| Age | Commit message (Collapse) | Author |
|---|
|
Framgent count and statistics are stored in struct pf_status. From
there pfctl(8) and systat(1) collect and show them. Note that pfctl
-s info needs the -v switch to show fragments. As fragment reassembly
has its own mutex, also grab this in pf ipctl(2) and sysctl(2) code.
input claudio@; OK henning@
|
|
found by "buffer overflow 'anchortypes' 10 <= 12" smatch error
feedback and ok sashan@, ok miod@ on an earlier version
|
|
the parsing code
|
|
This fixes a few KNF issues and ugly line wrapping by using a local
version of nitems(); fix two bsearch() on top.
ok claudio
|
|
let packet to mark 'once' rule as expired. The rule
will be removed by pfctl(8) when rules are updated.
OK kn@
|
|
this is a significant (and breaking) reworking of the policy based
routing that pf can do. the intention is to make it as easy as
nat/rdr to use, and more robust when it's operating.
the main reasons for this change are:
- route-to, reply-to, and dup-to do not work with pfsync
this is because the information about where to route-to is stored in
rules, and it is hard to have a ruleset synced between firewalls,
and impossible to have them synced 100% of the time.
- i can make my boxes panic in certain situations using route-to
yeah...
- the configuration and syntax for route-to rules are confusing.
the argument to route-to and co is an interace name with an optional
ip address. there are several problems with this. one is that people
tend to think about routing as sending packets to peers by their
address, not by the interface they're reachable on. another is that
we currently have no way to synchronise interface topology information
between firewalls, so using an interface to say where packets go
means we can't do failover of these states with pfsync. another
is that a change in routing topology means a host may become
reachable over a different interface. tying routing policy to
interfaces gets in the way of failover and load balancing.
this change does the following:
- stores the route info in the state instead of the pf rule
this allows route-to to keep working when the ruleset changes, and
allows route-to info to be sent over pfsync. there's enough spare bits
in pfsync messages that the protocol doesnt break.
the caveat is that route-to becomes tied to pass rules that create
state, like rdr-to and nat-to.
- the argument to route-to etc is a destination ip address
it's not limited to a next-hop address (thought a next-hop can be a
destination address). this allows for the failover and load balancing
referred to above.
- deprecates the address@interface host syntax in pfctl
because routing is done entirely by IPs, the interface is derived from
the route lookup, not pf. any attempt to use the @interface syntax
will fail now in all contexts.
there's enthusiasm from proctor@ jmatthew@ and others
ok sashan@ bluhm@
|
|
the rule did not specify it. Check the option again for the log
rule in case another rule has triggered a socket lookup. Remove
logopt group, it is not documented and cannot work as struct pfloghdr
does not contain a gid. Rename PF_LOG_SOCKET_LOOKUP to PF_LOG_USER
to express what it does. The lookup involved is only an implemntation
detail.
OK kn@ sashan@ mvs@
|
|
before accessing anything in ifa_addr.
ok claudio@
|
|
In pf(4), the pf_status.since timestamp is set with time_uptime(9).
This is a low-res snapshot of nanouptime(9). nanouptime(9) is used to
implement CLOCK_BOOTTIME for clock_gettime(2). It is not used to
implement CLOCK_UPTIME, though. The names are misleading.
Switch to CLOCK_BOOTTIME in places in userspace where we use
pf_status.since so we are working with the right clock.
Technically CLOCK_MONOTONIC is equivalent, but we shouldn't use that
here. CLOCK_MONOTONIC is not necessarily the "time since boot": the
standard says its absolute value is meaningless.
ok patrick@ bluhm@
|
|
This is the userland portion. OK deraadt@ sashan@
|
|
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
|
|
Fix a regression of revision 1.326 "Zap v4mask and v6mask in host()" which
allowed CIDR networks with more than one "/" to be loaded into tables.
I took care of this code path with regard to rules coming the ruleset
parser, which aborts earlier on such invalid specifications, but missed
`-T add 1/2/3' and the like.
Analyzed and fixed by Petr Hoffmann <petr dot hoffmann at oracle dot com>,
thanks!
OK deraadt
|
|
Recently introduced in pfctl_parser.c r1.333, this helper nicely
simplifies code when copying IPs based on their address family, so use
it in five other places when killing state or source node entries.
All addresses copied in these code paths result from either
pfctl_parse_host() or pfctl_addrprefix() which guarantee the address
family set to AF_INET or AF_INET6. Therefore, effectively relaxing the
case of unhandled families from errx(3) in callers to warnx(3) in
copy_satopfaddr() is safe since it's never reached.
OK sashan
|
|
that are used for netmask, broadcast, and destination address. In
pfctl(8) take the family of the interface address and write it to
the other addresses. This fixes some bugs when copy_satopfaddr()
copied only part of IPv6 addresses. Print a warning if the address
family is unknown.
OK kn@
|
|
OK bluhm
|
|
I introduced this error with r1.330 while removing the af parameter from
unmask().
`pass inet from (lo0)/24' would result in `pass inet from (lo0)', sorry.
|
|
Left-over from pre-host_ip() times. While here, use __func__.
OK henning benno
|
|
Except for networks such as "10/8" host_ip() now handles addresses in an
AF-agnostic way with more duplicate code removed/merged.
OK sashan (as for earlier copy_satopfaddr() diff) henning
|
|
Move the same dance around v4/v6 for copying IP addresses from sockaddr
into pf_addr to avoid duplicate code and improve readability.
Feedback and OK bluhm
|
|
|
|
henning@ removed this functionality years ago, see the share/man/man4/lo.4
revision 1.27.
OK jca claudio
|
|
This has been unused for years.
While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.
OK sashan
|
|
Instead of doing the same dance with every caller, check for user provided
mask or address familiy specific maximum inside the function itself.
Feedback and OK claudio
|
|
This brings it in line with host() and host_dns().
OK sashan miko
|
|
This avoids a duplicate strrchr() call and makes the function consistent
with host_v6() regarding mask handling.
While here, use the destination's size in memcpy instead of hardcoding its
type.
OK sashan
|
|
Simply defer checks whether a mask has been specified to where it's set in
host_*(); this is to reduce address family specific code.
OK sashan
|
|
Get rid of the `cont' flag, zap obvious comments, add error label.
OK benno sashan
|
|
This is simpler than checking three cases for `q' and gives nicer error
messages. While here, use `v6mask' as maximum netmask instead of hardcoding
it.
OK sashan
|
|
This simply puts the wiggle around inet_ntop() from four into one location.
OK benno
|
|
`error' is not used so drop it and jump to the end.
OK sashan
|
|
|
|
ok benno@
|
|
of a more appropriate place. ok claudio benno procter
|
|
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@
|
|
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb
|
|
|
|
manpage wording and reminder about usage() jmc@
ok florian@ henning@
|
|
ICMP6_DST_UNREACH_NOTNEIGHBOR is ICMP6_DST_UNREACH_BEYONDSCOPE (RFC
1885 was obsoleted).
sthen grepped the ports sources to make sure nothing uses it.
OK millert, jca
|
|
The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue. Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.
Discussed with and OK henning@ at d2k17 as a part of a larger diff.
|
|
time_second. Since time_second changes depending on the wall-
clock time, time_second is not a reliable source for the status.
We can even end up with a negative time delta. Thus, use the
monotonically growing time_uptime and export it to userland.
ok bluhm@ mikeb@
|
|
Reported by Carl Mascott, thanks! OK sthen
|
|
OK sthen, visa
|
|
as broadcast address. The kernel does not consider this a broadcast
address and ifconfig(8) has a check to exclude it. Use the same
check in pfctl(8).
Found by regress/sbin/pfctl pfi2; OK mikeb@
|
|
Thanks mikeb@ for idea to add expire time.
OK mpi@, OK mikeb@
|
|
ok deraadt@
|
|
|
|
is non-portable. Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@
|
|
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.
Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesnt like it he can change it when he recovers from jet-lag"
|
|
i. e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan
|
|
ok mikeb
|
