opnsense-src/sys/netinet6
Mark Johnston 40faf87894 ip: Defer checks for an unspecified dstaddr until after pfil hooks
To comply with Common Criteria certification requirements, it may be
necessary to ensure that packets to 0.0.0.0/::0 are dropped and logged
by the system firewall.  Currently, such packets are dropped by
ip_input() and ip6_input() before reaching pfil hooks; let's defer the
checks slightly to give firewalls a chance to drop the packets
themselves, as this gives better observability.  Add some regression
tests for this with pf+pflog.

Note that prior to commit 713264f6b8, v4 packets to the unspecified
address were not dropped by the IP stack at all.

Note that ip_forward() and ip6_forward() ensure that such packets are
not forwarded; they are passed back unmodified.

Add a regression test which ensures that such packets are visible to
pflog.

Reviewed by:	glebius
MFC after:	3 weeks
Sponsored by:	Klara, Inc.
Sponsored by:	OPNsense
Differential Revision:	https://reviews.freebsd.org/D48163
2025-01-16 16:45:16 +00:00
dest6.c sys: Remove $FreeBSD$: one-line .c pattern 2023-08-16 11:54:36 -06:00
frag6.c frag6: Add another use of frag6_rmqueue() 2024-01-04 08:39:52 -05:00
icmp6.c icmp: improve INVARIANTS check 2024-12-12 15:40:49 +01:00
icmp6.h sys: Remove $FreeBSD$: one-line .c comment pattern 2023-08-16 11:54:24 -06:00
in6.c in6: Constify some sockaddr conversion functions 2024-11-14 19:59:04 +00:00
in6.h in6: Constify some sockaddr conversion functions 2024-11-14 19:59:04 +00:00
in6_cksum.c sys: Automated cleanup of cdefs and other formatting 2023-11-26 22:24:00 -07:00
in6_fib.c sys: Remove $FreeBSD$: one-line .c pattern 2023-08-16 11:54:36 -06:00
in6_fib.h sys: Remove $FreeBSD$: two-line .h pattern 2023-08-16 11:54:11 -06:00
in6_fib_algo.c sys: Remove $FreeBSD$: one-line .c pattern 2023-08-16 11:54:36 -06:00
in6_gif.c sys: Remove $FreeBSD$: one-line .c pattern 2023-08-16 11:54:36 -06:00
in6_ifattach.c sys: Automated cleanup of cdefs and other formatting 2023-11-26 22:24:00 -07:00
in6_ifattach.h sys: Remove $FreeBSD$: one-line .h pattern 2023-08-16 11:54:18 -06:00
in6_jail.c sys: Remove $FreeBSD$: one-line .c pattern 2023-08-16 11:54:36 -06:00
in6_mcast.c netinet: Remove stale references to Giant from comments 2024-01-27 13:51:13 -05:00
in6_pcb.c inpcb: Further restrict binding to a port owned by a different UID 2024-12-23 15:41:06 +00:00
in6_pcb.h inpcb: Constify address parameters to in6 pcb lookup routines 2024-11-14 19:59:04 +00:00
in6_proto.c icmp6: move ICMPv6 related tunables to the files where they are used 2024-03-24 09:13:23 -07:00
in6_rmx.c in6_rmx: remove unnecessary socketvar.h 2024-05-07 14:15:56 -07:00
in6_rss.c sys: Remove $FreeBSD$: two-line .c pattern 2023-08-16 11:54:30 -06:00
in6_rss.h sys: Remove $FreeBSD$: two-line .h pattern 2023-08-16 11:54:11 -06:00
in6_src.c netinet: add a probe point for IP, IP6, ICMP, ICMP6, UDP and TCP stats counters 2024-04-08 17:29:59 +02:00
in6_var.h in6_var.h: make struct in6_ifaddr declaration searchable with grep(1) 2024-12-09 08:18:56 -08:00
ip6.h sys: Remove $FreeBSD$: one-line .c comment pattern 2023-08-16 11:54:24 -06:00
ip6_ecn.h sys: Remove $FreeBSD$: one-line .h pattern 2023-08-16 11:54:18 -06:00
ip6_fastfwd.c ip: Defer checks for an unspecified dstaddr until after pfil hooks 2025-01-16 16:45:16 +00:00
ip6_forward.c sys: Remove $FreeBSD$: one-line .c pattern 2023-08-16 11:54:36 -06:00
ip6_gre.c sys: Remove $FreeBSD$: one-line .c pattern 2023-08-16 11:54:36 -06:00
ip6_id.c sys: Remove $FreeBSD$: one-line .c pattern 2023-08-16 11:54:36 -06:00
ip6_input.c ip: Defer checks for an unspecified dstaddr until after pfil hooks 2025-01-16 16:45:16 +00:00
ip6_mroute.c netinet*: Add assertions for some places that don't support M_EXTPG mbufs 2024-10-31 16:32:32 -04:00
ip6_mroute.h sys: Remove $FreeBSD$: one-line .h pattern 2023-08-16 11:54:18 -06:00
ip6_output.c ipsec: allow it to work with unmapped mbufs 2025-01-13 21:29:32 +02:00
ip6_var.h netinet: add a probe point for IP, IP6, ICMP, ICMP6, UDP and TCP stats counters 2024-04-08 17:29:59 +02:00
ip_fw_nat64.h sys: Remove $FreeBSD$: two-line .h pattern 2023-08-16 11:54:11 -06:00
ip_fw_nptv6.h sys: Remove $FreeBSD$: two-line .h pattern 2023-08-16 11:54:11 -06:00
mld6.c netinet: add a probe point for IP, IP6, ICMP, ICMP6, UDP and TCP stats counters 2024-04-08 17:29:59 +02:00
mld6.h sys: Remove $FreeBSD$: two-line .h pattern 2023-08-16 11:54:11 -06:00
mld6_var.h sys: Remove $FreeBSD$: two-line .h pattern 2023-08-16 11:54:11 -06:00
nd6.c nd6: Fix the routing table subscription 2024-07-25 10:27:39 -04:00
nd6.h icmp6: move ICMPv6 related tunables to the files where they are used 2024-03-24 09:13:23 -07:00
nd6_nbr.c netinet: add a probe point for IP, IP6, ICMP, ICMP6, UDP and TCP stats counters 2024-04-08 17:29:59 +02:00
nd6_rtr.c icmp6: move ICMPv6 related tunables to the files where they are used 2024-03-24 09:13:23 -07:00
pim6.h sys: Remove $FreeBSD$: one-line .h pattern 2023-08-16 11:54:18 -06:00
pim6_var.h sys: Remove $FreeBSD$: one-line .h pattern 2023-08-16 11:54:18 -06:00
raw_ip6.c rip6: don't lock the inpcb list 2024-11-14 11:39:12 -08:00
raw_ip6.h sys: Remove $FreeBSD$: one-line .h pattern 2023-08-16 11:54:18 -06:00
route6.c sys: Remove $FreeBSD$: one-line .c pattern 2023-08-16 11:54:36 -06:00
scope6.c netinet6: Fix two typos in source code comments 2024-01-22 21:48:34 +01:00
scope6_var.h sys: Remove $FreeBSD$: one-line .h pattern 2023-08-16 11:54:18 -06:00
sctp6_usrreq.c sctp(4): Fix typos in source code comments 2024-07-21 10:57:22 +02:00
sctp6_var.h sctp: cleanup cdefs.h include 2023-08-18 15:25:34 +02:00
send.c sys: Automated cleanup of cdefs and other formatting 2023-11-26 22:24:00 -07:00
send.h sys: Remove $FreeBSD$: two-line .h pattern 2023-08-16 11:54:11 -06:00
tcp6_var.h sys: Remove ancient SCCS tags. 2023-11-26 22:23:30 -07:00
udp6_usrreq.c inpcb: gc unused argument of in_pcbconnect() 2024-11-14 11:39:13 -08:00
udp6_var.h sys: Remove ancient SCCS tags. 2023-11-26 22:23:30 -07:00