Commit Graph

2235 Commits

Author SHA1 Message Date
Andre Oppermann
1600372b6b Ignore ICMP Source Quench messages for TCP sessions. Source Quench is
ineffective, depreciated and can be abused to degrade the performance
of active TCP sessions if spoofed.

Replace a bogus call to tcp_quench() in tcp_output() with the direct
equivalent tcpcb variable assignment.

Security:	draft-gont-tcpm-icmp-attacks-03.txt Section 7.1
MFC after:	3 days
2005-04-21 12:37:12 +00:00
Gleb Smirnoff
9dc1f8e41e Remove anti-LOR bandaid, it is not needed now.
Sponsored by:	Rambler
2005-04-20 09:32:05 +00:00
Poul-Henning Kamp
6196e2db3e Make DUMMYNET compile without INET6 2005-04-19 10:12:21 +00:00
Poul-Henning Kamp
d137deac11 typo 2005-04-19 10:04:38 +00:00
Poul-Henning Kamp
7292e12676 Make IPFIREWALL compile without INET6 2005-04-19 09:56:14 +00:00
Brooks Davis
8195404bed Add IPv6 support to IPFW and Dummynet.
Submitted by:	Mariano Tortoriello and Raffaele De Lorenzo (via luigi)
2005-04-18 18:35:05 +00:00
Paul Saab
b7c755717c Rewrite of tcp_update_sack_list() to make it simpler and more readable
than our original OpenBSD derived version.

Submitted by:	Noritoshi Demizu
Reviewed by:	Mohan Srinivasan, Raja Mukerji
2005-04-18 18:10:56 +00:00
Brooks Davis
27a2f39bcf Centralized finding the protocol header in IP packets in preperation for
IPv6 support.  The header in IPv6 is more complex then in IPv4 so we
want to handle skipping over it in one location.

Submitted by:	Mariano Tortoriello and Raffaele De Lorenzo (via luigi)
2005-04-15 00:47:44 +00:00
Paul Saab
25e6f9ed4b Fix for a TCP SACK bug where more than (win/2) bytes could have been
in flight in SACK recovery.

Found by:	Noritoshi Demizu
Submitted by:	Mohan Srinivasan <mohans at yahoo-inc dot com>
		Noritoshi Demizu <demizu at dd dot ij4u dot or dot jp>
		Raja Mukerji <raja at moselle dot com>
2005-04-14 20:09:52 +00:00
Paul Saab
cf09195ba5 - Tighten up the Timestamp checks to prevent a spoofed segment from
setting ts_recent to an arbitrary value, stopping further
  communication between the two hosts.
- If the Echoed Timestamp is greater than the current time,
  fall back to the non RFC 1323 RTT calculation.

Submitted by:	Raja Mukerji (raja at moselle dot com)
Reviewed by:	Noritoshi Demizu, Mohan Srinivasan
2005-04-10 05:24:59 +00:00
Paul Saab
e346eeff65 - If the reassembly queue limit was reached or if we couldn't allocate
a reassembly queue state structure, don't update (receiver) sack
  report.
- Similarly, if tcp_drain() is called, freeing up all items on the
  reassembly queue, clean the sack report.

Found, Submitted by:	Noritoshi Demizu <demizu at dd dot iij4u dot or dot jp>
Reviewed by:	Mohan Srinivasan (mohans at yahoo-inc dot com),
		Raja Mukerji (raja at moselle dot com).
2005-04-10 05:21:29 +00:00
Paul Saab
b962fa74b5 When the rightmost SACK block expands, rcv_lastsack should be updated.
(Fix for kern/78226).

Submitted by : Noritoshi Demizu <demizu at dd dot iij4u dot or dot jp>
Reviewed by  : Mohan Srinivasan (mohans at yahoo-inc dot com),
               Raja Mukerji (raja at moselle dot com).
2005-04-10 05:20:10 +00:00
Paul Saab
da39f5b963 Remove some unused sack fields.
Submitted by : Noritoshi Demizu, Mohan Srinivasan.
2005-04-10 05:19:22 +00:00
Maxim Konovalov
800af1fb81 o Nano optimize ip_reass() code path for the first fragment: do not
try to reasseble the packet from the fragments queue with the only
fragment, finish with the first fragment as soon as we create a queue.

Spotted by:	Vijay Singh

o Drop the fragment if maxfragsperpacket == 0, no chances we
will be able to reassemble the packet in future.

Reviewed by:	silby
2005-04-08 10:25:13 +00:00
Maxim Konovalov
29f2a6ec18 o Tweak the comment a bit. 2005-04-08 08:43:21 +00:00
Maxim Konovalov
e99971bf2f o Disable random port allocation when ip.portrange.first ==
ip.portrange.last and there is the only port for that because:
a) it is not wise; b) it leads to a panic in the random ip port
allocation code.  In general we need to disable ip port allocation
randomization if the last - first delta is ridiculous small.

PR:		kern/79342
Spotted by:	Anjali Kulkarni
Glanced at by:	silby
MFC after:	2 weeks
2005-04-08 08:42:10 +00:00
Gleb Smirnoff
8351d04f34 When a packet has been reinjected into ipfw(4) after dummynet(4) processing
we have a non-NULL args.rule. If the same packet later is subject to "tee"
rule, its original is sent again into ipfw_chk() and it reenters at the same
rule. This leads to infinite loop and frozen router.

Assign args.rule to NULL, any time we are going to send packet back to
ipfw_chk() after a tee rule. This is a temporary workaround, which we
will leave for RELENG_5. In HEAD we are going to make divert(4) save
next rule the same way as dummynet(4) does.

PR:		kern/79546
Submitted by:	Oleg Bulyzhin
Reviewed by:	maxim, andre
MFC after:	3 days
2005-04-06 14:00:33 +00:00
Brooks Davis
a0d17f7e98 Use ACTION_PTR(r) instead of (r->cmd + r->act_ofs).
Reviewed by:	md5
2005-04-06 00:26:08 +00:00
Brooks Davis
f4ff11976d Make dummynet_flush() match its prototype. 2005-04-05 23:38:16 +00:00
Poul-Henning Kamp
a8bc22b47a natd core dumps when -reverse switch is used because of a bug in
libalias.

In /usr/src/lib/libalias/alias.c, the functions LibAliasIn and
LibAliasOutTry call the legacy PacketAliasIn/PacketAliasOut instead
of LibAliasIn/LibAliasOut when the PKT_ALIAS_REVERSE option is set.
In this case, the context variable "la" gets lost because the legacy
compatibility routines expect "la" to be global.  This was obviously
an oversight when rewriting the PacketAlias* functions to the
LibAlias* functions.

The fix (as shown in the patch below) is to remove the legacy
subroutine calls and replace with the new ones using the "la" struct
as the first arg.

Submitted by:	Gil Kloepfer <fgil@kloepfer.org>
Confirmed by:	<nicolai@catpipe.net>
PR:		76839
MFC after:	3 days
2005-04-05 13:04:35 +00:00
Gleb Smirnoff
4cb39345c0 When several carp interfaces are attached to Ethernet interface,
carp_carpdev_state_locked() is called every time carp interface is attached.
The first call backs up flags of the first interface, and the second
call backs up them again, erasing correct values.
  To solve this, a carp_sc_state_locked() function is introduced. It is
called when interface is attached to parent, instead of calling
carp_carpdev_state_locked. carp_carpdev_state_locked() calls
carp_sc_state_locked() for each sc in chain.

Reported by:	Yuriy N. Shkandybin, sem
2005-03-30 11:44:43 +00:00
Gleb Smirnoff
d1a4742962 - Don't free mbuf, passed to interface output method if the latter
returns error. In this case mbuf has already been freed. [1]
- Remove redundant declaration.

PR:		kern/78893 [1]
Submitted by:	Liang Yi [1]
Reviewed by:	sam
MFC after:	1 day
2005-03-29 13:43:09 +00:00
Sam Leffler
812d865346 eliminate extraneous null ptr checks
Noticed by:	Coverity Prevent analysis tool
2005-03-29 01:10:46 +00:00
Sam Leffler
5309f84168 deal with malloc failures
Noticed by:	Coverity Prevent analysis tool
Together with:	mdodd
2005-03-26 22:20:22 +00:00
Maxim Konovalov
6ee79c59d2 o Document net.inet.ip.portrange.random* sysctls.
o Correct a comment about random port allocation threshold
implementation.

Reviewed by:	silby, ru
MFC after:	3 days
2005-03-23 09:26:38 +00:00
Gleb Smirnoff
d4d2297060 ifma_protospec is a pointer. Use NULL when assigning or compating it. 2005-03-20 14:31:45 +00:00
Gleb Smirnoff
50bb170471 Remove a workaround from previos revision. It proved to be incorrect.
Add two another workarounds for carp(4) interfaces:
- do not add connected route when address is assigned to carp(4) interface
- do not add connected route when other interface goes down

Embrace workarounds with #ifdef DEV_CARP
2005-03-20 10:27:17 +00:00
Gleb Smirnoff
ee6f227017 If vhid exists return more informative EEXIST instead of EINVAL. While here
remove redundant brackets.
2005-03-18 13:41:38 +00:00
Gleb Smirnoff
9860bab349 Fix a potential crash that could occur when CARP_LOG is being used.
Obtained from:	OpenBSD (pat)
2005-03-18 13:18:34 +00:00
Sam Leffler
6a9909b5e6 plug resource leak
Noticed by:	Coverity Prevent analysis tool
2005-03-16 05:27:19 +00:00
Robert Watson
d2bc35ab29 In tcp_usr_send(), broaden coverage of the socket buffer lock in the
non-OOB case so that the sbspace() check is performed under the same
lock instance as the append to the send socket buffer.

MFC after:	1 week
2005-03-14 22:15:14 +00:00
Gleb Smirnoff
422a115a4a Embrace with #ifdef DEV_CARP carp-related code. 2005-03-13 11:23:22 +00:00
Gleb Smirnoff
0504a89fdd Add antifootshooting workaround, which will make all routes "connected"
to carp(4) interfaces host routes. This prevents a problem, when connected
network is routed to carp(4) interface.
2005-03-10 15:26:45 +00:00
Paul Saab
e891d82b56 Add limits on the number of elements in the sack scoreboard both
per-connection and globally. This eliminates potential DoS attacks
where SACK scoreboard elements tie up too much memory.

Submitted by:	Raja Mukerji (raja at moselle dot com).
Reviewed by:	Mohan Srinivasan (mohans at yahoo-inc dot com).
2005-03-09 23:14:10 +00:00
Gleb Smirnoff
2ef4a436e0 Make ARP do not complain about wrong interface if correct interface
is a carp one and address matched it.

Reviewed by:	brooks
2005-03-09 10:00:01 +00:00
Joe Marcus Clarke
70037e98c4 Fix a problem in the Skinny ALG where a specially crafted packet could cause
a libalias application (e.g.  natd, ppp, etc.) to crash.  Note: Skinny support
is not enabled in natd or ppp by default.

Approved by:	secteam (nectar)
MFC after:	1 day
Secuiryt:	This fixes a remote DoS exploit
2005-03-03 03:06:37 +00:00
Gleb Smirnoff
b82936c5d4 Fix typo. Unbreak build. Take pointy hat. 2005-03-02 09:11:18 +00:00
Gleb Smirnoff
d220759b41 Add more locking when reading/writing to carp softc. When carp softc is
attached to a parent interface we use its mutex to lock the softc. This
means that in several places like carp_ioctl() we lock softc conditionaly.
This should be redesigned.

To avoid LORs when MII announces us a link state change, we schedule
a quick callout and call carp_carpdev_state_locked() from it.

Initialize callouts using NET_CALLOUT_MPSAFE.

Sponsored by:	Rambler
Reviewed by:	mlaier
2005-03-01 13:14:33 +00:00
Gleb Smirnoff
d92d54d54d - Add carp_mtx. Use it to protect list of all carp interfaces.
- In carp_send_ad_all() walk through list of all carp interfaces
  instead of walking through list of all interfaces.

Sponsored by:	Rambler
Reviewed by:	mlaier
2005-03-01 12:36:07 +00:00
Gleb Smirnoff
31199c8463 Use NET_CALLOUT_MPSAFE macro. 2005-03-01 12:01:17 +00:00
Gleb Smirnoff
3a84d72a78 Revert change to struct ifnet. Use ifnet pointer in softc. Embedding
ifnet into smth will soon be removed.

Requested by:	brooks
2005-03-01 10:59:14 +00:00
Gleb Smirnoff
4358dfc32f Remove debugging printf.
Reviewed by:	mlaier
2005-03-01 09:31:36 +00:00
Yaroslav Tykhiy
630481bb92 Support running carp(4) over a vlan(4) parent interface.
Encouraged by:	glebius
2005-02-28 16:19:11 +00:00
Gleb Smirnoff
1d0a237660 Remove unused field from carp softc.
OK'ed by:	mcbride@OpenBSD
2005-02-28 11:57:03 +00:00
Gleb Smirnoff
3e07def4cd Fix tcpdump(8) on carp(4) interface:
- Use our loop DLT type, not OpenBSD. [1]
- The fields that are converted to network byte order are not 32-bit
  fields but 16-bit fields, so htons should be used in htonl. [1]
- Secondly, ip_input changes ip->ip_len into its value without
  the ip-header length. So, restore the length to make bpf happy. [1]
- Use bpf_mtap2(), use temporary af1, since bpf_mtap2 doesn't
  understand uint8_t af identifier.

Submitted by:	Frank Volf [1]
2005-02-28 11:54:36 +00:00
Paul Saab
8291294024 If the receiver sends an ack that is out of [snd_una, snd_max],
ignore the sack options in that segment. Else we'd end up
corrupting the scoreboard.

Found by:	Raja Mukerji (raja at moselle dot com)
Submitted by:	Mohan Srinivasan
2005-02-27 20:39:04 +00:00
Max Laier
a4e5390551 Unbreak the build. carp_iamatch6 and carp_macmatch6 are not supposed to be
static as they are used elsewhere.
2005-02-27 11:32:26 +00:00
Gleb Smirnoff
e8c34a71eb Remove carp_softc.sc_ifp member in favor of union pointers in struct ifnet.
Obtained from:	OpenBSD
2005-02-26 13:55:07 +00:00
Gleb Smirnoff
5c1f0f6de5 Staticize local functions. 2005-02-26 10:33:14 +00:00
Gleb Smirnoff
88bf82a62e New lines when logging. 2005-02-25 11:26:39 +00:00