Age | Commit message | Author
----
m_pullup.
not really a significant change since most rx bufs (which we read pfsync
packets from) are a single contig cluster coming off the network, so we
rarely hit the case m_pullup was called in.
----
pass to all the submessage handlers, but only the flags part of it was
ever used. just pass the flags directly instead.
----
since they're only ever called from pfsync_input, which is only called
from ipintr, which is only called by softnet.
----
we can pass M_WAITOK to malloc(9) (which was already done a few lines
down, which set off my aesthetic alarm).
While here, include malloc.h, since we're calling malloc.
ok dlg@
----
without holding splsoftnet. this adds the necessary protection.
reported by patrick coleman
----
ok dlg@
----
This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to look up the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to the enc0 interface is required per rdomain, e.g. enc1 rdomain 1.
Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.
ok claudio@ naddy@
----
sending a bulk update, only say we're using the states referenced
by the next and last pointers into the table. this means the pf
timeout thread can keep trimming states during a bulk update.
----
+#if defined(PFSYNC_DEBUG)
----
keeps on building them, which means that it floods the tx ring on
the pfsync interface rather than actually sending many packets.
this change correctly calculates when we've filled a bulk update
packet.
many thanks to david@ for making me go chase this. I've been wondering
why the state count on my firewalls has had such a discrepancy for
a long time now.
----
pfsync_bulk_start sets up a bulk transfer by doing this:
    sc->sc_bulk_next = TAILQ_FIRST(&state_list);
    sc->sc_bulk_last = sc->sc_bulk_next;
and then calls pfsync_bulk_update which loops over state_list like
this:
    st = sc->sc_bulk_next;
    while (st != sc->sc_bulk_last) {
basically bulk updates never got sent.
this diff handles jj's problem by not attempting to send a bulk
update when the state table is empty and fixes the loop to break
at the right times.
reported by david@ whose initial tests are positive.
reviewed by mcbride@
tested in production at work.
----
afterwards
diff from gleydson soares
ok claudio@
----
This is needed because pf_state_peer_hton() skips some fields in certain
situations which could result in garbage being sent to the other peer.
This seems to fix the pfsync storms seen by stephan@ and so dlg owes me
a whiskey.
OK dlg@, stephan@
----
removed. Extend carp demote logging to also show the reason for
the demote. Return EINVAL instead of ERANGE if a carpdemote request
is out of range. Requested from otto.
OK mcbride, henning.
----
Found out the hard way by Laurent ``bucky'' Lavaud and myself.
Input by claudio@, ok dlg@
----
also protect the flushing of the deferred packet queue in clone_destroy
with the right spls. noticed by claudio@
----
ok sthen@ henning@
----
definition of DPFPRINTF(), and log priorities from syslog.h. Old debug
levels will still work for now, but will eventually be phased out.
discussed with henning, ok dlg
----
that it knows how big the messages are.
rework the message handlers to use the pfsync_subheader.len value to
iterate over the message regions.
deprecate the EOF subheader since trying to pulldown a 0 byte buffer is
fail.
ok mcbride@ sperreault@
----
this makes sure there is enough of the message to try and parse it, and
allows implementations to skip past regions prefixed by unknown subheaders.
based on discussion with mcbride@ deraadt@ and simon perreault
----
bpfdetach() will be called in if_detach(). Diff by Gleydson Soares
----
length of its message in dwords. multiply that by the count of the messages
to figure out how to skip to the next subheader.
"old" code still thinks the len field is a pad, which it doesn't look at, so
new messages with a filled in len are still parsed correctly by "old" code.
input and ok mcbride@
sounds good! Simon Perreault
----
the original approach using a source tracking node.
the reimplementation is more flexible than the original one, we now have an
slist of source tracking nodes per state. that is cheap because more than
one entry will be an absolute exception.
ok beck and jsg, also stress tested by Sebastian Benoit <benoit-lists at fb12.de>
----
ok claudio@ dlg@
----
the NAT rewrite and ever since then only checked in a couple of places
but never set. same for nat_src_node on pf_state.
with this the NAT rewrite made pf over 1000 lines shorter.
----
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing
----
ok dlg
----
tables on top of a rdomain) but until now our code was a crazy mix so that
it was impossible to correctly use rtables in that case. Additionally pf(4)
only knows about rtables and not about rdomains. This is especially bad when
tracking (possibly conflicting) states in various domains.
This diff fixes all or most of these issues. It adds a lookup function to
get the rdomain id based on a rtable id. Makes pf understand rdomains and
allows pf to move packets between rdomains (it is similar to NAT).
Because pf states now track the rdomain id as well it is necessary to modify
the pfsync wire format. So old and new systems will not sync up.
A lot of help by dlg@, tested by sthen@, jsg@ and probably more
OK dlg@, mpf@, deraadt@
----
into something usable by ioctl. makes DIOCADDSTATE on /dev/pf cope
when inserting an already existing state.
----
removed in pfsync v5.
----
windows than our peer.
this resolves the last of the pfsync traffic storm issues I've been able to
produce, and therefore makes it possible to do usable active-active
stateful firewalls with pf.
lots of testing locally on the production firewalls, also tested by sthen@
----
sync peers are able to get the states before the replies. previously there
was a race where the reply could hit a partner firewall before it had the
state for it, which caused the reply to get processed by the ruleset which
probably would drop it.
this behaviour is off by default because it does delay packets, which is
only wanted in active-active firewalls or when an upstream router is slow
to learn that you've moved the active member of the pfsync cluster. it also
uses memory keeping the packets in the kernel.
use "ifconfig pfsync0 defer" to enable it, "ifconfig pfsync0 -defer" to
disable.
tested by sthen@ who loves it. he's got manpage changes coming up for me.
----
and the conditions on which pfsync will notify its peers on a stale update.
each side (ie, the sending and receiving side) of the state update is
compared separately. any side that is further along than the local state
tree is merged. if any side is further along in the local state table, an
update is sent out telling the peers about it.
this has been flogged to death on my firewalls.
----
most obvious problem.
if the state table is empty, we'd deref a null pointer.
tested on my firewalls with big state tables, so existing use cases still
work.
----
the splnet calls and the extra splx(s)s necessary for it to be safe.
bug found by sthen@
----
all the other protocols is simply pushing the timeouts along which has a
resolution of 1 second, so it isn't going to be hurt by pfsync taking up
to a second to send it over.
keep track of updates on tcp still though, their windows need constant
attention.
tested by sthen@
----
affected by adjusting the clock.
----
with deraadt@, mcbride@, and mpf@ it is obvious that a hmac doesn't make
sense for pfsync.
this also firms up some of the input parsing so it handles short frames a
bit better.
----
rather than giving up after a hardcoded 5 seconds (which is generally much
too short an interval for a bulk update).
pointed out by david@, eyeballed by mcbride@
----
levels. This will allow for platforms where soft interrupt levels do not
map to real hardware interrupt levels to have soft ipl values overlapping
hard ipl values without breaking spl asserts.
----
- pass a void *, rather than an mbuf and an offset into m_data, the callers
can do the math for it.
- we need to store the size of the messages these functions will serialise
into, so don't get the funcs to return it, just add it on in the caller.
----
people who hate^Wdon't use pfsync.
----
this cleans up use of splnet.
----
modifies the pfsync state queues, however, it didn't prevent interrupts from
whacking the same structures.
this diff makes the bulk update code take splsoftnet() to prevent the
panics I've been suffering all day when a firewall peer was booted.
ok deraadt@
----
while i was replacing the guts of pfsync, but i forgot to put it back
again. this will make ipsec gateway failover work again.
tested by sthen@ and david@
ok deraadt@
----
ioctl. without this peers would not request a bulk update when they come
up, and therefore will not have the full state tree available for use in
failover.
ok mcbride@ "go for it" deraadt@