path: root/sys/netinet/ip_fw2.c
Commit log (each entry: commit message, followed by Author / Date / Files / Lines changed)
* Use PFIL_HOOKED macros in if_bridge and pass the right argument to rw_assert. This un-breaks the build.
  Submitted by: Kostik Belousov
  Pointy hat to: csjp
  Author: csjp  Date: 2006-02-02  Files: 1  Lines: -1/+1

* Somewhat re-factor the read/write locking mechanism associated with the packet filtering mechanisms to use the new rwlock(9) locking API:
  - Drop the variables stored in the pfil_head structure which were specific to conditions and the home rolled read/write locking mechanism.
  - Drop some includes which were used for condition variables
  - Drop the inline functions, and convert them to macros. Also, move these macros into pfil.h
  - Move pfil list locking macros into pfil.h as well
  - Rename ph_busy_count to ph_nhooks. This variable will represent the number of IN/OUT hooks registered with the pfil head structure
  - Define PFIL_HOOKED macro which evaluates to true if there are any hooks to be run by pfil_run_hooks
  - In the IP/IP6 stacks, change the ph_busy_count comparison to use the new PFIL_HOOKED macro.
  - Drop optimization in pfil_run_hooks which checks to see if there are any hooks to be run, and returns if not. This check is already performed by the IP stacks when they call: if (!PFIL_HOOKED(ph)) goto skip_hooks;
  - Drop in an assertion which makes sure that the number of hooks never drops below 0 for good measure. This in theory should never happen, and if it does then there are problems somewhere
  - Drop special logic around PFIL_WAITOK because rw_wlock(9) does not sleep
  - Drop variables which support the home rolled read/write locking mechanism from the IPFW firewall chain structure.
  - Swap out the read/write firewall chain lock internals to use the rwlock(9) API instead of our home rolled version
  - Convert the inlined functions to macros
  Reviewed by: mlaier, andre, glebius
  Thanks to: jhb for the new locking API
  Author: csjp  Date: 2006-02-02  Files: 1  Lines: -45/+10

* Fix minor bug in uRPF: if net.link.ether.inet.useloopback=1 and we send a broadcast packet using our own source IP address, it may be rejected by uRPF rules. The same bug was fixed for IPv6 in rev. 1.115 by suz.
  PR: kern/76971
  Approved by: glebius (mentor)
  MFC after: 3 days
  Author: oleg  Date: 2006-01-24  Files: 1  Lines: -2/+8

* - Change the return type for init_tables from void to int so we can propagate errors from rn_inithead back to the ipfw initialization function.
  - Check the return value of rn_inithead for failure; if table allocation has failed for any reason, free up any tables we have created and return ENOMEM
  - In ipfw_init check the return value of init_tables and free up any mutexes or UMA zones which may have been created.
  - Assert that the supplied table is not NULL before attempting to dereference.
  This fixes panics which were a result of invalid memory accesses due to failed table allocation. This is an issue mainly because the R_Zalloc function is a malloc(M_NOWAIT) wrapper, thus making it possible for allocations to fail.
  Found by: Coverity Prevent (tm)
  Coverity ID: CID79
  MFC after: 1 week
  Author: csjp  Date: 2006-01-20  Files: 1  Lines: -10/+25

* Destroy the dynamic rule zone in the event that we fail to insert the initial default rule.
  MFC after: 1 week
  Author: csjp  Date: 2006-01-20  Files: 1  Lines: -0/+1
* Correct insecure temporary file usage in texindex. [06:01]
  Correct insecure temporary file usage in ee. [06:02]
  Correct a race condition when setting file permissions, sanitize file names by default, and fix a buffer overflow when handling files larger than 4GB in cpio. [06:03]
  Fix an error in the handling of IP fragments in ipfw which can cause a kernel panic. [06:04]
  Security: FreeBSD-SA-06:01.texindex
  Security: FreeBSD-SA-06:02.ee
  Security: FreeBSD-SA-06:03.cpio
  Security: FreeBSD-SA-06:04.ipfw
  Author: cperciva  Date: 2006-01-11  Files: 1  Lines: -1/+1

* Cleanup __FreeBSD_version.
  Author: glebius  Date: 2005-12-16  Files: 1  Lines: -5/+0

* Add a new feature for optimizing ipfw rulesets - substitution of the action argument with the value obtained from table lookup. The feature is now applicable only to "pipe", "queue", "divert", "tee", "netgraph" and "ngtee" rules. An example usage:
    ipfw pipe 1000 config bw 1000Kbyte/s
    ipfw pipe 4000 config bw 4000Kbyte/s
    ipfw table 1 add x.x.x.x 1000
    ipfw table 1 add x.x.x.y 4000
    ipfw pipe tablearg ip from table(1) to any
  In the example above the rule will throw different packets to different pipes.
  TODO:
  - Support "skipto" action, but without searching all rules.
  - Improve parser, so that it warns about bad rules. These are:
    - "tablearg" argument to action, but no "table" in the rule. All traffic will be blocked.
    - "tablearg" argument to action, but "table" searches for entry with a specific value. All traffic will be blocked.
    - "tablearg" argument to action, and two "table" lookups - for src and for dst. The last lookup will match.
  Author: glebius  Date: 2005-12-13  Files: 1  Lines: -5/+16

* Optimize parallel processing of ipfw(4) rulesets eliminating the locking of the radix lookup tables. Since several rnh_lookup() can run in parallel on the same table, we can piggyback on the shared locking provided by ipfw(4). However, the single entry cache in the ip_fw_table can't be used lockless, so it is removed. This pessimizes two cases: processing of bursts of similar packets and matching one packet against the same table several times during one ipfw_chk() lookup. To optimize the processing of similar packet bursts the administrator should use a stateful firewall. To optimize the second problem a solution will be provided soon.
  Details:
  o Since we piggyback on the ipfw(4) locking, and the latter is per-chain, the tables are moved from the global declaration to the struct ip_fw_chain.
  o The struct ip_fw_table is shrunk to one entry and thus vanished.
  o All table manipulating functions are extended to accept the struct ip_fw_chain * argument.
  o All table modifying functions use IPFW_WLOCK_ASSERT().
  Author: glebius  Date: 2005-12-06  Files: 1  Lines: -71/+54

* Obey opt_inet6.h and opt_ipsec.h in kernel build directory.
  Requested by: hrs
  Author: ume  Date: 2005-11-29  Files: 1  Lines: -2/+2

* Garbage-collect now unused struct _ipfw_insn_pipe and flush_pipe_ptrs(), thus removing a few XXXes. Document the ABI breakage in UPDATING.
  Author: glebius  Date: 2005-11-29  Files: 1  Lines: -29/+1
* Fixed a bug that uRPF does not work properly for an IPv6 packet bound for the sending machine itself (this is a bug introduced due to a change in ip6_input.c:Rev.1.83).
  Pointed out by: Sean McNeil and J.R.Oldroyd
  MFC after: 3 days
  Author: suz  Date: 2005-11-10  Files: 1  Lines: -2/+8

* Retire MT_HEADER mbuf type and change its users to use MT_DATA. Having an additional MT_HEADER mbuf type is superfluous and redundant as nothing depends on it. It only adds a layer of confusion. The distinction between header mbufs and data mbufs is solely done through the m->m_flags M_PKTHDR flag. Non-native code is not changed in this commit. For compatibility MT_HEADER is mapped to MT_DATA.
  Sponsored by: TCP/IP Optimization Fundraise 2005
  Author: andre  Date: 2005-11-02  Files: 1  Lines: -1/+1

* Remove bridge(4) from the tree. if_bridge(4) is a fully functional replacement and has additional features which make it superior.
  Discussed on: -arch
  Reviewed by: thompsa
  X-MFC-after: never (RELENG_6 as transition period)
  Author: mlaier  Date: 2005-09-27  Files: 1  Lines: -1/+1

* Use monotonic 'time_uptime' instead of 'time_second' as timebase for timeouts.
  Author: andre  Date: 2005-09-19  Files: 1  Lines: -24/+24

* Fix panic when kernel compiled without INET6 by rejecting IPv6 opcodes which are behind #if(n)def INET6 now.
  PR: kern/85826
  MFC after: 3 days
  Author: bz  Date: 2005-09-14  Files: 1  Lines: -6/+30

* Clear lock on error in O_LIMIT case of install_state.
  Submitted by: Ted Unangst
  MFC after: 3 days
  Author: sam  Date: 2005-09-04  Files: 1  Lines: -0/+1

* Fix broken build of rev. 1.108 in case of no INET6 and IPFIREWALL compiled into kernel.
  Spotted and tested by: Michal Mertl <mime at traveller.cz>
  Author: bz  Date: 2005-08-14  Files: 1  Lines: -1/+7
* Add dynamic sysctl for net.inet6.ip6.fw.
  * Correct handling of IPv6 Extension Headers.
  * Add unreach6 code.
  * Add logging for IPv6.
  Submitted by: sysctl handling derived from patch from ume needed for ip6fw
  Obtained from: is_icmp6_query and send_reject6 derived from similar functions of netinet6,ip6fw
  Reviewed by: ume, gnn; silence on ipfw@
  Test setup provided by: CK Software GmbH
  MFC after: 6 days
  Author: bz  Date: 2005-08-13  Files: 1  Lines: -67/+283

* Include scope6_var.h for in6_clearscope().
  Author: ume  Date: 2005-07-26  Files: 1  Lines: -0/+3

* Remove ambiguity from hlen. IPv4 is now indicated by is_ipv4 and we need a proper hlen value for IPv6 to implement O_REJECT and O_LOG.
  Reviewed by: glebius, brooks, gnn
  Approved by: re (scottl)
  Author: mlaier  Date: 2005-07-03  Files: 1  Lines: -20/+17

* Fix ipfw packet matching errors with address tables. The ipfw tables lookup code caches the result of the last query. The kernel may process multiple packets concurrently, performing several concurrent table lookups. Due to insufficient locking, a cached result can become corrupted, which could cause some addresses to be incorrectly matched against a lookup table.
  Submitted by: ru
  Reviewed by: csjp, mlaier
  Security: CAN-2005-2019
  Security: FreeBSD-SA-05:13.ipfw
  Correct bzip2 permission race condition vulnerability.
  Obtained from: Steve Grubb via RedHat
  Security: CAN-2005-0953
  Security: FreeBSD-SA-05:14.bzip2
  Approved by: obrien
  Correct TCP connection stall denial of service vulnerability. A TCP packet with the SYN flag set is accepted for established connections, allowing an attacker to overwrite certain TCP options.
  Submitted by: Noritoshi Demizu
  Reviewed by: andre, Mohan Srinivasan
  Security: CAN-2005-2068
  Security: FreeBSD-SA-05:15.tcp
  Approved by: re (security blanket), cperciva
  Author: simon  Date: 2005-06-29  Files: 1  Lines: -17/+20

* In verify_rev_path6():
  - do not use static memory as we are under a shared lock only
  - properly rtfree routes allocated with rtalloc
  - rename to verify_path6()
  - implement the full functionality of the IPv4 version
  Also make O_ANTISPOOF work with IPv6.
  Reviewed by: gnn
  Approved by: re (blanket)
  Author: mlaier  Date: 2005-06-16  Files: 1  Lines: -18/+52

* Fix indentation in INET6 section in preparation of more serious work.
  Approved by: re (blanket ip6fw removal)
  Author: mlaier  Date: 2005-06-16  Files: 1  Lines: -49/+49

* When doing matching based on dst_ip/src_ip make sure we are really looking at an IPv4 packet as these variables are uninitialized if not. This used to allow arbitrary IPv6 packets depending on the value in the uninitialized variables. Some opcodes (most notably O_REJECT) do not support IPv6 at all right now.
  Reviewed by: brooks, glebius
  Security: IPFW might pass IPv6 packets depending on stack contents.
  Approved by: re (blanket)
  Author: mlaier  Date: 2005-06-12  Files: 1  Lines: -10/+13
* Modify send_pkt() to return the generated packet and have the caller do the subsequent ip_output() in IPFW. In ipfw_tick(), the keep-alive packets must be generated from the data that resides under the stateful lock, but they must not be sent at that time, as this would cause a lock order reversal with the normal ordering (interface's lock, then locks belonging to the pfil hooks). In practice, this caused deadlocks when using IPFW and if_bridge(4) together to do stateful transparent filtering.
  MFC after: 1 week
  Author: green  Date: 2005-06-10  Files: 1  Lines: -8/+32

* Better explain, then actually implement the IPFW ALTQ-rule first-match policy. It may be used to provide more detailed classification of traffic without actually having to decide its fate at the time of classification.
  MFC after: 1 week
  Author: green  Date: 2005-06-04  Files: 1  Lines: -0/+3

* Add support for IPv4 only rules to IPFW2 now that it supports IPv6 as well. This is the last requirement before we can retire ip6fw.
  Reviewed by: dwhite, brooks (earlier version)
  Submitted by: dwhite (manpage)
  Silence from: -ipfw
  Author: mlaier  Date: 2005-06-03  Files: 1  Lines: -0/+7

* Let OSPFv3 go through ipfw. Some more additional checks would be desirable, though.
  Author: tanimura  Date: 2005-05-28  Files: 1  Lines: -0/+5

* IPFW version 2 is the only option in HEAD and RELENG_5. Thus, clean up the now unnecessary ifdefs.
  Author: glebius  Date: 2005-05-04  Files: 1  Lines: -4/+0

* Introduce a struct icmphdr which contains the type, code, and cksum fields of an ICMP packet. Use this to allow ipfw to pullup only these values since it does not use the rest of the packet and it was failing on ICMP packets because they were not long enough. struct icmp should probably be modified to use these at some point, but that will break a fair bit of code so it can wait for another day. On the off chance that adding this struct breaks something in ports, bump __FreeBSD_version.
  Reported by: Randy Bush <randy at psg dot com>
  Tested by: Randy Bush <randy at psg dot com>
  Author: brooks  Date: 2005-04-26  Files: 1  Lines: -9/+5

* Typo
  Author: phk  Date: 2005-04-19  Files: 1  Lines: -1/+1

* Make IPFIREWALL compile without INET6
  Author: phk  Date: 2005-04-19  Files: 1  Lines: -3/+18
* Add IPv6 support to IPFW and Dummynet.
  Submitted by: Mariano Tortoriello and Raffaele De Lorenzo (via luigi)
  Author: brooks  Date: 2005-04-18  Files: 1  Lines: -32/+333

* Centralized finding the protocol header in IP packets in preparation for IPv6 support. The header in IPv6 is more complex than in IPv4 so we want to handle skipping over it in one location.
  Submitted by: Mariano Tortoriello and Raffaele De Lorenzo (via luigi)
  Author: brooks  Date: 2005-04-15  Files: 1  Lines: -92/+109

* Use NET_CALLOUT_MPSAFE macro.
  Author: glebius  Date: 2005-03-01  Files: 1  Lines: -1/+1

* Jump to common action checks after doing specific ones. This fixes adding of divert rules, which I broke in the previous commit.
  Pointy hat to: glebius
  Author: glebius  Date: 2005-02-06  Files: 1  Lines: -0/+5

* Add a ng_ipfw node, implementing a quick and simple interface between ipfw(4) and netgraph(4) facilities.
  Reviewed by: andre, brooks, julian
  Author: glebius  Date: 2005-02-05  Files: 1  Lines: -0/+23

* Change the state allocator from using regular malloc to using a UMA zone instead. This should eliminate a bit of the locking overhead associated with malloc and reduce the memory consumption associated with each new state.
  Reviewed by: rwatson, andre
  Silence on: ipfw@
  MFC after: 1 week
  Author: csjp  Date: 2005-01-31  Files: 1  Lines: -2/+7

* o Clean up interface between ip_fw_chk() and its callers:
    - ip_fw_chk() returns action as function return value. Field retval is removed from args structure. Action is not a flag any more. It is one of integer constants.
    - Any action-specific cookies are returned either in new "cookie" field in args structure (dummynet, future netgraph glue), or in mbuf tag attached to packet (divert, tee, some future action).
  o Convert parsing of return value from ip_fw_chk() in ipfw_check_{in,out}() to a switch structure, so that the functions are more readable, and future actions can be added with fewer modifications.
  Approved by: andre
  MFC after: 2 months
  Author: glebius  Date: 2005-01-14  Files: 1  Lines: -26/+23

* /* -> /*- for license, minor formatting changes
  Author: imp  Date: 2005-01-07  Files: 1  Lines: -1/+1
* This commit adds a shared locking mechanism very similar to the mechanism used by pfil. This shared locking mechanism will remove a nasty lock order reversal which occurs when ucred based rules are used, which results in hard locks while mpsafenet=1. So this removes the debug.mpsafenet=0 requirement when using ucred based rules with IPFW. It should be noted that this locking mechanism does not guarantee fairness between read and write locks, and that it will favor firewall chain readers over writers. This seemed acceptable since write operations to firewall chains protected by this lock tend to be less frequent than reads.
  Reviewed by: andre, rwatson
  Tested by: myself, seanc
  Silence on: ipfw@
  MFC after: 1 month
  Author: csjp  Date: 2004-12-10  Files: 1  Lines: -29/+69

* Remove RFC1644 T/TCP support from the TCP side of the network stack. A complete rationale and discussion is given in this message and the resulting discussion: http://docs.freebsd.org/cgi/mid.cgi?4177C8AD.6060706
  Note that this commit removes only the functional part of T/TCP from the tcp_* related functions in the kernel. Other features introduced with RFC1644 are left intact (socket layer changes, sendmsg(2) on connection oriented protocols) and are meant to be reused by a simpler and less intrusive reimplementation of the previous T/TCP functionality.
  Discussed on: -arch
  Author: andre  Date: 2004-11-02  Files: 1  Lines: -5/+0

* When printing the initialization string and IPDIVERT is not compiled into the kernel, refer to it as "loadable" instead of "disabled".
  Author: andre  Date: 2004-10-22  Files: 1  Lines: -1/+1

* Convert IPDIVERT into a loadable module. This makes use of the dynamic loadability of protocols. The call to divert_packet() is done through a function pointer. All semantics of IPDIVERT remain intact. If IPDIVERT is not loaded ipfw will refuse to install divert rules and natd will complain about 'protocol not supported'. Once it is loaded both will work and accept rules and open the divert socket. The module can only be unloaded if no divert sockets are open. It does not close any divert sockets when an unload is requested but will return EBUSY instead.
  Author: andre  Date: 2004-10-19  Files: 1  Lines: -4/+2

* Add support to IPFW for matching by TCP data length.
  Author: green  Date: 2004-10-03  Files: 1  Lines: -0/+23

* Add support to IPFW for classification based on "diverted" status (that is, input via a divert socket).
  Author: green  Date: 2004-10-03  Files: 1  Lines: -1/+20

* Add to IPFW the ability to do ALTQ classification/tagging.
  Author: green  Date: 2004-10-03  Files: 1  Lines: -0/+44

* Validate the action pointer to be within the rule size, so that trying to add corrupt ipfw rules would not potentially panic the system or worse.
  Author: green  Date: 2004-09-30  Files: 1  Lines: -0/+5

* Add an additional struct inpcb * argument to pfil(9) in order to enable passing along socket information. This is required to work around a LOR with the socket code which results in an easily reproducible hard lockup with debug.mpsafenet=1. This commit does *not* fix the LOR, but enables us to do so later. The missing piece is to turn the filter locking into a leaf lock and will follow in a separate (later) commit. This will hopefully be MT5'ed in order to fix the problem for RELENG_5 in the foreseeable future.
  Suggested by: rwatson
  A lot of work by: csjp (he'd be even more helpful w/o mentor-reviews ;)
  Reviewed by: rwatson, csjp
  Tested by: -pf, -ipfw, LINT, csjp and myself
  MFC after: 3 days
  LOR IDs: 14 - 17 (not fixed yet)
  Author: mlaier  Date: 2004-09-29  Files: 1  Lines: -11/+32