path: root/sys/contrib/ipfilter
Commit log (each entry: author, date, files changed, lines removed/added, then the commit message).

* delphij, 2017-04-27 (1 file, -1/+1)
  Fix ipfilter(4) fragment handling panic.
  Security: FreeBSD-SA-17:04.ipfilter
  Approved by: so

* bz, 2016-07-06 (1 file, -2/+3)
  Only set the ipfilter running state to 'not running' if we are doing the teardown. ipf_destroy_all() may free ipfmain in case of ipf_dynamic_softc being true, thus we are avoiding a possible memory modified after free as well.
  Reported by: Coverity
  Coverity CID: 1357320
  Approved by: re (hrs)
  MFC after: 10 days

* bz, 2016-06-30 (5 files, -159/+345)
  Virtualise ipfilter.
  Split initialization and teardown into module (global state) and VNET (per virtual network stack) parts. Virtualise global state, which is not "const".
  Cleanup eventhandlers, so that we can make use of the passed in argument to get the vnet state from the ifp; disable the "cloner" event as it is too early, has no state, and can fire before initialisation (see comment in the source).
  Handle the dynamic sysctls specially. The problem is that "ipmain" is the virtualized struct, but the fields used for the sysctls are hanging off memory allocated and attached to the virtualized "ipmain" thus standard VNET macros and sysctl handling do not work. We still say it is VNET sysctls to get the proper protection checks in the VIMAGE case; to solve the problem of accessing the right bit of memory hanging of each per-VNET ipmain, we use a dedicated handler function wrapping around sysctl_ipf_int() undoing the base calculation from kern_sysctl.c and then adding the passed-in offset into the right struct depending on handler. A bit of a mess exposing VNET-internals this way but the only way to keep the code without having to massively restructure ipf internals.
  Approved by: re (hrs)
  Sponsored by: The FreeBSD Foundation
  Obtained from: projects/vnet
  MFC after: 2 weeks
  Reviewed by: cy
  Differential Revision: https://reviews.freebsd.org/D7000

* bz, 2016-06-30 (3 files, -23/+0)
  Remove unused global variables as well as unused memory allocations from ipfilter in preparation for VNET support.
  Suggested by: cy (see D7000)
  Sponsored by: The FreeBSD Foundation
  MFC after: 2 weeks
  Approved by: re (gjb)

* bz, 2016-06-21 (1 file, -1/+1)
  Get closer to a VIMAGE network stack teardown from top to bottom rather than removing the network interfaces first. This change is rather larger and convoluted as the ordering requirements cannot be separated.
  Move the pfil(9) framework to SI_SUB_PROTO_PFIL, move Firewalls and related modules to their own SI_SUB_PROTO_FIREWALL. Move initialization of "physical" interfaces to SI_SUB_DRIVERS, move virtual (cloned) interfaces to SI_SUB_PSEUDO. Move Multicast to SI_SUB_PROTO_MC. Re-work parts of multicast initialisation and teardown, not taking the huge amount of memory into account if used as a module yet.
  For interface teardown we try to do as many of them as we can on SI_SUB_INIT_IF, but for some this makes no sense, e.g., when tunnelling over a higher layer protocol such as IP. In that case the interface has to go along (or before) the higher layer protocol is shutdown. Kernel hhooks need to go last on teardown as they may be used at various higher layers and we cannot remove them before we cleaned up the higher layers.
  For interface teardown there are multiple paths: (a) a cloned interface is destroyed (inside a VIMAGE or in the base system), (b) any interface is moved from a virtual network stack to a different network stack ("vmove"), or (c) a virtual network stack is being shut down. All code paths go through if_detach_internal() where we, depending on the vmove flag or the vnet state, make a decision on how much to shut down; in case we are destroying a VNET the individual protocol layers will cleanup their own parts thus we cannot do so again for each interface as we end up with, e.g., double-frees, destroying locks twice or acquiring already destroyed locks. When calling into protocol cleanups we equally have to tell them whether they need to detach upper layer protocols ("ulp") or not (e.g., in6_ifdetach()). Provide or enhance helper functions to do proper cleanup at a protocol rather than at an interface level.
  Approved by: re (hrs)
  Obtained from: projects/vnet
  Reviewed by: gnn, jhb
  Sponsored by: The FreeBSD Foundation
  MFC after: 2 weeks
  Differential Revision: https://reviews.freebsd.org/D6747

* cy, 2016-05-20 (1 file, -1/+0)
  Remove extraneous blank line.
  MFC after: 1 month
  X-MFC with: r300259

* cy, 2016-05-20 (2 files, -1/+21)
  Enable the two ip_frag tuneables. The code is there but the two ip_frag tuneables aren't registered in the ipf_tuners linked list. This commit enables the two existing ip_frag tuneables by registering them.
  MFC after: 1 month

* cy, 2016-05-15 (1 file, -3/+6)
  Make subsequent code reachable.
  Reported by: Coverity CID 1354625
  MFC after: 3 days

* cy, 2016-04-15 (1 file, -2/+2)
  Use NULL instead of 0 for pointer comparison.
  MFC after: 4 weeks

* cy, 2016-04-07 (4 files, -11/+62)
  Add DTrace probes for packets flagged as bad by ipfilter. All probes for bad packets are named ipf_fi_bad_*. An example of its use might be: dtrace -n 'sdt:::ipf_fi_bad_* { stack(); }'
  Reviewed by: Darren Reed <darrenr@reed.wattle.id.au>

* cy, 2016-03-02 (1 file, -4/+0)
  Remove redundant NULL pointer comparison.
  Reported by: PVS-Studio (V595) in D5245
  Differential Revision: D5245

* glebius, 2016-02-01 (2 files, -0/+2)
  These files were getting sys/malloc.h and vm/uma.h with header pollution via sys/mbuf.h

* melifaro, 2016-01-10 (1 file, -41/+30)
  Convert ipfilter to the new routing KPI.
  Differential Revision: D4764

* cy, 2015-12-28 (1 file, -1/+1)
  Correct __FreeBSD__ check.
  MFC after: 3 days

* cy, 2015-12-20 (1 file, -2/+2)
  Don't assume checksums will be calculated later when fastforward is enabled (by default in r290383).
  PR: 72210
  MFC after: 1 week

* cy, 2015-10-18 (1 file, -2/+1)
  Really fix ipfilter bug 3600459.
  Obtained from: ipfilter cvs repo r1.48.2.25, r1.72 and NetBSD repo r1.4
  MFC after: 3 days

* cy, 2015-10-06 (1 file, -0/+16)
  On some interfaces, ipfilter drops UDP packets with zero checksum. This commit fixes that.
  PR: 166372
  Submitted by: mk@neon1.net
  Reviewed by: Darren Reed <darrenr@reed.wattle.id.au>
  MFC after: 1 week

* bz, 2015-09-25 (1 file, -2/+2)
  Compare the newly allocated array elements to NULL in order to see if the malloc succeeded.
  Spotted by: reading kernel compile time log
  MFC after: 2 weeks

* cy, 2015-09-11 (1 file, -12/+0)
  Revert ip_fil_freebsd.c -r287674. This should not have gone in yet.

* cy, 2015-09-11 (2 files, -1/+14)
  Fix ipfilter bug 3600459 NAT bucket count wrong.
  Obtained from: ipfilter cvs repo r1.48.2.25
  MFC after: 2 weeks

* cy, 2015-09-11 (1 file, -1/+1)
  Revert $FreeBSD$.

* cy, 2015-09-11 (1 file, -1/+1)
  Fix mutex errors.
  Obtained from: NetBSD r1.4.
  MFC after: 1 week

* cy, 2015-09-11 (1 file, -5/+9)
  Fixup typos in comments.
  Obtained from: NetBSD r1.4.
  MFC after: 1 week

* jkim, 2015-05-22 (1 file, -2/+2)
  CALLOUT_MPSAFE has lost its meaning since r141428, i.e., for more than ten years for head. However, it is continuously misused as the mpsafe argument for callout_init(9). Deprecate the flag and clean up callout_init() calls to make them more consistent.
  Differential Revision: https://reviews.freebsd.org/D2613
  Reviewed by: jhb
  MFC after: 2 weeks

* glebius, 2015-04-07 (1 file, -11/+23)
  In ipfilter(4) there is the ipftest(1) program, that compiles half of the ipfilter code as userland application. To reduce kernel structure knowledge include if_var.h only if a file is compiled with _KERNEL defined. In !_KERNEL case, provide our own definition of struct ifnet, that will satisfy ipftest(1). This was already done earlier to struct ifaddr in r279029. Protect the definition with _NET_IF_VAR_H_, since kernel part of ipfilter may include if_var.h and ip_compat.h.
  Sponsored by: Netflix
  Sponsored by: Nginx, Inc.

* glebius, 2015-04-01 (4 files, -36/+9)
  o Use new function ip_fillid() in all places throughout the kernel, where we want to create a new IP datagram.
  o Add support for RFC6864, which allows to set IP ID for atomic IP datagrams to any value, to improve performance. The behaviour is controlled by net.inet.ip.rfc6864 sysctl knob, which is enabled by default.
  o In case if we generate IP ID, use counter(9) to improve performance.
  o Gather all code related to IP ID into ip_id.c.
  Differential Revision: https://reviews.freebsd.org/D2177
  Reviewed by: adrian, cy, rpaulo
  Tested by: Emeric POUPON <emeric.poupon stormshield.eu>
  Sponsored by: Netflix
  Sponsored by: Nginx, Inc.
  Relnotes: yes

* rwatson, 2015-01-06 (1 file, -4/+2)
  In order to reduce use of M_EXT outside of the mbuf allocator and socket-buffer implementations, introduce a return value for MCLGET() (and m_cljget() that underlies it) to allow the caller to avoid testing M_EXT itself. Update all callers to use the return value.
  With this change, very few network device drivers remain aware of M_EXT; the primary exceptions lie in mbuf-chain pretty printers for debugging, and in a few cases, custom mbuf and cluster allocation implementations.
  NB: This is a difficult-to-test change as it touches many drivers for which I don't have physical devices. Instead we've gone for intensive review, but further post-commit review would definitely be appreciated to spot errors where changes could not easily be made mechanically, but were largely mechanical in nature.
  Differential Revision: https://reviews.freebsd.org/D1440
  Reviewed by: adrian, bz, gnn
  Sponsored by: EMC / Isilon Storage Division

* cy, 2014-11-28 (2 files, -2/+2)
  Correctly define constants.
  MFC after: 1 week

* rodrigc, 2014-11-20 (1 file, -0/+11)
  Set the current vnet inside the ioctl handler for ipfilter. Without this fix, the vnet was NULL and would crash. This fix is similar to what was done inside the ioctl handler for PF.
  Tested by: (1) Boot a kernel with "options VIMAGE" enabled (2) Type: echo "map lo0 from 10.0.0.0/24 to ! 10.0.0.0/24 -> 127.0.0.1/32" > /etc/ipnat.rules ; service ipnat onerestart
  PR: 176992
  Differential Revision: https://reviews.freebsd.org/D1191
  Reviewed by: cy

* cy, 2014-10-05 (1 file, -2/+4)
  ipfilter bug #537 NAT rules with sticky have incorrect hostmap IP address. This fixes when an IP address mapping is put in the hostmap table for sticky NAT rules, it ends up having the wrong byte order.
  Obtained from: ipfilter CVS repo (r1.102), NetBSD CVS repo (r1.12)

* cy, 2014-10-05 (1 file, -3/+3)
  ipfilter bug #534 destination list hashing not endian neutral
  Obtained from: ipfilter CVS repo (r1.26), NetBSD CVS repo (r1.8)

* cy, 2014-10-05 (1 file, -3/+2)
  ipfilter bug #538 ipf_p_dns_del should return void
  Obtained from: ipfilter cvs repo (r1.8)

* cy, 2014-10-05 (1 file, -11/+34)
  ipfilter bug #554 Determining why an ipf rule matches is hard -- replace ipfilter rule compare with new ipf_rule_compare() function.
  Obtained from: ipfilter CVS repo (r1.129)

* cy, 2014-10-05 (1 file, -0/+12)
  ipfilter bug #550 filter rule list corrupted with inserted rules
  Obtained from: ipfilter CVS repo (r1.128); NetBSD CVS repo (r1.15)

* cy, 2014-09-24 (1 file, -5/+33)
  ipfilter bug #558 add in some missing frag table function comments.
  Approved by: glebius (mentor)
  Obtained from: ipfilter CVS repo (r1.36)

* cy, 2014-09-22 (1 file, -2/+2)
  Check for NULL before de-referencing; in particular sel is assigned to NULL, in the default case, and then couple of lines down we do sel->
  Approved by: glebius (mentor)
  Obtained from: NetBSD CVS repo (r1.5)

* cy, 2014-08-05 (1 file, -0/+4)
  Honour WITH and WITHOUT_INET6_SUPPORT.
  Approved by: glebius (mentor)
  MFC after: 3 days

* cy, 2014-07-11 (1 file, -4/+0)
  Remove redundant USE_INET6 test that enables INET6 in the ipfilter userland regardless of the setting in make.conf.
  PR: 190964
  Approved by: glebius (mentor)
  MFC after: 1 week

* cy, 2014-06-19 (1 file, -1/+1)
  Fix case where fastroute or "to interface" is used with incorrect FIB.
  PR: 183065
  Submitted by: p-freebsd-bugs@ziemba.us
  Approved by: glebius
  MFC after: 1 week

* cy, 2014-05-24 (1 file, -8/+6)
  Move mutex creation from ipf_log_soft_init() to ipf_log_soft_create() to be consistent with mutex destruction in ipf_log_soft_destroy(). As a result mutex destruction in ipf_log_soft_fini() is redundant.
  Approved by: glebius (mentor)
  Obtained from: darrenr (author)

* cy, 2014-04-07 (5 files, -87/+117)
  Implement the final missing sysctls by moving ipf_auth_softc_t from ip_auth.c to ip_auth.h. ip_frag_soft_t moves from ip_frag.c to ip_frag.h. mlfk_ipl.c creates sysctl MIBs that reference control blocks that are dynamically created when IP Filter is loaded. This necessitated creating them on-the-fly rather than statically at compile time.
  Approved by: glebius (mentor)

* glebius, 2014-03-05 (1 file, -1/+1)
  - Remove rt_metrics_lite and simply put its members into rtentry.
  - Use counter(9) for rt_pksent (former rt_rmx.rmx_pksent). This removes another cache trashing ++ from packet forwarding path.
  - Create zini/fini methods for the rtentry UMA zone. Via initialize mutex and counter in them.
  - Fix reporting of rmx_pksent to routing socket.
  - Fix netstat(1) to report "Use" both in kvm(3) and sysctl(3) mode.
  The change is mostly targeted for stable/10 merge. For head, rt_pksent is expected to just disappear.
  Discussed with: melifaro
  Sponsored by: Netflix
  Sponsored by: Nginx, Inc.

* glebius, 2014-01-16 (2 files, -11/+11)
  Substitute flags from historical mbuf(9) allocator with modern ones.
  Sponsored by: Nginx, Inc.

* glebius, 2013-10-28 (1 file, -2/+4)
  Fix build. We need to include systm.h before if_var.h.
  Pointy hat to: glebius

* glebius, 2013-10-27 (1 file, -0/+1)
  Include lock.h before mutex.h.

* dim, 2013-10-10 (1 file, -1/+1)
  Initialize a variable in sys/contrib/ipfilter/netinet/ip_tftp_pxy.c, to silence a gcc warning.
  Approved by: re (rodrigc)
  X-MFC-With: r255332

* dim, 2013-10-09 (1 file, -1/+1)
  Initialize a variable in sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c, to silence a gcc warning.
  Approved by: re (gjb)
  X-MFC-With: r255332

* cy, 2013-09-21 (1 file, -1/+1)
  Address double init of ip_log mutex, fixing a panic after ipfilter is re-enabled following it being disabled.
  Approved by: glebius (mentor)
  Approved by: re (blanket)

* cy, 2013-09-21 (1 file, -28/+26)
  Enable main ipfilter sysctl MIBs.
  Approved by: glebius (mentor)
  Approved by: re (blanket)

* cy, 2013-09-21 (2 files, -4/+14)
  Convert ipfilter from timeout(9) to callout(9).
  Submitted by: jhb
  Approved by: glebius (mentor)
  Approved by: re (blanket)