History log of /freebsd-head/sys/netinet/in.h
Revision Date Author Comments
e5e4cd3eefe013cb688e0fa9bc45440002045fde 09-Oct-2020 rscheff <rscheff@FreeBSD.org> Add IP(V6)_VLAN_PCP to set 802.1 priority per-flow.

This adds a new IP_PROTO / IPV6_PROTO setsockopt (getsockopt)
option IP(V6)_VLAN_PCP, which can be set to -1 (interface
default), or explicitly to any priority between 0 and 7.

Note that for untagged traffic, explicitly adding a
priority will insert a special 802.1Q vlan header with
vlan ID = 0 to carry the priority setting

Reviewed by: gallatin, rrs
MFC after: 2 weeks
Sponsored by: NetApp, Inc.
Differential Revision: https://reviews.freebsd.org/D26409
9dd4070571f77676d0dcd3d2aa7acdce654d68f4 12-Feb-2020 rrs <rrs@FreeBSD.org> White space cleanup -- remove trailing tabs or spaces
from any line.

Sponsored by: Netflix Inc.
e262ca6be69da717763fb63aa734dda07df7e5d7 08-Aug-2019 thj <thj@FreeBSD.org> Rename IPPROTO 33 from SEP to DCCP

IPPROTO 33 is DCCP in the IANA Registry:
https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

IPPROTO_SEP was added about 20 years ago in r33804. The entries were added
straight from RFC1700, without regard to whether they were used.

The reference in RFC1700 for SEP is '[JC120] <mystery contact>', this is an
indication that the protocol number was probably in use in a private network.

As RFC1700 is no longer the authoritative list of internet numbers and that
IANA assigned 33 to DCCP in RFC4340, change the header to the actual
authoritative source.

Reviewed by: Richard Scheffenegger, bz
Approved by: bz (mentor)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D21178
1a5fd513af7e3801164aea50e6e53cd0b12075d8 25-Jun-2019 hselasky <hselasky@FreeBSD.org> Convert all IPv4 and IPv6 multicast memberships into using a STAILQ
instead of a linear array.

The multicast memberships for the inpcb structure are protected by a
non-sleepable lock, INP_WLOCK(), which needs to be dropped when
calling the underlying possibly sleeping if_ioctl() method. When using
a linear array to keep track of multicast memberships, the computed
memory location of the multicast filter may suddenly change, due to
concurrent insertion or removal of elements in the linear array. This
in turn leads to various invalid memory access issues and kernel
panics.

To avoid this problem, put all multicast memberships on a STAILQ based
list. Then the memory location of the IPv4 and IPv6 multicast filters
become fixed during their lifetime and use after free and memory leak
issues are easier to track, for example by: vmstat -m | grep multi

All list manipulation has been factored into inline functions
including some macros, to easily allow for a future hash-list
implementation, if needed.

This patch has been tested by pho@ .

Differential Revision: https://reviews.freebsd.org/D20080
Reviewed by: markj @
MFC after: 1 week
Sponsored by: Mellanox Technologies
4736ccfd9c3411d50371d7f21f9450a47c19047e 20-Nov-2017 pfg <pfg@FreeBSD.org> sys: further adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 3-Clause license.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
supersede or replace the license texts.

Special thanks to Wind River for providing access to "The Duke of
Highlander" tool: an older (2014) run over FreeBSD tree was useful as a
starting point.
8930206be0f629e4e1e6aa710497eaa21aa98bba 09-Aug-2017 des <des@FreeBSD.org> Correct sysctl names.
f7d1b9ebc68d29e5e3e9aca6b42a7b4cd1587266 11-Apr-2017 ae <ae@FreeBSD.org> Make sysctl identifiers for direct netisr queue unique.
Introduce IPCTL_INTRDQMAXLEN and IPCTL_INTRDQDROPS macros for this purpose.

Reviewed by: gnn
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D10358
f2a480c25cb3d60d5b3221a43f3c0c5b763099eb 06-Mar-2017 eri <eri@FreeBSD.org> The patch provides the same socket option as Linux IP_ORIGDSTADDR.
Unfortunately they will have different integer value due to Linux value being already assigned in FreeBSD.

The patch is similar to IP_RECVDSTADDR but also provides the destination port value to the application.

This allows/improves implementation of transparent proxies on UDP sockets due to having the whole information on forwarded packets.

Reviewed by: adrian, aw
Approved by: ae (mentor)
Sponsored by: rsync.net
Differential Revision: D9235
7e6cabd06e6caa6a02eeb86308dc0cb3f27e10da 28-Feb-2017 imp <imp@FreeBSD.org> Renumber copyright clause 4

Renumber clause 4 to 3, per what everybody else did when BSD granted
them permission to remove clause 3. My insistence on keeping the same
numbering for legal reasons is too pedantic, so give up on that point.

Submitted by: Jan Schaumann <jschauma@stevens.edu>
Pull Request: https://github.com/freebsd/freebsd/pull/96
f36100ef2cbe402b1ae964ab123c97b78d7db8e1 16-Feb-2017 vangyzen <vangyzen@FreeBSD.org> Remove inet_ntoa() from the kernel

inet_ntoa() cannot be used safely in a multithreaded environment
because it uses a static local buffer. Remove it from the kernel.

Suggested by: glebius, emaste
Reviewed by: gnn
MFC after: never
Sponsored by: Dell EMC
Differential Revision: https://reviews.freebsd.org/D9625
bb348ba959fe20fe2e80e46b6549e83bb2864d80 12-Feb-2017 eri <eri@FreeBSD.org> Committed without approval from mentor.

Reported by: gnn
ed45b3149493fb1e83faa4fc28cc0acf91aae040 10-Feb-2017 eri <eri@FreeBSD.org> The patch provides the same socket option as Linux IP_ORIGDSTADDR.
Unfortunately they will have different integer value due to Linux value being already assigned in FreeBSD.

The patch is similar to IP_RECVDSTADDR but also provides the destination port value to the application.

This allows/improves implementation of transparent proxies on UDP sockets due to having the whole information on forwarded packets.

Sponsored-by: rsync.net
Differential Revision: D9235
Reviewed-by: adrian
217cfdcc890b0802702cad55927db136b123f909 18-Aug-2016 rstone <rstone@FreeBSD.org> Don't iterate over the ifnet addr list in ip_output()

For almost every packet that is transmitted through ip_output(),
a call to in_broadcast() was made to decide if the destination
IP was a broadcast address. in_broadcast() iterates over the
ifnet's address to find a source IP matching the subnet of the
destination IP, and then checks if the IP is a broadcast in that
subnet.

This is completely redundant as we have already performed the
route lookup, so the source IP is already known. Just use that
address to directly check whether the destination IP is a
broadcast address or not.

MFC after: 2 months
Sponsored By: EMC / Isilon Storage Division
Differential Revision: https://reviews.freebsd.org/D7266
00d578928eca75be320b36d37543a7e2a4f9fbdb 27-May-2016 grehan <grehan@FreeBSD.org> Create branch for bhyve graphics import.
14b7122d6dee034c5e3a8364b50fd099c0fed264 17-Apr-2015 glebius <glebius@FreeBSD.org> Provide functions to determine presence of a given address
configured on a given interface.

Discussed with: np
Sponsored by: Nginx, Inc.
12580bcaa8a78094978261a456034eb3684e9f58 11-Nov-2014 melifaro <melifaro@FreeBSD.org> Kill custom in_matroute() radix matching function removing one rte mutex lock.

Initially in_matroute() in_clsroute() in their current state was introduced by
r4105 20 years ago. Instead of deleting inactive routes immediately, we kept them
in route table, setting RTPRF_OURS flag and some expire time. After that, either
GC came or RTPRF_OURS got removed on first-packet. It was a good solution
in those days (and probably another decade after that) to keep TCP metrics.
However, after moving metrics to TCP hostcache in r122922, most of in_rmx
functionality became unused. It might have been used for flushing icmp-originated
routes before rte mutexes/refcounting, but I'm not sure about that.

So it looks like this is nearly impossible to make GC do its work nowadays:

in_rtkill() ignores non-RTPRF_OURS routes.
route can only become RTPRF_OURS after dropping last reference via rtfree()
which calls in_clsroute(), which, in turn, ignores UP and non-RTF_DYNAMIC routes.

Dynamic routes can still be installed via received redirect, but they
have default lifetime (no specific rt_expire) and no one has another trie walker
to call RTFREE() on them.

So, the changelist:
* remove custom rnh_match / rnh_close matching function.
* remove all GC functions
* partially revert r256695 (proto3 is no more used inside kernel,
it is not possible to use rt_expire from user point of view, proto3 support
is not complete)
* Finish r241884 (similar to this commit) and remove remaining IPv6 parts

MFC after: 1 month
b5d711d3a6940afdd3615f7ffc2dcfa3faacd446 09-Nov-2014 melifaro <melifaro@FreeBSD.org> Remove faith(4) and faithd(8) from base. It looks like industry
have chosen different (and more traditional) stateless/stateful
NAT64 as translation mechanism. Last non-trivial commits to both
faith(4) and faithd(8) happened more than 12 years ago, so I assume
it is time to drop RFC3142 in FreeBSD.

No objections from: net@
2b4fb093044897c573e0f1cfe28d235e8c83db08 29-Oct-2014 jilles <jilles@FreeBSD.org> MFC r266842: netinet/in.h: Expose htonl(), htons(), ntohl() and ntohs() in
strict POSIX mode.

Put the htonl(), htons(), ntohl() and ntohs() declarations under
__POSIX_VISIBLE >= 200112. POSIX.1-2001 and newer require these to be
exposed from <netinet/in.h> (as well as <arpa/inet.h>).

Note that it may be unnecessary to check __POSIX_VISIBLE >= 200112 because
older versions of POSIX and the C standard do not define this header.
However, other places in the same file already perform the check.

PR: 188316
Submitted by: Christian Neukirchen
e623d51cd5c4ea0255d03a6a082071e1ae700947 09-Sep-2014 adrian <adrian@FreeBSD.org> Add support for receiving and setting flowtype, flowid and RSS bucket
information as part of recvmsg().

This is primarily used for debugging/verification of the various
processing paths in the IP, PCB and driver layers.

Unfortunately the current implementation of the control message path
results in a ~10% or so drop in UDP frame throughput when it's used.

Differential Revision: https://reviews.freebsd.org/D527
Reviewed by: grehan
0e45eb31ff5365243a7b27d57c6f11f2b51fca4e 17-Jul-2014 adrian <adrian@FreeBSD.org> Oops - somehow I missed the IP option numbers clashing with the multicast
numbers below.

Move them to a new set of non-clashing numbers.
627c6869c375d438267904bd1157d3129d6811e0 10-Jul-2014 adrian <adrian@FreeBSD.org> Implement the first stage of multi-bind listen sockets and RSS socket
awareness.

* Introduce IP_BINDMULTI - indicating that it's okay to bind multiple
sockets on the same bind details.

Although the PCB code has been taught about this (see below) this patch
doesn't introduce the rest of the PCB changes necessary to distribute
lookups among multiple PCB entries in the global wildcard table.

* Introduce IP_RSS_LISTEN_BUCKET - placing a listen socket into the
given RSS bucket (and thus a single PCBGROUP hash.)

* Modify the PCB add path to be aware of IP_BINDMULTI:
+ Only allow further PCB entries to be added if the owner credentials
and IP_BINDMULTI has been specified. Ie, only allow further
IP_BINDMULTI sockets to appear if the first bind() was IP_BINDMULTI.

* Teach the PCBGROUP code about IP_RSS_LISTEN_BUCKET marked PCB entries.
Instead of using the wildcard logic and hashing, these sockets are
simply placed into the PCBGROUP and _not_ in the wildcard hash.

* When doing a PCBGROUP lookup, also do a wildcard match as well.
This allows for an RSS bucket PCB entry to appear in a PCBGROUP
rather than having to exist in the wildcard list.

Tested:

* TCP IPv4 server testing with igb(4)
* TCP IPv4 server testing with ix(4)

TODO:

* The pcbgroup lookup code duplicated the wildcard and wildcard-PCB
logic. This could be refactored into a single function.

* This doesn't yet work for IPv6 (The PCBGROUP code in netinet6/ doesn't
yet know about this); nor does it yet fully work for UDP.
d4fe515519adfe9db564595f1182018d76bbdd26 26-Jun-2014 adrian <adrian@FreeBSD.org> Retire IP_RSSCPUID ; the right thing to do is query the RSS bucket;
map the bucket to an RSS queue, then map the queue to a CPU ID.
This way the bucket->queue and queue->CPU mapping can change
over time.

Introduce IP_RSSBUCKETID - which instead looks up the RSS bucket.
User applications can then map the RSS bucket to a CPU.
1effdc7fef22ed90536e030bf0fb3b62240b3b45 29-May-2014 jilles <jilles@FreeBSD.org> netinet/in.h: Expose htonl(), htons(), ntohl() and ntohs() in strict POSIX
mode.

Put the htonl(), htons(), ntohl() and ntohs() declarations under
__POSIX_VISIBLE >= 200112. POSIX.1-2001 and newer require these to be
exposed from <netinet/in.h> (as well as <arpa/inet.h>).

Note that it may be unnecessary to check __POSIX_VISIBLE >= 200112 because
older versions of POSIX and the C standard do not define this header.
However, other places in the same file already perform the check.

PR: 188316
Submitted by: Christian Neukirchen
784a0cfd01f188b91214b271d574a603f101d41e 17-May-2014 adrian <adrian@FreeBSD.org> Reserve IP_FLOWID, IP_FLOWTYPE, IP_RSSCPUID socket option IDs for
near-term future use.

These are intended to fetch the current flow id, flow hash type
(M_HASHTYPE_* from the sys/mbuf.h) and if RSS is enabled, the
RSS destined CPU ID for the receive path.
69da76e9e5a9758fee9f8286827143e4608bb87a 13-May-2014 kevlo <kevlo@FreeBSD.org> MFC r264212,r264213,r264248,r265776,r265811,r265909:

- Add support for UDP-Lite protocol (RFC 3828) to IPv4 and IPv6 stacks.
Tested with vlc and a test suite [1].
[1] http://www.erg.abdn.ac.uk/~gerrit/udp-lite/files/udplite_linux.tar.gz

Reviewed by: jhb, glebius, adrian

- Fix a logic bug which prevented the sending of UDP packet with 0 checksum.

- Disable TX checksum offload for UDP-Lite completely. It wasn't used for
partial checksum coverage, but even for full checksum coverage it doesn't
work.
45fcb795ff06a8693c03048461d7be0b2d43627d 07-Apr-2014 kevlo <kevlo@FreeBSD.org> Add support for UDP-Lite protocol (RFC 3828) to IPv4 and IPv6 stacks.
Tested with vlc and a test suite [1].

[1] http://www.erg.abdn.ac.uk/~gerrit/udp-lite/files/udplite_linux.tar.gz

Reviewed by: jhb, glebius, adrian
d9d6b88f18b92428357f47580e9e331def5c7f9d 25-Feb-2014 jhb <jhb@FreeBSD.org> Remove more constants related to static sysctl nodes. The MAXID constants
were primarily used to size the sysctl name list macros that were removed
in r254295. A few other constants either did not have an associated
sysctl node, or the associated node used OID_AUTO instead.

PR: ports/184525 (exp-run)
eb1a5f8de9f7ea602c373a710f531abbf81141c4 21-Feb-2014 gjb <gjb@FreeBSD.org> Move ^/user/gjb/hacking/release-embedded up one directory, and remove
^/user/gjb/hacking since this is likely to be merged to head/ soon.

Sponsored by: The FreeBSD Foundation
6b01bbf146ab195243a8e7d43bb11f8835c76af8 27-Dec-2013 gjb <gjb@FreeBSD.org> Copy head@r259933 -> user/gjb/hacking/release-embedded for initial
inclusion of (at least) arm builds with the release.

Sponsored by: The FreeBSD Foundation
66725ba1ff3e0717e5d6c3d76b3a8b61be37f563 25-Dec-2013 bz <bz@FreeBSD.org> Add more (IPv6) related Internet Protocols:
- Host Identity Protocol (RFC5201)
- Shim6 Protocol (RFC5533)
- 2x experimentation and testing (RFC3692, RFC4727)

This does not indicate interest to implement/support these protocols,
but they are part of the "IPv6 Extension Header Types" [1] based on RFC7045
and might thus be needed by filtering and next header parsing
implementations.

References: [1] http://www.iana.org/assignments/ipv6-parameters
Obtained from: http://www.iana.org/assignments/protocol-numbers
MFC after: 1 week
9e24ae1a7a83f4e171e6db258d3e259c84bf3fd5 23-Oct-2013 jhb <jhb@FreeBSD.org> Finish r254925 and remove the last remaining sysctl name list macro. The
one port that used it has been fixed to use the more portable
getprotoent(3) instead.
1a884d59cfcf6f1850742e793acfc113bbc33838 19-Oct-2013 kevlo <kevlo@FreeBSD.org> - Add parentheses to all internet addresses
- All the casts to uint32_t should be to in_addr_t

Suggested by: bde
Reviewed by: bde
69104cedb7bd1435005fd8226e3a2cd06d3de77c 15-Oct-2013 kevlo <kevlo@FreeBSD.org> Treat INADDR_NONE as uint32_t.

Reviewed by: glebius
a437be72574480c1aedb04a776cc369e323fba4a 26-Aug-2013 jhb <jhb@FreeBSD.org> Remove most of the remaining sysctl name list macros. They were only
ever intended for use in sysctl(8) and it has not used them for many
years.

Reviewed by: bde
Tested by: exp-run by bdrewery
fcb67434842e8a1a8ba60a2607b55922d35887fb 27-Apr-2013 cperciva <cperciva@FreeBSD.org> Move IPPROTO_IPV6 from #ifdef __BSD_VISIBLE to #if __POSIX_VISIBLE >= 201112
since POSIX 2001 states that it shall be defined.

Reported by: sbruno
Reviewed by: jilles
MFC after: 1 week
5cc3ac590262ed14bfbf8392f27f90923b7cc7a1 22-Oct-2012 glebius <glebius@FreeBSD.org> Switch the entire IPv4 stack to keep the IP packet header
in network byte order. Any host byte order processing is
done in local variables and host byte order values are
never[1] written to a packet.

After this change a packet processed by the stack isn't
modified at all[2] except for TTL.

After this change a network stack hacker doesn't need to
scratch his head trying to figure out what is the byte order
at the given place in the stack.

[1] One exception still remains. The raw sockets convert host
byte order before passing a packet to an application. Probably
this would remain for ages for compatibility.

[2] The ip_input() still subtracts header len from ip->ip_len,
but this is planned to be fixed soon.

Reviewed by: luigi, Maxim Dounin <mdounin mdounin.ru>
Tested by: ray, Olivier Cochard-Labbe <olivier cochard.me>
32041f44edbadf78cfaf57b4d6a30f5c41b4732d 12-Jun-2012 tuexen <tuexen@FreeBSD.org> Add a IP_RECVTOS socket option to receive for received UDP/IPv4
packets a cmsg of type IP_RECVTOS which contains the TOS byte.
Much like IP_RECVTTL does for TTL. This allows to implement a
protocol on top of UDP and implementing ECN.

MFC after: 3 days
1690c6b1c4bc8bc3a23b6785748d01166ece86a6 27-May-2012 emaste <emaste@FreeBSD.org> Add IPPROTO_MPLS (rfc4023) IP protocol definition

There are currently no in-tree consumers; I'm adding it now for use by
vendor code. This matches the change OpenBSD made while implementing
MPLS in gif(4).
5bfe25432f47fc51db50d501a15474b6dadf73af 15-Oct-2011 glebius <glebius@FreeBSD.org> Add support for IPv4 /31 prefixes, as described in RFC3021.

To run a /31 network, participating hosts MUST drop support
for directed broadcasts, and treat the first and last addresses
on subnet as unicast. The broadcast address for the prefix
should be the link local broadcast address, INADDR_BROADCAST.
09f9c897d33c41618ada06fbbcf1a9b3812dee53 19-Oct-2010 jamie <jamie@FreeBSD.org> A new jail(8) with a configuration file, to replace the work currently done
by /etc/rc.d/jail.
278493a1a57074b0ff4561304d271e464a4944ef 24-Sep-2010 attilio <attilio@FreeBSD.org> Make the RPC specific __rpc_inet_ntop() and __rpc_inet_pton() general
in the kernel (just as inet_ntoa() and inet_aton() are) and sync their
prototype accordingly with already mentioned functions.

Sponsored by: Sandvine Incorporated
Reviewed by: emaste, rstone
Approved by: dfr
MFC after: 2 weeks
c6c2feb282a53da0c88c776fa754d0952cc04718 19-Aug-2010 anchie <anchie@FreeBSD.org> MFp4: anchie_soc2009 branch:

Add kernel side support for Secure Neighbor Discovery (SeND), RFC 3971.

The implementation consists of a kernel module that gets packets from
the nd6 code, sends them to user space on a dedicated socket and reinjects
them back for further processing.

Hooks are used from nd6 code paths to divert relevant packets to the
send implementation for processing in user space. The hooks are only
triggered if the send module is loaded. In case no user space
application is connected to the send socket, processing continues
normally as if the module would not be loaded. Unloading the module
is not possible at this time due to missing nd6 locking.

The native SeND socket is similar to a raw IPv6 socket but with its own,
internal pseudo-protocol.

Approved by: bz (mentor)
69ea0c9b4e42f7055ca1b8bbee0a6c37924b69ed 31-Mar-2010 delphij <delphij@FreeBSD.org> Add definition of IPv6 mobility header's protocol number, as assigned by
IANA and defined in RFC 3775.

Obtained from: KAME
153fa4f49e7ae4d39851638cfb970d383c0f8b91 23-Mar-2010 luigi <luigi@FreeBSD.org> MFC of a large number of ipfw and dummynet fixes and enhancements
done in CURRENT over the last 4 months.
HEAD and RELENG_8 are almost in sync now for ipfw, dummynet
the pfil hooks and related components.

Among the most noticeable changes:
- r200855 more efficient lookup of skipto rules, and remove O(N)
blocks from critical sections in the kernel;
- r204591 large restructuring of the dummynet module, with support
for multiple scheduling algorithms (4 available so far)
See the original commit logs for details.

Changes in the kernel/userland ABI should be harmless because the
kernel is able to understand previous requests from RELENG_8 and
RELENG_7. For this reason, this changeset would be applicable
to RELENG_7 as well, but i am not sure if it is worthwhile.
f1216d1f0ade038907195fc114b7e630623b402c 19-Mar-2010 delphij <delphij@FreeBSD.org> Create a custom branch where I will be able to do the merge.
483862a5a29b9346fa21b1e610575cc357fe333b 28-Dec-2009 luigi <luigi@FreeBSD.org> bring in several cleanups tested in ipfw3-head branch, namely:

r201011
- move most of ng_ipfw.h into ip_fw_private.h, as this code is
ipfw-specific. This removes a dependency on ng_ipfw.h from some files.

- move many equivalent definitions of direction (IN, OUT) for
reinjected packets into ip_fw_private.h

- document the structure of the packet tags used for dummynet
and netgraph;

r201049
- merge some common code to attach/detach hooks into
a single function.

r201055
- remove some duplicated code in ip_fw_pfil. The input
and output processing uses almost exactly the same code so
there is no need to use two separate hooks.
ip_fw_pfil.o goes from 2096 to 1382 bytes of .text

r201057 (see the svn log for full details)
- macros to make the conversion of ip_len and ip_off
between host and network format more explicit

r201113 (the remaining parts)
- readability fixes -- put braces around some large for() blocks,
localize variables so the compiler does not think they are uninitialized,
do not insist on precise allocation size if we have more than we need.

r201119
- when doing a lookup, keys must be in big endian format because
this is what the radix code expects (this fixes a bug in the
recently-introduced 'lookup' option)

No ABI changes in this commit.

MFC after: 1 week
7aa9b3e4c1f240775ef7f44659d10d1c10b50433 05-Dec-2009 luigi <luigi@FreeBSD.org> some simple MFC:

r200020:
change the type of the opcode from enum *:8 to u_int8_t
so the size and alignment of the ipfw_insn is not compiler dependent.
No changes in the code generated by gcc.

r200023:
Add new sockopt names for ipfw and dummynet.

This commit is just grabbing entries for the new names
that will be used in the future, so you don't need to
rebuild anything now.

r200034
Dispatch sockopt calls to ipfw and dummynet
using the new option numbers, IP_FW3 and IP_DUMMYNET3.
Right now the modules return an error if called with those arguments
so there is no danger of unwanted behaviour.

r200040
- initialize src_ip in the main loop to prevent a compiler warning
(gcc 4.x under linux, not sure how real is the complaint).
- rename a macro argument to prevent name clashes.
- add the macro name on a couple of #endif
- add a blank line for readability.
0042b1fc7042b493c963018d755e89a409d59db6 02-Dec-2009 luigi <luigi@FreeBSD.org> Add new sockopt names for ipfw and dummynet.

This commit is just grabbing entries for the new names
that will be used in the future, so you don't need to
rebuild anything now.

MFC after: 3 days
ad9ff10c114556a4301d782eb633ab4f4f9592e0 22-Nov-2009 attilio <attilio@FreeBSD.org> MFC r199208, r199223:
Move inet_aton() (specular to inet_ntoa(), already present in libkern)
into libkern in order to make it usable by other modules than alias_proxy.

Sponsored by: Sandvine Incorporated
01da2349df43dda915c9e7cdd794dff6385b3751 12-Nov-2009 attilio <attilio@FreeBSD.org> Move inet_aton() (specular to inet_ntoa(), already present in libkern)
into libkern in order to make it usable by other modules than alias_proxy.

Obtained from: Sandvine Incorporated
Sponsored by: Sandvine Incorporated
MFC: 1 week
c8ab4ab72e60824c72824342463fc881d7c7885e 08-Sep-2009 phk <phk@FreeBSD.org> Move the duplicate definition of struct sockaddr_storage to its own
include file, and include this where the previous duplicate definitions were.

Static program checkers like FlexeLint rightfully take a dim view of
duplicate definitions, even if they currently are identical.
5243d2d206ac372ee679c11bde715a4a4f2f93fd 01-Jun-2009 pjd <pjd@FreeBSD.org> - Rename IP_NONLOCALOK IP socket option to IP_BINDANY, to be more consistent
with OpenBSD (and BSD/OS originally). We can't easily do it SOL_SOCKET option
as there is no more space for more SOL_SOCKET options, but this option also
fits better as an IP socket option, it seems.
- Implement this functionality also for IPv6 and RAW IP sockets.
- Always compile it in (don't use additional kernel options).
- Remove sysctl to turn this functionality on and off.
- Introduce new privilege - PRIV_NETINET_BINDANY, which allows to use this
functionality (currently only unjail root can use it).

Discussed with: julian, adrian, jhb, rwatson, kmacy
58fce43140bb8d3abacea316b6eb11295e7bf210 14-Mar-2009 das <das@FreeBSD.org> Namespace: Defining htonl() and friends here instead of arpa/inet.h is
a BSD extension.
71233409ea6a2f4d751847c05e7aad9375278d94 09-Mar-2009 bms <bms@FreeBSD.org> Merge IGMPv3 and Source-Specific Multicast (SSM) to the FreeBSD
IPv4 stack.

Diffs are minimized against p4.
PCS has been used for some protocol verification, more widespread
testing of recorded sources in Group-and-Source queries is needed.
sizeof(struct igmpstat) has changed.

__FreeBSD_version is bumped to 800070.
28b42e9e29e039295bbaeda2d239fac5eae5e894 04-Mar-2009 bms <bms@FreeBSD.org> Add various defines/macros required by IGMPv3:
* MCAST_UNDEFINED state.
* in_allhosts() macro (group is 224.0.0.1).
This uses a const endian comparison.
* IP_MAX_GROUP_SRC_FILTER, IP_MAX_SOCK_SRC_FILTER
default resource limits.
24f22ace0209d24280c43e7ac04caf725723eac3 09-Jan-2009 adrian <adrian@FreeBSD.org> Better comment what the socket option does. Thanks to Sam Leffler
for suggesting this.
e2eee65f2168a3fcb7a12e27d463de4003f878c8 09-Jan-2009 adrian <adrian@FreeBSD.org> Implement a new IP option (not compiled/enabled by default) to allow
applications to specify a non-local IP address when bind()'ing a socket
to a local endpoint.

This allows applications to spoof the client IP address of connections
if (obviously!) they somehow are able to receive the traffic normally
destined to said clients.

This patch doesn't include any changes to ipfw or the bridging code to
redirect the client traffic through the PCB checks so TCP gets a shot
at it. The normal behaviour is that packets with a non-local destination
IP address are not handled locally. This can be dealt with some IPFW hackery;
modifications to IPFW to make this less hacky will occur in subsequent
commits.

Thanks to Julian Elischer and others at Ironport. This work was approved
and donated before Cisco acquired them.

Obtained from: Julian Elischer and others
MFC after: 2 weeks
604d89458ab94ec81eaefa2d55ef219cba461e31 02-Dec-2008 bz <bz@FreeBSD.org> Rather than using hidden includes (with circular dependencies),
directly include only the header files needed. This reduces the
unneeded spamming of various headers into lots of files.

For now, this leaves us with very few modules including vnet.h
and thus needing to depend on opt_route.h.

Reviewed by: brooks, gnn, des, zec, imp
Sponsored by: The FreeBSD Foundation
19b6af98ec71398e77874582eb84ec5310c7156f 22-Nov-2008 dfr <dfr@FreeBSD.org> Clone Kip's Xen on stable/6 tree so that I can work on improving FreeBSD/amd64
performance in Xen's HVM mode.
cf5320822f93810742e3d4a1ac8202db8482e633 19-Oct-2008 lulf <lulf@FreeBSD.org> - Import the HEAD csup code which is the basis for the cvsmode work.
8797d4caecd5881e312923ee1d07be3de68755dc 02-Oct-2008 zec <zec@FreeBSD.org> Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit

Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.

Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().

Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).

All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparison between pre- and post-change
object files(*).

(*) netipsec/keysock.c did not validate depending on compile time options.

Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
438bc1c5f58492873337beb84bc76dbe5c31f357 25-Sep-2008 jhb <jhb@FreeBSD.org> MFC: 178280
- Clean up the code that checks the types of address so that it is
done by understandable macros.
- Fix the bug that prevented the system from responding on interfaces with
link local addresses assigned.

Approved by: re (gnn)
441ddb2bf29c0056ac960cadd11797ba0d298a75 25-Sep-2008 jhb <jhb@FreeBSD.org> MFC: 178280
- Clean up the code that checks the types of address so that it is
done by understandable macros.
- Fix the bug that prevented the system from responding on interfaces with
link local addresses assigned.

Approved by: re (gnn)
0fe5e1b107285a54877a688637777ff44aa5e5b4 17-Apr-2008 gnn <gnn@FreeBSD.org> Clean up the code that checks the types of address so that it is
done by understandable macros.

Fix the bug that prevented the system from responding on interfaces with
link local addresses assigned.

PR: 120958
Submitted by: James Snow <snow at teardrop.org>
MFC after: 2 weeks
74f471aa5cf5bd53bce113fed3d0f77b5dbb534b 04-Mar-2008 rpaulo <rpaulo@FreeBSD.org> Change the default port range for outgoing connections by introducing
IPPORT_EPHEMERALFIRST and IPPORT_EPHEMERALLAST with values
10000 and 65535 respectively.
The rationale behind is that it makes the attacker's life more
difficult if he/she wants to guess the ephemeral port range and
also lowers the probability of a port collision (described in
draft-ietf-tsvwg-port-randomization-01.txt).

While there, remove code duplication in in_pcbbind_setup().

Submitted by: Fernando Gont <fernando at gont.com.ar>
Approved by: njl (mentor)
Reviewed by: silby, bms
Discussed on: freebsd-net
ffd77d9ba5a1376d64ccbb2909a7179c05de81bc 12-Jun-2007 bms <bms@FreeBSD.org> Import rewrite of IPv4 socket multicast layer to support source-specific
and protocol-independent host mode multicast. The code is written to
accommodate IPv6, IGMPv3 and MLDv2 with only a little additional work.

This change only pertains to FreeBSD's use as a multicast end-station and
does not concern multicast routing; for an IGMPv3/MLDv2 router
implementation, consider the XORP project.

The work is based on Wilbert de Graaf's IGMPv3 code drop for FreeBSD 4.6,
which is available at: http://www.kloosterhof.com/wilbert/igmpv3.html

Summary
* IPv4 multicast socket processing is now moved out of ip_output.c
into a new module, in_mcast.c.
* The in_mcast.c module implements the IPv4 legacy any-source API in
terms of the protocol-independent source-specific API.
* Source filters are lazy allocated as the common case does not use them.
They are part of per inpcb state and are covered by the inpcb lock.
* struct ip_mreqn is now supported to allow applications to specify
multicast joins by interface index in the legacy IPv4 any-source API.
* In UDP, an incoming multicast datagram only requires that the source
port matches the 4-tuple if the socket was already bound by source port.
An unbound socket SHOULD be able to receive multicasts sent from an
ephemeral source port.
* The UDP socket multicast filter mode defaults to exclusive, that is,
sources present in the per-socket list will be blocked from delivery.
* The RFC 3678 userland functions have been added to libc: setsourcefilter,
getsourcefilter, setipv4sourcefilter, getipv4sourcefilter.
* Definitions for IGMPv3 are merged but not yet used.
* struct sockaddr_storage is now referenced from <netinet/in.h>. It
is therefore defined there if not already declared in the same way
as for the C99 types.
* The RFC 1724 hack (specify 0.0.0.0/8 addresses to IP_MULTICAST_IF
which are then interpreted as interface indexes) is now deprecated.
* A patch for the Rhyolite.com routed in the FreeBSD base system
is available in the -net archives. This only affects individuals
running RIPv1 or RIPv2 via point-to-point and/or unnumbered interfaces.
* Make IPv6 detach path similar to IPv4's in code flow; functionally same.
* Bump __FreeBSD_version to 700048; see UPDATING.

This work was financially supported by another FreeBSD committer.

Obtained from: p4://bms_netdev
Submitted by: Wilbert de Graaf (original work)
Reviewed by: rwatson (locking), silence from fenner,
net@ (but with encouragement)
833c0dc8bdbc56a6e5c3e1f713dbba4a82e86240 27-Feb-2007 bms <bms@FreeBSD.org> Add INADDR_ALLRPTS_GROUP define for 224.0.0.22 for future IGMPv3 support.

Obtained from: OpenSolaris
85b469b6d6acf844bd4284c8b60b49c1a8664861 14-Feb-2007 bms <bms@FreeBSD.org> MFC rev 1.98:
Import macros IN_LINKLOCAL(), IN_PRIVATE(), IN_LOCAL_GROUP(), IN_ANY_LOCAL().
This is not a functional change.

IN_LINKLOCAL() tests if an address falls within the IPv4 link-local prefix.
IN_PRIVATE() tests if an address falls within an RFC 1918 private prefix.
IN_LOCAL_GROUP() tests if an address falls within the statically assigned
link-local multicast scope specified in RFC 2365.
IN_ANY_LOCAL() tests for either of IN_LINKLOCAL() or IN_LOCAL_GROUP().

As with the existing macros in the FreeBSD netinet stack, comparisons
are performed in host-byte order.

See also: RFC 1918, RFC 2365, RFC 3927
Obtained from: NetBSD (dyoung@)
cad0bb8b1623afcd1ac92da90371f8c8c4d101bf 31-Jan-2007 bms <bms@FreeBSD.org> Import macros IN_LINKLOCAL(), IN_PRIVATE(), IN_LOCAL_GROUP(), IN_ANY_LOCAL().
This is not a functional change.

IN_LINKLOCAL() tests if an address falls within the IPv4 link-local prefix.
IN_PRIVATE() tests if an address falls within an RFC 1918 private prefix.
IN_LOCAL_GROUP() tests if an address falls within the statically assigned
link-local multicast scope specified in RFC 2365.
IN_ANY_LOCAL() tests for either of IN_LINKLOCAL() or IN_LOCAL_GROUP().

As with the existing macros in the FreeBSD netinet stack, comparisons
are performed in host-byte order.

See also: RFC 1918, RFC 2365, RFC 3927
Obtained from: NetBSD (dyoung@)
MFC after: 2 weeks
0db606a3b135b207a944e841f0142c30f4f43ceb 29-Dec-2006 piso <piso@FreeBSD.org> Summer of Code 2005: improve libalias - part 2 of 2

With the second (and last) part of my previous Summer of Code work, we get:

-ipfw's in kernel nat

-redirect_* and LSNAT support

General information about nat syntax and some examples are available
in the ipfw (8) man page. The redirect and LSNAT syntax are identical
to natd, so please refer to natd (8) man page.

To enable in kernel nat in rc.conf, two options were added:

o firewall_nat_enable: equivalent to natd_enable

o firewall_nat_interface: equivalent to natd_interface

Remember to set net.inet.ip.fw.one_pass to 0, if you want the packet
to continue being checked by the firewall ruleset after being
(de)aliased.

NOTA BENE: due to some problems with libalias architecture, in kernel
nat won't work with TSO enabled nic, thus you have to disable TSO via
ifconfig (ifconfig foo0 -tso).

Approved by: glebius (mentor)
18895e4f429bdde8c9a49ec2740de9f7ee1eb851 14-May-2006 bms <bms@FreeBSD.org> Fix a long-standing limitation in IPv4 multicast group membership.

By making the imo_membership array a dynamically allocated vector,
this minimizes disruption to existing IPv4 multicast code. This
change breaks the ABI for the kernel module ip_mroute.ko, and may
cause a small amount of churn for folks working on the IGMPv3 merge.

Previously, sockets were subject to a compile-time limitation on
the number of IPv4 group memberships, which was hard-coded to 20.
The imo_membership relationship, however, is 1:1 with regards to
a tuple of multicast group address and interface address. Users who
ran routing protocols such as OSPF ran into this limitation on machines
with a large system interface tree.
cdcd368c4f9a5e4c5817f6867f6699939691cdf3 27-Dec-2005 gnn <gnn@FreeBSD.org> MFC of SCTP protocol number.
1e54d54964c647332ca6619ee5d8244c0485d095 20-Dec-2005 delphij <delphij@FreeBSD.org> Use consistent indent character as other IPPROTO_* lines did.
9736e3d822518c1bd0207b76d3614e585d7b1229 20-Dec-2005 gnn <gnn@FreeBSD.org> Add protocol number for SCTP.

Submitted by: Randall Stewart rrs at cisco.com
MFC after: 1 week
882a00088153db211bd33548fb783b20f2ee16b6 02-Oct-2005 andre <andre@FreeBSD.org> MFC IP_DONTFRAG IP socket option.

Approved by: re (scottl)
1d50cd7eb988660990181de5c74b6e63d57812ab 01-Oct-2005 andre <andre@FreeBSD.org> MFC: IP_MINTTL socket option.

Approved by: re (scottl)
a15c06842ee037a714984a8801c70197df361083 29-Sep-2005 rwatson <rwatson@FreeBSD.org> Merge if.c:1.247, in.c:1.88, in.h:1.92 from HEAD to RELENG_6:

Take a first cut at cleaning up ifnet removal and multicast socket
panics, which occur when stale ifnet pointers are left in struct
moptions hung off of inpcbs:

- Add in_ifdetach(), which matches in6_ifdetach(), and allows the
protocol to perform early tear-down on the interface early in
if_detach().

- Annotate that if_detach() needs careful consideration.

- Remove calls to in_pcbpurgeif0() in the handling of SIOCDIFADDR --
this is not the place to detect interface removal! This also
removes what is basically a nasty (and now unnecessary) hack.

- Invoke in_pcbpurgeif0() from in_ifdetach(), in both raw and UDP
IPv4 sockets.

It is now possible to run the msocket_ifnet_remove regression test
using HEAD without panicking.

Reported by: Gavin Atkinson <gavin dot atkinson at ury dot york dot ac dot uk>

Approved by: re (scottl)
bedcd4ace8e6c1ce8c4308a2e5dd2e0a92d9ac06 26-Sep-2005 andre <andre@FreeBSD.org> Implement IP_DONTFRAG IP socket option enabling the Don't Fragment
flag on IP packets. Currently this option is only respected on udp
and raw ip sockets. On tcp sockets the DF flag is controlled by the
path MTU discovery option.

Sending a packet larger than the MTU size of the egress interface
returns an EMSGSIZE error.

Discussed with: rwatson
Sponsored by: TCP/IP Optimization Fundraise 2005
64eedb0310efb0ac8456dd7ad217d0bb521fb0fe 18-Sep-2005 rwatson <rwatson@FreeBSD.org> Take a first cut at cleaning up ifnet removal and multicast socket
panics, which occur when stale ifnet pointers are left in struct
moptions hung off of inpcbs:

- Add in_ifdetach(), which matches in6_ifdetach(), and allows the
protocol to perform early tear-down on the interface early in
if_detach().

- Annotate that if_detach() needs careful consideration.

- Remove calls to in_pcbpurgeif0() in the handling of SIOCDIFADDR --
this is not the place to detect interface removal! This also
removes what is basically a nasty (and now unnecessary) hack.

- Invoke in_pcbpurgeif0() from in_ifdetach(), in both raw and UDP
IPv4 sockets.

It is now possible to run the msocket_ifnet_remove regression test
using HEAD without panicking.

MFC after: 3 days
573a9535a81268ee8fa937d020dad86235127d2c 22-Aug-2005 andre <andre@FreeBSD.org> Add socketoption IP_MINTTL. May be used to set the minimum acceptable
TTL a packet must have when received on a socket. All packets with a
lower TTL are silently dropped. Works on already connected/connecting
and listening sockets for RAW/UDP/TCP.

This option is only really useful when set to 255 preventing packets
from outside the directly connected networks reaching local listeners
on sockets.

Allows userland implementation of 'The Generalized TTL Security Mechanism
(GTSM)' according to RFC3682. Examples of such use include the Cisco IOS
BGP implementation command "neighbor ttl-security".

MFC after: 2 weeks
Sponsored by: TCP/IP Optimization Fundraise 2005
e1d22638d0a8257ed01b7f95d1b6d5cef74ebd07 22-Feb-2005 glebius <glebius@FreeBSD.org> Add CARP (Common Address Redundancy Protocol), which allows multiple
hosts to share an IP address, providing high availability and load
balancing.

Original work on CARP done by Michael Shalayeff, with many
additions by Marco Pfatschbacher and Ryan McBride.

FreeBSD port done solely by Max Laier.

Patch by: mlaier
Obtained from: OpenBSD (mickey, mcbride)
a50ffc29129a52835a39bf4868cd5facdc7dce30 07-Jan-2005 imp <imp@FreeBSD.org> /* -> /*- for license, minor formatting changes
11ab41ab2fcf910d0a343664eb523a47314b88c3 19-Oct-2004 andre <andre@FreeBSD.org> Pre-emptively define IPPROTO_SPACER to 32767, the same value as PROTO_SPACER
to document that this value is globally assigned for a special purpose and
may not be reused within the IPPROTO number space.
87aa99bbbbf620c4ce98996d472fdae45f077eae 16-Aug-2004 rwatson <rwatson@FreeBSD.org> White space cleanup for netinet before branch:

- Trailing tab/space cleanup
- Remove spurious spaces between or before tabs

This change avoids touching files that Andre likely has in his working
set for PFIL hooks changes for IPFW/DUMMYNET.

Approved by: re (scottl)
Submitted by: Xin LI <delphij@frontfree.net>
a93503bce5774a1d50bc8d2659fa612fd093c64a 11-Aug-2004 andre <andre@FreeBSD.org> Add the function in_localip() which returns 1 if an internet address is for
the local host and configured on one of its interfaces.
18ff3600274a040e5de7283d8307f491d309ab41 16-Jun-2004 mlaier <mlaier@FreeBSD.org> Prepare for pf 3.5 import:
- Remove pflog and pfsync modules. Things will change in such a fashion
that there will be one module with pf+pflog that can be loaded into
GENERIC without problems (which is what most people want). pfsync is no
longer possible as a module.
- Add multicast address for in-kernel multicast pfsync protocol. Protocol
glue will follow once the import is done.
- Add one more mbuf tag
27bed143c8c7c9b562797f2484f88fdaa8bc1e39 09-Jun-2004 ru <ru@FreeBSD.org> Introduce a new feature to IPFW2: lookup tables. These are useful
for handling large sparse address sets. Initial implementation by
Vsevolod Lobko <seva@ip.net.ua>, refined by me.

MFC after: 1 week
b49b7fe7994689a25dfc2162fe02f1d030360089 07-Apr-2004 imp <imp@FreeBSD.org> Remove advertising clause from University of California Regent's
license, per letter dated July 22, 1999 and email from Peter Wemm,
Alan Cox and Robert Watson.

Approved by: core, peter, alc, rwatson
b3c1e801753069192b4fa8fc22662fa3052ec7c7 25-Oct-2003 ume <ume@FreeBSD.org> correct namespace pollution.

Submitted by: bde
881c4fa39150df7d0de2dae7ae808f6a73cb199a 24-Oct-2003 ume <ume@FreeBSD.org> Switch Advanced Sockets API for IPv6 from RFC2292 to RFC3542
(aka RFC2292bis). Though I believe this commit doesn't break
backward compatibility against existing binaries, it breaks
backward compatibility of API.
Now, the applications which use Advanced Sockets API such as
telnet, ping6, mld6query and traceroute6 use RFC3542 API.

Obtained from: KAME
3af3c5ae44ef98b9f2da135dcb64cfc12acd0f39 20-Aug-2003 bms <bms@FreeBSD.org> Add the IP_ONESBCAST option, to enable undirected IP broadcasts to be sent on
specific interfaces. This is required by aodvd, and may in future help us
in getting rid of the requirement for BPF from our import of isc-dhcp.

Suggested by: fenestro
Obtained from: BSD/OS
Reviewed by: mini, sam
Approved by: jake (mentor)
22b74d7669536646fea2e19cfe101635b524360a 07-Aug-2003 hsu <hsu@FreeBSD.org> 1. Basic PIM kernel support
Disabled by default. To enable it, the new "options PIM" must be
added to the kernel configuration file (in addition to MROUTING):

options MROUTING # Multicast routing
options PIM # Protocol Independent Multicast

2. Add support for advanced multicast API setup/configuration and
extensibility.

3. Add support for kernel-level PIM Register encapsulation.
Disabled by default. Can be enabled by the advanced multicast API.

4. Implement a mechanism for "multicast bandwidth monitoring and upcalls".

Submitted by: Pavlin Radoslavov <pavlin@icir.org>
7c250e7fe6babc804765231f92101de8b45258a8 29-Apr-2003 mdodd <mdodd@FreeBSD.org> Add definitions for IN6ADDR_LINKLOCAL_ALLMDNS_INIT and INADDR_ALLMDNS_GROUP.
6afaafd2aaf53c793eefeb6d602c1038625e9bff 29-Apr-2003 mdodd <mdodd@FreeBSD.org> IP_RECVTTL socket option.

Reviewed by: Stuart Cheshire <cheshire@apple.com>
ccc6071f7ea7e2ba54dfcf45ff8afda2e395aa3d 02-Apr-2003 mdodd <mdodd@FreeBSD.org> Back out support for RFC3514.

RFC3514 poses an unacceptable risk to compliant systems.
e72fdee732ab55fc784034c81ccedda4b5279816 01-Apr-2003 mdodd <mdodd@FreeBSD.org> Implement support for RFC 3514 (The Security Flag in the IPv4 Header).
(See: ftp://ftp.rfc-editor.org/in-notes/rfc3514.txt)

This fulfills the host requirements for userland support by
way of the setsockopt() IP_EVIL_INTENT message.

There are three sysctl tunables provided to govern system behavior.

net.inet.ip.rfc3514:

Enables support for rfc3514. As this is an
Informational RFC and support is not yet widespread
this option is disabled by default.

net.inet.ip.hear_no_evil

If set the host will discard all received evil packets.

net.inet.ip.speak_no_evil

If set the host will discard all transmitted evil packets.

The IP statistics counter 'ips_evil' (available via 'netstat') provides
information on the number of 'evil' packets received.

For reference, the '-E' option to 'ping' has been provided to demonstrate
and test the implementation.
d3367c5f5d3ddcc6824d8f41c4cf179f9a5588f8 01-Jan-2003 schweikh <schweikh@FreeBSD.org> Correct typos, mostly s/ a / an / where appropriate. Some whitespace cleanup,
especially in troff files.
68784e2b89c00e55ec18f52a94e0a73b1e5a63ff 29-Oct-2002 fenner <fenner@FreeBSD.org> Renumber IPPROTO_DIVERT out of the range of valid IP protocol numbers.
This allows socket() to return an error when the kernel is not built
with IPDIVERT, and doesn't prevent future applications from using the
"borrowed" IP protocol number. The sysctl net.inet.raw.olddiverterror
controls whether opening a socket with the "borrowed" IP protocol
fails with an accompanying kernel printf; this code should last only a
couple of releases.

Approved by: re
4d33fec54145dd857e0d47d64751830d35fcfc97 21-Oct-2002 iedowse <iedowse@FreeBSD.org> Implement a new IP_SENDSRCADDR ancillary message type that permits
a server process bound to a wildcard UDP socket to select the IP
address from which outgoing packets are sent on a per-datagram
basis. When combined with IP_RECVDSTADDR, such a server process can
guarantee to reply to an incoming request using the same source IP
address as the destination IP address of the request, without having
to open one socket per server IP address.

Discussed on: -net
Approved by: re
f230fa27fb7dfbf8aa6fc49c6b846e56a35aada0 04-Sep-2002 sobomax <sobomax@FreeBSD.org> Add in_hosteq() and in_nullhost() macros to make life of developers
porting NetBSD code a little bit easier.

Obtained from: NetBSD
9e6f796b0d2083dcc48c062853660f96db0a3c8d 21-Aug-2002 mike <mike@FreeBSD.org> o Merge <machine/ansi.h> and <machine/types.h> into a new header
called <machine/_types.h>.
o <machine/ansi.h> will continue to live so it can define MD clock
macros, which are only MD because of gratuitous differences between
architectures.
o Change all headers to make use of this. This mainly involves
changing:
#ifdef _BSD_FOO_T_
typedef _BSD_FOO_T_ foo_t;
#undef _BSD_FOO_T_
#endif
to:
#ifndef _FOO_T_DECLARED
typedef __foo_t foo_t;
#define _FOO_T_DECLARED
#endif

Concept by: bde
Reviewed by: jake, obrien
3ef853a60c9cecff32830b522d44504ec37f7b77 11-May-2002 mike <mike@FreeBSD.org> Remove some duplicate types that should have been removed as part of
the rearranging in the previous revision.

Pointy hat to: cvs update (merging), mike (for not noticing)
491520a810d46a6e5fa90ea1cef40cf1240a981f 24-Apr-2002 mike <mike@FreeBSD.org> Rearrange <netinet/in.h> so that it is easier to conditionalize
sections for various standards. Conditionalize sections for various
standards. Use standards conforming spelling for types in the
sockaddr_in structure.
39f7a31d8080bfe4427a83cb28ee01fef0e3831a 20-Apr-2002 mike <mike@FreeBSD.org> Add sa_family_t type to <sys/_types.h> and typedefs to <netinet/in.h>
and <sys/socket.h>. Previously, sa_family_t was only typedef'd in
<sys/socket.h>.
5c10a8af2430ee1c789444ca9d8863296bdf2765 10-Apr-2002 silby <silby@FreeBSD.org> Totally nuke IPPORT_USERRESERVED, it is no longer used anywhere, update
remaining comments to reflect new ephemeral port range.

Reminded by: Maxim Konovalov <maxim@macomnet.ru>
MFC after: 3 days
4100d7ad0fd1685daadebee6380b55dc43d1a944 10-Apr-2002 mike <mike@FreeBSD.org> Unconditionalize the definition of INET_ADDRSTRLEN and
INET6_ADDRSTRLEN. Doing this helps expose bogus redefinitions in 3rd
party software.
5339bdcf65d36dc5d915628cfbc4f2b777a338de 09-Apr-2002 silby <silby@FreeBSD.org> Update comments to reflect the recent ephemeral port range
change.

Noticed by: ru
MFC After: 1 day
beecc37c73ebf8cf27e26fe5fc3a80fd02535ac4 01-Apr-2002 mike <mike@FreeBSD.org> o Implement <sys/_types.h>, a new header for storing types that are
MI, not required to be a fixed size, and used in multiple headers.
This will grow in time, as more things move here from <sys/types.h>
and <machine/ansi.h>.
o Add missing type definitions (uint16_t and uint32_t) to
<arpa/inet.h> and <netinet/in.h>.
o Reduce pollution in <sys/types.h> by using `#if _FOO_T_DECLARED'
widgets to avoid including <sys/stdint.h>.
o Add some missing type definitions to <unistd.h> and note the ones
that still need to be added.
o Make use of <sys/_types.h> primitives in <grp.h> and <sys/types.h>.

Reviewed by: bde
357e37e023059920b1f80494e489797e2f69a3dd 19-Mar-2002 alfred <alfred@FreeBSD.org> Remove __P.
b9910027dd0cf95c5e683b596045e215cb76ba18 10-Mar-2002 mike <mike@FreeBSD.org> o Add INET_ADDRSTRLEN and INET6_ADDRSTRLEN defines to <arpa/inet.h>
for POSIX.1-2001 conformance.
o Add magic to <netinet/in.h> and <netinet6/in6.h> to prevent
redefining INET_ADDRSTRLEN and INET6_ADDRSTRLEN.
o Add a note about missing typedefs in <arpa/inet.h>.
b8cc0d1207ca0471e0fc9e82c60e6e0c76b9dd98 09-Mar-2002 mike <mike@FreeBSD.org> o Don't require long long support in bswap64() functions.
o In i386's <machine/endian.h>, macros have some advantages over
inlines, so change some inlines to macros.
o In i386's <machine/endian.h>, ungarbage collect word_swap_int()
(previously __uint16_swap_uint32), it has some uses on i386's with
PDP endianness.

Submitted by: bde

o Move a comment up in <machine/endian.h> that was accidentally moved
down a few revisions ago.
o Reenable userland's use of optimized inline-asm versions of
byteorder(3) functions.
o Fix ordering of prototypes vs. redefinition of byteorder(3)
functions, so that the non-GCC (libc asm) case has proper
prototypes.
o Add proper prototypes for byteorder(3) functions in <sys/param.h>.
o Prevent redundant duplicate prototypes by making use of the
_BYTEORDER_PROTOTYPED define.
o Move the bswap16(), bswap32(), bswap64() C functions into MD space
for platforms in which asm versions don't exist. This significantly
reduces the complexity of some things at the cost of duplicate code.

Reviewed by: bde
bcee06d42c20a8ea0e6c6ffb8924e16e7e793c0f 18-Feb-2002 mike <mike@FreeBSD.org> o Move NTOHL() and associated macros into <sys/param.h>. These are
deprecated in favor of the POSIX-defined lowercase variants.
o Change all occurrences of NTOHL() and associated macros in the
source tree to use the lowercase function variants.
o Add missing license bits to sparc64's <machine/endian.h>.
Approved by: jake
o Clean up <machine/endian.h> files.
o Remove unused __uint16_swap_uint32() from i386's <machine/endian.h>.
o Remove prototypes for non-existent bswapXX() functions.
o Include <machine/endian.h> in <arpa/inet.h> to define the
POSIX-required ntohl() family of functions.
o Do similar things to expose the ntohl() family in libstand, <netinet/in.h>,
and <sys/param.h>.
o Prepend underscores to the ntohl() family to help deal with
complexities associated with having MD (asm and inline) versions, and
having to prevent exposure of these functions in other headers that
happen to make use of endian-specific defines.
o Create weak aliases to the canonical function name to help deal with
third-party software forgetting to include an appropriate header.
o Remove some now unneeded pollution from <sys/types.h>.
o Add missing <arpa/inet.h> includes in userland.

Tested on: alpha, i386
Reviewed by: bde, jake, tmm
20cacce16c233112fc71cb819fa0db765acba715 01-Dec-2001 mike <mike@FreeBSD.org> o Stop abusing MD headers with non-MD types.
o Hide nonstandard functions and types in <netinet/in.h> when
_POSIX_SOURCE is defined.
o Add some missing types (required by POSIX.1-200x) to <netinet/in.h>.
o Restore vendor ID from Rev 1.1 in <netinet/in.h> and make use of new
__FBSDID() macro.
o Fix some miscellaneous issues in <arpa/inet.h>.
o Correct final argument for the inet_ntop() function (POSIX.1-200x).
o Get rid of the namespace pollution from <sys/types.h> in
<arpa/inet.h>.

Reviewed by: fenner
Partially submitted by: bde
17d77e934622c40b38b3ea7e9d9486bf6c67f15f 29-Sep-2001 jlemon <jlemon@FreeBSD.org> Centralize satosin(), sintosa() and ifatoia() macros in <netinet/in.h>
Remove local definitions.
af2cc9a06808d52ba584bc2c8b5d4b2472ddac38 27-Sep-2001 luigi <luigi@FreeBSD.org> Remove unused (and duplicate) struct ip_opts which is never used,
not referenced in Stevens, and does not compile with g++.
There is an equivalent structure, struct ipoption in ip_var.h
which is actually used in various parts of the kernel, and also referenced
in Stevens.

Bill Fenner also says:
... if you want the trivia, struct ip_opts was introduced
in in.h SCCS revision 7.9, on 6/28/1990, by Mike Karels.
struct ipoption was introduced in ip_var.h SCCS revision 6.5,
on 9/16/1985, by... Mike Karels.

MFC-after: 3 days
89d8e7c7546d2bcd7666487fe24dbca2b5f35158 15-Jun-2001 peter <peter@FreeBSD.org> Fix a stack of KAME netinet6/in6.h warnings:
592: warning: `struct mbuf' declared inside parameter list
595: warning: `struct ifnet' declared inside parameter list
aabe84d0cbca8d7eed5bd5b81cb33f80bca39a55 23-Mar-2001 ume <ume@FreeBSD.org> IPv4 address is not unsigned int. This change introduces in_addr_t.

PR: 9982
Adviced by: des
Reviewed by: -alpha and -net (no objection)
Obtained from: OpenBSD
ab5676fc870d2d819cf41120313443182db079cf 21-Feb-2001 rwatson <rwatson@FreeBSD.org> o Move per-process jail pointer (p->pr_prison) to inside of the subject
credential structure, ucred (cr->cr_prison).
o Allow jail inheritance to be a function of credential inheritance.
o Abstract prison structure reference counting behind pr_hold() and
pr_free(), invoked by the similarly named credential reference
management functions, removing this code from per-ABI fork/exit code.
o Modify various jail() functions to use struct ucred arguments instead
of struct proc arguments.
o Introduce jailed() function to determine if a credential is jailed,
rather than directly checking pointers all over the place.
o Convert PRISON_CHECK() macro to prison_check() function.
o Move jail() function prototypes to jail.h.
o Emulate the P_JAILED flag in fill_kinfo_proc() and no longer set the
flag in the process flags field itself.
o Eliminate that "const" qualifier from suser/p_can/etc to reflect
mutex use.

Notes:

o Some further cleanup of the linux/jail code is still required.
o It's now possible to consider resolving some of the process vs
credential based permission checking confusion in the socket code.
o Mutex protection of struct prison is still not present, and is
required to protect the reference count plus some fields in the
structure.

Reviewed by: freebsd-arch
Obtained from: TrustedBSD Project
ec09e340cef61cfdf365ffecedbf4459c06ed79a 14-Feb-2001 asmodai <asmodai@FreeBSD.org> Add definitions for IPPROTO numbers 55-57.
4cc04a654fa69b6f6a0caec3df82f95082ad05c4 12-Jan-2001 bmilekic <bmilekic@FreeBSD.org> Prototype inet_ntoa_r and thereby silence a warning from GCC. The function
is prototyped immediately under inet_ntoa, which is also from libkern.
5f4e854de19331a53788d6100bbcd42845056bc1 04-Jul-2000 itojun <itojun@FreeBSD.org> sync with kame tree as of july00. tons of bug fixes/improvements.

API changes:
- additional IPv6 ioctls
- IPsec PF_KEY API was changed, it is mandatory to upgrade setkey(8).
(also syntax change)
2b2c2a8b666b5d6fd19bd3cf86c81751fd2411ea 06-May-2000 jlemon <jlemon@FreeBSD.org> Add #include <machine/in_cksum.h>, in order to pick up the checksum
inline functions and prototypes.
b42951578188c5aab5c9f8cbcde4a743f8092cdc 02-Apr-2000 cvs2svn <cvs2svn@FreeBSD.org> This commit was manufactured by cvs2svn to create branch 'ALSA'.
a0c9aca93ba39577e7f36147df6ca979625e77b1 10-Feb-2000 shin <shin@FreeBSD.org> Forbid include of some inet6 header files from wrong place

KAME put INET6 related stuff into sys/netinet6 dir, but IPv6
standard API(RFC2553) require following files to be under sys/netinet.
netinet/ip6.h
netinet/icmp6.h
Now those header files just include each following files.
netinet6/ip6.h
netinet6/icmp6.h

Also KAME has netinet6/in6.h for easy INET6 common defs
sharing between different BSDs, but RFC2553 requires only
netinet/in.h should be included from userland.
So netinet/in.h also includes netinet6/in6.h inside.

To keep apps portability, apps should not directly include
above files from netinet6 dir.
Ideally, all contents of,
netinet6/ip6.h
netinet6/icmp6.h
netinet6/in6.h
should be moved into
netinet/ip6.h
netinet/icmp6.h
netinet/in.h
but to avoid big changes in this stage, add some hack, that
-Put some special macro define into those files under netinet
-Let files under netinet6 cause error if it is included
from some apps, and, if the special macro define is not
defined.
(which should have been defined if files under netinet is
included)
-And let them print an error message which tells the
correct name of the include file to be included.

Also fix apps which includes invalid header files.

Approved by: jkh

Obtained from: KAME project
15b9bcb121e1f3735a2c98a11afdb52a03301d7e 29-Dec-1999 peter <peter@FreeBSD.org> Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL"
is an application space macro and the applications are supposed to be free
to use it as they please (but cannot). This is consistent with the other
BSD's who made this change quite some time ago. More commits to come.
50ba589c666f7d356304339b9cfc7fc9d173ad8d 22-Dec-1999 shin <shin@FreeBSD.org> IPSEC support in the kernel.
pr_input() routines prototype is also changed to support IPSEC and IPV6
chained protocol headers.

Reviewed by: freebsd-arch, cvs-committers
Obtained from: KAME project
7efc91cadcfeb421fc4d02ba94db784616f3714c 05-Nov-1999 shin <shin@FreeBSD.org> KAME related header files additions and merges.
(only those which don't affect c source files so much)

Reviewed by: cvs-committers
Obtained from: KAME project
3b842d34e82312a8004a7ecd65ccdb837ef72ac1 28-Aug-1999 peter <peter@FreeBSD.org> $Id$ -> $FreeBSD$
d848a791d143dcd43bbfd4243df4fe61c62fac41 01-Aug-1999 green <green@FreeBSD.org> Make ipfw's logging more dynamic. Now, log will use the default limit
_or_ you may specify "log logamount number" to set logging specifically
the rule.
In addition, "ipfw resetlog" has been added, which will reset the
logging counters on any/all rule(s). ipfw resetlog does not affect
the packet/byte counters (as ipfw reset does), and is the only "set"
command that can be run at securelevel >= 3.
This should address complaints about not being able to set logging
amounts, not being able to restart logging at a high securelevel,
and not being able to just reset logging without resetting all of the
counters in a rule.
41db63d93aff1cb9a9b829a9b4cf815100d50951 08-May-1999 peter <peter@FreeBSD.org> Pre-declare struct proc to avoid 'inside param list' warnings.
2085d1a0500e60ec06a7ca2ded31bde3fe581bd6 04-May-1999 luigi <luigi@FreeBSD.org> Free the dummynet descriptor in ip_dummynet, not in the called
routines. The descriptor contains parameters which could be used
within those routines (eg. ip_output() ).

On passing, add IPPROTO_PGM entry to netinet/in.h
ca21a25f173ed030b0093e4d83140e3b0b43db01 28-Apr-1999 phk <phk@FreeBSD.org> This Implements the mumbled about "Jail" feature.

This is a seriously beefed up chroot kind of thing. The process
is jailed along the same lines as a chroot does it, but with
additional tough restrictions imposed on what the superuser can do.

For all I know, it is safe to hand over the root bit inside a
prison to the customer living in that prison, this is what
it was developed for in fact: "real virtual servers".

Each prison has an ip number associated with it, which all IP
communications will be coerced to use and each prison has its own
hostname.

Needless to say, you need more RAM this way, but the advantage is
that each customer can run their own particular version of apache
and not stomp on the toes of their neighbors.

It generally does what one would expect, but setting up a jail
still takes a little knowledge.

A few notes:

I have no scripts for setting up a jail, don't ask me for them.

The IP number should be an alias on one of the interfaces.

mount a /proc in each jail, it will make ps more useable.

/proc/<pid>/status tells the hostname of the prison for
jailed processes.

Quotas are only sensible if you have a mountpoint per prison.

There are no provisions for stopping resource-hogging.

Some "#ifdef INET" and similar may be missing (send patches!)

If somebody wants to take it from here and develop it into
more of a "virtual machine" they should be most welcome!

Tools, comments, patches & documentation most welcome.

Have fun...

Sponsored by: http://www.rndassociates.com/
Run for almost a year by: http://www.servetheweb.com/
f9bc841320c631b24281c6561466509a4771b0f0 20-Apr-1999 peter <peter@FreeBSD.org> Tidy up some stray / unused stuff in the IPFW package and friends.
- unifdef -DCOMPAT_IPFW (this was on by default already)
- remove traces of in-kernel ip_nat package, it was never committed.
- Make IPFW and DUMMYNET initialize themselves rather than depend on
compiled-in hooks in ip_init(). This means they initialize the same
way both in-kernel and as kld modules. (IPFW initializes now :-)
4b628fa86de9e1f3e478283a0118b2209ccc5885 14-Dec-1998 luigi <luigi@FreeBSD.org> Last bits (i think) of dummynet for -current.
a76fb5eefabdc9418c911bf0b61768d533c15cbd 23-Aug-1998 wollman <wollman@FreeBSD.org> Yow! Completely change the way socket options are handled, eliminating
another specialized mbuf type in the process. Also clean up some
of the cruft surrounding IPFW, multicast routing, RSVP, and other
ill-explored corners.
22a5d80812f1c709917ff24ff791b1f952f8d6f7 06-Jul-1998 julian <julian@FreeBSD.org> Support for IPFW based transparent forwarding.
Any packet that can be matched by a ipfw rule can be redirected
transparently to another port or machine. Redirection to another port
mostly makes sense with tcp, where a session can be set up
between a proxy and an unsuspecting client. Redirection to another machine
requires that the other machine also be expecting to receive the forwarded
packets, as their headers will not have been modified.

/sbin/ipfw must be recompiled!!!

Reviewed by: Peter Wemm <peter@freebsd.org>
Submitted by: Chrisy Luke <chrisy@flix.net>
30cc111a0f023e7efe54d7c4ec29f9673fbc4901 06-Jun-1998 julian <julian@FreeBSD.org> Fix wrong data type for a pointer.
2cda12b561a47f469b0a05b3854a548c841356a9 06-Jun-1998 julian <julian@FreeBSD.org> clean up the changes made to ipfw over the last weeks
(should make the ipfw lkm work again)
5f8a4130d8dd1d4441beb5fba01ab53b331a9111 19-May-1998 dg <dg@FreeBSD.org> Added fast IP forwarding code by Matt Thomas <matt@3am-software.com> via
NetBSD, ported to FreeBSD by Pierre Beyssac <pb@fasterix.freenix.org> and
minorly tweaked by me.
This is a standard part of FreeBSD, but must be enabled with:
"sysctl -w net.inet.ip.fastforwarding=1" ...and of course forwarding must
also be enabled. This should probably be modified to use the zone
allocator for speed and space efficiency. The current algorithm also
appears to lose if the number of active paths exceeds IPFLOW_MAX (256),
in which case it wastes lots of time trying to figure out which cache
entry to drop.
7467b35443d0588a1831915f0a0cb8b3f6ba65c5 10-May-1998 jb <jb@FreeBSD.org> Treat all internet addresses as u_int32_t.
0f961b2277a016486da4e8a38c3c8e2e4630944d 19-Apr-1998 phk <phk@FreeBSD.org> According to:

ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers

port numbers are divided into three ranges:

0 - 1023 Well Known Ports
1024 - 49151 Registered Ports
49152 - 65535 Dynamic and/or Private Ports

This patch changes the "local port range" from 40000-44999
to the range shown above (plus fix the comment in in_pcb.c).

WARNING: This may have an impact on firewall configurations!

PR: 5402
Reviewed by: phk
Submitted by: Stephen J. Roznowski <sjr@home.net>
586efaf85d285fea40e0e51d2c0c4de42bfae2e1 25-Feb-1998 julian <julian@FreeBSD.org> OOPs typo TCF, not TCP....
9f72afe0f750da4c723f92f8f2de764608bd5575 25-Feb-1998 julian <julian@FreeBSD.org> Bring our in.h up to date with respect to allocated
IP protocol numbers. It is possible that the names may require tuning,
but the numbers represent what is in rfc1700 which is the present
active RFC.
11fbae904270b422a9ad9544d95c00a56f74e51e 16-Feb-1998 guido <guido@FreeBSD.org> Add new sysctl variable: net.inet.ip.accept_sourceroute
It controls if the system is to accept source routed packets.
It used to be such that, no matter the setting of net.inet.ip.sourceroute,
source routed packets destined at us would be accepted. Now it is
controllable with the default set to NOT accept those.
0506343883d62f6649f7bbaf1a436133cef6261d 11-Jan-1998 cvs2svn <cvs2svn@FreeBSD.org> This commit was manufactured by cvs2svn to create branch 'jb'.
7c6e96080c4fb49bf912942804477d202a53396c 10-Jan-1998 cvs2svn <cvs2svn@FreeBSD.org> This commit was manufactured by cvs2svn to create branch 'JB'.
6c4e9fc61332696898bfd76840cc344e5d8f7b95 25-Sep-1997 wollman <wollman@FreeBSD.org> Export ipstat via sysctl. Don't understand why this wasn't done before.
94b6d727947e1242356988da003ea702d41a97de 22-Feb-1997 peter <peter@FreeBSD.org> Back out part 1 of the MCFH that changed $Id$ to $FreeBSD$. We are not
ready for it yet.
808a36ef658c1810327b5d329469bcf5dad24b28 14-Jan-1997 jkh <jkh@FreeBSD.org> Make the long-awaited change from $Id$ to $FreeBSD$

This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore. This update would have been
insane otherwise.
2a7e4d562f4977127aa5f5a0abb201656a252dde 30-Dec-1996 peter <peter@FreeBSD.org> Add INADDR_LOOPBACK, moved from <rpc/rpc.h>
51fa6f0e6c383037d81db2731606bf56378e1128 11-Nov-1996 fenner <fenner@FreeBSD.org> Add the IP_RECVIF socket option, which supplies a packet's incoming interface
using a sockaddr_dl.

Fix the other packet-information socket options (SO_TIMESTAMP, IP_RECVDSTADDR)
to work for multicast UDP and raw sockets as well. (They previously only
worked for unicast UDP).
a197836ae2c867853f50806481014a7309e0c3da 22-Oct-1996 sos <sos@FreeBSD.org> Changed args to the nat functions.
357e1b74cb7e558ee041bc0d7993aa657186af36 19-Oct-1996 alex <alex@FreeBSD.org> Reword two comments.
6fc54fe251487977f8ca4fe6fc5c87f29dc9a5a3 21-Aug-1996 sos <sos@FreeBSD.org> Add hooks for an IP NAT module, much like the firewall stuff...
Move the sockopt definitions for the firewall code from
ip_fw.h to in.h where it belongs.
cff0cee56f8b022e93a2ce161b76444796020180 12-Aug-1996 peter <peter@FreeBSD.org> Add two more portrange sysctls, which control the area of the below
IPPORT_RESERVED that is used for selection when bind() is told to allocate
a reserved port.

Also, implement simple sanity checking for all the addresses set, to make
it a little harder for a user/sysadmin to shoot themselves in the feet.
9277e63302140b5062d96a9394cdec2b83b2e70a 10-Jul-1996 julian <julian@FreeBSD.org> Adding changes to ipfw and the kernel to support ip packet diversion..
This stuff should not be too destructive if the IPDIVERT is not compiled in..
be aware that this changes the size of the ip_fw struct
so ipfw needs to be recompiled to use it.. more changes coming to clean this up.
8a4381b139489559851a24f7e7088354b0acf624 03-Apr-1996 phk <phk@FreeBSD.org> Add feature for tcp "established".
Change interface between netinet and ip_fw to be more general, and thus
hopefully also support other ip filtering implementations.
fac8f2c92271b1198714685037e3dbf30a2e1e44 14-Mar-1996 fenner <fenner@FreeBSD.org> IGMPv2 routines rewritten, to be more compact and to fully comply
with the IGMPv2 Internet Draft (including Router Alert IP option)
fe35eac01c2144b50535ae23a00660c11524fd22 22-Feb-1996 peter <peter@FreeBSD.org> Make the default behavior of local port assignment match traditional
systems (my last change did not mix well with some firewall
configurations). As much as I dislike firewalls, this is one thing I
was not prepared to break by default.. :-)

Allow the user to nominate one of three ranges of port numbers as
candidates for selecting a local address to replace a zero port number.
The ranges are selected via a setsockopt(s, IPPROTO_IP, IP_PORTRANGE, &arg)
call. The three ranges are: default, high (to bypass firewalls) and
low (to get a port below 1024).

The default and high port ranges are sysctl settable under sysctl
net.inet.ip.portrange.*

This code also fixes a potential deadlock if the system accidentally ran out
of local port addresses. It'd drop into an infinite while loop.

The secure port selection (for root) should reduce overheads and increase
reliability of rlogin/rlogind/rsh/rshd if they are modified to take
advantage of it.

Partly suggested by: pst
Reviewed by: wollman
2f93f3daa7e31b316e927b2cd030e17cb036afae 19-Jan-1996 peter <peter@FreeBSD.org> Change the default local address range for IP from 1024 through 5000
to 20000 through 30000. These numbers are used for local IP port numbers
when an explicit address is not specified.

The values are sysctl modifiable under: net.inet.ip.port_{first|last}_auto

These numbers do not overlap with any known server addresses, without going
above 32768 which are "negative" on some other implementations.

20000 through 30000 is 2.5 times larger than the old range, but some have
suggested even that may not be enough... (gasp!) Setting a low address
of 10000 should be plenty.. :-)
db2c71245d8bd7171d58bbd567c7a24804e752e5 14-Nov-1995 phk <phk@FreeBSD.org> New style sysctl & staticize a lot of stuff.
86f1bc4514fdcfd255f37f3218fe234bdc3664fc 05-Nov-1995 cvs2svn <cvs2svn@FreeBSD.org> This commit was manufactured by cvs2svn to create branch 'LINUX'.
c53e4d30eddfc89be2cd81c9c3ea3a595789fdc2 01-Nov-1995 wollman <wollman@FreeBSD.org> Instrument the IP input queue with two new read-only MIB entries:
net.inet.ip.intr-queue-maxlen (=== ipintrq.ifq_maxlen)
and net.inet.ip.intr-queue-drops (=== ipintrq.ifq_drops)

There should probably be a standard way of getting the same information
going the other way.
8424d675bc800cef5b661fa40603ec3836315fc7 18-Jul-1995 peter <peter@FreeBSD.org> Change the compile-time option of DIRECTED_BROADCAST into a sysctl
variable underneath ip, "directed-broadcast".
Reviewed by: David Greenman
Obtained from: NetBSD, by Darren Reed.
20ad4f8359820cf12331c0335034438fc23ad604 13-Jun-1995 wollman <wollman@FreeBSD.org> Kernel side of 3.5 multicast routing code, based on work by Bill Fenner
and other work done here. The LKM support is probably broken, but it
still compiles and will be fixed later.
a428f47a5d3b328c0a7a5c36b95a868d52b294ca 16-Mar-1995 wollman <wollman@FreeBSD.org> Reject source routes unless configured on by administrator.
8882d76eda0f65db86b70a8641d460198eb851a8 16-Mar-1995 wollman <wollman@FreeBSD.org> Add inet_ntoa() and replace ARP's private routine with same.
2e14d9ebc3d3592c67bdf625af9ebe0dfc386653 14-Mar-1995 cvs2svn <cvs2svn@FreeBSD.org> This commit was manufactured by cvs2svn to create branch 'MATT_THOMAS'.
e3defa4503d0fce9ea8650a9557e03073e3aef45 14-Feb-1995 wollman <wollman@FreeBSD.org> Attempt to make the host route cache a bit smarter under conditions of
high load:

1) If there ever get to be more than net.inet.ip.rtmaxcache entries
in the cache, in_rtqtimo() will reduce net.inet.ip.rtexpire by
1/3 and do another round, unless net.inet.ip.rtexpire is less than
net.inet.ip.rtminexpire, and never more than once in ten minutes
(rtq_timeout).

2) If net.inet.ip.rtexpire is set to zero, don't bother to cache
anything.
fc1509a009c04ccb08ad290842a91217efeacff5 21-Dec-1994 wollman <wollman@FreeBSD.org> Correct sysctl info so that net.inet.ip.rtexpire is actually accessible.
17700af9e7617a500f69ae58357f81ed1c153cd8 14-Dec-1994 wollman <wollman@FreeBSD.org> Make rtq_reallyold user-configurable via sysctl.
34cd81d75f398ee455e61969b118639dacbfd7a6 23-Sep-1994 cvs2svn <cvs2svn@FreeBSD.org> This commit was manufactured by cvs2svn to create branch 'MACKERRAS'.
75ad508fd126c679edba9b67bd09d74a1fff3aba 06-Sep-1994 wollman <wollman@FreeBSD.org> Initial get-the-easy-case-working upgrade of the multicast code
to something more recent than the ancient 1.2 release contained in
4.4. This code has the following advantages as compared to
previous versions (culled from the README file for the SunOS release):

- True multicast delivery
- Configurable rate-limiting of forwarded multicast traffic on each
physical interface or tunnel, using a token-bucket limiter.
- Simplistic classification of packets for prioritized dropping.
- Administrative scoping of multicast address ranges.
- Faster detection of hosts leaving groups.
- Support for multicast traceroute (code not yet available).
- Support for RSVP, the Resource Reservation Protocol.

What still needs to be done:

- The multicast forwarder needs testing.
- The multicast routing daemon needs to be ported.
- Network interface drivers need to have the `#ifdef MULTICAST' goop ripped
out of them.
- The IGMP code should probably be bogon-tested.

Some notes about the porting process:

In some cases, the Berkeley people decided to incorporate functionality from
later releases of the multicast code, but then had to do things differently.
As a result, if you look at Deering's patches, and then look at
our code, it is not always obvious whether the patch even applies. Let
the reader beware.

I ran ip_mroute.c through several passes of `unifdef' to get rid of
useless grot, and to permanently enable the RSVP support, which we will
include as standard.

Ported by: Garrett Wollman
Submitted by: Steve Deering and Ajit Thyagarajan (among others)
8197ce5e98353ade5c0651b18d741110a142e3c8 21-Aug-1994 paul <paul@FreeBSD.org> Made idempotent.

Submitted by: Paul
e16baf7a5fe7ac1453381d0017ed1dcdeefbc995 07-Aug-1994 cvs2svn <cvs2svn@FreeBSD.org> This commit was manufactured by cvs2svn to create branch 'SUNRPC'.
8d205697aac53476badf354623abd4e1c7bc5aff 02-Aug-1994 dg <dg@FreeBSD.org> Added $Id$
8fb65ce818b3e3c6f165b583b910af24000768a5 24-May-1994 rgrimes <rgrimes@FreeBSD.org> BSD 4.4 Lite Kernel Sources