BSD Commit Log Search

in6: Constify some sockaddr conversion functions

No functional change intended.

MFC after:      1 week
Sponsored by:   Klara, Inc.
Sponsored by:   Stormshield

(cherry picked from commit 3bb15ffc4ab4bfcd4c1bd700a64b3b5ed95389c3)

icmp6: move ICMPv6 related tunables to the files where they are used

Most of them can be declared as static after the move out of in6_proto.c.
Keeping sysctl(9) declarations with their text descriptions next to the
variable declaration create self-documenting code.  There should be no
functional changes.

Differential Revision:  https://reviews.freebsd.org/D44481

(cherry picked from commit 4f96be33fe7676c69c5abb476bb09bba0c63a3f4)

carp: check CARP status in in_localip_fib(), in6_localip_fib()

Don't report a BACKUP CARP address as local.  These two functions are used
only by source address validation for input packets, controlled by sysctls
net.inet.ip.source_address_validation and
net.inet6.ip6.source_address_validation.  For this purpose we definitely
want to treat BACKUP addresses as non local.

This change is conservative and doesn't modify compat in_localip() and
in6_localip().  They are used more widely than the FIB-aware versions.
The change would modify the notion of ipfw(4) 'me' keyword.  There might
be other consequences as in_localip() is used by various tunneling
protocols.

PR:                     277349
(cherry picked from commit 56f7860087eec14b4a65310b70bd704e79e1b48c)

sys: Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

mac_ipacl: new MAC policy module to limit jail/vnet IP configuration

The mac_ipacl policy module enables fine-grained control over IP address
configuration within VNET jails from the base system.
It allows the root user to define rules governing IP addresses for
jails and their interfaces using the sysctl interface.

Requested by:   multiple
Sponsored by:   Google, Inc. (GSoC 2019)
MFC after:      2 months
Reviewed by:    bz, dch (both earlier versions)
Differential Revision: https://reviews.freebsd.org/D20967

netinet[6]: make in[6]_control use ucred instead of td.

Reviewed by:    markj, zlei
Differential Revision: https://reviews.freebsd.org/D40793
MFC after:      2 weeks

ifnet: consistently call hooks when the interface gets up.

Some context on the current IPv6 interface setup & address management:

There are two data path for IPv6 initialisation in context of assigning
 LL addresses:
1) Userland explicitly requests IFF_UP for the interface w/o any addresses.
if_up() then calls in6_if_up(), which calls in6_ifattach().
The latter sets up some initial ND/IN6 state and disables IPv6 for the
interface if it’s not loopback. If the interface is loopback, then it
adds ::1/128 and LL addresses via in6_ifattach_loopback().
Then, devd notification is generated (if the VNET is the default one),
which triggers rc.network ifconfig_up(), causing ifdisabled to be removed
via SIOCSIFINFO_IN6 from ifconfig. The kernel SIOCSIFINFO_IN6 handler
calls in6_if_up() once again and it assigns the interface link-local address.

2) Userland adds IPv4 or IPv6 address to the interface. SIOCAIFADDR[_IN6]
kernel handler calls IPv4/IPv6 protocol handler to add the address.
Both then call if_ioctl() with SIOCSIFADDR. Ethernet/loopback ioctl handlers

    [15 lines not shown]

inet6: protect address manipulation with a lock

This is a total hack/bare minimum which follows inet4.

Otherwise 2 threads removing the same address can easily crash.

Reviewed by:    kp
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Differential Revision:  https://reviews.freebsd.org/D39317

IfAPI: Explicitly include <net/if_private.h> in netstack

Summary:
In preparation of making if_t completely opaque outside of the netstack,
explicitly include the header.  <net/if_var.h> will stop including the
header in the future.

Sponsored by:   Juniper Networks, Inc.
Reviewed by:    glebius, melifaro
Differential Revision: https://reviews.freebsd.org/D38200

routing: fix panic for p2p interfaces after 800c68469ba6.

Reported by:    cy
MFC after:      1 month

(cherry picked from commit 08bb0873ca88be777e1fc8dd9d374e4da938be65)

net: Fix memory leaks in lltable_calc_llheader() error paths

Also convert raw epoch_call() calls to lltable_free_entry() calls, no
functional change intended.  There's no need to asynchronously free the
LLEs in that case to begin with, but we might as well use the lltable
interfaces consistently.

Noticed by code inspection; I believe lltable_calc_llheader() failures
do not generally happen in practice.

Reviewed by:    bz
Sponsored by:   The FreeBSD Foundation

(cherry picked from commit 990a6d18b0cb1eee9e18a4220150d549b9bee753)

netinet6: factor interface addition code to the dedicated function

Summary:
Move SIOCAIFADDR_IN6 (current "primary" ioctl to add an IPv6
 interface address) handling code to the dedicated in6_addifaddr()
 function and make it a part of KPI. This allows in-kernel users to
 add/delete interfaces addresses without relying on ioctl interface.

Subscribers: imp, ae, glebius

Differential Revision: https://reviews.freebsd.org/D36713

Revert "routing: install prefix and loopback routes using new nhop-based KPI."

Temporarily revert the commit to unblock testing.

This reverts commit a1b59379db7d879551118b921f6e9692b4bf200c.

routing: install prefix and loopback routes using new nhop-based KPI.

Construct the desired hexthops directly instead of using the
 "translation" layer in form of filling rt_addrinfo data.
Simplify V_rt_add_addr_allfibs handling by using recently-added
 rib_copy_route() to propagate the routes to the non-primary address
 fibs.

MFC after:      1 month
Differential Revision:  https://reviews.freebsd.org/D36166

mld6: use callout(9) directly instead of pr_slowtimo, pr_fasttimo

While here remove recursive network epoch entry in mld_fasttimo_vnet(),
as this function is already in epoch.

Reviewed by:            melifaro
Differential revision:  https://reviews.freebsd.org/D36161

protosw: change prototype for pr_control

For some reason protosw.h is used during world complation and userland
is not aware of caddr_t, a relic from the first version of C.  Broken
buildworld is good reason to get rid of yet another caddr_t in kernel.

Fixes:  886fc1e80490fb03e72e306774766cbb2c733ac6

routing: fix panic for p2p interfaces after 800c68469ba6.

Reported by:    cy
MFC after:      1 month

netinet6: fix panic on kldunload pfsync

Commit d6cd20cc5 ("netinet6: fix ndp proxying") caused us to panic when
unloading pfsync:

        Fatal trap 12: page fault while in kernel mode
        cpuid = 19; apic id = 38
        fault virtual address   = 0x20
        fault code              = supervisor read data, page not present
        instruction pointer     = 0x20:0xffffffff80dfe7f4
        stack pointer           = 0x28:0xfffffe015d4f8ac0
        frame pointer           = 0x28:0xfffffe015d4f8ae0
        code segment            = base 0x0, limit 0xfffff, type 0x1b
                                = DPL 0, pres 1, long 1, def32 0, gran 1
        processor eflags        = interrupt enabled, resume, IOPL = 0
        current process         = 5477 (kldunload)
        trap number             = 12
        panic: page fault
        cpuid = 19

    [33 lines not shown]

lltable: introduce the llt_post_resolved callback

In order to decrease ifdef INET/INET6s in the lltable implementation,
introduce the llt_post_resolved callback and implement protocol-dependent
code in the protocol-dependent part.

Reviewed By: melifaro
Differential Revision: https://reviews.freebsd.org/D35322
MFC after:      2 weeks

netinet6: fix ndp proxying

We could insert proxy NDP entries by the ndp command, but the host
with proxy ndp entries had not responded to Neighbor Solicitations.
Change the following points for proxy NDP to work as expected:
* join solicited-node multicast addresses for proxy NDP entries
  in order to receive Neighbor Solicitations.
* look up proxy NDP entries not on the routing table but on the
  link-level address table when receiving Neighbor Solicitations.

Reviewed By: melifaro
Differential Revision: https://reviews.freebsd.org/D35307
MFC after:      2 weeks

net: Fix memory leaks in lltable_calc_llheader() error paths

Also convert raw epoch_call() calls to lltable_free_entry() calls, no
functional change intended.  There's no need to asynchronously free the
LLEs in that case to begin with, but we might as well use the lltable
interfaces consistently.

Noticed by code inspection; I believe lltable_calc_llheader() failures
do not generally happen in practice.

Reviewed by:    bz
Sponsored by:   The FreeBSD Foundation

(cherry picked from commit 990a6d18b0cb1eee9e18a4220150d549b9bee753)

netinet6: Use __diagused for variables only used in KASSERT().

net: Fix memory leaks in lltable_calc_llheader() error paths

Also convert raw epoch_call() calls to lltable_free_entry() calls, no
functional change intended.  There's no need to asynchronously free the
LLEs in that case to begin with, but we might as well use the lltable
interfaces consistently.

Noticed by code inspection; I believe lltable_calc_llheader() failures
do not generally happen in practice.

Reviewed by:    bz
MFC after:      1 week
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D34832

[lltable] Add per-family lltable getters.

Introduce a new function, lltable_get(), to retrieve lltable pointer
 for the specified interface and family.
Use it to avoid all-iftable list traversal when adding or deleting
 ARP/ND records.

Differential Revision: https://reviews.freebsd.org/D33660
Approved by:    re(gjb)
MFC after:      2 weeks

(cherry picked from commit ff3a85d32411cdd7894f932b1d3d7ce01ec7a648)
(cherry picked from commit ffcca53561ed0b3d4755dbd2ce1d9942ea4a468e)

[lltable] Add per-family lltable getters.

Introduce a new function, lltable_get(), to retrieve lltable pointer
 for the specified interface and family.
Use it to avoid all-iftable list traversal when adding or deleting
 ARP/ND records.

Differential Revision: https://reviews.freebsd.org/D33660
MFC after:      2 weeks

(cherry picked from commit ff3a85d32411cdd7894f932b1d3d7ce01ec7a648)

[lltable] Add per-family lltable getters.

Introduce a new function, lltable_get(), to retrieve lltable pointer
 for the specified interface and family.
Use it to avoid all-iftable list traversal when adding or deleting
 ARP/ND records.

Differential Revision: https://reviews.freebsd.org/D33660
MFC after:      2 weeks

Add in_localip_fib(), in6_localip_fib().

Check if given address/FIB exists locally.

Reviewed by:            melifaro
Differential revision:  https://reviews.freebsd.org/D32913

lltable: Add support for "child" LLEs holding encap for IPv4oIPv6 entries.

Currently we use pre-calculated headers inside LLE entries as prepend data
 for `if_output` functions. Using these headers allows saving some
 CPU cycles/memory accesses on the fast path.

However, this approach makes adding L2 header for IPv4 traffic with IPv6
 nexthops more complex, as it is not possible to store multiple
 pre-calculated headers inside lle. Additionally, the solution space is
 limited by the fact that PCB caching saves LLEs in addition to the nexthop.

Thus, add support for creating special "child" LLEs for the purpose of holding
 custom family encaps and store mbufs pending resolution. To simplify handling
 of those LLEs, store them in a linked-list inside a "parent" (e.g. normal) LLE.
 Such LLEs are not visible when iterating LLE table. Their lifecycle is bound
 to the "parent" LLE - it is not possible to delete "child" when parent is alive.
 Furthermore, "child" LLEs are static (RTF_STATIC), avoding complex state
 machine used by the standard LLEs.


    [9 lines not shown]

lltable: fix crash introduced in c541bd368f86.

Reported by:    cy

(cherry picked from commit f8c1b1a9296696f70ac209612a00ae0722d07ed9)

[lltable] Unify datapath feedback mechamism.

Use newly-create llentry_request_feedback(),
 llentry_mark_used() and llentry_get_hittime() to
 request datapatch usage check and fetch the results
 in the same fashion both in IPv4 and IPv6.

While here, simplify llentry_provide_feedback() wrapper
 by eliminating 1 condition check.

Differential Revision: https://reviews.freebsd.org/D31390

(cherry picked from commit f3a3b061216936b6233d1624dfdba03240d7c045)