Currently pf_get_translation() returns a pointer to a matching
nat/rdr/binat rule, or NULL if no rule was matched or an error occurred
while applying the translation. That is, we don't distinguish between
errors and the lack of a matching rule. Thus, if an error (e.g., a
memory allocation failure or a state conflict) occurs, we simply handle
the packet as if no translation rule was present. This is not
desirable.
Make pf_get_translation() return the matching rule as an out-param and
instead return a reason code which indicates whether there was no
translation rule, or there was a translation rule and we failed to apply
it, or there was a translation rule and we applied it successfully.
Reviewed by: kp, allanjude
MFC after: 3 months
Sponsored by: Klara, Inc.
Sponsored by: Modirum
Differential Revision: https://reviews.freebsd.org/D45672
(cherry picked from commit 7e65cfc9bbe5a9d735ef38f7ed49965b234b8a20)
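The following is an added illustration of the API shape change described in the commit message above; it is not pf's code. The rule table, `struct packet`, the `XLATE_*` reason codes and the verdict names are constructed for this example, and `apply_rule()` stands in for state creation with a switch to simulate an allocation failure. The point is that with the old shape a caller cannot tell "no rule" from "rule matched, translation failed", so the latter is silently passed through, while the out-param form lets the caller drop exactly that case.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed rule table and packet for this example (not pf's structures). */
struct nat_rule { unsigned int match_proto; unsigned int new_src; };
struct packet   { unsigned int proto;       unsigned int src; };

static const struct nat_rule rules[] = {
	{ 6,  0x0a000001 },	/* TCP */
	{ 17, 0x0a000002 },	/* UDP */
};
#define NRULES (sizeof(rules) / sizeof(rules[0]))

/* Stand-in for state creation; 'fail' simulates ENOMEM or a state conflict. */
static bool
apply_rule(const struct nat_rule *r, struct packet *pkt, bool fail)
{
	if (fail)
		return (false);
	pkt->src = r->new_src;
	return (true);
}

/* Old shape: NULL means both "no rule" and "rule found but failed to apply". */
static const struct nat_rule *
get_translation_old(struct packet *pkt, bool fail)
{
	for (size_t i = 0; i < NRULES; i++) {
		if (rules[i].match_proto != pkt->proto)
			continue;
		if (!apply_rule(&rules[i], pkt, fail))
			return (NULL);	/* indistinguishable from no match */
		return (&rules[i]);
	}
	return (NULL);
}

/* New shape: matched rule via *rp, reason via the return value. */
enum xlate_result { XLATE_NO_RULE, XLATE_APPLIED, XLATE_FAILED };

static enum xlate_result
get_translation_new(struct packet *pkt, bool fail, const struct nat_rule **rp)
{
	*rp = NULL;
	for (size_t i = 0; i < NRULES; i++) {
		if (rules[i].match_proto != pkt->proto)
			continue;
		*rp = &rules[i];
		return (apply_rule(&rules[i], pkt, fail) ? XLATE_APPLIED : XLATE_FAILED);
	}
	return (XLATE_NO_RULE);
}

enum verdict { VERDICT_PASS, VERDICT_DROP };

/* Caller on the new API: only a matched-but-failed translation drops. */
static enum verdict
handle_packet(struct packet *pkt, bool fail)
{
	const struct nat_rule *r;

	switch (get_translation_new(pkt, fail, &r)) {
	case XLATE_NO_RULE:	/* no rule: forward untranslated, as before */
	case XLATE_APPLIED:	/* translated: forward */
		return (VERDICT_PASS);
	case XLATE_FAILED:	/* rule matched but could not be applied */
		return (VERDICT_DROP);
	}
	return (VERDICT_DROP);
}

/* 1 if the old API returns NULL for both "no rule" and "rule failed". */
static int
old_api_is_ambiguous(void)
{
	struct packet nomatch = { 1, 0 };	/* ICMP: no rule */
	struct packet failed  = { 6, 0 };	/* TCP: rule, apply fails */

	return (get_translation_old(&nomatch, false) == NULL &&
	    get_translation_old(&failed, true) == NULL);
}

/* Verdict for a packet of the given protocol under the new API. */
static int
new_api_verdict(unsigned int proto, bool fail)
{
	struct packet pkt = { proto, 0 };

	return ((int)handle_packet(&pkt, fail));
}

/* Source address after a successful TCP translation under the new API. */
static unsigned int
new_api_translated_src(void)
{
	struct packet pkt = { 6, 0xc0a80001 };

	(void)handle_packet(&pkt, false);
	return (pkt.src);
}
```

Calling `new_api_verdict(6, true)` exercises the case the commit message cares about: a TCP packet that matches a rule whose translation cannot be applied is now dropped instead of being forwarded untranslated.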
Similar to how the network stack needs to use mb_unmapped_to_ext() to
convert mbufs before passing them to an unsupported driver, if_bridge
needs to avoid passing M_EXTPG mbufs to interfaces that don't support
them. Thus, clear IFCAP_MEXTPG on the bridge if any member interfaces
don't handle unmapped mbufs.
PR: 278245
Reviewed by: jhb, gallatin
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D47294
(cherry picked from commit 2bbfbf80d3bb828ac782c2d990a1fba0eb51e45a)
It makes no sense to assign a NULL vnet to an interface when the kernel
option VIMAGE is enabled. Add an assertion to catch that.
This will also help diagnose problem reports [1] and [2].
1. https://bugs.freebsd.org/275381
2. https://bugs.freebsd.org/282168
Reviewed by: kp
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D46982
(cherry picked from commit d1d839d0b593541174ca48c675c9eff4ddb4715e)
This driver allows only exactly one instance to be created. Clone-creating
additional interfaces, e.g. `ifconfig enc1 create`, will get the
error EEXIST, which is somewhat confusing.
Convert to the new KPI for the less confusing error ENOSPC.
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D45758
(cherry picked from commit eacad82f3ad0af7d74968e73ed383fc4531d1924)
This might be useful when adding bounds checks to mtod(). No functional
change intended.
MFC after: 1 week
(cherry picked from commit 5c385a54fe9ccbd3f28f20b5a025a856d229fa05)
It is declared as static. Make the definition consistent with the
declaration.
This follows 7ff9ae90f0 and partially reverts 09f6ff4f1a.
Reviewed by: erj
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D46185
(cherry picked from commit 8161000892830ee52bc8048be91b40cdad25fea8)
If we fail to change the vlan id we have to undo the removal (and vlan id
change) in the error path. Otherwise we'll have removed the vlan object from the
hash table, and have the wrong vlan id as well. Subsequent modification attempts
will then try to remove an entry which doesn't exist, and panic.
Undo the vlan id modification if the insertion in the hash table fails, and
re-insert it under the original vlan id.
PR: 279195
Reviewed by: zlei
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D45285
(cherry picked from commit bdd12889eaa64032b3d09ef47e9a6f7081863378)
As for the consumer `enc_add_hhooks()`, `hhook_add_hook()` will never
fail for the given parameters. Meanwhile, to build the module if_enc(4),
at least option INET or INET6 is required, so no need for the error
EPFNOSUPPORT.
No functional change intended.
Reviewed by: ae
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D46770
(cherry picked from commit 7643141e9314f1eac0d9ac08457410509e6829ad)
This ensures that the ifnet's NUMA affinity is accurate.
Reviewed by: kbowling
MFC after: 2 weeks
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D46667
(cherry picked from commit 767723ddebe9c76a2d4a45a50d9b0efc9f2f91d7)
Follow the pattern from iflib_irq_alloc_generic function and use
iflib_fast_intr as a handler for RX only interrupts.
Also remove some intermediate variables and use consistent
way for referencing queue's structures.
Signed-off-by: Krzysztof Galazka <krzysztof.galazka@intel.com>
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D46061
(cherry picked from commit 36a001923836e280e750b76947b8705fcc47b0b7)
The indentation style for the SYSCTL_* macros used was not matching KNF.
Reported by: jhb
Differential Revision: https://reviews.freebsd.org/D44811
(cherry picked from commit e4a0c92e7aea50654290e3082668932cea16b64f)
Some of the QUAD sysctls are actually for unsigned quad values.
Switch to using UQUAD instead, as that is meant for unsigned.
Reviewed by: erj, jhb
Obtained from: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D44620
(cherry picked from commit 303dea74c2cb3a41fba455fce8577993e637c3da)
This comment was introduced by fix [1]. The fix was later refined by
change [2], and the context of the usage of `m_get2()` and `m_getjcl()`
got lost, so the comment became obscure.
Update it to reflect the current behavior.
1. f13da24715 net/bpf: Fix writing of buffer bigger than PAGESIZE
2. a051ca72e2 Introduce m_get3()
Fixes: a051ca72e2 Introduce m_get3()
MFC after: 3 days
(cherry picked from commit 343bf78e487190557889c8ba53d8080b268867f7)
An interface's bpf could feasibly not exist, in which case
bpf_peers_present() would panic from a NULL pointer dereference. Solve
this by adding a new IfAPI that could deal with a NULL bpf, if such
could occur in the network stack.
Reviewed by: zlei
Sponsored by: Juniper Networks, Inc.
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D42082
(cherry picked from commit 8f31b879ecaf9e738dba631df4606742ee404e8e)
bpf: Prefer the boolean form when calling bpf_peers_present()
Reviewed by: markj, kp, #network
MFC with: 8f31b879ecaf
Differential Revision: https://reviews.freebsd.org/D45509
(cherry picked from commit 89204d9dcbe28558fae65936a0e93f44d926b88f)
IFF_ALLMULTI has an associated activation counter and so needs special
treatment, like IFF_PROMISC. Introduce IFF_PALLMULTI, akin to
IFF_PPROMISC, which indicates that userspace requested allmulti mode,
and handle it specially in ifhwioctl().
Reviewed by: zlei, glebius
MFC after: 2 weeks
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D46524
(cherry picked from commit 58f194223ab8578269772a6874a8444e5e03afaf)
All uses of this function were incorrect. if_amcount is a reference
count which tracks the number of times the network stack internally set
IFF_ALLMULTI. (if_pcount is the corresponding counter for IFF_PROMISC.)
Remove if_getamcount() and fix up callers to get the number of assigned
multicast addresses instead, since that's what they actually want.
Sponsored by: Klara, Inc.
Reviewed by: zlei, glebius
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D46523
(cherry picked from commit 408c909dc64f77d2696d6fec77a2e0b00255cf96)
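The following is an added illustration of the two-flag scheme described in the two commits above; it is not if.c's code. The `struct iface`, the flag values and the `hw_updates` counter are constructed for this example, and `if_allmulti()`/`ifhwioctl_setflags()` are simplified stand-ins for the kernel paths they are named after. It shows why the user-requested bit (IFF_PALLMULTI) has to be kept separately from the reference-counted effective bit (IFF_ALLMULTI): an in-kernel consumer taking and releasing a reference must not clear a mode userspace asked for, and the counter (if_amcount) counts those internal references, not multicast addresses.

```c
#include <errno.h>
#include <stdbool.h>

/* Constructed flag values for this example (not the kernel's). */
#define IFF_ALLMULTI	0x0001	/* interface currently in allmulti mode */
#define IFF_PALLMULTI	0x0002	/* userspace asked for allmulti (persistent) */

struct iface {
	unsigned int flags;
	unsigned int amcount;		/* internal IFF_ALLMULTI references */
	unsigned int hw_updates;	/* times the driver was reprogrammed */
};

/* Effective mode is the OR of the user request and any internal reference. */
static void
recompute_allmulti(struct iface *ifp)
{
	bool want = (ifp->flags & IFF_PALLMULTI) != 0 || ifp->amcount > 0;
	bool have = (ifp->flags & IFF_ALLMULTI) != 0;

	if (want == have)
		return;
	if (want)
		ifp->flags |= IFF_ALLMULTI;
	else
		ifp->flags &= ~IFF_ALLMULTI;
	ifp->hw_updates++;	/* stand-in for pushing SIOCSIFFLAGS to the driver */
}

/* In-kernel consumer taking or dropping an allmulti reference. */
static int
if_allmulti(struct iface *ifp, bool onswitch)
{
	if (onswitch) {
		ifp->amcount++;
	} else {
		if (ifp->amcount == 0)
			return (EINVAL);	/* unbalanced release */
		ifp->amcount--;
	}
	recompute_allmulti(ifp);
	return (0);
}

/* SIOCSIFFLAGS path: userspace toggles IFF_PALLMULTI only; IFF_ALLMULTI is derived. */
static void
ifhwioctl_setflags(struct iface *ifp, unsigned int req_flags)
{
	if (req_flags & IFF_PALLMULTI)
		ifp->flags |= IFF_PALLMULTI;
	else
		ifp->flags &= ~IFF_PALLMULTI;
	recompute_allmulti(ifp);
}

/* Scenario: user enables allmulti, then an internal reference comes and goes.
 * Returns 1 if the interface stays in allmulti mode throughout and the
 * hardware was reprogrammed exactly once. */
static int
user_request_survives_internal_release(void)
{
	struct iface ifc = { 0, 0, 0 };

	ifhwioctl_setflags(&ifc, IFF_PALLMULTI);
	if_allmulti(&ifc, true);
	if_allmulti(&ifc, false);
	return ((ifc.flags & IFF_ALLMULTI) != 0 && ifc.hw_updates == 1);
}

/* Scenario: internal references only; the mode clears when the last one drops
 * and a further release is rejected. Returns 1 on the expected behaviour. */
static int
internal_refs_balance(void)
{
	struct iface ifc = { 0, 0, 0 };

	if_allmulti(&ifc, true);
	if_allmulti(&ifc, true);
	if_allmulti(&ifc, false);
	if ((ifc.flags & IFF_ALLMULTI) == 0)
		return (0);	/* one reference left: must still be on */
	if_allmulti(&ifc, false);
	return ((ifc.flags & IFF_ALLMULTI) == 0 && ifc.amcount == 0 &&
	    if_allmulti(&ifc, false) == EINVAL);
}
```

If the user request were folded into the same counter, or IFF_ALLMULTI were written directly from the ioctl, the release in the first scenario would switch the hardware out of allmulti while userspace still believed it was on.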
If pf_icmp_state_lookup() finds a state but rejects it for not matching the
expected direction, we should unlock the state (and NULL out *state). This
simplifies life for callers, and also ensures there's no confusion about what a
non-NULL returned state means.
Previously it could have been left in there by the caller, resulting in callers
unlocking the same state twice.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 0578fe492284ded4745167060be794032e6e22f0)
Following bluhm's advice this changes the way we set up state keys and
perform state lookups for ICMPv6 Neighbor Discovery packets:
- replace the NS-dst with ND target address;
- replace the NA-src with ND target address;
- replace the NA-dst with unspecified address if it is a multicast.
This allows pf to match Address Resolution, Neighbor Unreachability
Detection and Duplicate Address Detection packets to the corresponding
states without the need to create new ones or match unrelated ones.
As a side effect we're doing now one state table lookup for ND packets
instead of two.
Fixes a bug uncovered by one of the previous commits that virtually
breaks IPv6 connectivity after a few minutes of use.
ok stsp henning, with and ok bluhm
PR: 280701
MFC after: 1 week
Obtained from: OpenBSD, mikeb <mikeb@openbsd.org>, 2633ae8c4c8a
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 5ab1e5f7e5585558a73b723f07528977a82cee82)
In main [1] this warning message is suppressed, but there are no plans to MFC the
change as the message may still be useful for users that upgrade from
older releases to 14.x or 13.x. Well, emitting this warning message every
time the fib number is increased is confusing for users, not for the feature
`net.add_addr_allfibs`; let's limit it to be printed only once.
1. a48f7a2eb90b fibs: Suppress the WARNING message for setups with multiple fibs
This is a direct commit to stable/14 and stable/13.
PR: 280097
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D46204
These variables are tunables, so in principle they never change at runtime.
That would mean they don't need to be tracked per-vnet.
However, they both can be decreased (back to their default values) if the
memory allocations for their respective tables fail, and these allocations are
per-vnet. That is, it's possible for a few vnets to be started and have the
tuned size for the hash and srchash tables only to have later vnets fail the
initial allocation and fall back to smaller allocations. That would confuse
the previously created vnets (because their actual table size and size/mask
variables would no longer match).
Avoid this by turning these into per-vnet variables.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 271f146955641857c93705b5b1916b8004e5623c)
Some drivers, e.g. if_enc(4), only allow one instance to be created, but
the KPI ifc_attach_cloner() treats a zero value of maxunit as not limited,
aka IF_MAXUNIT.
Introduce a new flag IFC_F_LIMITUNIT to indicate that the requested
maxunit is limited and should be respected.
Consumers should use the new flag if there is an intended limit.
Reviewed by: glebius
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D45757
(cherry picked from commit a2cac544a668d2834ed41986aca32b44b9819c89)
When a lagg interface is destroyed, it destroys all of the lagg ports,
which triggers an asynchronous link state change handler. This in turn
may generate a netlink message, a portion of which requires netlink to
invoke the SIOCGIFMEDIA ioctl of the lagg interface, which involves
scanning the list of interface media. This list is not internally
locked, it requires the interface driver to provide some kind of
synchronization.
Shortly after the link state notification has been raised, the lagg
interface detaches itself from the network stack. As a part of this, it
blocks in order to wait for link state handlers to drain, but before
that it destroys the interface media list. Reverse this order of
operations so that the link state change handlers drain first, avoiding
a use-after-free that is very occasionally triggered by lagg stress
tests. This matches other ethernet drivers in the tree.
MFC after: 2 weeks
(cherry picked from commit 02cbf9ebf110c94ec9e60f0801716ff0a75e55e5)
Change 4787572d05 made if_alloc_domain() never fail, so the
wrappers if_alloc(), if_alloc_dev(), and if_gethandle() never fail either.
No functional change intended.
Reviewed by: kp, imp, glebius, stevek
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D45740
(cherry picked from commit aa3860851b9f6a6002d135b1cac7736e0995eedc)
On clone creation, a failure from either vxlan_set_user_config() or
ifc_copyin() will result in leaking the previously allocated counters.
Since counter_u64_alloc(M_WAITOK) never fails, make vxlan_stats_alloc()
void and move the allocation of the counters below the check of ifd->params to
avoid the memory leak.
Reviewed by: kp, glebius
Fixes: b092fd6c97 if_vxlan(4): add support for hardware assisted checksumming, TSO, and RSS
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D45822
(cherry picked from commit 087f5e08ab5f0384163f76f73b9a91c98a3ba450)
The encapsulated (original) frame does not count in FCS as per Section 5
of RFC 7348.
Reviewed by: afedorov, bryanv, #network
Fixes: b7592822d5 Allow set MTU more than 1500 bytes
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D45195
(cherry picked from commit d6963b9ed3287e91db3d1df153861591faff0007)
Since change [1], if_bpf will not be detached by the interface departure
eventhandler and will not be NULL. Then the logic to re-attach if_bpf
becomes dead and serves no purpose any more.
This partially reverts commit 05fc416403.
1. 9ce40d321d bpf: Fix incorrect cleanup
Reviewed by: kp
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D45599
(cherry picked from commit 9738277b5c662a75347efa6a58daea485d30f895)
While here remove a pointless static local variable lo_cloner.
No functional change intended.
Reviewed by: kp
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D45728
(cherry picked from commit 2cb7605a2415a1c0dd35374a88f815ef00e31de9)
This improves readability a little. As a side effect, a redundant
CURVNET_RESTORE is removed.
No functional change intended.
Reviewed by: glebius
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D45595
(cherry picked from commit ef4f4a44d9134ddadede0e2e6e658d0688c5ab3c)
This makes it easier to grep the usage.
Reviewed by: kp
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D45715
(cherry picked from commit 71f8fbf9bda43e3ca2f26d0499b7a88d0f2f7352)
State keys are trivially const in lookup routines, so annotate them as
such. No functional change intended.
Reviewed by: kp
MFC after: 1 week
Sponsored by: Klara, Inc.
Sponsored by: Modirum
Differential Revision: https://reviews.freebsd.org/D45671
(cherry picked from commit 66b8cac8d837c0ca3fd38d0a66259ca932a1c430)
This function was introduced in commit [1] and is actually used as a
boolean function although it was not defined as so.
No functional change intended.
1. 16d878cc99 Fix the following bpf(4) race condition which can result in a panic
Reviewed by: markj, kp, #network
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D45509
(cherry picked from commit 0dfd11abc4bd0dcb96a6d287cc4e52e8f59b64c1)
User misconfiguration, either tunnel loops, or a large number of
different nested tunnels, can overflow the kernel stack. Prevent that
by using if_tunnel_check_nesting().
PR: 278394
Diagnosed by: markj
Reviewed by: kp
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D45197
(cherry picked from commit 93fbfef0b50354b7a1620822454ef29cd415cb2d)
User misconfiguration may lead to routing loops where we try to send the tunnel
packet into the tunnel. This eventually leads to stack overflows and panics.
Avoid this using if_tunnel_check_nesting(), which will drop the packet if we're
looping or we hit three layers of nested tunnels.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 59a6666ec91d71f97aaae5195bbfafd9d422db2e)
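The following is an added illustration of the nesting check that the two tunnel commits above rely on; it is not FreeBSD's if_tunnel_check_nesting(). The packet's record of already-traversed tunnel interfaces is modelled as a fixed array rather than mbuf tags, the `MAX_TUNNEL_NESTING` limit of 3 is an assumption taken from the "three layers" wording, and the interface names are constructed stand-ins. It shows the two conditions that would otherwise recurse until the kernel stack overflows: a tunnel whose route points back into itself (a loop), and a chain of distinct tunnels deeper than the limit.

```c
#include <stddef.h>

/* Assumed limit, taken from the "three layers of nested tunnels" wording. */
#define MAX_TUNNEL_NESTING	3

/* Constructed stand-in for an mbuf carrying one tag per tunnel traversed. */
struct tunnel_pkt {
	const void *ifs[MAX_TUNNEL_NESTING];	/* tunnel ifnets already seen */
	unsigned int nifs;
};

enum nest_result { NEST_OK, NEST_LOOP, NEST_TOO_DEEP };

/* Called by a tunnel's output routine before it encapsulates the packet. */
static enum nest_result
tunnel_check_nesting(struct tunnel_pkt *pkt, const void *ifp)
{
	for (unsigned int i = 0; i < pkt->nifs; i++)
		if (pkt->ifs[i] == ifp)
			return (NEST_LOOP);	/* the tunnel is sending into itself */
	if (pkt->nifs >= MAX_TUNNEL_NESTING)
		return (NEST_TOO_DEEP);		/* one encapsulation layer too many */
	pkt->ifs[pkt->nifs++] = ifp;		/* record this layer and allow it */
	return (NEST_OK);
}

/* A packet passes through the listed interfaces in order. Returns the 1-based
 * hop at which it is dropped, or 0 if every hop passed. */
static int
drop_hop(const void *const *path, unsigned int n)
{
	struct tunnel_pkt pkt = { { NULL }, 0 };

	for (unsigned int i = 0; i < n; i++)
		if (tunnel_check_nesting(&pkt, path[i]) != NEST_OK)
			return ((int)i + 1);
	return (0);
}

/* Distinct addresses stand in for distinct ifnets (constructed). */
static const int gif0 = 0, gre0 = 1, me0 = 2, wg0 = 3;

/* gif0 -> gre0 -> gif0: a routing loop, dropped at the third hop. */
static int
loop_drop_hop(void)
{
	const void *p[] = { &gif0, &gre0, &gif0 };

	return (drop_hop(p, 3));
}

/* Four distinct nested tunnels: the fourth layer is refused. */
static int
deep_drop_hop(void)
{
	const void *p[] = { &gif0, &gre0, &me0, &wg0 };

	return (drop_hop(p, 4));
}

/* Three nested tunnels stay within the limit and pass. */
static int
three_ok(void)
{
	const void *p[] = { &gif0, &gre0, &me0 };

	return (drop_hop(p, 3));
}
```

Because the check runs in the output path of every tunnel type, a misconfigured route only costs one dropped packet per attempt instead of unbounded recursion through the encapsulation routines.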
There are situations where a struct ifnet has a NULL if_ioctl pointer.
For example, e6000sw creates such struct ifnets for each of its ports so it can
call into the MII code.
If there is then a link state event this calls do_link_state_change()
-> rtnl_handle_ifevent() -> dump_iface() -> get_operstate() ->
get_operstate_ether(). That wants to know if the link is up or down, so it tries
to ioctl(SIOCGIFMEDIA), which doesn't go well if if_ioctl is NULL.
Guard against this, and return EOPNOTSUPP.
PR: 275920
MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 43387b4e574043b78a58c8bcb7575161b055fce1)
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1159
(cherry picked from commit 65767e6126a7e92bc76561b4ffd005cf85ba525e)
if_bridge: Minor style fixes
And more comments on the #ifdef INET blocks to improve readability.
While here, revert the order of two prototypes to produce minimal diff
compared to stable branches.
(cherry picked from commit 73585176ffd84c13d68cad67c2ca81643f09075c)
The pseudo_AF_HDRCMPLT check is already being done in if_loop and
just needed to be ported over to if_ic, if_wg, if_disc, if_gif,
if_gre, if_me, if_tuntap and ng_iface. This is needed in order to
allow these interfaces to work properly with e.g., tcpreplay.
PR: 256587
Reviewed by: markj
MFC after: 2 weeks
Pull Request: https://github.com/freebsd/freebsd-src/pull/876
(cherry picked from commit 2cb0fce24d64039090dc9243cdf0715ee80c91b1)
The if_bridge contains several instances of:
if (AF_INET code ...
#ifdef INET6
AF_INET6 code ...
#endif
) {
...
Clean this up by adding a couple of macros at the top of the file that
are conditionally defined based on whether INET and/or INET6 are enabled,
which makes the code more readable and easier to maintain.
No functional change intended.
Reviewed by: zlei, markj
MFC after: 1 week
Pull Request: https://github.com/freebsd/freebsd-src/pull/1191
(cherry picked from commit ef84dd8f4926304306d5989ca9afdbf760c6d813)
This is used by 802.3 Ethernet. (It is also used by 802.4 Token Bus and
802.5 Token Ring, but we don't support those.)
This was accidentally removed along with FDDI support in commit
0437c8e3b1, presumably because comments implied it was used only by
FDDI or Token Ring.
Fixes: 0437c8e3b1 ("Remove support for FDDI networks.")
Reviewed-by: emaste
Signed-off-by: Denny Page <dennypage@me.com>
Pull-request: https://github.com/freebsd/freebsd-src/pull/1166
(cherry picked from commit fcdf9a19893b9b5beb7a21407de507f0ae4c500b)
The ice(4) driver will add the ability to create extra interfaces
that hang off of the base interface; to do that the driver requires
a method for the subinterface to request hardware interrupt resources
from the base interface.
Signed-off-by: Eric Joyner <erj@FreeBSD.org>
Sponsored by: Intel Corporation
Differential Revision: https://reviews.freebsd.org/D39930
(cherry picked from commit ed34a6b6eab9ea39759ccd3f12876a815d271929)