Commit Graph

966 Commits

Author SHA1 Message Date
billf
541dc0d9da Fix screwup in previous commit. 2000-09-12 02:38:05 +00:00
archie
51e519827f Don't do snd_nxt rollback optimization (rev. 1.46) for SYN packets.
It causes a panic when/if snd_una is incremented elsewhere (this
is a conservative change, because originally no rollback occurred
for any packets at all).

Submitted by:	Vivek Sadananda Pai <vivek@imimic.com>
2000-09-11 19:11:33 +00:00
alfred
f80149566d Forget to include sysctl.h
Submitted by: des
2000-09-09 18:47:46 +00:00
alfred
baac93215b Accept filter maintainance
Update copyrights.

Introduce a new sysctl node:
  net.inet.accf

Although acceptfilters need refcounting to be properly (safely) unloaded
as a temporary hack allow them to be unloaded if the sysctl
net.inet.accf.unloadable is set, this is really for developers who want
to work on thier own filters.

A near complete re-write of the accf_http filter:
  1) Parse check if the request is HTTP/1.0 or HTTP/1.1 if not dump
     to the application.
     Because of the performance implications of this there is a sysctl
     'net.inet.accf.http.parsehttpversion' that when set to non-zero
     parses the HTTP version.
     The default is to parse the version.
  2) Check if a socket has filled and dump to the listener
  3) optimize the way that mbuf boundries are handled using some voodoo
  4) even though you'd expect accept filters to only be used on TCP
     connections that don't use m_nextpkt I've fixed the accept filter
     for socket connections that use this.

This rewrite of accf_http should allow someone to use them and maintain
full HTTP compliance as long as net.inet.accf.http.parsehttpversion is
set.
2000-09-06 18:49:13 +00:00
billf
b1549fa803 1. IP_FW_F_{UID,GID} are _not_ commands, they are extras. The sanity checking
for them does not belong in the IP_FW_F_COMMAND switch, that mask doesn't even
apply to them(!).

2. You cannot add a uid/gid rule to something that isn't TCP, UDP, or IP.

XXX - this should be handled in ipfw(8) as well (for more diagnostic output),
but this at least protects bogus rules from being added.

Pointy hat:	green
2000-09-06 03:10:42 +00:00
ru
c183e5be0a Match IPPROTO_ICMP with IP protocol field of the original IP
datagram embedded into ICMP error message, not with protocol
field of ICMP message itself (which is always IPPROTO_ICMP).

Pointed by:	Erik Salander <erik@whistle.com>
2000-09-01 16:38:53 +00:00
ru
326b00612b Fixed broken ICMP error generation, unified conversion of IP header
fields between host and network byte order.  The details:

o icmp_error() now does not add IP header length.  This fixes the problem
  when icmp_error() is called from ip_forward().  In this case the ip_len
  of the original IP datagram returned with ICMP error was wrong.

o icmp_error() expects all three fields, ip_len, ip_id and ip_off in host
  byte order, so DTRT and convert these fields back to network byte order
  before sending a message.  This fixes the problem described in PR 16240
  and PR 20877 (ip_id field was returned in host byte order).

o ip_ttl decrement operation in ip_forward() was moved down to make sure
  that it does not corrupt the copy of original IP datagram passed later
  to icmp_error().

o A copy of original IP datagram in ip_forward() was made a read-write,
  independent copy.  This fixes the problem I first reported to Garrett
  Wollman and Bill Fenner and later put in audit trail of PR 16240:
  ip_output() (not always) converts fields of original datagram to network
  byte order, but because copy (mcopy) and its original (m) most likely
  share the same mbuf cluster, ip_output()'s manipulations on original
  also corrupted the copy.

o ip_output() now expects all three fields, ip_len, ip_off and (what is
  significant) ip_id in host byte order.  It was a headache for years that
  ip_id was handled differently.  The only compatibility issue here is the
  raw IP socket interface with IP_HDRINCL socket option set and a non-zero
  ip_id field, but ip.4 manual page was unclear on whether in this case
  ip_id field should be in host or network byte order.
2000-09-01 12:33:03 +00:00
ru
3e30fdbd5a Changed the way we handle outgoing ICMP error messages -- do
not alias `ip_src' unless it comes from the host an original
datagram that triggered this error message was destined for.

PR:		20712
Reviewed by:	brian, Charles Mott <cmott@scientech.com>
2000-09-01 09:32:44 +00:00
ru
e01f2b2835 Grab ADJUST_CHECKSUM() macro from alias_local.h. 2000-08-31 12:54:55 +00:00
ru
5feb1713fe Create aliasing links for incoming ICMP echo/timestamp requests.
This makes outgoing ICMP echo/timestamp replies to be de-aliased
with the right source IP, not exactly the primary aliasing IP.
2000-08-31 12:47:57 +00:00
ru
789ebca13b Fixed the bug that div_bind() always returned zero
even if there was an error (broken in rev 1.9).
2000-08-30 14:43:02 +00:00
ru
8088e79630 Backout the hack in rev 1.71, I am working on a better patch
that should cover almost all inconsistencies in ICMP error
generation.
2000-08-30 08:28:06 +00:00
ache
58751a777a strtok -> strsep (no strtok allowed in libraries)
add unsigned char cast to ctype macro
2000-08-29 21:34:55 +00:00
darrenr
0290d697a8 Apply appropriate patch.
PR:		20877
Submitted by:	Frank Volf (volf@oasis.IAEhv.nl)
2000-08-29 10:41:55 +00:00
archie
2fcdc74c0a Remove obsolete comment. 2000-08-22 00:32:52 +00:00
bde
e326bfd05c Fixed a missing splx() in if_addmulti(). Was broken in rev.1.28. 2000-08-19 22:10:10 +00:00
itojun
7059b1cfa8 repair endianness issue in IN_MULTICAST().
again, *BSD difference...

From: Nick Sayer <nsayer@quack.kfu.com>
2000-08-15 07:34:08 +00:00
ru
5d654e2338 Fixed PunchFW code segmentation violation bug.
Reported by:	Christian Schade <chris@cube.sax.de>
2000-08-14 15:24:47 +00:00
ru
e8f5de8393 Use queue(3) LIST_* macros for doubly-linked lists. 2000-08-14 14:18:16 +00:00
darrenr
24d61c1ea6 resolve conflicts 2000-08-13 04:31:06 +00:00
ru
e064241011 - Do not modify Peer's Call ID in outgoing Incoming-Call-Connected
PPTP control messages.

- Cosmetics: replace `GRE link' with `PPTP link'.

Reviewed by:	Erik Salander <erik@whistle.com>
2000-08-09 11:25:44 +00:00
ru
12eac35afe Adjust TCP checksum rather than compute it afresh.
Submitted by:	Erik Salander <erik@whistle.com>
2000-08-07 09:51:04 +00:00
archie
be99417f31 Improve performance in the case where ip_output() returns an error.
When this happens, we know for sure that the packet data was not
received by the peer. Therefore, back out any advancing of the
transmit sequence number so that we send the same data the next
time we transmit a packet, avoiding a guaranteed missed packet and
its resulting TCP transmit slowdown.

In most systems ip_output() probably never returns an error, and
so this problem is never seen. However, it is more likely to occur
with device drivers having short output queues (causing ENOBUFS to
be returned when they are full), not to mention low memory situations.

Moreover, because of this problem writers of slow devices were
required to make an unfortunate choice between (a) having a relatively
short output queue (with low latency but low TCP bandwidth because
of this problem) or (b) a long output queue (with high latency and
high TCP bandwidth). In my particular application (ISDN) it took
an output queue equal to ~5 seconds of transmission to avoid ENOBUFS.
A more reasonable output queue of 0.5 seconds resulted in only about
50% TCP throughput. With this patch full throughput was restored in
the latter case.

Reviewed by:	freebsd-net
2000-08-03 23:23:36 +00:00
ru
50604c7621 Make netstat(1) to be aware of divert(4) sockets. 2000-08-03 14:09:52 +00:00
roberto
aab96ffa41 Change __FreeBSD_Version into the proper __FreeBSD_version.
Submitted by:	Alain.Thivillon@hsc.fr (Alain Thivillon) (for ip_fil.c)
2000-08-01 17:14:38 +00:00
ache
16cb133f9b Add missing '0' to FreeBSD_version test: 50011 -> 500011 2000-08-01 00:04:24 +00:00
ache
31d77bcfb1 Nonexistent <sys/pfil.h> -> <net/pfil.h>
Kernel 'make depend' fails otherwise
2000-07-31 23:41:47 +00:00
sheldonh
c07b9583c6 Whitespace only:
Fix an overlong line and trailing whitespace that crept in, in the
previous commit.
2000-07-31 13:49:21 +00:00
darrenr
d18ce92d58 activate pfil_hooks and covert ipfilter to use it 2000-07-31 13:11:42 +00:00
archie
ce3ae491d0 Add address translation support for RTSP/RTP used by RealPlayer and
Quicktime streaming media applications.

Add a BUGS section to the man page.

Submitted by:	Erik Salander <erik@whistle.com>
2000-07-26 23:15:46 +00:00
jayanth
8c2fae5374 When a connection is being dropped due to a listen queue overflow,
delete the cloned route that is associated with the connection.
This does not exhaust the routing table memory when the system
is under a SYN flood attack. The route entry is not deleted if there
is any prior information cached in it.

Reviewed by: Peter Wemm,asmodai
2000-07-21 23:26:37 +00:00
darrenr
9f3624548b fix conflicts 2000-07-19 14:02:09 +00:00
sheldonh
ad4d3ab768 Fix a comment which was broken in rev 1.36.
PR:		19947
Submitted by:	Tetsuya Isaki <isaki@net.ipc.hiroshima-u.ac.jp>
2000-07-18 16:43:29 +00:00
luigi
a44e53d698 close PR 19544 - ipfw pipe delete causes panic when no pipes defined
PR: 19544
2000-07-17 20:03:27 +00:00
dwmalone
7fa1d09d5f Extra sanity check when arp proxyall is enabled. Don't send an arp
reply if the requesting machine isn't on the interface we believe
it should be. Prevents arp wars when you plug cables in the wrong
way around.

PR:		9848
Submitted by:	Ian Dowse <iedowse@maths.tcd.ie>
Not objected to by:	wollman
2000-07-13 19:31:01 +00:00
jayanth
f7e133ab0b re-enable the tcp newreno code. 2000-07-12 22:00:46 +00:00
itojun
a0611dac11 remove m_pulldown statistics, which is highly experimental and does not
belong to *bsd-merged tree
2000-07-12 16:39:13 +00:00
itojun
56bc1eab2d be more cautious about tcp option length field. drop bogus ones earlier.
not sure if there is a real threat or not, but it seems that there's
possibility for overrun/underrun (like non-NOP option with optlen > cnt).
2000-07-09 13:01:59 +00:00
itojun
5f4e854de1 sync with kame tree as of july00. tons of bug fixes/improvements.
API changes:
- additional IPv6 ioctls
- IPsec PF_KEY API was changed, it is mandatory to upgrade setkey(8).
  (also syntax change)
2000-07-04 16:35:15 +00:00
phk
e5de271d47 Previous commit changing SYSCTL_HANDLER_ARGS violated KNF.
Pointed out by:	bde
2000-07-04 11:25:35 +00:00
phk
61ff05be25 Style police catches up with rev 1.26 of src/sys/sys/sysctl.h:
Sanitize SYSCTL_HANDLER_ARGS so that simplistic tools can grog our
sources:

        -sysctl_vm_zone SYSCTL_HANDLER_ARGS
        +sysctl_vm_zone (SYSCTL_HANDLER_ARGS)
2000-07-03 09:35:31 +00:00
ru
268f00dee9 Fixed PunchFWHole():
- ipfw always rejected rule with `neither in nor out' diagnostics.
- number of src/dst ports was not set properly.
2000-06-27 14:56:07 +00:00
ru
6031a74ba6 - Removed PacketAliasPptp() API function.
- SHLIB_MAJOR++.
2000-06-20 13:07:52 +00:00
ru
ee3c5d1c8d Added true support for PPTP aliasing. Some nice features include:
- Multiple PPTP clients behind NAT to the same or different servers.

- Single PPTP server behind NAT -- you just need to redirect TCP
  port 1723 to a local machine.  Multiple servers behind NAT is
  possible but would require a simple API change.

- No API changes!

For more information on how this works see comments at the start of
the alias_pptp.c.

PacketAliasPptp() is no longer necessary and will be removed soon.

Submitted by:	Erik Salander <erik@whistle.com>
Reviewed by:	ru
Rewritten by:	ru
Reviewed by:	Erik Salander <erik@whistle.com>
2000-06-20 11:41:48 +00:00
alfred
e3e72a583b return of the accept filter part II
accept filters are now loadable as well as able to be compiled into
the kernel.

two accept filters are provided, one that returns sockets when data
arrives the other when an http request is completed (doesn't work
with 0.9 requests)

Reviewed by: jmg
2000-06-20 01:09:23 +00:00
ru
610da3502a - Improved passive mode FTP support by aliasing 229 replies.
- Stricter checking of PORT/EPRT/227/229 messages format.
- Moved all security checks into one place.
2000-06-16 20:36:16 +00:00
ru
3fa18b8916 - Added support for passive mode FTP by aliasing 227 replies.
It does mean that it is now possible to run passive-mode FTP
  server behind NAT.

- SECURITY: FTP aliasing engine now ensures that:
  o the segment preceding a PORT/227 segment terminates with a \r\n;
  o the IP address in the PORT/227 matches the source IP address of
    the packet;
  o the port number in the PORT command or 277 reply is greater than
    or equal to 1024.

Submitted by:	Erik Salander <erik@whistle.com>
Reviewed by:	ru
2000-06-14 16:09:35 +00:00
luigi
021d03f5bf Fix behaviour of "ipfw pipe show" -- previous code gave
ambiguous data to the userland program (kernel operation was
safe, anyways).
2000-06-14 10:07:22 +00:00
dan
c3897dad80 Add tcpoptions to ipfw. This works much in the same way as ipoptions do.
It also squashes 99% of packet kiddie synflood orgies.  For example, to
rate syn packets without MSS,

ipfw pipe 10 config 56Kbit/s queue 10Packets
ipfw add pipe 10 tcp from any to any in setup tcpoptions !mss

Submitted by:  Richard A. Steenbergen <ras@e-gerbil.net>
2000-06-08 15:34:51 +00:00
luigi
e2bccbe2b7 Implement WF2Q+ in dummynet. 2000-06-08 09:45:23 +00:00