Commit Graph

94 Commits

Author SHA1 Message Date
itojun
90fe937b44 disable ipflow (IPv4 fast fowarding) when IPsec is configured into the kernel. 1999-10-26 09:53:17 +00:00
sommerfeld
c2accd9f9c In ip_forward():
Avoid forwarding ip unicast packets which were contained inside
link-level multicast packets; having M_MCAST still set in the packet
header flags will mean that the packet will get multicast to a bogus
group instead of unicast to the next hop.

Malformed packets like this have occasionally been spotted "in the
wild" on a mediaone cable modem segment which also had multiple netbsd
machines running as router/NAT boxes.

Without this, any subnet with multiple netbsd routers receiving all
multicasts will generate a packet storm on receipt of such a
multicast.  Note that we already do the same check here for link-level
broadcasts; ip6_forward already does this as well.

Note that multicast forwarding does not go through ip_forward().

Adding some code to if_ethersubr to sanity check link-level
vs. ip-level multicast addresses might also be worthwhile.
1999-10-17 16:00:00 +00:00
itojun
42c5caafe7 do not include unnecessary include files. 1999-07-23 15:21:17 +00:00
thorpej
f9a7668b3f defopt IPSEC and IPSEC_ESP (both into opt_ipsec.h). 1999-07-09 22:57:15 +00:00
itojun
dcc13cdd33 sync with KAME/NetBSD 1.4, SNAP kit 19990705.
key changes are:
- icmp6 redirect fix (dst check)
- revised ip6 multicast check for loopback i/f
- several RCS ID cleanups
1999-07-06 12:23:19 +00:00
itojun
118d2b1d4f IPv6 kernel code, based on KAME/NetBSD 1.4, SNAP kit 19990628.
(Sorry for a big commit, I can't separate this into several pieces...)
Pls check sys/netinet6/TODO and sys/netinet6/IMPLEMENTATION for details.

- sys/kern: do not assume single mbuf, accept chained mbuf on passing
  data from userland to kernel (or other way round).
- "midway" ATM card: ATM PVC pseudo device support, like those done in ALTQ
  package (ftp://ftp.csl.sony.co.jp/pub/kjc/).
- sys/netinet/tcp*: IPv4/v6 dual stack tcp support.
- sys/netinet/{ip6,icmp6}.h, sys/net/pfkeyv2.h: IETF document assumes those
  file to be there so we patch it up.
- sys/netinet: IPsec additions are here and there.
- sys/netinet6/*: most of IPv6 code sits here.
- sys/netkey: IPsec key management code
- dev/pci/pcidevs: regen

In my understanding no code here is subject to export control so it
should be safe.
1999-07-01 08:12:45 +00:00
sommerfeld
b7c70d2b2f If the new global variable hostzerobroadcast is zero, no longer assume
address zero of each net/subnet is a broadcast address.
(The default value is nonzero, which preserves the current behavior).

This can be set using sysctl; the boot-time default can also be
configured using the HOSTZEROBROADCAST kernel config option.

While we're here, defopt HOSTZEROBROADCAST and SUBNETSARELOCAL
1999-06-26 06:16:47 +00:00
hwr
d313e75afe It does not make much sense to increase a "output" counter on input. 1999-05-04 20:13:09 +00:00
thorpej
a40dff106e In INADDR_TO_IA(), skip interfaces which are not up. Revert previous change
to ip_input.c to check the interface status after INADDR_TO_IA().

Fix cooked up by Heiko Rupp and myself.

Fixes PR 7480.
1999-05-03 22:12:44 +00:00
hwr
33a8a5933b Drop packets, that have a Class-D address as source address.
Implements the first half of PR 7003.
1999-05-03 21:14:47 +00:00
proff
8775e52947 tiny KNF change 1999-04-07 05:34:32 +00:00
proff
ae938abb49 Prevent reception of packets on downed interfaces (via an up interface).
fixes kern/7327
1999-04-07 02:31:05 +00:00
aidan
da1b3a7abf Added per-addr input/output statistics. Currently just support netatalk
and netinet, currently only tested under netinet.

Disabled by default, enabled by compiling the kernel with option
IFA_STATS.  Enabling this feature seems to make the ip_output function
take 13% longer than before, which should be OK for people that need
this feature.
1999-03-27 01:24:49 +00:00
proff
85ab19698a security: test for ip_len < ip_hl <<2 and drop packet accordingly 1999-03-26 08:51:35 +00:00
mycroft
231a906c71 There's just no plausible reason to byte-swap ip_id internally. It's opaque. 1999-01-19 23:39:56 +00:00
mycroft
7eeb5a04da Don't screw with ip_len; just subtract from it where we actually use the
value.
1999-01-19 23:03:20 +00:00
mycroft
fc1211a6ab Don't overwrite the checksum fields when checking them. There's no reason to
do this, and it screws up ICMP replies.
XXX The returned IP checksum and length are still wrong.
1999-01-19 21:58:40 +00:00
thorpej
555784ccd5 Fix byte order and ip_len inconsistencies in ICMP reply code. Also, fix
some formatting and HTONS(foo) vs. foo = htons(foo) inconsistencies.

PR #6602, Darren Reed.
1999-01-11 22:35:06 +00:00
thorpej
12632ebf71 Reverse the copyright-notice-swap. It went against existing practice. 1998-12-19 02:46:12 +00:00
thorpej
ca15e01c76 Add a lock around the IP fragment reassembly queue, to prevent ip_drain()
from corrupting the queue if called from a device's interrupt context.

Should fix PR #5684.
1998-12-18 21:35:11 +00:00
thorpej
0e3a0a7f80 Once a fragmented IP packet has been reassembled, recompute the packet
length before passing it up the stack.  From FreeBSD.
1998-11-13 03:24:22 +00:00
thorpej
14f5ac9081 Use the pool allocator for ipflow entries. 1998-10-08 01:41:45 +00:00
thorpej
974aa74abd Use the pool allocator for ipqent structures. 1998-10-08 01:19:25 +00:00
tls
c4730d65cf Switch order of TNF and UCB copyrights so UCB copyright is first; this seems more appropriate since UCB wrote the original code, after all. 1998-09-30 21:52:24 +00:00
thorpej
9fd57e8917 Make a diagnostic printf more sensible, PR #5951, Heiko W. Rupp. 1998-09-09 04:57:18 +00:00
mrg
4a75265273 defopt PFIL_HOOKS. 1998-08-09 08:58:18 +00:00
sommerfe
534520d815 Fix PR5508: ipfil cut-through forwarding causes panic 1998-07-17 00:28:00 +00:00
thorpej
08b5a4ecb8 Protect the ipflow_reap() call with splsoftnet. 1998-06-01 00:39:37 +00:00
thorpej
f555f6d93f Fix OBOB in IP timestamp option processing, as noted in FreeBSD PR 6738,
from Jennifer Dawn Meyers <jdm@enteract.com>.
1998-05-24 20:14:53 +00:00
matt
36eac04cc0 Default IP flow to being enabled. Add a sysctl to control the maximum
number of flows (net.inet.ip.maxflows).  If set to 0, will disable fast
path forwarding.
1998-05-04 19:24:53 +00:00
thorpej
4452bc9a21 Allow packet filters to prevent a packet from creating a fast-forwarding
flow, by setting the "can fast forward" flag in the packet header, and
giving a chance for filters to clear the flag.  If the flag is still
set after the filters have given it a chance, the packet will be used
to create a fast-forward flow entry.
1998-05-01 03:23:24 +00:00
matt
d4d709f7d0 Add support for "fast" forwarding. Add hooks in if_ethersubr.c and
if_fddisubr.c to fastpath IP forwarding.  If ip_forward successfully
forwards a packet, it will create a cache (ipflow) entry.  ether_input
and fddi_input will first call ipflow_fastforward with the received
packet and if the packet passes enough tests, it will be forwarded (the
ttl is decremented and the cksum is adjusted incrementally).
1998-04-29 21:37:52 +00:00
matt
37d70e3b46 defopt GATEWAY 1998-04-29 20:45:30 +00:00
kml
eadcaa201c change path MTU timeout value to match RFC 1191 1998-04-29 03:45:52 +00:00
kml
1579dcec47 Add support for deletion of routes added by path MTU discovery;
uses new generic route timeout code.  Add sysctl for timeout period.
1998-04-29 03:44:11 +00:00
mrg
45159fa631 convert pfil(9) in and out lists from <sys/queue.h> LISTs to TAILQs, and
change pfil_add_hook to put output filters at the tail of the queue,
while continuing to place input filters at the head of the queue.  update
the two users of these functions, and document these changes.

fixes PR#4593.
1998-03-19 15:45:30 +00:00
tls
91de585d5f Add correct copyright notice for IP address hash change. This code is donated to TNF by the original copyright holder, Panix. 1998-02-15 18:24:23 +00:00
tls
c9934a9084 Change list of interface IP addresses to a hash. Improves performance on hosts with a large number of IP addresses significantly. 1998-02-13 18:21:38 +00:00
thorpej
4c54445530 Use offsetof() from libkern.h 1998-01-28 02:35:10 +00:00
scottr
54ea074777 Use option header file for MROUTING 1998-01-12 03:02:48 +00:00
lukem
1f8f74b669 enhance ephemeral port allocation code:
* support sysctl net.inet.ip.anonportmin (lowest ephemeral port)
  and net.inet.ip.anonportmax (highest ephemeral port).
  these can't be set to >65535, < IPPORT_RESERVED (unless IPNOPRIVPORTS
  is defined), and anonportmin has to be < anonportmax.
* use a cleaner way of only cycling through the available set once;
  this will be useful for when a random allocation scheme is used
* define IPPORT_ANON{MIN,MAX} instead of IPPORT_USER{LOW,HIGH}
1998-01-05 09:52:02 +00:00
kml
6b86b260cb change sysctl net.inet.icmp.mtudisc to net.inet.ip.mtudisc 1997-10-18 21:18:28 +00:00
thorpej
10f29f9bcb Allow `subnetsarelocal' to be changed via sysctl. 1997-10-17 21:20:49 +00:00
gwr
c74236bfc9 Tweaks to allow operation with an interface address of 0.0.0.0
(needed for NFS mountroot using BOOTP to get boot parameters)
1997-08-29 16:02:41 +00:00
thorpej
a0e791807e Eliminate use of dtom() from the network code, allowing more flexible
use of mbuf external storage and increasing performance (by eliminating
an m_pullup() for clusters in the IP reassembly code).

Changes from Koji Imada <koji@math.human.nagoya-u.ac.jp>, in PR #3628
and #3480, with ever-so-slight integration changes by me.
1997-06-24 02:25:59 +00:00
christos
0659cacda6 Move the mtod calls *after* we've made sure that the packet has passed the
filter successfully. Otherwise it can be NULL if the filter blocked it,
and we die. How did this ever work?
1997-04-15 00:41:52 +00:00
mrg
78cd2f6f78 allow src-routed packetd by default, per host requirements 1997-02-26 04:09:32 +00:00
cjs
8a449a258b Add net.inet.ip.allowsrcrt option which allows/drops all source
routed packets. This currently defaults to `drop,' but once we
verify  that all applications that rely on determining remote IP
addresses for authentication are dropping the connection when they
see a source route option (not just disabling the source route
option), we can turn this back on and conform with the host
requirements.
1997-02-25 08:35:41 +00:00
cjs
788bcc9857 Fix bug in sysctl net.inet.ip.forwsrcrt handing: now you can read it
if securelevel > 0. (Thanks, cgd.)
1997-02-19 08:30:04 +00:00
mrg
4c8bfe2630 pseudo-device ipfilter brings in PFIL_HOOKS. 1997-02-18 20:49:32 +00:00