Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
134,027 Commits 606 Branches 0 Tags 3.1 GiB
Commit Graph

1426 Commits

Author SHA1 Message Date
darrenr 9ec77d6329 Do not allow packets flagged with "out-of-window" (oow) to match "keep state" 
rules and try to prevent such rules ("keep state with oow") from being loaded
into the kernel.

Pr: kern/26581
 2004-09-06 09:55:13 +00:00
manu 85111f912e IPv4 PIM support, based on submission from Pavlin Radoslavov on tech-net@ : 
two new files I forgot to add on the first cvs commit.
 2004-09-04 23:32:29 +00:00
manu 6e3c639957 IPv4 PIM support, based on a submission from Pavlin Radoslavov posted on 
tech-net@
 2004-09-04 23:29:44 +00:00
darrenr 02c34673a3 add a per-socket counter for dropped UDP packets when the internal buffers 
are full.
 2004-09-03 18:14:09 +00:00
smb 57643d12c5 Don't try and add a state session if the packet has already been checked 
and marked as out of window - trying to do the add will result in a failure
and the packet being blocked, incorrectly.

Committed By: darrenr
Tested By: smb
 2004-09-03 04:18:09 +00:00
chs 34187f4589 fix m_pulldown() usage, it's different from m_pullup(). 
fixes PRs 26666 and 26701.
 2004-08-22 21:38:21 +00:00
itojun 682ddb0274 initialize max_keylen for ip_encap.c earlier 2004-08-17 07:05:34 +00:00
yamt 28b17ac69e in_control: fix address leaks on error, which causes a panic 
("no domain for AF 0") on if_detach.
- SIOCAIFADDR, SIOCSIFADDR: free an address on error.
- SIOCSIFNETMASK, SIOCSIFDSTADDR: reject operations for an interface which
  has no AF_INET addresses.

partly from OpenBSD and FreeBSD.
reviewed by Christos Zoulas on tech-net@.
 2004-08-08 09:52:41 +00:00
christos f3a2c3728b remove the avail = 0; assignment which is superfluous. pointed out by enami. 2004-08-04 03:55:06 +00:00
christos 5ab21dfa5d PR/26471: Arto Selonen: ipfilter 4.1.3 crashes the system every few hours 
Remove extraneous m = NULL assignment that will cause a NULL dereference
later.
 2004-08-03 16:16:30 +00:00
cube 19861ea4fe Remove a common (icmpstat). 2004-08-03 13:58:59 +00:00
yamt 48d156e320 call PFIL_NEWIF hooks at a correct place. 
(on SIOCAIFADDR rather than SIOCGIFALIAS.)

from Peter Postma, PR/26402.
ok'ed by itojun.
 2004-07-26 13:43:14 +00:00
martti 7ff15b917f Upgraded IPFilter to 4.1.3 2004-07-23 05:39:03 +00:00
martti 9e82a8bf0d Import IPFilter 4.1.3 2004-07-23 05:33:55 +00:00
yamt 4374881880 fix typos. PFIL_HOOK -> PFIL_HOOKS 2004-07-18 11:37:38 +00:00
itojun 5807e550e5 typo. Bruno Rohee 2004-07-09 09:15:02 +00:00
christos d397fc692a Bring in flags from 4.1.2 to make things compile. 2004-07-08 02:52:02 +00:00
mycroft cc559c8583 Fix SIOCSIFNETMASK -- it needs to use in_ifscrub() and in_ifinit() to update 
the interface route and various internal state.  Also, it should use an ifreq,
not an if_aliasreq.  Addresses PR 9604.  (Nothing in our source tree uses
SIOCSIFNETMASK, though.  Perhaps it should be deprecated.)
 2004-07-07 01:39:00 +00:00
minoura c3ed038115 Remove broken code for now: getsockopt(s, IPPROTO_IP, IP_IPSEC_POLICY,...). 
It returned EINVAL, now returns ENOPROTOOPT.
Ok'd by itojun.
 2004-07-06 04:30:27 +00:00
heas 192b371d42 Adjust description for net.inet.udp.checksum; it does not controll checking, 
only computing.
 2004-07-02 18:19:51 +00:00
christos 01a2047486 PR/25999: Jeff Rizzo: ipf: ipnat is corrupting "bimap" translations in 2.0_BETA and -current 2004-06-29 22:44:59 +00:00
itojun 2aef0b1784 correct TCP-MD5 support. Jeff Rizzo 2004-06-26 03:29:15 +00:00
itojun db45a6f189 icmp_reflect: check if m_pkthdr.rcvif is non-NULL before touching it. 
icmp_reflect could be called from the output path, so m_pkthdr.rcvif may not
be set.  (found by panic when PF is configured "block return all")
 2004-06-25 15:43:00 +00:00
itojun 59302fc979 be careful touching m_pkthdr.rcvif, it could be NULL if the packet was 
generated from local node and icmp_error calls icmp_reflect.
 2004-06-25 15:24:41 +00:00
itojun 047170b1cc prepare PF-related hooks. reviewed by matt, perry, christos 2004-06-22 12:50:41 +00:00
tron c465794d70 Correct two errors in fr_check(): 
1.) Make sure that "pass" is always initialized.
2.) Make sure the code doesn't use a stale mbuf pointer after fr_makefrip()
    has been called. This fixes PR kern/25868.

Analyzed and reviewed by Steve Woodford.
 2004-06-16 14:06:23 +00:00
tron fcda778c8f Don't leak mbuf if ipfr_fastroute6() fails. 
Reviewed by Steve Woodford.
 2004-06-16 14:02:39 +00:00
itojun b834441eb5 update mtu value if outgoing interface changes with ipsec ops 
(draft-touch-vpn case only?)  iij seil team
 2004-06-01 05:06:56 +00:00
itojun b4ea6633c0 fix SIOC*LIFADDR for IPv4. markus friedl 2004-05-30 06:37:07 +00:00
atatat 4de3747b89 Sysctl descriptions under net subtree (net.key not done) 2004-05-25 04:33:59 +00:00
jonathan 349ad018c7 Remove now-unused variable. 2004-05-23 00:37:27 +00:00
jonathan c8c7a6dbab With FAST_IPSEC, include <netipsec/key.h>, as Itojun's recent changes 
now require KEY_FREESAV() to be in scope.
 2004-05-20 22:59:02 +00:00
christos bd67b97d6a PR/25622: IPV6 return RST and through cloned interfaces was broken. 
- checksum was computed incorrectly.
- ipv6 packet was not initialized properly.
- fixed code to be more similar to the v4 counterpart.
 2004-05-20 13:55:31 +00:00
christos b78a596c7a PR/25646: Perry Metzger: Commit a patch that compiles awaiting feedback. 2004-05-20 13:54:19 +00:00
christos c046c90643 - remove superfluous assignment 
- rt_gateway is already a pointer to struct sockaddr; don't take its address
  when assigning it to struct sockaddr_in *
 2004-05-18 21:47:45 +00:00
christos 0d17293b81 Fix buffer overrun in in_pcbopts() (FreeBSD PR/66386) 2004-05-18 16:47:08 +00:00
itojun 4ebcfcf29a fix MD5 signature support to actually validate inbound signature, and 
drop packet if fails.
 2004-05-18 14:44:14 +00:00
christos 540c75a594 PR/25103: Martin Husemann: IP Filter 4.4.1 breaks some connections when NATing 
patch from Darren applied.
 2004-05-10 12:10:31 +00:00
christos f07e678b45 PR/24969: Arto Selonen: /usr/sbin/ipfs from ipfilter 4.1.1 does not work 
patch applied.
 2004-05-10 01:34:59 +00:00
taca 3657b758c0 Make it comiple without warning; void function fr_checkv4sum() and 
fr_checkv6sum() should not return value.
 2004-05-09 08:29:30 +00:00
christos e982110b53 PR/24981: Steven M. Bellovin: ipfilter in 2.0 branch panics the system 
patch applied.
 2004-05-09 04:17:34 +00:00
christos 865c473c96 PR/25332: HIROSE yuuji: "fastroute(to)" in ipf.conf doesn't work; patch applied 2004-05-09 04:02:32 +00:00
christos 5592d4d1fa PR/25441: Matthew Green: IP-Filter uses M_TEMP when it already has M_IPFILTER 2004-05-09 03:54:43 +00:00
chs bd3ff85ff7 work around an LP64 problem where we report an excessively large window 
due to incorrect mixing of types.
 2004-05-08 14:41:47 +00:00
kleink 542839207d Add definitions for the (currently unimplemented) ECN TCP flags; 
from Chuck Swiger in PR standards/25058.
 2004-05-07 20:11:52 +00:00
jonathan 85b3ba5bf1 Redo net.inet.* sysctl subtree for fast-ipsec from scratch. 
Attach FAST-IPSEC statistics with 64-bit counters to new sysctl MIB.
Rework netstat to show FAST_IPSEC statistics, via sysctl,  for
netstat -p ipsec.

New kernel files:
	sys/netipsec/Makefile		(new file; install *_var.h includes)
	sys/netipsec/ipsec_var.h	(new 64-bit mib counter struct)

Changed kernel files:
	sys/Makefile			(recurse into sys/netipsec/)
	sys/netinet/in.h		(fake IP_PROTO name for fast_ipsec
					sysctl subtree.)
	sys/netipsec/ipsec.h		(minimal userspace inclusion)
	sys/netipsec/ipsec_osdep.h	(minimal userspace inclusion)
	sys/netipsec/ipsec_netbsd.c	(redo sysctl subtree from scratch)
	sys/netipsec/key*.c		(fix broken net.key subtree)

	sys/netipsec/ah_var.h		(increase all counters to 64 bits)
	sys/netipsec/esp_var.h		(increase all counters to 64 bits)
	sys/netipsec/ipip_var.h		(increase all counters to 64 bits)
	sys/netipsec/ipcomp_var.h	(increase all counters to 64 bits)

	sys/netipsec/ipsec.c		(add #include netipsec/ipsec_var.h)
	sys/netipsec/ipsec_mbuf.c	(add #include netipsec/ipsec_var.h)
	sys/netipsec/ipsec_output.c	(add #include netipsec/ipsec_var.h)

	sys/netinet/raw_ip.c		(add #include netipsec/ipsec_var.h)
	sys/netinet/tcp_input.c		(add #include netipsec/ipsec_var.h)
	sys/netinet/udp_usrreq.c	(add #include netipsec/ipsec_var.h)

Changes to usr.bin/netstat to print the new fast-ipsec sysctl tree
for "netstat -s -p ipsec":

New file:
	usr.bin/netstat/fast_ipsec.c	(print fast-ipsec counters)

Changed files:
	usr.bin/netstat/Makefile	(add fast_ipsec.c)
	usr.bin/netstat/netstat.h	(declarations for fast_ipsec.c)
	usr.bin/netstat/main.c		(call KAME-vs-fast-ipsec dispatcher)
 2004-05-07 00:55:14 +00:00
skd 1b1b474faa Fix to update all references to mbuf. Fixes case where mbuf is freed twice. 2004-05-04 11:31:52 +00:00
darrenr 39ee9f396a at line 543, we do a pullup here of hlen bytes into the mbuf, 
so these later ones are superfluous.
 2004-05-02 05:02:53 +00:00
matt c41eb5a6f6 defflag TCP_OUTPUT_COUNTERS and TCP_REASS_COUNTERS 2004-05-01 02:21:44 +00:00
matt da67d85073 Use EVCNT_ATTACH_STATIC{,2} 2004-05-01 02:20:42 +00:00
ragge 79edf5fba0 Send an arp request before the arp entry times out if the entry is active, 
to avoid deleting active entries.
Add sysctl support to tune the default arp timeout values.
 2004-04-28 14:09:36 +00:00
matt 5a0de7507d When a packet is received that overlaps the left side of the window, 
check for RST *before* trimming data and adjust its sequence number.
 2004-04-27 14:46:07 +00:00
itojun 362e07a3c9 zero-clear ip6?pseudo before use 2004-04-26 05:18:13 +00:00
itojun f103f9aee9 declare ip6_hdr_pseudo (for kernel only) and use it for TCP MD5 signature 2004-04-26 05:15:47 +00:00
itojun 67372cc454 sync comment with reality 2004-04-26 05:05:49 +00:00
itojun e0395ac8f0 make TCP MD5 signature work with KAME IPSEC (#define IPSEC). 
support IPv6 if KAME IPSEC (RFC is not explicit about how we make data stream
for checksum with IPv6, but i'm pretty sure using normal pseudo-header is the
right thing).

XXX
current TCP MD5 signature code has giant flaw:
it does not validate signature on input (can't believe it! what is the point?)
 2004-04-26 03:54:28 +00:00
matt 5413745100 Remove #else clause of __STDC__ 2004-04-26 01:31:56 +00:00
jonathan 887b782b0b Initial commit of a port of the FreeBSD implementation of RFC 2385 
(MD5 signatures for TCP, as used with BGP).  Credit for original
FreeBSD code goes to Bruce M. Simpson, with FreeBSD sponsorship
credited to sentex.net.  Shortening of the setsockopt() name
attributed to Vincent Jardin.

This commit is a minimal, working version of the FreeBSD code, as
MFC'ed to FreeBSD-4. It has received minimal testing with a ttcp
modified to set the TCP-MD5 option; BMS's additions to tcpdump-current
(tcpdump -M) confirm that the MD5 signatures are correct.  Committed
as-is for further testing between a NetBSD BGP speaker (e.g., quagga)
and industry-standard BGP speakers (e.g., Cisco, Juniper).


NOTE: This version has two potential flaws. First, I do see any code
that verifies recieved TCP-MD5 signatures.  Second, the TCP-MD5
options are internally padded and assumed to be 32-bit aligned. A more
space-efficient scheme is to pack all TCP options densely (and
possibly unaligned) into the TCP header ; then do one final padding to
a 4-byte boundary.  Pre-existing comments note that accounting for
TCP-option space when we add SACK is yet to be done. For now, I'm
punting on that; we can solve it properly, in a way that will handle
SACK blocks, as a separate exercise.

In case a pullup to NetBSD-2 is requested, this adds sys/netipsec/xform_tcp.c
,and modifies:

sys/net/pfkeyv2.h,v 1.15
sys/netinet/files.netinet,v 1.5
sys/netinet/ip.h,v 1.25
sys/netinet/tcp.h,v 1.15
sys/netinet/tcp_input.c,v 1.200
sys/netinet/tcp_output.c,v 1.109
sys/netinet/tcp_subr.c,v 1.165
sys/netinet/tcp_usrreq.c,v 1.89
sys/netinet/tcp_var.h,v 1.109
sys/netipsec/files.netipsec,v 1.3
sys/netipsec/ipsec.c,v 1.11
sys/netipsec/ipsec.h,v 1.7
sys/netipsec/key.c,v 1.11
share/man/man4/tcp.4,v 1.16
lib/libipsec/pfkey.c,v 1.20
lib/libipsec/pfkey_dump.c,v 1.17
lib/libipsec/policy_token.l,v 1.8
sbin/setkey/parse.y,v 1.14
sbin/setkey/setkey.8,v 1.27
sbin/setkey/token.l,v 1.15

Note that the preceding two revisions to tcp.4 will be
required to cleanly apply this diff.
 2004-04-25 22:25:03 +00:00
simonb b5d0e6bf06 Initialise (most) pools from a link set instead of explicit calls 
to pool_init.  Untouched pools are ones that either in arch-specific
code, or aren't initialiased during initial system startup.

 Convert struct session, ucred and lockf to pools.
 2004-04-25 16:42:40 +00:00
itojun 22bdfd729d fix how we send RST against ACK. markus@openbsd 2004-04-25 03:29:11 +00:00
itojun 8a0aba4304 indent for little bit better readability 2004-04-25 00:08:54 +00:00
itojun 3b87628cfb fix comment; we no longer move ip+tcp into the same mbuf 2004-04-24 23:59:13 +00:00
matt 41478e7f33 Always include <sys/param.h> first! 2004-04-24 19:59:19 +00:00
ragge febf637b17 Avoid performance problem in tcp_reass() when appending mbufs to a chain 
by keeping a pointer to the last mbuf in the chain.
 2004-04-22 15:05:33 +00:00
tls 7eb2f214d5 Change the default state of two tunables; bring our TCP a little bit 
closer to normal behaviour for the current century.

New Reno is now on by default (which is really the only reasonable
choice, since we don't do SACK); instead of an initial window of 1
for non-local nets, we now use Sally Floyd's magic 4K rule.
 2004-04-22 02:19:39 +00:00
matt e50668c7fa Constify protosw arrays. This can reduce the kernel .data section by 
over 4K (if all the network protocols) are loaded.
 2004-04-22 01:01:40 +00:00
itojun d2f1c029b9 kill sprintf, use snprintf 2004-04-21 18:40:37 +00:00
itojun e133d13e80 kill some strcpy 2004-04-21 18:16:14 +00:00
itojun 0f06e31eb6 no space between function name and paren: foo (blah) -> foo(blah) 2004-04-21 17:49:46 +00:00
matt e3b919c754 Constify if.c radix.c and route.c (and fix related fallout). 2004-04-21 04:17:28 +00:00
matt 30e63c6236 export tcpstates for _KERNEL and remove tcp_usrreq.c's incorrect 
declartion.
 2004-04-20 22:54:31 +00:00
itojun 6a16706746 follow draft-ietf-tcpm-tcpsecure-00.txt 3.2 (B): 
if SYN is coming and RCV.NXT == SEG.SEQ, then ACK with value - 1.
 2004-04-20 19:49:15 +00:00
itojun f2e796b13f - respond to RST by ACK, as suggested in NISCC recommendation 
- rate-limit ACKs against RSTs and SYNs
 2004-04-20 16:52:12 +00:00
matt 5060b3b780 ANSI'fy and de __P 2004-04-18 23:35:56 +00:00
matt db6a0b431a De __P() 2004-04-18 21:00:35 +00:00
matt 35b9f3ec72 If a segment is received with RST set and the segment is completely to the 
left of the receive window, ignore it.  Add some additional comments to
the code that deals with received segemnts that are completely to the right
of the receive window.  If an invalid SYN is received, force an ACK and
drop it; if the other side really sent the SYN; it'll respond with a reset.
 2004-04-17 23:35:37 +00:00
christos 90e1f431ca adjust to the sbreserve prototype change. 2004-04-17 15:18:53 +00:00
ragge 0a7fe37708 Add back one line which was accidentially removed (by me) a while ago. 
Spotted by Markus Friedl (markus at openbsd.org).
 2004-04-14 18:07:52 +00:00
christos 99d2bc9467 PR/22551: Invoking tcpcb's get erroneously free'd resulting in to_ticks <= 0 
assertion. Approved by he.
 2004-04-05 21:49:21 +00:00
matt efc47093e2 In ip_reass_ttl_descr, make i signed since it's compared to >= 0 2004-04-01 22:47:55 +00:00
martin 8afe56f1c5 A few more ioctl vs. copyin changes, spotted by Bill Studenmund. 2004-04-01 21:54:41 +00:00
martin 9d16150a8e Untangle ioctl copyin/copyout confusion. IP-Filter now actually works 
on sparc64 (and probably everywhere else).
 2004-04-01 09:24:58 +00:00
dyoung 957f9ce691 Only #define COPYIN copyin, et cetera, in the kernel. That is, only 
when when _KERNEL is defined.
 2004-03-31 20:58:15 +00:00
darrenr 077337039d COPYIN/COPYOUT macros need to call copyin/out on NetBSD rather than just use 
bcopy.
 2004-03-31 11:41:45 +00:00
itojun 7cd01f1c20 clean previous commit (uh_sum != 0 check in IPv6) 2004-03-31 07:57:06 +00:00
itojun 8d81738de0 drop packet if IPv6 udp packet does not have checksum (checksum is mandatory 
in IPv6).
 2004-03-31 07:54:00 +00:00
christos dc9378460c Make sure we disarm the persist timer before we arm the rexmit 
timer, otherwise there is a tiny window where both timers are
active, and this is not correct according to the comments in the
code. I believe that this is the cause of the to_ticks <= 0 assertion
failure in callout_schedule() that I've been getting.
 2004-03-30 19:58:14 +00:00
atatat 83b193a052 Make these compile without INET. tcp_input probably needs a lot more 
work...
 2004-03-29 04:59:02 +00:00
martin 665588c20c Cast 64 bit pointers only with (intptr_t) care. 2004-03-28 12:12:28 +00:00
martti 621e9bac7f Sync with official IPFilter 2004-03-28 09:01:26 +00:00
martti 24d567d60d Upgraded IPFilter to 4.1.1 2004-03-28 09:00:53 +00:00
martti ad9b29ed97 Import IPFilter 4.1.1 2004-03-28 08:55:20 +00:00
atatat 19af35fd0d Tango on sysctl_createv() and flags. The flags have all been renamed, 
and sysctl_createv() now uses more arguments.
 2004-03-24 15:34:46 +00:00
itojun 3811eef49d typo 2004-03-23 05:31:54 +00:00
drochner 6a4fbf616c fix tcp/udp checksum test in the M_CSUM_NO_PSEUDOHDR case 
(this can never have worked)
now I can use a "bge" gigabit interface with hw checksumming
ttcp-t: 2147483648 bytes in 18.31 real seconds = 114527.11 KB/sec +++
woow!
 2004-03-10 18:50:45 +00:00
wiz e8f4f5ba76 No need to include netinet/ip_mroute.h twice. 
Closes PR 24652 by Kailash Sethuraman.
 2004-03-04 15:15:06 +00:00
thorpej 8387ab32c5 Use IPSEC_PCB_SKIP_IPSEC() to short-circuit calls to ipsec{4,6}_hdrsiz_tcp(). 2004-03-03 05:59:38 +00:00
thorpej 2803ff0955 Use the new IPSEC_PCB_SKIP_IPSEC() to bypass a socket policy lookup 
when possible.  This shaves several cycles from the output path for
non-IPsec connections, even if the policy is cached in the PCB.
 2004-03-02 02:28:28 +00:00
thorpej 00f100daae Call ipsec_pcbconn() and ipsec_pcbdisconn() for FAST_IPSEC, too. 2004-03-02 02:26:28 +00:00
thorpej 979f197a86 Define a sotoinpcb_hdr() macro (a'la sotoinpcb()). 2004-03-02 02:11:14 +00:00