Commit Graph

1175 Commits

Author SHA1 Message Date
itojun 7f7fe98c2c support tcp_log_refused for IPv6. From: Andrew Brown <atatat@atatdot.net> 2002-03-12 04:36:47 +00:00
martin 0039b1300a KNFify my last change. 2002-03-11 10:06:12 +00:00
thorpej a180cee23b Pool deals fairly well with physical memory shortage, but it doesn't
deal with shortages of the VM maps where the backing pages are mapped
(usually kmem_map).  Try to deal with this:

* Group all information about the backend allocator for a pool in a
  separate structure.  The pool references this structure, rather than
  the individual fields.
* Change the pool_init() API accordingly, and adjust all callers.
* Link all pools using the same backend allocator on a list.
* The backend allocator is responsible for waiting for physical memory
  to become available, but will still fail if it cannot callocate KVA
  space for the pages.  If this happens, carefully drain all pools using
  the same backend allocator, so that some KVA space can be freed.
* Change pool_reclaim() to indicate if it actually succeeded in freeing
  some pages, and use that information to make draining easier and more
  efficient.
* Get rid of PR_URGENT.  There was only one use of it, and it could be
  dealt with by the caller.

From art@openbsd.org.
2002-03-08 20:48:27 +00:00
itojun ac36f7cb2c bring in latest ALTQ from kjc. ALTQify some of the drivers. 2002-03-05 04:12:57 +00:00
sommerfeld 3406f0a3dd The "gif*" tunnelling interface does everything ipip does.
Move usage example from ipip.4 to gif.4
Excise ipip and stitch up the scars.
2002-03-04 13:24:06 +00:00
thorpej 1caa35aa0f In tcp_segsize(), move a label so that option length is considered
when using the default TCP MSS as well.  From Matt Thomas.
2002-03-01 22:54:09 +00:00
thorpej 10444ca48f In in_savemkludge() and in_restoremkludge(), don't insert into a new
list without removing from the old one first.

From Matt Thomas.
2002-03-01 22:51:28 +00:00
martin 75c5a16cfc Enforce a lower bound of 32 for tcp_mssdflt.
This avoids kernel crashes when we don't handle nonsensial values
like 0 gracefully. Better check here once beforehand than having to
check for non meaningful values in time critical paths (like tcp_output).

Fixes PR 15709.
2002-02-28 20:26:17 +00:00
itojun 8832af6e59 correctly enforce ipsec policy check on forwarding case.
From: Greg Troxel <gdt@ir.bbn.com>, Bill Chiarchiaro <wjc@work.cleartech.com>
2002-02-25 02:17:55 +00:00
martin a7d662b71c Clear M_BCAST and M_MCAST on outgoing mbufs.
Don't copy ttl from the inner packet to the encapsulating packet. Make
the outer ttl sysctl'able. This should close PR 14269 from Jasper Wallace
(change partly from there) and it makes traceroute work over gre tunnels.
2002-02-24 17:22:20 +00:00
christos 61e29fb60a Sean amended his patch not to include the IFAFREE() 2002-02-21 22:39:17 +00:00
christos 2446cd0b68 PR/15662: Sean Boudreau: make sure we clean all routes of an interface when
we change its ip address.
2002-02-21 21:59:16 +00:00
itojun 9c68db2bfc suppress source quence message, based on router-req RFC (also could be abused
as DoS traffic generator).  from kjc/kame
2002-02-21 08:39:33 +00:00
thorpej 35a343b018 IFF_POINTTOPOINT interfaces can also transmit packets to broadcast
destinations.
2002-02-07 21:47:45 +00:00
thorpej eb79ee01a8 ip_mloopback(): process the delayed checksum on the copy, not
the original mbuf.
2002-02-06 18:00:01 +00:00
itojun d303c80bfb correct bad ip checksum on multicast loopback packet. PR14597 2002-01-31 07:45:22 +00:00
martti b035470c38 Fixed initialization 2002-01-24 08:24:59 +00:00
martti 7a8f11612c Re-sync with IPFilter 2002-01-24 08:23:40 +00:00
martti b9920d0f43 Upgraded IPFilter to 3.4.23 2002-01-24 08:21:30 +00:00
martti b0499f9062 Import IPFilter 3.4.23 2002-01-24 08:18:28 +00:00
itojun a709c83618 place NRL copyright notice itself, not a reference to it. 2002-01-24 02:12:29 +00:00
itojun ae1b9c29e9 make sure to check address family on route cache. with IPv4 mapped
address we can see both AF_INET/INET6.
2002-01-22 03:53:55 +00:00
itojun 1cc58965b6 don't panic when there's no interface address exist for the specified multicast
outgoing interface (ia == NULL after IFP_TO_IA).

historic behavior (up to revision 1.43) was to use 0.0.0.0 as source address,
but it seems like a mistake according to RFC1112/1122.
2002-01-08 10:05:13 +00:00
itojun 28922b9973 use radix table for inbound tunnel lookup (would increase performance
for machines with a lot of tunnels).
update route cache for IPvX-over-IPv6 tunnel on path MTU discovery.
snyc with kame
2001-12-21 06:30:43 +00:00
itojun af7e7f7b93 whitespace. protect from multiple inclusion. sync with kame 2001-12-21 04:11:24 +00:00
itojun 9fe96e61e6 call rip_ctlinput on icmp4 inputs 2001-12-21 04:07:25 +00:00
itojun 745e191850 move protosw fragment for gif/stf to their own source code.
reduce #ifdef in stf code.  sync with kame
2001-12-21 03:21:50 +00:00
itojun f05aaf1533 have packed attribute to protocol structs. sync with kame 2001-12-21 02:52:18 +00:00
itojun dde7f16c1c have rip_ctlinput to notify routing changes to raw sockets
(protosw change to be done).  sync with kame
2001-12-21 02:51:47 +00:00
itojun f504aee318 comment and whitespace. sync with kame 2001-12-21 02:51:08 +00:00
itojun a36173e7a6 whitespace. sync with kame 2001-12-21 02:50:28 +00:00
itojun 33429d0612 correct timing to increment icmp6 MIB variables. sync with kame 2001-12-07 10:10:43 +00:00
jmcneill 078a8c0cc3 Fix TCP segment size computation. From Rick Byersm, PR kern/14799. 2001-12-03 01:45:43 +00:00
darrenr dd626d89c9 recompute hlen after calling pfil_run_hooks() in case ip_hl was changed. 2001-11-28 09:25:13 +00:00
itojun c23ea6c341 update outgoing ifp, only if tunnel mode ipsec is used. this is to
honor IP_MULTICAST_IF setsockopt on ipsec-over-multicast.  sync with kame
2001-11-21 06:28:08 +00:00
lukem 0fa231134c - replace "defopt" with "defparam" for options which must take a value,
as config(8) will warn for value-less defparam options
- minor whitespace/formatting cleanup
- consolidate opt_tcp_recvspace.h and opt_tcp_sendspace.h into opt_tcp_space.h
2001-11-20 14:34:18 +00:00
lukem 2565646230 don't need <sys/types.h> when including <sys/param.h> 2001-11-15 09:47:59 +00:00
lukem ea1cd7eb08 add RCSIDs 2001-11-13 00:32:34 +00:00
itojun e2df911079 do not grab packet to joined multicast group, when ip6_dst and in6p_laddr
mismatches.  it makes the behavior more closer to 4.4BSD IPv4 code.
sync with kame
2001-11-07 06:30:50 +00:00
matt da5a70805c Convert netinet to not use the internal <sys/queue.h> field names
but instead the access macros.  Use the FOREACH macros where appropriate.
2001-11-04 20:55:25 +00:00
matt 47577dca93 Change a few variable/tables to const since they are read-only. 2001-11-04 13:42:27 +00:00
matt af71a3871d Keep only one mtu_table (the two were identical except for
one value - 65280).
2001-11-04 13:38:50 +00:00
itojun e4b5b62a3d array boundary overflow on the use of IPv4 mapped address. from simonb 2001-11-02 02:37:50 +00:00
kml 77c99e8c60 Add in support for timing out IPv4 routes added due to redirects,
as discussed in tech-net several weeks ago.  It turned out that
KAME had already added this functionality to the IPv6 stack, so
I followed their example in adding the sysctl variables
net.inet.icmp.rediraccept and net.inet.icmp.redirtimeout.
2001-10-30 06:41:09 +00:00
simonb 5f717f7c33 Don't need to include <uvm/uvm_extern.h> just to include <sys/sysctl.h>
anymore.
2001-10-29 07:02:30 +00:00
itojun c7e6405a34 remove unused codepath (unifdef -UUDP6) 2001-10-24 06:04:08 +00:00
itojun 7bbe09e1d4 it may fix PR14124. 2001-10-24 05:56:49 +00:00
matt bd61b6ad50 Make tcp_outflags & tcpstates const. 2001-10-20 03:19:41 +00:00
matt fa2b333dc7 Make the two MTU tables const and change their type to u_int (one was int
and one was u_long!).
2001-10-20 03:18:17 +00:00
thorpej e45efd967f Deprecate the "m_act" alias of "m_nextpkt" (m_act is a historical
name), and just use m_nextpkt everywhere.
2001-10-18 20:17:24 +00:00
itojun 91498ffec5 implement IPV6_V6ONLY socket option from draft-ietf-ipngwg-rfc2553bis-03.txt.
IPV6_BINDV6ONLY (netbsd only) is deprecated, but still work just like before.
2001-10-15 09:51:15 +00:00
chs 80373b7e54 don't depend on other headers to include sys/proc.h for us. 2001-09-28 11:59:51 +00:00
thorpej d679590033 Split the pre-computed ifnet checksum flags into Tx and Rx directions.
Add capabilities bits that indicate an interface can only perform
in-bound TCPv4 or UDPv4 checksums.  There is at least one Gig-E chip
for which this is true (Level One LXT-1001), and this is also the
case for the Intel i82559 10/100 Ethernet chips.
2001-09-17 17:26:59 +00:00
wiz 456dff6cb8 Spell 'occurred' with two 'r's. 2001-09-16 16:34:23 +00:00
martin 7ac197f6e6 Fix typo in comment. 2001-09-16 08:49:50 +00:00
thorpej 050e9de009 Use callouts for SYN cache timers, rather than traversing time queues
in tcp_slowtimo().
2001-09-11 21:03:20 +00:00
thorpej 4745c7f252 Update copyrights. 2001-09-10 22:45:46 +00:00
thorpej 6d0e813f6c Use callouts for TCP timers, rather than traversing the list of
all open TCP connections in tcp_slowtimo() (which is called 2x
per second).  It's fairly rare for TCP timers to actually fire,
so saving this list traversal is good, especially if you want
to scale to thousands of open connections.
2001-09-10 22:14:26 +00:00
thorpej 413e5cb878 Initialize TCP timer variables in a new function, tcp_timer_init(). 2001-09-10 20:36:43 +00:00
thorpej 3d9c42775e Add explicit initialization of TCP timer state. A noop right now. 2001-09-10 20:19:54 +00:00
thorpej 45e02f5ee8 Split tcp_timers() into multiple functions, one for each timer,
and call it directly from tcp_slowtimo() (via a table) rather
than going through tcp_userreq().

This will allow us to call TCP timers directly from callouts,
in a future revision.
2001-09-10 20:15:14 +00:00
thorpej 7446fd2bc8 Change the way receive idle time and round trip time are measured.
Instead of incrementing t_idle and t_rtt in tcp_slowtimo(), we now
take a timstamp (via tcp_now) and use subtraction to compute the
delta when we actually need it (using unsigned arithmetic so that
tcp_now wrapping is handled correctly).

Based on similar changes in FreeBSD.
2001-09-10 15:23:09 +00:00
thorpej 7a89a34393 Enable Congestion Window Monitoring by default. 2001-09-10 04:43:35 +00:00
thorpej 783db90019 Use a callout for the delayed ACK timer, and delete tcp_fasttimo().
Expose the delayed ACK timer as net.inet.tcp.delack_ticks.
2001-09-10 04:24:24 +00:00
itojun ef0be725b3 if I'm bridging and got a packet to interface address on if A from if B,
advertise MAC address for if A with ARP reply.
2001-08-20 03:13:45 +00:00
thorpej c82b0994e7 Permit weaker interface matches for incoming ARP packets if the packet was
received on an interface that is part of a bridge and we find an ifaddr on
an interface that is part of the same bridge.
2001-08-17 21:47:57 +00:00
itojun 74ad87bc53 gif interface now uses generic software interrupt
(on archs that support it).  also, make gif ALTQ-capable on outgoing.
sync with kame, comments from thorpej.
2001-08-16 17:45:25 +00:00
yamt 5d1c2fff55 fix cksum error of udp and tcp packet with ip options 2001-08-11 12:26:50 +00:00
itojun 57030e2f12 cache IPsec policy on in6?pcb. most of the lookup operations can be bypassed,
especially when it is a connected SOCK_STREAM in6?pcb.  sync with kame.
2001-08-06 10:25:00 +00:00
thorpej 35df06a642 Carve off the code that builds a TCP data packet into its own
function, and inline it, except when profiling... so we can
profile it.
2001-07-31 02:25:22 +00:00
thorpej 938720eea4 Count the number of times we "self-quench" (ip_output() returns
ENOBUFS), and don't inline tcp_segsize() if profiling.
2001-07-31 00:57:45 +00:00
itojun cad488d032 sync gif interface code with latest kame.
IFF_RUNNING is clearified.  attach/detach logic is more clearner.
the old code mistakenly set IFF_UP by itself, now the behavior is gone.
2001-07-29 05:08:32 +00:00
itojun 66c75f4967 do not check in_dstaddr on in_{add,scrub}prefix, otherwise linklocal
address manipulation could choke.  sync with kame
2001-07-27 02:04:08 +00:00
thorpej 52654926a4 Slight cosmetic change. 2001-07-26 21:47:04 +00:00
itojun fd5e7077a3 allocate ipsec policy buffer attached to pcb in in*_pcballoc, before
giving anyone accesses to pcb (do not reveal an inconsistent ones).
sync with kame
2001-07-25 23:28:02 +00:00
itojun 49f2e6958f g/c #if 0'ed fragment. sync with kame. 2001-07-25 06:05:16 +00:00
enami 4b21362a47 Remove an obsolete comment. 2001-07-25 00:13:16 +00:00
itojun ddf920093e wrap IPv6 code by #ifdef INET6 2001-07-23 15:20:41 +00:00
itojun 489df53efe use in6_maxmtu, not in_maxmtu, for IPv6 mss computation 2001-07-23 15:17:58 +00:00
itojun 6338419cfb manage IFA_ROUTE on interface address better, so that we can
provide a better support for multiple address with the same prefix better.
(like 10.0.0.1/8 and 10.0.0.2/8 on the same interface)
continuation of PR 13311.

remove irrelevant #if 0'ed segment for PR 10427.
2001-07-22 16:18:31 +00:00
wiz a9356936b4 seperate -> separate 2001-07-22 13:33:58 +00:00
enami 5e40498018 Add missing counting up of ``socket buffer is full'' counter when
failed to sbappendaddr().
2001-07-17 02:44:00 +00:00
itojun 09ddb6a1f1 do not #ifdef in headers. usr.sbin/trpt needs it. 2001-07-09 07:53:20 +00:00
abs 03aaf3d8b4 Rename TCPDEBUG to TCP_DEBUG, defopt TCP_DEBUG and TCP_NDEBUG, and
make all usage of tcp_trace dependent on TCP_DEBUG - resulting in
a 31K saving on an INET enabled i386 kernel.
2001-07-08 16:18:56 +00:00
abs 2f72fbeeab Give TCPDEBUG a chance of working - fix printf() types, add missing &s,
and remove attempt to use a non existant tcphdr field.
2001-07-08 15:59:18 +00:00
itojun c3740d7821 IP6_EXTHDR_GET0 had no check against m->m_len (noone was using this macro).
sync with kame
2001-07-05 23:41:07 +00:00
itojun 0fec95079e better support for multiple IPv4 addresses on a single interface.
- consider non-primary (2nd and beyond) IPv4 address as "local", and prevent
  outgoing ARP.
- for routing entries generated by ARP, make sure to set rt->rt_ifa equal to
  rt_key, to help IPv4 source address selection for traffic to myself.
PR 13311.

caveats/TODOs:
- interface routes ("connected routes" in cisco terminlogy) is tied with the
  primary (1st) IPv4 address on the interface.  should be fixed with updates
  to rt_ifinit().
- source address selection for offlink locations.  1st address tend to be used
  with the current code
  (you can configure it right by setting rt->rt_ifa accordingly).
2001-07-04 02:29:58 +00:00
itojun 193167b1eb call in{,6}_pcbpurgeif0() before in{,6}_purgeif(). 2001-07-03 08:06:19 +00:00
itojun 1ff38f4d03 on interface removal, remove multicast groups joined from pcb, before
removing interface addresses.  without the change, we may deref
NULL pointer in in_pcbpurgeif().  from jinmei@kame, sync with kame
2001-07-02 15:25:34 +00:00
itojun 3e8e591c7f fix udp reception to sockets bound to linklocal address (like fe80::1%lo0).
sync with kame
2001-06-27 23:40:50 +00:00
wiz 3f9984fc90 `existent', not `existant' 2001-06-19 13:42:07 +00:00
wiz 0a600be867 receive, not recieve 2001-06-12 15:17:10 +00:00
tron ea44bc48d3 Make arplookup error messages more informative. Patch supplied by
Andrew Brown in PR kern/13162.
2001-06-11 06:19:50 +00:00
thorpej ad9d3794b0 Implement support for IP/TCP/UDP checksum offloading provided by
network interfaces.  This works by pre-computing the pseudo-header
checksum and caching it, delaying the actual checksum to ip_output()
if the hardware cannot perform the sum for us.  In-bound checksums
can either be fully-checked by hardware, or summed up for final
verification by software.  This method was modeled after how this
is done in FreeBSD, although the code is significantly different in
most places.

We don't delay checksums for IPv6/TCP, but we do take advantage of the
cached pseudo-header checksum.

Note: hardware-assisted checksumming defaults to "off".  It is
enabled with ifconfig(8).  See the manual page for details.

Implement hardware-assisted checksumming on the DP83820 Gigabit Ethernet,
3c90xB/3c90xC 10/100 Ethernet, and Alteon Tigon/Tigon2 Gigabit Ethernet.
2001-06-02 16:17:09 +00:00
soda ea2e5754dd missing opt_inet.h 2001-05-31 19:56:13 +00:00
mrg 67afbd6270 use _KERNEL_OPT 2001-05-30 11:57:16 +00:00
itojun e44d476e4e typo in comment 2001-05-27 23:46:51 +00:00
matt 524a19371f Make t_flags a u_int instead of u_short. It's followed by a mbuf pointer
so there's padding around it already.  And it increases the amount of bits
available for TF_* flags.
2001-05-26 22:02:57 +00:00
matt 24f26c957e Add TCP_MD5SIGNATURE option. 2001-05-26 21:40:55 +00:00
ragge 7952ffd61f defined(vax) -> defined(__vax__). This may fix PR#12919. 2001-05-26 21:29:45 +00:00
ragge 474bc8ee6d Remove one #ifdef vax, bugfix another. Should probably be #ifdef i386 also. 2001-05-26 21:27:09 +00:00
itojun a7596d1912 call icmp6_mtudisc_update(foo, 0) even if ICMPv6 messages are very short.
let icmp6 layer decide whether we take PMTUD routes or not.
2001-05-24 07:22:27 +00:00
lukem 07d4fbd104 fix spelo in comment 2001-05-21 03:31:36 +00:00
martin 449c740399 Remove tests for IPN_FRAG bits.
There is no place in the source where this bit could ever be set (or I'm
to blind to find it).

This fixes PR 12671.

If someone thinks this is the wrong solution, please make sure to (a) reopen
the PR and (b) explain to me how the tested bits would ever get set. I'll
be glad to then look further for the real cause (i.e. the flags not getting
set in the case described in the PR).
2001-05-20 13:03:39 +00:00
thorpej 937cea769e Brain'o in last. Pointed out by Steve Woodford <scw@netbsd.org>. 2001-05-19 14:20:40 +00:00
thorpej 905e7935a9 Don't compute psuedo header checksum if nxt == 0. 2001-05-19 00:13:53 +00:00
matt 0c779d0a01 Use the LIST_NEXT & LIST_FIRST macros instead of refering to
le_next & lh_first.
2001-05-14 19:50:43 +00:00
itojun 498fdebcd7 drop multi destination mode (IFF_LINK0). 2001-05-14 13:35:20 +00:00
christos 00adbfd8d6 - Handle realloc failure without leaking memory
(reported by: grendel@heorot.stanford.edu (Ted U)
- Don't cast malloc/realloc/calloc return values because they hide LP64 bugs.
- Don't destroy the whole array when realloc fails
- Use calloc in all cases (malloc was used inconsistently).
- Avoid duplicating code.

Reviewed by: ross
2001-05-12 19:21:57 +00:00
itojun 63181d71c1 correct ecn consideration on tunnel encap/decap. sync with kame. 2001-05-10 01:37:42 +00:00
itojun 1bec764d78 correct faith prefix determination. use sys/netinet/if_faith.c:faithprefix()
to determine.  sync with kame.
(without this change, non-faith socket may mistakenly accept for-faith traffic)
2001-05-08 10:15:13 +00:00
itojun 02077e028f pull encapsulated packet for vif* via ip_encap framework. 2001-05-08 10:07:15 +00:00
fvdl b7025ec37b Make it possible to override TCP_NDEBUG. The default value of 100
wastes quite a bit of space (0xfa00).
2001-04-29 15:18:01 +00:00
itojun 8799a9c64b give a default value to net.inet.ip.maxfragpackets, to protect us from
"lots of fragmented packets" DoS attack.

the current default value is derived from ipv6 counterpart, which is
a magical value "200".  it should be enough for normal systems, not sure
if it is enough when you take hundreds of thousands of tcp connections on
your system.  if you have proposal for a better value with concrete reasons,
let me know.
2001-04-16 17:03:33 +00:00
thorpej bf2dcec4f5 Remove the use of splimp() from the NetBSD kernel. splnet()
and only splnet() is allowed for the protection of data structures
used by network devices.
2001-04-13 23:29:55 +00:00
thorpej b978c269f5 Delete SPL_IMP(). It is not used in IP Filter, and it aids me
on my quest to eliminate the foul beast known as splimp.
2001-04-12 19:41:53 +00:00
darrenr 0b6031033d fix fragment cache security hole 2001-04-06 15:32:40 +00:00
itojun 6e45c58f53 check ip_mtudisc only for TCP over IPv4.
PMTUD is mandatory for TCP over IPv6 (if packets > 1280).
2001-04-03 06:14:31 +00:00
itojun 4b72eeeee5 net.inet.ip.maxfragpackets defines the maximum size of ip reass queue
(prevents fragment flood from chewing up mbuf memory space).
derived from KAME net.inet6.ip6.maxfragpackets.
2001-03-27 02:24:38 +00:00
mike fb2dc295a6 Resolve conflicts. 2001-03-26 06:11:46 +00:00
thorpej 20fe4e2d96 Add a protosw flag, PR_ABRTACPTDIS (Abort on Accept of Disconnected
Socket), and add it to the protocols that use that behavior (all
PR_LISTEN protocols except for PF_LOCAL stream sockets).
2001-03-21 19:22:27 +00:00
chs 5947ce8284 make this compile without rnd. 2001-03-21 03:35:11 +00:00
thorpej 7a3c8f81a5 Two changes, designed to make us even more resilient against TCP
ISS attacks (which we already fend off quite well).

1. First-cut implementation of RFC1948, Steve Bellovin's cryptographic
   hash method of generating TCP ISS values.  Note, this code is experimental
   and disabled by default (experimental enough that I don't export the
   variable via sysctl yet, either).  There are a couple of issues I'd
   like to discuss with Steve, so this code should only be used by people
   who really know what they're doing.

2. Per a recent thread on Bugtraq, it's possible to determine a system's
   uptime by snooping the RFC1323 TCP timestamp options sent by a host; in
   4.4BSD, timestamps are created by incrementing the tcp_now variable
   at 2 Hz; there's even a company out there that uses this to determine
   web server uptime.  According to Newsham's paper "The Problem With
   Random Increments", while NetBSD's TCP ISS generation method is much
   better than the "random increment" method used by FreeBSD and OpenBSD,
   it is still theoretically possible to mount an attack against NetBSD's
   method if the attacker knows how many times the tcp_iss_seq variable
   has been incremented.  By not leaking uptime information, we can make
   that much harder to determine.  So, we avoid the leak by giving each
   TCP connection a timebase of 0.
2001-03-20 20:07:51 +00:00
itojun 5a30bafe14 Remove a bogus rtfree(); OpenBSD PR 1706. 2001-03-08 00:17:05 +00:00
itojun 7806b5d1f3 increase ipstat.ips_badaddr if the packet fails to pass address checks. 2001-03-02 04:26:10 +00:00
itojun 89b4c3edc6 reject packets with 127/8 on IPv4 src/dst, they must not appear on wire
(RFC1122).  torture-tests will be welcomed.
XXX do we want to check source routing headers as well?
2001-03-02 02:05:36 +00:00
itojun 2d6047cff9 make sure to enforce inbound ipsec policy checking, for any protocols on top
of ip (check it when final header is visited).  sync with kame.
XXX kame team will need to re-check policy engine code
2001-03-01 16:31:37 +00:00
itojun 5e57143c4a remove obsolete #if 0'ed section
(IPsec and DF bit interaction - the code was incorrect anyways)
2001-02-27 10:32:03 +00:00
itojun 233e3963ed make sure to validate packet against ipsec policy. 2001-02-26 07:20:44 +00:00
itojun c9928e0ab1 need PR_ADDR|PR_ATOMIC for IPPROTO_EON. fix typo. from chopps, sync with kame 2001-02-21 00:11:53 +00:00
itojun da8a3f0179 add AF_ISO case to output. from chopps. 2001-02-20 10:41:47 +00:00
itojun 176db3e930 ISO over IPv4/v6 by EON encapsulation. from chopps, sync with kame. 2001-02-20 08:49:15 +00:00
itojun bc5a6e2482 pull latest kame pcbnotify code. synchronizes ICMPv6 path mtu discovery
behavior with other protocols (i.e. validation, use of hiwat/lowat).
2001-02-11 06:49:49 +00:00
itojun 52e23efa5f make sure we call tcp_output() only if we have template. 2001-02-11 06:39:35 +00:00
itojun 22b473e0f6 during ip6/icmp6 inbound packet processing, do not call log() nor printf() in
normal operation (/var can get filled up by flodding bogus packets).
sysctl net.inet6.icmp6.nd6_debug will turn on diagnostic messages.
(#define ND6_DEBUG will turn it on by default)

improve stats in ND6 code.

lots of synchronziation with kame (including comments and cometic ones).
2001-02-07 08:59:47 +00:00
chs c92d60cfce expose the definitions of MIN() and MAX() in sys/param.h to the kernel
and use those in favor of a dozen copies scattered around the source tree.
2001-02-05 11:16:31 +00:00
chs 09cb38f22b expose the definitions of MIN() and MAX() in sys/param.h to the kernel
and use those in favor of a dozen copies scattered around the source tree.
2001-02-05 10:42:40 +00:00
is 29d5f56206 Make diagnostic actually useful - needed to debug other ARP PRs.
Suggested by Geoff C. Wing in PR 10815.
2001-01-26 11:40:32 +00:00
itojun 617b3fab7e - record IPsec packet history into m_aux structure.
- let ipfilter look at wire-format packet only (not the decapsulated ones),
  so that VPN setting can work with NAT/ipfilter settings.
sync with kame.

TODO: use header history for stricter inbound validation
2001-01-24 09:04:15 +00:00
itojun 696bcad865 put attribute(packed) for ip6 option headers. they will appear at
strange alignment positions.  sync with kame
2001-01-23 07:21:07 +00:00
itojun 5a4703fbfe revert revision 1.15 (on ingress, DF bit copied from inner to outer).
since we do not have feedback mechanism from path MTU to tunnel MTU
(not sure if we should), and inner packet source will not get informed of
outer PMTUD (we shouldn't do this), 1.15 behavior can lead us to
blackhole behavior.

configurable behavior (as suggested in RFC2401 6.1) would be nice to have,
however, reusing net.inet.ipsec.dfbit would be hairy.
2001-01-22 07:57:34 +00:00
itojun a836499e32 make it possible to turn off ingress filter on gif/stf tunnel egress,
by using IFF_LINK2.  (part of) PR 11163 from Ken Raeburn.
2001-01-22 07:51:01 +00:00
itojun 93deb6a97f fix RR result bit in little endian systems. sync with kame 2001-01-22 02:28:02 +00:00
itojun 69622e75ab sync with latest kame.
- make icmp6.h spec conformant to 2292bis-02, regarding to router reumbering
  flag bit.
- latest rtadvd.
2001-01-21 15:39:32 +00:00
kleink 4c96c6b51f Add IPPROTO_VRRP. 2001-01-19 09:01:48 +00:00
jdolecek 34c8ae80da constify 2001-01-18 20:28:15 +00:00
itojun df9784d749 pull post-4.4BSD change to sys/net/route.c from BSD/OS 4.2 (UCB copyrighted).
have sys/net/route.c:rtrequest1(), which takes rt_addrinfo * as the argument.
pass rt_addrinfo all the way down to rtrequest, and ifa->ifa_rtrequest.
3rd arg of ifa->ifa_rtrequest is now rt_addrinfo * instead of sockaddr *
(almost noone is using it anyways).

benefit: the follwoing command now works.  previously we need two route(8)
invocations, "add" then "change".
# route add -inet6 default ::1 -ifp gif0

remove unsafe typecast in rtrequest(), from rtentry * to sockaddr *.  it was
introduced by 4.3BSD-reno and never corrected.

XXX is eon_rtrequest() change correct regarding to 3rd arg?
eon_rtrequest() and rtrequest() were incorrect since 4.3BSD-reno,
so i do not have correct answer in the source code.
someone with more clue about netiso-over-ip, please help.
2001-01-17 04:05:41 +00:00
thorpej fc5dafc79b Fix a rather annoying problem where the sockaddr_dl which holds
the link level name for the interface (ifp->if_sadl) is allocated
before ifp->if_addrlen is initialized, which could lead to allocating
too little space for the link level address.

Do this by splitting allocation of the link level name out of
if_attach() and into if_alloc_sadl(), which is normally called
by functions like ether_ifattach().  Network interfaces which
don't have a link-specific attach routine must call if_alloc_sadl()
themselves (example: gif).

Link level names are freed by if_free_sadl(), which can be called
from e.g. ether_ifdetach().  Drivers never need call if_free_sadl()
themselves as if_detach() will do it if it is not already done.

While here, add the ability to pass an AF_LINK address to
SIOCSIFADDR in ether_ioctl() (this is what caused me to notice
the problem that the above fixes).
2001-01-17 00:30:49 +00:00
itojun 42bede79da allow IP_MULTICAST_IF and IP_ADD/DROP_MEMBERSHIP to specify interface
by interface index.  if the interface address specified is in 0.0.0.0/8
it will be considered as interface index in network byteorder.

getsockopt(IP_MULTICAST_IF) preserves old behavior if
setsockopt(IP_MULTICAST_IF) was done with interface address, and
returns interface index if setsockopt(IP_MULTICAST_IF) was done with
interface index (again using the form in 0.0.0.0/8).

Suggested by Dave Thaler, based on RIPv2 MIB spec (RFC1724 section 3.3).

http://mail-index.netbsd.org/tech-net/2001/01/13/0003.html
2001-01-13 07:19:33 +00:00
itojun 4a14fb4fd8 on getsockopt(IP_IPSEC_POLICY), make sure to initialize len 2001-01-13 06:01:18 +00:00
thorpej 054b845cec Fix a small typo that would cause IP Filter to not hook in to
pfil_hooks properly on kernels that included IPv6 support.
2000-12-28 21:42:49 +00:00
thorpej ad5b855ef0 Back out the sledgehammer damage applied by wiz while I was out for
the holiday.
2000-12-28 21:40:59 +00:00
wiz 32e20d8993 Back out previous change. It causes NAT to fail, and was CLEARLY
NOT TESTED before it was committed.
2000-12-25 02:00:46 +00:00
thorpej d0357bdb4f Slight adjustment to how pfil_head's are registered. Instead of a
"key" and a "dlt", use a "type" (PFIL_TYPE_{AF,IFNET} for now) and
a val/ptr appropriate for that type.  This allows for more future
flexibility with the pfil_hook mechanism.
2000-12-22 20:01:17 +00:00
itojun b2aef8afe2 fix call to in6_pcbnotify. s/EMSGSIZE/PRC_MSGSIZE/. 2000-12-21 00:45:17 +00:00
thorpej ca9af6e52e Pull in BPF includes. 2000-12-18 20:58:13 +00:00
thorpej ed7695a765 Fill in if_dlt. 2000-12-18 19:44:33 +00:00
thorpej d9a9544a2f Add ALTQ glue. XXX Temporary until ALTQ is changed to use a pfil hook. 2000-12-14 17:36:44 +00:00
thorpej c5293456da Adapt to bpfattach() changes, and further centralize the bpfattach()
and bpfdetach() calls into link-type subroutines where possible.
2000-12-12 18:00:22 +00:00
itojun 25296369e5 make sure t_family has the correct protocol family, after connect(2)
and/or bind(2).  sync with kame
2000-12-11 00:07:48 +00:00
itojun 9302f377a6 remove NRL code leftover. sync with kame 2000-12-10 23:39:36 +00:00
itojun 5eae50d991 update icmp6 too big validation. the change is necessary since pmtud is
mandatory for IPv6 (so we can't just validate by using connected pcb - we need
to allow traffic from unconnected pcb to do pmtud).
- if the traffic is validated by xx_ctlinput, allow up to "hiwat" pmtud
  route entries.
- if the traffic was not validated by xx_ctlinput, allow up to "lowat" pmtud
  route entries (there's upper limit, so bad guys cannot blow up our routing
  table).
sync with kame

XXX need to think again about default hiwat/lowat value.
XXX victim selection to help starvation case
2000-12-09 01:29:45 +00:00
itojun 7fee705236 more on previous (udp4 multicast fix) 2000-12-04 11:24:20 +00:00
itojun c2ca545d60 fix multicast inbound packet processing.
NetBSD PR 11629 From: salvet@ics.muni.cz
2000-12-04 11:23:04 +00:00
itojun f9ed4a5d70 IFA_STATS stability (not complete); don't touch ip if it is NULL. 2000-11-24 03:43:20 +00:00
thorpej e37508421d Due to a quirk (err, bug?) in IP Filter (mbuf freed without setting *mp
to NULL), the NULL check is insufficient.  Also make sure fr_check()
returned 0.
2000-11-12 19:50:47 +00:00
thorpej cbf6f69cb2 Oops, the mbuf may have been freed -- do a NULL check in the wrapper. 2000-11-12 19:29:31 +00:00
thorpej 8517807044 Actually, our local ip_off variable isn't needed. 2000-11-11 00:55:51 +00:00
thorpej 65fd25ea82 Restructure the PFIL_HOOKS mechanism a bit:
- All packets are passed to PFIL_HOOKS as they come off the wire, i.e.
  fields in protocol headers in network order, etc.
- Allow for multiple hooks to be registered, using a "key" and a "dlt".
  The "dlt" is a BPF data link type, indicating what type of header is
  present.
- INET and INET6 register with key == AF_INET or AF_INET6, and
  dlt == DLT_RAW.
- PFIL_HOOKS now take an argument for the filter hook, and mbuf **,
  an ifnet *, and a direction (PFIL_IN or PFIL_OUT), thus making them
  less IP (really, IP Filter) centric.

Maintain compatibility with IP Filter by adding wrapper functions for
IP Filter.
2000-11-11 00:52:36 +00:00
ad 642267bcc7 Update for hashinit() change. 2000-11-08 14:28:12 +00:00
itojun ef8a34f5c3 fix IPv4 TTL selection with AF_INET6 API. sync with kame. From: jdc 2000-11-06 00:50:12 +00:00
onoe e83458422f First Prototype implementation of network interface part for IEEE1394 (if_fw).
Current status:
	Only OHCI chip is supported (fwohci).
	ping (IPv4) works with Sony's implementation (SmartConnect) on Win98.
	sometimes works but not stable.
Not implemented yet:
	IRM (Isochronous Resource Manager) functionality.
	Link layer fragmentation.
	Topology map.
More to do:
	clean ups
	MCAP
	charactor device part
	dhcp

There is no entry in GENERIC config file yet.
Follow sys/dev/ieee1394/IMPLEMENTATION to enable if_fw.
2000-11-05 17:17:12 +00:00
itojun be2983be9d cleanup tcp_drop 2000-10-29 06:33:59 +00:00
itojun 7813d4bf6e process IPv4 tcp RST packet right. reported by thorpej. 2000-10-29 06:30:51 +00:00
itojun 80db86454a fix IFA_STATS.
- use hashed in_ifaddr lookup.
- correct endianness.
2000-10-23 03:42:18 +00:00
mjl 986b950535 Mark packets from gre as coming from appropriate gre interface, not
transport interface.
2000-10-20 20:43:26 +00:00
itojun 9183e2dc4e remove #ifdef TCP6. it is not likely for us to bring in sys/netinet6/tcp6*.c
(separate TCP/IPv6 stack) into netbsd-current.
2000-10-19 20:22:59 +00:00
itojun 9288750911 memcpy -> bcopy, for sync with kame tree 2000-10-19 00:40:44 +00:00
itojun 23a03329ef verify ICMPv6 too big messages based on TCP pcbs, and/or IPsec SA.
TODO: udp6, and sendto consideration.  as pmtud is mandatory for IPv6,
it is rather important for us to support those cases.
TODO: more testing
TODO: kame sync
2000-10-18 21:14:12 +00:00
itojun d7ca32a335 s/mtudisc_callback/icmp_&/ so that we don't feel conflict between IPv4 and
IPv6 counterpart. (or icmp4_&?)
2000-10-18 20:34:00 +00:00
itojun 9e8a83c2a4 count successful path MTU changes. good for debugging.
(there could be some discussion on when to increase the counter...)
2000-10-18 19:20:02 +00:00
thorpej ea9b5a9106 Restructure the Path MTU Discovery code somewhat to avoid
entering rtentry's for hosts we're not actually communicating
with.

Do this by invoking the ctlinput for the protocol, which is
responsible for validating the ICMP message:
	* TCP -- Lookup the connection based on the address/port
	  pairs in the ICMP message.
	* AH/ESP -- Lookup the SA based on the SPI in the ICMP message.

If validation succeeds, ctlinput is responsible for calling
icmp_mtudisc().  icmp_mtudisc() then invokes callbacks registered
by protocols (such as TCP) which want to take some sort of special
action when a path's MTU changes.  For TCP, this is where we now
refresh cached routes and re-enter slow-start.

As a side-effect, this fixes the problem where TCP would not be
notified when a path's MTU changed if AH/ESP were being used.

XXX Note, this is only a fix for the IPv4 case.  For the IPv6
XXX case, we need to wait for the KAME folks.

Reviewed by sommerfeld@netbsd.org and itojun@netbsd.org.
2000-10-18 17:09:14 +00:00
itojun 06700c02aa move tcp syn cache parameters from in_proto.c to tcp_subr.c.
it makes more sense and helps INET6-only (INET-less) build.
2000-10-18 07:21:10 +00:00
itojun 1eb3565937 allow INET6-less build.
From: smd@ebone.net (Sean Doran)
2000-10-17 21:16:57 +00:00
itojun a7e15e4935 be more friendly with INET-less build.
XXX we need to do more to do a working INET-less build
2000-10-17 03:06:42 +00:00
thorpej d839a91f5f Add an IP_MTUDISC flag to the flags that can be passed to
ip_output().  This flag, if set, causes ip_output() to set
DF in the IP header if the MTU in the route is not locked.

This allows a bunch of redundant code, which I was never
really all that happy about adding in the first place, to
be eliminated.

Inspired by a similar change made by provos@openbsd.org when
he integrated NetBSD's Path MTU Discovery code into OpenBSD.
2000-10-17 02:57:01 +00:00
itojun 6e3a9bc311 validate mbuf chain length on *_ctlinput. remote node may be able to
transmit a truncated icmp6 packet and panic the system.  sync with kame.
2000-10-13 17:53:44 +00:00
itojun 6572421763 make sure we don't share external mbuf between m and mcopy, in ip_forward().
should solve PR 11201.
2000-10-13 01:50:04 +00:00
itojun 8fa0e6b9f7 sync with kame ($KAME$) 2000-10-10 16:26:43 +00:00
itojun 97c873b9b0 ipfilter currently supports IPv4 only. do not try to touch non-IPv4
packets.  PR 11082.

This is a short-term workaround.  whenever new ipfilter comes out with
proper non-IPv4 support, we should migrate to the new ipfilter.
2000-10-08 13:01:30 +00:00
enami a2b260195e - Keep track of allhost multicast address record we joined into
each in_ifaddr and delete it when an address is purged.
- Don't simply try to delete a multicast address record listed in the
  ia_multiaddrs.  It results a dangling pointer.  Let who holds a
  reference to it to delete it.
2000-10-08 09:15:28 +00:00
itojun 48cc942e89 implement multicast kludge table for IPv4.
- when all the interface address is removed from an interface, and there's
  multicast groups still left joined, keep it in kludge table.
- when an interface address is added again, recover multicast groups from
  kludge table.
this will avoid problem with dangling in_ifaddr on pcmcia card removal,
due to the link from multicast group info (in_multi).

the code is basically from sys/netinet6/in6.c (jinmei@kame).

pointed out by: Shiva Shenoy <shiva_s@yahoo.com>
2000-10-08 02:05:47 +00:00
enami d127401d7f Cosmetic changes to previous commit; indent break statement sanely. 2000-10-06 10:21:06 +00:00
enami 358aa75755 Just call matching purgeif/pcbpurgeif routine for the protocol family.
Without this, if a v6 address is placed before a v4 address in if_addrlist,
a PRU_PURGEIF request for v6 tcp protocol purges also v4 addresses and,
as a result, if_detach fails to request PRU_PURGEIF for v4 protocols
other than tcp.
2000-10-06 09:24:40 +00:00
itojun 654a1d9555 remove obsolete handling code for SIOCSIFPHY*. they are now in ifioctl().
sync with kame.
2000-10-06 05:07:41 +00:00
itojun dcfe05e7c1 fix compilation without INET. fix confusion between ipsecstat and ipsec6stat.
sync with kame.
2000-10-02 03:55:41 +00:00
itojun dde2adf8e4 for t_template, allocate mbuf cluster only if really necessary.
this avoids too aggressive memory usage on heavy load web server, for example.
From: Kevin Lahey <kml@dotrocket.com>

release and reallocate t_template, if t_template->m_len changes.
(this happens if we connect to IPv4 mapped destination and then IPv6
destination, on a single AF_INET6 socket)

KAME 1.26 -> 1.28
2000-09-19 18:21:41 +00:00
itojun 29a4fb39d9 minor typo. s/iPsec/IPsec/ 2000-08-30 15:04:45 +00:00
simonb 94d3076df3 #define<tab> cleanup. 2000-08-28 02:12:22 +00:00
itojun 26dc854c41 make sure anonport{min,max} is not negative number 2000-08-26 10:41:29 +00:00
tron a97bfde931 Add new sysctl variables "net.inet.ip.lowportmin" and
"net.inet.ip.lowportmax" which can be used to the set minimum
and maximum port number assigned to sockets using
IP_PORTRANGE_LOW.
2000-08-25 13:35:05 +00:00
mjl 8358c07048 Add bpf tap to gre interface. 2000-08-25 00:51:20 +00:00
sommerfeld 867ca7767a Fill in next mtu field of NEEDFRAG ICMP error message.
From Marc Horowitz, pr10857
2000-08-22 16:02:16 +00:00
itojun 32e6a89b31 net.inet.tcp.rstratelimit is deprecated. make it invalid and return
ENOPROTOOPT.
2000-08-15 22:13:02 +00:00
jhawk b70721109d Add kernel counters for arp events, displayable with netstat -s -f arp 2000-08-15 20:24:57 +00:00
enami beb808e530 Put # endif directive after the right (i.e., matching) close brace
to prevent compilation error.
2000-08-12 14:17:13 +00:00
veego fea1509f80 Apply fix from IWAMOTO Toshihiro in pr#10813:
rev 1.35 of ip_nat.c checks if packets are too short.
 For ICMP packets, this packet length checking double counts
 the length of an IP header contained in ICMP messages.
 So, unless ICMP packets are long enough (such as echo-reply),
 packets are mistakingly considered too short and are dropped.
2000-08-12 08:08:54 +00:00
veego 35df2482b0 Protect a IPLLOG with ifdef IPFILTER_LOG. Patch from Darren Reed. 2000-08-12 08:04:18 +00:00
veego b3d0df91fb Resolve conflicts. 2000-08-09 21:00:39 +00:00
itojun 5e868d1e49 clearifications in icmp6 node query support.
XXX previous commit included "supported qtypes" icmp6 node query support.
sorry commit message was mistaken.
2000-08-03 16:30:37 +00:00
itojun afa5315364 correct typo in #define. ICMP6_NI_SUCESS -> SUCCESS (notice missing C).
sync with kame.
2000-08-03 14:31:04 +00:00
itojun 6574aa66e8 inhibit error code from rtinit(). this happens when we try to assign
multiple addresses from same prefix, onto single interface.  PR 10427.


more info:
- 4.4BSD did not check return code from in_ifinit() at all.
  4.4BSD does not support multiple address from same prefix.
- past KAME change passed in{,6}_ifinit() to upwards, toward ifconfig(8).
  the behavior is filed as PR 10427.
- the commit inhibits EEXIST from rtinit(), hence partially recovers old
  4.4BSD behavior.
- the right thing to happen is to properly support multiple address assignment
  from the same prefix.  KAME tree has more extensive change, however, it needs
  much more time to get stabilized (rtentry refcnt change can cause serious
  issue, we really need to bake it before bring it to netbsd)
2000-08-02 15:03:02 +00:00
thorpej bdb0f01b7c Slight adjustment to last, to allow the userland version to build. 2000-08-01 15:03:51 +00:00
thorpej ead5ad8885 - ipl_enable(): -1 is not an error return. If initializing IP Filter
fails, return EIO instead.

- iplioctl(): If performing a NAT operation, and IP Filter is not
  yet initialized (e.g. by `ipf -E'), enable it implicitly before
  doing the NAT operation.
2000-08-01 03:46:09 +00:00
kleink 079b94ad72 Avoid recursion with traditional cpp. 2000-07-28 12:13:32 +00:00
itojun 63de4c2cb9 nuke the following sysctl variables. "ppsratelimit" should work better.
need to recompile sbin/sysctl after updating /usr/include.
	net.inet.tcp.rstratelimit
	net.inet.icmp.errratelimit
	net.inet6.icmp6.errratelimit
2000-07-28 04:06:52 +00:00
itojun 7abf4641c6 forgot to call tcp6_quench(). sync with kame. 2000-07-28 02:39:45 +00:00
itojun 928dfa5233 do not disable icmp error rate limitation for local address.
local address can be abused too.  pps rate limitation should work fine for
moderate amount of icmp errors.
2000-07-27 11:36:14 +00:00
itojun dd9f2f7f1d implement net.inet.tcp.rstppslimit to limit TCP RSTs by packet-per-second
basis.  default: 100pps

set default value for net.inet.tcp.rstratelimit to 0 (disabled),
NOTE: it does not work right for smaller-than-1/hz interval.  maybe we should
nuke it, or make it impossible to set smaller-than-1/hz value.
2000-07-27 11:34:06 +00:00
itojun a18c2d780f be proactive about unspecified IPv6 source address. pcb layer uses
unspecified address (::) to mean "unbounded" or "unconnected",
and can be confused by packets from outside.

use of :: as source is not documented well in IPv6 specification.

not sure if it presents a real threat.  the worst case scenario is a DoS
against TCP listening socket:
- outsider transmit TCP SYN with :: as IPv6 source
- receiving side creates TCP control block with:
	local address = my addres
	remote address = ::     (meaning "unconnected")
	state = SYN_RCVD
  note that SYN ACK will not be sent due to ip6_output() filter.
  this stays until it timeouts.
- the TCP control block prevents listening TCP control block from
  being contacted (DoS).

udp6/raw6 socket may have similar problem, but as they are connectionless,
it may too much to filter it out.
2000-07-27 06:18:13 +00:00
sommerfeld 73b6d9485c Drop packet, increment udps_badlen if the udp header length field
reports a size smaller than the udp header; defends against bogosity
detected by Assar Westerlund.

This patch and the previous ip_icmp.c change were the joint work of
assar, itojun, and myself.
2000-07-24 03:46:57 +00:00
sommerfeld a0c29e06a3 Improve robustness of icmp_error():
- allow it to work when icmpreturndatabytes is sufficiently large that the
icmp error message doesn't fit in a header mbuf.
 - defend against mbuf chains shorter than their contained ip->ip_len.
2000-07-24 03:32:31 +00:00
itojun ca777cb72c add an DIAGNOSTIC case for MCLBYTES assumption 2000-07-23 05:00:01 +00:00
itojun f5211e847a remove m_pulldown statistics code. it is highly experimental and belong
to kame tree only (not for *bsd).
2000-07-13 05:34:21 +00:00
itojun ab492849bc implement net.inet.icmp.errppslimit.
make default value for net.inet.icmp.erratelimit to 0, as < 10ms value
does not do the right thing.
2000-07-10 09:31:29 +00:00
itojun 8a661b9beb be more cautious about tcp option length field. drop bogus ones earlier.
not sure if there is a real threat or not, but it seems that there's
possibility for overrun/underrun (like non-NOP option with optlen > cnt).
2000-07-09 12:49:08 +00:00
itojun ec67eee51f sync with kame.
introduce in6_{recover,embed}scope, for in-kernel scoped-address manipulation.
improve in6_pcbnotify.
2000-07-07 15:54:16 +00:00
itojun 210a3e2f80 remove unnecessary #include <netkey/key_debug.h>. from kame. 2000-07-06 12:51:39 +00:00
itojun 0a1e211454 - do not use bitfield for router renumbering header.
- add protection mechanism against ND cache corruption due to bad NUD hints.
- more stats
- icmp6 pps limitation.  TOOD: should implement ppsratecheck(9).
2000-07-06 12:36:18 +00:00
thorpej 70140a566d Some slight cleanup. 2000-07-06 04:34:26 +00:00
thorpej 9c86b65a92 Fix an omission in the gre cloning changes. 2000-07-05 22:45:25 +00:00
thorpej 6a900bc9ff Fix some zero-vs-NULL confusion. 2000-07-05 21:45:14 +00:00
thorpej f77f419c50 Make that note that we really should be checking the viftable
in ip_mroute.c for duplicate tunnel entries, too.  Well, what
really needs to happen is that the mrouting code needs to be
changed to work w/ `gif' tunnels... but...
2000-07-05 21:32:51 +00:00
thorpej 4348603862 RFCs 1853, 2003, 2401 -- copy the DF bit. 2000-07-05 21:01:38 +00:00
thorpej e5c397199f Use LIST_HEAD_INITIALIZER(), for correctness sake. 2000-07-05 18:45:26 +00:00
christos f142d4254d added a linted comment about non-portable bitfields. Unfortunately it cannot
be fixed portably.
2000-07-05 02:45:03 +00:00
itojun f0d7296dc1 typo in previous 2000-07-02 21:25:41 +00:00
itojun e29fba4ba7 do not touch struct ip6stat on non-INET6 compilation.
From: Paul Goyette <paul@whooppee.com>
2000-07-02 21:05:41 +00:00
itojun 8ff902fca1 repair kernel faithd(8) support. there were two mistakes:
(1) tcp6_input dropped packets for translation
(2) in6_pcblookup_connect was too strict
2000-07-02 08:04:10 +00:00
sommerfeld 8f2d5e3219 Don't rate-limit ICMP errors from packets we send to ourselves.
The dns resolver depends on reliably receiving errors to allow it to
quickly detect a dead local nameserver.
2000-07-01 21:46:40 +00:00
thorpej c8875e6066 Pass the correct destination address for the route-to-gateway case.
From Zdenek Salvet, kern/10483.
2000-06-30 19:43:53 +00:00
itojun 23f6a4f4e8 remove old mbuf assumption (ip header and tcp header are on the same mbuf).
this is for m_pulldown use. (sync with kame)
2000-06-30 16:44:33 +00:00
mrg cf594a3f4d <vm/vm.h> -> <uvm/uvm_extern.h> 2000-06-28 03:01:16 +00:00
mrg 5ec6fd267b remove include of <vm/vm.h> 2000-06-28 02:59:32 +00:00
kleink d2787dad27 XNS5.2: define sa_family_t and use it where specified by the standard. 2000-06-26 15:48:19 +00:00
mrg 2f159a1bac remove/move more mach vm header files:
<vm/pglist.h> -> <uvm/uvm_pglist.h>
	<vm/vm_inherit.h> -> <uvm/uvm_inherit.h>
	<vm/vm_kern.h> -> into <uvm/uvm_extern.h>
	<vm/vm_object.h> -> nothing
	<vm/vm_pager.h> -> into <uvm/uvm_pager.h>

also includes a bunch of <vm/vm_page.h> include removals (due to redudancy
with <vm/vm.h>), and a scattering of other similar headers.
2000-06-26 14:20:25 +00:00
matt e21a3d997c Don't copy M_EXT mbufs unless in "dhcp" mode. Do a mtod after the pullup
to make sure the ip pointer is still valid.
2000-06-16 20:21:26 +00:00
itojun 07098cd363 better conformance to draft-ietf-ipngwg-icmp-name-lookups-05.
the old code was chimera of 03 and 05 draft.

-n by default, since IPv6 reverse lookup takes too much time.
use -H to enable reverse name lookup.
2000-06-12 16:21:02 +00:00
veego ecbf42696a Remove a duplicated check for the NetBSD callout (I think it is a mistake
from a previous conflict resolve which doesn't cause harm).
2000-06-12 10:41:36 +00:00
veego 886013b9e7 Ups, forgot to resolve one place. 2000-06-12 10:29:36 +00:00