path: root/sys/netinet/ip_fw.c
Commit message  [Author, Age, Files, Lines]
* Add sysctl descriptions to many SYSCTL_XXXs  [billf, 1999-05-03, 1 file, -5/+10]
  PR: kern/11197
  Submitted by: Adrian Chadd <adrian@FreeBSD.org>
  Reviewed by: billf (spelling/style/minor nits)
  Looked at by: bde (style)
* Make one pass through the firewall the default.  [luigi, 1999-04-26, 1 file, -2/+2]
  Multiple pass (which only affects dummynet) is too confusing.
* Use pointer arithmetic as appropriate.  [dt, 1999-04-24, 1 file, -2/+2]
* s/IPFIREWALL_MODULE/KLD_MODULE/  [peter, 1999-04-20, 1 file, -2/+2]
* Tidy up some stray / unused stuff in the IPFW package and friends.  [peter, 1999-04-20, 1 file, -4/+1]
  - unifdef -DCOMPAT_IPFW (this was on by default already)
  - remove traces of in-kernel ip_nat package, it was never committed.
  - Make IPFW and DUMMYNET initialize themselves rather than depend on compiled-in hooks in ip_init(). This means they initialize the same way both in-kernel and as kld modules. (IPFW initializes now :-)
* Oops, forgot this part of lkm code that's been replaced with kld.  [peter, 1999-04-17, 1 file, -50/+3]
* Merge from RELENG_2_2, per luigi. Fixes the ntoh?() issue for the firewall code when called from the bridge code.  [nsayer, 1999-03-30, 1 file, -18/+22]
  PR: 10818
  Submitted by: nsayer
  Obtained from: luigi
* Change sysctl from using linker_set to construct its tree using SLISTs.  [dfr, 1999-02-16, 1 file, -1/+2]
  This makes it possible to change the sysctl tree at runtime.
  * Change KLD to find and register any sysctl nodes contained in the loaded file and to unregister them when the file is unloaded.
  Reviewed by: Archie Cobbs <archie@whistle.com>, Peter Wemm <peter@netplex.com.au> (well they looked at it anyway)
* Partial fix for when ipfw is used with bridging. Bridged packets have all fields in network order, whereas ipfw expects some to be in host order.  [luigi, 1998-12-31, 1 file, -24/+22]
  This resulted in some incorrect matching, e.g. some packets being identified as fragments, or bandwidth not being correctly enforced.
  NOTE: this only affects bridge+ipfw (normal ipfw usage was already correct).
  Reported-By: Dave Alden and others.
* 'ip_fw_head' and 'M_IPFW' are also used in ip_dummynet so cannot be static...  [luigi, 1998-12-22, 1 file, -3/+3]
  Reported by: Dave Alden
* Recover from previous dummynet screwup  [luigi, 1998-12-21, 1 file, -10/+52]
* Last bits (I think) of dummynet for -current.  [luigi, 1998-12-14, 1 file, -72/+198]
* Staticize some more.  [eivind, 1998-11-26, 1 file, -2/+2]
* Finished updating module event handlers to be compatible with modeventhand_t.  [bde, 1998-11-15, 1 file, -2/+2]
* *gulp*. Jordan specifically OK'ed this..  [peter, 1998-10-16, 1 file, -8/+50]
  This is the bulk of the support for doing kld modules. Two linker_sets were replaced by SYSINIT()'s. VFS's and exec handlers are self registered. kld is now a superset of lkm. I have converted most of them, they will follow as a separate commit as samples. This all still works as a static a.out kernel using LKM's.
* Yow! Completely change the way socket options are handled, eliminating another specialized mbuf type in the process.  [wollman, 1998-08-23, 1 file, -154/+114]
  Also clean up some of the cruft surrounding IPFW, multicast routing, RSVP, and other ill-explored corners.
* Fixed printf format errors (ntohl() returns in_addr_t = u_int32_t != long on some 64-bit systems).  [bde, 1998-08-11, 1 file, -5/+6]
  print_ip() should use inet_ntoa() instead of bloated inline code with 4 ntohl()s.
* Use explicitly sized types when digging through packet headers.  [dfr, 1998-08-03, 1 file, -9/+9]
  Reviewed by: Julian Elischer <julian@whistle.com>
* Don't log ICMP type and subtype for non-zero offset packet fragments.  [alex, 1998-07-18, 1 file, -2/+5]
* Support for IPFW based transparent forwarding.  [julian, 1998-07-06, 1 file, -5/+40]
  Any packet that can be matched by a ipfw rule can be redirected transparently to another port or machine. Redirection to another port mostly makes sense with tcp, where a session can be set up between a proxy and an unsuspecting client. Redirection to another machine requires that the other machine also be expecting to receive the forwarded packets, as their headers will not have been modified.
  /sbin/ipfw must be recompiled!!!
  Reviewed by: Peter Wemm <peter@freebsd.org>
  Submitted by: Chrisy Luke <chrisy@flix.net>
* Remove the option to keep IPFW diversion backwards compatible WRT diversion reinjection.  [julian, 1998-07-02, 1 file, -31/+1]
  No-one has been bitten by the new behaviour that I know of.
* Removed unused includes.  [bde, 1998-06-21, 1 file, -2/+1]
* Remove 3 occurrences of __FUNCTION__  [julian, 1998-06-12, 1 file, -2/+2]
* Fix wrong data type for a pointer.  [julian, 1998-06-06, 1 file, -5/+5]
* clean up the changes made to ipfw over the last weeks  [julian, 1998-06-06, 1 file, -22/+22]
  (should make the ipfw lkm work again)
* Reviewed by: Kirk Mckusick (mckusick@mckusick.com)  [julian, 1998-06-05, 1 file, -1/+6]
  Submitted by: luoqi Chen
  fix a typo in fsck. (also add a comment that got picked up by mistake but is worth adding)
* Reverse the default sense of the IPFW/DIVERT reinjection code so that the new behaviour is now default.  [julian, 1998-06-05, 1 file, -13/+13]
  Solves the "infinite loop in diversion" problem when more than one diversion is active. Man page changes follow. The new code is in -stable as the NON default option.
* Add optional code to change the way that divert and ipfw work together.  [julian, 1998-05-25, 1 file, -1/+36]
  Prior to this change, accidental recursion protection was done by the diverted daemon feeding back the divert port number it got the packet on, as the port number on a sendto(). IPFW knew not to redivert a packet to this port (again). Processing of the ruleset started at the beginning again, skipping that divert port.
  The new semantic (which is how we should have done it the first time) is that the port number in the sendto() is the rule number AFTER which processing should restart, and on a recvfrom(), the port number is the rule number which caused the diversion. This is much more flexible, and also more intuitive. If the user uses the same sockaddr received when resending, processing resumes at the rule number following that that caused the diversion. The user can however select to resume rule processing at any rule. (0 is restart at the beginning)
  To enable the new code use option IPFW_DIVERT_RESTART
  This should become the default as soon as people have looked at it a bit
* Added fast IP forwarding code by Matt Thomas <matt@3am-software.com> via NetBSD, ported to FreeBSD by Pierre Beyssac <pb@fasterix.freenix.org> and minorly tweaked by me.  [dg, 1998-05-19, 1 file, -1/+2]
  This is a standard part of FreeBSD, but must be enabled with: "sysctl -w net.inet.ip.fastforwarding=1" ...and of course forwarding must also be enabled.
  This should probably be modified to use the zone allocator for speed and space efficiency. The current algorithm also appears to lose if the number of active paths exceeds IPFLOW_MAX (256), in which case it wastes lots of time trying to figure out which cache entry to drop.
* Remove the artificial limit on the size of the ipfw filter structure.  [julian, 1998-04-21, 1 file, -13/+40]
  This allows the addition of extra fields if we need them (I have plans).
* Support compiling with `gcc -ansi'.  [bde, 1998-04-15, 1 file, -4/+8]
* Eradicate the variable "time" from the kernel, using various measures.  [phk, 1998-03-30, 1 file, -2/+2]
  "time" wasn't an atomic variable, so splfoo() protection was needed around any access to it, unless you just wanted the seconds part.
  Most uses of time.tv_sec now use the new variable time_second instead.
  gettime() changed to getmicrotime().
  Remove a couple of unneeded splfoo() protections, the new getmicrotime() is atomic, (until Bruce sets a breakpoint in it).
  A couple of places needed random data, so use read_random() instead of mucking about with time which isn't random.
  Add a new nfs_curusec() function.
  Mark a couple of bogosities involving the now disappeared time variable.
  Update ffs_update() to avoid the weird "== &time" checks, by fixing the one remaining call that passed &time as args.
  Change profiling in ncr.c to use ticks instead of time. Resolution is the same.
  Add new function "tvtohz()" to avoid the bogus "splfoo(), add time, call hzto() which subtracts time" sequences.
  Reviewed by: bde
* Allow ICMP unreachable messages to be sent in response to ICMP query packets (as per Stevens volume 1 section 6.2).  [alex, 1998-03-15, 1 file, -4/+21]
* Alter ipfw's behavior with respect to fragmented packets when the packet offset is non-zero:  [alex, 1998-02-12, 1 file, -3/+35]
  - Do not match fragmented packets if the rule specifies a port or TCP flags
  - Match fragmented packets if the rule does not specify a port and TCP flags
  Since ipfw cannot examine port numbers or TCP flags for such packets, it is now illegal to specify the 'frag' option with either ports or tcpflags. Both kernel and ipfw userland utility will reject rules containing a combination of these options.
  BEWARE: packets that were previously passed may now be rejected, and vice versa.
  Reviewed by: Archie Cobbs <archie@whistle.com>
* Staticize.  [eivind, 1998-02-09, 1 file, -2/+2]
* Back out DIAGNOSTIC changes.  [eivind, 1998-02-06, 1 file, -2/+1]
* Don't attempt to display information which we don't have: specifically, TCP and UDP port numbers in fragmented packets when IP offset != 0.  [alex, 1998-02-06, 1 file, -5/+13]
  2.2.6 candidate.
  Discovered by: Marc Slemko <marcs@znep.com>
  Submitted by: Archie Cobbs <archie@whistle.com> w/fix from me
* Turn DIAGNOSTIC into a new-style option.  [eivind, 1998-02-04, 1 file, -1/+2]
* Make INET a proper option.  [eivind, 1998-01-08, 1 file, -1/+5]
  This will not make any of the object files that LINT creates change; there might be differences with INET disabled, but hardly anything compiled before without INET anyway. Now the 'obvious' things will give a proper error if compiled without inet - ipx_ip, ipfw, tcp_debug. The only thing that _should_ work (but can't be made to compile reasonably easily) is sppp :-(
  This commit moves struct arpcom from <netinet/if_ether.h> to <net/if_arp.h>.
* Bump up packet and byte counters to 64-bit unsigned ints. As a consequence, ipfw's list command now adjusts its output at runtime based on the largest packet/byte counter values.  [alex, 1998-01-08, 1 file, -6/+6]
  NOTE:
  o The ipfw struct has changed requiring a recompile of both kernel and userland ipfw utility.
  o This probably should not be brought into 2.2.
  PR: 3738
* Use LIST_FIRST/LIST_NEXT macros instead of accessing the fields lh_first and le_next.  [alex, 1998-01-05, 1 file, -22/+22]
* Added missing parens from previous commit.  [alex, 1998-01-05, 1 file, -3/+3]
* Bound the ICMP type bitmap now that it doesn't cover all possible ICMP type values.  [alex, 1998-01-05, 1 file, -2/+3]
* Reduce the amount of time that network interrupts are blocked while zeroing & deleting rules.  [alex, 1998-01-04, 1 file, -17/+42]
  Return EINVAL when zeroing a nonexistent entry.
* Bring back part of rev 1.44 which was commented out by rev 1.58.  [alex, 1997-12-27, 1 file, -7/+8]
  Reviewed by: nate
* Fix an incredibly horrible bug in the ipfw code where if you are using the "reset tcp" firewall command, the kernel would write ethernet headers onto random kernel stack locations.  [julian, 1997-12-19, 1 file, -9/+10]
  Fought to the death by: terry, julian, archie.
  fix valid for 2.2 series as well.
* Make IPDIVERT a supported option. Alas, in_var.h depends on it, I hope I've found out all files that actually depend on this dependency.  [joerg, 1997-11-05, 1 file, -1/+2]
  IMHO, it's not very good practice to change the size of internal structs depending on kernel options.
* Last major round (unless Bruce thinks of something :-) of malloc changes.  [phk, 1997-10-12, 1 file, -1/+3]
  Distribute all but the most fundamental malloc types. This time I also remembered the trick to making things static: Put "static" in front of them.
  A couple of finer points by: bde
* Allow a compile-time override of the ipfw deny rule.  [peter, 1997-09-10, 1 file, -8/+16]
  For a 'firewall' you don't want this (and the documentation explains why), but if you use ipfw as a casual filter as needed, which normally runs as 'allow all', then having the kernel and /sbin/ipfw get out of sync is a *MAJOR* pain in the behind.
  PR: 4141
  Submitted by: Heikki Suonsivu <hsu@mail.clinet.fi>
* Fixed logging of verbose limited packets.  [alex, 1997-08-23, 1 file, -4/+5]
  PR: 4351
  Submitted by: Ron Bickers <rbickers@intercenter.net>