IABSD.fr/src/sys/netinet/ip_input.c

Branch :


Log

Author Commit Date CI Message
5a12b7de 2025-07-31 09:05:11 Unlock ip6_sysctl(). Use temporary local buffer for lockless IO within ip6_sysctl_soiikey(). Use existing `sysctl_lock' rwlock(9) to protect `ip6_soiikey'. Also, replace temporary `ip_sysctl_lock' with `sysctl_lock' rwlock(9). It was introduced as temporary to avoid recursive lock acquisition in ip*_sysctl() until upcoming unlocked. The usage paths are not the hot paths, no reason to have dedicated locks for them. ok bluhm
34fb0aba 2025-07-24 22:31:19 We use capital letters for global locks description, so use capital 'Q' for `ipq_mutex' mutex(9). No functional changes.
433890ba 2025-07-23 20:53:55 Unlock IPV6CTL_HDRNESTLIMIT case of ip6_sysctl(). `ip6_hdrnestlimit' loaded only once in ip_deliver(). If the `ip6_hdrnestlimit' is null, the "(++nest > ip6_hdrnestlimit)" check will be always true, so the check of `ip6_hdrnestlimit' against null could be omitted. Also unused in ramdisk. ok bluhm
2728a864 2025-07-19 16:40:40 Push netlock down to mrt_sysctl_vif(). Link the network interfaces to the temporary `if_tmplist' list protected with `if_tmplist_lock' rwlock(9). This moves copyuot() out of exclusive netlock and allows to relax it to shared netlock. ip_sysctl() became mp-safe, so mark it as PR_MPSYSCTL. ok bluhm
226c3bfc 2025-07-17 17:31:45 Unlock IPCTL_ARPDOWN case of ip_sysctl(). ok bluhm
881125a9 2025-07-15 22:12:49 Unlock IPCTL_ARPTIMEOUT case of ip_sysctl(). ok bluhm
ef8bdab2 2025-07-15 18:28:57 Unlock IPCTL_MFORWARDING case of ip_sysctl(). ok bluhm
66267f85 2025-07-15 08:27:47 Unlock IPCTL_IPPORT_MAXQUEUE case of ip_sysctl() We could set `ip_maxqueue' to be less than (ip_frags + 1) just after the netlock is released. So we don't need to serializes `ip_frags' and `ip_maxqueue' with the `ipq_mutex', the cached value is enough for ip_fragcheck() run. ok bluhm
148caabb 2025-07-08 00:47:41 remove unneeded includes; ok bluhm@
3ae74042 2025-06-30 12:43:22 Unlock IPCTL_DEFTTL case of ip_sysctl(). Read-only access at initialization time of interfaces, PCBs and IP packets. ok bluhm
b71ef036 2025-06-25 10:33:53 Push netlock down to mrt{,6}_sysctl_mfc(). Move copyout() and sleeping M_WAITOK malloc(9) out of netlock. Keep exclusive netlock instead of shared because the walker callback does `rt_gateway' dereference. Leave locking relaxation to the further diffs. ok bluhm
72282bea 2025-06-24 18:05:51 Unlock IPCTL_IPPORT_* cases of ip_sysctl(). Corresponding variables accessed read-only only within in_pcbpickport(). ok bluhm
1213dbc0 2025-06-23 20:59:25 Unlock IPCTL_MTUDISC case of ip_sysctl(). `ip_mtudisc' is atomically accessed boolean, so allow only 0 and 1 values to set. Also, while `ip_mtudisc' is 0, the rt_timer_queue_flush() will be triggered all the times even if we do read access. There is no reason for that, so flush the queue only if this thread successfully assigned 0 value. The rt_timer_queue_flush() requires to be serialized with the netlock. ok bluhm
251e27b0 2025-06-23 20:56:38 Unlock IPCTL_MRTPROTO case of ip_sysctl(). We do read-only access from sysctl(2) interface. Also `ip_mrtproto' is immutable. ok bluhm
1df70e8b 2025-06-23 09:16:32 Move IP{,V6}CTL_MULTIPATH cases of ip{,6}_sysctl() out of netlock. Add missing membar_producer() before `rtgeneration' update to invalidate route cache after ipmultipath changes. Feedback and ok from bluhm.
4d34df45 2025-06-21 14:21:17 Move IP{,V6}CTL_MTUDISCTIMEOUT cases of ip{,6}_sysctl() out of netlock. They are identical, so unlock them both. Use the temporary `ip_sysctl_lock' rwlock(9) for value assignment and the following rt_timer_queue_change() serialization. ok bluhm
939e9288 2025-06-12 20:37:56 Carefully prune sysctl nodes with #ifndef SMALL_KERNEL recover space lost to other bloaty software. ok bluhm
b8a5eea1 2025-05-20 18:40:09 Move move IPCTL_SOURCEROUTE case of ip_sysctl() out of netlock. It is atomically accessed integer. sysctl_securelevel_int() is mp-safe. ok bluhm
65799e18 2025-05-12 05:07:17 remove unused extern, gcc warned about an unused variable
b9e56c4e 2025-05-09 14:43:47 mp-safe multicast stats with per cpu counters ok mvs, bluhm
c677dfb5 2025-03-12 23:27:17 Set M_BCAST for packets going to 0.0.0.0 or 255.255.255.255, so the upper layers can handle them properly. Found by IIJ. ok bluhm
1c7441f2 2025-03-02 21:28:31 Cache route per softnet thread with netstack. Introduce struct netstack to pass memory down the network stack. Currently this is only implemented as part of struct softnet serving as thread local storage. Especially the interface input and IP protocol input functions if_input() and pr_input() have been extended by a netstack parameter. if_input_process() selects the netstack pointer of the currently running softnet thread and passes it to the input functions. The first user of this storage is the route cache in ipv4_input() and ipv6_input(). For consecutive packets it can reuse the route to the same destination. Cache invalidation via route generation number has already been implemented before. OK claudio@ dlg@
84d9c64a 2025-01-03 21:27:40 Use atomic operations to modify the MTU of route. When unlocking TCP, path MTU discovery will run in parallel. To keep route MTU consistent, make access to rt_mtu atomic. Use compare-and-swap function to detect whether another thread is modifying the MTU field. In this case skip updating rt_mtu. OK mvs@
c77b3186 2024-11-21 20:15:44 During IP deliver, propagate correct address family. If ip_deliver() changes the af, e.g. for ip6 over ip4, then it cannot rely on the caller ip_ours() to enqueue the packet in the correct queue. ip_deliver() has to do the enqueue depending on the changed af. from markus@
c80589b8 2024-08-06 16:56:09 Unlock sysctl net.inet.ip.directed-broadcast. ip_directedbcast is read once in either ip_input() or pf_test() during packet processing. So writing the variable does not need net lock. OK mvs@
9c4c1a6f 2024-07-19 16:58:31 Unlock sysctl net.inet.ip.redirect and net.inet6.ip6.redirect. Variable ip and ip6 sendredirects is only read once during packet processing. Use atomic_load_int() to access the value in exactly one read instruction. No memory barriers needed as there is no correlation with other values. Sort the ip and ip6 checks, so the difference is easier to see. Move access to global variable to the end. OK mvs@
1f9e444e 2024-07-14 18:53:39 Unlock IPv6 sysctl net.inet6.ip6.forwarding from net lock. Use atomic operations to read ip6_forwarding while processing packets in the network stack. To make clear where actually the router property is needed, use the i_am_router variable based on ip6_forwarding. It already existed in nd6_nbr. Move i_am_router setting up the call stack until all users are independent. The forwarding decisions in pf_test, pf_refragment6, ip6_input do also not interfere. Use a new array ipv6ctl_vars_unlocked to make transition of all the integer sysctls easier. Adapt IPv4 to the new style. OK mvs@
2c9f5b1f 2024-07-12 09:25:27 Run sysctl net.inet.ip.forwarding without net lock. The places in packet processing where ip_forwarding is evaluated have been consolidated. The remaining pieces in pf test, ip input, and icmp input do not need consistent information. If the integer value is changed by another CPU, it is harmless. The sysctl syscall sets the value atomically, so add atomic read in network processing and remove the net lock in sysctl IPCTL_FORWARDING. OK claudio@ mvs@
0e25137a 2024-07-02 18:33:47 Read IPsec forwarding information once. Fix MP race between reading ip_forwarding in ip_input() and checking ip_forwarding == 2 in ip_output(). In theory ip_forwarding could be 2 during ip_input() and later 0 in ip_output(). Then a packet would be forwarded that was never allowed. Currently exclusive netlock in sysctl(2) prevents all races. Introduce IP_FORWARDING_IPSEC and pass it with the flags parameter that was introduced for IP_FORWARDING. Instead of calling m_tag_find(), traversing the list, and comparing with NULL, just check the PACKET_TAG_IPSEC_IN_DONE bit. Reading ipsec_in_use in ip_output() is a performance hack that is not necessary. New code only checks tree bits. OK mvs@
a96be699 2024-06-24 12:19:19 Explicitly allocate stack memory for ICMP payload in IPv4 forward. Old ip_forward() allocated a fake mbuf copy on the stack to send an ICMP packet after ip_output() has failed. It seems easier to just copy the data onto the stack that icmp_error() may use. Only if the ICMP error packet is acutally sent, create the mbuf. m_dup_pkthdr() uses atomic operation to link the incpb to mbuf. pf_pkt_addr_changed() was immediately called afterwards to remove the linkage again. Also m_tag_delete_chain() was overhead. New code uses less CPU locking in the hot path. OK deraadt@ claudio@
84b2c343 2024-06-07 18:24:16 Read IP forwarding variables only once. Do not assume that ip_forwarding and ip_directedbcast cannot change while processing one packet. Read it once and pass down its value with a flag. This is necessary for unlocking the sysctl path. There are a few places where a consistent value does not really matter, they are unchanged. Use a proper ip_ prefix for the global variable. OK claudio@
652f3531 2024-05-08 13:01:30 Fix route leak in ip input. In previous commit when refactoring the route cache, a rtfree() has been forgotten. For each forwarded packet the reference counter of the route entry was increased. This eventually leads to an integer overflow and triggers kassert. reported by and OK jan@
00dd3069 2024-04-16 12:56:39 Use route cache function in IP input. Instaed of passing a struct rtentry from ip_input() to ip_forward() and then embed it into a struct route for ip_output(), start with struct route and pass it along. Then the route cache is used consistently. Also the route cache hit and missed counters should reflect reality after this commit. There is a small difference in the code. in_ouraddr() checks for NULL and not rtisvalid(). Previous discussion showed that the route RTF_UP flag should only be considered for multipath routing. Otherwise it does not mean anything. Especially the local and broadcast check in in_ouraddr() should not be affected by interface link status. When doing cache lookups, route must be valid, but after rtalloc_mpath() lookup, use any route that route_mpath() returns. OK claudio@
7019ae97 2024-04-14 20:46:27 Run raw IP input in parallel. Running raw IPv4 input with shared net lock in parallel is less complex than UDP. Especially there is no socket splicing. New ip_deliver() may run with shared or exclusive net lock. The last parameter indicates the mode. If is is running with shared netlock and encounters a protocol that needs exclusive lock, the packet is queued. Old ip_ours() always queued the packet. Now it calls ip_deliver() with shared net lock, and if that cannot handle the packet completely, the packet is queued and later processed with exclusive net lock. In case of an IPv6 header chain, that switches from shared to exclusive processing, the next protocol and mbuf offset are stored in a mbuf tag. OK mvs@
2136a888 2024-02-28 10:57:20 Cleanup IP input, forward, output. Before changing the routing code, get IPv4 and IPv6 input, forward, and output in a similar shape. Remove inconsistencies. OK claudio@
caa7f414 2024-02-22 14:25:58 Make the route cache aware of multipath routing. Pass source address to route_cache() and store it in struct route. Cached multipath routes are only valid if source address matches. If sysctl multipath changes, increase route generation number. OK claudio@
94c0e2bd 2024-02-13 12:22:09 Merge struct route and struct route_in6. Use a common struct route for both inet and inet6. Unfortunately struct sockaddr is shorter than sockaddr_in6, so netinet/in.h has to be exposed from net/route.h. Struct route has to be bsd visible for userland as netstat kvm code inspects inp_route. Internet PCB and TCP SYN cache can use a plain struct route now. All specific sockaddr types for inet and inet6 are embeded there. OK claudio@
029c6615 2024-01-31 14:56:42 Add route generation number to route cache. The outgoing route is cached at the inpcb. This cache was only invalidated when the socket closes or if the route gets invalid. More specific routes were not detected. Especially with dynamic routing protocols, sockets must be closed and reopened to use the correct route. Running ping during a route change shows the problem. To solve this, add a route generation number that is updated whenever the routing table changes. The lookup in struct route is put into the route_cache() function. If the generation number is too old, the cached route gets discarded. Implement route_cache() for ip_output() and ip_forward() first. IPv6 and more places will follow. OK claudio@
bf0d449c 2023-09-16 09:33:27 Allow counters_read(9) to take an optional scratch buffer. Using a scratch buffer makes it possible to take a consistent snapshot of per-CPU counters without having to allocate memory. Makes ddb(4) show uvmexp command work in OOM situations. ok kn@, mvs@, cheloha@
fe6e30d1 2023-09-06 11:09:43 Use shared net lock for ip_send() and ip6_send(). When called with NULL options, ip_output() and ip6_output() are MP safe. Convert exclusive to shared net lock in send dispatch. OK mpi@
a0a5c4c7 2023-05-18 09:59:43 Revert ip_sysctl() unlocking. Lock order issue was triggered in UVM layer.
df71082d 2023-05-16 19:36:00 Introduce temporary PR_MPSYSCTL flag to mark (*pr_sysctl)() handler MP safe. We have may of them, so use flag instead of pushing kernel lock within. Unlock ip_sysctl(). Still take kernel lock within IPCTL_MRTSTATS case. It looks like `mrtstat' protection is inconsistent, so keep locking as it was. Since `mrtstat' are counters, it make sense to rework them into per CPU counters with separate diffs. Feedback and ok from bluhm@
e2c34204 2023-04-05 21:51:47 ARP has a sysctl to show the number of packets waiting for an arp response. Implement analog sysctl net.inet6.icmp6.nd6_queued for ND6 to reduce places where mbufs can hide within the kernel. Atomic operations operate on unsigned int. Make the type of total hold queue length consistent. Use atomic load to read the value for the sysctl. This clarifies why no lock around sysctl_rdint() is needed. OK mvs@ kn@
d49c6b99 2023-03-08 23:17:02 An invalid source routing IP option could overwrite kernel memory by using a bad option length. This bug is only reachable if both pf IP option check is disabled and IP source routing is enabled. reported by @fuzzingrf Erg Noor OK claudio@ deraadt@
4628c0e6 2022-08-29 14:43:56 Do not calculate the output protocol checksum in the IP input path. This logic was introduced in 2013 when pf checksum fixup was temporarily removed. After restoring the pf bahavior in 2016, it should not be necessary anymore. OK claudio@
cfa8497d 2022-08-21 14:15:55 Remove ip_local() and ip6_local(). After moving the IPv4 fragment reassembly and IPv6 hob-by-hob header chain processing out of ip_local() and ip6_local(), they are almost empty stubs. The check for local deliver loop in ip_ours() and ip6_ours() is sufficient. Recover mbuf offset and next protocol directly in ipintr() and ip6intr(). OK mvs@
0b448d84 2022-08-15 16:15:36 Run IPv6 hop-by-hop options processing in parallel. The ip6_hbhchcheck() code is MP safe and moves from ip6_local() to ip6_ours(). If there are any options, store the chain offset and next protocol in a mbuf tag. When dequeuing without tag, it is a regular IPv6 header. As mbuf tags degrade performance, use them only if a hop-by-hop header is present. Such packets are rare and pf drops them by default. OK mvs@
0b5e72a3 2022-08-12 14:49:15 There are some places in ip and ip6 input where operations fail due to out of memory. Use a generic idropped counter for those. OK mvs@
6a1c2aef 2022-08-06 15:57:58 Clean up the netlock macros. Merge NET_RLOCK_IN_SOFTNET and NET_RLOCK_IN_IOCTL, which have the same implementation. The R and W are hard to see, call the new macro NET_LOCK_SHARED. Rename the opposite assertion from NET_ASSERT_WLOCKED to NET_ASSERT_LOCKED_EXCLUSIVE. Update some outdated comments about net locking. OK mpi@ mvs@
dc2bd884 2022-08-04 18:05:09 Use 16 bit variable to store more fragment flag. This avoids loss of significant bits on big endian machines. Bug has been introduced in previous commit by removing the =! 0 check. OK mvs@
0541ad29 2022-07-28 22:05:39 Checking the fragment flags of an incoming IP packet does not need the mutex for the fragment list. Move this code before the critical section. Use ISSET() to make clear which flags are checked. OK mvs@
3ab0b803 2022-07-25 23:19:34 The IPv4 reassembly code is MP safe, so we can run it in parallel. Note that ip_ours() runs with shared netlock, while ip_local() has exclusive netlock after queuing. Move existing the code into function ip_fragcheck() and call it from ip_ours(). OK mvs@
f96d279d 2022-07-24 22:38:25 Fix assertion for write netlock in rip6_input(). ip6_input() has shared net lock. ip_deliver() needs exclusive net lock. Instead of calling ip_deliver() directly, use ip6_ours() to queue the packet. Move the write lock assertion into ip_deliver() to catch such bugs earlier. The assertion was only triggered with IPv6 multicast forwarding or router alert hop by hop option. Found by regress test. OK kn@ mvs@
38603a7e 2022-06-29 09:01:48 Nullify `ipsecflowinfo' when mbuf(9) has no ipsec flowinfo data. Otherwise we use `ipsecflowinfo' obtained from previous packet. ok claudio@
2028c273 2022-05-05 13:57:40 Use static objects for struct rttimer_queue instead of dynamically allocate them. Currently there are 6 rttimer_queues and not many more will follow. So change rt_timer_queue_create() to rt_timer_queue_init() which now takes a struct rttimer_queue * as argument which will be initialized. Since this changes the gloabl vars from pointer to struct adjust other callers as well. OK bluhm@
38f7d33d 2022-05-04 16:52:10 Move rttimer callback function from the rttimer itself to rttimer_queue. All users use the same callback per queue so that makes sense. Also replace rt_timer_queue_destroy() with rt_timer_queue_flush(). OK bluhm@
ef8e83db 2022-04-28 17:27:14 In the multicast router code don't allocate a rt timer queue for each rdomain. The rttimer API is rtable/rdomain aware and so there is no need to have so many queues. Also init the two queues (one for IPv4 and one for IPv6) early on. This will allow the rttable code to become simpler. OK bluhm@
55159bee 2022-04-28 16:56:39 Decouple IP input and forwarding from protocol input. This allows to have parallel IP processing while the upper layers are still not MP safe. Introduce ip_ours() that enqueues the packets and ipintr() that dequeues and processes them with an exclusive netlock. Note that we still have only one softnet task. Running IP processing on multiple CPU will be the next step. lots of testing Hrvoje Popovski; OK sashan@
aae40be1 2022-04-20 09:38:25 Route timeout was a mixture of int, u_int and long. Use type int for timeout, add sysctl bounds checking between 0 and max int, and use time_t for absolute times. Some code assumes that the route timeout queue can be NULL and at some places this was checked. Better make sure that all queues always exist. The pool_get for struct rttimer_queue is only called from initialization and from syscall, so PR_WAITOK is possible. Keep the special hack when ip_mtudisc is set to 0. Destroy the queue and generate an empty one. If redirect timeout is 0, it should not time out. Check the value in IPv6 to make the behavior like IPv4. Sysctl net.inet6.icmp6.redirtimeout had no effect as the queue timeout was not modified. Make icmp6_sysctl() look like icmp_sysctl(). OK claudio@
3ca2e802 2022-02-22 01:35:40 Delete unnecessary #includes of <netinet6/ip6protosw.h>: some never needed it and some no longer need it after moving the externs from there to <sys/protosw.h> ok jsg@
4cd1828e 2022-01-25 04:04:40 Capture a repeated pattern into sysctl_securelevel_int function A few variables in the kernel are only writeable before securelevel is raised. It makes sense to handle them with less code. OK sthen@ bluhm@
a380976c 2021-11-22 13:47:10 Copy code from ip_forward() to ip6_forward() to fix Path MTU discovery in IPsec IPv6 tunnel. Implement sending ICMP6 packet too big messages. Also implement the pf error case in ip6_forward(). While there, do some cleanup and make the IPv4 and IPv6 code look similar. OK tobhe@
7bc01861 2021-06-21 22:09:14 Fix uninitialized variables introduced in rev 1.361 Thankfully clang elided the code in an almost harmless way (at least on amd64 GENERIC.MP). Spotted by chance when building kernels with -Wno-error=uninitialized. ok dlg@ sashan@ bluhm@
b1cb9b44 2021-06-03 01:55:52 remember if the ipv4 header checksum is ok. if a bridge checks the ip header before the network stack, then we can remember it was ok when the bridge checks it so the ip stack doesnt have to. ok claudio@ mvs@
29fa630f 2021-06-02 00:09:57 factor out the code that does basic sanity checks on ipv4 headers. this will allow these checks to be reused by bridge (where they're currently duplicated), veb, and tpmr. ok bluhm@ sashan@
a1c674a4 2021-05-15 08:07:20 Fix IPsec NAT-T to work with pipex(4). Introduce a new packet tag PACKET_TAG_IPSEC_FLOWINFO to specify the IPsec flow. ok mvs
b32486e3 2021-04-30 13:52:48 Rearrange the implementation of bounded sysctl. The primitive functions are sysctl_int() and sysctl_rdint(). This brings us back the 4.4BSD implementation. Then sysctl_int_bounded() builds the magic for range checks on top. sysctl_bounded_arr() is a wrapper around it to support multiple variables. Introduce macros that describe the meaning of the magic boundary values. Use these macros in obvious places. input and OK gnezdo@ mvs@
632220b1 2021-04-23 21:55:36 Setting variable arpinit_done is not MP save if we want to execute arp_rtrequest() in parallel. Move initialization to arpinit() function. OK kettenis@ mvs@
04cb3f44 2021-04-23 21:47:32 The variable la_hold_total contains the number of packets currently in the arp queue. So the sysctl net.inet.ip.arpqueued must be read only. In if_ether.c include the header with the declaration of la_hold_total to ensure that the definition matches. OK mvs@
4a2fbec5 2021-03-30 08:37:10 [ICMP] IP options lead to malformed reply icmp_send() must update IP header length if IP optaions are appended. Such packet also has to be dispatched with IP_RAWOUTPUT flags. Bug reported and fix co-designed by Dominik Schreilechner _at_ siemens _dot_ com OK bluhm@
678831be 2021-03-10 10:21:47 spelling ok gnezdo@ semarie@ mpi@
07beafa0 2021-01-15 15:18:12 As documented in sysctl(2) net.inet.ip.forwarding can be 2. Relax input validation and use integer comparison. OK kn@ mvs@ sthen@
59caf375 2021-01-11 13:28:53 Create a path MTU host route for IPsec over IPv6. Basically the code is copied from IPv4 and adapted. Some things are changed in v4 to make it look similar. - ip6_forward increases the noroute error counter, do that in ip_forward, too. - Pass more specific sockaddr_in6 to icmp6_mtudisc_clone(). - IPv6 may also use reject routes for IPsec PMTU clones. - To pass a route_in6 to ip6_output_ipsec_send() introduce one in ip6_forward(). That is the same what IPv4 does. Note that dst and sin6 switch roles. - Copy comments from ip_output_ipsec_send() to ip6_output_ipsec_send() to make code similar. - Implement dynamic IPv6 IPsec PMTU routes. OK tobhe@
37cac5fd 2020-11-16 06:44:38 Replace sysctl_rdint with sysctl_bounded_args entries in net.inet*
b9c5f65a 2020-08-22 17:55:30 Convert ip_sysctl to sysctl_bounded_args
22eb2a69 2020-08-08 07:42:31 No longer prevent TCP connections to IPv6 anycast addresses. RFC 4291 dropped this requirement from RFC 3513: o An anycast address must not be used as the source address of an IPv6 packet. And from that requirement draft-itojun-ipv6-tcp-to-anycast rightly concluded that TCP connections must be prevented. The draft also states: The proposed method MUST be removed when one of the following events happens in the future: o Restriction imposed on IPv6 anycast address is loosened, so that anycast address can be placed into source address field of the IPv6 header[...] OK jca
41d03808 2020-08-01 23:41:55 Move range check inside sysctl_int_arr Range violations are now consistently reported as EOPNOTSUPP. Previously they were mixed with ENOPROTOOPT. OK kn@
3c6c3993 2020-04-12 11:56:52 Stop processing packets under non-exclusive (read) netlock. Prevent concurrency in the socket layer which is not ready for that. Two recent data corruptions in pfsync(4) and the socket layer pointed out that, at least, tun(4) was incorrectly using NET_RUNLOCK(). Until we find a way in software to avoid future mistakes and to make sure that only the softnet thread and some ioctls are safe to use a read version of the lock, put everything back to the exclusive version. ok stsp@, visa@
fd4abc02 2019-12-23 22:33:57 rdr-to with loopback destination should work even though IP forwarding is disabled. Issue reported by Daniel Jakots (danj@) OK bluhm@
59e813f9 2019-12-09 06:48:52 always pull in if_types.h, to unbreak ramdisks
144d7e8e 2019-12-08 11:08:22 Make sure packet destination address matches interface address, where such packet is bound to. This check is enforced if and only IP forwarding is disabled. Change discussed with bluhm@, claudio@, deraadt@, markus@, tobhe@ OK bluhm@, claudio@, tobhe@
8f6d2e8b 2019-08-06 22:57:54 When we needed the kernel lock for local IP packet delivery, mpi@ introduced a queue to grab the lock for multiple packets. Now we have only netlock for both IP and protocol input. So the queue is not necessary anymore. It just switches CPU and decreases performance. So remove the inet and inet6 ip queue for local packets. To get TCP running on loopback, we have to queue once between TCP input and output of the two sockets. So use the loopback queue in looutput() unconditionally. OK visa@
9f78c7ff 2019-06-10 23:48:21 use m_microtime instead of microtime for SO_TIMESTAMP socketopt handling drivers can set ph_timestamp when packets are received by the hardware, which should be more accurate and cheaper than getting the clock when the packet is queued on the socket.
346625e3 2018-10-13 18:36:01 Expose net.inet.ip.arpq.drops to help debug what's going on when a lot of packets are being dropped but non of the other counters are increasing. From Daniel Hokka Zakrisson (daniel AT hozac DOT com), thanks! OK florian, phessler
7017ab2c 2018-09-11 21:04:03 Convert inetctlerrmap to u_char like inet6ctlerrmap. That is also what FreeBSD does. Remove old #if 0 version of inet6ctlerrmap. OK mpi@
f02cb2e8 2018-09-10 16:14:07 Instead of calculating the mbuf packet header length here and there, put the algorithm into a new function m_calchdrlen(). Also set an uninitialized m_len to 0 in NFS code. OK claudio@
c1746f11 2018-09-10 12:47:02 During fragment reassembly, mbuf chains with packet headers were created. Add a new function m_removehdr() do convert packet header mbufs within the chain to regular mbufs. Assert that the mbuf at the beginning of the chain has a packet header. found by Maxime Villard in NetBSD; from markus@; OK claudio@
4ec8e257 2018-07-10 11:34:12 Introduce new IPsec (per-CPU) statistics and refactor ESP input callbacks to be able to count dropped packet. Having more generic statistics will help troubleshooting problems with specific tunnels. Per-TDB counters are coming once all the refactoring bits are in. ok markus@
3664055b 2018-05-21 15:52:22 All places that call carp_lsdrop() use the interface pointer already. It does not make sense to call if_get() again, just pass ifp as parameter. Move the IFT_CARP check into the function instead of doing it everywhere. Replace the inverted match variable logic with simple returns. OK mpi@ friehm@
d36614f7 2017-12-29 17:05:25 Make the functions which link the pf state keys to mbufs, inpcbs, or other states more consistent. OK visa@ sashan@ on a previous version
c7745dcb 2017-12-04 13:40:34 Make divert lookup similar for all socket types. If PF_TAG_DIVERTED is set, pf_find_divert() cannot fail so put an assert there. Explicitly check all possible divert types, panic in the default case. For raw sockets call pf_find_divert() before of the socket loop. Divert reply should not match on TCP or UDP listen sockets. OK sashan@ visa@
036aff27 2017-11-23 13:45:46 Constify protocol tables and remove an assert now that ip_deliver() is mp-safe. ok bluhm@, visa@
94334c66 2017-11-20 10:35:24 Sprinkle some NET_ASSERT_LOCKED(), const and co to prepare running pr_input handlers without KERNEL_LOCK(). ok visa@
4efd2bdb 2017-11-14 09:30:17 Introduce ipsec_sysctl() and move IPsec tunables where they belong. ok bluhm@, visa@
5b72b23a 2017-11-10 08:55:49 Introduce a reader version of the NET_LOCK(). This will be used to first allow read-only ioctl(2) to be executed while the softnet taskq is running. Then it will allows us to execute multiple softnet taskq in parallel. Tested by Hrvoje Popovski, ok kettenis@, sashan@, visa@, tb@
6460338b 2017-11-08 16:29:20 Make {ah,esp,ipcomp}stat use percpu counters. OK bluhm@, mpi@
914692ad 2017-11-05 13:19:59 Finish off pr_drain functions, they haven't been used since 2006. OK mpi
a1654542 2017-11-01 06:35:38 Fix typo in previous resulting in a NULL dereference.
93865884 2017-10-31 22:05:12 - add one more softnet taskq NOTE: code still runs with single softnet task. change definition of SOFTNET_TASKS in net/if.c, if you want to have more than one softnet task OK mpi@, OK phessler@
c5651e2f 2017-10-29 14:58:39 This doesn't need the NET_LOCK, everything is protected by a mutex. OK mpi, visa