Commit Graph

928 Commits

Author SHA1 Message Date
itojun 29a4fb39d9 minor typo. s/iPsec/IPsec/ 2000-08-30 15:04:45 +00:00
simonb 94d3076df3 #define<tab> cleanup. 2000-08-28 02:12:22 +00:00
itojun 26dc854c41 make sure anonport{min,max} is not negative number 2000-08-26 10:41:29 +00:00
tron a97bfde931 Add new sysctl variables "net.inet.ip.lowportmin" and
"net.inet.ip.lowportmax" which can be used to the set minimum
and maximum port number assigned to sockets using
IP_PORTRANGE_LOW.
2000-08-25 13:35:05 +00:00
mjl 8358c07048 Add bpf tap to gre interface. 2000-08-25 00:51:20 +00:00
sommerfeld 867ca7767a Fill in next mtu field of NEEDFRAG ICMP error message.
From Marc Horowitz, pr10857
2000-08-22 16:02:16 +00:00
itojun 32e6a89b31 net.inet.tcp.rstratelimit is deprecated. make it invalid and return
ENOPROTOOPT.
2000-08-15 22:13:02 +00:00
jhawk b70721109d Add kernel counters for arp events, displayable with netstat -s -f arp 2000-08-15 20:24:57 +00:00
enami beb808e530 Put # endif directive after the right (i.e., matching) close brace
to prevent compilation error.
2000-08-12 14:17:13 +00:00
veego fea1509f80 Apply fix from IWAMOTO Toshihiro in pr#10813:
rev 1.35 of ip_nat.c checks if packets are too short.
 For ICMP packets, this packet length checking double counts
 the length of an IP header contained in ICMP messages.
 So, unless ICMP packets are long enough (such as echo-reply),
 packets are mistakingly considered too short and are dropped.
2000-08-12 08:08:54 +00:00
veego 35df2482b0 Protect a IPLLOG with ifdef IPFILTER_LOG. Patch from Darren Reed. 2000-08-12 08:04:18 +00:00
veego b3d0df91fb Resolve conflicts. 2000-08-09 21:00:39 +00:00
itojun 5e868d1e49 clearifications in icmp6 node query support.
XXX previous commit included "supported qtypes" icmp6 node query support.
sorry commit message was mistaken.
2000-08-03 16:30:37 +00:00
itojun afa5315364 correct typo in #define. ICMP6_NI_SUCESS -> SUCCESS (notice missing C).
sync with kame.
2000-08-03 14:31:04 +00:00
itojun 6574aa66e8 inhibit error code from rtinit(). this happens when we try to assign
multiple addresses from same prefix, onto single interface.  PR 10427.


more info:
- 4.4BSD did not check return code from in_ifinit() at all.
  4.4BSD does not support multiple address from same prefix.
- past KAME change passed in{,6}_ifinit() to upwards, toward ifconfig(8).
  the behavior is filed as PR 10427.
- the commit inhibits EEXIST from rtinit(), hence partially recovers old
  4.4BSD behavior.
- the right thing to happen is to properly support multiple address assignment
  from the same prefix.  KAME tree has more extensive change, however, it needs
  much more time to get stabilized (rtentry refcnt change can cause serious
  issue, we really need to bake it before bring it to netbsd)
2000-08-02 15:03:02 +00:00
thorpej bdb0f01b7c Slight adjustment to last, to allow the userland version to build. 2000-08-01 15:03:51 +00:00
thorpej ead5ad8885 - ipl_enable(): -1 is not an error return. If initializing IP Filter
fails, return EIO instead.

- iplioctl(): If performing a NAT operation, and IP Filter is not
  yet initialized (e.g. by `ipf -E'), enable it implicitly before
  doing the NAT operation.
2000-08-01 03:46:09 +00:00
kleink 079b94ad72 Avoid recursion with traditional cpp. 2000-07-28 12:13:32 +00:00
itojun 63de4c2cb9 nuke the following sysctl variables. "ppsratelimit" should work better.
need to recompile sbin/sysctl after updating /usr/include.
	net.inet.tcp.rstratelimit
	net.inet.icmp.errratelimit
	net.inet6.icmp6.errratelimit
2000-07-28 04:06:52 +00:00
itojun 7abf4641c6 forgot to call tcp6_quench(). sync with kame. 2000-07-28 02:39:45 +00:00
itojun 928dfa5233 do not disable icmp error rate limitation for local address.
local address can be abused too.  pps rate limitation should work fine for
moderate amount of icmp errors.
2000-07-27 11:36:14 +00:00
itojun dd9f2f7f1d implement net.inet.tcp.rstppslimit to limit TCP RSTs by packet-per-second
basis.  default: 100pps

set default value for net.inet.tcp.rstratelimit to 0 (disabled),
NOTE: it does not work right for smaller-than-1/hz interval.  maybe we should
nuke it, or make it impossible to set smaller-than-1/hz value.
2000-07-27 11:34:06 +00:00
itojun a18c2d780f be proactive about unspecified IPv6 source address. pcb layer uses
unspecified address (::) to mean "unbounded" or "unconnected",
and can be confused by packets from outside.

use of :: as source is not documented well in IPv6 specification.

not sure if it presents a real threat.  the worst case scenario is a DoS
against TCP listening socket:
- outsider transmit TCP SYN with :: as IPv6 source
- receiving side creates TCP control block with:
	local address = my addres
	remote address = ::     (meaning "unconnected")
	state = SYN_RCVD
  note that SYN ACK will not be sent due to ip6_output() filter.
  this stays until it timeouts.
- the TCP control block prevents listening TCP control block from
  being contacted (DoS).

udp6/raw6 socket may have similar problem, but as they are connectionless,
it may too much to filter it out.
2000-07-27 06:18:13 +00:00
sommerfeld 73b6d9485c Drop packet, increment udps_badlen if the udp header length field
reports a size smaller than the udp header; defends against bogosity
detected by Assar Westerlund.

This patch and the previous ip_icmp.c change were the joint work of
assar, itojun, and myself.
2000-07-24 03:46:57 +00:00
sommerfeld a0c29e06a3 Improve robustness of icmp_error():
- allow it to work when icmpreturndatabytes is sufficiently large that the
icmp error message doesn't fit in a header mbuf.
 - defend against mbuf chains shorter than their contained ip->ip_len.
2000-07-24 03:32:31 +00:00
itojun ca777cb72c add an DIAGNOSTIC case for MCLBYTES assumption 2000-07-23 05:00:01 +00:00
itojun f5211e847a remove m_pulldown statistics code. it is highly experimental and belong
to kame tree only (not for *bsd).
2000-07-13 05:34:21 +00:00
itojun ab492849bc implement net.inet.icmp.errppslimit.
make default value for net.inet.icmp.erratelimit to 0, as < 10ms value
does not do the right thing.
2000-07-10 09:31:29 +00:00
itojun 8a661b9beb be more cautious about tcp option length field. drop bogus ones earlier.
not sure if there is a real threat or not, but it seems that there's
possibility for overrun/underrun (like non-NOP option with optlen > cnt).
2000-07-09 12:49:08 +00:00
itojun ec67eee51f sync with kame.
introduce in6_{recover,embed}scope, for in-kernel scoped-address manipulation.
improve in6_pcbnotify.
2000-07-07 15:54:16 +00:00
itojun 210a3e2f80 remove unnecessary #include <netkey/key_debug.h>. from kame. 2000-07-06 12:51:39 +00:00
itojun 0a1e211454 - do not use bitfield for router renumbering header.
- add protection mechanism against ND cache corruption due to bad NUD hints.
- more stats
- icmp6 pps limitation.  TOOD: should implement ppsratecheck(9).
2000-07-06 12:36:18 +00:00
thorpej 70140a566d Some slight cleanup. 2000-07-06 04:34:26 +00:00
thorpej 9c86b65a92 Fix an omission in the gre cloning changes. 2000-07-05 22:45:25 +00:00
thorpej 6a900bc9ff Fix some zero-vs-NULL confusion. 2000-07-05 21:45:14 +00:00
thorpej f77f419c50 Make that note that we really should be checking the viftable
in ip_mroute.c for duplicate tunnel entries, too.  Well, what
really needs to happen is that the mrouting code needs to be
changed to work w/ `gif' tunnels... but...
2000-07-05 21:32:51 +00:00
thorpej 4348603862 RFCs 1853, 2003, 2401 -- copy the DF bit. 2000-07-05 21:01:38 +00:00
thorpej e5c397199f Use LIST_HEAD_INITIALIZER(), for correctness sake. 2000-07-05 18:45:26 +00:00
christos f142d4254d added a linted comment about non-portable bitfields. Unfortunately it cannot
be fixed portably.
2000-07-05 02:45:03 +00:00
itojun f0d7296dc1 typo in previous 2000-07-02 21:25:41 +00:00
itojun e29fba4ba7 do not touch struct ip6stat on non-INET6 compilation.
From: Paul Goyette <paul@whooppee.com>
2000-07-02 21:05:41 +00:00
itojun 8ff902fca1 repair kernel faithd(8) support. there were two mistakes:
(1) tcp6_input dropped packets for translation
(2) in6_pcblookup_connect was too strict
2000-07-02 08:04:10 +00:00
sommerfeld 8f2d5e3219 Don't rate-limit ICMP errors from packets we send to ourselves.
The dns resolver depends on reliably receiving errors to allow it to
quickly detect a dead local nameserver.
2000-07-01 21:46:40 +00:00
thorpej c8875e6066 Pass the correct destination address for the route-to-gateway case.
From Zdenek Salvet, kern/10483.
2000-06-30 19:43:53 +00:00
itojun 23f6a4f4e8 remove old mbuf assumption (ip header and tcp header are on the same mbuf).
this is for m_pulldown use. (sync with kame)
2000-06-30 16:44:33 +00:00
mrg cf594a3f4d <vm/vm.h> -> <uvm/uvm_extern.h> 2000-06-28 03:01:16 +00:00
mrg 5ec6fd267b remove include of <vm/vm.h> 2000-06-28 02:59:32 +00:00
kleink d2787dad27 XNS5.2: define sa_family_t and use it where specified by the standard. 2000-06-26 15:48:19 +00:00
mrg 2f159a1bac remove/move more mach vm header files:
<vm/pglist.h> -> <uvm/uvm_pglist.h>
	<vm/vm_inherit.h> -> <uvm/uvm_inherit.h>
	<vm/vm_kern.h> -> into <uvm/uvm_extern.h>
	<vm/vm_object.h> -> nothing
	<vm/vm_pager.h> -> into <uvm/uvm_pager.h>

also includes a bunch of <vm/vm_page.h> include removals (due to redudancy
with <vm/vm.h>), and a scattering of other similar headers.
2000-06-26 14:20:25 +00:00
matt e21a3d997c Don't copy M_EXT mbufs unless in "dhcp" mode. Do a mtod after the pullup
to make sure the ip pointer is still valid.
2000-06-16 20:21:26 +00:00
itojun 07098cd363 better conformance to draft-ietf-ipngwg-icmp-name-lookups-05.
the old code was chimera of 03 and 05 draft.

-n by default, since IPv6 reverse lookup takes too much time.
use -H to enable reverse name lookup.
2000-06-12 16:21:02 +00:00
veego ecbf42696a Remove a duplicated check for the NetBSD callout (I think it is a mistake
from a previous conflict resolve which doesn't cause harm).
2000-06-12 10:41:36 +00:00
veego 886013b9e7 Ups, forgot to resolve one place. 2000-06-12 10:29:36 +00:00
veego d6dd29c882 Resolve conflicts. 2000-06-12 10:28:20 +00:00
darrenr bae005d1db add icmpreturndatabytes kernel variable (default 8) which specifies the
number of extra data bytes to return in ICMP error messages.  This is
also available via sysctl as net.icmp.returndatabytes and is limited to
[8,512].
2000-06-10 12:39:19 +00:00
itojun 8987054176 pass struct proc * down to udp6_output and in6_pcbbind. 2000-06-05 06:38:22 +00:00
veego c02ef5cc85 Resolve conflicts. 2000-05-23 06:07:42 +00:00
itojun 5de72de121 disallow negative numbers for ratelimit interval (tcp, icmp, icmp6). 2000-05-22 12:08:43 +00:00
veego b0c4d85748 Add a missing ; at the end of a line. 2000-05-21 18:47:00 +00:00
veego 4c4ad1d1a5 Resolve conflicts. 2000-05-21 18:45:53 +00:00
jhawk ca31d672e2 Install "show arptab" (db_show_arptab) in the ddb command tree.
Move prototype from netinet/if_inarp.h to ddb/db_interface.h.
Change function to have standard ddb parameters (though they're
ignored).
2000-05-20 03:08:41 +00:00
veego 8db28cd918 Resolve conflicts and fix a compile error in ip_ftp_pxy.c. 2000-05-11 19:46:05 +00:00
itojun 8a0fabf8cf add missing boundary checks to ip options processing.
correct timestamp option validation (len and ptr upper/lower bound
based on RFC791).
fill "pointer" field for parameter problem in timestamp option processing.
2000-05-10 03:31:30 +00:00
itojun b3c4ed6cf7 correct more out-of-bounds memory access, if cnt == 1 and optlen > 1. 2000-05-10 01:19:44 +00:00
itojun 4a12628c71 correct out-of-bound access when hlen == 1 and opt > 1.
reviewed by darren, darren committed to freebsd fil.c (1.12 -> 1.13)
so it should be correct enough.
2000-05-10 00:08:03 +00:00
sommerfeld 90f481ef3f Handle large offsets with very small options correctly. 2000-05-06 16:35:14 +00:00
mycroft 176e840713 GC in_interfaces. 2000-05-06 02:41:32 +00:00
matt 650107086a remove superfluous test (snd_una is always > iss since th_ack must > iss
(first test at start of case) and th_ack is assigned to snd_una).
2000-05-05 15:05:29 +00:00
matt 5a6e4c896c From PR #3733: Only disarm timer if SYN contained the ACK bit since if
it didn't it would be a crossing/simultaneous SYN and doesn't mean the
remote TCP received our SYN.
2000-05-05 14:51:46 +00:00
veego 21dea2100c Resolve conflicts. 2000-05-03 11:12:03 +00:00
sommerfeld a5ff71cecc One more __attribute__((__packed__)) to dissuade egcs from making
unwarranted asumptions about the structure's alignment.
2000-05-02 14:15:07 +00:00
itojun 3075a916cc sync with more recent kame. defer inclusion of net/if_gif.h. 2000-04-26 05:36:41 +00:00
enami c63f06acd3 IN_MULTICAST() takes in_addr.s_addr as argument, not pointer to it. 2000-04-20 01:59:22 +00:00
itojun d300ce3942 add net/if_stf.h and netinet/ip_encap.h (almost noone will include them though) 2000-04-19 06:39:15 +00:00
itojun 3909133548 introduce sys/netinet/ip_encap.c, to dispatch inbound packets
to protocol handlers, based on src/dst (for ip proto #4/41).
see comment in ip_encap.c for details of the problem we have.
there are too many protocol specs for ip proto #4/41.
backward compatibility with MROUTING case is now provided in ip_encap.c.

fix ipip to work with gif (using ip_encap.c).  sorry for breakage.

gif now uses ip_encap.c.

introduce stf pseudo interface (implements 6to4, another IPv6-over-IPv4 code
with ip proto #41).
2000-04-19 06:30:51 +00:00
chs e34eb900c0 remove an LBL ifdef that we can't turn on anyway. 2000-04-16 20:59:49 +00:00
chs 46faa6bb58 remove ifdefs to skip htons() on some big-endian platforms. 2000-04-16 20:58:52 +00:00
is ab879a6479 Copy M_BCAST and M_MCAST flags when fragmenting a packet (else
Multicast packets won't be send to the correct link layer address
by the interface driver).
By Artur Grabowski, PR 9772.
2000-04-13 11:48:07 +00:00
enami 97ba34b80b - Unselect the multicast outgoing interface if it is being detached.
- Drop the multicast membership if we are joining through the interface
  being detached.
2000-04-03 03:51:16 +00:00
enami 107aabc200 Bump the reference count of ifaddr while it is refered through in_multi. 2000-04-03 03:50:05 +00:00
jdolecek c42f28d24a Since last duplicate prototype cleanup, we need to include
<netinet/ip_mroute.h> to get ip_mforward() prototype if MROUTING
is defined.
2000-03-31 14:31:03 +00:00
jdolecek a59a99b6dc Slighly improve previous - only include <netinet/ip_mroute.h> if MROUTING
is defined.
2000-03-31 14:27:17 +00:00
jdolecek c2acbd102b include <netinet/ip_mroute.h> for ip_mforward() - needed after
last duplicate prototype sweep (prototype for ip_mforward() used to be in <netinet/ip_var.h>)
2000-03-31 08:34:20 +00:00
augustss 8529438fe6 Remove register declarations. 2000-03-30 12:51:13 +00:00
simonb 75c4560a75 Delete reduncdant decl of inetctlerrmap - it's in <netinet/in_var.h>. 2000-03-30 02:39:37 +00:00
simonb 1058c2aba9 Delete redundant decl of zeroin6_addr, it's in <netinet6/in6_var.h>. 2000-03-30 02:38:53 +00:00
simonb c85fbea607 Delete redundant decl of ip_gif_ttl - it's in <netinet/in_gif.h>.
Delete redundant decl of ip_mforward() - it's in <netinet/ip_mroute.h>.
2000-03-30 02:37:40 +00:00
simonb c2693b78a0 Delete uninitialised declaration of ip_defttl - there's an initialised
decl earlier in this file.
2000-03-30 02:35:24 +00:00
simonb d1fd2a6b54 Delete redundant decl of in_socktrim() - it's in <netinet/in.h>. 2000-03-30 02:33:45 +00:00
simonb e4c5993774 Extern decl of arpintrq. 2000-03-30 02:32:57 +00:00
thorpej 66470ad12d Pull in <sys/callout.h> for the benefit of userland. 2000-03-24 22:40:11 +00:00
thorpej fc96443d15 New callout mechanism with two major improvements over the old
timeout()/untimeout() API:
- Clients supply callout handle storage, thus eliminating problems of
  resource allocation.
- Insertion and removal of callouts is constant time, important as
  this facility is used quite a lot in the kernel.

The old timeout()/untimeout() API has been removed from the kernel.
2000-03-23 07:01:25 +00:00
ws 7da71e5f9e Make IPKDB working again.
Add support for i386 debugging and pci-based ne2000 boards.
2000-03-22 20:58:25 +00:00
itojun 2dbc76c437 tabify a line. 2000-03-22 06:10:39 +00:00
itojun 19b198e8c2 improve comment (about undo'ing code on in{,6}_ifinit failure) 2000-03-21 11:23:31 +00:00
itojun d926d6fa47 #if 0'ed undo code for interface address addition failure.
it was a bit too strong, and forbids multiple addresses from
same prefix to be assigned.

now the behavior is the same as previous - memory leak on interface address
addition failure.
http://orange.kame.net/dev/query-pr.cgi?pr=218
2000-03-18 02:41:58 +00:00
itojun 9f8cac1f16 undo interface address addition attempt, when in_ifinit fails.
(this basically avoids memory leakage)
2000-03-12 05:01:16 +00:00
thorpej 0fcf68825f Back out previous, and adjust a comment. 2000-03-10 22:39:03 +00:00
itojun 673e8e6fad move IPPROTO_DONE to IPPROTO_xx group 2000-03-10 15:30:55 +00:00
itojun 402493dee5 change member name for icmp6_filter, to be conformant to RFC2292.
From: Francis Dupont
2000-03-09 21:26:16 +00:00
thorpej d315d42657 Back out part of 1.104 which isn't actually needed. 2000-03-07 05:39:57 +00:00
mycroft 5a212f7999 Fix a splx() botch or two. 2000-03-07 04:58:35 +00:00
itojun 6a70fada85 allow SIOCDIFADDR with AF_UNSPEC address by default, until we fix ifconfig(8).
(should be COMPAT_43)
2000-03-06 19:33:13 +00:00
itojun be78177ba2 comment fix, sync with kame. 2000-03-03 17:42:14 +00:00
itojun 38441b4ae3 remove unnecessary ttl initialization which I mistakingly bringed in
during KAME merge (this is part of WIDE's expeirmental reass code...)
NetBSD PR: 9412
From: Wolfgang Rupprecht <wolfgang@wsrcc.com>
Fix from: ho@crt.se
itojun was notified from: theo
2000-03-03 13:07:42 +00:00
thorpej 754bba7b6c Avoid a bug in GCC which manifests itself when processing unaligned
IP options.  Problem pointed out by Matt Hargett and Erik Fair, analyzed
by me.
2000-03-02 06:07:36 +00:00
itojun 04ac848d6f introduce m->m_pkthdr.aux to hold random data which needs to be passed
between protocol handlers.

ipsec socket pointers, ipsec decryption/auth information, tunnel
decapsulation information are in my mind - there can be several other usage.
at this moment, we use this for ipsec socket pointer passing.  this will
avoid reuse of m->m_pkthdr.rcvif in ipsec code.

due to the change, MHLEN will be decreased by sizeof(void *) - for example,
for i386, MHLEN was 100 bytes, but is now 96 bytes.
we may want to increase MSIZE from 128 to 256 for some of our architectures.

take caution if you use it for keeping some data item for long period
of time - use extra caution on M_PREPEND() or m_adj(), as they may result
in loss of m->m_pkthdr.aux pointer (and mbuf leak).

this will bump kernel version.

(as discussed in tech-net, tested in kame tree)
2000-03-01 12:49:27 +00:00
itojun 5c1b7efe97 avoid copy-overwrite-copy on incoming udp4 checksum. use in4_cksum
which takes care of pseudo header checksum without overwrites.
2000-02-29 16:21:56 +00:00
itojun 82ab98145f ensure tcp window size does not overflow (16bit unsigned after window scale).
FreeBSD PR: 16914
2000-02-29 05:25:49 +00:00
itojun cdea88d700 support draft-ietf-ipngwg-icmp-name-lookups-05.txt, drop support for
draft-ietf-ipngwg-icmp-name-lookups-04.txt.

There are certain bitfield change in 04 draft to 05 draft, which makes
04 "ping6 -a" and 05 "ping6 -a" not interoperable.  sigh.
2000-02-28 13:48:50 +00:00
itojun bbe25244d0 remove some of cross-BSD portability #ifdef.
remove xxCTL_VARS, which is BSDI specific.
2000-02-28 12:08:21 +00:00
itojun 1450d6e643 bring in recent KAME changes (only important and stable ones, as usual).
- remove net.inet6.ip6.nd6_proxyall.  introduce proxy NDP code works
  just like "arp -s".
- revise source address selection.
  be more careful about use of yet-to-be-valid addresses as source.
- as router, transmit ICMP6_DST_UNREACH_BEYONDSCOPE against out-of-scope
  packet forwarding attempt.
- path MTU discovery takes care of routing header properly.
- be more strict about mbuf chain parsing.
2000-02-26 08:39:18 +00:00
itojun c1e70a6c0a allow AF_UNSPEC for SIOCDIFADDR. ISC DHCP client depends on this behavior. 2000-02-25 08:51:35 +00:00
itojun abf6ccac96 backout previous commit (sanity check for family) - it seems to be doing
something wrong.  i'll revise it soon.
2000-02-25 08:37:05 +00:00
itojun 3c0960474d reject non-AF_INET addresses on ioctl.
without this, we can configure invalid sockaddrs, for example,
sa_family == 0 (and we can never remove them!)
2000-02-25 07:11:38 +00:00
itojun 729dcf0da4 hide declaration of IP6_EXTHDR_{GET,CHECK} from userland. 2000-02-24 09:55:24 +00:00
itojun 6a1af46504 don't transmit ICMPv4 packet back, if the original packet was encyrpted. 2000-02-24 09:54:49 +00:00
darrenr 4b3916780b pass "struct pfil_head *" to pfil_add_hook and pfil_remove hook rather
than "struct protosw *".
2000-02-20 00:56:33 +00:00
darrenr fd7edad6c3 Change the use of pfil hooks. There is no longer a single list of all
pfil information, instead, struct protosw now contains a structure
which caontains list heads, etc.  The per-protosw pfil struct is passed
to pfil_hook_get(), along with an in/out flag to get the head of the
relevant filter list.  This has been done for only IPv4 and IPv6, at
present, with these patches only enabling filtering for IPPROTO_IP and
IPPROTO_IPV6, although it is possible to have tcp/udp, etc, dedicated
filters now also.  The ipfilter code has been updated to only filter
IPv4 packets - next major release of ipfilter is required for ipv6.
2000-02-17 10:59:32 +00:00
itojun 729f693364 - if ip_dst matches address on !IFF_UP interface, and
- there's no match against addresses on IFF_UP interface,
send icmp unreach if I'm router.  drop it if I'm host.

Revised version of PR: 9387 from nrt@iij.ad.jp.  Discussed with thorpej+nrt.
2000-02-16 12:40:40 +00:00
thorpej b178e1f58c Add support for rate-limiting RSTs sent in response to no socket for
an incoming packet.  Default minimum interval is 10ms.  The interval
is changeable via the "net.inet.tcp.rstratelimit" sysctl variable.
2000-02-15 19:54:11 +00:00
thorpej f3b975e9a4 Add ICMP error rate limiting, based on the same for ICMP6.
Note, we're reusing the previously unused slot for "MTU discovery" (which
was moved to the "net.inet.ip" branch of the sysctl tree quite some time
ago).
2000-02-15 04:03:49 +00:00
itojun 800897b12f make assumption on mbuf explicit (m->m_len >= sizeof (struct ip)). 2000-02-15 00:42:22 +00:00
thorpej fd4ed9b425 Typo (Thanks, Havard :-) 2000-02-12 18:00:00 +00:00
thorpej 46f7b67929 Small cosmetic change, and note a place where a statistic should be
gathered.
2000-02-12 17:45:44 +00:00
thorpej 312cb38ccb In the tcp_input() path:
- Filter out multicast destinations explicitly for every incoming packet,
  not just SYNs.  Previously, non-SYN multicast destination would be
  filtered out as a side effect of PCB lookup.  Remove now redundant
  similar checks in the dropwithreset case and in syn_cache_add().
- Defer the TCP checksum until we know that we want to process the
  packet (i.e. have a non-CLOSED connection or a listen socket).
2000-02-12 17:19:34 +00:00
itojun 82b005364c don't increase both "no port on broadcast packet" and "no port" stat.
increasing both of them will result in negative number on udp
"delivered" stat on netstat(8), since netstat computes number of delivered
packet by subtracting them from number of inbound packets.
2000-02-11 10:43:36 +00:00
itojun 46dfa55555 fix in-kernel packet forwarding loop (till TTL becomes 0) when:
- a packet is delivered to an address X,
- and the address X is configured on my !IFF_UP interface
- and ipforwarding=1

NetBSD PR: 9387
From: nrt@iij.ad.jp
2000-02-11 05:57:58 +00:00
itojun ff0fe5df65 fix ip4 protosw.
gif interface and gre interface should be able to coexist.
2000-02-10 14:44:28 +00:00
itojun 59d74f3d21 to improve RFC2553/2292 compliance, and promote use of
RFC2553/2292-compliant header file path, now the following headers are
forbidden:
	netinet6/ip6.h
	netinet6/icmp6.h
	netinet6/in6.h

if you want netinet6/{ip6,icmp6}.h, use netinet/{ip6,icmp6}.h.

if you want netinet6/in6.h, you just need to include netinet/in.h.
it pulls it in.
(we may need to integrate them into netinet/in.h, but for cross-BSD code
sharing i'd like to keep it like this for now)
2000-02-09 00:54:55 +00:00
itojun 4f53db2499 optimize mbuf allocation for ip/tcp/tcpopt part. 2000-02-09 00:50:40 +00:00
veego aa4732525f Fix from Darren Reed for the test failure of f11. 2000-02-07 13:58:00 +00:00
itojun 2687887f38 s/DIAGNOSTIC/DEBUG/ 2000-02-07 06:15:16 +00:00
itojun 51219dabc9 to be more rfc2292 complient, move ip6.h and icmp6.h into netinet.
(netinet6/{ip6,icmp6}.h is non-standard path - these files should go away)

it was not possible to use cvsmove in this case.
when you try to look at history, chase it toward netinet6/{ip6,icmp6}.h.
2000-02-06 11:11:29 +00:00
itojun 76064f5770 don't chase mbuf pointer when it is NULL. 2000-02-06 08:06:43 +00:00
itojun f91ee608a9 avoid calling in6_control(SIOCDIFADDR_IN6) from interrupt context.
it is not supposed to work.
logging fix: add "\n" to some of log() in in6_prefix.c.

improve in6_ifdetach().  now almost all structure depend on ifnet
will be cleared up.
possible loose ends:
- cached route_in6 in static varaiables needs to be cleared as well
- there are ifaddr manipulation without reference counting,
  which should be fixed
we still see panics after card removal, though...  not sure what is left.

(sync with kame)
2000-02-04 14:34:22 +00:00
thorpej c1185c1020 PRU_PURGEADDR -> PRU_PURGEIF, per a discussion w/ itojun. In the IPv4
and IPv6 code, also use this to traverse PCB tables, looking for cached
routes referencing the dying ifnet, forcing them to be refreshed.
2000-02-02 23:28:08 +00:00
thorpej d844a3ac41 First-draft if_detach() implementation, originally from Bill Studnemund,
although this version has been changed somewhat:
- reference counting on ifaddrs isn't as complete as Bill's original
  work was.  This is hard to get right, and we should attack one
  protocol at a time.
- This doesn't do reference counting or dynamic allocation of ifnets yet.
- This version introduces a new PRU -- PRU_PURGEADDR, which is used to
  purge an ifaddr from a protocol.  The old method Bill used didn't work
  on all protocols, and it only worked on some because it was Very Lucky.

This mostly works ... i.e. works for my USB Ethernet, except for a dangling
ifaddr reference left by the IPv6 code; have not yet tracked this down.
2000-02-01 22:52:04 +00:00
veego 064dbd29ad Only print one 'IP Filter:' line when it gets enabled or disabled. 2000-02-01 21:41:36 +00:00
veego b3bffdf856 Resolve conflicts. 2000-02-01 21:29:15 +00:00
thorpej 3b5706e2e5 Fix a couple of whitespace glitches. 2000-02-01 00:07:50 +00:00
thorpej 637a2eee6e Use ifatoia() and sintosa() consistently, rather than using home-grown
casting macros intermixed.
2000-02-01 00:07:09 +00:00
thorpej 1cb24101b9 Small amount of cosmetic cleanup. 2000-02-01 00:05:07 +00:00
itojun 1a2a1e2b1f bring in latest KAME ipsec tree.
- interop issues in ipcomp is fixed
- padding type (after ESP) is configurable
- key database memory management (need more fixes)
- policy specification is revisited

XXX m->m_pkthdr.rcvif is still overloaded - hope to fix it soon
2000-01-31 14:18:52 +00:00
itojun 63fd2c0262 destination port == 0 is illegal based on RFC768.
(NetBSD PR: 9137 - I thought I committed this already but I wasn't)
2000-01-31 10:39:26 +00:00
sommerfeld 62224d5f23 Pick source address for ICMP errors a bit more intelligently when
there are multiple addresses on the interface.

From Marc Horowitz <marc@netbsd.org>, who left this sitting for too long.
2000-01-25 17:07:56 +00:00
itojun b3761abef8 remove extra portability #ifdef (like #ifdef __FreeBSD__) in KAME IPv6/IPsec
code, from netbsd-current repository.
#ifdef'ed version is always available from ftp.kame.net.

XXX please do not make too many diff-unfriendly changes, we'll need to take
bunch of diffs on upgrade...
2000-01-06 15:46:07 +00:00
itojun ec63b40402 remove too much portability code in KAME, to improve readability. 2000-01-06 07:31:07 +00:00
itojun 2e904aec57 make IPV6_BINDV6ONLY setsockopt available. it controls behavior of
AF_INET6 wildcard listening socket.  heavily documented in ip6(4).
net.inet6.ip6.bindv6only defines default value.  default is 1.

"options INET6_BINDV6ONLY" removes any code fragment that supports
IPV6_BINDV6ONLY == 0 case (not defopt'ed as use of this is rare).
2000-01-06 06:41:18 +00:00
veego a7c3d2263b Fix a panic which was mentioned on the ipfilter mailing list.
Patch from Darren send to the mailing list after he released 3.3.6 and
did a bad job with using the wrong way to update the NetBSD version
of ipfilter.
1999-12-29 08:19:07 +00:00
darrenr 1904e0a218 update ipfilter code to 3.3.6 1999-12-28 07:14:53 +00:00
itojun dc0f1c0435 drop IPv6 packets with v4 mapped address on src/dst. they are illegal
and may be used to fool IPv6 implementations (by using ::ffff:127.0.0.1 as
source you may be able to pretend the packet is from local node)
1999-12-22 04:03:01 +00:00
itojun 8bd9534970 avoid shared cluster mbuf overwrite on multicast packet loopback.
(bsdi and freebsd fixed this a long time ago...)

PR: 9020
From: pavlin@catarina.usc.edu
1999-12-20 05:46:33 +00:00
itojun abddb5f851 do not overwrite traffic class field when we write IPv6 version field. 1999-12-15 06:28:43 +00:00
is 43aa150a4e Handle packets to 255.255.255.255 like multicast packets. Fixes PR 7682 by
Darren Reed.
1999-12-13 17:04:11 +00:00
itojun ea861f0183 sync IPv6 part with latest KAME tree. IPsec part is left unmodified
due to massive changes in KAME side.
- IPv6 output goes through nd6_output
- faith can capture IPv4 packets as well - you can run IPv4-to-IPv6 translator
  using heavily modified DNS servers
- per-interface statistics (required for IPv6 MIB)
- interface autoconfig is revisited
- udp input handling has a big change for mapped address support.
- introduce in4_cksum() for non-overwriting checksumming
- introduce m_pulldown()
- neighbor discovery cleanups/improvements
- netinet/in.h strictly conforms to RFC2553 (no extra defs visible to userland)
- IFA_STATS is fixed a bit (not tested)
- and more more more.

TODO:
- cleanup os-independency #ifdef
- avoid rcvif dual use (for IPsec) to help ifdetach

(sorry for jumbo commit, I can't separate this any more...)
1999-12-13 15:17:17 +00:00
ragge 713b50cde9 Avoid GCC complaints (under some circumstances). 1999-12-12 19:51:49 +00:00
itojun 5bb1c57bee sync with latest KAME (rcsid only). 1999-12-12 16:19:40 +00:00
itojun 2f49a03b86 do not use member of sockaddr_storage directly.
(if the definition is like in rfc2553) they are not supposed to be used.

XXX i'm trying to change rfc2553 sockaddr_storage definition to include
"ss_len" and "ss_family".  see ipngwg.  situation might change soon.
1999-12-12 15:57:07 +00:00
veego 64b2c34646 Resolve conflicts and small fixes. 1999-12-12 11:11:15 +00:00
veego 99f380af25 Import a few IP Filter 3.3.5 files under sys/netinet. 1999-12-12 10:57:57 +00:00
itojun 4d757da195 implement upper-layer reachability confirmation for IPv6 ND (RFC2461 7.3.1).
fix code to reject "tcp to IPv6 anycast".

sync with recent KAME.
1999-12-11 09:55:14 +00:00
itojun 313f5eb9cd do not drop from IP header to tcp option until sbappend(), to reduce
requirement to mbuf chain.
part of KAME sync, committed separately for its (possible) impact.
1999-12-08 16:22:20 +00:00
itojun bbb8727584 bring in latest KAME (as of 19991130, KAME/NetBSD141) into kame branch
just for reference purposes.
This commit includes 1.4 -> 1.4.1 sync for kame branch.

The branch does not compile at all (due to the lack of ALTQ and some other
source code).  Please do not try to modify the branch, this is just for
referenre purposes.

synchronization to latest KAME will take place on HEAD branch soon.
1999-11-30 13:34:47 +00:00
thorpej 046d593425 Add the `packed' attribute to structures which describe wire protocol data. 1999-11-20 00:37:58 +00:00
bouyer f86517a031 Update protocoles and interfaces stats counters to 64bit.
RTM_IFINFO is now 0xf, 0xe is RTM_OIFINFO which returns the old (if_msghdr14)
struct with 32bit counters (binary compat, conditioned on COMPAT_14).
Same for sysctl: node 3 is renamed NET_RT_OIFLIST, NET_RT_IFLIST is now node 4.
Change rt_msg1() to add an mbuf to the mbuf chain instead of just panic()
when the message is larger than MHLEN.
1999-11-19 10:41:41 +00:00
itojun 90fe937b44 disable ipflow (IPv4 fast fowarding) when IPsec is configured into the kernel. 1999-10-26 09:53:17 +00:00
drochner 87568e8d82 defopt the XNS protocol (options NS), clean up the use of related
option headers / defines
1999-10-25 19:18:10 +00:00
sommerfeld f3182098a7 If a packet came in as link-level broadcast or link-level multicast, don't
attempt to fast-forward it out.
1999-10-17 23:38:45 +00:00
sommerfeld c2accd9f9c In ip_forward():
Avoid forwarding ip unicast packets which were contained inside
link-level multicast packets; having M_MCAST still set in the packet
header flags will mean that the packet will get multicast to a bogus
group instead of unicast to the next hop.

Malformed packets like this have occasionally been spotted "in the
wild" on a mediaone cable modem segment which also had multiple netbsd
machines running as router/NAT boxes.

Without this, any subnet with multiple netbsd routers receiving all
multicasts will generate a packet storm on receipt of such a
multicast.  Note that we already do the same check here for link-level
broadcasts; ip6_forward already does this as well.

Note that multicast forwarding does not go through ip_forward().

Adding some code to if_ethersubr to sanity check link-level
vs. ip-level multicast addresses might also be worthwhile.
1999-10-17 16:00:00 +00:00
sommerfeld d0790aa895 in ipfr_fastroute, before calling icmp_error(), put received-interface
back into the packet.  (ip_output() clears it since ipsec reuses that
packet field in the output path.  by putting it back, we're going to
pretend we're back on the input path now).
1999-10-12 14:51:34 +00:00
is f546d949b6 Decouple IP mtu for ARCnet devices from interface MTU.
This is important, because for most protocols, link level fragmentation is
used, but with different default effective MTUs. (e.g.: IPv4 default MTU
is 1500 octets, IPv6 default MTU is 9072 octets).
1999-09-25 17:49:27 +00:00
enami 5326516a15 Make this compile without INET6. 1999-09-23 04:02:27 +00:00
itojun 9474edfcd8 cleanup and correct TCP MSS consideration with IPsec headers.
MSS advertisement must always be:
	max(if mtu) - ip hdr siz - tcp hdr siz
We violated this in the previous code so it was fixed.

tcp_mss_to_advertise() now takes af (af on wire) as its argument,
to compute right ip hdr siz.

tcp_segsize() will take care of IPsec header size.
One thing I'm not really sure is how to handle IPsec header size in
*rxsegsizep (inbound segment size estimation).
The current code subtracts possible *outbound* IPsec size from *rxsegsizep,
hoping that the peer is using the same IPsec policy as me.
It may not be applicable, could TCP gulu please comment...
1999-09-23 02:21:30 +00:00
itojun 6b9bfc0691 - Call in{,6}_pcbdetach if ipsec initialization is failed during PRU_ATTACH.
This situation happens on severe memory shortage.  We may need more
  improvements here and there.
- Grab IEEE802 address from IFT_ETHER card, even if the card is
  inserted after bootup time.  Is there any other card that can be
  inserted afterwards?  pcmcia fddi card? :-P
- RFC2373 u bit handling suggests that we SHOULD NOT copy interface id from
  ethernet card to pseudo interface, when ethernet card has IEEE802/EUI64
  with u bit != 0 (this means that IEEE802/EUI64 is not universally unique).
  Do not use such address as, for example, interface id for gif interface.
  (I have such an ethernet card myself)
  This may change interface id for your gif interface.  be careful upgrading
  rc files.

(sync with recent KAME)
1999-09-13 12:15:54 +00:00
simonb fd8040a031 s/acknowledgment/acknowledgement/ 1999-09-10 03:24:14 +00:00
itojun 4597cff18d fix tcp mss consideration on ipsec operation.
now tcp-over-ipsec should not experience fragmentation due to
addition of ipsec header.

From: proff@suburbia.net (Julian Assange)
1999-08-27 02:56:14 +00:00
itojun a89a69391a clear m->m_pkthdr.rcvif before calling ip_output().
the member is used to pass struct socket to ip{,6}_output for ipsec decisions.

(i agree it is kind of ugly.  we need to modify struct mbuf if we are
to do better - which seems to me a bit too much)
1999-08-26 02:56:59 +00:00
marc 3c1adf9354 when fastrouting a packet which needs fragmentation, the packet passed
to if_output did not have m->m_pkthdr.len set correctly.  Add the code
to do this from the similar code in ip_output.c
1999-08-26 02:15:35 +00:00
thorpej 1e921673e3 Fix a problem discovered by the snd_recover update fix. A bit of the
New Reno fast recovery code was being executed even when New Reno was
disabled, resulting in an unfortunate interaction with the traditional
fast recovery code, the end resulting being that the very condition
that would trigger the traditional fast recovery mechanism caused fast
recovery to be disabled!

Problem reported by Ted Lemon, and some analytical help from Charles Hannum.
1999-08-26 00:04:30 +00:00
itojun 809ab7f1ff When listening socket goes away, remove assockated syn cache entires.
Stale syn cache entries are useless because none of them will be used
if there is no listening socket, as tcp_input looks up listening socket by
in_pcblookup*() before looking into syn cache.

This fixes race condition due to dangling socket pointer from syn cache
entries to listening socket (this was introduced when ipsec is merged in).

This should preserve currently implemented behavior (but not 4.4BSD
behavior prior to syn cache).

Tested in KAME repository before commit, but we'd better run some
regression tests.
1999-08-25 15:23:12 +00:00
itojun d48c55f4f0 ctlinput handling must look at ip6_src, not ip6_dst.
(this makes path mtu handling wrong)
1999-08-25 12:38:14 +00:00
bouyer 4f806e660f Fix for kern/7831 from Darren Reed after discussion on tech-net 2 weeks ago:
check that the packet if of the rigth protocol before giving it to the
proxy module, otherwise let the ipnat code handle it.
What happens in kern/7831 is that a router sends back a icmp message for
a TCP SYN, and ip_proxy.c forwards it to ip_ftp_pxy.c which can only
handle TCP packets. The icmp message is properly handled by ipnat, no need to
go to ip_ftp_pxy.c.
1999-08-24 16:10:35 +00:00
christos d6f8878423 PR/8254: Wolfgang Rupprecht: Incorrect logging of tcp connections; Fix src/dst
confusion.
1999-08-23 14:14:30 +00:00
matt d3448593e5 Cleanup a little kludge in mtu handling in route.c. Bring down FDDI
mtu to legal IP max but don't affect other protocols.
1999-08-21 03:46:35 +00:00
itojun 00cf8638cb do not capture packets by gif, when gif interface is down. 1999-08-20 10:07:40 +00:00
itojun 98fab25334 fix sototcpcb(). this sometimes caused panic on OOB data reception.
the macro may need to be expanded into dedicated function, rather than a macro,
to capture unsupported values.
1999-08-12 16:04:52 +00:00
thorpej af1e02ad91 Fix a few bugs in the TCP New Reno code:
- Make sure that snd_recover is always at least snd_una.  If we don't do
  this, there can be confusion when sequence numbers wrap around on a
  large loss-free data transfer.
- When doing a New Reno retransmit, snd_una hasn't been updated yet,
  and the socket's send buffer has not yet dropped off ACK'd data, so
  don't muddle with snd_una, so that tcp_output() gets the correct data
  offset.
- When doing a New Reno retransmit, make sure the congestion window is
  open one segment beyond the ACK'd data, so that we can actually perform
  the retransmit.

Partially derived from, although more complete than, similar changes in
OpenBSD, which in turn originated from Tom Henderson <tomh@cs.berkeley.edu>.
1999-08-11 17:37:59 +00:00
thorpej e48f29e82b Make sure the echoed RFC 1323 timestamp is valid before using it to
compute the round trip time.  From Mark Allman <mallman@lerc.nasa.gov>.
1999-08-11 03:02:18 +00:00
itojun a9b7fe4621 return with doing nothing from xx_ctlinput(), when sa->sa_family
is not the expected one.

I see PRC_REDIRECT_HOST with sa->sa_family == AF_UNIX coming to
{tcp,udp}_ctlinput() when I use dhclient, and I feel like adding
more sanity checks, without logging - if we log it it is too noisy.
1999-08-09 10:55:29 +00:00
sommerfeld 08e495eda4 Delete debug printfs from arp_drain() 1999-08-05 04:36:56 +00:00
sommerfeld 2aa9696fee Implement arp_drain(), which frees packets tied up in the arp cache if
mbufs are in short supply.
Create a (trivial) protocol domain for arp so that the drain routine will
be called from m_reclaim()
1999-08-05 04:04:28 +00:00
itojun 70ada0957e sync with recent KAME.
- loosen ipsec restriction on packet diredtion.
- revise icmp6 redirect handling on IsRouter bit.
- tcp/udp notification processing (link-local address case)
- cosmetic fixes (better code share across *BSD).
1999-07-31 18:41:15 +00:00
itojun 06c350054d remove reference to in6_systm.h (file itself will be removed afterwords) 1999-07-30 10:35:34 +00:00
itojun 42c5caafe7 do not include unnecessary include files. 1999-07-23 15:21:17 +00:00
itojun 7fee35f579 - implement IPv6 pmtud, which is necessary for TCP6.
- fix memory leak on SO_DEBUG over TCP.
1999-07-22 12:56:56 +00:00
itojun b479094c45 no need to include faith.h on non-IPv6 build, so wrap by #ifdef.
(dunno if it's better to always include it or not)
1999-07-17 12:53:05 +00:00
itojun c74f79d16f fix faith interface support. need testing.
(i understand this is a dirty hack, of course)
1999-07-17 07:07:08 +00:00
itojun 685747d56c Use proper ip protocol # field and tcp hdr on sending RST against SYN,
when ip header and tcp header are not adjacent to each other
(i.e. when ip6 options are attached).

To test this, try
	telnet @::1@::1 port
toward a port without responding server.  Prior to the fix, the kernel will
generate broken RST packet.
1999-07-14 22:37:13 +00:00
drochner 46f90cb053 make sending of keepalive messages work again:
-remove bogus sanity check involving an uninitialized variable
-correct mbuf cluster allocation
-(non-critical) remove redundant check in cleanup after error
1999-07-14 22:08:52 +00:00