path: root/sys/net/pf.c
Age        Author        Commit message

2006-03-14  Damien Miller
  implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
  which optionally verifies that a packet is received on the interface that holds the route back to the packet's source address. This makes it an automatic ingress filter, but only when routing is fully symmetric. bugfix feedback claudio@; ok claudio@ and dhartmei@

2006-02-07  Daniel Hartmeier
  mention source of pf_modulate_sack() in comment, no code change,
  ok frantzen@

2006-01-31  Mike Frantzen
  the TCP SACK option needs sequence number modulation
  ok dhartmei@ and beck@. help + testing from kpfaff AT palloys.com.pl

2005-11-14  Christopher Pascoe
  fix spello

2005-11-04  Ryan Thomas McBride
  crank pf_state and pf_src_node byte and packet counters to u_int64_t, since
  we're breaking pfsync compatibility this cycle anyways. Requested by djm@, ok henning@, 'wheee!' deraadt@

2005-10-26  Ryan Thomas McBride
  Instead of using arc4random() to modulate the TCP isn, call tcp_rndiss_next()
  and calculate the modulator. This ensures that modulated initial sequence numbers have the same properties regarding separation and non-repetition as those generated by our TCP stack. ok markus@ frantzen@

2005-10-25  Henning Brauer
  mtag in pf_route is now only used for IPSEC, so #ifdef it
  From: Mike Belopuhov <mkb@crypt.org.ru>

2005-10-17  Henning Brauer
  make pf use one mbuf tag instead of 6 distinct ones. use a little struct
  in the data part for the data from the previously distinct tags. look up the tag early and carry a pointer to it around. makes the code easier and saves some tag lookups and thus helps performance, as proven by tests run by Schöberle Dániel <Schoeberle.Daniel@aamtech.hu> Initially hacked up somewhere over the atlantic ocean in an A330 early testing reyk and moritz, "put it in" theo

2005-09-28  Christopher Pascoe
  Improve the safety of pf IOCTLs, taking into account that some paths can sleep.
  - Introduces a rw_lock in pfioctl so that we can have concurrent readers but only one process performing updates at a time;
  - Separates state expiry into "unlink" and "free" parts; anyone can unlink a state/src node from the RB trees at any time, but a state can only be freed whilst the write lock is held;
  - Converts state_updates into list state_list containing all states, regardless of whether they are "linked" or "unlinked";
  - Introduces a new PFTM_UNLINKED state that is used on the "unlinked" states to signal that they can be freed;
  - Converts pf_purge_expired_state to an "unlink" state routine, which only unlinks the state from the RB trees. Freeing the state/src nodes is left to the purge thread, which runs whilst holding a write lock, such that all "next" references remain valid;
  - Converts pfsync_bulk_update and DIOCGETSTATES to walk state_list rather than the RB trees;
  - Converts the purge thread to use the new state_list and perform a partial purge every second, with the target rate a full state table walk every PFTM_INTERVAL seconds.
  seen by mcbride, henning, dhartmei pre-3.8, but too intrusive for then

2005-08-22  Daniel Hartmeier
  when nat'ing icmp 'connections', replace icmp id with proxy values
  (similar to proxy ports for tcp/udp). not all clients use per-invocation random ids, this allows multiple concurrent connections from such clients. thanks for testing to Rod Whitworth, "looks ok" markus@

2005-08-22  Daniel Hartmeier
  fix rdr to bitmask replacement address pool. patch from Max Laier,
  reported by Boris Polevoy, tested by Jean Debogue, ok henning@

2005-08-18  Christopher Pascoe
  Rearrange pf_state and pfi_kif so that the parts of the structure needed
  to search for a particular entry in the RB trees are at the start of the structure. This permits us to place a much smaller structure on the stack in the interrupt paths that match packets against state entries. ok mcbride

2005-08-11  Joel Knight
  Only decrement the max-src-conn counter for tcp connections that reached
  "established" state. Requires recompiling pfctl, etc. ok dhartmei@

2005-07-31  Christopher Pascoe
  Perform pf state/rule/table expiry in a kernel thread instead of running
  it out of a timeout handler. This means we will have process context, required when using the oldnointr pool allocator. Addresses pr4186, pr4273. ok dhartmei@ henning@ tedu@

2005-07-31  Christopher Pascoe
  Change the API for icmp_do_error so that it takes the mtu directly, rather
  than a pointer to struct ifnet containing it. Saves a 448 byte stack allocation in ip_forward which previously faked up a struct ifnet just for this purpose. idea ok deraadt millert

2005-07-29  Christopher Pascoe
  Use one "struct pf_state key" declaration at top of pf_test_state_icmp,
  instead of allocating it as a temp var in six mutually exclusive code paths. Saves 784 bytes of kernel stack (on i386).

2005-07-21  Markus Friedl
  account ipv4 packets with wrong tcp/udp/icmp checksums and udp
  packets with invalid uh_len; ok dhartmei

2005-07-04  Markus Friedl
  restrict the tcp.finwait timeout (45s) to state combinations where we have
  seen a FIN from both sides (whether ACKed or not) and use tcp.closing (900s) for half closed connections. otherwise half closed connections will time out within 45s. ok dhartmei, henning.

2005-06-13  Henning Brauer
  make the packet and byte counters on rules and src nodes per direction,
  matches the counters on states now. also fix the counting on scrub rules where we previously did not handle the byte counters at all. extend pfctl -sl output to include the new separate in/out counters hacked on the ferry from Earls Cove to Saltery Bay ok ryan

2005-05-27  Daniel Hartmeier
  log two pairs of uid/pid through pflog: the uid/pid of the process that
  inserted the rule which causes the logging. secondly, the uid/pid of the process in case the logged packet is delivered to/from a local socket. a lookup of the local socket can be forced for logged packets with a new option, 'log (user)'. make tcpdump print the additional information when -e and -v is used. note: this changes the pflog header struct, rebuild all dependencies. ok bob@, henning@.

2005-05-26  Daniel Hartmeier
  support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
  from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants. ok frantzen@, camield@

2005-05-23  Daniel Hartmeier
  change pool allocation of table entries, no longer use the oldnointr
  allocator and two pools, but PR_WAITOK when called from non-interrupt context (ioctl). add configurable hard limits for tables and table entries (set limit tables/table-entries), defaulting to 1000/100000. ok aaron@, henning@, mcbride@, art@

2005-05-21  Henning Brauer
  clean up and rework the interface abstraction code big time, rip out multiple
  useless layers of indirection and make the code way cleaner overall. this is just the start, more to come... worked very hard on by Ryan and me in Montreal last week, on the airplane to vancouver and yesterday here in calgary. it hurt. ok ryan theo

2005-04-25  Brad Smith
  csum -> csum_flags
  ok krw@ canacar@

2005-04-22  Daniel Hartmeier
  When synproxy completes the replayed handshake and modifies the state
  into a normal one, it sets both peers' sequence windows. Fix a bug where the previously advertised windows are applied to the wrong side (i.e. peer A's seqhi is peer A's seqlo plus peer B's, not A's, window). This went undetected because mostly the windows are similar and/or re-advertised soon. But there are (rare) cases where a synproxy'd connection would stall right after handshake. Found by Gleb Smirnoff.

2005-04-15  Joel Knight
  Try this again.
  When synproxy sends packets to the destination host, make sure to copy the 'tag' from the original state entry into the outgoing mbuf. ok dhartmei@ deraadt@

2005-04-14  Henning Brauer
  back out last, some breakage crept in

2005-04-14  Joel Knight
  When synproxy sends packets to the destination host, make sure to copy
  the 'tag' from the original state entry into the outgoing mbuf. ok henning@ dhartmei@

2005-03-15  Daniel Hartmeier
  byte order of mss, only affects synproxy code path, from John L. Scarfone

2005-03-04  Daniel Hartmeier
  add state's tag for IPv6, too. spotted by markus@

2005-03-03  Daniel Hartmeier
  when tagging, apply the same tag to all packets matching a state entry
  (not just to the initial packet). note: kernel/userland abi change (rebuild pfctl). ok henning@

2005-02-27  Daniel Hartmeier
  support 'tagged' in translation rules, non-delayed tag lookup
  ok henning@, deraadt@

2005-01-30  Daniel Hartmeier
  Add some more reason counters and use them instead of overloading the
  'memory' one, which helps debugging. Alters the kernel/userland ABI, rebuild pfctl and tcpdump. ok henning@

2005-01-20  Daniel Hartmeier
  Use the packet's address family instead of the rule's when selecting a
  replacement address for an rdr rule. Some rdr rules have no address family (when the replacement is a table and no other criterion implies one AF). In this case, pf would fail to select a replacement address and drop the packet due to translation failure. Found by Gustavo A. Baratto. ok mcbride@, henning@, markus@

2005-01-07  Ryan Thomas McBride
  Make carp(4) traffic always appear on the physical (carpdev) interface
  from pf's perspective. ok pascoe@ dhartmei@ henning@

2004-12-22  Daniel Hartmeier
  Introduce 'set skip on <ifspec>' to support a list of interfaces where no
  packet filtering should occur (like loopback, for instance). Code from Max Laier, with minor improvements based on feedback from deraadt@. ok mcbride@, henning@

2004-12-17  Daniel Hartmeier
  ICMP state entries use the ICMP ID as port for the unique state key. When
  checking for a usable key, construct the key in the same way. Otherwise, a colliding key might be missed or a state insertion might be refused even though it could be inserted. The second case triggers the endless loop fixed by 1.474, possibly allowing a NATed LAN client to lock up the kernel. Report and test data by Srebrenko Sehic.

2004-12-14  Ryan Thomas McBride
  Initialise init_addr in pf_map_addr() in the PF_POOL_ROUNDROBIN,
  prevents a possible endless loop in pf_get_sport() with 'static-port' Reported by adm at celeritystorm dot com in FreeBSD PR74930, debugging by dhartmei@ ok dhartmei@

2004-12-11  Marco Pfatschbacher
  Handle errors in pf_route{,6} more gracefully.
  Proposed by mcbride. ok henning@, mcbride@

2004-12-10  Henning Brauer
  allow pf to filter on route labels
  pass in from route dtag keep state queue reallyslow tested by Gabriel Kihlman <gk@stacken.kth.se> and Michael Knudsen <e@molioner.dk> and ryan ok ryan

2004-12-07  Ryan Thomas McBride
  KNF

2004-12-07  Daniel Hartmeier
  re-commit mcbride@'s 'flush global', this time without the breakage in
  pfvar.h. builds kernel and userland.

2004-12-07  Theo de Raadt
  tree does not compile, spotted by dlg (not obvious how to fix)
  ---- Change the default for 'overload <table> flush' to flush only states from the offending source created by the rule. 'flush global' flushes all states originating from the offending source. ABI change, requires kernel and pfctl to be in sync. ok deraadt@ henning@ dhartmei@

2004-12-07  Ryan Thomas McBride
  Change the default for 'overload <table> flush' to flush only states from the
  offending source created by the rule. 'flush global' flushes all states originating from the offending source. ABI change, requires kernel and pfctl to be in sync. ok deraadt@ henning@ dhartmei@

2004-12-06  Daniel Hartmeier
  support max-src-conn-rate with synproxy, ok mcbride@

2004-12-05  Daniel Hartmeier
  IPv6 packets can contain headers (like options) before the TCP/UDP/ICMP6
  header. pf finds the first TCP/UDP/ICMP6 header to filter by traversing the header chain. In the case where headers are skipped, the protocol checksum verification used the wrong length (included the skipped headers), leading to incorrectly mismatching checksums. Such IPv6 packets with headers were silently dropped. Reported by Bernhard Schmidt. ok mcbride@

2004-12-04  Ryan Thomas McBride
  Add kernel code to keep track of tcp connections which have completed
  the 3-way handshake. Allow limits on both total connections and connection rate, put offenders in a table which can be used in the ruleset, and optionally kill existing states. Rate tracking code from dhartmei@. Adds a second pool for table entries using the default allocator, which allows entries to be added at splsoftnet(). ok deraadt@ dhartmei@

2004-11-24  Daniel Hartmeier
  fix a bug that leads to a crash when binat rules of the form
  'binat from ... to ... -> (if)' are used, where the interface is dynamic. reported by kos(at)bastard(dot)net, analyzed by Pyun YongHyeon

2004-11-19  Daniel Hartmeier
  remove superfluous m_tag_copy/m_tag_prepend, already covered by m_copym2()
  reported by Joerg Sonnenberger, ok henning@

2004-11-12  Daniel Hartmeier
  The flag to re-filter pf-generated packets was set wrong by synproxy
  for ACKs. It should filter the ACK replayed to the server, instead of the one to the client. Thanks to Daniel Polak for testing.