#
272461 |
|
02-Oct-2014 |
gjb |
Copy stable/10@r272459 to releng/10.1 as part of the 10.1-RELEASE process.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation |
#
256281 |
|
10-Oct-2013 |
gjb |
Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation
|
#
255926 |
|
28-Sep-2013 |
glebius |
Fix a fallout from r241610. One enc interface must be created on startup.
Pointy hat to: glebius Reported by: gavin Approved by: re (gjb)
|
#
249925 |
|
26-Apr-2013 |
glebius |
Add const qualifier to the dst parameter of the ifnet if_output method.
|
#
241610 |
|
16-Oct-2012 |
glebius |
Make the "struct if_clone" opaque to users of the cloning API. Users now use function calls:
if_clone_simple()
if_clone_advanced()
to initialize a cloner, instead of macros that initialize if_clone structure.
Discussed with: brooks, bz, 1 year ago
|
#
241394 |
|
10-Oct-2012 |
kevlo |
Revert previous commit...
Pointyhat to: kevlo (myself)
|
#
241370 |
|
09-Oct-2012 |
kevlo |
Prefer NULL over 0 for pointers
|
#
241245 |
|
06-Oct-2012 |
glebius |
A step in resolving mess with byte ordering for AF_INET. After this change:
- All packets in NETISR_IP queue are in net byte order.
- ip_input() is entered in net byte order and converts packet to host byte order right _after_ processing pfil(9) hooks.
- ip_output() is entered in host byte order and converts packet to net byte order right _before_ processing pfil(9) hooks.
- ip_fragment() accepts and emits packet in net byte order.
- ip_forward(), ip_mloopback() use host byte order (untouched actually).
- ip_fastforward() no longer modifies packet at all (except ip_ttl).
- Swapping of byte order there and back removed from the following modules: pf(4), ipfw(4), enc(4), if_bridge(4).
- Swapping of byte order added to ipfilter(4), based on __FreeBSD_version
- __FreeBSD_version bumped.
- pfil(9) manual page updated.
Reviewed by: ray, luigi, eri, melifaro Tested by: glebius (LE), ray (BE)
|
#
241130 |
|
02-Oct-2012 |
jhb |
Rename the module for 'device enc' to "if_enc" to avoid conflicting with the CAM "enc" peripheral (part of ses(4)). Previously the two modules used the same name, so only one was included in a linked kernel causing enc0 to not be created if you added IPSEC to GENERIC. The new module name follows the pattern of other network interfaces (e.g. "if_loop").
MFC after: 1 week
|
#
227309 |
|
07-Nov-2011 |
ed |
Mark all SYSCTL_NODEs static that have no corresponding SYSCTL_DECLs.
The SYSCTL_NODE macro defines a list that stores all child-elements of that node. If there's no SYSCTL_DECL macro anywhere else, there's no reason why it shouldn't be static.
|
#
221130 |
|
27-Apr-2011 |
bz |
Make various (pseudo) interfaces compile without INET in the kernel adding appropriate #ifdefs. For module builds the framework needs adjustments for at least carp.
Reviewed by: gnn Sponsored by: The FreeBSD Foundation Sponsored by: iXsystems MFC after: 4 days
|
#
217586 |
|
19-Jan-2011 |
mdf |
sysctl(8) should use the CTLTYPE to determine the type of data when reading. (This was already done for writing to a sysctl). This requires all SYSCTL setups to specify a type. Most of them are now checked at compile-time.
Remove SYSCTL_*X* sysctl additions as the print being in hex should be controlled by the -x flag to sysctl(8).
Suggested by: bde
|
#
198075 |
|
14-Oct-2009 |
bz |
Unbreak the VIMAGE build with IPSEC, broken with r197952 by virtualizing the pfil hooks. For consistency add the V_ to virtualize the pfil hooks in here as well.
MFC after: 55 days X-MFC after: julian MFCed r197952.
|
#
196019 |
|
01-Aug-2009 |
rwatson |
Merge the remainder of kern_vimage.c and vimage.h into vnet.c and vnet.h, we now use jails (rather than vimages) as the abstraction for virtualization management, and what remained was specific to virtual network stacks. Minor cleanups are done in the process, and comments updated to reflect these changes.
Reviewed by: bz Approved by: re (vimage blanket)
|
#
195699 |
|
14-Jul-2009 |
rwatson |
Build on Jeff Roberson's linker-set based dynamic per-CPU allocator (DPCPU), as suggested by Peter Wemm, and implement a new per-virtual network stack memory allocator. Modify vnet to use the allocator instead of monolithic global container structures (vinet, ...). This change solves many binary compatibility problems associated with VIMAGE, and restores ELF symbols for virtualized global variables.
Each virtualized global variable exists as a "reference copy", and also once per virtual network stack. Virtualized global variables are tagged at compile-time, placing them in a special linker set, which is loaded into a contiguous region of kernel memory. Virtualized global variables in the base kernel are linked as normal, but those in modules are copied and relocated to a reserved portion of the kernel's vnet region with the help of the kernel linker.
Virtualized global variables exist in per-vnet memory set up when the network stack instance is created, and are initialized statically from the reference copy. Run-time access occurs via an accessor macro, which converts from the current vnet and requested symbol to a per-vnet address. When "options VIMAGE" is not compiled into the kernel, normal global ELF symbols will be used instead and indirection is avoided.
This change restores static initialization for network stack global variables, restores support for non-global symbols and types, eliminates the need for many subsystem constructors, eliminates large per-subsystem structures that caused many binary compatibility issues both for monitoring applications (netstat) and kernel modules, removes the per-function INIT_VNET_*() macros throughout the stack, eliminates the need for vnet_symmap ksym(2) munging, and eliminates duplicate definitions of virtualized globals under VIMAGE_GLOBALS.
Bump __FreeBSD_version and update UPDATING.
Portions submitted by: bz Reviewed by: bz, zec Discussed with: gnn, jamie, jeff, jhb, julian, sam Suggested by: peter Approved by: re (kensmith)
|
#
194357 |
|
17-Jun-2009 |
bz |
Add the explicit include of vimage.h to another five .c files still missing it.
Remove the "hidden" kernel only include of vimage.h from ip_var.h added with the very first Vimage commit r181803 to avoid further kernel poisoning.
|
#
191148 |
|
16-Apr-2009 |
kmacy |
Change if_output to take a struct route as its fourth argument in order to allow passing a cached struct llentry * down to L2
Reviewed by: rwatson
|
#
181627 |
|
12-Aug-2008 |
vanhu |
Increase statistic counters for enc0 interface when enabled and processing IPSec traffic.
Approved by: gnn (mentor) MFC after: 1 week
|
#
177584 |
|
24-Mar-2008 |
jkim |
Remove redundant inclusions of net/bpfdesc.h.
|
#
174913 |
|
26-Dec-2007 |
thompsa |
Fix a panic where if the mbuf was consumed by the filter for requeueing (dummynet), ipsec_filter() would return the empty error code and the ipsec code would continue to forward/dereference the null mbuf.
Found by: m0n0wall Reviewed by: bz MFC after: 3 days
|
#
174054 |
|
28-Nov-2007 |
bz |
Add sysctls to if_enc(4) to control whether the firewalls or bpf will see inner and outer headers or just inner or outer headers for incoming and outgoing IPsec packets.
This is useful in bpf to not have over long lines for debugging or selecting packets based on the inner headers. It also properly defines the behavior of what the firewalls see.
Last but not least it gives you if_enc(4) for IPv6 as well.
[ As some auxiliary state was not available in the later input path we save it in the tdbi. That way tcpdump can give a consistent view of either of (authentic,confidential) for both before and after states. ]
Discussed with: thompsa (2007-04-25, basic idea of unifying paths) Reviewed by: thompsa, gnn
|
#
165632 |
|
29-Dec-2006 |
jhb |
Various bpf(4) related fixes to catch places up to the new bpf(4) semantics.
- Stop testing bpf pointers for NULL. In some cases use bpf_peers_present() and then call the function directly inside the conditional block instead of the macro.
- For places where the entire conditional block is the macro, remove the test and make the macro unconditional.
- Use BPF_MTAP() in if_pfsync on FreeBSD instead of an expanded version of the old semantics.
Reviewed by: csjp (older version)
|
#
160233 |
|
10-Jul-2006 |
thompsa |
Catch up with the revised network interface cloning which takes an optional opaque parameter that can specify configuration parameters.
|
#
160099 |
|
04-Jul-2006 |
thompsa |
Fix a braino in the last revision, enc_clone_destroy needs to return void instead of int. The clone system will ensure that our first interface is not destroyed so we don't need the extra checking anyway.
Tested by: Scott Ullrich
|
#
160011 |
|
28-Jun-2006 |
thompsa |
A small race existed where the lock was dropped between when encif was tested and then set. [1]
Reorganise things to eliminate this, we now ensure that enc0 can not be destroyed which has the benefit of no longer needing to lock in ipsec_filter and ipsec_bpf. The cloner will create one interface during the init so we can guarantee that encif will be valid before any SPD entries are added to ipsec.
Spotted by: glebius [1]
|
#
159969 |
|
26-Jun-2006 |
thompsa |
Simplify ipsec_bpf by using bpf_mtap2().
|
#
159965 |
|
26-Jun-2006 |
thompsa |
Add a pseudo interface for packet filtering IPSec connections before or after encryption. There are two functions, a bpf tap which has a basic header with the SPI number which our current tcpdump knows how to display, and handoff to pfil(9) for packet filtering.
Obtained from: OpenBSD Based on: kern/94829 No objections: arch, net MFC after: 1 month
|