Age | Commit message | Author |
|
by random values). ok mcbride@, cedric@, henning@
|
|
do not try to send incomplete fragments on ENOBUFS case
(behavior change from 4.4bsd).
dhartmei ok
|
|
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remain in the kernel). Basically, improvements are:
- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.
WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.
The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):
- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE
They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:
- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK
Ok dhartmei@ mcbride@
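
Added example, not pfctl or kernel code from this commit: a C model of the transaction the new ioctls implement, a vector of rulesets opened with one ticket each, committed in a single step only if every ticket still matches, otherwise rolled back with nothing left behind in the "kernel". Struct layouts and the names `xbegin`, `xcommit`, `xrollback` are constructed stand-ins for DIOCXBEGIN/DIOCXCOMMIT/DIOCXROLLBACK; rules are just counted.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* A ruleset keeps an active copy (what the kernel filters with) and an
 * inactive copy that a loader fills in; rules are only counted here. */
struct ruleset {
    const char *anchor;
    int      active_rules;
    int      inactive_rules;
    uint32_t ticket;   /* bumped on every begin, so a stale loader is detected */
    bool     open;     /* an inactive copy is being built */
};

/* One element of the vector passed to begin/commit/rollback (constructed
 * stand-in for the per-ruleset entries of the DIOCX* ioctls). */
struct trans_entry {
    struct ruleset *rs;
    uint32_t        ticket;  /* filled in by xbegin, checked afterwards */
};

static uint32_t next_ticket = 1;

/* Open an inactive copy of every ruleset in the vector; one ticket each. */
int xbegin(struct trans_entry *v, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        v[i].rs->inactive_rules = 0;
        v[i].rs->open = true;
        v[i].rs->ticket = v[i].ticket = next_ticket++;
    }
    return 0;
}

/* Add a rule to an inactive copy; rejected once someone else reopened it. */
int add_rule(const struct trans_entry *e)
{
    if (!e->rs->open || e->rs->ticket != e->ticket)
        return EBUSY;
    e->rs->inactive_rules++;
    return 0;
}

/* Discard the inactive copies still owned by this transaction. Active
 * rulesets are never touched, so a failed load leaves nothing behind. */
int xrollback(const struct trans_entry *v, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (v[i].rs->open && v[i].rs->ticket == v[i].ticket) {
            v[i].rs->inactive_rules = 0;
            v[i].rs->open = false;
        }
    }
    return 0;
}

/* Swap inactive -> active for the whole vector or for none of it: every
 * ticket is verified before any ruleset is changed. */
int xcommit(const struct trans_entry *v, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (!v[i].rs->open || v[i].rs->ticket != v[i].ticket) {
            xrollback(v, n);
            return EBUSY;
        }
    }
    for (size_t i = 0; i < n; i++) {
        v[i].rs->active_rules = v[i].rs->inactive_rules;
        v[i].rs->inactive_rules = 0;
        v[i].rs->open = false;
    }
    return 0;
}
```

The point of the two-pass commit is the "no leftover" bullet: a second loader that reopens one ruleset mid-load invalidates that ticket, the whole vector is refused, and the first loader's partial inactive copies are dropped while the other loader's work stays open.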
|
|
pf_test_state_<proto>() to pf_test() and pf_test6(). Reduce
code redundancy, and fix the following bugs:
- ICMP packets were not being accounted for correctly (missing
statistics code in pf_test_state_icmp())
- Some packets were not being counted in the loginterface statistics
NOTE: Under some situations with route-to, packets may get counted
once on the original interface, and once on the pf-routed interface.
This can be dealt with by rules which specify each interface
explicitly.
ok cedric@, henning@
|
|
ok cedric@ frantzen@ henning@
|
|
|
|
This is mostly to support the new "nat pass" rule.
ok dhartmei@ henning@
|
|
ok henning@
|
|
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001
|
|
pf routed. prevents a kernel lockup with some (non-sensical) route-to
rules. report and debugging by mpech@. ok itojun@, henning@, mpech@.
|
|
changes), from Andrey Matveev
|
|
|
|
redirection rules...
The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.
This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.
Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"
ok henning@ mcbride@
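
Added example, not pf's code and not from the commit above: a small C model of what the message describes, expanding a table made of CIDR blocks and negated entries into the flat address list a redirection pool cycles over round-robin, and combining it with a plain address. Lookup semantics are assumed to follow pf tables (the most specific entry covering an address decides, so a negated /32 punches a hole in a wider block); the contents of `<bar>`, `POOL_MAX` and the `pool_*` names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One table entry as written in pf.conf: "addr/prefix" or "!addr/prefix". */
struct tbl_entry {
    uint32_t addr;   /* host byte order */
    int      prefix; /* 0..32 */
    bool     neg;    /* written with a leading '!' */
};

#define POOL_MAX 64  /* constructed limit for the example */

struct pool {
    uint32_t addr[POOL_MAX];
    size_t   n;
    size_t   rr;     /* round-robin cursor */
};

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return (a << 24) | (b << 16) | (c << 8) | d;
}

static uint32_t prefix_mask(int prefix)
{
    return prefix == 0 ? 0 : 0xffffffffu << (32 - prefix);
}

/* Longest-prefix semantics (assumption): the most specific entry covering
 * the address decides, so "!10.0.0.0" removes one host from "10.0.0.0/29". */
static bool table_match(const struct tbl_entry *t, size_t n, uint32_t a)
{
    int best = -1;
    for (size_t i = 0; i < n; i++) {
        uint32_t m = prefix_mask(t[i].prefix);
        if ((a & m) == (t[i].addr & m) &&
            (best < 0 || t[i].prefix > t[best].prefix))
            best = (int)i;
    }
    return best >= 0 && !t[best].neg;
}

/* Append an address unless already present; false when the pool is full. */
static bool pool_add(struct pool *p, uint32_t a)
{
    for (size_t i = 0; i < p->n; i++)
        if (p->addr[i] == a)
            return true;
    if (p->n == POOL_MAX)
        return false;
    p->addr[p->n++] = a;
    return true;
}

/* Walk every non-negated block and keep the addresses the table still
 * matches: this expansion is why tables are slower than a plain pool. */
static size_t pool_add_table(struct pool *p, const struct tbl_entry *t, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (t[i].neg)
            continue;
        uint32_t m = prefix_mask(t[i].prefix);
        uint64_t first = t[i].addr & m, last = first | (uint32_t)~m;
        for (uint64_t a = first; a <= last; a++)
            if (table_match(t, n, (uint32_t)a) && !pool_add(p, (uint32_t)a))
                return p->n;
    }
    return p->n;
}

/* Next address in round-robin order, wrapping at the end of the pool. */
uint32_t pool_next(struct pool *p)
{
    uint32_t a = p->addr[p->rr];
    p->rr = (p->rr + 1) % p->n;
    return a;
}

/* rdr ... -> { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } from the commit message */
size_t build_rdr_pool(struct pool *p)
{
    struct tbl_entry t[] = {
        { ip4(10, 0, 0, 0), 29, false },
        { ip4(10, 0, 0, 0), 32, true  },
        { ip4(10, 0, 0, 7), 32, true  },
    };
    p->n = p->rr = 0;
    return pool_add_table(p, t, 3);
}

/* nat on foo0 -> { 1.1.1.1 <bar> }; <bar> = { 192.0.2.0/30 } is constructed */
size_t build_nat_pool(struct pool *p)
{
    struct tbl_entry bar[] = { { ip4(192, 0, 2, 0), 30, false } };
    p->n = p->rr = 0;
    pool_add(p, ip4(1, 1, 1, 1));
    return pool_add_table(p, bar, 1);
}

int main(void)
{
    struct pool p;
    size_t n = build_rdr_pool(&p);
    for (size_t i = 0; i <= n; i++) {  /* one extra call shows the wrap-around */
        uint32_t a = pool_next(&p);
        printf("%u.%u.%u.%u\n", a >> 24, (a >> 16) & 255, (a >> 8) & 255, a & 255);
    }
    return 0;
}
```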
|
|
it's not only used to match on ports any more but uid/gid as well, and uid_t/gid_t are u_int32_t.
found by aaron@
ok cedric@
|
|
later on, when another packet matches the state. ok mcbride@
|
|
Help daniel@ mcbride@
Ok henning@ mcbride@
|
|
instead of indirectly through struct pf_rule_addr.
Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.
Needless to say: KERNEL/USERLAND SYNC REQUIRED.
ok henning@ mcbride@
|
|
ip_output() flipped byte order. From Pyun YongHyeon. ok itojun@
|
|
(please test, especially PF portion)
|
|
|
|
- if natpass is nonzero on nat/rdr/binat rules, do not evaluate the filter
ruleset, but set the rulepointer to the default rule (which is a pass rule)
in cooperation with daniel.
ok dhartmei@ cedric@ markus@
|
|
|
|
- length, jumbo payload option
- TTL ("hoplimit" in IPv6 terminology) rewrite
|
|
|
|
|
|
from KOZUKA Masahiro <ma-kun@kozuka.jp> with a minor adjustment from itojun
ok itojun@ dhartmei@
|
|
|
|
traffic reporting w/ pfsync; ok dhartmei@
Note: ABI change (new fields in struct pf_state), requires a rebuild of
pfctl and tcpdump.
|
|
the server's MSS is guessed based on the routing table and interface MTU.
Fine patch entirely from Krists Krilovs <pow@pow.za.net>, ok frantzen@
Note: ABI change (new field in struct pf_state), requires a pfctl rebuild
(and tcpdump for pfsync).
|
|
addresses. ok mcbride@, cedric@
|
|
comparing ackskew, otherwise legitimate low acks can get blocked. Was
triggered when asymmetric scale factors were used in combination with
SACK. Report and logs provided by Peter Galbavy. ok frantzen@, henning@
|
|
rules create state. Truly hard to spot. Unless you run the code, of course.
|
|
- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pf_get_sport()
NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.
|
|
pf_tagname2tag, pf_tag2tagname, pf_tag_unref, pf_tag_packet
|
|
"tagged X" rule), and only get it when we really need it. simplifies code too.
ok dhartmei@ pb@
|
|
In the SYN proxy, generate ACKs with proper window sizes after the
handshakes.
|
|
|
|
the rule. Fixes rdr with address pools using bitmask and source-hash
address selection methods.
ok dhartmei@ henning@
|
|
ok dhartmei@ pb@
|
|
without causing EHOSTUNREACH to be delivered to local sockets, so it works
for outgoing connections originating on the same host. ok frantzen@
|
|
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive endpoint,
preventing spoofed SYN floods from reaching the passive endpoint.
No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.
ok frantzen@
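
Added example, not pf's code and not from this commit: a C model of the synproxy exchange described above with both sides' segments, plus the MSS guess from the commit further up the log (MTU minus IP and TCP header sizes). Segment layout, `struct synproxy` and the function names are constructed; the ISN is supplied by the caller (pf picks a random one; the value used below is fixed only to make the run reproducible).

```c
#include <stdbool.h>
#include <stdint.h>

#define TH_SYN 0x02
#define TH_ACK 0x10

/* Only the fields the proxy looks at; constructed, not pf's descriptors. */
struct seg { uint8_t flags; uint32_t seq; uint32_t ack; uint16_t mss; };

enum phase { PROXY_IDLE, PROXY_SRC, PROXY_DST, PROXY_DONE };

struct synproxy {
    enum phase phase;
    uint32_t client_isn;  /* seq of the client's SYN */
    uint32_t proxy_isn;   /* ISN we chose for the SYN-ACK toward the client */
    uint32_t server_isn;  /* seq of the server's SYN-ACK */
    uint32_t seqdiff;     /* proxy_isn - server_isn, the modulator delta */
    uint16_t mss;
};

/* MSS guess from the path MTU: IPv4 20-byte IP + 20-byte TCP header,
 * IPv6 40 + 20, no options assumed. */
uint16_t mss_from_mtu(uint16_t mtu, bool ipv6)
{
    return (uint16_t)(mtu - (ipv6 ? 60 : 40));
}

/* Client SYN: answer it ourselves. Nothing goes to the server yet, so a
 * spoofed SYN costs the passive end nothing and the proxy keeps no
 * state beyond this struct. isn comes from the caller. */
bool synproxy_client_syn(struct synproxy *p, const struct seg *in,
                         uint32_t isn, uint16_t mtu, struct seg *synack)
{
    if (in->flags != TH_SYN)
        return false;
    p->phase = PROXY_SRC;
    p->client_isn = in->seq;
    p->proxy_isn = isn;
    p->mss = mss_from_mtu(mtu, false);
    *synack = (struct seg){ TH_SYN | TH_ACK, p->proxy_isn, p->client_isn + 1, p->mss };
    return true;
}

/* Client ACK: only an ack of our ISN completes the first handshake; then
 * the proxy opens the server side, reusing the client's own ISN so the
 * client->server direction needs no sequence translation. */
bool synproxy_client_ack(struct synproxy *p, const struct seg *in, struct seg *syn_to_server)
{
    if (p->phase != PROXY_SRC || in->flags != TH_ACK)
        return false;
    if (in->ack != p->proxy_isn + 1 || in->seq != p->client_isn + 1)
        return false;
    p->phase = PROXY_DST;
    *syn_to_server = (struct seg){ TH_SYN, p->client_isn, 0, p->mss };
    return true;
}

/* Server SYN-ACK: ack it and record the delta between the ISN the client
 * saw and the one the server chose. */
bool synproxy_server_synack(struct synproxy *p, const struct seg *in, struct seg *ack_to_server)
{
    if (p->phase != PROXY_DST || in->flags != (TH_SYN | TH_ACK) ||
        in->ack != p->client_isn + 1)
        return false;
    p->server_isn = in->seq;
    p->seqdiff = p->proxy_isn - p->server_isn;  /* unsigned wrap is intended */
    p->phase = PROXY_DONE;
    *ack_to_server = (struct seg){ TH_ACK, p->client_isn + 1, p->server_isn + 1, 0 };
    return true;
}

/* Established: the sequence modulator shifts server seqs into the space the
 * client negotiated with the proxy and shifts the client's acks back. */
void modulate_from_server(const struct synproxy *p, struct seg *s) { s->seq += p->seqdiff; }
void modulate_to_server(const struct synproxy *p, struct seg *s)   { s->ack -= p->seqdiff; }
```

The server-side handshake is only started from `synproxy_client_ack`, so an ACK that does not carry `proxy_isn + 1` is dropped and a flood of SYNs from forged sources never produces a SYN toward the server.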
|
|
remote uptime determination
- scrub modifier "reassemble tcp" turns on stateful TCP normalizations
ok henning@ dhartmei@
|
|
idea from theo.
to speed that up the real mbuf tag is not written until we hit the last match
but an internal variable is used to track the tag.
this can be used to split classification and policy enforcement, for example.
and much much much more...
ok dhartmei@ frantzen@
|
|
With this change, the log header format also changes.
The new log format is extendible and allows logging
of the originating anchor and ruleset information.
ok henning@ dhartmei@ frantzen@
|
|
ok dhartmei@ frantzen@
|
|
those tags later on.
ok dhartmei@ pb@ mcbride@ frantzen@
|
|
initial maximum window by the scaling factor. otherwise our view of the
allowable sequence window is too big. back out the scaling factor adjustment
from the max window if the other endpoint rejects window scaling
- window scale the forward ACK skew check
ok dhartmei@
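
Added example, not pf's code: a C model of the window sanity check that this commit and the ackskew/SACK fix further up the log are about. The maximum window is stored unscaled and shifted by the advertising side's scale factor when used, the initial value from the SYN is divided by the factor (and restored if the peer rejects scaling), and the ack skew bound is shifted by the sender's factor. `MAXACKWINDOW`'s value, the struct layouts and the scenario numbers are constructed assumptions, not pf's.

```c
#include <stdbool.h>
#include <stdint.h>

/* Wrap-safe sequence-space comparison, in the style of the BSD tcp_seq.h macros. */
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)

/* Largest acceptable unscaled ack skew: 64K plus a fudge factor (assumed). */
#define MAXACKWINDOW (0xffff + 1500)

struct peer {
    uint32_t seqlo;    /* end of the highest data seen from this peer */
    uint32_t seqhi;    /* highest seq the other peer has allowed it to send */
    uint16_t max_win;  /* largest window it advertised, stored unscaled */
    uint8_t  wscale;   /* its shift count from the window-scale option */
};

struct tcpseg { uint32_t seq; uint32_t ack; uint16_t len; };

/* The SYN's window is not yet scaled, but max_win is always used shifted
 * by wscale, so store the unscaled equivalent, rounding up. */
uint16_t init_max_win(uint16_t syn_win, uint8_t wscale)
{
    return (uint16_t)(((uint32_t)syn_win + (1u << wscale) - 1) >> wscale);
}

/* No window-scale option in the SYN-ACK: scaling is off for both sides,
 * so undo the division and treat the SYN's window as bytes again. */
void peer_rejected_scaling(struct peer *p, uint16_t syn_win)
{
    p->max_win = syn_win;
    p->wscale = 0;
}

/* Does this segment from src toward dst fit the tracked windows? The
 * `scale` flag exists only to show what goes wrong without scaling. */
bool window_check(const struct peer *src, const struct peer *dst,
                  const struct tcpseg *s, bool scale)
{
    uint32_t end = s->seq + s->len;
    unsigned dws = scale ? dst->wscale : 0;
    unsigned sws = scale ? src->wscale : 0;
    int32_t ackskew = (int32_t)(dst->seqlo - s->ack);

    return SEQ_GEQ(src->seqhi, end)                                        /* last octet inside the window dst allowed */
        && SEQ_GEQ(s->seq, src->seqlo - ((uint32_t)dst->max_win << dws))   /* retransmit at most one (scaled) window back */
        && ackskew >= -MAXACKWINDOW                                        /* not acking data dst never sent */
        && ackskew <= (int32_t)((uint32_t)MAXACKWINDOW << sws);            /* acks may lag by one window scaled by sws */
}
```

With an 8 MB effective window the peer can legitimately have a few hundred kilobytes in flight, so an ack that trails `dst->seqlo` by that much is normal; the unscaled bound of roughly 64K rejects it, which is the "legitimate low acks can get blocked" symptom in the earlier commit.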
|
|
first. The least significant portions of the IPv6 address are more
likely to differ than the more significant ones, since in most
situations half the addresses (either the source or the destination)
will be in the local subnet.
ok dhartmei@ henning@
|
|
number of state table entries grows, so entries time out faster before
the table fills up. Works both globally and per-rule. ok frantzen@
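
Added example, not pf's implementation: a C function for the adaptive timeout scaling this commit introduces, linear between a start and an end state count, with a per-rule setting taking precedence over the global one. The 60%/120%-of-limit defaults follow pf.conf(5); struct and function names are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

struct adaptive { uint32_t start; uint32_t end; };  /* both 0: scaling off */

/* Defaults as documented for pf: start at 60% of the state limit, end at 120%. */
struct adaptive adaptive_defaults(uint32_t state_limit)
{
    return (struct adaptive){ state_limit * 6 / 10, state_limit * 12 / 10 };
}

/* Below start the base timeout applies; between start and end it shrinks
 * linearly; at or beyond end states expire immediately. 64-bit product
 * so a day-long tcp.established timeout cannot overflow. */
uint32_t adaptive_timeout(uint32_t timeout, uint32_t states, const struct adaptive *a)
{
    if (a->start == 0 || a->end == 0 || states <= a->start)
        return timeout;
    if (states >= a->end)
        return 0;
    return (uint32_t)((uint64_t)timeout * (a->end - states) / (a->end - a->start));
}

/* A rule with its own adaptive settings is judged against its own state
 * count; otherwise the global count and settings are used. */
uint32_t state_timeout(uint32_t base, uint32_t global_states, const struct adaptive *global,
                       uint32_t rule_states, const struct adaptive *rule)
{
    if (rule != NULL && rule->start != 0 && rule->end != 0)
        return adaptive_timeout(base, rule_states, rule);
    return adaptive_timeout(base, global_states, global);
}

/* Expiry test against the state's last activity, using the scaled timeout. */
bool state_expired(uint32_t now, uint32_t last_activity, uint32_t timeout)
{
    return now >= last_activity + timeout;
}
```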
|
|
each side of the TCP connection and prevent it from being reduced
ok pb@ dhartmei@
|