Commit Graph

833 Commits

Author SHA1 Message Date
Geoff Rehmet
2e4e1b4c31 Slight tweak to tcp.blackhole to add optional behaviour to
drop any segment arriving at a closed port.
tcp.blackhole=1 - only drop SYN without RST
tcp.blackhole=2 - drop everything without RST
tcp.blackhole=0 - always send RST - default behaviour

This confuses nmap -sF or -sX or -sN quite badly.
1999-08-18 15:40:05 +00:00
Bill Fumerola
ed8bcdec67 Fix a printf() formatter to match its variable.
Reviewed by:	bde, luigi
1999-08-17 22:10:00 +00:00
Geoff Rehmet
16f7f31f04 Add net.inet.tcp.blackhole and net.inet.udp.blackhole
sysctl knobs.

With these knobs on, refused connection attempts are dropped
without sending a RST, or Port unreachable in the UDP case.
In the TCP case, sending of RST is inhibited iff the incoming
segment was a SYN.

Docs and rc.conf settings to follow.
1999-08-17 12:17:53 +00:00
Mike Pritchard
74804d58a0 Various man page cleanup:
- Sort xrefs
- FreeBSD.ORG -> FreeBSD.org
- Be consistent with section names as outlines in mdoc(7)
- Other misc mdoc cleanup.

PR:		doc/13144
Submitted by:	Alexy M. Zelkin <phantom@cris.net>
1999-08-15 09:51:25 +00:00
Luigi Rizzo
772759420f Implement probabilistic rule match in ipfw. Each rule can be associated
with a match probability to achieve non-deterministic behaviour of
the firewall. This can be extremely useful for testing purposes
such as simulating random packet drop without having to use dummynet
(which already does the same thing), and simulating multipath effects
and the associated out-of-order delivery (this time in conjunction
with dummynet).

The overhead on normal rules is just one comparison with 0.

Since it would have been trivial to implement this by just adding
a field to the ip_fw structure, I decided to do it in a
backward-compatible way (i.e. struct ip_fw is unchanged, and as a
consequence you don't need to recompile ipfw if you don't want to
use this feature), since this was also useful for -STABLE.

When, at some point, someone decides to change struct ip_fw, please
add a length field and a version number at the beginning, so userland
apps can keep working even if they are out of sync with the kernel.
1999-08-11 15:34:47 +00:00
Luigi Rizzo
706aa7f870 Add spl() protection to remove that the timer is invoked multiple
times resulting in higher bandwidth and lower delays.
Reported-by: Jamshid Madhavi
1999-08-11 14:37:58 +00:00
Dag-Erling Smørgrav
18d3153ead Add net.inet.icmp.log_redirect and net.inet.icmp.drop_redirect, for
respectively logging and dropping ICMP REDIRECT packets.

Note that there is no rate limiting on the log messages, so log_redirect
should be used with caution (preferrably only for debugging purposes).
1999-08-10 09:45:33 +00:00
Brian Feldman
0b6c1a832d Make ipfw's logging more dynamic. Now, log will use the default limit
_or_ you may specify "log logamount number" to set logging specifically
the rule.
   In addition, "ipfw resetlog" has been added, which will reset the
logging counters on any/all rule(s). ipfw resetlog does not affect
the packet/byte counters (as ipfw reset does), and is the only "set"
command that can be run at securelevel >= 3.
   This should address complaints about not being able to set logging
amounts, not being able to restart logging at a high securelevel,
and not being able to just reset logging without resetting all of the
counters in a rule.
1999-08-01 16:57:24 +00:00
Brian Feldman
7558f6aad9 8 -> NBBy 1999-07-28 22:27:27 +00:00
Brian Feldman
f8075bf9b3 Correct a really gross comment format. 1999-07-28 22:22:57 +00:00
Jonathan M. Bresler
e9bd3a37e8 fix comment re: RST received in TIME_WAIT to match the code. 1999-07-18 14:42:48 +00:00
Brian Feldman
24ad8fe519 Correct a mistake in so_cred changes. In practice, I don't think that it
would make a difference. However, my previous diff _did_ change the
behavior in some way (not necessarily break it), so I'm fixing it.

Found by:	bde
Submitted by:	bde
1999-07-12 18:58:23 +00:00
Brian Feldman
490d50b60a Two new sysctls: net.inet.tcp.getcred and net.inet.udp.getcred. These take
a sockaddr_in[2] (local, then remote) and return a struct ucred. Example
code for these is at:
	http://www.FreeBSD.org/~green/inetd_ident.patch
	http://www.FreeBSD.org/~green/freebsd4.c (for pidentd)

Reviewed by:	bde
1999-07-11 18:32:46 +00:00
Mike Smith
35ec852af5 Use the new tunable macros for the net.inet.tcp.tcbhashsize tunable. 1999-07-05 08:46:55 +00:00
Pierre Beyssac
5a903f8d73 In in_pcbconnect(), check the return value from in_pcbbind() and
exit on errors.

If we don't, in_pcbrehash() is called without a preceeding
in_pcbinshash(), causing a crash.

There are apparently several conditions that could cause the crash;
PR misc/12256 is only one of these.

PR:		misc/12256
1999-06-25 23:46:47 +00:00
Brian Somers
0622eafc89 Don't get caught in an infinite recursion when PKT_ALIAS_REVERSE
is set.
Document PKT_ALIAS_REVERSE.

Pointed out by:	Jonathan Hanna <jh@cr1003333-a.crdva1.bc.home.com>
PR:		12304
1999-06-22 11:20:03 +00:00
Brian Feldman
7a2aab80b0 This is the much-awaited cleaned up version of IPFW [ug]id support.
All relevant changes have been made (including ipfw.8).
1999-06-19 18:43:33 +00:00
Brian Feldman
ebe119ae6c Add RCS strings to kernel ipfilter files. 1999-06-19 11:35:41 +00:00
Brian Feldman
e214816bfc This should fix ipfilter for everyone it was broken for. CDEV_MAJOR is _not_
-1.

Noticed by: users on freebsd-current
1999-06-19 02:54:04 +00:00
Brian Feldman
f29be02190 Reviewed by: the cast of thousands
This is the change to struct sockets that gets rid of so_uid and replaces
it with a much more useful struct pcred *so_cred. This is here to be able
to do socket-level credential checks (i.e. IPFW uid/gid support, to be added
to HEAD soon). Along with this comes an update to pidentd which greatly
simplifies the code necessary to get a uid from a socket. Soon to come:
a sysctl() interface to finding individual sockets' credentials.
1999-06-17 23:54:50 +00:00
Tor Egge
23fc6cddce Close a race window where a tcp socket is closed while tcp_pcblist is
copying out tcp socket info, causing a NULL pointer to be dereferenced.
1999-06-16 19:05:17 +00:00
Ruslan Ermilov
adbdafc6b2 Don't accept divert/tee/pipe rules without corresponding option.
PR:		10324
Reviewed by:	luigi
1999-06-11 11:27:35 +00:00
Peter Wemm
9c9906e912 Plug a mbuf leak in tcp_usr_send(). pru_send() routines are expected
to either enqueue or free their mbuf chains, but tcp_usr_send() was
dropping them on the floor if the tcpcb/inpcb has been torn down in the
middle of a send/write attempt.  This has been responsible for a wide
variety of mbuf leak patterns, ranging from slow gradual leakage to rather
rapid exhaustion.  This has been a problem since before 2.2 was branched
and appears to have been fixed in rev 1.16 and lost in 1.23/1.28.

Thanks to Jayanth Vijayaraghavan <jayanth@yahoo-inc.com> for checking
(extensively) into this on a live production 2.2.x system and that it
was the actual cause of the leak and looks like it fixes it.  The machine
in question was loosing (from memory) about 150 mbufs per hour under
load and a change similar to this stopped it.  (Don't blame Jayanth
for this patch though)

An alternative approach to this would be to recheck SS_CANTSENDMORE etc
inside the splnet() right before calling pru_send() after all the potential
sleeps, interrupts and delays have happened.  However, this would mean
exposing knowledge of the tcp stack's reset handling and removal of the
pcb to the generic code.  There are other things that call pru_send()
directly though.

Problem originally noted by:  John Plevyak <jplevyak@inktomi.com>
1999-06-04 02:27:06 +00:00
Poul-Henning Kamp
2447bec829 Simplify cdevsw registration.
The cdevsw_add() function now finds the major number(s) in the
struct cdevsw passed to it.  cdevsw_add_generic() is no longer
needed, cdevsw_add() does the same thing.

cdevsw_add() will print an message if the d_maj field looks bogus.

Remove nblkdev and nchrdev variables.  Most places they were used
bogusly.  Instead check a dev_t for validity by seeing if devsw()
or bdevsw() returns NULL.

Move bdevsw() and devsw() functions to kern/kern_conf.c

Bump __FreeBSD_version to 400006

This commit removes:
        72 bogus makedev() calls
        26 bogus SYSINIT functions

if_xe.c bogusly accessed cdevsw[], author/maintainer please fix.

I4b and vinum not changed.  Patches emailed to authors.  LINT
probably broken until they catch up.
1999-05-31 11:29:30 +00:00
Poul-Henning Kamp
4e2f199e0c This commit should be a extensive NO-OP:
Reformat and initialize correctly all "struct cdevsw".

        Initialize the d_maj and d_bmaj fields.

        The d_reset field was not removed, although it is never used.

I used a program to do most of this, so all the files now use the
same consistent format.  Please keep it that way.

Vinum and i4b not modified, patches emailed to respective authors.
1999-05-30 16:53:49 +00:00
David Greenman
9a039a5fec Added net.inet.tcp.path_mtu_discovery variable which when set to 0
(default 1) disables PMTUD globally. Although PMTUD can be disabled in
the standard case by locking the MTU on a static route (including the
default route), this method doesn't work in the face of dynamic routing
protocols like gated.
1999-05-27 12:24:21 +00:00
David Greenman
afed137543 Made net.inet.ip.intr_queue_maxlen writeable. 1999-05-27 12:20:33 +00:00
Luigi Rizzo
e142fadecb close pr 10889:
+ add a missing call to dn_rule_delete() when flushing firewall
  rules, thus preventing possible panics due to dangling pointers
  (this was already done for single rule deletes).
+ improve "usage" output in ipfw(8)
+ add a few checks to ipfw pipe parameters and make it a bit more
  tolerant of common mistakes (such as specifying kbit instead of Kbit)

PR: kern/10889
Submitted by: Ruslan Ermilov
1999-05-24 10:01:22 +00:00
Brian Somers
6961f3da13 brucify
Mentioned by: sprice@hiwaay.net
1999-05-23 13:52:05 +00:00
Eivind Eklund
5164f52665 Make incoming packets work as keepalives, too. This should fix problems
for some games.

Notified of problem by:	tim@turbinegames.com
1999-05-20 20:20:24 +00:00
Peter Wemm
e2bd2a1bb7 "fix" warning. This still needs to be kld-ified some day (or removed). 1999-05-11 16:07:16 +00:00
Peter Wemm
ecbc643aca Pre-declare struct proc to avoid 'inside param list' warnings. 1999-05-08 14:28:52 +00:00
Peter Wemm
bb6f0e396b Fix two warnings; and note a problem where a pointer is stored in an
int variable - this can't work on an Alpha.
1999-05-06 22:08:57 +00:00
Peter Wemm
dfd5dee1b0 Add sufficient braces to keep egcs happy about potentially ambiguous
if/else nesting.
1999-05-06 18:13:11 +00:00
Luigi Rizzo
eaa726bed6 Free the dummynet descriptor in ip_dummynet, not in the called
routines. The descriptor contains parameters which could be used
within those routines (eg. ip_output() ).

On passing, add IPPROTO_PGM entry to netinet/in.h
1999-05-04 16:20:33 +00:00
Brian Somers
f1dfc9571e Add missing ``.''. 1999-05-04 10:56:13 +00:00
Luigi Rizzo
a7c219496c forgot passing the right pointer to dst to dummynet_io().
(-stable and releng2 were already safe).
Debugged-By: phk
1999-05-04 09:26:12 +00:00
Luigi Rizzo
44f1bb1a55 assorted dummynet cleanup:
+ plug an mbuf leak when dummynet used with bridging
 + make prototype of dummynet_io consistent with usage
 + code cleanup so that now bandwidth regulation is precise to the
   bit/s and not to (8*HZ) bit/s as before.
1999-05-04 07:30:08 +00:00
Bill Fumerola
3d177f465a Add sysctl descriptions to many SYSCTL_XXXs
PR:		kern/11197
Submitted by:	Adrian Chadd <adrian@FreeBSD.org>
Reviewed by:	billf(spelling/style/minor nits)
Looked at by:	bde(style)
1999-05-03 23:57:32 +00:00
Poul-Henning Kamp
75c1354190 This Implements the mumbled about "Jail" feature.
This is a seriously beefed up chroot kind of thing.  The process
is jailed along the same lines as a chroot does it, but with
additional tough restrictions imposed on what the superuser can do.

For all I know, it is safe to hand over the root bit inside a
prison to the customer living in that prison, this is what
it was developed for in fact:  "real virtual servers".

Each prison has an ip number associated with it, which all IP
communications will be coerced to use and each prison has its own
hostname.

Needless to say, you need more RAM this way, but the advantage is
that each customer can run their own particular version of apache
and not stomp on the toes of their neighbors.

It generally does what one would expect, but setting up a jail
still takes a little knowledge.

A few notes:

   I have no scripts for setting up a jail, don't ask me for them.

   The IP number should be an alias on one of the interfaces.

   mount a /proc in each jail, it will make ps more useable.

   /proc/<pid>/status tells the hostname of the prison for
   jailed processes.

   Quotas are only sensible if you have a mountpoint per prison.

   There are no privisions for stopping resource-hogging.

   Some "#ifdef INET" and similar may be missing (send patches!)

If somebody wants to take it from here and develop it into
more of a "virtual machine" they should be most welcome!

Tools, comments, patches & documentation most welcome.

Have fun...

Sponsored by:   http://www.rndassociates.com/
Run for almost a year by:       http://www.servetheweb.com/
1999-04-28 11:38:52 +00:00
Dmitrij Tejblum
604359cf9b s/static foo_devsw_installed = 0;/static int foo_devsw_installed;/.
(Edited automatically)
1999-04-28 10:54:24 +00:00
Poul-Henning Kamp
f711d546d2 Suser() simplification:
1:
  s/suser/suser_xxx/

2:
  Add new function: suser(struct proc *), prototyped in <sys/proc.h>.

3:
  s/suser_xxx(\([a-zA-Z0-9_]*\)->p_ucred, \&\1->p_acflag)/suser(\1)/

The remaining suser_xxx() calls will be scrutinized and dealt with
later.

There may be some unneeded #include <sys/cred.h>, but they are left
as an exercise for Bruce.

More changes to the suser() API will come along with the "jail" code.
1999-04-27 11:18:52 +00:00
Luigi Rizzo
1e83f7627b Make one pass through the firewall the default.
Multiple pass (which only affects dummynet) is too confusing.
1999-04-26 14:57:24 +00:00
Andrey A. Chernov
3879597f4f so_linger is in seconds, not in 1/HZ
PR: 11252
Submitted by: Martin Kammerhofer <dada@sbox.tu-graz.ac.at>
1999-04-24 18:25:35 +00:00
Dmitrij Tejblum
9d8da4723b Use pointer arithmetic as appropriate. 1999-04-24 13:23:48 +00:00
Luigi Rizzo
88a5354ece postpone the sending of IGMP LEAVE msg to after deleting the
mc address from the address list. The latter operation on some
hardware resets the card, potentially canceling the pending LEAVE
pkt.
1999-04-24 12:28:51 +00:00
Luoqi Chen
46d28b4462 Work around an egcs optimizer bug (i386). This should fix the active ftp
hang problem. A bug report has been sent to cygnus.
1999-04-21 21:28:01 +00:00
Peter Wemm
3a8e3ea548 s/IPFIREWALL_MODULE/KLD_MODULE/ 1999-04-20 14:29:59 +00:00
Peter Wemm
66e55756b5 Tidy up some stray / unused stuff in the IPFW package and friends.
- unifdef -DCOMPAT_IPFW  (this was on by default already)
- remove traces of in-kernel ip_nat package, it was never committed.
- Make IPFW and DUMMYNET initialize themselves rather than depend on
  compiled-in hooks in ip_init().  This means they initialize the same
  way both in-kernel and as kld modules.  (IPFW initializes now :-)
1999-04-20 13:32:06 +00:00
Peter Wemm
d95939af7a Zap LKM option and support. Farewell old friend. 1999-04-19 14:19:52 +00:00
Peter Wemm
a9013e8a77 Convert the dummynet lkm code to be kld aware (this isn't actually used
anywhere that I can see).
1999-04-17 11:09:08 +00:00
Peter Wemm
ffab0b4be1 Oops, forgot this part of lkm code that's been replaced with kld. 1999-04-17 08:56:38 +00:00
Eivind Eklund
243c4c6d7f Better handling for ARP/source routing on Token Ring
Submitted by:	Larry Lile <lile@stdio.com>
1999-04-15 17:58:24 +00:00
Eivind Eklund
66235db57f Staticize. 1999-04-11 02:50:42 +00:00
Julian Elischer
29089b519d Two cosmetic changes, one a typo and the other, a clarification. 1999-04-07 22:22:06 +00:00
Nick Sayer
a44e3914d5 Merge from RELENG_2_2, per luigi. Fixes the ntoh?() issue for the
firewall code when called from the bridge code.

PR:             10818
Submitted by:   nsayer
Obtained from:  luigi
1999-03-30 23:45:34 +00:00
Luigi Rizzo
6d41201fc5 Use the correct length from the mbuf header instead of the one from
the IP header (this would not work for bridged packets).
This has been fixed long ago in the 2.2 branch.

Problem noticed by: a few people
Fix suggested by: Remy Nonnenmacher
1999-03-26 14:15:59 +00:00
Brian Somers
42889ed1d5 PacketAliasProxyRule takes a const char *
Reminded by: bde
1999-03-25 06:48:05 +00:00
Brian Somers
942759e756 Add a ``const'' and remove some inconsistent prototype args. 1999-03-24 20:28:58 +00:00
Luigi Rizzo
efce68a2e9 add missing #include "opt_bdg.h" 1999-03-24 12:43:39 +00:00
Bill Fumerola
26bb956563 Remove duplicate line.
Reviewed by:	eivind
1999-03-23 23:01:15 +00:00
Luigi Rizzo
f0a53591ad Fix a dummynet bug caused by passing a bad next hop address (the
symptom was the msg "arp failure -- host is not on local network" that
some user have seen on multihomed machines.
Bug tracked down by Emmanuel Duros
1999-03-16 12:06:11 +00:00
Julian Elischer
ed1ff184f3 Fix the 'fwd' option to ipfw when asked to divert to another machine.
also rely less on other modules clearing static values, and clear them
in a few cases we missed before.
Submitted by: Matthew Reimer <mreimer@vpop.net>
1999-03-12 01:15:57 +00:00
Julian Elischer
fda82fc2b9 Submitted by: Larry Lile
Move the Olicom token ring driver to the officially sanctionned location of
/sys/contrib. Also fix some brokenness in the generic token ring support.

Be warned that if_dl.h has been changed and SOME programs might
like recompilation.
1999-03-10 10:11:43 +00:00
Brian Somers
4c32f5d217 Remove all diagnostics to stdout/stderr with #ifdef DEBUG
Statify functions in alias_nbt.c
1999-03-09 23:44:00 +00:00
Brian Somers
164928d385 Document PacketAliasPptp() and allow it to be disabled
by passing INADDR_NONE.
1999-03-07 18:13:23 +00:00
Brian Somers
b862eda467 Remove unused function stubs. 1999-03-07 15:36:58 +00:00
Brian Somers
ac8e3334de Mention that PacketAliasProxyRule() doesn't accept host names,
just IP numbers.
1999-03-07 15:02:22 +00:00
Archie Cobbs
94446a2ed6 When an incoming packet is reflected back as an ICMP reply, make sure we
zero "m->m_pkthdr.rcvif", otherwise ipfw may wrongly match the outgoing packet.
PR:		kern/9723
Submitted by:	David Malone <dwmalone@maths.tcd.ie>
1999-03-06 23:10:42 +00:00
Brian Somers
619d1a30a1 Document PacketAliasProxyRule() and fix a typo. 1999-03-06 21:58:43 +00:00
Garrett Wollman
4022a21d8b Move kernel-only declaration inside #ifdef KERNEL section. 1999-03-06 04:51:41 +00:00
Bill Paul
51e1b50529 arprequest() allocates an mbuf with m_gethdr() but does not initialize
m->m_pkthdr.rcvif to NULL. Bad arprequest(). No biscuit.
1999-03-04 04:03:57 +00:00
Brian Somers
7d96f4efd2 Version 3.0: January 1, 1999
- Transparent proxying support added.
    - PPTP redirecting support added based on patches
      contributed by Dru Nelson <dnelson@redwoodsoft.com>.

Submitted by: Charles Mott <cmott@srv.net>
1999-02-27 02:16:01 +00:00
Dag-Erling Smørgrav
1b968362aa Add support for stealth forwarding (forwarding packets without touching
their ttl). This can be used - in combination with the proper ipfw
incantations - to make a firewall or router invisible to traceroute
and other exploration tools.

This behaviour is controlled by a sysctl variable (net.inet.ip.stealth)
and hidden behind a kernel option (IPSTEALTH).

Reviewed by:	eivind, bde
1999-02-22 18:19:57 +00:00
Julian Elischer
722012cc0c World, I'd like you to meet the first FreeBSD token Ring driver.
This  is for various Olicom cards. An IBM driver is following.
This patch also adds support to tcpdump to decode packets on tokenring.
Congratulations to the proud father.. (below)

Submitted by:	Larry Lile <lile@stdio.com>
1999-02-20 11:18:00 +00:00
Luigi Rizzo
17458d3570 avoid panic with pkts larger than MTU and DF set coming out of a pipe. 1999-02-19 18:32:55 +00:00
Doug Rabson
ce02431ffa * Change sysctl from using linker_set to construct its tree using SLISTs.
This makes it possible to change the sysctl tree at runtime.

* Change KLD to find and register any sysctl nodes contained in the loaded
  file and to unregister them when the file is unloaded.

Reviewed by: Archie Cobbs <archie@whistle.com>,
	Peter Wemm <peter@netplex.com.au> (well they looked at it anyway)
1999-02-16 10:49:55 +00:00
Garrett Wollman
cc766e041e After wading in the cesspool of ip_input for an hour, I have managed to
convince myself that nothing will break if we permit IP input while
interface addresses are unconfigured.  (At worst, they will hit some
ULP's PCB scan and fail if nobody is listening.)  So, remove the restriction
that addresses must be configured before packets can be input.  Assume
that any unicast packet we receive while unconfigured is potentially ours.
1999-02-09 16:55:46 +00:00
Julian Elischer
a0c091ad1d remove leftover garbage line. 1999-02-08 05:53:39 +00:00
Julian Elischer
b0935ca284 Fix for PR 9309.
Divert was not feeding clean data to ifa_ifwithaddr() so it was
giving bad results.
Submitted by: kseel <kseel@utcorp.com>, Ruslan Ermilov <ru@ucb.crimea.ua>
1999-02-08 05:48:46 +00:00
Bill Fenner
51b7b33769 Use snd_nxt, not rcv_nxt, when calculating the ISS during TIME_WAIT.
This was missed in the 4.4-Lite2 merge.

Noticed by:	Mohan Parthasarathy <Mohan.Parthasarathy@eng.Sun.COM> and
		jayanth@loc201.tandem.com (vijayaraghavan_jayanth)
		on the tcp-impl mailing list.
1999-02-06 00:47:45 +00:00
Mike Smith
ea95d6917a Nuke all the stupid ffs() stuff and use powerof2() instead.
Submitted by:	Bruce Evans <bde@zeta.org.au>
1999-02-04 03:27:43 +00:00
Mike Smith
609b6256fd Fix power-of-2 check for the TCB hash size.
Submitted by:	Brian Feldman <green@unixhelp.org>
1999-02-04 03:02:56 +00:00
Mike Smith
aa1458495d Make TCBHASHSIZE a boot-time tunable as well, taking its value from the
variable net.inet.tcp.tcbhashsize.

Requested by:	David Filo <filo@yahoo-inc.com>
1999-02-03 08:59:30 +00:00
Matthew Dillon
831a80b0d5 Fix warnings in preparation for adding -Wall -Wcast-qual to the
kernel compile
1999-01-27 22:42:27 +00:00
Archie Cobbs
85abbaa800 Move kernel-only declarations to within #ifdef KERNEL
Prompted by:	gcc warnings when compiling /sbin/ipfw
1999-01-23 23:59:50 +00:00
Garrett Wollman
92af003dd8 Don't forward unicast packets received via link-layer multicast.
Suggested by: fenner
Original complaint: Shiva Shenoy <Shiva.Shenoy@yagosys.com>
1999-01-22 16:50:45 +00:00
Bill Fenner
b0acefa8d4 Add a flag, passed to pru_send routines, PRUS_MORETOCOME. This
flag means that there is more data to be put into the socket buffer.
Use it in TCP to reduce the interaction between mbuf sizes and the
Nagle algorithm.

Based on:	"Justin C. Walker" <justin@apple.com>'s description of Apple's
		fix for this problem.
1999-01-20 17:32:01 +00:00
Bill Fenner
cc133fa302 Fix bug in last commit (la was used uninitialized if no route was passed in). 1999-01-19 23:17:03 +00:00
Bill Fenner
01b7c0826f Use dynamic memory allocation instead of mbuf's for multicast routing
state.

Note: this requires a recompilation of netstat (but netstat has been
broken since rev 1.52 of ip_mroute.c anyway)

Obtained from:	Significantly based on Steve McCanne's
		<mccanne@cs.berkeley.edu> work for BSD/OS
1999-01-18 02:06:59 +00:00
Bill Fenner
9bb02c7b92 Rename igmp's MALLOC; it doesn't have anything to do with multicast routing. 1999-01-18 01:56:31 +00:00
Bill Fenner
e7bc5f272b If arpresolve() gets passed a route with a null llinfo, call
arplookup() to try again.  This gets rid of at least one user's
 "arpresolve: can't allocate llinfo" errors, and arplookup() gives
 better error messages to help track down the problem if there really
 is a problem with the routing table.
1999-01-18 01:54:36 +00:00
Eivind Eklund
0189b9a1fd ... _and_ the (void*) casts for %p. Next, I'll forget my own name :-( 1999-01-12 16:43:52 +00:00
Eivind Eklund
e23c7d8612 Avoid unnecessary GCCism - I hadn't noticed the __unused macro. 1999-01-12 16:40:57 +00:00
Eivind Eklund
19e5ea73d0 * Print pointers using the correct type (%p) instead of %x.
* Use the correct type for timeout function.
* Add missing #include.
1999-01-12 12:27:54 +00:00
Eivind Eklund
dee383e043 Add #ifdef's to avoid unused label warning in some cases. 1999-01-12 12:25:00 +00:00
Eivind Eklund
ab54eac7a1 Remove unused statics. 1999-01-12 12:16:50 +00:00
Luigi Rizzo
4180488519 Add a missing bzero which could be the source of instability
problems reported recently (the rtentry pointer in the dummynet
queue was not initialized in all cases, resulting in spurious
rt_refcnt decreases in the lucky cases, and memory trashing in
other cases.
1999-01-11 11:08:07 +00:00
Luigi Rizzo
a1a2de5139 Remove check from where arp replies are coming from -- when doing bridging,
interfaces are used in clusters so the check does not apply.
1999-01-10 17:40:10 +00:00
Brian Somers
a2743da670 If we can't open alias.log, don't try to write to the
resulting NULL FILE *.
PR:	9403
1999-01-10 02:05:13 +00:00
Luigi Rizzo
cc277540ab Partial fix for when ipfw is used with bridging. Bridged packets
have all fields in network order, whereas ipfw expects some to be
in host order. This resulted in some incorrect matching, e.g. some
packets being identified as fragments, or bandwidth not being
correctly enforced.
NOTE: this only affects bridge+ipfw, normal ipfw usage was already
correct).

Reported-By: Dave Alden and others.
1998-12-31 07:43:29 +00:00
Luigi Rizzo
ea1f41f65f Remove some unused variables. 1998-12-31 07:35:49 +00:00
Luigi Rizzo
549db363a7 'ip_fw_head' and 'M_IPFW' are also used in ip_dummynet so cannot be
static...
Reported by: Dave Alden
1998-12-22 20:38:06 +00:00
Luigi Rizzo
af38c68c1e Recover from previous dummynet screwup 1998-12-21 22:40:54 +00:00
Luigi Rizzo
f0f6d6434d Restore 1.82->1.83 change deleted by mistake< per Bruce suggestion 1998-12-21 21:36:40 +00:00
Bill Fenner
0b6205feca Add missing "break"s to allow multicast routing to work.
Submitted by:	Amancio Hasty <hasty@rah.star-gate.com>
1998-12-16 18:07:11 +00:00
Luigi Rizzo
b715f178c6 Last bits (i think) of dummynet for -current. 1998-12-14 18:09:13 +00:00
Matthew Dillon
374fad8b17 Reviewed by: freebsd-current
Add bounds checking to netbios NS packet resolving code.  This should
    prevent natd from crashing on badly formed netbios packets (as might be
    heard when the machine is sitting on a cable modem or certain DSL
    networks), and also closes potential security holes that might have
    exploited the lack of bounds checking in the previous version of the
    code.
1998-12-14 02:25:32 +00:00
Matthew Dillon
4462d1a56f PR: kern/8990
If timer calculation results in degenerate value (0), force it to 1
    to avoid divide-by-zero panic later on in calls to IGMP_RANDOM_DELAY().
    I considered simply adding 1 to the timer calculation, but was unsure
    if the calculation was part of the IGMP standard or not so did not want
    to mess with it for all cases.
1998-12-12 21:45:49 +00:00
Archie Cobbs
f1d19042b0 The "easy" fixes for compiling the kernel -Wunused: remove unreferenced static
and local variables, goto labels, and functions declared but not defined.
1998-12-07 21:58:50 +00:00
Eivind Eklund
6572231d20 Clean up some pointer usage. 1998-12-07 05:41:10 +00:00
Archie Cobbs
2127f26023 Examine all occurrences of sprintf(), strcat(), and str[n]cpy()
for possible buffer overflow problems. Replaced most sprintf()'s
with snprintf(); for others cases, added terminating NUL bytes where
appropriate, replaced constants like "16" with sizeof(), etc.

These changes include several bug fixes, but most changes are for
maintainability's sake. Any instance where it wasn't "immediately
obvious" that a buffer overflow could not occur was made safer.

Reviewed by:	Bruce Evans <bde@zeta.org.au>
Reviewed by:	Matthew Dillon <dillon@apollo.backplane.com>
Reviewed by:	Mike Spengler <mks@networkcs.com>
1998-12-04 22:54:57 +00:00
Matthew Dillon
5fce7fc47f Cleanup icmp_var.h, make icmp bandlim sysctl permanent but if ICMP_BANDLIM
option not defined the sysctl int value is set to -1 and read-only.

    #ifdef KERNEL's added appropriately to wall off visibility of kernel
    routines from user code.
1998-12-04 04:21:25 +00:00
Matthew Dillon
a3e7459d60 Obtained from: "Andrey A. Chernov" <ache@nagual.pp.ru>
Quick add #ifdef KERNEL for ICMP_BANDLIM option so userland program
     can #include icmp_var.h
1998-12-04 03:49:18 +00:00
Matthew Dillon
51508de112 Reviewed by: freebsd-current
Add ICMP_BANDLIM option and 'net.inet.icmp.icmplim' sysctl.  If option
    is specified in kernel config, icmplim defaults to 100 pps.  Setting it
    to 0 will disable the feature.  This feature limits ICMP error responses
    for packets sent to bad tcp or udp ports, which does a lot to help the
    machine handle network D.O.S. attacks.

    The kernel will report packet rates that exceed the limit at a rate of
    one kernel printf per second.  There is one issue in regards to the
    'tail end' of an attack... the kernel will not output the last report
    until some unrelated and valid icmp error packet is return at some
    point after the attack is over.  This is a minor reporting issue only.
1998-12-03 20:23:21 +00:00
Eivind Eklund
29be051d68 Staticize some more. 1998-11-26 18:54:52 +00:00
John Polstra
b2052ac8cf Fix a couple of typos. 1998-11-19 18:07:28 +00:00
Doug Rabson
73c8631124 Remove stale references to ih_next and ih_prev.
Pointed out by: Roman V. Palagin <romanp@wuppy.rcs.ru>
1998-11-17 10:53:37 +00:00
Doug Rabson
7a94149e37 Make the previous fix more portable.
Requested by: bde
1998-11-16 08:27:36 +00:00
Guido van Rooij
d285db5598 The below patch helps to reduce the leakage of internal socket information
when a TCP "stealth" scan is directed at a *BSD box by ensuring the window
is 0 for all RST packets generated through tcp_respond()
Reviewed by:	Don Lewis <Don.Lewis@tsc.tdk.com>
Obtained from:	Bugtraq (from: Darren Reed <avalon@COOMBS.ANU.EDU.AU>)
1998-11-15 21:35:09 +00:00
Doug Rabson
48a39a495a Fix printf format errors on alpha. 1998-11-15 18:10:14 +00:00
Bruce Evans
c25ded316f Finished updating module event handlers to be compatible with
modeventhand_t.
1998-11-15 15:33:52 +00:00
David Greenman
9ec944bdb0 Be sure to pullup entire IP header when dealing with fragment packets. 1998-11-11 21:17:59 +00:00
Peter Wemm
1c5bb3eaa1 add #include <sys/kernel.h> where it's needed by MALLOC_DEFINE() 1998-11-10 09:16:29 +00:00
Doug Rabson
e3f0338ead Some optimisations to the fragment reassembly code.
Submitted by: Don Lewis <Don.Lewis@tsc.tdk.com>
1998-10-27 09:19:03 +00:00
Doug Rabson
afb3fdba7c Fix a bug in the new fragment reassembly code which was tickled by recieving
a fragment which wholly overlapped one or more existing fragments.

Submitted by: Don Lewis <Don.Lewis@tsc.tdk.com>
1998-10-27 09:11:41 +00:00
Peter Wemm
aa855a598d *gulp*. Jordan specifically OK'ed this..
This is the bulk of the support for doing kld modules.  Two linker_sets
were replaced by SYSINIT()'s.  VFS's and exec handlers are self registered.
kld is now a superset of lkm.  I have converted most of them, they will
follow as a seperate commit as samples.
This all still works as a static a.out kernel using LKM's.
1998-10-16 03:55:01 +00:00
Doug Rabson
e0dd9c3ed8 Dike out some obsolete defines which referenced ih_next and ih_prev from
struct ipovly (they don't exist anymore because they don't work when
pointers are 64bit).
1998-09-26 14:26:59 +00:00
Bill Fenner
52b65dbe85 Fix the bind security fix introduced in rev 1.38 to work with multicast:
- Don't bother checking for conflicting sockets if we're binding to a
  multicast address.
- Don't return an error if we're binding to INADDR_ANY, the conflicting
  socket is bound to INADDR_ANY, and the conflicting socket has SO_REUSEPORT
  set.

PR:		kern/7713
1998-09-17 18:42:16 +00:00
Bill Fenner
dd9b6dde89 Prevent modification of permanent ARP entries (PR kern/7649)
Ignore ARP replies from the wrong interface (discussion on mailing list)
Add interface name to a couple of error messages
1998-09-17 00:04:21 +00:00
Joseph Koshy
61a4defd54 Turn off replies to ICMP echo requests for broadcast and multicast
addresses by default.

Add a knob "icmp_bmcastecho" to "rc.network" to allow this
behaviour to be controlled from "rc.conf".

Document the controlling sysctl variable "net.inet.icmp.bmcastecho"
in sysctl(3).

Reviewed by: dg, jkh
Reminded on -hackers by: Steinar Haug <sthaug@nethelp.no>
1998-09-15 10:49:03 +00:00
Luigi Rizzo
2655eb498f Bring in new files for dummynet support 1998-09-12 22:03:21 +00:00
Garrett Wollman
80ab7c0ed8 Fix RST validation.
PR:		7892
Submitted by:	Don.Lewis@tsc.tdk.com
1998-09-11 16:04:03 +00:00
Doug Rabson
945aa40deb Ensure that m_nextpkt is set to NULL after reassembling fragments. 1998-09-10 08:56:40 +00:00
Poul-Henning Kamp
19ddafa3b3 RFC 1644 has the status "Experimental Protocol", which means:
4.1.4.  Experimental Protocol

      A system should not implement an experimental protocol unless it
      is participating in the experiment and has coordinated its use of
      the protocol with the developer of the protocol.

Pointed out by:	Steinar Haug <sthaug@nethelp.no>
1998-09-06 08:17:35 +00:00
Poul-Henning Kamp
67a895f650 Widen and change the layout of the IPFW structures flag element.
This will allow us to add dummynet to 3.0

Recompile /sbin/ipfw AND your kernel.
1998-09-02 19:14:01 +00:00
Garrett Wollman
db028362a0 Properly fragment multicast packets.
PR: 7802
Submitted by:	Steve McCanne <mccanne@cs.berkeley.edu>
1998-09-02 15:11:14 +00:00
Brian Somers
7100135f12 Remove OpenBSD build support - let the Makefile vary per
OS rather than making it a mess and potentially screwing
up cross builds.
Suggested by: bde

Add Id keyword.
1998-08-31 12:14:30 +00:00
Brian Somers
e8ede338eb Add OpenBSD build support 1998-08-30 23:53:25 +00:00
Doug Rabson
6effc71332 Re-implement tcp and ip fragment reassembly to not store pointers in the
ip header which can't work on alpha since pointers are too big.

Reviewed by: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
1998-08-24 07:47:39 +00:00
Garrett Wollman
cfe8b629f1 Yow! Completely change the way socket options are handled, eliminating
another specialized mbuf type in the process.  Also clean up some
of the cruft surrounding IPFW, multicast routing, RSVP, and other
ill-explored corners.
1998-08-23 03:07:17 +00:00
Bruce Evans
162886e237 Fixed printf format errors. 1998-08-17 01:05:25 +00:00
Bruce Evans
bd3513170b Made some disgusting ifdefs even more disgusting to enable the support
for `u_long cmd' ioctl args if __FreeBSD_version >= 300003.  Some ioctls
were broken on machines with 32-bit ints and 64-bit longs.
1998-08-15 21:51:53 +00:00
Bruce Evans
e43b2ba087 Fixed printf format errors (ntohl() returns in_addr_t = u_int32_t != long
on some 64-bit systems).  print_ip() should use inet_ntoa() instead of
bloated inline code with 4 ntohl()s.
1998-08-11 19:08:42 +00:00
Bruce Evans
db176bbac6 Converted the last instance of hzto() to tvtohz(). 1998-08-05 16:59:20 +00:00
Doug Rabson
a467a475ab Use explicitly sized types when digging through packet headers.
Reviewed by: Julian Elischer <julian@whistle.com>
1998-08-03 17:23:37 +00:00
Peter Wemm
9de9737f47 Fix a compile error if IPFIREWALL_FORWARD active without IPDIVERT. 1998-08-01 08:44:33 +00:00
Kenjiro Cho
4f53e3cc7a update ATM driver. (base version: midway.c 1.67 --> 1.68)
several new features are added:
	- support vc/vp shaping
	- support pvc shadow interface

code cleanup:
	- remove WMAYBE related code.  ENI WMAYBE DMA doen't work.
	- remove updating if_lastchange for every packet.
	- BPF related code is moved to midway.c as it should be.
	  (bpfwrite should work if atm_pseudohdr and LLC/SNAP are
	  prepended.)
	- BPF link type is changed to DLT_ATM_RFC1483.
	  BPF now understands only LLC/SNAP!! (because bpf can't
	  handle variable link header length.)
	  It is recommended to use LLC/SNAP instead of NULL
	  encapsulation for various reasons.  (BPF, IPv6,
	  interoperability, etc.)

the code has been used for months in ALTQ and KAME IPv6.

OKed by phk long time ago.
1998-07-29 05:35:16 +00:00
Alexander Langer
a9a6d1042a Don't log ICMP type and subtype for non-zero offset packet fragments. 1998-07-18 23:27:15 +00:00
Bruce Evans
5914e1ea80 Removed a bogus forward struct declaration.
Cleaned up ifdefs.
1998-07-13 12:20:07 +00:00