rev 1.35 of ip_nat.c checks if packets are too short.
For ICMP packets, this packet length checking double counts
the length of an IP header contained in ICMP messages.
So, unless ICMP packets are long enough (such as echo-reply),
packets are mistakingly considered too short and are dropped.
multiple addresses from same prefix, onto single interface. PR 10427.
more info:
- 4.4BSD did not check return code from in_ifinit() at all.
4.4BSD does not support multiple address from same prefix.
- past KAME change passed in{,6}_ifinit() to upwards, toward ifconfig(8).
the behavior is filed as PR 10427.
- the commit inhibits EEXIST from rtinit(), hence partially recovers old
4.4BSD behavior.
- the right thing to happen is to properly support multiple address assignment
from the same prefix. KAME tree has more extensive change, however, it needs
much more time to get stabilized (rtentry refcnt change can cause serious
issue, we really need to bake it before bring it to netbsd)
fails, return EIO instead.
- iplioctl(): If performing a NAT operation, and IP Filter is not
yet initialized (e.g. by `ipf -E'), enable it implicitly before
doing the NAT operation.
basis. default: 100pps
set default value for net.inet.tcp.rstratelimit to 0 (disabled),
NOTE: it does not work right for smaller-than-1/hz interval. maybe we should
nuke it, or make it impossible to set smaller-than-1/hz value.
unspecified address (::) to mean "unbounded" or "unconnected",
and can be confused by packets from outside.
use of :: as source is not documented well in IPv6 specification.
not sure if it presents a real threat. the worst case scenario is a DoS
against TCP listening socket:
- outsider transmit TCP SYN with :: as IPv6 source
- receiving side creates TCP control block with:
local address = my addres
remote address = :: (meaning "unconnected")
state = SYN_RCVD
note that SYN ACK will not be sent due to ip6_output() filter.
this stays until it timeouts.
- the TCP control block prevents listening TCP control block from
being contacted (DoS).
udp6/raw6 socket may have similar problem, but as they are connectionless,
it may too much to filter it out.
reports a size smaller than the udp header; defends against bogosity
detected by Assar Westerlund.
This patch and the previous ip_icmp.c change were the joint work of
assar, itojun, and myself.
- allow it to work when icmpreturndatabytes is sufficiently large that the
icmp error message doesn't fit in a header mbuf.
- defend against mbuf chains shorter than their contained ip->ip_len.
- add protection mechanism against ND cache corruption due to bad NUD hints.
- more stats
- icmp6 pps limitation. TOOD: should implement ppsratecheck(9).
in ip_mroute.c for duplicate tunnel entries, too. Well, what
really needs to happen is that the mrouting code needs to be
changed to work w/ `gif' tunnels... but...
<vm/pglist.h> -> <uvm/uvm_pglist.h>
<vm/vm_inherit.h> -> <uvm/uvm_inherit.h>
<vm/vm_kern.h> -> into <uvm/uvm_extern.h>
<vm/vm_object.h> -> nothing
<vm/vm_pager.h> -> into <uvm/uvm_pager.h>
also includes a bunch of <vm/vm_page.h> include removals (due to redudancy
with <vm/vm.h>), and a scattering of other similar headers.
enami