| Commit message (Collapse) | Author | Age | Files | Lines |
any fake value.
Notes:
svn path=/head/; revision=136910
Notes:
svn path=/head/; revision=133719
functions. Basically, the ip_next() function was used to get the PPTP and
Skinny headers when tcp_next() should have been used instead. Symptoms of
this included a segfault in natd when trying to process a PPTP or Skinny
packet.
Approved by: des
Notes:
svn path=/head/; revision=133121
open where people can see them and hopefully fix them.
Notes:
svn path=/head/; revision=131700
{ip,udp,tcp} header and return a void * pointing to the payload (i.e. the
first byte past the end of the header and any required padding). Use them
consistently throughout libalias to a) reduce code duplication, b) improve
code legibility, c) get rid of a bunch of alignment warnings.
Notes:
svn path=/head/; revision=131699
a short pointer. The previous implementation seems to be in a gray zone
of the C standard, and GCC generates incorrect code for it at -O2 or
higher on some platforms.
Notes:
svn path=/head/; revision=131693
alpha.
Notes:
svn path=/head/; revision=131690
named link, foo_link or link_foo to lnk, foo_lnk or lnk_foo, fixing
signed / unsigned comparisons, and shoving unused function arguments
under the carpet.
I was hoping WARNS?=6 might reveal more serious problems, and perhaps
the source of the -O2 breakage, but found no smoking gun.
Notes:
svn path=/head/; revision=131614
Notes:
svn path=/head/; revision=131613
Notes:
svn path=/head/; revision=131612
does not create a new entry if none is found.
Notes:
svn path=/head/; revision=131566
Notes:
svn path=/head/; revision=131504
Fixed markup.
Fixed examples to match the new API.
Notes:
svn path=/head/; revision=131420
Reported and submitted by: Sean McNeil (sean at mcneil.com)
Notes:
svn path=/head/; revision=127757
Notes:
svn path=/head/; revision=127690
Reviewed by: ru
Approved by: silence on the lists
Notes:
svn path=/head/; revision=127689
The result isn't quite knf, but it's knfer than the original, and far
more consistent.
Notes:
svn path=/head/; revision=127094
Makes it possible to have multiple packet aliasing instances in a
single process by moving all static and global variables into an
instance structure called "struct libalias".
Redefine a new API based on s/PacketAlias/LibAlias/g
Add new "instance" argument to all functions in the new API.
Implement old API in terms of the new API.
Notes:
svn path=/head/; revision=124621
Notes:
svn path=/head/; revision=120373
Skinny is the protocol used by Cisco IP phones to talk to Cisco Call
Managers. With this code, one can use a Cisco IP phone behind a FreeBSD
NAT gateway.
Currently, having the Call Manager behind the NAT gateway is not supported.
More information on enabling Skinny support in libalias, natd, and ppp
can be found in those applications' manpages.
PR: 55843
Reviewed by: ru
Approved by: ru
MFC after: 30 days
Notes:
svn path=/head/; revision=120372
Submitted by: Stefan Farfeleder
PR: bin/56653
Notes:
svn path=/head/; revision=119932
Notes:
svn path=/head/; revision=119893
Notes:
svn path=/head/; revision=119071
binaries in /bin and /sbin installed in /lib. Only the versioned files
reside in /lib, the .so symlink continues to live in /usr/lib so the
toolchain doesn't need to be modified.
Notes:
svn path=/head/; revision=119017
original source IP address, as promised in the manual page.
Spotted by: Vaclav Petricek
Notes:
svn path=/head/; revision=116315
limit" mdoc(7) atavism.
Notes:
svn path=/head/; revision=116314
are _destination_ address and port.
Notes:
svn path=/head/; revision=116313
Notes:
svn path=/head/; revision=116312
Notes:
svn path=/head/; revision=116020
to mark a fully specified static link as dynamic; i.e. make
it a one-time link.
Notes:
svn path=/head/; revision=115650
is not called, and no static rules match an outgoing packet, the
latter retains its source IP address. This is in support of the
"static NAT only" mode.
Notes:
svn path=/head/; revision=115648
Notes:
svn path=/head/; revision=113755
especially in troff files.
Notes:
svn path=/head/; revision=108533
Notes:
svn path=/head/; revision=104073
IP datagram embedded into ICMP error message.
Spotted by: tcpdump 3.7.1 (-vvv)
MFC after: 3 days
Notes:
svn path=/head/; revision=100537
Make indentation of new parts consistent with the style used for this file.
Notes:
svn path=/head/; revision=100288
no punch_fw was used.
Fix another couple of bugs which prevented rules from being
installed properly.
In passing, use IPFW2 instead of NEW_IPFW to compile the new code,
and slightly simplify the instruction generation code.
Notes:
svn path=/head/; revision=99623
Notes:
svn path=/head/; revision=99207
This code makes use of variable-size kernel representation of rules
(exactly the same concept of BPF instructions, as used in the BSDI's
firewall), which makes firewall operation a lot faster, and the
code more readable and easier to extend and debug.
The interface with the rest of the system is unchanged, as witnessed
by this commit. The only extra kernel files that I am touching
are if_fw.h and ip_dummynet.c, which is quite tied to ipfw. In
userland I only had to touch those programs which manipulate the
internal representation of firewall rules.
The code is almost entirely new (and I believe I have written the
vast majority of those sections which were taken from the former
ip_fw.c), so rather than modifying the old ip_fw.c I decided to
create a new file, sys/netinet/ip_fw2.c . Same for the user
interface, which is in sbin/ipfw/ipfw2.c (it still compiles to
/sbin/ipfw). The old files are still there, and will be removed
in due time.
I have not renamed the header file because it would have required
touching a one-line change to a number of kernel files.
In terms of user interface, the new "ipfw" is supposed to accept
the old syntax for ipfw rules (and produce the same output with
"ipfw show"). Only a couple of the old options (out of some 30 of
them) have not been implemented, but they will be soon.
On the other hand, the new code has some very powerful extensions.
First, you can put "or" connectives between match fields (and soon
also between options), and write things like
    ipfw add allow ip from { 1.2.3.4/27 or 5.6.7.8/30 } 10-23,25,1024-3000 to any
This should make rulesets slightly more compact (and lines longer!),
by condensing 2 or more of the old rules into single ones.
Also, as an example of how easy the rules can be extended, I have
implemented an 'address set' match pattern, where you can specify
an IP address in a format like this:
    10.20.30.0/26{18,44,33,22,9}
which will match the set of hosts listed in braces belonging to the
subnet 10.20.30.0/26 . The match is done using a bitmap, so it is
essentially a constant time operation requiring a handful of CPU
instructions (and a very small amount of memory -- for a full /24
subnet, the instruction only consumes 40 bytes).
Again, in this commit I have focused on functionality and tried
to minimize changes to the other parts of the system. Some performance
improvement can be achieved with minor changes to the interface of
ip_fw_chk_t. This will be done later when this code is settled.
The code is meant to compile unmodified on RELENG_4 (once the
PACKET_TAG_* changes have been merged), for this reason
you will see #ifdef __FreeBSD_version in a couple of places.
This should minimize errors when (hopefully soon) it will be time
to do the MFC.
Notes:
svn path=/head/; revision=98943
Notes:
svn path=/head/; revision=97627
option -- TcpAliasOut() did not catch the IP header length change.
Submitted by: Stepachev Andrey <aka50@mail.ru>
Notes:
svn path=/head/; revision=88132
for passive mode data connections (PASV/EPSV -> 227/229). Well,
the actual punching happens a bit later, when the aliasing link
becomes fully specified.
Prodded by: Danny Carroll <dannycarroll@hotmail.com>
MFC after: 1 week
Notes:
svn path=/head/; revision=86953
Requested by: Charles Mott <cmott@scientech.com>
Notes:
svn path=/head/; revision=85964
Notes:
svn path=/head/; revision=84306
Notes:
svn path=/head/; revision=84195
NAT in extended passive mode if the server's public IP address was
different from the main NAT address. This caused a wrong aliasing
link to be created that did not route the incoming packets back to
the original IP address of the server.
    natd -v -n pub0 -redirect_address localFTP publicFTP
Note that even if localFTP == publicFTP, one still needs to supply
the -redirect_address directive. It is needed as a helper because
extended passive mode's 229 reply does not contain the IP address.
MFC after: 1 week
Notes:
svn path=/head/; revision=83771
Submitted by: Joe Clarke <marcus@marcuscom.com>
MFC after: 2 weeks
Notes:
svn path=/head/; revision=82069
Submitted by: Makoto MATSUSHITA <matusita@jp.FreeBSD.org>
Notes:
svn path=/head/; revision=82050
Previously approved by: Charles Mott <cmott@scientech.com>
Notes:
svn path=/head/; revision=82001
MFC after: 2 weeks
Notes:
svn path=/head/; revision=81962