|
properly in _both_ directions.
- Handle skip steps properly with binat. (since we're swapping around
src and dst comparisons, we can't use them in all cases)
fix from dhartmei@
ok dhartmei@ henning@ cedric@
|
|
pfctl.
ok dhartmei@
|
|
- pass back a pointer to state created in pf_test_{tcp|udp|icmp|other}()
so that pf_route()/pf_route6() can peek at it.
- put the PACKET_TAG_PF_ROUTED tag onto the packets _before_ we call
pf_test()/pf_test6() again to prevent looping.
- Call pf_test6() in pf_route6() instead of pf_test() for obvious reasons.
ok dhartmei@
|
|
struct pf_pooladdr *cur. It was being used incorrectly in the
round-robin case, which meant that the previous address was being selected,
rather than the real current one.
ok dhartmei@
|
|
combination with translations was too broad and broke some
more complex setups (creating two states for one connection on
two interfaces, using modulate state for each, and additionally
using route-to/reply-to on one of them), so narrow it to the
cases where it's needed. Reported by henric@.
|
|
and drop packets with invalid checksums. Without such a check, pf would
return RST/ICMP errors even for packets with invalid checksums, which
could be used to detect the presence of the firewall, reported by
"Ed White" in http://www.phrack.org/phrack/60/p60-0x0c.txt.
To minimize the cost of checksum calculations, mbuf flags set by
network interfaces capable of hardware checksumming are honoured,
and set when pf performs the calculation, so the TCP/IP stack itself
will not repeat the calculation for the same packet later on.
ok mcbride@ and henning@
|
|
handshake. Solves the issues with the "ACK+1000000 cookie scheme",
which depends on RFC 763 (p39, Reset Generation, 2. non-synchronized
state, "reset is sent"). ok henning@, camield@ and (I guess ;)
frantzen@
|
|
Stop overloading PF_OP_RRG as a flag where it doesn't make sense, and
make the port mapping more flexible, allowing mapping a destination port range
of one size to another of a different size.
Fixes and additional testing courtesy of dhartmei@
ok dhartmei@
|
|
copies the data to the specified buffer. So, for TCP options, provide
a sufficiently large buffer and copy to there.
|
|
doing it later can invalidate pointers to mbuf data. This fixes subtle
breakage just introduced (with 1.306).
|
|
Interestingly, our own stack uses wscale 1 quite regularly, and I now
suspect that this is what caused most of the state failures I've seen.
They were quite rare, but with working wscale support, they are reduced
even more. ok henning@
|
|
This only happens when using nat/rdr/binat on IPv6 connections, which
hasn't been used before, obviously. But it does work now.
Reported and confirmed by evilted@efnet, ok mcbride@
|
|
inspired by Thorsten Glaser via fries@
ok theo
|
|
pointed out in advance by dhartmei@
|
|
correctly. Also remove some extra cruft in pf_get_sport related to the
"static-port" behaviour.
bug report from mpech@ and form@
testing cedric@
"looks sane to me" henning@
ok dhartmei@
|
|
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@
|
|
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@
|
|
name. ok henning@, mcbride@, cedric@
|
|
ok henning@, mcbride@
|
|
pf_test() may be called twice for the same packet. In this case, make
sure the translation is only applied in the second call. This solves
the problem with state insert failures where the second pf_test() call
tried to insert another state entry after the first call's translation.
ok henning@, mcbride@, thanks to Joe Nall for additional testing.
|
|
stored in a separate list now. Regress tests still pass after
sed "s/ a=end / /g", other skip steps are not affected.
|
|
Precursor to removing rule.action from skip steps.
Also a couple of other small fixes:
- s/PF_RULESET_RULE/PF_RULESET_FILTER/
- replacement of 4 with PF_RULESET_MAX in pfvar.h struct ruleset {
- error handling in ioctl of an invalid value in rule.action
- counting evaluations and matching packets for scrub rules
ok henning@ dhartmei@
|
|
normal configurations, and sufficient for many. You can always increase
it, if you need more concurrent states and have enough memory (65000 for
64MB RAM, for instance). Suggested earlier by henning@. ok mcbride@
|
|
ok dhartmei@, mcbride@, henning@
|
|
- pull the route-to ifp from the current pf_pooladdr (not the last one)
with stateful rules
- remove unnecessary PF_ACPY and PF_AZERO
ok dhartmei@ on pf_route version, pf_route6 is the same.
|
|
redirection target address. Reported by Michael Lucas. ok mcbride@
|
|
Solves the crashes in pf_route() with -current.
Reports from Michael Lucas and Bjorn Runaker.
|
|
panics should occur. ok mcbride@
|
|
we don't need the second list of addresses for DIOCCHANGE* operations)
Also get rid of a bug where DIOCBEGINADDRS clears pabuf[1] when pabuf[0]
is the one being used.
ok henning@ dhartmei@
|
|
print the port number in pf_print_host if it's 0 (like when
pf_print_host is called from pf_map_addr)
ok dhartmei@
|
|
Loading large rulesets consists of two phases. First, the rules are
parsed and added, one by one, to the inactive ruleset. The machine
remains responsive during that phase. Then, the new ruleset is
activated, and the skip steps are calculated. The machine locks up
during that phase. This second phase is greatly reduced with the new
algorithm. With the old one, calculation could take 30s for 12k rules,
with the new one, 100k rules take less than 1s. For small rulesets
(less than 1000 rules), the gain is insignificant.
ok mcbride@, henning@
|
|
Found by markus@
|
|
evaluation, packet, byte and state entry counters similar to -vsr. Helps
verify whether/how often translation rules are evaluated/matched.
ok frantzen@, henning@
|
|
(in the main set) number, not the number of the rule within the anchor.
Eventually, both will get logged. But as long as we only log one number,
this makes more sense.
|
|
main purpose is making them regress-testable.
|
|