Fix insufficient packet length validation in libalias.

Approved by: so
Approved by: re (implicit)
Security: FreeBSD-SA-20:12.libalias
Security: CVE-2020-7454

In m_megapullup() use m_getjcl() to allocate 9k or 16k mbuf when requested.

It is better to try allocate a big mbuf, than just silently drop a big
packet. A better solution could be reworking of lib

In m_megapullup() use m_getjcl() to allocate 9k or 16k mbuf when requested.

It is better to try allocate a big mbuf, than just silently drop a big
packet. A better solution could be reworking of libalias modules to be
able use m_copydata()/m_copyback() instead of requiring the single
contiguous buffer.

PR: 229006
MFC after: 1 week

show more ...

sys: general adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I
was using misidentified many licenses so this was mostly a manual - error
pro

sys: general adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I
was using misidentified many licenses so this was mostly a manual - error
prone - task.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.

No functional change intended.

show more ...

ipfw nat and natd support multiple aliasing instances with "nat global" feature
that chooses right alias_address for outgoing packets that already have
corresponding state in one of aliasing instance

ipfw nat and natd support multiple aliasing instances with "nat global" feature
that chooses right alias_address for outgoing packets that already have
corresponding state in one of aliasing instances. This feature works just fine
for ICMP, UDP, TCP and SCTP packes but not for others. For example,
outgoing PPtP/GRE packets always get alias_address of latest configured
instance no matter whether such packets have corresponding state or not.

This change unbreaks translation of transit PPtP/GRE connections
for "nat global" case fixing a bug in static ProtoAliasOut() function
that ignores its "create" argument and performs translation
regardless of its value. This static function is called only
by LibAliasOutLocked() function and only for packers other than
ICMP, UDP, TCP and SCTP. LibAliasOutLocked() passes its "create"
argument unmodified.

We have only two consumers of LibAliasOutLocked() in the source tree
calling it with "create" unequal to 1: "ipfw nat global" code and similar
natd code having same problem. All other consumers of LibAliasOutLocked()
call it with create = 1 and the patch is "no-op" for such cases.

PR: 218968
Approved by: ae, vsevolod (mentor)
MFC after: 1 week

show more ...

It'll be okay to use LibAliasDetachHandlers() here, relying
on the fact that all handlers come from modules' bss and are
followed by NODIR handler.

In m_megapullup() instead of reserving some space at the end of packet,
m_align() it, reserving space to prepend data.

Reviewed by: mav

Functions m_getm2() and m_get2() have different order of arguments,
and that can drive someone crazy. While m_get2() is young and not
documented yet, change its order of arguments to match m_getm2().

Functions m_getm2() and m_get2() have different order of arguments,
and that can drive someone crazy. While m_get2() is young and not
documented yet, change its order of arguments to match m_getm2().

Sorry for churn, but better now than later.

show more ...

Utilize m_get2() to get mbuf of appropriate size.

Mechanically substitute flags from historic mbuf allocator with
malloc(9) flags within sys.

Exceptions:

- sys/contrib not touched
- sys/mbuf.h edited manually

MFC: r198539

Close a stream file descriptor leak.

Don't spam the console with loaded modules during boot and/or during
startup of ppp.

Note: This cannot be hidden behind bootverbose as this file is included
from lib/libalias as well.

Close a stream file descriptor leak.

PR: 138130
Submitted by: Patroklos Argyroudis <[email protected]>
MFC after: 1 week

What's the point of adjusting a checksum if we are going to toss the
packet? Anticipate the check/return code.

Plug two bugs introduced with modules conversion:

-UdpAliasIn(): correctly check return code after modules ran.
-alias_nbt: in case of malformed packets (or some other unrecoverable
error), toss th

Plug two bugs introduced with modules conversion:

-UdpAliasIn(): correctly check return code after modules ran.
-alias_nbt: in case of malformed packets (or some other unrecoverable
error), toss the packet.

show more ...

Remove stale comments.

Add SCTP NAT support.

Submitted by: CAIA (http://caia.swin.edu.au)

Implement UDP transparent proxy support.

PR: bin/54274
Submitted by: Nicolai Petri <[email protected]>

Make m_megapullup() more intelligent:
- to increase performance do not reallocate mbuf when possible,
- to support up to 16K packets (was 2K max) use mbuf cluster of proper size.
This change depend

Make m_megapullup() more intelligent:
- to increase performance do not reallocate mbuf when possible,
- to support up to 16K packets (was 2K max) use mbuf cluster of proper size.
This change depends on recent ng_nat and ip_fw_nat changes.

show more ...

Fix packet fragmentation support broken by copy/paste error in rev.1.60.
ip_id should be u_short, but not u_char.

Fix build, together with a bit of style breakage.

-Don't pass down the entire pkt to ProtoAliasIn, ProtoAliasOut, FragmentIn
and FragmentOut.
-Axe the old PacketAlias API: it has been deprecated since 5.x.

MFP4:
restrict the utilization of direct pointers to the content of
ip packet. These modifications are functionally nop()s thus
can be merged with no side effects.

o made in kernel libalias mpsafe
o fixed a comment
o made in kernel libalias a bit less verbose (disabled automatic
logging everytime a new link is added or deleted)

Approved by: glebius (mentor)

Make libalias.conf parsing a bit smarter.
This closes PR kern/106112.

While here, add mbuf's #includes i forgot in the previous commit.

Approved by: gleb

Remove m_megapullup from ng_nat and put it under libalias.

Approved by: gleb