path: root/sys/contrib/ipfilter
Commit log (each entry: commit message, author, date, files changed, lines -removed/+added)
* ipfilter: Move kernel bits to netpfil (Cy Schubert, 2021-12-20, 46 files, -57394/+0)
  Through fixes and improvements our ipfilter sources have diverged enough to warrant a move from contrib into sys/netpfil. Now that I'm planning on implementing MSS clamping as in iptables it makes more sense to move ipfilter to netpfil. This is the first of three commits for the ipfilter move. Suggested by glebius on two occasions.
  Suggested by and discussed with: glebius
  Reviewed by: glebius, kp (for #network)
  MFC after: 1 month
  Differential Revision: https://reviews.freebsd.org/D33510
* ipfilter fil.c: Fix two typos in comments (Cy Schubert, 2021-12-15, 1 file, -2/+2)
  MFC after: 3 days
* ipfilter: Replace sprintf with range checking version (snprintf) (Cy Schubert, 2021-12-14, 8 files, -25/+26)
  MFC after: 1 week
* ipfilter radix_ipf: name is only valid with RDX_DEBUG (Cy Schubert, 2021-12-14, 1 file, -0/+2)
  ipf_rdx_node.name is only valid when RDX_DEBUG is defined.
  MFC after: 1 week
* ipfilter: The SNPRINTF macro doesn't exist, remove it (Cy Schubert, 2021-12-14, 7 files, -85/+0)
  MFC after: 1 week
* ipfilter: Fix struct ifnet pointer type (Cy Schubert, 2021-12-13, 1 file, -0/+4)
  The fr_info struct contains a summary of a packet. One of its fields is a pointer to the ifnet struct the packet arrived on. It is pointed to by a void* because ipfilter supports multiple O/Ses. Unfortunately this makes it difficult to examine with DTrace. Defining fin_ifp as a pointer to an ifnet struct makes examining the struct it points to using a DTrace script possible.
  MFC after: 1 week
* ip_log: remove set-but-unused vars (Cy Schubert, 2021-12-11, 1 file, -2/+2)
  MFC after: 3 days
* ipfilter: Avoid more null if-then-else blocks (Cy Schubert, 2021-12-04, 1 file, -2/+2)
  As in 73db3b64f167, when WITHOUT_INET6 is selected, null if-then-else blocks are generated because #if statements are incorrectly placed. Moving the #if statements reduces unnecessary runtime comparisons or compiler optimizations.
  MFC after: 3 days
* ipfilter: Correct a comment and add notation (Cy Schubert, 2021-12-04, 1 file, -2/+4)
  Correct a comment to accurately reflect what is being done. While we're at it, document the next step in the process.
  MFC after: 3 days
* ipfilter: Correct function description (Cy Schubert, 2021-12-04, 1 file, -1/+1)
  As of 874b1a35486b, ip_proxy_check() return codes have been simplified. The original comment was also incorrect in the first place.
  MFC after: 3 days
* ipfilter: Add DTrace SDT probe (Cy Schubert, 2021-12-04, 1 file, -0/+2)
  Add an SDT probe, using the newly created DT5 macro, in a similar vein to the DEBUG_PARSE printf, for when FTP junk is anticipated and ok. This will assist in debugging port (active) FTP proxy issues.
  MFC after: 3 days
* ipfilter: New DT5 DTrace macro (Cy Schubert, 2021-12-04, 1 file, -0/+3)
  Define a new DT5 DTrace macro used to call DTRACE_PROBE5, for use with SDT probes with five arguments.
  MFC after: 3 days
* ipfilter: Whitespace cleanup (Cy Schubert, 2021-12-04, 1 file, -5/+5)
  Clean up whitespace from compaction of DTn macro definitions.
  MFC after: 3 days
* ipfilter: Compact and simplify DTrace macro definitions (Cy Schubert, 2021-12-04, 1 file, -9/+1)
  Use a compound #if to simplify and compact the DTn DTRACE_PROBEn macros used by ipfilter.
  MFC after: 3 days
* ipfilter: Save a word of stack space (Cy Schubert, 2021-12-04, 1 file, -4/+2)
  Rather than save the return code into an intermediate variable, which BTW is optimized out anyway, explicitly remove the return code from the stack.
  MFC after: 3 days
* kernel: deprecate Internet Class A/B/C (Mike Karels, 2021-11-09, 1 file, -1/+1)
  Hide historical Class A/B/C macros unless IN_HISTORICAL_NETS is defined; define it for user level. Define IN_MULTICAST separately from IN_CLASSD, and use it in pf instead of IN_CLASSD. Stop using class for setting default masks when not specified; instead, define new default mask (24 bits). Warn when an Internet address is set without a mask.
  MFC after: 1 month
  Reviewed by: cy
  Differential Revision: https://reviews.freebsd.org/D32708
* ipfilter: Save time and cycles swapping bucket table sizes (Cy Schubert, 2021-09-30, 2 files, -20/+22)
  NAT hash tables are inverted for inbound vs outbound. Rather than spend the time and cycles swapping them, let's simply calculate the bucket lengths inversely.
  MFC after: 1 week
* ipfilter: Correct a comment (Cy Schubert, 2021-09-27, 1 file, -1/+1)
  Correct a comment's grammar and, while at it, clarify its meaning.
  MFC after: 3 days
* ipfilter: Print the correct TCP sequence index number (Cy Schubert, 2021-09-27, 1 file, -1/+1)
  TCP sequence numbers in the FTP proxy are maintained in a two dimensional array. The debug message prints the same seq[N] for both. Fix that.
  MFC after: 3 days
* ipfilter: Locking sysctls here is not required (Cy Schubert, 2021-09-24, 1 file, -2/+0)
  Locking of data structures touched by sysctls is more finely locked in ipfilter, therefore higher level locks are redundant.
  MFC after: 3 days
* ipfilter: Avoid null if-then-else blocks (Cy Schubert, 2021-09-24, 2 files, -12/+8)
  When WITHOUT_INET6 is selected we generate null if-then-else blocks due to incorrect placement of #if statements. Move the #if statements, reducing unnecessary runtime comparisons with WITHOUT_INET6.
  MFC after: 1 week
* routing: Allow using IPv6 next-hops for IPv4 routes (RFC 5549). (Zhenlei Huang, 2021-08-22, 1 file, -16/+17)
  Implement kernel support for RFC 5549/8950.
  * Relax control plane restrictions and allow specifying IPv6 gateways for IPv4 routes. This behavior is controlled by the net.route.rib_route_ipv6_nexthop sysctl (on by default).
  * Always pass final destination in ro->ro_dst in ip_forward().
  * Use ro->ro_dst to extract packet family inside if_output() routines. Consistently use RO_GET_FAMILY() macro to handle ro=NULL case.
  * Pass extracted family to nd6_resolve() to get the LLE with proper encap. It leverages recent lltable changes committed in c541bd368f86.
  Presence of the functionality can be checked using ipv4_rfc5549_support feature(3).
  Example usage: route add -net 192.0.0.0/24 -inet6 fe80::5054:ff:fe14:e319%vtnet0
  Differential Revision: https://reviews.freebsd.org/D30398
  MFC after: 2 weeks
* ipfilter: remove doubled semicolons (Ed Maste, 2021-08-16, 2 files, -3/+3)
  Local commit; ipfilter upstream is inactive.
  Discussed with: cy
  MFC after: 3 days
* ipfilter: Fix ip_nat memory leak and use-after-free (Cy Schubert, 2021-05-25, 1 file, -1/+1)
  Unfortunately the wrong element is freed, also resulting in use-after-free.
  PR: 255859
  Submitted by: lylgood@foxmail.com
  Reported by: lylgood@foxmail.com
  MFC after: 3 days
* ipfilter: simplify ipf_proxy_check() return codes (Cy Schubert, 2021-03-24, 3 files, -8/+3)
  ipf_proxy_check() returns -1 for an error and 0 or 1 for success. ipf_proxy_check()'s callers check for error and if the return code is 0, they change it to 1 prior to returning to their callers. Simply by returning -1 or 1 we reduce complexity and cycles burned changing 0 to 1.
  MFC after: 1 week
* ipfilter: Make LARGE_NAT a tunable. (Cy Schubert, 2021-02-22, 6 files, -44/+65)
  LARGE_NAT is a C macro that increases NAT_SIZE from 127 to 2047, RDR_SIZE from 127 to 2047, HOSTMAP_SIZE from 2047 to 8191, NAT_TABLE_MAX from 30000 to 180000, and NAT_TABLE_SZ from 2047 to 16383. These values can be altered at runtime using the ipf -T command; however, some administrators of large firewalls rebuild the kernel to enable LARGE_NAT at boot. This revision adds the tunable net.inet.ipf.large_nat which allows an administrator to set this option at boot instead of build time. Setting the LARGE_NAT macro to 1 is unaffected, allowing build-time users to continue using the old way.
* Fix non-IPv6 build post 57785538c6e0d7e8ca0f161ab95bae10fd304047. (Cy Schubert, 2021-02-10, 1 file, -4/+0)
  57785538c6e0d7e8ca0f161ab95bae10fd304047 changed the test for FreeBSD from __FreeBSD_version to __FreeBSD__. However this test was performed before sys/param.h was included, therefore __FreeBSD_version was never defined. As the test was never true, opt_random_ip_id.h was never included.
  Submitted by: bdragon
  Reported by: bdragon
  MFC after: 1 week
  X-MFC with: 57785538c6e0d7e8ca0f161ab95bae10fd304047
* Simplify the FreeBSD check using __FreeBSD__ compiler macro. (Cy Schubert, 2021-02-09, 18 files, -59/+59)
  Rather than rely on __FreeBSD_version, defined in sys/param.h, use __FreeBSD__ defined by the compiler.
  Reported by: emaste
  MFC after: 1 week
* ipfilter: Use the softn (NAT softc) host map size in ip_nat6 calculation. (Cy Schubert, 2021-02-06, 1 file, -1/+1)
  The ipfilter NAT table host map size is a tunable that defaults to a macro value defined at build time. HOSTMAP_SIZE is saved in softn (the ipnat softc) at initialization. It can be tuned (changed) at runtime using the ipf -T command. If the hostmap_size tunable is adjusted the calculation to determine where to put new entries in the table was incorrect. Use the tunable in the NAT softc instead of the static build time value.
  MFC after: 1 week
* Simplify BSD macro tests. (Cy Schubert, 2021-02-06, 4 files, -15/+3)
  All FreeBSD and NetBSD are BSD >= 199306 and have been for a long time.
  MFC after: 1 week
* Replace the redundant MENTAT macro with SOLARIS. (Cy Schubert, 2021-02-02, 11 files, -44/+42)
  MENTAT and SOLARIS are synonymous. Remove the extraneous duplicate macro.
  MFC after: 1 week
* Indentation cleanup resulting from the cleanup of #ifdefs. (Cy Schubert, 2021-02-02, 7 files, -216/+215)
  The conscious decision was made not to perform any indentation or whitespace cleanup while cleaning out old redundant #ifdefs. The reason for this was to avoid confusing future readers of history and diffs with cosmetic changes, making bisection of any possible bugs introduced more difficult. This commit cleans up the whitespace detritus left behind from the previous #ifdef cleanup commits.
  MFC after: 1 week
* Retire the K&R/STD C __P prototype declarations. (Cy Schubert, 2021-02-02, 41 files, -1016/+1010)
  In the old days when K&R C and STD C were each in use a workaround (read hack) was required to allow the same code to work on each without modification. All C compilers support STD C. We can finally put the __P prototype to rest.
  MFC after: 1 week
* ipfilter: Retire pre-standard C support. (Cy Schubert, 2021-01-25, 7 files, -92/+0)
  All C compilers in 2021 support standard C and architectures that did not were retired long ago. Simplify by removing now redundant pre-standard C code.
  MFC after: 1 week
* Simplify dynamic ipfilter sysctls. (John Baldwin, 2021-01-21, 1 file, -56/+30)
  Pass the structure offset in arg2 instead of arg1. This avoids having to undo the pointer arithmetic on arg1. Instead arg2 can be used directly as an offset relative to the desired structure.
  Reviewed by: cy
  Obtained from: CheriBSD
  Sponsored by: DARPA
  Differential Revision: https://reviews.freebsd.org/D27961
* Explicit CTLFLAG_DYN not needed (Ryan Moeller, 2020-10-04, 1 file, -4/+4)
  Dynamically created OIDs automatically get this flag set.
  Reviewed by: jhb
  MFC after: 1 week
  Sponsored by: iXsystems, Inc.
  Differential Revision: https://reviews.freebsd.org/D26561
  Notes: svn path=/head/; revision=366433
* Continued ipfilter #ifdef cleanup. The r343701 log entry contains a complete description. (Cy Schubert, 2020-09-30, 1 file, -4/+3)
  MFC after: 1 week
  Notes: svn path=/head/; revision=366287
* Remove extraneous bracket. (Cy Schubert, 2020-09-27, 1 file, -1/+1)
  MFC after: 3 days
  Notes: svn path=/head/; revision=366204
* Fix incorrect byte order in ipfstat -f output. (Cy Schubert, 2020-07-17, 2 files, -1/+5)
  - make sure frag is initialized to 0
  - initialize ipfr_p field
  NetBSD PR: 55137
  Submitted by: christos@NetBSD.org
  Reported by: christos@NetBSD.org
  Obtained from: NetBSD fil.c r1.32, ip_frag.c r1.8
  MFC after: 2 weeks
  Notes: svn path=/head/; revision=363285
* pfil_run_hooks() can be called recursively, so we have to define FASTROUTE_RECURSION in fil.c (Cy Schubert, 2020-07-17, 1 file, -0/+2)
  Submitted by: christos@NetBSD.org
  Reported by: christos@NetBSD.org
  Obtained from: NetBSD r1.31
  MFC after: 2 weeks
  Notes: svn path=/head/; revision=363284
* Convert ipfilter to the new routing KPI. (Cy Schubert, 2020-04-19, 1 file, -8/+13)
  Reviewed by: melifaro (previous version)
  Notes: svn path=/head/; revision=360101
* fib4_free_nh_ext is an empty function. It does nothing. Don't call it. (Cy Schubert, 2020-04-19, 1 file, -5/+0)
  MFC after: 2 weeks
  Notes: svn path=/head/; revision=360100
* Retire macros: (Cy Schubert, 2020-03-02, 3 files, -8/+5)
  BSD_GE_YEAR
  BSD_GT_YEAR
  BSD_LT_YEAR
  MFC after: 3 days
  Notes: svn path=/head/; revision=358560
* Remove the now unused FREEBSD_GE_REV, FREEBSD_GT_REV, and FREEBSD_LT_REV macros. (Cy Schubert, 2020-03-02, 1 file, -6/+0)
  MFC after: 3 days
  Notes: svn path=/head/; revision=358559
* Continuing the effort started in r343701, #ifdef cleanup, checking for __FreeBSD_version > 3.0 and 5.0 is redundant. (Cy Schubert, 2020-03-02, 5 files, -7/+6)
  MFC after: 3 days
  Notes: svn path=/head/; revision=358558
* With the planned removal of GIANT (sysctl uses GIANT), make future-proof ipfilter by making it sysctl locking mpsafe. (Cy Schubert, 2020-02-26, 1 file, -6/+10)
  Reviewed by: kaktus
  Differential Revision: https://reviews.freebsd.org/D23839
  Notes: svn path=/head/; revision=358356
* Mark more nodes as CTLFLAG_MPSAFE or CTLFLAG_NEEDGIANT (8 of many) (Pawel Biernacki, 2020-02-24, 1 file, -11/+17)
  r357614 added CTLFLAG_NEEDGIANT to make it easier to find nodes that are still not MPSAFE (or already are but aren't properly marked). Use it in preparation for a general review of all nodes. This is non-functional change that adds annotations to SYSCTL_NODE and SYSCTL_PROC nodes using one of the soon-to-be-required flags.
  Approved by: kib (mentor, blanket)
  Differential Revision: https://reviews.freebsd.org/D23628
  Notes: svn path=/head/; revision=358276
* Rather than pass the address of the packet information control block to ipf_pcksum6(), directly pass the address of the mbuf to it. (Cy Schubert, 2019-12-12, 3 files, -6/+4)
  This reduces one pointer dereference. ipf_pcksum6() doesn't use the packet information control block except to obtain the mbuf address.
  MFC after: 3 days
  Notes: svn path=/head/; revision=355670
* in6_cksum() returns zero when checksums are good. (Cy Schubert, 2019-12-12, 1 file, -1/+1)
  PR: 203275
  Reported by: Frank Volf <frank@deze.org>
  MFC after: 3 days
  Notes: svn path=/head/; revision=355669
* Include fin, the packet information structure (fr_info_t), in the l4sums DTrace probe, making more information available for the diagnosis of IPv6 checksum errors. (Cy Schubert, 2019-11-28, 1 file, -1/+1)
  MFC after: 3 days
  Notes: svn path=/head/; revision=355156