path: root/sys/netipsec
Columns: Commit message | Author | Age | Files | Lines (-removed/+added)
* Mechanically substitute flags from historic mbuf allocator with
  Author: Gleb Smirnoff  Age: 2012-12-05  Files: 5  Lines: -33/+33

  malloc(9) flags within sys. Exceptions:
  - sys/contrib not touched
  - sys/mbuf.h edited manually

  Notes: svn path=/head/; revision=243882
* Do not reduce ip_len by size of IP header in the ip_input()
  Author: Gleb Smirnoff  Age: 2012-10-23  Files: 1  Lines: -3/+0

  before passing a packet to protocol input routines. For several
  protocols this means that now the protocol needs to do the subtraction
  itself, and for another half this means that we do not need to add the
  header length back to the packet.

  Make ip_stripoptions() adjust ip_len, since now we enter this function
  with a packet header whose ip_len does represent the length of the
  entire packet, not the payload only.

  Notes: svn path=/head/; revision=241923
* - Fix one more miss from r241913.
  Author: Gleb Smirnoff  Age: 2012-10-23  Files: 1  Lines: -2/+4

  - Add XXX comment about necessity of the entire block, that "fixes up"
    the IP header.

  Notes: svn path=/head/; revision=241922
* Couple of changes missed from r241913, which converted
  Author: Gleb Smirnoff  Age: 2012-10-22  Files: 2  Lines: -23/+9

  IPv4 stack to network byte order.

  Notes: svn path=/head/; revision=241919
* Switch the entire IPv4 stack to keep the IP packet header
  Author: Gleb Smirnoff  Age: 2012-10-22  Files: 1  Lines: -3/+2

  in network byte order. Any host byte order processing is done in local
  variables and host byte order values are never[1] written to a packet.

  After this change a packet processed by the stack isn't modified at
  all[2] except for TTL.

  After this change a network stack hacker doesn't need to scratch his
  head trying to figure out what is the byte order at the given place in
  the stack.

  [1] One exception still remains. The raw sockets convert host byte
      order before passing a packet to an application. Probably this
      would remain for ages for compatibility.

  [2] The ip_input() still subtracts header len from ip->ip_len, but
      this is planned to be fixed soon.

  Reviewed by: luigi, Maxim Dounin <mdounin mdounin.ru>
  Tested by: ray, Olivier Cochard-Labbe <olivier cochard.me>

  Notes: svn path=/head/; revision=241913
* Mechanically remove the last stray remains of spl* calls from net*/*.
  Author: Andre Oppermann  Age: 2012-10-18  Files: 1  Lines: -6/+0

  They have been no-ops for a long time now.

  Notes: svn path=/head/; revision=241686
* Add missing break
  Author: Kevin Lo  Age: 2012-09-18  Files: 1  Lines: -0/+1

  Notes: svn path=/head/; revision=240630
* In NAT-T transport mode, allow a client to open a new connection just after
  Author: VANHULLEBUS Yvan  Age: 2012-09-12  Files: 1  Lines: -3/+5

  closing another. It worked only in tunnel mode before.

  Submitted by: Andreas Longwitz <longwitz@incore.de>
  MFC after: 1M

  Notes: svn path=/head/; revision=240392
* Merge the projects/pf/head branch, that was worked on for last six months,
  Author: Gleb Smirnoff  Age: 2012-09-08  Files: 3  Lines: -6/+0

  into head. The most significant achievements in the new code:

  o Fine grained locking, thus much better performance.
  o Fixes to many problems in pf, that were specific to FreeBSD port.

  New code doesn't have that many ifdefs and much less OpenBSDisms, thus
  is more attractive to our developers.

  Those interested in details, can browse through SVN log of the
  projects/pf/head branch. And for reference, here is exact list of
  revisions merged:

  r232043, r232044, r232062, r232148, r232149, r232150, r232298, r232330,
  r232332, r232340, r232386, r232390, r232391, r232605, r232655, r232656,
  r232661, r232662, r232663, r232664, r232673, r232691, r233309, r233782,
  r233829, r233830, r233834, r233835, r233836, r233865, r233866, r233868,
  r233873, r234056, r234096, r234100, r234108, r234175, r234187, r234223,
  r234271, r234272, r234282, r234307, r234309, r234382, r234384, r234456,
  r234486, r234606, r234640, r234641, r234642, r234644, r234651, r235505,
  r235506, r235535, r235605, r235606, r235826, r235991, r235993, r236168,
  r236173, r236179, r236180, r236181, r236186, r236223, r236227, r236230,
  r236252, r236254, r236298, r236299, r236300, r236301, r236397, r236398,
  r236399, r236499, r236512, r236513, r236525, r236526, r236545, r236548,
  r236553, r236554, r236556, r236557, r236561, r236570, r236630, r236672,
  r236673, r236679, r236706, r236710, r236718, r237154, r237155, r237169,
  r237314, r237363, r237364, r237368, r237369, r237376, r237440, r237442,
  r237751, r237783, r237784, r237785, r237788, r237791, r238421, r238522,
  r238523, r238524, r238525, r239173, r239186, r239644, r239652, r239661,
  r239773, r240125, r240130, r240131, r240136, r240186, r240196, r240212.

  I'd like to thank people who participated in early testing:

  Tested by: Florian Smeets <flo freebsd.org>
  Tested by: Chekaluk Vitaly <artemrts ukr.net>
  Tested by: Ben Wilber <ben desync.com>
  Tested by: Ian FREISLICH <ianf cloudseed.co.za>

  Notes: svn path=/head/; revision=240233
* Unexpand a couple of TAILQ_FOREACH()s.
  Author: John Baldwin  Age: 2012-08-17  Files: 1  Lines: -2/+1

  Notes: svn path=/head/; revision=239357
* Fix a bug introduced in r221129 that leads to a panic when using bundled
  Author: Bjoern A. Zeeb  Age: 2012-07-22  Files: 1  Lines: -2/+1

  SAs. For now allow same address family bundles.

  While discovered with ESP and AH, which does not make a lot of sense,
  IPcomp could be a possible problematic candidate.

  PR: kern/164400
  MFC after: 3 days

  Notes: svn path=/head/; revision=238700
* Add multi-FIB IPv6 support to the core network stack supplementing
  Author: Bjoern A. Zeeb  Age: 2012-02-03  Files: 1  Lines: -1/+1

  the original IPv4 implementation from r178888:

  - Use RT_DEFAULT_FIB in the IPv4 implementation where noticed.
  - Use rt*fib() KPI with explicit RT_DEFAULT_FIB where applicable in
    the NFS code.
  - Use the new in6_rt* KPI in TCP, gif(4), and the IPv6 network stack
    where applicable.
  - Split in6_rtqtimo() and in6_mtutimo() as done in IPv4 and equally
    prevent multiple initializations of callouts in in6_inithead().
  - Use wrapper functions where needed to preserve the current KPI to
    ease MFCs. Use BURN_BRIDGES to indicate expected future cleanup.
  - Fix (related) comments (both technical or style).
  - Convert to rtinit() where applicable and only use custom loops where
    currently not possible otherwise.
  - Multicast group, most neighbor discovery address actions and faith(4)
    are locked to the default FIB. Individual IPv6 addresses will only
    appear in the default FIB, however redirect information and prefixes
    of connected subnets are automatically propagated to all FIBs by
    default (mimicking IPv4 behavior as closely as possible).

  Sponsored by: Cisco Systems, Inc.

  Notes: svn path=/projects/multi-fibv6/head/; revision=230942
* Clean up some #endif comments removing from short sections. Add #endif
  Author: Bjoern A. Zeeb  Age: 2012-01-22  Files: 1  Lines: -1/+1

  comments to longer, also refining strange ones. Properly use #ifdef
  rather than #if defined() where possible.

  Four #if defined(PCBGROUP) occurrences (netinet and netinet6) were
  ignored to avoid conflicts with eventually upcoming changes for RSS.

  Reported by: bde (most)
  Reviewed by: bde
  MFC after: 3 days

  Notes: svn path=/head/; revision=230442
* Remove unused 'plen' variable.
  Author: Pawel Jakub Dawidek  Age: 2011-11-26  Files: 1  Lines: -2/+1

  Notes: svn path=/head/; revision=228014
* The esp_max_ivlen global variable is not needed, we can just use
  Author: Pawel Jakub Dawidek  Age: 2011-11-26  Files: 1  Lines: -16/+1

  EALG_MAX_BLOCK_LEN.

  Notes: svn path=/head/; revision=228012
* malloc(M_WAITOK) never fails, so there is no need to check for NULL.
  Author: Pawel Jakub Dawidek  Age: 2011-11-26  Files: 1  Lines: -4/+0

  Notes: svn path=/head/; revision=228011
* Eliminate 'err' variable and just use existing 'error'.
  Author: Pawel Jakub Dawidek  Age: 2011-11-26  Files: 2  Lines: -6/+5

  Notes: svn path=/head/; revision=228010
* Simplify code a bit.
  Author: Pawel Jakub Dawidek  Age: 2011-11-26  Files: 2  Lines: -12/+6

  Notes: svn path=/head/; revision=228009
* There is no need to virtualize esp_max_ivlen.
  Author: Pawel Jakub Dawidek  Age: 2011-11-26  Files: 1  Lines: -6/+5

  Notes: svn path=/head/; revision=228008
* Add missing va_end() in an error case to clean up after va_start()
  Author: Christian Brueffer  Age: 2011-10-07  Files: 1  Lines: -0/+1

  (already done in the non-error case).

  CID: 4726
  Found with: Coverity Prevent(tm)
  MFC after: 1 week

  Notes: svn path=/head/; revision=226117
* Update packet filter (pf) code to OpenBSD 4.5.
  Author: Bjoern A. Zeeb  Age: 2011-06-28  Files: 3  Lines: -0/+6

  You need to update userland (world and ports) tools to be in sync with
  the kernel.

  Submitted by: mlaier
  Submitted by: eri

  Notes: svn path=/head/; revision=223637
* Release SP's refcount in key_get_spdbyid().
  Author: VANHULLEBUS Yvan  Age: 2011-05-09  Files: 1  Lines: -0/+1

  PR: 156676
  Submitted by: Tobias Brunner (tobias@strongswan.org)
  MFC after: 1 week

  Notes: svn path=/head/; revision=221692
* Make IPsec compile without INET adding appropriate #ifdef checks.
  Author: Bjoern A. Zeeb  Age: 2011-04-27  Files: 7  Lines: -67/+112

  Unfold the IPSEC_COMMON_INPUT_CB() macro in xform_{ah,esp,ipcomp}.c to
  not need three different versions depending on INET, INET6 or both.

  Mark two places preparing for not yet supported functionality with
  IPv6.

  Reviewed by: gnn
  Sponsored by: The FreeBSD Foundation
  Sponsored by: iXsystems
  MFC after: 4 days

  Notes: svn path=/head/; revision=221129
* Do not allow recursive RFC3173 IPComp payload.
  Author: Bjoern A. Zeeb  Age: 2011-04-01  Files: 1  Lines: -0/+21

  Reviewed by: Tavis Ormandy (taviso cmpxchg8b.com)
  MFC after: 5 days
  Security: CVE-2011-1547

  Notes: svn path=/head/; revision=220247
* Optimisation in IPSEC(4):
  Author: Fabien Thomas  Age: 2011-03-31  Files: 7  Lines: -75/+69

  - Remove contention on ISR during the crypto operation by using
    rwlock(9).
  - Remove a second lookup of the SA in the callback.

  Gain on 6 cores CPU with SHA1/AES128 can be up to 30%.

  Reviewed by: vanhu
  MFC after: 1 month

  Notes: svn path=/head/; revision=220206
* Fix two SA refcount issues:
  Author: Fabien Thomas  Age: 2011-03-31  Files: 2  Lines: -1/+1

  - AH does not release the SA like in ESP/IPCOMP when handling EAGAIN
  - ipsec_process_done incorrectly releases the SA.

  Reviewed by: vanhu
  MFC after: 1 week

  Notes: svn path=/head/; revision=220194
* Fixed IPsec's HMAC_SHA256-512 support to be RFC4868 compliant.
  Author: VANHULLEBUS Yvan  Age: 2011-02-18  Files: 4  Lines: -13/+84

  This will break interoperability with all older versions of FreeBSD
  for those algorithms.

  Reviewed by: bz, gnn
  Obtained from: NETASQ
  MFC after: 1w

  Notes: svn path=/head/; revision=218794
* After some off-list discussion, revert a number of changes to the
  Author: Dimitry Andric  Age: 2010-11-22  Files: 3  Lines: -20/+20

  DPCPU_DEFINE and VNET_DEFINE macros, as these cause problems for
  various people working on the affected files. A better long-term
  solution is still being considered. This reversal may give some
  modules empty set_pcpu or set_vnet sections, but these are harmless.

  Changes reverted:

  ------------------------------------------------------------------------
  r215318 | dim | 2010-11-14 21:40:55 +0100 (Sun, 14 Nov 2010) | 4 lines

  Instead of unconditionally emitting .globl's for the __start_set_xxx
  and __stop_set_xxx symbols, only emit them when the set_vnet or
  set_pcpu sections are actually defined.

  ------------------------------------------------------------------------
  r215317 | dim | 2010-11-14 21:38:11 +0100 (Sun, 14 Nov 2010) | 3 lines

  Apply the STATIC_VNET_DEFINE and STATIC_DPCPU_DEFINE macros throughout
  the tree.

  ------------------------------------------------------------------------
  r215316 | dim | 2010-11-14 21:23:02 +0100 (Sun, 14 Nov 2010) | 2 lines

  Add macros to define static instances of VNET_DEFINE and DPCPU_DEFINE.

  Notes: svn path=/head/; revision=215701
* Apply the STATIC_VNET_DEFINE and STATIC_DPCPU_DEFINE macros throughout
  Author: Dimitry Andric  Age: 2010-11-14  Files: 3  Lines: -20/+20

  the tree.

  Notes: svn path=/head/; revision=215317
* Announce both IPsec and UDP Encap (NAT-T) if available for
  Author: Bjoern A. Zeeb  Age: 2010-10-30  Files: 1  Lines: -0/+5

  feature_present(3) checks. This will help to run-time detect and
  conditionally handle specific options of either feature in user space
  (i.e. in libipsec).

  Descriptions read by: rwatson
  MFC after: 2 weeks

  Notes: svn path=/head/; revision=214565
* Fix typo in comment.
  Author: Thomas Quinot  Age: 2010-10-25  Files: 1  Lines: -1/+1

  Notes: svn path=/head/; revision=214351
* Make the IPsec SADB embedded route cache a union to be able to hold both the
  Author: Bjoern A. Zeeb  Age: 2010-10-23  Files: 3  Lines: -6/+13

  legacy and IPv6 route destination address. Previously in case of IPv6,
  there was a memory overwrite due to not enough space for the IPv6
  address.

  PR: kern/122565
  MFC After: 2 weeks

  Notes: svn path=/head/; revision=214250
* Remove dead code:
  Author: Bjoern A. Zeeb  Age: 2010-10-14  Files: 1  Lines: -3/+1

  assignment to a local variable not used anywhere after that.

  MFC after: 3 days

  Notes: svn path=/head/; revision=213837
* Style: make the asterisk go with the variable name, not the type.
  Author: Bjoern A. Zeeb  Age: 2010-10-14  Files: 1  Lines: -1/+1

  MFC after: 3 days

  Notes: svn path=/head/; revision=213836
* MFp4 @178283:
  Author: Bjoern A. Zeeb  Age: 2010-05-24  Files: 1  Lines: -1/+1

  Improve IPsec flow distribution for better netisr parallelism.
  Instead of using the pointer that would have the last bits masked in
  a % statement in netisr_select_cpuid() to select the queue, use the
  SPI.

  Reviewed by: rwatson
  MFC after: 4 weeks

  Notes: svn path=/head/; revision=208508
* Set SA's natt_type before calling key_mature() in key_add(),
  Author: VANHULLEBUS Yvan  Age: 2010-05-05  Files: 1  Lines: -6/+6

  as the SA may be used as soon as key_mature() has been done.

  Obtained from: NETASQ
  MFC after: 1 week

  Notes: svn path=/head/; revision=207652
* Update SA's NAT-T stuff before calling key_mature() in key_update(),
  Author: VANHULLEBUS Yvan  Age: 2010-05-05  Files: 1  Lines: -6/+6

  as SA may be used as soon as key_mature() has been called.

  Obtained from: NETASQ
  MFC after: 1 week

  Notes: svn path=/head/; revision=207651
* MFP4: @176978-176982, 176984, 176990-176994, 177441
  Author: Bjoern A. Zeeb  Age: 2010-04-29  Files: 9  Lines: -44/+50

  "Whitespace" churn after the VIMAGE/VNET whirls.

  Remove the need for some "init" functions within the network stack,
  like pim6_init(), icmp_init() or significantly shorten others like
  ip6_init() and nd6_init(), using static initialization again where
  possible and formerly missed.

  Move (most) variables back to the place they used to be before the
  container structs and VIMAGE_GLOABLS (before r185088) and try to
  reduce the diff to stable/7 and earlier as good as possible, to help
  out-of-tree consumers to update from 6.x or 7.x to 8 or 9. This also
  removes some header file pollution for putatively static global
  variables.

  Revert VIMAGE specific changes in ipfilter::ip_auth.c, that are no
  longer needed.

  Reviewed by: jhb
  Discussed with: rwatson
  Sponsored by: The FreeBSD Foundation
  Sponsored by: CK Software GmbH
  MFC after: 6 days

  Notes: svn path=/head/; revision=207369
* Locks SPTREE when setting some SP entries to state DEAD.
  Author: VANHULLEBUS Yvan  Age: 2010-04-15  Files: 1  Lines: -0/+6

  This can prevent kernel panics when updating SPs while there is some
  traffic for them.

  Obtained from: NETASQ
  MFC after: 1m

  Notes: svn path=/head/; revision=206659
* Fix a logic error in ipsec code that extracts
  Author: Ermal Luçi  Age: 2010-04-02  Files: 1  Lines: -1/+1

  information from the packets.

  Reviewed by: bz, mlaier
  Approved by: mlaier(mentor)
  MFC after: 1 month

  Notes: svn path=/head/; revision=206111
* When tearing down IPsec as part of a (virtual) network stack,
  Author: Bjoern A. Zeeb  Age: 2010-03-28  Files: 1  Lines: -7/+9

  do not try to free the same list twice but free both the acquiring
  list and the security policy acquiring list.

  Reviewed by: anchie
  MFC after: 3 days

  Notes: svn path=/head/; revision=205789
* Correct typo in comment.
  Author: Pawel Jakub Dawidek  Age: 2010-02-18  Files: 1  Lines: -1/+1

  Notes: svn path=/head/; revision=204074
* Enable IPcomp by default.
  Author: Bjoern A. Zeeb  Age: 2009-11-29  Files: 1  Lines: -1/+1

  PR: kern/123587
  MFC after: 5 days

  Notes: svn path=/head/; revision=199947
* Add more statistics variables for IPcomp.
  Author: Bjoern A. Zeeb  Age: 2009-11-29  Files: 2  Lines: -3/+19

  Try to version the struct in a backward compatible way. People asked
  for the versioning of the stats structs in general before.

  MFC after: 5 days

  Notes: svn path=/head/; revision=199946
* Assimilate very similar input and output code paths
  Author: Bjoern A. Zeeb  Age: 2009-11-29  Files: 1  Lines: -4/+2

  (no real functional change).

  MFC after: 5 days

  Notes: svn path=/head/; revision=199905
* Only add the IPcomp header if crypto reported success and we have a lower
  Author: Bjoern A. Zeeb  Age: 2009-11-29  Files: 1  Lines: -51/+53

  payload size. Before we had always added the header, no matter if we
  actually send out compressed data or not.

  With this, after the opencrypto/deflate changes, IPcomp starts to work
  apart from edge cases. Leave it disabled by default until those are
  fixed as well.

  PR: kern/123587
  MFC after: 5 days

  Notes: svn path=/head/; revision=199899
* Remove whitespace.
  Author: Bjoern A. Zeeb  Age: 2009-11-28  Files: 1  Lines: -3/+3

  MFC after: 6 days

  Notes: svn path=/head/; revision=199897
* Directly send data uncompressed if the packet payload size is lower than
  Author: Bjoern A. Zeeb  Age: 2009-11-28  Files: 1  Lines: -0/+11

  the compression algorithm threshold.

  MFC after: 6 days

  Notes: svn path=/head/; revision=199896
* Correct a typo.
  Author: Bjoern A. Zeeb  Age: 2009-11-28  Files: 1  Lines: -1/+1

  MFC after: 6 days

  Notes: svn path=/head/; revision=199894
* fixed two race conditions when inserting/removing SAs via PFKey,
  Author: VANHULLEBUS Yvan  Age: 2009-11-17  Files: 1  Lines: -2/+3

  which can both lead to a kernel panic when adding/removing quickly a
  lot of SAs.

  Obtained from: NETASQ
  MFC after: 2w (MFC on 8 before 8.0 release ???)

  Notes: svn path=/head/; revision=199398