1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-28 11:57:28 +00:00
Commit Graph

1264 Commits

Author SHA1 Message Date
Yaroslav Tykhiy
d0ebc0d2f1 Don't reveal a router in the IPSTEALTH mode through IP options.
The following steps are involved:
a) the IP options related to routing (LSRR and SSRR) are processed
   as though the router were a host,
b) the other IP options are processed as usual only if the packet
   is destined for the router; otherwise they are ignored.

PR:		kern/23123
Discussed in:	freebsd-hackers
2001-12-29 09:24:18 +00:00
Julian Elischer
3efc30142c Fix ipfw fwd so that it acts as the docs say
when forwarding an incoming packet to another machine.

Obtained from:	Vicor Production tree
MFC after: 3 weeks
2001-12-28 21:21:57 +00:00
Yaroslav Tykhiy
37b5d6e33d Implement matching IP precedence in ipfw(4).
Submitted by:	Igor Timkin <ivt@gamma.ru>
2001-12-21 18:43:02 +00:00
Jonathan Lemon
6c19b85f43 Remove a change that snuck in from my private tree. 2001-12-21 05:07:39 +00:00
Jonathan Lemon
45a0329051 If syncookies are disabled (net.inet.tcp.syncookies) then use the faster
arc4random() routine to generate ISNs instead of creating them with MD5().

Suggested by: silby
2001-12-21 04:41:08 +00:00
Jonathan Lemon
e579ba1aea When storing an int value in a void *, use intptr_t as the cast type
(instead of int) to keep the 64 bit platforms happy.
2001-12-19 15:57:43 +00:00
Yaroslav Tykhiy
3f9e31220b Don't try to free a NULL route when doing IPFIREWALL_FORWARD.
An old route will be NULL at that point if a packet were initially
routed to an interface (using the IP_ROUTETOIF flag.)

Submitted by:	Igor Timkin <ivt@gamma.ru>
2001-12-19 14:54:13 +00:00
Jonathan Lemon
a9c9684163 Extend the SYN DoS defense by adding syncookies to the syncache.
All TCP ISNs that are sent out are valid cookies, which allows entries
in the syncache to be dropped and still have the ACK accepted later.
As all entries pass through the syncache, there is no sudden switchover
from cache -> cookies when the cache is full; instead, syncache entries
simply have a reduced lifetime.  More details may be found in the
"Resisting DoS attacks with a SYN cache" paper in the Usenix BSDCon 2002
conference proceedings.

Sponsored by: DARPA, NAI Labs
2001-12-19 06:12:14 +00:00
Ruslan Ermilov
4aa5d00e3d Fixed the bug in transparent TCP proxying with the "encode_ip_hdr"
option -- TcpAliasOut() did not catch the IP header length change.

Submitted by:	Stepachev Andrey <aka50@mail.ru>
2001-12-18 16:13:45 +00:00
Robert Watson
365979cdac o Add IPOPT_ESO for the 'Extended Security' IP option (RFC1108)
Obtained from:	TrustedBSD Project
2001-12-14 19:37:32 +00:00
Robert Watson
18e2b6a995 o Add definition for IPOPT_CIPSO, the commercial security IP option
number.

Submitted by:	Ilmar S. Habibulin <ilmar@watson.org>
Obtained from:	TrustedBSD Project
2001-12-14 19:34:42 +00:00
Jonathan Lemon
aa1f5daa31 whitespace and style fixes recovered from -stable. 2001-12-14 19:34:11 +00:00
Jonathan Lemon
6f00486cfd minor style and whitespace fixes. 2001-12-14 19:33:29 +00:00
Jonathan Lemon
effa274e9e whitespace fixes. 2001-12-14 19:32:47 +00:00
Jonathan Lemon
f8b6a631a2 minor whitespace fixes. 2001-12-14 19:32:00 +00:00
Mike Silbersack
3260eb18f3 Reduce the local network slowstart flightsize from infinity to 4 packets.
Now that we've increased the size of our send / receive buffers, bursting
an entire window onto the network may cause congestion.  As a result,
we will slow start beginning with a flightsize of 4 packets.

Problem reported by: Thomas Zenker <thz@Lennartz-electronic.de>

MFC after:	3 days
2001-12-14 18:26:52 +00:00
Jonathan Lemon
04cad5adb1 Undo one of my last minute changes; move sc_iss up earlier so it
is initialized in case we take the T/TCP path.
2001-12-13 04:05:26 +00:00
Jonathan Lemon
7c183182bf Fix up tabs from cut&n&paste. 2001-12-13 04:02:31 +00:00
Jonathan Lemon
0ef3206bf5 Fix up tabs in comments. 2001-12-13 04:02:09 +00:00
Jonathan Lemon
eaa6d8efe5 Minor style fixes. 2001-12-13 04:01:23 +00:00
Jonathan Lemon
c448c89c59 Minor style fix. 2001-12-13 04:01:01 +00:00
David E. O'Brien
6e551fb628 Update to C99, s/__FUNCTION__/__func__/,
also don't use ANSI string concatenation.
2001-12-10 08:09:49 +00:00
Robert Watson
c39a614e0d o Our currenty userland boot code (due to rc.conf and rc.network) always
enables TCP keepalives using the net.inet.tcp.always_keepalive by default.
  Synchronize the kernel default with the userland default.
2001-12-07 17:01:28 +00:00
Ruslan Ermilov
47891de1a5 Fixed remotely exploitable DoS in arpresolve().
Easily exploitable by flood pinging the target
host over an interface with the IFF_NOARP flag
set (all you need to know is the target host's
MAC address).

MFC after:	0 days
2001-12-05 18:13:34 +00:00
Robert Watson
011376308f o Introduce pr_mtx into struct prison, providing protection for the
mutable contents of struct prison (hostname, securelevel, refcount,
  pr_linux, ...)
o Generally introduce mtx_lock()/mtx_unlock() calls throughout kern/
  so as to enforce these protections, in particular, in kern_mib.c
  protection sysctl access to the hostname and securelevel, as well as
  kern_prot.c access to the securelevel for access control purposes.
o Rewrite linux emulator abstractions for accessing per-jail linux
  mib entries (osname, osrelease, osversion) so that they don't return
  a pointer to the text in the struct linux_prison, rather, a copy
  to an array passed into the calls.  Likewise, update linprocfs to
  use these primitives.
o Update in_pcb.c to always use prison_getip() rather than directly
  accessing struct prison.

Reviewed by:	jhb
2001-12-03 16:12:27 +00:00
Matthew Dillon
262c1c1a4e Fix a bug with transmitter restart after receiving a 0 window. The
receiver was not sending an immediate ack with delayed acks turned on
when the input buffer is drained, preventing the transmitter from
restarting immediately.

Propogate the TCP_NODELAY option to accept()ed sockets.  (Helps tbench and
is a good idea anyway).

Some cleanup.  Identify additonal issues in comments.

MFC after:	1 day
2001-12-02 08:49:29 +00:00
Ruslan Ermilov
04d59553b2 Allow for ip_output() to be called with a NULL route pointer.
This fixes a panic I introduced yesterday in ip_icmp.c,v 1.64.
2001-12-01 13:48:16 +00:00
Mike Barcroft
de2656d0ed o Stop abusing MD headers with non-MD types.
o Hide nonstandard functions and types in <netinet/in.h> when
  _POSIX_SOURCE is defined.
o Add some missing types (required by POSIX.1-200x) to <netinet/in.h>.
o Restore vendor ID from Rev 1.1 in <netinet/in.h> and make use of new
  __FBSDID() macro.
o Fix some miscellaneous issues in <arpa/inet.h>.
o Correct final argument for the inet_ntop() function (POSIX.1-200x).
o Get rid of the namespace pollution from <sys/types.h> in
  <arpa/inet.h>.

Reviewed by:		fenner
Partially submitted by:	bde
2001-12-01 03:43:01 +00:00
Matthew Dillon
d912c694ee The transmit burst limit for newreno completely breaks TCP's performance
if the receive side is using delayed acks.  Temporarily remove it.

MFC after:	0 days
2001-11-30 21:33:39 +00:00
Brian Somers
0f02fdac67 During SIOCAIFADDR, if in_ifinit() fails and we've already added an
interface address, blow the address away again before returning the
error.

In in_ifinit(), if we get an error from rtinit() and we've also got
a destination address, return the error rather than masking EEXISTS.
Failing to create a host route when configuring an interface should
be treated as an error.
2001-11-30 14:00:55 +00:00
Ruslan Ermilov
bd7142087b - Make ip_rtaddr() global, and use it to look up the correct source
address in icmp_reflect().
- Two new "struct icmpstat" members: icps_badaddr and icps_noroute.

PR:		kern/31575
Obtained from:	BSD/OS
MFC after:	1 week
2001-11-30 10:40:28 +00:00
Dima Dorfman
3a33b1b3b7 ipfw_modevent(): Don't use an unnatural block to define a variable
(fcp) that's already defined in the outer block and isn't used
anywhere else.  This silences -Wunused.

Reviewed by:	md5(1)
2001-11-27 20:32:47 +00:00
Dima Dorfman
e8d41815df Remove debugging printfs that weren't conditional on any debugging
options in handling MOD_{UN,}LOAD (they weren't very useful, anyway).
2001-11-27 20:28:48 +00:00
Dima Dorfman
0d4bef5dd4 In icmp_reflect(): If the packet was not addressed to us and was
received on an interface without an IP address, try to find a
non-loopback AF_INET address to use.  If that fails, drop it.
Previously, we used the address at the top of the in_ifaddrhead list,
which didn't make much sense, and would cause a panic if there were no
AF_INET addresses configured on the system.

PR:		29337, 30524
Reviewed by:	ru, jlemon
Obtained from:	NetBSD
2001-11-27 19:58:09 +00:00
Robert Watson
38e04732fc Add include of net/route.h, as structures moved around due to the
syncache rely on 'struct route' being defined.  This fixes the
LINT build some.
2001-11-27 17:36:39 +00:00
Seigo Tanimura
df89626872 Clear a new syncache entry first, followed by filling in values. This
fixes route breakage due to uncleared gabage on my box.
2001-11-27 11:55:28 +00:00
Ruslan Ermilov
8573e68110 When servicing an internal FTP server, punch ipfirewall(4) holes
for passive mode data connections (PASV/EPSV -> 227/229).  Well,
the actual punching happens a bit later, when the aliasing link
becomes fully specified.

Prodded by:	Danny Carroll <dannycarroll@hotmail.com>
MFC after:	1 week
2001-11-27 10:50:23 +00:00
Ruslan Ermilov
8ba0396688 Restore the ability to use IP_FW_ADD with setsockopt(2) that got
broken in revision 1.86.  This broke natd(8)'s -punch_fw option.

Reported by:	Daniel Rock <D.Rock@t-online.de>,
		setantae <setantae@submonkey.net>
2001-11-26 10:05:58 +00:00
Bruce Evans
419d3454b1 Fixed a buffer overrun. In my kernel configuration, tcp_syncache happens
to be followed by nfsnodehashtbl, so bzeroing callouts beyond the end of
tcp_syncache soon caused a null pointer panic when nfsnodehashtbl was
accessed.
2001-11-23 12:31:27 +00:00
Jonathan Lemon
be2ac88c59 Introduce a syncache, which enables FreeBSD to withstand a SYN flood
DoS in an improved fashion over the existing code.

Reviewed by: silby  (in a previous iteration)
Sponsored by: DARPA, NAI Labs
2001-11-22 04:50:44 +00:00
Jonathan Lemon
d00fd2011d Move initialization of snd_recover into tcp_sendseqinit(). 2001-11-21 18:45:51 +00:00
Matthew Dillon
b1e4abd246 Give struct socket structures a ref counting interface similar to
vnodes.  This will hopefully serve as a base from which we can
expand the MP code.  We currently do not attempt to obtain any
mutex or SX locks, but the door is open to add them when we nail
down exactly how that part of it is going to work.
2001-11-17 03:07:11 +00:00
Robert Watson
ce17880650 o Replace reference to 'struct proc' with 'struct thread' in 'struct
sysctl_req', which describes in-progress sysctl requests.  This permits
  sysctl handlers to have access to the current thread, permitting work
  on implementing td->td_ucred, migration of suser() to using struct
  thread to derive the appropriate ucred, and allowing struct thread to be
  passed down to other code, such as network code where td is not currently
  available (and curproc is used).

o Note: netncp and netsmb are not updated to reflect this change, as they
  are not currently KSE-adapted.

Reviewed by:		julian
Obtained from:	TrustedBSD Project
2001-11-08 02:13:18 +00:00
Andrew R. Reiter
83103a7397 - Fixes non-zero'd out sin_zero field problem so that the padding
is used as it is supposed to be.

Inspired by: PR #31704
Approved by: jdp
Reviewed by: jhb, -net@
2001-11-06 00:48:01 +00:00
Poul-Henning Kamp
d3c64689d8 3.5 years ago Wollman wrote:
"[...] and removes the hostcache code from standard kernels---the
   code that depends on it is not going to happen any time soon,
   I'm afraid."
Time to clean up.
2001-11-05 21:25:02 +00:00
Luigi Rizzo
7b109fa404 MFS: sync the ipfw/dummynet/bridge code with the one recently merged
into stable (mostly , but not only, formatting and comments changes).
2001-11-04 22:56:25 +00:00
Luigi Rizzo
09b2ca212b s/FREE/free/ 2001-11-04 17:35:31 +00:00
Brian Somers
e83aaae350 cmott@scientech.com -> cm@linktel.net
Requested by:	Charles Mott <cmott@scientech.com>
2001-11-03 11:34:09 +00:00
Bill Paul
3528d68f71 Fix a (long standing?) bug in ip_output(): if ip_insertoptions() is
called and ip_output() encounters an error and bails (i.e. host
unreachable), we will leak an mbuf. This is because the code calls
m_freem(m0) after jumping to the bad: label at the end of the function,
when it should be calling m_freem(m). (m0 is the original mbuf list
_without_ the options mbuf prepended.)

Obtained from:	NetBSD
2001-10-30 18:15:48 +00:00
Dag-Erling Smørgrav
bc183b3fe8 Make sure the netmask always has an address family. This fixes Linux
ifconfig, which expects the address returned by the SIOCGIFNETMASK ioctl
to have a valid sa_family.  Similar changes may be necessary for IPv6.

While we're here, get rid of an unnecessary temp variable.

MFC after:	2 weeks
2001-10-30 15:57:20 +00:00