path: root/sys/netinet
Commit message | Author | Age | Files | Lines
* MFS | Jesper Skriver | 2001-08-06 | 1 | -1/+33
  src/sys/netinet/ip_input.c rev 1.130.2.22
  src/sys/netinet6/frag6.c rev 1.2.2.4
  src/sys/netinet6/in6_proto.c rev 1.6.2.4
  Prevent denial of service using bogus fragmented IPv4 packets.
  An attacker sending a lot of bogus fragmented packets to the target (with different IPv4 identification field - ip_id), may be able to put the target machine into mbuf starvation state.
  By setting an upper limit on the number of reassembly queues we prevent this situation.
  This upper limit is controlled by the new sysctl net.inet.ip.maxfragpackets which defaults to nmbclusters/4
  If you want old behaviour (no upper limit) set this sysctl to a negative value.
  If you don't want to accept any fragments (not recommended) set the sysctl to 0 (zero)
  Obtained from: NetBSD (partially)
  Notes: svn path=/stable/3/; revision=81196
* MFC: Better TCP ISN randomization | Kris Kennaway | 2001-05-02 | 6 | -6/+85
  Notes: svn path=/stable/3/; revision=76218
* MFC: | Jesper Skriver | 2001-02-24 | 4 | -28/+76
  src/sys/netinet/in_pcb.c rev 1.78
  src/sys/netinet/in_pcb.h rev 1.36
  src/sys/netinet/tcp_subr.c rev 1.91
  src/sys/netinet/udp_usrreq.c rev 1.86
  Without this an attacker sending ICMP messages, where the attached IP header (+ 8 bytes) has the address and port numbers == 0, would have the ICMP message applied to all sessions.
  Approved by: kris
  Inspired by: NetBSD
  Notes: svn path=/stable/3/; revision=72995
* MFC: ECN flag handling fixes in IPFW | Chris D. Faulhaber | 2001-01-13 | 3 | -7/+23
  Notes: svn path=/stable/3/; revision=70988
* MFC: Use stronger randomness for TCP_ISSINCR and tcp_iss | Kris Kennaway | 2000-09-29 | 2 | -2/+2
  Notes: svn path=/stable/3/; revision=66446
* MFC (rev.1.46: fixed a missing splx() in if_addmulti()). | Bruce Evans | 2000-08-19 | 1 | -1/+3
  Notes: svn path=/stable/3/; revision=64854
* MFC rev 1.60: fix comment for TCPCTL_KEEPINIT . | Sheldon Hearn | 2000-07-18 | 1 | -1/+1
  Notes: svn path=/stable/3/; revision=63435
* MFC: (rev 1.133) do not call icmp_error() if ipfirewall(4) denied packet. | Ruslan Ermilov | 2000-06-13 | 1 | -0/+4
  Notes: svn path=/stable/3/; revision=61602
* MFC: r1.34, LAST_ACK problem. (slightly different patch) | Jonathan Lemon | 2000-06-08 | 1 | -0/+3
  Submitted by: Mike Silbersack <silby@silby.com>
  Notes: svn path=/stable/3/; revision=61421
* MFC: correct boundary checks against IP options | Jonathan Lemon | 2000-06-08 | 3 | -3/+16
  Notes: svn path=/stable/3/; revision=61418
* MFC: 1.134, problem relating to sizeof() unsignedness. | Jonathan Lemon | 2000-05-26 | 1 | -3/+4
  Requested by: kris
  Notes: svn path=/stable/3/; revision=60955
* do not add state upon RST | Darren Reed | 2000-05-24 | 1 | -0/+2
  Notes: svn path=/stable/3/; revision=60858
* Only send warnings once per second when there is a problem with | Luigi Rizzo | 2000-05-12 | 1 | -0/+8
  dynamic rules.
  Notes: svn path=/stable/3/; revision=60433
* Fix bug in dealing with "hlen == 1 and opt > 1" | Darren Reed | 2000-05-10 | 1 | -6/+12
  Notes: svn path=/stable/3/; revision=60316
* MFC patches for stream attack. This fell through the crack | Wes Peters | 2000-04-25 | 1 | -6/+19
  on 3.x.
  Reviewed by: Mike Silbersack <silby@silby.com>
  Notes: svn path=/stable/3/; revision=59618
* MFC: 1.73 | Paul Saab | 2000-02-29 | 1 | -1/+4
  Approved by: jkh
  Notes: svn path=/stable/3/; revision=57608
* MFC: bring stateful extensions for IPFW and related fixes to -stable. | Luigi Rizzo | 2000-02-13 | 6 | -179/+696
  In order to use the new features and get sensible output from "ipfw show" you need to recompile ipfw. Note that you will still be able to configure the firewall using the old ipfw.
  Approved-by: jordan
  Notes: svn path=/stable/3/; revision=57187
* Functional change: in ready_event(), move the call to tranmit_event() | Luigi Rizzo | 2000-02-02 | 1 | -59/+59
  near the end of the function or this might cause the precondition for the next part of the function to be violated.
  This fixes the "warning, event is 1 tick late" message that some might get in certain configurations of dummynet (this was mostly harmless).
  Also some reformatting of the code, as the indentation of a lot of this file got completely screwed up in the previous massive commit.
  Reported-by: Mike Tancsa
  Notes: svn path=/stable/3/; revision=56950
* Various MFC: | Luigi Rizzo | 2000-01-18 | 7 | -463/+864
  * update dummynet to the new code in 4.0, and cleanup call interface (affects ip_dummynet.c ip_dummynet.h ip_input.c ip_output.c)
  * various cleanup of ipfw code, including dummynet hooks, support for masks on UDP/TCP ports, and removal of ip_nat hooks as in 4.0 (affects ip_fw.c ip_fw.h raw_ip.c)
  The new dummynet code is thanks to Akamba Corp.
  Notes: svn path=/stable/3/; revision=56246
* MFC: Fix page fault when diverting packets with IP options. | Ruslan Ermilov | 2000-01-11 | 1 | -0/+1
  Notes: svn path=/stable/3/; revision=55826
* MFC: RTFREE the correct route entry in dummynet_io(). The previous | Luigi Rizzo | 1999-11-26 | 1 | -3/+3
  code failed in handling things like "forward" actions.
  Reported-and-tested-by: Jean-Hugues ROYER jhroyer@joher.com
  Notes: svn path=/stable/3/; revision=53717
* MFC rev 1.14 - add missing ICMP_PARAMPROB_* defines | Peter Wemm | 1999-11-18 | 1 | -0/+2
  Notes: svn path=/stable/3/; revision=53361
* Fix the CLOSING state bug that crept in from 4.0. | Brian Feldman | 1999-11-15 | 1 | -1/+1
  Noticed by: Jeroen Ruigrok van der Werven <asmodai@wxs.nl>
  Notes: svn path=/stable/3/; revision=53165
* MFC the IPSTEALTH option | Dag-Erling Smørgrav | 1999-11-01 | 1 | -4/+18
  Notes: svn path=/stable/3/; revision=52771
* MFC (rev 1.62): Add missing newline to log() message. | Sheldon Hearn | 1999-10-18 | 1 | -1/+1
  Notes: svn path=/stable/3/; revision=52378
* MFC: Add the net.inet.icmp.drop_redirect, net.inet.icmp.log_redirect, | Dag-Erling Smørgrav | 1999-10-14 | 2 | -2/+56
  net.inet.tcp.drop_synfin and net.inet.tcp.restrict_rst sysctls.
  Notes: svn path=/stable/3/; revision=52236
* MFC the fix for truncated arp packets, and this time | Larry Lile | 1999-09-16 | 1 | -20/+22
  do it correctly. Also fix a little white space breakage.
  [This affects token-ring only]
  Notes: svn path=/stable/3/; revision=51321
* MFC fix for truncated token-ring arp replies. | Larry Lile | 1999-09-15 | 1 | -36/+56
  Reorder arp code to make ethernet arp's the default and allow fddi to arp correctly.
  Reported by: Russell Neeper <r-neeper@tamu.edu>
  Reviewed by: Eivind Eklund <eivind@freebsd.org>
  Approved by: Jordan K. Hubbard <jkh@freebsd.org>
  Notes: svn path=/stable/3/; revision=51317
* $Id$ -> $FreeBSD$ | Peter Wemm | 1999-08-29 | 65 | -66/+66
  Notes: svn path=/stable/3/; revision=50583
* MFC: | Brian Feldman | 1999-08-29 | 8 | -29/+279
  This is the pre-3.3 IPFW megamerge. This brings IPFW almost completely up to 4.0's. __FreeBSD_version is bumped by this commit. Changes include:
  - per-socket credentials stored
  - ability to get those credentials with sysctl
  - uid- and gid- based filtering in IPFW
  - dynamic logging in IPFW (rules can be set as logging for any number of packets, not just the default, and logging can be reset)
  Following this is a commit to pidentd to use 1 and 2.
  Notes: svn path=/stable/3/; revision=50563
* whoops... missing semicolon | Luigi Rizzo | 1999-08-16 | 1 | -2/+2
  Notes: svn path=/stable/3/; revision=49903
* MFC: add probabilistic rule match code (kernel+userland) and manpage. | Luigi Rizzo | 1999-08-16 | 2 | -9/+38
  Approved-by: Jordan
  Notes: svn path=/stable/3/; revision=49896
* MFC: add spl protection when restarting the timer. | Luigi Rizzo | 1999-08-11 | 1 | -2/+4
  Notes: svn path=/stable/3/; revision=49629
* MFC: in in_pcbconnect(), check errors from in_pcbbind() and exit | Pierre Beyssac | 1999-06-27 | 1 | -3/+6
  if any. This avoids calling in_pcbrehash() without a preceding in_pcbinshash(), causing a crash.
  PR: misc/12256
  Notes: svn path=/stable/3/; revision=48272
* MFC: 1.55: tegge: don't deref NULL on tcp pcblist sysctl copyout if the | Peter Wemm | 1999-06-20 | 1 | -2/+7
  tcp session was closed or reset.
  Notes: svn path=/stable/3/; revision=48042
* MFC: Don't accept divert/tee/pipe rules without corresponding option. | Ruslan Ermilov | 1999-06-17 | 1 | -3/+11
  PR: 10324
  Notes: svn path=/stable/3/; revision=47979
* MFC: stop mbuf leak when writing to a tcp session in certain race | Peter Wemm | 1999-06-05 | 1 | -7/+28
  conditions.
  Notes: svn path=/stable/3/; revision=47745
* MFC: Olicom token ring support and token ring framework. | Julian Elischer | 1999-05-27 | 1 | -4/+76
  Submitted by: Larry Lile <lile@stdio.com>
  Also Tagged into RELENG_3:
  sys/contrib/dev/oltr/COPYRIGHT
  sys/contrib/dev/oltr/i386-elf.trlld.o.uu
  sys/contrib/dev/oltr/if_oltr.c
  sys/contrib/dev/oltr/trlld.h
  sys/contrib/dev/oltr/trlldbm.c
  sys/contrib/dev/oltr/trlldhm.c
  sys/contrib/dev/oltr/trlldmac.c
  Notes: svn path=/stable/3/; revision=47535
* MFC: close PR# kern/10889 | Luigi Rizzo | 1999-05-24 | 1 | -1/+4
  Notes: svn path=/stable/3/; revision=47456
* MFC: free the dummynet header in ip_dummynet, not in the called | Luigi Rizzo | 1999-05-04 | 4 | -12/+10
  routine.
  Notes: svn path=/stable/3/; revision=46421
* MFC -- assorted dummynet cleanups | Luigi Rizzo | 1999-05-04 | 2 | -27/+38
  Notes: svn path=/stable/3/; revision=46386
* MFC: linger time in seconds | Andrey A. Chernov | 1999-04-30 | 1 | -2/+2
  Notes: svn path=/stable/3/; revision=46214
* MFC: make one pass through the firewall the default. | Luigi Rizzo | 1999-04-26 | 1 | -2/+2
  Notes: svn path=/stable/3/; revision=46096
* MFC: move igmp_leavegroup() after if_delmulti. | Luigi Rizzo | 1999-04-25 | 1 | -2/+8
  Notes: svn path=/stable/3/; revision=46050
* MFC: | David E. O'Brien | 1999-04-20 | 1 | -3/+3
  * rev 1.84: snd_nxt, not rcv_nxt, when calculating the ISS during TIME_WAIT
  * rev 1.83: fix warning to pass -Wall -Wcast-qual
  Notes: svn path=/stable/3/; revision=45874
* MFC: two cosmetic changes. | Julian Elischer | 1999-04-07 | 2 | -7/+15
  Notes: svn path=/stable/3/; revision=45440
* 1.103.2.1 merged the changes made in 1.105 to RELENG_3. Fixes the | Nick Sayer | 1999-04-01 | 1 | -1/+1
  ntoh?() issue when passing bridged packets through ipfw.
  PR: 10818
  Notes: svn path=/stable/3/; revision=45231
* MFC | Nick Sayer | 1999-03-31 | 1 | -18/+22
  Notes: svn path=/stable/3/; revision=45192
* one more typo.... will i ever fix this... | Luigi Rizzo | 1999-03-26 | 1 | -2/+2
  Notes: svn path=/stable/3/; revision=45050
* MFC: fix length handling with bridged packets. | Luigi Rizzo | 1999-03-26 | 1 | -8/+8
  Notes: svn path=/stable/3/; revision=45049