path: root/sys/net/pf_if.c

Age         Commit message                                                                  Author

2007-11-07  Check for pfi_kif's that are neither groups nor have a real interface.  (Marco Pfatschbacher)
    This prevents a null-deref when empty groups are used in set loginterface. Fixes PR 5628 as reported by Andreas Bihlmaier. Bad mpf :( OK henning@

2007-09-27  Add loginterface support for groups.  (Marco Pfatschbacher)
    Using a group sums up the statistics of all members. Modify pfctl(1) slightly to allow a groupname "all", which gives us an overall pf(4) statistic. OK henning@, markus@

2007-09-15  malloc sweep:  (Henning Brauer)
    - remove useless casts
    - MALLOC/FREE -> malloc/free
    - use M_ZERO where appropriate instead of separate bzero
    feedback & ok krw, hshoexer

2007-09-01  since the  (Henning Brauer)
    MGET* macros were changed to function calls, there wasn't any need for the pool declarations and the inclusion of pool.h
    From: tbert <bret.lambert@gmail.com>

2007-07-13  remove obsolete pfi_statehead and pfik_w_states; ok henning@  (Markus Friedl)

2006-12-13  use IN6_IS_SCOPE_EMBED to check kernel-internal form addresses  (Jun-ichiro itojun Hagino)
    (s6_addr16[1] filled) ok dhartmei

2006-01-30  fix updating of tables associated with interface groups used in  (Henning Brauer)
    pass to (ifgroup) style notation. instead of walking the list of associated dynaddrs with a pf-abstracted interface which might not be present when there is no reference to them in the ruleset, and checking their pointer back to the interface for group memberships, walk the groups an interface is member of directly. even makes the code easier. tests & ok bob ryan markus + tested moritz

2005-09-28  Improve the safety of pf IOCTLs, taking into account that some paths can sleep.  (Christopher Pascoe)
    - Introduces a rw_lock in pfioctl so that we can have concurrent readers but only one process performing updates at a time;
    - Separates state expiry into "unlink" and "free" parts; anyone can unlink a state/src node from the RB trees at any time, but a state can only be freed whilst the write lock is held;
    - Converts state_updates into list state_list containing all states, regardless of whether they are "linked" or "unlinked";
    - Introduces a new PFTM_UNLINKED state that is used on the "unlinked" states to signal that they can be freed;
    - Converts pf_purge_expired_state to an "unlink" state routine, which only unlinks the state from the RB trees. Freeing the state/src nodes is left to the purge thread, which runs whilst holding a write lock, such that all "next" references remain valid;
    - Converts pfsync_bulk_update and DIOCGETSTATES to walk state_list rather than the RB trees;
    - Converts the purge thread to use the new state_list and perform a partial purge every second, with the target rate a full state table walk every PFTM_INTERVAL seconds.
    seen by mcbride, henning, dhartmei pre-3.8, but too intrusive for then
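    Worked example added to this log entry (illustration only, not OpenBSD's pf_if.c or pf.c): a minimal model of the unlink/free split the commit describes. Any context may unlink a state from the lookup tree, which makes it invisible to the packet path, but the memory is released only by the purge walk over state_list, which runs with the write lock held so that its "next" pointers cannot be invalidated underneath it. Assumptions: the RB tree is modelled by an in_tree flag, the rw_lock by a write_locked flag, and PFTM_UNLINKED is a constructed sentinel value.

```c
/*
 * Model (not OpenBSD code) of pf's two-phase state expiry: unlink from
 * the lookup tree anywhere, free only from the locked purge walk.
 * Assumptions: in_tree stands in for RB-tree membership, write_locked
 * for the pfioctl rw_lock, PFTM_UNLINKED is a constructed sentinel.
 */
#include <stdio.h>
#include <stdlib.h>

#define PFTM_UNLINKED 0x7fffffff	/* constructed sentinel timeout */

struct pf_state {
	int			 id;
	int			 timeout;	/* PFTM_UNLINKED once unlinked */
	int			 in_tree;	/* stands in for RB-tree membership */
	struct pf_state		*next;		/* state_list link */
};

static struct pf_state	*state_list;	/* every state, linked or unlinked */
static int		 write_locked;

void pf_write_lock(void)   { write_locked = 1; }
void pf_write_unlock(void) { write_locked = 0; }

struct pf_state *
pf_insert_state(int id)
{
	struct pf_state *s = calloc(1, sizeof(*s));

	if (s == NULL)
		return NULL;
	s->id = id;
	s->in_tree = 1;
	s->next = state_list;
	state_list = s;
	return s;
}

/* Packet-path lookup: only tree members are visible. */
struct pf_state *
pf_find_state(int id)
{
	struct pf_state *s;

	for (s = state_list; s != NULL; s = s->next)
		if (s->in_tree && s->id == id)
			return s;
	return NULL;
}

/* Phase 1: unlink. Any context, no lock, idempotent; 1 if it did work. */
int
pf_unlink_state(struct pf_state *s)
{
	if (s->timeout == PFTM_UNLINKED)
		return 0;
	s->in_tree = 0;
	s->timeout = PFTM_UNLINKED;
	return 1;
}

/*
 * Phase 2: free. Only the purge walk, holding the write lock, splices
 * unlinked entries out of state_list and frees them. Returns the number
 * freed, or -1 when called without the lock (a bug, surfaced as a value
 * here so the invariant is checkable).
 */
int
pf_purge_unlinked(void)
{
	struct pf_state **pp, *s;
	int freed = 0;

	if (!write_locked)
		return -1;
	for (pp = &state_list; (s = *pp) != NULL; ) {
		if (s->timeout == PFTM_UNLINKED) {
			*pp = s->next;	/* splice out first, then free */
			free(s);
			freed++;
		} else
			pp = &s->next;
	}
	return freed;
}

/* Length of state_list; a DIOCGETSTATES-style walk covers this, not the tree. */
int
pf_list_count(void)
{
	struct pf_state *s;
	int n = 0;

	for (s = state_list; s != NULL; s = s->next)
		n++;
	return n;
}

int
main(void)
{
	struct pf_state *b;

	pf_insert_state(1);
	b = pf_insert_state(2);
	pf_insert_state(3);
	pf_unlink_state(b);		/* no lock needed for this step */
	printf("after unlink: find(2)=%p list=%d\n",
	    (void *)pf_find_state(2), pf_list_count());
	printf("purge without lock: %d\n", pf_purge_unlinked());
	pf_write_lock();
	printf("purge with lock: %d, list=%d\n", pf_purge_unlinked(),
	    pf_list_count());
	pf_write_unlock();
	return 0;
}
```

    The point of the split is that a lookup or a sleeping ioctl never races with free(): an unlinked entry stays on state_list, still safely dereferenceable, until the single writer reclaims it.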
2005-08-18  Rearrange pf_state and pfi_kif so that the parts of the structure needed  (Christopher Pascoe)
    to search for a particular entry in the RB trees are at the start of the structure. This permits us to place a much smaller structure on the stack in the interrupt paths that match packets against state entries. ok mcbride

2005-08-07  Reset kif->pfik_ifp to NULL before calling pfi_kif_unref(), similar change  (Christopher Pascoe)
    to that in rev 1.40 for interface groups. ok henning

2005-08-02  Instead of copying a table structure so we can mask off a bit before  (Christopher Pascoe)
    "validating" it, pass the bits to be ignored down to the validating function in its allowedflags argument. Saves a 1kB+ stack allocation. ok henning@

2005-07-20  need to reset kif->pfik_group to NULL before calling pfi_kif_unref() so it can  (Henning Brauer)
    notice that this kif is not referenced and not attached to an interface or a group and actually deletes it. plugs a memleak, PR 4267 is caused by this.

2005-06-06  use a define instead of hardcoding "all" in 3 places  (Henning Brauer)

2005-06-05  const'ify the char * parameter to pfi_kif_get and pfi_group_change  (Henning Brauer)

2005-06-02  tsc, ryan left debug crap behind  (Henning Brauer)

2005-05-28  Remove duplicate pfi_ifs.  (Ryan Thomas McBride)

2005-05-27  -in our current model, a kif has either a pointer to an interface (ifnet) or  (Henning Brauer)
    a group, or there cannot be addresses associated with it. so we can get rid of checking kifs in the 3rd case and just be done with it.
    -we don't need to try to manually clear the table used for the (interface) notation when both the ifp and the group pointers are NULL, the pfr_set_addrs call will do the right thing with an empty set of addrs
    suggested by cedric, ryan ok

2005-05-26  turd polishing  (Henning Brauer)

2005-05-26  repair (self) notation - just attach "self" to the "all" group  (Henning Brauer)

2005-05-25  when an interface joins or leaves a group call back into pf so it can  (Henning Brauer)
    update the internal tables used for (ifgroup) notation

2005-05-24  add support for brace notation for interface groups, i.e. (testgroup) matches  (Henning Brauer)
    all IPs on all interfaces in testgroup

2005-05-23  further cleanup: don't mimic ifnet and add hooks and the dohooks() stuff to  (Henning Brauer)
    pf's interface abstraction, just attach a linked list of the dynaddrs to the respective kifs. makes things way easier and will be needed for the next step, ryan jajajaja

2005-05-23  repair updates for the tables used for (interface) notation  (Henning Brauer)
    the way it is done is completely retarded, needs fixing with ryan

2005-05-22  no need to search for the kif before calling pf_get_kif, it does that for us  (Henning Brauer)

2005-05-22  allow pf to match on interface groups  (Henning Brauer)
    pass on mygroup ... markus ok

2005-05-21  KNF  (Henning Brauer)

2005-05-21  clean up and rework the interface abstraction code big time, rip out multiple  (Henning Brauer)
    useless layers of indirection and make the code way cleaner overall. this is just the start, more to come... worked very hard on by Ryan and me in Montreal last week, on the airplane to vancouver and yesterday here in calgary. it hurt. ok ryan theo

2005-04-21  Catch failed hook_establish call immediately, rather than misbehaving and  (Christopher Pascoe)
    panicking at detach time. ok dhartmei@ henning@

2004-12-22  Introduce 'set skip on <ifspec>' to support a list of interfaces where no  (Daniel Hartmeier)
    packet filtering should occur (like loopback, for instance). Code from Max Laier, with minor improvements based on feedback from deraadt@. ok mcbride@, henning@

2004-12-13  move splsoftnet() below ACCEPT_FLAGS(), which contains a potential return.  (Daniel Hartmeier)
    from Max Laier.

2004-12-06  Check a NULL dereference before it could happen.  (Marco Pfatschbacher)
    ok mcbride@

2004-08-15  undo last commit, skipping over ifaddrs without IFA_ROUTE has unwanted  (Henning Brauer)
    side effects in IPv6 land, noticed by Johan Fredin <griffin@legonet.org>

2004-08-11  skip over interface addresses without IFA_ROUTE, fixes some issue with pppd  (Henning Brauer)
    from Max Laier <max@love2party.net>

2004-08-10  when inserting a dynamic group entry into the pfi_ifs tree, don't incorrectly  (David Gwynne)
    create an interface entry with the same name. Prevents panics due to subsequent invalid refcounting. from Chris Pascoe ok dhartmei@ henning@

2004-07-11  Create the group when adding a dynamic interface that's not yet plugged in.  (Ryan Thomas McBride)
    ok henning@

2004-07-04  remove the half-baked and bogus pfi_dynamic_drivers() which tries to guess  (Henning Brauer)
    which drivers are hotpluggable. since we removed the stupid check from pfctl a few days ago nothing relies on this any more. ok pb@ mcbride@

2004-06-25  Minor fixes suggested by nordin@ and henning@  (Thorsten Lockert)
    ok millert@

2004-06-21  First step towards more sane time handling in the kernel -- this changes  (Thorsten Lockert)
    things such that code that only needs a second-resolution uptime or wall time, and used to get that from time.tv_secs or mono_time.tv_secs, now gets this from separate time_t globals time_second and time_uptime. ok art@ niklas@ nordin@

2004-05-19  Allow recursive anchors (anchors within anchors, up to 64  (Daniel Hartmeier)
    levels deep). More work required, but this is already functional. authpf users will need to adjust their anchor calls, but this will change again soon. ok beck@, cedric@, henning@, mcbride@

2004-04-28  Don't step into INET6 code, just because af != AF_INET  (Philipp Buehler)
    Also comment #endif properly while being here ok mcbride@

2004-03-15  Kill redundant (IPv4) and bogus (IPv6) tests. found+ok dhartmei@  (Cedric Berger)

2004-03-09  KNF, ok cedric@ deraadt@  (Ryan Thomas McBride)

2004-02-20  Make pfsync deal with clearing states bound to a group or interface (eg  (Ryan Thomas McBride)
    pfctl -i fxp0 -Fs). Also don't send out individual state deletions if we're sending a clear message, move pfsync_clear_states() inside splnet, and fix if_pfsync.h includes in pf.c and pf_ioctl.c. ok cedric@ dhartmei@

2004-02-17  Tighten pfi_skip_if() up, and a bit of KNF. ok mcbride@  (Cedric Berger)

2004-02-10  KNF  (Henning Brauer)

2004-02-09  Repair "set loginterface". Don't flush stats on pfctl -e. pf_status.since  (Cedric Berger)
    is the time of last "pf -e" or "pf -d". ok dhartmei@ henning@

2004-01-07  PFI_MTYPE leak; ok cedric@  (Markus Friedl)

2003-12-31  spacing. note this, cedric  (Theo de Raadt)

2003-12-31  delay interfaces attach until "self" has been created; ok cedric@  (Markus Friedl)

2003-12-31  Many improvements to the handling of interfaces in PF.  (Cedric Berger)
    1) PF should do the right thing when unplugging/replugging or cloning/destroying NICs.
    2) Rules can be loaded in the kernel for not-yet-existing devices (USB, PCMCIA, Cardbus). For example, it is valid to write: "pass in on kue0" before kue USB is plugged in.
    3) It is possible to write rules that apply to groups of interfaces (drivers), like "pass in on ppp all"
    4) There is a new ":peer" modifier that completes the ":broadcast" and ":network" modifiers.
    5) There is a new ":0" modifier that will filter out interface aliases. Can also be applied to DNS names to restore original PF behaviour.
    6) The dynamic interface syntax (foo) has been vastly improved, and now supports multiple addresses, v4 and v6 addresses, and all userland modifiers, like "pass in from (fxp0:network)"
    7) Scrub rules now support the !if syntax.
    8) States can be bound to the specific interface that created them or to a group of interfaces, for example:
       - pass all keep state (if-bound)
       - pass all keep state (group-bound)
       - pass all keep state (floating)
    9) The default value when only keep state is given can be selected by using the "set state-policy" statement.
    10) "pfctl -ss" will now print the interface scope of the state.
    This diff changes the pf_state structure slightly, so you should recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)
    Tested on i386, sparc, sparc64 by Ryan
    Tested on macppc, sparc64 by Daniel
    ok deraadt@ mcbride@