summaryrefslogtreecommitdiff
path: root/sys/net/pf.c
AgeCommit message (Collapse)Author
2008-10-28Always skip "urpf-failed" test for IPv6 link local addresses.Marco Pfatschbacher
We could re-embed the scope-id before we do the route lookup, but then we would just find the very interface we've received the packet on anyway. OK markus@, claudio@, henning@
2008-10-23use the correct idiom for NFOO things which come from "foo.h" filesTheo de Raadt
ok dlg
2008-10-02When redirect is used with sticky-address and a matching pass rule usesJoel Sing
reply-to, the sticky-address in the source tracking pool is overwritten with the reply-to address, resulting in new connections being incorrectly redirected to the reply-to host (instead of the sticky-address host). Prevent this by passing a NULL source node reference to pf_map_addr() when looking up the reply-to host, thus preventing the NAT source node from being overwritten. ok mcbride@ henning@
2008-09-28Teach PF pf_print_state_parts() about IPv4 in IP and IPv6 in IPJoel Sing
encapsulation. Decapitalise the 'v' in ICMPv6 whilst here. ok henning@
2008-09-17remove dead stores and newly created unused variables.Charles Longeau
fix potential use of uninitialized value in trunk_port_ioctl() function. Found by LLVM/Clang Static Analyzer. ok mpf@ henning@
2008-09-10re-enable the state key linking. i believe the bugs that hit us shortlyHenning Brauer
before release are fixed, and the extra check i added prevents incorrect linking if there are still cases with tunnels, tho none of the testers saw these yet, except for an icmp case that will be fixed shortly. the extra check prevents misbehavior there. if you see 'pf: state key linking mismatch' messages please report them to me along with ifconfig -A and mention if you do any routing or nat tricks. ok deraadt
2008-09-09welcome pflow(4), a netflow v5 compatible flow export interface.Henning Brauer
flows export data gathered from pf states. initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many changes by me. 'put it in' theo
2008-09-03before linking state keys compare them to verify they actually are theHenning Brauer
exact reverse of each other. if there is a mismatch don't erstablish the link and print enough so that we should be able to find the culprit.
2008-09-02remove dead stores and newly created unused variables.Charles Longeau
Found by LLVM/Clang Static Analyzer. ok henning@ mpf@
2008-08-26introduce a function to be called when addressing information has changed,Henning Brauer
pf_pkt_addr_changed. atm just clears the state key pointer. calling this is cleaner than having other parts of the stack clearing pointers in the pf part of the mbuf packet header directly.
2008-08-22Make pf_print_host() print IPv6 addresses correctly.Alexander Bluhm
ok mpf
2008-08-02do not write the pf state key pointer to the pkhdr.Henning Brauer
effectively disables state key linking and pcb linking - unfortunatly, there seems to be a bug somewhere in there or triggered by it that we haven't tracked down yet, so we disable this for now to be on the safe side for release. lots of testing and analysis from todd and david.
2008-07-22after pf_state_key_atach nothing must use the state keys passed to it anyHenning Brauer
more, since they might have been invalidated and free'd. one synproxy errorpath did so, however. just get the state keys from the state itself. ok david mcbride
2008-07-21some whitespace cleanup I did while looking through the codeDavid Krause
ok mcbride@ henning@
2008-07-21fix typo that broke rdr rules (without pass) with non-TCP/UDP/ICMP protocolsDavid Krause
ok mcbride@ henning@
2008-07-14m_copy can return NULL, so check for itHenning Brauer
problem found by "Adrian M. Whatley" <amw> and "Stephan A. Rickauer" <stephan.rickauer>, both @ni.phys.ethz.ch fix by me, ok mpf
2008-07-10check pf NAT source port allocation against net.inet.(tcp|udp).baddynamicDamien Miller
lists; prevents use of ports corresponding to well-known services. replace a couple of arc4random()%N with arc4random_uniform(N) that missed the first round. ok mcbride@
2008-07-10In pf_state_insert(), if the first pf_state_key_attach() fails, theDavid Krause
state key is freed by pf_state_key_attach(). But in the case of NAT, there are two state keys allocated, so we must free the second key manually. Fixes a pf_state_key_pl leak seen in certain cases with pfsync or with pf state-insert errors. ok mcbride@ henning@
2008-07-05in pf_state_key_attach(), when there is already an existing state key thatDavid Krause
can be used and we return the state key back to the pool, don't insert state items into the tailq using that garbage state key. this makes things much happier for me. ok henning@
2008-07-04in pf_state_key_attach(), when we find that there already is a state keyHenning Brauer
that we can attach the state to, make sure to not overwrite the state key pointer in the state that was just set to the existing state key with the state key that was supplied with the state and just free'd (well, pool_put'd). by the time we clean up the state and try to follow it to RB_REMOVE etc we'd follow that garbage pointer to either an unrelated state key or the old state key still sitting unused in the pool. should fix the RB_REMOVE panics some people have been seeing. "clearly ok, please commit" ryan
2008-07-04remove prototype for nonexistant functionHenning Brauer
2008-07-03link pf state keys to tcp pcbs and vice versa.Henning Brauer
when we first do a pcb lookup and we have a pointer to a pf state key in the mbuf header, store the state key pointer in the pcb and a pointer to the pcb we just found in the state key. when either the state key or the pcb is removed, clear the pointers. on subsequent packets inbound we can skip the pcb lookup and just use the pointer from the state key. on subsequent packets outbound we can skip the state key lookup and use the pointer from the pcb. about 8% speedup with 100 concurrent tcp sessions, should help much more with more tcp sessions. ok markus ryan
2008-07-01Don't return immediately if we're actually passing the traffic, we want toRyan Thomas McBride
ensure that the packet gets rewritten correctly first. As usual, problem pointed out by david ok henning
2008-07-01PF_DT_SKIP_STATETREE is no longer used.Ryan Thomas McBride
ok henning
2008-06-29Simplify state creation code; merge state import/export code between pfsyncRyan Thomas McBride
and the state-related pf(4) ioctls, and make functions in state creation and destruction paths more robust in error conditions. All values in struct pfsync_state now in network byte order, as with pfsync. testing by david ok henning, systat parts ok canacar
2008-06-26Fix sticky-address on rdr; With the current nat code, we always use the sameRyan Thomas McBride
address in the NATed state key for translation regardless of direction. Report and testing by david@
2008-06-21Only do state key linking on the outbound path.Ryan Thomas McBride
Fixes stateful filtering on enc0. Problem report, testing, and ok david@
2008-06-16when freeing a state key sk1, look wether it is linked to another state keyHenning Brauer
sk2 and reset sk2's link back to sk1
2008-06-12fix synproxy.Henning Brauer
the factored out pf_create_state() could return PF_PASS, _DROP, and _SYNPROXY_DROP. We were treating the latter the same as _PASS and thus passing the original SYN which we of course don't want in the synproxy case. breakage reported by sakurai-san, headscratching with and ok ryan
2008-06-11when we establish the mapping from a state key, do it both ways, akaHenning Brauer
key1->reverse = key2; and key2->reverse = key1; ok ryan
2008-06-11factor out state creation code for readability; make it static inlineHenning Brauer
to not hurt performance while passing the 20 args (sigh) ok theo ryan, ok + feedback jsing
2008-06-11superfluous to check for m != NULL in pf_find_state, it is plainHenning Brauer
impossible that m is NULL here since all callers dereference it unconditionally beforehands, and find state without and mbuf doesn't make sense in the first place
2008-06-11after finding a state in the outbound path clear the statekey pointerHenning Brauer
in the header so it cannot get used again in case of somewhat weird reflection + mbuf-reuse-without-pkthdr-clearing cases. it looks like gif falls into the latter category. discussed with and ok theo
2008-06-11extra paranoia:Henning Brauer
1) only set the state key in the mbuf header in the inbound case 2) only use it in the outbound case discussed with and ok theo
2008-06-11yuck, fix a last minute collisionHenning Brauer
2008-06-11store a pointer to the stack side state key in the mbuf packetHenning Brauer
header inbound. on the outbound side, we take that and look for the key that is the exact opposite, and store that mapping in the state key. on subsequent packets we don't have to do the lookup on outbound any more. almost unable to get real benchmarks going here, we know for sure this gives a more than 5% increase in forwarding performance. many thanks to ckuethe for stress- and performance-testing. ok ryan theo
2008-06-10Handle the closing of half connections where we don't see the fullReyk Floeter
bidirectional FIN/ACK+ACK handshake. ok henning@
2008-06-10Simplify code slightly; use PR_ZERO with pool_get() rather than bzero().Ryan Thomas McBride
ok mpf henning
2008-06-10Handle a special sloppy case where we only see one half of theReyk Floeter
connection. If there is a ACK after the initial SYN without ever seeing a packet from the destination, set the connection to established. ok henning@
2008-06-10remove a debug check& printf that should not have gone in in the firstHenning Brauer
place
2008-06-10save somespace in the state by collapsing two 8 bit ints used as booleansHenning Brauer
into one 8 bit flags field. shrinks the state structure by 4 bytes on 32bit archs ryan ok
2008-06-10in pf_test_state_icmp when trying tomatch icmp errors to tcp sessionsHenning Brauer
do not verify the sequence number against the state if the state is sloppy and thus doesn't have that information. independently pointed out by frantzen and ryan, ok ryan
2008-06-10implement a sloppy tcpstate tracker which does not look at sequenceHenning Brauer
numbers at all. scary consequences; only tobe used in very specific situations where you don't see all packets of a connection, e. g. asymmetric routing. ok ryan reyk theo
2008-06-09rename arc4random_bytes => arc4random_buf to match libc's nicer name;Damien Miller
ok deraadt@
2008-06-08factor out the tcp sequence number tracking from pf_test_state_tcpHenning Brauer
ok mcbride
2008-06-08null pointer check before derefHenning Brauer
almost nobody ran into that because it is ipv6 only
2008-06-02Fix synproxy breakage introduced with the state table reorganization.Ryan Thomas McBride
Bug report and testing from Otto Bretz. ok henning@
2008-05-30trivial KNF before we go furtherHenning Brauer
2008-05-29Second half of PF state table rearrangement.Ryan Thomas McBride
- Mechanical change: Use arrays for state key pointers in pf_state, and addr/port in pf_state_key, to allow the use of indexes. - Fix NAT, pfsync, pfctl, and tcpdump to handle the new state structures. In struct pfsync_state, both state keys are included even when identical. - Also fix some bugs discovered in the existing code during testing. (in particular, "block return" for TCP packets was not returning an RST) ok henning beck deraadt tested by otto dlg beck laurent Special thanks to users Manuel Pata and Emilio Perea who did enough testing to actually find some bugs.
2008-05-29rewrite the state table logic.Henning Brauer
complete the split off of the layer 3/4 adressing information from the extra information in the actual state. a state key holds a list of states, and a state points to two state keys - they're only different in the NAT case. More specificially, it deprecates the (often difficult to understand) concept of lan, ext, and gwy addresses, replacing them with WIRE and STACK side address tuples. (af, proto, saddr, daddr, sport, dport). Concept first brought up some years ago on a ferry ride in bc by ryan and me, I spent some time over the last year getting closer, and finally got it completed in japan with ryan. dlg also took part, helped a lot, and saved us 8 bytes. This commit removes support for any kind of NAT as well as pfsync. It also paves the road for some code simplification and some very cool future stuff. ok ryan beck, tested by many