MFC r232865, r232868, r233478
- Add ipfw eXtended tables permitting radix to be used for any kind of keys.
- Add support for IPv6 and interface extended tables
- Make number of tables to be changed in runtime in range 0..65534.
- Use IP_FW3 opcode for all new extended table cmds
No ABI changes are introduced. Old userland will see valid tables for IPv4 tables and no entries otherwise. Flush works for any table.
IP_FW3 socket option is used to encapsulate all new opcodes:
    /* IP_FW3 header/opcodes */
    typedef struct _ip_fw3_opheader {
        uint16_t opcode;      /* Operation opcode */
        uint16_t reserved[3]; /* Align to 64-bit boundary */
    } ip_fw3_opheader;
New opcodes added: IP_FW_TABLE_XADD, IP_FW_TABLE_XDEL, IP_FW_TABLE_XGETSIZE, IP_FW_TABLE_XLIST
ipfw(8) table argument parsing behavior is changed: 'ipfw table 999 add some-unqualified-host' now assumes 'some-unqualified-host' to be interface name instead of hostname.
New tunable: net.inet.ip.fw.tables_max controls number of table supported by ipfw in given VNET instance. 128 is still the default value.
Sysctl change: net.inet.ip.fw.tables_max is now read-write.
New syntax:
    ipfw add skipto tablearg ip from any to any via table(42) in
    ipfw add skipto tablearg ip from any to any via table(4242) out
This is a bit hackish, special interface name '\1' is used to signal interface table number is passed in p.glob field.
Sponsored by Yandex LLC
Approved by: kib(mentor)
MFC r231852,232127: Merge multi-FIB IPv6 support. Extend the so far IPv4-only support for multiple routing tables (FIBs) introduced in r178888 to IPv6 providing feature parity. This includes an extended rtalloc(9) KPI for IPv6, the necessary adjustments to the network stack, and user land support as in netstat. Sponsored by: Cisco Systems, Inc.
MFC r225036: Hide IPv6 next header parsing warnings under the verbose sysctl so people can possibly disable it when their consoles are flooded, or enable it for debugging.
MFC r225033: If we detect an IPv6 fragment header and it is not the first fragment, then terminate the loop as we will not find any further headers and for short fragments this could otherwise lead to a pullup error discarding the fragment. Submitted by: Matthew Luckie (mjl luckie.org.nz) PR: kern/145733
MFC r225032,225034: ipfw internally checks for offset == 0 to determine whether the packet is a/the first fragment or not. For IPv6 we have added the "more fragments" flag as well to be able to determine on whether there will be more as we do not have the fragment header available for logging, while for IPv4 this information can be derived directly from the IPv4 header. This allowed fragmented packets to bypass normal rules as proper masking was not done when checking offset. Split variables to not need masking for IPv6 to avoid further errors. After r225032 fix logging in a similar way masking the IPv6 more fragments flag off so that offset == 0 checks work properly. Submitted by: Matthew Luckie (mjl luckie.org.nz) PR: kern/145733
MFC r225030: While not explicitly allowed by RFC 2460, in case there is no translation technology involved (and that section is suggested to be removed by Errata 2843), single packet fragments do not harm. There is another errata and further drafts under discussion to clarify on these kinds of packets. Meanwhile add a sysctl to allow disabling this behaviour again. We will treat single packet fragment (a fragment header added when not needed) as if there was no fragment header. Submitted by: Matthew Luckie (mjl luckie.org.nz) (original version) PR: kern/145733
MFC r223666: Add new rule actions "call" and "return" to ipfw. They make possible to organize subroutines with rules. The "call" action saves the current rule number in the internal stack and rules processing continues from the first rule with specified number (similar to skipto action). If later a rule with "return" action is encountered, the processing returns to the first rule with number of "call" rule saved in the stack plus one or higher. Submitted by: Vadim Goncharov
MFC 225518,225793,227085: Allow the ipfw.ko module built with a kernel to honor any options defined in the kernel config. This more closely matches the behavior of other modules which inherit configuration settings from the kernel configuration during a kernel + modules build. Do not try to build the module in case of no INET support but keep #error calls for now in case we would compile it into the kernel. While here garbage collect unneeded opt_*.h includes. opt_ipdn.h is not used anywhere but we need to leave the DUMMYNET entry in options for conditional inclusion in kernel so keep the file with the same name.
MFC r223080: Implement "global" mode for ipfw nat. It is similar to natd(8) "globalport" option for multiple NAT instances. If ipfw rule contains "global" keyword instead of nat_number, then for each outgoing packet ipfw_nat looks up translation state in all configured nat instances. If an entry is found, packet aliased according to that entry, otherwise packet is passed unchanged. User can specify "skip_global" option in NAT configuration to exclude an instance from the lookup in global mode. PR: kern/157867 Submitted by: Alexander V. Chernikov (previous version)
Merge from head/ 220796: Pullup up to TCP header length before matching against 'tcpopts'. PR: kern/156180 Reviewed by: luigi
MFC r222582: O_FORWARD_IP is only action which depends from the result of lookup of dynamic rules. We are doing forwarding in the following cases:
o For the simple ipfw fwd rule, e.g.
    fwd 10.0.0.1 ip from any to any out xmit em0
    fwd 127.0.0.1,3128 tcp from any to any 80 in recv em1
o For the dynamic fwd rule, e.g.
    fwd 192.168.0.1 tcp from any to 10.0.0.3 3333 setup keep-state
  When this rule triggers it creates a dynamic rule, but this dynamic rule should forward packets only in forward direction.
o And the last case that does not work before - simple fwd rule which triggers when some dynamic rule is already executed.
PR: kern/136695, kern/147720, kern/150798
MFC r222473: Add tablearg support for ipfw setfib. PR: kern/156410 MFC r222474: Wrap long line.
MFC r220568: Restore previous behaviour - always match rule when we are doing tagging, even when the tag already exists. Reported by: Vadim Goncharov
MFC r220211: Fill up src_port and dst_port variables for SCTP over IPv4. PR: kern/153415
MFhead r210537: Fix operation of "netgraph" action in conjunction with the net.inet.ip.fw.one_pass sysctl. PR: kern/148885 Submitted by: Nickolay Dudorov <nnd mail.nsk.ru>
Merge 209589 from head: After processing the O_SKIPTO opcode our cmd points to the next rule, and "match" processing at the end of inner loop would look ahead into the next rule, which is incorrect. Particularly, in the case when the next rule started with F_NOT opcode it was skipped blindly. To fix this, exit the inner loop with the continue operator forcibly and explicitly. PR: kern/147798
MFC of a large number of ipfw and dummynet fixes and enhancements done in CURRENT over the last 4 months. HEAD and RELENG_8 are almost in sync now for ipfw, dummynet the pfil hooks and related components. Among the most noticeable changes:
- r200855 more efficient lookup of skipto rules, and remove O(N) blocks from critical sections in the kernel;
- r204591 large restructuring of the dummynet module, with support for multiple scheduling algorithms (4 available so far)
See the original commit logs for details. Changes in the kernel/userland ABI should be harmless because the kernel is able to understand previous requests from RELENG_8 and RELENG_7. For this reason, this changeset would be applicable to RELENG_7 as well, but I am not sure if it is worthwhile.
MFC of 197952 and 198075
Virtualize the pfil hooks so that different jails may choose different
packet filters. Also allows ipfw to be enabled on one jail and disabled
on another. In 8.0 it's a global setting.
and
Unbreak the VIMAGE build with IPSEC, broken with r197952 by
virtualizing the pfil hooks.
For consistency add the V_ to virtualize the pfil hooks in here as well.
MFC r200055, r200102: - Teach an IPv6 to the debug prints. - Use INET_ADDRSTRLEN and INET6_ADDRSTRLEN rather than hard coded number.
MFC r200027: Teach an IPv6 to send_pkt() and ipfw_tick(). It fixes the issue which keep-alive doesn't work for an IPv6.
some simple MFC:
r200020: change the type of the opcode from enum *:8 to u_int8_t so the size and alignment of the ipfw_insn is not compiler dependent. No changes in the code generated by gcc.
r200023: Add new sockopt names for ipfw and dummynet. This commit is just grabbing entries for the new names that will be used in the future, so you don't need to rebuild anything now.
r200034 Dispatch sockopt calls to ipfw and dummynet using the new option numbers, IP_FW3 and IP_DUMMYNET3. Right now the modules return an error if called with those arguments so there is no danger of unwanted behaviour.
r200040
- initialize src_ip in the main loop to prevent a compiler warning (gcc 4.x under linux, not sure how real is the complaint).
- rename a macro argument to prevent name clashes.
- add the macro name on a couple of #endif
- add a blank line for readability.
MFC r196423 Fix ipfw's initialization functions to get the correct order of evaluation to allow vnet and non vnet operation. Move some functions from ip_fw_pfil.c to ip_fw2.c and mode to mostly using the SYSINIT and VNET_SYSINIT handlers instead of the modevent handler. Correct some spelling errors in comments in the affected code. Note this bug fixes a crash in NON VIMAGE kernels when ipfw is unloaded. This patch is a minimal patch for 8.0 I have a much larger patch that actually fixes the underlying problems that will be applied after 8.0 Reviewed by: zec@, rwatson@, bz@(earlier version) Approved by: re (rwatson)
MFC: Purge mergeinfo in sys/ that is either empty or a subset of the parent mergeinfo on sys/ itself. Approved by: re (mergeinfo blanket)
Stow my time machine and note that r196223 is an MFC of r196224. Pointy hat to: jhb Approved by: re (rwatson)
MFC r196318: Correct accounting error when allocating a page table page to implement a user-space demotion. Approved by: re (rwatson)
MFC r196316: Fix a typo in ifdef mesh support. This would make mesh unworkable if TDMA support was compiled out. Approved by: re (kib)
MFC r196309: getcwd() (when __getcwd() fails) works by stating current directory, going up (..), calling readdir and looking for previous directory inode. In case of .zfs/ directory this doesn't work, because .zfs/ is hidden by default, so it won't be visible in readdir output. Fix this by implementing VPTOCNP for snapshot directories, so __getcwd() doesn't fail and getcwd() doesn't have to use readdir method. This fixes /bin/pwd from within .zfs/snapshot/<name>/. Suggested by: kib Approved by: re (rwatson)
MFC r196307: Manage asynchronous vnode release just like Solaris. Discussed with: kmacy Approved by: re (kib)
MFC r196303: - Reduce z_teardown_lock lock scope a bit. - The error variable is int, not bool. - Convert spaces to tabs where needed. Approved by: re (kib)
MFC r196301: If z_buf is NULL, we should free znode immediately. Noticed by: avg Approved by: re (kib)
MFC r196299: - We need to recycle vnode instead of freeing znode. Submitted by: avg - Add missing vnode interlock unlock. - Remove redundant znode locking. Approved by: re (kib)
MFC r196297: Fix panic in zfs recv code. The last vnode (mountpoint's vnode) can have 0 usecount. Reported by: Thomas Backman <serenity@exscape.org> Approved by: re (kib)
MFC r196295: Remove OpenSolaris taskq port (it performs very poorly in our kernel) and replace it with wrappers around our taskqueue(9). To make it possible implement taskqueue_member() function which returns 1 if the given thread was created by the given taskqueue. Approved by: re (kib)
MFC r196293: Because taskqueue_run() can drop tq_mutex, we need to check if the TQ_FLAGS_ACTIVE flag wasn't removed in the meantime, which means we missed a wakeup. Approved by: re (kib)
MFC r196291: - Fix a race where /dev/zfs control device is created before ZFS is fully initialized. Also destroy /dev/zfs before doing other deinitializations. - Initialization through taskq is no longer needed and there is a race where one of the zpool/zfs command loads zfs.ko and tries to do some work immediately, but /dev/zfs is not there yet. Reported by: pav Approved by: re (kib)
MFC r196289: Remove files that are no longer used. Discussed with: kmacy Approved by: re (kib)
MFC r196276: Fix small style regression introduced by the MPSAFE newbus code. Approved by: re (rwatson)
MFC r196274 Change the usb workers from kernel processes to threads, this is mostly a cosmetic change to reduce cruft in the proc table. Also change the idle wait message to `-` like how taskqueues are. Reviewed by: julian Approved by: re (kib)
MFC revision 196269: Fix misalignment in nvpair_native_embedded() caused by the compiler replacing the bzero(). Approved by: re (kensmith)
MFC rev 196268: Decouple ACPI CPU Ids from FreeBSD's cpuid. The ACPI Ids can be sparse, which causes a kernel assert. Approved by: re (kensmith)
MFC r196260.
* Fix a bug where PR-SCTP settings are ignored when using implicit association setup.
* Fix a bug where message with illegal stream ids are not deleted.
* Fix a crash when reporting back unsent messages from the send_queue.
* Fix a bug related to INIT retransmission when the socket is already closed.
* Fix a bug where associations were stalled when partial delivery API was enabled.
* Fix a bug where the receive buffer size was smaller than the partial_delivery_point.
Approved by: re, rrs (mentor)
- Merge r196246: Properly initialize UART parameters at probe stage, so uart(4) will initialize the FIFO memory correctly on attach. Before that these values were initialized only in at91_usart_bus_attach which is called after the uart(4) memory allocation happens. Approved by: re (kib) MFC after: 1 week
MFC 196234
In function ip_output(), the cached route is flushed when there is a
mismatch between the cached entry and the intended destination. The
cached rtentry{} is flushed but the associated llentry{} is not. This
causes the wrong destination MAC address being used in the output
packets. The fix is to flush the llentry{} when rtentry{} is cleared.
Reviewed by: kmacy, rwatson
Approved by: re
MFC r196230: Appease VNET_DEBUG - in if_vmove we temporarily switch i.e. recurse from one vnet to another which is OK, so no need to flood the console with warnings here. Approved by: re (rwatson), julian (mentor) Approved by: re (rwatson)
MFC r196229: SCTP is not yet compatible with options VIMAGE kernels although it compiles with VIMAGE defined, so explicitly disallow building such kernels. Reviewed by: rrs Approved by: re (rwatson), julian (mentor) Approved by: re (rwatson)
MFC r196228: Make VNET_DEBUG a standalone compile-time option, i.e. decouple it from INVARIANTS. Reviewed by: bz Approved by: re (rwatson), julian (mentor) Approved by: re (rwatson)
MFC r196226: Add a new macro to test that a variable could be loaded atomically. Check that the given variable is at most uintptr_t in size and that it is aligned. Note: ASSERT_ATOMIC_LOAD() uses ALIGN() to check for adequate alignment -- however, the function of ALIGN() is to guarantee alignment, and therefore may lead to stronger alignment enforcement than necessary for types that are smaller than sizeof(uintptr_t). Add checks to mtx, rw and sx locks init functions to detect possible breakage. This was used during debugging of the problem fixed with r196118 where a pointer was on an un-aligned address in the dpcpu area. In collaboration with: rwatson Reviewed by: rwatson Approved by: re (kib)
MFC r196206: Take the number of allocated freeblks into consideration for softdep_slowdown(), to prevent kernel memory exhaustion on mass-truncation. Approved by: re (rwatson)
MFC r196205: In nfs_upgrade_vnlock(), assert that the vnode is locked. When downgrading, pass LK_RETRY to the vn_lock(), since otherwise vn_lock() unlocks the doomed vnode, causing extra unlock. Approved by: re (rwatson)
MFC r196204: Add the address of the lock to the KTR_LOCK trace. Approved by: re (rwatson)
MFC r196203: Correctly handle unlock for !MAKEENTRY case. Approved by: re (rwatson)
MFC of r196201 URL: http://svn.freebsd.org/changeset/base/196201 Fix ipfw crash on uid or gid check. Receiving any ip packet for which there is no existing socket will crash if ipfw has a uid or gid test rule, as the uid/gid of the non existent owner of said non existent socket is tested. Brooks introduced this error as part of his >16 gids patch. It appears to be a cut-n-paste error from similar code a few lines before. The old code used the 'pcb' variable here, but in the new code that switched the 'inp' variable, which is often NULL and what is tested in the code further up. The rest of the multi-gid patch for ipfw seems solid (and cleaner than previous code). p.s. What's up with all the properties changing? It is a fresh checkout. Reviewed by: brooks Approved by: re (rwatson)
MFC r196193: Use correct wbinv operation in pmap_l2cache_wbinv_range(). Submitted by: Michal Hajduk Reviewed by: stas Approved by: re (kib) Obtained from: Semihalf
Merge r196122 from head to stable/8: Correctly audit real gids following changes to the audit record argument interface. Approved by: re (kib)
Merge r196121 from head to stable/8: Reverse misordered unlock and lock in at_control for netatalk phase I addresses. Submitted by: Russell Cattelan <cattelan at thebarn.com> Approved by: re (kib)
InstaMFC 196179: Remove CDDL warning. Approved by: re (kib), core
MFC r196176: Make it possible to change the vnet sysctl variables on jails with their own virtual network stack. Jails only inheriting a network stack cannot change anything that cannot be changed from within a prison. Reviewed by: rwatson, zec Approved by: re (kib)
MFC r196174: Put multiple instructions into a block when iterating; unbreaks NET_RT_DUMP, which otherwise only returned information of AF_MAX. This was broken in r193232 (save your time - my bug, my fix). Reported by: Larry Baird (lab gta.com) Tested by: Larry Baird (lab gta.com) Reviewed by: zec, lstewart, qing PR: kern/137700 Approved by: re (kib)
MFC r196159: Drain link state event changes posted during vap destroy. This is a band-aid for the general problem that if_link_state_change can be called between if_detach and if_free leaving a task queued that has been free'd. Reviewed by: rwatson Approved by: re (rwatson)
MFC r196152 A piece of code was added to install a host route when an IPv6 interface address is configured with a /128 prefix. This is no longer necessary due to r192011. In fact that code conflicts with r192011. This patch removes the host route installation when detecting the /128 prefix, and instead let the code added by r192011 to install the loopback route for that IPv6 interface address. Approved by: re
MFC r196149: Add a check for a NULL mbuf ptr at the beginning of xdrmbuf_inline() so that it returns failure instead of crashing when "m->m_len" is executed and m == NULL. The mbuf ptr can be NULL when a call to xdrmbuf_getbytes() gets the bytes it needs, but they are at the end of a short RPC reply. When this happens, xdrmbuf_getbytes() returns success, but advances the mbuf ptr (xdrs->x_private) to m_next, which is NULL. If this is followed by a call to xdrmbuf_getlong(), it calls xdrmbuf_inline(), which would cause a crash by accessing "m->m_len". Approved by: re (rwatson), kib (mentor)
MFC: r196150 Always embed pointer to BPF JIT function in BPF descriptor to avoid inconsistency when opt_bpf.h is not included. Reviewed by: rwatson Approved by: re (rwatson)
Merge r196142 Add support for radeon RS880 IGP chips to drm. Approved by: re (kib)
Merge r196141 Add some additional radeon pci ids to drm. Approved by: re (kib)
MFC r196135: Make the kernel compile without IP networking by moving a variable under a proper #ifdef. Approved by: re (rwatson)
MFC r196132: Add ddb show dpcpu_off command to ease dpcpu memory debugging. While show pcpu prints pc_dynamic this also prints the original memory address as well as the maths. Once dpcpu goes NUMA this is considered to help debugging as well. Reviewed by: rwatson Approved by: re
MFC r196129: Update DDB show vnet command to print all used and available information. Reviewed by: rwatson, zec Approved by: re
MFC r196118: Put minimum alignment on the dpcpu and vnet section so that ld when adding the __start_ symbol knows the expected section alignment and can place the __start_ symbol correctly. These sections will not support symbols with super-cache line alignment requirements. For full details, see posting to freebsd-current, 2009-08-10, Message-ID: <20090810133111.C93661@maildrop.int.zabbadoz.net>. Debugging and testing patches by: Kamigishi Rei (spambox haruhiism.net), np, lstewart, jhb, kib, rwatson Tested by: Kamigishi Rei, lstewart Reviewed by: kib Approved by: re
Copy head to stable/8 as part of 8.0 Release cycle. Approved by: re (Implicit)
Merge the remainder of kern_vimage.c and vimage.h into vnet.c and vnet.h, we now use jails (rather than vimages) as the abstraction for virtualization management, and what remained was specific to virtual network stacks. Minor cleanups are done in the process, and comments updated to reflect these changes. Reviewed by: bz Approved by: re (vimage blanket)
Startup the vnet part of initialization a bit after the global part. Fixes crash on boot if ipfw compiled in. Submitted by: tegge@ Reviewed by: tegge@ Approved by: re (kib)
Catch ipfw up to the rest of the vimage code. It got left behind when it moved to its new location. Approved by: re (kensmith)
Remove unused VNET_SET() and related macros; only VNET_GET() is ever actually used. Rename VNET_GET() to VNET() to shorten variable references. Discussed with: bz, julian Reviewed by: bz Approved by: re (kensmith, kib)
Build on Jeff Roberson's linker-set based dynamic per-CPU allocator (DPCPU), as suggested by Peter Wemm, and implement a new per-virtual network stack memory allocator. Modify vnet to use the allocator instead of monolithic global container structures (vinet, ...). This change solves many binary compatibility problems associated with VIMAGE, and restores ELF symbols for virtualized global variables. Each virtualized global variable exists as a "reference copy", and also once per virtual network stack. Virtualized global variables are tagged at compile-time, placing them in a special linker set, which is loaded into a contiguous region of kernel memory. Virtualized global variables in the base kernel are linked as normal, but those in modules are copied and relocated to a reserved portion of the kernel's vnet region with the help of the kernel linker. Virtualized global variables exist in per-vnet memory set up when the network stack instance is created, and are initialized statically from the reference copy. Run-time access occurs via an accessor macro, which converts from the current vnet and requested symbol to a per-vnet address. When "options VIMAGE" is not compiled into the kernel, normal global ELF symbols will be used instead and indirection is avoided. This change restores static initialization for network stack global variables, restores support for non-global symbols and types, eliminates the need for many subsystem constructors, eliminates large per-subsystem structures that caused many binary compatibility issues both for monitoring applications (netstat) and kernel modules, removes the per-function INIT_VNET_*() macros throughout the stack, eliminates the need for vnet_symmap ksym(2) munging, and eliminates duplicate definitions of virtualized globals under VIMAGE_GLOBALS. Bump __FreeBSD_version and update UPDATING.
Portions submitted by: bz Reviewed by: bz, zec Discussed with: gnn, jamie, jeff, jhb, julian, sam Suggested by: peter Approved by: re (kensmith)
Update various IPFW-related modules to use if_addr_rlock()/ if_addr_runlock() rather than IF_ADDR_LOCK()/IF_ADDR_UNLOCK(). MFC after: 6 weeks
Rework the credential code to support larger values of NGROUPS and
NGROUPS_MAX, eliminate ABI dependencies on them, and raise them to 1024
and 1023 respectively. (Previously they were equal, but under a close
reading of POSIX, NGROUPS_MAX was defined to be too large by 1 since it
is the number of supplemental groups, not total number of groups.)
The bulk of the change consists of converting the struct ucred member
cr_groups from a static array to a pointer. Do the equivalent in
kinfo_proc.
Introduce new interfaces crcopysafe() and crsetgroups() for duplicating
a process credential before modifying it and for setting group lists
respectively. Both interfaces take care for the details of allocating
groups array. crsetgroups() takes care of truncating the group list
to the current maximum (NGROUPS) if necessary. In the future,
crsetgroups() may be responsible for ensuring invariants such as sorting
the supplemental groups to allow groupmember() to be implemented as a
binary search.
Because we can not change struct xucred without breaking application
ABIs, we leave it alone and introduce a new XU_NGROUPS value which is
always 16 and is to be used or NGRPS as appropriate for things such as
NFS which need to use no more than 16 groups. When feasible, truncate
the group list rather than generating an error.
Minor changes:
- Reduce the number of hand rolled versions of groupmember().
- Do not assign to both cr_gid and cr_groups[0].
- Modify ipfw to cache ucreds instead of part of their contents since
they are immutable once referenced by more than one entity.
Submitted by: Isilon Systems (initial implementation)
X-MFC after: never
PR: bin/113398 kern/133867
small simplifications to the code in charge of reaping deleted rules:
- clear the head pointer immediately before using it, so there is no chance of mistakes;
- call reap_rules() unconditionally. The function can handle a NULL argument just fine, and the cost of the extra call is hardly significant given that we do it rarely and outside the lock.
MFC after: 3 days
Close long existed race with net.inet.ip.fw.one_pass = 0: If packet leaves ipfw to other kernel subsystem (dummynet, netgraph, etc) it carries pointer to matching ipfw rule. If this packet then reinjected back to ipfw, ruleset processing starts from that rule. If rule was deleted meanwhile, due to existed race condition panic was possible (as well as other odd effects like parsing rules in 'reap list'). P.S. this commit changes ABI so userland ipfw related binaries should be recompiled. MFC after: 1 month Tested by: Mikolaj Golub
After r193232 rt_tables in vnet.h are no longer indirectly dependent on the ROUTETABLES kernel option thus there is no need to include opt_route.h anymore in all consumers of vnet.h and no longer depend on it for module builds. Remove the hidden include in flowtable.h as well and leave the two explicit #includes in ip_input.c and ip_output.c.
move kernel ipfw-related sources to a separate directory, adjust conf/files and modules' Makefiles accordingly. No code or ABI changes so this and most of previous related changes can be easily MFC'ed MFC after: 5 days
More cleanup in preparation of ipfw relocation (no actual code change):
+ move ipfw and dummynet hooks declarations to raw_ip.c (definitions in ip_var.h) same as for most other global variables. This removes some dependencies from ip_input.c;
+ remove the IPFW_LOADED macro, just test ip_fw_chk_ptr directly;
+ remove the DUMMYNET_LOADED macro, just test ip_dn_io_ptr directly;
+ move ip_dn_ruledel_ptr to ip_fw2.c which is the only file using it;
To be merged together with rev 193497
MFC after: 5 days
Revert the logical change of r192341. net.inet.ip.fw.one_pass is a classic ip_input.c variable and is used in the pfil and bridge code as well. As ipfw is loadable we need to always provide it. That is the reason why it lives in struct vnet_inet and not in struct vnet_ipfw.
- Fix typo in description of 'net.inet.ip.fw.autoinc_step'. - Use 'vnet_ipfw' instead of 'vnet_inet' for 'net.inet.ip.fw.one_pass'.
Convert IPFW_DEFAULT_TO_ACCEPT into a loader tunable 'net.inet.ip.fw.default_to_accept'. The current value can also be queried via a read-only sysctl of the same name. Requested by: plosher MFC after: 1 week
Optimize packet flow: if net.inet.ip.fw.one_pass != 0 and packet was processed by ipfw once - avoid second ipfw_chk() call. This saves us from unnecessary IPFW_RLOCK(), m_tag_find() calls and ip/tcp/udp header parsing. MFC after: 2 month
In preparation for turning on options VIMAGE in next commits, rearrange / replace / adjust several INIT_VNET_* initializer macros, all of which currently resolve to whitespace. Reviewed by: bz (an older version of the patch) Approved by: julian (mentor)
Prefer actual field names (if_addrhead, ifa_link) to macros aliasing those field names in FreeBSD code. MFC after: 2 weeks
Lock the interface address list when searching for a matching interface by address, or when implementing 'me' rules on IPv6. Prefer the field name if_addrhead to the macro if_addrlist. MFC after: 2 weeks
Implement an ipfw action to reassemble ip packets: reass.
fw_debug has been unused for ages, so remove it from the list of sysctl_variables. I would also remove it from the VNET record but I am unsure if there is any ABI issue -- so for the time being just mark it as unused in ip_fw.h, and then we will collect the garbage at some appropriate time in the future. MFC after: 3 days
For all files including net/vnet.h directly include opt_route.h and net/route.h. Remove the hidden include of opt_route.h and net/route.h from net/vnet.h. We need to make sure that both opt_route.h and net/route.h are included before net/vnet.h because of the way MRT figures out the number of FIBs from the kernel option. If we do not, we end up with the default number of 1 when including net/vnet.h and array sizes are wrong. This does not change the list of files which depend on opt_route.h but we can identify them now more easily.
correct some #include
use a const format string in the log message so we can check the arguments (if/when we enable those checks)
remove unnecessary #include, and document some of the others
initialize a couple of variables, gcc 4.2.4-4 (linux) reports some possible uninitialized uses and the warning does make sense.
For some reason (probably dating ages ago) an #ifdef SYSCTL_NODE / #endif section included a lot of stuff that did not belong there. So split the block in multiple components each around the relevant stuff. This said, I wonder if building a kernel where SYSCTL_NODE is not defined is supported at all. Submitted by: Marta Carbone
ipfw doesn't use the radix node head lock to protect the radix tree - remove acquisition
The main goals of this project are:
1. separating L2 tables (ARP, NDP) from the L3 routing tables
2. removing as much locking dependencies among these layers as
possible to allow for some parallelism in the search operations
3. simplify the logic in the routing code,
The most notable end result is the obsolescence of the route
cloning (RTF_CLONING) concept, which translated into code reduction
in both IPv4 ARP and IPv6 NDP related modules, and size reduction in
struct rtentry{}. The change in design obsoletes the semantics of
RTF_CLONING, RTF_WASCLONE and RTF_LLINFO routing flags. The userland
applications such as "arp" and "ndp" have been modified to reflect
those changes. The output from "netstat -r" shows only the routing
entries.
Quite a few developers have contributed to this project in the
past: Glebius Smirnoff, Luigi Rizzo, Alessandro Cerri, and
Andre Oppermann. And most recently:
- Kip Macy revised the locking code completely, thus completing
the last piece of the puzzle, Kip has also been conducting
active functional testing
- Sam Leffler has helped me improving/refactoring the code, and
provided valuable reviews
- Julian Elischer setup the perforce tree for me and has helped
me maintaining that branch before the svn conversion
version that will compile
radix node head lock needs to be held when calling rnh_addaddr