Commit Graph

166 Commits

Author SHA1 Message Date
Bill Fumerola
52cf11d8a1 the IP_FW_GET code in ip_fw_ctl() sizes a buffer to hold information
about rules and dynamic rules. it later fills this buffer with these
rules.

it also takes the opporunity to compare the expiration of the dynamic
rules with the current time and either marks them for deletion or simply
charges the countdown.

unfortunatly it does this all (the sizing, the buffer copying, and the
expiration GC) with no spl protection whatsoever. it was possible for
the dynamic rule(s) to be ripped out from under the request before it
had completed, resulting in corrupt memory dereferencing.

Reviewed by:	ps
MFC before:	4.4-RELEASE, hopefully.
2001-08-26 10:09:47 +00:00
Crist J. Clark
92a99815a8 While in there fixing a fragment logging bug, fix it so we log
fragments "right." Log fragment information tcpdump(8)-style,

   Jul  1 19:38:45 bubbles /boot/kernel/kernel: ipfw: 1000 Accept ICMP:8.0 192.168.64.60 192.168.64.20 in via ep0 (frag 53113:1480@0+)

That is, instead of the old,

  ... Fragment = <offset/8>

Do,

  ... (frag <IP ID>:<data len>@<offset>[+])

PR:		kern/23446
Approved by:	ru
MFC after:	1 week
2001-07-02 15:50:31 +00:00
Bill Fumerola
0901f62e11 pipe/queue are the only consumers of flow_id, so only set it in those cases 2001-04-06 06:52:25 +00:00
Hidetoshi Shimokawa
110a013333 Replace dyn_fin_lifetime with dyn_ack_lifetime for half-closed state.
Half-closed state could last long for some connections and fin_lifetime
(default 20sec) is too short for that.

OK'ed by: luigi
2001-03-27 05:28:30 +00:00
Paul Richards
1789d85615 Only flush rules that have a rule number above that set by a new
sysctl, net.inet.ip.fw.permanent_rules.

This allows you to install rules that are persistent across flushes,
which is very useful if you want a default set of rules that
maintains your access to remote machines while you're reconfiguring
the other rules.

Reviewed by:	Mark Murray <markm@FreeBSD.org>
2001-03-21 08:19:31 +00:00
Jonathan Lemon
32676c2d1f The TCP sequence number used for sending a RST with the ipfw reset rule
is already in host byte order, so do not swap it again.

Reviewed by:	bfumerola
2001-03-09 08:13:08 +00:00
Bill Fumerola
2a6cb8804e The TCP header-specific section suffered a little bit of bitrot recently:
When we recieve a fragmented TCP packet (other than the first) we can't
extract header information (we don't have state to reference). In a rather
unelegant fashion we just move on and assume a non-match.

Recent additions to the TCP header-specific section of the code neglected
to add the logic to the fragment code so in those cases the match was
assumed to be positive and those parts of the rule (which should have
resulted in a non-match/continue) were instead skipped (which means
the processing of the rule continued even though it had already not
matched).

Fault can be spread out over Rich Steenbergen (tcpoptions) and myself
(tcp{seq,ack,win}).

rwatson sent me a patch that got me thinking about this whole situation
(but what I'm committing / this description is mine so don't blame him).
2001-02-27 10:20:44 +00:00
Jonathan Lemon
7c45cb9bca Clean up warning. 2001-02-15 22:32:06 +00:00
Poul-Henning Kamp
bb07ec8c84 Introduce a new feature in IPFW: Check of the source or destination
address is configured on a interface.  This is useful for routers with
dynamic interfaces.  It is now possible to say:

        0100 allow       tcp from any to any established
        0200 skipto 1000 tcp from any to any
        0300 allow       ip from any to any
        1000 allow       tcp from 1.2.3.4 to me 22
        1010 deny        tcp from any to me 22
        1020 allow       tcp from any to any

and not have to worry about the behaviour if dynamic interfaces configure
new IP numbers later on.

The check is semi expensive (traverses the interface address list)
so it should be protected as in the above example if high performance
is a requirement.
2001-02-13 14:12:37 +00:00
Luigi Rizzo
7e1cd0d23d Sync with the bridge/dummynet/ipfw code already tested in stable.
In ip_fw.[ch] change a couple of variable and field names to
avoid having types, variables and fields with the same name.
2001-02-10 00:10:18 +00:00
Poul-Henning Kamp
fc2ffbe604 Mechanical change to use <sys/queue.h> macro API instead of
fondling implementation details.

Created with: sed(1)
Reviewed by: md5(1)
2001-02-04 13:13:25 +00:00
Luigi Rizzo
507b4b5432 MFS: bridge/ipfw/dummynet fixes (bridge.c will be committed separately) 2001-02-02 00:18:00 +00:00
Luigi Rizzo
f8acf87bb5 Make sure we do not follow an invalid pointer in ipfw_report
when we get an incomplete packet or m_pullup fails.
2001-01-27 02:31:08 +00:00
Luigi Rizzo
26fb17bdd0 Minor cleanups after yesterday's patch.
The code (bridging and dummynet) actually worked fine!
2001-01-26 19:43:54 +00:00
Luigi Rizzo
6258acf88f Bring dummynet in line with the code that now works in -STABLE.
It compiles, but I cannot test functionality yet.
2001-01-26 06:49:34 +00:00
Robert Watson
65450f2f77 o IPFW incorrectly handled filtering in the presence of previously
reserved and now allocated TCP flags in incoming packets.  This patch
  stops overloading those bits in the IP firewall rules, and moves
  colliding flags to a seperate field, ipflg.  The IPFW userland
  management tool, ipfw(8), is updated to reflect this change.  New TCP
  flags related to ECN are now included in tcp.h for reference, although
  we don't currently implement TCP+ECN.

o To use this fix without completely rebuilding, it is sufficient to copy
  ip_fw.h and tcp.h into your appropriate include directory, then rebuild
  the ipfw kernel module, and ipfw tool, and install both.  Note that a
  mismatch between module and userland tool will result in incorrect
  installation of firewall rules that may have unexpected effects.  This
  is an MFC candidate, following shakedown.  This bug does not appear
  to affect ipfilter.

Reviewed by:	security-officer, billf
Reported by:	Aragon Gouveia <aragon@phat.za.net>
2001-01-09 03:10:30 +00:00
David Malone
7cc0979fd6 Convert more malloc+bzero to malloc+M_ZERO.
Submitted by:	josh@zipperup.org
Submitted by:	Robert Drehmel <robd@gmx.net>
2000-12-08 21:51:06 +00:00
Ruslan Ermilov
203de3b494 Fixed the security breach I introduced in rev 1.145.
Disallow getsockopt(IP_FW_ADD) if securelevel >= 3.

PR:		22600
2000-11-07 09:20:32 +00:00
Poul-Henning Kamp
53ce36d17a Remove unneeded #include <sys/proc.h> lines. 2000-10-29 13:57:19 +00:00
Ruslan Ermilov
3cebc3e4de Fetch the protocol header (TCP, UDP, ICMP) only from the first fragment
of IP datagram.  This fixes the problem when firewall denied fragmented
packets whose last fragment was less than minimum protocol header size.

Found by:	Harti Brandt <brandt@fokus.gmd.de>
PR:		kern/22309
2000-10-27 07:19:17 +00:00
Luigi Rizzo
1f8ed85239 Close PR22152 and PR19511 -- correct the naming of a variable 2000-10-26 00:16:12 +00:00
Ruslan Ermilov
bc95ac80b2 Allow for IP_FW_ADD to be used in getsockopt(2) incarnation as
well, in which case return the rule number back into userland.

PR:		bin/18351
Reviewed by:	archie, luigi
2000-10-12 07:59:14 +00:00
Ruslan Ermilov
c0752e1657 As we now may check the TCP header window field, make sure we pullup
enough into the mbuf data area.  Solve this problem once and for all
by pulling up the entire (standard) header for TCP and UDP, and four
bytes of header for ICMP (enough for type, code and cksum fields).
2000-10-06 12:12:09 +00:00
Ruslan Ermilov
60f9125458 Added the missing ntohs() conversion when matching IP packet with
the IP_FW_IF_IPID rule.  (We have recently decided to keep the
ip_id field in network byte order inside the kernel, see revision
1.140 of src/sys/netinet/ip_input.c).

I did not like to have the conversion happen in userland, and I
think that the similar conversions for fw_tcp(seq|ack|win) should
be moved out of userland (src/sbin/ipfw/ipfw.c) into the kernel.
2000-10-03 12:18:11 +00:00
Bill Fumerola
9ad30943aa Add new fields for more granularity:
IP: version, tos, ttl, len, id
	TCP: seq#, ack#, window size

Reviewed by:  silence on freebsd-{net,ipfw}
2000-10-02 03:33:31 +00:00
Ruslan Ermilov
3ea420e391 Document that net.inet.ip.fw.one_pass only affects dummynet(4).
Noticed by:	Peter Jeremy<peter.jeremy@alcatel.com.au>
2000-09-29 08:39:06 +00:00
Bill Fumerola
95d0db2b40 Fix screwup in previous commit. 2000-09-12 02:38:05 +00:00
Bill Fumerola
4897e8320e 1. IP_FW_F_{UID,GID} are _not_ commands, they are extras. The sanity checking
for them does not belong in the IP_FW_F_COMMAND switch, that mask doesn't even
apply to them(!).

2. You cannot add a uid/gid rule to something that isn't TCP, UDP, or IP.

XXX - this should be handled in ipfw(8) as well (for more diagnostic output),
but this at least protects bogus rules from being added.

Pointy hat:	green
2000-09-06 03:10:42 +00:00
Dan Moschuk
9714563d83 Add tcpoptions to ipfw. This works much in the same way as ipoptions do.
It also squashes 99% of packet kiddie synflood orgies.  For example, to
rate syn packets without MSS,

ipfw pipe 10 config 56Kbit/s queue 10Packets
ipfw add pipe 10 tcp from any to any in setup tcpoptions !mss

Submitted by:  Richard A. Steenbergen <ras@e-gerbil.net>
2000-06-08 15:34:51 +00:00
Luigi Rizzo
5d3fe434f8 Implement WF2Q+ in dummynet. 2000-06-08 09:45:23 +00:00
Jake Burkholder
e39756439c Back out the previous change to the queue(3) interface.
It was not discussed and should probably not happen.

Requested by:		msmith and others
2000-05-26 02:09:24 +00:00
Jake Burkholder
740a1973a6 Change the way that the queue(3) structures are declared; don't assume that
the type argument to *_HEAD and *_ENTRY is a struct.

Suggested by:	phk
Reviewed by:	phk
Approved by:	mdodd
2000-05-23 20:41:01 +00:00
Archie Cobbs
2e2de7f23f Move code to handle BPF and bridging for incoming Ethernet packets out
of the individual drivers and into the common routine ether_input().
Also, remove the (incomplete) hack for matching ethernet headers
in the ip_fw code.

The good news: net result of 1016 lines removed, and this should make
bridging now work with *all* Ethernet drivers.

The bad news: it's nearly impossible to test every driver, especially
for bridging, and I was unable to get much testing help on the mailing
lists.

Reviewed by:	freebsd-net
2000-05-14 02:18:43 +00:00
Luigi Rizzo
9078405886 Remove an unnecessary error message 2000-05-02 15:39:36 +00:00
Ruslan Ermilov
d137714f11 Fix reporting of src and dst IP addresses for ICMP and generic IP packets.
PR:		17319
Submitted by:	Mike Heffner <spock@techfour.net>
2000-03-14 14:11:53 +00:00
Luigi Rizzo
da3fc682a7 Fix panic when doing keep-state and "forward".
Removed a redundant check.
Also move check for expired rules before using them.
Sorry for the whitespace changes.

Approved-by: jordan
2000-02-29 17:51:25 +00:00
Luigi Rizzo
9fcc079584 Move definition of fw_enable from ip_fw.c to ip_input.c
so we can compile kernels without IPFIREWALL .

Reported-by: Robert Watson
Approved-by: jordan
2000-02-10 17:56:01 +00:00
Luigi Rizzo
6355710df8 Whoops... forgot braces in a conditional
Revealed-by: diff with -STABLE version (the advantage of having
    multiple lines of development...)
Approved-by: jordan
2000-02-10 16:50:53 +00:00
Luigi Rizzo
03c612662b Support for stateful (dynamic) ipfw rules. They are very
similar to ipfilter's keep-state.

Look at the updated ipfw(8) manpage for details.

Approved-by: jordan
2000-02-10 14:17:40 +00:00
Yoshinobu Inoue
fb59c426ff tcp updates to support IPv6.
also a small patch to sys/nfs/nfs_socket.c, as max_hdr size change.

Reviewed by: freebsd-arch, cvs-committers
Obtained from: KAME project
2000-01-09 19:17:30 +00:00
Luigi Rizzo
ec8fac2acf Add ipfw hooks for the new dummynet features.
Support masks on TCP/UDP ports.

Minor cleanup of ip_fw_chk() to avoid repeated calls to PULLUP_TO
at each rule.
2000-01-08 11:31:43 +00:00
Yoshinobu Inoue
cfa1ca9dfa udp IPv6 support, IPv6/IPv4 tunneling support in kernel,
packet divert at kernel for IPv6/IPv4 translater daemon

This includes queue related patch submitted by jburkhol@home.com.

Submitted by: queue related patch from jburkhol@home.com
Reviewed by: freebsd-arch, cvs-committers
Obtained from: KAME project
1999-12-07 17:39:16 +00:00
Archie Cobbs
8948e4ba8e Miscellaneous fixes/cleanups relating to ipfw and divert(4):
- Implement 'ipfw tee' (finally)
- Divert packets by calling new function divert_packet() directly instead
  of going through protosw[].
- Replace kludgey global variable 'ip_divert_port' with a function parameter
  to divert_packet()
- Replace kludgey global variable 'frag_divert_port' with a function parameter
  to ip_reass()
- style(9) fixes

Reviewed by:	julian, green
1999-12-06 00:43:07 +00:00
Brian Feldman
2f9a21326c Change so_cred's type to a ucred, not a pcred. THis makes more sense, actually.
Make a sonewconn3() which takes an extra argument (proc) so new sockets created
with sonewconn() from a user's system call get the correct credentials, not
just the parent's credentials.
1999-09-19 02:17:02 +00:00
Bruce Evans
684f9417a2 Oops, I missed a cast in rev.1.119. 1999-08-29 10:23:13 +00:00
Brian Feldman
78f9020e95 Also make the "other" packets counter resettable. 1999-08-28 07:20:59 +00:00
Peter Wemm
c3aac50f28 $Id$ -> $FreeBSD$ 1999-08-28 01:08:13 +00:00
Bruce Evans
ff0061bb1d Cast pointers to [u]intptr_t instead of casting them to [u_]long. Don't
depend on gcc's feature of casting lvalues, especially for direct
assignment where it doesn't even simplify the syntax.  Cosmetic.
1999-08-24 00:48:19 +00:00
Brian Feldman
32e7924603 To christen the brand new security category for syslog, we get IPFW
using syslog(3) (log(9)) for its various purposes! This long-awaited
change also includes such nice things as:
	* macros expanding into _two_ comma-delimited arguments!
	* snprintf!
	* more snprintf!
	* linting and criticism by more people than you can shake a stick at!
	* a slightly more uniform message style than before!
	 and last but not least
	* no less than 5 rewrites!

Reviewed by:	committers
1999-08-21 18:35:55 +00:00
Luigi Rizzo
772759420f Implement probabilistic rule match in ipfw. Each rule can be associated
with a match probability to achieve non-deterministic behaviour of
the firewall. This can be extremely useful for testing purposes
such as simulating random packet drop without having to use dummynet
(which already does the same thing), and simulating multipath effects
and the associated out-of-order delivery (this time in conjunction
with dummynet).

The overhead on normal rules is just one comparison with 0.

Since it would have been trivial to implement this by just adding
a field to the ip_fw structure, I decided to do it in a
backward-compatible way (i.e. struct ip_fw is unchanged, and as a
consequence you don't need to recompile ipfw if you don't want to
use this feature), since this was also useful for -STABLE.

When, at some point, someone decides to change struct ip_fw, please
add a length field and a version number at the beginning, so userland
apps can keep working even if they are out of sync with the kernel.
1999-08-11 15:34:47 +00:00