1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-25 11:37:56 +00:00
Commit Graph

6143 Commits

Author SHA1 Message Date
Luigi Rizzo
9758b77ff1 The new ipfw code.
This code makes use of variable-size kernel representation of rules
(exactly the same concept of BPF instructions, as used in the BSDI's
firewall), which makes firewall operation a lot faster, and the
code more readable and easier to extend and debug.

The interface with the rest of the system is unchanged, as witnessed
by this commit. The only extra kernel files that I am touching
are if_fw.h and ip_dummynet.c, which is quite tied to ipfw. In
userland I only had to touch those programs which manipulate the
internal representation of firewall rules).

The code is almost entirely new (and I believe I have written the
vast majority of those sections which were taken from the former
ip_fw.c), so rather than modifying the old ip_fw.c I decided to
create a new file, sys/netinet/ip_fw2.c .  Same for the user
interface, which is in sbin/ipfw/ipfw2.c (it still compiles to
/sbin/ipfw).  The old files are still there, and will be removed
in due time.

I have not renamed the header file because it would have required
touching a one-line change to a number of kernel files.

In terms of user interface, the new "ipfw" is supposed to accepts
the old syntax for ipfw rules (and produce the same output with
"ipfw show". Only a couple of the old options (out of some 30 of
them) has not been implemented, but they will be soon.

On the other hand, the new code has some very powerful extensions.
First, you can put "or" connectives between match fields (and soon
also between options), and write things like

ipfw add allow ip from { 1.2.3.4/27 or 5.6.7.8/30 } 10-23,25,1024-3000 to any

This should make rulesets slightly more compact (and lines longer!),
by condensing 2 or more of the old rules into single ones.

Also, as an example of how easy the rules can be extended, I have
implemented an 'address set' match pattern, where you can specify
an IP address in a format like this:

        10.20.30.0/26{18,44,33,22,9}

which will match the set of hosts listed in braces belonging to the
subnet 10.20.30.0/26 . The match is done using a bitmap, so it is
essentially a constant time operation requiring a handful of CPU
instructions (and a very small amount of memmory -- for a full /24
subnet, the instruction only consumes 40 bytes).

Again, in this commit I have focused on functionality and tried
to minimize changes to the other parts of the system. Some performance
improvement can be achieved with minor changes to the interface of
ip_fw_chk_t. This will be done later when this code is settled.

The code is meant to compile unmodified on RELENG_4 (once the
PACKET_TAG_* changes have been merged), for this reason
you will see #ifdef __FreeBSD_version in a couple of places.
This should minimize errors when (hopefully soon) it will be time
to do the MFC.
2002-06-27 23:02:18 +00:00
David E. O'Brien
95190a2df6 Add these libs from the 4.6-RELEASE.
libstdc++ was bumped with the switch to Gcc 3.1, and libpam was bumped with
the switch to OpenPAM.
2002-06-27 18:53:50 +00:00
David E. O'Brien
d320e50003 Add these libs from the 4.6-RELEASE.
libstdc++ was bumped with the switch to Gcc 3.1, and libpam was bumped with
the switch to OpenPAM.
2002-06-27 18:44:05 +00:00
Mike Silbersack
11289efd80 Fix style bugs I added in last commit.
Spotted by:	bde
2002-06-27 14:16:21 +00:00
Daniel Eischen
eee80fbd9c Remove pselect from application namespace and instead use a weak reference
to the actual implementation.  This is to allow libc_r to override
pselect() making it a cancellation point.

Prompted by: wollman
2002-06-27 13:23:46 +00:00
Daniel Eischen
53154da089 Remove improper use of <namespace.h>.
Remove fmtcheck from application name space (fix the weak reference).
2002-06-27 13:20:54 +00:00
Daniel Eischen
c40995b36a Remove improper use of <namespace.h> 2002-06-27 13:18:27 +00:00
Mike Silbersack
1228a1c634 Modify bcopy (and memcpy/memmove) so that the length value is not
re-read from the stack mid copy.  This may help mitigate the recent
Apache buffer overrun and future overruns of the sort.

Reviewed by:	jdp
MFC after:	2 days
2002-06-27 03:55:36 +00:00
Warner Losh
ecddb03f1e Remove two lines that were cvs merged that shouldn't have been. This
fixes the build.

Reported by: dillon.
2002-06-26 18:03:31 +00:00
Warner Losh
145ec10619 Remove two stray lines that snuck in the cvs merge 2002-06-26 14:18:36 +00:00
Maxim Sobolev
07a1fb30e3 Backout previous delta (addition of -I${.CURDIR}/../../sys).
Submitted by:	bde
2002-06-26 13:25:23 +00:00
Maxim Sobolev
af244dd67c Add -I${.CURDIR}/../../sys into CFLAGS, which should fix the world broken
by RLIMIT_VMEM addition.
2002-06-26 10:33:10 +00:00
Jacques Vidrine
9a370b24b5 Initialize a pointer that was left uninitialized with the previous
commit.
2002-06-26 08:48:34 +00:00
Warner Losh
d6af58f572 Include more robust checking of end of buffer that more completely
plugs the hole.
2002-06-26 08:18:05 +00:00
Warner Losh
4cbd2472b3 Don't allow buffer overflow here either. 2002-06-26 06:31:06 +00:00
Warner Losh
fda8311189 Fix a minor last, minute issue that came in after I committed.
Noticed by: nectar
2002-06-26 06:23:22 +00:00
Warner Losh
4cf0747073 Avoid remote buffer overflow on hostbuf[].
Submitted by: joost Pol <joost@pine.nl>
2002-06-26 06:04:46 +00:00
Matthew Dillon
b5c7be5728 Add documentation for vmemoryuse 2002-06-26 03:58:31 +00:00
Matthew Dillon
67577126f9 Make libutil aware of vmemoryuse in its login.conf cap processing (aka
sshd, /usr/bin/login, etc)
2002-06-26 03:54:18 +00:00
David E. O'Brien
c02ba8a8d2 WARNS=6'ify.
Style nits.
2002-06-25 18:05:16 +00:00
David E. O'Brien
ad275bd760 Prototype _start.
Submitted by:	markm

Mark some _start formal parameters __unused.
2002-06-25 18:01:12 +00:00
David E. O'Brien
cf99709c16 Update our compat libs to the 4.6-RELEASE level. 2002-06-25 04:59:48 +00:00
David E. O'Brien
05e3d9f7fc Add the [Linux] PAM modules that are still used in RELENG_4, but not -CURRENT.
These are at the 4.6-RELEASE level.

Requested by:	des
2002-06-25 04:55:07 +00:00
David E. O'Brien
7ca89f08b7 Fix a typo. 2002-06-25 04:51:12 +00:00
David E. O'Brien
8dcabf895e Add the [Linux] PAM modules that are still used in RELENG_4, but not -CURRENT.
These are at the 4.6-RELEASE level.

Requested by:	DES
2002-06-25 04:18:45 +00:00
David E. O'Brien
022f3e9092 Update our compat libs to the 4.6-RELEASE level. 2002-06-25 04:11:45 +00:00
Andrew R. Reiter
927c042095 - Remove UM_* memory handling macros as they just obfuscate code. 2002-06-24 22:29:01 +00:00
Maxime Henrion
f6a3055159 Add missing const's. 2002-06-24 13:52:26 +00:00
Dag-Erling Smørgrav
66ffb8a371 Reintroduce debugging code that somehow got lost in a previous revision. 2002-06-24 12:18:41 +00:00
Robert Drehmel
4b571b192a Fix a bug which prevented the duplication of the standard i/o
file descriptors in programs linked with libc_r with flags
other than the default ones.  This kept, inter alia, freopen()
from working correctly when reopening standard streams.

reviewed by:	deischen
PR:		misc/39377
2002-06-23 20:41:30 +00:00
Nick Hibma
074dccd545 Be more clear in error messages.
Distinguish between a held lock and a failed lock op.

If rpc.lockd is not running on a diskless client this makes clearer
what the problem is.
2002-06-23 19:23:46 +00:00
Poul-Henning Kamp
af03a3cbd6 Improve the handling of Encode and Decode operations in MD5.
Use memcpy for all little-endian architectures, sys/kern/md5c.c indicates
this should be safe for all currently supported LE archs.

Change the Encode and Decode functions for other archs to use le32toh()
and htole32() functions instead of explicit byte shuffling.

On sparc64 this gives md5(1) about 8% speed increase.
2002-06-22 12:54:11 +00:00
Dag-Erling Smørgrav
a7a4510fd8 Fix incorrect library ordering. I thought I'd committed this already... 2002-06-21 09:56:38 +00:00
Kirk McKusick
1c85e6a35d This commit adds basic support for the UFS2 filesystem. The UFS2
filesystem expands the inode to 256 bytes to make space for 64-bit
block pointers. It also adds a file-creation time field, an ability
to use jumbo blocks per inode to allow extent like pointer density,
and space for extended attributes (up to twice the filesystem block
size worth of attributes, e.g., on a 16K filesystem, there is space
for 32K of attributes). UFS2 fully supports and runs existing UFS1
filesystems. New filesystems built using newfs can be built in either
UFS1 or UFS2 format using the -O option. In this commit UFS1 is
the default format, so if you want to build UFS2 format filesystems,
you must specify -O 2. This default will be changed to UFS2 when
UFS2 proves itself to be stable. In this commit the boot code for
reading UFS2 filesystems is not compiled (see /sys/boot/common/ufsread.c)
as there is insufficient space in the boot block. Once the size of the
boot block is increased, this code can be defined.

Things to note: the definition of SBSIZE has changed to SBLOCKSIZE.
The header file <ufs/ufs/dinode.h> must be included before
<ufs/ffs/fs.h> so as to get the definitions of ufs2_daddr_t and
ufs_lbn_t.

Still TODO:
Verify that the first level bootstraps work for all the architectures.
Convert the utility ffsinfo to understand UFS2 and test growfs.
Add support for the extended attribute storage. Update soft updates
to ensure integrity of extended attribute storage. Switch the
current extended attribute interfaces to use the extended attribute
storage. Add the extent like functionality (framework is there,
but is currently never used).

Sponsored by: DARPA & NAI Labs.
Reviewed by:	Poul-Henning Kamp <phk@freebsd.org>
2002-06-21 06:18:05 +00:00
Bill Fenner
87d7b72262 Update for libpcap 0.7.1 2002-06-21 01:35:37 +00:00
Dag-Erling Smørgrav
f8bd33a0ae Don't try to dereference conn when we know it's NULL. 2002-06-19 08:36:00 +00:00
Chris Costello
1b5c321d3f Fix style and wording bugs introduced in my last commit.
Sponsored by:	DARPA, NAI Labs
2002-06-18 08:55:17 +00:00
Jake Burkholder
dbf51f8db4 Remove unneeded include of machine/emul.h. 2002-06-18 02:15:11 +00:00
Bruce Evans
3e2ec6ea88 e_pow.c:
Fixed pow(x, y) when x is very close to -1.0 and y is a very large odd
integer.  E.g., pow(-1.0 - pow(2.0, -52.0), 1.0 + pow(2.0, 52.0)) was
0.0 instead of being very close to -exp(1.0).

PR:		39236
Submitted by:	Stephen L Moshier <steve@moshier.net>

e_powf.c:
Apply the same patch although it is just cosmetic because odd integers
large enough to cause the problem are too large to be precisely represented
as floats.

MFC after:	1 week
2002-06-17 15:28:59 +00:00
Garrett Wollman
50d0eead10 Actually document pselect(3) so that Bruce can mention it in the release
notes. :-)
2002-06-17 02:21:17 +00:00
Garrett Wollman
8466ae9033 Move dillon's time conversion functions to a new header <timeconv.h>.
Since they were never documented and have never appeared in a FreeBSD
release, no repo-copy of the header is done.  This removes namespace
pollution from <time.h>.
2002-06-17 01:42:33 +00:00
Matthew N. Dodd
2b13992856 Restore local bits lost in recent merge from NetBSD. 2002-06-16 08:29:35 +00:00
Garrett Wollman
7d0f66cbc3 Add pselect(3) to the build. Need to figure out the most appropriate
way to document this interface.
2002-06-15 23:42:59 +00:00
Chris Costello
5f9c048ce7 o Move more information from BUGS into SECURITY CONSIDERATIONS and
condense the redundant bits.
o Provide an example for using snprintf over sprintf.  This may be
  supplemented with an asprintf() example soon.

Sponsored by:	DARPA, NAI Labs
2002-06-15 06:00:56 +00:00
Robert Watson
4a85ccbe6d Missed in earlier commit -- I did cvs commit src/lib/libc. Oops. 2002-06-14 04:02:25 +00:00
Robert Watson
820a52632e No POSIX.1e capabilities in the main tree yet. 2002-06-13 23:40:13 +00:00
Chris Costello
7bc7869122 Include information on the dangers of passing a user-supplied string as
a format string.  This will later on be changed to a reference to the
FreeBSD Security Architecture after it has been committed.

PR:		docs/39320
Sposnored by:	DARPA, NAI Labs
2002-06-13 23:35:22 +00:00
Brian Somers
628e6cd45f Add the following functions:
rad_request_authenticator()
    Returns the Request-Authenticator relevant to the most recently received
    RADIUS response.

  rad_server_secret()
    Returns the Shared Secret relevant to the most recently received
    RADIUS response.

Neither of these functions should be necessary, however, the
MS-MPPE-Recv-Key and MS-MPPE-Send-Key Microsoft Vendor Specific
attributes are supplied in a mangled (encrypted) format, requiring
this information to demangle.

It's not clear whether these functions should be replaced with a
rad_demangle() function or whether these attributes are one-offs.

Sponsored by: Monzoon
2002-06-12 00:21:07 +00:00
Dag-Erling Smørgrav
f606d589b9 Add a reference count to struct fetchconn so we don't prematurely close and
free a cached FTP connection.
2002-06-11 11:27:28 +00:00
Hajimu UMEMOTO
82684fa6da Return HOSTNAME_INVALIDADDR when reverse lookup is fail.
Submitted by:	Sergey Zorin <sergey@cc.tpu.edu.ru>
2002-06-07 17:25:19 +00:00