Age | Commit message (Collapse) | Author |
|
|
|
ok henning@ cedric@
|
|
|
|
pfctl -i fxp0 -Fs). Also don't send out individual state deletions if we're
sending a clear message, move pfsync_clear_states() inside splnet, and fix
if_pfsync.h includes in pf.c and pf_ioctl.c.
ok cedric@ dhartmei@
|
|
make the semantics in line with the tag assignment, which simplifies
the id management in pf.
ok, henning@
|
|
|
|
dhartmei ok
|
|
|
|
source-tracking. Found by Pyun YongHyeon.
Also add support to pfctl to set the src-nodes pool limit.
"Luckily" some of the bugs cancel each other out; update kernel before
pfctl.
ok dhartmei@
|
|
Safer and faster since we know that ifp->if_index can potentially
be garbage. ok dhartmei@
|
|
|
|
length (same as udp_input() does, if pf is not enabled). Found by
Pyun YongHyeon. ok cedric@, ho@, henning@ and markus@.
|
|
struct ifnet *, from Pyun YongHyeon
|
|
|
|
|
|
1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.
2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.
3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"
4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.
5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.
6) The dynamic interface syntax (foo) has been vastly improved, and
now support multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"
7) Scrub rules now support the !if syntax.
8) States can be bound to the specific interface that created them or
to a group of interfaces for example:
- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)
9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.
10) "pfctl -ss" will now print the interface scope of the state.
This diff change the pf_state structure slighltly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)
Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel
ok deraadt@ mcbride@
|
|
|
|
|
|
|
|
|
|
Implemented as an in-kernel multicast IP protocol.
Turn it on like this:
# ifconfig pfsync0 up syncif fxp0
There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.
NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contains regular pf_state structs,
but pfsync_state structs which contain no pointers.
Much more to come.
ok deraadt@
|
|
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule
ok dhartmei@ deraadt@
|
|
Expect improvements in this area soon.
ok dhartmei@ mcbride@
|
|
PPL that have that problem and cannot upgrade to -current could
just comment out the assertion in pfr_update_stats().
ok dhartmei@ henning@
|
|
use the the presence of this tag to reverse the match order in
in{6}_pcblookup_listen(). Some daemons (such as portmap) do a double
bind, binding to both * and localhost in order to differentiate local
from non-local connections, and potentially granting more privilege to
local ones. This change ensures that redirected connections to localhost
do not appear local to such a daemon.
Bulk of changes from dhartmei@, some changes markus@
ok dhartmei@ deraadt@
|
|
- Don't double count double count icmp packets.
- We only want to increment rule and state counters if we're passing
the packet, unless it's a 'drop' rule.
ok dhartmei@ henning@
|
|
included in pd.
ok dhartmei@ henning@
|
|
ok dhartmei@ henning@
|
|
- Fix anchor anchor accounting for IPv4 TCP and all IPv6 protocols.
- Make stateful connections work for generic protocols on IPv6.
ok henning@ dhartmei@
|
|
|
|
with either in(6)_pcbhashlookup() or in(6)_pcblookup_listen();
in_pcblookup is now only used by bind(2); speeds up pcb lookup for
listening sockets; from Claudio Jeker
|
|
good candidate for 3.X errata.
ok dhartmei@ henning@ mcbride@
|
|
|
|
address) is used for source in the binat rule. closes PR 3535, reported
by Karl O.Pinc. ok henning@, cedric@
|
|
This saves more than 30% memory on state entries, and simplifies the state
insertion and removal code as well.
NOTE: This changes the pf API; userland tools must be updated to match.
ok henning@ dhartmei@
|
|
by random values). ok mcbride@, cedric@, henning@
|
|
do not try to send incomplete fragments on ENOBUFS case
(behavior change from 4.4bsd).
dhartmei ok
|
|
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remain in the kernel). Basically, improvements are:
- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fail.
- Commit is now done in a single atomic IOCTL.
WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.
The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):
- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE
They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:
- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK
Ok dhartmei@ mcbride@
|
|
pf_test_state_<proto>() to pf_test() and pf_test6(). Reduce
code redundancy, and fix the following bugs:
- ICMP packets were not being accounted for correctly (missing
statistics code in pf_test_state_icmp()
- Some packets were not being counted in the loginterface statistics
NOTE: Under some situations with route-to, packets may get counted
once on the original interface, and once on the pf-routed interface.
This can be dealt with by rules which specify the each interface
explicitly.
ok cedric@, henning@
|
|
ok cedric@ frantzen@ henning@
|
|
|
|
This is mostly to support the new "nat pass" rule.
ok dhartmei@ henning@
|
|
ok henning@
|
|
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001
|
|
pf routed. prevents a kernel lockup with some (non-sensical) route-to
rules. report and debugging by mpech@. ok itojun@, henning@, mpech@.
|
|
changes), from Andrey Matveev
|
|
|
|
redirection rules...
The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.
This implementation support all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.
Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"
ok henning@ mcbride@
|
|
it's not only used to ,atch on ports any more but uid/gid as well, and uid_t/gid_t are u_int32_t.
found by aaron@
ok cedric@
|
|
later on, when another packet matches the state. ok mcbride@
|