summaryrefslogtreecommitdiff
path: root/sys/net/pf.c
AgeCommit message (Collapse)Author
2003-10-10make sure pd is initialized before use (or byte counters may increaseDaniel Hartmeier
by random values). ok mcbride@, cedric@, henning@
2003-10-02correct endian handling of ip->ip_off.Jun-ichiro itojun Hagino
do not try to send incomplete fragments on ENOBUFS case (behavior change from 4.4bsd). dhartmei ok
2003-09-26Rearchitecture of the userland/kernel IOCTL interface for transactions.Cedric Berger
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command. (some splxxx work remain in the kernel). Basically, improvements are: - Anchors/Rulesets cannot disappear unexpectedly anymore. - No more leftover in the kernel if "pfctl -f" fail. - Commit is now done in a single atomic IOCTL. WARNING: The kernel code is fully backward compatible, but the new pfctl/authpf userland utilities will only run on a new kernel. The following ioctls are deprecated (i.e. will be deleted sooner or later, depending on how many 3rd party utilities use them and how soon they can be upgraded): - DIOCBEGINRULES - DIOCCOMMITRULES - DIOCBEGINALTQS - DIOCCOMMITALTQS - DIOCRINABEGIN - DIOCRINADEFINE They are replaced by the following ioctls (yes, PF(4) will follow) which operate on a vector of rulesets: - DIOCXBEGIN - DIOCXCOMMIT - DIOCXROLLBACK Ok dhartmei@ mcbride@
2003-09-26Move statistics counters from individual pf_test_<proto>() andRyan Thomas McBride
pf_test_state_<proto>() to pf_test() and pf_test6(). Reduce code redundancy, and fix the following bugs: - ICMP packets were not being accounted for correctly (missing statistics code in pf_test_state_icmp() - Some packets were not being counted in the loginterface statistics NOTE: Under some situations with route-to, packets may get counted once on the original interface, and once on the pf-routed interface. This can be dealt with by rules which specify the each interface explicitly. ok cedric@, henning@
2003-09-24Remove state setup no-ops.Ryan Thomas McBride
ok cedric@ frantzen@ henning@
2003-09-01KNFHenning Brauer
2003-09-01Make nat rule update the table counters when no filtering rule is used.Cedric Berger
This is mostly to support the new "nat pass" rule. ok dhartmei@ henning@
2003-08-28fix "pfctl -vvsr" output for rules with tables inside anchors.Cedric Berger
ok henning@
2003-08-21Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.Mike Frantzen
Exposes the source IP's operating system to the filter language. Interesting policy decisions are now enforceable: . block proto tcp from any os SCO . block proto tcp from any os Windows to any port smtp . rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001
2003-08-18prevent looutput() feedback of broadcast/multicast packets if they areDaniel Hartmeier
pf routed. prevents a kernel lockup with some (non-sensical) route-to rules. report and debugging by mpech@. ok itojun@, henning@, mpech@.
2003-08-17Missing break, change NULL -> 0 for int parameter (no functionalDaniel Hartmeier
changes), from Andrey Matveev
2003-08-14m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.Jason Wright
2003-08-09This patch remove the restriction that tables cannot be used in routing orCedric Berger
redirection rules... The advantage of using tables in redirection/routing rules is not efficiency, in fact it will run slower than straight address pools. However, this brings a lot of flexibility to PF, allowing simple scripts/daemons to add/remove addresses from redirection/routing pools easily. This implementation support all table features, including cidr blocks and negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6. Tables can also be combined with simple addresses, so the following rule will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }" ok henning@ mcbride@
2003-08-07make pf_match take u_int32_t instead of u_int16_tHenning Brauer
it's not only used to ,atch on ports any more but uid/gid as well, and uid_t/gid_t are u_int32_t. found by aaron@ ok cedric@
2003-07-29Set pf_state->rt_ifp when creating the state entry, instead of doing itDaniel Hartmeier
later on, when another packet matches the state. ok mcbride@
2003-07-29More aggressive and easier to understand skip steps for addresses.Cedric Berger
Help daniel@ mcbride@ Ok henning@ mcbride@
2003-07-19Simplify struct pf_pooladdr to include struct pf_addr_wrap directlyCedric Berger
instead of indirectly trough struct pf_rule_addr. Ryan McBride says: If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as well. The code was changed to fix some of the bugs with port ranges, but it was too late in the release cycle to make kernel API changes, so the structure was left as is. Needless to say: KERNEL/USERLAND SYNC REQUIRED. ok henning@ mcbride@
2003-07-12Remove two htons(), which were meant as ntohs(), and are wrong sinceDaniel Hartmeier
ip_ouput() flipped byte order. From Pyun YongHyeon. ok itojun@
2003-07-09do not flip ip_len/ip_off in netinet stack. deraadt ok.Jun-ichiro itojun Hagino
(please test, especially PF portion)
2003-07-04cosmetic changes to keep the different code paths in sync; ok henningMarkus Friedl
2003-07-04-add a "natpass" field to pf_ruleHenning Brauer
-if natpass is nonzero on nat/rdr/binat rules, do not evaluate the filter ruleset, but set the rulepointer to the default rule (which is a pass rule) in cooperation with daniel. ok dhartmei@ cedric@ markus@
2003-07-04bad redundant copy; ok danielMarkus Friedl
2003-06-29normalize IPv6 packet (no reass, but it is a start). dhartmei & henning okJun-ichiro itojun Hagino
- length, jumbo payload option - TTL ("hoplimit" in IPv6 terminology) rewrite
2003-06-29unused global. dhartmei okJun-ichiro itojun Hagino
2003-06-28remove duplicated prototype (they are in pfvar.h). dhartmei okJun-ichiro itojun Hagino
2003-06-24in the ipv6 case, allow route-to to route to link-local addressesHenning Brauer
from KOZUKA Masahiro <ma-kun@kozuka.jp> with a minor adjustment from itojun ok itojun@ dhartmei@
2003-06-24KNFHenning Brauer
2003-06-21count packets and bidirectionally on state entries, allowing for fine-grainedDamien Miller
traffic reporting w/ pfsync; ok dhartmei@ Note: ABI change (new fields in struct pf_state), requires a rebuild of pfctl and tcpdump.
2003-06-20Add MSS support to the synproxy. The client's MSS is sent to the server,Daniel Hartmeier
the server's MSS is guessed based on the routing table and interface MTU. Fine patch entirely from Krists Krilovs <pow@pow.za.net>, ok frantzen@ Note: ABI change (new field in struct pf_state), requires a pfctl rebuild (and tcpdump for pfsync).
2003-06-20Extend 'BAD ICMP' debug message, include icmp type/code and outer IP headerDaniel Hartmeier
addresses. ok mcbride@, cedric@
2003-06-14Use source's window scaling factor (instead of destination's) whenDaniel Hartmeier
comparing ackskew, otherwise legitimate low acks can get blocked. Was triggered when asymmetric scale factors where used in combination with SACK. Report and logs provided by Peter Galbavy. ok frantzen@, henning@
2003-06-10It would kind of help if the flags member was initialized, otherwise randomDaniel Hartmeier
rules create state. Truly hard to spot. Unless you run the code, of course.
2003-06-09Attempt to resolve byte order confusion in nat code once and for all.Ryan Thomas McBride
- pf_get_sport() leaves the translated port in the packet in network byte order - merge code for the p1=0 p2=0 case and static-port case in pr_get_sport() NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.
2003-06-03move some prototypes to pfvar.h. needed soon.Henning Brauer
pf_tagname2tag, pf_tag2tagname, pf_tag_unref, pf_tag_packet
2003-05-18speed hack: delay fetching the mbuf tag until we really need it (hit aHenning Brauer
"tagged X" rule), and only get it when we really need it. simplifies code too. ok dhartmei@ pb@
2003-05-18Merge pf_send_ack() and _send_syn() into a generic _send_tcp().Daniel Hartmeier
In the SYN proxy, generate ACKs with proper window sizes after the handshakes.
2003-05-17Correct two comment typos.Daniel Hartmeier
2003-05-17With rdr we want the source IP from the packet, not the source IP fromRyan Thomas McBride
the rule. Fixes rdr with address pools using bitmask and source-hash address selection methods. ok dhartmei@ henning@
2003-05-17allow inverse matching on tagsHenning Brauer
ok dhartmei@ pb@
2003-05-17Add an 'action' code that allows the SYN proxy to swallow/drop a packetDaniel Hartmeier
without causing EHOSTUNREACH to be delivered to local sockets, so it works for outgoing connections originating on the same host. ok frantzen@
2003-05-16TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can useDaniel Hartmeier
'synproxy state' for TCP connections. pf will complete the TCP handshake with the active endpoint before passing any packets to the passive end- point, preventing spoofed SYN floods from reaching the passive endpoint. No additional memory requirements, no cookies needed, random initial sequence numbers, uses the existing sequence number modulators to translate packets after the handshakes. ok frantzen@
2003-05-14- modulate TCP Timestamps so they can't be used to detect NAT and to precludeMike Frantzen
remote uptime determination - scrub modifier "reassemble tcp" turns on stateful TCP normalizations ok henning@ dhartmei@
2003-05-14tag on each matching rule, not just the last one.Henning Brauer
idea from theo. to speed that up the real mbuf tag is not written until we hit the last match but an internal variable is used to track the tag. this can be used to split classification and policy enforcement, for example. and much much much more... ok dhartmei@ frantzen@
2003-05-14Use official (from pcap people) link type for pflog.Can Erkin Acar
With this change, the log header format also changes. The new log format is extendible and allows logging of the originating anchor and ruleset information. ok henning@ dhartmei@ frantzen@
2003-05-142 lines of code bring us tags on nat rulesHenning Brauer
ok dhartmei@ frantzen@
2003-05-13add support for tagging packets with arbitary tags and filtering based onHenning Brauer
those tags later on. ok dhartmei@ pb@ mcbride@ frantzen@
2003-05-12- TCP window scaling is not applied to the SYNs' window so we must retract theMike Frantzen
initial maximum window by the scaling factor. otherwise our view of the allowable sequence window is too big. back out the scaling factor adjustment from the max window if the other endpoint rejects window scaling - window scale the forward ACK skew check ok dhartmei@
2003-05-12Reorder IPv6 address comparisons to check the least significant partsRyan Thomas McBride
first. The least significant portions of the IPv6 address are more likely to differ than the more significant ones, since in most situations half the addresses (either the source or the destination) will be in the local subnet. ok dhartmei@ henning@
2003-05-12Adaptive timeout value scaling. Allows to reduce timeout values as theDaniel Hartmeier
number of state table entries grows, so entries time out faster before the table fills up. Works both globally and per-rule. ok frantzen@
2003-05-11the start of stateful TCP scrubbing. dynamically determine the highest TTL ofMike Frantzen
each side of the TCP connection and prevent it from being reduced ok pb@ dhartmei@