Let ipsp_spd_lookup() return an error instead of a TDB. The TDB
is not always needed, but the error value is necessary for the
caller. As TDB should be refcounted, it makes not sense to always
retu

Let ipsp_spd_lookup() return an error instead of a TDB. The TDB
is not always needed, but the error value is necessary for the
caller. As TDB should be refcounted, it makes not sense to always
return it. Pass an output pointer for the TDB which can be NULL.
OK mvs@ tobhe@

show more ...

When sending ICMP packets for IPsec path MTU discovery, the first
ICMP packet could be wrong. The mtu was taken from the loopback
interface as the tdb mtu was copied to the route too late. Without

When sending ICMP packets for IPsec path MTU discovery, the first
ICMP packet could be wrong. The mtu was taken from the loopback
interface as the tdb mtu was copied to the route too late. Without
crypto task, ipsp_process_packet() returns the EMSGSIZE error
earlier. Immediately update tdb and route mtu.
IPv4 part from markus@; OK tobhe@

show more ...

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobh

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@

show more ...

Use local copy of `ps_rtableid' in ip{,6}_ctloutput() and mark
`ps_rtableid' as atomic. This allows us to unlock setrtable(2).

ok claudio@ mpi@

[ICMP] IP options lead to malformed reply

icmp_send() must update IP header length if IP optaions are appended.
Such packet also has to be dispatched with IP_RAWOUTPUT flags.

Bug reported and fix c

[ICMP] IP options lead to malformed reply

icmp_send() must update IP header length if IP optaions are appended.
Such packet also has to be dispatched with IP_RAWOUTPUT flags.

Bug reported and fix co-designed by Dominik Schreilechner _at_ siemens _dot_ com

OK bluhm@

show more ...

use m_dup_pkthdr in ip_fragment to copy pkthdr info to fragments.

this ensures more stuff is copied, in particular the flowid
information. this is also how v6 does it, which makes things more
consis

use m_dup_pkthdr in ip_fragment to copy pkthdr info to fragments.

this ensures more stuff is copied, in particular the flowid
information. this is also how v6 does it, which makes things more
consistent.

ok bluhm@

show more ...

Refactor ip_fragment() and ip6_fragment(). Use a mbuf list to
simplify the handling of the fragment list. Now the functions
ip_fragment() and ip6_fragment() always consume the mbuf. They
free the

Refactor ip_fragment() and ip6_fragment(). Use a mbuf list to
simplify the handling of the fragment list. Now the functions
ip_fragment() and ip6_fragment() always consume the mbuf. They
free the mbuf and mbuf list in case of an error and take care about
the counter. Adjust the code a bit to make v4 and v6 look similar.
Fixes a potential mbuf leak when pf_route6() called pf_refragment6()
and it failed. Now the mbuf is always freed by ip6_fragment().
OK dlg@ mvs@

show more ...

As ip_insertoptions() may prepend a mbuf, "goto bad" has to free
the new chain. This fixes a potential memory leak in ip_output().
Also simplify a bunch of "goto done".
OK kn@ mvs@

Use NULL instead of 0 in `m_nextpkt' assignment.

ok deraadt@ dlg@

If pf changes the routing table when sending packets, the kernel
could get stuck in an endless recursion during TCP path MTU discovery.
Create a dynamic host route in ip_output() that can be used by

If pf changes the routing table when sending packets, the kernel
could get stuck in an endless recursion during TCP path MTU discovery.
Create a dynamic host route in ip_output() that can be used by
tcp_mtudisc() to store the MTU.
Reported by Peter Mueller and Sebastian Sturm
OK claudio@

show more ...

Simplex interface sends packet back without hardware checksum
offloading. The checksum must be calculated in software. Use the
same condition in ether_resolve() to send the broadcast packet back
to

Simplex interface sends packet back without hardware checksum
offloading. The checksum must be calculated in software. Use the
same condition in ether_resolve() to send the broadcast packet back
to the stack and in in_ifcap_cksum() to force software checksumming.
This fixes regress/sys/kern/sosplice/loop.
OK procter@

show more ...

If IP_MULTICAST_IF or IP_ADD_MEMBERSHIP pass a interface index to the
kernel make sure that the rdomain of that interface is the same as
the rdomain of the inpcb.
Problem spotted and fix tested by se

If IP_MULTICAST_IF or IP_ADD_MEMBERSHIP pass a interface index to the
kernel make sure that the rdomain of that interface is the same as
the rdomain of the inpcb.
Problem spotted and fix tested by semarie@
OK bluhm@ mvs@

show more ...

Fix path MTU discovery for ESP tunneled in IPv6. We always want
short TCP segments or fragments encapsulated in ESP instead of
fragmented ESP packets. Pass the don't fragment flag down along
the st

Fix path MTU discovery for ESP tunneled in IPv6. We always want
short TCP segments or fragments encapsulated in ESP instead of
fragmented ESP packets. Pass the don't fragment flag down along
the stack so that dynamic routes with MTU are created eventually.
with and OK markus@; OK tobhe@

show more ...

Extend IP_MULTICAST_IF to take either an address (struct in_addr), a
struct ip_mreq or a struct ip_mreqn. Using struct ip_mreqn allows to
pass a interface index instead of specifying the multicast in

Extend IP_MULTICAST_IF to take either an address (struct in_addr), a
struct ip_mreq or a struct ip_mreqn. Using struct ip_mreqn allows to
pass a interface index instead of specifying the multicast interface
via its IP address. This is also the API implemented by Linux and
FreeBSD and should help porting software.
OK bluhm@ phessler@ robert@

show more ...

Create a path MTU host route for IPsec over IPv6. Basically the
code is copied from IPv4 and adapted. Some things are changed in
v4 to make it look similar.
- ip6_forward increases the noroute erro

Create a path MTU host route for IPsec over IPv6. Basically the
code is copied from IPv4 and adapted. Some things are changed in
v4 to make it look similar.
- ip6_forward increases the noroute error counter, do that in
ip_forward, too.
- Pass more specific sockaddr_in6 to icmp6_mtudisc_clone().
- IPv6 may also use reject routes for IPsec PMTU clones.
- To pass a route_in6 to ip6_output_ipsec_send() introduce one in
ip6_forward(). That is the same what IPv4 does. Note
that dst and sin6 switch roles.
- Copy comments from ip_output_ipsec_send() to ip6_output_ipsec_send()
to make code similar.
- Implement dynamic IPv6 IPsec PMTU routes.
OK tobhe@

show more ...

Extend IP_ADD_MEMBERSHIP to also support struct ip_mreqn.
struct ip_mreqn allows to use the interface index to select the
interface for multicast packets which makes it possible to use
this with unnu

Extend IP_ADD_MEMBERSHIP to also support struct ip_mreqn.
struct ip_mreqn allows to use the interface index to select the
interface for multicast packets which makes it possible to use
this with unnumbered interfaces.
OK dlg@ robert@

show more ...

Accept reject and blackhole routes for IPsec PMTU discovery.

Since revision 1.87 of ip_icmp.c icmp_mtudisc_clone() ignored reject
routes. Otherwise TCP would clone these routes for PMTU discovery.

Accept reject and blackhole routes for IPsec PMTU discovery.

Since revision 1.87 of ip_icmp.c icmp_mtudisc_clone() ignored reject
routes. Otherwise TCP would clone these routes for PMTU discovery.
They will not work, even after dynamic routing has found a better
route than the reject route.

With IPsec the use case is different. First you need a route, but
then the flow handles the packet without routing. Usually this
route should be a reject route to avoid sending unencrypted traffic
if the flow is missing. But IPsec needs this route for PMTU
discovery, so use it for that.

OK claudio@ tobhe@

show more ...

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@

show more ...

Fix uninitialized use of variable 'len'.

ok bluhm@

Use mallocarray(9) & put some free(9) sizes for M_IPMOPTS allocations.

ok semarie@, visa@

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiples contexts where the bridge has
tentacl

Removes the KERNEL_LOCK() from bridge(4)'s output fast-path.

This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiples contexts where the bridge has
tentacles to protect a pointer, use an interface index.

Tested by various, ok dlg@, visa@

show more ...

Bring back the ip_pcbopts() refactor. Pad the option buffer and therefor
the mbuf to the next word length as it is required by the standard. Also use
the correct offset from the input mbuf.
OK visa@,

Bring back the ip_pcbopts() refactor. Pad the option buffer and therefor
the mbuf to the next word length as it is required by the standard. Also use
the correct offset from the input mbuf.
OK visa@, input & OK bluhm@

show more ...

Revert Rev 1.351, the change is not quite right yet.