Commit Graph

768 Commits

Author SHA1 Message Date
Peter Wemm
088f7c5d38 Nuke the old antique copy of ipfilter from the tree. This is old enough
to be dangerous.  It will better serve us as a port building a KLD,
ala SKIP.

The hooks are staying although it would be better to port and use
the NetBSD pfil interface rather than have custom hooks.
1999-10-10 15:09:59 +00:00
Brian Feldman
ecf723083f Implement RLIMIT_SBSIZE in the kernel. This is a per-uid sockbuf total
usage limit.
1999-10-09 20:42:17 +00:00
Ruslan Ermilov
838d9af2c8 Properly handle the case when either the aliasing or source address of
the link are equal to the default aliasing address.  Do not zero them!

This will fix the problem with non-working links added with the source
and/or aliasing address equal to the default aliasing address, but the
default aliasing address is set later, after the link has been set up,
like both natd(8) and ppp(8) do (for objective reasons).

Reviewed by:	Brian Somers <brian@FreeBSD.org>,
		Eivind Eklund <eivind@FreeBSD.org>,
		Charles Mott <cmott@srv.net>
1999-09-27 08:40:36 +00:00
Poul-Henning Kamp
d6a0e38a1b Remove five now unused fields from struct cdevsw. They should never
have been there in the first place.  A GENERIC kernel shrinks almost 1k.

Add a slightly different safetybelt under nostop for tty drivers.

Add some missing FreeBSD tags
1999-09-25 18:24:47 +00:00
Ruslan Ermilov
bd3ed4542d ReLink() partial links in FindLinkOut() in the same manner as we do it
in FindLinkIn().  This will make TcpMonitorIn()/TcpMonitorOut() happy.

Reviewed by:	eivind
1999-09-22 13:22:26 +00:00
Ruslan Ermilov
f3baa77e5e Restore previous version of FindLinkIn().
Instead, natd(8) should be fixed to call PacketAliasSetAddress()
as part of initialization, as required by libalias(3).
1999-09-21 14:44:32 +00:00
Ruslan Ermilov
02136bf8b0 - Make partially specified permanent links (without `dst_addr' and/or
`dst_port') work for outgoing packets.

- Make permanent links whose `alias_addr' matches the primary aliasing
  address `aliasAddress' work for incoming packets.

- Typo fixes.

Reviewed by:	brian, eivind
1999-09-21 08:40:20 +00:00
Brian Somers
32277d8b6d sys/errno.h -> errno.h 1999-09-21 01:26:49 +00:00
Brian Feldman
2f9a21326c Change so_cred's type to a ucred, not a pcred. THis makes more sense, actually.
Make a sonewconn3() which takes an extra argument (proc) so new sockets created
with sonewconn() from a user's system call get the correct credentials, not
just the parent's credentials.
1999-09-19 02:17:02 +00:00
Larry Lile
f9083fdb2a Re-arrange the arp code so that fddi arps work properly. 1999-09-16 00:35:39 +00:00
Dag-Erling Smørgrav
6c3b5f69ba Reorder. 1999-09-14 16:40:28 +00:00
Dag-Erling Smørgrav
f861330504 Fix some more disordering, as well as the description string for the
net.inet.tcp.drop_synfin sysctl, which for some mysterious reason said
"Drop TCP packets with FIN+ACK set" (instead of "...with SYN+FIN set")
1999-09-14 16:14:05 +00:00
Dag-Erling Smørgrav
e46cd3d4d2 Add the net.inet.tcp.restrict_rst and net.inet.tcp.drop_synfin sysctl
variables, conditional on the TCP_RESTRICT_RST and TCP_DROP_SYNFIN kernel
options, respectively. See the comments in LINT for details.
1999-09-12 17:22:08 +00:00
Ruslan Ermilov
92da29a00d - Optimization to the previous (rev 1.15) commit.
Requested by:	eivind
Discussed with:	eivind
Reviewed by:	brian, eivind
1999-09-10 15:27:34 +00:00
Ruslan Ermilov
29d958bb8a Handle TCP reset sequence properly.
In the words of originator:
:If an incoming connection is initiated through natd and deny_incoming is
:not set, then a new alias_link structure is created to handle the link.
:If there is nothing listening for the incoming connection, then the kernel
:responds with a RST for the connection. However, this is not processed
:correctly in libalias/alias.c:TcpMonitor{In,Out} and
:libalias/alias_db.c:SetState{In,Out} as it thinks a connection
:has been established and therefore applies a timeout of 86400 seconds
:to the link.
:
:If many of these half-connections are initiated (during, for example, a
:port scan of the host), then many thousands of unnecessary links are
:created and the resident size of natd balloons to 20MB or more.

PR:		13639
Reviewed by:	brian
1999-09-09 13:42:51 +00:00
Ruslan Ermilov
2f89696765 Fix typo. 1999-09-08 16:37:14 +00:00
Jonathan Lemon
9fc2bcf662 Simplify, and return an error if the user attempts to set a TCP
time value which results in < 1 tick.

Suggested by: 	bde
1999-08-31 16:34:20 +00:00
Jonathan Lemon
9987d77844 Remove conversion macros that were used during development. 1999-08-31 16:31:07 +00:00
Jonathan Lemon
ccb4d0c653 Add a SYSCTL_PROC so that TCP timer values are now expressed to
the user in ms, while they are stored internally as ticks. Note
that there probably are rounding bogons here, especially on the
alpha.
1999-08-31 03:40:24 +00:00
Jonathan Lemon
9b8b58e033 Restructure TCP timeout handling:
- eliminate the fast/slow timeout lists for TCP and instead use a
    callout entry for each timer.
  - increase the TCP timer granularity to HZ
  - implement "bad retransmit" recovery, as presented in
    "On Estimating End-to-End Network Path Properties", by Allman and Paxson.

Submitted by:	jlemon, wollmann
1999-08-30 21:17:07 +00:00
Bill Fumerola
a5a388c7ab Add $FreeBSD$ and spell Eklund properly.
Approved by:	brian (well, he approved adding $Id$)
1999-08-29 23:17:04 +00:00
David E. O'Brien
5a8c77a83c Remove extra indenting of `break' statements introducted in rev 1.89,
plus wrap some long lines from that revision.

While here, wrap some other long lines.
1999-08-29 21:59:03 +00:00
Dag-Erling Smørgrav
27108a1511 Include the correct header for the IPSTEALTH option. 1999-08-29 12:18:39 +00:00
Bruce Evans
684f9417a2 Oops, I missed a cast in rev.1.119. 1999-08-29 10:23:13 +00:00
Larry Lile
fcf11853dc It is much easier to arp if you don't truncate your arp-reply's.
[affects token-ring only]
1999-08-28 14:57:12 +00:00
Brian Feldman
78f9020e95 Also make the "other" packets counter resettable. 1999-08-28 07:20:59 +00:00
Peter Wemm
c3aac50f28 $Id$ -> $FreeBSD$ 1999-08-28 01:08:13 +00:00
Peter Wemm
7f3dea244c $Id$ -> $FreeBSD$ 1999-08-28 00:22:10 +00:00
Brian Feldman
4d1bb12d6c Correction: uid -> gid (comment) 1999-08-27 23:46:02 +00:00
Jonathan Lemon
6da3d6578b Add readonly OID ``net.inet.tcp.tcbhashsize'' so it is possible to
discover the size of the TCB hashtable on a running system.
1999-08-26 19:52:17 +00:00
Bruce Evans
ff0061bb1d Cast pointers to [u]intptr_t instead of casting them to [u_]long. Don't
depend on gcc's feature of casting lvalues, especially for direct
assignment where it doesn't even simplify the syntax.  Cosmetic.
1999-08-24 00:48:19 +00:00
Brian Somers
7765ab6476 Aallow ppp to work with Nortel Networks Extranet Switch
product and Windows NT tunneling.

Submitted by: Chain Lee <chain@nortelnetworks.com>
1999-08-22 23:32:01 +00:00
Tim Vanderhoek
a395af9036 Typo: 102 => 192 (PR: docs/13310 - Maxim Sobolev <sobomax@altavista.net>) 1999-08-22 19:23:33 +00:00
Brian Feldman
32e7924603 To christen the brand new security category for syslog, we get IPFW
using syslog(3) (log(9)) for its various purposes! This long-awaited
change also includes such nice things as:
	* macros expanding into _two_ comma-delimited arguments!
	* snprintf!
	* more snprintf!
	* linting and criticism by more people than you can shake a stick at!
	* a slightly more uniform message style than before!
	 and last but not least
	* no less than 5 rewrites!

Reviewed by:	committers
1999-08-21 18:35:55 +00:00
Geoff Rehmet
828b7f4069 Fix breakage if blackhole=1 and tiflags & TH_SYN, plus
style(9) fixes

Submitted by:	 Jonathon Lemon
1999-08-19 05:22:12 +00:00
Geoff Rehmet
2e4e1b4c31 Slight tweak to tcp.blackhole to add optional behaviour to
drop any segment arriving at a closed port.
tcp.blackhole=1 - only drop SYN without RST
tcp.blackhole=2 - drop everything without RST
tcp.blackhole=0 - always send RST - default behaviour

This confuses nmap -sF or -sX or -sN quite badly.
1999-08-18 15:40:05 +00:00
Bill Fumerola
ed8bcdec67 Fix a printf() formatter to match its variable.
Reviewed by:	bde, luigi
1999-08-17 22:10:00 +00:00
Geoff Rehmet
16f7f31f04 Add net.inet.tcp.blackhole and net.inet.udp.blackhole
sysctl knobs.

With these knobs on, refused connection attempts are dropped
without sending a RST, or Port unreachable in the UDP case.
In the TCP case, sending of RST is inhibited iff the incoming
segment was a SYN.

Docs and rc.conf settings to follow.
1999-08-17 12:17:53 +00:00
Mike Pritchard
74804d58a0 Various man page cleanup:
- Sort xrefs
- FreeBSD.ORG -> FreeBSD.org
- Be consistent with section names as outlines in mdoc(7)
- Other misc mdoc cleanup.

PR:		doc/13144
Submitted by:	Alexy M. Zelkin <phantom@cris.net>
1999-08-15 09:51:25 +00:00
Luigi Rizzo
772759420f Implement probabilistic rule match in ipfw. Each rule can be associated
with a match probability to achieve non-deterministic behaviour of
the firewall. This can be extremely useful for testing purposes
such as simulating random packet drop without having to use dummynet
(which already does the same thing), and simulating multipath effects
and the associated out-of-order delivery (this time in conjunction
with dummynet).

The overhead on normal rules is just one comparison with 0.

Since it would have been trivial to implement this by just adding
a field to the ip_fw structure, I decided to do it in a
backward-compatible way (i.e. struct ip_fw is unchanged, and as a
consequence you don't need to recompile ipfw if you don't want to
use this feature), since this was also useful for -STABLE.

When, at some point, someone decides to change struct ip_fw, please
add a length field and a version number at the beginning, so userland
apps can keep working even if they are out of sync with the kernel.
1999-08-11 15:34:47 +00:00
Luigi Rizzo
706aa7f870 Add spl() protection to remove that the timer is invoked multiple
times resulting in higher bandwidth and lower delays.
Reported-by: Jamshid Madhavi
1999-08-11 14:37:58 +00:00
Dag-Erling Smørgrav
18d3153ead Add net.inet.icmp.log_redirect and net.inet.icmp.drop_redirect, for
respectively logging and dropping ICMP REDIRECT packets.

Note that there is no rate limiting on the log messages, so log_redirect
should be used with caution (preferrably only for debugging purposes).
1999-08-10 09:45:33 +00:00
Brian Feldman
0b6c1a832d Make ipfw's logging more dynamic. Now, log will use the default limit
_or_ you may specify "log logamount number" to set logging specifically
the rule.
   In addition, "ipfw resetlog" has been added, which will reset the
logging counters on any/all rule(s). ipfw resetlog does not affect
the packet/byte counters (as ipfw reset does), and is the only "set"
command that can be run at securelevel >= 3.
   This should address complaints about not being able to set logging
amounts, not being able to restart logging at a high securelevel,
and not being able to just reset logging without resetting all of the
counters in a rule.
1999-08-01 16:57:24 +00:00
Brian Feldman
7558f6aad9 8 -> NBBy 1999-07-28 22:27:27 +00:00
Brian Feldman
f8075bf9b3 Correct a really gross comment format. 1999-07-28 22:22:57 +00:00
Jonathan M. Bresler
e9bd3a37e8 fix comment re: RST received in TIME_WAIT to match the code. 1999-07-18 14:42:48 +00:00
Brian Feldman
24ad8fe519 Correct a mistake in so_cred changes. In practice, I don't think that it
would make a difference. However, my previous diff _did_ change the
behavior in some way (not necessarily break it), so I'm fixing it.

Found by:	bde
Submitted by:	bde
1999-07-12 18:58:23 +00:00
Brian Feldman
490d50b60a Two new sysctls: net.inet.tcp.getcred and net.inet.udp.getcred. These take
a sockaddr_in[2] (local, then remote) and return a struct ucred. Example
code for these is at:
	http://www.FreeBSD.org/~green/inetd_ident.patch
	http://www.FreeBSD.org/~green/freebsd4.c (for pidentd)

Reviewed by:	bde
1999-07-11 18:32:46 +00:00
Mike Smith
35ec852af5 Use the new tunable macros for the net.inet.tcp.tcbhashsize tunable. 1999-07-05 08:46:55 +00:00
Pierre Beyssac
5a903f8d73 In in_pcbconnect(), check the return value from in_pcbbind() and
exit on errors.

If we don't, in_pcbrehash() is called without a preceeding
in_pcbinshash(), causing a crash.

There are apparently several conditions that could cause the crash;
PR misc/12256 is only one of these.

PR:		misc/12256
1999-06-25 23:46:47 +00:00