318391 |
17-May-2017 |
cy |
MFC r318283:
As of r318281 in HEAD (r318390 [in stable/10 & stable/11]), there is no need to put a colon (:) in the message string. |
318390 |
17-May-2017 |
cy |
MFC r318281:
Separate the ipfilter function/static string from the error with a colon (:) in error messages to assist the user in parsing out the error from where or which object the error message refers to. |
317314 |
23-Apr-2017 |
cy |
MFC r316993, r316994, r316997 as follows:
r316993:
Fix CID 1372601 in ipfilter/lib/parsefields.c, possible NULL pointer dereference should reallocarray() fail.
Reported by: Coverity CID 1372601
r316994:
Fix CID 1372600 in ipfilter/tools/ipf_y.y, possible NULL pointer dereference should reallocarray() fail.
Reported by: Coverity CID 1372600
r316997:
Use warnx() to issue error message.
Reported by: cem |
314834 |
07-Mar-2017 |
cy |
MFC r314627:
Fix leak (free str before returning when ctx's calloc fails).
Submitted by: trix_juniper.net (Tom Rix)
Reviewed by: cy, ngie
Discovered by: clang's static analyzer
Differential Revision: D9877 |
314251 |
25-Feb-2017 |
cy |
MFC r312787:
Currently the fragment info is placed at the top of the linked list under a shared read lock. This patch attempts to upgrade the lock to an exclusive write lock. If the exclusive write lock fails to be obtained, the current fragment is not placed at the head of the list.
This portion of the patch was inspired by NetBSD ip_frag.c r1.4 (which effectively removed the section of code that performed the reordering).
The patch to sys/contrib/ipfilter/netinet/ip_compat.h adds the MUTEX_TRY_UPGRADE macro to support the patch to ip_frag.c.
The patch to contrib/ipfilter/lib/rwlock_emul.c supports this patch by emulating the mutex in userspace when exercised by ipftest(1).
Inspired by: NetBSD ip_frag.c r1.4 |
272987 |
12-Oct-2014 |
cy |
MFC r271972
Fix ipfilter bug #536 ipnat can try to print rule as dstlist incorrectly.
Obtained from: ipfilter CVS repo (r1.14), netbsd CVS repo (r1.3) |
272986 |
12-Oct-2014 |
cy |
MFC r271971
Fix ipfilter bug #553 gethost needs to zero entire IP address structure.
Obtained from: ipfilter CVS repo (r1.11) |
272985 |
12-Oct-2014 |
cy |
MFC r271970
ipv6 address for test.hosts.dots in wrong byte order.
Obtained from: ipfilter CVS repo (r1.11), netbsd CVS repo (r1.5) |
268937 |
21-Jul-2014 |
cy |
MFC r268532 and r268585. When world and kernel are built without INET6 support, the userland was still built with INET6 turned on.
PR: 190964
Approved by: glebius (mentor, implicit) |
268563 |
12-Jul-2014 |
cy |
MFC r268286: Fix compile-time errors when NO_WERROR and WITHOUT_INET6_SUPPORT (NO_INET6) are specified.
Approved by: glebius (mentor) |
256281 |
10-Oct-2013 |
gjb |
Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.
Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation
|
255332 |
06-Sep-2013 |
cy |
Update ipfilter 4.1.28 --> 5.1.2.
Approved by: glebius (mentor)
BSD Licensed by: Darren Reed <darrenr@reed.wattle.id.au> (author)
|
193043 |
29-May-2009 |
stas |
- Prevent buffer overflow in IPFilter's load_http function used to load ipfilter tables via http by the user-level ippool utility. Previously the 1024-byte buffer used to store a http request could easily overflow if the length of the hostname part of the url passed exceeded 496 bytes. [1]
- Use snprintf to prevent possible buffer overflows in future. [2]
- Do not try to close the descriptor twice on failure. [2]
Reported by: Maksymilian Arciemowicz <cxib@securityreason.com> [1]
Obtained from: NetBSD CVS [2]
MFC after: 2 weeks
|
180778 |
24-Jul-2008 |
darrenr |
2020447 IPFilter's NAT can undo name server random port selection
Approved by: darrenr
MFC after: 1 week
Security: CERT VU#521769
|
172776 |
18-Oct-2007 |
darrenr |
Pullup IPFilter 4.1.28 from the vendor branch into HEAD.
MFC after: 7 days
|
172772 |
18-Oct-2007 |
darrenr |
This commit was generated by cvs2svn to compensate for changes in r172771, which included commits to RCS files with non-trunk default branches.
|
170269 |
04-Jun-2007 |
darrenr |
Remove files no longer required to build IPFilter
|
170268 |
04-Jun-2007 |
darrenr |
Merge IPFilter 4.1.23 back to HEAD
See src/contrib/ipfilter/HISTORY for details of changes since 4.1.13
|
170264 |
04-Jun-2007 |
darrenr |
This commit was generated by cvs2svn to compensate for changes in r170263, which included commits to RCS files with non-trunk default branches.
|
161357 |
16-Aug-2006 |
guido |
Resolve conflicts
MFC after: 1 week
|
161352 |
16-Aug-2006 |
guido |
This commit was generated by cvs2svn to compensate for changes in r161351, which included commits to RCS files with non-trunk default branches.
|
153881 |
30-Dec-2005 |
guido |
Resolve conflicts (and believe me...you don't want to know).
|
153878 |
30-Dec-2005 |
guido |
This commit was generated by cvs2svn to compensate for changes in r153877, which included commits to RCS files with non-trunk default branches.
|
147547 |
23-Jun-2005 |
darrenr |
Fix some minor problems before release: (1) "ipf -T" is broken for fetching single entries and (2) loading rules with numbered collections does not order insertion right. (3) stats aren't accumulated for hash table memory failures
Approved by: re (dwhite)
|
145640 |
28-Apr-2005 |
darrenr |
Don't use quad_t on FreeBSD (deprecated) so use "long long" instead. Someday this should be converted to uint64_t and printstate.c changed to use those horrid PRiud64 things.
|
145547 |
26-Apr-2005 |
darrenr |
Fix problems with building libipf:
ipf_dontuning.c - change the include to look in netinet for ipl.h
ipft_tx.c - make the private use of arrays with tcp flags info in them more not use names that can be "confusing"
|
145519 |
25-Apr-2005 |
darrenr |
* Someone imported a lot of files with the wrong CVS tag, so lots of files need that fixed in them....
* Keep unnecessary files out of the non-vendor part of this CVS repository.
|
145511 |
25-Apr-2005 |
darrenr |
This commit was generated by cvs2svn to compensate for changes in r145510, which included commits to RCS files with non-trunk default branches.
|