Include the IP address in the message when a hashnode add error occurs.
This helps to identify the ippool.conf statement in which the error occurred.
(cherry picked from commit 9da30a23a5ecae151ae1db045354fab105c69e12)
Replace inet_ntoa(3) with inet_ntop(3). This supports the printing of
IPv6 IP addresses in addition to IPv4 IP addresses in error messages.
(cherry picked from commit 3a2cb65b6e6dc1e71013db27ce143eb8670a1755)
When a node in a tree is discovered in error, i.e. duplicate, the
IP address of the node is printed but no closing bracket completes
the node in the message. Fix this.
(cherry picked from commit 858a7a27f5c82c8364a0eb8bf1d9f0b1315422aa)
As with when printing errors for failed poolnodes, printing the hash
node (IP address) only leads to speculation as to which hash pool the failed
add occurred in. This is especially useful when the same IP address is
listed in multiple hash pools.
(cherry picked from commit 8aae4220d76602f22291d7567ba0c61b9aa8c188)
Printing the pool node (IP address) only leads to speculation as to which
pool the failed add occurred in. This is especially useful when the same
IP address is listed in multiple pools.
(cherry picked from commit 470c680cfbf5f6cd9ac392b210b97b41d02cd969)
Avoid overrunning the message buffer when printing an ippool btree error.
We do this in two ways. First we increase the message buffer from 80 to
255 bytes and secondly we replace strcat(3) with strlcat(3).
(cherry picked from commit 42935716286e7887bfeb9dd8daea72d6a5d40908)
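The two commits above (inet_ntoa(3) to inet_ntop(3), and the bounded message buffer) are illustrated by the following added example. It is not ipfilter code and not taken from any of the commits; the message wording, the 255-byte buffer size, the sample addresses (RFC 5737/3849 documentation ranges) and the bounded_cat() helper are assumptions made for the demonstration. bounded_cat() reproduces strlcat(3) semantics locally so the example builds on libcs that lack strlcat.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Assumed buffer size, matching the enlarged buffer described above. */
#define MSG_BUF_SIZE 255

/* Bounded append with strlcat(3) semantics (local version, since strlcat is
 * not in every libc): never writes past dst[size-1], always NUL-terminates
 * when size > 0, and returns the length it *tried* to create so the caller
 * detects truncation with "return value >= size". strcat(3) has no such
 * bound and would keep writing past the end of dst. */
size_t bounded_cat(char *dst, const char *src, size_t size)
{
    size_t dlen = 0, slen = strlen(src);

    while (dlen < size && dst[dlen] != '\0')
        dlen++;
    if (dlen == size)               /* dst not terminated within size */
        return size + slen;
    if (slen < size - dlen) {
        memcpy(dst + dlen, src, slen + 1);
    } else {
        memcpy(dst + dlen, src, size - dlen - 1);
        dst[size - 1] = '\0';
    }
    return dlen + slen;
}

/* Parse an IPv4 or IPv6 literal into a sockaddr_storage. Returns 0 on success. */
int make_sockaddr(const char *text, struct sockaddr_storage *ss)
{
    struct sockaddr_in *s4 = (struct sockaddr_in *)ss;
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)ss;

    memset(ss, 0, sizeof(*ss));
    if (inet_pton(AF_INET, text, &s4->sin_addr) == 1) {
        s4->sin_family = AF_INET;
        return 0;
    }
    if (inet_pton(AF_INET6, text, &s6->sin6_addr) == 1) {
        s6->sin6_family = AF_INET6;
        return 0;
    }
    return -1;
}

/* Render an address as text with inet_ntop(3), which, unlike inet_ntoa(3),
 * handles both families and writes into a caller-supplied buffer. */
int addr_to_text(const struct sockaddr *sa, char *out, size_t outlen)
{
    const void *src;

    if (sa->sa_family == AF_INET)
        src = &((const struct sockaddr_in *)sa)->sin_addr;
    else if (sa->sa_family == AF_INET6)
        src = &((const struct sockaddr_in6 *)sa)->sin6_addr;
    else
        return -1;
    return inet_ntop(sa->sa_family, src, out, (socklen_t)outlen) ? 0 : -1;
}

/* Build "pool <name>: duplicate node (<addr>)" into msg without ever writing
 * past msg[size-1]. Returns 1 if the message had to be truncated, else 0. */
int format_node_error(char *msg, size_t size, const char *pool,
                      const struct sockaddr *sa)
{
    char addr[INET6_ADDRSTRLEN];
    size_t need;

    if (addr_to_text(sa, addr, sizeof(addr)) != 0)
        snprintf(addr, sizeof(addr), "<unknown>");

    msg[0] = '\0';
    bounded_cat(msg, "pool ", size);
    bounded_cat(msg, pool, size);
    bounded_cat(msg, ": duplicate node (", size);
    bounded_cat(msg, addr, size);
    need = bounded_cat(msg, ")", size);    /* closing bracket always attempted */
    return need >= size;
}

int main(void)
{
    /* Constructed sample input: one IPv4 and one IPv6 documentation address. */
    static const char *samples[] = { "192.0.2.1", "2001:db8::1" };
    char msg[MSG_BUF_SIZE], small[24];
    struct sockaddr_storage ss;

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        if (make_sockaddr(samples[i], &ss) != 0)
            continue;
        format_node_error(msg, sizeof(msg), "pool1", (struct sockaddr *)&ss);
        printf("%s\n", msg);
        if (format_node_error(small, sizeof(small), "pool1", (struct sockaddr *)&ss))
            printf("truncated to %zu bytes: %s\n", sizeof(small), small);
    }
    return 0;
}
```

The 24-byte buffer in main() stands in for the old 80-byte one: with a long IPv6 literal the message no longer fits, and the bounded append truncates and reports it instead of writing past the end, which is exactly the failure mode the strcat(3) to strlcat(3) change removes.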
Add an ippool(8) option to dump a copy of the in-memory ippool tables
in an ippool(5) format so that it can be reloaded using ippool -f.
MFC after: 2 weeks
Jails without VNET have complete access to the ipfilter rules, NAT,
pools and logs. This is insecure. Only allow jails to manipulate
ipfilter rules, NAT tables and ippools if the jail has its own VNET.
Otherwise a jail can affect the global system.
This patch brings ipfilter in line with ipfw's support of VNET jails and
non-support of non-VNET jails.
MFC after: 1 week
When printing the interface name from the ipstate_t struct the interface
name in is_ifp may not always be available when reading it from kmem
(tested on FreeBSD and NetBSD). However, the is_ifname (the interface
name character string) is almost always available -- it is not available
when the source of the packet is a process running on the firewall
itself. Rather than print both interface name strings, print only the
one.
MFC after: 1 week
Rather than use a kmem read to determine the interface name used by a
nat_t structure through a pointer, nat_ipfs->netif->if_xname, obtain it
directly from nat_ifnames in the nat_t structure itself using the new
FORMAT_IF macro.
MFC after: 1 week
NAT table mappings list only the source and destination IP, the source
and destination port numbers, and their mappings. But the protocol is not
listed. Now that Facebook and Google use QUIC, seeing port 443 in a
list of active NAT sessions could mean 443/tcp or 443/udp. This patch
adds the protocol to the listing to aid in determining whether HTTPS is
TCP or QUIC in a NAT mapping listing. This also helps differentiate
between other protocols such as ICMP, ESP, and AH in ipnat list of active
sessions.
MFC after: 1 week
Convert ipfilter userland function declarations from K&R to ANSI. This
syncs our function declarations with NetBSD hg commit 75edcd7552a0
(apply our changes). Though not copied from NetBSD, this change was
partially inspired by NetBSD's work and inspired by style(9).
Reviewed by: glebius (for #network)
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D33595
Through fixes and improvements our ipfilter sources have diverged
enough to warrant move from contrib into sbin/ipf. Now that I'm
planning on implementing MSS clamping as in iptables it makes more
sense to move ipfilter to sbin.
This is the second of three commits of the ipfilter move.
Suggested by glebius on two occasions.
Suggested by and discussed with: glebius
Reviewed by: glebius, kp (for #network)
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D33510
the real build file.
This lessens the need to define DPADD_<lib> and LDADD_<lib> to just very
special cases.
Sponsored by: EMC / Isilon Storage Division
Off by default, build behaves normally.
WITH_META_MODE we get auto objdir creation, the ability to
start build from anywhere in the tree.
Still need to add real targets under targets/ to build packages.
Differential Revision: D2796
Reviewed by: brooks imp
It only provides inet_aton(), which is already provided by the libc. This
causes multiple symbol definitions when linking statically.
Reviewed by: darrenr
buildworld breakage.
Exclude loglevel.c from the build. It does not appear to be used by
anything in the tree and buildworld succeeds just fine without it.