created | 2021-02-06T23:02:11Z |
---|---|
begin | 2021-02-03T00:00:00Z |
end | 2021-02-04T00:00:00Z |
path | src/sys |
commits | 4 |
date | 2021-02-03T07:41:12Z | |||
---|---|---|---|---|
author | dlg | |||
files | src/sys/net/pf.c | log | diff | annotate |
message |
change pf_route so pf only runs when packets enter and leave the stack. before this change pf_route operated on the semantic that pf runs when packets go over an interface, so when pf_route changed which interface the packet was on it would run pf_test again. this change changes (restores) the semantic that pf is only supposed to run when packets go in or out of the network stack, even if route-to is responsible for short circuiting past the network stack. just to be clear, for normal packets (ie, those not touched by route-to/reply-to/dup-to), there isn't a difference between running pf when packets enter or leave the stack, or having pf run when a packet goes over an interface. the main reason for this change is that running the same packet through pf multiple times creates confusion for the state table. by default, pf states are floating, meaning that packets are matched to states regardless of which interface they're going over. if a packet leaving on em0 is rerouted out em1, both traversals will end up using the same state, which at best will make the accounting look weird, or at worst fail some checks in the state and get dropped. another reason for this commit is to make handling of the changes that route-to makes consistent with other changes that are made to packet. eg, when nat is applied to a packet, we don't run pf_test again with the new addresses. the main caveat with this diff is you can't have one rule that pushes a packet out a different interface, and then have a rule on that second interface that NATs the packet. i'm not convinced this ever worked reliably or was used much anyway, so we don't think it's a big concern. discussed with many, with special thanks to bluhm@, sashan@ and sthen@ for weathering most of that pain. ok claudio@ sashan@ jmatthew@ |
date | 2021-02-03T11:34:24Z | |||
---|---|---|---|---|
author | mglocker | |||
files | src/sys/dev/usb/usbdi.c | log | diff | annotate |
message |
After the rev. 1.108 commit we see some issues with ugen(4) behaviour, which finally makes umb(4) fail, since ugen(4) attaches to one of the umb(4) interfaces, fails, and marks the whole device dying. Therefore make usbd_device2interface_handle() backwards compatible again. Problem reported by Mikolaj Kucharski. ok edd@ |
date | 2021-02-03T13:40:06Z | |||
---|---|---|---|---|
author | jan | |||
files | src/sys/netinet/tcp_input.c | log | diff | annotate |
message |
Turns off the direct ACK on every other segment. The kernel uses a huge amount of processing time for sending ACKs to the sender on the receiving interface. After receiving a data segment, we send out two ACKs. The first one in tcp_input() directly after receiving. The second ACK is sent out after the userland or the sosplice task read some data out of the socket buffer. Thus, we save some processing time and improve network performance. Longer tested by sthen@ OK claudio@ |
date | 2021-02-03T22:46:55Z | |||
---|---|---|---|---|
author | tobhe | |||
files | src/sys/kern/kern_pledge.c | log | diff | annotate |
message |
Add SIOCAIFADDR_IN and SIOCDIFADDR_IN to the wroute pledge to allow setting and removing IPv4 addresses. Needed for future iked(8) improvements. Discussed with sthen@ and florian@ ok bluhm@ deraadt@ |