Make it bool. Reword the comment, add note that mbuf is always consumed.
In case tunnel consumed the mbuf, don't INP_RUNLOCK(), behave just like
all the other normal exits from the function.
Reviewed by: tuexen, kp, markj
Differential Revision: https://reviews.freebsd.org/D52171
|
Fixes: e1751ef896119d7372035b1b60f18a6342bd0e3b
Reviewed by: tuexen, kp, markj
Differential Revision: https://reviews.freebsd.org/D52170
|
and fix assigning IP addresses to the gif(4) interface when it is a
member of a if_bridge(4) interface.
When setting the sysctl net.link.bridge.member_ifaddrs to 1, if_bridge(4)
can eliminate unnecessary walk of the member list to determine whether
the inbound unicast packets are for us or not.
Well when a gif(4) interface is member of a if_bridge(4) interface, it
acts as the tunnel endpoint to tunnel Ethernet frames over IP network,
aka the EtherIP protocol, so the IP addresses configured on it are
independent of the if_bridge(4) interface or other if_bridge(4) members,
hence the sysctl net.link.bridge.member_ifaddrs should not have any
influence over gif(4) interfaces' behavior of assigning IP addresses.
PR: 227450
Reported by: Siva Mahadevan <me@svmhdvn.name>
Reviewed by: ivy, #bridge
MFC after: 1 week
Fixes: 0a1294f6c610 bridge: allow IP addresses on members to be disabled
Differential Revision: https://reviews.freebsd.org/D52200
|
Ensure that when the sysctl-variable net.inet.tcp.syncookies_only is
non zero, SYN-cookies are sent and no SYN-cache entry is added to the
SYN-cache. In particular, this behavior should not depend on the value
of the sysctl-variable net.inet.tcp.syncookies, which controls whether
SYN cookies are used in combination with the SYN-cache to deal with
bucket overflows.
Also ensure that tcps_sc_completed does not include TCP connections
established via a SYN-cookie.
While there, make V_tcp_syncookies and V_tcp_syncookiesonly bool
instead of int, since they are used as boolean variables.
Reviewed by: rscheff, cc, Peter Lei, Nick Banks
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D52225
|
MFC after: 3 days
Sponsored by: Netflix, Inc.
|
The need for such a variant comes from the fact that we need to
re-calculate checksum after ng_nat(4) transformations while getting
mbufs from the layer 2 (ethernet) directly.
Reviewed by: markj, tuexen
Approved by: tuexen
Sponsored by: Sippy Software, Inc.
Differential Revision: https://reviews.freebsd.org/D49677
MFC After: 2 weeks
|
- s/assigments/assignments/
MFC after: 3 days
|
Don't subtract tcp_sack_adjust() sometimes twice, just once in all
cases.
Reviewed by: rscheff
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D52140
|
Take the condition of RFC 6675 into account.
While there, remove stale comments.
PR: 282605
Reviewed by: cc (earlier version)
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D51426
|
When reflecting a packet, use an offset of 0 and clear all three bits,
in particular the DF bit.
PR: 288558
Reviewed by: markj, zlei
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D51991
|
- s/datgram/datagram/
MFC after: 3 days
|
Fixes: c3fc0db3bc50df18a724e6e6b12ea4e060fd9255
|
RFC 2460 section 5 paragraph 7 allowed a Packet Too Big message
to report a Next-Hop MTU less than 1280 in support of 6-to-4 routers.
A node receiving such a message was required to add a Fragment
Header to outgoing packets, even though they were not fragmented.
Almost 20 years later, RFC 8200 was published. It obsoletes RFC 2460
and removes that paragraph. UNH IOL Intact was updated to test for
compliance with the new standard.
Remove code supporting that obsolete paragraph.
Test cases v6LC_4_1_06a and 06b failed before this change, saying:
DUT processed PTB and sent a fragmented echo reply
Those two test cases now pass:
DUT did not process PTB and sent un-fragmented echo reply
All PMTU test cases pass except v6LC_4_1_08. It fails because we
ignore the MTU in RAs.
Reviewed by: tuexen
MFC After: 1 month
Sponsored by: Dell Inc.
Differential Revision: https://reviews.freebsd.org/D51835
|
With the latest changes, this variable and parameter for
tcp_dropwithreset() is not needed anymore.
It also makes it harder to introduce the usage of multiple counters
for TCP again, which might open side channel attacks.
No functional changes intended.
Reviewed by: rrs
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D51872
|
Don't use the rstreason variable as a hint that a second lookup is
performed, since the rstreason variable will be removed.
Use the INPLOOKUP_WILDCARD flag in the lookupflag variable instead.
No functional change intended.
Reviewed by: rrs
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D51847
|
Since there are multicast and broadcast specific error counters,
use them.
Reviewed by: rrs
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D51869
|
Reviewed by: Nick Banks
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D51849
|
If a blind attacker wants to guess by sending ACK segments if there
exists a TCP connection, this might trigger a challenge ACK on an
existing TCP connection. To make this hit non-observable for the
attacker, also increment the global counter, which would have been
incremented if it would have been a non-hit.
This issue was reported as issue number 11 in Keyu Man et al.:
SCAD: Towards a Universal and Automated Network Side-Channel
Vulnerability Detection
Reviewed by: Nick Banks, Peter Lei
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D51724
|
Also rate limit the sending of RST segments in the following cases:
* when receiving data on a closed socket.
* when a socket can not be created at the end of the handshake and
the sysctl-variable net.inet.tcp.syncache.rst_on_sock_fail is 1.
* when an ACK segment is received in SYN SENT state and it does not
acknowledge the SYN segment.
After this change, there is no need anymore to provide a rstreason
to tcp_dropwithreset(), since it is always BANDLIM_TCP_RST.
This will be a follow-up commit, since it will change the code in a
couple of places, but will not change the functionality.
Reviewed by: rrs, Nick Banks, Peter Lei
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D51815
|
rstreason is only relevant in the code paths with the label
'dropwithreset', but not in the one with the label 'drop'.
No functional change intended.
Reviewed by: Nick Banks, rrs, Peter Lei, imp
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D51814
|
Note: btw submitted a number of other things in this area that haven't
made it into the tree, so I'm making an exception to the no typo rule
since it was done in that context.
Submitted by: btw (Tiwei Bie GSOC 2015 so unsure what to use for author)
Differential Revision: https://reviews.freebsd.org/D3510
|
When a RTO happens during SACK loss recovery, snd_recover can possibly be pulled left.
With Lost Retransmission Detection (LRD) this can lead to rxmit of a hole to end up
pointing to the left of the hole, which is unexpected and leads to complications.
Reviewed By: tuexen, #transport
Sponsored by: NetApp, Inc.
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D51725
|
delivered_data is the number of bytes, which have newly been
delivered to the peer. This includes the number of bytes
cumulatively acknowledged and selectively acknowledged.
Reviewed by: rscheff
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D51718
|
When panicking, don't print the condition, which was violated,
but the condition which holds at the time of the panic.
Reviewed by: Nick Banks
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D51726
|
No functional change intended.
Reviewed by: Nick Banks
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D51734
|
This is mostly for better readability when we need to resolve
what opcode corresponds to specific number.
Obtained from: Yandex LLC
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D51457
|
The variables p_curtick and p_lasttick are not in usecs.
Reviewed by: tuexen
MFC after: 1 week
Sponsored by: Netflix, Inc.
|
When the SCTP, TCP, or UDP implementation sends a packet, it does not
compute the corresponding checksum but defers that. The network layer
will determine whether the network interface selected for the packet
has the requested capability and computes the checksum in software,
if the selected network interface doesn't have the requested
capability.
Do this not only for packets being sent by the local SCTP, TCP,
and UDP stack, but also when forwarding packets. Furthermore, when
such packets are delivered to a local SCTP, TCP, or UDP stack, do not
compute or validate the checksum, since such packets never have been on
the wire.
This allows to support checksum offloading also in the case of local
virtual machines or jails.
Support for epair, vtnet, and tap interfaces will be added in
separate commits.
Reviewed by: kp, rgrimes, tuexen, manpages
MFC after: 4 weeks
Differential Revision: https://reviews.freebsd.org/D51475
|
Cleanup tcp_hpts.h by
* move definition used only in tcp_hpts.c to that file
* fix a typo
* remove duplicate declaration of tcp_min_hptsi_time
* rearrange declarations for simpler reading
Approved by: tuexen
MFC after: 1 week
Sponsored by: Netflix, Inc.
|
Don't use ticks in variable names or constant when they don't have
a relation to ticks. Use slots or usecs.
No functional change intended.
Reviewed by: tuexen
MFC after: 1 week
Sponsored by: Netflix, Inc.
|
tcp_tv_to_usectick(), tcp_tv_to_mssectick(), and tcp_tv_to_lusectick()
are not related to ticks. Therefore remove the trailing 'tick'.
No functional change intended.
Reviewed by: tuexen
MFC after: 1 week
Sponsored by: Netflix, Inc.
|
MFC after: 1 week
|
In the sendfile(2) we carry an old hack (originating from d99b0dd2c5297)
to help dumb benchmarks and applications to achieve higher performance. We
would modify low watermark on the socket send buffer to avoid socket being
reported as writable too early, which would result in lots of small
writes.
Skip that hack for applications that do setsockopt(SO_SNDLOWAT) or that
register the socket in kevent(2) with NOTE_LOWAT feature. First, we don't
want the hack to rewrite the watermark value explicitly specified by the
user. Second, in certain cases that can lead to real performance
regressions. A kevent(2) with NOTE_LOWAT would report socket as writable,
but then sendfile(2) would write 0 bytes and return EAGAIN.
The change also disables the hack for unix(4) sockets, leaving only TCP.
Reviewed by: rrs
Differential Revision: https://reviews.freebsd.org/D50581
|
When the socket has a tunneling function attached, udp_append() drops
the inpcb lock before calling it. To keep the inpcb alive, we bump the
refcount. After commit 742e7210d00b we only dropped the reference if
the tunnel consumed the packet, but it needs to be dropped in either
case. if_ovpn is the only driver that can trigger this bug.
Fixes: 742e7210d00b ("udp: allow udp_tun_func_t() to indicate it did not eat the packet")
Reviewed by: kp
MFC after: 2 weeks
Sponsored by: Stormshield
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D51505
|
Reviewed by: cc, tuexen, Peter Lei
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D51437
|
Remove code that can't be enabled in FreeBSD anyway.
Reviewed by: glebius, rrs
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D51423
|
Use the correct variable in the correct way. The app limited period
is cleared when gp_seq is greater than or equal to
cleared_app_ack_seq.
Reviewed by: rrs, tuexen, Nick Banks
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D51441
|
Using two counters does not provide any benefit, but it provides an
externally observable signal whether there is a listening port.
Reviewed by: Nick Banks, Peter Lei
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D51440
|
Reviewed by: tuexen
MFC after: 1 week
Sponsored by: Netflix, Inc.
|
rc_app_limited_cnt is an internal counter on the rack structure
that tracks the number of sendmap entries that have the
RACK_APP_LIMITED flag set. These entries gate goodput measurements.
The counter is reported in a number of blackbox logging events.
When a sendmap entry which has the RACK_APP_LIMITED flag set is
cloned, the counter was not being maintained properly.
While here, cleanup the counter check when a sendmap entry with
the flag set is freed which previously hid this issue.
Reviewed by: tuexen
MFC after: 1 week
Sponsored by: Netflix, Inc.
|
No functional changes intended.
Reviewed by: tuexen
MFC after: 1 week
Sponsored by: Netflix, Inc.
|
Don't use the variable rstreason temporarily with a different semantic.
No functional change intended.
Reviewed by: Nick Banks
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D51438
|
Reviewed by: tuexen
MFC after: 1 week
Sponsored by: Netflix, Inc.
|
Reviewed by: tuexen
MFC after: 1 week
Sponsored by: Netflix, Inc.
|
Reviewed by: tuexen
MFC after: 1 week
Sponsored by: Netflix, Inc.
|
When processing a TCP segment, data is removed from the head or
the tail. The test whether a segment has no data on it should
depend on the TCP segment before the removal. Without this,
received segments might trigger a fast retransmit even when they
should not.
Reported by: syzbot+fc97a2b5a0f7ea161161@syzkaller.appspotmail.com
Reviewed by: Peter Lei
MFC after: 3 days
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D51425
|
Also ignore errors from drivers. If driver snd_tag status method
returned an error, silently ignore the returned string, and not advance
the position of the filled buffer.
Sponsored by: Nvidia networking
|
If EDEADLK is returned from the locked handler, restart it. Do it
limited number of times. Catch signals between tries.
Reviewed by: glebius, markj
Sponsored by: Nvidia networking
Differential revision: https://reviews.freebsd.org/D51143
|
For this, unlock inp around the calls, taking the reference on it. If
the inp appears to be freed or unlinked after the relock, return
EDEADLK.
Reviewed by: glebius, markj
Sponsored by: Nvidia networking
Differential revision: https://reviews.freebsd.org/D51143