Retire switch(4) it never really was production ready and the OpenFlow
API implemented is a deadend.
OK akoshibe@ yasuoka@ deraadt@ kn@ patrick@ sthen@

spelling

ok gnezdo@ semarie@ mpi@

We have this sequence in bridge(4) ioctl(2) path:

ifs = ifunit(req->ifbr_ifsname);
if (ifs == NULL) {
error = ENOENT;
break;
}
if (ifs->if_bridgeidx != ifp->if_index) {
error = ESRCH;

We have this sequence in bridge(4) ioctl(2) path:

ifs = ifunit(req->ifbr_ifsname);
if (ifs == NULL) {
error = ENOENT;
break;
}
if (ifs->if_bridgeidx != ifp->if_index) {
error = ESRCH;
break;
}
bif = bridge_getbif(ifs);

This sequence repeats 8 times. Also we don't check value returned by
bridge_getbig() before use. Newly introduced bridge_getbig() function
replaces this sequence. This not only reduces duplicated code but also
makes `bif' dereference safe.

ok bluhm@

show more ...

`struct bstp_state' stores pointer to parent `ifnet' as `bs_ifp'.
Replace this pointer by interface index. This allow us to avoid some use
after free issues caused by ifioctl() races.

ok sashan@

Interface index is unsigned integer. Fix the places where it referenced
as signed. u_int used within pipex(4) for consistency with other code.

ok dlg@ mpi@

Use interface index instead of pointer to `ifnet' in `struct bstp_port'.

ok yasuoka@

turn the linkstate hooks into a task list, like the detach hooks.

this is largely mechanical, except for carp. this moves the addition
of the carp link state hook after we're committed to using the

turn the linkstate hooks into a task list, like the detach hooks.

this is largely mechanical, except for carp. this moves the addition
of the carp link state hook after we're committed to using the new
interface as a carpdev. because the add can't fail, we avoid a
complicated unwind dance. also, this tweaks the carp linkstate hook
so it only updates the relevant carp interface, not all of the
carpdevs on the parent.

hrvoje popovski has tested an early version of this diff and it's
generally ok, but there's some splasserts that this diff fires that
i'll fix in an upcoming diff.

ok claudio@

show more ...

replace the hooks used with if_detachhooks with a task list.

the main semantic change is that things registering detach hooks
have to allocate and set a task structure that then gets added to
the li

replace the hooks used with if_detachhooks with a task list.

the main semantic change is that things registering detach hooks
have to allocate and set a task structure that then gets added to
the list. this means if the task is allocated up front (eg, as part
of carps softc or bridges port structure), it avoids the possibility
that adding a hook can fail. a lot of drivers weren't checking for
failure, and unwinding state in the event of failure in other parts
was error prone.

while doing this i discovered that the list operations have to be
in a particular order, but drivers weren't doing that consistently
either. this diff wraps the list ops up so you have to seriously
go out of your way to screw them up.

ive also sprinkled some NET_ASSERT_LOCKED around the list operations
so we can make sure there's no potential for the list to be corrupted,
especially while it's being run.

hrvoje popovski has tested this a bit, and some issues he discovered
have been fixed.

ok sashan@

show more ...

Switch the list of span interfaces and interfaces to SMR.

This removes the KERNEL_LOCK() around the list iteration in bridge_enqueue().

Since the NET_LOCK() isn't protecting any data structure, rel

Switch the list of span interfaces and interfaces to SMR.

This removes the KERNEL_LOCK() around the list iteration in bridge_enqueue().

Since the NET_LOCK() isn't protecting any data structure, release it early
in all the code paths coming from the Network Stack to prevent possible
deadlock situations with smr_barrier().

bridge_input() is still KERNEL_LOCK()ed as well as bridge_filterrule().

ok visa@

show more ...

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiples contexts where the bridge has
tentacl

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiples contexts where the bridge has
tentacles to protect a pointer, use an interface index.

Tested by various, ok dlg@, visa@

show more ...

Move the tag mechanism outside of net/if_bridge.c.

This will help for future (un)locking.

ok visa@

Protect the hash table with a mutex.

inputs & ok visa@

Make bridge_rtupdate() return an error value instead of a pointer.

Plumbing to simplify upcoming locking.

- Do checks that do not access shared data structures first, they don't
need locking and save us some dances.

- Use the common !ETHER_IS_MULTICAST() idiom a

Plumbing to simplify upcoming locking.

- Do checks that do not access shared data structures first, they don't
need locking and save us some dances.

- Use the common !ETHER_IS_MULTICAST() idiom and move some code that won't
be executed if the bridge(4) is down.

ok bluhm@, visa@

show more ...

Convert interface lists from TAILQ to SLIST in preparation for fine
grained locking.

ok visa@, florian@

Stop passing `sc' when it isn't needed and use `ifp' where it's good
enough.

ok sthen@, visa@

Add a new '-protected' option for bridge members.

Bridge members that are part of the same protected domain, refered by
a number between 1 and 31, cannot talk to each others. This is useful
to isol

Add a new '-protected' option for bridge members.

Bridge members that are part of the same protected domain, refered by
a number between 1 and 31, cannot talk to each others. This is useful
to isolate VMs or untrusted networks at layer 2.

Members can be part of multiple protected domain making it possible to
create complex protected setups.

ok ccardenas@, claudio@, dlg@, henning@

show more ...

implement an arp filter
allows arp (and rarp) requests and replies to be matched, including matching
based on the source and target host and protocol adresses, and thus control
over arp traffic and l

implement an arp filter
allows arp (and rarp) requests and replies to be matched, including matching
based on the source and target host and protocol adresses, and thus control
over arp traffic and learning.
written for medical x-ray machines, but useful in many spread out L2 networks
ok claudio benno

show more ...

Stop using pfsockaddr_union outside of pf so that we can remove its usage
inside pf later on. pfsync can use the one from ip_ipsp.h and bridge can
have its own version for now.
OK mpi@ phessler@

No need for a splsoftnet()/splx() dance when the KERNEL_LOCK() is what
serialize access to bridge(4) data structures.

ok mikeb@

Use detach hook to notify bridge of interface removal instead of adding
code to if.c.

ok mpi@

Rename brtag_src/brtag_dst to brtag_peer/brtag_local to avoid
confusion about the tunnel endpoints when responding to the peer.

OK yasuoka@

Add support for a multipoint-to-multipoint mode in vxlan(4). In this
mode, vxlan(4) must be configured to accept any virtual network
identifier with "vnetid any" and added to a bridge(4) or switch(4

Add support for a multipoint-to-multipoint mode in vxlan(4). In this
mode, vxlan(4) must be configured to accept any virtual network
identifier with "vnetid any" and added to a bridge(4) or switch(4).
This way the driver will dynamically learn the tunnel endpoints and
their vnetids for the responses and can be used to dynamically bridge
between VXLANs. It is also being used in combination with switch(4)
and the OpenFlow tunnel classifiers.

With input from yasuoka@ goda@
OK deraadt@ dlg@

show more ...

Add switch(4) support to ifconfig

ok deraadt@ yasuoka@ reyk@ henning@

Import switch(4), an in-kernel OpenFlow switch which can work alone.
switch(4) currently supports OpenFlow 1.3.5.
Currently, it's disabled by the kernel config.

With help from yasuoka@ reyk@ jsg@.

Import switch(4), an in-kernel OpenFlow switch which can work alone.
switch(4) currently supports OpenFlow 1.3.5.
Currently, it's disabled by the kernel config.

With help from yasuoka@ reyk@ jsg@.

ok deraadt@ yasuoka@ reyk@ henning@

show more ...