Commit Graph

879 Commits

Author SHA1 Message Date
itojun e44d476e4e typo in comment 2001-05-27 23:46:51 +00:00
matt 524a19371f Make t_flags a u_int instead of u_short. It's followed by a mbuf pointer
so there's padding around it already.  And it increases the amount of bits
available for TF_* flags.
2001-05-26 22:02:57 +00:00
matt 24f26c957e Add TCP_MD5SIGNATURE option. 2001-05-26 21:40:55 +00:00
ragge 7952ffd61f defined(vax) -> defined(__vax__). This may fix PR#12919. 2001-05-26 21:29:45 +00:00
ragge 474bc8ee6d Remove one #ifdef vax, bugfix another. Should probably be #ifdef i386 also. 2001-05-26 21:27:09 +00:00
itojun a7596d1912 call icmp6_mtudisc_update(foo, 0) even if ICMPv6 messages are very short.
let icmp6 layer decide whether we take PMTUD routes or not.
2001-05-24 07:22:27 +00:00
lukem 07d4fbd104 fix spelo in comment 2001-05-21 03:31:36 +00:00
martin 449c740399 Remove tests for IPN_FRAG bits.
There is no place in the source where this bit could ever be set (or I'm
to blind to find it).

This fixes PR 12671.

If someone thinks this is the wrong solution, please make sure to (a) reopen
the PR and (b) explain to me how the tested bits would ever get set. I'll
be glad to then look further for the real cause (i.e. the flags not getting
set in the case described in the PR).
2001-05-20 13:03:39 +00:00
thorpej 937cea769e Brain'o in last. Pointed out by Steve Woodford <scw@netbsd.org>. 2001-05-19 14:20:40 +00:00
thorpej 905e7935a9 Don't compute psuedo header checksum if nxt == 0. 2001-05-19 00:13:53 +00:00
matt 0c779d0a01 Use the LIST_NEXT & LIST_FIRST macros instead of refering to
le_next & lh_first.
2001-05-14 19:50:43 +00:00
itojun 498fdebcd7 drop multi destination mode (IFF_LINK0). 2001-05-14 13:35:20 +00:00
christos 00adbfd8d6 - Handle realloc failure without leaking memory
(reported by: grendel@heorot.stanford.edu (Ted U)
- Don't cast malloc/realloc/calloc return values because they hide LP64 bugs.
- Don't destroy the whole array when realloc fails
- Use calloc in all cases (malloc was used inconsistently).
- Avoid duplicating code.

Reviewed by: ross
2001-05-12 19:21:57 +00:00
itojun 63181d71c1 correct ecn consideration on tunnel encap/decap. sync with kame. 2001-05-10 01:37:42 +00:00
itojun 1bec764d78 correct faith prefix determination. use sys/netinet/if_faith.c:faithprefix()
to determine.  sync with kame.
(without this change, non-faith socket may mistakenly accept for-faith traffic)
2001-05-08 10:15:13 +00:00
itojun 02077e028f pull encapsulated packet for vif* via ip_encap framework. 2001-05-08 10:07:15 +00:00
fvdl b7025ec37b Make it possible to override TCP_NDEBUG. The default value of 100
wastes quite a bit of space (0xfa00).
2001-04-29 15:18:01 +00:00
itojun 8799a9c64b give a default value to net.inet.ip.maxfragpackets, to protect us from
"lots of fragmented packets" DoS attack.

the current default value is derived from ipv6 counterpart, which is
a magical value "200".  it should be enough for normal systems, not sure
if it is enough when you take hundreds of thousands of tcp connections on
your system.  if you have proposal for a better value with concrete reasons,
let me know.
2001-04-16 17:03:33 +00:00
thorpej bf2dcec4f5 Remove the use of splimp() from the NetBSD kernel. splnet()
and only splnet() is allowed for the protection of data structures
used by network devices.
2001-04-13 23:29:55 +00:00
thorpej b978c269f5 Delete SPL_IMP(). It is not used in IP Filter, and it aids me
on my quest to eliminate the foul beast known as splimp.
2001-04-12 19:41:53 +00:00
darrenr 0b6031033d fix fragment cache security hole 2001-04-06 15:32:40 +00:00
itojun 6e45c58f53 check ip_mtudisc only for TCP over IPv4.
PMTUD is mandatory for TCP over IPv6 (if packets > 1280).
2001-04-03 06:14:31 +00:00
itojun 4b72eeeee5 net.inet.ip.maxfragpackets defines the maximum size of ip reass queue
(prevents fragment flood from chewing up mbuf memory space).
derived from KAME net.inet6.ip6.maxfragpackets.
2001-03-27 02:24:38 +00:00
mike fb2dc295a6 Resolve conflicts. 2001-03-26 06:11:46 +00:00
thorpej 20fe4e2d96 Add a protosw flag, PR_ABRTACPTDIS (Abort on Accept of Disconnected
Socket), and add it to the protocols that use that behavior (all
PR_LISTEN protocols except for PF_LOCAL stream sockets).
2001-03-21 19:22:27 +00:00
chs 5947ce8284 make this compile without rnd. 2001-03-21 03:35:11 +00:00
thorpej 7a3c8f81a5 Two changes, designed to make us even more resilient against TCP
ISS attacks (which we already fend off quite well).

1. First-cut implementation of RFC1948, Steve Bellovin's cryptographic
   hash method of generating TCP ISS values.  Note, this code is experimental
   and disabled by default (experimental enough that I don't export the
   variable via sysctl yet, either).  There are a couple of issues I'd
   like to discuss with Steve, so this code should only be used by people
   who really know what they're doing.

2. Per a recent thread on Bugtraq, it's possible to determine a system's
   uptime by snooping the RFC1323 TCP timestamp options sent by a host; in
   4.4BSD, timestamps are created by incrementing the tcp_now variable
   at 2 Hz; there's even a company out there that uses this to determine
   web server uptime.  According to Newsham's paper "The Problem With
   Random Increments", while NetBSD's TCP ISS generation method is much
   better than the "random increment" method used by FreeBSD and OpenBSD,
   it is still theoretically possible to mount an attack against NetBSD's
   method if the attacker knows how many times the tcp_iss_seq variable
   has been incremented.  By not leaking uptime information, we can make
   that much harder to determine.  So, we avoid the leak by giving each
   TCP connection a timebase of 0.
2001-03-20 20:07:51 +00:00
itojun 5a30bafe14 Remove a bogus rtfree(); OpenBSD PR 1706. 2001-03-08 00:17:05 +00:00
itojun 7806b5d1f3 increase ipstat.ips_badaddr if the packet fails to pass address checks. 2001-03-02 04:26:10 +00:00
itojun 89b4c3edc6 reject packets with 127/8 on IPv4 src/dst, they must not appear on wire
(RFC1122).  torture-tests will be welcomed.
XXX do we want to check source routing headers as well?
2001-03-02 02:05:36 +00:00
itojun 2d6047cff9 make sure to enforce inbound ipsec policy checking, for any protocols on top
of ip (check it when final header is visited).  sync with kame.
XXX kame team will need to re-check policy engine code
2001-03-01 16:31:37 +00:00
itojun 5e57143c4a remove obsolete #if 0'ed section
(IPsec and DF bit interaction - the code was incorrect anyways)
2001-02-27 10:32:03 +00:00
itojun 233e3963ed make sure to validate packet against ipsec policy. 2001-02-26 07:20:44 +00:00
itojun c9928e0ab1 need PR_ADDR|PR_ATOMIC for IPPROTO_EON. fix typo. from chopps, sync with kame 2001-02-21 00:11:53 +00:00
itojun da8a3f0179 add AF_ISO case to output. from chopps. 2001-02-20 10:41:47 +00:00
itojun 176db3e930 ISO over IPv4/v6 by EON encapsulation. from chopps, sync with kame. 2001-02-20 08:49:15 +00:00
itojun bc5a6e2482 pull latest kame pcbnotify code. synchronizes ICMPv6 path mtu discovery
behavior with other protocols (i.e. validation, use of hiwat/lowat).
2001-02-11 06:49:49 +00:00
itojun 52e23efa5f make sure we call tcp_output() only if we have template. 2001-02-11 06:39:35 +00:00
itojun 22b473e0f6 during ip6/icmp6 inbound packet processing, do not call log() nor printf() in
normal operation (/var can get filled up by flodding bogus packets).
sysctl net.inet6.icmp6.nd6_debug will turn on diagnostic messages.
(#define ND6_DEBUG will turn it on by default)

improve stats in ND6 code.

lots of synchronziation with kame (including comments and cometic ones).
2001-02-07 08:59:47 +00:00
chs c92d60cfce expose the definitions of MIN() and MAX() in sys/param.h to the kernel
and use those in favor of a dozen copies scattered around the source tree.
2001-02-05 11:16:31 +00:00
chs 09cb38f22b expose the definitions of MIN() and MAX() in sys/param.h to the kernel
and use those in favor of a dozen copies scattered around the source tree.
2001-02-05 10:42:40 +00:00
is 29d5f56206 Make diagnostic actually useful - needed to debug other ARP PRs.
Suggested by Geoff C. Wing in PR 10815.
2001-01-26 11:40:32 +00:00
itojun 617b3fab7e - record IPsec packet history into m_aux structure.
- let ipfilter look at wire-format packet only (not the decapsulated ones),
  so that VPN setting can work with NAT/ipfilter settings.
sync with kame.

TODO: use header history for stricter inbound validation
2001-01-24 09:04:15 +00:00
itojun 696bcad865 put attribute(packed) for ip6 option headers. they will appear at
strange alignment positions.  sync with kame
2001-01-23 07:21:07 +00:00
itojun 5a4703fbfe revert revision 1.15 (on ingress, DF bit copied from inner to outer).
since we do not have feedback mechanism from path MTU to tunnel MTU
(not sure if we should), and inner packet source will not get informed of
outer PMTUD (we shouldn't do this), 1.15 behavior can lead us to
blackhole behavior.

configurable behavior (as suggested in RFC2401 6.1) would be nice to have,
however, reusing net.inet.ipsec.dfbit would be hairy.
2001-01-22 07:57:34 +00:00
itojun a836499e32 make it possible to turn off ingress filter on gif/stf tunnel egress,
by using IFF_LINK2.  (part of) PR 11163 from Ken Raeburn.
2001-01-22 07:51:01 +00:00
itojun 93deb6a97f fix RR result bit in little endian systems. sync with kame 2001-01-22 02:28:02 +00:00
itojun 69622e75ab sync with latest kame.
- make icmp6.h spec conformant to 2292bis-02, regarding to router reumbering
  flag bit.
- latest rtadvd.
2001-01-21 15:39:32 +00:00
kleink 4c96c6b51f Add IPPROTO_VRRP. 2001-01-19 09:01:48 +00:00
jdolecek 34c8ae80da constify 2001-01-18 20:28:15 +00:00