summaryrefslogtreecommitdiff
path: root/sys/net/pf.c
AgeCommit message (Collapse)Author
2004-03-09KNF, ok cedric@ deraadt@Ryan Thomas McBride
2004-02-24Remove redundant logging from pf_test_other().Ryan Thomas McBride
ok henning@ cedric@
2004-02-24KNFRyan Thomas McBride
2004-02-20Make pfsync deal with clearing states bound to a group or interface (egRyan Thomas McBride
pfctl -i fxp0 -Fs). Also don't send out individual state deletions if we're sending a clear message, move pfsync_clear_states() inside splnet, and fix if_pfsync.h includes in pf.c and pf_ioctl.c. ok cedric@ dhartmei@
2004-02-19the 2nd round of the qid assignment change.Kenjiro Cho
make the semantics in line with the tag assignment, which simplifies the id management in pf. ok, henning@
2004-02-10KNFDaniel Hartmeier
2004-02-10plug mbuf leak (ip_fragment() always free mbuf on error). tested by cedric,Jun-ichiro itojun Hagino
dhartmei ok
2004-02-10KNFHenning Brauer
2004-02-04Fix a number of bugs with setting pool limits which I introduced withRyan Thomas McBride
source-tracking. Found by Pyun YongHyeon. Also add support to pfctl to set the src-nodes pool limit. "Luckily" some of the bugs cancel each other out; update kernel before pfctl. ok dhartmei@
2004-02-02Do not evaluate pfi_index2kif[ifp->if_index] if PF is disabled.Cedric Berger
Safer and faster since we know that ifp->if_index can potentially be garbage. ok dhartmei@
2004-01-27drop packet if kif == NULL; ok henning deraadtMarkus Friedl
2004-01-06Drop UDP packets with destination port 0, or zero or oversized payloadDaniel Hartmeier
length (same as udp_input() does, if pf is not enabled). Found by Pyun YongHyeon. ok cedric@, ho@, henning@ and markus@.
2004-01-050 -> (void *)NULL for last argument of icmp_error(), which is of typeDaniel Hartmeier
struct ifnet *, from Pyun YongHyeon
2004-01-04better macro name (IF_LOCKED -> BOUND_IFACE). from markus.Cedric Berger
2003-12-31spacing. note this, cedricTheo de Raadt
2003-12-31Many improvements to the handling of interfaces in PF.Cedric Berger
1) PF should do the right thing when unplugging/replugging or cloning/ destroying NICs. 2) Rules can be loaded in the kernel for not-yet-existing devices (USB, PCMCIA, Cardbus). For example, it is valid to write: "pass in on kue0" before kue USB is plugged in. 3) It is possible to write rules that apply to group of interfaces (drivers), like "pass in on ppp all" 4) There is a new ":peer" modifier that completes the ":broadcast" and ":network" modifiers. 5) There is a new ":0" modifier that will filter out interface aliases. Can also be applied to DNS names to restore original PF behaviour. 6) The dynamic interface syntax (foo) has been vastly improved, and now support multiple addresses, v4 and v6 addresses, and all userland modifiers, like "pass in from (fxp0:network)" 7) Scrub rules now support the !if syntax. 8) States can be bound to the specific interface that created them or to a group of interfaces for example: - pass all keep state (if-bound) - pass all keep state (group-bound) - pass all keep state (floating) 9) The default value when only keep state is given can be selected by using the "set state-policy" statement. 10) "pfctl -ss" will now print the interface scope of the state. This diff change the pf_state structure slighltly, so you should recompile your userland tools (pfctl, authpf, pflogd, tcpdump...) Tested on i386, sparc, sparc64 by Ryan Tested on macppc, sparc64 by Daniel ok deraadt@ mcbride@
2003-12-19i wrote much of these, assert my copyrightHenning Brauer
2003-12-18resolve compiler warnings, from Pyun YongHyeon, ok cedric@, mcbride@Daniel Hartmeier
2003-12-15ryan left a few for me ;-)Henning Brauer
2003-12-15Fix whitespace screwups before henning wakes up.Ryan Thomas McBride
2003-12-15Add initial support for pf state synchronization over the network.Ryan Thomas McBride
Implemented as an in-kernel multicast IP protocol. Turn it on like this: # ifconfig pfsync0 up syncif fxp0 There is not yet any authentication on this protocol, so the syncif must be on a trusted network. ie, a crossover cable between the two firewalls. NOTABLE CHANGES: - A new index based on a unique (creatorid, stateid) tuple has been added to the state tree. - Updates now appear on the pfsync(4) interface; multiple updates may be compressed into a single update. - Applications which use bpf on pfsync(4) will need modification; packets on pfsync no longer contains regular pf_state structs, but pfsync_state structs which contain no pointers. Much more to come. ok deraadt@
2003-12-15Add support to track stateful connections by source ip. This allows usRyan Thomas McBride
to: - Ensure that clients get a consistent IP mapping with load-balanced translation/routing rules - Limit the number of simultaneous connections a client can make - Limit the number of clients which can connect through a rule ok dhartmei@ deraadt@
2003-12-12Move PF interface code to new net/pf_if.cCedric Berger
Expect improvements in this area soon. ok dhartmei@ mcbride@
2003-12-11Fix PR3587 and other related problems with NAT and table stats.Cedric Berger
PPL that have that problem and cannot upgrade to -current could just comment out the assertion in pfr_update_stats(). ok dhartmei@ henning@
2003-12-08Mbuf tag tcp and udp packets which are translated to localhost, andRyan Thomas McBride
use the the presence of this tag to reverse the match order in in{6}_pcblookup_listen(). Some daemons (such as portmap) do a double bind, binding to both * and localhost in order to differentiate local from non-local connections, and potentially granting more privilege to local ones. This change ensures that redirected connections to localhost do not appear local to such a daemon. Bulk of changes from dhartmei@, some changes markus@ ok dhartmei@ deraadt@
2003-11-28More pf stats fixups:Ryan Thomas McBride
- Don't double count double count icmp packets. - We only want to increment rule and state counters if we're passing the packet, unless it's a 'drop' rule. ok dhartmei@ henning@
2003-11-21Remove redundant arguments to pf_sockaddr_lookup(); proto and af are alreadyRyan Thomas McBride
included in pd. ok dhartmei@ henning@
2003-11-21Remove unused "ipoff" arguments.Ryan Thomas McBride
ok dhartmei@ henning@
2003-11-16pf_test() and pf_test6() consistency:Ryan Thomas McBride
- Fix anchor anchor accounting for IPv4 TCP and all IPv6 protocols. - Make stateful connections work for generic protocols on IPv6. ok henning@ dhartmei@
2003-11-09remove stale forward declarationDaniel Hartmeier
2003-11-04add in(6)_pcblookup_listen() and replace all calls to in_pcblookup()Markus Friedl
with either in(6)_pcbhashlookup() or in(6)_pcblookup_listen(); in_pcblookup is now only used by bind(2); speeds up pcb lookup for listening sockets; from Claudio Jeker
2003-11-03pf_route() can change output NIC, so we need to check its capabilities.Cedric Berger
good candidate for 3.X errata. ok dhartmei@ henning@ mcbride@
2003-10-31Remove remenants of pf_tree stuff that I missed.Ryan Thomas McBride
2003-10-29fix binat for incoming connections when a netblock (not just a singleDaniel Hartmeier
address) is used for source in the binat rule. closes PR 3535, reported by Karl O.Pinc. ok henning@, cedric@
2003-10-25Build state search indexes directly on pf_state instead of pf_tree_node.Ryan Thomas McBride
This saves more than 30% memory on state entries, and simplifies the state insertion and removal code as well. NOTE: This changes the pf API; userland tools must be updated to match. ok henning@ dhartmei@
2003-10-10make sure pd is initialized before use (or byte counters may increaseDaniel Hartmeier
by random values). ok mcbride@, cedric@, henning@
2003-10-02correct endian handling of ip->ip_off.Jun-ichiro itojun Hagino
do not try to send incomplete fragments on ENOBUFS case (behavior change from 4.4bsd). dhartmei ok
2003-09-26Rearchitecture of the userland/kernel IOCTL interface for transactions.Cedric Berger
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command. (some splxxx work remain in the kernel). Basically, improvements are: - Anchors/Rulesets cannot disappear unexpectedly anymore. - No more leftover in the kernel if "pfctl -f" fail. - Commit is now done in a single atomic IOCTL. WARNING: The kernel code is fully backward compatible, but the new pfctl/authpf userland utilities will only run on a new kernel. The following ioctls are deprecated (i.e. will be deleted sooner or later, depending on how many 3rd party utilities use them and how soon they can be upgraded): - DIOCBEGINRULES - DIOCCOMMITRULES - DIOCBEGINALTQS - DIOCCOMMITALTQS - DIOCRINABEGIN - DIOCRINADEFINE They are replaced by the following ioctls (yes, PF(4) will follow) which operate on a vector of rulesets: - DIOCXBEGIN - DIOCXCOMMIT - DIOCXROLLBACK Ok dhartmei@ mcbride@
2003-09-26Move statistics counters from individual pf_test_<proto>() andRyan Thomas McBride
pf_test_state_<proto>() to pf_test() and pf_test6(). Reduce code redundancy, and fix the following bugs: - ICMP packets were not being accounted for correctly (missing statistics code in pf_test_state_icmp() - Some packets were not being counted in the loginterface statistics NOTE: Under some situations with route-to, packets may get counted once on the original interface, and once on the pf-routed interface. This can be dealt with by rules which specify the each interface explicitly. ok cedric@, henning@
2003-09-24Remove state setup no-ops.Ryan Thomas McBride
ok cedric@ frantzen@ henning@
2003-09-01KNFHenning Brauer
2003-09-01Make nat rule update the table counters when no filtering rule is used.Cedric Berger
This is mostly to support the new "nat pass" rule. ok dhartmei@ henning@
2003-08-28fix "pfctl -vvsr" output for rules with tables inside anchors.Cedric Berger
ok henning@
2003-08-21Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.Mike Frantzen
Exposes the source IP's operating system to the filter language. Interesting policy decisions are now enforceable: . block proto tcp from any os SCO . block proto tcp from any os Windows to any port smtp . rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001
2003-08-18prevent looutput() feedback of broadcast/multicast packets if they areDaniel Hartmeier
pf routed. prevents a kernel lockup with some (non-sensical) route-to rules. report and debugging by mpech@. ok itojun@, henning@, mpech@.
2003-08-17Missing break, change NULL -> 0 for int parameter (no functionalDaniel Hartmeier
changes), from Andrey Matveev
2003-08-14m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.Jason Wright
2003-08-09This patch remove the restriction that tables cannot be used in routing orCedric Berger
redirection rules... The advantage of using tables in redirection/routing rules is not efficiency, in fact it will run slower than straight address pools. However, this brings a lot of flexibility to PF, allowing simple scripts/daemons to add/remove addresses from redirection/routing pools easily. This implementation support all table features, including cidr blocks and negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6. Tables can also be combined with simple addresses, so the following rule will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }" ok henning@ mcbride@
2003-08-07make pf_match take u_int32_t instead of u_int16_tHenning Brauer
it's not only used to ,atch on ports any more but uid/gid as well, and uid_t/gid_t are u_int32_t. found by aaron@ ok cedric@
2003-07-29Set pf_state->rt_ifp when creating the state entry, instead of doing itDaniel Hartmeier
later on, when another packet matches the state. ok mcbride@