We could re-embed the scope-id before we do the route lookup,
but then we would just find the very interface we've received
the packet on anyway.
OK markus@, claudio@, henning@
|
|
ok dlg
|
|
reply-to, the sticky-address in the source tracking pool is overwritten
with the reply-to address, resulting in new connections being incorrectly
redirected to the reply-to host (instead of the sticky-address host).
Prevent this by passing a NULL source node reference to pf_map_addr() when
looking up the reply-to host, thus preventing the NAT source node from
being overwritten.
ok mcbride@ henning@
|
|
encapsulation. Decapitalise the 'v' in ICMPv6 whilst here.
ok henning@
|
|
fix potential use of uninitialized value in trunk_port_ioctl() function.
Found by LLVM/Clang Static Analyzer.
ok mpf@ henning@
|
|
before release are fixed, and the extra check I added prevents incorrect
linking if there are still cases with tunnels, tho none of the testers
saw these yet, except for an icmp case that will be fixed shortly. the
extra check prevents misbehavior there.
if you see 'pf: state key linking mismatch' messages please report them to
me along with ifconfig -A and mention if you do any routing or nat tricks.
ok deraadt
|
|
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo
|
|
exact reverse of each other. if there is a mismatch don't establish the
link and print enough so that we should be able to find the culprit.
|
|
Found by LLVM/Clang Static Analyzer.
ok henning@ mpf@
|
|
pf_pkt_addr_changed. atm just clears the state key pointer.
calling this is cleaner than having other parts of the stack clearing
pointers in the pf part of the mbuf packet header directly.
|
|
ok mpf
|
|
effectively disables state key linking and pcb linking - unfortunately,
there seems to be a bug somewhere in there or triggered by it that
we haven't tracked down yet, so we disable this for now to be on the safe
side for release.
lots of testing and analysis from todd and david.
|
|
more, since they might have been invalidated and free'd.
one synproxy errorpath did so, however. just get the state keys from the
state itself. ok david mcbride
|
|
ok mcbride@ henning@
|
|
ok mcbride@ henning@
|
|
problem found by "Adrian M. Whatley" <amw> and "Stephan A. Rickauer"
<stephan.rickauer>, both @ni.phys.ethz.ch
fix by me, ok mpf
|
|
lists; prevents use of ports corresponding to well-known services.
replace a couple of arc4random()%N with arc4random_uniform(N) that
missed the first round.
ok mcbride@
|
|
state key is freed by pf_state_key_attach(). But in the case of NAT,
there are two state keys allocated, so we must free the second key
manually. Fixes a pf_state_key_pl leak seen in certain cases with
pfsync or with pf state-insert errors.
ok mcbride@ henning@
|
|
can be used and we return the state key back to the pool, don't insert
state items into the tailq using that garbage state key.
this makes things much happier for me.
ok henning@
|
|
that we can attach the state to, make sure to not overwrite the state key
pointer in the state that was just set to the existing state key with the
state key that was supplied with the state and just free'd (well, pool_put'd).
by the time we clean up the state and try to follow it to RB_REMOVE etc
we'd follow that garbage pointer to either an unrelated state key or the old
state key still sitting unused in the pool.
should fix the RB_REMOVE panics some people have been seeing.
"clearly ok, please commit" ryan
|
|
|
|
when we first do a pcb lookup and we have a pointer to a pf state key
in the mbuf header, store the state key pointer in the pcb and a pointer
to the pcb we just found in the state key. when either the state key
or the pcb is removed, clear the pointers.
on subsequent packets inbound we can skip the pcb lookup and just use the
pointer from the state key.
on subsequent packets outbound we can skip the state key lookup and use
the pointer from the pcb.
about 8% speedup with 100 concurrent tcp sessions, should help much more
with more tcp sessions.
ok markus ryan
|
|
ensure that the packet gets rewritten correctly first.
As usual, problem pointed out by david
ok henning
|
|
ok henning
|
|
and the state-related pf(4) ioctls, and make functions in state creation and
destruction paths more robust in error conditions.
All values in struct pfsync_state now in network byte order, as with pfsync.
testing by david
ok henning, systat parts ok canacar
|
|
address in the NATed state key for translation regardless of direction.
Report and testing by david@
|
|
Fixes stateful filtering on enc0.
Problem report, testing, and ok david@
|
|
sk2 and reset sk2's link back to sk1
|
|
the factored out pf_create_state() could return PF_PASS, _DROP, and
_SYNPROXY_DROP. We were treating the latter the same as _PASS and thus
passing the original SYN which we of course don't want in the synproxy
case.
breakage reported by sakurai-san, headscratching with and ok ryan
|
|
key1->reverse = key2; and key2->reverse = key1;
ok ryan
|
|
to not hurt performance while passing the 20 args (sigh)
ok theo ryan, ok + feedback jsing
|
|
impossible that m is NULL here since all callers dereference it
unconditionally beforehand, and finding a state without an mbuf doesn't
make sense in the first place
|
|
in the header so it cannot get used again in case of somewhat weird
reflection + mbuf-reuse-without-pkthdr-clearing cases. it looks like
gif falls into the latter category.
discussed with and ok theo
|
|
1) only set the state key in the mbuf header in the inbound case
2) only use it in the outbound case
discussed with and ok theo
|
|
|
|
header inbound. on the outbound side, we take that and look for the key
that is the exact opposite, and store that mapping in the state key. on
subsequent packets we don't have to do the lookup on outbound any more.
almost unable to get real benchmarks going here, we know for sure this
gives a more than 5% increase in forwarding performance.
many thanks to ckuethe for stress- and performance-testing.
ok ryan theo
|
|
bidirectional FIN/ACK+ACK handshake.
ok henning@
|
|
ok mpf henning
|
|
connection. If there is an ACK after the initial SYN without ever
seeing a packet from the destination, set the connection to
established.
ok henning@
|
|
place
|
|
into one 8 bit flags field.
shrinks the state structure by 4 bytes on 32bit archs
ryan ok
|
|
do not verify the sequence number against the state if the state is sloppy
and thus doesn't have that information.
independently pointed out by frantzen and ryan, ok ryan
|
|
numbers at all. scary consequences; only to be used in very specific
situations where you don't see all packets of a connection, e. g.
asymmetric routing. ok ryan reyk theo
|
|
ok deraadt@
|
|
ok mcbride
|
|
almost nobody ran into that because it is ipv6 only
|
|
Bug report and testing from Otto Bretz.
ok henning@
|
|
|
|
- Mechanical change: Use arrays for state key pointers in pf_state, and
addr/port in pf_state_key, to allow the use of indexes.
- Fix NAT, pfsync, pfctl, and tcpdump to handle the new state structures.
In struct pfsync_state, both state keys are included even when identical.
- Also fix some bugs discovered in the existing code during testing.
(in particular, "block return" for TCP packets was not returning an RST)
ok henning beck deraadt
tested by otto dlg beck laurent
Special thanks to users Manuel Pata and Emilio Perea who did enough testing
to actually find some bugs.
|
|
complete the split off of the layer 3/4 addressing information from the extra
information in the actual state. a state key holds a list of states, and a
state points to two state keys - they're only different in the NAT case.
More specifically, it deprecates the (often difficult to understand)
concept of lan, ext, and gwy addresses, replacing them with WIRE and
STACK side address tuples. (af, proto, saddr, daddr, sport, dport).
Concept first brought up some years ago on a ferry ride in bc by ryan and
me, I spent some time over the last year getting closer, and finally
got it completed in japan with ryan. dlg also took part, helped a lot,
and saved us 8 bytes.
This commit removes support for any kind of NAT as well as pfsync.
It also paves the road for some code simplification and some very cool
future stuff.
ok ryan beck, tested by many
|