Commit Graph

639 Commits

Author SHA1 Message Date
luigi
8ea61cec80 Add a missing bzero which could be the source of instability
problems reported recently (the rtentry pointer in the dummynet
queue was not initialized in all cases, resulting in spurious
rt_refcnt decreases in the lucky cases, and memory trashing in
other cases.
1999-01-11 11:08:07 +00:00
luigi
30243efc5e Remove check from where arp replies are coming from -- when doing bridging,
interfaces are used in clusters so the check does not apply.
1999-01-10 17:40:10 +00:00
brian
14b621f683 If we can't open alias.log, don't try to write to the
resulting NULL FILE *.
PR:	9403
1999-01-10 02:05:13 +00:00
luigi
9a9b54b09d Partial fix for when ipfw is used with bridging. Bridged packets
have all fields in network order, whereas ipfw expects some to be
in host order. This resulted in some incorrect matching, e.g. some
packets being identified as fragments, or bandwidth not being
correctly enforced.
NOTE: this only affects bridge+ipfw, normal ipfw usage was already
correct).

Reported-By: Dave Alden and others.
1998-12-31 07:43:29 +00:00
luigi
e3209601ce Remove some unused variables. 1998-12-31 07:35:49 +00:00
luigi
84c0ad49af 'ip_fw_head' and 'M_IPFW' are also used in ip_dummynet so cannot be
static...
Reported by: Dave Alden
1998-12-22 20:38:06 +00:00
luigi
443facc34d Recover from previous dummynet screwup 1998-12-21 22:40:54 +00:00
luigi
f1931f9580 Restore 1.82->1.83 change deleted by mistake< per Bruce suggestion 1998-12-21 21:36:40 +00:00
fenner
49dd6a55c1 Add missing "break"s to allow multicast routing to work.
Submitted by:	Amancio Hasty <hasty@rah.star-gate.com>
1998-12-16 18:07:11 +00:00
luigi
4b47760e63 Last bits (i think) of dummynet for -current. 1998-12-14 18:09:13 +00:00
dillon
ca62e7b743 Reviewed by: freebsd-current
Add bounds checking to netbios NS packet resolving code.  This should
    prevent natd from crashing on badly formed netbios packets (as might be
    heard when the machine is sitting on a cable modem or certain DSL
    networks), and also closes potential security holes that might have
    exploited the lack of bounds checking in the previous version of the
    code.
1998-12-14 02:25:32 +00:00
dillon
ed69540674 PR: kern/8990
If timer calculation results in degenerate value (0), force it to 1
    to avoid divide-by-zero panic later on in calls to IGMP_RANDOM_DELAY().
    I considered simply adding 1 to the timer calculation, but was unsure
    if the calculation was part of the IGMP standard or not so did not want
    to mess with it for all cases.
1998-12-12 21:45:49 +00:00
archie
84bd80a4f9 The "easy" fixes for compiling the kernel -Wunused: remove unreferenced static
and local variables, goto labels, and functions declared but not defined.
1998-12-07 21:58:50 +00:00
eivind
c2339d86e3 Clean up some pointer usage. 1998-12-07 05:41:10 +00:00
archie
dcdc1187e3 Examine all occurrences of sprintf(), strcat(), and str[n]cpy()
for possible buffer overflow problems. Replaced most sprintf()'s
with snprintf(); for others cases, added terminating NUL bytes where
appropriate, replaced constants like "16" with sizeof(), etc.

These changes include several bug fixes, but most changes are for
maintainability's sake. Any instance where it wasn't "immediately
obvious" that a buffer overflow could not occur was made safer.

Reviewed by:	Bruce Evans <bde@zeta.org.au>
Reviewed by:	Matthew Dillon <dillon@apollo.backplane.com>
Reviewed by:	Mike Spengler <mks@networkcs.com>
1998-12-04 22:54:57 +00:00
dillon
9abfbf7ece Cleanup icmp_var.h, make icmp bandlim sysctl permanent but if ICMP_BANDLIM
option not defined the sysctl int value is set to -1 and read-only.

    #ifdef KERNEL's added appropriately to wall off visibility of kernel
    routines from user code.
1998-12-04 04:21:25 +00:00
dillon
e6f452b2c3 Obtained from: "Andrey A. Chernov" <ache@nagual.pp.ru>
Quick add #ifdef KERNEL for ICMP_BANDLIM option so userland program
     can #include icmp_var.h
1998-12-04 03:49:18 +00:00
dillon
792065e7a1 Reviewed by: freebsd-current
Add ICMP_BANDLIM option and 'net.inet.icmp.icmplim' sysctl.  If option
    is specified in kernel config, icmplim defaults to 100 pps.  Setting it
    to 0 will disable the feature.  This feature limits ICMP error responses
    for packets sent to bad tcp or udp ports, which does a lot to help the
    machine handle network D.O.S. attacks.

    The kernel will report packet rates that exceed the limit at a rate of
    one kernel printf per second.  There is one issue in regards to the
    'tail end' of an attack... the kernel will not output the last report
    until some unrelated and valid icmp error packet is return at some
    point after the attack is over.  This is a minor reporting issue only.
1998-12-03 20:23:21 +00:00
eivind
5a7826c415 Staticize some more. 1998-11-26 18:54:52 +00:00
jdp
2fd24fec3e Fix a couple of typos. 1998-11-19 18:07:28 +00:00
dfr
f708c75268 Remove stale references to ih_next and ih_prev.
Pointed out by: Roman V. Palagin <romanp@wuppy.rcs.ru>
1998-11-17 10:53:37 +00:00
dfr
553da9a3e6 Make the previous fix more portable.
Requested by: bde
1998-11-16 08:27:36 +00:00
guido
b5d8fc6f45 The below patch helps to reduce the leakage of internal socket information
when a TCP "stealth" scan is directed at a *BSD box by ensuring the window
is 0 for all RST packets generated through tcp_respond()
Reviewed by:	Don Lewis <Don.Lewis@tsc.tdk.com>
Obtained from:	Bugtraq (from: Darren Reed <avalon@COOMBS.ANU.EDU.AU>)
1998-11-15 21:35:09 +00:00
dfr
c32ac350e1 Fix printf format errors on alpha. 1998-11-15 18:10:14 +00:00
bde
f953549219 Finished updating module event handlers to be compatible with
modeventhand_t.
1998-11-15 15:33:52 +00:00
dg
0cf5d2e2ab Be sure to pullup entire IP header when dealing with fragment packets. 1998-11-11 21:17:59 +00:00
peter
8d4f5047ac add #include <sys/kernel.h> where it's needed by MALLOC_DEFINE() 1998-11-10 09:16:29 +00:00
dfr
2322026603 Some optimisations to the fragment reassembly code.
Submitted by: Don Lewis <Don.Lewis@tsc.tdk.com>
1998-10-27 09:19:03 +00:00
dfr
016ff070b8 Fix a bug in the new fragment reassembly code which was tickled by recieving
a fragment which wholly overlapped one or more existing fragments.

Submitted by: Don Lewis <Don.Lewis@tsc.tdk.com>
1998-10-27 09:11:41 +00:00
peter
f3a48cd733 *gulp*. Jordan specifically OK'ed this..
This is the bulk of the support for doing kld modules.  Two linker_sets
were replaced by SYSINIT()'s.  VFS's and exec handlers are self registered.
kld is now a superset of lkm.  I have converted most of them, they will
follow as a seperate commit as samples.
This all still works as a static a.out kernel using LKM's.
1998-10-16 03:55:01 +00:00
dfr
0b7f68ea8b Dike out some obsolete defines which referenced ih_next and ih_prev from
struct ipovly (they don't exist anymore because they don't work when
pointers are 64bit).
1998-09-26 14:26:59 +00:00
fenner
9200a8af86 Fix the bind security fix introduced in rev 1.38 to work with multicast:
- Don't bother checking for conflicting sockets if we're binding to a
  multicast address.
- Don't return an error if we're binding to INADDR_ANY, the conflicting
  socket is bound to INADDR_ANY, and the conflicting socket has SO_REUSEPORT
  set.

PR:		kern/7713
1998-09-17 18:42:16 +00:00
fenner
3d6ffa527b Prevent modification of permanent ARP entries (PR kern/7649)
Ignore ARP replies from the wrong interface (discussion on mailing list)
Add interface name to a couple of error messages
1998-09-17 00:04:21 +00:00
jkoshy
fda94a0862 Turn off replies to ICMP echo requests for broadcast and multicast
addresses by default.

Add a knob "icmp_bmcastecho" to "rc.network" to allow this
behaviour to be controlled from "rc.conf".

Document the controlling sysctl variable "net.inet.icmp.bmcastecho"
in sysctl(3).

Reviewed by: dg, jkh
Reminded on -hackers by: Steinar Haug <sthaug@nethelp.no>
1998-09-15 10:49:03 +00:00
luigi
fdccb703b5 Bring in new files for dummynet support 1998-09-12 22:03:21 +00:00
wollman
0f91bc6bca Fix RST validation.
PR:		7892
Submitted by:	Don.Lewis@tsc.tdk.com
1998-09-11 16:04:03 +00:00
dfr
7b12f74368 Ensure that m_nextpkt is set to NULL after reassembling fragments. 1998-09-10 08:56:40 +00:00
phk
ab958c934d RFC 1644 has the status "Experimental Protocol", which means:
4.1.4.  Experimental Protocol

      A system should not implement an experimental protocol unless it
      is participating in the experiment and has coordinated its use of
      the protocol with the developer of the protocol.

Pointed out by:	Steinar Haug <sthaug@nethelp.no>
1998-09-06 08:17:35 +00:00
phk
672ae7a948 Widen and change the layout of the IPFW structures flag element.
This will allow us to add dummynet to 3.0

Recompile /sbin/ipfw AND your kernel.
1998-09-02 19:14:01 +00:00
wollman
cb8e1ebb47 Properly fragment multicast packets.
PR: 7802
Submitted by:	Steve McCanne <mccanne@cs.berkeley.edu>
1998-09-02 15:11:14 +00:00
brian
08c0787ab4 Remove OpenBSD build support - let the Makefile vary per
OS rather than making it a mess and potentially screwing
up cross builds.
Suggested by: bde

Add Id keyword.
1998-08-31 12:14:30 +00:00
brian
93d1e1a372 Add OpenBSD build support 1998-08-30 23:53:25 +00:00
dfr
5696ac3439 Re-implement tcp and ip fragment reassembly to not store pointers in the
ip header which can't work on alpha since pointers are too big.

Reviewed by: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
1998-08-24 07:47:39 +00:00
wollman
fc229edf09 Yow! Completely change the way socket options are handled, eliminating
another specialized mbuf type in the process.  Also clean up some
of the cruft surrounding IPFW, multicast routing, RSVP, and other
ill-explored corners.
1998-08-23 03:07:17 +00:00
bde
3589262c68 Fixed printf format errors. 1998-08-17 01:05:25 +00:00
bde
6a16d85af1 Made some disgusting ifdefs even more disgusting to enable the support
for `u_long cmd' ioctl args if __FreeBSD_version >= 300003.  Some ioctls
were broken on machines with 32-bit ints and 64-bit longs.
1998-08-15 21:51:53 +00:00
bde
67bcdce4a0 Fixed printf format errors (ntohl() returns in_addr_t = u_int32_t != long
on some 64-bit systems).  print_ip() should use inet_ntoa() instead of
bloated inline code with 4 ntohl()s.
1998-08-11 19:08:42 +00:00
bde
4c48874671 Converted the last instance of hzto() to tvtohz(). 1998-08-05 16:59:20 +00:00
dfr
339b8bded1 Use explicitly sized types when digging through packet headers.
Reviewed by: Julian Elischer <julian@whistle.com>
1998-08-03 17:23:37 +00:00
peter
d4d64efac9 Fix a compile error if IPFIREWALL_FORWARD active without IPDIVERT. 1998-08-01 08:44:33 +00:00