Commit Graph

117 Commits

Author SHA1 Message Date
Julian Elischer
bb60f459a0 Add optional code to change the way that divert and ipfw work together.
Prior to this change, Accidental recursion protection was done by
the diverted daemon feeding back the divert port number it got
the packet on, as the port number on a sendto(). IPFW knew not to
redivert a packet to this port (again). Processing of the ruleset
started at the beginning again, skipping that divert port.

The new semantic (which is how we should have done it the first time)
is that the port number in the sendto() is the rule number AFTER which
processing should restart, and on a recvfrom(), the port number is the
rule number which caused the diversion. This is much more flexible,
and also more intuitive. If the user uses the same sockaddr received
when resending, processing resumes at the rule number following that
that caused the diversion. The user can however select to resume rule
processing at any rule. (0 is restart at the beginning)

To enable the new code use

option	IPFW_DIVERT_RESTART

This should become the default as soon as people have looked at it a bit
1998-05-25 10:37:48 +00:00
Peter Wemm
1ee25934a9 Make this compile.. There are some unpleasing hacks in here.
A major unifdef session is sorely tempting but would destroy any remaining
chance of tracking the original sources.
1998-03-21 11:34:28 +00:00
Bruce Evans
d68fa50ccb Don't depend on "implicit int". 1998-02-20 13:37:40 +00:00
Eivind Eklund
0b08f5f737 Back out DIAGNOSTIC changes. 1998-02-06 12:14:30 +00:00
Eivind Eklund
47cfdb166d Turn DIAGNOSTIC into a new-style option. 1998-02-04 22:34:03 +00:00
Poul-Henning Kamp
0abc78a697 Rename some local variables to avoid shadowing other local variables.
Found by: -Wshadow
1997-11-07 09:21:01 +00:00
Joerg Wunsch
fbd1372a0b Make IPDIVERT a supported option. Alas, in_var.h depends on it, i
hope i've found out all files that actually depend on this dependancy.
IMHO, it's not very good practice to change the size of internal
structs depending on kernel options.
1997-11-05 20:17:23 +00:00
Poul-Henning Kamp
a1c995b626 Last major round (Unless Bruce thinks of somthing :-) of malloc changes.
Distribute all but the most fundamental malloc types.  This time I also
remembered the trick to making things static:  Put "static" in front of
them.

A couple of finer points by:	bde
1997-10-12 20:26:33 +00:00
Poul-Henning Kamp
55166637cd Distribute and statizice a lot of the malloc M_* types.
Substantial input from:	bde
1997-10-11 18:31:40 +00:00
Bruce Evans
1fd0b0588f Removed unused #includes. 1997-08-02 14:33:27 +00:00
Julian Elischer
e4676ba603 Submitted by: Whistle Communications (archie Cobbs)
these are quite extensive additions to the ipfw code.
they include a change to the API because the old method was
broken, but the user view is kept the same.

The new code allows a particular match to skip forward to a particular
line number, so that blocks of rules can be
used without checking all the intervening rules.
There are also many more ways of rejecting
connections especially TCP related, and
many many more ...

see the man page for a complete description.
1997-06-02 05:02:37 +00:00
Bill Fenner
86b1d6d24d Pull up the IP header in ip_mloopback(). This makes sure that the
operations on the header inside ip_mloopback() are performed on
a private copy instead of a shared cluster.

PR:		kern/3410
1997-05-06 21:22:04 +00:00
Garrett Wollman
a29f300e80 The long-awaited mega-massive-network-code- cleanup. Part I.
This commit includes the following changes:
1) Old-style (pr_usrreq()) protocols are no longer supported, the compatibility
glue for them is deleted, and the kernel will panic on boot if any are compiled
in.

2) Certain protocol entry points are modified to take a process structure,
so they they can easily tell whether or not it is possible to sleep, and
also to access credentials.

3) SS_PRIV is no more, and with it goes the SO_PRIVSTATE setsockopt()
call.  Protocols should use the process pointer they are now passed.

4) The PF_LOCAL and PF_ROUTE families have been updated to use the new
style, as has the `raw' skeleton family.

5) PF_LOCAL sockets now obey the process's umask when creating a socket
in the filesystem.

As a result, LINT is now broken.  I'm hoping that some enterprising hacker
with a bit more time will either make the broken bits work (should be
easy for netipx) or dike them out.
1997-04-27 20:01:29 +00:00
Darren Reed
beec821495 Resolve conflicts created by import. 1997-04-03 10:47:12 +00:00
David Greenman
ca98b82c8d Reorganize elements of the inpcb struct to take better advantage of
cache lines. Removed the struct ip proto since only a couple of chars
were actually being used in it. Changed the order of compares in the
PCB hash lookup to take advantage of partial cache line fills (on PPro).

Discussed-with: wollman
1997-04-03 05:14:45 +00:00
Bill Fenner
e1596dff1e Fix a comment and some commented-out code in ip_mloopback to
reflect how multicast loopback really works.
1997-02-28 19:40:48 +00:00
Peter Wemm
6875d25465 Back out part 1 of the MCFH that changed $Id$ to $FreeBSD$. We are not
ready for it yet.
1997-02-22 09:48:43 +00:00
Darren Reed
f1743588c7 change IP Filter hooks to match new 3.1.8 patches for FreeBSD 1997-02-19 14:02:27 +00:00
Darren Reed
afed1b4988 Add IP Filter hooks (from patches). 1997-02-10 11:45:37 +00:00
Brian Somers
d81e40431a Reset ip_divert_ignore to zero immediately after use - also,
set it in the first place, independent of whether sin->sin_port
is set.

The result is that diverted packets that are being forwarded
will be diverted once and only once on the way in (ip_input())
and again, once and only once on the way out (ip_output()) -
twice in total.  ICMP packets that don't contain a port will
now also be diverted.
1997-02-02 16:33:12 +00:00
Jordan K. Hubbard
1130b656e5 Make the long-awaited change from $Id$ to $FreeBSD$
This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore.  This update would have been
insane otherwise.
1997-01-14 07:20:47 +00:00
Garrett Wollman
59562606b9 Convert the interface address and IP interface address structures
to TAILQs.  Fix places which referenced these for no good reason
that I can see (the references remain, but were fixed to compile
again; they are still questionable).
1996-12-13 21:29:07 +00:00
Bill Fenner
82c23eba89 Add the IP_RECVIF socket option, which supplies a packet's incoming interface
using a sockaddr_dl.

Fix the other packet-information socket options (SO_TIMESTAMP, IP_RECVDSTADDR)
to work for multicast UDP and raw sockets as well.  (They previously only
worked for unicast UDP).
1996-11-11 04:56:32 +00:00
Søren Schmidt
6713d4a747 Changed args to the nat functions. 1996-10-22 22:26:02 +00:00
Garrett Wollman
5893891624 All three files: make COMPAT_IPFW==0 case work again.
ip_input.c:
	- delete some dusty code
	- _IP_VHL
	- use fast inline header checksum when possible
1996-10-07 19:21:46 +00:00
Søren Schmidt
fed1c7e9e4 Add hooks for an IP NAT module, much like the firewall stuff...
Move the sockopt definitions for the firewall code from
ip_fw.h to in.h where it belongs.
1996-08-21 21:37:07 +00:00
Julian Elischer
93e0e11657 Adding changes to ipfw and the kernel to support ip packet diversion..
This stuff should not be too destructive if the IPDIVERT is not compiled in..
 be aware that this changes the size of the ip_fw struct
so ipfw needs to be recompiled to use it.. more changes coming to clean this up.
1996-07-10 19:44:30 +00:00
Bruce Evans
0453d3cbb3 Changed some memcpy()'s back to bcopy()'s.
gcc only inlines memcpy()'s whose count is constant and didn't inline
these.  I want memcpy() in the kernel go away so that it's obvious that
it doesn't need to be optimized.  Now it is only used for one struct
copy in si.c.
1996-06-08 08:19:03 +00:00
Garrett Wollman
f9493383fc Conditionalize calls to IPFW code on COMPAT_IPFW. This is done slightly
unconventionally:
	If COMPAT_IPFW is not defined, or if it is defined to 1, enable;
otherwise, disable.

This means that these changes actually have no effect on anyone at the
moment.  (It just makes it easier for me to keep my code in sync.)
In the future, the `not defined' part of the hack should be eliminated,
but doing this now would require everyone to change their config files.

The same conditionals need to be made in ip_input.c as well for this to
ave any useful effect, but I'm not ready to do that right now.
1996-05-22 17:23:09 +00:00
Peter Wemm
ce8c72b147 Fix an embarresing error on my part that made the IP_PORTRANGE options
return a failure code (even though it worked).
This commit brought to you by the 'C' keyword "break".. :-)
1996-05-21 20:47:31 +00:00
Garrett Wollman
9f9b3dc4ae Add three new route flags to help determine what sort of address
the destination represents.  For IP:

- Iff it is a host route, RTF_LOCAL and RTF_BROADCAST indicate local
  (belongs to this host) and broadcast addresses, respectively.

- For all routes, RTF_MULTICAST is set if the destination is multicast.

The RTF_BROADCAST flag is used by ip_output() to eliminate a call to
in_broadcast() in a common case; this gives about 1% in our packet-generation
experiments.  All three flags might be used (although they aren't now)
to determine whether a packet can be forwarded; a given host route can
represent a forwardable address if:

	(rt->rt_flags & (RTF_HOST | RTF_LOCAL | RTF_BROADCAST | RTF_MULTICAST))
	== RTF_HOST

Obviously, one still has to do all the work if a host route is not present,
but this code allows one to cache the results of such a lookup if rtalloc1()
is called without masking RTF_PRCLONING.
1996-05-06 17:42:13 +00:00
Bruce Evans
e2184122c5 Fixed in-line IP header checksumming. It was performed on the wrong header
in one case.
1996-04-21 13:47:43 +00:00
Garrett Wollman
9c9137ea6c Three speed-ups in the output path (two small, one substantial):
1) Require all callers to pass a valid route pointer to ip_output()
   so that we don't have to check and allocate one off the stack
   as was done before.  This eliminates one test and some stack
    bloat from the common (UDP and TCP) case.

2) Perform the IP header checksum in-line if it's of the usual length.
    This results in about a 5% speed-up in my packet-generation test.

3) Use ip_vhl field rather than ip_v and ip_hl bitfields.
1996-04-18 15:49:06 +00:00
Poul-Henning Kamp
23bf99538c Add feature for tcp "established".
Change interface between netinet and ip_fw to be more general, and thus
hopefully also support other ip filtering implementations.
1996-04-03 13:52:20 +00:00
Bill Fenner
fbc6ab006d Add missing splx(s) in IP_MULTICAST_IF
Submitted by:	Jim Binkley <jrb@cs.pdx.edu>
1996-03-26 18:56:51 +00:00
Paul Traina
072b9b24e3 Fix ip option processing for raw IP sockets. This whole thing is a compromise
between ignoring options specified in the setsockopt call if IP_HDRINCL is set
(the UCB choice when VJ's code was brought in) vs allowing them (what everyone
else did, and what is assumed by programs everywhere...sigh).

Also perform some checking of the passed down packet to avoid running off
the end of a mbuf chain.

Reviewed by:	fenner
1996-03-13 08:02:45 +00:00
David Greenman
2ee45d7d28 Move or add #include <queue.h> in preparation for upcoming struct socket
changes.
1996-03-11 15:13:58 +00:00
Poul-Henning Kamp
b83e431483 The new firewall functionality:
Filter on the direction (in/out).
	Filter on fragment/not fragment.
1996-02-24 00:17:35 +00:00
Poul-Henning Kamp
e7319bab6b Big sweep over the IPFIREWALL and IPACCT code.
Close the ip-fragment hole.
Waste less memory.
Rewrite to contemporary more readable style.
Kill separate IPACCT facility, use "accept" rules in IPFIREWALL.
Filter incoming >and< outgoing packets.
Replace "policy" by sticky "deny all" rule.
Rules have numbers used for ordering and deletion.
Remove "rerorder" code entirely.
Count packet & bytecount matches for rules.

Code in -current & -stable is now the same.
1996-02-23 15:47:58 +00:00
Peter Wemm
33b3ac0633 Make the default behavior of local port assignment match traditional
systems (my last change did not mix well with some firewall
configurations).  As much as I dislike firewalls, this is one thing I
I was not prepared to break by default.. :-)

Allow the user to nominate one of three ranges of port numbers as
candidates for selecting a local address to replace a zero port number.
The ranges are selected via a setsockopt(s, IPPROTO_IP, IP_PORTRANGE, &arg)
call.  The three ranges are: default, high (to bypass firewalls) and
low (to get a port below 1024).

The default and high port ranges are sysctl settable under sysctl
net.inet.ip.portrange.*

This code also fixes a potential deadlock if the system accidently ran out
of local port addresses. It'd drop into an infinite while loop.

The secure port selection (for root) should reduce overheads and increase
reliability of rlogin/rlogind/rsh/rshd if they are modified to take
advantage of it.

Partly suggested by: pst
Reviewed by: wollman
1996-02-22 21:32:23 +00:00
Garrett Wollman
994fdef98a Added a comment about why trying to make a one-behind cache for
the route in ip_output() is a bad idea.
1995-12-19 21:24:19 +00:00
Garrett Wollman
b7a44e3486 Path MTU Discovery is now standard. 1995-12-05 17:46:50 +00:00
Poul-Henning Kamp
0312fbe97d New style sysctl & staticize alot of stuff. 1995-11-14 20:34:56 +00:00
Garrett Wollman
3d1f141b23 The ability to administratively change the MTU of an interface presents
a few new wrinkles for MTU discovery which tcp_output() had better
be prepared to handle.  ip_output() is also modified to do something
helpful in this case, since it has already calculated the information
we need.
1995-10-16 18:21:26 +00:00
Garrett Wollman
b124e4f284 Fix test for determining when RSVP is inactive in a router. (In this
case, multicast options are not passed to ip_mforward().)  The previous
version had a wrong test, thus causing RSVP mrouters to forward RSVP messages
in violation of the spec.
1995-07-26 18:05:16 +00:00
Joerg Wunsch
40a63d93aa Slightly modify my previous change to return EINVAL instead of
EFAULT.

Submitted by:	Peter Wemm
1995-07-02 16:45:07 +00:00
Joerg Wunsch
d700586c3a I saw a very low-key commit message on the netbsd mailing lists and
figured out what the problem was..  Anyway, I rate it as "highly
serious".

Submitted by:	peter@haywire.DIALix.COM (Peter Wemm)
1995-07-01 19:09:40 +00:00
Garrett Wollman
1c5de19afb Kernel side of 3.5 multicast routing code, based on work by Bill Fenner
and other work done here.  The LKM support is probably broken, but it
still compiles and will be fixed later.
1995-06-13 17:51:16 +00:00
Rodney W. Grimes
9b2e535452 Remove trailing whitespace. 1995-05-30 08:16:23 +00:00
David Greenman
94a5d9b6a1 Replaced some bcopy()'s with memcpy()'s so that gcc while inline/optimize. 1995-05-09 13:35:48 +00:00
Paul Traina
f5fea3ddc9 Cleanup loopback interface support.
Reviewed by:	wollman
1995-04-26 18:10:58 +00:00
David Greenman
15bd2b4385 Implemented PCB hashing. Includes new functions in_pcbinshash, in_pcbrehash,
and in_pcblookuphash.
1995-04-09 01:29:31 +00:00
Garrett Wollman
20e8807c09 This should be splimp() rather than splnet() since ifaddrs might go away
as a result of link-layer processing.
1995-03-20 18:31:51 +00:00
Garrett Wollman
9b626c29f7 Fix race conditions involved in setting IP multicast options. This should
fix Dennis Fortin's problem for good, if I've got it figured out right.

(The problem was that a `struct ifaddr' could get deleted out from under
the current requester, thus leaving him with an invalid interface pointer
and causing even more bogus accesses.)
1995-03-20 18:11:31 +00:00
Bruce Evans
b5e8ce9f12 Add and move declarations to fix all of the warnings from `gcc -Wimplicit'
(except in netccitt, netiso and netns) and most of the warnings from
`gcc -Wnested-externs'.  Fix all the bugs found.  There were no serious
ones.
1995-03-16 18:17:34 +00:00
Ugen J.S. Antsilevich
4dd1662b4c Actual firewall change.
1) Firewall is not subdivided on forwarding / blocking chains
   anymore.Actually only one chain left-it was the blocking one.
2) LKM support.ip_fwdef.c is function pointers definition and
goes into kernel along with all INET stuff.
1995-01-12 13:06:32 +00:00
Garrett Wollman
2c17fe9339 Call rtalloc_ign() so that protocol cloning will not occur at the IP layer. 1994-12-13 23:08:12 +00:00
Ugen J.S. Antsilevich
10a642bb05 Add match by interface from which packet arrived (via)
Handle right fragmented packets. Remove checking option
from kernel..
1994-12-12 17:20:55 +00:00
Jordan K. Hubbard
63f8d699ac Ugen J.S.Antsilevich's latest, happiest, IP firewall code.
Poul:  Please take this into BETA.  It's non-intrusive, and a rather
substantial improvement over what was there before.
1994-11-16 10:17:11 +00:00
Garrett Wollman
5e9ae478ac Shuffle some functions and variables around to make it possible for
multicast routing to be implemented as an LKM.  (There's still a bit of
work to do in this area.)
1994-09-14 03:10:15 +00:00
Garrett Wollman
01d6dc8860 Disable IPMULTICAST_VIF socket option when MROUTING is not defined,
since it doesn'tmake any sense for non-routers.
CVS:
1994-09-09 22:05:02 +00:00
Garrett Wollman
f0068c4a70 Initial get-the-easy-case-working upgrade of the multicast code
to something more recent than the ancient 1.2 release contained in
4.4.  This code has the following advantages as compared to
previous versions (culled from the README file for the SunOS release):

- True multicast delivery
- Configurable rate-limiting of forwarded multicast traffic on each
  physical interface or tunnel, using a token-bucket limiter.
- Simplistic classification of packets for prioritized dropping.
- Administrative scoping of multicast address ranges.
- Faster detection of hosts leaving groups.
- Support for multicast traceroute (code not yet available).
- Support for RSVP, the Resource Reservation Protocol.

What still needs to be done:

- The multicast forwarder needs testing.
- The multicast routing daemon needs to be ported.
- Network interface drivers need to have the `#ifdef MULTICAST' goop ripped
  out of them.
- The IGMP code should probably be bogon-tested.

Some notes about the porting process:

In some cases, the Berkeley people decided to incorporate functionality from
later releases of the multicast code, but then had to do things differently.
As a result, if you look at Deering's patches, and then look at
our code, it is not always obvious whether the patch even applies.  Let
the reader beware.

I ran ip_mroute.c through several passes of `unifdef' to get rid of
useless grot, and to permanently enable the RSVP support, which we will
include as standard.

Ported by: 	Garrett Wollman
Submitted by:	Steve Deering and Ajit Thyagarajan (among others)
1994-09-06 22:42:31 +00:00
Garrett Wollman
f23b4c91c4 Fix up some sloppy coding practices:
- Delete redundant declarations.
- Add -Wredundant-declarations to Makefile.i386 so they don't come back.
- Delete sloppy COMMON-style declarations of uninitialized data in
  header files.
- Add a few prototypes.
- Clean up warnings resulting from the above.

NB: ioconf.c will still generate a redundant-declaration warning, which
is unavoidable unless somebody volunteers to make `config' smarter.
1994-08-18 22:36:09 +00:00
David Greenman
3c4dd3568f Added $Id$ 1994-08-02 07:55:43 +00:00
David Greenman
b53902964f fixed bug where large amounts of unidirectional UDP traffic would fill
the interface output queue and further udp packets would be fragmented
and only partially sent - keeping the output queue full and jamming the
network, but not actually getting any real work done (because you can't
send just 'part' of a udp packet - if you fragment it, you must send
the whole thing). The fix involves adding a check to make sure that the
output queue has sufficient space for all of the fragments.
1994-08-01 12:01:45 +00:00
Rodney W. Grimes
26f9a76710 The big 4.4BSD Lite to FreeBSD 2.0.0 (Development) patch.
Reviewed by:	Rodney W. Grimes
Submitted by:	John Dyson and David Greenman
1994-05-25 09:21:21 +00:00
Rodney W. Grimes
df8bae1de4 BSD 4.4 Lite Kernel Sources 1994-05-24 10:09:53 +00:00