Additional length check for IPv6 reassembled fragments.

FreeBSD-SA-23:06.ipv6 security advisory has added an additional
overflow check in frag6_input(). OpenBSD is not affected by that
as the bug was introduced by another change in 2019. The existing
code is complicated and NetBSD has taken the FreeBSD fix, although
they were also not affected.

The additional check makes the complicated code more robust. Length
calculation taken from NetBSD. Discussed with FreeBSD.

OK sashan@ mvs@

Delete unnecessary #includes of <sys/domain.h> and/or <sys/protosw.h>

net/if_pppx.c pointed out by jsg@
ok gnezdo@ deraadt@ jsg@ mpi@ millert@

Do not use the flow of the first fragment to store ECN information.
Handle the ECN in the fragment queue.
Reported-by: syzbot+0aa80b25e9041001cac8@syzkaller.appspotmail.com
fix from FreeBSD; OK claudio@

branches: 1.85.2; 1.85.4;
Instead of calculating the mbuf packet header length here and there,
put the algorithm into a new function m_calchdrlen(). Also set an
uninitialized m_len to 0 in NFS code.
OK claudio@

During fragment reassembly, mbuf chains with packet headers were
created. Add a new function m_removehdr() do convert packet header
mbufs within the chain to regular mbufs. Assert that the mbuf at
the beginning of the chain has a packet header.
found by Maxime Villard in NetBSD; from markus@; OK claudio@

frag6_slowtimo: push NET_LOCK into frag6_freef around icmp6_error.

icmp6_error() still probably needs the NET_LOCK, as the call chain
icmp6_error -> icmp6_reflect -> rt_match -> rt_clone -> rtrequest
is possible.

The fragment discard loop in frag6_slowtimo and the other
cleanup bits in frag6_freef do not require it however. So
push the lock down into frag6_freef around icmp6_error.

Prompted by mpi. Discussed with bluhm and kn. Regress test help
by bluhm. Additional testing by kn.

ok kn@ visa@ mpi@

The function ip6_get_prevhdr() did return a pointer into a mbuf.
It was not guaranteed that the mbuf data was not somewhere else in
the chain. So return an offset and do a proper mbuf pulldown.
found by Maxime Villard; from NetBSD; with markus@; OK deraadt@

Put the net lock around frag6_freef() as it sends ICMP6 error
messages. Splassert was triggered by regress/sys/netinet6/frag6.
OK mpi@ sashan@ visa@

Remove 18 year old #if 0.

ok visa@, benno@

Serialize access to the IPv6 reassembly queue with a mutex.
This lets the code run without KERNEL_LOCK() and NET_LOCK().

In addition, this patch reorganizes a part of the code, to move
some of the memory release operations outside the critical section.

Input and OK mpi@, OK florian@, an earlier version OK bluhm@

Finish off pr_drain functions, they haven't been used since 2006.
OK mpi

Move NET_{,UN}LOCK into individual slowtimo functions.

Direction suggested by mpi

OK mpi, visa

Allocate IPv6 reassembly structs using pools instead of malloc(),
and drop the now redundant allocation type M_FTABLE.

OK mikeb@, bluhm@, mpi@

Replace macro `IP6_REASS_MBUF' with direct use of field `ip6af_m'.

OK bluhm@, mpi@

branches: 1.74.4;
Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@

branches: 1.72.4;
Use percpu counters for ip6stat

Try to follow the existing examples. Some notes:
- don't implement counters_dec() yet, which could be used in two
similar chunks of code. Let's see if there are more users first.
- stop incrementing IPv6-specific mbuf stats, IPv4 has no equivalent.

Input from mpi@, ok bluhm@ mpi@

Assert that every slow/fast timeout routine is called at IPL_SOFTNET.

This removes multipe recursive splsoftnet()/splx() dances.

When the IPv6 network stack receives an empty non atomic fragment,
just drop it. It can never overlap existing content, there is no
ambiguous payload. So save resources and do not try to insert it
into the queue. This makes our IPv6 stack behave like pf fragment
reassembly.
OK deraadt@

Kill ip6_forward_rt reducing differences between v4 and v6.

A single forwarding cache is not the answer. The answer is 42... err PF!

ok bluhm@

Sizes for free(9) from David Hill.

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@

rewrite if to be more clear. ok bluhm stsp

Kill dead code missed in per-ifp counter removal.

ok millert@, bluhm@

Remove superfluous NULL checks.

ifa are refcounted to ensure that rt_ifa is always valid.

Kill in6_ifstat_inc() and associated per-ifp storage.

The SIOCGIFSTAT_IN6 is no longer supported.

ok mikeb@, claudio@, dlg@

Kill some commented out in6_ifstat_inc().

unifdef IN6_IFSTAT_STRICT.

ok deraadt@, millert@

Store a unique ID, an interface index, rather than a pointer to the
receiving interface in the packet header of every mbuf.

The interface pointer should now be retrieved when necessary with
if_get(). If a NULL pointer is returned by if_get(), the interface
has probably been destroy/removed and the mbuf should be freed.

Such mechanism will simplify garbage collection of mbufs and limit
problems with dangling ifp pointers.

Tested by jmatthew@ and krw@, discussed with many.

ok mikeb@, bluhm@, dlg@

Do not use a "struct route" when a "struct rtentry" is enough.

ok millert@, bluhm@

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg

Use rtfree() instead of RTFREE(), NULLify some free'd route pointers and
kill the macro.

ok mikeb@, henning@

Kill rtalloc() and update rtalloc1() and rtalloc_mpath() to no longer
rely on "struct route" that should die.

ok claudio@

Fewer <netinet/in_systm.h> !

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@

Put a large chunk of the IPv6 rdomain support in-tree.

Still some important missing pieces, and this is not yet enabled.

OK bluhm@

The header file netinet/in_var.h included netinet6/in6_var.h. This
created a bunch of useless dependencies. Remove this implicit
inclusion and do an explicit #include <netinet6/in6_var.h> when it
is needed.
OK mpi@ henning@

Sync comment with reality, the draft is now an RFC and OpenBSD follows
it since bluhm@ implemented it in 2012.

From Loganaden Velvindron, ok claudio@

Replace all ovbcopy with memmove; swap the src and dst arguments too
ok otto

Remove a bunch of sockaddr_in6 pointer casts and replace others
with sin6tosa() or satosin6() inline functions. This allows the
compiler to check the types more strictly.
OK mpi@

simple replacement of LIST_END with NULL. ok mpi

Replace the cast to struct in6_ifaddr pointer with the ifatoia6() macro.
No binary change.
OK claudio@

change the malloc(9) flags from M_DONTWAIT to M_NOWAIT; OK millert@

Add a short cut for atomic IPv6 fragments. They will be processed
immediately and not go through the fragment queue.
See draft-gont-6man-ipv6-atomic-fragments-00.txt.
tested and ok sperreault@

Do not keep state when dropping overlapping IPv6 fragments in pf
and IPv6 stack.
ok sperreault@

Implement RFC 5722 and drop all IPv6 fragments that belong to a
packet with overlapping fragments.
ok henning@

Flush the cached IPv6 forward route every 500 ms. This prevents
wrong checks for local addresses and wrong packet forwarding in
environments with only one communication partner and changing
addresses or routes. Remove the #if 0 around the existing code to
make IPv6 behave like IPv4.
ok henning@

Remove the IPv6 fragment overlapping length adjustment code. It
was already #if 0 and will never come back. Remove unused fragment
struct fields and sort the others.
ok henning@

Replace the hand-crafted queue for IPv6 fragments with LIST.
ok henning@

Remove dead code from #if 0: we do not have an ipsrcchk_rt anywhere else.
from FreeBSD; ok henning@

Replace the hand-crafted queue for fragmented IPv6 packets with TAILQ.
ok henning@

Fix potential null dereference.

Found by LLVM/Clang Static Analyzer.

ok claudio@ henning@

Kill redundant offsetof definitions; ok deraadt henning sthen thib

Extract the new function frag6_deletefraghdr() from frag6_input()
to make it reusable by pf. No functional change.
ok henning@, claudio@

In frag6_input() there was an mbuf length calculation error. If
you want to move "offset" bytes forward by "sizeof(struct ip6_frag)"
bytes within an mbuf, you must have at least "offset + sizeof(struct
ip6_frag)" bytes space in that mbuf.
Fix from KAME, FreeBSD also has it.
ok claudio@ markus@

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning

Destatic and ansify.

ok claudio@ naddy@

- obvious typo in comment, from holger mikolon

When accessing cached routes make sure the route is actually still valid.
Before accessing a ro_rt make sure the route is either freshly allocated or
RTF_UP is set. If not ro_rt should be freed and reallocated or at least no
info from the ro_rt should be considered valid.
This seems to solve the crashes seen by Felipe Alfaro Solana.
some sort of OK dlg@

ANSIfy to sync with KAME. From Karl Sjodahl <dunceor@gmail.com>.

ok todd deraadt naddy bluhm

take advantage of M_ZERO

ok claudio gilles

framgent -> fragment

Add support for equal-cost multipath IP.

To minimise path disruptions, this implements recommendations made in RFC2992 -
the hash-threshold mechanism to select paths based on source/destination IP
address pairs, and inserts multipath routes in the middle of the route table.

To enable multipath distribution, use:
sysctl net.inet.ip.multipath=1
and/or:
sysctl net.inet6.ip6.multipath=1

testing norby@
ok claudio@ henning@ hshoexer@

splimp -> splvm. mbuf allocation here.

ok henning@

use random number generator to generate IPv6 fragment ID/flowlabel.
cleanup IPv6 flowlabel handling. deraadt ok

make PULLDOWN_TEST codepath the default (has been default for a long time).
markus ok

fix pointer signedness mixup. sync w/kame

KNF - return is not a function. sync w/kame

splnet -> splsoftnet where appropriate

limit number of IPv6 fragments (not the fragment queue size) to
fight against lots-of-frags DoS attacks. sync w/kame

kill __P

bring in ECN support from KAME.
it consists of
- ECN support in TCP
- tunnel-egress and fragment reassembly rules in layer-3 not to lose
congestion info at tunnel-egress and fragment reassembly

to enable ECN in TCP, build a kernel with TCP_ECN, and then,
turn it on by "sysctl -w net.inet.tcp.ecn=1".

ok deraadt@

have a real lock around IPv6 reassembly.

First round of __P removal in sys

branches: 1.11.4;
No need for net/net_osdep.h

fix memory leak on ipv6 reass failure. sync with kame

correct behavior when ip6 reass queue reaches the upper limit.

set frag6_doing_reass while doing reass, to help frag6_drain.

sync whitespace/comment with kame. to help merge tasks

branches: 1.6.2;
fix include file path related to ip6.

make IPv6 reass work on alpha. NetBSD PR 9340.

pull in arc4random() prototype

use arc4random() instead of random for two reasons.
1) on some architectures, random() should only be used by the scheduler
(ie. statintr() because it is uniformly distributed
2) arc4random() is actually strong, random() is not at all

Remove remaining unnecessary ifdefs (itojun will hate me for this :-)

bring in KAME IPv6 code, dated 19991208.
replaces NRL IPv6 layer. reuses NRL pcb layer. no IPsec-on-v6 support.
see sys/netinet6/{TODO,IMPLEMENTATION} for more details.

GENERIC configuration should work fine as before. GENERIC.v6 works fine
as well, but you'll need KAME userland tools to play with IPv6 (will be
bringed into soon).

Delete unnecessary #includes of <sys/domain.h> and/or <sys/protosw.h>

net/if_pppx.c pointed out by jsg@
ok gnezdo@ deraadt@ jsg@ mpi@ millert@

Do not use the flow of the first fragment to store ECN information.
Handle the ECN in the fragment queue.
Reported-by: syzbot+0aa80b25e9041001cac8@syzkaller.appspotmail.com
fix from FreeBSD; OK claudio@

branches: 1.85.2; 1.85.4;
Instead of calculating the mbuf packet header length here and there,
put the algorithm into a new function m_calchdrlen(). Also set an
uninitialized m_len to 0 in NFS code.
OK claudio@

During fragment reassembly, mbuf chains with packet headers were
created. Add a new function m_removehdr() do convert packet header
mbufs within the chain to regular mbufs. Assert that the mbuf at
the beginning of the chain has a packet header.
found by Maxime Villard in NetBSD; from markus@; OK claudio@

frag6_slowtimo: push NET_LOCK into frag6_freef around icmp6_error.

icmp6_error() still probably needs the NET_LOCK, as the call chain
icmp6_error -> icmp6_reflect -> rt_match -> rt_clone -> rtrequest
is possible.

The fragment discard loop in frag6_slowtimo and the other
cleanup bits in frag6_freef do not require it however. So
push the lock down into frag6_freef around icmp6_error.

Prompted by mpi. Discussed with bluhm and kn. Regress test help
by bluhm. Additional testing by kn.

ok kn@ visa@ mpi@

The function ip6_get_prevhdr() did return a pointer into a mbuf.
It was not guaranteed that the mbuf data was not somewhere else in
the chain. So return an offset and do a proper mbuf pulldown.
found by Maxime Villard; from NetBSD; with markus@; OK deraadt@

Put the net lock around frag6_freef() as it sends ICMP6 error
messages. Splassert was triggered by regress/sys/netinet6/frag6.
OK mpi@ sashan@ visa@

Remove 18 year old #if 0.

ok visa@, benno@

Serialize access to the IPv6 reassembly queue with a mutex.
This lets the code run without KERNEL_LOCK() and NET_LOCK().

In addition, this patch reorganizes a part of the code, to move
some of the memory release operations outside the critical section.

Input and OK mpi@, OK florian@, an earlier version OK bluhm@

Finish off pr_drain functions, they haven't been used since 2006.
OK mpi

Move NET_{,UN}LOCK into individual slowtimo functions.

Direction suggested by mpi

OK mpi, visa

Allocate IPv6 reassembly structs using pools instead of malloc(),
and drop the now redundant allocation type M_FTABLE.

OK mikeb@, bluhm@, mpi@

Replace macro `IP6_REASS_MBUF' with direct use of field `ip6af_m'.

OK bluhm@, mpi@

branches: 1.74.4;
Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@

branches: 1.72.4;
Use percpu counters for ip6stat

Try to follow the existing examples. Some notes:
- don't implement counters_dec() yet, which could be used in two
similar chunks of code. Let's see if there are more users first.
- stop incrementing IPv6-specific mbuf stats, IPv4 has no equivalent.

Input from mpi@, ok bluhm@ mpi@

Assert that every slow/fast timeout routine is called at IPL_SOFTNET.

This removes multipe recursive splsoftnet()/splx() dances.

When the IPv6 network stack receives an empty non atomic fragment,
just drop it. It can never overlap existing content, there is no
ambiguous payload. So save resources and do not try to insert it
into the queue. This makes our IPv6 stack behave like pf fragment
reassembly.
OK deraadt@

Kill ip6_forward_rt reducing differences between v4 and v6.

A single forwarding cache is not the answer. The answer is 42... err PF!

ok bluhm@

Sizes for free(9) from David Hill.

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@

rewrite if to be more clear. ok bluhm stsp

Kill dead code missed in per-ifp counter removal.

ok millert@, bluhm@

Remove superfluous NULL checks.

ifa are refcounted to ensure that rt_ifa is always valid.

Kill in6_ifstat_inc() and associated per-ifp storage.

The SIOCGIFSTAT_IN6 is no longer supported.

ok mikeb@, claudio@, dlg@

Kill some commented out in6_ifstat_inc().

unifdef IN6_IFSTAT_STRICT.

ok deraadt@, millert@

Store a unique ID, an interface index, rather than a pointer to the
receiving interface in the packet header of every mbuf.

The interface pointer should now be retrieved when necessary with
if_get(). If a NULL pointer is returned by if_get(), the interface
has probably been destroy/removed and the mbuf should be freed.

Such mechanism will simplify garbage collection of mbufs and limit
problems with dangling ifp pointers.

Tested by jmatthew@ and krw@, discussed with many.

ok mikeb@, bluhm@, dlg@

Do not use a "struct route" when a "struct rtentry" is enough.

ok millert@, bluhm@

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg

Use rtfree() instead of RTFREE(), NULLify some free'd route pointers and
kill the macro.

ok mikeb@, henning@

Kill rtalloc() and update rtalloc1() and rtalloc_mpath() to no longer
rely on "struct route" that should die.

ok claudio@

Fewer <netinet/in_systm.h> !

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@

Put a large chunk of the IPv6 rdomain support in-tree.

Still some important missing pieces, and this is not yet enabled.

OK bluhm@

The header file netinet/in_var.h included netinet6/in6_var.h. This
created a bunch of useless dependencies. Remove this implicit
inclusion and do an explicit #include <netinet6/in6_var.h> when it
is needed.
OK mpi@ henning@

Sync comment with reality, the draft is now an RFC and OpenBSD follows
it since bluhm@ implemented it in 2012.

From Loganaden Velvindron, ok claudio@

Replace all ovbcopy with memmove; swap the src and dst arguments too
ok otto

Remove a bunch of sockaddr_in6 pointer casts and replace others
with sin6tosa() or satosin6() inline functions. This allows the
compiler to check the types more strictly.
OK mpi@

simple replacement of LIST_END with NULL. ok mpi

Replace the cast to struct in6_ifaddr pointer with the ifatoia6() macro.
No binary change.
OK claudio@

change the malloc(9) flags from M_DONTWAIT to M_NOWAIT; OK millert@

Add a short cut for atomic IPv6 fragments. They will be processed
immediately and not go through the fragment queue.
See draft-gont-6man-ipv6-atomic-fragments-00.txt.
tested and ok sperreault@

Do not keep state when dropping overlapping IPv6 fragments in pf
and IPv6 stack.
ok sperreault@

Implement RFC 5722 and drop all IPv6 fragments that belong to a
packet with overlapping fragments.
ok henning@

Flush the cached IPv6 forward route every 500 ms. This prevents
wrong checks for local addresses and wrong packet forwarding in
environments with only one communication partner and changing
addresses or routes. Remove the #if 0 around the existing code to
make IPv6 behave like IPv4.
ok henning@

Remove the IPv6 fragment overlapping length adjustment code. It
was already #if 0 and will never come back. Remove unused fragment
struct fields and sort the others.
ok henning@

Replace the hand-crafted queue for IPv6 fragments with LIST.
ok henning@

Remove dead code from #if 0: we do not have an ipsrcchk_rt anywhere else.
from FreeBSD; ok henning@

Replace the hand-crafted queue for fragmented IPv6 packets with TAILQ.
ok henning@

Fix potential null dereference.

Found by LLVM/Clang Static Analyzer.

ok claudio@ henning@

Kill redundant offsetof definitions; ok deraadt henning sthen thib

Extract the new function frag6_deletefraghdr() from frag6_input()
to make it reusable by pf. No functional change.
ok henning@, claudio@

In frag6_input() there was an mbuf length calculation error. If
you want to move "offset" bytes forward by "sizeof(struct ip6_frag)"
bytes within an mbuf, you must have at least "offset + sizeof(struct
ip6_frag)" bytes space in that mbuf.
Fix from KAME, FreeBSD also has it.
ok claudio@ markus@

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning

Destatic and ansify.

ok claudio@ naddy@

- obvious typo in comment, from holger mikolon

When accessing cached routes make sure the route is actually still valid.
Before accessing a ro_rt make sure the route is either freshly allocated or
RTF_UP is set. If not ro_rt should be freed and reallocated or at least no
info from the ro_rt should be considered valid.
This seems to solve the crashes seen by Felipe Alfaro Solana.
some sort of OK dlg@

ANSIfy to sync with KAME. From Karl Sjodahl <dunceor@gmail.com>.

ok todd deraadt naddy bluhm

take advantage of M_ZERO

ok claudio gilles

framgent -> fragment

Add support for equal-cost multipath IP.

To minimise path disruptions, this implements recommendations made in RFC2992 -
the hash-threshold mechanism to select paths based on source/destination IP
address pairs, and inserts multipath routes in the middle of the route table.

To enable multipath distribution, use:
sysctl net.inet.ip.multipath=1
and/or:
sysctl net.inet6.ip6.multipath=1

testing norby@
ok claudio@ henning@ hshoexer@

splimp -> splvm. mbuf allocation here.

ok henning@

use random number generator to generate IPv6 fragment ID/flowlabel.
cleanup IPv6 flowlabel handling. deraadt ok

make PULLDOWN_TEST codepath the default (has been default for a long time).
markus ok

fix pointer signedness mixup. sync w/kame

KNF - return is not a function. sync w/kame

splnet -> splsoftnet where appropriate

limit number of IPv6 fragments (not the fragment queue size) to
fight against lots-of-frags DoS attacks. sync w/kame

kill __P

bring in ECN support from KAME.
it consists of
- ECN support in TCP
- tunnel-egress and fragment reassembly rules in layer-3 not to lose
congestion info at tunnel-egress and fragment reassembly

to enable ECN in TCP, build a kernel with TCP_ECN, and then,
turn it on by "sysctl -w net.inet.tcp.ecn=1".

ok deraadt@

have a real lock around IPv6 reassembly.

First round of __P removal in sys

branches: 1.11.4;
No need for net/net_osdep.h

fix memory leak on ipv6 reass failure. sync with kame

correct behavior when ip6 reass queue reaches the upper limit.

set frag6_doing_reass while doing reass, to help frag6_drain.

sync whitespace/comment with kame. to help merge tasks

branches: 1.6.2;
fix include file path related to ip6.

make IPv6 reass work on alpha. NetBSD PR 9340.

pull in arc4random() prototype

use arc4random() instead of random for two reasons.
1) on some architectures, random() should only be used by the scheduler
(ie. statintr() because it is uniformly distributed
2) arc4random() is actually strong, random() is not at all

Remove remaining unnecessary ifdefs (itojun will hate me for this :-)

bring in KAME IPv6 code, dated 19991208.
replaces NRL IPv6 layer. reuses NRL pcb layer. no IPsec-on-v6 support.
see sys/netinet6/{TODO,IMPLEMENTATION} for more details.

GENERIC configuration should work fine as before. GENERIC.v6 works fine
as well, but you'll need KAME userland tools to play with IPv6 (will be
bringed into soon).

Do not use the flow of the first fragment to store ECN information.
Handle the ECN in the fragment queue.
Reported-by: syzbot+0aa80b25e9041001cac8@syzkaller.appspotmail.com
fix from FreeBSD; OK claudio@

Instead of calculating the mbuf packet header length here and there,
put the algorithm into a new function m_calchdrlen(). Also set an
uninitialized m_len to 0 in NFS code.
OK claudio@

During fragment reassembly, mbuf chains with packet headers were
created. Add a new function m_removehdr() do convert packet header
mbufs within the chain to regular mbufs. Assert that the mbuf at
the beginning of the chain has a packet header.
found by Maxime Villard in NetBSD; from markus@; OK claudio@

frag6_slowtimo: push NET_LOCK into frag6_freef around icmp6_error.

icmp6_error() still probably needs the NET_LOCK, as the call chain
icmp6_error -> icmp6_reflect -> rt_match -> rt_clone -> rtrequest
is possible.

The fragment discard loop in frag6_slowtimo and the other
cleanup bits in frag6_freef do not require it however. So
push the lock down into frag6_freef around icmp6_error.

Prompted by mpi. Discussed with bluhm and kn. Regress test help
by bluhm. Additional testing by kn.

ok kn@ visa@ mpi@

The function ip6_get_prevhdr() did return a pointer into a mbuf.
It was not guaranteed that the mbuf data was not somewhere else in
the chain. So return an offset and do a proper mbuf pulldown.
found by Maxime Villard; from NetBSD; with markus@; OK deraadt@

Put the net lock around frag6_freef() as it sends ICMP6 error
messages. Splassert was triggered by regress/sys/netinet6/frag6.
OK mpi@ sashan@ visa@

Remove 18 year old #if 0.

ok visa@, benno@

Serialize access to the IPv6 reassembly queue with a mutex.
This lets the code run without KERNEL_LOCK() and NET_LOCK().

In addition, this patch reorganizes a part of the code, to move
some of the memory release operations outside the critical section.

Input and OK mpi@, OK florian@, an earlier version OK bluhm@

Finish off pr_drain functions, they haven't been used since 2006.
OK mpi

Move NET_{,UN}LOCK into individual slowtimo functions.

Direction suggested by mpi

OK mpi, visa

Allocate IPv6 reassembly structs using pools instead of malloc(),
and drop the now redundant allocation type M_FTABLE.

OK mikeb@, bluhm@, mpi@

Replace macro `IP6_REASS_MBUF' with direct use of field `ip6af_m'.

OK bluhm@, mpi@

branches: 1.74.4;
Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@

branches: 1.72.4;
Use percpu counters for ip6stat

Try to follow the existing examples. Some notes:
- don't implement counters_dec() yet, which could be used in two
similar chunks of code. Let's see if there are more users first.
- stop incrementing IPv6-specific mbuf stats, IPv4 has no equivalent.

Input from mpi@, ok bluhm@ mpi@

Assert that every slow/fast timeout routine is called at IPL_SOFTNET.

This removes multipe recursive splsoftnet()/splx() dances.

When the IPv6 network stack receives an empty non atomic fragment,
just drop it. It can never overlap existing content, there is no
ambiguous payload. So save resources and do not try to insert it
into the queue. This makes our IPv6 stack behave like pf fragment
reassembly.
OK deraadt@

Kill ip6_forward_rt reducing differences between v4 and v6.

A single forwarding cache is not the answer. The answer is 42... err PF!

ok bluhm@

Sizes for free(9) from David Hill.

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@

rewrite if to be more clear. ok bluhm stsp

Kill dead code missed in per-ifp counter removal.

ok millert@, bluhm@

Remove superfluous NULL checks.

ifa are refcounted to ensure that rt_ifa is always valid.

Kill in6_ifstat_inc() and associated per-ifp storage.

The SIOCGIFSTAT_IN6 is no longer supported.

ok mikeb@, claudio@, dlg@

Kill some commented out in6_ifstat_inc().

unifdef IN6_IFSTAT_STRICT.

ok deraadt@, millert@

Store a unique ID, an interface index, rather than a pointer to the
receiving interface in the packet header of every mbuf.

The interface pointer should now be retrieved when necessary with
if_get(). If a NULL pointer is returned by if_get(), the interface
has probably been destroy/removed and the mbuf should be freed.

Such mechanism will simplify garbage collection of mbufs and limit
problems with dangling ifp pointers.

Tested by jmatthew@ and krw@, discussed with many.

ok mikeb@, bluhm@, dlg@

Do not use a "struct route" when a "struct rtentry" is enough.

ok millert@, bluhm@

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg

Use rtfree() instead of RTFREE(), NULLify some free'd route pointers and
kill the macro.

ok mikeb@, henning@

Kill rtalloc() and update rtalloc1() and rtalloc_mpath() to no longer
rely on "struct route" that should die.

ok claudio@

Fewer <netinet/in_systm.h> !

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@

Put a large chunk of the IPv6 rdomain support in-tree.

Still some important missing pieces, and this is not yet enabled.

OK bluhm@

The header file netinet/in_var.h included netinet6/in6_var.h. This
created a bunch of useless dependencies. Remove this implicit
inclusion and do an explicit #include <netinet6/in6_var.h> when it
is needed.
OK mpi@ henning@

Sync comment with reality, the draft is now an RFC and OpenBSD follows
it since bluhm@ implemented it in 2012.

From Loganaden Velvindron, ok claudio@

Replace all ovbcopy with memmove; swap the src and dst arguments too
ok otto

Remove a bunch of sockaddr_in6 pointer casts and replace others
with sin6tosa() or satosin6() inline functions. This allows the
compiler to check the types more strictly.
OK mpi@

simple replacement of LIST_END with NULL. ok mpi

Replace the cast to struct in6_ifaddr pointer with the ifatoia6() macro.
No binary change.
OK claudio@

change the malloc(9) flags from M_DONTWAIT to M_NOWAIT; OK millert@

Add a short cut for atomic IPv6 fragments. They will be processed
immediately and not go through the fragment queue.
See draft-gont-6man-ipv6-atomic-fragments-00.txt.
tested and ok sperreault@

Do not keep state when dropping overlapping IPv6 fragments in pf
and IPv6 stack.
ok sperreault@

Implement RFC 5722 and drop all IPv6 fragments that belong to a
packet with overlapping fragments.
ok henning@

Flush the cached IPv6 forward route every 500 ms. This prevents
wrong checks for local addresses and wrong packet forwarding in
environments with only one communication partner and changing
addresses or routes. Remove the #if 0 around the existing code to
make IPv6 behave like IPv4.
ok henning@

Remove the IPv6 fragment overlapping length adjustment code. It
was already #if 0 and will never come back. Remove unused fragment
struct fields and sort the others.
ok henning@

Replace the hand-crafted queue for IPv6 fragments with LIST.
ok henning@

Remove dead code from #if 0: we do not have an ipsrcchk_rt anywhere else.
from FreeBSD; ok henning@

Replace the hand-crafted queue for fragmented IPv6 packets with TAILQ.
ok henning@

Fix potential null dereference.

Found by LLVM/Clang Static Analyzer.

ok claudio@ henning@

Kill redundant offsetof definitions; ok deraadt henning sthen thib

Extract the new function frag6_deletefraghdr() from frag6_input()
to make it reusable by pf. No functional change.
ok henning@, claudio@

In frag6_input() there was an mbuf length calculation error. If
you want to move "offset" bytes forward by "sizeof(struct ip6_frag)"
bytes within an mbuf, you must have at least "offset + sizeof(struct
ip6_frag)" bytes space in that mbuf.
Fix from KAME, FreeBSD also has it.
ok claudio@ markus@

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning

Destatic and ansify.

ok claudio@ naddy@

- obvious typo in comment, from holger mikolon

When accessing cached routes make sure the route is actually still valid.
Before accessing a ro_rt make sure the route is either freshly allocated or
RTF_UP is set. If not ro_rt should be freed and reallocated or at least no
info from the ro_rt should be considered valid.
This seems to solve the crashes seen by Felipe Alfaro Solana.
some sort of OK dlg@

ANSIfy to sync with KAME. From Karl Sjodahl <dunceor@gmail.com>.

ok todd deraadt naddy bluhm

take advantage of M_ZERO

ok claudio gilles

framgent -> fragment

Add support for equal-cost multipath IP.

To minimise path disruptions, this implements recommendations made in RFC2992 -
the hash-threshold mechanism to select paths based on source/destination IP
address pairs, and inserts multipath routes in the middle of the route table.

To enable multipath distribution, use:
sysctl net.inet.ip.multipath=1
and/or:
sysctl net.inet6.ip6.multipath=1

testing norby@
ok claudio@ henning@ hshoexer@

splimp -> splvm. mbuf allocation here.

ok henning@

use random number generator to generate IPv6 fragment ID/flowlabel.
cleanup IPv6 flowlabel handling. deraadt ok

make PULLDOWN_TEST codepath the default (has been default for a long time).
markus ok

fix pointer signedness mixup. sync w/kame

KNF - return is not a function. sync w/kame

splnet -> splsoftnet where appropriate

limit number of IPv6 fragments (not the fragment queue size) to
fight against lots-of-frags DoS attacks. sync w/kame

kill __P

bring in ECN support from KAME.
it consists of
- ECN support in TCP
- tunnel-egress and fragment reassembly rules in layer-3 not to lose
congestion info at tunnel-egress and fragment reassembly

to enable ECN in TCP, build a kernel with TCP_ECN, and then,
turn it on by "sysctl -w net.inet.tcp.ecn=1".

ok deraadt@

have a real lock around IPv6 reassembly.

First round of __P removal in sys

branches: 1.11.4;
No need for net/net_osdep.h

fix memory leak on ipv6 reass failure. sync with kame

correct behavior when ip6 reass queue reaches the upper limit.

set frag6_doing_reass while doing reass, to help frag6_drain.

sync whitespace/comment with kame. to help merge tasks

branches: 1.6.2;
fix include file path related to ip6.

make IPv6 reass work on alpha. NetBSD PR 9340.

pull in arc4random() prototype

use arc4random() instead of random for two reasons.
1) on some architectures, random() should only be used by the scheduler
(ie. statintr() because it is uniformly distributed
2) arc4random() is actually strong, random() is not at all

Remove remaining unnecessary ifdefs (itojun will hate me for this :-)

bring in KAME IPv6 code, dated 19991208.
replaces NRL IPv6 layer. reuses NRL pcb layer. no IPsec-on-v6 support.
see sys/netinet6/{TODO,IMPLEMENTATION} for more details.

GENERIC configuration should work fine as before. GENERIC.v6 works fine
as well, but you'll need KAME userland tools to play with IPv6 (will be
bringed into soon).

Instead of calculating the mbuf packet header length here and there,
put the algorithm into a new function m_calchdrlen(). Also set an
uninitialized m_len to 0 in NFS code.
OK claudio@

During fragment reassembly, mbuf chains with packet headers were
created. Add a new function m_removehdr() do convert packet header
mbufs within the chain to regular mbufs. Assert that the mbuf at
the beginning of the chain has a packet header.
found by Maxime Villard in NetBSD; from markus@; OK claudio@

frag6_slowtimo: push NET_LOCK into frag6_freef around icmp6_error.

icmp6_error() still probably needs the NET_LOCK, as the call chain
icmp6_error -> icmp6_reflect -> rt_match -> rt_clone -> rtrequest
is possible.

The fragment discard loop in frag6_slowtimo and the other
cleanup bits in frag6_freef do not require it however. So
push the lock down into frag6_freef around icmp6_error.

Prompted by mpi. Discussed with bluhm and kn. Regress test help
by bluhm. Additional testing by kn.

ok kn@ visa@ mpi@

The function ip6_get_prevhdr() did return a pointer into a mbuf.
It was not guaranteed that the mbuf data was not somewhere else in
the chain. So return an offset and do a proper mbuf pulldown.
found by Maxime Villard; from NetBSD; with markus@; OK deraadt@

Put the net lock around frag6_freef() as it sends ICMP6 error
messages. Splassert was triggered by regress/sys/netinet6/frag6.
OK mpi@ sashan@ visa@

Remove 18 year old #if 0.

ok visa@, benno@

Serialize access to the IPv6 reassembly queue with a mutex.
This lets the code run without KERNEL_LOCK() and NET_LOCK().

In addition, this patch reorganizes a part of the code, to move
some of the memory release operations outside the critical section.

Input and OK mpi@, OK florian@, an earlier version OK bluhm@

Finish off pr_drain functions, they haven't been used since 2006.
OK mpi

Move NET_{,UN}LOCK into individual slowtimo functions.

Direction suggested by mpi

OK mpi, visa

Allocate IPv6 reassembly structs using pools instead of malloc(),
and drop the now redundant allocation type M_FTABLE.

OK mikeb@, bluhm@, mpi@

Replace macro `IP6_REASS_MBUF' with direct use of field `ip6af_m'.

OK bluhm@, mpi@

branches: 1.74.4;
Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@

branches: 1.72.4;
Use percpu counters for ip6stat

Try to follow the existing examples. Some notes:
- don't implement counters_dec() yet, which could be used in two
similar chunks of code. Let's see if there are more users first.
- stop incrementing IPv6-specific mbuf stats, IPv4 has no equivalent.

Input from mpi@, ok bluhm@ mpi@

Assert that every slow/fast timeout routine is called at IPL_SOFTNET.

This removes multipe recursive splsoftnet()/splx() dances.

When the IPv6 network stack receives an empty non atomic fragment,
just drop it. It can never overlap existing content, there is no
ambiguous payload. So save resources and do not try to insert it
into the queue. This makes our IPv6 stack behave like pf fragment
reassembly.
OK deraadt@

Kill ip6_forward_rt reducing differences between v4 and v6.

A single forwarding cache is not the answer. The answer is 42... err PF!

ok bluhm@

Sizes for free(9) from David Hill.

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@

rewrite if to be more clear. ok bluhm stsp

Kill dead code missed in per-ifp counter removal.

ok millert@, bluhm@

Remove superfluous NULL checks.

ifa are refcounted to ensure that rt_ifa is always valid.

Kill in6_ifstat_inc() and associated per-ifp storage.

The SIOCGIFSTAT_IN6 is no longer supported.

ok mikeb@, claudio@, dlg@

Kill some commented out in6_ifstat_inc().

unifdef IN6_IFSTAT_STRICT.

ok deraadt@, millert@

Store a unique ID, an interface index, rather than a pointer to the
receiving interface in the packet header of every mbuf.

The interface pointer should now be retrieved when necessary with
if_get(). If a NULL pointer is returned by if_get(), the interface
has probably been destroy/removed and the mbuf should be freed.

Such mechanism will simplify garbage collection of mbufs and limit
problems with dangling ifp pointers.

Tested by jmatthew@ and krw@, discussed with many.

ok mikeb@, bluhm@, dlg@

Do not use a "struct route" when a "struct rtentry" is enough.

ok millert@, bluhm@

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg

Use rtfree() instead of RTFREE(), NULLify some free'd route pointers and
kill the macro.

ok mikeb@, henning@

Kill rtalloc() and update rtalloc1() and rtalloc_mpath() to no longer
rely on "struct route" that should die.

ok claudio@

Fewer <netinet/in_systm.h> !

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@

Put a large chunk of the IPv6 rdomain support in-tree.

Still some important missing pieces, and this is not yet enabled.

OK bluhm@

The header file netinet/in_var.h included netinet6/in6_var.h. This
created a bunch of useless dependencies. Remove this implicit
inclusion and do an explicit #include <netinet6/in6_var.h> when it
is needed.
OK mpi@ henning@

Sync comment with reality, the draft is now an RFC and OpenBSD follows
it since bluhm@ implemented it in 2012.

From Loganaden Velvindron, ok claudio@

Replace all ovbcopy with memmove; swap the src and dst arguments too
ok otto

Remove a bunch of sockaddr_in6 pointer casts and replace others
with sin6tosa() or satosin6() inline functions. This allows the
compiler to check the types more strictly.
OK mpi@

simple replacement of LIST_END with NULL. ok mpi

Replace the cast to struct in6_ifaddr pointer with the ifatoia6() macro.
No binary change.
OK claudio@

change the malloc(9) flags from M_DONTWAIT to M_NOWAIT; OK millert@

Add a short cut for atomic IPv6 fragments. They will be processed
immediately and not go through the fragment queue.
See draft-gont-6man-ipv6-atomic-fragments-00.txt.
tested and ok sperreault@

Do not keep state when dropping overlapping IPv6 fragments in pf
and IPv6 stack.
ok sperreault@

Implement RFC 5722 and drop all IPv6 fragments that belong to a
packet with overlapping fragments.
ok henning@

Flush the cached IPv6 forward route every 500 ms. This prevents
wrong checks for local addresses and wrong packet forwarding in
environments with only one communication partner and changing
addresses or routes. Remove the #if 0 around the existing code to
make IPv6 behave like IPv4.
ok henning@

Remove the IPv6 fragment overlapping length adjustment code. It
was already #if 0 and will never come back. Remove unused fragment
struct fields and sort the others.
ok henning@

Replace the hand-crafted queue for IPv6 fragments with LIST.
ok henning@

Remove dead code from #if 0: we do not have an ipsrcchk_rt anywhere else.
from FreeBSD; ok henning@

Replace the hand-crafted queue for fragmented IPv6 packets with TAILQ.
ok henning@

Fix potential null dereference.

Found by LLVM/Clang Static Analyzer.

ok claudio@ henning@

Kill redundant offsetof definitions; ok deraadt henning sthen thib

Extract the new function frag6_deletefraghdr() from frag6_input()
to make it reusable by pf. No functional change.
ok henning@, claudio@

In frag6_input() there was an mbuf length calculation error. If
you want to move "offset" bytes forward by "sizeof(struct ip6_frag)"
bytes within an mbuf, you must have at least "offset + sizeof(struct
ip6_frag)" bytes space in that mbuf.
Fix from KAME, FreeBSD also has it.
ok claudio@ markus@

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning

Destatic and ansify.

ok claudio@ naddy@

- obvious typo in comment, from holger mikolon

When accessing cached routes make sure the route is actually still valid.
Before accessing a ro_rt make sure the route is either freshly allocated or
RTF_UP is set. If not ro_rt should be freed and reallocated or at least no
info from the ro_rt should be considered valid.
This seems to solve the crashes seen by Felipe Alfaro Solana.
some sort of OK dlg@

ANSIfy to sync with KAME. From Karl Sjodahl <dunceor@gmail.com>.

ok todd deraadt naddy bluhm

take advantage of M_ZERO

ok claudio gilles

framgent -> fragment

Add support for equal-cost multipath IP.

To minimise path disruptions, this implements recommendations made in RFC2992 -
the hash-threshold mechanism to select paths based on source/destination IP
address pairs, and inserts multipath routes in the middle of the route table.

To enable multipath distribution, use:
sysctl net.inet.ip.multipath=1
and/or:
sysctl net.inet6.ip6.multipath=1

testing norby@
ok claudio@ henning@ hshoexer@

splimp -> splvm. mbuf allocation here.

ok henning@

use random number generator to generate IPv6 fragment ID/flowlabel.
cleanup IPv6 flowlabel handling. deraadt ok

make PULLDOWN_TEST codepath the default (has been default for a long time).
markus ok

fix pointer signedness mixup. sync w/kame

KNF - return is not a function. sync w/kame

splnet -> splsoftnet where appropriate

limit number of IPv6 fragments (not the fragment queue size) to
fight against lots-of-frags DoS attacks. sync w/kame

kill __P

bring in ECN support from KAME.
it consists of
- ECN support in TCP
- tunnel-egress and fragment reassembly rules in layer-3 not to lose
congestion info at tunnel-egress and fragment reassembly

to enable ECN in TCP, build a kernel with TCP_ECN, and then,
turn it on by "sysctl -w net.inet.tcp.ecn=1".

ok deraadt@

have a real lock around IPv6 reassembly.

First round of __P removal in sys

branches: 1.11.4;
No need for net/net_osdep.h

fix memory leak on ipv6 reass failure. sync with kame

correct behavior when ip6 reass queue reaches the upper limit.

set frag6_doing_reass while doing reass, to help frag6_drain.

sync whitespace/comment with kame. to help merge tasks

branches: 1.6.2;
fix include file path related to ip6.

make IPv6 reass work on alpha. NetBSD PR 9340.

pull in arc4random() prototype

use arc4random() instead of random for two reasons.
1) on some architectures, random() should only be used by the scheduler
(ie. statintr() because it is uniformly distributed
2) arc4random() is actually strong, random() is not at all

Remove remaining unnecessary ifdefs (itojun will hate me for this :-)

bring in KAME IPv6 code, dated 19991208.
replaces NRL IPv6 layer. reuses NRL pcb layer. no IPsec-on-v6 support.
see sys/netinet6/{TODO,IMPLEMENTATION} for more details.

GENERIC configuration should work fine as before. GENERIC.v6 works fine
as well, but you'll need KAME userland tools to play with IPv6 (will be
bringed into soon).

frag6_slowtimo: push NET_LOCK into frag6_freef around icmp6_error.

icmp6_error() still probably needs the NET_LOCK, as the call chain
icmp6_error -> icmp6_reflect -> rt_match -> rt_clone -> rtrequest
is possible.

The fragment discard loop in frag6_slowtimo and the other
cleanup bits in frag6_freef do not require it however. So
push the lock down into frag6_freef around icmp6_error.

Prompted by mpi. Discussed with bluhm and kn. Regress test help
by bluhm. Additional testing by kn.

ok kn@ visa@ mpi@

The function ip6_get_prevhdr() did return a pointer into a mbuf.
It was not guaranteed that the mbuf data was not somewhere else in
the chain. So return an offset and do a proper mbuf pulldown.
found by Maxime Villard; from NetBSD; with markus@; OK deraadt@

Put the net lock around frag6_freef() as it sends ICMP6 error
messages. Splassert was triggered by regress/sys/netinet6/frag6.
OK mpi@ sashan@ visa@

Remove 18 year old #if 0.

ok visa@, benno@

Serialize access to the IPv6 reassembly queue with a mutex.
This lets the code run without KERNEL_LOCK() and NET_LOCK().

In addition, this patch reorganizes a part of the code, to move
some of the memory release operations outside the critical section.

Input and OK mpi@, OK florian@, an earlier version OK bluhm@

Finish off pr_drain functions, they haven't been used since 2006.
OK mpi

Move NET_{,UN}LOCK into individual slowtimo functions.

Direction suggested by mpi

OK mpi, visa

Allocate IPv6 reassembly structs using pools instead of malloc(),
and drop the now redundant allocation type M_FTABLE.

OK mikeb@, bluhm@, mpi@

Replace macro `IP6_REASS_MBUF' with direct use of field `ip6af_m'.

OK bluhm@, mpi@

branches: 1.74.4;
Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@

Pass down the address family through the pr_input calls. This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@

branches: 1.72.4;
Use percpu counters for ip6stat

Try to follow the existing examples. Some notes:
- don't implement counters_dec() yet, which could be used in two
similar chunks of code. Let's see if there are more users first.
- stop incrementing IPv6-specific mbuf stats, IPv4 has no equivalent.

Input from mpi@, ok bluhm@ mpi@

Assert that every slow/fast timeout routine is called at IPL_SOFTNET.

This removes multipe recursive splsoftnet()/splx() dances.

When the IPv6 network stack receives an empty non atomic fragment,
just drop it. It can never overlap existing content, there is no
ambiguous payload. So save resources and do not try to insert it
into the queue. This makes our IPv6 stack behave like pf fragment
reassembly.
OK deraadt@

Kill ip6_forward_rt reducing differences between v4 and v6.

A single forwarding cache is not the answer. The answer is 42... err PF!

ok bluhm@

Sizes for free(9) from David Hill.

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@

rewrite if to be more clear. ok bluhm stsp

Kill dead code missed in per-ifp counter removal.

ok millert@, bluhm@

Remove superfluous NULL checks.

ifa are refcounted to ensure that rt_ifa is always valid.

Kill in6_ifstat_inc() and associated per-ifp storage.

The SIOCGIFSTAT_IN6 is no longer supported.

ok mikeb@, claudio@, dlg@

Kill some commented out in6_ifstat_inc().

unifdef IN6_IFSTAT_STRICT.

ok deraadt@, millert@

Store a unique ID, an interface index, rather than a pointer to the
receiving interface in the packet header of every mbuf.

The interface pointer should now be retrieved when necessary with
if_get(). If a NULL pointer is returned by if_get(), the interface
has probably been destroy/removed and the mbuf should be freed.

Such mechanism will simplify garbage collection of mbufs and limit
problems with dangling ifp pointers.

Tested by jmatthew@ and krw@, discussed with many.

ok mikeb@, bluhm@, dlg@

Do not use a "struct route" when a "struct rtentry" is enough.

ok millert@, bluhm@

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg

Use rtfree() instead of RTFREE(), NULLify some free'd route pointers and
kill the macro.

ok mikeb@, henning@

Kill rtalloc() and update rtalloc1() and rtalloc_mpath() to no longer
rely on "struct route" that should die.

ok claudio@

Fewer <netinet/in_systm.h> !

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@

Replace most of our formating functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@

Put a large chunk of the IPv6 rdomain support in-tree.

Still some important missing pieces, and this is not yet enabled.

OK bluhm@

The header file netinet/in_var.h included netinet6/in6_var.h. This
created a bunch of useless dependencies. Remove this implicit
inclusion and do an explicit #include <netinet6/in6_var.h> when it
is needed.
OK mpi@ henning@

Sync comment with reality, the draft is now an RFC and OpenBSD follows
it since bluhm@ implemented it in 2012.

From Loganaden Velvindron, ok claudio@

Replace all ovbcopy with memmove; swap the src and dst arguments too
ok otto

Remove a bunch of sockaddr_in6 pointer casts and replace others
with sin6tosa() or satosin6() inline functions. This allows the
compiler to check the types more strictly.
OK mpi@

simple replacement of LIST_END with NULL. ok mpi

Replace the cast to struct in6_ifaddr pointer with the ifatoia6() macro.
No binary change.
OK claudio@

change the malloc(9) flags from M_DONTWAIT to M_NOWAIT; OK millert@

Add a short cut for atomic IPv6 fragments. They will be processed
immediately and not go through the fragment queue.
See draft-gont-6man-ipv6-atomic-fragments-00.txt.
tested and ok sperreault@

Do not keep state when dropping overlapping IPv6 fragments in pf
and IPv6 stack.
ok sperreault@

Implement RFC 5722 and drop all IPv6 fragments that belong to a
packet with overlapping fragments.
ok henning@

Flush the cached IPv6 forward route every 500 ms. This prevents
wrong checks for local addresses and wrong packet forwarding in
environments with only one communication partner and changing
addresses or routes. Remove the #if 0 around the existing code to
make IPv6 behave like IPv4.
ok henning@

Remove the IPv6 fragment overlapping length adjustment code. It
was already #if 0 and will never come back. Remove unused fragment
struct fields and sort the others.
ok henning@

Replace the hand-crafted queue for IPv6 fragments with LIST.
ok henning@

Remove dead code from #if 0: we do not have an ipsrcchk_rt anywhere else.
from FreeBSD; ok henning@

Replace the hand-crafted queue for fragmented IPv6 packets with TAILQ.
ok henning@

Fix potential null dereference.

Found by LLVM/Clang Static Analyzer.

ok claudio@ henning@

Kill redundant offsetof definitions; ok deraadt henning sthen thib

Extract the new function frag6_deletefraghdr() from frag6_input()
to make it reusable by pf. No functional change.
ok henning@, claudio@

In frag6_input() there was an mbuf length calculation error. If
you want to move "offset" bytes forward by "sizeof(struct ip6_frag)"
bytes within an mbuf, you must have at least "offset + sizeof(struct
ip6_frag)" bytes space in that mbuf.
Fix from KAME, FreeBSD also has it.
ok claudio@ markus@

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning

Destatic and ansify.

ok claudio@ naddy@

- obvious typo in comment, from holger mikolon

When accessing cached routes make sure the route is actually still valid.
Before accessing a ro_rt make sure the route is either freshly allocated or
RTF_UP is set. If not ro_rt should be freed and reallocated or at least no
info from the ro_rt should be considered valid.
This seems to solve the crashes seen by Felipe Alfaro Solana.
some sort of OK dlg@

ANSIfy to sync with KAME. From Karl Sjodahl <dunceor@gmail.com>.

ok todd deraadt naddy bluhm

take advantage of M_ZERO

ok claudio gilles

framgent -> fragment

Add support for equal-cost multipath IP.

To minimise path disruptions, this implements recommendations made in RFC2992 -
the hash-threshold mechanism to select paths based on source/destination IP
address pairs, and inserts multipath routes in the middle of the route table.

To enable multipath distribution, use:
sysctl net.inet.ip.multipath=1
and/or:
sysctl net.inet6.ip6.multipath=1

testing norby@
ok claudio@ henning@ hshoexer@

splimp -> splvm. mbuf allocation here.

ok henning@

use random number generator to generate IPv6 fragment ID/flowlabel.
cleanup IPv6 flowlabel handling. deraadt ok

make PULLDOWN_TEST codepath the default (has been default for a long time).
markus ok

fix pointer signedness mixup. sync w/kame

KNF - return is not a function. sync w/kame

splnet -> splsoftnet where appropriate

limit number of IPv6 fragments (not the fragment queue size) to
fight against lots-of-frags DoS attacks. sync w/kame

kill __P

bring in ECN support from KAME.
it consists of
- ECN support in TCP
- tunnel-egress and fragment reassembly rules in layer-3 not to lose
congestion info at tunnel-egress and fragment reassembly

to enable ECN in TCP, build a kernel with TCP_ECN, and then,
turn it on by "sysctl -w net.inet.tcp.ecn=1".

ok deraadt@