Commit Graph

322 Commits

Author SHA1 Message Date
christos 35190634ec fix incomplete initializers 2006-08-30 01:58:00 +00:00
christos f9cd3d1167 more version lossage 2006-08-26 20:37:50 +00:00
christos cb5c9c5f42 PR/34287: Gene ENonymous: ipf/ippool enabled kernel fails build.sh build due to
use of "version" variable name
2006-08-26 20:36:17 +00:00
christos c762f34e0e PR/34284: Gene ENonymous: when "ippool -F" is invoked, error is
"ioctl(SIOCLOOKUPFLUSH): Bad address"
2006-08-26 20:25:23 +00:00
martin 30b452e3dc Some interfaces are initially created with zero addresses on them
(like pppoe). Make the loop over all interface addresses cope.
Problem reported by Christian Hattemer.
2006-07-12 17:26:11 +00:00
christos 5ed3dd2fe3 don't allocate > 1K on the stack. 2006-06-13 02:08:20 +00:00
kardel de4337ab21 merge FreeBSD timecounters from branch simonb-timecounters
- struct timeval time is gone
  time.tv_sec -> time_second
- struct timeval mono_time is gone
  mono_time.tv_sec -> time_uptime
- access to time via
	{get,}{micro,nano,bin}time()
	get* versions are fast but less precise
- support NTP nanokernel implementation (NTP API 4)
- further reading:
  Timecounter Paper: http://phk.freebsd.dk/pubs/timecounter.pdf
  NTP Nanokernel: http://www.eecis.udel.edu/~mills/ntp/html/kern.html
2006-06-07 22:33:33 +00:00
peter a3fa0e8e3f Initialize h4 and h6 to NULL.
Fixes a panic reported by Mipam on -current-users.
2006-05-23 22:24:32 +00:00
christos a75306c3a4 Fix strict aliasing issues and while I am here fix a memory leak on error 2006-05-21 04:30:03 +00:00
elad fc9422c9d9 integrate kauth. 2006-05-14 21:31:52 +00:00
christos ca0ec852e6 XXX: GCC uninitialized 2006-05-14 03:40:02 +00:00
martti 0f3d8a43c2 Make sure IPF can correctly pullup short headers. Patch received from
darrenr@. This fixes kern/33423.
2006-05-11 07:37:09 +00:00
mrg 84ab62db88 quell GCC 4.1 uninitialised variable warnings.
XXX: we should audit the tree for which old ones are no longer needed
after getting the older compilers out of the tree..
2006-05-11 01:08:38 +00:00
mrg 1e7e4f5c0c caddr_t -> u_char *, to match the variable type 2006-05-11 01:08:19 +00:00
mrg 5755809507 - include <sys/selinfo.h> on BSD, for ipfselwait[].
- mask off the bits that don't fit in IP_HL_A().
2006-05-11 01:07:01 +00:00
mrg 084c052803 quell GCC 4.1 uninitialised variable warnings.
XXX: we should audit the tree for which old ones are no longer needed
after getting the older compilers out of the tree..
2006-05-10 21:53:14 +00:00
darrenr 0df9b5fe68 ipf -Z returns junk and/or can cause a panic (seen on solaris.) 2006-04-18 12:40:49 +00:00
darrenr b817a6b4f0 This change corrects what 1.6 tried to do. This feels like a coverity fix
for a code path that should never actually happen (fr_newauth() should only
be called for auth rules - i.e. when fin_fr != NULL.  If it is possible to
call fr_newauth() with fin_fr == NULL then this change introduces a
regression compared to prior importing of 4.1.13.
2006-04-15 13:58:43 +00:00
garbled 2355e5cd00 Fix a typo. fin->fin->fr should be fin->fin_fr 2006-04-14 04:32:26 +00:00
christos 0a1c2ab0b8 Coverity CID 2855: If fin->fin_fr is NULL, return 0, don't crash. 2006-04-13 18:59:58 +00:00
kochi 62f4a841c7 Fix return without free (resource leakage).
Detected by Coverity (CID 2309).
2006-04-13 08:43:17 +00:00
kochi 656c03f555 This is better fix than the previous commit for
saner cleanup path.
2006-04-13 07:31:29 +00:00
kochi 691e781111 Fix usage after free of NextWalkState.
Closes Coverity CID 2672 and this is reported to intel people.
2006-04-13 07:21:20 +00:00
cube 7db196715b Protect config(1)-generated include files inclusion with
#ifdef _KERNEL_OPT.  ACPI-CA might be used by standalone code in the
future.  Suggested by cherry@.
2006-04-07 13:49:20 +00:00
martti 7967220333 Removed BROKEN_TCP_WINDOW_CHECK hack. 2006-04-04 16:19:05 +00:00
martti 9ea58d54bc Upgraded IPFilter to 4.1.13 2006-04-04 16:17:18 +00:00
kochi ec7315b11c Moved from sys/dev/acpi/acpica/Subsystem.
suggested by cube.
2006-03-23 13:36:31 +00:00
christos 5a57baa413 don't use MALLOC with a non-constant size; use malloc instead. 2006-03-17 23:29:07 +00:00
lukem a1f606d3fd Use the SI capitalization for "Hz", "kHz", and "MHz" in comments and strings.
Add a space between numbers and Hz unit.
2006-03-08 23:46:22 +00:00
peter 8f83cde4e3 Fix TCP/UDP checksum handling as pointed out by Daniel Hartmeier in:
http://mail-index.netbsd.org/tech-net/2006/01/21/0000.html.

Problem reported and patch tested by der Mouse & Nino Dehne (PR/32874).
2006-02-19 12:15:33 +00:00
rpaulo 99513cfd59 In pf_socket_lookup() fix copy & paste problem when in6_pcblookup_bind()
returns NULL.
2006-02-07 22:53:03 +00:00
peter 10f6d07582 apply a fix from OpenBSD:
> revision 1.104
> date: 2006/01/18 22:03:21;  author: dhartmei;  state: Exp;  lines: +2 -2
> fix a bug in the fragment cache (used for 'scrub fragment crop/drop-ovl',
> but not 'fragment reassemble'), which can cause some fragments to get
> inserted into the cache twice, thereby violating an invariant, and panic-
> ing the system subsequently. ok deraadt@
2006-01-25 10:45:20 +00:00
peter 5d1968b1c0 Include netinet/in.h, for compatibility with OpenBSD (we #ifdef'ed out a
header which includes netinet/in.h on OpenBSD).

Pointed out by Thomas E. Spanjaard.
No objection from yamt@.
2006-01-17 12:24:53 +00:00
christos 97dec287fc make the kernel link without options INET.
XXX: this is of dubious use.
2005-12-28 09:29:48 +00:00
christos 08e11b2039 make this compile with no INET options. 2005-12-28 09:05:54 +00:00
christos 95e1ffb156 merge ktrace-lwp. 2005-12-11 12:16:03 +00:00
christos a751ffb4fe Adjust for icmp_error signature. 2005-10-23 19:40:20 +00:00
yamt 3a2482b78f fr_check_wrapper6: handle M_CSUM_TCPv6|M_CSUM_UDPv6. 2005-08-11 13:01:38 +00:00
yamt bbfb2033ff pfil6_wrapper: handle M_CSUM_TCPv6|M_CSUM_UDPv6. 2005-08-11 13:01:24 +00:00
yamt d6d72a6dc9 wrap INET only code by #if defined(INET). (in __NetBSD__ part) 2005-08-06 11:22:39 +00:00
peter 84fa01a154 pf_test() can set *mp to NULL, check for this before de-referencing it.
From Akihiro Sagawa in PR/30835.
2005-07-26 13:09:23 +00:00
christos b132d4d5fd Fix typo 2005-07-10 09:22:56 +00:00
christos 4a35068121 Small correction to skd's patch from darren. 2005-07-10 05:49:38 +00:00
christos 20dd96aff1 Don't drop fragments that are smalled than the ip header size. From skd 2005-07-09 14:51:11 +00:00
peter 9710741485 Resolve conflicts (pf from OpenBSD 3.7, kernel part). 2005-07-01 12:37:34 +00:00
lukem fd8956d5fa Use an "XXXGCC -Wuninitalized" style that is consistent with that used
elsewhere in the tree.
2005-06-15 01:48:20 +00:00
jmc 6724401235 Cleanup XXGCC in a few places to make it easier to see. 2005-06-14 21:20:30 +00:00
jmc c3073778d2 Fix unitialized warnings that only crop up on m68k. XXGCC taggedd 2005-06-13 20:33:53 +00:00
darrenr 4e1ba8b46a bin/29508 - fix "ipf -T" - kernel wasn't setting ipft_cookie and userland
was expecting it to be set, thus ignored it.
bin/29509 - because ipft_cookie wasn't reset to 0 before making the ioctl
call for each variable, only the first name to find was used, each successive
call just used the cookie.
CVn: ----------------------------------------------------------------------
2005-06-11 12:31:40 +00:00
darrenr e5f523e30c Using USE_SPL should be done after the last place it is defined. 2005-06-11 12:12:59 +00:00
darrenr 486aaa2c70 kern/30082 - fr_check() is missing SPL_NET() macros for non-mutex using
platforms, allowing it to be preempted and restarted in an inconsistent
state.
2005-06-11 11:25:28 +00:00
yamt 656adb750b pf_reassemble: clear stale csum_flags. 2005-06-08 11:50:46 +00:00
christos f9aeac0ab7 - sprinkle const
- avoid variable shadowing.
2005-05-29 21:57:49 +00:00
christos 966656bbac more fallout from so_uid -> so_uidinfo. 2005-05-07 19:59:56 +00:00
martti 58b8abcbf8 Upgraded IPFilter to 4.1.8 2005-04-03 15:05:30 +00:00
martti c775aec128 Import IPFilter 4.1.8 2005-04-03 15:01:04 +00:00
christos 3136f75efa defopt IPFILTER_DEFAULT_BLOCK 2005-03-26 18:08:42 +00:00
peter 851064ccf9 Fix a GCC warning when compiling on evbppc.
From FUKAUMI Naoki in PR #29669.
2005-03-15 18:08:59 +00:00
hannken 4e0e09fd14 frpr_udpcommon() failed to handle fragmented packets. Packets with less than
8 bytes of data were dropped.

- If the packet is a fragment, return. There is no UDP header in this case.
- Don't set the FI_SHORT flag. Already tested in `frpr_short()'.
- Remove unneeded test `!fin->fin_off'.

Approved by: Christos Zoulas <christos@netbsd.org>
2005-03-07 13:59:30 +00:00
christos 2a8316cc91 Add a change lost in the transition from 4.1.3->4.1.6. Don't block packets
for which we cannot add state. Explanation in the code. Fixes PR/29560.
2005-03-01 13:41:43 +00:00
itojun 57eaa97695 with IPv6 intermediate host will not perform PMTUD. ip6_getpmtu() is for
end node cases, so do not use it.
2005-02-28 09:26:36 +00:00
martin 65c3e91025 When we call m_makewritable() the mbuf might be copied - so don't use
stale mtod()'d pointers from before.
2005-02-21 22:01:52 +00:00
martti 460bbcc960 Upgraded IPFilter to 4.1.6 2005-02-19 21:30:24 +00:00
martti 76b5d9e30f Import IPFilter 4.1.6 2005-02-19 21:26:02 +00:00
christos a05a0bbcb8 Deal with possibly uninitialized variable, and tidy up a bit. 2005-02-17 04:14:31 +00:00
christos 9606238d80 There were more broken things aside from the __'s missing. 2005-02-17 03:12:36 +00:00
christos 0a15d30196 Don't forget the trailing __'s in NetBSD Version. Should fix PR/29407. 2005-02-17 02:26:51 +00:00
peter 41ea7e91a7 Merge in a fix from OPENBSD_3_6.
ok yamt@

> MFC:
> Fix by dhartmei@
>
> replace finer-grained spl locking in pfioctl() with a single broad lock
> around the entire body. this resolves the (misleading) panics in
> pf_tag_packet() during heavy ioctl operations (like when using authpf)
> that occur because softclock can interrupt ioctl on i386 since SMP.
> patch from camield@.
2005-02-14 21:28:33 +00:00
peter 1b4e743b06 Merge in a fix from OPENBSD_3_6.
ok yamt@

> MFC:
> Fix by dhartmei@
>
> ICMP state entries use the ICMP ID as port for the unique state key. When
> checking for a usable key, construct the key in the same way. Otherwise,
> a colliding key might be missed or a state insertion might be refused even
> though it could be inserted. The second case triggers the endless loop
> fixed by 1.474, possibly allowing a NATed LAN client to lock up the kernel.
> Report and test data by Srebrenko Sehic.
2005-02-14 21:27:26 +00:00
christos 1b198d8f16 size_t should be cast'ed to unsigned long. 2005-02-09 23:42:30 +00:00
he f29d7ec0d8 One can't portably print a size_t with an %u format directive.
Since this might be in the kernel, cast to unsigned int before printing.
Fixes build problem for amd64 (and presumably also our other LP64 ports).
2005-02-09 08:21:27 +00:00
he c05368e398 Make the declaration of oip in fr_send_ip() conditional on INET,
since it's use is also conditional on that preprocessor macro.
2005-02-09 08:19:24 +00:00
martti a023cb1d19 Upgraded IPFilter to 4.1.5 2005-02-08 07:01:52 +00:00
martti 4d6a62d250 Import IPFilter 4.1.5 2005-02-08 06:52:59 +00:00
christos 78ec5c8f06 Disable the oow test because it is broken. It is killing valid packets. 2005-01-16 02:56:22 +00:00
lukem 4ae6a6d6f4 Support -DNOINET6 to disable USE_INET6 (a la the FreeBSD section earlier) 2005-01-10 02:10:47 +00:00
yamt de965c0ed7 pfil4_wrapper: clear M_CANFASTFWD which is not compatible with pf. 2005-01-01 09:13:14 +00:00
martti 756f26107c Import IPFilter 4.1.3 2004-12-31 11:30:42 +00:00
peter dd544baa78 Apply a patch from OPENBSD_3_6 branch (ok yamt).
MFC:
Fix by dhartmei@

IPv6 packets can contain headers (like options) before the TCP/UDP/ICMP6
header. pf finds the first TCP/UDP/ICMP6 header to filter by traversing
the header chain. In the case where headers are skipped, the protocol
checksum verification used the wrong length (included the skipped headers),
leading to incorrectly mismatching checksums. Such IPv6 packets with
headers were silently dropped. Reported by Bernhard Schmidt.

ok deraadt@ dhartmei@ mcbride@
2004-12-21 12:06:37 +00:00
peter e71187380f Apply a patch from OPENBSD_3_6 branch (ok yamt).
MFC:
Fix by mcbride@

Initialise init_addr in pf_map_addr() in the PF_POOL_ROUNDROBIN,
prevents a possible endless loop in pf_get_sport() with 'static-port'

Reported by adm at celeritystorm dot com in FreeBSD PR74930, debugging
by dhartmei@

ok mcbride@ dhartmei@ deraadt@ henning@
2004-12-21 12:05:34 +00:00
yamt 21a48a296e pf_check_proto_cksum: use {tcp,udp}_input_checksum so that we can:
- handle loopback checksum omission properly.
- profit from h/w checksum offloading.
2004-12-21 05:55:23 +00:00
darrenr f314fbb0f1 Expand out an unused byte to give each NAT rule a protocol version field,
allowing rules to be set to match only ipv4/ipv6. And so ipnat must be updated
to actually set this field correctly but to keep things working for old
versions of ipnat (that will set this to 0), make the ioctl handler "update"
the 0 to a 4 to keep things working when people just upgrade kernels.  This
forces NAT rule matching to be limited to ipv4 only, here forward, fixing
kern/28662
2004-12-16 17:01:02 +00:00
darrenr d7859a0415 add an extra sanity check for stepping through TCP header options 2004-12-16 16:37:52 +00:00
christos 64573a67d7 Sprinkle #ifdef INET to make a GENERIC kernel compile with INET undefined. 2004-12-06 02:59:23 +00:00
peter e6a70f95cf Apply a patch from OpenBSD 3.6 branch (ok yamt@).
MFC:
Fix by dhartmei@

fix a bug that leads to a crash when binat rules of the form
'binat from ... to ... -> (if)' are used, where the interface
is dynamic. reported by kos(at)bastard(dot)net, analyzed by
Pyun YongHyeon.
2004-12-05 13:32:17 +00:00
peter fd3bd491c0 Improve the cleanup routines for detachment. Fixes PR 28132.
Reviewed by yamt.
2004-12-04 14:26:01 +00:00
peter 3cfd10be8b Don't put the hook definitions into #ifdef _KERNEL.
(needed to compile pf programs because of the previous change)
2004-12-04 14:21:23 +00:00
yamt 0a7a28fcc4 plug pfik_ifaddrhooks leaks by embedding it to pfi_kif. 2004-12-04 10:35:54 +00:00
martin 897d73f414 Patch from PR kern/26839, OK'd as a stopgap fix by Darren. 2004-12-01 08:25:54 +00:00
christos 35a75baff6 PR/28418: Do not drop packets for which we cannot add state, because adding
state is not applicable. The fix just reverts the new code that blocked
packets where fr_addstate() fails. This is not correct in all cases, but
blocking them is a bit drastic and breaks existing functionality. The proper
fix is to change fr_addstate() to return:

- state added
- adding state failed
- adding state is not applicable

and then filter packets only in the second case. I am leaving this for someone
else.
2004-11-25 09:49:12 +00:00
peter c7f5faeaa9 Apply a patch from the OPENBSD_3_6 branch, ok itojun.
MFC:
Fix by dhartmei@

The flag to re-filter pf-generated packets was set wrong by synproxy
for ACKs. It should filter the ACK replayed to the server, instead of
of the one to the client.
2004-11-21 17:59:24 +00:00
peter a3452e6de2 Apply a patch from the OPENBSD_3_6 branch, ok itojun.
MFC:
Fix by dhartmei@

For RST generated due to state mismatch during handshake, don't set
th_flags TH_ACK and leave th_ack 0, just like the RST generated by
the stack in this case. Fixes the Raptor workaround.
2004-11-21 17:57:52 +00:00
yamt da18614102 resolve conflicts. (pf from OpenBSD 3.6, kernel part) 2004-11-14 11:12:16 +00:00
yamt 3d5ba5bca1 backout whitespace changes to make further import easier. 2004-11-13 21:13:07 +00:00
he 4a9ab9770a Apply patch from Darren for the ctype() functions/macros.
Encapsulates the ctype() functions so that the casts are centralized.
2004-11-13 19:14:48 +00:00
he 76d82c7f1f Revert previous, paving the way for Darren's cleaner patch. 2004-11-13 18:43:49 +00:00
he dd5a52f76d More instances of cast to unsigned char for arguments to ctype functions.
Will also be sent to maintainer for possible inclusion in master source.
2004-11-13 15:19:58 +00:00
darrenr 90032de19d build a new fr_info_t structure in fr_send_ip() and pass it through to
the fastroute function so that it uses accurate packet information about
the packet being sent out rather than the packet received (impacts both
return-rst and return-icmp features.)

PR: kern/27093
2004-10-31 04:52:50 +00:00
darrenr 8fe036145c * Prevent hang when attempting to flush state entries for ipv4 when ipv6
are present or vice versa
* Fix matching of IPv6 state entries when the initial packet is a
  sent to a multicast address.  This includes not updating the address as
  being fixed when a second (or further) such packet is seen before a reply.
* Disable code, for now, that limited how many ICMP packets could match a
  state entry based on the number of real packets seen.
2004-10-07 03:57:02 +00:00
darrenr 328bd73105 The change in 1.3 is incorrect - it checks for FI_OOW regardless of what
type of data is stored in the rule (only a valid check for FR_T_IPF rules.)
2004-10-06 15:06:29 +00:00
yamt 2c46ccce37 move netinet/ip_lookup.h -> dist/ipf/netinet/ip_lookup.h. 2004-10-05 04:56:41 +00:00
jdolecek 20d2b45d7d fix bug introduced in rev 1.70 - in the "keep state" & "oow" flag check,
ensure a pointer to a state structure is non-NULL before dereferencing

Fixes PR kern/26927 by me and PR kern/26947 by Brett Lymn
2004-10-03 12:21:13 +00:00
jdolecek a9bc4a2fda frrequest(): move some variable initializations for clarity
no functional change
2004-10-03 12:16:32 +00:00
jdolecek 46134b3da6 move ip_htable.h from sys/netinet/ to sys/dist/ipf/netinet/, it's ipfilter file 2004-10-02 07:59:14 +00:00
christos d0905be2d3 moved from sys/netinet. 2004-10-02 07:51:53 +00:00
christos f33294b6a4 Moved from sys/netinet as part of the ipfilter separation. 2004-10-01 15:25:59 +00:00
dyoung 34a3fbf64e "RB_PROTOTYPE();" does not lint because you end up with two
consecutive semicolons, so let's use RB_PROTOTYPE() alone.
2004-09-28 00:14:02 +00:00
yamt d37ce14181 pflog_packet: use bpf_mtap2().
(our bpf_mtap() is more "strict" about mbufs
than openbsd's one is.  eg. M_PKTHDR should be set properly.)
2004-09-10 08:48:32 +00:00
yamt c3b066f850 pull following fixes from openbsd. ok'ed by itojun.
> ----------------------------
> revision 1.58
> date: 2004/06/23 04:34:17;  author: mcbride;  state: Exp;  lines: +5 -3
> pfr_commit_ktable calls functions that can result in the current
> ktable being destroyed, which makes it unsafe in a SLIST_FOREACH.
>
> Fix from Chris Pascoe
> ----------------------------
> revision 1.56
> date: 2004/06/11 05:21:20;  author: mcbride;  state: Exp;  lines: +5 -3
> Eliminate a dereference after pool_put when an inactive/no-longer referenced
> table is destroyed in pfr_setflags_ktable.
>
> Fix from Chris Pascoe
> ----------------------------
2004-09-09 14:56:00 +00:00
yamt 31715f4eb9 remove no longer needed caddr_t casts to reduce diffs from openbsd. 2004-09-08 12:11:25 +00:00
yamt 421ffa4969 pfil4_wrapper, pfil6_wrapper:
ensure that mbufs are writable beforehand as pf assumes it.
PR/26433.
2004-09-06 10:01:39 +00:00
yamt 0370fc7128 - rename PFIL_NEWIF to PFIL_IFNET, and handle interface detach events
as well.
- use it for pf(4).

mostly from Peter Postma.  PR/26403.
2004-07-27 12:22:59 +00:00
yamt 46abcaebe4 fix dynaddr tracking.
from Peter Postma, PR/26369.
ok'ed by itojun.
2004-07-26 13:46:43 +00:00
yamt 4f755d07b4 ANSIfy. (inside #ifdef __NetBSD__)
from Peter Postma.
ok'ed by itojun.
2004-07-26 13:45:40 +00:00
yamt 48d156e320 call PFIL_NEWIF hooks at a correct place.
(on SIOCAIFADDR rather than SIOCGIFALIAS.)

from Peter Postma, PR/26402.
ok'ed by itojun.
2004-07-26 13:43:14 +00:00
itojun 0407dd42ae make PF lkm working. from Peter Postma and Joel Wilsson.
remove pf_ioctl_head/pf_newif_head, which was never used.
2004-06-29 04:42:54 +00:00
itojun ce0e658ff3 PR kern/26011: pf leaks mbufs on disallowed packets. Peter Postma 2004-06-25 13:17:01 +00:00
martin 149fa38cf4 Make it compile on non-IPv6 kernels. 2004-06-22 18:59:14 +00:00
martin be9dcae132 Fix formatting for 64 bit archs. This fixes PR port-sparc64/26010.
While there, make it compile for non-INET6 aware kernels.
2004-06-22 18:37:49 +00:00
christos 6ecf0e2cbe add a pfdetach() method to be used by lkm's 2004-06-22 18:04:32 +00:00
itojun bfcdaa5766 PF from openbsd 3.5. missing features:
- pfsync (due to protocol # assignment issues)
- carp (not really a PF portion, but thought important to mention)
- PF and ALTQ are mutually-exclusive.  this will be sorted out when
  kjc@csl.sony.co.jp updates ALTQ and PF (and API inbetween)

reviewed by matt, christos, perry

torture-test is very welcomed.
2004-06-22 14:17:07 +00:00
itojun 6adffbf983 PF from OpenBSD 3.5 2004-06-22 13:52:05 +00:00