93 Commits

Author SHA1 Message Date
peter
8f83cde4e3 Fix TCP/UDP checksum handling as pointed out by Daniel Hartmeier in:
http://mail-index.netbsd.org/tech-net/2006/01/21/0000.html.

Problem reported and patch tested by der Mouse & Nino Dehne (PR/32874).
2006-02-19 12:15:33 +00:00
rpaulo
99513cfd59 In pf_socket_lookup() fix copy & paste problem when in6_pcblookup_bind()
returns NULL.
2006-02-07 22:53:03 +00:00
peter
10f6d07582 apply a fix from OpenBSD:
> revision 1.104
> date: 2006/01/18 22:03:21;  author: dhartmei;  state: Exp;  lines: +2 -2
> fix a bug in the fragment cache (used for 'scrub fragment crop/drop-ovl',
> but not 'fragment reassemble'), which can cause some fragments to get
> inserted into the cache twice, thereby violating an invariant, and
> panicking the system subsequently. ok deraadt@
2006-01-25 10:45:20 +00:00
peter
5d1968b1c0 Include netinet/in.h, for compatibility with OpenBSD (we #ifdef'ed out a
header which includes netinet/in.h on OpenBSD).

Pointed out by Thomas E. Spanjaard.
No objection from yamt@.
2006-01-17 12:24:53 +00:00
christos
97dec287fc make the kernel link without options INET.
XXX: this is of dubious use.
2005-12-28 09:29:48 +00:00
christos
08e11b2039 make this compile with no INET options. 2005-12-28 09:05:54 +00:00
christos
95e1ffb156 merge ktrace-lwp. 2005-12-11 12:16:03 +00:00
christos
a751ffb4fe Adjust for icmp_error signature. 2005-10-23 19:40:20 +00:00
yamt
3a2482b78f fr_check_wrapper6: handle M_CSUM_TCPv6|M_CSUM_UDPv6. 2005-08-11 13:01:38 +00:00
yamt
bbfb2033ff pfil6_wrapper: handle M_CSUM_TCPv6|M_CSUM_UDPv6. 2005-08-11 13:01:24 +00:00
yamt
d6d72a6dc9 wrap INET only code by #if defined(INET). (in __NetBSD__ part) 2005-08-06 11:22:39 +00:00
peter
84fa01a154 pf_test() can set *mp to NULL, check for this before de-referencing it.
From Akihiro Sagawa in PR/30835.
2005-07-26 13:09:23 +00:00
christos
b132d4d5fd Fix typo 2005-07-10 09:22:56 +00:00
christos
4a35068121 Small correction to skd's patch from darren. 2005-07-10 05:49:38 +00:00
christos
20dd96aff1 Don't drop fragments that are smaller than the ip header size. From skd 2005-07-09 14:51:11 +00:00
peter
9710741485 Resolve conflicts (pf from OpenBSD 3.7, kernel part). 2005-07-01 12:37:34 +00:00
lukem
fd8956d5fa Use an "XXXGCC -Wuninitalized" style that is consistent with that used
elsewhere in the tree.
2005-06-15 01:48:20 +00:00
jmc
6724401235 Cleanup XXGCC in a few places to make it easier to see. 2005-06-14 21:20:30 +00:00
jmc
c3073778d2 Fix uninitialized warnings that only crop up on m68k. XXGCC tagged 2005-06-13 20:33:53 +00:00
darrenr
4e1ba8b46a bin/29508 - fix "ipf -T" - kernel wasn't setting ipft_cookie and userland
was expecting it to be set, thus ignored it.
bin/29509 - because ipft_cookie wasn't reset to 0 before making the ioctl
call for each variable, only the first name to find was used, each successive
call just used the cookie.
CVn: ----------------------------------------------------------------------
2005-06-11 12:31:40 +00:00
darrenr
e5f523e30c Using USE_SPL should be done after the last place it is defined. 2005-06-11 12:12:59 +00:00
darrenr
486aaa2c70 kern/30082 - fr_check() is missing SPL_NET() macros for non-mutex using
platforms, allowing it to be preempted and restarted in an inconsistent
state.
2005-06-11 11:25:28 +00:00
yamt
656adb750b pf_reassemble: clear stale csum_flags. 2005-06-08 11:50:46 +00:00
christos
f9aeac0ab7 - sprinkle const
- avoid variable shadowing.
2005-05-29 21:57:49 +00:00
christos
966656bbac more fallout from so_uid -> so_uidinfo. 2005-05-07 19:59:56 +00:00
martti
58b8abcbf8 Upgraded IPFilter to 4.1.8 2005-04-03 15:05:30 +00:00
martti
c775aec128 Import IPFilter 4.1.8 2005-04-03 15:01:04 +00:00
christos
3136f75efa defopt IPFILTER_DEFAULT_BLOCK 2005-03-26 18:08:42 +00:00
peter
851064ccf9 Fix a GCC warning when compiling on evbppc.
From FUKAUMI Naoki in PR #29669.
2005-03-15 18:08:59 +00:00
hannken
4e0e09fd14 frpr_udpcommon() failed to handle fragmented packets. Packets with less than
8 bytes of data were dropped.

- If the packet is a fragment, return. There is no UDP header in this case.
- Don't set the FI_SHORT flag. Already tested in `frpr_short()'.
- Remove unneeded test `!fin->fin_off'.

Approved by: Christos Zoulas <christos@netbsd.org>
2005-03-07 13:59:30 +00:00
christos
2a8316cc91 Add a change lost in the transition from 4.1.3->4.1.6. Don't block packets
for which we cannot add state. Explanation in the code. Fixes PR/29560.
2005-03-01 13:41:43 +00:00
itojun
57eaa97695 with IPv6 intermediate host will not perform PMTUD. ip6_getpmtu() is for
end node cases, so do not use it.
2005-02-28 09:26:36 +00:00
martin
65c3e91025 When we call m_makewritable() the mbuf might be copied - so don't use
stale mtod()'d pointers from before.
2005-02-21 22:01:52 +00:00
martti
460bbcc960 Upgraded IPFilter to 4.1.6 2005-02-19 21:30:24 +00:00
martti
76b5d9e30f Import IPFilter 4.1.6 2005-02-19 21:26:02 +00:00
christos
a05a0bbcb8 Deal with possibly uninitialized variable, and tidy up a bit. 2005-02-17 04:14:31 +00:00
christos
9606238d80 There were more broken things aside from the __'s missing. 2005-02-17 03:12:36 +00:00
christos
0a15d30196 Don't forget the trailing __'s in NetBSD Version. Should fix PR/29407. 2005-02-17 02:26:51 +00:00
peter
41ea7e91a7 Merge in a fix from OPENBSD_3_6.
ok yamt@

> MFC:
> Fix by dhartmei@
>
> replace finer-grained spl locking in pfioctl() with a single broad lock
> around the entire body. this resolves the (misleading) panics in
> pf_tag_packet() during heavy ioctl operations (like when using authpf)
> that occur because softclock can interrupt ioctl on i386 since SMP.
> patch from camield@.
2005-02-14 21:28:33 +00:00
peter
1b4e743b06 Merge in a fix from OPENBSD_3_6.
ok yamt@

> MFC:
> Fix by dhartmei@
>
> ICMP state entries use the ICMP ID as port for the unique state key. When
> checking for a usable key, construct the key in the same way. Otherwise,
> a colliding key might be missed or a state insertion might be refused even
> though it could be inserted. The second case triggers the endless loop
> fixed by 1.474, possibly allowing a NATed LAN client to lock up the kernel.
> Report and test data by Srebrenko Sehic.
2005-02-14 21:27:26 +00:00
christos
1b198d8f16 size_t should be cast'ed to unsigned long. 2005-02-09 23:42:30 +00:00
he
f29d7ec0d8 One can't portably print a size_t with an %u format directive.
Since this might be in the kernel, cast to unsigned int before printing.
Fixes build problem for amd64 (and presumably also our other LP64 ports).
2005-02-09 08:21:27 +00:00
he
c05368e398 Make the declaration of oip in fr_send_ip() conditional on INET,
since its use is also conditional on that preprocessor macro.
2005-02-09 08:19:24 +00:00
martti
a023cb1d19 Upgraded IPFilter to 4.1.5 2005-02-08 07:01:52 +00:00
martti
4d6a62d250 Import IPFilter 4.1.5 2005-02-08 06:52:59 +00:00
christos
78ec5c8f06 Disable the oow test because it is broken. It is killing valid packets. 2005-01-16 02:56:22 +00:00
lukem
4ae6a6d6f4 Support -DNOINET6 to disable USE_INET6 (a la the FreeBSD section earlier) 2005-01-10 02:10:47 +00:00
yamt
de965c0ed7 pfil4_wrapper: clear M_CANFASTFWD which is not compatible with pf. 2005-01-01 09:13:14 +00:00
martti
756f26107c Import IPFilter 4.1.3 2004-12-31 11:30:42 +00:00
peter
dd544baa78 Apply a patch from OPENBSD_3_6 branch (ok yamt).
MFC:
Fix by dhartmei@

IPv6 packets can contain headers (like options) before the TCP/UDP/ICMP6
header. pf finds the first TCP/UDP/ICMP6 header to filter by traversing
the header chain. In the case where headers are skipped, the protocol
checksum verification used the wrong length (included the skipped headers),
leading to incorrectly mismatching checksums. Such IPv6 packets with
headers were silently dropped. Reported by Bernhard Schmidt.

ok deraadt@ dhartmei@ mcbride@
2004-12-21 12:06:37 +00:00