svn commit: r374398 - in head/net/stf-6rd-kmod: . files files-10 files-8 files-9 files-9.1 files-9.2
Jun Kuriyama
kuriyama at FreeBSD.org
Tue Dec 9 14:34:58 UTC 2014
Author: kuriyama
Date: Tue Dec 9 14:34:56 2014
New Revision: 374398
URL: https://svnweb.freebsd.org/changeset/ports/374398
QAT: https://qat.redports.org/buildarchive/r374398/
Log:
Add support for 10.1R and drop 9.2R.
Added:
head/net/stf-6rd-kmod/files-10/
head/net/stf-6rd-kmod/files-10/patch-aa (contents, props changed)
head/net/stf-6rd-kmod/files-8/
head/net/stf-6rd-kmod/files-8/patch-aa (contents, props changed)
head/net/stf-6rd-kmod/files-9/
head/net/stf-6rd-kmod/files-9.1/
head/net/stf-6rd-kmod/files-9.1/patch-aa (contents, props changed)
head/net/stf-6rd-kmod/files-9/patch-aa (contents, props changed)
head/net/stf-6rd-kmod/files/fixup_mtime.sh (contents, props changed)
Deleted:
head/net/stf-6rd-kmod/files-9.2/
head/net/stf-6rd-kmod/files/patch-stf_6rd_20100923-1.diff
Modified:
head/net/stf-6rd-kmod/Makefile
head/net/stf-6rd-kmod/distinfo
Modified: head/net/stf-6rd-kmod/Makefile
==============================================================================
--- head/net/stf-6rd-kmod/Makefile Tue Dec 9 14:22:10 2014 (r374397)
+++ head/net/stf-6rd-kmod/Makefile Tue Dec 9 14:34:56 2014 (r374398)
@@ -14,25 +14,22 @@ COMMENT= 6rd patched stf(4) kernel modul
ONLY_FOR_ARCHS= amd64 i386
WRKSRC= ${WRKDIR}
-SVN_REV= 267655
+SVN_REV= 275558
+PATCH_STRIP= -p1
+#PATCH_DEBUG= YES
USES= kmod
.include <bsd.port.pre.mk>
.if ${OSREL} == "8.4"
-#SVN_REV= 255447
+PATCHDIR= ${MASTERDIR}/files-8
.elif ${OSREL} == "9.1"
-#SVN_REV= 255448
-.elif ${OSREL} == "9.2"
-#SVN_REV= 255444
-PATCHDIR= ${MASTERDIR}/files-9.2
+PATCHDIR= ${MASTERDIR}/files-9.1
.elif ${OSREL} == "9.3"
-#SVN_REV= 267655
-PATCHDIR= ${MASTERDIR}/files-9.2
-#.elif ${OSREL} == "10.0"
-##SVN_REV= 258913
-#PATCHDIR= ${MASTERDIR}/files-10.0
+PATCHDIR= ${MASTERDIR}/files-9
+.elif ${OSREL} == "10.1"
+PATCHDIR= ${MASTERDIR}/files-10
.else
IGNORE= not supported $${OSREL} (${OSREL})
.endif
@@ -44,9 +41,6 @@ post-extract:
${CP} -Rp ${SRC_BASE}/share/man/man4 ${WRKSRC}/share/man/
${CP} -Rp ${WRKSRC}/tmp/* ${WRKSRC}/sys/
-pre-patch:
- ${REINPLACE_CMD} -e 's|\.Dd July 23, 2011|.Dd April 27, 2001|' ${WRKSRC}/share/man/man4/stf.4
-
do-build:
cd ${WRKSRC}/sys/modules/if_stf; ${MAKE} DEBUG_FLAGS=-g
@@ -59,14 +53,24 @@ do-install:
# For maintainer only.
SVN_MIRROR?= http://svn.freebsd.org/base
EXPDIR= ${WRKSRC}/src/sys
+maintainer-tar-all:
+.for r in 8.4 9.1 9.3 10.1
+ ${MAKE} OSREL=${r} OSVERSION=${r:C/\.//}0000 UNAMER=${r}-RELEASE maintainer-tar
+.endfor
+
+maintainer-diff:
+.for r in 8 9 10
+ ${FETCH_CMD} -o ${MASTERDIR}/files-${r}/patch-aa https://github.com/kuriyama/freebsd/compare/freebsd:stable/${r}...6rd-stable-${r}.diff
+.endfor
+ ${FETCH_CMD} -o ${MASTERDIR}/files-9.1/patch-aa https://github.com/kuriyama/freebsd/compare/freebsd:releng/9.1...6rd-releng-9.1.diff
+
maintainer-tar:
-.for _osrel in 8.4 9.1 9.2 9.3 10.0
-${RM} -rf ${EXPDIR}
${MKDIR} ${EXPDIR}
- cd ${EXPDIR} && svn export -r ${SVN_REV} ${SVN_MIRROR}/releng/${_osrel}/sys/net net
- cd ${EXPDIR} && svn export -r ${SVN_REV} ${SVN_MIRROR}/releng/${_osrel}/sys/modules/if_stf modules/if_stf
- cd ${EXPDIR} && ${TAR} cfz ${DISTDIR}/freebsd-stf-${_osrel}-${PORTVERSION}${EXTRACT_SUFX} net modules
-.endfor
+ cd ${EXPDIR} && svn export -r ${SVN_REV} ${SVN_MIRROR}/releng/${OSREL}/sys/net net
+ cd ${EXPDIR} && svn export -r ${SVN_REV} ${SVN_MIRROR}/releng/${OSREL}/sys/modules/if_stf modules/if_stf
+ ${SH} ${MASTERDIR}/files/fixup_mtime.sh ${EXPDIR} ${SVN_REV} ${SVN_MIRROR} ${OSREL}
+ cd ${EXPDIR} && ${TAR} cfz ${DISTDIR}/freebsd-stf-${OSREL}-${PORTVERSION}${EXTRACT_SUFX} net modules
maintainer-check:
@new=`svn log -ql 1 ${SVN_MIRROR}@HEAD releng/${OSREL}/sys/net/if_stf.c | ${GREP} -v ^- | ${SED} -e 's| .*||'`;\
@@ -75,9 +79,10 @@ maintainer-check:
make-distinfo:
${RM} -f distinfo.tmp.*
-.for r in 8.4 9.1 9.2 9.3 10.0
- ${MAKE} OSREL=${r} DISTINFO_FILE=${MASTERDIR}/distinfo.tmp.${r} makesum
+.for r in 8.4 9.1 9.3 10.1
+ ${MAKE} OSREL=${r} OSVERSION=${r:C/\.//}0000 UNAMER=${r}-RELEASE DISTINFO_FILE=${MASTERDIR}/distinfo.tmp.${r} makesum
.endfor
${CAT} ${MASTERDIR}/distinfo.tmp.* > ${MASTERDIR}/distinfo
+ ${RM} -f distinfo.tmp.*
.include <bsd.port.post.mk>
Modified: head/net/stf-6rd-kmod/distinfo
==============================================================================
--- head/net/stf-6rd-kmod/distinfo Tue Dec 9 14:22:10 2014 (r374397)
+++ head/net/stf-6rd-kmod/distinfo Tue Dec 9 14:34:56 2014 (r374398)
@@ -1,10 +1,8 @@
-SHA256 (freebsd-stf-10.0-0.267655.tar.gz) = 492bc45cf0b9651dde008199920435c782bad71616398e0c52814a381578adae
-SIZE (freebsd-stf-10.0-0.267655.tar.gz) = 535733
-SHA256 (freebsd-stf-8.4-0.267655.tar.gz) = 0c4dc42d0bbf8946cbde58f7047cd293a7de647f88db100ffe5db37125c635c0
-SIZE (freebsd-stf-8.4-0.267655.tar.gz) = 504670
-SHA256 (freebsd-stf-9.1-0.267655.tar.gz) = 239f90a4ac81d4b6f3ceb82a59e3d9a9152b08f611c9d7557dbca17877bb0ab9
-SIZE (freebsd-stf-9.1-0.267655.tar.gz) = 510463
-SHA256 (freebsd-stf-9.2-0.267655.tar.gz) = 7acfa2a90d6abf87302008a5357411b0732217d10b1e1c0b4cce292626a2024b
-SIZE (freebsd-stf-9.2-0.267655.tar.gz) = 514295
-SHA256 (freebsd-stf-9.3-0.267655.tar.gz) = 2ffb08ff5abcbed586623237e9e4a3891492ac592557eef250b67fd74c3749de
-SIZE (freebsd-stf-9.3-0.267655.tar.gz) = 529933
+SHA256 (freebsd-stf-10.1-0.275558.tar.gz) = f63f044ff403702601caf77ea6be8471df6cc63a747870eb8c1b618720508b6a
+SIZE (freebsd-stf-10.1-0.275558.tar.gz) = 543214
+SHA256 (freebsd-stf-8.4-0.275558.tar.gz) = 0496e8a23e55725f47e72e587b74b4963c11fdc98afe49e94aee861a0fad83bf
+SIZE (freebsd-stf-8.4-0.275558.tar.gz) = 500025
+SHA256 (freebsd-stf-9.1-0.275558.tar.gz) = dbcecda506697d7255220838146a8af3d10a3986e67f942ef4efe0cb91d5a72e
+SIZE (freebsd-stf-9.1-0.275558.tar.gz) = 509740
+SHA256 (freebsd-stf-9.3-0.275558.tar.gz) = 09c9a4dbafbb13bd1d6bbbe99792a7185725cd028a34228ed4be8bdc656e331b
+SIZE (freebsd-stf-9.3-0.275558.tar.gz) = 528285
Added: head/net/stf-6rd-kmod/files-10/patch-aa
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/net/stf-6rd-kmod/files-10/patch-aa Tue Dec 9 14:34:56 2014 (r374398)
@@ -0,0 +1,1298 @@
+diff --git a/share/man/man4/stf.4 b/share/man/man4/stf.4
+index 5e210df..1f3da39 100644
+--- a/share/man/man4/stf.4
++++ b/share/man/man4/stf.4
+@@ -1,6 +1,7 @@
+ .\" $KAME: stf.4,v 1.35 2001/05/02 06:24:49 itojun Exp $
+ .\"
+ .\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
++.\" Copyright (c) 2010 Hiroki Sato <hrs at FreeBSD.org>
+ .\" All rights reserved.
+ .\"
+ .\" Redistribution and use in source and binary forms, with or without
+@@ -42,21 +43,11 @@ tunnel interface
+ .Sh DESCRIPTION
+ The
+ .Nm
+-interface supports
+-.Dq 6to4
+-IPv6 in IPv4 encapsulation.
+-It can tunnel IPv6 traffic over IPv4, as specified in
+-.Li RFC3056 .
+-.Pp
+-For ordinary nodes in 6to4 site, you do not need
+-.Nm
+-interface.
+-The
+-.Nm
+-interface is necessary for site border router
+-(called
+-.Dq 6to4 router
+-in the specification).
++interface supports IPv6 in IPv4 encapsulation by
++tunneling IPv6 traffic over IPv4, as specified in
++.Li RFC3056 Pq 6to4
++and
++.Li RFC5569 Pq 6rd .
+ .Pp
+ Each
+ .Nm
+@@ -72,12 +63,28 @@ variable in
+ .Pp
+ Due to the way 6to4 protocol is specified,
+ .Nm
+-interface requires certain configuration to work properly.
++interface requires certain configuration to work properly. Two
++different protocols defined in RFC3056 and RFC5569 are basically the
++same as each other except for address handling, so
++.Nm
++decides its behavior based on the configured IPv6 addresses as
++explained in the following.
++The
++.Nm
++interface can be configured with multiple IPv6 addresses including
++both 6to4 and 6rd.
++.Sh RFC3056 (a.k.a. 6to4)
+ Single
+-(no more than 1)
+-valid 6to4 address needs to be configured to the interface.
+-.Dq A valid 6to4 address
+-is an address which has the following properties.
++.Pq no more than 1 valid 6to4 address needs to be configured to the interface.
++.Dq a valid 6to4 address
++is an address which has the following properties. For ordinary nodes
++in 6to4 site, you do not need
++.Nm
++interface; it is necessary only for site border router
++(called
++.Dq 6to4 router
++in the specification).
++.Pp
+ If any of the following properties are not satisfied,
+ .Nm
+ raises runtime error on packet transmission.
+@@ -110,6 +117,78 @@ you may want to configure IPv6 prefix length as
+ .Nm
+ interface will check the IPv4 source address on packets,
+ if the IPv6 prefix length is larger than 16.
++.Sh RFC5569 (a.k.a. 6rd)
++The
++.Nm
++interface works in the 6rd mode when one or more IPv6 addresses that
++consists of an IPv6 prefix and 32-bit IPv4 part with a prefix length
++equal to or shorter than 64. In 6rd protocol, an IPv6 address
++.Li 2001:db8:c000:205::1/32
++means the following, for example:
++.Bl -bullet
++.It
++The 6rd relay prefix is
++.Li 2001:db8::/32 .
++.It
++The 6rd router's IPv4 address is
++.Li 192.0.2.5 .
++.El
++.Pp
++As you can see the IPv4 address is embedded in the IPv6 address just
++after the prefix. While you can choose an IPv6 prefix length other
++than 32, it must be from 0 to 32.
++.Pp
++Assuming this address is configured on the
++.Nm
++interface, it does the following:
++.Bl -bullet
++.It
++An incoming IPv6 packet on
++.Nm
++will be encapsuled in an IPv4 packet with the source address
++.Li 192.0.2.5
++and then the IPv4 packet is delivered based on the IPv4 routing table.
++The IPv4 destination address is calculated from the destination
++address of the original IPv6 packet in the same way as the source.
++.It
++An incoming IPv4 packet which encapsules an IPv6 packet whose
++destination address matches a 6rd prefix with embedded IPv4 address
++configured on the
++.Nm
++interface, the IPv6 packet will be decapsulated and delivered based on
++the IPv6 routing table. Note that
++.Nm
++interface normally has a route which covers whole range of a 6rd relay
++prefix, the delivered IPv6 packet can return to
++.Nm
++if there is no more specific route. In that case, the returned packet
++will be discarded silently.
++.El
++.\" XXX: example configuration will be added
++.\" .Pp
++.\" By using this interface, you can configure a 6rd domain. For simplicity,
++.\" we assume the following here:
++.\" .Bl -bullet
++.\" .It
++.\" A 6rd Customer, who has an IPv6/IPv4 LAN and an IPv4-only access
++.\" toward network of his Internet Service Provider. The Customer has
++.\" a router called
++.\" .Dq CE Pq Customer Edge
++.\" Router, which can communicate between his LAN and the ISP over IPv4
++.\" and encapsulate
++.\" his networks.
++.\" .It
++.\" A 6rd Provider, who provides IPv6 Internet reachability by using 6rd
++.\" protocol. The Provider offers access to a router called
++.\" .Dq PE Pq Provider Edge
++.\" Router, which can communicate with
++.\" .El
++.\" .Pp
++.\" A 6rd customer
++.\" needs to configure
++.\" .Nm
++.\" on his CE (Customer Edge) router.
++.Sh Other Functionality of the Interface
+ .Pp
+ .Nm
+ can be configured to be ECN friendly.
+@@ -147,9 +226,6 @@ Packets with IPv4 multicast address as outer IPv4 source/destination
+ Packets with limited broadcast address as outer IPv4 source/destination
+ .Pq Li 255.0.0.0/8
+ .It
+-Packets with private address as outer IPv4 source/destination
+-.Pq Li 10.0.0.0/8 , 172.16.0.0/12 , 192.168.0.0/16
+-.It
+ Packets with subnet broadcast address as outer IPv4 source/destination.
+ The check is made against subnet broadcast addresses for
+ all of the directly connected subnets.
+@@ -164,6 +240,11 @@ The same set of rules are applied against the IPv4 address embedded into
+ inner IPv6 address, if the IPv6 address matches 6to4 prefix.
+ .El
+ .Pp
++In addition to them, packets with private address as outer IPv4
++source/destination
++.Pq Li 10.0.0.0/8 , 172.16.0.0/12 , 192.168.0.0/16
++are filtered out only in the 6to4 mode.
++.Pp
+ It is recommended to filter/audit
+ incoming IPv4 packet with IP protocol number 41, as necessary.
+ It is also recommended to filter/audit encapsulated IPv6 packets as well.
+diff --git a/sys/net/if_stf.c b/sys/net/if_stf.c
+index 20251dc..37d96a9 100644
+--- a/sys/net/if_stf.c
++++ b/sys/net/if_stf.c
+@@ -3,6 +3,7 @@
+
+ /*-
+ * Copyright (C) 2000 WIDE Project.
++ * Copyright (c) 2010 Hiroki Sato <hrs at FreeBSD.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+@@ -31,7 +32,7 @@
+ */
+
+ /*
+- * 6to4 interface, based on RFC3056.
++ * 6to4 interface, based on RFC3056 + 6rd (RFC5569) support.
+ *
+ * 6to4 interface is NOT capable of link-layer (I mean, IPv4) multicasting.
+ * There is no address mapping defined from IPv6 multicast address to IPv4
+@@ -60,7 +61,7 @@
+ * ICMPv6:
+ * - Redirects cannot be used due to the lack of link-local address.
+ *
+- * stf interface does not have, and will not need, a link-local address.
++ * stf interface does not have, and will not need, a link-local address.
+ * It seems to have no real benefit and does not help the above symptoms much.
+ * Even if we assign link-locals to interface, we cannot really
+ * use link-local unicast/multicast on top of 6to4 cloud (since there's no
+@@ -72,6 +73,12 @@
+ * http://playground.iijlab.net/i-d/draft-itojun-ipv6-transition-abuse-00.txt
+ * for details. The code tries to filter out some of malicious packets.
+ * Note that there is no way to be 100% secure.
++ *
++ * 6rd (RFC5569) extension is enabled when an IPv6 GUA other than
++ * 2002::/16 is assigned. The stf(4) recognizes a 32-bit just after
++ * prefixlen as the IPv4 address of the 6rd customer site. The
++ * prefixlen must be shorter than 32.
++ *
+ */
+
+ #include "opt_inet.h"
+@@ -120,20 +127,45 @@
+
+ #include <security/mac/mac_framework.h>
+
++#define STF_DEBUG 1
++#define ip_sprintf(buf, a) \
++ sprintf(buf, "%d.%d.%d.%d", \
++ (ntohl((a)->s_addr)>>24)&0xFF, \
++ (ntohl((a)->s_addr)>>16)&0xFF, \
++ (ntohl((a)->s_addr)>>8)&0xFF, \
++ (ntohl((a)->s_addr))&0xFF);
++#if STF_DEBUG
++#define DEBUG_PRINTF(a, ...) \
++ do { \
++ if (V_stf_debug >= a) \
++ printf(__VA_ARGS__); \
++ } while (0)
++#else
++#define DEBUG_PRINTF(a, ...)
++#endif
++
+ SYSCTL_DECL(_net_link);
+ static SYSCTL_NODE(_net_link, IFT_STF, stf, CTLFLAG_RW, 0, "6to4 Interface");
+
+-static int stf_route_cache = 1;
+-SYSCTL_INT(_net_link_stf, OID_AUTO, route_cache, CTLFLAG_RW,
+- &stf_route_cache, 0, "Caching of IPv4 routes for 6to4 Output");
++static VNET_DEFINE(int, stf_route_cache) = 1;
++#define V_stf_route_cache VNET(stf_route_cache)
++SYSCTL_VNET_INT(_net_link_stf, OID_AUTO, route_cache, CTLFLAG_RW,
++ &VNET_NAME(stf_route_cache), 0,
++ "Enable caching of IPv4 routes for 6to4 output.");
++
++#if STF_DEBUG
++static VNET_DEFINE(int, stf_debug) = 0;
++#define V_stf_debug VNET(stf_debug)
++SYSCTL_VNET_INT(_net_link_stf, OID_AUTO, stf_debug, CTLFLAG_RW,
++ &VNET_NAME(stf_debug), 0,
++ "Enable displaying verbose debug message of stf interfaces");
++#endif
+
+ static int stf_permit_rfc1918 = 0;
+ TUNABLE_INT("net.link.stf.permit_rfc1918", &stf_permit_rfc1918);
+ SYSCTL_INT(_net_link_stf, OID_AUTO, permit_rfc1918, CTLFLAG_RW | CTLFLAG_TUN,
+ &stf_permit_rfc1918, 0, "Permit the use of private IPv4 addresses");
+
+-#define STFUNIT 0
+-
+ #define IN6_IS_ADDR_6TO4(x) (ntohs((x)->s6_addr16[0]) == 0x2002)
+
+ /*
+@@ -149,19 +181,28 @@ struct stf_softc {
+ struct route_in6 __sc_ro6; /* just for safety */
+ } __sc_ro46;
+ #define sc_ro __sc_ro46.__sc_ro4
+- struct mtx sc_ro_mtx;
++ struct mtx sc_mtx;
+ u_int sc_fibnum;
+ const struct encaptab *encap_cookie;
++ u_int sc_flags;
++ LIST_ENTRY(stf_softc) stf_list;
+ };
+ #define STF2IFP(sc) ((sc)->sc_ifp)
+
+ static const char stfname[] = "stf";
+
+-/*
+- * Note that mutable fields in the softc are not currently locked.
+- * We do lock sc_ro in stf_output though.
+- */
++static struct mtx stf_mtx;
+ static MALLOC_DEFINE(M_STF, stfname, "6to4 Tunnel Interface");
++static VNET_DEFINE(LIST_HEAD(, stf_softc), stf_softc_list);
++#define V_stf_softc_list VNET(stf_softc_list)
++
++#define STF_LOCK_INIT(sc) mtx_init(&(sc)->sc_mtx, "stf softc", \
++ NULL, MTX_DEF);
++#define STF_LOCK_DESTROY(sc) mtx_destroy(&(sc)->sc_mtx)
++#define STF_LOCK(sc) mtx_lock(&(sc)->sc_mtx)
++#define STF_UNLOCK(sc) mtx_unlock(&(sc)->sc_mtx)
++#define STF_LOCK_ASSERT(sc) mtx_assert(&(sc)->sc_mtx, MA_OWNED)
++
+ static const int ip_stf_ttl = 40;
+
+ extern struct domain inetdomain;
+@@ -190,7 +231,18 @@ static int stf_checkaddr6(struct stf_softc *, struct in6_addr *,
+ struct ifnet *);
+ static void stf_rtrequest(int, struct rtentry *, struct rt_addrinfo *);
+ static int stf_ioctl(struct ifnet *, u_long, caddr_t);
+-
++static int stf_is_up(struct ifnet *);
++
++#define STF_GETIN4_USE_CACHE 1
++static struct sockaddr_in *stf_getin4addr(struct sockaddr_in *,
++ struct ifaddr *,
++ int);
++static struct sockaddr_in *stf_getin4addr_in6(struct sockaddr_in *,
++ struct ifaddr *,
++ const struct in6_addr *);
++static struct sockaddr_in *stf_getin4addr_sin6(struct sockaddr_in *,
++ struct ifaddr *,
++ struct sockaddr_in6 *);
+ static int stf_clone_match(struct if_clone *, const char *);
+ static int stf_clone_create(struct if_clone *, char *, size_t, caddr_t);
+ static int stf_clone_destroy(struct if_clone *, struct ifnet *);
+@@ -212,45 +264,38 @@ stf_clone_match(struct if_clone *ifc, const char *name)
+ static int
+ stf_clone_create(struct if_clone *ifc, char *name, size_t len, caddr_t params)
+ {
+- int err, unit;
+ struct stf_softc *sc;
+ struct ifnet *ifp;
+-
+- /*
+- * We can only have one unit, but since unit allocation is
+- * already locked, we use it to keep from allocating extra
+- * interfaces.
+- */
+- unit = STFUNIT;
+- err = ifc_alloc_unit(ifc, &unit);
+- if (err != 0)
+- return (err);
++ char *dp;
++ int error, unit, wildcard;
+
+ sc = malloc(sizeof(struct stf_softc), M_STF, M_WAITOK | M_ZERO);
++ sc->sc_fibnum = curthread->td_proc->p_fibnum;
+ ifp = STF2IFP(sc) = if_alloc(IFT_STF);
+- if (ifp == NULL) {
++ if (sc->sc_ifp == NULL) {
+ free(sc, M_STF);
+- ifc_free_unit(ifc, unit);
+- return (ENOSPC);
++ return (ENOMEM);
+ }
++ STF_LOCK_INIT(sc);
+ ifp->if_softc = sc;
+- sc->sc_fibnum = curthread->td_proc->p_fibnum;
+-
+- /*
+- * Set the name manually rather then using if_initname because
+- * we don't conform to the default naming convention for interfaces.
+- */
++ error = ifc_name2unit(name, &unit);
++ if (error != 0)
++ return (error);
++ wildcard = (unit < 0);
++ /* In the wildcard case, we need to update the name. */
++ if (wildcard) {
++ for (dp = name; *dp != '\0'; dp++);
++ if (snprintf(dp, len - (dp-name), "%d", unit) > len - (dp-name) - 1) {
++ panic("%s: interface name too long", __func__);
++ }
++ }
++ ifp->if_dname = name;
+ strlcpy(ifp->if_xname, name, IFNAMSIZ);
+- ifp->if_dname = stfname;
+- ifp->if_dunit = IF_DUNIT_NONE;
+-
+- mtx_init(&(sc)->sc_ro_mtx, "stf ro", NULL, MTX_DEF);
+ sc->encap_cookie = encap_attach_func(AF_INET, IPPROTO_IPV6,
+ stf_encapcheck, &in_stf_protosw, sc);
+ if (sc->encap_cookie == NULL) {
+ if_printf(ifp, "attach failed\n");
+ free(sc, M_STF);
+- ifc_free_unit(ifc, unit);
+ return (ENOMEM);
+ }
+
+@@ -260,6 +305,11 @@ stf_clone_create(struct if_clone *ifc, char *name, size_t len, caddr_t params)
+ ifp->if_snd.ifq_maxlen = ifqmaxlen;
+ if_attach(ifp);
+ bpfattach(ifp, DLT_NULL, sizeof(u_int32_t));
++
++ mtx_lock(&stf_mtx);
++ LIST_INSERT_HEAD(&V_stf_softc_list, sc, stf_list);
++ mtx_unlock(&stf_mtx);
++
+ return (0);
+ }
+
+@@ -269,33 +319,44 @@ stf_clone_destroy(struct if_clone *ifc, struct ifnet *ifp)
+ struct stf_softc *sc = ifp->if_softc;
+ int err;
+
++ mtx_lock(&stf_mtx);
++ LIST_REMOVE(sc, stf_list);
++ mtx_unlock(&stf_mtx);
++
+ err = encap_detach(sc->encap_cookie);
+ KASSERT(err == 0, ("Unexpected error detaching encap_cookie"));
+- mtx_destroy(&(sc)->sc_ro_mtx);
+ bpfdetach(ifp);
+ if_detach(ifp);
+ if_free(ifp);
+
++ STF_LOCK_DESTROY(sc);
+ free(sc, M_STF);
+- ifc_free_unit(ifc, STFUNIT);
+
+ return (0);
+ }
+
++static void
++vnet_stf_init(const void *unused __unused)
++{
++
++ LIST_INIT(&V_stf_softc_list);
++}
++VNET_SYSINIT(vnet_stf_init, SI_SUB_PSEUDO, SI_ORDER_MIDDLE, vnet_stf_init,
++ NULL);
++
+ static int
+-stfmodevent(mod, type, data)
+- module_t mod;
+- int type;
+- void *data;
++stfmodevent(module_t mod, int type, void *data)
+ {
+
+ switch (type) {
+ case MOD_LOAD:
++ mtx_init(&stf_mtx, "stf_mtx", NULL, MTX_DEF);
+ stf_cloner = if_clone_advanced(stfname, 0, stf_clone_match,
+ stf_clone_create, stf_clone_destroy);
+ break;
+ case MOD_UNLOAD:
+ if_clone_detach(stf_cloner);
++ mtx_destroy(&stf_mtx);
+ break;
+ default:
+ return (EOPNOTSUPP);
+@@ -311,28 +372,31 @@ static moduledata_t stf_mod = {
+ };
+
+ DECLARE_MODULE(if_stf, stf_mod, SI_SUB_PSEUDO, SI_ORDER_ANY);
++MODULE_VERSION(if_stf, 1);
+
+ static int
+-stf_encapcheck(m, off, proto, arg)
+- const struct mbuf *m;
+- int off;
+- int proto;
+- void *arg;
++stf_encapcheck(const struct mbuf *m, int off, int proto, void *arg)
+ {
+ struct ip ip;
+ struct in6_ifaddr *ia6;
++ struct sockaddr_in ia6_in4addr;
++ struct sockaddr_in ia6_in4mask;
++ struct sockaddr_in *sin;
+ struct stf_softc *sc;
+- struct in_addr a, b, mask;
++ struct ifnet *ifp;
++ int ret = 0;
+
++ DEBUG_PRINTF(1, "%s: enter\n", __func__);
+ sc = (struct stf_softc *)arg;
+ if (sc == NULL)
+ return 0;
++ ifp = STF2IFP(sc);
+
+- if ((STF2IFP(sc)->if_flags & IFF_UP) == 0)
++ if ((ifp->if_flags & IFF_UP) == 0)
+ return 0;
+
+ /* IFF_LINK0 means "no decapsulation" */
+- if ((STF2IFP(sc)->if_flags & IFF_LINK0) != 0)
++ if ((ifp->if_flags & IFF_LINK0) != 0)
+ return 0;
+
+ if (proto != IPPROTO_IPV6)
+@@ -344,83 +408,162 @@ stf_encapcheck(m, off, proto, arg)
+ if (ip.ip_v != 4)
+ return 0;
+
+- ia6 = stf_getsrcifa6(STF2IFP(sc));
++ /* Lookup an ia6 whose IPv4 addr encoded in the IPv6 addr is valid. */
++ ia6 = stf_getsrcifa6(ifp);
+ if (ia6 == NULL)
+ return 0;
++ sin = stf_getin4addr(&ia6_in4addr, &ia6->ia_ifa, STF_GETIN4_USE_CACHE);
++ if (sin == NULL)
++ return 0;
+
++#if STF_DEBUG
++ {
++ char buf[INET6_ADDRSTRLEN + 1];
++ memset(&buf, 0, sizeof(buf));
++
++ ip6_sprintf(buf, &satosin6(ia6->ia_ifa.ifa_addr)->sin6_addr);
++ DEBUG_PRINTF(1, "%s: ia6->ia_ifa.ifa_addr = %s\n", __func__, buf);
++ ip6_sprintf(buf, &ia6->ia_addr.sin6_addr);
++ DEBUG_PRINTF(1, "%s: ia6->ia_addr = %s\n", __func__, buf);
++ ip6_sprintf(buf, &satosin6(ia6->ia_ifa.ifa_netmask)->sin6_addr);
++ DEBUG_PRINTF(1, "%s: ia6->ia_ifa.ifa_netmask = %s\n", __func__, buf);
++ ip6_sprintf(buf, &ia6->ia_prefixmask.sin6_addr);
++ DEBUG_PRINTF(1, "%s: ia6->ia_prefixmask = %s\n", __func__, buf);
++
++ ip_sprintf(buf, &ia6_in4addr.sin_addr);
++ DEBUG_PRINTF(1, "%s: ia6_in4addr.sin_addr = %s\n", __func__, buf);
++ ip_sprintf(buf, &ip.ip_src);
++ DEBUG_PRINTF(1, "%s: ip.ip_src = %s\n", __func__, buf);
++ ip_sprintf(buf, &ip.ip_dst);
++ DEBUG_PRINTF(1, "%s: ip.ip_dst = %s\n", __func__, buf);
++ }
++#endif
+ /*
+ * check if IPv4 dst matches the IPv4 address derived from the
+ * local 6to4 address.
+ * success on: dst = 10.1.1.1, ia6->ia_addr = 2002:0a01:0101:...
+ */
+- if (bcmp(GET_V4(&ia6->ia_addr.sin6_addr), &ip.ip_dst,
+- sizeof(ip.ip_dst)) != 0) {
+- ifa_free(&ia6->ia_ifa);
+- return 0;
++ DEBUG_PRINTF(1, "%s: check1: ia6_in4addr.sin_addr == ip.ip_dst?\n", __func__);
++ if (ia6_in4addr.sin_addr.s_addr != ip.ip_dst.s_addr) {
++ DEBUG_PRINTF(1, "%s: check1: false. Ignore this packet.\n", __func__);
++ goto freeit;
+ }
+
+- /*
+- * check if IPv4 src matches the IPv4 address derived from the
+- * local 6to4 address masked by prefixmask.
+- * success on: src = 10.1.1.1, ia6->ia_addr = 2002:0a00:.../24
+- * fail on: src = 10.1.1.1, ia6->ia_addr = 2002:0b00:.../24
+- */
+- bzero(&a, sizeof(a));
+- bcopy(GET_V4(&ia6->ia_addr.sin6_addr), &a, sizeof(a));
+- bcopy(GET_V4(&ia6->ia_prefixmask.sin6_addr), &mask, sizeof(mask));
+- ifa_free(&ia6->ia_ifa);
+- a.s_addr &= mask.s_addr;
+- b = ip.ip_src;
+- b.s_addr &= mask.s_addr;
+- if (a.s_addr != b.s_addr)
+- return 0;
++ DEBUG_PRINTF(1, "%s: check2: ia6->ia_addr is 2002::/16?\n", __func__);
++ if (IN6_IS_ADDR_6TO4(&ia6->ia_addr.sin6_addr)) {
++ /* 6to4 (RFC 3056) */
++ /*
++ * check if IPv4 src matches the IPv4 address derived
++ * from the local 6to4 address masked by prefixmask.
++ * success on: src = 10.1.1.1, ia6->ia_addr = 2002:0a00:.../24
++ * fail on: src = 10.1.1.1, ia6->ia_addr = 2002:0b00:.../24
++ */
++ DEBUG_PRINTF(1, "%s: check2: true.\n", __func__);
++
++ memcpy(&ia6_in4mask.sin_addr,
++ GET_V4(&ia6->ia_prefixmask.sin6_addr),
++ sizeof(ia6_in4mask));
++#if STF_DEBUG
++ {
++ char buf[INET6_ADDRSTRLEN + 1];
++ memset(&buf, 0, sizeof(buf));
++
++ ip_sprintf(buf, &ia6_in4addr.sin_addr);
++ DEBUG_PRINTF(1, "%s: ia6->ia_addr = %s\n",
++ __func__, buf);
++ ip_sprintf(buf, &ip.ip_src);
++ DEBUG_PRINTF(1, "%s: ip.ip_src = %s\n",
++ __func__, buf);
++ ip_sprintf(buf, &ia6_in4mask.sin_addr);
++ DEBUG_PRINTF(1, "%s: ia6->ia_prefixmask = %s\n",
++ __func__, buf);
++
++ DEBUG_PRINTF(1, "%s: check3: ia6_in4addr.sin_addr & mask == ip.ip_src & mask\n",
++ __func__);
++ }
++#endif
+
++ if ((ia6_in4addr.sin_addr.s_addr & ia6_in4mask.sin_addr.s_addr) !=
++ (ip.ip_src.s_addr & ia6_in4mask.sin_addr.s_addr)) {
++ DEBUG_PRINTF(1, "%s: check3: false. Ignore this packet.\n",
++ __func__);
++ goto freeit;
++ }
++ } else {
++ /* 6rd (RFC 5569) */
++ DEBUG_PRINTF(1, "%s: check2: false. 6rd.\n", __func__);
++ /*
++ * No restriction on the src address in the case of
++ * 6rd because the stf(4) interface always has a
++ * prefix which covers whole of IPv4 src address
++ * range. So, stf_output() will catch all of
++ * 6rd-capsuled IPv4 traffic with suspicious inner dst
++ * IPv4 address (i.e. the IPv6 destination address is
++ * one the admin does not like to route to outside),
++ * and then it discard them silently.
++ */
++ }
++ DEBUG_PRINTF(1, "%s: all clear!\n", __func__);
+ /* stf interface makes single side match only */
+- return 32;
++ ret = 32;
++freeit:
++ ifa_free(&ia6->ia_ifa);
++
++ return (ret);
+ }
+
+ static struct in6_ifaddr *
+-stf_getsrcifa6(ifp)
+- struct ifnet *ifp;
++stf_getsrcifa6(struct ifnet *ifp)
+ {
+- struct ifaddr *ia;
++ struct ifaddr *ifa;
+ struct in_ifaddr *ia4;
+- struct sockaddr_in6 *sin6;
+- struct in_addr in;
++ struct sockaddr_in *sin;
++ struct sockaddr_in in4;
+
+ if_addr_rlock(ifp);
+- TAILQ_FOREACH(ia, &ifp->if_addrhead, ifa_link) {
+- if (ia->ifa_addr->sa_family != AF_INET6)
++ TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
++ if (ifa->ifa_addr->sa_family != AF_INET6)
+ continue;
+- sin6 = (struct sockaddr_in6 *)ia->ifa_addr;
+- if (!IN6_IS_ADDR_6TO4(&sin6->sin6_addr))
++ if ((sin = stf_getin4addr(&in4, ifa,
++ STF_GETIN4_USE_CACHE)) == NULL)
+ continue;
+-
+- bcopy(GET_V4(&sin6->sin6_addr), &in, sizeof(in));
+- LIST_FOREACH(ia4, INADDR_HASH(in.s_addr), ia_hash)
+- if (ia4->ia_addr.sin_addr.s_addr == in.s_addr)
++ LIST_FOREACH(ia4, INADDR_HASH(sin->sin_addr.s_addr), ia_hash)
++ if (ia4->ia_addr.sin_addr.s_addr == sin->sin_addr.s_addr)
+ break;
+ if (ia4 == NULL)
+ continue;
+
+- ifa_ref(ia);
++#if STF_DEBUG
++ {
++ char buf[INET6_ADDRSTRLEN + 1];
++ memset(&buf, 0, sizeof(buf));
++
++ ip6_sprintf(buf, &((struct sockaddr_in6 *)ifa->ifa_addr)->sin6_addr);
++ DEBUG_PRINTF(1, "%s: ifa->ifa_addr->sin6_addr = %s\n",
++ __func__, buf);
++ ip_sprintf(buf, &ia4->ia_addr.sin_addr);
++ DEBUG_PRINTF(1, "%s: ia4->ia_addr.sin_addr = %s\n",
++ __func__, buf);
++ }
++#endif
++ ifa_ref(ifa);
+ if_addr_runlock(ifp);
+- return (struct in6_ifaddr *)ia;
++ return (ifatoia6(ifa));
+ }
+ if_addr_runlock(ifp);
+
++
+ return NULL;
+ }
+
+ static int
+-stf_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst,
+- struct route *ro)
++stf_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst, struct route *ro)
+ {
+ struct stf_softc *sc;
+ const struct sockaddr_in6 *dst6;
+ struct route *cached_route;
+- struct in_addr in4;
+- const void *ptr;
++ struct sockaddr_in *sin;
++ struct sockaddr_in in4;
+ struct sockaddr_in *dst4;
+ u_int8_t tos;
+ struct ip *ip;
+@@ -472,20 +615,28 @@ stf_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst,
+ /*
+ * Pickup the right outer dst addr from the list of candidates.
+ * ip6_dst has priority as it may be able to give us shorter IPv4 hops.
++ * ip6_dst: destination addr in the packet header.
++ * dst6: destination addr specified in function argument.
+ */
+- ptr = NULL;
+- if (IN6_IS_ADDR_6TO4(&ip6->ip6_dst))
+- ptr = GET_V4(&ip6->ip6_dst);
+- else if (IN6_IS_ADDR_6TO4(&dst6->sin6_addr))
+- ptr = GET_V4(&dst6->sin6_addr);
+- else {
++ DEBUG_PRINTF(1, "%s: dst addr selection\n", __func__);
++ sin = stf_getin4addr_in6(&in4, &ia6->ia_ifa, &ip6->ip6_dst);
++ if (sin == NULL)
++ sin = stf_getin4addr_in6(&in4, &ia6->ia_ifa, &dst6->sin6_addr);
++ if (sin == NULL) {
+ ifa_free(&ia6->ia_ifa);
+ m_freem(m);
+ ifp->if_oerrors++;
+ return ENETUNREACH;
+ }
+- bcopy(ptr, &in4, sizeof(in4));
++#if STF_DEBUG
++ {
++ char buf[INET6_ADDRSTRLEN + 1];
++ memset(&buf, 0, sizeof(buf));
+
++ ip_sprintf(buf, &sin->sin_addr);
++ DEBUG_PRINTF(1, "%s: ip_dst = %s\n", __func__, buf);
++ }
++#endif
+ if (bpf_peers_present(ifp->if_bpf)) {
+ /*
+ * We need to prepend the address family as
+@@ -509,11 +660,26 @@ stf_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst,
+ ip = mtod(m, struct ip *);
+
+ bzero(ip, sizeof(*ip));
++ bcopy(&in4.sin_addr, &ip->ip_dst, sizeof(ip->ip_dst));
+
+- bcopy(GET_V4(&((struct sockaddr_in6 *)&ia6->ia_addr)->sin6_addr),
+- &ip->ip_src, sizeof(ip->ip_src));
++ sin = stf_getin4addr_sin6(&in4, &ia6->ia_ifa, &ia6->ia_addr);
++ if (sin == NULL) {
++ ifa_free(&ia6->ia_ifa);
++ m_freem(m);
++ ifp->if_oerrors++;
++ return ENETUNREACH;
++ }
++ bcopy(&in4.sin_addr, &ip->ip_src, sizeof(ip->ip_src));
++#if STF_DEBUG
++ {
++ char buf[INET6_ADDRSTRLEN + 1];
++ memset(&buf, 0, sizeof(buf));
++
++ ip_sprintf(buf, &ip->ip_src);
++ DEBUG_PRINTF(1, "%s: ip_src = %s\n", __func__, buf);
++ }
++#endif
+ ifa_free(&ia6->ia_ifa);
+- bcopy(&in4, &ip->ip_dst, sizeof(ip->ip_dst));
+ ip->ip_p = IPPROTO_IPV6;
+ ip->ip_ttl = ip_stf_ttl;
+ ip->ip_len = htons(m->m_pkthdr.len);
+@@ -522,7 +688,7 @@ stf_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst,
+ else
+ ip_ecn_ingress(ECN_NOCARE, &ip->ip_tos, &tos);
+
+- if (!stf_route_cache) {
++ if (!V_stf_route_cache) {
+ cached_route = NULL;
+ goto sendit;
+ }
+@@ -530,7 +696,7 @@ stf_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst,
+ /*
+ * Do we have a cached route?
+ */
+- mtx_lock(&(sc)->sc_ro_mtx);
++ STF_LOCK(sc);
+ dst4 = (struct sockaddr_in *)&sc->sc_ro.ro_dst;
+ if (dst4->sin_family != AF_INET ||
+ bcmp(&dst4->sin_addr, &ip->ip_dst, sizeof(ip->ip_dst)) != 0) {
+@@ -548,8 +714,15 @@ stf_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst,
+ rtalloc_fib(&sc->sc_ro, sc->sc_fibnum);
+ if (sc->sc_ro.ro_rt == NULL) {
+ m_freem(m);
+- mtx_unlock(&(sc)->sc_ro_mtx);
+ ifp->if_oerrors++;
++ STF_UNLOCK(sc);
++ return ENETUNREACH;
++ }
++ if (sc->sc_ro.ro_rt->rt_ifp == ifp) {
++ /* infinite loop detection */
++ m_free(m);
++ ifp->if_oerrors++;
++ STF_UNLOCK(sc);
+ return ENETUNREACH;
+ }
+ }
+@@ -558,35 +731,32 @@ stf_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst,
+ sendit:
+ M_SETFIB(m, sc->sc_fibnum);
+ ifp->if_opackets++;
++ DEBUG_PRINTF(1, "%s: ip_output dispatch.\n", __func__);
+ error = ip_output(m, NULL, cached_route, 0, NULL, NULL);
+
+ if (cached_route != NULL)
+- mtx_unlock(&(sc)->sc_ro_mtx);
++ STF_UNLOCK(sc);
+ return error;
+ }
+
+ static int
+-isrfc1918addr(in)
+- struct in_addr *in;
++isrfc1918addr(struct in_addr *in)
+ {
+ /*
+ * returns 1 if private address range:
+ * 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
+ */
+ if (stf_permit_rfc1918 == 0 && (
+- (ntohl(in->s_addr) & 0xff000000) >> 24 == 10 ||
+- (ntohl(in->s_addr) & 0xfff00000) >> 16 == 172 * 256 + 16 ||
+- (ntohl(in->s_addr) & 0xffff0000) >> 16 == 192 * 256 + 168))
++ (ntohl(in->s_addr) & 0xff000000) == 10 << 24 ||
++ (ntohl(in->s_addr) & 0xfff00000) == (172 * 256 + 16) << 16 ||
++ (ntohl(in->s_addr) & 0xffff0000) == (192 * 256 + 168) << 16 ))
+ return 1;
+
+ return 0;
+ }
+
+ static int
+-stf_checkaddr4(sc, in, inifp)
+- struct stf_softc *sc;
+- struct in_addr *in;
+- struct ifnet *inifp; /* incoming interface */
++stf_checkaddr4(struct stf_softc *sc, struct in_addr *in, struct ifnet *inifp)
+ {
+ struct in_ifaddr *ia4;
+
+@@ -602,13 +772,6 @@ stf_checkaddr4(sc, in, inifp)
+ }
+
+ /*
+- * reject packets with private address range.
+- * (requirement from RFC3056 section 2 1st paragraph)
+- */
+- if (isrfc1918addr(in))
+- return -1;
+-
+- /*
+ * reject packets with broadcast
+ */
+ IN_IFADDR_RLOCK();
+@@ -631,7 +794,7 @@ stf_checkaddr4(sc, in, inifp)
+
+ bzero(&sin, sizeof(sin));
+ sin.sin_family = AF_INET;
+- sin.sin_len = sizeof(struct sockaddr_in);
++ sin.sin_len = sizeof(sin);
+ sin.sin_addr = *in;
+ rt = rtalloc1_fib((struct sockaddr *)&sin, 0,
+ 0UL, sc->sc_fibnum);
+@@ -652,10 +815,7 @@ stf_checkaddr4(sc, in, inifp)
+ }
+
+ static int
+-stf_checkaddr6(sc, in6, inifp)
+- struct stf_softc *sc;
+- struct in6_addr *in6;
+- struct ifnet *inifp; /* incoming interface */
++stf_checkaddr6(struct stf_softc *sc, struct in6_addr *in6, struct ifnet *inifp)
+ {
+ /*
+ * check 6to4 addresses
+@@ -679,9 +839,7 @@ stf_checkaddr6(sc, in6, inifp)
+ }
+
+ void
+-in_stf_input(m, off)
+- struct mbuf *m;
+- int off;
++in_stf_input(struct mbuf *m, int off)
+ {
+ int proto;
+ struct stf_softc *sc;
+@@ -689,6 +847,7 @@ in_stf_input(m, off)
+ struct ip6_hdr *ip6;
+ u_int8_t otos, itos;
+ struct ifnet *ifp;
++ struct route_in6 rin6;
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
More information about the svn-ports-all
mailing list