Age | Commit message | Author |
|
ok henning, jsing
|
|
ICMPv6 messages.
ok henning@
|
|
Suggested by Max Laier.
ok henning@
|
|
spotted by naddy@
ok henning@
|
|
but our local copy proto that we very carefully set beforehand. skw
being NULL is perfectly valid there.
|
|
steps found with the recent pfvar.h commit to check address families.
from & commit req by henning.
|
|
alternate routing table and separate them from other interfaces in distinct
routing tables. The same network can now be used in any domain at the same
time without causing conflicts.
This diff is mostly mechanical and adds the necessary rdomain checks across
net and netinet. L2 and IPv4 are mostly covered; still missing pf and IPv6.
input and tested by jsg@, phessler@ and reyk@. "put it in" deraadt@
|
|
code. In pf rtableid == -1 means don't change the rtableid because
of this rule. So it has to be signed int there. Before the value
is passed from pf to route it is always checked to be >= 0. Change
the type to int in pf and to u_int in netinet and netinet6 to make
the checks work. Otherwise -1 may be used as an array index and
the kernel crashes.
ok henning@
|
|
us relying on where we are setting it. ok ryan dlg
|
|
turned up in pf_icmp_state_lookup.
ok sthen@
|
|
ever try to apply options from the anchor rule if it was the last matching
one but the last matching real rule. it is right but despite begging nobody
has the balls to ok it ;(
|
|
correctly inherit queue stuff, tag, rtableid from the rule if we have no
state
some logic simplification and removal of redundant checks
ok dlg
|
|
|
|
all other code do. Should fix pr 6121.
ok henning@
|
|
specifically crafted IP datagram.
Problem noted by Sebastian Rother.
ok henning@ mcbride@ sthen@
|
|
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i.e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i.e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.
|
|
levels. This will allow for platforms where soft interrupt levels do not
map to real hardware interrupt levels to have soft ipl values overlapping
hard ipl values without breaking spl asserts.
|
|
ok henning markus
|
|
transactional, closing PRs 4941 and 5910. Minor flag day, requires rebuild
of userland tools that use struct pfi_kif.
ok henning deraadt
|
|
panic seen with some icmp types in icmp error message payloads.
Reported by david@ and insan.praja@gmail.com
|
|
in one port of the state key, using the type to determine which side should
be the id, and which should be the type. Also:
- Handle ICMP6 messages which are typically sent to multicast addresses but
receive unicast replies, by doing fallthrough lookups against the correct
multicast address.
- Clear up some mistaken assumptions in the PF code:
- Not all ICMP packets have an icmp_id, so simulate one based on other
data if we can, otherwise set it to 0.
- Don't modify the icmp id field in NAT unless it's echo
- Use the full range of possible id's when NATing icmp6 echo
ok henning marco
testing matthieu todd
|
|
when we, for a new state, hit an existing tcp state which is in FIN_WAIT_2
on both ends do not fail but insert the new state anyway and unlink the
old one afterwards. pimp error message a bit, too.
problem found with NAT by viq <viq@viq.ath.cx>
ok theo markus
|
|
WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC
this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.
huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.
ok beck@ mcbride@ "good." deraadt@
|
|
to zero for checksum offload; ok henning@
|
|
frees pf states.
ok mcbride@
|
|
pf_lb.c. This will ease the process of adding more selection types
without bloating pf.c even more.
ok and a weird death threat, henning@
raised eyebrow, dlg@
|
|
pretend there was no match. This prevents pf_state_insert()
to fail with duplicate keys. OK henning@, mcbride@
|
|
may have been allocated earlier by pf_get_translation(). Fixes a
pf_state_key_pl leak triggered by certain ICMP types matching a NAT
rule. Finally located with the help of pool_walk().
ok henning@ dlg@ mcbride@
|
|
whether we're called from the interrupt context to the functions
performing allocations.
Looked at by mpf@ and henning@, tested by mpf@ and Antti Harri,
the pr originator.
ok tedu
|
|
not only over routes of the same prio. This makes it possible to modify
rt_mpath_matchgate() so that if only gateway is specified without a specific
priority it will scan the full list and not only the first routes.
This is also needed for upcoming link state tracking.
|
|
We could re-embed the scope-id before we do the route lookup,
but then we would just find the very interface we've received
the packet on anyway.
OK markus@, claudio@, henning@
|
|
ok dlg
|
|
reply-to, the sticky-address in the source tracking pool is overwritten
with the reply-to address, resulting in new connections being incorrectly
redirected to the reply-to host (instead of the sticky-address host).
Prevent this by passing a NULL source node reference to pf_map_addr() when
looking up the reply-to host, thus preventing the NAT source node from
being overwritten.
ok mcbride@ henning@
|
|
encapsulation. Decapitalise the 'v' in ICMPv6 whilst here.
ok henning@
|
|
fix potential use of uninitialized value in trunk_port_ioctl() function.
Found by LLVM/Clang Static Analyzer.
ok mpf@ henning@
|
|
before release are fixed, and the extra check i added prevents incorrect
linking if there are still cases with tunnels, tho none of the testers
saw these yet, except for an icmp case that will be fixed shortly. the
extra check prevents misbehavior there.
if you see 'pf: state key linking mismatch' messages please report them to
me along with ifconfig -A and mention if you do any routing or nat tricks.
ok deraadt
|
|
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo
|
|
exact reverse of each other. if there is a mismatch don't establish the
link and print enough so that we should be able to find the culprit.
|
|
Found by LLVM/Clang Static Analyzer.
ok henning@ mpf@
|
|
pf_pkt_addr_changed. atm just clears the state key pointer.
calling this is cleaner than having other parts of the stack clearing
pointers in the pf part of the mbuf packet header directly.
|
|
ok mpf
|
|
effectively disables state key linking and pcb linking - unfortunately,
there seems to be a bug somewhere in there or triggered by it that
we haven't tracked down yet, so we disable this for now to be on the safe
side for release.
lots of testing and analysis from todd and david.
|
|
more, since they might have been invalidated and free'd.
one synproxy errorpath did so, however. just get the state keys from the
state itself. ok david mcbride
|
|
ok mcbride@ henning@
|
|
ok mcbride@ henning@
|
|
problem found by "Adrian M. Whatley" <amw> and "Stephan A. Rickauer"
<stephan.rickauer>, both @ni.phys.ethz.ch
fix by me, ok mpf
|
|
lists; prevents use of ports corresponding to well-known services.
replace a couple of arc4random()%N with arc4random_uniform(N) that
missed the first round.
ok mcbride@
|
|
state key is freed by pf_state_key_attach(). But in the case of NAT,
there are two state keys allocated, so we must free the second key
manually. Fixes a pf_state_key_pl leak seen in certain cases with
pfsync or with pf state-insert errors.
ok mcbride@ henning@
|
|
can be used and we return the state key back to the pool, don't insert
state items into the tailq using that garbage state key.
this makes things much happier for me.
ok henning@
|
|
that we can attach the state to, make sure to not overwrite the state key
pointer in the state that was just set to the existing state key with the
state key that was supplied with the state and just free'd (well, pool_put'd).
by the time we clean up the state and try to follow it to RB_REMOVE etc
we'd follow that garbage pointer to either an unrelated state key or the old
state key still sitting unused in the pool.
should fix the RB_REMOVE panics some people have been seeing.
"clearly ok, please commit" ryan
|