| Age | Commit message (Collapse) | Author |
|---|
|
passed by pf or cause a panic in pf.
fix from sashan@; OK bluhm@ claudio@
bug found by Corentin Bayet, Nicolas Collignon, Luca Moro at Synacktiv
|
|
OK bluhm@ kn@
|
|
put the algorithm into a new function m_calchdrlen(). Also set an
uninitialized m_len to 0 in NFS code.
OK claudio@
|
|
created. Add a new function m_removehdr() do convert packet header
mbufs within the chain to regular mbufs. Assert that the mbuf at
the beginning of the chain has a packet header.
found by Maxime Villard in NetBSD; from markus@; OK claudio@
|
|
a global limit of 1024 fragments, but it is fine grained to the
region of the packet. Smaller packets may have less fragments.
This costs another 16 bytes of memory per reassembly and devides
the worst case for searching by 8.
requestd by claudio@; OK sashan@ claudio@
|
|
Remember 16 entry points based on the fragment offset. Instead of
a worst case of 8196 list traversals we now check a maximum of 512
list entries or 16 array elements.
discussed with claudio@ and sashan@; OK sashan@
|
|
|
|
pf(4) reassembly is complete. Instead count the holes that are
created when inserting a fragment. If there are no holes left, the
fragments are continuous.
idea from claudio@; OK claudio@ sashan@
|
|
- MSS and WSCALE option candidates must now meet their min type length.
- 'max-mss' is now more tolerant of malformed option lists.
These changes were immaterial to the live traffic I've examined.
OK sashan@ mpi@
|
|
bzero -> memset and (very few) bcopy -> memcpy/memmove
|
|
may easily reuse the fragment id as it is only 16 bit for IPv4. To
avoid that pf reassembles them into the wrong packet, throw away
stale fragments. With the default timeout this happens after 12,000
newer fragements have been seen.
from markus@; OK sashan@
|
|
we need suitable data structures. Organize the pf fragments with
two red-black trees. One is holding the address and protocol
information and the other has only the fragment id. This will allow
to drop fragemts for specific connections more aggressively. `
from markus@; OK sashan@
|
|
bugs could easily result in use-after-free or double free. Introduce
m_freemp() which automatically resets the pointer before freeing
it. So we have less dangling pointers in the kernel.
OK krw@ mpi@ claudio@
|
|
to enable PF_LOCK(), you must add 'option WITH_PF_LOCK' to your kernel
configuration. The code does not do much currently it's just the very
small step towards MP.
O.K. henning@, mikeb@, mpi@
|
|
Recursions are still marked as XXXSMP.
ok deraadt@, bluhm@
|
|
with certain rulesets and excessively noisy; move them to LOG_INFO (which was
previously unused). ok benno@
|
|
For the moment the NET_LOCK() is always taken by threads running under
KERNEL_LOCK(). That means it doesn't buy us anything except a possible
deadlock that we did not spot. So make sure this doesn't happen, we'll
have plenty of time in the next release cycle to stress test it.
ok visa@
|
|
NET_LOCK(). pfioctl() will need the NET_LOCK() anyway. So better keep
things simple until we're going to redesign PF for a MP world.
fixes the crash reported by Kaya Saman.
ok mpi@, bluhm@
|
|
of calling rtalloc() again.
OK mpi@
|
|
|
|
|
|
Prevent pf_socket_lookup() reading uninitialised header buffers on fragments.
OK blum@ sashan@
|
|
in pf. Drop the whole fragment state if IPv6 fragments appear which
have invalid length or fragment-offset or more-fragment-bit. In
IPv4 they are considered invalid and just dropped like before.
Found by Antonios Atlasis; OK sashan@ sthen@
|
|
pfvar_priv.h. The pf_headers had to be defined in multiple .c files
before. In pfvar.h it would have unknown storage size, this file
is included in too many places. The idea is to have a private pf
header that is only included in the pf part of the kernel. For now
it contains pf_pdesc and pf_headers, it may be extended later.
discussion, input and OK henning@ procter@ sashan@
|
|
|
|
|
|
the ioff argument to pool_init() is unused and has been for many
years, so this replaces it with an ipl argument. because the ipl
will be set on init we no longer need pool_setipl.
most of these changes have been done with coccinelle using the spatch
below. cocci sucks at formatting code though, so i fixed that by hand.
the manpage and subr_pool.c bits i did myself.
ok tedu@ jmatthew@
@ipl@
expression pp;
expression ipl;
expression s, a, o, f, m, p;
@@
-pool_init(pp, s, a, o, f, m, p);
-pool_setipl(pp, ipl);
+pool_init(pp, s, a, ipl, f, m, p);
|
|
ok phessler@ henning@
|
|
A single forwarding cache is not the answer. The answer is 42... err PF!
ok bluhm@
|
|
when fiddling with packets but without the mess that motivated Henning to
remove it. Affects only this one aspect of Henning's checksum work. Also tweak
the basic algorithm and supply a correctness argument.
OK dlg@ deraadt@ sthen@; no objection henning@
|
|
has been moved to nd6_resolve().
ok visa@, millert@, florian@, sthen@
|
|
byte order. Spotted by Gleb Smirnoff (glebius@FreeBSD.org), thanks!
ok tedu
|
|
ok sthen@, bluhm@
|
|
pf_test calls pf_refragment6 with dst=NULL, which is passed down to
rtable_match which attempts to dereference it.
|
|
ok bluhm@
|
|
As a bonus this removes a "#if NCARP > 0", say yeah!
|
|
|
|
which are routed on behalf route-to action.
OK bluhm@
|
|
OK deraadt.
|
|
it also adds af_unhandled(), where it is currently missing.
ok mcbride@
|
|
|
|
add a condition to save a useless call to m_adj() and have a paranoid
length check in the other cases.
OK henning@
|
|
get padding appended to them. This padding is not stripped off in
ip6_input() (due to support for IPv6 Jumbograms, RFC2675). That
means PF needs to be careful when reassembling fragmented packets
to not include the padding in the reassembled packet.
from FreeBSD; via Kristof Provost; OK henning@
|
|
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.
ok tedu@ deraadt@
|
|
ok mpi pelikan
|
|
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy
|
|
long live the one true internet.
ok henning mikeb
|
|
ok mikeb@, krw@, bluhm@, tedu@
|
|
to include that than rdnvar.h. ok deraadt dlg
|
|
|
