Commit Graph

40 Commits

Author SHA1 Message Date
Cy Schubert
e5426b9f65 Ansify entry and exit points.
MFC after:	1 month
2017-06-28 19:08:07 +00:00
Cy Schubert
43988e3f50 Replace AF_INET6 ifdefs with USE_INET6 ifdefs. This is more consistent
and guaranteed to build everywhere in ipfilter.

Not all of this commit can be MFCed. Some is original code while others
are not.
2017-06-23 02:42:04 +00:00
Cy Schubert
344add7203 Just like r318173, which was for outputting IPv6 addresses in tree
pools, implement outputting of IPv6 addresses in the ippool debug list
of hash type pools (ippool -l -d -t hash). Currently IPv6 in ippool tree
type pool handling is mostly implemented.
This continues theseries of commits to remediate ippool.

This will be MFCed with a yet to be committed series of fixes to ippool
after it has been fully remediated.

PR:		218433
2017-05-15 03:39:35 +00:00
Cy Schubert
7ee662e8d8 As of r318281, there is no need to put a colon (:) in the message
string.

MFC after:	3 days
X-MFC with:	r318281
2017-05-14 23:45:10 +00:00
Cy Schubert
37e2d2e695 Separate the ipfilter function/static string from the error with a
colon (:) in error messages to assist the user in parsing out the error
from where or which object the error message refers to.

MFC after:	3 days
2017-05-14 21:18:01 +00:00
Cy Schubert
f7448f6347 Add missing linefeed in debug output. 2017-05-12 01:09:24 +00:00
Cy Schubert
9322c566a0 Implement outputting of IPv6 addresses in the ippool debug list of tree
type pools (ippool -l -d -t tree). Currently IPv6 in ippool tree type
pool handling is partially implemented (meaning it doesn't work).
This is the first of a series of commits to remediate ippool.

This will be MFCed with a yet to be committed series of fixes to ippool
after it has been fully remediated.

PR:		218433
2017-05-11 04:39:11 +00:00
Cy Schubert
c6fd01fbbb Use warnx() to issue error message.
Reported by:	cem
MFC after:	1 week
X-MFC with:	r316993, r316994
2017-04-16 04:36:22 +00:00
Cy Schubert
a07d9e9af4 Fix CID 1372601, possible NULL pointer dereference should
reallocarray() fail.

Reported by:	Coverity CID 1372601
MFC after:	1 week
2017-04-16 01:13:47 +00:00
Cy Schubert
3820c3aa3f calloc() and realloc() modernization.
This commit replaces calloc calls, which called calloc() as if it were
malloc() by allocating a multiple of objects as a sizeof multiplied by
the number of objects. The patch rectifies this by calling calloc() as
it was meant to be called.

This commit also replaces realloc() with reallocarray() in a similar
fashion as above. Instead of calculating the memory to reallocated
(changed) by multiplying sizeof by the number of objects, the sizeof
and number are passed as separate arguments to reallocarray(), letting
reallocarray() do the multiplication instead. Like the calloc()
adjustment above, this is approach is cleaner and more elegant than
than the previous code.

This has been tested on my production firewall and a laptop (also
running ipfilter).

Submitted by:	pfg
MFC after:	6 weeks
2017-03-16 04:40:07 +00:00
Cy Schubert
56d5bb4c63 Fix leak (free str before returning when ctx's calloc fails).
Submitted by:	trix_juniper.net (Tom Rix)
Discovered by:	clang's static analyzer
MFC after:	4 days
Relnotes:	ngie
Differential Revision:	D9877
2017-03-03 21:32:27 +00:00
Cy Schubert
971fa117c0 Currently the fragment info is placed at the top of the linked list
under a shared read lock. This patch attempts to upgrade the lock to
an exclusive write lock. If the exclusive write lock fails to be
obtained, the current fragment is not placed at the head of the list.

This portion of the patch was inspired by NetBSD ip_frag.c r1.4 (which
effectively removed the section of code that performed the reordering).

The patch to sys/contrib/ipfilter/netinet/ip_compat.h adds the
MUTEX_TRY_UPGRADE macro to support the patch to ip_frag.c.

The patch to contrib/ipfilter/lib/rwlock_emul.c supports this patch
by emulating the mutex in userspace when exercised by ipftest(1).

Inspired by:	NetBSD ip_frag.c r1.4
MFC after:	1 month
2017-01-26 01:24:05 +00:00
Gleb Smirnoff
56d5e0967c Stop including if_var.h from userland.
Sponsored by:	Nginx, Inc.
2015-04-06 09:42:23 +00:00
Cy Schubert
01991654f8 #536 ipnat can try to print rule as dstlist incorrectly
Approved by:	glebius (mentor)
Obtained from:	ipfilter CVS repo (r1.14), netbsd CVS repo (r1.3)
2014-09-22 16:09:18 +00:00
Cy Schubert
3f3423a0ef #553 gethost needs to zero entire IP address structure
Approved by:	glebius (mentor)
Obtained from:	ipfilter CVS repo (r1.11)
2014-09-22 16:06:37 +00:00
Cy Schubert
c5c5a79fce ipv6 address for test.hosts.dots in wrong byte order.
Approved by:	glebius (mentor)
Obtained from:	ipfilter CVS repo (r1.11), netbsd CVS repo (r1.5)
2014-09-22 16:03:29 +00:00
Sergey Kandaurov
2ddbae33f1 Unbreak with gcc.
I'm tired to see tinderbox spamming.  Feel free to fix it your way.
2014-07-13 10:38:01 +00:00
Cy Schubert
17ff561352 Fix compile-time errors when NO_WERROR and WITHOUT_INET6_SUPPORT
(NO_INET6) are specified.

Approved by:	glebius
MFC after:	1 week
2014-07-05 07:15:19 +00:00
Cy Schubert
bfc88dcbf7 Update ipfilter 4.1.28 --> 5.1.2.
Approved by:		glebius (mentor)
BSD Licensed by:	Darren Reed <darrenr@reed.wattle.id.au> (author)
2013-09-06 23:11:19 +00:00
Cy Schubert
f27f47054d As per the developers handbook (5.3.1 step 1), prepare the vendor trees for
import of new ipfilter vendor sources by flattening them.

To keep the tags consistent with dist, the tags are also flattened.

Approved by:	glebius (Mentor)
2013-07-19 05:41:57 +00:00
Stanislav Sedov
6760b335c6 - Prevent buffer overflow in IPFilter's load_http function used to load
ipfilter tables via http by the user-level ippool utility. Previously
  the 1024-byte buffer used to store a http request coudld easily overflow
  if the length of the hostname part of the url passes exceeded 496 bytes. [1]
- Use snprintf to prevent possieble buffer overflows in future. [2]
- Do not try to close the descriptor twice on failure. [2]

Reported by:	Maksymilian Arciemowicz <cxib@securityreason.com> [1]
Obtained from:	NetBSD CVS [2]
MFC after:	2 weeks
2009-05-29 16:24:23 +00:00
Darren Reed
52c7653383 2020447 IPFilter's NAT can undo name server random port selection
Approved by:	darrenr
MFC after:	1 week
Security:	CERT VU#521769
2008-07-24 12:35:05 +00:00
Darren Reed
e86e344222 Pullup IPFilter 4.1.28 from the vendor branch into HEAD.
MFC after:	7 days
2007-10-18 21:52:14 +00:00
Darren Reed
39ff65a633 Import IPFilter 4.1.28 2007-10-18 21:42:51 +00:00
Darren Reed
9a214eca1f This commit was generated by cvs2svn to compensate for changes in r172771,
which included commits to RCS files with non-trunk default branches.
2007-10-18 21:42:51 +00:00
Darren Reed
c485ab2d8d Remove files no longer required to build IPFilter 2007-06-04 03:07:34 +00:00
Darren Reed
d7eeb25225 Merge IPFilter 4.1.23 back to HEAD
See src/contrib/ipfilter/HISTORY for details of changes since 4.1.13
2007-06-04 02:54:36 +00:00
Darren Reed
4a9a9e0514 Import IPFilter 4.1.23 to vendor branch.
See src/contrib/ipfilter/HISTORY for details of changes since 4.1.13
2007-06-04 02:50:28 +00:00
Darren Reed
2bf2a702cc This commit was generated by cvs2svn to compensate for changes in r170263,
which included commits to RCS files with non-trunk default branches.
2007-06-04 02:50:28 +00:00
Guido van Rooij
dac098f2c9 Resolve conflicts
MFC after:	1 weeks
2006-08-16 12:23:02 +00:00
Guido van Rooij
4e39c44e09 Import IP Filter 4.1.13 2006-08-16 11:51:32 +00:00
Guido van Rooij
2b8b5c44fc This commit was generated by cvs2svn to compensate for changes in r161351,
which included commits to RCS files with non-trunk default branches.
2006-08-16 11:51:32 +00:00
Guido van Rooij
25508d6cfb Resolve conflicts (and believe me...you don't want to know). 2005-12-30 11:52:26 +00:00
Guido van Rooij
e246b3be6f Import IP Filter 4.1.10 2005-12-30 11:34:54 +00:00
Guido van Rooij
855921cec5 This commit was generated by cvs2svn to compensate for changes in r153877,
which included commits to RCS files with non-trunk default branches.
2005-12-30 11:34:54 +00:00
Darren Reed
721c3c7cc6 Fix some minor problems before release:
(1) "ipf -T" is broken for fetching single entries and
(2) loading rules with numbered collections does not order insertion right.
(3) stats aren't accumulated for hash table memory failures

Approved by: re (dwhite)
2005-06-23 14:19:02 +00:00
Darren Reed
e01de6cda3 Don't use quad_t on FreeBSD (deprecated) so use "long long" instead.
Someday this should be converted to uint64_t and printstate.c changed to
use those horrid PRiud64 things.
2005-04-28 21:36:30 +00:00
Darren Reed
eaa8e3e8c5 Fix problems with building libipf:
ipf_dontuning.c - change the include to look in netinet for ipl.h
ipft_tx.c - make the private use of arrays with tcp flags info in them more
            not use names that can be "confusing"
2005-04-26 14:27:12 +00:00
Darren Reed
750e88322f * Someone imported a lot of files with the wrong CVS tag, so lots of files need
that fixed in them....
* Keep unnecessary files out of the non-vendor part of this CVS repository.
2005-04-25 18:20:15 +00:00
Darren Reed
144279dcb8 import ipfilter 4.1.8 into the vendor branch 2005-04-25 17:31:50 +00:00