| Age | Commit message (Collapse) | Author |
|---|
|
ok henning@ dhartmei@ claudio@
|
|
purged errneously. mpf@ ok
|
|
ok mpf@
|
|
in kernel code to match. Brings pfsync in line with carp, vlan and pppoe
devices. Old syncif and -syncif options still work, will be removed later.
ok markus@
|
|
ok pascoe@
|
|
more than a second old.
ok mcbride@ henning@
|
|
Also purge states with an empty ifname.
ok mcbride@
|
|
- Add a new PFSTATE_STALE flag to uncompressed state updates sent as a result
of a stale state being detected, and prevent updates with this flag from
generating similar messages.
- For the specific case where the state->src in the recieved update is ok but
the state.dst is not, take the partial update, then "fail" to let the other
peers pick up the better data that we have. From Chris Pascoe.
ok dhartmei@
|
|
problems with adaptive timeouts, max-states limits, and rules not being
freed from memory.
Diff from Chris Pascoe.
ok henning@ dhartmei@
|
|
being inserted, so that the counter does not wrap back when the state
is removed. This fixes pfsync setups with adaptive timeouts.
From Chris Pascoe
ok canacar@ dhartmei@ henning@ deraadt@
|
|
updates to; this allows pairs of pfsync firewalls to protect the traffic
with IPSec.
|
|
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.
ok art@ niklas@ nordin@
|
|
|
|
|
|
|
|
- If the physical interface goes down or the link goes down,
the carp interface goes down as well.
- We treat this like the preemption holdoff with pfsync.
So if one of the carp interfaces is known to be bad (because the
physical interface it's associated with is bad), all the other carp
interfaces back off: they won't preempt, and their advskew goes to 240.
ok cedric@
|
|
ok mcbride@
|
|
ok mcbride@ henning@
|
|
pointed at by Joris Vink who was baffeled how this should work anyway
ok mcbride@ henning@
|
|
the local state.
Tricky state comparisons from frantzen@ ok cedric@ dhartmei@
Post-ok addition of code to broadcast an update with the better local version
when this happens. Torture tested by beck@
|
|
to arbitrary values. Invalid state->timeout can hit a KASSERT in pf, the other
ones should be ok but we check them just to make sure.
ok dhartmei@ deraadt@
|
|
until mono_time.tv_sec advances past the time the bulk transfer request
was recieved.
ok cedric@ deraadt@
|
|
configured. This this allows pfsync+carp clusters to come up gracefully
without killing active connections. pfsync now prevents carp from
preempting to become master until the state table has sync'd.
ABI change, any application which use struct pf_state must be recompiled.
Reminded about this by Christian Gut. Thanks to beck@ cedric@ and dhartmei@
for testing and comments.
ok deraadt@
|
|
pfctl -i fxp0 -Fs). Also don't send out individual state deletions if we're
sending a clear message, move pfsync_clear_states() inside splnet, and fix
if_pfsync.h includes in pf.c and pf_ioctl.c.
ok cedric@ dhartmei@
|
|
sensitive CPUs. Pointed out by deraadt@.
|
|
- Make sure we calculate the correct maximum size for PFSYNC_ACT_UREQ.
- Make pfsync_sendout() return immediately if there is nothing to send.
|
|
ip and pfsync headers. This makes us behave correctly if the packet is
spread across multiple mbufs (which does not appear to happen in practice).
|
|
- Fix the expiry time calculations, for real
- Unbreak the collapsing of multiple updates into one
And a little KNF for good measure.
|
|
ok mcbride@
|
|
|
|
optional.
|
|
|
|
1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.
2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.
3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"
4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.
5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.
6) The dynamic interface syntax (foo) has been vastly improved, and
now support multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"
7) Scrub rules now support the !if syntax.
8) States can be bound to the specific interface that created them or
to a group of interfaces for example:
- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)
9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.
10) "pfctl -ss" will now print the interface scope of the state.
This diff change the pf_state structure slighltly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)
Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel
ok deraadt@ mcbride@
|
|
A pfsync system which recieves a partial update for a state it cannot
find can now request a full version of the update, and insert it.
pfsync'd firewalls now converge more gracefully if one is missing some
states (due to reset, lost insert packets, etc).
|
|
|
|
and no network synchronization is happening.
|
|
|
|
|
|
Implemented as an in-kernel multicast IP protocol.
Turn it on like this:
# ifconfig pfsync0 up syncif fxp0
There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.
NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contains regular pf_state structs,
but pfsync_state structs which contain no pointers.
Much more to come.
ok deraadt@
|
|
From Pyun YongHyeon. ok henning@, canacar@
|
|
traffic reporting w/ pfsync; ok dhartmei@
Note: ABI change (new fields in struct pf_state), requires a rebuild of
pfctl and tcpdump.
|
|
|
|
back in tcpdump, worked fine (; from bdd@ieee.org
|
|
ok; fixes unaligned trap on alpha from pr3037
|
|
|
|
|
