Fix typo in comment.

Fix use after free on packet with broken lengths

Under the scenario with a packet with length of 67 bytes, a header length
using the default of 20 bytes and a TCP data offset (th_off) of 48 will
cause m_pullup() to fail to make sure bytes are arranged contiguously.
m_pullup() will free the mbuf chain and return a null. ipfilter stores
the resultant mbuf address (or the resulting NULL) in its fr_info_t
structure. Unfortunately the erroneous packet is not flagged for drop.
From FreeBSD via CY Schubert; originally reported by: Robert Morris
<rtm at lcs.mit.edu>

s/recusive/recursive/ in comment.

s/imples/implies/ in comment.

PR/55149: Kouichi Hashikawa: Get morefrag before we strip it out from off

branches: 1.32.2;
PR/55137: Kouichi Hashikawa: ipfstat -f incorrect output
Fix incorrect byte order.

Fix 2 bugs, reported by Edgar Fu� on tech-net@
- pfil_run_hooks() can be called recursively, so we have to
#define FASTROUTE_RECURSION in fil.c
- ip6_if_output()/nd6_output() will free the mbuf on error, to make sure
to set *mpp to NULL so the caller won't try to free it again.

PR/54443: Edgar Fu�: ip mistakenly regards UDP packet with checksum field
0xffff as bad

branches: 1.29.2;
Revert previous and do the off == 1 case after we've taken the mask.

Conform to RFC 3128 by dropping TCP fragments with offset = 1.
In addition to dropping these fragments, add a DTrace probe to allow
for more detailed monitoring and diagnosis if required.
From FreeBSD r349399, reported vy Cy Schubert

Remove fd_local, it is not used, from FreeBSD r349401, reported by Cy Schubert

Remove redundant off != 0 check, from FreeBSD r349400, reported by Cy Schubert

add fallthru comments.

Rename

ip_undefer_csum -> in_undefer_cksum
in_delayed_cksum -> in_undefer_cksum_tcpudp

The two previous names were inconsistent and misleading.

Put the two functions into in_offload.c. Add comments to explain what
we're doing.

The same could be done for IPv6.

branches: 1.23.2;
Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.

branches: 1.22.2;
apply __attribute__((__used__)) for rcsid, etc.

Revert changing the byte order of fi->fi_addr. It is already correct. From
Timo Buhrmester
XXX: pullup 8.

branches: 1.20.4;
Disconnect maintaining fragment state from keeping session state. The user
now must specify keep frags along with keep state to have ipfilter do what
it did before, as documented in ipf.conf.5. (Cy Schubert @ FreeBSD)

partial sync with FreeBSD

branches: 1.18.2;
We don't need this in /current because packet processing does not happen in
an interrupt anymore (pointed out by ozaki@)

Comment out the mutex calls that protect against concurrent configuration
changes and processing. This needs to be done differently since you can't
sleep during interrupt processing.

Fix for PR kern/48109 (and its duplicate kern/49807)

As provided by Takahiro HAYASHI in PR kern/48109. Additional error
registration in ipf(8) by myself. Changes tested with GENERIC and
XEN3_DOM0. Thanks!

XXX pull-up netbsd-7

branches: 1.15.2; 1.15.4;
Darren Reed: #550 filter rule list corrupted with inserted rules

branches: 1.14.2;
kill sprintf

CID 976267: NULL deref check

Add bpf_filter_ext() to use with BPF COP, restore bpf_filter() as it was
originally to preserve compatibility. Similarly, add bpf_validate_ext()
which takes bpf_ctx_t.

Remove unused variable

bpf_filter: add a custom argument which can be passed to coprocessor routine.

Implement BPF_COP/BPF_COPX instructions in the misc category (BPF_MISC)
which add a capability to call external functions in a predetermined way.

It can be thought as a BPF "coprocessor" -- a generic mechanism to offload
more complex packet inspection operations. There is no default coprocessor
and this functionality is not targeted to the /dev/bpf. This is primarily
targeted to the kernel subsystems, therefore there is no way to set a custom
coprocessor at the userlevel.

Discussed on: tech-net@
OK: core@

branches: 1.8.2;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams

- Replace the seemingly broken built-in ipf rbtree implementation with ours.
- Fix typos in comments
- Fix 2 mutex errors
From Geoff Adams

remove wrong ntohl (from Aran Clauson)

branches: 1.5.2;
ansify new function definition

ansify new functio definitions

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Fix use after free on packet with broken lengths

Under the scenario with a packet with length of 67 bytes, a header length
using the default of 20 bytes and a TCP data offset (th_off) of 48 will
cause m_pullup() to fail to make sure bytes are arranged contiguously.
m_pullup() will free the mbuf chain and return a null. ipfilter stores
the resultant mbuf address (or the resulting NULL) in its fr_info_t
structure. Unfortunately the erroneous packet is not flagged for drop.
From FreeBSD via CY Schubert; originally reported by: Robert Morris
<rtm at lcs.mit.edu>

s/recusive/recursive/ in comment.

s/imples/implies/ in comment.

PR/55149: Kouichi Hashikawa: Get morefrag before we strip it out from off

branches: 1.32.2;
PR/55137: Kouichi Hashikawa: ipfstat -f incorrect output
Fix incorrect byte order.

Fix 2 bugs, reported by Edgar Fu� on tech-net@
- pfil_run_hooks() can be called recursively, so we have to
#define FASTROUTE_RECURSION in fil.c
- ip6_if_output()/nd6_output() will free the mbuf on error, to make sure
to set *mpp to NULL so the caller won't try to free it again.

PR/54443: Edgar Fu�: ip mistakenly regards UDP packet with checksum field
0xffff as bad

branches: 1.29.2;
Revert previous and do the off == 1 case after we've taken the mask.

Conform to RFC 3128 by dropping TCP fragments with offset = 1.
In addition to dropping these fragments, add a DTrace probe to allow
for more detailed monitoring and diagnosis if required.
From FreeBSD r349399, reported vy Cy Schubert

Remove fd_local, it is not used, from FreeBSD r349401, reported by Cy Schubert

Remove redundant off != 0 check, from FreeBSD r349400, reported by Cy Schubert

add fallthru comments.

Rename

ip_undefer_csum -> in_undefer_cksum
in_delayed_cksum -> in_undefer_cksum_tcpudp

The two previous names were inconsistent and misleading.

Put the two functions into in_offload.c. Add comments to explain what
we're doing.

The same could be done for IPv6.

branches: 1.23.2;
Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.

branches: 1.22.2;
apply __attribute__((__used__)) for rcsid, etc.

Revert changing the byte order of fi->fi_addr. It is already correct. From
Timo Buhrmester
XXX: pullup 8.

branches: 1.20.4;
Disconnect maintaining fragment state from keeping session state. The user
now must specify keep frags along with keep state to have ipfilter do what
it did before, as documented in ipf.conf.5. (Cy Schubert @ FreeBSD)

partial sync with FreeBSD

branches: 1.18.2;
We don't need this in /current because packet processing does not happen in
an interrupt anymore (pointed out by ozaki@)

Comment out the mutex calls that protect against concurrent configuration
changes and processing. This needs to be done differently since you can't
sleep during interrupt processing.

Fix for PR kern/48109 (and its duplicate kern/49807)

As provided by Takahiro HAYASHI in PR kern/48109. Additional error
registration in ipf(8) by myself. Changes tested with GENERIC and
XEN3_DOM0. Thanks!

XXX pull-up netbsd-7

branches: 1.15.2; 1.15.4;
Darren Reed: #550 filter rule list corrupted with inserted rules

branches: 1.14.2;
kill sprintf

CID 976267: NULL deref check

Add bpf_filter_ext() to use with BPF COP, restore bpf_filter() as it was
originally to preserve compatibility. Similarly, add bpf_validate_ext()
which takes bpf_ctx_t.

Remove unused variable

bpf_filter: add a custom argument which can be passed to coprocessor routine.

Implement BPF_COP/BPF_COPX instructions in the misc category (BPF_MISC)
which add a capability to call external functions in a predetermined way.

It can be thought as a BPF "coprocessor" -- a generic mechanism to offload
more complex packet inspection operations. There is no default coprocessor
and this functionality is not targeted to the /dev/bpf. This is primarily
targeted to the kernel subsystems, therefore there is no way to set a custom
coprocessor at the userlevel.

Discussed on: tech-net@
OK: core@

branches: 1.8.2;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams

- Replace the seemingly broken built-in ipf rbtree implementation with ours.
- Fix typos in comments
- Fix 2 mutex errors
From Geoff Adams

remove wrong ntohl (from Aran Clauson)

branches: 1.5.2;
ansify new function definition

ansify new functio definitions

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

s/recusive/recursive/ in comment.

s/imples/implies/ in comment.

PR/55149: Kouichi Hashikawa: Get morefrag before we strip it out from off

branches: 1.32.2;
PR/55137: Kouichi Hashikawa: ipfstat -f incorrect output
Fix incorrect byte order.

Fix 2 bugs, reported by Edgar Fu� on tech-net@
- pfil_run_hooks() can be called recursively, so we have to
#define FASTROUTE_RECURSION in fil.c
- ip6_if_output()/nd6_output() will free the mbuf on error, to make sure
to set *mpp to NULL so the caller won't try to free it again.

PR/54443: Edgar Fu�: ip mistakenly regards UDP packet with checksum field
0xffff as bad

branches: 1.29.2;
Revert previous and do the off == 1 case after we've taken the mask.

Conform to RFC 3128 by dropping TCP fragments with offset = 1.
In addition to dropping these fragments, add a DTrace probe to allow
for more detailed monitoring and diagnosis if required.
From FreeBSD r349399, reported vy Cy Schubert

Remove fd_local, it is not used, from FreeBSD r349401, reported by Cy Schubert

Remove redundant off != 0 check, from FreeBSD r349400, reported by Cy Schubert

add fallthru comments.

Rename

ip_undefer_csum -> in_undefer_cksum
in_delayed_cksum -> in_undefer_cksum_tcpudp

The two previous names were inconsistent and misleading.

Put the two functions into in_offload.c. Add comments to explain what
we're doing.

The same could be done for IPv6.

branches: 1.23.2;
Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.

branches: 1.22.2;
apply __attribute__((__used__)) for rcsid, etc.

Revert changing the byte order of fi->fi_addr. It is already correct. From
Timo Buhrmester
XXX: pullup 8.

branches: 1.20.4;
Disconnect maintaining fragment state from keeping session state. The user
now must specify keep frags along with keep state to have ipfilter do what
it did before, as documented in ipf.conf.5. (Cy Schubert @ FreeBSD)

partial sync with FreeBSD

branches: 1.18.2;
We don't need this in /current because packet processing does not happen in
an interrupt anymore (pointed out by ozaki@)

Comment out the mutex calls that protect against concurrent configuration
changes and processing. This needs to be done differently since you can't
sleep during interrupt processing.

Fix for PR kern/48109 (and its duplicate kern/49807)

As provided by Takahiro HAYASHI in PR kern/48109. Additional error
registration in ipf(8) by myself. Changes tested with GENERIC and
XEN3_DOM0. Thanks!

XXX pull-up netbsd-7

branches: 1.15.2; 1.15.4;
Darren Reed: #550 filter rule list corrupted with inserted rules

branches: 1.14.2;
kill sprintf

CID 976267: NULL deref check

Add bpf_filter_ext() to use with BPF COP, restore bpf_filter() as it was
originally to preserve compatibility. Similarly, add bpf_validate_ext()
which takes bpf_ctx_t.

Remove unused variable

bpf_filter: add a custom argument which can be passed to coprocessor routine.

Implement BPF_COP/BPF_COPX instructions in the misc category (BPF_MISC)
which add a capability to call external functions in a predetermined way.

It can be thought as a BPF "coprocessor" -- a generic mechanism to offload
more complex packet inspection operations. There is no default coprocessor
and this functionality is not targeted to the /dev/bpf. This is primarily
targeted to the kernel subsystems, therefore there is no way to set a custom
coprocessor at the userlevel.

Discussed on: tech-net@
OK: core@

branches: 1.8.2;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams

- Replace the seemingly broken built-in ipf rbtree implementation with ours.
- Fix typos in comments
- Fix 2 mutex errors
From Geoff Adams

remove wrong ntohl (from Aran Clauson)

branches: 1.5.2;
ansify new function definition

ansify new functio definitions

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

PR/55149: Kouichi Hashikawa: Get morefrag before we strip it out from off

PR/55137: Kouichi Hashikawa: ipfstat -f incorrect output
Fix incorrect byte order.

Fix 2 bugs, reported by Edgar Fu� on tech-net@
- pfil_run_hooks() can be called recursively, so we have to
#define FASTROUTE_RECURSION in fil.c
- ip6_if_output()/nd6_output() will free the mbuf on error, to make sure
to set *mpp to NULL so the caller won't try to free it again.

PR/54443: Edgar Fu�: ip mistakenly regards UDP packet with checksum field
0xffff as bad

branches: 1.29.2;
Revert previous and do the off == 1 case after we've taken the mask.

Conform to RFC 3128 by dropping TCP fragments with offset = 1.
In addition to dropping these fragments, add a DTrace probe to allow
for more detailed monitoring and diagnosis if required.
From FreeBSD r349399, reported vy Cy Schubert

Remove fd_local, it is not used, from FreeBSD r349401, reported by Cy Schubert

Remove redundant off != 0 check, from FreeBSD r349400, reported by Cy Schubert

add fallthru comments.

Rename

ip_undefer_csum -> in_undefer_cksum
in_delayed_cksum -> in_undefer_cksum_tcpudp

The two previous names were inconsistent and misleading.

Put the two functions into in_offload.c. Add comments to explain what
we're doing.

The same could be done for IPv6.

branches: 1.23.2;
Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.

branches: 1.22.2;
apply __attribute__((__used__)) for rcsid, etc.

Revert changing the byte order of fi->fi_addr. It is already correct. From
Timo Buhrmester
XXX: pullup 8.

branches: 1.20.4;
Disconnect maintaining fragment state from keeping session state. The user
now must specify keep frags along with keep state to have ipfilter do what
it did before, as documented in ipf.conf.5. (Cy Schubert @ FreeBSD)

partial sync with FreeBSD

branches: 1.18.2;
We don't need this in /current because packet processing does not happen in
an interrupt anymore (pointed out by ozaki@)

Comment out the mutex calls that protect against concurrent configuration
changes and processing. This needs to be done differently since you can't
sleep during interrupt processing.

Fix for PR kern/48109 (and its duplicate kern/49807)

As provided by Takahiro HAYASHI in PR kern/48109. Additional error
registration in ipf(8) by myself. Changes tested with GENERIC and
XEN3_DOM0. Thanks!

XXX pull-up netbsd-7

branches: 1.15.2; 1.15.4;
Darren Reed: #550 filter rule list corrupted with inserted rules

branches: 1.14.2;
kill sprintf

CID 976267: NULL deref check

Add bpf_filter_ext() to use with BPF COP, restore bpf_filter() as it was
originally to preserve compatibility. Similarly, add bpf_validate_ext()
which takes bpf_ctx_t.

Remove unused variable

bpf_filter: add a custom argument which can be passed to coprocessor routine.

Implement BPF_COP/BPF_COPX instructions in the misc category (BPF_MISC)
which add a capability to call external functions in a predetermined way.

It can be thought as a BPF "coprocessor" -- a generic mechanism to offload
more complex packet inspection operations. There is no default coprocessor
and this functionality is not targeted to the /dev/bpf. This is primarily
targeted to the kernel subsystems, therefore there is no way to set a custom
coprocessor at the userlevel.

Discussed on: tech-net@
OK: core@

branches: 1.8.2;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams

- Replace the seemingly broken built-in ipf rbtree implementation with ours.
- Fix typos in comments
- Fix 2 mutex errors
From Geoff Adams

remove wrong ntohl (from Aran Clauson)

branches: 1.5.2;
ansify new function definition

ansify new functio definitions

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

PR/55137: Kouichi Hashikawa: ipfstat -f incorrect output
Fix incorrect byte order.

Fix 2 bugs, reported by Edgar Fu� on tech-net@
- pfil_run_hooks() can be called recursively, so we have to
#define FASTROUTE_RECURSION in fil.c
- ip6_if_output()/nd6_output() will free the mbuf on error, to make sure
to set *mpp to NULL so the caller won't try to free it again.

PR/54443: Edgar Fu�: ip mistakenly regards UDP packet with checksum field
0xffff as bad

branches: 1.29.2;
Revert previous and do the off == 1 case after we've taken the mask.

Conform to RFC 3128 by dropping TCP fragments with offset = 1.
In addition to dropping these fragments, add a DTrace probe to allow
for more detailed monitoring and diagnosis if required.
From FreeBSD r349399, reported vy Cy Schubert

Remove fd_local, it is not used, from FreeBSD r349401, reported by Cy Schubert

Remove redundant off != 0 check, from FreeBSD r349400, reported by Cy Schubert

add fallthru comments.

Rename

ip_undefer_csum -> in_undefer_cksum
in_delayed_cksum -> in_undefer_cksum_tcpudp

The two previous names were inconsistent and misleading.

Put the two functions into in_offload.c. Add comments to explain what
we're doing.

The same could be done for IPv6.

branches: 1.23.2;
Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.

branches: 1.22.2;
apply __attribute__((__used__)) for rcsid, etc.

Revert changing the byte order of fi->fi_addr. It is already correct. From
Timo Buhrmester
XXX: pullup 8.

branches: 1.20.4;
Disconnect maintaining fragment state from keeping session state. The user
now must specify keep frags along with keep state to have ipfilter do what
it did before, as documented in ipf.conf.5. (Cy Schubert @ FreeBSD)

partial sync with FreeBSD

branches: 1.18.2;
We don't need this in /current because packet processing does not happen in
an interrupt anymore (pointed out by ozaki@)

Comment out the mutex calls that protect against concurrent configuration
changes and processing. This needs to be done differently since you can't
sleep during interrupt processing.

Fix for PR kern/48109 (and its duplicate kern/49807)

As provided by Takahiro HAYASHI in PR kern/48109. Additional error
registration in ipf(8) by myself. Changes tested with GENERIC and
XEN3_DOM0. Thanks!

XXX pull-up netbsd-7

branches: 1.15.2; 1.15.4;
Darren Reed: #550 filter rule list corrupted with inserted rules

branches: 1.14.2;
kill sprintf

CID 976267: NULL deref check

Add bpf_filter_ext() to use with BPF COP, restore bpf_filter() as it was
originally to preserve compatibility. Similarly, add bpf_validate_ext()
which takes bpf_ctx_t.

Remove unused variable

bpf_filter: add a custom argument which can be passed to coprocessor routine.

Implement BPF_COP/BPF_COPX instructions in the misc category (BPF_MISC)
which add a capability to call external functions in a predetermined way.

It can be thought as a BPF "coprocessor" -- a generic mechanism to offload
more complex packet inspection operations. There is no default coprocessor
and this functionality is not targeted to the /dev/bpf. This is primarily
targeted to the kernel subsystems, therefore there is no way to set a custom
coprocessor at the userlevel.

Discussed on: tech-net@
OK: core@

branches: 1.8.2;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams

- Replace the seemingly broken built-in ipf rbtree implementation with ours.
- Fix typos in comments
- Fix 2 mutex errors
From Geoff Adams

remove wrong ntohl (from Aran Clauson)

branches: 1.5.2;
ansify new function definition

ansify new functio definitions

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Fix 2 bugs, reported by Edgar Fu� on tech-net@
- pfil_run_hooks() can be called recursively, so we have to
#define FASTROUTE_RECURSION in fil.c
- ip6_if_output()/nd6_output() will free the mbuf on error, to make sure
to set *mpp to NULL so the caller won't try to free it again.

PR/54443: Edgar Fu�: ip mistakenly regards UDP packet with checksum field
0xffff as bad

branches: 1.29.2;
Revert previous and do the off == 1 case after we've taken the mask.

Conform to RFC 3128 by dropping TCP fragments with offset = 1.
In addition to dropping these fragments, add a DTrace probe to allow
for more detailed monitoring and diagnosis if required.
From FreeBSD r349399, reported vy Cy Schubert

Remove fd_local, it is not used, from FreeBSD r349401, reported by Cy Schubert

Remove redundant off != 0 check, from FreeBSD r349400, reported by Cy Schubert

add fallthru comments.

Rename

ip_undefer_csum -> in_undefer_cksum
in_delayed_cksum -> in_undefer_cksum_tcpudp

The two previous names were inconsistent and misleading.

Put the two functions into in_offload.c. Add comments to explain what
we're doing.

The same could be done for IPv6.

branches: 1.23.2;
Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.

branches: 1.22.2;
apply __attribute__((__used__)) for rcsid, etc.

Revert changing the byte order of fi->fi_addr. It is already correct. From
Timo Buhrmester
XXX: pullup 8.

branches: 1.20.4;
Disconnect maintaining fragment state from keeping session state. The user
now must specify keep frags along with keep state to have ipfilter do what
it did before, as documented in ipf.conf.5. (Cy Schubert @ FreeBSD)

partial sync with FreeBSD

branches: 1.18.2;
We don't need this in /current because packet processing does not happen in
an interrupt anymore (pointed out by ozaki@)

Comment out the mutex calls that protect against concurrent configuration
changes and processing. This needs to be done differently since you can't
sleep during interrupt processing.

Fix for PR kern/48109 (and its duplicate kern/49807)

As provided by Takahiro HAYASHI in PR kern/48109. Additional error
registration in ipf(8) by myself. Changes tested with GENERIC and
XEN3_DOM0. Thanks!

XXX pull-up netbsd-7

branches: 1.15.2; 1.15.4;
Darren Reed: #550 filter rule list corrupted with inserted rules

branches: 1.14.2;
kill sprintf

CID 976267: NULL deref check

Add bpf_filter_ext() to use with BPF COP, restore bpf_filter() as it was
originally to preserve compatibility. Similarly, add bpf_validate_ext()
which takes bpf_ctx_t.

Remove unused variable

bpf_filter: add a custom argument which can be passed to coprocessor routine.

Implement BPF_COP/BPF_COPX instructions in the misc category (BPF_MISC)
which add a capability to call external functions in a predetermined way.

It can be thought as a BPF "coprocessor" -- a generic mechanism to offload
more complex packet inspection operations. There is no default coprocessor
and this functionality is not targeted to the /dev/bpf. This is primarily
targeted to the kernel subsystems, therefore there is no way to set a custom
coprocessor at the userlevel.

Discussed on: tech-net@
OK: core@

branches: 1.8.2;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams

- Replace the seemingly broken built-in ipf rbtree implementation with ours.
- Fix typos in comments
- Fix 2 mutex errors
From Geoff Adams

remove wrong ntohl (from Aran Clauson)

branches: 1.5.2;
ansify new function definition

ansify new functio definitions

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

PR/54443: Edgar Fu�: ip mistakenly regards UDP packet with checksum field
0xffff as bad

branches: 1.29.2;
Revert previous and do the off == 1 case after we've taken the mask.

Conform to RFC 3128 by dropping TCP fragments with offset = 1.
In addition to dropping these fragments, add a DTrace probe to allow
for more detailed monitoring and diagnosis if required.
From FreeBSD r349399, reported vy Cy Schubert

Remove fd_local, it is not used, from FreeBSD r349401, reported by Cy Schubert

Remove redundant off != 0 check, from FreeBSD r349400, reported by Cy Schubert

add fallthru comments.

Rename

ip_undefer_csum -> in_undefer_cksum
in_delayed_cksum -> in_undefer_cksum_tcpudp

The two previous names were inconsistent and misleading.

Put the two functions into in_offload.c. Add comments to explain what
we're doing.

The same could be done for IPv6.

branches: 1.23.2;
Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.

branches: 1.22.2;
apply __attribute__((__used__)) for rcsid, etc.

Revert changing the byte order of fi->fi_addr. It is already correct. From
Timo Buhrmester
XXX: pullup 8.

branches: 1.20.4;
Disconnect maintaining fragment state from keeping session state. The user
now must specify keep frags along with keep state to have ipfilter do what
it did before, as documented in ipf.conf.5. (Cy Schubert @ FreeBSD)

partial sync with FreeBSD

branches: 1.18.2;
We don't need this in /current because packet processing does not happen in
an interrupt anymore (pointed out by ozaki@)

Comment out the mutex calls that protect against concurrent configuration
changes and processing. This needs to be done differently since you can't
sleep during interrupt processing.

Fix for PR kern/48109 (and its duplicate kern/49807)

As provided by Takahiro HAYASHI in PR kern/48109. Additional error
registration in ipf(8) by myself. Changes tested with GENERIC and
XEN3_DOM0. Thanks!

XXX pull-up netbsd-7

branches: 1.15.2; 1.15.4;
Darren Reed: #550 filter rule list corrupted with inserted rules

branches: 1.14.2;
kill sprintf

CID 976267: NULL deref check

Add bpf_filter_ext() to use with BPF COP, restore bpf_filter() as it was
originally to preserve compatibility. Similarly, add bpf_validate_ext()
which takes bpf_ctx_t.

Remove unused variable

bpf_filter: add a custom argument which can be passed to coprocessor routine.

Implement BPF_COP/BPF_COPX instructions in the misc category (BPF_MISC)
which add a capability to call external functions in a predetermined way.

It can be thought as a BPF "coprocessor" -- a generic mechanism to offload
more complex packet inspection operations. There is no default coprocessor
and this functionality is not targeted to the /dev/bpf. This is primarily
targeted to the kernel subsystems, therefore there is no way to set a custom
coprocessor at the userlevel.

Discussed on: tech-net@
OK: core@

branches: 1.8.2;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams

- Replace the seemingly broken built-in ipf rbtree implementation with ours.
- Fix typos in comments
- Fix 2 mutex errors
From Geoff Adams

remove wrong ntohl (from Aran Clauson)

branches: 1.5.2;
ansify new function definition

ansify new functio definitions

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Revert previous and do the off == 1 case after we've taken the mask.

Conform to RFC 3128 by dropping TCP fragments with offset = 1.
In addition to dropping these fragments, add a DTrace probe to allow
for more detailed monitoring and diagnosis if required.
From FreeBSD r349399, reported vy Cy Schubert

Remove fd_local, it is not used, from FreeBSD r349401, reported by Cy Schubert

Remove redundant off != 0 check, from FreeBSD r349400, reported by Cy Schubert

add fallthru comments.

Rename

ip_undefer_csum -> in_undefer_cksum
in_delayed_cksum -> in_undefer_cksum_tcpudp

The two previous names were inconsistent and misleading.

Put the two functions into in_offload.c. Add comments to explain what
we're doing.

The same could be done for IPv6.

branches: 1.23.2;
Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.

branches: 1.22.2;
apply __attribute__((__used__)) for rcsid, etc.

Revert changing the byte order of fi->fi_addr. It is already correct. From
Timo Buhrmester
XXX: pullup 8.

branches: 1.20.4;
Disconnect maintaining fragment state from keeping session state. The user
now must specify keep frags along with keep state to have ipfilter do what
it did before, as documented in ipf.conf.5. (Cy Schubert @ FreeBSD)

partial sync with FreeBSD

branches: 1.18.2;
We don't need this in /current because packet processing does not happen in
an interrupt anymore (pointed out by ozaki@)

Comment out the mutex calls that protect against concurrent configuration
changes and processing. This needs to be done differently since you can't
sleep during interrupt processing.

Fix for PR kern/48109 (and its duplicate kern/49807)

As provided by Takahiro HAYASHI in PR kern/48109. Additional error
registration in ipf(8) by myself. Changes tested with GENERIC and
XEN3_DOM0. Thanks!

XXX pull-up netbsd-7

branches: 1.15.2; 1.15.4;
Darren Reed: #550 filter rule list corrupted with inserted rules

branches: 1.14.2;
kill sprintf

CID 976267: NULL deref check

Add bpf_filter_ext() to use with BPF COP, restore bpf_filter() as it was
originally to preserve compatibility. Similarly, add bpf_validate_ext()
which takes bpf_ctx_t.

Remove unused variable

bpf_filter: add a custom argument which can be passed to coprocessor routine.

Implement BPF_COP/BPF_COPX instructions in the misc category (BPF_MISC)
which add a capability to call external functions in a predetermined way.

It can be thought as a BPF "coprocessor" -- a generic mechanism to offload
more complex packet inspection operations. There is no default coprocessor
and this functionality is not targeted to the /dev/bpf. This is primarily
targeted to the kernel subsystems, therefore there is no way to set a custom
coprocessor at the userlevel.

Discussed on: tech-net@
OK: core@

branches: 1.8.2;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams

- Replace the seemingly broken built-in ipf rbtree implementation with ours.
- Fix typos in comments
- Fix 2 mutex errors
From Geoff Adams

remove wrong ntohl (from Aran Clauson)

branches: 1.5.2;
ansify new function definition

ansify new functio definitions

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Conform to RFC 3128 by dropping TCP fragments with offset = 1.
In addition to dropping these fragments, add a DTrace probe to allow
for more detailed monitoring and diagnosis if required.
From FreeBSD r349399, reported vy Cy Schubert

Remove fd_local, it is not used, from FreeBSD r349401, reported by Cy Schubert

Remove redundant off != 0 check, from FreeBSD r349400, reported by Cy Schubert

add fallthru comments.

Rename

ip_undefer_csum -> in_undefer_cksum
in_delayed_cksum -> in_undefer_cksum_tcpudp

The two previous names were inconsistent and misleading.

Put the two functions into in_offload.c. Add comments to explain what
we're doing.

The same could be done for IPv6.

branches: 1.23.2;
Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.

branches: 1.22.2;
apply __attribute__((__used__)) for rcsid, etc.

Revert changing the byte order of fi->fi_addr. It is already correct. From
Timo Buhrmester
XXX: pullup 8.

branches: 1.20.4;
Disconnect maintaining fragment state from keeping session state. The user
now must specify keep frags along with keep state to have ipfilter do what
it did before, as documented in ipf.conf.5. (Cy Schubert @ FreeBSD)

partial sync with FreeBSD

branches: 1.18.2;
We don't need this in /current because packet processing does not happen in
an interrupt anymore (pointed out by ozaki@)

Comment out the mutex calls that protect against concurrent configuration
changes and processing. This needs to be done differently since you can't
sleep during interrupt processing.

Fix for PR kern/48109 (and its duplicate kern/49807)

As provided by Takahiro HAYASHI in PR kern/48109. Additional error
registration in ipf(8) by myself. Changes tested with GENERIC and
XEN3_DOM0. Thanks!

XXX pull-up netbsd-7

branches: 1.15.2; 1.15.4;
Darren Reed: #550 filter rule list corrupted with inserted rules

branches: 1.14.2;
kill sprintf

CID 976267: NULL deref check

Add bpf_filter_ext() to use with BPF COP, restore bpf_filter() as it was
originally to preserve compatibility. Similarly, add bpf_validate_ext()
which takes bpf_ctx_t.

Remove unused variable

bpf_filter: add a custom argument which can be passed to coprocessor routine.

Implement BPF_COP/BPF_COPX instructions in the misc category (BPF_MISC)
which add a capability to call external functions in a predetermined way.

It can be thought as a BPF "coprocessor" -- a generic mechanism to offload
more complex packet inspection operations. There is no default coprocessor
and this functionality is not targeted to the /dev/bpf. This is primarily
targeted to the kernel subsystems, therefore there is no way to set a custom
coprocessor at the userlevel.

Discussed on: tech-net@
OK: core@

branches: 1.8.2;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams

- Replace the seemingly broken built-in ipf rbtree implementation with ours.
- Fix typos in comments
- Fix 2 mutex errors
From Geoff Adams

remove wrong ntohl (from Aran Clauson)

branches: 1.5.2;
ansify new function definition

ansify new functio definitions

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

add fallthru comments.

Rename

ip_undefer_csum -> in_undefer_cksum
in_delayed_cksum -> in_undefer_cksum_tcpudp

The two previous names were inconsistent and misleading.

Put the two functions into in_offload.c. Add comments to explain what
we're doing.

The same could be done for IPv6.

Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.

branches: 1.22.2;
apply __attribute__((__used__)) for rcsid, etc.

Revert changing the byte order of fi->fi_addr. It is already correct. From
Timo Buhrmester
XXX: pullup 8.

branches: 1.20.4;
Disconnect maintaining fragment state from keeping session state. The user
now must specify keep frags along with keep state to have ipfilter do what
it did before, as documented in ipf.conf.5. (Cy Schubert @ FreeBSD)

partial sync with FreeBSD

branches: 1.18.2;
We don't need this in /current because packet processing does not happen in
an interrupt anymore (pointed out by ozaki@)

Comment out the mutex calls that protect against concurrent configuration
changes and processing. This needs to be done differently since you can't
sleep during interrupt processing.

Fix for PR kern/48109 (and its duplicate kern/49807)

As provided by Takahiro HAYASHI in PR kern/48109. Additional error
registration in ipf(8) by myself. Changes tested with GENERIC and
XEN3_DOM0. Thanks!

XXX pull-up netbsd-7

branches: 1.15.2; 1.15.4;
Darren Reed: #550 filter rule list corrupted with inserted rules

branches: 1.14.2;
kill sprintf

CID 976267: NULL deref check

Add bpf_filter_ext() to use with BPF COP, restore bpf_filter() as it was
originally to preserve compatibility. Similarly, add bpf_validate_ext()
which takes bpf_ctx_t.

Remove unused variable

bpf_filter: add a custom argument which can be passed to coprocessor routine.

Implement BPF_COP/BPF_COPX instructions in the misc category (BPF_MISC)
which add a capability to call external functions in a predetermined way.

It can be thought as a BPF "coprocessor" -- a generic mechanism to offload
more complex packet inspection operations. There is no default coprocessor
and this functionality is not targeted to the /dev/bpf. This is primarily
targeted to the kernel subsystems, therefore there is no way to set a custom
coprocessor at the userlevel.

Discussed on: tech-net@
OK: core@

branches: 1.8.2;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams

- Replace the seemingly broken built-in ipf rbtree implementation with ours.
- Fix typos in comments
- Fix 2 mutex errors
From Geoff Adams

remove wrong ntohl (from Aran Clauson)

branches: 1.5.2;
ansify new function definition

ansify new functio definitions

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

apply __attribute__((__used__)) for rcsid, etc.

Revert changing the byte order of fi->fi_addr. It is already correct. From
Timo Buhrmester
XXX: pullup 8.

branches: 1.20.4;
Disconnect maintaining fragment state from keeping session state. The user
now must specify keep frags along with keep state to have ipfilter do what
it did before, as documented in ipf.conf.5. (Cy Schubert @ FreeBSD)

partial sync with FreeBSD

branches: 1.18.2;
We don't need this in /current because packet processing does not happen in
an interrupt anymore (pointed out by ozaki@)

Comment out the mutex calls that protect against concurrent configuration
changes and processing. This needs to be done differently since you can't
sleep during interrupt processing.

Fix for PR kern/48109 (and its duplicate kern/49807)

As provided by Takahiro HAYASHI in PR kern/48109. Additional error
registration in ipf(8) by myself. Changes tested with GENERIC and
XEN3_DOM0. Thanks!

XXX pull-up netbsd-7

branches: 1.15.2; 1.15.4;
Darren Reed: #550 filter rule list corrupted with inserted rules

branches: 1.14.2;
kill sprintf

CID 976267: NULL deref check

Add bpf_filter_ext() to use with BPF COP, restore bpf_filter() as it was
originally to preserve compatibility. Similarly, add bpf_validate_ext()
which takes bpf_ctx_t.

Remove unused variable

bpf_filter: add a custom argument which can be passed to coprocessor routine.

Implement BPF_COP/BPF_COPX instructions in the misc category (BPF_MISC)
which add a capability to call external functions in a predetermined way.

It can be thought as a BPF "coprocessor" -- a generic mechanism to offload
more complex packet inspection operations. There is no default coprocessor
and this functionality is not targeted to the /dev/bpf. This is primarily
targeted to the kernel subsystems, therefore there is no way to set a custom
coprocessor at the userlevel.

Discussed on: tech-net@
OK: core@

branches: 1.8.2;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams

- Replace the seemingly broken built-in ipf rbtree implementation with ours.
- Fix typos in comments
- Fix 2 mutex errors
From Geoff Adams

remove wrong ntohl (from Aran Clauson)

branches: 1.5.2;
ansify new function definition

ansify new functio definitions

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Revert changing the byte order of fi->fi_addr. It is already correct. From
Timo Buhrmester
XXX: pullup 8.

Disconnect maintaining fragment state from keeping session state. The user
now must specify keep frags along with keep state to have ipfilter do what
it did before, as documented in ipf.conf.5. (Cy Schubert @ FreeBSD)

partial sync with FreeBSD

branches: 1.18.2;
We don't need this in /current because packet processing does not happen in
an interrupt anymore (pointed out by ozaki@)

Comment out the mutex calls that protect against concurrent configuration
changes and processing. This needs to be done differently since you can't
sleep during interrupt processing.

Fix for PR kern/48109 (and its duplicate kern/49807)

As provided by Takahiro HAYASHI in PR kern/48109. Additional error
registration in ipf(8) by myself. Changes tested with GENERIC and
XEN3_DOM0. Thanks!

XXX pull-up netbsd-7

branches: 1.15.2; 1.15.4;
Darren Reed: #550 filter rule list corrupted with inserted rules

branches: 1.14.2;
kill sprintf

CID 976267: NULL deref check

Add bpf_filter_ext() to use with BPF COP, restore bpf_filter() as it was
originally to preserve compatibility. Similarly, add bpf_validate_ext()
which takes bpf_ctx_t.

Remove unused variable

bpf_filter: add a custom argument which can be passed to coprocessor routine.

Implement BPF_COP/BPF_COPX instructions in the misc category (BPF_MISC)
which add a capability to call external functions in a predetermined way.

It can be thought as a BPF "coprocessor" -- a generic mechanism to offload
more complex packet inspection operations. There is no default coprocessor
and this functionality is not targeted to the /dev/bpf. This is primarily
targeted to the kernel subsystems, therefore there is no way to set a custom
coprocessor at the userlevel.

Discussed on: tech-net@
OK: core@

branches: 1.8.2;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams

- Replace the seemingly broken built-in ipf rbtree implementation with ours.
- Fix typos in comments
- Fix 2 mutex errors
From Geoff Adams

remove wrong ntohl (from Aran Clauson)

branches: 1.5.2;
ansify new function definition

ansify new functio definitions

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Disconnect maintaining fragment state from keeping session state. The user
now must specify keep frags along with keep state to have ipfilter do what
it did before, as documented in ipf.conf.5. (Cy Schubert @ FreeBSD)

partial sync with FreeBSD

branches: 1.18.2;
We don't need this in /current because packet processing does not happen in
an interrupt anymore (pointed out by ozaki@)

Comment out the mutex calls that protect against concurrent configuration
changes and processing. This needs to be done differently since you can't
sleep during interrupt processing.

Fix for PR kern/48109 (and its duplicate kern/49807)

As provided by Takahiro HAYASHI in PR kern/48109. Additional error
registration in ipf(8) by myself. Changes tested with GENERIC and
XEN3_DOM0. Thanks!

XXX pull-up netbsd-7

branches: 1.15.2; 1.15.4;
Darren Reed: #550 filter rule list corrupted with inserted rules

branches: 1.14.2;
kill sprintf

CID 976267: NULL deref check

Add bpf_filter_ext() to use with BPF COP, restore bpf_filter() as it was
originally to preserve compatibility. Similarly, add bpf_validate_ext()
which takes bpf_ctx_t.

Remove unused variable

bpf_filter: add a custom argument which can be passed to coprocessor routine.

Implement BPF_COP/BPF_COPX instructions in the misc category (BPF_MISC)
which add a capability to call external functions in a predetermined way.

It can be thought as a BPF "coprocessor" -- a generic mechanism to offload
more complex packet inspection operations. There is no default coprocessor
and this functionality is not targeted to the /dev/bpf. This is primarily
targeted to the kernel subsystems, therefore there is no way to set a custom
coprocessor at the userlevel.

Discussed on: tech-net@
OK: core@

branches: 1.8.2;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams

- Replace the seemingly broken built-in ipf rbtree implementation with ours.
- Fix typos in comments
- Fix 2 mutex errors
From Geoff Adams

remove wrong ntohl (from Aran Clauson)

branches: 1.5.2;
ansify new function definition

ansify new functio definitions

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

partial sync with FreeBSD

branches: 1.18.2;
We don't need this in /current because packet processing does not happen in
an interrupt anymore (pointed out by ozaki@)

Comment out the mutex calls that protect against concurrent configuration
changes and processing. This needs to be done differently since you can't
sleep during interrupt processing.

Fix for PR kern/48109 (and its duplicate kern/49807)

As provided by Takahiro HAYASHI in PR kern/48109. Additional error
registration in ipf(8) by myself. Changes tested with GENERIC and
XEN3_DOM0. Thanks!

XXX pull-up netbsd-7

branches: 1.15.2; 1.15.4;
Darren Reed: #550 filter rule list corrupted with inserted rules

branches: 1.14.2;
kill sprintf

CID 976267: NULL deref check

Add bpf_filter_ext() to use with BPF COP, restore bpf_filter() as it was
originally to preserve compatibility. Similarly, add bpf_validate_ext()
which takes bpf_ctx_t.

Remove unused variable

bpf_filter: add a custom argument which can be passed to coprocessor routine.

Implement BPF_COP/BPF_COPX instructions in the misc category (BPF_MISC)
which add a capability to call external functions in a predetermined way.

It can be thought as a BPF "coprocessor" -- a generic mechanism to offload
more complex packet inspection operations. There is no default coprocessor
and this functionality is not targeted to the /dev/bpf. This is primarily
targeted to the kernel subsystems, therefore there is no way to set a custom
coprocessor at the userlevel.

Discussed on: tech-net@
OK: core@

branches: 1.8.2;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams

- Replace the seemingly broken built-in ipf rbtree implementation with ours.
- Fix typos in comments
- Fix 2 mutex errors
From Geoff Adams

remove wrong ntohl (from Aran Clauson)

branches: 1.5.2;
ansify new function definition

ansify new functio definitions

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision