#
370346 |
|
19-Aug-2021 |
emaste |
ipfilter: remove doubled semicolons
Local commit; ipfilter upstream is inactive.
Discussed with: cy MFC after: 3 days
(cherry picked from commit 8fa63f44e64ebac444a4ac6451ac5e150cdcf8b1)
Git Hash: f3616c6d7ff5168d2e7883a831b60bbdc31367c6 Git Author: emaste@FreeBSD.org
|
#
369277 |
|
16-Feb-2021 |
cy |
MFC 57785538c6e0d7e8ca0f161ab95bae10fd304047 and 1e811efbc591699b872bea42b9de419c373199df:
57785538c6e0d7e8ca0f161ab95bae10fd304047)
Simplify the FreeBSD check using __FreeBSD__ compiler macro.
Rather than rely on __FreeBSD_version, defined in sys/param.h, use __FreeBSD__ defined by the compiler.
Reported by: emaste MFC after: 1 week
(cherry picked from commit 57785538c6e0d7e8ca0f161ab95bae10fd304047)
1e811efbc591699b872bea42b9de419c373199df:
Fix non-IPv6 build post 57785538c6e0d7e8ca0f161ab95bae10fd304047.
57785538c6e0d7e8ca0f161ab95bae10fd304047 change the test for FreeBSD from __FreeBSD_version to __FreeBSD__. However this test was performed before sys/param.h was included, therefore __FreeBSD_version was never defined. As the test was never true opt_random_ip_id.h was never included.
Submitted by: bdragon Reported by: bdragon
(cherry picked from commit 1e811efbc591699b872bea42b9de419c373199df)
Git Hash: 62607e8680e944f89cd7b5b7bca10698c66908b2 Git Author: cy@FreeBSD.org
|
#
369272 |
|
16-Feb-2021 |
cy |
MFC 0f34c80f376345b98a972940dd4757e58d7beb06:
Replace the redundant MENTAT macro with SOLARIS.
MENTAT and SOLARIS are synonymous. Remove the extraneous duplicate macro.
(cherry picked from commit 0f34c80f376345b98a972940dd4757e58d7beb06)
Git Hash: 8d6da0aae1c4ca288537c9875eaed1f65988e51f Git Author: cy@FreeBSD.org
|
#
369245 |
|
09-Feb-2021 |
git2svn |
MFC 4cd1807c7d2a67b633dd0c0bfde15091543a2514:
Retire the K&R/STD C __P prototype declarations.
In the old days when K&R C and STD C were each in use a workaround (read hack) was required to allow the same code to work on each without modification. All C compilers support STD C. We can finally put the __P prototype to rest.
(cherry picked from commit 4cd1807c7d2a67b633dd0c0bfde15091543a2514)
Git Hash: 0c7a33852aa5cd28a9d9b19b8f8034d60a9cb50f Git Author: cy@FreeBSD.org
|
#
358664 |
|
05-Mar-2020 |
cy |
MFC r358558:
Continuing the effort started in r343701, #ifdef cleanup, checking for __FreeBSD_version > 3.0 and 5.0 is redundant.
|
#
351479 |
|
25-Aug-2019 |
cy |
MFC r350881:
Calculate the number interface array elements using the new FR_NUM macro instead of the hard-coded value of 4. This is a precursor to increasing the number of interfaces speficied in "on {interface, ..., interface}". Note that though this feature is coded in ipf_y.y, it is partially supported in the ipfilter kld, meaning it does not work yet (and is yet to be documented in ipf.5 too).
|
#
350189 |
|
21-Jul-2019 |
cy |
MFC r349980:
Calculate the offset of the interface name using FR_NAME rather than calclulating it "by hand". This improves consistency with the rest of the code and is in line with planned fixes and other work.
|
#
344833 |
|
06-Mar-2019 |
cy |
MFC r343701 & r343732:
ipfilter #ifdef cleanup.
Remove #ifdefs for ancient and irrelevant operating systems from ipfilter.
When ipfilter was written the UNIX and UNIX-like systems in use were diverse and plentiful. IRIX, Tru64 (OSF/1) don't exist any more. OpenBSD removed ipfilter shortly after the first time the ipfilter license terms changed in the early 2000's. ipfilter on AIX, HP/UX, and Linux never really caught on. Removal of code for operating systems that ipfilter will never run on again will simplify the code making it easier to fix bugs, complete partially implemented features, and extend ipfilter.
Unsupported previous version FreeBSD code and some older NetBSD code has also been removed.
What remains is supported FreeBSD, NetBSD, and illumos. FreeBSD and NetBSD have collaborated exchanging patches, while illumos has expressed willingness to have their ipfilter updated to 5.1.2, provided their zone-specific updates to their ipfilter are merged (which are of interest to FreeBSD to allow control of ipfilters in jails from the global zone).
Reviewed by: glebius@ Differential Revision: https://reviews.freebsd.org/D19006
|
#
328274 |
|
23-Jan-2018 |
cy |
MFC r327718:
When growing the state, also grow the seed array. Otherwise memory that was not allocated will be accessed.
This necessitated refactoring state seed allocation from ipf_state_soft_init() into a new common ipf_state_seed_alloc() function as it is now also used by ipf_state_rehash() when changing the size of the state hash table in addition to by ipf_state_soft_init() during initialization.
According to Christos Zoulas <christos@NetBSD.org>:
The bug was encountered by a NetBSD vendor who's customer machines had large ipfilter states. The bug was reliably triggered by resizing the state variables using "ipf -T".
Submitted by: Christos Zoulas <christos@NetBSD.org> Reviewed by: delphij, rgrimes Obtained from: NetBSD ip_state.c CVS revs r1.9 and r1.10 Differential Revision: https://reviews.freebsd.org/D13755
|
#
327717 |
|
09-Jan-2018 |
cy |
MFC r327540:
Correct function name in description block.
|
#
323842 |
|
21-Sep-2017 |
cy |
MFC r323715:
Don't use an apostrophe in a possesive pronoun.
|
#
323694 |
|
18-Sep-2017 |
cy |
MFC r323478:
Improve the wording of a comment describing why EAGAIN is the error code.
|
#
317434 |
|
26-Apr-2017 |
cy |
MFC r316810, r316814, r316816, r316991:
Keep state incorrectly assumes keep frags. This is counter to the ipfilter man pages. This also currently restricts keep frags to only when keep state is used, which is redundant because keep state currently assumes keep frags. This commit fixes this.
To the user this change means that to maintain the current behaviour one must add keep frags to any ipfilter keep state rule (as documented in the man pages).
This patch also allows the flexability to specify and use keep frags separate from keep state, as documented in an example in ipf.conf.5, instead of the currently broken behaviour.
MFC suggested by: rgrimes Relnotes: yes
|
#
302408 |
|
07-Jul-2016 |
gjb |
Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle. Prune svn:mergeinfo from the new branch, as nothing has been merged here.
Additional commits post-branch will follow.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation |
#
297632 |
|
06-Apr-2016 |
cy |
Add DTrace probes for packets flagged as bad by ipfilter. All probes for bad packets are named ipf_fi_bad_*. An example of its use might be:
dtrace -n 'sdt:::ipf_fi_bad_* { stack(); }'
Reviewed by: Darren Reed <darrenr@reed.wattle.id.au>
|
#
289480 |
|
18-Oct-2015 |
cy |
Really fix ipfilter bug 3600459.
Obtained from: ipfilter cvs repo r1.48.2.25, r1.72 and NetBSD repo r1.4 MFC after: 3 days
|
#
287674 |
|
11-Sep-2015 |
cy |
Fix ipfilter bug 3600459 NAT bucket count wrong.
Obtained from: ipfilter cvs repo r1.48.2.25 MFC after: 2 weeks
|
#
287653 |
|
11-Sep-2015 |
cy |
Revert $FreeBSD$.
|
#
287652 |
|
11-Sep-2015 |
cy |
Fix mutex errors.
Obtained from: NetBSD r1.4. MFC after: 1 week
|
#
287651 |
|
11-Sep-2015 |
cy |
Fixup typos in comments.
Obtained from: NetBSD r1.4. MFC after: 1 week
|
#
255332 |
|
06-Sep-2013 |
cy |
Update ipfilter 4.1.28 --> 5.1.2.
Approved by: glebius (mentor) BSD Licensed by: Darren Reed <darrenr@reed.wattle.id.au> (author)
|
#
180778 |
|
24-Jul-2008 |
darrenr |
2020447 IPFilter's NAT can undo name server random port selection
Approved by: darrenr MFC after: 1 week Security: CERT VU#521769
|
#
173181 |
|
30-Oct-2007 |
darrenr |
Apply a few changes from ipfilter-current: * Do not hold any locks over calls to copyin/copyout. * Clean up some #ifdefs * fix a possible mbuf leak when NAT fails on policy routed packets
PR: 117216
|
#
172776 |
|
18-Oct-2007 |
darrenr |
Pullup IPFilter 4.1.28 from the vendor branch into HEAD.
MFC after: 7 days
|
#
170268 |
|
04-Jun-2007 |
darrenr |
Merge IPFilter 4.1.23 back to HEAD See src/contrib/ipfilter/HISTORY for details of changes since 4.1.13
|
#
165515 |
|
24-Dec-2006 |
darrenr |
TCP Window scaling was being recognised but the recorded settings were being clobbered and thus effectively disabled.
MFC after: 7 days
|
#
161356 |
|
16-Aug-2006 |
guido |
Resolve conflicts
MFC after: 2 weeks
|
#
153876 |
|
30-Dec-2005 |
guido |
Resolve conflicts
|
#
145522 |
|
25-Apr-2005 |
darrenr |
Merge the changes from 3.4.35 to 4.1.8 into the kernel source tree
|
#
139255 |
|
24-Dec-2004 |
darrenr |
Enable fine grained locking within IPFilter, using mtx(9) and sx(9) allowing the the "needs giant" flag to be removed from the driver.
|
#
130886 |
|
21-Jun-2004 |
darrenr |
Update ipfilter from 3.4.31 -> 3.4.35. Some important changes: * block packets that fail to create state table entries * only allow non-fragmented packets to influence whether or not a logged packet is the same as the one logged before. * correct the ICMP packet checksum fixing up when processing ICMP errors for NAT * implement a maximum for the number of entries in the NAT table (NAT_TABLE_MAX and ipf_nattable_max) * frsynclist() wasn't paying attention to all the places where interface names are, like it should. * fix comparing ICMP packets with established TCP state where only 8 bytes of header are returned in the ICMP error.
MFC after: 1 week
|
#
113799 |
|
21-Apr-2003 |
obrien |
Explicitly declare 'int' parameters.
|
#
110921 |
|
15-Feb-2003 |
darrenr |
fix bug in updating of interface pointers when resyncing state
|
#
110916 |
|
15-Feb-2003 |
darrenr |
Commit import changed from vendor branch of ipfilter to -current head
|
#
102520 |
|
28-Aug-2002 |
darrenr |
Finally merge in the changes from ipfilter 3.4.29 to freebsd-current. Main changes here are related to the ftp proxy and making that work better.
|
#
98004 |
|
07-Jun-2002 |
darrenr |
Commit changes that happened in IPFilter versions 3.4.27 - 3.4.28
|
#
95563 |
|
27-Apr-2002 |
darrenr |
Merge updates from 3.4.26 - 3.4.27.
|
#
95418 |
|
25-Apr-2002 |
darrenr |
bring in changes from 3.4.26.
|
#
92685 |
|
19-Mar-2002 |
darrenr |
fix conflicts (mostly damn rcs id's) generated by import
|
#
89336 |
|
14-Jan-2002 |
alfred |
Backout inclusion of queue.h since rev 1.38 sys/file.h now has it included in the right order.
|
#
89316 |
|
13-Jan-2002 |
alfred |
Include sys/_lock.h and sys/_mutex.h to reduce namespace pollution.
Requested by: jhb
|
#
80482 |
|
28-Jul-2001 |
darrenr |
fix conflicts created by import
|
#
75262 |
|
06-Apr-2001 |
darrenr |
fix security hole created by fragment cache
|
#
72006 |
|
04-Feb-2001 |
darrenr |
fix conflicts
|
#
67853 |
|
29-Oct-2000 |
darrenr |
Fix conflicts creted by import.
|
#
67614 |
|
26-Oct-2000 |
darrenr |
fix conflicts from rcsids
|
#
64580 |
|
13-Aug-2000 |
darrenr |
resolve conflicts
|
#
63523 |
|
19-Jul-2000 |
darrenr |
fix conflicts
|
#
60883 |
|
24-May-2000 |
darrenr |
fix duplicate rcsid's
|
#
60854 |
|
24-May-2000 |
darrenr |
fix conflicts
|
#
57126 |
|
10-Feb-2000 |
guido |
Re add rev 1.11 diffs to ip_fil.h Also discover that I did not undefine CVS_FUBAR (which no longer exists) and thus forgot to add $FreeBSD's. Add them.
Approved by: jkh (is part of ipfilter upgrade)
|
#
57096 |
|
09-Feb-2000 |
guido |
Bring over ipfilter v3_3_8 kernel sources, including merging the local modifications. Also fix initializing fr_running in KLD case. Rename ipl_inited to fr_runninhg in mlfk_ipl
Approved by: jkh
|
#
55929 |
|
13-Jan-2000 |
guido |
Bring over ipfilter kernel sources, including merging the local modifications.
|
#
55460 |
|
05-Jan-2000 |
eivind |
KERNEL -> _KERNEL
|
#
54221 |
|
06-Dec-1999 |
guido |
Revive mlfk_ipl here. This version is slightly changed from the old one: an unnecessary define (KLD_MODULE) has been deleted and the initialisation of the module is done after domaininit was called to be sure inet is running.
Some slight changed were made to ip_auth.c and ip_state.c in order to assure including of sys/systm.h in case we make a kld
Make sure ip_fil does nmot include osreldate in kernel mode
Remove mlfk_ipl.c from here: no sources allowed in these directories!
|
#
53642 |
|
23-Nov-1999 |
guido |
Add kernel parts of revived ipfilter (3.3.3.)
|