Commit message

redirection target address. Reported by Michael Lucas. ok mcbride@

Solves the crashes in pf_route() with -current.
Reports from Michael Lucas and Bjorn Runaker.

panics should occur. ok mcbride@

we don't need the second list of addresses for DIOCCHANGE* operations)
Also get rid of a bug where DIOCBEGINADDRS clears pabuf[1] when pabuf[0]
is the one being used.
ok henning@ dhartmei@

print the port number in pf_print_host if it's 0 (like when
pf_print_host is called from pf_map_addr)
ok dhartmei@

Loading large rulesets consists of two phases. First, the rules are
parsed and added, one by one, to the inactive ruleset. The machine
remains responsive during that phase. Then, the new ruleset is
activated, and the skip steps are calculated. The machine locks up
during that phase. This second phase is greatly reduced with the new
algorithm. With the old one, calculation could take 30s for 12k rules,
with the new one, 100k rules take less than 1s. For small rulesets
(less than 1000 rules), the gain is insignificant.
ok mcbride@, henning@

Found by markus@

evaluation, packet, byte and state entry counters similar to -vsr. Helps
verify whether/how often translation rules are evaluated/matched.
ok frantzen@, henning@

(in the main set) number, not the number of the rule within the anchor.
Eventually, both will get logged. But as long as we only log one number,
this makes more sense.

main purpose is making them regress-testable.

tcp. A silly copy/paste error by yours truly located by deraadt@

skip steps on translation rules.
Also:
- Require a ticket for DIOCCHANGERULE operations to prevent races.
- Remove pf_compare_* functions from pf_ioctl.c. DIOCCHANGE* operations
  use a rule number, and comparisons happen in userland.
Testing and fixes from dhartmei@ and frantzen@
ok dhartmei@ henning@

this allows for a second queue on pf_rule.
assign packets with tos 0x10 (lowdelay) to this one.
if the second queue isn't specified set pqid = qid
idea dhartmei@
ok dhartmei@ frantzen@ deraadt@

sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.
Idea and ok deraadt@

freeing rules. Fixes a number of potential memory leaks and other bugs.
- Add new pool_ticket to insure that address pools don't get messed
  with by someone else while we add rules.
- Add a second address pool buffer, so that DIOCCHANGE* operations which use
  pf_compare* will work correctly.
Excellent bug report and analysis from DJ Gregor.
ok dhartmei@ henning@

ok dhartmei@

- Always fold the key in
Many fixes & suggestions from camield@
ok mickey@ camield@ henning@

unbreaks compiling kernel without IPv6 support.
how embarrassing, spotted by Chris Kuethe

and rdr, as well as route-to, dup-to and reply-to.
Addresses can be allocated in a number of ways:
- masking out the network portion of the address and replacing it
- randomly assigning an address in the block
- hashing the source address and a key to determine the redirection address
- iterating through the addresses sequentially (this is the only allocation
  scheme which works when a list of addresses is specified)
ok dhartmei@ henning@

and the returned icmp packets in the return-icmp case
ok dhartmei@

frantzen@ and dhartmei@

to the more correct and descriptive "sa_family_t af"
ok dhartmei@ henning@

reduces cross-file dependencies.
ok dhartmei@ ish@ henning@

    binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27
Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.
from ryan
ok dhartmei@

this commit is to allow further development in both userland and kernel.
the goal is to replace altq's classifier by pf(4).
- make pf tag a queue id to mbuf and make altq read the queue id
- merge altq config into pf.conf(5)
ok dhartmei@, henning@

drop is default, same behaviour as before
support
    block drop
to override a return policy

    block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else
ok dhartmei@

-new field "return_icmp6" in pf_rule
-parser accepts
    block return-icmp(ipv4-icmpcode, ipv6-icmpcode)
ok and some input dhartmei@

instead of just testing return_icmp > 0
ok dhartmei@

replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.

To detect routing loops use the actual outgoing interface and not the
interface that the rule is to apply to (as there may not be one).
- noticed by mcbride@countersiege.com
- ok dhartmei@, henning@

binat.
pointed out by Ryan McBride, mcbride at countersiege dot com, Thanks!
ok frantzen@ pb@ jasoni@ deraadt@

NULL to full 64 bits on a 64 bit address system. Solution is to add a
(void *) cast before NULL. This makes a 64 bit MIPS kernel work and will
probably help future 64 bit ports as well.
OK from art@

allows to use the same proxy port with different external peers.
From Ryan McBride

sufficient if TH_SYN is set and TH_ACK is unset, ignore TH_ECN etc.
ok frantzen@

Only affects pfctl -si output for IPv6. And some whitespace KNF.

interface except the given one. adjust the pf_test_* functions and
pf_skip_step accordingly.
ok dhartmei@

ok dhartmei@