Commit Graph

31 Commits

Author SHA1 Message Date
martin
65c3e91025 When we call m_makewritable() the mbuf might be copied - so don't use
stale mtod()'d pointers from before.
2005-02-21 22:01:52 +00:00
martti
460bbcc960 Upgraded IPFilter to 4.1.6 2005-02-19 21:30:24 +00:00
martti
76b5d9e30f Import IPFilter 4.1.6 2005-02-19 21:26:02 +00:00
christos
a05a0bbcb8 Deal with possibly uninitialized variable, and tidy up a bit. 2005-02-17 04:14:31 +00:00
christos
9606238d80 There were more broken things aside from the __'s missing. 2005-02-17 03:12:36 +00:00
christos
0a15d30196 Don't forget the trailing __'s in NetBSD Version. Should fix PR/29407. 2005-02-17 02:26:51 +00:00
christos
1b198d8f16 size_t should be cast to unsigned long. 2005-02-09 23:42:30 +00:00
he
f29d7ec0d8 One can't portably print a size_t with an %u format directive.
Since this might be in the kernel, cast to unsigned int before printing.
Fixes build problem for amd64 (and presumably also our other LP64 ports).
2005-02-09 08:21:27 +00:00
he
c05368e398 Make the declaration of oip in fr_send_ip() conditional on INET,
since its use is also conditional on that preprocessor macro.
2005-02-09 08:19:24 +00:00
martti
a023cb1d19 Upgraded IPFilter to 4.1.5 2005-02-08 07:01:52 +00:00
martti
4d6a62d250 Import IPFilter 4.1.5 2005-02-08 06:52:59 +00:00
christos
78ec5c8f06 Disable the oow test because it is broken. It is killing valid packets. 2005-01-16 02:56:22 +00:00
lukem
4ae6a6d6f4 Support -DNOINET6 to disable USE_INET6 (a la the FreeBSD section earlier) 2005-01-10 02:10:47 +00:00
martti
756f26107c Import IPFilter 4.1.3 2004-12-31 11:30:42 +00:00
darrenr
f314fbb0f1 Expand out an unused byte to give each NAT rule a protocol version field,
allowing rules to be set to match only ipv4/ipv6. And so ipnat must be updated
to actually set this field correctly but to keep things working for old
versions of ipnat (that will set this to 0), make the ioctl handler "update"
the 0 to a 4 to keep things working when people just upgrade kernels.  This
forces NAT rule matching to be limited to ipv4 only, here forward, fixing
kern/28662
2004-12-16 17:01:02 +00:00
darrenr
d7859a0415 add an extra sanity check for stepping through TCP header options 2004-12-16 16:37:52 +00:00
christos
64573a67d7 Sprinkle #ifdef INET to make a GENERIC kernel compile with INET undefined. 2004-12-06 02:59:23 +00:00
martin
897d73f414 Patch from PR kern/26839, OK'd as a stopgap fix by Darren. 2004-12-01 08:25:54 +00:00
christos
35a75baff6 PR/28418: Do not drop packets for which we cannot add state, because adding
state is not applicable. The fix just reverts the new code that blocked
packets where fr_addstate() fails. This is not correct in all cases, but
blocking them is a bit drastic and breaks existing functionality. The proper
fix is to change fr_addstate() to return:

- state added
- adding state failed
- adding state is not applicable

and then filter packets only in the second case. I am leaving this for someone
else.
2004-11-25 09:49:12 +00:00
he
4a9ab9770a Apply patch from Darren for the ctype() functions/macros.
Encapsulates the ctype() functions so that the casts are centralized.
2004-11-13 19:14:48 +00:00
he
76d82c7f1f Revert previous, paving the way for Darren's cleaner patch. 2004-11-13 18:43:49 +00:00
he
dd5a52f76d More instances of cast to unsigned char for arguments to ctype functions.
Will also be sent to maintainer for possible inclusion in master source.
2004-11-13 15:19:58 +00:00
darrenr
90032de19d build a new fr_info_t structure in fr_send_ip() and pass it through to
the fastroute function so that it uses accurate packet information about
the packet being sent out rather than the packet received (impacts both
return-rst and return-icmp features.)

PR: kern/27093
2004-10-31 04:52:50 +00:00
darrenr
8fe036145c * Prevent hang when attempting to flush state entries for ipv4 when ipv6
are present or vice versa
* Fix matching of IPv6 state entries when the initial packet is
  sent to a multicast address.  This includes not updating the address as
  being fixed when a second (or further) such packet is seen before a reply.
* Disable code, for now, that limited how many ICMP packets could match a
  state entry based on the number of real packets seen.
2004-10-07 03:57:02 +00:00
darrenr
328bd73105 The change in 1.3 is incorrect - it checks for FI_OOW regardless of what
type of data is stored in the rule (only a valid check for FR_T_IPF rules.)
2004-10-06 15:06:29 +00:00
yamt
2c46ccce37 move netinet/ip_lookup.h -> dist/ipf/netinet/ip_lookup.h. 2004-10-05 04:56:41 +00:00
jdolecek
20d2b45d7d fix bug introduced in rev 1.70 - in the "keep state" & "oow" flag check,
ensure a pointer to a state structure is non-NULL before dereferencing

Fixes PR kern/26927 by me and PR kern/26947 by Brett Lymn
2004-10-03 12:21:13 +00:00
jdolecek
a9bc4a2fda frrequest(): move some variable initializations for clarity
no functional change
2004-10-03 12:16:32 +00:00
jdolecek
46134b3da6 move ip_htable.h from sys/netinet/ to sys/dist/ipf/netinet/, it's an ipfilter file 2004-10-02 07:59:14 +00:00
christos
d0905be2d3 moved from sys/netinet. 2004-10-02 07:51:53 +00:00
christos
f33294b6a4 Moved from sys/netinet as part of the ipfilter separation. 2004-10-01 15:25:59 +00:00