1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-20 11:11:24 +00:00
Commit Graph

1223 Commits

Author SHA1 Message Date
Poul-Henning Kamp
442fad6798 Update the "icmp_admin_prohib_like_rst" code to check the tcp-window and
to be configurable with respect to acting only in SYN or in all TCP states.

PR:		23665
Submitted by:	Jesper Skriver <jesper@skriver.dk>
2000-12-24 10:57:21 +00:00
Bosko Milekic
2a0c503e7a * Rename M_WAIT mbuf subsystem flag to M_TRYWAIT.
This is because calls with M_WAIT (now M_TRYWAIT) may not wait
  forever when nothing is available for allocation, and may end up
  returning NULL. Hopefully we now communicate more of the right thing
  to developers and make it very clear that it's necessary to check whether
  calls with M_(TRY)WAIT also resulted in a failed allocation.
  M_TRYWAIT basically means "try harder, block if necessary, but don't
  necessarily wait forever." The time spent blocking is tunable with
  the kern.ipc.mbuf_wait sysctl.
  M_WAIT is now deprecated but still defined for the next little while.

* Fix a typo in a comment in mbuf.h

* Fix some code that was actually passing the mbuf subsystem's M_WAIT to
  malloc(). Made it pass M_WAITOK instead. If we were ever to redefine the
  value of the M_WAIT flag, this could have became a big problem.
2000-12-21 21:44:31 +00:00
Bill Fumerola
16cd6db04f Use getmicrotime() instead of microtime() when timestamping ICMP packets,
the former is quicker and accurate enough for use here.

Submitted by:	Jason Slagle <raistlin@toledolink.com> (on IRC)
Reviewed by:	phk
2000-12-16 21:39:48 +00:00
Poul-Henning Kamp
b11d7a4a2f We currently does not react to ICMP administratively prohibited
messages send by routers when they deny our traffic, this causes
a timeout when trying to connect to TCP ports/services on a remote
host, which is blocked by routers or firewalls.

rfc1122 (Requirements for Internet Hosts) section 3.2.2.1 actually
requi re that we treat such a message for a TCP session, that we
treat it like if we had recieved a RST.

quote begin.

            A Destination Unreachable message that is received MUST be
            reported to the transport layer.  The transport layer SHOULD
            use the information appropriately; for example, see Sections
            4.1.3.3, 4.2.3.9, and 4.2.4 below.  A transport protocol
            that has its own mechanism for notifying the sender that a
            port is unreachable (e.g., TCP, which sends RST segments)
            MUST nevertheless accept an ICMP Port Unreachable for the
            same purpose.

quote end.

I've written a small extension that implement this, it also create
a sysctl "net.inet.tcp.icmp_admin_prohib_like_rst" to control if
this new behaviour is activated.

When it's activated (set to 1) we'll treat a ICMP administratively
prohibited message (icmp type 3 code 9, 10 and 13) for a TCP
sessions, as if we recived a TCP RST, but only if the TCP session
is in SYN_SENT state.

The reason for only reacting when in SYN_SENT state, is that this
will solve the problem, and at the same time minimize the risk of
this being abused.

I suggest that we enable this new behaviour by default, but it
would be a change of current behaviour, so if people prefer to
leave it disabled by default, at least for now, this would be ok
for me, the attached diff actually have the sysctl set to 0 by
default.

PR:		23086
Submitted by:	Jesper Skriver <jesper@skriver.dk>
2000-12-16 19:42:06 +00:00
Bosko Milekic
09f81a46a5 Change the following:
1.  ICMP ECHO and TSTAMP replies are now rate limited.
  2.  RSTs generated due to packets sent to open and unopen ports
      are now limited by seperate counters.
  3.  Each rate limiting queue now has its own description, as
      follows:

      Limiting icmp unreach response from 439 to 200 packets per second
      Limiting closed port RST response from 283 to 200 packets per second
      Limiting open port RST response from 18724 to 200 packets per second
      Limiting icmp ping response from 211 to 200 packets per second
      Limiting icmp tstamp response from 394 to 200 packets per second

Submitted by: Mike Silbersack <silby@silby.com>
2000-12-15 21:45:49 +00:00
David Malone
7cc0979fd6 Convert more malloc+bzero to malloc+M_ZERO.
Submitted by:	josh@zipperup.org
Submitted by:	Robert Drehmel <robd@gmx.net>
2000-12-08 21:51:06 +00:00
Poul-Henning Kamp
959b7375ed Staticize some malloc M_ instances. 2000-12-08 20:09:00 +00:00
Jonathan Lemon
df5e198723 Lock down the network interface queues. The queue mutex must be obtained
before adding/removing packets from the queue.  Also, the if_obytes and
if_omcasts fields should only be manipulated under protection of the mutex.

IF_ENQUEUE, IF_PREPEND, and IF_DEQUEUE perform all necessary locking on
the queue.  An IF_LOCK macro is provided, as well as the old (mutex-less)
versions of the macros in the form _IF_ENQUEUE, _IF_QFULL, for code which
needs them, but their use is discouraged.

Two new macros are introduced: IF_DRAIN() to drain a queue, and IF_HANDOFF,
which takes care of locking/enqueue, and also statistics updating/start
if necessary.
2000-11-25 07:35:38 +00:00
Jonathan Lemon
e82ac18e52 Revert the last commit to the callout interface, and add a flag to
callout_init() indicating whether the callout is safe or not.  Update
the callers of callout_init() to reflect the new interface.

Okayed by: Jake
2000-11-25 06:22:16 +00:00
Bosko Milekic
a352dd9a71 Fixup (hopefully) bridging + ipfw + dummynet together...
* Some dummynet code incorrectly handled a malloc()-allocated pseudo-mbuf
  header structure, called "pkt," and could consequently pollute the mbuf
  free list if it was ever passed to m_freem(). The fix involved passing not
  pkt, but essentially pkt->m_next (which is a real mbuf) to the mbuf
  utility routines.

* Also, for dummynet, in bdg_forward(), made the code copy the ethernet header
  back into the mbuf (prepended) because the dummynet code that follows expects
  it to be there but it is, unfortunately for dummynet, passed to bdg_forward
  as a seperate argument.

PRs: kern/19551 ; misc/21534 ; kern/23010
Submitted by: Thomas Moestl <tmoestl@gmx.net>
Reviewed by: bmilekic
Approved by: luigi
2000-11-23 22:25:03 +00:00
Ruslan Ermilov
1b7b85c4d6 mdoc(7) police: use the new feature of the An macro. 2000-11-22 08:47:35 +00:00
Bosko Milekic
0a1df235ba While I'm here, get rid of (now useless) MCLISREFERENCED and use MEXT_IS_REF
instead.
Also, fix a small set of "avail." If we're setting `avail,' we shouldn't
be re-checking whether m_flags is M_EXT, because we know that it is, as if
it wasn't, we would have already returned several lines above.

Reviewed by: jlemon
2000-11-11 23:05:59 +00:00
Ruslan Ermilov
203de3b494 Fixed the security breach I introduced in rev 1.145.
Disallow getsockopt(IP_FW_ADD) if securelevel >= 3.

PR:		22600
2000-11-07 09:20:32 +00:00
Jonathan Lemon
8735719e43 tp->snd_recover is part of the New Reno recovery algorithm, and should
only be checked if the system is currently performing New Reno style
fast recovery.  However, this value was being checked regardless of the
NR state, with the end result being that the congestion window was never
opened.

Change the logic to check t_dupack instead; the only code path that
allows it to be nonzero at this point is NewReno, so if it is nonzero,
we are in fast recovery mode and should not touch the congestion window.

Tested by:	phk
2000-11-04 15:59:39 +00:00
Ruslan Ermilov
1d02752206 Fixed the bug I have introduced in icmp_error() in revision 1.44.
The amount of data we copy from the original IP datagram into the
ICMP message was computed incorrectly for IP packets with payload
less than 8 bytes.
2000-11-02 09:46:23 +00:00
Ruslan Ermilov
506f494939 Wrong checksum may have been computed for certain UDP packets.
Reviewed by:	jlemon
2000-11-01 16:56:33 +00:00
Ruslan Ermilov
60123168be Wrong checksum used for certain reassembled IP packets before diverting. 2000-11-01 11:21:45 +00:00
Josef Karthauser
ffa37b3f9b It's no longer true that "nobody uses ia beyond here"; it's now
used to keep address based if_data statistics in.

Submitted by:	ru
2000-11-01 01:59:28 +00:00
Ruslan Ermilov
48cb400fb1 Do not waste a time saving a copy of IP header if we are certainly
not going to send an ICMP error message (net.inet.udp.blackhole=1).
2000-10-31 09:13:02 +00:00
Ruslan Ermilov
642cd09fb3 Added boolean argument to link searching functions, indicating
whether they should create a link if lookup has failed or not.
2000-10-30 17:24:12 +00:00
Ruslan Ermilov
03453c5e87 A significant rewrite of PPTP aliasing code.
PPTP links are no longer dropped by simple (and inappropriate in this
case) "inactivity timeout" procedure, only when requested through the
control connection.

It is now possible to have multiple PPTP servers running behind NAT.
Just redirect the incoming TCP traffic to port 1723, everything else
is done transparently.

Problems were reported and the fix was tested by:
		Michael Adler <Michael.Adler@compaq.com>,
		David Andersen <dga@lcs.mit.edu>
2000-10-30 12:39:41 +00:00
Poul-Henning Kamp
cf9fa8e725 Move suser() and suser_xxx() prototypes and a related #define from
<sys/proc.h> to <sys/systm.h>.

Correctly document the #includes needed in the manpage.

Add one now needed #include of <sys/systm.h>.
Remove the consequent 48 unused #includes of <sys/proc.h>.
2000-10-29 16:06:56 +00:00
Poul-Henning Kamp
53ce36d17a Remove unneeded #include <sys/proc.h> lines. 2000-10-29 13:57:19 +00:00
Darren Reed
0c72e2855d Fix conflicts creted by import. 2000-10-29 07:53:05 +00:00
Josef Karthauser
fe93767490 Count per-address statistics for IP fragments.
Requested by:	ru
Obtained from:	BSD/OS
2000-10-29 01:05:09 +00:00
David E. O'Brien
d0eaa94443 Include sys/param.h for `__FreeBSD_version' rather than the non-existent
osreldate.h.

Submitted by:	dougb
2000-10-27 12:53:31 +00:00
Poul-Henning Kamp
46aa3347cb Convert all users of fldoff() to offsetof(). fldoff() is bad
because it only takes a struct tag which makes it impossible to
use unions, typedefs etc.

Define __offsetof() in <machine/ansi.h>

Define offsetof() in terms of __offsetof() in <stddef.h> and <sys/types.h>

Remove myriad of local offsetof() definitions.

Remove includes of <stddef.h> in kernel code.

NB: Kernelcode should *never* include from /usr/include !

Make <sys/queue.h> include <machine/ansi.h> to avoid polluting the API.

Deprecate <struct.h> with a warning.  The warning turns into an error on
01-12-2000 and the file gets removed entirely on 01-01-2001.

Paritials reviews by:   various.
Significant brucifications by:  bde
2000-10-27 11:45:49 +00:00
Ruslan Ermilov
3cebc3e4de Fetch the protocol header (TCP, UDP, ICMP) only from the first fragment
of IP datagram.  This fixes the problem when firewall denied fragmented
packets whose last fragment was less than minimum protocol header size.

Found by:	Harti Brandt <brandt@fokus.gmd.de>
PR:		kern/22309
2000-10-27 07:19:17 +00:00
Ruslan Ermilov
b6ea1aa58d RFC 791 says that IP_RF bit should always be zero, but nothing
in the code enforces this.  So, do not check for and attempt a
false reassembly if only IP_RF is set.

Also, removed the dead code, since we no longer use dtom() on
return from ip_reass().
2000-10-26 13:14:48 +00:00
Darren Reed
60b88d9681 fix conflicts from rcsids 2000-10-26 12:33:42 +00:00
Ruslan Ermilov
7e2df4520d Wrong header length used for certain reassembled IP packets.
This was first fixed in rev 1.82 but then broken in rev 1.125.

PR:		6177
2000-10-26 12:18:13 +00:00
Luigi Rizzo
1f8ed85239 Close PR22152 and PR19511 -- correct the naming of a variable 2000-10-26 00:16:12 +00:00
Ruslan Ermilov
8829f4ee0b We now keep the ip_id field in network byte order all the
time, so there is no need to make the distinction between
ip_output() and ip_input() cases.

Reviewed by:	silence on freebsd-net
2000-10-25 10:56:41 +00:00
Jun-ichiro itojun Hagino
d31944e6ec be careful on mbuf overrun on ctlinput.
short icmp6 packet may be able to panic the kernel.
sync with kame.
2000-10-23 07:11:01 +00:00
Ruslan Ermilov
cc22c7a746 Save a few CPU cycles in IP fragmentation code. 2000-10-20 14:10:37 +00:00
Josef Karthauser
5da9f8fa97 Augment the 'ifaddr' structure with a 'struct if_data' to keep
statistics on a per network address basis.

Teach the IPv4 and IPv6 input/output routines to log packets/bytes
against the network address connected to the flow.

Teach netstat to display the per-address stats for IP protocols
when 'netstat -i' is evoked, instead of displaying the per-interface
stats.
2000-10-19 23:15:54 +00:00
Ruslan Ermilov
f136389613 A failure to allocate memory for auxiliary TCP data is now fatal.
This fixes a null pointer dereference problem that is unlikely to
happen in normal circumstances.
2000-10-19 10:44:44 +00:00
Ruslan Ermilov
0531ca1fd8 If we do not byte-swap the ip_id in the first place, don't do it in
the second.  NetBSD (from where I've taken this originally) needs
to fix this too.
2000-10-18 11:36:09 +00:00
Ruslan Ermilov
487bdb3855 Backout my wrong attempt to fix the compilation warning in ip_input.c
and instead reapply the revision 1.49 of mbuf.h, i.e.

Fixed regression of the type of the `header' member of struct pkthdr from
`void *' to caddr_t in rev.1.51.  This mainly caused an annoying warning
for compiling ip_input.c.

Requested by:	bde
2000-10-12 16:33:41 +00:00
Ruslan Ermilov
e6c89c1bd2 Fix the compilation warning. 2000-10-12 10:42:32 +00:00
Ruslan Ermilov
bc95ac80b2 Allow for IP_FW_ADD to be used in getsockopt(2) incarnation as
well, in which case return the rule number back into userland.

PR:		bin/18351
Reviewed by:	archie, luigi
2000-10-12 07:59:14 +00:00
Alfred Perlstein
abbfaeb87b Remove headers not needed.
Pointed out by: phk
2000-10-07 23:15:17 +00:00
Ruslan Ermilov
c0752e1657 As we now may check the TCP header window field, make sure we pullup
enough into the mbuf data area.  Solve this problem once and for all
by pulling up the entire (standard) header for TCP and UDP, and four
bytes of header for ICMP (enough for type, code and cksum fields).
2000-10-06 12:12:09 +00:00
Ruslan Ermilov
60f9125458 Added the missing ntohs() conversion when matching IP packet with
the IP_FW_IF_IPID rule.  (We have recently decided to keep the
ip_id field in network byte order inside the kernel, see revision
1.140 of src/sys/netinet/ip_input.c).

I did not like to have the conversion happen in userland, and I
think that the similar conversions for fw_tcp(seq|ack|win) should
be moved out of userland (src/sbin/ipfw/ipfw.c) into the kernel.
2000-10-03 12:18:11 +00:00
Jonathan Lemon
d17e895b5f If TCPDEBUG is defined, we could dereference a tp which was freed. 2000-10-02 15:00:13 +00:00
Ruslan Ermilov
c7f95f5372 A bit of indentation reformatting. 2000-10-02 13:13:24 +00:00
Bill Fumerola
9ad30943aa Add new fields for more granularity:
IP: version, tos, ttl, len, id
	TCP: seq#, ack#, window size

Reviewed by:  silence on freebsd-{net,ipfw}
2000-10-02 03:33:31 +00:00
Bill Fumerola
98b829924f Add new fields for more granularity:
IP: version, tos, ttl, len, id
	TCP: seq#, ack#, window size

Reviewed by:	silence on freebsd-{net,ipfw}
2000-10-02 03:03:31 +00:00
Ruslan Ermilov
3ea420e391 Document that net.inet.ip.fw.one_pass only affects dummynet(4).
Noticed by:	Peter Jeremy<peter.jeremy@alcatel.com.au>
2000-09-29 08:39:06 +00:00
Kris Kennaway
be515d91ad Use stronger random number generation for TCP_ISSINCR and tcp_iss.
Reviewed by:	peter, jlemon
2000-09-29 01:37:19 +00:00
Bosko Milekic
9d8c8a672c Finally make do_tcpdrain sysctl live under correct parent, _net_inet_tcp,
as opposed to _debug. Like before, default value remains 1.
2000-09-25 23:40:22 +00:00
Ruslan Ermilov
0122d6f195 Fixed the calculations with UDP header length field.
The field is in network byte order and contains the
size of the header.

Reviewed by:	brian
2000-09-21 06:52:59 +00:00
Kenjiro Cho
e645a1ca27 change the evaluation order of the rsvp socket in rsvp_input()
in favor of the new-style per-vif socket.

this does not affect the behavior of the ISI rsvpd but allows
another rsvp implementation (e.g., KOM rsvp) to take advantage
of the new style for particular sockets while using the old style
for others.

in the future, rsvp supporn should be replaced by more generic
router-alert support.

PR:		kern/20984
Submitted by:	Martin Karsten <Martin.Karsten@KOM.tu-darmstadt.de>
Reviewed by:	kjc
2000-09-17 13:50:12 +00:00
Poul-Henning Kamp
e4bdf25dc8 Properly jail UDP sockets. This is quite a bit more tricky than TCP.
This fixes a !root userland panic, and some cases where the wrong
interface was chosen for a jailed UDP socket.

PR:		20167, 19839, 20946
2000-09-17 13:35:42 +00:00
Poul-Henning Kamp
24b261c720 Reverse last commit, a better fix has been found. 2000-09-17 13:34:18 +00:00
Poul-Henning Kamp
e2cabba9d7 Make sure UDP sockets are explicitly bind(2)'ed [sic] before we connect(2)
them.

PR:     20946
Isolated by:    Aaron Gifford <agifford@infowest.com>
2000-09-17 11:34:33 +00:00
Jonathan Lemon
af1270f87f It is possible for a TCP callout to be removed from the timing wheel,
but have a network interrupt arrive and deactivate the timeout before
the callout routine runs.  Check for this case in the callout routine;
it should only run if the callout is active and not on the wheel.
2000-09-16 00:53:53 +00:00
Ruslan Ermilov
4996f02545 Add -Wmissing-prototypes. 2000-09-15 15:37:16 +00:00
Jonathan Lemon
a8db1d93f1 m_cat() can free its second argument, so collect the checksum information
from the fragment before calling m_cat().
2000-09-14 21:06:48 +00:00
Ruslan Ermilov
e30177e024 Follow BSD/OS and NetBSD, keep the ip_id field in network order all the time.
Requested by:	wollman
2000-09-14 14:42:04 +00:00
Bill Fumerola
95d0db2b40 Fix screwup in previous commit. 2000-09-12 02:38:05 +00:00
Archie Cobbs
6612c70eb1 Don't do snd_nxt rollback optimization (rev. 1.46) for SYN packets.
It causes a panic when/if snd_una is incremented elsewhere (this
is a conservative change, because originally no rollback occurred
for any packets at all).

Submitted by:	Vivek Sadananda Pai <vivek@imimic.com>
2000-09-11 19:11:33 +00:00
Alfred Perlstein
b47ce7f5cb Forget to include sysctl.h
Submitted by: des
2000-09-09 18:47:46 +00:00
Alfred Perlstein
34b94e8b82 Accept filter maintainance
Update copyrights.

Introduce a new sysctl node:
  net.inet.accf

Although acceptfilters need refcounting to be properly (safely) unloaded
as a temporary hack allow them to be unloaded if the sysctl
net.inet.accf.unloadable is set, this is really for developers who want
to work on thier own filters.

A near complete re-write of the accf_http filter:
  1) Parse check if the request is HTTP/1.0 or HTTP/1.1 if not dump
     to the application.
     Because of the performance implications of this there is a sysctl
     'net.inet.accf.http.parsehttpversion' that when set to non-zero
     parses the HTTP version.
     The default is to parse the version.
  2) Check if a socket has filled and dump to the listener
  3) optimize the way that mbuf boundries are handled using some voodoo
  4) even though you'd expect accept filters to only be used on TCP
     connections that don't use m_nextpkt I've fixed the accept filter
     for socket connections that use this.

This rewrite of accf_http should allow someone to use them and maintain
full HTTP compliance as long as net.inet.accf.http.parsehttpversion is
set.
2000-09-06 18:49:13 +00:00
Bill Fumerola
4897e8320e 1. IP_FW_F_{UID,GID} are _not_ commands, they are extras. The sanity checking
for them does not belong in the IP_FW_F_COMMAND switch, that mask doesn't even
apply to them(!).

2. You cannot add a uid/gid rule to something that isn't TCP, UDP, or IP.

XXX - this should be handled in ipfw(8) as well (for more diagnostic output),
but this at least protects bogus rules from being added.

Pointy hat:	green
2000-09-06 03:10:42 +00:00
Ruslan Ermilov
76e6ebd64e Match IPPROTO_ICMP with IP protocol field of the original IP
datagram embedded into ICMP error message, not with protocol
field of ICMP message itself (which is always IPPROTO_ICMP).

Pointed by:	Erik Salander <erik@whistle.com>
2000-09-01 16:38:53 +00:00
Ruslan Ermilov
04287599db Fixed broken ICMP error generation, unified conversion of IP header
fields between host and network byte order.  The details:

o icmp_error() now does not add IP header length.  This fixes the problem
  when icmp_error() is called from ip_forward().  In this case the ip_len
  of the original IP datagram returned with ICMP error was wrong.

o icmp_error() expects all three fields, ip_len, ip_id and ip_off in host
  byte order, so DTRT and convert these fields back to network byte order
  before sending a message.  This fixes the problem described in PR 16240
  and PR 20877 (ip_id field was returned in host byte order).

o ip_ttl decrement operation in ip_forward() was moved down to make sure
  that it does not corrupt the copy of original IP datagram passed later
  to icmp_error().

o A copy of original IP datagram in ip_forward() was made a read-write,
  independent copy.  This fixes the problem I first reported to Garrett
  Wollman and Bill Fenner and later put in audit trail of PR 16240:
  ip_output() (not always) converts fields of original datagram to network
  byte order, but because copy (mcopy) and its original (m) most likely
  share the same mbuf cluster, ip_output()'s manipulations on original
  also corrupted the copy.

o ip_output() now expects all three fields, ip_len, ip_off and (what is
  significant) ip_id in host byte order.  It was a headache for years that
  ip_id was handled differently.  The only compatibility issue here is the
  raw IP socket interface with IP_HDRINCL socket option set and a non-zero
  ip_id field, but ip.4 manual page was unclear on whether in this case
  ip_id field should be in host or network byte order.
2000-09-01 12:33:03 +00:00
Ruslan Ermilov
816fa7febc Changed the way we handle outgoing ICMP error messages -- do
not alias `ip_src' unless it comes from the host an original
datagram that triggered this error message was destined for.

PR:		20712
Reviewed by:	brian, Charles Mott <cmott@scientech.com>
2000-09-01 09:32:44 +00:00
Ruslan Ermilov
0ac308534e Grab ADJUST_CHECKSUM() macro from alias_local.h. 2000-08-31 12:54:55 +00:00
Ruslan Ermilov
305d10699e Create aliasing links for incoming ICMP echo/timestamp requests.
This makes outgoing ICMP echo/timestamp replies to be de-aliased
with the right source IP, not exactly the primary aliasing IP.
2000-08-31 12:47:57 +00:00
Ruslan Ermilov
3e065e76ac Fixed the bug that div_bind() always returned zero
even if there was an error (broken in rev 1.9).
2000-08-30 14:43:02 +00:00
Ruslan Ermilov
2160daba07 Backout the hack in rev 1.71, I am working on a better patch
that should cover almost all inconsistencies in ICMP error
generation.
2000-08-30 08:28:06 +00:00
Andrey A. Chernov
d9e630b592 strtok -> strsep (no strtok allowed in libraries)
add unsigned char cast to ctype macro
2000-08-29 21:34:55 +00:00
Darren Reed
473998719e Apply appropriate patch.
PR:		20877
Submitted by:	Frank Volf (volf@oasis.IAEhv.nl)
2000-08-29 10:41:55 +00:00
Archie Cobbs
11840b0692 Remove obsolete comment. 2000-08-22 00:32:52 +00:00
Bruce Evans
4153a3a323 Fixed a missing splx() in if_addmulti(). Was broken in rev.1.28. 2000-08-19 22:10:10 +00:00
Jun-ichiro itojun Hagino
d1d1144bd7 repair endianness issue in IN_MULTICAST().
again, *BSD difference...

From: Nick Sayer <nsayer@quack.kfu.com>
2000-08-15 07:34:08 +00:00
Ruslan Ermilov
a05f06d79f Fixed PunchFW code segmentation violation bug.
Reported by:	Christian Schade <chris@cube.sax.de>
2000-08-14 15:24:47 +00:00
Ruslan Ermilov
b834663f47 Use queue(3) LIST_* macros for doubly-linked lists. 2000-08-14 14:18:16 +00:00
Darren Reed
5e90b39cba resolve conflicts 2000-08-13 04:31:06 +00:00
Ruslan Ermilov
0eb10a0963 - Do not modify Peer's Call ID in outgoing Incoming-Call-Connected
PPTP control messages.

- Cosmetics: replace `GRE link' with `PPTP link'.

Reviewed by:	Erik Salander <erik@whistle.com>
2000-08-09 11:25:44 +00:00
Ruslan Ermilov
934a4fb381 Adjust TCP checksum rather than compute it afresh.
Submitted by:	Erik Salander <erik@whistle.com>
2000-08-07 09:51:04 +00:00
Archie Cobbs
7734ea0612 Improve performance in the case where ip_output() returns an error.
When this happens, we know for sure that the packet data was not
received by the peer. Therefore, back out any advancing of the
transmit sequence number so that we send the same data the next
time we transmit a packet, avoiding a guaranteed missed packet and
its resulting TCP transmit slowdown.

In most systems ip_output() probably never returns an error, and
so this problem is never seen. However, it is more likely to occur
with device drivers having short output queues (causing ENOBUFS to
be returned when they are full), not to mention low memory situations.

Moreover, because of this problem writers of slow devices were
required to make an unfortunate choice between (a) having a relatively
short output queue (with low latency but low TCP bandwidth because
of this problem) or (b) a long output queue (with high latency and
high TCP bandwidth). In my particular application (ISDN) it took
an output queue equal to ~5 seconds of transmission to avoid ENOBUFS.
A more reasonable output queue of 0.5 seconds resulted in only about
50% TCP throughput. With this patch full throughput was restored in
the latter case.

Reviewed by:	freebsd-net
2000-08-03 23:23:36 +00:00
Ruslan Ermilov
cec335f937 Make netstat(1) to be aware of divert(4) sockets. 2000-08-03 14:09:52 +00:00
Ollivier Robert
c34f578dd2 Change __FreeBSD_Version into the proper __FreeBSD_version.
Submitted by:	Alain.Thivillon@hsc.fr (Alain Thivillon) (for ip_fil.c)
2000-08-01 17:14:38 +00:00
Andrey A. Chernov
a089741a74 Add missing '0' to FreeBSD_version test: 50011 -> 500011 2000-08-01 00:04:24 +00:00
Andrey A. Chernov
c85540dd55 Nonexistent <sys/pfil.h> -> <net/pfil.h>
Kernel 'make depend' fails otherwise
2000-07-31 23:41:47 +00:00
Sheldon Hearn
71845bffc3 Whitespace only:
Fix an overlong line and trailing whitespace that crept in, in the
previous commit.
2000-07-31 13:49:21 +00:00
Darren Reed
c4ac87ea1c activate pfil_hooks and covert ipfilter to use it 2000-07-31 13:11:42 +00:00
Archie Cobbs
642e43b39b Add address translation support for RTSP/RTP used by RealPlayer and
Quicktime streaming media applications.

Add a BUGS section to the man page.

Submitted by:	Erik Salander <erik@whistle.com>
2000-07-26 23:15:46 +00:00
Jayanth Vijayaraghavan
e7f3269307 When a connection is being dropped due to a listen queue overflow,
delete the cloned route that is associated with the connection.
This does not exhaust the routing table memory when the system
is under a SYN flood attack. The route entry is not deleted if there
is any prior information cached in it.

Reviewed by: Peter Wemm,asmodai
2000-07-21 23:26:37 +00:00
Darren Reed
72130853fb fix conflicts 2000-07-19 14:02:09 +00:00
Sheldon Hearn
571214d4fe Fix a comment which was broken in rev 1.36.
PR:		19947
Submitted by:	Tetsuya Isaki <isaki@net.ipc.hiroshima-u.ac.jp>
2000-07-18 16:43:29 +00:00
Luigi Rizzo
e07e817462 close PR 19544 - ipfw pipe delete causes panic when no pipes defined
PR: 19544
2000-07-17 20:03:27 +00:00
David Malone
cc72822764 Extra sanity check when arp proxyall is enabled. Don't send an arp
reply if the requesting machine isn't on the interface we believe
it should be. Prevents arp wars when you plug cables in the wrong
way around.

PR:		9848
Submitted by:	Ian Dowse <iedowse@maths.tcd.ie>
Not objected to by:	wollman
2000-07-13 19:31:01 +00:00
Jayanth Vijayaraghavan
7d20010979 re-enable the tcp newreno code. 2000-07-12 22:00:46 +00:00
Jun-ichiro itojun Hagino
f38211642f remove m_pulldown statistics, which is highly experimental and does not
belong to *bsd-merged tree
2000-07-12 16:39:13 +00:00
Jun-ichiro itojun Hagino
b474779f46 be more cautious about tcp option length field. drop bogus ones earlier.
not sure if there is a real threat or not, but it seems that there's
possibility for overrun/underrun (like non-NOP option with optlen > cnt).
2000-07-09 13:01:59 +00:00
Jun-ichiro itojun Hagino
686cdd19b1 sync with kame tree as of july00. tons of bug fixes/improvements.
API changes:
- additional IPv6 ioctls
- IPsec PF_KEY API was changed, it is mandatory to upgrade setkey(8).
  (also syntax change)
2000-07-04 16:35:15 +00:00
Poul-Henning Kamp
77978ab8bc Previous commit changing SYSCTL_HANDLER_ARGS violated KNF.
Pointed out by:	bde
2000-07-04 11:25:35 +00:00
Poul-Henning Kamp
82d9ae4e32 Style police catches up with rev 1.26 of src/sys/sys/sysctl.h:
Sanitize SYSCTL_HANDLER_ARGS so that simplistic tools can grog our
sources:

        -sysctl_vm_zone SYSCTL_HANDLER_ARGS
        +sysctl_vm_zone (SYSCTL_HANDLER_ARGS)
2000-07-03 09:35:31 +00:00
Ruslan Ermilov
36e6576b44 Fixed PunchFWHole():
- ipfw always rejected rule with `neither in nor out' diagnostics.
- number of src/dst ports was not set properly.
2000-06-27 14:56:07 +00:00
Ruslan Ermilov
d15583713a - Removed PacketAliasPptp() API function.
- SHLIB_MAJOR++.
2000-06-20 13:07:52 +00:00
Ruslan Ermilov
55a39fc5a2 Added true support for PPTP aliasing. Some nice features include:
- Multiple PPTP clients behind NAT to the same or different servers.

- Single PPTP server behind NAT -- you just need to redirect TCP
  port 1723 to a local machine.  Multiple servers behind NAT is
  possible but would require a simple API change.

- No API changes!

For more information on how this works see comments at the start of
the alias_pptp.c.

PacketAliasPptp() is no longer necessary and will be removed soon.

Submitted by:	Erik Salander <erik@whistle.com>
Reviewed by:	ru
Rewritten by:	ru
Reviewed by:	Erik Salander <erik@whistle.com>
2000-06-20 11:41:48 +00:00
Alfred Perlstein
a79b71281c return of the accept filter part II
accept filters are now loadable as well as able to be compiled into
the kernel.

two accept filters are provided, one that returns sockets when data
arrives the other when an http request is completed (doesn't work
with 0.9 requests)

Reviewed by: jmg
2000-06-20 01:09:23 +00:00
Ruslan Ermilov
b766604065 - Improved passive mode FTP support by aliasing 229 replies.
- Stricter checking of PORT/EPRT/227/229 messages format.
- Moved all security checks into one place.
2000-06-16 20:36:16 +00:00
Ruslan Ermilov
7652512976 - Added support for passive mode FTP by aliasing 227 replies.
It does mean that it is now possible to run passive-mode FTP
  server behind NAT.

- SECURITY: FTP aliasing engine now ensures that:
  o the segment preceding a PORT/227 segment terminates with a \r\n;
  o the IP address in the PORT/227 matches the source IP address of
    the packet;
  o the port number in the PORT command or 277 reply is greater than
    or equal to 1024.

Submitted by:	Erik Salander <erik@whistle.com>
Reviewed by:	ru
2000-06-14 16:09:35 +00:00
Luigi Rizzo
8a0b95d610 Fix behaviour of "ipfw pipe show" -- previous code gave
ambiguous data to the userland program (kernel operation was
safe, anyways).
2000-06-14 10:07:22 +00:00
Dan Moschuk
9714563d83 Add tcpoptions to ipfw. This works much in the same way as ipoptions do.
It also squashes 99% of packet kiddie synflood orgies.  For example, to
rate syn packets without MSS,

ipfw pipe 10 config 56Kbit/s queue 10Packets
ipfw add pipe 10 tcp from any to any in setup tcpoptions !mss

Submitted by:  Richard A. Steenbergen <ras@e-gerbil.net>
2000-06-08 15:34:51 +00:00
Luigi Rizzo
5d3fe434f8 Implement WF2Q+ in dummynet. 2000-06-08 09:45:23 +00:00
Jonathan Lemon
707d00a304 Add boundary checks against IP options.
Obtained from:	OpenBSD
2000-06-02 20:18:38 +00:00
Jonathan Lemon
59f577ad8c When attempting to transmit a packet, if the system fails to allocate
a mbuf, it may return without setting any timers.  If no more data is
scheduled to be transmitted (this was a FIN) the system will sit in
LAST_ACK state forever.

Thus, when mbuf allocation fails, set the retransmit timer if neither
the retransmit or persist timer is already pending.

Problem discovered by:  Mike Silbersack (silby@silby.com)
Pushed for a fix by:    Bosko Milekic <bmilekic@dsuper.net>
Reviewed by:            jayanth
2000-06-02 17:38:45 +00:00
Darren Reed
6de9811ef7 define CSUM_DELAY_DATA to match merge 2000-05-26 07:28:03 +00:00
Jake Burkholder
e39756439c Back out the previous change to the queue(3) interface.
It was not discussed and should probably not happen.

Requested by:		msmith and others
2000-05-26 02:09:24 +00:00
Darren Reed
f1beb78299 fix up #ifdef jungle for FreeBSD 2000-05-25 16:24:46 +00:00
Darren Reed
6774c05335 remove duplicate prototypes 2000-05-25 16:23:30 +00:00
Jonathan Lemon
50c6dc99d8 Mark the checksum as complete when looping back multicast packets.
Submitted by:	Jeff Gibbons <jgibbons@n2.net>
2000-05-25 02:27:14 +00:00
Archie Cobbs
06a429a3c8 Just need to pass the address family to if_simloop(), not the whole sockaddr. 2000-05-24 21:16:56 +00:00
Darren Reed
a4f66d8f4c fix duplicate rcsid's 2000-05-24 19:38:17 +00:00
Bruce Evans
582a77606f Fixed some style bugs (mainly convoluted logic for blackhole processing). 2000-05-24 12:57:52 +00:00
Peter Wemm
ebb6049b1f It would have been nice if this actually compiled. Close the header
comment */.
2000-05-24 09:08:55 +00:00
Darren Reed
6e067727a7 fix up conflicts 2000-05-24 04:40:17 +00:00
Darren Reed
255c925eef fix conflicts 2000-05-24 04:21:35 +00:00
Darren Reed
6dda709260 fix conflicts 2000-05-24 04:09:13 +00:00
Darren Reed
8982edd714 fix conflicts 2000-05-24 04:01:49 +00:00
Darren Reed
d2138b8dd4 fix conflicts 2000-05-24 04:01:30 +00:00
Darren Reed
329247db38 fix conflicts 2000-05-24 03:43:24 +00:00
Darren Reed
fe646be69a fix conflicts 2000-05-24 03:17:16 +00:00
Jake Burkholder
740a1973a6 Change the way that the queue(3) structures are declared; don't assume that
the type argument to *_HEAD and *_ENTRY is a struct.

Suggested by:	phk
Reviewed by:	phk
Approved by:	mdodd
2000-05-23 20:41:01 +00:00
Dan Moschuk
4f14ee00f2 sysctl'ize ICMP_BANDLIM and ICMP_BANDLIM_SUPPRESS_OUTPUT.
Suggested by: des/nbm
2000-05-22 16:12:28 +00:00
Dan Moschuk
fcdc02160f Add option ICMP_BANDLIM_SUPPRESS_OUTPUT to the mix. With this option,
badport_bandlim() will not muck up your console with printf() messages.
2000-05-22 15:00:41 +00:00
Jonathan Lemon
1c23847582 Compute the checksum before handing the packet off to IPFilter.
Tested by:  Cy Schubert <Cy.Schubert@uumail.gov.bc.ca>
2000-05-21 21:26:06 +00:00
Peter Wemm
ff079ca4b1 Return ECONNRESET instead of EINVAL if the connection has been shot
down as a result of a reset.  Returning EINVAL in that case makes no
sense at all and just confuses people as to what happened.  It could be
argued that we should save the original address somewhere so that
getsockname() etc can tell us what it used to be so we know where the
problem connection attempts are coming from.
2000-05-19 00:55:21 +00:00
Jayanth Vijayaraghavan
d841727499 snd_cwnd was updated twice in the tcp_newreno function. 2000-05-18 21:21:42 +00:00
Jayanth Vijayaraghavan
75c6e0e253 Sigh, fix a rookie patch merge error.
Also-missed-by:	peter
2000-05-17 06:55:00 +00:00
Jonathan Lemon
5d5d5fc0bf Cast sizeof() calls to be of type (int) when they appear in a signed
integer expression.  Otherwise the sizeof() call will force the expression
to be evaluated as unsigned, which is not the intended behavior.

Obtained from:  NetBSD   (in a different form)
2000-05-17 04:05:07 +00:00
Jayanth Vijayaraghavan
6b2a5f92ba snd_una was being updated incorrectly, this resulted in the newreno
code retransmitting data from the wrong offset.

As a footnote, the newreno code was partially derived from NetBSD
and Tom Henderson <tomh@cs.berkeley.edu>
2000-05-16 03:13:59 +00:00
Ruslan Ermilov
3a06e3e02c Do not call icmp_error() if ipfirewall(4) denied packet.
PR:		kern/10747, kern/18382
2000-05-15 18:41:01 +00:00
Archie Cobbs
2e2de7f23f Move code to handle BPF and bridging for incoming Ethernet packets out
of the individual drivers and into the common routine ether_input().
Also, remove the (incomplete) hack for matching ethernet headers
in the ip_fw code.

The good news: net result of 1016 lines removed, and this should make
bridging now work with *all* Ethernet drivers.

The bad news: it's nearly impossible to test every driver, especially
for bridging, and I was unable to get much testing help on the mailing
lists.

Reviewed by:	freebsd-net
2000-05-14 02:18:43 +00:00
Jayanth Vijayaraghavan
4aae1da6dd Temporarily turn off the newreno flag until we can track down the known
data corruption problem.
2000-05-11 22:28:28 +00:00
Brian Somers
151682eadc Revert the default behaviour for incoming connections so
that they (once again) go to the target machine rather than
the alias address.

PR:		18354
Submitted by:	ru
2000-05-11 07:52:21 +00:00
Jun-ichiro itojun Hagino
fdcb8debf6 correct more out-of-bounds memory access, if cnt == 1 and optlen > 1.
similar to recent fix to sys/netinet/ipf.c (by darren).
2000-05-10 01:25:33 +00:00
Darren Reed
68b16578ca Fix bug in dealing with "hlen == 1 and opt > 1" 2000-05-09 23:35:24 +00:00
Paul Saab
88c7d46bdc Add missing include machine/in_cksum.h.
Submitted by:	n_hibma
2000-05-09 16:56:51 +00:00
Kenneth D. Merry
62771f86e3 Include machine/in_cksum.h to unbreak options MROUTING. 2000-05-08 23:56:30 +00:00
Jonathan Lemon
72a52a35b4 Add #include <machine/in_cksum.h>, in order to pick up the checksum
inline functions and prototypes.
2000-05-06 18:19:58 +00:00
Jonathan Lemon
46f5848237 Implement TCP NewReno, as documented in RFC 2582. This allows
better recovery for multiple packet losses in a single window.
The algorithm can be toggled via the sysctl net.inet.tcp.newreno,
which defaults to "on".

Submitted by:  Jayanth Vijayaraghavan <jayanth@yahoo-inc.com>
2000-05-06 03:31:09 +00:00
Paul Richards
7a04c4f85a Force the address of the socket to be INADDR_ANY immediately before
calling in_pcbbind so that in_pcbbind sees a valid address if no
address was specified (since divert sockets ignore them).

PR:		17552
Reviewed by:	Brian
2000-05-02 23:53:46 +00:00
Luigi Rizzo
9078405886 Remove an unnecessary error message 2000-05-02 15:39:36 +00:00
Peter Wemm
365c5db0a7 Add $FreeBSD$ 2000-05-01 20:32:07 +00:00
Ruslan Ermilov
8060760500 Replace PacketAliasRedirectPptp() (which had nothing specific
to PPTP) with more generic PacketAliasRedirectProto().

Major number is not bumped because it is believed that noone
has started using PacketAliasRedirectPptp() yet.
2000-04-28 13:44:49 +00:00
Ruslan Ermilov
5e8fc2d2d3 Spell PacketAliasRedirectAddr() correctly. 2000-04-27 18:06:05 +00:00
Ruslan Ermilov
6d20a77450 Load Sharing using IP Network Address Translation (RFC 2391, LSNAT).
LSNAT links are first created by either PacketAliasRedirectPort() or
PacketAliasRedirectAddress() and then set up by one or more calls to
PacketAliasAddServer().
2000-04-27 17:37:03 +00:00
Yoshinobu Inoue
34e3e010b6 Let initialize th_sum before in6_cksum(), again.
Without this fix, all IPv6 TCP RST packet has wrong cksum value,
so IPv6 connect() trial to 5.0 machine won't fail until tcp connect timeout,
when they should fail soon.

Thanks to haro@tk.kubota.co.jp (Munehiro Matsuda) for his much debugging
help and detailed info.
2000-04-19 15:05:00 +00:00
Poul-Henning Kamp
3389ae9350 Remove ~25 unneeded #include <sys/conf.h>
Remove ~60 unneeded #include <sys/malloc.h>
2000-04-19 14:58:28 +00:00
Ruslan Ermilov
483d2f2296 Add support for multiple PPTP sessions:
- new API function: PacketAliasRedirectPptp()
- new mode bit: PKT_ALIAS_DENY_PPTP

Please see manual page for details.
2000-04-18 10:18:21 +00:00
Munechika SUMIKAWA
5e0ab69d23 ND6_HINT() should not be called unless the connection status is
ESTABLISHED.

Obtained from:	KAME Project
2000-04-17 20:27:02 +00:00
Ruslan Ermilov
b5e819ec23 Apply TCP_EXPIRE_CONNECTED (86400 seconds) timeout only to established
connections, after SYN packets were seen from both ends.  Before this,
it would get applied right after the first SYN packet was seen (either
from client or server).  With broken TCP connection attempts, when the
remote end does not respond with SYNACK nor with RST, this resulted in
having a useless (ie, no actual TCP connection associated with it) TCP
link with 86400 seconds TTL, wasting system memory.  With high rate of
such broken connection attempts (for example, remote end simply blocks
these connection attempts with ipfw(8) without sending RST back), this
could result in a denial-of-service.

PR:		bin/17963
2000-04-14 15:34:55 +00:00
Ruslan Ermilov
a29006665c A complete reformatting of manual page. 2000-04-13 14:04:01 +00:00
Ruslan Ermilov
f167e54283 Make partially specified permanent links without `dst_addr'
but with `dst_port' work for outgoing packets.

This case was not handled properly when I first fixed this
in revision 1.17.

This change is also required for the upcoming improved PPTP
support patches -- that is how I found the problem.

Before this change:

# natd -v -a aliasIP \
  -redirect_port tcp localIP:localPORT publicIP:publicPORT 0:remotePORT

Out [TCP]  [TCP] localIP:localPORT -> remoteIP:remotePORT aliased to
           [TCP] aliasIP:localPORT -> remoteIP:remotePORT

After this change:

# natd -v -a aliasIP \
  -redirect_port tcp localIP:localPORT publicIP:publicPORT 0:remotePORT

Out [TCP]  [TCP] localIP:localPORT -> remoteIP:remotePORT aliased to
           [TCP] publicIP:publicPORT -> remoteIP:remotePORT
2000-04-12 18:44:50 +00:00
Wes Peters
732f6a4376 PR: kern/17872
Submitted by:	csg@waterspout.com (C. Stephen Gunn)
2000-04-11 06:55:09 +00:00
Ruslan Ermilov
67b333b7e4 - Add support for FTP EPRT (RFC 2428) command.
- Minor optimizations.
- Minor spelling fixes.

PR:		14305
Submitted by:	ume
Rewritten by:	ru
2000-04-06 15:54:52 +00:00
Ruslan Ermilov
680c8244a9 - Remove unused includes.
- Minor spelling fixes.
- Make IcmpAliasOut2() really work.

Before this change:

# natd -v -n PUB_IFACE -p 12345 -redirect_address 192.168.1.1 P.P.P.P
natd[87923]: Aliasing to A.A.A.A, mtu 1500 bytes
In  [UDP]  [UDP] X.X.X.X:49562 -> P.P.P.P:50000 aliased to
           [UDP] X.X.X.X:49562 -> 192.168.1.1:50000
Out [ICMP] [ICMP] 192.168.1.1 -> X.X.X.X 3(3) aliased to
           [ICMP] A.A.A.A -> X.X.X.X 3(3)

# tcpdump -n -t -i PUB_IFACE host X.X.X.X and "(udp or icmp)"
tcpdump: listening on PUB_IFACE
X.X.X.X.49562 > P.P.P.P.50000: udp 3
A.A.A.A > X.X.X.X: icmp: A.A.A.A udp port 50000 unreachable

After this change:

# natd -v -n PUB_IFACE -p 12345 -redirect_address 192.168.1.1 P.P.P.P
natd[89360]: Aliasing to A.A.A.A, mtu 1500 bytes
In  [UDP]  [UDP] X.X.X.X:49563 -> P.P.P.P:50000 aliased to
           [UDP] X.X.X.X:49563 -> 192.168.1.1:50000
Out [ICMP] [ICMP] 192.168.1.1 -> X.X.X.X 3(3) aliased to
           [ICMP] P.P.P.P -> X.X.X.X 3(3)

# tcpdump -n -t -i PUB_IFACE host X.X.X.X and "(udp or icmp)"
tcpdump: listening on PUB_IFACE
X.X.X.X.49563 > P.P.P.P.50000: udp 3
P.P.P.P > X.X.X.X: icmp: P.P.P.P udp port 50000 unreachable
2000-04-05 14:27:34 +00:00
Ruslan Ermilov
79eef4b611 - Moved NULL definition into private include file.
- Minor spelling fixes.
2000-04-05 14:23:42 +00:00
Ruslan Ermilov
91cc2995af Minor spelling fixes. 2000-04-05 07:45:39 +00:00
Brian Somers
3e6ac25bd6 Correct Charles Mott's email address
Requested by: Charles Mott <cmott@scientech.com>
2000-04-02 20:16:45 +00:00
Yoshinobu Inoue
7cba257ae5 Move htons() ip_len to after the in_delayed_cksum() call.
This should stop cksum error messages on IPsec communication
which was reported on freebsd-current.

Reviewed by: jlemon
2000-04-02 16:18:26 +00:00
Paul Saab
75daea9395 Try and make the kernel build again without INET6. 2000-04-02 03:49:25 +00:00
Yoshinobu Inoue
fdaf052eb3 Support per socket based IPv4 mapped IPv6 addr enable/disable control.
Submitted by: ume
2000-04-01 22:35:47 +00:00
Jonathan Lemon
ea53ecd9d4 Calculate any delayed checksums before handing an mbuf off to a
divert socket.  This fixes a problem with ppp/natd.

Reviewed by:	bsd	(Brian Dean, gotta love that login name)
2000-04-01 18:51:03 +00:00
Brian Somers
5dd44916b7 Allow PacketAliasSetTarget() to be passed the following:
INADDR_NONE:   Incoming packets go to the alias address (the default)
  INADDR_ANY:    Incoming packets are not NAT'd (direct access to the
                 internal network from outside)
  anything else: Incoming packets go to the specified address

Change a few inaddr::s_addr == 0 to inaddr::s_addr == INADDR_ANY
while I'm there.
2000-03-31 20:36:29 +00:00
Brian Somers
1c4e6d2544 When an incoming packet is received that is not specifically
redirected and when no target address has been specified, NAT
the destination address to the alias address rather than
allowing people direct access to your internal network from
outside.
2000-03-31 14:03:37 +00:00
Jonathan Lemon
20c822f399 If `ipfw fwd' loops an mbuf back to ip_input from ip_output and the
mbuf is marked for delayed checksums, then additionally mark the
packet as having it's checksums computed.  This allows us to bypass
computing/checking the checksum entirely, which isn't really needeed
as the packet has never hit the wire.

Reviewed by:		green
2000-03-30 02:16:40 +00:00
Joerg Wunsch
f72d9d83f5 Peter Johnson found another log() call without a trailing newline.
All three of them have been introduced in rev 1.64, so i guess i've
got all of them now. :)

Submitted by:	Peter Johnson <locke@mcs.net>
2000-03-29 07:50:39 +00:00
Joerg Wunsch
e44d62832c Added two missing newlines in calls to log(9).
Reported in Usenet by: locke@mcs.net (Peter Johnson)

While i was at it, prepended a 0x to the %D output, to make it clear that
the printed value is in hex (i assume %D has been chosen over %#x to
obey network byte order).
2000-03-28 21:14:35 +00:00
Jonathan Lemon
db4f9cc703 Add support for offloading IP/TCP/UDP checksums to NIC hardware which
supports them.
2000-03-27 19:14:27 +00:00
Matthew Dillon
84365e2bcb Fix parens in m_pullup() line in arp handling code. The code was
improperly doing the equivalent of (m = (function() == NULL)) instead
    of ((m = function()) == NULL).

    This fixes a NULL pointer dereference panic with runt arp packets.
2000-03-23 18:58:59 +00:00
Brian Feldman
333aa64d05 in6_pcb.c:
Remove a bogus (redundant, just weird, etc.) key_freeso(so).
	There are no consumers of it now, nor does it seem there
	ever will be.

in6?_pcb.c:
	Add an if (inp->in6?p_sp != NULL) before the call to
	ipsec[46]_delete_pcbpolicy(inp).  In low-memory conditions
	this can cause a crash because in6?_sp can be NULL...
2000-03-22 02:27:30 +00:00
Larry Lile
b149dd6c66 o Replace most magic numbers related to token ring with #defines
from iso88025.h.

o Add minimal llc support to iso88025_input.

o Clean up most of the source routing code.

* Submitted by: Nikolai Saoukh <nms@otdel-1.org>
2000-03-19 21:34:39 +00:00
Brian Somers
9da582e318 Make _FindLinkIn() static and only define GetDestPort when
NO_FW_PUNCH isn't defined.
2000-03-19 09:11:05 +00:00
Ruslan Ermilov
d137714f11 Fix reporting of src and dst IP addresses for ICMP and generic IP packets.
PR:		17319
Submitted by:	Mike Heffner <spock@techfour.net>
2000-03-14 14:11:53 +00:00
Yoshinobu Inoue
820b57927e Disable IPv4 over IPv4 tunnel on the 6to4 interface for better security.
Approved by: jkh
2000-03-11 22:11:57 +00:00
Yoshinobu Inoue
4739b8076f IPv6 6to4 support.
Now most big problem of IPv6 is getting IPv6 address
   assignment.
   6to4 solve the problem. 6to4 addr is defined like below,

          2002: 4byte v4 addr : 2byte SLA ID : 8byte interface ID

   The most important point of the address format is that an IPv4 addr
   is embeded in it. So any user who has IPv4 addr can get IPv6 address
   block with 2byte subnet space. Also, the IPv4 addr is used for
   semi-automatic IPv6 over IPv4 tunneling.

   With 6to4, getting IPv6 addr become dramatically easy.
   The attached patch enable 6to4 extension, and confirmed to work,
   between "Richard Seaman, Jr." <dick@tar.com> and me.

Approved by: jkh

Reviewed by: itojun
2000-03-11 11:17:24 +00:00
Robert Watson
76ec7b2f60 The function arpintr() incorrectly checks m->m_len to detect incomplete
ARP packets. This can incorrectly reject complete frames since the frame
could be stored in more than one mbuf.

The following patches fix the length comparisson, and add several
diagnostic log messages to the interrupt handler for out-of-the-norm ARP
packets. This should make ARP problems easier to detect, diagnose and
fix.

Submitted by:	C. Stephen Gunn <csg@waterspout.com>
Approved by:	jkh
Reviewed by:	rwatson
2000-03-11 00:24:29 +00:00
Yoshinobu Inoue
f63e7634ac Initialize mbuf pointer at getting ipsec policy.
Without this, kernel will panic at getsockopt() of IPSEC_POLICY.
Also make compilable libipsec/test-policy.c which tries getsockopt() of
IPSEC_POLICY.

Approved by: jkh

Submitted by: sakane@kame.net
2000-03-09 14:57:16 +00:00
Sheldon Hearn
c6ff3a1bf7 Remove single-space hard sentence breaks. These degrade the quality
of the typeset output, tend to make diffs harder to read and provide
bad examples for new-comers to mdoc.
2000-03-02 09:14:21 +00:00
Luigi Rizzo
da3fc682a7 Fix panic when doing keep-state and "forward".
Removed a redundant check.
Also move check for expired rules before using them.
Sorry for the whitespace changes.

Approved-by: jordan
2000-02-29 17:51:25 +00:00
Paul Saab
f885f63606 Limit the maximum permissible TCP window size to 65535 octets if
window scaling is disabled.

PR:		kern/16914
Submitted by:	Jayanth Vijayaraghavan <jayanth@yahoo-inc.com>
Reviewed by:	wollman
Approved by:	jkh
2000-02-28 21:18:21 +00:00
Alfred Perlstein
47a11f04b3 -it do, among other things, clear out any
+it does, amongst other things, clear out any

The old sentance didn't seem to make sense.
2000-02-28 00:31:18 +00:00
Guido van Rooij
6d37c73e26 Remove option IPFILTER_KLD. In case you wanted to kldload ipfilter,
the module would only work in kernels built with this option.

Approved by:	jkh
2000-02-23 20:11:57 +00:00
Peter Wemm
242c5536ea Clean up some loose ends in the network code, including the X.25 and ISO
#ifdefs.  Clean out unused netisr's and leftover netisr linker set gunk.
Tested on x86 and alpha, including world.

Approved by:	jkh
2000-02-13 03:32:07 +00:00
Luigi Rizzo
f42c0d553a Forgot one line: don't try to match flags when looking for a flow.
Approved-by: jordan
2000-02-11 13:23:14 +00:00
Guido van Rooij
a993ad154a Re add rev 1.11 diffs to ip_fil.h Also discover that I did not undefine
CVS_FUBAR (which no longer exists) and thus forgot to add $FreeBSD's.
Add them.

Approved by: jkh (is part of ipfilter upgrade)
2000-02-10 21:29:11 +00:00
Yoshinobu Inoue
1aa540eb03 Forbid include of soem inet6 header files from wrong place
KAME put INET6 related stuff into sys/netinet6 dir, but IPv6
  standard API(RFC2553) require following files to be under sys/netinet.
    netinet/ip6.h
    netinet/icmp6.h
  Now those header files just include each following files.
    netinet6/ip6.h
    netinet6/icmp6.h

  Also KAME has netinet6/in6.h for easy INET6 common defs
  sharing between different BSDs, but RFC2553 requires only
  netinet/in.h should be included from userland.
  So netinet/in.h also includes netinet6/in6.h inside.

  To keep apps portability, apps should not directly include
  above files from netinet6 dir.
  Ideally, all contents of,
    netinet6/ip6.h
    netinet6/icmp6.h
    netinet6/in6.h
  should be moved into
    netinet/ip6.h
    netinet/icmp6.h
    netinet/in.h
  but to avoid big changes in this stage, add some hack, that
    -Put some special macro define into those files under neitnet
    -Let files under netinet6 cause error if it is included
     from some apps, and, if the specifal macro define is not
     defined.
     (which should have been defined if files under netinet is
     included)
    -And let them print an error message which tells the
     correct name of the include file to be included.

  Also fix apps which includes invalid header files.

Approved by: jkh

Obtained from: KAME project
2000-02-10 19:33:58 +00:00
Luigi Rizzo
9fcc079584 Move definition of fw_enable from ip_fw.c to ip_input.c
so we can compile kernels without IPFIREWALL .

Reported-by: Robert Watson
Approved-by: jordan
2000-02-10 17:56:01 +00:00
Luigi Rizzo
6355710df8 Whoops... forgot braces in a conditional
Revealed-by: diff with -STABLE version (the advantage of having
    multiple lines of development...)
Approved-by: jordan
2000-02-10 16:50:53 +00:00
Luigi Rizzo
6bc748b057 Support the net.inet.ip.fw.enable variable, part of
the recent ipfw modifications.

Approved-by: jordan
2000-02-10 14:19:53 +00:00
Luigi Rizzo
03c612662b Support for stateful (dynamic) ipfw rules. They are very
similar to ipfilter's keep-state.

Look at the updated ipfw(8) manpage for details.

Approved-by: jordan
2000-02-10 14:17:40 +00:00
Guido van Rooij
6cd756a2b5 Bring over ipfilter v3_3_8 kernel sources, including merging the
local modifications.
Also fix initializing fr_running in KLD case.
Rename ipl_inited to fr_runninhg in mlfk_ipl

Approved by: jkh
2000-02-09 20:56:36 +00:00
Yoshinobu Inoue
a683a7dd4f Avoid kernel panic when tcp rfc1323 and rfc1644 options are enabled
at the same time.

   When rfc1323 and rfc1644 option are enabled by sysctl,
   and tcp over IPv6 is tried, kernel panic happens by the
   following check in tcp_output(), because now hdrlen is bigger
   in such case than before.

/*#ifdef DIAGNOSTIC*/
        if (max_linkhdr + hdrlen > MHLEN)
                panic("tcphdr too big");
/*#endif*/

   So change the above check to compare with MCLBYTES in #ifdef INET6 case.
   Also, allocate a mbuf cluster for the header mbuf, in that case.

Bug reported at KAME environment.
Approved by: jkh

Reviewed by: sumikawa
Obtained from: KAME project
2000-02-09 00:34:40 +00:00
Luigi Rizzo
9fbf0caaac Fix a (mostly harmless) scheduling-in-the-past problem with
dummynet (already fixed in -stable, was waiting for Jordan's
approval due to the code freeze).

Reported-By: Mike Tancsa
Approved-By: Jordan
2000-02-04 16:45:33 +00:00
Archie Cobbs
b12cbc348c The flags PKT_ALIAS_PUNCH_FW and PKT_ALIAS_PROXY_ONLY were both
being defined as 0x40.  Change the former to be 0x100.

Submitted by:	Erik Salander <erik@whistle.com>
Approved by:	jkh
2000-02-02 23:49:32 +00:00
Brian Somers
21b9df573d Mention what PKT_ALIAS_PROXY_ONLY does.
Prompted by: archie
2000-02-02 23:42:06 +00:00
Yoshinobu Inoue
ae8d522734 Sorry in this just befor code freeze commit.
This is fix to usr.sbin/trpt and tcp_debug.[ch]
I think of putting this after 4.0 but,,,

 -There was bug that when INET6 is defined,
  IPv4 socket is not traced by trpt.

 -I received request from a person who distribute a program
  which use tcp_debug interface and print performance statistics,
  that
    -leave comptibility with old program as much as possible
    -use same interface with other OSes

  So, I talked with itojun, and synced API with netbsd IPv6 extension.

makeworld check, kernel build check(includes GENERIC) is done.

But if there happen to any problem, please let me know and
I soon backout this change.
2000-01-29 11:49:07 +00:00
Warner Losh
173c0f9f5c Mitigate the stream.c attacks
o Drop all broadcast and multicast source addresses in tcp_input.
o Enable ICMP_BANDLIM in GENERIC.
o Change default to 200/s from 100/s.  This will still stop the attack, but
  is conservative enough to do this close to code freeze.

This is not the optimal patch for the problem, but is likely the least
intrusive patch that can be made for this.

Obtained from: Don Lewis and Matt Dillon.
Reviewed by: freebsd-security
2000-01-28 06:13:09 +00:00
Yoshinobu Inoue
69a3468578 Avoid m_len and m_pkthdr.len inconsistency when changing m_len
for an mbuf whose M_PKTHDR is set.

PR: related to kern/15175
Reviewed by: archie
2000-01-25 01:26:47 +00:00
Yoshinobu Inoue
e2de10abe4 Fix the bug that IPv4 ttl is not initialized when AF_INET6 socket is used
for IPv4 communication.(IPv4 mapped IPv6 addr.)
Also removed IPv6 hoplimit initialization because it is alway done at
tcp_output.

Confirmed by: Bernd Walter <ticso@cicely5.cicely.de>
2000-01-25 01:05:18 +00:00
Brian Somers
367d34f853 Move the *intrq variables into net/intrq.c and unconditionally
include this in all kernels.  Declare some const *intrq_present
variables that can be checked by a module prior to using *intrq
to queue data.

Make the if_tun module capable of processing atm, ip, ip6, ipx,
natm and netatalk packets when TUNSIFHEAD is ioctl()d on.

Review not required by: freebsd-hackers
2000-01-24 20:39:02 +00:00
Yoshinobu Inoue
3a2a9f7976 Fixed the problem that IPsec connection hangs when bigger data is sent.
-opt_ipsec.h was missing on some tcp files (sorry for basic mistake)
  -made buildable as above fix
  -also added some missing IPv4 mapped IPv6 addr consideration into
   ipsec4_getpolicybysock
2000-01-15 14:56:38 +00:00
Yoshinobu Inoue
0567ae029a Added missing 'else' for 'if (isipv6)' at IPv6 length setting in tcp_respond().
By this bug, IPv6 reset was not sent.
(I checked around same kind of bug, but no other found.)
2000-01-15 14:34:56 +00:00
Yoshinobu Inoue
595ad28111 Removed wrong(unnecessary) & operators for pointer, in ipsec_hdrsiz_tcp().
This must be one of the reason why connections over IPsec hangs for
bigger packets.(which was reported on freebsd-current@freebsd.org)

But there still seems to be another bug and the problem is not yet fixed.
2000-01-15 05:39:28 +00:00
Yoshinobu Inoue
bb913f0f78 add forward declarations, and small cosmetic changes.
Submitted by: bde
2000-01-15 05:20:40 +00:00
Guido van Rooij
b33271069e Apply patches in rev 1.2 and 1.9 that I forgot
Pointe out by:	bde
2000-01-14 19:48:42 +00:00
Rodney W. Grimes
d05257b0f2 Replace beforeinstall target with new variables used by .mk system.
Reviewed by:	marcel, and make world
2000-01-14 07:57:47 +00:00
Guido van Rooij
0f9f7e9f23 Bring over ipfilter kernel sources, including merging the local modifications. 2000-01-13 19:01:33 +00:00
Yoshinobu Inoue
5d60ed0e69 Change struct sockaddr_storage member name, because following change
is very likely to become consensus as recent ietf/ipng mailing list
discussion. Also recent KAME repository and other KAME patched BSDs
also applied it.

  s/__ss_family/ss_family/
  s/__ss_len/ss_len/

Makeworld is confirmed, and no application should be affected by this change
yet.
2000-01-13 14:52:53 +00:00
Yoshinobu Inoue
21ab895ff5 Clear rt after RTFREE. This might have sometime caused kernel panic at rtfree()
on INET6 enabled environment.
2000-01-13 14:21:30 +00:00
Yoshinobu Inoue
8972cdb14e add a comment for some possible? IPv4 option processing. 2000-01-13 05:21:05 +00:00
Yoshinobu Inoue
72e174286c removed incorrect ip6 length setting for IPv6 tcp reset packet. 2000-01-13 05:18:30 +00:00
Ruslan Ermilov
5db1e34ea4 MGETHDR() does not initialize m_pkthdr.rcvif, do it here.
This fixes page fault panic observed when diverting packets
with IP options (e.g. ping -R remoteIP over natd).

PR:	kern/8596, kern/11199
2000-01-10 18:46:05 +00:00
Yoshinobu Inoue
fb59c426ff tcp updates to support IPv6.
also a small patch to sys/nfs/nfs_socket.c, as max_hdr size change.

Reviewed by: freebsd-arch, cvs-committers
Obtained from: KAME project
2000-01-09 19:17:30 +00:00
Yoshinobu Inoue
d0a98d79d2 enable IPsec over DUMMYNET again
Submitted by: luigi
Reviewed by: luigi
2000-01-09 03:06:28 +00:00
Yoshinobu Inoue
0ba9128b0c prevent kernel panic which happens when either of IPSEC and IPDIVERT
is enabled.

Confirmed by: Eugene M. Kim <ab@astralblue.com>
2000-01-08 12:53:48 +00:00
Luigi Rizzo
ec8fac2acf Add ipfw hooks for the new dummynet features.
Support masks on TCP/UDP ports.

Minor cleanup of ip_fw_chk() to avoid repeated calls to PULLUP_TO
at each rule.
2000-01-08 11:31:43 +00:00
Luigi Rizzo
d1f04b29f0 Cleanup dummynet call interface so it should now work on the Alpha
as well. Also (probably) fix a bug introduced during the IPv6 import.
2000-01-08 11:28:23 +00:00
Luigi Rizzo
988790bfd9 Implement per-flow queueing. Using a single pipe config rule,
now you can dynamically create rate-limited queues for different
flows using masks on dst/src IP, port and protocols.
Read the ipfw(8) manpage for details and examples.

Restructure the internals of the traffic shaper to use heaps,
so that it manages efficiently large number of queues.

Fix a bug which was present in the previous versions which could
cause, under certain unfrequent conditions, to send out very large
bursts of traffic.

All in all, this new code is much cleaner than the previous one and
should also perform better.

Work supported by Akamba Corp.
2000-01-08 11:24:46 +00:00
Eivind Eklund
3418fe8734 KERNEL -> _KERNEL 2000-01-05 16:25:20 +00:00
Peter Wemm
664a31e496 Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL"
is an application space macro and the applications are supposed to be free
to use it as they please (but cannot).  This is consistant with the other
BSD's who made this change quite some time ago.  More commits to come.
1999-12-29 04:46:21 +00:00
Mike Smith
052a6aad2c Make tcp_drain() actually do something. When invoked (usually as a
desperation measure in low-memory situations), walk the tcpbs and
flush the reassembly queues.

This behaviour is currently controlled by the debug.do_tcpdrain sysctl
(defaults to on).

Submitted by:	Bosko Milekic <bmilekic@dsuper.net>
Reviewed by:	wollman
1999-12-28 23:18:33 +00:00
Yoshinobu Inoue
6a800098cc IPSEC support in the kernel.
pr_input() routines prototype is also changed to support IPSEC and IPV6
chained protocol headers.

Reviewed by: freebsd-arch, cvs-committers
Obtained from: KAME project
1999-12-22 19:13:38 +00:00
Eivind Eklund
369dc8ceb8 Change incorrect NULLs to 0s 1999-12-21 11:14:12 +00:00
Peter Wemm
bbc6383b4a The ipfilter module name wasn't exactly conventional.. 1999-12-20 15:49:38 +00:00
Brian Feldman
d25f3712b7 M_PREPEND-related cleanups (unregisterifying struct mbuf *s). 1999-12-19 01:55:37 +00:00
Jonathan Lemon
c0f7fd5575 Use SEQ_* macros for comparing sequence space numbers.
Reviewed by:	truckman
1999-12-14 15:43:56 +00:00
Yoshinobu Inoue
79ea3cf110 Always set INP_IPV4 flag for IPv4 pcb entries, because netstat needs it
to print out protocol specific pcb info.

A patch submitted by guido@gvr.org, and asmodai@wxs.nl also reported
the problem.
Thanks and sorry for your troubles.

Submitted by: guido@gvr.org
Reviewed by: shin
1999-12-13 00:39:20 +00:00
Jonathan Lemon
1a244a616d According to RFC 793, a reset should be honored if the sequence number
is within the receive window.  Follow this behavior, instead of only
allowing resets at last_ack_sent.

Pointed out by:	jayanth@yahoo-inc.com
1999-12-11 04:05:52 +00:00
Archie Cobbs
a9405f0edb Fix a '&&' that should have been a '&'.
Submitted by:	Erik Salander <erik@whistle.com>
1999-12-10 20:04:53 +00:00
Archie Cobbs
61989d76a5 Fix several typos.
Submitted by:	Erik Salander <erik@whistle.com>
1999-12-09 21:36:34 +00:00
Yoshinobu Inoue
f51ff7fadd Make this buildable with MROUTING defined.
Specified by: eivind, phk
1999-12-08 11:57:36 +00:00
Yoshinobu Inoue
cfa1ca9dfa udp IPv6 support, IPv6/IPv4 tunneling support in kernel,
packet divert at kernel for IPv6/IPv4 translater daemon

This includes queue related patch submitted by jburkhol@home.com.

Submitted by: queue related patch from jburkhol@home.com
Reviewed by: freebsd-arch, cvs-committers
Obtained from: KAME project
1999-12-07 17:39:16 +00:00
Guido van Rooij
ba5d8fc721 Last minute patch that I forgot to apply: check return code of iplattach() 1999-12-06 21:21:47 +00:00
Guido van Rooij
05ec607970 Revive mlfk_ipl here. This version is slightly changed from
the old one: an unnecessary define (KLD_MODULE) has been deleted and
the initialisation of the module is  done after domaininit was called
to be sure inet is running.

Some slight changed were made to ip_auth.c and ip_state.c in order
to assure including of sys/systm.h in case we make a kld

Make sure ip_fil does nmot include osreldate in kernel mode

Remove mlfk_ipl.c from here: no sources allowed in these directories!
1999-12-06 20:36:50 +00:00
Archie Cobbs
8948e4ba8e Miscellaneous fixes/cleanups relating to ipfw and divert(4):
- Implement 'ipfw tee' (finally)
- Divert packets by calling new function divert_packet() directly instead
  of going through protosw[].
- Replace kludgey global variable 'ip_divert_port' with a function parameter
  to divert_packet()
- Replace kludgey global variable 'frag_divert_port' with a function parameter
  to ip_reass()
- style(9) fixes

Reviewed by:	julian, green
1999-12-06 00:43:07 +00:00
Jonathan Lemon
c0a929b430 Change the delayed ack time from 200ms to 100ms.
This results in closer behavior to earlier versions, where the fixed
200ms timer actually resulted in a delay anywhere from 1..200ms, with
the average delay being 100ms.

Pointed out by:	 dg
1999-12-02 03:25:19 +00:00
Luigi Rizzo
b73ccac130 RTFREE the correct route entry in dummynet_io(). The previous
code failed in handling things like "forward" actions.

Reported-and-tested-by: Jean-Hugues ROYER jhroyer@joher.com
1999-11-26 13:37:09 +00:00
Guido van Rooij
47e3b8ce13 Get rid of useless osreldate include for KLD/LKM modules (sys/param.h
already carries what is needed).
This is needed for the KLD support.
1999-11-23 22:16:41 +00:00
Guido van Rooij
9cc86ee930 Add kernel parts of revived ipfilter (3.3.3.) 1999-11-23 21:44:59 +00:00
Yoshinobu Inoue
82cd038d51 KAME netinet6 basic part(no IPsec,no V6 Multicast Forwarding, no UDP/TCP
for IPv6 yet)

With this patch, you can assigne IPv6 addr automatically, and can reply to
IPv6 ping.

Reviewed by: freebsd-arch, cvs-committers
Obtained from: KAME project
1999-11-22 02:45:11 +00:00
Peter Wemm
45d3a132c4 Fix a warning and a potential panic if TCPDEBUG is active. (tp is
a wild pointer and used by TCPDEBUG2())
1999-11-18 08:28:24 +00:00
Poul-Henning Kamp
12b4fd063c The logic for blackhole processing does not free mbufs if the
blackhole flag is set.

PR:		14958
Submitted by:	Larry Baird <lab@gta.com>
Reviewed by:	phk
1999-11-17 20:57:49 +00:00