Age | Commit message | Author |
|
Sorry.
|
|
- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.
The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).
The pf syntax is pretty simple, e.g.:
pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000
test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.
|
|
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. this simplifies the migration from old
binat rules and is less error-prone.
feedback from many, manpage bits from jmc@
ok henning@
|
|
|
|
ok henning@ (sorry)
|
|
found by sthen@
ok henning@
|
|
noticed by Wiktor Izdebski
OK henning@
|
|
end of a pf rule (nat-to, divert-to, rdr-to, ...). take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.
for example,
pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)
many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@
|
|
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too
|
|
the ``do { ... } while (0)'' construct.
ok henning, from Frederic Culuot <frederic _at_ culot.org>
|
|
Make it possible to use DiffServ Code Point in the TOS fields.
Requested by deraadt@
|
|
|
|
af11, cs6 and ef will now be mapped to the corresponding TOS value.
OK henning@, sthen@, mcbride@
|
|
since all this stuff is transactional now we need to wrap that into
DIOCXBEGIN/COMMIT.
bad henning forgot to commit this chunk at c2k9
|
|
my last commit. ok deraadt@
|
|
ok henning@ deraadt@
|
|
noticed due to a question from otto@, ok regress/sbin/pfctl/ ;)
|
|
since the DIOCSETREASS ioctl is called on every ruleset load and was
overriding the initial setting in pfattach(). Fix setting of the global
no-df bitmask as well.
ok henning@
|
|
|
|
|
|
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i.e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i.e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.
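An added pf.conf fragment (written here as an illustration, not taken from any commit on this page or from the pf source) that exercises the grammar the commit messages above describe: match rules carrying scrub options and inline nat-to/rdr-to, route-to in the trailing filteropts, a divert-packet rule, and state-defaults. Interface names, addresses and the divert port are assumed sample values.

```pf
# Constructed example pf.conf fragment; interfaces and addresses are made up.
ext_if = "em0"
int_if = "em1"
web_srv = "192.0.2.10"

# Only full reassembly exists now; no-df clears DF on fragments only.
set reassemble yes no-df
# Applied to every rule that does not state keep state options itself.
set state-defaults pflow, no-sync

# Default policy; "block return" now sends an RST for TCP.
block return log all

# match sets options without deciding pass/block. Every matching match
# rule applies its scrub options; DSCP names such as "ef" are accepted.
match in all scrub (no-df, min-ttl 64, max-mss 1400, set-tos ef)
match out on $ext_if inet from !($ext_if) to any nat-to ($ext_if)

# rdr-to rewrites inline: the pass rule below already sees $web_srv,
# not the external address the packet arrived with.
match in on $ext_if inet proto tcp from any to ($ext_if) port 80 \
    rdr-to $web_srv
pass in on $ext_if inet proto tcp from any to $web_srv port 80

# route-to now lives in the filteropts at the end of the rule.
pass in on $ext_if inet from 10.1.1.1 route-to ($int_if 192.168.1.1)

# Hand matching packets to a userspace process bound to divert port 8000;
# that process reinjects them into the kernel stack.
pass on $ext_if inet proto tcp from any to any port 80 divert-packet port 8000

pass out all
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`; the rdr-to followed by a pass rule on the rewritten address is the behaviour the NAT rewrite commit above describes.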
|
|
way it has already been done for ICMPv4.
ok mcbride@
|
|
looked at post-release -- out of time for these kinds of problems
david@ says: pfopt6 and f91.ok; pfopt6 change looks ok, but pf91 is
of concern.
|
|
|
|
|
|
should make the pushback buffer really transparent.
diagnosis by me, fix with mpf, some input deraadt, ok mpf
|
|
permitted keep state(X). applies to all rules which do not have keep state
explicitly. e.g. "set state-defaults pflow, no-sync"
ok phessler deraadt
|
|
|
|
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo
|
|
|
|
|
|
covers loopback addresses. ok ryan
problem report from Harald Dunkel <harald.dunkel@aixigo.de>
|
|
pointed out by, and ok david@, go ahead henning@
|
|
From: Gleydson Soares <gsoares@gmail.com>, ryan ok
|
|
ok henning
|
|
and the state-related pf(4) ioctls, and make functions in state creation and
destruction paths more robust in error conditions.
All values in struct pfsync_state now in network byte order, as with pfsync.
testing by david
ok henning, systat parts ok canacar
|
|
the kernel to be deleted.
|
|
|
|
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.
This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.
ok henning mpf deraadt
|
|
into one 8 bit flags field.
shrinks the state structure by 4 bytes on 32bit archs
ryan ok
|
|
|
|
of the good one. ok theo ryan reyk
|
|
- Mechanical change: Use arrays for state key pointers in pf_state, and
addr/port in pf_state_key, to allow the use of indexes.
- Fix NAT, pfsync, pfctl, and tcpdump to handle the new state structures.
In struct pfsync_state, both state keys are included even when identical.
- Also fix some bugs discovered in the existing code during testing.
(in particular, "block return" for TCP packets was not returning an RST)
ok henning beck deraadt
tested by otto dlg beck laurent
Special thanks to users Manuel Pata and Emilio Perea who did enough testing
to actually find some bugs.
|
|
pf_ioctl.c r1.196.
|
|
|
|
Remove it from the name section.
OK mcbride, henning
|
|
Fix printing of the state id in pfctl -ss -vv.
Remove the psnk_af hack to return the number of killed states.
OK markus, beck. "I like it" henning, deraadt.
Manpage help from jmc.
|
|
numbers with one, and fix a few other bugs along the way
ok mpf henning
|
|
|
|
makes transparent proxies much easier; ok beck@, feedback claudio@
|