Commit Graph

857 Commits

Author SHA1 Message Date
eivind
3611f42c01 Make incoming packets work as keepalives, too. This should fix problems
for some games.

Notified of problem by:	tim@turbinegames.com
1999-05-20 20:20:24 +00:00
peter
b661ab30e3 "fix" warning. This still needs to be kld-ified some day (or removed). 1999-05-11 16:07:16 +00:00
peter
41db63d93a Pre-declare struct proc to avoid 'inside param list' warnings. 1999-05-08 14:28:52 +00:00
peter
28b30d72a3 Fix two warnings; and note a problem where a pointer is stored in an
int variable - this can't work on an Alpha.
1999-05-06 22:08:57 +00:00
peter
73556bfee1 Add sufficient braces to keep egcs happy about potentially ambiguous
if/else nesting.
1999-05-06 18:13:11 +00:00
luigi
2085d1a050 Free the dummynet descriptor in ip_dummynet, not in the called
routines. The descriptor contains parameters which could be used
within those routines (eg. ip_output() ).

On passing, add IPPROTO_PGM entry to netinet/in.h
1999-05-04 16:20:33 +00:00
brian
189ed9cc1b Add missing ``.''. 1999-05-04 10:56:13 +00:00
luigi
cfc02369fe forgot passing the right pointer to dst to dummynet_io().
(-stable and releng2 were already safe).
Debugged-By: phk
1999-05-04 09:26:12 +00:00
luigi
61851a14d7 assorted dummynet cleanup:
+ plug an mbuf leak when dummynet used with bridging
 + make prototype of dummynet_io consistent with usage
 + code cleanup so that now bandwidth regulation is precise to the
   bit/s and not to (8*HZ) bit/s as before.
1999-05-04 07:30:08 +00:00
billf
dd35516544 Add sysctl descriptions to many SYSCTL_XXXs
PR:		kern/11197
Submitted by:	Adrian Chadd <adrian@FreeBSD.org>
Reviewed by:	billf(spelling/style/minor nits)
Looked at by:	bde(style)
1999-05-03 23:57:32 +00:00
phk
ca21a25f17 This Implements the mumbled about "Jail" feature.
This is a seriously beefed up chroot kind of thing.  The process
is jailed along the same lines as a chroot does it, but with
additional tough restrictions imposed on what the superuser can do.

For all I know, it is safe to hand over the root bit inside a
prison to the customer living in that prison, this is what
it was developed for in fact:  "real virtual servers".

Each prison has an ip number associated with it, which all IP
communications will be coerced to use and each prison has its own
hostname.

Needless to say, you need more RAM this way, but the advantage is
that each customer can run their own particular version of apache
and not stomp on the toes of their neighbors.

It generally does what one would expect, but setting up a jail
still takes a little knowledge.

A few notes:

   I have no scripts for setting up a jail, don't ask me for them.

   The IP number should be an alias on one of the interfaces.

   mount a /proc in each jail, it will make ps more useable.

   /proc/<pid>/status tells the hostname of the prison for
   jailed processes.

   Quotas are only sensible if you have a mountpoint per prison.

   There are no privisions for stopping resource-hogging.

   Some "#ifdef INET" and similar may be missing (send patches!)

If somebody wants to take it from here and develop it into
more of a "virtual machine" they should be most welcome!

Tools, comments, patches & documentation most welcome.

Have fun...

Sponsored by:   http://www.rndassociates.com/
Run for almost a year by:       http://www.servetheweb.com/
1999-04-28 11:38:52 +00:00
dt
ba8c622703 s/static foo_devsw_installed = 0;/static int foo_devsw_installed;/.
(Edited automatically)
1999-04-28 10:54:24 +00:00
phk
16e3fbd2c1 Suser() simplification:
1:
  s/suser/suser_xxx/

2:
  Add new function: suser(struct proc *), prototyped in <sys/proc.h>.

3:
  s/suser_xxx(\([a-zA-Z0-9_]*\)->p_ucred, \&\1->p_acflag)/suser(\1)/

The remaining suser_xxx() calls will be scrutinized and dealt with
later.

There may be some unneeded #include <sys/cred.h>, but they are left
as an exercise for Bruce.

More changes to the suser() API will come along with the "jail" code.
1999-04-27 11:18:52 +00:00
luigi
e73255d2dc Make one pass through the firewall the default.
Multiple pass (which only affects dummynet) is too confusing.
1999-04-26 14:57:24 +00:00
ache
b9837c617f so_linger is in seconds, not in 1/HZ
PR: 11252
Submitted by: Martin Kammerhofer <dada@sbox.tu-graz.ac.at>
1999-04-24 18:25:35 +00:00
dt
ce1c742794 Use pointer arithmetic as appropriate. 1999-04-24 13:23:48 +00:00
luigi
069fcdc17d postpone the sending of IGMP LEAVE msg to after deleting the
mc address from the address list. The latter operation on some
hardware resets the card, potentially canceling the pending LEAVE
pkt.
1999-04-24 12:28:51 +00:00
luoqi
6ea0e19959 Work around an egcs optimizer bug (i386). This should fix the active ftp
hang problem. A bug report has been sent to cygnus.
1999-04-21 21:28:01 +00:00
peter
ab84101dc3 s/IPFIREWALL_MODULE/KLD_MODULE/ 1999-04-20 14:29:59 +00:00
peter
f9bc841320 Tidy up some stray / unused stuff in the IPFW package and friends.
- unifdef -DCOMPAT_IPFW  (this was on by default already)
- remove traces of in-kernel ip_nat package, it was never committed.
- Make IPFW and DUMMYNET initialize themselves rather than depend on
  compiled-in hooks in ip_init().  This means they initialize the same
  way both in-kernel and as kld modules.  (IPFW initializes now :-)
1999-04-20 13:32:06 +00:00
peter
725616780f Zap LKM option and support. Farewell old friend. 1999-04-19 14:19:52 +00:00
peter
8dc2affd00 Convert the dummynet lkm code to be kld aware (this isn't actually used
anywhere that I can see).
1999-04-17 11:09:08 +00:00
peter
5c2c67ae8e Oops, forgot this part of lkm code that's been replaced with kld. 1999-04-17 08:56:38 +00:00
eivind
ab4a6b37f8 Better handling for ARP/source routing on Token Ring
Submitted by:	Larry Lile <lile@stdio.com>
1999-04-15 17:58:24 +00:00
eivind
57f5464515 Staticize. 1999-04-11 02:50:42 +00:00
julian
9e60b40925 Two cosmetic changes, one a typo and the other, a clarification. 1999-04-07 22:22:06 +00:00
nsayer
5588dd15e1 Merge from RELENG_2_2, per luigi. Fixes the ntoh?() issue for the
firewall code when called from the bridge code.

PR:             10818
Submitted by:   nsayer
Obtained from:  luigi
1999-03-30 23:45:34 +00:00
luigi
bb2e8627df Use the correct length from the mbuf header instead of the one from
the IP header (this would not work for bridged packets).
This has been fixed long ago in the 2.2 branch.

Problem noticed by: a few people
Fix suggested by: Remy Nonnenmacher
1999-03-26 14:15:59 +00:00
brian
831f0d7d92 PacketAliasProxyRule takes a const char *
Reminded by: bde
1999-03-25 06:48:05 +00:00
brian
f046bc6b79 Add a ``const'' and remove some inconsistent prototype args. 1999-03-24 20:28:58 +00:00
luigi
2e53da61af add missing #include "opt_bdg.h" 1999-03-24 12:43:39 +00:00
billf
da0438ea6a Remove duplicate line.
Reviewed by:	eivind
1999-03-23 23:01:15 +00:00
luigi
8c71b04183 Fix a dummynet bug caused by passing a bad next hop address (the
symptom was the msg "arp failure -- host is not on local network" that
some user have seen on multihomed machines.
Bug tracked down by Emmanuel Duros
1999-03-16 12:06:11 +00:00
julian
10962136cf Fix the 'fwd' option to ipfw when asked to divert to another machine.
also rely less on other modules clearing static values, and clear them
in a few cases we missed before.
Submitted by: Matthew Reimer <mreimer@vpop.net>
1999-03-12 01:15:57 +00:00
julian
6eb9a9adf9 Submitted by: Larry Lile
Move the Olicom token ring driver to the officially sanctionned location of
/sys/contrib. Also fix some brokenness in the generic token ring support.

Be warned that if_dl.h has been changed and SOME programs might
like recompilation.
1999-03-10 10:11:43 +00:00
brian
d5ccc1beb2 Remove all diagnostics to stdout/stderr with #ifdef DEBUG
Statify functions in alias_nbt.c
1999-03-09 23:44:00 +00:00
brian
8b7bf74482 Document PacketAliasPptp() and allow it to be disabled
by passing INADDR_NONE.
1999-03-07 18:13:23 +00:00
brian
958883fc96 Remove unused function stubs. 1999-03-07 15:36:58 +00:00
brian
1b7dfc8070 Mention that PacketAliasProxyRule() doesn't accept host names,
just IP numbers.
1999-03-07 15:02:22 +00:00
archie
095548bf2b When an incoming packet is reflected back as an ICMP reply, make sure we
zero "m->m_pkthdr.rcvif", otherwise ipfw may wrongly match the outgoing packet.
PR:		kern/9723
Submitted by:	David Malone <dwmalone@maths.tcd.ie>
1999-03-06 23:10:42 +00:00
brian
5a72bcc3c3 Document PacketAliasProxyRule() and fix a typo. 1999-03-06 21:58:43 +00:00
wollman
5f67587686 Move kernel-only declaration inside #ifdef KERNEL section. 1999-03-06 04:51:41 +00:00
wpaul
2d467639d3 arprequest() allocates an mbuf with m_gethdr() but does not initialize
m->m_pkthdr.rcvif to NULL. Bad arprequest(). No biscuit.
1999-03-04 04:03:57 +00:00
brian
087590fb63 Version 3.0: January 1, 1999
- Transparent proxying support added.
    - PPTP redirecting support added based on patches
      contributed by Dru Nelson <dnelson@redwoodsoft.com>.

Submitted by: Charles Mott <cmott@srv.net>
1999-02-27 02:16:01 +00:00
des
2f3574b0d4 Add support for stealth forwarding (forwarding packets without touching
their ttl). This can be used - in combination with the proper ipfw
incantations - to make a firewall or router invisible to traceroute
and other exploration tools.

This behaviour is controlled by a sysctl variable (net.inet.ip.stealth)
and hidden behind a kernel option (IPSTEALTH).

Reviewed by:	eivind, bde
1999-02-22 18:19:57 +00:00
julian
16c8d9e8d0 World, I'd like you to meet the first FreeBSD token Ring driver.
This  is for various Olicom cards. An IBM driver is following.
This patch also adds support to tcpdump to decode packets on tokenring.
Congratulations to the proud father.. (below)

Submitted by:	Larry Lile <lile@stdio.com>
1999-02-20 11:18:00 +00:00
luigi
fd3fec4801 avoid panic with pkts larger than MTU and DF set coming out of a pipe. 1999-02-19 18:32:55 +00:00
dfr
22ceb237f0 * Change sysctl from using linker_set to construct its tree using SLISTs.
This makes it possible to change the sysctl tree at runtime.

* Change KLD to find and register any sysctl nodes contained in the loaded
  file and to unregister them when the file is unloaded.

Reviewed by: Archie Cobbs <archie@whistle.com>,
	Peter Wemm <peter@netplex.com.au> (well they looked at it anyway)
1999-02-16 10:49:55 +00:00
wollman
433e0009a0 After wading in the cesspool of ip_input for an hour, I have managed to
convince myself that nothing will break if we permit IP input while
interface addresses are unconfigured.  (At worst, they will hit some
ULP's PCB scan and fail if nobody is listening.)  So, remove the restriction
that addresses must be configured before packets can be input.  Assume
that any unicast packet we receive while unconfigured is potentially ours.
1999-02-09 16:55:46 +00:00
julian
be76d440ee remove leftover garbage line. 1999-02-08 05:53:39 +00:00
julian
82933dc0a1 Fix for PR 9309.
Divert was not feeding clean data to ifa_ifwithaddr() so it was
giving bad results.
Submitted by: kseel <kseel@utcorp.com>, Ruslan Ermilov <ru@ucb.crimea.ua>
1999-02-08 05:48:46 +00:00
fenner
51a5faf6ae Use snd_nxt, not rcv_nxt, when calculating the ISS during TIME_WAIT.
This was missed in the 4.4-Lite2 merge.

Noticed by:	Mohan Parthasarathy <Mohan.Parthasarathy@eng.Sun.COM> and
		jayanth@loc201.tandem.com (vijayaraghavan_jayanth)
		on the tcp-impl mailing list.
1999-02-06 00:47:45 +00:00
msmith
a05a2cf59e Nuke all the stupid ffs() stuff and use powerof2() instead.
Submitted by:	Bruce Evans <bde@zeta.org.au>
1999-02-04 03:27:43 +00:00
msmith
8ec6127468 Fix power-of-2 check for the TCB hash size.
Submitted by:	Brian Feldman <green@unixhelp.org>
1999-02-04 03:02:56 +00:00
msmith
35606d39dd Make TCBHASHSIZE a boot-time tunable as well, taking its value from the
variable net.inet.tcp.tcbhashsize.

Requested by:	David Filo <filo@yahoo-inc.com>
1999-02-03 08:59:30 +00:00
dillon
dbf5cd2b57 Fix warnings in preparation for adding -Wall -Wcast-qual to the
kernel compile
1999-01-27 22:42:27 +00:00
archie
19d9007c62 Move kernel-only declarations to within #ifdef KERNEL
Prompted by:	gcc warnings when compiling /sbin/ipfw
1999-01-23 23:59:50 +00:00
wollman
a6bfe64533 Don't forward unicast packets received via link-layer multicast.
Suggested by: fenner
Original complaint: Shiva Shenoy <Shiva.Shenoy@yagosys.com>
1999-01-22 16:50:45 +00:00
fenner
505f7489c7 Add a flag, passed to pru_send routines, PRUS_MORETOCOME. This
flag means that there is more data to be put into the socket buffer.
Use it in TCP to reduce the interaction between mbuf sizes and the
Nagle algorithm.

Based on:	"Justin C. Walker" <justin@apple.com>'s description of Apple's
		fix for this problem.
1999-01-20 17:32:01 +00:00
fenner
1b9be3b5a8 Fix bug in last commit (la was used uninitialized if no route was passed in). 1999-01-19 23:17:03 +00:00
fenner
c9e9dccbb7 Use dynamic memory allocation instead of mbuf's for multicast routing
state.

Note: this requires a recompilation of netstat (but netstat has been
broken since rev 1.52 of ip_mroute.c anyway)

Obtained from:	Significantly based on Steve McCanne's
		<mccanne@cs.berkeley.edu> work for BSD/OS
1999-01-18 02:06:59 +00:00
fenner
331c793e65 Rename igmp's MALLOC; it doesn't have anything to do with multicast routing. 1999-01-18 01:56:31 +00:00
fenner
30dc804fc7 If arpresolve() gets passed a route with a null llinfo, call
arplookup() to try again.  This gets rid of at least one user's
 "arpresolve: can't allocate llinfo" errors, and arplookup() gives
 better error messages to help track down the problem if there really
 is a problem with the routing table.
1999-01-18 01:54:36 +00:00
eivind
8a19f89957 ... _and_ the (void*) casts for %p. Next, I'll forget my own name :-( 1999-01-12 16:43:52 +00:00
eivind
5eadf1333f Avoid unnecessary GCCism - I hadn't noticed the __unused macro. 1999-01-12 16:40:57 +00:00
eivind
cf51804cbf * Print pointers using the correct type (%p) instead of %x.
* Use the correct type for timeout function.
* Add missing #include.
1999-01-12 12:27:54 +00:00
eivind
f5da386ea6 Add #ifdef's to avoid unused label warning in some cases. 1999-01-12 12:25:00 +00:00
eivind
e06f86cff9 Remove unused statics. 1999-01-12 12:16:50 +00:00
luigi
4d0780a914 Add a missing bzero which could be the source of instability
problems reported recently (the rtentry pointer in the dummynet
queue was not initialized in all cases, resulting in spurious
rt_refcnt decreases in the lucky cases, and memory trashing in
other cases.
1999-01-11 11:08:07 +00:00
luigi
45794144c5 Remove check from where arp replies are coming from -- when doing bridging,
interfaces are used in clusters so the check does not apply.
1999-01-10 17:40:10 +00:00
brian
9efaefb948 If we can't open alias.log, don't try to write to the
resulting NULL FILE *.
PR:	9403
1999-01-10 02:05:13 +00:00
luigi
09f08ede8d Partial fix for when ipfw is used with bridging. Bridged packets
have all fields in network order, whereas ipfw expects some to be
in host order. This resulted in some incorrect matching, e.g. some
packets being identified as fragments, or bandwidth not being
correctly enforced.
NOTE: this only affects bridge+ipfw, normal ipfw usage was already
correct).

Reported-By: Dave Alden and others.
1998-12-31 07:43:29 +00:00
luigi
d3efa9889b Remove some unused variables. 1998-12-31 07:35:49 +00:00
luigi
fa2dcdbf3d 'ip_fw_head' and 'M_IPFW' are also used in ip_dummynet so cannot be
static...
Reported by: Dave Alden
1998-12-22 20:38:06 +00:00
luigi
c797b9a57d Recover from previous dummynet screwup 1998-12-21 22:40:54 +00:00
luigi
4eebef513c Restore 1.82->1.83 change deleted by mistake< per Bruce suggestion 1998-12-21 21:36:40 +00:00
fenner
8532cc33d7 Add missing "break"s to allow multicast routing to work.
Submitted by:	Amancio Hasty <hasty@rah.star-gate.com>
1998-12-16 18:07:11 +00:00
luigi
4b628fa86d Last bits (i think) of dummynet for -current. 1998-12-14 18:09:13 +00:00
dillon
14901c04b7 Reviewed by: freebsd-current
Add bounds checking to netbios NS packet resolving code.  This should
    prevent natd from crashing on badly formed netbios packets (as might be
    heard when the machine is sitting on a cable modem or certain DSL
    networks), and also closes potential security holes that might have
    exploited the lack of bounds checking in the previous version of the
    code.
1998-12-14 02:25:32 +00:00
dillon
21b42c731e PR: kern/8990
If timer calculation results in degenerate value (0), force it to 1
    to avoid divide-by-zero panic later on in calls to IGMP_RANDOM_DELAY().
    I considered simply adding 1 to the timer calculation, but was unsure
    if the calculation was part of the IGMP standard or not so did not want
    to mess with it for all cases.
1998-12-12 21:45:49 +00:00
archie
60d13c7a9d The "easy" fixes for compiling the kernel -Wunused: remove unreferenced static
and local variables, goto labels, and functions declared but not defined.
1998-12-07 21:58:50 +00:00
eivind
ef7d200c7e Clean up some pointer usage. 1998-12-07 05:41:10 +00:00
archie
982e80577d Examine all occurrences of sprintf(), strcat(), and str[n]cpy()
for possible buffer overflow problems. Replaced most sprintf()'s
with snprintf(); for others cases, added terminating NUL bytes where
appropriate, replaced constants like "16" with sizeof(), etc.

These changes include several bug fixes, but most changes are for
maintainability's sake. Any instance where it wasn't "immediately
obvious" that a buffer overflow could not occur was made safer.

Reviewed by:	Bruce Evans <bde@zeta.org.au>
Reviewed by:	Matthew Dillon <dillon@apollo.backplane.com>
Reviewed by:	Mike Spengler <mks@networkcs.com>
1998-12-04 22:54:57 +00:00
dillon
7da0628e55 Cleanup icmp_var.h, make icmp bandlim sysctl permanent but if ICMP_BANDLIM
option not defined the sysctl int value is set to -1 and read-only.

    #ifdef KERNEL's added appropriately to wall off visibility of kernel
    routines from user code.
1998-12-04 04:21:25 +00:00
dillon
b152822d79 Obtained from: "Andrey A. Chernov" <ache@nagual.pp.ru>
Quick add #ifdef KERNEL for ICMP_BANDLIM option so userland program
     can #include icmp_var.h
1998-12-04 03:49:18 +00:00
dillon
ed174536c8 Reviewed by: freebsd-current
Add ICMP_BANDLIM option and 'net.inet.icmp.icmplim' sysctl.  If option
    is specified in kernel config, icmplim defaults to 100 pps.  Setting it
    to 0 will disable the feature.  This feature limits ICMP error responses
    for packets sent to bad tcp or udp ports, which does a lot to help the
    machine handle network D.O.S. attacks.

    The kernel will report packet rates that exceed the limit at a rate of
    one kernel printf per second.  There is one issue in regards to the
    'tail end' of an attack... the kernel will not output the last report
    until some unrelated and valid icmp error packet is return at some
    point after the attack is over.  This is a minor reporting issue only.
1998-12-03 20:23:21 +00:00
eivind
da99bd7667 Staticize some more. 1998-11-26 18:54:52 +00:00
jdp
6f8c78ca1a Fix a couple of typos. 1998-11-19 18:07:28 +00:00
dfr
35c2dd579e Remove stale references to ih_next and ih_prev.
Pointed out by: Roman V. Palagin <romanp@wuppy.rcs.ru>
1998-11-17 10:53:37 +00:00
dfr
27d260c1d9 Make the previous fix more portable.
Requested by: bde
1998-11-16 08:27:36 +00:00
guido
23fa293e87 The below patch helps to reduce the leakage of internal socket information
when a TCP "stealth" scan is directed at a *BSD box by ensuring the window
is 0 for all RST packets generated through tcp_respond()
Reviewed by:	Don Lewis <Don.Lewis@tsc.tdk.com>
Obtained from:	Bugtraq (from: Darren Reed <avalon@COOMBS.ANU.EDU.AU>)
1998-11-15 21:35:09 +00:00
dfr
7e9b664232 Fix printf format errors on alpha. 1998-11-15 18:10:14 +00:00
bde
51ad68ca2d Finished updating module event handlers to be compatible with
modeventhand_t.
1998-11-15 15:33:52 +00:00
dg
a0c398294e Be sure to pullup entire IP header when dealing with fragment packets. 1998-11-11 21:17:59 +00:00
peter
73192d8050 add #include <sys/kernel.h> where it's needed by MALLOC_DEFINE() 1998-11-10 09:16:29 +00:00
dfr
4131cb7a36 Some optimisations to the fragment reassembly code.
Submitted by: Don Lewis <Don.Lewis@tsc.tdk.com>
1998-10-27 09:19:03 +00:00
dfr
a5bf24db74 Fix a bug in the new fragment reassembly code which was tickled by recieving
a fragment which wholly overlapped one or more existing fragments.

Submitted by: Don Lewis <Don.Lewis@tsc.tdk.com>
1998-10-27 09:11:41 +00:00
peter
464de37ce6 *gulp*. Jordan specifically OK'ed this..
This is the bulk of the support for doing kld modules.  Two linker_sets
were replaced by SYSINIT()'s.  VFS's and exec handlers are self registered.
kld is now a superset of lkm.  I have converted most of them, they will
follow as a seperate commit as samples.
This all still works as a static a.out kernel using LKM's.
1998-10-16 03:55:01 +00:00
dfr
3a723223f4 Dike out some obsolete defines which referenced ih_next and ih_prev from
struct ipovly (they don't exist anymore because they don't work when
pointers are 64bit).
1998-09-26 14:26:59 +00:00
fenner
f32632b69e Fix the bind security fix introduced in rev 1.38 to work with multicast:
- Don't bother checking for conflicting sockets if we're binding to a
  multicast address.
- Don't return an error if we're binding to INADDR_ANY, the conflicting
  socket is bound to INADDR_ANY, and the conflicting socket has SO_REUSEPORT
  set.

PR:		kern/7713
1998-09-17 18:42:16 +00:00
fenner
7394d510b4 Prevent modification of permanent ARP entries (PR kern/7649)
Ignore ARP replies from the wrong interface (discussion on mailing list)
Add interface name to a couple of error messages
1998-09-17 00:04:21 +00:00
jkoshy
ed7cc86037 Turn off replies to ICMP echo requests for broadcast and multicast
addresses by default.

Add a knob "icmp_bmcastecho" to "rc.network" to allow this
behaviour to be controlled from "rc.conf".

Document the controlling sysctl variable "net.inet.icmp.bmcastecho"
in sysctl(3).

Reviewed by: dg, jkh
Reminded on -hackers by: Steinar Haug <sthaug@nethelp.no>
1998-09-15 10:49:03 +00:00
luigi
d45d8a3cde Bring in new files for dummynet support 1998-09-12 22:03:21 +00:00
wollman
bc0a684817 Fix RST validation.
PR:		7892
Submitted by:	Don.Lewis@tsc.tdk.com
1998-09-11 16:04:03 +00:00
dfr
efaab0e58f Ensure that m_nextpkt is set to NULL after reassembling fragments. 1998-09-10 08:56:40 +00:00
phk
554e90e43f RFC 1644 has the status "Experimental Protocol", which means:
4.1.4.  Experimental Protocol

      A system should not implement an experimental protocol unless it
      is participating in the experiment and has coordinated its use of
      the protocol with the developer of the protocol.

Pointed out by:	Steinar Haug <sthaug@nethelp.no>
1998-09-06 08:17:35 +00:00
phk
256218ff32 Widen and change the layout of the IPFW structures flag element.
This will allow us to add dummynet to 3.0

Recompile /sbin/ipfw AND your kernel.
1998-09-02 19:14:01 +00:00
wollman
1228ff1417 Properly fragment multicast packets.
PR: 7802
Submitted by:	Steve McCanne <mccanne@cs.berkeley.edu>
1998-09-02 15:11:14 +00:00
brian
f2c69105f2 Remove OpenBSD build support - let the Makefile vary per
OS rather than making it a mess and potentially screwing
up cross builds.
Suggested by: bde

Add Id keyword.
1998-08-31 12:14:30 +00:00
brian
0d85445a6a Add OpenBSD build support 1998-08-30 23:53:25 +00:00
dfr
b9492066e9 Re-implement tcp and ip fragment reassembly to not store pointers in the
ip header which can't work on alpha since pointers are too big.

Reviewed by: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
1998-08-24 07:47:39 +00:00
wollman
a76fb5eefa Yow! Completely change the way socket options are handled, eliminating
another specialized mbuf type in the process.  Also clean up some
of the cruft surrounding IPFW, multicast routing, RSVP, and other
ill-explored corners.
1998-08-23 03:07:17 +00:00
bde
08a3400100 Fixed printf format errors. 1998-08-17 01:05:25 +00:00
bde
d1358702bf Made some disgusting ifdefs even more disgusting to enable the support
for `u_long cmd' ioctl args if __FreeBSD_version >= 300003.  Some ioctls
were broken on machines with 32-bit ints and 64-bit longs.
1998-08-15 21:51:53 +00:00
bde
e86a04ed70 Fixed printf format errors (ntohl() returns in_addr_t = u_int32_t != long
on some 64-bit systems).  print_ip() should use inet_ntoa() instead of
bloated inline code with 4 ntohl()s.
1998-08-11 19:08:42 +00:00
bde
ada6e9f52b Converted the last instance of hzto() to tvtohz(). 1998-08-05 16:59:20 +00:00
dfr
fc4cb2cea6 Use explicitly sized types when digging through packet headers.
Reviewed by: Julian Elischer <julian@whistle.com>
1998-08-03 17:23:37 +00:00
peter
0fadf3df6c Fix a compile error if IPFIREWALL_FORWARD active without IPDIVERT. 1998-08-01 08:44:33 +00:00
kjc
bd9e5f5f5b update ATM driver. (base version: midway.c 1.67 --> 1.68)
several new features are added:
	- support vc/vp shaping
	- support pvc shadow interface

code cleanup:
	- remove WMAYBE related code.  ENI WMAYBE DMA doen't work.
	- remove updating if_lastchange for every packet.
	- BPF related code is moved to midway.c as it should be.
	  (bpfwrite should work if atm_pseudohdr and LLC/SNAP are
	  prepended.)
	- BPF link type is changed to DLT_ATM_RFC1483.
	  BPF now understands only LLC/SNAP!! (because bpf can't
	  handle variable link header length.)
	  It is recommended to use LLC/SNAP instead of NULL
	  encapsulation for various reasons.  (BPF, IPv6,
	  interoperability, etc.)

the code has been used for months in ALTQ and KAME IPv6.

OKed by phk long time ago.
1998-07-29 05:35:16 +00:00
alex
22c2ae2a77 Don't log ICMP type and subtype for non-zero offset packet fragments. 1998-07-18 23:27:15 +00:00
bde
b157e42b40 Removed a bogus forward struct declaration.
Cleaned up ifdefs.
1998-07-13 12:20:07 +00:00
bde
012bf0d7ba Fixed some longs that should have been fixed-sized types. 1998-07-13 12:12:25 +00:00
bde
d16ff5c400 Fixed overflow and sign extension bugs in
`len = min(so->so_snd.sb_cc, win) - off;'.  min() has type u_int
and `off' has type int, so when min() is 0 and `off' is 1, the RHS
overflows to 0U - 1 = UINT_MAX.  `len' has type long, so when
sizeof(long) == sizeof(int), the LHS normally overflows to to the
correct value of -1, but when sizeof(long) > sizeof(int), the LHS
is UINT_MAX.

Fixed some u_long's that should have been fixed-sized types.
1998-07-13 11:53:59 +00:00
bde
b384a06abb Declare tcp_seq and tcp_cc as fixed-size types. Half fixed type
mismatches exposed by this (the prototype for tcp_respond() didn't
match the  function definition lexically, and still depends on a
gcc feature to match if ints have more than 32 bits).
1998-07-13 11:09:52 +00:00
bde
853889649e Declare id_mask as a fixed-size type. 1998-07-13 11:01:03 +00:00
bde
cffdc1edb6 Declare n_short, n_long and n_time as fixed-sized types. Don't ifdef
n_long or n_short specially for alphas.
1998-07-13 10:54:24 +00:00
dg
ea18dd7105 When not acting as a router (ipforwarding=0), silently discard source
routed packets that aren't destined for us, as required by RFC-1122.
PR: 7191
1998-07-08 08:49:51 +00:00
julian
1c2b90ea31 oops ended comment before the comment ended.. 1998-07-06 09:10:56 +00:00
julian
8f07ff9316 Bring back some slight cleanups from 2.2 1998-07-06 09:06:58 +00:00
julian
3b5d08a30e Don't expect the new code to be used without the right option file being
included.
1998-07-06 05:04:33 +00:00
julian
d2e04c552c Fix braino in switching to TAILQ macro. 1998-07-06 05:00:53 +00:00
julian
22a5d80812 Support for IPFW based transparent forwarding.
Any packet that can be matched by a ipfw rule can be redirected
transparently to another port or machine. Redirection to another port
mostly makes sense with tcp, where a session can be set up
between a proxy and an unsuspecting client. Redirection to another machine
requires that the other machine also be expecting to receive the forwarded
packets, as their headers will not have been modified.

/sbin/ipfw must be recompiled!!!

Reviewed by:	Peter Wemm <peter@freebsd.org>
Submitted by: Chrisy Luke <chrisy@flix.net>
1998-07-06 03:20:19 +00:00
julian
0985b04caf Remove out of date comment. 1998-07-02 06:31:25 +00:00
julian
8286a7feb0 Remove the option to keep IPFW diversion backwards compatible
WRT diversion reinjection. No-one has been bitten by the new behaviour
that I know of.
1998-07-02 05:49:12 +00:00
phk
cdd3d49d95 Byte count statistics of multicast vifs are invalid.
The problem is caused by a wrong endianess in the sum.

PR:		7115
Submitted by:	Joao Carlos Mendes Luis <jonny@jonny.eng.br>
1998-06-30 10:56:31 +00:00
jhay
2922de5ede Only make struct xtcpcb visable if _NETINET_IN_PCB_H_ and _SYS_SOCKETVAR_H_
are defined.
Reviewed by:	bde
1998-06-27 07:30:45 +00:00
brian
5ed7f2c4ee Add CUSEEME support. This has *not* been tested, nor
could I find anyone to test it, so please report any
problems to me.
1998-06-24 06:58:00 +00:00
bde
403bdcb97b Removed unused includes. 1998-06-21 14:53:44 +00:00
peter
595e4ae373 Merge ipfilter 3.2.3 -> 3.2.7 changes onto mainline. 1998-06-20 18:37:51 +00:00
peter
dc2ce9cb96 This commit was generated by cvs2svn to compensate for changes in r37071,
which included commits to RCS files with non-trunk default branches.
1998-06-20 18:18:05 +00:00
peter
91edc33c5d Import ipfilter 3.2.7 kernel components 1998-06-20 18:18:05 +00:00
julian
fadb1f2352 fix another typo 1998-06-15 00:35:47 +00:00
julian
7e20c7add6 Try narrow down the culprit sending undefined packet types through the loopback 1998-06-14 20:58:17 +00:00
julian
fd91ad6629 Remove 3 occurances of __FUNCTION__ 1998-06-12 20:03:26 +00:00
julian
1ee51dd89f Go through the loopback code with a broom..
Remove lots'o'hacks.
looutput is now static.

Other callers who want to use loopback to allow shortcutting
should call the special entrypoint for this, if_simloop(), which is
specifically designed for this purpose. Using looutput for this purpose
was problematic, particularly with bpf and trying to keep track
of whether one should be using the charateristics of the loopback interface
or the interface (e.g. if_ethersubr.c) that was requesting the loopback.
There was a whole class of errors due to this mis-use each of which had
hacks to cover them up.

Consists largly of hack removal :-)
1998-06-12 03:48:19 +00:00
julian
eaeb937aa0 include opt_ipdivert.h so we get correct options 1998-06-12 02:48:47 +00:00
julian
7fe2cc176d Allow diverted packets from the transmit side to remember if they
had a recv interface and allow that state to be available
after re-injection for further tests.
1998-06-12 01:54:29 +00:00
brian
4ff4152e09 Quieten gcc 2.8.1 1998-06-10 00:26:19 +00:00
bde
566ee5c323 Fixed pedantic semantics errors (bitfields not of type int, signed int
or unsigned int (this doesn't change the struct layout, size or
alignment in any of the files changed in this commit, at least for
gcc on i386's.  Using bitfields of type u_char may affect size and
alignment but not packing)).
1998-06-08 09:47:47 +00:00
bde
0801d7c827 ip_fil.h has 9 separate declarations of iplioctl() in a disgusting
ifdef tangle.  The previous commit to ip_fil.h didn't change the
one that actually applies to the current FreeBSD kernel, of course.
Fixed.

Fixed style bugs in previous commit to ip_fil.h.
1998-06-08 06:04:12 +00:00
dfr
1d5f38ac22 This commit fixes various 64bit portability problems required for
FreeBSD/alpha.  The most significant item is to change the command
argument to ioctl functions from int to u_long.  This change brings us
inline with various other BSD versions.  Driver writers may like to
use (__FreeBSD_version == 300003) to detect this change.

The prototype FreeBSD/alpha machdep will follow in a couple of days
time.
1998-06-07 17:13:14 +00:00
bde
5b773a9c2c Fixed pedantic semantics errors (bitfields not of type int, signed int
or unsigned int).
1998-06-07 12:00:13 +00:00
brian
e56ba1efb9 Don't call PunchFWHole() ifdef NO_FW_PUNCH
Pointed out by: "Steve Sims" <SimsS@IBM.Net>
1998-06-06 21:52:37 +00:00
julian
4f3d4b5dd9 Make sure the default value of a dummy variable is 0
so that it doesn't do anything.
1998-06-06 21:49:17 +00:00
julian
30cc111a0f Fix wrong data type for a pointer. 1998-06-06 20:45:28 +00:00
julian
2cda12b561 clean up the changes made to ipfw over the last weeks
(should make the ipfw lkm work again)
1998-06-06 19:39:10 +00:00
jkoshy
0d7d76d982 Spelling corrections.
PR: 6868
Submitted by: Josh Gilliam <josh@quick.net>
1998-06-06 05:50:53 +00:00
julian
54743b71f3 Reviewed by: Kirk Mckusick (mckusick@mckusick.com)
Submitted by:	luoqi Chen
fix a type in fsck.
(also add a comment that got picked up by mistake but is worth adding)
1998-06-05 23:33:26 +00:00
julian
f7a6c64461 Reverse the default sense of the IPFW/DIVERT reinjection code
so that the new behaviour is now default.
Solves the "infinite loop in diversion" problem when more than one diversion
is active.
Man page changes follow.

The new code is in -stable as the NON default option.
1998-06-05 22:40:01 +00:00
peter
10677f7b5c Let the sowwakeup macro decide when to call sowakeup rather than have
tcp "know" about it.  A pending upcall would be missed, eg: used by NFS.

Obtained from: NetBSD
1998-05-31 18:42:49 +00:00
dg
e3df194a9f Fixed logic in the test to drop ICMP echo and timestamp packets when
net.inet.ip.icmp.bmcastecho = 0 by removing the extra check for the
address being a multicast address. The test now relies on the link
layer flags that indicate it was received via multicast. The previous
logic was broken and replied to ICMP echo/timestamp broadcasts even
when the sysctl option disallowed them.
Reviewed by:	wollman
1998-05-26 11:34:30 +00:00
julian
8c304384d0 Add optional code to change the way that divert and ipfw work together.
Prior to this change, Accidental recursion protection was done by
the diverted daemon feeding back the divert port number it got
the packet on, as the port number on a sendto(). IPFW knew not to
redivert a packet to this port (again). Processing of the ruleset
started at the beginning again, skipping that divert port.

The new semantic (which is how we should have done it the first time)
is that the port number in the sendto() is the rule number AFTER which
processing should restart, and on a recvfrom(), the port number is the
rule number which caused the diversion. This is much more flexible,
and also more intuitive. If the user uses the same sockaddr received
when resending, processing resumes at the rule number following that
that caused the diversion. The user can however select to resume rule
processing at any rule. (0 is restart at the beginning)

To enable the new code use

option	IPFW_DIVERT_RESTART

This should become the default as soon as people have looked at it a bit
1998-05-25 10:37:48 +00:00
julian
33ee3bc8fe Hide the interface name in the sin_zero section of the sockaddr_in
passed to the user process for incoming packets. When the sockaddr_in
is passed back to the divert socket later, use thi sas the primary
interface lookup and only revert to the IP address when the name fails.
This solves a long standing bug with divert sockets:
When two interfaces had the same address (P2P for example) the interface
"assigned" to the reinjected packet was sometimes incorect.
Probably we should define a "sockaddr_div" to officially hold this
extended information in teh same manner as sockaddr_dl.
1998-05-25 08:44:31 +00:00
julian
32d9589026 Take the user's "IGNORE_DIVERT" argument from where the user put it
and not from the PCB which HAPPENS to contain the same number most
of the time, but not always.
1998-05-25 07:41:23 +00:00
fenner
5aeeaf27d8 Take IP options into account when calculating the allowable length
of the TCP payload.  See RFC1122 section 4.2.2.6 .  This allows
Path MTU discovery to be used along with IP options.

PR:		problem discovered by Kevin Lahey <kml@nas.nasa.gov>
1998-05-24 18:41:04 +00:00
dg
1b7405b955 The ipt_ptr field is 1-based (see TCP/IP Illustrated, Vol. 1, pp. 91-95),
so it must be adjusted (minus 1) before using it to do the length check.
I'm not sure who to give the credit to, but the bug was reported by
Jennifer Dawn Myers <jdm@enteract.com>, who also supplied a patch. It
was also fixed in OpenBSD previously by andreas.gunnarsson@emw.ericsson.se,
and of course I did the homework to verify that the fix was correct per
the specification.
PR:	6738
1998-05-24 14:59:57 +00:00
amurai
60356ac1dd Primary verison of NetBIOS over TCP/IP. Now you can connect Windows
DOMAIN as DOMAIN user through NAT function. See also RFC1002 for
futher detail of SMB structure.

Submitted by:	Atsushi Murai <amurai@spec.co.jp>
1998-05-24 03:03:10 +00:00
phk
b76b646154 Get more details on the "arpresolve: can't allocate llinfo" bogon.
PR:		2570
Reviewed by:	phk
Submitted by:	fenner
1998-05-23 08:03:40 +00:00
jdp
d796fafffb Fix a typo-bug in ipflow_reap that could cause a NULL pointer
dereference.  I have also sent this fix to Matt Thomas.
1998-05-19 17:47:11 +00:00
pb
d5dbf35cd8 Move (private) struct ipflow out of ip_var.h, to reduce dependencies
(for ipfw for example) on internal implementation details.
Add $Id$ where missing.
1998-05-19 15:53:50 +00:00
dg
337c39bf08 Moved #define of IPFLOW_HASHBITS to ip_flow.c where I think it belongs. 1998-05-19 14:19:03 +00:00
dg
5f8a4130d8 Added fast IP forwarding code by Matt Thomas <matt@3am-software.com> via
NetBSD, ported to FreeBSD by Pierre Beyssac <pb@fasterix.freenix.org> and
minorly tweaked by me.
This is a standard part of FreeBSD, but must be enabled with:
"sysctl -w net.inet.ip.fastforwarding=1" ...and of course forwarding must
also be enabled. This should probably be modified to use the zone
allocator for speed and space efficiency. The current algorithm also
appears to lose if the number of active paths exceeds IPFLOW_MAX (256),
in which case it wastes lots of time trying to figure out which cache
entry to drop.
1998-05-19 14:04:36 +00:00
guido
8a46909d1a Grumble...It seems I'm suffering from some mental disease. Do it correct now. 1998-05-18 17:11:24 +00:00
guido
636533efef Add some parenthesis for clarity and fix a bug
Pointed out by: Garrett Wollmand
1998-05-18 17:07:58 +00:00
wollman
bbc4497ada Convert socket structures to be type-stable and add a version number.
Define a parameter which indicates the maximum number of sockets in a
system, and use this to size the zone allocators used for sockets and
for certain PCBs.

Convert PF_LOCAL PCB structures to be type-stable and add a version number.

Define an external format for infomation about socket structures and use
it in several places.

Define a mechanism to get all PF_LOCAL and PF_INET PCB lists through
sysctl(3) without blocking network interrupts for an unreasonable
length of time.  This probably still has some bugs and/or race
conditions, but it seems to work well enough on my machines.

It is now possible for `netstat' to get almost all of its information
via the sysctl(3) interface rather than reading kmem (changes to follow).
1998-05-15 20:11:40 +00:00
jb
7467b35443 Treat all internet addresses as u_int32_t. 1998-05-10 20:51:46 +00:00
msmith
964ce778b1 In the words of the submitter:
---------
Make callers of namei() responsible for releasing references or locks
instead of having the underlying filesystems do it.  This eliminates
redundancy in all terminal filesystems and makes it possible for stacked
transport layers such as umapfs or nullfs to operate correctly.

Quality testing was done with testvn, and lat_fs from the lmbench suite.

Some NFS client testing courtesy of Patrik Kudo.

vop_mknod and vop_symlink still release the returned vpp.  vop_rename
still releases 4 vnode arguments before it returns.  These remaining cases
will be corrected in the next set of patches.
---------

Submitted by:	Michael Hancock <michaelh@cet.co.jp>
1998-05-07 04:58:58 +00:00
guido
8d0d7f7ab4 Refuse accellerated opens on listening sockets that have not set
the TCP_NOPUSH socket option.
This disables TAO for those  services that do not know about T/TCP.

Reviewed by:	Garrett Wollman
Submitted by:	Peter Wemm
1998-05-04 17:59:52 +00:00
dg
c0b0bc1742 At the request of Garrett, changed sysctl:
net.inet.tcp.delack_enabled -> net.inet.tcp.delayed_ack
1998-04-24 10:08:57 +00:00
dg
a30ffaa134 Ensure that TCP_REXMTVAL doesn't return a value less than t_rttmin. This
is believed to have been broken with the Brakmo/Peterson srtt
calculation changes. The result of this bug is that TCP connections
could time out extremely quickly (in 12 seconds).
Also backed out jdp's partial fix for this problem in rev 1.17 of
tcp_timer.c as it is obsoleted by this commit.
Bug was pointed out by Kevin Lehey <kml@roller.nas.nasa.gov>.

PR:	6068
1998-04-24 09:25:39 +00:00
julian
119056be05 Remove the artificial limit on the size of the ipfw filter structure.
This allows the addition of extra fields if we need them (I have plans).
1998-04-21 18:54:53 +00:00
brian
182404b274 o Support a compile-time -DNO_FW_PUNCH for portability
(and those of us that don't want the functionality).
o Don't assume sizeof(long) == 4.
Ok'd by: Charles Mott <cmott@srv.net>
1998-04-19 21:42:07 +00:00
phk
0f961b2277 According to:
ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers

port numbers are divided into three ranges:

	    0 -  1023 Well Known Ports
	 1024 - 49151 Registered Ports
	49152 - 65535 Dynamic and/or Private Ports

This patch changes the "local port range" from 40000-44999
to the range shown above (plus fix the comment in in_pcb.c).

WARNING: This may have an impact on firewall configurations!

PR:		5402
Reviewed by:	phk
Submitted by:	Stephen J. Roznowski <sjr@home.net>
1998-04-19 17:22:30 +00:00
des
396b114475 Seventy-odd "its" / "it's" typos in comments fixed as per kern/6108. 1998-04-17 22:37:19 +00:00
bde
b598f559b2 Support compiling with `gcc -ansi'. 1998-04-15 17:47:40 +00:00
phk
808bee281c Wrong header length used for certain reassembled IP packets.
PR:		6177
Reviewed by:	phk, wollman
Submitted by:	Eric Sprinkle <eric@ennovatenetworks.com>
1998-04-13 17:27:08 +00:00
phk
4b6dfe92bd Use read_random() 1998-04-06 11:40:42 +00:00
phk
e9827cb58f Remove the last traces of TUBA.
Inspired by:	PR kern/3317
1998-04-06 06:52:47 +00:00
phk
9b703b1455 Eradicate the variable "time" from the kernel, using various measures.
"time" wasn't a atomic variable, so splfoo() protection were needed
around any access to it, unless you just wanted the seconds part.

Most uses of time.tv_sec now uses the new variable time_second instead.

gettime() changed to getmicrotime(0.

Remove a couple of unneeded splfoo() protections, the new getmicrotime()
is atomic, (until Bruce sets a breakpoint in it).

A couple of places needed random data, so use read_random() instead
of mucking about with time which isn't random.

Add a new nfs_curusec() function.

Mark a couple of bogosities involving the now disappeard time variable.

Update ffs_update() to avoid the weird "== &time" checks, by fixing the
one remaining call that passwd &time as args.

Change profiling in ncr.c to use ticks instead of time.  Resolution is
the same.

Add new function "tvtohz()" to avoid the bogus "splfoo(), add time, call
hzto() which subtracts time" sequences.

Reviewed by:	bde
1998-03-30 09:56:58 +00:00
bde
cd450d6714 Moved some #includes from <sys/param.h> nearer to where they are actually
used.
1998-03-28 10:33:27 +00:00
bde
dee7f44b92 Fixed style bugs (mostly) in previous commit. 1998-03-28 10:18:26 +00:00
bde
f6e8fc035e Get socket and locking stuff by including <sys/socket.h> and <sys/lock.h>,
not by including <sys/mount.h> and depending on namespace pollution in it.
1998-03-28 08:07:12 +00:00
peter
c169f0d4ec When building in in the kernel rather than as a LKM, don't compile
all the LKM load/unload junk, and don't forget to register the SYSINIT
so that the cdevsw entry is attached.

BTW: I think the way it builds it's /dev nodes on the fly as an LKM with
vnode ops is kinda cute - I guess that'd be one way to solve the devfs
persistance problems.. :-)  (ie: have the drivers make the nodes in /dev
on disk directly if they are missing, but leave them alone if present).
1998-03-27 18:08:08 +00:00
peter
817278db3e allow open on all minors 1998-03-27 18:03:13 +00:00
peter
3d734edb31 A fix for a link down route cleanup panic, when the route cleanup
pulls the rug out from underneath itself.

Obtained from: wollman (a few months ago, I've been using this for ages)
1998-03-27 14:30:18 +00:00
wollman
d43e6115b6 Use the zone allocator to allocate inpcbs and tcpcbs. Each protocol creates
its own zone; this is used particularly by TCP which allocates both inpcb and
tcpcb in a single allocation.  (Some hackery ensures that the tcpcb is
reasonably aligned.)  Also keep track of the number of pcbs of each type
allocated, and keep a generation count (instance version number) for future
use.
1998-03-24 18:06:34 +00:00
bde
b050b13250 FixedSpellingErrorInAFunctionname. 1998-03-23 12:28:31 +00:00
peter
e34da97453 Make it compile.. missing "opt_ipfilter.h" and missing <sys/malloc.h> 1998-03-21 14:42:45 +00:00
peter
6858636bc2 Some patchups for when this code is compiled in userland (!). 1998-03-21 13:37:44 +00:00
peter
5ff823240b replaced by FreeBSD specific version 1998-03-21 11:36:36 +00:00