Commit Graph

49 Commits

Author SHA1 Message Date
martti 5aaa8070be Remove unused ipl_usec. 2002-09-29 17:55:14 +00:00
martti 15e6ca78da Fix ipmon problems on 64-bit platforms (PR#17403 and PR#17404). 2002-09-25 06:43:17 +00:00
martti b69124b84c Resync with official IPF 2002-09-19 08:12:43 +00:00
martti 87f18f024e Upgraded IPFilter to 3.4.29 2002-09-19 08:08:14 +00:00
christos dad84218d6 Fix iplog problem on sparc64 [from Tomi Nylund]
1. size_t is 64 bits, so use a u_32_t for iplused
	2. microtime() and friends expect a struct timeval,
	   passing the first of two unsigned longs will not cut it.
2002-07-01 13:55:35 +00:00
martti e74092de02 Upgraded IPFilter to 3.4.27 2002-05-02 17:11:37 +00:00
martti 83b3487b70 Upgraded IPFilter to 3.4.25 2002-03-14 12:32:36 +00:00
martti 7a8f11612c Re-sync with IPFilter 2002-01-24 08:23:40 +00:00
martti b9920d0f43 Upgraded IPFilter to 3.4.23 2002-01-24 08:21:30 +00:00
wiz 456dff6cb8 Spell 'occurred' with two 'r's. 2001-09-16 16:34:23 +00:00
mike fb2dc295a6 Resolve conflicts. 2001-03-26 06:11:46 +00:00
thorpej 65fd25ea82 Restructure the PFIL_HOOKS mechanism a bit:
- All packets are passed to PFIL_HOOKS as they come off the wire, i.e.
  fields in protocol headers in network order, etc.
- Allow for multiple hooks to be registered, using a "key" and a "dlt".
  The "dlt" is a BPF data link type, indicating what type of header is
  present.
- INET and INET6 register with key == AF_INET or AF_INET6, and
  dlt == DLT_RAW.
- PFIL_HOOKS now take an argument for the filter hook, and mbuf **,
  an ifnet *, and a direction (PFIL_IN or PFIL_OUT), thus making them
  less IP (really, IP Filter) centric.

Maintain compatibility with IP Filter by adding wrapper functions for
IP Filter.
2000-11-11 00:52:36 +00:00
veego d6dd29c882 Resolve conflicts. 2000-06-12 10:28:20 +00:00
veego c02ef5cc85 Resolve conflicts. 2000-05-23 06:07:42 +00:00
veego 21dea2100c Resolve conflicts. 2000-05-03 11:12:03 +00:00
veego b3bffdf856 Resolve conflicts. 2000-02-01 21:29:15 +00:00
darrenr 1904e0a218 update ipfilter code to 3.3.6 1999-12-28 07:14:53 +00:00
veego 64b2c34646 Resolve conflicts and small fixes. 1999-12-12 11:11:15 +00:00
mrg 2f2fd097ef remove this insanity. appeared with ipfilter 3.2.10... 1998-12-11 23:47:16 +00:00
drochner 914642e439 correction to the previous: protect against _LKM too
pointed out by Todd Whitesel <toddpw@best.com>
1998-12-11 11:57:33 +00:00
drochner 36b809fed6 correcton tp previous: don't try to include kernel option headers in
userland
fixes PR kern/6561 (Takahiro Kambe)
1998-12-11 09:15:42 +00:00
christos c7578c510a defopt 1998-12-10 11:01:01 +00:00
mrg 78db9d7d95 merge ipf 3.2.10 1998-11-22 15:17:18 +00:00
veego 97ab1bd53b Resolve conflicts from the import. 1998-07-12 15:23:59 +00:00
veego a4c89e3e2e Resolve conflicts from the import of IPFilter 3.2.7. 1998-05-29 20:24:36 +00:00
veego 82423e3d01 Resolve conflicts 1998-05-17 16:50:15 +00:00
perry f73530ba55 add/cleanup multiple inclusion protection. 1998-02-10 01:26:19 +00:00
mrg 84ecff38c2 merge ip-filter 3.2.1 1997-11-14 12:40:06 +00:00
mrg 60c28e1f95 sigh. merge ipfilter 3.2 onto the trunk. merge to the branch was a mistake. 1997-10-30 16:08:54 +00:00
veego 4508fb4354 Resolve conflicts from the merge of ipf 3.2beta5. 1997-09-21 18:00:54 +00:00
mrg 02e5531ec7 put back IPFILTER_DEFAULT_BLOCK, as documented in options(4). 1997-07-08 05:54:02 +00:00
veego 29fcbcb000 Use FR_PASS for IPF_DEFAULT_PASS. This can be overwritten with an
options IPF_DEFAULT_PASS=FR_BLOCK in your config file.
1997-07-07 23:08:22 +00:00
thorpej b19b36aff5 Restore original RCS IDs. 1997-07-06 05:29:13 +00:00
thorpej 0feb054b62 - Add a missing #ifdef SOLARIS
- Properly prototype ipfilterattach()/iplattach().
1997-07-06 05:13:40 +00:00
darrenr 729f0dc597 fix conflicts from import 1997-07-05 05:38:14 +00:00
thorpej fa7df10d8b Put the #ifndef _KERNEL prototype of get_unit() in <netinet/ip_fil.h>
since it is needed by other files, in order to compile on 64-bit
architectures.
1997-05-28 04:48:47 +00:00
thorpej 41d4822677 Resolve conflicts from merge of 3.2a7, take 2. Also, eliminate some
silly differences between the NetBSD copy of the code and the
vendor branch, keeping only those which are necessary.  Of those
differences that currently exist, several "portability to NetBSD"
issues, which will be fed back to the ipfilter author.
1997-05-28 00:17:11 +00:00
thorpej e8e871e8ca Make this compile on 32-bit architectures again:
- Don't prototype functions that don't exist, and do prototype those
  that do.
- Get ioctl arguments right (cmd is a u_long in NetBSD).
1997-05-27 01:17:04 +00:00
darrenr 29fab67628 fix conflicts 1997-05-25 12:40:11 +00:00
christos 118a33df24 - Fix indentation of the nested conditionals. It was inconsistent in places.
- Make this compile and work without IPFILTER_LOG, and disable logging by
  default. This can be re-enabled now as a kernel option.
1997-04-15 00:44:42 +00:00
thorpej 0684baea63 Define control device names here; they're needed by kernel and userland. 1997-03-29 19:50:51 +00:00
darrenr 4d1eb7820e use IPLLOG instead of ipllog to easily mask parameters, fix up prototype
problems for compiling to user programs.
1997-03-29 04:39:15 +00:00
thorpej 169a339c7d Centralize the check for NetBSD PFIL_HOOKS code into ip_fil.h, and use
it consistently.
1997-03-29 03:05:14 +00:00
thorpej 7845ea0d16 Fix an ... interesting bug that resulted from namespace collision.
Description:

	- A BSD pseudo-device initialization routine is declared as
		void <pseudo-device name>attach __P((int count));
	  in ioconf.c by config(8).  main() calls these functions
	  from a table.

	- IP Filter has functions iplattach() and ipldetach() (or,
	  in the NetBSD case, were erroneously renamed ipfilterattach()
	  and ipfilterdetach()).  These functions are used to establish
	  and disestablish the IP Filter "filter rule check" hook in
	  the IP input/output stream.  They are declared:
		int iplattach __P((void));
		int ipldetach __P((void));
	  ..and are expected to return a value by iplioctl().

	- When main() calls (by sheer coincidence!) iplattach(),
	  the filter hook is established, and the IP Filter machinery
	  labeled as "initialized".  This causes all packets, whether or
	  not the user intents to use filter rules, to be passed to
	  the filter rule checker if "ipfilter" is configured into the
	  kernel.

	- As a result of the above, a kludge existed to default to
	  passing all packets (I can only assume that when this was
	  originally committed, the symptom of the bug was noticed by
	  the integrator, but the bug not actually found/fixed).

	- In iplioctl(), if the SIOCFRENB ioctl is issued with an
	  argument of "enable" (i.e. user executed "ipf -E"), iplattach()
	  will notice that the machinery is already initialized and
	  return EBUSY.

Fix:

	- Rename iplattach()/ipldetach() to ipl_enable() and ipl_disable().

	- Create a pseudo-device entry stub named ipfilterattach()
	  (NetBSD case) or iplattach() (all other).  This is a noop; none
	  of the machinery should be initialized until the caller expicitly
	  enables the filter with ipf -E.  Add a comment to note that.
1997-03-29 01:57:55 +00:00
thorpej f30d8f327f Resolve conflicts from merge.
XXX !!! XXX !!!
I noticed a few semi-serious bugs while doing this merge, one of which
has existed for a fairly long time.  Some of them are addressed in this
commit (because they caused the kernel to not compile), and are annoted
by "XXX" and "--thorpej".  The other one will be addressed shortly in
a future commit, and, as far as I can tell, affects all operating systems
which IP Filter supports.
1997-03-29 00:54:55 +00:00
scottr 54b157939d Don't include ipfilter.h if building an LKM. 1997-02-19 23:07:57 +00:00
mrg 4c8bfe2630 pseudo-device ipfilter brings in PFIL_HOOKS. 1997-02-18 20:49:32 +00:00
veego 473d4f54d1 Add $NetBSD$ id's and restore the orginal Id's. 1997-01-05 21:32:18 +00:00
mrg c1067a3f4b initial import of darren reed's ip-filter, version 3.1.2. 1997-01-05 13:47:59 +00:00