Age | Commit message | Author |
|
and harmful as we might see only half of the connection in
the asymmetric setups but ignore the state match. The bug
was reported and fix was verified by Insan Praja <insan ()
ims-solusi ! com>. Thanks! OK mcbride, henning
|
|
to the 16 bit flags; reminded by claudio, ok henning
|
|
packet within the icmp error packet was wrong. Fix this by using
the pd2.tot_len of the inner packet and subtract the old header's
length.
OK mikeb@ henning@
|
|
utterly clear this is not a filter criterion but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc
|
|
from david hill; ok henning
|
|
The lower 2 bits of the tos-header are used for ECN.
(http://tools.ietf.org/html/rfc2474#section-3)
OK henning@, haesbaert@
|
|
compatibility with FreeBSD/NetBSD.
Also rename SIMPLEQ_REMOVE_NEXT to SIMPLEQ_REMOVE_AFTER.
ok mikeb@ guenther@
|
|
moving the state export functionality from pfsync code into pf.
Based on the initial diff by guenther, ok henning.
|
|
Following bluhm's advice this changes the way we setup state keys and
perform state lookups for ICMPv6 Neighbor Discovery packets:
- replace the NS-dst with ND target address;
- replace the NA-src with ND target address;
- replace the NA-dst with unspecified address if it is a multicast.
This allows pf to match Address Resolution, Neighbor Unreachability
Detection and Duplicate Address Detection packets to the corresponding
states without the need to create new ones or match unrelated ones.
As a side effect we're doing now one state table lookup for ND packets
instead of two.
Fixes a bug uncovered by one of the previous commits that virtually
breaks IPv6 connectivity after a few minutes of use.
ok stsp henning, with and ok bluhm
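The three key rewrites in the commit above, applied to constructed NS/NA packets so the effect can be seen: address resolution (NS to the solicited-node group, NA back to the requester) and DAD (NS from ::, defending NA to ff02::1) each end up on one key, seen from the two directions. This is an added example, not code from pf or from the commit; the nd_key struct, function names, ND_HDR_LEN and the sample addresses are assumptions made for the example.

```c
/*
 * Added example, not pf code: derive the state-key addresses for ICMPv6
 * Neighbor Discovery packets following the three rules in the commit message
 * above, and check that a solicitation and its advertisement land on the same
 * key seen from opposite directions, for address resolution and for DAD.
 * Names, the key struct and the sample packets are this example's own.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>

#define ND_NS 135
#define ND_NA 136
#define ND_HDR_LEN 24   /* type, code, cksum, reserved/flags, 16-byte target */

struct nd_key { struct in6_addr src, dst; };

/*
 * src/dst are the IPv6 header addresses, icmp6 points at the ICMPv6 header.
 * Returns 0 and fills *key, or -1 if this is not a well-formed NS or NA.
 */
int nd_state_key(const struct in6_addr *src, const struct in6_addr *dst,
    const uint8_t *icmp6, size_t len, struct nd_key *key)
{
    struct in6_addr target;

    if (len < ND_HDR_LEN || icmp6[1] != 0)      /* RFC 4861: code must be 0 */
        return -1;
    memcpy(&target, icmp6 + 8, sizeof(target));
    if (IN6_IS_ADDR_MULTICAST(&target) || IN6_IS_ADDR_UNSPECIFIED(&target))
        return -1;                              /* target must be unicast/anycast */
    key->src = *src;
    key->dst = *dst;
    switch (icmp6[0]) {
    case ND_NS:
        key->dst = target;                      /* NS-dst := ND target */
        break;
    case ND_NA:
        key->src = target;                      /* NA-src := ND target */
        if (IN6_IS_ADDR_MULTICAST(dst))         /* NA-dst := :: if multicast */
            memset(&key->dst, 0, sizeof(key->dst));
        break;
    default:
        return -1;
    }
    return 0;
}

/* 1 if b is a's key seen from the other direction, i.e. the reply matches. */
int nd_key_is_reply(const struct nd_key *a, const struct nd_key *b)
{
    return memcmp(&a->src, &b->dst, sizeof(struct in6_addr)) == 0 &&
        memcmp(&a->dst, &b->src, sizeof(struct in6_addr)) == 0;
}

/* Minimal NS/NA header: checksum left zero, no options (constructed input). */
static void build_nd(uint8_t *buf, uint8_t type, const struct in6_addr *target)
{
    memset(buf, 0, ND_HDR_LEN);
    buf[0] = type;
    memcpy(buf + 8, target, sizeof(*target));
}

/* Returns 1 if both scenarios pair up: A resolving B, then DAD for B. */
int nd_demo(void)
{
    struct in6_addr a, b, snm_b, all_nodes, unspec;
    struct nd_key ns, na;
    uint8_t pkt[ND_HDR_LEN];

    inet_pton(AF_INET6, "fe80::1", &a);
    inet_pton(AF_INET6, "fe80::2", &b);
    inet_pton(AF_INET6, "ff02::1:ff00:2", &snm_b);  /* solicited-node for B */
    inet_pton(AF_INET6, "ff02::1", &all_nodes);
    memset(&unspec, 0, sizeof(unspec));

    /* address resolution: NS A -> snm(B), target B; NA B -> A, target B */
    build_nd(pkt, ND_NS, &b);
    if (nd_state_key(&a, &snm_b, pkt, sizeof(pkt), &ns) != 0)
        return 0;
    build_nd(pkt, ND_NA, &b);
    if (nd_state_key(&b, &a, pkt, sizeof(pkt), &na) != 0 ||
        !nd_key_is_reply(&ns, &na))
        return 0;

    /* DAD: NS :: -> snm(B), target B; defending NA B -> ff02::1, target B */
    build_nd(pkt, ND_NS, &b);
    if (nd_state_key(&unspec, &snm_b, pkt, sizeof(pkt), &ns) != 0)
        return 0;
    build_nd(pkt, ND_NA, &b);
    if (nd_state_key(&b, &all_nodes, pkt, sizeof(pkt), &na) != 0)
        return 0;
    return nd_key_is_reply(&ns, &na);
}
```

The DAD case is why the third rule exists: without replacing the multicast NA destination with the unspecified address, the defending NA (B to ff02::1) would never reverse-match the NS that came from ::, and pf would either create a fresh state or match an unrelated one.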
|
|
pf to fix that.
- add #ifdef INET6 in obvious places
- af translation is only possible with both INET and INET6
- interleave #endif /* INET6 */ and closing brace correctly
- it is not necessary to #ifdef function prototypes
- do not compile af translate functions at all instead of empty stub,
then the linker will report inconsistencies
- pf_poolmask() actually takes an sa_family_t not an u_int8_t argument
No binary change for GENERIC compiled with -O2 and -UDIAGNOSTIC.
reported by Olivier Cochard-Labbe; ok mikeb@ henning@
|
|
two consecutive host addresses won't generate the same value which
is used as a port number in state entries; ok bluhm, sperreault
|
|
ok bluhm, henning
|
|
- Let pf_normalize_ip() and pf_normalize_ip6() take the struct
pf_pdesc pd as argument.
- Always check whether the mbuf got NULL after normalization to make
the code more robust.
- Make the code structure of pf_normalize_ip6() more like
pf_normalize_ip() to make the differences obvious.
ok henning@
|
|
- Fragment offset is in network byte order.
- Check for legal short fragments before calling pf_pull_hdr() to
avoid bogus reason accounting.
- When checking whether the protocol header is within the fragment,
count the IPv6 payload length relative to the end of the IPv6 header.
ok henning@
|
|
Found by LLVM/Clang Static Analyzer.
ok henning@ markus@
|
|
make their argument list shorter. Also fix a bug where pf_walk_option6()
used the outer header in the pd2 case.
ok henning@ mikeb@
|
|
latter is called from pf packet logging. This resulted in normalization
and reassembly of bad packets to be logged. So rearrange the code
and move the call to pf_test().
ok henning@
|
|
in pf_test_state_*(). This needs less code and is more consistent.
OK mikeb, markus, henning.
|
|
(there is only one state and its direction is always PF_IN) and don't
exclude icmp echo replies from the test.
ok mcbride, claudio on previous version, ok henning, "looks good" deraadt
|
|
pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.
positive review and comments from claudio, ok henning, sperreault
|
|
ok claudio@ henning@ mikeb@
|
|
pf_state_expires() handled it incorrectly.
discussed with mikeb@
ok henning@
|
|
connection does not observe the route-to option.
ok dlg mikeb
|
|
skewed at runtime by things like date(1) and ntpd. time_uptime is
monotonic and therefore more useful to compare against.
ok deraadt@ mikeb@
|
|
"af-to" a generic IP version translator for pf(4).
Not everything perfect yet but let's fix these things in the tree.
Insane amount of work done by sperreault@, mikeb@ and reyk@.
Looked over by mcbride@ henning@ and myself at eurobsdcon.
OK mcbride@ and general put it in from deraadt@
|
|
just one and the variable name is clear enough. ryan ok
|
|
Also sort pd to the beginning of the functions' parameter lists for
consistency.
ok henning
|
|
KNF, no binary change.
|
|
pf_setup_pdesc(). It is better to check and bail out early than
to rely on pf_pull_hdr() later.
ok henning mpf
|
|
AF_INET6. So remove useless af switch defaults here and there.
Always use "switch(af)" instead of "if (af) else" for af dependent
code. Always use AF_ defines instead of PF_ when checking af values.
ok claudio mpf henning
|
|
around. This is a mechanical change. Initialize pd2 and use it
where appropriate.
ok henning on an earlier version; ok mpf
|
|
and change their type from int to u_int32_t. Do not pass struct
tcphdr *th and sa_family_t af, it is in pd anyway. Do not use af
and pd->af intermixed, the latter makes clear where it comes from.
Do not calculate the packet length again if pd already has it. Use
pd2.off instead of off2.
go go go go don't stop henning@ mpf@
|
|
some IPv4 and IPv6 code. Make sure that both code paths set the
same fields in the same order.
ok mpf henning
|
|
reassembled by normalization from pf_setup_pdesc() to pf_test().
This simplifies the parameter list of pf_setup_pdesc() as it can
concentrate on its job filling the pf_pdesc struct.
ok henning mpf
|
|
the one occurrence in pf_test_state_icmp() that uses pd2.ip_sum by
a local variable. Remove ip_sum and proto_sum from struct pf_pdesc.
ok claudio henning
|
|
pf_setup_pdesc. fixes logging of packets passed statefully. ok bluhm
|
|
been reassembled by normalization.
ok henning claudio
|
|
ruleset after match. In case this is the only rule in the anchor,
the anchor will be destroyed automatically after the rule is matched.
This is an extremely handy technique for firewall proxies.
ok henning, mcbride
|
|
It's already in pfvar.h
OK mcbride@
|
|
Diff from zinke@ with a some minor cleanup.
ok henning claudio deraadt
|
|
now, put it in the IPPROTO_TCP case of the pf_test_rule() inner loop.
ok henning sthen
|
|
the common function pf_walk_header6(). For that, pf_walk_header6()
can now extract both the information whether it is a fragment and
the final protocol if it is the first fragment. This allows to
match the icmp6 too big packet of a first fragment to the reassembled
packet's state. This is necessary if a refragmented fragment is
too big for the Path-MTU.
Note that pd.proto contains the real protocol number for the first
fragment and IPPROTO_FRAGMENT for later fragments. pd.virtual_protocol
is set to PF_VPROTO_FRAGMENT for all fragments.
ok mcbride@
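The header-chain walk that the fragment commits above describe, in one place: the fragment offset is read in network byte order, length checks are counted from the end of the IPv6 header, plen=0 is accepted, a first fragment yields the real upper-layer protocol while a later fragment yields IPPROTO_FRAGMENT, and a separate flag marks every fragment the way pd.virtual_proto does. This is an added example, not pf's pf_walk_header6() or any other pf code; the struct, function names and constructed packets are assumptions made for the example.

```c
/*
 * Added example, not pf code: walk an IPv6 extension header chain the way the
 * commit messages above describe.  A first fragment reports the real
 * upper-layer protocol, a later fragment reports IPPROTO_FRAGMENT, and
 * is_fragment is set for both.  Length checks are relative to the end of the
 * fixed IPv6 header.  Names are this example's own; packets are constructed.
 */
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>

#define IP6_HDR_LEN   40
#define IP6_FRAG_LEN  8
#define IP6F_OFF_MASK 0xfff8   /* fragment offset: upper 13 bits, in bytes */
#define IP6F_MORE     0x0001

struct walk6 {
    int proto;                   /* real protocol, or IPPROTO_FRAGMENT for later fragments */
    int is_fragment, more_frags; /* is_fragment is set for first and later fragments alike */
    uint16_t frag_off;           /* byte offset of this fragment's payload */
};
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Returns 0 and fills *w, or -1 for a truncated or malformed chain. */
int walk_header6(const uint8_t *pkt, size_t len, struct walk6 *w)
{
    size_t end, hlen, off = IP6_HDR_LEN;
    uint16_t plen, fo;
    int nxt;
    if (len < IP6_HDR_LEN || (pkt[0] >> 4) != 6) return -1;
    plen = get16(pkt + 4);               /* counts from the end of the IPv6 header */
    if (plen > len - IP6_HDR_LEN) return -1;   /* plen == 0 is legal and passes */
    end = IP6_HDR_LEN + plen;
    memset(w, 0, sizeof(*w));
    nxt = pkt[6];
    for (;;) {
        switch (nxt) {
        case IPPROTO_HOPOPTS: case IPPROTO_ROUTING: case IPPROTO_DSTOPTS:
            if (off + 2 > end) return -1;
            hlen = ((size_t)pkt[off + 1] + 1) * 8;
            if (off + hlen > end) return -1;   /* option header longer than payload */
            nxt = pkt[off];
            off += hlen;
            break;
        case IPPROTO_FRAGMENT:
            if (w->is_fragment || off + IP6_FRAG_LEN > end)
                return -1;               /* nested or short fragment header */
            fo = get16(pkt + off + 2);   /* offset and M flag: network byte order */
            w->is_fragment = 1;
            w->frag_off = fo & IP6F_OFF_MASK;
            w->more_frags = fo & IP6F_MORE;
            if (w->frag_off != 0) {      /* later fragment: no protocol header here */
                w->proto = IPPROTO_FRAGMENT;
                return 0;
            }
            nxt = pkt[off];
            off += IP6_FRAG_LEN;
            break;
        default:                         /* upper-layer header reached */
            w->proto = nxt;
            return 0;
        }
    }
}

/* Constructed IPv6 header (version 6, hop limit 64) and fragment header. */
static void build_ip6(uint8_t *b, uint8_t nxt, uint16_t plen)
{
    memset(b, 0, IP6_HDR_LEN);
    b[0] = 0x60; b[4] = plen >> 8; b[5] = plen & 0xff; b[6] = nxt; b[7] = 64;
}
static void build_frag(uint8_t *b, uint8_t nxt, uint16_t off, int more)
{
    uint16_t fo = (off & IP6F_OFF_MASK) | (more ? IP6F_MORE : 0);
    memset(b, 0, IP6_FRAG_LEN);
    b[0] = nxt; b[2] = fo >> 8; b[3] = fo & 0xff; b[7] = 1;   /* id = 1 */
}

/* Returns 1 when the three constructed packets behave as described above. */
int walk6_demo(void)
{
    uint8_t pkt[96] = {0};
    struct walk6 w;
    /* first fragment carrying a TCP header: real protocol, is_fragment set */
    build_ip6(pkt, IPPROTO_FRAGMENT, IP6_FRAG_LEN + 20);
    build_frag(pkt + IP6_HDR_LEN, IPPROTO_TCP, 0, 1);
    if (walk_header6(pkt, IP6_HDR_LEN + IP6_FRAG_LEN + 20, &w) != 0 ||
        w.proto != IPPROTO_TCP || !w.is_fragment || !w.more_frags)
        return 0;
    /* later fragment: IPPROTO_FRAGMENT, offset decoded from network order */
    build_ip6(pkt, IPPROTO_FRAGMENT, IP6_FRAG_LEN + 16);
    build_frag(pkt + IP6_HDR_LEN, IPPROTO_TCP, 1480, 0);
    if (walk_header6(pkt, IP6_HDR_LEN + IP6_FRAG_LEN + 16, &w) != 0 ||
        w.proto != IPPROTO_FRAGMENT || w.frag_off != 1480 || w.more_frags)
        return 0;
    /* destination options header claiming 16 bytes inside an 8-byte payload */
    build_ip6(pkt, IPPROTO_DSTOPTS, 8);
    pkt[IP6_HDR_LEN] = IPPROTO_UDP; pkt[IP6_HDR_LEN + 1] = 1;
    return walk_header6(pkt, IP6_HDR_LEN + 8, &w) == -1;
}
```

The split between proto and is_fragment is the point of the commit: a later fragment carries no upper-layer header, so its protocol cannot be known and is reported as IPPROTO_FRAGMENT, while the first fragment keeps its real protocol so that, for instance, an ICMPv6 "packet too big" quoting it can still be matched to the reassembled packet's state.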
|
|
Rather than silently dropping ALL icmp packets, return icmp/icmp6 error
for 'informational' message types (but continue dropping ICMP errors
unconditionally).
ok markus sthen henning
|
|
payload, we failed to drop them. While there, also add a reason
to the corresponding check in pf_test().
ok mcbride@ claudio@
|
|
implementation. ok ryan mpf sthen and also testing pea and halex looked
at it and commented as well
|
|
walking over the IPv6 header chain. Merge them into one loop,
adjust some length checks and fix IPv6 jumbo option handling. Also
allow strange but legal IPv6 packets with plen=0 to pass through
pf. IPv6 jumbo packets still get dropped.
testing dhill@; ok mcbride@ henning@
|
|
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.
Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing
ok bluhm; various previous versions ok henning, claudio, mpf, markus
|