| Age | Commit message (Collapse) | Author |
|---|
|
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.
OK henning@, markus@
|
|
-remove useless casts
-MALLOC/FREE -> malloc/free
-use M_ZERO where appropriate instead of seperate bzero
feedback & ok krw, hshoexer
|
|
version for i386
more architectures and ctob() replacement is being worked on
prodded by and ok miod
|
|
there is a 1:1 mapping between direction and the tree the states get
attached to. there is no need to have anything outside the state insertion/
deletion/lookup routinbes know about these internals. so just pass the
direction to the lookup functions and let them pick the right tree.
ok dhartmei markus
|
|
unused ifname (this information is in struct pf_state_sync now).
Also a bit of KNF on the pf_state struct.
ok mpf@ henning@
|
|
check the logif when changing a rule
from max laier, ok ryan
|
|
pfioctl()'s DIOCKILLSTATES triggers panic due to wrong test
variable in for() loop.
well analyzed and fixed, excellent PR, applied verbatim, thanks!
(this was fallout from the state - state key split)
|
|
with a state entry into a new pf_alloc_state_key() function and use it
everywhere. makes upcoming changes way easier and is cleaner anyway.
conceptually agreed by ryan, but he's on the road now ;(
|
|
ok henning@
|
|
- Split pf_state into pf_state (used for tracking connection information),
and pf_state_key (used for searching the state table)
- Use pfsync_state in the ioctl for userland access to the state
table. This will sheild userland somewhat from future changes.
ok henning@ toby@ pyr@
|
|
Pick reasonble names for the locks involved..
ok tedu@, art@
|
|
need uvm/uvm_extern.h to get at uvmexp. oops.
|
|
to 200,000 instead of the conservative 100,000; ok dhartmei beck
tested by ckuethe
|
|
this allows an atomic read and reset counters, instead of read, reset in a
later ioctl and lose everything in between.
use the previously unused of pr->action. When it is set to PF_GET_CLR_CNTR,
the ioctl requires write permissions and counters are reset after they have
been copied out to userland.
obsoletes DIOCCLRRULECTRS, which only works for the main ruleset, but not
within anchors (yeah, that's how it all started)
ok dhartmei, mcbride and theo agree as well
|
|
diff from Berk D. Demir <bdd@mindcast.org>
ok henning dhartmei
|
|
be imported into pfctl. This is a precursor to separating ruleset parsing
from loading in pfctl, and tons of good things will come from it.
2 minor changes aside from cut-n-paste and #define portability magic:
- instead of defining the global pf_main_ruleset, define pf_main_anchor
(which contains the pf_main_ruleset)
- allow pf_find_or_create_ruleset() to return the pf_main_ruleset if it's
passed an empty anchor name.
ok henning dhartmei
|
|
logs go. ok mcbride
|
|
numbers, reported by Raja Subramanian; ok henning@
|
|
but third-party tools). a rule must have a non-empty replacement address
list when it's a translation rule but not an anchor call (i.e. "nat ... ->"
needs a replacement address, but "nat-anchor ..." doesn't). the check
confused "rule is an anchor call" with "rule is defined within an anchor".
report from Michal Mertl, Max Laier.
|
|
matching that rule so that the forwarding code later can use the
alternate routing table fo lookups (not implemented yet).
the tagging is "sticky", every matching rule modifies, just like the
regular "tag". ok claudio hshoexer, hacked at r2k6
|
|
state limit and adaptive.end of 120% of the state limit.
Explicitly setting the adaptive timeouts will override the default,
and it can be disabled by setting both adaptive.start and adaptive.end to 0.
ok henning@
|
|
the remainder of the network stack from splimp to splnet.
ok miod@
|
|
read-only operation (looking up one state entry), so allow it when /dev/pf
is opened read-only (allows squid to work read-only). from Andrey Matveev.
|
|
computations of change rates. unfortunately, I don't remember who suggested
this.
|
|
|
|
not appear in a function whose return type is void." Lint agrees.
ok (and C99 spec info) cloder@
|
|
Applies only to rules in the main ruleset (not anchors) if the ruleset
checksum matches. Necessary to fix the following for pfsync'd states:
- per-rule limits on number of states
- altq
- rule-based settings such as timeouts
More work to do re: nat rules, src-nodes, etc.
NOTE: This is modifies the pfsync header and version number.
Tools which process pfsync packets must be recompiled, and firewalls with
different versions will not sync.
ok mpf@ henning@ dhartmei@
|
|
- Introduces a rw_lock in pfioctl so that we can have concurrent readers
but only one process performing updates at a time;
- Separates state expiry into "unlink" and "free" parts; anyone can unlink
a state/src node from the RB trees at any time, but a state can only be
freed whilst the write lock is held;
- Converts state_updates into list state_list containing all states,
regardless of whether they are "linked" or "unlinked";
- Introduces a new PFTM_UNLINKED state that is used on the "unlinked" states
to signal that they can be freed;
- Converts pf_purge_expired_state to an "unlink" state routine, which only
unlinks the state from the RB trees. Freeing the state/src nodes is left
to the purge thread, which runs whilst holding a write lock, such that all
"next" references remain valid;
- Converts pfsync_bulk_update and DIOCGETSTATES to walk state_list rather
than the RB trees;
- Converts the purge thread to use the new state_list and perform a partial
purge every second, with the target rate a full state table walk every
PFTM_INTERVAL seconds.
seen by mcbride, henning, dhartmei pre-3.8, but too intrusive for then
|
|
from Boris Polevoy <vapcom at mail dot ru>, ok mcbride@
|
|
pf_state buffers on the stack.
ok henning mcbride
|
|
to search for a particular entry in the RB trees are at the start of the
structure.
This permits us to place a much smaller structure on the stack in the
interrupt paths that match packets against state entries.
ok mcbride
|
|
DIOCGETSTATE.
ok dhartmei mcbride
|
|
have purged all states in the case when an interface name was specified.
pf_purge_expired_states should decrease the count as appropriate.
ok dhartmei
|
|
|
|
inlined), ok art@
|
|
but statics are dangerous in case of concurrency. ok deraadt@
|
|
"validating" it, pass the bits to be ignored down to the validating
function in its allowedflags argument. Saves a 1kB+ stack allocation.
ok henning@
|
|
Use a static buffer for another large variable, pending further analysis.
prodded deraadt
|
|
it out of a timeout handler.
This means we will have process context, required when using the oldnointr
pool allocator.
Addresses pr4186, pr4273.
ok dhartmei@ henning@ tedu@
|
|
|
|
|
|
PF_MD5_DIGEST_LENGTH instead of including crypto/md5.h
ok markus@, henning@, mpf@
|
|
matches the counters on states now. also fix the counting on scrub rules
where we previously did not handle the byte counters at all.
extend pfctl -sl output to include the new seperate in/out counters
hacked on the ferry from Earls Cove to Saltery Bay
ok ryan
|
|
This is the basis for further pfsync improvements,
to ensure that pf rules are in sync with the master.
"get it in" mcbride@
|
|
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v is used. note: this changes the pflog header struct, rebuild all
dependancies. ok bob@, henning@.
|
|
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo
|
|
matching source and destination addresses/ports.
ok henning@ dhartmei@ mpf@
|
|
(not just to the initial packet). note: kernel/userland abi change
(rebuild pfctl). ok henning@
|
|
- instead of erroring on an attempt to set hostid to 0, just set it
with arc4random()
ok henning@ dhartmei@
|
|
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@
|
