1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-18 10:35:55 +00:00
Commit Graph

896 Commits

Author SHA1 Message Date
Luigi Rizzo
44f1bb1a55 assorted dummynet cleanup:
+ plug an mbuf leak when dummynet used with bridging
 + make prototype of dummynet_io consistent with usage
 + code cleanup so that now bandwidth regulation is precise to the
   bit/s and not to (8*HZ) bit/s as before.
1999-05-04 07:30:08 +00:00
Bill Fumerola
3d177f465a Add sysctl descriptions to many SYSCTL_XXXs
PR:		kern/11197
Submitted by:	Adrian Chadd <adrian@FreeBSD.org>
Reviewed by:	billf(spelling/style/minor nits)
Looked at by:	bde(style)
1999-05-03 23:57:32 +00:00
Poul-Henning Kamp
75c1354190 This Implements the mumbled about "Jail" feature.
This is a seriously beefed up chroot kind of thing.  The process
is jailed along the same lines as a chroot does it, but with
additional tough restrictions imposed on what the superuser can do.

For all I know, it is safe to hand over the root bit inside a
prison to the customer living in that prison, this is what
it was developed for in fact:  "real virtual servers".

Each prison has an ip number associated with it, which all IP
communications will be coerced to use and each prison has its own
hostname.

Needless to say, you need more RAM this way, but the advantage is
that each customer can run their own particular version of apache
and not stomp on the toes of their neighbors.

It generally does what one would expect, but setting up a jail
still takes a little knowledge.

A few notes:

   I have no scripts for setting up a jail, don't ask me for them.

   The IP number should be an alias on one of the interfaces.

   mount a /proc in each jail, it will make ps more useable.

   /proc/<pid>/status tells the hostname of the prison for
   jailed processes.

   Quotas are only sensible if you have a mountpoint per prison.

   There are no privisions for stopping resource-hogging.

   Some "#ifdef INET" and similar may be missing (send patches!)

If somebody wants to take it from here and develop it into
more of a "virtual machine" they should be most welcome!

Tools, comments, patches & documentation most welcome.

Have fun...

Sponsored by:   http://www.rndassociates.com/
Run for almost a year by:       http://www.servetheweb.com/
1999-04-28 11:38:52 +00:00
Dmitrij Tejblum
604359cf9b s/static foo_devsw_installed = 0;/static int foo_devsw_installed;/.
(Edited automatically)
1999-04-28 10:54:24 +00:00
Poul-Henning Kamp
f711d546d2 Suser() simplification:
1:
  s/suser/suser_xxx/

2:
  Add new function: suser(struct proc *), prototyped in <sys/proc.h>.

3:
  s/suser_xxx(\([a-zA-Z0-9_]*\)->p_ucred, \&\1->p_acflag)/suser(\1)/

The remaining suser_xxx() calls will be scrutinized and dealt with
later.

There may be some unneeded #include <sys/cred.h>, but they are left
as an exercise for Bruce.

More changes to the suser() API will come along with the "jail" code.
1999-04-27 11:18:52 +00:00
Luigi Rizzo
1e83f7627b Make one pass through the firewall the default.
Multiple pass (which only affects dummynet) is too confusing.
1999-04-26 14:57:24 +00:00
Andrey A. Chernov
3879597f4f so_linger is in seconds, not in 1/HZ
PR: 11252
Submitted by: Martin Kammerhofer <dada@sbox.tu-graz.ac.at>
1999-04-24 18:25:35 +00:00
Dmitrij Tejblum
9d8da4723b Use pointer arithmetic as appropriate. 1999-04-24 13:23:48 +00:00
Luigi Rizzo
88a5354ece postpone the sending of IGMP LEAVE msg to after deleting the
mc address from the address list. The latter operation on some
hardware resets the card, potentially canceling the pending LEAVE
pkt.
1999-04-24 12:28:51 +00:00
Luoqi Chen
46d28b4462 Work around an egcs optimizer bug (i386). This should fix the active ftp
hang problem. A bug report has been sent to cygnus.
1999-04-21 21:28:01 +00:00
Peter Wemm
3a8e3ea548 s/IPFIREWALL_MODULE/KLD_MODULE/ 1999-04-20 14:29:59 +00:00
Peter Wemm
66e55756b5 Tidy up some stray / unused stuff in the IPFW package and friends.
- unifdef -DCOMPAT_IPFW  (this was on by default already)
- remove traces of in-kernel ip_nat package, it was never committed.
- Make IPFW and DUMMYNET initialize themselves rather than depend on
  compiled-in hooks in ip_init().  This means they initialize the same
  way both in-kernel and as kld modules.  (IPFW initializes now :-)
1999-04-20 13:32:06 +00:00
Peter Wemm
d95939af7a Zap LKM option and support. Farewell old friend. 1999-04-19 14:19:52 +00:00
Peter Wemm
a9013e8a77 Convert the dummynet lkm code to be kld aware (this isn't actually used
anywhere that I can see).
1999-04-17 11:09:08 +00:00
Peter Wemm
ffab0b4be1 Oops, forgot this part of lkm code that's been replaced with kld. 1999-04-17 08:56:38 +00:00
Eivind Eklund
243c4c6d7f Better handling for ARP/source routing on Token Ring
Submitted by:	Larry Lile <lile@stdio.com>
1999-04-15 17:58:24 +00:00
Eivind Eklund
66235db57f Staticize. 1999-04-11 02:50:42 +00:00
Julian Elischer
29089b519d Two cosmetic changes, one a typo and the other, a clarification. 1999-04-07 22:22:06 +00:00
Nick Sayer
a44e3914d5 Merge from RELENG_2_2, per luigi. Fixes the ntoh?() issue for the
firewall code when called from the bridge code.

PR:             10818
Submitted by:   nsayer
Obtained from:  luigi
1999-03-30 23:45:34 +00:00
Luigi Rizzo
6d41201fc5 Use the correct length from the mbuf header instead of the one from
the IP header (this would not work for bridged packets).
This has been fixed long ago in the 2.2 branch.

Problem noticed by: a few people
Fix suggested by: Remy Nonnenmacher
1999-03-26 14:15:59 +00:00
Brian Somers
42889ed1d5 PacketAliasProxyRule takes a const char *
Reminded by: bde
1999-03-25 06:48:05 +00:00
Brian Somers
942759e756 Add a ``const'' and remove some inconsistent prototype args. 1999-03-24 20:28:58 +00:00
Luigi Rizzo
efce68a2e9 add missing #include "opt_bdg.h" 1999-03-24 12:43:39 +00:00
Bill Fumerola
26bb956563 Remove duplicate line.
Reviewed by:	eivind
1999-03-23 23:01:15 +00:00
Luigi Rizzo
f0a53591ad Fix a dummynet bug caused by passing a bad next hop address (the
symptom was the msg "arp failure -- host is not on local network" that
some user have seen on multihomed machines.
Bug tracked down by Emmanuel Duros
1999-03-16 12:06:11 +00:00
Julian Elischer
ed1ff184f3 Fix the 'fwd' option to ipfw when asked to divert to another machine.
also rely less on other modules clearing static values, and clear them
in a few cases we missed before.
Submitted by: Matthew Reimer <mreimer@vpop.net>
1999-03-12 01:15:57 +00:00
Julian Elischer
fda82fc2b9 Submitted by: Larry Lile
Move the Olicom token ring driver to the officially sanctionned location of
/sys/contrib. Also fix some brokenness in the generic token ring support.

Be warned that if_dl.h has been changed and SOME programs might
like recompilation.
1999-03-10 10:11:43 +00:00
Brian Somers
4c32f5d217 Remove all diagnostics to stdout/stderr with #ifdef DEBUG
Statify functions in alias_nbt.c
1999-03-09 23:44:00 +00:00
Brian Somers
164928d385 Document PacketAliasPptp() and allow it to be disabled
by passing INADDR_NONE.
1999-03-07 18:13:23 +00:00
Brian Somers
b862eda467 Remove unused function stubs. 1999-03-07 15:36:58 +00:00
Brian Somers
ac8e3334de Mention that PacketAliasProxyRule() doesn't accept host names,
just IP numbers.
1999-03-07 15:02:22 +00:00
Archie Cobbs
94446a2ed6 When an incoming packet is reflected back as an ICMP reply, make sure we
zero "m->m_pkthdr.rcvif", otherwise ipfw may wrongly match the outgoing packet.
PR:		kern/9723
Submitted by:	David Malone <dwmalone@maths.tcd.ie>
1999-03-06 23:10:42 +00:00
Brian Somers
619d1a30a1 Document PacketAliasProxyRule() and fix a typo. 1999-03-06 21:58:43 +00:00
Garrett Wollman
4022a21d8b Move kernel-only declaration inside #ifdef KERNEL section. 1999-03-06 04:51:41 +00:00
Bill Paul
51e1b50529 arprequest() allocates an mbuf with m_gethdr() but does not initialize
m->m_pkthdr.rcvif to NULL. Bad arprequest(). No biscuit.
1999-03-04 04:03:57 +00:00
Brian Somers
7d96f4efd2 Version 3.0: January 1, 1999
- Transparent proxying support added.
    - PPTP redirecting support added based on patches
      contributed by Dru Nelson <dnelson@redwoodsoft.com>.

Submitted by: Charles Mott <cmott@srv.net>
1999-02-27 02:16:01 +00:00
Dag-Erling Smørgrav
1b968362aa Add support for stealth forwarding (forwarding packets without touching
their ttl). This can be used - in combination with the proper ipfw
incantations - to make a firewall or router invisible to traceroute
and other exploration tools.

This behaviour is controlled by a sysctl variable (net.inet.ip.stealth)
and hidden behind a kernel option (IPSTEALTH).

Reviewed by:	eivind, bde
1999-02-22 18:19:57 +00:00
Julian Elischer
722012cc0c World, I'd like you to meet the first FreeBSD token Ring driver.
This  is for various Olicom cards. An IBM driver is following.
This patch also adds support to tcpdump to decode packets on tokenring.
Congratulations to the proud father.. (below)

Submitted by:	Larry Lile <lile@stdio.com>
1999-02-20 11:18:00 +00:00
Luigi Rizzo
17458d3570 avoid panic with pkts larger than MTU and DF set coming out of a pipe. 1999-02-19 18:32:55 +00:00
Doug Rabson
ce02431ffa * Change sysctl from using linker_set to construct its tree using SLISTs.
This makes it possible to change the sysctl tree at runtime.

* Change KLD to find and register any sysctl nodes contained in the loaded
  file and to unregister them when the file is unloaded.

Reviewed by: Archie Cobbs <archie@whistle.com>,
	Peter Wemm <peter@netplex.com.au> (well they looked at it anyway)
1999-02-16 10:49:55 +00:00
Garrett Wollman
cc766e041e After wading in the cesspool of ip_input for an hour, I have managed to
convince myself that nothing will break if we permit IP input while
interface addresses are unconfigured.  (At worst, they will hit some
ULP's PCB scan and fail if nobody is listening.)  So, remove the restriction
that addresses must be configured before packets can be input.  Assume
that any unicast packet we receive while unconfigured is potentially ours.
1999-02-09 16:55:46 +00:00
Julian Elischer
a0c091ad1d remove leftover garbage line. 1999-02-08 05:53:39 +00:00
Julian Elischer
b0935ca284 Fix for PR 9309.
Divert was not feeding clean data to ifa_ifwithaddr() so it was
giving bad results.
Submitted by: kseel <kseel@utcorp.com>, Ruslan Ermilov <ru@ucb.crimea.ua>
1999-02-08 05:48:46 +00:00
Bill Fenner
51b7b33769 Use snd_nxt, not rcv_nxt, when calculating the ISS during TIME_WAIT.
This was missed in the 4.4-Lite2 merge.

Noticed by:	Mohan Parthasarathy <Mohan.Parthasarathy@eng.Sun.COM> and
		jayanth@loc201.tandem.com (vijayaraghavan_jayanth)
		on the tcp-impl mailing list.
1999-02-06 00:47:45 +00:00
Mike Smith
ea95d6917a Nuke all the stupid ffs() stuff and use powerof2() instead.
Submitted by:	Bruce Evans <bde@zeta.org.au>
1999-02-04 03:27:43 +00:00
Mike Smith
609b6256fd Fix power-of-2 check for the TCB hash size.
Submitted by:	Brian Feldman <green@unixhelp.org>
1999-02-04 03:02:56 +00:00
Mike Smith
aa1458495d Make TCBHASHSIZE a boot-time tunable as well, taking its value from the
variable net.inet.tcp.tcbhashsize.

Requested by:	David Filo <filo@yahoo-inc.com>
1999-02-03 08:59:30 +00:00
Matthew Dillon
831a80b0d5 Fix warnings in preparation for adding -Wall -Wcast-qual to the
kernel compile
1999-01-27 22:42:27 +00:00
Archie Cobbs
85abbaa800 Move kernel-only declarations to within #ifdef KERNEL
Prompted by:	gcc warnings when compiling /sbin/ipfw
1999-01-23 23:59:50 +00:00
Garrett Wollman
92af003dd8 Don't forward unicast packets received via link-layer multicast.
Suggested by: fenner
Original complaint: Shiva Shenoy <Shiva.Shenoy@yagosys.com>
1999-01-22 16:50:45 +00:00
Bill Fenner
b0acefa8d4 Add a flag, passed to pru_send routines, PRUS_MORETOCOME. This
flag means that there is more data to be put into the socket buffer.
Use it in TCP to reduce the interaction between mbuf sizes and the
Nagle algorithm.

Based on:	"Justin C. Walker" <justin@apple.com>'s description of Apple's
		fix for this problem.
1999-01-20 17:32:01 +00:00
Bill Fenner
cc133fa302 Fix bug in last commit (la was used uninitialized if no route was passed in). 1999-01-19 23:17:03 +00:00
Bill Fenner
01b7c0826f Use dynamic memory allocation instead of mbuf's for multicast routing
state.

Note: this requires a recompilation of netstat (but netstat has been
broken since rev 1.52 of ip_mroute.c anyway)

Obtained from:	Significantly based on Steve McCanne's
		<mccanne@cs.berkeley.edu> work for BSD/OS
1999-01-18 02:06:59 +00:00
Bill Fenner
9bb02c7b92 Rename igmp's MALLOC; it doesn't have anything to do with multicast routing. 1999-01-18 01:56:31 +00:00
Bill Fenner
e7bc5f272b If arpresolve() gets passed a route with a null llinfo, call
arplookup() to try again.  This gets rid of at least one user's
 "arpresolve: can't allocate llinfo" errors, and arplookup() gives
 better error messages to help track down the problem if there really
 is a problem with the routing table.
1999-01-18 01:54:36 +00:00
Eivind Eklund
0189b9a1fd ... _and_ the (void*) casts for %p. Next, I'll forget my own name :-( 1999-01-12 16:43:52 +00:00
Eivind Eklund
e23c7d8612 Avoid unnecessary GCCism - I hadn't noticed the __unused macro. 1999-01-12 16:40:57 +00:00
Eivind Eklund
19e5ea73d0 * Print pointers using the correct type (%p) instead of %x.
* Use the correct type for timeout function.
* Add missing #include.
1999-01-12 12:27:54 +00:00
Eivind Eklund
dee383e043 Add #ifdef's to avoid unused label warning in some cases. 1999-01-12 12:25:00 +00:00
Eivind Eklund
ab54eac7a1 Remove unused statics. 1999-01-12 12:16:50 +00:00
Luigi Rizzo
4180488519 Add a missing bzero which could be the source of instability
problems reported recently (the rtentry pointer in the dummynet
queue was not initialized in all cases, resulting in spurious
rt_refcnt decreases in the lucky cases, and memory trashing in
other cases.
1999-01-11 11:08:07 +00:00
Luigi Rizzo
a1a2de5139 Remove check from where arp replies are coming from -- when doing bridging,
interfaces are used in clusters so the check does not apply.
1999-01-10 17:40:10 +00:00
Brian Somers
a2743da670 If we can't open alias.log, don't try to write to the
resulting NULL FILE *.
PR:	9403
1999-01-10 02:05:13 +00:00
Luigi Rizzo
cc277540ab Partial fix for when ipfw is used with bridging. Bridged packets
have all fields in network order, whereas ipfw expects some to be
in host order. This resulted in some incorrect matching, e.g. some
packets being identified as fragments, or bandwidth not being
correctly enforced.
NOTE: this only affects bridge+ipfw, normal ipfw usage was already
correct).

Reported-By: Dave Alden and others.
1998-12-31 07:43:29 +00:00
Luigi Rizzo
ea1f41f65f Remove some unused variables. 1998-12-31 07:35:49 +00:00
Luigi Rizzo
549db363a7 'ip_fw_head' and 'M_IPFW' are also used in ip_dummynet so cannot be
static...
Reported by: Dave Alden
1998-12-22 20:38:06 +00:00
Luigi Rizzo
af38c68c1e Recover from previous dummynet screwup 1998-12-21 22:40:54 +00:00
Luigi Rizzo
f0f6d6434d Restore 1.82->1.83 change deleted by mistake< per Bruce suggestion 1998-12-21 21:36:40 +00:00
Bill Fenner
0b6205feca Add missing "break"s to allow multicast routing to work.
Submitted by:	Amancio Hasty <hasty@rah.star-gate.com>
1998-12-16 18:07:11 +00:00
Luigi Rizzo
b715f178c6 Last bits (i think) of dummynet for -current. 1998-12-14 18:09:13 +00:00
Matthew Dillon
374fad8b17 Reviewed by: freebsd-current
Add bounds checking to netbios NS packet resolving code.  This should
    prevent natd from crashing on badly formed netbios packets (as might be
    heard when the machine is sitting on a cable modem or certain DSL
    networks), and also closes potential security holes that might have
    exploited the lack of bounds checking in the previous version of the
    code.
1998-12-14 02:25:32 +00:00
Matthew Dillon
4462d1a56f PR: kern/8990
If timer calculation results in degenerate value (0), force it to 1
    to avoid divide-by-zero panic later on in calls to IGMP_RANDOM_DELAY().
    I considered simply adding 1 to the timer calculation, but was unsure
    if the calculation was part of the IGMP standard or not so did not want
    to mess with it for all cases.
1998-12-12 21:45:49 +00:00
Archie Cobbs
f1d19042b0 The "easy" fixes for compiling the kernel -Wunused: remove unreferenced static
and local variables, goto labels, and functions declared but not defined.
1998-12-07 21:58:50 +00:00
Eivind Eklund
6572231d20 Clean up some pointer usage. 1998-12-07 05:41:10 +00:00
Archie Cobbs
2127f26023 Examine all occurrences of sprintf(), strcat(), and str[n]cpy()
for possible buffer overflow problems. Replaced most sprintf()'s
with snprintf(); for others cases, added terminating NUL bytes where
appropriate, replaced constants like "16" with sizeof(), etc.

These changes include several bug fixes, but most changes are for
maintainability's sake. Any instance where it wasn't "immediately
obvious" that a buffer overflow could not occur was made safer.

Reviewed by:	Bruce Evans <bde@zeta.org.au>
Reviewed by:	Matthew Dillon <dillon@apollo.backplane.com>
Reviewed by:	Mike Spengler <mks@networkcs.com>
1998-12-04 22:54:57 +00:00
Matthew Dillon
5fce7fc47f Cleanup icmp_var.h, make icmp bandlim sysctl permanent but if ICMP_BANDLIM
option not defined the sysctl int value is set to -1 and read-only.

    #ifdef KERNEL's added appropriately to wall off visibility of kernel
    routines from user code.
1998-12-04 04:21:25 +00:00
Matthew Dillon
a3e7459d60 Obtained from: "Andrey A. Chernov" <ache@nagual.pp.ru>
Quick add #ifdef KERNEL for ICMP_BANDLIM option so userland program
     can #include icmp_var.h
1998-12-04 03:49:18 +00:00
Matthew Dillon
51508de112 Reviewed by: freebsd-current
Add ICMP_BANDLIM option and 'net.inet.icmp.icmplim' sysctl.  If option
    is specified in kernel config, icmplim defaults to 100 pps.  Setting it
    to 0 will disable the feature.  This feature limits ICMP error responses
    for packets sent to bad tcp or udp ports, which does a lot to help the
    machine handle network D.O.S. attacks.

    The kernel will report packet rates that exceed the limit at a rate of
    one kernel printf per second.  There is one issue in regards to the
    'tail end' of an attack... the kernel will not output the last report
    until some unrelated and valid icmp error packet is return at some
    point after the attack is over.  This is a minor reporting issue only.
1998-12-03 20:23:21 +00:00
Eivind Eklund
29be051d68 Staticize some more. 1998-11-26 18:54:52 +00:00
John Polstra
b2052ac8cf Fix a couple of typos. 1998-11-19 18:07:28 +00:00
Doug Rabson
73c8631124 Remove stale references to ih_next and ih_prev.
Pointed out by: Roman V. Palagin <romanp@wuppy.rcs.ru>
1998-11-17 10:53:37 +00:00
Doug Rabson
7a94149e37 Make the previous fix more portable.
Requested by: bde
1998-11-16 08:27:36 +00:00
Guido van Rooij
d285db5598 The below patch helps to reduce the leakage of internal socket information
when a TCP "stealth" scan is directed at a *BSD box by ensuring the window
is 0 for all RST packets generated through tcp_respond()
Reviewed by:	Don Lewis <Don.Lewis@tsc.tdk.com>
Obtained from:	Bugtraq (from: Darren Reed <avalon@COOMBS.ANU.EDU.AU>)
1998-11-15 21:35:09 +00:00
Doug Rabson
48a39a495a Fix printf format errors on alpha. 1998-11-15 18:10:14 +00:00
Bruce Evans
c25ded316f Finished updating module event handlers to be compatible with
modeventhand_t.
1998-11-15 15:33:52 +00:00
David Greenman
9ec944bdb0 Be sure to pullup entire IP header when dealing with fragment packets. 1998-11-11 21:17:59 +00:00
Peter Wemm
1c5bb3eaa1 add #include <sys/kernel.h> where it's needed by MALLOC_DEFINE() 1998-11-10 09:16:29 +00:00
Doug Rabson
e3f0338ead Some optimisations to the fragment reassembly code.
Submitted by: Don Lewis <Don.Lewis@tsc.tdk.com>
1998-10-27 09:19:03 +00:00
Doug Rabson
afb3fdba7c Fix a bug in the new fragment reassembly code which was tickled by recieving
a fragment which wholly overlapped one or more existing fragments.

Submitted by: Don Lewis <Don.Lewis@tsc.tdk.com>
1998-10-27 09:11:41 +00:00
Peter Wemm
aa855a598d *gulp*. Jordan specifically OK'ed this..
This is the bulk of the support for doing kld modules.  Two linker_sets
were replaced by SYSINIT()'s.  VFS's and exec handlers are self registered.
kld is now a superset of lkm.  I have converted most of them, they will
follow as a seperate commit as samples.
This all still works as a static a.out kernel using LKM's.
1998-10-16 03:55:01 +00:00
Doug Rabson
e0dd9c3ed8 Dike out some obsolete defines which referenced ih_next and ih_prev from
struct ipovly (they don't exist anymore because they don't work when
pointers are 64bit).
1998-09-26 14:26:59 +00:00
Bill Fenner
52b65dbe85 Fix the bind security fix introduced in rev 1.38 to work with multicast:
- Don't bother checking for conflicting sockets if we're binding to a
  multicast address.
- Don't return an error if we're binding to INADDR_ANY, the conflicting
  socket is bound to INADDR_ANY, and the conflicting socket has SO_REUSEPORT
  set.

PR:		kern/7713
1998-09-17 18:42:16 +00:00
Bill Fenner
dd9b6dde89 Prevent modification of permanent ARP entries (PR kern/7649)
Ignore ARP replies from the wrong interface (discussion on mailing list)
Add interface name to a couple of error messages
1998-09-17 00:04:21 +00:00
Joseph Koshy
61a4defd54 Turn off replies to ICMP echo requests for broadcast and multicast
addresses by default.

Add a knob "icmp_bmcastecho" to "rc.network" to allow this
behaviour to be controlled from "rc.conf".

Document the controlling sysctl variable "net.inet.icmp.bmcastecho"
in sysctl(3).

Reviewed by: dg, jkh
Reminded on -hackers by: Steinar Haug <sthaug@nethelp.no>
1998-09-15 10:49:03 +00:00
Luigi Rizzo
2655eb498f Bring in new files for dummynet support 1998-09-12 22:03:21 +00:00
Garrett Wollman
80ab7c0ed8 Fix RST validation.
PR:		7892
Submitted by:	Don.Lewis@tsc.tdk.com
1998-09-11 16:04:03 +00:00
Doug Rabson
945aa40deb Ensure that m_nextpkt is set to NULL after reassembling fragments. 1998-09-10 08:56:40 +00:00
Poul-Henning Kamp
19ddafa3b3 RFC 1644 has the status "Experimental Protocol", which means:
4.1.4.  Experimental Protocol

      A system should not implement an experimental protocol unless it
      is participating in the experiment and has coordinated its use of
      the protocol with the developer of the protocol.

Pointed out by:	Steinar Haug <sthaug@nethelp.no>
1998-09-06 08:17:35 +00:00
Poul-Henning Kamp
67a895f650 Widen and change the layout of the IPFW structures flag element.
This will allow us to add dummynet to 3.0

Recompile /sbin/ipfw AND your kernel.
1998-09-02 19:14:01 +00:00
Garrett Wollman
db028362a0 Properly fragment multicast packets.
PR: 7802
Submitted by:	Steve McCanne <mccanne@cs.berkeley.edu>
1998-09-02 15:11:14 +00:00
Brian Somers
7100135f12 Remove OpenBSD build support - let the Makefile vary per
OS rather than making it a mess and potentially screwing
up cross builds.
Suggested by: bde

Add Id keyword.
1998-08-31 12:14:30 +00:00
Brian Somers
e8ede338eb Add OpenBSD build support 1998-08-30 23:53:25 +00:00
Doug Rabson
6effc71332 Re-implement tcp and ip fragment reassembly to not store pointers in the
ip header which can't work on alpha since pointers are too big.

Reviewed by: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
1998-08-24 07:47:39 +00:00
Garrett Wollman
cfe8b629f1 Yow! Completely change the way socket options are handled, eliminating
another specialized mbuf type in the process.  Also clean up some
of the cruft surrounding IPFW, multicast routing, RSVP, and other
ill-explored corners.
1998-08-23 03:07:17 +00:00
Bruce Evans
162886e237 Fixed printf format errors. 1998-08-17 01:05:25 +00:00
Bruce Evans
bd3513170b Made some disgusting ifdefs even more disgusting to enable the support
for `u_long cmd' ioctl args if __FreeBSD_version >= 300003.  Some ioctls
were broken on machines with 32-bit ints and 64-bit longs.
1998-08-15 21:51:53 +00:00
Bruce Evans
e43b2ba087 Fixed printf format errors (ntohl() returns in_addr_t = u_int32_t != long
on some 64-bit systems).  print_ip() should use inet_ntoa() instead of
bloated inline code with 4 ntohl()s.
1998-08-11 19:08:42 +00:00
Bruce Evans
db176bbac6 Converted the last instance of hzto() to tvtohz(). 1998-08-05 16:59:20 +00:00
Doug Rabson
a467a475ab Use explicitly sized types when digging through packet headers.
Reviewed by: Julian Elischer <julian@whistle.com>
1998-08-03 17:23:37 +00:00
Peter Wemm
9de9737f47 Fix a compile error if IPFIREWALL_FORWARD active without IPDIVERT. 1998-08-01 08:44:33 +00:00
Kenjiro Cho
4f53e3cc7a update ATM driver. (base version: midway.c 1.67 --> 1.68)
several new features are added:
	- support vc/vp shaping
	- support pvc shadow interface

code cleanup:
	- remove WMAYBE related code.  ENI WMAYBE DMA doen't work.
	- remove updating if_lastchange for every packet.
	- BPF related code is moved to midway.c as it should be.
	  (bpfwrite should work if atm_pseudohdr and LLC/SNAP are
	  prepended.)
	- BPF link type is changed to DLT_ATM_RFC1483.
	  BPF now understands only LLC/SNAP!! (because bpf can't
	  handle variable link header length.)
	  It is recommended to use LLC/SNAP instead of NULL
	  encapsulation for various reasons.  (BPF, IPv6,
	  interoperability, etc.)

the code has been used for months in ALTQ and KAME IPv6.

OKed by phk long time ago.
1998-07-29 05:35:16 +00:00
Alexander Langer
a9a6d1042a Don't log ICMP type and subtype for non-zero offset packet fragments. 1998-07-18 23:27:15 +00:00
Bruce Evans
5914e1ea80 Removed a bogus forward struct declaration.
Cleaned up ifdefs.
1998-07-13 12:20:07 +00:00
Bruce Evans
0c8d2590e3 Fixed some longs that should have been fixed-sized types. 1998-07-13 12:12:25 +00:00
Bruce Evans
9105bb4680 Fixed overflow and sign extension bugs in
`len = min(so->so_snd.sb_cc, win) - off;'.  min() has type u_int
and `off' has type int, so when min() is 0 and `off' is 1, the RHS
overflows to 0U - 1 = UINT_MAX.  `len' has type long, so when
sizeof(long) == sizeof(int), the LHS normally overflows to to the
correct value of -1, but when sizeof(long) > sizeof(int), the LHS
is UINT_MAX.

Fixed some u_long's that should have been fixed-sized types.
1998-07-13 11:53:59 +00:00
Bruce Evans
07a4df4fee Declare tcp_seq and tcp_cc as fixed-size types. Half fixed type
mismatches exposed by this (the prototype for tcp_respond() didn't
match the  function definition lexically, and still depends on a
gcc feature to match if ints have more than 32 bits).
1998-07-13 11:09:52 +00:00
Bruce Evans
99c819ef77 Declare id_mask as a fixed-size type. 1998-07-13 11:01:03 +00:00
Bruce Evans
e53040ef71 Declare n_short, n_long and n_time as fixed-sized types. Don't ifdef
n_long or n_short specially for alphas.
1998-07-13 10:54:24 +00:00
David Greenman
0af8d3ec72 When not acting as a router (ipforwarding=0), silently discard source
routed packets that aren't destined for us, as required by RFC-1122.
PR: 7191
1998-07-08 08:49:51 +00:00
Julian Elischer
3a1ae084e2 oops ended comment before the comment ended.. 1998-07-06 09:10:56 +00:00
Julian Elischer
efe39c6a1a Bring back some slight cleanups from 2.2 1998-07-06 09:06:58 +00:00
Julian Elischer
1f7e052c16 Don't expect the new code to be used without the right option file being
included.
1998-07-06 05:04:33 +00:00
Julian Elischer
d4295c3248 Fix braino in switching to TAILQ macro. 1998-07-06 05:00:53 +00:00
Julian Elischer
f9e354df42 Support for IPFW based transparent forwarding.
Any packet that can be matched by a ipfw rule can be redirected
transparently to another port or machine. Redirection to another port
mostly makes sense with tcp, where a session can be set up
between a proxy and an unsuspecting client. Redirection to another machine
requires that the other machine also be expecting to receive the forwarded
packets, as their headers will not have been modified.

/sbin/ipfw must be recompiled!!!

Reviewed by:	Peter Wemm <peter@freebsd.org>
Submitted by: Chrisy Luke <chrisy@flix.net>
1998-07-06 03:20:19 +00:00
Julian Elischer
7d82bea53d Remove out of date comment. 1998-07-02 06:31:25 +00:00
Julian Elischer
b3adeeb209 Remove the option to keep IPFW diversion backwards compatible
WRT diversion reinjection. No-one has been bitten by the new behaviour
that I know of.
1998-07-02 05:49:12 +00:00
Poul-Henning Kamp
5fa7f62e66 Byte count statistics of multicast vifs are invalid.
The problem is caused by a wrong endianess in the sum.

PR:		7115
Submitted by:	Joao Carlos Mendes Luis <jonny@jonny.eng.br>
1998-06-30 10:56:31 +00:00
John Hay
a910fdcb88 Only make struct xtcpcb visable if _NETINET_IN_PCB_H_ and _SYS_SOCKETVAR_H_
are defined.
Reviewed by:	bde
1998-06-27 07:30:45 +00:00
Brian Somers
0579bd7175 Add CUSEEME support. This has *not* been tested, nor
could I find anyone to test it, so please report any
problems to me.
1998-06-24 06:58:00 +00:00
Bruce Evans
e5b19842ef Removed unused includes. 1998-06-21 14:53:44 +00:00
Peter Wemm
6054307b92 Merge ipfilter 3.2.3 -> 3.2.7 changes onto mainline. 1998-06-20 18:37:51 +00:00
Peter Wemm
122221ad20 This commit was generated by cvs2svn to compensate for changes in r37071,
which included commits to RCS files with non-trunk default branches.
1998-06-20 18:18:05 +00:00
Peter Wemm
aeee047f95 Import ipfilter 3.2.7 kernel components 1998-06-20 18:18:05 +00:00
Julian Elischer
2b8a366cf8 fix another typo 1998-06-15 00:35:47 +00:00
Julian Elischer
201c2527a9 Try narrow down the culprit sending undefined packet types through the loopback 1998-06-14 20:58:17 +00:00
Julian Elischer
6b1214b0fc Remove 3 occurances of __FUNCTION__ 1998-06-12 20:03:26 +00:00
Julian Elischer
ed7509ace4 Go through the loopback code with a broom..
Remove lots'o'hacks.
looutput is now static.

Other callers who want to use loopback to allow shortcutting
should call the special entrypoint for this, if_simloop(), which is
specifically designed for this purpose. Using looutput for this purpose
was problematic, particularly with bpf and trying to keep track
of whether one should be using the charateristics of the loopback interface
or the interface (e.g. if_ethersubr.c) that was requesting the loopback.
There was a whole class of errors due to this mis-use each of which had
hacks to cover them up.

Consists largly of hack removal :-)
1998-06-12 03:48:19 +00:00
Julian Elischer
0cab75363d include opt_ipdivert.h so we get correct options 1998-06-12 02:48:47 +00:00
Julian Elischer
bab04eb816 Allow diverted packets from the transmit side to remember if they
had a recv interface and allow that state to be available
after re-injection for further tests.
1998-06-12 01:54:29 +00:00
Brian Somers
dfcb634be3 Quieten gcc 2.8.1 1998-06-10 00:26:19 +00:00
Bruce Evans
a09bee1aa8 Fixed pedantic semantics errors (bitfields not of type int, signed int
or unsigned int (this doesn't change the struct layout, size or
alignment in any of the files changed in this commit, at least for
gcc on i386's.  Using bitfields of type u_char may affect size and
alignment but not packing)).
1998-06-08 09:47:47 +00:00
Bruce Evans
42ef2606c3 ip_fil.h has 9 separate declarations of iplioctl() in a disgusting
ifdef tangle.  The previous commit to ip_fil.h didn't change the
one that actually applies to the current FreeBSD kernel, of course.
Fixed.

Fixed style bugs in previous commit to ip_fil.h.
1998-06-08 06:04:12 +00:00
Doug Rabson
ecbb00a262 This commit fixes various 64bit portability problems required for
FreeBSD/alpha.  The most significant item is to change the command
argument to ioctl functions from int to u_long.  This change brings us
inline with various other BSD versions.  Driver writers may like to
use (__FreeBSD_version == 300003) to detect this change.

The prototype FreeBSD/alpha machdep will follow in a couple of days
time.
1998-06-07 17:13:14 +00:00
Bruce Evans
57d05a62d1 Fixed pedantic semantics errors (bitfields not of type int, signed int
or unsigned int).
1998-06-07 12:00:13 +00:00
Brian Somers
b5ce85fe32 Don't call PunchFWHole() ifdef NO_FW_PUNCH
Pointed out by: "Steve Sims" <SimsS@IBM.Net>
1998-06-06 21:52:37 +00:00
Julian Elischer
b876049334 Make sure the default value of a dummy variable is 0
so that it doesn't do anything.
1998-06-06 21:49:17 +00:00
Julian Elischer
3ed81d03b3 Fix wrong data type for a pointer. 1998-06-06 20:45:28 +00:00
Julian Elischer
c977d4c735 clean up the changes made to ipfw over the last weeks
(should make the ipfw lkm work again)
1998-06-06 19:39:10 +00:00
Joseph Koshy
9c727d2ca9 Spelling corrections.
PR: 6868
Submitted by: Josh Gilliam <josh@quick.net>
1998-06-06 05:50:53 +00:00
Julian Elischer
c2a239ebc7 Reviewed by: Kirk Mckusick (mckusick@mckusick.com)
Submitted by:	luoqi Chen
fix a type in fsck.
(also add a comment that got picked up by mistake but is worth adding)
1998-06-05 23:33:26 +00:00
Julian Elischer
e256a933a8 Reverse the default sense of the IPFW/DIVERT reinjection code
so that the new behaviour is now default.
Solves the "infinite loop in diversion" problem when more than one diversion
is active.
Man page changes follow.

The new code is in -stable as the NON default option.
1998-06-05 22:40:01 +00:00
Peter Wemm
04a3fd1276 Let the sowwakeup macro decide when to call sowakeup rather than have
tcp "know" about it.  A pending upcall would be missed, eg: used by NFS.

Obtained from: NetBSD
1998-05-31 18:42:49 +00:00
David Greenman
d311884fb6 Fixed logic in the test to drop ICMP echo and timestamp packets when
net.inet.ip.icmp.bmcastecho = 0 by removing the extra check for the
address being a multicast address. The test now relies on the link
layer flags that indicate it was received via multicast. The previous
logic was broken and replied to ICMP echo/timestamp broadcasts even
when the sysctl option disallowed them.
Reviewed by:	wollman
1998-05-26 11:34:30 +00:00
Julian Elischer
bb60f459a0 Add optional code to change the way that divert and ipfw work together.
Prior to this change, Accidental recursion protection was done by
the diverted daemon feeding back the divert port number it got
the packet on, as the port number on a sendto(). IPFW knew not to
redivert a packet to this port (again). Processing of the ruleset
started at the beginning again, skipping that divert port.

The new semantic (which is how we should have done it the first time)
is that the port number in the sendto() is the rule number AFTER which
processing should restart, and on a recvfrom(), the port number is the
rule number which caused the diversion. This is much more flexible,
and also more intuitive. If the user uses the same sockaddr received
when resending, processing resumes at the rule number following that
that caused the diversion. The user can however select to resume rule
processing at any rule. (0 is restart at the beginning)

To enable the new code use

option	IPFW_DIVERT_RESTART

This should become the default as soon as people have looked at it a bit
1998-05-25 10:37:48 +00:00
Julian Elischer
436c7212e6 Hide the interface name in the sin_zero section of the sockaddr_in
passed to the user process for incoming packets. When the sockaddr_in
is passed back to the divert socket later, use thi sas the primary
interface lookup and only revert to the IP address when the name fails.
This solves a long standing bug with divert sockets:
When two interfaces had the same address (P2P for example) the interface
"assigned" to the reinjected packet was sometimes incorect.
Probably we should define a "sockaddr_div" to officially hold this
extended information in teh same manner as sockaddr_dl.
1998-05-25 08:44:31 +00:00
Julian Elischer
25e75fb320 Take the user's "IGNORE_DIVERT" argument from where the user put it
and not from the PCB which HAPPENS to contain the same number most
of the time, but not always.
1998-05-25 07:41:23 +00:00
Bill Fenner
a04884fcbe Take IP options into account when calculating the allowable length
of the TCP payload.  See RFC1122 section 4.2.2.6 .  This allows
Path MTU discovery to be used along with IP options.

PR:		problem discovered by Kevin Lahey <kml@nas.nasa.gov>
1998-05-24 18:41:04 +00:00
David Greenman
b8e8c209c5 The ipt_ptr field is 1-based (see TCP/IP Illustrated, Vol. 1, pp. 91-95),
so it must be adjusted (minus 1) before using it to do the length check.
I'm not sure who to give the credit to, but the bug was reported by
Jennifer Dawn Myers <jdm@enteract.com>, who also supplied a patch. It
was also fixed in OpenBSD previously by andreas.gunnarsson@emw.ericsson.se,
and of course I did the homework to verify that the fix was correct per
the specification.
PR:	6738
1998-05-24 14:59:57 +00:00
Atsushi Murai
fb9cd36d0d Primary verison of NetBIOS over TCP/IP. Now you can connect Windows
DOMAIN as DOMAIN user through NAT function. See also RFC1002 for
futher detail of SMB structure.

Submitted by:	Atsushi Murai <amurai@spec.co.jp>
1998-05-24 03:03:10 +00:00
Poul-Henning Kamp
245086a062 Get more details on the "arpresolve: can't allocate llinfo" bogon.
PR:		2570
Reviewed by:	phk
Submitted by:	fenner
1998-05-23 08:03:40 +00:00
John Polstra
677c9dd6f3 Fix a typo-bug in ipflow_reap that could cause a NULL pointer
dereference.  I have also sent this fix to Matt Thomas.
1998-05-19 17:47:11 +00:00
Pierre Beyssac
4c711e6d04 Move (private) struct ipflow out of ip_var.h, to reduce dependencies
(for ipfw for example) on internal implementation details.
Add $Id$ where missing.
1998-05-19 15:53:50 +00:00
David Greenman
cc3205c24d Moved #define of IPFLOW_HASHBITS to ip_flow.c where I think it belongs. 1998-05-19 14:19:03 +00:00
David Greenman
1f91d8c563 Added fast IP forwarding code by Matt Thomas <matt@3am-software.com> via
NetBSD, ported to FreeBSD by Pierre Beyssac <pb@fasterix.freenix.org> and
minorly tweaked by me.
This is a standard part of FreeBSD, but must be enabled with:
"sysctl -w net.inet.ip.fastforwarding=1" ...and of course forwarding must
also be enabled. This should probably be modified to use the zone
allocator for speed and space efficiency. The current algorithm also
appears to lose if the number of active paths exceeds IPFLOW_MAX (256),
in which case it wastes lots of time trying to figure out which cache
entry to drop.
1998-05-19 14:04:36 +00:00
Guido van Rooij
068373b683 Grumble...It seems I'm suffering from some mental disease. Do it correct now. 1998-05-18 17:11:24 +00:00
Guido van Rooij
0bce271a1f Add some parenthesis for clarity and fix a bug
Pointed out by: Garrett Wollmand
1998-05-18 17:07:58 +00:00
Garrett Wollman
98271db4d5 Convert socket structures to be type-stable and add a version number.
Define a parameter which indicates the maximum number of sockets in a
system, and use this to size the zone allocators used for sockets and
for certain PCBs.

Convert PF_LOCAL PCB structures to be type-stable and add a version number.

Define an external format for infomation about socket structures and use
it in several places.

Define a mechanism to get all PF_LOCAL and PF_INET PCB lists through
sysctl(3) without blocking network interrupts for an unreasonable
length of time.  This probably still has some bugs and/or race
conditions, but it seems to work well enough on my machines.

It is now possible for `netstat' to get almost all of its information
via the sysctl(3) interface rather than reading kmem (changes to follow).
1998-05-15 20:11:40 +00:00
John Birrell
fac6d93b19 Treat all internet addresses as u_int32_t. 1998-05-10 20:51:46 +00:00
Mike Smith
7be2d30077 In the words of the submitter:
---------
Make callers of namei() responsible for releasing references or locks
instead of having the underlying filesystems do it.  This eliminates
redundancy in all terminal filesystems and makes it possible for stacked
transport layers such as umapfs or nullfs to operate correctly.

Quality testing was done with testvn, and lat_fs from the lmbench suite.

Some NFS client testing courtesy of Patrik Kudo.

vop_mknod and vop_symlink still release the returned vpp.  vop_rename
still releases 4 vnode arguments before it returns.  These remaining cases
will be corrected in the next set of patches.
---------

Submitted by:	Michael Hancock <michaelh@cet.co.jp>
1998-05-07 04:58:58 +00:00
Guido van Rooij
11ad455083 Refuse accellerated opens on listening sockets that have not set
the TCP_NOPUSH socket option.
This disables TAO for those  services that do not know about T/TCP.

Reviewed by:	Garrett Wollman
Submitted by:	Peter Wemm
1998-05-04 17:59:52 +00:00
David Greenman
84e33c9eea At the request of Garrett, changed sysctl:
net.inet.tcp.delack_enabled -> net.inet.tcp.delayed_ack
1998-04-24 10:08:57 +00:00
David Greenman
552b7df4c1 Ensure that TCP_REXMTVAL doesn't return a value less than t_rttmin. This
is believed to have been broken with the Brakmo/Peterson srtt
calculation changes. The result of this bug is that TCP connections
could time out extremely quickly (in 12 seconds).
Also backed out jdp's partial fix for this problem in rev 1.17 of
tcp_timer.c as it is obsoleted by this commit.
Bug was pointed out by Kevin Lehey <kml@roller.nas.nasa.gov>.

PR:	6068
1998-04-24 09:25:39 +00:00
Julian Elischer
20e427a519 Remove the artificial limit on the size of the ipfw filter structure.
This allows the addition of extra fields if we need them (I have plans).
1998-04-21 18:54:53 +00:00
Brian Somers
9feab75ab7 o Support a compile-time -DNO_FW_PUNCH for portability
(and those of us that don't want the functionality).
o Don't assume sizeof(long) == 4.
Ok'd by: Charles Mott <cmott@srv.net>
1998-04-19 21:42:07 +00:00
Poul-Henning Kamp
4565cbea29 According to:
ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers

port numbers are divided into three ranges:

	    0 -  1023 Well Known Ports
	 1024 - 49151 Registered Ports
	49152 - 65535 Dynamic and/or Private Ports

This patch changes the "local port range" from 40000-44999
to the range shown above (plus fix the comment in in_pcb.c).

WARNING: This may have an impact on firewall configurations!

PR:		5402
Reviewed by:	phk
Submitted by:	Stephen J. Roznowski <sjr@home.net>
1998-04-19 17:22:30 +00:00
Dag-Erling Smørgrav
dc73342347 Seventy-odd "its" / "it's" typos in comments fixed as per kern/6108. 1998-04-17 22:37:19 +00:00
Bruce Evans
c1087c1324 Support compiling with `gcc -ansi'. 1998-04-15 17:47:40 +00:00
Poul-Henning Kamp
81aee63d19 Wrong header length used for certain reassembled IP packets.
PR:		6177
Reviewed by:	phk, wollman
Submitted by:	Eric Sprinkle <eric@ennovatenetworks.com>
1998-04-13 17:27:08 +00:00
Poul-Henning Kamp
9f7d4611b3 Use read_random() 1998-04-06 11:40:42 +00:00
Poul-Henning Kamp
8e5db87cdb Remove the last traces of TUBA.
Inspired by:	PR kern/3317
1998-04-06 06:52:47 +00:00
Poul-Henning Kamp
227ee8a188 Eradicate the variable "time" from the kernel, using various measures.
"time" wasn't a atomic variable, so splfoo() protection were needed
around any access to it, unless you just wanted the seconds part.

Most uses of time.tv_sec now uses the new variable time_second instead.

gettime() changed to getmicrotime(0.

Remove a couple of unneeded splfoo() protections, the new getmicrotime()
is atomic, (until Bruce sets a breakpoint in it).

A couple of places needed random data, so use read_random() instead
of mucking about with time which isn't random.

Add a new nfs_curusec() function.

Mark a couple of bogosities involving the now disappeard time variable.

Update ffs_update() to avoid the weird "== &time" checks, by fixing the
one remaining call that passwd &time as args.

Change profiling in ncr.c to use ticks instead of time.  Resolution is
the same.

Add new function "tvtohz()" to avoid the bogus "splfoo(), add time, call
hzto() which subtracts time" sequences.

Reviewed by:	bde
1998-03-30 09:56:58 +00:00
Bruce Evans
08637435f2 Moved some #includes from <sys/param.h> nearer to where they are actually
used.
1998-03-28 10:33:27 +00:00
Bruce Evans
8781d8e928 Fixed style bugs (mostly) in previous commit. 1998-03-28 10:18:26 +00:00
Bruce Evans
812d997c85 Get socket and locking stuff by including <sys/socket.h> and <sys/lock.h>,
not by including <sys/mount.h> and depending on namespace pollution in it.
1998-03-28 08:07:12 +00:00
Peter Wemm
4acf4a68c9 When building in in the kernel rather than as a LKM, don't compile
all the LKM load/unload junk, and don't forget to register the SYSINIT
so that the cdevsw entry is attached.

BTW: I think the way it builds it's /dev nodes on the fly as an LKM with
vnode ops is kinda cute - I guess that'd be one way to solve the devfs
persistance problems.. :-)  (ie: have the drivers make the nodes in /dev
on disk directly if they are missing, but leave them alone if present).
1998-03-27 18:08:08 +00:00
Peter Wemm
5e9135b2e1 allow open on all minors 1998-03-27 18:03:13 +00:00
Peter Wemm
5c3a5f4a20 A fix for a link down route cleanup panic, when the route cleanup
pulls the rug out from underneath itself.

Obtained from: wollman (a few months ago, I've been using this for ages)
1998-03-27 14:30:18 +00:00
Garrett Wollman
3d4d47f398 Use the zone allocator to allocate inpcbs and tcpcbs. Each protocol creates
its own zone; this is used particularly by TCP which allocates both inpcb and
tcpcb in a single allocation.  (Some hackery ensures that the tcpcb is
reasonably aligned.)  Also keep track of the number of pcbs of each type
allocated, and keep a generation count (instance version number) for future
use.
1998-03-24 18:06:34 +00:00
Bruce Evans
bf9a92b782 FixedSpellingErrorInAFunctionname. 1998-03-23 12:28:31 +00:00
Peter Wemm
e1ddf71b7b Make it compile.. missing "opt_ipfilter.h" and missing <sys/malloc.h> 1998-03-21 14:42:45 +00:00
Peter Wemm
0be272dc79 Some patchups for when this code is compiled in userland (!). 1998-03-21 13:37:44 +00:00
Peter Wemm
cf3fd327f4 replaced by FreeBSD specific version 1998-03-21 11:36:36 +00:00
Peter Wemm
1ee25934a9 Make this compile.. There are some unpleasing hacks in here.
A major unifdef session is sorely tempting but would destroy any remaining
chance of tracking the original sources.
1998-03-21 11:34:28 +00:00
Peter Wemm
48cb3612ce Merge vendor changes from 3.2.1 -> 3.2.3 onto mainline 1998-03-21 10:20:13 +00:00
Peter Wemm
27064bb159 Import kernel parts of ipfilter v3.2.3 1998-03-21 10:11:54 +00:00
Peter Wemm
65c83eff1e This commit was generated by cvs2svn to compensate for changes in r34742,
which included commits to RCS files with non-trunk default branches.
1998-03-21 10:11:54 +00:00
Bill Fenner
75daa6a53f Remove the check for SYN in SYN_RECEIVED state; it breaks simultaneous
connect.  This check was added as part of the defense against the "land"
attack, to prevent attacks which guess the ISS from going into ESTABLISHED.
The "src == dst" check will still prevent the single-homed case of the
"land" attack, and guessing ISS's should be hard anyway.

Submitted by:	David Borman <dab@bsdi.com>
1998-03-20 00:43:29 +00:00
Alexander Langer
6d473e818c Allow ICMP unreachable messages to be sent in response to ICMP query
packets (as per Stevens volume 1 section 6.2).
1998-03-15 00:36:27 +00:00
Guido van Rooij
4049a04253 Make sure that you can only bind a more specific address when it is
done by the same uid.
Obtained from: OpenBSD
1998-03-01 19:39:29 +00:00
Brian Somers
0ffaca1078 1) in CleanupAliasData, don't nullify entry in linkTableOut
since there might be permanent entries still left after
   calls to DeleteLink (it will be nullified by DeleteLink
   if all entries are deleted, won't it ?)

2) in PacketAliasSetAddress, set the aliasing address
   even when PKT_ALIAS_RESET_ON_ADDR_CHANGE is in effect.
   Just don't clean up links in this case.

Submitted by: Ari Suutari <ari@suutari.iki.fi>
         via: Charles Mott <cmott@srv.net>
PR: 5041
1998-02-27 23:07:07 +00:00
Dima Ruban
c383a33f06 NetBSD PR# 2772
Reviewed by:	David Greenman
1998-02-26 08:31:53 +00:00
David Greenman
f498eeeead Changes to support the addition of a new sysctl variable:
net.inet.tcp.delack_enabled
Which defaults to 1 and can be set to 0 to disable TCP delayed-ack
processing (i.e. all acks are immediate).
1998-02-26 05:25:39 +00:00
Julian Elischer
47f049d7d9 OOPs typo TCF, not TCP.... 1998-02-25 02:35:35 +00:00
Julian Elischer
cfaa93b26b Bring our in.h up to date with respect to allocated
IP protocol numbers. It is possible that the names may require tuning,
but the numbers represent what is in rfc1700 which is the present
active RFC.
1998-02-25 02:14:03 +00:00
Bruce Evans
d68fa50ccb Don't depend on "implicit int". 1998-02-20 13:37:40 +00:00
Guido van Rooij
4fce58048d Add new sysctl variable: net.inet.ip.accept_sourceroute
It controls if the system is to accept source routed packets.
It used to be such that, no matter if the setting of net.inet.ip.sourceroute,
source routed packets destined at us would be accepted. Now it is
controllable with eth default set to NOT accept those.
1998-02-16 19:23:58 +00:00
Andrey A. Chernov
47174b49b2 Replace non-existent ip_forwarding with ipforwarding
(compilation error)
1998-02-12 03:37:45 +00:00
Alexander Langer
ce78a1f6dd Alter ipfw's behavior with respect to fragmented packets when the packet
offset is non-zero:

  - Do not match fragmented packets if the rule specifies a port or
    TCP flags
  - Match fragmented packets if the rule does not specify a port and
    TCP flags

Since ipfw cannot examine port numbers or TCP flags for such packets,
it is now illegal to specify the 'frag' option with either ports or
tcpflags.  Both kernel and ipfw userland utility will reject rules
containing a combination of these options.

BEWARE: packets that were previously passed may now be rejected, and
vice versa.

Reviewed by:	Archie Cobbs <archie@whistle.com>
1998-02-12 00:57:06 +00:00
Guido van Rooij
a293037f7c Only forward source routed packets when ip_forwarding is set to 1.
This means that a FreeBSD will only forward source routed packets
when both net.inet.ip.forwarding and net.inet.ip.sourceroute are set
to 1.

You can hit me now ;-)
Submitted by:	Thomas Ptacek
1998-02-11 18:43:42 +00:00
Eivind Eklund
303b270b0a Staticize. 1998-02-09 06:11:36 +00:00
Eivind Eklund
0b08f5f737 Back out DIAGNOSTIC changes. 1998-02-06 12:14:30 +00:00
Alexander Langer
34c7729f52 Don't attempt to display information which we don't have: specifically,
TCP and UDP port numbers in fragmented packets when IP offset != 0.

2.2.6 candidate.

Discovered by:	Marc Slemko <marcs@znep.com>
Submitted by:	Archie Cobbs <archie@whistle.com> w/fix from me
1998-02-06 02:45:54 +00:00
Eivind Eklund
47cfdb166d Turn DIAGNOSTIC into a new-style option. 1998-02-04 22:34:03 +00:00
Eivind Eklund
0fec5b52a7 Add #include "opt_devfs.h" 1998-02-04 03:30:31 +00:00
Bruce Evans
e7a5897899 Added #include of <sys/queue.h> so that this file is more "self"-sufficent. 1998-02-03 22:19:35 +00:00
Bruce Evans
9cf2c3e77a Forward declare some structs so that this file is more self-sufficient. 1998-02-03 21:52:02 +00:00
Eivind Eklund
e0d781f3a5 Make POWERFAIL_NMI, PPS_SYNC and NATM new style options.
This also fixes a couple of defunct options; submitted by bde.
1998-01-31 05:00:21 +00:00
Eivind Eklund
e363c5ae0a Add #include "opt_devfs.h". 1998-01-31 02:58:53 +00:00
David Greenman
c3229e05a3 Improved connection establishment performance by doing local port lookups via
a hashed port list. In the new scheme, in_pcblookup() goes away and is
replaced by a new routine, in_pcblookup_local() for doing the local port
check. Note that this implementation is space inefficient in that the PCB
struct is now too large to fit into 128 bytes. I might deal with this in the
future by using the new zone allocator, but I wanted these changes to be
extensively tested in their current form first.

Also:
1) Fixed off-by-one errors in the port lookup loops in in_pcbbind().
2) Got rid of some unneeded rehashing. Adding a new routine, in_pcbinshash()
   to do the initialial hash insertion.
3) Renamed in_pcblookuphash() to in_pcblookup_hash() for easier readability.
4) Added a new routine, in_pcbremlists() to remove the PCB from the various
   hash lists.
5) Added/deleted comments where appropriate.
6) Removed unnecessary splnet() locking. In general, the PCB functions should
   be called at splnet()...there are unfortunately a few exceptions, however.
7) Reorganized a few structs for better cache line behavior.
8) Killed my TCP_ACK_HACK kludge. It may come back in a different form in
   the future, however.

These changes have been tested on wcarchive for more than a month. In tests
done here, connection establishment overhead is reduced by more than 50
times, thus getting rid of one of the major networking scalability problems.

Still to do: make tcp_fastimo/tcp_slowtimo scale well for systems with a
large number of connections. tcp_fastimo is easy; tcp_slowtimo is difficult.

WARNING: Anything that knows about inpcb and tcpcb structs will have to be
         recompiled; at the very least, this includes netstat(1).
1998-01-27 09:15:13 +00:00
Steve Price
694ad0a9b1 Fix a couple of operator precedence bugs.
PR:		5450
Submitted by:	Sakari Jalovaara <sja@tekla.fi>
1998-01-25 17:25:41 +00:00
Eivind Eklund
92252381f3 Make TCP_COMPAT_42 a new style option. 1998-01-25 04:23:33 +00:00
Bill Fenner
764d8cef56 A more complete fix for the "land" attack, removing the "quick fix" from
rev 1.66.  This fix contains both belt and suspenders.

Belt: ignore packets where src == dst and srcport == dstport in TCPS_LISTEN.
 These packets can only legitimately occur when connecting a socket to itself,
 which doesn't go through TCPS_LISTEN (it goes CLOSED->SYN_SENT->SYN_RCVD->
 ESTABLISHED).  This prevents the "standard" "land" attack, although doesn't
 prevent the multi-homed variation.

Suspenders: send a RST in response to a SYN/ACK in SYN_RECEIVED state.
 The only packets we should get in SYN_RECEIVED are
 1. A retransmitted SYN, or
 2. An ack of our SYN/ACK.
 The "land" attack depends on us accepting our own SYN/ACK as an ACK;
 in SYN_RECEIVED state; this should prevent all "land" attacks.

We also move up the sequence number check for the ACK in SYN_RECEIVED.
 This neither helps nor hurts with respect to the "land" attack, but
 puts more of the validation checking in one spot.

PR:             kern/5103
1998-01-21 02:05:59 +00:00
Bruce Evans
442a25bd7b Fixed a missing #include in the synopsis.
Fixed some wrong prototypes.
Fixed a misspelled function name.

The owner of this file should add a copyright and an Id.
1998-01-16 13:02:58 +00:00
Bruce Evans
bb6d5d9147 Added prototypes for functions that were documented in libalias.3
but not prototyped here.
1998-01-16 12:56:07 +00:00
Brian Somers
b563bd02f0 Remove __libalias_version. Ppp no longer uses it. 1998-01-14 01:24:49 +00:00
Eivind Eklund
58ba5f4a30 Remove use of <osreldate.h>.
Screwed up by: myself
1998-01-11 18:34:38 +00:00
Steve Price
1f48070a27 Put back __libalias_version so ppp(8) build again. 1998-01-10 19:37:19 +00:00
Alexander Langer
1e73fe2ae8 Sync with ipfw interface change: fw_pts is now part of a union (a
necessary evil due to the 108 byte setsockopt() limit).
1998-01-10 16:14:18 +00:00
Jordan K. Hubbard
20f16cfce3 include <net/if.h> and restore this to sanity. 1998-01-10 15:04:06 +00:00
Eivind Eklund
8ddc51bc8b Teach libalias to work with IPFW firewalls (controlled by a flag).
Obtained from: Yes development tree (+ 10 lines of patches from
	Charles Mott, original libalias author)
1998-01-09 21:13:35 +00:00
Eivind Eklund
e4f4247a08 Make the BOOTP family new-style options (in opt_bootp.h) 1998-01-09 03:21:07 +00:00
Eivind Eklund
1d5e9e2255 Make INET a proper option.
This will not make any of object files that LINT create change; there
might be differences with INET disabled, but hardly anything compiled
before without INET anyway.  Now the 'obvious' things will give a
proper error if compiled without inet - ipx_ip, ipfw, tcp_debug.  The
only thing that _should_ work (but can't be made to compile reasonably
easily) is sppp :-(

This commit move struct arpcom from <netinet/if_ether.h> to
<net/if_arp.h>.
1998-01-08 23:42:31 +00:00
Alexander Langer
1c910ddbf9 Bump up packet and byte counters to 64-bit unsigned ints. As a
consequence, ipfw's list command now adjusts its output at runtime
based on the largest packet/byte counter values.

NOTE:
  o The ipfw struct has changed requiring a recompile of both kernel
    and userland ipfw utility.

  o This probably should not be brought into 2.2.

PR:		3738
1998-01-08 03:03:54 +00:00
Alexander Langer
3415e12232 Use LIST_FIRST/LIST_NEXT macros instead of accessing the fields lh_first
and le_next.
1998-01-05 00:57:15 +00:00
Alexander Langer
52d581cd33 Added missing parens from previous commit. 1998-01-05 00:14:05 +00:00
Alexander Langer
4afea9ab84 Bound the ICMP type bitmap now that it doesn't cover all possible
ICMP type values.
1998-01-05 00:08:57 +00:00
Alexander Langer
51b5c80f31 Reduce the amount of time that network interrupts are blocked while
zeroing & deleting rules.

Return EINVAL when zeroing an nonexistent entry.
1998-01-04 22:36:12 +00:00
Alexander Langer
3b46e732a4 Bring back part of rev 1.44 which was commented out by rev 1.58.
Reviewed by:	nate
1997-12-27 18:44:56 +00:00
David Greenman
42fa505b7e The spl fixes in in_setsockaddr and in_setpeeraddr that were meant to
fix PR#3618 weren't sufficient since malloc() can block - allowing the
net interrupts in and leading to the same problem mentioned in the
PR (a panic). The order of operations has been changed so that this
is no longer a problem.
Needs to be brought into the 2.2.x branch.
PR:		3618
1997-12-25 06:57:36 +00:00
Alexander Langer
90d0144c05 Removed unnecessary setting of 'error' -- binding to a privileged port
by a non-root user always returns EACCES.
1997-12-23 01:40:40 +00:00
Bruce Evans
c5a1016bf4 Fixed gratuitous ANSIisms. 1997-12-20 00:07:11 +00:00
Bruce Evans
592071e854 Don't use ANSI string concatenation to misformat a string. 1997-12-19 23:46:21 +00:00
Bruce Evans
d342b533eb Removed a stale comment. (We don't declare ip_len and ip_offset as
short.  I guess we depend on bogus ANSI value-preserving extension
of u_short to int to avoid unsigned comparison bugs.)
1997-12-19 23:33:08 +00:00
Julian Elischer
45d6875df6 Fix an incredibly horrible bug in the ipfw code
where if you are using the "reset tcp" firewall command,
the kernel would write ethernet headers onto random kernel stack locations.

Fought to the death by: terry, julian, archie.
fix valid for 2.2 series as well.
1997-12-19 03:36:15 +00:00
David Greenman
744f87ea73 Fixed a missing splx(s) bug in tcp_usr_send(). 1997-12-18 09:50:38 +00:00
David Greenman
86b3ebce35 Call in_pcballoc() at splnet(). As near as I can tell, this won't fix
any instability problems, but it was wrong nonetheless and will be
required in an upcoming round of PCB changes.
1997-12-18 09:13:39 +00:00
Eivind Eklund
430df5f4b7 Throw options IPX, IPXIP and IPTUNNEL into opt_ipx.h.
The #ifdef IPXIP in netipx/ipx_if.h is OK (used from ipx_usrreq.c and
ifconfig.c only).

I also fixed a typo IPXTUNNEL -> IPTUNNEL (and #ifdef'ed out the code
inside, as it never could have compiled - doh.)
1997-12-15 20:31:25 +00:00
Garrett Wollman
76d3eadb53 Add Matt Dillon's quick fix hack for the self-connect DoS.
PR:		5103
1997-11-20 20:04:49 +00:00
Peter Wemm
52aef1787c Import kernel parts of ipfilter-3.2.1 1997-11-16 05:55:52 +00:00
Peter Wemm
8ecccc4f64 This commit was generated by cvs2svn to compensate for changes in r31187,
which included commits to RCS files with non-trunk default branches.
1997-11-16 05:55:52 +00:00