| Age | Commit message (Collapse) | Author |
|---|
|
as neither arrayified not arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.
ok jmc@
|
|
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:
pass out on em0 from $foo to $bar received-on fxp0
ive been running this in production for a week now. i find it particularly
usefull with interface groups.
no objections, and a few "i like"s from henning, claudio, deraadt, mpf
|
|
the original approach using a source tracking node.
the reimplementation i smore flexible than the original one, we now have an
slist of source tracking nodes per state. that is cheap because more than
one entry will be an absolute exception.
ok beck and jsg, also stress tested by Sebastian Benoit <benoit-lists at fb12.de>
|
|
|
|
|
|
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing
|
|
expanded version of a diff from Vadim Zhukov.
ok henning@ claudio@
|
|
tables on top of a rdomain) but until now our code was a crazy mix so that
it was impossible to correctly use rtables in that case. Additionally pf(4)
only knows about rtables and not about rdomains. This is especially bad when
tracking (possibly conflicting) states in various domains.
This diff fixes all or most of these issues. It adds a lookup function to
get the rdomain id based on a rtable id. Makes pf understand rdomains and
allows pf to move packets between rdomains (it is similar to NAT).
Because pf states now track the rdomain id as well it is necessary to modify
the pfsync wire format. So old and new systems will not sync up.
A lot of help by dlg@, tested by sthen@, jsg@ and probably more
OK dlg@, mpf@, deraadt@
|
|
which unbreaks ie route-to after the recent pf changes.
With much help debugging and pointing out of missing bits from claudio@
ok claudio@ "looks good" henning@
|
|
that the load balancing code does not freak out but because of this
check_netmask() is now complaining. So set the addr.type to PF_ADDR_DYNIFTL
so check_netmask() is fixing up the netmask for IPv4 and stops complaining.
This is a partial fix for the failing regress test 13.
found with jsg, looks good henning
|
|
|
|
- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.
The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).
The pf syntax is pretty simple, e.g.:
pass on em0 inet proto tcp from any to any port 80 divert-packet port 1
A lot of discussion have happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who spotted out which are the limitations of this approach.
OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.
discusses with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@
|
|
|
|
inspired by the short reboot times on an rb600a provided by stephan
rickauer.
testing and bugfixing by sthen@
ok mcbride@ sthen@
|
|
Sorry.
|
|
- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.
The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).
The pf syntax is pretty simple, e.g.:
pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000
test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.
|
|
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. this simplifies the migration from old
binat rules and is less error-prone.
feedback from many, manpage bits from jmc@
ok henning@
|
|
|
|
ok henning@ (sorry)
|
|
found by sthen@
ok henning@
|
|
noticed by Wiktor Izdebski
OK henning@
|
|
end of a pf rule (nat-to, divert-to, rdr-to, ...). take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.
for example,
pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)
many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@
|
|
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, seperate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too
|
|
the ``do { ... } while (0)'' construct.
ok henning, from Frederic Culuot <frederic _at_ culot.org>
|
|
Make it possible to use DiffServ Code Point in the TOS fields.
Requested by deraadt@
|
|
|
|
af11, cs6 and ef will now be mapped to the coresponding TOS value.
OK henning@, sthen@, mcbride@
|
|
since all this stuff is transactional now we need to wrap that into
DIOCXBEGIN/COMMIT.
bad henning forgot to commit this chunk at c2k9
|
|
my last commit. ok deraadt@
|
|
ok henning@ deraadt@
|
|
noticed due to a question from otto@, ok regress/sbin/pfctl/ ;)
|
|
since the DIOCSETREASS ioctl is called on every ruleset load and was
overriding the initial setting in pfattach(). Fix setting of the global
no-df bitmask as well.
ok henning@
|
|
|
|
|
|
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.
|
|
way it has already been done for ICMPv4.
ok mcbride@
|
|
looked at post-release -- out of time for these kinds of problems
david@ says: pfopt6 and f91.ok; pfopt6 change looks ok, but pf91 is
of concern.
|
|
|
|
|
|
should make the pushback buffer really transparent.
diagnosis by me, fix with mpf, some input deraadt, ok mpf
|
|
permitted keep state(X). applies to all rules which do not have keep state
explicitely. e. g. "set state-defaults pflow, no-sync"
ok phessler deraadt
|
|
|
|
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo
|
|
|
|
|
|
covers loopback addresses. ok ryan
problem report from Harald Dunkel <harald.dunkel@aixigo.de>
|
|
pointed out by, and ok david@, go ahead henning@
|
|
From: Gleydson Soares <gsoares@gmail.com>, ryan ok
|
|
ok henning
|
|
and the state-related pf(4) ioctls, and make functions in state creation and
destruction paths more robust in error conditions.
All values in struct pfsync_state now in network byte order, as with pfsync.
testing by david
ok henning, systat parts ok canacar
|
