215 Commits

Author SHA1 Message Date
cy
ec308188e2 Replace AF_INET6 ifdefs with USE_INET6 to be consistent with the rest
of the ipfilter source tree.
2017-06-27 04:54:58 +00:00
cy
781dbf5aab Replace AF_INET6 ifdefs with USE_INET6 ifdefs. This is more consistent
and guaranteed to build everywhere in ipfilter.

Not all of this commit can be MFCed. Some is original code while others
are not.
2017-06-23 02:42:04 +00:00
cy
ca30cf090a In poolnodcommand(): TTL (-T) is only valid when adding a node to a
pool (ippool -a), not when removing a node from a pool (ippool -r).
Flag -T as an error in ippool -r.
2017-06-22 12:46:48 +00:00
cy
57e30b47aa poolflush() has no positional arguments. 2017-06-22 06:25:34 +00:00
cy
38fb2e4725 Fix -S handling within poolcommand(). Specifying a seed (-S) is only
valid when adding a pool (ippool -A), not when removing a pool
(ippool -R). It is a command line syntax error if a seed (-S) is
specified when removing a pool (-R).
2017-06-21 12:19:05 +00:00
cy
5851e7d714 Flag poolnodecommand() (ippool -a and ippool -r) command line syntax
errors.
2017-06-20 12:31:58 +00:00
cy
833ba84432 poolcommand() (ippool -A and ippool -R) seed takes an argument. 2017-06-19 19:27:37 +00:00
cy
ed60aef022 Flag poolcommand() (ippool -A and ippool -R) command line syntax errors. 2017-06-19 12:33:22 +00:00
cy
bc4982d1b7 Correct example directory location.
Submitted by:	olivier@
MFC after:	3 days
2017-06-15 00:59:02 +00:00
cy
f27b45ddf0 Chase r319848: remove -v option from getopt() call. 2017-06-14 02:42:38 +00:00
cy
c8c30ee323 -n (do nothing) is not a command option. 2017-06-14 02:41:22 +00:00
cy
00488c6771 -v (verbose) is not a command option. (See ippool.1 for a definition
of command options).
2017-06-12 06:08:57 +00:00
cy
ececcb3d95 Flag loadpoolfile() (ippool -f) command line syntax errors. 2017-06-11 04:03:09 +00:00
cy
55eda8a54d Identify poolstats() (ippool -s) command line syntax errors. 2017-06-11 04:00:26 +00:00
cy
4ae75921d5 Identify command line syntax errors in poolflush() (ippool -F). 2017-06-11 03:56:13 +00:00
cy
033b1901a2 Remove redundant assignment of infile from optarg in loadpoolfile()
which was previously assigned from optarg in the argument list from
main().
2017-06-10 23:16:00 +00:00
cy
cbb4362af9 Disable the -O (output fields) option in poollist() (ippool -l) for
now. The option does not presently work. However, similar functions in
ipfstat (for state) and ipnat (for nat) do work and provide outputs that
can be easily parsed by shell scripts or subsequently loaded into CSV
files.  The intention here is to return to this option to make it work.
I suspect the problem is in printpoolfields.c.
2017-06-10 17:05:14 +00:00
cy
d2e66d41a3 Flag poollist() (ippool -l) command line syntax errors. 2017-06-10 16:42:39 +00:00
cy
9fe9387d01 Remove NORESOLVE (-R) option from poollist() (ippool -l). It is not
used in poollist().
2017-05-31 03:11:25 +00:00
cy
9c61a2bfad Implement ippool command line IPv6 address parse support (for the -i
option).

PR:		218433
2017-05-16 02:48:46 +00:00
cy
f69668025d Just like r318173, which was for outputting IPv6 addresses in tree
pools, implement outputting of IPv6 addresses in the ippool debug list
of hash type pools (ippool -l -d -t hash). Currently IPv6 in ippool tree
type pool handling is mostly implemented.
This continues the series of commits to remediate ippool.

This will be MFCed with a yet to be committed series of fixes to ippool
after it has been fully remediated.

PR:		218433
2017-05-15 03:39:35 +00:00
cy
0660ec85ae As of r318281, there is no need to put a colon (:) in the message
string.

MFC after:	3 days
X-MFC with:	r318281
2017-05-14 23:45:10 +00:00
cy
06484ccac0 Separate the ipfilter function/static string from the error with a
colon (:) in error messages to assist the user in parsing out the error
from where or which object the error message refers to.

MFC after:	3 days
2017-05-14 21:18:01 +00:00
cy
660a1945f5 Add missing linefeed in debug output. 2017-05-12 01:09:24 +00:00
cy
9333d761bc Implement outputting of IPv6 addresses in the ippool debug list of tree
type pools (ippool -l -d -t tree). Currently IPv6 in ippool tree type
pool handling is partially implemented (meaning it doesn't work).
This is the first of a series of commits to remediate ippool.

This will be MFCed with a yet to be committed series of fixes to ippool
after it has been fully remediated.

PR:		218433
2017-05-11 04:39:11 +00:00
cy
52a71a0488 Ifdef out a redundant if statement when INET6 is disabled.
MFC after:	1 week
2017-05-05 14:34:09 +00:00
cy
eed1dd1e6c Use warnx() to issue error message.
Reported by:	cem
MFC after:	1 week
X-MFC with:	r316993, r316994
2017-04-16 04:36:22 +00:00
cy
ff46ffd490 Fix CID 1372600, possible NULL pointer dereference should
reallocarray() fail.

Reported by:	Coverity CID 1372600
MFC after:	1 week
2017-04-16 01:15:37 +00:00
cy
f510ccbf5d Fix CID 1372601, possible NULL pointer dereference should
reallocarray() fail.

Reported by:	Coverity CID 1372601
MFC after:	1 week
2017-04-16 01:13:47 +00:00
glebius
3a5c9aaf2b Hide struct inpcb, struct tcpcb from the userland.
This is a painful change, but it is needed.  On the one hand, we avoid
modifying them, and this slows down some ideas, on the other hand we still
eventually modify them and tools like netstat(1) never work on next version of
FreeBSD.  We maintain a ton of spares in them, and we already got some ifdef
hell at the end of tcpcb.

Details:
- Hide struct inpcb, struct tcpcb under _KERNEL || _WANT_FOO.
- Make struct xinpcb, struct xtcpcb pure API structures, not including
  kernel structures inpcb and tcpcb inside.  Export into these structures
  the fields from inpcb and tcpcb that are known to be used, and put there
  a ton of spare space.
- Make kernel and userland utilities compilable after these changes.
- Bump __FreeBSD_version.

Reviewed by:	rrs, gnn
Differential Revision:	D10018
2017-03-21 06:39:49 +00:00
cy
8ddae1aa96 calloc() and realloc() modernization.
This commit replaces calloc calls, which called calloc() as if it were
malloc() by allocating a multiple of objects as a sizeof multiplied by
the number of objects. The patch rectifies this by calling calloc() as
it was meant to be called.

This commit also replaces realloc() with reallocarray() in a similar
fashion as above. Instead of calculating the memory to be reallocated
(changed) by multiplying sizeof by the number of objects, the sizeof
and number are passed as separate arguments to reallocarray(), letting
reallocarray() do the multiplication instead. Like the calloc()
adjustment above, this approach is cleaner and more elegant than
the previous code.

This has been tested on my production firewall and a laptop (also
running ipfilter).

Submitted by:	pfg
MFC after:	6 weeks
2017-03-16 04:40:07 +00:00
cy
fbce1aab7d Fix leak (free str before returning when ctx's calloc fails).
Submitted by:	trix_juniper.net (Tom Rix)
Discovered by:	clang's static analyzer
MFC after:	4 days
Relnotes:	ngie
Differential Revision:	D9877
2017-03-03 21:32:27 +00:00
cy
bda5c972b3 Use normal KNF cuddling of elses.
Reported by:	bde
MFC after:	2 weeks
X-MFC with:	r312777
2017-01-26 04:51:48 +00:00
cy
5fb5bda947 Currently the fragment info is placed at the top of the linked list
under a shared read lock. This patch attempts to upgrade the lock to
an exclusive write lock. If the exclusive write lock fails to be
obtained, the current fragment is not placed at the head of the list.

This portion of the patch was inspired by NetBSD ip_frag.c r1.4 (which
effectively removed the section of code that performed the reordering).

The patch to sys/contrib/ipfilter/netinet/ip_compat.h adds the
MUTEX_TRY_UPGRADE macro to support the patch to ip_frag.c.

The patch to contrib/ipfilter/lib/rwlock_emul.c supports this patch
by emulating the mutex in userspace when exercised by ipftest(1).

Inspired by:	NetBSD ip_frag.c r1.4
MFC after:	1 month
2017-01-26 01:24:05 +00:00
cy
2e63874c2a Remove extraneous blank line.
MFC after:	2 weeks
X-MFC with:	r312777
2017-01-25 20:59:23 +00:00
cy
35a953534e Issue an error message when an incorrect flush argument is
encountered.

MFC after:	2 weeks
2017-01-25 20:41:16 +00:00
dim
c9c476987e Follow-up to r304953, in which I broke the build: apparently the SOLARIS
macro is defined in lots of different places in ipfilter, so replace all
of the nonportable definitions with portable ones.

Pointy hat to:	dim
X-MFC-With:	r304959, r304953
MFC after:	3 days
2016-08-28 19:35:29 +00:00
cy
956164118e Remove dead code.
Approved by:	re@ (hrs@)
MFC after:	1 week
2016-06-30 14:53:46 +00:00
cy
53d0f4a233 Clarify the wording to be more accurate.
Approved by:	re@ (gjb)
MFC after:	1 week
X-MFC with:	r301773
2016-06-10 01:10:48 +00:00
cy
181a4aa249 Update the ipf.8 man page to accurately reflect that the -6
option is a noop and only here for backward compatibility.

MFC after:	1 week
2016-06-10 00:06:58 +00:00
cy
c7e47200dd Fix another typo.
Reported by:	cem
MFC after:	6 days
2016-05-19 03:18:54 +00:00
cy
18b57518bc Fix typo.
Reported by:	Ruben Kerkhof <ruben@rubenkerkhof.com>
MFC after:	6 days
2016-05-19 02:06:48 +00:00
cy
a750660049 Static pointers need not be initialized.
MFC after:	4 weeks
2016-04-15 03:45:09 +00:00
cy
804fd2b13b Use NULL instead of 0 for pointer comparison.
MFC after:	4 weeks
2016-04-15 03:43:16 +00:00
ngie
e1dd16d965 Revert r288682
I meant to do this on ^/user/ngie/more-tests

Pointyhat to: ngie (use svn info next time...)
2015-10-05 03:26:51 +00:00
ngie
115d008392 Remove some paths preparing for a re-copy from head 2015-10-05 03:25:30 +00:00
emaste
036bc0d6fa ipf(1): Use strchr(3) instead of deprecated index(3)
Reviewed by:	cy
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D2607
2015-05-22 18:31:26 +00:00
glebius
78d51c7b15 Stop including if_var.h from userland.
Sponsored by:	Nginx, Inc.
2015-04-06 09:42:23 +00:00
glebius
7c22152af0 o Use new function ip_fillid() in all places throughout the kernel,
where we want to create a new IP datagram.
o Add support for RFC6864, which allows setting the IP ID for atomic IP
  datagrams to any value, to improve performance. The behaviour is
  controlled by the net.inet.ip.rfc6864 sysctl knob, which is enabled by
  default.
o In case we generate the IP ID, use counter(9) to improve performance.
o Gather all code related to IP ID into ip_id.c.

Differential Revision:		https://reviews.freebsd.org/D2177
Reviewed by:			adrian, cy, rpaulo
Tested by:			Emeric POUPON <emeric.poupon stormshield.eu>
Sponsored by:			Netflix
Sponsored by:			Nginx, Inc.
Relnotes:			yes
2015-04-01 22:26:39 +00:00
glebius
896e3f467b The ipftest(1) is a program that emulates ipf(4) operation and tests packets
against rules.  It definitely doesn't need to know about kernel internals,
such as 'struct ifaddr'.  What it does with ifaddr, is that it only takes
ifa_addr member of it, and treats it as sockaddr, while it is only a pointer
to sockaddr.  Fortunately, sizeof(struct ifaddr) > sizeof(struct sockaddr_in6),
so no problems arise.

Fix that by declaring a private struct ifaddr in ipftest(1) and stop including
if_var.h.

Sponsored by:	Netflix
Sponsored by:	Nginx, Inc.
2015-02-19 23:14:35 +00:00