Commit Graph

563 Commits

Author SHA1 Message Date
Daniel Hartmeier
d4f925e4df Use the packet's address family instead of the rule's when selecting a
replacement address for an rdr rule. Some rdr rules have no address family
(when the replacement is a table and no other criterion implies one AF).
In this case, pf would fail to select a replacement address and drop the
packet due to translation failure.

Found by:	Gustavo A. Baratto
2005-01-20 18:07:35 +00:00
Daniel Hartmeier
9624b04d64 Prohibit ruleset changes at securelevel > 2, not > 1. It's documented
like this in init(8), but the code didn't match the documentation.

Submitted by:	Juraj Lutter <otis at sk dot FreeBSD dot org>
Agrees:		mlaier
2005-01-19 21:37:00 +00:00
Nate Lawson
d26e4b9a02 This commit was generated by cvs2svn to compensate for changes in r140216,
which included commits to RCS files with non-trunk default branches.
2005-01-14 06:37:43 +00:00
Nate Lawson
edd973a013 Clean up a small memory leak introduced with the previous commit to
dsutils.c.  We need to GC the implicitly-returned object.

Submitted by:	Robert.Moore at Intel
MFC after:	1 day
2005-01-14 06:37:43 +00:00
Nate Lawson
4802655124 Fix handling of the implicit return case for methods called from an
external source (i.e., _STA).  The previous case only handled calls
occurring within AML.  This should fix Toshibas, among others.  Thanks
to Robert Moore of Intel for the fix.

MFC after:	2 days
2005-01-12 00:52:40 +00:00
Nate Lawson
6023610d63 This commit was generated by cvs2svn to compensate for changes in r140094,
which included commits to RCS files with non-trunk default branches.
2005-01-12 00:52:40 +00:00
Darren Reed
4d7cb202f1 Elminate 1 LOR (actually a recursive mutex grab) involving ipfilter where
we loop through all the list of NICs (struct ifnet), holding the lock on
it and then do a name lookup with ifunit() whilst holding it.
2005-01-08 04:32:02 +00:00
Darren Reed
4541c49f79 * Remove some code that's in a #ifndef FreeBSD that's no longer used. 2004-12-26 09:09:29 +00:00
Darren Reed
2fb1eb06a7 * The #ifdef's to cause mutex's for freebsd to be declared were meant to pick
up on USE_MUTEX being defined, but this patch
* Remove some code that's in a #ifndef FreeBSD that's no longer used.
2004-12-26 09:08:42 +00:00
Scott Long
98331badc2 Darnit, through a maze of twisty passages, ipfilter needs to have PFIL_HOOKS
defined.  Revert part of the previous commit to fix this.
2004-12-25 00:48:27 +00:00
Scott Long
0ca8ae1641 Sprinkle in some __FreeBSD_version checks so that this compiles again. Don't
define PFIL_HOOKS anymore.

Submitted by: keramida
2004-12-25 00:22:25 +00:00
Darren Reed
77bb8ca4a3 Enable fine grained locking within IPFilter, using mtx(9) and sx(9) allowing
the the "needs giant" flag to be removed from the driver.
2004-12-24 09:14:26 +00:00
Daniel Hartmeier
2726bbe221 Initialise init_addr in pf_map_addr() in the PF_POOL_ROUNDROBIN,
prevents a possible endless loop in pf_get_sport() with 'static-port'

ICMP state entries use the ICMP ID as port for the unique state key. When
checking for a usable key, construct the key in the same way. Otherwise,
a colliding key might be missed or a state insertion might be refused even
though it could be inserted. The second case triggers the endless loop,
possibly allowing a NATed LAN client to lock up the kernel.

PR:			kern/74930
Reported and tested by:	Hugo Silva, Srebrenko Sehic
MFC after:		3 days
2004-12-19 19:43:04 +00:00
Max Laier
905c6b87b7 Make ip_nat compile again. Should read #if->n<-def LARGE_NAT as in ipf 4.x 2004-12-18 03:47:54 +00:00
Darren Reed
f42b5dbebb Move two variables that are unused if LARGE_NAT is defined inside an #ifdef
to keep them out of harms way when compiling.

PR:	72783
2004-12-17 15:59:16 +00:00
Darren Reed
8a377db272 Allow ipnat redirect rules to work for non-TCP/UDP packets.
PR:             70038
Submitted by:   fming@borderware.com
Reviewed by:    darrenr
Obtained from:  fming@borderware.com
2004-12-17 02:29:34 +00:00
Darren Reed
6de0f6c8b8 Using just m_pullup to get all of the interesting bits in packet into one
buffer doesn't work for ipv6 packets, so use m_defrag() here instead as an
easy drop-in replacement.

PR:	70399
2004-12-16 21:02:16 +00:00
Max Laier
7cadbe4109 Compile pfsync w/o bpf.
Noticed by:	"Jayel Villamin" <jarthel operamail com>
2004-12-10 17:42:47 +00:00
Sam Leffler
8c489f7420 clear old files now in public 2004-12-08 18:27:44 +00:00
Sam Leffler
7a4700cda9 resolve merge conflict 2004-12-08 18:18:39 +00:00
Sam Leffler
230d5663fc This commit was generated by cvs2svn to compensate for changes in r138583,
which included commits to RCS files with non-trunk default branches.
2004-12-08 18:06:09 +00:00
Sam Leffler
31801f0d36 Version 0.9.14.12:
[Changes listed only since last public release 0.9.12.14; for changes
 prior to that consult the CVS logs at http://madwifi.sourceforge.net]

o reorg directory structure to have a single set of public binary builds
  shared by all systems
o support for new parts (all shipping pci/cardbus parts to this date work)
o new capabilities for identifying various chip features
o set/get tx power cap for supporting 802.11h information element
o revised api for set/get tx queue properties
o support for updating CTS in frames when doing packet bursting
o support for querying which tx queues have pending interrupts
2004-12-08 18:06:09 +00:00
Daniel Hartmeier
8092705059 IPv6 packets can contain headers (like options) before the TCP/UDP/ICMP6
header. pf finds the first TCP/UDP/ICMP6 header to filter by traversing
the header chain. In the case where headers are skipped, the protocol
checksum verification used the wrong length (included the skipped headers),
leading to incorrectly mismatching checksums. Such IPv6 packets with
headers were silently dropped.

Discovered by:	Bernhard Schmidt
MFC after:	1 week
2004-12-05 12:15:43 +00:00
Mark Santcroos
697831d611 Oops, remove unnecessary cast in original, out-commented code.
This was a debug leftover.

MFC after:	1 week
2004-12-02 00:12:19 +00:00
Mark Santcroos
cdb35b24fe This commit was generated by cvs2svn to compensate for changes in r138298,
which included commits to RCS files with non-trunk default branches.
2004-12-02 00:12:19 +00:00
Mark Santcroos
f42941d3ec Local change: Supporting code not yet available, use previous behavior
instead for the time being. Intel should fix this.

Note that if this commit is correct, it is made on the vendor branch.
We expect the Intel folks to fix it, and we don't want to unnecessarily
take files off the vendor branch.

Approved by:	njl
MFC after:	1 week
2004-12-02 00:05:02 +00:00
Mark Santcroos
cc50c2376d This commit was generated by cvs2svn to compensate for changes in r138296,
which included commits to RCS files with non-trunk default branches.
2004-12-02 00:05:02 +00:00
Mark Santcroos
3e5f2bd199 Local change: Remove warnings from vendor files.
Approved by:	njl
MFC after:	1 week
2004-12-01 23:42:21 +00:00
Mark Santcroos
0f190207e6 Local change: In the resume path, give up after waiting for a while
for WAK_STS to be set.  Some BIOSs never set it.

Approved by:	njl
MFC after:	1 week
2004-12-01 23:40:48 +00:00
Mark Santcroos
40047a89b4 Local change: Put various debugging options under ACPI_DISASSEMBLER.
Approved by:	njl
MFC after:	1 week
2004-12-01 23:39:45 +00:00
Mark Santcroos
8baa584183 Unchanged files that are off the vendor branch.
Approved by:	njl
MFC after:	1 week
2004-12-01 23:34:39 +00:00
Mark Santcroos
c846686064 Vendor import of Intel ACPI-CA 20041119 2004-12-01 23:14:10 +00:00
Mark Santcroos
3a36dacc92 This commit was generated by cvs2svn to compensate for changes in r138287,
which included commits to RCS files with non-trunk default branches.
2004-12-01 23:14:10 +00:00
Daniel Hartmeier
1a4a376387 fix a bug that leads to a crash when binat rules of the form
'binat from ... to ... -> (if)' are used, where the interface
is dynamic.

Discovered by:	kos(at)bastard(dot)net
Analyzed by:	Pyun YongHyeon
Approved by:	mlaier (mentor)
MFC after:	1 week
2004-11-24 00:43:34 +00:00
Ruslan Ermilov
9528cdfa6e Removed the remnants of gx(4). 2004-11-08 20:24:52 +00:00
Max Laier
a9052a1691 Improved interface handling. This should fix the use of renamed interfaces
(ifconfig xl0 name foo) as well as some special interfaces such as the 6to4
tunnel.

Reported by:	Ed Schouten <ed (at) il ! fontys , nl>
Tested by:	freebsd-pf
PR:		kern/72444
MFC after:	3 weeks
2004-11-03 17:21:12 +00:00
Max Laier
b6b3698c8e Fix a panic discovered with some apache2 configure test (that seemed to
trigger a socket creation race some some kind). Checking for non-NULL socket
and credential is not a bad idea anyway. Unfortunatly too late for the
release.

Reported & tested by:	Gilbert Cao
MFC after:		2 weeks
2004-10-24 19:35:02 +00:00
Scott Long
7d9aed9c4c Fix some warnings that only triggered in LINT. 2004-10-24 09:23:07 +00:00
Scott Long
f01be89133 Embed the correct name. 2004-10-24 08:48:32 +00:00
Scott Long
1713e81b9c Import the HighPoint RocketRAID 182x driver. Thanks to HighPoint for
providing the original driver, and thanks to IronSystems for providing
hardware for testing.
2004-10-24 05:37:23 +00:00
Max Laier
d6a8d58875 Add an additional struct inpcb * argument to pfil(9) in order to enable
passing along socket information. This is required to work around a LOR with
the socket code which results in an easy reproducible hard lockup with
debug.mpsafenet=1. This commit does *not* fix the LOR, but enables us to do
so later. The missing piece is to turn the filter locking into a leaf lock
and will follow in a seperate (later) commit.

This will hopefully be MT5'ed in order to fix the problem for RELENG_5 in
forseeable future.

Suggested by:		rwatson
A lot of work by:	csjp (he'd be even more helpful w/o mentor-reviews ;)
Reviewed by:		rwatson, csjp
Tested by:		-pf, -ipfw, LINT, csjp and myself
MFC after:		3 days

LOR IDs:		14 - 17 (not fixed yet)
2004-09-29 04:54:33 +00:00
Max Laier
7ea7663ca4 Protect sockaddr_union definitions with a protecting define. This allows to
build kernels with FAST_IPSEC and PF. This is the least disruptive fix.

PR:		kern/71836
Reviewed by:	bms, various mailing lists
MFC after:	3 days
2004-09-23 12:44:40 +00:00
Max Laier
abd627ebb7 Break out altq_enable/disable from DIOC{START,STOP}ALTQ into seprate
functions that can be called from enable/disable pf as well. This improves
switching from non-altq ruleset to altq ruleset (and the other way 'round)
by a great deal and makes pfctl act like the user would except it to.

PR:		kern/71746
Tested by:	Aurilien "beorn" Rougemont (PR submitter)
MFC after:	3 days
2004-09-17 02:15:05 +00:00
Max Laier
4758aa2bd4 Reactivate skipping over bogus IPCP addresses on ppp interfaces. Be more
careful with the skip condition this time. Addresses are only not taken into
account if:
	- The interface is POINTTOPOINT
	- There is no route installed for the address
	- The user specified noalias (:0)
and	- We are looking at an IPv4 address.

This should be enough paranoia to not cause any false positives.

PR:	 	misc/69954
Discussed with:	yongari
MFC after:	4 days
2004-09-14 15:20:24 +00:00
Max Laier
f78086efb6 Move pf* init from SI_SUB_PSEUDO to SI_SUB_PROTO_IFATTACHDOMAIN where it is
save to call if_attachdomain from if_attach() (as done for if_loop.c). We
will now end up with a properly initialized if_afdata array and the nd6
callout will no longer try to deref a NULL pointer.

Still this is a temp workaround and the locking for if_afdata should be
revisited at a later point.

Requested by:			rwatson
Discussed with and tested by:	yongari (a while ago)
PR:				kern/70393
MFC after:			5 days
2004-09-14 03:12:01 +00:00
Max Laier
c9f6794e2e One more round on the H/W supported checksum code: Fix NICs that can't do
the pseudo header. We really need the TCP packet length here. This happens
to end up in ip->ip_len in tcp_input.c, but here we should get it from the
len function variable instead.

Submitted by:	yongari
Tested by:	Nicolas Linard, yongari (sparc64 + hme)
MFC after:	5 days
2004-09-11 11:18:25 +00:00
Andre Oppermann
5f56967319 From __FreeBSD_version 600001 on PFIL_HOOKS is permanently in the kernel and
doesn't require to include opt_pfil_hooks.h.
2004-08-27 20:01:08 +00:00
Max Laier
7fff37fc15 Use securelevel_gt instead of reading global securelevel unprotected.
Submitted by:	yongari
MFC after:	3 days
2004-08-22 15:23:48 +00:00
Nate Lawson
aaff1d4cfa Add a padding member to the header overlaid on data allocated in the
ACPI_DEBUG case.  Without this, use of allocated memory is unaligned and
causes a trap on ia64.  Intel may fix this differently in a subsequent
release but this is adequate for now.

Submitted by:	marcel
MFC after:	2 days
2004-08-18 05:41:21 +00:00
Nate Lawson
ca36a5dc0d This commit was generated by cvs2svn to compensate for changes in r133931,
which included commits to RCS files with non-trunk default branches.
2004-08-18 05:41:21 +00:00