summaryrefslogtreecommitdiff
path: root/sys/net/if_pfsync.c
AgeCommit message (Collapse)Author
2013-08-07states learnt via pfsync from a peer with the same ruleset checksum wereDavid Gwynne
not getting assigned to rules like they should cos pfsync_in_upd() wasnt passing the PFSYNC_SI_CKSUM flag along to pfsync_state_import. found and fixed by pedro
2013-06-20Revert previous and unbreak asr, the new include should be protected.Martin Pieuchot
Reported by naddy@
2013-06-20Allocate the various hook head descriptors as part of the ifnetMartin Pieuchot
structure rather than doing various M_WAITOK allocations during the *attach() functions, we always rely on them anyway. ok mikeb@, uebayasi@
2013-05-10Since pf_state_key_attach can decide to free the provided stateMike Belopuhov
key we need to sync our state key pointers with whatever values the function will pick. Not doing so will produce wrong results if address translation must be applied afterwards and we happen to have a state key collision. Then pf_translate will follow an old pointer and punch in garbage addresses into the packet. Noticed, initial patch and tests by Vitaly Sinilin <vs @ kp4 ! ru> ok tedu, henning
2013-03-28no need for a lot of code to include proc.hTed Unangst
2013-03-26Remove various read-only *maxlen variables and use IFQ_MAXLEN directly.Martin Pieuchot
ok beck@, mikeb@
2012-10-30Use time_uptime for expiration values as time_second can be skewed atFlorian Obser
runtime while time_uptime is monotonic. Prevent underflows in pfsync(4) and pflow(4) by using signed variables. pfsync(4) problem pointed out by camield. Diff originally by dlg, frag and pflow bits by me. feedback dlg man page tweak jmc Various versions of the pflow bits tested by Hrvoje Popovski (hrvoje AT srce DOT hr), thanks! ok benno, henning, dlg
2012-10-09simplify hook_disestablish() handling by always resetting the hook whenMarkus Friedl
the syncdev gets set. this also makes sure we no longer leak hooks on repeatet 'ifconfig syncdev' invocations. ok mikeb@
2012-10-08make sure we don't call hook_disestablish() twice e.g. ifconfig -syncdevMarkus Friedl
followed by ifconfig destroy; ok mikeb
2012-09-20pfsync_cancel_full_update needs to restore carp demotions sinceMike Belopuhov
it's cancelling the bulk update and can leave the machine in a demoted state. bug was noticed by benno, who was kind enough to verify that the fix is working fine. ok mpf, benno
2012-09-20spltdb() was really just #define'd to be splsoftnet(); replace the formerBret Lambert
with the latter no change in md5 checksum of generated files ok claudio@ henning@
2012-09-19update the tdb replay counter endian conversion to 64 bits;Mike Belopuhov
ok camield mpf
2012-07-26rename all_state_flags to state_flags to finish the transitionMike Belopuhov
to the 16 bit flags; reminded by claudio, ok henning
2012-06-30Fix a number of problems introduced by the link state handling commit:Mike Belopuhov
1) demote by 32 on the first bulk update to prevent failovers w/o having a full state table; 2) don't do any demotion adjustments on the link up event and undemote when bulk update finishes (or times out) preventing a race between nodes getting a link state update asynchronously. With phessler; tested by phessler and Kapetanakis Giannis. Thanks! Looked through by henning and dlg. Now the correct version.
2012-06-30backout rev1.185 as it's not what i have intended to commitMike Belopuhov
2012-06-29add ESN-related bits missed in the previous commitMike Belopuhov
2012-06-28Fix a number of problems introduced by the link state handling commit:Mike Belopuhov
1) demote by 32 on the first bulk update to prevent failovers w/o having a full state table; 2) don't do any demotion adjustments on the link up event and undemote when bulk update finishes (or times out) preventing a race between nodes getting a link state update asynchronously. With phessler; tested by phessler and Kapetanakis Giannis. Thanks! Looked through by henning and dlg.
2012-04-11fix all the suser calls which pass an incorrect p_acflag argument;Mike Belopuhov
figured out by and ok guenther
2012-04-07remove superfluous return, ok mikebCamiel Dobbelaar
2012-04-03Fix kernel compilation with pf but without pfsync pseudo-device byMike Belopuhov
moving the state export functionality from pfsync code into pf. Based on the initial diff diff by guenther, ok henning.
2012-02-03The kernel did not compile without INET6. Put some #ifdefs intoAlexander Bluhm
pf to fix that. - add #ifdef INET6 in obvious places - af translation is only possible with both INET and INET6 - interleave #endif /* INET6 */ and closing brace correctly - it is not necessary to #ifdef function prototypes - do not compile af translate functions at all instead of empty stub, then the linker will report inconsistencies - pf_poolmask() actually takes an sa_family_t not an u_int8_t argument No binary change for GENERIC compiled with -O2 and -UDIAGNOSTIC. reported by Olivier Cochard-Labbe; ok mikeb@ henning@
2012-01-16do carp demotion adjustments on syncdev link state change.Mike Belopuhov
this prevents backup to failover back to master immediately after getting link back on carpdev interface if underlying pfsync interface went down as well. instead pfsync will request a bulk update to get new states from the master. sthen and mpf like the idea, ok dlg
2011-12-01Make sure we only enter pf_route() when undefering in the PF_ROUTETO case.Ryan Thomas McBride
ok dlg claudio
2011-11-29use a u_int64_t for the state id in pfsync_state. this makes it consistentDavid Gwynne
with every other thing that stores the state id (including other pfsync messages). includes improvements to the systat code to consider the creatorid as well as the state id in its cache to avoid collisions between states created on different hosts. tested by me in production and on amd64 talking to sparc64. ok henning@
2011-11-27Protect more operations in the pfsync_clone_destroy to preventMike Belopuhov
accidental race conditions. From Erik Lax, thanks! ok dlg
2011-11-26Apply route-to to deferred packet; without this the first packet of aRyan Thomas McBride
connection does not observe the route-to option. ok dlg mikeb
2011-11-25use time_uptime to set state creation values as time_second can beDavid Gwynne
skewed at runtime by things like date(1) and ntpd. time_uptime is monotonic and therefore more useful to compare against. ok deraadt@ mikeb@
2011-11-16Improve flag setting ioctl so that bulk updates are requestedMike Belopuhov
only when we're going up, not when we set PROMISC or any other flag. Fixes spontaneous CARP failovers when running tcpdump on pfsync. ok henning, mcbride, camield
2011-11-09State expire time is a baseline time ("last active") for expiryCamiel Dobbelaar
calculations, and does _not_ denote the time when to expire. So it should never be added to (set into the future). Try to reconstruct it with an educated guess on state import and just set it to the current time on state updates. This fixes a problem on pfsync listeners where the expiry time could be double the expected value and cause a lot more states to linger. Timeout code from mikeb. Found and testing by Maxim Bourmistrov. ok mikeb dlg
2011-11-04Select a correct protocol for a stack side state key when importingMike Belopuhov
an icmp<->icmp6 state (nat64); ok henning, mcbride, dlg
2011-10-31Don't forget to cancel bulk update failure timeout when destroying anMike Belopuhov
interface. Problem report and fix from Erik Lax, thanks!
2011-10-30Allow setting big MTU values on the pfsync interface but not largerMike Belopuhov
than the syncdev MTU. Prompted by the discussion with and tested by Maxim Bourmistrov; ok dlg, mpf
2011-10-20remove a bogus chunk accidentally introduced by mcbride in rev1.141;Mike Belopuhov
mcbride agrees, ok mpf, dlg
2011-10-13Since the IPv6 madness is not enough introduce NAT64 -- which is actuallyClaudio Jeker
"af-to" a generic IP version translator for pf(4). Not everything perfect yet but lets fix these things in the tree. Insane amount of work done by sperreault@, mikeb@ and reyk@. Looked over by mcbride@ henning@ and myself at eurobsdcon. OK mcbride@ and general put it in from deraadt@
2011-08-03someone (*cough*henning*cough*) made pf_state.state_flags a u_int16_tDavid Gwynne
without growing it in pfsync_state too. to keep the wire format compat this uses some of the pad bytes to send all the state flags on the wire as well as maintaining the old state_flags field. after 5.0 we'll deprecate the original field and only use the new one. discussed with mcbride and deraadt and based on a diff from deraadt. tested against an "old" pfsync locally. ok mcbride@ henning@ deraadt@
2011-08-02Replace one byte of padding with sa_family_t af in pfsync_state_key;Ryan Thomas McBride
Reject states with pfsync_state->af == 0 in pfsync_state_import(), in preparation for states which specify an address family in each state key instead (change will take place post-5.0). ok dlg henning mikeb
2011-07-06cosnistently use IFQ_SET_MAXLEN, surfaced in a discussion with + ok bluhmHenning Brauer
2011-07-04use mtod.David Hill
no change in binary "Sure" claudio@
2011-05-10when undeferring a packet, try to timeout_del first to check if youDavid Gwynne
actually removed it from the timeout wheel before releasing it. if timeout_del returns 0 then you know the timeout is about to run or is already running, meaning it will free itself so you dont have to. this handling is only done for the undefer paths at SOFTNET since it is higher than SOFTCLOCK which timeouts run from. it is possible for a timeout to start running at softclock and get interrupted by softnet. the undefer in process context blocks both these interrupts while it undefers, so it is impossible for the timeout to run and cause the list to be in this inconsistent state.
2011-04-02dont let pfsync defer packets for states with NOSYNC set.David Gwynne
2011-03-02when sending deferred packets use ip6_output for v6 frames instead ofDavid Gwynne
blindly assuming everything is v4 to be sent with ip_output. problem originally reported by Marco Fretz. fix verified locally. ok henning@ mcbride@
2011-01-11delay deferred packets for a maximum of 20ms instead of 100 ticks (whichDavid Gwynne
varies by arch). the 20ms is still up for discussion. ok deraadt@
2010-11-29use m_pulldown to get a contig view of the pfsync_header instead ofDavid Gwynne
m_pullup. not really a significant change since most rx bufs (which we read pfsync packets from) are a single contig cluster coming off the network, so we rarely hit the case m_pullup was called in.
2010-11-29get rid of struct pfsync_pkt. it was used to store data on the stack toDavid Gwynne
pass to all the submessage handlers, but only the flags part of it was ever used. just pass the flags directly instead.
2010-11-28there's no need to take splsoftnet in the input packet action handlersDavid Gwynne
since theyre only ever called from pfsync_input, which is only called from ipintr, which is only called by softnet.
2010-09-27must have either PR_WAITOK or PR_NOWAIT set.David Gwynne
2010-09-08creating a pfsync interface is always done from process context, soBret Lambert
we can pass M_WAITOK to malloc(9) (which was already done a few lines down, which set off my aesthetic alarm). While here, include malloc.h, since we're calling malloc. ok dlg@
2010-07-28pfsync_bulk_fail was mucking around with pfsync_softc and sending packetsDavid Gwynne
without holding splsoftnet. this adds the necessary protection. reported by patrick coleman
2010-07-25Add missing braces so a loop will function as intended.Jonathan Gray
ok dlg@
2010-07-09Add support for using IPsec in multiple rdomains.Reyk Floeter
This allows to run isakmpd/iked/ipsecctl in multiple rdomains independently (with "route exec"); the kernel will pickup the rdomain from the process context of the pfkey socket and load the flows and SAs into the matching rdomain encap routing table. The network stack also needs to pass the rdomain to the ipsec stack to lookup the correct rdomain that belongs to an interface/mbuf/... You can now run individual IPsec configs per rdomain or create IPsec VPNs between multiple rdomains on the same machine ;). Note that a primary enc(4) in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1. Test by some people, mostly on existing "rdomain 0" setups. Was in snaps for some days and people didn't complain. ok claudio@ naddy@