Commit Graph

338 Commits

Author SHA1 Message Date
Jonathan Lemon
35609d458d When dropping a packet because there is no room in the queue (which itself
is somewhat bogus), update the statistics to indicate something was dropped.

PR: 13740
2001-10-30 14:58:27 +00:00
Paul Saab
db69a05dce Make it so dummynet and bridge can be loaded as modules.
Submitted by:	billf
2001-10-05 05:45:27 +00:00
Jonathan Lemon
ca925d9c17 Add a hash table that contains the list of internet addresses, and use
this in place of the in_ifaddr list when appropriate.  This improves
performance on hosts which have a large number of IP aliases.
2001-09-29 04:34:11 +00:00
Jonathan Lemon
9a10980e2a Centralize satosin(), sintosa() and ifatoia() macros in <netinet/in.h>
Remove local definitions.
2001-09-29 03:23:44 +00:00
Luigi Rizzo
830cc17841 Two main changes here:
+ implement "limit" rules, which permit to limit the number of sessions
   between certain host pairs (according to masks). These are a special
   type of stateful rules, which might be of interest in some cases.
   See the ipfw manpage for details.

 + merge the list pointers and ipfw rule descriptors in the kernel, so
   the code is smaller, faster and more readable. This patch basically
   consists in replacing "foo->rule->bar" with "rule->bar" all over
   the place.
   I have been willing to do this for ages!

MFC after: 1 week
2001-09-27 23:44:27 +00:00
Brooks Davis
9494d5968f Make faith loadable, unloadable, and clonable. 2001-09-25 18:40:52 +00:00
Julian Elischer
b40ce4165d KSE Milestone 2
Note ALL MODULES MUST BE RECOMPILED
make the kernel aware that there are smaller units of scheduling than the
process. (but only allow one thread per process at this time).
This is functionally equivalent to teh previousl -current except
that there is a thread associated with each process.

Sorry john! (your next MFC will be a doosie!)

Reviewed by: peter@freebsd.org, dillon@freebsd.org

X-MFC after:    ha ha ha ha
2001-09-12 08:38:13 +00:00
Jonathan Lemon
f9132cebdc Wrap array accesses in macros, which also happen to be lvalues:
ifnet_addrs[i - 1]  -> ifaddr_byindex(i)
        ifindex2ifnet[i]    -> ifnet_byindex(i)

This is intended to ease the conversion to SMPng.
2001-09-06 02:40:43 +00:00
Daniel C. Sobral
07203494d2 MFS: Avoid dropping fragments in the absence of an interface address.
Noticed by:	fenner
Submitted by:	iedowse
Not committed to current by:	iedowse ;-)
2001-08-03 17:36:06 +00:00
Ruslan Ermilov
38c1bc358b Avoid a NULL pointer derefence introduced in rev. 1.129.
Problem noticed by:	bde, gcc(1)
Panic caught by:	mjacob
Patch tested by:	mjacob
2001-07-23 16:50:01 +00:00
Ruslan Ermilov
f2c2962ee5 Backout non-functional changes from revision 1.128.
Not objected to by:	dcs
2001-07-19 07:10:30 +00:00
Daniel C. Sobral
3afefa3924 Skip the route checking in the case of multicast packets with known
interfaces.

Reviewed by:	people at that channel
Approved by:	silence on -net
2001-07-17 18:47:48 +00:00
Hajimu UMEMOTO
3384154590 Sync with recent KAME.
This work was based on kame-20010528-freebsd43-snap.tgz and some
critical problem after the snap was out were fixed.
There are many many changes since last KAME merge.

TODO:
  - The definitions of SADB_* in sys/net/pfkeyv2.h are still different
    from RFC2407/IANA assignment because of binary compatibility
    issue.  It should be fixed under 5-CURRENT.
  - ip6po_m member of struct ip6_pktopts is no longer used.  But, it
    is still there because of binary compatibility issue.  It should
    be removed under 5-CURRENT.

Reviewed by:	itojun
Obtained from:	KAME
MFC after:	3 weeks
2001-06-11 12:39:29 +00:00
Kris Kennaway
64dddc1872 Add ``options RANDOM_IP_ID'' which randomizes the ID field of IP packets.
This closes a minor information leak which allows a remote observer to
determine the rate at which the machine is generating packets, since the
default behaviour is to increment a counter for each packet sent.

Reviewed by:    -net
Obtained from:  OpenBSD
2001-06-01 10:02:28 +00:00
Ruslan Ermilov
206a3274ef RFC768 (UDP) requires that "if the computed checksum is zero, it
is transmitted as all ones".  This got broken after introduction
of delayed checksums as follows.  Some guys (including Jonathan)
think that it is allowed to transmit all ones in place of a zero
checksum for TCP the same way as for UDP.  (The discussion still
takes place on -net.)  Thus, the 0 -> 0xffff checksum fixup was
first moved from udp_output() (see udp_usrreq.c, 1.64 -> 1.65)
to in_cksum_skip() (see sys/i386/i386/in_cksum.c, 1.17 -> 1.18,
INVERT expression).  Besides that I disagree that it is valid for
TCP, there was no real problem until in_cksum.c,v 1.20, where the
in_cksum() was made just a special version of in_cksum_skip().
The side effect was that now every incoming IP datagram failed to
pass the checksum test (in_cksum() returned 0xffff when it should
actually return zero).  It was fixed next day in revision 1.21,
by removing the INVERT expression.  The latter also broke the
0 -> 0xffff fixup for UDP checksums.

Before this change:
: tcpdump: listening on lo0
: 127.0.0.1.33005 > 127.0.0.1.33006:  udp 0 (ttl 64, id 1)
:                          4500 001c 0001 0000 4011 7cce 7f00 0001
:                          7f00 0001 80ed 80ee 0008 0000

After this change:
: tcpdump: listening on lo0
: 127.0.0.1.33005 > 127.0.0.1.33006:  udp 0 (ttl 64, id 1)
:                          4500 001c 0001 0000 4011 7cce 7f00 0001
:                          7f00 0001 80ed 80ee 0008 ffff
2001-03-13 17:07:06 +00:00
Ian Dowse
5d936aa181 In ip_output(), initialise `ia' in the case where the packet has
come from a dummynet pipe. Without this, the code which increments
the per-ifaddr stats can dereference an uninitialised pointer. This
should make dummynet usable again.

Reported by:	"Dmitry A. Yanko" <fm@astral.ntu-kpi.kiev.ua>
Reviewed by:	luigi, joe
2001-03-11 17:50:19 +00:00
Jeroen Ruigrok van der Werven
05f15c3dc3 Remove conditionals for vax support.
People who care much about this are welcomed to try 2.11BSD. :)

Noticed by:	luigi
Reviewed by:	jesper
2001-02-26 20:05:32 +00:00
Poul-Henning Kamp
37d4006626 Another round of the <sys/queue.h> FOREACH transmogriffer.
Created with:   sed(1)
Reviewed by:    md5(1)
2001-02-04 16:08:18 +00:00
Poul-Henning Kamp
fc2ffbe604 Mechanical change to use <sys/queue.h> macro API instead of
fondling implementation details.

Created with: sed(1)
Reviewed by: md5(1)
2001-02-04 13:13:25 +00:00
Luigi Rizzo
507b4b5432 MFS: bridge/ipfw/dummynet fixes (bridge.c will be committed separately) 2001-02-02 00:18:00 +00:00
Luigi Rizzo
7a726a2dd1 Pass up errors returned by dummynet. The same should be done with
divert.
2001-01-25 02:06:38 +00:00
Bosko Milekic
2a0c503e7a * Rename M_WAIT mbuf subsystem flag to M_TRYWAIT.
This is because calls with M_WAIT (now M_TRYWAIT) may not wait
  forever when nothing is available for allocation, and may end up
  returning NULL. Hopefully we now communicate more of the right thing
  to developers and make it very clear that it's necessary to check whether
  calls with M_(TRY)WAIT also resulted in a failed allocation.
  M_TRYWAIT basically means "try harder, block if necessary, but don't
  necessarily wait forever." The time spent blocking is tunable with
  the kern.ipc.mbuf_wait sysctl.
  M_WAIT is now deprecated but still defined for the next little while.

* Fix a typo in a comment in mbuf.h

* Fix some code that was actually passing the mbuf subsystem's M_WAIT to
  malloc(). Made it pass M_WAITOK instead. If we were ever to redefine the
  value of the M_WAIT flag, this could have became a big problem.
2000-12-21 21:44:31 +00:00
Josef Karthauser
ffa37b3f9b It's no longer true that "nobody uses ia beyond here"; it's now
used to keep address based if_data statistics in.

Submitted by:	ru
2000-11-01 01:59:28 +00:00
Poul-Henning Kamp
cf9fa8e725 Move suser() and suser_xxx() prototypes and a related #define from
<sys/proc.h> to <sys/systm.h>.

Correctly document the #includes needed in the manpage.

Add one now needed #include of <sys/systm.h>.
Remove the consequent 48 unused #includes of <sys/proc.h>.
2000-10-29 16:06:56 +00:00
Josef Karthauser
fe93767490 Count per-address statistics for IP fragments.
Requested by:	ru
Obtained from:	BSD/OS
2000-10-29 01:05:09 +00:00
Ruslan Ermilov
cc22c7a746 Save a few CPU cycles in IP fragmentation code. 2000-10-20 14:10:37 +00:00
Josef Karthauser
5da9f8fa97 Augment the 'ifaddr' structure with a 'struct if_data' to keep
statistics on a per network address basis.

Teach the IPv4 and IPv6 input/output routines to log packets/bytes
against the network address connected to the flow.

Teach netstat to display the per-address stats for IP protocols
when 'netstat -i' is evoked, instead of displaying the per-interface
stats.
2000-10-19 23:15:54 +00:00
Ruslan Ermilov
e30177e024 Follow BSD/OS and NetBSD, keep the ip_id field in network order all the time.
Requested by:	wollman
2000-09-14 14:42:04 +00:00
Ruslan Ermilov
04287599db Fixed broken ICMP error generation, unified conversion of IP header
fields between host and network byte order.  The details:

o icmp_error() now does not add IP header length.  This fixes the problem
  when icmp_error() is called from ip_forward().  In this case the ip_len
  of the original IP datagram returned with ICMP error was wrong.

o icmp_error() expects all three fields, ip_len, ip_id and ip_off in host
  byte order, so DTRT and convert these fields back to network byte order
  before sending a message.  This fixes the problem described in PR 16240
  and PR 20877 (ip_id field was returned in host byte order).

o ip_ttl decrement operation in ip_forward() was moved down to make sure
  that it does not corrupt the copy of original IP datagram passed later
  to icmp_error().

o A copy of original IP datagram in ip_forward() was made a read-write,
  independent copy.  This fixes the problem I first reported to Garrett
  Wollman and Bill Fenner and later put in audit trail of PR 16240:
  ip_output() (not always) converts fields of original datagram to network
  byte order, but because copy (mcopy) and its original (m) most likely
  share the same mbuf cluster, ip_output()'s manipulations on original
  also corrupted the copy.

o ip_output() now expects all three fields, ip_len, ip_off and (what is
  significant) ip_id in host byte order.  It was a headache for years that
  ip_id was handled differently.  The only compatibility issue here is the
  raw IP socket interface with IP_HDRINCL socket option set and a non-zero
  ip_id field, but ip.4 manual page was unclear on whether in this case
  ip_id field should be in host or network byte order.
2000-09-01 12:33:03 +00:00
Darren Reed
c4ac87ea1c activate pfil_hooks and covert ipfilter to use it 2000-07-31 13:11:42 +00:00
Jun-ichiro itojun Hagino
686cdd19b1 sync with kame tree as of july00. tons of bug fixes/improvements.
API changes:
- additional IPv6 ioctls
- IPsec PF_KEY API was changed, it is mandatory to upgrade setkey(8).
  (also syntax change)
2000-07-04 16:35:15 +00:00
Jonathan Lemon
707d00a304 Add boundary checks against IP options.
Obtained from:	OpenBSD
2000-06-02 20:18:38 +00:00
Jonathan Lemon
50c6dc99d8 Mark the checksum as complete when looping back multicast packets.
Submitted by:	Jeff Gibbons <jgibbons@n2.net>
2000-05-25 02:27:14 +00:00
Archie Cobbs
06a429a3c8 Just need to pass the address family to if_simloop(), not the whole sockaddr. 2000-05-24 21:16:56 +00:00
Jonathan Lemon
1c23847582 Compute the checksum before handing the packet off to IPFilter.
Tested by:  Cy Schubert <Cy.Schubert@uumail.gov.bc.ca>
2000-05-21 21:26:06 +00:00
Yoshinobu Inoue
7cba257ae5 Move htons() ip_len to after the in_delayed_cksum() call.
This should stop cksum error messages on IPsec communication
which was reported on freebsd-current.

Reviewed by: jlemon
2000-04-02 16:18:26 +00:00
Jonathan Lemon
ea53ecd9d4 Calculate any delayed checksums before handing an mbuf off to a
divert socket.  This fixes a problem with ppp/natd.

Reviewed by:	bsd	(Brian Dean, gotta love that login name)
2000-04-01 18:51:03 +00:00
Jonathan Lemon
20c822f399 If `ipfw fwd' loops an mbuf back to ip_input from ip_output and the
mbuf is marked for delayed checksums, then additionally mark the
packet as having it's checksums computed.  This allows us to bypass
computing/checking the checksum entirely, which isn't really needeed
as the packet has never hit the wire.

Reviewed by:		green
2000-03-30 02:16:40 +00:00
Jonathan Lemon
db4f9cc703 Add support for offloading IP/TCP/UDP checksums to NIC hardware which
supports them.
2000-03-27 19:14:27 +00:00
Yoshinobu Inoue
f63e7634ac Initialize mbuf pointer at getting ipsec policy.
Without this, kernel will panic at getsockopt() of IPSEC_POLICY.
Also make compilable libipsec/test-policy.c which tries getsockopt() of
IPSEC_POLICY.

Approved by: jkh

Submitted by: sakane@kame.net
2000-03-09 14:57:16 +00:00
Guido van Rooij
6d37c73e26 Remove option IPFILTER_KLD. In case you wanted to kldload ipfilter,
the module would only work in kernels built with this option.

Approved by:	jkh
2000-02-23 20:11:57 +00:00
Luigi Rizzo
6bc748b057 Support the net.inet.ip.fw.enable variable, part of
the recent ipfw modifications.

Approved-by: jordan
2000-02-10 14:19:53 +00:00
Ruslan Ermilov
5db1e34ea4 MGETHDR() does not initialize m_pkthdr.rcvif, do it here.
This fixes page fault panic observed when diverting packets
with IP options (e.g. ping -R remoteIP over natd).

PR:	kern/8596, kern/11199
2000-01-10 18:46:05 +00:00
Yoshinobu Inoue
d0a98d79d2 enable IPsec over DUMMYNET again
Submitted by: luigi
Reviewed by: luigi
2000-01-09 03:06:28 +00:00
Luigi Rizzo
d1f04b29f0 Cleanup dummynet call interface so it should now work on the Alpha
as well. Also (probably) fix a bug introduced during the IPv6 import.
2000-01-08 11:28:23 +00:00
Yoshinobu Inoue
6a800098cc IPSEC support in the kernel.
pr_input() routines prototype is also changed to support IPSEC and IPV6
chained protocol headers.

Reviewed by: freebsd-arch, cvs-committers
Obtained from: KAME project
1999-12-22 19:13:38 +00:00
Archie Cobbs
8948e4ba8e Miscellaneous fixes/cleanups relating to ipfw and divert(4):
- Implement 'ipfw tee' (finally)
- Divert packets by calling new function divert_packet() directly instead
  of going through protosw[].
- Replace kludgey global variable 'ip_divert_port' with a function parameter
  to divert_packet()
- Replace kludgey global variable 'frag_divert_port' with a function parameter
  to ip_reass()
- style(9) fixes

Reviewed by:	julian, green
1999-12-06 00:43:07 +00:00
Peter Wemm
c3aac50f28 $Id$ -> $FreeBSD$ 1999-08-28 01:08:13 +00:00
Luigi Rizzo
eaa726bed6 Free the dummynet descriptor in ip_dummynet, not in the called
routines. The descriptor contains parameters which could be used
within those routines (eg. ip_output() ).

On passing, add IPPROTO_PGM entry to netinet/in.h
1999-05-04 16:20:33 +00:00
Luigi Rizzo
a7c219496c forgot passing the right pointer to dst to dummynet_io().
(-stable and releng2 were already safe).
Debugged-By: phk
1999-05-04 09:26:12 +00:00
Peter Wemm
66e55756b5 Tidy up some stray / unused stuff in the IPFW package and friends.
- unifdef -DCOMPAT_IPFW  (this was on by default already)
- remove traces of in-kernel ip_nat package, it was never committed.
- Make IPFW and DUMMYNET initialize themselves rather than depend on
  compiled-in hooks in ip_init().  This means they initialize the same
  way both in-kernel and as kld modules.  (IPFW initializes now :-)
1999-04-20 13:32:06 +00:00
Luigi Rizzo
f0a53591ad Fix a dummynet bug caused by passing a bad next hop address (the
symptom was the msg "arp failure -- host is not on local network" that
some user have seen on multihomed machines.
Bug tracked down by Emmanuel Duros
1999-03-16 12:06:11 +00:00
Luigi Rizzo
17458d3570 avoid panic with pkts larger than MTU and DF set coming out of a pipe. 1999-02-19 18:32:55 +00:00
Luigi Rizzo
f0f6d6434d Restore 1.82->1.83 change deleted by mistake< per Bruce suggestion 1998-12-21 21:36:40 +00:00
Luigi Rizzo
b715f178c6 Last bits (i think) of dummynet for -current. 1998-12-14 18:09:13 +00:00
Peter Wemm
1c5bb3eaa1 add #include <sys/kernel.h> where it's needed by MALLOC_DEFINE() 1998-11-10 09:16:29 +00:00
Garrett Wollman
db028362a0 Properly fragment multicast packets.
PR: 7802
Submitted by:	Steve McCanne <mccanne@cs.berkeley.edu>
1998-09-02 15:11:14 +00:00
Garrett Wollman
cfe8b629f1 Yow! Completely change the way socket options are handled, eliminating
another specialized mbuf type in the process.  Also clean up some
of the cruft surrounding IPFW, multicast routing, RSVP, and other
ill-explored corners.
1998-08-23 03:07:17 +00:00
Peter Wemm
9de9737f47 Fix a compile error if IPFIREWALL_FORWARD active without IPDIVERT. 1998-08-01 08:44:33 +00:00
Bruce Evans
0c8d2590e3 Fixed some longs that should have been fixed-sized types. 1998-07-13 12:12:25 +00:00
Julian Elischer
1f7e052c16 Don't expect the new code to be used without the right option file being
included.
1998-07-06 05:04:33 +00:00
Julian Elischer
d4295c3248 Fix braino in switching to TAILQ macro. 1998-07-06 05:00:53 +00:00
Julian Elischer
f9e354df42 Support for IPFW based transparent forwarding.
Any packet that can be matched by a ipfw rule can be redirected
transparently to another port or machine. Redirection to another port
mostly makes sense with tcp, where a session can be set up
between a proxy and an unsuspecting client. Redirection to another machine
requires that the other machine also be expecting to receive the forwarded
packets, as their headers will not have been modified.

/sbin/ipfw must be recompiled!!!

Reviewed by:	Peter Wemm <peter@freebsd.org>
Submitted by: Chrisy Luke <chrisy@flix.net>
1998-07-06 03:20:19 +00:00
Bruce Evans
e5b19842ef Removed unused includes. 1998-06-21 14:53:44 +00:00
Julian Elischer
2b8a366cf8 fix another typo 1998-06-15 00:35:47 +00:00
Julian Elischer
201c2527a9 Try narrow down the culprit sending undefined packet types through the loopback 1998-06-14 20:58:17 +00:00
Julian Elischer
ed7509ace4 Go through the loopback code with a broom..
Remove lots'o'hacks.
looutput is now static.

Other callers who want to use loopback to allow shortcutting
should call the special entrypoint for this, if_simloop(), which is
specifically designed for this purpose. Using looutput for this purpose
was problematic, particularly with bpf and trying to keep track
of whether one should be using the charateristics of the loopback interface
or the interface (e.g. if_ethersubr.c) that was requesting the loopback.
There was a whole class of errors due to this mis-use each of which had
hacks to cover them up.

Consists largly of hack removal :-)
1998-06-12 03:48:19 +00:00
Julian Elischer
b876049334 Make sure the default value of a dummy variable is 0
so that it doesn't do anything.
1998-06-06 21:49:17 +00:00
Julian Elischer
3ed81d03b3 Fix wrong data type for a pointer. 1998-06-06 20:45:28 +00:00
Julian Elischer
c977d4c735 clean up the changes made to ipfw over the last weeks
(should make the ipfw lkm work again)
1998-06-06 19:39:10 +00:00
Julian Elischer
e256a933a8 Reverse the default sense of the IPFW/DIVERT reinjection code
so that the new behaviour is now default.
Solves the "infinite loop in diversion" problem when more than one diversion
is active.
Man page changes follow.

The new code is in -stable as the NON default option.
1998-06-05 22:40:01 +00:00
Julian Elischer
bb60f459a0 Add optional code to change the way that divert and ipfw work together.
Prior to this change, Accidental recursion protection was done by
the diverted daemon feeding back the divert port number it got
the packet on, as the port number on a sendto(). IPFW knew not to
redivert a packet to this port (again). Processing of the ruleset
started at the beginning again, skipping that divert port.

The new semantic (which is how we should have done it the first time)
is that the port number in the sendto() is the rule number AFTER which
processing should restart, and on a recvfrom(), the port number is the
rule number which caused the diversion. This is much more flexible,
and also more intuitive. If the user uses the same sockaddr received
when resending, processing resumes at the rule number following that
that caused the diversion. The user can however select to resume rule
processing at any rule. (0 is restart at the beginning)

To enable the new code use

option	IPFW_DIVERT_RESTART

This should become the default as soon as people have looked at it a bit
1998-05-25 10:37:48 +00:00
Peter Wemm
1ee25934a9 Make this compile.. There are some unpleasing hacks in here.
A major unifdef session is sorely tempting but would destroy any remaining
chance of tracking the original sources.
1998-03-21 11:34:28 +00:00
Bruce Evans
d68fa50ccb Don't depend on "implicit int". 1998-02-20 13:37:40 +00:00
Eivind Eklund
0b08f5f737 Back out DIAGNOSTIC changes. 1998-02-06 12:14:30 +00:00
Eivind Eklund
47cfdb166d Turn DIAGNOSTIC into a new-style option. 1998-02-04 22:34:03 +00:00
Poul-Henning Kamp
0abc78a697 Rename some local variables to avoid shadowing other local variables.
Found by: -Wshadow
1997-11-07 09:21:01 +00:00
Joerg Wunsch
fbd1372a0b Make IPDIVERT a supported option. Alas, in_var.h depends on it, i
hope i've found out all files that actually depend on this dependancy.
IMHO, it's not very good practice to change the size of internal
structs depending on kernel options.
1997-11-05 20:17:23 +00:00
Poul-Henning Kamp
a1c995b626 Last major round (Unless Bruce thinks of somthing :-) of malloc changes.
Distribute all but the most fundamental malloc types.  This time I also
remembered the trick to making things static:  Put "static" in front of
them.

A couple of finer points by:	bde
1997-10-12 20:26:33 +00:00
Poul-Henning Kamp
55166637cd Distribute and statizice a lot of the malloc M_* types.
Substantial input from:	bde
1997-10-11 18:31:40 +00:00
Bruce Evans
1fd0b0588f Removed unused #includes. 1997-08-02 14:33:27 +00:00
Julian Elischer
e4676ba603 Submitted by: Whistle Communications (archie Cobbs)
these are quite extensive additions to the ipfw code.
they include a change to the API because the old method was
broken, but the user view is kept the same.

The new code allows a particular match to skip forward to a particular
line number, so that blocks of rules can be
used without checking all the intervening rules.
There are also many more ways of rejecting
connections especially TCP related, and
many many more ...

see the man page for a complete description.
1997-06-02 05:02:37 +00:00
Bill Fenner
86b1d6d24d Pull up the IP header in ip_mloopback(). This makes sure that the
operations on the header inside ip_mloopback() are performed on
a private copy instead of a shared cluster.

PR:		kern/3410
1997-05-06 21:22:04 +00:00
Garrett Wollman
a29f300e80 The long-awaited mega-massive-network-code- cleanup. Part I.
This commit includes the following changes:
1) Old-style (pr_usrreq()) protocols are no longer supported, the compatibility
glue for them is deleted, and the kernel will panic on boot if any are compiled
in.

2) Certain protocol entry points are modified to take a process structure,
so they they can easily tell whether or not it is possible to sleep, and
also to access credentials.

3) SS_PRIV is no more, and with it goes the SO_PRIVSTATE setsockopt()
call.  Protocols should use the process pointer they are now passed.

4) The PF_LOCAL and PF_ROUTE families have been updated to use the new
style, as has the `raw' skeleton family.

5) PF_LOCAL sockets now obey the process's umask when creating a socket
in the filesystem.

As a result, LINT is now broken.  I'm hoping that some enterprising hacker
with a bit more time will either make the broken bits work (should be
easy for netipx) or dike them out.
1997-04-27 20:01:29 +00:00
Darren Reed
beec821495 Resolve conflicts created by import. 1997-04-03 10:47:12 +00:00
David Greenman
ca98b82c8d Reorganize elements of the inpcb struct to take better advantage of
cache lines. Removed the struct ip proto since only a couple of chars
were actually being used in it. Changed the order of compares in the
PCB hash lookup to take advantage of partial cache line fills (on PPro).

Discussed-with: wollman
1997-04-03 05:14:45 +00:00
Bill Fenner
e1596dff1e Fix a comment and some commented-out code in ip_mloopback to
reflect how multicast loopback really works.
1997-02-28 19:40:48 +00:00
Peter Wemm
6875d25465 Back out part 1 of the MCFH that changed $Id$ to $FreeBSD$. We are not
ready for it yet.
1997-02-22 09:48:43 +00:00
Darren Reed
f1743588c7 change IP Filter hooks to match new 3.1.8 patches for FreeBSD 1997-02-19 14:02:27 +00:00
Darren Reed
afed1b4988 Add IP Filter hooks (from patches). 1997-02-10 11:45:37 +00:00
Brian Somers
d81e40431a Reset ip_divert_ignore to zero immediately after use - also,
set it in the first place, independent of whether sin->sin_port
is set.

The result is that diverted packets that are being forwarded
will be diverted once and only once on the way in (ip_input())
and again, once and only once on the way out (ip_output()) -
twice in total.  ICMP packets that don't contain a port will
now also be diverted.
1997-02-02 16:33:12 +00:00
Jordan K. Hubbard
1130b656e5 Make the long-awaited change from $Id$ to $FreeBSD$
This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore.  This update would have been
insane otherwise.
1997-01-14 07:20:47 +00:00
Garrett Wollman
59562606b9 Convert the interface address and IP interface address structures
to TAILQs.  Fix places which referenced these for no good reason
that I can see (the references remain, but were fixed to compile
again; they are still questionable).
1996-12-13 21:29:07 +00:00
Bill Fenner
82c23eba89 Add the IP_RECVIF socket option, which supplies a packet's incoming interface
using a sockaddr_dl.

Fix the other packet-information socket options (SO_TIMESTAMP, IP_RECVDSTADDR)
to work for multicast UDP and raw sockets as well.  (They previously only
worked for unicast UDP).
1996-11-11 04:56:32 +00:00
Søren Schmidt
6713d4a747 Changed args to the nat functions. 1996-10-22 22:26:02 +00:00
Garrett Wollman
5893891624 All three files: make COMPAT_IPFW==0 case work again.
ip_input.c:
	- delete some dusty code
	- _IP_VHL
	- use fast inline header checksum when possible
1996-10-07 19:21:46 +00:00
Søren Schmidt
fed1c7e9e4 Add hooks for an IP NAT module, much like the firewall stuff...
Move the sockopt definitions for the firewall code from
ip_fw.h to in.h where it belongs.
1996-08-21 21:37:07 +00:00
Julian Elischer
93e0e11657 Adding changes to ipfw and the kernel to support ip packet diversion..
This stuff should not be too destructive if the IPDIVERT is not compiled in..
 be aware that this changes the size of the ip_fw struct
so ipfw needs to be recompiled to use it.. more changes coming to clean this up.
1996-07-10 19:44:30 +00:00
Bruce Evans
0453d3cbb3 Changed some memcpy()'s back to bcopy()'s.
gcc only inlines memcpy()'s whose count is constant and didn't inline
these.  I want memcpy() in the kernel go away so that it's obvious that
it doesn't need to be optimized.  Now it is only used for one struct
copy in si.c.
1996-06-08 08:19:03 +00:00
Garrett Wollman
f9493383fc Conditionalize calls to IPFW code on COMPAT_IPFW. This is done slightly
unconventionally:
	If COMPAT_IPFW is not defined, or if it is defined to 1, enable;
otherwise, disable.

This means that these changes actually have no effect on anyone at the
moment.  (It just makes it easier for me to keep my code in sync.)
In the future, the `not defined' part of the hack should be eliminated,
but doing this now would require everyone to change their config files.

The same conditionals need to be made in ip_input.c as well for this to
ave any useful effect, but I'm not ready to do that right now.
1996-05-22 17:23:09 +00:00
Peter Wemm
ce8c72b147 Fix an embarresing error on my part that made the IP_PORTRANGE options
return a failure code (even though it worked).
This commit brought to you by the 'C' keyword "break".. :-)
1996-05-21 20:47:31 +00:00
Garrett Wollman
9f9b3dc4ae Add three new route flags to help determine what sort of address
the destination represents.  For IP:

- Iff it is a host route, RTF_LOCAL and RTF_BROADCAST indicate local
  (belongs to this host) and broadcast addresses, respectively.

- For all routes, RTF_MULTICAST is set if the destination is multicast.

The RTF_BROADCAST flag is used by ip_output() to eliminate a call to
in_broadcast() in a common case; this gives about 1% in our packet-generation
experiments.  All three flags might be used (although they aren't now)
to determine whether a packet can be forwarded; a given host route can
represent a forwardable address if:

	(rt->rt_flags & (RTF_HOST | RTF_LOCAL | RTF_BROADCAST | RTF_MULTICAST))
	== RTF_HOST

Obviously, one still has to do all the work if a host route is not present,
but this code allows one to cache the results of such a lookup if rtalloc1()
is called without masking RTF_PRCLONING.
1996-05-06 17:42:13 +00:00
Bruce Evans
e2184122c5 Fixed in-line IP header checksumming. It was performed on the wrong header
in one case.
1996-04-21 13:47:43 +00:00
Garrett Wollman
9c9137ea6c Three speed-ups in the output path (two small, one substantial):
1) Require all callers to pass a valid route pointer to ip_output()
   so that we don't have to check and allocate one off the stack
   as was done before.  This eliminates one test and some stack
    bloat from the common (UDP and TCP) case.

2) Perform the IP header checksum in-line if it's of the usual length.
    This results in about a 5% speed-up in my packet-generation test.

3) Use ip_vhl field rather than ip_v and ip_hl bitfields.
1996-04-18 15:49:06 +00:00
Poul-Henning Kamp
23bf99538c Add feature for tcp "established".
Change interface between netinet and ip_fw to be more general, and thus
hopefully also support other ip filtering implementations.
1996-04-03 13:52:20 +00:00
Bill Fenner
fbc6ab006d Add missing splx(s) in IP_MULTICAST_IF
Submitted by:	Jim Binkley <jrb@cs.pdx.edu>
1996-03-26 18:56:51 +00:00
Paul Traina
072b9b24e3 Fix ip option processing for raw IP sockets. This whole thing is a compromise
between ignoring options specified in the setsockopt call if IP_HDRINCL is set
(the UCB choice when VJ's code was brought in) vs allowing them (what everyone
else did, and what is assumed by programs everywhere...sigh).

Also perform some checking of the passed down packet to avoid running off
the end of a mbuf chain.

Reviewed by:	fenner
1996-03-13 08:02:45 +00:00
David Greenman
2ee45d7d28 Move or add #include <queue.h> in preparation for upcoming struct socket
changes.
1996-03-11 15:13:58 +00:00
Poul-Henning Kamp
b83e431483 The new firewall functionality:
Filter on the direction (in/out).
	Filter on fragment/not fragment.
1996-02-24 00:17:35 +00:00
Poul-Henning Kamp
e7319bab6b Big sweep over the IPFIREWALL and IPACCT code.
Close the ip-fragment hole.
Waste less memory.
Rewrite to contemporary more readable style.
Kill separate IPACCT facility, use "accept" rules in IPFIREWALL.
Filter incoming >and< outgoing packets.
Replace "policy" by sticky "deny all" rule.
Rules have numbers used for ordering and deletion.
Remove "rerorder" code entirely.
Count packet & bytecount matches for rules.

Code in -current & -stable is now the same.
1996-02-23 15:47:58 +00:00
Peter Wemm
33b3ac0633 Make the default behavior of local port assignment match traditional
systems (my last change did not mix well with some firewall
configurations).  As much as I dislike firewalls, this is one thing I
I was not prepared to break by default.. :-)

Allow the user to nominate one of three ranges of port numbers as
candidates for selecting a local address to replace a zero port number.
The ranges are selected via a setsockopt(s, IPPROTO_IP, IP_PORTRANGE, &arg)
call.  The three ranges are: default, high (to bypass firewalls) and
low (to get a port below 1024).

The default and high port ranges are sysctl settable under sysctl
net.inet.ip.portrange.*

This code also fixes a potential deadlock if the system accidently ran out
of local port addresses. It'd drop into an infinite while loop.

The secure port selection (for root) should reduce overheads and increase
reliability of rlogin/rlogind/rsh/rshd if they are modified to take
advantage of it.

Partly suggested by: pst
Reviewed by: wollman
1996-02-22 21:32:23 +00:00
Garrett Wollman
994fdef98a Added a comment about why trying to make a one-behind cache for
the route in ip_output() is a bad idea.
1995-12-19 21:24:19 +00:00
Garrett Wollman
b7a44e3486 Path MTU Discovery is now standard. 1995-12-05 17:46:50 +00:00
Poul-Henning Kamp
0312fbe97d New style sysctl & staticize alot of stuff. 1995-11-14 20:34:56 +00:00
Garrett Wollman
3d1f141b23 The ability to administratively change the MTU of an interface presents
a few new wrinkles for MTU discovery which tcp_output() had better
be prepared to handle.  ip_output() is also modified to do something
helpful in this case, since it has already calculated the information
we need.
1995-10-16 18:21:26 +00:00
Garrett Wollman
b124e4f284 Fix test for determining when RSVP is inactive in a router. (In this
case, multicast options are not passed to ip_mforward().)  The previous
version had a wrong test, thus causing RSVP mrouters to forward RSVP messages
in violation of the spec.
1995-07-26 18:05:16 +00:00
Joerg Wunsch
40a63d93aa Slightly modify my previous change to return EINVAL instead of
EFAULT.

Submitted by:	Peter Wemm
1995-07-02 16:45:07 +00:00
Joerg Wunsch
d700586c3a I saw a very low-key commit message on the netbsd mailing lists and
figured out what the problem was..  Anyway, I rate it as "highly
serious".

Submitted by:	peter@haywire.DIALix.COM (Peter Wemm)
1995-07-01 19:09:40 +00:00
Garrett Wollman
1c5de19afb Kernel side of 3.5 multicast routing code, based on work by Bill Fenner
and other work done here.  The LKM support is probably broken, but it
still compiles and will be fixed later.
1995-06-13 17:51:16 +00:00
Rodney W. Grimes
9b2e535452 Remove trailing whitespace. 1995-05-30 08:16:23 +00:00
David Greenman
94a5d9b6a1 Replaced some bcopy()'s with memcpy()'s so that gcc while inline/optimize. 1995-05-09 13:35:48 +00:00
Paul Traina
f5fea3ddc9 Cleanup loopback interface support.
Reviewed by:	wollman
1995-04-26 18:10:58 +00:00
David Greenman
15bd2b4385 Implemented PCB hashing. Includes new functions in_pcbinshash, in_pcbrehash,
and in_pcblookuphash.
1995-04-09 01:29:31 +00:00
Garrett Wollman
20e8807c09 This should be splimp() rather than splnet() since ifaddrs might go away
as a result of link-layer processing.
1995-03-20 18:31:51 +00:00
Garrett Wollman
9b626c29f7 Fix race conditions involved in setting IP multicast options. This should
fix Dennis Fortin's problem for good, if I've got it figured out right.

(The problem was that a `struct ifaddr' could get deleted out from under
the current requester, thus leaving him with an invalid interface pointer
and causing even more bogus accesses.)
1995-03-20 18:11:31 +00:00
Bruce Evans
b5e8ce9f12 Add and move declarations to fix all of the warnings from `gcc -Wimplicit'
(except in netccitt, netiso and netns) and most of the warnings from
`gcc -Wnested-externs'.  Fix all the bugs found.  There were no serious
ones.
1995-03-16 18:17:34 +00:00
Ugen J.S. Antsilevich
4dd1662b4c Actual firewall change.
1) Firewall is not subdivided on forwarding / blocking chains
   anymore.Actually only one chain left-it was the blocking one.
2) LKM support.ip_fwdef.c is function pointers definition and
goes into kernel along with all INET stuff.
1995-01-12 13:06:32 +00:00
Garrett Wollman
2c17fe9339 Call rtalloc_ign() so that protocol cloning will not occur at the IP layer. 1994-12-13 23:08:12 +00:00
Ugen J.S. Antsilevich
10a642bb05 Add match by interface from which packet arrived (via)
Handle right fragmented packets. Remove checking option
from kernel..
1994-12-12 17:20:55 +00:00
Jordan K. Hubbard
63f8d699ac Ugen J.S.Antsilevich's latest, happiest, IP firewall code.
Poul:  Please take this into BETA.  It's non-intrusive, and a rather
substantial improvement over what was there before.
1994-11-16 10:17:11 +00:00
Garrett Wollman
5e9ae478ac Shuffle some functions and variables around to make it possible for
multicast routing to be implemented as an LKM.  (There's still a bit of
work to do in this area.)
1994-09-14 03:10:15 +00:00
Garrett Wollman
01d6dc8860 Disable IPMULTICAST_VIF socket option when MROUTING is not defined,
since it doesn'tmake any sense for non-routers.
CVS:
1994-09-09 22:05:02 +00:00
Garrett Wollman
f0068c4a70 Initial get-the-easy-case-working upgrade of the multicast code
to something more recent than the ancient 1.2 release contained in
4.4.  This code has the following advantages as compared to
previous versions (culled from the README file for the SunOS release):

- True multicast delivery
- Configurable rate-limiting of forwarded multicast traffic on each
  physical interface or tunnel, using a token-bucket limiter.
- Simplistic classification of packets for prioritized dropping.
- Administrative scoping of multicast address ranges.
- Faster detection of hosts leaving groups.
- Support for multicast traceroute (code not yet available).
- Support for RSVP, the Resource Reservation Protocol.

What still needs to be done:

- The multicast forwarder needs testing.
- The multicast routing daemon needs to be ported.
- Network interface drivers need to have the `#ifdef MULTICAST' goop ripped
  out of them.
- The IGMP code should probably be bogon-tested.

Some notes about the porting process:

In some cases, the Berkeley people decided to incorporate functionality from
later releases of the multicast code, but then had to do things differently.
As a result, if you look at Deering's patches, and then look at
our code, it is not always obvious whether the patch even applies.  Let
the reader beware.

I ran ip_mroute.c through several passes of `unifdef' to get rid of
useless grot, and to permanently enable the RSVP support, which we will
include as standard.

Ported by: 	Garrett Wollman
Submitted by:	Steve Deering and Ajit Thyagarajan (among others)
1994-09-06 22:42:31 +00:00
Garrett Wollman
f23b4c91c4 Fix up some sloppy coding practices:
- Delete redundant declarations.
- Add -Wredundant-declarations to Makefile.i386 so they don't come back.
- Delete sloppy COMMON-style declarations of uninitialized data in
  header files.
- Add a few prototypes.
- Clean up warnings resulting from the above.

NB: ioconf.c will still generate a redundant-declaration warning, which
is unavoidable unless somebody volunteers to make `config' smarter.
1994-08-18 22:36:09 +00:00
David Greenman
3c4dd3568f Added $Id$ 1994-08-02 07:55:43 +00:00
David Greenman
b53902964f fixed bug where large amounts of unidirectional UDP traffic would fill
the interface output queue and further udp packets would be fragmented
and only partially sent - keeping the output queue full and jamming the
network, but not actually getting any real work done (because you can't
send just 'part' of a udp packet - if you fragment it, you must send
the whole thing). The fix involves adding a check to make sure that the
output queue has sufficient space for all of the fragments.
1994-08-01 12:01:45 +00:00
Rodney W. Grimes
26f9a76710 The big 4.4BSD Lite to FreeBSD 2.0.0 (Development) patch.
Reviewed by:	Rodney W. Grimes
Submitted by:	John Dyson and David Greenman
1994-05-25 09:21:21 +00:00
Rodney W. Grimes
df8bae1de4 BSD 4.4 Lite Kernel Sources 1994-05-24 10:09:53 +00:00