path: root/lib/libalias
Commit message | Author | Age | Files | Lines
...
* Stage 3 of dynamic root support. Make all the libraries needed to run binaries in /bin and /sbin installed in /lib. Only the versioned files reside in /lib, the .so symlink continues to live in /usr/lib so the toolchain doesn't need to be modified.
  Author: Gordon Tetlow | Age: 2003-08-17 | Files: 1 | Lines: -0/+1
  Notes: svn path=/head/; revision=119017
* In the PKT_ALIAS_PROXY_ONLY mode, make sure to preserve the original source IP address, as promised in the manual page.
  Spotted by: Vaclav Petricek
  Author: Ruslan Ermilov | Age: 2003-06-13 | Files: 1 | Lines: -0/+4
  Notes: svn path=/head/; revision=116315
* Removed a couple of .Xo/.Xc that are leftovers of the "ninth-argument limit" mdoc(7) atavism.
  Author: Ruslan Ermilov | Age: 2003-06-13 | Files: 1 | Lines: -9/+3
  Notes: svn path=/head/; revision=116314
* Clarify that original address and port when doing transparent proxying are _destination_ address and port.
  Author: Ruslan Ermilov | Age: 2003-06-13 | Files: 1 | Lines: -5/+5
  Notes: svn path=/head/; revision=116313
* Added myself to the AUTHORS section.
  Author: Ruslan Ermilov | Age: 2003-06-13 | Files: 1 | Lines: -0/+2
  Notes: svn path=/head/; revision=116312
* The .Fn function
  Author: Philippe Charnier | Age: 2003-06-08 | Files: 1 | Lines: -4/+6
  Notes: svn path=/head/; revision=116020
* A new API function PacketAliasRedirectDynamic() can be used to mark a fully specified static link as dynamic; i.e. make it a one-time link.
  Author: Ruslan Ermilov | Age: 2003-06-01 | Files: 3 | Lines: -1/+36
  Notes: svn path=/head/; revision=115650
* Make the PacketAliasSetAddress() function call optional. If it is not called, and no static rules match an outgoing packet, the latter retains its source IP address. This is in support of the "static NAT only" mode.
  Author: Ruslan Ermilov | Age: 2003-06-01 | Files: 2 | Lines: -11/+18
  Notes: svn path=/head/; revision=115648
* style.Makefile(5)
  Author: David E. O'Brien | Age: 2003-04-20 | Files: 1 | Lines: -7/+6
  Notes: svn path=/head/; revision=113755
* Correct typos, mostly s/ a / an / where appropriate. Some whitespace cleanup, especially in troff files.
  Author: Jens Schweikhardt | Age: 2003-01-01 | Files: 2 | Lines: -2/+2
  Notes: svn path=/head/; revision=108533
* Zap now-unused SHLIB_MINOR
  Author: Peter Wemm | Age: 2002-09-28 | Files: 1 | Lines: -1/+0
  Notes: svn path=/head/; revision=104073
* Don't forget to recalculate the IP checksum of the original IP datagram embedded into ICMP error message.
  Spotted by: tcpdump 3.7.1 (-vvv)
  MFC after: 3 days
  Author: Ruslan Ermilov | Age: 2002-07-23 | Files: 1 | Lines: -4/+12
  Notes: svn path=/head/; revision=100537
* Move IPFW2 definition before including ip_fw.h
  Make indentation of new parts consistent with the style used for this file.
  Author: Luigi Rizzo | Age: 2002-07-18 | Files: 1 | Lines: -32/+30
  Notes: svn path=/head/; revision=100288
* Fix a bug caused by dereferencing an invalid pointer when no punch_fw was used. Fix another couple of bugs which prevented rules from being installed properly. On passing, use IPFW2 instead of NEW_IPFW to compile the new code, and slightly simplify the instruction generation code.
  Author: Luigi Rizzo | Age: 2002-07-08 | Files: 1 | Lines: -62/+65
  Notes: svn path=/head/; revision=99623
* Remove trailing whitespace
  Author: Brian Somers | Age: 2002-07-01 | Files: 10 | Lines: -142/+142
  Notes: svn path=/head/; revision=99207
* The new ipfw code.
  Author: Luigi Rizzo | Age: 2002-06-27 | Files: 1 | Lines: -0/+118

  This code makes use of variable-size kernel representation of rules (exactly the same concept of BPF instructions, as used in the BSDI's firewall), which makes firewall operation a lot faster, and the code more readable and easier to extend and debug.

  The interface with the rest of the system is unchanged, as witnessed by this commit. The only extra kernel files that I am touching are if_fw.h and ip_dummynet.c, which is quite tied to ipfw. In userland I only had to touch those programs which manipulate the internal representation of firewall rules).

  The code is almost entirely new (and I believe I have written the vast majority of those sections which were taken from the former ip_fw.c), so rather than modifying the old ip_fw.c I decided to create a new file, sys/netinet/ip_fw2.c . Same for the user interface, which is in sbin/ipfw/ipfw2.c (it still compiles to /sbin/ipfw). The old files are still there, and will be removed in due time.

  I have not renamed the header file because it would have required touching a one-line change to a number of kernel files.

  In terms of user interface, the new "ipfw" is supposed to accept the old syntax for ipfw rules (and produce the same output with "ipfw show"). Only a couple of the old options (out of some 30 of them) has not been implemented, but they will be soon.

  On the other hand, the new code has some very powerful extensions. First, you can put "or" connectives between match fields (and soon also between options), and write things like

      ipfw add allow ip from { 1.2.3.4/27 or 5.6.7.8/30 } 10-23,25,1024-3000 to any

  This should make rulesets slightly more compact (and lines longer!), by condensing 2 or more of the old rules into single ones.

  Also, as an example of how easy the rules can be extended, I have implemented an 'address set' match pattern, where you can specify an IP address in a format like this:

      10.20.30.0/26{18,44,33,22,9}

  which will match the set of hosts listed in braces belonging to the subnet 10.20.30.0/26 . The match is done using a bitmap, so it is essentially a constant time operation requiring a handful of CPU instructions (and a very small amount of memory -- for a full /24 subnet, the instruction only consumes 40 bytes).

  Again, in this commit I have focused on functionality and tried to minimize changes to the other parts of the system. Some performance improvement can be achieved with minor changes to the interface of ip_fw_chk_t. This will be done later when this code is settled.

  The code is meant to compile unmodified on RELENG_4 (once the PACKET_TAG_* changes have been merged), for this reason you will see #ifdef __FreeBSD_version in a couple of places. This should minimize errors when (hopefully soon) it will be time to do the MFC.

  Notes: svn path=/head/; revision=98943
* Avoid unintentional trigraph.
  Author: Garrett Wollman | Age: 2002-05-30 | Files: 1 | Lines: -1/+1
  Notes: svn path=/head/; revision=97627
* Fixed the bug in transparent TCP proxying with the "encode_ip_hdr" option -- TcpAliasOut() did not catch the IP header length change.
  Submitted by: Stepachev Andrey <aka50@mail.ru>
  Author: Ruslan Ermilov | Age: 2001-12-18 | Files: 1 | Lines: -1/+3
  Notes: svn path=/head/; revision=88132
* When servicing an internal FTP server, punch ipfirewall(4) holes for passive mode data connections (PASV/EPSV -> 227/229). Well, the actual punching happens a bit later, when the aliasing link becomes fully specified.
  Prodded by: Danny Carroll <dannycarroll@hotmail.com>
  MFC after: 1 week
  Author: Ruslan Ermilov | Age: 2001-11-27 | Files: 1 | Lines: -5/+2
  Notes: svn path=/head/; revision=86953
* cmott@scientech.com -> cm@linktel.net
  Requested by: Charles Mott <cmott@scientech.com>
  Author: Brian Somers | Age: 2001-11-03 | Files: 9 | Lines: -10/+10
  Notes: svn path=/head/; revision=85964
* mdoc(7) police: Use the new .In macro for #include statements.
  Author: Ruslan Ermilov | Age: 2001-10-01 | Files: 1 | Lines: -3/+3
  Notes: svn path=/head/; revision=84306
* Add __FBSDID's to libalias
  Author: Matthew Dillon | Age: 2001-09-30 | Files: 10 | Lines: -21/+32
  Notes: svn path=/head/; revision=84195
* Fixed the bug that prevented communication with FTP servers behind NAT in extended passive mode if the server's public IP address was different from the main NAT address. This caused a wrong aliasing link to be created that did not route the incoming packets back to the original IP address of the server.

      natd -v -n pub0 -redirect_address localFTP publicFTP

  Note that even if localFTP == publicFTP, one still needs to supply the -redirect_address directive. It is needed as a helper because extended passive mode's 229 reply does not contain the IP address.
  MFC after: 1 week
  Author: Ruslan Ermilov | Age: 2001-09-21 | Files: 1 | Lines: -3/+4
  Notes: svn path=/head/; revision=83771
* Added TFTP support.
  Submitted by: Joe Clarke <marcus@marcuscom.com>
  MFC after: 2 weeks
  Author: Ruslan Ermilov | Age: 2001-08-21 | Files: 1 | Lines: -0/+9
  Notes: svn path=/head/; revision=82069
* Close the "IRC DCC" security breach reported recently on Bugtraq.
  Submitted by: Makoto MATSUSHITA <matusita@jp.FreeBSD.org>
  Author: Ruslan Ermilov | Age: 2001-08-21 | Files: 1 | Lines: -0/+6
  Notes: svn path=/head/; revision=82050
* Make the copyright consistent.
  Previously approved by: Charles Mott <cmott@scientech.com>
  Author: Brian Somers | Age: 2001-08-20 | Files: 4 | Lines: -12/+0
  Notes: svn path=/head/; revision=82001
* Handle snprintf() returning -1
  MFC after: 2 weeks
  Author: Brian Somers | Age: 2001-08-20 | Files: 1 | Lines: -3/+13
  Notes: svn path=/head/; revision=81962
* mdoc(7) police: Avoid using parenthesis enclosure macros (.Pq and .Po/.Pc) with plain text. Not only this slows down the mdoc(7) processing significantly, but it also has an undesired (in this case) effect of disabling hyphenation within the entire enclosed block.
  Author: Ruslan Ermilov | Age: 2001-08-07 | Files: 1 | Lines: -4/+2
  Notes: svn path=/head/; revision=81251
* mdoc(7) police: removed HISTORY info from the .Os call.
  Author: Ruslan Ermilov | Age: 2001-07-10 | Files: 1 | Lines: -1/+1
  Notes: svn path=/head/; revision=79531
* Fixed the brain-o in rev. 1.10: the logic check was reversed.
  Reported by: Bernd Fuerwitt <bf@fuerwitt.de>
  Author: Ruslan Ermilov | Age: 2001-06-27 | Files: 1 | Lines: -1/+1
  Notes: svn path=/head/; revision=78886
* Add BSD-style copyright headers
  Approved by: Charles Mott <cmott@scientech.com>
  Author: Brian Somers | Age: 2001-06-04 | Files: 9 | Lines: -17/+253
  Notes: svn path=/head/; revision=77701
* Change to a standard BSD-style copyright
  Approved by: Atsushi Murai <amurai@spec.co.jp>
  Author: Brian Somers | Age: 2001-06-04 | Files: 1 | Lines: -13/+22
  Notes: svn path=/head/; revision=77696
* Add an integer field to keep protocol-specific flags with links. For FTP control connection, keep the CRLF end-of-line termination status in there. Fixed the bug when the first FTP command in a session was ignored.
  PR: 24048
  MFC after: 1 week
  Author: Ruslan Ermilov | Age: 2001-05-30 | Files: 3 | Lines: -15/+20
  Notes: svn path=/head/; revision=77485
* MAN[1-9] -> MAN.
  Author: Ruslan Ermilov | Age: 2001-03-27 | Files: 1 | Lines: -1/+1
  Notes: svn path=/head/; revision=74870
* Make header files conform to style(9).
  Reviewed by (*): bde
  (*) alias_local.h only got a cursory glance.
  Author: Brian Somers | Age: 2001-03-25 | Files: 6 | Lines: -326/+311
  Notes: svn path=/head/; revision=74778
* Remove an extraneous declaration.
  Author: Brian Somers | Age: 2001-03-25 | Files: 1 | Lines: -1/+0
  Notes: svn path=/head/; revision=74768
* Remove (non-protected) variable names from function prototypes.
  Author: Brian Somers | Age: 2001-03-22 | Files: 1 | Lines: -7/+5
  Notes: svn path=/head/; revision=74651
* Add a few ``const''s to silence some -Wwrite-strings warnings
  Author: Brian Somers | Age: 2001-01-29 | Files: 1 | Lines: -7/+9
  Notes: svn path=/head/; revision=71796
* Ignore leading whitespace in the string given to PacketAliasProxyRule().
  Author: Brian Somers | Age: 2001-01-29 | Files: 1 | Lines: -0/+1
  Notes: svn path=/head/; revision=71763
* mdoc(7) police: use the new feature of the An macro.
  Author: Ruslan Ermilov | Age: 2000-11-22 | Files: 1 | Lines: -24/+14
  Notes: svn path=/head/; revision=69025
* Added boolean argument to link searching functions, indicating whether they should create a link if lookup has failed or not.
  Author: Ruslan Ermilov | Age: 2000-10-30 | Files: 7 | Lines: -107/+42
  Notes: svn path=/head/; revision=67980
* A significant rewrite of PPTP aliasing code. PPTP links are no longer dropped by simple (and inappropriate in this case) "inactivity timeout" procedure, only when requested through the control connection. It is now possible to have multiple PPTP servers running behind NAT. Just redirect the incoming TCP traffic to port 1723, everything else is done transparently.
  Problems were reported and the fix was tested by: Michael Adler <Michael.Adler@compaq.com>, David Andersen <dga@lcs.mit.edu>
  Author: Ruslan Ermilov | Age: 2000-10-30 | Files: 4 | Lines: -151/+265
  Notes: svn path=/head/; revision=67966
* A failure to allocate memory for auxiliary TCP data is now fatal. This fixes a null pointer dereference problem that is unlikely to happen in normal circumstances.
  Author: Ruslan Ermilov | Age: 2000-10-19 | Files: 1 | Lines: -16/+15
  Notes: svn path=/head/; revision=67316
* A bit of indentation reformatting.
  Author: Ruslan Ermilov | Age: 2000-10-02 | Files: 1 | Lines: -33/+21
  Notes: svn path=/head/; revision=66545
* Fixed the calculations with UDP header length field. The field is in network byte order and contains the size of the header.
  Reviewed by: brian
  Author: Ruslan Ermilov | Age: 2000-09-21 | Files: 1 | Lines: -2/+2
  Notes: svn path=/head/; revision=66157
* Add -Wmissing-prototypes.
  Author: Ruslan Ermilov | Age: 2000-09-15 | Files: 2 | Lines: -5/+8
  Notes: svn path=/head/; revision=65892
* Match IPPROTO_ICMP with IP protocol field of the original IP datagram embedded into ICMP error message, not with protocol field of ICMP message itself (which is always IPPROTO_ICMP).
  Pointed by: Erik Salander <erik@whistle.com>
  Author: Ruslan Ermilov | Age: 2000-09-01 | Files: 1 | Lines: -2/+2
  Notes: svn path=/head/; revision=65332
* Changed the way we handle outgoing ICMP error messages -- do not alias `ip_src' unless it comes from the host an original datagram that triggered this error message was destined for.
  PR: 20712
  Reviewed by: brian, Charles Mott <cmott@scientech.com>
  Author: Ruslan Ermilov | Age: 2000-09-01 | Files: 1 | Lines: -12/+22
  Notes: svn path=/head/; revision=65317
* Grab ADJUST_CHECKSUM() macro from alias_local.h.
  Author: Ruslan Ermilov | Age: 2000-08-31 | Files: 1 | Lines: -17/+0
  Notes: svn path=/head/; revision=65281
* Create aliasing links for incoming ICMP echo/timestamp requests. This makes outgoing ICMP echo/timestamp replies to be de-aliased with the right source IP, not exactly the primary aliasing IP.
  Author: Ruslan Ermilov | Age: 2000-08-31 | Files: 2 | Lines: -47/+24
  Notes: svn path=/head/; revision=65280