kernel: No need to handle mbuf allocation failures if use M_WAITOK

kernel - Add per-process capability-based restrictions

* This new system allows userland to set capability restrictions which
turns off numerous kernel features and root accesses. These restricti

kernel - Add per-process capability-based restrictions

* This new system allows userland to set capability restrictions which
turns off numerous kernel features and root accesses. These restrictions
are inherited by sub-processes recursively. Once set, restrictions cannot
be removed.

Basic restrictions that mimic an unadorned jail can be enabled without
creating a jail, but generally speaking real security also requires
creating a chrooted filesystem topology, and a jail is still needed
to really segregate processes from each other. If you do so, however,
you can (for example) disable mount/umount and most global root-only
features.

* Add new system calls and a manual page for syscap_get(2) and syscap_set(2)

* Add sys/caps.h

* Add the "setcaps" userland utility and manual page.

* Remove priv.9 and the priv_check infrastructure, replacing it with
a newly designed caps infrastructure.

* The intention is to add path restriction lists and similar features to
improve jailess security in the near future, and to optimize the
priv_check code.

show more ...

network - Remove ip_len header-length adjustment

* This should remove the last main code path modifications to packet
mbuf contents. The IP header in the mbuf is now basically left alone
whenev

network - Remove ip_len header-length adjustment

* This should remove the last main code path modifications to packet
mbuf contents. The IP header in the mbuf is now basically left alone
whenever possible, bringing us in-line with FreeBSD and Linux and
removing cache-line bounces between cpus and between a cpu and the
related PCIe DMA.

* Do not adjust ip_len to remove the IP header length.

* Various protocol stacks do the subtraction themselves, when needed.

* Various bits of code that added the length back in to execute a function
then removed it again cleaned up.

* IP reassembly (in ip_input.c and pf_norm.c) cleaned up.

show more ...

network - Remove host-order translations of ipv4 ip_off and ip_len

* Do not translate ip_off and ip_len to host order and then back again
in the network stack. The fields are now left in network

network - Remove host-order translations of ipv4 ip_off and ip_len

* Do not translate ip_off and ip_len to host order and then back again
in the network stack. The fields are now left in network order.

show more ...

inet: unhook and remove rip_ctlinput

This is no longer needed thanks to rt_purgecloned.
This also fixes two problems where we would lie about the address
being removed via RTM_DELADDR and the assump

inet: unhook and remove rip_ctlinput

This is no longer needed thanks to rt_purgecloned.
This also fixes two problems where we would lie about the address
being removed via RTM_DELADDR and the assumption that the
subnet route should be removed / moved to another interface.

show more ...

socket: introduce SO_RERROR to detect receive buffer overflow

kernel receive buffers are initially of a limited size and
generally the network protocols that use them don't care
if a packet gets los

socket: introduce SO_RERROR to detect receive buffer overflow

kernel receive buffers are initially of a limited size and
generally the network protocols that use them don't care
if a packet gets lost.

However some users do care about lost messages even if not
baked into the protocol - such as consumers of route(4) to
track state.

POSIX states that read(2) can return an error of ENOBUFS so
return this error code when an overflow is detected.
Guard this with socket option SO_RERROR so that existing
applications which do not care can carry on not caring by
default.

Taken-from: NetBSD
Reviewed-by: sephe

show more ...

kernel: Remove numerous #include <sys/thread2.h>.

Most of them were added when we converted spl*() calls to
crit_enter()/crit_exit(), almost 14 years ago. We can now
remove a good chunk of them agai

kernel: Remove numerous #include <sys/thread2.h>.

Most of them were added when we converted spl*() calls to
crit_enter()/crit_exit(), almost 14 years ago. We can now
remove a good chunk of them again for where crit_*() are
no longer used.

I had to adjust some files that were relying on thread2.h
or headers that it includes coming in via other headers
that it was removed from.

show more ...

Remove IPsec and related code from the system.

It was unmaintained ever since we inherited it from FreeBSD 4.8.

In fact, we had two implementations from that time: IPSEC and FAST_IPSEC.
FAST_IPSEC

Remove IPsec and related code from the system.

It was unmaintained ever since we inherited it from FreeBSD 4.8.

In fact, we had two implementations from that time: IPSEC and FAST_IPSEC.
FAST_IPSEC is the implementation to which FreeBSD has moved since, but
it didn't even build in DragonFly.

Fixes for dports have been committed to DeltaPorts.

Requested-by: dillon
Dports-testing-and-fixing: zrj

show more ...

ipfw: Add per-cpu table support.

This is intended to improve performance and reduce latency for
matching discrete addresses. Table itself is radix tree.

For exmaple, nginx, 1KB web object, 30K con

ipfw: Add per-cpu table support.

This is intended to improve performance and reduce latency for
matching discrete addresses. Table itself is radix tree.

For exmaple, nginx, 1KB web object, 30K concurrent connections,
1 request/connection. ipfw is running on the server side.

Comparison between no-match rules and no-match table entries:

| perf-avg | lat-avg | lat-stdev | lat-99%
| (tps) | (ms) | (ms) | (ms)
-------------------+-----------+---------+-----------+---------
100 nomatch rules | 184752.65 | 67.50 | 5.69 | 79.11
-------------------+-----------+---------+-----------+---------
100 nomatch tblent | 200754.53 | 61.18 | 5.72 | 73.10

1K nomatch rules | 90836.43 | 144.72 | 12.28 | 168.97
-------------------+-----------+---------+-----------+---------
1K nomatch tblent | 199750.35 | 61.54 | 5.73 | 72.90

10K nomatch rules | 14836.69 | 864.46 | 157.49 | 1110.00
-------------------+-----------+---------+-----------+---------
10K nomatch tblent | 198412.93 | 62.17 | 5.66 | 73.08

Comparison between number of no-match table entries:

| perf-avg | lat-avg | lat-stdev | lat-99%
| (tps) | (ms) | (ms) | (ms)
-------------------+-----------+---------+-----------+---------
no-ipfw | 210658.80 | 58.01 | 5.20 | 68.73
-------------------+-----------+---------+-----------+---------
100 nomatch tblent | 200754.53 | 61.18 | 5.72 | 73.10
-------------------+-----------+---------+-----------+---------
1K nomatch tblent | 199750.35 | 61.54 | 5.73 | 72.90
-------------------+-----------+---------+-----------+---------
10K nomatch tblent | 198412.93 | 62.17 | 5.66 | 73.08

It scales pretty well with the number of no-match table entries.
En if it is compared w/ no-ipfw case, the performance and latency
impacts of the ipfw after this commit are pretty small.

show more ...

ipfw3: Simplify sockopt.

dummynet: Move ctrl function pointer to dummynet

ipfw: Simplify sockopt.

netisr: Simplify assertion related bits

inpcb: Add function to set inpcbinfo's portinfo.

This unbreaks inpcbinfo.portinfo_mask -> inpcbinfo.portinfo_cnt
conversion for divert inpcbs (unused by rip inpcbs).

inpcb: Use netisr_ncpus for listing inpcbs.

Unbreak kernel building

inpcb: Split portinfo token into tokens for porthash head

And use pooled token for porthash head. This avoids another 10K/s
~20K/s contention during local port selection.

net: Factor out ASSERT_IN_NETISR and ASSERT_IS_NETISR

ipfw2 - Rename FreeBSD ipfw port to ipfw3

* Rename all elements of the port to ipfw3 to reduce confusion.

Version 'alpha 1' of ipfw2 firewall module for DragonflyBSD.
1. Modular design
2. Lockless stateful firewall
3. In-kernel NAT using libalias
4. Enhanced policy routing. (coming soon)

Refactor the source for ipfw2.

kernel: Move us to using M_NOWAIT and M_WAITOK for mbuf functions.

The main reason is that our having to use the MB_WAIT and MB_DONTWAIT
flags was a recurring issue when porting drivers from FreeBSD

kernel: Move us to using M_NOWAIT and M_WAITOK for mbuf functions.

The main reason is that our having to use the MB_WAIT and MB_DONTWAIT
flags was a recurring issue when porting drivers from FreeBSD because
it tended to get forgotten and the code would compile anyway with the
wrong constants. And since MB_WAIT and MB_DONTWAIT ended up as ocflags
for an objcache_get() or objcache_reclaimlist call (which use M_WAITOK
and M_NOWAIT), it was just one big converting back and forth with some
sanitization in between.

This commit allows M_* again for the mbuf functions and keeps the
sanitizing as it was before: when M_WAITOK is among the passed flags,
objcache functions will be called with M_WAITOK and when it is absent,
they will be called with M_NOWAIT. All other flags are scrubbed by the
MB_OCFLAG() macro which does the same as the former MBTOM().

Approved-by: dillon

show more ...

ifnet: Make ifnet and ifindex2ifnet MPSAFE

- Accessing to these two global variables from non-netisr threads uses
ifnet lock. This kind of accessing is from
- Accessing to ifindex2ifnet from neti

ifnet: Make ifnet and ifindex2ifnet MPSAFE

- Accessing to these two global variables from non-netisr threads uses
ifnet lock. This kind of accessing is from
- Accessing to ifindex2ifnet from netisrs are lockless MPSAFE.
- Netisrs no longer access ifnet, instead they access ifnet array as of
this commit, which is lockless MPSAFE.

Rules for accessing ifnet and ifindex2ifnet is commented near the
declaration of the related global variables/functions in net/if_var.h.

show more ...

inet/inet6: Remove the v4-mapped address support

This greatly simplies the code (even the IPv4 code) and avoids all kinds
of possible port theft.

INPCB:
- Nuke IN6P_IPV6_V6ONLY, which is always on

inet/inet6: Remove the v4-mapped address support

This greatly simplies the code (even the IPv4 code) and avoids all kinds
of possible port theft.

INPCB:
- Nuke IN6P_IPV6_V6ONLY, which is always on after this commit.
- Change inp_vflag into inp_af (AF_INET or AF_INET6), since the socket
is either IPv6 or IPv4, but never both. Set inpcb.inp_af in
in_pcballoc() instead of in every pru_attach methods. Add INP_ISIPV4()
and INP_ISIPV6() macros to check inpcb family (socket family and
inpcb.inp_af are same).
- Nuke the convoluted code in in_pcbbind() and in6_pcbbind() which is used
to allow wildcard binding to accepting IPv4 connections on IPv6 wildcard
bound sockets.
- Nuke the code in in_pcblookup_pkthash() to match IPv4 faddr with IPv6
wildcard bound socket.
- Nuke in6_mapped_{peeraddr,sockaddr,savefaddr}(); use in6_{setpeeraddr,
setsockaddr,savefaddr}() directly.
- Nuke v4-mapped address convertion functions.
- Don't allow binding to v4-mapped address in in6_pcbind().
- Don't allow connecting to v4-mapped address in in6_pcbconnect().

TCP:
- Nuke the code in tcp_output() which takes care of the IP header TTL
setting for v4-mapped IPv6 socket.
- Don't allow binding to v4-mapped address (through in6_pcbbind()).
- Don't allow connecting to v4-mapped address and nuke the related code
(PRUC_NAMALLOC etc.).
- Nuke the code (PRUC_FALLBACK etc.) to fallback to IPv4 connection if
IPv6 connection fails, which is wrong.
- Nuke the code for v4-mapped IPv6 socket in tcp6_soport().

UDP:
- Nuke the code for v4-mapped IPv6 socket in udp_input() and udp_append().
- Don't allow binding to v4-mapped address (through in6_pcbbind()).
- Don't allow connecting to v4-mapped address.
- Don't allow sending datagrams to v4-mapped address and nuke the related
code in udp6_output().
- Nuke the code for v4-mapped IPv6 socket in udp6_disconnect()

RIP:
- Don't allow sending packets to v4-mapped address.
- Don't allow binding to v4-mapped address.
- Don't allow connecting to v4-mapped address.

Misc fixup:
- Don't force rip pru_attach method to return 0. If in_pcballoc() fails,
just return the error code.

show more ...

socket: Provide socket owner cpuid hint

If the cpuid hint could not be provided or the cpuid hint does not make
sense, -1 will be returned as cpuid hint, e.g. TCP listen sockets w/o
SO_REUSEPORT.

T

socket: Provide socket owner cpuid hint

If the cpuid hint could not be provided or the cpuid hint does not make
sense, -1 will be returned as cpuid hint, e.g. TCP listen sockets w/o
SO_REUSEPORT.

This helps avoiding unnecessary IPIs and contention on receiving sockbuf
token.

show more ...