Commit Graph

253 Commits

Author SHA1 Message Date
dyoung
5493f188c7 KNF: de-__P, bzero -> memset, bcmp -> memcmp. Remove extraneous
parentheses in return statements.

Cosmetic: don't open-code TAILQ_FOREACH().

Cosmetic: change types of variables to avoid oodles of casts: in
   in6_src.c, avoid casts by changing several route_in6 pointers
   to struct route pointers.  Remove unnecessary casts to caddr_t
   elsewhere.

Pave the way for eliminating address family-specific route caches:
   soon, struct route will not embed a sockaddr, but it will hold
   a reference to an external sockaddr, instead.  We will set the
   destination sockaddr using rtcache_setdst().  (I created a stub
   for it, but it isn't used anywhere, yet.)  rtcache_free() will
   free the sockaddr.  I have extracted from rtcache_free() a helper
   subroutine, rtcache_clear().  rtcache_clear() will "forget" a
   cached route, but it will not forget the destination by releasing
   the sockaddr.  I use rtcache_clear() instead of rtcache_free()
   in rtcache_update(), because rtcache_update() is not supposed
   to forget the destination.

Constify:

   1 Introduce const accessor for route->ro_dst, rtcache_getdst().

   2 Constify the 'dst' argument to ifnet->if_output().  This
     led me to constify a lot of code called by output routines.

   3 Constify the sockaddr argument to protosw->pr_ctlinput.  This
     led me to constify a lot of code called by ctlinput routines.

   4 Introduce const macros for converting from a generic sockaddr
     to family-specific sockaddrs, e.g., sockaddr_in: satocsin6,
     satocsin, et cetera.
2007-02-17 22:34:07 +00:00
dyoung
10c063a777 In pf_rtlabel_match, use rtcache_free()/rtcache_init(). This is
just cosmetic, since the whole routine is presently #if 0'd.
2007-02-17 21:08:52 +00:00
alc
ea827cc550 CID-3809: move up the initialization of `fr' as we can jump to junkput: if
fr_inobj() fails. junkput: will then check the value of `fr' which is at
this time uninitialized.

CID-3803: don't leak `ipn' upon return

ok christos@
2006-12-27 18:28:54 +00:00
alc
aca410156d CID-3802: don't leak `isc'
ok christos@
2006-12-27 18:10:03 +00:00
darrenr
54726f45ee TCP window scaling was being recognised but the recorded settings were being
clobbered and thus effectively disabled
2006-12-24 02:31:16 +00:00
joerg
eb04733c4e Introduce new helper functions to abstract the route caching.
rtcache_init and rtcache_init_noclone lookup ro_dst and store
the result in ro_rt, taking care of the reference counting and
calling the domain specific route cache.
rtcache_free checks if a route was cached and frees the reference.
rtcache_copy copies ro_dst of the given struct route, checking that
enough space is available and incrementing the reference count of the
cached rtentry if necessary.
rtcache_check validates that the cached route is still up. If it isn't,
it tries to look it up again. Afterwards ro_rt is either valid again
or NULL.
rtcache_copy is used internally.

Adjust callers of rtalloc/rtflush in the tree to check the sanity of
ro_dst first (if necessary). If it doesn't fit the expectations, free
the cache, otherwise check if the cached route is still valid. After
that combination, a single check for ro_rt == NULL is enough to decide
whether a new lookup needs to be done with a different ro_dst.
Make the route checking in gre stricter by repeating the loop check
after revalidation.
Remove some unused RADIX_MPATH code in in6_src.c. The logic is slightly
changed here to first validate the route and check RTF_GATEWAY
afterwards. This is semantically equivalent though.
etherip doesn't need sc_route_expire, similar to the gif changes from
dyoung@ earlier.

Based on the earlier patch from dyoung@, reviewed and discussed with
him.
2006-12-15 21:18:52 +00:00
matt
8861fab664 Don't apply a window scale to the window size in a SYN packet. 2006-12-13 03:45:48 +00:00
dyoung
c308b1c661 Here are various changes designed to protect against bad IPv4
routing caused by stale route caches (struct route).  Route caches
are sprinkled throughout PCBs, the IP fast-forwarding table, and
IP tunnel interfaces (gre, gif, stf).

Stale IPv6 and ISO route caches will be treated by separate patches.

Thank you to Christoph Badura for suggesting the general approach
to invalidating route caches that I take here.

Here are the details:

Add hooks to struct domain for tracking and for invalidating each
domain's route caches: dom_rtcache, dom_rtflush, and dom_rtflushall.

Introduce helper subroutines, rtflush(ro) for invalidating a route
cache, rtflushall(family) for invalidating all route caches in a
routing domain, and rtcache(ro) for notifying the domain of a new
cached route.

Chain together all IPv4 route caches where ro_rt != NULL.  Provide
in_rtcache() for adding a route to the chain.  Provide in_rtflush()
and in_rtflushall() for invalidating IPv4 route caches.  In
in_rtflush(), set ro_rt to NULL, and remove the route from the
chain.  In in_rtflushall(), walk the chain and remove every route
cache.

In rtrequest1(), call rtflushall() to invalidate route caches when
a route is added.

In gif(4), discard the workaround for stale caches that involves
expiring them every so often.

Replace the pattern 'RTFREE(ro->ro_rt); ro->ro_rt = NULL;' with a
call to rtflush(ro).

Update ipflow_fastforward() and all other users of route caches so
that they expect a cached route, ro->ro_rt, to turn to NULL.

Take care when moving a 'struct route' to rtflush() the source and
to rtcache() the destination.

In domain initializers, use .dom_xxx tags.

KNF here and there.
2006-12-09 05:33:04 +00:00
dyoung
dcabc5c2e5 Make code concise by removing uninformative #ifdef's. 2006-12-04 03:02:48 +00:00
dyoung
9534d9db92 Indent these macros for readability. People have to read this
code, too.
2006-12-04 02:59:35 +00:00
dyoung
1b9b487578 Lightly constify. Helps compile-time checking that we are not
scribbling over shared or read-only memory---e.g., in mbufs.
2006-12-04 02:58:06 +00:00
dyoung
fdab81c3b0 No need for a struct route_in6 in pf_route6(). Replace it with a
sockaddr_in6.

In pf_calc_mss(), factor common code out of PF_INET and PF_INET6
switch cases.
2006-12-04 02:28:12 +00:00
christos
c0179c282a spell precede; from Zafer 2006-11-25 16:48:31 +00:00
christos
1665d5e960 fix spelling of accommodate; from Zapher. 2006-11-24 19:46:58 +00:00
christos
168cd830d2 __unused removal on arguments; approved by core. 2006-11-16 01:32:37 +00:00
dogcow
372e6ef309 now that we have -Wno-unused-parameter, back out all the tremendously ugly
code to gratuitously access said parameters.
2006-10-17 18:21:29 +00:00
dogcow
2023789a40 More -Wunused fallout. sprinkle __unused when possible; otherwise, use the
do { if (&x) {} } while (/* CONSTCOND */ 0);
construct as suggested by uwe in <20061012224845.GA9449@snark.ptc.spbu.ru>.
2006-10-13 16:53:35 +00:00
peter
dd191f37f3 Merge the peter-altq branch.
(sync with KAME & add support for using ALTQ with pf(4)).
2006-10-12 19:59:07 +00:00
christos
4d595fd7b1 - sprinkle __unused on function decls.
- fix a couple of unused bugs
- no more -Wno-unused for i386
2006-10-12 01:30:41 +00:00
peter
d697e40372 PR/34746: Nino Dehne: pf(4)'s synproxy state breaks when used with tags
Apply OpenBSD src/sys/net/pf.c rev 1.486 and 1.487:

1.486:
When synproxy sends packets to the destination host, make sure to copy
the 'tag' from the original state entry into the outgoing mbuf.

1.487:
When synproxy completes the replayed handshake and modifies the state
into a normal one, it sets both peers' sequence windows. Fix a bug where
the previously advertised windows are applied to the wrong side (i.e.
peer A's seqhi is peer A's seqlo plus peer B's, not A's, window). This
went undetected because mostly the windows are similar and/or re-
advertised soon. But there are (rare) cases where a synproxy'd connection
would stall right after handshake. Found by Gleb Smirnoff.
2006-10-07 21:45:49 +00:00
pavel
b4d9afa72c In pf, there are lots of #ifdef ALTQ, but our ALTQ is not what pf expects,
and if ALTQ and pf are both enabled, it leads to compile errors. So,
change all tests for ALTQ to ALTQ_NEW, which won't be defined.

This allows simultaneous compilation of pf and ALTQ and is a temporary
measure before the peter-altq branch is merged.

Tested and approved by Peter Postma.
2006-10-01 12:52:24 +00:00
elad
83a5239b28 Remove ugly (void *) casts from network scope authorization wrapper and
calls to it.

While here, adapt code for system scope listeners to avoid some more
casts (forgotten in previous run).

Update documentation.
2006-09-19 21:42:29 +00:00
yamt
a741fb2573 defflag IPFILTER_LOOKUP. 2006-09-17 13:43:15 +00:00
elad
bada0c776a Don't use KAUTH_RESULT_* where it's not applicable.
Prompted by yamt@.
2006-09-13 10:07:42 +00:00
elad
5f7169ccb1 First take at security model abstraction.
- Add a few scopes to the kernel: system, network, and machdep.

- Add a few more actions/sub-actions (requests), and start using them as
  opposed to the KAUTH_GENERIC_ISSUSER place-holders.

- Introduce a basic set of listeners that implement our "traditional"
  security model, called "bsd44". This is the default (and only) model we
  have at the moment.

- Update all relevant documentation.

- Add some code and docs to help folks who want to actually use this stuff:

  * There's a sample overlay model, sitting on-top of "bsd44", for
    fast experimenting with tweaking just a subset of an existing model.

    This is pretty cool because it's *really* straightforward to do stuff
    you had to use ugly hacks for until now...

  * And of course, documentation describing how to do the above for quick
    reference, including code samples.

All of these changes were tested for regressions using a Python-based
testsuite that will be (I hope) available soon via pkgsrc. Information
about the tests, and how to write new ones, can be found on:

	http://kauth.linbsd.org/kauthwiki

NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the
following:

  - Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
  - Checks 'securelevel' directly,
  - Checks a uid/gid directly.

(or if you feel you have to, contact me first)

This is still work in progress; It's far from being done, but now it'll
be a lot easier.

Relevant mailing list threads:

http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html
http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html
http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html
http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html

Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help
stabilizing kauth(9).

Full credit for the regression tests, making sure these changes didn't break
anything, goes to Matt Fleming and Jaime Fournier.

Happy birthday Randi! :)
2006-09-08 20:58:56 +00:00
christos
5388ec4cc9 add missing initializer 2006-09-03 04:53:19 +00:00
mrg
09534a159a fix the previous: don't replace a NULL with a "" in an initialiser.
fixes sparc64 kernel crash when starting ipfilter.  thanks to
jnemeth@ for flagging the delta that caused the problem.
2006-09-01 09:47:47 +00:00
christos
2a76cd386d off by one element. 2006-08-30 19:12:56 +00:00
christos
6d155711f9 avoid empty if body. 2006-08-30 19:04:52 +00:00
christos
3fad7e8079 complete identifiers. 2006-08-30 19:04:26 +00:00
christos
5d91315335 complete initializer 2006-08-30 18:50:20 +00:00
christos
35190634ec fix incomplete initializers 2006-08-30 01:58:00 +00:00
christos
f9cd3d1167 more version lossage 2006-08-26 20:37:50 +00:00
christos
cb5c9c5f42 PR/34287: Gene ENonymous: ipf/ippool enabled kernel fails build.sh build due to
use of "version" variable name
2006-08-26 20:36:17 +00:00
christos
c762f34e0e PR/34284: Gene ENonymous: when "ippool -F" is invoked, error is
"ioctl(SIOCLOOKUPFLUSH): Bad address"
2006-08-26 20:25:23 +00:00
martin
30b452e3dc Some interfaces are initially created with zero addresses on them
(like pppoe). Make the loop over all interface addresses cope.
Problem reported by Christian Hattemer.
2006-07-12 17:26:11 +00:00
christos
5ed3dd2fe3 don't allocate > 1K on the stack. 2006-06-13 02:08:20 +00:00
kardel
de4337ab21 merge FreeBSD timecounters from branch simonb-timecounters
- struct timeval time is gone
  time.tv_sec -> time_second
- struct timeval mono_time is gone
  mono_time.tv_sec -> time_uptime
- access to time via
	{get,}{micro,nano,bin}time()
	get* versions are fast but less precise
- support NTP nanokernel implementation (NTP API 4)
- further reading:
  Timecounter Paper: http://phk.freebsd.dk/pubs/timecounter.pdf
  NTP Nanokernel: http://www.eecis.udel.edu/~mills/ntp/html/kern.html
2006-06-07 22:33:33 +00:00
peter
a3fa0e8e3f Initialize h4 and h6 to NULL.
Fixes a panic reported by Mipam on -current-users.
2006-05-23 22:24:32 +00:00
christos
a75306c3a4 Fix strict aliasing issues and while I am here fix a memory leak on error 2006-05-21 04:30:03 +00:00
elad
fc9422c9d9 integrate kauth. 2006-05-14 21:31:52 +00:00
christos
ca0ec852e6 XXX: GCC uninitialized 2006-05-14 03:40:02 +00:00
martti
0f3d8a43c2 Make sure IPF can correctly pullup short headers. Patch received from
darrenr@. This fixes kern/33423.
2006-05-11 07:37:09 +00:00
mrg
84ab62db88 quell GCC 4.1 uninitialised variable warnings.
XXX: we should audit the tree for which old ones are no longer needed
after getting the older compilers out of the tree..
2006-05-11 01:08:38 +00:00
mrg
1e7e4f5c0c caddr_t -> u_char *, to match the variable type 2006-05-11 01:08:19 +00:00
mrg
5755809507 - include <sys/selinfo.h> on BSD, for ipfselwait[].
- mask off the bits that don't fit in IP_HL_A().
2006-05-11 01:07:01 +00:00
mrg
084c052803 quell GCC 4.1 uninitialised variable warnings.
XXX: we should audit the tree for which old ones are no longer needed
after getting the older compilers out of the tree..
2006-05-10 21:53:14 +00:00
darrenr
0df9b5fe68 ipf -Z returns junk and/or can cause a panic (seen on solaris.) 2006-04-18 12:40:49 +00:00
darrenr
b817a6b4f0 This change corrects what 1.6 tried to do. This feels like a coverity fix
for a code path that should never actually happen (fr_newauth() should only
be called for auth rules - i.e. when fin_fr != NULL).  If it is possible to
call fr_newauth() with fin_fr == NULL then this change introduces a
regression compared to prior importing of 4.1.13.
2006-04-15 13:58:43 +00:00
garbled
2355e5cd00 Fix a typo. fin->fin->fr should be fin->fin_fr 2006-04-14 04:32:26 +00:00
christos
0a1c2ab0b8 Coverity CID 2855: If fin->fin_fr is NULL, return 0, don't crash. 2006-04-13 18:59:58 +00:00
kochi
62f4a841c7 Fix return without free (resource leakage).
Detected by Coverity (CID 2309).
2006-04-13 08:43:17 +00:00
kochi
656c03f555 This is a better fix than the previous commit for
saner cleanup path.
2006-04-13 07:31:29 +00:00
kochi
691e781111 Fix usage after free of NextWalkState.
Closes Coverity CID 2672 and this is reported to intel people.
2006-04-13 07:21:20 +00:00
cube
7db196715b Protect config(1)-generated include files inclusion with
#ifdef _KERNEL_OPT.  ACPI-CA might be used by standalone code in the
future.  Suggested by cherry@.
2006-04-07 13:49:20 +00:00
martti
7967220333 Removed BROKEN_TCP_WINDOW_CHECK hack. 2006-04-04 16:19:05 +00:00
martti
9ea58d54bc Upgraded IPFilter to 4.1.13 2006-04-04 16:17:18 +00:00
kochi
ec7315b11c Moved from sys/dev/acpi/acpica/Subsystem.
suggested by cube.
2006-03-23 13:36:31 +00:00
christos
5a57baa413 don't use MALLOC with a non-constant size; use malloc instead. 2006-03-17 23:29:07 +00:00
lukem
a1f606d3fd Use the SI capitalization for "Hz", "kHz", and "MHz" in comments and strings.
Add a space between numbers and Hz unit.
2006-03-08 23:46:22 +00:00
peter
8f83cde4e3 Fix TCP/UDP checksum handling as pointed out by Daniel Hartmeier in:
http://mail-index.netbsd.org/tech-net/2006/01/21/0000.html.

Problem reported and patch tested by der Mouse & Nino Dehne (PR/32874).
2006-02-19 12:15:33 +00:00
rpaulo
99513cfd59 In pf_socket_lookup() fix copy & paste problem when in6_pcblookup_bind()
returns NULL.
2006-02-07 22:53:03 +00:00
peter
10f6d07582 apply a fix from OpenBSD:
> revision 1.104
> date: 2006/01/18 22:03:21;  author: dhartmei;  state: Exp;  lines: +2 -2
> fix a bug in the fragment cache (used for 'scrub fragment crop/drop-ovl',
> but not 'fragment reassemble'), which can cause some fragments to get
> inserted into the cache twice, thereby violating an invariant, and panic-
> ing the system subsequently. ok deraadt@
2006-01-25 10:45:20 +00:00
peter
5d1968b1c0 Include netinet/in.h, for compatibility with OpenBSD (we #ifdef'ed out a
header which includes netinet/in.h on OpenBSD).

Pointed out by Thomas E. Spanjaard.
No objection from yamt@.
2006-01-17 12:24:53 +00:00
christos
97dec287fc make the kernel link without options INET.
XXX: this is of dubious use.
2005-12-28 09:29:48 +00:00
christos
08e11b2039 make this compile with no INET options. 2005-12-28 09:05:54 +00:00
christos
95e1ffb156 merge ktrace-lwp. 2005-12-11 12:16:03 +00:00
christos
a751ffb4fe Adjust for icmp_error signature. 2005-10-23 19:40:20 +00:00
yamt
3a2482b78f fr_check_wrapper6: handle M_CSUM_TCPv6|M_CSUM_UDPv6. 2005-08-11 13:01:38 +00:00
yamt
bbfb2033ff pfil6_wrapper: handle M_CSUM_TCPv6|M_CSUM_UDPv6. 2005-08-11 13:01:24 +00:00
yamt
d6d72a6dc9 wrap INET only code by #if defined(INET). (in __NetBSD__ part) 2005-08-06 11:22:39 +00:00
peter
84fa01a154 pf_test() can set *mp to NULL, check for this before de-referencing it.
From Akihiro Sagawa in PR/30835.
2005-07-26 13:09:23 +00:00
christos
b132d4d5fd Fix typo 2005-07-10 09:22:56 +00:00
christos
4a35068121 Small correction to skd's patch from darren. 2005-07-10 05:49:38 +00:00
christos
20dd96aff1 Don't drop fragments that are smaller than the ip header size. From skd 2005-07-09 14:51:11 +00:00
peter
9710741485 Resolve conflicts (pf from OpenBSD 3.7, kernel part). 2005-07-01 12:37:34 +00:00
lukem
fd8956d5fa Use an "XXXGCC -Wuninitalized" style that is consistent with that used
elsewhere in the tree.
2005-06-15 01:48:20 +00:00
jmc
6724401235 Cleanup XXGCC in a few places to make it easier to see. 2005-06-14 21:20:30 +00:00
jmc
c3073778d2 Fix uninitialized warnings that only crop up on m68k. XXGCC tagged 2005-06-13 20:33:53 +00:00
darrenr
4e1ba8b46a bin/29508 - fix "ipf -T" - kernel wasn't setting ipft_cookie and userland
was expecting it to be set, thus ignored it.
bin/29509 - because ipft_cookie wasn't reset to 0 before making the ioctl
call for each variable, only the first name to find was used, each successive
call just used the cookie.
2005-06-11 12:31:40 +00:00
darrenr
e5f523e30c Using USE_SPL should be done after the last place it is defined. 2005-06-11 12:12:59 +00:00
darrenr
486aaa2c70 kern/30082 - fr_check() is missing SPL_NET() macros for non-mutex using
platforms, allowing it to be preempted and restarted in an inconsistent
state.
2005-06-11 11:25:28 +00:00
yamt
656adb750b pf_reassemble: clear stale csum_flags. 2005-06-08 11:50:46 +00:00
christos
f9aeac0ab7 - sprinkle const
- avoid variable shadowing.
2005-05-29 21:57:49 +00:00
christos
966656bbac more fallout from so_uid -> so_uidinfo. 2005-05-07 19:59:56 +00:00
martti
58b8abcbf8 Upgraded IPFilter to 4.1.8 2005-04-03 15:05:30 +00:00
martti
c775aec128 Import IPFilter 4.1.8 2005-04-03 15:01:04 +00:00
christos
3136f75efa defopt IPFILTER_DEFAULT_BLOCK 2005-03-26 18:08:42 +00:00
peter
851064ccf9 Fix a GCC warning when compiling on evbppc.
From FUKAUMI Naoki in PR #29669.
2005-03-15 18:08:59 +00:00
hannken
4e0e09fd14 frpr_udpcommon() failed to handle fragmented packets. Packets with less than
8 bytes of data were dropped.

- If the packet is a fragment, return. There is no UDP header in this case.
- Don't set the FI_SHORT flag. Already tested in `frpr_short()'.
- Remove unneeded test `!fin->fin_off'.

Approved by: Christos Zoulas <christos@netbsd.org>
2005-03-07 13:59:30 +00:00
christos
2a8316cc91 Add a change lost in the transition from 4.1.3->4.1.6. Don't block packets
for which we cannot add state. Explanation in the code. Fixes PR/29560.
2005-03-01 13:41:43 +00:00
itojun
57eaa97695 with IPv6 intermediate host will not perform PMTUD. ip6_getpmtu() is for
end node cases, so do not use it.
2005-02-28 09:26:36 +00:00
martin
65c3e91025 When we call m_makewritable() the mbuf might be copied - so don't use
stale mtod()'d pointers from before.
2005-02-21 22:01:52 +00:00
martti
460bbcc960 Upgraded IPFilter to 4.1.6 2005-02-19 21:30:24 +00:00
martti
76b5d9e30f Import IPFilter 4.1.6 2005-02-19 21:26:02 +00:00
christos
a05a0bbcb8 Deal with possibly uninitialized variable, and tidy up a bit. 2005-02-17 04:14:31 +00:00
christos
9606238d80 There were more broken things aside from the __'s missing. 2005-02-17 03:12:36 +00:00
christos
0a15d30196 Don't forget the trailing __'s in NetBSD Version. Should fix PR/29407. 2005-02-17 02:26:51 +00:00
peter
41ea7e91a7 Merge in a fix from OPENBSD_3_6.
ok yamt@

> MFC:
> Fix by dhartmei@
>
> replace finer-grained spl locking in pfioctl() with a single broad lock
> around the entire body. this resolves the (misleading) panics in
> pf_tag_packet() during heavy ioctl operations (like when using authpf)
> that occur because softclock can interrupt ioctl on i386 since SMP.
> patch from camield@.
2005-02-14 21:28:33 +00:00
peter
1b4e743b06 Merge in a fix from OPENBSD_3_6.
ok yamt@

> MFC:
> Fix by dhartmei@
>
> ICMP state entries use the ICMP ID as port for the unique state key. When
> checking for a usable key, construct the key in the same way. Otherwise,
> a colliding key might be missed or a state insertion might be refused even
> though it could be inserted. The second case triggers the endless loop
> fixed by 1.474, possibly allowing a NATed LAN client to lock up the kernel.
> Report and test data by Srebrenko Sehic.
2005-02-14 21:27:26 +00:00
christos
1b198d8f16 size_t should be cast to unsigned long. 2005-02-09 23:42:30 +00:00
he
f29d7ec0d8 One can't portably print a size_t with an %u format directive.
Since this might be in the kernel, cast to unsigned int before printing.
Fixes build problem for amd64 (and presumably also our other LP64 ports).
2005-02-09 08:21:27 +00:00
he
c05368e398 Make the declaration of oip in fr_send_ip() conditional on INET,
since its use is also conditional on that preprocessor macro.
2005-02-09 08:19:24 +00:00
martti
a023cb1d19 Upgraded IPFilter to 4.1.5 2005-02-08 07:01:52 +00:00
martti
4d6a62d250 Import IPFilter 4.1.5 2005-02-08 06:52:59 +00:00
christos
78ec5c8f06 Disable the oow test because it is broken. It is killing valid packets. 2005-01-16 02:56:22 +00:00
lukem
4ae6a6d6f4 Support -DNOINET6 to disable USE_INET6 (a la the FreeBSD section earlier) 2005-01-10 02:10:47 +00:00
yamt
de965c0ed7 pfil4_wrapper: clear M_CANFASTFWD which is not compatible with pf. 2005-01-01 09:13:14 +00:00
martti
756f26107c Import IPFilter 4.1.3 2004-12-31 11:30:42 +00:00
peter
dd544baa78 Apply a patch from OPENBSD_3_6 branch (ok yamt).
MFC:
Fix by dhartmei@

IPv6 packets can contain headers (like options) before the TCP/UDP/ICMP6
header. pf finds the first TCP/UDP/ICMP6 header to filter by traversing
the header chain. In the case where headers are skipped, the protocol
checksum verification used the wrong length (included the skipped headers),
leading to incorrectly mismatching checksums. Such IPv6 packets with
headers were silently dropped. Reported by Bernhard Schmidt.

ok deraadt@ dhartmei@ mcbride@
2004-12-21 12:06:37 +00:00
peter
e71187380f Apply a patch from OPENBSD_3_6 branch (ok yamt).
MFC:
Fix by mcbride@

Initialise init_addr in pf_map_addr() in the PF_POOL_ROUNDROBIN,
prevents a possible endless loop in pf_get_sport() with 'static-port'

Reported by adm at celeritystorm dot com in FreeBSD PR74930, debugging
by dhartmei@

ok mcbride@ dhartmei@ deraadt@ henning@
2004-12-21 12:05:34 +00:00
yamt
21a48a296e pf_check_proto_cksum: use {tcp,udp}_input_checksum so that we can:
- handle loopback checksum omission properly.
- profit from h/w checksum offloading.
2004-12-21 05:55:23 +00:00
darrenr
f314fbb0f1 Expand out an unused byte to give each NAT rule a protocol version field,
allowing rules to be set to match only ipv4/ipv6. And so ipnat must be updated
to actually set this field correctly but to keep things working for old
versions of ipnat (that will set this to 0), make the ioctl handler "update"
the 0 to a 4 to keep things working when people just upgrade kernels.  This
forces NAT rule matching to be limited to ipv4 only, here forward, fixing
kern/28662
2004-12-16 17:01:02 +00:00
darrenr
d7859a0415 add an extra sanity check for stepping through TCP header options 2004-12-16 16:37:52 +00:00
christos
64573a67d7 Sprinkle #ifdef INET to make a GENERIC kernel compile with INET undefined. 2004-12-06 02:59:23 +00:00
peter
e6a70f95cf Apply a patch from OpenBSD 3.6 branch (ok yamt@).
MFC:
Fix by dhartmei@

fix a bug that leads to a crash when binat rules of the form
'binat from ... to ... -> (if)' are used, where the interface
is dynamic. reported by kos(at)bastard(dot)net, analyzed by
Pyun YongHyeon.
2004-12-05 13:32:17 +00:00
peter
fd3bd491c0 Improve the cleanup routines for detachment. Fixes PR 28132.
Reviewed by yamt.
2004-12-04 14:26:01 +00:00
peter
3cfd10be8b Don't put the hook definitions into #ifdef _KERNEL.
(needed to compile pf programs because of the previous change)
2004-12-04 14:21:23 +00:00
yamt
0a7a28fcc4 plug pfik_ifaddrhooks leaks by embedding it to pfi_kif. 2004-12-04 10:35:54 +00:00
martin
897d73f414 Patch from PR kern/26839, OK'd as a stopgap fix by Darren. 2004-12-01 08:25:54 +00:00
christos
35a75baff6 PR/28418: Do not drop packets for which we cannot add state, because adding
state is not applicable. The fix just reverts the new code that blocked
packets where fr_addstate() fails. This is not correct in all cases, but
blocking them is a bit drastic and breaks existing functionality. The proper
fix is to change fr_addstate() to return:

- state added
- adding state failed
- adding state is not applicable

and then filter packets only in the second case. I am leaving this for someone
else.
2004-11-25 09:49:12 +00:00
peter
c7f5faeaa9 Apply a patch from the OPENBSD_3_6 branch, ok itojun.
MFC:
Fix by dhartmei@

The flag to re-filter pf-generated packets was set wrong by synproxy
for ACKs. It should filter the ACK replayed to the server, instead of
the one to the client.
2004-11-21 17:59:24 +00:00
peter
a3452e6de2 Apply a patch from the OPENBSD_3_6 branch, ok itojun.
MFC:
Fix by dhartmei@

For RST generated due to state mismatch during handshake, don't set
th_flags TH_ACK and leave th_ack 0, just like the RST generated by
the stack in this case. Fixes the Raptor workaround.
2004-11-21 17:57:52 +00:00
yamt
da18614102 resolve conflicts. (pf from OpenBSD 3.6, kernel part) 2004-11-14 11:12:16 +00:00
yamt
3d5ba5bca1 backout whitespace changes to make further import easier. 2004-11-13 21:13:07 +00:00
he
4a9ab9770a Apply patch from Darren for the ctype() functions/macros.
Encapsulates the ctype() functions so that the casts are centralized.
2004-11-13 19:14:48 +00:00
he
76d82c7f1f Revert previous, paving the way for Darren's cleaner patch. 2004-11-13 18:43:49 +00:00
he
dd5a52f76d More instances of cast to unsigned char for arguments to ctype functions.
Will also be sent to maintainer for possible inclusion in master source.
2004-11-13 15:19:58 +00:00
darrenr
90032de19d build a new fr_info_t structure in fr_send_ip() and pass it through to
the fastroute function so that it uses accurate packet information about
the packet being sent out rather than the packet received (impacts both
return-rst and return-icmp features.)

PR: kern/27093
2004-10-31 04:52:50 +00:00
darrenr
8fe036145c * Prevent hang when attempting to flush state entries for ipv4 when ipv6
are present or vice versa
* Fix matching of IPv6 state entries when the initial packet is
  sent to a multicast address.  This includes not updating the address as
  being fixed when a second (or further) such packet is seen before a reply.
* Disable code, for now, that limited how many ICMP packets could match a
  state entry based on the number of real packets seen.
2004-10-07 03:57:02 +00:00
darrenr
328bd73105 The change in 1.3 is incorrect - it checks for FI_OOW regardless of what
type of data is stored in the rule (only a valid check for FR_T_IPF rules.)
2004-10-06 15:06:29 +00:00
yamt
2c46ccce37 move netinet/ip_lookup.h -> dist/ipf/netinet/ip_lookup.h. 2004-10-05 04:56:41 +00:00
jdolecek
20d2b45d7d fix bug introduced in rev 1.70 - in the "keep state" & "oow" flag check,
ensure a pointer to a state structure is non-NULL before dereferencing

Fixes PR kern/26927 by me and PR kern/26947 by Brett Lymn
2004-10-03 12:21:13 +00:00
jdolecek
a9bc4a2fda frrequest(): move some variable initializations for clarity
no functional change
2004-10-03 12:16:32 +00:00
jdolecek
46134b3da6 move ip_htable.h from sys/netinet/ to sys/dist/ipf/netinet/, it's ipfilter file 2004-10-02 07:59:14 +00:00
christos
d0905be2d3 moved from sys/netinet. 2004-10-02 07:51:53 +00:00
christos
f33294b6a4 Moved from sys/netinet as part of the ipfilter separation. 2004-10-01 15:25:59 +00:00
dyoung
34a3fbf64e "RB_PROTOTYPE();" does not lint because you end up with two
consecutive semicolons, so let's use RB_PROTOTYPE() alone.
2004-09-28 00:14:02 +00:00
yamt
d37ce14181 pflog_packet: use bpf_mtap2().
(our bpf_mtap() is more "strict" about mbufs
than openbsd's one is.  eg. M_PKTHDR should be set properly.)
2004-09-10 08:48:32 +00:00
yamt
c3b066f850 pull following fixes from openbsd. ok'ed by itojun.
> ----------------------------
> revision 1.58
> date: 2004/06/23 04:34:17;  author: mcbride;  state: Exp;  lines: +5 -3
> pfr_commit_ktable calls functions that can result in the current
> ktable being destroyed, which makes it unsafe in a SLIST_FOREACH.
>
> Fix from Chris Pascoe
> ----------------------------
> revision 1.56
> date: 2004/06/11 05:21:20;  author: mcbride;  state: Exp;  lines: +5 -3
> Eliminate a dereference after pool_put when an inactive/no-longer referenced
> table is destroyed in pfr_setflags_ktable.
>
> Fix from Chris Pascoe
> ----------------------------
2004-09-09 14:56:00 +00:00
yamt
31715f4eb9 remove no longer needed caddr_t casts to reduce diffs from openbsd. 2004-09-08 12:11:25 +00:00
yamt
421ffa4969 pfil4_wrapper, pfil6_wrapper:
ensure that mbufs are writable beforehand as pf assumes it.
PR/26433.
2004-09-06 10:01:39 +00:00
yamt
0370fc7128 - rename PFIL_NEWIF to PFIL_IFNET, and handle interface detach events
as well.
- use it for pf(4).

mostly from Peter Postma.  PR/26403.
2004-07-27 12:22:59 +00:00
yamt
46abcaebe4 fix dynaddr tracking.
from Peter Postma, PR/26369.
ok'ed by itojun.
2004-07-26 13:46:43 +00:00
yamt
4f755d07b4 ANSIfy. (inside #ifdef __NetBSD__)
from Peter Postma.
ok'ed by itojun.
2004-07-26 13:45:40 +00:00
yamt
48d156e320 call PFIL_NEWIF hooks at a correct place.
(on SIOCAIFADDR rather than SIOCGIFALIAS.)

from Peter Postma, PR/26402.
ok'ed by itojun.
2004-07-26 13:43:14 +00:00
itojun
0407dd42ae make PF lkm working. from Peter Postma and Joel Wilsson.
remove pf_ioctl_head/pf_newif_head, which was never used.
2004-06-29 04:42:54 +00:00
itojun
ce0e658ff3 PR kern/26011: pf leaks mbufs on disallowed packets. Peter Postma 2004-06-25 13:17:01 +00:00
martin
149fa38cf4 Make it compile on non-IPv6 kernels. 2004-06-22 18:59:14 +00:00
martin
be9dcae132 Fix formatting for 64 bit archs. This fixes PR port-sparc64/26010.
While there, make it compile for non-INET6 aware kernels.
2004-06-22 18:37:49 +00:00