| Commit message (Collapse) | Author | Age | Files | Lines |
problems reported recently (the rtentry pointer in the dummynet
queue was not initialized in all cases, resulting in spurious
rt_refcnt decreases in the lucky cases, and memory trashing in
other cases).
interfaces are used in clusters so the check does not apply.
resulting NULL FILE *.
PR: 9403
have all fields in network order, whereas ipfw expects some to be
in host order. This resulted in some incorrect matching, e.g. some
packets being identified as fragments, or bandwidth not being
correctly enforced.
NOTE: this only affects bridge+ipfw, normal ipfw usage was already
correct.
Reported-By: Dave Alden and others.
static...
Reported by: Dave Alden
Submitted by: Amancio Hasty <hasty@rah.star-gate.com>
Add bounds checking to netbios NS packet resolving code. This should
prevent natd from crashing on badly formed netbios packets (as might be
heard when the machine is sitting on a cable modem or certain DSL
networks), and also closes potential security holes that might have
exploited the lack of bounds checking in the previous version of the
code.
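The kind of bounds checking the commit above describes, as an added example; this is not natd's own code. Function names, the constructed sample packet and the nbns_demo() helper are this example's assumptions; the wire layout (12-byte header, 32-byte first-level encoded name, 0 terminator, QTYPE, QCLASS) follows RFC 1002's name-service format. Every read is checked against the packet length before it happens, so a truncated or lying packet is rejected instead of being read past its end.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not natd's alias code: a bounds-checked walk over the
 * question section of a NetBIOS Name Service packet (RFC 1002 layout: 12-byte
 * header, 32-byte first-level encoded name, 0 terminator, QTYPE, QCLASS).
 * Function names and the sample packet are this example's own assumptions. */

#define NBNS_HDR_LEN 12
#define NBNS_ENC_LEN 32   /* 16 name bytes, each sent as two 'A'..'P' chars */

/* Parse one question at pkt[*pos].  Every access is checked against len before
 * it happens; on truncation or a malformed name return -1 leaving *pos and out
 * untouched.  On success store the 16 decoded name bytes and skip QTYPE/QCLASS. */
int nbns_parse_question(const uint8_t *pkt, size_t len, size_t *pos, uint8_t out[16])
{
    size_t p = *pos;
    uint8_t tmp[16];
    int i;

    if (p >= len || pkt[p] != NBNS_ENC_LEN)
        return -1;                   /* compressed or oddly sized label: reject */
    p++;
    if (len - p < NBNS_ENC_LEN + 1)  /* 32 encoded bytes plus the terminator */
        return -1;
    for (i = 0; i < 16; i++) {
        uint8_t hi = pkt[p + 2 * i], lo = pkt[p + 2 * i + 1];
        if (hi < 'A' || hi > 'P' || lo < 'A' || lo > 'P')
            return -1;
        tmp[i] = (uint8_t)(((hi - 'A') << 4) | (lo - 'A'));
    }
    p += NBNS_ENC_LEN;
    if (pkt[p] != 0)
        return -1;                   /* scope labels are not handled here */
    p++;
    if (len - p < 4)                 /* QTYPE and QCLASS */
        return -1;
    *pos = p + 4;
    memcpy(out, tmp, 16);
    return 0;
}

/* Parse all QDCOUNT questions into names[].  Returns the number parsed, or -1
 * if the packet is truncated or claims more questions than names[] can hold. */
int nbns_parse_questions(const uint8_t *pkt, size_t len, uint8_t names[][16], int maxnames)
{
    size_t pos = NBNS_HDR_LEN;
    int qdcount, n;

    if (len < NBNS_HDR_LEN)
        return -1;
    qdcount = (pkt[4] << 8) | pkt[5];
    if (qdcount > maxnames)
        return -1;                   /* never write past the caller's array */
    for (n = 0; n < qdcount; n++)
        if (nbns_parse_question(pkt, len, &pos, names[n]) < 0)
            return -1;
    return n;
}

/* Constructed 50-byte name query for "HOST" (space padded, suffix 0x20):
 * header with QDCOUNT=1, encoded name, terminator, QTYPE NB, QCLASS IN. */
static const uint8_t nbns_sample[] =
    "\x12\x34\x01\x10\x00\x01\x00\x00\x00\x00\x00\x00"
    "\x20" "EIEPFDFE" "CACACACA" "CACACACA" "CACACACA"
    "\x00" "\x00\x20\x00\x01";
#define NBNS_SAMPLE_LEN (sizeof nbns_sample - 1)

/* Run the parser over a copy of the sample, optionally with QDCOUNT overridden
 * (qdcount >= 0) or the packet truncated to use_len bytes (use_len > 0).
 * Returns the parser's result; the first decoded name goes to name_out. */
int nbns_demo(int qdcount, size_t use_len, uint8_t name_out[16])
{
    uint8_t pkt[NBNS_SAMPLE_LEN], names[2][16];
    int r;

    memcpy(pkt, nbns_sample, NBNS_SAMPLE_LEN);
    if (qdcount >= 0)
        pkt[5] = (uint8_t)qdcount;
    if (use_len == 0 || use_len > NBNS_SAMPLE_LEN)
        use_len = NBNS_SAMPLE_LEN;
    r = nbns_parse_questions(pkt, use_len, names, 2);
    if (r > 0 && name_out)
        memcpy(name_out, names[0], 16);
    return r;
}

int main(void)
{
    uint8_t name[16];
    printf("intact packet: %d question(s), name %.15s suffix 0x%02x\n",
           nbns_demo(-1, 0, name), (const char *)name, name[15]);
    printf("truncated to 30 bytes: %d\n", nbns_demo(-1, 30, NULL));
    printf("QDCOUNT=2 with one question present: %d\n", nbns_demo(2, 0, NULL));
    return 0;
}
```

The two checks that matter for the crash described above are the `len - p < NBNS_ENC_LEN + 1` test before the decode loop and the `qdcount > maxnames` test before the loop over questions: a packet may be short, and the count it carries is attacker-controlled, so neither may be trusted before the buffer is touched.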
If timer calculation results in degenerate value (0), force it to 1
to avoid divide-by-zero panic later on in calls to IGMP_RANDOM_DELAY().
I considered simply adding 1 to the timer calculation, but was unsure
if the calculation was part of the IGMP standard or not so did not want
to mess with it for all cases.
and local variables, goto labels, and functions declared but not defined.
for possible buffer overflow problems. Replaced most sprintf()'s
with snprintf(); for other cases, added terminating NUL bytes where
appropriate, replaced constants like "16" with sizeof(), etc.
These changes include several bug fixes, but most changes are for
maintainability's sake. Any instance where it wasn't "immediately
obvious" that a buffer overflow could not occur was made safer.
Reviewed by: Bruce Evans <bde@zeta.org.au>
Reviewed by: Matthew Dillon <dillon@apollo.backplane.com>
Reviewed by: Mike Spengler <mks@networkcs.com>
option not defined the sysctl int value is set to -1 and read-only.
#ifdef KERNEL's added appropriately to wall off visibility of kernel
routines from user code.
Quick add #ifdef KERNEL for ICMP_BANDLIM option so userland program
can #include icmp_var.h
Add ICMP_BANDLIM option and 'net.inet.icmp.icmplim' sysctl. If option
is specified in kernel config, icmplim defaults to 100 pps. Setting it
to 0 will disable the feature. This feature limits ICMP error responses
for packets sent to bad tcp or udp ports, which does a lot to help the
machine handle network D.O.S. attacks.
The kernel will report packet rates that exceed the limit at a rate of
one kernel printf per second. There is one issue in regards to the
'tail end' of an attack... the kernel will not output the last report
until some unrelated and valid icmp error packet is returned at some
point after the attack is over. This is a minor reporting issue only.
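A per-second limiter of the kind the commit describes, as an added example; this is not the kernel's own badport_bandlim() and the names, the struct layout and the report text are this example's assumptions. The limit plays the role of net.inet.icmp.icmplim (100 by default, 0 disables), and the example reproduces the reporting quirk the commit notes: the overrun report for a second is only emitted when the next candidate packet arrives, so the tail of a burst goes unreported until some later ICMP error comes along.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not the FreeBSD kernel's badport_bandlim(): a
 * per-second limiter for ICMP error responses.  Names, fields and the
 * report text are this example's own assumptions. */

#define ICMPLIM_DEFAULT 100   /* the default the commit describes: 100 pps */

struct bandlim {
    int      limit;        /* responses allowed per second; 0 disables */
    uint64_t window;       /* the second the running count belongs to */
    int      count;        /* candidate responses seen in that second */
    int      reports;      /* reports emitted so far */
    int      last_excess;  /* count - limit in the most recent report */
};

void bandlim_init(struct bandlim *b, int limit)
{
    b->limit = limit;
    b->window = 0;
    b->count = 0;
    b->reports = 0;
    b->last_excess = 0;
}

/* Decide whether one ICMP error may be sent at wall-clock second now_sec.
 * Returns 1 to send, 0 to drop.  A report of the previous second's overrun is
 * only emitted here, when the next candidate packet arrives: that is the
 * "tail end" reporting delay the commit message notes. */
int bandlim_allow(struct bandlim *b, uint64_t now_sec)
{
    if (b->limit == 0)
        return 1;                 /* icmplim=0: feature disabled */

    if (now_sec != b->window) {
        if (b->count > b->limit) {
            b->last_excess = b->count - b->limit;
            b->reports++;
            printf("Limiting icmp unreach response from %d to %d packets per second\n",
                   b->count, b->limit);
        }
        b->window = now_sec;
        b->count = 0;
    }
    b->count++;
    return b->count <= b->limit;
}

/* Feed n candidate error responses in second sec; returns how many were sent. */
int bandlim_burst(struct bandlim *b, uint64_t sec, int n)
{
    int sent = 0, i;
    for (i = 0; i < n; i++)
        sent += bandlim_allow(b, sec);
    return sent;
}

int main(void)
{
    struct bandlim b;
    bandlim_init(&b, ICMPLIM_DEFAULT);
    printf("sent %d of 150 in second 10\n", bandlim_burst(&b, 10, 150));
    printf("reports so far: %d (none until the next packet)\n", b.reports);
    bandlim_burst(&b, 12, 1);
    printf("reports after one packet in second 12: %d\n", b.reports);
    return 0;
}
```

The limiter itself is a single counter keyed on the current second, which is enough to bound the error traffic a port scan or flood can provoke; the printf, which is the part that needs its own rate control in a kernel, fires at most once per second by construction because it only runs on a window change.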
Pointed out by: Roman V. Palagin <romanp@wuppy.rcs.ru>
Requested by: bde
when a TCP "stealth" scan is directed at a *BSD box by ensuring the window
is 0 for all RST packets generated through tcp_respond()
Reviewed by: Don Lewis <Don.Lewis@tsc.tdk.com>
Obtained from: Bugtraq (from: Darren Reed <avalon@COOMBS.ANU.EDU.AU>)
modeventhand_t.
Submitted by: Don Lewis <Don.Lewis@tsc.tdk.com>
a fragment which wholly overlapped one or more existing fragments.
Submitted by: Don Lewis <Don.Lewis@tsc.tdk.com>
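The overlap handling a fragment reassembly queue has to get right, including the case of a fragment that wholly overlaps one or more existing fragments, as an added example; this is not ip_reass() from sys/netinet/ip_input.c. Fragments are kept as (offset, length) byte ranges in a fixed array rather than an mbuf chain, and the names and capacity are this example's assumptions. The rules follow the BSD convention: an earlier fragment keeps the bytes it already holds, so a new fragment is trimmed at its front, while the new fragment takes precedence over later ones, which are trimmed at their front or dequeued outright when wholly covered.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not sys/netinet/ip_input.c's ip_reass(): the overlap
 * rules of a fragment reassembly queue kept as (offset, length) byte ranges.
 * Names and the capacity are this example's own. */

#define MAXFRAGS 16

struct frag { uint16_t off, len; };                   /* byte offset and length */
struct reassq { struct frag f[MAXFRAGS]; int n; };    /* sorted, non-overlapping */

/* Insert a fragment.  Returns 0 on success, -1 if the fragment contributes no
 * new bytes or the queue is full.  The queue stays sorted and non-overlapping. */
int reass_insert(struct reassq *q, uint16_t off, uint16_t len)
{
    int i = 0;
    uint16_t end;

    if (len == 0)
        return -1;
    while (i < q->n && q->f[i].off <= off)       /* find the first later fragment */
        i++;
    if (i > 0) {                                  /* overlap with the preceding one */
        uint16_t pend = q->f[i - 1].off + q->f[i - 1].len;
        if (pend > off) {
            uint16_t cut = pend - off;
            if (cut >= len)
                return -1;                        /* entirely inside existing data */
            off += cut;
            len -= cut;
        }
    }
    end = off + len;
    while (i < q->n && q->f[i].off < end) {       /* overlap with later ones */
        uint16_t fend = q->f[i].off + q->f[i].len;
        if (fend <= end) {
            /* wholly covered: dequeue it and look at the next one too, since one
             * new fragment may swallow several existing ones */
            memmove(&q->f[i], &q->f[i + 1], (size_t)(q->n - i - 1) * sizeof q->f[0]);
            q->n--;
            continue;
        }
        q->f[i].len = fend - end;                 /* partial: trim its front */
        q->f[i].off = end;
        break;
    }
    if (q->n >= MAXFRAGS)
        return -1;
    memmove(&q->f[i + 1], &q->f[i], (size_t)(q->n - i) * sizeof q->f[0]);
    q->f[i].off = off;
    q->f[i].len = len;
    q->n++;
    return 0;
}

/* Bytes held by the queue. */
int reass_total(const struct reassq *q)
{
    int i, t = 0;
    for (i = 0; i < q->n; i++)
        t += q->f[i].len;
    return t;
}

/* 1 if the fragments form one gap-free run starting at offset 0. */
int reass_contiguous(const struct reassq *q)
{
    int i;
    uint16_t next = 0;
    if (q->n == 0)
        return 0;
    for (i = 0; i < q->n; i++) {
        if (q->f[i].off != next)
            return 0;
        next = q->f[i].off + q->f[i].len;
    }
    return 1;
}

int main(void)
{
    struct reassq q;
    memset(&q, 0, sizeof q);
    reass_insert(&q, 0, 8);
    reass_insert(&q, 16, 8);
    reass_insert(&q, 32, 8);
    reass_insert(&q, 8, 40);      /* wholly covers the fragments at 16 and 32 */
    printf("%d fragments, %d bytes, contiguous=%d\n",
           q.n, reass_total(&q), reass_contiguous(&q));
    return 0;
}
```

The branch to watch is the `fend <= end` case: the loop has to `continue` after dequeuing so that a second and third wholly covered fragment are removed as well, and the dequeued entry must not be referenced again afterwards, which in the mbuf-based kernel code is where a stale pointer would be used.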
This is the bulk of the support for doing kld modules. Two linker_sets
were replaced by SYSINIT()'s. VFS's and exec handlers are self registered.
kld is now a superset of lkm. I have converted most of them, they will
follow as a separate commit as samples.
This all still works as a static a.out kernel using LKM's.
struct ipovly (they don't exist anymore because they don't work when
pointers are 64bit).
- Don't bother checking for conflicting sockets if we're binding to a
multicast address.
- Don't return an error if we're binding to INADDR_ANY, the conflicting
socket is bound to INADDR_ANY, and the conflicting socket has SO_REUSEPORT
set.
PR: kern/7713
Ignore ARP replies from the wrong interface (discussion on mailing list)
Add interface name to a couple of error messages
addresses by default.
Add a knob "icmp_bmcastecho" to "rc.network" to allow this
behaviour to be controlled from "rc.conf".
Document the controlling sysctl variable "net.inet.icmp.bmcastecho"
in sysctl(3).
Reviewed by: dg, jkh
Reminded on -hackers by: Steinar Haug <sthaug@nethelp.no>
PR: 7892
Submitted by: Don.Lewis@tsc.tdk.com
4.1.4. Experimental Protocol
A system should not implement an experimental protocol unless it
is participating in the experiment and has coordinated its use of
the protocol with the developer of the protocol.
Pointed out by: Steinar Haug <sthaug@nethelp.no>
This will allow us to add dummynet to 3.0
Recompile /sbin/ipfw AND your kernel.
PR: 7802
Submitted by: Steve McCanne <mccanne@cs.berkeley.edu>
OS rather than making it a mess and potentially screwing
up cross builds.
Suggested by: bde
Add Id keyword.
ip header which can't work on alpha since pointers are too big.
Reviewed by: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
another specialized mbuf type in the process. Also clean up some
of the cruft surrounding IPFW, multicast routing, RSVP, and other
ill-explored corners.
for `u_long cmd' ioctl args if __FreeBSD_version >= 300003. Some ioctls
were broken on machines with 32-bit ints and 64-bit longs.
on some 64-bit systems). print_ip() should use inet_ntoa() instead of
bloated inline code with 4 ntohl()s.
Reviewed by: Julian Elischer <julian@whistle.com>