Commit Graph

154 Commits

Author SHA1 Message Date
Cy Schubert
bfc88dcbf7 Update ipfilter 4.1.28 --> 5.1.2.
Approved by:		glebius (mentor)
BSD Licensed by:	Darren Reed <darrenr@reed.wattle.id.au> (author)
2013-09-06 23:11:19 +00:00
Cy Schubert
f27f47054d As per the developers handbook (5.3.1 step 1), prepare the vendor trees for
import of new ipfilter vendor sources by flattening them.

To keep the tags consistent with dist, the tags are also flattened.

Approved by:	glebius (Mentor)
2013-07-19 05:41:57 +00:00
Gleb Smirnoff
9711a168b9 Retire struct sockaddr_inarp.
Since ARP and routing are separated, "proxy only" entries
don't have any meaning, thus we don't need additional field
in sockaddr to pass SIN_PROXY flag.

New kernel is binary compatible with old tools, since sizes
of sockaddr_inarp and sockaddr_in match, and sa_family are
filled with same value.

The structure declaration is left for compatibility with
third party software, but in tree code no longer use it.

Reviewed by:	ru, andre, net@
2013-01-31 08:55:21 +00:00
Pedro F. Giffuni
646a7fea0c Clean some 'svn:executable' properties in the tree.
Submitted by:	Christoph Mallon
MFC after:	3 days
2013-01-26 22:08:21 +00:00
Mark Murray
c268cdfc23 Fix paths for example files. 2010-11-18 18:22:58 +00:00
Rui Paulo
be0479174b Use pcap's bpf header, not our own copy of it. 2010-10-29 21:23:34 +00:00
Christian Brueffer
26cad3b64f Comment in the BUGS section header. Matches what's in ipfilter 5.10.
PR:		144880
Submitted by:	Glen Barber <glen.j.barber@gmail.com>
MFC after:	1 week
2010-05-12 00:56:53 +00:00
Ed Schouten
bb505a4f0f Remove unneeded include of <sys/timeb.h>.
This header file should not be included by anything.
2010-03-09 20:58:15 +00:00
Darren Reed
7484474781 fix spelling mistake 2009-11-19 08:10:24 +00:00
Roman Divacky
5caf16048e Fix a typo that causes the for loop to exit immediately. There's
identical loop a few lines above.

Reviewed by: sam
Approved by: ed (mentor)
Silence from: darrenr (maintainer)
2009-06-16 13:31:01 +00:00
Stanislav Sedov
6760b335c6 - Prevent buffer overflow in IPFilter's load_http function used to load
ipfilter tables via http by the user-level ippool utility. Previously
  the 1024-byte buffer used to store a http request coudld easily overflow
  if the length of the hostname part of the url passes exceeded 496 bytes. [1]
- Use snprintf to prevent possieble buffer overflows in future. [2]
- Do not try to close the descriptor twice on failure. [2]

Reported by:	Maksymilian Arciemowicz <cxib@securityreason.com> [1]
Obtained from:	NetBSD CVS [2]
MFC after:	2 weeks
2009-05-29 16:24:23 +00:00
Bjoern A. Zeeb
01b5749292 Remove udp and tcp includes not needed here.
Tripped over by: a compile of an upcoming change
MFC after:	1 month
2009-04-25 19:14:22 +00:00
Qing Li
6e6b3f7cbc This main goals of this project are:
1. separating L2 tables (ARP, NDP) from the L3 routing tables
2. removing as much locking dependencies among these layers as
   possible to allow for some parallelism in the search operations
3. simplify the logic in the routing code,

The most notable end result is the obsolescent of the route
cloning (RTF_CLONING) concept, which translated into code reduction
in both IPv4 ARP and IPv6 NDP related modules, and size reduction in
struct rtentry{}. The change in design obsoletes the semantics of
RTF_CLONING, RTF_WASCLONE and RTF_LLINFO routing flags. The userland
applications such as "arp" and "ndp" have been modified to reflect
those changes. The output from "netstat -r" shows only the routing
entries.

Quite a few developers have contributed to this project in the
past: Glebius Smirnoff, Luigi Rizzo, Alessandro Cerri, and
Andre Oppermann. And most recently:

- Kip Macy revised the locking code completely, thus completing
  the last piece of the puzzle, Kip has also been conducting
  active functional testing
- Sam Leffler has helped me improving/refactoring the code, and
  provided valuable reviews
- Julian Elischer setup the perforce tree for me and has helped
  me maintaining that branch before the svn conversion
2008-12-15 06:10:57 +00:00
Max Laier
cf179d53ae Fix build when WITHOUT_DYNAMICROOT is specified in src.conf(5). 2008-08-04 22:45:27 +00:00
Darren Reed
52c7653383 2020447 IPFilter's NAT can undo name server random port selection
Approved by:	darrenr
MFC after:	1 week
Security:	CERT VU#521769
2008-07-24 12:35:05 +00:00
Dag-Erling Smørgrav
c3c6456251 For unfathomable reasons, ipfilter abuses kernel data structures for its
own purposes.  To pull this off, it defines _KERNEL before including the
headers where these structures are defined.  This leads to no end of
trouble when some of these headers, or other headers that they include,
change, as demonstrated by r180755.

The quick fix in this particular case is to define _WANT_FILE instead of
_KERNEL, conditional on __FreeBSD__.  A better long-term fix is left as
an exercise to the reader.
2008-07-23 16:34:53 +00:00
Darren Reed
e86e344222 Pullup IPFilter 4.1.28 from the vendor branch into HEAD.
MFC after:	7 days
2007-10-18 21:52:14 +00:00
Darren Reed
39ff65a633 Import IPFilter 4.1.28 2007-10-18 21:42:51 +00:00
Darren Reed
9a214eca1f This commit was generated by cvs2svn to compensate for changes in r172771,
which included commits to RCS files with non-trunk default branches.
2007-10-18 21:42:51 +00:00
Darren Reed
a909f8869b ipfstat should parse "any" when used with -D/-S command line options
PR:	bin/113879
Submitted by:	kabe@sra-tohoku.co.jp
Reviewed by:	darrenr
Approved by:	re
2007-06-24 16:39:12 +00:00
Darren Reed
c485ab2d8d Remove files no longer required to build IPFilter 2007-06-04 03:07:34 +00:00
Darren Reed
d7eeb25225 Merge IPFilter 4.1.23 back to HEAD
See src/contrib/ipfilter/HISTORY for details of changes since 4.1.13
2007-06-04 02:54:36 +00:00
Darren Reed
4a9a9e0514 Import IPFilter 4.1.23 to vendor branch.
See src/contrib/ipfilter/HISTORY for details of changes since 4.1.13
2007-06-04 02:50:28 +00:00
Darren Reed
2bf2a702cc This commit was generated by cvs2svn to compensate for changes in r170263,
which included commits to RCS files with non-trunk default branches.
2007-06-04 02:50:28 +00:00
Guido van Rooij
dac098f2c9 Resolve conflicts
MFC after:	1 weeks
2006-08-16 12:23:02 +00:00
Guido van Rooij
4e39c44e09 Import IP Filter 4.1.13 2006-08-16 11:51:32 +00:00
Guido van Rooij
2b8b5c44fc This commit was generated by cvs2svn to compensate for changes in r161351,
which included commits to RCS files with non-trunk default branches.
2006-08-16 11:51:32 +00:00
Darren Reed
649a43212c fix "ipf -Z" reporting rubbish and possibly panic'ing box
MFC after:	4 days
2006-04-18 13:24:14 +00:00
Darren Reed
94341e74d5 Add a man page for mkfilters(1) and put the corrected perl script in the
ipfilter usr/share directory

PR:     docs/26879
2006-02-27 11:22:20 +00:00
Guido van Rooij
25508d6cfb Resolve conflicts (and believe me...you don't want to know). 2005-12-30 11:52:26 +00:00
Guido van Rooij
e246b3be6f Import IP Filter 4.1.10 2005-12-30 11:34:54 +00:00
Guido van Rooij
855921cec5 This commit was generated by cvs2svn to compensate for changes in r153877,
which included commits to RCS files with non-trunk default branches.
2005-12-30 11:34:54 +00:00
Darren Reed
0e6e3d9f1c Remove these files from src/contrib/ipfilter as they are already present
in src/sys/contrib/ipfilter/netinet.  Makefile's reachover bits find what
they need so building is unaffected.

Approved by: re (dwhite)
2005-06-23 14:22:02 +00:00
Darren Reed
721c3c7cc6 Fix some minor problems before release:
(1) "ipf -T" is broken for fetching single entries and
(2) loading rules with numbered collections does not order insertion right.
(3) stats aren't accumulated for hash table memory failures

Approved by: re (dwhite)
2005-06-23 14:19:02 +00:00
Eivind Eklund
466aa63579 Since this is already off the vendor branch: Our kernel is now in
/boot/kernel/kernel, not plain /kernel
2005-05-27 01:09:42 +00:00
Olivier Houchard
6ffb8d33c7 arm defaults to unsigned char as well. 2005-05-24 21:25:32 +00:00
Darren Reed
051adc35a2 Enable building /sbin/ipf (but not the rescue version) with the ability to
parse bpf strings for filter rules in ipf.conf
2005-05-16 16:22:55 +00:00
Peter Grehan
9fce4d1d91 Fix tinderbox build on ppc.
Requested by:  mlaier
2005-05-08 00:29:15 +00:00
Darren Reed
e01de6cda3 Don't use quad_t on FreeBSD (deprecated) so use "long long" instead.
Someday this should be converted to uint64_t and printstate.c changed to
use those horrid PRiud64 things.
2005-04-28 21:36:30 +00:00
Darren Reed
cf4ee2c933 Patches from Ruslam Ermilov to remove NetBSD bits from Makefiles and cleanup
build problems with rescue.
2005-04-28 16:26:35 +00:00
Darren Reed
dfb07485de Fix include directives that were missing the netinet include directory, where
the ipl.h file is found.  Also add back in ip_fil.c, which somehow went missing
in action.
2005-04-26 15:18:45 +00:00
Darren Reed
984f8800d4 Missing file from vendor branch import. 2005-04-26 14:59:26 +00:00
Darren Reed
eaa8e3e8c5 Fix problems with building libipf:
ipf_dontuning.c - change the include to look in netinet for ipl.h
ipft_tx.c - make the private use of arrays with tcp flags info in them more
            not use names that can be "confusing"
2005-04-26 14:27:12 +00:00
Darren Reed
0eb958a2b7 this file does not belong in a freebsd distribution 2005-04-25 19:15:19 +00:00
Darren Reed
750e88322f * Someone imported a lot of files with the wrong CVS tag, so lots of files need
that fixed in them....
* Keep unnecessary files out of the non-vendor part of this CVS repository.
2005-04-25 18:20:15 +00:00
Darren Reed
74708a0492 these files should never have been imported...they are junk 2005-04-25 17:40:37 +00:00
Darren Reed
83b71dcb90 This commit was generated by cvs2svn to compensate for changes in r145513,
which included commits to RCS files with non-trunk default branches.
2005-04-25 17:40:37 +00:00
Darren Reed
144279dcb8 import ipfilter 4.1.8 into the vendor branch 2005-04-25 17:31:50 +00:00
Darren Reed
3c911a00da This commit was generated by cvs2svn to compensate for changes in r145510,
which included commits to RCS files with non-trunk default branches.
2005-04-25 17:31:50 +00:00
Darren Reed
0076f43158 Committ changes from 3.4.31 -> 3.4.35
* fix bug parsing port comparisons in proxy rules
* make parsing errors in ipf/ipnat return an error rather than return
  indicating success.
* make parsing errors in ipf/ipnat return an error rather than return
  indicating success.
* make ipfstat work as a set{g,u}id thing - gave up privs before opening
  /dev/ipl
* fix ipfstat -A
* make "ipfstat -f" output more informative
* various changes to ipsend for sending packets with ipv4 options
* ipmon was not correctly calculating the length of the IPv6 packet (excluded
  ipv6 header length)

MFC:	1 week
2004-06-21 22:53:03 +00:00