path: root/sys/net/pf.c
Age | Commit message | Author
2002-03-08 | Fix arc4random() usage; add more randomness to pf_get_sport(). | Mike Pechkin
    dhartmei@, provos@ ok
2002-02-26 | Add optional pool memory hard limits, mainly as temporary solution | Daniel Hartmeier
    until pool exhaustion causes problems no more.
2002-02-23 | Pools that are only used in the ioctls can use the nointr allocator. | Artur Grabowski
2002-02-17 | Calculate IP checksum and copyback modified headers before logging a | Daniel Hartmeier
    packet. Closes PR2402. Note that checksums were only wrong in the logged packet, packets that were passed got a valid checksum anyway.
2002-02-15 | pf only uses seconds for time measuring. There is no need to call microtime | Artur Grabowski
    on every packet. Use time.tv_sec to get seconds. In the places where it seemed to matter, make sure that time doesn't change under our feet. And it's really unnecessary to do a test on every packet when the test will only fire once every 10 seconds. That's a real waste of time, that's what we have timeouts for. ok frantzen@
2002-02-14 | KNF | Theo de Raadt
2002-02-14 | Add skip steps for rule action (pass/block vs. scrub) and direction | Daniel Hartmeier
    (in vs. out). This speeds up rule set evaluation considerably, because the rule set used to be linearly traversed (even twice) when looking for scrub rules. Ok frantzen@, deraadt@
2002-02-11 | Remove unused function prototype, from Jason Ish | Daniel Hartmeier
2002-02-11 | Remove ancient comment regarding memcmp(), from Jason Ish | Daniel Hartmeier
2002-01-23 | Pool deals fairly well with physical memory shortage, but it doesn't deal | Artur Grabowski
    well (not at all) with shortages of the vm_map where the pages are mapped (usually kmem_map). Try to deal with it:
    - group all information the backend allocator for a pool in a separate struct. The pool will only have a pointer to that struct.
    - change the pool_init API to reflect that.
    - link all pools allocating from the same allocator on a linked list.
    - Since an allocator is responsible to wait for physical memory it will only fail (waitok) when it runs out of its backing vm_map, carefully drain pools using the same allocator so that va space is freed. (see comments in code for caveats and details).
    - change pool_reclaim to return if it actually succeeded to free some memory, use that information to make draining easier and more efficient.
    - get rid of PR_URGENT, no one uses it.
2002-01-12 | - Only apply fastroute and route-to if we are going in the same | jasoni
    direction as the rule. - ok dhartmei@
2002-01-09 | Add labels to rules. These are arbitrary names (not to be confused with | Daniel Hartmeier
    tags that will be used to tag packets later on). Add pfctl -z to clear per-rule counters. Add pfctl -s labels to output per-rule counters in terse format and only for rules that have labels. Suggested by Henning Brauer.
2002-01-08 | Add "no nat/rdr/binat" to nat.conf. The first matching rule applies. | Daniel Hartmeier
    If it is a "no" rule, no translation occurs. Useful to exclude certain packets from translation. Suggested by Henning Brauer.
2001-12-31 | only require write mode for modifying ioctls; dhartmei@, frantzen@, deraadt@ ok | Michael Shalayeff
2001-12-18 | Update rt_ifp in DIOCCHANGERULE. | jasoni
    - noticed by DJ Gregor <gregor.7@osu.edu>
2001-12-11 | - Log packet while mbuf is still valid. | jasoni
    - If logging and r == NULL, use r0 leaving r untouched. - Note that pf_route/pf_route6 can free the mbuf. Thanks and ok frantzen@
2001-12-10 | Add an ioctl to add state entries (DIOCADDSTATE) for proxies. | Daniel Hartmeier
2001-12-10 | Add stateful filtering for other (non-TCP/UDP/ICMP) protocols, based on | Daniel Hartmeier
    source/destination addresses/ports only. Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols. Destination and redirection port(s) are now optional for RDR rules. Not specifying destination port(s) means 'redirect all ports', not specifying redirection port(s) means 'redirect to the original port'.
2001-12-03 | Don't reset pf_status.debug and .since on DIOCCLRSTATUS. | Daniel Hartmeier
    From Dries Schellekens. Closes PR 2227.
2001-12-01 | 217 lines of diff for KNF, dhartmei, you are evil | Theo de Raadt
2001-11-30 | only make a copy of the mbuf if the route rule is dup-to | jasoni
2001-11-27 | typo - use correct mbuf | jasoni
2001-11-27 | do pf_route() before logging in case the logging created a bogus rule | Mike Frantzen
    (fixes a recent panic) OK dhartmei@ jasoni@ mpech@
2001-11-26 | add fastroute options similar to what is found in ipf | jasoni
    ok dhartmei@, frantzen@
2001-11-21 | Use pf_pull_hdr() instead of manual mbuf traversal. Fixes potential crashes | Daniel Hartmeier
    in pf_test6() for IPv6 packets with options.
2001-11-20 | don't allow CHANGEBINAT ioctl in securelevel > 1 | Mike Pechkin
    dhartmei@ ok
2001-11-16 | yes, signed subtraction does not work because of underflows, revert the previous | Michael Shalayeff
2001-11-14 | use subtract when comparing keys, for ip addrs as well. | Michael Shalayeff
    those happen as signed integers and seem to work fine. saves whole bunch of useless code. dhartmei@ ok
2001-11-13 | fix pf from going off into the weeds on an ipv6 icmp packet with certain option | Mike Frantzen
    headers. should fix pr #2172 ok dhartmei@
2001-11-06 | Use #defines for skip step values. From dgregor@net.ohio-state.edu. | Daniel Hartmeier
2001-10-24 | Reset states counter when clearing states. | Daniel Hartmeier
2001-10-15 | Add 'allow-opts' to rules. Packets with IP options will be blocked by | Daniel Hartmeier
    default now, and can be allowed per rule. ok deraadt@
2001-10-13 | Patch from Ryan McBride, fixes IPv6 return-rst problem, found by | Daniel Hartmeier
    Todd Fries. ok deraadt@
2001-10-02 | Convert ip_off of the inner IP header to host order in pf_test_state_icmp(). | Daniel Hartmeier
    Some of the IP header fields are already converted by ip_input.c (including ip_off), but of course not for inner headers of ICMP packets. The other fields which are left in network order are ok. This broke state search for any ICMP error message that referred to an IP header with the DF flag set, hence any ICMP_UNREACH_NEEDFRAG message. Found by Andreas Gunnarsson <andreas@crt.se>. Thank you.
2001-09-30 | Tune TCP fsm (99.7% - 99.9% accuracy over 1e6 connections) | Mike Frantzen
2001-09-27 | The skip steps array was one element short (since adding steps for af). | Daniel Hartmeier
    This invoked undefined behaviour under the proper circumstances.
2001-09-27 | switch without break. This caused the 'ICMP too short' messages, since | Daniel Hartmeier
    both IPv4 and IPv6 cases were executed. 'switch considered harmful'.
2001-09-27 | Fix th_ack calculation in pf_send_reset(). return-rst didn't work since | Daniel Hartmeier
    1.150 (at least for IPv4).
2001-09-23 | Bump up the tcp half closed timeout (single FIN) to an hour | Mike Frantzen
2001-09-21 | Fix natlook (broke ftp-proxy) and a memory leak. | Daniel Hartmeier
    From Ryan McBride.
2001-09-19 | Patch from Ryan McBride. Compile without INET6, remove unnecessary | Daniel Hartmeier
    rewrite++.
2001-09-17 | icmpv6 nat fix, from Ryan McBride | Daniel Hartmeier
2001-09-15 | The inner protocol of IPv4 ICMP error messages was ignored, leading to | Daniel Hartmeier
    'ICMP error message for bad proto' messages and breaking traceroute etc. Please increase debugging level (pfctl -x m) while testing.
2001-09-15 | Don't use m_pkthdr.rcvif in pflog_packet(), it doesn't work for outgoing | Daniel Hartmeier
    packets and is obviously invalid (and not NULL) for IPv6 packets (hence crashed). Pass ifp down instead. sizeof(ih) instead of sizeof(&ih) for pf_pull_hdr() from pf_test6().
2001-09-15 | IPv6 support from Ryan McBride (mcbride@countersiege.com) | Mike Frantzen
2001-09-14 | binat non icmp/udp/tcp protocols as well; ok dhartmei@ | jasoni
2001-09-11 | Undo BINAT translation when blocking with return-rst/-icmp. | Daniel Hartmeier
    Translate at most once. From Ryan McBride.
2001-09-06 | 1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@ | jasoni
2001-09-05 | Handle uh_sum == 0x0000 correctly. Before, UDP packet checksums were | Daniel Hartmeier
    broken by NAT/RDR when unset by the sender. Fixes ntpdate behind NAT.
2001-09-05 | s/pf_natlook/pfioc_natlook (ioctl parameter struct) | Daniel Hartmeier