summaryrefslogtreecommitdiff
path: root/sys/net/pf.c
AgeCommit message (Collapse)Author
2007-02-22make urpf-failed work with multipath routes.Pierre-Yves Ritschard
ok claudio@
2007-02-19add handling of skip steps for urpf-failed addresses.Pierre-Yves Ritschard
ok dharthmei@, henning@
2007-02-14Consistently spell FALLTHROUGH to appease lint.Jonathan Gray
ok kettenis@ cloder@ tom@ henning@
2007-02-08compute pseudo-header checksum based on flnal destination asJun-ichiro itojun Hagino
ip6_dst (i'm bit skeptical about checksumming when the box is not the final destination). drop IPv6 jumbograms, as it could cause various funny symptoms due to ip6_plen being 0 (yup, we should properly handle it instead). ok by deraadt, naddy, hshoexer
2006-12-22add special handling for "urpf-failed" with carp interfaces. theReyk Floeter
unicast reverse path forwarding (URPF) check drops packets coming in on an interface other than that which holds the route back to the packet's source address. this caused problems with routes bound to a carp interface instead of the underlying interface. this diff validates the underlying carpdev if the route is bound to a carp interface. from Pierre-Yves Ritschard (pyr at spootnik.org) ok henning@
2006-12-21in pf_route(), initialize ro to NULL at the beginning. if left un-Daniel Hartmeier
initialized, it might equal &iproute by chance, causing a panic when rtfree() is then mistakenly called.
2006-12-14in "BAD/loose state" messages, also print the packet's original sequenceDaniel Hartmeier
number, it can differ from the sequence number being tested (for packets without payload), and both matter in explaining why a packet mismatched.
2006-12-13use IN6_IS_SCOPE_EMBED to check kernel-internal form addressesJun-ichiro itojun Hagino
(s6_addr16[1] filled) ok dhartmei
2006-11-16conditional for appending the pf mbuf tag in pf_test/pf_test6 was wrong,Henning Brauer
we need to do so whenever we do have a (pf) tag != 0 on the state OR (that part was missing) when rtableid on the rule is nonzero. problem noticed by Andreas Lundin <lunde@dreamhosted.se> testing the multiple routing tables enabling diff, ok mcbride
2006-10-31make pfsync a clonable too, but prevent more than one instance fromHenning Brauer
beeing created for now - much more work would be required to change that input & ok ryan
2006-10-27Split ruleset manipulation functions out into pf_ruleset.c to allow them toRyan Thomas McBride
be imported into pfctl. This is a precursor to separating ruleset parsing from loading in pfctl, and tons of good things will come from it. 2 minor changes aside from cut-n-paste and #define portability magic: - instead of defining the global pf_main_ruleset, define pf_main_anchor (which contains the pf_main_ruleset) - allow pf_find_or_create_ruleset() to return the pf_main_ruleset if it's passed an empty anchor name. ok henning dhartmei
2006-10-11Allow the 'quick' keyword on an anchor. IFF there is a matching rule insideRyan Thomas McBride
the anchor, terminate ruleset evaluation when stepping out of the anchor. This means that if you absolutely want the anchor to be terminal, you probably want to use a 'block all' or 'pass all' rule at the start of the anchor. ok dhartmei@ henning@ deraadt@
2006-09-18allow RST from TCP client, even if client does not send data after SYN;Markus Friedl
ok frantzen, dhartmei, henning
2006-09-18fix tos (type-of-service) comparisons. for rules which use 'tos x', compareDaniel Hartmeier
for equality (ip_tos == x). for priority queue assignment, compare AND-wise (ip_tos & IPTOS_LOWDELAY). this matters mostly for cases where the reserved bits in ip_tos are used (RFC791, 1349) and more than a single bit is set. from Steve Welham, closes PR5226 and PR5227.
2006-07-06allow rules to point to an alternate routing table, and tag packetsHenning Brauer
matching that rule so that the forwarding code later can use the alternate routing table fo lookups (not implemented yet). the tagging is "sticky", every matching rule modifies, just like the regular "tag". ok claudio hshoexer, hacked at r2k6
2006-05-17missing rtlabel support in pf_addr_wrap_neq()Henning Brauer
PR5122 Jann Fischer <jfi@openbsd.de>, thanks!
2006-03-14implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)Damien Miller
which optionally verifies that a packet is received on the interface that holds the route back to the packet's source address. This makes it an automatic ingress filter, but only when routing is fully symmetric. bugfix feedback claudio@; ok claudio@ and dhartmei@
2006-02-07mention source of pf_modulate_sack() in comment, no code change,Daniel Hartmeier
ok frantzen@
2006-01-31the TCP SACK option needs sequence number modulationMike Frantzen
ok dhartmei@ and beck@. help + testing from kpfaff AT palloys.com.pl
2005-11-14fix spelloChristopher Pascoe
2005-11-04crank pf_state and pf_src_node byte and packet counters to u_in64_t, sinceRyan Thomas McBride
we're breaking pfsync compatibility this cycle anyways. Requested by djm@, ok henning@, 'wheee!' deraadt@
2005-10-26Instead of using arc4random() to modulate the TCP isn, call tcp_rndiss_next()Ryan Thomas McBride
and calculate the modulator. This ensures that modulated initial sequence numbers have the same properties regarding separation and non-repetition as those generated by our TCP stack. ok markus@ frantzen@
2005-10-25mtag in pf_route is now only used for IPSEC, so #ifdef itHenning Brauer
From: Mike Belopuhov <mkb@crypt.org.ru>
2005-10-17make pf use one mbuf tag instead of 6 distinct ones. use a little structHenning Brauer
in the data part for the data from the previously distinct tags. look up the tag early and carry a pointer to it around. makes the code easier and saves some tag lookups and thus helps performance, as proven by tests run by Schberle Dniel <Schoeberle.Daniel@aamtech.hu> Initially hacked up somewhere over the atlantic ocean in an A330 early testing reyk and moritz, "put it in" theo
2005-09-28Improve the safety of pf IOCTLs, taking into account that some paths can sleep.Christopher Pascoe
- Introduces a rw_lock in pfioctl so that we can have concurrent readers but only one process performing updates at a time; - Separates state expiry into "unlink" and "free" parts; anyone can unlink a state/src node from the RB trees at any time, but a state can only be freed whilst the write lock is held; - Converts state_updates into list state_list containing all states, regardless of whether they are "linked" or "unlinked"; - Introduces a new PFTM_UNLINKED state that is used on the "unlinked" states to signal that they can be freed; - Converts pf_purge_expired_state to an "unlink" state routine, which only unlinks the state from the RB trees. Freeing the state/src nodes is left to the purge thread, which runs whilst holding a write lock, such that all "next" references remain valid; - Converts pfsync_bulk_update and DIOCGETSTATES to walk state_list rather than the RB trees; - Converts the purge thread to use the new state_list and perform a partial purge every second, with the target rate a full state table walk every PFTM_INTERVAL seconds. seen by mcbride, henning, dhartmei pre-3.8, but too intrusive for then
2005-08-22when nat'ing icmp 'connections', replace icmp id with proxy valuesDaniel Hartmeier
(similar to proxy ports for tcp/udp). not all clients use per-invokation random ids, this allows multiple concurrent connections from such clients. thanks for testing to Rod Whitworth, "looks ok" markus@
2005-08-22fix rdr to bitmask replacement address pool. patch from Max Laier,Daniel Hartmeier
reported by Boris Polevoy, tested by Jean Debogue, ok henning@
2005-08-18Rearrange pf_state and pfi_kif so that the parts of the structure neededChristopher Pascoe
to search for a particular entry in the RB trees are at the start of the structure. This permits us to place a much smaller structure on the stack in the interrupt paths that match packets against state entries. ok mcbride
2005-08-11Only decrement the max-src-conn counter for tcp connections that reachedJoel Knight
"established" state. Requires recompiling pfctl, etc. ok dhartmei@
2005-07-31Perform pf state/rule/table expiry in a kernel thread instead of runningChristopher Pascoe
it out of a timeout handler. This means we will have process context, required when using the oldnointr pool allocator. Addresses pr4186, pr4273. ok dhartmei@ henning@ tedu@
2005-07-31Change the API for icmp_do_error so that it takes the mtu directly, ratherChristopher Pascoe
than a pointer to struct ifnet containing it. Saves a 448 byte stack allocation in ip_forward which previously faked up a struct ifnet just for this purpose. idea ok deraadt millert
2005-07-29Use one "struct pf_state key" declaration at top of pf_test_state_icmp,Christopher Pascoe
instead of allocating it as a temp var in six mutually exclusive code paths. Saves 784 bytes of kernel stack (on i386).
2005-07-21account ipv4 packets with wrong tcp/udp/icmp checksums and udpMarkus Friedl
packets with invalid uh_len; ok dhartmei
2005-07-04restrict the tcp.finwait timeout (45s) to state combinations where we haveMarkus Friedl
seen a FIN from both sides (whether ACKed or not) and use tcp.closing (900s) for half closed connections. otherwise half closed connections will time out within 45s. ok dhartmei, henning.
2005-06-13make the packet and byte counters on rules and src nodes per direction,Henning Brauer
matches the counters on states now. also fix the counting on scrub rules where we previously did not handle the byte counters at all. extend pfctl -sl output to include the new seperate in/out counters hacked on the ferry from Earls Cove to Saltery Bay ok ryan
2005-05-27log two pairs of uid/pid through pflog: the uid/pid of the process thatDaniel Hartmeier
inserted the rule which causes the logging. secondly, the uid/pid of the process in case the logged packet is delivered to/from a local socket. a lookup of the local socket can be forced for logged packets with a new option, 'log (user)'. make tcpdump print the additional information when -e and -v is used. note: this changes the pflog header struct, rebuild all dependancies. ok bob@, henning@.
2005-05-26support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patchDaniel Hartmeier
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants. ok frantzen@, camield@
2005-05-23change pool allocation of table entries, no longer use the oldnointrDaniel Hartmeier
allocator and two pools, but PR_WAITOK when called from non-interrupt context (ioctl). add configurable hard limits for tables and table entries (set limit tables/table-entries), defaulting to 1000/100000. ok aaron@, henning@, mcbride@, art@
2005-05-21clean up and rework the interface absraction code big time, rip out multipleHenning Brauer
useless layers of indirection and make the code way cleaner overall. this is just the start, more to come... worked very hard on by Ryan and me in Montreal last week, on the airplane to vancouver and yesterday here in calgary. it hurt. ok ryan theo
2005-04-25csum -> csum_flagsBrad Smith
ok krw@ canacar@
2005-04-22When synproxy completes the replayed handshake and modifies the stateDaniel Hartmeier
into a normal one, it sets both peers' sequence windows. Fix a bug where the previously advertised windows are applied to the wrong side (i.e. peer A's seqhi is peer A's seqlo plus peer B's, not A's, window). This went undetected because mostly the windows are similar and/or re- advertised soon. But there are (rare) cases where a synproxy'd connection would stall right after handshake. Found by Gleb Smirnoff.
2005-04-15Try this again.Joel Knight
When synproxy sends packets to the destination host, make sure to copy the 'tag' from the original state entry into the outgoing mbuf. ok dhartmei@ deraadt@
2005-04-14back out last, some breakage crept inHenning Brauer
2005-04-14When synproxy sends packets to the destination host, make sure to copyJoel Knight
the 'tag' from the original state entry into the outgoing mbuf. ok henning@ dhartmei@
2005-03-15byte order of mss, only affects synproxy code path, from John L. ScarfoneDaniel Hartmeier
2005-03-04add state's tag for IPv6, too. spotted by markus@Daniel Hartmeier
2005-03-03when tagging, apply the same tag to all packets matching a state entryDaniel Hartmeier
(not just to the initial packet). note: kernel/userland abi change (rebuild pfctl). ok henning@
2005-02-27support 'tagged' in translation rules, non-delayed tag lookupDaniel Hartmeier
ok henning@, deraadt@
2005-01-30Add some more reason counters and use them instead of overloading theDaniel Hartmeier
'memory' one, which helps debugging. Alters the kernel/userland ABI, rebuild pfctl and tcpdump. ok henning@
2005-01-20Use the packet's address family instead of the rule's when selecting aDaniel Hartmeier
replacement address for an rdr rule. Some rdr rules have no address family (when the replacement is a table and no other criterion implies one AF). In this case, pf would fail to select a replacement address and drop the packet due to translation failure. Found by Gustavo A. Baratto. ok mcbride@, henning@, markus@