Commit Graph

1279 Commits

Author SHA1 Message Date
jlemon
dd84ad82bf When iterating over our list of interface addresses in order to determine
if an arriving packet belongs to us, also check that the packet arrived
through the correct interface.  Skip this check if the packet was locally
generated.
2001-02-27 19:43:14 +00:00
billf
7a0c52088d The TCP header-specific section suffered a little bit of bitrot recently:
When we recieve a fragmented TCP packet (other than the first) we can't
extract header information (we don't have state to reference). In a rather
unelegant fashion we just move on and assume a non-match.

Recent additions to the TCP header-specific section of the code neglected
to add the logic to the fragment code so in those cases the match was
assumed to be positive and those parts of the rule (which should have
resulted in a non-match/continue) were instead skipped (which means
the processing of the rule continued even though it had already not
matched).

Fault can be spread out over Rich Steenbergen (tcpoptions) and myself
(tcp{seq,ack,win}).

rwatson sent me a patch that got me thinking about this whole situation
(but what I'm committing / this description is mine so don't blame him).
2001-02-27 10:20:44 +00:00
jlemon
825b685ed9 Use more aggressive retransmit timeouts for the initial SYN packet.
As we currently drop the connection after 4 retransmits + 2 ICMP errors,
this allows initial connection attempts to be dropped much faster.
2001-02-26 21:33:55 +00:00
jlemon
8260da124e Remove in_pcbnotify and use in_pcblookup_hash to find the cb directly.
For TCP, verify that the sequence number in the ICMP packet falls within
the tcp receive window before performing any actions indicated by the
icmp packet.

Clean up some layering violations (access to tcp internals from in_pcb)
2001-02-26 21:19:47 +00:00
asmodai
c5bcdc4848 Remove struct full_tcpiphdr{}.
This piece of code has not been referenced since it was put there
in 1995.  Also done a codebased search on popular networking libraries
and third-party applications.  This is an orphan.

Reviewed by:	jesper
2001-02-26 20:10:16 +00:00
asmodai
0a64ce36e0 Remove conditionals for vax support.
People who care much about this are welcomed to try 2.11BSD. :)

Noticed by:	luigi
Reviewed by:	jesper
2001-02-26 20:05:32 +00:00
jesper
c2e4de2602 Remove tcp_drop_all_states, which is unneeded after jlemon removed it
from tcp_subr.c in rev 1.92
2001-02-25 17:20:19 +00:00
jlemon
3b8f8e9938 Do not delay a new ack if there already is a delayed ack pending on the
connection, but send it immediately.  Prior to this change, it was possible
to delay a delayed-ack for multiple times, resulting in degraded TCP
behavior in certain corner cases.
2001-02-25 15:17:24 +00:00
jlemon
fde6b04ed5 When converting soft error into a hard error, drop the connection. The
error will be passed up to the user, who will close the connection, so
it does not appear to make a sense to leave the connection open.

This also fixes a bug with kqueue, where the filter does not set EOF
on the connection, because the connection is still open.

Also remove calls to so{rw}wakeup, as we aren't doing anything with
them at the moment anyway.

Reviewed by: alfred, jesper
2001-02-23 21:07:06 +00:00
jlemon
ee6eb4ed42 Allow ICMP unreachables which map into PRC_UNREACH_ADMIN_PROHIB to
reset TCP connections which are in the SYN_SENT state, if the sequence
number in the echoed ICMP reply is correct.  This behavior can be
controlled by the sysctl net.inet.tcp.icmp_may_rst.

Currently, only subtypes 2,3,10,11,12 are treated as such
(port, protocol and administrative unreachables).

Assocaiate an error code with these resets which is reported to the
user application: ENETRESET.

Disallow resetting TCP sessions which are not in a SYN_SENT state.

Reviewed by: jesper, -net
2001-02-23 20:51:46 +00:00
jesper
65fa889a56 Redo the security update done in rev 1.54 of src/sys/netinet/tcp_subr.c
and 1.84 of src/sys/netinet/udp_usrreq.c

The changes broken down:

- remove 0 as a wildcard for addresses and port numbers in
  src/sys/netinet/in_pcb.c:in_pcbnotify()
- add src/sys/netinet/in_pcb.c:in_pcbnotifyall() used to notify
  all sessions with the specific remote address.
- change
  - src/sys/netinet/udp_usrreq.c:udp_ctlinput()
  - src/sys/netinet/tcp_subr.c:tcp_ctlinput()
  to use in_pcbnotifyall() to notify multiple sessions, instead of
  using in_pcbnotify() with 0 as src address and as port numbers.
- remove check for src port == 0 in
  - src/sys/netinet/tcp_subr.c:tcp_ctlinput()
  - src/sys/netinet/udp_usrreq.c:udp_ctlinput()
  as they are no longer needed.
- move handling of redirects and host dead from in_pcbnotify() to
  udp_ctlinput() and tcp_ctlinput(), so they will call
  in_pcbnotifyall() to notify all sessions with the specific
  remote address.

Approved by:	jlemon
Inspired by:    NetBSD
2001-02-22 21:23:45 +00:00
jesper
65c79ba639 Backout change in 1.153, as it violate rfc1122 section 3.2.1.3.
Requested by:	jlemon,ru
2001-02-21 16:59:47 +00:00
rwatson
ab5676fc87 o Move per-process jail pointer (p->pr_prison) to inside of the subject
credential structure, ucred (cr->cr_prison).
o Allow jail inheritence to be a function of credential inheritence.
o Abstract prison structure reference counting behind pr_hold() and
  pr_free(), invoked by the similarly named credential reference
  management functions, removing this code from per-ABI fork/exit code.
o Modify various jail() functions to use struct ucred arguments instead
  of struct proc arguments.
o Introduce jailed() function to determine if a credential is jailed,
  rather than directly checking pointers all over the place.
o Convert PRISON_CHECK() macro to prison_check() function.
o Move jail() function prototypes to jail.h.
o Emulate the P_JAILED flag in fill_kinfo_proc() and no longer set the
  flag in the process flags field itself.
o Eliminate that "const" qualifier from suser/p_can/etc to reflect
  mutex use.

Notes:

o Some further cleanup of the linux/jail code is still required.
o It's now possible to consider resolving some of the process vs
  credential based permission checking confusion in the socket code.
o Mutex protection of struct prison is still not present, and is
  required to protect the reference count plus some fields in the
  structure.

Reviewed by:	freebsd-arch
Obtained from:	TrustedBSD Project
2001-02-21 06:39:57 +00:00
jesper
7a1cf4a126 Only call in_pcbnotify if the src port number != 0, as we
treat 0 as a wildcard in src/sys/in_pbc.c:in_pcbnotify()

It's sufficient to check for src|local port, as we'll have no
sessions with src|local port == 0

Without this a attacker sending ICMP messages, where the attached
IP header (+ 8 bytes) has the address and port numbers == 0, would
have the ICMP message applied to all sessions.

PR:		kern/25195
Submitted by:	originally by jesper, reimplimented by jlemon's advice
Reviewed by:	jlemon
Approved by:	jlemon
2001-02-20 23:25:04 +00:00
jesper
066acfda78 Send a ICMP unreachable instead of dropping the packet silent, if we
receive a packet not for us, and forwarding disabled.

PR:		kern/24512
Reviewed by:	jlemon
Approved by:	jlemon
2001-02-20 21:31:47 +00:00
jesper
36f802a12c Remove unneeded loop increment in src/sys/netinet/in_pcb.c:in_pcbnotify
Forgotten by phk, when committing fix in kern/23986

PR:		kern/23986
Reviewed by:	phk
Approved by:	phk
2001-02-20 21:11:29 +00:00
green
18d474781f Switch to using a struct xucred instead of a struct xucred when not
actually in the kernel.  This structure is a different size than
what is currently in -CURRENT, but should hopefully be the last time
any application breakage is caused there.  As soon as any major
inconveniences are removed, the definition of the in-kernel struct
ucred should be conditionalized upon defined(_KERNEL).

This also changes struct export_args to remove dependency on the
constantly-changing struct ucred, as well as limiting the bounds
of the size fields to the correct size.  This means: a) mountd and
friends won't break all the time, b) mountd and friends won't crash
the kernel all the time if they don't know what they're doing wrt
actual struct export_args layout.

Reviewed by:	bde
2001-02-18 13:30:20 +00:00
phk
e33961c592 Remove unneeded loop increment in src/sys/netinet/in_pcb.c:in_pcbnotify
Add new PRC_UNREACH_ADMIN_PROHIB in sys/sys/protosw.h

Remove condition on TCP in src/sys/netinet/ip_icmp.c:icmp_input

In src/sys/netinet/ip_icmp.c:icmp_input set code = PRC_UNREACH_ADMIN_PROHIB
or PRC_UNREACH_HOST for all unreachables except ICMP_UNREACH_NEEDFRAG

Rename sysctl icmp_admin_prohib_like_rst to icmp_unreach_like_rst
to reflect the fact that we also react on ICMP unreachables that
are not administrative prohibited.  Also update the comments to
reflect this.

In sys/netinet/tcp_subr.c:tcp_ctlinput add code to treat
PRC_UNREACH_ADMIN_PROHIB and PRC_UNREACH_HOST different.

PR:		23986
Submitted by:	Jesper Skriver <jesper@skriver.dk>
2001-02-18 09:34:55 +00:00
luigi
e8bf28f429 remove unused data structure definition, and corresponding macro into*() 2001-02-18 07:10:03 +00:00
jlemon
d8f8e6f368 Clean up warning. 2001-02-15 22:32:06 +00:00
asmodai
ec09e340ce Add definitions for IPPROTO numbers 55-57. 2001-02-14 13:51:20 +00:00
phk
be4fee4a9b Introduce a new feature in IPFW: Check of the source or destination
address is configured on a interface.  This is useful for routers with
dynamic interfaces.  It is now possible to say:

        0100 allow       tcp from any to any established
        0200 skipto 1000 tcp from any to any
        0300 allow       ip from any to any
        1000 allow       tcp from 1.2.3.4 to me 22
        1010 deny        tcp from any to me 22
        1020 allow       tcp from any to any

and not have to worry about the behaviour if dynamic interfaces configure
new IP numbers later on.

The check is semi expensive (traverses the interface address list)
so it should be protected as in the above example if high performance
is a requirement.
2001-02-13 14:12:37 +00:00
bmilekic
0f9088da56 Clean up RST ratelimiting. Previously, ratelimiting occured before tests
were performed to determine if the received packet should be reset. This
created erroneous ratelimiting and false alarms in some cases. The code
has now been reorganized so that the checks for validity come before
the call to badport_bandlim. Additionally, a few changes in the symbolic
names of the bandlim types have been made, as well as a clarification of
exactly which type each RST case falls under.

Submitted by: Mike Silbersack <silby@silby.com>
2001-02-11 07:39:51 +00:00
luigi
bc66105b1d Sync with the bridge/dummynet/ipfw code already tested in stable.
In ip_fw.[ch] change a couple of variable and field names to
avoid having types, variables and fields with the same name.
2001-02-10 00:10:18 +00:00
asmodai
2f1d3e2cdf Fix typo: seperate -> separate.
Seperate does not exist in the english language.
2001-02-06 11:21:58 +00:00
phk
d214ae2171 Convert if_multiaddrs from LIST to TAILQ so that it can be traversed
backwards in the three drivers which want to do that.

Reviewed by:    mikeh
2001-02-06 10:12:15 +00:00
julian
b617346dc6 Fix bad patch from a few days ago. It broke some bridging. 2001-02-05 21:25:27 +00:00
phk
709379c1ae Another round of the <sys/queue.h> FOREACH transmogriffer.
Created with:   sed(1)
Reviewed by:    md5(1)
2001-02-04 16:08:18 +00:00
darrenr
c4fdb153ac fix duplicate rcsid 2001-02-04 15:25:15 +00:00
darrenr
48b4ca8e6a fix conflicts 2001-02-04 14:26:56 +00:00
phk
e87f7a15ad Mechanical change to use <sys/queue.h> macro API instead of
fondling implementation details.

Created with: sed(1)
Reviewed by: md5(1)
2001-02-04 13:13:25 +00:00
phk
f3b4fbe35f Use <sys/queue.h> macro API. 2001-02-04 12:37:48 +00:00
julian
da7b413f65 Make the code act the same in the case of BRIDGE being defined, but not
turned on, and the case of it not being defined at all.
i.e. Disabling bridging re-enables some of the checks it disables.

Submitted by: "Rogier R. Mulhuijzen" <drwilco@drwilco.net>
2001-02-03 17:25:21 +00:00
jlemon
8d293e58ce When turning off TCP_NOPUSH, call tcp_output to immediately flush
out any data pending in the buffer.

Submitted by: Tony Finch <dot@dotat.at>
2001-02-02 18:48:25 +00:00
luigi
afaf9310f9 MFS: bridge/ipfw/dummynet fixes (bridge.c will be committed separately) 2001-02-02 00:18:00 +00:00
brian
2509160a79 Add a few ``const''s to silence some -Wwrite-strings warnings 2001-01-29 11:44:13 +00:00
brian
5728ea1f1d Ignore leading witespace in the string given to PacketAliasProxyRule(). 2001-01-29 00:30:01 +00:00
luigi
2ce587262d Make sure we do not follow an invalid pointer in ipfw_report
when we get an incomplete packet or m_pullup fails.
2001-01-27 02:31:08 +00:00
luigi
3366175318 Minor cleanups after yesterday's patch.
The code (bridging and dummynet) actually worked fine!
2001-01-26 19:43:54 +00:00
luigi
8a9237833e Bring dummynet in line with the code that now works in -STABLE.
It compiles, but I cannot test functionality yet.
2001-01-26 06:49:34 +00:00
luigi
08392d8bb0 Pass up errors returned by dummynet. The same should be done with
divert.
2001-01-25 02:06:38 +00:00
wollman
08d0e8d96f Correct a comment. 2001-01-24 16:25:36 +00:00
wes
eeda0df2a3 When attempting to bind to an ephemeral port, if no such port is
available, the error return should be EADDRNOTAVAIL rather than
EAGAIN.

PR:		14181
Submitted by:	Dima Dorfman <dima@unixfreak.org>
Reviewed by:	Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
2001-01-23 07:27:56 +00:00
luigi
2d9565a950 Change critical section protection for dummynet from splnet() to
splimp() -- we need it because dummynet can be invoked by the
bridging code at splimp().

This should cure the pipe "stalls" that several people have been
reporting on -stable while using bridging+dummynet (the problem
would not affect routers using dummynet).
2001-01-22 23:04:13 +00:00
des
b3c27aaaf7 First step towards an MP-safe zone allocator:
- have zalloc() and zfree() always lock the vm_zone.
 - remove zalloci() and zfreei(), which are now redundant.

Reviewed by:	bmilekic, jasone
2001-01-21 22:23:11 +00:00
luigi
02bffeb68b Document data structures and operation on dummynet so next time
I or someone else browse through this code I do not have a hard
time understanding what is going on.
2001-01-17 01:09:40 +00:00
luigi
e09ccfbadf Some dummynet patches that I forgot to commit last summer.
One of them fixes a potential panic when bridging is used and
you run out of mbufs (though i have no idea if the bug has
ever hit anyone).
2001-01-16 23:49:49 +00:00
bmilekic
4cc04a654f Prototype inet_ntoa_r and thereby silence a warning from GCC. The function
is prototyped immediately under inet_ntoa, which is also from libkern.
2001-01-12 07:47:53 +00:00
rwatson
0080a88967 o Minor style(9)ism to make consistent with -STABLE 2001-01-09 18:26:17 +00:00
rwatson
c4fb1f7419 o IPFW incorrectly handled filtering in the presence of previously
reserved and now allocated TCP flags in incoming packets.  This patch
  stops overloading those bits in the IP firewall rules, and moves
  colliding flags to a seperate field, ipflg.  The IPFW userland
  management tool, ipfw(8), is updated to reflect this change.  New TCP
  flags related to ECN are now included in tcp.h for reference, although
  we don't currently implement TCP+ECN.

o To use this fix without completely rebuilding, it is sufficient to copy
  ip_fw.h and tcp.h into your appropriate include directory, then rebuild
  the ipfw kernel module, and ipfw tool, and install both.  Note that a
  mismatch between module and userland tool will result in incorrect
  installation of firewall rules that may have unexpected effects.  This
  is an MFC candidate, following shakedown.  This bug does not appear
  to affect ipfilter.

Reviewed by:	security-officer, billf
Reported by:	Aragon Gouveia <aragon@phat.za.net>
2001-01-09 03:10:30 +00:00
alfred
e06f071f56 provide a sysctl 'net.link.ether.inet.log_arp_wrong_iface' to allow one
to supress logging when ARP replies arrive on the wrong interface:
 "/kernel: arp: 1.2.3.4 is on dc0 but got reply from 00:00:c5:79:d0:0c on dc1"

the default is to log just to give notice about possibly incorrectly
configured networks.
2001-01-06 00:45:08 +00:00
alfred
43233d1e5a Fix incorrect logic wouldn't disconnect incomming connections that had been
disconnected because they were not full.

Submitted by: David Filo
2001-01-03 19:50:23 +00:00
assar
9df0aaf2c1 include tcp header files to get the prototype for tcp_seq_vs_sess 2000-12-27 03:02:29 +00:00
phk
6bfb7240b8 Update the "icmp_admin_prohib_like_rst" code to check the tcp-window and
to be configurable with respect to acting only in SYN or in all TCP states.

PR:		23665
Submitted by:	Jesper Skriver <jesper@skriver.dk>
2000-12-24 10:57:21 +00:00
bmilekic
4b6a7bddad * Rename M_WAIT mbuf subsystem flag to M_TRYWAIT.
This is because calls with M_WAIT (now M_TRYWAIT) may not wait
  forever when nothing is available for allocation, and may end up
  returning NULL. Hopefully we now communicate more of the right thing
  to developers and make it very clear that it's necessary to check whether
  calls with M_(TRY)WAIT also resulted in a failed allocation.
  M_TRYWAIT basically means "try harder, block if necessary, but don't
  necessarily wait forever." The time spent blocking is tunable with
  the kern.ipc.mbuf_wait sysctl.
  M_WAIT is now deprecated but still defined for the next little while.

* Fix a typo in a comment in mbuf.h

* Fix some code that was actually passing the mbuf subsystem's M_WAIT to
  malloc(). Made it pass M_WAITOK instead. If we were ever to redefine the
  value of the M_WAIT flag, this could have became a big problem.
2000-12-21 21:44:31 +00:00
billf
d8586c3f20 Use getmicrotime() instead of microtime() when timestamping ICMP packets,
the former is quicker and accurate enough for use here.

Submitted by:	Jason Slagle <raistlin@toledolink.com> (on IRC)
Reviewed by:	phk
2000-12-16 21:39:48 +00:00
phk
7c7359c504 We currently does not react to ICMP administratively prohibited
messages send by routers when they deny our traffic, this causes
a timeout when trying to connect to TCP ports/services on a remote
host, which is blocked by routers or firewalls.

rfc1122 (Requirements for Internet Hosts) section 3.2.2.1 actually
requi re that we treat such a message for a TCP session, that we
treat it like if we had recieved a RST.

quote begin.

            A Destination Unreachable message that is received MUST be
            reported to the transport layer.  The transport layer SHOULD
            use the information appropriately; for example, see Sections
            4.1.3.3, 4.2.3.9, and 4.2.4 below.  A transport protocol
            that has its own mechanism for notifying the sender that a
            port is unreachable (e.g., TCP, which sends RST segments)
            MUST nevertheless accept an ICMP Port Unreachable for the
            same purpose.

quote end.

I've written a small extension that implement this, it also create
a sysctl "net.inet.tcp.icmp_admin_prohib_like_rst" to control if
this new behaviour is activated.

When it's activated (set to 1) we'll treat a ICMP administratively
prohibited message (icmp type 3 code 9, 10 and 13) for a TCP
sessions, as if we recived a TCP RST, but only if the TCP session
is in SYN_SENT state.

The reason for only reacting when in SYN_SENT state, is that this
will solve the problem, and at the same time minimize the risk of
this being abused.

I suggest that we enable this new behaviour by default, but it
would be a change of current behaviour, so if people prefer to
leave it disabled by default, at least for now, this would be ok
for me, the attached diff actually have the sysctl set to 0 by
default.

PR:		23086
Submitted by:	Jesper Skriver <jesper@skriver.dk>
2000-12-16 19:42:06 +00:00
bmilekic
e94f2430fb Change the following:
1.  ICMP ECHO and TSTAMP replies are now rate limited.
  2.  RSTs generated due to packets sent to open and unopen ports
      are now limited by seperate counters.
  3.  Each rate limiting queue now has its own description, as
      follows:

      Limiting icmp unreach response from 439 to 200 packets per second
      Limiting closed port RST response from 283 to 200 packets per second
      Limiting open port RST response from 18724 to 200 packets per second
      Limiting icmp ping response from 211 to 200 packets per second
      Limiting icmp tstamp response from 394 to 200 packets per second

Submitted by: Mike Silbersack <silby@silby.com>
2000-12-15 21:45:49 +00:00
dwmalone
dd75d1d73b Convert more malloc+bzero to malloc+M_ZERO.
Submitted by:	josh@zipperup.org
Submitted by:	Robert Drehmel <robd@gmx.net>
2000-12-08 21:51:06 +00:00
phk
c3f2ee9700 Staticize some malloc M_ instances. 2000-12-08 20:09:00 +00:00
jlemon
954e1d2ccd Lock down the network interface queues. The queue mutex must be obtained
before adding/removing packets from the queue.  Also, the if_obytes and
if_omcasts fields should only be manipulated under protection of the mutex.

IF_ENQUEUE, IF_PREPEND, and IF_DEQUEUE perform all necessary locking on
the queue.  An IF_LOCK macro is provided, as well as the old (mutex-less)
versions of the macros in the form _IF_ENQUEUE, _IF_QFULL, for code which
needs them, but their use is discouraged.

Two new macros are introduced: IF_DRAIN() to drain a queue, and IF_HANDOFF,
which takes care of locking/enqueue, and also statistics updating/start
if necessary.
2000-11-25 07:35:38 +00:00
jlemon
7f57729d27 Revert the last commit to the callout interface, and add a flag to
callout_init() indicating whether the callout is safe or not.  Update
the callers of callout_init() to reflect the new interface.

Okayed by: Jake
2000-11-25 06:22:16 +00:00
bmilekic
ebe3dfc2d8 Fixup (hopefully) bridging + ipfw + dummynet together...
* Some dummynet code incorrectly handled a malloc()-allocated pseudo-mbuf
  header structure, called "pkt," and could consequently pollute the mbuf
  free list if it was ever passed to m_freem(). The fix involved passing not
  pkt, but essentially pkt->m_next (which is a real mbuf) to the mbuf
  utility routines.

* Also, for dummynet, in bdg_forward(), made the code copy the ethernet header
  back into the mbuf (prepended) because the dummynet code that follows expects
  it to be there but it is, unfortunately for dummynet, passed to bdg_forward
  as a seperate argument.

PRs: kern/19551 ; misc/21534 ; kern/23010
Submitted by: Thomas Moestl <tmoestl@gmx.net>
Reviewed by: bmilekic
Approved by: luigi
2000-11-23 22:25:03 +00:00
ru
bcfcc24426 mdoc(7) police: use the new feature of the An macro. 2000-11-22 08:47:35 +00:00
bmilekic
22569f9f96 While I'm here, get rid of (now useless) MCLISREFERENCED and use MEXT_IS_REF
instead.
Also, fix a small set of "avail." If we're setting `avail,' we shouldn't
be re-checking whether m_flags is M_EXT, because we know that it is, as if
it wasn't, we would have already returned several lines above.

Reviewed by: jlemon
2000-11-11 23:05:59 +00:00
ru
989e1579f6 Fixed the security breach I introduced in rev 1.145.
Disallow getsockopt(IP_FW_ADD) if securelevel >= 3.

PR:		22600
2000-11-07 09:20:32 +00:00
jlemon
88c9bb192d tp->snd_recover is part of the New Reno recovery algorithm, and should
only be checked if the system is currently performing New Reno style
fast recovery.  However, this value was being checked regardless of the
NR state, with the end result being that the congestion window was never
opened.

Change the logic to check t_dupack instead; the only code path that
allows it to be nonzero at this point is NewReno, so if it is nonzero,
we are in fast recovery mode and should not touch the congestion window.

Tested by:	phk
2000-11-04 15:59:39 +00:00
ru
e238590f91 Fixed the bug I have introduced in icmp_error() in revision 1.44.
The amount of data we copy from the original IP datagram into the
ICMP message was computed incorrectly for IP packets with payload
less than 8 bytes.
2000-11-02 09:46:23 +00:00
ru
549eb5cb6b Wrong checksum may have been computed for certain UDP packets.
Reviewed by:	jlemon
2000-11-01 16:56:33 +00:00
ru
add1652da4 Wrong checksum used for certain reassembled IP packets before diverting. 2000-11-01 11:21:45 +00:00
joe
cfd1f32fed It's no longer true that "nobody uses ia beyond here"; it's now
used to keep address based if_data statistics in.

Submitted by:	ru
2000-11-01 01:59:28 +00:00
ru
d498e11914 Do not waste a time saving a copy of IP header if we are certainly
not going to send an ICMP error message (net.inet.udp.blackhole=1).
2000-10-31 09:13:02 +00:00
ru
e25226e0c4 Added boolean argument to link searching functions, indicating
whether they should create a link if lookup has failed or not.
2000-10-30 17:24:12 +00:00
ru
390de194cd A significant rewrite of PPTP aliasing code.
PPTP links are no longer dropped by simple (and inappropriate in this
case) "inactivity timeout" procedure, only when requested through the
control connection.

It is now possible to have multiple PPTP servers running behind NAT.
Just redirect the incoming TCP traffic to port 1723, everything else
is done transparently.

Problems were reported and the fix was tested by:
		Michael Adler <Michael.Adler@compaq.com>,
		David Andersen <dga@lcs.mit.edu>
2000-10-30 12:39:41 +00:00
phk
ff5cdfae2d Move suser() and suser_xxx() prototypes and a related #define from
<sys/proc.h> to <sys/systm.h>.

Correctly document the #includes needed in the manpage.

Add one now needed #include of <sys/systm.h>.
Remove the consequent 48 unused #includes of <sys/proc.h>.
2000-10-29 16:06:56 +00:00
phk
94a5006c9a Remove unneeded #include <sys/proc.h> lines. 2000-10-29 13:57:19 +00:00
darrenr
df59a7ec10 Fix conflicts creted by import. 2000-10-29 07:53:05 +00:00
joe
1ade5b1eab Count per-address statistics for IP fragments.
Requested by:	ru
Obtained from:	BSD/OS
2000-10-29 01:05:09 +00:00
obrien
1712fe1dbd Include sys/param.h for `__FreeBSD_version' rather than the non-existent
osreldate.h.

Submitted by:	dougb
2000-10-27 12:53:31 +00:00
phk
54ca48450c Convert all users of fldoff() to offsetof(). fldoff() is bad
because it only takes a struct tag which makes it impossible to
use unions, typedefs etc.

Define __offsetof() in <machine/ansi.h>

Define offsetof() in terms of __offsetof() in <stddef.h> and <sys/types.h>

Remove myriad of local offsetof() definitions.

Remove includes of <stddef.h> in kernel code.

NB: Kernelcode should *never* include from /usr/include !

Make <sys/queue.h> include <machine/ansi.h> to avoid polluting the API.

Deprecate <struct.h> with a warning.  The warning turns into an error on
01-12-2000 and the file gets removed entirely on 01-01-2001.

Paritials reviews by:   various.
Significant brucifications by:  bde
2000-10-27 11:45:49 +00:00
ru
1eb23e9e86 Fetch the protocol header (TCP, UDP, ICMP) only from the first fragment
of IP datagram.  This fixes the problem when firewall denied fragmented
packets whose last fragment was less than minimum protocol header size.

Found by:	Harti Brandt <brandt@fokus.gmd.de>
PR:		kern/22309
2000-10-27 07:19:17 +00:00
ru
9018a02c92 RFC 791 says that IP_RF bit should always be zero, but nothing
in the code enforces this.  So, do not check for and attempt a
false reassembly if only IP_RF is set.

Also, removed the dead code, since we no longer use dtom() on
return from ip_reass().
2000-10-26 13:14:48 +00:00
darrenr
1a1de29bc0 fix conflicts from rcsids 2000-10-26 12:33:42 +00:00
ru
5ef89cdbba Wrong header length used for certain reassembled IP packets.
This was first fixed in rev 1.82 but then broken in rev 1.125.

PR:		6177
2000-10-26 12:18:13 +00:00
luigi
066ba04e21 Close PR22152 and PR19511 -- correct the naming of a variable 2000-10-26 00:16:12 +00:00
ru
1c21cf3de3 We now keep the ip_id field in network byte order all the
time, so there is no need to make the distinction between
ip_output() and ip_input() cases.

Reviewed by:	silence on freebsd-net
2000-10-25 10:56:41 +00:00
itojun
4bd5d6f83f be careful on mbuf overrun on ctlinput.
short icmp6 packet may be able to panic the kernel.
sync with kame.
2000-10-23 07:11:01 +00:00
ru
7e387c1f6a Save a few CPU cycles in IP fragmentation code. 2000-10-20 14:10:37 +00:00
joe
c6d8349444 Augment the 'ifaddr' structure with a 'struct if_data' to keep
statistics on a per network address basis.

Teach the IPv4 and IPv6 input/output routines to log packets/bytes
against the network address connected to the flow.

Teach netstat to display the per-address stats for IP protocols
when 'netstat -i' is evoked, instead of displaying the per-interface
stats.
2000-10-19 23:15:54 +00:00
ru
eb6db61651 A failure to allocate memory for auxiliary TCP data is now fatal.
This fixes a null pointer dereference problem that is unlikely to
happen in normal circumstances.
2000-10-19 10:44:44 +00:00
ru
75996829e6 If we do not byte-swap the ip_id in the first place, don't do it in
the second.  NetBSD (from where I've taken this originally) needs
to fix this too.
2000-10-18 11:36:09 +00:00
ru
529896e0ea Backout my wrong attempt to fix the compilation warning in ip_input.c
and instead reapply the revision 1.49 of mbuf.h, i.e.

Fixed regression of the type of the `header' member of struct pkthdr from
`void *' to caddr_t in rev.1.51.  This mainly caused an annoying warning
for compiling ip_input.c.

Requested by:	bde
2000-10-12 16:33:41 +00:00
ru
3df47d29ba Fix the compilation warning. 2000-10-12 10:42:32 +00:00
ru
26ce601f70 Allow for IP_FW_ADD to be used in getsockopt(2) incarnation as
well, in which case return the rule number back into userland.

PR:		bin/18351
Reviewed by:	archie, luigi
2000-10-12 07:59:14 +00:00
alfred
1d991e1b3c Remove headers not needed.
Pointed out by: phk
2000-10-07 23:15:17 +00:00
ru
d3c4500dd0 As we now may check the TCP header window field, make sure we pullup
enough into the mbuf data area.  Solve this problem once and for all
by pulling up the entire (standard) header for TCP and UDP, and four
bytes of header for ICMP (enough for type, code and cksum fields).
2000-10-06 12:12:09 +00:00
ru
6922fb3fac Added the missing ntohs() conversion when matching IP packet with
the IP_FW_IF_IPID rule.  (We have recently decided to keep the
ip_id field in network byte order inside the kernel, see revision
1.140 of src/sys/netinet/ip_input.c).

I did not like to have the conversion happen in userland, and I
think that the similar conversions for fw_tcp(seq|ack|win) should
be moved out of userland (src/sbin/ipfw/ipfw.c) into the kernel.
2000-10-03 12:18:11 +00:00
jlemon
66c1d6a33b If TCPDEBUG is defined, we could dereference a tp which was freed. 2000-10-02 15:00:13 +00:00
ru
f35f4e93b2 A bit of indentation reformatting. 2000-10-02 13:13:24 +00:00
billf
bdb732a321 Add new fields for more granularity:
IP: version, tos, ttl, len, id
	TCP: seq#, ack#, window size

Reviewed by:  silence on freebsd-{net,ipfw}
2000-10-02 03:33:31 +00:00
billf
e80d3292ca Add new fields for more granularity:
IP: version, tos, ttl, len, id
	TCP: seq#, ack#, window size

Reviewed by:	silence on freebsd-{net,ipfw}
2000-10-02 03:03:31 +00:00
ru
105baa72f0 Document that net.inet.ip.fw.one_pass only affects dummynet(4).
Noticed by:	Peter Jeremy<peter.jeremy@alcatel.com.au>
2000-09-29 08:39:06 +00:00
kris
6105160a23 Use stronger random number generation for TCP_ISSINCR and tcp_iss.
Reviewed by:	peter, jlemon
2000-09-29 01:37:19 +00:00
bmilekic
52664bd5ff Finally make do_tcpdrain sysctl live under correct parent, _net_inet_tcp,
as opposed to _debug. Like before, default value remains 1.
2000-09-25 23:40:22 +00:00
ru
13420271d1 Fixed the calculations with UDP header length field.
The field is in network byte order and contains the
size of the header.

Reviewed by:	brian
2000-09-21 06:52:59 +00:00
kjc
0a7adf3296 change the evaluation order of the rsvp socket in rsvp_input()
in favor of the new-style per-vif socket.

this does not affect the behavior of the ISI rsvpd but allows
another rsvp implementation (e.g., KOM rsvp) to take advantage
of the new style for particular sockets while using the old style
for others.

in the future, rsvp supporn should be replaced by more generic
router-alert support.

PR:		kern/20984
Submitted by:	Martin Karsten <Martin.Karsten@KOM.tu-darmstadt.de>
Reviewed by:	kjc
2000-09-17 13:50:12 +00:00
phk
cb69a028ad Properly jail UDP sockets. This is quite a bit more tricky than TCP.
This fixes a !root userland panic, and some cases where the wrong
interface was chosen for a jailed UDP socket.

PR:		20167, 19839, 20946
2000-09-17 13:35:42 +00:00
phk
1d9c0d533e Reverse last commit, a better fix has been found. 2000-09-17 13:34:18 +00:00
phk
f0509c05ef Make sure UDP sockets are explicitly bind(2)'ed [sic] before we connect(2)
them.

PR:     20946
Isolated by:    Aaron Gifford <agifford@infowest.com>
2000-09-17 11:34:33 +00:00
jlemon
fcb3d1e56c It is possible for a TCP callout to be removed from the timing wheel,
but have a network interrupt arrive and deactivate the timeout before
the callout routine runs.  Check for this case in the callout routine;
it should only run if the callout is active and not on the wheel.
2000-09-16 00:53:53 +00:00
ru
8f94bca53c Add -Wmissing-prototypes. 2000-09-15 15:37:16 +00:00
jlemon
78394a5493 m_cat() can free its second argument, so collect the checksum information
from the fragment before calling m_cat().
2000-09-14 21:06:48 +00:00
ru
92269e49c4 Follow BSD/OS and NetBSD, keep the ip_id field in network order all the time.
Requested by:	wollman
2000-09-14 14:42:04 +00:00
billf
541dc0d9da Fix screwup in previous commit. 2000-09-12 02:38:05 +00:00
archie
51e519827f Don't do snd_nxt rollback optimization (rev. 1.46) for SYN packets.
It causes a panic when/if snd_una is incremented elsewhere (this
is a conservative change, because originally no rollback occurred
for any packets at all).

Submitted by:	Vivek Sadananda Pai <vivek@imimic.com>
2000-09-11 19:11:33 +00:00
alfred
f80149566d Forget to include sysctl.h
Submitted by: des
2000-09-09 18:47:46 +00:00
alfred
baac93215b Accept filter maintainance
Update copyrights.

Introduce a new sysctl node:
  net.inet.accf

Although acceptfilters need refcounting to be properly (safely) unloaded
as a temporary hack allow them to be unloaded if the sysctl
net.inet.accf.unloadable is set, this is really for developers who want
to work on thier own filters.

A near complete re-write of the accf_http filter:
  1) Parse check if the request is HTTP/1.0 or HTTP/1.1 if not dump
     to the application.
     Because of the performance implications of this there is a sysctl
     'net.inet.accf.http.parsehttpversion' that when set to non-zero
     parses the HTTP version.
     The default is to parse the version.
  2) Check if a socket has filled and dump to the listener
  3) optimize the way that mbuf boundries are handled using some voodoo
  4) even though you'd expect accept filters to only be used on TCP
     connections that don't use m_nextpkt I've fixed the accept filter
     for socket connections that use this.

This rewrite of accf_http should allow someone to use them and maintain
full HTTP compliance as long as net.inet.accf.http.parsehttpversion is
set.
2000-09-06 18:49:13 +00:00
billf
b1549fa803 1. IP_FW_F_{UID,GID} are _not_ commands, they are extras. The sanity checking
for them does not belong in the IP_FW_F_COMMAND switch, that mask doesn't even
apply to them(!).

2. You cannot add a uid/gid rule to something that isn't TCP, UDP, or IP.

XXX - this should be handled in ipfw(8) as well (for more diagnostic output),
but this at least protects bogus rules from being added.

Pointy hat:	green
2000-09-06 03:10:42 +00:00
ru
c183e5be0a Match IPPROTO_ICMP with IP protocol field of the original IP
datagram embedded into ICMP error message, not with protocol
field of ICMP message itself (which is always IPPROTO_ICMP).

Pointed by:	Erik Salander <erik@whistle.com>
2000-09-01 16:38:53 +00:00
ru
326b00612b Fixed broken ICMP error generation, unified conversion of IP header
fields between host and network byte order.  The details:

o icmp_error() now does not add IP header length.  This fixes the problem
  when icmp_error() is called from ip_forward().  In this case the ip_len
  of the original IP datagram returned with ICMP error was wrong.

o icmp_error() expects all three fields, ip_len, ip_id and ip_off in host
  byte order, so DTRT and convert these fields back to network byte order
  before sending a message.  This fixes the problem described in PR 16240
  and PR 20877 (ip_id field was returned in host byte order).

o ip_ttl decrement operation in ip_forward() was moved down to make sure
  that it does not corrupt the copy of original IP datagram passed later
  to icmp_error().

o A copy of original IP datagram in ip_forward() was made a read-write,
  independent copy.  This fixes the problem I first reported to Garrett
  Wollman and Bill Fenner and later put in audit trail of PR 16240:
  ip_output() (not always) converts fields of original datagram to network
  byte order, but because copy (mcopy) and its original (m) most likely
  share the same mbuf cluster, ip_output()'s manipulations on original
  also corrupted the copy.

o ip_output() now expects all three fields, ip_len, ip_off and (what is
  significant) ip_id in host byte order.  It was a headache for years that
  ip_id was handled differently.  The only compatibility issue here is the
  raw IP socket interface with IP_HDRINCL socket option set and a non-zero
  ip_id field, but ip.4 manual page was unclear on whether in this case
  ip_id field should be in host or network byte order.
2000-09-01 12:33:03 +00:00
ru
3e30fdbd5a Changed the way we handle outgoing ICMP error messages -- do
not alias `ip_src' unless it comes from the host an original
datagram that triggered this error message was destined for.

PR:		20712
Reviewed by:	brian, Charles Mott <cmott@scientech.com>
2000-09-01 09:32:44 +00:00
ru
e01f2b2835 Grab ADJUST_CHECKSUM() macro from alias_local.h. 2000-08-31 12:54:55 +00:00
ru
5feb1713fe Create aliasing links for incoming ICMP echo/timestamp requests.
This makes outgoing ICMP echo/timestamp replies to be de-aliased
with the right source IP, not exactly the primary aliasing IP.
2000-08-31 12:47:57 +00:00
ru
789ebca13b Fixed the bug that div_bind() always returned zero
even if there was an error (broken in rev 1.9).
2000-08-30 14:43:02 +00:00
ru
8088e79630 Backout the hack in rev 1.71, I am working on a better patch
that should cover almost all inconsistencies in ICMP error
generation.
2000-08-30 08:28:06 +00:00
ache
58751a777a strtok -> strsep (no strtok allowed in libraries)
add unsigned char cast to ctype macro
2000-08-29 21:34:55 +00:00
darrenr
0290d697a8 Apply appropriate patch.
PR:		20877
Submitted by:	Frank Volf (volf@oasis.IAEhv.nl)
2000-08-29 10:41:55 +00:00
archie
2fcdc74c0a Remove obsolete comment. 2000-08-22 00:32:52 +00:00
bde
e326bfd05c Fixed a missing splx() in if_addmulti(). Was broken in rev.1.28. 2000-08-19 22:10:10 +00:00
itojun
7059b1cfa8 repair endianness issue in IN_MULTICAST().
again, *BSD difference...

From: Nick Sayer <nsayer@quack.kfu.com>
2000-08-15 07:34:08 +00:00
ru
5d654e2338 Fixed PunchFW code segmentation violation bug.
Reported by:	Christian Schade <chris@cube.sax.de>
2000-08-14 15:24:47 +00:00
ru
e8f5de8393 Use queue(3) LIST_* macros for doubly-linked lists. 2000-08-14 14:18:16 +00:00
darrenr
24d61c1ea6 resolve conflicts 2000-08-13 04:31:06 +00:00
ru
e064241011 - Do not modify Peer's Call ID in outgoing Incoming-Call-Connected
PPTP control messages.

- Cosmetics: replace `GRE link' with `PPTP link'.

Reviewed by:	Erik Salander <erik@whistle.com>
2000-08-09 11:25:44 +00:00
ru
12eac35afe Adjust TCP checksum rather than compute it afresh.
Submitted by:	Erik Salander <erik@whistle.com>
2000-08-07 09:51:04 +00:00
archie
be99417f31 Improve performance in the case where ip_output() returns an error.
When this happens, we know for sure that the packet data was not
received by the peer. Therefore, back out any advancing of the
transmit sequence number so that we send the same data the next
time we transmit a packet, avoiding a guaranteed missed packet and
its resulting TCP transmit slowdown.

In most systems ip_output() probably never returns an error, and
so this problem is never seen. However, it is more likely to occur
with device drivers having short output queues (causing ENOBUFS to
be returned when they are full), not to mention low memory situations.

Moreover, because of this problem writers of slow devices were
required to make an unfortunate choice between (a) having a relatively
short output queue (with low latency but low TCP bandwidth because
of this problem) or (b) a long output queue (with high latency and
high TCP bandwidth). In my particular application (ISDN) it took
an output queue equal to ~5 seconds of transmission to avoid ENOBUFS.
A more reasonable output queue of 0.5 seconds resulted in only about
50% TCP throughput. With this patch full throughput was restored in
the latter case.

Reviewed by:	freebsd-net
2000-08-03 23:23:36 +00:00
ru
50604c7621 Make netstat(1) to be aware of divert(4) sockets. 2000-08-03 14:09:52 +00:00
roberto
aab96ffa41 Change __FreeBSD_Version into the proper __FreeBSD_version.
Submitted by:	Alain.Thivillon@hsc.fr (Alain Thivillon) (for ip_fil.c)
2000-08-01 17:14:38 +00:00
ache
16cb133f9b Add missing '0' to FreeBSD_version test: 50011 -> 500011 2000-08-01 00:04:24 +00:00
ache
31d77bcfb1 Nonexistent <sys/pfil.h> -> <net/pfil.h>
Kernel 'make depend' fails otherwise
2000-07-31 23:41:47 +00:00
sheldonh
c07b9583c6 Whitespace only:
Fix an overlong line and trailing whitespace that crept in, in the
previous commit.
2000-07-31 13:49:21 +00:00
darrenr
d18ce92d58 activate pfil_hooks and covert ipfilter to use it 2000-07-31 13:11:42 +00:00
archie
ce3ae491d0 Add address translation support for RTSP/RTP used by RealPlayer and
Quicktime streaming media applications.

Add a BUGS section to the man page.

Submitted by:	Erik Salander <erik@whistle.com>
2000-07-26 23:15:46 +00:00
jayanth
8c2fae5374 When a connection is being dropped due to a listen queue overflow,
delete the cloned route that is associated with the connection.
This does not exhaust the routing table memory when the system
is under a SYN flood attack. The route entry is not deleted if there
is any prior information cached in it.

Reviewed by: Peter Wemm,asmodai
2000-07-21 23:26:37 +00:00
darrenr
9f3624548b fix conflicts 2000-07-19 14:02:09 +00:00
sheldonh
ad4d3ab768 Fix a comment which was broken in rev 1.36.
PR:		19947
Submitted by:	Tetsuya Isaki <isaki@net.ipc.hiroshima-u.ac.jp>
2000-07-18 16:43:29 +00:00
luigi
a44e53d698 close PR 19544 - ipfw pipe delete causes panic when no pipes defined
PR: 19544
2000-07-17 20:03:27 +00:00
dwmalone
7fa1d09d5f Extra sanity check when arp proxyall is enabled. Don't send an arp
reply if the requesting machine isn't on the interface we believe
it should be. Prevents arp wars when you plug cables in the wrong
way around.

PR:		9848
Submitted by:	Ian Dowse <iedowse@maths.tcd.ie>
Not objected to by:	wollman
2000-07-13 19:31:01 +00:00
jayanth
f7e133ab0b re-enable the tcp newreno code. 2000-07-12 22:00:46 +00:00
itojun
a0611dac11 remove m_pulldown statistics, which is highly experimental and does not
belong to *bsd-merged tree
2000-07-12 16:39:13 +00:00
itojun
56bc1eab2d be more cautious about tcp option length field. drop bogus ones earlier.
not sure if there is a real threat or not, but it seems that there's
possibility for overrun/underrun (like non-NOP option with optlen > cnt).
2000-07-09 13:01:59 +00:00
itojun
5f4e854de1 sync with kame tree as of july00. tons of bug fixes/improvements.
API changes:
- additional IPv6 ioctls
- IPsec PF_KEY API was changed, it is mandatory to upgrade setkey(8).
  (also syntax change)
2000-07-04 16:35:15 +00:00
phk
e5de271d47 Previous commit changing SYSCTL_HANDLER_ARGS violated KNF.
Pointed out by:	bde
2000-07-04 11:25:35 +00:00
phk
61ff05be25 Style police catches up with rev 1.26 of src/sys/sys/sysctl.h:
Sanitize SYSCTL_HANDLER_ARGS so that simplistic tools can grog our
sources:

        -sysctl_vm_zone SYSCTL_HANDLER_ARGS
        +sysctl_vm_zone (SYSCTL_HANDLER_ARGS)
2000-07-03 09:35:31 +00:00
ru
268f00dee9 Fixed PunchFWHole():
- ipfw always rejected rule with `neither in nor out' diagnostics.
- number of src/dst ports was not set properly.
2000-06-27 14:56:07 +00:00
ru
6031a74ba6 - Removed PacketAliasPptp() API function.
- SHLIB_MAJOR++.
2000-06-20 13:07:52 +00:00
ru
ee3c5d1c8d Added true support for PPTP aliasing. Some nice features include:
- Multiple PPTP clients behind NAT to the same or different servers.

- Single PPTP server behind NAT -- you just need to redirect TCP
  port 1723 to a local machine.  Multiple servers behind NAT is
  possible but would require a simple API change.

- No API changes!

For more information on how this works see comments at the start of
the alias_pptp.c.

PacketAliasPptp() is no longer necessary and will be removed soon.

Submitted by:	Erik Salander <erik@whistle.com>
Reviewed by:	ru
Rewritten by:	ru
Reviewed by:	Erik Salander <erik@whistle.com>
2000-06-20 11:41:48 +00:00
alfred
e3e72a583b return of the accept filter part II
accept filters are now loadable as well as able to be compiled into
the kernel.

two accept filters are provided, one that returns sockets when data
arrives the other when an http request is completed (doesn't work
with 0.9 requests)

Reviewed by: jmg
2000-06-20 01:09:23 +00:00
ru
610da3502a - Improved passive mode FTP support by aliasing 229 replies.
- Stricter checking of PORT/EPRT/227/229 messages format.
- Moved all security checks into one place.
2000-06-16 20:36:16 +00:00
ru
3fa18b8916 - Added support for passive mode FTP by aliasing 227 replies.
It does mean that it is now possible to run passive-mode FTP
  server behind NAT.

- SECURITY: FTP aliasing engine now ensures that:
  o the segment preceding a PORT/227 segment terminates with a \r\n;
  o the IP address in the PORT/227 matches the source IP address of
    the packet;
  o the port number in the PORT command or 277 reply is greater than
    or equal to 1024.

Submitted by:	Erik Salander <erik@whistle.com>
Reviewed by:	ru
2000-06-14 16:09:35 +00:00
luigi
021d03f5bf Fix behaviour of "ipfw pipe show" -- previous code gave
ambiguous data to the userland program (kernel operation was
safe, anyways).
2000-06-14 10:07:22 +00:00
dan
c3897dad80 Add tcpoptions to ipfw. This works much in the same way as ipoptions do.
It also squashes 99% of packet kiddie synflood orgies.  For example, to
rate syn packets without MSS,

ipfw pipe 10 config 56Kbit/s queue 10Packets
ipfw add pipe 10 tcp from any to any in setup tcpoptions !mss

Submitted by:  Richard A. Steenbergen <ras@e-gerbil.net>
2000-06-08 15:34:51 +00:00
luigi
e2bccbe2b7 Implement WF2Q+ in dummynet. 2000-06-08 09:45:23 +00:00
jlemon
d94fab6e66 Add boundary checks against IP options.
Obtained from:	OpenBSD
2000-06-02 20:18:38 +00:00
jlemon
c7145aec0f When attempting to transmit a packet, if the system fails to allocate
a mbuf, it may return without setting any timers.  If no more data is
scheduled to be transmitted (this was a FIN) the system will sit in
LAST_ACK state forever.

Thus, when mbuf allocation fails, set the retransmit timer if neither
the retransmit or persist timer is already pending.

Problem discovered by:  Mike Silbersack (silby@silby.com)
Pushed for a fix by:    Bosko Milekic <bmilekic@dsuper.net>
Reviewed by:            jayanth
2000-06-02 17:38:45 +00:00
darrenr
1816cb0fd4 define CSUM_DELAY_DATA to match merge 2000-05-26 07:28:03 +00:00
jake
961b97d434 Back out the previous change to the queue(3) interface.
It was not discussed and should probably not happen.

Requested by:		msmith and others
2000-05-26 02:09:24 +00:00
darrenr
f8a289a9a1 fix up #ifdef jungle for FreeBSD 2000-05-25 16:24:46 +00:00
darrenr
8e62250edd remove duplicate prototypes 2000-05-25 16:23:30 +00:00
jlemon
c7424ba4ea Mark the checksum as complete when looping back multicast packets.
Submitted by:	Jeff Gibbons <jgibbons@n2.net>
2000-05-25 02:27:14 +00:00
archie
4ba625d0ce Just need to pass the address family to if_simloop(), not the whole sockaddr. 2000-05-24 21:16:56 +00:00
darrenr
ac5003302a fix duplicate rcsid's 2000-05-24 19:38:17 +00:00
bde
120b8e7f47 Fixed some style bugs (mainly convoluted logic for blackhole processing). 2000-05-24 12:57:52 +00:00
peter
4133b85951 It would have been nice if this actually compiled. Close the header
comment */.
2000-05-24 09:08:55 +00:00
darrenr
af0a4a0591 fix up conflicts 2000-05-24 04:40:17 +00:00
darrenr
28218f546c fix conflicts 2000-05-24 04:21:35 +00:00
darrenr
08110f1e41 fix conflicts 2000-05-24 04:09:13 +00:00
darrenr
9c90494417 fix conflicts 2000-05-24 04:01:49 +00:00
darrenr
3a99aee60f fix conflicts 2000-05-24 04:01:30 +00:00
darrenr
9c26b06dba fix conflicts 2000-05-24 03:43:24 +00:00
darrenr
e517ff28a4 fix conflicts 2000-05-24 03:17:16 +00:00
jake
d93fbc9916 Change the way that the queue(3) structures are declared; don't assume that
the type argument to *_HEAD and *_ENTRY is a struct.

Suggested by:	phk
Reviewed by:	phk
Approved by:	mdodd
2000-05-23 20:41:01 +00:00
dan
4e9d022872 sysctl'ize ICMP_BANDLIM and ICMP_BANDLIM_SUPPRESS_OUTPUT.
Suggested by: des/nbm
2000-05-22 16:12:28 +00:00
dan
187df3a0fb Add option ICMP_BANDLIM_SUPPRESS_OUTPUT to the mix. With this option,
badport_bandlim() will not muck up your console with printf() messages.
2000-05-22 15:00:41 +00:00
jlemon
8ad2993760 Compute the checksum before handing the packet off to IPFilter.
Tested by:  Cy Schubert <Cy.Schubert@uumail.gov.bc.ca>
2000-05-21 21:26:06 +00:00
peter
e7bffe5da6 Return ECONNRESET instead of EINVAL if the connection has been shot
down as a result of a reset.  Returning EINVAL in that case makes no
sense at all and just confuses people as to what happened.  It could be
argued that we should save the original address somewhere so that
getsockname() etc can tell us what it used to be so we know where the
problem connection attempts are coming from.
2000-05-19 00:55:21 +00:00
jayanth
d854ffaa25 snd_cwnd was updated twice in the tcp_newreno function. 2000-05-18 21:21:42 +00:00
jayanth
e7034ee2a7 Sigh, fix a rookie patch merge error.
Also-missed-by:	peter
2000-05-17 06:55:00 +00:00
jlemon
e68744c276 Cast sizeof() calls to be of type (int) when they appear in a signed
integer expression.  Otherwise the sizeof() call will force the expression
to be evaluated as unsigned, which is not the intended behavior.

Obtained from:  NetBSD   (in a different form)
2000-05-17 04:05:07 +00:00
jayanth
ba14a43fa0 snd_una was being updated incorrectly, this resulted in the newreno
code retransmitting data from the wrong offset.

As a footnote, the newreno code was partially derived from NetBSD
and Tom Henderson <tomh@cs.berkeley.edu>
2000-05-16 03:13:59 +00:00
ru
b3014de216 Do not call icmp_error() if ipfirewall(4) denied packet.
PR:		kern/10747, kern/18382
2000-05-15 18:41:01 +00:00
archie
fa21035b4e Move code to handle BPF and bridging for incoming Ethernet packets out
of the individual drivers and into the common routine ether_input().
Also, remove the (incomplete) hack for matching ethernet headers
in the ip_fw code.

The good news: net result of 1016 lines removed, and this should make
bridging now work with *all* Ethernet drivers.

The bad news: it's nearly impossible to test every driver, especially
for bridging, and I was unable to get much testing help on the mailing
lists.

Reviewed by:	freebsd-net
2000-05-14 02:18:43 +00:00
jayanth
eff95a482d Temporarily turn off the newreno flag until we can track down the known
data corruption problem.
2000-05-11 22:28:28 +00:00
brian
b8a9bbd08b Revert the default behaviour for incoming connections so
that they (once again) go to the target machine rather than
the alias address.

PR:		18354
Submitted by:	ru
2000-05-11 07:52:21 +00:00
itojun
d6b56ece4b correct more out-of-bounds memory access, if cnt == 1 and optlen > 1.
similar to recent fix to sys/netinet/ipf.c (by darren).
2000-05-10 01:25:33 +00:00
darrenr
4e731bbb1b Fix bug in dealing with "hlen == 1 and opt > 1" 2000-05-09 23:35:24 +00:00
ps
cffec0416c Add missing include machine/in_cksum.h.
Submitted by:	n_hibma
2000-05-09 16:56:51 +00:00
ken
1b9ed80d5c Include machine/in_cksum.h to unbreak options MROUTING. 2000-05-08 23:56:30 +00:00
jlemon
2b2c2a8b66 Add #include <machine/in_cksum.h>, in order to pick up the checksum
inline functions and prototypes.
2000-05-06 18:19:58 +00:00
jlemon
8a3c72bb35 Implement TCP NewReno, as documented in RFC 2582. This allows
better recovery for multiple packet losses in a single window.
The algorithm can be toggled via the sysctl net.inet.tcp.newreno,
which defaults to "on".

Submitted by:  Jayanth Vijayaraghavan <jayanth@yahoo-inc.com>
2000-05-06 03:31:09 +00:00
paul
718dc1ac42 Force the address of the socket to be INADDR_ANY immediately before
calling in_pcbbind so that in_pcbbind sees a valid address if no
address was specified (since divert sockets ignore them).

PR:		17552
Reviewed by:	Brian
2000-05-02 23:53:46 +00:00
luigi
4955e8ae95 Remove an unnecessary error message 2000-05-02 15:39:36 +00:00
peter
22f6069a2a Add $FreeBSD$ 2000-05-01 20:32:07 +00:00
ru
68665ff505 Replace PacketAliasRedirectPptp() (which had nothing specific
to PPTP) with more generic PacketAliasRedirectProto().

Major number is not bumped because it is believed that noone
has started using PacketAliasRedirectPptp() yet.
2000-04-28 13:44:49 +00:00
ru
6eed67e4a4 Spell PacketAliasRedirectAddr() correctly. 2000-04-27 18:06:05 +00:00
ru
c6bc2e1ae7 Load Sharing using IP Network Address Translation (RFC 2391, LSNAT).
LSNAT links are first created by either PacketAliasRedirectPort() or
PacketAliasRedirectAddress() and then set up by one or more calls to
PacketAliasAddServer().
2000-04-27 17:37:03 +00:00
shin
b90287b571 Let initialize th_sum before in6_cksum(), again.
Without this fix, all IPv6 TCP RST packet has wrong cksum value,
so IPv6 connect() trial to 5.0 machine won't fail until tcp connect timeout,
when they should fail soon.

Thanks to haro@tk.kubota.co.jp (Munehiro Matsuda) for his much debugging
help and detailed info.
2000-04-19 15:05:00 +00:00
phk
6be1308ad1 Remove ~25 unneeded #include <sys/conf.h>
Remove ~60 unneeded #include <sys/malloc.h>
2000-04-19 14:58:28 +00:00
ru
d297953a9f Add support for multiple PPTP sessions:
- new API function: PacketAliasRedirectPptp()
- new mode bit: PKT_ALIAS_DENY_PPTP

Please see manual page for details.
2000-04-18 10:18:21 +00:00
sumikawa
52e19e3399 ND6_HINT() should not be called unless the connection status is
ESTABLISHED.

Obtained from:	KAME Project
2000-04-17 20:27:02 +00:00
ru
314acb2e38 Apply TCP_EXPIRE_CONNECTED (86400 seconds) timeout only to established
connections, after SYN packets were seen from both ends.  Before this,
it would get applied right after the first SYN packet was seen (either
from client or server).  With broken TCP connection attempts, when the
remote end does not respond with SYNACK nor with RST, this resulted in
having a useless (ie, no actual TCP connection associated with it) TCP
link with 86400 seconds TTL, wasting system memory.  With high rate of
such broken connection attempts (for example, remote end simply blocks
these connection attempts with ipfw(8) without sending RST back), this
could result in a denial-of-service.

PR:		bin/17963
2000-04-14 15:34:55 +00:00
ru
0e49e08db1 A complete reformatting of manual page. 2000-04-13 14:04:01 +00:00
ru
c93d494562 Make partially specified permanent links without `dst_addr'
but with `dst_port' work for outgoing packets.

This case was not handled properly when I first fixed this
in revision 1.17.

This change is also required for the upcoming improved PPTP
support patches -- that is how I found the problem.

Before this change:

# natd -v -a aliasIP \
  -redirect_port tcp localIP:localPORT publicIP:publicPORT 0:remotePORT

Out [TCP]  [TCP] localIP:localPORT -> remoteIP:remotePORT aliased to
           [TCP] aliasIP:localPORT -> remoteIP:remotePORT

After this change:

# natd -v -a aliasIP \
  -redirect_port tcp localIP:localPORT publicIP:publicPORT 0:remotePORT

Out [TCP]  [TCP] localIP:localPORT -> remoteIP:remotePORT aliased to
           [TCP] publicIP:publicPORT -> remoteIP:remotePORT
2000-04-12 18:44:50 +00:00
wes
6944dfb6ec PR: kern/17872
Submitted by:	csg@waterspout.com (C. Stephen Gunn)
2000-04-11 06:55:09 +00:00
ru
f8d3448a0b - Add support for FTP EPRT (RFC 2428) command.
- Minor optimizations.
- Minor spelling fixes.

PR:		14305
Submitted by:	ume
Rewritten by:	ru
2000-04-06 15:54:52 +00:00
ru
73d40971f4 - Remove unused includes.
- Minor spelling fixes.
- Make IcmpAliasOut2() really work.

Before this change:

# natd -v -n PUB_IFACE -p 12345 -redirect_address 192.168.1.1 P.P.P.P
natd[87923]: Aliasing to A.A.A.A, mtu 1500 bytes
In  [UDP]  [UDP] X.X.X.X:49562 -> P.P.P.P:50000 aliased to
           [UDP] X.X.X.X:49562 -> 192.168.1.1:50000
Out [ICMP] [ICMP] 192.168.1.1 -> X.X.X.X 3(3) aliased to
           [ICMP] A.A.A.A -> X.X.X.X 3(3)

# tcpdump -n -t -i PUB_IFACE host X.X.X.X and "(udp or icmp)"
tcpdump: listening on PUB_IFACE
X.X.X.X.49562 > P.P.P.P.50000: udp 3
A.A.A.A > X.X.X.X: icmp: A.A.A.A udp port 50000 unreachable

After this change:

# natd -v -n PUB_IFACE -p 12345 -redirect_address 192.168.1.1 P.P.P.P
natd[89360]: Aliasing to A.A.A.A, mtu 1500 bytes
In  [UDP]  [UDP] X.X.X.X:49563 -> P.P.P.P:50000 aliased to
           [UDP] X.X.X.X:49563 -> 192.168.1.1:50000
Out [ICMP] [ICMP] 192.168.1.1 -> X.X.X.X 3(3) aliased to
           [ICMP] P.P.P.P -> X.X.X.X 3(3)

# tcpdump -n -t -i PUB_IFACE host X.X.X.X and "(udp or icmp)"
tcpdump: listening on PUB_IFACE
X.X.X.X.49563 > P.P.P.P.50000: udp 3
P.P.P.P > X.X.X.X: icmp: P.P.P.P udp port 50000 unreachable
2000-04-05 14:27:34 +00:00
ru
d5c73e2c54 - Moved NULL definition into private include file.
- Minor spelling fixes.
2000-04-05 14:23:42 +00:00
ru
f3f77cc662 Minor spelling fixes. 2000-04-05 07:45:39 +00:00
brian
cf3efd5926 Correct Charles Mott's email address
Requested by: Charles Mott <cmott@scientech.com>
2000-04-02 20:16:45 +00:00
shin
7a67542f8a Move htons() ip_len to after the in_delayed_cksum() call.
This should stop cksum error messages on IPsec communication
which was reported on freebsd-current.

Reviewed by: jlemon
2000-04-02 16:18:26 +00:00
ps
7de430ad34 Try and make the kernel build again without INET6. 2000-04-02 03:49:25 +00:00
shin
09037f119d Support per socket based IPv4 mapped IPv6 addr enable/disable control.
Submitted by: ume
2000-04-01 22:35:47 +00:00
jlemon
bdc5c086d9 Calculate any delayed checksums before handing an mbuf off to a
divert socket.  This fixes a problem with ppp/natd.

Reviewed by:	bsd	(Brian Dean, gotta love that login name)
2000-04-01 18:51:03 +00:00
brian
67534b228a Allow PacketAliasSetTarget() to be passed the following:
INADDR_NONE:   Incoming packets go to the alias address (the default)
  INADDR_ANY:    Incoming packets are not NAT'd (direct access to the
                 internal network from outside)
  anything else: Incoming packets go to the specified address

Change a few inaddr::s_addr == 0 to inaddr::s_addr == INADDR_ANY
while I'm there.
2000-03-31 20:36:29 +00:00
brian
942ce5d318 When an incoming packet is received that is not specifically
redirected and when no target address has been specified, NAT
the destination address to the alias address rather than
allowing people direct access to your internal network from
outside.
2000-03-31 14:03:37 +00:00
jlemon
67671838e9 If `ipfw fwd' loops an mbuf back to ip_input from ip_output and the
mbuf is marked for delayed checksums, then additionally mark the
packet as having it's checksums computed.  This allows us to bypass
computing/checking the checksum entirely, which isn't really needeed
as the packet has never hit the wire.

Reviewed by:		green
2000-03-30 02:16:40 +00:00
joerg
31c17d3863 Peter Johnson found another log() call without a trailing newline.
All three of them have been introduced in rev 1.64, so i guess i've
got all of them now. :)

Submitted by:	Peter Johnson <locke@mcs.net>
2000-03-29 07:50:39 +00:00
joerg
1c82e2d762 Added two missing newlines in calls to log(9).
Reported in Usenet by: locke@mcs.net (Peter Johnson)

While i was at it, prepended a 0x to the %D output, to make it clear that
the printed value is in hex (i assume %D has been chosen over %#x to
obey network byte order).
2000-03-28 21:14:35 +00:00
jlemon
0dcc5bc0d1 Add support for offloading IP/TCP/UDP checksums to NIC hardware which
supports them.
2000-03-27 19:14:27 +00:00
dillon
0c55db51df Fix parens in m_pullup() line in arp handling code. The code was
improperly doing the equivalent of (m = (function() == NULL)) instead
    of ((m = function()) == NULL).

    This fixes a NULL pointer dereference panic with runt arp packets.
2000-03-23 18:58:59 +00:00
green
08e4f07002 in6_pcb.c:
Remove a bogus (redundant, just weird, etc.) key_freeso(so).
	There are no consumers of it now, nor does it seem there
	ever will be.

in6?_pcb.c:
	Add an if (inp->in6?p_sp != NULL) before the call to
	ipsec[46]_delete_pcbpolicy(inp).  In low-memory conditions
	this can cause a crash because in6?_sp can be NULL...
2000-03-22 02:27:30 +00:00
lile
f14c3bda44 o Replace most magic numbers related to token ring with #defines
from iso88025.h.

o Add minimal llc support to iso88025_input.

o Clean up most of the source routing code.

* Submitted by: Nikolai Saoukh <nms@otdel-1.org>
2000-03-19 21:34:39 +00:00
brian
ab3c427b15 Make _FindLinkIn() static and only define GetDestPort when
NO_FW_PUNCH isn't defined.
2000-03-19 09:11:05 +00:00
ru
f28f5915b4 Fix reporting of src and dst IP addresses for ICMP and generic IP packets.
PR:		17319
Submitted by:	Mike Heffner <spock@techfour.net>
2000-03-14 14:11:53 +00:00
shin
86bd670bb2 Disable IPv4 over IPv4 tunnel on the 6to4 interface for better security.
Approved by: jkh
2000-03-11 22:11:57 +00:00
shin
4897d4b884 IPv6 6to4 support.
Now most big problem of IPv6 is getting IPv6 address
   assignment.
   6to4 solve the problem. 6to4 addr is defined like below,

          2002: 4byte v4 addr : 2byte SLA ID : 8byte interface ID

   The most important point of the address format is that an IPv4 addr
   is embeded in it. So any user who has IPv4 addr can get IPv6 address
   block with 2byte subnet space. Also, the IPv4 addr is used for
   semi-automatic IPv6 over IPv4 tunneling.

   With 6to4, getting IPv6 addr become dramatically easy.
   The attached patch enable 6to4 extension, and confirmed to work,
   between "Richard Seaman, Jr." <dick@tar.com> and me.

Approved by: jkh

Reviewed by: itojun
2000-03-11 11:17:24 +00:00
rwatson
2bf7fb4443 The function arpintr() incorrectly checks m->m_len to detect incomplete
ARP packets. This can incorrectly reject complete frames since the frame
could be stored in more than one mbuf.

The following patches fix the length comparisson, and add several
diagnostic log messages to the interrupt handler for out-of-the-norm ARP
packets. This should make ARP problems easier to detect, diagnose and
fix.

Submitted by:	C. Stephen Gunn <csg@waterspout.com>
Approved by:	jkh
Reviewed by:	rwatson
2000-03-11 00:24:29 +00:00
shin
23a1d7aeed Initialize mbuf pointer at getting ipsec policy.
Without this, kernel will panic at getsockopt() of IPSEC_POLICY.
Also make compilable libipsec/test-policy.c which tries getsockopt() of
IPSEC_POLICY.

Approved by: jkh

Submitted by: sakane@kame.net
2000-03-09 14:57:16 +00:00
sheldonh
329223e6f2 Remove single-space hard sentence breaks. These degrade the quality
of the typeset output, tend to make diffs harder to read and provide
bad examples for new-comers to mdoc.
2000-03-02 09:14:21 +00:00
luigi
9620475aa1 Fix panic when doing keep-state and "forward".
Removed a redundant check.
Also move check for expired rules before using them.
Sorry for the whitespace changes.

Approved-by: jordan
2000-02-29 17:51:25 +00:00
ps
8c1d813591 Limit the maximum permissible TCP window size to 65535 octets if
window scaling is disabled.

PR:		kern/16914
Submitted by:	Jayanth Vijayaraghavan <jayanth@yahoo-inc.com>
Reviewed by:	wollman
Approved by:	jkh
2000-02-28 21:18:21 +00:00
alfred
83fb25d036 -it do, among other things, clear out any
+it does, amongst other things, clear out any

The old sentance didn't seem to make sense.
2000-02-28 00:31:18 +00:00
guido
8d05fe1c7c Remove option IPFILTER_KLD. In case you wanted to kldload ipfilter,
the module would only work in kernels built with this option.

Approved by:	jkh
2000-02-23 20:11:57 +00:00
peter
a5441090de Clean up some loose ends in the network code, including the X.25 and ISO
#ifdefs.  Clean out unused netisr's and leftover netisr linker set gunk.
Tested on x86 and alpha, including world.

Approved by:	jkh
2000-02-13 03:32:07 +00:00
luigi
61618b1620 Forgot one line: don't try to match flags when looking for a flow.
Approved-by: jordan
2000-02-11 13:23:14 +00:00
guido
e515e856f2 Re add rev 1.11 diffs to ip_fil.h Also discover that I did not undefine
CVS_FUBAR (which no longer exists) and thus forgot to add $FreeBSD's.
Add them.

Approved by: jkh (is part of ipfilter upgrade)
2000-02-10 21:29:11 +00:00
shin
a0c9aca93b Forbid include of soem inet6 header files from wrong place
KAME put INET6 related stuff into sys/netinet6 dir, but IPv6
  standard API(RFC2553) require following files to be under sys/netinet.
    netinet/ip6.h
    netinet/icmp6.h
  Now those header files just include each following files.
    netinet6/ip6.h
    netinet6/icmp6.h

  Also KAME has netinet6/in6.h for easy INET6 common defs
  sharing between different BSDs, but RFC2553 requires only
  netinet/in.h should be included from userland.
  So netinet/in.h also includes netinet6/in6.h inside.

  To keep apps portability, apps should not directly include
  above files from netinet6 dir.
  Ideally, all contents of,
    netinet6/ip6.h
    netinet6/icmp6.h
    netinet6/in6.h
  should be moved into
    netinet/ip6.h
    netinet/icmp6.h
    netinet/in.h
  but to avoid big changes in this stage, add some hack, that
    -Put some special macro define into those files under neitnet
    -Let files under netinet6 cause error if it is included
     from some apps, and, if the specifal macro define is not
     defined.
     (which should have been defined if files under netinet is
     included)
    -And let them print an error message which tells the
     correct name of the include file to be included.

  Also fix apps which includes invalid header files.

Approved by: jkh

Obtained from: KAME project
2000-02-10 19:33:58 +00:00
luigi
ca6bc8a505 Move definition of fw_enable from ip_fw.c to ip_input.c
so we can compile kernels without IPFIREWALL .

Reported-by: Robert Watson
Approved-by: jordan
2000-02-10 17:56:01 +00:00
luigi
7257b4f371 Whoops... forgot braces in a conditional
Revealed-by: diff with -STABLE version (the advantage of having
    multiple lines of development...)
Approved-by: jordan
2000-02-10 16:50:53 +00:00
luigi
4c77286bf0 Support the net.inet.ip.fw.enable variable, part of
the recent ipfw modifications.

Approved-by: jordan
2000-02-10 14:19:53 +00:00