path: root/sys/net/pf.c
Age  Author  Commit message
2004-12-10  Henning Brauer
    allow pf to filter on route labels
    pass in from route dtag keep state queue reallyslow
    tested by Gabriel Kihlman <gk@stacken.kth.se> and Michael Knudsen <e@molioner.dk> and ryan
    ok ryan
2004-12-07  Ryan Thomas McBride
    KNF
2004-12-07  Daniel Hartmeier
    re-commit mcbride@'s 'flush global', this time without the breakage in
    pfvar.h. builds kernel and userland.
2004-12-07  Theo de Raadt
    tree does not compile, spotted by dlg (not obvious how to fix)
    ----
    Change the default for 'overload <table> flush' to flush only states from
    the offending source created by the rule. 'flush global' flushes all states
    originating from the offending source.
    ABI change, requires kernel and pfctl to be in sync.
    ok deraadt@ henning@ dhartmei@
2004-12-07  Ryan Thomas McBride
    Change the default for 'overload <table> flush' to flush only states from
    the offending source created by the rule. 'flush global' flushes all states
    originating from the offending source.
    ABI change, requires kernel and pfctl to be in sync.
    ok deraadt@ henning@ dhartmei@
2004-12-06  Daniel Hartmeier
    support max-src-conn-rate with synproxy, ok mcbride@
2004-12-05  Daniel Hartmeier
    IPv6 packets can contain headers (like options) before the TCP/UDP/ICMP6
    header. pf finds the first TCP/UDP/ICMP6 header to filter by traversing the
    header chain. In the case where headers are skipped, the protocol checksum
    verification used the wrong length (included the skipped headers), leading
    to incorrectly mismatching checksums. Such IPv6 packets with headers were
    silently dropped. Reported by Bernhard Schmidt. ok mcbride@
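The header-chain walk and the length mistake this commit describes, as an added stand-alone C example (not OpenBSD or pf code): it builds a constructed IPv6 packet with a destination-options header in front of UDP, walks the extension-header chain to the transport header, and verifies the UDP checksum with the upper-layer length, i.e. ip6_plen minus the skipped headers. A `buggy` flag reproduces the pre-fix behaviour of passing ip6_plen unchanged, which makes the pseudo-header length wrong and the checksum mismatch. Function names (ip6_find_upper, ip6_proto_cksum_ok), the PadN option contents and the sample addresses are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not pf code. Minimal IPv6 constants and layout. */
#define IP6_HDRLEN   40
#define NH_HOPOPTS    0
#define NH_UDP       17
#define NH_ROUTING   43
#define NH_FRAGMENT  44
#define NH_DSTOPTS   60

/* Add 16-bit big-endian words to a ones'-complement sum; odd byte is zero-padded. */
static uint32_t sum16(uint32_t sum, const uint8_t *p, size_t n)
{
    while (n > 1) {
        sum += (uint32_t)p[0] << 8 | p[1];
        p += 2;
        n -= 2;
    }
    if (n)
        sum += (uint32_t)p[0] << 8;
    return sum;
}

static uint16_t fold16(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/*
 * Walk the extension-header chain to the first transport header.
 * Returns 0 and sets *off/*proto, or -1 if the chain runs past the packet.
 * Only headers a filter can skip are handled; fragments are assumed to be
 * reassembled already (offset 0).
 */
static int ip6_find_upper(const uint8_t *pkt, size_t pktlen, size_t *off, uint8_t *proto)
{
    if (pktlen < IP6_HDRLEN)
        return -1;
    uint8_t nxt = pkt[6];
    size_t o = IP6_HDRLEN;
    for (;;) {
        size_t hlen;
        switch (nxt) {
        case NH_HOPOPTS:
        case NH_ROUTING:
        case NH_DSTOPTS:
            if (o + 2 > pktlen)
                return -1;
            hlen = ((size_t)pkt[o + 1] + 1) * 8;   /* length field is in 8-octet units, not counting the first */
            break;
        case NH_FRAGMENT:
            hlen = 8;
            break;
        default:
            *off = o;
            *proto = nxt;
            return 0;
        }
        if (o + hlen > pktlen)
            return -1;
        nxt = pkt[o];
        o += hlen;
    }
}

/* IPv6 pseudo-header (src, dst, upper-layer length, next header) plus len bytes at off. */
static uint16_t in6_cksum(const uint8_t *pkt, size_t off, uint32_t len, uint8_t proto)
{
    uint8_t ph[40];
    memcpy(ph, pkt + 8, 32);
    ph[32] = len >> 24; ph[33] = len >> 16; ph[34] = len >> 8; ph[35] = len;
    ph[36] = ph[37] = ph[38] = 0; ph[39] = proto;
    uint32_t sum = sum16(0, ph, sizeof ph);
    return fold16(sum16(sum, pkt + off, len));
}

/*
 * Verify the transport checksum. buggy != 0 uses ip6_plen as the length
 * (pre-fix behaviour); otherwise the skipped headers are subtracted.
 * The caller's buffer must cover off + len bytes.
 */
static int ip6_proto_cksum_ok(const uint8_t *pkt, size_t pktlen, int buggy)
{
    size_t off;
    uint8_t proto;
    if (ip6_find_upper(pkt, pktlen, &off, &proto) < 0)
        return 0;
    uint32_t plen = (uint32_t)pkt[4] << 8 | pkt[5];
    uint32_t len = buggy ? plen : plen - (uint32_t)(off - IP6_HDRLEN);
    return in6_cksum(pkt, off, len, proto) == 0;
}

/*
 * Constructed packet: IPv6 + 8-byte destination-options header (PadN) + UDP
 * with 4 bytes of data. The buffer is oversized and zero-filled so the buggy
 * variant stays in bounds; zero bytes do not change the sum, so its mismatch
 * comes from the pseudo-header length alone.
 */
static uint8_t g_pkt[128];

static size_t build_sample(void)
{
    const uint8_t data[4] = { 'a', 'b', 'c', 'd' };
    const size_t udplen = 8 + sizeof data;
    const size_t plen = 8 + udplen;
    memset(g_pkt, 0, sizeof g_pkt);
    g_pkt[0] = 0x60;                              /* version 6 */
    g_pkt[4] = plen >> 8; g_pkt[5] = plen & 0xff;
    g_pkt[6] = NH_DSTOPTS;
    g_pkt[7] = 64;                                /* hop limit */
    g_pkt[8 + 15] = 1;                            /* src ::1 */
    g_pkt[24 + 15] = 2;                           /* dst ::2 */
    uint8_t *dst = g_pkt + IP6_HDRLEN;
    dst[0] = NH_UDP; dst[1] = 0;                  /* next header, hdr ext len 0 (8 bytes) */
    dst[2] = 1; dst[3] = 4;                       /* PadN, 4 padding bytes */
    uint8_t *udp = dst + 8;
    udp[0] = 0x04; udp[1] = 0xd2;                 /* sport 1234 */
    udp[2] = 0x00; udp[3] = 0x35;                 /* dport 53 */
    udp[4] = 0; udp[5] = (uint8_t)udplen;
    memcpy(udp + 8, data, sizeof data);
    uint16_t c = in6_cksum(g_pkt, IP6_HDRLEN + 8, (uint32_t)udplen, NH_UDP);
    if (c == 0)
        c = 0xffff;
    udp[6] = c >> 8; udp[7] = c & 0xff;
    return IP6_HDRLEN + plen;
}

static size_t sample_packet_len(void) { return build_sample(); }

static int sample_cksum_ok(int buggy)
{
    build_sample();
    return ip6_proto_cksum_ok(g_pkt, sizeof g_pkt, buggy);
}

/* A chain that runs past the end of the packet must be rejected, not read. */
static int sample_cksum_ok_truncated(void)
{
    build_sample();
    return ip6_proto_cksum_ok(g_pkt, 44, 0);
}

int main(void)
{
    printf("len=%zu fixed=%d buggy=%d truncated=%d\n", sample_packet_len(),
        sample_cksum_ok(0), sample_cksum_ok(1), sample_cksum_ok_truncated());
    return 0;
}
```

With the fixed length the UDP checksum verifies; with ip6_plen passed through, the same packet fails, which is exactly the silent drop the report describes.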
2004-12-04  Ryan Thomas McBride
    Add kernel code to keep track of tcp connections which have completed
    the 3-way handshake. Allow limits on both total connections and connection
    rate, put offenders in a table which can be used in the ruleset, and
    optionally kill existing states. Rate tracking code from dhartmei@.
    Adds a second pool for table entries using the default allocator, which
    allows entries to be added at splsoftnet().
    ok deraadt@ dhartmei@
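As an added example of the kind of per-source rate tracking this commit describes (not the kernel's code): a counter that decays linearly over the configured window and trips once more than `limit` handshakes complete within `seconds`, the shape a `max-src-conn-rate limit/seconds` limit takes. The names (struct threshold, THRESHOLD_MULT), the fixed-point scaling and the simulation helpers are assumptions of this illustration, not pf identifiers.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not pf code. Count is scaled so integer decay keeps precision. */
#define THRESHOLD_MULT 1000

struct threshold {
    uint32_t limit;     /* limit * THRESHOLD_MULT */
    uint32_t seconds;   /* window length in seconds */
    uint32_t count;     /* scaled, decaying event count */
    uint32_t last;      /* time of the last event, seconds */
};

static void threshold_init(struct threshold *th, uint32_t limit, uint32_t seconds)
{
    th->limit = limit * THRESHOLD_MULT;
    th->seconds = seconds;
    th->count = 0;
    th->last = 0;
}

/* Decay the count linearly over the elapsed fraction of the window, then add one event. */
static void threshold_add(struct threshold *th, uint32_t now)
{
    uint32_t diff = now - th->last;         /* wraps to a large value if time went backwards: full reset */
    if (diff >= th->seconds)
        th->count = 0;
    else
        th->count -= (uint32_t)((uint64_t)th->count * diff / th->seconds);
    th->count += THRESHOLD_MULT;
    th->last = now;
}

/* 1 once the source exceeded limit events per window. */
static int threshold_exceeded(const struct threshold *th)
{
    return th->count > th->limit;
}

/* n completed handshakes from one source at second t; 1 if the limit tripped. */
static int burst_trips(uint32_t limit, uint32_t seconds, uint32_t n, uint32_t t)
{
    struct threshold th;
    threshold_init(&th, limit, seconds);
    int tripped = 0;
    for (uint32_t i = 0; i < n; i++) {
        threshold_add(&th, t);
        tripped |= threshold_exceeded(&th);
    }
    return tripped;
}

/* Two bursts: n1 at t1, then n2 at t2. Shows how much of the first burst is still counted. */
static int two_bursts_trip(uint32_t limit, uint32_t seconds,
    uint32_t n1, uint32_t t1, uint32_t n2, uint32_t t2)
{
    struct threshold th;
    threshold_init(&th, limit, seconds);
    int tripped = 0;
    for (uint32_t i = 0; i < n1; i++) {
        threshold_add(&th, t1);
        tripped |= threshold_exceeded(&th);
    }
    for (uint32_t i = 0; i < n2; i++) {
        threshold_add(&th, t2);
        tripped |= threshold_exceeded(&th);
    }
    return tripped;
}

/* n handshakes spaced interval seconds apart: a steady rate below the limit must never trip. */
static int steady_trips(uint32_t limit, uint32_t seconds, uint32_t n, uint32_t interval)
{
    struct threshold th;
    threshold_init(&th, limit, seconds);
    int tripped = 0;
    for (uint32_t i = 0; i < n; i++) {
        threshold_add(&th, i * interval);
        tripped |= threshold_exceeded(&th);
    }
    return tripped;
}

int main(void)
{
    /* limit 10 per 5 seconds in every scenario */
    printf("10 at once: %d, 11 at once: %d\n", burst_trips(10, 5, 10, 100), burst_trips(10, 5, 11, 100));
    printf("8 then 8 two seconds later: %d, ten seconds later: %d\n",
        two_bursts_trip(10, 5, 8, 0, 8, 2), two_bursts_trip(10, 5, 8, 0, 8, 10));
    printf("one per second for 30s: %d\n", steady_trips(10, 5, 30, 1));
    return 0;
}
```

A steady one-per-second source settles at about half the scaled limit and never trips, while two bursts of eight two seconds apart do, because only 2/5 of the first burst has decayed by then; a burst after a full window starts from zero.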
2004-11-24  Daniel Hartmeier
    fix a bug that leads to a crash when binat rules of the form
    'binat from ... to ... -> (if)' are used, where the interface is dynamic.
    reported by kos(at)bastard(dot)net, analyzed by Pyun YongHyeon
2004-11-19  Daniel Hartmeier
    remove superfluous m_tag_copy/m_tag_prepend, already covered by m_copym2()
    reported by Joerg Sonnenberger, ok henning@
2004-11-12  Daniel Hartmeier
    The flag to re-filter pf-generated packets was set wrong by synproxy
    for ACKs. It should filter the ACK replayed to the server, instead of
    the one to the client. Thanks to Daniel Polak for testing.
2004-11-07  Daniel Hartmeier
    For RST generated due to state mismatch during handshake, don't set
    th_flags TH_ACK and leave th_ack 0, just like the RST generated by the
    stack in this case. Fixes the Raptor workaround. ok beck@, markus@
2004-09-29  Daniel Hartmeier
    reset anchor pointer to NULL when stepping back into the main ruleset,
    fixes pflog attributing states wrongly to anchors and pfctl -vvsn/sr
    showing wrong state counters for anchor rules. found by camield@,
    ok henning@, -stable candidate
2004-09-20  Henning Brauer
    pf_routable(), used for the no-route keyword, was a v4 only implementation,
    and behaved incorrectly when used with v6. implement the v6 case too.
    ok canacar mcbride
2004-09-17  Ryan Thomas McBride
    Clean up reference counting wrt state creation and destruction. Fixes
    problems with adaptive timeouts, max-states limits, and rules not being
    freed from memory. Diff from Chris Pascoe. ok henning@ dhartmei@
2004-07-11  Jun-ichiro itojun Hagino
    backout IPv6 reass-on-scrub patch (more work needs to be done).
    requested by deraadt
2004-06-25  Jun-ichiro itojun Hagino
    correct "scrub in" behavior for IPv6.
    remaining TODO:
    - "forward" case kernel behavior (IPv4 too), then pfctl syntax change
    - red-black tree
2004-06-25  Jun-ichiro itojun Hagino
    IPv6 reassembly on "scrub" directive.
    caveats: (to be addressed soon)
    - "scrub in" should queue fragments back into ip6intrq again, but somehow
      it does not happen - the packet is kept inside reass queue. need investigation
    - ip6_forwarding path is not tested
    - does not use red-black tree. somehow red-black tree behaved badly and
      was not robust. performance issue, the above one is more important.
    good things:
    - "scrub out" is perfectly ok
    - i think now we can inspect upper-layer protocol fields (tcp port) even
      if ip6 packet is fragmented.
    - reass queue will be cleaned up properly by timeout (60sec). we might
      want to impose pool limit as well
2004-06-22  Cedric Berger
    Pull the plug on source-based routing until remaining bugs are eradicated.
    No need to reconfig kernel or rebuild userland stuff.
    requested deraadt@, help beck@
2004-06-21  Thorsten Lockert
    First step towards more sane time handling in the kernel -- this changes
    things such that code that only need a second-resolution uptime or wall
    time, and used to get that from time.tv_secs or mono_time.tv_secs now get
    this from separate time_t globals time_second and time_uptime.
    ok art@ niklas@ nordin@
2004-06-21  Ryan Thomas McBride
    Get rid of pf_test_eh() wrapper.
    ok cedric@ henning@
2004-06-10  Daniel Hartmeier
    rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
    keyword in C++. ok henning@, cedric@
2004-06-06  Cedric Berger
    extend routing table to be able to match and route packets based on
    their *source* IP address in addition to their destination address.
    routing table "destination" now contains a "struct sockaddr_rtin" for
    IPv4 instead of a "struct sockaddr_in". the routing socket has been
    extended in a backward-compatible way.
    todo: PMTU enhancements, IPv6.
    ok deraadt@ mcbride@
2004-05-19  Daniel Hartmeier
    Allow recursive anchors (anchors within anchors, up to 64
    levels deep). More work required, but this is already functional.
    authpf users will need to adjust their anchor calls, but this will
    change again soon. ok beck@, cedric@, henning@, mcbride@
2004-05-11  Daniel Hartmeier
    pf_cksum_fixup() was called without last argument from normalization,
    also fixup checksum when random-id modifies ip_id. This would previously
    lead to incorrect checksums for packets modified by scrub random-id.
    From Pyun YongHyeon. ok cedric@
2004-05-11  Daniel Hartmeier
    change pf_route() loop detection: introduce a counter (number of times
    a packet is routed already) in the mbuf tag, allow at most four times.
    Fixes some legitimate cases broken by the previous change. ok cedric@
2004-05-05  Mike Frantzen
    Use RFC1323 PAWS timestamps as a logical extension to the conventional TCP
    sequence numbers by taking advantage of the maximum 1KHz clock as an
    upper bound on the timestamp. Typically gains 10 to 18 bits of additional
    security against blind data insertion attacks. More if the TS Echo wasn't
    optional :-(
    Enabled with: scrub on !lo0 all reassemble tcp
    ok dhartmei@. documentation help from jmc@
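The idea behind this commit, as an added and deliberately simplified C example (not pf's implementation, which tracks more state than this): a peer's timestamp clock ticks at most 1000 times per second, so between two packets seen dt milliseconds apart its TS value can advance by at most dt ticks plus some slack; a value older than the last one seen (the PAWS rule) or further ahead than elapsed time allows cannot come from the real peer, even if the forged segment's sequence number fell inside the window. The names (struct ts_peer, ts_check), the TS_SLACK_MS tolerance and the sample traffic are assumptions of this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not pf code. Tolerance for clock granularity and jitter (assumed). */
#define TS_SLACK_MS 2000

struct ts_peer {
    uint32_t ts_recent;   /* last TS value seen from this side */
    uint64_t seen_ms;     /* wall clock (ms) when it was seen */
    int      valid;       /* 0 until the first timestamp is recorded */
};

/* Serial-number comparison so a 32-bit wrap of the timestamp is handled. */
static int ts_after(uint32_t a, uint32_t b)
{
    return (int32_t)(a - b) > 0;
}

/*
 * Return 1 if tsval is plausible from this peer at now_ms and record it,
 * 0 otherwise (state untouched, segment should be dropped).
 */
static int ts_check(struct ts_peer *p, uint32_t tsval, uint64_t now_ms)
{
    if (!p->valid) {
        p->ts_recent = tsval;
        p->seen_ms = now_ms;
        p->valid = 1;
        return 1;
    }
    /* PAWS: older than what we already saw is a replay or a forgery. */
    if (ts_after(p->ts_recent, tsval))
        return 0;
    /* Upper bound: a 1 kHz clock cannot have advanced more than elapsed ms (+ slack). */
    uint64_t elapsed = now_ms > p->seen_ms ? now_ms - p->seen_ms : 0;
    uint32_t advance = tsval - p->ts_recent;
    if ((uint64_t)advance > elapsed + TS_SLACK_MS)
        return 0;
    p->ts_recent = tsval;
    p->seen_ms = now_ms;
    return 1;
}

/* Constructed legitimate traffic: a peer with a 1 kHz timestamp clock. */
static int run_legit(struct ts_peer *p)
{
    int ok = 0;
    ok += ts_check(p, 1000, 0);      /* first segment seeds the state */
    ok += ts_check(p, 1100, 100);    /* 100 ms later, clock advanced 100 */
    ok += ts_check(p, 1250, 250);
    return ok;
}

static int legit_stream_accepted(void)
{
    struct ts_peer p = {0};
    return run_legit(&p);
}

/*
 * Blind injector at t = 300 ms who guessed the sequence number correctly
 * but must also guess a TS value; only a narrow range passes.
 */
static int forged_accepted(uint32_t guess)
{
    struct ts_peer p = {0};
    run_legit(&p);
    return ts_check(&p, guess, 300);
}

/* Number of the 2^32 possible TS values that would be accepted at now_ms. */
static uint64_t accept_window_size(uint64_t now_ms)
{
    struct ts_peer p = {0};
    run_legit(&p);
    uint64_t elapsed = now_ms > p.seen_ms ? now_ms - p.seen_ms : 0;
    return elapsed + TS_SLACK_MS + 1;
}

int main(void)
{
    printf("legit accepted: %d/3\n", legit_stream_accepted());
    printf("forged ts=0: %d, ts=0x7fffffff: %d, ts=1300: %d, ts=4000: %d\n",
        forged_accepted(0), forged_accepted(0x7fffffff),
        forged_accepted(1300), forged_accepted(4000));
    printf("accepted TS values at t=300ms: %llu of 2^32\n",
        (unsigned long long)accept_window_size(300));
    return 0;
}
```

In this toy configuration only about 2^11 of the 2^32 timestamp values pass at the moment of injection, so the attacker has to guess roughly 21 extra bits beyond the sequence number; with the wider tolerances a real implementation needs the gain is smaller, which is the 10 to 18 bits the commit message estimates.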
2004-04-28  Cedric Berger
    make return-rst work on pure bridges. ok dhartmei@ henning@ mcbride@
2004-04-28  Philipp Buehler
    Don't step into INET6 code, just because af != AF_INET
    Also comment #endif properly while being here
    ok mcbride@
2004-04-27  Mike Frantzen
    validate the sequence numbers on TCP resets are an exact match. check is
    only enabled when we're doing full frag reassembly and thus have full seq
    info
    ok markus@
2004-04-26  Ryan Thomas McBride
    Prevent biases in arc4random() from disclosing the byte order of the firewall.
    ok deraadt@
2004-04-26  Cedric Berger
    anchor refcounting. ok dhartmei@ mcbride@
2004-04-25  Daniel Hartmeier
    prevent an endless loop with route-to lo0, fixes PR 3736,
    ok pb@, henning@, markus@
2004-04-25  Philipp Buehler
    get rid of a complete state tree walk at state expire while in splnet()
    ok mcbride@ henning@
2004-04-25  Philipp Buehler
    sync 'other' in test6, too.
    ok dhartmei@ mcbride@
2004-04-25  Daniel Hartmeier
    don't add PF_GENERATED tag to synproxy generated packets for the second
    handshake, so they can match rules (and create state) on another
    interface. ok cedric@
2004-04-24  Cedric Berger
    Add "probability xxx" rule modifier. ok deraadt@
2004-04-17  Henning Brauer
    when the input queue congestion flag is set stop evaluating the ruleset
    and block unconditionally. when the input queue is full, newly arriving
    packets are dropped anyway, and while the input queue is full we obviously
    have a CPU load problem. with this change, we allow the machine to recover
    gracefully, dropping a few packets fast instead of a lot slowly over a long
    time while processing rather old stuff in the input queue, giving somebody
    a chance to log in on the console and fix stuff instead of going completely
    unresponsive, and as a nice side effect, let established connections alone.
    ok kjc@ markus@ beck@
2004-04-05  Daniel Hartmeier
    make pftag ** (pass pointer by reference), otherwise it's never updated.
    the parameter serves only as optimization to cache m_tag_get() results.
    ok henning@
2004-03-26  Daniel Hartmeier
    Properly m_copyback() modified TCP sequence number after demodulation
    ok mcbride@, henning@, cedric@, deraadt@
2004-03-25  Ryan Thomas McBride
    Fix icmp checksum when sequence number modulation is being used.
    Also fix a daddr vs saddr cut-n-paste error in ICMP error handling.
    From dhartmei@ ok deraadt@
2004-03-22  Ryan Thomas McBride
    Support for best effort bulk transfers of states when pfsync syncif is
    configured. This allows pfsync+carp clusters to come up gracefully
    without killing active connections. pfsync now prevents carp from
    preempting to become master until the state table has sync'd.
    ABI change, any application which use struct pf_state must be recompiled.
    Reminded about this by Christian Gut. Thanks to beck@ cedric@ and
    dhartmei@ for testing and comments.
    ok deraadt@
2004-03-11  Ryan Thomas McBride
    Don't call pf_src_tree_remove_state() on error in pf_insert_state(),
    it's also called in the function which calls pf_insert_state().
    Pointed out by Patrick Latifi, ok cedric@ dhartmei@
2004-03-09  Ryan Thomas McBride
    KNF, ok cedric@ deraadt@
2004-02-24  Ryan Thomas McBride
    Remove redundant logging from pf_test_other().
    ok henning@ cedric@
2004-02-24  Ryan Thomas McBride
    KNF
2004-02-20  Ryan Thomas McBride
    Make pfsync deal with clearing states bound to a group or interface (eg
    pfctl -i fxp0 -Fs). Also don't send out individual state deletions if
    we're sending a clear message, move pfsync_clear_states() inside splnet,
    and fix if_pfsync.h includes in pf.c and pf_ioctl.c.
    ok cedric@ dhartmei@
2004-02-19  Kenjiro Cho
    the 2nd round of the qid assignment change.
    make the semantics in line with the tag assignment, which simplifies
    the id management in pf.
    ok, henning@
2004-02-10  Daniel Hartmeier
    KNF
2004-02-10  Jun-ichiro itojun Hagino
    plug mbuf leak (ip_fragment() always free mbuf on error). tested by cedric,
    dhartmei ok