kleink
b2bead304f
Fix a misplaced brace which caused NAT list corruption; from Dave Huang
<khym@bga.com> in PR kern/3872.
1997-07-16 11:06:07 +00:00
mrg
02e5531ec7
put back IPFILTER_DEFAULT_BLOCK, as documented in options(4).
1997-07-08 05:54:02 +00:00
veego
29fcbcb000
Use FR_PASS for IPF_DEFAULT_PASS. This can be overwritten with an
options IPF_DEFAULT_PASS=FR_BLOCK in your config file.
1997-07-07 23:08:22 +00:00
fvdl
413872caa0
Get rid of (void) cast to KFREE, as it may be a macro, in which case
the cast will be a syntax error.
1997-07-07 22:21:21 +00:00
phil
ccfe711608
Protect against double inclusion. PR 3524.
1997-07-07 20:57:46 +00:00
thorpej
ba90103dd6
The fingerprint of (*fr_checkp)() is the same if compiling in kernel
or user code.
1997-07-06 22:32:34 +00:00
thorpej
e0acb98b94
Fix an old and obscure TCP bug, brought to my attention by Bill Fenner,
fixed in FreeBSD by John Polstra:
Fix a bug (apparently very old) that can cause a TCP connection to
be dropped when it has an unusual traffic pattern. For full details
as well as a test case that demonstrates the failure, see the
referenced PR (FreeBSD's kern/3998).
Under certain circumstances involving the persist state, it is
possible for the receive side's tp->rcv_nxt to advance beyond its
tp->rcv_adv. This causes (tp->rcv_adv - tp->rcv_nxt) to become
negative. However, in the code affected by this fix, that difference
was interpreted as an unsigned number by max(). Since it was
negative, it was taken as a huge unsigned number. The effect was
to cause the receiver to believe that its receive window had negative
size, thereby rejecting all received segments including ACKs. As
the test case shows, this led to fruitless retransmissions and
eventually to a dropped connection. Even connections using the
loopback interface could be dropped. The fix substitutes the signed
imax() for the unsigned max() function.
Bill informs me that his research indicates this bug appeared in Reno.
1997-07-06 07:04:34 +00:00
thorpej
b19b36aff5
Restore original RCS IDs.
1997-07-06 05:29:13 +00:00
thorpej
329a831bd5
Deal with a bogus warning from -Wuninitialized.
1997-07-06 05:14:08 +00:00
thorpej
0feb054b62
- Add a missing #ifdef SOLARIS
- Properly prototype ipfilterattach()/iplattach().
1997-07-06 05:13:40 +00:00
thorpej
c68633278f
- Add a prototype for fixskip() so that this file compiles.
- Fix, ONCE AGAIN, semantics of ipfilterattach(). This time, not only
was it semantically broken, it wasn't even close to compiling!
1997-07-06 05:13:00 +00:00
thorpej
3fb8ff16e8
The sheer number of #ifdef's around it should have been a hint that
#include <machine/mtpr.h> isn't something you're supposed to do in
NetBSD.
1997-07-06 05:11:28 +00:00
thorpej
ab01c534f6
Fix a bug caught by gcc: add parenthesis to properly group a test.
1997-07-06 05:10:41 +00:00
thorpej
90c43e78e2
Import yet another missing piece of IPFilter 3.2beta1.
1997-07-06 05:02:26 +00:00
thorpej
5a85b0d9fa
Import ip_auth.h from IPFilter 3.2beta1; this was missed during the
upgrade.
1997-07-06 04:58:52 +00:00
darrenr
729f0dc597
fix conflicts from import
1997-07-05 05:38:14 +00:00
thorpej
9bf15b8b78
Don't adjust ip->ip_len before calling icmp_error(); icmp_error() already
does this. Per Stevens in TCP/IP Illustrated Vol. 2, p.774, submitted
by Koji Imada <koji@math.human.nagoya-u.ac.jp>.
1997-06-24 19:31:34 +00:00
thorpej
a0e791807e
Eliminate use of dtom() from the network code, allowing more flexible
use of mbuf external storage and increasing performance (by eliminating
an m_pullup() for clusters in the IP reassembly code).
Changes from Koji Imada <koji@math.human.nagoya-u.ac.jp>, in PR #3628
and #3480, with ever-so-slight integration changes by me.
1997-06-24 02:25:59 +00:00
thorpej
b791871522
Increment icmpstat.icps_badlen for bad length of ICMP_MASKREQ, per
Stevens in TCP/IP Illustrated vol. 2, p.319. Submitted by
Koji Imada <koji@math.human.nagoya-u.ac.jp> in PR #3712.
1997-06-24 01:26:19 +00:00
kleink
b8377e5395
As per RFC 793, don't retransmit the FIN during a simultaneous close.
From Thorsten Frueauf <frueauf@ira.uka.de> and W. Richard Stevens in PR/3737
and TCP/IP Illustrated, Vol. 2, respectively.
1997-06-18 10:05:44 +00:00
mrg
c258d0d05e
make it "options IPFILTER_DEFAULT_BLOCK".
1997-06-16 13:38:05 +00:00
kleink
8fb48a5db9
Eliminate a superfluous `if' statement: when detaching the TCP protocol from
a socket, just calling tcp_disconnect() on the tcpcb will do the right thing.
From Thorsten Frueauf <frueauf@ira.uka.de> and W. Richard Stevens in PR/3738
resp. TCP/IP Illustrated, Vol. 2.
1997-06-12 18:41:14 +00:00
kml
6a233e37f6
Fix urgent pointer overflow problems when used with large windows
1997-06-03 16:17:09 +00:00
thorpej
5b0d69d6a8
In ipl_disable(), don't conditionalize the "fr_checkp = fr_savep"
operation, since:
- in ipl_enable(), "fr_savep = fr_checkp" is not conditionalized
in the same way (not at all), and
- without this change, it was not possible to enable, disable,
and reenable ipfilter.
1997-06-01 06:57:09 +00:00
thorpej
a464ced388
Change the aps_tout member of struct ap_session from time_t to u_long
so that it can be passed to the filter rule aging functions, which
expect a pointer to a u_long. (time_t is an int on the alpha.)
1997-05-28 04:59:34 +00:00
thorpej
fa7df10d8b
Put the #ifndef _KERNEL prototype of get_unit() in <netinet/ip_fil.h>
since it is needed by other files, in order to compile on 64-bit
architectures.
1997-05-28 04:48:47 +00:00
thorpej
41d4822677
Resolve conflicts from merge of 3.2a7, take 2. Also, eliminate some
silly differences between the NetBSD copy of the code and the
vendor branch, keeping only those which are necessary. Of those
differences that currently exist, several "portability to NetBSD"
issues, which will be fed back to the ipfilter author.
1997-05-28 00:17:11 +00:00
gwr
3cb60b969d
Allow revarpwhoami() to be called multiple times.
(Just return the answer if we already have it.)
Without this, the RB_ASKNAME loop fails on every
call to nfs_mountroot after the first call.
1997-05-27 23:14:44 +00:00
thorpej
67a6c44c15
Make this compile on 32-bit architectures again:
- Pull in includes to get appropriate prototypes.
1997-05-27 01:24:31 +00:00
thorpej
faeb45fcca
Make this compile on 32-bit architectures:
- Add prototypes.
- Add a forward-decl to avoid a cyclic dependency graph.
1997-05-27 01:23:50 +00:00
thorpej
03e37a1874
Make this compile on 32-bit architectures:
- Deal with lame gcc -Wuninitialized warning (which is incorrect)
- Add parens around assignments within conditionals.
1997-05-27 01:22:52 +00:00
thorpej
77a115108c
Make this compile on 32-bit architectures again:
- Get arguments to ioctl right (cmd is a u_long in NetBSD)
1997-05-27 01:21:33 +00:00
thorpej
55323c48ca
Make this compile on 32-bit architectures again:
- Add prototypes.
- Get arguments to ioctl right (cmd is a u_long in NetBSD)
1997-05-27 01:20:46 +00:00
thorpej
5d1bb7474a
Make this compile on 32-bit architectures:
- Add prototypes.
- garbage-collect unused variables.
1997-05-27 01:19:48 +00:00
thorpej
6c873135ee
Make this compile on 32-bit architectures again:
- garbage-collect unused variables.
1997-05-27 01:18:47 +00:00
thorpej
e8e871e8ca
Make this compile on 32-bit architectures again:
- Don't prototype functions that don't exist, and do prototype those
that do.
- Get ioctl arguments right (cmd is a u_long in NetBSD).
1997-05-27 01:17:04 +00:00
thorpej
a09051fa6d
Make this compile on 32-bit architectures again:
- Fix a really obvious error: ipl_enable() disappeared, but the guts of
the function were scrunched into the "no-op" BSD pseudo-device attach
routine. Would not compile, because of non-void return from a void
function. Fixed by reincarnating ipl_enable(), and reimplementing
the no-op pseudo-device attach.
- #ifdef as appropriate to remove unused variable warnings.
- Call ipl_enable() in iplinit(), rather than the no-op ipfilterattach().
1997-05-27 01:15:21 +00:00
thorpej
8ead9b88e8
Make this compile on 32-bit architectures again:
- garbage-collect unused variables, or #ifdef them as appropriate.
1997-05-27 01:09:13 +00:00
darrenr
ea9bbec5f5
remove extra #endif
1997-05-26 17:57:21 +00:00
darrenr
27be4b8f04
Import new sources for 3.2alpha7
(blah, someone want to clean away /cvsroot/sys/netinet ?)
1997-05-26 15:18:15 +00:00
darrenr
29fab67628
fix conflicts
1997-05-25 12:40:11 +00:00
christos
118a33df24
- Fix indentation of the nested conditionals. It was inconsistent in places.
- Make this compile and work without IPFILTER_LOG, and disable logging by
default. This can be re-enabled now as a kernel option.
1997-04-15 00:44:42 +00:00
christos
ae60a7c343
Fix SPLNET() conditional to work for NetBSD1_0+, not just the named versions.
1997-04-15 00:42:54 +00:00
christos
0659cacda6
Move the mtod calls *after* we've made sure that the packet has passed the
filter successfully. Otherwise it can be NULL if the filter blocked it,
and we die. How did this ever work?
1997-04-15 00:41:52 +00:00
jtk
e096ee0e10
add newlines at end of debugging log messages which were missing them
1997-04-07 01:48:30 +00:00
cgd
ce54b19fd3
include <stdlib.h> if !_KERNEL for malloc declaration/proto
1997-04-04 01:53:22 +00:00
cgd
c492daaa6e
fix ... potentially fatal typo (s/unix/unit/)
1997-04-03 00:57:03 +00:00
augustss
c56286529c
Make it compile again by removing a cast to void of KFREE(). KFREE expands
to a statement, not an expression.
1997-04-01 00:07:07 +00:00
thorpej
0684baea63
Define control device names here; they're needed by kernel and userland.
1997-03-29 19:50:51 +00:00
darrenr
4d1eb7820e
use IPLLOG instead of ipllog to easily mask parameters, fix up prototype
problems for compiling to user programs.
1997-03-29 04:39:15 +00:00