Commit Graph

178 Commits

Author SHA1 Message Date
gdt 7143faccbb Avoid casting to "i6addr_t *", because that type requires 64-bit
alignment and nothing guarantees that IPv6 packets in mbufs are 8-byte
aligned.  gcc was coalescing adjacent 32-bit compares into "ldx" on
sparc64, leading to alignment faults when processing icmp6 arriving on
gif with IPv4 outer addresses.

Fix mostly from darrenr@.  Discussed extensively on port-sparc64.
2007-07-19 14:04:34 +00:00
ad 88ab7da936 Merge some of the less invasive changes from the vmlocking branch:
- kthread, callout, devsw API changes
- select()/poll() improvements
- miscellaneous MT safety improvements
2007-07-09 20:51:58 +00:00
mlelstv f9a2fc4868 Avoid use of cached pointers that might be stale due to mbuf operations. 2007-06-24 22:16:35 +00:00
martin 0d8033bf02 (Re-)add a missing cast in an #if part not used in current, but needed
for netbsd-4.
2007-06-17 09:32:34 +00:00
martin c77a3f5aad Upgraded IPFilter to v4.1.23 2007-06-16 10:52:24 +00:00
dyoung 95edb940c2 Get rid of radix_node_head.rnh_walktree, because it is only ever
set to rn_walktree.

Introduce rt_walktree(), which applies a subroutine to every route
in a particular address family.  Use it instead of rn_walktree()
virtually everywhere.  This helps to hide the routing table
implementation.
2007-06-09 03:07:21 +00:00
martti fff7fd04df s/iplattach/ipfattach/ and s/ipldetach/ipfdetach/ 2007-06-04 12:38:58 +00:00
darrenr fade943a7f The wrong condition was being tested for when deciding which fields to
update in ICMP error messages.  In the test case for this, the wrong
input was actually being used (it should be the headers from the previous
packet output) and therefore the expected results were also wildly wrong.

kern/36309
2007-05-31 10:33:54 +00:00
darrenr 5daa30646c the call to ipf_freetoken() free's the structure pointed to by 't' so doing
any sort of dereference of it afterwards is just a bad idea...
2007-05-30 06:27:11 +00:00
martti 6b17040b66 Fix problems with stateful filtering. Patch received from darrenr@. 2007-05-25 06:44:20 +00:00
christos 1425884c9e Coverity CID 3157: remove bogus break. 2007-05-17 17:04:12 +00:00
martin 6718c86598 Merge IP-Filter 4.1.22 2007-05-15 22:52:20 +00:00
dyoung f7748bc6aa pfctl: extend pf.conf(5) syntax. Let the operator supply an optional
"state lock" flag (if-bound, gr-bound, floating) at the end of a
NAT rule.  The new syntax is backwards-compatbile with the old
syntax.

PF (kernel): change the macro BOUND_IFACE() to the inline function
bound_iface(), and add a new argument, the applicable NAT rule.
Use both the flags on the applicable filter rule and on the applicable
NAT rule to decide whether or not to bind a state to the interface
or the group where it is created.
2007-05-10 22:30:54 +00:00
dyoung a56ad6a493 Use the system's offsetof() definition from sys/systm.h (in kernel)
or stddef.h (out of kernel).  Remove IPF's troublesome offsetof()
definitions.  This lets IPF build on amd64.
2007-05-04 19:50:42 +00:00
dyoung 72f0a6dfb0 Eliminate address family-specific route caches (struct route, struct
route_in6, struct route_iso), replacing all caches with a struct
route.

The principle benefit of this change is that all of the protocol
families can benefit from route cache-invalidation, which is
necessary for correct routing.  Route-cache invalidation fixes an
ancient PR, kern/3508, at long last; it fixes various other PRs,
also.

Discussions with and ideas from Joerg Sonnenberger influenced this
work tremendously.  Of course, all design oversights and bugs are
mine.

DETAILS

1 I added to each address family a pool of sockaddrs.  I have
  introduced routines for allocating, copying, and duplicating,
  and freeing sockaddrs:

        struct sockaddr *sockaddr_alloc(sa_family_t af, int flags);
        struct sockaddr *sockaddr_copy(struct sockaddr *dst,
                                       const struct sockaddr *src);
        struct sockaddr *sockaddr_dup(const struct sockaddr *src, int flags);
        void sockaddr_free(struct sockaddr *sa);

  sockaddr_alloc() returns either a sockaddr from the pool belonging
  to the specified family, or NULL if the pool is exhausted.  The
  returned sockaddr has the right size for that family; sa_family
  and sa_len fields are initialized to the family and sockaddr
  length---e.g., sa_family = AF_INET and sa_len = sizeof(struct
  sockaddr_in).  sockaddr_free() puts the given sockaddr back into
  its family's pool.

  sockaddr_dup() and sockaddr_copy() work analogously to strdup()
  and strcpy(), respectively.  sockaddr_copy() KASSERTs that the
  family of the destination and source sockaddrs are alike.

  The 'flags' argumet for sockaddr_alloc() and sockaddr_dup() is
  passed directly to pool_get(9).

2 I added routines for initializing sockaddrs in each address
  family, sockaddr_in_init(), sockaddr_in6_init(), sockaddr_iso_init(),
  etc.  They are fairly self-explanatory.

3 structs route_in6 and route_iso are no more.  All protocol families
  use struct route.  I have changed the route cache, 'struct route',
  so that it does not contain storage space for a sockaddr.  Instead,
  struct route points to a sockaddr coming from the pool the sockaddr
  belongs to.  I added a new method to struct route, rtcache_setdst(),
  for setting the cache destination:

        int rtcache_setdst(struct route *, const struct sockaddr *);

  rtcache_setdst() returns 0 on success, or ENOMEM if no memory is
  available to create the sockaddr storage.

  It is now possible for rtcache_getdst() to return NULL if, say,
  rtcache_setdst() failed.  I check the return value for NULL
  everywhere in the kernel.

4 Each routing domain (struct domain) has a list of live route
  caches, dom_rtcache.  rtflushall(sa_family_t af) looks up the
  domain indicated by 'af', walks the domain's list of route caches
  and invalidates each one.
2007-05-02 20:40:22 +00:00
dogcow 93c1d76796 Instead of manually multiplying out the magic numbers, use * 15 / 10 instead
of * 1.5; this seems to placate the various compilers into not requiring fp.
2007-05-02 18:47:27 +00:00
martti 69c0a989e5 Sync with official IPF 2007-05-02 09:53:09 +00:00
dogcow 36f6a11c63 gcc is too clueless on some platforms to tell that
(number divisible by 2 * 1.5) is an int, and thus fails spectacularly
at either link or compile time. replace exprs with their int values.
2007-05-02 02:59:54 +00:00
martti 872147fef7 Upgraded IPFilter to 4.1.20 2007-05-01 19:08:03 +00:00
jnemeth 7456457055 Add a define for caddr_t to ip_compat.h and revert most of the
special cases for it.  This is to simplify the code to prepare it
for pullup to netbsd-4 and submitting back upstream.  The change
was requested by martin@.
2007-04-27 10:17:15 +00:00
dogcow 6586d2040a fix build on arches with chars that're by default unsigned.
(patch supplied by martin.)
Forgot that iptest uses these files, rather than the one in src/dist/ipf.
2007-04-16 02:40:25 +00:00
martin da6823c65c A few tweaks (no effect on NetBSD-current) to make syncing with upstream
easier.
2007-04-15 10:42:40 +00:00
martin 8ebafcc992 Update IPFilter to version 4.1.19 2007-04-14 20:34:18 +00:00
ad 59d979c5f1 Pass an ipl argument to pool_init/POOL_INIT to be used when initializing
the pool's lock.
2007-03-12 18:18:22 +00:00
christos 53524e44ef Kill caddr_t; there will be some MI fallout, but it will be fixed shortly. 2007-03-04 05:59:00 +00:00
dyoung 5493f188c7 KNF: de-__P, bzero -> memset, bcmp -> memcmp. Remove extraneous
parentheses in return statements.

Cosmetic: don't open-code TAILQ_FOREACH().

Cosmetic: change types of variables to avoid oodles of casts: in
   in6_src.c, avoid casts by changing several route_in6 pointers
   to struct route pointers.  Remove unnecessary casts to caddr_t
   elsewhere.

Pave the way for eliminating address family-specific route caches:
   soon, struct route will not embed a sockaddr, but it will hold
   a reference to an external sockaddr, instead.  We will set the
   destination sockaddr using rtcache_setdst().  (I created a stub
   for it, but it isn't used anywhere, yet.)  rtcache_free() will
   free the sockaddr.  I have extracted from rtcache_free() a helper
   subroutine, rtcache_clear().  rtcache_clear() will "forget" a
   cached route, but it will not forget the destination by releasing
   the sockaddr.  I use rtcache_clear() instead of rtcache_free()
   in rtcache_update(), because rtcache_update() is not supposed
   to forget the destination.

Constify:

   1 Introduce const accessor for route->ro_dst, rtcache_getdst().

   2 Constify the 'dst' argument to ifnet->if_output().  This
     led me to constify a lot of code called by output routines.

   3 Constify the sockaddr argument to protosw->pr_ctlinput.  This
     led me to constify a lot of code called by ctlinput routines.

   4 Introduce const macros for converting from a generic sockaddr
     to family-specific sockaddrs, e.g., sockaddr_in: satocsin6,
     satocsin, et cetera.
2007-02-17 22:34:07 +00:00
dyoung 10c063a777 In pf_rtlabel_match, use rtcache_free()/rtcache_init(). This is
just cosmetic, since the whole routine is presently #if 0'd.
2007-02-17 21:08:52 +00:00
alc ea827cc550 CID-3809: move up the initialization of `fr' as we can jump to junkput: if
fr_inobj() fails. junkput: will then check the value of `fr' which is at
this time uninitialized.

CID-3803: don't leak `ipn' upon return

ok christos@
2006-12-27 18:28:54 +00:00
alc aca410156d CID-3802: don't leak `isc'
ok christos@
2006-12-27 18:10:03 +00:00
darrenr 54726f45ee TCP window scaling was being recognised but the recorded settins were being
clobbered and thus effectively disabled
2006-12-24 02:31:16 +00:00
joerg eb04733c4e Introduce new helper functions to abstract the route caching.
rtcache_init and rtcache_init_noclone lookup ro_dst and store
the result in ro_rt, taking care of the reference counting and
calling the domain specific route cache.
rtcache_free checks if a route was cashed and frees the reference.
rtcache_copy copies ro_dst of the given struct route, checking that
enough space is available and incrementing the reference count of the
cached rtentry if necessary.
rtcache_check validates that the cached route is still up. If it isn't,
it tries to look it up again. Afterwards ro_rt is either a valid again
or NULL.
rtcache_copy is used internally.

Adjust to callers of rtalloc/rtflush in the tree to check the sanity of
ro_dst first (if necessary). If it doesn't fit the expectations, free
the cache, otherwise check if the cached route is still valid. After
that combination, a single check for ro_rt == NULL is enough to decide
whether a new lookup needs to be done with a different ro_dst.
Make the route checking in gre stricter by repeating the loop check
after revalidation.
Remove some unused RADIX_MPATH code in in6_src.c. The logic is slightly
changed here to first validate the route and check RTF_GATEWAY
afterwards. This is sementically equivalent though.
etherip doesn't need sc_route_expire similiar to the gif changes from
dyoung@ earlier.

Based on the earlier patch from dyoung@, reviewed and discussed with
him.
2006-12-15 21:18:52 +00:00
matt 8861fab664 Don't apply a window scale to the window size in a SYN packet. 2006-12-13 03:45:48 +00:00
dyoung c308b1c661 Here are various changes designed to protect against bad IPv4
routing caused by stale route caches (struct route).  Route caches
are sprinkled throughout PCBs, the IP fast-forwarding table, and
IP tunnel interfaces (gre, gif, stf).

Stale IPv6 and ISO route caches will be treated by separate patches.

Thank you to Christoph Badura for suggesting the general approach
to invalidating route caches that I take here.

Here are the details:

Add hooks to struct domain for tracking and for invalidating each
domain's route caches: dom_rtcache, dom_rtflush, and dom_rtflushall.

Introduce helper subroutines, rtflush(ro) for invalidating a route
cache, rtflushall(family) for invalidating all route caches in a
routing domain, and rtcache(ro) for notifying the domain of a new
cached route.

Chain together all IPv4 route caches where ro_rt != NULL.  Provide
in_rtcache() for adding a route to the chain.  Provide in_rtflush()
and in_rtflushall() for invalidating IPv4 route caches.  In
in_rtflush(), set ro_rt to NULL, and remove the route from the
chain.  In in_rtflushall(), walk the chain and remove every route
cache.

In rtrequest1(), call rtflushall() to invalidate route caches when
a route is added.

In gif(4), discard the workaround for stale caches that involves
expiring them every so often.

Replace the pattern 'RTFREE(ro->ro_rt); ro->ro_rt = NULL;' with a
call to rtflush(ro).

Update ipflow_fastforward() and all other users of route caches so
that they expect a cached route, ro->ro_rt, to turn to NULL.

Take care when moving a 'struct route' to rtflush() the source and
to rtcache() the destination.

In domain initializers, use .dom_xxx tags.

KNF here and there.
2006-12-09 05:33:04 +00:00
dyoung dcabc5c2e5 Make code concise by removing uninformative #ifdef's. 2006-12-04 03:02:48 +00:00
dyoung 9534d9db92 Indent these macros for readability. People have to read this
code, too.
2006-12-04 02:59:35 +00:00
dyoung 1b9b487578 Lightly constify. Helps compile-time checking that we are not
scribbling over shared or read-only memory---e.g., in mbufs.
2006-12-04 02:58:06 +00:00
dyoung fdab81c3b0 No need for a struct route_in6 in pf_route6(). Replace it with a
sockaddr_in6.

In pf_calc_mss(), factor common code out of PF_INET and PF_INET6
switch cases.
2006-12-04 02:28:12 +00:00
christos c0179c282a spell precede; from Zafer 2006-11-25 16:48:31 +00:00
christos 1665d5e960 fix spelling of accommodate; from Zapher. 2006-11-24 19:46:58 +00:00
christos 168cd830d2 __unused removal on arguments; approved by core. 2006-11-16 01:32:37 +00:00
dogcow 372e6ef309 now that we have -Wno-unused-parameter, back out all the tremendously ugly
code to gratuitously access said parameters.
2006-10-17 18:21:29 +00:00
dogcow 2023789a40 More -Wunused fallout. sprinkle __unused when possible; otherwise, use the
do { if (&x) {} } while (/* CONSTCOND */ 0);
construct as suggested by uwe in <20061012224845.GA9449@snark.ptc.spbu.ru>.
2006-10-13 16:53:35 +00:00
peter dd191f37f3 Merge the peter-altq branch.
(sync with KAME & add support for using ALTQ with pf(4)).
2006-10-12 19:59:07 +00:00
christos 4d595fd7b1 - sprinkle __unused on function decls.
- fix a couple of unused bugs
- no more -Wno-unused for i386
2006-10-12 01:30:41 +00:00
peter d697e40372 PR/34746: Nino Dehne: pf(4)'s synproxy state breaks when used with tags
Apply OpenBSD src/sys/net/pf.c rev 1.486 and 1.487:

1.486:
When synproxy sends packets to the destination host, make sure to copy
the 'tag' from the original state entry into the outgoing mbuf.

1.487:
When synproxy completes the replayed handshake and modifies the state
into a normal one, it sets both peers' sequence windows. Fix a bug where
the previously advertised windows are applied to the wrong side (i.e.
peer A's seqhi is peer A's seqlo plus peer B's, not A's, window). This
went undetected because mostly the windows are similar and/or re-
advertised soon. But there are (rare) cases where a synproxy'd connection
would stall right after handshake. Found by Gleb Smirnoff.
2006-10-07 21:45:49 +00:00
pavel b4d9afa72c In pf, there are lots of #ifdef ALTQ, but our ALTQ is not what pf expects,
and if ALTQ and pf are both enabled, it leads to compile errors. So,
change all tests for ALTQ to ALTQ_NEW, which won't be defined.

This allows simultaneous compilation of pf and ALTQ and is a temporary
measure before the peter-altq brach is merged.

Tested and approved by Peter Postma.
2006-10-01 12:52:24 +00:00
elad 83a5239b28 Remove ugly (void *) casts from network scope authorization wrapper and
calls to it.

While here, adapt code for system scope listeners to avoid some more
casts (forgotten in previous run).

Update documentation.
2006-09-19 21:42:29 +00:00
yamt a741fb2573 defflag IPFILTER_LOOKUP. 2006-09-17 13:43:15 +00:00
elad bada0c776a Don't use KAUTH_RESULT_* where it's not applicable.
Prompted by yamt@.
2006-09-13 10:07:42 +00:00
elad 5f7169ccb1 First take at security model abstraction.
- Add a few scopes to the kernel: system, network, and machdep.

- Add a few more actions/sub-actions (requests), and start using them as
  opposed to the KAUTH_GENERIC_ISSUSER place-holders.

- Introduce a basic set of listeners that implement our "traditional"
  security model, called "bsd44". This is the default (and only) model we
  have at the moment.

- Update all relevant documentation.

- Add some code and docs to help folks who want to actually use this stuff:

  * There's a sample overlay model, sitting on-top of "bsd44", for
    fast experimenting with tweaking just a subset of an existing model.

    This is pretty cool because it's *really* straightforward to do stuff
    you had to use ugly hacks for until now...

  * And of course, documentation describing how to do the above for quick
    reference, including code samples.

All of these changes were tested for regressions using a Python-based
testsuite that will be (I hope) available soon via pkgsrc. Information
about the tests, and how to write new ones, can be found on:

	http://kauth.linbsd.org/kauthwiki

NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the
following:

  - Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
  - Checks 'securelevel' directly,
  - Checks a uid/gid directly.

(or if you feel you have to, contact me first)

This is still work in progress; It's far from being done, but now it'll
be a lot easier.

Relevant mailing list threads:

http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html
http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html
http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html
http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html

Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help
stablizing kauth(9).

Full credit for the regression tests, making sure these changes didn't break
anything, goes to Matt Fleming and Jaime Fournier.

Happy birthday Randi! :)
2006-09-08 20:58:56 +00:00