Fix typo in comment.

Fix use after free on packet with broken lengths

Under the scenario with a packet with length of 67 bytes, a header length
using the default of 20 bytes and a TCP data offset (th_off) of 48 will
cause m_pullup() to fail to make sure bytes are arranged contiguously.
m_pullup() will free the mbuf chain and return a null. ipfilter stores
the resultant mbuf address (or the resulting NULL) in its fr_info_t
structure. Unfortunately the erroneous packet is not flagged for drop.
From FreeBSD via CY Schubert; originally reported by: Robert Morris
<rtm at lcs.mit.edu>

s/recusive/recursive/ in comment.

s/imples/implies/ in comment.

PR/55149: Kouichi Hashikawa: Get morefrag before we strip it out from off

branches: 1.32.2;
PR/55137: Kouichi Hashikawa: ipfstat -f incorrect output
Fix incorrect byte order.

Fix 2 bugs, reported by Edgar Fu� on tech-net@
- pfil_run_hooks() can be called recursively, so we have to
#define FASTROUTE_RECURSION in fil.c
- ip6_if_output()/nd6_output() will free the mbuf on error, to make sure
to set *mpp to NULL so the caller won't try to free it again.

PR/54443: Edgar Fu�: ip mistakenly regards UDP packet with checksum field
0xffff as bad

branches: 1.29.2;
Revert previous and do the off == 1 case after we've taken the mask.

Conform to RFC 3128 by dropping TCP fragments with offset = 1.
In addition to dropping these fragments, add a DTrace probe to allow
for more detailed monitoring and diagnosis if required.
From FreeBSD r349399, reported vy Cy Schubert

Remove fd_local, it is not used, from FreeBSD r349401, reported by Cy Schubert

Remove redundant off != 0 check, from FreeBSD r349400, reported by Cy Schubert

add fallthru comments.

Rename

ip_undefer_csum -> in_undefer_cksum
in_delayed_cksum -> in_undefer_cksum_tcpudp

The two previous names were inconsistent and misleading.

Put the two functions into in_offload.c. Add comments to explain what
we're doing.

The same could be done for IPv6.

branches: 1.23.2;
Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.

branches: 1.22.2;
apply __attribute__((__used__)) for rcsid, etc.

Revert changing the byte order of fi->fi_addr. It is already correct. From
Timo Buhrmester
XXX: pullup 8.

branches: 1.20.4;
Disconnect maintaining fragment state from keeping session state. The user
now must specify keep frags along with keep state to have ipfilter do what
it did before, as documented in ipf.conf.5. (Cy Schubert @ FreeBSD)

partial sync with FreeBSD

branches: 1.18.2;
We don't need this in /current because packet processing does not happen in
an interrupt anymore (pointed out by ozaki@)

Comment out the mutex calls that protect against concurrent configuration
changes and processing. This needs to be done differently since you can't
sleep during interrupt processing.

Fix for PR kern/48109 (and its duplicate kern/49807)

As provided by Takahiro HAYASHI in PR kern/48109. Additional error
registration in ipf(8) by myself. Changes tested with GENERIC and
XEN3_DOM0. Thanks!

XXX pull-up netbsd-7

branches: 1.15.2; 1.15.4;
Darren Reed: #550 filter rule list corrupted with inserted rules

branches: 1.14.2;
kill sprintf

CID 976267: NULL deref check

Add bpf_filter_ext() to use with BPF COP, restore bpf_filter() as it was
originally to preserve compatibility. Similarly, add bpf_validate_ext()
which takes bpf_ctx_t.

Remove unused variable

bpf_filter: add a custom argument which can be passed to coprocessor routine.

Implement BPF_COP/BPF_COPX instructions in the misc category (BPF_MISC)
which add a capability to call external functions in a predetermined way.

It can be thought as a BPF "coprocessor" -- a generic mechanism to offload
more complex packet inspection operations. There is no default coprocessor
and this functionality is not targeted to the /dev/bpf. This is primarily
targeted to the kernel subsystems, therefore there is no way to set a custom
coprocessor at the userlevel.

Discussed on: tech-net@
OK: core@

branches: 1.8.2;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams

- Replace the seemingly broken built-in ipf rbtree implementation with ours.
- Fix typos in comments
- Fix 2 mutex errors
From Geoff Adams

remove wrong ntohl (from Aran Clauson)

branches: 1.5.2;
ansify new function definition

ansify new functio definitions

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Remove unnecessary inclusion of <net/netisr.h>.

Remove now unused tcpip.h includes. Some were already unused before.

branches: 1.5.26;
Include cdefs.h earlier for NetBSD.

branches: 1.4.2;
ifdef kernel used only variable

branches: 1.3.2; 1.3.4;
Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Remove m_copy completely.

Remove unused alias to tcpiphdr.

branches: 1.11.14;
unifdef

branches: 1.10.2;
Avoid storing a pointer of an interface in a mbuf

Having a pointer of an interface in a mbuf isn't safe if we remove big
kernel locks; an interface object (ifnet) can be destroyed anytime in any
packet processing and accessing such object via a pointer is racy. Instead
we have to get an object from the interface collection (ifindex2ifnet) via
an interface index (if_index) that is stored to a mbuf instead of an
pointer.

The change provides two APIs: m_{get,put}_rcvif_psref that use psref(9)
for sleep-able critical sections and m_{get,put}_rcvif that use
pserialize(9) for other critical sections. The change also adds another
API called m_get_rcvif_NOMPSAFE, that is NOT MP-safe and for transition
moratorium, i.e., it is intended to be used for places where are not
planned to be MP-ified soon.

The change adds some overhead due to psref to performance sensitive paths,
however the overhead is not serious, 2% down at worst.

Proposed on tech-kern and tech-net.

Introduce m_set_rcvif and m_reset_rcvif

The API is used to set (or reset) a received interface of a mbuf.
They are counterpart of m_get_rcvif, which will come in another
commit, hide internal of rcvif operation, and reduce the diff of
the upcoming change.

No functional change.

Enable building of ipfilter code as a separately-loaded module.

branches: 1.7.6;
kill sprintf

branches: 1.6.2;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams

- Replace the seemingly broken built-in ipf rbtree implementation with ours.
- Fix typos in comments
- Fix 2 mutex errors
From Geoff Adams

the result of the construct

#define FOO defined(BAR)

#if FOO
[conditional code]
#endif

is "undefined", according to C99 6.10.1 note 4. So, change code like
that to use the following paradigm

#if defined(BAR)
#define FOO 1
#else
#define FOO 0
#endif

#if FOO
[conditional code]
#endif

branches: 1.3.2;
Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

#534 destination list hashing not endian neutral

branches: 1.7.2;
Remove SCCS prefix from RCS string!

Use __KERNEL_RCSID.

branches: 1.5.2;
PR/47270: Paul Goyette: ipftest -N aborts
1. check for NULL before de-refencing; in particular sel is assigned to NULL,
in the default case, and then couple of lines down we do sel->
2. gcc appears to optimize u_32_t hash[4], to u_32_t hash, since we only
use hash[0], disregarding the fact that we pass it to MD5Final() leading
to stack corruption. Use an explicit union, so that the compiler stops
butting its head where it shouldn't.

XXX: pullup to 6

branches: 1.4.2;
ansify new function definition

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

revert rev 1.7 (which removed the fd_local field from frdest_t).
this structure is part of the kernel/user ABI and so we would need to
version the ioctl ABI again in order to remove this field. but that's
a big pain so let's just leave the field there. the problem that
was being fixed in FreeBSD related to this was a failure to locate
filter rules in certain situations, but having an unused always-zero
field there won't cause that problem.

branches: 1.7.2;
Remove fd_local, it is not used, from FreeBSD r349401, reported by Cy Schubert

branches: 1.6.2;
Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.

branches: 1.5.30;
- Rewrite parts of pfil(9): use array to store hooks and thus be more cache
friendly (there are only few hooks in the system). Make the structures
opaque and the interface more strict.
- Remove PFIL_HOOKS option by making pfil(9) mandatory.

branches: 1.4.2;
the result of the construct

#define FOO defined(BAR)

#if FOO
[conditional code]
#endif

is "undefined", according to C99 6.10.1 note 4. So, change code like
that to use the following paradigm

#if defined(BAR)
#define FOO 1
#else
#define FOO 0
#endif

#if FOO
[conditional code]
#endif

branches: 1.3.2;
Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

updates for GCC 6:

- frentry_4_1_0_to_current() has duplicated code section, found via
the indent checker. didn't setup a test to confirm the bug/fix,
but the other 2 similar functions are similar here now.

kill sprintf

branches: 1.3.2; 1.3.4;
Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

ipfilter(4): mark as MPSAFE.

my testing seems to work fine, and this version was known to work
on solaris with no global locking available.

Fix typo in comment.

driver(9): devsw_detach never fails. Make it return void.

Prune a whole lotta dead branches as a result of this. (Some logic
calling this is also wrong for other reasons; devsw_detach is final
-- you should never have any reason to decide to roll it back. To be
cleaned up in subsequent commits...)

XXX kernel ABI change to devsw_detach signature requires bump

Adjust for fewer args in calling functions

branches: 1.35.2;
ipfilter: Prepare for life without in kernel RA

Explicitly cast pointers to uintptr_t before casting to enums. They are
not necessarily the same size. Don't cast pointers to bool, check for
NULL instead.

branches: 1.33.2;
fix double space in comment

Fix 2 bugs, reported by Edgar Fu� on tech-net@
- pfil_run_hooks() can be called recursively, so we have to
#define FASTROUTE_RECURSION in fil.c
- ip6_if_output()/nd6_output() will free the mbuf on error, to make sure
to set *mpp to NULL so the caller won't try to free it again.

branches: 1.31.4;
Fix compilation of PF/IPF...

Rename

ip6_undefer_csum -> in6_undefer_cksum
in6_delayed_cksum -> in6_undefer_cksum_tcpudp

The two previous names were inconsistent and misleading.

Put the two functions into in6_offload.c. Add comments to explain what
we're doing.

Same as IPv4.

Rename

ip_undefer_csum -> in_undefer_cksum
in_delayed_cksum -> in_undefer_cksum_tcpudp

The two previous names were inconsistent and misleading.

Put the two functions into in_offload.c. Add comments to explain what
we're doing.

The same could be done for IPv6.

branches: 1.28.2;
Remove now unused tcpip.h includes. Some were already unused before.

Remove m_copy completely.

branches: 1.26.2;
use the scoping functions (JINMEI, Tatuya)

From Edgar Fuss:
ipf's return-icmp doesn't work when the packet matched by the rule is
directed at a link local address. The problem is that
ipf_send_icmp_err() calls ipf_ifpaddr() to find an address of the
interface in question, but that routine discards link local addresses.
I guess the best fix is to simply use the destination address instead if
it is link local, i.e. treat the rule as if return-icmp-as-dest was
given in this case.

Fix ipf failing to sent TCP RST's on link-local interfaces by stuffing
the scope KAME style before calling the routing routines instead of after.
From Edgar Fuss.

branches: 1.23.2;
Call the right filter function for hook removal found by Stephen Borrill.

branches: 1.22.4;
Do ND in L2_output in the same manner as arpresolve

The benefits of this change are:
- The flow is consistent with IPv4 (and FreeBSD and OpenBSD)
- old: ip6_output => nd6_output (do ND if needed) => L2_output (lookup a stored cache)
- new: ip6_output => L2_output (lookup a cache. Do ND if cache not found)
- We can remove some workarounds in nd6_output
- We can move L2 specific operations to their own place
- The performance slightly improves because one cache lookup is reduced

branches: 1.21.2;
use the proper hook function

pfil(9) improvements to handle address changes:

Add:
PFIL_IFADDR call on interface reconfig (mbuf is ioctl #)
PFIL_IFNET call on interface attach/detach (mbuf is PFIL_IFNET_*)

from rmind@

Add rtcache_unref to release points of rtentry stemming from rtcache

In the MP-safe world, a rtentry stemming from a rtcache can be freed at any
points. So we need to protect rtentries somehow say by reference couting or
passive references. Regardless of the method, we need to call some release
function of a rtentry after using it.

The change adds a new function rtcache_unref to release a rtentry. At this
point, this function does nothing because for now we don't add a reference
to a rtentry when we get one from a rtcache. We will add something useful
in a further commit.

This change is a part of changes for MP-safe routing table. It is separated
to avoid one big change that makes difficult to debug by bisecting.

Rearrange code to avoid testing an error value that has not been set.

Also, for the built-in case, rather than re-inserting our devsw and
then ignoring the EEXIST error, don't bother re-inserting.

CID 1364140

Another case of not calling devsw_attach() for built-in device modules

branches: 1.16.2;
Switch the address list of intefaces to pslist(9)

As usual, we leave the old list to avoid breaking kvm(3) users.

apply if_output_lock() to L3 callers which call ifp->if_output() of L2(or L3 tunneling).

Introduce m_set_rcvif and m_reset_rcvif

The API is used to set (or reset) a received interface of a mbuf.
They are counterpart of m_get_rcvif, which will come in another
commit, hide internal of rcvif operation, and reduce the diff of
the upcoming change.

No functional change.

Enable building of ipfilter code as a separately-loaded module.

Pass the requisite number of arguments to ip_output from ipf.

Fortunately the last argument, struct socket *so, is used only when
flags includes IP_DF (0x4000), which is not the case here -- we pass
IP_FORWARDING (0x0001).

branches: 1.11.4;
Add d_discard to all struct cdevsw instances I could find.

All have been set to "nodiscard"; some should get a real implementation.

- Implement pktqueue interface for lockless IP input queue.
- Replace ipintrq and ip6intrq with the pktqueue mechanism.
- Eliminate kernel-lock from ipintr() and ip6intr().
- Some preparation work to push softnet_lock out of ipintr().

Discussed on tech-net.

Make sure *(if_output)() is called with KERNEL_LOCK held.
Add some KASSERT for this.
See http://mail-index.netbsd.org/tech-net/2014/04/09/msg004511.html
for details.

branches: 1.8.2;
Change (mostly mechanically) every cdevsw/bdevsw I can find to use
designated initializers.

I have not built every extant kernel so I have probably broken at
least one build; however I've also found and fixed some wrong
cdevsw/bdevsw entries so even if so I think we come out ahead.

move variable definition/set inside the same #ifdef of the usage.

Remove unused variable and ifdef another like their use

- Rewrite parts of pfil(9): use array to store hooks and thus be more cache
friendly (there are only few hooks in the system). Make the structures
opaque and the interface more strict.
- Remove PFIL_HOOKS option by making pfil(9) mandatory.

branches: 1.4.2;
Fix off-by-one read error.

branches: 1.3.2;
Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

PR/55137: Kouichi Hashikawa: ipfstat -f incorrect output
- make sure frag is initialized to 0
- initialize ipfr_p field

branches: 1.7.2; 1.7.6;
Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.

Remove now unused tcpip.h includes. Some were already unused before.

branches: 1.5.10;
Free the right fragment (Cy Schubert @ FreeBSD). This will cause use after free
issues and eventually panic.

Don't play with the linked list while holding only a read lock!

branches: 1.3.2; 1.3.14; 1.3.16; 1.3.18; 1.3.20; 1.3.24;
Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.

branches: 1.6.14;
fix !INET6 builds

branches: 1.5.6; 1.5.10;
kill sprintf

branches: 1.4.2; 1.4.4;
Make ipf compile even without INET6 support.

Changes have been fed upstream (to darrenr@)

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Merge IPFilter 5.1.2 into HEAD

branches: 1.1.2; 1.1.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

Enable building of ipfilter code as a separately-loaded module.

branches: 1.6.6;
kill sprintf

A member of a non-null struct pointer can't be null.

Remove unused variable

branches: 1.3.2; 1.3.4;
Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

kill sprintf

branches: 1.3.2; 1.3.4;
Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.

Remove now unused tcpip.h includes. Some were already unused before.

branches: 1.6.34;
Destroying the mutex once is enough.

call mutex destroy in fini, so that we don't end up with a lockdebug panic
when we re-attach.

the result of the construct

#define FOO defined(BAR)

#if FOO
[conditional code]
#endif

is "undefined", according to C99 6.10.1 note 4. So, change code like
that to use the following paradigm

#if defined(BAR)
#define FOO 1
#else
#define FOO 0
#endif

#if FOO
[conditional code]
#endif

branches: 1.3.2;
Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Enable building of ipfilter code as a separately-loaded module.

branches: 1.4.6;
kill sprintf

branches: 1.3.2; 1.3.4;
Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

fix a/an grammar in obvious cases

branches: 1.26.10;
s/Incluse/Include/

don't opencode kauth_cred_get()

Fix ip_nat memory leak and use-after-free, wrong element freed (Cy Schubert)
https://cgit.freebsd.org/src/commit/?id=323a4e2c4e285e6f8eee8db3fe2cb74

branches: 1.23.6; 1.23.8;
Remove #ifdef BRIDGE_IPF, compile in the code by default. Sent to
tech-net@.

reduce stack usage in ipf_nat_ioctl()

also, in SIOCADNAT, make sure to not leak kernel data

add fallthru comments.

branches: 1.20.2;
Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.

Remove now unused tcpip.h includes. Some were already unused before.

branches: 1.18.4;
Typo

Fix lookup of original destination address when using a redirect rule.
This is required for transparent proxying by squid, for example.

branches: 1.16.2;
Fix matching of ICMP queries when NAT'd through IPF

This notably fixes MTU updates for hosts issueing ICMP queries through a
NAT performed by NetBSD with IPF.

Update comments to match previous change (avoid panic in SIOCGNATL)

Avoid panic in SIOCGNATL dereferencing a NULL softc.
Solution suggestion from Martin Husemann.

branches: 1.13.2; 1.13.4;
PR kern/47665
For ICMP packets, use the "oicmpid" and "nicmpid" fields explicitly rather
than overloading those with "port" in them and expecting them to work.

#537 NAT rules with sticky have incorrect hostmap IP address

branches: 1.11.2;
Checking the return value of an allocator works better, when looking at
the stored pointer.

Remove unused variables

branches: 1.9.2;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams

Fix bucket and chain counts on nat lists from Geoff Adams:

The problem was that ipf_nat_delete wasn't swapping inbound and
outbound hash codes for inbound NAT entries, so it was essentially
always looking in the wrong buckets in those cases. But because of
the way the linked list works, I don't think any NAT entries were
actually leaked. But since all the bucket counters and chain count
were getting messed up, things did start to go bad after a while.
(New NAT entries wouldn't be created, for instance.)

The fix is in the ipf_nat_delete function, itself; the other changes
are a slight refactoring of one method and adding some comments
that helped me figure out how the linked list with pointer-back-pointers
worked.

Also note that I haven't looked through the logic in ipf_nat_rehash;
it's likely that that might miss some things for the same reason.

I also haven't yet looked into the ipf_nat_newrdr problem with mappings
already existing. That'll be next.

- Replace the seemingly broken built-in ipf rbtree implementation with ours.
- Fix typos in comments
- Fix 2 mutex errors
From Geoff Adams

branches: 1.6.2;
Make ipf compile even without INET6 support.

Changes have been fed upstream (to darrenr@)

ansify new function definition

ansify new function definition

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

remove conditional code that defines members of natstat_t.

kernels without INET6 support end up with a different size of
this structure than the userland does and then it errors:

# ipnat -l
70:ioctl(SIOCGNATS) object size mismatch for copying out ipfobj

with these members (which are zeroed at ipf init) enabled, the
size check works.


XXX: pullup-9 (change tested there.)

Avoid panic in SIOCGNATL dereferencing a NULL softc.
Solution suggestion from Martin Husemann.

branches: 1.6.12; 1.6.14;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams

Fix bucket and chain counts on nat lists from Geoff Adams:

The problem was that ipf_nat_delete wasn't swapping inbound and
outbound hash codes for inbound NAT entries, so it was essentially
always looking in the wrong buckets in those cases. But because of
the way the linked list works, I don't think any NAT entries were
actually leaked. But since all the bucket counters and chain count
were getting messed up, things did start to go bad after a while.
(New NAT entries wouldn't be created, for instance.)

The fix is in the ipf_nat_delete function, itself; the other changes
are a slight refactoring of one method and adding some comments
that helped me figure out how the linked list with pointer-back-pointers
worked.

Also note that I haven't looked through the logic in ipf_nat_rehash;
it's likely that that might miss some things for the same reason.

I also haven't yet looked into the ipf_nat_newrdr problem with mappings
already existing. That'll be next.

the result of the construct

#define FOO defined(BAR)

#if FOO
[conditional code]
#endif

is "undefined", according to C99 6.10.1 note 4. So, change code like
that to use the following paradigm

#if defined(BAR)
#define FOO 1
#else
#define FOO 0
#endif

#if FOO
[conditional code]
#endif

branches: 1.3.2;
Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

fix a/an grammar in obvious cases

branches: 1.12.24;
From Cy Schubert:

ipfilter: Use the softn (NAT softc) host map size in ip_nat6
calculation. The ipfilter NAT table host map size is a tunable
that defaults to a macro value defined at build time. HOSTMAP_SIZE
is saved in softn (the ipnat softc) at initialization. It can be
tuned (changed) at runtime using the ipf -T command. If the
hostmap_size tunable is adjusted the calculation to determine where
to put new entries in the table was incorrect. Use the tunable in
the NAT softc instead of the static build time value.

branches: 1.11.14;
Remove now unused tcpip.h includes. Some were already unused before.

branches: 1.10.14;
Fix lookup of original destination address when using a redirect rule.
This is required for transparent proxying by squid, for example.

branches: 1.9.2;
Update comments to match previous change (avoid panic in SIOCGNATL)

Avoid panic in SIOCGNATL dereferencing a NULL softc.
Solution suggestion from Martin Husemann.

branches: 1.7.4; 1.7.6;
Remove SCCS prefix from RCS string!

Use __KERNEL_RCSID.

Remove a few unused variables, ifdef others like their use

branches: 1.4.2;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams

branches: 1.3.2;
Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Enable building of ipfilter code as a separately-loaded module.

branches: 1.4.6;
kill sprintf

branches: 1.3.2; 1.3.4;
Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

fix a/an grammar in obvious cases

branches: 1.7.38;
Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.

Remove now unused tcpip.h includes. Some were already unused before.

branches: 1.5.38;
ansify new function definition

h323 proxy removed

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

the result of the construct

#define FOO defined(BAR)

#if FOO
[conditional code]
#endif

is "undefined", according to C99 6.10.1 note 4. So, change code like
that to use the following paradigm

#if defined(BAR)
#define FOO 1
#else
#define FOO 0
#endif

#if FOO
[conditional code]
#endif

branches: 1.3.2;
Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Remove unused variables

branches: 1.4.2; 1.4.4;
Make ipf compile even without INET6 support.

Changes have been fed upstream (to darrenr@)

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

kill sprintf

branches: 1.3.2; 1.3.4;
Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

be consistent about byte flipping (cosmetic no functional change)

branches: 1.11.2; 1.11.12;
Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.

branches: 1.10.2;
put back the cast.

When growing the state, remember to grow the seed array, otherwise we'll end
up accessing memory we did not allocate.

Typo

branches: 1.7.4;
Disconnect maintaining fragment state from keeping session state. The user
now must specify keep frags along with keep state to have ipfilter do what
it did before, as documented in ipf.conf.5. (Cy Schubert @ FreeBSD)

branches: 1.6.4; 1.6.6; 1.6.8; 1.6.10; 1.6.16;
Remove unused variables

branches: 1.5.2;
Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams

- Replace the seemingly broken built-in ipf rbtree implementation with ours.
- Fix typos in comments
- Fix 2 mutex errors
From Geoff Adams

branches: 1.3.2;
Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Remove now unused tcpip.h includes. Some were already unused before.

branches: 1.5.28;
Fix return value of ipf_sync_nat

branches: 1.4.2; 1.4.4;
Fix printf format

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Constify a bunch of global varialbes under ipf/ so that they land in
.rodata (3472 bytes).

Also, remove ipf_tuneables[], unused.

branches: 1.5.38;
Make ipf compile even without INET6 support.

Changes have been fed upstream (to darrenr@)

ansify new function definition

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Back out my last change, which was a partial fix for hash code computation problems.
Apply Darren's more complete reworking of hash code computation.
Ensure that the struct containing the red-black tree head is properly initialized.
From Geoff Adams

- Replace the seemingly broken built-in ipf rbtree implementation with ours.
- Fix typos in comments
- Fix 2 mutex errors
From Geoff Adams

branches: 1.3.2;
Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

PR/50559: David Binderman: Add missing free()'s after calls to randomize().

branches: 1.5.6;
kill sprintf

Remove unused variable

branches: 1.3.2; 1.3.4;
Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision

Merge IPFilter 5.1.2 into HEAD

branches: 1.2.2; 1.2.4;
apply our changes.
- prototypes
- ip_h323_pxy.c is missing from the distribution
- original tar distribution is missing <$>Id values in most files

branches: 1.1.1;
Initial revision