| Age | Commit message (Collapse) | Author |
|---|
|
runtime while time_uptime is monotonic. Prevent underflows in
pfsync(4) and pflow(4) by using signed variables. pfsync(4) problem
pointed out by camield.
Diff originally by dlg, frag and pflow bits by me.
feedback dlg
man page tweak jmc
Various versions of the pflow bits tested by Hrvoje Popovski
(hrvoje AT srce DOT hr), thanks!
ok benno, henning, dlg
|
|
when dealing with lots of IP fragments.
This sets the default to 25% of the mbuf cluster maximum (hint
from beck). And the example in the manpage is sane now.
ok mikeb henning beck deraadt
|
|
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates wether the prio
should be set. ok benno claudio mikeb
|
|
mostly by dynamically allocating pflogifs instead of making that a static
array. ok claudio zinke
|
|
utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc
|
|
when you kill states by IP, it is not all that clear which IP we're talking
about - before or after rewriting?
the old semantics were to always look at the "original" IP, i. e. before
rewriting. ever since the NAT rewrite we were unconditionally looking
at the wire side state key, which is the original address for PF_IN states,
but not for PF_OUT. So look at the SK_STACK state key in the PF_OUT case.
should fix "authpf doesn't remove NAT states" seen on misc a while ago
ok & testing & half of the analysis bob (he sez beck)
|
|
moving the state export functionality from pfsync code into pf.
Based on the initial diff diff by guenther, ok henning.
|
|
OK deraadt@, guenther@
|
|
pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.
positive review and comments from claudio, ok henning, sperreault
|
|
with every other thing that stores the state id (including other pfsync
messages).
includes improvements to the systat code to consider the creatorid as well
as the state id in its cache to avoid collisions between states created on
different hosts.
tested by me in production and on amd64 talking to sparc64.
ok henning@
|
|
pf_state_expires() handled it incorrectly.
discussed with mikeb@
ok henning@
|
|
skewed at runtime by things like date(1) and ntpd. time_uptime is
monotonic and therefore more useful to compare against.
ok deraadt@ mikeb@
|
|
"af-to" a generic IP version translator for pf(4).
Not everything perfect yet but lets fix these things in the tree.
Insane amount of work done by sperreault@, mikeb@ and reyk@.
Looked over by mcbride@ henning@ and myself at eurobsdcon.
OK mcbride@ and general put it in from deraadt@
|
|
unfortunately altq is one giant namespace violation. rename just those that
conflict with new stuff for now only to be found on my laptop. reduce pain,
the diff is huge already. ok ryan
|
|
ruleset after match. In case this is the only rule in the anchor,
the anchor will be destroyed automatically after the rule is matched.
This is an extremely handy technique for firewall proxies.
ok henning, mcbride
|
|
implementation. ok ryan mpf sthen and also testing pea and halex looked
at it and commented as well
|
|
a crash if max-src-* options are triggered both before and after a ruleset
reload, when the rules are overloading to a non-persistent table.
Discovered by and fix from Martin Pelikan.
|
|
Found by LLVM/Clang Static Analyzer.
ok henning@
|
|
write rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@
|
|
to establish cross rdomain proxy sessions.
OK henning@, mpf@
|
|
All pointers in the struct need to be cleared and reset. So instead of
bcopy the struct and clear some fields start with a clean struct and
assign the values that need to be copied.
Fixes a local vulnerability but only root can issue the problematic ioctl().
Reported by Jean Sigwald, has been in snaps for a while and OK deraadt@
|
|
broken by ryan in australia
problem found & nagging by sthen
jsg found the fix but failed to apply the cluestick correctly ;)
test & ok sthen
|
|
- 'make -Fi' reset ALL the interface statistics
can be restricted with -i ifname
- 'make -Fa -i ifname' fail (it's meaningless)
- get rid of a silly little struct that's only used for one thing
ok henning
|
|
Reported by Alexander Vladimirov.
|
|
definition of DPFPRINTF(), and log priorities from syslog.h. Old debug
levels will still work for now, but will eventually be phased out.
discussed with henning, ok dlg
|
|
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.
Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.
ok henning dlg claudio
|
|
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:
pass out on em0 from $foo to $bar received-on fxp0
ive been running this in production for a week now. i find it particularly
usefull with interface groups.
no objections, and a few "i like"s from henning, claudio, deraadt, mpf
|
|
the original approach using a source tracking node.
the reimplementation i smore flexible than the original one, we now have an
slist of source tracking nodes per state. that is cheap because more than
one entry will be an absolute exception.
ok beck and jsg, also stress tested by Sebastian Benoit <benoit-lists at fb12.de>
|
|
|
|
the NAT rewrite and ever since then only checked in a couple of plaes
but never set. same for nat_src_node on pf_state.
with this the NAT rewrite made pf over 1000 lines shorter.
|
|
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing
|
|
Found by parfait.
ok henning@
|
|
everything just more complicated. Make sure the structs align nicely.
OK deraadt@
|
|
tables on top of a rdomain) but until now our code was a crazy mix so that
it was impossible to correctly use rtables in that case. Additionally pf(4)
only knows about rtables and not about rdomains. This is especially bad when
tracking (possibly conflicting) states in various domains.
This diff fixes all or most of these issues. It adds a lookup function to
get the rdomain id based on a rtable id. Makes pf understand rdomains and
allows pf to move packets between rdomains (it is similar to NAT).
Because pf states now track the rdomain id as well it is necessary to modify
the pfsync wire format. So old and new systems will not sync up.
A lot of help by dlg@, tested by sthen@, jsg@ and probably more
OK dlg@, mpf@, deraadt@
|
|
which unbreaks ie route-to after the recent pf changes.
With much help debugging and pointing out of missing bits from claudio@
ok claudio@ "looks good" henning@
|
|
statements operating as a whitelist, taking care to allow af 0 (which is
the wildcard value in pf rules)
diff from Vadim Zhukov
ok henning
|
|
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, seperate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too
|
|
transactional. sanity checked claudio, requested by theo for some time
|
|
since the DIOCSETREASS ioctl is called on every ruleset load and was
overriding the initial setting in pfattach(). Fix setting of the global
no-df bitmask as well.
ok henning@
|
|
not do fragment reassembly. discussed with dlg and ryan in basel.
ok ryan dlg sthen jdixon todd deraadt
|
|
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.
|
|
transactional, closing PRs 4941 and 5910. Minor flag day, requires rebuild
of userland tools that use struct pfi_kif.
ok henning deraadt
|
|
WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC
this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.
huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.
ok beck@ mcbride@ "good." deraadt@
|
|
|
|
ok dlg, henning, sthen
|
|
whether we're called from the interrupt context to the functions
performing allocations.
Looked at by mpf@ and henning@, tested by mpf@ and Antti Harri,
the pr originator.
ok tedu
|
|
ok dlg
|
|
and the state-related pf(4) ioctls, and make functions in state creation and
destruction paths more robust in error conditions.
All values in struct pfsync_state now in network byte order, as with pfsync.
testing by david
ok henning, systat parts ok canacar
|
|
for picking states to unlink as the tailq may contain unlinked states.
|
|
ok henning@
|
