Use domain name for socket lock.

Syzkaller with witness complains about lock ordering of pf lock
with socket lock. Socket lock for inet is taken before pf lock.
Pf lock is taken before socket lock for route. This is a false
positive as route and inet socket locks are distinct. Witness does
not know this. Name the socket lock like the domain of the socket,
then rwlock name is used in witness lo_name subtype. Make domain
names more consistent for locking, they were not used anyway.
Regardless of witness problem, unique lock name for each socket
type make sense.

Reported-by: syzbot+34d22dcbf20d76629c5a@syzkaller.appspotmail.com
Reported-by: syzbot+fde8d07ba74b69d0adfe@syzkaller.appspotmail.com
OK mvs@

Backout sysctl(2) unlocking. Lock order issue was triggered in UVM
layer.

Revert ip_sysctl() unlocking. Lock order issue was triggered in UVM
layer.

Introduce temporary PR_MPSYSCTL flag to mark (*pr_sysctl)() handler MP
safe. We have may of them, so use flag instead of pushing kernel lock
within.

Unlock ip_sysctl(). Still take kernel lock within IPCTL_MRTSTATS case.
It looks like `mrtstat' protection is inconsistent, so keep locking as
it was. Since `mrtstat' are counters, it make sense to rework them into
per CPU counters with separate diffs.

Feedback and ok from bluhm@

Push kernel lock deep down to sys_sysctl(). At least network subset of
sysctl(8) MIBs relies on netlock or another locks and doesn't require
kernel lock, so unlock it. The protocols layer *_sysctl()s are left
under kernel lock and will be sequentially unlocked later.

ok bluhm@

remove unneeded includes in sys/kern
ok mpi@ miod@

As network features are not added dynamically, the domain structures
are constant. Having more const makes MP review easier. More
pointers are mapped read-only in the kernel image.
OK deraadt@ mvs@

Increase the default buffer space using on PF_UNIX sockets to 8k.
Additionally make the values tuneable via sysctl.
OK deraadt@ mvs@

add the kernel side of net.link.ifrxq.pressure_return and pressure_drop

these values are used as the backpressure thresholds in the interface
rx q processing code. theyre being exposed as tunables to userland
while we are figuring out what the best values for them are.

ok visa@ deraadt@

Replace value with a constant

OK bluhm@, jca@

Constify protocol tables and remove an assert now that ip_deliver() is
mp-safe.

ok bluhm@, visa@

Move NET_{,UN}LOCK into individual slowtimo functions.

Direction suggested by mpi

OK mpi, visa

Reduces the scope of the NET_LOCK() in sysctl(2) path.

Exposes per-CPU counters to real parrallelism.

ok visa@, bluhm@, jca@

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@

Kill option KEY, it is a useless knob, nobody uses pfkeyv2 without IPSEC or
tcp md5. OK mpi@

Convert a splsoftnet()/splx() dance to NET_ASSERT_LOCKED().

pfctlinput() is only called in the input path with the NET_LOCK() held.

ok bluhm@

Retire the AF_MPLS protosw struct. Nothing is using it and the code was super
basic anyway. Simplifies the code a lot also by calling the mpls sysctl no
longer via the protosw but instead directly.
OK mpi@ on a previous diff. Also tested by renato@ who actually found a bug
which is now fixed.

Grab the NET_LOCK() in so{s,g}etopt(), pffasttimo() and pfslowtimo().

ok rzalamena@, bluhm@

A NET_LOCK() was is missing in tcp_sysctl() which shows up as spl
softnet assert failures. It is better to place the lock into
net_sysctl() where all the protocol sysctls are called via pr_sysctl.
As calling sysctl(2) is in the slow path, doing fine grained locking
has no benefit. Many sysctl cases copy out a struct. Having a
lock around that keeps the struct consistent. Put assertions in
the protocol sysctls that need it.
OK mpi@

Enforce that pr_ctlinput, pr_slowtimo and pr_fasttimo are called
at IPL_SOFTNET.

This will allow us to keep locking simple as soon as we trade
splsoftnet() for a rwlock.

ok bluhm@

replace the XXX next to setting link_maxhdr with an explanation

the XXX has been there since 1.1, even back in netbsd, and im too
lazy to go back further to try and see why it is there. either way
it is meaningless.

suggested by mikeb@ and mpi@

bump link_maxhdr up from 16 to 64

link_maxhdr is best explained as the space reserved before an ip
packet payload for link headers, the most common of which is ethernet.
16 was a good choice when the only traffic we really did was ip
over ethernet, but now there are commonly used transports that are
bigger, specifically 802.11 traffic and vlan/vlan encapsulations,
that justify bumping it up.

i chose 64 because it would also allow enough space for encapsulations
like etherip or gif.

this reduces the size of the smallest packet that can fit into an
mbuf before more storage needs to be suffixed, but because most
traffic is either full sized (ie, already bigger than a single mbuf)
or tiny packets (think tcp ACKS, keystrokes over ssh, or dns requests)
the impact is negligible.

ok stsp@ mpi@ sthen@ mikeb@

Make every subsystem using a radix tree call rn_init() and pass the
length of the key as argument.

This way every consumer of the radix tree has a chance to explicitly
initialize the shared data structures and no longer rely on another
subsystem to do the initialization.

As a bonus ``dom_maxrtkey'' is no longer used an die.

ART kernels should now be fully usable because pf(4) and IPSEC properly
initialized the radix tree.

ok chris@, reyk@

Use a global table for domains instead of building a list at run time.

As a side effect there's no need to run if_attachdomain() after the
list of domains has been built.

ok claudio@, reyk@

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@

unifdef INET

remove uneeded proc.h includes
ok mpi@ kspillner@

"It's not the years, honey; it's the mileage."

bluetooth support doesn't work and isn't going anywhere. the current
design is a dead end, and should not be the basis for any future support.
general consensus says to whack it so as to not mislead the unwary.

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis

lint is gone, and the 'lint' conditional was never in the implementation
namespace, so stop changing behavior when it's #defined

ok beck@ krw@

Remove max_datalen. It is only used once an can be replaced easily with
MHLEN - max_hdr in that place. OK mikeb@

tedu netnatm and ueagle(4).

ok mikeb@, sthen@, tedu@ (implied), doc bits ok jmc@

begone, fucking rotten appletalk shit. ok room

Include PIPEX in kernel by default. And add new sysctl variable
`net.pipex.enable' to enable PIPEX. By default, pipex is disabled
and it will not process packets from wire. Update man pages and
update HOWTO_PIPEX_NPPPD.txt for testers.

discussed with dlg@, ok deraadt@ mcbride@ claudio@

timeout_add -> timeout_add_msec

ok claudio@ krw@

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@

netstat statistics for pflow(4) via pseudo family

ok cluadio@ henning@

Import MPLS (Multi Protocol Label Switching)

MPLS support partly based on the (abandoned?) AYAME project.
Basic LSR (Label Switch Router) functionality is present, but not fully
functional yet.

It is currently possible to insert entries in the LIB (Label Information Base)
with route(8), but setting the operation type is not supported yet.

Imported to allow more people to work on this in the coming weeks.

ok claudio@ laurent@ dlg@

remove remaining IPX hooks. all inside #ifdef IPX, so no actual change

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo

nuke code that has been dead for so long that it stinks. claudio ok

bye bye netns

remove CCITT handling

First step in Bluetooth protocol stack support.

The code is adopted from the FreeBSD netgraph-based Bluetooth
implementation by Maksim Yevmenkin <m_evmenkin@yahoo.com> but
all netgraph glue was replaced with usual BSD network stack
hooks. This is a work in progress. Only HCI layer works for now,
L2CAP and RFCOMM are on the way.

Help in testing from many, ok markus@.

introduce pffinddomain(), to find a domain by family.
while here, fix some spacing, ansi, de-register, etc.

mostly from netbsd

tested & ok otto millert

remove special handling of PF_KEY in net_sysctl; ok deraadt

Kill more netiso ghosts.

ok millert@

use NULL for ptrs. parts from Joris Vink

sysctl knob for bpf tunables. some tips from canacar@
ok canacar@ deraadt@ mcbride@

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

Nuke a whole bunch of commons; ok tedu (still more to come *sigh*)

First round of __P removal in sys

branches: 1.12.2;
Replace inclusion of <vm/foo.h> with the correct <uvm/bar.h> when necessary.
(Look ma, I might have broken the tree)

NATM domain; stoklund@taxidriver.dk

Use new timeouts for pfslowtimo and pffasttimo.

branches: 1.9.2;
bring in KAME IPv6 code, dated 19991208.
replaces NRL IPv6 layer. reuses NRL pcb layer. no IPsec-on-v6 support.
see sys/netinet6/{TODO,IMPLEMENTATION} for more details.

GENERIC configuration should work fine as before. GENERIC.v6 works fine
as well, but you'll need KAME userland tools to play with IPv6 (will be
bringed into soon).

make option IPSEC imply option KEY

Disable encap domain.

ready for INET6 and KEY

Add AppleTalk.

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz

Add IPX support (#ifdef'ed, so no problems would arise).

From NetBSD: 960217 merge

branches: 1.1.1;
Initial revision

Backout sysctl(2) unlocking. Lock order issue was triggered in UVM
layer.

Revert ip_sysctl() unlocking. Lock order issue was triggered in UVM
layer.

Introduce temporary PR_MPSYSCTL flag to mark (*pr_sysctl)() handler MP
safe. We have may of them, so use flag instead of pushing kernel lock
within.

Unlock ip_sysctl(). Still take kernel lock within IPCTL_MRTSTATS case.
It looks like `mrtstat' protection is inconsistent, so keep locking as
it was. Since `mrtstat' are counters, it make sense to rework them into
per CPU counters with separate diffs.

Feedback and ok from bluhm@

Push kernel lock deep down to sys_sysctl(). At least network subset of
sysctl(8) MIBs relies on netlock or another locks and doesn't require
kernel lock, so unlock it. The protocols layer *_sysctl()s are left
under kernel lock and will be sequentially unlocked later.

ok bluhm@

remove unneeded includes in sys/kern
ok mpi@ miod@

As network features are not added dynamically, the domain structures
are constant. Having more const makes MP review easier. More
pointers are mapped read-only in the kernel image.
OK deraadt@ mvs@

Increase the default buffer space using on PF_UNIX sockets to 8k.
Additionally make the values tuneable via sysctl.
OK deraadt@ mvs@

add the kernel side of net.link.ifrxq.pressure_return and pressure_drop

these values are used as the backpressure thresholds in the interface
rx q processing code. theyre being exposed as tunables to userland
while we are figuring out what the best values for them are.

ok visa@ deraadt@

Replace value with a constant

OK bluhm@, jca@

Constify protocol tables and remove an assert now that ip_deliver() is
mp-safe.

ok bluhm@, visa@

Move NET_{,UN}LOCK into individual slowtimo functions.

Direction suggested by mpi

OK mpi, visa

Reduces the scope of the NET_LOCK() in sysctl(2) path.

Exposes per-CPU counters to real parrallelism.

ok visa@, bluhm@, jca@

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@

Kill option KEY, it is a useless knob, nobody uses pfkeyv2 without IPSEC or
tcp md5. OK mpi@

Convert a splsoftnet()/splx() dance to NET_ASSERT_LOCKED().

pfctlinput() is only called in the input path with the NET_LOCK() held.

ok bluhm@

Retire the AF_MPLS protosw struct. Nothing is using it and the code was super
basic anyway. Simplifies the code a lot also by calling the mpls sysctl no
longer via the protosw but instead directly.
OK mpi@ on a previous diff. Also tested by renato@ who actually found a bug
which is now fixed.

Grab the NET_LOCK() in so{s,g}etopt(), pffasttimo() and pfslowtimo().

ok rzalamena@, bluhm@

A NET_LOCK() was is missing in tcp_sysctl() which shows up as spl
softnet assert failures. It is better to place the lock into
net_sysctl() where all the protocol sysctls are called via pr_sysctl.
As calling sysctl(2) is in the slow path, doing fine grained locking
has no benefit. Many sysctl cases copy out a struct. Having a
lock around that keeps the struct consistent. Put assertions in
the protocol sysctls that need it.
OK mpi@

Enforce that pr_ctlinput, pr_slowtimo and pr_fasttimo are called
at IPL_SOFTNET.

This will allow us to keep locking simple as soon as we trade
splsoftnet() for a rwlock.

ok bluhm@

replace the XXX next to setting link_maxhdr with an explanation

the XXX has been there since 1.1, even back in netbsd, and im too
lazy to go back further to try and see why it is there. either way
it is meaningless.

suggested by mikeb@ and mpi@

bump link_maxhdr up from 16 to 64

link_maxhdr is best explained as the space reserved before an ip
packet payload for link headers, the most common of which is ethernet.
16 was a good choice when the only traffic we really did was ip
over ethernet, but now there are commonly used transports that are
bigger, specifically 802.11 traffic and vlan/vlan encapsulations,
that justify bumping it up.

i chose 64 because it would also allow enough space for encapsulations
like etherip or gif.

this reduces the size of the smallest packet that can fit into an
mbuf before more storage needs to be suffixed, but because most
traffic is either full sized (ie, already bigger than a single mbuf)
or tiny packets (think tcp ACKS, keystrokes over ssh, or dns requests)
the impact is negligible.

ok stsp@ mpi@ sthen@ mikeb@

Make every subsystem using a radix tree call rn_init() and pass the
length of the key as argument.

This way every consumer of the radix tree has a chance to explicitly
initialize the shared data structures and no longer rely on another
subsystem to do the initialization.

As a bonus ``dom_maxrtkey'' is no longer used an die.

ART kernels should now be fully usable because pf(4) and IPSEC properly
initialized the radix tree.

ok chris@, reyk@

Use a global table for domains instead of building a list at run time.

As a side effect there's no need to run if_attachdomain() after the
list of domains has been built.

ok claudio@, reyk@

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@

unifdef INET

remove uneeded proc.h includes
ok mpi@ kspillner@

"It's not the years, honey; it's the mileage."

bluetooth support doesn't work and isn't going anywhere. the current
design is a dead end, and should not be the basis for any future support.
general consensus says to whack it so as to not mislead the unwary.

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis

lint is gone, and the 'lint' conditional was never in the implementation
namespace, so stop changing behavior when it's #defined

ok beck@ krw@

Remove max_datalen. It is only used once an can be replaced easily with
MHLEN - max_hdr in that place. OK mikeb@

tedu netnatm and ueagle(4).

ok mikeb@, sthen@, tedu@ (implied), doc bits ok jmc@

begone, fucking rotten appletalk shit. ok room

Include PIPEX in kernel by default. And add new sysctl variable
`net.pipex.enable' to enable PIPEX. By default, pipex is disabled
and it will not process packets from wire. Update man pages and
update HOWTO_PIPEX_NPPPD.txt for testers.

discussed with dlg@, ok deraadt@ mcbride@ claudio@

timeout_add -> timeout_add_msec

ok claudio@ krw@

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@

netstat statistics for pflow(4) via pseudo family

ok cluadio@ henning@

Import MPLS (Multi Protocol Label Switching)

MPLS support partly based on the (abandoned?) AYAME project.
Basic LSR (Label Switch Router) functionality is present, but not fully
functional yet.

It is currently possible to insert entries in the LIB (Label Information Base)
with route(8), but setting the operation type is not supported yet.

Imported to allow more people to work on this in the coming weeks.

ok claudio@ laurent@ dlg@

remove remaining IPX hooks. all inside #ifdef IPX, so no actual change

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo

nuke code that has been dead for so long that it stinks. claudio ok

bye bye netns

remove CCITT handling

First step in Bluetooth protocol stack support.

The code is adopted from the FreeBSD netgraph-based Bluetooth
implementation by Maksim Yevmenkin <m_evmenkin@yahoo.com> but
all netgraph glue was replaced with usual BSD network stack
hooks. This is a work in progress. Only HCI layer works for now,
L2CAP and RFCOMM are on the way.

Help in testing from many, ok markus@.

introduce pffinddomain(), to find a domain by family.
while here, fix some spacing, ansi, de-register, etc.

mostly from netbsd

tested & ok otto millert

remove special handling of PF_KEY in net_sysctl; ok deraadt

Kill more netiso ghosts.

ok millert@

use NULL for ptrs. parts from Joris Vink

sysctl knob for bpf tunables. some tips from canacar@
ok canacar@ deraadt@ mcbride@

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

Nuke a whole bunch of commons; ok tedu (still more to come *sigh*)

First round of __P removal in sys

branches: 1.12.2;
Replace inclusion of <vm/foo.h> with the correct <uvm/bar.h> when necessary.
(Look ma, I might have broken the tree)

NATM domain; stoklund@taxidriver.dk

Use new timeouts for pfslowtimo and pffasttimo.

branches: 1.9.2;
bring in KAME IPv6 code, dated 19991208.
replaces NRL IPv6 layer. reuses NRL pcb layer. no IPsec-on-v6 support.
see sys/netinet6/{TODO,IMPLEMENTATION} for more details.

GENERIC configuration should work fine as before. GENERIC.v6 works fine
as well, but you'll need KAME userland tools to play with IPv6 (will be
bringed into soon).

make option IPSEC imply option KEY

Disable encap domain.

ready for INET6 and KEY

Add AppleTalk.

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz

Add IPX support (#ifdef'ed, so no problems would arise).

From NetBSD: 960217 merge

branches: 1.1.1;
Initial revision

remove unneeded includes in sys/kern
ok mpi@ miod@

As network features are not added dynamically, the domain structures
are constant. Having more const makes MP review easier. More
pointers are mapped read-only in the kernel image.
OK deraadt@ mvs@

Increase the default buffer space using on PF_UNIX sockets to 8k.
Additionally make the values tuneable via sysctl.
OK deraadt@ mvs@

add the kernel side of net.link.ifrxq.pressure_return and pressure_drop

these values are used as the backpressure thresholds in the interface
rx q processing code. theyre being exposed as tunables to userland
while we are figuring out what the best values for them are.

ok visa@ deraadt@

Replace value with a constant

OK bluhm@, jca@

Constify protocol tables and remove an assert now that ip_deliver() is
mp-safe.

ok bluhm@, visa@

Move NET_{,UN}LOCK into individual slowtimo functions.

Direction suggested by mpi

OK mpi, visa

Reduces the scope of the NET_LOCK() in sysctl(2) path.

Exposes per-CPU counters to real parrallelism.

ok visa@, bluhm@, jca@

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@

Kill option KEY, it is a useless knob, nobody uses pfkeyv2 without IPSEC or
tcp md5. OK mpi@

Convert a splsoftnet()/splx() dance to NET_ASSERT_LOCKED().

pfctlinput() is only called in the input path with the NET_LOCK() held.

ok bluhm@

Retire the AF_MPLS protosw struct. Nothing is using it and the code was super
basic anyway. Simplifies the code a lot also by calling the mpls sysctl no
longer via the protosw but instead directly.
OK mpi@ on a previous diff. Also tested by renato@ who actually found a bug
which is now fixed.

Grab the NET_LOCK() in so{s,g}etopt(), pffasttimo() and pfslowtimo().

ok rzalamena@, bluhm@

A NET_LOCK() was is missing in tcp_sysctl() which shows up as spl
softnet assert failures. It is better to place the lock into
net_sysctl() where all the protocol sysctls are called via pr_sysctl.
As calling sysctl(2) is in the slow path, doing fine grained locking
has no benefit. Many sysctl cases copy out a struct. Having a
lock around that keeps the struct consistent. Put assertions in
the protocol sysctls that need it.
OK mpi@

Enforce that pr_ctlinput, pr_slowtimo and pr_fasttimo are called
at IPL_SOFTNET.

This will allow us to keep locking simple as soon as we trade
splsoftnet() for a rwlock.

ok bluhm@

replace the XXX next to setting link_maxhdr with an explanation

the XXX has been there since 1.1, even back in netbsd, and im too
lazy to go back further to try and see why it is there. either way
it is meaningless.

suggested by mikeb@ and mpi@

bump link_maxhdr up from 16 to 64

link_maxhdr is best explained as the space reserved before an ip
packet payload for link headers, the most common of which is ethernet.
16 was a good choice when the only traffic we really did was ip
over ethernet, but now there are commonly used transports that are
bigger, specifically 802.11 traffic and vlan/vlan encapsulations,
that justify bumping it up.

i chose 64 because it would also allow enough space for encapsulations
like etherip or gif.

this reduces the size of the smallest packet that can fit into an
mbuf before more storage needs to be suffixed, but because most
traffic is either full sized (ie, already bigger than a single mbuf)
or tiny packets (think tcp ACKS, keystrokes over ssh, or dns requests)
the impact is negligible.

ok stsp@ mpi@ sthen@ mikeb@

Make every subsystem using a radix tree call rn_init() and pass the
length of the key as argument.

This way every consumer of the radix tree has a chance to explicitly
initialize the shared data structures and no longer rely on another
subsystem to do the initialization.

As a bonus ``dom_maxrtkey'' is no longer used an die.

ART kernels should now be fully usable because pf(4) and IPSEC properly
initialized the radix tree.

ok chris@, reyk@

Use a global table for domains instead of building a list at run time.

As a side effect there's no need to run if_attachdomain() after the
list of domains has been built.

ok claudio@, reyk@

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@

unifdef INET

remove uneeded proc.h includes
ok mpi@ kspillner@

"It's not the years, honey; it's the mileage."

bluetooth support doesn't work and isn't going anywhere. the current
design is a dead end, and should not be the basis for any future support.
general consensus says to whack it so as to not mislead the unwary.

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis

lint is gone, and the 'lint' conditional was never in the implementation
namespace, so stop changing behavior when it's #defined

ok beck@ krw@

Remove max_datalen. It is only used once an can be replaced easily with
MHLEN - max_hdr in that place. OK mikeb@

tedu netnatm and ueagle(4).

ok mikeb@, sthen@, tedu@ (implied), doc bits ok jmc@

begone, fucking rotten appletalk shit. ok room

Include PIPEX in kernel by default. And add new sysctl variable
`net.pipex.enable' to enable PIPEX. By default, pipex is disabled
and it will not process packets from wire. Update man pages and
update HOWTO_PIPEX_NPPPD.txt for testers.

discussed with dlg@, ok deraadt@ mcbride@ claudio@

timeout_add -> timeout_add_msec

ok claudio@ krw@

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@

netstat statistics for pflow(4) via pseudo family

ok cluadio@ henning@

Import MPLS (Multi Protocol Label Switching)

MPLS support partly based on the (abandoned?) AYAME project.
Basic LSR (Label Switch Router) functionality is present, but not fully
functional yet.

It is currently possible to insert entries in the LIB (Label Information Base)
with route(8), but setting the operation type is not supported yet.

Imported to allow more people to work on this in the coming weeks.

ok claudio@ laurent@ dlg@

remove remaining IPX hooks. all inside #ifdef IPX, so no actual change

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo

nuke code that has been dead for so long that it stinks. claudio ok

bye bye netns

remove CCITT handling

First step in Bluetooth protocol stack support.

The code is adopted from the FreeBSD netgraph-based Bluetooth
implementation by Maksim Yevmenkin <m_evmenkin@yahoo.com> but
all netgraph glue was replaced with usual BSD network stack
hooks. This is a work in progress. Only HCI layer works for now,
L2CAP and RFCOMM are on the way.

Help in testing from many, ok markus@.

introduce pffinddomain(), to find a domain by family.
while here, fix some spacing, ansi, de-register, etc.

mostly from netbsd

tested & ok otto millert

remove special handling of PF_KEY in net_sysctl; ok deraadt

Kill more netiso ghosts.

ok millert@

use NULL for ptrs. parts from Joris Vink

sysctl knob for bpf tunables. some tips from canacar@
ok canacar@ deraadt@ mcbride@

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

Nuke a whole bunch of commons; ok tedu (still more to come *sigh*)

First round of __P removal in sys

branches: 1.12.2;
Replace inclusion of <vm/foo.h> with the correct <uvm/bar.h> when necessary.
(Look ma, I might have broken the tree)

NATM domain; stoklund@taxidriver.dk

Use new timeouts for pfslowtimo and pffasttimo.

branches: 1.9.2;
bring in KAME IPv6 code, dated 19991208.
replaces NRL IPv6 layer. reuses NRL pcb layer. no IPsec-on-v6 support.
see sys/netinet6/{TODO,IMPLEMENTATION} for more details.

GENERIC configuration should work fine as before. GENERIC.v6 works fine
as well, but you'll need KAME userland tools to play with IPv6 (will be
bringed into soon).

make option IPSEC imply option KEY

Disable encap domain.

ready for INET6 and KEY

Add AppleTalk.

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz

Add IPX support (#ifdef'ed, so no problems would arise).

From NetBSD: 960217 merge

branches: 1.1.1;
Initial revision

As network features are not added dynamically, the domain structures
are constant. Having more const makes MP review easier. More
pointers are mapped read-only in the kernel image.
OK deraadt@ mvs@

Increase the default buffer space using on PF_UNIX sockets to 8k.
Additionally make the values tuneable via sysctl.
OK deraadt@ mvs@

add the kernel side of net.link.ifrxq.pressure_return and pressure_drop

these values are used as the backpressure thresholds in the interface
rx q processing code. theyre being exposed as tunables to userland
while we are figuring out what the best values for them are.

ok visa@ deraadt@

Replace value with a constant

OK bluhm@, jca@

Constify protocol tables and remove an assert now that ip_deliver() is
mp-safe.

ok bluhm@, visa@

Move NET_{,UN}LOCK into individual slowtimo functions.

Direction suggested by mpi

OK mpi, visa

Reduces the scope of the NET_LOCK() in sysctl(2) path.

Exposes per-CPU counters to real parrallelism.

ok visa@, bluhm@, jca@

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@

Kill option KEY, it is a useless knob, nobody uses pfkeyv2 without IPSEC or
tcp md5. OK mpi@

Convert a splsoftnet()/splx() dance to NET_ASSERT_LOCKED().

pfctlinput() is only called in the input path with the NET_LOCK() held.

ok bluhm@

Retire the AF_MPLS protosw struct. Nothing is using it and the code was super
basic anyway. Simplifies the code a lot also by calling the mpls sysctl no
longer via the protosw but instead directly.
OK mpi@ on a previous diff. Also tested by renato@ who actually found a bug
which is now fixed.

Grab the NET_LOCK() in so{s,g}etopt(), pffasttimo() and pfslowtimo().

ok rzalamena@, bluhm@

A NET_LOCK() was is missing in tcp_sysctl() which shows up as spl
softnet assert failures. It is better to place the lock into
net_sysctl() where all the protocol sysctls are called via pr_sysctl.
As calling sysctl(2) is in the slow path, doing fine grained locking
has no benefit. Many sysctl cases copy out a struct. Having a
lock around that keeps the struct consistent. Put assertions in
the protocol sysctls that need it.
OK mpi@

Enforce that pr_ctlinput, pr_slowtimo and pr_fasttimo are called
at IPL_SOFTNET.

This will allow us to keep locking simple as soon as we trade
splsoftnet() for a rwlock.

ok bluhm@

replace the XXX next to setting link_maxhdr with an explanation

the XXX has been there since 1.1, even back in netbsd, and im too
lazy to go back further to try and see why it is there. either way
it is meaningless.

suggested by mikeb@ and mpi@

bump link_maxhdr up from 16 to 64

link_maxhdr is best explained as the space reserved before an ip
packet payload for link headers, the most common of which is ethernet.
16 was a good choice when the only traffic we really did was ip
over ethernet, but now there are commonly used transports that are
bigger, specifically 802.11 traffic and vlan/vlan encapsulations,
that justify bumping it up.

i chose 64 because it would also allow enough space for encapsulations
like etherip or gif.

this reduces the size of the smallest packet that can fit into an
mbuf before more storage needs to be suffixed, but because most
traffic is either full sized (ie, already bigger than a single mbuf)
or tiny packets (think tcp ACKS, keystrokes over ssh, or dns requests)
the impact is negligible.

ok stsp@ mpi@ sthen@ mikeb@

Make every subsystem using a radix tree call rn_init() and pass the
length of the key as argument.

This way every consumer of the radix tree has a chance to explicitly
initialize the shared data structures and no longer rely on another
subsystem to do the initialization.

As a bonus ``dom_maxrtkey'' is no longer used an die.

ART kernels should now be fully usable because pf(4) and IPSEC properly
initialized the radix tree.

ok chris@, reyk@

Use a global table for domains instead of building a list at run time.

As a side effect there's no need to run if_attachdomain() after the
list of domains has been built.

ok claudio@, reyk@

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@

unifdef INET

remove uneeded proc.h includes
ok mpi@ kspillner@

"It's not the years, honey; it's the mileage."

bluetooth support doesn't work and isn't going anywhere. the current
design is a dead end, and should not be the basis for any future support.
general consensus says to whack it so as to not mislead the unwary.

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis

lint is gone, and the 'lint' conditional was never in the implementation
namespace, so stop changing behavior when it's #defined

ok beck@ krw@

Remove max_datalen. It is only used once an can be replaced easily with
MHLEN - max_hdr in that place. OK mikeb@

tedu netnatm and ueagle(4).

ok mikeb@, sthen@, tedu@ (implied), doc bits ok jmc@

begone, fucking rotten appletalk shit. ok room

Include PIPEX in kernel by default. And add new sysctl variable
`net.pipex.enable' to enable PIPEX. By default, pipex is disabled
and it will not process packets from wire. Update man pages and
update HOWTO_PIPEX_NPPPD.txt for testers.

discussed with dlg@, ok deraadt@ mcbride@ claudio@

timeout_add -> timeout_add_msec

ok claudio@ krw@

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@

netstat statistics for pflow(4) via pseudo family

ok cluadio@ henning@

Import MPLS (Multi Protocol Label Switching)

MPLS support partly based on the (abandoned?) AYAME project.
Basic LSR (Label Switch Router) functionality is present, but not fully
functional yet.

It is currently possible to insert entries in the LIB (Label Information Base)
with route(8), but setting the operation type is not supported yet.

Imported to allow more people to work on this in the coming weeks.

ok claudio@ laurent@ dlg@

remove remaining IPX hooks. all inside #ifdef IPX, so no actual change

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo

nuke code that has been dead for so long that it stinks. claudio ok

bye bye netns

remove CCITT handling

First step in Bluetooth protocol stack support.

The code is adopted from the FreeBSD netgraph-based Bluetooth
implementation by Maksim Yevmenkin <m_evmenkin@yahoo.com> but
all netgraph glue was replaced with usual BSD network stack
hooks. This is a work in progress. Only HCI layer works for now,
L2CAP and RFCOMM are on the way.

Help in testing from many, ok markus@.

introduce pffinddomain(), to find a domain by family.
while here, fix some spacing, ansi, de-register, etc.

mostly from netbsd

tested & ok otto millert

remove special handling of PF_KEY in net_sysctl; ok deraadt

Kill more netiso ghosts.

ok millert@

use NULL for ptrs. parts from Joris Vink

sysctl knob for bpf tunables. some tips from canacar@
ok canacar@ deraadt@ mcbride@

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

Nuke a whole bunch of commons; ok tedu (still more to come *sigh*)

First round of __P removal in sys

branches: 1.12.2;
Replace inclusion of <vm/foo.h> with the correct <uvm/bar.h> when necessary.
(Look ma, I might have broken the tree)

NATM domain; stoklund@taxidriver.dk

Use new timeouts for pfslowtimo and pffasttimo.

branches: 1.9.2;
bring in KAME IPv6 code, dated 19991208.
replaces NRL IPv6 layer. reuses NRL pcb layer. no IPsec-on-v6 support.
see sys/netinet6/{TODO,IMPLEMENTATION} for more details.

GENERIC configuration should work fine as before. GENERIC.v6 works fine
as well, but you'll need KAME userland tools to play with IPv6 (will be
bringed into soon).

make option IPSEC imply option KEY

Disable encap domain.

ready for INET6 and KEY

Add AppleTalk.

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz

Add IPX support (#ifdef'ed, so no problems would arise).

From NetBSD: 960217 merge

branches: 1.1.1;
Initial revision

Increase the default buffer space using on PF_UNIX sockets to 8k.
Additionally make the values tuneable via sysctl.
OK deraadt@ mvs@

add the kernel side of net.link.ifrxq.pressure_return and pressure_drop

these values are used as the backpressure thresholds in the interface
rx q processing code. theyre being exposed as tunables to userland
while we are figuring out what the best values for them are.

ok visa@ deraadt@

Replace value with a constant

OK bluhm@, jca@

Constify protocol tables and remove an assert now that ip_deliver() is
mp-safe.

ok bluhm@, visa@

Move NET_{,UN}LOCK into individual slowtimo functions.

Direction suggested by mpi

OK mpi, visa

Reduces the scope of the NET_LOCK() in sysctl(2) path.

Exposes per-CPU counters to real parrallelism.

ok visa@, bluhm@, jca@

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@

Kill option KEY, it is a useless knob, nobody uses pfkeyv2 without IPSEC or
tcp md5. OK mpi@

Convert a splsoftnet()/splx() dance to NET_ASSERT_LOCKED().

pfctlinput() is only called in the input path with the NET_LOCK() held.

ok bluhm@

Retire the AF_MPLS protosw struct. Nothing is using it and the code was super
basic anyway. Simplifies the code a lot also by calling the mpls sysctl no
longer via the protosw but instead directly.
OK mpi@ on a previous diff. Also tested by renato@ who actually found a bug
which is now fixed.

Grab the NET_LOCK() in so{s,g}etopt(), pffasttimo() and pfslowtimo().

ok rzalamena@, bluhm@

A NET_LOCK() was is missing in tcp_sysctl() which shows up as spl
softnet assert failures. It is better to place the lock into
net_sysctl() where all the protocol sysctls are called via pr_sysctl.
As calling sysctl(2) is in the slow path, doing fine grained locking
has no benefit. Many sysctl cases copy out a struct. Having a
lock around that keeps the struct consistent. Put assertions in
the protocol sysctls that need it.
OK mpi@

Enforce that pr_ctlinput, pr_slowtimo and pr_fasttimo are called
at IPL_SOFTNET.

This will allow us to keep locking simple as soon as we trade
splsoftnet() for a rwlock.

ok bluhm@

replace the XXX next to setting link_maxhdr with an explanation

the XXX has been there since 1.1, even back in netbsd, and im too
lazy to go back further to try and see why it is there. either way
it is meaningless.

suggested by mikeb@ and mpi@

bump link_maxhdr up from 16 to 64

link_maxhdr is best explained as the space reserved before an ip
packet payload for link headers, the most common of which is ethernet.
16 was a good choice when the only traffic we really did was ip
over ethernet, but now there are commonly used transports that are
bigger, specifically 802.11 traffic and vlan/vlan encapsulations,
that justify bumping it up.

i chose 64 because it would also allow enough space for encapsulations
like etherip or gif.

this reduces the size of the smallest packet that can fit into an
mbuf before more storage needs to be suffixed, but because most
traffic is either full sized (ie, already bigger than a single mbuf)
or tiny packets (think tcp ACKS, keystrokes over ssh, or dns requests)
the impact is negligible.

ok stsp@ mpi@ sthen@ mikeb@

Make every subsystem using a radix tree call rn_init() and pass the
length of the key as argument.

This way every consumer of the radix tree has a chance to explicitly
initialize the shared data structures and no longer rely on another
subsystem to do the initialization.

As a bonus ``dom_maxrtkey'' is no longer used an die.

ART kernels should now be fully usable because pf(4) and IPSEC properly
initialized the radix tree.

ok chris@, reyk@

Use a global table for domains instead of building a list at run time.

As a side effect there's no need to run if_attachdomain() after the
list of domains has been built.

ok claudio@, reyk@

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@

unifdef INET

remove uneeded proc.h includes
ok mpi@ kspillner@

"It's not the years, honey; it's the mileage."

bluetooth support doesn't work and isn't going anywhere. the current
design is a dead end, and should not be the basis for any future support.
general consensus says to whack it so as to not mislead the unwary.

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis

lint is gone, and the 'lint' conditional was never in the implementation
namespace, so stop changing behavior when it's #defined

ok beck@ krw@

Remove max_datalen. It is only used once an can be replaced easily with
MHLEN - max_hdr in that place. OK mikeb@

tedu netnatm and ueagle(4).

ok mikeb@, sthen@, tedu@ (implied), doc bits ok jmc@

begone, fucking rotten appletalk shit. ok room

Include PIPEX in kernel by default. And add new sysctl variable
`net.pipex.enable' to enable PIPEX. By default, pipex is disabled
and it will not process packets from wire. Update man pages and
update HOWTO_PIPEX_NPPPD.txt for testers.

discussed with dlg@, ok deraadt@ mcbride@ claudio@

timeout_add -> timeout_add_msec

ok claudio@ krw@

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@

netstat statistics for pflow(4) via pseudo family

ok cluadio@ henning@

Import MPLS (Multi Protocol Label Switching)

MPLS support partly based on the (abandoned?) AYAME project.
Basic LSR (Label Switch Router) functionality is present, but not fully
functional yet.

It is currently possible to insert entries in the LIB (Label Information Base)
with route(8), but setting the operation type is not supported yet.

Imported to allow more people to work on this in the coming weeks.

ok claudio@ laurent@ dlg@

remove remaining IPX hooks. all inside #ifdef IPX, so no actual change

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo

nuke code that has been dead for so long that it stinks. claudio ok

bye bye netns

remove CCITT handling

First step in Bluetooth protocol stack support.

The code is adopted from the FreeBSD netgraph-based Bluetooth
implementation by Maksim Yevmenkin <m_evmenkin@yahoo.com> but
all netgraph glue was replaced with usual BSD network stack
hooks. This is a work in progress. Only HCI layer works for now,
L2CAP and RFCOMM are on the way.

Help in testing from many, ok markus@.

introduce pffinddomain(), to find a domain by family.
while here, fix some spacing, ansi, de-register, etc.

mostly from netbsd

tested & ok otto millert

remove special handling of PF_KEY in net_sysctl; ok deraadt

Kill more netiso ghosts.

ok millert@

use NULL for ptrs. parts from Joris Vink

sysctl knob for bpf tunables. some tips from canacar@
ok canacar@ deraadt@ mcbride@

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

Nuke a whole bunch of commons; ok tedu (still more to come *sigh*)

First round of __P removal in sys

branches: 1.12.2;
Replace inclusion of <vm/foo.h> with the correct <uvm/bar.h> when necessary.
(Look ma, I might have broken the tree)

NATM domain; stoklund@taxidriver.dk

Use new timeouts for pfslowtimo and pffasttimo.

branches: 1.9.2;
bring in KAME IPv6 code, dated 19991208.
replaces NRL IPv6 layer. reuses NRL pcb layer. no IPsec-on-v6 support.
see sys/netinet6/{TODO,IMPLEMENTATION} for more details.

GENERIC configuration should work fine as before. GENERIC.v6 works fine
as well, but you'll need KAME userland tools to play with IPv6 (will be
bringed into soon).

make option IPSEC imply option KEY

Disable encap domain.

ready for INET6 and KEY

Add AppleTalk.

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz

Add IPX support (#ifdef'ed, so no problems would arise).

From NetBSD: 960217 merge

branches: 1.1.1;
Initial revision

add the kernel side of net.link.ifrxq.pressure_return and pressure_drop

these values are used as the backpressure thresholds in the interface
rx q processing code. theyre being exposed as tunables to userland
while we are figuring out what the best values for them are.

ok visa@ deraadt@

Replace value with a constant

OK bluhm@, jca@

Constify protocol tables and remove an assert now that ip_deliver() is
mp-safe.

ok bluhm@, visa@

Move NET_{,UN}LOCK into individual slowtimo functions.

Direction suggested by mpi

OK mpi, visa

Reduces the scope of the NET_LOCK() in sysctl(2) path.

Exposes per-CPU counters to real parrallelism.

ok visa@, bluhm@, jca@

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@

Kill option KEY, it is a useless knob, nobody uses pfkeyv2 without IPSEC or
tcp md5. OK mpi@

Convert a splsoftnet()/splx() dance to NET_ASSERT_LOCKED().

pfctlinput() is only called in the input path with the NET_LOCK() held.

ok bluhm@

Retire the AF_MPLS protosw struct. Nothing is using it and the code was super
basic anyway. Simplifies the code a lot also by calling the mpls sysctl no
longer via the protosw but instead directly.
OK mpi@ on a previous diff. Also tested by renato@ who actually found a bug
which is now fixed.

Grab the NET_LOCK() in so{s,g}etopt(), pffasttimo() and pfslowtimo().

ok rzalamena@, bluhm@

A NET_LOCK() was is missing in tcp_sysctl() which shows up as spl
softnet assert failures. It is better to place the lock into
net_sysctl() where all the protocol sysctls are called via pr_sysctl.
As calling sysctl(2) is in the slow path, doing fine grained locking
has no benefit. Many sysctl cases copy out a struct. Having a
lock around that keeps the struct consistent. Put assertions in
the protocol sysctls that need it.
OK mpi@

Enforce that pr_ctlinput, pr_slowtimo and pr_fasttimo are called
at IPL_SOFTNET.

This will allow us to keep locking simple as soon as we trade
splsoftnet() for a rwlock.

ok bluhm@

replace the XXX next to setting link_maxhdr with an explanation

the XXX has been there since 1.1, even back in netbsd, and im too
lazy to go back further to try and see why it is there. either way
it is meaningless.

suggested by mikeb@ and mpi@

bump link_maxhdr up from 16 to 64

link_maxhdr is best explained as the space reserved before an ip
packet payload for link headers, the most common of which is ethernet.
16 was a good choice when the only traffic we really did was ip
over ethernet, but now there are commonly used transports that are
bigger, specifically 802.11 traffic and vlan/vlan encapsulations,
that justify bumping it up.

i chose 64 because it would also allow enough space for encapsulations
like etherip or gif.

this reduces the size of the smallest packet that can fit into an
mbuf before more storage needs to be suffixed, but because most
traffic is either full sized (ie, already bigger than a single mbuf)
or tiny packets (think tcp ACKS, keystrokes over ssh, or dns requests)
the impact is negligible.

ok stsp@ mpi@ sthen@ mikeb@

Make every subsystem using a radix tree call rn_init() and pass the
length of the key as argument.

This way every consumer of the radix tree has a chance to explicitly
initialize the shared data structures and no longer rely on another
subsystem to do the initialization.

As a bonus ``dom_maxrtkey'' is no longer used an die.

ART kernels should now be fully usable because pf(4) and IPSEC properly
initialized the radix tree.

ok chris@, reyk@

Use a global table for domains instead of building a list at run time.

As a side effect there's no need to run if_attachdomain() after the
list of domains has been built.

ok claudio@, reyk@

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@

unifdef INET

remove uneeded proc.h includes
ok mpi@ kspillner@

"It's not the years, honey; it's the mileage."

bluetooth support doesn't work and isn't going anywhere. the current
design is a dead end, and should not be the basis for any future support.
general consensus says to whack it so as to not mislead the unwary.

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis

lint is gone, and the 'lint' conditional was never in the implementation
namespace, so stop changing behavior when it's #defined

ok beck@ krw@

Remove max_datalen. It is only used once an can be replaced easily with
MHLEN - max_hdr in that place. OK mikeb@

tedu netnatm and ueagle(4).

ok mikeb@, sthen@, tedu@ (implied), doc bits ok jmc@

begone, fucking rotten appletalk shit. ok room

Include PIPEX in kernel by default. And add new sysctl variable
`net.pipex.enable' to enable PIPEX. By default, pipex is disabled
and it will not process packets from wire. Update man pages and
update HOWTO_PIPEX_NPPPD.txt for testers.

discussed with dlg@, ok deraadt@ mcbride@ claudio@

timeout_add -> timeout_add_msec

ok claudio@ krw@

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@

netstat statistics for pflow(4) via pseudo family

ok cluadio@ henning@

Import MPLS (Multi Protocol Label Switching)

MPLS support partly based on the (abandoned?) AYAME project.
Basic LSR (Label Switch Router) functionality is present, but not fully
functional yet.

It is currently possible to insert entries in the LIB (Label Information Base)
with route(8), but setting the operation type is not supported yet.

Imported to allow more people to work on this in the coming weeks.

ok claudio@ laurent@ dlg@

remove remaining IPX hooks. all inside #ifdef IPX, so no actual change

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo

nuke code that has been dead for so long that it stinks. claudio ok

bye bye netns

remove CCITT handling

First step in Bluetooth protocol stack support.

The code is adopted from the FreeBSD netgraph-based Bluetooth
implementation by Maksim Yevmenkin <m_evmenkin@yahoo.com> but
all netgraph glue was replaced with usual BSD network stack
hooks. This is a work in progress. Only HCI layer works for now,
L2CAP and RFCOMM are on the way.

Help in testing from many, ok markus@.

introduce pffinddomain(), to find a domain by family.
while here, fix some spacing, ansi, de-register, etc.

mostly from netbsd

tested & ok otto millert

remove special handling of PF_KEY in net_sysctl; ok deraadt

Kill more netiso ghosts.

ok millert@

use NULL for ptrs. parts from Joris Vink

sysctl knob for bpf tunables. some tips from canacar@
ok canacar@ deraadt@ mcbride@

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

Nuke a whole bunch of commons; ok tedu (still more to come *sigh*)

First round of __P removal in sys

branches: 1.12.2;
Replace inclusion of <vm/foo.h> with the correct <uvm/bar.h> when necessary.
(Look ma, I might have broken the tree)

NATM domain; stoklund@taxidriver.dk

Use new timeouts for pfslowtimo and pffasttimo.

branches: 1.9.2;
bring in KAME IPv6 code, dated 19991208.
replaces NRL IPv6 layer. reuses NRL pcb layer. no IPsec-on-v6 support.
see sys/netinet6/{TODO,IMPLEMENTATION} for more details.

GENERIC configuration should work fine as before. GENERIC.v6 works fine
as well, but you'll need KAME userland tools to play with IPv6 (will be
bringed into soon).

make option IPSEC imply option KEY

Disable encap domain.

ready for INET6 and KEY

Add AppleTalk.

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz

Add IPX support (#ifdef'ed, so no problems would arise).

From NetBSD: 960217 merge

branches: 1.1.1;
Initial revision

Replace value with a constant

OK bluhm@, jca@

Constify protocol tables and remove an assert now that ip_deliver() is
mp-safe.

ok bluhm@, visa@

Move NET_{,UN}LOCK into individual slowtimo functions.

Direction suggested by mpi

OK mpi, visa

Reduces the scope of the NET_LOCK() in sysctl(2) path.

Exposes per-CPU counters to real parrallelism.

ok visa@, bluhm@, jca@

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@

Kill option KEY, it is a useless knob, nobody uses pfkeyv2 without IPSEC or
tcp md5. OK mpi@

Convert a splsoftnet()/splx() dance to NET_ASSERT_LOCKED().

pfctlinput() is only called in the input path with the NET_LOCK() held.

ok bluhm@

Retire the AF_MPLS protosw struct. Nothing is using it and the code was super
basic anyway. Simplifies the code a lot also by calling the mpls sysctl no
longer via the protosw but instead directly.
OK mpi@ on a previous diff. Also tested by renato@ who actually found a bug
which is now fixed.

Grab the NET_LOCK() in so{s,g}etopt(), pffasttimo() and pfslowtimo().

ok rzalamena@, bluhm@

A NET_LOCK() was is missing in tcp_sysctl() which shows up as spl
softnet assert failures. It is better to place the lock into
net_sysctl() where all the protocol sysctls are called via pr_sysctl.
As calling sysctl(2) is in the slow path, doing fine grained locking
has no benefit. Many sysctl cases copy out a struct. Having a
lock around that keeps the struct consistent. Put assertions in
the protocol sysctls that need it.
OK mpi@

Enforce that pr_ctlinput, pr_slowtimo and pr_fasttimo are called
at IPL_SOFTNET.

This will allow us to keep locking simple as soon as we trade
splsoftnet() for a rwlock.

ok bluhm@

replace the XXX next to setting link_maxhdr with an explanation

the XXX has been there since 1.1, even back in netbsd, and im too
lazy to go back further to try and see why it is there. either way
it is meaningless.

suggested by mikeb@ and mpi@

bump link_maxhdr up from 16 to 64

link_maxhdr is best explained as the space reserved before an ip
packet payload for link headers, the most common of which is ethernet.
16 was a good choice when the only traffic we really did was ip
over ethernet, but now there are commonly used transports that are
bigger, specifically 802.11 traffic and vlan/vlan encapsulations,
that justify bumping it up.

i chose 64 because it would also allow enough space for encapsulations
like etherip or gif.

this reduces the size of the smallest packet that can fit into an
mbuf before more storage needs to be suffixed, but because most
traffic is either full sized (ie, already bigger than a single mbuf)
or tiny packets (think tcp ACKS, keystrokes over ssh, or dns requests)
the impact is negligible.

ok stsp@ mpi@ sthen@ mikeb@

Make every subsystem using a radix tree call rn_init() and pass the
length of the key as argument.

This way every consumer of the radix tree has a chance to explicitly
initialize the shared data structures and no longer rely on another
subsystem to do the initialization.

As a bonus ``dom_maxrtkey'' is no longer used an die.

ART kernels should now be fully usable because pf(4) and IPSEC properly
initialized the radix tree.

ok chris@, reyk@

Use a global table for domains instead of building a list at run time.

As a side effect there's no need to run if_attachdomain() after the
list of domains has been built.

ok claudio@, reyk@

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@

unifdef INET

remove uneeded proc.h includes
ok mpi@ kspillner@

"It's not the years, honey; it's the mileage."

bluetooth support doesn't work and isn't going anywhere. the current
design is a dead end, and should not be the basis for any future support.
general consensus says to whack it so as to not mislead the unwary.

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis

lint is gone, and the 'lint' conditional was never in the implementation
namespace, so stop changing behavior when it's #defined

ok beck@ krw@

Remove max_datalen. It is only used once an can be replaced easily with
MHLEN - max_hdr in that place. OK mikeb@

tedu netnatm and ueagle(4).

ok mikeb@, sthen@, tedu@ (implied), doc bits ok jmc@

begone, fucking rotten appletalk shit. ok room

Include PIPEX in kernel by default. And add new sysctl variable
`net.pipex.enable' to enable PIPEX. By default, pipex is disabled
and it will not process packets from wire. Update man pages and
update HOWTO_PIPEX_NPPPD.txt for testers.

discussed with dlg@, ok deraadt@ mcbride@ claudio@

timeout_add -> timeout_add_msec

ok claudio@ krw@

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@

netstat statistics for pflow(4) via pseudo family

ok cluadio@ henning@