Commit Graph

591 Commits

Author SHA1 Message Date
dfr
fc4cb2cea6 Use explicitly sized types when digging through packet headers.
Reviewed by: Julian Elischer <julian@whistle.com>
1998-08-03 17:23:37 +00:00
peter
0fadf3df6c Fix a compile error if IPFIREWALL_FORWARD active without IPDIVERT. 1998-08-01 08:44:33 +00:00
kjc
bd9e5f5f5b update ATM driver. (base version: midway.c 1.67 --> 1.68)
several new features are added:
	- support vc/vp shaping
	- support pvc shadow interface

code cleanup:
	- remove WMAYBE related code.  ENI WMAYBE DMA doen't work.
	- remove updating if_lastchange for every packet.
	- BPF related code is moved to midway.c as it should be.
	  (bpfwrite should work if atm_pseudohdr and LLC/SNAP are
	  prepended.)
	- BPF link type is changed to DLT_ATM_RFC1483.
	  BPF now understands only LLC/SNAP!! (because bpf can't
	  handle variable link header length.)
	  It is recommended to use LLC/SNAP instead of NULL
	  encapsulation for various reasons.  (BPF, IPv6,
	  interoperability, etc.)

the code has been used for months in ALTQ and KAME IPv6.

OKed by phk long time ago.
1998-07-29 05:35:16 +00:00
alex
22c2ae2a77 Don't log ICMP type and subtype for non-zero offset packet fragments. 1998-07-18 23:27:15 +00:00
bde
b157e42b40 Removed a bogus forward struct declaration.
Cleaned up ifdefs.
1998-07-13 12:20:07 +00:00
bde
012bf0d7ba Fixed some longs that should have been fixed-sized types. 1998-07-13 12:12:25 +00:00
bde
d16ff5c400 Fixed overflow and sign extension bugs in
`len = min(so->so_snd.sb_cc, win) - off;'.  min() has type u_int
and `off' has type int, so when min() is 0 and `off' is 1, the RHS
overflows to 0U - 1 = UINT_MAX.  `len' has type long, so when
sizeof(long) == sizeof(int), the LHS normally overflows to to the
correct value of -1, but when sizeof(long) > sizeof(int), the LHS
is UINT_MAX.

Fixed some u_long's that should have been fixed-sized types.
1998-07-13 11:53:59 +00:00
bde
b384a06abb Declare tcp_seq and tcp_cc as fixed-size types. Half fixed type
mismatches exposed by this (the prototype for tcp_respond() didn't
match the  function definition lexically, and still depends on a
gcc feature to match if ints have more than 32 bits).
1998-07-13 11:09:52 +00:00
bde
853889649e Declare id_mask as a fixed-size type. 1998-07-13 11:01:03 +00:00
bde
cffdc1edb6 Declare n_short, n_long and n_time as fixed-sized types. Don't ifdef
n_long or n_short specially for alphas.
1998-07-13 10:54:24 +00:00
dg
ea18dd7105 When not acting as a router (ipforwarding=0), silently discard source
routed packets that aren't destined for us, as required by RFC-1122.
PR: 7191
1998-07-08 08:49:51 +00:00
julian
1c2b90ea31 oops ended comment before the comment ended.. 1998-07-06 09:10:56 +00:00
julian
8f07ff9316 Bring back some slight cleanups from 2.2 1998-07-06 09:06:58 +00:00
julian
3b5d08a30e Don't expect the new code to be used without the right option file being
included.
1998-07-06 05:04:33 +00:00
julian
d2e04c552c Fix braino in switching to TAILQ macro. 1998-07-06 05:00:53 +00:00
julian
22a5d80812 Support for IPFW based transparent forwarding.
Any packet that can be matched by a ipfw rule can be redirected
transparently to another port or machine. Redirection to another port
mostly makes sense with tcp, where a session can be set up
between a proxy and an unsuspecting client. Redirection to another machine
requires that the other machine also be expecting to receive the forwarded
packets, as their headers will not have been modified.

/sbin/ipfw must be recompiled!!!

Reviewed by:	Peter Wemm <peter@freebsd.org>
Submitted by: Chrisy Luke <chrisy@flix.net>
1998-07-06 03:20:19 +00:00
julian
0985b04caf Remove out of date comment. 1998-07-02 06:31:25 +00:00
julian
8286a7feb0 Remove the option to keep IPFW diversion backwards compatible
WRT diversion reinjection. No-one has been bitten by the new behaviour
that I know of.
1998-07-02 05:49:12 +00:00
phk
cdd3d49d95 Byte count statistics of multicast vifs are invalid.
The problem is caused by a wrong endianess in the sum.

PR:		7115
Submitted by:	Joao Carlos Mendes Luis <jonny@jonny.eng.br>
1998-06-30 10:56:31 +00:00
jhay
2922de5ede Only make struct xtcpcb visable if _NETINET_IN_PCB_H_ and _SYS_SOCKETVAR_H_
are defined.
Reviewed by:	bde
1998-06-27 07:30:45 +00:00
brian
5ed7f2c4ee Add CUSEEME support. This has *not* been tested, nor
could I find anyone to test it, so please report any
problems to me.
1998-06-24 06:58:00 +00:00
bde
403bdcb97b Removed unused includes. 1998-06-21 14:53:44 +00:00
peter
595e4ae373 Merge ipfilter 3.2.3 -> 3.2.7 changes onto mainline. 1998-06-20 18:37:51 +00:00
peter
dc2ce9cb96 This commit was generated by cvs2svn to compensate for changes in r37071,
which included commits to RCS files with non-trunk default branches.
1998-06-20 18:18:05 +00:00
peter
91edc33c5d Import ipfilter 3.2.7 kernel components 1998-06-20 18:18:05 +00:00
julian
fadb1f2352 fix another typo 1998-06-15 00:35:47 +00:00
julian
7e20c7add6 Try narrow down the culprit sending undefined packet types through the loopback 1998-06-14 20:58:17 +00:00
julian
fd91ad6629 Remove 3 occurances of __FUNCTION__ 1998-06-12 20:03:26 +00:00
julian
1ee51dd89f Go through the loopback code with a broom..
Remove lots'o'hacks.
looutput is now static.

Other callers who want to use loopback to allow shortcutting
should call the special entrypoint for this, if_simloop(), which is
specifically designed for this purpose. Using looutput for this purpose
was problematic, particularly with bpf and trying to keep track
of whether one should be using the charateristics of the loopback interface
or the interface (e.g. if_ethersubr.c) that was requesting the loopback.
There was a whole class of errors due to this mis-use each of which had
hacks to cover them up.

Consists largly of hack removal :-)
1998-06-12 03:48:19 +00:00
julian
eaeb937aa0 include opt_ipdivert.h so we get correct options 1998-06-12 02:48:47 +00:00
julian
7fe2cc176d Allow diverted packets from the transmit side to remember if they
had a recv interface and allow that state to be available
after re-injection for further tests.
1998-06-12 01:54:29 +00:00
brian
4ff4152e09 Quieten gcc 2.8.1 1998-06-10 00:26:19 +00:00
bde
566ee5c323 Fixed pedantic semantics errors (bitfields not of type int, signed int
or unsigned int (this doesn't change the struct layout, size or
alignment in any of the files changed in this commit, at least for
gcc on i386's.  Using bitfields of type u_char may affect size and
alignment but not packing)).
1998-06-08 09:47:47 +00:00
bde
0801d7c827 ip_fil.h has 9 separate declarations of iplioctl() in a disgusting
ifdef tangle.  The previous commit to ip_fil.h didn't change the
one that actually applies to the current FreeBSD kernel, of course.
Fixed.

Fixed style bugs in previous commit to ip_fil.h.
1998-06-08 06:04:12 +00:00
dfr
1d5f38ac22 This commit fixes various 64bit portability problems required for
FreeBSD/alpha.  The most significant item is to change the command
argument to ioctl functions from int to u_long.  This change brings us
inline with various other BSD versions.  Driver writers may like to
use (__FreeBSD_version == 300003) to detect this change.

The prototype FreeBSD/alpha machdep will follow in a couple of days
time.
1998-06-07 17:13:14 +00:00
bde
5b773a9c2c Fixed pedantic semantics errors (bitfields not of type int, signed int
or unsigned int).
1998-06-07 12:00:13 +00:00
brian
e56ba1efb9 Don't call PunchFWHole() ifdef NO_FW_PUNCH
Pointed out by: "Steve Sims" <SimsS@IBM.Net>
1998-06-06 21:52:37 +00:00
julian
4f3d4b5dd9 Make sure the default value of a dummy variable is 0
so that it doesn't do anything.
1998-06-06 21:49:17 +00:00
julian
30cc111a0f Fix wrong data type for a pointer. 1998-06-06 20:45:28 +00:00
julian
2cda12b561 clean up the changes made to ipfw over the last weeks
(should make the ipfw lkm work again)
1998-06-06 19:39:10 +00:00
jkoshy
0d7d76d982 Spelling corrections.
PR: 6868
Submitted by: Josh Gilliam <josh@quick.net>
1998-06-06 05:50:53 +00:00
julian
54743b71f3 Reviewed by: Kirk Mckusick (mckusick@mckusick.com)
Submitted by:	luoqi Chen
fix a type in fsck.
(also add a comment that got picked up by mistake but is worth adding)
1998-06-05 23:33:26 +00:00
julian
f7a6c64461 Reverse the default sense of the IPFW/DIVERT reinjection code
so that the new behaviour is now default.
Solves the "infinite loop in diversion" problem when more than one diversion
is active.
Man page changes follow.

The new code is in -stable as the NON default option.
1998-06-05 22:40:01 +00:00
peter
10677f7b5c Let the sowwakeup macro decide when to call sowakeup rather than have
tcp "know" about it.  A pending upcall would be missed, eg: used by NFS.

Obtained from: NetBSD
1998-05-31 18:42:49 +00:00
dg
e3df194a9f Fixed logic in the test to drop ICMP echo and timestamp packets when
net.inet.ip.icmp.bmcastecho = 0 by removing the extra check for the
address being a multicast address. The test now relies on the link
layer flags that indicate it was received via multicast. The previous
logic was broken and replied to ICMP echo/timestamp broadcasts even
when the sysctl option disallowed them.
Reviewed by:	wollman
1998-05-26 11:34:30 +00:00
julian
8c304384d0 Add optional code to change the way that divert and ipfw work together.
Prior to this change, Accidental recursion protection was done by
the diverted daemon feeding back the divert port number it got
the packet on, as the port number on a sendto(). IPFW knew not to
redivert a packet to this port (again). Processing of the ruleset
started at the beginning again, skipping that divert port.

The new semantic (which is how we should have done it the first time)
is that the port number in the sendto() is the rule number AFTER which
processing should restart, and on a recvfrom(), the port number is the
rule number which caused the diversion. This is much more flexible,
and also more intuitive. If the user uses the same sockaddr received
when resending, processing resumes at the rule number following that
that caused the diversion. The user can however select to resume rule
processing at any rule. (0 is restart at the beginning)

To enable the new code use

option	IPFW_DIVERT_RESTART

This should become the default as soon as people have looked at it a bit
1998-05-25 10:37:48 +00:00
julian
33ee3bc8fe Hide the interface name in the sin_zero section of the sockaddr_in
passed to the user process for incoming packets. When the sockaddr_in
is passed back to the divert socket later, use thi sas the primary
interface lookup and only revert to the IP address when the name fails.
This solves a long standing bug with divert sockets:
When two interfaces had the same address (P2P for example) the interface
"assigned" to the reinjected packet was sometimes incorect.
Probably we should define a "sockaddr_div" to officially hold this
extended information in teh same manner as sockaddr_dl.
1998-05-25 08:44:31 +00:00
julian
32d9589026 Take the user's "IGNORE_DIVERT" argument from where the user put it
and not from the PCB which HAPPENS to contain the same number most
of the time, but not always.
1998-05-25 07:41:23 +00:00
fenner
5aeeaf27d8 Take IP options into account when calculating the allowable length
of the TCP payload.  See RFC1122 section 4.2.2.6 .  This allows
Path MTU discovery to be used along with IP options.

PR:		problem discovered by Kevin Lahey <kml@nas.nasa.gov>
1998-05-24 18:41:04 +00:00
dg
1b7405b955 The ipt_ptr field is 1-based (see TCP/IP Illustrated, Vol. 1, pp. 91-95),
so it must be adjusted (minus 1) before using it to do the length check.
I'm not sure who to give the credit to, but the bug was reported by
Jennifer Dawn Myers <jdm@enteract.com>, who also supplied a patch. It
was also fixed in OpenBSD previously by andreas.gunnarsson@emw.ericsson.se,
and of course I did the homework to verify that the fix was correct per
the specification.
PR:	6738
1998-05-24 14:59:57 +00:00