1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-21 11:13:30 +00:00
Commit Graph

125 Commits

Author SHA1 Message Date
Yoshinobu Inoue
6a800098cc IPSEC support in the kernel.
pr_input() routines prototype is also changed to support IPSEC and IPV6
chained protocol headers.

Reviewed by: freebsd-arch, cvs-committers
Obtained from: KAME project
1999-12-22 19:13:38 +00:00
Guido van Rooij
05ec607970 Revive mlfk_ipl here. This version is slightly changed from
the old one: an unnecessary define (KLD_MODULE) has been deleted and
the initialisation of the module is  done after domaininit was called
to be sure inet is running.

Some slight changed were made to ip_auth.c and ip_state.c in order
to assure including of sys/systm.h in case we make a kld

Make sure ip_fil does nmot include osreldate in kernel mode

Remove mlfk_ipl.c from here: no sources allowed in these directories!
1999-12-06 20:36:50 +00:00
Archie Cobbs
8948e4ba8e Miscellaneous fixes/cleanups relating to ipfw and divert(4):
- Implement 'ipfw tee' (finally)
- Divert packets by calling new function divert_packet() directly instead
  of going through protosw[].
- Replace kludgey global variable 'ip_divert_port' with a function parameter
  to divert_packet()
- Replace kludgey global variable 'frag_divert_port' with a function parameter
  to ip_reass()
- style(9) fixes

Reviewed by:	julian, green
1999-12-06 00:43:07 +00:00
Dag-Erling Smørgrav
27108a1511 Include the correct header for the IPSTEALTH option. 1999-08-29 12:18:39 +00:00
Peter Wemm
c3aac50f28 $Id$ -> $FreeBSD$ 1999-08-28 01:08:13 +00:00
David Greenman
afed137543 Made net.inet.ip.intr_queue_maxlen writeable. 1999-05-27 12:20:33 +00:00
Luigi Rizzo
eaa726bed6 Free the dummynet descriptor in ip_dummynet, not in the called
routines. The descriptor contains parameters which could be used
within those routines (eg. ip_output() ).

On passing, add IPPROTO_PGM entry to netinet/in.h
1999-05-04 16:20:33 +00:00
Bill Fumerola
3d177f465a Add sysctl descriptions to many SYSCTL_XXXs
PR:		kern/11197
Submitted by:	Adrian Chadd <adrian@FreeBSD.org>
Reviewed by:	billf(spelling/style/minor nits)
Looked at by:	bde(style)
1999-05-03 23:57:32 +00:00
Peter Wemm
66e55756b5 Tidy up some stray / unused stuff in the IPFW package and friends.
- unifdef -DCOMPAT_IPFW  (this was on by default already)
- remove traces of in-kernel ip_nat package, it was never committed.
- Make IPFW and DUMMYNET initialize themselves rather than depend on
  compiled-in hooks in ip_init().  This means they initialize the same
  way both in-kernel and as kld modules.  (IPFW initializes now :-)
1999-04-20 13:32:06 +00:00
Julian Elischer
ed1ff184f3 Fix the 'fwd' option to ipfw when asked to divert to another machine.
also rely less on other modules clearing static values, and clear them
in a few cases we missed before.
Submitted by: Matthew Reimer <mreimer@vpop.net>
1999-03-12 01:15:57 +00:00
Dag-Erling Smørgrav
1b968362aa Add support for stealth forwarding (forwarding packets without touching
their ttl). This can be used - in combination with the proper ipfw
incantations - to make a firewall or router invisible to traceroute
and other exploration tools.

This behaviour is controlled by a sysctl variable (net.inet.ip.stealth)
and hidden behind a kernel option (IPSTEALTH).

Reviewed by:	eivind, bde
1999-02-22 18:19:57 +00:00
Garrett Wollman
cc766e041e After wading in the cesspool of ip_input for an hour, I have managed to
convince myself that nothing will break if we permit IP input while
interface addresses are unconfigured.  (At worst, they will hit some
ULP's PCB scan and fail if nobody is listening.)  So, remove the restriction
that addresses must be configured before packets can be input.  Assume
that any unicast packet we receive while unconfigured is potentially ours.
1999-02-09 16:55:46 +00:00
Matthew Dillon
831a80b0d5 Fix warnings in preparation for adding -Wall -Wcast-qual to the
kernel compile
1999-01-27 22:42:27 +00:00
Garrett Wollman
92af003dd8 Don't forward unicast packets received via link-layer multicast.
Suggested by: fenner
Original complaint: Shiva Shenoy <Shiva.Shenoy@yagosys.com>
1999-01-22 16:50:45 +00:00
Eivind Eklund
dee383e043 Add #ifdef's to avoid unused label warning in some cases. 1999-01-12 12:25:00 +00:00
Luigi Rizzo
af38c68c1e Recover from previous dummynet screwup 1998-12-21 22:40:54 +00:00
Luigi Rizzo
b715f178c6 Last bits (i think) of dummynet for -current. 1998-12-14 18:09:13 +00:00
Archie Cobbs
f1d19042b0 The "easy" fixes for compiling the kernel -Wunused: remove unreferenced static
and local variables, goto labels, and functions declared but not defined.
1998-12-07 21:58:50 +00:00
Doug Rabson
7a94149e37 Make the previous fix more portable.
Requested by: bde
1998-11-16 08:27:36 +00:00
Doug Rabson
48a39a495a Fix printf format errors on alpha. 1998-11-15 18:10:14 +00:00
David Greenman
9ec944bdb0 Be sure to pullup entire IP header when dealing with fragment packets. 1998-11-11 21:17:59 +00:00
Doug Rabson
e3f0338ead Some optimisations to the fragment reassembly code.
Submitted by: Don Lewis <Don.Lewis@tsc.tdk.com>
1998-10-27 09:19:03 +00:00
Doug Rabson
afb3fdba7c Fix a bug in the new fragment reassembly code which was tickled by recieving
a fragment which wholly overlapped one or more existing fragments.

Submitted by: Don Lewis <Don.Lewis@tsc.tdk.com>
1998-10-27 09:11:41 +00:00
Peter Wemm
aa855a598d *gulp*. Jordan specifically OK'ed this..
This is the bulk of the support for doing kld modules.  Two linker_sets
were replaced by SYSINIT()'s.  VFS's and exec handlers are self registered.
kld is now a superset of lkm.  I have converted most of them, they will
follow as a seperate commit as samples.
This all still works as a static a.out kernel using LKM's.
1998-10-16 03:55:01 +00:00
Doug Rabson
945aa40deb Ensure that m_nextpkt is set to NULL after reassembling fragments. 1998-09-10 08:56:40 +00:00
Doug Rabson
6effc71332 Re-implement tcp and ip fragment reassembly to not store pointers in the
ip header which can't work on alpha since pointers are too big.

Reviewed by: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
1998-08-24 07:47:39 +00:00
Garrett Wollman
cfe8b629f1 Yow! Completely change the way socket options are handled, eliminating
another specialized mbuf type in the process.  Also clean up some
of the cruft surrounding IPFW, multicast routing, RSVP, and other
ill-explored corners.
1998-08-23 03:07:17 +00:00
Bruce Evans
162886e237 Fixed printf format errors. 1998-08-17 01:05:25 +00:00
Bruce Evans
0c8d2590e3 Fixed some longs that should have been fixed-sized types. 1998-07-13 12:12:25 +00:00
David Greenman
0af8d3ec72 When not acting as a router (ipforwarding=0), silently discard source
routed packets that aren't destined for us, as required by RFC-1122.
PR: 7191
1998-07-08 08:49:51 +00:00
Julian Elischer
3a1ae084e2 oops ended comment before the comment ended.. 1998-07-06 09:10:56 +00:00
Julian Elischer
efe39c6a1a Bring back some slight cleanups from 2.2 1998-07-06 09:06:58 +00:00
Julian Elischer
d4295c3248 Fix braino in switching to TAILQ macro. 1998-07-06 05:00:53 +00:00
Julian Elischer
f9e354df42 Support for IPFW based transparent forwarding.
Any packet that can be matched by a ipfw rule can be redirected
transparently to another port or machine. Redirection to another port
mostly makes sense with tcp, where a session can be set up
between a proxy and an unsuspecting client. Redirection to another machine
requires that the other machine also be expecting to receive the forwarded
packets, as their headers will not have been modified.

/sbin/ipfw must be recompiled!!!

Reviewed by:	Peter Wemm <peter@freebsd.org>
Submitted by: Chrisy Luke <chrisy@flix.net>
1998-07-06 03:20:19 +00:00
Julian Elischer
b3adeeb209 Remove the option to keep IPFW diversion backwards compatible
WRT diversion reinjection. No-one has been bitten by the new behaviour
that I know of.
1998-07-02 05:49:12 +00:00
Julian Elischer
ed7509ace4 Go through the loopback code with a broom..
Remove lots'o'hacks.
looutput is now static.

Other callers who want to use loopback to allow shortcutting
should call the special entrypoint for this, if_simloop(), which is
specifically designed for this purpose. Using looutput for this purpose
was problematic, particularly with bpf and trying to keep track
of whether one should be using the charateristics of the loopback interface
or the interface (e.g. if_ethersubr.c) that was requesting the loopback.
There was a whole class of errors due to this mis-use each of which had
hacks to cover them up.

Consists largly of hack removal :-)
1998-06-12 03:48:19 +00:00
Julian Elischer
b876049334 Make sure the default value of a dummy variable is 0
so that it doesn't do anything.
1998-06-06 21:49:17 +00:00
Julian Elischer
3ed81d03b3 Fix wrong data type for a pointer. 1998-06-06 20:45:28 +00:00
Julian Elischer
c977d4c735 clean up the changes made to ipfw over the last weeks
(should make the ipfw lkm work again)
1998-06-06 19:39:10 +00:00
Julian Elischer
e256a933a8 Reverse the default sense of the IPFW/DIVERT reinjection code
so that the new behaviour is now default.
Solves the "infinite loop in diversion" problem when more than one diversion
is active.
Man page changes follow.

The new code is in -stable as the NON default option.
1998-06-05 22:40:01 +00:00
Julian Elischer
bb60f459a0 Add optional code to change the way that divert and ipfw work together.
Prior to this change, Accidental recursion protection was done by
the diverted daemon feeding back the divert port number it got
the packet on, as the port number on a sendto(). IPFW knew not to
redivert a packet to this port (again). Processing of the ruleset
started at the beginning again, skipping that divert port.

The new semantic (which is how we should have done it the first time)
is that the port number in the sendto() is the rule number AFTER which
processing should restart, and on a recvfrom(), the port number is the
rule number which caused the diversion. This is much more flexible,
and also more intuitive. If the user uses the same sockaddr received
when resending, processing resumes at the rule number following that
that caused the diversion. The user can however select to resume rule
processing at any rule. (0 is restart at the beginning)

To enable the new code use

option	IPFW_DIVERT_RESTART

This should become the default as soon as people have looked at it a bit
1998-05-25 10:37:48 +00:00
David Greenman
b8e8c209c5 The ipt_ptr field is 1-based (see TCP/IP Illustrated, Vol. 1, pp. 91-95),
so it must be adjusted (minus 1) before using it to do the length check.
I'm not sure who to give the credit to, but the bug was reported by
Jennifer Dawn Myers <jdm@enteract.com>, who also supplied a patch. It
was also fixed in OpenBSD previously by andreas.gunnarsson@emw.ericsson.se,
and of course I did the homework to verify that the fix was correct per
the specification.
PR:	6738
1998-05-24 14:59:57 +00:00
David Greenman
1f91d8c563 Added fast IP forwarding code by Matt Thomas <matt@3am-software.com> via
NetBSD, ported to FreeBSD by Pierre Beyssac <pb@fasterix.freenix.org> and
minorly tweaked by me.
This is a standard part of FreeBSD, but must be enabled with:
"sysctl -w net.inet.ip.fastforwarding=1" ...and of course forwarding must
also be enabled. This should probably be modified to use the zone
allocator for speed and space efficiency. The current algorithm also
appears to lose if the number of active paths exceeds IPFLOW_MAX (256),
in which case it wastes lots of time trying to figure out which cache
entry to drop.
1998-05-19 14:04:36 +00:00
Poul-Henning Kamp
81aee63d19 Wrong header length used for certain reassembled IP packets.
PR:		6177
Reviewed by:	phk, wollman
Submitted by:	Eric Sprinkle <eric@ennovatenetworks.com>
1998-04-13 17:27:08 +00:00
Poul-Henning Kamp
227ee8a188 Eradicate the variable "time" from the kernel, using various measures.
"time" wasn't a atomic variable, so splfoo() protection were needed
around any access to it, unless you just wanted the seconds part.

Most uses of time.tv_sec now uses the new variable time_second instead.

gettime() changed to getmicrotime(0.

Remove a couple of unneeded splfoo() protections, the new getmicrotime()
is atomic, (until Bruce sets a breakpoint in it).

A couple of places needed random data, so use read_random() instead
of mucking about with time which isn't random.

Add a new nfs_curusec() function.

Mark a couple of bogosities involving the now disappeard time variable.

Update ffs_update() to avoid the weird "== &time" checks, by fixing the
one remaining call that passwd &time as args.

Change profiling in ncr.c to use ticks instead of time.  Resolution is
the same.

Add new function "tvtohz()" to avoid the bogus "splfoo(), add time, call
hzto() which subtracts time" sequences.

Reviewed by:	bde
1998-03-30 09:56:58 +00:00
Peter Wemm
1ee25934a9 Make this compile.. There are some unpleasing hacks in here.
A major unifdef session is sorely tempting but would destroy any remaining
chance of tracking the original sources.
1998-03-21 11:34:28 +00:00
Dima Ruban
c383a33f06 NetBSD PR# 2772
Reviewed by:	David Greenman
1998-02-26 08:31:53 +00:00
Guido van Rooij
4fce58048d Add new sysctl variable: net.inet.ip.accept_sourceroute
It controls if the system is to accept source routed packets.
It used to be such that, no matter if the setting of net.inet.ip.sourceroute,
source routed packets destined at us would be accepted. Now it is
controllable with eth default set to NOT accept those.
1998-02-16 19:23:58 +00:00
Andrey A. Chernov
47174b49b2 Replace non-existent ip_forwarding with ipforwarding
(compilation error)
1998-02-12 03:37:45 +00:00
Guido van Rooij
a293037f7c Only forward source routed packets when ip_forwarding is set to 1.
This means that a FreeBSD will only forward source routed packets
when both net.inet.ip.forwarding and net.inet.ip.sourceroute are set
to 1.

You can hit me now ;-)
Submitted by:	Thomas Ptacek
1998-02-11 18:43:42 +00:00