| Commit message | Author | Age | Files | Lines |
Notes:
svn path=/head/; revision=126936
- Add encapmtx to protect ip_encap.c global variables (encapsulation
list).
- Unifdef #ifdef 0 pieces of encap_init() which was (and now really
is) basically a no-op.
- Lock encapmtx when walking encaptab, modifying it, comparing
entries, etc.
- Remove spl's.
Note that currently there's no facility to make sure outstanding
use of encapsulation methods on a table entry have drained before
we allow a table entry to be removed. As such, it's currently the
caller's responsibility to make sure that draining takes place.
Reviewed by: mlaier
Notes:
svn path=/head/; revision=126792
Notes:
svn path=/head/; revision=126791
header to the inner IP header of the PIM Register if this is a PIM
Null-Register message.
Submitted by: Pavlin Radoslavov <pavlin@icir.org>
Notes:
svn path=/head/; revision=126741
Submitted by: Pavlin Radoslavov <pavlin@icir.org>
Notes:
svn path=/head/; revision=126740
Noticed by: Simon Coggins
Approved by: bms(mentor)
Notes:
svn path=/head/; revision=126513
ifp is now passed explicitly to ether_demux; no need to look it up again.
Make mtag a global var in ip_input.
Noticed by: rwatson
Approved by: bms(mentor)
Notes:
svn path=/head/; revision=126486
to NET_UNLOCK_GIANT(). While they are used in similar ways, the
semantics are quite different -- NET_LOCK_GIANT() and NET_UNLOCK_GIANT()
directly wrap mutex lock and unlock operations, whereas drop/pickup
special case the handling of Giant recursion. Add a comment saying
as much.
Add NET_ASSERT_GIANT(), which conditionally asserts Giant based
on the value of debug_mpsafenet.
Notes:
svn path=/head/; revision=126467
Pointed out by: ru
Notes:
svn path=/head/; revision=126456
in a code block, as the variable is now gone.
Submitted by: sam
Notes:
svn path=/head/; revision=126368
were needed by the MAC Framework until inpcbs gained labels.
Submitted by: sam
Notes:
svn path=/head/; revision=126351
This enables pf to track dynamic address changes on interfaces (dialup) with
the "on (<ifname>)"-syntax. This also brings hooks in anticipation of
tracking cloned interfaces, which will be in future versions of pf.
Approved by: bms(mentor)
Notes:
svn path=/head/; revision=126264
pf/pflog/pfsync as modules. Do not list them in NOTES or modules/Makefile
(i.e. do not connect it to any (automatic) builds - yet).
Approved by: bms(mentor)
Notes:
svn path=/head/; revision=126263
the syscall arguments and does the suser() permission check, and
kern_mlock(), which does the resource limit checking and calls
vm_map_wire(). Split munlock() in a similar way.
Enable the RLIMIT_MEMLOCK checking code in kern_mlock().
Replace calls to vslock() and vsunlock() in the sysctl code with
calls to kern_mlock() and kern_munlock() so that the sysctl code
will obey the wired memory limits.
Nuke the vslock() and vsunlock() implementations, which are no
longer used.
Add a member to struct sysctl_req to track the amount of memory
that is wired to handle the request.
Modify sysctl_wire_old_buffer() to return an error if its call to
kern_mlock() fails. Only wire the minimum of the length specified
in the sysctl request and the length specified in its argument list.
It is recommended that sysctl handlers that use sysctl_wire_old_buffer()
should specify reasonable estimates for the amount of data they
want to return so that only the minimum amount of memory is wired
no matter what length has been specified by the request.
Modify the callers of sysctl_wire_old_buffer() to look for the
error return.
Modify sysctl_old_user to obey the wired buffer length and clean up
its implementation.
Reviewed by: bms
Notes:
svn path=/head/; revision=126253
Tested by: -current, bms(mentor), me
Approved by: bms(mentor), sam
Notes:
svn path=/head/; revision=126239
increased <netinet/tcp_var>'s already large set of prerequisites, and
this was handled badly. Just don't declare the complete syncache struct
unless <netinet/pcb.h> is included before <netinet/tcp_var.h>.
Approved by: jlemon (years ago, for a more invasive fix)
Notes:
svn path=/head/; revision=126226
<vm/uma.h>'s idempotency identifier or its misspelling.
Notes:
svn path=/head/; revision=126225
the FIN on the last segment consumes an extra sequence number.
Spurious panic reported by Mike Silbersack <silby@silby.com>.
Notes:
svn path=/head/; revision=126220
amount of segments it will hold.
The following tuneables and sysctls control the behaviour of the tcp
segment reassembly queue:
net.inet.tcp.reass.maxsegments (loader tuneable)
specifies the maximum number of segments all tcp reassembly queues can
hold (defaults to 1/16 of nmbclusters).
net.inet.tcp.reass.maxqlen
specifies the maximum number of segments any individual tcp session queue
can hold (defaults to 48).
net.inet.tcp.reass.cursegments (readonly)
counts the number of segments currently in all reassembly queues.
net.inet.tcp.reass.overflows (readonly)
counts how often either the global or local queue limit has been reached.
Tested by: bms, silby
Reviewed by: bms, silby
Notes:
svn path=/head/; revision=126193
Approved by: scottl (mentor)
PR: 54163
MFC after: 3 days
Notes:
svn path=/head/; revision=126002
not working properly with the patch in place.
Approved by: bms(mentor)
Notes:
svn path=/head/; revision=125952
so merge these (IPSEC has an extra ipsecstat)
Submitted by: "Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net>
Notes:
svn path=/head/; revision=125941
treatment.
Submitted by: Vincent Jardin
Notes:
svn path=/head/; revision=125890
was not made.
Obtained from: KAME
Notes:
svn path=/head/; revision=125875
attribute, as we are often #include'd from userland without <sys/cdefs.h> in front of us, and it is not strictly necessary.
Noticed by: Sascha Blank
Notes:
svn path=/head/; revision=125870
casts. Remove unnecessary parenthesis.
Submitted by: bde
Notes:
svn path=/head/; revision=125819
----------------------------------------------------------------------
Notes:
svn path=/head/; revision=125791
Approved by: bms(mentor)
Notes:
svn path=/head/; revision=125785
them mostly with packet tags (one case is handled by using an mbuf flag
since the linkage between "caller" and "callee" is direct and there's no
need to incur the overhead of a packet tag).
This is (mostly) work from: sam
Silence from: -arch
Approved by: bms(mentor), sam, rwatson
Notes:
svn path=/head/; revision=125784
Submitted by: bde
Notes:
svn path=/head/; revision=125783
Obtained from: KAME
Notes:
svn path=/head/; revision=125776
the types used by m_apply()'s callback function, f, as documented in mbuf(9).
Noticed by: njl
Notes:
svn path=/head/; revision=125742
Submitted by: njl
Notes:
svn path=/head/; revision=125741
verifies TCP-MD5 digests.
Noticed by: njl
Notes:
svn path=/head/; revision=125740
is only used by TCP_SIGNATURE code.
Noticed by: Roop Nanuwa
Notes:
svn path=/head/; revision=125698
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
Notes:
svn path=/head/; revision=125680
works again.
Notes:
svn path=/head/; revision=125396
used for the ICMP reply source in response to packets which are not
directly addressed to us. By default continue with normal
source selection.
Reviewed by: bms
Notes:
svn path=/head/; revision=125360
Reviewed by: bms
Notes:
svn path=/head/; revision=125349
at packet arrival.
For benchmarking purposes SO_BINTIME is preferable to SO_TIMEVAL
since it has higher resolution and lower overhead. Simultaneous
use of the two options is possible and they will return consistent
timestamps.
This introduces an extra test and a function call for SO_TIMEVAL, but I have
not been able to measure that.
Notes:
svn path=/head/; revision=125264
Notes:
svn path=/head/; revision=125226
Notes:
svn path=/head/; revision=125118
ifconfig(8) flag since header for version 2 is the same but IP payload
is prepended with additional 4-bytes field.
Inspired by: Roman Synyuk <roman@univ.kiev.ua>
MFC after: 2 weeks
Notes:
svn path=/head/; revision=125024
Kill trailing spaces.
Notes:
svn path=/head/; revision=125020
Noticed by: Jun Kuriyama <kuriyama@imgsrc.co.jp>
Notes:
svn path=/head/; revision=124851
recwin and sendwin. This removes a big source of confusion and makes
following the code much easier.
Reviewed by: sam (mentor)
Obtained from: DragonFlyBSD rev 1.6 (hsu)
Notes:
svn path=/head/; revision=124849
allocated.
Reviewed by: sam (mentor)
Obtained from: DragonFlyBSD rev 1.6 (hsu)
Notes:
svn path=/head/; revision=124848
of malloc'ing it.
Reviewed by: sam (mentor)
Obtained from: DragonFlyBSD rev 1.6 (hsu)
Notes:
svn path=/head/; revision=124847
date: 2003/09/02 10:04:47; author: hsu; state: Exp; lines: +5 -6
Account for when Limited Transmit is not congestion window limited.
Obtained from: DragonFlyBSD
Notes:
svn path=/head/; revision=124761
Makes it possible to have multiple packet aliasing instances in a
single process by moving all static and global variables into an
instance structure called "struct libalias".
Redefine a new API based on s/PacketAlias/LibAlias/g
Add new "instance" argument to all functions in the new API.
Implement old API in terms of the new API.
Notes:
svn path=/head/; revision=124621