summaryrefslogtreecommitdiffstats
path: root/sys/netinet/udp_usrreq.c
Commit message (Collapse)AuthorAgeFilesLines
* - Combine kern.ps_showallprocs and kern.ipc.showallsockets intorwatson2001-10-091-3/+3
| | | | | | | | | | | | | | | | | | | | | | | a single kern.security.seeotheruids_permitted, describes as: "Unprivileged processes may see subjects/objects with different real uid" NOTE: kern.ps_showallprocs exists in -STABLE, and therefore there is an API change. kern.ipc.showallsockets does not. - Check kern.security.seeotheruids_permitted in cr_cansee(). - Replace visibility calls to socheckuid() with cr_cansee() (retain the change to socheckuid() in ipfw, where it is used for rule-matching). - Remove prison_unpcb() and make use of cr_cansee() against the UNIX domain socket credential instead of comparing root vnodes for the UDS and the process. This allows multiple jails to share the same chroot() and not see each others UNIX domain sockets. - Remove unused socheckproc(). Now that cr_cansee() is used universally for socket visibility, a variety of policies are more consistently enforced, including uid-based restrictions and jail-based restrictions. This also better-supports the introduction of additional MAC models. Reviewed by: ps, billf Obtained from: TrustedBSD Project
* Only allow users to see their own socket connections ifps2001-10-051-1/+5
| | | | | | | | | kern.ipc.showallsockets is set to 0. Submitted by: billf (with modifications by me) Inspired by: Dave McKay (aka pm aka Packet Magnet) Reviewed by: peter MFC after: 2 weeks
* o Rename u_cansee() to cr_cansee(), making the name more comprehensiblerwatson2001-09-201-1/+1
| | | | | | in the face of a rename of ucred to cred, and possibly generally. Obtained from: TrustedBSD Project
* KSE Milestone 2julian2001-09-121-16/+16
| | | | | | | | | | | | | | Note ALL MODULES MUST BE RECOMPILED make the kernel aware that there are smaller units of scheduling than the process. (but only allow one thread per process at this time). This is functionally equivalent to teh previousl -current except that there is a thread associated with each process. Sorry john! (your next MFC will be a doosie!) Reviewed by: peter@freebsd.org, dillon@freebsd.org X-MFC after: ha ha ha ha
* Patches from Keiichi SHIMA <keiichi@iij.ad.jp>julian2001-09-031-2/+2
| | | | | | to make ip use the standard protosw structure again. Obtained from: Well, KAME I guess.
* move ipsec security policy allocation into in_pcballoc, beforeume2001-07-261-7/+0
| | | | | | | | making pcbs available to the outside world. otherwise, we will see inpcb without ipsec security policy attached (-> panic() in ipsec.c). Obtained from: KAME MFC after: 3 days
* Allow getcred sysctl to work in jailed root processes. Processes candwmalone2001-06-241-3/+7
| | | | | | | | only do getcred calls for sockets which were created in the same jail. This should allow the ident to work in a reasonable way within jails. PR: 28107 Approved by: des, rwatson
* Add netstat(1) knob to reset net.inet.{ip|icmp|tcp|udp|igmp}.stats.ru2001-06-231-1/+1
| | | | | | For example, ``netstat -s -p ip -z'' will show and reset IP stats. PR: bin/17338
* Sync with recent KAME.ume2001-06-111-3/+5
| | | | | | | | | | | | | | | | | | This work was based on kame-20010528-freebsd43-snap.tgz and some critical problem after the snap was out were fixed. There are many many changes since last KAME merge. TODO: - The definitions of SADB_* in sys/net/pfkeyv2.h are still different from RFC2407/IANA assignment because of binary compatibility issue. It should be fixed under 5-CURRENT. - ip6po_m member of struct ip6_pktopts is no longer used. But, it is still there because of binary compatibility issue. It should be removed under 5-CURRENT. Reviewed by: itojun Obtained from: KAME MFC after: 3 weeks
* Count and show incoming UDP datagrams with no checksum.ru2001-03-131-1/+2
|
* Remove in_pcbnotify and use in_pcblookup_hash to find the cb directly.jlemon2001-02-261-13/+16
| | | | | | | | For TCP, verify that the sequence number in the ICMP packet falls within the tcp receive window before performing any actions indicated by the icmp packet. Clean up some layering violations (access to tcp internals from in_pcb)
* Redo the security update done in rev 1.54 of src/sys/netinet/tcp_subr.cjesper2001-02-221-17/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | and 1.84 of src/sys/netinet/udp_usrreq.c The changes broken down: - remove 0 as a wildcard for addresses and port numbers in src/sys/netinet/in_pcb.c:in_pcbnotify() - add src/sys/netinet/in_pcb.c:in_pcbnotifyall() used to notify all sessions with the specific remote address. - change - src/sys/netinet/udp_usrreq.c:udp_ctlinput() - src/sys/netinet/tcp_subr.c:tcp_ctlinput() to use in_pcbnotifyall() to notify multiple sessions, instead of using in_pcbnotify() with 0 as src address and as port numbers. - remove check for src port == 0 in - src/sys/netinet/tcp_subr.c:tcp_ctlinput() - src/sys/netinet/udp_usrreq.c:udp_ctlinput() as they are no longer needed. - move handling of redirects and host dead from in_pcbnotify() to udp_ctlinput() and tcp_ctlinput(), so they will call in_pcbnotifyall() to notify all sessions with the specific remote address. Approved by: jlemon Inspired by: NetBSD
* o Move per-process jail pointer (p->pr_prison) to inside of the subjectrwatson2001-02-211-2/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | credential structure, ucred (cr->cr_prison). o Allow jail inheritence to be a function of credential inheritence. o Abstract prison structure reference counting behind pr_hold() and pr_free(), invoked by the similarly named credential reference management functions, removing this code from per-ABI fork/exit code. o Modify various jail() functions to use struct ucred arguments instead of struct proc arguments. o Introduce jailed() function to determine if a credential is jailed, rather than directly checking pointers all over the place. o Convert PRISON_CHECK() macro to prison_check() function. o Move jail() function prototypes to jail.h. o Emulate the P_JAILED flag in fill_kinfo_proc() and no longer set the flag in the process flags field itself. o Eliminate that "const" qualifier from suser/p_can/etc to reflect mutex use. Notes: o Some further cleanup of the linux/jail code is still required. o It's now possible to consider resolving some of the process vs credential based permission checking confusion in the socket code. o Mutex protection of struct prison is still not present, and is required to protect the reference count plus some fields in the structure. Reviewed by: freebsd-arch Obtained from: TrustedBSD Project
* Only call in_pcbnotify if the src port number != 0, as wejesper2001-02-201-0/+13
| | | | | | | | | | | | | | | | treat 0 as a wildcard in src/sys/in_pbc.c:in_pcbnotify() It's sufficient to check for src|local port, as we'll have no sessions with src|local port == 0 Without this a attacker sending ICMP messages, where the attached IP header (+ 8 bytes) has the address and port numbers == 0, would have the ICMP message applied to all sessions. PR: kern/25195 Submitted by: originally by jesper, reimplimented by jlemon's advice Reviewed by: jlemon Approved by: jlemon
* Switch to using a struct xucred instead of a struct xucred when notgreen2001-02-181-2/+8
| | | | | | | | | | | | | | | | | actually in the kernel. This structure is a different size than what is currently in -CURRENT, but should hopefully be the last time any application breakage is caused there. As soon as any major inconveniences are removed, the definition of the in-kernel struct ucred should be conditionalized upon defined(_KERNEL). This also changes struct export_args to remove dependency on the constantly-changing struct ucred, as well as limiting the bounds of the size fields to the correct size. This means: a) mountd and friends won't break all the time, b) mountd and friends won't crash the kernel all the time if they don't know what they're doing wrt actual struct export_args layout. Reviewed by: bde
* Clean up RST ratelimiting. Previously, ratelimiting occured before testsbmilekic2001-02-111-1/+1
| | | | | | | | | | | were performed to determine if the received packet should be reset. This created erroneous ratelimiting and false alarms in some cases. The code has now been reorganized so that the checks for validity come before the call to badport_bandlim. Additionally, a few changes in the symbolic names of the bandlim types have been made, as well as a clarification of exactly which type each RST case falls under. Submitted by: Mike Silbersack <silby@silby.com>
* Mechanical change to use <sys/queue.h> macro API instead ofphk2001-02-041-2/+2
| | | | | | | fondling implementation details. Created with: sed(1) Reviewed by: md5(1)
* Update the "icmp_admin_prohib_like_rst" code to check the tcp-window andphk2000-12-241-2/+2
| | | | | | | to be configurable with respect to acting only in SYN or in all TCP states. PR: 23665 Submitted by: Jesper Skriver <jesper@skriver.dk>
* Change the following:bmilekic2000-12-151-1/+1
| | | | | | | | | | | | | | | | 1. ICMP ECHO and TSTAMP replies are now rate limited. 2. RSTs generated due to packets sent to open and unopen ports are now limited by seperate counters. 3. Each rate limiting queue now has its own description, as follows: Limiting icmp unreach response from 439 to 200 packets per second Limiting closed port RST response from 283 to 200 packets per second Limiting open port RST response from 18724 to 200 packets per second Limiting icmp ping response from 211 to 200 packets per second Limiting icmp tstamp response from 394 to 200 packets per second Submitted by: Mike Silbersack <silby@silby.com>
* Wrong checksum may have been computed for certain UDP packets.ru2000-11-011-1/+1
| | | | Reviewed by: jlemon
* Do not waste a time saving a copy of IP header if we are certainlyru2000-10-311-1/+2
| | | | not going to send an ICMP error message (net.inet.udp.blackhole=1).
* Convert all users of fldoff() to offsetof(). fldoff() is badphk2000-10-271-1/+0
| | | | | | | | | | | | | | | | | | | | | | | because it only takes a struct tag which makes it impossible to use unions, typedefs etc. Define __offsetof() in <machine/ansi.h> Define offsetof() in terms of __offsetof() in <stddef.h> and <sys/types.h> Remove myriad of local offsetof() definitions. Remove includes of <stddef.h> in kernel code. NB: Kernelcode should *never* include from /usr/include ! Make <sys/queue.h> include <machine/ansi.h> to avoid polluting the API. Deprecate <struct.h> with a warning. The warning turns into an error on 01-12-2000 and the file gets removed entirely on 01-01-2001. Paritials reviews by: various. Significant brucifications by: bde
* Reverse last commit, a better fix has been found.phk2000-09-171-8/+3
|
* Make sure UDP sockets are explicitly bind(2)'ed [sic] before we connect(2)phk2000-09-171-3/+8
| | | | | | | them. PR: 20946 Isolated by: Aaron Gifford <agifford@infowest.com>
* Fixed broken ICMP error generation, unified conversion of IP headerru2000-09-011-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | fields between host and network byte order. The details: o icmp_error() now does not add IP header length. This fixes the problem when icmp_error() is called from ip_forward(). In this case the ip_len of the original IP datagram returned with ICMP error was wrong. o icmp_error() expects all three fields, ip_len, ip_id and ip_off in host byte order, so DTRT and convert these fields back to network byte order before sending a message. This fixes the problem described in PR 16240 and PR 20877 (ip_id field was returned in host byte order). o ip_ttl decrement operation in ip_forward() was moved down to make sure that it does not corrupt the copy of original IP datagram passed later to icmp_error(). o A copy of original IP datagram in ip_forward() was made a read-write, independent copy. This fixes the problem I first reported to Garrett Wollman and Bill Fenner and later put in audit trail of PR 16240: ip_output() (not always) converts fields of original datagram to network byte order, but because copy (mcopy) and its original (m) most likely share the same mbuf cluster, ip_output()'s manipulations on original also corrupted the copy. o ip_output() now expects all three fields, ip_len, ip_off and (what is significant) ip_id in host byte order. It was a headache for years that ip_id was handled differently. The only compatibility issue here is the raw IP socket interface with IP_HDRINCL socket option set and a non-zero ip_id field, but ip.4 manual page was unclear on whether in this case ip_id field should be in host or network byte order.
* Backout the hack in rev 1.71, I am working on a better patchru2000-08-301-1/+0
| | | | | that should cover almost all inconsistencies in ICMP error generation.
* Apply appropriate patch.darrenr2000-08-291-0/+1
| | | | | PR: 20877 Submitted by: Frank Volf (volf@oasis.IAEhv.nl)
* sync with kame tree as of july00. tons of bug fixes/improvements.itojun2000-07-041-5/+7
| | | | | | | API changes: - additional IPv6 ioctls - IPsec PF_KEY API was changed, it is mandatory to upgrade setkey(8). (also syntax change)
* Previous commit changing SYSCTL_HANDLER_ARGS violated KNF.phk2000-07-041-2/+2
| | | | Pointed out by: bde
* Style police catches up with rev 1.26 of src/sys/sys/sysctl.h:phk2000-07-031-2/+2
| | | | | | | | Sanitize SYSCTL_HANDLER_ARGS so that simplistic tools can grog our sources: -sysctl_vm_zone SYSCTL_HANDLER_ARGS +sysctl_vm_zone (SYSCTL_HANDLER_ARGS)
* Fixed some style bugs (mainly convoluted logic for blackhole processing).bde2000-05-241-6/+2
|
* sysctl'ize ICMP_BANDLIM and ICMP_BANDLIM_SUPPRESS_OUTPUT.dan2000-05-221-2/+2
| | | | Suggested by: des/nbm
* Add support for offloading IP/TCP/UDP checksums to NIC hardware whichjlemon2000-03-271-10/+25
| | | | supports them.
* IPSEC support in the kernel.shin1999-12-221-1/+3
| | | | | | | | pr_input() routines prototype is also changed to support IPSEC and IPV6 chained protocol headers. Reviewed by: freebsd-arch, cvs-committers Obtained from: KAME project
* Change incorrect NULLs to 0seivind1999-12-211-1/+1
|
* M_PREPEND-related cleanups (unregisterifying struct mbuf *s).green1999-12-191-1/+1
|
* Always set INP_IPV4 flag for IPv4 pcb entries, because netstat needs itshin1999-12-131-2/+0
| | | | | | | | | | | to print out protocol specific pcb info. A patch submitted by guido@gvr.org, and asmodai@wxs.nl also reported the problem. Thanks and sorry for your troubles. Submitted by: guido@gvr.org Reviewed by: shin
* udp IPv6 support, IPv6/IPv4 tunneling support in kernel,shin1999-12-071-40/+192
| | | | | | | | | | packet divert at kernel for IPv6/IPv4 translater daemon This includes queue related patch submitted by jburkhol@home.com. Submitted by: queue related patch from jburkhol@home.com Reviewed by: freebsd-arch, cvs-committers Obtained from: KAME project
* The logic for blackhole processing does not free mbufs if thephk1999-11-171-0/+2
| | | | | | | | blackhole flag is set. PR: 14958 Submitted by: Larry Baird <lab@gta.com> Reviewed by: phk
* KAME related header files additions and merges.shin1999-11-051-10/+9
| | | | | | | (only those which don't affect c source files so much) Reviewed by: cvs-committers Obtained from: KAME project
* Change so_cred's type to a ucred, not a pcred. THis makes more sense, actually.green1999-09-191-4/+2
| | | | | | Make a sonewconn3() which takes an extra argument (proc) so new sockets created with sonewconn() from a user's system call get the correct credentials, not just the parent's credentials.
* $Id$ -> $FreeBSD$peter1999-08-281-1/+1
|
* Fix breakage if blackhole=1 and tiflags & TH_SYN, pluscsgr1999-08-191-2/+2
| | | | | | style(9) fixes Submitted by: Jonathon Lemon
* Add net.inet.tcp.blackhole and net.inet.udp.blackholecsgr1999-08-171-2/+7
| | | | | | | | | | | sysctl knobs. With these knobs on, refused connection attempts are dropped without sending a RST, or Port unreachable in the UDP case. In the TCP case, sending of RST is inhibited iff the incoming segment was a SYN. Docs and rc.conf settings to follow.
* Two new sysctls: net.inet.tcp.getcred and net.inet.udp.getcred. These takegreen1999-07-111-1/+33
| | | | | | | | | a sockaddr_in[2] (local, then remote) and return a struct ucred. Example code for these is at: http://www.FreeBSD.org/~green/inetd_ident.patch http://www.FreeBSD.org/~green/freebsd4.c (for pidentd) Reviewed by: bde
* This is the much-awaited cleaned up version of IPFW [ug]id support.green1999-06-191-2/+2
| | | | All relevant changes have been made (including ipfw.8).
* Add sysctl descriptions to many SYSCTL_XXXsbillf1999-05-031-5/+5
| | | | | | | PR: kern/11197 Submitted by: Adrian Chadd <adrian@FreeBSD.org> Reviewed by: billf(spelling/style/minor nits) Looked at by: bde(style)
* This Implements the mumbled about "Jail" feature.phk1999-04-281-2/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is a seriously beefed up chroot kind of thing. The process is jailed along the same lines as a chroot does it, but with additional tough restrictions imposed on what the superuser can do. For all I know, it is safe to hand over the root bit inside a prison to the customer living in that prison, this is what it was developed for in fact: "real virtual servers". Each prison has an ip number associated with it, which all IP communications will be coerced to use and each prison has its own hostname. Needless to say, you need more RAM this way, but the advantage is that each customer can run their own particular version of apache and not stomp on the toes of their neighbors. It generally does what one would expect, but setting up a jail still takes a little knowledge. A few notes: I have no scripts for setting up a jail, don't ask me for them. The IP number should be an alias on one of the interfaces. mount a /proc in each jail, it will make ps more useable. /proc/<pid>/status tells the hostname of the prison for jailed processes. Quotas are only sensible if you have a mountpoint per prison. There are no privisions for stopping resource-hogging. Some "#ifdef INET" and similar may be missing (send patches!) If somebody wants to take it from here and develop it into more of a "virtual machine" they should be most welcome! Tools, comments, patches & documentation most welcome. Have fun... Sponsored by: http://www.rndassociates.com/ Run for almost a year by: http://www.servetheweb.com/
* Reviewed by: freebsd-currentdillon1998-12-031-1/+7
| | | | | | | | | | | | | | Add ICMP_BANDLIM option and 'net.inet.icmp.icmplim' sysctl. If option is specified in kernel config, icmplim defaults to 100 pps. Setting it to 0 will disable the feature. This feature limits ICMP error responses for packets sent to bad tcp or udp ports, which does a lot to help the machine handle network D.O.S. attacks. The kernel will report packet rates that exceed the limit at a rate of one kernel printf per second. There is one issue in regards to the 'tail end' of an attack... the kernel will not output the last report until some unrelated and valid icmp error packet is return at some point after the attack is over. This is a minor reporting issue only.
* Re-implement tcp and ip fragment reassembly to not store pointers in thedfr1998-08-241-6/+3
| | | | | | ip header which can't work on alpha since pointers are too big. Reviewed by: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
OpenPOWER on IntegriCloud