From owner-svn-ports-all@FreeBSD.ORG Tue Dec 9 14:34:58 2014 Return-Path: Delivered-To: svn-ports-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 06E1675F; Tue, 9 Dec 2014 14:34:58 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id E4FECCA8; Tue, 9 Dec 2014 14:34:57 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id sB9EYvDM098498; Tue, 9 Dec 2014 14:34:57 GMT (envelope-from kuriyama@FreeBSD.org) Received: (from kuriyama@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id sB9EYvU9098494; Tue, 9 Dec 2014 14:34:57 GMT (envelope-from kuriyama@FreeBSD.org) Message-Id: <201412091434.sB9EYvU9098494@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: kuriyama set sender to kuriyama@FreeBSD.org using -f From: Jun Kuriyama Date: Tue, 9 Dec 2014 14:34:57 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r374398 - in head/net/stf-6rd-kmod: . files files-10 files-8 files-9 files-9.1 files-9.2 X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Dec 2014 14:34:58 -0000 Author: kuriyama Date: Tue Dec 9 14:34:56 2014 New Revision: 374398 URL: https://svnweb.freebsd.org/changeset/ports/374398 QAT: https://qat.redports.org/buildarchive/r374398/ Log: Add support for 10.1R and drop 9.2R. Added: head/net/stf-6rd-kmod/files-10/ head/net/stf-6rd-kmod/files-10/patch-aa (contents, props changed) head/net/stf-6rd-kmod/files-8/ head/net/stf-6rd-kmod/files-8/patch-aa (contents, props changed) head/net/stf-6rd-kmod/files-9/ head/net/stf-6rd-kmod/files-9.1/ head/net/stf-6rd-kmod/files-9.1/patch-aa (contents, props changed) head/net/stf-6rd-kmod/files-9/patch-aa (contents, props changed) head/net/stf-6rd-kmod/files/fixup_mtime.sh (contents, props changed) Deleted: head/net/stf-6rd-kmod/files-9.2/ head/net/stf-6rd-kmod/files/patch-stf_6rd_20100923-1.diff Modified: head/net/stf-6rd-kmod/Makefile head/net/stf-6rd-kmod/distinfo Modified: head/net/stf-6rd-kmod/Makefile ============================================================================== --- head/net/stf-6rd-kmod/Makefile Tue Dec 9 14:22:10 2014 (r374397) +++ head/net/stf-6rd-kmod/Makefile Tue Dec 9 14:34:56 2014 (r374398) @@ -14,25 +14,22 @@ COMMENT= 6rd patched stf(4) kernel modul ONLY_FOR_ARCHS= amd64 i386 WRKSRC= ${WRKDIR} -SVN_REV= 267655 +SVN_REV= 275558 +PATCH_STRIP= -p1 +#PATCH_DEBUG= YES USES= kmod .include .if ${OSREL} == "8.4" -#SVN_REV= 255447 +PATCHDIR= ${MASTERDIR}/files-8 .elif ${OSREL} == "9.1" -#SVN_REV= 255448 -.elif ${OSREL} == "9.2" -#SVN_REV= 255444 -PATCHDIR= ${MASTERDIR}/files-9.2 +PATCHDIR= ${MASTERDIR}/files-9.1 .elif ${OSREL} == "9.3" -#SVN_REV= 267655 -PATCHDIR= ${MASTERDIR}/files-9.2 -#.elif ${OSREL} == "10.0" -##SVN_REV= 258913 -#PATCHDIR= ${MASTERDIR}/files-10.0 +PATCHDIR= ${MASTERDIR}/files-9 +.elif ${OSREL} == "10.1" +PATCHDIR= ${MASTERDIR}/files-10 .else IGNORE= not supported $${OSREL} (${OSREL}) .endif @@ -44,9 +41,6 @@ post-extract: ${CP} -Rp ${SRC_BASE}/share/man/man4 ${WRKSRC}/share/man/ ${CP} -Rp ${WRKSRC}/tmp/* ${WRKSRC}/sys/ -pre-patch: - ${REINPLACE_CMD} -e 's|\.Dd July 23, 2011|.Dd April 27, 2001|' ${WRKSRC}/share/man/man4/stf.4 - do-build: cd ${WRKSRC}/sys/modules/if_stf; ${MAKE} DEBUG_FLAGS=-g @@ -59,14 +53,24 @@ do-install: # For maintainer only. SVN_MIRROR?= http://svn.freebsd.org/base EXPDIR= ${WRKSRC}/src/sys +maintainer-tar-all: +.for r in 8.4 9.1 9.3 10.1 + ${MAKE} OSREL=${r} OSVERSION=${r:C/\.//}0000 UNAMER=${r}-RELEASE maintainer-tar +.endfor + +maintainer-diff: +.for r in 8 9 10 + ${FETCH_CMD} -o ${MASTERDIR}/files-${r}/patch-aa https://github.com/kuriyama/freebsd/compare/freebsd:stable/${r}...6rd-stable-${r}.diff +.endfor + ${FETCH_CMD} -o ${MASTERDIR}/files-9.1/patch-aa https://github.com/kuriyama/freebsd/compare/freebsd:releng/9.1...6rd-releng-9.1.diff + maintainer-tar: -.for _osrel in 8.4 9.1 9.2 9.3 10.0 -${RM} -rf ${EXPDIR} ${MKDIR} ${EXPDIR} - cd ${EXPDIR} && svn export -r ${SVN_REV} ${SVN_MIRROR}/releng/${_osrel}/sys/net net - cd ${EXPDIR} && svn export -r ${SVN_REV} ${SVN_MIRROR}/releng/${_osrel}/sys/modules/if_stf modules/if_stf - cd ${EXPDIR} && ${TAR} cfz ${DISTDIR}/freebsd-stf-${_osrel}-${PORTVERSION}${EXTRACT_SUFX} net modules -.endfor + cd ${EXPDIR} && svn export -r ${SVN_REV} ${SVN_MIRROR}/releng/${OSREL}/sys/net net + cd ${EXPDIR} && svn export -r ${SVN_REV} ${SVN_MIRROR}/releng/${OSREL}/sys/modules/if_stf modules/if_stf + ${SH} ${MASTERDIR}/files/fixup_mtime.sh ${EXPDIR} ${SVN_REV} ${SVN_MIRROR} ${OSREL} + cd ${EXPDIR} && ${TAR} cfz ${DISTDIR}/freebsd-stf-${OSREL}-${PORTVERSION}${EXTRACT_SUFX} net modules maintainer-check: @new=`svn log -ql 1 ${SVN_MIRROR}@HEAD releng/${OSREL}/sys/net/if_stf.c | ${GREP} -v ^- | ${SED} -e 's| .*||'`;\ @@ -75,9 +79,10 @@ maintainer-check: make-distinfo: ${RM} -f distinfo.tmp.* -.for r in 8.4 9.1 9.2 9.3 10.0 - ${MAKE} OSREL=${r} DISTINFO_FILE=${MASTERDIR}/distinfo.tmp.${r} makesum +.for r in 8.4 9.1 9.3 10.1 + ${MAKE} OSREL=${r} OSVERSION=${r:C/\.//}0000 UNAMER=${r}-RELEASE DISTINFO_FILE=${MASTERDIR}/distinfo.tmp.${r} makesum .endfor ${CAT} ${MASTERDIR}/distinfo.tmp.* > ${MASTERDIR}/distinfo + ${RM} -f distinfo.tmp.* .include Modified: head/net/stf-6rd-kmod/distinfo ============================================================================== --- head/net/stf-6rd-kmod/distinfo Tue Dec 9 14:22:10 2014 (r374397) +++ head/net/stf-6rd-kmod/distinfo Tue Dec 9 14:34:56 2014 (r374398) @@ -1,10 +1,8 @@ -SHA256 (freebsd-stf-10.0-0.267655.tar.gz) = 492bc45cf0b9651dde008199920435c782bad71616398e0c52814a381578adae -SIZE (freebsd-stf-10.0-0.267655.tar.gz) = 535733 -SHA256 (freebsd-stf-8.4-0.267655.tar.gz) = 0c4dc42d0bbf8946cbde58f7047cd293a7de647f88db100ffe5db37125c635c0 -SIZE (freebsd-stf-8.4-0.267655.tar.gz) = 504670 -SHA256 (freebsd-stf-9.1-0.267655.tar.gz) = 239f90a4ac81d4b6f3ceb82a59e3d9a9152b08f611c9d7557dbca17877bb0ab9 -SIZE (freebsd-stf-9.1-0.267655.tar.gz) = 510463 -SHA256 (freebsd-stf-9.2-0.267655.tar.gz) = 7acfa2a90d6abf87302008a5357411b0732217d10b1e1c0b4cce292626a2024b -SIZE (freebsd-stf-9.2-0.267655.tar.gz) = 514295 -SHA256 (freebsd-stf-9.3-0.267655.tar.gz) = 2ffb08ff5abcbed586623237e9e4a3891492ac592557eef250b67fd74c3749de -SIZE (freebsd-stf-9.3-0.267655.tar.gz) = 529933 +SHA256 (freebsd-stf-10.1-0.275558.tar.gz) = f63f044ff403702601caf77ea6be8471df6cc63a747870eb8c1b618720508b6a +SIZE (freebsd-stf-10.1-0.275558.tar.gz) = 543214 +SHA256 (freebsd-stf-8.4-0.275558.tar.gz) = 0496e8a23e55725f47e72e587b74b4963c11fdc98afe49e94aee861a0fad83bf +SIZE (freebsd-stf-8.4-0.275558.tar.gz) = 500025 +SHA256 (freebsd-stf-9.1-0.275558.tar.gz) = dbcecda506697d7255220838146a8af3d10a3986e67f942ef4efe0cb91d5a72e +SIZE (freebsd-stf-9.1-0.275558.tar.gz) = 509740 +SHA256 (freebsd-stf-9.3-0.275558.tar.gz) = 09c9a4dbafbb13bd1d6bbbe99792a7185725cd028a34228ed4be8bdc656e331b +SIZE (freebsd-stf-9.3-0.275558.tar.gz) = 528285 Added: head/net/stf-6rd-kmod/files-10/patch-aa ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/net/stf-6rd-kmod/files-10/patch-aa Tue Dec 9 14:34:56 2014 (r374398) @@ -0,0 +1,1298 @@ +diff --git a/share/man/man4/stf.4 b/share/man/man4/stf.4 +index 5e210df..1f3da39 100644 +--- a/share/man/man4/stf.4 ++++ b/share/man/man4/stf.4 +@@ -1,6 +1,7 @@ + .\" $KAME: stf.4,v 1.35 2001/05/02 06:24:49 itojun Exp $ + .\" + .\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. ++.\" Copyright (c) 2010 Hiroki Sato + .\" All rights reserved. + .\" + .\" Redistribution and use in source and binary forms, with or without +@@ -42,21 +43,11 @@ tunnel interface + .Sh DESCRIPTION + The + .Nm +-interface supports +-.Dq 6to4 +-IPv6 in IPv4 encapsulation. +-It can tunnel IPv6 traffic over IPv4, as specified in +-.Li RFC3056 . +-.Pp +-For ordinary nodes in 6to4 site, you do not need +-.Nm +-interface. +-The +-.Nm +-interface is necessary for site border router +-(called +-.Dq 6to4 router +-in the specification). ++interface supports IPv6 in IPv4 encapsulation by ++tunneling IPv6 traffic over IPv4, as specified in ++.Li RFC3056 Pq 6to4 ++and ++.Li RFC5569 Pq 6rd . + .Pp + Each + .Nm +@@ -72,12 +63,28 @@ variable in + .Pp + Due to the way 6to4 protocol is specified, + .Nm +-interface requires certain configuration to work properly. ++interface requires certain configuration to work properly. Two ++different protocols defined in RFC3056 and RFC5569 are basically the ++same as each other except for address handling, so ++.Nm ++decides its behavior based on the configured IPv6 addresses as ++explained in the following. ++The ++.Nm ++interface can be configured with multiple IPv6 addresses including ++both 6to4 and 6rd. ++.Sh RFC3056 (a.k.a. 6to4) + Single +-(no more than 1) +-valid 6to4 address needs to be configured to the interface. +-.Dq A valid 6to4 address +-is an address which has the following properties. ++.Pq no more than 1 valid 6to4 address needs to be configured to the interface. ++.Dq a valid 6to4 address ++is an address which has the following properties. For ordinary nodes ++in 6to4 site, you do not need ++.Nm ++interface; it is necessary only for site border router ++(called ++.Dq 6to4 router ++in the specification). ++.Pp + If any of the following properties are not satisfied, + .Nm + raises runtime error on packet transmission. +@@ -110,6 +117,78 @@ you may want to configure IPv6 prefix length as + .Nm + interface will check the IPv4 source address on packets, + if the IPv6 prefix length is larger than 16. ++.Sh RFC5569 (a.k.a. 6rd) ++The ++.Nm ++interface works in the 6rd mode when one or more IPv6 addresses that ++consists of an IPv6 prefix and 32-bit IPv4 part with a prefix length ++equal to or shorter than 64. In 6rd protocol, an IPv6 address ++.Li 2001:db8:c000:205::1/32 ++means the following, for example: ++.Bl -bullet ++.It ++The 6rd relay prefix is ++.Li 2001:db8::/32 . ++.It ++The 6rd router's IPv4 address is ++.Li 192.0.2.5 . ++.El ++.Pp ++As you can see the IPv4 address is embedded in the IPv6 address just ++after the prefix. While you can choose an IPv6 prefix length other ++than 32, it must be from 0 to 32. ++.Pp ++Assuming this address is configured on the ++.Nm ++interface, it does the following: ++.Bl -bullet ++.It ++An incoming IPv6 packet on ++.Nm ++will be encapsuled in an IPv4 packet with the source address ++.Li 192.0.2.5 ++and then the IPv4 packet is delivered based on the IPv4 routing table. ++The IPv4 destination address is calculated from the destination ++address of the original IPv6 packet in the same way as the source. ++.It ++An incoming IPv4 packet which encapsules an IPv6 packet whose ++destination address matches a 6rd prefix with embedded IPv4 address ++configured on the ++.Nm ++interface, the IPv6 packet will be decapsulated and delivered based on ++the IPv6 routing table. Note that ++.Nm ++interface normally has a route which covers whole range of a 6rd relay ++prefix, the delivered IPv6 packet can return to ++.Nm ++if there is no more specific route. In that case, the returned packet ++will be discarded silently. ++.El ++.\" XXX: example configuration will be added ++.\" .Pp ++.\" By using this interface, you can configure a 6rd domain. For simplicity, ++.\" we assume the following here: ++.\" .Bl -bullet ++.\" .It ++.\" A 6rd Customer, who has an IPv6/IPv4 LAN and an IPv4-only access ++.\" toward network of his Internet Service Provider. The Customer has ++.\" a router called ++.\" .Dq CE Pq Customer Edge ++.\" Router, which can communicate between his LAN and the ISP over IPv4 ++.\" and encapsulate ++.\" his networks. ++.\" .It ++.\" A 6rd Provider, who provides IPv6 Internet reachability by using 6rd ++.\" protocol. The Provider offers access to a router called ++.\" .Dq PE Pq Provider Edge ++.\" Router, which can communicate with ++.\" .El ++.\" .Pp ++.\" A 6rd customer ++.\" needs to configure ++.\" .Nm ++.\" on his CE (Customer Edge) router. ++.Sh Other Functionality of the Interface + .Pp + .Nm + can be configured to be ECN friendly. +@@ -147,9 +226,6 @@ Packets with IPv4 multicast address as outer IPv4 source/destination + Packets with limited broadcast address as outer IPv4 source/destination + .Pq Li 255.0.0.0/8 + .It +-Packets with private address as outer IPv4 source/destination +-.Pq Li 10.0.0.0/8 , 172.16.0.0/12 , 192.168.0.0/16 +-.It + Packets with subnet broadcast address as outer IPv4 source/destination. + The check is made against subnet broadcast addresses for + all of the directly connected subnets. +@@ -164,6 +240,11 @@ The same set of rules are applied against the IPv4 address embedded into + inner IPv6 address, if the IPv6 address matches 6to4 prefix. + .El + .Pp ++In addition to them, packets with private address as outer IPv4 ++source/destination ++.Pq Li 10.0.0.0/8 , 172.16.0.0/12 , 192.168.0.0/16 ++are filtered out only in the 6to4 mode. ++.Pp + It is recommended to filter/audit + incoming IPv4 packet with IP protocol number 41, as necessary. + It is also recommended to filter/audit encapsulated IPv6 packets as well. +diff --git a/sys/net/if_stf.c b/sys/net/if_stf.c +index 20251dc..37d96a9 100644 +--- a/sys/net/if_stf.c ++++ b/sys/net/if_stf.c +@@ -3,6 +3,7 @@ + + /*- + * Copyright (C) 2000 WIDE Project. ++ * Copyright (c) 2010 Hiroki Sato + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without +@@ -31,7 +32,7 @@ + */ + + /* +- * 6to4 interface, based on RFC3056. ++ * 6to4 interface, based on RFC3056 + 6rd (RFC5569) support. + * + * 6to4 interface is NOT capable of link-layer (I mean, IPv4) multicasting. + * There is no address mapping defined from IPv6 multicast address to IPv4 +@@ -60,7 +61,7 @@ + * ICMPv6: + * - Redirects cannot be used due to the lack of link-local address. + * +- * stf interface does not have, and will not need, a link-local address. ++ * stf interface does not have, and will not need, a link-local address. + * It seems to have no real benefit and does not help the above symptoms much. + * Even if we assign link-locals to interface, we cannot really + * use link-local unicast/multicast on top of 6to4 cloud (since there's no +@@ -72,6 +73,12 @@ + * http://playground.iijlab.net/i-d/draft-itojun-ipv6-transition-abuse-00.txt + * for details. The code tries to filter out some of malicious packets. + * Note that there is no way to be 100% secure. ++ * ++ * 6rd (RFC5569) extension is enabled when an IPv6 GUA other than ++ * 2002::/16 is assigned. The stf(4) recognizes a 32-bit just after ++ * prefixlen as the IPv4 address of the 6rd customer site. The ++ * prefixlen must be shorter than 32. ++ * + */ + + #include "opt_inet.h" +@@ -120,20 +127,45 @@ + + #include + ++#define STF_DEBUG 1 ++#define ip_sprintf(buf, a) \ ++ sprintf(buf, "%d.%d.%d.%d", \ ++ (ntohl((a)->s_addr)>>24)&0xFF, \ ++ (ntohl((a)->s_addr)>>16)&0xFF, \ ++ (ntohl((a)->s_addr)>>8)&0xFF, \ ++ (ntohl((a)->s_addr))&0xFF); ++#if STF_DEBUG ++#define DEBUG_PRINTF(a, ...) \ ++ do { \ ++ if (V_stf_debug >= a) \ ++ printf(__VA_ARGS__); \ ++ } while (0) ++#else ++#define DEBUG_PRINTF(a, ...) ++#endif ++ + SYSCTL_DECL(_net_link); + static SYSCTL_NODE(_net_link, IFT_STF, stf, CTLFLAG_RW, 0, "6to4 Interface"); + +-static int stf_route_cache = 1; +-SYSCTL_INT(_net_link_stf, OID_AUTO, route_cache, CTLFLAG_RW, +- &stf_route_cache, 0, "Caching of IPv4 routes for 6to4 Output"); ++static VNET_DEFINE(int, stf_route_cache) = 1; ++#define V_stf_route_cache VNET(stf_route_cache) ++SYSCTL_VNET_INT(_net_link_stf, OID_AUTO, route_cache, CTLFLAG_RW, ++ &VNET_NAME(stf_route_cache), 0, ++ "Enable caching of IPv4 routes for 6to4 output."); ++ ++#if STF_DEBUG ++static VNET_DEFINE(int, stf_debug) = 0; ++#define V_stf_debug VNET(stf_debug) ++SYSCTL_VNET_INT(_net_link_stf, OID_AUTO, stf_debug, CTLFLAG_RW, ++ &VNET_NAME(stf_debug), 0, ++ "Enable displaying verbose debug message of stf interfaces"); ++#endif + + static int stf_permit_rfc1918 = 0; + TUNABLE_INT("net.link.stf.permit_rfc1918", &stf_permit_rfc1918); + SYSCTL_INT(_net_link_stf, OID_AUTO, permit_rfc1918, CTLFLAG_RW | CTLFLAG_TUN, + &stf_permit_rfc1918, 0, "Permit the use of private IPv4 addresses"); + +-#define STFUNIT 0 +- + #define IN6_IS_ADDR_6TO4(x) (ntohs((x)->s6_addr16[0]) == 0x2002) + + /* +@@ -149,19 +181,28 @@ struct stf_softc { + struct route_in6 __sc_ro6; /* just for safety */ + } __sc_ro46; + #define sc_ro __sc_ro46.__sc_ro4 +- struct mtx sc_ro_mtx; ++ struct mtx sc_mtx; + u_int sc_fibnum; + const struct encaptab *encap_cookie; ++ u_int sc_flags; ++ LIST_ENTRY(stf_softc) stf_list; + }; + #define STF2IFP(sc) ((sc)->sc_ifp) + + static const char stfname[] = "stf"; + +-/* +- * Note that mutable fields in the softc are not currently locked. +- * We do lock sc_ro in stf_output though. +- */ ++static struct mtx stf_mtx; + static MALLOC_DEFINE(M_STF, stfname, "6to4 Tunnel Interface"); ++static VNET_DEFINE(LIST_HEAD(, stf_softc), stf_softc_list); ++#define V_stf_softc_list VNET(stf_softc_list) ++ ++#define STF_LOCK_INIT(sc) mtx_init(&(sc)->sc_mtx, "stf softc", \ ++ NULL, MTX_DEF); ++#define STF_LOCK_DESTROY(sc) mtx_destroy(&(sc)->sc_mtx) ++#define STF_LOCK(sc) mtx_lock(&(sc)->sc_mtx) ++#define STF_UNLOCK(sc) mtx_unlock(&(sc)->sc_mtx) ++#define STF_LOCK_ASSERT(sc) mtx_assert(&(sc)->sc_mtx, MA_OWNED) ++ + static const int ip_stf_ttl = 40; + + extern struct domain inetdomain; +@@ -190,7 +231,18 @@ static int stf_checkaddr6(struct stf_softc *, struct in6_addr *, + struct ifnet *); + static void stf_rtrequest(int, struct rtentry *, struct rt_addrinfo *); + static int stf_ioctl(struct ifnet *, u_long, caddr_t); +- ++static int stf_is_up(struct ifnet *); ++ ++#define STF_GETIN4_USE_CACHE 1 ++static struct sockaddr_in *stf_getin4addr(struct sockaddr_in *, ++ struct ifaddr *, ++ int); ++static struct sockaddr_in *stf_getin4addr_in6(struct sockaddr_in *, ++ struct ifaddr *, ++ const struct in6_addr *); ++static struct sockaddr_in *stf_getin4addr_sin6(struct sockaddr_in *, ++ struct ifaddr *, ++ struct sockaddr_in6 *); + static int stf_clone_match(struct if_clone *, const char *); + static int stf_clone_create(struct if_clone *, char *, size_t, caddr_t); + static int stf_clone_destroy(struct if_clone *, struct ifnet *); +@@ -212,45 +264,38 @@ stf_clone_match(struct if_clone *ifc, const char *name) + static int + stf_clone_create(struct if_clone *ifc, char *name, size_t len, caddr_t params) + { +- int err, unit; + struct stf_softc *sc; + struct ifnet *ifp; +- +- /* +- * We can only have one unit, but since unit allocation is +- * already locked, we use it to keep from allocating extra +- * interfaces. +- */ +- unit = STFUNIT; +- err = ifc_alloc_unit(ifc, &unit); +- if (err != 0) +- return (err); ++ char *dp; ++ int error, unit, wildcard; + + sc = malloc(sizeof(struct stf_softc), M_STF, M_WAITOK | M_ZERO); ++ sc->sc_fibnum = curthread->td_proc->p_fibnum; + ifp = STF2IFP(sc) = if_alloc(IFT_STF); +- if (ifp == NULL) { ++ if (sc->sc_ifp == NULL) { + free(sc, M_STF); +- ifc_free_unit(ifc, unit); +- return (ENOSPC); ++ return (ENOMEM); + } ++ STF_LOCK_INIT(sc); + ifp->if_softc = sc; +- sc->sc_fibnum = curthread->td_proc->p_fibnum; +- +- /* +- * Set the name manually rather then using if_initname because +- * we don't conform to the default naming convention for interfaces. +- */ ++ error = ifc_name2unit(name, &unit); ++ if (error != 0) ++ return (error); ++ wildcard = (unit < 0); ++ /* In the wildcard case, we need to update the name. */ ++ if (wildcard) { ++ for (dp = name; *dp != '\0'; dp++); ++ if (snprintf(dp, len - (dp-name), "%d", unit) > len - (dp-name) - 1) { ++ panic("%s: interface name too long", __func__); ++ } ++ } ++ ifp->if_dname = name; + strlcpy(ifp->if_xname, name, IFNAMSIZ); +- ifp->if_dname = stfname; +- ifp->if_dunit = IF_DUNIT_NONE; +- +- mtx_init(&(sc)->sc_ro_mtx, "stf ro", NULL, MTX_DEF); + sc->encap_cookie = encap_attach_func(AF_INET, IPPROTO_IPV6, + stf_encapcheck, &in_stf_protosw, sc); + if (sc->encap_cookie == NULL) { + if_printf(ifp, "attach failed\n"); + free(sc, M_STF); +- ifc_free_unit(ifc, unit); + return (ENOMEM); + } + +@@ -260,6 +305,11 @@ stf_clone_create(struct if_clone *ifc, char *name, size_t len, caddr_t params) + ifp->if_snd.ifq_maxlen = ifqmaxlen; + if_attach(ifp); + bpfattach(ifp, DLT_NULL, sizeof(u_int32_t)); ++ ++ mtx_lock(&stf_mtx); ++ LIST_INSERT_HEAD(&V_stf_softc_list, sc, stf_list); ++ mtx_unlock(&stf_mtx); ++ + return (0); + } + +@@ -269,33 +319,44 @@ stf_clone_destroy(struct if_clone *ifc, struct ifnet *ifp) + struct stf_softc *sc = ifp->if_softc; + int err; + ++ mtx_lock(&stf_mtx); ++ LIST_REMOVE(sc, stf_list); ++ mtx_unlock(&stf_mtx); ++ + err = encap_detach(sc->encap_cookie); + KASSERT(err == 0, ("Unexpected error detaching encap_cookie")); +- mtx_destroy(&(sc)->sc_ro_mtx); + bpfdetach(ifp); + if_detach(ifp); + if_free(ifp); + ++ STF_LOCK_DESTROY(sc); + free(sc, M_STF); +- ifc_free_unit(ifc, STFUNIT); + + return (0); + } + ++static void ++vnet_stf_init(const void *unused __unused) ++{ ++ ++ LIST_INIT(&V_stf_softc_list); ++} ++VNET_SYSINIT(vnet_stf_init, SI_SUB_PSEUDO, SI_ORDER_MIDDLE, vnet_stf_init, ++ NULL); ++ + static int +-stfmodevent(mod, type, data) +- module_t mod; +- int type; +- void *data; ++stfmodevent(module_t mod, int type, void *data) + { + + switch (type) { + case MOD_LOAD: ++ mtx_init(&stf_mtx, "stf_mtx", NULL, MTX_DEF); + stf_cloner = if_clone_advanced(stfname, 0, stf_clone_match, + stf_clone_create, stf_clone_destroy); + break; + case MOD_UNLOAD: + if_clone_detach(stf_cloner); ++ mtx_destroy(&stf_mtx); + break; + default: + return (EOPNOTSUPP); +@@ -311,28 +372,31 @@ static moduledata_t stf_mod = { + }; + + DECLARE_MODULE(if_stf, stf_mod, SI_SUB_PSEUDO, SI_ORDER_ANY); ++MODULE_VERSION(if_stf, 1); + + static int +-stf_encapcheck(m, off, proto, arg) +- const struct mbuf *m; +- int off; +- int proto; +- void *arg; ++stf_encapcheck(const struct mbuf *m, int off, int proto, void *arg) + { + struct ip ip; + struct in6_ifaddr *ia6; ++ struct sockaddr_in ia6_in4addr; ++ struct sockaddr_in ia6_in4mask; ++ struct sockaddr_in *sin; + struct stf_softc *sc; +- struct in_addr a, b, mask; ++ struct ifnet *ifp; ++ int ret = 0; + ++ DEBUG_PRINTF(1, "%s: enter\n", __func__); + sc = (struct stf_softc *)arg; + if (sc == NULL) + return 0; ++ ifp = STF2IFP(sc); + +- if ((STF2IFP(sc)->if_flags & IFF_UP) == 0) ++ if ((ifp->if_flags & IFF_UP) == 0) + return 0; + + /* IFF_LINK0 means "no decapsulation" */ +- if ((STF2IFP(sc)->if_flags & IFF_LINK0) != 0) ++ if ((ifp->if_flags & IFF_LINK0) != 0) + return 0; + + if (proto != IPPROTO_IPV6) +@@ -344,83 +408,162 @@ stf_encapcheck(m, off, proto, arg) + if (ip.ip_v != 4) + return 0; + +- ia6 = stf_getsrcifa6(STF2IFP(sc)); ++ /* Lookup an ia6 whose IPv4 addr encoded in the IPv6 addr is valid. */ ++ ia6 = stf_getsrcifa6(ifp); + if (ia6 == NULL) + return 0; ++ sin = stf_getin4addr(&ia6_in4addr, &ia6->ia_ifa, STF_GETIN4_USE_CACHE); ++ if (sin == NULL) ++ return 0; + ++#if STF_DEBUG ++ { ++ char buf[INET6_ADDRSTRLEN + 1]; ++ memset(&buf, 0, sizeof(buf)); ++ ++ ip6_sprintf(buf, &satosin6(ia6->ia_ifa.ifa_addr)->sin6_addr); ++ DEBUG_PRINTF(1, "%s: ia6->ia_ifa.ifa_addr = %s\n", __func__, buf); ++ ip6_sprintf(buf, &ia6->ia_addr.sin6_addr); ++ DEBUG_PRINTF(1, "%s: ia6->ia_addr = %s\n", __func__, buf); ++ ip6_sprintf(buf, &satosin6(ia6->ia_ifa.ifa_netmask)->sin6_addr); ++ DEBUG_PRINTF(1, "%s: ia6->ia_ifa.ifa_netmask = %s\n", __func__, buf); ++ ip6_sprintf(buf, &ia6->ia_prefixmask.sin6_addr); ++ DEBUG_PRINTF(1, "%s: ia6->ia_prefixmask = %s\n", __func__, buf); ++ ++ ip_sprintf(buf, &ia6_in4addr.sin_addr); ++ DEBUG_PRINTF(1, "%s: ia6_in4addr.sin_addr = %s\n", __func__, buf); ++ ip_sprintf(buf, &ip.ip_src); ++ DEBUG_PRINTF(1, "%s: ip.ip_src = %s\n", __func__, buf); ++ ip_sprintf(buf, &ip.ip_dst); ++ DEBUG_PRINTF(1, "%s: ip.ip_dst = %s\n", __func__, buf); ++ } ++#endif + /* + * check if IPv4 dst matches the IPv4 address derived from the + * local 6to4 address. + * success on: dst = 10.1.1.1, ia6->ia_addr = 2002:0a01:0101:... + */ +- if (bcmp(GET_V4(&ia6->ia_addr.sin6_addr), &ip.ip_dst, +- sizeof(ip.ip_dst)) != 0) { +- ifa_free(&ia6->ia_ifa); +- return 0; ++ DEBUG_PRINTF(1, "%s: check1: ia6_in4addr.sin_addr == ip.ip_dst?\n", __func__); ++ if (ia6_in4addr.sin_addr.s_addr != ip.ip_dst.s_addr) { ++ DEBUG_PRINTF(1, "%s: check1: false. Ignore this packet.\n", __func__); ++ goto freeit; + } + +- /* +- * check if IPv4 src matches the IPv4 address derived from the +- * local 6to4 address masked by prefixmask. +- * success on: src = 10.1.1.1, ia6->ia_addr = 2002:0a00:.../24 +- * fail on: src = 10.1.1.1, ia6->ia_addr = 2002:0b00:.../24 +- */ +- bzero(&a, sizeof(a)); +- bcopy(GET_V4(&ia6->ia_addr.sin6_addr), &a, sizeof(a)); +- bcopy(GET_V4(&ia6->ia_prefixmask.sin6_addr), &mask, sizeof(mask)); +- ifa_free(&ia6->ia_ifa); +- a.s_addr &= mask.s_addr; +- b = ip.ip_src; +- b.s_addr &= mask.s_addr; +- if (a.s_addr != b.s_addr) +- return 0; ++ DEBUG_PRINTF(1, "%s: check2: ia6->ia_addr is 2002::/16?\n", __func__); ++ if (IN6_IS_ADDR_6TO4(&ia6->ia_addr.sin6_addr)) { ++ /* 6to4 (RFC 3056) */ ++ /* ++ * check if IPv4 src matches the IPv4 address derived ++ * from the local 6to4 address masked by prefixmask. ++ * success on: src = 10.1.1.1, ia6->ia_addr = 2002:0a00:.../24 ++ * fail on: src = 10.1.1.1, ia6->ia_addr = 2002:0b00:.../24 ++ */ ++ DEBUG_PRINTF(1, "%s: check2: true.\n", __func__); ++ ++ memcpy(&ia6_in4mask.sin_addr, ++ GET_V4(&ia6->ia_prefixmask.sin6_addr), ++ sizeof(ia6_in4mask)); ++#if STF_DEBUG ++ { ++ char buf[INET6_ADDRSTRLEN + 1]; ++ memset(&buf, 0, sizeof(buf)); ++ ++ ip_sprintf(buf, &ia6_in4addr.sin_addr); ++ DEBUG_PRINTF(1, "%s: ia6->ia_addr = %s\n", ++ __func__, buf); ++ ip_sprintf(buf, &ip.ip_src); ++ DEBUG_PRINTF(1, "%s: ip.ip_src = %s\n", ++ __func__, buf); ++ ip_sprintf(buf, &ia6_in4mask.sin_addr); ++ DEBUG_PRINTF(1, "%s: ia6->ia_prefixmask = %s\n", ++ __func__, buf); ++ ++ DEBUG_PRINTF(1, "%s: check3: ia6_in4addr.sin_addr & mask == ip.ip_src & mask\n", ++ __func__); ++ } ++#endif + ++ if ((ia6_in4addr.sin_addr.s_addr & ia6_in4mask.sin_addr.s_addr) != ++ (ip.ip_src.s_addr & ia6_in4mask.sin_addr.s_addr)) { ++ DEBUG_PRINTF(1, "%s: check3: false. Ignore this packet.\n", ++ __func__); ++ goto freeit; ++ } ++ } else { ++ /* 6rd (RFC 5569) */ ++ DEBUG_PRINTF(1, "%s: check2: false. 6rd.\n", __func__); ++ /* ++ * No restriction on the src address in the case of ++ * 6rd because the stf(4) interface always has a ++ * prefix which covers whole of IPv4 src address ++ * range. So, stf_output() will catch all of ++ * 6rd-capsuled IPv4 traffic with suspicious inner dst ++ * IPv4 address (i.e. the IPv6 destination address is ++ * one the admin does not like to route to outside), ++ * and then it discard them silently. ++ */ ++ } ++ DEBUG_PRINTF(1, "%s: all clear!\n", __func__); + /* stf interface makes single side match only */ +- return 32; ++ ret = 32; ++freeit: ++ ifa_free(&ia6->ia_ifa); ++ ++ return (ret); + } + + static struct in6_ifaddr * +-stf_getsrcifa6(ifp) +- struct ifnet *ifp; ++stf_getsrcifa6(struct ifnet *ifp) + { +- struct ifaddr *ia; ++ struct ifaddr *ifa; + struct in_ifaddr *ia4; +- struct sockaddr_in6 *sin6; +- struct in_addr in; ++ struct sockaddr_in *sin; ++ struct sockaddr_in in4; + + if_addr_rlock(ifp); +- TAILQ_FOREACH(ia, &ifp->if_addrhead, ifa_link) { +- if (ia->ifa_addr->sa_family != AF_INET6) ++ TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) { ++ if (ifa->ifa_addr->sa_family != AF_INET6) + continue; +- sin6 = (struct sockaddr_in6 *)ia->ifa_addr; +- if (!IN6_IS_ADDR_6TO4(&sin6->sin6_addr)) ++ if ((sin = stf_getin4addr(&in4, ifa, ++ STF_GETIN4_USE_CACHE)) == NULL) + continue; +- +- bcopy(GET_V4(&sin6->sin6_addr), &in, sizeof(in)); +- LIST_FOREACH(ia4, INADDR_HASH(in.s_addr), ia_hash) +- if (ia4->ia_addr.sin_addr.s_addr == in.s_addr) ++ LIST_FOREACH(ia4, INADDR_HASH(sin->sin_addr.s_addr), ia_hash) ++ if (ia4->ia_addr.sin_addr.s_addr == sin->sin_addr.s_addr) + break; + if (ia4 == NULL) + continue; + +- ifa_ref(ia); ++#if STF_DEBUG ++ { ++ char buf[INET6_ADDRSTRLEN + 1]; ++ memset(&buf, 0, sizeof(buf)); ++ ++ ip6_sprintf(buf, &((struct sockaddr_in6 *)ifa->ifa_addr)->sin6_addr); ++ DEBUG_PRINTF(1, "%s: ifa->ifa_addr->sin6_addr = %s\n", ++ __func__, buf); ++ ip_sprintf(buf, &ia4->ia_addr.sin_addr); ++ DEBUG_PRINTF(1, "%s: ia4->ia_addr.sin_addr = %s\n", ++ __func__, buf); ++ } ++#endif ++ ifa_ref(ifa); + if_addr_runlock(ifp); +- return (struct in6_ifaddr *)ia; ++ return (ifatoia6(ifa)); + } + if_addr_runlock(ifp); + ++ + return NULL; + } + + static int +-stf_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst, +- struct route *ro) ++stf_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst, struct route *ro) + { + struct stf_softc *sc; + const struct sockaddr_in6 *dst6; + struct route *cached_route; +- struct in_addr in4; +- const void *ptr; ++ struct sockaddr_in *sin; ++ struct sockaddr_in in4; + struct sockaddr_in *dst4; + u_int8_t tos; + struct ip *ip; +@@ -472,20 +615,28 @@ stf_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst, + /* + * Pickup the right outer dst addr from the list of candidates. + * ip6_dst has priority as it may be able to give us shorter IPv4 hops. ++ * ip6_dst: destination addr in the packet header. ++ * dst6: destination addr specified in function argument. + */ +- ptr = NULL; +- if (IN6_IS_ADDR_6TO4(&ip6->ip6_dst)) +- ptr = GET_V4(&ip6->ip6_dst); +- else if (IN6_IS_ADDR_6TO4(&dst6->sin6_addr)) +- ptr = GET_V4(&dst6->sin6_addr); +- else { ++ DEBUG_PRINTF(1, "%s: dst addr selection\n", __func__); ++ sin = stf_getin4addr_in6(&in4, &ia6->ia_ifa, &ip6->ip6_dst); ++ if (sin == NULL) ++ sin = stf_getin4addr_in6(&in4, &ia6->ia_ifa, &dst6->sin6_addr); ++ if (sin == NULL) { + ifa_free(&ia6->ia_ifa); + m_freem(m); + ifp->if_oerrors++; + return ENETUNREACH; + } +- bcopy(ptr, &in4, sizeof(in4)); ++#if STF_DEBUG ++ { ++ char buf[INET6_ADDRSTRLEN + 1]; ++ memset(&buf, 0, sizeof(buf)); + ++ ip_sprintf(buf, &sin->sin_addr); ++ DEBUG_PRINTF(1, "%s: ip_dst = %s\n", __func__, buf); ++ } ++#endif + if (bpf_peers_present(ifp->if_bpf)) { + /* + * We need to prepend the address family as +@@ -509,11 +660,26 @@ stf_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst, + ip = mtod(m, struct ip *); + + bzero(ip, sizeof(*ip)); ++ bcopy(&in4.sin_addr, &ip->ip_dst, sizeof(ip->ip_dst)); + +- bcopy(GET_V4(&((struct sockaddr_in6 *)&ia6->ia_addr)->sin6_addr), +- &ip->ip_src, sizeof(ip->ip_src)); ++ sin = stf_getin4addr_sin6(&in4, &ia6->ia_ifa, &ia6->ia_addr); ++ if (sin == NULL) { ++ ifa_free(&ia6->ia_ifa); ++ m_freem(m); ++ ifp->if_oerrors++; ++ return ENETUNREACH; ++ } ++ bcopy(&in4.sin_addr, &ip->ip_src, sizeof(ip->ip_src)); ++#if STF_DEBUG ++ { ++ char buf[INET6_ADDRSTRLEN + 1]; ++ memset(&buf, 0, sizeof(buf)); ++ ++ ip_sprintf(buf, &ip->ip_src); ++ DEBUG_PRINTF(1, "%s: ip_src = %s\n", __func__, buf); ++ } ++#endif + ifa_free(&ia6->ia_ifa); +- bcopy(&in4, &ip->ip_dst, sizeof(ip->ip_dst)); + ip->ip_p = IPPROTO_IPV6; + ip->ip_ttl = ip_stf_ttl; + ip->ip_len = htons(m->m_pkthdr.len); +@@ -522,7 +688,7 @@ stf_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst, + else + ip_ecn_ingress(ECN_NOCARE, &ip->ip_tos, &tos); + +- if (!stf_route_cache) { ++ if (!V_stf_route_cache) { + cached_route = NULL; + goto sendit; + } +@@ -530,7 +696,7 @@ stf_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst, + /* + * Do we have a cached route? + */ +- mtx_lock(&(sc)->sc_ro_mtx); ++ STF_LOCK(sc); + dst4 = (struct sockaddr_in *)&sc->sc_ro.ro_dst; + if (dst4->sin_family != AF_INET || + bcmp(&dst4->sin_addr, &ip->ip_dst, sizeof(ip->ip_dst)) != 0) { +@@ -548,8 +714,15 @@ stf_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst, + rtalloc_fib(&sc->sc_ro, sc->sc_fibnum); + if (sc->sc_ro.ro_rt == NULL) { + m_freem(m); +- mtx_unlock(&(sc)->sc_ro_mtx); + ifp->if_oerrors++; ++ STF_UNLOCK(sc); ++ return ENETUNREACH; ++ } ++ if (sc->sc_ro.ro_rt->rt_ifp == ifp) { ++ /* infinite loop detection */ ++ m_free(m); ++ ifp->if_oerrors++; ++ STF_UNLOCK(sc); + return ENETUNREACH; + } + } +@@ -558,35 +731,32 @@ stf_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst, + sendit: + M_SETFIB(m, sc->sc_fibnum); + ifp->if_opackets++; ++ DEBUG_PRINTF(1, "%s: ip_output dispatch.\n", __func__); + error = ip_output(m, NULL, cached_route, 0, NULL, NULL); + + if (cached_route != NULL) +- mtx_unlock(&(sc)->sc_ro_mtx); ++ STF_UNLOCK(sc); + return error; + } + + static int +-isrfc1918addr(in) +- struct in_addr *in; ++isrfc1918addr(struct in_addr *in) + { + /* + * returns 1 if private address range: + * 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 + */ + if (stf_permit_rfc1918 == 0 && ( +- (ntohl(in->s_addr) & 0xff000000) >> 24 == 10 || +- (ntohl(in->s_addr) & 0xfff00000) >> 16 == 172 * 256 + 16 || +- (ntohl(in->s_addr) & 0xffff0000) >> 16 == 192 * 256 + 168)) ++ (ntohl(in->s_addr) & 0xff000000) == 10 << 24 || ++ (ntohl(in->s_addr) & 0xfff00000) == (172 * 256 + 16) << 16 || ++ (ntohl(in->s_addr) & 0xffff0000) == (192 * 256 + 168) << 16 )) + return 1; + + return 0; + } + + static int +-stf_checkaddr4(sc, in, inifp) +- struct stf_softc *sc; +- struct in_addr *in; +- struct ifnet *inifp; /* incoming interface */ ++stf_checkaddr4(struct stf_softc *sc, struct in_addr *in, struct ifnet *inifp) + { + struct in_ifaddr *ia4; + +@@ -602,13 +772,6 @@ stf_checkaddr4(sc, in, inifp) + } + + /* +- * reject packets with private address range. +- * (requirement from RFC3056 section 2 1st paragraph) +- */ +- if (isrfc1918addr(in)) +- return -1; +- +- /* + * reject packets with broadcast + */ + IN_IFADDR_RLOCK(); +@@ -631,7 +794,7 @@ stf_checkaddr4(sc, in, inifp) + + bzero(&sin, sizeof(sin)); + sin.sin_family = AF_INET; +- sin.sin_len = sizeof(struct sockaddr_in); ++ sin.sin_len = sizeof(sin); + sin.sin_addr = *in; + rt = rtalloc1_fib((struct sockaddr *)&sin, 0, + 0UL, sc->sc_fibnum); +@@ -652,10 +815,7 @@ stf_checkaddr4(sc, in, inifp) + } + + static int +-stf_checkaddr6(sc, in6, inifp) +- struct stf_softc *sc; +- struct in6_addr *in6; +- struct ifnet *inifp; /* incoming interface */ ++stf_checkaddr6(struct stf_softc *sc, struct in6_addr *in6, struct ifnet *inifp) + { + /* + * check 6to4 addresses +@@ -679,9 +839,7 @@ stf_checkaddr6(sc, in6, inifp) + } + + void +-in_stf_input(m, off) +- struct mbuf *m; +- int off; ++in_stf_input(struct mbuf *m, int off) + { + int proto; + struct stf_softc *sc; +@@ -689,6 +847,7 @@ in_stf_input(m, off) + struct ip6_hdr *ip6; + u_int8_t otos, itos; + struct ifnet *ifp; ++ struct route_in6 rin6; *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***