| Age | Commit message (Collapse) | Author |
|---|
|
long live the one true internet.
ok henning mikeb
|
|
ok mikeb@, krw@, bluhm@, tedu@
|
|
to include that than rdnvar.h. ok deraadt dlg
|
|
|
|
ok miod@ mpi@
|
|
|
|
checksum has to be recalculated before the packet is fragmented
again. Put a missing in6_proto_cksum_out() into pf_refragment6().
This makes run-regress-frag6 and run-regress-frag6-ext pass again.
From Matthias Pitzl; OK henning@
|
|
with IPv4 packets. ok mikeb@
|
|
|
|
Found by LLVM/Clang Static Analyzer.
ok henning@ mikeb@ bluhm@
|
|
created a bunch of useless dependencies. Remove this implicit
inclusion and do an explicit #include <netinet6/in6_var.h> when it
is needed.
OK mpi@ henning@
|
|
and mnt_stat.f_ctime is long long, too
|
|
Start the expire counter when the queue is created by the first
fragment and drop it if the packet could not be reassembled within
60 seconds.
Reported by Antonios Atlasis; OK henning@ deraadt@
|
|
under some circumstances repair broken checksums on the way.
ok ryan naddy mikeb
.
redo most of the protocol (tcp/udp/...) checksum handling
-assume we have hardware checksum offloading. stop mucking with the
checksum in most of the stack
-stop checksum mucking in pf, just set a "needs checksumming" flag if needed
-in all output pathes, very late, if we figure out the outbound interface
doesn't have hw cksum offloading, do the cksum in software. this especially
makes the bridge path behave like a regular output path
-little special casing for bridge still required until the broadcast path
loses its disgusting shortcut hacks, but at least it's in one place now
and not all over the stack
in6_proto_cksum_out mostly written by krw@
started at k2k11 in iceland more than 1.5 years ago - yes it took that
long, this stuff is everything but easy.
this happens to fix the infamous pf rdr bug that made us turn off proto
cksum offloading on almost all interface drivers.
|
|
additional length check in pf_modulate_sack() and pf_normalize_mss().
Overflow cannot happen due to the restricted values in the length
calculation. As this is not obvious, be better safe than sorry.
OK henning@
|
|
|
|
-assume we have hardware checksum offloading. stop mucking with the
checksum in most of the stack
-stop checksum mucking in pf, just set a "needs checksumming" flag if needed
-in all output pathes, very late, if we figure out the outbound interface
doesn't have hw cksum offloading, do the cksum in software. this especially
makes the bridge path behave like a regular output path
-little special casing for bridge still required until the broadcast path
loses its disgusting shortcut hacks, but at least it's in one place now
and not all over the stack
in6_proto_cksum_out mostly written by krw@
started at k2k11 in iceland more than 1.5 years ago - yes it took that
long, this stuff is everything but easy.
this happens to fix the infamous pf rdr bug that made us turn off proto
cksum offloading on almost all interface drivers.
ok camield sthen claudio, testing by many, thanks!
|
|
runtime while time_uptime is monotonic. Prevent underflows in
pfsync(4) and pflow(4) by using signed variables. pfsync(4) problem
pointed out by camield.
Diff originally by dlg, frag and pflow bits by me.
feedback dlg
man page tweak jmc
Various versions of the pflow bits tested by Hrvoje Popovski
(hrvoje AT srce DOT hr), thanks!
ok benno, henning, dlg
|
|
The lower 2 bits of the tos-header are used for ECN.
(http://tools.ietf.org/html/rfc2474#section-3)
OK henning@, haesbaert@
|
|
pf to fix that.
- add #ifdef INET6 in obvious places
- af translation is only possible with both INET and INET6
- interleave #endif /* INET6 */ and closing brace correctly
- it is not necessary to #ifdef function prototypes
- do not compile af translate functions at all instead of empty stub,
then the linker will report inconsistencies
- pf_poolmask() actually takes an sa_family_t not an u_int8_t argument
No binary change for GENERIC compiled with -O2 and -UDIAGNOSTIC.
reported by Olivier Cochard-Labbe; ok mikeb@ henning@
|
|
- Let pf_normalize_ip() and pf_normalize_ip6() take the struct
pf_pdesc pd as argument.
- Always check wether the mbuf got NULL after normalization to make
the code more robust.
- Make the code structure of pf_normalize_ip6() more like
pf_normalize_ip() to make the differences obvious.
ok henning@
|
|
and IPv6 stack.
ok sperreault@
|
|
latter is called from pf packet logging. This resulted in normalization
and reassembly of bad packets to be logged. So rearrange the code
and move the call to pf_test().
ok henning@
|
|
The reassembly state will be dropped after timeout, all related
fragments are dropped until that. This is conforming to RFC 5722.
- Sort pf_fragment fields while there.
- If the fr_queue is empty, we had overlapping fragments, don't add
new ones.
- If we detect overlapping IPv6 fragments, flush the fr_queue and
drop all fragments immediately.
- Rearrange debug output, to make clear what happens.
- An IPv4 fragment that is totaly overlapped does not inclease the
bad fragment counter.
- Put an KASSERT into pf_isfull_fragment() to make sure that the
fr_queue is never emtpy there.
discussed with Fernando Gont; ok henning@
|
|
doing more or less the same, merge them into one. Just remove
fragment entries from the queue in pf_join_fragment() before they
are freed. Then pf_remove_fragment() is not needed anymore.
ok henning@
|
|
skewed at runtime by things like date(1) and ntpd. time_uptime is
monotonic and therefore more useful to compare against.
ok deraadt@ mikeb@
|
|
Also sort pd to the beginning of the functions' parameter lists for
consistency.
ok henning
|
|
KNF, no binary change.
|
|
pf_setup_pdesc(). It is better to check and bail out early than
to rely on pf_pull_hdr() later.
ok henning mpf
|
|
around. This is a mechanical change. Initialize pd2 and use it
where appropriate.
ok henning on an earlier version; ok mpf
|
|
and change their type from int to u_int32_t. Do not pass struct
tcphdr *th and sa_family_t af, it is in pd anyway. Do not use af
and pd->af intermixed, the latter makes clear where it comes from.
Do not calculate the packet length again if pd already has it. Use
pd2.off instead of off2.
go go go go don't stop henning@ mpf@
|
|
variables being processed.
ok bluhm@ henning@
|
|
with input and ok from bluhm and claudio
|
|
walking over the IPv6 header chain. Merge them into one loop,
adjust some length checks and fix IPv6 jumbo option handling. Also
allow strange but legal IPv6 packets with plen=0 passing through
pf. IPv6 jumbo packets still get dropped.
testing dhill@; ok mcbride@ henning@
|
|
the header address in the mbuf.
ok henning@
|
|
|
|
and AF_INET6 are doing the fragment handling the same way. Makes
code more readable.
With and OK bluhm@
|
|
way. Remove PFDESC_IP_REAS and pf_pdesc flags completely.
ok claudio@ henning@
|
|
handling. More to come to make the two codepathes a bit more identical.
tested by many (esp. krw@ and sthen@) input and OK bluhm@
|
|
pf_scrub with the right arugments in the rule case so that match
rules will work as expected. As a benefit allow setting the tos
on IPv6 packets as well.
OK henning@
|
|
pass a pointer to a pointer to make the code in pf_test() clearer.
ok henning@
|
|
in all output pathes anyway.
even worse than in the rest of pf, here we ran circles to update the ip
cksum every time we flip a tiny bit in the header...
pretty sure dlg claudio ok'd it and it is damn obvious anyway
|
|
the packets with the same maximum size. This allows the sender to
determine the optimal fragment size by Path MTU Discovery.
testing sthen@ matthieu@
ok claudio@
|
|
reassembly code. This makes it possible to reuse them for IPv6.
ok claudio@
|
|
wrong. As an effect small valid fragmented packets got dropped and
some invalid fragmented packets were passed. plen is the payload
lenght of the ipv6 packet without the ipv6 header. off is relative
to the whole packet including the ipv6 header. Add sizeof(struct
ip6_hdr) in the calculation.
ok henning@ markus@
|
|
pf_reassemble() to return PF_DROP or PF_PASS and *m0 is NULL or the
reassembled packet. In case of PF_DROP, the mbuf must be valid,
e.g. for logging, and will be freed later. In case the reassembled
packet is too big, use the reassembled mbuf for PF_DROP.
ok henning@ markus@
|
|
- PF_DROP, the packet is bad, the mbuf still exists and must be freed.
- PF_PASS and *m0 is NULL, the packet has been processed, not an error.
- PF_PASS and *m0 is not NULL, continue with packet processing.
This fixes a potential mbuf use after free.
ok henning@ markus@ mpf@
|
|
consistent with the network stack.
ok mcbride@ henning@
|
|
from fragment crop. PFFRAG_NOBUFFER and PFFRAG_DROP are never set.
pf_cache_pl and pf_cent_pl have no pool_get.
ok henning@
|
|
"that looks about right even though the offset calculation is pure
horror" claudio@, ok deraadt@
|
