Commit Graph

145 Commits

Author SHA1 Message Date
rdivacky
9d18ee7303 Fix a typo that causes the for loop to exit immediately. There's
identical loop a few lines above.

Reviewed by: sam
Approved by: ed (mentor)
Silence from: darrenr (maintainer)
2009-06-16 13:31:01 +00:00
stas
b6666822bf - Prevent buffer overflow in IPFilter's load_http function used to load
ipfilter tables via http by the user-level ippool utility. Previously
  the 1024-byte buffer used to store a http request coudld easily overflow
  if the length of the hostname part of the url passes exceeded 496 bytes. [1]
- Use snprintf to prevent possieble buffer overflows in future. [2]
- Do not try to close the descriptor twice on failure. [2]

Reported by:	Maksymilian Arciemowicz <cxib@securityreason.com> [1]
Obtained from:	NetBSD CVS [2]
MFC after:	2 weeks
2009-05-29 16:24:23 +00:00
bz
1d1c15a5ac Remove udp and tcp includes not needed here.
Tripped over by: a compile of an upcoming change
MFC after:	1 month
2009-04-25 19:14:22 +00:00
qingli
ec826ad5c7 This main goals of this project are:
1. separating L2 tables (ARP, NDP) from the L3 routing tables
2. removing as much locking dependencies among these layers as
   possible to allow for some parallelism in the search operations
3. simplify the logic in the routing code,

The most notable end result is the obsolescent of the route
cloning (RTF_CLONING) concept, which translated into code reduction
in both IPv4 ARP and IPv6 NDP related modules, and size reduction in
struct rtentry{}. The change in design obsoletes the semantics of
RTF_CLONING, RTF_WASCLONE and RTF_LLINFO routing flags. The userland
applications such as "arp" and "ndp" have been modified to reflect
those changes. The output from "netstat -r" shows only the routing
entries.

Quite a few developers have contributed to this project in the
past: Glebius Smirnoff, Luigi Rizzo, Alessandro Cerri, and
Andre Oppermann. And most recently:

- Kip Macy revised the locking code completely, thus completing
  the last piece of the puzzle, Kip has also been conducting
  active functional testing
- Sam Leffler has helped me improving/refactoring the code, and
  provided valuable reviews
- Julian Elischer setup the perforce tree for me and has helped
  me maintaining that branch before the svn conversion
2008-12-15 06:10:57 +00:00
mlaier
21efffe9d5 Fix build when WITHOUT_DYNAMICROOT is specified in src.conf(5). 2008-08-04 22:45:27 +00:00
darrenr
49ad2adb91 2020447 IPFilter's NAT can undo name server random port selection
Approved by:	darrenr
MFC after:	1 week
Security:	CERT VU#521769
2008-07-24 12:35:05 +00:00
des
4cb5c18630 For unfathomable reasons, ipfilter abuses kernel data structures for its
own purposes.  To pull this off, it defines _KERNEL before including the
headers where these structures are defined.  This leads to no end of
trouble when some of these headers, or other headers that they include,
change, as demonstrated by r180755.

The quick fix in this particular case is to define _WANT_FILE instead of
_KERNEL, conditional on __FreeBSD__.  A better long-term fix is left as
an exercise to the reader.
2008-07-23 16:34:53 +00:00
darrenr
fd172ed327 Pullup IPFilter 4.1.28 from the vendor branch into HEAD.
MFC after:	7 days
2007-10-18 21:52:14 +00:00
darrenr
3345281d0a This commit was generated by cvs2svn to compensate for changes in r172771,
which included commits to RCS files with non-trunk default branches.
2007-10-18 21:42:51 +00:00
darrenr
71e82d94e8 Import IPFilter 4.1.28 2007-10-18 21:42:51 +00:00
darrenr
e784ce0e33 ipfstat should parse "any" when used with -D/-S command line options
PR:	bin/113879
Submitted by:	kabe@sra-tohoku.co.jp
Reviewed by:	darrenr
Approved by:	re
2007-06-24 16:39:12 +00:00
darrenr
27a50eee47 Remove files no longer required to build IPFilter 2007-06-04 03:07:34 +00:00
darrenr
a33069b532 Merge IPFilter 4.1.23 back to HEAD
See src/contrib/ipfilter/HISTORY for details of changes since 4.1.13
2007-06-04 02:54:36 +00:00
darrenr
e2e28d4361 Import IPFilter 4.1.23 to vendor branch.
See src/contrib/ipfilter/HISTORY for details of changes since 4.1.13
2007-06-04 02:50:28 +00:00
darrenr
1dd4fa592d This commit was generated by cvs2svn to compensate for changes in r170263,
which included commits to RCS files with non-trunk default branches.
2007-06-04 02:50:28 +00:00
guido
e49049679f Resolve conflicts
MFC after:	1 weeks
2006-08-16 12:23:02 +00:00
guido
092f5d1218 Import IP Filter 4.1.13 2006-08-16 11:51:32 +00:00
guido
3a39cf5435 This commit was generated by cvs2svn to compensate for changes in r161351,
which included commits to RCS files with non-trunk default branches.
2006-08-16 11:51:32 +00:00
darrenr
a3ec5442cc fix "ipf -Z" reporting rubbish and possibly panic'ing box
MFC after:	4 days
2006-04-18 13:24:14 +00:00
darrenr
aacbf565b5 Add a man page for mkfilters(1) and put the corrected perl script in the
ipfilter usr/share directory

PR:     docs/26879
2006-02-27 11:22:20 +00:00
guido
7ee0924750 Resolve conflicts (and believe me...you don't want to know). 2005-12-30 11:52:26 +00:00
guido
9749beb9e3 Import IP Filter 4.1.10 2005-12-30 11:34:54 +00:00
guido
530bf89f14 This commit was generated by cvs2svn to compensate for changes in r153877,
which included commits to RCS files with non-trunk default branches.
2005-12-30 11:34:54 +00:00
darrenr
529d7c08ef Remove these files from src/contrib/ipfilter as they are already present
in src/sys/contrib/ipfilter/netinet.  Makefile's reachover bits find what
they need so building is unaffected.

Approved by: re (dwhite)
2005-06-23 14:22:02 +00:00
darrenr
22c343ffc8 Fix some minor problems before release:
(1) "ipf -T" is broken for fetching single entries and
(2) loading rules with numbered collections does not order insertion right.
(3) stats aren't accumulated for hash table memory failures

Approved by: re (dwhite)
2005-06-23 14:19:02 +00:00
eivind
e998be30e5 Since this is already off the vendor branch: Our kernel is now in
/boot/kernel/kernel, not plain /kernel
2005-05-27 01:09:42 +00:00
cognet
8f10c3fc8a arm defaults to unsigned char as well. 2005-05-24 21:25:32 +00:00
darrenr
7b001e5d5e Enable building /sbin/ipf (but not the rescue version) with the ability to
parse bpf strings for filter rules in ipf.conf
2005-05-16 16:22:55 +00:00
grehan
e9af45b288 Fix tinderbox build on ppc.
Requested by:  mlaier
2005-05-08 00:29:15 +00:00
darrenr
a57939d5ce Don't use quad_t on FreeBSD (deprecated) so use "long long" instead.
Someday this should be converted to uint64_t and printstate.c changed to
use those horrid PRiud64 things.
2005-04-28 21:36:30 +00:00
darrenr
f739412edd Patches from Ruslam Ermilov to remove NetBSD bits from Makefiles and cleanup
build problems with rescue.
2005-04-28 16:26:35 +00:00
darrenr
c7e59108a8 Fix include directives that were missing the netinet include directory, where
the ipl.h file is found.  Also add back in ip_fil.c, which somehow went missing
in action.
2005-04-26 15:18:45 +00:00
darrenr
b8892e0b0c Missing file from vendor branch import. 2005-04-26 14:59:26 +00:00
darrenr
6941302010 Fix problems with building libipf:
ipf_dontuning.c - change the include to look in netinet for ipl.h
ipft_tx.c - make the private use of arrays with tcp flags info in them more
            not use names that can be "confusing"
2005-04-26 14:27:12 +00:00
darrenr
671e5d7cb6 this file does not belong in a freebsd distribution 2005-04-25 19:15:19 +00:00
darrenr
d643bc9db0 * Someone imported a lot of files with the wrong CVS tag, so lots of files need
that fixed in them....
* Keep unnecessary files out of the non-vendor part of this CVS repository.
2005-04-25 18:20:15 +00:00
darrenr
bf14e64afe these files should never have been imported...they are junk 2005-04-25 17:40:37 +00:00
darrenr
15f9876206 This commit was generated by cvs2svn to compensate for changes in r145513,
which included commits to RCS files with non-trunk default branches.
2005-04-25 17:40:37 +00:00
darrenr
d438802dcb import ipfilter 4.1.8 into the vendor branch 2005-04-25 17:31:50 +00:00
darrenr
1c27d898b4 This commit was generated by cvs2svn to compensate for changes in r145510,
which included commits to RCS files with non-trunk default branches.
2005-04-25 17:31:50 +00:00
darrenr
a444d606d5 Committ changes from 3.4.31 -> 3.4.35
* fix bug parsing port comparisons in proxy rules
* make parsing errors in ipf/ipnat return an error rather than return
  indicating success.
* make parsing errors in ipf/ipnat return an error rather than return
  indicating success.
* make ipfstat work as a set{g,u}id thing - gave up privs before opening
  /dev/ipl
* fix ipfstat -A
* make "ipfstat -f" output more informative
* various changes to ipsend for sending packets with ipv4 options
* ipmon was not correctly calculating the length of the IPv6 packet (excluded
  ipv6 header length)

MFC:	1 week
2004-06-21 22:53:03 +00:00
darrenr
590450fec6 Import ipfilter 3.4.35 onto vendor branch 2004-06-21 22:47:51 +00:00
darrenr
ac063842a5 This commit was generated by cvs2svn to compensate for changes in r130887,
which included commits to RCS files with non-trunk default branches.
2004-06-21 22:47:51 +00:00
guido
588931c924 if_name and if_unit renaming to if_xname should be dealth with in
ipmon as well.
2004-01-02 13:10:47 +00:00
brooks
244f075414 This is a direct commit to the vendor branch with code from the vendor.
Replace the if_name and if_unit members of struct ifnet with new members
if_xname, if_dname, and if_dunit. if_xname is the name of the interface
and if_dname/unit are the driver name and instance.

This change paves the way for interface renaming and enhanced pseudo
device creation and configuration symantics.

Submitted by:	darrenr
Approved by:	re (scottl)
2003-12-02 18:33:36 +00:00
brooks
5c7716ee9f This commit was generated by cvs2svn to compensate for changes in r123109,
which included commits to RCS files with non-trunk default branches.
2003-12-02 18:33:36 +00:00
darrenr
72ec972c34 update man page to reflect change in default syslog level ipmon is now compiled with 2003-04-05 21:12:58 +00:00
darrenr
20b8c1f5c4 Change the default syslog facility from LOG_LOCAL0 to LOG_SECURITY after
discussion on security@freebsd.org.
2003-04-05 09:25:19 +00:00
darrenr
e818bd682c bring changes in IPFilter to 3.4.31 on to the head 2003-02-15 06:32:48 +00:00
darrenr
bb1b56a0d0 Import userland tools for IPFilter 3.4.31 into -current 2003-02-15 06:27:40 +00:00