Index: stable/11/UPDATING
===================================================================
--- stable/11/UPDATING (revision 346754)
+++ stable/11/UPDATING (revision 346755)
@@ -1,1850 +1,1856 @@
Updating Information for FreeBSD current users.
This file is maintained and copyrighted by M. Warner Losh <imp@freebsd.org>.
See end of file for further details. For commonly done items, please see the
COMMON ITEMS: section later in the file. These instructions assume that you
basically know what you are doing. If not, then please consult the FreeBSD
handbook:
https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html
Items affecting the ports and packages system can be found in
/usr/ports/UPDATING. Please read that file before running portupgrade.
NOTE: FreeBSD has switched from gcc to clang. If you have trouble bootstrapping
from older versions of FreeBSD, try WITHOUT_CLANG and WITH_GCC to bootstrap to
the tip of head, and then rebuild without this option. The bootstrap process
from older version of current across the gcc/clang cutover is a bit fragile.
+20190426:
+ CARP now sets DSCP value CS7(Network Traffic) in the flowlabel field
+ of packets by default instead of only setting TOS_LOWDELAY in IPv4,
+ which was deprecated in 1998. Original behavior can be restored by
+ setting sysctl net.inet.carp.dscp=4.
+
20190416:
Clang, llvm, lld, lldb, compiler-rt and libc++ have been upgraded to
8.0.0. Please see the 20141231 entry below for information about
prerequisites and upgrading, if you are not already using clang 3.5.0
or higher.
20190226:
geom_uzip(4) depends on the new module xz. If geom_uzip is statically
compiled into your custom kernel, add 'device xz' statement to the
kernel config.
20190220:
Co-existance for Forth and Lua interpreters in bootloaders has now been
merged to ease testing of lualoader. LOADER_DEFAULT_INTERP, documented
in build(7), may be used to control which interpreter flavor is used in
the default loader to be installed. For systems where Lua and Forth
coexist, this switch can also be made on a running system by creating a
link from /boot/loader{,.efi} to /boot/loader_${flavor}{,.efi} rather
than requiring a rebuild.
The default flavor in this branch will remain Forth. As indicated in
the 20190216 UPDATING entry, booting is a complex environment; it would
be prudent to assume that lualoader may not work for your setup and make
provisions for backup boot methods.
20190220:
zfsloader's functionality has now been folded into loader.
zfsloader is no longer necesasary once you've updated your
boot blocks. For a transition period, we will install a
hardlink for zfsloader to loader to allow a smooth transition
until the boot blocks can be updated (hard link because old
zfs boot blocks don't understand symlinks).
20190216:
Lualoader has been merged to facilitate testing on this branch. It's
purely opt-in for now by building WITH_LOADER_LUA and WITHOUT_FORTH in
/etc/src.conf, but co-existance will come shortly. Booting is a complex
environment and test coverage for Lua-enabled loaders has been thin, so
it would be prudent to assume it might not work and make provisions for
backup boot methods.
20190216:
Clang, llvm, lld, lldb, compiler-rt and libc++ have been upgraded to
7.0.1. Please see the 20141231 entry below for information about
prerequisites and upgrading, if you are not already using clang 3.5.0
or higher.
20181228:
r342562 modifies the NFSv4 server so that it obeys vfs.nfsd.nfs_privport
in the same as it is applied to NFSv2 and 3. This implies that NFSv4
servers that have vfs.nfsd.nfs_privport set will only allow mounts
from clients using a reserved port#. Since both the FreeBSD and Linux
NFSv4 clients use reserved port#s by default, this should not affect
most NFSv4 mounts.
20181107:
The '%I' format in the kern.corefile sysctl limits the number of
core files that a process can generate to the number stored in the
debug.ncores sysctl. The '%I' format is replaced by the single digit
index. Previously, if all indexes were taken the kernel would overwrite
only a core file with the highest index in a filename.
Currently the system will create a new core file if there is a free
index or if all slots are taken it will overwrite the oldest one.
20180818:
WITH_OFED option now only enables the build for the OFED libraries
and some fundamental client utilities. OpenSM and rest of the
debugging tools are enabled by WITH_OFED_EXTRA build switch.
WITH_OFED is turned on by default on amd64.
20180714:
Clang, llvm, lld, lldb, compiler-rt and libc++ have been upgraded to
6.0.1. Please see the 20141231 entry below for information about
prerequisites and upgrading, if you are not already using clang 3.5.0
or higher.
20180601:
The releng/11.2 branch has been created from stable/11@r334458.
20180504:
The tz database (tzdb) has been updated to 2018e. This version more
correctly models time stamps in time zones with negative DST such as
Europe/Dublin (from 1971 on), Europe/Prague (1946/7), and
Africa/Windhoek (1994/2017). This does not affect the UT offsets, only
time zone abbreviations and the tm_isdst flag.
20180409:
The use of RSS hash from the network card aka flowid has been
disabled by default for lagg(4) as it's currently incompatible with
the lacp and loadbalance protocols.
This can be re-enabled by setting the following in loader.conf:
net.link.lagg.default_use_flowid="1"
20180331:
Clang, llvm, lld, lldb, compiler-rt and libc++ have been upgraded to
6.0.0. Please see the 20141231 entry below for information about
prerequisites and upgrading, if you are not already using clang 3.5.0
or higher.
20180211:
The LOADER_FIREWIRE_SUPPORT build variable as been renamed to
WITH/OUT_LOADER_FIREWIRE. LOADER_{NO_,}GELI_SUPPORT has been renamed
to WITH/OUT_LOADER_GELI.
20180210:
The geli password typed at boot is now hidden. To restore the previous
behavior, see geli(8) for configuration options.
The SW_WATCHDOG option is no longer necessary to enable the
hardclock-based software watchdog if no hardware watchdog is
configured. As before, SW_WATCHDOG will cause the software
watchdog to be enabled even if a hardware watchdog is configured.
20180108:
lint(1) binaries and library are no longer built by default. To
enable building them, define WITH_LINT in src.conf. If you are using
a FreeBSD 12 or later system to build 11-stable, you may need to
install a lint(1) binary to use WITH_LINT.
20171003:
When building multiple kernels using KERNCONF, non-existent KERNCONF
files will produce an error and buildkernel will fail. Previously
missing KERNCONF files silently failed giving no indication as to
why, only to subsequently discover during installkernel that the
desired kernel was never built in the first place.
20170926:
Clang, llvm, lldb, compiler-rt and libc++ have been upgraded to 5.0.0.
Please see the 20141231 entry below for information about prerequisites
and upgrading, if you are not already using clang 3.5.0 or higher.
20170822:
Since the switch to GPT disk labels, fsck for UFS/FFS has been
unable to automatically find alternate superblocks. As of r322806,
the information needed to find alternate superblocks has been
moved to the end of the area reserved for the boot block.
Filesystems created with a newfs of this vintage or later
will create the recovery information. If you have a filesystem
created prior to this change and wish to have a recovery block
created for your filesystem, you can do so by running fsck in
forground mode (i.e., do not use the -p or -y options). As it
starts, fsck will ask ``SAVE DATA TO FIND ALTERNATE SUPERBLOCKS''
to which you should answer yes.
20170629:
The releng/11.1 branch has been created from stable/11@r320475.
20170518:
arm64 builds now use the base system LLD 4.0.0 linker by default,
instead of requiring that the aarch64-binutils port or package be
installed. To continue using aarch64-binutils, set
CROSS_BINUTILS_PREFIX=/usr/local/aarch64-freebsd/bin .
20170529:
The ctl.ko module no longer implements the iSCSI target frontend:
cfiscsi.ko does instead.
If building cfiscsi.ko as a kernel module, the module can be loaded
via one of the following methods:
- `cfiscsi_load="YES"` in loader.conf(5).
- Add `cfiscsi` to `$kld_list` in rc.conf(5).
- ctladm(8)/ctld(8), when compiled with iSCSI support
(`WITH_ISCSI=yes` in src.conf(5))
Please see cfiscsi(4) for more details.
20170511:
The mmcsd.ko module now additionally depends on geom_flashmap.ko.
Also, mmc.ko and mmcsd.ko need to be a matching pair built from the
same source (previously, the dependency of mmcsd.ko on mmc.ko was
missing, but mmcsd.ko now will refuse to load if it is incompatible
with mmc.ko).
20170414:
Binds and sends to the loopback addresses, IPv6 and IPv4, will now
use any explicitly assigned loopback address available in the jail
instead of using the first assigned address of the jail.
20170413:
As of r316810 for ipfilter, keep frags is no longer assumed when
keep state is specified in a rule. r316810 aligns ipfilter with
documentation in man pages separating keep frags from keep state.
This allows keep state to specified without forcing keep frags
and allows keep frags to be specified independently of keep state.
To maintain previous behaviour, also specify keep frags with
keep state (as documented in ipf.conf.5).
20170402:
Clang, llvm, lldb, compiler-rt and libc++ have been upgraded to 4.0.0.
Please see the 20141231 entry below for information about prerequisites
and upgrading, if you are not already using clang 3.5.0 or higher.
20170323:
The code that provides support for ZFS .zfs/ directory functionality
has been reimplemented. It's not possible now to create a snapshot
by mkdir under .zfs/snapshot/. That should be the only user visible
change.
20170319:
Many changes in the IPsec code have been merged from the FreeBSD-CURRENT
branch. The IPSEC_FILTERTUNNEL kernel option is removed in favour of
corresponding sysctl. The IPSEC_NAT_T kernel option is also removed,
and now NAT-T is supported by default. Security associations now use
the single namespace for SPI allocation, so if you use several manually
configured security associations with the same SPI, this configuration
needs modification.
20161217:
Clang, llvm, lldb, compiler-rt and libc++ have been upgraded to 3.9.1.
Please see the 20141231 entry below for information about prerequisites
and upgrading, if you are not already using clang 3.5.0 or higher.
20161124:
Clang, llvm, lldb, compiler-rt and libc++ have been upgraded to 3.9.0.
Please see the 20141231 entry below for information about prerequisites
and upgrading, if you are not already using clang 3.5.0 or higher.
20161119:
The layout of the pmap structure has changed for powerpc to put the pmap
statistics at the front for all CPU variations. libkvm(3) and all tools
that link against it need to be recompiled.
20161030:
isl(4) and cyapa(4) drivers now require a new driver,
chromebook_platform(4), to work properly on Chromebook-class hardware.
On other types of hardware the drivers may need to be configured using
device hints. Please see the corresponding manual pages for details.
20161210:
Relocatable object files with the extension of .So have been renamed
to use an extension of .pico instead. The purpose of this change is
to avoid a name clash with shared libraries on case-insensitive file
systems. On those file systems, foo.So is the same file as foo.so.
20160811:
The releng/11.0 branch has been created from stable/11@r303970.
20160708:
The stable/11 branch has been created from head@r302406.
20160622:
The libc stub for the pipe(2) system call has been replaced with
a wrapper that calls the pipe2(2) system call and the pipe(2)
system call is now only implemented by the kernels that include
"options COMPAT_FREEBSD10" in their config file (this is the
default). Users should ensure that this option is enabled in
their kernel or upgrade userspace to r302092 before upgrading their
kernel.
20160527:
CAM will now strip leading spaces from SCSI disks' serial numbers.
This will effect users who create UFS filesystems on SCSI disks using
those disk's diskid device nodes. For example, if /etc/fstab
previously contained a line like
"/dev/diskid/DISK-%20%20%20%20%20%20%20ABCDEFG0123456", you should
change it to "/dev/diskid/DISK-ABCDEFG0123456". Users of geom
transforms like gmirror may also be affected. ZFS users should
generally be fine.
20160523:
The bitstring(3) API has been updated with new functionality and
improved performance. But it is binary-incompatible with the old API.
Objects built with the new headers may not be linked against objects
built with the old headers.
20160520:
The brk and sbrk functions have been removed from libc on arm64.
Binutils from ports has been updated to not link to these
functions and should be updated to the latest version before
installing a new libc.
20160517:
The armv6 port now defaults to hard float ABI. Limited support
for running both hardfloat and soft float on the same system
is available using the libraries installed with -DWITH_LIBSOFT.
This has only been tested as an upgrade path for installworld
and packages may fail or need manual intervention to run. New
packages will be needed.
To update an existing self-hosted armv6hf system, you must add
TARGET_ARCH=armv6 on the make command line for both the build
and the install steps.
20160510:
Kernel modules compiled outside of a kernel build now default to
installing to /boot/modules instead of /boot/kernel. Many kernel
modules built this way (such as those in ports) already overrode
KMODDIR explicitly to install into /boot/modules. However,
manually building and installing a module from /sys/modules will
now install to /boot/modules instead of /boot/kernel.
20160414:
The CAM I/O scheduler has been committed to the kernel. There should be
no user visible impact. This does enable NCQ Trim on ada SSDs. While the
list of known rogues that claim support for this but actually corrupt
data is believed to be complete, be on the lookout for data
corruption. The known rogue list is believed to be complete:
o Crucial MX100, M550 drives with MU01 firmware.
o Micron M510 and M550 drives with MU01 firmware.
o Micron M500 prior to MU07 firmware
o Samsung 830, 840, and 850 all firmwares
o FCCT M500 all firmwares
Crucial has firmware http://www.crucial.com/usa/en/support-ssd-firmware
with working NCQ TRIM. For Micron branded drives, see your sales rep for
updated firmware. Black listed drives will work correctly because these
drives work correctly so long as no NCQ TRIMs are sent to them. Given
this list is the same as found in Linux, it's believed there are no
other rogues in the market place. All other models from the above
vendors work.
To be safe, if you are at all concerned, you can quirk each of your
drives to prevent NCQ from being sent by setting:
kern.cam.ada.X.quirks="0x2"
in loader.conf. If the drive requires the 4k sector quirk, set the
quirks entry to 0x3.
20160330:
The FAST_DEPEND build option has been removed and its functionality is
now the one true way. The old mkdep(1) style of 'make depend' has
been removed. See 20160311 for further details.
20160317:
Resource range types have grown from unsigned long to uintmax_t. All
drivers, and anything using libdevinfo, need to be recompiled.
20160311:
WITH_FAST_DEPEND is now enabled by default for in-tree and out-of-tree
builds. It no longer runs mkdep(1) during 'make depend', and the
'make depend' stage can safely be skipped now as it is auto ran
when building 'make all' and will generate all SRCS and DPSRCS before
building anything else. Dependencies are gathered at compile time with
-MF flags kept in separate .depend files per object file. Users should
run 'make cleandepend' once if using -DNO_CLEAN to clean out older
stale .depend files.
20160306:
On amd64, clang 3.8.0 can now insert sections of type AMD64_UNWIND into
kernel modules. Therefore, if you load any kernel modules at boot time,
please install the boot loaders after you install the kernel, but before
rebooting, e.g.:
make buildworld
make kernel KERNCONF=YOUR_KERNEL_HERE
make -C sys/boot install
<reboot in single user>
Then follow the usual steps, described in the General Notes section,
below.
20160305:
Clang, llvm, lldb and compiler-rt have been upgraded to 3.8.0. Please
see the 20141231 entry below for information about prerequisites and
upgrading, if you are not already using clang 3.5.0 or higher.
20160301:
The AIO subsystem is now a standard part of the kernel. The
VFS_AIO kernel option and aio.ko kernel module have been removed.
Due to stability concerns, asynchronous I/O requests are only
permitted on sockets and raw disks by default. To enable
asynchronous I/O requests on all file types, set the
vfs.aio.enable_unsafe sysctl to a non-zero value.
20160226:
The ELF object manipulation tool objcopy is now provided by the
ELF Tool Chain project rather than by GNU binutils. It should be a
drop-in replacement, with the addition of arm64 support. The
(temporary) src.conf knob WITHOUT_ELFCOPY_AS_OBJCOPY knob may be set
to obtain the GNU version if necessary.
20160129:
Building ZFS pools on top of zvols is prohibited by default. That
feature has never worked safely; it's always been prone to deadlocks.
Using a zvol as the backing store for a VM guest's virtual disk will
still work, even if the guest is using ZFS. Legacy behavior can be
restored by setting vfs.zfs.vol.recursive=1.
20160119:
The NONE and HPN patches has been removed from OpenSSH. They are
still available in the security/openssh-portable port.
20160113:
With the addition of ypldap(8), a new _ypldap user is now required
during installworld. "mergemaster -p" can be used to add the user
prior to installworld, as documented in the handbook.
20151216:
The tftp loader (pxeboot) now uses the option root-path directive. As a
consequence it no longer looks for a pxeboot.4th file on the tftp
server. Instead it uses the regular /boot infrastructure as with the
other loaders.
20151211:
The code to start recording plug and play data into the modules has
been committed. While the old tools will properly build a new kernel,
a number of warnings about "unknown metadata record 4" will be produced
for an older kldxref. To avoid such warnings, make sure to rebuild
the kernel toolchain (or world). Make sure that you have r292078 or
later when trying to build 292077 or later before rebuilding.
20151207:
Debug data files are now built by default with 'make buildworld' and
installed with 'make installworld'. This facilitates debugging but
requires more disk space both during the build and for the installed
world. Debug files may be disabled by setting WITHOUT_DEBUG_FILES=yes
in src.conf(5).
20151130:
r291527 changed the internal interface between the nfsd.ko and
nfscommon.ko modules. As such, they must both be upgraded to-gether.
__FreeBSD_version has been bumped because of this.
20151108:
Add support for unicode collation strings leads to a change of
order of files listed by ls(1) for example. To get back to the old
behaviour, set LC_COLLATE environment variable to "C".
Databases administrators will need to reindex their databases given
collation results will be different.
Due to a bug in install(1) it is recommended to remove the ancient
locales before running make installworld.
rm -rf /usr/share/locale/*
20151030:
The OpenSSL has been upgraded to 1.0.2d. Any binaries requiring
libcrypto.so.7 or libssl.so.7 must be recompiled.
20151020:
Qlogic 24xx/25xx firmware images were updated from 5.5.0 to 7.3.0.
Kernel modules isp_2400_multi and isp_2500_multi were removed and
should be replaced with isp_2400 and isp_2500 modules respectively.
20151017:
The build previously allowed using 'make -n' to not recurse into
sub-directories while showing what commands would be executed, and
'make -n -n' to recursively show commands. Now 'make -n' will recurse
and 'make -N' will not.
20151012:
If you specify SENDMAIL_MC or SENDMAIL_CF in make.conf, mergemaster
and etcupdate will now use this file. A custom sendmail.cf is now
updated via this mechanism rather than via installworld. If you had
excluded sendmail.cf in mergemaster.rc or etcupdate.conf, you may
want to remove the exclusion or change it to "always install".
/etc/mail/sendmail.cf is now managed the same way regardless of
whether SENDMAIL_MC/SENDMAIL_CF is used. If you are not using
SENDMAIL_MC/SENDMAIL_CF there should be no change in behavior.
20151011:
Compatibility shims for legacy ATA device names have been removed.
It includes ATA_STATIC_ID kernel option, kern.cam.ada.legacy_aliases
and kern.geom.raid.legacy_aliases loader tunables, kern.devalias.*
environment variables, /dev/ad* and /dev/ar* symbolic links.
20151006:
Clang, llvm, lldb, compiler-rt and libc++ have been upgraded to 3.7.0.
Please see the 20141231 entry below for information about prerequisites
and upgrading, if you are not already using clang 3.5.0 or higher.
20150924:
Kernel debug files have been moved to /usr/lib/debug/boot/kernel/,
and renamed from .symbols to .debug. This reduces the size requirements
on the boot partition or file system and provides consistency with
userland debug files.
When using the supported kernel installation method the
/usr/lib/debug/boot/kernel directory will be renamed (to kernel.old)
as is done with /boot/kernel.
Developers wishing to maintain the historical behavior of installing
debug files in /boot/kernel/ can set KERN_DEBUGDIR="" in src.conf(5).
20150827:
The wireless drivers had undergone changes that remove the 'parent
interface' from the ifconfig -l output. The rc.d network scripts
used to check presence of a parent interface in the list, so old
scripts would fail to start wireless networking. Thus, etcupdate(3)
or mergemaster(8) run is required after kernel update, to update your
rc.d scripts in /etc.
20150827:
pf no longer supports 'scrub fragment crop' or 'scrub fragment drop-ovl'
These configurations are now automatically interpreted as
'scrub fragment reassemble'.
20150817:
Kernel-loadable modules for the random(4) device are back. To use
them, the kernel must have
device random
options RANDOM_LOADABLE
kldload(8) can then be used to load random_fortuna.ko
or random_yarrow.ko. Please note that due to the indirect
function calls that the loadable modules need to provide,
the build-in variants will be slightly more efficient.
The random(4) kernel option RANDOM_DUMMY has been retired due to
unpopularity. It was not all that useful anyway.
20150813:
The WITHOUT_ELFTOOLCHAIN_TOOLS src.conf(5) knob has been retired.
Control over building the ELF Tool Chain tools is now provided by
the WITHOUT_TOOLCHAIN knob.
20150810:
The polarity of Pulse Per Second (PPS) capture events with the
uart(4) driver has been corrected. Prior to this change the PPS
"assert" event corresponded to the trailing edge of a positive PPS
pulse and the "clear" event was the leading edge of the next pulse.
As the width of a PPS pulse in a typical GPS receiver is on the
order of 1 millisecond, most users will not notice any significant
difference with this change.
Anyone who has compensated for the historical polarity reversal by
configuring a negative offset equal to the pulse width will need to
remove that workaround.
20150809:
The default group assigned to /dev/dri entries has been changed
from 'wheel' to 'video' with the id of '44'. If you want to have
access to the dri devices please add yourself to the video group
with:
# pw groupmod video -m $USER
20150806:
The menu.rc and loader.rc files will now be replaced during
upgrades. Please migrate local changes to menu.rc.local and
loader.rc.local instead.
20150805:
GNU Binutils versions of addr2line, c++filt, nm, readelf, size,
strings and strip have been removed. The src.conf(5) knob
WITHOUT_ELFTOOLCHAIN_TOOLS no longer provides the binutils tools.
20150728:
As ZFS requires more kernel stack pages than is the default on some
architectures e.g. i386, it now warns if KSTACK_PAGES is less than
ZFS_MIN_KSTACK_PAGES (which is 4 at the time of writing).
Please consider using 'options KSTACK_PAGES=X' where X is greater
than or equal to ZFS_MIN_KSTACK_PAGES i.e. 4 in such configurations.
20150706:
sendmail has been updated to 8.15.2. Starting with FreeBSD 11.0
and sendmail 8.15, sendmail uses uncompressed IPv6 addresses by
default, i.e., they will not contain "::". For example, instead
of ::1, it will be 0:0:0:0:0:0:0:1. This permits a zero subnet
to have a more specific match, such as different map entries for
IPv6:0:0 vs IPv6:0. This change requires that configuration
data (including maps, files, classes, custom ruleset, etc.) must
use the same format, so make certain such configuration data is
upgrading. As a very simple check search for patterns like
'IPv6:[0-9a-fA-F:]*::' and 'IPv6::'. To return to the old
behavior, set the m4 option confUSE_COMPRESSED_IPV6_ADDRESSES or
the cf option UseCompressedIPv6Addresses.
20150630:
The default kernel entropy-processing algorithm is now
Fortuna, replacing Yarrow.
Assuming you have 'device random' in your kernel config
file, the configurations allow a kernel option to override
this default. You may choose *ONE* of:
options RANDOM_YARROW # Legacy /dev/random algorithm.
options RANDOM_DUMMY # Blocking-only driver.
If you have neither, you get Fortuna. For most people,
read no further, Fortuna will give a /dev/random that works
like it always used to, and the difference will be irrelevant.
If you remove 'device random', you get *NO* kernel-processed
entropy at all. This may be acceptable to folks building
embedded systems, but has complications. Carry on reading,
and it is assumed you know what you need.
*PLEASE* read random(4) and random(9) if you are in the
habit of tweaking kernel configs, and/or if you are a member
of the embedded community, wanting specific and not-usual
behaviour from your security subsystems.
NOTE!! If you use RANDOM_DUMMY and/or have no 'device
random', you will NOT have a functioning /dev/random, and
many cryptographic features will not work, including SSH.
You may also find strange behaviour from the random(3) set
of library functions, in particular sranddev(3), srandomdev(3)
and arc4random(3). The reason for this is that the KERN_ARND
sysctl only returns entropy if it thinks it has some to
share, and with RANDOM_DUMMY or no 'device random' this
will never happen.
20150623:
An additional fix for the issue described in the 20150614 sendmail
entry below has been been committed in revision 284717.
20150616:
FreeBSD's old make (fmake) has been removed from the system. It is
available as the devel/fmake port or via pkg install fmake.
20150615:
The fix for the issue described in the 20150614 sendmail entry
below has been been committed in revision 284436. The work
around described in that entry is no longer needed unless the
default setting is overridden by a confDH_PARAMETERS configuration
setting of '5' or pointing to a 512 bit DH parameter file.
20150614:
ALLOW_DEPRECATED_ATF_TOOLS/ATFFILE support has been removed from
atf.test.mk (included from bsd.test.mk). Please upgrade devel/atf
and devel/kyua to version 0.20+ and adjust any calling code to work
with Kyuafile and kyua.
20150614:
The import of openssl to address the FreeBSD-SA-15:10.openssl
security advisory includes a change which rejects handshakes
with DH parameters below 768 bits. sendmail releases prior
to 8.15.2 (not yet released), defaulted to a 512 bit
DH parameter setting for client connections. To work around
this interoperability, sendmail can be configured to use a
2048 bit DH parameter by:
1. Edit /etc/mail/`hostname`.mc
2. If a setting for confDH_PARAMETERS does not exist or
exists and is set to a string beginning with '5',
replace it with '2'.
3. If a setting for confDH_PARAMETERS exists and is set to
a file path, create a new file with:
openssl dhparam -out /path/to/file 2048
4. Rebuild the .cf file:
cd /etc/mail/; make; make install
5. Restart sendmail:
cd /etc/mail/; make restart
A sendmail patch is coming, at which time this file will be
updated.
20150604:
Generation of legacy formatted entries have been disabled by default
in pwd_mkdb(8), as all base system consumers of the legacy formatted
entries were converted to use the new format by default when the new,
machine independent format have been added and supported since FreeBSD
5.x.
Please see the pwd_mkdb(8) manual page for further details.
20150525:
Clang and llvm have been upgraded to 3.6.1 release. Please see the
20141231 entry below for information about prerequisites and upgrading,
if you are not already using 3.5.0 or higher.
20150521:
TI platform code switched to using vendor DTS files and this update
may break existing systems running on Beaglebone, Beaglebone Black,
and Pandaboard:
- dtb files should be regenerated/reinstalled. Filenames are the
same but content is different now
- GPIO addressing was changed, now each GPIO bank (32 pins per bank)
has its own /dev/gpiocX device, e.g. pin 121 on /dev/gpioc0 in old
addressing scheme is now pin 25 on /dev/gpioc3.
- Pandaboard: /etc/ttys should be updated, serial console device is
now /dev/ttyu2, not /dev/ttyu0
20150501:
soelim(1) from gnu/usr.bin/groff has been replaced by usr.bin/soelim.
If you need the GNU extension from groff soelim(1), install groff
from package: pkg install groff, or via ports: textproc/groff.
20150423:
chmod, chflags, chown and chgrp now affect symlinks in -R mode as
defined in symlink(7); previously symlinks were silently ignored.
20150415:
The const qualifier has been removed from iconv(3) to comply with
POSIX. The ports tree is aware of this from r384038 onwards.
20150416:
Libraries specified by LIBADD in Makefiles must have a corresponding
DPADD_<lib> variable to ensure correct dependencies. This is now
enforced in src.libnames.mk.
20150324:
From legacy ata(4) driver was removed support for SATA controllers
supported by more functional drivers ahci(4), siis(4) and mvs(4).
Kernel modules ataahci and ataadaptec were removed completely,
replaced by ahci and mvs modules respectively.
20150315:
Clang, llvm and lldb have been upgraded to 3.6.0 release. Please see
the 20141231 entry below for information about prerequisites and
upgrading, if you are not already using 3.5.0 or higher.
20150307:
The 32-bit PowerPC kernel has been changed to a position-independent
executable. This can only be booted with a version of loader(8)
newer than January 31, 2015, so make sure to update both world and
kernel before rebooting.
20150217:
If you are running a -CURRENT kernel since r273872 (Oct 30th, 2014),
but before r278950, the RNG was not seeded properly. Immediately
upgrade the kernel to r278950 or later and regenerate any keys (e.g.
ssh keys or openssl keys) that were generated w/ a kernel from that
range. This does not affect programs that directly used /dev/random
or /dev/urandom. All userland uses of arc4random(3) are affected.
20150210:
The autofs(4) ABI was changed in order to restore binary compatibility
with 10.1-RELEASE. The automountd(8) daemon needs to be rebuilt to work
with the new kernel.
20150131:
The powerpc64 kernel has been changed to a position-independent
executable. This can only be booted with a new version of loader(8),
so make sure to update both world and kernel before rebooting.
20150118:
Clang and llvm have been upgraded to 3.5.1 release. This is a bugfix
only release, no new features have been added. Please see the 20141231
entry below for information about prerequisites and upgrading, if you
are not already using 3.5.0.
20150107:
ELF tools addr2line, elfcopy (strip), nm, size, and strings are now
taken from the ELF Tool Chain project rather than GNU binutils. They
should be drop-in replacements, with the addition of arm64 support.
The WITHOUT_ELFTOOLCHAIN_TOOLS= knob may be used to obtain the
binutils tools, if necessary. See 20150805 for updated information.
20150105:
The default Unbound configuration now enables remote control
using a local socket. Users who have already enabled the
local_unbound service should regenerate their configuration
by running "service local_unbound setup" as root.
20150102:
The GNU texinfo and GNU info pages have been removed.
To be able to view GNU info pages please install texinfo from ports.
20141231:
Clang, llvm and lldb have been upgraded to 3.5.0 release.
As of this release, a prerequisite for building clang, llvm and lldb is
a C++11 capable compiler and C++11 standard library. This means that to
be able to successfully build the cross-tools stage of buildworld, with
clang as the bootstrap compiler, your system compiler or cross compiler
should either be clang 3.3 or later, or gcc 4.8 or later, and your
system C++ library should be libc++, or libdstdc++ from gcc 4.8 or
later.
On any standard FreeBSD 10.x or 11.x installation, where clang and
libc++ are on by default (that is, on x86 or arm), this should work out
of the box.
On 9.x installations where clang is enabled by default, e.g. on x86 and
powerpc, libc++ will not be enabled by default, so libc++ should be
built (with clang) and installed first. If both clang and libc++ are
missing, build clang first, then use it to build libc++.
On 8.x and earlier installations, upgrade to 9.x first, and then follow
the instructions for 9.x above.
Sparc64 and mips users are unaffected, as they still use gcc 4.2.1 by
default, and do not build clang.
Many embedded systems are resource constrained, and will not be able to
build clang in a reasonable time, or in some cases at all. In those
cases, cross building bootable systems on amd64 is a workaround.
This new version of clang introduces a number of new warnings, of which
the following are most likely to appear:
-Wabsolute-value
This warns in two cases, for both C and C++:
* When the code is trying to take the absolute value of an unsigned
quantity, which is effectively a no-op, and almost never what was
intended. The code should be fixed, if at all possible. If you are
sure that the unsigned quantity can be safely cast to signed, without
loss of information or undefined behavior, you can add an explicit
cast, or disable the warning.
* When the code is trying to take an absolute value, but the called
abs() variant is for the wrong type, which can lead to truncation.
If you want to disable the warning instead of fixing the code, please
make sure that truncation will not occur, or it might lead to unwanted
side-effects.
-Wtautological-undefined-compare and
-Wundefined-bool-conversion
These warn when C++ code is trying to compare 'this' against NULL, while
'this' should never be NULL in well-defined C++ code. However, there is
some legacy (pre C++11) code out there, which actively abuses this
feature, which was less strictly defined in previous C++ versions.
Squid and openjdk do this, for example. The warning can be turned off
for C++98 and earlier, but compiling the code in C++11 mode might result
in unexpected behavior; for example, the parts of the program that are
unreachable could be optimized away.
20141222:
The old NFS client and server (kernel options NFSCLIENT, NFSSERVER)
kernel sources have been removed. The .h files remain, since some
utilities include them. This will need to be fixed later.
If "mount -t oldnfs ..." is attempted, it will fail.
If the "-o" option on mountd(8), nfsd(8) or nfsstat(1) is used,
the utilities will report errors.
20141121:
The handling of LOCAL_LIB_DIRS has been altered to skip addition of
directories to top level SUBDIR variable when their parent
directory is included in LOCAL_DIRS. Users with build systems with
such hierarchies and without SUBDIR entries in the parent
directory Makefiles should add them or add the directories to
LOCAL_DIRS.
20141109:
faith(4) and faithd(8) have been removed from the base system. Faith
has been obsolete for a very long time.
20141104:
vt(4), the new console driver, is enabled by default. It brings
support for Unicode and double-width characters, as well as
support for UEFI and integration with the KMS kernel video
drivers.
You may need to update your console settings in /etc/rc.conf,
most probably the keymap. During boot, /etc/rc.d/syscons will
indicate what you need to do.
vt(4) still has issues and lacks some features compared to
syscons(4). See the wiki for up-to-date information:
https://wiki.freebsd.org/Newcons
If you want to keep using syscons(4), you can do so by adding
the following line to /boot/loader.conf:
kern.vty=sc
20141102:
pjdfstest has been integrated into kyua as an opt-in test suite.
Please see share/doc/pjdfstest/README for more details on how to
execute it.
20141009:
gperf has been removed from the base system for architectures
that use clang. Ports that require gperf will obtain it from the
devel/gperf port.
20140923:
pjdfstest has been moved from tools/regression/pjdfstest to
contrib/pjdfstest .
20140922:
At svn r271982, The default linux compat kernel ABI has been adjusted
to 2.6.18 in support of the linux-c6 compat ports infrastructure
update. If you wish to continue using the linux-f10 compat ports,
add compat.linux.osrelease=2.6.16 to your local sysctl.conf. Users are
encouraged to update their linux-compat packages to linux-c6 during
their next update cycle.
20140729:
The ofwfb driver, used to provide a graphics console on PowerPC when
using vt(4), no longer allows mmap() of all physical memory. This
will prevent Xorg on PowerPC with some ATI graphics cards from
initializing properly unless x11-servers/xorg-server is updated to
1.12.4_8 or newer.
20140723:
The xdev targets have been converted to using TARGET and
TARGET_ARCH instead of XDEV and XDEV_ARCH.
20140719:
The default unbound configuration has been modified to address
issues with reverse lookups on networks that use private
address ranges. If you use the local_unbound service, run
"service local_unbound setup" as root to regenerate your
configuration, then "service local_unbound reload" to load the
new configuration.
20140709:
The GNU texinfo and GNU info pages are not built and installed
anymore, WITH_INFO knob has been added to allow to built and install
them again.
UPDATE: see 20150102 entry on texinfo's removal
20140708:
The GNU readline library is now an INTERNALLIB - that is, it is
statically linked into consumers (GDB and variants) in the base
system, and the shared library is no longer installed. The
devel/readline port is available for third party software that
requires readline.
20140702:
The Itanium architecture (ia64) has been removed from the list of
known architectures. This is the first step in the removal of the
architecture.
20140701:
Commit r268115 has added NFSv4.1 server support, merged from
projects/nfsv4.1-server. Since this includes changes to the
internal interfaces between the NFS related modules, a full
build of the kernel and modules will be necessary.
__FreeBSD_version has been bumped.
20140629:
The WITHOUT_VT_SUPPORT kernel config knob has been renamed
WITHOUT_VT. (The other _SUPPORT knobs have a consistent meaning
which differs from the behaviour controlled by this knob.)
20140619:
Maximal length of the serial number in CTL was increased from 16 to
64 chars, that breaks ABI. All CTL-related tools, such as ctladm
and ctld, need to be rebuilt to work with a new kernel.
20140606:
The libatf-c and libatf-c++ major versions were downgraded to 0 and
1 respectively to match the upstream numbers. They were out of
sync because, when they were originally added to FreeBSD, the
upstream versions were not respected. These libraries are private
and not yet built by default, so renumbering them should be a
non-issue. However, unclean source trees will yield broken test
programs once the operator executes "make delete-old-libs" after a
"make installworld".
Additionally, the atf-sh binary was made private by moving it into
/usr/libexec/. Already-built shell test programs will keep the
path to the old binary so they will break after "make delete-old"
is run.
If you are using WITH_TESTS=yes (not the default), wipe the object
tree and rebuild from scratch to prevent spurious test failures.
This is only needed once: the misnumbered libraries and misplaced
binaries have been added to OptionalObsoleteFiles.inc so they will
be removed during a clean upgrade.
20140512:
Clang and llvm have been upgraded to 3.4.1 release.
20140508:
We bogusly installed src.opts.mk in /usr/share/mk. This file should
be removed to avoid issues in the future (and has been added to
ObsoleteFiles.inc).
20140505:
/etc/src.conf now affects only builds of the FreeBSD src tree. In the
past, it affected all builds that used the bsd.*.mk files. The old
behavior was a bug, but people may have relied upon it. To get this
behavior back, you can .include /etc/src.conf from /etc/make.conf
(which is still global and isn't changed). This also changes the
behavior of incremental builds inside the tree of individual
directories. Set MAKESYSPATH to ".../share/mk" to do that.
Although this has survived make universe and some upgrade scenarios,
other upgrade scenarios may have broken. At least one form of
temporary breakage was fixed with MAKESYSPATH settings for buildworld
as well... In cases where MAKESYSPATH isn't working with this
setting, you'll need to set it to the full path to your tree.
One side effect of all this cleaning up is that bsd.compiler.mk
is no longer implicitly included by bsd.own.mk. If you wish to
use COMPILER_TYPE, you must now explicitly include bsd.compiler.mk
as well.
20140430:
The lindev device has been removed since /dev/full has been made a
standard device. __FreeBSD_version has been bumped.
20140424:
The knob WITHOUT_VI was added to the base system, which controls
building ex(1), vi(1), etc. Older releases of FreeBSD required ex(1)
in order to reorder files share/termcap and didn't build ex(1) as a
build tool, so building/installing with WITH_VI is highly advised for
build hosts for older releases.
This issue has been fixed in stable/9 and stable/10 in r277022 and
r276991, respectively.
20140418:
The YES_HESIOD knob has been removed. It has been obsolete for
a decade. Please move to using WITH_HESIOD instead or your builds
will silently lack HESIOD.
20140405:
The uart(4) driver has been changed with respect to its handling
of the low-level console. Previously the uart(4) driver prevented
any process from changing the baudrate or the CLOCAL and HUPCL
control flags. By removing the restrictions, operators can make
changes to the serial console port without having to reboot.
However, when getty(8) is started on the serial device that is
associated with the low-level console, a misconfigured terminal
line in /etc/ttys will now have a real impact.
Before upgrading the kernel, make sure that /etc/ttys has the
serial console device configured as 3wire without baudrate to
preserve the previous behaviour. E.g:
ttyu0 "/usr/libexec/getty 3wire" vt100 on secure
20140306:
Support for libwrap (TCP wrappers) in rpcbind was disabled by default
to improve performance. To re-enable it, if needed, run rpcbind
with command line option -W.
20140226:
Switched back to the GPL dtc compiler due to updates in the upstream
dts files not being supported by the BSDL dtc compiler. You will need
to rebuild your kernel toolchain to pick up the new compiler. Core dumps
may result while building dtb files during a kernel build if you fail
to do so. Set WITHOUT_GPL_DTC if you require the BSDL compiler.
20140216:
Clang and llvm have been upgraded to 3.4 release.
20140216:
The nve(4) driver has been removed. Please use the nfe(4) driver
for NVIDIA nForce MCP Ethernet adapters instead.
20140212:
An ABI incompatibility crept into the libc++ 3.4 import in r261283.
This could cause certain C++ applications using shared libraries built
against the previous version of libc++ to crash. The incompatibility
has now been fixed, but any C++ applications or shared libraries built
between r261283 and r261801 should be recompiled.
20140204:
OpenSSH will now ignore errors caused by kernel lacking of Capsicum
capability mode support. Please note that enabling the feature in
kernel is still highly recommended.
20140131:
OpenSSH is now built with sandbox support, and will use sandbox as
the default privilege separation method. This requires Capsicum
capability mode support in kernel.
20140128:
The libelf and libdwarf libraries have been updated to newer
versions from upstream. Shared library version numbers for
these two libraries were bumped. Any ports or binaries
requiring these two libraries should be recompiled.
__FreeBSD_version is bumped to 1100006.
20140110:
If a Makefile in a tests/ directory was auto-generating a Kyuafile
instead of providing an explicit one, this would prevent such
Makefile from providing its own Kyuafile in the future during
NO_CLEAN builds. This has been fixed in the Makefiles but manual
intervention is needed to clean an objdir if you use NO_CLEAN:
# find /usr/obj -name Kyuafile | xargs rm -f
20131213:
The behavior of gss_pseudo_random() for the krb5 mechanism
has changed, for applications requesting a longer random string
than produced by the underlying enctype's pseudo-random() function.
In particular, the random string produced from a session key of
enctype aes256-cts-hmac-sha1-96 or aes256-cts-hmac-sha1-96 will
be different at the 17th octet and later, after this change.
The counter used in the PRF+ construction is now encoded as a
big-endian integer in accordance with RFC 4402.
__FreeBSD_version is bumped to 1100004.
20131108:
The WITHOUT_ATF build knob has been removed and its functionality
has been subsumed into the more generic WITHOUT_TESTS. If you were
using the former to disable the build of the ATF libraries, you
should change your settings to use the latter.
20131025:
The default version of mtree is nmtree which is obtained from
NetBSD. The output is generally the same, but may vary
slightly. If you found you need identical output adding
"-F freebsd9" to the command line should do the trick. For the
time being, the old mtree is available as fmtree.
20131014:
libbsdyml has been renamed to libyaml and moved to /usr/lib/private.
This will break ports-mgmt/pkg. Rebuild the port, or upgrade to pkg
1.1.4_8 and verify bsdyml not linked in, before running "make
delete-old-libs":
# make -C /usr/ports/ports-mgmt/pkg build deinstall install clean
or
# pkg install pkg; ldd /usr/local/sbin/pkg | grep bsdyml
20131010:
The stable/10 branch has been created in subversion from head
revision r256279.
20131010:
The rc.d/jail script has been updated to support jail(8)
configuration file. The "jail_<jname>_*" rc.conf(5) variables
for per-jail configuration are automatically converted to
/var/run/jail.<jname>.conf before the jail(8) utility is invoked.
This is transparently backward compatible. See below about some
incompatibilities and rc.conf(5) manual page for more details.
These variables are now deprecated in favor of jail(8) configuration
file. One can use "rc.d/jail config <jname>" command to generate
a jail(8) configuration file in /var/run/jail.<jname>.conf without
running the jail(8) utility. The default pathname of the
configuration file is /etc/jail.conf and can be specified by
using $jail_conf or $jail_<jname>_conf variables.
Please note that jail_devfs_ruleset accepts an integer at
this moment. Please consider to rewrite the ruleset name
with an integer.
20130930:
BIND has been removed from the base system. If all you need
is a local resolver, simply enable and start the local_unbound
service instead. Otherwise, several versions of BIND are
available in the ports tree. The dns/bind99 port is one example.
With this change, nslookup(1) and dig(1) are no longer in the base
system. Users should instead use host(1) and drill(1) which are
in the base system. Alternatively, nslookup and dig can
be obtained by installing the dns/bind-tools port.
20130916:
With the addition of unbound(8), a new unbound user is now
required during installworld. "mergemaster -p" can be used to
add the user prior to installworld, as documented in the handbook.
20130911:
OpenSSH is now built with DNSSEC support, and will by default
silently trust signed SSHFP records. This can be controlled with
the VerifyHostKeyDNS client configuration setting. DNSSEC support
can be disabled entirely with the WITHOUT_LDNS option in src.conf.
20130906:
The GNU Compiler Collection and C++ standard library (libstdc++)
are no longer built by default on platforms where clang is the system
compiler. You can enable them with the WITH_GCC and WITH_GNUCXX
options in src.conf.
20130905:
The PROCDESC kernel option is now part of the GENERIC kernel
configuration and is required for the rwhod(8) to work.
If you are using custom kernel configuration, you should include
'options PROCDESC'.
20130905:
The API and ABI related to the Capsicum framework was modified
in backward incompatible way. The userland libraries and programs
have to be recompiled to work with the new kernel. This includes the
following libraries and programs, but the whole buildworld is
advised: libc, libprocstat, dhclient, tcpdump, hastd, hastctl,
kdump, procstat, rwho, rwhod, uniq.
20130903:
AES-NI intrinsic support has been added to gcc. The AES-NI module
has been updated to use this support. A new gcc is required to build
the aesni module on both i386 and amd64.
20130821:
The PADLOCK_RNG and RDRAND_RNG kernel options are now devices.
Thus "device padlock_rng" and "device rdrand_rng" should be
used instead of "options PADLOCK_RNG" & "options RDRAND_RNG".
20130813:
WITH_ICONV has been split into two feature sets. WITH_ICONV now
enables just the iconv* functionality and is now on by default.
WITH_LIBICONV_COMPAT enables the libiconv api and link time
compatibility. Set WITHOUT_ICONV to build the old way.
If you have been using WITH_ICONV before, you will very likely
need to turn on WITH_LIBICONV_COMPAT.
20130806:
INVARIANTS option now enables DEBUG for code with OpenSolaris and
Illumos origin, including ZFS. If you have INVARIANTS in your
kernel configuration, then there is no need to set DEBUG or ZFS_DEBUG
explicitly.
DEBUG used to enable witness(9) tracking of OpenSolaris (mostly ZFS)
locks if WITNESS option was set. Because that generated a lot of
witness(9) reports and all of them were believed to be false
positives, this is no longer done. New option OPENSOLARIS_WITNESS
can be used to achieve the previous behavior.
20130806:
Timer values in IPv6 data structures now use time_uptime instead
of time_second. Although this is not a user-visible functional
change, userland utilities which directly use them---ndp(8),
rtadvd(8), and rtsold(8) in the base system---need to be updated
to r253970 or later.
20130802:
find -delete can now delete the pathnames given as arguments,
instead of only files found below them or if the pathname did
not contain any slashes. Formerly, the following error message
would result:
find: -delete: <path>: relative path potentially not safe
Deleting the pathnames given as arguments can be prevented
without error messages using -mindepth 1 or by changing
directory and passing "." as argument to find. This works in the
old as well as the new version of find.
20130726:
Behavior of devfs rules path matching has been changed.
Pattern is now always matched against fully qualified devfs
path and slash characters must be explicitly matched by
slashes in pattern (FNM_PATHNAME). Rulesets involving devfs
subdirectories must be reviewed.
20130716:
The default ARM ABI has changed to the ARM EABI. The old ABI is
incompatible with the ARM EABI and all programs and modules will
need to be rebuilt to work with a new kernel.
To keep using the old ABI ensure the WITHOUT_ARM_EABI knob is set.
NOTE: Support for the old ABI will be removed in the future and
users are advised to upgrade.
20130709:
pkg_install has been disconnected from the build if you really need it
you should add WITH_PKGTOOLS in your src.conf(5).
20130709:
Most of network statistics structures were changed to be able
keep 64-bits counters. Thus all tools, that work with networking
statistics, must be rebuilt (netstat(1), bsnmpd(1), etc.)
20130618:
Fix a bug that allowed a tracing process (e.g. gdb) to write
to a memory-mapped file in the traced process's address space
even if neither the traced process nor the tracing process had
write access to that file.
20130615:
CVS has been removed from the base system. An exact copy
of the code is available from the devel/cvs port.
20130613:
Some people report the following error after the switch to bmake:
make: illegal option -- J
usage: make [-BPSXeiknpqrstv] [-C directory] [-D variable]
...
*** [buildworld] Error code 2
this likely due to an old instance of make in
${MAKEPATH} (${MAKEOBJDIRPREFIX}${.CURDIR}/make.${MACHINE})
which src/Makefile will use that blindly, if it exists, so if
you see the above error:
rm -rf `make -V MAKEPATH`
should resolve it.
20130516:
Use bmake by default.
Whereas before one could choose to build with bmake via
-DWITH_BMAKE one must now use -DWITHOUT_BMAKE to use the old
make. The goal is to remove these knobs for 10-RELEASE.
It is worth noting that bmake (like gmake) treats the command
line as the unit of failure, rather than statements within the
command line. Thus '(cd some/where && dosomething)' is safer
than 'cd some/where; dosomething'. The '()' allows consistent
behavior in parallel build.
20130429:
Fix a bug that allows NFS clients to issue READDIR on files.
20130426:
The WITHOUT_IDEA option has been removed because
the IDEA patent expired.
20130426:
The sysctl which controls TRIM support under ZFS has been renamed
from vfs.zfs.trim_disable -> vfs.zfs.trim.enabled and has been
enabled by default.
20130425:
The mergemaster command now uses the default MAKEOBJDIRPREFIX
rather than creating it's own in the temporary directory in
order allow access to bootstrapped versions of tools such as
install and mtree. When upgrading from version of FreeBSD where
the install command does not support -l, you will need to
install a new mergemaster command if mergemaster -p is required.
This can be accomplished with the command (cd src/usr.sbin/mergemaster
&& make install).
20130404:
Legacy ATA stack, disabled and replaced by new CAM-based one since
FreeBSD 9.0, completely removed from the sources. Kernel modules
atadisk and atapi*, user-level tools atacontrol and burncd are
removed. Kernel option `options ATA_CAM` is now permanently enabled
and removed.
20130319:
SOCK_CLOEXEC and SOCK_NONBLOCK flags have been added to socket(2)
and socketpair(2). Software, in particular Kerberos, may
automatically detect and use these during building. The resulting
binaries will not work on older kernels.
20130308:
CTL_DISABLE has also been added to the sparc64 GENERIC (for further
information, see the respective 20130304 entry).
20130304:
Recent commits to callout(9) changed the size of struct callout,
so the KBI is probably heavily disturbed. Also, some functions
in callout(9)/sleep(9)/sleepqueue(9)/condvar(9) KPIs were replaced
by macros. Every kernel module using it won't load, so rebuild
is requested.
The ctl device has been re-enabled in GENERIC for i386 and amd64,
but does not initialize by default (because of the new CTL_DISABLE
option) to save memory. To re-enable it, remove the CTL_DISABLE
option from the kernel config file or set kern.cam.ctl.disable=0
in /boot/loader.conf.
20130301:
The ctl device has been disabled in GENERIC for i386 and amd64.
This was done due to the extra memory being allocated at system
initialisation time by the ctl driver which was only used if
a CAM target device was created. This makes a FreeBSD system
unusable on 128MB or less of RAM.
20130208:
A new compression method (lz4) has been merged to -HEAD. Please
refer to zpool-features(7) for more information.
Please refer to the "ZFS notes" section of this file for information
on upgrading boot ZFS pools.
20130129:
A BSD-licensed patch(1) variant has been added and is installed
as bsdpatch, being the GNU version the default patch.
To inverse the logic and use the BSD-licensed one as default,
while having the GNU version installed as gnupatch, rebuild
and install world with the WITH_BSD_PATCH knob set.
20130121:
Due to the use of the new -l option to install(1) during build
and install, you must take care not to directly set the INSTALL
make variable in your /etc/make.conf, /etc/src.conf, or on the
command line. If you wish to use the -C flag for all installs
you may be able to add INSTALL+=-C to /etc/make.conf or
/etc/src.conf.
20130118:
The install(1) option -M has changed meaning and now takes an
argument that is a file or path to append logs to. In the
unlikely event that -M was the last option on the command line
and the command line contained at least two files and a target
directory the first file will have logs appended to it. The -M
option served little practical purpose in the last decade so its
use is expected to be extremely rare.
20121223:
After switching to Clang as the default compiler some users of ZFS
on i386 systems started to experience stack overflow kernel panics.
Please consider using 'options KSTACK_PAGES=4' in such configurations.
20121222:
GEOM_LABEL now mangles label names read from file system metadata.
Mangling affect labels containing spaces, non-printable characters,
'%' or '"'. Device names in /etc/fstab and other places may need to
be updated.
20121217:
By default, only the 10 most recent kernel dumps will be saved. To
restore the previous behaviour (no limit on the number of kernel dumps
stored in the dump directory) add the following line to /etc/rc.conf:
savecore_flags=""
20121201:
With the addition of auditdistd(8), a new auditdistd user is now
required during installworld. "mergemaster -p" can be used to
add the user prior to installworld, as documented in the handbook.
20121117:
The sin6_scope_id member variable in struct sockaddr_in6 is now
filled by the kernel before passing the structure to the userland via
sysctl or routing socket. This means the KAME-specific embedded scope
id in sin6_addr.s6_addr[2] is always cleared in userland application.
This behavior can be controlled by net.inet6.ip6.deembed_scopeid.
__FreeBSD_version is bumped to 1000025.
20121105:
On i386 and amd64 systems WITH_CLANG_IS_CC is now the default.
This means that the world and kernel will be compiled with clang
and that clang will be installed as /usr/bin/cc, /usr/bin/c++,
and /usr/bin/cpp. To disable this behavior and revert to building
with gcc, compile with WITHOUT_CLANG_IS_CC. Really old versions
of current may need to bootstrap WITHOUT_CLANG first if the clang
build fails (its compatibility window doesn't extend to the 9 stable
branch point).
20121102:
The IPFIREWALL_FORWARD kernel option has been removed. Its
functionality now turned on by default.
20121023:
The ZERO_COPY_SOCKET kernel option has been removed and
split into SOCKET_SEND_COW and SOCKET_RECV_PFLIP.
NB: SOCKET_SEND_COW uses the VM page based copy-on-write
mechanism which is not safe and may result in kernel crashes.
NB: The SOCKET_RECV_PFLIP mechanism is useless as no current
driver supports disposeable external page sized mbuf storage.
Proper replacements for both zero-copy mechanisms are under
consideration and will eventually lead to complete removal
of the two kernel options.
20121023:
The IPv4 network stack has been converted to network byte
order. The following modules need to be recompiled together
with kernel: carp(4), divert(4), gif(4), siftr(4), gre(4),
pf(4), ipfw(4), ng_ipfw(4), stf(4).
20121022:
Support for non-MPSAFE filesystems was removed from VFS. The
VFS_VERSION was bumped, all filesystem modules shall be
recompiled.
20121018:
All the non-MPSAFE filesystems have been disconnected from
the build. The full list includes: codafs, hpfs, ntfs, nwfs,
portalfs, smbfs, xfs.
20121016:
The interface cloning API and ABI has changed. The following
modules need to be recompiled together with kernel:
ipfw(4), pfsync(4), pflog(4), usb(4), wlan(4), stf(4),
vlan(4), disc(4), edsc(4), if_bridge(4), gif(4), tap(4),
faith(4), epair(4), enc(4), tun(4), if_lagg(4), gre(4).
20121015:
The sdhci driver was split in two parts: sdhci (generic SD Host
Controller logic) and sdhci_pci (actual hardware driver).
No kernel config modifications are required, but if you
load sdhc as a module you must switch to sdhci_pci instead.
20121014:
Import the FUSE kernel and userland support into base system.
20121013:
The GNU sort(1) program has been removed since the BSD-licensed
sort(1) has been the default for quite some time and no serious
problems have been reported. The corresponding WITH_GNU_SORT
knob has also gone.
20121006:
The pfil(9) API/ABI for AF_INET family has been changed. Packet
filtering modules: pf(4), ipfw(4), ipfilter(4) need to be recompiled
with new kernel.
20121001:
The net80211(4) ABI has been changed to allow for improved driver
PS-POLL and power-save support. All wireless drivers need to be
recompiled to work with the new kernel.
20120913:
The random(4) support for the VIA hardware random number
generator (`PADLOCK') is no longer enabled unconditionally.
Add the padlock_rng device in the custom kernel config if
needed. The GENERIC kernels on i386 and amd64 do include the
device, so the change only affects the custom kernel
configurations.
20120908:
The pf(4) packet filter ABI has been changed. pfctl(8) and
snmp_pf module need to be recompiled to work with new kernel.
20120828:
A new ZFS feature flag "com.delphix:empty_bpobj" has been merged
to -HEAD. Pools that have empty_bpobj in active state can not be
imported read-write with ZFS implementations that do not support
this feature. For more information read the zpool-features(5)
manual page.
20120727:
The sparc64 ZFS loader has been changed to no longer try to auto-
detect ZFS providers based on diskN aliases but now requires these
to be explicitly listed in the OFW boot-device environment variable.
20120712:
The OpenSSL has been upgraded to 1.0.1c. Any binaries requiring
libcrypto.so.6 or libssl.so.6 must be recompiled. Also, there are
configuration changes. Make sure to merge /etc/ssl/openssl.cnf.
20120712:
The following sysctls and tunables have been renamed for consistency
with other variables:
kern.cam.da.da_send_ordered -> kern.cam.da.send_ordered
kern.cam.ada.ada_send_ordered -> kern.cam.ada.send_ordered
20120628:
The sort utility has been replaced with BSD sort. For now, GNU sort
is also available as "gnusort" or the default can be set back to
GNU sort by setting WITH_GNU_SORT. In this case, BSD sort will be
installed as "bsdsort".
20120611:
A new version of ZFS (pool version 5000) has been merged to -HEAD.
Starting with this version the old system of ZFS pool versioning
is superseded by "feature flags". This concept enables forward
compatibility against certain future changes in functionality of ZFS
pools. The first read-only compatible "feature flag" for ZFS pools
is named "com.delphix:async_destroy". For more information
read the new zpool-features(5) manual page.
Please refer to the "ZFS notes" section of this file for information
on upgrading boot ZFS pools.
20120417:
The malloc(3) implementation embedded in libc now uses sources imported
as contrib/jemalloc. The most disruptive API change is to
/etc/malloc.conf. If your system has an old-style /etc/malloc.conf,
delete it prior to installworld, and optionally re-create it using the
new format after rebooting. See malloc.conf(5) for details
(specifically the TUNING section and the "opt.*" entries in the MALLCTL
NAMESPACE section).
20120328:
Big-endian MIPS TARGET_ARCH values no longer end in "eb". mips64eb
is now spelled mips64. mipsn32eb is now spelled mipsn32. mipseb is
now spelled mips. This is to aid compatibility with third-party
software that expects this naming scheme in uname(3). Little-endian
settings are unchanged. If you are updating a big-endian mips64 machine
from before this change, you may need to set MACHINE_ARCH=mips64 in
your environment before the new build system will recognize your machine.
20120306:
Disable by default the option VFS_ALLOW_NONMPSAFE for all supported
platforms.
20120229:
Now unix domain sockets behave "as expected" on nullfs(5). Previously
nullfs(5) did not pass through all behaviours to the underlying layer,
as a result if we bound to a socket on the lower layer we could connect
only to the lower path; if we bound to the upper layer we could connect
only to the upper path. The new behavior is one can connect to both the
lower and the upper paths regardless what layer path one binds to.
20120211:
The getifaddrs upgrade path broken with 20111215 has been restored.
If you have upgraded in between 20111215 and 20120209 you need to
recompile libc again with your kernel. You still need to recompile
world to be able to configure CARP but this restriction already
comes from 20111215.
20120114:
The set_rcvar() function has been removed from /etc/rc.subr. All
base and ports rc.d scripts have been updated, so if you have a
port installed with a script in /usr/local/etc/rc.d you can either
hand-edit the rcvar= line, or reinstall the port.
An easy way to handle the mass-update of /etc/rc.d:
rm /etc/rc.d/* && mergemaster -i
20120109:
panic(9) now stops other CPUs in the SMP systems, disables interrupts
on the current CPU and prevents other threads from running.
This behavior can be reverted using the kern.stop_scheduler_on_panic
tunable/sysctl.
The new behavior can be incompatible with kern.sync_on_panic.
20111215:
The carp(4) facility has been changed significantly. Configuration
of the CARP protocol via ifconfig(8) has changed, as well as format
of CARP events submitted to devd(8) has changed. See manual pages
for more information. The arpbalance feature of carp(4) is currently
not supported anymore.
Size of struct in_aliasreq, struct in6_aliasreq has changed. User
utilities using SIOCAIFADDR, SIOCAIFADDR_IN6, e.g. ifconfig(8),
need to be recompiled.
20111122:
The acpi_wmi(4) status device /dev/wmistat has been renamed to
/dev/wmistat0.
20111108:
The option VFS_ALLOW_NONMPSAFE option has been added in order to
explicitely support non-MPSAFE filesystems.
It is on by default for all supported platform at this present
time.
20111101:
The broken amd(4) driver has been replaced with esp(4) in the amd64,
i386 and pc98 GENERIC kernel configuration files.
20110930:
sysinstall has been removed
20110923:
The stable/9 branch created in subversion. This corresponds to the
RELENG_9 branch in CVS.
COMMON ITEMS:
General Notes
-------------
Avoid using make -j when upgrading. While generally safe, there are
sometimes problems using -j to upgrade. If your upgrade fails with
-j, please try again without -j. From time to time in the past there
have been problems using -j with buildworld and/or installworld. This
is especially true when upgrading between "distant" versions (eg one
that cross a major release boundary or several minor releases, or when
several months have passed on the -current branch).
Sometimes, obscure build problems are the result of environment
poisoning. This can happen because the make utility reads its
environment when searching for values for global variables. To run
your build attempts in an "environmental clean room", prefix all make
commands with 'env -i '. See the env(1) manual page for more details.
When upgrading from one major version to another it is generally best
to upgrade to the latest code in the currently installed branch first,
then do an upgrade to the new branch. This is the best-tested upgrade
path, and has the highest probability of being successful. Please try
this approach before reporting problems with a major version upgrade.
When upgrading a live system, having a root shell around before
installing anything can help undo problems. Not having a root shell
around can lead to problems if pam has changed too much from your
starting point to allow continued authentication after the upgrade.
This file should be read as a log of events. When a later event changes
information of a prior event, the prior event should not be deleted.
Instead, a pointer to the entry with the new information should be
placed in the old entry. Readers of this file should also sanity check
older entries before relying on them blindly. Authors of new entries
should write them with this in mind.
ZFS notes
---------
When upgrading the boot ZFS pool to a new version, always follow
these two steps:
1.) recompile and reinstall the ZFS boot loader and boot block
(this is part of "make buildworld" and "make installworld")
2.) update the ZFS boot block on your boot drive
The following example updates the ZFS boot block on the first
partition (freebsd-boot) of a GPT partitioned drive ada0:
"gpart bootcode -p /boot/gptzfsboot -i 1 ada0"
Non-boot pools do not need these updates.
To build a kernel
-----------------
If you are updating from a prior version of FreeBSD (even one just
a few days old), you should follow this procedure. It is the most
failsafe as it uses a /usr/obj tree with a fresh mini-buildworld,
make kernel-toolchain
make -DALWAYS_CHECK_MAKE buildkernel KERNCONF=YOUR_KERNEL_HERE
make -DALWAYS_CHECK_MAKE installkernel KERNCONF=YOUR_KERNEL_HERE
To test a kernel once
---------------------
If you just want to boot a kernel once (because you are not sure
if it works, or if you want to boot a known bad kernel to provide
debugging information) run
make installkernel KERNCONF=YOUR_KERNEL_HERE KODIR=/boot/testkernel
nextboot -k testkernel
To just build a kernel when you know that it won't mess you up
--------------------------------------------------------------
This assumes you are already running a CURRENT system. Replace
${arch} with the architecture of your machine (e.g. "i386",
"arm", "amd64", "ia64", "pc98", "sparc64", "powerpc", "mips", etc).
cd src/sys/${arch}/conf
config KERNEL_NAME_HERE
cd ../compile/KERNEL_NAME_HERE
make depend
make
make install
If this fails, go to the "To build a kernel" section.
To rebuild everything and install it on the current system.
-----------------------------------------------------------
# Note: sometimes if you are running current you gotta do more than
# is listed here if you are upgrading from a really old current.
<make sure you have good level 0 dumps>
make buildworld
make kernel KERNCONF=YOUR_KERNEL_HERE
[1]
<reboot in single user> [3]
mergemaster -Fp [5]
make installworld
mergemaster -Fi [4]
make delete-old [6]
<reboot>
To cross-install current onto a separate partition
--------------------------------------------------
# In this approach we use a separate partition to hold
# current's root, 'usr', and 'var' directories. A partition
# holding "/", "/usr" and "/var" should be about 2GB in
# size.
<make sure you have good level 0 dumps>
<boot into -stable>
make buildworld
make buildkernel KERNCONF=YOUR_KERNEL_HERE
<maybe newfs current's root partition>
<mount current's root partition on directory ${CURRENT_ROOT}>
make installworld DESTDIR=${CURRENT_ROOT} -DDB_FROM_SRC
make distribution DESTDIR=${CURRENT_ROOT} # if newfs'd
make installkernel KERNCONF=YOUR_KERNEL_HERE DESTDIR=${CURRENT_ROOT}
cp /etc/fstab ${CURRENT_ROOT}/etc/fstab # if newfs'd
<edit ${CURRENT_ROOT}/etc/fstab to mount "/" from the correct partition>
<reboot into current>
<do a "native" rebuild/install as described in the previous section>
<maybe install compatibility libraries from ports/misc/compat*>
<reboot>
To upgrade in-place from stable to current
----------------------------------------------
<make sure you have good level 0 dumps>
make buildworld [9]
make kernel KERNCONF=YOUR_KERNEL_HERE [8]
[1]
<reboot in single user> [3]
mergemaster -Fp [5]
make installworld
mergemaster -Fi [4]
make delete-old [6]
<reboot>
Make sure that you've read the UPDATING file to understand the
tweaks to various things you need. At this point in the life
cycle of current, things change often and you are on your own
to cope. The defaults can also change, so please read ALL of
the UPDATING entries.
Also, if you are tracking -current, you must be subscribed to
freebsd-current@freebsd.org. Make sure that before you update
your sources that you have read and understood all the recent
messages there. If in doubt, please track -stable which has
much fewer pitfalls.
[1] If you have third party modules, such as vmware, you
should disable them at this point so they don't crash your
system on reboot.
[3] From the bootblocks, boot -s, and then do
fsck -p
mount -u /
mount -a
cd src
adjkerntz -i # if CMOS is wall time
Also, when doing a major release upgrade, it is required that
you boot into single user mode to do the installworld.
[4] Note: This step is non-optional. Failure to do this step
can result in a significant reduction in the functionality of the
system. Attempting to do it by hand is not recommended and those
that pursue this avenue should read this file carefully, as well
as the archives of freebsd-current and freebsd-hackers mailing lists
for potential gotchas. The -U option is also useful to consider.
See mergemaster(8) for more information.
[5] Usually this step is a noop. However, from time to time
you may need to do this if you get unknown user in the following
step. It never hurts to do it all the time. You may need to
install a new mergemaster (cd src/usr.sbin/mergemaster && make
install) after the buildworld before this step if you last updated
from current before 20130425 or from -stable before 20130430.
[6] This only deletes old files and directories. Old libraries
can be deleted by "make delete-old-libs", but you have to make
sure that no program is using those libraries anymore.
[8] The new kernel must be able to run existing binaries used by
an installworld. When upgrading across major versions, the new
kernel's configuration must include the correct COMPAT_FREEBSD<n>
option for existing binaries (e.g. COMPAT_FREEBSD11 to run 11.x
binaries). Failure to do so may leave you with a system that is
hard to boot to recover. A GENERIC kernel will include suitable
compatibility options to run binaries from older branches.
Make sure that you merge any new devices from GENERIC since the
last time you updated your kernel config file.
[9] When checking out sources, you must include the -P flag to have
cvs prune empty directories.
If CPUTYPE is defined in your /etc/make.conf, make sure to use the
"?=" instead of the "=" assignment operator, so that buildworld can
override the CPUTYPE if it needs to.
MAKEOBJDIRPREFIX must be defined in an environment variable, and
not on the command line, or in /etc/make.conf. buildworld will
warn if it is improperly defined.
FORMAT:
This file contains a list, in reverse chronological order, of major
breakages in tracking -current. It is not guaranteed to be a complete
list of such breakages, and only contains entries since September 23, 2011.
If you need to see UPDATING entries from before that date, you will need
to fetch an UPDATING file from an older FreeBSD release.
Copyright information:
Copyright 1998-2009 M. Warner Losh. All Rights Reserved.
Redistribution, publication, translation and use, with or without
modification, in full or in part, in any form or format of this
document are permitted without further permission from the author.
THIS DOCUMENT IS PROVIDED BY WARNER LOSH ``AS IS'' AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL WARNER LOSH BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
Contact Warner Losh if you have any questions about your use of
this document.
$FreeBSD$
Index: stable/11/share/man/man4/carp.4
===================================================================
--- stable/11/share/man/man4/carp.4 (revision 346754)
+++ stable/11/share/man/man4/carp.4 (revision 346755)
@@ -1,323 +1,329 @@
.\" $OpenBSD: carp.4,v 1.16 2004/12/07 23:41:35 jmc Exp $
.\"
.\" Copyright (c) 2003, Ryan McBride. All rights reserved.
.\" Copyright (c) 2011, Gleb Smirnoff <glebius@FreeBSD.org>
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
-.Dd February 21, 2013
+.Dd July 1, 2018
.Dt CARP 4
.Os
.Sh NAME
.Nm carp
.Nd Common Address Redundancy Protocol
.Sh SYNOPSIS
.Cd "device carp"
.Sh DESCRIPTION
The CARP allows multiple hosts on the same local network to share a set of
IPv4 and/or IPv6 addresses.
Its primary purpose is to ensure that these
addresses are always available.
.Pp
To use
.Nm ,
the administrator needs to configure at a minimum a common virtual host ID
(vhid), and attach at least one IP address to this vhid on each machine which
is to take part in the virtual group.
Additional parameters can also be set on a per-vhid basis:
.Cm advbase
and
.Cm advskew ,
which are used to control how frequently the host sends advertisements when it
is the master for a virtual host, and
.Cm pass
which is used to authenticate
.Nm
advertisements.
The
.Cm advbase
parameter stands for
.Dq "advertisement base" .
It is measured in seconds and specifies the base of the advertisement interval.
The
.Cm advskew
parameter stands for
.Dq "advertisement skew" .
It is measured in 1/256 of seconds.
It is added to the base advertisement interval to make one host advertise
a bit slower that the other does.
Both
.Cm advbase
and
.Cm advskew
are put inside CARP advertisements.
These values can be configured using
.Xr ifconfig 8 ,
or through the
.Dv SIOCSVH
.Xr ioctl 2 .
.Pp
CARP virtual hosts can be configured on multicast-capable interfaces: Ethernet,
layer 2 VLAN, FDDI and Token Ring.
An arbitrary number of virtual host IDs can be configured on an interface.
An arbitrary number of IPv4 or IPv6 addresses can be attached to a particular
vhid.
It is important that all hosts participating in a vhid have the same list
of prefixes configured on the vhid, since all prefixes are included in the
cryptographic checksum supplied in each advertisement.
Multiple vhids running on one interface participate in master/backup
elections independently.
.Pp
Additionally, there are a number of global parameters which can be set using
.Xr sysctl 8 :
.Bl -tag -width ".Va net.inet.carp.ifdown_demotion_factor"
.It Va net.inet.carp.allow
Accept incoming
.Nm
packets.
Enabled by default.
.It Va net.inet.carp.preempt
Allow virtual hosts to preempt each other.
When enabled, a vhid in a backup state would preempt a master that
is announcing itself with a lower advskew.
Disabled by default.
+.It Va net.inet.carp.dscp
+DSCP value in carp packet.
+Valid Values are 0 to 63.
+A value of 4 is equivalent to the old standard of TOS LOW_DELAY.
+TOS values were deprecated and replaced by DSCP in 1998.
+The default value is 56 (CS7/Network Control).
.It Va net.inet.carp.log
Determines what events relating to
.Nm
vhids are logged.
A value of 0 disables any logging.
A value of 1 enables logging state changes of
.Nm
vhids.
Values above 1 enable logging of bad
.Nm
packets.
The default value is 1.
.It Va net.inet.carp.demotion
This value shows current level of CARP demotion.
The value is added to the actual advskew sent in announcements for
all vhids.
At normal system operation the demotion factor is zero.
However, problematic conditions raise its level: when
.Nm
experiences problem with sending announcements, when an interface
running a vhid goes down, or while the
.Xr pfsync 4
interface is not synchronized.
The demotion factor can be adjusted writing to the sysctl oid.
The signed value supplied to the
.Xr sysctl 8
command is added to current demotion factor.
This allows to control
.Nm
behaviour depending on some external conditions, for example on the status
of some daemon utility.
.It Va net.inet.carp.ifdown_demotion_factor
This value is added to
.Va net.inet.carp.demotion
when an interface running a vhid goes down.
The default value is 240 (the maximum advskew value).
.It Va net.inet.carp.senderr_demotion_factor
This value is added to
.Va net.inet.carp.demotion
when
.Nm
experiences errors sending its announcements.
The default value is 240 (the maximum advskew value).
.El
.\".Sh ARP level load balancing
.\"A
.\".Nm
.\"interface has limited abilities for load balancing incoming connections
.\"between hosts in an Ethernet network.
.\"For load-balancing operation, one needs several CARP interfaces that
.\"are configured to the same IP address, but to a different vhids.
.\"Once an ARP request is received, the CARP protocol will use a hashing
.\"function against the source IP address in the ARP request to determine
.\"which vhid the request will be assigned to.
.\"If the corresponding CARP interface is the current
.\"master interface, a reply will
.\"be sent to the ARP request;
.\"otherwise it will be ignored.
.\"See the
.\".Sx EXAMPLES
.\"section for a practical example of load balancing.
.\".Pp
.\"The ARP load balancing implemented in
.\".Nm
.\"has some limitations.
.\"First, ARP balancing only works on the local network segment.
.\"It cannot balance traffic that crosses a router, because the
.\"router itself will always be balanced to the same virtual host.
.\"Second, ARP load balancing can lead to asymmetric routing
.\"of incoming and outgoing traffic, and thus combining it with
.\".Xr pfsync 4
.\"is dangerous, because this creates a race condition between
.\"balanced routers and a host they are serving.
.\"Imagine an incoming packet creating state on the first router, being
.\"forwarded to its destination, and the destination replying faster
.\"than the state information is packed and synced with the second router.
.\"If the reply would be load balanced to second router, it will be
.\"dropped since the second router has not yet received information about
.\"the connection state.
.Sh STATE CHANGE NOTIFICATIONS
Sometimes it is useful to get notified about
.Nm
status change events.
This can be accomplished by using
.Xr devd 8
hooks.
Master/slave events are signalled under system
.Dv CARP .
The subsystem specifies the vhid and name of the interface where
the master/slave event occurred.
The type of the message displays the new state of the vhid.
Please see
.Xr devd.conf 5
and the
.Sx EXAMPLES
section for more information.
.Sh EXAMPLES
For firewalls and routers with multiple interfaces, it is desirable to
failover all of the addresses running
.Nm
together, when one of the physical interfaces goes down.
This is achieved by the use of the preempt option.
Enable it on both hosts A and B:
.Pp
.Dl sysctl net.inet.carp.preempt=1
.Pp
Assume that host A is the preferred master and we are running the
192.168.1.0/24 prefix on em0 and 192.168.2.0/24 on em1.
This is the setup for host A (advskew is above 0 so it could be overwritten
in the emergency situation from the other host):
.Bd -literal -offset indent
ifconfig em0 vhid 1 advskew 100 pass mekmitasdigoat 192.168.1.1/24
ifconfig em1 vhid 2 advskew 100 pass mekmitasdigoat 192.168.2.1/24
.Ed
.Pp
The setup for host B is identical, but it has a higher
.Cm advskew :
.Bd -literal -offset indent
ifconfig em0 vhid 1 advskew 200 pass mekmitasdigoat 192.168.1.1/24
ifconfig em1 vhid 2 advskew 200 pass mekmitasdigoat 192.168.2.1/24
.Ed
.Pp
When one of the physical interfaces of host A fails,
.Cm advskew
is demoted to a configured value on all its
.Nm
vhids.
Due to the preempt option, host B would start announcing itself, and thus
preempt host A on both interfaces instead of just the failed one.
.\".Pp
.\"In order to set up an ARP balanced virtual host, it is necessary to configure
.\"one virtual host for each physical host which would respond to ARP requests
.\"and thus handle the traffic.
.\"In the following example, two virtual hosts are configured on two hosts to
.\"provide balancing and failover for the IP address 192.168.1.10.
.\".Pp
.\"First the
.\".Nm
.\"interfaces on host A are configured.
.\"The
.\".Cm advskew
.\"of 100 on the second virtual host means that its advertisements will be sent
.\"out slightly less frequently.
.\".Bd -literal -offset indent
.\"ifconfig carp0 create
.\"ifconfig carp0 vhid 1 advskew 100 pass mekmitasdigoat 192.168.1.10/24
.\"ifconfig carp1 create
.\"ifconfig carp1 vhid 2 advskew 200 pass mekmitasdigoat 192.168.1.10/24
.\".Ed
.\".Pp
.\"The configuration for host B is identical, except the
.\".Cm advskew
.\"is on virtual host 1 rather than virtual host 2.
.\".Bd -literal -offset indent
.\"ifconfig carp0 create
.\"ifconfig carp0 vhid 1 advskew 200 pass mekmitasdigoat 192.168.1.10/24
.\"ifconfig carp1 create
.\"ifconfig carp1 vhid 2 advskew 100 pass mekmitasdigoat 192.168.1.10/24
.\".Ed
.\".Pp
.\"Finally, the ARP balancing feature must be enabled on both hosts:
.\".Pp
.\".Dl sysctl net.inet.carp.arpbalance=1
.\".Pp
.\"When the hosts receive an ARP request for 192.168.1.10, the source IP address
.\"of the request is used to compute which virtual host should answer the request.
.\"The host which is master of the selected virtual host will reply to the
.\"request, the other(s) will ignore it.
.\".Pp
.\"This way, locally connected systems will receive different ARP replies and
.\"subsequent IP traffic will be balanced among the hosts.
.\"If one of the hosts fails, the other will take over the virtual MAC address,
.\"and begin answering ARP requests on its behalf.
.Pp
Processing of
.Nm
status change events can be set up by using the following devd.conf rule:
.Bd -literal -offset indent
notify 0 {
match "system" "CARP";
match "subsystem" "[0-9]+@[0-9a-z]+";
match "type" "(MASTER|BACKUP)";
action "/root/carpcontrol.sh $subsystem $type";
};
.Ed
.Pp
To see
.Nm
packets decoded in
.Xr tcpdump 1
output, one needs to specify
.Fl T Ar carp
option, otherwise
.Xr tcpdump 1
tries to interpret them as VRRP packets:
.Bd -literal -offset indent
tcpdump -npi vlan0 -T carp
.Ed
.Sh SEE ALSO
.Xr tcpdump 1 ,
.Xr inet 4 ,
.Xr pfsync 4 ,
.Xr devd.conf 5 ,
.Xr rc.conf 5 ,
.Xr ifconfig 8 ,
.Xr sysctl 8
.Sh HISTORY
The
.Nm
device first appeared in
.Ox 3.5 .
The
.Nm
device was imported into
.Fx 5.4 .
In
.Fx 10.0 ,
.Nm
was significantly rewritten, and is no longer a pseudo-interface.
Index: stable/11/sys/netinet/ip.h
===================================================================
--- stable/11/sys/netinet/ip.h (revision 346754)
+++ stable/11/sys/netinet/ip.h (revision 346755)
@@ -1,222 +1,227 @@
/*-
* Copyright (c) 1982, 1986, 1993
* The Regents of the University of California.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)ip.h 8.2 (Berkeley) 6/1/94
* $FreeBSD$
*/
#ifndef _NETINET_IP_H_
#define _NETINET_IP_H_
#include <sys/cdefs.h>
/*
* Definitions for internet protocol version 4.
*
* Per RFC 791, September 1981.
*/
#define IPVERSION 4
/*
* Structure of an internet header, naked of options.
*/
struct ip {
#if BYTE_ORDER == LITTLE_ENDIAN
u_char ip_hl:4, /* header length */
ip_v:4; /* version */
#endif
#if BYTE_ORDER == BIG_ENDIAN
u_char ip_v:4, /* version */
ip_hl:4; /* header length */
#endif
u_char ip_tos; /* type of service */
u_short ip_len; /* total length */
u_short ip_id; /* identification */
u_short ip_off; /* fragment offset field */
#define IP_RF 0x8000 /* reserved fragment flag */
#define IP_DF 0x4000 /* dont fragment flag */
#define IP_MF 0x2000 /* more fragments flag */
#define IP_OFFMASK 0x1fff /* mask for fragmenting bits */
u_char ip_ttl; /* time to live */
u_char ip_p; /* protocol */
u_short ip_sum; /* checksum */
struct in_addr ip_src,ip_dst; /* source and dest address */
} __packed __aligned(2);
#define IP_MAXPACKET 65535 /* maximum packet size */
/*
* Definitions for IP type of service (ip_tos).
*/
#define IPTOS_LOWDELAY 0x10
#define IPTOS_THROUGHPUT 0x08
#define IPTOS_RELIABILITY 0x04
#define IPTOS_MINCOST 0x02
/*
* Definitions for IP precedence (also in ip_tos) (deprecated).
*/
#define IPTOS_PREC_NETCONTROL IPTOS_DSCP_CS7
#define IPTOS_PREC_INTERNETCONTROL IPTOS_DSCP_CS6
#define IPTOS_PREC_CRITIC_ECP IPTOS_DSCP_CS5
#define IPTOS_PREC_FLASHOVERRIDE IPTOS_DSCP_CS4
#define IPTOS_PREC_FLASH IPTOS_DSCP_CS3
#define IPTOS_PREC_IMMEDIATE IPTOS_DSCP_CS2
#define IPTOS_PREC_PRIORITY IPTOS_DSCP_CS1
#define IPTOS_PREC_ROUTINE IPTOS_DSCP_CS0
/*
+ * Offset of Diffserv decimal value to convert it to tos value .
+ */
+#define IPTOS_DSCP_OFFSET 2
+
+/*
* Definitions for DiffServ Codepoints as per RFC2474 and RFC5865.
*/
#define IPTOS_DSCP_CS0 0x00
#define IPTOS_DSCP_CS1 0x20
#define IPTOS_DSCP_AF11 0x28
#define IPTOS_DSCP_AF12 0x30
#define IPTOS_DSCP_AF13 0x38
#define IPTOS_DSCP_CS2 0x40
#define IPTOS_DSCP_AF21 0x48
#define IPTOS_DSCP_AF22 0x50
#define IPTOS_DSCP_AF23 0x58
#define IPTOS_DSCP_CS3 0x60
#define IPTOS_DSCP_AF31 0x68
#define IPTOS_DSCP_AF32 0x70
#define IPTOS_DSCP_AF33 0x78
#define IPTOS_DSCP_CS4 0x80
#define IPTOS_DSCP_AF41 0x88
#define IPTOS_DSCP_AF42 0x90
#define IPTOS_DSCP_AF43 0x98
#define IPTOS_DSCP_CS5 0xa0
#define IPTOS_DSCP_VA 0xb0
#define IPTOS_DSCP_EF 0xb8
#define IPTOS_DSCP_CS6 0xc0
#define IPTOS_DSCP_CS7 0xe0
/*
* ECN (Explicit Congestion Notification) codepoints in RFC3168 mapped to the
* lower 2 bits of the TOS field.
*/
#define IPTOS_ECN_NOTECT 0x00 /* not-ECT */
#define IPTOS_ECN_ECT1 0x01 /* ECN-capable transport (1) */
#define IPTOS_ECN_ECT0 0x02 /* ECN-capable transport (0) */
#define IPTOS_ECN_CE 0x03 /* congestion experienced */
#define IPTOS_ECN_MASK 0x03 /* ECN field mask */
/*
* Definitions for options.
*/
#define IPOPT_COPIED(o) ((o)&0x80)
#define IPOPT_CLASS(o) ((o)&0x60)
#define IPOPT_NUMBER(o) ((o)&0x1f)
#define IPOPT_CONTROL 0x00
#define IPOPT_RESERVED1 0x20
#define IPOPT_DEBMEAS 0x40
#define IPOPT_RESERVED2 0x60
#define IPOPT_EOL 0 /* end of option list */
#define IPOPT_NOP 1 /* no operation */
#define IPOPT_RR 7 /* record packet route */
#define IPOPT_TS 68 /* timestamp */
#define IPOPT_SECURITY 130 /* provide s,c,h,tcc */
#define IPOPT_LSRR 131 /* loose source route */
#define IPOPT_ESO 133 /* extended security */
#define IPOPT_CIPSO 134 /* commercial security */
#define IPOPT_SATID 136 /* satnet id */
#define IPOPT_SSRR 137 /* strict source route */
#define IPOPT_RA 148 /* router alert */
/*
* Offsets to fields in options other than EOL and NOP.
*/
#define IPOPT_OPTVAL 0 /* option ID */
#define IPOPT_OLEN 1 /* option length */
#define IPOPT_OFFSET 2 /* offset within option */
#define IPOPT_MINOFF 4 /* min value of above */
/*
* Time stamp option structure.
*/
struct ip_timestamp {
u_char ipt_code; /* IPOPT_TS */
u_char ipt_len; /* size of structure (variable) */
u_char ipt_ptr; /* index of current entry */
#if BYTE_ORDER == LITTLE_ENDIAN
u_char ipt_flg:4, /* flags, see below */
ipt_oflw:4; /* overflow counter */
#endif
#if BYTE_ORDER == BIG_ENDIAN
u_char ipt_oflw:4, /* overflow counter */
ipt_flg:4; /* flags, see below */
#endif
union ipt_timestamp {
uint32_t ipt_time[1]; /* network format */
struct ipt_ta {
struct in_addr ipt_addr;
uint32_t ipt_time; /* network format */
} ipt_ta[1];
} ipt_timestamp;
};
/* Flag bits for ipt_flg. */
#define IPOPT_TS_TSONLY 0 /* timestamps only */
#define IPOPT_TS_TSANDADDR 1 /* timestamps and addresses */
#define IPOPT_TS_PRESPEC 3 /* specified modules only */
/* Bits for security (not byte swapped). */
#define IPOPT_SECUR_UNCLASS 0x0000
#define IPOPT_SECUR_CONFID 0xf135
#define IPOPT_SECUR_EFTO 0x789a
#define IPOPT_SECUR_MMMM 0xbc4d
#define IPOPT_SECUR_RESTR 0xaf13
#define IPOPT_SECUR_SECRET 0xd788
#define IPOPT_SECUR_TOPSECRET 0x6bc5
/*
* Internet implementation parameters.
*/
#define MAXTTL 255 /* maximum time to live (seconds) */
#define IPDEFTTL 64 /* default ttl, from RFC 1340 */
#define IPFRAGTTL 60 /* time to live for frags, slowhz */
#define IPTTLDEC 1 /* subtracted when forwarding */
#define IP_MSS 576 /* default maximum segment size */
/*
* This is the real IPv4 pseudo header, used for computing the TCP and UDP
* checksums. For the Internet checksum, struct ipovly can be used instead.
* For stronger checksums, the real thing must be used.
*/
struct ippseudo {
struct in_addr ippseudo_src; /* source internet address */
struct in_addr ippseudo_dst; /* destination internet address */
u_char ippseudo_pad; /* pad, must be zero */
u_char ippseudo_p; /* protocol */
u_short ippseudo_len; /* protocol length */
};
#endif
Index: stable/11/sys/netinet/ip6.h
===================================================================
--- stable/11/sys/netinet/ip6.h (revision 346754)
+++ stable/11/sys/netinet/ip6.h (revision 346755)
@@ -1,346 +1,347 @@
/* $FreeBSD$ */
/* $KAME: ip6.h,v 1.18 2001/03/29 05:34:30 itojun Exp $ */
/*-
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*-
* Copyright (c) 1982, 1986, 1993
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)ip.h 8.1 (Berkeley) 6/10/93
*/
#ifndef _NETINET_IP6_H_
#define _NETINET_IP6_H_
/*
* Definition for internet protocol version 6.
* RFC 2460
*/
struct ip6_hdr {
union {
struct ip6_hdrctl {
u_int32_t ip6_un1_flow; /* 20 bits of flow-ID */
u_int16_t ip6_un1_plen; /* payload length */
u_int8_t ip6_un1_nxt; /* next header */
u_int8_t ip6_un1_hlim; /* hop limit */
} ip6_un1;
u_int8_t ip6_un2_vfc; /* 4 bits version, top 4 bits class */
} ip6_ctlun;
struct in6_addr ip6_src; /* source address */
struct in6_addr ip6_dst; /* destination address */
} __packed;
#define ip6_vfc ip6_ctlun.ip6_un2_vfc
#define ip6_flow ip6_ctlun.ip6_un1.ip6_un1_flow
#define ip6_plen ip6_ctlun.ip6_un1.ip6_un1_plen
#define ip6_nxt ip6_ctlun.ip6_un1.ip6_un1_nxt
#define ip6_hlim ip6_ctlun.ip6_un1.ip6_un1_hlim
#define ip6_hops ip6_ctlun.ip6_un1.ip6_un1_hlim
#define IPV6_VERSION 0x60
#define IPV6_VERSION_MASK 0xf0
#if BYTE_ORDER == BIG_ENDIAN
#define IPV6_FLOWINFO_MASK 0x0fffffff /* flow info (28 bits) */
#define IPV6_FLOWLABEL_MASK 0x000fffff /* flow label (20 bits) */
#else
#if BYTE_ORDER == LITTLE_ENDIAN
#define IPV6_FLOWINFO_MASK 0xffffff0f /* flow info (28 bits) */
#define IPV6_FLOWLABEL_MASK 0xffff0f00 /* flow label (20 bits) */
#endif /* LITTLE_ENDIAN */
#endif
+#define IPV6_FLOWLABEL_LEN 20
#if 1
/* ECN bits proposed by Sally Floyd */
#define IP6TOS_CE 0x01 /* congestion experienced */
#define IP6TOS_ECT 0x02 /* ECN-capable transport */
#endif
/*
* Extension Headers
*/
struct ip6_ext {
u_int8_t ip6e_nxt;
u_int8_t ip6e_len;
} __packed;
/* Hop-by-Hop options header */
/* XXX should we pad it to force alignment on an 8-byte boundary? */
struct ip6_hbh {
u_int8_t ip6h_nxt; /* next header */
u_int8_t ip6h_len; /* length in units of 8 octets */
/* followed by options */
} __packed;
/* Destination options header */
/* XXX should we pad it to force alignment on an 8-byte boundary? */
struct ip6_dest {
u_int8_t ip6d_nxt; /* next header */
u_int8_t ip6d_len; /* length in units of 8 octets */
/* followed by options */
} __packed;
/* Option types and related macros */
#define IP6OPT_PAD1 0x00 /* 00 0 00000 */
#define IP6OPT_PADN 0x01 /* 00 0 00001 */
#define IP6OPT_JUMBO 0xC2 /* 11 0 00010 = 194 */
#define IP6OPT_NSAP_ADDR 0xC3 /* 11 0 00011 */
#define IP6OPT_TUNNEL_LIMIT 0x04 /* 00 0 00100 */
#ifndef _KERNEL
#define IP6OPT_RTALERT 0x05 /* 00 0 00101 (KAME definition) */
#endif
#define IP6OPT_ROUTER_ALERT 0x05 /* 00 0 00101 (RFC3542, recommended) */
#define IP6OPT_RTALERT_LEN 4
#define IP6OPT_RTALERT_MLD 0 /* Datagram contains an MLD message */
#define IP6OPT_RTALERT_RSVP 1 /* Datagram contains an RSVP message */
#define IP6OPT_RTALERT_ACTNET 2 /* contains an Active Networks msg */
#define IP6OPT_MINLEN 2
#define IP6OPT_EID 0x8a /* 10 0 01010 */
#define IP6OPT_TYPE(o) ((o) & 0xC0)
#define IP6OPT_TYPE_SKIP 0x00
#define IP6OPT_TYPE_DISCARD 0x40
#define IP6OPT_TYPE_FORCEICMP 0x80
#define IP6OPT_TYPE_ICMP 0xC0
#define IP6OPT_MUTABLE 0x20
/* IPv6 options: common part */
struct ip6_opt {
u_int8_t ip6o_type;
u_int8_t ip6o_len;
} __packed;
/* Jumbo Payload Option */
struct ip6_opt_jumbo {
u_int8_t ip6oj_type;
u_int8_t ip6oj_len;
u_int8_t ip6oj_jumbo_len[4];
} __packed;
#define IP6OPT_JUMBO_LEN 6
/* NSAP Address Option */
struct ip6_opt_nsap {
u_int8_t ip6on_type;
u_int8_t ip6on_len;
u_int8_t ip6on_src_nsap_len;
u_int8_t ip6on_dst_nsap_len;
/* followed by source NSAP */
/* followed by destination NSAP */
} __packed;
/* Tunnel Limit Option */
struct ip6_opt_tunnel {
u_int8_t ip6ot_type;
u_int8_t ip6ot_len;
u_int8_t ip6ot_encap_limit;
} __packed;
/* Router Alert Option */
struct ip6_opt_router {
u_int8_t ip6or_type;
u_int8_t ip6or_len;
u_int8_t ip6or_value[2];
} __packed;
/* Router alert values (in network byte order) */
#if BYTE_ORDER == BIG_ENDIAN
#define IP6_ALERT_MLD 0x0000
#define IP6_ALERT_RSVP 0x0001
#define IP6_ALERT_AN 0x0002
#else
#if BYTE_ORDER == LITTLE_ENDIAN
#define IP6_ALERT_MLD 0x0000
#define IP6_ALERT_RSVP 0x0100
#define IP6_ALERT_AN 0x0200
#endif /* LITTLE_ENDIAN */
#endif
/* Routing header */
struct ip6_rthdr {
u_int8_t ip6r_nxt; /* next header */
u_int8_t ip6r_len; /* length in units of 8 octets */
u_int8_t ip6r_type; /* routing type */
u_int8_t ip6r_segleft; /* segments left */
/* followed by routing type specific data */
} __packed;
/* Type 0 Routing header, deprecated by RFC 5095. */
struct ip6_rthdr0 {
u_int8_t ip6r0_nxt; /* next header */
u_int8_t ip6r0_len; /* length in units of 8 octets */
u_int8_t ip6r0_type; /* always zero */
u_int8_t ip6r0_segleft; /* segments left */
u_int32_t ip6r0_reserved; /* reserved field */
/* followed by up to 127 struct in6_addr */
} __packed;
/* Fragment header */
struct ip6_frag {
u_int8_t ip6f_nxt; /* next header */
u_int8_t ip6f_reserved; /* reserved field */
u_int16_t ip6f_offlg; /* offset, reserved, and flag */
u_int32_t ip6f_ident; /* identification */
} __packed;
#if BYTE_ORDER == BIG_ENDIAN
#define IP6F_OFF_MASK 0xfff8 /* mask out offset from _offlg */
#define IP6F_RESERVED_MASK 0x0006 /* reserved bits in ip6f_offlg */
#define IP6F_MORE_FRAG 0x0001 /* more-fragments flag */
#else /* BYTE_ORDER == LITTLE_ENDIAN */
#define IP6F_OFF_MASK 0xf8ff /* mask out offset from _offlg */
#define IP6F_RESERVED_MASK 0x0600 /* reserved bits in ip6f_offlg */
#define IP6F_MORE_FRAG 0x0100 /* more-fragments flag */
#endif /* BYTE_ORDER == LITTLE_ENDIAN */
/*
* Internet implementation parameters.
*/
#define IPV6_MAXHLIM 255 /* maximum hoplimit */
#define IPV6_DEFHLIM 64 /* default hlim */
#define IPV6_FRAGTTL 120 /* ttl for fragment packets, in slowtimo tick */
#define IPV6_HLIMDEC 1 /* subtracted when forwarding */
#define IPV6_MMTU 1280 /* minimal MTU and reassembly. 1024 + 256 */
#define IPV6_MAXPACKET 65535 /* ip6 max packet size without Jumbo payload*/
#define IPV6_MAXOPTHDR 2048 /* max option header size, 256 64-bit words */
#ifdef _KERNEL
/*
* IP6_EXTHDR_CHECK ensures that region between the IP6 header and the
* target header (including IPv6 itself, extension headers and
* TCP/UDP/ICMP6 headers) are contiguous. KAME requires drivers
* to store incoming data into one internal mbuf or one or more external
* mbufs(never into two or more internal mbufs). Thus, the third case is
* supposed to never be matched but is prepared just in case.
*/
#define IP6_EXTHDR_CHECK(m, off, hlen, ret) \
do { \
if ((m)->m_next != NULL) { \
if (((m)->m_flags & M_LOOP) && \
((m)->m_len < (off) + (hlen)) && \
(((m) = m_pullup((m), (off) + (hlen))) == NULL)) { \
IP6STAT_INC(ip6s_exthdrtoolong); \
return ret; \
} else { \
if ((m)->m_len < (off) + (hlen)) { \
IP6STAT_INC(ip6s_exthdrtoolong); \
m_freem(m); \
return ret; \
} \
} \
} else { \
if ((m)->m_len < (off) + (hlen)) { \
IP6STAT_INC(ip6s_tooshort); \
in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated); \
m_freem(m); \
return ret; \
} \
} \
} while (/*CONSTCOND*/ 0)
/*
* IP6_EXTHDR_GET ensures that intermediate protocol header (from "off" to
* "len") is located in single mbuf, on contiguous memory region.
* The pointer to the region will be returned to pointer variable "val",
* with type "typ".
* IP6_EXTHDR_GET0 does the same, except that it aligns the structure at the
* very top of mbuf. GET0 is likely to make memory copy than GET.
*
* XXX we're now testing this, needs m_pulldown()
*/
#define IP6_EXTHDR_GET(val, typ, m, off, len) \
do { \
struct mbuf *t; \
int tmp; \
if ((m)->m_len >= (off) + (len)) \
(val) = (typ)(mtod((m), caddr_t) + (off)); \
else { \
t = m_pulldown((m), (off), (len), &tmp); \
if (t) { \
if (t->m_len < tmp + (len)) \
panic("m_pulldown malfunction"); \
(val) = (typ)(mtod(t, caddr_t) + tmp); \
} else { \
(val) = (typ)NULL; \
(m) = NULL; \
} \
} \
} while (/*CONSTCOND*/ 0)
#define IP6_EXTHDR_GET0(val, typ, m, off, len) \
do { \
struct mbuf *t; \
if ((off) == 0) \
(val) = (typ)mtod(m, caddr_t); \
else { \
t = m_pulldown((m), (off), (len), NULL); \
if (t) { \
if (t->m_len < (len)) \
panic("m_pulldown malfunction"); \
(val) = (typ)mtod(t, caddr_t); \
} else { \
(val) = (typ)NULL; \
(m) = NULL; \
} \
} \
} while (/*CONSTCOND*/ 0)
#endif /*_KERNEL*/
#endif /* not _NETINET_IP6_H_ */
Index: stable/11/sys/netinet/ip_carp.c
===================================================================
--- stable/11/sys/netinet/ip_carp.c (revision 346754)
+++ stable/11/sys/netinet/ip_carp.c (revision 346755)
@@ -1,2168 +1,2198 @@
/*-
* Copyright (c) 2002 Michael Shalayeff.
* Copyright (c) 2003 Ryan McBride.
* Copyright (c) 2011 Gleb Smirnoff <glebius@FreeBSD.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT,
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
* THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include "opt_bpf.h"
#include "opt_inet.h"
#include "opt_inet6.h"
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/bus.h>
#include <sys/jail.h>
#include <sys/kernel.h>
#include <sys/limits.h>
#include <sys/malloc.h>
#include <sys/mbuf.h>
#include <sys/module.h>
#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/protosw.h>
#include <sys/socket.h>
#include <sys/sockio.h>
#include <sys/sysctl.h>
#include <sys/syslog.h>
#include <sys/taskqueue.h>
#include <sys/counter.h>
#include <net/ethernet.h>
#include <net/fddi.h>
#include <net/if.h>
#include <net/if_var.h>
#include <net/if_dl.h>
#include <net/if_llatbl.h>
#include <net/if_types.h>
#include <net/iso88025.h>
#include <net/route.h>
#include <net/vnet.h>
#if defined(INET) || defined(INET6)
#include <netinet/in.h>
#include <netinet/in_var.h>
#include <netinet/ip_carp.h>
#include <netinet/ip.h>
#include <machine/in_cksum.h>
#endif
#ifdef INET
#include <netinet/ip_var.h>
#include <netinet/if_ether.h>
#endif
#ifdef INET6
#include <netinet/icmp6.h>
#include <netinet/ip6.h>
#include <netinet6/in6_var.h>
#include <netinet6/ip6_var.h>
#include <netinet6/scope6_var.h>
#include <netinet6/nd6.h>
#endif
#include <crypto/sha1.h>
static MALLOC_DEFINE(M_CARP, "CARP", "CARP addresses");
struct carp_softc {
struct ifnet *sc_carpdev; /* Pointer to parent ifnet. */
struct ifaddr **sc_ifas; /* Our ifaddrs. */
struct sockaddr_dl sc_addr; /* Our link level address. */
struct callout sc_ad_tmo; /* Advertising timeout. */
#ifdef INET
struct callout sc_md_tmo; /* Master down timeout. */
#endif
#ifdef INET6
struct callout sc_md6_tmo; /* XXX: Master down timeout. */
#endif
struct mtx sc_mtx;
int sc_vhid;
int sc_advskew;
int sc_advbase;
int sc_naddrs;
int sc_naddrs6;
int sc_ifasiz;
enum { INIT = 0, BACKUP, MASTER } sc_state;
int sc_suppress;
int sc_sendad_errors;
#define CARP_SENDAD_MAX_ERRORS 3
int sc_sendad_success;
#define CARP_SENDAD_MIN_SUCCESS 3
int sc_init_counter;
uint64_t sc_counter;
/* authentication */
#define CARP_HMAC_PAD 64
unsigned char sc_key[CARP_KEY_LEN];
unsigned char sc_pad[CARP_HMAC_PAD];
SHA1_CTX sc_sha1;
TAILQ_ENTRY(carp_softc) sc_list; /* On the carp_if list. */
LIST_ENTRY(carp_softc) sc_next; /* On the global list. */
};
struct carp_if {
#ifdef INET
int cif_naddrs;
#endif
#ifdef INET6
int cif_naddrs6;
#endif
TAILQ_HEAD(, carp_softc) cif_vrs;
#ifdef INET
struct ip_moptions cif_imo;
#endif
#ifdef INET6
struct ip6_moptions cif_im6o;
#endif
struct ifnet *cif_ifp;
struct mtx cif_mtx;
uint32_t cif_flags;
#define CIF_PROMISC 0x00000001
};
#define CARP_INET 0
#define CARP_INET6 1
static int proto_reg[] = {-1, -1};
/*
* Brief design of carp(4).
*
* Any carp-capable ifnet may have a list of carp softcs hanging off
* its ifp->if_carp pointer. Each softc represents one unique virtual
* host id, or vhid. The softc has a back pointer to the ifnet. All
* softcs are joined in a global list, which has quite limited use.
*
* Any interface address that takes part in CARP negotiation has a
* pointer to the softc of its vhid, ifa->ifa_carp. That could be either
* AF_INET or AF_INET6 address.
*
* Although, one can get the softc's backpointer to ifnet and traverse
* through its ifp->if_addrhead queue to find all interface addresses
* involved in CARP, we keep a growable array of ifaddr pointers. This
* allows us to avoid grabbing the IF_ADDR_LOCK() in many traversals that
* do calls into the network stack, thus avoiding LORs.
*
* Locking:
*
* Each softc has a lock sc_mtx. It is used to synchronise carp_input_c(),
* callout-driven events and ioctl()s.
*
* To traverse the list of softcs on an ifnet we use CIF_LOCK() or carp_sx.
* To traverse the global list we use the mutex carp_mtx.
*
* Known issues with locking:
*
* - Sending ad, we put the pointer to the softc in an mtag, and no reference
* counting is done on the softc.
* - On module unload we may race (?) with packet processing thread
* dereferencing our function pointers.
*/
/* Accept incoming CARP packets. */
static VNET_DEFINE(int, carp_allow) = 1;
#define V_carp_allow VNET(carp_allow)
+/* Set DSCP in outgoing CARP packets. */
+static VNET_DEFINE(int, carp_dscp) = 56;
+#define V_carp_dscp VNET(carp_dscp)
+
/* Preempt slower nodes. */
static VNET_DEFINE(int, carp_preempt) = 0;
#define V_carp_preempt VNET(carp_preempt)
/* Log level. */
static VNET_DEFINE(int, carp_log) = 1;
#define V_carp_log VNET(carp_log)
/* Global advskew demotion. */
static VNET_DEFINE(int, carp_demotion) = 0;
#define V_carp_demotion VNET(carp_demotion)
/* Send error demotion factor. */
static VNET_DEFINE(int, carp_senderr_adj) = CARP_MAXSKEW;
#define V_carp_senderr_adj VNET(carp_senderr_adj)
/* Iface down demotion factor. */
static VNET_DEFINE(int, carp_ifdown_adj) = CARP_MAXSKEW;
#define V_carp_ifdown_adj VNET(carp_ifdown_adj)
+static int carp_dscp_sysctl(SYSCTL_HANDLER_ARGS);
static int carp_demote_adj_sysctl(SYSCTL_HANDLER_ARGS);
SYSCTL_NODE(_net_inet, IPPROTO_CARP, carp, CTLFLAG_RW, 0, "CARP");
SYSCTL_INT(_net_inet_carp, OID_AUTO, allow, CTLFLAG_VNET | CTLFLAG_RW,
&VNET_NAME(carp_allow), 0, "Accept incoming CARP packets");
+SYSCTL_PROC(_net_inet_carp, OID_AUTO, dscp,
+ CTLFLAG_VNET | CTLTYPE_INT | CTLFLAG_RW, 0, 0, carp_dscp_sysctl, "I",
+ "DSCP value for carp packets");
SYSCTL_INT(_net_inet_carp, OID_AUTO, preempt, CTLFLAG_VNET | CTLFLAG_RW,
&VNET_NAME(carp_preempt), 0, "High-priority backup preemption mode");
SYSCTL_INT(_net_inet_carp, OID_AUTO, log, CTLFLAG_VNET | CTLFLAG_RW,
&VNET_NAME(carp_log), 0, "CARP log level");
SYSCTL_PROC(_net_inet_carp, OID_AUTO, demotion,
CTLFLAG_VNET | CTLTYPE_INT | CTLFLAG_RW,
0, 0, carp_demote_adj_sysctl, "I",
"Adjust demotion factor (skew of advskew)");
SYSCTL_INT(_net_inet_carp, OID_AUTO, senderr_demotion_factor,
CTLFLAG_VNET | CTLFLAG_RW,
&VNET_NAME(carp_senderr_adj), 0, "Send error demotion factor adjustment");
SYSCTL_INT(_net_inet_carp, OID_AUTO, ifdown_demotion_factor,
CTLFLAG_VNET | CTLFLAG_RW,
&VNET_NAME(carp_ifdown_adj), 0,
"Interface down demotion factor adjustment");
VNET_PCPUSTAT_DEFINE(struct carpstats, carpstats);
VNET_PCPUSTAT_SYSINIT(carpstats);
VNET_PCPUSTAT_SYSUNINIT(carpstats);
#define CARPSTATS_ADD(name, val) \
counter_u64_add(VNET(carpstats)[offsetof(struct carpstats, name) / \
sizeof(uint64_t)], (val))
#define CARPSTATS_INC(name) CARPSTATS_ADD(name, 1)
SYSCTL_VNET_PCPUSTAT(_net_inet_carp, OID_AUTO, stats, struct carpstats,
carpstats, "CARP statistics (struct carpstats, netinet/ip_carp.h)");
#define CARP_LOCK_INIT(sc) mtx_init(&(sc)->sc_mtx, "carp_softc", \
NULL, MTX_DEF)
#define CARP_LOCK_DESTROY(sc) mtx_destroy(&(sc)->sc_mtx)
#define CARP_LOCK_ASSERT(sc) mtx_assert(&(sc)->sc_mtx, MA_OWNED)
#define CARP_LOCK(sc) mtx_lock(&(sc)->sc_mtx)
#define CARP_UNLOCK(sc) mtx_unlock(&(sc)->sc_mtx)
#define CIF_LOCK_INIT(cif) mtx_init(&(cif)->cif_mtx, "carp_if", \
NULL, MTX_DEF)
#define CIF_LOCK_DESTROY(cif) mtx_destroy(&(cif)->cif_mtx)
#define CIF_LOCK_ASSERT(cif) mtx_assert(&(cif)->cif_mtx, MA_OWNED)
#define CIF_LOCK(cif) mtx_lock(&(cif)->cif_mtx)
#define CIF_UNLOCK(cif) mtx_unlock(&(cif)->cif_mtx)
#define CIF_FREE(cif) do { \
CIF_LOCK(cif); \
if (TAILQ_EMPTY(&(cif)->cif_vrs)) \
carp_free_if(cif); \
else \
CIF_UNLOCK(cif); \
} while (0)
#define CARP_LOG(...) do { \
if (V_carp_log > 0) \
log(LOG_INFO, "carp: " __VA_ARGS__); \
} while (0)
#define CARP_DEBUG(...) do { \
if (V_carp_log > 1) \
log(LOG_DEBUG, __VA_ARGS__); \
} while (0)
#define IFNET_FOREACH_IFA(ifp, ifa) \
IF_ADDR_LOCK_ASSERT(ifp); \
TAILQ_FOREACH((ifa), &(ifp)->if_addrhead, ifa_link) \
if ((ifa)->ifa_carp != NULL)
#define CARP_FOREACH_IFA(sc, ifa) \
CARP_LOCK_ASSERT(sc); \
for (int _i = 0; \
_i < (sc)->sc_naddrs + (sc)->sc_naddrs6 && \
((ifa) = sc->sc_ifas[_i]) != NULL; \
++_i)
#define IFNET_FOREACH_CARP(ifp, sc) \
KASSERT(mtx_owned(&ifp->if_carp->cif_mtx) || \
sx_xlocked(&carp_sx), ("cif_vrs not locked")); \
TAILQ_FOREACH((sc), &(ifp)->if_carp->cif_vrs, sc_list)
#define DEMOTE_ADVSKEW(sc) \
(((sc)->sc_advskew + V_carp_demotion > CARP_MAXSKEW) ? \
CARP_MAXSKEW : ((sc)->sc_advskew + V_carp_demotion))
static void carp_input_c(struct mbuf *, struct carp_header *, sa_family_t);
static struct carp_softc
*carp_alloc(struct ifnet *);
static void carp_destroy(struct carp_softc *);
static struct carp_if
*carp_alloc_if(struct ifnet *);
static void carp_free_if(struct carp_if *);
static void carp_set_state(struct carp_softc *, int, const char* reason);
static void carp_sc_state(struct carp_softc *);
static void carp_setrun(struct carp_softc *, sa_family_t);
static void carp_master_down(void *);
static void carp_master_down_locked(struct carp_softc *,
const char* reason);
static void carp_send_ad(void *);
static void carp_send_ad_locked(struct carp_softc *);
static void carp_addroute(struct carp_softc *);
static void carp_ifa_addroute(struct ifaddr *);
static void carp_delroute(struct carp_softc *);
static void carp_ifa_delroute(struct ifaddr *);
static void carp_send_ad_all(void *, int);
static void carp_demote_adj(int, char *);
static LIST_HEAD(, carp_softc) carp_list;
static struct mtx carp_mtx;
static struct sx carp_sx;
static struct task carp_sendall_task =
TASK_INITIALIZER(0, carp_send_ad_all, NULL);
static void
carp_hmac_prepare(struct carp_softc *sc)
{
uint8_t version = CARP_VERSION, type = CARP_ADVERTISEMENT;
uint8_t vhid = sc->sc_vhid & 0xff;
struct ifaddr *ifa;
int i, found;
#ifdef INET
struct in_addr last, cur, in;
#endif
#ifdef INET6
struct in6_addr last6, cur6, in6;
#endif
CARP_LOCK_ASSERT(sc);
/* Compute ipad from key. */
bzero(sc->sc_pad, sizeof(sc->sc_pad));
bcopy(sc->sc_key, sc->sc_pad, sizeof(sc->sc_key));
for (i = 0; i < sizeof(sc->sc_pad); i++)
sc->sc_pad[i] ^= 0x36;
/* Precompute first part of inner hash. */
SHA1Init(&sc->sc_sha1);
SHA1Update(&sc->sc_sha1, sc->sc_pad, sizeof(sc->sc_pad));
SHA1Update(&sc->sc_sha1, (void *)&version, sizeof(version));
SHA1Update(&sc->sc_sha1, (void *)&type, sizeof(type));
SHA1Update(&sc->sc_sha1, (void *)&vhid, sizeof(vhid));
#ifdef INET
cur.s_addr = 0;
do {
found = 0;
last = cur;
cur.s_addr = 0xffffffff;
CARP_FOREACH_IFA(sc, ifa) {
in.s_addr = ifatoia(ifa)->ia_addr.sin_addr.s_addr;
if (ifa->ifa_addr->sa_family == AF_INET &&
ntohl(in.s_addr) > ntohl(last.s_addr) &&
ntohl(in.s_addr) < ntohl(cur.s_addr)) {
cur.s_addr = in.s_addr;
found++;
}
}
if (found)
SHA1Update(&sc->sc_sha1, (void *)&cur, sizeof(cur));
} while (found);
#endif /* INET */
#ifdef INET6
memset(&cur6, 0, sizeof(cur6));
do {
found = 0;
last6 = cur6;
memset(&cur6, 0xff, sizeof(cur6));
CARP_FOREACH_IFA(sc, ifa) {
in6 = ifatoia6(ifa)->ia_addr.sin6_addr;
if (IN6_IS_SCOPE_EMBED(&in6))
in6.s6_addr16[1] = 0;
if (ifa->ifa_addr->sa_family == AF_INET6 &&
memcmp(&in6, &last6, sizeof(in6)) > 0 &&
memcmp(&in6, &cur6, sizeof(in6)) < 0) {
cur6 = in6;
found++;
}
}
if (found)
SHA1Update(&sc->sc_sha1, (void *)&cur6, sizeof(cur6));
} while (found);
#endif /* INET6 */
/* convert ipad to opad */
for (i = 0; i < sizeof(sc->sc_pad); i++)
sc->sc_pad[i] ^= 0x36 ^ 0x5c;
}
static void
carp_hmac_generate(struct carp_softc *sc, uint32_t counter[2],
unsigned char md[20])
{
SHA1_CTX sha1ctx;
CARP_LOCK_ASSERT(sc);
/* fetch first half of inner hash */
bcopy(&sc->sc_sha1, &sha1ctx, sizeof(sha1ctx));
SHA1Update(&sha1ctx, (void *)counter, sizeof(sc->sc_counter));
SHA1Final(md, &sha1ctx);
/* outer hash */
SHA1Init(&sha1ctx);
SHA1Update(&sha1ctx, sc->sc_pad, sizeof(sc->sc_pad));
SHA1Update(&sha1ctx, md, 20);
SHA1Final(md, &sha1ctx);
}
static int
carp_hmac_verify(struct carp_softc *sc, uint32_t counter[2],
unsigned char md[20])
{
unsigned char md2[20];
CARP_LOCK_ASSERT(sc);
carp_hmac_generate(sc, counter, md2);
return (bcmp(md, md2, sizeof(md2)));
}
/*
* process input packet.
* we have rearranged checks order compared to the rfc,
* but it seems more efficient this way or not possible otherwise.
*/
#ifdef INET
int
carp_input(struct mbuf **mp, int *offp, int proto)
{
struct mbuf *m = *mp;
struct ip *ip = mtod(m, struct ip *);
struct carp_header *ch;
int iplen, len;
iplen = *offp;
*mp = NULL;
CARPSTATS_INC(carps_ipackets);
if (!V_carp_allow) {
m_freem(m);
return (IPPROTO_DONE);
}
/* verify that the IP TTL is 255. */
if (ip->ip_ttl != CARP_DFLTTL) {
CARPSTATS_INC(carps_badttl);
CARP_DEBUG("%s: received ttl %d != 255 on %s\n", __func__,
ip->ip_ttl,
m->m_pkthdr.rcvif->if_xname);
m_freem(m);
return (IPPROTO_DONE);
}
iplen = ip->ip_hl << 2;
if (m->m_pkthdr.len < iplen + sizeof(*ch)) {
CARPSTATS_INC(carps_badlen);
CARP_DEBUG("%s: received len %zd < sizeof(struct carp_header) "
"on %s\n", __func__, m->m_len - sizeof(struct ip),
m->m_pkthdr.rcvif->if_xname);
m_freem(m);
return (IPPROTO_DONE);
}
if (iplen + sizeof(*ch) < m->m_len) {
if ((m = m_pullup(m, iplen + sizeof(*ch))) == NULL) {
CARPSTATS_INC(carps_hdrops);
CARP_DEBUG("%s: pullup failed\n", __func__);
return (IPPROTO_DONE);
}
ip = mtod(m, struct ip *);
}
ch = (struct carp_header *)((char *)ip + iplen);
/*
* verify that the received packet length is
* equal to the CARP header
*/
len = iplen + sizeof(*ch);
if (len > m->m_pkthdr.len) {
CARPSTATS_INC(carps_badlen);
CARP_DEBUG("%s: packet too short %d on %s\n", __func__,
m->m_pkthdr.len,
m->m_pkthdr.rcvif->if_xname);
m_freem(m);
return (IPPROTO_DONE);
}
if ((m = m_pullup(m, len)) == NULL) {
CARPSTATS_INC(carps_hdrops);
return (IPPROTO_DONE);
}
ip = mtod(m, struct ip *);
ch = (struct carp_header *)((char *)ip + iplen);
/* verify the CARP checksum */
m->m_data += iplen;
if (in_cksum(m, len - iplen)) {
CARPSTATS_INC(carps_badsum);
CARP_DEBUG("%s: checksum failed on %s\n", __func__,
m->m_pkthdr.rcvif->if_xname);
m_freem(m);
return (IPPROTO_DONE);
}
m->m_data -= iplen;
carp_input_c(m, ch, AF_INET);
return (IPPROTO_DONE);
}
#endif
#ifdef INET6
int
carp6_input(struct mbuf **mp, int *offp, int proto)
{
struct mbuf *m = *mp;
struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
struct carp_header *ch;
u_int len;
CARPSTATS_INC(carps_ipackets6);
if (!V_carp_allow) {
m_freem(m);
return (IPPROTO_DONE);
}
/* check if received on a valid carp interface */
if (m->m_pkthdr.rcvif->if_carp == NULL) {
CARPSTATS_INC(carps_badif);
CARP_DEBUG("%s: packet received on non-carp interface: %s\n",
__func__, m->m_pkthdr.rcvif->if_xname);
m_freem(m);
return (IPPROTO_DONE);
}
/* verify that the IP TTL is 255 */
if (ip6->ip6_hlim != CARP_DFLTTL) {
CARPSTATS_INC(carps_badttl);
CARP_DEBUG("%s: received ttl %d != 255 on %s\n", __func__,
ip6->ip6_hlim, m->m_pkthdr.rcvif->if_xname);
m_freem(m);
return (IPPROTO_DONE);
}
/* verify that we have a complete carp packet */
len = m->m_len;
IP6_EXTHDR_GET(ch, struct carp_header *, m, *offp, sizeof(*ch));
if (ch == NULL) {
CARPSTATS_INC(carps_badlen);
CARP_DEBUG("%s: packet size %u too small\n", __func__, len);
return (IPPROTO_DONE);
}
/* verify the CARP checksum */
m->m_data += *offp;
if (in_cksum(m, sizeof(*ch))) {
CARPSTATS_INC(carps_badsum);
CARP_DEBUG("%s: checksum failed, on %s\n", __func__,
m->m_pkthdr.rcvif->if_xname);
m_freem(m);
return (IPPROTO_DONE);
}
m->m_data -= *offp;
carp_input_c(m, ch, AF_INET6);
return (IPPROTO_DONE);
}
#endif /* INET6 */
static void
carp_input_c(struct mbuf *m, struct carp_header *ch, sa_family_t af)
{
struct ifnet *ifp = m->m_pkthdr.rcvif;
struct ifaddr *ifa;
struct carp_softc *sc;
uint64_t tmp_counter;
struct timeval sc_tv, ch_tv;
/* verify that the VHID is valid on the receiving interface */
IF_ADDR_RLOCK(ifp);
IFNET_FOREACH_IFA(ifp, ifa)
if (ifa->ifa_addr->sa_family == af &&
ifa->ifa_carp->sc_vhid == ch->carp_vhid) {
ifa_ref(ifa);
break;
}
IF_ADDR_RUNLOCK(ifp);
if (ifa == NULL) {
CARPSTATS_INC(carps_badvhid);
m_freem(m);
return;
}
/* verify the CARP version. */
if (ch->carp_version != CARP_VERSION) {
CARPSTATS_INC(carps_badver);
CARP_DEBUG("%s: invalid version %d\n", ifp->if_xname,
ch->carp_version);
ifa_free(ifa);
m_freem(m);
return;
}
sc = ifa->ifa_carp;
CARP_LOCK(sc);
ifa_free(ifa);
if (carp_hmac_verify(sc, ch->carp_counter, ch->carp_md)) {
CARPSTATS_INC(carps_badauth);
CARP_DEBUG("%s: incorrect hash for VHID %u@%s\n", __func__,
sc->sc_vhid, ifp->if_xname);
goto out;
}
tmp_counter = ntohl(ch->carp_counter[0]);
tmp_counter = tmp_counter<<32;
tmp_counter += ntohl(ch->carp_counter[1]);
/* XXX Replay protection goes here */
sc->sc_init_counter = 0;
sc->sc_counter = tmp_counter;
sc_tv.tv_sec = sc->sc_advbase;
sc_tv.tv_usec = DEMOTE_ADVSKEW(sc) * 1000000 / 256;
ch_tv.tv_sec = ch->carp_advbase;
ch_tv.tv_usec = ch->carp_advskew * 1000000 / 256;
switch (sc->sc_state) {
case INIT:
break;
case MASTER:
/*
* If we receive an advertisement from a master who's going to
* be more frequent than us, go into BACKUP state.
*/
if (timevalcmp(&sc_tv, &ch_tv, >) ||
timevalcmp(&sc_tv, &ch_tv, ==)) {
callout_stop(&sc->sc_ad_tmo);
carp_set_state(sc, BACKUP,
"more frequent advertisement received");
carp_setrun(sc, 0);
carp_delroute(sc);
}
break;
case BACKUP:
/*
* If we're pre-empting masters who advertise slower than us,
* and this one claims to be slower, treat him as down.
*/
if (V_carp_preempt && timevalcmp(&sc_tv, &ch_tv, <)) {
carp_master_down_locked(sc,
"preempting a slower master");
break;
}
/*
* If the master is going to advertise at such a low frequency
* that he's guaranteed to time out, we'd might as well just
* treat him as timed out now.
*/
sc_tv.tv_sec = sc->sc_advbase * 3;
if (timevalcmp(&sc_tv, &ch_tv, <)) {
carp_master_down_locked(sc, "master will time out");
break;
}
/*
* Otherwise, we reset the counter and wait for the next
* advertisement.
*/
carp_setrun(sc, af);
break;
}
out:
CARP_UNLOCK(sc);
m_freem(m);
}
static int
carp_prepare_ad(struct mbuf *m, struct carp_softc *sc, struct carp_header *ch)
{
struct m_tag *mtag;
if (sc->sc_init_counter) {
/* this could also be seconds since unix epoch */
sc->sc_counter = arc4random();
sc->sc_counter = sc->sc_counter << 32;
sc->sc_counter += arc4random();
} else
sc->sc_counter++;
ch->carp_counter[0] = htonl((sc->sc_counter>>32)&0xffffffff);
ch->carp_counter[1] = htonl(sc->sc_counter&0xffffffff);
carp_hmac_generate(sc, ch->carp_counter, ch->carp_md);
/* Tag packet for carp_output */
if ((mtag = m_tag_get(PACKET_TAG_CARP, sizeof(struct carp_softc *),
M_NOWAIT)) == NULL) {
m_freem(m);
CARPSTATS_INC(carps_onomem);
return (ENOMEM);
}
bcopy(&sc, mtag + 1, sizeof(sc));
m_tag_prepend(m, mtag);
return (0);
}
/*
* To avoid LORs and possible recursions this function shouldn't
* be called directly, but scheduled via taskqueue.
*/
static void
carp_send_ad_all(void *ctx __unused, int pending __unused)
{
struct carp_softc *sc;
mtx_lock(&carp_mtx);
LIST_FOREACH(sc, &carp_list, sc_next)
if (sc->sc_state == MASTER) {
CARP_LOCK(sc);
CURVNET_SET(sc->sc_carpdev->if_vnet);
carp_send_ad_locked(sc);
CURVNET_RESTORE();
CARP_UNLOCK(sc);
}
mtx_unlock(&carp_mtx);
}
/* Send a periodic advertisement, executed in callout context. */
static void
carp_send_ad(void *v)
{
struct carp_softc *sc = v;
CARP_LOCK_ASSERT(sc);
CURVNET_SET(sc->sc_carpdev->if_vnet);
carp_send_ad_locked(sc);
CURVNET_RESTORE();
CARP_UNLOCK(sc);
}
static void
carp_send_ad_error(struct carp_softc *sc, int error)
{
if (error) {
if (sc->sc_sendad_errors < INT_MAX)
sc->sc_sendad_errors++;
if (sc->sc_sendad_errors == CARP_SENDAD_MAX_ERRORS) {
static const char fmt[] = "send error %d on %s";
char msg[sizeof(fmt) + IFNAMSIZ];
sprintf(msg, fmt, error, sc->sc_carpdev->if_xname);
carp_demote_adj(V_carp_senderr_adj, msg);
}
sc->sc_sendad_success = 0;
} else {
if (sc->sc_sendad_errors >= CARP_SENDAD_MAX_ERRORS &&
++sc->sc_sendad_success >= CARP_SENDAD_MIN_SUCCESS) {
static const char fmt[] = "send ok on %s";
char msg[sizeof(fmt) + IFNAMSIZ];
sprintf(msg, fmt, sc->sc_carpdev->if_xname);
carp_demote_adj(-V_carp_senderr_adj, msg);
sc->sc_sendad_errors = 0;
} else
sc->sc_sendad_errors = 0;
}
}
static void
carp_send_ad_locked(struct carp_softc *sc)
{
struct carp_header ch;
struct timeval tv;
struct sockaddr sa;
struct ifaddr *ifa;
struct carp_header *ch_ptr;
struct mbuf *m;
int len, advskew;
CARP_LOCK_ASSERT(sc);
advskew = DEMOTE_ADVSKEW(sc);
tv.tv_sec = sc->sc_advbase;
tv.tv_usec = advskew * 1000000 / 256;
ch.carp_version = CARP_VERSION;
ch.carp_type = CARP_ADVERTISEMENT;
ch.carp_vhid = sc->sc_vhid;
ch.carp_advbase = sc->sc_advbase;
ch.carp_advskew = advskew;
ch.carp_authlen = 7; /* XXX DEFINE */
ch.carp_pad1 = 0; /* must be zero */
ch.carp_cksum = 0;
/* XXXGL: OpenBSD picks first ifaddr with needed family. */
#ifdef INET
if (sc->sc_naddrs) {
struct ip *ip;
m = m_gethdr(M_NOWAIT, MT_DATA);
if (m == NULL) {
CARPSTATS_INC(carps_onomem);
goto resched;
}
len = sizeof(*ip) + sizeof(ch);
m->m_pkthdr.len = len;
m->m_pkthdr.rcvif = NULL;
m->m_len = len;
M_ALIGN(m, m->m_len);
m->m_flags |= M_MCAST;
ip = mtod(m, struct ip *);
ip->ip_v = IPVERSION;
ip->ip_hl = sizeof(*ip) >> 2;
- ip->ip_tos = IPTOS_LOWDELAY;
+ ip->ip_tos = V_carp_dscp << IPTOS_DSCP_OFFSET;
ip->ip_len = htons(len);
ip->ip_off = htons(IP_DF);
ip->ip_ttl = CARP_DFLTTL;
ip->ip_p = IPPROTO_CARP;
ip->ip_sum = 0;
ip_fillid(ip);
bzero(&sa, sizeof(sa));
sa.sa_family = AF_INET;
ifa = ifaof_ifpforaddr(&sa, sc->sc_carpdev);
if (ifa != NULL) {
ip->ip_src.s_addr =
ifatoia(ifa)->ia_addr.sin_addr.s_addr;
ifa_free(ifa);
} else
ip->ip_src.s_addr = 0;
ip->ip_dst.s_addr = htonl(INADDR_CARP_GROUP);
ch_ptr = (struct carp_header *)(&ip[1]);
bcopy(&ch, ch_ptr, sizeof(ch));
if (carp_prepare_ad(m, sc, ch_ptr))
goto resched;
m->m_data += sizeof(*ip);
ch_ptr->carp_cksum = in_cksum(m, len - sizeof(*ip));
m->m_data -= sizeof(*ip);
CARPSTATS_INC(carps_opackets);
carp_send_ad_error(sc, ip_output(m, NULL, NULL, IP_RAWOUTPUT,
&sc->sc_carpdev->if_carp->cif_imo, NULL));
}
#endif /* INET */
#ifdef INET6
if (sc->sc_naddrs6) {
struct ip6_hdr *ip6;
m = m_gethdr(M_NOWAIT, MT_DATA);
if (m == NULL) {
CARPSTATS_INC(carps_onomem);
goto resched;
}
len = sizeof(*ip6) + sizeof(ch);
m->m_pkthdr.len = len;
m->m_pkthdr.rcvif = NULL;
m->m_len = len;
M_ALIGN(m, m->m_len);
m->m_flags |= M_MCAST;
ip6 = mtod(m, struct ip6_hdr *);
bzero(ip6, sizeof(*ip6));
ip6->ip6_vfc |= IPV6_VERSION;
+ /* Traffic class isn't defined in ip6 struct instead
+ * it gets offset into flowid field */
+ ip6->ip6_flow |= htonl(V_carp_dscp << (IPV6_FLOWLABEL_LEN +
+ IPTOS_DSCP_OFFSET));
ip6->ip6_hlim = CARP_DFLTTL;
ip6->ip6_nxt = IPPROTO_CARP;
bzero(&sa, sizeof(sa));
/* set the source address */
sa.sa_family = AF_INET6;
ifa = ifaof_ifpforaddr(&sa, sc->sc_carpdev);
if (ifa != NULL) {
bcopy(IFA_IN6(ifa), &ip6->ip6_src,
sizeof(struct in6_addr));
ifa_free(ifa);
} else
/* This should never happen with IPv6. */
bzero(&ip6->ip6_src, sizeof(struct in6_addr));
/* Set the multicast destination. */
ip6->ip6_dst.s6_addr16[0] = htons(0xff02);
ip6->ip6_dst.s6_addr8[15] = 0x12;
if (in6_setscope(&ip6->ip6_dst, sc->sc_carpdev, NULL) != 0) {
m_freem(m);
CARP_DEBUG("%s: in6_setscope failed\n", __func__);
goto resched;
}
ch_ptr = (struct carp_header *)(&ip6[1]);
bcopy(&ch, ch_ptr, sizeof(ch));
if (carp_prepare_ad(m, sc, ch_ptr))
goto resched;
m->m_data += sizeof(*ip6);
ch_ptr->carp_cksum = in_cksum(m, len - sizeof(*ip6));
m->m_data -= sizeof(*ip6);
CARPSTATS_INC(carps_opackets6);
carp_send_ad_error(sc, ip6_output(m, NULL, NULL, 0,
&sc->sc_carpdev->if_carp->cif_im6o, NULL, NULL));
}
#endif /* INET6 */
resched:
callout_reset(&sc->sc_ad_tmo, tvtohz(&tv), carp_send_ad, sc);
}
static void
carp_addroute(struct carp_softc *sc)
{
struct ifaddr *ifa;
CARP_FOREACH_IFA(sc, ifa)
carp_ifa_addroute(ifa);
}
static void
carp_ifa_addroute(struct ifaddr *ifa)
{
switch (ifa->ifa_addr->sa_family) {
#ifdef INET
case AF_INET:
in_addprefix(ifatoia(ifa), RTF_UP);
ifa_add_loopback_route(ifa,
(struct sockaddr *)&ifatoia(ifa)->ia_addr);
break;
#endif
#ifdef INET6
case AF_INET6:
ifa_add_loopback_route(ifa,
(struct sockaddr *)&ifatoia6(ifa)->ia_addr);
nd6_add_ifa_lle(ifatoia6(ifa));
break;
#endif
}
}
static void
carp_delroute(struct carp_softc *sc)
{
struct ifaddr *ifa;
CARP_FOREACH_IFA(sc, ifa)
carp_ifa_delroute(ifa);
}
static void
carp_ifa_delroute(struct ifaddr *ifa)
{
switch (ifa->ifa_addr->sa_family) {
#ifdef INET
case AF_INET:
ifa_del_loopback_route(ifa,
(struct sockaddr *)&ifatoia(ifa)->ia_addr);
in_scrubprefix(ifatoia(ifa), LLE_STATIC);
break;
#endif
#ifdef INET6
case AF_INET6:
ifa_del_loopback_route(ifa,
(struct sockaddr *)&ifatoia6(ifa)->ia_addr);
nd6_rem_ifa_lle(ifatoia6(ifa), 1);
break;
#endif
}
}
int
carp_master(struct ifaddr *ifa)
{
struct carp_softc *sc = ifa->ifa_carp;
return (sc->sc_state == MASTER);
}
#ifdef INET
/*
* Broadcast a gratuitous ARP request containing
* the virtual router MAC address for each IP address
* associated with the virtual router.
*/
static void
carp_send_arp(struct carp_softc *sc)
{
struct ifaddr *ifa;
struct in_addr addr;
CARP_FOREACH_IFA(sc, ifa) {
if (ifa->ifa_addr->sa_family != AF_INET)
continue;
addr = ((struct sockaddr_in *)ifa->ifa_addr)->sin_addr;
arp_announce_ifaddr(sc->sc_carpdev, addr, LLADDR(&sc->sc_addr));
}
}
int
carp_iamatch(struct ifaddr *ifa, uint8_t **enaddr)
{
struct carp_softc *sc = ifa->ifa_carp;
if (sc->sc_state == MASTER) {
*enaddr = LLADDR(&sc->sc_addr);
return (1);
}
return (0);
}
#endif
#ifdef INET6
static void
carp_send_na(struct carp_softc *sc)
{
static struct in6_addr mcast = IN6ADDR_LINKLOCAL_ALLNODES_INIT;
struct ifaddr *ifa;
struct in6_addr *in6;
CARP_FOREACH_IFA(sc, ifa) {
if (ifa->ifa_addr->sa_family != AF_INET6)
continue;
in6 = IFA_IN6(ifa);
nd6_na_output(sc->sc_carpdev, &mcast, in6,
ND_NA_FLAG_OVERRIDE, 1, NULL);
DELAY(1000); /* XXX */
}
}
/*
* Returns ifa in case it's a carp address and it is MASTER, or if the address
* matches and is not a carp address. Returns NULL otherwise.
*/
struct ifaddr *
carp_iamatch6(struct ifnet *ifp, struct in6_addr *taddr)
{
struct ifaddr *ifa;
ifa = NULL;
IF_ADDR_RLOCK(ifp);
TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
if (ifa->ifa_addr->sa_family != AF_INET6)
continue;
if (!IN6_ARE_ADDR_EQUAL(taddr, IFA_IN6(ifa)))
continue;
if (ifa->ifa_carp && ifa->ifa_carp->sc_state != MASTER)
ifa = NULL;
else
ifa_ref(ifa);
break;
}
IF_ADDR_RUNLOCK(ifp);
return (ifa);
}
caddr_t
carp_macmatch6(struct ifnet *ifp, struct mbuf *m, const struct in6_addr *taddr)
{
struct ifaddr *ifa;
IF_ADDR_RLOCK(ifp);
IFNET_FOREACH_IFA(ifp, ifa)
if (ifa->ifa_addr->sa_family == AF_INET6 &&
IN6_ARE_ADDR_EQUAL(taddr, IFA_IN6(ifa))) {
struct carp_softc *sc = ifa->ifa_carp;
struct m_tag *mtag;
IF_ADDR_RUNLOCK(ifp);
mtag = m_tag_get(PACKET_TAG_CARP,
sizeof(struct carp_softc *), M_NOWAIT);
if (mtag == NULL)
/* Better a bit than nothing. */
return (LLADDR(&sc->sc_addr));
bcopy(&sc, mtag + 1, sizeof(sc));
m_tag_prepend(m, mtag);
return (LLADDR(&sc->sc_addr));
}
IF_ADDR_RUNLOCK(ifp);
return (NULL);
}
#endif /* INET6 */
int
carp_forus(struct ifnet *ifp, u_char *dhost)
{
struct carp_softc *sc;
uint8_t *ena = dhost;
if (ena[0] || ena[1] || ena[2] != 0x5e || ena[3] || ena[4] != 1)
return (0);
CIF_LOCK(ifp->if_carp);
IFNET_FOREACH_CARP(ifp, sc) {
CARP_LOCK(sc);
if (sc->sc_state == MASTER && !bcmp(dhost, LLADDR(&sc->sc_addr),
ETHER_ADDR_LEN)) {
CARP_UNLOCK(sc);
CIF_UNLOCK(ifp->if_carp);
return (1);
}
CARP_UNLOCK(sc);
}
CIF_UNLOCK(ifp->if_carp);
return (0);
}
/* Master down timeout event, executed in callout context. */
static void
carp_master_down(void *v)
{
struct carp_softc *sc = v;
CARP_LOCK_ASSERT(sc);
CURVNET_SET(sc->sc_carpdev->if_vnet);
if (sc->sc_state == BACKUP) {
carp_master_down_locked(sc, "master timed out");
}
CURVNET_RESTORE();
CARP_UNLOCK(sc);
}
static void
carp_master_down_locked(struct carp_softc *sc, const char *reason)
{
CARP_LOCK_ASSERT(sc);
switch (sc->sc_state) {
case BACKUP:
carp_set_state(sc, MASTER, reason);
carp_send_ad_locked(sc);
#ifdef INET
carp_send_arp(sc);
#endif
#ifdef INET6
carp_send_na(sc);
#endif
carp_setrun(sc, 0);
carp_addroute(sc);
break;
case INIT:
case MASTER:
#ifdef INVARIANTS
panic("carp: VHID %u@%s: master_down event in %s state\n",
sc->sc_vhid,
sc->sc_carpdev->if_xname,
sc->sc_state ? "MASTER" : "INIT");
#endif
break;
}
}
/*
* When in backup state, af indicates whether to reset the master down timer
* for v4 or v6. If it's set to zero, reset the ones which are already pending.
*/
static void
carp_setrun(struct carp_softc *sc, sa_family_t af)
{
struct timeval tv;
CARP_LOCK_ASSERT(sc);
if ((sc->sc_carpdev->if_flags & IFF_UP) == 0 ||
sc->sc_carpdev->if_link_state != LINK_STATE_UP ||
(sc->sc_naddrs == 0 && sc->sc_naddrs6 == 0))
return;
switch (sc->sc_state) {
case INIT:
carp_set_state(sc, BACKUP, "initialization complete");
carp_setrun(sc, 0);
break;
case BACKUP:
callout_stop(&sc->sc_ad_tmo);
tv.tv_sec = 3 * sc->sc_advbase;
tv.tv_usec = sc->sc_advskew * 1000000 / 256;
switch (af) {
#ifdef INET
case AF_INET:
callout_reset(&sc->sc_md_tmo, tvtohz(&tv),
carp_master_down, sc);
break;
#endif
#ifdef INET6
case AF_INET6:
callout_reset(&sc->sc_md6_tmo, tvtohz(&tv),
carp_master_down, sc);
break;
#endif
default:
#ifdef INET
if (sc->sc_naddrs)
callout_reset(&sc->sc_md_tmo, tvtohz(&tv),
carp_master_down, sc);
#endif
#ifdef INET6
if (sc->sc_naddrs6)
callout_reset(&sc->sc_md6_tmo, tvtohz(&tv),
carp_master_down, sc);
#endif
break;
}
break;
case MASTER:
tv.tv_sec = sc->sc_advbase;
tv.tv_usec = sc->sc_advskew * 1000000 / 256;
callout_reset(&sc->sc_ad_tmo, tvtohz(&tv),
carp_send_ad, sc);
break;
}
}
/*
* Setup multicast structures.
*/
static int
carp_multicast_setup(struct carp_if *cif, sa_family_t sa)
{
struct ifnet *ifp = cif->cif_ifp;
int error = 0;
switch (sa) {
#ifdef INET
case AF_INET:
{
struct ip_moptions *imo = &cif->cif_imo;
struct in_addr addr;
if (imo->imo_membership)
return (0);
imo->imo_membership = (struct in_multi **)malloc(
(sizeof(struct in_multi *) * IP_MIN_MEMBERSHIPS), M_CARP,
M_WAITOK);
imo->imo_mfilters = NULL;
imo->imo_max_memberships = IP_MIN_MEMBERSHIPS;
imo->imo_multicast_vif = -1;
addr.s_addr = htonl(INADDR_CARP_GROUP);
if ((error = in_joingroup(ifp, &addr, NULL,
&imo->imo_membership[0])) != 0) {
free(imo->imo_membership, M_CARP);
break;
}
imo->imo_num_memberships++;
imo->imo_multicast_ifp = ifp;
imo->imo_multicast_ttl = CARP_DFLTTL;
imo->imo_multicast_loop = 0;
break;
}
#endif
#ifdef INET6
case AF_INET6:
{
struct ip6_moptions *im6o = &cif->cif_im6o;
struct in6_addr in6;
struct in6_multi *in6m;
if (im6o->im6o_membership)
return (0);
im6o->im6o_membership = (struct in6_multi **)malloc(
(sizeof(struct in6_multi *) * IPV6_MIN_MEMBERSHIPS), M_CARP,
M_ZERO | M_WAITOK);
im6o->im6o_mfilters = NULL;
im6o->im6o_max_memberships = IPV6_MIN_MEMBERSHIPS;
im6o->im6o_multicast_hlim = CARP_DFLTTL;
im6o->im6o_multicast_ifp = ifp;
/* Join IPv6 CARP multicast group. */
bzero(&in6, sizeof(in6));
in6.s6_addr16[0] = htons(0xff02);
in6.s6_addr8[15] = 0x12;
if ((error = in6_setscope(&in6, ifp, NULL)) != 0) {
free(im6o->im6o_membership, M_CARP);
break;
}
in6m = NULL;
if ((error = in6_mc_join(ifp, &in6, NULL, &in6m, 0)) != 0) {
free(im6o->im6o_membership, M_CARP);
break;
}
im6o->im6o_membership[0] = in6m;
im6o->im6o_num_memberships++;
/* Join solicited multicast address. */
bzero(&in6, sizeof(in6));
in6.s6_addr16[0] = htons(0xff02);
in6.s6_addr32[1] = 0;
in6.s6_addr32[2] = htonl(1);
in6.s6_addr32[3] = 0;
in6.s6_addr8[12] = 0xff;
if ((error = in6_setscope(&in6, ifp, NULL)) != 0) {
in6_mc_leave(im6o->im6o_membership[0], NULL);
free(im6o->im6o_membership, M_CARP);
break;
}
in6m = NULL;
if ((error = in6_mc_join(ifp, &in6, NULL, &in6m, 0)) != 0) {
in6_mc_leave(im6o->im6o_membership[0], NULL);
free(im6o->im6o_membership, M_CARP);
break;
}
im6o->im6o_membership[1] = in6m;
im6o->im6o_num_memberships++;
break;
}
#endif
}
return (error);
}
/*
* Free multicast structures.
*/
static void
carp_multicast_cleanup(struct carp_if *cif, sa_family_t sa)
{
sx_assert(&carp_sx, SA_XLOCKED);
switch (sa) {
#ifdef INET
case AF_INET:
if (cif->cif_naddrs == 0) {
struct ip_moptions *imo = &cif->cif_imo;
in_leavegroup(imo->imo_membership[0], NULL);
KASSERT(imo->imo_mfilters == NULL,
("%s: imo_mfilters != NULL", __func__));
free(imo->imo_membership, M_CARP);
imo->imo_membership = NULL;
}
break;
#endif
#ifdef INET6
case AF_INET6:
if (cif->cif_naddrs6 == 0) {
struct ip6_moptions *im6o = &cif->cif_im6o;
in6_mc_leave(im6o->im6o_membership[0], NULL);
in6_mc_leave(im6o->im6o_membership[1], NULL);
KASSERT(im6o->im6o_mfilters == NULL,
("%s: im6o_mfilters != NULL", __func__));
free(im6o->im6o_membership, M_CARP);
im6o->im6o_membership = NULL;
}
break;
#endif
}
}
int
carp_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *sa)
{
struct m_tag *mtag;
struct carp_softc *sc;
if (!sa)
return (0);
switch (sa->sa_family) {
#ifdef INET
case AF_INET:
break;
#endif
#ifdef INET6
case AF_INET6:
break;
#endif
default:
return (0);
}
mtag = m_tag_find(m, PACKET_TAG_CARP, NULL);
if (mtag == NULL)
return (0);
bcopy(mtag + 1, &sc, sizeof(sc));
/* Set the source MAC address to the Virtual Router MAC Address. */
switch (ifp->if_type) {
case IFT_ETHER:
case IFT_BRIDGE:
case IFT_L2VLAN: {
struct ether_header *eh;
eh = mtod(m, struct ether_header *);
eh->ether_shost[0] = 0;
eh->ether_shost[1] = 0;
eh->ether_shost[2] = 0x5e;
eh->ether_shost[3] = 0;
eh->ether_shost[4] = 1;
eh->ether_shost[5] = sc->sc_vhid;
}
break;
case IFT_FDDI: {
struct fddi_header *fh;
fh = mtod(m, struct fddi_header *);
fh->fddi_shost[0] = 0;
fh->fddi_shost[1] = 0;
fh->fddi_shost[2] = 0x5e;
fh->fddi_shost[3] = 0;
fh->fddi_shost[4] = 1;
fh->fddi_shost[5] = sc->sc_vhid;
}
break;
case IFT_ISO88025: {
struct iso88025_header *th;
th = mtod(m, struct iso88025_header *);
th->iso88025_shost[0] = 3;
th->iso88025_shost[1] = 0;
th->iso88025_shost[2] = 0x40 >> (sc->sc_vhid - 1);
th->iso88025_shost[3] = 0x40000 >> (sc->sc_vhid - 1);
th->iso88025_shost[4] = 0;
th->iso88025_shost[5] = 0;
}
break;
default:
printf("%s: carp is not supported for the %d interface type\n",
ifp->if_xname, ifp->if_type);
return (EOPNOTSUPP);
}
return (0);
}
static struct carp_softc*
carp_alloc(struct ifnet *ifp)
{
struct carp_softc *sc;
struct carp_if *cif;
sx_assert(&carp_sx, SA_XLOCKED);
if ((cif = ifp->if_carp) == NULL)
cif = carp_alloc_if(ifp);
sc = malloc(sizeof(*sc), M_CARP, M_WAITOK|M_ZERO);
sc->sc_advbase = CARP_DFLTINTV;
sc->sc_vhid = -1; /* required setting */
sc->sc_init_counter = 1;
sc->sc_state = INIT;
sc->sc_ifasiz = sizeof(struct ifaddr *);
sc->sc_ifas = malloc(sc->sc_ifasiz, M_CARP, M_WAITOK|M_ZERO);
sc->sc_carpdev = ifp;
CARP_LOCK_INIT(sc);
#ifdef INET
callout_init_mtx(&sc->sc_md_tmo, &sc->sc_mtx, CALLOUT_RETURNUNLOCKED);
#endif
#ifdef INET6
callout_init_mtx(&sc->sc_md6_tmo, &sc->sc_mtx, CALLOUT_RETURNUNLOCKED);
#endif
callout_init_mtx(&sc->sc_ad_tmo, &sc->sc_mtx, CALLOUT_RETURNUNLOCKED);
CIF_LOCK(cif);
TAILQ_INSERT_TAIL(&cif->cif_vrs, sc, sc_list);
CIF_UNLOCK(cif);
mtx_lock(&carp_mtx);
LIST_INSERT_HEAD(&carp_list, sc, sc_next);
mtx_unlock(&carp_mtx);
return (sc);
}
static void
carp_grow_ifas(struct carp_softc *sc)
{
struct ifaddr **new;
new = malloc(sc->sc_ifasiz * 2, M_CARP, M_WAITOK | M_ZERO);
CARP_LOCK(sc);
bcopy(sc->sc_ifas, new, sc->sc_ifasiz);
free(sc->sc_ifas, M_CARP);
sc->sc_ifas = new;
sc->sc_ifasiz *= 2;
CARP_UNLOCK(sc);
}
static void
carp_destroy(struct carp_softc *sc)
{
struct ifnet *ifp = sc->sc_carpdev;
struct carp_if *cif = ifp->if_carp;
sx_assert(&carp_sx, SA_XLOCKED);
if (sc->sc_suppress)
carp_demote_adj(-V_carp_ifdown_adj, "vhid removed");
CARP_UNLOCK(sc);
CIF_LOCK(cif);
TAILQ_REMOVE(&cif->cif_vrs, sc, sc_list);
CIF_UNLOCK(cif);
mtx_lock(&carp_mtx);
LIST_REMOVE(sc, sc_next);
mtx_unlock(&carp_mtx);
callout_drain(&sc->sc_ad_tmo);
#ifdef INET
callout_drain(&sc->sc_md_tmo);
#endif
#ifdef INET6
callout_drain(&sc->sc_md6_tmo);
#endif
CARP_LOCK_DESTROY(sc);
free(sc->sc_ifas, M_CARP);
free(sc, M_CARP);
}
static struct carp_if*
carp_alloc_if(struct ifnet *ifp)
{
struct carp_if *cif;
int error;
cif = malloc(sizeof(*cif), M_CARP, M_WAITOK|M_ZERO);
if ((error = ifpromisc(ifp, 1)) != 0)
printf("%s: ifpromisc(%s) failed: %d\n",
__func__, ifp->if_xname, error);
else
cif->cif_flags |= CIF_PROMISC;
CIF_LOCK_INIT(cif);
cif->cif_ifp = ifp;
TAILQ_INIT(&cif->cif_vrs);
IF_ADDR_WLOCK(ifp);
ifp->if_carp = cif;
if_ref(ifp);
IF_ADDR_WUNLOCK(ifp);
return (cif);
}
static void
carp_free_if(struct carp_if *cif)
{
struct ifnet *ifp = cif->cif_ifp;
CIF_LOCK_ASSERT(cif);
KASSERT(TAILQ_EMPTY(&cif->cif_vrs), ("%s: softc list not empty",
__func__));
IF_ADDR_WLOCK(ifp);
ifp->if_carp = NULL;
IF_ADDR_WUNLOCK(ifp);
CIF_LOCK_DESTROY(cif);
if (cif->cif_flags & CIF_PROMISC)
ifpromisc(ifp, 0);
if_rele(ifp);
free(cif, M_CARP);
}
static void
carp_carprcp(struct carpreq *carpr, struct carp_softc *sc, int priv)
{
CARP_LOCK(sc);
carpr->carpr_state = sc->sc_state;
carpr->carpr_vhid = sc->sc_vhid;
carpr->carpr_advbase = sc->sc_advbase;
carpr->carpr_advskew = sc->sc_advskew;
if (priv)
bcopy(sc->sc_key, carpr->carpr_key, sizeof(carpr->carpr_key));
else
bzero(carpr->carpr_key, sizeof(carpr->carpr_key));
CARP_UNLOCK(sc);
}
int
carp_ioctl(struct ifreq *ifr, u_long cmd, struct thread *td)
{
struct carpreq carpr;
struct ifnet *ifp;
struct carp_softc *sc = NULL;
int error = 0, locked = 0;
if ((error = copyin(ifr_data_get_ptr(ifr), &carpr, sizeof carpr)))
return (error);
ifp = ifunit_ref(ifr->ifr_name);
if (ifp == NULL)
return (ENXIO);
switch (ifp->if_type) {
case IFT_ETHER:
case IFT_L2VLAN:
case IFT_BRIDGE:
case IFT_FDDI:
case IFT_ISO88025:
break;
default:
error = EOPNOTSUPP;
goto out;
}
if ((ifp->if_flags & IFF_MULTICAST) == 0) {
error = EADDRNOTAVAIL;
goto out;
}
sx_xlock(&carp_sx);
switch (cmd) {
case SIOCSVH:
if ((error = priv_check(td, PRIV_NETINET_CARP)))
break;
if (carpr.carpr_vhid <= 0 || carpr.carpr_vhid > CARP_MAXVHID ||
carpr.carpr_advbase < 0 || carpr.carpr_advskew < 0) {
error = EINVAL;
break;
}
if (ifp->if_carp) {
IFNET_FOREACH_CARP(ifp, sc)
if (sc->sc_vhid == carpr.carpr_vhid)
break;
}
if (sc == NULL) {
sc = carp_alloc(ifp);
CARP_LOCK(sc);
sc->sc_vhid = carpr.carpr_vhid;
LLADDR(&sc->sc_addr)[0] = 0;
LLADDR(&sc->sc_addr)[1] = 0;
LLADDR(&sc->sc_addr)[2] = 0x5e;
LLADDR(&sc->sc_addr)[3] = 0;
LLADDR(&sc->sc_addr)[4] = 1;
LLADDR(&sc->sc_addr)[5] = sc->sc_vhid;
} else
CARP_LOCK(sc);
locked = 1;
if (carpr.carpr_advbase > 0) {
if (carpr.carpr_advbase > 255 ||
carpr.carpr_advbase < CARP_DFLTINTV) {
error = EINVAL;
break;
}
sc->sc_advbase = carpr.carpr_advbase;
}
if (carpr.carpr_advskew >= 255) {
error = EINVAL;
break;
}
sc->sc_advskew = carpr.carpr_advskew;
if (carpr.carpr_key[0] != '\0') {
bcopy(carpr.carpr_key, sc->sc_key, sizeof(sc->sc_key));
carp_hmac_prepare(sc);
}
if (sc->sc_state != INIT &&
carpr.carpr_state != sc->sc_state) {
switch (carpr.carpr_state) {
case BACKUP:
callout_stop(&sc->sc_ad_tmo);
carp_set_state(sc, BACKUP,
"user requested via ifconfig");
carp_setrun(sc, 0);
carp_delroute(sc);
break;
case MASTER:
carp_master_down_locked(sc,
"user requested via ifconfig");
break;
default:
break;
}
}
break;
case SIOCGVH:
{
int priveleged;
if (carpr.carpr_vhid < 0 || carpr.carpr_vhid > CARP_MAXVHID) {
error = EINVAL;
break;
}
if (carpr.carpr_count < 1) {
error = EMSGSIZE;
break;
}
if (ifp->if_carp == NULL) {
error = ENOENT;
break;
}
priveleged = (priv_check(td, PRIV_NETINET_CARP) == 0);
if (carpr.carpr_vhid != 0) {
IFNET_FOREACH_CARP(ifp, sc)
if (sc->sc_vhid == carpr.carpr_vhid)
break;
if (sc == NULL) {
error = ENOENT;
break;
}
carp_carprcp(&carpr, sc, priveleged);
error = copyout(&carpr, ifr_data_get_ptr(ifr),
sizeof(carpr));
} else {
int i, count;
count = 0;
IFNET_FOREACH_CARP(ifp, sc)
count++;
if (count > carpr.carpr_count) {
CIF_UNLOCK(ifp->if_carp);
error = EMSGSIZE;
break;
}
i = 0;
IFNET_FOREACH_CARP(ifp, sc) {
carp_carprcp(&carpr, sc, priveleged);
carpr.carpr_count = count;
error = copyout(&carpr,
(caddr_t)ifr_data_get_ptr(ifr) +
(i * sizeof(carpr)), sizeof(carpr));
if (error) {
CIF_UNLOCK(ifp->if_carp);
break;
}
i++;
}
}
break;
}
default:
error = EINVAL;
}
sx_xunlock(&carp_sx);
out:
if (locked)
CARP_UNLOCK(sc);
if_rele(ifp);
return (error);
}
static int
carp_get_vhid(struct ifaddr *ifa)
{
if (ifa == NULL || ifa->ifa_carp == NULL)
return (0);
return (ifa->ifa_carp->sc_vhid);
}
int
carp_attach(struct ifaddr *ifa, int vhid)
{
struct ifnet *ifp = ifa->ifa_ifp;
struct carp_if *cif = ifp->if_carp;
struct carp_softc *sc;
int index, error;
KASSERT(ifa->ifa_carp == NULL, ("%s: ifa %p attached", __func__, ifa));
switch (ifa->ifa_addr->sa_family) {
#ifdef INET
case AF_INET:
#endif
#ifdef INET6
case AF_INET6:
#endif
break;
default:
return (EPROTOTYPE);
}
sx_xlock(&carp_sx);
if (ifp->if_carp == NULL) {
sx_xunlock(&carp_sx);
return (ENOPROTOOPT);
}
IFNET_FOREACH_CARP(ifp, sc)
if (sc->sc_vhid == vhid)
break;
if (sc == NULL) {
sx_xunlock(&carp_sx);
return (ENOENT);
}
error = carp_multicast_setup(cif, ifa->ifa_addr->sa_family);
if (error) {
CIF_FREE(cif);
sx_xunlock(&carp_sx);
return (error);
}
index = sc->sc_naddrs + sc->sc_naddrs6 + 1;
if (index > sc->sc_ifasiz / sizeof(struct ifaddr *))
carp_grow_ifas(sc);
switch (ifa->ifa_addr->sa_family) {
#ifdef INET
case AF_INET:
cif->cif_naddrs++;
sc->sc_naddrs++;
break;
#endif
#ifdef INET6
case AF_INET6:
cif->cif_naddrs6++;
sc->sc_naddrs6++;
break;
#endif
}
ifa_ref(ifa);
CARP_LOCK(sc);
sc->sc_ifas[index - 1] = ifa;
ifa->ifa_carp = sc;
carp_hmac_prepare(sc);
carp_sc_state(sc);
CARP_UNLOCK(sc);
sx_xunlock(&carp_sx);
return (0);
}
void
carp_detach(struct ifaddr *ifa, bool keep_cif)
{
struct ifnet *ifp = ifa->ifa_ifp;
struct carp_if *cif = ifp->if_carp;
struct carp_softc *sc = ifa->ifa_carp;
int i, index;
KASSERT(sc != NULL, ("%s: %p not attached", __func__, ifa));
sx_xlock(&carp_sx);
CARP_LOCK(sc);
/* Shift array. */
index = sc->sc_naddrs + sc->sc_naddrs6;
for (i = 0; i < index; i++)
if (sc->sc_ifas[i] == ifa)
break;
KASSERT(i < index, ("%s: %p no backref", __func__, ifa));
for (; i < index - 1; i++)
sc->sc_ifas[i] = sc->sc_ifas[i+1];
sc->sc_ifas[index - 1] = NULL;
switch (ifa->ifa_addr->sa_family) {
#ifdef INET
case AF_INET:
cif->cif_naddrs--;
sc->sc_naddrs--;
break;
#endif
#ifdef INET6
case AF_INET6:
cif->cif_naddrs6--;
sc->sc_naddrs6--;
break;
#endif
}
carp_ifa_delroute(ifa);
carp_multicast_cleanup(cif, ifa->ifa_addr->sa_family);
ifa->ifa_carp = NULL;
ifa_free(ifa);
carp_hmac_prepare(sc);
carp_sc_state(sc);
if (!keep_cif && sc->sc_naddrs == 0 && sc->sc_naddrs6 == 0)
carp_destroy(sc);
else
CARP_UNLOCK(sc);
if (!keep_cif)
CIF_FREE(cif);
sx_xunlock(&carp_sx);
}
static void
carp_set_state(struct carp_softc *sc, int state, const char *reason)
{
CARP_LOCK_ASSERT(sc);
if (sc->sc_state != state) {
const char *carp_states[] = { CARP_STATES };
char subsys[IFNAMSIZ+5];
snprintf(subsys, IFNAMSIZ+5, "%u@%s", sc->sc_vhid,
sc->sc_carpdev->if_xname);
CARP_LOG("%s: %s -> %s (%s)\n", subsys,
carp_states[sc->sc_state], carp_states[state], reason);
sc->sc_state = state;
devctl_notify("CARP", subsys, carp_states[state], NULL);
}
}
static void
carp_linkstate(struct ifnet *ifp)
{
struct carp_softc *sc;
CIF_LOCK(ifp->if_carp);
IFNET_FOREACH_CARP(ifp, sc) {
CARP_LOCK(sc);
carp_sc_state(sc);
CARP_UNLOCK(sc);
}
CIF_UNLOCK(ifp->if_carp);
}
static void
carp_sc_state(struct carp_softc *sc)
{
CARP_LOCK_ASSERT(sc);
if (sc->sc_carpdev->if_link_state != LINK_STATE_UP ||
!(sc->sc_carpdev->if_flags & IFF_UP)) {
callout_stop(&sc->sc_ad_tmo);
#ifdef INET
callout_stop(&sc->sc_md_tmo);
#endif
#ifdef INET6
callout_stop(&sc->sc_md6_tmo);
#endif
carp_set_state(sc, INIT, "hardware interface down");
carp_setrun(sc, 0);
if (!sc->sc_suppress)
carp_demote_adj(V_carp_ifdown_adj, "interface down");
sc->sc_suppress = 1;
} else {
carp_set_state(sc, INIT, "hardware interface up");
carp_setrun(sc, 0);
if (sc->sc_suppress)
carp_demote_adj(-V_carp_ifdown_adj, "interface up");
sc->sc_suppress = 0;
}
}
static void
carp_demote_adj(int adj, char *reason)
{
atomic_add_int(&V_carp_demotion, adj);
CARP_LOG("demoted by %d to %d (%s)\n", adj, V_carp_demotion, reason);
taskqueue_enqueue(taskqueue_swi, &carp_sendall_task);
+}
+
+static int
+carp_dscp_sysctl(SYSCTL_HANDLER_ARGS)
+{
+ int new, error;
+
+ new = V_carp_dscp;
+ error = sysctl_handle_int(oidp, &new, 0, req);
+ if (error || !req->newptr)
+ return (error);
+
+ if (new < 0 || new > 63)
+ return (EINVAL);
+
+ V_carp_dscp = new;
+
+ return (0);
}
static int
carp_demote_adj_sysctl(SYSCTL_HANDLER_ARGS)
{
int new, error;
new = V_carp_demotion;
error = sysctl_handle_int(oidp, &new, 0, req);
if (error || !req->newptr)
return (error);
carp_demote_adj(new, "sysctl");
return (0);
}
#ifdef INET
extern struct domain inetdomain;
static struct protosw in_carp_protosw = {
.pr_type = SOCK_RAW,
.pr_domain = &inetdomain,
.pr_protocol = IPPROTO_CARP,
.pr_flags = PR_ATOMIC|PR_ADDR,
.pr_input = carp_input,
.pr_output = rip_output,
.pr_ctloutput = rip_ctloutput,
.pr_usrreqs = &rip_usrreqs
};
#endif
#ifdef INET6
extern struct domain inet6domain;
static struct protosw in6_carp_protosw = {
.pr_type = SOCK_RAW,
.pr_domain = &inet6domain,
.pr_protocol = IPPROTO_CARP,
.pr_flags = PR_ATOMIC|PR_ADDR,
.pr_input = carp6_input,
.pr_output = rip6_output,
.pr_ctloutput = rip6_ctloutput,
.pr_usrreqs = &rip6_usrreqs
};
#endif
static void
carp_mod_cleanup(void)
{
#ifdef INET
if (proto_reg[CARP_INET] == 0) {
(void)ipproto_unregister(IPPROTO_CARP);
pf_proto_unregister(PF_INET, IPPROTO_CARP, SOCK_RAW);
proto_reg[CARP_INET] = -1;
}
carp_iamatch_p = NULL;
#endif
#ifdef INET6
if (proto_reg[CARP_INET6] == 0) {
(void)ip6proto_unregister(IPPROTO_CARP);
pf_proto_unregister(PF_INET6, IPPROTO_CARP, SOCK_RAW);
proto_reg[CARP_INET6] = -1;
}
carp_iamatch6_p = NULL;
carp_macmatch6_p = NULL;
#endif
carp_ioctl_p = NULL;
carp_attach_p = NULL;
carp_detach_p = NULL;
carp_get_vhid_p = NULL;
carp_linkstate_p = NULL;
carp_forus_p = NULL;
carp_output_p = NULL;
carp_demote_adj_p = NULL;
carp_master_p = NULL;
mtx_unlock(&carp_mtx);
taskqueue_drain(taskqueue_swi, &carp_sendall_task);
mtx_destroy(&carp_mtx);
sx_destroy(&carp_sx);
}
static int
carp_mod_load(void)
{
int err;
mtx_init(&carp_mtx, "carp_mtx", NULL, MTX_DEF);
sx_init(&carp_sx, "carp_sx");
LIST_INIT(&carp_list);
carp_get_vhid_p = carp_get_vhid;
carp_forus_p = carp_forus;
carp_output_p = carp_output;
carp_linkstate_p = carp_linkstate;
carp_ioctl_p = carp_ioctl;
carp_attach_p = carp_attach;
carp_detach_p = carp_detach;
carp_demote_adj_p = carp_demote_adj;
carp_master_p = carp_master;
#ifdef INET6
carp_iamatch6_p = carp_iamatch6;
carp_macmatch6_p = carp_macmatch6;
proto_reg[CARP_INET6] = pf_proto_register(PF_INET6,
(struct protosw *)&in6_carp_protosw);
if (proto_reg[CARP_INET6]) {
printf("carp: error %d attaching to PF_INET6\n",
proto_reg[CARP_INET6]);
carp_mod_cleanup();
return (proto_reg[CARP_INET6]);
}
err = ip6proto_register(IPPROTO_CARP);
if (err) {
printf("carp: error %d registering with INET6\n", err);
carp_mod_cleanup();
return (err);
}
#endif
#ifdef INET
carp_iamatch_p = carp_iamatch;
proto_reg[CARP_INET] = pf_proto_register(PF_INET, &in_carp_protosw);
if (proto_reg[CARP_INET]) {
printf("carp: error %d attaching to PF_INET\n",
proto_reg[CARP_INET]);
carp_mod_cleanup();
return (proto_reg[CARP_INET]);
}
err = ipproto_register(IPPROTO_CARP);
if (err) {
printf("carp: error %d registering with INET\n", err);
carp_mod_cleanup();
return (err);
}
#endif
return (0);
}
static int
carp_modevent(module_t mod, int type, void *data)
{
switch (type) {
case MOD_LOAD:
return carp_mod_load();
/* NOTREACHED */
case MOD_UNLOAD:
mtx_lock(&carp_mtx);
if (LIST_EMPTY(&carp_list))
carp_mod_cleanup();
else {
mtx_unlock(&carp_mtx);
return (EBUSY);
}
break;
default:
return (EINVAL);
}
return (0);
}
static moduledata_t carp_mod = {
"carp",
carp_modevent,
0
};
DECLARE_MODULE(carp, carp_mod, SI_SUB_PROTO_DOMAIN, SI_ORDER_ANY);
Index: stable/11
===================================================================
--- stable/11 (revision 346754)
+++ stable/11 (revision 346755)
Property changes on: stable/11
___________________________________________________________________
Modified: svn:mergeinfo
## -0,0 +0,1 ##
Merged /head:r335837