#
368183 |
|
30-Nov-2020 |
tuexen |
MFC r367530: RFC 7323 specifies that: * TCP segments without timestamps should be dropped when support for the timestamp option has been negotiated. * TCP segments with timestamps should be processed normally if support for the timestamp option has not been negotiated. This patch enforces the above. Manually resolved merge conflicts.
MFC 367891: Fix an issue I introuced in r367530: tcp_twcheck() can be called with to == NULL for SYN segments. So don't assume tp != NULL. Thanks to jhb@ for reporting and suggesting a fix.
MFC r367946: Fix two occurences of a typo in a comment introduced in r367530. Thanks to lstewart@ for reporting them.
PR: 250499 Reviewed by: gnn, rrs Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D27148
|
#
360768 |
|
07-May-2020 |
tuexen |
MFC r358621:
When using automatically generated flow labels and using TCP SYN cookies, use the same flow label for the segments sent during the handshake and after the handshake. This fixes a bug by making sure that sc_flowlabel is always stored in network byte order.
Reviewed by: bz Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D23957
|
#
358740 |
|
08-Mar-2020 |
tuexen |
MFC r358614:
Don't send an uninitialised traffic class in the IPv6 header, when sending a TCP segment from the TCP SYN cache (like a SYN-ACK). This fix initialises it to zero. This is correct for the ECN bits, but is does not honor the DSCP what an application might have set via the IPPROTO_IPV6 level socket options IPV6_TCLASS. That will be fixed separately.
Reviewed by: Richard Scheffenegger Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D23900
|
#
348435 |
|
30-May-2019 |
tuexen |
MFC r338053:
Don't expose the uptime via the TCP timestamps.
The TCP client side or the TCP server side when not using SYN-cookies used the uptime as the TCP timestamp value. This patch uses in all cases an offset, which is the result of a keyed hash function taking the source and destination addresses and port numbers into account. The keyed hash function is the same a used for the initial TSN.
The use of VNET_DEFINE_STATIC(u_char, ts_offset_secret[32]); had to be replaced by VNET_DEFINE(u_char, ts_offset_secret[32]);
MFC r348290:
When an ACK segment as the third message of the three way handshake is received and support for time stamps was negotiated in the SYN/SYNACK exchange, perform the PAWS check and only expand the syn cache entry if the check is passed. Without this check, endpoints may get stuck on the incomplete queue.
Reviewed by: jtl@, rrs@ Approved by: re (kib@)) Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D16636 Differential Revision: https://reviews.freebsd.org/D20374
|
#
347157 |
|
05-May-2019 |
tuexen |
MFC r336932: Add missing send/recv dtrace probes for TCP.
These missing probe are mostly in the syncache and timewait code.
Reviewed by: markj@, rrs@ Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D16369
|
#
347153 |
|
05-May-2019 |
tuexen |
MFC r335194: When retransmitting TCP SYN-ACK segments with the TCP timestamp option enabled use an updated timestamp instead of reusing the one used in the initial TCP SYN-ACK segment.
This patch ensures that an updated timestamp is used when sending the SYN-ACK from the syncache code. It was already done if the SYN-ACK was retransmitted from the generic code.
This makes the behaviour consistent and also conformant with the TCP specification.
Reviewed by: jtl@, Jason Eggleston Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D15634
|
#
343431 |
|
25-Jan-2019 |
tuexen |
MFC r338137:
Fix the inheritance of IPv6 level socket options on TCP sockets.
This was broken for IPv6 listening socket, which are not IPV6_ONLY, and the accepted TCP connection was using IPv4.
Reviewed by: bz@, rrs@ Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D16792
|
#
334731 |
|
06-Jun-2018 |
tuexen |
MFC r334497:
Limit the retransmission timer for SYN-ACKs by TCPTV_REXMTMAX.
Use the same logic to handle the SYN-ACK retransmission when sent from the syn cache code as when sent from the main code.
Sponsored by: Netflix, Inc.
|
#
334730 |
|
06-Jun-2018 |
tuexen |
MFC r334494:
Ensure net.inet.tcp.syncache.rexmtlimit is limited by TCP_MAXRXTSHIFT.
If the sysctl variable is set to a value larger than TCP_MAXRXTSHIFT+1, the array tcp_syn_backoff[] is accessed out of bounds.
Discussed with: jtl@ Sponsored by: Netflix, Inc.
|
#
332238 |
|
07-Apr-2018 |
tuexen |
MFC r331061:
Set the inp_vflag consistently for accepted TCP/IPv6 connections when net.inet6.ip6.v6only=0.
Without this patch, the inp_vflag would have INP_IPV4 and the INP_IPV6 flags for accepted TCP/IPv6 connections if the sysctl variable net.inet6.ip6.v6only is 0. This resulted in netstat to report the source and destination addresses as IPv4 addresses, even they are IPv6 addresses.
PR: 226421 Reviewed by: bz, hiren, kib Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D13514
|
#
324521 |
|
11-Oct-2017 |
sephe |
MFC 324050
tcp: Don't "negotiate" MSS.
_NO_ OSes actually "negotiate" MSS.
RFC 879: "... This Maximum Segment Size (MSS) announcement (often mistakenly called a negotiation) ..."
This negotiation behaviour was introduced 11 years ago by r159955 without any explaination about why FreeBSD had to "negotiate" MSS:
In syncache_respond() do not reply with a MSS that is larger than what the peer announced to us but make it at least tcp_minmss in size.
Sponsored by: TCP/IP Optimization Fundraise 2005
The tcp_minmss behaviour is still kept.
Syncookie fix was prodded by tuexen, who also helped to test this patch w/ packetdrill.
Reviewed by: tuexen, karels, bz (previous version) Sponsored by: Microsoft Differential Revision: https://reviews.freebsd.org/D12430
|
#
319654 |
|
07-Jun-2017 |
tuexen |
MFC r319556: Fix the ICMP6 handling for TCP.
The ICMP6 packets might not be contained in a single mbuf. So don't assume this. Keep the IPv4 and IPv6 code in sync and make explicit that the syncache code only need the TCP sequence number, not the complete TCP header.
Approved by: re (marius)
|
#
319401 |
|
01-Jun-2017 |
tuexen |
MFC r317244:
Represent "a syncache overflow hasn't happend yet" by using -(SYNCOOKIE_LIFETIME + 1) instead of INT64_MIN, since it is good enough and works when time_t is int32 or int64. This fixes the issue reported by cy@ on i386.
Reported by: cy
|
#
319400 |
|
01-Jun-2017 |
tuexen |
MFC r317208:
Syncoockies can be used in combination with the syncache. If the cache overflows, syncookies are used. This patch restricts the usage of syncookies in this case: accept syncookies only if there was an overflow of the syncache recently. This mitigates a problem reported in PR217637, where is syncookie was accepted without any recent drops. Thanks to glebius@ for suggesting an improvement.
PR: 217637 Reviewed by: gnn, glebius Differential Revision: https://reviews.freebsd.org/D10272
|
#
315514 |
|
18-Mar-2017 |
ae |
MFC r304572 (by bz): Remove the kernel optoion for IPSEC_FILTERTUNNEL, which was deprecated more than 7 years ago in favour of a sysctl in r192648.
MFC r305122: Remove redundant sanity checks from ipsec[46]_common_input_cb().
This check already has been done in the each protocol callback.
MFC r309144,309174,309201 (by fabient): IPsec RFC6479 support for replay window sizes up to 2^32 - 32 packets.
Since the previous algorithm, based on bit shifting, does not scale with large replay windows, the algorithm used here is based on RFC 6479: IPsec Anti-Replay Algorithm without Bit Shifting. The replay window will be fast to be updated, but will cost as many bits in RAM as its size.
The previous implementation did not provide a lock on the replay window, which may lead to replay issues.
Obtained from: emeric.poupon@stormshield.eu Sponsored by: Stormshield Differential Revision: https://reviews.freebsd.org/D8468
MFC r309143,309146 (by fabient): In a dual processor system (2*6 cores) during IPSec throughput tests, we see a lot of contention on the arc4 lock, used to generate the IV of the ESP output packets.
The idea of this patch is to split this mutex in order to reduce the contention on this lock.
Update r309143 to prevent false sharing.
Reviewed by: delphij, markm, ache Approved by: so Obtained from: emeric.poupon@stormshield.eu Sponsored by: Stormshield Differential Revision: https://reviews.freebsd.org/D8130
MFC r313330: Merge projects/ipsec into head/.
Small summary -------------
o Almost all IPsec releated code was moved into sys/netipsec. o New kernel modules added: ipsec.ko and tcpmd5.ko. New kernel option IPSEC_SUPPORT added. It enables support for loading and unloading of ipsec.ko and tcpmd5.ko kernel modules. o IPSEC_NAT_T option was removed. Now NAT-T support is enabled by default. The UDP_ENCAP_ESPINUDP_NON_IKE encapsulation type support was removed. Added TCP/UDP checksum handling for inbound packets that were decapsulated by transport mode SAs. setkey(8) modified to show run-time NAT-T configuration of SA. o New network pseudo interface if_ipsec(4) added. For now it is build as part of ipsec.ko module (or with IPSEC kernel). It implements IPsec virtual tunnels to create route-based VPNs. o The network stack now invokes IPsec functions using special methods. The only one header file <netipsec/ipsec_support.h> should be included to declare all the needed things to work with IPsec. o All IPsec protocols handlers (ESP/AH/IPCOMP protosw) were removed. Now these protocols are handled directly via IPsec methods. o TCP_SIGNATURE support was reworked to be more close to RFC. o PF_KEY SADB was reworked: - now all security associations stored in the single SPI namespace, and all SAs MUST have unique SPI. - several hash tables added to speed up lookups in SADB. - SADB now uses rmlock to protect access, and concurrent threads can do SA lookups in the same time. - many PF_KEY message handlers were reworked to reflect changes in SADB. - SADB_UPDATE message was extended to support new PF_KEY headers: SADB_X_EXT_NEW_ADDRESS_SRC and SADB_X_EXT_NEW_ADDRESS_DST. They can be used by IKE daemon to change SA addresses. o ipsecrequest and secpolicy structures were cardinally changed to avoid locking protection for ipsecrequest. Now we support only limited number (4) of bundled SAs, but they are supported for both INET and INET6. o INPCB security policy cache was introduced. Each PCB now caches used security policies to avoid SP lookup for each packet. o For inbound security policies added the mode, when the kernel does check for full history of applied IPsec transforms. o References counting rules for security policies and security associations were changed. The proper SA locking added into xform code. o xform code was also changed. Now it is possible to unregister xforms. tdb_xxx structures were changed and renamed to reflect changes in SADB/SPDB, and changed rules for locking and refcounting.
Obtained from: Yandex LLC Relnotes: yes Sponsored by: Yandex LLC Differential Revision: https://reviews.freebsd.org/D9352
MFC r313331: Add removed headers into the ObsoleteFiles.inc.
MFC r313561 (by glebius): Move tcp_fields_to_net() static inline into tcp_var.h, just below its friend tcp_fields_to_host(). There is third party code that also uses this inline.
MFC r313697: Remove IPsec related PCB code from SCTP.
The inpcb structure has inp_sp pointer that is initialized by ipsec_init_pcbpolicy() function. This pointer keeps strorage for IPsec security policies associated with a specific socket. An application can use IP_IPSEC_POLICY and IPV6_IPSEC_POLICY socket options to configure these security policies. Then ip[6]_output() uses inpcb pointer to specify that an outgoing packet is associated with some socket. And IPSEC_OUTPUT() method can use a security policy stored in the inp_sp. For inbound packet the protocol-specific input routine uses IPSEC_CHECK_POLICY() method to check that a packet conforms to inbound security policy configured in the inpcb.
SCTP protocol doesn't specify inpcb for ip[6]_output() when it sends packets. Thus IPSEC_OUTPUT() method does not consider such packets as associated with some socket and can not apply security policies from inpcb, even if they are configured. Since IPSEC_CHECK_POLICY() method is called from protocol-specific input routine, it can specify inpcb pointer and associated with socket inbound policy will be checked. But there are two problems: 1. Such check is asymmetric, becasue we can not apply security policy from inpcb for outgoing packet. 2. IPSEC_CHECK_POLICY() expects that caller holds INPCB lock and access to inp_sp is protected. But for SCTP this is not correct, becasue SCTP uses own locks to protect inpcb.
To fix these problems remove IPsec related PCB code from SCTP. This imply that IP_IPSEC_POLICY and IPV6_IPSEC_POLICY socket options will be not applicable to SCTP sockets. To be able correctly check inbound security policies for SCTP, mark its protocol header with the PR_LASTHDR flag.
Differential Revision: https://reviews.freebsd.org/D9538
MFC r313746: Add missing check to fix the build with IPSEC_SUPPORT and without MAC.
MFC r313805: Fix LINT build for powerpc.
Build kernel modules support only when both IPSEC and TCP_SIGNATURE are not defined.
MFC r313922: For translated packets do not adjust UDP checksum if it is zero.
In case when decrypted and decapsulated packet is an UDP datagram, check that its checksum is not zero before doing incremental checksum adjustment.
MFC r314339: Document that the size of AH ICV for HMAC-SHA2-NNN should be half of NNN bits as described in RFC4868.
PR: 215978
MFC r314812: Introduce the concept of IPsec security policies scope.
Currently are defined three scopes: global, ifnet, and pcb. Generic security policies that IKE daemon can add via PF_KEY interface or an administrator creates with setkey(8) utility have GLOBAL scope. Such policies can be applied by the kernel to outgoing packets and checked agains inbound packets after IPsec processing. Security policies created by if_ipsec(4) interfaces have IFNET scope. Such policies are applied to packets that are passed through if_ipsec(4) interface. And security policies created by application using setsockopt() IP_IPSEC_POLICY option have PCB scope. Such policies are applied to packets related to specific socket. Currently there is no way to list PCB policies via setkey(8) utility.
Modify setkey(8) and libipsec(3) to be able distinguish the scope of security policies in the `setkey -DP` listing. Add two optional flags: '-t' to list only policies related to virtual *tunneling* interfaces, i.e. policies with IFNET scope, and '-g' to list only policies with GLOBAL scope. By default policies from all scopes are listed.
To implement this PF_KEY's sadb_x_policy structure was modified. sadb_x_policy_reserved field is used to pass the policy scope from the kernel to userland. SADB_SPDDUMP message extended to support filtering by scope: sadb_msg_satype field is used to specify bit mask of requested scopes.
For IFNET policies the sadb_x_policy_priority field of struct sadb_x_policy is used to pass if_ipsec's interface if_index to the userland. For GLOBAL policies sadb_x_policy_priority is used only to manage order of security policies in the SPDB. For IFNET policies it is not used, so it can be used to keep if_index.
After this change the output of `setkey -DP` now looks like: # setkey -DPt 0.0.0.0/0[any] 0.0.0.0/0[any] any in ipsec esp/tunnel/87.250.242.144-87.250.242.145/unique:145 spid=7 seq=3 pid=58025 scope=ifnet ifname=ipsec0 refcnt=1 # setkey -DPg ::/0 ::/0 icmp6 135,0 out none spid=5 seq=1 pid=872 scope=global refcnt=1
Obtained from: Yandex LLC Sponsored by: Yandex LLC Differential Revision: https://reviews.freebsd.org/D9805
PR: 212018 Relnotes: yes Sponsored by: Yandex LLC
|
#
309548 |
|
04-Dec-2016 |
hiren |
MFC r308943
For RTT calculations mid-session, we explicitly ignore ACKs with tsecr of 0 as many borken middle-boxes tend to do that. But during 3whs, in syncache_expand(), we don't do that which causes us to send a RST to such a client. Relax this constraint by only using tsecr to compare against timestamp that we sent when it is not 0. As a result, we'd now accept the final ACK of 3whs with tsecr of 0.
Sponsored by: Limelight Networks
|
#
308426 |
|
07-Nov-2016 |
jch |
MFC r307966:
Remove an extraneous call to soisconnected() in syncache_socket(), introduced with r261242. The useful and expected soisconnected() call is done in tcp_do_segment().
Has been found as part of unrelated PR:212920 investigation.
Improve slightly (~2%) the maximum number of TCP accept per second.
Tested by: kevin.bowling_kev009.com, jch Approved by: gnn, hiren MFC after: 1 week Sponsored by: Verisign, Inc Differential Revision: https://reviews.freebsd.org/D8072
|
#
306922 |
|
09-Oct-2016 |
jch |
MFC r306443:
Fix an issue with accept_filter introduced with r261242:
As a side effect of r261242 when using accept_filter the first call to soisconnected() is done earlier in tcp_input() instead of tcp_do_segment() context. Restore the expected behaviour.
Note: This call to soisconnected() seems to be extraneous in all cases (with or without accept_filter). Will be addressed in a separate commit.
PR: 212920 Reported by: Alexey Tested by: Alexey, jch Sponsored by: Verisign, Inc.
|
#
302408 |
|
07-Jul-2016 |
gjb |
Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle. Prune svn:mergeinfo from the new branch, as nothing has been merged here.
Additional commits post-branch will follow.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation |
#
299315 |
|
10-May-2016 |
sephe |
tcp/syncache: Add comment for syncache_respond
Suggested by: hiren, hps Reviewed by: sbruno Sponsored by: Microsoft OSTC Differential Revision: https://reviews.freebsd.org/D6148
|
#
298995 |
|
03-May-2016 |
pfg |
sys/net*: minor spelling fixes.
No functional change.
|
#
298769 |
|
29-Apr-2016 |
sephe |
tcp/syncache: Set flowid and hash type properly for SYN|ACK
So the underlying drivers can use it to select the sending queue properly for SYN|ACK instead of rolling their own hash.
Sponsored by: Microsoft OSTC Differential Revision: https://reviews.freebsd.org/D6120
|
#
298354 |
|
20-Apr-2016 |
pfg |
Indentation issues.
Contract some lines leftover from r298310.
Mea culpa.
|
#
298310 |
|
19-Apr-2016 |
pfg |
kernel: use our nitems() macro when it is available through param.h.
No functional change, only trivial cases are done in this sweep,
Discussed in: freebsd-current
|
#
297736 |
|
09-Apr-2016 |
bz |
Mfp: r296309
While there is no dependency interaction, stopping the timer before freeing the rest of the resources seems more natural and avoids it being scheduled an extra time when it is no longer needed.
Reviewed by: gnn, emaste MFC after: 2 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D5733
|
#
296881 |
|
14-Mar-2016 |
glebius |
Redo r294869. The array of counters for TCP states doesn't belong to struct tcpstat, because the structure can be zeroed out by netstat(1) -z, and of course running connection counts shouldn't be touched.
Place running connection counts into separate array, and provide separate read-only sysctl oid for it.
|
#
294870 |
|
26-Jan-2016 |
glebius |
Grab a snap amount of TCP connections in syncache from tcpstat.
|
#
294869 |
|
26-Jan-2016 |
glebius |
Augment struct tcpstat with tcps_states[], which is used for book-keeping the amount of TCP connections by state. Provides a cheap way to get connection count without traversing the whole pcb list.
Sponsored by: Netflix
|
#
292706 |
|
24-Dec-2015 |
pkelsey |
Implementation of server-side TCP Fast Open (TFO) [RFC7413].
TFO is disabled by default in the kernel build. See the top comment in sys/netinet/tcp_fastopen.c for implementation particulars.
Reviewed by: gnn, jch, stas MFC after: 3 days Sponsored by: Verisign, Inc. Differential Revision: https://reviews.freebsd.org/D4350
|
#
292309 |
|
15-Dec-2015 |
rrs |
First cut of the modularization of our TCP stack. Still to do is to clean up the timer handling using the async-drain. Other optimizations may be coming to go with this. Whats here will allow differnet tcp implementations (one included). Reviewed by: jtl, hiren, transports Sponsored by: Netflix Inc. Differential Revision: D4055
|
#
287481 |
|
05-Sep-2015 |
glebius |
Use Jenkins hash for TCP syncache.
o Unlike xor, in Jenkins hash every bit of input affects virtually every bit of output, thus salting the hash actually works. With xor salting only provides a false sense of security, since if hash(x) collides with hash(y), then of course, hash(x) ^ salt would also collide with hash(y) ^ salt. [1] o Jenkins provides much better distribution than xor, very close to ideal.
TCP connection setup/teardown benchmark has shown a 10% increase with default hash size, and with bigger hashes that still provide possibility for collisions. With enormous hash size, when dataset is by an order of magnitude smaller than hash size, the benchmark has shown 4% decrease in performance decrease, which is expected and acceptable.
Noticed by: Jeffrey Knockel <jeffk cs.unm.edu> [1] Benchmarks by: jch Reviewed by: jch, pkelsey, delphij Security: strengthens protection against hash collision DoS Sponsored by: Nginx, Inc.
|
#
286227 |
|
03-Aug-2015 |
jch |
Decompose TCP INP_INFO lock to increase short-lived TCP connections scalability:
- The existing TCP INP_INFO lock continues to protect the global inpcb list stability during full list traversal (e.g. tcp_pcblist()).
- A new INP_LIST lock protects inpcb list actual modifications (inp allocation and free) and inpcb global counters.
It allows to use TCP INP_INFO_RLOCK lock in critical paths (e.g. tcp_input()) and INP_INFO_WLOCK only in occasional operations that walk all connections.
PR: 183659 Differential Revision: https://reviews.freebsd.org/D2599 Reviewed by: jhb, adrian Tested by: adrian, nitroboost-gmail.com Sponsored by: Verisign, Inc.
|
#
277938 |
|
30-Jan-2015 |
hiren |
Make syncookie_mac() use 'tcp_seq irs' in computing hash. This fixes what seems like a simple oversight when the function was added in r253210.
Reported by: Daniel Borkmann <dborkman@redhat.com> Florian Westphal <fw@strlen.de> Differential Revision: https://reviews.freebsd.org/D1628 Reviewed by: gnn MFC after: 1 month Sponsored by: Limelight Networks
|
#
275358 |
|
01-Dec-2014 |
hselasky |
Start process of removing the use of the deprecated "M_FLOWID" flag from the FreeBSD network code. The flag is still kept around in the "sys/mbuf.h" header file, but does no longer have any users. Instead the "m_pkthdr.rsstype" field in the mbuf structure is now used to decide the meaning of the "m_pkthdr.flowid" field. To modify the "m_pkthdr.rsstype" field please use the existing "M_HASHTYPE_XXX" macros as defined in the "sys/mbuf.h" header file.
This patch introduces new behaviour in the transmit direction. Previously network drivers checked if "M_FLOWID" was set in "m_flags" before using the "m_pkthdr.flowid" field. This check has now now been replaced by checking if "M_HASHTYPE_GET(m)" is different from "M_HASHTYPE_NONE". In the future more hashtypes will be added, for example hashtypes for hardware dedicated flows.
"M_HASHTYPE_OPAQUE" indicates that the "m_pkthdr.flowid" value is valid and has no particular type. This change removes the need for an "if" statement in TCP transmit code checking for the presence of a valid flowid value. The "if" statement mentioned above is now a direct variable assignment which is then later checked by the respective network drivers like before.
Additional notes: - The SCTP code changes will be committed as a separate patch. - Removal of the "M_FLOWID" flag will also be done separately. - The FreeBSD version has been bumped.
MFC after: 1 month Sponsored by: Mellanox Technologies
|
#
274225 |
|
07-Nov-2014 |
glebius |
Remove SYSCTL_VNET_* macros, and simply put CTLFLAG_VNET where needed.
Sponsored by: Nginx, Inc.
|
#
273903 |
|
31-Oct-2014 |
ae |
Fix typo.
|
#
272201 |
|
27-Sep-2014 |
melifaro |
* Split tcp_signature_compute() into 2 pieces: - tcp_get_sav() - SADB key lookup - tcp_signature_do_compute() - actual computation * Fix TCP signature case for listening socket: do not assume EVERY connection coming to socket with TCP_SIGNATURE set to be md5 signed regardless of SADB key existance for particular address. This fixes the case for routing software having _some_ BGP sessions secured by md5. * Simplify TCP_SIGNATURE handling in tcp_input()
MFC after: 2 weeks
|
#
271119 |
|
04-Sep-2014 |
jhb |
In tcp_input(), don't acquire the pcbinfo global write lock for SYN packets targeting a listening socket. Permit to reduce TCP input processing starvation in context of high SYN load (e.g. short-lived TCP connections or SYN flood).
Submitted by: Julien Charbon <jcharbon@verisign.com> Reviewed by: adrian, hiren, jhb, Mike Bentkofsky
|
#
266619 |
|
24-May-2014 |
bz |
syncache_lookup() is a file local function. Make it static and take it out of the public KPI; seems it was never used elsewhere.
MFC after: 2 weeks
|
#
266420 |
|
18-May-2014 |
adrian |
Ensure that the flowid hashtype is assigned to the inp if the flowid is also assigned.
|
#
261594 |
|
07-Feb-2014 |
glebius |
Utilize SYSCTL_UMA_CUR() to export usage of syncache and tcp reassembly zones.
Sponsored by: Nginx, Inc.
|
#
261242 |
|
28-Jan-2014 |
gnn |
Decrease lock contention within the TCP accept case by removing the INP_INFO lock from tcp_usr_accept. As the PR/patch states this was following the advice already in the code. See the PR below for a full disucssion of this change and its measured effects.
PR: 183659 Submitted by: Julian Charbon Reviewed by: jhb
|
#
260871 |
|
18-Jan-2014 |
adrian |
If the flowid is available for the mbuf that finalised the creation of a syncache connection, copy it into the inp_flowid field.
Without this, an incoming TCP connection won't have an inp_flowid marked until some data comes in, and this means that things like the per-CPU TCP timer option will choose a different CPU for the timer work. (It also means that if one grabbed the flowid via an ioctl from userland, it won't be available until some data has been received.)
Sponsored by: Netflix, Inc.
|
#
257176 |
|
26-Oct-2013 |
glebius |
The r48589 promised to remove implicit inclusion of if_var.h soon. Prepare to this event, adding if_var.h to files that do need it. Also, include all includes that now are included due to implicit pollution via if_var.h
Sponsored by: Netflix Sponsored by: Nginx, Inc.
|
#
254889 |
|
25-Aug-2013 |
markj |
Implement the ip, tcp, and udp DTrace providers. The probe definitions use dynamic translation so that their arguments match the definitions for these providers in Solaris and illumos. Thus, existing scripts for these providers should work unmodified on FreeBSD.
Tested by: gnn, hiren MFC after: 1 month
|
#
253395 |
|
16-Jul-2013 |
andre |
Free the non-fatal "timestamp missing" debug string manually as it is not covered by the catch-all free for the error cases.
Found by: Coverity
|
#
253210 |
|
11-Jul-2013 |
andre |
Improve SYN cookies by encoding the MSS, WSCALE (window scaling) and SACK information into the ISN (initial sequence number) without the additional use of timestamp bits and switching to the very fast and cryptographically strong SipHash-2-4 MAC hash algorithm to protect the SYN cookie against forgeries.
The purpose of SYN cookies is to encode all necessary session state in the 32 bits of our initial sequence number to avoid storing any information locally in memory. This is especially important when under heavy spoofed SYN attacks where we would either run out of memory or the syncache would fill with bogus connection attempts swamping out legitimate connections.
The original SYN cookies method only stored an indexed MSS values in the cookie. This isn't sufficient anymore and breaks down in the presence of WSCALE information which is only exchanged during SYN and SYN-ACK. If we can't keep track of it then we may severely underestimate the available send or receive window. This is compounded with large windows whose size information on the TCP segment header is even lower numerically. A number of years back SYN cookies were extended to store the additional state in the TCP timestamp fields, if available on a connection. While timestamps are common among the BSD, Linux and other *nix systems Windows never enabled them by default and thus are not present for the vast majority of clients seen on the Internet.
The common parameters used on TCP sessions have changed quite a bit since SYN cookies very invented some 17 years ago. Today we have a lot more bandwidth available making the use window scaling almost mandatory. Also SACK has become standard making recovering from packet loss much more efficient.
This change moves all necessary information into the ISS removing the need for timestamps. Both the MSS (16 bits) and send WSCALE (4 bits) are stored in 3 bit indexed form together with a single bit for SACK. While this is significantly less than the original range, it is sufficient to encode all common values with minimal rounding.
The MSS depends on the MTU of the path and with the dominance of ethernet the main value seen is around 1460 bytes. Encapsulations for DSL lines and some other overheads reduce it by a few more bytes for many connections seen. Rounding down to the next lower value in some cases isn't a problem as we send only slightly more packets for the same amount of data.
The send WSCALE index is bit more tricky as rounding down under-estimates the available send space available towards the remote host, however a small number values dominate and are carefully selected again.
The receive WSCALE isn't encoded at all but recalculated based on the local receive socket buffer size when a valid SYN cookie returns. A listen socket buffer size is unlikely to change while active.
The index values for MSS and WSCALE are selected for minimal rounding errors based on large traffic surveys. These values have to be periodically validated against newer traffic surveys adjusting the arrays tcp_sc_msstab[] and tcp_sc_wstab[] if necessary.
In addition the hash MAC to protect the SYN cookies is changed from MD5 to SipHash-2-4, a much faster and cryptographically secure algorithm.
Reviewed by: dwmalone Tested by: Fabian Keil <fk@fabiankeil.de>
|
#
253150 |
|
10-Jul-2013 |
andre |
Extend debug logging of TCP timestamp related specification violations.
Update related comments and style.
|
#
246208 |
|
01-Feb-2013 |
andre |
uma_zone_set_max() directly returns the rounded effective zone limit. Use the return value directly instead of doing a second uma_zone_set_max() step.
MFC after: 1 week
|
#
245919 |
|
25-Jan-2013 |
np |
Add TCP_OFFLOAD hook in syncache_respond for IPv6 too, just like the one that exists for IPv4.
Reviewed by: bz@
|
#
244680 |
|
25-Dec-2012 |
glebius |
Fix sysctl_handle_int() usage. Either arg1 or arg2 should be supplied, and arg2 doesn't pass size of arg1.
|
#
243882 |
|
05-Dec-2012 |
glebius |
Mechanically substitute flags from historic mbuf allocator with malloc(9) flags within sys.
Exceptions:
- sys/contrib not touched - sys/mbuf.h edited manually
|
#
242261 |
|
28-Oct-2012 |
andre |
For retransmits of SYN|ACK from the syncache use the slightly more aggressive special tcp_syn_backoff[] retransmit schedule instead of the normal tcp_backoff[] schedule for established connections.
MFC after: 2 weeks
|
#
242254 |
|
28-Oct-2012 |
andre |
Change the syncache count reporting the current number of entries from an unprotected u_int that reports garbage on SMP to a function based sysctl obtaining the current value from UMA.
Also read back the actual cache_limit after page size rounding by UMA.
PR: kern/165879 MFC after: 2 weeks
|
#
242250 |
|
28-Oct-2012 |
andre |
When SYN or SYN/ACK had to be retransmitted RFC5681 requires us to reduce the initial CWND to one segment. This reduction got lost some time ago due to a change in initialization ordering.
Additionally in tcp_timer_rexmt() avoid entering fast recovery when we're still in TCPS_SYN_SENT state.
MFC after: 2 weeks
|
#
241913 |
|
22-Oct-2012 |
glebius |
Switch the entire IPv4 stack to keep the IP packet header in network byte order. Any host byte order processing is done in local variables and host byte order values are never[1] written to a packet.
After this change a packet processed by the stack isn't modified at all[2] except for TTL.
After this change a network stack hacker doesn't need to scratch his head trying to figure out what is the byte order at the given place in the stack.
[1] One exception still remains. The raw sockets convert host byte order before pass a packet to an application. Probably this would remain for ages for compatibility.
[2] The ip_input() still subtructs header len from ip->ip_len, but this is planned to be fixed soon.
Reviewed by: luigi, Maxim Dounin <mdounin mdounin.ru> Tested by: ray, Olivier Cochard-Labbe <olivier cochard.me>
|
#
237263 |
|
19-Jun-2012 |
np |
- Updated TOE support in the kernel.
- Stateful TCP offload drivers for Terminator 3 and 4 (T3 and T4) ASICs. These are available as t3_tom and t4_tom modules that augment cxgb(4) and cxgbe(4) respectively. The cxgb/cxgbe drivers continue to work as usual with or without these extra features.
- iWARP driver for Terminator 3 ASIC (kernel verbs). T4 iWARP in the works and will follow soon.
Build-tested with make universe.
30s overview ============ What interfaces support TCP offload? Look for TOE4 and/or TOE6 in the capabilities of an interface: # ifconfig -m | grep TOE
Enable/disable TCP offload on an interface (just like any other ifnet capability): # ifconfig cxgbe0 toe # ifconfig cxgbe0 -toe
Which connections are offloaded? Look for toe4 and/or toe6 in the output of netstat and sockstat: # netstat -np tcp | grep toe # sockstat -46c | grep toe
Reviewed by: bz, gnn Sponsored by: Chelsio communications. MFC after: ~3 months (after 9.1, and after ensuring MFC is feasible)
|
#
236170 |
|
28-May-2012 |
bz |
It turns out that too many drivers are not only parsing the L2/3/4 headers for TSO but also for generic checksum offloading. Ideally we would only have one common function shared amongst all drivers, and perhaps when updating them for IPv6 we should introduce that. Eventually we should provide the meta information along with mbufs to avoid (re-)parsing entirely.
To not break IPv6 (checksums and offload) and to be able to MFC the changes without risking to hurt 3rd party drivers, duplicate the v4 framework, as other OSes have done as well.
Introduce interface capability flags for TX/RX checksum offload with IPv6, to allow independent toggling (where possible). Add CSUM_*_IPV6 flags for UDP/TCP over IPv6, and reserve further for SCTP, and IPv6 fragmentation. Define CSUM_DELAY_DATA_IPV6 as we do for legacy IP and add an alias for CSUM_DATA_VALID_IPV6.
This pretty much brings IPv6 handling in line with IPv4. TSO is still handled in a different way and not via if_hwassist.
Update ifconfig to allow (un)setting of the new capability flags. Update loopback to announce the new capabilities and if_hwassist flags.
Individual driver updates will have to follow, as will SCTP.
Reported by: gallatin, dim, .. Reviewed by: gallatin (glanced at?) MFC after: 3 days X-MFC with: r235961,235959,235958
|
#
235961 |
|
25-May-2012 |
bz |
MFp4 bz_ipv6_fast:
Add code to handle pre-checked TCP checksums as indicated by mbuf flags to save the entire computation for validation if not needed.
In the IPv6 TCP output path only compute the pseudo-header checksum, set the checksum offset in the mbuf field along the appropriate flag as done in IPv4.
In tcp_respond() just initialize the IPv6 payload length to 0 as ip6_output() will properly set it.
Sponsored by: The FreeBSD Foundation Sponsored by: iXsystems
Reviewed by: gnn (as part of the whole) MFC After: 3 days
|
#
231767 |
|
15-Feb-2012 |
bz |
Fix PAWS (Protect Against Wrapped Sequence numbers) in cases when hz >> 1000 and thus getting outside the timestamp clock frequenceny of 1ms < x < 1s per tick as mandated by RFC1323, leading to connection resets on idle connections.
Always use a granularity of 1ms using getmicrouptime() making all but relevant callouts independent of hz.
Use getmicrouptime(), not getmicrotime() as the latter may make a jump possibly breaking TCP nfsroot mounts having our timestamps move forward for more than 24.8 days in a second without having been idle for that long.
PR: kern/61404 Reviewed by: jhb, mav, rrs Discussed with: silby, lstewart Sponsored by: Sandvine Incorporated (originally in 2011) MFC after: 6 weeks
|
#
231025 |
|
05-Feb-2012 |
glebius |
Add new socket options: TCP_KEEPINIT, TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT, that allow to control initial timeout, idle time, idle re-send interval and idle send count on a per-socket basis.
Reviewed by: andre, bz, lstewart
|
#
227309 |
|
07-Nov-2011 |
ed |
Mark all SYSCTL_NODEs static that have no corresponding SYSCTL_DECLs.
The SYSCTL_NODE macro defines a list that stores all child-elements of that node. If there's no SYSCTL_DECL macro anywhere else, there's no reason why it shouldn't be static.
|
#
222748 |
|
06-Jun-2011 |
rwatson |
Implement a CPU-affine TCP and UDP connection lookup data structure, struct inpcbgroup. pcbgroups, or "connection groups", supplement the existing inpcbinfo connection hash table, which when pcbgroups are enabled, might now be thought of more usefully as a per-protocol 4-tuple reservation table.
Connections are assigned to connection groups base on a hash of their 4-tuple; wildcard sockets require special handling, and are members of all connection groups. During a connection lookup, a per-connection group lock is employed rather than the global pcbinfo lock. By aligning connection groups with input path processing, connection groups take on an effective CPU affinity, especially when aligned with RSS work placement (see a forthcoming commit for details). This eliminates cache line migration associated with global, protocol-layer data structures in steady state TCP and UDP processing (with the exception of protocol-layer statistics; further commit to follow).
Elements of this approach were inspired by Willman, Rixner, and Cox's 2006 USENIX paper, "An Evaluation of Network Stack Parallelization Strategies in Modern Operating Systems". However, there are also significant differences: we maintain the inpcb lock, rather than using the connection group lock for per-connection state.
Likewise, the focus of this implementation is alignment with NIC packet distribution strategies such as RSS, rather than pure software strategies. Despite that focus, software distribution is supported through the parallel netisr implementation, and works well in configurations where the number of hardware threads is greater than the number of NIC input queues, such as in the RMI XLR threaded MIPS architecture.
Another important difference is the continued maintenance of existing hash tables as "reservation tables" -- these are useful both to distinguish the resource allocation aspect of protocol name management and the more common-case lookup aspect. In configurations where connection tables are aligned with hardware hashes, it is desirable to use the traditional lookup tables for loopback or encapsulated traffic rather than take the expense of hardware hashes that are hard to implement efficiently in software (such as RSS Toeplitz).
Connection group support is enabled by compiling "options PCBGROUP" into your kernel configuration; for the time being, this is an experimental feature, and hence is not enabled by default.
Subject to the limited MFCability of change dependencies in inpcb, and its change to the inpcbinfo init function signature, this change in principle could be merged to FreeBSD 8.x.
Reviewed by: bz Sponsored by: Juniper Networks, Inc.
|
#
222691 |
|
04-Jun-2011 |
rwatson |
Add _mbuf() variants of various inpcb-related interfaces, including lookup, hash install, etc. For now, these are arguments are unused, but as we add RSS support, we will want to use hashes extracted from mbufs, rather than manually calculated hashes of header fields, due to the expensive of the software version of Toeplitz (and similar hashes).
Add notes that it would be nice to be able to pass mbufs into lookup routines in pf(4), optimising firewall lookup in the same way, but the code structure there doesn't facilitate that currently.
(In principle there is no reason this couldn't be MFCed -- the change extends rather than modifies the KBI. However, it won't be useful without other previous possibly less MFCable changes.)
Reviewed by: bz Sponsored by: Juniper Networks, Inc.
|
#
222488 |
|
30-May-2011 |
rwatson |
Decompose the current single inpcbinfo lock into two locks:
- The existing ipi_lock continues to protect the global inpcb list and inpcb counter. This lock is now relegated to a small number of allocation and free operations, and occasional operations that walk all connections (including, awkwardly, certain UDP multicast receive operations -- something to revisit).
- A new ipi_hash_lock protects the two inpcbinfo hash tables for looking up connections and bound sockets, manipulated using new INP_HASH_*() macros. This lock, combined with inpcb locks, protects the 4-tuple address space.
Unlike the current ipi_lock, ipi_hash_lock follows the individual inpcb connection locks, so may be acquired while manipulating a connection on which a lock is already held, avoiding the need to acquire the inpcbinfo lock preemptively when a binding change might later be required. As a result, however, lookup operations necessarily go through a reference acquire while holding the lookup lock, later acquiring an inpcb lock -- if required.
A new function in_pcblookup() looks up connections, and accepts flags indicating how to return the inpcb. Due to lock order changes, callers no longer need acquire locks before performing a lookup: the lookup routine will acquire the ipi_hash_lock as needed. In the future, it will also be able to use alternative lookup and locking strategies transparently to callers, such as pcbgroup lookup. New lookup flags are, supplementing the existing INPLOOKUP_WILDCARD flag:
INPLOOKUP_RLOCKPCB - Acquire a read lock on the returned inpcb INPLOOKUP_WLOCKPCB - Acquire a write lock on the returned inpcb
Callers must pass exactly one of these flags (for the time being).
Some notes:
- All protocols are updated to work within the new regime; especially, TCP, UDPv4, and UDPv6. pcbinfo ipi_lock acquisitions are largely eliminated, and global hash lock hold times are dramatically reduced compared to previous locking. - The TCP syncache still relies on the pcbinfo lock, something that we may want to revisit. - Support for reverting to the FreeBSD 7.x locking strategy in TCP input is no longer available -- hash lookup locks are now held only very briefly during inpcb lookup, rather than for potentially extended periods. However, the pcbinfo ipi_lock will still be acquired if a connection state might change such that a connection is added or removed. - Raw IP sockets continue to use the pcbinfo ipi_lock for protection, due to maintaining their own hash tables. - The interface in6_pcblookup_hash_locked() is maintained, which allows callers to acquire hash locks and perform one or more lookups atomically with 4-tuple allocation: this is required only for TCPv6, as there is no in6_pcbconnect_setup(), which there should be. - UDPv6 locking remains significantly more conservative than UDPv4 locking, which relates to source address selection. This needs attention, as it likely significantly reduces parallelism in this code for multithreaded socket use (such as in BIND). - In the UDPv4 and UDPv6 multicast cases, we need to revisit locking somewhat, as they relied on ipi_lock to stablise 4-tuple matches, which is no longer sufficient. A second check once the inpcb lock is held should do the trick, keeping the general case from requiring the inpcb lock for every inpcb visited. - This work reminds us that we need to revisit locking of the v4/v6 flags, which may be accessed lock-free both before and after this change. - Right now, a single lock name is used for the pcbhash lock -- this is undesirable, and probably another argument is required to take care of this (or a char array name field in the pcbinfo?).
This is not an MFC candidate for 8.x due to its impact on lookup and locking semantics. It's possible some of these issues could be worked around with compatibility wrappers, if necessary.
Reviewed by: bz Sponsored by: Juniper Networks, Inc.
|
#
221250 |
|
30-Apr-2011 |
bz |
Make the TCP code compile without INET. Sort #includes and add #ifdef INETs. Add some comments at #endifs given more nestedness. To make the compiler happy, some default initializations were added in accordance with the style on the files.
Reviewed by: gnn Sponsored by: The FreeBSD Foundation Sponsored by: iXsystems MFC after: 4 days
|
#
221023 |
|
25-Apr-2011 |
attilio |
Add the possibility to verify MD5 hash of incoming TCP packets. As long as this is a costy function, even when compiled in (along with the option TCP_SIGNATURE), it can be disabled via the net.inet.tcp.signature_verify_input sysctl.
Sponsored by: Sandvine Incorporated Reviewed by: emaste, bz MFC after: 2 weeks
|
#
218909 |
|
21-Feb-2011 |
brucec |
Fix typos - remove duplicate "the".
PR: bin/154928 Submitted by: Eitan Adler <lists at eitanadler.com> MFC after: 3 days
|
#
217322 |
|
12-Jan-2011 |
mdf |
sysctl(9) cleanup checkpoint: amd64 GENERIC builds cleanly.
Commit the net* piece.
|
#
215701 |
|
22-Nov-2010 |
dim |
After some off-list discussion, revert a number of changes to the DPCPU_DEFINE and VNET_DEFINE macros, as these cause problems for various people working on the affected files. A better long-term solution is still being considered. This reversal may give some modules empty set_pcpu or set_vnet sections, but these are harmless.
Changes reverted:
------------------------------------------------------------------------ r215318 | dim | 2010-11-14 21:40:55 +0100 (Sun, 14 Nov 2010) | 4 lines
Instead of unconditionally emitting .globl's for the __start_set_xxx and __stop_set_xxx symbols, only emit them when the set_vnet or set_pcpu sections are actually defined.
------------------------------------------------------------------------ r215317 | dim | 2010-11-14 21:38:11 +0100 (Sun, 14 Nov 2010) | 3 lines
Apply the STATIC_VNET_DEFINE and STATIC_DPCPU_DEFINE macros throughout the tree.
------------------------------------------------------------------------ r215316 | dim | 2010-11-14 21:23:02 +0100 (Sun, 14 Nov 2010) | 2 lines
Add macros to define static instances of VNET_DEFINE and DPCPU_DEFINE.
|
#
215317 |
|
14-Nov-2010 |
dim |
Apply the STATIC_VNET_DEFINE and STATIC_DPCPU_DEFINE macros throughout the tree.
|
#
211332 |
|
15-Aug-2010 |
andre |
Initializing the new error variable to zero in syncache_socket() is not necessary.
Noticed by: bz
|
#
211327 |
|
15-Aug-2010 |
andre |
Add more logging points for failures in syncache_socket() to report when a new socket couldn't be created because one of in_pcbinshash(), in6_pcbconnect() or in_pcbconnect() failed.
Logging is conditional on net.inet.tcp.log_debug being enabled.
MFC after: 1 week
|
#
210666 |
|
30-Jul-2010 |
andre |
Fix a bug in syncache where the initial CWND for new incoming connections was limited to one segment under the faulty assumption of a retransmit. Due to this the opportunity to initialize the increased congestion window according to RFC3390 was missed.
Support for RFC3465 introduced in r187289 uncovered the bug as the ACK to SYN/ACK no longer caused snd_cwnd increase by MSS (actually, this increase shouldn't happen as it's explicitly forbidden by RFC3390, but it's another issue). Snd_cwnd remains really small (1*MSS + 1) and this causes really bad interaction with delayed acks on other side.
The variable name sc_rxmits is a bit misleading as it counts all transmits, not just retransmits.
Submitted by: Maxim Dounin <mdounin-at-mdounin-dot-ru> MFC after: 10 days
|
#
207369 |
|
29-Apr-2010 |
bz |
MFP4: @176978-176982, 176984, 176990-176994, 177441
"Whitspace" churn after the VIMAGE/VNET whirls.
Remove the need for some "init" functions within the network stack, like pim6_init(), icmp_init() or significantly shorten others like ip6_init() and nd6_init(), using static initialization again where possible and formerly missed.
Move (most) variables back to the place they used to be before the container structs and VIMAGE_GLOABLS (before r185088) and try to reduce the diff to stable/7 and earlier as good as possible, to help out-of-tree consumers to update from 6.x or 7.x to 8 or 9.
This also removes some header file pollution for putatively static global variables.
Revert VIMAGE specific changes in ipfilter::ip_auth.c, that are no longer needed.
Reviewed by: jhb Discussed with: rwatson Sponsored by: The FreeBSD Foundation Sponsored by: CK Software GmbH MFC after: 6 days
|
#
204143 |
|
20-Feb-2010 |
bz |
Upon virtual network stack teardown properly release the TCP syncache resources.
Sponsored by: ISPsystem Reviewed by: rwatson MFC After: 5 days
|
#
196019 |
|
01-Aug-2009 |
rwatson |
Merge the remainder of kern_vimage.c and vimage.h into vnet.c and vnet.h, we now use jails (rather than vimages) as the abstraction for virtualization management, and what remained was specific to virtual network stacks. Minor cleanups are done in the process, and comments updated to reflect these changes.
Reviewed by: bz Approved by: re (vimage blanket)
|
#
195922 |
|
28-Jul-2009 |
julian |
Somewhere along the line accept sockets stopped honoring the FIB selected for them. Fix this.
Reviewed by: ambrisko Approved by: re (kib) MFC after: 3 days
|
#
195727 |
|
16-Jul-2009 |
rwatson |
Remove unused VNET_SET() and related macros; only VNET_GET() is ever actually used. Rename VNET_GET() to VNET() to shorten variable references.
Discussed with: bz, julian Reviewed by: bz Approved by: re (kensmith, kib)
|
#
195699 |
|
14-Jul-2009 |
rwatson |
Build on Jeff Roberson's linker-set based dynamic per-CPU allocator (DPCPU), as suggested by Peter Wemm, and implement a new per-virtual network stack memory allocator. Modify vnet to use the allocator instead of monolithic global container structures (vinet, ...). This change solves many binary compatibility problems associated with VIMAGE, and restores ELF symbols for virtualized global variables.
Each virtualized global variable exists as a "reference copy", and also once per virtual network stack. Virtualized global variables are tagged at compile-time, placing the in a special linker set, which is loaded into a contiguous region of kernel memory. Virtualized global variables in the base kernel are linked as normal, but those in modules are copied and relocated to a reserved portion of the kernel's vnet region with the help of a the kernel linker.
Virtualized global variables exist in per-vnet memory set up when the network stack instance is created, and are initialized statically from the reference copy. Run-time access occurs via an accessor macro, which converts from the current vnet and requested symbol to a per-vnet address. When "options VIMAGE" is not compiled into the kernel, normal global ELF symbols will be used instead and indirection is avoided.
This change restores static initialization for network stack global variables, restores support for non-global symbols and types, eliminates the need for many subsystem constructors, eliminates large per-subsystem structures that caused many binary compatibility issues both for monitoring applications (netstat) and kernel modules, removes the per-function INIT_VNET_*() macros throughout the stack, eliminates the need for vnet_symmap ksym(2) munging, and eliminates duplicate definitions of virtualized globals under VIMAGE_GLOBALS.
Bump __FreeBSD_version and update UPDATING.
Portions submitted by: bz Reviewed by: bz, zec Discussed with: gnn, jamie, jeff, jhb, julian, sam Suggested by: peter Approved by: re (kensmith)
|
#
195654 |
|
13-Jul-2009 |
lstewart |
Replace struct tcpopt with a proxy toeopt struct in the TOE driver interface to the TCP syncache. This returns struct tcpopt to being private within the TCP implementation, thus allowing it to be modified without ABI concerns.
The patch breaks the ABI. Bump __FreeBSD_version to 800103 accordingly. The cxgb driver is the only TOE consumer affected by this change, and needs to be recompiled along with the kernel.
Suggested by: rwatson Reviewed by: rwatson, kmacy Approved by: re (kensmith), kensmith (mentor temporarily unavailable)
|
#
193731 |
|
08-Jun-2009 |
zec |
Introduce an infrastructure for dismantling vnet instances.
Vnet modules and protocol domains may now register destructor functions to clean up and release per-module state. The destructor mechanisms can be triggered by invoking "vimage -d", or a future equivalent command which will be provided via the new jail framework.
While this patch introduces numerous placeholder destructor functions, many of those are currently incomplete, thus leaking memory or (even worse) failing to stop all running timers. Many of such issues are already known and will be incrementaly fixed over the next weeks in smaller incremental commits.
Apart from introducing new fields in structs ifnet, domain, protosw and vnet_net, which requires the kernel and modules to be rebuilt, this change should have no impact on nooptions VIMAGE builds, since vnet destructors can only be called in VIMAGE kernels. Moreover, destructor functions should be in general compiled in only in options VIMAGE builds, except for kernel modules which can be safely kldunloaded at run time.
Bump __FreeBSD_version to 800097. Reviewed by: bz, julian Approved by: rwatson, kib (re), julian (mentor)
|
#
193511 |
|
05-Jun-2009 |
rwatson |
Move "options MAC" from opt_mac.h to opt_global.h, as it's now in GENERIC and used in a large number of files, but also because an increasing number of incorrect uses of MAC calls were sneaking in due to copy-and-paste of MAC-aware code without the associated opt_mac.h include.
Discussed with: pjd
|
#
193332 |
|
02-Jun-2009 |
rwatson |
Add internal 'mac_policy_count' counter to the MAC Framework, which is a count of the number of registered policies.
Rather than unconditionally locking sockets before passing them into MAC, lock them in the MAC entry points only if mac_policy_count is non-zero.
This avoids locking overhead for a number of socket system calls when no policies are registered, eliminating measurable overhead for the MAC Framework for the socket subsystem when there are no active policies.
Possibly socket locks should be acquired by policies if they are required for socket labels, which would further avoid locking overhead when there are policies but they don't require labeling of sockets, or possibly don't even implement socket controls.
Obtained from: TrustedBSD Project
|
#
191688 |
|
30-Apr-2009 |
zec |
Permit buiding kernels with options VIMAGE, restricted to only a single active network stack instance. Turning on options VIMAGE at compile time yields the following changes relative to default kernel build:
1) V_ accessor macros for virtualized variables resolve to structure fields via base pointers, instead of being resolved as fields in global structs or plain global variables. As an example, V_ifnet becomes:
options VIMAGE: ((struct vnet_net *) vnet_net)->_ifnet default build: vnet_net_0._ifnet options VIMAGE_GLOBALS: ifnet
2) INIT_VNET_* macros will declare and set up base pointers to be used by V_ accessor macros, instead of resolving to whitespace:
INIT_VNET_NET(ifp->if_vnet); becomes
struct vnet_net *vnet_net = (ifp->if_vnet)->mod_data[VNET_MOD_NET];
3) Memory for vnet modules registered via vnet_mod_register() is now allocated at run time in sys/kern/kern_vimage.c, instead of per vnet module structs being declared as globals. If required, vnet modules can now request the framework to provide them with allocated bzeroed memory by filling in the vmi_size field in their vmi_modinfo structures.
4) structs socket, ifnet, inpcbinfo, tcpcb and syncache_head are extended to hold a pointer to the parent vnet. options VIMAGE builds will fill in those fields as required.
5) curvnet is introduced as a new global variable in options VIMAGE builds, always pointing to the default and only struct vnet.
6) struct sysctl_oid has been extended with additional two fields to store major and minor virtualization module identifiers, oid_v_subs and oid_v_mod. SYSCTL_V_* family of macros will fill in those fields accordingly, and store the offset in the appropriate vnet container struct in oid_arg1. In sysctl handlers dealing with virtualized sysctls, the SYSCTL_RESOLVE_V_ARG1() macro will compute the address of the target variable and make it available in arg1 variable for further processing.
Unused fields in structs vnet_inet, vnet_inet6 and vnet_ipfw have been deleted.
Reviewed by: bz, rwatson Approved by: julian (mentor)
|
#
190948 |
|
11-Apr-2009 |
rwatson |
Update stats in struct tcpstat using two new macros, TCPSTAT_ADD() and TCPSTAT_INC(), rather than directly manipulating the fields across the kernel. This will make it easier to change the implementation of these statistics, such as using per-CPU versions of the data structures.
MFC after: 3 days
|
#
187062 |
|
11-Jan-2009 |
rwatson |
Since we allow conditional allocation of labels on syncache entries, remove historic assertion that labels are always present.
|
#
186222 |
|
17-Dec-2008 |
bz |
Use inc_flags instead of the inc_isipv6 alias which so far had been the only flag with random usage patterns. Switch inc_flags to be used as a real bit field by using INC_ISIPV6 with bitops to check for the 'isipv6' condition.
While here fix a place or two where in case of v4 inc_flags were not properly initialized before.[1]
Found by: rwatson during review [1] Discussed with: rwatson Reviewed by: rwatson MFC after: 4 weeks
|
#
186141 |
|
15-Dec-2008 |
bz |
Another step assimilating IPv[46] PCB code - directly use the inpcb names rather than the following IPv6 compat macros: in6pcb,in6p_sp, in6p_ip6_nxt,in6p_flowinfo,in6p_vflag, in6p_flags,in6p_socket,in6p_lport,in6p_fport,in6p_ppcb and sotoin6pcb().
Apart from removing duplicate code in netipsec, this is a pure whitespace, not a functional change.
Discussed with: rwatson Reviewed by: rwatson (version before review requested changes) MFC after: 4 weeks (set the timer and see then)
|
#
185571 |
|
02-Dec-2008 |
bz |
Rather than using hidden includes (with cicular dependencies), directly include only the header files needed. This reduces the unneeded spamming of various headers into lots of files.
For now, this leaves us with very few modules including vnet.h and thus needing to depend on opt_route.h.
Reviewed by: brooks, gnn, des, zec, imp Sponsored by: The FreeBSD Foundation
|
#
185348 |
|
26-Nov-2008 |
zec |
Merge more of currently non-functional (i.e. resolving to whitespace) macros from p4/vimage branch.
Do a better job at enclosing all instantiations of globals scheduled for virtualization in #ifdef VIMAGE_GLOBALS blocks.
De-virtualize and mark as const saorder_state_alive and saorder_state_any arrays from ipsec code, given that they are never updated at runtime, so virtualizing them would be pointless.
Reviewed by: bz, julian Approved by: julian (mentor) Obtained from: //depot/projects/vimage-commit2/... X-MFC after: never Sponsored by: NLnet Foundation, The FreeBSD Foundation
|
#
185088 |
|
19-Nov-2008 |
zec |
Change the initialization methodology for global variables scheduled for virtualization.
Instead of initializing the affected global variables at instatiation, assign initial values to them in initializer functions. As a rule, initialization at instatiation for such variables should never be introduced again from now on. Furthermore, enclose all instantiations of such global variables in #ifdef VIMAGE_GLOBALS blocks.
Essentialy, this change should have zero functional impact. In the next phase of merging network stack virtualization infrastructure from p4/vimage branch, the new initialization methology will allow us to switch between using global variables and their counterparts residing in virtualization containers with minimum code churn, and in the long run allow us to intialize multiple instances of such container structures.
Discussed at: devsummit Strassburg Reviewed by: bz, julian Approved by: julian (mentor) Obtained from: //depot/projects/vimage-commit2/... X-MFC after: never Sponsored by: NLnet Foundation, The FreeBSD Foundation
|
#
184298 |
|
26-Oct-2008 |
rwatson |
Remove endearing but syntactically unnecessary "return;" statements directly before the final closeing brackets of some TCP functions.
MFC after: 3 days
|
#
184214 |
|
23-Oct-2008 |
des |
Fix a number of style issues in the MALLOC / FREE commit. I've tried to be careful not to fix anything that was already broken; the NFSv4 code is particularly bad in this respect.
|
#
184205 |
|
23-Oct-2008 |
des |
Retire the MALLOC and FREE macros. They are an abomination unto style(9).
MFC after: 3 months
|
#
183550 |
|
02-Oct-2008 |
zec |
Step 1.5 of importing the network stack virtualization infrastructure from the vimage project, as per plan established at devsummit 08/08: http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator macros, and CURVNET_SET() context setting macros, all currently resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a family of SYSCTL_V_*() macros, currently resolving to their global counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header files specific to virtualized subsystems (sys/net/vnet.h, sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this point in time by doing MD5 comparision between pre- and post-change object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec Reviewed by: julian, bz, brooks, kris, rwatson, ... Approved by: julian (mentor) Obtained from: //depot/projects/vimage-commit2/... X-MFC after: never Sponsored by: NLnet Foundation, The FreeBSD Foundation
|
#
183001 |
|
13-Sep-2008 |
bz |
Implement IPv6 support for TCP MD5 Signature Option (RFC 2385) the same way it has been implemented for IPv4.
Reviewed by: bms (skimmed) Tested by: Nick Hilliard (nick netability.ie) (with more changes) MFC after: 2 months
|
#
182129 |
|
24-Aug-2008 |
julian |
Move some struct defs around. This is a prep step for Vimage.A No real effect of this at this time.
|
#
182056 |
|
23-Aug-2008 |
bz |
Cache the cred locally in _syncache_add() while holding the locks, so we can be sure that it's valid. In case we abort early free it again else put it into the syncache.
We need the cred in the syncache to be able to restrict what will be exportet by the sysctl helper function syncache_pcblist() (to netstat) within jails.
PR: kern/126493 Reviewed by: rwatson (earlier versions) MFC after: 3 days
|
#
182045 |
|
23-Aug-2008 |
bz |
Add an explicit comment why we NULLify the two variables.
Reviewed by: rwatson MFC after: 3 days
|
#
181887 |
|
19-Aug-2008 |
julian |
A bunch of formatting fixes brough to light by, or created by the Vimage commit a few days ago.
|
#
181803 |
|
17-Aug-2008 |
bz |
Commit step 1 of the vimage project, (network stack) virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course of the next few weeks.
Mark all uses of global variables to be virtualized with a V_ prefix. Use macros to map them back to their global names for now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/... Reviewed by: brooks, des, ed, mav, julian, jamie, kris, rwatson, zec, ... (various people I forgot, different versions) md5 (with a bit of help) Sponsored by: NLnet Foundation, The FreeBSD Foundation X-MFC after: never V_Commit_Message_Reviewed_By: more people than the patch
|
#
181337 |
|
05-Aug-2008 |
jhb |
Minor style tweaks.
|
#
181056 |
|
31-Jul-2008 |
rpaulo |
MFp4 (//depot/projects/tcpecn/):
TCP ECN support. Merge of my GSoC 2006 work for NetBSD. TCP ECN is defined in RFC 3168.
Partly reviewed by: dwmalone, silby Obtained from: NetBSD
|
#
180645 |
|
21-Jul-2008 |
kmacy |
add interface for external consumers to syncache_expand - rename syncache_add in a manner consistent with other bits intended for offload
|
#
179833 |
|
16-Jun-2008 |
ups |
Change incorrect stale cookie detection in syncookie_lookup() that prematurely declared a cookie as expired.
Reviewed by: andre@, silby@ Reported by: Yahoo!
|
#
179832 |
|
16-Jun-2008 |
ups |
Fix a check in SYN cache expansion (syncache_expand()) to accept packets that arrive in the receive window instead of just on the left edge of the receive window. This is needed for correct behavior when packets are lost or reordered.
PR: kern/123950 Reviewed by: andre@, silby@ Reported by: Yahoo!, Wang Jin MFC after: 1 week
|
#
178888 |
|
09-May-2008 |
julian |
Add code to allow the system to handle multiple routing tables. This particular implementation is designed to be fully backwards compatible and to be MFC-able to 7.x (and 6.x)
Currently the only protocol that can make use of the multiple tables is IPv4 Similar functionality exists in OpenBSD and Linux.
From my notes:
-----
One thing where FreeBSD has been falling behind, and which by chance I have some time to work on is "policy based routing", which allows different packet streams to be routed by more than just the destination address.
Constraints: ------------
I want to make some form of this available in the 6.x tree (and by extension 7.x) , but FreeBSD in general needs it so I might as well do it in -current and back port the portions I need.
One of the ways that this can be done is to have the ability to instantiate multiple kernel routing tables (which I will now refer to as "Forwarding Information Bases" or "FIBs" for political correctness reasons). Which FIB a particular packet uses to make the next hop decision can be decided by a number of mechanisms. The policies these mechanisms implement are the "Policies" referred to in "Policy based routing".
One of the constraints I have if I try to back port this work to 6.x is that it must be implemented as a EXTENSION to the existing ABIs in 6.x so that third party applications do not need to be recompiled in timespan of the branch.
This first version will not have some of the bells and whistles that will come with later versions. It will, for example, be limited to 16 tables in the first commit. Implementation method, Compatible version. (part 1) ------------------------------- For this reason I have implemented a "sufficient subset" of a multiple routing table solution in Perforce, and back-ported it to 6.x. (also in Perforce though not always caught up with what I have done in -current/P4). The subset allows a number of FIBs to be defined at compile time (8 is sufficient for my purposes in 6.x) and implements the changes needed to allow IPV4 to use them. I have not done the changes for ipv6 simply because I do not need it, and I do not have enough knowledge of ipv6 (e.g. neighbor discovery) needed to do it.
Other protocol families are left untouched and should there be users with proprietary protocol families, they should continue to work and be oblivious to the existence of the extra FIBs.
To understand how this is done, one must know that the current FIB code starts everything off with a single dimensional array of pointers to FIB head structures (One per protocol family), each of which in turn points to the trie of routes available to that family.
The basic change in the ABI compatible version of the change is to extent that array to be a 2 dimensional array, so that instead of protocol family X looking at rt_tables[X] for the table it needs, it looks at rt_tables[Y][X] when for all protocol families except ipv4 Y is always 0. Code that is unaware of the change always just sees the first row of the table, which of course looks just like the one dimensional array that existed before.
The entry points rtrequest(), rtalloc(), rtalloc1(), rtalloc_ign() are all maintained, but refer only to the first row of the array, so that existing callers in proprietary protocols can continue to do the "right thing". Some new entry points are added, for the exclusive use of ipv4 code called in_rtrequest(), in_rtalloc(), in_rtalloc1() and in_rtalloc_ign(), which have an extra argument which refers the code to the correct row.
In addition, there are some new entry points (currently called rtalloc_fib() and friends) that check the Address family being looked up and call either rtalloc() (and friends) if the protocol is not IPv4 forcing the action to row 0 or to the appropriate row if it IS IPv4 (and that info is available). These are for calling from code that is not specific to any particular protocol. The way these are implemented would change in the non ABI preserving code to be added later.
One feature of the first version of the code is that for ipv4, the interface routes show up automatically on all the FIBs, so that no matter what FIB you select you always have the basic direct attached hosts available to you. (rtinit() does this automatically).
You CAN delete an interface route from one FIB should you want to but by default it's there. ARP information is also available in each FIB. It's assumed that the same machine would have the same MAC address, regardless of which FIB you are using to get to it.
This brings us as to how the correct FIB is selected for an outgoing IPV4 packet.
Firstly, all packets have a FIB associated with them. if nothing has been done to change it, it will be FIB 0. The FIB is changed in the following ways.
Packets fall into one of a number of classes.
1/ locally generated packets, coming from a socket/PCB. Such packets select a FIB from a number associated with the socket/PCB. This in turn is inherited from the process, but can be changed by a socket option. The process in turn inherits it on fork. I have written a utility call setfib that acts a bit like nice..
setfib -3 ping target.example.com # will use fib 3 for ping.
It is an obvious extension to make it a property of a jail but I have not done so. It can be achieved by combining the setfib and jail commands.
2/ packets received on an interface for forwarding. By default these packets would use table 0, (or possibly a number settable in a sysctl(not yet)). but prior to routing the firewall can inspect them (see below). (possibly in the future you may be able to associate a FIB with packets received on an interface.. An ifconfig arg, but not yet.)
3/ packets inspected by a packet classifier, which can arbitrarily associate a fib with it on a packet by packet basis. A fib assigned to a packet by a packet classifier (such as ipfw) would over-ride a fib associated by a more default source. (such as cases 1 or 2).
4/ a tcp listen socket associated with a fib will generate accept sockets that are associated with that same fib.
5/ Packets generated in response to some other packet (e.g. reset or icmp packets). These should use the FIB associated with the packet being reponded to.
6/ Packets generated during encapsulation. gif, tun and other tunnel interfaces will encapsulate using the FIB that was in effect withthe proces that set up the tunnel. thus setfib 1 ifconfig gif0 [tunnel instructions] will set the fib for the tunnel to use to be fib 1.
Routing messages would be associated with their process, and thus select one FIB or another. messages from the kernel would be associated with the fib they refer to and would only be received by a routing socket associated with that fib. (not yet implemented)
In addition Netstat has been edited to be able to cope with the fact that the array is now 2 dimensional. (It looks in system memory using libkvm (!)). Old versions of netstat see only the first FIB.
In addition two sysctls are added to give: a) the number of FIBs compiled in (active) b) the default FIB of the calling process.
Early testing experience: -------------------------
Basically our (IronPort's) appliance does this functionality already using ipfw fwd but that method has some drawbacks.
For example, It can't fully simulate a routing table because it can't influence the socket's choice of local address when a connect() is done.
Testing during the generating of these changes has been remarkably smooth so far. Multiple tables have co-existed with no notable side effects, and packets have been routes accordingly.
ipfw has grown 2 new keywords:
setfib N ip from anay to any count ip from any to any fib N
In pf there seems to be a requirement to be able to give symbolic names to the fibs but I do not have that capacity. I am not sure if it is required.
SCTP has interestingly enough built in support for this, called VRFs in Cisco parlance. it will be interesting to see how that handles it when it suddenly actually does something.
Where to next: --------------------
After committing the ABI compatible version and MFCing it, I'd like to proceed in a forward direction in -current. this will result in some roto-tilling in the routing code.
Firstly: the current code's idea of having a separate tree per protocol family, all of the same format, and pointed to by the 1 dimensional array is a bit silly. Especially when one considers that there is code that makes assumptions about every protocol having the same internal structures there. Some protocols don't WANT that sort of structure. (for example the whole idea of a netmask is foreign to appletalk). This needs to be made opaque to the external code.
My suggested first change is to add routing method pointers to the 'domain' structure, along with information pointing the data. instead of having an array of pointers to uniform structures, there would be an array pointing to the 'domain' structures for each protocol address domain (protocol family), and the methods this reached would be called. The methods would have an argument that gives FIB number, but the protocol would be free to ignore it.
When the ABI can be changed it raises the possibilty of the addition of a fib entry into the "struct route". Currently, the structure contains the sockaddr of the desination, and the resulting fib entry. To make this work fully, one could add a fib number so that given an address and a fib, one can find the third element, the fib entry.
Interaction with the ARP layer/ LL layer would need to be revisited as well. Qing Li has been working on this already.
This work was sponsored by Ironport Systems/Cisco
Reviewed by: several including rwatson, bz and mlair (parts each) Obtained from: Ironport systems/Cisco
|
#
178862 |
|
08-May-2008 |
jhb |
Always bump tcpstat.tcps_badrst if we get a RST for a connection in the syncache that has an invalid SEQ instead of only doing it when we suceed in mallocing space for the log message.
MFC after: 1 week Reviewed by: sam, bz
|
#
178303 |
|
19-Apr-2008 |
kmacy |
move tcbinfo lock acquisition in to syncache
|
#
178285 |
|
17-Apr-2008 |
rwatson |
Convert pcbinfo and inpcb mutexes to rwlocks, and modify macros to explicitly select write locking for all use of the inpcb mutex. Update some pcbinfo lock assertions to assert locked rather than write-locked, although in practice almost all uses of the pcbinfo rwlock main exclusive, and all instances of inpcb lock acquisition are exclusive.
This change should introduce (ideally) little functional change. However, it lays the groundwork for significantly increased parallelism in the TCP/IP code.
MFC after: 3 months Tested by: kris (superset of committered patch)
|
#
174775 |
|
19-Dec-2007 |
ru |
Fix bugs in the TCP syncache timeout code. including:
When system ticks are positive, for entries in the cache bucket, syncache_timer() ran on every tick (doing nothing useful) instead of the supposed 3, 6, 12, and 24 seconds later (when it's time to retransmit SYN,ACK).
When ticks are negative, syncache_timer() was scheduled for the too far future (up to ~25 days on systems with HZ=1000), no SYN,ACK retransmits were attempted at all, and syncache entries added in that period that correspond to non-established connections stay there forever.
Only HEAD and RELENG_7 are affected.
Reviewed by: silby, kmacy (earlier version) Submitted by: Maxim Dounin, ru
|
#
174704 |
|
17-Dec-2007 |
kmacy |
incorporate feedback since initial commit - rename tcp_ofld.[ch] to tcp_offload.[ch] - document usage and locking conventions of the functions in the toe_usrreqs function vector - document tcpcb, inpcb, and socket fields used by toe - widen the listen interface into 2 functions - rename DISABLE_TCP_OFFLOAD to TCP_OFFLOAD_DISABLE - shrink conditional compilation to reduce the likelihood of bitrot - replace sc->sc_toepcb checks in tcp_syncache.c with TOEPCB_ISSET
|
#
174558 |
|
12-Dec-2007 |
kmacy |
Add interface for tcp offload to syncache: - make neccessary changes to release offload resources when a syncache entry is removed before connection establishment - disable checks for offloaded connection where insufficient information is available
Reviewed by: silby
|
#
174545 |
|
12-Dec-2007 |
kmacy |
Remove spurious timestamp check. RFC 1323 explicitly states that timestamps MAY be transmitted if negotiated.
|
#
174388 |
|
06-Dec-2007 |
kmacy |
Add padding for anticipated functionality - vimage - TOE - multiq - host rtentry caching
Rename spare used by 80211 to if_llsoftc
Reviewed by: rwatson, gnn MFC after: 1 day
|
#
174248 |
|
04-Dec-2007 |
silby |
Fix SACK negotiation that was broken in rev 1.105.
Before this fix, FreeBSD would negotiate SACK on outgoing connections, but would always fail to negotiate it on incoming connections.
Discovered by: James Healy and Lawrence Stewart Submitted by: James Healy and Lawrence Stewart MFC after: 3 days
|
#
174119 |
|
30-Nov-2007 |
bz |
Move call to tcp_signature_compute() after we adjusted the payload offset in the tcp header. With relevant parts of the tcp header changing after the 'signature' was computed, the signature becomes invalid.
Reviewed by: tools/regression/netinet/tcpconnect MFC after: 3 days Tested by: Nick Hilliard (see net@)
|
#
173771 |
|
20-Nov-2007 |
silby |
Comment out the syncache's test which ensures that hosts which negotiate TCP timestamps in the initial SYN packet actually use them in the rest of the connection. Unfortunately, during the 7.0 testing cycle users have already found network devices that violate this constraint.
RFC 1323 states 'and may send a TSopt in other segments' rather than 'and MUST send', so we must allow it.
Discovered by: Rob Zietlow Tracked down by: Kip Macy PR: bin/118005
|
#
172970 |
|
25-Oct-2007 |
rwatson |
Normalize TCP syncache-related MAC Framework entry points to match most other entry points in the form mac_<object>_method().
Discussed with: csjp Obtained from: TrustedBSD Project
|
#
172930 |
|
24-Oct-2007 |
rwatson |
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms:
mac_<object>_<method/action> mac_<object>_check_<method/action>
The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names.
All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI.
Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
|
#
172795 |
|
19-Oct-2007 |
silby |
Pick the smallest possible TCP window scaling factor that will still allow us to scale up to sb_max, aka kern.ipc.maxsockbuf.
We do this because there are broken firewalls that will corrupt the window scale option, leading to the other endpoint believing that our advertised window is unscaled. At scale factors larger than 5 the unscaled window will drop below 1500 bytes, leading to serious problems when traversing these broken firewalls.
With the default maxsockbuf of 256K, a scale factor of 3 will be chosen by this algorithm. Those who choose a larger maxsockbuf should watch out for the compatiblity problems mentioned above.
Reviewed by: andre
|
#
172467 |
|
07-Oct-2007 |
silby |
Add FBSDID to all files in netinet so that people can more easily include file version information in bug reports.
Approved by: re (kensmith)
|
#
171744 |
|
06-Aug-2007 |
rwatson |
Remove the now-unused NET_{LOCK,UNLOCK,ASSERT}_GIANT() macros, which previously conditionally acquired Giant based on debug.mpsafenet. As that has now been removed, they are no longer required. Removing them significantly simplifies error-handling in the socket layer, eliminated quite a bit of unwinding of locking in error cases.
While here clean up the now unneeded opt_net.h, which previously was used for the NET_WITH_GIANT kernel option. Clean up some related gotos for consistency.
Reviewed by: bz, csjp Tested by: kris Approved by: re (kensmith)
|
#
171652 |
|
29-Jul-2007 |
bmah |
Fix a typo in a log message: s/Reveived/Received/.
Approved by: re (rwatson)
|
#
171643 |
|
28-Jul-2007 |
silby |
Fix a panic introduced in rev 1.126.
Approved by: re (rwatson)
|
#
171639 |
|
28-Jul-2007 |
andre |
o Move setting/resetting logic of syncache timer from macro SYNCACHE_TIMEOUT to new function syncache_timeout(). o Fix inverted timeout callout engagement logic to actually enable the timer for the bucket row. Before SYN|ACK was not retransmitted. o Simplify SYN|ACK retransmit timeout backoff calculation. o Improve logging of retransmit and timeout events. o Reset timeout when duplicate SYN arrives. o Add comments. o Rearrange SYN cookie statistics counting.
Bug found by: silby Submitted by: silby (different version) Approved by: re (rwatson)
|
#
171638 |
|
28-Jul-2007 |
andre |
o Move all detailed checks for RST in LISTEN state from tcp_input() to syncache_rst(). o Fix tests for flag combinations of RST and SYN, ACK, FIN. Before a RST for a connection in syncache did not properly free the entry. o Add more detailed logging.
Approved by: re (rwatson)
|
#
171605 |
|
26-Jul-2007 |
silby |
Export the contents of the syncache to netstat.
Approved by: re (kensmith) MFC after: 2 weeks
|
#
171167 |
|
03-Jul-2007 |
gnn |
Commit the change from FAST_IPSEC to IPSEC. The FAST_IPSEC option is now deprecated, as well as the KAME IPsec code. What was FAST_IPSEC is now IPSEC.
Approved by: re Sponsored by: Secure Computing
|
#
171133 |
|
01-Jul-2007 |
gnn |
Commit IPv6 support for FAST_IPSEC to the tree. This commit includes only the kernel files, the rest of the files will follow in a second commit.
Reviewed by: bz Approved by: re Supported by: Secure Computing
|
#
170385 |
|
06-Jun-2007 |
andre |
Correctly print SEQ and IRS in the corresponding log message in syncache_expand().
|
#
170078 |
|
28-May-2007 |
andre |
Make log messages more verbose and simpler to understand for non-experts. Update comments to be more conscious, verbose and fully reflect reality.
|
#
170055 |
|
28-May-2007 |
andre |
Refactor and rewrite in parts the SYN handling code on listen sockets in tcp_input():
o tighten the checks on allowed TCP flags to be RFC793 and tcp-secure conform o log check failures to syslog at LOG_DEBUG level o rearrange the code flow to be easier to follow o add KASSERTs to validate assumptions of the code flow
Add sysctl net.inet.tcp.syncache.rst_on_sock_fail defaulting to enable that controls the behavior on socket creation failure for a otherwise successful 3-way handshake. The socket creation can fail due to global memory shortage, listen queue limits and file descriptor limits. The sysctl allows to chose between two options to deal with this. One is to send a reset to the other endpoint to notify it about the failure (default). The other one is to ignore and treat the failure as a transient error and have the other endpoint retransmit for another try.
Reviewed by: rwatson (in general)
|
#
169686 |
|
18-May-2007 |
andre |
Be more restrictive with segment validity checks in syncache_expand() and log check failures to syslog at LOG_DEBUG level.
Always prefill the sc->sc_ts field to use it in the checks.
|
#
169685 |
|
18-May-2007 |
andre |
o Add syslog logging under LOG_DEBUG to various failures caused by bogus segments o Add more KASSERT()s o Update comments
|
#
169317 |
|
06-May-2007 |
andre |
Use existing TF_SACK_PERMIT flag in struct tcpcb t_flags field instead of a decdicated sack_enable int for this bool. Change all users accordingly.
|
#
168904 |
|
20-Apr-2007 |
andre |
o Remove unused and redundant TCP option definitions o Replace usage of MAX_TCPOPTLEN with the correctly constructed and derived MAX_TCPOPTLEN
|
#
168903 |
|
20-Apr-2007 |
andre |
Remove bogus check for accept queue length and associated failure handling from the incoming SYN handling section of tcp_input().
Enforcement of the accept queue limits is done by sonewconn() after the 3WHS is completed. It is not necessary to have an earlier check before a connection request enters the SYN cache awaiting the full handshake. It rather limits the effectiveness of the syncache by preventing legit and illegit connections from entering it and having them shaken out before we hit the real limit which may have vanished by then.
Change return value of syncache_add() to void. No status communication is required.
|
#
168902 |
|
20-Apr-2007 |
andre |
Simplifly syncache_expand() and clarify its semantics. Zero is returned when the ACK is invalid and doesn't belong to any registered connection, either in syncache or through SYN cookies. True but a NULL struct socket is returned when the 3WHS completed but the socket could not be created due to insufficient resources or limits reached.
For both cases an RST is sent back in tcp_input().
A logic error leading to a panic is fixed where syncache_expand() would free the mbuf on socket allocation failure but tcp_input() later supplies it to tcp_dropwithreset() to issue a RST to the peer.
Reported by: kris (the panic)
|
#
168901 |
|
20-Apr-2007 |
andre |
Only update TCP timestamp on SYN duplication if it is present on current SYN in syncache_add(). Otherwise disable timestamps.
|
#
168900 |
|
20-Apr-2007 |
andre |
o Plug memory leak in syncache_add() on MAC label allocation failure. o Simplify code flow with 'done' goto label. o Remove mbuf argument from syncache_respond(). It doesn't make use of it.
|
#
168817 |
|
17-Apr-2007 |
andre |
When we run into the syncache entry limits syncache_add() tries to free the oldest entry in the current bucket row. The global entry limit may be smaller than the bucket rows and their limit combined however. Thus only try to free a syncache entry if we found one in this bucket row.
Reported by: kris
|
#
168615 |
|
11-Apr-2007 |
andre |
Change the TCP timer system from using the callout system five times directly to a merged model where only one callout, the next to fire, is registered.
Instead of callout_reset(9) and callout_stop(9) the new function tcp_timer_activate() is used which then internally manages the callout.
The single new callout is a mutex callout on inpcb simplifying the locking a bit.
tcp_timer() is the called function which handles all race conditions in one place and then dispatches the individual timer functions.
Reviewed by: rwatson (earlier version)
|
#
168368 |
|
04-Apr-2007 |
andre |
Move last tcpcb initialization for the inbound connection case from tcp_input() to syncache_socket() where it belongs and the majority of it already happens.
The "tp->snd_up = tp->snd_una" is removed as it is done with the tcp_sendseqinit() macro a few lines earlier.
|
#
167659 |
|
17-Mar-2007 |
andre |
Unbreak IPv6 after consolidation of TCP options insertion.
Submitted by: tegge
|
#
167658 |
|
17-Mar-2007 |
kmacy |
Fix the most obvious of the bugs introduced by recent syncache changes
- *ip is not initialized in the case of inet6 connection, but ip->ip_len is being changed anyway
Now the question is, why does it think an ipv4 connection is an ipv6 connection? xemacs still doesn't work over X11 forwarding, but the kernel no longer panics.
|
#
167606 |
|
15-Mar-2007 |
andre |
Consolidate insertion of TCP options into a segment from within tcp_output() and syncache_respond() into its own generic function tcp_addoptions().
tcp_addoptions() is alignment agnostic and does optimal packing in all cases.
In struct tcpopt rename to_requested_s_scale to just to_wscale.
Add a comment with quote from RFC1323: "The Window field in a SYN (i.e., a <SYN> or <SYN,ACK>) segment itself is never scaled."
Reviewed by: silby, mohans, julian Sponsored by: TCP/IP Optimization Fundraise 2005
|
#
166403 |
|
01-Feb-2007 |
andre |
Change the way the advertized TCP window scaling is computed. Instead of upper-bounding it to the size of the initial socket buffer lower-bound it to the smallest MSS we accept. Ideally we'd use the actual MSS information here but it is not available yet.
For socket buffer auto sizing to be effective we need room to grow the receive window. The window scale shift is determined at connection setup and can't be changed afterwards. The previous, original, method effectively just did a power of two roundup of the socket buffer size at connection setup severely limiting the headroom for larger socket buffers.
Tested by: many (as part of the socket buffer auto sizing patch) MFC after: 1 month
|
#
165149 |
|
13-Dec-2006 |
csjp |
Fix LOR between the syncache and inpcb locks when MAC is present in the kernel. This LOR snuck in with some of the recent syncache changes. To fix this, the inpcb handling was changed:
- Hang a MAC label off the syncache object - When the syncache entry is initially created, we pickup the PCB lock is held because we extract information from it while initializing the syncache entry. While we do this, copy the MAC label associated with the PCB and use it for the syncache entry. - When the packet is transmitted, copy the label from the syncache entry to the mbuf so it can be processed by security policies which analyze mbuf labels.
This change required that the MAC framework be extended to support the label copy operations from the PCB to the syncache entry, and then from the syncache entry to the mbuf.
These functions really should be referencing the syncache structure instead of the label. However, due to some of the complexities associated with exposing this syncache structure we operate directly on it's label pointer. This should be OK since we aren't making any access control decisions within this code directly, we are merely allocating and copying label storage so we can properly initialize mbuf labels for any packets the syncache code might create.
This also has a nice side effect of caching. Prior to this change, the PCB would be looked up/locked for each packet transmitted. Now the label is cached at the time the syncache entry is initialized.
Submitted by: andre [1] Discussed with: rwatson
[1] andre submitted the tcp_syncache.c changes
|
#
163606 |
|
22-Oct-2006 |
rwatson |
Complete break-out of sys/sys/mac.h into sys/security/mac/mac_framework.h begun with a repo-copy of mac.h to mac_framework.h. sys/mac.h now contains the userspace and user<->kernel API and definitions, with all in-kernel interfaces moved to mac_framework.h, which is now included across most of the kernel instead.
This change is the first step in a larger cleanup and sweep of MAC Framework interfaces in the kernel, and will not be MFC'd.
Obtained from: TrustedBSD Project Sponsored by: SPARTA
|
#
162306 |
|
14-Sep-2006 |
ache |
Add missing #ifdef INET6 (can't be compiled)
|
#
162278 |
|
13-Sep-2006 |
andre |
Remove unessary includes and follow common ordering style.
|
#
162277 |
|
13-Sep-2006 |
andre |
Rewrite of TCP syncookies to remove locking requirements and to enhance functionality:
- Remove a rwlock aquisition/release per generated syncookie. Locking is now integrated with the bucket row locking of syncache itself and syncookies no longer add any additional lock overhead. - Syncookie secrets are different for and stored per syncache buck row. Secrets expire after 16 seconds and are reseeded on-demand. - The computational overhead for syncookie generation and verification is one MD5 hash computation as before. - Syncache can be turned off and run with syncookies only by setting the sysctl net.inet.tcp.syncookies_only=1.
This implementation extends the orginal idea and first implementation of FreeBSD by using not only the initial sequence number field to store information but also the timestamp field if present. This way we can keep track of the entire state we need to know to recreate the session in its original form. Almost all TCP speakers implement RFC1323 timestamps these days. For those that do not we still have to live with the known shortcomings of the ISN only SYN cookies. The use of the timestamp field causes the timestamps to be randomized if syncookies are enabled.
The idea of SYN cookies is to encode and include all necessary information about the connection setup state within the SYN-ACK we send back and thus to get along without keeping any local state until the ACK to the SYN-ACK arrives (if ever). Everything we need to know should be available from the information we encoded in the SYN-ACK.
A detailed description of the inner working of the syncookies mechanism is included in the comments in tcp_syncache.c.
Reviewed by: silby (slightly earlier version) Sponsored by: TCP/IP Optimization Fundraise 2005
|
#
159955 |
|
26-Jun-2006 |
andre |
In syncache_respond() do not reply with a MSS that is larger than what the peer announced to us but make it at least tcp_minmss in size.
Sponsored by: TCP/IP Optimization Fundraise 2005
|
#
159950 |
|
26-Jun-2006 |
andre |
Some cleanups and janitorial work to tcp_syncache:
o don't assign remote/local host/port information manually between provided struct in_conninfo and struct syncache, bcopy() it instead o rename sc_tsrecent to sc_tsreflect in struct syncache to better capture the purpose of this field o rename sc_request_r_scale to sc_requested_r_scale for ditto reasons o fix IPSEC error case printf's to report correct function name o in syncache_socket() only transpose enhanced tcp options parameters to struct tcpcb when the inpcb doesn't has TF_NOOPT set o in syncache_respond() reorder stack variables o in syncache_respond() remove bogus KASSERT()
No functional changes.
Sponsored by: TCP/IP Optimization Fundraise 2005
|
#
159945 |
|
26-Jun-2006 |
andre |
Reverse the source/destination parameters to in[6]_pcblookup_hash() in syncache_respond() for the #ifdef MAC case.
Submitted by: Tai-hwa Liang <avatar-at-mmlab.cse.yzu.edu.tw>
|
#
159922 |
|
25-Jun-2006 |
andre |
Decrement the global syncache counter in syncache_expand() when the entry is removed from the bucket. This fixes the syncache statistics.
|
#
159859 |
|
22-Jun-2006 |
andre |
Move the syncookie MD5 context from globals to the stack to make it MP safe.
|
#
159787 |
|
20-Jun-2006 |
andre |
Allocate a zero'ed syncache hashtable. mtx_init() tests the supplied memory location for already existing/initialized mutexes. With random data in the memory location this fails (ie. after a soft reboot).
Reported by: brueffer, YAMAMOTO Shigeru Submitted by: YAMAMOTO Shigeru <shigeru-at-iij.ad.jp>
|
#
159727 |
|
18-Jun-2006 |
andre |
Do not access syncache entry before it was allocated for the TF_NOOPT case in syncache_add().
Found by: Coverity Prevent CID: 1473
|
#
159725 |
|
18-Jun-2006 |
andre |
Move all syncache related structures to tcp_syncache.c. They are only used there.
This unbreaks userland programs that include tcp_var.h.
Discussed with: rwatson
|
#
159722 |
|
18-Jun-2006 |
andre |
Remove double lock acquisition in syncookie_lookup() which came from last minute conversions to macros.
Pointy hat to: andre
|
#
159701 |
|
17-Jun-2006 |
andre |
Fix the !INET6 compile.
Reported by: alc
|
#
159697 |
|
17-Jun-2006 |
andre |
ANSIfy and tidy up comments.
Sponsored by: TCP/IP Optimization Fundraise 2005
|
#
159695 |
|
17-Jun-2006 |
andre |
Add locking to TCP syncache and drop the global tcpinfo lock as early as possible for the syncache_add() case. The syncache timer no longer aquires the tcpinfo lock and timeout/retransmit runs can happen in parallel with bucket granularity.
On a P4 the additional locks cause a slight degression of 0.7% in tcp connections per second. When IP and TCP input are deserialized and can run in parallel this little overhead can be neglected. The syncookie handling still leaves room for improvement and its random salts may be moved to the syncache bucket head structures to remove the second lock operation currently required for it. However this would be a more involved change from the way syncookies work at the moment.
Reviewed by: rwatson Tested by: rwatson, ps (earlier version) Sponsored by: TCP/IP Optimization Fundraise 2005
|
#
156763 |
|
16-Mar-2006 |
rwatson |
Change soabort() from returning int to returning void, since all consumers ignore the return value, soabort() is required to succeed, and protocols produce errors here to report multiple freeing of the pcb, which we hope to eliminate.
|
#
156125 |
|
28-Feb-2006 |
andre |
Rework TCP window scaling (RFC1323) to properly scale the send window right from the beginning and partly clean up the differences in handling between SYN_SENT and SYN_RCVD (syncache).
Further changes to this code to come. This is a first incremental step to a general overhaul and streamlining of the TCP code.
PR: kern/15095 PR: kern/92690 (partly) Reviewed by: qingli (and tested with ANVL) Sponsored by: TCP/IP Optimization Fundraise 2005
|
#
155487 |
|
09-Feb-2006 |
qingli |
Set the M_ZERO flag when calling uma_zalloc() to allocate a syncache entry.
Reviewed by: andre, glebius MFC after: 3 days
|
#
155463 |
|
08-Feb-2006 |
qingli |
Redo the previous fix by setting the UMA_ZONE_ZINIT bit in the syncache zone, eliminating the need to call bzero() after each syncache entry allocation.
Suggested by: glebius Reviewed by: andre MFC after: 3 days
|
#
155439 |
|
07-Feb-2006 |
qingli |
Fixes a crash due to the memory of the newly allocated syncache entry in syncache_lookup() is not cleared and may lead to an arbitrary and bogus rtentry pointer which later gets free'd.
Reviewed by: andre MFC after: 3 days
|
#
154524 |
|
18-Jan-2006 |
andre |
In syncache_expand() insert a proper syncache_free() to fix a case that currently can't be triggered. But better be safe than sorry later on. Additionally it properly silences Coverity Prevent for future tests.
Found by: Coverity Prevent(tm) Coverity ID: CID802 Sponsored by: TCP/IP Optimization Fundraise 2005 MFC after: 3 days
|
#
154355 |
|
14-Jan-2006 |
glebius |
UMA can return NULL not only in case when our zone is full, but also in case of generic memory shortage. In the latter case we may not find an old entry.
Found with: Coverity Prevent(tm)
|
#
152592 |
|
18-Nov-2005 |
andre |
Consolidate all IP Options handling functions into ip_options.[ch] and include ip_options.h into all files making use of IP Options functions.
From ip_input.c rev 1.306: ip_dooptions(struct mbuf *m, int pass) save_rte(m, option, dst) ip_srcroute(m0) ip_stripoptions(m, mopt)
From ip_output.c rev 1.249: ip_insertoptions(m, opt, phlen) ip_optcopy(ip, jp) ip_pcbopts(struct inpcb *inp, int optname, struct mbuf *m)
No functional changes in this commit.
Discussed with: rwatson Sponsored by: TCP/IP Optimization Fundraise 2005
|
#
151967 |
|
02-Nov-2005 |
andre |
Retire MT_HEADER mbuf type and change its users to use MT_DATA.
Having an additional MT_HEADER mbuf type is superfluous and redundant as nothing depends on it. It only adds a layer of confusion. The distinction between header mbuf's and data mbuf's is solely done through the m->m_flags M_PKTHDR flag.
Non-native code is not changed in this commit. For compatibility MT_HEADER is mapped to MT_DATA.
Sponsored by: TCP/IP Optimization Fundraise 2005
|
#
150131 |
|
14-Sep-2005 |
andre |
Do not ignore all other TCP options (eg. timestamp, window scaling) when responding to TCP SYN packets with TCP_MD5 enabled and set.
PR: kern/82963 Submitted by: <demizu at dd.iij4u.or.jp> MFC after: 3 days
|
#
149455 |
|
25-Aug-2005 |
glebius |
- Refuse hashsize of 0, since it is invalid. - Use defined constant instead of 512.
|
#
148156 |
|
19-Jul-2005 |
rwatson |
Remove no-op spl's and most comment references to spls, as TCP locking is believed to be basically done (modulo any remaining bugs).
MFC after: 3 days
|
#
145373 |
|
21-Apr-2005 |
ps |
Remove some code that snuck in by accident.
Submitted by: Mohan Srinivasan
|
#
145372 |
|
21-Apr-2005 |
ps |
Fix for interaction problems between TCP SACK and TCP Signature. If TCP Signatures are enabled, the maximum allowed sack blocks aren't going to fit. The fix is to compute how many sack blocks fit and tack these on last. Also on SYNs, defer padding until after the SACK PERMITTED option has been added.
Found by: Mohan Srinivasan. Submitted by: Mohan Srinivasan, Noritoshi Demizu. Reviewed by: Raja Mukerji.
|
#
145371 |
|
21-Apr-2005 |
ps |
Undo rev 1.71 as it is the wrong change.
|
#
145369 |
|
21-Apr-2005 |
ps |
Fix for 2 bugs related to TCP Signatures : - If the peer sends the Signature option in the SYN, use of Timestamps and Window Scaling were disabled (even if the peer supports them). - The sender must not disable signatures if the option is absent in the received SYN. (See comment in syncache_add()).
Found, Submitted by: Noritoshi Demizu <demizu at dd dot ij4u dot or dot jp>. Reviewed by: Mohan Srinivasan <mohans at yahoo-inc dot com>.
|
#
142906 |
|
01-Mar-2005 |
glebius |
Use NET_CALLOUT_MPSAFE macro.
|
#
141063 |
|
30-Jan-2005 |
rwatson |
Remove clause three from tcp_syncache.c license per permission of McAfee. Update copyright to McAfee from NETA.
|
#
137139 |
|
02-Nov-2004 |
andre |
Remove RFC1644 T/TCP support from the TCP side of the network stack.
A complete rationale and discussion is given in this message and the resulting discussion:
http://docs.freebsd.org/cgi/mid.cgi?4177C8AD.6060706
Note that this commit removes only the functional part of T/TCP from the tcp_* related functions in the kernel. Other features introduced with RFC1644 are left intact (socket layer changes, sendmsg(2) on connection oriented protocols) and are meant to be reused by a simpler and less intrusive reimplemention of the previous T/TCP functionality.
Discussed on: -arch
|
#
135274 |
|
15-Sep-2004 |
andre |
Remove the last two global variables that are used to store packet state while it travels through the IP stack. This wasn't much of a problem because IP source routing is disabled by default but when enabled together with SMP and preemption it would have very likely cross-corrupted the IP options in transit.
The IP source route options of a packet are now stored in a mtag instead of the global variable.
|
#
133874 |
|
16-Aug-2004 |
rwatson |
White space cleanup for netinet before branch:
- Trailing tab/space cleanup - Remove spurious spaces between or before tabs
This change avoids touching files that Andre likely has in his working set for PFIL hooks changes for IPFW/DUMMYNET.
Approved by: re (scottl) Submitted by: Xin LI <delphij@frontfree.net>
|
#
133720 |
|
14-Aug-2004 |
dwmalone |
Get rid of the RANDOM_IP_ID option and make it a sysctl. NetBSD have already done this, so I have styled the patch on their work:
1) introduce a ip_newid() static inline function that checks the sysctl and then decides if it should return a sequential or random IP ID.
2) named the sysctl net.inet.ip.random_id
3) IPv6 flow IDs and fragment IDs are now always random. Flow IDs and frag IDs are significantly less common in the IPv6 world (ie. rarely generated per-packet), so there should be smaller performance concerns.
The sysctl defaults to 0 (sequential IP IDs).
Reviewed by: andre, silby, mlaier, ume Based on: NetBSD MFC after: 2 months
|
#
133517 |
|
11-Aug-2004 |
andre |
Backout removal of UMA_ZONE_NOFREE flag for all zones which are established for structures with timers in them. It might be that a timer might fire even when the associated structure has already been free'd. Having type- stable storage in this case is beneficial for graceful failure handling and debugging.
Discussed with: bosko, tegge, rwatson
|
#
133509 |
|
11-Aug-2004 |
andre |
Remove the UMA_ZONE_NOFREE flag to all uma_zcreate() calls in the IP and TCP code. This flag would have prevented giving back excessive free slabs to the global pool after a transient peak usage.
|
#
132315 |
|
17-Jul-2004 |
dwmalone |
Fix the !INET6 build.
Reported by: alc
|
#
132307 |
|
17-Jul-2004 |
dwmalone |
The tcp syncache code was leaving the IPv6 flowlabel uninitialised for the SYN|ACK packet and then letting in6_pcbconnect set the flowlabel later. Arange for the syncache/syncookie code to set and recall the flow label so that the flowlabel used for the SYN|ACK is consistent. This is done by using some of the cookie (when tcp cookies are enabeled) and by stashing the flowlabel in syncache.
Tested and Discovered by: Orla McGann <orly@cnri.dit.ie> Approved by: ume, silby MFC after: 1 month
|
#
130989 |
|
23-Jun-2004 |
ps |
Add support for TCP Selective Acknowledgements. The work for this originated on RELENG_4 and was ported to -CURRENT.
The scoreboarding code was obtained from OpenBSD, and many of the remaining changes were inspired by OpenBSD, but not taken directly from there.
You can enable/disable sack using net.inet.tcp.do_sack. You can also limit the number of sack holes that all senders can have in the scoreboard with net.inet.tcp.sackhole_limit.
Reviewed by: gnn Obtained from: Yahoo! (Mohan Srinivasan, Jayanth Vijayaraghavan)
|
#
130555 |
|
16-Jun-2004 |
rwatson |
Convert GIANT_REQUIRED to NET_ASSERT_GIANT for socket access.
|
#
130398 |
|
13-Jun-2004 |
rwatson |
Socket MAC labels so_label and so_peerlabel are now protected by SOCK_LOCK(so):
- Hold socket lock over calls to MAC entry points reading or manipulating socket labels.
- Assert socket lock in MAC entry point implementations.
- When externalizing the socket label, first make a thread-local copy while holding the socket lock, then release the socket lock to externalize to userspace.
|
#
128905 |
|
04-May-2004 |
rwatson |
Switch to using the inpcb MAC label instead of socket MAC label when labeling new mbufs created from sockets/inpcbs in IPv4. This helps avoid the need for socket layer locking in the lower level network paths where inpcb locks are already frequently held where needed. In particular:
- Use the inpcb for label instead of socket in raw_append(). - Use the inpcb for label instead of socket in tcp_output(). - Use the inpcb for label instead of socket in tcp_respond(). - Use the inpcb for label instead of socket in tcp_twrespond(). - Use the inpcb for label instead of socket in syncache_respond().
While here, modify tcp_respond() to avoid assigning NULL to a stack variable and centralize assertions about the inpcb when inp is assigned.
Obtained from: TrustedBSD Project Sponsored by: DARPA, McAfee Research
|
#
127505 |
|
27-Mar-2004 |
pjd |
Reduce 'td' argument to 'cred' (struct ucred) argument in those functions: - in_pcbbind(), - in_pcbbind_setup(), - in_pcbconnect(), - in_pcbconnect_setup(), - in6_pcbbind(), - in6_pcbconnect(), - in6_pcbsetport(). "It should simplify/clarify things a great deal." --rwatson
Requested by: rwatson Reviewed by: rwatson, ume
|
#
125819 |
|
14-Feb-2004 |
bms |
Final brucification pass. Spell types consistently (u_int). Remove bogus casts. Remove unnecessary parenthesis.
Submitted by: bde
|
#
125783 |
|
13-Feb-2004 |
bms |
Brucification.
Submitted by: bde
|
#
125680 |
|
11-Feb-2004 |
bms |
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first. This can be enabled by compiling a kernel with options TCP_SIGNATURE and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of authenticating TCP sessions which came into being before IPSEC. It is still relevant today, however, as it is used by many commercial router vendors, particularly with BGP, and as such has become a requirement for interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload, are digested with MD5, including a shared secret. The PF_KEY interface is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow per-port back to an SPI without polluting tcpcb or using the SPD; the code to do the latter is unstable at this time. Therefore this code only supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6), TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when responding to a host initiating a TCP session, but no effort is made [yet] to authenticate inbound traffic. This is, however, sufficient to interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with local patches. Patches for tcpdump to validate TCP-MD5 sessions are also available from me upon request.
Sponsored by: sentex.net
|
#
124851 |
|
22-Jan-2004 |
andre |
Remove leftover FREE() from changes in rev 1.50.
Noticed by: Jun Kuriyama <kuriyama@imgsrc.co.jp>
|
#
124848 |
|
22-Jan-2004 |
andre |
Move the reduction by one of the syncache limit after the zone has been allocated.
Reviewed by: sam (mentor) Obtained from: DragonFlyBSD rev 1.6 (hsu)
|
#
124847 |
|
22-Jan-2004 |
andre |
Remove an unused variable and put the sockaddr_in6 onto the stack instead of malloc'ing it.
Reviewed by: sam (mentor) Obtained from: DragonFlyBSD rev 1.6 (hsu)
|
#
122922 |
|
20-Nov-2003 |
andre |
Introduce tcp_hostcache and remove the tcp specific metrics from the routing table. Move all usage and references in the tcp stack from the routing table metrics to the tcp hostcache.
It caches measured parameters of past tcp sessions to provide better initial start values for following connections from or to the same source or destination. Depending on the network parameters to/from the remote host this can lead to significant speedups for new tcp connections after the first one because they inherit and shortcut the learning curve.
tcp_hostcache is designed for multiple concurrent access in SMP environments with high contention and is hash indexed by remote ip address.
It removes significant locking requirements from the tcp stack with regard to the routing table.
Reviewed by: sam (mentor), bms Reviewed by: -net, -current, core@kame.net (IPv6 parts) Approved by: re (scottl)
|
#
122501 |
|
11-Nov-2003 |
sam |
correct typos
Pointed out by: Mike Silbersack
|
#
122496 |
|
11-Nov-2003 |
sam |
o add missing inpcb locking in tcp_respond o replace spl's with lock assertions
Supported by: FreeBSD Foundation
|
#
122449 |
|
10-Nov-2003 |
sam |
use Giant-less callouts when debug_mpsafenet is non-zero
Supported by: FreeBSD Foundation
|
#
122437 |
|
10-Nov-2003 |
hsu |
Mark TCP syncache timer as not Giant-free ready yet.
|
#
122062 |
|
04-Nov-2003 |
ume |
- cleanup SP refcnt issue. - share policy-on-socket for listening socket. - don't copy policy-on-socket at all. secpolicy no longer contain spidx, which saves a lot of memory. - deep-copy pcb policy if it is an ipsec policy. assign ID field to all SPD entries. make it possible for racoon to grab SPD entry on pcb. - fixed the order of searching SA table for packets. - fixed to get a security association header. a mode is always needed to compare them. - fixed that the incorrect time was set to sadb_comb_{hard|soft}_usetime. - disallow port spec for tunnel mode policy (as we don't reassemble). - an user can define a policy-id. - clear enc/auth key before freeing. - fixed that the kernel crashed when key_spdacquire() was called because key_spdacquire() had been implemented imcopletely. - preparation for 64bit sequence number. - maintain ordered list of SA, based on SA id. - cleanup secasvar management; refcnt is key.c responsibility; alloc/free is keydb.c responsibility. - cleanup, avoid double-loop. - use hash for spi-based lookup. - mark persistent SP "persistent". XXX in theory refcnt should do the right thing, however, we have "spdflush" which would touch all SPs. another solution would be to de-register persistent SPs from sptree. - u_short -> u_int16_t - reduce kernel stack usage by auto variable secasindex. - clarify function name confusion. ipsec_*_policy -> ipsec_*_pcbpolicy. - avoid variable name confusion. (struct inpcbpolicy *)pcb_sp, spp (struct secpolicy **), sp (struct secpolicy *) - count number of ipsec encapsulations on ipsec4_output, so that we can tell ip_output() how to handle the packet further. - When the value of the ul_proto is ICMP or ICMPV6, the port field in "src" of the spidx specifies ICMP type, and the port field in "dst" of the spidx specifies ICMP code. - avoid from applying IPsec transport mode to the packets when the kernel forwards the packets.
Tested by: nork Obtained from: KAME
|
#
121307 |
|
21-Oct-2003 |
silby |
Change all SYSCTLS which are readonly and have a related TUNABLE from CTLFLAG_RD to CTLFLAG_RDTUN so that sysctl(8) can provide more useful error messages.
|
#
119137 |
|
19-Aug-2003 |
sam |
Change instances of callout_init that specify MPSAFE behaviour to use CALLOUT_MPSAFE instead of "1" for the second parameter. This does not change the behaviour; it just makes the intent more clear.
|
#
118864 |
|
13-Aug-2003 |
harti |
The syncache has made use of TCPDEBUG problematic, because the SYN segments are lost for the application. This broke, for example, ports/benchmarks/dbs which needs the SYN segment to filter the contents of the trace buffer for the connection it is interested in.
This patch makes the SYN segments available again. Unfortunately they are now associated with the listening socket instead of the new one, so a change to applications is required, but without this patch it wouldn't work altogether.
PR: kern/45966
|
#
117686 |
|
17-Jul-2003 |
hsu |
Drop Giant around syncache timer processing.
|
#
111405 |
|
24-Feb-2003 |
silby |
Fix a comment which didn't match the new cookie behavior.
Submitted by: Scott Renfro <scott@renfro.org> MFC after: 1 day
|
#
111338 |
|
23-Feb-2003 |
silby |
Improve the security and performance of syncookies:
Security improvements: - Increase the size of each syncookie secret from 32 to 128 bits in order to make brute force attacks on the secrets much more difficult. - Always return the lowest order dword from the MD5 hash; this allows us to expose 2 more bits of the cookie and makes ACK floods which seek to guess the cookie value more difficult.
Performance improvements: - Increase the lifetime of each syncookie from 4 seconds to 16 seconds. This increases the usefulness of syncookies during an attack. - From Yahoo!: Reduce the number of calls to MD5Update; this results in a ~17% increase in cookie generation time here.
Reviewed by: hsu, jayanth, jlemon, nectar MFC After: 15 seconds
|
#
111119 |
|
19-Feb-2003 |
imp |
Back out M_* changes, per decision of the TRB.
Approved by: trb
|
#
110737 |
|
11-Feb-2003 |
hsu |
Properly document that syncache timer processing requires an exclusive TCP protocol lock.
|
#
110023 |
|
29-Jan-2003 |
silby |
Fix a bug with syncookies; previously, the syncache's MSS size was not initialized until after a syncookie was generated. As a result, all connections resulting from a returned cookie would end up using a MSS of ~512 bytes. Now larger packets will be used where possible.
MFC after: 5 days
|
#
109623 |
|
21-Jan-2003 |
alfred |
Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0. Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
|
#
108703 |
|
05-Jan-2003 |
hsu |
Validate inp before de-referencing it.
Submitted by: pb
|
#
108180 |
|
22-Dec-2002 |
pb |
Remove forgotten INP_UNLOCK(inp) in my previous commit. Reported by: hsu
|
#
108160 |
|
21-Dec-2002 |
pb |
In syncache_timer(), don't attempt to lock the inpcb structure associated with the syncache entry: in case tcp_close() has been called on the corresponding listening socket, the lock has been destroyed as a side effect of in_pcbdetach(), causing a panic when we attempt to lock on it.
Reviewed by: hsu
|
#
108125 |
|
20-Dec-2002 |
hsu |
Eliminate a goto. Fix some line breaks.
|
#
108112 |
|
19-Dec-2002 |
hsu |
Expand scope of TCP protocol lock to cover syncache data structures.
|
#
106696 |
|
09-Nov-2002 |
alfred |
Fix instances of macros with improperly parenthasized arguments.
Verified by: md5
|
#
105199 |
|
16-Oct-2002 |
sam |
Tie new "Fast IPsec" code into the build. This involves the usual configuration stuff as well as conditional code in the IPv4 and IPv6 areas. Everything is conditional on FAST_IPSEC which is mutually exclusive with IPSEC (KAME IPsec implmentation).
As noted previously, don't use FAST_IPSEC with INET6 at the moment.
Reviewed by: KAME, rwatson Approved by: silence Supported by: Vernier Networks
|
#
105194 |
|
15-Oct-2002 |
sam |
Replace aux mbufs with packet tags:
o instead of a list of mbufs use a list of m_tag structures a la openbsd o for netgraph et. al. extend the stock openbsd m_tag to include a 32-bit ABI/module number cookie o for openbsd compatibility define a well-known cookie MTAG_ABI_COMPAT and use this in defining openbsd-compatible m_tag_find and m_tag_get routines o rewrite KAME use of aux mbufs in terms of packet tags o eliminate the most heavily used aux mbufs by adding an additional struct inpcb parameter to ip_output and ip6_output to allow the IPsec code to locate the security policy to apply to outbound packets o bump __FreeBSD_version so code can be conditionalized o fixup ipfilter's call to ip_output based on __FreeBSD_version
Reviewed by: julian, luigi (silent), -arch, -net, darren Approved by: julian, silence from everyone else Obtained from: openbsd (mostly) MFC after: 1 month
|
#
101405 |
|
05-Aug-2002 |
silby |
Handle PMTU discovery in syn-ack packets slightly differently; rely on syncache flags instead of directly accessing the route entry.
MFC after: 3 days
|
#
101106 |
|
31-Jul-2002 |
rwatson |
Introduce support for Mandatory Access Control and extensible kernel access control.
Instrument the TCP socket code for packet generation and delivery: label outgoing mbufs with the label of the socket, and check socket and mbuf labels before permitting delivery to a socket. Assign labels to newly accepted connections when the syncache/cookie code has done its business. Also set peer labels as convenient. Currently, MAC policies cannot influence the PCB matching algorithm, so cannot implement polyinstantiation. Note that there is at least one case where a PCB is not available due to the TCP packet not being associated with any socket, so we don't label in that case, but need to handle it in a special manner.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
98982 |
|
28-Jun-2002 |
jlemon |
One possible code path for syncache_respond() is:
syncache_respond(A), ip_output(), ip_input(), tcp_input(), syncache_badack(B)
Which winds up deleting a different entry from the syncache. Handle this by not utilizing the next entry in the timer chain until after syncache_respond() completes. The case of A == B should not be possible.
Problem found by: Don Bowman <don@sandvine.com>
|
#
98204 |
|
14-Jun-2002 |
silby |
Re-commit w/fix:
Ensure that the syn cache's syn-ack packets contain the same ip_tos, ip_ttl, and DF bits as all other tcp packets.
PR: 39141 MFC after: 2 weeks
This time, make sure that ipv4 specific code (aka all of the above) is only run in the ipv4 case.
|
#
98203 |
|
14-Jun-2002 |
silby |
Back out ip_tos/ip_ttl/DF "fix", it just panic'd my box. :)
Pointy-hat to: silby
|
#
98202 |
|
14-Jun-2002 |
silby |
Ensure that the syn cache's syn-ack packets contain the same ip_tos, ip_ttl, and DF bits as all other tcp packets.
PR: 39141 MFC after: 2 weeks
|
#
98108 |
|
10-Jun-2002 |
hsu |
Every array elt is initialized in the following loop, so remove unnecessary M_ZERO.
|
#
98102 |
|
10-Jun-2002 |
hsu |
Lock up inpcb.
Submitted by: Jennifer Yang <yangjihui@yahoo.com>
|
#
96602 |
|
14-May-2002 |
rwatson |
Modify the arguments to syncache_socket() to include the mbuf (m) that results in the syncache entry being turned into a socket. While it's not used in the main tree, this is required in the MAC tree so that labels can be propagated from the mbuf to the socket. This is also useful if you're doing things like transparent IP connection hijacking and you want to use the syncache/cookie mechanism, but we won't go there.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
92760 |
|
20-Mar-2002 |
jeff |
Switch vm_zone.h with uma.h. Change over to uma interfaces.
|
#
92654 |
|
19-Mar-2002 |
jeff |
This is the first part of the new kernel memory allocator. This replaces malloc(9) and vm_zone with a slab like allocator.
Reviewed by: arch@
|
#
92275 |
|
14-Mar-2002 |
rwatson |
NAI DBA update
|
#
91492 |
|
28-Feb-2002 |
ume |
- Set inc_isipv6 in tcp6_usr_connect(). - When making a pcb from a sync cache, do not forget to copy inc_isipv6.
Obtained from: KAME MFC After: 1 week
|
#
90982 |
|
20-Feb-2002 |
jlemon |
When expanding a syncache entry into a socket, inherit the socket options from the current listen socket instead of the cached (and possibly stale) TCB pointer.
|
#
90556 |
|
12-Feb-2002 |
jlemon |
When a duplicate SYN arrives which matches an entry in the syncache, update our lazy reference to the inpcb structure, as it may have changed.
Found by: dima
|
#
90361 |
|
07-Feb-2002 |
julian |
Pre-KSE/M3 commit. this is a low-functionality change that changes the kernel to access the main thread of a process via the linked list of threads rather than assuming that it is embedded in the process. It IS still embeded there but remove all teh code that assumes that in preparation for the next commit which will actually move it out.
Reviewed by: peter@freebsd.org, gallatin@cs.duke.edu, benno rice,
|
#
89667 |
|
22-Jan-2002 |
jlemon |
The ENDPTS_EQ macro was comparing the one of the fports to itself. Fix.
Submitted by: emy@boostworks.com
|
#
88330 |
|
21-Dec-2001 |
jlemon |
If syncookies are disabled (net.inet.tcp.syncookies) then use the faster arc4random() routine to generate ISNs instead of creating them with MD5().
Suggested by: silby
|
#
88195 |
|
19-Dec-2001 |
jlemon |
When storing an int value in a void *, use intptr_t as the cast type (instead of int) to keep the 64 bit platforms happy.
|
#
88180 |
|
19-Dec-2001 |
jlemon |
Extend the SYN DoS defense by adding syncookies to the syncache. All TCP ISNs that are sent out are valid cookies, which allows entries in the syncache to be dropped and still have the ACK accepted later. As all entries pass through the syncache, there is no sudden switchover from cache -> cookies when the cache is full; instead, syncache entries simply have a reduced lifetime. More details may be found in the "Resisting DoS attacks with a SYN cache" paper in the Usenix BSDCon 2002 conference proceedings.
Sponsored by: DARPA, NAI Labs
|
#
87780 |
|
13-Dec-2001 |
jlemon |
Undo one of my last minute changes; move sc_iss up earlier so it is initialized in case we take the T/TCP path.
|
#
87193 |
|
02-Dec-2001 |
dillon |
Fix a bug with transmitter restart after receiving a 0 window. The receiver was not sending an immediate ack with delayed acks turned on when the input buffer is drained, preventing the transmitter from restarting immediately.
Propogate the TCP_NODELAY option to accept()ed sockets. (Helps tbench and is a good idea anyway).
Some cleanup. Identify additonal issues in comments.
MFC after: 1 day
|
#
86958 |
|
27-Nov-2001 |
tanimura |
Clear a new syncache entry first, followed by filling in values. This fixes route breakage due to uncleared gabage on my box.
|
#
86814 |
|
23-Nov-2001 |
bde |
Fixed a buffer overrun. In my kernel configuration, tcp_syncache happens to be followed by nfsnodehashtbl, so bzeroing callouts beyond the end of tcp_syncache soon caused a null pointer panic when nfsnodehashtbl was accessed.
|
#
86764 |
|
22-Nov-2001 |
jlemon |
Introduce a syncache, which enables FreeBSD to withstand a SYN flood DoS in an improved fashion over the existing code.
Reviewed by: silby (in a previous iteration) Sponsored by: DARPA, NAI Labs
|