Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
129,616 Commits 606 Branches 0 Tags 3.1 GiB
Commit Graph

1369 Commits

Author SHA1 Message Date
yamt 28b17ac69e in_control: fix address leaks on error, which causes a panic 
("no domain for AF 0") on if_detach.
- SIOCAIFADDR, SIOCSIFADDR: free an address on error.
- SIOCSIFNETMASK, SIOCSIFDSTADDR: reject operations for an interface which
  has no AF_INET addresses.

partly from OpenBSD and FreeBSD.
reviewed by Christos Zoulas on tech-net@.
 2004-08-08 09:52:41 +00:00
christos f3a2c3728b remove the avail = 0; assignment which is superfluous. pointed out by enami. 2004-08-04 03:55:06 +00:00
christos 5ab21dfa5d PR/26471: Arto Selonen: ipfilter 4.1.3 crashes the system every few hours 
Remove extraneous m = NULL assignment that will cause a NULL dereference
later.
 2004-08-03 16:16:30 +00:00
cube 19861ea4fe Remove a common (icmpstat). 2004-08-03 13:58:59 +00:00
yamt 48d156e320 call PFIL_NEWIF hooks at a correct place. 
(on SIOCAIFADDR rather than SIOCGIFALIAS.)

from Peter Postma, PR/26402.
ok'ed by itojun.
 2004-07-26 13:43:14 +00:00
martti 7ff15b917f Upgraded IPFilter to 4.1.3 2004-07-23 05:39:03 +00:00
martti 9e82a8bf0d Import IPFilter 4.1.3 2004-07-23 05:33:55 +00:00
yamt 4374881880 fix typos. PFIL_HOOK -> PFIL_HOOKS 2004-07-18 11:37:38 +00:00
itojun 5807e550e5 typo. Bruno Rohee 2004-07-09 09:15:02 +00:00
christos d397fc692a Bring in flags from 4.1.2 to make things compile. 2004-07-08 02:52:02 +00:00
mycroft cc559c8583 Fix SIOCSIFNETMASK -- it needs to use in_ifscrub() and in_ifinit() to update 
the interface route and various internal state.  Also, it should use an ifreq,
not an if_aliasreq.  Addresses PR 9604.  (Nothing in our source tree uses
SIOCSIFNETMASK, though.  Perhaps it should be deprecated.)
 2004-07-07 01:39:00 +00:00
minoura c3ed038115 Remove broken code for now: getsockopt(s, IPPROTO_IP, IP_IPSEC_POLICY,...). 
It returned EINVAL, now returns ENOPROTOOPT.
Ok'd by itojun.
 2004-07-06 04:30:27 +00:00
heas 192b371d42 Adjust description for net.inet.udp.checksum; it does not controll checking, 
only computing.
 2004-07-02 18:19:51 +00:00
christos 01a2047486 PR/25999: Jeff Rizzo: ipf: ipnat is corrupting "bimap" translations in 2.0_BETA and -current 2004-06-29 22:44:59 +00:00
itojun 2aef0b1784 correct TCP-MD5 support. Jeff Rizzo 2004-06-26 03:29:15 +00:00
itojun db45a6f189 icmp_reflect: check if m_pkthdr.rcvif is non-NULL before touching it. 
icmp_reflect could be called from the output path, so m_pkthdr.rcvif may not
be set.  (found by panic when PF is configured "block return all")
 2004-06-25 15:43:00 +00:00
itojun 59302fc979 be careful touching m_pkthdr.rcvif, it could be NULL if the packet was 
generated from local node and icmp_error calls icmp_reflect.
 2004-06-25 15:24:41 +00:00
itojun 047170b1cc prepare PF-related hooks. reviewed by matt, perry, christos 2004-06-22 12:50:41 +00:00
tron c465794d70 Correct two errors in fr_check(): 
1.) Make sure that "pass" is always initialized.
2.) Make sure the code doesn't use a stale mbuf pointer after fr_makefrip()
    has been called. This fixes PR kern/25868.

Analyzed and reviewed by Steve Woodford.
 2004-06-16 14:06:23 +00:00
tron fcda778c8f Don't leak mbuf if ipfr_fastroute6() fails. 
Reviewed by Steve Woodford.
 2004-06-16 14:02:39 +00:00
itojun b834441eb5 update mtu value if outgoing interface changes with ipsec ops 
(draft-touch-vpn case only?)  iij seil team
 2004-06-01 05:06:56 +00:00
itojun b4ea6633c0 fix SIOC*LIFADDR for IPv4. markus friedl 2004-05-30 06:37:07 +00:00
atatat 4de3747b89 Sysctl descriptions under net subtree (net.key not done) 2004-05-25 04:33:59 +00:00
jonathan 349ad018c7 Remove now-unused variable. 2004-05-23 00:37:27 +00:00
jonathan c8c7a6dbab With FAST_IPSEC, include <netipsec/key.h>, as Itojun's recent changes 
now require KEY_FREESAV() to be in scope.
 2004-05-20 22:59:02 +00:00
christos bd67b97d6a PR/25622: IPV6 return RST and through cloned interfaces was broken. 
- checksum was computed incorrectly.
- ipv6 packet was not initialized properly.
- fixed code to be more similar to the v4 counterpart.
 2004-05-20 13:55:31 +00:00
christos b78a596c7a PR/25646: Perry Metzger: Commit a patch that compiles awaiting feedback. 2004-05-20 13:54:19 +00:00
christos c046c90643 - remove superfluous assignment 
- rt_gateway is already a pointer to struct sockaddr; don't take its address
  when assigning it to struct sockaddr_in *
 2004-05-18 21:47:45 +00:00
christos 0d17293b81 Fix buffer overrun in in_pcbopts() (FreeBSD PR/66386) 2004-05-18 16:47:08 +00:00
itojun 4ebcfcf29a fix MD5 signature support to actually validate inbound signature, and 
drop packet if fails.
 2004-05-18 14:44:14 +00:00
christos 540c75a594 PR/25103: Martin Husemann: IP Filter 4.4.1 breaks some connections when NATing 
patch from Darren applied.
 2004-05-10 12:10:31 +00:00
christos f07e678b45 PR/24969: Arto Selonen: /usr/sbin/ipfs from ipfilter 4.1.1 does not work 
patch applied.
 2004-05-10 01:34:59 +00:00
taca 3657b758c0 Make it comiple without warning; void function fr_checkv4sum() and 
fr_checkv6sum() should not return value.
 2004-05-09 08:29:30 +00:00
christos e982110b53 PR/24981: Steven M. Bellovin: ipfilter in 2.0 branch panics the system 
patch applied.
 2004-05-09 04:17:34 +00:00
christos 865c473c96 PR/25332: HIROSE yuuji: "fastroute(to)" in ipf.conf doesn't work; patch applied 2004-05-09 04:02:32 +00:00
christos 5592d4d1fa PR/25441: Matthew Green: IP-Filter uses M_TEMP when it already has M_IPFILTER 2004-05-09 03:54:43 +00:00
chs bd3ff85ff7 work around an LP64 problem where we report an excessively large window 
due to incorrect mixing of types.
 2004-05-08 14:41:47 +00:00
kleink 542839207d Add definitions for the (currently unimplemented) ECN TCP flags; 
from Chuck Swiger in PR standards/25058.
 2004-05-07 20:11:52 +00:00
jonathan 85b3ba5bf1 Redo net.inet.* sysctl subtree for fast-ipsec from scratch. 
Attach FAST-IPSEC statistics with 64-bit counters to new sysctl MIB.
Rework netstat to show FAST_IPSEC statistics, via sysctl,  for
netstat -p ipsec.

New kernel files:
	sys/netipsec/Makefile		(new file; install *_var.h includes)
	sys/netipsec/ipsec_var.h	(new 64-bit mib counter struct)

Changed kernel files:
	sys/Makefile			(recurse into sys/netipsec/)
	sys/netinet/in.h		(fake IP_PROTO name for fast_ipsec
					sysctl subtree.)
	sys/netipsec/ipsec.h		(minimal userspace inclusion)
	sys/netipsec/ipsec_osdep.h	(minimal userspace inclusion)
	sys/netipsec/ipsec_netbsd.c	(redo sysctl subtree from scratch)
	sys/netipsec/key*.c		(fix broken net.key subtree)

	sys/netipsec/ah_var.h		(increase all counters to 64 bits)
	sys/netipsec/esp_var.h		(increase all counters to 64 bits)
	sys/netipsec/ipip_var.h		(increase all counters to 64 bits)
	sys/netipsec/ipcomp_var.h	(increase all counters to 64 bits)

	sys/netipsec/ipsec.c		(add #include netipsec/ipsec_var.h)
	sys/netipsec/ipsec_mbuf.c	(add #include netipsec/ipsec_var.h)
	sys/netipsec/ipsec_output.c	(add #include netipsec/ipsec_var.h)

	sys/netinet/raw_ip.c		(add #include netipsec/ipsec_var.h)
	sys/netinet/tcp_input.c		(add #include netipsec/ipsec_var.h)
	sys/netinet/udp_usrreq.c	(add #include netipsec/ipsec_var.h)

Changes to usr.bin/netstat to print the new fast-ipsec sysctl tree
for "netstat -s -p ipsec":

New file:
	usr.bin/netstat/fast_ipsec.c	(print fast-ipsec counters)

Changed files:
	usr.bin/netstat/Makefile	(add fast_ipsec.c)
	usr.bin/netstat/netstat.h	(declarations for fast_ipsec.c)
	usr.bin/netstat/main.c		(call KAME-vs-fast-ipsec dispatcher)
 2004-05-07 00:55:14 +00:00
skd 1b1b474faa Fix to update all references to mbuf. Fixes case where mbuf is freed twice. 2004-05-04 11:31:52 +00:00
darrenr 39ee9f396a at line 543, we do a pullup here of hlen bytes into the mbuf, 
so these later ones are superfluous.
 2004-05-02 05:02:53 +00:00
matt c41eb5a6f6 defflag TCP_OUTPUT_COUNTERS and TCP_REASS_COUNTERS 2004-05-01 02:21:44 +00:00
matt da67d85073 Use EVCNT_ATTACH_STATIC{,2} 2004-05-01 02:20:42 +00:00
ragge 79edf5fba0 Send an arp request before the arp entry times out if the entry is active, 
to avoid deleting active entries.
Add sysctl support to tune the default arp timeout values.
 2004-04-28 14:09:36 +00:00
matt 5a0de7507d When a packet is received that overlaps the left side of the window, 
check for RST *before* trimming data and adjust its sequence number.
 2004-04-27 14:46:07 +00:00
itojun 362e07a3c9 zero-clear ip6?pseudo before use 2004-04-26 05:18:13 +00:00
itojun f103f9aee9 declare ip6_hdr_pseudo (for kernel only) and use it for TCP MD5 signature 2004-04-26 05:15:47 +00:00
itojun 67372cc454 sync comment with reality 2004-04-26 05:05:49 +00:00
itojun e0395ac8f0 make TCP MD5 signature work with KAME IPSEC (#define IPSEC). 
support IPv6 if KAME IPSEC (RFC is not explicit about how we make data stream
for checksum with IPv6, but i'm pretty sure using normal pseudo-header is the
right thing).

XXX
current TCP MD5 signature code has giant flaw:
it does not validate signature on input (can't believe it! what is the point?)
 2004-04-26 03:54:28 +00:00
matt 5413745100 Remove #else clause of __STDC__ 2004-04-26 01:31:56 +00:00