| Age | Commit message (Collapse) | Author |
|---|
|
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:
pass out on em0 from $foo to $bar received-on fxp0
ive been running this in production for a week now. i find it particularly
usefull with interface groups.
no objections, and a few "i like"s from henning, claudio, deraadt, mpf
|
|
the original approach using a source tracking node.
the reimplementation i smore flexible than the original one, we now have an
slist of source tracking nodes per state. that is cheap because more than
one entry will be an absolute exception.
ok beck and jsg, also stress tested by Sebastian Benoit <benoit-lists at fb12.de>
|
|
instead of MISC. "makes a little bit more sense" henning@
|
|
not having sks and sks set to NULL causes random memory to be pool_put().
ok deraadt@ jsing@
|
|
and thus had to get rid of them if we didn't create state. this is no
longer the case, kill dead code. ok claudio
|
|
|
|
to pf_test6 (where it is wrong in some edge cases, for match rules and
logs a packet twice in some cases). ok claudio
|
|
if action != PF_PASS. same was changed in pf_test_rule a while back
but the fragment case was forgotten. since everybody reassembles nobody
ran into this.
|
|
|
|
the NAT rewrite and ever since then only checked in a couple of plaes
but never set. same for nat_src_node on pf_state.
with this the NAT rewrite made pf over 1000 lines shorter.
|
|
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing
|
|
|
|
tested by phessler@ pyr@
ok claudio@
"go ahead" deraadt@
|
|
tables on top of a rdomain) but until now our code was a crazy mix so that
it was impossible to correctly use rtables in that case. Additionally pf(4)
only knows about rtables and not about rdomains. This is especially bad when
tracking (possibly conflicting) states in various domains.
This diff fixes all or most of these issues. It adds a lookup function to
get the rdomain id based on a rtable id. Makes pf understand rdomains and
allows pf to move packets between rdomains (it is similar to NAT).
Because pf states now track the rdomain id as well it is necessary to modify
the pfsync wire format. So old and new systems will not sync up.
A lot of help by dlg@, tested by sthen@, jsg@ and probably more
OK dlg@, mpf@, deraadt@
|
|
splitting things out into a seperate pool.
Problem noticed and fix tested by sthen@
ok claudio@
|
|
which unbreaks ie route-to after the recent pf changes.
With much help debugging and pointing out of missing bits from claudio@
ok claudio@ "looks good" henning@
|
|
destination of a packet was changed by pf. This allows for some evil
games with rdr-to or nat-to but is mostly needed for better rdomain/rtable
support. This is a first step and more work and cleanup is needed.
Here a list of what works and what does not (needs a patched pfctl):
pass out rdr-to:
from local rdr-to local addr works (if state tracking on lo0 is done)
from remote rdr-to local addr does NOT work
from local rdr-to remote works
from remote rdr-to remote works
pass in nat-to:
from remote nat-to local addr does NOT work
from remote nat-to non-local addr works
non-local is an IP that is routed to the FW but is not assigned on the FW.
The non working cases need some magic to correctly rewrite the incomming
packet since the rewriting would happen outbound which is too late.
"time to get it in" deraadt@
|
|
- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.
The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).
The pf syntax is pretty simple, e.g.:
pass on em0 inet proto tcp from any to any port 80 divert-packet port 1
A lot of discussion have happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who spotted out which are the limitations of this approach.
OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.
discusses with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@
|
|
add break in the last case block
|
|
PF_ANEQ call in pf_test_state_other in the IPVshit case used AF_INET, found
by claudio
|
|
Sorry.
|
|
- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.
The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).
The pf syntax is pretty simple, e.g.:
pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000
test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.
|
|
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, seperate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too
|
|
1) at least one match rule matched the packet and
2) we do not create state
found by me while fixing the pool_get problem, ok dlg
|
|
introduced by yours truly (no idea how that could happpen), problem
found by sthen the hard way, fix by me. ok dlg
|
|
ok henning, jsing
|
|
ICMPv6 messages.
ok henning@
|
|
Suggested by Max Laier.
ok henning@
|
|
spotted by naddy@
ok henning@
|
|
but our local copy proto that we very carefully set beforehands. skw
being NULL is perfectly valid there.
|
|
steps found with the recent pfvar.h commit to check address families.
from & commit req by henning.
|
|
alternate routing table and separate them from other interfaces in distinct
routing tables. The same network can now be used in any doamin at the same
time without causing conflicts.
This diff is mostly mechanical and adds the necessary rdomain checks accross
net and netinet. L2 and IPv4 are mostly covered still missing pf and IPv6.
input and tested by jsg@, phessler@ and reyk@. "put it in" deraadt@
|
|
code. In pf rtableid == -1 means don't change the rtableid because
of this rule. So it has to be signed int there. Before the value
is passed from pf to route it is always checked to be >= 0. Change
the type to int in pf and to u_int in netinet and netinet6 to make
the checks work. Otherwise -1 may be used as an array index and
the kernel crashes.
ok henning@
|
|
us relying on where we are setting it. ok ryan dlg
|
|
turned up in pf_icmp_state_lookup.
ok sthen@
|
|
ever try to aplly options from the anchor rule if it was the last matching
one but the last matching real rule. it is right but despite begging nobody
has the balls to ok it ;(
|
|
correctly inherit queue stuff, tag, rtableid from the rule if we have no
state
some logic simplification and removal of redundant checks
ok dlg
|
|
|
|
all other code do. Should fix pr 6121.
ok henning@
|
|
specifically crafted IP datagram.
Problem noted by Sebastian Rother.
ok henning@ mcbride@ sthen@
|
|
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.
|
|
levels. This will allow for platforms where soft interrupt levels do not
map to real hardware interrupt levels to have soft ipl values overlapping
hard ipl values without breaking spl asserts.
|
|
ok henning markus
|
|
transactional, closing PRs 4941 and 5910. Minor flag day, requires rebuild
of userland tools that use struct pfi_kif.
ok henning deraadt
|
|
panic seen with some some icmp types in icmp error message payloads.
Reported by david@ and insan.praja@gmail.com
|
|
in one port of the state key, using the type to determine which side should
be the id, and which should be the type. Also:
- Handle ICMP6 messages which are typically sent to multicast addresses but
recieve unicast replies, by doing fallthrough lookups against the correct
multicast address.
- Clear up some mistaken assumptions in the PF code:
- Not all ICMP packets have an icmp_id, so simulate one based on other
data if we can, otherwise set it to 0.
- Don't modify the icmp id field in NAT unless it's echo
- Use the full range of possible id's when NATing icmp6 echoy
ok henning marco
testing matthieu todd
|
|
when we, for a new state, hit an existing tcp state which is in FIN_WAIT_2
on both ends do not fail but insert the new state anyway and unlink the
old one afterwards. pimp error message a bit, too.
problem found with NAT by viq <viq@viq.ath.cx>
ok theo markus
|
|
WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC
this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.
huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.
ok beck@ mcbride@ "good." deraadt@
|
|
to zero for checksum offload; ok henning@
|
|
frees pf states.
ok mcbride@
|
