Use roundup_pow_of_two in place of a local function that does the same thing.
Reviewed by: alc, markj
Differential Revision: https://reviews.freebsd.org/D45536
In several places, a loop tests for powers of two, or iterates through
powers of two. In those places, replace the loop with an invocation
of fls or ilog2 without changing the meaning of the code.
Reviewed by: alc, markj, kib, np, erj, avg (previous version)
Differential Revision: https://reviews.freebsd.org/D45494
When a packet matches an existing dynamic rule for a keep-state rule,
the matching engine advances the "instruction pointer" to the action
portion of the rule skipping over the match conditions. However, the
code was merely breaking out of the switch statement rather than doing
a continue, so the remainder of the loop body after the switch was
still executed. If the first action opcode contains an F_NOT but not
an F_OR (such as an "untag" action), then match is toggled to 0, and
the code exits the inner loop via a break which aborts processing of
the actions.
To fix, just use a continue instead of a break.
PR: 276732
Reviewed by: jhb, ae
MFC after: 2 weeks
Have a simple Gilbert-Elliott channel model in
dummynet to mimick correlated loss behavior of
realistic environments. This allows simpler testing
of burst-loss environments.
Reviewed By: tuexen, kp, pauamma_gundo.com, #manpages
Sponsored by: NetApp, Inc.
Differential Revision: https://reviews.freebsd.org/D42980
Apply the following automated changes to try to eliminate
no-longer-needed sys/cdefs.h includes as well as now-empty
blank lines in a row.
Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/
Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/
Remove /\n+#if.*\n#endif.*\n+/
Remove /^#if.*\n#endif.*\n/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/
Sponsored by: Netflix
The following sysctl variables are actually loader tunables. Add sysctl
flag CTLFLAG_TUN to them so that `sysctl -T` will report them correctly.
1. net.inet.ip.fw.enable
2. net.inet6.ip6.fw.enable
3. net.link.ether.ipfw
No functional change intended.
Reviewed by: glebius
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D41928
Explicitly add pfsync as a know upper layer protocol so we don't
automatically discard pfsync packets (carried over IPv6).
net.inet6.ip6.fw.deny_unknown_exthdrs defaults to 1, so even if
net.inet.ip.fw.default_to_accept is set to 1 we'd discard pfsync (over
IPv6).
Reviewed by: ae
Differential Revision: https://reviews.freebsd.org/D40973
When we clean up a wf2q+ queue we need to ensure that we remove it from
the correct heap. If we leave a queue pointer behind in an unexpected
heap we'll later write to it, causing a use-after-free and unpredictable
panics.
Teach the dummynet heap code to verify that we're removing the correct
object so we can safely attempt to remove objects not contained in the
heap.
Remove a to-be-removed queue from all heaps.
Also don't continue the enqueue function if we're not finding the queue
on the idle heap as we'd expect.
While here also remove the empty heap warning, because this is now
expected to happen.
See also: https://redmine.pfsense.org/issues/14433
Sponsored by: Rubicon Communications, LLC ("Netgate")
The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of BSD-2-Clause.
Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix
Packet Mark is an analogue to ipfw tags with O(1) lookup from mbuf while
regular tags require a single-linked list traversal.
Mark is a 32-bit number that can be looked up in a table
[with 'number' table-type], matched or compared with a number with optional
mask applied before comparison.
Having generic nature, Mark can be used in a variety of needs.
For example, it could be used as a security group: mark will hold a security
group id and represent a group of packet flows that shares same access
control policy.
Reviewed By: pauamma_gundo.com
Differential Revision: https://reviews.freebsd.org/D39555
MFC after: 1 month
The 0b70e3e78b changed the original design of a single entry point
into pfil(9) chains providing separate functions for the filtering
points that always provide mbufs and know the direction of a flow.
The motivation was to reduce branching. The logical continuation
would be to do the same for the filtering points that always provide
a memory pointer and retire the single entry point.
o Hooks now provide two functions: one for mbufs and optional for
memory pointers.
o pfil_hook_args() has a new member and pfil_add_hook() has a
requirement to zero out uninitialized data. Bump PFIL_VERSION.
o As it was before, a hook function for a memory pointer may realloc
into an mbuf. Such mbuf would be returned via a pointer that must
be provided in argument.
o The only hook that supports memory pointers is ipfw:default-link.
It is rewritten to provide two functions.
o All remaining uses of pfil_run_hooks() are converted to
pfil_mem_in().
o Transparent union of pfil_packet_t and tricks to fix pointer
alignment are retired. Internal pfil_realloc() reduces down to
m_devget() and thus is retired, too.
Reviewed by: mjg, ocochard
Differential revision: https://reviews.freebsd.org/D37977
Summary:
In preparation of making if_t completely opaque outside of the netstack,
explicitly include the header. <net/if_var.h> will stop including the
header in the future.
Sponsored by: Juniper Networks, Inc.
Reviewed by: glebius, melifaro
Differential Revision: https://reviews.freebsd.org/D38200
The name doesn't get modified, and it gets passed through to a hash
function that accepts only a const pointer. Const it for correctness.
Sponsored by: Juniper Networks, Inc.
Serialize rcvif when enqueing packets for codel. We already tried to
restore the serialized rcvif in fq_codel_extract_head(), but that
doesn't work when we fail to serialize it first, so we ended up dropping
all packets passed through codel.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D37318
The NAT module use of the tcphdr.th_x2 field now collides with the
use of this TCP header flag as AccECN (AE) bit. Use the topmost
bit instead to allow negotiation of AccECN across a NAT device.
Event: IETF 115 Hackathon
Reviewed By: #transport, tuexen
MFC after: 3 days
Sponsored by: NetApp, Inc.
Differential Revision: https://reviews.freebsd.org/D37300
With clang 15, the following -Werror warnings are produced:
sys/netpfil/ipfw/ip_fw_iface.c:206:16: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
ipfw_iface_init()
^
void
sys/netpfil/ipfw/ip_fw_iface.c:219:19: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
ipfw_iface_destroy()
^
void
This is because ipfw_iface_init() and ipfw_iface_destroy() are declared
with (void) argument lists, but defined with empty argument lists. Make
the definitions match the declarations.
MFC after: 3 days
With clang 15, the following -Werror warning is produced:
sys/netpfil/ipfw/ip_fw_iface.c:159:26: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
iface_khandler_deregister()
^
void
This is because iface_khandler_deregister() is declared with a (void)
argument list, but defined with an empty argument list. Make the
definition match the declaration.
MFC after: 3 days
With clang 15, the following -Werror warning are produced:
sys/netpfil/ipfw/ip_fw_sockopt.c:3477:23: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
ipfw_init_sopt_handler()
^
void
sys/netpfil/ipfw/ip_fw_sockopt.c:3485:26: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
ipfw_destroy_sopt_handler()
^
void
This is because ipfw_init_sopt_handler() and ipfw_destroy_sopt_handler()
are declared with (void) argument lists, but defined with empty argument
lists. Make the definitions match the declarations.
MFC after: 3 days
With clang 15, the following -Werror warning is produced:
sys/netpfil/ipfw/ip_fw_iface.c:128:24: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
iface_khandler_register()
^
void
This is because iface_khandler_register() is declared with a (void)
argument list, but defined with an empty argument list. Make the
definition match the declaration.
MFC after: 3 days
With clang 15, the following -Werror warnings are produced:
sys/netpfil/ipfw/ip_fw_sockopt.c:187:19: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
ipfw_init_counters()
^
void
sys/netpfil/ipfw/ip_fw_sockopt.c:196:22: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
ipfw_destroy_counters()
^
void
sys/netpfil/ipfw/ip_fw_sockopt.c:3241:23: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
ipfw_init_obj_rewriter()
^
void
sys/netpfil/ipfw/ip_fw_sockopt.c:3249:26: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
ipfw_destroy_obj_rewriter()
^
void
This is because ipfw_init_counters(), ipfw_destroy_counters(),
ipfw_init_obj_rewriter(), and ipfw_destroy_obj_rewriter() are declared
with (void) argument lists, but defined with empty argument lists. Make
the definitions match the declarations.
MFC after: 3 days
With clang 15, the following -Werror warning is produced:
sys/netpfil/ipfw/ip_dummynet.c:802:6: error: variable 'n' set but not used [-Werror,-Wunused-but-set-variable]
int n = 0; /* only for stats */
^
Here, 'n' is a variable that is only used when debugging. Mark the
variable as potentially unused, to suppress the warning.
MFC after: 3 days
When we extended the switch statement to allow for PROTO_LAYER2 |
PROTO_IPV6 in c21cbaca2b we didn't extend the check for a non-NULL
struct ifnet pointer.
Happily the only PROTO_IPV6 case is pf's layer 2 support, which always
provides one.
Reported by: Coverity (CID 1490459)
Sponsored by: Rubicon Communications, LLC ("Netgate")
If dummynet_task() is run on a vnet where dummynet is still initialising
(i.e. still running ip_dn_vnet_init()) we can attempt to use an
uninitialised mutex.
We can use the existing init_done field to check if the per-vnet
V_dn_cfg is fully set up, if we ensure that it's only set to 1 when
we've done all of the init work.
Reported by: Alfredo Dal'Ava Júnior <alfredo@freebsd.org>
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D35716
When pf sends layer 2 traffic into dummynet it still marks IPv6 with
IPFW_ARGS_IPV6 (which dummynet translates to PROTO_V6). That in turn
results in it not matching the 'DIR_IN | PROTO_LAYER2' case, and
triggering the 'bad switch' error message.
Add extra cases for LAYER2 | PROTO_IPV6.
Sponsored by: Rubicon Communications, LLC ("Netgate")
By analogy with IP address matching, add a way to use ipfw radix
tables for MAC matching. This is implemented using new ipfw table
with mac:radix type. Also there are src-mac and dst-mac lookup
commands added.
Usage example:
ipfw table 1 create type mac
ipfw table 1 add 11:22:33:44:55:66/48
ipfw add skipto tablearg src-mac 'table(1)'
ipfw add deny src-mac 'table(1, 100)'
ipfw add deny lookup dst-mac 1
Note: sysctl net.link.ether.ipfw=1 should be set to enable ipfw
filtering on L2.
Reviewed by: melifaro
Obtained from: Yandex LLC
MFC after: 1 month
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D35103
The dn_pkt_tag tag contained a struct ifnet pointer. If we persist that
across NET_EPOCH boundaries (as we did in dummynet) we risk panics if
the interface is removed between the packet being enqueued and it being
dequeued.
Convert the pointer into an index/generation pair and restore it when
the packet is taken out of the queue.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D35256
This fixed panic with interface being removed while packet
was sitting on a queue. This allows to pass all dummynet
tests including forthcoming dummynet:ipfw_interface_removal
and dummynet:pf_interface_removal and demonstrates use of
m_rcvif_serialize() and m_rcvif_restore().
Reviewed by: kp
Differential revision: https://reviews.freebsd.org/D33267
(cherry picked from commit 165746f4e4)
Matching for DSCP codes has used incorrect bits. Use IPV6_DSCP()
macro for matching opcodes to fix this. Also this leads to always
use value from a mbuf instead of cached value.
Previously different opcodes have used both cached in f_id value
and stored in the mbuf, and it did not always work after setdscp
action, since cached value was not updated.
Update IPv6 flowid value cached in the f_id.flow_id6 when we do
modification of DSCP value in O_SETDSCP opcode, it may be used by
external modules.
Also added logging support for O_SETDSCP opcode.
Reviewed by: kp
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D34807
The ref_count counter is global (i.e. not per-vnet) so we can't use a
per-vnet lock to protect it. Moreover, in callouts curvnet is not set,
so we'd end up panicing when trying to use DN_BH_WLOCK().
Instead we use the global sched_lock, which is already used when
evaluating ref_count (in unload_dn_aqm()).
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34059
If there are no more entries, or if we fail to restore the rcvif of a
queued mbuf dn_dequeue() can return NULL.
Cope with this.
Reviewed by: glebius
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34078