215a18d5 | 05-Jun-2024 | Zhenlei Huang <zlei@FreeBSD.org>
if_enc(4): Prefer the boolean form when calling bpf_peers_present()
No functional change intended.
MFC after: 1 week

95ee2897 | 16-Aug-2023 | Warner Losh <imp@FreeBSD.org>
sys: Remove $FreeBSD$: two-line .h pattern
Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/

4d846d26 | 10-May-2023 | Warner Losh <imp@FreeBSD.org>
spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD
The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch up to that fact and revert to their recommended match of BSD-2-Clause.
Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix

a2256150 | 14-Feb-2023 | Gleb Smirnoff <glebius@FreeBSD.org>
net: use pfil_mbuf_{in,out} where we always have an mbuf
This finalizes what has been started in 0b70e3e78b0.
Reviewed by: kp, mjg
Differential revision: https://reviews.freebsd.org/D37976

2c2b37ad | 13-Jan-2023 | Justin Hibbits <jhibbits@FreeBSD.org>
ifnet/API: Move struct ifnet definition to a <net/if_private.h>
Hide the ifnet structure definition, no user serviceable parts inside, it's a netstack implementation detail. Include it temporarily in <net/if_var.h> until all drivers are updated to use the accessors exclusively.
Reviewed by: glebius
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D38046

28d2a72b | 29-May-2020 | John Baldwin <jhb@FreeBSD.org>
Consistently include opt_ipsec.h for consumers of <netipsec/ipsec.h>.
This fixes ipsec.ko to include all of IPSEC_DEBUG.
Reviewed by: imp
MFC after: 2 weeks
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D25046

7029da5c | 26-Feb-2020 | Pawel Biernacki <kaktus@FreeBSD.org>
Mark more nodes as CTLFLAG_MPSAFE or CTLFLAG_NEEDGIANT (17 of many)
r357614 added CTLFLAG_NEEDGIANT to make it easier to find nodes that are still not MPSAFE (or already are but aren't properly marked). Use it in preparation for a general review of all nodes.
This is a non-functional change that adds annotations to SYSCTL_NODE and SYSCTL_PROC nodes using one of the soon-to-be-required flags.
Mark all obvious cases as MPSAFE. All entries that haven't been marked as MPSAFE before are by default marked as NEEDGIANT.
Approved by: kib (mentor, blanket)
Commented by: kib, gallatin, melifaro
Differential Revision: https://reviews.freebsd.org/D23718

b252313f | 31-Jan-2019 | Gleb Smirnoff <glebius@FreeBSD.org>
New pfil(9) KPI together with newborn pfil API and control utility.
The KPI has been reviewed and cleansed of features that were planned back 20 years ago and never implemented. The pfil(9) internals have been made opaque to protocols with only returned types and function declarations exposed. The KPI is made more strict, but at the same time more extensible, as kernel uses same command structures that userland ioctl uses.
In a nutshell [KA]PI is about declaring filtering points, declaring filters and linking and unlinking them together.
New [KA]PI makes it possible to reconfigure pfil(9) configuration: change order of hooks, rehook filter from one filtering point to a different one, disconnect a hook on output leaving it on input only, prepend/append a filter to existing list of filters.
Now it is possible for a single packet filter to provide multiple rulesets that may be linked to different points. Think of per-interface ACLs in Cisco or Juniper. None of existing packet filters yet support that, however limited usage is already possible, e.g. default ruleset can be moved to single interface, as soon as interface would provide their filtering points.
Another future feature is possibility to create pfil heads, that provide not an mbuf pointer but just a memory pointer with length. That would allow filtering at very early stages of a packet lifecycle, e.g. when packet has just been received by a NIC and no mbuf was yet allocated.
Differential Revision: https://reviews.freebsd.org/D18951

5f901c92 | 24-Jul-2018 | Andrew Turner <andrew@FreeBSD.org>
Use the new VNET_DEFINE_STATIC macro when we are defining static VNET variables.
Reviewed by: bz
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D16147

effaab88 | 23-Mar-2018 | Kristof Provost <kp@FreeBSD.org>
netpfil: Introduce PFIL_FWD flag
Forwarded packets passed through PFIL_OUT, which made it difficult for firewalls to figure out if they were forwarding or producing packets. This in turn is an issue for pf for IPv6 fragment handling: it needs to call ip6_output() or ip6_forward() to handle the fragments. Figuring out which was difficult (and until now, incorrect).
Having pfil distinguish the two removes an ugly piece of code from pf.
Introduce a new variant of the netpfil callbacks with a flags variable, which has PFIL_FWD set for forwarded packets. This allows pf to reliably work out if a packet is forwarded.
Reviewed by: ae, kevans
Differential Revision: https://reviews.freebsd.org/D13715

fe267a55 | 27-Nov-2017 | Pedro F. Giffuni <pfg@FreeBSD.org>
sys: general adoption of SPDX licensing ID tags.
Mainly focus on files that use BSD 2-Clause license, however the tool I was using misidentified many licenses so this was mostly a manual - error prone - task.
The Software Package Data Exchange (SPDX) group provides a specification to make it easier for automated tools to detect and summarize well known opensource licenses. We are gradually adopting the specification, noting that the tags are considered only advisory and do not, in any way, supersede or replace the license texts.
No functional change intended.

95e8b991 | 08-Aug-2017 | Andrey V. Elsukov <ae@FreeBSD.org>
Add to if_enc(4) ability to capture packets via BPF after pfil processing.
New flag 0x4 can be configured in net.enc.[in|out].ipsec_bpf_mask. When it is set, if_enc(4) additionally captures a packet via BPF after invoking pfil hook. This may be useful for debugging.
MFC after: 2 weeks
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D11804

1a01e0e7 | 31-Jul-2017 | Andrey V. Elsukov <ae@FreeBSD.org>
Add inpcb pointer to struct ipsec_ctx_data and pass it to the pfil hook from enc_hhook().
This should solve the problem when pf is used with if_enc(4) interface, and outbound packet with existing PCB checked by pf, and this leads to deadlock due to pf does its own PCB lookup and tries to take rlock when wlock is already held. Now we pass PCB pointer if it is known to the pfil hook, this helps to avoid extra PCB lookup and thus rlock acquiring is not needed. For inbound packets it is safe to pass NULL, because we do not hold any PCB locks yet.
PR: 220217
MFC after: 3 weeks
Sponsored by: Yandex LLC

52b8eb0b | 27-Mar-2017 | Andrey V. Elsukov <ae@FreeBSD.org>
Declare module version.
MFC after: 1 week

89856f7e | 21-Jun-2016 | Bjoern A. Zeeb <bz@FreeBSD.org>
Get closer to a VIMAGE network stack teardown from top to bottom rather than removing the network interfaces first. This change is rather larger and convoluted as the ordering requirements cannot be separated.
Move the pfil(9) framework to SI_SUB_PROTO_PFIL, move Firewalls and related modules to their own SI_SUB_PROTO_FIREWALL. Move initialization of "physical" interfaces to SI_SUB_DRIVERS, move virtual (cloned) interfaces to SI_SUB_PSEUDO. Move Multicast to SI_SUB_PROTO_MC.
Re-work parts of multicast initialisation and teardown, not taking the huge amount of memory into account if used as a module yet.
For interface teardown we try to do as many of them as we can on SI_SUB_INIT_IF, but for some this makes no sense, e.g., when tunnelling over a higher layer protocol such as IP. In that case the interface has to go along (or before) the higher layer protocol is shutdown. Kernel hhooks need to go last on teardown as they may be used at various higher layers and we cannot remove them before we cleaned up the higher layers.
For interface teardown there are multiple paths: (a) a cloned interface is destroyed (inside a VIMAGE or in the base system), (b) any interface is moved from a virtual network stack to a different network stack ("vmove"), or (c) a virtual network stack is being shut down. All code paths go through if_detach_internal() where we, depending on the vmove flag or the vnet state, make a decision on how much to shut down; in case we are destroying a VNET the individual protocol layers will cleanup their own parts thus we cannot do so again for each interface as we end up with, e.g., double-frees, destroying locks twice or acquiring already destroyed locks. When calling into protocol cleanups we equally have to tell them whether they need to detach upper layer protocols ("ulp") or not (e.g., in6_ifdetach()).
Provide or enhance helper functions to do proper cleanup at a protocol rather than at an interface level.
Approved by: re (hrs)
Obtained from: projects/vnet
Reviewed by: gnn, jhb
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D6747

1f12da0e | 22-Jan-2016 | Bjoern A. Zeeb <bz@FreeBSD.org>
Just checkpoint the WIP in order to be able to make the tree update easier.
Note: this is currently not in a usable state as certain teardown parts are not called and the DOMAIN rework is missing. More to come soon and find its way to head.
Obtained from: P4 //depot/user/bz/vimage/...
Sponsored by: The FreeBSD Foundation

766b4e4b | 25-Nov-2015 | Enji Cooper <ngie@FreeBSD.org>
Fix building sys/modules/if_enc by adding missing headers
X-MFC with: r291292, r291299 (if that ever happens)
Pointyhat to: ae

03b7b4bf | 25-Nov-2015 | Andrey V. Elsukov <ae@FreeBSD.org>
Fix the build.

ef91a976 | 25-Nov-2015 | Andrey V. Elsukov <ae@FreeBSD.org>
Overhaul if_enc(4) and make it loadable in run-time.
Use hhook(9) framework to achieve ability of loading and unloading if_enc(4) kernel module. INET and INET6 code on initialization registers two helper hooks points in the kernel. if_enc(4) module uses these helper hook points and registers its hooks. IPSEC code uses these hhook points to call helper hooks implemented in if_enc(4).

033074c4 | 09-Nov-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Replace 'struct route *' if_output() argument with 'struct nhop_info *'.
Leave 'struct route' as is for legacy routing api users. Remove most of rtalloc_ign*-derived functions.

9ef26821 | 07-Oct-2014 | Andrey V. Elsukov <ae@FreeBSD.org>
Our packet filters use mbuf's rcvif pointer to determine incoming interface. Change mbuf's rcvif to enc0 and restore it after pfil processing.
PR: 110959
Sponsored by: Yandex LLC

76039bc8 | 26-Oct-2013 | Gleb Smirnoff <glebius@FreeBSD.org>
The r48589 promised to remove implicit inclusion of if_var.h soon. Prepare to this event, adding if_var.h to files that do need it. Also, include all includes that now are included due to implicit pollution via if_var.h
Sponsored by: Netflix
Sponsored by: Nginx, Inc.

bdad3190 | 28-Sep-2013 | Gleb Smirnoff <glebius@FreeBSD.org>
Fix a fallout from r241610. One enc interface must be created on startup.
Pointy hat to: glebius
Reported by: gavin
Approved by: re (gjb)

47e8d432 | 25-Apr-2013 | Gleb Smirnoff <glebius@FreeBSD.org>
Add const qualifier to the dst parameter of the ifnet if_output method.

42a58907 | 16-Oct-2012 | Gleb Smirnoff <glebius@FreeBSD.org>
Make the "struct if_clone" opaque to users of the cloning API. Users now use function calls:
  if_clone_simple()
  if_clone_advanced()
to initialize a cloner, instead of macros that initialize if_clone structure.
Discussed with: brooks, bz, 1 year ago

9823d527 | 10-Oct-2012 | Kevin Lo <kevlo@FreeBSD.org>
Revert previous commit...
Pointyhat to: kevlo (myself)

a10cee30 | 09-Oct-2012 | Kevin Lo <kevlo@FreeBSD.org>
Prefer NULL over 0 for pointers

21d172a3 | 06-Oct-2012 | Gleb Smirnoff <glebius@FreeBSD.org>
A step in resolving mess with byte ordering for AF_INET. After this change:
- All packets in NETISR_IP queue are in net byte order.
- ip_input() is entered in net byte order and converts packet to host byte order right _after_ processing pfil(9) hooks.
- ip_output() is entered in host byte order and converts packet to net byte order right _before_ processing pfil(9) hooks.
- ip_fragment() accepts and emits packet in net byte order.
- ip_forward(), ip_mloopback() use host byte order (untouched actually).
- ip_fastforward() no longer modifies packet at all (except ip_ttl).
- Swapping of byte order there and back removed from the following modules: pf(4), ipfw(4), enc(4), if_bridge(4).
- Swapping of byte order added to ipfilter(4), based on __FreeBSD_version
- __FreeBSD_version bumped.
- pfil(9) manual page updated.
Reviewed by: ray, luigi, eri, melifaro
Tested by: glebius (LE), ray (BE)

b3aa4193 | 01-Oct-2012 | John Baldwin <jhb@FreeBSD.org>
Rename the module for 'device enc' to "if_enc" to avoid conflicting with the CAM "enc" peripheral (part of ses(4)). Previously the two modules used the same name, so only one was included in a linked kernel causing enc0 to not be created if you added IPSEC to GENERIC. The new module name follows the pattern of other network interfaces (e.g. "if_loop").
MFC after: 1 week

6472ac3d | 07-Nov-2011 | Ed Schouten <ed@FreeBSD.org>
Mark all SYSCTL_NODEs static that have no corresponding SYSCTL_DECLs.
The SYSCTL_NODE macro defines a list that stores all child-elements of that node. If there's no SYSCTL_DECL macro anywhere else, there's no reason why it shouldn't be static.

a0ae8f04 | 27-Apr-2011 | Bjoern A. Zeeb <bz@FreeBSD.org>
Make various (pseudo) interfaces compile without INET in the kernel adding appropriate #ifdefs. For module builds the framework needs adjustments for at least carp.
Reviewed by: gnn
Sponsored by: The FreeBSD Foundation
Sponsored by: iXsystems
MFC after: 4 days

f8e4b4ef | 19-Jan-2011 | Matthew D Fleming <mdf@FreeBSD.org>
sysctl(8) should use the CTLTYPE to determine the type of data when reading. (This was already done for writing to a sysctl). This requires all SYSCTL setups to specify a type. Most of them are now checked at compile-time.
Remove SYSCTL_*X* sysctl additions as the print being in hex should be controlled by the -x flag to sysctl(8).
Suggested by: bde

a7d5f7eb | 19-Oct-2010 | Jamie Gritton <jamie@FreeBSD.org>
A new jail(8) with a configuration file, to replace the work currently done by /etc/rc.d/jail.

2ae7ec29 | 07-Feb-2010 | Julian Elischer <julian@FreeBSD.org>
MFC of 197952 and 198075
Virtualize the pfil hooks so that different jails may choose different packet filters. Also allows ipfw to be enabled on one jail and disabled on another. In 8.0 it's a global setting.
and
Unbreak the VIMAGE build with IPSEC, broken with r197952 by virtualizing the pfil hooks. For consistency add the V_ to virtualize the pfil hooks in here as well.

382e8b5a | 14-Oct-2009 | Bjoern A. Zeeb <bz@FreeBSD.org>
Unbreak the VIMAGE build with IPSEC, broken with r197952 by virtualizing the pfil hooks. For consistency add the V_ to virtualize the pfil hooks in here as well.
MFC after: 55 days
X-MFC after: julian MFCed r197952.

530c0060 | 01-Aug-2009 | Robert Watson <rwatson@FreeBSD.org>
Merge the remainder of kern_vimage.c and vimage.h into vnet.c and vnet.h, we now use jails (rather than vimages) as the abstraction for virtualization management, and what remained was specific to virtual network stacks. Minor cleanups are done in the process, and comments updated to reflect these changes.
Reviewed by: bz
Approved by: re (vimage blanket)

eddfbb76 | 14-Jul-2009 | Robert Watson <rwatson@FreeBSD.org>
Build on Jeff Roberson's linker-set based dynamic per-CPU allocator (DPCPU), as suggested by Peter Wemm, and implement a new per-virtual network stack memory allocator. Modify vnet to use the allocator instead of monolithic global container structures (vinet, ...). This change solves many binary compatibility problems associated with VIMAGE, and restores ELF symbols for virtualized global variables.
Each virtualized global variable exists as a "reference copy", and also once per virtual network stack. Virtualized global variables are tagged at compile-time, placing them in a special linker set, which is loaded into a contiguous region of kernel memory. Virtualized global variables in the base kernel are linked as normal, but those in modules are copied and relocated to a reserved portion of the kernel's vnet region with the help of the kernel linker.
Virtualized global variables exist in per-vnet memory set up when the network stack instance is created, and are initialized statically from the reference copy. Run-time access occurs via an accessor macro, which converts from the current vnet and requested symbol to a per-vnet address. When "options VIMAGE" is not compiled into the kernel, normal global ELF symbols will be used instead and indirection is avoided.
This change restores static initialization for network stack global variables, restores support for non-global symbols and types, eliminates the need for many subsystem constructors, eliminates large per-subsystem structures that caused many binary compatibility issues both for monitoring applications (netstat) and kernel modules, removes the per-function INIT_VNET_*() macros throughout the stack, eliminates the need for vnet_symmap ksym(2) munging, and eliminates duplicate definitions of virtualized globals under VIMAGE_GLOBALS.
Bump __FreeBSD_version and update UPDATING.
Portions submitted by: bz
Reviewed by: bz, zec
Discussed with: gnn, jamie, jeff, jhb, julian, sam
Suggested by: peter
Approved by: re (kensmith)

7654a365 | 16-Jun-2009 | Bjoern A. Zeeb <bz@FreeBSD.org>
Add the explicit include of vimage.h to another five .c files still missing it. Remove the "hidden" kernel only include of vimage.h from ip_var.h added with the very first Vimage commit r181803 to avoid further kernel poisoning.

279aa3d4 | 16-Apr-2009 | Kip Macy <kmacy@FreeBSD.org>
Change if_output to take a struct route as its fourth argument in order to allow passing a cached struct llentry * down to L2
Reviewed by: rwatson

d7f03759 | 19-Oct-2008 | Ulf Lilleengen <lulf@FreeBSD.org>
- Import the HEAD csup code which is the basis for the cvsmode work.

97c2a697 | 12-Aug-2008 | VANHULLEBUS Yvan <vanhu@FreeBSD.org>
Increase statistic counters for enc0 interface when enabled and processing IPSec traffic.
Approved by: gnn (mentor)
MFC after: 1 week

89254723 | 24-Mar-2008 | Jung-uk Kim <jkim@FreeBSD.org>
Remove redundant inclusions of net/bpfdesc.h.

e361d7d4 | 26-Dec-2007 | Andrew Thompson <thompsa@FreeBSD.org>
Fix a panic where if the mbuf was consumed by the filter for requeueing (dummynet), ipsec_filter() would return the empty error code and the ipsec code would continue to forward/dereference the null mbuf.
Found by: m0n0wall
Reviewed by: bz
MFC after: 3 days

19ad9831 | 28-Nov-2007 | Bjoern A. Zeeb <bz@FreeBSD.org>
Add sysctls to if_enc(4) to control whether the firewalls or bpf will see inner and outer headers or just inner or outer headers for incoming and outgoing IPsec packets. This is useful in bpf to not have over long lines for debugging or selecting packets based on the inner headers. It also properly defines the behavior of what the firewalls see. Last but not least it gives you if_enc(4) for IPv6 as well.
[ As some auxiliary state was not available in the later input path we save it in the tdbi. That way tcpdump can give a consistent view of either of (authentic,confidential) for both before and after states. ]
Discussed with: thompsa (2007-04-25, basic idea of unifying paths)
Reviewed by: thompsa, gnn

0dea849a | 29-Dec-2006 | John Baldwin <jhb@FreeBSD.org>
Various bpf(4) related fixes to catch places up to the new bpf(4) semantics.
- Stop testing bpf pointers for NULL. In some cases use bpf_peers_present() and then call the function directly inside the conditional block instead of the macro.
- For places where the entire conditional block is the macro, remove the test and make the macro unconditional.
- Use BPF_MTAP() in if_pfsync on FreeBSD instead of an expanded version of the old semantics.
Reviewed by: csjp (older version)

07ed9a88 | 09-Jul-2006 | Andrew Thompson <thompsa@FreeBSD.org>
Catch up with the revised network interface cloning which takes an optional opaque parameter that can specify configuration parameters.

bac89dce | 04-Jul-2006 | Andrew Thompson <thompsa@FreeBSD.org>
Fix a braino in the last revision, enc_clone_destroy needs to return void instead of int. The clone system will ensure that our first interface is not destroyed so we don't need the extra checking anyway.
Tested by: Scott Ullrich

ae4748ad | 28-Jun-2006 | Andrew Thompson <thompsa@FreeBSD.org>
A small race existed where the lock was dropped between when encif was tested and then set. [1] Reorganise things to eliminate this, we now ensure that enc0 can not be destroyed which has the benefit of no longer needing to lock in ipsec_filter and ipsec_bpf. The cloner will create one interface during the init so we can guarantee that encif will be valid before any SPD entries are added to ipsec.
Spotted by: glebius [1]

f0ac1eed | 26-Jun-2006 | Andrew Thompson <thompsa@FreeBSD.org>
Simplify ipsec_bpf by using bpf_mtap2().

bdea400f | 26-Jun-2006 | Andrew Thompson <thompsa@FreeBSD.org>
Add a pseudo interface for packet filtering IPSec connections before or after encryption. There are two functions, a bpf tap which has a basic header with the SPI number which our current tcpdump knows how to display, and handoff to pfil(9) for packet filtering.
Obtained from: OpenBSD
Based on: kern/94829
No objections: arch, net
MFC after: 1 month