pools, implement outputting of IPv6 addresses in the ippool debug list
of hash type pools (ippool -l -d -t hash). Currently IPv6 in ippool tree
type pool handling is mostly implemented.
This continues theseries of commits to remediate ippool.
This will be MFCed with a yet to be committed series of fixes to ippool
after it has been fully remediated.
PR: 218433
type pools (ippool -l -d -t tree). Currently IPv6 in ippool tree type
pool handling is partially implemented (meaning it doesn't work).
This is the first of a series of commits to remediate ippool.
This will be MFCed with a yet to be committed series of fixes to ippool
after it has been fully remediated.
PR: 218433
This commit replaces calloc calls, which called calloc() as if it were
malloc() by allocating a multiple of objects as a sizeof multiplied by
the number of objects. The patch rectifies this by calling calloc() as
it was meant to be called.
This commit also replaces realloc() with reallocarray() in a similar
fashion as above. Instead of calculating the memory to reallocated
(changed) by multiplying sizeof by the number of objects, the sizeof
and number are passed as separate arguments to reallocarray(), letting
reallocarray() do the multiplication instead. Like the calloc()
adjustment above, this is approach is cleaner and more elegant than
than the previous code.
This has been tested on my production firewall and a laptop (also
running ipfilter).
Submitted by: pfg
MFC after: 6 weeks
under a shared read lock. This patch attempts to upgrade the lock to
an exclusive write lock. If the exclusive write lock fails to be
obtained, the current fragment is not placed at the head of the list.
This portion of the patch was inspired by NetBSD ip_frag.c r1.4 (which
effectively removed the section of code that performed the reordering).
The patch to sys/contrib/ipfilter/netinet/ip_compat.h adds the
MUTEX_TRY_UPGRADE macro to support the patch to ip_frag.c.
The patch to contrib/ipfilter/lib/rwlock_emul.c supports this patch
by emulating the mutex in userspace when exercised by ipftest(1).
Inspired by: NetBSD ip_frag.c r1.4
MFC after: 1 month
import of new ipfilter vendor sources by flattening them.
To keep the tags consistent with dist, the tags are also flattened.
Approved by: glebius (Mentor)
ipfilter tables via http by the user-level ippool utility. Previously
the 1024-byte buffer used to store a http request coudld easily overflow
if the length of the hostname part of the url passes exceeded 496 bytes. [1]
- Use snprintf to prevent possieble buffer overflows in future. [2]
- Do not try to close the descriptor twice on failure. [2]
Reported by: Maksymilian Arciemowicz <cxib@securityreason.com> [1]
Obtained from: NetBSD CVS [2]
MFC after: 2 weeks
(1) "ipf -T" is broken for fetching single entries and
(2) loading rules with numbered collections does not order insertion right.
(3) stats aren't accumulated for hash table memory failures
Approved by: re (dwhite)
ipf_dontuning.c - change the include to look in netinet for ipl.h
ipft_tx.c - make the private use of arrays with tcp flags info in them more
not use names that can be "confusing"