Age | Commit message | Author |
|
It shows up in pfctl verbose mode and in the 7th field of the labels
output. Also remove the label printing for scrub rules, as they
do not support labels.
OK dhartmei@ (on an earlier version), henning@, mcbride@
|
|
Panic reported by deraadt.
OK henning@
|
|
provide netstat(1) with data it needs; ok claudio reyk
|
|
one entry for each multicast group and interface combination). this allows
you to run OSPF with more than 10 interfaces.
adapted from freebsd; ok claudio, henning, mpf
|
|
- remove useless casts
- MALLOC/FREE -> malloc/free
- use M_ZERO where appropriate instead of separate bzero
feedback & ok krw, hshoexer
|
|
'badstate' everywhere.
ok henning@
|
|
MGET* macros were changed to function calls, there wasn't any
need for the pool declarations and the inclusion of pool.h
From: tbert <bret.lambert@gmail.com>
|
|
the end of the array of rule pointers when attaching a pfsync'd state
to a rule. Reported in PR5508 by mayer@netlab.nec.de.
ok henning@
|
|
keys that can map to multiple states (last not least for ifbound) we don't
need state tables hanging off each struct kif representing an interface
any more. use two globals for the two tables. ok markus ryan
|
|
unused ifname (this information is in struct pf_state_sync now).
Also a bit of KNF on the pf_state struct.
ok mpf@ henning@
|
|
previously, we had a set of state tables attached to each interface. so for
every packet we had to do a lookup in the tables for the interface, and
afterwards in the global tables.
since we split state keys and states now, use only the global tables, and
put the actual states in a tail queue attached to the state key. sort the
list so that ifbound states come before global ones. on lookup, we only
have to compare the interface pointer on the actual states and use the
first one where either the interface matches or the state is not interface
bound. thus, if you don't actually use ifbound states, and there is only
one state per state key, the overhead is close to zero, where we had extra
lookups before. in addition to a much cleaner design (that'll allow for more
goodies later) this gives us ~12.5% more forwarding performance.
mostly hacked at c2k7, lots of help, testing and ok mcbride & markus
|
|
from mickey, ok me markus mickey
|
|
with a state entry into a new pf_alloc_state_key() function and use it
everywhere. makes upcoming changes way easier and is cleaner anyway.
conceptually agreed by ryan, but he's on the road now ;(
|
|
ok henning@
|
|
- Split pf_state into pf_state (used for tracking connection information),
and pf_state_key (used for searching the state table)
- Use pfsync_state in the ioctl for userland access to the state
table. This will shield userland somewhat from future changes.
ok henning@ toby@ pyr@
|
|
them being there.
diff & ok deraadt
|
|
without trying to free the (in that case nonexistent) tdb mbuf
found out the hard way by pedro
|
|
being created for now - much more work would be required to change that
input & ok ryan
|
|
As a first user, move the global carp(4) demotion counter
into the interface group. Thus we have the possibility
to define which carp interfaces are demoted together.
Put the demotion counter into the reserved field of the carp header.
With this, we can have carp act smarter if multiple errors occur.
It now always takes over other carp peers, that are advertising
with a higher demote count. As a side effect, we can also have
group failovers without the need of running in preempt mode.
The protocol change does not break compatibility with older
implementations.
Collaborative work with mcbride@
OK mcbride@, henning@
|
|
Another ipsec failover fix from nathanael at polymorpheus dot com.
ok hshoexer@
|
|
comparison of the TDB before collapsing multiple updates.
Another ipsec failover fix from Nathanael <list-openbsd-tech@polymorpheus.com>
|
|
work between little-endian and big-endian machines, and compare the spi
against SPI_RESERVED_MAX correctly.
Fix from Nathanael <list-openbsd-tech at polymorpheus dot com>
|
|
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@
|
|
the remainder of the network stack from splimp to splnet.
ok miod@
|
|
"Please commit this diff ASAP" brad@
|
|
we're breaking pfsync compatibility this cycle anyways.
Requested by djm@, ok henning@, 'wheee!' deraadt@
|
|
not have been allocated at the initial state synchronisation time.
ok henning@
|
|
Oh. and a KNF nit.
|
|
Applies only to rules in the main ruleset (not anchors) if the ruleset
checksum matches. Necessary to fix the following for pfsync'd states:
- per-rule limits on number of states
- altq
- rule-based settings such as timeouts
More work to do re: nat rules, src-nodes, etc.
NOTE: This modifies the pfsync header and version number.
Tools which process pfsync packets must be recompiled, and firewalls with
different versions will not sync.
ok mpf@ henning@ dhartmei@
|
|
- Introduces a rw_lock in pfioctl so that we can have concurrent readers
but only one process performing updates at a time;
- Separates state expiry into "unlink" and "free" parts; anyone can unlink
a state/src node from the RB trees at any time, but a state can only be
freed whilst the write lock is held;
- Converts state_updates into list state_list containing all states,
regardless of whether they are "linked" or "unlinked";
- Introduces a new PFTM_UNLINKED state that is used on the "unlinked" states
to signal that they can be freed;
- Converts pf_purge_expired_state to an "unlink" state routine, which only
unlinks the state from the RB trees. Freeing the state/src nodes is left
to the purge thread, which runs whilst holding a write lock, such that all
"next" references remain valid;
- Converts pfsync_bulk_update and DIOCGETSTATES to walk state_list rather
than the RB trees;
- Converts the purge thread to use the new state_list and perform a partial
purge every second, with the target rate a full state table walk every
PFTM_INTERVAL seconds.
seen by mcbride, henning, dhartmei pre-3.8, but too intrusive for then
|
|
to search for a particular entry in the RB trees are at the start of the
structure.
This permits us to place a much smaller structure on the stack in the
interrupt paths that match packets against state entries.
ok mcbride
|
|
ok henning mcbride, looks good frantzen
|
|
ok ho@
|
|
Instead of purging immediately, let the state be purged at the purge interval.
ok henning
|
|
failover gateways. ok mcbride@, "looks good" hshoexer@
|
|
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo
|
|
ok henning@ dhartmei@ claudio@
|
|
purged erroneously. mpf@ ok
|
|
ok mpf@
|
|
in kernel code to match. Brings pfsync in line with carp, vlan and pppoe
devices. Old syncif and -syncif options still work, will be removed later.
ok markus@
|
|
ok pascoe@
|
|
more than a second old.
ok mcbride@ henning@
|