Commit Graph

224 Commits

Author SHA1 Message Date
cjc
dd7bfe512b Lock the sysctl(8) knobs that turn ip{,6}fw(8) firewalling and
firewall logging on and off when at elevated securelevel(8). It would
be nice to be able to only lock these at securelevel >= 3, like rules
are, but there is no such functionality at present. I don't see reason
to be adding features to securelevel(8) with MAC being merged into 5.0.

PR:		kern/39396
Reviewed by:	luigi
MFC after:	1 week
2002-08-25 03:50:29 +00:00
ume
a37394066b check packet length before fetching ESP crypto checksum.
Obtained from:	KAME
MFC after:	2 days
2002-08-24 04:48:13 +00:00
archie
7a233d4c9f Replace (ab)uses of "NULL" where "0" is really meant. 2002-08-22 21:24:01 +00:00
mike
9e6f796b0d o Merge <machine/ansi.h> and <machine/types.h> into a new header
called <machine/_types.h>.
o <machine/ansi.h> will continue to live so it can define MD clock
  macros, which are only MD because of gratuitous differences between
  architectures.
o Change all headers to make use of this.  This mainly involves
  changing:
    #ifdef _BSD_FOO_T_
    typedef	_BSD_FOO_T_	foo_t;
    #undef _BSD_FOO_T_
    #endif
  to:
    #ifndef _FOO_T_DECLARED
    typedef	__foo_t	foo_t;
    #define	_FOO_T_DECLARED
    #endif

Concept by:	bde
Reviewed by:	jake, obrien
2002-08-21 16:20:02 +00:00
truckman
7199888e8f Create new functions in_sockaddr(), in6_sockaddr(), and
in6_v4mapsin6_sockaddr() which allocate the appropriate sockaddr_in*
structure and initialize it with the address and port information passed
as arguments.  Use calls to these new functions to replace code that is
replicated multiple times in in_setsockaddr(), in_setpeeraddr(),
in6_setsockaddr(), in6_setpeeraddr(), in6_mapped_sockaddr(), and
in6_mapped_peeraddr().  Inline COMMON_END in tcp_usr_accept() so that
we can call in_sockaddr() with temporary copies of the address and port
after the PCB is unlocked.

Fix the lock violation in tcp6_usr_accept() (caused by calling MALLOC()
inside in6_mapped_peeraddr() while the PCB is locked) by changing
the implementation of tcp6_usr_accept() to match tcp_usr_accept().

Reviewed by:	suz
2002-08-21 11:57:12 +00:00
jmallett
af73db292e Enclose IPv6 addresses in brackets when they are displayed printable with a
TCP/UDP port seperated by a colon.  This is for the log_in_vain facility.

Pointed out by:	Edward J. M. Brocklesby
Reviewed by:	ume
MFC after:	2 weeks
2002-08-19 19:47:13 +00:00
sobomax
f6cebc0606 Increase size of ifnet.if_flags from 16 bits (short) to 32 bits (int). To avoid
breaking application ABI use unused ifreq.ifru_flags[1] for upper 16 bits in
SIOCSIFFLAGS and SIOCGIFFLAGS ioctl's.

Reviewed by:	-hackers, -net
2002-08-18 07:05:00 +00:00
rwatson
1bd16d78e2 Introduce support for Mandatory Access Control and extensible
kernel access control.

When generating nd6 output on an interface, label the packet
appropriately.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-08-02 20:49:14 +00:00
ume
39f0e5c176 correct comment for setsockopt arg size.
Reported by:	Martin Laabs <martin@martin.erfurt.thur.de>
Obtained from:	KAME
MFC after:	1 week
2002-07-25 20:40:09 +00:00
ume
e96d7f2205 cleanup usage of ip6_mapped_addr_on and ip6_v6only. now,
ip6_mapped_addr_on is unified into ip6_v6only.

MFC after:	1 week
2002-07-25 17:40:45 +00:00
ume
afcf651cf8 Change the default setting of an IPv4-mapped IPv6 address to off.
Requested by:	many people
2002-07-25 15:44:01 +00:00
ume
ed0d6e9ce4 make sure to set/unset INP_IPV4 according to a value
of IN6P_IPV6_V6ONLY

Reviewed by:	Keiichi SHIMA <keiichi@iij.ad.jp>
2002-07-24 19:19:53 +00:00
ume
cd3f29ae66 do not refer to IN6P_BINDV6ONLY anymore.
Obtained from:	KAME
MFC after:	1 week
2002-07-22 15:51:02 +00:00
ume
881112a66c sin6_len is not an address family. I believe this doesn't
break compatibility with POSIX.1-2001.
2002-07-22 15:13:55 +00:00
ume
68bf681e90 fixed to make mbuf chain.
Obtained from:	KAME
MFC after:	1 week
2002-07-18 04:18:56 +00:00
ume
fd0b2bb03e - fixed a bug that we can't send a packet to ipv4mapped ipv6 address
using a udp6 socket without bind(2)ing.
- fbsd4/430 reported from the FreeBSD team.
- this fix is different from the fix reported in the above PR.  i think
  this better, but we need some test.

Obtained from:	KAME
MFC after:	3 weeks
2002-07-15 19:25:46 +00:00
hsu
abda76de0b Notify functions can destroy the pcb, so they have to return an
indication of whether this happenned so the calling function
knows whether or not to unlock the pcb.

Submitted by:	Jennifer Yang (yangjihui@yahoo.com)
Bug reported by:  Sid Carter (sidcarter@symonds.net)
2002-06-14 08:35:21 +00:00
hsu
561391ed94 As a stop-gap measure, add one INP_LOCK_DESTROY() to in6_pcbdetach() to
get kernel compiled with INET6 to boot.
2002-06-12 06:01:22 +00:00
hsu
cd25d4648f Lock up inpcb.
Submitted by:	Jennifer Yang <yangjihui@yahoo.com>
2002-06-10 20:05:46 +00:00
ume
21239aacf9 __FreeBSD__ is not a compiler constant. We must use
__FreeBSD_version here.

Submitted by:	rwatson
2002-05-31 17:56:45 +00:00
tanimura
e6fa9b9e92 Back out my lats commit of locking down a socket, it conflicts with hsu's work.
Requested by:	hsu
2002-05-31 11:52:35 +00:00
mike
b0b9b58ef8 o Conditionalize sections for POSIX.1-2001 compatibility.
o Use POSIX spelling for types, where possible.
o Define size_t in the __BSD_VISIBLE case (this isn't really needed
  for standards conformance, but follows the tradition of not
  requiring <sys/types.h> as a prerequisite).
o Use _BYTE_ORDER and friends instead of BYTE_ORDER and friends, since
  there may not be enough pollution in order for the latter to work.
o Add an XXX note about the missing IPPROTO_IPV6 macro.
2002-05-23 18:48:27 +00:00
tanimura
92d8381dd5 Lock down a socket, milestone 1.
o Add a mutex (sb_mtx) to struct sockbuf. This protects the data in a
  socket buffer. The mutex in the receive buffer also protects the data
  in struct socket.

o Determine the lock strategy for each members in struct socket.

o Lock down the following members:

  - so_count
  - so_options
  - so_linger
  - so_state

o Remove *_locked() socket APIs.  Make the following socket APIs
  touching the members above now require a locked socket:

 - sodisconnect()
 - soisconnected()
 - soisconnecting()
 - soisdisconnected()
 - soisdisconnecting()
 - sofree()
 - soref()
 - sorele()
 - sorwakeup()
 - sotryfree()
 - sowakeup()
 - sowwakeup()

Reviewed by:	alfred
2002-05-20 05:41:09 +00:00
ume
231bd65333 Recent zlib does not like Z_FLUSH at the end of inflate().
Reported by:	quak@mydiax.ch
Obtained from:	KAME
MFC after:	2 days
		and approved by re
2002-05-12 14:12:30 +00:00
ume
0dc033806b Revised MLD-related definitions
- Used mld_xxx and MLD_xxx instead of mld6_xxx and MLD6_xxx according
  to the official defintions in rfc2292bis
  (macro definitions for backward compatibility were provided)
- Changed the first member of mld_hdr{} from mld_hdr to mld_icmp6_hdr
  to avoid name space conflict in C++

This change makes ports/net/pchar compilable again under -CURRENT.

Obtained from:	KAME
2002-05-06 16:28:25 +00:00
tanimura
89ec521d91 Revert the change of #includes in sys/filedesc.h and sys/socketvar.h.
Requested by:	bde

Since locking sigio_lock is usually followed by calling pgsigio(),
move the declaration of sigio_lock and the definitions of SIGIO_*() to
sys/signalvar.h.

While I am here, sort include files alphabetically, where possible.
2002-04-30 01:54:54 +00:00
ume
d2b734fd1e Correct timer management (deprecated) in nd6_timer.
Obtained from:	KAME
MFC after:	3 days
2002-04-24 19:09:48 +00:00
suz
553226e8e1 just merged cosmetic changes from KAME to ease sync between KAME and FreeBSD.
(based on freebsd4-snap-20020128)

Reviewed by:	ume
MFC after:	1 week
2002-04-19 04:46:24 +00:00
mike
4100d7ad0f Unconditionalize the definition of INET_ADDRSTRLEN and
INET6_ADDRSTRLEN.  Doing this helps expose bogus redefinitions in 3rd
party software.
2002-04-10 11:59:02 +00:00
mdodd
ec999f8323 Use <net/fddi.h> rather than <netinet/if_fddi.h>. 2002-04-06 03:21:46 +00:00
jhb
db9aa81e23 Change callers of mtx_init() to pass in an appropriate lock type name. In
most cases NULL is passed, but in some cases such as network driver locks
(which use the MTX_NETWORK_LOCK macro) and UMA zone locks, a name is used.

Tested on:	i386, alpha, sparc64
2002-04-04 21:03:38 +00:00
jhb
dc2e474f79 Change the suser() API to take advantage of td_ucred as well as do a
general cleanup of the API.  The entire API now consists of two functions
similar to the pre-KSE API.  The suser() function takes a thread pointer
as its only argument.  The td_ucred member of this thread must be valid
so the only valid thread pointers are curthread and a few kernel threads
such as thread0.  The suser_cred() function takes a pointer to a struct
ucred as its first argument and an integer flag as its second argument.
The flag is currently only used for the PRISON_ROOT flag.

Discussed on:	smp@
2002-04-01 21:31:13 +00:00
ume
4d5783c847 In nd6_lookup(), check if rt_llinfo is non-NULL to avoid returning an
entry that has the LLINFO flag but is not a neighbor cache entry.

Obtained from:	KAME
MFC after:	1 week
2002-04-01 15:15:05 +00:00
ume
1787e9ff8d Fix cached route problem.
Submitted by:	Keiichi SHIMA <keiichi@iij.ad.jp> (KAME)
Reviewed by:	JINMEI Tatuya <jinmei@isl.rdc.toshiba.co.jp> (KAME)
MFC after:	1 week
2002-03-29 15:42:44 +00:00
ume
3154e5831a double m_free() - not critical. from niklas@openbsd
Obtained from:	KAME
MFC after:	1 week
2002-03-29 05:14:58 +00:00
ume
31c9c349f8 Corrected arguments to key_allocsa called from
{esp6, ah6}_ctlinput.  Previous ones were uninitialized
auto variables, which were completely bogus.

Obtained from:	KAME
MFC after:	1 week
2002-03-25 10:46:24 +00:00
ume
37ae60983d 3rd arg to bcmp() was wrong. From: David Wang <dsw@juniper.net>
Obtained from:	KAME
MFC after:	1 week
2002-03-25 10:12:51 +00:00
jeff
3a6f53adc7 Remove references to vm_zone.h and switch over to the new uma API. 2002-03-20 08:03:54 +00:00
peter
5a70574f9c Pacify gcc-3.1. 2002-03-19 23:26:37 +00:00
alfred
f7f2a5dc47 Remove duplicate extern declarations to silence warnings. 2002-03-19 19:45:41 +00:00
darrenr
e8d1f239b7 put an extern for ip6_protox in here where it is only used for kernel compiling 2002-03-19 15:01:21 +00:00
darrenr
5d8547e590 put an extern for inet6sw in here and make it active only for kernel compiling 2002-03-19 14:56:59 +00:00
mike
b9910027dd o Add INET_ADDRSTRLEN and INET6_ADDRSTRLEN defines to <arpa/inet.h>
for POSIX.1-2001 conformance.
o Add magic to <netinet/in.h> and <netinet6/in6.h> to prevent
  redefining INET_ADDRSTRLEN and INET6_ADDRSTRLEN.
o Add a note about missing typedefs in <arpa/inet.h>.
2002-03-10 06:42:27 +00:00
ume
981ea9e4ae - use des_ecb3_encrypt().
- style: added spaces after /* and before */

Obtained from:	KAME
MFC after:	2 weeks
2002-03-05 21:12:41 +00:00
ume
e0782fc24b Oops, now, encription and decription are separate function.
MFC after:	2 weeks
2002-03-05 20:32:49 +00:00
ume
92361f6aad - Speedup 3DES by using assembly code for i386.
- Sync des/blowfish to more recent openssl.

Obtained from:	KAME/NetBSD
MFC after:	2 weeks
2002-03-05 09:19:02 +00:00
ume
7bf004382f - In nd6_rtrequest(), ignored a route when it is created by cloning and
is not a neighbor.  see comments for the detailed reason.

- Rejected the process of nd6_rtrequest() when the request is RESOLVE and
the interface does not need neighbor caches.

Obtained from:	KAME
MFC After:	1 week
2002-02-28 17:05:46 +00:00
peter
dfc212c6f1 Fix another boatload of warnings (missing include) and a cosmetic
-Wuninitialized warning.
2002-02-28 00:14:04 +00:00
dd
c8a6bd9922 Introduce a version field to `struct xucred' in place of one of the
spares (the size of the field was changed from u_short to u_int to
reflect what it really ends up being).  Accordingly, change users of
xucred to set and check this field as appropriate.  In the kernel,
this is being done inside the new cru2x() routine which takes a
`struct ucred' and fills out a `struct xucred' according to the
former.  This also has the pleasant sideaffect of removing some
duplicate code.

Reviewed by:	rwatson
2002-02-27 04:45:37 +00:00
alfred
9da4687481 Fix warnings caused by discarding const.
Hairy Eyeball At: peter
2002-02-27 02:44:45 +00:00