Commit Graph

191 Commits

Author SHA1 Message Date
Cy Schubert
37e2d2e695 Separate the ipfilter function/static string from the error with a
colon (:) in error messages to assist the user in parsing out the error
from where or which object the error message refers to.

MFC after:	3 days
2017-05-14 21:18:01 +00:00
Cy Schubert
f7448f6347 Add missing linefeed in debug output. 2017-05-12 01:09:24 +00:00
Cy Schubert
9322c566a0 Implement outputting of IPv6 addresses in the ippool debug list of tree
type pools (ippool -l -d -t tree). Currently IPv6 in ippool tree type
pool handling is partially implemented (meaning it doesn't work).
This is the first of a series of commits to remediate ippool.

This will be MFCed with a yet to be committed series of fixes to ippool
after it has been fully remediated.

PR:		218433
2017-05-11 04:39:11 +00:00
Cy Schubert
5207c6ac74 Ifdef out a redundant if statement when INET6 is disabled.
MFC after:	1 week
2017-05-05 14:34:09 +00:00
Cy Schubert
c6fd01fbbb Use warnx() to issue error message.
Reported by:	cem
MFC after:	1 week
X-MFC with:	r316993, r316994
2017-04-16 04:36:22 +00:00
Cy Schubert
ea5e026a0d Fix CID 1372600, possible NULL pointer dereference should
reallocarray() fail.

Reported by:	Coverity CID 1372600
MFC after:	1 week
2017-04-16 01:15:37 +00:00
Cy Schubert
a07d9e9af4 Fix CID 1372601, possible NULL pointer dereference should
reallocarray() fail.

Reported by:	Coverity CID 1372601
MFC after:	1 week
2017-04-16 01:13:47 +00:00
Gleb Smirnoff
cc65eb4e79 Hide struct inpcb, struct tcpcb from the userland.
This is a painful change, but it is needed.  On the one hand, we avoid
modifying them, and this slows down some ideas, on the other hand we still
eventually modify them and tools like netstat(1) never work on next version of
FreeBSD.  We maintain a ton of spares in them, and we already got some ifdef
hell at the end of tcpcb.

Details:
- Hide struct inpcb, struct tcpcb under _KERNEL || _WANT_FOO.
- Make struct xinpcb, struct xtcpcb pure API structures, not including
  kernel structures inpcb and tcpcb inside.  Export into these structures
  the fields from inpcb and tcpcb that are known to be used, and put there
  a ton of spare space.
- Make kernel and userland utilities compilable after these changes.
- Bump __FreeBSD_version.

Reviewed by:	rrs, gnn
Differential Revision:	D10018
2017-03-21 06:39:49 +00:00
Cy Schubert
3820c3aa3f calloc() and realloc() modernization.
This commit replaces calloc calls, which called calloc() as if it were
malloc() by allocating a multiple of objects as a sizeof multiplied by
the number of objects. The patch rectifies this by calling calloc() as
it was meant to be called.

This commit also replaces realloc() with reallocarray() in a similar
fashion as above. Instead of calculating the memory to reallocated
(changed) by multiplying sizeof by the number of objects, the sizeof
and number are passed as separate arguments to reallocarray(), letting
reallocarray() do the multiplication instead. Like the calloc()
adjustment above, this is approach is cleaner and more elegant than
than the previous code.

This has been tested on my production firewall and a laptop (also
running ipfilter).

Submitted by:	pfg
MFC after:	6 weeks
2017-03-16 04:40:07 +00:00
Cy Schubert
56d5bb4c63 Fix leak (free str before returning when ctx's calloc fails).
Submitted by:	trix_juniper.net (Tom Rix)
Discovered by:	clang's static analyzer
MFC after:	4 days
Relnotes:	ngie
Differential Revision:	D9877
2017-03-03 21:32:27 +00:00
Cy Schubert
520f089ad0 Use normal KNF cuddling of elses.
Reported by:	bde
MFC after:	2 weeks
X-MFC with:	r312777
2017-01-26 04:51:48 +00:00
Cy Schubert
971fa117c0 Currently the fragment info is placed at the top of the linked list
under a shared read lock. This patch attempts to upgrade the lock to
an exclusive write lock. If the exclusive write lock fails to be
obtained, the current fragment is not placed at the head of the list.

This portion of the patch was inspired by NetBSD ip_frag.c r1.4 (which
effectively removed the section of code that performed the reordering).

The patch to sys/contrib/ipfilter/netinet/ip_compat.h adds the
MUTEX_TRY_UPGRADE macro to support the patch to ip_frag.c.

The patch to contrib/ipfilter/lib/rwlock_emul.c supports this patch
by emulating the mutex in userspace when exercised by ipftest(1).

Inspired by:	NetBSD ip_frag.c r1.4
MFC after:	1 month
2017-01-26 01:24:05 +00:00
Cy Schubert
26594bd1ee Remove extraneous blank line.
MFC after:	2 weeks
X-MFC with:	r312777
2017-01-25 20:59:23 +00:00
Cy Schubert
d780a32bc5 Issue an error message when an incorrect flush argument is
encountered.`

MFC after:	2 weeks
2017-01-25 20:41:16 +00:00
Dimitry Andric
338dc8086d Follow-up to r304953, in which I broke the build: apparently the SOLARIS
macro is defined in lots of different places in ipfilter, so replace all
of the nonportable definitions with portable ones.

Pointy hat to:	dim
X-MFC-With:	r304959, r304953
MFC after:	3 days
2016-08-28 19:35:29 +00:00
Cy Schubert
53362bdcc5 Remove dead code.
Approved by:	re@ (hrs@)
MFC after:	1 week
2016-06-30 14:53:46 +00:00
Cy Schubert
ca94cc3b74 Clarify the wording to be more accurate.
Approved by:	re@ (gjb)
MFC after:	1 week
X-MFC with:	r301773
2016-06-10 01:10:48 +00:00
Cy Schubert
dbef02b209 Update the man ipf.8 man page to accurately reflect that the -6
option is a noop and only here for backward compatibility.

MFC after:	1 week
2016-06-10 00:06:58 +00:00
Cy Schubert
17dd2ae7fb Fix another typo.
Reported by:	cem
MFC after:	6 days
2016-05-19 03:18:54 +00:00
Cy Schubert
0003f67197 Fix typo.
Reported by:	Ruben Kerkhof <ruben@rubenkerkhof.com>
MFC after:	6 days
2016-05-19 02:06:48 +00:00
Cy Schubert
4bb37cd3af Static pointers need not be initialized.
MFC after:	4 weeks
2016-04-15 03:45:09 +00:00
Cy Schubert
ff34412a50 Use NULL instead of 0 for pointer comparison.
MFC after:	4 weeks
2016-04-15 03:43:16 +00:00
Ed Maste
8d121298ba ipf(1): Use strchr(3) instead of deprecated index(3)
Reviewed by:	cy
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D2607
2015-05-22 18:31:26 +00:00
Gleb Smirnoff
56d5e0967c Stop including if_var.h from userland.
Sponsored by:	Nginx, Inc.
2015-04-06 09:42:23 +00:00
Gleb Smirnoff
6d947416cc o Use new function ip_fillid() in all places throughout the kernel,
where we want to create a new IP datagram.
o Add support for RFC6864, which allows to set IP ID for atomic IP
  datagrams to any value, to improve performance. The behaviour is
  controlled by net.inet.ip.rfc6864 sysctl knob, which is enabled by
  default.
o In case if we generate IP ID, use counter(9) to improve performance.
o Gather all code related to IP ID into ip_id.c.

Differential Revision:		https://reviews.freebsd.org/D2177
Reviewed by:			adrian, cy, rpaulo
Tested by:			Emeric POUPON <emeric.poupon stormshield.eu>
Sponsored by:			Netflix
Sponsored by:			Nginx, Inc.
Relnotes:			yes
2015-04-01 22:26:39 +00:00
Gleb Smirnoff
b0af3a5363 The ipftest(1) is a program that emulates ipf(4) operation and tests packets
against rules.  It definitely doesn't need to know about kernel internals,
such as 'struct ifaddr'.  What it does with ifaddr, is that it only takes
ifa_addr member of it, and treats it as sockaddr, while it is only a pointer
to sockaddr.  Fortunately, sizeof(struct ifaddr) > sizeof(struct sockaddr_in6),
so no problems arise.

Fix that declaring a private struct ifaddr in ipftest(1) and stop including
if_var.h.

Sponsored by:	Netflix
Sponsored by:	Nginx, Inc.
2015-02-19 23:14:35 +00:00
Cy Schubert
24211cc919 #552 destination port not zero after parsing nat rule
Approved by:	glebius (mentor)
Obtained from:	netbsd CVS repo (r1.4), ipfilter CVS repo (r1.38)
2014-09-22 16:35:48 +00:00
Cy Schubert
19455ef7e4 3561691 gethost never returns an ipv6 address
Approved by:	glebius (mentor)
Obtained from:	ipfilter CVS repo (r1.34), netbsd CVS repo (r1.4)
2014-09-22 16:21:25 +00:00
Cy Schubert
8a07b9a5c4 #551 ipf.conf address structure not properly zero filled
Approved by:	glebius (mentor)
Obtained from:	ipfilter CVS repo (r1.37), netbsd CVS repo (r1.3)
2014-09-22 16:13:38 +00:00
Cy Schubert
01991654f8 #536 ipnat can try to print rule as dstlist incorrectly
Approved by:	glebius (mentor)
Obtained from:	ipfilter CVS repo (r1.14), netbsd CVS repo (r1.3)
2014-09-22 16:09:18 +00:00
Cy Schubert
3f3423a0ef #553 gethost needs to zero entire IP address structure
Approved by:	glebius (mentor)
Obtained from:	ipfilter CVS repo (r1.11)
2014-09-22 16:06:37 +00:00
Cy Schubert
c5c5a79fce ipv6 address for test.hosts.dots in wrong byte order.
Approved by:	glebius (mentor)
Obtained from:	ipfilter CVS repo (r1.11), netbsd CVS repo (r1.5)
2014-09-22 16:03:29 +00:00
Sergey Kandaurov
2ddbae33f1 Unbreak with gcc.
I'm tired to see tinderbox spamming.  Feel free to fix it your way.
2014-07-13 10:38:01 +00:00
Cy Schubert
17ff561352 Fix compile-time errors when NO_WERROR and WITHOUT_INET6_SUPPORT
(NO_INET6) are specified.

Approved by:	glebius
MFC after:	1 week
2014-07-05 07:15:19 +00:00
Gleb Smirnoff
6ed910fabe Hide 'struct ifaddr' definition from userland. Two tools left that use it,
namely ipftest(1) and ifmcstat(1). These sniff structure definition using
_WANT_IFADDR define.

Sponsored by:	Netflix
Sponsored by:	Nginx, Inc.
2013-10-15 10:19:24 +00:00
Cy Schubert
c4d0c9d04e Remove redundant files.
Approved by:    glebius (mentor)
Approved by:    re (blanket)
2013-09-21 14:23:20 +00:00
Cy Schubert
8464e56e2a Check return code from inet_pton.
Discovered by:	Coverity.
Approved by:	glebius (mentor)
Approved by:	re (blanket)
2013-09-21 14:22:07 +00:00
Cy Schubert
bfc88dcbf7 Update ipfilter 4.1.28 --> 5.1.2.
Approved by:		glebius (mentor)
BSD Licensed by:	Darren Reed <darrenr@reed.wattle.id.au> (author)
2013-09-06 23:11:19 +00:00
Cy Schubert
f27f47054d As per the developers handbook (5.3.1 step 1), prepare the vendor trees for
import of new ipfilter vendor sources by flattening them.

To keep the tags consistent with dist, the tags are also flattened.

Approved by:	glebius (Mentor)
2013-07-19 05:41:57 +00:00
Gleb Smirnoff
9711a168b9 Retire struct sockaddr_inarp.
Since ARP and routing are separated, "proxy only" entries
don't have any meaning, thus we don't need additional field
in sockaddr to pass SIN_PROXY flag.

New kernel is binary compatible with old tools, since sizes
of sockaddr_inarp and sockaddr_in match, and sa_family are
filled with same value.

The structure declaration is left for compatibility with
third party software, but in tree code no longer use it.

Reviewed by:	ru, andre, net@
2013-01-31 08:55:21 +00:00
Pedro F. Giffuni
646a7fea0c Clean some 'svn:executable' properties in the tree.
Submitted by:	Christoph Mallon
MFC after:	3 days
2013-01-26 22:08:21 +00:00
Mark Murray
c268cdfc23 Fix paths for example files. 2010-11-18 18:22:58 +00:00
Rui Paulo
be0479174b Use pcap's bpf header, not our own copy of it. 2010-10-29 21:23:34 +00:00
Christian Brueffer
26cad3b64f Comment in the BUGS section header. Matches what's in ipfilter 5.10.
PR:		144880
Submitted by:	Glen Barber <glen.j.barber@gmail.com>
MFC after:	1 week
2010-05-12 00:56:53 +00:00
Ed Schouten
bb505a4f0f Remove unneeded include of <sys/timeb.h>.
This header file should not be included by anything.
2010-03-09 20:58:15 +00:00
Darren Reed
7484474781 fix spelling mistake 2009-11-19 08:10:24 +00:00
Roman Divacky
5caf16048e Fix a typo that causes the for loop to exit immediately. There's
identical loop a few lines above.

Reviewed by: sam
Approved by: ed (mentor)
Silence from: darrenr (maintainer)
2009-06-16 13:31:01 +00:00
Stanislav Sedov
6760b335c6 - Prevent buffer overflow in IPFilter's load_http function used to load
ipfilter tables via http by the user-level ippool utility. Previously
  the 1024-byte buffer used to store a http request coudld easily overflow
  if the length of the hostname part of the url passes exceeded 496 bytes. [1]
- Use snprintf to prevent possieble buffer overflows in future. [2]
- Do not try to close the descriptor twice on failure. [2]

Reported by:	Maksymilian Arciemowicz <cxib@securityreason.com> [1]
Obtained from:	NetBSD CVS [2]
MFC after:	2 weeks
2009-05-29 16:24:23 +00:00
Bjoern A. Zeeb
01b5749292 Remove udp and tcp includes not needed here.
Tripped over by: a compile of an upcoming change
MFC after:	1 month
2009-04-25 19:14:22 +00:00
Qing Li
6e6b3f7cbc This main goals of this project are:
1. separating L2 tables (ARP, NDP) from the L3 routing tables
2. removing as much locking dependencies among these layers as
   possible to allow for some parallelism in the search operations
3. simplify the logic in the routing code,

The most notable end result is the obsolescent of the route
cloning (RTF_CLONING) concept, which translated into code reduction
in both IPv4 ARP and IPv6 NDP related modules, and size reduction in
struct rtentry{}. The change in design obsoletes the semantics of
RTF_CLONING, RTF_WASCLONE and RTF_LLINFO routing flags. The userland
applications such as "arp" and "ndp" have been modified to reflect
those changes. The output from "netstat -r" shows only the routing
entries.

Quite a few developers have contributed to this project in the
past: Glebius Smirnoff, Luigi Rizzo, Alessandro Cerri, and
Andre Oppermann. And most recently:

- Kip Macy revised the locking code completely, thus completing
  the last piece of the puzzle, Kip has also been conducting
  active functional testing
- Sam Leffler has helped me improving/refactoring the code, and
  provided valuable reviews
- Julian Elischer setup the perforce tree for me and has helped
  me maintaining that branch before the svn conversion
2008-12-15 06:10:57 +00:00