Commit Graph

709 Commits

Author SHA1 Message Date
sommerfeld c2accd9f9c In ip_forward():
Avoid forwarding ip unicast packets which were contained inside
link-level multicast packets; having M_MCAST still set in the packet
header flags will mean that the packet will get multicast to a bogus
group instead of unicast to the next hop.

Malformed packets like this have occasionally been spotted "in the
wild" on a mediaone cable modem segment which also had multiple netbsd
machines running as router/NAT boxes.

Without this, any subnet with multiple netbsd routers receiving all
multicasts will generate a packet storm on receipt of such a
multicast.  Note that we already do the same check here for link-level
broadcasts; ip6_forward already does this as well.

Note that multicast forwarding does not go through ip_forward().

Adding some code to if_ethersubr to sanity check link-level
vs. ip-level multicast addresses might also be worthwhile.
1999-10-17 16:00:00 +00:00
sommerfeld d0790aa895 in ipfr_fastroute, before calling icmp_error(), put received-interface
back into the packet.  (ip_output() clears it since ipsec reuses that
packet field in the output path.  by putting it back, we're going to
pretend we're back on the input path now).
1999-10-12 14:51:34 +00:00
is f546d949b6 Decouple IP mtu for ARCnet devices from interface MTU.
This is important, because for most protocols, link level fragmentation is
used, but with different default effective MTUs. (e.g.: IPv4 default MTU
is 1500 octets, IPv6 default MTU is 9072 octets).
1999-09-25 17:49:27 +00:00
enami 5326516a15 Make this compile without INET6. 1999-09-23 04:02:27 +00:00
itojun 9474edfcd8 cleanup and correct TCP MSS consideration with IPsec headers.
MSS advertisement must always be:
	max(if mtu) - ip hdr siz - tcp hdr siz
We violated this in the previous code so it was fixed.

tcp_mss_to_advertise() now takes af (af on wire) as its argument,
to compute right ip hdr siz.

tcp_segsize() will take care of IPsec header size.
One thing I'm not really sure is how to handle IPsec header size in
*rxsegsizep (inbound segment size estimation).
The current code subtracts possible *outbound* IPsec size from *rxsegsizep,
hoping that the peer is using the same IPsec policy as me.
It may not be applicable, could TCP gulu please comment...
1999-09-23 02:21:30 +00:00
itojun 6b9bfc0691 - Call in{,6}_pcbdetach if ipsec initialization is failed during PRU_ATTACH.
This situation happens on severe memory shortage.  We may need more
  improvements here and there.
- Grab IEEE802 address from IFT_ETHER card, even if the card is
  inserted after bootup time.  Is there any other card that can be
  inserted afterwards?  pcmcia fddi card? :-P
- RFC2373 u bit handling suggests that we SHOULD NOT copy interface id from
  ethernet card to pseudo interface, when ethernet card has IEEE802/EUI64
  with u bit != 0 (this means that IEEE802/EUI64 is not universally unique).
  Do not use such address as, for example, interface id for gif interface.
  (I have such an ethernet card myself)
  This may change interface id for your gif interface.  be careful upgrading
  rc files.

(sync with recent KAME)
1999-09-13 12:15:54 +00:00
simonb fd8040a031 s/acknowledgment/acknowledgement/ 1999-09-10 03:24:14 +00:00
itojun 4597cff18d fix tcp mss consideration on ipsec operation.
now tcp-over-ipsec should not experience fragmentation due to
addition of ipsec header.

From: proff@suburbia.net (Julian Assange)
1999-08-27 02:56:14 +00:00
itojun a89a69391a clear m->m_pkthdr.rcvif before calling ip_output().
the member is used to pass struct socket to ip{,6}_output for ipsec decisions.

(i agree it is kind of ugly.  we need to modify struct mbuf if we are
to do better - which seems to me a bit too much)
1999-08-26 02:56:59 +00:00
marc 3c1adf9354 when fastrouting a packet which needs fragmentation, the packet passed
to if_output did not have m->m_pkthdr.len set correctly.  Add the code
to do this from the similar code in ip_output.c
1999-08-26 02:15:35 +00:00
thorpej 1e921673e3 Fix a problem discovered by the snd_recover update fix. A bit of the
New Reno fast recovery code was being executed even when New Reno was
disabled, resulting in an unfortunate interaction with the traditional
fast recovery code, the end resulting being that the very condition
that would trigger the traditional fast recovery mechanism caused fast
recovery to be disabled!

Problem reported by Ted Lemon, and some analytical help from Charles Hannum.
1999-08-26 00:04:30 +00:00
itojun 809ab7f1ff When listening socket goes away, remove assockated syn cache entires.
Stale syn cache entries are useless because none of them will be used
if there is no listening socket, as tcp_input looks up listening socket by
in_pcblookup*() before looking into syn cache.

This fixes race condition due to dangling socket pointer from syn cache
entries to listening socket (this was introduced when ipsec is merged in).

This should preserve currently implemented behavior (but not 4.4BSD
behavior prior to syn cache).

Tested in KAME repository before commit, but we'd better run some
regression tests.
1999-08-25 15:23:12 +00:00
itojun d48c55f4f0 ctlinput handling must look at ip6_src, not ip6_dst.
(this makes path mtu handling wrong)
1999-08-25 12:38:14 +00:00
bouyer 4f806e660f Fix for kern/7831 from Darren Reed after discussion on tech-net 2 weeks ago:
check that the packet if of the rigth protocol before giving it to the
proxy module, otherwise let the ipnat code handle it.
What happens in kern/7831 is that a router sends back a icmp message for
a TCP SYN, and ip_proxy.c forwards it to ip_ftp_pxy.c which can only
handle TCP packets. The icmp message is properly handled by ipnat, no need to
go to ip_ftp_pxy.c.
1999-08-24 16:10:35 +00:00
christos d6f8878423 PR/8254: Wolfgang Rupprecht: Incorrect logging of tcp connections; Fix src/dst
confusion.
1999-08-23 14:14:30 +00:00
matt d3448593e5 Cleanup a little kludge in mtu handling in route.c. Bring down FDDI
mtu to legal IP max but don't affect other protocols.
1999-08-21 03:46:35 +00:00
itojun 00cf8638cb do not capture packets by gif, when gif interface is down. 1999-08-20 10:07:40 +00:00
itojun 98fab25334 fix sototcpcb(). this sometimes caused panic on OOB data reception.
the macro may need to be expanded into dedicated function, rather than a macro,
to capture unsupported values.
1999-08-12 16:04:52 +00:00
thorpej af1e02ad91 Fix a few bugs in the TCP New Reno code:
- Make sure that snd_recover is always at least snd_una.  If we don't do
  this, there can be confusion when sequence numbers wrap around on a
  large loss-free data transfer.
- When doing a New Reno retransmit, snd_una hasn't been updated yet,
  and the socket's send buffer has not yet dropped off ACK'd data, so
  don't muddle with snd_una, so that tcp_output() gets the correct data
  offset.
- When doing a New Reno retransmit, make sure the congestion window is
  open one segment beyond the ACK'd data, so that we can actually perform
  the retransmit.

Partially derived from, although more complete than, similar changes in
OpenBSD, which in turn originated from Tom Henderson <tomh@cs.berkeley.edu>.
1999-08-11 17:37:59 +00:00
thorpej e48f29e82b Make sure the echoed RFC 1323 timestamp is valid before using it to
compute the round trip time.  From Mark Allman <mallman@lerc.nasa.gov>.
1999-08-11 03:02:18 +00:00
itojun a9b7fe4621 return with doing nothing from xx_ctlinput(), when sa->sa_family
is not the expected one.

I see PRC_REDIRECT_HOST with sa->sa_family == AF_UNIX coming to
{tcp,udp}_ctlinput() when I use dhclient, and I feel like adding
more sanity checks, without logging - if we log it it is too noisy.
1999-08-09 10:55:29 +00:00
sommerfeld 08e495eda4 Delete debug printfs from arp_drain() 1999-08-05 04:36:56 +00:00
sommerfeld 2aa9696fee Implement arp_drain(), which frees packets tied up in the arp cache if
mbufs are in short supply.
Create a (trivial) protocol domain for arp so that the drain routine will
be called from m_reclaim()
1999-08-05 04:04:28 +00:00
itojun 70ada0957e sync with recent KAME.
- loosen ipsec restriction on packet diredtion.
- revise icmp6 redirect handling on IsRouter bit.
- tcp/udp notification processing (link-local address case)
- cosmetic fixes (better code share across *BSD).
1999-07-31 18:41:15 +00:00
itojun 06c350054d remove reference to in6_systm.h (file itself will be removed afterwords) 1999-07-30 10:35:34 +00:00
itojun 42c5caafe7 do not include unnecessary include files. 1999-07-23 15:21:17 +00:00
itojun 7fee35f579 - implement IPv6 pmtud, which is necessary for TCP6.
- fix memory leak on SO_DEBUG over TCP.
1999-07-22 12:56:56 +00:00
itojun b479094c45 no need to include faith.h on non-IPv6 build, so wrap by #ifdef.
(dunno if it's better to always include it or not)
1999-07-17 12:53:05 +00:00
itojun c74f79d16f fix faith interface support. need testing.
(i understand this is a dirty hack, of course)
1999-07-17 07:07:08 +00:00
itojun 685747d56c Use proper ip protocol # field and tcp hdr on sending RST against SYN,
when ip header and tcp header are not adjacent to each other
(i.e. when ip6 options are attached).

To test this, try
	telnet @::1@::1 port
toward a port without responding server.  Prior to the fix, the kernel will
generate broken RST packet.
1999-07-14 22:37:13 +00:00
drochner 46f90cb053 make sending of keepalive messages work again:
-remove bogus sanity check involving an uninitialized variable
-correct mbuf cluster allocation
-(non-critical) remove redundant check in cleanup after error
1999-07-14 22:08:52 +00:00
thorpej 267920eb1a defopt INET6, and put it in opt_inet.h (most places already include this
file, which is why the file list is so short).
1999-07-09 23:41:16 +00:00
thorpej f9a7668b3f defopt IPSEC and IPSEC_ESP (both into opt_ipsec.h). 1999-07-09 22:57:15 +00:00
drochner 2df8761fac for incoming broadcasts, strip IP/UDP header correctly
wrap a line
1999-07-06 14:37:47 +00:00
itojun dcc13cdd33 sync with KAME/NetBSD 1.4, SNAP kit 19990705.
key changes are:
- icmp6 redirect fix (dst check)
- revised ip6 multicast check for loopback i/f
- several RCS ID cleanups
1999-07-06 12:23:19 +00:00
darrenr a47ffec442 Call icmp_error() at the bottom of rip_input IFF rip_input is the handler
for the protocol in the specified packet.
Fix statistic gathering to not make bogus increments of ips_delivered and
ips_noproto for cases where rip_input() is called by a protocol handler
(such as icmp_input or igmp_input) which has already processed the packet.
1999-07-05 07:24:38 +00:00
thorpej cd3a345ea0 RCS ID police. 1999-07-03 21:24:45 +00:00
fvdl e3fa5cc725 Fix for -Wunitialized warnings broke compiles without INET6, refix. 1999-07-02 21:02:05 +00:00
itojun 4b961b81e3 avoid "variable not initialized" warnings on some of the platforms. 1999-07-02 12:45:32 +00:00
itojun f8346292af move ipsec sysctl index to IPPROTO_AH (instead of IPPROTO_ESP),
so that you can perform sysctl operation when ESP is not compiled in.
1999-07-02 08:46:47 +00:00
itojun 118d2b1d4f IPv6 kernel code, based on KAME/NetBSD 1.4, SNAP kit 19990628.
(Sorry for a big commit, I can't separate this into several pieces...)
Pls check sys/netinet6/TODO and sys/netinet6/IMPLEMENTATION for details.

- sys/kern: do not assume single mbuf, accept chained mbuf on passing
  data from userland to kernel (or other way round).
- "midway" ATM card: ATM PVC pseudo device support, like those done in ALTQ
  package (ftp://ftp.csl.sony.co.jp/pub/kjc/).
- sys/netinet/tcp*: IPv4/v6 dual stack tcp support.
- sys/netinet/{ip6,icmp6}.h, sys/net/pfkeyv2.h: IETF document assumes those
  file to be there so we patch it up.
- sys/netinet: IPsec additions are here and there.
- sys/netinet6/*: most of IPv6 code sits here.
- sys/netkey: IPsec key management code
- dev/pci/pcidevs: regen

In my understanding no code here is subject to export control so it
should be safe.
1999-07-01 08:12:45 +00:00
darrenr 67cac86e57 add PR_LISTEN to protocols which support listen(2) 1999-07-01 05:53:04 +00:00
itojun 74d3c214ec KAME/NetBSD 1.4 SNAP kit, dated 19990628.
NOTE: this branch (kame) is used just for refernce.  this may not compile
due to multiple reasons.
1999-06-28 06:36:47 +00:00
sommerfeld b7c70d2b2f If the new global variable hostzerobroadcast is zero, no longer assume
address zero of each net/subnet is a broadcast address.
(The default value is nonzero, which preserves the current behavior).

This can be set using sysctl; the boot-time default can also be
configured using the HOSTZEROBROADCAST kernel config option.

While we're here, defopt HOSTZEROBROADCAST and SUBNETSARELOCAL
1999-06-26 06:16:47 +00:00
thorpej 51867fc227 When sending an ARP reply, make sure to set the length of the outgoing
packet.

Slightly modified from PR #7809, Zdenek Salvet <salvet@ics.muni.cz>.
1999-06-18 18:20:50 +00:00
mrg 7185af78dc oops. move sendit: above the PFIL_HOOKS so that multicast traffic is filtered. from darren reed. 1999-06-07 01:26:04 +00:00
bad 6b30aed924 Fix thinko of mine in previous. The source route info is not at m->m_data
after various m_adj()s have been done.  Kludge around this with a cheesy
macro that knows where the drivers put the mac header in the first mbuf.

XXX There should be a better way to do this.
1999-05-30 00:39:07 +00:00
bad 0b3a9f9e00 Don't assume the Token-Ring source route is in the m_pktdat. Use
m_data instead.  This isn't a problem with ARP packets but is correct
way to this.

Noticed by pmara@cactus.org (Shashi Mara).
1999-05-29 22:36:07 +00:00
ad ccc7e59e1f Add new sysctl (net.inet.tcp.log_refused) that when set, causes refused TCP
connections to be logged.
1999-05-23 20:33:50 +00:00
ad bdf1938edd For completeness sake, allow this to compile with no loopback interfaces
configured.
1999-05-23 20:21:51 +00:00
thorpej 788dee365c Sigh, fix some broken logic in the last change to INADDR_TO_IA(), and make
the macro a little more obvious.  Should fix kern/7589, from Jens A Nilsson.
1999-05-16 19:33:27 +00:00
is 7807c9a493 Fixes PR 7489 by Olaf Seibert. Fix by Zdenek Salvet (PR 7497). 1999-05-04 20:50:35 +00:00
hwr d313e75afe It does not make much sense to increase a "output" counter on input. 1999-05-04 20:13:09 +00:00
hwr 3fa094f8b5 Don't let packets with a Class-D source address escape the host.
Fixes second half of kern/7003 by Jonathan Stone <jonathan@DSG.Stanford.EDU>.
1999-05-04 19:50:23 +00:00
is 7470bd006a Fix for PR 7490 by Olaf Seibert, fix mostly from PR 7497 bei Zdenek Salvet,
but with more verbose error messages.
1999-05-04 14:58:27 +00:00
thorpej 3faa72bd56 Fix an ininitialized variable that the MIPS compiler caught (but the
SPARC, Alpha, Arm, and i386 compilers missed).
1999-05-03 23:30:27 +00:00
thorpej a40dff106e In INADDR_TO_IA(), skip interfaces which are not up. Revert previous change
to ip_input.c to check the interface status after INADDR_TO_IA().

Fix cooked up by Heiko Rupp and myself.

Fixes PR 7480.
1999-05-03 22:12:44 +00:00
hwr 33a8a5933b Drop packets, that have a Class-D address as source address.
Implements the first half of PR 7003.
1999-05-03 21:14:47 +00:00
thorpej 2cd33a0ce1 Implement retransmit logic for the SYN cache engine. Fixes a rare condition
where one side can think a connection exists, where the other side thinks
the connection was never established.

The original problem was first reported by Ty Sarna in PR #5909.  The
original fix I made to the code didn't cover all cases.  The problem this
fix addresses was reported by Christoph Badura via private e-mail.

Many thanks to Bill Sommerfeld for helping me to test this code, and
for finding a subtle bug.
1999-04-29 03:54:22 +00:00
hwr fb7871d6b2 If the incoming code value is 0, timer gets 0, which would mean
a divide by zero afterwards.
This is also, what Bill Fenner seems to have done in the FreeBSD igmp
code.
This should fix kern/6541.
1999-04-25 10:26:29 +00:00
simonb be3adbebcc Don't extern sb_max, <sys/socketvar.h> provides a definition. 1999-04-22 01:32:30 +00:00
kml a7f8ef5e9b Ensure that out of window SYNs receive an ACK in responce, rather than
being dropped.  This fixes a bug reported by Jason Thorpe.
1999-04-09 22:01:07 +00:00
proff 8775e52947 tiny KNF change 1999-04-07 05:34:32 +00:00
proff ae938abb49 Prevent reception of packets on downed interfaces (via an up interface).
fixes kern/7327
1999-04-07 02:31:05 +00:00
tron 1b27086b7e - Make sure that interface can't be marked up before a route to the remote
tunnel end was found.
- Flush route and reset MTU if interface is marked down.
1999-04-04 09:10:27 +00:00
tron ef85f04fcb Avoid kernel panic if interface is configured before a route to the
remote of the tunnel can be found.

XXX If you manually mark the interface as "UP" and set the MTU later
XXX sending a packet will still cause a kernel panic.
1999-04-04 00:21:53 +00:00
hwr 3f5c626e42 Setting of source and destination IP is not done by
passing SIOCSIFADDR/SIOIFDSTADDR, but by passing the addresses in
the appropriate structs.
One of the mysteries of ifconfig IMHO...

Should fix kern/6899.
1999-04-02 20:39:23 +00:00
mycroft 742a052418 Fix a null pointer dereference in the case where forwarding is turned on and
there are interfaces up but with no addresses.
1999-03-30 19:02:56 +00:00
nathanw 9c6754cd69 Alpha printf format fixes.
Closes PR kern/7258.
1999-03-27 21:47:59 +00:00
aidan da1b3a7abf Added per-addr input/output statistics. Currently just support netatalk
and netinet, currently only tested under netinet.

Disabled by default, enabled by compiling the kernel with option
IFA_STATS.  Enabling this feature seems to make the ip_output function
take 13% longer than before, which should be OK for people that need
this feature.
1999-03-27 01:24:49 +00:00
proff 85ab19698a security: test for ip_len < ip_hl <<2 and drop packet accordingly 1999-03-26 08:51:35 +00:00
lukem 8a931fcdd8 Ensure that you can only bind a more specific address when it is done by the
same uid or by root.

This code is from FreeBSD. (Whilst it was originally obtained from OpenBSD,
FreeBSD fixed it to work with multicast. To quote the commit message:
    - Don't bother checking for conflicting sockets if we're binding to a
      multicast address.
    - Don't return an error if we're binding to INADDR_ANY, the conflicting
      socket is bound to INADDR_ANY, and the conflicting socket has
      SO_REUSEPORT set.
)
1999-03-23 10:45:37 +00:00
bad a5283c98c0 Add support for Token-Ring source routes in the ARP cache.
By Onno van der Linden.
1999-03-22 22:30:42 +00:00
perry d446fb449c exterminate ovbcopy. patches provided by Erik Bertelsen, pr-7145 1999-03-12 22:42:30 +00:00
mycroft c6d172438d Minor cleanup to use LONG_SUM() and CALC_SUMD() more. 1999-03-05 07:27:09 +00:00
explorer cff4c9630b Don't mix in data just to stir the rnd pool. Extracting data will do that,
any network packets received might, too, so this is already taken care of.
1999-02-28 13:41:24 +00:00
drochner 918dfd95e1 -always do an RARP if revarpwhoarewe() is called, it might be for another
interface or the server's configuration has changed
-g/c revarpwhoami()
1999-02-21 15:17:14 +00:00
matt 7ebd19d744 According to Dave Borman, the iss should be using snd_nxt and not rcv_nxt
(from tcp_impl mailing-list).
1999-02-05 22:37:24 +00:00
explorer 25d32ef34d REALLY only update the window when we get an ACK. (the old code seemed broken) 1999-02-04 22:58:37 +00:00
cjs 8befad84b1 Remove SCCS markers and make these compile in $NetBSD$ IDs. 1999-02-02 19:57:30 +00:00
thorpej a350d7b28b Set the tunnel destination address correctly. Should fix PR #6899. 1999-02-02 07:20:13 +00:00
marc 5f688e6632 remove gre_softc declaration; the symbol is no longer used in this
file.
1999-02-02 07:10:45 +00:00
mycroft 5e373d307f Clear mfchashtbl after it's deallocated, to kill a stray pointer. Fixes PR
5400.
1999-02-01 15:09:46 +00:00
thorpej a22cfcf3d4 Make programs that use raw IP work again; trim the header length from ip_len
before handing the packet off to the socket.
1999-01-30 21:43:16 +00:00
itohy 7751c2e2eb ~htons(...) is always negative. 1999-01-28 21:29:27 +00:00
thorpej 6c30816c15 Fix a slight error in previous. Rearrange some code in tcp_respond() so
that a DIAGNOSTIC check against the destination address is actually
checking the destination address.  "oops."
1999-01-26 08:28:50 +00:00
mycroft 8ede79f2b4 One more tweak to the checksum hack, and I promise I'm done. B-) 1999-01-25 15:53:29 +00:00
mycroft 50438b6df0 Absolutely minor tweak to generate better code. 1999-01-25 15:36:50 +00:00
mycroft 70e6acdfef Update the comment about the checksum hack. It was way out of date. 1999-01-24 13:34:35 +00:00
mycroft 94895652e1 Modify the checksum slightly so that the htons()s can all be combined. 1999-01-24 12:57:38 +00:00
thorpej a58f271406 Oops, forgot to update copyright notice in previous. 1999-01-24 01:21:18 +00:00
thorpej 86e2c3fbc6 * Completely rewrite syn_cache_respond().
- Don't use tcp_respond(), instead create the tcp/ip header from scratch,
and send it ourself.
- Reuse the mbuf that carried the SYN, or allocate one if that is not
available.
- Cache the route we look up to do the Path MTU Discovery check, and
transfer the reference to that route to the inpcb when the connection
completes.
* Macro'ize a small, but often repeated code fragment.
1999-01-24 01:19:28 +00:00
mycroft b790730226 Fix problems with fr_tcpsum() that prevented the FTP proxy from working. 1999-01-23 08:50:52 +00:00
thorpej a43786143f Fix a problem pointed out by Charles Hannum; DF wasn't being set in
SYN,ACK packets during Path MTU Discovery.  Fix tcp_respond() to do the
appropriate route lookup and set DF as appropriate.

Also, fixup similar code in tcp_output() to relookup the route if it
is down.
1999-01-20 03:39:54 +00:00
mycroft 231a906c71 There's just no plausible reason to byte-swap ip_id internally. It's opaque. 1999-01-19 23:39:56 +00:00
mycroft 7eeb5a04da Don't screw with ip_len; just subtract from it where we actually use the
value.
1999-01-19 23:03:20 +00:00
mycroft d3ea3de1af Fix byte-swapping of ip_len in returned IP header. 1999-01-19 22:10:42 +00:00
mycroft fc1211a6ab Don't overwrite the checksum fields when checking them. There's no reason to
do this, and it screws up ICMP replies.
XXX The returned IP checksum and length are still wrong.
1999-01-19 21:58:40 +00:00
thorpej 4b0e6bb4dc Domains are associated with protocol families, not address families. 1999-01-14 01:16:55 +00:00
thorpej 98d3903da8 Use the count supplied to the pseudo-device attach routine to dynamically
allocate (once) the ipip_softc array; don't assume NIPIP contains the count.
1999-01-13 23:01:20 +00:00
thorpej 555784ccd5 Fix byte order and ip_len inconsistencies in ICMP reply code. Also, fix
some formatting and HTONS(foo) vs. foo = htons(foo) inconsistencies.

PR #6602, Darren Reed.
1999-01-11 22:35:06 +00:00
thorpej 6ae68b4feb Pull the IP-in-IP tunneling support out of the GRE code. It's not handled
by a separate IP-IP input path.

XXX Should eventually do the same thing for IPPROTO_MOBILE.
1999-01-11 21:32:13 +00:00
thorpej 9508f259bf Adjust for the new IP-IP input path. mrt_ipip_input() is called from
ipip_input(), and returns non-zero if mrt_ipip_input() handled the
packet.

XXX Eventually, the multicast code should probably use regular IP-IP
XXX `interfaces', but mrouted knows about the VIF table, etc.
1999-01-11 21:31:03 +00:00
thorpej 9d996b9e4e Adjust for the new IP-IP input path. 1999-01-11 21:28:28 +00:00
thorpej 9f9be750f6 Separate out the IP-in-IP implementation from the GRE code. This cleans
up the interface to ip_mroute.c somewhat, and properly separates IP-IP
from GRE.  (They are similar, but they are different protocols, and should
not be implemented in the same place.)
1999-01-11 21:26:53 +00:00
thorpej 5f69dedb2c ipip_input() -> mrt_ipip_input(). 1998-12-22 02:51:32 +00:00
thorpej 54377d1212 Simplify the tunnel lookup routine. 1998-12-22 01:49:04 +00:00
thorpej 12632ebf71 Reverse the copyright-notice-swap. It went against existing practice. 1998-12-19 02:46:12 +00:00
thorpej 4f177aec90 Add a lock around the TCPCB's sequence queue, to prevent tcp_drain()
from corrupting the queue if called from a device's interrupt context.

Similar in nature to the problem reported in PR #5684.
1998-12-18 21:38:02 +00:00
thorpej ca15e01c76 Add a lock around the IP fragment reassembly queue, to prevent ip_drain()
from corrupting the queue if called from a device's interrupt context.

Should fix PR #5684.
1998-12-18 21:35:11 +00:00
thorpej 93454aafc6 Delay sending if SS_MORETOCOME is set in so_state. This avoids the case
where the user issued a write with a length greater than MLEN but less
than MINCLSIZE, thus causing two mbufs to be used.  The loop in sosend()
would then call PRU_SEND twice, causing TCP to transmit 2 packets when
it could have transmitted one.

Suggested by Justin Walker <justin@apple.com> on the freebsd-net
mailing list.
1998-12-16 00:33:14 +00:00
mrg 2f2fd097ef remove this insanity. appeared with ipfilter 3.2.10... 1998-12-11 23:47:16 +00:00
drochner 914642e439 correction to the previous: protect against _LKM too
pointed out by Todd Whitesel <toddpw@best.com>
1998-12-11 11:57:33 +00:00
drochner 36b809fed6 correcton tp previous: don't try to include kernel option headers in
userland
fixes PR kern/6561 (Takahiro Kambe)
1998-12-11 09:15:42 +00:00
christos ce96f9960a defopt IPFILTER_LOG 1998-12-10 15:50:59 +00:00
christos c7578c510a defopt 1998-12-10 11:01:01 +00:00
mrg a94214bdd0 add a patch from darren reed, to make ipfilter use our cksum routine. 1998-11-26 12:21:47 +00:00
sommerfe 0cdf66e377 Fragments should start with a header mbuf allocated by MGETHDR() 1998-11-25 21:13:58 +00:00
mrg 4dd9bebb58 add two more prototypes. noted missing by mjacob. 1998-11-22 23:30:36 +00:00
mrg 78db9d7d95 merge ipf 3.2.10 1998-11-22 15:17:18 +00:00
lukem 0cd1643609 if INADDR_ANY is given in in_pcbconnect(), choose the ia_addr of the first
interface, not the ia_broadaddr.  should fix [standards/5645] and [kern/6425]
1998-11-16 05:47:19 +00:00
drochner 1658ac64a8 fix the previous: "securelevel" in kernel only 1998-11-15 17:36:19 +00:00
tls da1c106b85 In 'highly secure' mode (securelevel >= 2), the filter lists may not be tampered with. It might be desirable to allow enabling of preset filter lists, but it seems too good a candidate for a denial-of-service attack, so we don't. 1998-11-14 07:42:37 +00:00
lukem cc41dfe747 simplify test in in_pcbbind() for setting wild=1; no need to check if
((so->so_proto->pr_flags & PR_CONNREQUIRED) == 0 ||
	(so->so_options & SO_ACCEPTCONN) == 0)
since the latter is always true, so the former test in unnecessary.
from `TCP/IP Illustrated, Volume 2', W. Richard Stevens, p 730.
1998-11-13 10:50:10 +00:00
thorpej 0e3a0a7f80 Once a fragmented IP packet has been reassembled, recompute the packet
length before passing it up the stack.  From FreeBSD.
1998-11-13 03:24:22 +00:00
ws ede30e2813 Fix a buglet when looking up an interface for multicast:
Zero out the routing structure before calling the route lookup code
in order to correctly match addresses.
1998-10-26 17:31:01 +00:00
matt 3ad026ac87 vax -> __vax__ (and mips to __mips__ in ultrix_misc.c) 1998-10-20 01:46:27 +00:00
kim cd7e3136ad Use ETHERTYPE_ATALK instead of ETHERTYPE_AT. The former seems more common.
Our other constants also use "ATALK".

Added many new ETHERTYPE constants to sys/net/ethertypes.h, including the
ones from libpcap and tcpdump "ethertype.h" files.
1998-10-13 02:34:31 +00:00
thorpej 14f5ac9081 Use the pool allocator for ipflow entries. 1998-10-08 01:41:45 +00:00
thorpej 974aa74abd Use the pool allocator for ipqent structures. 1998-10-08 01:19:25 +00:00
thorpej 588ccb2d75 Fix some typos in comments, and clean up some whitespace. 1998-10-07 23:33:02 +00:00
thorpej 6cfb33b4e4 Use the pool allocator for the tcpcb's TCP/IP header template. 1998-10-07 23:20:03 +00:00
matt bf4e491879 Fix boolean dyslexic test. Duh! 1998-10-06 00:41:13 +00:00
matt 8e8f38e0f2 Add a sysctl for newreno (default to off). 1998-10-06 00:20:44 +00:00
lukem a1ea50ee45 * in_pcblookup_port(): deprecate INPLOOKUP_WILDCARD and flags in favour
of a lookup_wildcard arg; simplifies the logic a bit.
* when assigning ephemeral ports in in_pcbbind(), always call
  in_pcblookup_port() with lookup_wildcard=1, so that ephemeral port
  allocation on sockets with SO_REUSEADDR set won't potentially bind to a
  port in use by something else (principle of least surprise).
1998-10-05 14:33:14 +00:00
matt 25054b5cf7 Adapt the NEWRENO changes from the UCSB diffs of BSDI 3.0's TCP
to NetBSD.  Ignore the SACK & FACK stuff for now.
1998-10-04 21:33:52 +00:00
kleink c68106edad Use #error instead of causing a parse error. 1998-10-02 21:21:04 +00:00
drochner 5ddf423985 print reason for arplookup() failure (ala FreeBSD) 1998-10-01 11:04:24 +00:00
tls c4730d65cf Switch order of TNF and UCB copyrights so UCB copyright is first; this seems more appropriate since UCB wrote the original code, after all. 1998-09-30 21:52:24 +00:00
hwr eaccb9cd8d Start supporting IPPROTO_MOBILE (55) encapsulation. This is yet
another tunneling protocol used by the Mobile-IP people. See RFC 2004
for this.
1998-09-30 05:59:27 +00:00
christos e74ca32804 SIOCGIFALIAS should not be restricted to the superuser. 1998-09-28 12:32:43 +00:00
mycroft 4a000a54e6 Fix a typo (not mine) in a comment. 1998-09-19 04:34:34 +00:00
mycroft 04ef3bf88d If we're in LISTEN state and all of RST, SYN and ACK are clear, send a RST. 1998-09-19 04:32:51 +00:00
mycroft 31347e4671 Always send a 0 window with a RST. Suggested by Darren Reed. 1998-09-19 04:02:52 +00:00
hwr cf70cc28c7 Typo. :( 1998-09-14 21:15:56 +00:00
hwr 517139017e Some additions.
And IDPR-CMTP is 38 not 39 according to IANA.
1998-09-14 21:09:51 +00:00
hwr 366b9c4515 Add a gre tunnel pseudo network device. Gre = generic route encapsulation.
This device shows up like any other network interface and can be used to
tunnel L3 protocols as e.g. IP over IP.
1998-09-13 20:27:47 +00:00
christos 66dd35d72c Fix copyright spacing and 'Van' -> 'van' for consistency. 1998-09-13 15:45:40 +00:00
tv 235fc6a6a9 egcs {brace} warning fix 1998-09-10 19:53:28 +00:00
mouse b95116821c Create tcp.keepidle, tcp.keepintvl, tcp.keepcnt, tcp.slowhz sysctls. 1998-09-10 10:46:03 +00:00