History log of /src/sys/netinet/ip_carp.c (Results 1 – 25 of 896)
Revision Date Author Comments
# 72472e52 12-Mar-2026 Gleb Smirnoff <glebius@FreeBSD.org>

carp: retire ioctl(2) API

All supported stable branches use netlink(4) API to configure carp(4).
The deleted code also has kernel stack leak vulnerability, that requires
extra effort to fix.

Reviewed by: pouria, kp
Differential Revision: https://reviews.freebsd.org/D55804


# 9f71153a 05-Mar-2026 Olivier Cochard <olivier@FreeBSD.org>

carp: fix global demotion counter to VRRP advertisements

When net.inet.carp.preempt=1 and a physical interface goes down, the global
V_carp_demotion counter is incremented. For CARP this was already reflected in
outgoing advertisements via DEMOTE_ADVSKEW(), but VRRP sent the raw
sc_vrrp_prio unchanged, so demotion had no effect.

Add DEMOTE_VRRP_PRIO(), a macro analogous to DEMOTE_ADVSKEW():
It subtracts V_carp_demotion from the configured priority and clamps the result
to [0, 254]. Priority 0 is VRRPv3's "resign" signal and causes backups to
preempt immediately. Priority 255 (IP address owner) is never demoted.

Reviewed by: kp
Approved by: kp
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D55558


# 7b71f57f 03-Dec-2025 Warner Losh <imp@FreeBSD.org>

netinet: Remove left-over sys/cdefs.h

These were for $FreeBSD$ that was removed a while ago, but these
includes didn't get swept up in that. Remove them all now.

Sponsored by: Netflix
MFC After: 2 weeks


# 716acd93 03-Oct-2025 Andrey V. Elsukov <ae@FreeBSD.org>

carp6: revise the generation of ND6 NA

* use ND_NA_FLAG_ROUTER flag in carp_send_na() when we work as router.
* use in6addr_any as destination address for nd6_na_output(), then it
  will use ipv6-all-nodes multicast address.
* add in6_selectsrc_nbr() function that accepts additional argument
  ip6_moptions. Use this function from ND6 code to avoid cases when
  nd6_na_output/nd6_ns_output can not find source address for
  multicast destinations.
* add some comments from RFC2461 for better understanding.
* use tlladdr argument as flags and use ND6_NA_OPT_LLA when we need
  to add target link-layer address option, and ND6_NA_CARP_MASTER when
  we know that target address is CARP master. Then we can prepare
  correct CARP's mac address if target address is CARP master.
* move blocks of code where multicast options is initialized and
  use it when destination address is multicast.

Reviewed by: kp
Obtained from: Yandex LLC
MFC after: 2 weeks
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D52825


# 6a97fbe6 24-May-2025 Andrey V. Elsukov <ae@FreeBSD.org>

carp: fix mbuf_tag usage in carp_macmatch6

carp_macmatch6() had two issues that affect IPv6 processing:
1) it returns sc->sc_addr pointer that might become invalid after
   softc destroying.
2) carp_output() expects carp vhid to be stored in the mtag,
   not the pointer to softc.

Fix these issues. Allocate enough space in mtag to keep both vhid and
mac address. Copy vhid first to fix issue with carp_output(), then
copy sc_addr and return pointer to this copy. mtag will be alive
until mbuf is used.
This fixes problem when IPv6 packets originated from CARP IPv6 address
use incorrect mac address due to mbuf_tag has invalid data.

Reviewed by: zlei, kp, glebius
Obtained from: Yandex LLC
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D50455


# b7d5bda6 06-Mar-2025 Zhenlei Huang <zlei@FreeBSD.org>

carp: Use static initializers

MFC after: 1 week


# 70703aa9 03-Mar-2025 acazuc <acazuc@acazuc.fr>

netinet: allow per protocol random IP id control, single out IPSEC

A globally enabled random IP id generation may be useful in most IP
contexts, but it may be unnecessary in the case of IPsec encapsulated
packets because IPsec can be configured to use anti-replay windows.

This commit adds a new net.inet.ipsec.random_id sysctl to control whether
or not IPsec packets should use random IP id generation.

Rest of the protocols/modules are still controlled by the global
net.inet.ip.random_id, but can be easily augmented with a knob.

Reviewed by: glebius
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D49164


# 17766334 22-Feb-2025 Zhenlei Huang <zlei@FreeBSD.org>

carp: Fix checking IPv4 multicast address

An IPv4 address stored in `struct in_addr` is in network byte order but
`IN_MULTICAST` wants host order.

PR: 284872
Reported by: Steven Perreau
Reported by: Brett Merrick <brett.merrick@itcollective.nz>
Reviewed by: Franco Fichtner <franco@opnsense.org>, ae, kp, glebius
Tested by: Steven Perreau
Fixes: 137818006de5 carp: support unicast
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D49053


# ee507b70 05-Feb-2025 Gleb Smirnoff <glebius@FreeBSD.org>

netlink: refactor KPI for generic Netlink modules

Now that the family and group are completely private to netlink_generic.c,
provide a simple and robust KPI, that would require very simple guarantees
from both KPI and the module:

* Strings are used only for family and group registration, that return ID:
  uint16_t genl_register_family(const char *name, ...
  uint32_t genl_register_group(uint16_t family, const char *name, ...
* Once created families and groups are guaranteed to not disappear and
  be addressable by their ID.
* All subsequent calls, including deregistration shall use ID.

Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D48845


# e9255daf 03-Jan-2025 Gleb Smirnoff <glebius@FreeBSD.org>

pf: netlink KPI use cleanup

- use nlf_p_empty instead of declaring own empty array
- don't declare _IN() macro when we don't parse a header

Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D48306


# 29f61502 03-Dec-2024 Gleb Smirnoff <glebius@FreeBSD.org>

netlink: use nitems() and roundup(2) from param.h

While here style nested includes (kernel ones go first).

Reviewed by: melifaro
Differential Revision: https://reviews.freebsd.org/D47557


# 7d508464 31-Aug-2024 Mark Johnston <markj@FreeBSD.org>

carp: Fix pullup checks

The conditions used to test whether a pullup is needed were inverted.

While here:
- Fix a bogus assignment to "iplen": it's already initialized to *offp.
- Use in_cksum_skip() instead of manually adjusting the data pointer.
  Otherwise the mbuf is temporarily in an invalid state, since m_len
  isn't updated to match.

Reported by: KMSAN
Reviewed by: kp
Sponsored by: Klara, Inc.
Fixes: 37115154672f ("carp: support VRRPv3")
Differential Revision: https://reviews.freebsd.org/D46492


# a254d687 30-Apr-2024 Gleb Smirnoff <glebius@FreeBSD.org>

carp: isolate VRRP from CARP

There is only one functional change here - we don't allow SIOCSVH (or
netlink request) to change sc->sc_version. I'm convinced that allowing
such a change doesn't bring any practical value, but creates endless
minefields in front of both developers and end users (sysadmins). If
you want to switch from VRRP to CARP or vice versa, you'd need to recreate
the VHID.

Oh, one tiny functional change: carp_ioctl_set() won't modify any fields
if it returns EINVAL. Previously you could provide valid advbase with
invalid advskew - that used to modify advbase and return EINVAL.

All other changes is a sweep around not ever using CARP fields when
we are in VRRP mode and vice versa. Also adding assertions on sc_version
where necessary.

Do not send VRRP vars in CARP mode via NetLink and vice versa. However
in compat ioctl SIOCGVH for VRRP mode the CARP fields would be zeroes.

This allows to declare softc as union and thus prevent any future logic
deterioration wrt to mixing VRRP and CARP.

Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D45039


# 601438fb 30-Apr-2024 Gleb Smirnoff <glebius@FreeBSD.org>

carp: refactor packet tagging for ether_output()

- Separate HMAC preparation (CARP specific) from tagging.
- In unicast mode (CARP specific) don't put tag at all.
- Don't put pointer to software context into the tag. Putting just vhid,
  an integer value, is a safer design.

Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D45038


# cda57d95 29-Apr-2024 Gleb Smirnoff <glebius@FreeBSD.org>

carp: assert that we are calling correct input function. We are.

Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D45037


# 5ee92cbd 29-Apr-2024 Gleb Smirnoff <glebius@FreeBSD.org>

carp: don't chain call vrrp_send_ad via carp_send_ad

Provide inline send_ad_locked() that switches between protocol
specific sending function.

Rename carp_send_ad() to carp_callout() to avoid getting lost in
all these multiple foo_send_ad.

No functional change intended.

Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D45036


# 37115154 02-Apr-2024 Kristof Provost <kp@FreeBSD.org>

carp: support VRRPv3

Allow carp(4) to use the VRRPv3 protocol (RFC 5798). We can distinguish carp and
VRRP based on the protocol version number (carp is 2, VRRPv3 is 3), and support
both from the carp(4) code.

Reviewed by: glebius
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D44774


# 6bce41a3 27-Feb-2024 Gordon Bergling <gbe@FreeBSD.org>

carp(4): Fix a typo in a source code comment

- s/successfull/successful/

MFC after: 3 days


# ab393e95 12-Oct-2023 Kristof Provost <kp@FreeBSD.org>

netlink: move NETLINK define to opt_global.h

Move the NETLINK define into opt_global.h so we can rely on it being
set correctly, without having to remember to include opt_netlink.h.
This ensures that the NETLINK define is correctly set. If not we
may end up with unloadable modules, due to missing symbols (such as
nlmsg_get_group_writer).

PR: 274306
Reviewed by: imp, markj
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D42179


# 242fa308 09-Sep-2023 Zhenlei Huang <zlei@FreeBSD.org>

carp: Explicitly mark tunable net.inet.carp.allow with CTLFLAG_NOFETCH

With recent change 110113bc086f, a vnet tunable can be initialized when
there is a corresponding kernel environment variable unless it is marked
with the flag CTLFLAG_NOFETCH.

The initialization may happen during early boot (linker preload), at that
time vnet0 has not been created. The handler carp_allow_sysctl() for the
tunable net.inet.carp.allow requires vnet, thus invoking it during early
boot will cause kernel panic.

The tunable is initialized by vnet sysinit routine ipcarp_sysinit() so
let's just mark it with flag CTLFLAG_NOFETCH.

No functional change intended.

Fixes: 110113bc086f sysctl(9): Enable vnet sysctl variables to be loader tunable
MFC after: 2 week
Differential Revision: https://reviews.freebsd.org/D41525


# 685dc743 16-Aug-2023 Warner Losh <imp@FreeBSD.org>

sys: Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/


# 600bf006 02-Aug-2023 Andrey V. Elsukov <ae@FreeBSD.org>

carp: delete interface routes on link loss.

Obtained from: Yandex LLC
MFC after: 10 days
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D41290


# c2c28c0f 18-May-2023 Kristof Provost <kp@FreeBSD.org>

carp: fix unicast link-local

If the peer6 address is a link-local address we have to embed the
scopeid, much like we have to for IPv6 multicast as well.

Sponsored by: Rubicon Communications, LLC ("Netgate")


# 4d846d26 10-May-2023 Warner Losh <imp@FreeBSD.org>

spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD

The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of BSD-2-Clause.

Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix


# 28921c4f 30-Mar-2023 Kristof Provost <kp@FreeBSD.org>

carp: allow commands to use interface name rather than index

Get/set commands can now choose to provide the interface name rather
than the interface index. This allows userspace to avoid a call to
if_nametoindex().

Suggested by: melifaro
Reviewed by: melifaro
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D39359

