Age | Commit message (Collapse) | Author |
|
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok
|
|
as an extension to the sequence number got disabled because of the failing idle
limit on PAWS checks. One more thing off my todo list. I need an intern
|
|
requested by deraadt
|
|
|
|
|
|
remaining TODO:
- "forward" case kernel behavior (IPv4 too), then pfctl syntax change
- red-black tree
|
|
caveats: (to be addressed soon)
- "scrub in" should queue fragments back into ip6intrq again, but
somehow it does not happen - the packet is kept inside reass queue.
need investigation
- ip6_forwarding path is not tested
- does not use red-black tree. somehow red-black tree behaved badly
and was not robust. performance issue, the above one is more
important.
good things:
- "scrub out" is perfectly ok
- i think now we can inspect upper-layer protocol fields (tcp port)
even if ip6 packet is fragmented.
- reass queue will be cleaned up properly by timeout (60sec). we might
want to impose pool limit as well
|
|
encapsulating all such access into wall-defined functions
that makes sure locking is done as needed.
It also cleans up some uses of wall time vs. uptime some
places, but there is sure to be more of these needed as
well, particularily in MD code. Also, many current calls
to microtime() should probably be changed to getmicrotime(),
or to the {,get}microuptime() versions.
ok art@ deraadt@ aaron@ matthieu@ beck@ sturm@ millert@ others
"Oh, that is not your problem!" from miod@
|
|
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.
ok art@ niklas@ nordin@
|
|
keyword in C++. ok henning@, cedric@
|
|
also fixup checksum when random-id modifies ip_id. This would previously
lead to incorrect checksums for packets modified by scrub random-id.
From Pyun YongHyeon. ok cedric@
|
|
Marc Huber. ok deraadt@
|
|
sequence numbers by taking advantage of the maximum 1KHz clock as an upperbound
on the timestamp. Typically gains 10 to 18 bits of additional security against
blind data insertion attacks. More if the TS Echo wasn't optional :-(
Enabled with: scrub on !lo0 all reassemble tcp
ok dhartmei@. documentation help from jmc@
|
|
Also comment #endif properly while being here
ok mcbride@
|
|
enabled when we're doing full frag reassembly and thus have full seq info
ok markus@
|
|
ok deraadt@
|
|
|
|
|
|
|
|
ok dhartmei@ frantzen@
|
|
1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.
2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.
3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"
4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.
5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.
6) The dynamic interface syntax (foo) has been vastly improved, and
now support multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"
7) Scrub rules now support the !if syntax.
8) States can be bound to the specific interface that created them or
to a group of interfaces for example:
- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)
9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.
10) "pfctl -ss" will now print the interface scope of the state.
This diff change the pf_state structure slighltly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)
Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel
ok deraadt@ mcbride@
|
|
|
|
them could be used to panic pf with scrub rules remotely. Found by
Rob Pickering. ok frantzen@, henning
|
|
ok dhartmei@ jmc@
|
|
|
|
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001
|
|
|
|
ok itojun@ and dhartmei@. heckling from henning@
|
|
warning. From Pyun YongHyeon. ok itojun@
|
|
don't use m->m_pkthdr.len for checking, as it is not reliable
|
|
|
|
|
|
does the m_adj() only after filtering. reported by marc
|
|
(please test, especially PF portion)
|
|
|
|
|
|
- length, jumbo payload option
- TTL ("hoplimit" in IPv6 terminology) rewrite
|
|
|
|
remote uptime determination
- scrub modifier "reassemble tcp" turns on stateful TCP normalizations
ok henning@ dhartmei@
|
|
With this change, the log header format also changes.
The new log format is extendible and allows logging
of the originating anchor and ruleset information.
ok henning@ dhartmei@ frantzen@
|
|
each side of the TCP connection and prevent it from being reduced
ok pb@ dhartmei@
|
|
field of a new pf_default_rule structure.
ok dhartmei@
|
|
ok dhartmei@
|
|
Change semantics of scrub option 'no-df' slightly: if the option is used,
it now also applies to _fragments_ with IP_DF set, not just to complete
packets. Hence, adding 'no-df' to 'scrub in all fragment reassemble'
allows to clear IP_DF from fragments, so they don't get dropped but
reassembled.
This affects several UDP protocols that used PMTU discovery, mostly
Linux' NFS implementation. In short, if you have 'scrub in all' now,
you probably want to change that to 'scrub in all no-df', unless you
want to drop fragments with IP_DF set (some people have good reasons
to do the latter, hence the non-default option).
ok frantzen@, henning@, cedric@
|
|
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@
|
|
overlap calculation got negative. Found by Baruch Even. ok henning@
|
|
|
|
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@
|
|
name. ok henning@, mcbride@, cedric@
|
|
ok henning@, mcbride@
|