path: root/sys/netinet/ip_input.c
Commit message (Author, Age, Files, Lines)
...
* Yow! Completely change the way socket options are handled, eliminating another specialized mbuf type in the process. Also clean up some of the cruft surrounding IPFW, multicast routing, RSVP, and other ill-explored corners. (wollman, 1998-08-23, 1 file, -2/+5)
* Fixed printf format errors. (bde, 1998-08-17, 1 file, -2/+3)
* Fixed some longs that should have been fixed-sized types. (bde, 1998-07-13, 1 file, -2/+2)
* When not acting as a router (ipforwarding=0), silently discard source routed packets that aren't destined for us, as required by RFC-1122. PR: 7191 (dg, 1998-07-08, 1 file, -10/+21)
* oops ended comment before the comment ended.. (julian, 1998-07-06, 1 file, -2/+2)
* Bring back some slight cleanups from 2.2 (julian, 1998-07-06, 1 file, -3/+10)
* Fix braino in switching to TAILQ macro. (julian, 1998-07-06, 1 file, -2/+2)
* Support for IPFW based transparent forwarding. Any packet that can be matched by a ipfw rule can be redirected transparently to another port or machine. Redirection to another port mostly makes sense with tcp, where a session can be set up between a proxy and an unsuspecting client. Redirection to another machine requires that the other machine also be expecting to receive the forwarded packets, as their headers will not have been modified. /sbin/ipfw must be recompiled!!! Reviewed by: Peter Wemm <peter@freebsd.org> Submitted by: Chrisy Luke <chrisy@flix.net> (julian, 1998-07-06, 1 file, -12/+48)
* Remove the option to keep IPFW diversion backwards compatible WRT diversion reinjection. No-one has been bitten by the new behaviour that I know of. (julian, 1998-07-02, 1 file, -2/+3)
* Go through the loopback code with a broom.. Remove lots'o'hacks. looutput is now static. Other callers who want to use loopback to allow shortcutting should call the special entrypoint for this, if_simloop(), which is specifically designed for this purpose. Using looutput for this purpose was problematic, particularly with bpf and trying to keep track of whether one should be using the characteristics of the loopback interface or the interface (e.g. if_ethersubr.c) that was requesting the loopback. There was a whole class of errors due to this mis-use each of which had hacks to cover them up. Consists largely of hack removal :-) (julian, 1998-06-12, 1 file, -7/+2)
* Make sure the default value of a dummy variable is 0 so that it doesn't do anything. (julian, 1998-06-06, 1 file, -2/+2)
* Fix wrong data type for a pointer. (julian, 1998-06-06, 1 file, -2/+2)
* clean up the changes made to ipfw over the last weeks (should make the ipfw lkm work again) (julian, 1998-06-06, 1 file, -25/+9)
* Reverse the default sense of the IPFW/DIVERT reinjection code so that the new behaviour is now default. Solves the "infinite loop in diversion" problem when more than one diversion is active. Man page changes follow. The new code is in -stable as the NON default option. (julian, 1998-06-05, 1 file, -9/+9)
* Add optional code to change the way that divert and ipfw work together. Prior to this change, accidental recursion protection was done by the diverted daemon feeding back the divert port number it got the packet on, as the port number on a sendto(). IPFW knew not to redivert a packet to this port (again). Processing of the ruleset started at the beginning again, skipping that divert port. The new semantic (which is how we should have done it the first time) is that the port number in the sendto() is the rule number AFTER which processing should restart, and on a recvfrom(), the port number is the rule number which caused the diversion. This is much more flexible, and also more intuitive. If the user uses the same sockaddr received when resending, processing resumes at the rule number following that that caused the diversion. The user can however select to resume rule processing at any rule. (0 is restart at the beginning) To enable the new code use option IPFW_DIVERT_RESTART. This should become the default as soon as people have looked at it a bit (julian, 1998-05-25, 1 file, -2/+25)
* The ipt_ptr field is 1-based (see TCP/IP Illustrated, Vol. 1, pp. 91-95), so it must be adjusted (minus 1) before using it to do the length check. I'm not sure who to give the credit to, but the bug was reported by Jennifer Dawn Myers <jdm@enteract.com>, who also supplied a patch. It was also fixed in OpenBSD previously by andreas.gunnarsson@emw.ericsson.se, and of course I did the homework to verify that the fix was correct per the specification. PR: 6738 (dg, 1998-05-24, 1 file, -3/+3)
* Added fast IP forwarding code by Matt Thomas <matt@3am-software.com> via NetBSD, ported to FreeBSD by Pierre Beyssac <pb@fasterix.freenix.org> and minorly tweaked by me. This is a standard part of FreeBSD, but must be enabled with: "sysctl -w net.inet.ip.fastforwarding=1" ...and of course forwarding must also be enabled. This should probably be modified to use the zone allocator for speed and space efficiency. The current algorithm also appears to lose if the number of active paths exceeds IPFLOW_MAX (256), in which case it wastes lots of time trying to figure out which cache entry to drop. (dg, 1998-05-19, 1 file, -3/+6)
* Wrong header length used for certain reassembled IP packets. PR: 6177 Reviewed by: phk, wollman Submitted by: Eric Sprinkle <eric@ennovatenetworks.com> (phk, 1998-04-13, 1 file, -1/+3)
* Eradicate the variable "time" from the kernel, using various measures. "time" wasn't an atomic variable, so splfoo() protection was needed around any access to it, unless you just wanted the seconds part. Most uses of time.tv_sec now use the new variable time_second instead. gettime() changed to getmicrotime(). Remove a couple of unneeded splfoo() protections, the new getmicrotime() is atomic, (until Bruce sets a breakpoint in it). A couple of places needed random data, so use read_random() instead of mucking about with time which isn't random. Add a new nfs_curusec() function. Mark a couple of bogosities involving the now disappeared time variable. Update ffs_update() to avoid the weird "== &time" checks, by fixing the one remaining call that passed &time as args. Change profiling in ncr.c to use ticks instead of time. Resolution is the same. Add new function "tvtohz()" to avoid the bogus "splfoo(), add time, call hzto() which subtracts time" sequences. Reviewed by: bde (phk, 1998-03-30, 1 file, -2/+2)
* Make this compile.. There are some unpleasing hacks in here. A major unifdef session is sorely tempting but would destroy any remaining chance of tracking the original sources. (peter, 1998-03-21, 1 file, -3/+7)
* NetBSD PR# 2772 Reviewed by: David Greenman (dima, 1998-02-26, 1 file, -2/+2)
* Add new sysctl variable: net.inet.ip.accept_sourceroute It controls if the system is to accept source routed packets. It used to be such that, no matter the setting of net.inet.ip.sourceroute, source routed packets destined at us would be accepted. Now it is controllable with the default set to NOT accept those. (guido, 1998-02-16, 1 file, -1/+7)
* Replace non-existent ip_forwarding with ipforwarding (compilation error) (ache, 1998-02-12, 1 file, -2/+2)
* Only forward source routed packets when ip_forwarding is set to 1. This means that a FreeBSD will only forward source routed packets when both net.inet.ip.forwarding and net.inet.ip.sourceroute are set to 1. You can hit me now ;-) Submitted by: Thomas Ptacek (guido, 1998-02-11, 1 file, -2/+2)
* Back out DIAGNOSTIC changes. (eivind, 1998-02-06, 1 file, -2/+1)
* Turn DIAGNOSTIC into a new-style option. (eivind, 1998-02-04, 1 file, -1/+2)
* Make the BOOTP family new-style options (in opt_bootp.h) (eivind, 1998-01-09, 1 file, -1/+2)
* Submitted by: Archie Cobbs (IPDIVERT author) close small security hole where an attacker could send packets with IPDIVERT protocol, and select how it would be diverted thus bypassing the ipfirewall. Discovered by inspection rather than attack. (you'd have to know how the firewall was configured (EXACTLY) to make use of this but..) (julian, 1997-11-13, 1 file, -1/+7)
* Make IPDIVERT a supported option. Alas, in_var.h depends on it, i hope i've found out all files that actually depend on this dependency. IMHO, it's not very good practice to change the size of internal structs depending on kernel options. (joerg, 1997-11-05, 1 file, -1/+2)
* Return the entire if info, rather than just the index number. (at least try) Interface index numbers are an abomination that should go away (at least in that form) (julian, 1997-11-05, 1 file, -9/+31)
* Fix bugs from my previous commit Submitted by: Bruce Evans (guido, 1997-10-28, 1 file, -4/+4)
* Removed unused #includes. (bde, 1997-10-28, 1 file, -4/+1)
* When dosourcerouting is set do not sourceroute.... (guido, 1997-10-27, 1 file, -1/+4)
* Export ipstat via sysctl. Don't understand why this wasn't done before. (wollman, 1997-09-25, 1 file, -1/+3)
* Prevent overflow with fragmented packets Reviewed by: wollman (ache, 1997-09-15, 1 file, -26/+67)
* Recalculate ip_sum before passing a re-assembled packet to a divert port. Pointed-out by: Ari Suutari <ari@suutari.iki.fi> VS: then name the system in this line, otherwise delete it. (brian, 1997-07-25, 1 file, -1/+15)
* Submitted by: Whistle Communications (Archie Cobbs) these are quite extensive additions to the ipfw code. they include a change to the API because the old method was broken, but the user view is kept the same. The new code allows a particular match to skip forward to a particular line number, so that blocks of rules can be used without checking all the intervening rules. There are also many more ways of rejecting connections especially TCP related, and many many more ... see the man page for a complete description. (julian, 1997-06-02, 1 file, -16/+16)
* Bring in some kernel bootp support. This removes the need for netboot to fill in the nfs_diskless structure, at the cost of some kernel bloat. The advantage is that this code works on a wider range of network adapters than netboot. Several new kernel options are documented in LINT. Obtained from: parts of the code comes from NetBSD. (tegge, 1997-05-11, 1 file, -1/+5)
* Resolve conflicts created by import. (darrenr, 1997-04-03, 1 file, -15/+13)
* Back out part 1 of the MCFH that changed $Id$ to $FreeBSD$. We are not ready for it yet. (peter, 1997-02-22, 1 file, -1/+1)
* change IP Filter hooks to match new 3.1.8 patches for FreeBSD (darrenr, 1997-02-19, 1 file, -6/+7)
* Add IP Filter hooks (from patches). (darrenr, 1997-02-10, 1 file, -0/+19)
* Don't zero ip->ip_sum during sum validation. This should only affect programs that sit on top of divert(4) sockets. The multicast routing code already unconditionally zeros the sum before recalculating. Any code that unconditionally sums a packet without first zeroing the sum (assuming that it's already zero'd) will break. No such code seems to exist. (brian, 1997-02-06, 1 file, -3/+4)
* Reset ip_divert_ignore to zero immediately after use - also, set it in the first place, independent of whether sin->sin_port is set. The result is that diverted packets that are being forwarded will be diverted once and only once on the way in (ip_input()) and again, once and only once on the way out (ip_output()) - twice in total. ICMP packets that don't contain a port will now also be diverted. (brian, 1997-02-02, 1 file, -0/+1)
* Count multicast packets received for groups of which we are not a member separately from generic ``can't forward'' packets. This would have helped me find the previous bug much faster. (wollman, 1997-01-21, 1 file, -1/+1)
* Make the long-awaited change from $Id$ to $FreeBSD$ This will make a number of things easier in the future, as well as (finally!) avoiding the Id-smashing problem which has plagued developers for so long. Boy, I'm glad we're not using sup anymore. This update would have been insane otherwise. (jkh, 1997-01-14, 1 file, -1/+1)
* Convert the interface address and IP interface address structures to TAILQs. Fix places which referenced these for no good reason that I can see (the references remain, but were fixed to compile again; they are still questionable). (wollman, 1996-12-13, 1 file, -4/+7)
* Only pay attention to the offset and the IP_MF flag in ip_off. Pointed out by Nathaniel D. Daw (daw@panix.com), but fixed differently by me. (dg, 1996-12-11, 1 file, -2/+2)
* Add the IP_RECVIF socket option, which supplies a packet's incoming interface using a sockaddr_dl. Fix the other packet-information socket options (SO_TIMESTAMP, IP_RECVDSTADDR) to work for multicast UDP and raw sockets as well. (They previously only worked for unicast UDP). (fenner, 1996-11-11, 1 file, -1/+61)
* Don't allow reassembly to create packets bigger than IP_MAXPACKET, and count attempts to do so. Don't allow users to source packets bigger than IP_MAXPACKET. Make UDP length and ipovly's protocol length unsigned short. Reviewed by: wollman Submitted by: (partly by) kml@nas.nasa.gov (Kevin Lahey) (fenner, 1996-10-25, 1 file, -2/+12)