Commit Graph

222 Commits

Author SHA1 Message Date
Cy Schubert
480717af29 Remove ipsd (IP Scan Detector). It is unused and to my knowledge has
never been used on any platform that ipfilter has been on. However
it looks like it could be a useful utility, therefore there are plans
to make it a port one day. It lacks a man page as well.

MFC after:	1 month
2019-01-06 21:24:44 +00:00
Cy Schubert
da7e48c690 TCP_PAWS_IDLE does not exist in NetBSD and illumos. In FreeBSD
TCP_PAWS_IDLE is defined in netinet/tcp_seq.h, however this header
isn't included explicitly or implicitly at this point, therefore
as far as ipfilter is concerned TCP_PAWS_IDLE is not defined. Remove
the #ifdef and include netinet/tcp.h unconditionally.

MFC after:	1 week
2018-12-30 04:25:48 +00:00
Cy Schubert
efc4145a6e Remove an ugly Ultrix hack. Ultrix has been AWOL since the last ice
age, more to come.

MFC after:	1 week
2018-12-06 20:15:54 +00:00
Cy Schubert
b1ece51fb8 As part of the general cleanup of the ipfilter code, special cases
are committed separately to document fixing them separately from
the general cleanup. In this case we don't want to hide the utter
brokenness of what is being fixed.

Clean up a discombobulated block of #if's, with one block unreachable.
ip_fil.c is used in ipftest which is used to dry-run test ipfilter
rules in userspace without loading them in the kernel. The call to
(*ifp->if_output) matches that in the FreeBSD kernel.

Further testing and work will be required to make ipftest fully
functional.

MFC after:	1 week
2018-12-04 06:11:04 +00:00
Cy Schubert
11b5e0cd9c loadpoolfile() implements a -R (NORESOLVE) option which is not listed
in usage(). This commit trues up usage() with loadpoolfile().
2017-08-05 06:46:06 +00:00
Cy Schubert
223428af47 As in r315225, discard 3072 bytes of RC4 bytestream instead of 1024.
PR:		217920
Submitted by:	codarren@hackers.mu
Reviewed by:	emaste, cem
Approved by:	so (implicit, in r315225)
MFC after:	1 week
Differential Revision:	D11747
Patterned after:	r315225
2017-07-27 06:26:15 +00:00
Cy Schubert
e7df11b869 Document supported poollist() (ippool -l) options in usage() and in
ippool.8 man page.
2017-07-05 05:50:36 +00:00
Cy Schubert
e5426b9f65 Ansify entry and exit points.
MFC after:	1 month
2017-06-28 19:08:07 +00:00
Cy Schubert
3fe0d81e1f In poolnodecommand() (ippool -a and ippool -r) -m (pool name) is not
optional.
2017-06-28 02:30:32 +00:00
Cy Schubert
f21680fd98 Replace AF_INET6 ifdefs with USE_INET6 to be consistent with the rest
of the ipfilter source tree.
2017-06-27 04:54:58 +00:00
Cy Schubert
43988e3f50 Replace AF_INET6 ifdefs with USE_INET6 ifdefs. This is more consistent
and guaranteed to build everywhere in ipfilter.

Not all of this commit can be MFCed. Some is original code while others
are not.
2017-06-23 02:42:04 +00:00
Cy Schubert
cd32671786 In poolnodecommand(): TTL (-T) is only valid when adding a node to a
pool (ippool -a), not when removing a node from a pool (ippool -r).
Flag -T as an error in ippool -r.
2017-06-22 12:46:48 +00:00
Cy Schubert
3f296d78cc poolflush() has no positional arguments.
2017-06-22 06:25:34 +00:00
Cy Schubert
3f6a9d3760 Fix -S handling within poolcommand(). Specifying a seed (-S) is only
valid when adding a pool (ippool -A), not when removing a pool
(ippool -R). It is a command line syntax error if a seed (-S) is specified
when removing a pool (-R).
2017-06-21 12:19:05 +00:00
Cy Schubert
49742409a3 Flag poolnodecommand() (ippool -a and ippool -r) command line syntax
errors.
2017-06-20 12:31:58 +00:00
Cy Schubert
254a06e0b3 poolcommand() (ippool -A and ippool -R) seed takes an argument.
2017-06-19 19:27:37 +00:00
Cy Schubert
eeafb4bc10 Flag poolcommand() (ippool -A and ippool -R) command line syntax errors.
2017-06-19 12:33:22 +00:00
Cy Schubert
ed840c526f Correct example directory location.
Submitted by:	olivier@
MFC after:	3 days
2017-06-15 00:59:02 +00:00
Cy Schubert
2d1353a21d Chase r319848: remove -v option from getopt() call.
2017-06-14 02:42:38 +00:00
Cy Schubert
40ad94e00a -n (do nothing) is not a command option.
2017-06-14 02:41:22 +00:00
Cy Schubert
bfff7435ed -v (verbose) is not a command option. (See ippool.1 for a definition
of command options).
2017-06-12 06:08:57 +00:00
Cy Schubert
215b15da57 Flag loadpoolfile() (ippool -f) command line syntax errors.
2017-06-11 04:03:09 +00:00
Cy Schubert
d05afd2252 Identify poolstats() (ippool -s) command line syntax errors.
2017-06-11 04:00:26 +00:00
Cy Schubert
0fc43621ce Identify command line syntax errors in poolflush() (ippool -F).
2017-06-11 03:56:13 +00:00
Cy Schubert
5910b44e7d Remove redundant assignment of infile from optarg in loadpoolfile()
which was previously assigned from optarg in the argument list from
main().
2017-06-10 23:16:00 +00:00
Cy Schubert
2540ef60c7 Disable the -O (output fields) option in poollist() (ippool -l) for
now. The option does not presently work. However, similar functions in
ipfstat (for state) and ipnat (for nat) do work and provide outputs that
can be easily parsed by shell scripts or subsequently loaded into CSV
files.  The intention here is to return to this option to make it work.
I suspect the problem is in printpoolfields.c.
2017-06-10 17:05:14 +00:00
Cy Schubert
a0489e3eeb Flag poollist() (ippool -l) command line syntax errors.
2017-06-10 16:42:39 +00:00
Cy Schubert
0dda2c25d4 Remove NORESOLVE (-R) option from poollist() (ippool -l). It is not
used in poollist().
2017-05-31 03:11:25 +00:00
Cy Schubert
d86be5fa4f Implement ippool command line IPv6 address parse support (for the -i
option).

PR:		218433
2017-05-16 02:48:46 +00:00
Cy Schubert
344add7203 Just like r318173, which was for outputting IPv6 addresses in tree
pools, implement outputting of IPv6 addresses in the ippool debug list
of hash type pools (ippool -l -d -t hash). Currently IPv6 in ippool tree
type pool handling is mostly implemented.
This continues the series of commits to remediate ippool.

This will be MFCed with a yet to be committed series of fixes to ippool
after it has been fully remediated.

PR:		218433
2017-05-15 03:39:35 +00:00
Cy Schubert
7ee662e8d8 As of r318281, there is no need to put a colon (:) in the message
string.

MFC after:	3 days
X-MFC with:	r318281
2017-05-14 23:45:10 +00:00
Cy Schubert
37e2d2e695 Separate the ipfilter function/static string from the error with a
colon (:) in error messages to assist the user in parsing out the error
from where or which object the error message refers to.

MFC after:	3 days
2017-05-14 21:18:01 +00:00
Cy Schubert
f7448f6347 Add missing linefeed in debug output.
2017-05-12 01:09:24 +00:00
Cy Schubert
9322c566a0 Implement outputting of IPv6 addresses in the ippool debug list of tree
type pools (ippool -l -d -t tree). Currently IPv6 in ippool tree type
pool handling is partially implemented (meaning it doesn't work).
This is the first of a series of commits to remediate ippool.

This will be MFCed with a yet to be committed series of fixes to ippool
after it has been fully remediated.

PR:		218433
2017-05-11 04:39:11 +00:00
Cy Schubert
5207c6ac74 Ifdef out a redundant if statement when INET6 is disabled.
MFC after:	1 week
2017-05-05 14:34:09 +00:00
Cy Schubert
c6fd01fbbb Use warnx() to issue error message.
Reported by:	cem
MFC after:	1 week
X-MFC with:	r316993, r316994
2017-04-16 04:36:22 +00:00
Cy Schubert
ea5e026a0d Fix CID 1372600, possible NULL pointer dereference should
reallocarray() fail.

Reported by:	Coverity CID 1372600
MFC after:	1 week
2017-04-16 01:15:37 +00:00
Cy Schubert
a07d9e9af4 Fix CID 1372601, possible NULL pointer dereference should
reallocarray() fail.

Reported by:	Coverity CID 1372601
MFC after:	1 week
2017-04-16 01:13:47 +00:00
Gleb Smirnoff
cc65eb4e79 Hide struct inpcb, struct tcpcb from the userland.
This is a painful change, but it is needed.  On the one hand, we avoid
modifying them, and this slows down some ideas, on the other hand we still
eventually modify them and tools like netstat(1) never work on next version of
FreeBSD.  We maintain a ton of spares in them, and we already got some ifdef
hell at the end of tcpcb.

Details:
- Hide struct inpcb, struct tcpcb under _KERNEL || _WANT_FOO.
- Make struct xinpcb, struct xtcpcb pure API structures, not including
  kernel structures inpcb and tcpcb inside.  Export into these structures
  the fields from inpcb and tcpcb that are known to be used, and put there
  a ton of spare space.
- Make kernel and userland utilities compilable after these changes.
- Bump __FreeBSD_version.

Reviewed by:	rrs, gnn
Differential Revision:	D10018
2017-03-21 06:39:49 +00:00
Cy Schubert
3820c3aa3f calloc() and realloc() modernization.
This commit replaces calloc calls, which called calloc() as if it were
malloc() by allocating a multiple of objects as a sizeof multiplied by
the number of objects. The patch rectifies this by calling calloc() as
it was meant to be called.

This commit also replaces realloc() with reallocarray() in a similar
fashion as above. Instead of calculating the memory to be reallocated
(changed) by multiplying sizeof by the number of objects, the sizeof
and number are passed as separate arguments to reallocarray(), letting
reallocarray() do the multiplication instead. Like the calloc()
adjustment above, this approach is cleaner and more elegant than
the previous code.

This has been tested on my production firewall and a laptop (also
running ipfilter).

Submitted by:	pfg
MFC after:	6 weeks
2017-03-16 04:40:07 +00:00
Cy Schubert
56d5bb4c63 Fix leak (free str before returning when ctx's calloc fails).
Submitted by:	trix_juniper.net (Tom Rix)
Discovered by:	clang's static analyzer
MFC after:	4 days
Relnotes:	ngie
Differential Revision:	D9877
2017-03-03 21:32:27 +00:00
Cy Schubert
520f089ad0 Use normal KNF cuddling of elses.
Reported by:	bde
MFC after:	2 weeks
X-MFC with:	r312777
2017-01-26 04:51:48 +00:00
Cy Schubert
971fa117c0 Currently the fragment info is placed at the top of the linked list
under a shared read lock. This patch attempts to upgrade the lock to
an exclusive write lock. If the exclusive write lock fails to be
obtained, the current fragment is not placed at the head of the list.

This portion of the patch was inspired by NetBSD ip_frag.c r1.4 (which
effectively removed the section of code that performed the reordering).

The patch to sys/contrib/ipfilter/netinet/ip_compat.h adds the
MUTEX_TRY_UPGRADE macro to support the patch to ip_frag.c.

The patch to contrib/ipfilter/lib/rwlock_emul.c supports this patch
by emulating the mutex in userspace when exercised by ipftest(1).

Inspired by:	NetBSD ip_frag.c r1.4
MFC after:	1 month
2017-01-26 01:24:05 +00:00
Cy Schubert
26594bd1ee Remove extraneous blank line.
MFC after:	2 weeks
X-MFC with:	r312777
2017-01-25 20:59:23 +00:00
Cy Schubert
d780a32bc5 Issue an error message when an incorrect flush argument is
encountered.

MFC after:	2 weeks
2017-01-25 20:41:16 +00:00
Dimitry Andric
338dc8086d Follow-up to r304953, in which I broke the build: apparently the SOLARIS
macro is defined in lots of different places in ipfilter, so replace all
of the nonportable definitions with portable ones.

Pointy hat to:	dim
X-MFC-With:	r304959, r304953
MFC after:	3 days
2016-08-28 19:35:29 +00:00
Cy Schubert
53362bdcc5 Remove dead code.
Approved by:	re@ (hrs@)
MFC after:	1 week
2016-06-30 14:53:46 +00:00
Cy Schubert
ca94cc3b74 Clarify the wording to be more accurate.
Approved by:	re@ (gjb)
MFC after:	1 week
X-MFC with:	r301773
2016-06-10 01:10:48 +00:00
Cy Schubert
dbef02b209 Update the man ipf.8 man page to accurately reflect that the -6
option is a noop and only here for backward compatibility.

MFC after:	1 week
2016-06-10 00:06:58 +00:00
Cy Schubert
17dd2ae7fb Fix another typo.
Reported by:	cem
MFC after:	6 days
2016-05-19 03:18:54 +00:00