| Commit message | Author | Age | Files | Lines |
As in r315225, discard 3072 bytes of RC4 bytestream instead of 1024.
(This implementation of arc4rand(9) is used by the userland ipftest
utility as it approximates ipfilter kernelspace in userspace.)
PR: 217920
Submitted by: codarren@hackers.mu
Reviewed by: emaste, cem
Approved by: so (implicit, in r315225)
Differential Revision: D11747
Patterned after: r315225
Correct example directory location.
Submitted by: olivier@
Approved by: re@ (kib@)
calloc() and realloc() modernization.
This commit replaces calloc calls, which called calloc() as if it were
malloc() by allocating a multiple of objects as a sizeof multiplied by
the number of objects. The patch rectifies this by calling calloc() as
it was meant to be called.
This commit also replaces realloc() with reallocarray() in a similar
fashion as above. Instead of calculating the memory to be reallocated
(changed) by multiplying sizeof by the number of objects, the sizeof
and number are passed as separate arguments to reallocarray(), letting
reallocarray() do the multiplication instead. Like the calloc()
adjustment above, this approach is cleaner and more elegant than
the previous code.
This has been tested on my production firewall and a laptop (also
running ipfilter).
Submitted by: pfg
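An added example, not code from the ipfilter tree or from this commit, showing why the object count and element size belong in separate calloc()/reallocarray() arguments: a caller-side multiply silently wraps to a small byte count, while the library-side one is overflow-checked and returns NULL. struct entry, checked_reallocarray() (a local stand-in for reallocarray(3) so the example does not depend on the libc shipping it), alloc_table() and grow_table() are constructed names. grow_table() also checks the result before touching it, which is the NULL-dereference-on-failure defect that a later Coverity-driven commit in this log fixes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the ipfilter objects being allocated. */
struct entry {
	int	id;
	char	name[28];
};

/* The pattern the commit removed: the caller multiplies count and size
 * itself, so a large count wraps around to a small byte count. */
size_t
unchecked_bytes(size_t nmemb, size_t size)
{
	return nmemb * size;
}

/* Overflow test equivalent to what calloc(3) and reallocarray(3) do
 * internally before multiplying. */
int
mul_overflows(size_t nmemb, size_t size)
{
	return size != 0 && nmemb > SIZE_MAX / size;
}

/* Local stand-in for reallocarray(3): NULL when nmemb * size would wrap. */
void *
checked_reallocarray(void *ptr, size_t nmemb, size_t size)
{
	if (mul_overflows(nmemb, size))
		return NULL;
	return realloc(ptr, nmemb * size);
}

/* calloc() called as intended: count and element size as separate
 * arguments; the result is zero-filled and NULL on overflow or exhaustion. */
struct entry *
alloc_table(size_t n)
{
	return calloc(n, sizeof(struct entry));
}

/* Grow *tab from old_n to new_n entries. Returns 0 on success, -1 on
 * failure; on failure *tab is left untouched rather than overwritten with
 * NULL, so the caller never dereferences a failed reallocation. */
int
grow_table(struct entry **tab, size_t old_n, size_t new_n)
{
	struct entry *p;

	p = checked_reallocarray(*tab, new_n, sizeof(*p));
	if (p == NULL)
		return -1;
	if (new_n > old_n)
		memset(p + old_n, 0, (new_n - old_n) * sizeof(*p));
	*tab = p;
	return 0;
}

int
main(void)
{
	struct entry *t;

	printf("unchecked SIZE_MAX * 2 = %zu (wrapped)\n",
	    unchecked_bytes(SIZE_MAX, 2));
	printf("checked_reallocarray(SIZE_MAX, 2) -> %s\n",
	    checked_reallocarray(NULL, SIZE_MAX, 2) == NULL ? "NULL" : "ptr");
	t = alloc_table(4);
	if (t == NULL)
		return 1;
	printf("grow 4 -> 8: %d, grow 8 -> SIZE_MAX: %d\n",
	    grow_table(&t, 4, 8), grow_table(&t, 8, SIZE_MAX));
	free(t);
	return 0;
}
```

The first printf is the whole point: with the old calling convention the wrapped value is what would have been handed to malloc()-style code, and the subsequent writes into the undersized block are the heap overflow; with the checked form the allocation simply fails and the caller's NULL check handles it.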
As of r318281 in HEAD (r318390 [in stable/10 & stable/11]), there is no
need to put a colon (:) in the message string.
Separate the ipfilter function/static string from the error with a
colon (:) in error messages to assist the user in parsing out the error
from where or which object the error message refers to.
Ifdef out a redundant if statement when INET6 is disabled.
Pointy hat to: cy
r316993:
Fix CID 1372601 in ipfilter/lib/parsefields.c, possible NULL pointer
dereference should reallocarray() fail.
Reported by: Coverity CID 1372601
r316994:
Fix CID 1372600 in ipfilter/tools/ipf_y.y, possible NULL pointer
dereference should reallocarray() fail.
Reported by: Coverity CID 1372600
r316997:
Use warnx() to issue error message.
Reported by: cem
Fix leak (free str before returning when ctx's calloc fails).
Submitted by: trix_juniper.net (Tom Rix)
Reviewed by: cy, ngie
Discovered by: clang's static analyzer
Differential Revision: D9877
Currently the fragment info is placed at the top of the linked list
under a shared read lock. This patch attempts to upgrade the lock to
an exclusive write lock. If the exclusive write lock fails to be
obtained, the current fragment is not placed at the head of the list.
This portion of the patch was inspired by NetBSD ip_frag.c r1.4 (which
effectively removed the section of code that performed the reordering).
The patch to sys/contrib/ipfilter/netinet/ip_compat.h adds the
MUTEX_TRY_UPGRADE macro to support the patch to ip_frag.c.
The patch to contrib/ipfilter/lib/rwlock_emul.c supports this patch
by emulating the mutex in userspace when exercised by ipftest(1).
Inspired by: NetBSD ip_frag.c r1.4
Use normal KNF cuddling of elses.
Reported by: bde
Issue an error message when an incorrect flush argument is encountered
(and style fixup).
Define ipfilter's SOLARIS macro in a defined and portable way.
Reviewed by: cy
Differential Revision: https://reviews.freebsd.org/D7671
MFC r304959 (by kib):
Complete r304953.
Sponsored by: The FreeBSD Foundation
MFC r304964:
Follow-up to r304953, in which I broke the build: apparently the SOLARIS
macro is defined in lots of different places in ipfilter, so replace all
of the nonportable definitions with portable ones.
Pointy hat to: dim
Approved by: re@ (hrs@)
MFC after: 1 week
Approved by: re@ (gjb)
MFC after: 1 week
X-MFC with: r301773
option is a noop and only here for backward compatibility.
MFC after: 1 week
Reported by: cem
MFC after: 6 days
Reported by: Ruben Kerkhof <ruben@rubenkerkhof.com>
MFC after: 6 days
MFC after: 4 weeks
MFC after: 4 weeks
I meant to do this on ^/user/ngie/more-tests
Pointyhat to: ngie (use svn info next time...)
Reviewed by: cy
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D2607
Sponsored by: Nginx, Inc.
where we want to create a new IP datagram.
o Add support for RFC6864, which allows setting the IP ID for atomic IP
datagrams to any value, to improve performance. The behaviour is
controlled by the net.inet.ip.rfc6864 sysctl knob, which is enabled by
default.
o In case we generate the IP ID, use counter(9) to improve performance.
o Gather all code related to IP ID into ip_id.c.
Differential Revision: https://reviews.freebsd.org/D2177
Reviewed by: adrian, cy, rpaulo
Tested by: Emeric POUPON <emeric.poupon stormshield.eu>
Sponsored by: Netflix
Sponsored by: Nginx, Inc.
Relnotes: yes
against rules. It definitely doesn't need to know about kernel internals,
such as 'struct ifaddr'. What it does with ifaddr, is that it only takes
ifa_addr member of it, and treats it as sockaddr, while it is only a pointer
to sockaddr. Fortunately, sizeof(struct ifaddr) > sizeof(struct sockaddr_in6),
so no problems arise.
Fix that by declaring a private struct ifaddr in ipftest(1) and stop including
if_var.h.
Sponsored by: Netflix
Sponsored by: Nginx, Inc.
Approved by: glebius (mentor)
Obtained from: netbsd CVS repo (r1.4), ipfilter CVS repo (r1.38)
Approved by: glebius (mentor)
Obtained from: ipfilter CVS repo (r1.34), netbsd CVS repo (r1.4)
Approved by: glebius (mentor)
Obtained from: ipfilter CVS repo (r1.37), netbsd CVS repo (r1.3)
Approved by: glebius (mentor)
Obtained from: ipfilter CVS repo (r1.14), netbsd CVS repo (r1.3)
Approved by: glebius (mentor)
Obtained from: ipfilter CVS repo (r1.11)
Approved by: glebius (mentor)
Obtained from: ipfilter CVS repo (r1.11), netbsd CVS repo (r1.5)
I'm tired of seeing tinderbox spamming. Feel free to fix it your way.
(NO_INET6) are specified.
Approved by: glebius
MFC after: 1 week
namely ipftest(1) and ifmcstat(1). These sniff the structure definition using the
_WANT_IFADDR define.
Sponsored by: Netflix
Sponsored by: Nginx, Inc.
Approved by: glebius (mentor)
Approved by: re (blanket)
Discovered by: Coverity.
Approved by: glebius (mentor)
Approved by: re (blanket)
Approved by: glebius (mentor)
BSD Licensed by: Darren Reed <darrenr@reed.wattle.id.au> (author)
import of new ipfilter vendor sources by flattening them.
To keep the tags consistent with dist, the tags are also flattened.
Approved by: glebius (Mentor)
Since ARP and routing are separated, "proxy only" entries
don't have any meaning, thus we don't need an additional field
in sockaddr to pass the SIN_PROXY flag.
The new kernel is binary compatible with old tools, since the sizes
of sockaddr_inarp and sockaddr_in match, and sa_family is
filled with the same value.
The structure declaration is left for compatibility with
third-party software, but in-tree code no longer uses it.
Reviewed by: ru, andre, net@
Submitted by: Christoph Mallon
MFC after: 3 days
PR: 144880
Submitted by: Glen Barber <glen.j.barber@gmail.com>
MFC after: 1 week
This header file should not be included by anything.
identical loop a few lines above.
Reviewed by: sam
Approved by: ed (mentor)
Silence from: darrenr (maintainer)
ipfilter tables via http by the user-level ippool utility. Previously
the 1024-byte buffer used to store an http request could easily overflow
if the length of the hostname part of the url passed exceeded 496 bytes. [1]
- Use snprintf to prevent possible buffer overflows in future. [2]
- Do not try to close the descriptor twice on failure. [2]
Reported by: Maksymilian Arciemowicz <cxib@securityreason.com> [1]
Obtained from: NetBSD CVS [2]
MFC after: 2 weeks
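An added example, not the ippool code or this commit's patch, of the two defensive patterns the message names: formatting a request into a fixed 1024-byte buffer with snprintf() and treating truncation as an error, and closing a descriptor at most once. build_request(), close_once(), demo(), the request layout and the hostnames are constructed; the layout is simpler than ippool's, so the hostname length at which it would overflow is not the 496 bytes quoted above.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define REQ_BUFSZ 1024	/* the fixed request buffer size named in the commit */

/* Format "GET <path> HTTP/1.0\r\nHost: <host>\r\n\r\n" into buf (constructed
 * layout). Returns the request length, or -1 when it would not fit:
 * snprintf() returns the length it wanted to write, so a value >= bufsz
 * means the output was truncated. The caller treats that as an error
 * instead of sending a clipped request, and the buffer is never overrun. */
int
build_request(char *buf, size_t bufsz, const char *host, const char *path)
{
	int n;

	n = snprintf(buf, bufsz, "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n",
	    path, host);
	if (n < 0 || (size_t)n >= bufsz) {
		buf[0] = '\0';
		return -1;
	}
	return n;
}

/* Close a descriptor at most once; the slot is set to -1 so a second call
 * on the same failure path is a no-op. Returns 0 when a descriptor was
 * closed, -1 when it had already been closed. */
int
close_once(int *fd)
{
	if (*fd < 0)
		return -1;
	close(*fd);
	*fd = -1;
	return 0;
}

/* Constructed walkthrough: a normal hostname fits, a 999-byte one is refused
 * rather than overflowing, and a descriptor closed twice is closed once.
 * Returns 0 when every step behaved as expected. */
int
demo(void)
{
	char buf[REQ_BUFSZ];
	char longhost[1000];
	int fd;

	memset(longhost, 'a', sizeof(longhost) - 1);
	longhost[sizeof(longhost) - 1] = '\0';

	if (build_request(buf, sizeof(buf), "pool.example.net",
	    "/blocklist.txt") < 0)
		return 1;
	if (build_request(buf, sizeof(buf), longhost, "/blocklist.txt") != -1)
		return 2;
	if (buf[0] != '\0')
		return 3;
	fd = open("/dev/null", O_RDONLY);
	if (fd < 0)
		return 4;
	if (close_once(&fd) != 0 || close_once(&fd) != -1)
		return 5;
	return 0;
}

int
main(void)
{
	int rc = demo();

	printf("demo: %s (%d)\n", rc == 0 ? "ok" : "unexpected", rc);
	return rc;
}
```

The length check is the part people get wrong: snprintf() never writes past bufsz, but it also does not fail, so a caller that ignores the return value sends a silently truncated request. Comparing the return value against the buffer size is what turns the former overflow into a clean error.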
Tripped over by: a compile of an upcoming change
MFC after: 1 month