s/Incluse/Include/

don't opencode kauth_cred_get()

Fix ip_nat memory leak and use-after-free, wrong element freed (Cy Schubert)
https://cgit.freebsd.org/src/commit/?id=323a4e2c4e285e6f8eee8db3fe2cb74

branches: 1.23.6; 1.23.8;
Remove #ifdef BRIDGE_IPF, compile in the code by default. Sent to
tech-net@.

reduce stack usage in ipf_nat_ioctl()

also, in SIOCADNAT, make sure to not leak kernel data

add fallthru comments.

branches: 1.20.2;
Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.

Remove now unused tcpip.h includes. Some were already unused before.

branches: 1.18.4;
Typo

Fix lookup of original destination address when using a redirect rule.
This is required for transparent proxying by squid, for example.

branches: 1.16.2;
Fix matching of ICMP queries when NAT'd through IPF

This notably fixes MTU updates for hosts issueing ICMP queries through a
NAT performed by NetBSD with IPF.

Update comments to match previous change (avoid panic in SIOCGNATL)

Avoid panic in SIOCGNATL dereferencing a NULL softc.
Solution suggestion from Martin Husemann.

branches: 1.13.2; 1.13.4;
PR kern/47665
For ICMP packets, use the "oicmpid" and "nicmpid" fields explicitly rather
than overloading those with "port" in them and expecting them to work.

#537 NAT rules with sticky have incorrect hostmap IP address

branches: 1.11.2;
Checking the return value of an allocator works better, when looking at
the stored pointer.

Remove unused variables

branches: 1.9.2;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams

Fix bucket and chain counts on nat lists from Geoff Adams:

The problem was that ipf_nat_delete wasn't swapping inbound and
outbound hash codes for inbound NAT entries, so it was essentially
always looking in the wrong buckets in those cases. But because of
the way the linked list works, I don't think any NAT entries were
actually leaked. But since all the bucket counters and chain count
were getting messed up, things did start to go bad after a while.
(New NAT entries wouldn't be created, for instance.)

The fix is in the ipf_nat_delete function, itself; the other changes
are a slight refactoring of one method and adding some comments
that helped me figure out how the linked list with pointer-back-pointers
worked.

Also note that I haven't looked through the logic in ipf_nat_rehash;
it's likely that that might miss some things for the same reason.

I also haven't yet looked into the ipf_nat_newrdr problem with mappings
already existing. That'll be next.

- Replace the seemingly broken built-in ipf rbtree implementation with ours.
- Fix typos in comments
- Fix 2 mutex errors
From Geoff Adams

branches: 1.6.2;
Make ipf compile even without INET6 support.

Changes have been fed upstream (to darrenr@)

ansify new function definition

ansify new function definition

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

don't opencode kauth_cred_get()

Fix ip_nat memory leak and use-after-free, wrong element freed (Cy Schubert)
https://cgit.freebsd.org/src/commit/?id=323a4e2c4e285e6f8eee8db3fe2cb74

branches: 1.23.6; 1.23.8;
Remove #ifdef BRIDGE_IPF, compile in the code by default. Sent to
tech-net@.

reduce stack usage in ipf_nat_ioctl()

also, in SIOCADNAT, make sure to not leak kernel data

add fallthru comments.

branches: 1.20.2;
Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.

Remove now unused tcpip.h includes. Some were already unused before.

branches: 1.18.4;
Typo

Fix lookup of original destination address when using a redirect rule.
This is required for transparent proxying by squid, for example.

branches: 1.16.2;
Fix matching of ICMP queries when NAT'd through IPF

This notably fixes MTU updates for hosts issueing ICMP queries through a
NAT performed by NetBSD with IPF.

Update comments to match previous change (avoid panic in SIOCGNATL)

Avoid panic in SIOCGNATL dereferencing a NULL softc.
Solution suggestion from Martin Husemann.

branches: 1.13.2; 1.13.4;
PR kern/47665
For ICMP packets, use the "oicmpid" and "nicmpid" fields explicitly rather
than overloading those with "port" in them and expecting them to work.

#537 NAT rules with sticky have incorrect hostmap IP address

branches: 1.11.2;
Checking the return value of an allocator works better, when looking at
the stored pointer.

Remove unused variables

branches: 1.9.2;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams

Fix bucket and chain counts on nat lists from Geoff Adams:

The problem was that ipf_nat_delete wasn't swapping inbound and
outbound hash codes for inbound NAT entries, so it was essentially
always looking in the wrong buckets in those cases. But because of
the way the linked list works, I don't think any NAT entries were
actually leaked. But since all the bucket counters and chain count
were getting messed up, things did start to go bad after a while.
(New NAT entries wouldn't be created, for instance.)

The fix is in the ipf_nat_delete function, itself; the other changes
are a slight refactoring of one method and adding some comments
that helped me figure out how the linked list with pointer-back-pointers
worked.

Also note that I haven't looked through the logic in ipf_nat_rehash;
it's likely that that might miss some things for the same reason.

I also haven't yet looked into the ipf_nat_newrdr problem with mappings
already existing. That'll be next.

- Replace the seemingly broken built-in ipf rbtree implementation with ours.
- Fix typos in comments
- Fix 2 mutex errors
From Geoff Adams

branches: 1.6.2;
Make ipf compile even without INET6 support.

Changes have been fed upstream (to darrenr@)

ansify new function definition

ansify new function definition

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Fix ip_nat memory leak and use-after-free, wrong element freed (Cy Schubert)
https://cgit.freebsd.org/src/commit/?id=323a4e2c4e285e6f8eee8db3fe2cb74

Remove #ifdef BRIDGE_IPF, compile in the code by default. Sent to
tech-net@.

reduce stack usage in ipf_nat_ioctl()

also, in SIOCADNAT, make sure to not leak kernel data

add fallthru comments.

branches: 1.20.2;
Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.

Remove now unused tcpip.h includes. Some were already unused before.

branches: 1.18.4;
Typo

Fix lookup of original destination address when using a redirect rule.
This is required for transparent proxying by squid, for example.

branches: 1.16.2;
Fix matching of ICMP queries when NAT'd through IPF

This notably fixes MTU updates for hosts issueing ICMP queries through a
NAT performed by NetBSD with IPF.

Update comments to match previous change (avoid panic in SIOCGNATL)

Avoid panic in SIOCGNATL dereferencing a NULL softc.
Solution suggestion from Martin Husemann.

branches: 1.13.2; 1.13.4;
PR kern/47665
For ICMP packets, use the "oicmpid" and "nicmpid" fields explicitly rather
than overloading those with "port" in them and expecting them to work.

#537 NAT rules with sticky have incorrect hostmap IP address

branches: 1.11.2;
Checking the return value of an allocator works better, when looking at
the stored pointer.

Remove unused variables

branches: 1.9.2;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams

Fix bucket and chain counts on nat lists from Geoff Adams:

The problem was that ipf_nat_delete wasn't swapping inbound and
outbound hash codes for inbound NAT entries, so it was essentially
always looking in the wrong buckets in those cases. But because of
the way the linked list works, I don't think any NAT entries were
actually leaked. But since all the bucket counters and chain count
were getting messed up, things did start to go bad after a while.
(New NAT entries wouldn't be created, for instance.)

The fix is in the ipf_nat_delete function, itself; the other changes
are a slight refactoring of one method and adding some comments
that helped me figure out how the linked list with pointer-back-pointers
worked.

Also note that I haven't looked through the logic in ipf_nat_rehash;
it's likely that that might miss some things for the same reason.

I also haven't yet looked into the ipf_nat_newrdr problem with mappings
already existing. That'll be next.

- Replace the seemingly broken built-in ipf rbtree implementation with ours.
- Fix typos in comments
- Fix 2 mutex errors
From Geoff Adams

branches: 1.6.2;
Make ipf compile even without INET6 support.

Changes have been fed upstream (to darrenr@)

ansify new function definition

ansify new function definition

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Remove #ifdef BRIDGE_IPF, compile in the code by default. Sent to
tech-net@.

reduce stack usage in ipf_nat_ioctl()

also, in SIOCADNAT, make sure to not leak kernel data

add fallthru comments.

branches: 1.20.2;
Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.

Remove now unused tcpip.h includes. Some were already unused before.

branches: 1.18.4;
Typo

Fix lookup of original destination address when using a redirect rule.
This is required for transparent proxying by squid, for example.

branches: 1.16.2;
Fix matching of ICMP queries when NAT'd through IPF

This notably fixes MTU updates for hosts issueing ICMP queries through a
NAT performed by NetBSD with IPF.

Update comments to match previous change (avoid panic in SIOCGNATL)

Avoid panic in SIOCGNATL dereferencing a NULL softc.
Solution suggestion from Martin Husemann.

branches: 1.13.2; 1.13.4;
PR kern/47665
For ICMP packets, use the "oicmpid" and "nicmpid" fields explicitly rather
than overloading those with "port" in them and expecting them to work.

#537 NAT rules with sticky have incorrect hostmap IP address

branches: 1.11.2;
Checking the return value of an allocator works better, when looking at
the stored pointer.

Remove unused variables

branches: 1.9.2;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams

Fix bucket and chain counts on nat lists from Geoff Adams:

The problem was that ipf_nat_delete wasn't swapping inbound and
outbound hash codes for inbound NAT entries, so it was essentially
always looking in the wrong buckets in those cases. But because of
the way the linked list works, I don't think any NAT entries were
actually leaked. But since all the bucket counters and chain count
were getting messed up, things did start to go bad after a while.
(New NAT entries wouldn't be created, for instance.)

The fix is in the ipf_nat_delete function, itself; the other changes
are a slight refactoring of one method and adding some comments
that helped me figure out how the linked list with pointer-back-pointers
worked.

Also note that I haven't looked through the logic in ipf_nat_rehash;
it's likely that that might miss some things for the same reason.

I also haven't yet looked into the ipf_nat_newrdr problem with mappings
already existing. That'll be next.

- Replace the seemingly broken built-in ipf rbtree implementation with ours.
- Fix typos in comments
- Fix 2 mutex errors
From Geoff Adams

branches: 1.6.2;
Make ipf compile even without INET6 support.

Changes have been fed upstream (to darrenr@)

ansify new function definition

ansify new function definition

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

reduce stack usage in ipf_nat_ioctl()

also, in SIOCADNAT, make sure to not leak kernel data

add fallthru comments.

branches: 1.20.2;
Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.

Remove now unused tcpip.h includes. Some were already unused before.

branches: 1.18.4;
Typo

Fix lookup of original destination address when using a redirect rule.
This is required for transparent proxying by squid, for example.

branches: 1.16.2;
Fix matching of ICMP queries when NAT'd through IPF

This notably fixes MTU updates for hosts issueing ICMP queries through a
NAT performed by NetBSD with IPF.

Update comments to match previous change (avoid panic in SIOCGNATL)

Avoid panic in SIOCGNATL dereferencing a NULL softc.
Solution suggestion from Martin Husemann.

branches: 1.13.2; 1.13.4;
PR kern/47665
For ICMP packets, use the "oicmpid" and "nicmpid" fields explicitly rather
than overloading those with "port" in them and expecting them to work.

#537 NAT rules with sticky have incorrect hostmap IP address

branches: 1.11.2;
Checking the return value of an allocator works better, when looking at
the stored pointer.

Remove unused variables

branches: 1.9.2;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams

Fix bucket and chain counts on nat lists from Geoff Adams:

The problem was that ipf_nat_delete wasn't swapping inbound and
outbound hash codes for inbound NAT entries, so it was essentially
always looking in the wrong buckets in those cases. But because of
the way the linked list works, I don't think any NAT entries were
actually leaked. But since all the bucket counters and chain count
were getting messed up, things did start to go bad after a while.
(New NAT entries wouldn't be created, for instance.)

The fix is in the ipf_nat_delete function, itself; the other changes
are a slight refactoring of one method and adding some comments
that helped me figure out how the linked list with pointer-back-pointers
worked.

Also note that I haven't looked through the logic in ipf_nat_rehash;
it's likely that that might miss some things for the same reason.

I also haven't yet looked into the ipf_nat_newrdr problem with mappings
already existing. That'll be next.

- Replace the seemingly broken built-in ipf rbtree implementation with ours.
- Fix typos in comments
- Fix 2 mutex errors
From Geoff Adams

branches: 1.6.2;
Make ipf compile even without INET6 support.

Changes have been fed upstream (to darrenr@)

ansify new function definition

ansify new function definition

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

add fallthru comments.

Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.

Remove now unused tcpip.h includes. Some were already unused before.

branches: 1.18.4;
Typo

Fix lookup of original destination address when using a redirect rule.
This is required for transparent proxying by squid, for example.

branches: 1.16.2;
Fix matching of ICMP queries when NAT'd through IPF

This notably fixes MTU updates for hosts issueing ICMP queries through a
NAT performed by NetBSD with IPF.

Update comments to match previous change (avoid panic in SIOCGNATL)

Avoid panic in SIOCGNATL dereferencing a NULL softc.
Solution suggestion from Martin Husemann.

branches: 1.13.2; 1.13.4;
PR kern/47665
For ICMP packets, use the "oicmpid" and "nicmpid" fields explicitly rather
than overloading those with "port" in them and expecting them to work.

#537 NAT rules with sticky have incorrect hostmap IP address

branches: 1.11.2;
Checking the return value of an allocator works better, when looking at
the stored pointer.

Remove unused variables

branches: 1.9.2;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams

Fix bucket and chain counts on nat lists from Geoff Adams:

The problem was that ipf_nat_delete wasn't swapping inbound and
outbound hash codes for inbound NAT entries, so it was essentially
always looking in the wrong buckets in those cases. But because of
the way the linked list works, I don't think any NAT entries were
actually leaked. But since all the bucket counters and chain count
were getting messed up, things did start to go bad after a while.
(New NAT entries wouldn't be created, for instance.)

The fix is in the ipf_nat_delete function, itself; the other changes
are a slight refactoring of one method and adding some comments
that helped me figure out how the linked list with pointer-back-pointers
worked.

Also note that I haven't looked through the logic in ipf_nat_rehash;
it's likely that that might miss some things for the same reason.

I also haven't yet looked into the ipf_nat_newrdr problem with mappings
already existing. That'll be next.

- Replace the seemingly broken built-in ipf rbtree implementation with ours.
- Fix typos in comments
- Fix 2 mutex errors
From Geoff Adams

branches: 1.6.2;
Make ipf compile even without INET6 support.

Changes have been fed upstream (to darrenr@)

ansify new function definition

ansify new function definition

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Typo

Fix lookup of original destination address when using a redirect rule.
This is required for transparent proxying by squid, for example.

branches: 1.16.2;
Fix matching of ICMP queries when NAT'd through IPF

This notably fixes MTU updates for hosts issueing ICMP queries through a
NAT performed by NetBSD with IPF.

Update comments to match previous change (avoid panic in SIOCGNATL)

Avoid panic in SIOCGNATL dereferencing a NULL softc.
Solution suggestion from Martin Husemann.

branches: 1.13.2; 1.13.4;
PR kern/47665
For ICMP packets, use the "oicmpid" and "nicmpid" fields explicitly rather
than overloading those with "port" in them and expecting them to work.

#537 NAT rules with sticky have incorrect hostmap IP address

branches: 1.11.2;
Checking the return value of an allocator works better, when looking at
the stored pointer.

Remove unused variables

branches: 1.9.2;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams

Fix bucket and chain counts on nat lists from Geoff Adams:

The problem was that ipf_nat_delete wasn't swapping inbound and
outbound hash codes for inbound NAT entries, so it was essentially
always looking in the wrong buckets in those cases. But because of
the way the linked list works, I don't think any NAT entries were
actually leaked. But since all the bucket counters and chain count
were getting messed up, things did start to go bad after a while.
(New NAT entries wouldn't be created, for instance.)

The fix is in the ipf_nat_delete function, itself; the other changes
are a slight refactoring of one method and adding some comments
that helped me figure out how the linked list with pointer-back-pointers
worked.

Also note that I haven't looked through the logic in ipf_nat_rehash;
it's likely that that might miss some things for the same reason.

I also haven't yet looked into the ipf_nat_newrdr problem with mappings
already existing. That'll be next.

- Replace the seemingly broken built-in ipf rbtree implementation with ours.
- Fix typos in comments
- Fix 2 mutex errors
From Geoff Adams

branches: 1.6.2;
Make ipf compile even without INET6 support.

Changes have been fed upstream (to darrenr@)

ansify new function definition

ansify new function definition

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Fix lookup of original destination address when using a redirect rule.
This is required for transparent proxying by squid, for example.

branches: 1.16.2;
Fix matching of ICMP queries when NAT'd through IPF

This notably fixes MTU updates for hosts issueing ICMP queries through a
NAT performed by NetBSD with IPF.

Update comments to match previous change (avoid panic in SIOCGNATL)

Avoid panic in SIOCGNATL dereferencing a NULL softc.
Solution suggestion from Martin Husemann.

branches: 1.13.2; 1.13.4;
PR kern/47665
For ICMP packets, use the "oicmpid" and "nicmpid" fields explicitly rather
than overloading those with "port" in them and expecting them to work.

#537 NAT rules with sticky have incorrect hostmap IP address

branches: 1.11.2;
Checking the return value of an allocator works better, when looking at
the stored pointer.

Remove unused variables

branches: 1.9.2;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams

Fix bucket and chain counts on nat lists from Geoff Adams:

The problem was that ipf_nat_delete wasn't swapping inbound and
outbound hash codes for inbound NAT entries, so it was essentially
always looking in the wrong buckets in those cases. But because of
the way the linked list works, I don't think any NAT entries were
actually leaked. But since all the bucket counters and chain count
were getting messed up, things did start to go bad after a while.
(New NAT entries wouldn't be created, for instance.)

The fix is in the ipf_nat_delete function, itself; the other changes
are a slight refactoring of one method and adding some comments
that helped me figure out how the linked list with pointer-back-pointers
worked.

Also note that I haven't looked through the logic in ipf_nat_rehash;
it's likely that that might miss some things for the same reason.

I also haven't yet looked into the ipf_nat_newrdr problem with mappings
already existing. That'll be next.

- Replace the seemingly broken built-in ipf rbtree implementation with ours.
- Fix typos in comments
- Fix 2 mutex errors
From Geoff Adams

branches: 1.6.2;
Make ipf compile even without INET6 support.

Changes have been fed upstream (to darrenr@)

ansify new function definition

ansify new function definition

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision