path: root/sys/netinet
Commit message [Author; Age; Files; Lines]
* In tcp_respond(), correctly reset returned IPv6 header. This is essential when the original packet contains an IPv6 extension header.
  Obtained from: KAME
  MFC after: 1 week
  [Author: ume; Age: 2002-02-04; Files: 2; Lines: -0/+6]
* WARNS=n and lint(1) silencer. Declare an array of (const) strings as const char.
  [Author: markm; Age: 2002-02-03; Files: 1; Lines: -1/+1]
* The ipfw(8) 'tee' action simply hasn't worked on incoming packets for some time. _All_ packets, regardless of destination, were accepted by the machine as if addressed to it. Jump back to 'pass' processing for a teed packet instead of falling through as if it was ours.
  PR: kern/31130
  Reviewed by: -net, luigi
  MFC after: 2 weeks
  [Author: cjc; Age: 2002-01-26; Files: 1; Lines: -0/+3]
* The ENDPTS_EQ macro was comparing one of the fports to itself. Fix.
  Submitted by: emy@boostworks.com
  [Author: jlemon; Age: 2002-01-22; Files: 1; Lines: -1/+1]
* - Check the address family of the destination cached in a PCB.
  - Clear the cached destination before getting another cached route. Otherwise, garbage in the padding space (which might be filled in if it was used for IPv4) could annoy rtalloc.
  Obtained from: KAME
  [Author: ume; Age: 2002-01-21; Files: 2; Lines: -4/+12]
* RFC1122 requires that addresses of the form { 127, <any> } MUST NOT appear outside a host.
  PR: 30792, 33996
  Obtained from: ip_input.c
  MFC after: 1 week
  [Author: ru; Age: 2002-01-21; Files: 1; Lines: -1/+11]
* Fix a panic condition in icmp_reflect() introduced in rev. 1.61. (We should be able to handle locally originated IP packets, and these do not have m_pkthdr.rcvif set.)
  PR: kern/32806, kern/33766
  Reviewed by: luigi
  Fix tested by: Maxim Konovalov <maxim@macomnet.ru>, Erwin Lansing <erwin@lansing.dk>
  [Author: ru; Age: 2002-01-11; Files: 1; Lines: -2/+2]
* Initialise the intrq_present fields at runtime, not link time. This allows us to load protocols at runtime, and avoids the use of common variables. Also fix the ip6_intrq assignment so that it works at all.
  [Author: msmith; Age: 2002-01-08; Files: 1; Lines: -1/+1]
* Fix a missing "ipfw:" in a syslog message.
  MFC after: 1 day
  [Author: cjc; Age: 2002-01-07; Files: 1; Lines: -1/+1]
* Pre-calculate the checksum for multicast packets sourced on a multicast router. This is overkill; it should be possible to delay to hardware interfaces and only pre-calculate when forwarding to a tunnel.
  [Author: fenner; Age: 2002-01-05; Files: 1; Lines: -0/+12]
* o Spelling fix in comment: tcp_ouput -> tcp_output
  [Author: rwatson; Age: 2002-01-04; Files: 2; Lines: -2/+2]
* Don't reveal a router in the IPSTEALTH mode through IP options. The following steps are involved:
  a) the IP options related to routing (LSRR and SSRR) are processed as though the router were a host,
  b) the other IP options are processed as usual only if the packet is destined for the router; otherwise they are ignored.
  PR: kern/23123
  Discussed in: freebsd-hackers
  [Author: yar; Age: 2001-12-29; Files: 1; Lines: -4/+41]
* Fix ipfw fwd so that it acts as the docs say when forwarding an incoming packet to another machine.
  Obtained from: Vicor Production tree
  MFC after: 3 weeks
  [Author: julian; Age: 2001-12-28; Files: 2; Lines: -10/+24]
* Implement matching IP precedence in ipfw(4).
  Submitted by: Igor Timkin <ivt@gamma.ru>
  [Author: yar; Age: 2001-12-21; Files: 2; Lines: -2/+6]
* Remove a change that snuck in from my private tree.
  [Author: jlemon; Age: 2001-12-21; Files: 1; Lines: -1/+0]
* If syncookies are disabled (net.inet.tcp.syncookies) then use the faster arc4random() routine to generate ISNs instead of creating them with MD5().
  Suggested by: silby
  [Author: jlemon; Age: 2001-12-21; Files: 2; Lines: -1/+5]
* When storing an int value in a void *, use intptr_t as the cast type (instead of int) to keep the 64 bit platforms happy.
  [Author: jlemon; Age: 2001-12-19; Files: 1; Lines: -2/+2]
* Don't try to free a NULL route when doing IPFIREWALL_FORWARD. An old route will be NULL at that point if a packet were initially routed to an interface (using the IP_ROUTETOIF flag.)
  Submitted by: Igor Timkin <ivt@gamma.ru>
  [Author: yar; Age: 2001-12-19; Files: 1; Lines: -1/+2]
* Extend the SYN DoS defense by adding syncookies to the syncache. All TCP ISNs that are sent out are valid cookies, which allows entries in the syncache to be dropped and still have the ACK accepted later. As all entries pass through the syncache, there is no sudden switchover from cache -> cookies when the cache is full; instead, syncache entries simply have a reduced lifetime. More details may be found in the "Resisting DoS attacks with a SYN cache" paper in the Usenix BSDCon 2002 conference proceedings.
  Sponsored by: DARPA, NAI Labs
  [Author: jlemon; Age: 2001-12-19; Files: 1; Lines: -14/+193]
* Fixed the bug in transparent TCP proxying with the "encode_ip_hdr" option -- TcpAliasOut() did not catch the IP header length change.
  Submitted by: Stepachev Andrey <aka50@mail.ru>
  [Author: ru; Age: 2001-12-18; Files: 1; Lines: -1/+3]
* o Add IPOPT_ESO for the 'Extended Security' IP option (RFC1108)
  Obtained from: TrustedBSD Project
  [Author: rwatson; Age: 2001-12-14; Files: 1; Lines: -0/+1]
* o Add definition for IPOPT_CIPSO, the commercial security IP option number.
  Submitted by: Ilmar S. Habibulin <ilmar@watson.org>
  Obtained from: TrustedBSD Project
  [Author: rwatson; Age: 2001-12-14; Files: 1; Lines: -0/+1]
* whitespace and style fixes recovered from -stable.
  [Author: jlemon; Age: 2001-12-14; Files: 1; Lines: -33/+35]
* minor style and whitespace fixes.
  [Author: jlemon; Age: 2001-12-14; Files: 1; Lines: -11/+12]
* whitespace fixes.
  [Author: jlemon; Age: 2001-12-14; Files: 2; Lines: -7/+7]
* minor whitespace fixes.
  [Author: jlemon; Age: 2001-12-14; Files: 1; Lines: -1/+1]
* Reduce the local network slowstart flightsize from infinity to 4 packets. Now that we've increased the size of our send / receive buffers, bursting an entire window onto the network may cause congestion. As a result, we will slow start beginning with a flightsize of 4 packets.
  Problem reported by: Thomas Zenker <thz@Lennartz-electronic.de>
  MFC after: 3 days
  [Author: silby; Age: 2001-12-14; Files: 1; Lines: -1/+1]
* Undo one of my last minute changes; move sc_iss up earlier so it is initialized in case we take the T/TCP path.
  [Author: jlemon; Age: 2001-12-13; Files: 1; Lines: -1/+1]
* Fix up tabs from cut&n&paste.
  [Author: jlemon; Age: 2001-12-13; Files: 1; Lines: -8/+8]
* Fix up tabs in comments.
  [Author: jlemon; Age: 2001-12-13; Files: 2; Lines: -8/+8]
* Minor style fixes.
  [Author: jlemon; Age: 2001-12-13; Files: 1; Lines: -2/+2]
* Minor style fix.
  [Author: jlemon; Age: 2001-12-13; Files: 1; Lines: -2/+2]
* Update to C99, s/__FUNCTION__/__func__/, also don't use ANSI string concatenation.
  [Author: obrien; Age: 2001-12-10; Files: 2; Lines: -3/+3]
* o Our current userland boot code (due to rc.conf and rc.network) always enables TCP keepalives using the net.inet.tcp.always_keepalive by default. Synchronize the kernel default with the userland default.
  [Author: rwatson; Age: 2001-12-07; Files: 1; Lines: -1/+1]
* Fixed remotely exploitable DoS in arpresolve(). Easily exploitable by flood pinging the target host over an interface with the IFF_NOARP flag set (all you need to know is the target host's MAC address).
  MFC after: 0 days
  [Author: ru; Age: 2001-12-05; Files: 1; Lines: -1/+3]
* o Introduce pr_mtx into struct prison, providing protection for the mutable contents of struct prison (hostname, securelevel, refcount, pr_linux, ...)
  o Generally introduce mtx_lock()/mtx_unlock() calls throughout kern/ so as to enforce these protections, in particular, in kern_mib.c protection sysctl access to the hostname and securelevel, as well as kern_prot.c access to the securelevel for access control purposes.
  o Rewrite linux emulator abstractions for accessing per-jail linux mib entries (osname, osrelease, osversion) so that they don't return a pointer to the text in the struct linux_prison, rather, a copy to an array passed into the calls. Likewise, update linprocfs to use these primitives.
  o Update in_pcb.c to always use prison_getip() rather than directly accessing struct prison.
  Reviewed by: jhb
  [Author: rwatson; Age: 2001-12-03; Files: 1; Lines: -2/+2]
* Fix a bug with transmitter restart after receiving a 0 window. The receiver was not sending an immediate ack with delayed acks turned on when the input buffer is drained, preventing the transmitter from restarting immediately. Propagate the TCP_NODELAY option to accept()ed sockets. (Helps tbench and is a good idea anyway). Some cleanup. Identify additional issues in comments.
  MFC after: 1 day
  [Author: dillon; Age: 2001-12-02; Files: 5; Lines: -19/+56]
* Allow for ip_output() to be called with a NULL route pointer. This fixes a panic I introduced yesterday in ip_icmp.c,v 1.64.
  [Author: ru; Age: 2001-12-01; Files: 2; Lines: -6/+7]
* o Stop abusing MD headers with non-MD types.
  o Hide nonstandard functions and types in <netinet/in.h> when _POSIX_SOURCE is defined.
  o Add some missing types (required by POSIX.1-200x) to <netinet/in.h>.
  o Restore vendor ID from Rev 1.1 in <netinet/in.h> and make use of new __FBSDID() macro.
  o Fix some miscellaneous issues in <arpa/inet.h>.
  o Correct final argument for the inet_ntop() function (POSIX.1-200x).
  o Get rid of the namespace pollution from <sys/types.h> in <arpa/inet.h>.
  Reviewed by: fenner
  Partially submitted by: bde
  [Author: mike; Age: 2001-12-01; Files: 1; Lines: -0/+15]
* The transmit burst limit for newreno completely breaks TCP's performance if the receive side is using delayed acks. Temporarily remove it.
  MFC after: 0 days
  [Author: dillon; Age: 2001-11-30; Files: 1; Lines: -0/+10]
* During SIOCAIFADDR, if in_ifinit() fails and we've already added an interface address, blow the address away again before returning the error. In in_ifinit(), if we get an error from rtinit() and we've also got a destination address, return the error rather than masking EEXISTS. Failing to create a host route when configuring an interface should be treated as an error.
  [Author: brian; Age: 2001-11-30; Files: 1; Lines: -24/+39]
* - Make ip_rtaddr() global, and use it to look up the correct source address in icmp_reflect().
  - Two new "struct icmpstat" members: icps_badaddr and icps_noroute.
  PR: kern/31575
  Obtained from: BSD/OS
  MFC after: 1 week
  [Author: ru; Age: 2001-11-30; Files: 4; Lines: -42/+35]
* ipfw_modevent(): Don't use an unnatural block to define a variable (fcp) that's already defined in the outer block and isn't used anywhere else. This silences -Wunused.
  Reviewed by: md5(1)
  [Author: dd; Age: 2001-11-27; Files: 1; Lines: -3/+0]
* Remove debugging printfs that weren't conditional on any debugging options in handling MOD_{UN,}LOAD (they weren't very useful, anyway).
  [Author: dd; Age: 2001-11-27; Files: 1; Lines: -2/+0]
* In icmp_reflect(): If the packet was not addressed to us and was received on an interface without an IP address, try to find a non-loopback AF_INET address to use. If that fails, drop it. Previously, we used the address at the top of the in_ifaddrhead list, which didn't make much sense, and would cause a panic if there were no AF_INET addresses configured on the system.
  PR: 29337, 30524
  Reviewed by: ru, jlemon
  Obtained from: NetBSD
  [Author: dd; Age: 2001-11-27; Files: 1; Lines: -2/+15]
* Add include of net/route.h, as structures moved around due to the syncache rely on 'struct route' being defined. This fixes the LINT build some.
  [Author: rwatson; Age: 2001-11-27; Files: 1; Lines: -0/+1]
* Clear a new syncache entry first, followed by filling in values. This fixes route breakage due to uncleared garbage on my box.
  [Author: tanimura; Age: 2001-11-27; Files: 1; Lines: -4/+4]
* When servicing an internal FTP server, punch ipfirewall(4) holes for passive mode data connections (PASV/EPSV -> 227/229). Well, the actual punching happens a bit later, when the aliasing link becomes fully specified.
  Prodded by: Danny Carroll <dannycarroll@hotmail.com>
  MFC after: 1 week
  [Author: ru; Age: 2001-11-27; Files: 1; Lines: -5/+2]
* Restore the ability to use IP_FW_ADD with setsockopt(2) that got broken in revision 1.86. This broke natd(8)'s -punch_fw option.
  Reported by: Daniel Rock <D.Rock@t-online.de>, setantae <setantae@submonkey.net>
  [Author: ru; Age: 2001-11-26; Files: 1; Lines: -0/+1]
* Fixed a buffer overrun. In my kernel configuration, tcp_syncache happens to be followed by nfsnodehashtbl, so bzeroing callouts beyond the end of tcp_syncache soon caused a null pointer panic when nfsnodehashtbl was accessed.
  [Author: bde; Age: 2001-11-23; Files: 1; Lines: -1/+1]