1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-18 10:35:55 +00:00
Commit Graph

872 Commits

Author SHA1 Message Date
Ruslan Ermilov
5e8fc2d2d3 Spell PacketAliasRedirectAddr() correctly. 2000-04-27 18:06:05 +00:00
Ruslan Ermilov
6d20a77450 Load Sharing using IP Network Address Translation (RFC 2391, LSNAT).
LSNAT links are first created by either PacketAliasRedirectPort() or
PacketAliasRedirectAddress() and then set up by one or more calls to
PacketAliasAddServer().
2000-04-27 17:37:03 +00:00
Yoshinobu Inoue
34e3e010b6 Let initialize th_sum before in6_cksum(), again.
Without this fix, all IPv6 TCP RST packet has wrong cksum value,
so IPv6 connect() trial to 5.0 machine won't fail until tcp connect timeout,
when they should fail soon.

Thanks to haro@tk.kubota.co.jp (Munehiro Matsuda) for his much debugging
help and detailed info.
2000-04-19 15:05:00 +00:00
Poul-Henning Kamp
3389ae9350 Remove ~25 unneeded #include <sys/conf.h>
Remove ~60 unneeded #include <sys/malloc.h>
2000-04-19 14:58:28 +00:00
Ruslan Ermilov
483d2f2296 Add support for multiple PPTP sessions:
- new API function: PacketAliasRedirectPptp()
- new mode bit: PKT_ALIAS_DENY_PPTP

Please see manual page for details.
2000-04-18 10:18:21 +00:00
Munechika SUMIKAWA
5e0ab69d23 ND6_HINT() should not be called unless the connection status is
ESTABLISHED.

Obtained from:	KAME Project
2000-04-17 20:27:02 +00:00
Ruslan Ermilov
b5e819ec23 Apply TCP_EXPIRE_CONNECTED (86400 seconds) timeout only to established
connections, after SYN packets were seen from both ends.  Before this,
it would get applied right after the first SYN packet was seen (either
from client or server).  With broken TCP connection attempts, when the
remote end does not respond with SYNACK nor with RST, this resulted in
having a useless (ie, no actual TCP connection associated with it) TCP
link with 86400 seconds TTL, wasting system memory.  With high rate of
such broken connection attempts (for example, remote end simply blocks
these connection attempts with ipfw(8) without sending RST back), this
could result in a denial-of-service.

PR:		bin/17963
2000-04-14 15:34:55 +00:00
Ruslan Ermilov
a29006665c A complete reformatting of manual page. 2000-04-13 14:04:01 +00:00
Ruslan Ermilov
f167e54283 Make partially specified permanent links without `dst_addr'
but with `dst_port' work for outgoing packets.

This case was not handled properly when I first fixed this
in revision 1.17.

This change is also required for the upcoming improved PPTP
support patches -- that is how I found the problem.

Before this change:

# natd -v -a aliasIP \
  -redirect_port tcp localIP:localPORT publicIP:publicPORT 0:remotePORT

Out [TCP]  [TCP] localIP:localPORT -> remoteIP:remotePORT aliased to
           [TCP] aliasIP:localPORT -> remoteIP:remotePORT

After this change:

# natd -v -a aliasIP \
  -redirect_port tcp localIP:localPORT publicIP:publicPORT 0:remotePORT

Out [TCP]  [TCP] localIP:localPORT -> remoteIP:remotePORT aliased to
           [TCP] publicIP:publicPORT -> remoteIP:remotePORT
2000-04-12 18:44:50 +00:00
Wes Peters
732f6a4376 PR: kern/17872
Submitted by:	csg@waterspout.com (C. Stephen Gunn)
2000-04-11 06:55:09 +00:00
Ruslan Ermilov
67b333b7e4 - Add support for FTP EPRT (RFC 2428) command.
- Minor optimizations.
- Minor spelling fixes.

PR:		14305
Submitted by:	ume
Rewritten by:	ru
2000-04-06 15:54:52 +00:00
Ruslan Ermilov
680c8244a9 - Remove unused includes.
- Minor spelling fixes.
- Make IcmpAliasOut2() really work.

Before this change:

# natd -v -n PUB_IFACE -p 12345 -redirect_address 192.168.1.1 P.P.P.P
natd[87923]: Aliasing to A.A.A.A, mtu 1500 bytes
In  [UDP]  [UDP] X.X.X.X:49562 -> P.P.P.P:50000 aliased to
           [UDP] X.X.X.X:49562 -> 192.168.1.1:50000
Out [ICMP] [ICMP] 192.168.1.1 -> X.X.X.X 3(3) aliased to
           [ICMP] A.A.A.A -> X.X.X.X 3(3)

# tcpdump -n -t -i PUB_IFACE host X.X.X.X and "(udp or icmp)"
tcpdump: listening on PUB_IFACE
X.X.X.X.49562 > P.P.P.P.50000: udp 3
A.A.A.A > X.X.X.X: icmp: A.A.A.A udp port 50000 unreachable

After this change:

# natd -v -n PUB_IFACE -p 12345 -redirect_address 192.168.1.1 P.P.P.P
natd[89360]: Aliasing to A.A.A.A, mtu 1500 bytes
In  [UDP]  [UDP] X.X.X.X:49563 -> P.P.P.P:50000 aliased to
           [UDP] X.X.X.X:49563 -> 192.168.1.1:50000
Out [ICMP] [ICMP] 192.168.1.1 -> X.X.X.X 3(3) aliased to
           [ICMP] P.P.P.P -> X.X.X.X 3(3)

# tcpdump -n -t -i PUB_IFACE host X.X.X.X and "(udp or icmp)"
tcpdump: listening on PUB_IFACE
X.X.X.X.49563 > P.P.P.P.50000: udp 3
P.P.P.P > X.X.X.X: icmp: P.P.P.P udp port 50000 unreachable
2000-04-05 14:27:34 +00:00
Ruslan Ermilov
79eef4b611 - Moved NULL definition into private include file.
- Minor spelling fixes.
2000-04-05 14:23:42 +00:00
Ruslan Ermilov
91cc2995af Minor spelling fixes. 2000-04-05 07:45:39 +00:00
Brian Somers
3e6ac25bd6 Correct Charles Mott's email address
Requested by: Charles Mott <cmott@scientech.com>
2000-04-02 20:16:45 +00:00
Yoshinobu Inoue
7cba257ae5 Move htons() ip_len to after the in_delayed_cksum() call.
This should stop cksum error messages on IPsec communication
which was reported on freebsd-current.

Reviewed by: jlemon
2000-04-02 16:18:26 +00:00
Paul Saab
75daea9395 Try and make the kernel build again without INET6. 2000-04-02 03:49:25 +00:00
Yoshinobu Inoue
fdaf052eb3 Support per socket based IPv4 mapped IPv6 addr enable/disable control.
Submitted by: ume
2000-04-01 22:35:47 +00:00
Jonathan Lemon
ea53ecd9d4 Calculate any delayed checksums before handing an mbuf off to a
divert socket.  This fixes a problem with ppp/natd.

Reviewed by:	bsd	(Brian Dean, gotta love that login name)
2000-04-01 18:51:03 +00:00
Brian Somers
5dd44916b7 Allow PacketAliasSetTarget() to be passed the following:
INADDR_NONE:   Incoming packets go to the alias address (the default)
  INADDR_ANY:    Incoming packets are not NAT'd (direct access to the
                 internal network from outside)
  anything else: Incoming packets go to the specified address

Change a few inaddr::s_addr == 0 to inaddr::s_addr == INADDR_ANY
while I'm there.
2000-03-31 20:36:29 +00:00
Brian Somers
1c4e6d2544 When an incoming packet is received that is not specifically
redirected and when no target address has been specified, NAT
the destination address to the alias address rather than
allowing people direct access to your internal network from
outside.
2000-03-31 14:03:37 +00:00
Jonathan Lemon
20c822f399 If `ipfw fwd' loops an mbuf back to ip_input from ip_output and the
mbuf is marked for delayed checksums, then additionally mark the
packet as having it's checksums computed.  This allows us to bypass
computing/checking the checksum entirely, which isn't really needeed
as the packet has never hit the wire.

Reviewed by:		green
2000-03-30 02:16:40 +00:00
Joerg Wunsch
f72d9d83f5 Peter Johnson found another log() call without a trailing newline.
All three of them have been introduced in rev 1.64, so i guess i've
got all of them now. :)

Submitted by:	Peter Johnson <locke@mcs.net>
2000-03-29 07:50:39 +00:00
Joerg Wunsch
e44d62832c Added two missing newlines in calls to log(9).
Reported in Usenet by: locke@mcs.net (Peter Johnson)

While i was at it, prepended a 0x to the %D output, to make it clear that
the printed value is in hex (i assume %D has been chosen over %#x to
obey network byte order).
2000-03-28 21:14:35 +00:00
Jonathan Lemon
db4f9cc703 Add support for offloading IP/TCP/UDP checksums to NIC hardware which
supports them.
2000-03-27 19:14:27 +00:00
Matthew Dillon
84365e2bcb Fix parens in m_pullup() line in arp handling code. The code was
improperly doing the equivalent of (m = (function() == NULL)) instead
    of ((m = function()) == NULL).

    This fixes a NULL pointer dereference panic with runt arp packets.
2000-03-23 18:58:59 +00:00
Brian Feldman
333aa64d05 in6_pcb.c:
Remove a bogus (redundant, just weird, etc.) key_freeso(so).
	There are no consumers of it now, nor does it seem there
	ever will be.

in6?_pcb.c:
	Add an if (inp->in6?p_sp != NULL) before the call to
	ipsec[46]_delete_pcbpolicy(inp).  In low-memory conditions
	this can cause a crash because in6?_sp can be NULL...
2000-03-22 02:27:30 +00:00
Larry Lile
b149dd6c66 o Replace most magic numbers related to token ring with #defines
from iso88025.h.

o Add minimal llc support to iso88025_input.

o Clean up most of the source routing code.

* Submitted by: Nikolai Saoukh <nms@otdel-1.org>
2000-03-19 21:34:39 +00:00
Brian Somers
9da582e318 Make _FindLinkIn() static and only define GetDestPort when
NO_FW_PUNCH isn't defined.
2000-03-19 09:11:05 +00:00
Ruslan Ermilov
d137714f11 Fix reporting of src and dst IP addresses for ICMP and generic IP packets.
PR:		17319
Submitted by:	Mike Heffner <spock@techfour.net>
2000-03-14 14:11:53 +00:00
Yoshinobu Inoue
820b57927e Disable IPv4 over IPv4 tunnel on the 6to4 interface for better security.
Approved by: jkh
2000-03-11 22:11:57 +00:00
Yoshinobu Inoue
4739b8076f IPv6 6to4 support.
Now most big problem of IPv6 is getting IPv6 address
   assignment.
   6to4 solve the problem. 6to4 addr is defined like below,

          2002: 4byte v4 addr : 2byte SLA ID : 8byte interface ID

   The most important point of the address format is that an IPv4 addr
   is embeded in it. So any user who has IPv4 addr can get IPv6 address
   block with 2byte subnet space. Also, the IPv4 addr is used for
   semi-automatic IPv6 over IPv4 tunneling.

   With 6to4, getting IPv6 addr become dramatically easy.
   The attached patch enable 6to4 extension, and confirmed to work,
   between "Richard Seaman, Jr." <dick@tar.com> and me.

Approved by: jkh

Reviewed by: itojun
2000-03-11 11:17:24 +00:00
Robert Watson
76ec7b2f60 The function arpintr() incorrectly checks m->m_len to detect incomplete
ARP packets. This can incorrectly reject complete frames since the frame
could be stored in more than one mbuf.

The following patches fix the length comparisson, and add several
diagnostic log messages to the interrupt handler for out-of-the-norm ARP
packets. This should make ARP problems easier to detect, diagnose and
fix.

Submitted by:	C. Stephen Gunn <csg@waterspout.com>
Approved by:	jkh
Reviewed by:	rwatson
2000-03-11 00:24:29 +00:00
Yoshinobu Inoue
f63e7634ac Initialize mbuf pointer at getting ipsec policy.
Without this, kernel will panic at getsockopt() of IPSEC_POLICY.
Also make compilable libipsec/test-policy.c which tries getsockopt() of
IPSEC_POLICY.

Approved by: jkh

Submitted by: sakane@kame.net
2000-03-09 14:57:16 +00:00
Sheldon Hearn
c6ff3a1bf7 Remove single-space hard sentence breaks. These degrade the quality
of the typeset output, tend to make diffs harder to read and provide
bad examples for new-comers to mdoc.
2000-03-02 09:14:21 +00:00
Luigi Rizzo
da3fc682a7 Fix panic when doing keep-state and "forward".
Removed a redundant check.
Also move check for expired rules before using them.
Sorry for the whitespace changes.

Approved-by: jordan
2000-02-29 17:51:25 +00:00
Paul Saab
f885f63606 Limit the maximum permissible TCP window size to 65535 octets if
window scaling is disabled.

PR:		kern/16914
Submitted by:	Jayanth Vijayaraghavan <jayanth@yahoo-inc.com>
Reviewed by:	wollman
Approved by:	jkh
2000-02-28 21:18:21 +00:00
Alfred Perlstein
47a11f04b3 -it do, among other things, clear out any
+it does, amongst other things, clear out any

The old sentance didn't seem to make sense.
2000-02-28 00:31:18 +00:00
Guido van Rooij
6d37c73e26 Remove option IPFILTER_KLD. In case you wanted to kldload ipfilter,
the module would only work in kernels built with this option.

Approved by:	jkh
2000-02-23 20:11:57 +00:00
Peter Wemm
242c5536ea Clean up some loose ends in the network code, including the X.25 and ISO
#ifdefs.  Clean out unused netisr's and leftover netisr linker set gunk.
Tested on x86 and alpha, including world.

Approved by:	jkh
2000-02-13 03:32:07 +00:00
Luigi Rizzo
f42c0d553a Forgot one line: don't try to match flags when looking for a flow.
Approved-by: jordan
2000-02-11 13:23:14 +00:00
Guido van Rooij
a993ad154a Re add rev 1.11 diffs to ip_fil.h Also discover that I did not undefine
CVS_FUBAR (which no longer exists) and thus forgot to add $FreeBSD's.
Add them.

Approved by: jkh (is part of ipfilter upgrade)
2000-02-10 21:29:11 +00:00
Yoshinobu Inoue
1aa540eb03 Forbid include of soem inet6 header files from wrong place
KAME put INET6 related stuff into sys/netinet6 dir, but IPv6
  standard API(RFC2553) require following files to be under sys/netinet.
    netinet/ip6.h
    netinet/icmp6.h
  Now those header files just include each following files.
    netinet6/ip6.h
    netinet6/icmp6.h

  Also KAME has netinet6/in6.h for easy INET6 common defs
  sharing between different BSDs, but RFC2553 requires only
  netinet/in.h should be included from userland.
  So netinet/in.h also includes netinet6/in6.h inside.

  To keep apps portability, apps should not directly include
  above files from netinet6 dir.
  Ideally, all contents of,
    netinet6/ip6.h
    netinet6/icmp6.h
    netinet6/in6.h
  should be moved into
    netinet/ip6.h
    netinet/icmp6.h
    netinet/in.h
  but to avoid big changes in this stage, add some hack, that
    -Put some special macro define into those files under neitnet
    -Let files under netinet6 cause error if it is included
     from some apps, and, if the specifal macro define is not
     defined.
     (which should have been defined if files under netinet is
     included)
    -And let them print an error message which tells the
     correct name of the include file to be included.

  Also fix apps which includes invalid header files.

Approved by: jkh

Obtained from: KAME project
2000-02-10 19:33:58 +00:00
Luigi Rizzo
9fcc079584 Move definition of fw_enable from ip_fw.c to ip_input.c
so we can compile kernels without IPFIREWALL .

Reported-by: Robert Watson
Approved-by: jordan
2000-02-10 17:56:01 +00:00
Luigi Rizzo
6355710df8 Whoops... forgot braces in a conditional
Revealed-by: diff with -STABLE version (the advantage of having
    multiple lines of development...)
Approved-by: jordan
2000-02-10 16:50:53 +00:00
Luigi Rizzo
6bc748b057 Support the net.inet.ip.fw.enable variable, part of
the recent ipfw modifications.

Approved-by: jordan
2000-02-10 14:19:53 +00:00
Luigi Rizzo
03c612662b Support for stateful (dynamic) ipfw rules. They are very
similar to ipfilter's keep-state.

Look at the updated ipfw(8) manpage for details.

Approved-by: jordan
2000-02-10 14:17:40 +00:00
Guido van Rooij
6cd756a2b5 Bring over ipfilter v3_3_8 kernel sources, including merging the
local modifications.
Also fix initializing fr_running in KLD case.
Rename ipl_inited to fr_runninhg in mlfk_ipl

Approved by: jkh
2000-02-09 20:56:36 +00:00
Yoshinobu Inoue
a683a7dd4f Avoid kernel panic when tcp rfc1323 and rfc1644 options are enabled
at the same time.

   When rfc1323 and rfc1644 option are enabled by sysctl,
   and tcp over IPv6 is tried, kernel panic happens by the
   following check in tcp_output(), because now hdrlen is bigger
   in such case than before.

/*#ifdef DIAGNOSTIC*/
        if (max_linkhdr + hdrlen > MHLEN)
                panic("tcphdr too big");
/*#endif*/

   So change the above check to compare with MCLBYTES in #ifdef INET6 case.
   Also, allocate a mbuf cluster for the header mbuf, in that case.

Bug reported at KAME environment.
Approved by: jkh

Reviewed by: sumikawa
Obtained from: KAME project
2000-02-09 00:34:40 +00:00
Luigi Rizzo
9fbf0caaac Fix a (mostly harmless) scheduling-in-the-past problem with
dummynet (already fixed in -stable, was waiting for Jordan's
approval due to the code freeze).

Reported-By: Mike Tancsa
Approved-By: Jordan
2000-02-04 16:45:33 +00:00