Age | Commit message | Author |
|
As a first user, move the global carp(4) demotion counter
into the interface group. Thus we have the possibility
to define which carp interfaces are demoted together.
Put the demotion counter into the reserved field of the carp header.
With this, we can have carp act smarter if multiple errors occur.
It now always takes over other carp peers, that are advertising
with a higher demote count. As a side effect, we can also have
group failovers without the need of running in preempt mode.
The protocol change does not break compatibility with older
implementations.
Collaborative work with mcbride@
OK mcbride@, henning@
|
|
Another ipsec failover fix from nathanael at polymorpheus dot com.
ok hshoexer@
|
|
comparison of the TDB before collapsing multiple updates.
Another ipsec failover fix from Nathanael <list-openbsd-tech@polymorpheus.com>
|
|
work between little-endian and big-endian machines, and compare the spi
against SPI_RESERVED_MAX correctly.
Fix from Nathanael <list-openbsd-tech at polymorpheus dot com>
|
|
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@
|
|
the remainder of the network stack from splimp to splnet.
ok miod@
|
|
"Please commit this diff ASAP" brad@
|
|
we're breaking pfsync compatibility this cycle anyways.
Requested by djm@, ok henning@, 'wheee!' deraadt@
|
|
not have been allocated at the initial state synchronisation time.
ok henning@
|
|
Oh. and a KNF nit.
|
|
Applies only to rules in the main ruleset (not anchors) if the ruleset
checksum matches. Necessary to fix the following for pfsync'd states:
- per-rule limits on number of states
- altq
- rule-based settings such as timeouts
More work to do re: nat rules, src-nodes, etc.
NOTE: This modifies the pfsync header and version number.
Tools which process pfsync packets must be recompiled, and firewalls with
different versions will not sync.
ok mpf@ henning@ dhartmei@
|
|
- Introduces a rw_lock in pfioctl so that we can have concurrent readers
but only one process performing updates at a time;
- Separates state expiry into "unlink" and "free" parts; anyone can unlink
a state/src node from the RB trees at any time, but a state can only be
freed whilst the write lock is held;
- Converts state_updates into list state_list containing all states,
regardless of whether they are "linked" or "unlinked";
- Introduces a new PFTM_UNLINKED state that is used on the "unlinked" states
to signal that they can be freed;
- Converts pf_purge_expired_state to an "unlink" state routine, which only
unlinks the state from the RB trees. Freeing the state/src nodes is left
to the purge thread, which runs whilst holding a write lock, such that all
"next" references remain valid;
- Converts pfsync_bulk_update and DIOCGETSTATES to walk state_list rather
than the RB trees;
- Converts the purge thread to use the new state_list and perform a partial
purge every second, with the target rate a full state table walk every
PFTM_INTERVAL seconds.
seen by mcbride, henning, dhartmei pre-3.8, but too intrusive for then
|
|
to search for a particular entry in the RB trees are at the start of the
structure.
This permits us to place a much smaller structure on the stack in the
interrupt paths that match packets against state entries.
ok mcbride
|
|
ok henning mcbride, looks good frantzen
|
|
ok ho@
|
|
Instead of purging immediately, let the state be purged at the purge interval.
ok henning
|
|
failover gateways. ok mcbride@, "looks good" hshoexer@
|
|
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo
|
|
ok henning@ dhartmei@ claudio@
|
|
purged erroneously. mpf@ ok
|
|
ok mpf@
|
|
in kernel code to match. Brings pfsync in line with carp, vlan and pppoe
devices. Old syncif and -syncif options still work, will be removed later.
ok markus@
|
|
ok pascoe@
|
|
more than a second old.
ok mcbride@ henning@
|
|
Also purge states with an empty ifname.
ok mcbride@
|
|
- Add a new PFSTATE_STALE flag to uncompressed state updates sent as a result
of a stale state being detected, and prevent updates with this flag from
generating similar messages.
- For the specific case where the state->src in the received update is ok but
the state.dst is not, take the partial update, then "fail" to let the other
peers pick up the better data that we have. From Chris Pascoe.
ok dhartmei@
|
|
problems with adaptive timeouts, max-states limits, and rules not being
freed from memory.
Diff from Chris Pascoe.
ok henning@ dhartmei@
|
|
being inserted, so that the counter does not wrap back when the state
is removed. This fixes pfsync setups with adaptive timeouts.
From Chris Pascoe
ok canacar@ dhartmei@ henning@ deraadt@
|
|
updates to; this allows pairs of pfsync firewalls to protect the traffic
with IPSec.
|
|
things such that code that only needs a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.
ok art@ niklas@ nordin@
|
|
- If the physical interface goes down or the link goes down,
the carp interface goes down as well.
- We treat this like the preemption holdoff with pfsync.
So if one of the carp interfaces is known to be bad (because the
physical interface it's associated with is bad), all the other carp
interfaces back off: they won't preempt, and their advskew goes to 240.
ok cedric@
|
|
ok mcbride@
|
|
ok mcbride@ henning@
|
|
pointed at by Joris Vink who was baffled how this should work anyway
ok mcbride@ henning@
|
|
the local state.
Tricky state comparisons from frantzen@ ok cedric@ dhartmei@
Post-ok addition of code to broadcast an update with the better local version
when this happens. Torture tested by beck@
|
|
to arbitrary values. Invalid state->timeout can hit a KASSERT in pf, the other
ones should be ok but we check them just to make sure.
ok dhartmei@ deraadt@
|
|
until mono_time.tv_sec advances past the time the bulk transfer request
was received.
ok cedric@ deraadt@
|
|
configured. This allows pfsync+carp clusters to come up gracefully
without killing active connections. pfsync now prevents carp from
preempting to become master until the state table has sync'd.
ABI change, any application which uses struct pf_state must be recompiled.
Reminded about this by Christian Gut. Thanks to beck@ cedric@ and dhartmei@
for testing and comments.
ok deraadt@
|
|
pfctl -i fxp0 -Fs). Also don't send out individual state deletions if we're
sending a clear message, move pfsync_clear_states() inside splnet, and fix
if_pfsync.h includes in pf.c and pf_ioctl.c.
ok cedric@ dhartmei@
|
|
sensitive CPUs. Pointed out by deraadt@.
|
|
- Make sure we calculate the correct maximum size for PFSYNC_ACT_UREQ.
- Make pfsync_sendout() return immediately if there is nothing to send.
|
|
ip and pfsync headers. This makes us behave correctly if the packet is
spread across multiple mbufs (which does not appear to happen in practice).
|
|
- Fix the expiry time calculations, for real
- Unbreak the collapsing of multiple updates into one
And a little KNF for good measure.
|
|
ok mcbride@
|