martti
7967220333
Removed BROKEN_TCP_WINDOW_CHECK hack.
2006-04-04 16:19:05 +00:00
martti
9ea58d54bc
Upgraded IPFilter to 4.1.13
2006-04-04 16:17:18 +00:00
christos
5a57baa413
don't use MALLOC with a non-constant size; use malloc instead.
2006-03-17 23:29:07 +00:00
christos
97dec287fc
make the kernel link without options INET.
XXX: this is of dubious use.
2005-12-28 09:29:48 +00:00
christos
08e11b2039
make this compile with no INET options.
2005-12-28 09:05:54 +00:00
christos
95e1ffb156
merge ktrace-lwp.
2005-12-11 12:16:03 +00:00
yamt
3a2482b78f
fr_check_wrapper6: handle M_CSUM_TCPv6|M_CSUM_UDPv6.
2005-08-11 13:01:38 +00:00
christos
b132d4d5fd
Fix typo
2005-07-10 09:22:56 +00:00
christos
4a35068121
Small correction to skd's patch from darren.
2005-07-10 05:49:38 +00:00
christos
20dd96aff1
Don't drop fragments that are smaller than the ip header size. From skd
2005-07-09 14:51:11 +00:00
darrenr
4e1ba8b46a
bin/29508 - fix "ipf -T" - kernel wasn't setting ipft_cookie and userland
was expecting it to be set, thus ignored it.
bin/29509 - because ipft_cookie wasn't reset to 0 before making the ioctl
call for each variable, only the first name to find was used, each successive
call just used the cookie.
2005-06-11 12:31:40 +00:00
darrenr
e5f523e30c
Using USE_SPL should be done after the last place it is defined.
2005-06-11 12:12:59 +00:00
darrenr
486aaa2c70
kern/30082 - fr_check() is missing SPL_NET() macros for non-mutex using
platforms, allowing it to be preempted and restarted in an inconsistent
state.
2005-06-11 11:25:28 +00:00
christos
f9aeac0ab7
- sprinkle const
- avoid variable shadowing.
2005-05-29 21:57:49 +00:00
martti
58b8abcbf8
Upgraded IPFilter to 4.1.8
2005-04-03 15:05:30 +00:00
martti
c775aec128
Import IPFilter 4.1.8
2005-04-03 15:01:04 +00:00
christos
3136f75efa
defopt IPFILTER_DEFAULT_BLOCK
2005-03-26 18:08:42 +00:00
hannken
4e0e09fd14
frpr_udpcommon() failed to handle fragmented packets. Packets with less than
8 bytes of data were dropped.
- If the packet is a fragment, return. There is no UDP header in this case.
- Don't set the FI_SHORT flag. Already tested in `frpr_short()'.
- Remove unneeded test `!fin->fin_off'.
Approved by: Christos Zoulas <christos@netbsd.org>
2005-03-07 13:59:30 +00:00
christos
2a8316cc91
Add a change lost in the transition from 4.1.3->4.1.6. Don't block packets
for which we cannot add state. Explanation in the code. Fixes PR/29560.
2005-03-01 13:41:43 +00:00
itojun
57eaa97695
with IPv6 intermediate host will not perform PMTUD. ip6_getpmtu() is for
end node cases, so do not use it.
2005-02-28 09:26:36 +00:00
martin
65c3e91025
When we call m_makewritable() the mbuf might be copied - so don't use
stale mtod()'d pointers from before.
2005-02-21 22:01:52 +00:00
martti
460bbcc960
Upgraded IPFilter to 4.1.6
2005-02-19 21:30:24 +00:00
martti
76b5d9e30f
Import IPFilter 4.1.6
2005-02-19 21:26:02 +00:00
christos
a05a0bbcb8
Deal with possibly uninitialized variable, and tidy up a bit.
2005-02-17 04:14:31 +00:00
christos
9606238d80
There were more broken things aside from the __'s missing.
2005-02-17 03:12:36 +00:00
christos
0a15d30196
Don't forget the trailing __'s in NetBSD Version. Should fix PR/29407.
2005-02-17 02:26:51 +00:00
christos
1b198d8f16
size_t should be cast'ed to unsigned long.
2005-02-09 23:42:30 +00:00
he
f29d7ec0d8
One can't portably print a size_t with an %u format directive.
Since this might be in the kernel, cast to unsigned int before printing.
Fixes build problem for amd64 (and presumably also our other LP64 ports).
2005-02-09 08:21:27 +00:00
he
c05368e398
Make the declaration of oip in fr_send_ip() conditional on INET,
since its use is also conditional on that preprocessor macro.
2005-02-09 08:19:24 +00:00
martti
a023cb1d19
Upgraded IPFilter to 4.1.5
2005-02-08 07:01:52 +00:00
martti
4d6a62d250
Import IPFilter 4.1.5
2005-02-08 06:52:59 +00:00
christos
78ec5c8f06
Disable the oow test because it is broken. It is killing valid packets.
2005-01-16 02:56:22 +00:00
lukem
4ae6a6d6f4
Support -DNOINET6 to disable USE_INET6 (a la the FreeBSD section earlier)
2005-01-10 02:10:47 +00:00
martti
756f26107c
Import IPFilter 4.1.3
2004-12-31 11:30:42 +00:00
darrenr
f314fbb0f1
Expand out an unused byte to give each NAT rule a protocol version field,
allowing rules to be set to match only ipv4/ipv6. And so ipnat must be updated
to actually set this field correctly but to keep things working for old
versions of ipnat (that will set this to 0), make the ioctl handler "update"
the 0 to a 4 to keep things working when people just upgrade kernels. This
forces NAT rule matching to be limited to ipv4 only, here forward, fixing
kern/28662
2004-12-16 17:01:02 +00:00
darrenr
d7859a0415
add an extra sanity check for stepping through TCP header options
2004-12-16 16:37:52 +00:00
christos
64573a67d7
Sprinkle #ifdef INET to make a GENERIC kernel compile with INET undefined.
2004-12-06 02:59:23 +00:00
martin
897d73f414
Patch from PR kern/26839, OK'd as a stopgap fix by Darren.
2004-12-01 08:25:54 +00:00
christos
35a75baff6
PR/28418: Do not drop packets for which we cannot add state, because adding
state is not applicable. The fix just reverts the new code that blocked
packets where fr_addstate() fails. This is not correct in all cases, but
blocking them is a bit drastic and breaks existing functionality. The proper
fix is to change fr_addstate() to return:
- state added
- adding state failed
- adding state is not applicable
and then filter packets only in the second case. I am leaving this for someone
else.
2004-11-25 09:49:12 +00:00
he
4a9ab9770a
Apply patch from Darren for the ctype() functions/macros.
Encapsulates the ctype() functions so that the casts are centralized.
2004-11-13 19:14:48 +00:00
he
76d82c7f1f
Revert previous, paving the way for Darren's cleaner patch.
2004-11-13 18:43:49 +00:00
he
dd5a52f76d
More instances of cast to unsigned char for arguments to ctype functions.
Will also be sent to maintainer for possible inclusion in master source.
2004-11-13 15:19:58 +00:00
darrenr
90032de19d
build a new fr_info_t structure in fr_send_ip() and pass it through to
the fastroute function so that it uses accurate packet information about
the packet being sent out rather than the packet received (impacts both
return-rst and return-icmp features.)
PR: kern/27093
2004-10-31 04:52:50 +00:00
darrenr
8fe036145c
* Prevent hang when attempting to flush state entries for ipv4 when ipv6
are present or vice versa
* Fix matching of IPv6 state entries when the initial packet is
sent to a multicast address. This includes not updating the address as
being fixed when a second (or further) such packet is seen before a reply.
* Disable code, for now, that limited how many ICMP packets could match a
state entry based on the number of real packets seen.
2004-10-07 03:57:02 +00:00
darrenr
328bd73105
The change in 1.3 is incorrect - it checks for FI_OOW regardless of what
type of data is stored in the rule (only a valid check for FR_T_IPF rules.)
2004-10-06 15:06:29 +00:00
yamt
2c46ccce37
move netinet/ip_lookup.h -> dist/ipf/netinet/ip_lookup.h.
2004-10-05 04:56:41 +00:00
jdolecek
20d2b45d7d
fix bug introduced in rev 1.70 - in the "keep state" & "oow" flag check,
ensure a pointer to a state structure is non-NULL before dereferencing
Fixes PR kern/26927 by me and PR kern/26947 by Brett Lymn
2004-10-03 12:21:13 +00:00
jdolecek
a9bc4a2fda
frrequest(): move some variable initializations for clarity
no functional change
2004-10-03 12:16:32 +00:00
jdolecek
46134b3da6
move ip_htable.h from sys/netinet/ to sys/dist/ipf/netinet/, it's ipfilter file
2004-10-02 07:59:14 +00:00
christos
d0905be2d3
moved from sys/netinet.
2004-10-02 07:51:53 +00:00