path: root/sys/net/pf_if.c
Age  Author  Commit message
2010-01-18  Ryan Thomas McBride
    Convert pf debug logging to using log()/addlog(), a single standardised
    definition of DPFPRINTF(), and log priorities from syslog.h. Old debug levels will still work for now, but will eventually be phased out. discussed with henning, ok dlg

2010-01-12  Ryan Thomas McBride
    First pass at removing the 'pf_pool' mechanism for translation and routing
    actions. Allow interfaces to be specified in special table entries for the routing actions. Lists of addresses can now only be done using tables, which pfctl will generate automatically from the existing syntax. Functionally, this deprecates the use of multiple tables or dynamic interfaces in a single nat or rdr rule. ok henning dlg claudio

2009-08-25  Kenneth R Westerback
    Clearly copy the whole, and nothing but the whole, old buffer into
    the resized buffer. From Pawel Jakob Dawidek via Max Laier via Marc Balmer via tech@. As was the previous commit where I didn't mention Pawel. 'should be olright' henning@

2009-08-25  Kenneth R Westerback
    Fix order of memcpy() arguments so data is copied from src to dest,
    not the other way. At least partial fix for interfaces with >64 aliases. From Max Laier via Marc Balmer. 'seems right' sthen@ ok markus@

2009-03-09  Ryan Thomas McBride
    Make the DIOCSETIFFLAG, DIOCSETLIMIT, and DIOCSETTIMEOUT ioctls
    transactional, closing PRs 4941 and 5910. Minor flag day, requires rebuild of userland tools that use struct pfi_kif. ok henning deraadt
2008-11-24  Mike Belopuhov
    Fix splasserts seen in pr 5987 by propagating a flag that describes
    whether we're called from the interrupt context to the functions performing allocations. Looked at by mpf@ and henning@, tested by mpf@ and Antti Harri, the pr originator. ok tedu
2008-06-14  Michael Knudsen
    Also do the PR_ZERO dance here. This was held back on Henning's request
    because it conflicted with the change he did in pf_if.c earlier. He finally woke up to ok (well, ``yes'', really) this version now.

2008-06-14  Henning Brauer
    pool_get()s not in interrupt context should not be PR_NOWAIT, but
    PR_WAITOK | PR_LIMITFAIL. from discussion with art. ok ryan claudio thib

2008-05-18  Ryan Thomas McBride
    KNF

2007-11-07  Marco Pfatschbacher
    Check for pfi_kif's that are neither groups nor have a real interface.
    This prevents a null-deref when empty groups are used in set loginterface. Fixes PR 5628 as reported by Andreas Bihlmaier. Bad mpf :( OK henning@

2007-09-27  Marco Pfatschbacher
    Add loginterface support for groups.
    Using a group sums up the statistics of all members. Modify pfctl(1) slightly to allow a groupname "all", which gives us an overall pf(4) statistic. OK henning@, markus@
2007-09-15  Henning Brauer
    malloc sweep:
    - remove useless casts
    - MALLOC/FREE -> malloc/free
    - use M_ZERO where appropriate instead of separate bzero
    feedback & ok krw, hshoexer
2007-09-01  Henning Brauer
    since the
    MGET* macros were changed to function calls, there wasn't any need for the pool declarations and the inclusion of pool.h From: tbert <bret.lambert@gmail.com>

2007-07-13  Markus Friedl
    remove obsolete pfi_statehead and pfik_w_states; ok henning@

2006-12-13  Jun-ichiro itojun Hagino
    use IN6_IS_SCOPE_EMBED to check kernel-internal form addresses
    (s6_addr16[1] filled) ok dhartmei
2006-01-30  Henning Brauer
    fix updating of tables associated with interface groups used in
    pass to (ifgroup) style notation. instead of walking the list of associated dynaddrs with a pf-abstracted interface which might not be present when there is no reference to them in the ruleset, and checking their pointer back to the interface for group memberships, walk the groups an interface is member of directly. even makes the code easier. tests & ok bob ryan markus + tested moritz
2005-09-28  Christopher Pascoe
    Improve the safety of pf IOCTLs, taking into account that some paths can sleep.
    - Introduces a rw_lock in pfioctl so that we can have concurrent readers but only one process performing updates at a time;
    - Separates state expiry into "unlink" and "free" parts; anyone can unlink a state/src node from the RB trees at any time, but a state can only be freed whilst the write lock is held;
    - Converts state_updates into list state_list containing all states, regardless of whether they are "linked" or "unlinked";
    - Introduces a new PFTM_UNLINKED state that is used on the "unlinked" states to signal that they can be freed;
    - Converts pf_purge_expired_state to an "unlink" state routine, which only unlinks the state from the RB trees. Freeing the state/src nodes is left to the purge thread, which runs whilst holding a write lock, such that all "next" references remain valid;
    - Converts pfsync_bulk_update and DIOCGETSTATES to walk state_list rather than the RB trees;
    - Converts the purge thread to use the new state_list and perform a partial purge every second, with the target rate a full state table walk every PFTM_INTERVAL seconds.
    seen by mcbride, henning, dhartmei pre-3.8, but too intrusive for then

2005-08-18  Christopher Pascoe
    Rearrange pf_state and pfi_kif so that the parts of the structure needed
    to search for a particular entry in the RB trees are at the start of the structure. This permits us to place a much smaller structure on the stack in the interrupt paths that match packets against state entries. ok mcbride

2005-08-07  Christopher Pascoe
    Reset kif->pfik_ifp to NULL before calling pfi_kif_unref(), similar change
    to that in rev 1.40 for interface groups. ok henning

2005-08-02  Christopher Pascoe
    Instead of copying a table structure so we can mask off a bit before
    "validating" it, pass the bits to be ignored down to the validating function in its allowedflags argument. Saves a 1kB+ stack allocation. ok henning@

2005-07-20  Henning Brauer
    need to reset kif->pfik_group to NULL before calling pfi_kif_unref() so it can
    notice that this kif is not referenced and not attached to an interface or a group and actually deletes it. plugs a memleak, PR 4267 is caused by this.

2005-06-06  Henning Brauer
    use a define instead of hardcoding "all" in 3 places

2005-06-05  Henning Brauer
    const'ify the char * parameter to pfi_kif_get and pfi_group_change

2005-06-02  Henning Brauer
    tsc, ryan left debug crap behind

2005-05-28  Ryan Thomas McBride
    Remove duplicate pfi_ifs.

2005-05-27  Henning Brauer
    - in our current model, a kif has either a pointer to an interface (ifnet) or
    a group, or there cannot be addresses associated with it. so we can get rid of checking kifs in the 3rd case and just be done with it.
    - we don't need to try to manually clear the table used for the (interface) notation when both the ifp and the group pointers are NULL, the pfr_set_addrs call will do the right thing with an empty set of addrs
    suggested by cedric, ryan ok

2005-05-26  Henning Brauer
    turd polishing

2005-05-26  Henning Brauer
    repair (self) notation - just attach "self" to the "all" group

2005-05-25  Henning Brauer
    when an interface joins or leaves a group call back into pf so it can
    update the internal tables used for (ifgroup) notation

2005-05-24  Henning Brauer
    add support for brace notation for interface groups, i. e. (testgroup) matches
    all IPs on all interfaces in testgroup
2005-05-23  Henning Brauer
    further cleanup: don't mimic ifnet and add hooks and the dohooks() stuff to
    pf's interface abstraction, just attach a linked list of the dynaddrs to the respective kifs. makes things way easier and will be needed for the next step, ryan jajajaja
2005-05-23  Henning Brauer
    repair updates for the tables used for (interface) notation
    the way it is done is completely retarded, needs fixing with ryan
2005-05-22  Henning Brauer
    no need to search for the kif before calling pf_get_kif, it does that for us
2005-05-22  Henning Brauer
    allow pf to match on interface groups
    pass on mygroup ... markus ok

2005-05-21  Henning Brauer
    KNF
2005-05-21  Henning Brauer
    clean up and rework the interface abstraction code big time, rip out multiple
    useless layers of indirection and make the code way cleaner overall. this is just the start, more to come... worked very hard on by Ryan and me in Montreal last week, on the airplane to vancouver and yesterday here in calgary. it hurt. ok ryan theo

2005-04-21  Christopher Pascoe
    Catch failed hook_establish call immediately, rather than misbehaving and
    panicking at detach time. ok dhartmei@ henning@
2004-12-22  Daniel Hartmeier
    Introduce 'set skip on <ifspec>' to support a list of interfaces where no
    packet filtering should occur (like loopback, for instance). Code from Max Laier, with minor improvements based on feedback from deraadt@. ok mcbride@, henning@

2004-12-13  Daniel Hartmeier
    move splsoftnet() below ACCEPT_FLAGS(), which contains a potential return.
    from Max Laier.

2004-12-06  Marco Pfatschbacher
    Check a NULL dereference before it could happen.
    ok mcbride@
2004-08-15  Henning Brauer
    undo last commit, skipping over ifaddrs without IFA_ROUTE has unwanted
    side effects in IPv6 land, noticed by Johan Fredin <griffin@legonet.org>
2004-08-11  Henning Brauer
    skip over interface addresses without IFA_ROUTE, fixes some issue with pppd
    from Max Laier <max@love2party.net>

2004-08-10  David Gwynne
    when inserting a dynamic group entry into the pfi_ifs tree, don't incorrectly
    create an interface entry with the same name. Prevents panics due to subsequent invalid refcounting. from Chris Pascoe ok dhartmei@ henning@

2004-07-11  Ryan Thomas McBride
    Create the group when adding a dynamic interface that's not yet plugged in.
    ok henning@

2004-07-04  Henning Brauer
    remove the half-baked and bogus pfi_dynamic_drivers() which tries to guess
    which drivers are hotpluggable. since we removed the stupid check from pfctl a few days ago nothing relies on this any more. ok pb@ mcbride@

2004-06-25  Thorsten Lockert
    Minor fixes suggested by nordin@ and henning@
    ok millert@

2004-06-21  Thorsten Lockert
    First step towards more sane time handling in the kernel -- this changes
    things such that code that only need a second-resolution uptime or wall time, and used to get that from time.tv_secs or mono_time.tv_secs now get this from separate time_t globals time_second and time_uptime. ok art@ niklas@ nordin@

2004-05-19  Daniel Hartmeier
    Allow recursive anchors (anchors within anchors, up to 64
    levels deep). More work required, but this is already functional. authpf users will need to adjust their anchor calls, but this will change again soon. ok beck@, cedric@, henning@, mcbride@
2004-04-28  Philipp Buehler
    Don't step into INET6 code, just because af != AF_INET
    Also comment #endif properly while being here ok mcbride@

2004-03-15  Cedric Berger
    Kill redundant (IPv4) and bogus (IPv6) tests. found+ok dhartmei@