| Age | Commit message (Collapse) | Author |
|---|
|
the pf_map_addr. doing otherwise leads to the stack corruption.
bug was reported and fix tested by arjan schrijver, thanks!
ok jsing, henning, florian who has also found the same bug in
pf_route and pf_route6 functions.
|
|
|
|
-assume we have hardware checksum offloading. stop mucking with the
checksum in most of the stack
-stop checksum mucking in pf, just set a "needs checksumming" flag if needed
-in all output pathes, very late, if we figure out the outbound interface
doesn't have hw cksum offloading, do the cksum in software. this especially
makes the bridge path behave like a regular output path
-little special casing for bridge still required until the broadcast path
loses its disgusting shortcut hacks, but at least it's in one place now
and not all over the stack
in6_proto_cksum_out mostly written by krw@
started at k2k11 in iceland more than 1.5 years ago - yes it took that
long, this stuff is everything but easy.
this happens to fix the infamous pf rdr bug that made us turn off proto
cksum offloading on almost all interface drivers.
ok camield sthen claudio, testing by many, thanks!
|
|
runtime while time_uptime is monotonic. Prevent underflows in
pfsync(4) and pflow(4) by using signed variables. pfsync(4) problem
pointed out by camield.
Diff originally by dlg, frag and pflow bits by me.
feedback dlg
man page tweak jmc
Various versions of the pflow bits tested by Hrvoje Popovski
(hrvoje AT srce DOT hr), thanks!
ok benno, henning, dlg
|
|
which packets (as in direction) of the traffic will be diverted
through the divert socket.
ok claudio@, henning@
|
|
returns radix_node pointers, inside a new rt_mpath_next, which accepts
and returns rtentry pointers, and start using that instead.
ok claudio@
|
|
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates wether the prio
should be set. ok benno claudio mikeb
|
|
and harmful as we might see only half of the connection in
the asymmetric setups but ignore the state match. The bug
was reported and fix was verified by Insan Praja <insan ()
ims-solusi ! com>. Thanks! OK mcbride, henning
|
|
to the 16 bit flags; reminded by claudio, ok henning
|
|
packet within the icmp error packet was wrong. Fix this by using
the pd2.tot_len of the inner packet and substract the old header's
length.
OK mikeb@ henning@
|
|
utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc
|
|
from david hill; ok henning
|
|
The lower 2 bits of the tos-header are used for ECN.
(http://tools.ietf.org/html/rfc2474#section-3)
OK henning@, haesbaert@
|
|
compatibility with FreeBSD/NetBSD.
Also rename SIMPLEQ_REMOVE_NEXT to SIMPLEQ_REMOVE_AFTER.
ok mikeb@ guenther@
|
|
moving the state export functionality from pfsync code into pf.
Based on the initial diff diff by guenther, ok henning.
|
|
Following bluhm's advice this changes the way we setup state keys and
perform state lookups for ICMPv6 Neighbor Discovery packets:
- replace the NS-dst with ND target address;
- replace the NA-src with ND target address;
- replace the NA-dst with unspecified address if it is a multicast.
This allows pf to match Address Resolution, Neighbor Unreachability
Detection and Duplicate Address Detection packets to the corresponding
states without the need to create new ones or match unrelated ones.
As a side effect we're doing now one state table lookup for ND packets
instead of two.
Fixes a bug uncovered by one of the previous commits that virtually
breaks IPv6 connectivity after few minutes of use.
ok stsp henning, with and ok bluhm
|
|
pf to fix that.
- add #ifdef INET6 in obvious places
- af translation is only possible with both INET and INET6
- interleave #endif /* INET6 */ and closing brace correctly
- it is not necessary to #ifdef function prototypes
- do not compile af translate functions at all instead of empty stub,
then the linker will report inconsistencies
- pf_poolmask() actually takes an sa_family_t not an u_int8_t argument
No binary change for GENERIC compiled with -O2 and -UDIAGNOSTIC.
reported by Olivier Cochard-Labbe; ok mikeb@ henning@
|
|
two consecutive host addresses won't generate the same value which
is used as a port number in state entries; ok bluhm, sperreault
|
|
ok bluhm, henning
|
|
- Let pf_normalize_ip() and pf_normalize_ip6() take the struct
pf_pdesc pd as argument.
- Always check wether the mbuf got NULL after normalization to make
the code more robust.
- Make the code structure of pf_normalize_ip6() more like
pf_normalize_ip() to make the differences obvious.
ok henning@
|
|
- Fragment offset is in network byte order.
- Check for legal short fragments before calling pf_pull_hdr() to
avoid bogus reason accounting.
- When checking wether the protocol header is within the fragment,
count the IPv6 payload length relative to the end of the IPv6 header.
ok henning@
|
|
Found by LLVM/Clang Static Analyzer.
ok henning@ markus@
|
|
|
|
make their argument list shorter. Also fix a bug where pf_walk_option6()
used the outer header in the pd2 case.
ok henning@ mikeb@
|
|
latter is called from pf packet logging. This resulted in normalization
and reassembly of bad packets to be logged. So rearrange the code
and move the call to pf_test().
ok henning@
|
|
in pf_test_state_*(). This needs less code and is more consistent.
OK mikeb, markus, henning.
|
|
(there only one state and it's direction is always PF_IN) and don't
exclude icmp echo replies from the test.
ok mcbride, claudio on previous version, ok henning, "looks good" deraadt
|
|
pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.
positive review and comments from claudio, ok henning, sperreault
|
|
ok claudio@ henning@ mikeb@
|
|
pf_state_expires() handled it incorrectly.
discussed with mikeb@
ok henning@
|
|
connection does not observe the route-to option.
ok dlg mikeb
|
|
skewed at runtime by things like date(1) and ntpd. time_uptime is
monotonic and therefore more useful to compare against.
ok deraadt@ mikeb@
|
|
|
|
"af-to" a generic IP version translator for pf(4).
Not everything perfect yet but lets fix these things in the tree.
Insane amount of work done by sperreault@, mikeb@ and reyk@.
Looked over by mcbride@ henning@ and myself at eurobsdcon.
OK mcbride@ and general put it in from deraadt@
|
|
just one and the variable name is clear enough. ryan ok
|
|
Also sort pd to the beginning of the functions' parameter lists for
consistency.
ok henning
|
|
KNF, no binary change.
|
|
pf_setup_pdesc(). It is better to check and bail out early than
to rely on pf_pull_hdr() later.
ok henning mpf
|
|
AF_INET6. So remove useless af switch defaults here and there.
Always use "switch(af)" instead of "if (af) else" for af dependent
code. Always use AF_ defines instead of PF_ when checking af values.
ok claudio mpf henning
|
|
around. This is a mechanical change. Initialize pd2 and use it
where appropriate.
ok henning on an earlier version; ok mpf
|
|
and change their type from int to u_int32_t. Do not pass struct
tcphdr *th and sa_family_t af, it is in pd anyway. Do not use af
and pd->af intermixed, the latter makes clear where it comes from.
Do not calculate the packet length again if pd already has it. Use
pd2.off instead of off2.
go go go go don't stop henning@ mpf@
|
|
some IPv4 and IPv6 code. Make sure that both code paths set the
same fields in the same order.
ok mpf henning
|
|
reassembled by normalization from pf_setup_pdesc() to pf_test().
This simplifies the paramter list of pf_setup_pdesc() as it can
concentrate on its job filling the pf_pdesc struct.
ok henning mpf
|
|
the one occurrence in pf_test_state_icmp() that uses pd2.ip_sum by
a local variable. Remove ip_sum and proto_sum from struct pf_pdesc.
ok claudio henning
|
|
pf_setup_pdesc. fixes logging of packets passed statefully. ok bluhm
|
|
been reassembled by normalization.
ok henning claudio
|
|
ruleset after match. In case this is the only rule in the anchor,
the anchor will be destroyed automatically after the rule is matched.
This is an extremely handy technique for firewall proxies.
ok henning, mcbride
|
|
It's already in pfvar.h
OK mcbride@
|
|
Diff from zinke@ with a some minor cleanup.
ok henning claudio deraadt
|
|
now, put it in the IPPROTO_TCP case of the pf_test_rule() inner loop.
ok henning sthen
|
