| Commit message (Collapse) | Author | Age | Files | Lines |
|
Sponsored by: The FreeBSD Foundation
|
ipfilter bug #552 destination port not zero after parsing nat rule.
Obtained from: netbsd CVS repo (r1.4), ipfilter CVS repo (r1.38)
|
3561691 gethost never returns an ipv6 address
Obtained from: ipfilter CVS repo (r1.34), netbsd CVS repo (r1.4)
|
ipfilter bug #551 ipf.conf address structure not properly zero filled.
Obtained from: ipfilter CVS repo (r1.37), netbsd CVS repo (r1.3)
|
Fix ipfilter bug #536 ipnat can try to print rule as dstlist incorrectly.
Obtained from: ipfilter CVS repo (r1.14), netbsd CVS repo (r1.3)
|
Fix ipfilter bug #553 gethost needs to zero entire IP address structure.
Obtained from: ipfilter CVS repo (r1.11)
|
ipv6 address for test.hosts.dots in wrong byte order.
Obtained from: ipfilter CVS repo (r1.11), netbsd CVS repo (r1.5)
|
support, the userland was still built with INET6 turned on.
PR: 190964
Approved by: glebius (mentor, implicit)
|
(NO_INET6) are specified.
Approved by: glebius (mentor)
|
Approved by: glebius (mentor)
Approved by: re (blanket)
|
Discovered by: Coverity.
Approved by: glebius (mentor)
Approved by: re (blanket)
|
Approved by: glebius (mentor)
BSD Licensed by: Darren Reed <darrenr@reed.wattle.id.au> (author)
|
import of new ipfilter vendor sources by flattening them.
To keep the tags consistent with dist, the tags are also flattened.
Approved by: glebius (Mentor)
|
Since ARP and routing are separated, "proxy only" entries
don't have any meaning, thus we don't need additional field
in sockaddr to pass SIN_PROXY flag.
New kernel is binary compatible with old tools, since sizes
of sockaddr_inarp and sockaddr_in match, and sa_family are
filled with same value.
The structure declaration is left for compatibility with
third party software, but in-tree code no longer uses it.
Reviewed by: ru, andre, net@
|
Submitted by: Christoph Mallon
MFC after: 3 days
|
PR: 144880
Submitted by: Glen Barber <glen.j.barber@gmail.com>
MFC after: 1 week
|
This header file should not be included by anything.
|
identical loop a few lines above.
Reviewed by: sam
Approved by: ed (mentor)
Silence from: darrenr (maintainer)
|
ipfilter tables via http by the user-level ippool utility. Previously
the 1024-byte buffer used to store a http request could easily overflow
if the length of the hostname part of the url passed exceeded 496 bytes. [1]
- Use snprintf to prevent possible buffer overflows in future. [2]
- Do not try to close the descriptor twice on failure. [2]
Reported by: Maksymilian Arciemowicz <cxib@securityreason.com> [1]
Obtained from: NetBSD CVS [2]
MFC after: 2 weeks
|
Tripped over by: a compile of an upcoming change
MFC after: 1 month
|
1. separating L2 tables (ARP, NDP) from the L3 routing tables
2. removing as much locking dependencies among these layers as
possible to allow for some parallelism in the search operations
3. simplify the logic in the routing code,
The most notable end result is the obsolescence of the route
cloning (RTF_CLONING) concept, which translated into code reduction
in both IPv4 ARP and IPv6 NDP related modules, and size reduction in
struct rtentry{}. The change in design obsoletes the semantics of
RTF_CLONING, RTF_WASCLONE and RTF_LLINFO routing flags. The userland
applications such as "arp" and "ndp" have been modified to reflect
those changes. The output from "netstat -r" shows only the routing
entries.
Quite a few developers have contributed to this project in the
past: Glebius Smirnoff, Luigi Rizzo, Alessandro Cerri, and
Andre Oppermann. And most recently:
- Kip Macy revised the locking code completely, thus completing
the last piece of the puzzle, Kip has also been conducting
active functional testing
- Sam Leffler has helped me improve/refactor the code, and
provided valuable reviews
- Julian Elischer set up the perforce tree for me and has helped
me maintain that branch before the svn conversion
|
Approved by: darrenr
MFC after: 1 week
Security: CERT VU#521769
|
own purposes. To pull this off, it defines _KERNEL before including the
headers where these structures are defined. This leads to no end of
trouble when some of these headers, or other headers that they include,
change, as demonstrated by r180755.
The quick fix in this particular case is to define _WANT_FILE instead of
_KERNEL, conditional on __FreeBSD__. A better long-term fix is left as
an exercise to the reader.
|
MFC after: 7 days
|
which included commits to RCS files with non-trunk default branches.
|
PR: bin/113879
Submitted by: kabe@sra-tohoku.co.jp
Reviewed by: darrenr
Approved by: re
|
See src/contrib/ipfilter/HISTORY for details of changes since 4.1.13
|
which included commits to RCS files with non-trunk default branches.
|
See src/contrib/ipfilter/HISTORY for details of changes since 4.1.13
|
MFC after: 1 week
|
which included commits to RCS files with non-trunk default branches.
|
MFC after: 4 days
|
ipfilter usr/share directory
PR: docs/26879
|
which included commits to RCS files with non-trunk default branches.
|
in src/sys/contrib/ipfilter/netinet. Makefile's reachover bits find what
they need so building is unaffected.
Approved by: re (dwhite)
|
(1) "ipf -T" is broken for fetching single entries and
(2) loading rules with numbered collections does not order insertion right.
(3) stats aren't accumulated for hash table memory failures
Approved by: re (dwhite)
|
/boot/kernel/kernel, not plain /kernel
|
parse bpf strings for filter rules in ipf.conf
|