path: root/sys/netinet/in.h
Commit message, followed by [author, date, files changed, lines removed/added]
* o Move per-process jail pointer (p->pr_prison) to inside of the subject
    credential structure, ucred (cr->cr_prison).
  o Allow jail inheritance to be a function of credential inheritance.
  o Abstract prison structure reference counting behind pr_hold() and pr_free(), invoked by the similarly named credential reference management functions, removing this code from per-ABI fork/exit code.
  o Modify various jail() functions to use struct ucred arguments instead of struct proc arguments.
  o Introduce jailed() function to determine if a credential is jailed, rather than directly checking pointers all over the place.
  o Convert PRISON_CHECK() macro to prison_check() function.
  o Move jail() function prototypes to jail.h.
  o Emulate the P_JAILED flag in fill_kinfo_proc() and no longer set the flag in the process flags field itself.
  o Eliminate that "const" qualifier from suser/p_can/etc to reflect mutex use.
  Notes:
  o Some further cleanup of the linux/jail code is still required.
  o It's now possible to consider resolving some of the process vs credential based permission checking confusion in the socket code.
  o Mutex protection of struct prison is still not present, and is required to protect the reference count plus some fields in the structure.
  Reviewed by: freebsd-arch
  Obtained from: TrustedBSD Project
  [rwatson, 2001-02-21, 1 file, -3/+0]
* Add definitions for IPPROTO numbers 55-57.
  [asmodai, 2001-02-14, 1 file, -1/+3]
* Prototype inet_ntoa_r and thereby silence a warning from GCC. The function
  is prototyped immediately under inet_ntoa, which is also from libkern.
  [bmilekic, 2001-01-12, 1 file, -0/+1]
* sync with kame tree as of july00. tons of bug fixes/improvements.
  API changes:
  - additional IPv6 ioctls
  - IPsec PF_KEY API was changed, it is mandatory to upgrade setkey(8). (also syntax change)
  [itojun, 2000-07-04, 1 file, -1/+30]
* Add #include <machine/in_cksum.h>, in order to pick up the checksum
  inline functions and prototypes.
  [jlemon, 2000-05-06, 1 file, -1/+0]
* Forbid include of some inet6 header files from wrong place
  KAME put INET6 related stuff into sys/netinet6 dir, but IPv6 standard API (RFC2553) requires the following files to be under sys/netinet.
    netinet/ip6.h
    netinet/icmp6.h
  Now those header files just include each of the following files.
    netinet6/ip6.h
    netinet6/icmp6.h
  Also KAME has netinet6/in6.h for easy INET6 common defs sharing between different BSDs, but RFC2553 requires only netinet/in.h should be included from userland. So netinet/in.h also includes netinet6/in6.h inside. To keep apps portability, apps should not directly include above files from netinet6 dir.
  Ideally, all contents of
    netinet6/ip6.h
    netinet6/icmp6.h
    netinet6/in6.h
  should be moved into
    netinet/ip6.h
    netinet/icmp6.h
    netinet/in.h
  but to avoid big changes in this stage, add some hack, that
  - Put some special macro define into those files under netinet
  - Let files under netinet6 cause error if it is included from some apps, and, if the special macro define is not defined. (which should have been defined if files under netinet is included)
  - And let them print an error message which tells the correct name of the include file to be included.
  Also fix apps which include invalid header files.
  Approved by: jkh
  Obtained from: KAME project
  [shin, 2000-02-10, 1 file, -0/+2]
* Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL"
  is an application space macro and the applications are supposed to be free to use it as they please (but cannot). This is consistent with the other BSDs who made this change quite some time ago. More commits to come.
  [peter, 1999-12-29, 1 file, -3/+3]
* IPSEC support in the kernel.
  pr_input() routines prototype is also changed to support IPSEC and IPV6 chained protocol headers.
  Reviewed by: freebsd-arch, cvs-committers
  Obtained from: KAME project
  [shin, 1999-12-22, 1 file, -1/+1]
* KAME related header files additions and merges.
  (only those which don't affect c source files so much)
  Reviewed by: cvs-committers
  Obtained from: KAME project
  [shin, 1999-11-05, 1 file, -18/+36]
* $Id$ -> $FreeBSD$
  [peter, 1999-08-28, 1 file, -1/+1]
* Make ipfw's logging more dynamic. Now, log will use the default limit
  _or_ you may specify "log logamount number" to set logging specifically for the rule. In addition, "ipfw resetlog" has been added, which will reset the logging counters on any/all rule(s). ipfw resetlog does not affect the packet/byte counters (as ipfw reset does), and is the only "set" command that can be run at securelevel >= 3.
  This should address complaints about not being able to set logging amounts, not being able to restart logging at a high securelevel, and not being able to just reset logging without resetting all of the counters in a rule.
  [green, 1999-08-01, 1 file, -1/+2]
* Pre-declare struct proc to avoid 'inside param list' warnings.
  [peter, 1999-05-08, 1 file, -1/+2]
* Free the dummynet descriptor in ip_dummynet, not in the called
  routines. The descriptor contains parameters which could be used within those routines (eg. ip_output() ).
  On passing, add IPPROTO_PGM entry to netinet/in.h
  [luigi, 1999-05-04, 1 file, -2/+3]
* This Implements the mumbled about "Jail" feature.
  This is a seriously beefed up chroot kind of thing. The process is jailed along the same lines as a chroot does it, but with additional tough restrictions imposed on what the superuser can do.
  For all I know, it is safe to hand over the root bit inside a prison to the customer living in that prison, this is what it was developed for in fact: "real virtual servers".
  Each prison has an ip number associated with it, which all IP communications will be coerced to use and each prison has its own hostname.
  Needless to say, you need more RAM this way, but the advantage is that each customer can run their own particular version of apache and not stomp on the toes of their neighbors.
  It generally does what one would expect, but setting up a jail still takes a little knowledge.
  A few notes:
  I have no scripts for setting up a jail, don't ask me for them.
  The IP number should be an alias on one of the interfaces.
  mount a /proc in each jail, it will make ps more usable.
  /proc/<pid>/status tells the hostname of the prison for jailed processes.
  Quotas are only sensible if you have a mountpoint per prison.
  There are no provisions for stopping resource-hogging.
  Some "#ifdef INET" and similar may be missing (send patches!)
  If somebody wants to take it from here and develop it into more of a "virtual machine" they should be most welcome!
  Tools, comments, patches & documentation most welcome.
  Have fun...
  Sponsored by: http://www.rndassociates.com/
  Run for almost a year by: http://www.servetheweb.com/
  [phk, 1999-04-28, 1 file, -1/+4]
* Tidy up some stray / unused stuff in the IPFW package and friends.
  - unifdef -DCOMPAT_IPFW (this was on by default already)
  - remove traces of in-kernel ip_nat package, it was never committed.
  - Make IPFW and DUMMYNET initialize themselves rather than depend on compiled-in hooks in ip_init(). This means they initialize the same way both in-kernel and as kld modules. (IPFW initializes now :-)
  [peter, 1999-04-20, 1 file, -2/+1]
* Last bits (i think) of dummynet for -current.
  [luigi, 1998-12-14, 1 file, -1/+6]
* Yow! Completely change the way socket options are handled, eliminating
  another specialized mbuf type in the process. Also clean up some of the cruft surrounding IPFW, multicast routing, RSVP, and other ill-explored corners.
  [wollman, 1998-08-23, 1 file, -16/+1]
* Support for IPFW based transparent forwarding.
  Any packet that can be matched by an ipfw rule can be redirected transparently to another port or machine. Redirection to another port mostly makes sense with tcp, where a session can be set up between a proxy and an unsuspecting client. Redirection to another machine requires that the other machine also be expecting to receive the forwarded packets, as their headers will not have been modified.
  /sbin/ipfw must be recompiled!!!
  Reviewed by: Peter Wemm <peter@freebsd.org>
  Submitted by: Chrisy Luke <chrisy@flix.net>
  [julian, 1998-07-06, 1 file, -2/+2]
* Fix wrong data type for a pointer.
  [julian, 1998-06-06, 1 file, -2/+2]
* clean up the changes made to ipfw over the last weeks
  (should make the ipfw lkm work again)
  [julian, 1998-06-06, 1 file, -2/+2]
* Added fast IP forwarding code by Matt Thomas <matt@3am-software.com> via
  NetBSD, ported to FreeBSD by Pierre Beyssac <pb@fasterix.freenix.org> and minorly tweaked by me. This is a standard part of FreeBSD, but must be enabled with:
    "sysctl -w net.inet.ip.fastforwarding=1"
  ...and of course forwarding must also be enabled.
  This should probably be modified to use the zone allocator for speed and space efficiency. The current algorithm also appears to lose if the number of active paths exceeds IPFLOW_MAX (256), in which case it wastes lots of time trying to figure out which cache entry to drop.
  [dg, 1998-05-19, 1 file, -2/+4]
* Treat all internet addresses as u_int32_t.
  [jb, 1998-05-10, 1 file, -15/+15]
* According to:
    ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers
  port numbers are divided into three ranges:
    0 - 1023      Well Known Ports
    1024 - 49151  Registered Ports
    49152 - 65535 Dynamic and/or Private Ports
  This patch changes the "local port range" from 40000-44999 to the range shown above (plus fix the comment in in_pcb.c).
  WARNING: This may have an impact on firewall configurations!
  PR: 5402
  Reviewed by: phk
  Submitted by: Stephen J. Roznowski <sjr@home.net>
  [phk, 1998-04-19, 1 file, -3/+14]
* OOPs typo TCF, not TCP....
  [julian, 1998-02-25, 1 file, -2/+2]
* Bring our in.h up to date with respect to allocated
  IP protocol numbers. It is possible that the names may require tuning, but the numbers represent what is in rfc1700 which is the present active RFC.
  [julian, 1998-02-25, 1 file, -3/+86]
* Add new sysctl variable: net.inet.ip.accept_sourceroute
  It controls if the system is to accept source routed packets. It used to be such that, no matter the setting of net.inet.ip.sourceroute, source routed packets destined at us would be accepted. Now it is controllable with the default set to NOT accept those.
  [guido, 1998-02-16, 1 file, -2/+4]
* Export ipstat via sysctl. Don't understand why this wasn't done before.
  [wollman, 1997-09-25, 1 file, -2/+4]
* Back out part 1 of the MCFH that changed $Id$ to $FreeBSD$. We are not
  ready for it yet.
  [peter, 1997-02-22, 1 file, -1/+1]
* Make the long-awaited change from $Id$ to $FreeBSD$
  This will make a number of things easier in the future, as well as (finally!) avoiding the Id-smashing problem which has plagued developers for so long.
  Boy, I'm glad we're not using sup anymore. This update would have been insane otherwise.
  [jkh, 1997-01-14, 1 file, -1/+1]
* Add INADDR_LOOPBACK, moved from <rpc/rpc.h>
  [peter, 1996-12-30, 1 file, -1/+2]
* Add the IP_RECVIF socket option, which supplies a packet's incoming interface
  using a sockaddr_dl. Fix the other packet-information socket options (SO_TIMESTAMP, IP_RECVDSTADDR) to work for multicast UDP and raw sockets as well. (They previously only worked for unicast UDP).
  [fenner, 1996-11-11, 1 file, -1/+2]
* Changed args to the nat functions.
  [sos, 1996-10-22, 1 file, -2/+2]
* Reword two comments.
  [alex, 1996-10-19, 1 file, -3/+3]
* Add hooks for an IP NAT module, much like the firewall stuff...
  Move the sockopt definitions for the firewall code from ip_fw.h to in.h where it belongs.
  [sos, 1996-08-21, 1 file, -5/+21]
* Add two more portrange sysctls, which control the area of the below
  IPPORT_RESERVED that is used for selection when bind() is told to allocate a reserved port.
  Also, implement simple sanity checking for all the addresses set, to make it a little harder for a user/sysadmin to shoot themselves in the feet.
  [peter, 1996-08-12, 1 file, -2/+10]
* Adding changes to ipfw and the kernel to support ip packet diversion..
  This stuff should not be too destructive if the IPDIVERT is not compiled in.. be aware that this changes the size of the ip_fw struct so ipfw needs to be recompiled to use it.. more changes coming to clean this up.
  [julian, 1996-07-10, 1 file, -1/+2]
* Add feature for tcp "established".
  Change interface between netinet and ip_fw to be more general, and thus hopefully also support other ip filtering implementations.
  [phk, 1996-04-03, 1 file, -3/+9]
* IGMPv2 routines rewritten, to be more compact and to fully comply
  with the IGMPv2 Internet Draft (including Router Alert IP option)
  [fenner, 1996-03-14, 1 file, -1/+2]
* Make the default behavior of local port assignment match traditional
  systems (my last change did not mix well with some firewall configurations). As much as I dislike firewalls, this is one thing I was not prepared to break by default.. :-)
  Allow the user to nominate one of three ranges of port numbers as candidates for selecting a local address to replace a zero port number. The ranges are selected via a setsockopt(s, IPPROTO_IP, IP_PORTRANGE, &arg) call. The three ranges are: default, high (to bypass firewalls) and low (to get a port below 1024). The default and high port ranges are sysctl settable under sysctl net.inet.ip.portrange.*
  This code also fixes a potential deadlock if the system accidentally ran out of local port addresses. It'd drop into an infinite while loop.
  The secure port selection (for root) should reduce overheads and increase reliability of rlogin/rlogind/rsh/rshd if they are modified to take advantage of it.
  Partly suggested by: pst
  Reviewed by: wollman
  [peter, 1996-02-22, 1 file, -14/+48]
* Change the default local address range for IP from 1024 through 5000
  to 20000 through 30000. These numbers are used for local IP port numbers when an explicit address is not specified. The values are sysctl modifiable under:
    net.inet.ip.port_{first|last}_auto
  These numbers do not overlap with any known server addresses, without going above 32768 which are "negative" on some other implementations.
  20000 through 30000 is 2.5 times larger than the old range, but some have suggested even that may not be enough... (gasp!) Setting a low address of 10000 should be plenty.. :-)
  [peter, 1996-01-19, 1 file, -1/+15]
* New style sysctl & staticize a lot of stuff.
  [phk, 1995-11-14, 1 file, -3/+1]
* Instrument the IP input queue with two new read-only MIB entries:
    net.inet.ip.intr-queue-maxlen (=== ipintrq.ifq_maxlen) and
    net.inet.ip.intr-queue-drops (=== ipintrq.ifq_drops)
  There should probably be a standard way of getting the same information going the other way.
  [wollman, 1995-11-01, 1 file, -2/+6]
* Change the compile-time option of DIRECTED_BROADCAST into a sysctl
  variable underneath ip, "directed-broadcast".
  Reviewed by: David Greenman
  Obtained from: NetBSD, by Darren Reed.
  [peter, 1995-07-18, 1 file, -2/+4]
* Kernel side of 3.5 multicast routing code, based on work by Bill Fenner
  and other work done here. The LKM support is probably broken, but it still compiles and will be fixed later.
  [wollman, 1995-06-13, 1 file, -3/+5]
* Reject source routes unless configured on by administrator.
  [wollman, 1995-03-16, 1 file, -1/+3]
* Add inet_ntoa() and replace ARP's private routine with same.
  [wollman, 1995-03-16, 1 file, -1/+4]
* Attempt to make the host route cache a bit smarter under conditions of
  high load:
  1) If there ever get to be more than net.inet.ip.rtmaxcache entries in the cache, in_rtqtimo() will reduce net.inet.ip.rtexpire by 1/3 and do another round, unless net.inet.ip.rtexpire is less than net.inet.ip.rtminexpire, and never more than once in ten minutes (rtq_timeout).
  2) If net.inet.ip.rtexpire is set to zero, don't bother to cache anything.
  [wollman, 1995-02-14, 1 file, -2/+6]
* Correct sysctl info so that net.inet.ip.rtexpire is actually accessible.
  [wollman, 1994-12-21, 1 file, -2/+2]
* Make rtq_reallyold user-configurable via sysctl.
  [wollman, 1994-12-14, 1 file, -1/+4]
* Initial get-the-easy-case-working upgrade of the multicast code
  to something more recent than the ancient 1.2 release contained in 4.4. This code has the following advantages as compared to previous versions (culled from the README file for the SunOS release):
  - True multicast delivery
  - Configurable rate-limiting of forwarded multicast traffic on each physical interface or tunnel, using a token-bucket limiter.
  - Simplistic classification of packets for prioritized dropping.
  - Administrative scoping of multicast address ranges.
  - Faster detection of hosts leaving groups.
  - Support for multicast traceroute (code not yet available).
  - Support for RSVP, the Resource Reservation Protocol.
  What still needs to be done:
  - The multicast forwarder needs testing.
  - The multicast routing daemon needs to be ported.
  - Network interface drivers need to have the `#ifdef MULTICAST' goop ripped out of them.
  - The IGMP code should probably be bogon-tested.
  Some notes about the porting process:
  In some cases, the Berkeley people decided to incorporate functionality from later releases of the multicast code, but then had to do things differently. As a result, if you look at Deering's patches, and then look at our code, it is not always obvious whether the patch even applies. Let the reader beware.
  I ran ip_mroute.c through several passes of `unifdef' to get rid of useless grot, and to permanently enable the RSVP support, which we will include as standard.
  Ported by: Garrett Wollman
  Submitted by: Steve Deering and Ajit Thyagarajan (among others)
  [wollman, 1994-09-06, 1 file, -1/+6]