pf: Make ":0" (noalias) also ignore link-local IPv6 addresses

When users mark an interface to not use aliases they likely also don't
want to use the link-local IPv6 address there.

For example, with

pf: Make ":0" (noalias) also ignore link-local IPv6 addresses

When users mark an interface to not use aliases they likely also don't
want to use the link-local IPv6 address there.

For example, with the following rule to NAT IPv6:

nat on $ext_if inet6 from $int_if:network to !$int_if:network -> ($ext_if:0)

PF was selecting the link-local address (which comes the first) for the
NAT'ed IPv6 address, which was wrong and broke the NAT setup.

This commit makes PF to ignore the link-local IPv6 addresses so that the
above NAT setup would work.

Obtained-from: FreeBSD (revision 339835, review D17633)
See also: https://lists.freebsd.org/pipermail/freebsd-pf/2014-September/007441.html

show more ...

pf: Fix 'set skip on' for interface groups

Previously if an interface type (without number), e.g. "set skip on vlan"
or "set skip on em" was used, it would have the *undocumented* behavior
of matchi

pf: Fix 'set skip on' for interface groups

Previously if an interface type (without number), e.g. "set skip on vlan"
or "set skip on em" was used, it would have the *undocumented* behavior
of matching *any* interface of that type.

Now it will only match an interface which is a member of the named group.
And thus it works with interface groups of arbitrary names, e.g., one
can "set skip on home" with "home" being the group containing interfaces
"em1" and "tun0".

This results in some changed behavior:

If you currently use "set skip" with a physical interface type (e.g.
"set skip on ix") you will need to add the interface to a group of that
name: 'ifconfig ix0 group ix' or add 'group ix' to hostname.ix0.

Interfaces cloned at runtime (e.g. lo, tap, tun, vlan) default to being
in a group named after the interface type, so for these interfaces there
will be no change in the behavior unless you have deliberately changed
groups.

Obtained-from: FreeBSD (revision 337643)
Obtained-from: OpenBSD (pf_if.c,v 1.62, 1.63)

show more ...

Revert "pf: Allow disappearing or not yet existing interfaces for ALTQ"

This reverts commit 0a887f91f9633448c99b9a5b7c6116a0a22d25d6.

1. It's incorrect to change the ifnet_unlock(). The original p

Revert "pf: Allow disappearing or not yet existing interfaces for ALTQ"

This reverts commit 0a887f91f9633448c99b9a5b7c6116a0a22d25d6.

1. It's incorrect to change the ifnet_unlock(). The original protection
range is used to make sure that the ifp does not get ripped out behind
our back.

2. We don't suffer from the issue that that commit was intended to fix.

Thanks-to: sephe

show more ...

net: Tweak some styles and comments

pf: Allow disappearing or not yet existing interfaces for ALTQ

Make ALTQ cope with disappearing interfaces (particularly common with
net/mpd4 and netgraph in general). This also allows to add queue

pf: Allow disappearing or not yet existing interfaces for ALTQ

Make ALTQ cope with disappearing interfaces (particularly common with
net/mpd4 and netgraph in general). This also allows to add queues for
an interface that is not yet existing, however, you have to provide
the bandwidth for the interface.

Meanwhile, simplify the ifnet_unlock() calls for ifunit() use.

Taken-from: FreeBSD (r177700)

show more ...

pf: Fix and improve interface group support

The old PF code has broken partial support of the interface group.
Without this patch, loading the 'pf.ko' module will panic the system.

* Add event hand

pf: Fix and improve interface group support

The old PF code has broken partial support of the interface group.
Without this patch, loading the 'pf.ko' module will panic the system.

* Add event handlers of pfi_{attach,detach,change}_group_event()
to support the interface groups. Meanwhile, add event handler
of pfi_ifaddr_event() that is called when an address is set up
on an interface, and update pfi_{attach,detach}_event() handlers.
(Based on FreeBSD)

* Remove function pfi_kifaddr_update() as it is merged into
pfi_ifaddr_event() handler.

* Update pfi_initialize() and pfi_cleanup() functions (Based on
FreeBSD).

* Split function pfi_kif_find() out of pfi_kif_get().
(Based on OpenBSD)

* The PF module will be properly initialized on module load, so remove
extra pfi_initialize() calls.

* Rename malloc type 'PFI_MTYPE' to 'M_PFI', and merge with malloc type
'M_PFIADDRPL'.

* Staticize internal functions and variables.

* Some cleanups and style updates.

Thanks to sephe for the guidance.

show more ...

netisr: Simplify assertion related bits

ifnet: Make blocking operation in if_addrheads iteration MPSAFE

Two methods are used:
- Dispatch blocking operation in if_addrheads iteration to netisr0
to run for functions which do not copy data

ifnet: Make blocking operation in if_addrheads iteration MPSAFE

Two methods are used:
- Dispatch blocking operation in if_addrheads iteration to netisr0
to run for functions which do not copy data into user space.
- Use ifaddr marker to make sure that the ifaddr list is not broken
if the ifaddr list is changed during the blocking operation. And
reference the ifaddr being used so it will not be destroyed during
the blocking operation.

show more ...

ifnet: Make ifnet and ifindex2ifnet MPSAFE

- Accessing to these two global variables from non-netisr threads uses
ifnet lock. This kind of accessing is from
- Accessing to ifindex2ifnet from neti

ifnet: Make ifnet and ifindex2ifnet MPSAFE

- Accessing to these two global variables from non-netisr threads uses
ifnet lock. This kind of accessing is from
- Accessing to ifindex2ifnet from netisrs are lockless MPSAFE.
- Netisrs no longer access ifnet, instead they access ifnet array as of
this commit, which is lockless MPSAFE.

Rules for accessing ifnet and ifindex2ifnet is commented near the
declaration of the related global variables/functions in net/if_var.h.

show more ...

network/pf - Avoid a possible bad pointer access.

- Make sure new pfi_kif structures are zeroed on allocation.
- A panic was hit when pfi_instance_add() tried to access a bad ifp
pointer (i.e. whe

network/pf - Avoid a possible bad pointer access.

- Make sure new pfi_kif structures are zeroed on allocation.
- A panic was hit when pfi_instance_add() tried to access a bad ifp
pointer (i.e. when using non-existing iface names in pf.conf)

show more ...

kernel: Remove some unneeded NULL checks after kmalloc() with M_WAITOK.

Initial import of binutils 2.22 on the new vendor branch

Future versions of binutils will also reside on this branch rather
than continuing to create new binutils branches for each new version.

pf: convert to use kmalloc instead of zalloc

Rework carp(4) IPv4 support.

Generic layer changes:
- Pass more detailed information to ifaddr_event handler.
o The ifaddr which triggers the event is passed in
o The action (add/delete/change

Rework carp(4) IPv4 support.

Generic layer changes:
- Pass more detailed information to ifaddr_event handler.
o The ifaddr which triggers the event is passed in
o The action (add/delete/change) performed upon the ifaddr is
passed in
- Add ifa_prflags field in ifaddr_container. This field should
be used to hold protocol specific flags. For inet addresses,
IA_PRF_RTEXISTOK is defined to ignore rtinit() EEXIST error in
in_ifinit().

carp(4) changes:
- Add virtual address struct, which holds corresponding carp(4)
inet address and backing address of a "real" interface (backing
interface).
- The list holding virtual address struct is sorted. This is
mainly used to fix the bug in following case:
host1:
ifconfig carp0 192.168.5.1
ifconfig carp0 alias 192.168.5.2
host2:
ifconfig carp0 192.168.5.2
ifconfig carp0 alias 192.168.5.1
Before this change, the inet addresses sha1 calculated for these
two host will be different, thus CARP fails.
Based-on: OpenBSD
- Allow inet addresses to be added to carp(4) interface, even if
no backing interface could be found or the backing interface is
not running.
- Don't abuse IFF_UP, which is administrative flag; use IFF_RUNNING
instead.
- Factor out carp_stop().
- Handle ifaddr_event; most of the carp(4) inet address configuration
happens in this event handler. In carp_ioctl(), we just mark the
carp(4) interface IFF_UP|IFF_RUNNING and set IA_PRF_RTEXISTOK on
the inet address.
- Fix the ifdetach_event handler:
o Don't sit on the branch while we are sawing it off.
o We always need to leave the joined multicast group.
- Free carp_if to the proper kmalloc pool.
- Simplify the carp_if struct; except the TAILQ_HEAD, rest of the
fields are not used; nuke them.
- Use 'void *' as ifnet.if_carp's type. This could ease upcoming
carp(4) MPSAFE work.
- M_NOWAIT -> MB_DONTWAIT
- Throw in assertions
- Cleanup:
o Nuke SC2IFP
o Nuke carp_softc.sc_ifp compat shim
o Constify function parameters
o ...

show more ...

Parallelize ifnet.if_addrhead accessing by duplicating the list itself
on each CPU, each list element points to ifaddr:
- Add SI_SUB_PRE_DRIVERS before SI_SUB_DRIVERS, so action could be taken
befo

Parallelize ifnet.if_addrhead accessing by duplicating the list itself
on each CPU, each list element points to ifaddr:
- Add SI_SUB_PRE_DRIVERS before SI_SUB_DRIVERS, so action could be taken
before drivers' initialization (mainly before NIC driver's if_attach())
- Move netisr_init() to the FIRST of SI_SUB_PRE_DRIVERS, so that
netmsg_service_port_init() could be called in earlier stage of system
initialization.
- Create one thread on each CPU to propagate changes to ifnet.if_addrhead.
Their thread ports are registered with netmsg_service_port_init() for
port syncing operation.
- Change to ifnet.if_addrhead begins in netisr0, i.e. serial of changes
to ifnet.if_addrhead are serialized by netisr0
- ifaddr's refcnt is moved to its list elements, i.e. per-CPU refcnt.
They are initialized to 1 instead of 0.
- A magic field is added to ifaddr list element to make sure that IFAREF
and IFAFREE are called on valid ifaddr list element. This field is
initialized to a magic value and is wiped out once the list element's
refcnt drops to 0
- To close the gap between testing and freeing, once the ifaddr list
element's refcnt drops to 0, ifa_portfn(0) (a thread's port on CPU0) is
poked to check whether ifaddr is referenced on other CPUs, if not, then
ifaddr is freed on ifa_portfn(0)

Reviewed-by: dillon@ (earlier version)

show more ...

For kmalloc(), MALLOC() and contigmalloc(), use M_ZERO instead of
explicitly bzero()ing.

Reviewed-by: sephe

Rename printf -> kprintf in sys/ and add some defines where necessary
(files which are used in userland, too).

Rename sprintf -> ksprintf
Rename snprintf -> knsprintf

Make allowances for source files that are compiled for both userland and
the kernel.

Rename malloc->kmalloc, free->kfree, and realloc->krealloc. Pass 2

Rename malloc->kmalloc, free->kfree, and realloc->krealloc. Pass 1

Convert to critical sections.

EVENTHANDLER_REGISTER uses the name of the event as string and therefore
the compiler couldn't detect the wrong event names. I used
ifnet_attach_event and ifnet_detach_event instead of ifnet_arrival_

EVENTHANDLER_REGISTER uses the name of the event as string and therefore
the compiler couldn't detect the wrong event names. I used
ifnet_attach_event and ifnet_detach_event instead of ifnet_arrival_event
and ifnet_departure_event. This seemed to work for PF as module because
all existing interfaces are added by hand first.

Problem-reported-by: Aggelos Economopoulos <aoiko@cc.ece.ntua.gr>

show more ...

Add a missing #include and add a missing semicolon.

Kernel part of PF

Ported-by:
- Max Layer (original patch set, FreeBSD PF maintainer)
- Devon O'Dell, Simon 'corecode' Schubert (integration and DragonFly specific
changes)

In contrast to FreeBSD

Kernel part of PF

Ported-by:
- Max Layer (original patch set, FreeBSD PF maintainer)
- Devon O'Dell, Simon 'corecode' Schubert (integration and DragonFly specific
changes)

In contrast to FreeBSD and OpenBSD, use direct flags in pkthdr instead of
m_tags. This reduces allocation and processing overhead.

Keep the IP header in Host Byte Order like the rest of the tree assumes.

Module support has a memory leak for vm_zones when unloading pf.ko.

show more ...

pf: Update packetfilter to OpenBSD 4.4

* As correct pf function depends directly on pfsync now
compile if_pfsyn.c into pf.ko. pflog is already part
of pf.ko.

* A

pf: Update packetfilter to OpenBSD 4.4

* As correct pf function depends directly on pfsync now
compile if_pfsyn.c into pf.ko. pflog is already part
of pf.ko.

* Activate pfsync function by default. It's not a kernel
option anymore, but pfsync is very unlikley to work.
Anyway our ifconfig is missing all pfsync related options.
I will try to make pfsync working again after upgrading to
pf from OpenBSD 4.5 as pfsync changes completley then
and is not compatible anymore with prior versions.

* Also make the module unloading sane in if_pflog.c

Thanks to Alex Hornung and Aggelos Economopoulos for debugging.

show more ...