path: root/sys/contrib/ipfilter/netinet
Commit message | Author | Age | Files | Lines
* MFC r292813. | cy | 2015-12-31 | 1 | -1/+1
    Correct __FreeBSD__ check.
* MFC r292518. | cy | 2015-12-27 | 1 | -2/+2
    Don't assume checksums will be calculated later when fastforward is enabled (by default in r290383).
    PR: 72210
* MFC r289480. Really fix ipfilter bug 3600459. | cy | 2015-10-20 | 1 | -2/+1
    Obtained from: ipfilter cvs repo r1.48.2.25, r1.72 and NetBSD repo r1.4
* MFC r288910: On some interfaces, ipfilter drops UDP packets with zero | cy | 2015-10-13 | 1 | -0/+16
    checksum. This commit fixes that.
    PR: 166372
    Submitted by: mk@neon1.net
    Reviewed by: Darren Reed <darrenr@reed.wattle.id.au>
* MFC r287674, r287675. Fix ipfilter bug 3600459 NAT bucket count wrong. | cy | 2015-09-26 | 1 | -1/+2
    Obtained from: ipfilter cvs repo r1.48.2.25
* MFC r287651, r287652, r287653. | cy | 2015-09-19 | 1 | -6/+10
    Fix mutex errors, fixup typos in comments.
    Obtained from: NetBSD r1.4.
* MFC r275199. | cy | 2014-12-10 | 2 | -2/+2
    Correctly define constants.
* MFC r274744. | cy | 2014-11-28 | 1 | -0/+11
    Set the current vnet inside the ioctl handler for ipfilter. Without this fix, the vnet was NULL and would crash. This fix is similar to what was done inside the ioctl handler for PF.
    Tested by:
    (1) Boot a kernel with "options VIMAGE" enabled
    (2) Type: echo "map lo0 from 10.0.0.0/24 to ! 10.0.0.0/24 -> 127.0.0.1/32" > /etc/ipnat.rules ; service ipnat onerestart
    PR: 176992
    Differential Revision: https://reviews.freebsd.org/D1191
* MFC r272555 | cy | 2014-10-12 | 1 | -2/+4
    ipfilter bug #537 NAT rules with sticky have incorrect hostmap IP address. This fixes when an IP address mapping is put in the hostmap table for sticky NAT rules, it ends up having the wrong byte order.
    Obtained from: ipfilter CVS repo (r1.102), NetBSD CVS repo (r1.12)
* MFC r272554 | cy | 2014-10-12 | 1 | -3/+3
    ipfilter bug #534 destination list hashing not endian neutral
    Obtained from: ipfilter CVS repo (r1.26), NetBSD CVS repo (r1.8)
* MFC r272553 | cy | 2014-10-12 | 1 | -3/+2
    ipfilter bug #538 ipf_p_dns_del should return void
    Obtained from: ipfilter cvs repo (r1.8)
* MFC r272552 | cy | 2014-10-12 | 1 | -11/+34
    ipfilter bug #554 Determining why an ipf rule matches is hard -- replace ipfilter rule compare with new ipf_rule_compare() function.
    Obtained from: ipfilter CVS repo (r1.129)
* MFC r272551 | cy | 2014-10-12 | 1 | -0/+12
    ipfilter bug #550 filter rule list corrupted with inserted rules
    Obtained from: ipfilter CVS repo (r1.128); NetBSD CVS repo (r1.15)
* MFC r272052 | cy | 2014-10-12 | 1 | -5/+33
    ipfilter bug #558 add in some missing frag table function comments.
    Obtained from: ipfilter CVS repo (r1.36)
* MFC r271980 | cy | 2014-10-12 | 1 | -2/+2
    Check for NULL before dereferencing; in particular sel is assigned to NULL, in the default case, and then a couple of lines down we do sel->
    Obtained from: NetBSD CVS repo (r1.5)
* MFC r269585 - Honour WITH and WITHOUT_INET6_SUPPORT. | cy | 2014-08-08 | 1 | -0/+4
    Approved by: glebius (mentor - implicit)
* MFC r268532 and r268585. When world and kernel are built without INET6 | cy | 2014-07-21 | 1 | -4/+0
    support, the userland was still built with INET6 turned on.
    PR: 190964
    Approved by: glebius (mentor, implicit)
* MFC r267634: Fix case where fastroute or "to interface" is used with | cy | 2014-06-25 | 1 | -1/+1
    incorrect FIB.
    PR: 183065
    Submitted by: p-freebsd-bugs@ziemba.us
    Approved by: glebius (mentor)
* MFC r266605. | cy | 2014-06-03 | 1 | -8/+6
    Move mutex creation from ipf_log_soft_init() to ipf_log_soft_create() to be consistent with mutex destruction in ipf_log_soft_destroy(). As a result mutex destruction in ipf_log_soft_fini() is redundant.
    Approved by: glebius (mentor)
* MFC r264235: | cy | 2014-05-29 | 5 | -87/+117
    Implement the final missing sysctls by moving ipf_auth_softc_t from ip_auth.c to ip_auth.h. ip_frag_soft_t moves from ip_frag.c to ip_frag.h. mlfk_ipl.c creates sysctl MIBs that reference control blocks that are dynamically created when IP Filter is loaded. This necessitated creating them on-the-fly rather than statically at compile time.
    Approved by: glebius (mentor)
* Merge r262763, r262767, r262771, r262806 from head: | glebius | 2014-03-21 | 1 | -1/+1
    - Remove rt_metrics_lite and simply put its members into rtentry.
    - Use counter(9) for rt_pksent (former rt_rmx.rmx_pksent). This removes another cache trashing ++ from packet forwarding path.
    - Create zini/fini methods for the rtentry UMA zone. Via initialize mutex and counter in them.
    - Fix reporting of rmx_pksent to routing socket.
    - Fix netstat(1) to report "Use" both in kvm(3) and sysctl(3) mode.
* Initialize a variable in sys/contrib/ipfilter/netinet/ip_tftp_pxy.c, to | dim | 2013-10-10 | 1 | -1/+1
    silence a gcc warning.
    Approved by: re (rodrigc)
    X-MFC-With: r255332
* Initialize a variable in sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c, to | dim | 2013-10-09 | 1 | -1/+1
    silence a gcc warning.
    Approved by: re (gjb)
    X-MFC-With: r255332
* Address double init of ip_log mutex, fixing a panic after ipfilter is | cy | 2013-09-21 | 1 | -1/+1
    re-enabled following it being disabled.
    Approved by: glebius (mentor)
    Approved by: re (blanket)
* Enable main ipfilter sysctl MIBs. | cy | 2013-09-21 | 1 | -28/+26
    Approved by: glebius (mentor)
    Approved by: re (blanket)
* Convert ipfilter from timeout(9) to callout(9). | cy | 2013-09-21 | 2 | -4/+14
    Submitted by: jhb
    Approved by: glebius (mentor)
    Approved by: re (blanket)
* Remove additional non-FreeBSD code. | cy | 2013-09-21 | 1 | -25/+2
    Approved by: glebius (mentor)
    Approved by: re (blanket)
* Fix !INET6 build. | glebius | 2013-09-07 | 1 | -1/+1
* Update ipfilter 4.1.28 --> 5.1.2. | cy | 2013-09-06 | 45 | -12884/+32595
    Approved by: glebius (mentor)
    BSD Licensed by: Darren Reed <darrenr@reed.wattle.id.au> (author)
| * As per the developers handbook (5.3.1 step 1), prepare the vendor trees for | cy | 2013-07-19 | 43 | -40513/+0
    import of new ipfilter vendor sources by flattening them. To keep the tags consistent with dist, the tags are also flattened.
    Approved by: glebius (Mentor)
* | Forcibly defining _KERNEL is a bad idea. Toss some code so that ip_var.h | glebius | 2013-04-08 | 1 | -3/+3
    isn't included with forced _KERNEL define.
* | Fix defines in r241245. We actually don't define FreeBSD. | glebius | 2012-10-14 | 1 | -2/+2
    Reported & tested by: Oleg Ginzburg
* | Revert previous commit... | kevlo | 2012-10-10 | 1 | -1/+1
    Pointyhat to: kevlo (myself)
* | Prefer NULL over 0 for pointers | kevlo | 2012-10-09 | 1 | -1/+1
* | A step in resolving mess with byte ordering for AF_INET. After this change: | glebius | 2012-10-06 | 1 | -2/+2
    - All packets in NETISR_IP queue are in net byte order.
    - ip_input() is entered in net byte order and converts packet to host byte order right _after_ processing pfil(9) hooks.
    - ip_output() is entered in host byte order and converts packet to net byte order right _before_ processing pfil(9) hooks.
    - ip_fragment() accepts and emits packet in net byte order.
    - ip_forward(), ip_mloopback() use host byte order (untouched actually).
    - ip_fastforward() no longer modifies packet at all (except ip_ttl).
    - Swapping of byte order there and back removed from the following modules: pf(4), ipfw(4), enc(4), if_bridge(4).
    - Swapping of byte order added to ipfilter(4), based on __FreeBSD_version
    - __FreeBSD_version bumped.
    - pfil(9) manual page updated.
    Reviewed by: ray, luigi, eri, melifaro
    Tested by: glebius (LE), ray (BE)
* | Fix pseudo checksum calculation. | fjoe | 2012-09-27 | 1 | -1/+3
    This fixes ipfilter w/ network controllers that implement only partial rx csum offloading.
    PR: 106438
    Obtained from: upstream
    MFC after: 1 week
* | Fix typo: s/pakcet/packet | kevlo | 2012-09-20 | 1 | -1/+1
* | Adjust a few old checks to use __FreeBSD_version macro to | rmh | 2011-11-24 | 2 | -3/+3
    determine which version of FreeBSD kernel we're compiling.
    Approved by: kib (mentor)
* | Pass a format string to make_dev(). | rpaulo | 2010-10-13 | 1 | -1/+1
    Found by: clang
* | MFP4: @176978-176982, 176984, 176990-176994, 177441 | bz | 2010-04-29 | 1 | -5/+0
    "Whitspace" churn after the VIMAGE/VNET whirls. Remove the need for some "init" functions within the network stack, like pim6_init(), icmp_init() or significantly shorten others like ip6_init() and nd6_init(), using static initialization again where possible and formerly missed. Move (most) variables back to the place they used to be before the container structs and VIMAGE_GLOABLS (before r185088) and try to reduce the diff to stable/7 and earlier as good as possible, to help out-of-tree consumers to update from 6.x or 7.x to 8 or 9. This also removes some header file pollution for putatively static global variables. Revert VIMAGE specific changes in ipfilter::ip_auth.c, that are no longer needed.
    Reviewed by: jhb
    Discussed with: rwatson
    Sponsored by: The FreeBSD Foundation
    Sponsored by: CK Software GmbH
    MFC after: 6 days
* | We don't need the definition for in_cksum repeated here since we get | imp | 2010-04-14 | 1 | -1/+0
    it from machine/in_cksum.h. This definition prevents us from using hand-tuned assembler versions of in_cksum.
    # this fixes the modules build on arm for ipfilter.
* | Merge the remainder of kern_vimage.c and vimage.h into vnet.c and | rwatson | 2009-08-01 | 2 | -4/+0
    vnet.h, we now use jails (rather than vimages) as the abstraction for virtualization management, and what remained was specific to virtual network stacks. Minor cleanups are done in the process, and comments updated to reflect these changes.
    Reviewed by: bz
    Approved by: re (vimage blanket)
* | Build on Jeff Roberson's linker-set based dynamic per-CPU allocator | rwatson | 2009-07-14 | 1 | -6/+1
    (DPCPU), as suggested by Peter Wemm, and implement a new per-virtual network stack memory allocator. Modify vnet to use the allocator instead of monolithic global container structures (vinet, ...). This change solves many binary compatibility problems associated with VIMAGE, and restores ELF symbols for virtualized global variables. Each virtualized global variable exists as a "reference copy", and also once per virtual network stack. Virtualized global variables are tagged at compile-time, placing them in a special linker set, which is loaded into a contiguous region of kernel memory. Virtualized global variables in the base kernel are linked as normal, but those in modules are copied and relocated to a reserved portion of the kernel's vnet region with the help of the kernel linker. Virtualized global variables exist in per-vnet memory set up when the network stack instance is created, and are initialized statically from the reference copy. Run-time access occurs via an accessor macro, which converts from the current vnet and requested symbol to a per-vnet address. When "options VIMAGE" is not compiled into the kernel, normal global ELF symbols will be used instead and indirection is avoided. This change restores static initialization for network stack global variables, restores support for non-global symbols and types, eliminates the need for many subsystem constructors, eliminates large per-subsystem structures that caused many binary compatibility issues both for monitoring applications (netstat) and kernel modules, removes the per-function INIT_VNET_*() macros throughout the stack, eliminates the need for vnet_symmap ksym(2) munging, and eliminates duplicate definitions of virtualized globals under VIMAGE_GLOBALS. Bump __FreeBSD_version and update UPDATING.
    Portions submitted by: bz
    Reviewed by: bz, zec
    Discussed with: gnn, jamie, jeff, jhb, julian, sam
    Suggested by: peter
    Approved by: re (kensmith)
* | Add hierarchical jails. A jail may further virtualize its environment | jamie | 2009-05-27 | 2 | -0/+10
    by creating a child jail, which is visible to that jail and to any parent jails. Child jails may be restricted more than their parents, but never less. Jail names reflect this hierarchy, being MIB-style dot-separated strings. Every thread now points to a jail, the default being prison0, which contains information about the physical system. Prison0's root directory is the same as rootvnode; its hostname is the same as the global hostname, and its securelevel replaces the global securelevel. Note that the variable "securelevel" has actually gone away, which should not cause any problems for code that properly uses securelevel_gt() and securelevel_ge(). Some jail-related permissions that were kept in global variables and set via sysctls are now per-jail settings. The sysctls still exist for backward compatibility, used only by the now-deprecated jail(2) system call.
    Approved by: bz (mentor)
* | In preparation for turning on options VIMAGE in next commits, | zec | 2009-04-26 | 1 | -0/+3
    rearrange / replace / adjust several INIT_VNET_* initializer macros, all of which currently resolve to whitespace.
    Reviewed by: bz (an older version of the patch)
    Approved by: julian (mentor)
* | Change if_output to take a struct route as its fourth argument in order | kmacy | 2009-04-16 | 1 | -2/+2
    to allow passing a cached struct llentry * down to L2
    Reviewed by: rwatson
* | Move the include of vinet.h further up before the ipfilter includes. | bz | 2009-02-27 | 1 | -3/+3
* | Check for ipprotosw.h more precisely. | bz | 2008-12-23 | 1 | -1/+3
    It hasn't been needed for more than 5 years, since r120386.
    MFC after: 4 weeks
* | Rather than using hidden includes (with circular dependencies), | bz | 2008-12-02 | 2 | -2/+3
    directly include only the header files needed. This reduces the unneeded spamming of various headers into lots of files. For now, this leaves us with very few modules including vnet.h and thus needing to depend on opt_route.h.
    Reviewed by: brooks, gnn, des, zec, imp
    Sponsored by: The FreeBSD Foundation
* | Unhide declarations of network stack virtualization structs from | zec | 2008-11-28 | 2 | -1/+3
    underneath #ifdef VIMAGE blocks. This change introduces some churn in #include ordering and nesting throughout the network stack and drivers but is not expected to cause any additional issues. In the next step this will allow us to instantiate the virtualization container structures and switch from using global variables to their "containerized" counterparts.
    Reviewed by: bz, julian
    Approved by: julian (mentor)
    Obtained from: //depot/projects/vimage-commit2/...
    X-MFC after: never
    Sponsored by: NLnet Foundation, The FreeBSD Foundation