Commit Graph

54 Commits

Author SHA1 Message Date
sommerfeld
17aee57321 Relax overly-conservative TCP option parsing used by ipnat when
hunting for an MSS option to clamp.  The previous code assumed that at least
one more byte of options (such as a TCPOPT_EOL) would follow the MSS
option; now, we allow the MSS option to end on the last byte of the
TCP header.

Packets have been observed "in the wild" with a TCP header length of
'6' (24 bytes.. 20 bytes fixed header, 4 bytes options) with a 4-byte
MSS option exactly filling the 4 bytes of options payload and no
following TCPOPT_EOL.

RFC793 is quite explicit that the EOL byte:

	" .. need only be used if the end of the options would not
	otherwise coincide with the end of the TCP header."
2002-09-24 14:14:25 +00:00
martti
b69124b84c Resync with official IPF 2002-09-19 08:12:43 +00:00
martti
87f18f024e Upgraded IPFilter to 3.4.29 2002-09-19 08:08:14 +00:00
itojun
f192b66b94 whitespace 2002-06-09 16:33:36 +00:00
itojun
f45a8e9eb0 typo/bound check fix from YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp> 2002-06-05 13:11:34 +00:00
itojun
fb9b52398c in mss clamping code, do not go past TCPOPT_EOL. enforce stricter
boundary checking.  discussed on tech-net
2002-06-04 10:06:27 +00:00
martti
6f5d858e4b Fix compilation problems 2002-05-02 17:13:27 +00:00
martti
e74092de02 Upgraded IPFilter to 3.4.27 2002-05-02 17:11:37 +00:00
martin
58d564bc8c Add MSS clamping to the IP Filter NAT subsystem.
Configured by a new option "mssclamp" in NAT rules, like:

 map pppoe0 192.168.1.0/24 -> 0/32 mssclamp 1452

This is based on work by Xiaodan Tang <xtang@qnx.com>.
2002-03-14 21:46:54 +00:00
martti
83b3487b70 Upgraded IPFilter to 3.4.25 2002-03-14 12:32:36 +00:00
martti
7a8f11612c Re-sync with IPFilter 2002-01-24 08:23:40 +00:00
martti
b9920d0f43 Upgraded IPFilter to 3.4.23 2002-01-24 08:21:30 +00:00
lukem
2565646230 don't need <sys/types.h> when including <sys/param.h> 2001-11-15 09:47:59 +00:00
lukem
ea1cd7eb08 add RCSIDs 2001-11-13 00:32:34 +00:00
martin
449c740399 Remove tests for IPN_FRAG bits.
There is no place in the source where this bit could ever be set (or I'm
to blind to find it).

This fixes PR 12671.

If someone thinks this is the wrong solution, please make sure to (a) reopen
the PR and (b) explain to me how the tested bits would ever get set. I'll
be glad to then look further for the real cause (i.e. the flags not getting
set in the case described in the PR).
2001-05-20 13:03:39 +00:00
darrenr
0b6031033d fix fragment cache security hole 2001-04-06 15:32:40 +00:00
mike
fb2dc295a6 Resolve conflicts. 2001-03-26 06:11:46 +00:00
chs
09cb38f22b expose the definitions of MIN() and MAX() in sys/param.h to the kernel
and use those in favor of a dozen copies scattered around the source tree.
2001-02-05 10:42:40 +00:00
veego
fea1509f80 Apply fix from IWAMOTO Toshihiro in pr#10813:
rev 1.35 of ip_nat.c checks if packets are too short.
 For ICMP packets, this packet length checking double counts
 the length of an IP header contained in ICMP messages.
 So, unless ICMP packets are long enough (such as echo-reply),
 packets are mistakingly considered too short and are dropped.
2000-08-12 08:08:54 +00:00
veego
b3d0df91fb Resolve conflicts. 2000-08-09 21:00:39 +00:00
veego
d6dd29c882 Resolve conflicts. 2000-06-12 10:28:20 +00:00
veego
4c4ad1d1a5 Resolve conflicts. 2000-05-21 18:45:53 +00:00
veego
8db28cd918 Resolve conflicts and fix a compile error in ip_ftp_pxy.c. 2000-05-11 19:46:05 +00:00
veego
21dea2100c Resolve conflicts. 2000-05-03 11:12:03 +00:00
chs
46faa6bb58 remove ifdefs to skip htons() on some big-endian platforms. 2000-04-16 20:58:52 +00:00
augustss
8529438fe6 Remove register declarations. 2000-03-30 12:51:13 +00:00
veego
b3bffdf856 Resolve conflicts. 2000-02-01 21:29:15 +00:00
darrenr
1904e0a218 update ipfilter code to 3.3.6 1999-12-28 07:14:53 +00:00
veego
64b2c34646 Resolve conflicts and small fixes. 1999-12-12 11:11:15 +00:00
mycroft
c6d172438d Minor cleanup to use LONG_SUM() and CALC_SUMD() more. 1999-03-05 07:27:09 +00:00
cjs
8befad84b1 Remove SCCS markers and make these compile in $NetBSD$ IDs. 1999-02-02 19:57:30 +00:00
mrg
78db9d7d95 merge ipf 3.2.10 1998-11-22 15:17:18 +00:00
drochner
1658ac64a8 fix the previous: "securelevel" in kernel only 1998-11-15 17:36:19 +00:00
tls
da1c106b85 In 'highly secure' mode (securelevel >= 2), the filter lists may not be tampered with. It might be desirable to allow enabling of preset filter lists, but it seems too good a candidate for a denial-of-service attack, so we don't. 1998-11-14 07:42:37 +00:00
veego
97ab1bd53b Resolve conflicts from the import. 1998-07-12 15:23:59 +00:00
veego
a4c89e3e2e Resolve conflicts from the import of IPFilter 3.2.7. 1998-05-29 20:24:36 +00:00
veego
82423e3d01 Resolve conflicts 1998-05-17 16:50:15 +00:00
scottr
81a5bfdf33 Change from IP-Filter 3.2.3: avoid infinite loop in nat_new() when
NAT'ing to a single IP address.
1998-03-29 22:56:00 +00:00
mrg
2a9598ccdf fixes for memory leaks in proxying, and byte ordering problems. from darren reed. 1997-11-25 03:14:11 +00:00
mrg
84ecff38c2 merge ip-filter 3.2.1 1997-11-14 12:40:06 +00:00
mrg
60c28e1f95 sigh. merge ipfilter 3.2 onto the trunk. merge to the branch was a mistake. 1997-10-30 16:08:54 +00:00
veego
4508fb4354 Resolve conflicts from the merge of ipf 3.2beta5. 1997-09-21 18:00:54 +00:00
kleink
512b9c1d90 Nuke an `#ifdef sparc' conditional around ntohs() usage: this (1) is incomplete
and (2) makes no difference anyway.  Also, minor KNF.
1997-07-21 16:53:47 +00:00
kleink
b2bead304f Fix a misplaced brace which caused NAT list corruption; from Dave Huang
<khym@bga.com> in PR kern/3872.
1997-07-16 11:06:07 +00:00
thorpej
b19b36aff5 Restore original RCS IDs. 1997-07-06 05:29:13 +00:00
thorpej
329a831bd5 Deal with a bogus warning from -Wuninitialized. 1997-07-06 05:14:08 +00:00
darrenr
729f0dc597 fix conflicts from import 1997-07-05 05:38:14 +00:00
thorpej
41d4822677 Resolve conflicts from merge of 3.2a7, take 2. Also, eliminate some
silly differences between the NetBSD copy of the code and the
vendor branch, keeping only those which are necessary.  Of those
differences that currently exist, several "portability to NetBSD"
issues, which will be fed back to the ipfilter author.
1997-05-28 00:17:11 +00:00
thorpej
55323c48ca Make this compile on 32-bit architectures again:
- Add prototypes.
- Get arguments to ioctl right (cmd is a u_long in NetBSD)
1997-05-27 01:20:46 +00:00
darrenr
29fab67628 fix conflicts 1997-05-25 12:40:11 +00:00