| Age | Commit message (Collapse) | Author |
|---|
|
the remainder of the network stack from splimp to splnet.
ok miod@
|
|
"Please commit this diff ASAP" brad@
|
|
we're breaking pfsync compatibility this cycle anyways.
Requested by djm@, ok henning@, 'wheee!' deraadt@
|
|
not have been allocated at the initial state synchronisation time.
ok henning@
|
|
Oh. and a KNF nit.
|
|
Applies only to rules in the main ruleset (not anchors) if the ruleset
checksum matches. Necessary to fix the following for pfsync'd states:
- per-rule limits on number of states
- altq
- rule-based settings such as timeouts
More work to do re: nat rules, src-nodes, etc.
NOTE: This is modifies the pfsync header and version number.
Tools which process pfsync packets must be recompiled, and firewalls with
different versions will not sync.
ok mpf@ henning@ dhartmei@
|
|
- Introduces a rw_lock in pfioctl so that we can have concurrent readers
but only one process performing updates at a time;
- Separates state expiry into "unlink" and "free" parts; anyone can unlink
a state/src node from the RB trees at any time, but a state can only be
freed whilst the write lock is held;
- Converts state_updates into list state_list containing all states,
regardless of whether they are "linked" or "unlinked";
- Introduces a new PFTM_UNLINKED state that is used on the "unlinked" states
to signal that they can be freed;
- Converts pf_purge_expired_state to an "unlink" state routine, which only
unlinks the state from the RB trees. Freeing the state/src nodes is left
to the purge thread, which runs whilst holding a write lock, such that all
"next" references remain valid;
- Converts pfsync_bulk_update and DIOCGETSTATES to walk state_list rather
than the RB trees;
- Converts the purge thread to use the new state_list and perform a partial
purge every second, with the target rate a full state table walk every
PFTM_INTERVAL seconds.
seen by mcbride, henning, dhartmei pre-3.8, but too intrusive for then
|
|
to search for a particular entry in the RB trees are at the start of the
structure.
This permits us to place a much smaller structure on the stack in the
interrupt paths that match packets against state entries.
ok mcbride
|
|
ok henning mcbride, looks good frantzen
|
|
ok ho@
|
|
Instead of purging immediately, let the state be purged at the purge interval.
ok henning
|
|
|
|
|
|
failover gateways. ok mcbride@, "looks good" hshoexer@
|
|
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo
|
|
ok henning@ dhartmei@ claudio@
|
|
purged errneously. mpf@ ok
|
|
ok mpf@
|
|
in kernel code to match. Brings pfsync in line with carp, vlan and pppoe
devices. Old syncif and -syncif options still work, will be removed later.
ok markus@
|
|
ok pascoe@
|
|
more than a second old.
ok mcbride@ henning@
|
|
Also purge states with an empty ifname.
ok mcbride@
|
|
- Add a new PFSTATE_STALE flag to uncompressed state updates sent as a result
of a stale state being detected, and prevent updates with this flag from
generating similar messages.
- For the specific case where the state->src in the recieved update is ok but
the state.dst is not, take the partial update, then "fail" to let the other
peers pick up the better data that we have. From Chris Pascoe.
ok dhartmei@
|
|
problems with adaptive timeouts, max-states limits, and rules not being
freed from memory.
Diff from Chris Pascoe.
ok henning@ dhartmei@
|
|
being inserted, so that the counter does not wrap back when the state
is removed. This fixes pfsync setups with adaptive timeouts.
From Chris Pascoe
ok canacar@ dhartmei@ henning@ deraadt@
|
|
updates to; this allows pairs of pfsync firewalls to protect the traffic
with IPSec.
|
|
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.
ok art@ niklas@ nordin@
|
|
|
|
|
|
|
|
- If the physical interface goes down or the link goes down,
the carp interface goes down as well.
- We treat this like the preemption holdoff with pfsync.
So if one of the carp interfaces is known to be bad (because the
physical interface it's associated with is bad), all the other carp
interfaces back off: they won't preempt, and their advskew goes to 240.
ok cedric@
|
|
ok mcbride@
|
|
ok mcbride@ henning@
|
|
pointed at by Joris Vink who was baffeled how this should work anyway
ok mcbride@ henning@
|
|
the local state.
Tricky state comparisons from frantzen@ ok cedric@ dhartmei@
Post-ok addition of code to broadcast an update with the better local version
when this happens. Torture tested by beck@
|
|
to arbitrary values. Invalid state->timeout can hit a KASSERT in pf, the other
ones should be ok but we check them just to make sure.
ok dhartmei@ deraadt@
|
|
until mono_time.tv_sec advances past the time the bulk transfer request
was recieved.
ok cedric@ deraadt@
|
|
configured. This this allows pfsync+carp clusters to come up gracefully
without killing active connections. pfsync now prevents carp from
preempting to become master until the state table has sync'd.
ABI change, any application which use struct pf_state must be recompiled.
Reminded about this by Christian Gut. Thanks to beck@ cedric@ and dhartmei@
for testing and comments.
ok deraadt@
|
|
pfctl -i fxp0 -Fs). Also don't send out individual state deletions if we're
sending a clear message, move pfsync_clear_states() inside splnet, and fix
if_pfsync.h includes in pf.c and pf_ioctl.c.
ok cedric@ dhartmei@
|
|
sensitive CPUs. Pointed out by deraadt@.
|
|
- Make sure we calculate the correct maximum size for PFSYNC_ACT_UREQ.
- Make pfsync_sendout() return immediately if there is nothing to send.
|
|
ip and pfsync headers. This makes us behave correctly if the packet is
spread across multiple mbufs (which does not appear to happen in practice).
|
|
- Fix the expiry time calculations, for real
- Unbreak the collapsing of multiple updates into one
And a little KNF for good measure.
|
|
ok mcbride@
|
|
|
|
optional.
|
|
|
|
1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.
2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.
3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"
4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.
5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.
6) The dynamic interface syntax (foo) has been vastly improved, and
now support multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"
7) Scrub rules now support the !if syntax.
8) States can be bound to the specific interface that created them or
to a group of interfaces for example:
- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)
9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.
10) "pfctl -ss" will now print the interface scope of the state.
This diff change the pf_state structure slighltly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)
Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel
ok deraadt@ mcbride@
|
|
A pfsync system which recieves a partial update for a state it cannot
find can now request a full version of the update, and insert it.
pfsync'd firewalls now converge more gracefully if one is missing some
states (due to reset, lost insert packets, etc).
|
|
|
