| Age | Commit message (Collapse) | Author |
|---|
|
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v is used. note: this changes the pflog header struct, rebuild all
dependancies. ok bob@, henning@.
|
|
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@
|
|
allocator and two pools, but PR_WAITOK when called from non-interrupt
context (ioctl). add configurable hard limits for tables and table
entries (set limit tables/table-entries), defaulting to 1000/100000.
ok aaron@, henning@, mcbride@, art@
|
|
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo
|
|
ok krw@ canacar@
|
|
into a normal one, it sets both peers' sequence windows. Fix a bug where
the previously advertised windows are applied to the wrong side (i.e.
peer A's seqhi is peer A's seqlo plus peer B's, not A's, window). This
went undetected because mostly the windows are similar and/or re-
advertised soon. But there are (rare) cases where a synproxy'd connection
would stall right after handshake. Found by Gleb Smirnoff.
|
|
When synproxy sends packets to the destination host, make sure to copy
the 'tag' from the original state entry into the outgoing mbuf.
ok dhartmei@ deraadt@
|
|
|
|
the 'tag' from the original state entry into the outgoing mbuf.
ok henning@ dhartmei@
|
|
|
|
|
|
(not just to the initial packet). note: kernel/userland abi change
(rebuild pfctl). ok henning@
|
|
ok henning@, deraadt@
|
|
'memory' one, which helps debugging. Alters the kernel/userland ABI,
rebuild pfctl and tcpdump. ok henning@
|
|
replacement address for an rdr rule. Some rdr rules have no address family
(when the replacement is a table and no other criterion implies one AF).
In this case, pf would fail to select a replacement address and drop the
packet due to translation failure. Found by Gustavo A. Baratto.
ok mcbride@, henning@, markus@
|
|
from pf's perspective.
ok pascoe@ dhartmei@ henning@
|
|
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@
|
|
checking for a usable key, construct the key in the same way. Otherwise,
a colliding key might be missed or a state insertion might be refused even
though it could be inserted. The second case triggers the endless loop
fixed by 1.474, possibly allowing a NATed LAN client to lock up the kernel.
Report and test data by Srebrenko Sehic.
|
|
prevents a possible endless loop in pf_get_sport() with 'static-port'
Reported by adm at celeritystorm dot com in FreeBSD PR74930, debugging
by dhartmei@
ok dhartmei@
|
|
Proposed by mcbride.
ok henning@, mcbride@
|
|
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan
|
|
|
|
pfvar.h. builds kernel and userland.
|
|
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.
ok deraadt@ henning@ dhartmei@
|
|
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.
ok deraadt@ henning@ dhartmei@
|
|
|
|
header. pf finds the first TCP/UDP/ICMP6 header to filter by traversing
the header chain. In the case where headers are skipped, the protocol
checksum verification used the wrong length (included the skipped headers),
leading to incorrectly mismatching checksums. Such IPv6 packets with
headers were silently dropped. Reported by Bernhard Schmidt. ok mcbride@
|
|
the 3-way handshake. Allow limits on both total connections and connection
rate, put offenders in a table which can be used in the ruleset, and optionally
kill existing states. Rate tracking code from dhartmei@.
Adds a second pool for table entries using the default allocator, which
allows entries to be added at splsoftnet().
ok deraadt@ dhartmei@
|
|
'binat from ... to ... -> (if)' are used, where the interface
is dynamic. reported by kos(at)bastard(dot)net, analyzed by
Pyun YongHyeon
|
|
reported by Joerg Sonnenberger, ok henning@
|
|
for ACKs. It should filter the ACK replayed to the server, instead of
of the one to the client. Thanks to Daniel Polak for testing.
|
|
th_flags TH_ACK and leave th_ack 0, just like the RST generated by
the stack in this case. Fixes the Raptor workaround. ok beck@, markus@
|
|
fixes pflog attributing states wrongly to anchors and pfctl -vvsn/sr
showing wrong state counters for anchor rules. found by camield@,
ok henning@, -stable candidate
|
|
and behaved incorrectly when used with v6. impliment the v6 case too.
ok canacar mcbride
|
|
problems with adaptive timeouts, max-states limits, and rules not being
freed from memory.
Diff from Chris Pascoe.
ok henning@ dhartmei@
|
|
requested by deraadt
|
|
remaining TODO:
- "forward" case kernel behavior (IPv4 too), then pfctl syntax change
- red-black tree
|
|
caveats: (to be addressed soon)
- "scrub in" should queue fragments back into ip6intrq again, but
somehow it does not happen - the packet is kept inside reass queue.
need investigation
- ip6_forwarding path is not tested
- does not use red-black tree. somehow red-black tree behaved badly
and was not robust. performance issue, the above one is more
important.
good things:
- "scrub out" is perfectly ok
- i think now we can inspect upper-layer protocol fields (tcp port)
even if ip6 packet is fragmented.
- reass queue will be cleaned up properly by timeout (60sec). we might
want to impose pool limit as well
|
|
No need to reconfig kernel or rebuild userland stuff.
requested deraadt@, help beck@
|
|
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.
ok art@ niklas@ nordin@
|
|
ok cedric@ henning@
|
|
keyword in C++. ok henning@, cedric@
|
|
their *source* IP address in addition to their destination address.
routing table "destination" now contains a "struct sockaddr_rtin"
for IPv4 instead of a "struct sockaddr_in".
the routing socket has been extended in a backward-compatible way.
todo: PMTU enhancements, IPv6. ok deraadt@ mcbride@
|
|
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@
|
|
also fixup checksum when random-id modifies ip_id. This would previously
lead to incorrect checksums for packets modified by scrub random-id.
From Pyun YongHyeon. ok cedric@
|
|
a packet is routed already) in the mbuf tag, allow at most four times.
Fixes some legitimate cases broken by the previous change. ok cedric@
|
|
sequence numbers by taking advantage of the maximum 1KHz clock as an upperbound
on the timestamp. Typically gains 10 to 18 bits of additional security against
blind data insertion attacks. More if the TS Echo wasn't optional :-(
Enabled with: scrub on !lo0 all reassemble tcp
ok dhartmei@. documentation help from jmc@
|
|
|
|
Also comment #endif properly while being here
ok mcbride@
|
|
enabled when we're doing full frag reassembly and thus have full seq info
ok markus@
|
