Commit Graph

185 Commits

Author SHA1 Message Date
Julian Elischer
e256a933a8 Reverse the default sense of the IPFW/DIVERT reinjection code
so that the new behaviour is now default.
Solves the "infinite loop in diversion" problem when more than one diversion
is active.
Man page changes follow.

The new code is in -stable as the NON default option.
1998-06-05 22:40:01 +00:00
Julian Elischer
bb60f459a0 Add optional code to change the way that divert and ipfw work together.
Prior to this change, Accidental recursion protection was done by
the diverted daemon feeding back the divert port number it got
the packet on, as the port number on a sendto(). IPFW knew not to
redivert a packet to this port (again). Processing of the ruleset
started at the beginning again, skipping that divert port.

The new semantic (which is how we should have done it the first time)
is that the port number in the sendto() is the rule number AFTER which
processing should restart, and on a recvfrom(), the port number is the
rule number which caused the diversion. This is much more flexible,
and also more intuitive. If the user uses the same sockaddr received
when resending, processing resumes at the rule number following that
that caused the diversion. The user can however select to resume rule
processing at any rule. (0 is restart at the beginning)

To enable the new code use

option	IPFW_DIVERT_RESTART

This should become the default as soon as people have looked at it a bit
1998-05-25 10:37:48 +00:00
David Greenman
1f91d8c563 Added fast IP forwarding code by Matt Thomas <matt@3am-software.com> via
NetBSD, ported to FreeBSD by Pierre Beyssac <pb@fasterix.freenix.org> and
minorly tweaked by me.
This is a standard part of FreeBSD, but must be enabled with:
"sysctl -w net.inet.ip.fastforwarding=1" ...and of course forwarding must
also be enabled. This should probably be modified to use the zone
allocator for speed and space efficiency. The current algorithm also
appears to lose if the number of active paths exceeds IPFLOW_MAX (256),
in which case it wastes lots of time trying to figure out which cache
entry to drop.
1998-05-19 14:04:36 +00:00
Julian Elischer
20e427a519 Remove the artificial limit on the size of the ipfw filter structure.
This allows the addition of extra fields if we need them (I have plans).
1998-04-21 18:54:53 +00:00
Bruce Evans
c1087c1324 Support compiling with `gcc -ansi'. 1998-04-15 17:47:40 +00:00
Poul-Henning Kamp
227ee8a188 Eradicate the variable "time" from the kernel, using various measures.
"time" wasn't a atomic variable, so splfoo() protection were needed
around any access to it, unless you just wanted the seconds part.

Most uses of time.tv_sec now uses the new variable time_second instead.

gettime() changed to getmicrotime(0.

Remove a couple of unneeded splfoo() protections, the new getmicrotime()
is atomic, (until Bruce sets a breakpoint in it).

A couple of places needed random data, so use read_random() instead
of mucking about with time which isn't random.

Add a new nfs_curusec() function.

Mark a couple of bogosities involving the now disappeard time variable.

Update ffs_update() to avoid the weird "== &time" checks, by fixing the
one remaining call that passwd &time as args.

Change profiling in ncr.c to use ticks instead of time.  Resolution is
the same.

Add new function "tvtohz()" to avoid the bogus "splfoo(), add time, call
hzto() which subtracts time" sequences.

Reviewed by:	bde
1998-03-30 09:56:58 +00:00
Alexander Langer
6d473e818c Allow ICMP unreachable messages to be sent in response to ICMP query
packets (as per Stevens volume 1 section 6.2).
1998-03-15 00:36:27 +00:00
Alexander Langer
ce78a1f6dd Alter ipfw's behavior with respect to fragmented packets when the packet
offset is non-zero:

  - Do not match fragmented packets if the rule specifies a port or
    TCP flags
  - Match fragmented packets if the rule does not specify a port and
    TCP flags

Since ipfw cannot examine port numbers or TCP flags for such packets,
it is now illegal to specify the 'frag' option with either ports or
tcpflags.  Both kernel and ipfw userland utility will reject rules
containing a combination of these options.

BEWARE: packets that were previously passed may now be rejected, and
vice versa.

Reviewed by:	Archie Cobbs <archie@whistle.com>
1998-02-12 00:57:06 +00:00
Eivind Eklund
303b270b0a Staticize. 1998-02-09 06:11:36 +00:00
Eivind Eklund
0b08f5f737 Back out DIAGNOSTIC changes. 1998-02-06 12:14:30 +00:00
Alexander Langer
34c7729f52 Don't attempt to display information which we don't have: specifically,
TCP and UDP port numbers in fragmented packets when IP offset != 0.

2.2.6 candidate.

Discovered by:	Marc Slemko <marcs@znep.com>
Submitted by:	Archie Cobbs <archie@whistle.com> w/fix from me
1998-02-06 02:45:54 +00:00
Eivind Eklund
47cfdb166d Turn DIAGNOSTIC into a new-style option. 1998-02-04 22:34:03 +00:00
Eivind Eklund
1d5e9e2255 Make INET a proper option.
This will not make any of object files that LINT create change; there
might be differences with INET disabled, but hardly anything compiled
before without INET anyway.  Now the 'obvious' things will give a
proper error if compiled without inet - ipx_ip, ipfw, tcp_debug.  The
only thing that _should_ work (but can't be made to compile reasonably
easily) is sppp :-(

This commit move struct arpcom from <netinet/if_ether.h> to
<net/if_arp.h>.
1998-01-08 23:42:31 +00:00
Alexander Langer
1c910ddbf9 Bump up packet and byte counters to 64-bit unsigned ints. As a
consequence, ipfw's list command now adjusts its output at runtime
based on the largest packet/byte counter values.

NOTE:
  o The ipfw struct has changed requiring a recompile of both kernel
    and userland ipfw utility.

  o This probably should not be brought into 2.2.

PR:		3738
1998-01-08 03:03:54 +00:00
Alexander Langer
3415e12232 Use LIST_FIRST/LIST_NEXT macros instead of accessing the fields lh_first
and le_next.
1998-01-05 00:57:15 +00:00
Alexander Langer
52d581cd33 Added missing parens from previous commit. 1998-01-05 00:14:05 +00:00
Alexander Langer
4afea9ab84 Bound the ICMP type bitmap now that it doesn't cover all possible
ICMP type values.
1998-01-05 00:08:57 +00:00
Alexander Langer
51b5c80f31 Reduce the amount of time that network interrupts are blocked while
zeroing & deleting rules.

Return EINVAL when zeroing an nonexistent entry.
1998-01-04 22:36:12 +00:00
Alexander Langer
3b46e732a4 Bring back part of rev 1.44 which was commented out by rev 1.58.
Reviewed by:	nate
1997-12-27 18:44:56 +00:00
Julian Elischer
45d6875df6 Fix an incredibly horrible bug in the ipfw code
where if you are using the "reset tcp" firewall command,
the kernel would write ethernet headers onto random kernel stack locations.

Fought to the death by: terry, julian, archie.
fix valid for 2.2 series as well.
1997-12-19 03:36:15 +00:00
Joerg Wunsch
fbd1372a0b Make IPDIVERT a supported option. Alas, in_var.h depends on it, i
hope i've found out all files that actually depend on this dependancy.
IMHO, it's not very good practice to change the size of internal
structs depending on kernel options.
1997-11-05 20:17:23 +00:00
Poul-Henning Kamp
a1c995b626 Last major round (Unless Bruce thinks of somthing :-) of malloc changes.
Distribute all but the most fundamental malloc types.  This time I also
remembered the trick to making things static:  Put "static" in front of
them.

A couple of finer points by:	bde
1997-10-12 20:26:33 +00:00
Peter Wemm
ffdd472de7 Allow a compile-time override of the ipfw deny rule. For a 'firewall'
you don't want this (and the documentation explains why), but if you
use ipfw as an as-needed casual filter as needed which normally runs as
'allow all' then having the kernel and /sbin/ipfw get out of sync is a
*MAJOR* pain in the behind.

PR: 4141
Submitted by: Heikki Suonsivu <hsu@mail.clinet.fi>
1997-09-10 03:07:14 +00:00
Alexander Langer
643811317c Fixed logging of verbose limited packets.
PR:		4351
Submitted by:	Ron Bickers <rbickers@intercenter.net>
1997-08-23 14:28:22 +00:00
Alexander Langer
37d06d64cd Ensure that the interface name is terminated. 1997-08-06 00:19:05 +00:00
Bruce Evans
1fd0b0588f Removed unused #includes. 1997-08-02 14:33:27 +00:00
Julian Elischer
c7c219131b make it compile with -Wall
Submitted by: Archi Cobbs, archie@whistle.com
1997-06-04 22:09:15 +00:00
Julian Elischer
e4676ba603 Submitted by: Whistle Communications (archie Cobbs)
these are quite extensive additions to the ipfw code.
they include a change to the API because the old method was
broken, but the user view is kept the same.

The new code allows a particular match to skip forward to a particular
line number, so that blocks of rules can be
used without checking all the intervening rules.
There are also many more ways of rejecting
connections especially TCP related, and
many many more ...

see the man page for a complete description.
1997-06-02 05:02:37 +00:00
Alexander Langer
af28de7ca8 Create the default rule with flags IP_FW_F_IN | IP_FW_F_OUT.
Closes PR#3100.
1997-05-06 02:12:18 +00:00
Peter Dufault
0ddf9be1f0 Make MOD_* macros almost consistent:
Use the name argument almost the same in all LKM types.  Maintain
the current behavior for the external (e.g., modstat) name for DEV,
EXEC, and MISC types being #name ## "_mod" and SYCALL and VFS only
#name.  This is a candidate for change and I vote just the name without
the "_mod".

Change the DISPATCH macro to MOD_DISPATCH for consistency with the
other macros.

Add an LKM_ANON #define to eliminate the magic -1 and associated
signed/unsigned warnings.

Add MOD_PRIVATE to support wcd.c's poking around in the lkm structure.

Change source in tree to use the new interface.

Reviewed by:	Bruce Evans
1997-04-06 11:14:13 +00:00
Peter Wemm
6875d25465 Back out part 1 of the MCFH that changed $Id$ to $FreeBSD$. We are not
ready for it yet.
1997-02-22 09:48:43 +00:00
Adam David
839cc09e53 implement "not" keyword for inverting the address logic 1997-01-16 21:04:29 +00:00
Jordan K. Hubbard
1130b656e5 Make the long-awaited change from $Id$ to $FreeBSD$
This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore.  This update would have been
insane otherwise.
1997-01-14 07:20:47 +00:00
Garrett Wollman
59562606b9 Convert the interface address and IP interface address structures
to TAILQs.  Fix places which referenced these for no good reason
that I can see (the references remain, but were fixed to compile
again; they are still questionable).
1996-12-13 21:29:07 +00:00
Bruce Evans
4458ac71b1 Removed nested include if <sys/socket.h> from <net/if.h> and
<net/if_arp.h> and fixed the things that depended on it.  The nested
include just allowed unportable programs to compile and made my
simple #include checking program report that networking code doesn't
need to include <sys/socket.h>.
1996-10-12 19:49:43 +00:00
Alexander Langer
bfcffdaf03 Log the interface name which received the packet.
Suggested by:	Hal Snyder <hsndyer@thoughtport.com>
1996-10-12 19:38:50 +00:00
Alexander Langer
80afcdeef5 Fix the visibility of the sysctl variables.
Submitted by:	phk
1996-08-31 21:05:20 +00:00
Paul Traina
cc98643e68 Completely rewrite handling of protocol field for firewalls, things are
now completely consistent across all IP protocols and should be quite a
bit faster.

Discussed with: fenner & alex
1996-08-13 19:43:41 +00:00
Alexander Langer
71c011477f Filter by IP protocol.
Submitted by: fenner (with modifications by me)

Use a common prefix string for all warning messages generated during
ip_fw_ctl.
1996-08-05 02:35:04 +00:00
Alexander Langer
889fe95791 Switch back to logging accepted packets with the text "Allow" instead
of "Accept"
1996-07-14 21:12:52 +00:00
Julian Elischer
93e0e11657 Adding changes to ipfw and the kernel to support ip packet diversion..
This stuff should not be too destructive if the IPDIVERT is not compiled in..
 be aware that this changes the size of the ip_fw struct
so ipfw needs to be recompiled to use it.. more changes coming to clean this up.
1996-07-10 19:44:30 +00:00
Nate Williams
bce2d3379e Functionality for IPFIREWALL_VERBOSE logging:
- State when we've reached the limit on a particular rule in the kernel logfile
- State when a rule or all rules have been zero'd.

This gives a log of all actions that occur w/regard to the firewall
occurances, and can explain why a particular break-in attempt might not
get logged due to the limit being reached.

Reviewed by:	alex
1996-07-09 20:49:38 +00:00
Alexander Langer
32fb6c089b Reject rules which try to mix ports with incompatible protocols. 1996-06-29 03:33:20 +00:00
Alexander Langer
830b0d3039 Allow fragment checking to work with specific protocols.
Reviewed by:	phk

Reject the addition of rules that will never match (for example,
1.2.3.4:255.255.255.0).  User level utilities specify the policy by either
masking the IP address for the user (as ipfw(8) does) or rejecting the
entry with an error.  In either case, the kernel should not modify chain
entries to make them work.
1996-06-25 00:22:20 +00:00
Bruce Evans
7472e2e0f8 Use IPFIREWALL_MODULE instead of ACTUALLY_LKM_NOT_KERNEL to indicate
LKM'ness.  ACTUALLY_LKM_NOT_KERNEL is supposed to be so ugly that it
only gets used until <machine/conf.h> goes away.  bsd.kmod.mk should
define a better-named general macro for this.  Some places use
PSEUDO_LKM.  This is another bad name.

Makefile:
Added IPFIREWALL_VERBOSE_LIMIT option (commented out).
1996-06-23 14:28:02 +00:00
Alexander Langer
6875d5c1b3 Fix chain numbering bug when the highest line number installed >= 65435
and the rule being added has no explicit line number set.

Submitted by:	Archie Cobbs <archie@whistle.com>
1996-06-17 00:00:35 +00:00
Gary Palmer
5d2541dab0 Don't try to include opt_ipfw.h in LKMs
Submitted by:	Ollivier Robert <roberto@keltia.freenix.fr>
1996-06-13 17:35:28 +00:00
Gary Palmer
74a9466cc2 Convert ipfw to use opt_ipfw.h 1996-06-12 19:34:33 +00:00
Alexander Langer
7a99108603 Big sweep over ipfw, picking up where Poul left off:
- Log ICMP type during verbose output.
  - Added IPFIREWALL_VERBOSE_LIMIT option to prevent denial of service
    attacks via syslog flooding.
  - Filter based on ICMP type.
  - Timestamp chain entries when they are matched.
  - Interfaces can now be matched with a wildcard specification (i.e.
    will match any interface unit for a given name).
  - Prevent the firewall chain from being manipulated when securelevel
    is greater than 2.
  - Fixed bug that allowed the default policy to be deleted.
  - Ability to zero individual accounting entries.
  - Remove definitions of old_chk_ptr and old_ctl_ptr when compiling
    ipfw as a lkm.
  - Remove some redundant code shared between ip_fw_init and ipfw_load.

Closes PRs: 1192, 1219, and 1267.
1996-06-09 23:46:21 +00:00
Gary Palmer
6ddbf1e299 Clean up various compiler warnings. Most (if not all) were benign
Reviewed by:	bde
1996-05-08 04:29:08 +00:00
Poul-Henning Kamp
83606d2247 Several locations in sys/netinet/ip_fw.c are lacking or incorrectly
use spl() functions.

Reviewed by:	phk
Submitted by:	Alex Nash <alex@zen.nash.org>
1996-05-06 20:31:04 +00:00
Poul-Henning Kamp
23bf99538c Add feature for tcp "established".
Change interface between netinet and ip_fw to be more general, and thus
hopefully also support other ip filtering implementations.
1996-04-03 13:52:20 +00:00
Poul-Henning Kamp
ae2a1587f0 Fix wrong logic, certain rules never matched. 1996-02-26 15:28:15 +00:00
Poul-Henning Kamp
09bb5f7589 Make getsockopt() capable of handling more than one mbuf worth of data.
Use this to read rules out of ipfw.
Add the lkm code to ipfw.c
1996-02-24 13:38:28 +00:00
Poul-Henning Kamp
b83e431483 The new firewall functionality:
Filter on the direction (in/out).
	Filter on fragment/not fragment.
1996-02-24 00:17:35 +00:00
Poul-Henning Kamp
a2ebc3ee0f I overlooked this one. 1996-02-23 20:11:37 +00:00
Poul-Henning Kamp
e7319bab6b Big sweep over the IPFIREWALL and IPACCT code.
Close the ip-fragment hole.
Waste less memory.
Rewrite to contemporary more readable style.
Kill separate IPACCT facility, use "accept" rules in IPFIREWALL.
Filter incoming >and< outgoing packets.
Replace "policy" by sticky "deny all" rule.
Rules have numbers used for ordering and deletion.
Remove "rerorder" code entirely.
Count packet & bytecount matches for rules.

Code in -current & -stable is now the same.
1996-02-23 15:47:58 +00:00
Poul-Henning Kamp
821c204e91 Make the sorting of IPFW rules an option. You don't want it to sort them.
>>>WARNING<<<  you may have to revisit your firewall setup.
1996-02-03 11:48:12 +00:00
Bruce Evans
ce7609a49c Completed function declarations and/or added prototypes. 1995-12-02 19:38:06 +00:00
Poul-Henning Kamp
0312fbe97d New style sysctl & staticize alot of stuff. 1995-11-14 20:34:56 +00:00
Poul-Henning Kamp
a98ca4699e Second batch of cleanup changes.
This time mostly making a lot of things static and some unused
variables here and there.
1995-10-29 15:33:36 +00:00
Ugen J.S. Antsilevich
7934237885 Support all the tcpflag options in firewall.
Add reading options from file, now ipfw <filename> will
read commands string after string from file , form of strings
same as command line interface.
1995-10-23 03:58:06 +00:00
Ugen J.S. Antsilevich
37afa1e829 Well..finally..this is the first part..it should take care of
matching IP options..Check and test this - i made only a couple
of rough tests and this could be buggy.. Ipaccounting can't use
IP Options (and i don't see any need to cound packets with specific
options either..)
More to come...
1995-10-01 21:52:50 +00:00
Gary Palmer
7d4aa0825d Try to make the `syn' blocking code act a bit more sensibly - don't
block `syn' packets that have `ack' set.
Reviewed by:
Submitted by:
Obtained from:
1995-07-31 13:58:35 +00:00
David Greenman
f70b105004 Added $Id$. 1995-07-23 05:36:31 +00:00
David Greenman
c6e8c3576e Fixed panic that occurs on certain firewall rejected packets that was
caused by dtom() being used on an mbuf cluster. The fix involves passing
around the mbuf pointer.

Submitted by:	Bill Fenner
1995-07-09 14:29:46 +00:00
David Greenman
09270166bb This is the end result of about a dozen passes through this code to fix
incorrect indents, a variety of poor coding practices such as comparing
pointers to constants ('0'), poor code structuring, etc, etc. This brings
the code up to the minimum standards for inclusion in FreeBSD.
1995-07-04 05:39:03 +00:00
David Greenman
ed64321cec Define TRUE and FALSE. 1995-07-04 05:29:30 +00:00
David Greenman
7e9367a410 1) Removed bogus #include
2) Rewrote "bad_packet" code to be less buggy and more readable.
3) Removed a pile of goto's; the code is now somewhat less reminiscent
   of a certain Italian pasta.
4) Changed all boolean returns of "0" and "1" to FALSE/TRUE.
1995-07-04 03:35:20 +00:00
Gary Palmer
06cf932bcb Add a missing `goto' statement so that this compiles yet again. 1995-06-28 13:22:36 +00:00
Guido van Rooij
a0aa52a646 reject option in ip_fw used to panic the system. This fixes it.
-Guido
Reviewed by:
Submitted by:
Obtained from:
1995-06-27 17:26:27 +00:00
Rodney W. Grimes
9b2e535452 Remove trailing whitespace. 1995-05-30 08:16:23 +00:00
Rodney W. Grimes
b2b795f07c Fix -Wformat warnings from LINT kernel. 1995-05-11 19:26:53 +00:00
Ugen J.S. Antsilevich
9870b4d2de Allocate memory as M_IPFW,now we can watch firewall memory usage
in vmstat..
1995-03-12 13:28:13 +00:00
Ugen J.S. Antsilevich
29fe22b93f Allow "via" to be specified ever as IP adress or
as interface name/unit...
1995-02-24 14:33:54 +00:00
Ugen J.S. Antsilevich
4dd1662b4c Actual firewall change.
1) Firewall is not subdivided on forwarding / blocking chains
   anymore.Actually only one chain left-it was the blocking one.
2) LKM support.ip_fwdef.c is function pointers definition and
goes into kernel along with all INET stuff.
1995-01-12 13:06:32 +00:00
Ugen J.S. Antsilevich
3107b31b8d Add clear one accounting entry control.
Structure fields changed to seem more standart.
1994-12-13 15:57:34 +00:00
Ugen J.S. Antsilevich
f3caf95e23 Late patch for delete control.. 1994-12-12 18:10:41 +00:00
Ugen J.S. Antsilevich
10a642bb05 Add match by interface from which packet arrived (via)
Handle right fragmented packets. Remove checking option
from kernel..
1994-12-12 17:20:55 +00:00
Ugen J.S. Antsilevich
c334f8666a Added: ICMP reply,TCP SYN check,logging.. 1994-11-28 12:35:14 +00:00
Jordan K. Hubbard
63f8d699ac Ugen J.S.Antsilevich's latest, happiest, IP firewall code.
Poul:  Please take this into BETA.  It's non-intrusive, and a rather
substantial improvement over what was there before.
1994-11-16 10:17:11 +00:00
Jordan K. Hubbard
72e8fea57e Almost 12th hour (the 11th hour was almost an hour ago :-) patches
from Ugen.
1994-11-08 12:47:29 +00:00
Jordan K. Hubbard
ad63b51399 2 11th-hour fixes from Ugen (not Uben, sorry!) J.S.Antsilevich.
I think it's time for Ugen to get a freefall account, just so I can
direct mail at him directly and let him drop off patches for us here.  Ugen?
Done!
Submitted by:	ugen
1994-11-07 10:01:32 +00:00
Jordan K. Hubbard
0a87b23329 Latest changes from Uben.
Submitted by:	uben
1994-10-31 23:58:04 +00:00
Jordan K. Hubbard
100ba1a617 IP Firewall code from Daniel Boulet and J.S.Antsilevich
Submitted by:	danny ugen
1994-10-28 15:09:49 +00:00