to make it reusable by pf fragment reassembly. No functional change.
discussed with henning@, claudio@, deraadt@, kettenis@
ok guenther@

and make it void.
ok henning@, markus@, mcbride@

problem was reported by babut at yandex dot ru in the pr 6564, tested by
the pr originator and me, ok henning mcbride. shaves off a bunch of XXXs.

using address ranges (e.g. "10.1.1.1 - 10.1.1.5") did not match addresses
correctly on little-endian systems. ok henning@

IPv4-ICMP6 and IPv6-ICMP packets are not rewritten in case they are
dropped and logged.
spotted by mikeb@; ok henning@

not do the same check in pf_test_rule() again.
ok henning

header length was uninitialized. This resulted in a panic in
m_clget(). Initialize hdrlen with 0 and call m_copyback() only if
necessary.
ok henning@

ok henning@ markus@

- PF_DROP, the packet is bad, the mbuf still exists and must be freed.
- PF_PASS and *m0 is NULL, the packet has been processed, not an error.
- PF_PASS and *m0 is not NULL, continue with packet processing.
This fixes a potential mbuf use after free.
ok henning@ markus@ mpf@

ok claudio henning dlg miod

could be used multiple times for different packets. This happened
when pflow(4) was used. Instead of a global variable, store the
pf_headers in a local variable on the stack.
david@ found the bug, narrowed it down and tested the fix.
ok henning@

string.
ok henning dlg claudio

misleading comment that did nothing.
ok henning@ jsing@

common function pf_addr_compare().
ok henning@

tracked down and diff sent by Robert B Mills <rbmills at sdf.lonestar.org>
thanks, very good work! ok claudio

ok henning@

reason to question himself by adding an XXX

hardcoding 0.
roughly almost a bit equivalent to what pf_test_rule does. changing the
rdomain for not reassembled fragments is not going to work ever, so the
full dance pf_test_rule does doesn't make sense here.
speaking of sense, I don't see anything remotely resembling sense in
pf filtering on fragments without reassembling them first.
with/ok claudio

pf_test_rule will have done it already, as correctly XXX-comment noted by
claudio almost a year ago.
pf_test6 (which is scarily different there) didn't have that at all.

/* XXX This does NOT affect pass rules! */
SLIST_FOREACH(ri, &s->match_rules, entry) {
...
delete that comment, entirely superfluous

pf_compare_state_keys will stay, we play safe.

ok henning@

behaviour consistent between IPv4 and IPv6.
From martin.pelikan@gmail.com

forces logging on all subsequent matching rules
real ok theo assumed oks ryan and dlg bikeshedding everyone in the room
implementation time ~ 1 minute

else and an unneeded if (r)

pass or block rule, not the last matching rule. triggered by pr6401.
this means that, for example, a rdr-to on a pass rule can override an
rdr-to on a match rule that comes later in the ruleset. but that's the
semantics: for block and pass rules, the last matching one wins, aka
actions are applied after we're done with ruleset eval, and match rules'
actions are applied on the fly. discussion with dlg and claudio, ok dlg ryan

value is used in verbose "show rules" output as "states creations", but
match rules never create state. states_cur aka "States" is needed and
correct, match rules are being associated with states. ok ryan

as it is in the very same moment pf hits that match rule. really awesome
with multiple rdr-to and the like. ok dlg - ryan would ok it too if he was
here right now

and 0 if it didn't so we know whether we have to rewrite or not.
ok ryan dlg
and in just an hour from now on this might have reached cvs eventually
from njetwork challenged j2k10 in japan

information about the packet we're currently dealing with, into its own
function. ok ryan dlg and additional testing sthen

number space. In fact they are independent and must be handled
separately. Fix traceroute via pf by splitting pf_icmp_mapping()
into IPv4 and IPv6 sections.
ok henning@ mcbride@; tested mcbride@; sure deraadt@

are required to detect that.
Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error
ok claudio@ henning@ krw@

is for, it is not very obvious... with ryan and jsing

walking the ruleset and up until state is fully set up) into pf_pdesc instead
of passing around those 4 separately all the time, also shrinks the argument
count for a few functions that have/partially had an insane count of arguments.
kinda preparational since we'll need them elsewhere too, soon
ok ryan jsing

accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepaths rdomain aware.
Apart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning

nat rule. It should check to see if it's in-use (i.e. matches an existing
PF state), if it is, it cycles sequentially through other ports until
it finds a free one. However the check was being done with the state
keys the wrong way round so it was never actually finding the state
to be in-use.
- switch the keys to correct this, avoiding random state collisions
with nat. Fixes PR 6300 and problems reported by robert@ and viq.
- check pf_get_sport() return code in pf_test(); if port allocation
fails the packet should be dropped rather than sent out untranslated.
Help/ok claudio@.

definition of DPFPRINTF(), and log priorities from syslog.h. Old debug
levels will still work for now, but will eventually be phased out.
discussed with henning, ok dlg

ok claudio

it if we have it.
Requested by dlg, ok henning.

incorrect error handling

happy and went to use after free instead. ryan and I think we found the
reason - just freeing that state keys in the error path is wrong as well,
since pf_state_key_setup could have found existing, identical state keys
and linked our state to these. if we now free them the other state that
hung off these state keys would point back to the freed state keys. so
instead of manually trying to free the state keys just call
pf_state_key_detach which has all the magic checks.
with and ok ryan

is not null, to be safe and to be able to call this with half setup
states. with and ok ryan

actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.
Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.
ok henning dlg claudio

need two state keys (NAT case), and we succeed allocating the first one
but fail getting the second we'd leak the first one. obvious and thus ok'd
by dlg ryan and theo within seconds

over the last couple of weeks (ever since I found it): when we are out of
memory for the state keys we leak the state. oh the irony.
instead of just fixing that one case rework the error handling in the entire
function. verified painfully by yours truly by forcefully exercising each
and every error path in there. ryan ok

on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:
pass out on em0 from $foo to $bar received-on fxp0
I've been running this in production for a week now. i find it particularly
useful with interface groups.
no objections, and a few "i like"s from henning, claudio, deraadt, mpf