Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
130,438 Commits 606 Branches 0 Tags 3.1 GiB
Commit Graph

1378 Commits

Author SHA1 Message Date
yamt d676f9e5b0 fr_check_wrapper: as ipf modifies application data as well when 
doing application proxy, it's needed to ensure that the whole packet
is writable here.
 2004-09-06 10:46:02 +00:00
yamt d73bcfeb33 fr_check_wrapper, fr_check_wrapper6: 
ensure that mbufs are writable beforehand as ipf assumes.
PR/26773 and PR/26850.
 2004-09-06 10:00:43 +00:00
darrenr 9ec77d6329 Do not allow packets flagged with "out-of-window" (oow) to match "keep state" 
rules and try to prevent such rules ("keep state with oow") from being loaded
into the kernel.

Pr: kern/26581
 2004-09-06 09:55:13 +00:00
manu 85111f912e IPv4 PIM support, based on submission from Pavlin Radoslavov on tech-net@ : 
two new files I forgot to add on the first cvs commit.
 2004-09-04 23:32:29 +00:00
manu 6e3c639957 IPv4 PIM support, based on a submission from Pavlin Radoslavov posted on 
tech-net@
 2004-09-04 23:29:44 +00:00
darrenr 02c34673a3 add a per-socket counter for dropped UDP packets when the internal buffers 
are full.
 2004-09-03 18:14:09 +00:00
smb 57643d12c5 Don't try and add a state session if the packet has already been checked 
and marked as out of window - trying to do the add will result in a failure
and the packet being blocked, incorrectly.

Committed By: darrenr
Tested By: smb
 2004-09-03 04:18:09 +00:00
chs 34187f4589 fix m_pulldown() usage, it's different from m_pullup(). 
fixes PRs 26666 and 26701.
 2004-08-22 21:38:21 +00:00
itojun 682ddb0274 initialize max_keylen for ip_encap.c earlier 2004-08-17 07:05:34 +00:00
yamt 28b17ac69e in_control: fix address leaks on error, which causes a panic 
("no domain for AF 0") on if_detach.
- SIOCAIFADDR, SIOCSIFADDR: free an address on error.
- SIOCSIFNETMASK, SIOCSIFDSTADDR: reject operations for an interface which
  has no AF_INET addresses.

partly from OpenBSD and FreeBSD.
reviewed by Christos Zoulas on tech-net@.
 2004-08-08 09:52:41 +00:00
christos f3a2c3728b remove the avail = 0; assignment which is superfluous. pointed out by enami. 2004-08-04 03:55:06 +00:00
christos 5ab21dfa5d PR/26471: Arto Selonen: ipfilter 4.1.3 crashes the system every few hours 
Remove extraneous m = NULL assignment that will cause a NULL dereference
later.
 2004-08-03 16:16:30 +00:00
cube 19861ea4fe Remove a common (icmpstat). 2004-08-03 13:58:59 +00:00
yamt 48d156e320 call PFIL_NEWIF hooks at a correct place. 
(on SIOCAIFADDR rather than SIOCGIFALIAS.)

from Peter Postma, PR/26402.
ok'ed by itojun.
 2004-07-26 13:43:14 +00:00
martti 7ff15b917f Upgraded IPFilter to 4.1.3 2004-07-23 05:39:03 +00:00
martti 9e82a8bf0d Import IPFilter 4.1.3 2004-07-23 05:33:55 +00:00
yamt 4374881880 fix typos. PFIL_HOOK -> PFIL_HOOKS 2004-07-18 11:37:38 +00:00
itojun 5807e550e5 typo. Bruno Rohee 2004-07-09 09:15:02 +00:00
christos d397fc692a Bring in flags from 4.1.2 to make things compile. 2004-07-08 02:52:02 +00:00
mycroft cc559c8583 Fix SIOCSIFNETMASK -- it needs to use in_ifscrub() and in_ifinit() to update 
the interface route and various internal state.  Also, it should use an ifreq,
not an if_aliasreq.  Addresses PR 9604.  (Nothing in our source tree uses
SIOCSIFNETMASK, though.  Perhaps it should be deprecated.)
 2004-07-07 01:39:00 +00:00
minoura c3ed038115 Remove broken code for now: getsockopt(s, IPPROTO_IP, IP_IPSEC_POLICY,...). 
It returned EINVAL, now returns ENOPROTOOPT.
Ok'd by itojun.
 2004-07-06 04:30:27 +00:00
heas 192b371d42 Adjust description for net.inet.udp.checksum; it does not controll checking, 
only computing.
 2004-07-02 18:19:51 +00:00
christos 01a2047486 PR/25999: Jeff Rizzo: ipf: ipnat is corrupting "bimap" translations in 2.0_BETA and -current 2004-06-29 22:44:59 +00:00
itojun 2aef0b1784 correct TCP-MD5 support. Jeff Rizzo 2004-06-26 03:29:15 +00:00
itojun db45a6f189 icmp_reflect: check if m_pkthdr.rcvif is non-NULL before touching it. 
icmp_reflect could be called from the output path, so m_pkthdr.rcvif may not
be set.  (found by panic when PF is configured "block return all")
 2004-06-25 15:43:00 +00:00
itojun 59302fc979 be careful touching m_pkthdr.rcvif, it could be NULL if the packet was 
generated from local node and icmp_error calls icmp_reflect.
 2004-06-25 15:24:41 +00:00
itojun 047170b1cc prepare PF-related hooks. reviewed by matt, perry, christos 2004-06-22 12:50:41 +00:00
tron c465794d70 Correct two errors in fr_check(): 
1.) Make sure that "pass" is always initialized.
2.) Make sure the code doesn't use a stale mbuf pointer after fr_makefrip()
    has been called. This fixes PR kern/25868.

Analyzed and reviewed by Steve Woodford.
 2004-06-16 14:06:23 +00:00
tron fcda778c8f Don't leak mbuf if ipfr_fastroute6() fails. 
Reviewed by Steve Woodford.
 2004-06-16 14:02:39 +00:00
itojun b834441eb5 update mtu value if outgoing interface changes with ipsec ops 
(draft-touch-vpn case only?)  iij seil team
 2004-06-01 05:06:56 +00:00
itojun b4ea6633c0 fix SIOC*LIFADDR for IPv4. markus friedl 2004-05-30 06:37:07 +00:00
atatat 4de3747b89 Sysctl descriptions under net subtree (net.key not done) 2004-05-25 04:33:59 +00:00
jonathan 349ad018c7 Remove now-unused variable. 2004-05-23 00:37:27 +00:00
jonathan c8c7a6dbab With FAST_IPSEC, include <netipsec/key.h>, as Itojun's recent changes 
now require KEY_FREESAV() to be in scope.
 2004-05-20 22:59:02 +00:00
christos bd67b97d6a PR/25622: IPV6 return RST and through cloned interfaces was broken. 
- checksum was computed incorrectly.
- ipv6 packet was not initialized properly.
- fixed code to be more similar to the v4 counterpart.
 2004-05-20 13:55:31 +00:00
christos b78a596c7a PR/25646: Perry Metzger: Commit a patch that compiles awaiting feedback. 2004-05-20 13:54:19 +00:00
christos c046c90643 - remove superfluous assignment 
- rt_gateway is already a pointer to struct sockaddr; don't take its address
  when assigning it to struct sockaddr_in *
 2004-05-18 21:47:45 +00:00
christos 0d17293b81 Fix buffer overrun in in_pcbopts() (FreeBSD PR/66386) 2004-05-18 16:47:08 +00:00
itojun 4ebcfcf29a fix MD5 signature support to actually validate inbound signature, and 
drop packet if fails.
 2004-05-18 14:44:14 +00:00
christos 540c75a594 PR/25103: Martin Husemann: IP Filter 4.4.1 breaks some connections when NATing 
patch from Darren applied.
 2004-05-10 12:10:31 +00:00
christos f07e678b45 PR/24969: Arto Selonen: /usr/sbin/ipfs from ipfilter 4.1.1 does not work 
patch applied.
 2004-05-10 01:34:59 +00:00
taca 3657b758c0 Make it comiple without warning; void function fr_checkv4sum() and 
fr_checkv6sum() should not return value.
 2004-05-09 08:29:30 +00:00
christos e982110b53 PR/24981: Steven M. Bellovin: ipfilter in 2.0 branch panics the system 
patch applied.
 2004-05-09 04:17:34 +00:00
christos 865c473c96 PR/25332: HIROSE yuuji: "fastroute(to)" in ipf.conf doesn't work; patch applied 2004-05-09 04:02:32 +00:00
christos 5592d4d1fa PR/25441: Matthew Green: IP-Filter uses M_TEMP when it already has M_IPFILTER 2004-05-09 03:54:43 +00:00
chs bd3ff85ff7 work around an LP64 problem where we report an excessively large window 
due to incorrect mixing of types.
 2004-05-08 14:41:47 +00:00
kleink 542839207d Add definitions for the (currently unimplemented) ECN TCP flags; 
from Chuck Swiger in PR standards/25058.
 2004-05-07 20:11:52 +00:00
jonathan 85b3ba5bf1 Redo net.inet.* sysctl subtree for fast-ipsec from scratch. 
Attach FAST-IPSEC statistics with 64-bit counters to new sysctl MIB.
Rework netstat to show FAST_IPSEC statistics, via sysctl,  for
netstat -p ipsec.

New kernel files:
	sys/netipsec/Makefile		(new file; install *_var.h includes)
	sys/netipsec/ipsec_var.h	(new 64-bit mib counter struct)

Changed kernel files:
	sys/Makefile			(recurse into sys/netipsec/)
	sys/netinet/in.h		(fake IP_PROTO name for fast_ipsec
					sysctl subtree.)
	sys/netipsec/ipsec.h		(minimal userspace inclusion)
	sys/netipsec/ipsec_osdep.h	(minimal userspace inclusion)
	sys/netipsec/ipsec_netbsd.c	(redo sysctl subtree from scratch)
	sys/netipsec/key*.c		(fix broken net.key subtree)

	sys/netipsec/ah_var.h		(increase all counters to 64 bits)
	sys/netipsec/esp_var.h		(increase all counters to 64 bits)
	sys/netipsec/ipip_var.h		(increase all counters to 64 bits)
	sys/netipsec/ipcomp_var.h	(increase all counters to 64 bits)

	sys/netipsec/ipsec.c		(add #include netipsec/ipsec_var.h)
	sys/netipsec/ipsec_mbuf.c	(add #include netipsec/ipsec_var.h)
	sys/netipsec/ipsec_output.c	(add #include netipsec/ipsec_var.h)

	sys/netinet/raw_ip.c		(add #include netipsec/ipsec_var.h)
	sys/netinet/tcp_input.c		(add #include netipsec/ipsec_var.h)
	sys/netinet/udp_usrreq.c	(add #include netipsec/ipsec_var.h)

Changes to usr.bin/netstat to print the new fast-ipsec sysctl tree
for "netstat -s -p ipsec":

New file:
	usr.bin/netstat/fast_ipsec.c	(print fast-ipsec counters)

Changed files:
	usr.bin/netstat/Makefile	(add fast_ipsec.c)
	usr.bin/netstat/netstat.h	(declarations for fast_ipsec.c)
	usr.bin/netstat/main.c		(call KAME-vs-fast-ipsec dispatcher)
 2004-05-07 00:55:14 +00:00
skd 1b1b474faa Fix to update all references to mbuf. Fixes case where mbuf is freed twice. 2004-05-04 11:31:52 +00:00
darrenr 39ee9f396a at line 543, we do a pullup here of hlen bytes into the mbuf, 
so these later ones are superfluous.
 2004-05-02 05:02:53 +00:00