| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
from Mac OS X Leopard--rationalize naming for entry points to
the following general forms:
mac_<object>_<method/action>
mac_<object>_check_<method/action>
The previous naming scheme was inconsistent and mostly
reversed from the new scheme. Also, make object types more
consistent and remove spaces from object types that contain
multiple parts ("posix_sem" -> "posixsem") to make mechanical
parsing easier. Introduce a new "netinet" object type for
certain IPv4/IPv6-related methods. Also simplify, slightly,
some entry point names.
All MAC policy modules will need to be recompiled, and modules
not updates as part of this commit will need to be modified to
conform to the new KPI.
Sponsored by: SPARTA (original patches against Mac OS X)
Obtained from: TrustedBSD Project, Apple Computer
|
| |
|
|
|
|
| |
easily include file version information in bug reports.
Approved by: re (kensmith)
|
| |
|
|
|
|
|
|
|
| |
by 'ipfw: '.
PR: kern/115755
Submitted by: sem
Approved by: re (gnn)
MFC after: 4 weeks
|
| |
|
|
|
|
|
|
|
| |
import. The PF mbuf-tagging support routines changed to link the
allocated tags into the provided mbuf themselves, so the left-over
m_tag_prepend() was trying to add a bogus (usually NULL) tag.
Reviewed by: mlaier
Approved by: re
|
| |
|
|
|
|
|
|
|
|
|
|
| |
pack a set number correctly.
Submitted by: oleg
o Plug a memory leak.
Submitted by: oleg and Andrey V. Elsukov
Approved by: re (kensmith)
MFC after: 1 week
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
previously conditionally acquired Giant based on debug.mpsafenet. As that
has now been removed, they are no longer required. Removing them
significantly simplifies error-handling in the socket layer, eliminated
quite a bit of unwinding of locking in error cases.
While here clean up the now unneeded opt_net.h, which previously was used
for the NET_WITH_GIANT kernel option. Clean up some related gotos for
consistency.
Reviewed by: bz, csjp
Tested by: kris
Approved by: re (kensmith)
|
| |
|
|
|
|
|
|
| |
definition of NET_CALLOUT_MPSAFE, which is no longer required now that
debug.mpsafenet has been removed.
The once over: bz
Approved by: re (kensmith)
|
| |
|
|
|
|
|
|
| |
- move ftp-proxy from libexec to usr.sbin
- add tftp-proxy
- new altq mtag link
Approved by: re (kensmith)
|
| |
|
|
|
|
|
|
| |
option is now deprecated, as well as the KAME IPsec code.
What was FAST_IPSEC is now IPSEC.
Approved by: re
Sponsored by: Secure Computing
|
| |
|
|
|
|
|
|
|
| |
This commit includes only the kernel files, the rest of the files
will follow in a second commit.
Reviewed by: bz
Approved by: re
Supported by: Secure Computing
|
| |
|
|
|
|
|
|
|
|
|
|
| |
- to show a specific set: ipfw set 3 show
- to delete rules from the set: ipfw set 9 delete 100 200 300
- to flush the set: ipfw set 4 flush
- to reset rules counters in the set: ipfw set 1 zero
PR: kern/113388
Submitted by: Andrey V. Elsukov
Approved by: re (kensmith)
MFC after: 6 weeks
|
| |
|
|
| |
consistent style(9)-ish layout.
|
| |
|
|
|
|
|
| |
Mobile IPv6 Routing Header Type 2 in addition to filter
on the non-differentiated presence of any Routing Header.
MFC after: 3 weeks
|
| |
|
|
|
|
|
| |
"zone", which is generally not present in zone names. This reduces the
incidence of line-wrapping in "vmstat -z " using 80-column displays.
MFC after: 3 days
|
| |
|
|
|
|
|
|
| |
they have been reported back to the userland as being in 1970.
Add boot time to the timestamp to give the time in the scale of the 'current'
real timescale. Not perfect if you change the time a lot but good enough
to keep all the rules correct relative to each other correct in terms
of time relative to "now".
|
| |
|
|
| |
describes the state of IPDIVERT.
|
| |
|
|
| |
ip is now an argument to the function ipfw_log()
|
| |
|
|
| |
Reviewed: luigi
|
| |
|
|
|
|
|
| |
"IPFIREWALL_NAT": this way nat is turned off by default and
POLA is preserved.
Reviewed by: rwatson
|
| |
|
|
|
|
|
|
|
| |
mbuf. First moves toward being able to cope better with having layer 2 (or
other encapsulation data) before the IP header in the packet being examined.
More commits to come to round out this functionality. This commit should
have no practical effect but clears the way for what is coming.
Revirewed by: luigi, yar
MFC After: 2 weeks
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With the second (and last) part of my previous Summer of Code work, we get:
-ipfw's in kernel nat
-redirect_* and LSNAT support
General information about nat syntax and some examples are available
in the ipfw (8) man page. The redirect and LSNAT syntax are identical
to natd, so please refer to natd (8) man page.
To enable in kernel nat in rc.conf, two options were added:
o firewall_nat_enable: equivalent to natd_enable
o firewall_nat_interface: equivalent to natd_interface
Remember to set net.inet.ip.fw.one_pass to 0, if you want the packet
to continue being checked by the firewall ruleset after being
(de)aliased.
NOTA BENE: due to some problems with libalias architecture, in kernel
nat won't work with TSO enabled nic, thus you have to disable TSO via
ifconfig (ifconfig foo0 -tso).
Approved by: glebius (mentor)
|
| |
|
|
|
|
|
| |
In ip6_sprintf no longer use and return one of eight static buffers
for printing/logging ipv6 addresses.
The caller now has to hand in a sufficiently large buffer as first
argument.
|
| |
|
|
|
|
|
|
| |
We are not yet aware of the protocol internals but this way
SCTP traffic over v6 will not be discarded.
Reported by: Peter Lei via rrs
Tested by: Peter Lei <peterlei cisco.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
specific privilege names to a broad range of privileges. These may
require some future tweaking.
Sponsored by: nCircle Network Security, Inc.
Obtained from: TrustedBSD Project
Discussed on: arch@
Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri,
Alex Lyashkov <umka at sevcity dot net>,
Skip Ford <skip dot ford at verizon dot net>,
Antoine Brodin <antoine dot brodin at laposte dot net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
begun with a repo-copy of mac.h to mac_framework.h. sys/mac.h now
contains the userspace and user<->kernel API and definitions, with all
in-kernel interfaces moved to mac_framework.h, which is now included
across most of the kernel instead.
This change is the first step in a larger cleanup and sweep of MAC
Framework interfaces in the kernel, and will not be MFC'd.
Obtained from: TrustedBSD Project
Sponsored by: SPARTA
|
| |
|
|
| |
IS_IP6_FLOW_ID() exactly for that.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
entries' by src:port and dst:port pairs. IPv6 part is non-functional
as ``limit'' does not support IPv6 flows.
PR: kern/103967
Submitted by: based on Bruce Campbell patch
MFC after: 1 month
|
| |
|
|
|
|
|
|
|
|
|
| |
in ip6_output. In case this fails handle the error directly and log it[1].
In addition permit CARP over v6 in ip_fw2.
PR: kern/98622
Similar patch by: suz
Discussed with: glebius [1]
Tested by: Paul.Dekkers surfnet.nl, Philippe.Pegon crc.u-strasbg.fr
MFC after: 3 days
|
| |
|
|
|
|
|
|
| |
ipfw add allow ip6 from any to 2000::/16,2002::/16
PR: 102422 (part 3)
Submitted by: Andrey V. Elsukov <bu7cher at yandex dot ru>
MFC after: 5 days
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
exists to allow the mandatory access control policy to properly initialize
mbufs generated by the firewall. An example where this might happen is keep
alive packets, or ICMP error packets in response to other packets.
This takes care of kernel panics associated with un-initialize mbuf labels
when the firewall generates packets.
[1] I modified this patch from it's original version, the initial patch
introduced a number of entry points which were programmatically
equivalent. So I introduced only one. Instead, we should leverage
mac_create_mbuf_netlayer() which is used for similar situations,
an example being icmp_error()
This will minimize the impact associated with the MFC
Submitted by: mlaier [1]
MFC after: 1 week
This is a RELENG_6 candidate
|
| |
|
|
| |
MFC after: 1 week
|
| |
|
|
|
| |
Submitted by: ru
MFC after: 1 month
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
for example:
fwd tablearg ip from any to table(1)
where table 1 has entries of the form:
1.1.1.0/24 10.2.3.4
208.23.2.0/24 router2
This allows trivial implementation of a secondary routing table implemented
in the firewall layer.
I expect more work (under discussion with Glebius) to follow this to clean
up some of the messy parts of ipfw related to tables.
Reviewed by: Glebius
MFC after: 1 month
|
| |
|
|
|
|
|
|
| |
allocation.
Submitted by: Andrey Elsukov <bu7cher at yandex dot ru>
Approved by: glebius (mentor)
MFC after: 1 week
|
| |
|
|
|
|
| |
Noticed by: yar
Approved by: glebius (mentor)
MFC after: 1 week
|
| |
|
|
|
|
|
|
|
|
| |
except in places dealing with ifaddr creation or destruction; and
in such special places incomplete ifaddrs should never be linked
to system-wide data structures. Therefore we can eliminate all the
superfluous checks for "ifa->ifa_addr != NULL" and get ready
to the system crashing honestly instead of masking possible bugs.
Suggested by: glebius, jhb, ru
|
| | |
|
| |
|
|
|
|
|
|
| |
used since FreeBSD-SA-06:04.ipfw.
Adopt send_reject6 to what had been done for legacy IP: no longer
send or permit sending rejects for any but the first fragment.
Discussed with: oleg, csjp (some weeks ago)
|
| |
|
|
| |
OKed by: rwatson (some weeks ago)
|
| |
|
|
|
|
|
|
|
|
|
| |
infinite loop with net.inet6.ip6.fw.deny_unknown_exthdrs=0.
- Teach ipv6 and ipencap as they appear in an IPv4/IPv6 over IPv6
tunnel.
- Test the next extention header even when the routing header type
is unknown with net.inet6.ip6.fw.deny_unknown_exthdrs=0.
Found by: xcast-fan-club
MFC after: 1 week
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- 'tag' & 'untag' action parameters.
- 'tagged' & 'limit' rule options.
Rule examples:
pipe 1 tag tablearg ip from table(1) to any
allow ip from any to table(2) tagged tablearg
allow tcp from table(3) to any 25 setup limit src-addr tablearg
sbin/ipfw/ipfw2.c:
1) new macros
GET_UINT_ARG - support of 'tablearg' keyword, argument range checking.
PRINT_UINT_ARG - support of 'tablearg' keyword.
2) strtoport(): do not silently truncate/accept invalid port list expressions
like: '1,2-abc' or '1,2-3-4' or '1,2-3x4'. style(9) cleanup.
Approved by: glebius (mentor)
MFC after: 1 month
|
| |
|
|
|
| |
Approved by: glebius (mentor)
MFC after: 1 month
|
| |
|
|
|
|
|
|
|
| |
flows for O_LIMIT rules. Otherwise 'ipfw -d show' is unable to display
PARENT rules properly.
(This bug was exposed by ipfw2.c rev.1.90)
Approved by: glebius (mentor)
MFC after: 2 weeks
|
| |
|
|
|
|
|
|
|
|
|
| |
Since tags are kept while packet resides in kernelspace, it's possible to
use other kernel facilities (like netgraph nodes) for altering those tags.
Submitted by: Andrey Elsukov <bu7cher at yandex dot ru>
Submitted by: Vadim Goncharov <vadimnuclight at tpu dot ru>
Approved by: glebius (mentor)
Idea from: OpenBSD PF
MFC after: 1 month
|
| |
|
|
|
|
|
|
|
|
| |
connections and get rid of the flow_id as it is not guaranteed to be stable
some (most?) current implementations seem to just zero it out.
PR: kern/88664
Reported by: jylefort
Submitted by: Joost Bekkers (w/ changes)
Tested by "regisr" <regisrApoboxDcom>
|
| |
|
|
| |
contrast to ip6fw - is properly lockes, it is time to retire ip6fw.
|
| |
|
|
|
|
| |
seperately. Also use pfil hook/unhook instead of keeping the check
functions in pfil just to return there based on the sysctl. While here fix
some whitespace on a nearby SYSCTL_ macro.
|
| | |
|
| |
|
|
|
|
| |
- Acquire read (not write) lock in case of IP_FW_TABLE_LIST.
In collaboration with: ru
|
