| Age | Commit message (Collapse) | Author |
|---|
|
'binat from ... to ... -> (if)' are used, where the interface
is dynamic. reported by kos(at)bastard(dot)net, analyzed by
Pyun YongHyeon
|
|
reported by Joerg Sonnenberger, ok henning@
|
|
for ACKs. It should filter the ACK replayed to the server, instead of
of the one to the client. Thanks to Daniel Polak for testing.
|
|
th_flags TH_ACK and leave th_ack 0, just like the RST generated by
the stack in this case. Fixes the Raptor workaround. ok beck@, markus@
|
|
fixes pflog attributing states wrongly to anchors and pfctl -vvsn/sr
showing wrong state counters for anchor rules. found by camield@,
ok henning@, -stable candidate
|
|
and behaved incorrectly when used with v6. impliment the v6 case too.
ok canacar mcbride
|
|
problems with adaptive timeouts, max-states limits, and rules not being
freed from memory.
Diff from Chris Pascoe.
ok henning@ dhartmei@
|
|
requested by deraadt
|
|
remaining TODO:
- "forward" case kernel behavior (IPv4 too), then pfctl syntax change
- red-black tree
|
|
caveats: (to be addressed soon)
- "scrub in" should queue fragments back into ip6intrq again, but
somehow it does not happen - the packet is kept inside reass queue.
need investigation
- ip6_forwarding path is not tested
- does not use red-black tree. somehow red-black tree behaved badly
and was not robust. performance issue, the above one is more
important.
good things:
- "scrub out" is perfectly ok
- i think now we can inspect upper-layer protocol fields (tcp port)
even if ip6 packet is fragmented.
- reass queue will be cleaned up properly by timeout (60sec). we might
want to impose pool limit as well
|
|
No need to reconfig kernel or rebuild userland stuff.
requested deraadt@, help beck@
|
|
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.
ok art@ niklas@ nordin@
|
|
ok cedric@ henning@
|
|
keyword in C++. ok henning@, cedric@
|
|
their *source* IP address in addition to their destination address.
routing table "destination" now contains a "struct sockaddr_rtin"
for IPv4 instead of a "struct sockaddr_in".
the routing socket has been extended in a backward-compatible way.
todo: PMTU enhancements, IPv6. ok deraadt@ mcbride@
|
|
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@
|
|
also fixup checksum when random-id modifies ip_id. This would previously
lead to incorrect checksums for packets modified by scrub random-id.
From Pyun YongHyeon. ok cedric@
|
|
a packet is routed already) in the mbuf tag, allow at most four times.
Fixes some legitimate cases broken by the previous change. ok cedric@
|
|
sequence numbers by taking advantage of the maximum 1KHz clock as an upperbound
on the timestamp. Typically gains 10 to 18 bits of additional security against
blind data insertion attacks. More if the TS Echo wasn't optional :-(
Enabled with: scrub on !lo0 all reassemble tcp
ok dhartmei@. documentation help from jmc@
|
|
|
|
Also comment #endif properly while being here
ok mcbride@
|
|
enabled when we're doing full frag reassembly and thus have full seq info
ok markus@
|
|
ok deraadt@
|
|
|
|
ok pb@, henning@, markus@
|
|
ok mcbride@ henning@
|
|
ok dhartmei@ mcbride@
|
|
handshake, so they can match rules (and create state) on another interface.
ok cedric@
|
|
|
|
and block unconditionally.
when the inout queue is full, newly arriving packets are dropped anyway,
and while the input queue is full we obviously have a CPU laod problem.
with this change, we allow the machine to recover gracefully, dropping a few
packets fast instead of a lot slowly over a long time while processing rather
old stuff in the input queue, giving somebody a chance to log in on the
console and fix stuff instead of going completely unresponsive, and as a nice
side effect, let established connections alone.
ok kjc@ markus@ beck@
|
|
the parameter serves only as optimization to cache m_tag_get() results.
ok henning@
|
|
ok mcbride@, henning@, cedric@, deraadt@
|
|
Also fix a daddr vs saddr cut-n-paste error in ICMP error handling.
From dhartmei@
ok deraadt@
|
|
configured. This this allows pfsync+carp clusters to come up gracefully
without killing active connections. pfsync now prevents carp from
preempting to become master until the state table has sync'd.
ABI change, any application which use struct pf_state must be recompiled.
Reminded about this by Christian Gut. Thanks to beck@ cedric@ and dhartmei@
for testing and comments.
ok deraadt@
|
|
it's also called in the function which calls pf_insert_state().
Pointed out by Patrick Latifi, ok cedric@ dhartmei@
|
|
|
|
ok henning@ cedric@
|
|
|
|
pfctl -i fxp0 -Fs). Also don't send out individual state deletions if we're
sending a clear message, move pfsync_clear_states() inside splnet, and fix
if_pfsync.h includes in pf.c and pf_ioctl.c.
ok cedric@ dhartmei@
|
|
make the semantics in line with the tag assignment, which simplifies
the id management in pf.
ok, henning@
|
|
|
|
dhartmei ok
|
|
|
|
source-tracking. Found by Pyun YongHyeon.
Also add support to pfctl to set the src-nodes pool limit.
"Luckily" some of the bugs cancel each other out; update kernel before
pfctl.
ok dhartmei@
|
|
Safer and faster since we know that ifp->if_index can potentially
be garbage. ok dhartmei@
|
|
|
|
length (same as udp_input() does, if pf is not enabled). Found by
Pyun YongHyeon. ok cedric@, ho@, henning@ and markus@.
|
|
struct ifnet *, from Pyun YongHyeon
|
|
|
|
|
