Commit Graph

582 Commits

Author SHA1 Message Date
Bruce Evans
9105bb4680 Fixed overflow and sign extension bugs in
`len = min(so->so_snd.sb_cc, win) - off;'.  min() has type u_int
and `off' has type int, so when min() is 0 and `off' is 1, the RHS
overflows to 0U - 1 = UINT_MAX.  `len' has type long, so when
sizeof(long) == sizeof(int), the LHS normally overflows to to the
correct value of -1, but when sizeof(long) > sizeof(int), the LHS
is UINT_MAX.

Fixed some u_long's that should have been fixed-sized types.
1998-07-13 11:53:59 +00:00
Bruce Evans
07a4df4fee Declare tcp_seq and tcp_cc as fixed-size types. Half fixed type
mismatches exposed by this (the prototype for tcp_respond() didn't
match the  function definition lexically, and still depends on a
gcc feature to match if ints have more than 32 bits).
1998-07-13 11:09:52 +00:00
Bruce Evans
99c819ef77 Declare id_mask as a fixed-size type. 1998-07-13 11:01:03 +00:00
Bruce Evans
e53040ef71 Declare n_short, n_long and n_time as fixed-sized types. Don't ifdef
n_long or n_short specially for alphas.
1998-07-13 10:54:24 +00:00
David Greenman
0af8d3ec72 When not acting as a router (ipforwarding=0), silently discard source
routed packets that aren't destined for us, as required by RFC-1122.
PR: 7191
1998-07-08 08:49:51 +00:00
Julian Elischer
3a1ae084e2 oops ended comment before the comment ended.. 1998-07-06 09:10:56 +00:00
Julian Elischer
efe39c6a1a Bring back some slight cleanups from 2.2 1998-07-06 09:06:58 +00:00
Julian Elischer
1f7e052c16 Don't expect the new code to be used without the right option file being
included.
1998-07-06 05:04:33 +00:00
Julian Elischer
d4295c3248 Fix braino in switching to TAILQ macro. 1998-07-06 05:00:53 +00:00
Julian Elischer
f9e354df42 Support for IPFW based transparent forwarding.
Any packet that can be matched by a ipfw rule can be redirected
transparently to another port or machine. Redirection to another port
mostly makes sense with tcp, where a session can be set up
between a proxy and an unsuspecting client. Redirection to another machine
requires that the other machine also be expecting to receive the forwarded
packets, as their headers will not have been modified.

/sbin/ipfw must be recompiled!!!

Reviewed by:	Peter Wemm <peter@freebsd.org>
Submitted by: Chrisy Luke <chrisy@flix.net>
1998-07-06 03:20:19 +00:00
Julian Elischer
7d82bea53d Remove out of date comment. 1998-07-02 06:31:25 +00:00
Julian Elischer
b3adeeb209 Remove the option to keep IPFW diversion backwards compatible
WRT diversion reinjection. No-one has been bitten by the new behaviour
that I know of.
1998-07-02 05:49:12 +00:00
Poul-Henning Kamp
5fa7f62e66 Byte count statistics of multicast vifs are invalid.
The problem is caused by a wrong endianess in the sum.

PR:		7115
Submitted by:	Joao Carlos Mendes Luis <jonny@jonny.eng.br>
1998-06-30 10:56:31 +00:00
John Hay
a910fdcb88 Only make struct xtcpcb visable if _NETINET_IN_PCB_H_ and _SYS_SOCKETVAR_H_
are defined.
Reviewed by:	bde
1998-06-27 07:30:45 +00:00
Brian Somers
0579bd7175 Add CUSEEME support. This has *not* been tested, nor
could I find anyone to test it, so please report any
problems to me.
1998-06-24 06:58:00 +00:00
Bruce Evans
e5b19842ef Removed unused includes. 1998-06-21 14:53:44 +00:00
Peter Wemm
6054307b92 Merge ipfilter 3.2.3 -> 3.2.7 changes onto mainline. 1998-06-20 18:37:51 +00:00
Peter Wemm
122221ad20 This commit was generated by cvs2svn to compensate for changes in r37071,
which included commits to RCS files with non-trunk default branches.
1998-06-20 18:18:05 +00:00
Peter Wemm
aeee047f95 Import ipfilter 3.2.7 kernel components 1998-06-20 18:18:05 +00:00
Julian Elischer
2b8a366cf8 fix another typo 1998-06-15 00:35:47 +00:00
Julian Elischer
201c2527a9 Try narrow down the culprit sending undefined packet types through the loopback 1998-06-14 20:58:17 +00:00
Julian Elischer
6b1214b0fc Remove 3 occurances of __FUNCTION__ 1998-06-12 20:03:26 +00:00
Julian Elischer
ed7509ace4 Go through the loopback code with a broom..
Remove lots'o'hacks.
looutput is now static.

Other callers who want to use loopback to allow shortcutting
should call the special entrypoint for this, if_simloop(), which is
specifically designed for this purpose. Using looutput for this purpose
was problematic, particularly with bpf and trying to keep track
of whether one should be using the charateristics of the loopback interface
or the interface (e.g. if_ethersubr.c) that was requesting the loopback.
There was a whole class of errors due to this mis-use each of which had
hacks to cover them up.

Consists largly of hack removal :-)
1998-06-12 03:48:19 +00:00
Julian Elischer
0cab75363d include opt_ipdivert.h so we get correct options 1998-06-12 02:48:47 +00:00
Julian Elischer
bab04eb816 Allow diverted packets from the transmit side to remember if they
had a recv interface and allow that state to be available
after re-injection for further tests.
1998-06-12 01:54:29 +00:00
Brian Somers
dfcb634be3 Quieten gcc 2.8.1 1998-06-10 00:26:19 +00:00
Bruce Evans
a09bee1aa8 Fixed pedantic semantics errors (bitfields not of type int, signed int
or unsigned int (this doesn't change the struct layout, size or
alignment in any of the files changed in this commit, at least for
gcc on i386's.  Using bitfields of type u_char may affect size and
alignment but not packing)).
1998-06-08 09:47:47 +00:00
Bruce Evans
42ef2606c3 ip_fil.h has 9 separate declarations of iplioctl() in a disgusting
ifdef tangle.  The previous commit to ip_fil.h didn't change the
one that actually applies to the current FreeBSD kernel, of course.
Fixed.

Fixed style bugs in previous commit to ip_fil.h.
1998-06-08 06:04:12 +00:00
Doug Rabson
ecbb00a262 This commit fixes various 64bit portability problems required for
FreeBSD/alpha.  The most significant item is to change the command
argument to ioctl functions from int to u_long.  This change brings us
inline with various other BSD versions.  Driver writers may like to
use (__FreeBSD_version == 300003) to detect this change.

The prototype FreeBSD/alpha machdep will follow in a couple of days
time.
1998-06-07 17:13:14 +00:00
Bruce Evans
57d05a62d1 Fixed pedantic semantics errors (bitfields not of type int, signed int
or unsigned int).
1998-06-07 12:00:13 +00:00
Brian Somers
b5ce85fe32 Don't call PunchFWHole() ifdef NO_FW_PUNCH
Pointed out by: "Steve Sims" <SimsS@IBM.Net>
1998-06-06 21:52:37 +00:00
Julian Elischer
b876049334 Make sure the default value of a dummy variable is 0
so that it doesn't do anything.
1998-06-06 21:49:17 +00:00
Julian Elischer
3ed81d03b3 Fix wrong data type for a pointer. 1998-06-06 20:45:28 +00:00
Julian Elischer
c977d4c735 clean up the changes made to ipfw over the last weeks
(should make the ipfw lkm work again)
1998-06-06 19:39:10 +00:00
Joseph Koshy
9c727d2ca9 Spelling corrections.
PR: 6868
Submitted by: Josh Gilliam <josh@quick.net>
1998-06-06 05:50:53 +00:00
Julian Elischer
c2a239ebc7 Reviewed by: Kirk Mckusick (mckusick@mckusick.com)
Submitted by:	luoqi Chen
fix a type in fsck.
(also add a comment that got picked up by mistake but is worth adding)
1998-06-05 23:33:26 +00:00
Julian Elischer
e256a933a8 Reverse the default sense of the IPFW/DIVERT reinjection code
so that the new behaviour is now default.
Solves the "infinite loop in diversion" problem when more than one diversion
is active.
Man page changes follow.

The new code is in -stable as the NON default option.
1998-06-05 22:40:01 +00:00
Peter Wemm
04a3fd1276 Let the sowwakeup macro decide when to call sowakeup rather than have
tcp "know" about it.  A pending upcall would be missed, eg: used by NFS.

Obtained from: NetBSD
1998-05-31 18:42:49 +00:00
David Greenman
d311884fb6 Fixed logic in the test to drop ICMP echo and timestamp packets when
net.inet.ip.icmp.bmcastecho = 0 by removing the extra check for the
address being a multicast address. The test now relies on the link
layer flags that indicate it was received via multicast. The previous
logic was broken and replied to ICMP echo/timestamp broadcasts even
when the sysctl option disallowed them.
Reviewed by:	wollman
1998-05-26 11:34:30 +00:00
Julian Elischer
bb60f459a0 Add optional code to change the way that divert and ipfw work together.
Prior to this change, Accidental recursion protection was done by
the diverted daemon feeding back the divert port number it got
the packet on, as the port number on a sendto(). IPFW knew not to
redivert a packet to this port (again). Processing of the ruleset
started at the beginning again, skipping that divert port.

The new semantic (which is how we should have done it the first time)
is that the port number in the sendto() is the rule number AFTER which
processing should restart, and on a recvfrom(), the port number is the
rule number which caused the diversion. This is much more flexible,
and also more intuitive. If the user uses the same sockaddr received
when resending, processing resumes at the rule number following that
that caused the diversion. The user can however select to resume rule
processing at any rule. (0 is restart at the beginning)

To enable the new code use

option	IPFW_DIVERT_RESTART

This should become the default as soon as people have looked at it a bit
1998-05-25 10:37:48 +00:00
Julian Elischer
436c7212e6 Hide the interface name in the sin_zero section of the sockaddr_in
passed to the user process for incoming packets. When the sockaddr_in
is passed back to the divert socket later, use thi sas the primary
interface lookup and only revert to the IP address when the name fails.
This solves a long standing bug with divert sockets:
When two interfaces had the same address (P2P for example) the interface
"assigned" to the reinjected packet was sometimes incorect.
Probably we should define a "sockaddr_div" to officially hold this
extended information in teh same manner as sockaddr_dl.
1998-05-25 08:44:31 +00:00
Julian Elischer
25e75fb320 Take the user's "IGNORE_DIVERT" argument from where the user put it
and not from the PCB which HAPPENS to contain the same number most
of the time, but not always.
1998-05-25 07:41:23 +00:00
Bill Fenner
a04884fcbe Take IP options into account when calculating the allowable length
of the TCP payload.  See RFC1122 section 4.2.2.6 .  This allows
Path MTU discovery to be used along with IP options.

PR:		problem discovered by Kevin Lahey <kml@nas.nasa.gov>
1998-05-24 18:41:04 +00:00
David Greenman
b8e8c209c5 The ipt_ptr field is 1-based (see TCP/IP Illustrated, Vol. 1, pp. 91-95),
so it must be adjusted (minus 1) before using it to do the length check.
I'm not sure who to give the credit to, but the bug was reported by
Jennifer Dawn Myers <jdm@enteract.com>, who also supplied a patch. It
was also fixed in OpenBSD previously by andreas.gunnarsson@emw.ericsson.se,
and of course I did the homework to verify that the fix was correct per
the specification.
PR:	6738
1998-05-24 14:59:57 +00:00
Atsushi Murai
fb9cd36d0d Primary verison of NetBIOS over TCP/IP. Now you can connect Windows
DOMAIN as DOMAIN user through NAT function. See also RFC1002 for
futher detail of SMB structure.

Submitted by:	Atsushi Murai <amurai@spec.co.jp>
1998-05-24 03:03:10 +00:00
Poul-Henning Kamp
245086a062 Get more details on the "arpresolve: can't allocate llinfo" bogon.
PR:		2570
Reviewed by:	phk
Submitted by:	fenner
1998-05-23 08:03:40 +00:00
John Polstra
677c9dd6f3 Fix a typo-bug in ipflow_reap that could cause a NULL pointer
dereference.  I have also sent this fix to Matt Thomas.
1998-05-19 17:47:11 +00:00
Pierre Beyssac
4c711e6d04 Move (private) struct ipflow out of ip_var.h, to reduce dependencies
(for ipfw for example) on internal implementation details.
Add $Id$ where missing.
1998-05-19 15:53:50 +00:00
David Greenman
cc3205c24d Moved #define of IPFLOW_HASHBITS to ip_flow.c where I think it belongs. 1998-05-19 14:19:03 +00:00
David Greenman
1f91d8c563 Added fast IP forwarding code by Matt Thomas <matt@3am-software.com> via
NetBSD, ported to FreeBSD by Pierre Beyssac <pb@fasterix.freenix.org> and
minorly tweaked by me.
This is a standard part of FreeBSD, but must be enabled with:
"sysctl -w net.inet.ip.fastforwarding=1" ...and of course forwarding must
also be enabled. This should probably be modified to use the zone
allocator for speed and space efficiency. The current algorithm also
appears to lose if the number of active paths exceeds IPFLOW_MAX (256),
in which case it wastes lots of time trying to figure out which cache
entry to drop.
1998-05-19 14:04:36 +00:00