CVS log for src/sys/netinet/Attic/ip_fw.c
Keyword substitution: kv
Default branch: MAIN
Revision 1.193
Tue Jun 24 07:12:11 2003 UTC (8 years, 7 months ago) by luigi
Branches: MAIN
CVS tags: HEAD
FILE REMOVED
Changes since revision 1.192: +1 -1 lines
remove unused file (ipfw2 is the default in RELENG_5 and above; the old ipfw1 has been unused and unmaintained for a long time).
Revision 1.192
Wed Feb 19 05:47:33 2003 UTC (8 years, 11 months ago) by imp
Branches: MAIN
CVS tags: RELENG_5_1_BP, RELENG_5_1_0_RELEASE, RELENG_5_1
Changes since revision 1.191: +2 -2 lines
Back out M_* changes, per decision of the TRB. Approved by: trb
Revision 1.191
Tue Jan 21 08:56:03 2003 UTC (9 years ago) by alfred
Branches: MAIN
Changes since revision 1.190: +2 -2 lines
Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0. Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
Revision 1.131.2.39
Mon Jan 20 02:23:07 2003 UTC (9 years ago) by iedowse
Branches: RELENG_4
CVS tags: RELENG_4_9_BP, RELENG_4_9_0_RELEASE, RELENG_4_9, RELENG_4_8_BP, RELENG_4_8_0_RELEASE, RELENG_4_8, RELENG_4_11_BP, RELENG_4_11_0_RELEASE, RELENG_4_11, RELENG_4_10_BP, RELENG_4_10_0_RELEASE, RELENG_4_10
Changes since revision 1.131.2.38: +5 -0 lines
MFC: Bridged packets need to have their IP header converted to host byte order before being passed to icmp_error().
Revision 1.190
Fri Dec 27 17:43:25 2002 UTC (9 years, 1 month ago) by iedowse
Branches: MAIN
Changes since revision 1.189: +6 -1 lines
Bridged packets are supplied to the firewall with their IP header in network byte order, but icmp_error() expects the IP header to be in host order and the code here did not perform the necessary swapping for the bridged case. This bug causes an "icmp_error: bad length" panic when certain length IP packets (e.g. ip_len == 0x100) are rejected by the firewall with an ICMP response. MFC after: 3 days
Revision 1.189
Thu Dec 19 22:58:26 2002 UTC (9 years, 1 month ago) by bmilekic
Branches: MAIN
Changes since revision 1.188: +2 -2 lines
o Untangle the confusion with the malloc flags {M_WAITOK, M_NOWAIT} and
the mbuf allocator flags {M_TRYWAIT, M_DONTWAIT}.
o Fix a bpf_compat issue where malloc() was defined to just call
bpf_alloc() and pass the 'canwait' flag(s) along. It's been changed
to call bpf_alloc() but pass the corresponding M_TRYWAIT or M_DONTWAIT
flag (and only one of those two).
Submitted by: Hiten Pandya <hiten@unixdaemons.com> (hiten->commit_count++)
Revision 1.131.2.38
Thu Nov 21 01:27:30 2002 UTC (9 years, 2 months ago) by luigi
Branches: RELENG_4
Changes since revision 1.131.2.37: +0 -1 lines
MFC: obey fw_one_pass in bridge and layer 2 firewalling (the latter only affects ipfw2 users). Move fw_one_pass from ip_fw[2].c to ip_input.c to avoid depending on IPFIREWALL.
Revision 1.131.2.37
Tue Oct 29 09:45:25 2002 UTC (9 years, 3 months ago) by maxim
Branches: RELENG_4
Changes since revision 1.131.2.36: +1 -1 lines
Lower a priority of "session drop" messages. Requested by: Eugene Grosbein <eugen@kuzbass.ru>
Revision 1.131.2.36
Mon Oct 28 12:44:16 2002 UTC (9 years, 3 months ago) by maxim
Branches: RELENG_4
Changes since revision 1.131.2.35: +17 -4 lines
o Fix remove_dyn_rule() logic.
o Re-lookup a parent after EXPIRE_DYN_CHAIN().
o MFC rev. 1.14 ip_fw2.c: do not abuse console with 'session drop' messages.
PR: kern/32600, kern/35887
Submitted by: Dan Pelleg <daniel+bsd@pelleg.org>
Reviewed by: -stable
Changes #1 and #2 do not apply to -CURRENT.
Many thanks to Dan Pelleg <daniel+bsd@pelleg.org>, Dmitry Afanasiev <dima@KOT.SPb.Ru>, Eugene Grosbein <eugen@kuzbass.ru> and Andrew Zavjalov <jerom@gambit.com.ru> for testing.
Revision 1.131.2.35
Mon Jul 29 02:04:25 2002 UTC (9 years, 6 months ago) by luigi
Branches: RELENG_4
CVS tags: RELENG_4_7_BP, RELENG_4_7_0_RELEASE, RELENG_4_7
Changes since revision 1.131.2.34: +4 -4 lines
ipfw1 cannot handle non-IP packets, so just return 0 (and accept them) when it encounters them.
Revision 1.131.2.34
Tue Jul 9 09:11:42 2002 UTC (9 years, 7 months ago) by luigi
Branches: RELENG_4
Changes since revision 1.131.2.33: +81 -65 lines
The purpose of this commit is to bring the net/ and netinet/ sources
more in sync with what is in -current, so that maintenance and
bugfix of the two trees is not a nightmare.
THERE IS NO FUNCTIONAL OR EXTERNAL API CHANGE IN THIS COMMIT
You should not need to recompile any userland code.
In (some) more detail, this commit does the following:
* remove a number of static variables from the ip stack that were
used to support DIVERT, IPFIREWALL_FORWARD and stateful rules/
dynamic pipes. These are replaced with packet annotations, much
in the same (ugly for someone, but it is extremely fast and easy
to extend) way used for ages to support dummynet annotations.
On passing, fix a bug in the handling of divert for fragmented packets.
* as part of the removal of static variables, change the (internal)
interface of ip_fw_chk() to use a single structure to hold arguments.
Adapt clients of the above (ip_input, ip_output, bridge, ether_output,
ether_demux) to use the new interface.
* remove some unused variables.
* remove some of the __P() macros from some of the files involved
Because of the NO FUNCTIONAL CHANGE you don't get the following features
which are in -current:
* ipfw on layer-2 packets. All the hooks and the code are there,
but the controlling variable
net.link.ether.ipfw: 0
is readonly because i am only 99% confident on how the old ipfw
handles these frames. Just edit if_ethersubr.c to make the
variable RW if you want this feature. I might commit this in
due time if there is interest.
* ipfw2, the new, faster and more flexible firewall code.
The code has hooks to make use of ipfw2, and I will make patches
available to use it (it is basically 3 files, netinet/ip_fw2.[ch],
sbin/ipfw/ipfw2.c, plus one-line changes in conf/options,
conf/files and sbin/ipfw/Makefile, plus libalias patches).
Revision 1.188
Sat Jun 22 11:51:02 2002 UTC (9 years, 7 months ago) by luigi
Branches: MAIN
CVS tags: RELENG_5_0_BP, RELENG_5_0_0_RELEASE, RELENG_5_0
Changes since revision 1.187: +42 -38 lines
Remove (almost all) global variables that were used to hold
packet forwarding state ("annotations") during ip processing.
The code is considerably cleaner now.
The variables removed by this change are:
ip_divert_cookie used by divert sockets
ip_fw_fwd_addr used for transparent ip redirection
last_pkt used by dynamic pipes in dummynet
Removal of the first two has been done by carrying the annotations
into volatile structs prepended to the mbuf chains, and adding
appropriate code to add/remove annotations in the routines which
make use of them, i.e. ip_input(), ip_output(), tcp_input(),
bdg_forward(), ether_demux(), ether_output_frame(), div_output().
On passing, remove a bug in divert handling of fragmented packet.
Now it is the fragment at offset 0 which sets the divert status of
the whole packet, whereas formerly it was the last incoming fragment
to decide.
Removal of last_pkt required a change in the interface of ip_fw_chk()
and dummynet_io(). On passing, use the same mechanism for dummynet
annotations and for divert/forward annotations.
option IPFIREWALL_FORWARD is effectively useless, the code to
implement it is very small and is now in by default to avoid the
obfuscation of conditionally compiled code.
NOTES:
* there is at least one global variable left, sro_fwd, in ip_output().
I am not sure if/how this can be removed.
* I have deliberately avoided gratuitous style changes in this commit
to avoid cluttering the diffs. Minor style cleanup will likely be
necessary
* this commit only focused on the IP layer. I am sure there is a
number of global variables used in the TCP and maybe UDP stack.
* despite the number of files touched, there are absolutely no API's
or data structures changed by this commit (except the interfaces of
ip_fw_chk() and dummynet_io(), which are internal anyways), so
an MFC is quite safe and unintrusive (and desirable, given the
improved readability of the code).
MFC after: 10 days
Revision 1.187
Mon May 13 10:21:13 2002 UTC (9 years, 9 months ago) by luigi
Branches: MAIN
Changes since revision 1.186: +1 -2 lines
Remove custom definitions (IP_FW_TCPF_SYN etc.) of TCP header flags which are the same as the original ones (TH_SYN etc.)
Revision 1.186
Sun May 12 20:43:50 2002 UTC (9 years, 9 months ago) by luigi
Branches: MAIN
Changes since revision 1.185: +108 -62 lines
Add code to match MAC header fields (at the moment supported on
bridged packets only, soon to come also for packets on ordinary
ether_input() and ether_output() paths. The syntax is
ipfw add <action> MAC dst src type
where dst and src can be "any" or a MAC address optionally followed
by a mask, e.g.
10:20:30:40:50
10:20:30:40:50/32
10:20:30:40:50&ff:ff:ff:f0:ff:0f
and type can be a single ethernet type, a range, or a type followed by
a mask (values are always in hexadecimal) e.g.
0800
0800-0806
0800/8
0800&03ff
Note, I am still uncertain on what is the best format for inputting
these values, having the values in hexadecimal is convenient in most
cases but can be confusing sometimes. Suggestions welcome.
Implement suggestion from PR 37778 to allow "not me" on destination
and source IP. The code in the PR was slightly wrong and interfered
with the normal handling of IP addresses. This version hopefully is
correct.
Minor cleanup of the code, in some places moving the indentation to 4
spaces because the code was becoming too deep. Eventually, in a
separate commit, I will move the whole file to 4 space indent.
Revision 1.185
Thu May 9 10:34:57 2002 UTC (9 years, 9 months ago) by luigi
Branches: MAIN
Changes since revision 1.184: +82 -75 lines
Cleanup the interface to ip_fw_chk, two of the input arguments
were totally useless and have been removed.
ip_input.c, ip_output.c:
Properly initialize the "ip" pointer in case the firewall does an
m_pullup() on the packet.
Remove some debugging code forgotten long ago.
ip_fw.[ch], bridge.c:
Prepare the grounds for matching MAC header fields in bridged packets,
so we can have 'etherfw' functionality without a lot of kernel and
userland bloat.
Revision 1.131.2.33
Wed May 1 21:30:05 2002 UTC (9 years, 9 months ago) by cjc
Branches: RELENG_4
CVS tags: RELENG_4_6_BP, RELENG_4_6_2_RELEASE, RELENG_4_6_1_RELEASE, RELENG_4_6_0_RELEASE, RELENG_4_6
Changes since revision 1.131.2.32: +6 -2 lines
MFC: Enlighten those who read the FINE POINTS of the documentation a bit more on how ipfw(8) deals with tiny fragments. While we're at it, add a quick log message to even let people know we dropped a packet. (Note that the second FINE POINT is somewhat redundant given the first, but since the code is there, leave the docs for it.)
src/sbin/ipfw/ipfw.8: 1.102
src/sys/netinet/ip_fw.c: 1.184
Revision 1.184
Wed May 1 06:29:16 2002 UTC (9 years, 9 months ago) by cjc
Branches: MAIN
Changes since revision 1.183: +6 -2 lines
Enlighten those who read the FINE POINTS of the documentation a bit more on how ipfw(8) deals with tiny fragments. While we're at it, add a quick log message to even let people know we dropped a packet. (Note that the second FINE POINT is somewhat redundant given the first, but since the code is there, leave the docs for it.) MFC after: 1 day
Revision 1.131.2.32
Fri Mar 8 20:14:37 2002 UTC (9 years, 11 months ago) by luigi
Branches: RELENG_4
Changes since revision 1.131.2.31: +4 -2 lines
MFC: 1.181->1.182, cache result of previous lookups in skipto rules.
Revision 1.183
Wed Feb 27 18:32:17 2002 UTC (9 years, 11 months ago) by jhb
Branches: MAIN
Changes since revision 1.182: +1 -1 lines
Simple p_ucred -> td_ucred changes to start using the per-thread ucred reference.
Revision 1.182
Wed Feb 20 17:15:57 2002 UTC (9 years, 11 months ago) by luigi
Branches: MAIN
Changes since revision 1.181: +4 -2 lines
BUGFIX: make use of the pointer to the target of skipto rules, so that after the first time we can follow the pointer instead of having to scan the list. This was the intended behaviour from day one. PR: 34639 MFC-after: 3 days
Revision 1.181
Mon Feb 18 20:35:22 2002 UTC (9 years, 11 months ago) by mike
Branches: MAIN
Changes since revision 1.180: +2 -2 lines
o Move NTOHL() and associated macros into <sys/param.h>. These are deprecated in favor of the POSIX-defined lowercase variants.
o Change all occurrences of NTOHL() and associated macros in the source tree to use the lowercase function variants.
o Add missing license bits to sparc64's <machine/endian.h>. Approved by: jake
o Clean up <machine/endian.h> files.
o Remove unused __uint16_swap_uint32() from i386's <machine/endian.h>.
o Remove prototypes for non-existent bswapXX() functions.
o Include <machine/endian.h> in <arpa/inet.h> to define the POSIX-required ntohl() family of functions.
o Do similar things to expose the ntohl() family in libstand, <netinet/in.h>, and <sys/param.h>.
o Prepend underscores to the ntohl() family to help deal with complexities associated with having MD (asm and inline) versions, and having to prevent exposure of these functions in other headers that happen to make use of endian-specific defines.
o Create weak aliases to the canonical function name to help deal with third-party software forgetting to include an appropriate header.
o Remove some now unneeded pollution from <sys/types.h>.
o Add missing <arpa/inet.h> includes in userland.
Tested on: alpha, i386
Reviewed by: bde, jake, tmm
Revision 1.131.2.31
Tue Feb 12 05:01:53 2002 UTC (10 years ago) by dd
Branches: RELENG_4
Changes since revision 1.131.2.30: +2 -4 lines
MFC 1.176, 1.180: silence warnings.
Revision 1.180
Sun Feb 10 22:22:05 2002 UTC (10 years ago) by dd
Branches: MAIN
Changes since revision 1.179: +2 -0 lines
Silence unused variable warning in the !KLD_MODULE case. Submitted by: archie
Revision 1.131.2.30
Mon Jan 7 22:40:22 2002 UTC (10 years, 1 month ago) by cjc
Branches: RELENG_4
CVS tags: RELENG_4_5_BP, RELENG_4_5_0_RELEASE, RELENG_4_5
Changes since revision 1.131.2.29: +1 -1 lines
MFC 1.179: Fix a missing "ipfw:" in a syslog message. Approved by: re
Revision 1.179
Mon Jan 7 07:12:09 2002 UTC (10 years, 1 month ago) by cjc
Branches: MAIN
Changes since revision 1.178: +1 -1 lines
Fix a missing "ipfw:" in a syslog message. MFC after: 1 day
Revision 1.178
Fri Dec 21 18:43:02 2001 UTC (10 years, 1 month ago) by yar
Branches: MAIN
Changes since revision 1.177: +4 -1 lines
Implement matching IP precedence in ipfw(4). Submitted by: Igor Timkin <ivt@gamma.ru>
Revision 1.177
Fri Dec 14 19:32:00 2001 UTC (10 years, 1 month ago) by jlemon
Branches: MAIN
Changes since revision 1.176: +1 -1 lines
minor whitespace fixes.
Revision 1.131.2.29
Sun Dec 9 19:02:55 2001 UTC (10 years, 2 months ago) by dd
Branches: RELENG_4
Changes since revision 1.131.2.28: +0 -2 lines
MFC 1.175: nuke debugging printfs.
Revision 1.176
Tue Nov 27 20:32:47 2001 UTC (10 years, 2 months ago) by dd
Branches: MAIN
Changes since revision 1.175: +0 -3 lines
ipfw_modevent(): Don't use an unnatural block to define a variable (fcp) that's already defined in the outer block and isn't used anywhere else. This silences -Wunused. Reviewed by: md5(1)
Revision 1.175
Tue Nov 27 20:28:48 2001 UTC (10 years, 2 months ago) by dd
Branches: MAIN
Changes since revision 1.174: +0 -2 lines
Remove debugging printfs that weren't conditional on any debugging
options in handling MOD_{UN,}LOAD (they weren't very useful, anyway).
Revision 1.174
Sun Nov 4 22:56:25 2001 UTC (10 years, 3 months ago) by luigi
Branches: MAIN
Changes since revision 1.173: +96 -77 lines
MFS: sync the ipfw/dummynet/bridge code with the one recently merged
into stable (mostly, but not only, formatting and comments changes).
Revision 1.131.2.28
Sun Nov 4 18:24:04 2001 UTC (10 years, 3 months ago) by luigi
Branches: RELENG_4
Changes since revision 1.131.2.27: +30 -26 lines
Remove a leftover bzero(), plus a number of indentation and comment fixes spotted by a diff versus HEAD. No functional changes.
Revision 1.131.2.27
Sat Nov 3 00:36:09 2001 UTC (10 years, 3 months ago) by luigi
Branches: RELENG_4
Changes since revision 1.131.2.26: +561 -457 lines
Mega-MFC for ipfw/bridge/dummynet features and fixes added over the past couple of months:
* merge of ipfw rule descriptor and chain pointer. No functional change, but the internal data structures and code are way more readable;
* BillF code to make ipfw/dummynet/bridge KLD'able. NOTA BENE: this still has some rough edges, which are mostly due to bugs in kldload() rather than in this code.
* add a new type of dynamic rule that lets you limit the number of simultaneous connections matching certain criteria (with the usual aggregation based on port/address masks)
* fix spl*() protection in some parts of the code;
This code also includes some minor bugfixes and code cleanup that I will port to CURRENT as soon as i have a chance.
I have tested the code as much as i could, but there is really a million combinations so I might have missed some corner case. Please report if you have problems building things.
The only thing known not to work is bridge.ko -- it does forward correctly, but packets directed to the bridge itself are only received from one interface (i suspect some missing initialization), and there are some other issues at unloading time. Please use the statically compiled code for the time being.
NOTE ON KLD: It appears that kldload/unload is unable to handle the case of (erroneously) loading/unloading a module which is already compiled in. What happens is that load fails, but the module is listed as loaded, and then the system panics if you attempt an unloading of the module. This problem needs fixing in the module loading/unloading code, which is not in my area of competence.
Revision 1.173
Fri Oct 5 07:06:31 2001 UTC (10 years, 4 months ago) by ps
Branches: MAIN
Changes since revision 1.172: +3 -5 lines
Only allow users to see their own socket connections if kern.ipc.showallsockets is set to 0. Submitted by: billf (with modifications by me) Inspired by: Dave McKay (aka pm aka Packet Magnet) Reviewed by: peter MFC after: 2 weeks
Revision 1.172
Fri Oct 5 05:45:26 2001 UTC (10 years, 4 months ago) by ps
Branches: MAIN
Changes since revision 1.171: +6 -14 lines
Make it so dummynet and bridge can be loaded as modules. Submitted by: billf
Revision 1.131.2.26
Thu Oct 4 01:56:01 2001 UTC (10 years, 4 months ago) by luigi
Branches: RELENG_4
Changes since revision 1.131.2.25: +3 -3 lines
Remove an additional newline in a string. Noticed-by: gcc -pedantic
Revision 1.171
Mon Oct 1 17:35:54 2001 UTC (10 years, 4 months ago) by luigi
Branches: MAIN
Changes since revision 1.170: +4 -4 lines
Fix a problem with unnumbered rules introduced in latest commit. Reported by: des
Revision 1.170
Thu Sep 27 23:44:26 2001 UTC (10 years, 4 months ago) by luigi
Branches: MAIN
Changes since revision 1.169: +243 -165 lines
Two main changes here: + implement "limit" rules, which permit to limit the number of sessions between certain host pairs (according to masks). These are a special type of stateful rules, which might be of interest in some cases. See the ipfw manpage for details. + merge the list pointers and ipfw rule descriptors in the kernel, so the code is smaller, faster and more readable. This patch basically consists in replacing "foo->rule->bar" with "rule->bar" all over the place. I have been willing to do this for ages! MFC after: 1 week
Revision 1.169
Wed Sep 26 19:58:29 2001 UTC (10 years, 4 months ago) by rwatson
Branches: MAIN
Changes since revision 1.168: +9 -4 lines
o Modify IPFW and DUMMYNET administrative setsockopt() calls to use securelevel_gt() to check the securelevel, rather than direct access to the securelevel variable. Obtained from: TrustedBSD Project
Revision 1.168
Mon Sep 24 05:24:19 2001 UTC (10 years, 4 months ago) by luigi
Branches: MAIN
Changes since revision 1.167: +5 -7 lines
Fix a null pointer dereference introduced in the last commit, plus remove a useless assignment and move a comment. Submitted by: Thomas Moestl
Revision 1.167
Thu Sep 20 13:52:49 2001 UTC (10 years, 4 months ago) by luigi
Branches: MAIN
Changes since revision 1.166: +319 -305 lines
A bunch of minor changes to the code (see below) for readability, code size and speed. No new functionality added (yet) apart from a bugfix. MFC will occur in due time and probably in stages.
BUGFIX: fix a problem in old code which prevented reallocation of the hash table for dynamic rules (there is a PR on this).
OTHER CHANGES:
minor changes to the internal struct for static and dynamic rules. Requires rebuild of ipfw binary.
Add comments to show how data structures are linked together. (It probably makes no sense to keep the chain pointers separate from actual rule descriptors. They will be hopefully merged soon.)
keep a (sysctl-readable) counter for the number of static rules, to speed up IP_FW_GET operations
initial support for a "grace time" for expired connections, so we can set timeouts for closing connections to much shorter times.
merge zero_entry() and resetlog_entry(), they use basically the same code.
clean up and reduce replication of code for removing rules, both for readability and code size.
introduce a separate lifetime for dynamic UDP rules.
fix a problem in old code which prevented reallocation of the hash table for dynamic rules (PR ...)
restructure dynamic rule descriptors
introduce some local variables to avoid multiple dereferencing of pointer chains (reduces code size and hopefully increases speed).
Revision 1.131.2.25
Sun Aug 26 23:22:44 2001 UTC (10 years, 5 months ago) by billf
Branches: RELENG_4
CVS tags: RELENG_4_4_BP, RELENG_4_4_0_RELEASE, RELENG_4_4
Changes since revision 1.131.2.24: +4 -1 lines
MFC: rev 1.166 - spl protection for generation of dynamic rules for userland. Approved by: jkh
Revision 1.166
Sun Aug 26 10:09:47 2001 UTC (10 years, 5 months ago) by billf
Branches: MAIN
CVS tags: KSE_PRE_MILESTONE_2, KSE_MILESTONE_2
Changes since revision 1.165: +4 -1 lines
The IP_FW_GET code in ip_fw_ctl() sizes a buffer to hold information about rules and dynamic rules. It later fills this buffer with these rules. It also takes the opportunity to compare the expiration of the dynamic rules with the current time and either marks them for deletion or simply charges the countdown. Unfortunately it does this all (the sizing, the buffer copying, and the expiration GC) with no spl protection whatsoever. It was possible for the dynamic rule(s) to be ripped out from under the request before it had completed, resulting in corrupt memory dereferencing.
Reviewed by: ps
MFC before: 4.4-RELEASE, hopefully.
Revision 1.131.2.24
Tue Jul 24 07:07:11 2001 UTC (10 years, 6 months ago) by cjc
Branches: RELENG_4
Changes since revision 1.131.2.23: +12 -9 lines
MFC of 1.165 changes. Fixing a fragment logging bug and upgrading to tcpdump(8)-like fragment logging. PR: kern/23446 Approved by: ru
Revision 1.165
Mon Jul 2 15:50:31 2001 UTC (10 years, 7 months ago) by cjc
Branches: MAIN
Changes since revision 1.164: +12 -9 lines
While in there fixing a fragment logging bug, fix it so we log fragments "right." Log fragment information tcpdump(8)-style,
Jul 1 19:38:45 bubbles /boot/kernel/kernel: ipfw: 1000 Accept ICMP:8.0 192.168.64.60 192.168.64.20 in via ep0 (frag 53113:1480@0+)
That is, instead of the old,
... Fragment = <offset/8>
Do,
... (frag <IP ID>:<data len>@<offset>[+])
PR: kern/23446
Approved by: ru
MFC after: 1 week
Revision 1.164
Fri Apr 6 06:52:25 2001 UTC (10 years, 10 months ago) by billf
Branches: MAIN
Changes since revision 1.163: +2 -2 lines
pipe/queue are the only consumers of flow_id, so only set it in those cases
Revision 1.131.2.23
Wed Mar 28 05:19:00 2001 UTC (10 years, 10 months ago) by simokawa
Branches: RELENG_4
CVS tags: RELENG_4_3_BP, RELENG_4_3_0_RELEASE, RELENG_4_3
Changes since revision 1.131.2.22: +2 -2 lines
MFC: Replace dyn_fin_lifetime with dyn_ack_lifetime for half-closed state. (ip_fw.c rev.163) Approved by: jkh
Revision 1.163
Tue Mar 27 05:28:30 2001 UTC (10 years, 10 months ago) by simokawa
Branches: MAIN
Changes since revision 1.162: +2 -2 lines
Replace dyn_fin_lifetime with dyn_ack_lifetime for half-closed state. Half-closed state could last long for some connections and fin_lifetime (default 20sec) is too short for that. OK'ed by: luigi
Revision 1.162
Wed Mar 21 08:19:31 2001 UTC (10 years, 10 months ago) by paul
Branches: MAIN
Changes since revision 1.161: +18 -9 lines
Only flush rules that have a rule number above that set by a new sysctl, net.inet.ip.fw.permanent_rules. This allows you to install rules that are persistent across flushes, which is very useful if you want a default set of rules that maintains your access to remote machines while you're reconfiguring the other rules. Reviewed by: Mark Murray <markm@FreeBSD.org>
Revision 1.131.2.22
Fri Mar 9 16:37:36 2001 UTC (10 years, 11 months ago) by jlemon
Branches: RELENG_4
Changes since revision 1.131.2.21: +2 -2 lines
MFC: r1.161; fix for byte swapped RST sequence number.
Revision 1.161
Fri Mar 9 08:13:08 2001 UTC (10 years, 11 months ago) by jlemon
Branches: MAIN
Changes since revision 1.160: +2 -2 lines
The TCP sequence number used for sending a RST with the ipfw reset rule is already in host byte order, so do not swap it again. Reviewed by: bfumerola
Revision 1.131.2.21
Tue Mar 6 02:39:09 2001 UTC (10 years, 11 months ago) by billf
Branches: RELENG_4
Changes since revision 1.131.2.20: +2 -1 lines
In the spirit of r1.160, fix code dealing with fragmented packets and tcpoptions. Thanks to matt ayres <mayres@chimesnet.com> for unwittingly making me remember this.
Revision 1.160: download - view: text, markup, annotated - select for diffs
Tue Feb 27 10:20:44 2001 UTC (10 years, 11 months ago) by billf
Branches: MAIN
Diff to: previous 1.159: preferred, colored
Changes since revision 1.159: +2 -2 lines
The TCP header-specific section suffered a little bit of bitrot recently:
When we receive a fragmented TCP packet (other than the first) we can't
extract header information (we don't have state to reference). In a rather
inelegant fashion we just move on and assume a non-match.
Recent additions to the TCP header-specific section of the code neglected
to add the logic to the fragment code so in those cases the match was
assumed to be positive and those parts of the rule (which should have
resulted in a non-match/continue) were instead skipped (which means
the processing of the rule continued even though it had already not
matched).
Fault can be spread out over Rich Steenbergen (tcpoptions) and myself
(tcp{seq,ack,win}).
rwatson sent me a patch that got me thinking about this whole situation
(but what I'm committing / this description is mine so don't blame him).
Revision 1.131.2.20: download - view: text, markup, annotated - select for diffs
Tue Feb 27 09:41:15 2001 UTC (10 years, 11 months ago) by phk
Branches: RELENG_4
Diff to: previous 1.131.2.19: preferred, colored; branchpoint 1.131: preferred, colored
Changes since revision 1.131.2.19: +4 -7 lines
MFC various trivial/textual changes.
Revision 1.131.2.19: download - view: text, markup, annotated - select for diffs
Wed Feb 21 00:24:46 2001 UTC (10 years, 11 months ago) by jlemon
Branches: RELENG_4
Diff to: previous 1.131.2.18: preferred, colored; branchpoint 1.131: preferred, colored
Changes since revision 1.131.2.18: +1 -2 lines
MFC: clean up warning
Revision 1.131.2.18: download - view: text, markup, annotated - select for diffs
Tue Feb 20 21:00:35 2001 UTC (10 years, 11 months ago) by phk
Branches: RELENG_4
Diff to: previous 1.131.2.17: preferred, colored; branchpoint 1.131: preferred, colored
Changes since revision 1.131.2.17: +2 -1 lines
MFC: ipfw "me" functionality. I forgot this #include in the last commit.
Revision 1.131.2.17: download - view: text, markup, annotated - select for diffs
Tue Feb 20 11:39:17 2001 UTC (10 years, 11 months ago) by phk
Branches: RELENG_4
Diff to: previous 1.131.2.16: preferred, colored; branchpoint 1.131: preferred, colored
Changes since revision 1.131.2.16: +12 -1 lines
MFC: The ipfw src/dst "me" keyword support.
Revision 1.159: download - view: text, markup, annotated - select for diffs
Thu Feb 15 22:32:06 2001 UTC (10 years, 11 months ago) by jlemon
Branches: MAIN
Diff to: previous 1.158: preferred, colored
Changes since revision 1.158: +1 -2 lines
Clean up warning.
Revision 1.158: download - view: text, markup, annotated - select for diffs
Tue Feb 13 14:12:04 2001 UTC (10 years, 11 months ago) by phk
Branches: MAIN
Diff to: previous 1.157: preferred, colored
Changes since revision 1.157: +13 -1 lines
Introduce a new feature in IPFW: Check of the source or destination
address is configured on a interface. This is useful for routers with
dynamic interfaces. It is now possible to say:
0100 allow tcp from any to any established
0200 skipto 1000 tcp from any to any
0300 allow ip from any to any
1000 allow tcp from 1.2.3.4 to me 22
1010 deny tcp from any to me 22
1020 allow tcp from any to any
and not have to worry about the behaviour if dynamic interfaces configure
new IP numbers later on.
The check is semi expensive (traverses the interface address list)
so it should be protected as in the above example if high performance
is a requirement.
Revision 1.157: download - view: text, markup, annotated - select for diffs
Sat Feb 10 00:10:18 2001 UTC (11 years ago) by luigi
Branches: MAIN
Diff to: previous 1.156: preferred, colored
Changes since revision 1.156: +42 -44 lines
Sync with the bridge/dummynet/ipfw code already tested in stable. In ip_fw.[ch] change a couple of variable and field names to avoid having types, variables and fields with the same name.
Revision 1.131.2.16: download - view: text, markup, annotated - select for diffs
Fri Feb 9 23:18:08 2001 UTC (11 years ago) by luigi
Branches: RELENG_4
Diff to: previous 1.131.2.15: preferred, colored; branchpoint 1.131: preferred, colored
Changes since revision 1.131.2.15: +41 -43 lines
Convert to the use of <sys/queue.h> macros. In the process, change a couple of variable and field names so we do not use the same exact name for types, variable and fields and hopefully can understand which is which. On passing, simplify the logic in a few places. This commit has no functional changes.
Revision 1.131.2.15: download - view: text, markup, annotated - select for diffs
Wed Feb 7 01:03:13 2001 UTC (11 years ago) by luigi
Branches: RELENG_4
Diff to: previous 1.131.2.14: preferred, colored; branchpoint 1.131: preferred, colored
Changes since revision 1.131.2.14: +3 -5 lines
Another sweep at the bridge/ipfw/dummynet code, thanks to the bug reports received over the last days. Among other things, this commit should avoid some of the problems with ARP replies being copied to the wrong interface. In detail (and modulo errors)
bridge.c:
+ comment out some verbose debugging messages;
+ improve handling of configurations with multiple interface clusters. Do not permit leaks of packets from one cluster to another.
+ simplify the structure of bdg_forward()
net/if_ethersubr.c:
+ minor simplifications related to the change of interface in bdg_forward();
netinet/if_ether.c
+ minor simplifications in the arp error handling code.
netinet/ip_fw.c netinet/ip_fw.h
+ #define and use a symbolic constant for the return value from ip_fw_chk
netinet/ip_input.c netinet/ip_output.c
+ same as above, plus improve error handling in case the firewall decides to change the mbuf pointer.
Revision 1.156: download - view: text, markup, annotated - select for diffs
Sun Feb 4 13:13:07 2001 UTC (11 years ago) by phk
Branches: MAIN
Diff to: previous 1.155: preferred, colored
Changes since revision 1.155: +15 -16 lines
Mechanical change to use <sys/queue.h> macro API instead of fondling implementation details. Created with: sed(1) Reviewed by: md5(1)
Revision 1.131.2.14: download - view: text, markup, annotated - select for diffs
Sun Feb 4 05:48:59 2001 UTC (11 years ago) by rwatson
Branches: RELENG_4
Diff to: previous 1.131.2.13: preferred, colored; branchpoint 1.131: preferred, colored
Changes since revision 1.131.2.13: +4 -2 lines
A recent commit (1.131.2.13) removed the security fix associated with FreeBSD-SA-01:08, breaking the "established" TCP matching flag even more than it was prior to the security advisory. Reinstate the fix by restoring the conditional associated with entering tcpflg_match().
Reported by a number of people via send-pr, security-officer, et al., including:
Steven Farmer <steve@megahack.com>
Bernd Luevelsmeyer <bdluevel@heitec.net>
Andrew Gordon <arg@arg1.demon.co.uk>
Thanks to those people for bringing this to our attention in such a timely manner. An updated advisory and/or announcement to the freebsd-stable mailing list will be forthcoming, once all parties have confirmed that this resolves the problems they were experiencing.
PR: 24833
Approved by: security-officer
Slap on the wrist to: luigi
Revision 1.155: download - view: text, markup, annotated - select for diffs
Fri Feb 2 00:18:00 2001 UTC (11 years ago) by luigi
Branches: MAIN
Diff to: previous 1.154: preferred, colored
Changes since revision 1.154: +3 -5 lines
MFS: bridge/ipfw/dummynet fixes (bridge.c will be committed separately)
Revision 1.131.2.13: download - view: text, markup, annotated - select for diffs
Thu Feb 1 20:25:09 2001 UTC (11 years ago) by luigi
Branches: RELENG_4
Diff to: previous 1.131.2.12: preferred, colored; branchpoint 1.131: preferred, colored
Changes since revision 1.131.2.12: +6 -8 lines
Assorted bridge+ipfw+dummynet fixes. The general goal of this set
of patches is to reduce the number of places where shared mbuf
clusters are modified.
In detail:
ip_fw.c:
modified the ip_fw_chk interface (so that it does not consume
the buffer unless strictly necessary).
ip_input.c, ip_output.c, bridge.c:
reflect above changes.
if_ethersubr.c:
avoid dereferencing pointers to an mbuf chain after it has been
freed. Also fix some bugs when interfaces are not part of
a bridging cluster.
ip_dummynet.[ch]
largely simplified the WF2Q+ implementation removing a redundant
data structure.
bridge.[ch]
fix the forwarding loop to avoid modifying the packet when
possible.
Revision 1.154: download - view: text, markup, annotated - select for diffs
Sat Jan 27 02:31:08 2001 UTC (11 years ago) by luigi
Branches: MAIN
Diff to: previous 1.153: preferred, colored
Changes since revision 1.153: +3 -2 lines
Make sure we do not follow an invalid pointer in ipfw_report when we get an incomplete packet or m_pullup fails.
Revision 1.131.2.12: download - view: text, markup, annotated - select for diffs
Fri Jan 26 19:57:06 2001 UTC (11 years ago) by luigi
Branches: RELENG_4
Diff to: previous 1.131.2.11: preferred, colored; branchpoint 1.131: preferred, colored
Changes since revision 1.131.2.11: +39 -42 lines
MFC: bring in latest bunch of bugfixes and patches to make bridging and dummynet work. Once again the reason for this quick MFC is that nobody that I know is testing this code in -CURRENT (though I tested it briefly and it seems to work there as well), whereas there is a number of people using it in -STABLE.
In detail, the changes to the code (committed to both -CURRENT and -STABLE) over the last week have been the following:
+ bridge.c: assorted bugfixes, and several performance improvements aimed at reducing the number of copies and mbuf usage. For what matters, the time spent in bdg_forward is now cut by more than 50% in the common cases, and most of the packets are kept contiguous in a single cluster from entry to exit.
+ ip_dummynet.c: final cleanup to the weighted fair queueing code, which now seems to work reliably.
+ ip_fw.c: removed the #ifdef STATEFUL lines, since there is really no way to compile this file without stateful support. Also try to reduce the number of places where ipfw depends on fields in host order. This is in an attempt to make the shared parts of mbuf chains as much as possible readonly.
Revision 1.153: download - view: text, markup, annotated - select for diffs
Fri Jan 26 19:43:54 2001 UTC (11 years ago) by luigi
Branches: MAIN
Diff to: previous 1.152: preferred, colored
Changes since revision 1.152: +4 -5 lines
Minor cleanups after yesterday's patch. The code (bridging and dummynet) actually worked fine!
Revision 1.152: download - view: text, markup, annotated - select for diffs
Fri Jan 26 06:49:34 2001 UTC (11 years ago) by luigi
Branches: MAIN
Diff to: previous 1.151: preferred, colored
Changes since revision 1.151: +40 -42 lines
Bring dummynet in line with the code that now works in -STABLE. It compiles, but I cannot test functionality yet.
Revision 1.103.2.13: download - view: text, markup, annotated - select for diffs
Sat Jan 13 02:44:21 2001 UTC (11 years ago) by jedgar
Branches: RELENG_3
Diff to: previous 1.103.2.12: preferred, colored; branchpoint 1.103: preferred, colored; next MAIN 1.104: preferred, colored
Changes since revision 1.103.2.12: +14 -6 lines
MFC: ECN flag handling fixes in IPFW
Revision 1.131.2.11: download - view: text, markup, annotated - select for diffs
Wed Jan 10 03:43:34 2001 UTC (11 years, 1 month ago) by rwatson
Branches: RELENG_4
Diff to: previous 1.131.2.10: preferred, colored; branchpoint 1.131: preferred, colored
Changes since revision 1.131.2.10: +14 -6 lines
o MFC of ECN flag handling fixes in IPFW, respectively:
Revision Changes Path
1.98 +3 -4 src/sbin/ipfw/ipfw.c
1.151 +14 -6 src/sys/netinet/ip_fw.c
1.54 +3 -3 src/sys/netinet/ip_fw.h
Prior commit message:
o IPFW incorrectly handled filtering in the presence of previously
reserved and now allocated TCP flags in incoming packets. This
patch stops overloading those bits in the IP firewall rules, and
moves colliding flags to a separate field, ipflg. The IPFW userland
management tool, ipfw(8), is updated to reflect this change. New
TCP flags related to ECN are now included in tcp.h for reference,
although we don't currently implement TCP+ECN.
o To use this fix without completely rebuilding, it is sufficient to
copy ip_fw.h and tcp.h into your appropriate include directory,
then rebuild the ipfw kernel module, and ipfw tool, and install
both. Note that a mismatch between module and userland tool will
result in incorrect installation of firewall rules that may have
unexpected effects. This bug does not appear to affect ipfilter.
Reviewed by: security-officer, billf, jedgar
Reported by: Aragon Gouveia <aragon@phat.za.net>
Revision 1.151: download - view: text, markup, annotated - select for diffs
Tue Jan 9 03:10:30 2001 UTC (11 years, 1 month ago) by rwatson
Branches: MAIN
Diff to: previous 1.150: preferred, colored
Changes since revision 1.150: +14 -6 lines
o IPFW incorrectly handled filtering in the presence of previously reserved and now allocated TCP flags in incoming packets. This patch stops overloading those bits in the IP firewall rules, and moves colliding flags to a separate field, ipflg. The IPFW userland management tool, ipfw(8), is updated to reflect this change. New TCP flags related to ECN are now included in tcp.h for reference, although we don't currently implement TCP+ECN.
o To use this fix without completely rebuilding, it is sufficient to copy ip_fw.h and tcp.h into your appropriate include directory, then rebuild the ipfw kernel module, and ipfw tool, and install both. Note that a mismatch between module and userland tool will result in incorrect installation of firewall rules that may have unexpected effects. This is an MFC candidate, following shakedown. This bug does not appear to affect ipfilter.
Reviewed by: security-officer, billf
Reported by: Aragon Gouveia <aragon@phat.za.net>
Revision 1.150: download - view: text, markup, annotated - select for diffs
Fri Dec 8 21:50:47 2000 UTC (11 years, 2 months ago) by dwmalone
Branches: MAIN
Diff to: previous 1.149: preferred, colored
Changes since revision 1.149: +4 -7 lines
Convert more malloc+bzero to malloc+M_ZERO. Submitted by: josh@zipperup.org Submitted by: Robert Drehmel <robd@gmx.net>
Revision 1.131.2.10: download - view: text, markup, annotated - select for diffs
Tue Nov 7 09:50:58 2000 UTC (11 years, 3 months ago) by ru
Branches: RELENG_4
CVS tags: RELENG_4_2_0_RELEASE
Diff to: previous 1.131.2.9: preferred, colored; branchpoint 1.131: preferred, colored
Changes since revision 1.131.2.9: +4 -4 lines
MFC: (rev 1.149) fixed the IP_FW_ADD security breach. Approved by: jkh
Revision 1.149: download - view: text, markup, annotated - select for diffs
Tue Nov 7 09:20:32 2000 UTC (11 years, 3 months ago) by ru
Branches: MAIN
Diff to: previous 1.148: preferred, colored
Changes since revision 1.148: +4 -4 lines
Fixed the security breach I introduced in rev 1.145. Disallow getsockopt(IP_FW_ADD) if securelevel >= 3. PR: 22600
Revision 1.148: download - view: text, markup, annotated - select for diffs
Sun Oct 29 13:57:08 2000 UTC (11 years, 3 months ago) by phk
Branches: MAIN
Diff to: previous 1.147: preferred, colored
Changes since revision 1.147: +1 -2 lines
Remove unneeded #include <sys/proc.h> lines.
Revision 1.131.2.9: download - view: text, markup, annotated - select for diffs
Fri Oct 27 07:41:07 2000 UTC (11 years, 3 months ago) by ru
Branches: RELENG_4
Diff to: previous 1.131.2.8: preferred, colored; branchpoint 1.131: preferred, colored
Changes since revision 1.131.2.8: +16 -21 lines
MFC:
- (rev 1.144) pull up the entire (minimum) TCP and UDP headers, and 4 bytes of ICMP header (enough for type, code and cksum).
- (rev 1.147) fetch the protocol header (TCP, UDP, ICMP) only from the first (OFF=0) fragment of IP datagram.
Revision 1.147: download - view: text, markup, annotated - select for diffs
Fri Oct 27 07:19:17 2000 UTC (11 years, 3 months ago) by ru
Branches: MAIN
Diff to: previous 1.146: preferred, colored
Changes since revision 1.146: +12 -17 lines
Fetch the protocol header (TCP, UDP, ICMP) only from the first fragment of IP datagram. This fixes the problem when firewall denied fragmented packets whose last fragment was less than minimum protocol header size. Found by: Harti Brandt <brandt@fokus.gmd.de> PR: kern/22309
Revision 1.131.2.8: download - view: text, markup, annotated - select for diffs
Thu Oct 26 00:17:32 2000 UTC (11 years, 3 months ago) by luigi
Branches: RELENG_4
Diff to: previous 1.131.2.7: preferred, colored; branchpoint 1.131: preferred, colored
Changes since revision 1.131.2.7: +2 -2 lines
MFC: close PR22152 and PR19511 -- wrong variable name
Revision 1.146: download - view: text, markup, annotated - select for diffs
Thu Oct 26 00:16:12 2000 UTC (11 years, 3 months ago) by luigi
Branches: MAIN
Diff to: previous 1.145: preferred, colored
Changes since revision 1.145: +2 -2 lines
Close PR22152 and PR19511 -- correct the naming of a variable
Revision 1.131.2.7: download - view: text, markup, annotated - select for diffs
Tue Oct 17 13:44:57 2000 UTC (11 years, 3 months ago) by ru
Branches: RELENG_4
Diff to: previous 1.131.2.6: preferred, colored; branchpoint 1.131: preferred, colored
Changes since revision 1.131.2.6: +4 -2 lines
MFC: make rule number available from getsockopt(IP_FW_ADD).
Revision 1.145: download - view: text, markup, annotated - select for diffs
Thu Oct 12 07:59:14 2000 UTC (11 years, 4 months ago) by ru
Branches: MAIN
Diff to: previous 1.144: preferred, colored
Changes since revision 1.144: +4 -2 lines
Allow for IP_FW_ADD to be used in getsockopt(2) incarnation as well, in which case return the rule number back into userland. PR: bin/18351 Reviewed by: archie, luigi
Revision 1.144: download - view: text, markup, annotated - select for diffs
Fri Oct 6 12:12:09 2000 UTC (11 years, 4 months ago) by ru
Branches: MAIN
Diff to: previous 1.143: preferred, colored
Changes since revision 1.143: +5 -5 lines
As we now may check the TCP header window field, make sure we pullup enough into the mbuf data area. Solve this problem once and for all by pulling up the entire (standard) header for TCP and UDP, and four bytes of header for ICMP (enough for type, code and cksum fields).
Revision 1.143: download - view: text, markup, annotated - select for diffs
Tue Oct 3 12:18:11 2000 UTC (11 years, 4 months ago) by ru
Branches: MAIN
Diff to: previous 1.142: preferred, colored
Changes since revision 1.142: +2 -2 lines
Added the missing ntohs() conversion when matching IP packet with the IP_FW_IF_IPID rule. (We have recently decided to keep the ip_id field in network byte order inside the kernel, see revision 1.140 of src/sys/netinet/ip_input.c). I did not like to have the conversion happen in userland, and I think that the similar conversions for fw_tcp(seq|ack|win) should be moved out of userland (src/sbin/ipfw/ipfw.c) into the kernel.
Revision 1.142: download - view: text, markup, annotated - select for diffs
Mon Oct 2 03:33:31 2000 UTC (11 years, 4 months ago) by billf
Branches: MAIN
Diff to: previous 1.141: preferred, colored
Changes since revision 1.141: +49 -5 lines
Add new fields for more granularity:
IP: version, tos, ttl, len, id
TCP: seq#, ack#, window size
Reviewed by: silence on freebsd-{net,ipfw}
Revision 1.131.2.6: download - view: text, markup, annotated - select for diffs
Fri Sep 29 08:51:09 2000 UTC (11 years, 4 months ago) by ru
Branches: RELENG_4
Diff to: previous 1.131.2.5: preferred, colored; branchpoint 1.131: preferred, colored
Changes since revision 1.131.2.5: +2 -2 lines
MFC: net.inet.ip.fw.one_pass only affects dummynet(4).
Revision 1.141: download - view: text, markup, annotated - select for diffs
Fri Sep 29 08:39:05 2000 UTC (11 years, 4 months ago) by ru
Branches: MAIN
Diff to: previous 1.140: preferred, colored
Changes since revision 1.140: +2 -2 lines
Document that net.inet.ip.fw.one_pass only affects dummynet(4). Noticed by: Peter Jeremy<peter.jeremy@alcatel.com.au>
Revision 1.140: download - view: text, markup, annotated - select for diffs
Tue Sep 12 02:38:05 2000 UTC (11 years, 5 months ago) by billf
Branches: MAIN
Diff to: previous 1.139: preferred, colored
Changes since revision 1.139: +4 -2 lines
Fix screwup in previous commit.
Revision 1.139: download - view: text, markup, annotated - select for diffs
Wed Sep 6 03:10:42 2000 UTC (11 years, 5 months ago) by billf
Branches: MAIN
CVS tags: PRE_SMPNG
Diff to: previous 1.138: preferred, colored
Changes since revision 1.138: +8 -3 lines
1. IP_FW_F_{UID,GID} are _not_ commands, they are extras. The sanity checking
for them does not belong in the IP_FW_F_COMMAND switch, that mask doesn't even
apply to them(!).
2. You cannot add a uid/gid rule to something that isn't TCP, UDP, or IP.
XXX - this should be handled in ipfw(8) as well (for more diagnostic output),
but this at least protects bogus rules from being added.
Pointy hat: green
Revision 1.131.2.5: download - view: text, markup, annotated - select for diffs
Fri Jul 28 23:16:30 2000 UTC (11 years, 6 months ago) by billf
Branches: RELENG_4
CVS tags: RELENG_4_1_1_RELEASE
Diff to: previous 1.131.2.4: preferred, colored; branchpoint 1.131: preferred, colored
Changes since revision 1.131.2.4: +71 -1 lines
MFC
ipfw.c:
r1.84,1.88: tcpoptions support (dan, ras@e-gerbil.net)
r1.86: reorder output of 'prob' to match the input method (billf)
ip_fw.c:
r1.138: tcpoptions support (dan, ras@e-gerbil.net)
ip_fw.h:
r1.50(partial): complete WF2Q+ merge, comment only (luigi)
r1.51: tcpoptions support (dan, ras@e-gerbil.net)
Revision 1.131.2.4: download - view: text, markup, annotated - select for diffs
Sun Jun 11 18:39:44 2000 UTC (11 years, 8 months ago) by luigi
Branches: RELENG_4
CVS tags: RELENG_4_1_0_RELEASE
Diff to: previous 1.131.2.3: preferred, colored; branchpoint 1.131: preferred, colored
Changes since revision 1.131.2.3: +20 -3 lines
MFC: Bring WF2Q+ support in dummynet. Read the ipfw(8) manpage for documentation. Except for recompiling ipfw, old ipfw configurations involving dummynet pipes work unmodified.
Revision 1.138: download - view: text, markup, annotated - select for diffs
Thu Jun 8 15:34:51 2000 UTC (11 years, 8 months ago) by dan
Branches: MAIN
Diff to: previous 1.137: preferred, colored
Changes since revision 1.137: +71 -1 lines
Add tcpoptions to ipfw. This works much in the same way as ipoptions do. It also squashes 99% of packet kiddie synflood orgies. For example, to rate syn packets without MSS,
ipfw pipe 10 config 56Kbit/s queue 10Packets
ipfw add pipe 10 tcp from any to any in setup tcpoptions !mss
Submitted by: Richard A. Steenbergen <ras@e-gerbil.net>
Revision 1.137: download - view: text, markup, annotated - select for diffs
Thu Jun 8 09:45:23 2000 UTC (11 years, 8 months ago) by luigi
Branches: MAIN
Diff to: previous 1.136: preferred, colored
Changes since revision 1.136: +20 -3 lines
Implement WF2Q+ in dummynet.
Revision 1.136: download - view: text, markup, annotated - select for diffs
Fri May 26 02:05:46 2000 UTC (11 years, 8 months ago) by jake
Branches: MAIN
Diff to: previous 1.135: preferred, colored
Changes since revision 1.135: +2 -2 lines
Back out the previous change to the queue(3) interface. It was not discussed and should probably not happen. Requested by: msmith and others
Revision 1.131.2.3: download - view: text, markup, annotated - select for diffs
Wed May 24 01:47:57 2000 UTC (11 years, 8 months ago) by archie
Branches: RELENG_4
Diff to: previous 1.131.2.2: preferred, colored; branchpoint 1.131: preferred, colored
Changes since revision 1.131.2.2: +166 -236 lines
MFC: Move BPF and bridging code into ether_input()
Revision 1.135: download - view: text, markup, annotated - select for diffs
Tue May 23 20:38:16 2000 UTC (11 years, 8 months ago) by jake
Branches: MAIN
Diff to: previous 1.134: preferred, colored
Changes since revision 1.134: +2 -2 lines
Change the way that the queue(3) structures are declared; don't assume that the type argument to *_HEAD and *_ENTRY is a struct. Suggested by: phk Reviewed by: phk Approved by: mdodd
Revision 1.134: download - view: text, markup, annotated - select for diffs
Sun May 14 02:18:38 2000 UTC (11 years, 9 months ago) by archie
Branches: MAIN
Diff to: previous 1.133: preferred, colored
Changes since revision 1.133: +166 -236 lines
Move code to handle BPF and bridging for incoming Ethernet packets out of the individual drivers and into the common routine ether_input(). Also, remove the (incomplete) hack for matching ethernet headers in the ip_fw code. The good news: net result of 1016 lines removed, and this should make bridging now work with *all* Ethernet drivers. The bad news: it's nearly impossible to test every driver, especially for bridging, and I was unable to get much testing help on the mailing lists. Reviewed by: freebsd-net
Revision 1.103.2.12: download - view: text, markup, annotated - select for diffs
Fri May 12 07:22:57 2000 UTC (11 years, 9 months ago) by luigi
Branches: RELENG_3
CVS tags: RELENG_3_5_0_RELEASE
Diff to: previous 1.103.2.11: preferred, colored; branchpoint 1.103: preferred, colored
Changes since revision 1.103.2.11: +9 -1 lines
Only send warnings once per second when there is a problem with dynamic rules.
Revision 1.131.2.2: download - view: text, markup, annotated - select for diffs
Tue May 2 16:31:05 2000 UTC (11 years, 9 months ago) by luigi
Branches: RELENG_4
Diff to: previous 1.131.2.1: preferred, colored; branchpoint 1.131: preferred, colored
Changes since revision 1.131.2.1: +3 -1 lines
remove a useless error message
Revision 1.133: download - view: text, markup, annotated - select for diffs
Tue May 2 15:39:36 2000 UTC (11 years, 9 months ago) by luigi
Branches: MAIN
Diff to: previous 1.132: preferred, colored
Changes since revision 1.132: +3 -1 lines
Remove an unnecessary error message
Revision 1.131.2.1: download - view: text, markup, annotated - select for diffs
Tue Mar 14 20:35:20 2000 UTC (11 years, 10 months ago) by ru
Branches: RELENG_4
CVS tags: RELENG_4_0_0_RELEASE
Diff to: previous 1.131: preferred, colored
Changes since revision 1.131: +7 -6 lines
MFC: (rev 1.132) Fix logging of src and dst IP addresses.
Revision 1.132: download - view: text, markup, annotated - select for diffs
Tue Mar 14 14:11:53 2000 UTC (11 years, 11 months ago) by ru
Branches: MAIN
Diff to: previous 1.131: preferred, colored
Changes since revision 1.131: +7 -6 lines
Fix reporting of src and dst IP addresses for ICMP and generic IP packets. PR: 17319 Submitted by: Mike Heffner <spock@techfour.net>
Revision 1.131: download - view: text, markup, annotated - select for diffs
Tue Feb 29 17:51:25 2000 UTC (11 years, 11 months ago) by luigi
Branches: MAIN
CVS tags: RELENG_4_BP
Branch point for: RELENG_4
Diff to: previous 1.130: preferred, colored
Changes since revision 1.130: +69 -70 lines
Fix panic when doing keep-state and "forward". Removed a redundant check. Also move check for expired rules before using them. Sorry for the whitespace changes. Approved-by: jordan
Revision 1.103.2.11: download - view: text, markup, annotated - select for diffs
Sun Feb 13 12:18:35 2000 UTC (11 years, 11 months ago) by luigi
Branches: RELENG_3
Diff to: previous 1.103.2.10: preferred, colored; branchpoint 1.103: preferred, colored
Changes since revision 1.103.2.10: +464 -47 lines
MFC: bring stateful extensions for IPFW and related fixes to -stable. In order to use the new features and get sensible output from "ipfw show" you need to recompile ipfw. Note that you will still be able to configure the firewall using the old ipfw. Approved-by: jordan
Revision 1.130: download - view: text, markup, annotated - select for diffs
Thu Feb 10 17:56:01 2000 UTC (12 years ago) by luigi
Branches: MAIN
Diff to: previous 1.129: preferred, colored
Changes since revision 1.129: +1 -2 lines
Move definition of fw_enable from ip_fw.c to ip_input.c so we can compile kernels without IPFIREWALL.
Reported-by: Robert Watson
Approved-by: jordan
Revision 1.129: download - view: text, markup, annotated - select for diffs
Thu Feb 10 16:50:53 2000 UTC (12 years ago) by luigi
Branches: MAIN
Diff to: previous 1.128: preferred, colored
Changes since revision 1.128: +8 -7 lines
Whoops... forgot braces in a conditional
Revealed-by: diff with -STABLE version (the advantage of having
multiple lines of development...)
Approved-by: jordan
Revision 1.128: download - view: text, markup, annotated - select for diffs
Thu Feb 10 14:17:38 2000 UTC (12 years ago) by luigi
Branches: MAIN
Diff to: previous 1.127: preferred, colored
Changes since revision 1.127: +451 -22 lines
Support for stateful (dynamic) ipfw rules. They are very similar to ipfilter's keep-state. Look at the updated ipfw(8) manpage for details. Approved-by: jordan
Revision 1.103.2.10: download - view: text, markup, annotated - select for diffs
Tue Jan 18 16:03:53 2000 UTC (12 years ago) by luigi
Branches: RELENG_3
Diff to: previous 1.103.2.9: preferred, colored; branchpoint 1.103: preferred, colored
Changes since revision 1.103.2.9: +154 -95 lines
Various MFC:
* update dummynet to the new code in 4.0, and cleanup call interface (affects ip_dummynet.c ip_dummynet.h ip_input.c ip_output.c)
* various cleanup of ipfw code, including dummynet hooks, support for masks on UDP/TCP ports, and removal of ip_nat hooks as in 4.0 (affects ip_fw.c ip_fw.h raw_ip.c)
The new dummynet code is thanks to Akamba Corp.
Revision 1.127: download - view: text, markup, annotated - select for diffs
Sun Jan 9 19:17:25 2000 UTC (12 years, 1 month ago) by shin
Branches: MAIN
Diff to: previous 1.126: preferred, colored
Changes since revision 1.126: +5 -4 lines
tcp updates to support IPv6. Also a small patch to sys/nfs/nfs_socket.c, as max_hdr size change.
Reviewed by: freebsd-arch, cvs-committers
Obtained from: KAME project
Revision 1.126: download - view: text, markup, annotated - select for diffs
Sat Jan 8 11:31:43 2000 UTC (12 years, 1 month ago) by luigi
Branches: MAIN
Diff to: previous 1.125: preferred, colored
Changes since revision 1.125: +96 -69 lines
Add ipfw hooks for the new dummynet features. Support masks on TCP/UDP ports. Minor cleanup of ip_fw_chk() to avoid repeated calls to PULLUP_TO at each rule.
Revision 1.125: download - view: text, markup, annotated - select for diffs
Tue Dec 7 17:39:08 1999 UTC (12 years, 2 months ago) by shin
Branches: MAIN
Diff to: previous 1.124: preferred, colored
Changes since revision 1.124: +9 -5 lines
udp IPv6 support, IPv6/IPv4 tunneling support in kernel, packet divert at kernel for IPv6/IPv4 translator daemon. This includes queue related patch submitted by jburkhol@home.com.
Submitted by: queue related patch from jburkhol@home.com
Reviewed by: freebsd-arch, cvs-committers
Obtained from: KAME project
Revision 1.124: download - view: text, markup, annotated - select for diffs
Mon Dec 6 00:43:06 1999 UTC (12 years, 2 months ago) by archie
Branches: MAIN
Diff to: previous 1.123: preferred, colored
Changes since revision 1.123: +61 -61 lines
Miscellaneous fixes/cleanups relating to ipfw and divert(4):
- Implement 'ipfw tee' (finally)
- Divert packets by calling new function divert_packet() directly instead of going through protosw[].
- Replace kludgey global variable 'ip_divert_port' with a function parameter to divert_packet()
- Replace kludgey global variable 'frag_divert_port' with a function parameter to ip_reass()
- style(9) fixes
Reviewed by: julian, green
Revision 1.123: download - view: text, markup, annotated - select for diffs
Sun Sep 19 02:17:01 1999 UTC (12 years, 4 months ago) by green
Branches: MAIN
Diff to: previous 1.122: preferred, colored
Changes since revision 1.122: +7 -7 lines
Change so_cred's type to a ucred, not a pcred. This makes more sense, actually. Make a sonewconn3() which takes an extra argument (proc) so new sockets created with sonewconn() from a user's system call get the correct credentials, not just the parent's credentials.
Revision 1.14.4.12
Sun Sep 5 08:34:48 1999 UTC (12 years, 5 months ago) by peter
Branches: RELENG_2_1_0
Diff to: previous 1.14.4.11; branchpoint 1.14; next MAIN 1.15
Changes since revision 1.14.4.11: +1 -1 lines
$Id$ -> $FreeBSD$
Revision 1.51.2.25
Sun Sep 5 08:18:28 1999 UTC (12 years, 5 months ago) by peter
Branches: RELENG_2_2
Diff to: previous 1.51.2.24; branchpoint 1.51; next MAIN 1.52
Changes since revision 1.51.2.24: +1 -1 lines
$Id$ -> $FreeBSD$
Revision 1.103.2.9
Sun Aug 29 16:29:44 1999 UTC (12 years, 5 months ago) by peter
Branches: RELENG_3
CVS tags: RELENG_3_4_0_RELEASE, RELENG_3_3_0_RELEASE
Diff to: previous 1.103.2.8; branchpoint 1.103
Changes since revision 1.103.2.8: +1 -1 lines
$Id$ -> $FreeBSD$
Revision 1.103.2.8
Sun Aug 29 13:09:17 1999 UTC (12 years, 5 months ago) by green
Branches: RELENG_3
Diff to: previous 1.103.2.7; branchpoint 1.103
Changes since revision 1.103.2.7: +180 -18 lines
MFC: This is the pre-3.3 IPFW megamerge. This brings IPFW almost completely up to 4.0's. __FreeBSD_version is bumped by this commit. Changes include:
- per-socket credentials stored
- ability to get those credentials with sysctl
- uid- and gid- based filtering in IPFW
- dynamic logging in IPFW (rules can be set as logging for any number of packets, not just the default, and logging can be reset)
Following this is a commit to pidentd to use 1 and 2.
Revision 1.122
Sun Aug 29 10:23:13 1999 UTC (12 years, 5 months ago) by bde
Branches: MAIN
Diff to: previous 1.121
Changes since revision 1.121: +2 -2 lines
Oops, I missed a cast in rev.1.119.
Revision 1.121
Sat Aug 28 07:20:59 1999 UTC (12 years, 5 months ago) by green
Branches: MAIN
Diff to: previous 1.120
Changes since revision 1.120: +4 -2 lines
Also make the "other" packets counter resettable.
Revision 1.120
Sat Aug 28 00:49:23 1999 UTC (12 years, 5 months ago) by peter
Branches: MAIN
Diff to: previous 1.119
Changes since revision 1.119: +1 -1 lines
$Id$ -> $FreeBSD$
Revision 1.119
Tue Aug 24 00:48:19 1999 UTC (12 years, 5 months ago) by bde
Branches: MAIN
Diff to: previous 1.118
Changes since revision 1.118: +4 -4 lines
Cast pointers to [u]intptr_t instead of casting them to [u_]long. Don't depend on gcc's feature of casting lvalues, especially for direct assignment where it doesn't even simplify the syntax. Cosmetic.
Revision 1.118
Sat Aug 21 18:35:50 1999 UTC (12 years, 5 months ago) by green
Branches: MAIN
Diff to: previous 1.117
Changes since revision 1.117: +86 -58 lines
To christen the brand new security category for syslog, we get IPFW using syslog(3) (log(9)) for its various purposes! This long-awaited change also includes such nice things as:
* macros expanding into _two_ comma-delimited arguments!
* snprintf!
* more snprintf!
* linting and criticism by more people than you can shake a stick at!
* a slightly more uniform message style than before!
and last but not least
* no less than 5 rewrites!
Reviewed by: committers
Revision 1.103.2.7
Mon Aug 16 19:16:25 1999 UTC (12 years, 5 months ago) by luigi
Branches: RELENG_3
Diff to: previous 1.103.2.6; branchpoint 1.103
Changes since revision 1.103.2.6: +2 -2 lines
whoops... missing semicolon
Revision 1.103.2.6
Mon Aug 16 17:29:50 1999 UTC (12 years, 5 months ago) by luigi
Branches: RELENG_3
Diff to: previous 1.103.2.5; branchpoint 1.103
Changes since revision 1.103.2.5: +18 -7 lines
MFC: add probabilistic rule match code (kernel+userland) and manpage. Approved-by: Jordan
Revision 1.117
Wed Aug 11 15:34:47 1999 UTC (12 years, 6 months ago) by luigi
Branches: MAIN
Diff to: previous 1.116
Changes since revision 1.116: +18 -7 lines
Implement probabilistic rule match in ipfw. Each rule can be associated with a match probability to achieve non-deterministic behaviour of the firewall. This can be extremely useful for testing purposes such as simulating random packet drop without having to use dummynet (which already does the same thing), and simulating multipath effects and the associated out-of-order delivery (this time in conjunction with dummynet). The overhead on normal rules is just one comparison with 0. Since it would have been trivial to implement this by just adding a field to the ip_fw structure, I decided to do it in a backward-compatible way (i.e. struct ip_fw is unchanged, and as a consequence you don't need to recompile ipfw if you don't want to use this feature), since this was also useful for -STABLE. When, at some point, someone decides to change struct ip_fw, please add a length field and a version number at the beginning, so userland apps can keep working even if they are out of sync with the kernel.
Revision 1.116
Sun Aug 1 16:57:15 1999 UTC (12 years, 6 months ago) by green
Branches: MAIN
Diff to: previous 1.115
Changes since revision 1.115: +80 -9 lines
Make ipfw's logging more dynamic. Now, log will use the default limit _or_ you may specify "log logamount number" to set logging specifically for the rule. In addition, "ipfw resetlog" has been added, which will reset the logging counters on any/all rule(s). ipfw resetlog does not affect the packet/byte counters (as ipfw reset does), and is the only "set" command that can be run at securelevel >= 3. This should address complaints about not being able to set logging amounts, not being able to restart logging at a high securelevel, and not being able to just reset logging without resetting all of the counters in a rule.
Revision 1.115
Wed Jul 28 22:27:27 1999 UTC (12 years, 6 months ago) by green
Branches: MAIN
Diff to: previous 1.114
Changes since revision 1.114: +3 -3 lines
8 -> NBBY
Revision 1.114
Sat Jun 19 18:43:28 1999 UTC (12 years, 7 months ago) by green
Branches: MAIN
Diff to: previous 1.113
Changes since revision 1.113: +98 -9 lines
This is the much-awaited cleaned up version of IPFW [ug]id support. All relevant changes have been made (including ipfw.8).
Revision 1.103.2.5
Thu Jun 17 13:38:59 1999 UTC (12 years, 7 months ago) by ru
Branches: RELENG_3
Diff to: previous 1.103.2.4; branchpoint 1.103
Changes since revision 1.103.2.4: +11 -3 lines
MFC: Don't accept divert/tee/pipe rules without corresponding option. PR: 10324
Revision 1.113
Fri Jun 11 11:27:35 1999 UTC (12 years, 8 months ago) by ru
Branches: MAIN
Diff to: previous 1.112
Changes since revision 1.112: +11 -3 lines
Don't accept divert/tee/pipe rules without corresponding option. PR: 10324 Reviewed by: luigi
Revision 1.51.2.24
Mon May 24 10:17:24 1999 UTC (12 years, 8 months ago) by luigi
Branches: RELENG_2_2
Diff to: previous 1.51.2.23; branchpoint 1.51
Changes since revision 1.51.2.23: +4 -1 lines
MFC: close pr 10889
Revision 1.103.2.4
Mon May 24 10:09:21 1999 UTC (12 years, 8 months ago) by luigi
Branches: RELENG_3
Diff to: previous 1.103.2.3; branchpoint 1.103
Changes since revision 1.103.2.3: +4 -1 lines
MFC: close PR# kern/10889
Revision 1.112
Mon May 24 10:01:15 1999 UTC (12 years, 8 months ago) by luigi
Branches: MAIN
Diff to: previous 1.111
Changes since revision 1.111: +4 -1 lines
close pr 10889:
+ add a missing call to dn_rule_delete() when flushing firewall rules, thus preventing possible panics due to dangling pointers (this was already done for single rule deletes).
+ improve "usage" output in ipfw(8)
+ add a few checks to ipfw pipe parameters and make it a bit more tolerant of common mistakes (such as specifying kbit instead of Kbit)
PR: kern/10889 Submitted by: Ruslan Ermilov
Revision 1.111
Mon May 3 23:57:28 1999 UTC (12 years, 9 months ago) by billf
Branches: MAIN
Diff to: previous 1.110
Changes since revision 1.110: +10 -5 lines
Add sysctl descriptions to many SYSCTL_XXXs PR: kern/11197 Submitted by: Adrian Chadd <adrian@FreeBSD.org> Reviewed by: billf(spelling/style/minor nits) Looked at by: bde(style)
Revision 1.103.2.3
Mon Apr 26 14:59:02 1999 UTC (12 years, 9 months ago) by luigi
Branches: RELENG_3
CVS tags: RELENG_3_2_PAO_BP, RELENG_3_2_PAO, RELENG_3_2_0_RELEASE
Diff to: previous 1.103.2.2; branchpoint 1.103
Changes since revision 1.103.2.2: +2 -2 lines
MFC: make one pass through the firewall the default.
Revision 1.110
Mon Apr 26 14:57:24 1999 UTC (12 years, 9 months ago) by luigi
Branches: MAIN
CVS tags: PRE_VFS_BIO_NFS_PATCH, PRE_SMP_VMSHARE, POST_VFS_BIO_NFS_PATCH, POST_SMP_VMSHARE
Diff to: previous 1.109
Changes since revision 1.109: +2 -2 lines
Make one pass through the firewall the default. Multiple pass (which only affects dummynet) is too confusing.
Revision 1.109
Sat Apr 24 13:23:48 1999 UTC (12 years, 9 months ago) by dt
Branches: MAIN
Diff to: previous 1.108
Changes since revision 1.108: +2 -2 lines
Use pointer arithmetic as appropriate.
Revision 1.108
Tue Apr 20 14:29:59 1999 UTC (12 years, 9 months ago) by peter
Branches: MAIN
Diff to: previous 1.107
Changes since revision 1.107: +2 -2 lines
s/IPFIREWALL_MODULE/KLD_MODULE/
Revision 1.107
Tue Apr 20 13:32:04 1999 UTC (12 years, 9 months ago) by peter
Branches: MAIN
Diff to: previous 1.106
Changes since revision 1.106: +1 -4 lines
Tidy up some stray / unused stuff in the IPFW package and friends.
- unifdef -DCOMPAT_IPFW (this was on by default already)
- remove traces of in-kernel ip_nat package, it was never committed.
- Make IPFW and DUMMYNET initialize themselves rather than depend on compiled-in hooks in ip_init(). This means they initialize the same way both in-kernel and as kld modules. (IPFW initializes now :-)
Revision 1.106
Sat Apr 17 08:56:38 1999 UTC (12 years, 9 months ago) by peter
Branches: MAIN
Diff to: previous 1.105
Changes since revision 1.105: +3 -50 lines
Oops, forgot this part of lkm code that's been replaced with kld.
Revision 1.103.2.2
Thu Apr 1 14:56:17 1999 UTC (12 years, 10 months ago) by nsayer
Branches: RELENG_3
Diff to: previous 1.103.2.1; branchpoint 1.103
Changes since revision 1.103.2.1: +1 -1 lines
1.103.2.1 merged the changes made in 1.105 to RELENG_3. Fixes the ntoh?() issue when passing bridged packets through ipfw. PR: 10818
Revision 1.103.2.1
Wed Mar 31 14:10:59 1999 UTC (12 years, 10 months ago) by nsayer
Branches: RELENG_3
Diff to: previous 1.103
Changes since revision 1.103: +22 -18 lines
MFC
Revision 1.105
Tue Mar 30 23:45:34 1999 UTC (12 years, 10 months ago) by nsayer
Branches: MAIN
CVS tags: PRE_NEWBUS, POST_NEWBUS
Diff to: previous 1.104
Changes since revision 1.104: +22 -18 lines
Merge from RELENG_2_2, per luigi. Fixes the ntoh?() issue for the firewall code when called from the bridge code. PR: 10818 Submitted by: nsayer Obtained from: luigi
Revision 1.51.2.23
Tue Mar 16 18:10:45 1999 UTC (12 years, 10 months ago) by luigi
Branches: RELENG_2_2
Diff to: previous 1.51.2.22; branchpoint 1.51
Changes since revision 1.51.2.22: +16 -12 lines
MFC: fix "arp- host is not on local net" problem with dummynet, plus cleanup interaction between bridge and ipfw: now bridged pkts are passed to the ipfw code with same field in host order, same as it is done with the ordinary path through ip_input.
Revision 1.104
Tue Feb 16 10:49:52 1999 UTC (12 years, 11 months ago) by dfr
Branches: MAIN
Diff to: previous 1.103
Changes since revision 1.103: +2 -1 lines
* Change sysctl from using linker_set to construct its tree using SLISTs. This makes it possible to change the sysctl tree at runtime.
* Change KLD to find and register any sysctl nodes contained in the loaded file and to unregister them when the file is unloaded.
Reviewed by: Archie Cobbs <archie@whistle.com>, Peter Wemm <peter@netplex.com.au> (well they looked at it anyway)
Revision 1.51.2.22
Sun Jan 10 17:36:58 1999 UTC (13 years, 1 month ago) by luigi
Branches: RELENG_2_2
Diff to: previous 1.51.2.21; branchpoint 1.51
Changes since revision 1.51.2.21: +12 -15 lines
MFC as in 1.102->1.103 (several people reported this problem and are using bridging with -STABLE).
Revision 1.103
Thu Dec 31 07:43:29 1998 UTC (13 years, 1 month ago) by luigi
Branches: MAIN
CVS tags: RELENG_3_BP, RELENG_3_1_0_RELEASE
Branch point for: RELENG_3
Diff to: previous 1.102
Changes since revision 1.102: +22 -24 lines
Partial fix for when ipfw is used with bridging. Bridged packets have all fields in network order, whereas ipfw expects some to be in host order. This resulted in some incorrect matching, e.g. some packets being identified as fragments, or bandwidth not being correctly enforced. (NOTE: this only affects bridge+ipfw; normal ipfw usage was already correct.) Reported-By: Dave Alden and others.
Revision 1.102
Tue Dec 22 20:38:06 1998 UTC (13 years, 1 month ago) by luigi
Branches: MAIN
Diff to: previous 1.101
Changes since revision 1.101: +3 -3 lines
'ip_fw_head' and 'M_IPFW' are also used in ip_dummynet so cannot be static... Reported by: Dave Alden
Revision 1.101
Mon Dec 21 22:40:54 1998 UTC (13 years, 1 month ago) by luigi
Branches: MAIN
Diff to: previous 1.100
Changes since revision 1.100: +52 -10 lines
Recover from previous dummynet screwup
Revision 1.100
Mon Dec 14 18:09:13 1998 UTC (13 years, 1 month ago) by luigi
Branches: MAIN
Diff to: previous 1.99
Changes since revision 1.99: +198 -72 lines
Last bits (I think) of dummynet for -current.
Revision 1.99
Thu Nov 26 18:54:51 1998 UTC (13 years, 2 months ago) by eivind
Branches: MAIN
Diff to: previous 1.98
Changes since revision 1.98: +2 -2 lines
Staticize some more.
Revision 1.98
Sun Nov 15 15:33:52 1998 UTC (13 years, 2 months ago) by bde
Branches: MAIN
Diff to: previous 1.97
Changes since revision 1.97: +2 -2 lines
Finished updating module event handlers to be compatible with modeventhand_t.
Revision 1.97
Fri Oct 16 03:55:01 1998 UTC (13 years, 3 months ago) by peter
Branches: MAIN
CVS tags: RELENG_3_0_0_RELEASE
Diff to: previous 1.96
Changes since revision 1.96: +50 -8 lines
*gulp*. Jordan specifically OK'ed this.. This is the bulk of the support for doing kld modules. Two linker_sets were replaced by SYSINIT()'s. VFS's and exec handlers are self registered. kld is now a superset of lkm. I have converted most of them, they will follow as a separate commit as samples. This all still works as a static a.out kernel using LKM's.
Revision 1.51.2.21
Wed Oct 14 16:29:58 1998 UTC (13 years, 3 months ago) by luigi
Branches: RELENG_2_2
CVS tags: RELENG_2_2_8_RELEASE
Diff to: previous 1.51.2.20; branchpoint 1.51
Changes since revision 1.51.2.20: +5 -1 lines
Fix a potential panic when deleting ipfw rules and packets are trapped into a pipe, and you allow multiple passes through the firewall code with dummynet. It has never hit anyone on -stable because net.inet.ip.fw.one_pass=1 by default. Reported by Philippe Regnauld (who else!) while beating the 3.0 version of dummynet.
Revision 1.51.2.20
Tue Oct 6 09:55:01 1998 UTC (13 years, 4 months ago) by luigi
Branches: RELENG_2_2
Diff to: previous 1.51.2.19; branchpoint 1.51
Changes since revision 1.51.2.19: +7 -2 lines
Restore default behaviour for skipto rules, i.e. jump to the first rule greater or equal to the jump target.
Revision 1.51.2.19
Fri Sep 18 20:53:08 1998 UTC (13 years, 4 months ago) by luigi
Branches: RELENG_2_2
Diff to: previous 1.51.2.18; branchpoint 1.51
Changes since revision 1.51.2.18: +11 -2 lines
remove a diagnostic message and fix statistics when using ipfw on bridged packets
Revision 1.51.2.18
Thu Sep 17 18:02:25 1998 UTC (13 years, 4 months ago) by luigi
Branches: RELENG_2_2
Diff to: previous 1.51.2.17; branchpoint 1.51
Changes since revision 1.51.2.17: +194 -42 lines
bring DUMMYNET and BRIDGE support into -stable
decouple BPF and PROMISC handling on some if drivers
make ipstat available through sysctl (already in -current)
NOTE: you have to recompile ipfw!
Revision 1.96
Sun Aug 23 03:07:14 1998 UTC (13 years, 5 months ago) by wollman
Branches: MAIN
Diff to: previous 1.95
Changes since revision 1.95: +114 -154 lines
Yow! Completely change the way socket options are handled, eliminating another specialized mbuf type in the process. Also clean up some of the cruft surrounding IPFW, multicast routing, RSVP, and other ill-explored corners.
Revision 1.95
Tue Aug 11 19:08:42 1998 UTC (13 years, 6 months ago) by bde
Branches: MAIN
Diff to: previous 1.94
Changes since revision 1.94: +6 -5 lines
Fixed printf format errors (ntohl() returns in_addr_t = u_int32_t != long on some 64-bit systems). print_ip() should use inet_ntoa() instead of bloated inline code with 4 ntohl()s.
Revision 1.94
Mon Aug 3 17:23:37 1998 UTC (13 years, 6 months ago) by dfr
Branches: MAIN
Diff to: previous 1.93
Changes since revision 1.93: +9 -9 lines
Use explicitly sized types when digging through packet headers. Reviewed by: Julian Elischer <julian@whistle.com>
Revision 1.51.2.17
Sat Jul 18 23:30:51 1998 UTC (13 years, 6 months ago) by alex
Branches: RELENG_2_2
CVS tags: RELENG_2_2_7_RELEASE
Diff to: previous 1.51.2.16; branchpoint 1.51
Changes since revision 1.51.2.16: +5 -2 lines
MFC (rev 1.93): don't log ICMP type and subtype for non-zero offset packet fragments.
Revision 1.93
Sat Jul 18 23:27:15 1998 UTC (13 years, 6 months ago) by alex
Branches: MAIN
Diff to: previous 1.92
Changes since revision 1.92: +5 -2 lines
Don't log ICMP type and subtype for non-zero offset packet fragments.
Revision 1.51.2.16
Mon Jul 6 08:29:47 1998 UTC (13 years, 7 months ago) by julian
Branches: RELENG_2_2
Diff to: previous 1.51.2.15; branchpoint 1.51
Changes since revision 1.51.2.15: +4 -3 lines
Clean up some oversights on the last commits; hopefully catches the corner cases.
Revision 1.92
Mon Jul 6 03:20:13 1998 UTC (13 years, 7 months ago) by julian
Branches: MAIN
Diff to: previous 1.91
Changes since revision 1.91: +40 -5 lines
Support for IPFW based transparent forwarding. Any packet that can be matched by a ipfw rule can be redirected transparently to another port or machine. Redirection to another port mostly makes sense with tcp, where a session can be set up between a proxy and an unsuspecting client. Redirection to another machine requires that the other machine also be expecting to receive the forwarded packets, as their headers will not have been modified. /sbin/ipfw must be recompiled!!! Reviewed by: Peter Wemm <peter@freebsd.org> Submitted by: Chrisy Luke <chrisy@flix.net>
Revision 1.91
Thu Jul 2 05:49:08 1998 UTC (13 years, 7 months ago) by julian
Branches: MAIN
CVS tags: PRE_NOBDEV
Diff to: previous 1.90
Changes since revision 1.90: +1 -31 lines
Remove the option to keep IPFW diversion backwards compatible WRT diversion reinjection. No-one has been bitten by the new behaviour that I know of.
Revision 1.51.2.15
Wed Jul 1 01:38:35 1998 UTC (13 years, 7 months ago) by julian
Branches: RELENG_2_2
Diff to: previous 1.51.2.14; branchpoint 1.51
Changes since revision 1.51.2.14: +25 -26 lines
MFC: merge in some minor cleanups for IP divert
Revision 1.90
Sun Jun 21 14:53:30 1998 UTC (13 years, 7 months ago) by bde
Branches: MAIN
Diff to: previous 1.89
Changes since revision 1.89: +1 -2 lines
Removed unused includes.
Revision 1.89
Fri Jun 12 20:03:26 1998 UTC (13 years, 8 months ago) by julian
Branches: MAIN
Diff to: previous 1.88
Changes since revision 1.88: +2 -2 lines
Remove 3 occurrences of __FUNCTION__
Revision 1.88
Sat Jun 6 20:45:26 1998 UTC (13 years, 8 months ago) by julian
Branches: MAIN
Diff to: previous 1.87
Changes since revision 1.87: +5 -5 lines
Fix wrong data type for a pointer.
Revision 1.87
Sat Jun 6 19:39:08 1998 UTC (13 years, 8 months ago) by julian
Branches: MAIN
Diff to: previous 1.86
Changes since revision 1.86: +22 -22 lines
clean up the changes made to ipfw over the last weeks (should make the ipfw lkm work again)
Revision 1.86
Fri Jun 5 23:33:26 1998 UTC (13 years, 8 months ago) by julian
Branches: MAIN
Diff to: previous 1.85
Changes since revision 1.85: +6 -1 lines
Reviewed by: Kirk Mckusick (mckusick@mckusick.com) Submitted by: Luoqi Chen fix a typo in fsck. (also add a comment that got picked up by mistake but is worth adding)
Revision 1.85
Fri Jun 5 22:39:53 1998 UTC (13 years, 8 months ago) by julian
Branches: MAIN
Diff to: previous 1.84
Changes since revision 1.84: +13 -13 lines
Reverse the default sense of the IPFW/DIVERT reinjection code so that the new behaviour is now default. Solves the "infinite loop in diversion" problem when more than one diversion is active. Man page changes follow. The new code is in -stable as the NON default option.
Revision 1.51.2.14
Fri Jun 5 21:38:07 1998 UTC (13 years, 8 months ago) by julian
Branches: RELENG_2_2
Diff to: previous 1.51.2.13; branchpoint 1.51
Changes since revision 1.51.2.13: +37 -2 lines
MFC: add option to fix divert infinite loop
Revision 1.84
Mon May 25 10:37:44 1998 UTC (13 years, 8 months ago) by julian
Branches: MAIN
Diff to: previous 1.83
Changes since revision 1.83: +36 -1 lines
Add optional code to change the way that divert and ipfw work together. Prior to this change, accidental recursion protection was done by the diverted daemon feeding back the divert port number it got the packet on, as the port number on a sendto(). IPFW knew not to redivert a packet to this port (again). Processing of the ruleset started at the beginning again, skipping that divert port. The new semantic (which is how we should have done it the first time) is that the port number in the sendto() is the rule number AFTER which processing should restart, and on a recvfrom(), the port number is the rule number which caused the diversion. This is much more flexible, and also more intuitive. If the user uses the same sockaddr received when resending, processing resumes at the rule number following that that caused the diversion. The user can however select to resume rule processing at any rule. (0 is restart at the beginning) To enable the new code use option IPFW_DIVERT_RESTART. This should become the default as soon as people have looked at it a bit.
Revision 1.83
Tue May 19 14:04:29 1998 UTC (13 years, 8 months ago) by dg
Branches: MAIN
Diff to: previous 1.82
Changes since revision 1.82: +2 -1 lines
Added fast IP forwarding code by Matt Thomas <matt@3am-software.com> via NetBSD, ported to FreeBSD by Pierre Beyssac <pb@fasterix.freenix.org> and minorly tweaked by me. This is a standard part of FreeBSD, but must be enabled with: "sysctl -w net.inet.ip.fastforwarding=1" ...and of course forwarding must also be enabled. This should probably be modified to use the zone allocator for speed and space efficiency. The current algorithm also appears to lose if the number of active paths exceeds IPFLOW_MAX (256), in which case it wastes lots of time trying to figure out which cache entry to drop.
Revision 1.82
Tue Apr 21 18:54:53 1998 UTC (13 years, 9 months ago) by julian
Branches: MAIN
Diff to: previous 1.81
Changes since revision 1.81: +40 -13 lines
Remove the artificial limit on the size of the ipfw filter structure. This allows the addition of extra fields if we need them (I have plans).
Revision 1.81
Wed Apr 15 17:46:51 1998 UTC (13 years, 9 months ago) by bde
Branches: MAIN
CVS tags: PRE_DEVFS_SLICE, POST_DEVFS_SLICE
Diff to: previous 1.80
Changes since revision 1.80: +8 -4 lines
Support compiling with `gcc -ansi'.
Revision 1.80
Mon Mar 30 09:52:50 1998 UTC (13 years, 10 months ago) by phk
Branches: MAIN
Diff to: previous 1.79
Changes since revision 1.79: +2 -2 lines
Eradicate the variable "time" from the kernel, using various measures. "time" wasn't an atomic variable, so splfoo() protections were needed around any access to it, unless you just wanted the seconds part. Most uses of time.tv_sec now use the new variable time_second instead. gettime() changed to getmicrotime(). Remove a couple of unneeded splfoo() protections, the new getmicrotime() is atomic, (until Bruce sets a breakpoint in it). A couple of places needed random data, so use read_random() instead of mucking about with time which isn't random. Add a new nfs_curusec() function. Mark a couple of bogosities involving the now disappeared time variable. Update ffs_update() to avoid the weird "== &time" checks, by fixing the one remaining call that passed &time as args. Change profiling in ncr.c to use ticks instead of time. Resolution is the same. Add new function "tvtohz()" to avoid the bogus "splfoo(), add time, call hzto() which subtracts time" sequences. Reviewed by: bde
Revision 1.51.2.13
Sun Mar 29 15:01:13 1998 UTC (13 years, 10 months ago) by alex
Branches: RELENG_2_2
Diff to: previous 1.51.2.12; branchpoint 1.51
Changes since revision 1.51.2.12: +21 -4 lines
MFC (rev 1.79): Allow ICMP unreachable messages to be sent in response to ICMP query packets.
Revision 1.79
Sun Mar 15 00:36:27 1998 UTC (13 years, 11 months ago) by alex
Branches: MAIN
Diff to: previous 1.78
Changes since revision 1.78: +21 -4 lines
Allow ICMP unreachable messages to be sent in response to ICMP query packets (as per Stevens volume 1 section 6.2).
Revision 1.51.2.12
Fri Feb 13 01:58:13 1998 UTC (14 years ago) by alex
Branches: RELENG_2_2
CVS tags: RELENG_2_2_6_RELEASE
Diff to: previous 1.51.2.11; branchpoint 1.51
Changes since revision 1.51.2.11: +35 -3 lines
MFC: correct handling of fragmented packets.
Revision 1.78
Thu Feb 12 00:57:04 1998 UTC (14 years ago) by alex
Branches: MAIN
CVS tags: PRE_SOFTUPDATE, POST_SOFTUPDATE
Diff to: previous 1.77
Changes since revision 1.77: +35 -3 lines
Alter ipfw's behavior with respect to fragmented packets when the packet
offset is non-zero:
- Do not match fragmented packets if the rule specifies a port or
TCP flags
- Match fragmented packets if the rule does not specify a port and
TCP flags
Since ipfw cannot examine port numbers or TCP flags for such packets,
it is now illegal to specify the 'frag' option with either ports or
tcpflags. Both kernel and ipfw userland utility will reject rules
containing a combination of these options.
BEWARE: packets that were previously passed may now be rejected, and
vice versa.
Reviewed by: Archie Cobbs <archie@whistle.com>
Revision 1.77
Mon Feb 9 06:10:10 1998 UTC (14 years ago) by eivind
Branches: MAIN
Diff to: previous 1.76
Changes since revision 1.76: +2 -2 lines
Staticize.
Revision 1.51.2.11
Sat Feb 7 00:28:25 1998 UTC (14 years ago) by alex
Branches: RELENG_2_2
Diff to: previous 1.51.2.10; branchpoint 1.51
Changes since revision 1.51.2.10: +13 -5 lines
MFC (rev 1.75): suppress display of TCP/UDP port numbers for fragmented packets when IP offset != 0.
Revision 1.76: download - view: text, markup, annotated - select for diffs
Fri Feb 6 12:13:51 1998 UTC (14 years ago) by eivind
Branches: MAIN
Diff to: previous 1.75: preferred, colored
Changes since revision 1.75: +1 -2 lines
Back out DIAGNOSTIC changes.
Revision 1.75: download - view: text, markup, annotated - select for diffs
Fri Feb 6 02:45:54 1998 UTC (14 years ago) by alex
Branches: MAIN
Diff to: previous 1.74: preferred, colored
Changes since revision 1.74: +13 -5 lines
Don't attempt to display information which we don't have: specifically, TCP and UDP port numbers in fragmented packets when IP offset != 0. 2.2.6 candidate. Discovered by: Marc Slemko <marcs@znep.com> Submitted by: Archie Cobbs <archie@whistle.com> w/fix from me
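Added example (my own code, not anything from ip_fw.c or the ipfw utility) of the fragment handling that the rev 1.78 entry above spells out and the logging fix in rev 1.75: a simplified rule and packet representation that I made up for the purpose, a validity check that refuses 'frag' combined with ports or tcpflags, a matcher that lets a fragment with a non-zero offset match only rules that do not look at ports or TCP flags, and a log formatter that prints ports only when the packet actually carries them. The struct names and fields are assumptions; IP_OFFMASK, IP_MF and the TH_* values are the standard <netinet> constants.

```c
/*
 * Added example, not code from FreeBSD's ip_fw.c: how a stateless filter
 * must treat IP fragments with a non-zero offset, as the rev 1.78 (matching)
 * and rev 1.75 (logging) commit messages describe.  The rule and packet
 * structs are simplified stand-ins for struct ip_fw and the mbuf chain.
 *
 * Only the first fragment carries the TCP/UDP header.  In any later fragment
 * the ports and TCP flags do not exist, so a rule that constrains them
 * cannot be evaluated and must not match, and a log line must not print
 * "ports" read from whatever payload bytes sit where the header would be.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_OFFMASK 0x1fff   /* fragment offset in 8-byte units (<netinet/ip.h>) */
#define IP_MF      0x2000   /* more fragments follow */
#define TH_SYN     0x02
#define TH_ACK     0x10

struct frule {              /* assumed, simplified rule */
    uint16_t sport, dport;  /* 0 = any */
    uint8_t  tcpf_set;      /* TCP flags that must be set */
    uint8_t  tcpf_clr;      /* TCP flags that must be clear */
};

struct pkt {                /* constructed packet summary */
    uint16_t ip_off;        /* host order: MF/DF bits | fragment offset */
    uint16_t sport, dport;  /* meaningful only when the offset is zero */
    uint8_t  th_flags;
};

static bool is_later_fragment(const struct pkt *p)
{
    return (p->ip_off & IP_OFFMASK) != 0;   /* MF alone still means "first" */
}

static bool rule_needs_l4(const struct frule *r)
{
    return r->sport || r->dport || r->tcpf_set || r->tcpf_clr;
}

/* Insertion-time check (rev 1.78): 'frag' together with ports or tcpflags
 * can never match, so ip_fw_ctl should refuse the rule with EINVAL. */
static bool rule_is_valid(const struct frule *r, bool frag_opt)
{
    return !(frag_opt && rule_needs_l4(r));
}

/* Transport-level match.  A later fragment matches only rules that do not
 * look at ports or flags; a first fragment is compared normally.  The
 * set/clear pair lets a rule say "SYN but not ACK", i.e. a connection setup. */
static bool l4_match(const struct frule *r, const struct pkt *p)
{
    if (is_later_fragment(p))
        return !rule_needs_l4(r);
    if (r->sport && r->sport != p->sport)
        return false;
    if (r->dport && r->dport != p->dport)
        return false;
    if ((p->th_flags & r->tcpf_set) != r->tcpf_set)
        return false;
    if (p->th_flags & r->tcpf_clr)
        return false;
    return true;
}

/* Log text (rev 1.75): show ports only when the packet actually has them.
 * Returns a static buffer, which is fine for this single-threaded demo. */
static const char *describe(const struct pkt *p)
{
    static char buf[64];
    if (is_later_fragment(p))
        snprintf(buf, sizeof buf, "fragment offset %u",
                 (unsigned)(p->ip_off & IP_OFFMASK) * 8);
    else
        snprintf(buf, sizeof buf, "%u -> %u", (unsigned)p->sport, (unsigned)p->dport);
    return buf;
}

int main(void)
{
    struct frule smtp  = { .dport = 25 };
    struct pkt   first = { .ip_off = IP_MF, .sport = 40000, .dport = 25, .th_flags = TH_SYN };
    struct pkt   later = { .ip_off = 0x0010 };   /* offset 16 * 8 = 128 bytes */

    printf("first fragment: match=%d (%s)\n", l4_match(&smtp, &first), describe(&first));
    printf("later fragment: match=%d (%s)\n", l4_match(&smtp, &later), describe(&later));
    return 0;
}
```

The first fragment of a mail connection matches the port-25 rule and is described with its ports; the later fragment of the same datagram does not match that rule at all, but would match a rule with no port or flag constraint, which is exactly the "packets previously passed may now be rejected, and vice versa" warning in rev 1.78.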
Revision 1.74: download - view: text, markup, annotated - select for diffs
Wed Feb 4 22:33:07 1998 UTC (14 years ago) by eivind
Branches: MAIN
Diff to: previous 1.73: preferred, colored
Changes since revision 1.73: +2 -1 lines
Turn DIAGNOSTIC into a new-style option.
Revision 1.73: download - view: text, markup, annotated - select for diffs
Thu Jan 8 23:41:52 1998 UTC (14 years, 1 month ago) by eivind
Branches: MAIN
Diff to: previous 1.72: preferred, colored
Changes since revision 1.72: +5 -1 lines
Make INET a proper option. This will not make any of object files that LINT create change; there might be differences with INET disabled, but hardly anything compiled before without INET anyway. Now the 'obvious' things will give a proper error if compiled without inet - ipx_ip, ipfw, tcp_debug. The only thing that _should_ work (but can't be made to compile reasonably easily) is sppp :-( This commit move struct arpcom from <netinet/if_ether.h> to <net/if_arp.h>.
Revision 1.72: download - view: text, markup, annotated - select for diffs
Thu Jan 8 03:03:53 1998 UTC (14 years, 1 month ago) by alex
Branches: MAIN
Diff to: previous 1.71: preferred, colored
Changes since revision 1.71: +6 -6 lines
Bump up packet and byte counters to 64-bit unsigned ints. As a
consequence, ipfw's list command now adjusts its output at runtime
based on the largest packet/byte counter values.
NOTE:
o The ipfw struct has changed requiring a recompile of both kernel
and userland ipfw utility.
o This probably should not be brought into 2.2.
PR: 3738
Revision 1.71: download - view: text, markup, annotated - select for diffs
Mon Jan 5 00:57:15 1998 UTC (14 years, 1 month ago) by alex
Branches: MAIN
Diff to: previous 1.70: preferred, colored
Changes since revision 1.70: +22 -22 lines
Use LIST_FIRST/LIST_NEXT macros instead of accessing the fields lh_first and le_next.
Revision 1.51.2.10: download - view: text, markup, annotated - select for diffs
Mon Jan 5 00:14:54 1998 UTC (14 years, 1 month ago) by alex
Branches: RELENG_2_2
Diff to: previous 1.51.2.9: preferred, colored; branchpoint 1.51: preferred, colored
Changes since revision 1.51.2.9: +3 -3 lines
MFC (rev 1.70): missing parens.
Revision 1.70: download - view: text, markup, annotated - select for diffs
Mon Jan 5 00:14:05 1998 UTC (14 years, 1 month ago) by alex
Branches: MAIN
Diff to: previous 1.69: preferred, colored
Changes since revision 1.69: +3 -3 lines
Added missing parens from previous commit.
Revision 1.51.2.9: download - view: text, markup, annotated - select for diffs
Mon Jan 5 00:11:16 1998 UTC (14 years, 1 month ago) by alex
Branches: RELENG_2_2
Diff to: previous 1.51.2.8: preferred, colored; branchpoint 1.51: preferred, colored
Changes since revision 1.51.2.8: +3 -2 lines
MFC (rev 1.69): ICMP type fix.
Revision 1.69: download - view: text, markup, annotated - select for diffs
Mon Jan 5 00:08:57 1998 UTC (14 years, 1 month ago) by alex
Branches: MAIN
Diff to: previous 1.68: preferred, colored
Changes since revision 1.68: +3 -2 lines
Bound the ICMP type bitmap now that it doesn't cover all possible ICMP type values.
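Added example (my own code, not from ip_fw.c) covering two ICMP points from the entries above: the bounded ICMP type bitmap of rev 1.69 and rev 1.37, and the rev 1.79 rule that an ICMP unreachable may be sent in reply to an ICMP query but never in reply to an ICMP error. The 32-bit bitmap width, the icmp_rule struct and the function names are my assumptions; the ICMP type numbers are the standard <netinet/ip_icmp.h> values.

```c
/*
 * Added example, not code from FreeBSD's ip_fw.c.  Rev 1.37/1.69: a per-rule
 * bitmap of permitted ICMP types has to be bounds-checked before it is
 * indexed, because the 8-bit type comes from the sender and the bitmap no
 * longer covers 0..255.  Rev 1.79: a rejected ICMP packet may be answered
 * with an ICMP unreachable only if it was a query, never if it was itself an
 * ICMP error (Stevens, TCP/IP Illustrated vol. 1, 6.2; RFC 1122, 3.2.2),
 * and never for a later fragment.  The 32-bit width and the struct are
 * my assumptions.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IPPROTO_ICMP 1
#define IPPROTO_TCP  6

/* ICMP type numbers as in <netinet/ip_icmp.h>. */
#define ICMP_ECHOREPLY     0
#define ICMP_UNREACH       3
#define ICMP_SOURCEQUENCH  4
#define ICMP_REDIRECT      5
#define ICMP_ECHO          8
#define ICMP_TIMXCEED     11
#define ICMP_PARAMPROB    12
#define ICMP_TSTAMP       13
#define ICMP_MASKREQ      17

#define ICMP_BITMAP_BITS 32   /* assumed: the rule bitmap covers types 0..31 */

struct icmp_rule {
    bool     use_types;       /* rule carries an 'icmptypes' clause */
    uint32_t types;           /* bit n set = type n permitted */
};

/* Build a rule from a list of types; out-of-range entries are dropped here,
 * and ipfw(8) should refuse them outright. */
static struct icmp_rule icmp_rule_for(unsigned count, const uint8_t *list)
{
    struct icmp_rule r = { .use_types = true, .types = 0 };
    for (unsigned i = 0; i < count; i++)
        if (list[i] < ICMP_BITMAP_BITS)
            r.types |= 1u << list[i];
    return r;
}

/* Bounded lookup (rev 1.69).  Without the range test a type such as 200
 * would shift by 200 bits (undefined behaviour) or, with an array-backed
 * bitmap, read past the end of the rule. */
static bool icmp_type_match(struct icmp_rule r, uint8_t type)
{
    if (!r.use_types)
        return true;
    if (type >= ICMP_BITMAP_BITS)
        return false;
    return (r.types & (1u << type)) != 0;
}

/* RFC 1122 3.2.2: these are ICMP error messages; everything else is a query. */
static bool icmp_is_error(uint8_t type)
{
    switch (type) {
    case ICMP_UNREACH: case ICMP_SOURCEQUENCH: case ICMP_REDIRECT:
    case ICMP_TIMXCEED: case ICMP_PARAMPROB:
        return true;
    default:
        return false;
    }
}

/* May a 'reject' rule answer this packet with an ICMP unreachable?
 * first_fragment is false for a later fragment, whose ICMP type is unknown
 * and which must never trigger an ICMP error anyway. */
static bool may_send_unreach(uint8_t ip_proto, bool first_fragment, uint8_t icmp_type)
{
    if (!first_fragment)
        return false;
    if (ip_proto != IPPROTO_ICMP)
        return true;
    return !icmp_is_error(icmp_type);   /* answer queries, stay silent on errors */
}

int main(void)
{
    const uint8_t allowed[] = { ICMP_ECHO, ICMP_TSTAMP };
    struct icmp_rule r = icmp_rule_for(2, allowed);

    printf("echo matches: %d, type 200 matches: %d\n",
           icmp_type_match(r, ICMP_ECHO), icmp_type_match(r, 200));
    printf("reply to echo: %d, reply to unreach: %d\n",
           may_send_unreach(IPPROTO_ICMP, true, ICMP_ECHO),
           may_send_unreach(IPPROTO_ICMP, true, ICMP_UNREACH));
    return 0;
}
```

The error/query split matters for more than standards compliance: two hosts that each answered ICMP errors with ICMP errors would ping-pong forever, which is why the kernel's icmp_error() refuses to do it and why a firewall that sends unreachables must make the same distinction.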
Revision 1.68: download - view: text, markup, annotated - select for diffs
Sun Jan 4 22:36:12 1998 UTC (14 years, 1 month ago) by alex
Branches: MAIN
Diff to: previous 1.67: preferred, colored
Changes since revision 1.67: +42 -17 lines
Reduce the amount of time that network interrupts are blocked while zeroing & deleting rules. Return EINVAL when zeroing an nonexistent entry.
Revision 1.51.2.8: download - view: text, markup, annotated - select for diffs
Sun Dec 28 16:49:37 1997 UTC (14 years, 1 month ago) by alex
Branches: RELENG_2_2
Diff to: previous 1.51.2.7: preferred, colored; branchpoint 1.51: preferred, colored
Changes since revision 1.51.2.7: +8 -7 lines
MFC (rev 1.67): restore commented out logging.
Revision 1.67: download - view: text, markup, annotated - select for diffs
Sat Dec 27 18:44:56 1997 UTC (14 years, 1 month ago) by alex
Branches: MAIN
Diff to: previous 1.66: preferred, colored
Changes since revision 1.66: +8 -7 lines
Bring back part of rev 1.44 which was commented out by rev 1.58. Reviewed by: nate
Revision 1.51.2.7: download - view: text, markup, annotated - select for diffs
Fri Dec 19 03:50:49 1997 UTC (14 years, 1 month ago) by julian
Branches: RELENG_2_2
Diff to: previous 1.51.2.6: preferred, colored; branchpoint 1.51: preferred, colored
Changes since revision 1.51.2.6: +10 -9 lines
Obtained from: Whistle production tree MFC: Fix horrendous kernel stack overwrite bug when ipfw was used to implement the "reset tcp" firewall command. Add a comment in the tcp code to stop others ever making the same mistake.
Revision 1.66: download - view: text, markup, annotated - select for diffs
Fri Dec 19 03:36:15 1997 UTC (14 years, 1 month ago) by julian
Branches: MAIN
Diff to: previous 1.65: preferred, colored
Changes since revision 1.65: +10 -9 lines
Fix an incredibly horrible bug in the ipfw code where if you are using the "reset tcp" firewall command, the kernel would write ethernet headers onto random kernel stack locations. Fought to the death by: terry, julian, archie. fix valid for 2.2 series as well.
Revision 1.51.2.6: download - view: text, markup, annotated - select for diffs
Sat Nov 22 13:00:48 1997 UTC (14 years, 2 months ago) by alex
Branches: RELENG_2_2
Diff to: previous 1.51.2.5: preferred, colored; branchpoint 1.51: preferred, colored
Changes since revision 1.51.2.5: +16 -8 lines
Bring in compile time override of default rule from -current. PR: 5068
Revision 1.65: download - view: text, markup, annotated - select for diffs
Wed Nov 5 20:17:19 1997 UTC (14 years, 3 months ago) by joerg
Branches: MAIN
Diff to: previous 1.64: preferred, colored
Changes since revision 1.64: +2 -1 lines
Make IPDIVERT a supported option. Alas, in_var.h depends on it, I hope I've found out all files that actually depend on this dependency. IMHO, it's not very good practice to change the size of internal structs depending on kernel options.
Revision 1.64: download - view: text, markup, annotated - select for diffs
Sun Oct 12 20:25:25 1997 UTC (14 years, 4 months ago) by phk
Branches: MAIN
Diff to: previous 1.63: preferred, colored
Changes since revision 1.63: +3 -1 lines
Last major round (Unless Bruce thinks of something :-) of malloc changes. Distribute all but the most fundamental malloc types. This time I also remembered the trick to making things static: Put "static" in front of them. A couple of finer points by: bde
Revision 1.63: download - view: text, markup, annotated - select for diffs
Wed Sep 10 03:07:14 1997 UTC (14 years, 5 months ago) by peter
Branches: MAIN
Diff to: previous 1.62: preferred, colored
Changes since revision 1.62: +16 -8 lines
Allow a compile-time override of the ipfw deny rule. For a 'firewall' you don't want this (and the documentation explains why), but if you use ipfw as an as-needed casual filter which normally runs as 'allow all' then having the kernel and /sbin/ipfw get out of sync is a *MAJOR* pain in the behind. PR: 4141 Submitted by: Heikki Suonsivu <hsu@mail.clinet.fi>
Revision 1.51.2.5: download - view: text, markup, annotated - select for diffs
Sat Aug 23 14:31:52 1997 UTC (14 years, 5 months ago) by alex
Branches: RELENG_2_2
CVS tags: RELENG_2_2_5_RELEASE
Diff to: previous 1.51.2.4: preferred, colored; branchpoint 1.51: preferred, colored
Changes since revision 1.51.2.4: +5 -4 lines
Merge from -current: fixed logging of verbose limited packets.
Revision 1.62: download - view: text, markup, annotated - select for diffs
Sat Aug 23 14:28:22 1997 UTC (14 years, 5 months ago) by alex
Branches: MAIN
Diff to: previous 1.61: preferred, colored
Changes since revision 1.61: +5 -4 lines
Fixed logging of verbose limited packets. PR: 4351 Submitted by: Ron Bickers <rbickers@intercenter.net>
Revision 1.51.2.4: download - view: text, markup, annotated - select for diffs
Wed Aug 6 00:22:59 1997 UTC (14 years, 6 months ago) by alex
Branches: RELENG_2_2
Diff to: previous 1.51.2.3: preferred, colored; branchpoint 1.51: preferred, colored
Changes since revision 1.51.2.3: +2 -1 lines
Merge from -current: ensure termination of interface name.
Revision 1.61: download - view: text, markup, annotated - select for diffs
Wed Aug 6 00:19:05 1997 UTC (14 years, 6 months ago) by alex
Branches: MAIN
Diff to: previous 1.60: preferred, colored
Changes since revision 1.60: +2 -1 lines
Ensure that the interface name is terminated.
Revision 1.60: download - view: text, markup, annotated - select for diffs
Sat Aug 2 14:32:51 1997 UTC (14 years, 6 months ago) by bde
Branches: MAIN
Diff to: previous 1.59: preferred, colored
Changes since revision 1.59: +1 -4 lines
Removed unused #includes.
Revision 1.51.2.3: download - view: text, markup, annotated - select for diffs
Fri Jun 20 23:05:33 1997 UTC (14 years, 7 months ago) by julian
Branches: RELENG_2_2
Diff to: previous 1.51.2.2: preferred, colored; branchpoint 1.51: preferred, colored
Changes since revision 1.51.2.2: +387 -199 lines
YACFC bring back the ipfirewall changes this allows a more secure firewall and to reject TCP requests correctly Submitted by: Whistle Communications user-mode changes to follow.
Revision 1.59: download - view: text, markup, annotated - select for diffs
Wed Jun 4 22:09:15 1997 UTC (14 years, 8 months ago) by julian
Branches: MAIN
CVS tags: WOLLMAN_MBUF, BP_WOLLMAN_MBUF
Diff to: previous 1.58: preferred, colored
Changes since revision 1.58: +11 -12 lines
make it compile with -Wall Submitted by: Archie Cobbs, archie@whistle.com
Revision 1.58: download - view: text, markup, annotated - select for diffs
Mon Jun 2 05:02:36 1997 UTC (14 years, 8 months ago) by julian
Branches: MAIN
Diff to: previous 1.57: preferred, colored
Changes since revision 1.57: +385 -196 lines
Submitted by: Whistle Communications (Archie Cobbs) these are quite extensive additions to the ipfw code. they include a change to the API because the old method was broken, but the user view is kept the same. The new code allows a particular match to skip forward to a particular line number, so that blocks of rules can be used without checking all the intervening rules. There are also many more ways of rejecting connections especially TCP related, and many many more ... see the man page for a complete description.
Revision 1.14.4.11: download - view: text, markup, annotated - select for diffs
Tue May 6 02:21:28 1997 UTC (14 years, 9 months ago) by alex
Branches: RELENG_2_1_0
Diff to: previous 1.14.4.10: preferred, colored; branchpoint 1.14: preferred, colored
Changes since revision 1.14.4.10: +2 -1 lines
Merge from -current: create default rule with IP_FW_F_IN | IP_FW_F_OUT.
Revision 1.51.2.2: download - view: text, markup, annotated - select for diffs
Tue May 6 02:18:52 1997 UTC (14 years, 9 months ago) by alex
Branches: RELENG_2_2
CVS tags: RELENG_2_2_2_RELEASE
Diff to: previous 1.51.2.1: preferred, colored; branchpoint 1.51: preferred, colored
Changes since revision 1.51.2.1: +2 -1 lines
Merge from -current: create default rule with IP_FW_F_IN | IP_FW_F_OUT.
Revision 1.57: download - view: text, markup, annotated - select for diffs
Tue May 6 02:12:18 1997 UTC (14 years, 9 months ago) by alex
Branches: MAIN
Diff to: previous 1.56: preferred, colored
Changes since revision 1.56: +2 -1 lines
Create the default rule with flags IP_FW_F_IN | IP_FW_F_OUT. Closes PR#3100.
Revision 1.56: download - view: text, markup, annotated - select for diffs
Sun Apr 6 11:09:03 1997 UTC (14 years, 10 months ago) by dufault
Branches: MAIN
CVS tags: pre_smp_merge, post_smp_merge
Diff to: previous 1.55: preferred, colored
Changes since revision 1.55: +3 -2 lines
Make MOD_* macros almost consistent: Use the name argument almost the same in all LKM types. Maintain the current behavior for the external (e.g., modstat) name for DEV, EXEC, and MISC types being #name ## "_mod" and SYSCALL and VFS only #name. This is a candidate for change and I vote just the name without the "_mod". Change the DISPATCH macro to MOD_DISPATCH for consistency with the other macros. Add an LKM_ANON #define to eliminate the magic -1 and associated signed/unsigned warnings. Add MOD_PRIVATE to support wcd.c's poking around in the lkm structure. Change source in tree to use the new interface. Reviewed by: Bruce Evans
Revision 1.55: download - view: text, markup, annotated - select for diffs
Sat Feb 22 09:41:32 1997 UTC (14 years, 11 months ago) by peter
Branches: MAIN
Diff to: previous 1.54: preferred, colored
Changes since revision 1.54: +1 -1 lines
Back out part 1 of the MCFH that changed $Id$ to $FreeBSD$. We are not ready for it yet.
Revision 1.51.2.1: download - view: text, markup, annotated - select for diffs
Wed Jan 29 13:15:42 1997 UTC (15 years ago) by adam
Branches: RELENG_2_2
CVS tags: WHISTLE_SET_1, WHISTLE_NET_BRANCH_1, WHISTLE_BP1, RELENG_2_2_1_RELEASE, RELENG_2_2_0_RELEASE
Diff to: previous 1.51: preferred, colored
Changes since revision 1.51: +5 -3 lines
merge improvements from -current
("not" keyword)
Revision 1.54: download - view: text, markup, annotated - select for diffs
Thu Jan 16 21:04:01 1997 UTC (15 years ago) by adam
Branches: MAIN
Diff to: previous 1.53: preferred, colored
Changes since revision 1.53: +4 -2 lines
implement "not" keyword for inverting the address logic
Revision 1.53: download - view: text, markup, annotated - select for diffs
Tue Jan 14 06:48:54 1997 UTC (15 years ago) by jkh
Branches: MAIN
Diff to: previous 1.52: preferred, colored
Changes since revision 1.52: +1 -1 lines
Make the long-awaited change from $Id$ to $FreeBSD$ This will make a number of things easier in the future, as well as (finally!) avoiding the Id-smashing problem which has plagued developers for so long. Boy, I'm glad we're not using sup anymore. This update would have been insane otherwise.
Revision 1.52: download - view: text, markup, annotated - select for diffs
Fri Dec 13 21:28:56 1996 UTC (15 years, 2 months ago) by wollman
Branches: MAIN
Diff to: previous 1.51: preferred, colored
Changes since revision 1.51: +4 -3 lines
Convert the interface address and IP interface address structures to TAILQs. Fix places which referenced these for no good reason that I can see (the references remain, but were fixed to compile again; they are still questionable).
Revision 1.14.4.10: download - view: text, markup, annotated - select for diffs
Tue Nov 12 17:31:31 1996 UTC (15 years, 3 months ago) by jkh
Branches: RELENG_2_1_0
CVS tags: RELENG_2_1_7_RELEASE, RELENG_2_1_6_RELEASE, RELENG_2_1_6_1_RELEASE
Diff to: previous 1.14.4.9: preferred, colored; branchpoint 1.14: preferred, colored
Changes since revision 1.14.4.9: +7 -3 lines
Fix the ipfw LKM. Submitted-By: jc@irbs.com (John Capo)
Revision 1.51: download - view: text, markup, annotated - select for diffs
Sat Oct 12 19:49:36 1996 UTC (15 years, 4 months ago) by bde
Branches: MAIN
CVS tags: RELENG_2_2_BP
Branch point for: RELENG_2_2
Diff to: previous 1.50: preferred, colored
Changes since revision 1.50: +2 -1 lines
Removed nested include of <sys/socket.h> from <net/if.h> and <net/if_arp.h> and fixed the things that depended on it. The nested include just allowed unportable programs to compile and made my simple #include checking program report that networking code doesn't need to include <sys/socket.h>.
Revision 1.50: download - view: text, markup, annotated - select for diffs
Sat Oct 12 19:38:50 1996 UTC (15 years, 4 months ago) by alex
Branches: MAIN
Diff to: previous 1.49: preferred, colored
Changes since revision 1.49: +9 -8 lines
Log the interface name which received the packet. Suggested by: Hal Snyder <hsndyer@thoughtport.com>
Revision 1.49: download - view: text, markup, annotated - select for diffs
Sat Aug 31 21:05:20 1996 UTC (15 years, 5 months ago) by alex
Branches: MAIN
Diff to: previous 1.48: preferred, colored
Changes since revision 1.48: +5 -5 lines
Fix the visibility of the sysctl variables. Submitted by: phk
Revision 1.48: download - view: text, markup, annotated - select for diffs
Tue Aug 13 19:43:40 1996 UTC (15 years, 6 months ago) by pst
Branches: MAIN
Diff to: previous 1.47: preferred, colored
Changes since revision 1.47: +44 -91 lines
Completely rewrite handling of protocol field for firewalls, things are now completely consistent across all IP protocols and should be quite a bit faster. Discussed with: fenner & alex
Revision 1.47: download - view: text, markup, annotated - select for diffs
Mon Aug 5 02:35:04 1996 UTC (15 years, 6 months ago) by alex
Branches: MAIN
Diff to: previous 1.46: preferred, colored
Changes since revision 1.46: +36 -21 lines
Filter by IP protocol. Submitted by: fenner (with modifications by me) Use a common prefix string for all warning messages generated during ip_fw_ctl.
Revision 1.46: download - view: text, markup, annotated - select for diffs
Sun Jul 14 21:12:52 1996 UTC (15 years, 7 months ago) by alex
Branches: MAIN
Diff to: previous 1.45: preferred, colored
Changes since revision 1.45: +2 -2 lines
Switch back to logging accepted packets with the text "Allow" instead of "Accept"
Revision 1.45: download - view: text, markup, annotated - select for diffs
Wed Jul 10 19:44:23 1996 UTC (15 years, 7 months ago) by julian
Branches: MAIN
Diff to: previous 1.44: preferred, colored
Changes since revision 1.44: +89 -37 lines
Adding changes to ipfw and the kernel to support ip packet diversion.. This stuff should not be too destructive if the IPDIVERT is not compiled in.. be aware that this changes the size of the ip_fw struct so ipfw needs to be recompiled to use it.. more changes coming to clean this up.
Revision 1.44: download - view: text, markup, annotated - select for diffs
Tue Jul 9 20:49:38 1996 UTC (15 years, 7 months ago) by nate
Branches: MAIN
Diff to: previous 1.43: preferred, colored
Changes since revision 1.43: +7 -1 lines
Functionality for IPFIREWALL_VERBOSE logging: - State when we've reached the limit on a particular rule in the kernel logfile - State when a rule or all rules have been zero'd. This gives a log of all actions that occur w/regard to the firewall occurrences, and can explain why a particular break-in attempt might not get logged due to the limit being reached. Reviewed by: alex
Revision 1.43: download - view: text, markup, annotated - select for diffs
Sat Jun 29 03:33:20 1996 UTC (15 years, 7 months ago) by alex
Branches: MAIN
Diff to: previous 1.42: preferred, colored
Changes since revision 1.42: +11 -1 lines
Reject rules which try to mix ports with incompatible protocols.
Revision 1.14.4.9: download - view: text, markup, annotated - select for diffs
Tue Jun 25 03:16:41 1996 UTC (15 years, 7 months ago) by alex
Branches: RELENG_2_1_0
CVS tags: RELENG_2_1_5_RELEASE
Diff to: previous 1.14.4.8: preferred, colored; branchpoint 1.14: preferred, colored
Changes since revision 1.14.4.8: +114 -55 lines
Merge with HEAD.
Revision 1.42: download - view: text, markup, annotated - select for diffs
Tue Jun 25 00:22:20 1996 UTC (15 years, 7 months ago) by alex
Branches: MAIN
Diff to: previous 1.41: preferred, colored
Changes since revision 1.41: +26 -16 lines
Allow fragment checking to work with specific protocols. Reviewed by: phk Reject the addition of rules that will never match (for example, 1.2.3.4:255.255.255.0). User level utilities specify the policy by either masking the IP address for the user (as ipfw(8) does) or rejecting the entry with an error. In either case, the kernel should not modify chain entries to make them work.
Revision 1.41: download - view: text, markup, annotated - select for diffs
Sun Jun 23 14:28:02 1996 UTC (15 years, 7 months ago) by bde
Branches: MAIN
Diff to: previous 1.40: preferred, colored
Changes since revision 1.40: +4 -4 lines
Use IPFIREWALL_MODULE instead of ACTUALLY_LKM_NOT_KERNEL to indicate LKM'ness. ACTUALLY_LKM_NOT_KERNEL is supposed to be so ugly that it only gets used until <machine/conf.h> goes away. bsd.kmod.mk should define a better-named general macro for this. Some places use PSEUDO_LKM. This is another bad name. Makefile: Added IPFIREWALL_VERBOSE_LIMIT option (commented out).
Revision 1.14.4.8: download - view: text, markup, annotated - select for diffs
Mon Jun 17 00:03:55 1996 UTC (15 years, 7 months ago) by alex
Branches: RELENG_2_1_0
Diff to: previous 1.14.4.7: preferred, colored; branchpoint 1.14: preferred, colored
Changes since revision 1.14.4.7: +29 -18 lines
Merge in two bug fixes from HEAD: chain numbering bug (rev 1.40) and deletion of default policy (rev 1.37).
Revision 1.40: download - view: text, markup, annotated - select for diffs
Mon Jun 17 00:00:35 1996 UTC (15 years, 7 months ago) by alex
Branches: MAIN
Diff to: previous 1.39: preferred, colored
Changes since revision 1.39: +27 -16 lines
Fix chain numbering bug when the highest line number installed >= 65435 and the rule being added has no explicit line number set. Submitted by: Archie Cobbs <archie@whistle.com>
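Added example (my own code, not from ip_fw.c) of the checks an ip_fw_ctl insertion path in the spirit of the rev 1.40, 1.42, 1.43 and 1.61 entries above would apply to a rule handed in from userland through setsockopt(): an address whose host bits are set under a zero mask bit (the 1.2.3.4:255.255.255.0 case of rev 1.42) is refused because it can never match, ports with a protocol other than TCP or UDP are refused (rev 1.43), the interface name is NUL-terminated before anything treats it as a string (rev 1.61), and an automatically assigned rule number is kept below the sticky default rule even when the highest existing number is near 65535 (rev 1.40). The struct layout, the error codes, the 100-step spacing and the helper names are my assumptions.

```c
/*
 * Added example, not code from FreeBSD's ip_fw.c: insertion-time checks in
 * the spirit of rev 1.40, 1.42, 1.43 and 1.61.  Everything in the request
 * came from userland and is untrusted.  Struct layout, names and the
 * 100-step spacing are my assumptions.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPPROTO_TCP 6
#define IPPROTO_UDP 17
#define IFNAMSIZ 16
#define IPFW_DEFAULT_RULE 65535u
#define IPFW_AUTO_STEP 100u

struct fw_req {                    /* as copied in from userland */
    uint32_t src, smsk, dst, dmsk; /* host byte order in this example */
    uint8_t  proto;                /* 0 = any */
    uint8_t  nsrcp, ndstp;         /* number of src/dst ports supplied */
    char     via_name[IFNAMSIZ];   /* not guaranteed NUL-terminated */
    uint16_t number;               /* 0 = assign automatically */
};

enum { RULE_OK = 0, RULE_EBADMASK, RULE_EBADPORTS, RULE_EBADNUMBER, RULE_EFULL };

/* Source address test exactly as the packet path performs it. */
static bool src_matches(const struct fw_req *r, uint32_t pkt_src)
{
    return (pkt_src & r->smsk) == r->src;
}

/* Rev 1.40 edge case: highest + 100 must not reach or pass 65535. */
static int assign_number(struct fw_req *r, uint16_t highest_existing)
{
    if (r->number != 0)
        return r->number < IPFW_DEFAULT_RULE ? RULE_OK : RULE_EBADNUMBER;

    uint32_t n = (uint32_t)highest_existing + IPFW_AUTO_STEP;  /* 32-bit: no wrap */
    if (n >= IPFW_DEFAULT_RULE)
        n = (uint32_t)highest_existing + 1;   /* no spacing left, squeeze in */
    if (n >= IPFW_DEFAULT_RULE)
        return RULE_EFULL;                    /* 65534 is already taken */
    r->number = (uint16_t)n;
    return RULE_OK;
}

static int rule_check(struct fw_req *r, uint16_t highest_existing)
{
    r->via_name[IFNAMSIZ - 1] = '\0';         /* rev 1.61: never trust the copy */

    /* Rev 1.42: a set host bit under a zero mask bit can never compare equal. */
    if ((r->src & ~r->smsk) != 0 || (r->dst & ~r->dmsk) != 0)
        return RULE_EBADMASK;

    /* Rev 1.43: ports with a protocol that has none can never match. */
    if ((r->nsrcp || r->ndstp) && r->proto != IPPROTO_TCP && r->proto != IPPROTO_UDP)
        return RULE_EBADPORTS;

    return assign_number(r, highest_existing);
}

/* Scenario helpers used by the stand-alone run and the checks below. */
static int check_bad_mask(void)
{
    struct fw_req r = { .src = 0x01020304, .smsk = 0xffffff00 };  /* 1.2.3.4:255.255.255.0 */
    return rule_check(&r, 100);
}
static bool bad_mask_ever_matches(void)
{
    struct fw_req r = { .src = 0x01020304, .smsk = 0xffffff00 };
    return src_matches(&r, 0x01020304) || src_matches(&r, 0x01020300);
}
static int check_icmp_with_ports(void)
{
    struct fw_req r = { .proto = 1, .ndstp = 1 };   /* 'icmp from any to any 80' */
    return rule_check(&r, 100);
}
static size_t checked_ifname_len(void)
{
    struct fw_req r = { 0 };
    memset(r.via_name, 'x', IFNAMSIZ);              /* 16 bytes, no NUL anywhere */
    rule_check(&r, 100);
    return strlen(r.via_name);                      /* safe only after rule_check */
}
static unsigned auto_number_after(uint16_t highest)
{
    struct fw_req r = { 0 };
    return rule_check(&r, highest) == RULE_OK ? r.number : 0;
}

int main(void)
{
    printf("bad mask -> %d, icmp+ports -> %d, auto number after 65435 -> %u\n",
           check_bad_mask(), check_icmp_with_ports(), auto_number_after(65435));
    return 0;
}
```

Rejecting rather than silently masking the address is the policy the rev 1.42 message argues for: the kernel should not rewrite what the administrator asked for, it should refuse it, and let ipfw(8) decide whether to mask for the user or report an error.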
Revision 1.39: download - view: text, markup, annotated - select for diffs
Thu Jun 13 17:35:28 1996 UTC (15 years, 8 months ago) by gpalmer
Branches: MAIN
Diff to: previous 1.38: preferred, colored
Changes since revision 1.38: +3 -1 lines
Don't try to include opt_ipfw.h in LKMs Submitted by: Ollivier Robert <roberto@keltia.freenix.fr>
Revision 1.38: download - view: text, markup, annotated - select for diffs
Wed Jun 12 19:34:33 1996 UTC (15 years, 8 months ago) by gpalmer
Branches: MAIN
Diff to: previous 1.37: preferred, colored
Changes since revision 1.37: +4 -1 lines
Convert ipfw to use opt_ipfw.h
Revision 1.37: download - view: text, markup, annotated - select for diffs
Sun Jun 9 23:46:20 1996 UTC (15 years, 8 months ago) by alex
Branches: MAIN
Diff to: previous 1.36: preferred, colored
Changes since revision 1.36: +109 -66 lines
Big sweep over ipfw, picking up where Poul left off:
- Log ICMP type during verbose output.
- Added IPFIREWALL_VERBOSE_LIMIT option to prevent denial of service
attacks via syslog flooding.
- Filter based on ICMP type.
- Timestamp chain entries when they are matched.
- Interfaces can now be matched with a wildcard specification (i.e.
will match any interface unit for a given name).
- Prevent the firewall chain from being manipulated when securelevel
is greater than 2.
- Fixed bug that allowed the default policy to be deleted.
- Ability to zero individual accounting entries.
- Remove definitions of old_chk_ptr and old_ctl_ptr when compiling
ipfw as a lkm.
- Remove some redundant code shared between ip_fw_init and ipfw_load.
Closes PRs: 1192, 1219, and 1267.
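Added example (my own code, not from ip_fw.c) of the per-rule logging cap introduced as IPFIREWALL_VERBOSE_LIMIT in the rev 1.37 entry above and extended by rev 1.44 to announce when the limit is hit and when counters are zeroed. Unlimited logging lets anyone who can reach a logged rule fill syslog and the log partition at wire speed; capping log lines per rule bounds that, and the one-time "limit reached" line explains why later matches are silent. The struct, the log sink, the message texts and the zeroing behaviour are my assumptions.

```c
/*
 * Added example, not code from FreeBSD's ip_fw.c: a per-rule log cap in the
 * spirit of IPFIREWALL_VERBOSE_LIMIT (rev 1.37) with the "limit reached" and
 * "entry cleared" lines of rev 1.44.  Packets are always counted; only the
 * log lines are capped.  emit() stands in for the kernel's log().
 */
#include <stdio.h>
#include <string.h>

#define LOGBUF 160

/* Equivalent of the verbose_limit sysctl: 0 = unlimited (assumed). */
static unsigned fw_verbose_limit = 100;

struct fw_rule {
    unsigned number;
    unsigned long pcnt, bcnt;   /* packet/byte counters */
    unsigned logcnt;            /* log lines emitted since last zeroing */
};

/* Stand-in for the kernel log: keep the last line and a running total. */
static unsigned lines_emitted;
static char last_line[LOGBUF];

static void emit(const char *line)
{
    lines_emitted++;
    snprintf(last_line, sizeof last_line, "%s", line);
    puts(line);
}

enum log_result { LOG_WRITTEN, LOG_LIMIT_HIT, LOG_SUPPRESSED };

/* Called for every packet that matches a rule carrying the 'log' option. */
static enum log_result fw_log_match(struct fw_rule *r, const char *action,
                                    const char *pktdesc, unsigned len)
{
    char line[LOGBUF];

    r->pcnt++;
    r->bcnt += len;
    if (fw_verbose_limit != 0 && r->logcnt >= fw_verbose_limit)
        return LOG_SUPPRESSED;           /* counted, but not logged */

    r->logcnt++;
    snprintf(line, sizeof line, "ipfw: %u %s %s", r->number, action, pktdesc);
    emit(line);
    if (fw_verbose_limit != 0 && r->logcnt == fw_verbose_limit) {
        snprintf(line, sizeof line, "ipfw: limit %u reached on entry %u",
                 fw_verbose_limit, r->number);
        emit(line);                      /* said once, so the silence is explained */
        return LOG_LIMIT_HIT;
    }
    return LOG_WRITTEN;
}

/* 'ipfw zero N': reset the counters, re-arm logging, and say so in the log. */
static void fw_zero(struct fw_rule *r)
{
    char line[LOGBUF];
    r->pcnt = r->bcnt = 0;
    r->logcnt = 0;
    snprintf(line, sizeof line, "ipfw: Entry %u cleared.", r->number);
    emit(line);
}

/* Constructed scenario: limit 3, five matching packets, zero, one more.
 * Returns the number of suppressed log lines. */
static unsigned run_scenario(void)
{
    struct fw_rule r = { .number = 1000 };
    unsigned suppressed = 0;

    fw_verbose_limit = 3;
    lines_emitted = 0;
    for (int i = 0; i < 5; i++)
        if (fw_log_match(&r, "Deny", "TCP 10.0.0.1:4242 192.0.2.1:22 in", 60) == LOG_SUPPRESSED)
            suppressed++;
    fw_zero(&r);
    fw_log_match(&r, "Deny", "TCP 10.0.0.1:4243 192.0.2.1:22 in", 60);
    return suppressed;
}

int main(void)
{
    printf("suppressed: %u, lines emitted: %u\n", run_scenario(), lines_emitted);
    return 0;
}
```

With the limit at 3, the scenario writes two normal lines, a third followed by the limit notice, suppresses two further matches while still counting them, logs the zeroing, and then logs again. The counters are what an administrator later uses to see how many packets the rule dropped while it was silent.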
Revision 1.36: download - view: text, markup, annotated - select for diffs
Wed May 8 04:28:57 1996 UTC (15 years, 9 months ago) by gpalmer
Branches: MAIN
Diff to: previous 1.35: preferred, colored
Changes since revision 1.35: +8 -3 lines
Clean up various compiler warnings. Most (if not all) were benign Reviewed by: bde
Revision 1.14.4.7: download - view: text, markup, annotated - select for diffs
Mon May 6 20:32:01 1996 UTC (15 years, 9 months ago) by phk
Branches: RELENG_2_1_0
Diff to: previous 1.14.4.6: preferred, colored; branchpoint 1.14: preferred, colored
Changes since revision 1.14.4.6: +18 -14 lines
Merge from head.
Revision 1.35: download - view: text, markup, annotated - select for diffs
Mon May 6 20:31:04 1996 UTC (15 years, 9 months ago) by phk
Branches: MAIN
Diff to: previous 1.34: preferred, colored
Changes since revision 1.34: +18 -14 lines
Several locations in sys/netinet/ip_fw.c are lacking or incorrectly use spl() functions. Reviewed by: phk Submitted by: Alex Nash <alex@zen.nash.org>
Revision 1.34: download - view: text, markup, annotated - select for diffs
Wed Apr 3 13:52:13 1996 UTC (15 years, 10 months ago) by phk
Branches: MAIN
Diff to: previous 1.33: preferred, colored
Changes since revision 1.33: +16 -11 lines
Add feature for tcp "established". Change interface between netinet and ip_fw to be more general, and thus hopefully also support other ip filtering implementations.
Revision 1.33: download - view: text, markup, annotated - select for diffs
Mon Feb 26 15:28:15 1996 UTC (15 years, 11 months ago) by phk
Branches: MAIN
CVS tags: wollman_polling
Diff to: previous 1.32: preferred, colored
Changes since revision 1.32: +2 -2 lines
Fix wrong logic, certain rules never matched.
Revision 1.14.4.6: download - view: text, markup, annotated - select for diffs
Mon Feb 26 15:23:32 1996 UTC (15 years, 11 months ago) by phk
Branches: RELENG_2_1_0
Diff to: previous 1.14.4.5: preferred, colored; branchpoint 1.14: preferred, colored
Changes since revision 1.14.4.5: +141 -62 lines
Update ipfw code to same level as -current.
Revision 1.32: download - view: text, markup, annotated - select for diffs
Sat Feb 24 13:38:26 1996 UTC (15 years, 11 months ago) by phk
Branches: MAIN
Diff to: previous 1.31: preferred, colored
Changes since revision 1.31: +92 -17 lines
Make getsockopt() capable of handling more than one mbuf worth of data. Use this to read rules out of ipfw. Add the lkm code to ipfw.c
Revision 1.31: download - view: text, markup, annotated - select for diffs
Sat Feb 24 00:17:32 1996 UTC (15 years, 11 months ago) by phk
Branches: MAIN
Diff to: previous 1.30: preferred, colored
Changes since revision 1.30: +49 -45 lines
The new firewall functionality: Filter on the direction (in/out). Filter on fragment/not fragment.
Revision 1.30: download - view: text, markup, annotated - select for diffs
Fri Feb 23 20:11:37 1996 UTC (15 years, 11 months ago) by phk
Branches: MAIN
Diff to: previous 1.29: preferred, colored
Changes since revision 1.29: +6 -1 lines
I overlooked this one.
Revision 1.14.4.5: download - view: text, markup, annotated - select for diffs
Fri Feb 23 20:10:52 1996 UTC (15 years, 11 months ago) by phk
Branches: RELENG_2_1_0
Diff to: previous 1.14.4.4: preferred, colored; branchpoint 1.14: preferred, colored
Changes since revision 1.14.4.4: +6 -1 lines
Overlooked this one.
Revision 1.29: download - view: text, markup, annotated - select for diffs
Fri Feb 23 15:47:49 1996 UTC (15 years, 11 months ago) by phk
Branches: MAIN
Diff to: previous 1.28: preferred, colored
Changes since revision 1.28: +290 -719 lines
Big sweep over the IPFIREWALL and IPACCT code. Close the ip-fragment hole. Waste less memory. Rewrite to contemporary more readable style. Kill separate IPACCT facility, use "accept" rules in IPFIREWALL. Filter incoming >and< outgoing packets. Replace "policy" by sticky "deny all" rule. Rules have numbers used for ordering and deletion. Remove "reorder" code entirely. Count packet & bytecount matches for rules. Code in -current & -stable is now the same.
Revision 1.14.4.4: download - view: text, markup, annotated - select for diffs
Fri Feb 23 15:26:03 1996 UTC (15 years, 11 months ago) by phk
Branches: RELENG_2_1_0
Diff to: previous 1.14.4.3: preferred, colored; branchpoint 1.14: preferred, colored
Changes since revision 1.14.4.3: +381 -694 lines
Big sweep over the IPFIREWALL and IPACCT code. Close the ip-fragment hole. Waste less memory. Rewrite to contemporary more readable style. Kill separate IPACCT facility, use "accept" rules in IPFIREWALL. Filter incoming >and< outgoing packets. Replace "policy" by sticky "deny all" rule. Rules have numbers used for ordering and deletion. Remove "reorder" code entirely. Count packet & bytecount matches for rules.
Revision 1.14.4.3: download - view: text, markup, annotated - select for diffs
Mon Feb 12 14:34:19 1996 UTC (16 years ago) by phk
Branches: RELENG_2_1_0
Diff to: previous 1.14.4.2: preferred, colored; branchpoint 1.14: preferred, colored
Changes since revision 1.14.4.2: +3 -2 lines
Release-note material: The ipfw code will no longer sort the rules as default. This means that access-lists may take a different meaning now. >>> Please review your access lists <<<
Revision 1.28: download - view: text, markup, annotated - select for diffs
Sat Feb 3 11:47:51 1996 UTC (16 years ago) by phk
Branches: MAIN
Diff to: previous 1.27: preferred, colored
Changes since revision 1.27: +3 -1 lines
Make the sorting of IPFW rules an option. You don't want it to sort them. >>>WARNING<<< you may have to revisit your firewall setup.
Revision 1.27: download - view: text, markup, annotated - select for diffs
Sat Dec 2 19:37:59 1995 UTC (16 years, 2 months ago) by bde
Branches: MAIN
Diff to: previous 1.26: preferred, colored
Changes since revision 1.26: +12 -1 lines
Completed function declarations and/or added prototypes.
Revision 1.26: download - view: text, markup, annotated - select for diffs
Tue Nov 14 20:34:10 1995 UTC (16 years, 3 months ago) by phk
Branches: MAIN
Diff to: previous 1.25: preferred, colored
Changes since revision 1.25: +5 -5 lines
New style sysctl & staticize a lot of stuff.
Revision 1.25: download - view: text, markup, annotated - select for diffs
Sun Oct 29 15:32:31 1995 UTC (16 years, 3 months ago) by phk
Branches: MAIN
Diff to: previous 1.24: preferred, colored
Changes since revision 1.24: +2 -2 lines
Second batch of cleanup changes. This time mostly making a lot of things static and some unused variables here and there.
Revision 1.24: download - view: text, markup, annotated - select for diffs
Mon Oct 23 03:58:06 1995 UTC (16 years, 3 months ago) by ugen
Branches: MAIN
Diff to: previous 1.23: preferred, colored
Changes since revision 1.23: +43 -14 lines
Support all the tcpflag options in firewall. Add reading options from file, now ipfw <filename> will read commands string after string from file, form of strings same as command line interface.
Revision 1.23: download - view: text, markup, annotated - select for diffs
Sun Oct 1 21:52:48 1995 UTC (16 years, 4 months ago) by ugen
Branches: MAIN
Diff to: previous 1.22: preferred, colored
Changes since revision 1.22: +91 -16 lines
Well..finally..this is the first part..it should take care of matching IP options..Check and test this - i made only a couple of rough tests and this could be buggy.. Ipaccounting can't use IP Options (and i don't see any need to count packets with specific options either..) More to come...
Revision 1.14.4.2: download - view: text, markup, annotated - select for diffs
Fri Aug 25 01:58:04 1995 UTC (16 years, 5 months ago) by davidg
Branches: RELENG_2_1_0
CVS tags: RELENG_2_1_0_RELEASE
Diff to: previous 1.14.4.1: preferred, colored; branchpoint 1.14: preferred, colored
Changes since revision 1.14.4.1: +2 -2 lines
Brought in change from rev 1.22: fix SYN blocking code.
Revision 1.22: download - view: text, markup, annotated - select for diffs
Mon Jul 31 13:58:35 1995 UTC (16 years, 6 months ago) by gpalmer
Branches: MAIN
Diff to: previous 1.21: preferred, colored
Changes since revision 1.21: +2 -2 lines
Try to make the `syn' blocking code act a bit more sensibly - don't block `syn' packets that have `ack' set. Reviewed by: Submitted by: Obtained from:
Revision 1.14.4.1: download - view: text, markup, annotated - select for diffs
Sun Jul 23 05:43:47 1995 UTC (16 years, 6 months ago) by davidg
Branches: RELENG_2_1_0
Diff to: previous 1.14: preferred, colored
Changes since revision 1.14: +718 -770 lines
Brought in IP firewall fixes from main branch.
Revision 1.21: download - view: text, markup, annotated - select for diffs
Sun Jul 23 05:36:29 1995 UTC (16 years, 6 months ago) by davidg
Branches: MAIN
Diff to: previous 1.20: preferred, colored
Changes since revision 1.20: +2 -0 lines
Added $Id$.
Revision 1.20: download - view: text, markup, annotated - select for diffs
Sun Jul 9 14:29:41 1995 UTC (16 years, 7 months ago) by davidg
Branches: MAIN
Diff to: previous 1.19: preferred, colored
Changes since revision 1.19: +2 -3 lines
Fixed panic that occurs on certain firewall rejected packets that was caused by dtom() being used on an mbuf cluster. The fix involves passing around the mbuf pointer. Submitted by: Bill Fenner
Revision 1.19: download - view: text, markup, annotated - select for diffs
Tue Jul 4 05:39:03 1995 UTC (16 years, 7 months ago) by davidg
Branches: MAIN
Diff to: previous 1.18: preferred, colored
Changes since revision 1.18: +700 -733 lines
This is the end result of about a dozen passes through this code to fix
incorrect indents, a variety of poor coding practices such as comparing
pointers to constants ('0'), poor code structuring, etc, etc. This brings
the code up to the minimum standards for inclusion in FreeBSD.
Revision 1.18: download - view: text, markup, annotated - select for diffs
Tue Jul 4 05:29:30 1995 UTC (16 years, 7 months ago) by davidg
Branches: MAIN
Diff to: previous 1.17: preferred, colored
Changes since revision 1.17: +7 -0 lines
Define TRUE and FALSE.
Revision 1.17: download - view: text, markup, annotated - select for diffs
Tue Jul 4 03:35:20 1995 UTC (16 years, 7 months ago) by davidg
Branches: MAIN
Diff to: previous 1.16: preferred, colored
Changes since revision 1.16: +25 -46 lines
1) Removed bogus #include 2) Rewrote "bad_packet" code to be less buggy and more readable. 3) Removed a pile of goto's; the code is now somewhat less reminiscent of a certain Italian pasta. 4) Changed all boolean returns of "0" and "1" to FALSE/TRUE.
Revision 1.16: download - view: text, markup, annotated - select for diffs
Wed Jun 28 13:22:36 1995 UTC (16 years, 7 months ago) by gpalmer
Branches: MAIN
Diff to: previous 1.15: preferred, colored
Changes since revision 1.15: +1 -1 lines
Add a missing `goto' statement so that this compiles yet again.
Revision 1.15: download - view: text, markup, annotated - select for diffs
Tue Jun 27 17:26:25 1995 UTC (16 years, 7 months ago) by guido
Branches: MAIN
Diff to: previous 1.14: preferred, colored
Changes since revision 1.14: +7 -13 lines
The reject option in ip_fw used to panic the system. This fixes it. -Guido
Revision 1.14: download - view: text, markup, annotated - select for diffs
Tue May 30 08:09:38 1995 UTC (16 years, 8 months ago) by rgrimes
Branches: MAIN
CVS tags: RELENG_2_1_0_BP, RELENG_2_0_5_RELEASE, RELENG_2_0_5_BP, RELENG_2_0_5
Branch point for: RELENG_2_1_0
Diff to: previous 1.13: preferred, colored
Changes since revision 1.13: +61 -61 lines
Remove trailing whitespace.
Revision 1.13: download - view: text, markup, annotated - select for diffs
Thu May 11 19:26:43 1995 UTC (16 years, 9 months ago) by rgrimes
Branches: MAIN
CVS tags: RELENG_2_0_5_ALPHA
Diff to: previous 1.12: preferred, colored
Changes since revision 1.12: +4 -4 lines
Fix -Wformat warnings from LINT kernel.
Revision 1.12: download - view: text, markup, annotated - select for diffs
Sun Mar 12 13:28:13 1995 UTC (16 years, 11 months ago) by ugen
Branches: MAIN
Diff to: previous 1.11: preferred, colored
Changes since revision 1.11: +4 -4 lines
Allocate memory as M_IPFW; now we can watch firewall memory usage in vmstat.
Revision 1.11: download - view: text, markup, annotated - select for diffs
Fri Feb 24 14:33:52 1995 UTC (16 years, 11 months ago) by ugen
Branches: MAIN
Diff to: previous 1.10: preferred, colored
Changes since revision 1.10: +86 -63 lines
Allow "via" to be specified either as an IP address or as an interface name/unit...
Revision 1.10: download - view: text, markup, annotated - select for diffs
Thu Jan 12 13:06:27 1995 UTC (17 years, 1 month ago) by ugen
Branches: MAIN
Diff to: previous 1.9: preferred, colored
Changes since revision 1.9: +12 -48 lines
Actual firewall change. 1) Firewall is not subdivided into forwarding / blocking chains anymore. Actually only one chain is left - it was the blocking one. 2) LKM support. ip_fwdef.c is the function pointer definition and goes into the kernel along with all the INET stuff.
Revision 1.9: download - view: text, markup, annotated - select for diffs
Tue Dec 13 15:57:32 1994 UTC (17 years, 2 months ago) by ugen
Branches: MAIN
Diff to: previous 1.8: preferred, colored
Changes since revision 1.8: +160 -104 lines
Add clear one accounting entry control. Structure fields changed to seem more standard.
Revision 1.8: download - view: text, markup, annotated - select for diffs
Mon Dec 12 18:10:41 1994 UTC (17 years, 2 months ago) by ugen
Branches: MAIN
Diff to: previous 1.7: preferred, colored
Changes since revision 1.7: +17 -18 lines
Late patch for delete control.
Revision 1.7: download - view: text, markup, annotated - select for diffs
Mon Dec 12 17:20:51 1994 UTC (17 years, 2 months ago) by ugen
Branches: MAIN
Diff to: previous 1.6: preferred, colored
Changes since revision 1.6: +118 -62 lines
Add match by interface from which packet arrived (via). Handle fragmented packets right. Remove checking option from kernel.
Revision 1.6: download - view: text, markup, annotated - select for diffs
Mon Nov 28 12:35:13 1994 UTC (17 years, 2 months ago) by ugen
Branches: MAIN
Diff to: previous 1.5: preferred, colored
Changes since revision 1.5: +202 -209 lines
Added: ICMP reply, TCP SYN check, logging.
Revision 1.5: download - view: text, markup, annotated - select for diffs
Wed Nov 16 10:16:54 1994 UTC (17 years, 2 months ago) by jkh
Branches: MAIN
CVS tags: RELEASE_2_0, OLAH_TTCP, BETA_2_0
Diff to: previous 1.4: preferred, colored
Changes since revision 1.4: +434 -244 lines
Ugen J.S.Antsilevich's latest, happiest, IP firewall code. Poul: Please take this into BETA. It's non-intrusive, and a rather substantial improvement over what was there before.
Revision 1.4: download - view: text, markup, annotated - select for diffs
Tue Nov 8 12:47:27 1994 UTC (17 years, 3 months ago) by jkh
Branches: MAIN
CVS tags: ALPHA_2_0
Diff to: previous 1.3: preferred, colored
Changes since revision 1.3: +120 -127 lines
Almost 12th hour (the 11th hour was almost an hour ago :-) patches from Ugen.
Revision 1.3: download - view: text, markup, annotated - select for diffs
Mon Nov 7 10:01:28 1994 UTC (17 years, 3 months ago) by jkh
Branches: MAIN
Diff to: previous 1.2: preferred, colored
Changes since revision 1.2: +98 -55 lines
2 11th-hour fixes from Ugen (not Uben, sorry!) J.S.Antsilevich. I think it's time for Ugen to get a freefall account, just so I can direct mail at him directly and let him drop off patches for us here. Ugen? Done! Submitted by: ugen
Revision 1.2: download - view: text, markup, annotated - select for diffs
Mon Oct 31 23:58:02 1994 UTC (17 years, 3 months ago) by jkh
Branches: MAIN
Diff to: previous 1.1: preferred, colored
Changes since revision 1.1: +189 -34 lines
Latest changes from Uben. Submitted by: uben
Revision 1.1: download - view: text, markup, annotated - select for diffs
Fri Oct 28 15:09:46 1994 UTC (17 years, 3 months ago) by jkh
Branches: MAIN
IP Firewall code from Daniel Boulet and J.S.Antsilevich Submitted by: danny ugen
