path: root/contrib/ipfilter
Commit message [Author, Age, Files, Lines]
* MFC r321605: [cy, 2017-08-03, files: 1, lines: -2/+2]
|   As in r315225, discard 3072 bytes of RC4 bytestream instead of 1024.
|   (This implementation of arc4rand(9) is used by the userland ipftest
|   utility as it approximates ipfilter kernelspace in userspace.)
|
|   PR: 217920
|   Submitted by: codarren@hackers.mu
|   Reviewed by: emaste, cem
|   Approved by: so (implicit, in r315225)
|   Differential Revision: D11747
|   Patterned after: r315225
* MFC r319962: [cy, 2017-06-19, files: 1, lines: -1/+1]
|   Correct example directory location.
|
|   Submitted by: olivier@
|   Approved by: re@ (kib@)
* MFC r315368: [cy, 2017-05-30, files: 12, lines: -16/+17]
|   calloc() and realloc() modernization.
|
|   This commit replaces calloc calls, which called calloc() as if it
|   were malloc() by allocating a multiple of objects as a sizeof
|   multiplied by the number of objects. The patch rectifies this by
|   calling calloc() as it was meant to be called.
|
|   This commit also replaces realloc() with reallocarray() in a similar
|   fashion as above. Instead of calculating the memory to be reallocated
|   (changed) by multiplying sizeof by the number of objects, the sizeof
|   and number are passed as separate arguments to reallocarray(),
|   letting reallocarray() do the multiplication instead. Like the
|   calloc() adjustment above, this approach is cleaner and more elegant
|   than the previous code.
|
|   This has been tested on my production firewall and a laptop (also
|   running ipfilter).
|
|   Submitted by: pfg
* MFC r318283: [cy, 2017-05-17, files: 1, lines: -1/+1]
|   As of r318281 in HEAD (r318390 [in stable/10 & stable/11]), there is
|   no need to put a colon (:) in the message string.
* MFC r318281: [cy, 2017-05-17, files: 1, lines: -1/+1]
|   Separate the ipfilter function/static string from the error with a
|   colon (:) in error messages to assist the user in parsing out the
|   error from where or which object the error message refers to.
* MFC 317830: [cy, 2017-05-12, files: 1, lines: -0/+2]
|   Ifdef out a redundant if statement when INET6 is disabled.
* Revert r318203: Neglected to put "MFC 318203:" in the log. [cy, 2017-05-12, files: 1, lines: -2/+0]
|   Pointy hat to: cy
* Ifdef out a redundant if statement when INET6 is disabled. [cy, 2017-05-12, files: 1, lines: -0/+2]
|
* MFC r316993, r316994, r316997 as follows: [cy, 2017-04-23, files: 2, lines: -0/+10]
|   r316993:
|   Fix CID 1372601 in ipfilter/lib/parsefields.c, possible NULL pointer
|   dereference should reallocarray() fail.
|
|   Reported by: Coverity CID 1372601
|
|   r316994:
|   Fix CID 1372600 in ipfilter/tools/ipf_y.y, possible NULL pointer
|   dereference should reallocarray() fail.
|
|   Reported by: Coverity CID 1372600
|
|   r316997:
|   Use warnx() to issue error message.
|
|   Reported by: cem
* MFC r314627: [cy, 2017-03-07, files: 1, lines: -1/+3]
|   Fix leak (free str before returning when ctx's calloc fails).
|
|   Submitted by: trix_juniper.net (Tom Rix)
|   Reviewed by: cy, ngie
|   Discovered by: clang's static analyzer
|   Differential Revision: D9877
* MFC r312787: [cy, 2017-02-25, files: 1, lines: -0/+21]
|   Currently the fragment info is placed at the top of the linked list
|   under a shared read lock. This patch attempts to upgrade the lock to
|   an exclusive write lock. If the exclusive write lock fails to be
|   obtained, the current fragment is not placed at the head of the list.
|   This portion of the patch was inspired by NetBSD ip_frag.c r1.4
|   (which effectively removed the section of code that performed the
|   reordering).
|
|   The patch to sys/contrib/ipfilter/netinet/ip_compat.h adds the
|   MUTEX_TRY_UPGRADE macro to support the patch to ip_frag.c.
|
|   The patch to contrib/ipfilter/lib/rwlock_emul.c supports this patch
|   by emulating the mutex in userspace when exercised by ipftest(1).
|
|   Inspired by: NetBSD ip_frag.c r1.4
* MFC r312791: [cy, 2017-02-09, files: 1, lines: -2/+1]
|   Use normal KNF cuddling of elses.
|
|   Reported by: bde
* MFC r312777, r312780: [cy, 2017-02-08, files: 1, lines: -4/+7]
|   Issue an error message when an incorrect flush argument is
|   encountered (and style fixup).
* MFC r304953: [dim, 2016-08-31, files: 1, lines: -1/+5]
|   Define ipfilter's SOLARIS macro in a defined and portable way.
|
|   Reviewed by: cy
|   Differential Revision: https://reviews.freebsd.org/D7671
|
|   MFC r304959 (by kib):
|
|   Complete r304953.
|
|   Sponsored by: The FreeBSD Foundation
|
|   MFC r304964:
|
|   Follow-up to r304953, in which I broke the build: apparently the
|   SOLARIS macro is defined in lots of different places in ipfilter, so
|   replace all of the nonportable definitions with portable ones.
|
|   Pointy hat to: dim
* Remove dead code. [cy, 2016-06-30, files: 1, lines: -17/+0]
|   Approved by: re@ (hrs@)
|   MFC after: 1 week
* Clarify the wording to be more accurate. [cy, 2016-06-10, files: 1, lines: -5/+4]
|   Approved by: re@ (gjb)
|   MFC after: 1 week
|   X-MFC with: r301773
* Update the man ipf.8 man page to accurately reflect that the -6 [cy, 2016-06-10, files: 1, lines: -1/+5]
|   option is a noop and only here for backward compatibility.
|
|   MFC after: 1 week
* Fix another typo. [cy, 2016-05-19, files: 1, lines: -1/+1]
|   Reported by: cem
|   MFC after: 6 days
* Fix typo. [cy, 2016-05-19, files: 1, lines: -1/+1]
|   Reported by: Ruben Kerkhof <ruben@rubenkerkhof.com>
|   MFC after: 6 days
* Static pointers need not be initialized. [cy, 2016-04-15, files: 1, lines: -3/+3]
|   MFC after: 4 weeks
* Use NULL instead of 0 for pointer comparison. [cy, 2016-04-15, files: 1, lines: -3/+3]
|   MFC after: 4 weeks
* Revert r288682 [ngie, 2015-10-05, files: 319, lines: -0/+70759]
|   I meant to do this on ^/user/ngie/more-tests
|
|   Pointyhat to: ngie (use svn info next time...)
* Remove some paths preparing for a re-copy from head [ngie, 2015-10-05, files: 319, lines: -70759/+0]
|
* ipf(1): Use strchr(3) instead of deprecated index(3) [emaste, 2015-05-22, files: 1, lines: -1/+1]
|   Reviewed by: cy
|   MFC after: 1 week
|   Sponsored by: The FreeBSD Foundation
|   Differential Revision: https://reviews.freebsd.org/D2607
* Stop including if_var.h from userland. [glebius, 2015-04-06, files: 9, lines: -27/+0]
|   Sponsored by: Nginx, Inc.
* o Use new function ip_fillid() in all places throughout the kernel, [glebius, 2015-04-01, files: 1, lines: -0/+8]
|     where we want to create a new IP datagram.
|   o Add support for RFC6864, which allows to set IP ID for atomic IP
|     datagrams to any value, to improve performance. The behaviour is
|     controlled by net.inet.ip.rfc6864 sysctl knob, which is enabled by
|     default.
|   o In case if we generate IP ID, use counter(9) to improve performance.
|   o Gather all code related to IP ID into ip_id.c.
|
|   Differential Revision: https://reviews.freebsd.org/D2177
|   Reviewed by: adrian, cy, rpaulo
|   Tested by: Emeric POUPON <emeric.poupon stormshield.eu>
|   Sponsored by: Netflix
|   Sponsored by: Nginx, Inc.
|   Relnotes: yes
* The ipftest(1) is a program that emulates ipf(4) operation and tests packets [glebius, 2015-02-19, files: 2, lines: -3/+3]
|   against rules. It definitely doesn't need to know about kernel
|   internals, such as 'struct ifaddr'. What it does with ifaddr, is that
|   it only takes ifa_addr member of it, and treats it as sockaddr, while
|   it is only a pointer to sockaddr. Fortunately,
|   sizeof(struct ifaddr) > sizeof(struct sockaddr_in6), so no problems
|   arise.
|
|   Fix that declaring a private struct ifaddr in ipftest(1) and stop
|   including if_var.h.
|
|   Sponsored by: Netflix
|   Sponsored by: Nginx, Inc.
* #552 destination port not zero after parsing nat rule [cy, 2014-09-22, files: 1, lines: -9/+13]
|   Approved by: glebius (mentor)
|   Obtained from: netbsd CVS repo (r1.4), ipfilter CVS repo (r1.38)
* 3561691 gethost never returns an ipv6 address [cy, 2014-09-22, files: 1, lines: -7/+9]
|   Approved by: glebius (mentor)
|   Obtained from: ipfilter CVS repo (r1.34), netbsd CVS repo (r1.4)
* #551 ipf.conf address structure not properly zero filled [cy, 2014-09-22, files: 1, lines: -11/+21]
|   Approved by: glebius (mentor)
|   Obtained from: ipfilter CVS repo (r1.37), netbsd CVS repo (r1.3)
* #536 ipnat can try to print rule as dstlist incorrectly [cy, 2014-09-22, files: 1, lines: -2/+4]
|   Approved by: glebius (mentor)
|   Obtained from: ipfilter CVS repo (r1.14), netbsd CVS repo (r1.3)
* #553 gethost needs to zero entire IP address structure [cy, 2014-09-22, files: 1, lines: -0/+1]
|   Approved by: glebius (mentor)
|   Obtained from: ipfilter CVS repo (r1.11)
* ipv6 address for test.hosts.dots in wrong byte order. [cy, 2014-09-22, files: 1, lines: -4/+4]
|   Approved by: glebius (mentor)
|   Obtained from: ipfilter CVS repo (r1.11), netbsd CVS repo (r1.5)
* Unbreak with gcc. [pluknet, 2014-07-13, files: 1, lines: -0/+2]
|   I'm tired to see tinderbox spamming. Feel free to fix it your way.
* Fix compile-time errors when NO_WERROR and WITHOUT_INET6_SUPPORT [cy, 2014-07-05, files: 4, lines: -4/+4]
|   (NO_INET6) are specified.
|
|   Approved by: glebius
|   MFC after: 1 week
* Hide 'struct ifaddr' definition from userland. Two tools left that use it, [glebius, 2013-10-15, files: 1, lines: -3/+4]
|   namely ipftest(1) and ifmcstat(1). These sniff structure definition
|   using _WANT_IFADDR define.
|
|   Sponsored by: Netflix
|   Sponsored by: Nginx, Inc.
* Remove redundant files. [cy, 2013-09-21, files: 529, lines: -30779/+0]
|   Approved by: glebius (mentor)
|   Approved by: re (blanket)
* Check return code from inet_pton. [cy, 2013-09-21, files: 1, lines: -1/+13]
|   Discovered by: Coverity.
|   Approved by: glebius (mentor)
|   Approved by: re (blanket)
* Update ipfilter 4.1.28 --> 5.1.2. [cy, 2013-09-06, files: 579, lines: -11711/+39290]
|\
| |   Approved by: glebius (mentor)
| |   BSD Licensed by: Darren Reed <darrenr@reed.wattle.id.au> (author)
| * As per the developers handbook (5.3.1 step 1), prepare the vendor trees for [cy, 2013-07-19, files: 794, lines: -133028/+0]
| |   import of new ipfilter vendor sources by flattening them.
| |
| |   To keep the tags consistent with dist, the tags are also flattened.
| |
| |   Approved by: glebius (Mentor)
* | Retire struct sockaddr_inarp. [glebius, 2013-01-31, files: 1, lines: -2/+2]
| |   Since ARP and routing are separated, "proxy only" entries don't
| |   have any meaning, thus we don't need additional field in sockaddr
| |   to pass SIN_PROXY flag.
| |
| |   New kernel is binary compatible with old tools, since sizes of
| |   sockaddr_inarp and sockaddr_in match, and sa_family are filled with
| |   same value.
| |
| |   The structure declaration is left for compatibility with third
| |   party software, but in tree code no longer use it.
| |
| |   Reviewed by: ru, andre, net@
* | Clean some 'svn:executable' properties in the tree. [pfg, 2013-01-26, files: 2, lines: -0/+0]
| |   Submitted by: Christoph Mallon
| |   MFC after: 3 days
* | Fix paths for example files. [markm, 2010-11-18, files: 2, lines: -2/+2]
| |
* | Use pcap's bpf header, not our own copy of it. [rpaulo, 2010-10-29, files: 1, lines: -2/+0]
| |
* | Comment in the BUGS section header. Matches what's in ipfilter 5.10. [brueffer, 2010-05-12, files: 1, lines: -1/+1]
| |   PR: 144880
| |   Submitted by: Glen Barber <glen.j.barber@gmail.com>
| |   MFC after: 1 week
* | Remove unneeded include of <sys/timeb.h>. [ed, 2010-03-09, files: 1, lines: -1/+0]
| |   This header file should not be included by anything.
* | fix spelling mistake [darrenr, 2009-11-19, files: 1, lines: -1/+1]
| |
* | Fix a typo that causes the for loop to exit immediately. There's [rdivacky, 2009-06-16, files: 1, lines: -1/+1]
| |   identical loop a few lines above.
| |
| |   Reviewed by: sam
| |   Approved by: ed (mentor)
| |   Silence from: darrenr (maintainer)
* | - Prevent buffer overflow in IPFilter's load_http function used to load [stas, 2009-05-29, files: 1, lines: -10/+19]
| |     ipfilter tables via http by the user-level ippool utility.
| |     Previously the 1024-byte buffer used to store a http request could
| |     easily overflow if the length of the hostname part of the url
| |     passed exceeded 496 bytes. [1]
| |   - Use snprintf to prevent possible buffer overflows in future. [2]
| |   - Do not try to close the descriptor twice on failure. [2]
| |
| |   Reported by: Maksymilian Arciemowicz <cxib@securityreason.com> [1]
| |   Obtained from: NetBSD CVS [2]
| |   MFC after: 2 weeks
* | Remove udp and tcp includes not needed here. [bz, 2009-04-25, files: 1, lines: -3/+0]
| |   Tripped over by: a compile of an upcoming change
| |   MFC after: 1 month