Age | Commit message | Author

ok mpi@

path was taken. This both prevents warnings from clang and acts as a
sanity check.
ok mcbride@ henning@

to optimize for an INET-only kernel, as well as the fantasy unicorn
INET6-only kernel. (INET-only kernel still works)
prompted by deraadt
ok bluhm sashan

OK @mcbride

ok mcbride@

OK deraadt.

ok jsg@, ok mpi@

rt_mpath_next() to document the difference in behavior between the
multipath and non-multipath routing code.
Note that the same pattern is present in if_group_egress_build().
ok claudio@

it also adds af_unhandled(), where it is currently missing.
ok mcbride@

This pseudo-option is a hack to support return-rst on bridge(4). It
passes Ethernet information via a "struct route" through ip_output().
"struct route" is slowly dying...
ok claudio@, benno@

ok guenther@, henning@

involved. For outgoing packets the IPsec layer did not clear the
sending socket from the mbuf when the address changed. This resulted
in strange state match and create behavior in pf. So clear the pf
statekey and inp in the packet header for both directions when the
address changes.
Mark Patruck reported the bug, identified my problematic commit and
tested the fix.
OK mikeb@

compatibility with 4.3BSD in September 1989.
*Pick your own definition for "temporary".
ok bluhm@, claudio@, dlg@

Do rule counter increments after state has been successfully
installed. This has an additional benefit of making error
handling a bit simpler.
OK mpi, bluhm

receiving interface in the packet header of every mbuf.
The interface pointer should now be retrieved when necessary with
if_get(). If a NULL pointer is returned by if_get(), the interface
has probably been destroyed/removed and the mbuf should be freed.
Such a mechanism will simplify garbage collection of mbufs and limit
problems with dangling ifp pointers.
Tested by jmatthew@ and krw@, discussed with many.
ok mikeb@, bluhm@, dlg@

something based on an address family and later assumes one of the paths
was taken. This was initially just calls to panic until guenther
suggested a function to reduce the amount of strings needed.
This reduces the amount of noise with static analysers and acts
as a sanity check.
ok guenther@ bluhm@

Reshuffle the code around a bit and greatly improve error handling
fixing a few bugs along the way.
Problem reported by and fix was written with Alexandr Nedvedicky.
OK henning

Since we've strengthened the ICMP state matching procedure during lookup
to only match packets against states set up in a particular direction, we
need to make sure we don't create states on packets that would otherwise
be flowing in the direction opposite to the direction of the state and
prevent further packets from matching the created state due to strict
rules imposed by the ICMP direction check.
Problem reported by Alexandr Nedvedicky, alexandr.nedvedicky-at-oracle.com.
Discussed with reyk@; OK henning

Checked with blambert@, OK millert, henning

ok henning

found by jsg; ok jsg mikeb

No objection from reyk@, OK markus, hshoexer

there instead of pf_ioctl.c.
ok henning@

Spotted by Alexandr Nedvedicky <alexandr ! nedvedicky at oracle ! com>,
thanks a lot! Ok florian

it's only used for the ip and ip6 network stack input queues, so it
seems unfair that every instance of ifqueue has to carry a pointer
around for this specific use case.
this moves the congestion marker to a kernel global. if we detect
that we're congested, we assume the whole system is busy and punish
all input queues.
marking a system as congested is done by setting the global to the
current value of ticks. as the system moves away from that value,
it moves away from being congested until the comparison fails.
written at s2k15
ok henning@ beck@ bluhm@ claudio@

SO_BINDANY socket, the new state didn't have a link of the socket's
pcb. So the incoming packets allowed by the state were mistakenly
forwarded and the pcb could not get them. Fix pf not to lose the link
of the pcb when the state is recreated.
ok bluhm mikeb

have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.
ok tedu@ deraadt@

mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.
Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesn't like it he can change it when he recovers from jet-lag"

is a debug tool change of semantics not considered problematic.
up until now, log(matches) forced logging on subsequent matching rules,
the actual logging used the log settings from that matched rule.
now, log(matches) causes subsequent matches to be logged with the log settings
from the log(matches) rule. in particular (this was the driving point),
log(matches, to pflog23) allows you to have the trace log going to a separate
pflog interface, not clobbering your regular pflogs, actually not affecting
them at all.
long conversation with bluhm about it, which didn't lead to a single bit
changed in the diff but was very very helpful. ok bluhm as well.

no real compat issue since we're using spare bytes.
old -> new ends up with set prio (0, 0) equivalent
new -> old is entirely harmless, old ignores the prios.
requested by Alexey Suslikov <alexey.suslikov at gmail>
ok phessler pelikan dlg

i.e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan

was setting max_win to 0 and discarded retransmitted SYN-ACK segments
without wscale if the original SYN contained a wscale option.
with gerhard@, ok henning@

the 3WHS is completed, establish the backend connection. The trigger
for "3WHS completed" is the reception of the first ACK. However, we
should not proceed if that ACK also has RST or FIN set.
ACK+RST part pointed out by Kojedzinszky Richard <krichy at tvnetwork hu>
ok mikeb dlg phessler claudio

Packets destined to link-local addresses are looped back with embedded
scopes because we cannot restore them using the receiving interface (lo0).
Embedded scopes are needed by the routing table to match RTF_LOCAL routes,
but pf(4) never saw them and existing rules are likely to break without
teaching the rule engine about them, found by dlg@ the hard way.
So save and restore embedded scopes around pf_test() for packets going
through loopback.
ok dlg@, mikeb@

before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy

long live the one true internet.
ok henning mikeb

This structure is now only used to pass a cached route entry to
ip{6,}_output() which will be converted shortly.
With inputs from millert@, ok bluhm@

- Unicast packets sent to any local address will have their interface
set to loopback.
- In order to differentiate traffic from interfaces having identical
link-local addresses, provide the scoped addresses to pf(4).
- Update the icmp6 state lookup logic to match scoped MLL addresses.
- Remove a shortcut in ip6_input() that bypasses pf and always look
for an RTF_LOCAL route.
Packets sent to multicast addresses still retain their original
interface due to the fact that local multicast packet delivery
does not use if_output.
This makes ping6 to link-local addresses work even with pf enabled
and "set skip" on loopbacks, reported by Pieter Verberne.
Debugged, analysed and tested with mikeb@.
ok mikeb@, henning@, sthen@

to include that than rdnvar.h. ok deraadt dlg

ok phessler@ tedu@

since we might have tweaked the addresses.
Problem reported and fix tested by Bastien Durel <bastien at geekwu ! org>,
thanks! OK henning

functionality instead of a mix of enable/disable.
ok bluhm@, jca@

kill the macro.
ok mikeb@, henning@

ok henning@, phessler@

rely on "struct route" that should die.
ok claudio@

anchors for "once" rules: "In case this is the only rule in the
anchor, the anchor will be destroyed automatically after the rule
is matched." Employ an additional pointer pair to keep track of
the parent ruleset containing the anchor that we want to remove.
OK henning