Commit Graph

169 Commits

Author SHA1 Message Date
emaste
036bc0d6fa ipf(1): Use strchr(3) instead of deprecated index(3)
Reviewed by:	cy
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D2607
2015-05-22 18:31:26 +00:00
glebius
78d51c7b15 Stop including if_var.h from userland.
Sponsored by:	Nginx, Inc.
2015-04-06 09:42:23 +00:00
glebius
7c22152af0 o Use new function ip_fillid() in all places throughout the kernel,
where we want to create a new IP datagram.
o Add support for RFC6864, which allows to set IP ID for atomic IP
  datagrams to any value, to improve performance. The behaviour is
  controlled by net.inet.ip.rfc6864 sysctl knob, which is enabled by
  default.
o In case if we generate IP ID, use counter(9) to improve performance.
o Gather all code related to IP ID into ip_id.c.

Differential Revision:		https://reviews.freebsd.org/D2177
Reviewed by:			adrian, cy, rpaulo
Tested by:			Emeric POUPON <emeric.poupon stormshield.eu>
Sponsored by:			Netflix
Sponsored by:			Nginx, Inc.
Relnotes:			yes
2015-04-01 22:26:39 +00:00
glebius
896e3f467b The ipftest(1) is a program that emulates ipf(4) operation and tests packets
against rules.  It definitely doesn't need to know about kernel internals,
such as 'struct ifaddr'.  What it does with ifaddr, is that it only takes
ifa_addr member of it, and treats it as sockaddr, while it is only a pointer
to sockaddr.  Fortunately, sizeof(struct ifaddr) > sizeof(struct sockaddr_in6),
so no problems arise.

Fix that declaring a private struct ifaddr in ipftest(1) and stop including
if_var.h.

Sponsored by:	Netflix
Sponsored by:	Nginx, Inc.
2015-02-19 23:14:35 +00:00
cy
bc2167fa66 #552 destination port not zero after parsing nat rule
Approved by:	glebius (mentor)
Obtained from:	netbsd CVS repo (r1.4), ipfilter CVS repo (r1.38)
2014-09-22 16:35:48 +00:00
cy
8937a6a4b7 3561691 gethost never returns an ipv6 address
Approved by:	glebius (mentor)
Obtained from:	ipfilter CVS repo (r1.34), netbsd CVS repo (r1.4)
2014-09-22 16:21:25 +00:00
cy
7a5d515231 #551 ipf.conf address structure not properly zero filled
Approved by:	glebius (mentor)
Obtained from:	ipfilter CVS repo (r1.37), netbsd CVS repo (r1.3)
2014-09-22 16:13:38 +00:00
cy
dcdb35188c #536 ipnat can try to print rule as dstlist incorrectly
Approved by:	glebius (mentor)
Obtained from:	ipfilter CVS repo (r1.14), netbsd CVS repo (r1.3)
2014-09-22 16:09:18 +00:00
cy
ac03311bc5 #553 gethost needs to zero entire IP address structure
Approved by:	glebius (mentor)
Obtained from:	ipfilter CVS repo (r1.11)
2014-09-22 16:06:37 +00:00
cy
5d69c962d9 ipv6 address for test.hosts.dots in wrong byte order.
Approved by:	glebius (mentor)
Obtained from:	ipfilter CVS repo (r1.11), netbsd CVS repo (r1.5)
2014-09-22 16:03:29 +00:00
pluknet
3c6883782f Unbreak with gcc.
I'm tired to see tinderbox spamming.  Feel free to fix it your way.
2014-07-13 10:38:01 +00:00
cy
de8f7474ba Fix compile-time errors when NO_WERROR and WITHOUT_INET6_SUPPORT
(NO_INET6) are specified.

Approved by:	glebius
MFC after:	1 week
2014-07-05 07:15:19 +00:00
glebius
1c87562bdb Hide 'struct ifaddr' definition from userland. Two tools left that use it,
namely ipftest(1) and ifmcstat(1). These sniff structure definition using
_WANT_IFADDR define.

Sponsored by:	Netflix
Sponsored by:	Nginx, Inc.
2013-10-15 10:19:24 +00:00
cy
1f79bda80f Remove redundant files.
Approved by:    glebius (mentor)
Approved by:    re (blanket)
2013-09-21 14:23:20 +00:00
cy
b3f0452e34 Check return code from inet_pton.
Discovered by:	Coverity.
Approved by:	glebius (mentor)
Approved by:	re (blanket)
2013-09-21 14:22:07 +00:00
cy
c1298c7a07 Update ipfilter 4.1.28 --> 5.1.2.
Approved by:		glebius (mentor)
BSD Licensed by:	Darren Reed <darrenr@reed.wattle.id.au> (author)
2013-09-06 23:11:19 +00:00
cy
672af8808c As per the developers handbook (5.3.1 step 1), prepare the vendor trees for
import of new ipfilter vendor sources by flattening them.

To keep the tags consistent with dist, the tags are also flattened.

Approved by:	glebius (Mentor)
2013-07-19 05:41:57 +00:00
glebius
7f832c3059 Retire struct sockaddr_inarp.
Since ARP and routing are separated, "proxy only" entries
don't have any meaning, thus we don't need additional field
in sockaddr to pass SIN_PROXY flag.

New kernel is binary compatible with old tools, since sizes
of sockaddr_inarp and sockaddr_in match, and sa_family are
filled with same value.

The structure declaration is left for compatibility with
third party software, but in tree code no longer use it.

Reviewed by:	ru, andre, net@
2013-01-31 08:55:21 +00:00
pfg
245e35ae97 Clean some 'svn:executable' properties in the tree.
Submitted by:	Christoph Mallon
MFC after:	3 days
2013-01-26 22:08:21 +00:00
markm
04e0bb722d Fix paths for example files. 2010-11-18 18:22:58 +00:00
rpaulo
bd0a652fbe Use pcap's bpf header, not our own copy of it. 2010-10-29 21:23:34 +00:00
brueffer
c9526c3f50 Comment in the BUGS section header. Matches what's in ipfilter 5.10.
PR:		144880
Submitted by:	Glen Barber <glen.j.barber@gmail.com>
MFC after:	1 week
2010-05-12 00:56:53 +00:00
ed
4d3d204932 Remove unneeded include of <sys/timeb.h>.
This header file should not be included by anything.
2010-03-09 20:58:15 +00:00
darrenr
2aed81f206 fix spelling mistake 2009-11-19 08:10:24 +00:00
rdivacky
9d18ee7303 Fix a typo that causes the for loop to exit immediately. There's
identical loop a few lines above.

Reviewed by: sam
Approved by: ed (mentor)
Silence from: darrenr (maintainer)
2009-06-16 13:31:01 +00:00
stas
b6666822bf - Prevent buffer overflow in IPFilter's load_http function used to load
ipfilter tables via http by the user-level ippool utility. Previously
  the 1024-byte buffer used to store a http request coudld easily overflow
  if the length of the hostname part of the url passes exceeded 496 bytes. [1]
- Use snprintf to prevent possieble buffer overflows in future. [2]
- Do not try to close the descriptor twice on failure. [2]

Reported by:	Maksymilian Arciemowicz <cxib@securityreason.com> [1]
Obtained from:	NetBSD CVS [2]
MFC after:	2 weeks
2009-05-29 16:24:23 +00:00
bz
1d1c15a5ac Remove udp and tcp includes not needed here.
Tripped over by: a compile of an upcoming change
MFC after:	1 month
2009-04-25 19:14:22 +00:00
qingli
ec826ad5c7 This main goals of this project are:
1. separating L2 tables (ARP, NDP) from the L3 routing tables
2. removing as much locking dependencies among these layers as
   possible to allow for some parallelism in the search operations
3. simplify the logic in the routing code,

The most notable end result is the obsolescent of the route
cloning (RTF_CLONING) concept, which translated into code reduction
in both IPv4 ARP and IPv6 NDP related modules, and size reduction in
struct rtentry{}. The change in design obsoletes the semantics of
RTF_CLONING, RTF_WASCLONE and RTF_LLINFO routing flags. The userland
applications such as "arp" and "ndp" have been modified to reflect
those changes. The output from "netstat -r" shows only the routing
entries.

Quite a few developers have contributed to this project in the
past: Glebius Smirnoff, Luigi Rizzo, Alessandro Cerri, and
Andre Oppermann. And most recently:

- Kip Macy revised the locking code completely, thus completing
  the last piece of the puzzle, Kip has also been conducting
  active functional testing
- Sam Leffler has helped me improving/refactoring the code, and
  provided valuable reviews
- Julian Elischer setup the perforce tree for me and has helped
  me maintaining that branch before the svn conversion
2008-12-15 06:10:57 +00:00
mlaier
21efffe9d5 Fix build when WITHOUT_DYNAMICROOT is specified in src.conf(5). 2008-08-04 22:45:27 +00:00
darrenr
49ad2adb91 2020447 IPFilter's NAT can undo name server random port selection
Approved by:	darrenr
MFC after:	1 week
Security:	CERT VU#521769
2008-07-24 12:35:05 +00:00
des
4cb5c18630 For unfathomable reasons, ipfilter abuses kernel data structures for its
own purposes.  To pull this off, it defines _KERNEL before including the
headers where these structures are defined.  This leads to no end of
trouble when some of these headers, or other headers that they include,
change, as demonstrated by r180755.

The quick fix in this particular case is to define _WANT_FILE instead of
_KERNEL, conditional on __FreeBSD__.  A better long-term fix is left as
an exercise to the reader.
2008-07-23 16:34:53 +00:00
darrenr
fd172ed327 Pullup IPFilter 4.1.28 from the vendor branch into HEAD.
MFC after:	7 days
2007-10-18 21:52:14 +00:00
darrenr
71e82d94e8 Import IPFilter 4.1.28 2007-10-18 21:42:51 +00:00
darrenr
3345281d0a This commit was generated by cvs2svn to compensate for changes in r172771,
which included commits to RCS files with non-trunk default branches.
2007-10-18 21:42:51 +00:00
darrenr
e784ce0e33 ipfstat should parse "any" when used with -D/-S command line options
PR:	bin/113879
Submitted by:	kabe@sra-tohoku.co.jp
Reviewed by:	darrenr
Approved by:	re
2007-06-24 16:39:12 +00:00
darrenr
27a50eee47 Remove files no longer required to build IPFilter 2007-06-04 03:07:34 +00:00
darrenr
a33069b532 Merge IPFilter 4.1.23 back to HEAD
See src/contrib/ipfilter/HISTORY for details of changes since 4.1.13
2007-06-04 02:54:36 +00:00
darrenr
e2e28d4361 Import IPFilter 4.1.23 to vendor branch.
See src/contrib/ipfilter/HISTORY for details of changes since 4.1.13
2007-06-04 02:50:28 +00:00
darrenr
1dd4fa592d This commit was generated by cvs2svn to compensate for changes in r170263,
which included commits to RCS files with non-trunk default branches.
2007-06-04 02:50:28 +00:00
guido
e49049679f Resolve conflicts
MFC after:	1 weeks
2006-08-16 12:23:02 +00:00
guido
092f5d1218 Import IP Filter 4.1.13 2006-08-16 11:51:32 +00:00
guido
3a39cf5435 This commit was generated by cvs2svn to compensate for changes in r161351,
which included commits to RCS files with non-trunk default branches.
2006-08-16 11:51:32 +00:00
darrenr
a3ec5442cc fix "ipf -Z" reporting rubbish and possibly panic'ing box
MFC after:	4 days
2006-04-18 13:24:14 +00:00
darrenr
aacbf565b5 Add a man page for mkfilters(1) and put the corrected perl script in the
ipfilter usr/share directory

PR:     docs/26879
2006-02-27 11:22:20 +00:00
guido
7ee0924750 Resolve conflicts (and believe me...you don't want to know). 2005-12-30 11:52:26 +00:00
guido
9749beb9e3 Import IP Filter 4.1.10 2005-12-30 11:34:54 +00:00
guido
530bf89f14 This commit was generated by cvs2svn to compensate for changes in r153877,
which included commits to RCS files with non-trunk default branches.
2005-12-30 11:34:54 +00:00
darrenr
529d7c08ef Remove these files from src/contrib/ipfilter as they are already present
in src/sys/contrib/ipfilter/netinet.  Makefile's reachover bits find what
they need so building is unaffected.

Approved by: re (dwhite)
2005-06-23 14:22:02 +00:00
darrenr
22c343ffc8 Fix some minor problems before release:
(1) "ipf -T" is broken for fetching single entries and
(2) loading rules with numbered collections does not order insertion right.
(3) stats aren't accumulated for hash table memory failures

Approved by: re (dwhite)
2005-06-23 14:19:02 +00:00
eivind
e998be30e5 Since this is already off the vendor branch: Our kernel is now in
/boot/kernel/kernel, not plain /kernel
2005-05-27 01:09:42 +00:00