Commit Graph

41 Commits

Author SHA1 Message Date
darrenr fd7edad6c3 Change the use of pfil hooks. There is no longer a single list of all
pfil information, instead, struct protosw now contains a structure
which caontains list heads, etc.  The per-protosw pfil struct is passed
to pfil_hook_get(), along with an in/out flag to get the head of the
relevant filter list.  This has been done for only IPv4 and IPv6, at
present, with these patches only enabling filtering for IPPROTO_IP and
IPPROTO_IPV6, although it is possible to have tcp/udp, etc, dedicated
filters now also.  The ipfilter code has been updated to only filter
IPv4 packets - next major release of ipfilter is required for ipv6.
2000-02-17 10:59:32 +00:00
veego 064dbd29ad Only print one 'IP Filter:' line when it gets enabled or disabled. 2000-02-01 21:41:36 +00:00
veego b3bffdf856 Resolve conflicts. 2000-02-01 21:29:15 +00:00
veego 64b2c34646 Resolve conflicts and small fixes. 1999-12-12 11:11:15 +00:00
sommerfeld d0790aa895 in ipfr_fastroute, before calling icmp_error(), put received-interface
back into the packet.  (ip_output() clears it since ipsec reuses that
packet field in the output path.  by putting it back, we're going to
pretend we're back on the input path now).
1999-10-12 14:51:34 +00:00
itojun a89a69391a clear m->m_pkthdr.rcvif before calling ip_output().
the member is used to pass struct socket to ip{,6}_output for ipsec decisions.

(i agree it is kind of ugly.  we need to modify struct mbuf if we are
to do better - which seems to me a bit too much)
1999-08-26 02:56:59 +00:00
marc 3c1adf9354 when fastrouting a packet which needs fragmentation, the packet passed
to if_output did not have m->m_pkthdr.len set correctly.  Add the code
to do this from the similar code in ip_output.c
1999-08-26 02:15:35 +00:00
cjs 8befad84b1 Remove SCCS markers and make these compile in $NetBSD$ IDs. 1999-02-02 19:57:30 +00:00
mycroft 231a906c71 There's just no plausible reason to byte-swap ip_id internally. It's opaque. 1999-01-19 23:39:56 +00:00
sommerfe 0cdf66e377 Fragments should start with a header mbuf allocated by MGETHDR() 1998-11-25 21:13:58 +00:00
mrg 78db9d7d95 merge ipf 3.2.10 1998-11-22 15:17:18 +00:00
drochner 1658ac64a8 fix the previous: "securelevel" in kernel only 1998-11-15 17:36:19 +00:00
tls da1c106b85 In 'highly secure' mode (securelevel >= 2), the filter lists may not be tampered with. It might be desirable to allow enabling of preset filter lists, but it seems too good a candidate for a denial-of-service attack, so we don't. 1998-11-14 07:42:37 +00:00
sommerfe 69b1b4758d Fix PR5559: if fast-forwarding, DF set, and packet too large, send ICMP error.. 1998-07-17 00:35:23 +00:00
veego 82423e3d01 Resolve conflicts 1998-05-17 16:50:15 +00:00
mrg 84ecff38c2 merge ip-filter 3.2.1 1997-11-14 12:40:06 +00:00
mrg 60c28e1f95 sigh. merge ipfilter 3.2 onto the trunk. merge to the branch was a mistake. 1997-10-30 16:08:54 +00:00
veego 4508fb4354 Resolve conflicts from the merge of ipf 3.2beta5. 1997-09-21 18:00:54 +00:00
thorpej ba90103dd6 The fingerprint of (*fr_checkp)() is the same if compiling in kernel
or user code.
1997-07-06 22:32:34 +00:00
thorpej b19b36aff5 Restore original RCS IDs. 1997-07-06 05:29:13 +00:00
thorpej c68633278f - Add a prototype for fixskip() so that this file compiles.
- Fix, ONCE AGAIN, semantics of ipfilterattach().  This time, not only
  was it semantically broken, it wasn't even close to compiling!
1997-07-06 05:13:00 +00:00
darrenr 729f0dc597 fix conflicts from import 1997-07-05 05:38:14 +00:00
thorpej 5b0d69d6a8 In ipl_disable(), don't conditionalize the "fr_checkp = fr_savep"
operation, since:
	- in ipl_enable(), "fr_savep = fr_checkp" is not conditionalized
	  in the same way (not at all), and
	- without this change, it was not possible to enable, disable,
	  and reenable ipfilter.
1997-06-01 06:57:09 +00:00
thorpej fa7df10d8b Put the #ifndef _KERNEL prototype of get_unit() in <netinet/ip_fil.h>
since it is needed by other files, in order to compile on 64-bit
architectures.
1997-05-28 04:48:47 +00:00
thorpej 41d4822677 Resolve conflicts from merge of 3.2a7, take 2. Also, eliminate some
silly differences between the NetBSD copy of the code and the
vendor branch, keeping only those which are necessary.  Of those
differences that currently exist, several "portability to NetBSD"
issues, which will be fed back to the ipfilter author.
1997-05-28 00:17:11 +00:00
thorpej a09051fa6d Make this compile on 32-bit architectures again:
- Fix a really obvious error: ipl_enable() disappeared, but the guts of
  the function were scrunched into the "no-op" BSD pseudo-device attach
  routine.  Would not compile, because of non-void return from a void
  function.  Fixed by reincarnating ipl_enable(), and reimplementing
  the no-op pseudo-device attach.
- #ifdef as appropriate to remove unused variable warnings.
- Call ipl_enable() in iplinit(), rather than the no-op ipfilterattach().
1997-05-27 01:15:21 +00:00
darrenr ea9bbec5f5 remove extra #endif 1997-05-26 17:57:21 +00:00
darrenr 29fab67628 fix conflicts 1997-05-25 12:40:11 +00:00
christos 118a33df24 - Fix indentation of the nested conditionals. It was inconsistent in places.
- Make this compile and work without IPFILTER_LOG, and disable logging by
  default. This can be re-enabled now as a kernel option.
1997-04-15 00:44:42 +00:00
cgd ce54b19fd3 include <stdlib.h> if !_KERNEL for malloc declaration/proto 1997-04-04 01:53:22 +00:00
cgd c492daaa6e fix ... potentially fatal typo (s/unix/unit/) 1997-04-03 00:57:03 +00:00
augustss c56286529c Make it compile again by removing a cast to void of KFREE(). KFREE expands
to a statement, not an expression.
1997-04-01 00:07:07 +00:00
darrenr 4d1eb7820e use IPLLOG instead of ipllog to easily mask parameters, fix up prototype
problems for compiling to user programs.
1997-03-29 04:39:15 +00:00
thorpej 169a339c7d Centralize the check for NetBSD PFIL_HOOKS code into ip_fil.h, and use
it consistently.
1997-03-29 03:05:14 +00:00
thorpej 7845ea0d16 Fix an ... interesting bug that resulted from namespace collision.
Description:

	- A BSD pseudo-device initialization routine is declared as
		void <pseudo-device name>attach __P((int count));
	  in ioconf.c by config(8).  main() calls these functions
	  from a table.

	- IP Filter has functions iplattach() and ipldetach() (or,
	  in the NetBSD case, were erroneously renamed ipfilterattach()
	  and ipfilterdetach()).  These functions are used to establish
	  and disestablish the IP Filter "filter rule check" hook in
	  the IP input/output stream.  They are declared:
		int iplattach __P((void));
		int ipldetach __P((void));
	  ..and are expected to return a value by iplioctl().

	- When main() calls (by sheer coincidence!) iplattach(),
	  the filter hook is established, and the IP Filter machinery
	  labeled as "initialized".  This causes all packets, whether or
	  not the user intents to use filter rules, to be passed to
	  the filter rule checker if "ipfilter" is configured into the
	  kernel.

	- As a result of the above, a kludge existed to default to
	  passing all packets (I can only assume that when this was
	  originally committed, the symptom of the bug was noticed by
	  the integrator, but the bug not actually found/fixed).

	- In iplioctl(), if the SIOCFRENB ioctl is issued with an
	  argument of "enable" (i.e. user executed "ipf -E"), iplattach()
	  will notice that the machinery is already initialized and
	  return EBUSY.

Fix:

	- Rename iplattach()/ipldetach() to ipl_enable() and ipl_disable().

	- Create a pseudo-device entry stub named ipfilterattach()
	  (NetBSD case) or iplattach() (all other).  This is a noop; none
	  of the machinery should be initialized until the caller expicitly
	  enables the filter with ipf -E.  Add a comment to note that.
1997-03-29 01:57:55 +00:00
thorpej f30d8f327f Resolve conflicts from merge.
XXX !!! XXX !!!
I noticed a few semi-serious bugs while doing this merge, one of which
has existed for a fairly long time.  Some of them are addressed in this
commit (because they caused the kernel to not compile), and are annoted
by "XXX" and "--thorpej".  The other one will be addressed shortly in
a future commit, and, as far as I can tell, affects all operating systems
which IP Filter supports.
1997-03-29 00:54:55 +00:00
cgd a8bb00476f ioctl commands are u_longs 1997-03-18 07:14:45 +00:00
veego d61e3f8c25 ipl[attach|detach]->ipfilter[attach|detach] for the pseudo-device change 1997-01-08 21:45:39 +00:00
mrg 9cc6a2a495 remove some old debugging statements. 1997-01-07 10:51:01 +00:00
veego 473d4f54d1 Add $NetBSD$ id's and restore the orginal Id's. 1997-01-05 21:32:18 +00:00
mrg c1067a3f4b initial import of darren reed's ip-filter, version 3.1.2. 1997-01-05 13:47:59 +00:00