yamt
0ea22c32fa
fix ipqent pool corruption problems. make tcp reass code use
its own pool of ipqent rather than sharing it with ip reass code.
PR/24782.
2004-09-15 09:21:22 +00:00
yamt
d676f9e5b0
fr_check_wrapper: as ipf modifies application data as well when
doing application proxy, it's needed to ensure that the whole packet
is writable here.
2004-09-06 10:46:02 +00:00
yamt
d73bcfeb33
fr_check_wrapper, fr_check_wrapper6:
ensure that mbufs are writable beforehand as ipf assumes.
PR/26773 and PR/26850.
2004-09-06 10:00:43 +00:00
darrenr
9ec77d6329
Do not allow packets flagged with "out-of-window" (oow) to match "keep state"
rules and try to prevent such rules ("keep state with oow") from being loaded
into the kernel.
Pr: kern/26581
2004-09-06 09:55:13 +00:00
manu
85111f912e
IPv4 PIM support, based on submission from Pavlin Radoslavov on tech-net@ :
two new files I forgot to add on the first cvs commit.
2004-09-04 23:32:29 +00:00
manu
6e3c639957
IPv4 PIM support, based on a submission from Pavlin Radoslavov posted on
tech-net@
2004-09-04 23:29:44 +00:00
darrenr
02c34673a3
add a per-socket counter for dropped UDP packets when the internal buffers
are full.
2004-09-03 18:14:09 +00:00
smb
57643d12c5
Don't try and add a state session if the packet has already been checked
and marked as out of window - trying to do the add will result in a failure
and the packet being blocked, incorrectly.
Committed By: darrenr
Tested By: smb
2004-09-03 04:18:09 +00:00
chs
34187f4589
fix m_pulldown() usage, it's different from m_pullup().
fixes PRs 26666 and 26701.
2004-08-22 21:38:21 +00:00
itojun
682ddb0274
initialize max_keylen for ip_encap.c earlier
2004-08-17 07:05:34 +00:00
yamt
28b17ac69e
in_control: fix address leaks on error, which causes a panic
("no domain for AF 0") on if_detach.
- SIOCAIFADDR, SIOCSIFADDR: free an address on error.
- SIOCSIFNETMASK, SIOCSIFDSTADDR: reject operations for an interface which
has no AF_INET addresses.
partly from OpenBSD and FreeBSD.
reviewed by Christos Zoulas on tech-net@.
2004-08-08 09:52:41 +00:00
christos
f3a2c3728b
remove the avail = 0; assignment which is superfluous. pointed out by enami.
2004-08-04 03:55:06 +00:00
christos
5ab21dfa5d
PR/26471: Arto Selonen: ipfilter 4.1.3 crashes the system every few hours
Remove extraneous m = NULL assignment that will cause a NULL dereference
later.
2004-08-03 16:16:30 +00:00
cube
19861ea4fe
Remove a common (icmpstat).
2004-08-03 13:58:59 +00:00
yamt
48d156e320
call PFIL_NEWIF hooks at a correct place.
(on SIOCAIFADDR rather than SIOCGIFALIAS.)
from Peter Postma, PR/26402.
ok'ed by itojun.
2004-07-26 13:43:14 +00:00
martti
7ff15b917f
Upgraded IPFilter to 4.1.3
2004-07-23 05:39:03 +00:00
martti
9e82a8bf0d
Import IPFilter 4.1.3
2004-07-23 05:33:55 +00:00
yamt
4374881880
fix typos. PFIL_HOOK -> PFIL_HOOKS
2004-07-18 11:37:38 +00:00
itojun
5807e550e5
typo. Bruno Rohee
2004-07-09 09:15:02 +00:00
christos
d397fc692a
Bring in flags from 4.1.2 to make things compile.
2004-07-08 02:52:02 +00:00
mycroft
cc559c8583
Fix SIOCSIFNETMASK -- it needs to use in_ifscrub() and in_ifinit() to update
the interface route and various internal state. Also, it should use an ifreq,
not an if_aliasreq. Addresses PR 9604. (Nothing in our source tree uses
SIOCSIFNETMASK, though. Perhaps it should be deprecated.)
2004-07-07 01:39:00 +00:00
minoura
c3ed038115
Remove broken code for now: getsockopt(s, IPPROTO_IP, IP_IPSEC_POLICY,...).
It returned EINVAL, now returns ENOPROTOOPT.
Ok'd by itojun.
2004-07-06 04:30:27 +00:00
heas
192b371d42
Adjust description for net.inet.udp.checksum; it does not control checking,
only computing.
2004-07-02 18:19:51 +00:00
christos
01a2047486
PR/25999: Jeff Rizzo: ipf: ipnat is corrupting "bimap" translations in 2.0_BETA and -current
2004-06-29 22:44:59 +00:00
itojun
2aef0b1784
correct TCP-MD5 support. Jeff Rizzo
2004-06-26 03:29:15 +00:00
itojun
db45a6f189
icmp_reflect: check if m_pkthdr.rcvif is non-NULL before touching it.
icmp_reflect could be called from the output path, so m_pkthdr.rcvif may not
be set. (found by panic when PF is configured "block return all")
2004-06-25 15:43:00 +00:00
itojun
59302fc979
be careful touching m_pkthdr.rcvif, it could be NULL if the packet was
generated from local node and icmp_error calls icmp_reflect.
2004-06-25 15:24:41 +00:00
itojun
047170b1cc
prepare PF-related hooks. reviewed by matt, perry, christos
2004-06-22 12:50:41 +00:00
tron
c465794d70
Correct two errors in fr_check():
1.) Make sure that "pass" is always initialized.
2.) Make sure the code doesn't use a stale mbuf pointer after fr_makefrip()
has been called. This fixes PR kern/25868.
Analyzed and reviewed by Steve Woodford.
2004-06-16 14:06:23 +00:00
tron
fcda778c8f
Don't leak mbuf if ipfr_fastroute6() fails.
Reviewed by Steve Woodford.
2004-06-16 14:02:39 +00:00
itojun
b834441eb5
update mtu value if outgoing interface changes with ipsec ops
(draft-touch-vpn case only?) iij seil team
2004-06-01 05:06:56 +00:00
itojun
b4ea6633c0
fix SIOC*LIFADDR for IPv4. markus friedl
2004-05-30 06:37:07 +00:00
atatat
4de3747b89
Sysctl descriptions under net subtree (net.key not done)
2004-05-25 04:33:59 +00:00
jonathan
349ad018c7
Remove now-unused variable.
2004-05-23 00:37:27 +00:00
jonathan
c8c7a6dbab
With FAST_IPSEC, include <netipsec/key.h>, as Itojun's recent changes
now require KEY_FREESAV() to be in scope.
2004-05-20 22:59:02 +00:00
christos
bd67b97d6a
PR/25622: IPV6 return RST and through cloned interfaces was broken.
- checksum was computed incorrectly.
- ipv6 packet was not initialized properly.
- fixed code to be more similar to the v4 counterpart.
2004-05-20 13:55:31 +00:00
christos
b78a596c7a
PR/25646: Perry Metzger: Commit a patch that compiles awaiting feedback.
2004-05-20 13:54:19 +00:00
christos
c046c90643
- remove superfluous assignment
- rt_gateway is already a pointer to struct sockaddr; don't take its address
when assigning it to struct sockaddr_in *
2004-05-18 21:47:45 +00:00
christos
0d17293b81
Fix buffer overrun in in_pcbopts() (FreeBSD PR/66386)
2004-05-18 16:47:08 +00:00
itojun
4ebcfcf29a
fix MD5 signature support to actually validate inbound signature, and
drop packet if fails.
2004-05-18 14:44:14 +00:00
christos
540c75a594
PR/25103: Martin Husemann: IP Filter 4.4.1 breaks some connections when NATing
patch from Darren applied.
2004-05-10 12:10:31 +00:00
christos
f07e678b45
PR/24969: Arto Selonen: /usr/sbin/ipfs from ipfilter 4.1.1 does not work
patch applied.
2004-05-10 01:34:59 +00:00
taca
3657b758c0
Make it compile without warning; void function fr_checkv4sum() and
fr_checkv6sum() should not return value.
2004-05-09 08:29:30 +00:00
christos
e982110b53
PR/24981: Steven M. Bellovin: ipfilter in 2.0 branch panics the system
patch applied.
2004-05-09 04:17:34 +00:00
christos
865c473c96
PR/25332: HIROSE yuuji: "fastroute(to)" in ipf.conf doesn't work; patch applied
2004-05-09 04:02:32 +00:00
christos
5592d4d1fa
PR/25441: Matthew Green: IP-Filter uses M_TEMP when it already has M_IPFILTER
2004-05-09 03:54:43 +00:00
chs
bd3ff85ff7
work around an LP64 problem where we report an excessively large window
due to incorrect mixing of types.
2004-05-08 14:41:47 +00:00
kleink
542839207d
Add definitions for the (currently unimplemented) ECN TCP flags;
from Chuck Swiger in PR standards/25058.
2004-05-07 20:11:52 +00:00
jonathan
85b3ba5bf1
Redo net.inet.* sysctl subtree for fast-ipsec from scratch.
Attach FAST-IPSEC statistics with 64-bit counters to new sysctl MIB.
Rework netstat to show FAST_IPSEC statistics, via sysctl, for
netstat -p ipsec.
New kernel files:
sys/netipsec/Makefile (new file; install *_var.h includes)
sys/netipsec/ipsec_var.h (new 64-bit mib counter struct)
Changed kernel files:
sys/Makefile (recurse into sys/netipsec/)
sys/netinet/in.h (fake IP_PROTO name for fast_ipsec
sysctl subtree.)
sys/netipsec/ipsec.h (minimal userspace inclusion)
sys/netipsec/ipsec_osdep.h (minimal userspace inclusion)
sys/netipsec/ipsec_netbsd.c (redo sysctl subtree from scratch)
sys/netipsec/key*.c (fix broken net.key subtree)
sys/netipsec/ah_var.h (increase all counters to 64 bits)
sys/netipsec/esp_var.h (increase all counters to 64 bits)
sys/netipsec/ipip_var.h (increase all counters to 64 bits)
sys/netipsec/ipcomp_var.h (increase all counters to 64 bits)
sys/netipsec/ipsec.c (add #include netipsec/ipsec_var.h)
sys/netipsec/ipsec_mbuf.c (add #include netipsec/ipsec_var.h)
sys/netipsec/ipsec_output.c (add #include netipsec/ipsec_var.h)
sys/netinet/raw_ip.c (add #include netipsec/ipsec_var.h)
sys/netinet/tcp_input.c (add #include netipsec/ipsec_var.h)
sys/netinet/udp_usrreq.c (add #include netipsec/ipsec_var.h)
Changes to usr.bin/netstat to print the new fast-ipsec sysctl tree
for "netstat -s -p ipsec":
New file:
usr.bin/netstat/fast_ipsec.c (print fast-ipsec counters)
Changed files:
usr.bin/netstat/Makefile (add fast_ipsec.c)
usr.bin/netstat/netstat.h (declarations for fast_ipsec.c)
usr.bin/netstat/main.c (call KAME-vs-fast-ipsec dispatcher)
2004-05-07 00:55:14 +00:00
skd
1b1b474faa
Fix to update all references to mbuf. Fixes case where mbuf is freed twice.
2004-05-04 11:31:52 +00:00