Commit Graph

63 Commits

Author SHA1 Message Date
Peter Wemm
ffdd472de7 Allow a compile-time override of the ipfw deny rule. For a 'firewall'
you don't want this (and the documentation explains why), but if you
use ipfw as an as-needed casual filter as needed which normally runs as
'allow all' then having the kernel and /sbin/ipfw get out of sync is a
*MAJOR* pain in the behind.

PR: 4141
Submitted by: Heikki Suonsivu <hsu@mail.clinet.fi>
1997-09-10 03:07:14 +00:00
Alexander Langer
643811317c Fixed logging of verbose limited packets.
PR:		4351
Submitted by:	Ron Bickers <rbickers@intercenter.net>
1997-08-23 14:28:22 +00:00
Alexander Langer
37d06d64cd Ensure that the interface name is terminated. 1997-08-06 00:19:05 +00:00
Bruce Evans
1fd0b0588f Removed unused #includes. 1997-08-02 14:33:27 +00:00
Julian Elischer
c7c219131b make it compile with -Wall
Submitted by: Archi Cobbs, archie@whistle.com
1997-06-04 22:09:15 +00:00
Julian Elischer
e4676ba603 Submitted by: Whistle Communications (archie Cobbs)
these are quite extensive additions to the ipfw code.
they include a change to the API because the old method was
broken, but the user view is kept the same.

The new code allows a particular match to skip forward to a particular
line number, so that blocks of rules can be
used without checking all the intervening rules.
There are also many more ways of rejecting
connections especially TCP related, and
many many more ...

see the man page for a complete description.
1997-06-02 05:02:37 +00:00
Alexander Langer
af28de7ca8 Create the default rule with flags IP_FW_F_IN | IP_FW_F_OUT.
Closes PR#3100.
1997-05-06 02:12:18 +00:00
Peter Dufault
0ddf9be1f0 Make MOD_* macros almost consistent:
Use the name argument almost the same in all LKM types.  Maintain
the current behavior for the external (e.g., modstat) name for DEV,
EXEC, and MISC types being #name ## "_mod" and SYCALL and VFS only
#name.  This is a candidate for change and I vote just the name without
the "_mod".

Change the DISPATCH macro to MOD_DISPATCH for consistency with the
other macros.

Add an LKM_ANON #define to eliminate the magic -1 and associated
signed/unsigned warnings.

Add MOD_PRIVATE to support wcd.c's poking around in the lkm structure.

Change source in tree to use the new interface.

Reviewed by:	Bruce Evans
1997-04-06 11:14:13 +00:00
Peter Wemm
6875d25465 Back out part 1 of the MCFH that changed $Id$ to $FreeBSD$. We are not
ready for it yet.
1997-02-22 09:48:43 +00:00
Adam David
839cc09e53 implement "not" keyword for inverting the address logic 1997-01-16 21:04:29 +00:00
Jordan K. Hubbard
1130b656e5 Make the long-awaited change from $Id$ to $FreeBSD$
This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore.  This update would have been
insane otherwise.
1997-01-14 07:20:47 +00:00
Garrett Wollman
59562606b9 Convert the interface address and IP interface address structures
to TAILQs.  Fix places which referenced these for no good reason
that I can see (the references remain, but were fixed to compile
again; they are still questionable).
1996-12-13 21:29:07 +00:00
Bruce Evans
4458ac71b1 Removed nested include if <sys/socket.h> from <net/if.h> and
<net/if_arp.h> and fixed the things that depended on it.  The nested
include just allowed unportable programs to compile and made my
simple #include checking program report that networking code doesn't
need to include <sys/socket.h>.
1996-10-12 19:49:43 +00:00
Alexander Langer
bfcffdaf03 Log the interface name which received the packet.
Suggested by:	Hal Snyder <hsndyer@thoughtport.com>
1996-10-12 19:38:50 +00:00
Alexander Langer
80afcdeef5 Fix the visibility of the sysctl variables.
Submitted by:	phk
1996-08-31 21:05:20 +00:00
Paul Traina
cc98643e68 Completely rewrite handling of protocol field for firewalls, things are
now completely consistent across all IP protocols and should be quite a
bit faster.

Discussed with: fenner & alex
1996-08-13 19:43:41 +00:00
Alexander Langer
71c011477f Filter by IP protocol.
Submitted by: fenner (with modifications by me)

Use a common prefix string for all warning messages generated during
ip_fw_ctl.
1996-08-05 02:35:04 +00:00
Alexander Langer
889fe95791 Switch back to logging accepted packets with the text "Allow" instead
of "Accept"
1996-07-14 21:12:52 +00:00
Julian Elischer
93e0e11657 Adding changes to ipfw and the kernel to support ip packet diversion..
This stuff should not be too destructive if the IPDIVERT is not compiled in..
 be aware that this changes the size of the ip_fw struct
so ipfw needs to be recompiled to use it.. more changes coming to clean this up.
1996-07-10 19:44:30 +00:00
Nate Williams
bce2d3379e Functionality for IPFIREWALL_VERBOSE logging:
- State when we've reached the limit on a particular rule in the kernel logfile
- State when a rule or all rules have been zero'd.

This gives a log of all actions that occur w/regard to the firewall
occurances, and can explain why a particular break-in attempt might not
get logged due to the limit being reached.

Reviewed by:	alex
1996-07-09 20:49:38 +00:00
Alexander Langer
32fb6c089b Reject rules which try to mix ports with incompatible protocols. 1996-06-29 03:33:20 +00:00
Alexander Langer
830b0d3039 Allow fragment checking to work with specific protocols.
Reviewed by:	phk

Reject the addition of rules that will never match (for example,
1.2.3.4:255.255.255.0).  User level utilities specify the policy by either
masking the IP address for the user (as ipfw(8) does) or rejecting the
entry with an error.  In either case, the kernel should not modify chain
entries to make them work.
1996-06-25 00:22:20 +00:00
Bruce Evans
7472e2e0f8 Use IPFIREWALL_MODULE instead of ACTUALLY_LKM_NOT_KERNEL to indicate
LKM'ness.  ACTUALLY_LKM_NOT_KERNEL is supposed to be so ugly that it
only gets used until <machine/conf.h> goes away.  bsd.kmod.mk should
define a better-named general macro for this.  Some places use
PSEUDO_LKM.  This is another bad name.

Makefile:
Added IPFIREWALL_VERBOSE_LIMIT option (commented out).
1996-06-23 14:28:02 +00:00
Alexander Langer
6875d5c1b3 Fix chain numbering bug when the highest line number installed >= 65435
and the rule being added has no explicit line number set.

Submitted by:	Archie Cobbs <archie@whistle.com>
1996-06-17 00:00:35 +00:00
Gary Palmer
5d2541dab0 Don't try to include opt_ipfw.h in LKMs
Submitted by:	Ollivier Robert <roberto@keltia.freenix.fr>
1996-06-13 17:35:28 +00:00
Gary Palmer
74a9466cc2 Convert ipfw to use opt_ipfw.h 1996-06-12 19:34:33 +00:00
Alexander Langer
7a99108603 Big sweep over ipfw, picking up where Poul left off:
- Log ICMP type during verbose output.
  - Added IPFIREWALL_VERBOSE_LIMIT option to prevent denial of service
    attacks via syslog flooding.
  - Filter based on ICMP type.
  - Timestamp chain entries when they are matched.
  - Interfaces can now be matched with a wildcard specification (i.e.
    will match any interface unit for a given name).
  - Prevent the firewall chain from being manipulated when securelevel
    is greater than 2.
  - Fixed bug that allowed the default policy to be deleted.
  - Ability to zero individual accounting entries.
  - Remove definitions of old_chk_ptr and old_ctl_ptr when compiling
    ipfw as a lkm.
  - Remove some redundant code shared between ip_fw_init and ipfw_load.

Closes PRs: 1192, 1219, and 1267.
1996-06-09 23:46:21 +00:00
Gary Palmer
6ddbf1e299 Clean up various compiler warnings. Most (if not all) were benign
Reviewed by:	bde
1996-05-08 04:29:08 +00:00
Poul-Henning Kamp
83606d2247 Several locations in sys/netinet/ip_fw.c are lacking or incorrectly
use spl() functions.

Reviewed by:	phk
Submitted by:	Alex Nash <alex@zen.nash.org>
1996-05-06 20:31:04 +00:00
Poul-Henning Kamp
23bf99538c Add feature for tcp "established".
Change interface between netinet and ip_fw to be more general, and thus
hopefully also support other ip filtering implementations.
1996-04-03 13:52:20 +00:00
Poul-Henning Kamp
ae2a1587f0 Fix wrong logic, certain rules never matched. 1996-02-26 15:28:15 +00:00
Poul-Henning Kamp
09bb5f7589 Make getsockopt() capable of handling more than one mbuf worth of data.
Use this to read rules out of ipfw.
Add the lkm code to ipfw.c
1996-02-24 13:38:28 +00:00
Poul-Henning Kamp
b83e431483 The new firewall functionality:
Filter on the direction (in/out).
	Filter on fragment/not fragment.
1996-02-24 00:17:35 +00:00
Poul-Henning Kamp
a2ebc3ee0f I overlooked this one. 1996-02-23 20:11:37 +00:00
Poul-Henning Kamp
e7319bab6b Big sweep over the IPFIREWALL and IPACCT code.
Close the ip-fragment hole.
Waste less memory.
Rewrite to contemporary more readable style.
Kill separate IPACCT facility, use "accept" rules in IPFIREWALL.
Filter incoming >and< outgoing packets.
Replace "policy" by sticky "deny all" rule.
Rules have numbers used for ordering and deletion.
Remove "rerorder" code entirely.
Count packet & bytecount matches for rules.

Code in -current & -stable is now the same.
1996-02-23 15:47:58 +00:00
Poul-Henning Kamp
821c204e91 Make the sorting of IPFW rules an option. You don't want it to sort them.
>>>WARNING<<<  you may have to revisit your firewall setup.
1996-02-03 11:48:12 +00:00
Bruce Evans
ce7609a49c Completed function declarations and/or added prototypes. 1995-12-02 19:38:06 +00:00
Poul-Henning Kamp
0312fbe97d New style sysctl & staticize alot of stuff. 1995-11-14 20:34:56 +00:00
Poul-Henning Kamp
a98ca4699e Second batch of cleanup changes.
This time mostly making a lot of things static and some unused
variables here and there.
1995-10-29 15:33:36 +00:00
Ugen J.S. Antsilevich
7934237885 Support all the tcpflag options in firewall.
Add reading options from file, now ipfw <filename> will
read commands string after string from file , form of strings
same as command line interface.
1995-10-23 03:58:06 +00:00
Ugen J.S. Antsilevich
37afa1e829 Well..finally..this is the first part..it should take care of
matching IP options..Check and test this - i made only a couple
of rough tests and this could be buggy.. Ipaccounting can't use
IP Options (and i don't see any need to cound packets with specific
options either..)
More to come...
1995-10-01 21:52:50 +00:00
Gary Palmer
7d4aa0825d Try to make the `syn' blocking code act a bit more sensibly - don't
block `syn' packets that have `ack' set.
Reviewed by:
Submitted by:
Obtained from:
1995-07-31 13:58:35 +00:00
David Greenman
f70b105004 Added $Id$. 1995-07-23 05:36:31 +00:00
David Greenman
c6e8c3576e Fixed panic that occurs on certain firewall rejected packets that was
caused by dtom() being used on an mbuf cluster. The fix involves passing
around the mbuf pointer.

Submitted by:	Bill Fenner
1995-07-09 14:29:46 +00:00
David Greenman
09270166bb This is the end result of about a dozen passes through this code to fix
incorrect indents, a variety of poor coding practices such as comparing
pointers to constants ('0'), poor code structuring, etc, etc. This brings
the code up to the minimum standards for inclusion in FreeBSD.
1995-07-04 05:39:03 +00:00
David Greenman
ed64321cec Define TRUE and FALSE. 1995-07-04 05:29:30 +00:00
David Greenman
7e9367a410 1) Removed bogus #include
2) Rewrote "bad_packet" code to be less buggy and more readable.
3) Removed a pile of goto's; the code is now somewhat less reminiscent
   of a certain Italian pasta.
4) Changed all boolean returns of "0" and "1" to FALSE/TRUE.
1995-07-04 03:35:20 +00:00
Gary Palmer
06cf932bcb Add a missing `goto' statement so that this compiles yet again. 1995-06-28 13:22:36 +00:00
Guido van Rooij
a0aa52a646 reject option in ip_fw used to panic the system. This fixes it.
-Guido
Reviewed by:
Submitted by:
Obtained from:
1995-06-27 17:26:27 +00:00
Rodney W. Grimes
9b2e535452 Remove trailing whitespace. 1995-05-30 08:16:23 +00:00