darrenr
9ec77d6329
Do not allow packets flagged with "out-of-window" (oow) to match "keep state"
rules and try to prevent such rules ("keep state with oow") from being loaded
into the kernel.
Pr: kern/26581
2004-09-06 09:55:13 +00:00
manu
85111f912e
IPv4 PIM support, based on submission from Pavlin Radoslavov on tech-net@ :
two new files I forgot to add on the first cvs commit.
2004-09-04 23:32:29 +00:00
manu
6e3c639957
IPv4 PIM support, based on a submission from Pavlin Radoslavov posted on
tech-net@
2004-09-04 23:29:44 +00:00
darrenr
02c34673a3
add a per-socket counter for dropped UDP packets when the internal buffers
are full.
2004-09-03 18:14:09 +00:00
smb
57643d12c5
Don't try and add a state session if the packet has already been checked
and marked as out of window - trying to do the add will result in a failure
and the packet being blocked, incorrectly.
Committed By: darrenr
Tested By: smb
2004-09-03 04:18:09 +00:00
chs
34187f4589
fix m_pulldown() usage, it's different from m_pullup().
fixes PRs 26666 and 26701.
2004-08-22 21:38:21 +00:00
itojun
682ddb0274
initialize max_keylen for ip_encap.c earlier
2004-08-17 07:05:34 +00:00
yamt
28b17ac69e
in_control: fix address leaks on error, which causes a panic
("no domain for AF 0") on if_detach.
- SIOCAIFADDR, SIOCSIFADDR: free an address on error.
- SIOCSIFNETMASK, SIOCSIFDSTADDR: reject operations for an interface which
has no AF_INET addresses.
partly from OpenBSD and FreeBSD.
reviewed by Christos Zoulas on tech-net@.
2004-08-08 09:52:41 +00:00
christos
f3a2c3728b
remove the avail = 0; assignment which is superfluous. pointed out by enami.
2004-08-04 03:55:06 +00:00
christos
5ab21dfa5d
PR/26471: Arto Selonen: ipfilter 4.1.3 crashes the system every few hours
Remove extraneous m = NULL assignment that will cause a NULL dereference
later.
2004-08-03 16:16:30 +00:00
cube
19861ea4fe
Remove a common (icmpstat).
2004-08-03 13:58:59 +00:00
yamt
48d156e320
call PFIL_NEWIF hooks at a correct place.
(on SIOCAIFADDR rather than SIOCGIFALIAS.)
from Peter Postma, PR/26402.
ok'ed by itojun.
2004-07-26 13:43:14 +00:00
martti
7ff15b917f
Upgraded IPFilter to 4.1.3
2004-07-23 05:39:03 +00:00
martti
9e82a8bf0d
Import IPFilter 4.1.3
2004-07-23 05:33:55 +00:00
yamt
4374881880
fix typos. PFIL_HOOK -> PFIL_HOOKS
2004-07-18 11:37:38 +00:00
itojun
5807e550e5
typo. Bruno Rohee
2004-07-09 09:15:02 +00:00
christos
d397fc692a
Bring in flags from 4.1.2 to make things compile.
2004-07-08 02:52:02 +00:00
mycroft
cc559c8583
Fix SIOCSIFNETMASK -- it needs to use in_ifscrub() and in_ifinit() to update
the interface route and various internal state. Also, it should use an ifreq,
not an if_aliasreq. Addresses PR 9604. (Nothing in our source tree uses
SIOCSIFNETMASK, though. Perhaps it should be deprecated.)
2004-07-07 01:39:00 +00:00
minoura
c3ed038115
Remove broken code for now: getsockopt(s, IPPROTO_IP, IP_IPSEC_POLICY,...).
It returned EINVAL, now returns ENOPROTOOPT.
Ok'd by itojun.
2004-07-06 04:30:27 +00:00
heas
192b371d42
Adjust description for net.inet.udp.checksum; it does not control checking,
only computing.
2004-07-02 18:19:51 +00:00
christos
01a2047486
PR/25999: Jeff Rizzo: ipf: ipnat is corrupting "bimap" translations in 2.0_BETA and -current
2004-06-29 22:44:59 +00:00
itojun
2aef0b1784
correct TCP-MD5 support. Jeff Rizzo
2004-06-26 03:29:15 +00:00
itojun
db45a6f189
icmp_reflect: check if m_pkthdr.rcvif is non-NULL before touching it.
icmp_reflect could be called from the output path, so m_pkthdr.rcvif may not
be set. (found by panic when PF is configured "block return all")
2004-06-25 15:43:00 +00:00
itojun
59302fc979
be careful touching m_pkthdr.rcvif, it could be NULL if the packet was
generated from local node and icmp_error calls icmp_reflect.
2004-06-25 15:24:41 +00:00
itojun
047170b1cc
prepare PF-related hooks. reviewed by matt, perry, christos
2004-06-22 12:50:41 +00:00
tron
c465794d70
Correct two errors in fr_check():
1.) Make sure that "pass" is always initialized.
2.) Make sure the code doesn't use a stale mbuf pointer after fr_makefrip()
has been called. This fixes PR kern/25868.
Analyzed and reviewed by Steve Woodford.
2004-06-16 14:06:23 +00:00
tron
fcda778c8f
Don't leak mbuf if ipfr_fastroute6() fails.
Reviewed by Steve Woodford.
2004-06-16 14:02:39 +00:00
itojun
b834441eb5
update mtu value if outgoing interface changes with ipsec ops
(draft-touch-vpn case only?) iij seil team
2004-06-01 05:06:56 +00:00
itojun
b4ea6633c0
fix SIOC*LIFADDR for IPv4. markus friedl
2004-05-30 06:37:07 +00:00
atatat
4de3747b89
Sysctl descriptions under net subtree (net.key not done)
2004-05-25 04:33:59 +00:00
jonathan
349ad018c7
Remove now-unused variable.
2004-05-23 00:37:27 +00:00
jonathan
c8c7a6dbab
With FAST_IPSEC, include <netipsec/key.h>, as Itojun's recent changes
now require KEY_FREESAV() to be in scope.
2004-05-20 22:59:02 +00:00
christos
bd67b97d6a
PR/25622: IPV6 return RST and through cloned interfaces was broken.
- checksum was computed incorrectly.
- ipv6 packet was not initialized properly.
- fixed code to be more similar to the v4 counterpart.
2004-05-20 13:55:31 +00:00
christos
b78a596c7a
PR/25646: Perry Metzger: Commit a patch that compiles awaiting feedback.
2004-05-20 13:54:19 +00:00
christos
c046c90643
- remove superfluous assignment
- rt_gateway is already a pointer to struct sockaddr; don't take its address
when assigning it to struct sockaddr_in *
2004-05-18 21:47:45 +00:00
christos
0d17293b81
Fix buffer overrun in in_pcbopts() (FreeBSD PR/66386)
2004-05-18 16:47:08 +00:00
itojun
4ebcfcf29a
fix MD5 signature support to actually validate inbound signature, and
drop packet if fails.
2004-05-18 14:44:14 +00:00
christos
540c75a594
PR/25103: Martin Husemann: IP Filter 4.4.1 breaks some connections when NATing
patch from Darren applied.
2004-05-10 12:10:31 +00:00
christos
f07e678b45
PR/24969: Arto Selonen: /usr/sbin/ipfs from ipfilter 4.1.1 does not work
patch applied.
2004-05-10 01:34:59 +00:00
taca
3657b758c0
Make it compile without warning; void function fr_checkv4sum() and
fr_checkv6sum() should not return value.
2004-05-09 08:29:30 +00:00
christos
e982110b53
PR/24981: Steven M. Bellovin: ipfilter in 2.0 branch panics the system
patch applied.
2004-05-09 04:17:34 +00:00
christos
865c473c96
PR/25332: HIROSE yuuji: "fastroute(to)" in ipf.conf doesn't work; patch applied
2004-05-09 04:02:32 +00:00
christos
5592d4d1fa
PR/25441: Matthew Green: IP-Filter uses M_TEMP when it already has M_IPFILTER
2004-05-09 03:54:43 +00:00
chs
bd3ff85ff7
work around an LP64 problem where we report an excessively large window
due to incorrect mixing of types.
2004-05-08 14:41:47 +00:00
kleink
542839207d
Add definitions for the (currently unimplemented) ECN TCP flags;
from Chuck Swiger in PR standards/25058.
2004-05-07 20:11:52 +00:00
jonathan
85b3ba5bf1
Redo net.inet.* sysctl subtree for fast-ipsec from scratch.
Attach FAST-IPSEC statistics with 64-bit counters to new sysctl MIB.
Rework netstat to show FAST_IPSEC statistics, via sysctl, for
netstat -p ipsec.
New kernel files:
sys/netipsec/Makefile (new file; install *_var.h includes)
sys/netipsec/ipsec_var.h (new 64-bit mib counter struct)
Changed kernel files:
sys/Makefile (recurse into sys/netipsec/)
sys/netinet/in.h (fake IP_PROTO name for fast_ipsec sysctl subtree.)
sys/netipsec/ipsec.h (minimal userspace inclusion)
sys/netipsec/ipsec_osdep.h (minimal userspace inclusion)
sys/netipsec/ipsec_netbsd.c (redo sysctl subtree from scratch)
sys/netipsec/key*.c (fix broken net.key subtree)
sys/netipsec/ah_var.h (increase all counters to 64 bits)
sys/netipsec/esp_var.h (increase all counters to 64 bits)
sys/netipsec/ipip_var.h (increase all counters to 64 bits)
sys/netipsec/ipcomp_var.h (increase all counters to 64 bits)
sys/netipsec/ipsec.c (add #include netipsec/ipsec_var.h)
sys/netipsec/ipsec_mbuf.c (add #include netipsec/ipsec_var.h)
sys/netipsec/ipsec_output.c (add #include netipsec/ipsec_var.h)
sys/netinet/raw_ip.c (add #include netipsec/ipsec_var.h)
sys/netinet/tcp_input.c (add #include netipsec/ipsec_var.h)
sys/netinet/udp_usrreq.c (add #include netipsec/ipsec_var.h)
Changes to usr.bin/netstat to print the new fast-ipsec sysctl tree
for "netstat -s -p ipsec":
New file:
usr.bin/netstat/fast_ipsec.c (print fast-ipsec counters)
Changed files:
usr.bin/netstat/Makefile (add fast_ipsec.c)
usr.bin/netstat/netstat.h (declarations for fast_ipsec.c)
usr.bin/netstat/main.c (call KAME-vs-fast-ipsec dispatcher)
2004-05-07 00:55:14 +00:00
skd
1b1b474faa
Fix to update all references to mbuf. Fixes case where mbuf is freed twice.
2004-05-04 11:31:52 +00:00
darrenr
39ee9f396a
at line 543, we do a pullup here of hlen bytes into the mbuf,
so these later ones are superfluous.
2004-05-02 05:02:53 +00:00
matt
c41eb5a6f6
defflag TCP_OUTPUT_COUNTERS and TCP_REASS_COUNTERS
2004-05-01 02:21:44 +00:00
matt
da67d85073
Use EVCNT_ATTACH_STATIC{,2}
2004-05-01 02:20:42 +00:00
ragge
79edf5fba0
Send an arp request before the arp entry times out if the entry is active,
to avoid deleting active entries.
Add sysctl support to tune the default arp timeout values.
2004-04-28 14:09:36 +00:00
matt
5a0de7507d
When a packet is received that overlaps the left side of the window,
check for RST *before* trimming data and adjust its sequence number.
2004-04-27 14:46:07 +00:00
itojun
362e07a3c9
zero-clear ip6?pseudo before use
2004-04-26 05:18:13 +00:00
itojun
f103f9aee9
declare ip6_hdr_pseudo (for kernel only) and use it for TCP MD5 signature
2004-04-26 05:15:47 +00:00
itojun
67372cc454
sync comment with reality
2004-04-26 05:05:49 +00:00
itojun
e0395ac8f0
make TCP MD5 signature work with KAME IPSEC (#define IPSEC).
support IPv6 if KAME IPSEC (RFC is not explicit about how we make data stream
for checksum with IPv6, but i'm pretty sure using normal pseudo-header is the
right thing).
XXX
current TCP MD5 signature code has giant flaw:
it does not validate signature on input (can't believe it! what is the point?)
2004-04-26 03:54:28 +00:00
matt
5413745100
Remove #else clause of __STDC__
2004-04-26 01:31:56 +00:00
jonathan
887b782b0b
Initial commit of a port of the FreeBSD implementation of RFC 2385
(MD5 signatures for TCP, as used with BGP). Credit for original
FreeBSD code goes to Bruce M. Simpson, with FreeBSD sponsorship
credited to sentex.net. Shortening of the setsockopt() name
attributed to Vincent Jardin.
This commit is a minimal, working version of the FreeBSD code, as
MFC'ed to FreeBSD-4. It has received minimal testing with a ttcp
modified to set the TCP-MD5 option; BMS's additions to tcpdump-current
(tcpdump -M) confirm that the MD5 signatures are correct. Committed
as-is for further testing between a NetBSD BGP speaker (e.g., quagga)
and industry-standard BGP speakers (e.g., Cisco, Juniper).
NOTE: This version has two potential flaws. First, I do not see any code
that verifies received TCP-MD5 signatures. Second, the TCP-MD5
options are internally padded and assumed to be 32-bit aligned. A more
space-efficient scheme is to pack all TCP options densely (and
possibly unaligned) into the TCP header; then do one final padding to
a 4-byte boundary. Pre-existing comments note that accounting for
TCP-option space when we add SACK is yet to be done. For now, I'm
punting on that; we can solve it properly, in a way that will handle
SACK blocks, as a separate exercise.
In case a pullup to NetBSD-2 is requested, this adds sys/netipsec/xform_tcp.c,
and modifies:
sys/net/pfkeyv2.h,v 1.15
sys/netinet/files.netinet,v 1.5
sys/netinet/ip.h,v 1.25
sys/netinet/tcp.h,v 1.15
sys/netinet/tcp_input.c,v 1.200
sys/netinet/tcp_output.c,v 1.109
sys/netinet/tcp_subr.c,v 1.165
sys/netinet/tcp_usrreq.c,v 1.89
sys/netinet/tcp_var.h,v 1.109
sys/netipsec/files.netipsec,v 1.3
sys/netipsec/ipsec.c,v 1.11
sys/netipsec/ipsec.h,v 1.7
sys/netipsec/key.c,v 1.11
share/man/man4/tcp.4,v 1.16
lib/libipsec/pfkey.c,v 1.20
lib/libipsec/pfkey_dump.c,v 1.17
lib/libipsec/policy_token.l,v 1.8
sbin/setkey/parse.y,v 1.14
sbin/setkey/setkey.8,v 1.27
sbin/setkey/token.l,v 1.15
Note that the preceding two revisions to tcp.4 will be
required to cleanly apply this diff.
2004-04-25 22:25:03 +00:00
simonb
b5d0e6bf06
Initialise (most) pools from a link set instead of explicit calls
to pool_init. Untouched pools are ones that are either in arch-specific
code, or aren't initialised during initial system startup.
Convert struct session, ucred and lockf to pools.
2004-04-25 16:42:40 +00:00
itojun
22bdfd729d
fix how we send RST against ACK. markus@openbsd
2004-04-25 03:29:11 +00:00
itojun
8a0aba4304
indent for little bit better readability
2004-04-25 00:08:54 +00:00
itojun
3b87628cfb
fix comment; we no longer move ip+tcp into the same mbuf
2004-04-24 23:59:13 +00:00
matt
41478e7f33
Always include <sys/param.h> first!
2004-04-24 19:59:19 +00:00
ragge
febf637b17
Avoid performance problem in tcp_reass() when appending mbufs to a chain
by keeping a pointer to the last mbuf in the chain.
2004-04-22 15:05:33 +00:00
tls
7eb2f214d5
Change the default state of two tunables; bring our TCP a little bit
closer to normal behaviour for the current century.
New Reno is now on by default (which is really the only reasonable
choice, since we don't do SACK); instead of an initial window of 1
for non-local nets, we now use Sally Floyd's magic 4K rule.
2004-04-22 02:19:39 +00:00
matt
e50668c7fa
Constify protosw arrays. This can reduce the kernel .data section by
over 4K (if all the network protocols are loaded).
2004-04-22 01:01:40 +00:00
itojun
d2f1c029b9
kill sprintf, use snprintf
2004-04-21 18:40:37 +00:00
itojun
e133d13e80
kill some strcpy
2004-04-21 18:16:14 +00:00
itojun
0f06e31eb6
no space between function name and paren: foo (blah) -> foo(blah)
2004-04-21 17:49:46 +00:00
matt
e3b919c754
Constify if.c radix.c and route.c (and fix related fallout).
2004-04-21 04:17:28 +00:00
matt
30e63c6236
export tcpstates for _KERNEL and remove tcp_usrreq.c's incorrect
declaration.
2004-04-20 22:54:31 +00:00
itojun
6a16706746
follow draft-ietf-tcpm-tcpsecure-00.txt 3.2 (B):
if SYN is coming and RCV.NXT == SEG.SEQ, then ACK with value - 1.
2004-04-20 19:49:15 +00:00
itojun
f2e796b13f
- respond to RST by ACK, as suggested in NISCC recommendation
- rate-limit ACKs against RSTs and SYNs
2004-04-20 16:52:12 +00:00
matt
5060b3b780
ANSI'fy and de __P
2004-04-18 23:35:56 +00:00
matt
db6a0b431a
De __P()
2004-04-18 21:00:35 +00:00
matt
35b9f3ec72
If a segment is received with RST set and the segment is completely to the
left of the receive window, ignore it. Add some additional comments to
the code that deals with received segments that are completely to the right
of the receive window. If an invalid SYN is received, force an ACK and
drop it; if the other side really sent the SYN, it'll respond with a reset.
2004-04-17 23:35:37 +00:00
christos
90e1f431ca
adjust to the sbreserve prototype change.
2004-04-17 15:18:53 +00:00
ragge
0a7fe37708
Add back one line which was accidentally removed (by me) a while ago.
Spotted by Markus Friedl (markus at openbsd.org).
2004-04-14 18:07:52 +00:00
christos
99d2bc9467
PR/22551: Invoking tcpcb's get erroneously free'd resulting in to_ticks <= 0
assertion. Approved by he.
2004-04-05 21:49:21 +00:00
matt
efc47093e2
In ip_reass_ttl_descr, make i signed since it's compared to >= 0
2004-04-01 22:47:55 +00:00
martin
8afe56f1c5
A few more ioctl vs. copyin changes, spotted by Bill Studenmund.
2004-04-01 21:54:41 +00:00
martin
9d16150a8e
Untangle ioctl copyin/copyout confusion. IP-Filter now actually works
on sparc64 (and probably everywhere else).
2004-04-01 09:24:58 +00:00
dyoung
957f9ce691
Only #define COPYIN copyin, et cetera, in the kernel. That is, only
when _KERNEL is defined.
2004-03-31 20:58:15 +00:00
darrenr
077337039d
COPYIN/COPYOUT macros need to call copyin/out on NetBSD rather than just use
bcopy.
2004-03-31 11:41:45 +00:00
itojun
7cd01f1c20
clean previous commit (uh_sum != 0 check in IPv6)
2004-03-31 07:57:06 +00:00
itojun
8d81738de0
drop packet if IPv6 udp packet does not have checksum (checksum is mandatory
in IPv6).
2004-03-31 07:54:00 +00:00
christos
dc9378460c
Make sure we disarm the persist timer before we arm the rexmit
timer, otherwise there is a tiny window where both timers are
active, and this is not correct according to the comments in the
code. I believe that this is the cause of the to_ticks <= 0 assertion
failure in callout_schedule() that I've been getting.
2004-03-30 19:58:14 +00:00
atatat
83b193a052
Make these compile without INET. tcp_input probably needs a lot more
work...
2004-03-29 04:59:02 +00:00
martin
665588c20c
Cast 64 bit pointers only with (intptr_t) care.
2004-03-28 12:12:28 +00:00
martti
621e9bac7f
Sync with official IPFilter
2004-03-28 09:01:26 +00:00
martti
24d567d60d
Upgraded IPFilter to 4.1.1
2004-03-28 09:00:53 +00:00
martti
ad9b29ed97
Import IPFilter 4.1.1
2004-03-28 08:55:20 +00:00
atatat
19af35fd0d
Tango on sysctl_createv() and flags. The flags have all been renamed,
and sysctl_createv() now uses more arguments.
2004-03-24 15:34:46 +00:00
itojun
3811eef49d
typo
2004-03-23 05:31:54 +00:00
drochner
6a4fbf616c
fix tcp/udp checksum test in the M_CSUM_NO_PSEUDOHDR case
(this can never have worked)
now I can use a "bge" gigabit interface with hw checksumming
ttcp-t: 2147483648 bytes in 18.31 real seconds = 114527.11 KB/sec +++
woow!
2004-03-10 18:50:45 +00:00
wiz
e8f4f5ba76
No need to include netinet/ip_mroute.h twice.
Closes PR 24652 by Kailash Sethuraman.
2004-03-04 15:15:06 +00:00
thorpej
8387ab32c5
Use IPSEC_PCB_SKIP_IPSEC() to short-circuit calls to ipsec{4,6}_hdrsiz_tcp().
2004-03-03 05:59:38 +00:00
thorpej
2803ff0955
Use the new IPSEC_PCB_SKIP_IPSEC() to bypass a socket policy lookup
when possible. This shaves several cycles from the output path for
non-IPsec connections, even if the policy is cached in the PCB.
2004-03-02 02:28:28 +00:00
thorpej
00f100daae
Call ipsec_pcbconn() and ipsec_pcbdisconn() for FAST_IPSEC, too.
2004-03-02 02:26:28 +00:00
thorpej
979f197a86
Define a sotoinpcb_hdr() macro (a'la sotoinpcb()).
2004-03-02 02:11:14 +00:00