Commit Graph

348 Commits

Author SHA1 Message Date
Ruslan Ermilov
60123168be Wrong checksum used for certain reassembled IP packets before diverting. 2000-11-01 11:21:45 +00:00
Poul-Henning Kamp
46aa3347cb Convert all users of fldoff() to offsetof(). fldoff() is bad
because it only takes a struct tag which makes it impossible to
use unions, typedefs etc.

Define __offsetof() in <machine/ansi.h>

Define offsetof() in terms of __offsetof() in <stddef.h> and <sys/types.h>

Remove myriad of local offsetof() definitions.

Remove includes of <stddef.h> in kernel code.

NB: Kernelcode should *never* include from /usr/include !

Make <sys/queue.h> include <machine/ansi.h> to avoid polluting the API.

Deprecate <struct.h> with a warning.  The warning turns into an error on
01-12-2000 and the file gets removed entirely on 01-01-2001.

Paritials reviews by:   various.
Significant brucifications by:  bde
2000-10-27 11:45:49 +00:00
Ruslan Ermilov
b6ea1aa58d RFC 791 says that IP_RF bit should always be zero, but nothing
in the code enforces this.  So, do not check for and attempt a
false reassembly if only IP_RF is set.

Also, removed the dead code, since we no longer use dtom() on
return from ip_reass().
2000-10-26 13:14:48 +00:00
Ruslan Ermilov
7e2df4520d Wrong header length used for certain reassembled IP packets.
This was first fixed in rev 1.82 but then broken in rev 1.125.

PR:		6177
2000-10-26 12:18:13 +00:00
Josef Karthauser
5da9f8fa97 Augment the 'ifaddr' structure with a 'struct if_data' to keep
statistics on a per network address basis.

Teach the IPv4 and IPv6 input/output routines to log packets/bytes
against the network address connected to the flow.

Teach netstat to display the per-address stats for IP protocols
when 'netstat -i' is evoked, instead of displaying the per-interface
stats.
2000-10-19 23:15:54 +00:00
Ruslan Ermilov
487bdb3855 Backout my wrong attempt to fix the compilation warning in ip_input.c
and instead reapply the revision 1.49 of mbuf.h, i.e.

Fixed regression of the type of the `header' member of struct pkthdr from
`void *' to caddr_t in rev.1.51.  This mainly caused an annoying warning
for compiling ip_input.c.

Requested by:	bde
2000-10-12 16:33:41 +00:00
Ruslan Ermilov
e6c89c1bd2 Fix the compilation warning. 2000-10-12 10:42:32 +00:00
Jonathan Lemon
a8db1d93f1 m_cat() can free its second argument, so collect the checksum information
from the fragment before calling m_cat().
2000-09-14 21:06:48 +00:00
Ruslan Ermilov
e30177e024 Follow BSD/OS and NetBSD, keep the ip_id field in network order all the time.
Requested by:	wollman
2000-09-14 14:42:04 +00:00
Ruslan Ermilov
04287599db Fixed broken ICMP error generation, unified conversion of IP header
fields between host and network byte order.  The details:

o icmp_error() now does not add IP header length.  This fixes the problem
  when icmp_error() is called from ip_forward().  In this case the ip_len
  of the original IP datagram returned with ICMP error was wrong.

o icmp_error() expects all three fields, ip_len, ip_id and ip_off in host
  byte order, so DTRT and convert these fields back to network byte order
  before sending a message.  This fixes the problem described in PR 16240
  and PR 20877 (ip_id field was returned in host byte order).

o ip_ttl decrement operation in ip_forward() was moved down to make sure
  that it does not corrupt the copy of original IP datagram passed later
  to icmp_error().

o A copy of original IP datagram in ip_forward() was made a read-write,
  independent copy.  This fixes the problem I first reported to Garrett
  Wollman and Bill Fenner and later put in audit trail of PR 16240:
  ip_output() (not always) converts fields of original datagram to network
  byte order, but because copy (mcopy) and its original (m) most likely
  share the same mbuf cluster, ip_output()'s manipulations on original
  also corrupted the copy.

o ip_output() now expects all three fields, ip_len, ip_off and (what is
  significant) ip_id in host byte order.  It was a headache for years that
  ip_id was handled differently.  The only compatibility issue here is the
  raw IP socket interface with IP_HDRINCL socket option set and a non-zero
  ip_id field, but ip.4 manual page was unclear on whether in this case
  ip_id field should be in host or network byte order.
2000-09-01 12:33:03 +00:00
Andrey A. Chernov
c85540dd55 Nonexistent <sys/pfil.h> -> <net/pfil.h>
Kernel 'make depend' fails otherwise
2000-07-31 23:41:47 +00:00
Darren Reed
c4ac87ea1c activate pfil_hooks and covert ipfilter to use it 2000-07-31 13:11:42 +00:00
Jun-ichiro itojun Hagino
686cdd19b1 sync with kame tree as of july00. tons of bug fixes/improvements.
API changes:
- additional IPv6 ioctls
- IPsec PF_KEY API was changed, it is mandatory to upgrade setkey(8).
  (also syntax change)
2000-07-04 16:35:15 +00:00
Jonathan Lemon
707d00a304 Add boundary checks against IP options.
Obtained from:	OpenBSD
2000-06-02 20:18:38 +00:00
Jonathan Lemon
5d5d5fc0bf Cast sizeof() calls to be of type (int) when they appear in a signed
integer expression.  Otherwise the sizeof() call will force the expression
to be evaluated as unsigned, which is not the intended behavior.

Obtained from:  NetBSD   (in a different form)
2000-05-17 04:05:07 +00:00
Ruslan Ermilov
3a06e3e02c Do not call icmp_error() if ipfirewall(4) denied packet.
PR:		kern/10747, kern/18382
2000-05-15 18:41:01 +00:00
Jun-ichiro itojun Hagino
fdcb8debf6 correct more out-of-bounds memory access, if cnt == 1 and optlen > 1.
similar to recent fix to sys/netinet/ipf.c (by darren).
2000-05-10 01:25:33 +00:00
Jonathan Lemon
db4f9cc703 Add support for offloading IP/TCP/UDP checksums to NIC hardware which
supports them.
2000-03-27 19:14:27 +00:00
Guido van Rooij
6d37c73e26 Remove option IPFILTER_KLD. In case you wanted to kldload ipfilter,
the module would only work in kernels built with this option.

Approved by:	jkh
2000-02-23 20:11:57 +00:00
Peter Wemm
242c5536ea Clean up some loose ends in the network code, including the X.25 and ISO
#ifdefs.  Clean out unused netisr's and leftover netisr linker set gunk.
Tested on x86 and alpha, including world.

Approved by:	jkh
2000-02-13 03:32:07 +00:00
Luigi Rizzo
9fcc079584 Move definition of fw_enable from ip_fw.c to ip_input.c
so we can compile kernels without IPFIREWALL .

Reported-by: Robert Watson
Approved-by: jordan
2000-02-10 17:56:01 +00:00
Luigi Rizzo
6bc748b057 Support the net.inet.ip.fw.enable variable, part of
the recent ipfw modifications.

Approved-by: jordan
2000-02-10 14:19:53 +00:00
Brian Somers
367d34f853 Move the *intrq variables into net/intrq.c and unconditionally
include this in all kernels.  Declare some const *intrq_present
variables that can be checked by a module prior to using *intrq
to queue data.

Make the if_tun module capable of processing atm, ip, ip6, ipx,
natm and netatalk packets when TUNSIFHEAD is ioctl()d on.

Review not required by: freebsd-hackers
2000-01-24 20:39:02 +00:00
Yoshinobu Inoue
6a800098cc IPSEC support in the kernel.
pr_input() routines prototype is also changed to support IPSEC and IPV6
chained protocol headers.

Reviewed by: freebsd-arch, cvs-committers
Obtained from: KAME project
1999-12-22 19:13:38 +00:00
Guido van Rooij
05ec607970 Revive mlfk_ipl here. This version is slightly changed from
the old one: an unnecessary define (KLD_MODULE) has been deleted and
the initialisation of the module is  done after domaininit was called
to be sure inet is running.

Some slight changed were made to ip_auth.c and ip_state.c in order
to assure including of sys/systm.h in case we make a kld

Make sure ip_fil does nmot include osreldate in kernel mode

Remove mlfk_ipl.c from here: no sources allowed in these directories!
1999-12-06 20:36:50 +00:00
Archie Cobbs
8948e4ba8e Miscellaneous fixes/cleanups relating to ipfw and divert(4):
- Implement 'ipfw tee' (finally)
- Divert packets by calling new function divert_packet() directly instead
  of going through protosw[].
- Replace kludgey global variable 'ip_divert_port' with a function parameter
  to divert_packet()
- Replace kludgey global variable 'frag_divert_port' with a function parameter
  to ip_reass()
- style(9) fixes

Reviewed by:	julian, green
1999-12-06 00:43:07 +00:00
Dag-Erling Smørgrav
27108a1511 Include the correct header for the IPSTEALTH option. 1999-08-29 12:18:39 +00:00
Peter Wemm
c3aac50f28 $Id$ -> $FreeBSD$ 1999-08-28 01:08:13 +00:00
David Greenman
afed137543 Made net.inet.ip.intr_queue_maxlen writeable. 1999-05-27 12:20:33 +00:00
Luigi Rizzo
eaa726bed6 Free the dummynet descriptor in ip_dummynet, not in the called
routines. The descriptor contains parameters which could be used
within those routines (eg. ip_output() ).

On passing, add IPPROTO_PGM entry to netinet/in.h
1999-05-04 16:20:33 +00:00
Bill Fumerola
3d177f465a Add sysctl descriptions to many SYSCTL_XXXs
PR:		kern/11197
Submitted by:	Adrian Chadd <adrian@FreeBSD.org>
Reviewed by:	billf(spelling/style/minor nits)
Looked at by:	bde(style)
1999-05-03 23:57:32 +00:00
Peter Wemm
66e55756b5 Tidy up some stray / unused stuff in the IPFW package and friends.
- unifdef -DCOMPAT_IPFW  (this was on by default already)
- remove traces of in-kernel ip_nat package, it was never committed.
- Make IPFW and DUMMYNET initialize themselves rather than depend on
  compiled-in hooks in ip_init().  This means they initialize the same
  way both in-kernel and as kld modules.  (IPFW initializes now :-)
1999-04-20 13:32:06 +00:00
Julian Elischer
ed1ff184f3 Fix the 'fwd' option to ipfw when asked to divert to another machine.
also rely less on other modules clearing static values, and clear them
in a few cases we missed before.
Submitted by: Matthew Reimer <mreimer@vpop.net>
1999-03-12 01:15:57 +00:00
Dag-Erling Smørgrav
1b968362aa Add support for stealth forwarding (forwarding packets without touching
their ttl). This can be used - in combination with the proper ipfw
incantations - to make a firewall or router invisible to traceroute
and other exploration tools.

This behaviour is controlled by a sysctl variable (net.inet.ip.stealth)
and hidden behind a kernel option (IPSTEALTH).

Reviewed by:	eivind, bde
1999-02-22 18:19:57 +00:00
Garrett Wollman
cc766e041e After wading in the cesspool of ip_input for an hour, I have managed to
convince myself that nothing will break if we permit IP input while
interface addresses are unconfigured.  (At worst, they will hit some
ULP's PCB scan and fail if nobody is listening.)  So, remove the restriction
that addresses must be configured before packets can be input.  Assume
that any unicast packet we receive while unconfigured is potentially ours.
1999-02-09 16:55:46 +00:00
Matthew Dillon
831a80b0d5 Fix warnings in preparation for adding -Wall -Wcast-qual to the
kernel compile
1999-01-27 22:42:27 +00:00
Garrett Wollman
92af003dd8 Don't forward unicast packets received via link-layer multicast.
Suggested by: fenner
Original complaint: Shiva Shenoy <Shiva.Shenoy@yagosys.com>
1999-01-22 16:50:45 +00:00
Eivind Eklund
dee383e043 Add #ifdef's to avoid unused label warning in some cases. 1999-01-12 12:25:00 +00:00
Luigi Rizzo
af38c68c1e Recover from previous dummynet screwup 1998-12-21 22:40:54 +00:00
Luigi Rizzo
b715f178c6 Last bits (i think) of dummynet for -current. 1998-12-14 18:09:13 +00:00
Archie Cobbs
f1d19042b0 The "easy" fixes for compiling the kernel -Wunused: remove unreferenced static
and local variables, goto labels, and functions declared but not defined.
1998-12-07 21:58:50 +00:00
Doug Rabson
7a94149e37 Make the previous fix more portable.
Requested by: bde
1998-11-16 08:27:36 +00:00
Doug Rabson
48a39a495a Fix printf format errors on alpha. 1998-11-15 18:10:14 +00:00
David Greenman
9ec944bdb0 Be sure to pullup entire IP header when dealing with fragment packets. 1998-11-11 21:17:59 +00:00
Doug Rabson
e3f0338ead Some optimisations to the fragment reassembly code.
Submitted by: Don Lewis <Don.Lewis@tsc.tdk.com>
1998-10-27 09:19:03 +00:00
Doug Rabson
afb3fdba7c Fix a bug in the new fragment reassembly code which was tickled by recieving
a fragment which wholly overlapped one or more existing fragments.

Submitted by: Don Lewis <Don.Lewis@tsc.tdk.com>
1998-10-27 09:11:41 +00:00
Peter Wemm
aa855a598d *gulp*. Jordan specifically OK'ed this..
This is the bulk of the support for doing kld modules.  Two linker_sets
were replaced by SYSINIT()'s.  VFS's and exec handlers are self registered.
kld is now a superset of lkm.  I have converted most of them, they will
follow as a seperate commit as samples.
This all still works as a static a.out kernel using LKM's.
1998-10-16 03:55:01 +00:00
Doug Rabson
945aa40deb Ensure that m_nextpkt is set to NULL after reassembling fragments. 1998-09-10 08:56:40 +00:00
Doug Rabson
6effc71332 Re-implement tcp and ip fragment reassembly to not store pointers in the
ip header which can't work on alpha since pointers are too big.

Reviewed by: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
1998-08-24 07:47:39 +00:00
Garrett Wollman
cfe8b629f1 Yow! Completely change the way socket options are handled, eliminating
another specialized mbuf type in the process.  Also clean up some
of the cruft surrounding IPFW, multicast routing, RSVP, and other
ill-explored corners.
1998-08-23 03:07:17 +00:00
Bruce Evans
162886e237 Fixed printf format errors. 1998-08-17 01:05:25 +00:00
Bruce Evans
0c8d2590e3 Fixed some longs that should have been fixed-sized types. 1998-07-13 12:12:25 +00:00
David Greenman
0af8d3ec72 When not acting as a router (ipforwarding=0), silently discard source
routed packets that aren't destined for us, as required by RFC-1122.
PR: 7191
1998-07-08 08:49:51 +00:00
Julian Elischer
3a1ae084e2 oops ended comment before the comment ended.. 1998-07-06 09:10:56 +00:00
Julian Elischer
efe39c6a1a Bring back some slight cleanups from 2.2 1998-07-06 09:06:58 +00:00
Julian Elischer
d4295c3248 Fix braino in switching to TAILQ macro. 1998-07-06 05:00:53 +00:00
Julian Elischer
f9e354df42 Support for IPFW based transparent forwarding.
Any packet that can be matched by a ipfw rule can be redirected
transparently to another port or machine. Redirection to another port
mostly makes sense with tcp, where a session can be set up
between a proxy and an unsuspecting client. Redirection to another machine
requires that the other machine also be expecting to receive the forwarded
packets, as their headers will not have been modified.

/sbin/ipfw must be recompiled!!!

Reviewed by:	Peter Wemm <peter@freebsd.org>
Submitted by: Chrisy Luke <chrisy@flix.net>
1998-07-06 03:20:19 +00:00
Julian Elischer
b3adeeb209 Remove the option to keep IPFW diversion backwards compatible
WRT diversion reinjection. No-one has been bitten by the new behaviour
that I know of.
1998-07-02 05:49:12 +00:00
Julian Elischer
ed7509ace4 Go through the loopback code with a broom..
Remove lots'o'hacks.
looutput is now static.

Other callers who want to use loopback to allow shortcutting
should call the special entrypoint for this, if_simloop(), which is
specifically designed for this purpose. Using looutput for this purpose
was problematic, particularly with bpf and trying to keep track
of whether one should be using the charateristics of the loopback interface
or the interface (e.g. if_ethersubr.c) that was requesting the loopback.
There was a whole class of errors due to this mis-use each of which had
hacks to cover them up.

Consists largly of hack removal :-)
1998-06-12 03:48:19 +00:00
Julian Elischer
b876049334 Make sure the default value of a dummy variable is 0
so that it doesn't do anything.
1998-06-06 21:49:17 +00:00
Julian Elischer
3ed81d03b3 Fix wrong data type for a pointer. 1998-06-06 20:45:28 +00:00
Julian Elischer
c977d4c735 clean up the changes made to ipfw over the last weeks
(should make the ipfw lkm work again)
1998-06-06 19:39:10 +00:00
Julian Elischer
e256a933a8 Reverse the default sense of the IPFW/DIVERT reinjection code
so that the new behaviour is now default.
Solves the "infinite loop in diversion" problem when more than one diversion
is active.
Man page changes follow.

The new code is in -stable as the NON default option.
1998-06-05 22:40:01 +00:00
Julian Elischer
bb60f459a0 Add optional code to change the way that divert and ipfw work together.
Prior to this change, Accidental recursion protection was done by
the diverted daemon feeding back the divert port number it got
the packet on, as the port number on a sendto(). IPFW knew not to
redivert a packet to this port (again). Processing of the ruleset
started at the beginning again, skipping that divert port.

The new semantic (which is how we should have done it the first time)
is that the port number in the sendto() is the rule number AFTER which
processing should restart, and on a recvfrom(), the port number is the
rule number which caused the diversion. This is much more flexible,
and also more intuitive. If the user uses the same sockaddr received
when resending, processing resumes at the rule number following that
that caused the diversion. The user can however select to resume rule
processing at any rule. (0 is restart at the beginning)

To enable the new code use

option	IPFW_DIVERT_RESTART

This should become the default as soon as people have looked at it a bit
1998-05-25 10:37:48 +00:00
David Greenman
b8e8c209c5 The ipt_ptr field is 1-based (see TCP/IP Illustrated, Vol. 1, pp. 91-95),
so it must be adjusted (minus 1) before using it to do the length check.
I'm not sure who to give the credit to, but the bug was reported by
Jennifer Dawn Myers <jdm@enteract.com>, who also supplied a patch. It
was also fixed in OpenBSD previously by andreas.gunnarsson@emw.ericsson.se,
and of course I did the homework to verify that the fix was correct per
the specification.
PR:	6738
1998-05-24 14:59:57 +00:00
David Greenman
1f91d8c563 Added fast IP forwarding code by Matt Thomas <matt@3am-software.com> via
NetBSD, ported to FreeBSD by Pierre Beyssac <pb@fasterix.freenix.org> and
minorly tweaked by me.
This is a standard part of FreeBSD, but must be enabled with:
"sysctl -w net.inet.ip.fastforwarding=1" ...and of course forwarding must
also be enabled. This should probably be modified to use the zone
allocator for speed and space efficiency. The current algorithm also
appears to lose if the number of active paths exceeds IPFLOW_MAX (256),
in which case it wastes lots of time trying to figure out which cache
entry to drop.
1998-05-19 14:04:36 +00:00
Poul-Henning Kamp
81aee63d19 Wrong header length used for certain reassembled IP packets.
PR:		6177
Reviewed by:	phk, wollman
Submitted by:	Eric Sprinkle <eric@ennovatenetworks.com>
1998-04-13 17:27:08 +00:00
Poul-Henning Kamp
227ee8a188 Eradicate the variable "time" from the kernel, using various measures.
"time" wasn't a atomic variable, so splfoo() protection were needed
around any access to it, unless you just wanted the seconds part.

Most uses of time.tv_sec now uses the new variable time_second instead.

gettime() changed to getmicrotime(0.

Remove a couple of unneeded splfoo() protections, the new getmicrotime()
is atomic, (until Bruce sets a breakpoint in it).

A couple of places needed random data, so use read_random() instead
of mucking about with time which isn't random.

Add a new nfs_curusec() function.

Mark a couple of bogosities involving the now disappeard time variable.

Update ffs_update() to avoid the weird "== &time" checks, by fixing the
one remaining call that passwd &time as args.

Change profiling in ncr.c to use ticks instead of time.  Resolution is
the same.

Add new function "tvtohz()" to avoid the bogus "splfoo(), add time, call
hzto() which subtracts time" sequences.

Reviewed by:	bde
1998-03-30 09:56:58 +00:00
Peter Wemm
1ee25934a9 Make this compile.. There are some unpleasing hacks in here.
A major unifdef session is sorely tempting but would destroy any remaining
chance of tracking the original sources.
1998-03-21 11:34:28 +00:00
Dima Ruban
c383a33f06 NetBSD PR# 2772
Reviewed by:	David Greenman
1998-02-26 08:31:53 +00:00
Guido van Rooij
4fce58048d Add new sysctl variable: net.inet.ip.accept_sourceroute
It controls if the system is to accept source routed packets.
It used to be such that, no matter if the setting of net.inet.ip.sourceroute,
source routed packets destined at us would be accepted. Now it is
controllable with eth default set to NOT accept those.
1998-02-16 19:23:58 +00:00
Andrey A. Chernov
47174b49b2 Replace non-existent ip_forwarding with ipforwarding
(compilation error)
1998-02-12 03:37:45 +00:00
Guido van Rooij
a293037f7c Only forward source routed packets when ip_forwarding is set to 1.
This means that a FreeBSD will only forward source routed packets
when both net.inet.ip.forwarding and net.inet.ip.sourceroute are set
to 1.

You can hit me now ;-)
Submitted by:	Thomas Ptacek
1998-02-11 18:43:42 +00:00
Eivind Eklund
0b08f5f737 Back out DIAGNOSTIC changes. 1998-02-06 12:14:30 +00:00
Eivind Eklund
47cfdb166d Turn DIAGNOSTIC into a new-style option. 1998-02-04 22:34:03 +00:00
Eivind Eklund
e4f4247a08 Make the BOOTP family new-style options (in opt_bootp.h) 1998-01-09 03:21:07 +00:00
Julian Elischer
79755dc52b Submitted by: Archie cobbs (IPDIVERT author)
close small security hole where an atacker could sendpackets with
IPDIVERT protocol, and select how it would be diverted thus bypassing
the ipfirewall.  Discovered by inspection rather than attack.
(you'd have to know how the firewall was configured (EXACTLY) to
make use of this but..)
1997-11-13 22:57:57 +00:00
Joerg Wunsch
fbd1372a0b Make IPDIVERT a supported option. Alas, in_var.h depends on it, i
hope i've found out all files that actually depend on this dependancy.
IMHO, it's not very good practice to change the size of internal
structs depending on kernel options.
1997-11-05 20:17:23 +00:00
Julian Elischer
d314ad7b73 Return the entire if info, rather than just the index number. (at least try)
Interface index numbers are an abomination that should go away
(at least in that form)
1997-11-05 02:51:32 +00:00
Guido van Rooij
bc189bf8f7 Fix bugs from my previous commit
Submitted by:	Bruce Evans
1997-10-28 18:55:21 +00:00
Bruce Evans
55b211e3af Removed unused #includes. 1997-10-28 15:59:26 +00:00
Guido van Rooij
efa4858705 When dosourcerouting is set do not sourceoute.... 1997-10-27 21:07:26 +00:00
Garrett Wollman
6fce01c990 Export ipstat via sysctl. Don't understand why this wasn't done before. 1997-09-25 00:34:35 +00:00
Andrey A. Chernov
194a213eff Prevent overflow with fragmented packets
Reviewed by: wollman
1997-09-15 23:07:01 +00:00
Brian Somers
af782f1c59 Recalculate ip_sum before passing a
re-assembled packet to a divert port.
Pointed-out by:	Ari Suutari <ari@suutari.iki.fi>
VS:   then name the system in this line, otherwise delete it.
1997-07-25 03:58:21 +00:00
Julian Elischer
e4676ba603 Submitted by: Whistle Communications (archie Cobbs)
these are quite extensive additions to the ipfw code.
they include a change to the API because the old method was
broken, but the user view is kept the same.

The new code allows a particular match to skip forward to a particular
line number, so that blocks of rules can be
used without checking all the intervening rules.
There are also many more ways of rejecting
connections especially TCP related, and
many many more ...

see the man page for a complete description.
1997-06-02 05:02:37 +00:00
Tor Egge
432aad0e98 Bring in some kernel bootp support. This removes the need for netboot
to fill in the nfs_diskless structure, at the cost of some kernel
bloat. The advantage is that this code works on a wider range of
network adapters than netboot. Several new kernel options are
documented in LINT.
Obtained from: parts of the code comes from NetBSD.
1997-05-11 18:05:39 +00:00
Darren Reed
beec821495 Resolve conflicts created by import. 1997-04-03 10:47:12 +00:00
Peter Wemm
6875d25465 Back out part 1 of the MCFH that changed $Id$ to $FreeBSD$. We are not
ready for it yet.
1997-02-22 09:48:43 +00:00
Darren Reed
f1743588c7 change IP Filter hooks to match new 3.1.8 patches for FreeBSD 1997-02-19 14:02:27 +00:00
Darren Reed
afed1b4988 Add IP Filter hooks (from patches). 1997-02-10 11:45:37 +00:00
Brian Somers
47c861ecc7 Don't zero ip->ip_sum during sum validation. This should only
affect programs that sit on top of divert(4) sockets.  The
multicast routing code already unconditionally zeros the sum
before recalculating.

Any code that unconditionaly sums a packet without first zeroing
the sum (assuming that it's already zero'd) will break.  No such
code seems to exist.
1997-02-06 11:14:22 +00:00
Brian Somers
d81e40431a Reset ip_divert_ignore to zero immediately after use - also,
set it in the first place, independent of whether sin->sin_port
is set.

The result is that diverted packets that are being forwarded
will be diverted once and only once on the way in (ip_input())
and again, once and only once on the way out (ip_output()) -
twice in total.  ICMP packets that don't contain a port will
now also be diverted.
1997-02-02 16:33:12 +00:00
Garrett Wollman
82c39223b9 Count multicast packets received for groups of which we are not
a member separately from generic ``can't forward'' packets.  This
would have helped me find the previous bug much faster.
1997-01-21 21:08:09 +00:00
Jordan K. Hubbard
1130b656e5 Make the long-awaited change from $Id$ to $FreeBSD$
This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore.  This update would have been
insane otherwise.
1997-01-14 07:20:47 +00:00
Garrett Wollman
59562606b9 Convert the interface address and IP interface address structures
to TAILQs.  Fix places which referenced these for no good reason
that I can see (the references remain, but were fixed to compile
again; they are still questionable).
1996-12-13 21:29:07 +00:00
David Greenman
c7a6ccb33e Only pay attention to the offset and the IP_MF flag in ip_off. Pointed
out by Nathaniel D. Daw (daw@panix.com), but fixed differently by me.
1996-12-11 03:26:36 +00:00
Bill Fenner
82c23eba89 Add the IP_RECVIF socket option, which supplies a packet's incoming interface
using a sockaddr_dl.

Fix the other packet-information socket options (SO_TIMESTAMP, IP_RECVDSTADDR)
to work for multicast UDP and raw sockets as well.  (They previously only
worked for unicast UDP).
1996-11-11 04:56:32 +00:00
Bill Fenner
430d30d837 Don't allow reassembly to create packets bigger than IP_MAXPACKET, and count
attempts to do so.
Don't allow users to source packets bigger than IP_MAXPACKET.
Make UDP length and ipovly's protocol length unsigned short.

Reviewed by:	wollman
Submitted by:	(partly by) kml@nas.nasa.gov (Kevin Lahey)
1996-10-25 17:57:53 +00:00
Søren Schmidt
6713d4a747 Changed args to the nat functions. 1996-10-22 22:26:02 +00:00
Garrett Wollman
5893891624 All three files: make COMPAT_IPFW==0 case work again.
ip_input.c:
	- delete some dusty code
	- _IP_VHL
	- use fast inline header checksum when possible
1996-10-07 19:21:46 +00:00
David Greenman
e7c819442a Dequeue mbuf before freeing it. Fixes mbuf leak and a potential crash when
handling IP fragments.

Submitted by:	Darren Reed <avalon@coombs.anu.edu.au>
1996-09-08 13:45:49 +00:00
Søren Schmidt
fed1c7e9e4 Add hooks for an IP NAT module, much like the firewall stuff...
Move the sockopt definitions for the firewall code from
ip_fw.h to in.h where it belongs.
1996-08-21 21:37:07 +00:00
Julian Elischer
93e0e11657 Adding changes to ipfw and the kernel to support ip packet diversion..
This stuff should not be too destructive if the IPDIVERT is not compiled in..
 be aware that this changes the size of the ip_fw struct
so ipfw needs to be recompiled to use it.. more changes coming to clean this up.
1996-07-10 19:44:30 +00:00
Gary Palmer
74a9466cc2 Convert ipfw to use opt_ipfw.h 1996-06-12 19:34:33 +00:00
Bruce Evans
0453d3cbb3 Changed some memcpy()'s back to bcopy()'s.
gcc only inlines memcpy()'s whose count is constant and didn't inline
these.  I want memcpy() in the kernel go away so that it's obvious that
it doesn't need to be optimized.  Now it is only used for one struct
copy in si.c.
1996-06-08 08:19:03 +00:00
Gary Palmer
6ddbf1e299 Clean up various compiler warnings. Most (if not all) were benign
Reviewed by:	bde
1996-05-08 04:29:08 +00:00
Poul-Henning Kamp
539e53bad3 Fix a bogon I introduced with my last change.
Submitted by:	Andreas Klemm <andreas@knobel.gun.de>
1996-04-12 09:24:22 +00:00
Poul-Henning Kamp
23bf99538c Add feature for tcp "established".
Change interface between netinet and ip_fw to be more general, and thus
hopefully also support other ip filtering implementations.
1996-04-03 13:52:20 +00:00
Poul-Henning Kamp
6ed666afb9 Check the validity of ia->ia_ifp before we dereference it. 1996-03-25 17:41:23 +00:00
Poul-Henning Kamp
09bb5f7589 Make getsockopt() capable of handling more than one mbuf worth of data.
Use this to read rules out of ipfw.
Add the lkm code to ipfw.c
1996-02-24 13:38:28 +00:00
Poul-Henning Kamp
b83e431483 The new firewall functionality:
Filter on the direction (in/out).
	Filter on fragment/not fragment.
1996-02-24 00:17:35 +00:00
Poul-Henning Kamp
e7319bab6b Big sweep over the IPFIREWALL and IPACCT code.
Close the ip-fragment hole.
Waste less memory.
Rewrite to contemporary more readable style.
Kill separate IPACCT facility, use "accept" rules in IPFIREWALL.
Filter incoming >and< outgoing packets.
Replace "policy" by sticky "deny all" rule.
Rules have numbers used for ordering and deletion.
Remove "rerorder" code entirely.
Count packet & bytecount matches for rules.

Code in -current & -stable is now the same.
1996-02-23 15:47:58 +00:00
Garrett Wollman
c67b1d17da Provide a direct entry point for IP input. This actually results
in a slight decrease in performance, but will lead to better
performance later.
1996-02-05 20:36:02 +00:00
Garrett Wollman
d4fb926c62 Finally demolished the last, tottering remnants of GATEWAY. If you want
to enable IP forwarding, use sysctl(8).  Also did the same for IPX,
which involved inventing a completely new MIB from whole cloth (which
I may not quite have correct); be aware of this if you use IPX forwarding.
(The two should never have been controlled by the same option anyway.)
1996-01-05 20:47:05 +00:00
Garrett Wollman
3dbdcb2c95 Delete old-style-broadcast-address compatibility cruft in IP input path.
If users want to use the old-style broadcast addresses, they will have to
currectly configure their systems.
1995-12-21 21:12:22 +00:00
Garrett Wollman
b97d15cbb7 Demolish DIRECTED_BROADCAST. It was always a bad idea, and nobody uses it. 1995-12-20 18:04:19 +00:00
Garrett Wollman
ce29ab3ac6 Actually call in_rtqdrain()as was originally intended. 1995-12-19 20:46:15 +00:00
Poul-Henning Kamp
f708ef1b9e Another mega commit to staticize things. 1995-12-14 09:55:16 +00:00
Bruce Evans
2baeef32b6 Removed unnecessary #includes of vm stuff. Most of them were once
prerequisites for <sys/sysctl.h>.

subr_prof.c:
Also replaced #include of <sys/user.h> by #include of <sys/resourcevar.h>.
1995-12-06 23:37:44 +00:00
Poul-Henning Kamp
0312fbe97d New style sysctl & staticize alot of stuff. 1995-11-14 20:34:56 +00:00
Garrett Wollman
054ef37088 Instrument the IP input queue with two new read-only MIB entries:
net.inet.ip.intr-queue-maxlen (=== ipintrq.ifq_maxlen)
and	net.inet.ip.intr-queue-drops (=== ipintrq.ifq_drops)

There should probably be a standard way of getting the same information
going the other way.
1995-11-01 17:18:27 +00:00
Peter Wemm
42c03a52ba Change the compile-time option of DIRECTED_BROADCAST into a sysctl
variable underneath ip, "directed-broadcast".
Reviewed by:	David Greenman
Obtained from:	NetBSD, by Darren Reed.
1995-07-18 09:56:44 +00:00
David Greenman
c6e8c3576e Fixed panic that occurs on certain firewall rejected packets that was
caused by dtom() being used on an mbuf cluster. The fix involves passing
around the mbuf pointer.

Submitted by:	Bill Fenner
1995-07-09 14:29:46 +00:00
Guido van Rooij
a0aa52a646 reject option in ip_fw used to panic the system. This fixes it.
-Guido
Reviewed by:
Submitted by:
Obtained from:
1995-06-27 17:26:27 +00:00
Garrett Wollman
1c5de19afb Kernel side of 3.5 multicast routing code, based on work by Bill Fenner
and other work done here.  The LKM support is probably broken, but it
still compiles and will be fixed later.
1995-06-13 17:51:16 +00:00
Rodney W. Grimes
9b2e535452 Remove trailing whitespace. 1995-05-30 08:16:23 +00:00
Garrett Wollman
748e0b0acc Make networking domains drop-ins, through the magic of GNU ld. (Some day,
there may even be LKMs.)  Also, change the internal name of `unixdomain'
to `localdomain' since AF_LOCAL is now the preferred name of this family.
Declare netisr correctly and in the right place.
1995-05-11 00:13:26 +00:00
David Greenman
94a5d9b6a1 Replaced some bcopy()'s with memcpy()'s so that gcc while inline/optimize. 1995-05-09 13:35:48 +00:00
Garrett Wollman
1025071f85 Reject source routes unless configured on by administrator. 1995-03-16 18:22:28 +00:00
Bruce Evans
b5e8ce9f12 Add and move declarations to fix all of the warnings from `gcc -Wimplicit'
(except in netccitt, netiso and netns) and most of the warnings from
`gcc -Wnested-externs'.  Fix all the bugs found.  There were no serious
ones.
1995-03-16 18:17:34 +00:00
Garrett Wollman
ea80aed1a9 Attempt to make the host route cache a bit smarter under conditions of
high load:

	1) If there ever get to be more than net.inet.ip.rtmaxcache entries
	   in the cache, in_rtqtimo() will reduce net.inet.ip.rtexpire by
	   1/3 and do another round, unles net.inet.ip.rtexpire is less than
	   net.inet.ip.rtminexpire, and never more than once in ten minutes
	   (rtq_timeout).

	2) If net.inet.ip.rtexpire is set to zero, don't bother to cache
	   anything.
1995-02-14 23:04:52 +00:00
Gary Palmer
6db216a6d7 Remove a possible loophole - previously the code wouldn't pass packets destined
to the loopback address to the packet filter.

Reviewed by:	"Ugen J.S.Antsilevich" <ugen@netvision.net.il>
1995-02-07 20:30:42 +00:00
Ugen J.S. Antsilevich
4dd1662b4c Actual firewall change.
1) Firewall is not subdivided on forwarding / blocking chains
   anymore.Actually only one chain left-it was the blocking one.
2) LKM support.ip_fwdef.c is function pointers definition and
goes into kernel along with all INET stuff.
1995-01-12 13:06:32 +00:00
Garrett Wollman
5be2baf843 Make rtq_reallyold user-configurable via sysctl. 1994-12-14 19:06:37 +00:00
Garrett Wollman
2c17fe9339 Call rtalloc_ign() so that protocol cloning will not occur at the IP layer. 1994-12-13 23:08:12 +00:00
Ugen J.S. Antsilevich
10a642bb05 Add match by interface from which packet arrived (via)
Handle right fragmented packets. Remove checking option
from kernel..
1994-12-12 17:20:55 +00:00
Jordan K. Hubbard
63f8d699ac Ugen J.S.Antsilevich's latest, happiest, IP firewall code.
Poul:  Please take this into BETA.  It's non-intrusive, and a rather
substantial improvement over what was there before.
1994-11-16 10:17:11 +00:00
Jordan K. Hubbard
72e8fea57e Almost 12th hour (the 11th hour was almost an hour ago :-) patches
from Ugen.
1994-11-08 12:47:29 +00:00
Jordan K. Hubbard
100ba1a617 IP Firewall code from Daniel Boulet and J.S.Antsilevich
Submitted by:	danny ugen
1994-10-28 15:09:49 +00:00
Poul-Henning Kamp
61ce519bad Cosmetics. Silence gcc -Wall. 1994-10-10 07:56:07 +00:00
Poul-Henning Kamp
623ae52e4e GCC cleanup.
Reviewed by:
Submitted by:
Obtained from:
1994-10-02 17:48:58 +00:00
Garrett Wollman
5e9ae478ac Shuffle some functions and variables around to make it possible for
multicast routing to be implemented as an LKM.  (There's still a bit of
work to do in this area.)
1994-09-14 03:10:15 +00:00
Garrett Wollman
f0068c4a70 Initial get-the-easy-case-working upgrade of the multicast code
to something more recent than the ancient 1.2 release contained in
4.4.  This code has the following advantages as compared to
previous versions (culled from the README file for the SunOS release):

- True multicast delivery
- Configurable rate-limiting of forwarded multicast traffic on each
  physical interface or tunnel, using a token-bucket limiter.
- Simplistic classification of packets for prioritized dropping.
- Administrative scoping of multicast address ranges.
- Faster detection of hosts leaving groups.
- Support for multicast traceroute (code not yet available).
- Support for RSVP, the Resource Reservation Protocol.

What still needs to be done:

- The multicast forwarder needs testing.
- The multicast routing daemon needs to be ported.
- Network interface drivers need to have the `#ifdef MULTICAST' goop ripped
  out of them.
- The IGMP code should probably be bogon-tested.

Some notes about the porting process:

In some cases, the Berkeley people decided to incorporate functionality from
later releases of the multicast code, but then had to do things differently.
As a result, if you look at Deering's patches, and then look at
our code, it is not always obvious whether the patch even applies.  Let
the reader beware.

I ran ip_mroute.c through several passes of `unifdef' to get rid of
useless grot, and to permanently enable the RSVP support, which we will
include as standard.

Ported by: 	Garrett Wollman
Submitted by:	Steve Deering and Ajit Thyagarajan (among others)
1994-09-06 22:42:31 +00:00
Garrett Wollman
f23b4c91c4 Fix up some sloppy coding practices:
- Delete redundant declarations.
- Add -Wredundant-declarations to Makefile.i386 so they don't come back.
- Delete sloppy COMMON-style declarations of uninitialized data in
  header files.
- Add a few prototypes.
- Clean up warnings resulting from the above.

NB: ioconf.c will still generate a redundant-declaration warning, which
is unavoidable unless somebody volunteers to make `config' smarter.
1994-08-18 22:36:09 +00:00
David Greenman
3c4dd3568f Added $Id$ 1994-08-02 07:55:43 +00:00
Rodney W. Grimes
26f9a76710 The big 4.4BSD Lite to FreeBSD 2.0.0 (Development) patch.
Reviewed by:	Rodney W. Grimes
Submitted by:	John Dyson and David Greenman
1994-05-25 09:21:21 +00:00
Rodney W. Grimes
df8bae1de4 BSD 4.4 Lite Kernel Sources 1994-05-24 10:09:53 +00:00