Commit Graph

661 Commits

Author SHA1 Message Date
Brian Somers
7d96f4efd2 Version 3.0: January 1, 1999
- Transparent proxying support added.
    - PPTP redirecting support added based on patches
      contributed by Dru Nelson <dnelson@redwoodsoft.com>.

Submitted by: Charles Mott <cmott@srv.net>
1999-02-27 02:16:01 +00:00
Dag-Erling Smørgrav
1b968362aa Add support for stealth forwarding (forwarding packets without touching
their ttl). This can be used - in combination with the proper ipfw
incantations - to make a firewall or router invisible to traceroute
and other exploration tools.

This behaviour is controlled by a sysctl variable (net.inet.ip.stealth)
and hidden behind a kernel option (IPSTEALTH).

Reviewed by:	eivind, bde
1999-02-22 18:19:57 +00:00
Julian Elischer
722012cc0c World, I'd like you to meet the first FreeBSD token Ring driver.
This  is for various Olicom cards. An IBM driver is following.
This patch also adds support to tcpdump to decode packets on tokenring.
Congratulations to the proud father.. (below)

Submitted by:	Larry Lile <lile@stdio.com>
1999-02-20 11:18:00 +00:00
Luigi Rizzo
17458d3570 avoid panic with pkts larger than MTU and DF set coming out of a pipe. 1999-02-19 18:32:55 +00:00
Doug Rabson
ce02431ffa * Change sysctl from using linker_set to construct its tree using SLISTs.
This makes it possible to change the sysctl tree at runtime.

* Change KLD to find and register any sysctl nodes contained in the loaded
  file and to unregister them when the file is unloaded.

Reviewed by: Archie Cobbs <archie@whistle.com>,
	Peter Wemm <peter@netplex.com.au> (well they looked at it anyway)
1999-02-16 10:49:55 +00:00
Garrett Wollman
cc766e041e After wading in the cesspool of ip_input for an hour, I have managed to
convince myself that nothing will break if we permit IP input while
interface addresses are unconfigured.  (At worst, they will hit some
ULP's PCB scan and fail if nobody is listening.)  So, remove the restriction
that addresses must be configured before packets can be input.  Assume
that any unicast packet we receive while unconfigured is potentially ours.
1999-02-09 16:55:46 +00:00
Julian Elischer
a0c091ad1d remove leftover garbage line. 1999-02-08 05:53:39 +00:00
Julian Elischer
b0935ca284 Fix for PR 9309.
Divert was not feeding clean data to ifa_ifwithaddr() so it was
giving bad results.
Submitted by: kseel <kseel@utcorp.com>, Ruslan Ermilov <ru@ucb.crimea.ua>
1999-02-08 05:48:46 +00:00
Bill Fenner
51b7b33769 Use snd_nxt, not rcv_nxt, when calculating the ISS during TIME_WAIT.
This was missed in the 4.4-Lite2 merge.

Noticed by:	Mohan Parthasarathy <Mohan.Parthasarathy@eng.Sun.COM> and
		jayanth@loc201.tandem.com (vijayaraghavan_jayanth)
		on the tcp-impl mailing list.
1999-02-06 00:47:45 +00:00
Mike Smith
ea95d6917a Nuke all the stupid ffs() stuff and use powerof2() instead.
Submitted by:	Bruce Evans <bde@zeta.org.au>
1999-02-04 03:27:43 +00:00
Mike Smith
609b6256fd Fix power-of-2 check for the TCB hash size.
Submitted by:	Brian Feldman <green@unixhelp.org>
1999-02-04 03:02:56 +00:00
Mike Smith
aa1458495d Make TCBHASHSIZE a boot-time tunable as well, taking its value from the
variable net.inet.tcp.tcbhashsize.

Requested by:	David Filo <filo@yahoo-inc.com>
1999-02-03 08:59:30 +00:00
Matthew Dillon
831a80b0d5 Fix warnings in preparation for adding -Wall -Wcast-qual to the
kernel compile
1999-01-27 22:42:27 +00:00
Archie Cobbs
85abbaa800 Move kernel-only declarations to within #ifdef KERNEL
Prompted by:	gcc warnings when compiling /sbin/ipfw
1999-01-23 23:59:50 +00:00
Garrett Wollman
92af003dd8 Don't forward unicast packets received via link-layer multicast.
Suggested by: fenner
Original complaint: Shiva Shenoy <Shiva.Shenoy@yagosys.com>
1999-01-22 16:50:45 +00:00
Bill Fenner
b0acefa8d4 Add a flag, passed to pru_send routines, PRUS_MORETOCOME. This
flag means that there is more data to be put into the socket buffer.
Use it in TCP to reduce the interaction between mbuf sizes and the
Nagle algorithm.

Based on:	"Justin C. Walker" <justin@apple.com>'s description of Apple's
		fix for this problem.
1999-01-20 17:32:01 +00:00
Bill Fenner
cc133fa302 Fix bug in last commit (la was used uninitialized if no route was passed in). 1999-01-19 23:17:03 +00:00
Bill Fenner
01b7c0826f Use dynamic memory allocation instead of mbuf's for multicast routing
state.

Note: this requires a recompilation of netstat (but netstat has been
broken since rev 1.52 of ip_mroute.c anyway)

Obtained from:	Significantly based on Steve McCanne's
		<mccanne@cs.berkeley.edu> work for BSD/OS
1999-01-18 02:06:59 +00:00
Bill Fenner
9bb02c7b92 Rename igmp's MALLOC; it doesn't have anything to do with multicast routing. 1999-01-18 01:56:31 +00:00
Bill Fenner
e7bc5f272b If arpresolve() gets passed a route with a null llinfo, call
arplookup() to try again.  This gets rid of at least one user's
 "arpresolve: can't allocate llinfo" errors, and arplookup() gives
 better error messages to help track down the problem if there really
 is a problem with the routing table.
1999-01-18 01:54:36 +00:00
Eivind Eklund
0189b9a1fd ... _and_ the (void*) casts for %p. Next, I'll forget my own name :-( 1999-01-12 16:43:52 +00:00
Eivind Eklund
e23c7d8612 Avoid unnecessary GCCism - I hadn't noticed the __unused macro. 1999-01-12 16:40:57 +00:00
Eivind Eklund
19e5ea73d0 * Print pointers using the correct type (%p) instead of %x.
* Use the correct type for timeout function.
* Add missing #include.
1999-01-12 12:27:54 +00:00
Eivind Eklund
dee383e043 Add #ifdef's to avoid unused label warning in some cases. 1999-01-12 12:25:00 +00:00
Eivind Eklund
ab54eac7a1 Remove unused statics. 1999-01-12 12:16:50 +00:00
Luigi Rizzo
4180488519 Add a missing bzero which could be the source of instability
problems reported recently (the rtentry pointer in the dummynet
queue was not initialized in all cases, resulting in spurious
rt_refcnt decreases in the lucky cases, and memory trashing in
other cases.
1999-01-11 11:08:07 +00:00
Luigi Rizzo
a1a2de5139 Remove check from where arp replies are coming from -- when doing bridging,
interfaces are used in clusters so the check does not apply.
1999-01-10 17:40:10 +00:00
Brian Somers
a2743da670 If we can't open alias.log, don't try to write to the
resulting NULL FILE *.
PR:	9403
1999-01-10 02:05:13 +00:00
Luigi Rizzo
cc277540ab Partial fix for when ipfw is used with bridging. Bridged packets
have all fields in network order, whereas ipfw expects some to be
in host order. This resulted in some incorrect matching, e.g. some
packets being identified as fragments, or bandwidth not being
correctly enforced.
NOTE: this only affects bridge+ipfw, normal ipfw usage was already
correct).

Reported-By: Dave Alden and others.
1998-12-31 07:43:29 +00:00
Luigi Rizzo
ea1f41f65f Remove some unused variables. 1998-12-31 07:35:49 +00:00
Luigi Rizzo
549db363a7 'ip_fw_head' and 'M_IPFW' are also used in ip_dummynet so cannot be
static...
Reported by: Dave Alden
1998-12-22 20:38:06 +00:00
Luigi Rizzo
af38c68c1e Recover from previous dummynet screwup 1998-12-21 22:40:54 +00:00
Luigi Rizzo
f0f6d6434d Restore 1.82->1.83 change deleted by mistake< per Bruce suggestion 1998-12-21 21:36:40 +00:00
Bill Fenner
0b6205feca Add missing "break"s to allow multicast routing to work.
Submitted by:	Amancio Hasty <hasty@rah.star-gate.com>
1998-12-16 18:07:11 +00:00
Luigi Rizzo
b715f178c6 Last bits (i think) of dummynet for -current. 1998-12-14 18:09:13 +00:00
Matthew Dillon
374fad8b17 Reviewed by: freebsd-current
Add bounds checking to netbios NS packet resolving code.  This should
    prevent natd from crashing on badly formed netbios packets (as might be
    heard when the machine is sitting on a cable modem or certain DSL
    networks), and also closes potential security holes that might have
    exploited the lack of bounds checking in the previous version of the
    code.
1998-12-14 02:25:32 +00:00
Matthew Dillon
4462d1a56f PR: kern/8990
If timer calculation results in degenerate value (0), force it to 1
    to avoid divide-by-zero panic later on in calls to IGMP_RANDOM_DELAY().
    I considered simply adding 1 to the timer calculation, but was unsure
    if the calculation was part of the IGMP standard or not so did not want
    to mess with it for all cases.
1998-12-12 21:45:49 +00:00
Archie Cobbs
f1d19042b0 The "easy" fixes for compiling the kernel -Wunused: remove unreferenced static
and local variables, goto labels, and functions declared but not defined.
1998-12-07 21:58:50 +00:00
Eivind Eklund
6572231d20 Clean up some pointer usage. 1998-12-07 05:41:10 +00:00
Archie Cobbs
2127f26023 Examine all occurrences of sprintf(), strcat(), and str[n]cpy()
for possible buffer overflow problems. Replaced most sprintf()'s
with snprintf(); for others cases, added terminating NUL bytes where
appropriate, replaced constants like "16" with sizeof(), etc.

These changes include several bug fixes, but most changes are for
maintainability's sake. Any instance where it wasn't "immediately
obvious" that a buffer overflow could not occur was made safer.

Reviewed by:	Bruce Evans <bde@zeta.org.au>
Reviewed by:	Matthew Dillon <dillon@apollo.backplane.com>
Reviewed by:	Mike Spengler <mks@networkcs.com>
1998-12-04 22:54:57 +00:00
Matthew Dillon
5fce7fc47f Cleanup icmp_var.h, make icmp bandlim sysctl permanent but if ICMP_BANDLIM
option not defined the sysctl int value is set to -1 and read-only.

    #ifdef KERNEL's added appropriately to wall off visibility of kernel
    routines from user code.
1998-12-04 04:21:25 +00:00
Matthew Dillon
a3e7459d60 Obtained from: "Andrey A. Chernov" <ache@nagual.pp.ru>
Quick add #ifdef KERNEL for ICMP_BANDLIM option so userland program
     can #include icmp_var.h
1998-12-04 03:49:18 +00:00
Matthew Dillon
51508de112 Reviewed by: freebsd-current
Add ICMP_BANDLIM option and 'net.inet.icmp.icmplim' sysctl.  If option
    is specified in kernel config, icmplim defaults to 100 pps.  Setting it
    to 0 will disable the feature.  This feature limits ICMP error responses
    for packets sent to bad tcp or udp ports, which does a lot to help the
    machine handle network D.O.S. attacks.

    The kernel will report packet rates that exceed the limit at a rate of
    one kernel printf per second.  There is one issue in regards to the
    'tail end' of an attack... the kernel will not output the last report
    until some unrelated and valid icmp error packet is return at some
    point after the attack is over.  This is a minor reporting issue only.
1998-12-03 20:23:21 +00:00
Eivind Eklund
29be051d68 Staticize some more. 1998-11-26 18:54:52 +00:00
John Polstra
b2052ac8cf Fix a couple of typos. 1998-11-19 18:07:28 +00:00
Doug Rabson
73c8631124 Remove stale references to ih_next and ih_prev.
Pointed out by: Roman V. Palagin <romanp@wuppy.rcs.ru>
1998-11-17 10:53:37 +00:00
Doug Rabson
7a94149e37 Make the previous fix more portable.
Requested by: bde
1998-11-16 08:27:36 +00:00
Guido van Rooij
d285db5598 The below patch helps to reduce the leakage of internal socket information
when a TCP "stealth" scan is directed at a *BSD box by ensuring the window
is 0 for all RST packets generated through tcp_respond()
Reviewed by:	Don Lewis <Don.Lewis@tsc.tdk.com>
Obtained from:	Bugtraq (from: Darren Reed <avalon@COOMBS.ANU.EDU.AU>)
1998-11-15 21:35:09 +00:00
Doug Rabson
48a39a495a Fix printf format errors on alpha. 1998-11-15 18:10:14 +00:00
Bruce Evans
c25ded316f Finished updating module event handlers to be compatible with
modeventhand_t.
1998-11-15 15:33:52 +00:00