Commit Graph

1339 Commits

Author SHA1 Message Date
Matthew Dillon
262c1c1a4e Fix a bug with transmitter restart after receiving a 0 window. The
receiver was not sending an immediate ack with delayed acks turned on
when the input buffer is drained, preventing the transmitter from
restarting immediately.

Propogate the TCP_NODELAY option to accept()ed sockets.  (Helps tbench and
is a good idea anyway).

Some cleanup.  Identify additonal issues in comments.

MFC after:	1 day
2001-12-02 08:49:29 +00:00
Ruslan Ermilov
04d59553b2 Allow for ip_output() to be called with a NULL route pointer.
This fixes a panic I introduced yesterday in ip_icmp.c,v 1.64.
2001-12-01 13:48:16 +00:00
Mike Barcroft
de2656d0ed o Stop abusing MD headers with non-MD types.
o Hide nonstandard functions and types in <netinet/in.h> when
  _POSIX_SOURCE is defined.
o Add some missing types (required by POSIX.1-200x) to <netinet/in.h>.
o Restore vendor ID from Rev 1.1 in <netinet/in.h> and make use of new
  __FBSDID() macro.
o Fix some miscellaneous issues in <arpa/inet.h>.
o Correct final argument for the inet_ntop() function (POSIX.1-200x).
o Get rid of the namespace pollution from <sys/types.h> in
  <arpa/inet.h>.

Reviewed by:		fenner
Partially submitted by:	bde
2001-12-01 03:43:01 +00:00
Matthew Dillon
d912c694ee The transmit burst limit for newreno completely breaks TCP's performance
if the receive side is using delayed acks.  Temporarily remove it.

MFC after:	0 days
2001-11-30 21:33:39 +00:00
Brian Somers
0f02fdac67 During SIOCAIFADDR, if in_ifinit() fails and we've already added an
interface address, blow the address away again before returning the
error.

In in_ifinit(), if we get an error from rtinit() and we've also got
a destination address, return the error rather than masking EEXISTS.
Failing to create a host route when configuring an interface should
be treated as an error.
2001-11-30 14:00:55 +00:00
Ruslan Ermilov
bd7142087b - Make ip_rtaddr() global, and use it to look up the correct source
address in icmp_reflect().
- Two new "struct icmpstat" members: icps_badaddr and icps_noroute.

PR:		kern/31575
Obtained from:	BSD/OS
MFC after:	1 week
2001-11-30 10:40:28 +00:00
Dima Dorfman
3a33b1b3b7 ipfw_modevent(): Don't use an unnatural block to define a variable
(fcp) that's already defined in the outer block and isn't used
anywhere else.  This silences -Wunused.

Reviewed by:	md5(1)
2001-11-27 20:32:47 +00:00
Dima Dorfman
e8d41815df Remove debugging printfs that weren't conditional on any debugging
options in handling MOD_{UN,}LOAD (they weren't very useful, anyway).
2001-11-27 20:28:48 +00:00
Dima Dorfman
0d4bef5dd4 In icmp_reflect(): If the packet was not addressed to us and was
received on an interface without an IP address, try to find a
non-loopback AF_INET address to use.  If that fails, drop it.
Previously, we used the address at the top of the in_ifaddrhead list,
which didn't make much sense, and would cause a panic if there were no
AF_INET addresses configured on the system.

PR:		29337, 30524
Reviewed by:	ru, jlemon
Obtained from:	NetBSD
2001-11-27 19:58:09 +00:00
Robert Watson
38e04732fc Add include of net/route.h, as structures moved around due to the
syncache rely on 'struct route' being defined.  This fixes the
LINT build some.
2001-11-27 17:36:39 +00:00
Seigo Tanimura
df89626872 Clear a new syncache entry first, followed by filling in values. This
fixes route breakage due to uncleared gabage on my box.
2001-11-27 11:55:28 +00:00
Ruslan Ermilov
8573e68110 When servicing an internal FTP server, punch ipfirewall(4) holes
for passive mode data connections (PASV/EPSV -> 227/229).  Well,
the actual punching happens a bit later, when the aliasing link
becomes fully specified.

Prodded by:	Danny Carroll <dannycarroll@hotmail.com>
MFC after:	1 week
2001-11-27 10:50:23 +00:00
Ruslan Ermilov
8ba0396688 Restore the ability to use IP_FW_ADD with setsockopt(2) that got
broken in revision 1.86.  This broke natd(8)'s -punch_fw option.

Reported by:	Daniel Rock <D.Rock@t-online.de>,
		setantae <setantae@submonkey.net>
2001-11-26 10:05:58 +00:00
Bruce Evans
419d3454b1 Fixed a buffer overrun. In my kernel configuration, tcp_syncache happens
to be followed by nfsnodehashtbl, so bzeroing callouts beyond the end of
tcp_syncache soon caused a null pointer panic when nfsnodehashtbl was
accessed.
2001-11-23 12:31:27 +00:00
Jonathan Lemon
be2ac88c59 Introduce a syncache, which enables FreeBSD to withstand a SYN flood
DoS in an improved fashion over the existing code.

Reviewed by: silby  (in a previous iteration)
Sponsored by: DARPA, NAI Labs
2001-11-22 04:50:44 +00:00
Jonathan Lemon
d00fd2011d Move initialization of snd_recover into tcp_sendseqinit(). 2001-11-21 18:45:51 +00:00
Matthew Dillon
b1e4abd246 Give struct socket structures a ref counting interface similar to
vnodes.  This will hopefully serve as a base from which we can
expand the MP code.  We currently do not attempt to obtain any
mutex or SX locks, but the door is open to add them when we nail
down exactly how that part of it is going to work.
2001-11-17 03:07:11 +00:00
Robert Watson
ce17880650 o Replace reference to 'struct proc' with 'struct thread' in 'struct
sysctl_req', which describes in-progress sysctl requests.  This permits
  sysctl handlers to have access to the current thread, permitting work
  on implementing td->td_ucred, migration of suser() to using struct
  thread to derive the appropriate ucred, and allowing struct thread to be
  passed down to other code, such as network code where td is not currently
  available (and curproc is used).

o Note: netncp and netsmb are not updated to reflect this change, as they
  are not currently KSE-adapted.

Reviewed by:		julian
Obtained from:	TrustedBSD Project
2001-11-08 02:13:18 +00:00
Andrew R. Reiter
83103a7397 - Fixes non-zero'd out sin_zero field problem so that the padding
is used as it is supposed to be.

Inspired by: PR #31704
Approved by: jdp
Reviewed by: jhb, -net@
2001-11-06 00:48:01 +00:00
Poul-Henning Kamp
d3c64689d8 3.5 years ago Wollman wrote:
"[...] and removes the hostcache code from standard kernels---the
   code that depends on it is not going to happen any time soon,
   I'm afraid."
Time to clean up.
2001-11-05 21:25:02 +00:00
Luigi Rizzo
7b109fa404 MFS: sync the ipfw/dummynet/bridge code with the one recently merged
into stable (mostly , but not only, formatting and comments changes).
2001-11-04 22:56:25 +00:00
Luigi Rizzo
09b2ca212b s/FREE/free/ 2001-11-04 17:35:31 +00:00
Brian Somers
e83aaae350 cmott@scientech.com -> cm@linktel.net
Requested by:	Charles Mott <cmott@scientech.com>
2001-11-03 11:34:09 +00:00
Bill Paul
3528d68f71 Fix a (long standing?) bug in ip_output(): if ip_insertoptions() is
called and ip_output() encounters an error and bails (i.e. host
unreachable), we will leak an mbuf. This is because the code calls
m_freem(m0) after jumping to the bad: label at the end of the function,
when it should be calling m_freem(m). (m0 is the original mbuf list
_without_ the options mbuf prepended.)

Obtained from:	NetBSD
2001-10-30 18:15:48 +00:00
Dag-Erling Smørgrav
bc183b3fe8 Make sure the netmask always has an address family. This fixes Linux
ifconfig, which expects the address returned by the SIOCGIFNETMASK ioctl
to have a valid sa_family.  Similar changes may be necessary for IPv6.

While we're here, get rid of an unnecessary temp variable.

MFC after:	2 weeks
2001-10-30 15:57:20 +00:00
Jonathan Lemon
35609d458d When dropping a packet because there is no room in the queue (which itself
is somewhat bogus), update the statistics to indicate something was dropped.

PR: 13740
2001-10-30 14:58:27 +00:00
Josef Karthauser
06dae58b17 A few more style changes picked up whilst working on an MFC to -stable. 2001-10-29 15:09:07 +00:00
Josef Karthauser
f227535cd8 Fix some whitespace, and a comment that I missed in the last commit. 2001-10-29 14:08:51 +00:00
Josef Karthauser
25549c009a Clean up the style of this header file. 2001-10-29 04:41:28 +00:00
Matthew Dillon
2326da5db5 fix int argument used in printf w/ %ld (cast to long) 2001-10-29 02:19:19 +00:00
Jonathan Lemon
0751407193 Don't use the ip_timestamp structure to access timestamp options, as the
compiler may cause an unaligned access to be generated in some cases.

PR: 30982
2001-10-25 06:27:51 +00:00
Jonathan Lemon
ec691a10e6 If we are bridging, fall back to using any inet address in the system,
irrespective of receive interface, as a last resort.

Submitted by: ru
2001-10-25 06:14:21 +00:00
Jonathan Lemon
807b8338ba Relocate the KASSERT for a null recvif to a location where it will
actually do some good.

Pointed out by: ru
2001-10-25 05:56:30 +00:00
Hajimu UMEMOTO
cb34210012 restore the data of the ip header when extended udp header and data checksum
is calculated.  this caused some trouble in the code which the ip header
is not modified.  for example, inbound policy lookup failed.

Obtained from:	KAME
MFC after:	1 week
2001-10-22 12:43:30 +00:00
Jonathan Lemon
d8b84d9e07 Only examine inet addresses of the interface. This was broken in r1.83,
with the result that the system would reply to an ARP request of 0.0.0.0
2001-10-20 05:14:06 +00:00
Ruslan Ermilov
8071913df2 Pull post-4.4BSD change to sys/net/route.c from BSD/OS 4.2.
Have sys/net/route.c:rtrequest1(), which takes ``rt_addrinfo *''
as the argument.  Pass rt_addrinfo all the way down to rtrequest1
and ifa->ifa_rtrequest.  3rd argument of ifa->ifa_rtrequest is now
``rt_addrinfo *'' instead of ``sockaddr *'' (almost noone is
using it anyways).

Benefit: the following command now works.  Previously we needed
two route(8) invocations, "add" then "change".
# route add -inet6 default ::1 -ifp gif0

Remove unsafe typecast in rtrequest(), from ``rtentry *'' to
``sockaddr *''.  It was introduced by 4.3BSD-Reno and never
corrected.

Obtained from:	BSD/OS, NetBSD
MFC after:	1 month
PR:		kern/28360
2001-10-17 18:07:05 +00:00
Max Khon
322dcb8d3d bring in ARP support for variable length link level addresses
Reviewed by:	jdp
Approved by:	jdp
Obtained from:	NetBSD
MFC after:	6 weeks
2001-10-14 20:17:53 +00:00
Robert Watson
8a7d8cc675 - Combine kern.ps_showallprocs and kern.ipc.showallsockets into
a single kern.security.seeotheruids_permitted, describes as:
  "Unprivileged processes may see subjects/objects with different real uid"
  NOTE: kern.ps_showallprocs exists in -STABLE, and therefore there is
  an API change.  kern.ipc.showallsockets does not.
- Check kern.security.seeotheruids_permitted in cr_cansee().
- Replace visibility calls to socheckuid() with cr_cansee() (retain
  the change to socheckuid() in ipfw, where it is used for rule-matching).
- Remove prison_unpcb() and make use of cr_cansee() against the UNIX
  domain socket credential instead of comparing root vnodes for the
  UDS and the process.  This allows multiple jails to share the same
  chroot() and not see each others UNIX domain sockets.
- Remove unused socheckproc().

Now that cr_cansee() is used universally for socket visibility, a variety
of policies are more consistently enforced, including uid-based
restrictions and jail-based restrictions.  This also better-supports
the introduction of additional MAC models.

Reviewed by:	ps, billf
Obtained from:	TrustedBSD Project
2001-10-09 21:40:30 +00:00
Jayanth Vijayaraghavan
c24d5dae7a Add a flag TF_LASTIDLE, that forces a previously idle connection
to send all its data, especially when the data is less than one MSS.
This fixes an issue where the stack was delaying the sending
of data, eventhough there was enough window to send all the data and
the sending of data was emptying the socket buffer.

Problem found by Yoshihiro Tsuchiya (tsuchiya@flab.fujitsu.co.jp)

Submitted by: Jayanth Vijayaraghavan
2001-10-05 21:33:38 +00:00
Paul Saab
4787fd37af Only allow users to see their own socket connections if
kern.ipc.showallsockets is set to 0.

Submitted by:	billf (with modifications by me)
Inspired by:	Dave McKay (aka pm aka Packet Magnet)
Reviewed by:	peter
MFC after:	2 weeks
2001-10-05 07:06:32 +00:00
Paul Saab
db69a05dce Make it so dummynet and bridge can be loaded as modules.
Submitted by:	billf
2001-10-05 05:45:27 +00:00
Jonathan Lemon
22c819a73a in_ifinit apparently can be used to rewrite an ip address; recalculate
the correct hash bucket for the entry.

Submitted by: iedowse  (with some munging by me)
2001-10-01 18:07:08 +00:00
Luigi Rizzo
cc33247e33 Fix a problem with unnumbered rules introduced in latest commit.
Reported by: des
2001-10-01 17:35:54 +00:00
Ruslan Ermilov
32eef9aeb1 mdoc(7) police: Use the new .In macro for #include statements. 2001-10-01 16:09:29 +00:00
Matthew Dillon
e2505aa676 Add __FBSDID's to libalias 2001-09-30 21:03:33 +00:00
Jonathan Lemon
01a5f19070 Nuke unused (and incorrect) #define of INADDR_HMASK.
Spotted by: ru
2001-09-29 14:59:20 +00:00
Jonathan Lemon
a931d7ed29 Make the INADDR_TO_IFP macro use the IP address hash lookup instead of
walking the entire list of IP addresses.

Pointed out by: bfumerola
2001-09-29 06:16:02 +00:00
Jonathan Lemon
ca925d9c17 Add a hash table that contains the list of internet addresses, and use
this in place of the in_ifaddr list when appropriate.  This improves
performance on hosts which have a large number of IP aliases.
2001-09-29 04:34:11 +00:00
Jonathan Lemon
9a10980e2a Centralize satosin(), sintosa() and ifatoia() macros in <netinet/in.h>
Remove local definitions.
2001-09-29 03:23:44 +00:00
Luigi Rizzo
830cc17841 Two main changes here:
+ implement "limit" rules, which permit to limit the number of sessions
   between certain host pairs (according to masks). These are a special
   type of stateful rules, which might be of interest in some cases.
   See the ipfw manpage for details.

 + merge the list pointers and ipfw rule descriptors in the kernel, so
   the code is smaller, faster and more readable. This patch basically
   consists in replacing "foo->rule->bar" with "rule->bar" all over
   the place.
   I have been willing to do this for ages!

MFC after: 1 week
2001-09-27 23:44:27 +00:00
Luigi Rizzo
832d32eb5b Remove unused (and duplicate) struct ip_opts which is never used,
not referenced in Stevens, and does not compile with g++.
There is an equivalent structure, struct ipoption in ip_var.h
which is actually used in various parts of the kernel, and also referenced
in Stevens.

Bill Fenner also says:
... if you want the trivia, struct ip_opts was introduced
in in.h SCCS revision 7.9, on 6/28/1990, by Mike Karels.
struct ipoption was introduced in ip_var.h SCCS revision 6.5,
on 9/16/1985, by... Mike Karels.

MFC-after: 3 days
2001-09-27 11:53:22 +00:00
Brooks Davis
49c024e373 Include sys/proc.h for the definition of securelevel_ge().
Submitted by:	LINT
2001-09-26 21:53:20 +00:00
Robert Watson
785f9ffca3 o Modify IPFW and DUMMYNET administrative setsockopt() calls to use
securelevel_gt() to check the securelevel, rather than direct access
  to the securelevel variable.

Obtained from:	TrustedBSD Project
2001-09-26 19:58:29 +00:00
Brooks Davis
9494d5968f Make faith loadable, unloadable, and clonable. 2001-09-25 18:40:52 +00:00
Luigi Rizzo
078156d09d Fix a null pointer dereference introduced in the last commit, plus
remove a useless assignment and move a comment.

Submitted by: Thomas Moestl
2001-09-24 05:24:19 +00:00
Ruslan Ermilov
c1dd00f75c Fixed the bug that prevented communication with FTP servers behind
NAT in extended passive mode if the server's public IP address was
different from the main NAT address.  This caused a wrong aliasing
link to be created that did not route the incoming packets back to
the original IP address of the server.

	natd -v -n pub0 -redirect_address localFTP publicFTP

Note that even if localFTP == publicFTP, one still needs to supply
the -redirect_address directive.  It is needed as a helper because
extended passive mode's 229 reply does not contain the IP address.

MFC after:	1 week
2001-09-21 14:38:36 +00:00
Robert Watson
94088977c9 o Rename u_cansee() to cr_cansee(), making the name more comprehensible
in the face of a rename of ucred to cred, and possibly generally.

Obtained from:	TrustedBSD Project
2001-09-20 21:45:31 +00:00
Luigi Rizzo
32f967a3c0 A bunch of minor changes to the code (see below) for readability, code size
and speed. No new functionality added (yet) apart from a bugfix.
MFC will occur in due time and probably in stages.

BUGFIX: fix a problem in old code which prevented reallocation of
the hash table for dynamic rules (there is a PR on this).

OTHER CHANGES: minor changes to the internal struct for static and dynamic rules.
Requires rebuild of ipfw binary.

Add comments to show how data structures are linked together.
(It probably makes no sense to keep the chain pointers separate
from actual rule descriptors. They will be hopefully merged soon.

keep a (sysctl-readable) counter for the number of static rules,
to speed up IP_FW_GET operations

initial support for a "grace time" for expired connections, so we
can set timeouts for closing connections to much shorter times.

merge zero_entry() and resetlog_entry(), they use basically the
same code.

clean up and reduce replication of code for removing rules,
both for readability and code size.

introduce a separate lifetime for dynamic UDP rules.

fix a problem in old code which prevented reallocation of
the hash table for dynamic rules (PR ...)

restructure dynamic rule descriptors

introduce some local variables to avoid multiple dereferencing of
pointer chains (reduces code size and hopefully increases speed).
2001-09-20 13:52:49 +00:00
Munechika SUMIKAWA
862e52ea61 Fixed comment: ipip_input -> mroute_encapcheck.
Reported by:	bde
2001-09-20 07:59:45 +00:00
Munechika SUMIKAWA
33ae84b7c6 Removed ipip_input(). No codes calls it anymore due to ip_encap.c's
encapsulation support.
2001-09-18 14:52:20 +00:00
Julian Elischer
b40ce4165d KSE Milestone 2
Note ALL MODULES MUST BE RECOMPILED
make the kernel aware that there are smaller units of scheduling than the
process. (but only allow one thread per process at this time).
This is functionally equivalent to teh previousl -current except
that there is a thread associated with each process.

Sorry john! (your next MFC will be a doosie!)

Reviewed by: peter@freebsd.org, dillon@freebsd.org

X-MFC after:    ha ha ha ha
2001-09-12 08:38:13 +00:00
Julian Elischer
aa1489d4fa Remove some un-needed code that was accidentally included in
the 2nd previous KAME patch.

Submitted by:	SUMIKAWA Munechika <sumikawa@ebina.hitachi.co.jp>
2001-09-07 07:24:28 +00:00
Julian Elischer
ff265614c1 Patches from KAME to remove usage of Varargs in existing
IPV4 code. For now they will still have some in the developing stuff (IPv6)

Submitted by:	Keiichi SHIMA / <keiichi@iij.ad.jp>
Obtained from:	KAME
2001-09-07 07:19:12 +00:00
Jonathan Lemon
f9132cebdc Wrap array accesses in macros, which also happen to be lvalues:
ifnet_addrs[i - 1]  -> ifaddr_byindex(i)
        ifindex2ifnet[i]    -> ifnet_byindex(i)

This is intended to ease the conversion to SMPng.
2001-09-06 02:40:43 +00:00
Alfred Perlstein
75ce322136 Fix sysctl comment field, s/the the/then the
Pointed out by: ru
2001-09-04 15:25:23 +00:00
Alfred Perlstein
e3d123d63d Allow disabling of "arp moved" messages.
Submitted by: Stephen Hurd <deuce@lordlegacy.org>
2001-09-03 21:53:15 +00:00
Julian Elischer
4d2c57188f I really hope this is the right answer.
call ip_input directly but take the offset off the
packet first if it's an IPV4 packet encapsulated.
2001-09-03 21:07:31 +00:00
Julian Elischer
7dd66b4ad8 Call ip_input() instead of ipip_input()
when decoding encapsulated ipv4 packets.
(allows line to compile again)
2001-09-03 20:55:35 +00:00
Julian Elischer
2e4f1ee934 One caller of rip_input failed to be converted in the last commit. 2001-09-03 20:40:35 +00:00
Julian Elischer
f0ffb944d2 Patches from Keiichi SHIMA <keiichi@iij.ad.jp>
to make ip use the standard protosw structure again.

Obtained from: Well, KAME I guess.
2001-09-03 20:03:55 +00:00
Jayanth Vijayaraghavan
e7e2b80184 when newreno is turned on, if dupacks = 1 or dupacks = 2 and
new data is acknowledged, reset the dupacks to 0.
The problem was spotted when a connection had its send buffer full
because the congestion window was only 1 MSS and was not being incremented
because dupacks was not reset to 0.

Obtained from:		Yahoo!
2001-08-29 23:54:13 +00:00
Jesper Skriver
3b8123b72c When net.inet.tcp.icmp_may_rst is enabled, report ECONNREFUSED not ENETRESET
to the application as a RST would, this way we're compatible with the most
applications.

MFC candidate.

Submitted by:	Scott Renfro <scott@renfro.org>
Reviewed by:	Mike Silbersack <silby@silby.com>
2001-08-27 22:10:07 +00:00
Bill Fumerola
52cf11d8a1 the IP_FW_GET code in ip_fw_ctl() sizes a buffer to hold information
about rules and dynamic rules. it later fills this buffer with these
rules.

it also takes the opporunity to compare the expiration of the dynamic
rules with the current time and either marks them for deletion or simply
charges the countdown.

unfortunatly it does this all (the sizing, the buffer copying, and the
expiration GC) with no spl protection whatsoever. it was possible for
the dynamic rule(s) to be ripped out from under the request before it
had completed, resulting in corrupt memory dereferencing.

Reviewed by:	ps
MFC before:	4.4-RELEASE, hopefully.
2001-08-26 10:09:47 +00:00
Dima Dorfman
745bab7f84 Correct a typo in a comment: FIN_WAIT2 -> FIN_WAIT_2
PR:		29970
Submitted by:	Joseph Mallett <jmallett@xMach.org>
2001-08-23 22:34:29 +00:00
Mike Silbersack
b0e3ad758b Much delayed but now present: RFC 1948 style sequence numbers
In order to ensure security and functionality, RFC 1948 style
initial sequence number generation has been implemented.  Barring
any major crypographic breakthroughs, this algorithm should be
unbreakable.  In addition, the problems with TIME_WAIT recycling
which affect our currently used algorithm are not present.

Reviewed by: jesper
2001-08-22 00:58:16 +00:00
Ruslan Ermilov
d86293dbea Added TFTP support.
Submitted by:	Joe Clarke <marcus@marcuscom.com>
MFC after:	2 weeks
2001-08-21 16:25:38 +00:00
Ruslan Ermilov
04c3e33949 Close the "IRC DCC" security breach reported recently on Bugtraq.
Submitted by:	Makoto MATSUSHITA <matusita@jp.FreeBSD.org>
2001-08-21 11:21:08 +00:00
Brian Somers
f68e0a68d8 Make the copyright consistent.
Previously approved by:	Charles Mott <cmott@scientech.com>
2001-08-20 22:57:33 +00:00
Brian Somers
7806546c39 Handle snprintf() returning -1
MFC after: 2 weeks
2001-08-20 12:06:42 +00:00
Julian Elischer
2b6a0c4fcd Make the protoswitch definitiosn checkable in the same way that
cdevsw entries have been for a long time.
Discover that we now have two version sof the same structure.
I will shoot one of them shortly when I figure out why someone thinks
they need it. (And I can prove they don't)
(netinet/ipprotosw.h should GO AWAY)
2001-08-10 23:17:22 +00:00
Ruslan Ermilov
c4d9468ea0 mdoc(7) police:
Avoid using parenthesis enclosure macros (.Pq and .Po/.Pc) with plain text.
Not only this slows down the mdoc(7) processing significantly, but it also
has an undesired (in this case) effect of disabling hyphenation within the
entire enclosed block.
2001-08-07 15:48:51 +00:00
Hajimu UMEMOTO
e43cc4ae36 When running aplication joined multicast address,
removing network card, and kill aplication.
imo_membership[].inm_ifp refer interface pointer
after removing interface.
When kill aplication, release socket,and imo_membership.
imo_membership use already not exist interface pointer.
Then, kernel panic.

PR:		29345
Submitted by:	Inoue Yuichi <inoue@nd.net.fujitsu.co.jp>
Obtained from:	KAME
MFC after:	3 days
2001-08-04 17:10:14 +00:00
Daniel C. Sobral
07203494d2 MFS: Avoid dropping fragments in the absence of an interface address.
Noticed by:	fenner
Submitted by:	iedowse
Not committed to current by:	iedowse ;-)
2001-08-03 17:36:06 +00:00
Peter Wemm
57e119f6f2 Fix a warning. 2001-07-27 00:04:39 +00:00
Peter Wemm
016517247f Patch up some style(9) stuff in tcp_new_isn() 2001-07-27 00:03:49 +00:00
Peter Wemm
92971bd3f1 s/OpemBSD/OpenBSD/ 2001-07-27 00:01:48 +00:00
Hajimu UMEMOTO
13cf67f317 move ipsec security policy allocation into in_pcballoc, before
making pcbs available to the outside world.  otherwise, we will see
inpcb without ipsec security policy attached (-> panic() in ipsec.c).

Obtained from:	KAME
MFC after:	3 days
2001-07-26 19:19:49 +00:00
Bill Fenner
3f2e902a15 Somewhat modernize ip_mroute.c:
- Use sysctl to export stats
- Use ip_encap.c's encapsulation support
- Update lkm to kld (is 6 years a record for a broken module?)
- Remove some unused cruft
2001-07-25 20:15:49 +00:00
Ruslan Ermilov
38c1bc358b Avoid a NULL pointer derefence introduced in rev. 1.129.
Problem noticed by:	bde, gcc(1)
Panic caught by:	mjacob
Patch tested by:	mjacob
2001-07-23 16:50:01 +00:00
Ruslan Ermilov
f2c2962ee5 Backout non-functional changes from revision 1.128.
Not objected to by:	dcs
2001-07-19 07:10:30 +00:00
Daniel C. Sobral
3afefa3924 Skip the route checking in the case of multicast packets with known
interfaces.

Reviewed by:	people at that channel
Approved by:	silence on -net
2001-07-17 18:47:48 +00:00
Ruslan Ermilov
9f81cc840b Backout damage to the INADDR_TO_IFP() macro in revision 1.7.
This macro was supposed to only match local IP addresses of
interfaces, and all consumers of this macro assume this as
well.  (See IP_MULTICAST_IF and IP_ADD_MEMBERSHIP socket
options in the ip(4) manpage.)

This fixes a major security breach in IPFW-based firewalls
where the `me' keyword would match the other end of a P2P
link.

PR:		kern/28567
2001-07-17 10:30:21 +00:00
David E. O'Brien
81e561cdf2 Bump net.inet.tcp.sendspace to 32k and net.inet.tcp.recvspace to 65k.
This should help us in nieve benchmark "tests".

It seems a wide number of people think 32k buffers would not cause major
issues, and is in fact in use by many other OS's at this time.  The
receive buffers can be bumped higher as buffers are hardly used and several
research papers indicate that receive buffers rarely use much space at all.

Submitted by:			Leo Bicknell <bicknell@ufp.org>
				<20010713101107.B9559@ussenterprise.ufp.org>
Agreed to in principle by:	dillon (at the 32k level)
2001-07-13 18:38:04 +00:00
Ruslan Ermilov
a307d59838 mdoc(7) police: removed HISTORY info from the .Os call. 2001-07-10 13:41:46 +00:00
Mike Silbersack
2d610a5028 Temporary feature: Runtime tuneable tcp initial sequence number
generation scheme.  Users may now select between the currently used
OpenBSD algorithm and the older random positive increment method.

While the OpenBSD algorithm is more secure, it also breaks TIME_WAIT
handling; this is causing trouble for an increasing number of folks.

To switch between generation schemes, one sets the sysctl
net.inet.tcp.tcp_seq_genscheme.  0 = random positive increments,
1 = the OpenBSD algorithm.  1 is still the default.

Once a secure _and_ compatible algorithm is implemented, this sysctl
will be removed.

Reviewed by: jlemon
Tested by: numerous subscribers of -net
2001-07-08 02:20:47 +00:00
Brooks Davis
53dab5fe7b gif(4) and stf(4) modernization:
- Remove gif dependencies from stf.
 - Make gif and stf into modules
 - Make gif cloneable.

PR:		kern/27983
Reviewed by:	ru, ume
Obtained from:	NetBSD
MFC after:	1 week
2001-07-02 21:02:09 +00:00
Crist J. Clark
92a99815a8 While in there fixing a fragment logging bug, fix it so we log
fragments "right." Log fragment information tcpdump(8)-style,

   Jul  1 19:38:45 bubbles /boot/kernel/kernel: ipfw: 1000 Accept ICMP:8.0 192.168.64.60 192.168.64.20 in via ep0 (frag 53113:1480@0+)

That is, instead of the old,

  ... Fragment = <offset/8>

Do,

  ... (frag <IP ID>:<data len>@<offset>[+])

PR:		kern/23446
Approved by:	ru
MFC after:	1 week
2001-07-02 15:50:31 +00:00
Ruslan Ermilov
8bf82a92d5 Backout CSRG revision 7.22 to this file (if in_losing notices an
RTF_DYNAMIC route, it got freed twice).  I am not sure what was
the actual problem in 1992, but the current behavior is memory
leak if PCB holds a reference to a dynamically created/modified
routing table entry.  (rt_refcnt>0 and we don't call rtfree().)

My test bed was:

1.  Set net.inet.tcp.msl to a low value (for test purposes), e.g.,
    5 seconds, to speed up the transition of TCP connection to a
    "closed" state.
2.  Add a network route which causes ICMP redirect from the gateway.
3.  ping(8) host H that matches this route; this creates RTF_DYNAMIC
    RTF_HOST route to H.  (I was forced to use ICMP to cause gateway
    to generate ICMP host redirect, because gateway in question is a
    4.2-STABLE system vulnerable to a problem that was fixed later in
    ip_icmp.c,v 1.39.2.6, and TCP packets with DF bit set were
    triggering this bug.)
4.  telnet(1) to H
5.  Block access to H with ipfw(8)
6.  Send something in telnet(1) session; this causes EPERM, followed
    by an in_losing() call in a few seconds.
7.  Delete ipfw(8) rule blocking access to H, and wait for TCP
    connection moving to a CLOSED state; PCB is freed.
8.  Delete host route to H.
9.  Watch with netstat(1) that `rttrash' increased.
10. Repeat steps 3-9, and watch `rttrash' increases.

PR:		kern/25421
MFC after:	2 weeks
2001-06-29 12:07:29 +00:00
Ruslan Ermilov
3277d1c498 Fixed the brain-o in rev. 1.10: the logic check was reversed.
Reported by:	Bernd Fuerwitt <bf@fuerwitt.de>
2001-06-27 14:11:25 +00:00
Ruslan Ermilov
a447a5ae06 Bring in fix from NetBSD's revision 1.16:
Pass the correct destination address for the route-to-gateway case.

PR:		kern/10607
MFC after:	2 weeks
2001-06-26 09:00:50 +00:00
David Malone
7ce87f1205 Allow getcred sysctl to work in jailed root processes. Processes can
only do getcred calls for sockets which were created in the same jail.
This should allow the ident to work in a reasonable way within jails.

PR:		28107
Approved by:	des, rwatson
2001-06-24 12:18:27 +00:00
Jonathan Lemon
f962cba5c3 Replace bzero() of struct ip with explicit zeroing of structure members,
which is faster.
2001-06-23 17:44:27 +00:00
Ruslan Ermilov
c73d99b567 Add netstat(1) knob to reset net.inet.{ip|icmp|tcp|udp|igmp}.stats.
For example, ``netstat -s -p ip -z'' will show and reset IP stats.

PR:		bin/17338
2001-06-23 17:17:59 +00:00
Mike Silbersack
08517d530e Eliminate the allocation of a tcp template structure for each
connection.  The information contained in a tcptemp can be
reconstructed from a tcpcb when needed.

Previously, tcp templates required the allocation of one
mbuf per connection.  On large systems, this change should
free up a large number of mbufs.

Reviewed by:	bmilekic, jlemon, ru
MFC after: 2 weeks
2001-06-23 03:21:46 +00:00
Munechika SUMIKAWA
a96c00661a - Renumber KAME local ICMP types and NDP options numberes beacaues they
are duplicated by newly defined types/options in RFC3121
- We have no backward compatibility issue. There is no apps in our
  distribution which use the above types/options.

Obtained from:	KAME
MFC after:	2 weeks
2001-06-21 07:08:43 +00:00
Hajimu UMEMOTO
ff2428299f made sure to use the correct sa_len for rtalloc().
sizeof(ro_dst) is not necessarily the correct one.
this change would also fix the recent path MTU discovery problem for the
destination of an incoming TCP connection.

Submitted by:	JINMEI Tatuya <jinmei@kame.net>
Obtained from:	KAME
MFC after:	2 weeks
2001-06-20 12:32:48 +00:00
Jonathan Lemon
08aadfbb98 Do not perform arp send/resolve on an interface marked NOARP.
PR: 25006
MFC after: 2 weeks
2001-06-15 21:00:32 +00:00
Peter Wemm
215db1379e Fix a stack of KAME netinet6/in6.h warnings:
592: warning: `struct mbuf' declared inside parameter list
595: warning: `struct ifnet' declared inside parameter list
2001-06-15 00:37:27 +00:00
Hajimu UMEMOTO
3384154590 Sync with recent KAME.
This work was based on kame-20010528-freebsd43-snap.tgz and some
critical problem after the snap was out were fixed.
There are many many changes since last KAME merge.

TODO:
  - The definitions of SADB_* in sys/net/pfkeyv2.h are still different
    from RFC2407/IANA assignment because of binary compatibility
    issue.  It should be fixed under 5-CURRENT.
  - ip6po_m member of struct ip6_pktopts is no longer used.  But, it
    is still there because of binary compatibility issue.  It should
    be removed under 5-CURRENT.

Reviewed by:	itojun
Obtained from:	KAME
MFC after:	3 weeks
2001-06-11 12:39:29 +00:00
Jesper Skriver
96c2b04290 Make the default value of net.inet.ip.maxfragpackets and
net.inet6.ip6.maxfragpackets dependent on nmbclusters,
defaulting to nmbclusters / 4

Reviewed by:	bde
MFC after:	1 week
2001-06-10 11:04:10 +00:00
Peter Wemm
0978669829 "Fix" the previous initial attempt at fixing TUNABLE_INT(). This time
around, use a common function for looking up and extracting the tunables
from the kernel environment.  This saves duplicating the same function
over and over again.  This way typically has an overhead of 8 bytes + the
path string, versus about 26 bytes + the path string.
2001-06-08 05:24:21 +00:00
Jonathan Lemon
0a52f59c36 Move IPFilter into contrib. 2001-06-07 05:13:35 +00:00
Peter Wemm
4422746fdf Back out part of my previous commit. This was a last minute change
and I botched testing.  This is a perfect example of how NOT to do
this sort of thing. :-(
2001-06-07 03:17:26 +00:00
Peter Wemm
81930014ef Make the TUNABLE_*() macros look and behave more consistantly like the
SYSCTL_*() macros.  TUNABLE_INT_DECL() was an odd name because it didn't
actually declare the int, which is what the name suggests it would do.
2001-06-06 22:17:08 +00:00
Jesper Skriver
65f28919b3 Silby's take one on increasing FreeBSD's resistance to SYN floods:
One way we can reduce the amount of traffic we send in response to a SYN
flood is to eliminate the RST we send when removing a connection from
the listen queue.  Since we are being flooded, we can assume that the
majority of connections in the queue are bogus.  Our RST is unwanted
by these hosts, just as our SYN-ACK was.  Genuine connection attempts
will result in hosts responding to our SYN-ACK with an ACK packet.  We
will automatically return a RST response to their ACK when it gets to us
if the connection has been dropped, so the early RST doesn't serve the
genuine class of connections much.  In summary, we can reduce the number
of packets we send by a factor of two without any loss in functionality
by ensuring that RST packets are not sent when dropping a connection
from the listen queue.

Submitted by:	Mike Silbersack <silby@silby.com>
Reviewed by:	jesper
MFC after:	2 weeks
2001-06-06 19:41:51 +00:00
Brian Somers
f987e1bd0f Add BSD-style copyright headers
Approved by: Charles Mott <cmott@scientech.com>
2001-06-04 15:09:51 +00:00
Brian Somers
888b1a7aa5 Change to a standard BSD-style copyright
Approved by:	Atsushi Murai <amurai@spec.co.jp>
2001-06-04 14:52:17 +00:00
Jesper Skriver
690a6055ff Prevent denial of service using bogus fragmented IPv4 packets.
A attacker sending a lot of bogus fragmented packets to the target
(with different IPv4 identification field - ip_id), may be able
to put the target machine into mbuf starvation state.

By setting a upper limit on the number of reassembly queues we
prevent this situation.

This upper limit is controlled by the new sysctl
net.inet.ip.maxfragpackets which defaults to 200,
as the IPv6 case, this should be sufficient for most
systmes, but you might want to increase it if you have
lots of TCP sessions.
I'm working on making the default value dependent on
nmbclusters.

If you want old behaviour (no upper limit) set this sysctl
to a negative value.

If you don't want to accept any fragments (not recommended)
set the sysctl to 0 (zero).

Obtained from:	NetBSD
MFC after:	1 week
2001-06-03 23:33:23 +00:00
Kris Kennaway
64dddc1872 Add ``options RANDOM_IP_ID'' which randomizes the ID field of IP packets.
This closes a minor information leak which allows a remote observer to
determine the rate at which the machine is generating packets, since the
default behaviour is to increment a counter for each packet sent.

Reviewed by:    -net
Obtained from:  OpenBSD
2001-06-01 10:02:28 +00:00
David E. O'Brien
240ef84277 Back out jesper's 2001/05/31 14:58:11 PDT commit. It does not compile. 2001-06-01 09:51:14 +00:00
Jesper Skriver
2b1a209a17 Prevent denial of service using bogus fragmented IPv4 packets.
A attacker sending a lot of bogus fragmented packets to the target
(with different IPv4 identification field - ip_id), may be able
to put the target machine into mbuf starvation state.

By setting a upper limit on the number of reassembly queues we
prevent this situation.

This upper limit is controlled by the new sysctl
net.inet.ip.maxfragpackets which defaults to NMBCLUSTERS/4

If you want old behaviour (no upper limit) set this sysctl
to a negative value.

If you don't want to accept any fragments (not recommended)
set the sysctl to 0 (zero)

Obtained from:	NetBSD (partially)
MFC after:	1 week
2001-05-31 21:57:29 +00:00
Jesper Skriver
7ceb778366 Disable rfc1323 and rfc1644 TCP extensions if we havn't got
any response to our third SYN to work-around some broken
terminal servers (most of which have hopefully been retired)
that have bad VJ header compression code which trashes TCP
segments containing unknown-to-them TCP options.

PR:		kern/1689
Submitted by:	jesper
Reviewed by:	wollman
MFC after:	2 weeks
2001-05-31 19:24:49 +00:00
Ruslan Ermilov
79ec1c507a Add an integer field to keep protocol-specific flags with links.
For FTP control connection, keep the CRLF end-of-line termination
status in there.

Fixed the bug when the first FTP command in a session was ignored.

PR:		24048
MFC after:	1 week
2001-05-30 14:24:35 +00:00
Jesper Skriver
e4b6428171 Inline TCP_REASS() in the single location where it's used,
just as OpenBSD and NetBSD has done.

No functional difference.

MFC after:	2 weeks
2001-05-29 19:54:45 +00:00
Jesper Skriver
853be1226e properly delay acks in half-closed TCP connections
PR:	24962
Submitted by:	Tony Finch <dot@dotat.at>
MFC after:	2 weeks
2001-05-29 19:51:45 +00:00
Ruslan Ermilov
9185426827 In in_ifadown(), differentiate between whether the interface goes
down or interface address is deleted.  Only delete static routes
in the latter case.

Reported by:	Alexander Leidinger <Alexander@leidinger.net>
2001-05-11 14:37:34 +00:00
Mark Murray
fb919e4d5a Undo part of the tangle of having sys/lock.h and sys/mutex.h included in
other "system" header files.

Also help the deprecation of lockmgr.h by making it a sub-include of
sys/lock.h and removing sys/lockmgr.h form kernel .c files.

Sort sys/*.h includes where possible in affected files.

OK'ed by:	bde (with reservations)
2001-05-01 08:13:21 +00:00
Jesper Skriver
d1745f454d Say goodbye to TCP_COMPAT_42
Reviewed by:	wollman
Requested by:	wollman
2001-04-20 11:58:56 +00:00
Kris Kennaway
f0a04f3f51 Randomize the TCP initial sequence numbers more thoroughly.
Obtained from:	OpenBSD
Reviewed by:	jesper, peter, -developers
2001-04-17 18:08:01 +00:00
Darren Reed
454a43c1f1 fix security hole created by fragment cache 2001-04-06 15:52:28 +00:00
Bill Fumerola
0901f62e11 pipe/queue are the only consumers of flow_id, so only set it in those cases 2001-04-06 06:52:25 +00:00
Jesper Skriver
b77d155dd3 MFC candidate.
Change code from PRC_UNREACH_ADMIN_PROHIB to PRC_UNREACH_PORT for
ICMP_UNREACH_PROTOCOL and ICMP_UNREACH_PORT

And let TCP treat PRC_UNREACH_PORT like PRC_UNREACH_ADMIN_PROHIB

This should fix the case where port unreachables for udp returned
ENETRESET instead of ECONNREFUSED

Problem found by:	Bill Fenner <fenner@research.att.com>
Reviewed by:		jlemon
2001-03-28 14:13:19 +00:00
Ruslan Ermilov
4a558355e5 MAN[1-9] -> MAN. 2001-03-27 17:27:19 +00:00
Yaroslav Tykhiy
4cbc8ad1bb Add a missing m_pullup() before a mtod() in in_arpinput().
PR: kern/22177
Reviewed by: wollman
2001-03-27 12:34:58 +00:00
Hidetoshi Shimokawa
110a013333 Replace dyn_fin_lifetime with dyn_ack_lifetime for half-closed state.
Half-closed state could last long for some connections and fin_lifetime
(default 20sec) is too short for that.

OK'ed by: luigi
2001-03-27 05:28:30 +00:00
Poul-Henning Kamp
f83880518b Send the remains (such as I have located) of "block major numbers" to
the bit-bucket.
2001-03-26 12:41:29 +00:00
Brian Somers
71593f95e0 Make header files conform to style(9).
Reviewed by (*): bde

(*) alias_local.h only got a cursory glance.
2001-03-25 12:05:10 +00:00
Brian Somers
adad9908fa Remove an extraneous declaration. 2001-03-25 03:34:29 +00:00
Hajimu UMEMOTO
2da24fa6e9 IPv4 address is not unsigned int. This change introduces in_addr_t.
PR:		9982
Adviced by:	des
Reviewed by:	-alpha and -net (no objection)
Obtained from:	OpenBSD
2001-03-23 18:59:31 +00:00
Brian Somers
30fcf11451 Remove (non-protected) variable names from function prototypes. 2001-03-22 11:55:26 +00:00
Paul Richards
1789d85615 Only flush rules that have a rule number above that set by a new
sysctl, net.inet.ip.fw.permanent_rules.

This allows you to install rules that are persistent across flushes,
which is very useful if you want a default set of rules that
maintains your access to remote machines while you're reconfiguring
the other rules.

Reviewed by:	Mark Murray <markm@FreeBSD.org>
2001-03-21 08:19:31 +00:00
Dag-Erling Smørgrav
c59319bf1a Axe TCP_RESTRICT_RST. It was never a particularly good idea except for a few
very specific scenarios, and now that we have had net.inet.tcp.blackhole for
quite some time there is really no reason to use it any more.

(last of three commits)
2001-03-19 22:09:00 +00:00
Ruslan Ermilov
1e3d5af041 Invalidate cached forwarding route (ipforward_rt) whenever a new route
is added to the routing table, otherwise we may end up using the wrong
route when forwarding.

PR:		kern/10778
Reviewed by:	silence on -net
2001-03-19 09:16:16 +00:00
Ruslan Ermilov
4078ffb154 Make sure the cached forwarding route (ipforward_rt) is still up before
using it.  Not checking this may have caused the wrong IP address to be
used when processing certain IP options (see example below).  This also
caused the wrong route to be passed to ip_output() when forwarding, but
fortunately ip_output() is smart enough to detect this.

This example demonstrates the wrong behavior of the Record Route option
observed with this bug.  Host ``freebsd'' is acting as the gateway for
the ``sysv''.

1. On the gateway, we add the route to the destination.  The new route
   will use the primary address of the loopback interface, 127.0.0.1:

:  freebsd# route add 10.0.0.66 -iface lo0 -reject
:  add host 10.0.0.66: gateway lo0

2. From the client, we ping the destination.  We see the correct replies.
   Please note that this also causes the relevant route on the ``freebsd''
   gateway to be cached in ipforward_rt variable:

:  sysv# ping -snv 10.0.0.66
:  PING 10.0.0.66: 56 data bytes
:  ICMP Host Unreachable from gateway 192.168.0.115
:  ICMP Host Unreachable from gateway 192.168.0.115
:  ICMP Host Unreachable from gateway 192.168.0.115
:
:  ----10.0.0.66 PING Statistics----
:  3 packets transmitted, 0 packets received, 100% packet loss

3. On the gateway, we delete the route to the destination, thus making
   the destination reachable through the `default' route:

:  freebsd# route delete 10.0.0.66
:  delete host 10.0.0.66

4. From the client, we ping destination again, now with the RR option
   turned on.  The surprise here is the 127.0.0.1 in the first reply.
   This is caused by the bug in ip_rtaddr() not checking the cached
   route is still up befor use.  The debug code also shows that the
   wrong (down) route is further passed to ip_output().  The latter
   detects that the route is down, and replaces the bogus route with
   the valid one, so we see the correct replies (192.168.0.115) on
   further probes:

:  sysv# ping -snRv 10.0.0.66
:  PING 10.0.0.66: 56 data bytes
:  64 bytes from 10.0.0.66: icmp_seq=0. time=10. ms
:    IP options:  <record route> 127.0.0.1, 10.0.0.65, 10.0.0.66,
:                                192.168.0.65, 192.168.0.115, 192.168.0.120,
:                                0.0.0.0(Current), 0.0.0.0, 0.0.0.0
:  64 bytes from 10.0.0.66: icmp_seq=1. time=0. ms
:    IP options:  <record route> 192.168.0.115, 10.0.0.65, 10.0.0.66,
:                                192.168.0.65, 192.168.0.115, 192.168.0.120,
:                                0.0.0.0(Current), 0.0.0.0, 0.0.0.0
:  64 bytes from 10.0.0.66: icmp_seq=2. time=0. ms
:    IP options:  <record route> 192.168.0.115, 10.0.0.65, 10.0.0.66,
:                                192.168.0.65, 192.168.0.115, 192.168.0.120,
:                                0.0.0.0(Current), 0.0.0.0, 0.0.0.0
:
:  ----10.0.0.66 PING Statistics----
:  3 packets transmitted, 3 packets received, 0% packet loss
:  round-trip (ms)  min/avg/max = 0/3/10
2001-03-18 13:04:07 +00:00
Poul-Henning Kamp
462b86fe91 <sys/queue.h> makeover. 2001-03-16 20:00:53 +00:00
Poul-Henning Kamp
ccd6f42dc9 Fix a style(9) nit. 2001-03-16 19:36:23 +00:00
Ruslan Ermilov
089cdfad78 net/route.c:
A route generated from an RTF_CLONING route had the RTF_WASCLONED flag
  set but did not have a reference to the parent route, as documented in
  the rtentry(9) manpage.  This prevented such routes from being deleted
  when their parent route is deleted.

  Now, for example, if you delete an IP address from a network interface,
  all ARP entries that were cloned from this interface route are flushed.

  This also has an impact on netstat(1) output.  Previously, dynamically
  created ARP cache entries (RTF_STATIC flag is unset) were displayed as
  part of the routing table display (-r).  Now, they are only printed if
  the -a option is given.

netinet/in.c, netinet/in_rmx.c:

  When address is removed from an interface, also delete all routes that
  point to this interface and address.  Previously, for example, if you
  changed the address on an interface, outgoing IP datagrams might still
  use the old address.  The only solution was to delete and re-add some
  routes.  (The problem is easily observed with the route(8) command.)

  Note, that if the socket was already bound to the local address before
  this address is removed, new datagrams generated from this socket will
  still be sent from the old address.

PR:		kern/20785, kern/21914
Reviewed by:	wollman (the idea)
2001-03-15 14:52:12 +00:00
Ruslan Ermilov
206a3274ef RFC768 (UDP) requires that "if the computed checksum is zero, it
is transmitted as all ones".  This got broken after introduction
of delayed checksums as follows.  Some guys (including Jonathan)
think that it is allowed to transmit all ones in place of a zero
checksum for TCP the same way as for UDP.  (The discussion still
takes place on -net.)  Thus, the 0 -> 0xffff checksum fixup was
first moved from udp_output() (see udp_usrreq.c, 1.64 -> 1.65)
to in_cksum_skip() (see sys/i386/i386/in_cksum.c, 1.17 -> 1.18,
INVERT expression).  Besides that I disagree that it is valid for
TCP, there was no real problem until in_cksum.c,v 1.20, where the
in_cksum() was made just a special version of in_cksum_skip().
The side effect was that now every incoming IP datagram failed to
pass the checksum test (in_cksum() returned 0xffff when it should
actually return zero).  It was fixed next day in revision 1.21,
by removing the INVERT expression.  The latter also broke the
0 -> 0xffff fixup for UDP checksums.

Before this change:
: tcpdump: listening on lo0
: 127.0.0.1.33005 > 127.0.0.1.33006:  udp 0 (ttl 64, id 1)
:                          4500 001c 0001 0000 4011 7cce 7f00 0001
:                          7f00 0001 80ed 80ee 0008 0000

After this change:
: tcpdump: listening on lo0
: 127.0.0.1.33005 > 127.0.0.1.33006:  udp 0 (ttl 64, id 1)
:                          4500 001c 0001 0000 4011 7cce 7f00 0001
:                          7f00 0001 80ed 80ee 0008 ffff
2001-03-13 17:07:06 +00:00
Ruslan Ermilov
fb9aaba000 Count and show incoming UDP datagrams with no checksum. 2001-03-13 13:26:06 +00:00
Poul-Henning Kamp
503d3c0277 Correctly cleanup in case of failure to bind a pcb.
PR:		25751
Submitted by:	<unicorn@Forest.Od.UA>
2001-03-12 21:53:23 +00:00