Merge IPv4 and IPv6 options in inpcb.

A internet PCB has either inp_options or inp_outputopts6. Put them
into a common anonymous union.

OK mvs@ kn@

Use struct ipsec_level within inpcb.

Instead of passing around u_char[4], introduce struct ipsec_level
that contains 4 ipsec levels. This provides better type safety.
The embedding struct inpcb is globally visible for netstat(1), so
put struct ipsec_level outside of #ifdef _KERNEL.

OK deraadt@ mvs@

Delete unused inp_csumoffset define.

OK mvs@

Remove padding from union inpaddru.

Alignment of IPv4 address with lower part of IPv6 address looks
like a leftover from times when IPv6 compatible addresses should
contain IPv4 addreses. Better use a simple union for both IPv4 and
IPv6 addresses like everywhere else. Use this type also for common
zero address.

OK mvs@

Make local port which is bound during connect(2) unique per laddr.

in_pcbconnect() did not pass down the address it got from in_pcbselsrc()
to in_pcbpickport(). As a consequence local port numbers selected
during connect(2) were globally unique although they belong to
different addresses. This strict uniqueness is not necessary and
wastes usable ports for outgoing connections.

To solve this, pass ina from in_pcbconnect() to in_pcbbind_locked().
This does not interfere how wildcard sockets are matched with
specific sockets during bind(2). It only allows non-wildcard sockets
to share a local port during connect(2).

OK mvs@ deraadt@

Merge struct route and struct route_in6.

Use a common struct route for both inet and inet6. Unfortunately
struct sockaddr is shorter than sockaddr_in6, so netinet/in.h has
to be exposed from net/route.h. Struct route has to be bsd visible
for userland as netstat kvm code inspects inp_route. Internet PCB
and TCP SYN cache can use a plain struct route now. All specific
sockaddr types for inet and inet6 are embeded there.

OK claudio@

Remove include netinet6/ip6_var.h from netinet/in_pcb.h.

OK mvs@

Split in_pcbrtentry() and in6_pcbrtentry() based on INP_IPV6.

Splitting the IPv6 code into a separate function results in less
#ifdef INET6. Also struct route_in6 *ro in in6_pcbrtentry() is of
the correct type and in_pcbrtentry() does not rely on the fact that
inp_route and inp_route6 are pointers to the same union.

OK kn@ claudio@

Use more specific sockaddr type for inpcb notify.

in_pcbnotifyall() is an IPv4 only function. All callers check that
sockaddr dst is in fact a sockaddr_in. Pass the more spcific type
and remove the runtime check at beginning of in_pcbnotifyall().
Use const sockaddr_in in in_pcbnotifyall() and const sockaddr_in6
in6_pcbnotify() as dst parameter.

OK millert@

Convert some struct inpcb parameter to const pointer.

OK millert@

Run connect(2) in parallel within inet doamin.

This unlocks soconnect() for UDP, rip, rip6 and divert. It takes
shared net lock in combination with per socket lock. TCP and GRE
still use exclusive net lock when connecting.

OK mvs@

Protect link between pf and inp with mutex.

Introduce global mutex to protect the pointers between pf state key
and internet PCB. Then in_pcbdisconnect() and in_pcbdetach() do
not need exclusive netlock anymore. Use a bunch of read once
unlocked access to reduce performance impact.

OK sashan@

Run bind(2) system call in parallel.

For protocols that care about locking, use the shared net lock to
call sobind(). Use the per socket rwlock together with shared net
lock. This affects protocols UDP, raw IP, and divert. Move the
inpcb mutex locking into soreceive(), it is only used there. Add
a comment to describe the current inmplementation of inpcb locking.

OK mvs@ sashan@

Use inpcb table mutex to set addresses.

Protect all remaining write access to inp_faddr and inp_laddr with
inpcb table mutex. Document inpcb locking for foreign and local
address and port and routing table id. Reading will be made MP
safe by adding per socket rw-locks in a next step.

OK sashan@ mvs@

Inpcb table mutex protects addr and port during bind(2) and connect(2).

in_pcbbind(), in_pcbconnect(), and in6_pcbconnect() have to set
addresses and ports within the same critical section as the inpcb
hash table calculation. Also lookup and address selection have to
be protected to avoid bindings and connections that are not unique.

For that in_pcbpickport() and in_pcbbind_locked() expect that the
table mutex is already taken. The functions in_pcblookup_lock(),
in_pcblookup_local_lock(), and in_pcbaddrisavail_lock() grab the
mutex iff the lock parameter is IN_PCBLOCK_GRAB. Otherwise the
parameter is IN_PCBLOCK_HOLD has the lock has to be taken already.
Note that in_pcblookup_lock() and in_pcblookup_local() return an
inp with increased reference iff they take and release the lock.
Otherwise the caller protects the life time of the inp.

This gives enough flexibility that in_pcbbind() and in_pcbconnect()
can hold the table mutex when they need it. The public inpcb API
does not change.

OK sashan@ mvs@

Use INP_IPV6 flag instead of sotopf().

During initialization in_pcballoc() sets INP_IPV6 once to avoid
reaching through inp_socket->so_proto->pr_domain->dom_family. Use
this flag consistently.

OK sashan@ mvs@

Set inp address, port and rtable together with inpcb hash.

The inpcb hash table is protected by table->inpt_mtx. The hash is
based on addresses, ports, and routing table. These fields were
not sychronized with the hash. Put writes and hash update into the
same critical section.
Move the updates from ip_ctloutput(), ip6_ctloutput(), syn_cache_get(),
tcp_connect(), udp_disconnect() to dedicated inpcb set functions.
There they use the same table mutex as in_pcbrehash().
in_pcbbind(), in_pcbconnect(), and in6_pcbconnect() need more work
and are not included yet.

OK sashan@ mvs@

Document inp_socket as immutable and remove NULL checks.

Struct inpcb field inp_socket is initialized in in_pcballoc(). It
is not NULL and never changed.

OK mvs@

Remove struct inpcb from in6_embedscope() parameters.

rip6_output() did modify inp_outputopts6 temporarily to provide
different ip6_pktopts to in6_embedscope(). Better pass inp_outputopts6
and inp_moptions6 as separate arguments to in6_embedscope().
Simplify the code that deals with these options in in6_embedscope().
Doucument inp_moptions and inp_moptions6 as protected by net lock.

OK kn@

Remove inp parameter from ip_output().

ip_output() received inp as parameter. This is only used to lookup
the IPsec level of the socket. Reasoning about MP locking is much
easier if only relevant data is passed around. Convert ip_output()
to receive constant inp_seclevel as argument and mark it as protected
by net lock.

OK mvs@

Declare global variable zeroin46_addr as const.

OK mvs@ jca@

Calculate inet PCB SIP hash without table mutex.

Goal is to run UDP input in parallel. Btrace kstack analysis shows
that SIP hash for PCB lookup is quite expensive. When running in
parallel, there is also lock contention on the PCB table mutex.

It results in better performance to calculate the hash value before
taking the mutex. The hash secret has to be constant as hash
calculation must not depend on values protected by the table mutex.
Do not reseed anymore when hash table gets resized.

Analysis also shows that asserting a rw_lock while holding a mutex
is a bit expensive. Just remove the netlock assert.

OK dlg@ mvs@

System calls should not fail due to temporary memory shortage in
malloc(9) or pool_get(9).
Pass down a wait flag to pru_attach(). During syscall socket(2)
it is ok to wait, this logic was missing for internet pcb. Pfkey
and route sockets were already waiting.
sonewconn() must not wait when called during TCP 3-way handshake.
This logic has been preserved. Unix domain stream socket connect(2)
can wait until the other side has created the socket to accept.
OK mvs@

Move PRU_PEERADDR request to (*pru_peeraddr)().

Introduce in{,6}_peeraddr() and use them for inet and inet6 sockets,
except tcp(4) case.

Also remove *_usrreq() handlers.

ok bluhm@

Move PRU_SOCKADDR request to (*pru_sockaddr)()

Introduce in{,6}_sockaddr() functions, and use them for all except tcp(4)
inet sockets. For tcp(4) sockets use tcp_sockaddr() to keep debug ability.

The key management and route domain sockets returns EINVAL error for
PRU_SOCKADDR request, so keep this behaviour for a while instead of make
pru_sockaddr handler optional and return EOPNOTSUPP.

ok bluhm@

Refactor internet PCB lookup function. Rename in_pcbhashlookup()
so the public API is in_pcblookup() and in_pcblookup_listen(). For
internal use introduce in_pcbhash_insert() and in_pcbhash_lookup()
to avoid code duplication. Routing domain is unsigned, change the
type to u_int.
OK mvs@

Use rwlock per inpcb table to protect notify list. The notify
function may sleep, so holding a mutex is not possible. The same
list entry and rwlock is used for UDP multicast and raw IP delivery.
By adding a write lock, exclusive netlock is no longer necessary
for PCB notify and UDP and raw IP input.
OK mvs@

Introduce a mutex per inpcb to serialize access to socket receive
buffer. Later it may be used to protect more of the PCB or socket.
In divert input replace the kernel lock with this mutex.
OK mvs@

have in_pcbselsrc copy the selected address to memory provided by the caller.

having it return a pointer to something that has a lifetime managed
by a lock without accounting for it or taking a reference count or
anything like that is asking for trouble. copying the address to
caller provded memory while still inside the lock is a lot safer.

discussed with visa@
ok bluhm@ claudio@

For multicast and broadcast packets udp_input() traverses the loop
of all UDP PCBs. From there it calls udp_sbappend() while holding
the UDP table mutex. This ends in sorwakeup() where we finally
grab the kernel lock while holding a mutex. Witness detects this
misuse.
Use the same solution as for PCB notify. Collect the affected PCBs
in a temporary list. The list is protected by exclusive net lock.
Reported-by: syzbot+7596cb96fb9f3c9d6f4f@syzkaller.appspotmail.com
OK sashan@

Header netinet/in_pcb.h includes sys/mutex.h now. Recommit mutex
for PCB tables. It does not break userland build anymore.

pf_socket_lookup() calls in_pcbhashlookup() in the PCB layer. To
run pf in parallel, make parts of the stack MP safe. Protect the
list and hashes in the PCB tables with a mutex.
Note that the protocol notify functions may call pf via tcp_output().
As the pf lock is a sleeping rw_lock, we must not hold a mutex. To
solve this for now, collect these PCBs in inp_notify list and protect
it with exclusive netlock.
OK sashan@

Include sys/mutex.h from netinet/in_pcb.h. Struct mutex will be
needed to make inpcb in kernel MP safe. To build sysctl and libkvm
based programs, we have to export it to userland.
OK claudio@

Unbreak the tree, revert commitid aZ8fm4iaUnTCc0ul

This reverts the commit protecting the list and hashes in the PCB tables
with a mutex since the build of sysctl(8) breaks, as found by kettenis.

ok sthen

pf_socket_lookup() calls in_pcbhashlookup() in the PCB layer. To
run pf in parallel, make parts of the stack MP safe. Protect the
list and hashes in the PCB tables with a mutex.
Note that the protocol notify functions may call pf via tcp_output().
As the pf lock is a sleeping rw_lock, we must not hold a mutex. To
solve this for now, collect these PCBs in inp_notify list and protect
it with exclusive netlock.
OK sashan@

The return value of in6_pcbnotify() is never used. Make it a void
function.
OK gnezdo@ mvs@ florian@ sashan@

Shifting signed integers left by 31 is undefined behavior in C.
found by kubsan; joint work with tobhe@; OK miod@

if stoeplitz is enabled, use it to provide a flowid for tcp packets.

drivers that implement rss and multiple rings depend on the symmetric
toeplitz code, and use it to generate a key that decides with rx
ring a packet lands on. if the toeplitz code is enabled, this diff
has the pcb and tcp layer use the toeplitz code to generate a flowid
for packets they send, which in turn is used to pick a tx ring.
because the nic and the stack use the same key, the tx and rx sides
end up with the same hash/flowid. at the very least this means that
the same rx and tx queue pair on a particular nic are used for both
sides of the connection. as the stack becomes more parallel, it
will also help keep both sides of the tcp connection processing in
the one place.

knf: the inp_upcall line was too long.

add a inp_upcall function pointer and inp_upcall_arg to struct in_pcb.

this is so protocols (eg, udp) can let things (eg, kernel support
for wireguard or vxlan or geneve) look at and possibly steal packets
before they get added to a socket buffer.

i wrote the original version of this, but it was tweaked by Matt
Dunwoodie and Jason A. Donenfeld for use with wireguard.

Add DoT 853 to DEFBADDYNAMICPORTS_TCP. This port will be increasingly
unfiltered in the future, so this prevents rresvport_af(3) from randomly
exposing a service intended for local visibility only.
ok florian

in6_setsockaddr and in6_setpeeraddr can't fail, so let them return void.

this also brings them in line with the AF_INET equivalents.

ok visa@ bluhm@

Initialize struct inpcb pool not on demand, but during initialization.
Removes a global variable and avoids MP problems.
OK mpi@ visa@

Revert the inpcb table mutex commit. It triggers a witness panic
in raw IP delivery and UDP broadcast loops. There inpcbtable_mtx
is held and sorwakeup() is called within the loop. As sowakeup()
grabs the kernel lock, we have a lock ordering problem.
found by Hrvoje Popovski; OK deraadt@ mpi@

As a step towards per inpcb or socket locks, remove the net lock
for netstat -a. Introduce a global mutex that protects the tables
and hashes for the internet PCBs. To detect detached PCB, set its
inp_socket field to NULL. This has to be protected by a per PCB
mutex. The protocol pointer has to be protected by the mutex as
netstat uses it.
Always take the kernel lock in in_pcbnotifyall() and in6_pcbnotify()
before the table mutex to avoid lock ordering problems in the notify
functions.
OK visa@

In general it is a bad idea to use one random secret for two things.
The inet PCB uses one hash with local and foreign addresses, and
one with local port numbers. Give both hashes separate keys. Also
document the struct fields.
OK visa@

unbreak userland uses of in_pcb.h by including sys/refcnt.h
ok visa@

Add reference counting for inet pcb, this will be needed when we
start locking the socket. An inp can be referenced by the PCB queue
and hashes, by a pf mbuf header, or by a pf state key.
OK visa@

Make the distribution of in_ and in6_ functions in in_pcb.c and
in6_pcb.c consistent, to ease comparing the code. Move all inet6
functions to in6_. Bring functions in both source files in same
order. Cleanup the include section. Now in_pcb.c is a superset
of in6_pcb.c. The latter contains all the special implementations.
Just moving arround, no code change intended.
OK mpi@

Rename the incpb table field inpt_hash to inpt_mask as it contains
the hashmask. For the resize calculations it is clearer to use the
field inpt_size.
OK visa@ mpi@

Move the declarations of the raw ip and ip6 pcb tables into the
in_pcb.h header file.
OK mpi@ visa@

Store the allocation size in inpcbhead for free().

OK visa@

Simplify the reverse PCB lookup logic. The PF_TAG_TRANSLATE_LOCALHOST
security check prevents that the user accidentally configures
redirect where a divert-to would be appropriate. Instead of spreading
the logic into tcp and udp input, check the flag during PCB listen
lookup. This also reduces parameters of in_pcblookup_listen().
OK visa@

Kill the divert-packet socket option IP_DIVERTFL to filter packets.
It used a loop over the global list divbtable that would be hard
to make MP safe. The port net/dnsfilter does not work without this,
it should be converted to divert-to. Neither other ports nor base
use this filter feature.
ports checked by sthen@; OK mpi@ benno@

Reserve the BFD destination ports in baddynamic

OK claudio@, henning@

Commit in6_selectsrc() split again, with missing assignment fixed.

Revert in_selectsrc() refactoring, it breaks IPv6.

Reported by Heiko on bugs@.

ok stsp@, claudio@

Split in6_selectsrc() into a low-level part and a pcb-level part, and
convert in_selectsrc() prototype to match.

Ok bluhm@ mpi@.

Implement IPV6_MINHOPCOUNT support.

Useful to implement GTSM support in daemons such as bgpd(8). Diff from
2013 revived by renato@. Input from bluhm@, ok bluhm@ deraadt@

Add net.inet.{tcp,udp}.rootonly sysctl, to mark which ports
cannot be bound to by non-root users.

Ok millert@ bluhm@

Rename in_pcblookup() to in_pcblookup_local() and change its prototype
to get rid of the now useless foreign address and ports parameters.

ok mpi@

Move inp_laddr assignment after in_pcbpickport(), extend in_pcbpickport()
as needed.

Ok bluhm@

Merge in_pcbbind() and in6_pcbbind(), and change every call to
in6_pcbbind() into in_pcbbind().

Ok jca@ mpi@

Extract in_pcbaddrisavail() from in_pcbbind().

ok jca@

Extract in6_pcbaddrisavail() from in6_pcbbind(), and use it when
checking for source availability in udp6_output(); This time with
all the files.

Ok jca@ bluhm@

rm unused kernel only IPV6_RECVRTHDRDSTOPTS sockopt. ok deraadt sthen

Move port picking away from in_pcbbind()

ok sthen@

Ignore Router Advertisment's current hop limit.

Appart from the usual inet6 axe murdering exercise to keep you fit, this
allows us to get rid of a lot of layer violation due to the use of per-
ifp variables to store the current hop limit.

Imputs from bluhm@, ok phessler@, florian@, bluhm@

Remove inpt_lastport from struct inpcbtable, use local variables
in in_pcbbind() and in6_pcbsetport()

ok claudio@, with input from David Hill

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.

use siphash in the in_pcb hashing. this mitigates it against flooding
attacks.

this is a textbook use of siphash.

the idea of using siphash for this came from yasuoka-san, but i had
the time to do it. he also tested and tweaked this diff.

ok yasuoka@ mikeb@

Resize the pcb hashtable automatically. The table size will be doubled
when the number of the hash entries reaches 75% of the table size.

ok dlg henning, 'commit in' claudio

Invert the signature logic of in{,6}_selectsrc, make them return the
error code and pass the resulting source address back to the caller
through a pointer, as suggested by chrisz. This gives us more readable
code, and eases the deletion of useless checks in the callers' error path.
Add a bunch of "0 -> NULL" conversions, while here.
ok chrisz@ mpi@

Merge in_fixaddr() into in_selectsrc() in order to prepare for
IP_SENDSRCADDR support. This reduces the differences with the
IPv6 version and kill some comments that are no longer true.

ok jca@, chrisz@, mikeb@

factor out source and destination address mangling from in_pcbconnect()
for later reuse in udp_output().

"Apart from that OK" claudio@

Switch inpt_queue from CIRCLEQ to TAILQ. Thus ending use of CIRCLEQ
in the base. Ports fixes to follow shortly for the two ports (gkrellm
and net-snmp) affected.

ok zhuk@ millert@

Back when some NRL code was merged into KAME to create the *BSD IPV6
stack (factoid: by a bunch of people in my living room), some compatibility
#define's were created to shim incompatible inpcb access methods. There
was an understanding they would eventually be removed. Since they are
error prone, and 1999 is a long time ago, now they die.
ok mikeb claudio mpi

Put a large chunk of the IPv6 rdomain support in-tree.

Still some important missing pieces, and this is not yet enabled.

OK bluhm@

The function rip6_ctlinput() claims that sa6_src is constant to
allow the assingment of &sa6_any. But rip6_ctlinput() could not
guarantee that as it casted away the const attribute when it passes
the pointer to in6_pcbnotify(). Replace sockaddr with const
sockaddr_in6 in the in6_pcbnotify() parameters. This reduces the
number of casts. Also adjust in6_pcbhashlookup() to handle the
const attribute correctly.
Input and OK claudio@

Move an extern declaration into its corresponding header file.

Declare struct pf_state_key in the mbuf and in_pcb header files to
avoid ugly casts.
OK krw@ tedu@

tedu faith(4), suggested by todd@ some weeks ago after a submission by
dhill.

ok krw@, mikeb@, tedu@ (implicit)

Pass struct inpcb pointer to in_pcb...() functions instead of void
pointer. Allows stricter type checking. No functional change.
OK claudio@

Add the IP_DIVERTFL socket option on divert(4) sockets to control
which packets (as in direction) of the traffic will be diverted
through the divert socket.
ok claudio@, henning@

add IPV6_RECVDSTPORT socket option, which enables us to get original
(= before divert) destination port of a UDP packet. The way to use
this option is same as IP_RECVDSTPORT.

from UMEZAWA Takeshi
tweaks from jmc; ok henning bluhm

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage

Add IP_RECVRTABLE socket option to be used with a IPPROTO_IP
level that allows one to retrieve the original routing domain
of UDP datagrams diverted by the pf via "divert-to" with a
recvmsg(2).

ok claudio

add a new IP level socket option IP_PIPEX. This option is used for L2TP
support by pipex.
OK henning@, "Carry on" blambert@

Fix the naming of interfaces and variables for rdomains and rtables
and make it possible to bind sockets (including listening sockets!)
to rtables and not just rdomains. This changes the name of the
system calls, socket option, and ioctl. After building with this
you should remove the files /usr/share/man/cat2/[gs]etrdomain.0.

Since this removes the existing [gs]etrdomain() system calls, the
libc major is bumped.

Written by claudio@, criticized^Wcritiqued by me

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@

Initial support for routing domains. This allows to bind interfaces to
alternate routing table and separate them from other interfaces in distinct
routing tables. The same network can now be used in any doamin at the same
time without causing conflicts.
This diff is mostly mechanical and adds the necessary rdomain checks accross
net and netinet. L2 and IPv4 are mostly covered still missing pf and IPv6.
input and tested by jsg@, phessler@ and reyk@. "put it in" deraadt@

add X11 ports to default TCP baddynamic list

expand the net.inet.(tcp|udp).baddynamic dynamic source port
skipping bitmasks to cover the entire 65536 port space - previously
they covered 512-1024 only.

sysctl needs to be updated to cope with this change; please
"make includes" before rebuilding it.

feedback millert@ ok millert@ deraadt@ markus@

link pf state keys to tcp pcbs and vice versa.
when we first do a pcb lookup and we have a pointer to a pf state key
in the mbuf header, store the state key pointer in the pcb and a pointer
to the pcb we just found in the state key. when either the state key
or the pcb is removed, clear the pointers.
on subsequent packets inbound we can skip the pcb lookup and just use the
pointer from the state key.
on subsequent packets outbound we can skip the state key lookup and use
the pointer from the pcb.
about 8% speedup with 100 concurrent tcp sessions, should help much more
with more tcp sessions.
ok markus ryan

Deal with the situation when TCP nfs mounts timeout and processes
get hung in nfs_reconnect() because they do not have the proper
privilages to bind to a socket, by adding a struct proc * argument
to sobind() (and the *_usrreq() routines, and finally in{6}_pcbbind)
and do the sobind() with proc0 in nfs_connect.

OK markus@, blambert@.
"go ahead" deraadt@.

Fixes an issue reported by bernd@ (Tested by bernd@).
Fixes PR5135 too.

divert for ipv6; ok henning, pyr

IP_RECVDSTPORT, allows you to get the destination port of UDP datagrams
for pf(4) diverted packets; based on patch by Scot Loach; ok beck@

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@

Remove TCP ports 760 and 761 from DEFBADDYNAMICPORTS_TCP; they are
not used with Heimdal. Add UDP port 749 to DEFBADDYNAMICPORTS_UDP
for consistency with DEFBADDYNAMICPORTS_TCP. We retain some Kerberos
4 ports for people running Heimdal in Kerberos 4 compat mode.
OK deraadt@ beck@

switch IPv6 advanced API from RFC2292 to RFC3542 (2292 is superseded by 3542).
the kernel still handles RFC2292 set/getsockopts, so that compiled binary
has no trouble running. userland sees RFC3542 symbols only on header file
so new code has to use RFC3542 API.

bump libc shlib minor for function additions.

tested on i386/amd64 by jmc, i386 by brad. checked by deraadt.

implement IP_MINTTL socket option fo tcp sockets
This is for RFC3682 aka the TTL security hack - sender sets TTL to 255,
receiver checks no router on the way (or, no more than expected) reduced
the TTL. carp uses that technique already.
modeled after FreeBSD implementation.
ok claudio djm deraadt

implement IP_RECVTTL socket option.
when set on raw or udp sockets, userland receives the incoming packet's TTL
as ancillary data (cmsg shitz). modeled after the FreeBSD implementation.
ok claudio djm deraadt

udp port 664 is sometimes also stolen on the wire by ipmi/asf balony.
Did these vendors really really really not think? Absolute morons.

Put ASF/IPMI port 623 into the bad dynamic udp table, because otherwise
we will randomly choose that stupid port, which NIC's are sometimes
programmed to eat invisibly; sthen@bootes.spacehopper.org, pr5139

Make savecontrol functions more generic and use them now for raw IP too.
Additionally add the IP_RECVIF option which returns the interface a packet
was received on. OK markus@ norby@

in ansi c, bitfields must be done against int, unsigned int, or _Bool.
so we must start to use u_int; ok cloder

remove in_pcbnotify, it is no longer used.

support IPV6_USE_MIN_MTU (forgot to commit the file, sorry). noted by Anil

change in*_pcbnotify to return numbers of matches; ok itojun, mcbride, henning

Mbuf tag tcp and udp packets which are translated to localhost, and
use the the presence of this tag to reverse the match order in
in{6}_pcblookup_listen(). Some daemons (such as portmap) do a double
bind, binding to both * and localhost in order to differentiate local
from non-local connections, and potentially granting more privilege to
local ones. This change ensures that redirected connections to localhost
do not appear local to such a daemon.

Bulk of changes from dhartmei@, some changes markus@

ok dhartmei@ deraadt@

add in(6)_pcblookup_listen() and replace all calls to in_pcblookup()
with either in(6)_pcbhashlookup() or in(6)_pcblookup_listen();
in_pcblookup is now only used by bind(2); speeds up pcb lookup for
listening sockets; from Claudio Jeker

additional hash for local port; improves speed of implicit bind
from >1000K cpu cycles to 20-30K for 18000 sockets on i386;
test+feedback by Claudio Jeker; ok itojun@;
[make sure you rebuild netstat/systat, too]

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

pass struct proc * down to in6_pcbsetport

whitespace

sync with latest KAME in6_ifaddr/prefix/default router manipulation.
behavior changes:
- two iocts used by ndp(8) are now obsolete (backward compat provided).
use sysctl path instead.
- lo0 does not get ::1 automatically. it will get ::1 when lo0 comes up.

Keep an policy attached to each socket (that needs it), and cleanup as
needed on socket tear-down.

Final __P removal plus some cosmetic fixups

First round of __P removal in sys

branches: 1.38.4;
IPComp itself (include files). angelos@ ok.

IPsec-related socket options; these can be set/removed/retrieved, but
are not taken into consideration in anything just yet.

Inclusion protection.

Keep local authentication material on the PCB.

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.

pull in new pcb notification code from kame. better handling of scope address.

amove in6_{embed,recover}scope prototypes to in6_var.h (kernel only).
add in6_clearscope. sync better with kame

witch raw ip6 socket code from NRL to kame.
makes upgrades/code sharing much easier.

nuke inp_flags bits for controlling IPv4 mapped address.
we don't support IPv4 mapped address,
and there are inconsistent bit manipulation code so it's safer to nuke them.

verify payload of the icmp need fragment message at the tcp layer. okay itojun@

check if we have a tcb connected to the destination quoted in the icmp need
fragment message when doing path mtu discovery. okay angelos@

Path MTU discovery based on NetBSD but with the decision to use the DF
flag delayed to ip_output(). That halves the code and reduces most of
the route lookups. okay deraadt@

sync with KAME udp6_output(). udp output logic is very different between
IPv4/v6 so the separation should make more sense.

TODO: remove IPv6 case from udp_output()
TODO: remove/comment out/#if 0 IPv4 mapped address cases

allow link-local IPv6 addres in in6_pcbbind.

add TCP port 587 to default list of reserved ports not to allocate dynamically in order to reserve it for sendmail.

branches: 1.22.2;
fix include file path related to ip6.

Remove ifdef'ed out definitions.

synchronize inp_flags definition across kame/*bsd.
this would ease us implement future COMPAT_*BSD.

(sync with kame tree)

make it easier to synchronize INP_xx flags and IN6P_xx flags.

bring in KAME IPv6 code, dated 19991208.
replaces NRL IPv6 layer. reuses NRL pcb layer. no IPsec-on-v6 support.
see sys/netinet6/{TODO,IMPLEMENTATION} for more details.

GENERIC configuration should work fine as before. GENERIC.v6 works fine
as well, but you'll need KAME userland tools to play with IPv6 (will be
bringed into soon).

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.

Removed inclusion of netinet6/in6.h. This was an artifact of when the core
IPv6 symbols were there rather than in netinet/in.h, and now not only is
unnecessary but also could create problems (see PR library/781).

netinet merge of NRL stuff. some indent and shrinkage needed; NRL/cmetz

more IPV6 merge; cmetz

INET6 support

in_pcblookup() now takes ptr to both ip address arguments

rename baddynamic() to in_baddynamic(), and export it

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.

indent

Add DP_CLR() macro

Theo doesn't like extra kernel options, so don't allow
DEFBADDYNAMICPORTS_TCP and DEFBADDYNAMICPORTS_UDP to be
overridden from the kernel. It's not really too useful
since there is a nice sysctl interface for this stuff.

Allow DEFBADDYNAMICPORTS_TCP and DEFBADDYNAMICPORTS_UDP to be
overridden via kernel config file.

The list of tcp/udp ports not to allocate dynamically is now
a bitmask configurable via sysctl([38]). The default values
have not changed. If one wants to change the list it should
be done early on in /etc/rc.

Moved IPsec socket state to the PCB.

From FreeBSD (with slightly different sysctl names):

"... Allow the user to nominate one of three ranges of port numbers as
candidates for selecting a local address to replace a zero port number.
The ranges are selected via a setsockopt(s, IPPROTO_IP, IP_PORTRANGE, &arg)
call. The three ranges are: default, high (to bypass firewalls) and
low (to get a port below 1024).

The default and high port ranges are sysctl settable under sysctl
net.inet.ip.portrange.* [net.inet.ip.portfirst, net.inet.ip.portlast,
net.inet.ip.porthifirst, and net.inet.ip.porthilast currently in OpenBSD.]

This code also fixes a potential deadlock if the system accidently ran out
of local port addresses. It'd drop into an infinite while loop.

The secure port selection (for root) should reduce overheads and increase
reliability of rlogin/rlogind/rsh/rshd if they are modified to take
advantage of it."

From NetBSD: 960217 merge

branches: 1.1.1;
Initial revision

Use struct ipsec_level within inpcb.

Instead of passing around u_char[4], introduce struct ipsec_level
that contains 4 ipsec levels. This provides better type safety.
The embedding struct inpcb is globally visible for netstat(1), so
put struct ipsec_level outside of #ifdef _KERNEL.

OK deraadt@ mvs@

Delete unused inp_csumoffset define.

OK mvs@

Remove padding from union inpaddru.

Alignment of IPv4 address with lower part of IPv6 address looks
like a leftover from times when IPv6 compatible addresses should
contain IPv4 addreses. Better use a simple union for both IPv4 and
IPv6 addresses like everywhere else. Use this type also for common
zero address.

OK mvs@

Make local port which is bound during connect(2) unique per laddr.

in_pcbconnect() did not pass down the address it got from in_pcbselsrc()
to in_pcbpickport(). As a consequence local port numbers selected
during connect(2) were globally unique although they belong to
different addresses. This strict uniqueness is not necessary and
wastes usable ports for outgoing connections.

To solve this, pass ina from in_pcbconnect() to in_pcbbind_locked().
This does not interfere how wildcard sockets are matched with
specific sockets during bind(2). It only allows non-wildcard sockets
to share a local port during connect(2).

OK mvs@ deraadt@

Merge struct route and struct route_in6.

Use a common struct route for both inet and inet6. Unfortunately
struct sockaddr is shorter than sockaddr_in6, so netinet/in.h has
to be exposed from net/route.h. Struct route has to be bsd visible
for userland as netstat kvm code inspects inp_route. Internet PCB
and TCP SYN cache can use a plain struct route now. All specific
sockaddr types for inet and inet6 are embeded there.

OK claudio@

Remove include netinet6/ip6_var.h from netinet/in_pcb.h.

OK mvs@

Split in_pcbrtentry() and in6_pcbrtentry() based on INP_IPV6.

Splitting the IPv6 code into a separate function results in less
#ifdef INET6. Also struct route_in6 *ro in in6_pcbrtentry() is of
the correct type and in_pcbrtentry() does not rely on the fact that
inp_route and inp_route6 are pointers to the same union.

OK kn@ claudio@

Use more specific sockaddr type for inpcb notify.

in_pcbnotifyall() is an IPv4 only function. All callers check that
sockaddr dst is in fact a sockaddr_in. Pass the more spcific type
and remove the runtime check at beginning of in_pcbnotifyall().
Use const sockaddr_in in in_pcbnotifyall() and const sockaddr_in6
in6_pcbnotify() as dst parameter.

OK millert@

Convert some struct inpcb parameter to const pointer.

OK millert@

Run connect(2) in parallel within inet doamin.

This unlocks soconnect() for UDP, rip, rip6 and divert. It takes
shared net lock in combination with per socket lock. TCP and GRE
still use exclusive net lock when connecting.

OK mvs@

Protect link between pf and inp with mutex.

Introduce global mutex to protect the pointers between pf state key
and internet PCB. Then in_pcbdisconnect() and in_pcbdetach() do
not need exclusive netlock anymore. Use a bunch of read once
unlocked access to reduce performance impact.

OK sashan@

Run bind(2) system call in parallel.

For protocols that care about locking, use the shared net lock to
call sobind(). Use the per socket rwlock together with shared net
lock. This affects protocols UDP, raw IP, and divert. Move the
inpcb mutex locking into soreceive(), it is only used there. Add
a comment to describe the current inmplementation of inpcb locking.

OK mvs@ sashan@

Use inpcb table mutex to set addresses.

Protect all remaining write access to inp_faddr and inp_laddr with
inpcb table mutex. Document inpcb locking for foreign and local
address and port and routing table id. Reading will be made MP
safe by adding per socket rw-locks in a next step.

OK sashan@ mvs@

Inpcb table mutex protects addr and port during bind(2) and connect(2).

in_pcbbind(), in_pcbconnect(), and in6_pcbconnect() have to set
addresses and ports within the same critical section as the inpcb
hash table calculation. Also lookup and address selection have to
be protected to avoid bindings and connections that are not unique.

For that in_pcbpickport() and in_pcbbind_locked() expect that the
table mutex is already taken. The functions in_pcblookup_lock(),
in_pcblookup_local_lock(), and in_pcbaddrisavail_lock() grab the
mutex iff the lock parameter is IN_PCBLOCK_GRAB. Otherwise the
parameter is IN_PCBLOCK_HOLD has the lock has to be taken already.
Note that in_pcblookup_lock() and in_pcblookup_local() return an
inp with increased reference iff they take and release the lock.
Otherwise the caller protects the life time of the inp.

This gives enough flexibility that in_pcbbind() and in_pcbconnect()
can hold the table mutex when they need it. The public inpcb API
does not change.

OK sashan@ mvs@

Use INP_IPV6 flag instead of sotopf().

During initialization in_pcballoc() sets INP_IPV6 once to avoid
reaching through inp_socket->so_proto->pr_domain->dom_family. Use
this flag consistently.

OK sashan@ mvs@

Set inp address, port and rtable together with inpcb hash.

The inpcb hash table is protected by table->inpt_mtx. The hash is
based on addresses, ports, and routing table. These fields were
not sychronized with the hash. Put writes and hash update into the
same critical section.
Move the updates from ip_ctloutput(), ip6_ctloutput(), syn_cache_get(),
tcp_connect(), udp_disconnect() to dedicated inpcb set functions.
There they use the same table mutex as in_pcbrehash().
in_pcbbind(), in_pcbconnect(), and in6_pcbconnect() need more work
and are not included yet.

OK sashan@ mvs@

Document inp_socket as immutable and remove NULL checks.

Struct inpcb field inp_socket is initialized in in_pcballoc(). It
is not NULL and never changed.

OK mvs@

Remove struct inpcb from in6_embedscope() parameters.

rip6_output() did modify inp_outputopts6 temporarily to provide
different ip6_pktopts to in6_embedscope(). Better pass inp_outputopts6
and inp_moptions6 as separate arguments to in6_embedscope().
Simplify the code that deals with these options in in6_embedscope().
Doucument inp_moptions and inp_moptions6 as protected by net lock.

OK kn@

Remove inp parameter from ip_output().

ip_output() received inp as parameter. This is only used to lookup
the IPsec level of the socket. Reasoning about MP locking is much
easier if only relevant data is passed around. Convert ip_output()
to receive constant inp_seclevel as argument and mark it as protected
by net lock.

OK mvs@

Declare global variable zeroin46_addr as const.

OK mvs@ jca@

Calculate inet PCB SIP hash without table mutex.

Goal is to run UDP input in parallel. Btrace kstack analysis shows
that SIP hash for PCB lookup is quite expensive. When running in
parallel, there is also lock contention on the PCB table mutex.

It results in better performance to calculate the hash value before
taking the mutex. The hash secret has to be constant as hash
calculation must not depend on values protected by the table mutex.
Do not reseed anymore when hash table gets resized.

Analysis also shows that asserting a rw_lock while holding a mutex
is a bit expensive. Just remove the netlock assert.

OK dlg@ mvs@

System calls should not fail due to temporary memory shortage in
malloc(9) or pool_get(9).
Pass down a wait flag to pru_attach(). During syscall socket(2)
it is ok to wait, this logic was missing for internet pcb. Pfkey
and route sockets were already waiting.
sonewconn() must not wait when called during TCP 3-way handshake.
This logic has been preserved. Unix domain stream socket connect(2)
can wait until the other side has created the socket to accept.
OK mvs@

Move PRU_PEERADDR request to (*pru_peeraddr)().

Introduce in{,6}_peeraddr() and use them for inet and inet6 sockets,
except tcp(4) case.

Also remove *_usrreq() handlers.

ok bluhm@

Move PRU_SOCKADDR request to (*pru_sockaddr)()

Introduce in{,6}_sockaddr() functions, and use them for all except tcp(4)
inet sockets. For tcp(4) sockets use tcp_sockaddr() to keep debug ability.

The key management and route domain sockets returns EINVAL error for
PRU_SOCKADDR request, so keep this behaviour for a while instead of make
pru_sockaddr handler optional and return EOPNOTSUPP.

ok bluhm@

Refactor internet PCB lookup function. Rename in_pcbhashlookup()
so the public API is in_pcblookup() and in_pcblookup_listen(). For
internal use introduce in_pcbhash_insert() and in_pcbhash_lookup()
to avoid code duplication. Routing domain is unsigned, change the
type to u_int.
OK mvs@

Use rwlock per inpcb table to protect notify list. The notify
function may sleep, so holding a mutex is not possible. The same
list entry and rwlock is used for UDP multicast and raw IP delivery.
By adding a write lock, exclusive netlock is no longer necessary
for PCB notify and UDP and raw IP input.
OK mvs@

Introduce a mutex per inpcb to serialize access to socket receive
buffer. Later it may be used to protect more of the PCB or socket.
In divert input replace the kernel lock with this mutex.
OK mvs@

have in_pcbselsrc copy the selected address to memory provided by the caller.

having it return a pointer to something that has a lifetime managed
by a lock without accounting for it or taking a reference count or
anything like that is asking for trouble. copying the address to
caller provded memory while still inside the lock is a lot safer.

discussed with visa@
ok bluhm@ claudio@

For multicast and broadcast packets udp_input() traverses the loop
of all UDP PCBs. From there it calls udp_sbappend() while holding
the UDP table mutex. This ends in sorwakeup() where we finally
grab the kernel lock while holding a mutex. Witness detects this
misuse.
Use the same solution as for PCB notify. Collect the affected PCBs
in a temporary list. The list is protected by exclusive net lock.
Reported-by: syzbot+7596cb96fb9f3c9d6f4f@syzkaller.appspotmail.com
OK sashan@

Header netinet/in_pcb.h includes sys/mutex.h now. Recommit mutex
for PCB tables. It does not break userland build anymore.

pf_socket_lookup() calls in_pcbhashlookup() in the PCB layer. To
run pf in parallel, make parts of the stack MP safe. Protect the
list and hashes in the PCB tables with a mutex.
Note that the protocol notify functions may call pf via tcp_output().
As the pf lock is a sleeping rw_lock, we must not hold a mutex. To
solve this for now, collect these PCBs in inp_notify list and protect
it with exclusive netlock.
OK sashan@

Include sys/mutex.h from netinet/in_pcb.h. Struct mutex will be
needed to make inpcb in kernel MP safe. To build sysctl and libkvm
based programs, we have to export it to userland.
OK claudio@

Unbreak the tree, revert commitid aZ8fm4iaUnTCc0ul

This reverts the commit protecting the list and hashes in the PCB tables
with a mutex since the build of sysctl(8) breaks, as found by kettenis.

ok sthen

pf_socket_lookup() calls in_pcbhashlookup() in the PCB layer. To
run pf in parallel, make parts of the stack MP safe. Protect the
list and hashes in the PCB tables with a mutex.
Note that the protocol notify functions may call pf via tcp_output().
As the pf lock is a sleeping rw_lock, we must not hold a mutex. To
solve this for now, collect these PCBs in inp_notify list and protect
it with exclusive netlock.
OK sashan@

The return value of in6_pcbnotify() is never used. Make it a void
function.
OK gnezdo@ mvs@ florian@ sashan@

Shifting signed integers left by 31 is undefined behavior in C.
found by kubsan; joint work with tobhe@; OK miod@

if stoeplitz is enabled, use it to provide a flowid for tcp packets.

drivers that implement rss and multiple rings depend on the symmetric
toeplitz code, and use it to generate a key that decides with rx
ring a packet lands on. if the toeplitz code is enabled, this diff
has the pcb and tcp layer use the toeplitz code to generate a flowid
for packets they send, which in turn is used to pick a tx ring.
because the nic and the stack use the same key, the tx and rx sides
end up with the same hash/flowid. at the very least this means that
the same rx and tx queue pair on a particular nic are used for both
sides of the connection. as the stack becomes more parallel, it
will also help keep both sides of the tcp connection processing in
the one place.

knf: the inp_upcall line was too long.

add a inp_upcall function pointer and inp_upcall_arg to struct in_pcb.

this is so protocols (eg, udp) can let things (eg, kernel support
for wireguard or vxlan or geneve) look at and possibly steal packets
before they get added to a socket buffer.

i wrote the original version of this, but it was tweaked by Matt
Dunwoodie and Jason A. Donenfeld for use with wireguard.

Add DoT 853 to DEFBADDYNAMICPORTS_TCP. This port will be increasingly
unfiltered in the future, so this prevents rresvport_af(3) from randomly
exposing a service intended for local visibility only.
ok florian

in6_setsockaddr and in6_setpeeraddr can't fail, so let them return void.

this also brings them in line with the AF_INET equivalents.

ok visa@ bluhm@

Initialize struct inpcb pool not on demand, but during initialization.
Removes a global variable and avoids MP problems.
OK mpi@ visa@

Revert the inpcb table mutex commit. It triggers a witness panic
in raw IP delivery and UDP broadcast loops. There inpcbtable_mtx
is held and sorwakeup() is called within the loop. As sowakeup()
grabs the kernel lock, we have a lock ordering problem.
found by Hrvoje Popovski; OK deraadt@ mpi@

As a step towards per inpcb or socket locks, remove the net lock
for netstat -a. Introduce a global mutex that protects the tables
and hashes for the internet PCBs. To detect detached PCB, set its
inp_socket field to NULL. This has to be protected by a per PCB
mutex. The protocol pointer has to be protected by the mutex as
netstat uses it.
Always take the kernel lock in in_pcbnotifyall() and in6_pcbnotify()
before the table mutex to avoid lock ordering problems in the notify
functions.
OK visa@

In general it is a bad idea to use one random secret for two things.
The inet PCB uses one hash with local and foreign addresses, and
one with local port numbers. Give both hashes separate keys. Also
document the struct fields.
OK visa@

unbreak userland uses of in_pcb.h by including sys/refcnt.h
ok visa@

Add reference counting for inet pcb, this will be needed when we
start locking the socket. An inp can be referenced by the PCB queue
and hashes, by a pf mbuf header, or by a pf state key.
OK visa@

Make the distribution of in_ and in6_ functions in in_pcb.c and
in6_pcb.c consistent, to ease comparing the code. Move all inet6
functions to in6_. Bring functions in both source files in same
order. Cleanup the include section. Now in_pcb.c is a superset
of in6_pcb.c. The latter contains all the special implementations.
Just moving arround, no code change intended.
OK mpi@

Rename the incpb table field inpt_hash to inpt_mask as it contains
the hashmask. For the resize calculations it is clearer to use the
field inpt_size.
OK visa@ mpi@

Move the declarations of the raw ip and ip6 pcb tables into the
in_pcb.h header file.
OK mpi@ visa@

Store the allocation size in inpcbhead for free().

OK visa@

Simplify the reverse PCB lookup logic. The PF_TAG_TRANSLATE_LOCALHOST
security check prevents that the user accidentally configures
redirect where a divert-to would be appropriate. Instead of spreading
the logic into tcp and udp input, check the flag during PCB listen
lookup. This also reduces parameters of in_pcblookup_listen().
OK visa@

Kill the divert-packet socket option IP_DIVERTFL to filter packets.
It used a loop over the global list divbtable that would be hard
to make MP safe. The port net/dnsfilter does not work without this,
it should be converted to divert-to. Neither other ports nor base
use this filter feature.
ports checked by sthen@; OK mpi@ benno@

Reserve the BFD destination ports in baddynamic

OK claudio@, henning@

Commit in6_selectsrc() split again, with missing assignment fixed.

Revert in_selectsrc() refactoring, it breaks IPv6.

Reported by Heiko on bugs@.

ok stsp@, claudio@

Split in6_selectsrc() into a low-level part and a pcb-level part, and
convert in_selectsrc() prototype to match.

Ok bluhm@ mpi@.

Implement IPV6_MINHOPCOUNT support.

Useful to implement GTSM support in daemons such as bgpd(8). Diff from
2013 revived by renato@. Input from bluhm@, ok bluhm@ deraadt@

Add net.inet.{tcp,udp}.rootonly sysctl, to mark which ports
cannot be bound to by non-root users.

Ok millert@ bluhm@

Rename in_pcblookup() to in_pcblookup_local() and change its prototype
to get rid of the now useless foreign address and ports parameters.

ok mpi@

Move inp_laddr assignment after in_pcbpickport(), extend in_pcbpickport()
as needed.

Ok bluhm@

Merge in_pcbbind() and in6_pcbbind(), and change every call to
in6_pcbbind() into in_pcbbind().

Ok jca@ mpi@

Extract in_pcbaddrisavail() from in_pcbbind().

ok jca@

Extract in6_pcbaddrisavail() from in6_pcbbind(), and use it when
checking for source availability in udp6_output(); This time with
all the files.

Ok jca@ bluhm@

rm unused kernel only IPV6_RECVRTHDRDSTOPTS sockopt. ok deraadt sthen

Move port picking away from in_pcbbind()

ok sthen@

Ignore Router Advertisment's current hop limit.

Appart from the usual inet6 axe murdering exercise to keep you fit, this
allows us to get rid of a lot of layer violation due to the use of per-
ifp variables to store the current hop limit.

Imputs from bluhm@, ok phessler@, florian@, bluhm@

Remove inpt_lastport from struct inpcbtable, use local variables
in in_pcbbind() and in6_pcbsetport()

ok claudio@, with input from David Hill

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.

use siphash in the in_pcb hashing. this mitigates it against flooding
attacks.

this is a textbook use of siphash.

the idea of using siphash for this came from yasuoka-san, but i had
the time to do it. he also tested and tweaked this diff.

ok yasuoka@ mikeb@

Resize the pcb hashtable automatically. The table size will be doubled
when the number of the hash entries reaches 75% of the table size.

ok dlg henning, 'commit in' claudio

Invert the signature logic of in{,6}_selectsrc, make them return the
error code and pass the resulting source address back to the caller
through a pointer, as suggested by chrisz. This gives us more readable
code, and eases the deletion of useless checks in the callers' error path.
Add a bunch of "0 -> NULL" conversions, while here.
ok chrisz@ mpi@

Merge in_fixaddr() into in_selectsrc() in order to prepare for
IP_SENDSRCADDR support. This reduces the differences with the
IPv6 version and kill some comments that are no longer true.

ok jca@, chrisz@, mikeb@

factor out source and destination address mangling from in_pcbconnect()
for later reuse in udp_output().

"Apart from that OK" claudio@

Switch inpt_queue from CIRCLEQ to TAILQ. Thus ending use of CIRCLEQ
in the base. Ports fixes to follow shortly for the two ports (gkrellm
and net-snmp) affected.

ok zhuk@ millert@

Back when some NRL code was merged into KAME to create the *BSD IPV6
stack (factoid: by a bunch of people in my living room), some compatibility
#define's were created to shim incompatible inpcb access methods. There
was an understanding they would eventually be removed. Since they are
error prone, and 1999 is a long time ago, now they die.
ok mikeb claudio mpi

Put a large chunk of the IPv6 rdomain support in-tree.

Still some important missing pieces, and this is not yet enabled.

OK bluhm@

The function rip6_ctlinput() claims that sa6_src is constant to
allow the assingment of &sa6_any. But rip6_ctlinput() could not
guarantee that as it casted away the const attribute when it passes
the pointer to in6_pcbnotify(). Replace sockaddr with const
sockaddr_in6 in the in6_pcbnotify() parameters. This reduces the
number of casts. Also adjust in6_pcbhashlookup() to handle the
const attribute correctly.
Input and OK claudio@

Move an extern declaration into its corresponding header file.

Declare struct pf_state_key in the mbuf and in_pcb header files to
avoid ugly casts.
OK krw@ tedu@

tedu faith(4), suggested by todd@ some weeks ago after a submission by
dhill.

ok krw@, mikeb@, tedu@ (implicit)

Pass struct inpcb pointer to in_pcb...() functions instead of void
pointer. Allows stricter type checking. No functional change.
OK claudio@

Add the IP_DIVERTFL socket option on divert(4) sockets to control
which packets (as in direction) of the traffic will be diverted
through the divert socket.
ok claudio@, henning@

add IPV6_RECVDSTPORT socket option, which enables us to get original
(= before divert) destination port of a UDP packet. The way to use
this option is same as IP_RECVDSTPORT.

from UMEZAWA Takeshi
tweaks from jmc; ok henning bluhm

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage

Add IP_RECVRTABLE socket option to be used with a IPPROTO_IP
level that allows one to retrieve the original routing domain
of UDP datagrams diverted by the pf via "divert-to" with a
recvmsg(2).

ok claudio

add a new IP level socket option IP_PIPEX. This option is used for L2TP
support by pipex.
OK henning@, "Carry on" blambert@

Fix the naming of interfaces and variables for rdomains and rtables
and make it possible to bind sockets (including listening sockets!)
to rtables and not just rdomains. This changes the name of the
system calls, socket option, and ioctl. After building with this
you should remove the files /usr/share/man/cat2/[gs]etrdomain.0.

Since this removes the existing [gs]etrdomain() system calls, the
libc major is bumped.

Written by claudio@, criticized^Wcritiqued by me

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@

Initial support for routing domains. This allows to bind interfaces to
alternate routing table and separate them from other interfaces in distinct
routing tables. The same network can now be used in any doamin at the same
time without causing conflicts.
This diff is mostly mechanical and adds the necessary rdomain checks accross
net and netinet. L2 and IPv4 are mostly covered still missing pf and IPv6.
input and tested by jsg@, phessler@ and reyk@. "put it in" deraadt@

add X11 ports to default TCP baddynamic list

expand the net.inet.(tcp|udp).baddynamic dynamic source port
skipping bitmasks to cover the entire 65536 port space - previously
they covered 512-1024 only.

sysctl needs to be updated to cope with this change; please
"make includes" before rebuilding it.

feedback millert@ ok millert@ deraadt@ markus@

link pf state keys to tcp pcbs and vice versa.
when we first do a pcb lookup and we have a pointer to a pf state key
in the mbuf header, store the state key pointer in the pcb and a pointer
to the pcb we just found in the state key. when either the state key
or the pcb is removed, clear the pointers.
on subsequent packets inbound we can skip the pcb lookup and just use the
pointer from the state key.
on subsequent packets outbound we can skip the state key lookup and use
the pointer from the pcb.
about 8% speedup with 100 concurrent tcp sessions, should help much more
with more tcp sessions.
ok markus ryan

Deal with the situation when TCP nfs mounts timeout and processes
get hung in nfs_reconnect() because they do not have the proper
privilages to bind to a socket, by adding a struct proc * argument
to sobind() (and the *_usrreq() routines, and finally in{6}_pcbbind)
and do the sobind() with proc0 in nfs_connect.

OK markus@, blambert@.
"go ahead" deraadt@.

Fixes an issue reported by bernd@ (Tested by bernd@).
Fixes PR5135 too.

divert for ipv6; ok henning, pyr

IP_RECVDSTPORT, allows you to get the destination port of UDP datagrams
for pf(4) diverted packets; based on patch by Scot Loach; ok beck@

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@

Remove TCP ports 760 and 761 from DEFBADDYNAMICPORTS_TCP; they are
not used with Heimdal. Add UDP port 749 to DEFBADDYNAMICPORTS_UDP
for consistency with DEFBADDYNAMICPORTS_TCP. We retain some Kerberos
4 ports for people running Heimdal in Kerberos 4 compat mode.
OK deraadt@ beck@

switch IPv6 advanced API from RFC2292 to RFC3542 (2292 is superseded by 3542).
the kernel still handles RFC2292 set/getsockopts, so that compiled binary
has no trouble running. userland sees RFC3542 symbols only on header file
so new code has to use RFC3542 API.

bump libc shlib minor for function additions.

tested on i386/amd64 by jmc, i386 by brad. checked by deraadt.

implement IP_MINTTL socket option fo tcp sockets
This is for RFC3682 aka the TTL security hack - sender sets TTL to 255,
receiver checks no router on the way (or, no more than expected) reduced
the TTL. carp uses that technique already.
modeled after FreeBSD implementation.
ok claudio djm deraadt

implement IP_RECVTTL socket option.
when set on raw or udp sockets, userland receives the incoming packet's TTL
as ancillary data (cmsg shitz). modeled after the FreeBSD implementation.
ok claudio djm deraadt

udp port 664 is sometimes also stolen on the wire by ipmi/asf balony.
Did these vendors really really really not think? Absolute morons.

Put ASF/IPMI port 623 into the bad dynamic udp table, because otherwise
we will randomly choose that stupid port, which NIC's are sometimes
programmed to eat invisibly; sthen@bootes.spacehopper.org, pr5139

Make savecontrol functions more generic and use them now for raw IP too.
Additionally add the IP_RECVIF option which returns the interface a packet
was received on. OK markus@ norby@

in ansi c, bitfields must be done against int, unsigned int, or _Bool.
so we must start to use u_int; ok cloder

remove in_pcbnotify, it is no longer used.

support IPV6_USE_MIN_MTU (forgot to commit the file, sorry). noted by Anil

change in*_pcbnotify to return numbers of matches; ok itojun, mcbride, henning

Mbuf tag tcp and udp packets which are translated to localhost, and
use the the presence of this tag to reverse the match order in
in{6}_pcblookup_listen(). Some daemons (such as portmap) do a double
bind, binding to both * and localhost in order to differentiate local
from non-local connections, and potentially granting more privilege to
local ones. This change ensures that redirected connections to localhost
do not appear local to such a daemon.

Bulk of changes from dhartmei@, some changes markus@

ok dhartmei@ deraadt@

add in(6)_pcblookup_listen() and replace all calls to in_pcblookup()
with either in(6)_pcbhashlookup() or in(6)_pcblookup_listen();
in_pcblookup is now only used by bind(2); speeds up pcb lookup for
listening sockets; from Claudio Jeker

additional hash for local port; improves speed of implicit bind
from >1000K cpu cycles to 20-30K for 18000 sockets on i386;
test+feedback by Claudio Jeker; ok itojun@;
[make sure you rebuild netstat/systat, too]

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

pass struct proc * down to in6_pcbsetport

whitespace

sync with latest KAME in6_ifaddr/prefix/default router manipulation.
behavior changes:
- two iocts used by ndp(8) are now obsolete (backward compat provided).
use sysctl path instead.
- lo0 does not get ::1 automatically. it will get ::1 when lo0 comes up.

Keep an policy attached to each socket (that needs it), and cleanup as
needed on socket tear-down.

Final __P removal plus some cosmetic fixups

First round of __P removal in sys

branches: 1.38.4;
IPComp itself (include files). angelos@ ok.

IPsec-related socket options; these can be set/removed/retrieved, but
are not taken into consideration in anything just yet.

Inclusion protection.

Keep local authentication material on the PCB.

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.

pull in new pcb notification code from kame. better handling of scope address.

amove in6_{embed,recover}scope prototypes to in6_var.h (kernel only).
add in6_clearscope. sync better with kame

witch raw ip6 socket code from NRL to kame.
makes upgrades/code sharing much easier.

nuke inp_flags bits for controlling IPv4 mapped address.
we don't support IPv4 mapped address,
and there are inconsistent bit manipulation code so it's safer to nuke them.

verify payload of the icmp need fragment message at the tcp layer. okay itojun@

check if we have a tcb connected to the destination quoted in the icmp need
fragment message when doing path mtu discovery. okay angelos@

Path MTU discovery based on NetBSD but with the decision to use the DF
flag delayed to ip_output(). That halves the code and reduces most of
the route lookups. okay deraadt@

sync with KAME udp6_output(). udp output logic is very different between
IPv4/v6 so the separation should make more sense.

TODO: remove IPv6 case from udp_output()
TODO: remove/comment out/#if 0 IPv4 mapped address cases

allow link-local IPv6 addres in in6_pcbbind.

add TCP port 587 to default list of reserved ports not to allocate dynamically in order to reserve it for sendmail.

branches: 1.22.2;
fix include file path related to ip6.

Remove ifdef'ed out definitions.

synchronize inp_flags definition across kame/*bsd.
this would ease us implement future COMPAT_*BSD.

(sync with kame tree)

make it easier to synchronize INP_xx flags and IN6P_xx flags.

bring in KAME IPv6 code, dated 19991208.
replaces NRL IPv6 layer. reuses NRL pcb layer. no IPsec-on-v6 support.
see sys/netinet6/{TODO,IMPLEMENTATION} for more details.

GENERIC configuration should work fine as before. GENERIC.v6 works fine
as well, but you'll need KAME userland tools to play with IPv6 (will be
bringed into soon).

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.

Removed inclusion of netinet6/in6.h. This was an artifact of when the core
IPv6 symbols were there rather than in netinet/in.h, and now not only is
unnecessary but also could create problems (see PR library/781).

netinet merge of NRL stuff. some indent and shrinkage needed; NRL/cmetz

more IPV6 merge; cmetz

INET6 support

in_pcblookup() now takes ptr to both ip address arguments

rename baddynamic() to in_baddynamic(), and export it

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.

indent

Add DP_CLR() macro

Theo doesn't like extra kernel options, so don't allow
DEFBADDYNAMICPORTS_TCP and DEFBADDYNAMICPORTS_UDP to be
overridden from the kernel. It's not really too useful
since there is a nice sysctl interface for this stuff.

Allow DEFBADDYNAMICPORTS_TCP and DEFBADDYNAMICPORTS_UDP to be
overridden via kernel config file.

The list of tcp/udp ports not to allocate dynamically is now
a bitmask configurable via sysctl([38]). The default values
have not changed. If one wants to change the list it should
be done early on in /etc/rc.

Moved IPsec socket state to the PCB.

From FreeBSD (with slightly different sysctl names):

"... Allow the user to nominate one of three ranges of port numbers as
candidates for selecting a local address to replace a zero port number.
The ranges are selected via a setsockopt(s, IPPROTO_IP, IP_PORTRANGE, &arg)
call. The three ranges are: default, high (to bypass firewalls) and
low (to get a port below 1024).

The default and high port ranges are sysctl settable under sysctl
net.inet.ip.portrange.* [net.inet.ip.portfirst, net.inet.ip.portlast,
net.inet.ip.porthifirst, and net.inet.ip.porthilast currently in OpenBSD.]

This code also fixes a potential deadlock if the system accidently ran out
of local port addresses. It'd drop into an infinite while loop.

The secure port selection (for root) should reduce overheads and increase
reliability of rlogin/rlogind/rsh/rshd if they are modified to take
advantage of it."

From NetBSD: 960217 merge

branches: 1.1.1;
Initial revision

Delete unused inp_csumoffset define.

OK mvs@

Remove padding from union inpaddru.

Alignment of IPv4 address with lower part of IPv6 address looks
like a leftover from times when IPv6 compatible addresses should
contain IPv4 addreses. Better use a simple union for both IPv4 and
IPv6 addresses like everywhere else. Use this type also for common
zero address.

OK mvs@

Make local port which is bound during connect(2) unique per laddr.

in_pcbconnect() did not pass down the address it got from in_pcbselsrc()
to in_pcbpickport(). As a consequence local port numbers selected
during connect(2) were globally unique although they belong to
different addresses. This strict uniqueness is not necessary and
wastes usable ports for outgoing connections.

To solve this, pass ina from in_pcbconnect() to in_pcbbind_locked().
This does not interfere how wildcard sockets are matched with
specific sockets during bind(2). It only allows non-wildcard sockets
to share a local port during connect(2).

OK mvs@ deraadt@

Merge struct route and struct route_in6.

Use a common struct route for both inet and inet6. Unfortunately
struct sockaddr is shorter than sockaddr_in6, so netinet/in.h has
to be exposed from net/route.h. Struct route has to be bsd visible
for userland as netstat kvm code inspects inp_route. Internet PCB
and TCP SYN cache can use a plain struct route now. All specific
sockaddr types for inet and inet6 are embeded there.

OK claudio@

Remove include netinet6/ip6_var.h from netinet/in_pcb.h.

OK mvs@

Split in_pcbrtentry() and in6_pcbrtentry() based on INP_IPV6.

Splitting the IPv6 code into a separate function results in less
#ifdef INET6. Also struct route_in6 *ro in in6_pcbrtentry() is of
the correct type and in_pcbrtentry() does not rely on the fact that
inp_route and inp_route6 are pointers to the same union.

OK kn@ claudio@

Use more specific sockaddr type for inpcb notify.

in_pcbnotifyall() is an IPv4 only function. All callers check that
sockaddr dst is in fact a sockaddr_in. Pass the more spcific type
and remove the runtime check at beginning of in_pcbnotifyall().
Use const sockaddr_in in in_pcbnotifyall() and const sockaddr_in6
in6_pcbnotify() as dst parameter.

OK millert@

Convert some struct inpcb parameter to const pointer.

OK millert@

Run connect(2) in parallel within inet doamin.

This unlocks soconnect() for UDP, rip, rip6 and divert. It takes
shared net lock in combination with per socket lock. TCP and GRE
still use exclusive net lock when connecting.

OK mvs@

Protect link between pf and inp with mutex.

Introduce global mutex to protect the pointers between pf state key
and internet PCB. Then in_pcbdisconnect() and in_pcbdetach() do
not need exclusive netlock anymore. Use a bunch of read once
unlocked access to reduce performance impact.

OK sashan@

Run bind(2) system call in parallel.

For protocols that care about locking, use the shared net lock to
call sobind(). Use the per socket rwlock together with shared net
lock. This affects protocols UDP, raw IP, and divert. Move the
inpcb mutex locking into soreceive(), it is only used there. Add
a comment to describe the current inmplementation of inpcb locking.

OK mvs@ sashan@

Use inpcb table mutex to set addresses.

Protect all remaining write access to inp_faddr and inp_laddr with
inpcb table mutex. Document inpcb locking for foreign and local
address and port and routing table id. Reading will be made MP
safe by adding per socket rw-locks in a next step.

OK sashan@ mvs@

Inpcb table mutex protects addr and port during bind(2) and connect(2).

in_pcbbind(), in_pcbconnect(), and in6_pcbconnect() have to set
addresses and ports within the same critical section as the inpcb
hash table calculation. Also lookup and address selection have to
be protected to avoid bindings and connections that are not unique.

For that in_pcbpickport() and in_pcbbind_locked() expect that the
table mutex is already taken. The functions in_pcblookup_lock(),
in_pcblookup_local_lock(), and in_pcbaddrisavail_lock() grab the
mutex iff the lock parameter is IN_PCBLOCK_GRAB. Otherwise the
parameter is IN_PCBLOCK_HOLD has the lock has to be taken already.
Note that in_pcblookup_lock() and in_pcblookup_local() return an
inp with increased reference iff they take and release the lock.
Otherwise the caller protects the life time of the inp.

This gives enough flexibility that in_pcbbind() and in_pcbconnect()
can hold the table mutex when they need it. The public inpcb API
does not change.

OK sashan@ mvs@

Use INP_IPV6 flag instead of sotopf().

During initialization in_pcballoc() sets INP_IPV6 once to avoid
reaching through inp_socket->so_proto->pr_domain->dom_family. Use
this flag consistently.

OK sashan@ mvs@

Set inp address, port and rtable together with inpcb hash.

The inpcb hash table is protected by table->inpt_mtx. The hash is
based on addresses, ports, and routing table. These fields were
not sychronized with the hash. Put writes and hash update into the
same critical section.
Move the updates from ip_ctloutput(), ip6_ctloutput(), syn_cache_get(),
tcp_connect(), udp_disconnect() to dedicated inpcb set functions.
There they use the same table mutex as in_pcbrehash().
in_pcbbind(), in_pcbconnect(), and in6_pcbconnect() need more work
and are not included yet.

OK sashan@ mvs@

Document inp_socket as immutable and remove NULL checks.

Struct inpcb field inp_socket is initialized in in_pcballoc(). It
is not NULL and never changed.

OK mvs@

Remove struct inpcb from in6_embedscope() parameters.

rip6_output() did modify inp_outputopts6 temporarily to provide
different ip6_pktopts to in6_embedscope(). Better pass inp_outputopts6
and inp_moptions6 as separate arguments to in6_embedscope().
Simplify the code that deals with these options in in6_embedscope().
Doucument inp_moptions and inp_moptions6 as protected by net lock.

OK kn@

Remove inp parameter from ip_output().

ip_output() received inp as parameter. This is only used to lookup
the IPsec level of the socket. Reasoning about MP locking is much
easier if only relevant data is passed around. Convert ip_output()
to receive constant inp_seclevel as argument and mark it as protected
by net lock.

OK mvs@

Declare global variable zeroin46_addr as const.

OK mvs@ jca@

Calculate inet PCB SIP hash without table mutex.

Goal is to run UDP input in parallel. Btrace kstack analysis shows
that SIP hash for PCB lookup is quite expensive. When running in
parallel, there is also lock contention on the PCB table mutex.

It results in better performance to calculate the hash value before
taking the mutex. The hash secret has to be constant as hash
calculation must not depend on values protected by the table mutex.
Do not reseed anymore when hash table gets resized.

Analysis also shows that asserting a rw_lock while holding a mutex
is a bit expensive. Just remove the netlock assert.

OK dlg@ mvs@

System calls should not fail due to temporary memory shortage in
malloc(9) or pool_get(9).
Pass down a wait flag to pru_attach(). During syscall socket(2)
it is ok to wait, this logic was missing for internet pcb. Pfkey
and route sockets were already waiting.
sonewconn() must not wait when called during TCP 3-way handshake.
This logic has been preserved. Unix domain stream socket connect(2)
can wait until the other side has created the socket to accept.
OK mvs@

Move PRU_PEERADDR request to (*pru_peeraddr)().

Introduce in{,6}_peeraddr() and use them for inet and inet6 sockets,
except tcp(4) case.

Also remove *_usrreq() handlers.

ok bluhm@

Move PRU_SOCKADDR request to (*pru_sockaddr)()

Introduce in{,6}_sockaddr() functions, and use them for all except tcp(4)
inet sockets. For tcp(4) sockets use tcp_sockaddr() to keep debug ability.

The key management and route domain sockets returns EINVAL error for
PRU_SOCKADDR request, so keep this behaviour for a while instead of make
pru_sockaddr handler optional and return EOPNOTSUPP.

ok bluhm@

Refactor internet PCB lookup function. Rename in_pcbhashlookup()
so the public API is in_pcblookup() and in_pcblookup_listen(). For
internal use introduce in_pcbhash_insert() and in_pcbhash_lookup()
to avoid code duplication. Routing domain is unsigned, change the
type to u_int.
OK mvs@

Use rwlock per inpcb table to protect notify list. The notify
function may sleep, so holding a mutex is not possible. The same
list entry and rwlock is used for UDP multicast and raw IP delivery.
By adding a write lock, exclusive netlock is no longer necessary
for PCB notify and UDP and raw IP input.
OK mvs@

Introduce a mutex per inpcb to serialize access to socket receive
buffer. Later it may be used to protect more of the PCB or socket.
In divert input replace the kernel lock with this mutex.
OK mvs@

have in_pcbselsrc copy the selected address to memory provided by the caller.

having it return a pointer to something that has a lifetime managed
by a lock without accounting for it or taking a reference count or
anything like that is asking for trouble. copying the address to
caller provded memory while still inside the lock is a lot safer.

discussed with visa@
ok bluhm@ claudio@

For multicast and broadcast packets udp_input() traverses the loop
of all UDP PCBs. From there it calls udp_sbappend() while holding
the UDP table mutex. This ends in sorwakeup() where we finally
grab the kernel lock while holding a mutex. Witness detects this
misuse.
Use the same solution as for PCB notify. Collect the affected PCBs
in a temporary list. The list is protected by exclusive net lock.
Reported-by: syzbot+7596cb96fb9f3c9d6f4f@syzkaller.appspotmail.com
OK sashan@

Header netinet/in_pcb.h includes sys/mutex.h now. Recommit mutex
for PCB tables. It does not break userland build anymore.

pf_socket_lookup() calls in_pcbhashlookup() in the PCB layer. To
run pf in parallel, make parts of the stack MP safe. Protect the
list and hashes in the PCB tables with a mutex.
Note that the protocol notify functions may call pf via tcp_output().
As the pf lock is a sleeping rw_lock, we must not hold a mutex. To
solve this for now, collect these PCBs in inp_notify list and protect
it with exclusive netlock.
OK sashan@

Include sys/mutex.h from netinet/in_pcb.h. Struct mutex will be
needed to make inpcb in kernel MP safe. To build sysctl and libkvm
based programs, we have to export it to userland.
OK claudio@

Unbreak the tree, revert commitid aZ8fm4iaUnTCc0ul

This reverts the commit protecting the list and hashes in the PCB tables
with a mutex since the build of sysctl(8) breaks, as found by kettenis.

ok sthen

pf_socket_lookup() calls in_pcbhashlookup() in the PCB layer. To
run pf in parallel, make parts of the stack MP safe. Protect the
list and hashes in the PCB tables with a mutex.
Note that the protocol notify functions may call pf via tcp_output().
As the pf lock is a sleeping rw_lock, we must not hold a mutex. To
solve this for now, collect these PCBs in inp_notify list and protect
it with exclusive netlock.
OK sashan@

The return value of in6_pcbnotify() is never used. Make it a void
function.
OK gnezdo@ mvs@ florian@ sashan@

Shifting signed integers left by 31 is undefined behavior in C.
found by kubsan; joint work with tobhe@; OK miod@

if stoeplitz is enabled, use it to provide a flowid for tcp packets.

drivers that implement rss and multiple rings depend on the symmetric
toeplitz code, and use it to generate a key that decides with rx
ring a packet lands on. if the toeplitz code is enabled, this diff
has the pcb and tcp layer use the toeplitz code to generate a flowid
for packets they send, which in turn is used to pick a tx ring.
because the nic and the stack use the same key, the tx and rx sides
end up with the same hash/flowid. at the very least this means that
the same rx and tx queue pair on a particular nic are used for both
sides of the connection. as the stack becomes more parallel, it
will also help keep both sides of the tcp connection processing in
the one place.

knf: the inp_upcall line was too long.

add a inp_upcall function pointer and inp_upcall_arg to struct in_pcb.

this is so protocols (eg, udp) can let things (eg, kernel support
for wireguard or vxlan or geneve) look at and possibly steal packets
before they get added to a socket buffer.

i wrote the original version of this, but it was tweaked by Matt
Dunwoodie and Jason A. Donenfeld for use with wireguard.

Add DoT 853 to DEFBADDYNAMICPORTS_TCP. This port will be increasingly
unfiltered in the future, so this prevents rresvport_af(3) from randomly
exposing a service intended for local visibility only.
ok florian

in6_setsockaddr and in6_setpeeraddr can't fail, so let them return void.

this also brings them in line with the AF_INET equivalents.

ok visa@ bluhm@

Initialize struct inpcb pool not on demand, but during initialization.
Removes a global variable and avoids MP problems.
OK mpi@ visa@

Revert the inpcb table mutex commit. It triggers a witness panic
in raw IP delivery and UDP broadcast loops. There inpcbtable_mtx
is held and sorwakeup() is called within the loop. As sowakeup()
grabs the kernel lock, we have a lock ordering problem.
found by Hrvoje Popovski; OK deraadt@ mpi@

As a step towards per inpcb or socket locks, remove the net lock
for netstat -a. Introduce a global mutex that protects the tables
and hashes for the internet PCBs. To detect detached PCB, set its
inp_socket field to NULL. This has to be protected by a per PCB
mutex. The protocol pointer has to be protected by the mutex as
netstat uses it.
Always take the kernel lock in in_pcbnotifyall() and in6_pcbnotify()
before the table mutex to avoid lock ordering problems in the notify
functions.
OK visa@

In general it is a bad idea to use one random secret for two things.
The inet PCB uses one hash with local and foreign addresses, and
one with local port numbers. Give both hashes separate keys. Also
document the struct fields.
OK visa@

unbreak userland uses of in_pcb.h by including sys/refcnt.h
ok visa@

Add reference counting for inet pcb, this will be needed when we
start locking the socket. An inp can be referenced by the PCB queue
and hashes, by a pf mbuf header, or by a pf state key.
OK visa@

Make the distribution of in_ and in6_ functions in in_pcb.c and
in6_pcb.c consistent, to ease comparing the code. Move all inet6
functions to in6_. Bring functions in both source files in same
order. Cleanup the include section. Now in_pcb.c is a superset
of in6_pcb.c. The latter contains all the special implementations.
Just moving arround, no code change intended.
OK mpi@

Rename the incpb table field inpt_hash to inpt_mask as it contains
the hashmask. For the resize calculations it is clearer to use the
field inpt_size.
OK visa@ mpi@

Move the declarations of the raw ip and ip6 pcb tables into the
in_pcb.h header file.
OK mpi@ visa@

Store the allocation size in inpcbhead for free().

OK visa@

Simplify the reverse PCB lookup logic. The PF_TAG_TRANSLATE_LOCALHOST
security check prevents that the user accidentally configures
redirect where a divert-to would be appropriate. Instead of spreading
the logic into tcp and udp input, check the flag during PCB listen
lookup. This also reduces parameters of in_pcblookup_listen().
OK visa@

Kill the divert-packet socket option IP_DIVERTFL to filter packets.
It used a loop over the global list divbtable that would be hard
to make MP safe. The port net/dnsfilter does not work without this,
it should be converted to divert-to. Neither other ports nor base
use this filter feature.
ports checked by sthen@; OK mpi@ benno@

Reserve the BFD destination ports in baddynamic

OK claudio@, henning@

Commit in6_selectsrc() split again, with missing assignment fixed.

Revert in_selectsrc() refactoring, it breaks IPv6.

Reported by Heiko on bugs@.

ok stsp@, claudio@

Split in6_selectsrc() into a low-level part and a pcb-level part, and
convert in_selectsrc() prototype to match.

Ok bluhm@ mpi@.

Implement IPV6_MINHOPCOUNT support.

Useful to implement GTSM support in daemons such as bgpd(8). Diff from
2013 revived by renato@. Input from bluhm@, ok bluhm@ deraadt@

Add net.inet.{tcp,udp}.rootonly sysctl, to mark which ports
cannot be bound to by non-root users.

Ok millert@ bluhm@

Rename in_pcblookup() to in_pcblookup_local() and change its prototype
to get rid of the now useless foreign address and ports parameters.

ok mpi@

Move inp_laddr assignment after in_pcbpickport(), extend in_pcbpickport()
as needed.

Ok bluhm@

Merge in_pcbbind() and in6_pcbbind(), and change every call to
in6_pcbbind() into in_pcbbind().

Ok jca@ mpi@

Extract in_pcbaddrisavail() from in_pcbbind().

ok jca@

Extract in6_pcbaddrisavail() from in6_pcbbind(), and use it when
checking for source availability in udp6_output(); This time with
all the files.

Ok jca@ bluhm@

rm unused kernel only IPV6_RECVRTHDRDSTOPTS sockopt. ok deraadt sthen

Move port picking away from in_pcbbind()

ok sthen@

Ignore Router Advertisment's current hop limit.

Appart from the usual inet6 axe murdering exercise to keep you fit, this
allows us to get rid of a lot of layer violation due to the use of per-
ifp variables to store the current hop limit.

Imputs from bluhm@, ok phessler@, florian@, bluhm@

Remove inpt_lastport from struct inpcbtable, use local variables
in in_pcbbind() and in6_pcbsetport()

ok claudio@, with input from David Hill

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.

use siphash in the in_pcb hashing. this mitigates it against flooding
attacks.

this is a textbook use of siphash.

the idea of using siphash for this came from yasuoka-san, but i had
the time to do it. he also tested and tweaked this diff.

ok yasuoka@ mikeb@

Resize the pcb hashtable automatically. The table size will be doubled
when the number of the hash entries reaches 75% of the table size.

ok dlg henning, 'commit in' claudio

Invert the signature logic of in{,6}_selectsrc, make them return the
error code and pass the resulting source address back to the caller
through a pointer, as suggested by chrisz. This gives us more readable
code, and eases the deletion of useless checks in the callers' error path.
Add a bunch of "0 -> NULL" conversions, while here.
ok chrisz@ mpi@

Merge in_fixaddr() into in_selectsrc() in order to prepare for
IP_SENDSRCADDR support. This reduces the differences with the
IPv6 version and kill some comments that are no longer true.

ok jca@, chrisz@, mikeb@

factor out source and destination address mangling from in_pcbconnect()
for later reuse in udp_output().

"Apart from that OK" claudio@

Switch inpt_queue from CIRCLEQ to TAILQ. Thus ending use of CIRCLEQ
in the base. Ports fixes to follow shortly for the two ports (gkrellm
and net-snmp) affected.

ok zhuk@ millert@

Back when some NRL code was merged into KAME to create the *BSD IPV6
stack (factoid: by a bunch of people in my living room), some compatibility
#define's were created to shim incompatible inpcb access methods. There
was an understanding they would eventually be removed. Since they are
error prone, and 1999 is a long time ago, now they die.
ok mikeb claudio mpi

Put a large chunk of the IPv6 rdomain support in-tree.

Still some important missing pieces, and this is not yet enabled.

OK bluhm@

The function rip6_ctlinput() claims that sa6_src is constant to
allow the assingment of &sa6_any. But rip6_ctlinput() could not
guarantee that as it casted away the const attribute when it passes
the pointer to in6_pcbnotify(). Replace sockaddr with const
sockaddr_in6 in the in6_pcbnotify() parameters. This reduces the
number of casts. Also adjust in6_pcbhashlookup() to handle the
const attribute correctly.
Input and OK claudio@

Move an extern declaration into its corresponding header file.

Declare struct pf_state_key in the mbuf and in_pcb header files to
avoid ugly casts.
OK krw@ tedu@

tedu faith(4), suggested by todd@ some weeks ago after a submission by
dhill.

ok krw@, mikeb@, tedu@ (implicit)