| #
0d469d23
|
| 18-Dec-2025 |
Gleb Smirnoff <glebius@FreeBSD.org> |
net: attach IPv4 and IPv6 stacks to an interface with EVENTHANDLER(9)
This change retires two historic relics: the if_afdata[] array and the dom_ifattach/dom_ifdetach methods.
The if_afdata[] array is a relic of the era when there was an expectation that many transport protocols would coexist with IP, e.g. IPX or NetAtalk. The array hasn't had any members except AF_INET and AF_INET6 for over a decade already. This change removes the array and just leaves two pointer fields: if_inet and if_inet6.
The dom_ifattach/dom_ifdetach predates the EVENTHANDLER(9) framework and was a good enough method to initialize protocol contexts back then. Today there is no good reason to treat IPv4 and IPv6 stacks differently to other protocols/features that attach and detach from an interface.
The locking of if_afdata[] is a relic of SMPng times, when the system startup and the interface attach was even more convoluted than before this change, and we also had unloadable protocols that used a field in if_afdata[]. Note that IPv4 and IPv6 are not unloadable.
Note that this change removes NET_EPOCH_WAIT() from the interface detach sequence. This may surface several new races associated with interface removal. I failed to hit any with consecutive test suite runs, though. The expected general race scenario is that while struct ifnet is freed with proper epoch_call(9) itself, some structures hanging off ifnet are freed with direct free(9). The proper fix is either to make if_foo point at some static "dead" structure providing SMP visibility of this store, or to free those structures with epoch_call(9). All of these cases are planned to be found and resolved during 16.0-CURRENT lifetime.
Reviewed by: zlei, gallatin, melifaro
Differential Revision: https://reviews.freebsd.org/D54089
|
| #
b986aa05
|
| 08-Dec-2025 |
Gleb Smirnoff <glebius@FreeBSD.org> |
lltable: use own lock
Add struct mtx to struct lltable and stop using IF_AFDATA_LOCK, that was created for a completely different purpose. No functional change intended.
Reviewed by: zlei, melifaro
Differential Revision: https://reviews.freebsd.org/D54086
|
| #
7b71f57f
|
| 03-Dec-2025 |
Warner Losh <imp@FreeBSD.org> |
netinet: Remove left-over sys/cdefs.h
These were for $FreeBSD$ that was removed a while ago, but these includes didn't get swept up in that. Remove them all now.
Sponsored by: Netflix
MFC After: 2 weeks
|
| #
7156a5f1
|
| 04-Sep-2025 |
Lexi Winter <ivy@FreeBSD.org> |
bridge: Print a warning if member_ifaddrs=1
When adding an interface with an IP address to a bridge, or assigning an IP address to an interface which is in a bridge, and member_ifaddrs=1, print a warning so users are informed this is deprecated. Also add "(deprecated)" to the sysctl description.
MFC after: 9 hours
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D52335
|
| #
b5c46895
|
| 03-Sep-2025 |
Zhenlei Huang <zlei@FreeBSD.org> |
ifnet: Defer detaching address family dependent data
While diagnosing PR 279653 and PR 285129, I observed that a thread may write to freed memory but the system does not crash. This hides the real problem. A clear NULL pointer dereference is much better than writing to freed memory.
PR: 279653
PR: 285129
Reviewed by: glebius
MFC after: 3 weeks
Differential Revision: https://reviews.freebsd.org/D49444
|
| #
9764aa1c
|
| 01-Sep-2025 |
Zhenlei Huang <zlei@FreeBSD.org> |
bridge: Fix adding gif(4) interface assigned with IP addresses as bridge member
and fix assigning IP addresses to the gif(4) interface when it is a member of a if_bridge(4) interface.
When setting the sysctl net.link.bridge.member_ifaddrs to 1, if_bridge(4) can eliminate unnecessary walk of the member list to determine whether the inbound unicast packets are for us or not.
Well when a gif(4) interface is a member of a if_bridge(4) interface, it acts as the tunnel endpoint to tunnel Ethernet frames over IP network, aka the EtherIP protocol, so the IP addresses configured on it are independent of the if_bridge(4) interface or other if_bridge(4) members, hence the sysctl net.link.bridge.member_ifaddrs should not have any influence over gif(4) interfaces' behavior of assigning IP addresses.
PR: 227450
Reported by: Siva Mahadevan <me@svmhdvn.name>
Reviewed by: ivy, #bridge
MFC after: 1 week
Fixes: 0a1294f6c610 bridge: allow IP addresses on members to be disabled
Differential Revision: https://reviews.freebsd.org/D52200
|
| #
0a1294f6
|
| 05-May-2025 |
Lexi Winter <ivy@FreeBSD.org> |
bridge: allow IP addresses on members to be disabled
add a new sysctl, net.link.bridge.member_ifaddrs, which defaults to 1.
if it is set to 1, bridge behaviour is unchanged.
if it is set to 0:
- an interface which has AF_INET6 or AF_INET addresses assigned cannot be added to a bridge.
- an interface in a bridge cannot have an AF_INET6 or AF_INET address assigned to it.
- the bridge will no longer consider the lladdrs on bridge members to be local addresses, i.e. frames sent to member lladdrs will not be processed by the host.
update bridge.4 to document this behaviour, as well as the existing recommendation that IP addresses should not be configured on bridge members anyway, even if it currently partially works.
in testing, setting this to 0 on a bridge with 50 member interfaces improved throughput by 22% (4.61Gb/s -> 5.67Gb/s) across two member epairs due to eliding the bridge member list walk in GRAB_OUR_PACKETS.
Reviewed by: kp, des
Approved by: des (mentor)
Differential Revision: https://reviews.freebsd.org/D49995
|
| #
3ae7c763
|
| 02-Mar-2025 |
Zhenlei Huang <zlei@FreeBSD.org> |
netinet: Make in_canforward() return bool
No functional change intended.
MFC after: 5 days
|
| #
f7174eb2
|
| 02-Mar-2025 |
Zhenlei Huang <zlei@FreeBSD.org> |
netinet: Do not forward or ICMP response to INADDR_ANY
The section 4 in the draft proposal [1] explicitly states that 0.0.0.0, aka INADDR_ANY, retains its existing special meanings.
[1] https://datatracker.ietf.org/doc/draft-schoen-intarea-unicast-0
Reviewed by: glebius
Fixes: efe58855f3ea IPv4: experimental changes to allow net 0/8, 240/4, part of 127/8
MFC after: 5 days
Differential Revision: https://reviews.freebsd.org/D49157
|
| #
97309cec
|
| 27-Feb-2025 |
Zhenlei Huang <zlei@FreeBSD.org> |
netinet: Make in_ifhasaddr() return bool
No functional change intended.
MFC after: 1 week
|
| #
69beb162
|
| 27-Feb-2025 |
Zhenlei Huang <zlei@FreeBSD.org> |
netinet: Make in_localaddr() return bool
It is used as a boolean function everywhere.
No functional change intended.
MFC after: 1 week
|
| #
a5e380e5
|
| 24-Feb-2025 |
Zhenlei Huang <zlei@FreeBSD.org> |
netinet: Update a comment for in_localip()
The function in_localip() was changed to return bool but the comment was left unchanged.
Fixes: c8ee75f2315e Use network epoch to protect local IPv4 addresses hash
MFC after: 3 days
|
| #
532106f7
|
| 22-Feb-2025 |
Gleb Smirnoff <glebius@FreeBSD.org> |
netinet: use in_broadcast() inline
There should be no functional change.
Reviewed by: rrs, markj
Differential Revision: https://reviews.freebsd.org/D49088
|
| #
197fc4ca
|
| 22-Feb-2025 |
Gleb Smirnoff <glebius@FreeBSD.org> |
netinet: rename in_broadcast() to in_ifnet_broadcast()
This aligns with existing in_ifaddr_broadcast() and aligns with other simple functions or macros with bare "in_" prefix that operate just on struct in_addr and nothing else, e.g. in_nullhost(). No functional change.
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D49041
|
| #
dc9db1f6
|
| 17-Feb-2025 |
Gleb Smirnoff <glebius@FreeBSD.org> |
netinet: make in_broadcast() and in_ifaddr_broadcast return bool
While here annotate deprecated condition with __predict_false() and slightly refactor in_broadcast() removing leftovers from old address list locking. Should be no functional change.
|
| #
48ef7ed7
|
| 31-Dec-2024 |
Ed Maste <emaste@FreeBSD.org> |
Clarify net.inet.ip.allow_net240 and allow_net0
The stack has never limited use of addresses in these ranges as an endpoint. The relatively recent sysctls control only forwarding of, and ICMP response to, these addresses.
Reviewed by: bz
Fixes: efe58855f3ea ("IPv4: experimental changes to allow net 0/8, 240/4, part of 127/8")
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48262
|
| #
e4e0f497
|
| 22-Oct-2024 |
Kristof Provost <kp@FreeBSD.org> |
in: add in_mask2len()
Similar to the existing in6_mask2len() function, but for IPv4. This will be used by pf's nat64 code.
Obtained from: OpenBSD
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D47785
|
| #
bc06c514
|
| 27-Jun-2024 |
Konrad Witaszczyk <def@FreeBSD.org> |
netinet: correct SIOCDIFADDR{,_IN6} calls to use {,in6_}ifreq
The SIOCDIFADDR{,_IN6} ioctls take an ifreq structure object, not an ifaliasreq/in_aliasreq/in6_aliasreq structure object, as their argument. As opposed to ifaliasreq/in_aliasreq/in6_aliasreq used by SIOCAIFADDR{,_IN6}, the ifreq/in6_ifreq structures used by the SIOCDIFADDR{,_IN6} ioctls do not include a separate field for a broadcast address and other values required to add an address to a network interface with SIOCAIFADDR{,_IN6}.
Whilst this issue is not specific to CHERI-extended architectures, it was first observed on CheriBSD running on Arm Morello. For example, incorrect calls using the in6_aliasreq object result in CHERI capability violations. A pointer to the ifra_addr field in in6_aliasreq cast to the ifru_addr union member of in6_ifreq results in bounds being set to the union's larger size. Such bounds exceed the bounds of in6_aliasreq object and the bounds-setting instruction clears a tag of the object's capability.
Reviewed by: brooks, kp, oshogbo
Accepted by: oshogbo (mentor)
Reported by: CHERI
Obtained from: CheriBSD
Differential Revision: https://reviews.freebsd.org/D46016
|
| #
8f04209d
|
| 05-Jun-2024 |
Kristof Provost <kp@FreeBSD.org> |
pf: simplify pf_addrcpy() and pf_match_addr()
Use the v4/v6 union members rather than the uint32_t ones. Export IN_ARE_MASKED_ADDR_EQUAL() in in_var.h and use it (and its IPv6 equivalent) for masked comparisons rather than hand-rolled code.
Event: Kitchener-Waterloo Hackathon 202406
|
| #
56f78600
|
| 19-Mar-2024 |
Gleb Smirnoff <glebius@FreeBSD.org> |
carp: check CARP status in in_localip_fib(), in6_localip_fib()
Don't report a BACKUP CARP address as local. These two functions are used only by source address validation for input packets, controlled by sysctls net.inet.ip.source_address_validation and net.inet6.ip6.source_address_validation. For this purpose we definitely want to treat BACKUP addresses as non local.
This change is conservative and doesn't modify compat in_localip() and in6_localip(). They are used more widely than the FIB-aware versions. The change would modify the notion of ipfw(4) 'me' keyword. There might be other consequences as in_localip() is used by various tunneling protocols.
PR: 277349
|
| #
29363fb4
|
| 23-Nov-2023 |
Warner Losh <imp@FreeBSD.org> |
sys: Remove ancient SCCS tags.
Remove ancient SCCS tags from the tree, automated scripting, with two minor fixups to keep things compiling. All the common forms in the tree were removed with a perl script.
Sponsored by: Netflix
|
| #
685dc743
|
| 16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
sys: Remove $FreeBSD$: one-line .c pattern
Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
|
| #
215bab79
|
| 25-Jul-2023 |
Shivank Garg <shivank@freebsd.org> |
mac_ipacl: new MAC policy module to limit jail/vnet IP configuration
The mac_ipacl policy module enables fine-grained control over IP address configuration within VNET jails from the base system. It allows the root user to define rules governing IP addresses for jails and their interfaces using the sysctl interface.
Requested by: multiple
Sponsored by: Google, Inc. (GSoC 2019)
MFC after: 2 months
Reviewed by: bz, dch (both earlier versions)
Differential Revision: https://reviews.freebsd.org/D20967
|
| #
bb06a80c
|
| 29-Jun-2023 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
netinet[6]: make in[6]_control use ucred instead of td.
Reviewed by: markj, zlei
Differential Revision: https://reviews.freebsd.org/D40793
MFC after: 2 weeks
|
| #
ca185047
|
| 25-Apr-2023 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
lltable: properly set expire time to 0 for static IPv4 entries.
MFC after: 2 weeks
|