| Age | Commit message (Collapse) | Author |
|---|
|
Noticed by Kai_Doernemann_at_genua.de
OK henning@, deraadt@
|
|
Add support for probablities of 0% and 100%.
With and OK deraadt@
|
|
arrives; ok dhartmei, henning, feedback aaron
|
|
been cached in pd->p_len.
ok henning@ markus@
|
|
there is a 1:1 mapping between direction and the tree the states get
attached to. there is no need to have anything outside the state insertion/
deletion/lookup routinbes know about these internals. so just pass the
direction to the lookup functions and let them pick the right tree.
ok dhartmei markus
|
|
|
|
criteria. ok mcbride@
|
|
if (r != NULL && r->rtableid >= 0)
- m->m_pkthdr.pf.rtableid = m->m_pkthdr.pf.rtableid;
+ m->m_pkthdr.pf.rtableid = r->rtableid;
fortunately it is in pf_send_tcp and thus the effect is very limited, RSTs
sent due to "block return(-rst)" could be routed using the main routing
table instead of an alternate one specified on the block rule.
spotted by Janjaap van Velthooven <janjaap@stack.nl>
|
|
messages, add 'dir=' part to 'loose state' message, ok henning@, markus@
|
|
header are required in the ICMP error). ok deraadt@, henning@
|
|
OK markus@, mcbride@, "sounds reasonable" henning@
|
|
table/state tail queue design. corrects ftp-proxy errors "server lookup
failed (no rdr?)" okay henning@
|
|
Fixes ICMP packet payload corruption on rdr.
OK henning@, markus@
|
|
keys that can map to multiple states (last not least for ifbound) we don't
need state tables hanging off each struct kif representing an interface
any more. use two globals for the two tables. ok markus ryan
|
|
unused ifname (this information is in struct pf_state_sync now).
Also a bit of KNF on the pf_state struct.
ok mpf@ henning@
|
|
previously, we had a set of state tables attached to each interface. so for
every packet we had to do a lookup in the tables for the interface, and
afterwards in the global tables.
since we split state keys and states now, use only the global tables, and
put the actual states in a tail queue attached to the state key. sort the
list so that ifbound states come before global ones. on lookup, we only
have to compare the interface pointer on the actual states and use the
first one where either the interface matches or the state is not interface
bound. thus, if you don't actually use ifbound states, and there is only
one state per state key, the overhead is close to zero, where we had extra
lookups before. in addition to a much cleaner design (that'll allow for more
goodies later) this gives us ~12.5% more forwarding performance.
mostly hacked at c2k7, lots of help, testing and ok mcbride & markus
|
|
OK henning@, ``passt scho'' markus@
|
|
the packet is of the expected address family (AF_INET / AF_INET6).
crafted IPv4 packets with IPPROTO_ICMPV6 can make us crash otherwise.
misbehaviour provoked by Adrian Close <adrian@close.wattle.id.au> playing
with nmap; he also helped us big time debugging the problem. thanks!
ok ryan
|
|
(&ptr instead of ptr). should fix pflog breakage seen by bob
|
|
|
|
|
|
with a state entry into a new pf_alloc_state_key() function and use it
everywhere. makes upcoming changes way easier and is cleaner anyway.
conceptually agreed by ryan, but he's on the road now ;(
|
|
one - pf_test_rule(). now we have one place to make things clearer and
maybe find another few performance bits :)
shrinks i386 GENERIC by 11K, no measurable performance impact or gain.
lots lots lots lots lots of testing and headbanging with ryan,
performance testing ckuethe. ok ryan
|
|
we need a pointer to the inpcb to decide, which was not previously
passed to ip6_output, so this diff is a little bigger.
from itojun, ok ryan
|
|
ok henning@
|
|
|
|
- Split pf_state into pf_state (used for tracking connection information),
and pf_state_key (used for searching the state table)
- Use pfsync_state in the ioctl for userland access to the state
table. This will sheild userland somewhat from future changes.
ok henning@ toby@ pyr@
|
|
boring details:
long time ago (in r1.313) code was added to handle protocol checksums:
> Check protocol (TCP/UDP/ICMP/ICMP6) checksums of all incoming packets,
> and drop packets with invalid checksums. Without such a check, pf would
> return RST/ICMP errors even for packets with invalid checksums, which
> could be used to detect the presence of the firewall, reported by
> "Ed White" in http://www.phrack.org/phrack/60/p60-0x0c.txt.
that meant we did the checksumming for each and every packet traversing pf.
now only do the checksumming right before we send an RST back, so in all
other cases we save that work.
ok bob theo
|
|
boring details:
pf used to use an mbuf tag to keep track of route-to etc, altq, tags,
routing table IDs, packets redirected to localhost etc. so each and every
packet going through pf got an mbuf tag. mbuf tags use malloc'd memory,
and that is knda slow.
instead, stuff the information into the mbuf header directly.
bridging soekris with just "pass" as ruleset went from 29 MBit/s to
58 MBit/s with that (before ryan's randomness fix, now it is even betterer)
thanks to chris for the test setup!
ok ryan ryan ckuethe reyk
|
|
ok claudio@ reyk@ henning@ ja ja ja mcbride@
|
|
of reassigning a struct ifnet pointer.
discussed with and ok mcbride@
|
|
|
|
in ip6_input(), but pf_test6() is called from bridge code as well.
ok dhartmei@ henning@ deraadt@ claudio@
|
|
drop all packets with routing headers unless the matching rule explicitly
specifies 'allow-opts'.
ok dhartmei@ henning@ deraadt@ claudio@
|
|
ok claudio@
|
|
ok dharthmei@, henning@
|
|
ok kettenis@ cloder@ tom@ henning@
|
|
ip6_dst (i'm bit skeptical about checksumming when the box is not the
final destination).
drop IPv6 jumbograms, as it could cause various funny symptoms due to
ip6_plen being 0 (yup, we should properly handle it instead).
ok by deraadt, naddy, hshoexer
|
|
unicast reverse path forwarding (URPF) check drops packets coming in
on an interface other than that which holds the route back to the
packet's source address. this caused problems with routes bound to a
carp interface instead of the underlying interface. this diff
validates the underlying carpdev if the route is bound to a carp
interface.
from Pierre-Yves Ritschard (pyr at spootnik.org)
ok henning@
|
|
initialized, it might equal &iproute by chance, causing a panic
when rtfree() is then mistakenly called.
|
|
number, it can differ from the sequence number being tested (for packets
without payload), and both matter in explaining why a packet mismatched.
|
|
(s6_addr16[1] filled)
ok dhartmei
|
|
we need to do so whenever we do have a (pf) tag != 0 on the state OR (that
part was missing) when rtableid on the rule is nonzero.
problem noticed by Andreas Lundin <lunde@dreamhosted.se> testing the
multiple routing tables enabling diff, ok mcbride
|
|
beeing created for now - much more work would be required to change that
input & ok ryan
|
|
be imported into pfctl. This is a precursor to separating ruleset parsing
from loading in pfctl, and tons of good things will come from it.
2 minor changes aside from cut-n-paste and #define portability magic:
- instead of defining the global pf_main_ruleset, define pf_main_anchor
(which contains the pf_main_ruleset)
- allow pf_find_or_create_ruleset() to return the pf_main_ruleset if it's
passed an empty anchor name.
ok henning dhartmei
|
|
the anchor, terminate ruleset evaluation when stepping out of the anchor.
This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.
ok dhartmei@ henning@ deraadt@
|
|
ok frantzen, dhartmei, henning
|
|
for equality (ip_tos == x). for priority queue assignment, compare AND-wise
(ip_tos & IPTOS_LOWDELAY). this matters mostly for cases where the reserved
bits in ip_tos are used (RFC791, 1349) and more than a single bit is set.
from Steve Welham, closes PR5226 and PR5227.
|
|
matching that rule so that the forwarding code later can use the
alternate routing table fo lookups (not implemented yet).
the tagging is "sticky", every matching rule modifies, just like the
regular "tag". ok claudio hshoexer, hacked at r2k6
|
|
PR5122 Jann Fischer <jfi@openbsd.de>, thanks!
|
