1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-20 11:11:24 +00:00
Commit Graph

332 Commits

Author SHA1 Message Date
Paul Traina
ebb0cbea75 Increase robustness of FreeBSD against high-rate connection attempt
denial of service attacks.

Reviewed by:	bde,wollman,olah
Inspired by:	vjs@sgi.com
1996-10-07 04:32:42 +00:00
Paul Traina
12eafeb016 I don't understand, I committed this fix (move a counter and fixed a typo)
this evening.

I think I'm going insane.
1996-09-21 06:39:20 +00:00
Andrey A. Chernov
96d719e6e0 Syntax error: so_incom -> so_incomp 1996-09-21 06:30:06 +00:00
Paul Traina
4195b4af58 If the incomplete listen queue for a given socket is full,
drop the oldest entry in the queue.

There was a fair bit of discussion as to whether or not the
proper action is to drop a random entry in the queue.  It's
my conclusion that a random drop is better than a head drop,
however profiling this section of code (done by John Capo)
shows that a head-drop results in a significant performance
increase.

There are scenarios where a random drop is more appropriate.
If I find one in reality, I'll add the random drop code under
a conditional.

Obtained from: discussions and code done by Vernon Schryver (vjs@sgi.com).
1996-09-20 21:25:18 +00:00
Paul Traina
9c4b2574d4 Handle ICMP codes defined in RFC1812 more appropriately 1996-09-20 08:23:54 +00:00
Paul Traina
561c2ad31c Move TCPCTL_KEEPINIT to end of MIB list (sigh) 1996-09-13 23:54:03 +00:00
Paul Traina
7b40aa327d Make the misnamed tcp initial keepalive timer value (which is really the
time, in seconds, that state for non-established TCP sessions stays about)
a sysctl modifyable variable.

[part 1 of two commits, I just realized I can't play with the indices as
 I was typing this commit message.]
1996-09-13 23:51:44 +00:00
Paul Traina
7ff19458de Receipt of two SYN's are sufficient to set the t_timer[TCPT_KEEP]
to "keepidle".  this should not occur unless the connection has
been established via the 3-way handshake which requires an ACK

Submitted by:	jmb
Obtained from:	problem discussed in Stevens vol. 3
1996-09-13 18:47:03 +00:00
Garrett Wollman
f87313106d Set subnetsarelocal to false. In a classless world, the other case
is almost never useful.  (This is only a quick hack; someone should
go back and delete the entire subnetsarelocal==1 code path.)
1996-09-09 20:17:24 +00:00
David Greenman
e7c819442a Dequeue mbuf before freeing it. Fixes mbuf leak and a potential crash when
handling IP fragments.

Submitted by:	Darren Reed <avalon@coombs.anu.edu.au>
1996-09-08 13:45:49 +00:00
Alexander Langer
80afcdeef5 Fix the visibility of the sysctl variables.
Submitted by:	phk
1996-08-31 21:05:20 +00:00
Søren Schmidt
8f52c18724 Oops, send the operation type, not the name to the NAT code... 1996-08-27 20:52:27 +00:00
Poul-Henning Kamp
321a284625 Mark sockets where the kernel chose the port# for.
This can be used by netstat to behave more intelligently.
1996-08-23 18:59:07 +00:00
Søren Schmidt
fed1c7e9e4 Add hooks for an IP NAT module, much like the firewall stuff...
Move the sockopt definitions for the firewall code from
ip_fw.h to in.h where it belongs.
1996-08-21 21:37:07 +00:00
Bill Fenner
e329301e65 Add #define's for RFC1716/RFC1812 new ICMP UNREACHABLE types.
Obtained from:	LBL's tcpdump distribution
1996-08-20 23:11:30 +00:00
Paul Traina
cc98643e68 Completely rewrite handling of protocol field for firewalls, things are
now completely consistent across all IP protocols and should be quite a
bit faster.

Discussed with: fenner & alex
1996-08-13 19:43:41 +00:00
Peter Wemm
bbd42ad0e5 Add two more portrange sysctls, which control the area of the below
IPPORT_RESERVED that is used for selection when bind() is told to allocate
a reserved port.

Also, implement simple sanity checking for all the addresses set, to make
it a little harder for a user/sysadmin to shoot themselves in the feet.
1996-08-12 14:05:54 +00:00
Poul-Henning Kamp
26a8b0bf7e Megacommit to straigthen out ETHER_ mess.
I'm pretty convinced after looking at this that the majority of our
drivers are confused about the in/exclusion of ETHER_CRC_LEN :-(
1996-08-06 21:14:36 +00:00
Alexander Langer
71c011477f Filter by IP protocol.
Submitted by: fenner (with modifications by me)

Use a common prefix string for all warning messages generated during
ip_fw_ctl.
1996-08-05 02:35:04 +00:00
Garrett Wollman
5e2d069649 Eliminate some more references to separate ip_v and ip_hl fields. 1996-07-24 18:46:19 +00:00
Alexander Langer
c616bf2a71 Removed extraneous return. 1996-07-20 00:16:20 +00:00
Alexander Langer
889fe95791 Switch back to logging accepted packets with the text "Allow" instead
of "Accept"
1996-07-14 21:12:52 +00:00
David Greenman
af7a299930 Fixed two bugs in previous commit: be sure to include tcp_debug.h when
TCPDEBUG is defined, and fix typo in TCPDEBUG2() macro.
1996-07-12 17:28:47 +00:00
Bill Fenner
32bd8943f8 Fix braino in rev 1.30 fix; m_copy() the mbuf that has the header
pulled up already.  This bug can cause the first packet from a source
to a group to be corrupted when it is delivered to a process listening
on the mrouter.
1996-07-12 17:22:32 +00:00
Bruce Evans
6ab46d52a5 Don't use NULL in non-pointer contexts. 1996-07-12 04:12:25 +00:00
Garrett Wollman
2c37256e5a Modify the kernel to use the new pr_usrreqs interface rather than the old
pr_usrreq mechanism which was poorly designed and error-prone.  This
commit renames pr_usrreq to pr_ousrreq so that old code which depended on it
would break in an obvious manner.  This commit also implements the new
interface for TCP, although the old function is left as an example
(#ifdef'ed out).  This commit ALSO fixes a longstanding bug in the
TCP timer processing (introduced by davidg on 1995/04/12) which caused
timer processing on a TCB to always stop after a single timer had
expired (because it misinterpreted the return value from tcp_usrreq()
to indicate that the TCB had been deleted).  Finally, some code
related to polling has been deleted from if.c because it is not
relevant t -current and doesn't look at all like my current code.
1996-07-11 16:32:50 +00:00
Julian Elischer
93e0e11657 Adding changes to ipfw and the kernel to support ip packet diversion..
This stuff should not be too destructive if the IPDIVERT is not compiled in..
 be aware that this changes the size of the ip_fw struct
so ipfw needs to be recompiled to use it.. more changes coming to clean this up.
1996-07-10 19:44:30 +00:00
Nate Williams
bce2d3379e Functionality for IPFIREWALL_VERBOSE logging:
- State when we've reached the limit on a particular rule in the kernel logfile
- State when a rule or all rules have been zero'd.

This gives a log of all actions that occur w/regard to the firewall
occurances, and can explain why a particular break-in attempt might not
get logged due to the limit being reached.

Reviewed by:	alex
1996-07-09 20:49:38 +00:00
Alexander Langer
32fb6c089b Reject rules which try to mix ports with incompatible protocols. 1996-06-29 03:33:20 +00:00
Alexander Langer
830b0d3039 Allow fragment checking to work with specific protocols.
Reviewed by:	phk

Reject the addition of rules that will never match (for example,
1.2.3.4:255.255.255.0).  User level utilities specify the policy by either
masking the IP address for the user (as ipfw(8) does) or rejecting the
entry with an error.  In either case, the kernel should not modify chain
entries to make them work.
1996-06-25 00:22:20 +00:00
Bruce Evans
7472e2e0f8 Use IPFIREWALL_MODULE instead of ACTUALLY_LKM_NOT_KERNEL to indicate
LKM'ness.  ACTUALLY_LKM_NOT_KERNEL is supposed to be so ugly that it
only gets used until <machine/conf.h> goes away.  bsd.kmod.mk should
define a better-named general macro for this.  Some places use
PSEUDO_LKM.  This is another bad name.

Makefile:
Added IPFIREWALL_VERBOSE_LIMIT option (commented out).
1996-06-23 14:28:02 +00:00
Peter Wemm
51a109a174 Set the rmx.rmx_expire to 0 when creating fake ethernet addresses for the
broadcast and multicast routes, otherwise they will be expired by
arptimeout after a few minutes, reverting to " (incomplete)". This makes
the work done by rev 1.27 stay around until the route itself is deleted.
This is mainly cosmetic for 'arp' and 'netstat -r'.
1996-06-21 21:45:58 +00:00
Bill Fenner
94334d8fc4 Use the route that's guaranteed to exist when picking a source address
for ARP requests.

The NetBSD version of this patch (see NetBSD PR kern/2381) has this change
already.  This should close our PR kern/1140 .

Although it's not quite what he submitted, I got the idea from him so
Submitted by:	Jin Guojun <jin@george.lbl.gov>
1996-06-20 22:53:08 +00:00
Bill Fenner
d7e74838d6 Remove one last rip_output from inetsw (gpalmer missed it in rev 1.30) 1996-06-20 17:52:32 +00:00
Nate Williams
17040b78cd Put the 'debug' messages of the type:
/kernel: in_rtqtimo: adjusted rtq_reallyold to 1066
  /kernel: in_rtqtimo: adjusted rtq_reallyold to 710
inside of #ifdef DIAGNOSTIC to avoid the support questions from folks
asking what this means.
1996-06-20 15:41:23 +00:00
Alexander Langer
6875d5c1b3 Fix chain numbering bug when the highest line number installed >= 65435
and the rule being added has no explicit line number set.

Submitted by:	Archie Cobbs <archie@whistle.com>
1996-06-17 00:00:35 +00:00
Garrett Wollman
51fb392203 Better selection of initial retransmit timeout when no cached
RTT information is available.

Submitted by: kbracey@art.acorn.co.uk (Kevin Bracey)
(slightly modified by me)
1996-06-14 17:17:32 +00:00
Gary Palmer
5d2541dab0 Don't try to include opt_ipfw.h in LKMs
Submitted by:	Ollivier Robert <roberto@keltia.freenix.fr>
1996-06-13 17:35:28 +00:00
David Greenman
34bed8b0ee Keep ether_type in network order for BPF to be consistent with other
systems.

Submitted by:	Ted Lemon, Matt Thomas, and others. Retrofitted for
		-current by me.
1996-06-13 02:54:19 +00:00
Gary Palmer
74a9466cc2 Convert ipfw to use opt_ipfw.h 1996-06-12 19:34:33 +00:00
Gary Palmer
c23670e294 Clean up -Wunused warnings.
Reviewed by:		bde
1996-06-12 05:11:41 +00:00
Alexander Langer
7a99108603 Big sweep over ipfw, picking up where Poul left off:
- Log ICMP type during verbose output.
  - Added IPFIREWALL_VERBOSE_LIMIT option to prevent denial of service
    attacks via syslog flooding.
  - Filter based on ICMP type.
  - Timestamp chain entries when they are matched.
  - Interfaces can now be matched with a wildcard specification (i.e.
    will match any interface unit for a given name).
  - Prevent the firewall chain from being manipulated when securelevel
    is greater than 2.
  - Fixed bug that allowed the default policy to be deleted.
  - Ability to zero individual accounting entries.
  - Remove definitions of old_chk_ptr and old_ctl_ptr when compiling
    ipfw as a lkm.
  - Remove some redundant code shared between ip_fw_init and ipfw_load.

Closes PRs: 1192, 1219, and 1267.
1996-06-09 23:46:21 +00:00
Bruce Evans
0453d3cbb3 Changed some memcpy()'s back to bcopy()'s.
gcc only inlines memcpy()'s whose count is constant and didn't inline
these.  I want memcpy() in the kernel go away so that it's obvious that
it doesn't need to be optimized.  Now it is only used for one struct
copy in si.c.
1996-06-08 08:19:03 +00:00
Garrett Wollman
c611d82e64 Instrument UDP PCB hashing to see how often the hash lookup is effective
for incoming packets.
1996-06-05 17:20:35 +00:00
Garrett Wollman
6da5712b60 Correct formula for TCP RTO calculation. Also try to do a better job in
filling in a new PCB's rttvar (but this is not the last word on the subject).
And get rid of `#ifdef RTV_RTT', it's been true for four years now...
1996-06-05 16:57:38 +00:00
John Polstra
588c92252f Fix a bug in the handling of the "persist" state which, under certain
circumstances, caused perfectly good connections to be dropped.  This
happened for connections over a LAN, where the retransmit timer
calculation TCP_REXMTVAL(tp) returned 0.  If sending was blocked by flow
control for long enough, the old code dropped the connection, even
though timely replies were being received for all window probes.

Reviewed by:	W. Richard Stevens <rstevens@noao.edu>
1996-06-03 15:37:52 +00:00
Gary Palmer
b750974745 Correct spelling error in comment 1996-06-02 00:15:19 +00:00
Peter Wemm
62d2e87ec1 More closely preserve the original operation of rresvport() when using
IP_PORTRANGE_LOW.
1996-05-31 05:11:22 +00:00
Garrett Wollman
f9493383fc Conditionalize calls to IPFW code on COMPAT_IPFW. This is done slightly
unconventionally:
	If COMPAT_IPFW is not defined, or if it is defined to 1, enable;
otherwise, disable.

This means that these changes actually have no effect on anyone at the
moment.  (It just makes it easier for me to keep my code in sync.)
In the future, the `not defined' part of the hack should be eliminated,
but doing this now would require everyone to change their config files.

The same conditionals need to be made in ip_input.c as well for this to
ave any useful effect, but I'm not ready to do that right now.
1996-05-22 17:23:09 +00:00
Peter Wemm
ce8c72b147 Fix an embarresing error on my part that made the IP_PORTRANGE options
return a failure code (even though it worked).
This commit brought to you by the 'C' keyword "break".. :-)
1996-05-21 20:47:31 +00:00