path: root/sys/net/pf_norm.c
Age | Commit message | Author
2012-11-06 | backout csum diff for the moment, requested by theo | Henning Brauer
2012-11-01 | redo most of the protocol (tcp/udp/...) checksum handling | Henning Brauer
- assume we have hardware checksum offloading. stop mucking with the checksum in most of the stack
- stop checksum mucking in pf, just set a "needs checksumming" flag if needed
- in all output paths, very late, if we figure out the outbound interface doesn't have hw cksum offloading, do the cksum in software. this especially makes the bridge path behave like a regular output path
- little special casing for bridge still required until the broadcast path loses its disgusting shortcut hacks, but at least it's in one place now and not all over the stack
in6_proto_cksum_out mostly written by krw@
started at k2k11 in iceland more than 1.5 years ago - yes it took that long, this stuff is everything but easy.
this happens to fix the infamous pf rdr bug that made us turn off proto cksum offloading on almost all interface drivers.
ok camield sthen claudio, testing by many, thanks!
2012-10-30 | Use time_uptime for expiration values as time_second can be skewed at | Florian Obser
runtime while time_uptime is monotonic. Prevent underflows in pfsync(4) and pflow(4) by using signed variables.
pfsync(4) problem pointed out by camield. Diff originally by dlg, frag and pflow bits by me.
feedback dlg, man page tweak jmc
Various versions of the pflow bits tested by Hrvoje Popovski (hrvoje AT srce DOT hr), thanks!
ok benno, henning, dlg
2012-05-12 | Ignore/preserve ECN bits on ToS matching and scrubbing. | Marco Pfatschbacher
The lower 2 bits of the tos-header are used for ECN. (http://tools.ietf.org/html/rfc2474#section-3) OK henning@, haesbaert@
2012-02-03 | The kernel did not compile without INET6. Put some #ifdefs into | Alexander Bluhm
pf to fix that.
- add #ifdef INET6 in obvious places
- af translation is only possible with both INET and INET6
- interleave #endif /* INET6 */ and closing brace correctly
- it is not necessary to #ifdef function prototypes
- do not compile af translate functions at all instead of empty stub, then the linker will report inconsistencies
- pf_poolmask() actually takes an sa_family_t not an u_int8_t argument
No binary change for GENERIC compiled with -O2 and -UDIAGNOSTIC.
reported by Olivier Cochard-Labbe; ok mikeb@ henning@
2012-01-26 | Clean up the pf normalization code: | Alexander Bluhm
- Let pf_normalize_ip() and pf_normalize_ip6() take the struct pf_pdesc pd as argument.
- Always check whether the mbuf got NULL after normalization to make the code more robust.
- Make the code structure of pf_normalize_ip6() more like pf_normalize_ip() to make the differences obvious.
ok henning@
2012-01-23 | Do not keep state when dropping overlapping IPv6 fragments in pf | Alexander Bluhm
and IPv6 stack. ok sperreault@
2012-01-15 | Calling pf_normalize_ip() from pf_setup_pdesc() was bad as the | Alexander Bluhm
latter is called from pf packet logging. This resulted in normalization and reassembly of bad packets to be logged. So rearrange the code and move the call to pf_test(). ok henning@
2012-01-13 | Drop IPv6 packets built from overlapping fragments in pf reassembly. | Alexander Bluhm
The reassembly state will be dropped after timeout, all related fragments are dropped until that. This is conforming to RFC 5722.
- Sort pf_fragment fields while there.
- If the fr_queue is empty, we had overlapping fragments, don't add new ones.
- If we detect overlapping IPv6 fragments, flush the fr_queue and drop all fragments immediately.
- Rearrange debug output, to make clear what happens.
- An IPv4 fragment that is totally overlapped does not increase the bad fragment counter.
- Put a KASSERT into pf_isfull_fragment() to make sure that the fr_queue is never empty there.
discussed with Fernando Gont; ok henning@
2012-01-03 | Instead of having two functions pf_free_fragment() and pf_remove_fragment() | Alexander Bluhm
doing more or less the same, merge them into one. Just remove fragment entries from the queue in pf_join_fragment() before they are freed. Then pf_remove_fragment() is not needed anymore. ok henning@
2011-11-25 | use time_uptime to set state creation values as time_second can be | David Gwynne
skewed at runtime by things like date(1) and ntpd. time_uptime is monotonic and therefore more useful to compare against. ok deraadt@ mikeb@
2011-09-28 | As requested by henning, move the mbuf pointer into struct pf_pdesc. | Alexander Bluhm
Also sort pd to the beginning of the functions' parameter lists for consistency. ok henning
2011-09-22 | As I have touched half of pf lines anyway, fix whitespaces now. | Alexander Bluhm
KNF, no binary change.
2011-09-21 | Check the protocol header length for tcp, udp, icmp, icmp6 in | Alexander Bluhm
pf_setup_pdesc(). It is better to check and bail out early than to rely on pf_pull_hdr() later. ok henning mpf
2011-09-20 | Put kif and dir into pdesc and use this instead of passing the values | Alexander Bluhm
around. This is a mechanical change. Initialize pd2 and use it where appropriate. ok henning on an earlier version; ok mpf
2011-09-19 | Consolidate pf function parameters. Move off and hdrlen into pdesc | Alexander Bluhm
and change their type from int to u_int32_t. Do not pass struct tcphdr *th and sa_family_t af, it is in pd anyway. Do not use af and pd->af intermixed, the latter makes clear where it comes from. Do not calculate the packet length again if pd already has it. Use pd2.off instead of off2. go go go go don't stop henning@ mpf@
2011-09-18 | Fix various format string types to as a minimum match the width of the | Miod Vallat
variables being processed. ok bluhm@ henning@
2011-07-18 | unbreak set-tos for ipv6; reported by babut at yandex dot ru, | Mike Belopuhov
with input and ok from bluhm and claudio
2011-07-07 | There were two loops in pf_setup_pdesc() and pf_normalize_ip6() | Alexander Bluhm
walking over the IPv6 header chain. Merge them into one loop, adjust some length checks and fix IPv6 jumbo option handling. Also allow strange but legal IPv6 packets with plen=0 passing through pf. IPv6 jumbo packets still get dropped. testing dhill@; ok mcbride@ henning@
2011-07-05 | Instead of passing the ip header and mbuf to pf_reassemble(), lookup | Alexander Bluhm
the header address in the mbuf. ok henning@
2011-07-05 | add missing ifdefs for INET6; diff from form, ok henning, bluhm, claudio | Mike Belopuhov
2011-07-03 | Refactor the fragment handling in pf_setup_pdesc() so that AF_INET | Claudio Jeker
and AF_INET6 are doing the fragment handling the same way. Makes code more readable. With and OK bluhm@
2011-06-21 | There is no need to handle fragmented TCP reset packets in a special | Alexander Bluhm
way. Remove PFDESC_IP_REAS and pf_pdesc flags completely. ok claudio@ henning@
2011-06-20 | More cleanup in pf_test/pf_test6 this time mostly the fragment | Claudio Jeker
handling. More to come to make the two codepaths a bit more identical. tested by many (esp. krw@ and sthen@) input and OK bluhm@
2011-05-24 | Merge pf_scrub_ip() and pf_scrub_ip6() into a single function. Call | Claudio Jeker
pf_scrub with the right arguments in the rule case so that match rules will work as expected. As a benefit allow setting the tos on IPv6 packets as well. OK henning@
2011-04-23 | pf_scrub_ip() does not modify the given mbuf pointer. So don't | Alexander Bluhm
pass a pointer to a pointer to make the code in pf_test() clearer. ok henning@
2011-04-04 | stop fiddling with the ip checksum here too, it is always recalculated | Henning Brauer
in all output paths anyway. even worse than in the rest of pf, here we ran circles to update the ip cksum every time we flip a tiny bit in the header... pretty sure dlg claudio ok'd it and it is damn obvious anyway
2011-03-24 | Reassemble IPv6 fragments in pf. In the forward case, pf refragments | Alexander Bluhm
the packets with the same maximum size. This allows the sender to determine the optimal fragment size by Path MTU Discovery. testing sthen@ matthieu@ ok claudio@
2011-03-23 | Extract the address family independent functions from pf fragment | Alexander Bluhm
reassembly code. This makes it possible to reuse them for IPv6. ok claudio@
2011-02-01 | The check for invalid IPv6 fragment size in pf_normalize_ip6() was | Alexander Bluhm
wrong. As an effect small valid fragmented packets got dropped and some invalid fragmented packets were passed. plen is the payload length of the ipv6 packet without the ipv6 header. off is relative to the whole packet including the ipv6 header. Add sizeof(struct ip6_hdr) in the calculation. ok henning@ markus@
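An added example (this editor's user-space C model, not OpenBSD or pf code) for the two IPv6 fragment rules in the entries above: the 2011-02-01 fix, where plen excludes the 40-byte fixed header and off is counted from the start of the whole packet, so a fragment carries sizeof(struct ip6_hdr) + plen - off bytes of data; and the 2012-01-13 RFC 5722 handling, where the first overlapping fragment flushes the queue and the reassembly state lingers as a tombstone so every later fragment is dropped until the state times out. The frag6_* names, the fixed-size array standing in for fr_queue, and the constructed fragment offsets are assumptions of this example; pf itself works on mbuf chains and a hash of pf_fragment states, and reads fragoff, M and plen from the headers rather than taking them as integers.

```c
/*
 * Added example, not pf code: a user-space model of the IPv6 fragment checks
 * from the 2011-02-01 and 2012-01-13 entries. The frag6_* names, the fixed-size
 * queue and the sample fragments are this example's own assumptions.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define IP6_HDRLEN     40      /* sizeof(struct ip6_hdr) */
#define IPV6_MAXPACKET 65535   /* largest payload length field value */
#define FRAG6_MAXENT   64      /* queue capacity of the model */

struct frag6_ent { uint16_t off; uint16_t len; bool more; };
struct frag6_state { struct frag6_ent q[FRAG6_MAXENT]; size_t n; bool dropping; };

/*
 * Data length of one fragment, or -1 if inconsistent. plen is the IPv6 payload
 * length (fixed header NOT included); off is where the fragment data starts,
 * counted from the start of the whole packet (fixed header included), i.e.
 * past the 8-byte fragment header. Leaving out IP6_HDRLEN here is the bug the
 * 2011-02-01 entry fixes: plen - off is then 40 too small and underflows.
 */
int
frag6_data_len(uint16_t plen, uint32_t off)
{
	uint32_t total = IP6_HDRLEN + plen;
	if (off < IP6_HDRLEN + 8 || off > total)
		return -1;
	return (int)(total - off);
}

/* fragoff: byte offset (13-bit field << 3). Non-last fragments carry a multiple
 * of 8 bytes; no fragment may push the reassembled payload past IPV6_MAXPACKET. */
bool
frag6_size_ok(uint16_t fragoff, bool more, uint16_t plen, uint32_t off)
{
	int dlen = frag6_data_len(plen, off);
	if (dlen <= 0 || (more && (dlen & 7) != 0))
		return false;
	return (uint32_t)fragoff + (uint32_t)dlen <= IPV6_MAXPACKET;
}

/* Queue a fragment; true if queued, false if dropped. The first overlap flushes
 * the queue but keeps the state as a tombstone (RFC 5722), so later fragments
 * for the same packet are dropped too, until the state would time out. */
bool
frag6_queue_add(struct frag6_state *st, uint16_t off, uint16_t len, bool more)
{
	if (st->dropping || len == 0 || st->n == FRAG6_MAXENT)
		return false;
	for (size_t i = 0; i < st->n; i++) {
		uint32_t a0 = st->q[i].off, a1 = a0 + st->q[i].len;
		if (off < a1 && (uint32_t)off + len > a0) {
			st->n = 0;
			st->dropping = true;
			return false;
		}
	}
	st->q[st->n++] = (struct frag6_ent){ off, len, more };
	return true;
}

/* True once [0, end) is covered without holes and the M=0 fragment is queued.
 * Queued pieces never overlap, so pieces inside [0, end) summing to end cover it. */
bool
frag6_is_full(const struct frag6_state *st)
{
	uint32_t end = 0, hi = 0, covered = 0;
	if (st->dropping)
		return false;
	for (size_t i = 0; i < st->n; i++) {
		uint32_t e = (uint32_t)st->q[i].off + st->q[i].len;
		covered += st->q[i].len;
		if (e > hi)
			hi = e;
		if (!st->q[i].more)
			end = e;
	}
	return end != 0 && hi == end && covered == end;
}

/* Constructed arrivals: two good fragments, a third overlapping the second by
 * 8 bytes, then a legitimate last one. Returns how many were accepted (2). */
int
frag6_scenario_overlap(void)
{
	struct frag6_state st = { .n = 0, .dropping = false };
	int ok = 0;
	ok += frag6_queue_add(&st, 0, 1232, true);
	ok += frag6_queue_add(&st, 1232, 1232, true);
	ok += frag6_queue_add(&st, 2456, 16, false);  /* overlaps 2456..2463 */
	ok += frag6_queue_add(&st, 2464, 100, false); /* dropped: tombstone */
	return ok;
}

/* Same packet, last fragment arriving first: complete only after all three. */
bool
frag6_scenario_reorder(void)
{
	struct frag6_state st = { .n = 0, .dropping = false };
	frag6_queue_add(&st, 2464, 100, false);
	frag6_queue_add(&st, 0, 1232, true);
	if (frag6_is_full(&st))
		return false;   /* hole at 1232..2463 */
	frag6_queue_add(&st, 1232, 1232, true);
	return frag6_is_full(&st);
}
```

frag6_size_ok(2464, false, 48, 48) is a 40-byte last fragment, the kind of small but valid fragment the entry says the old arithmetic dropped; frag6_scenario_overlap() accepts two fragments and then refuses the legitimate fourth, because the third one's overlap turned the state into a tombstone rather than deleting it.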
2011-01-20 | The reason accounting in pf_reassemble() was not correct. Change | Alexander Bluhm
pf_reassemble() to return PF_DROP or PF_PASS and *m0 is NULL or the reassembled packet. In case of PF_DROP, the mbuf must be valid, e.g. for logging, and will be freed later. In case the reassembled packet is too big, use the reassembled mbuf for PF_DROP. ok henning@ markus@
2011-01-19 | Give pf_normalize_ip() the same 3 way semantics as pf_test(). | Alexander Bluhm
- PF_DROP, the packet is bad, the mbuf still exists and must be freed.
- PF_PASS and *m0 is NULL, the packet has been processed, not an error.
- PF_PASS and *m0 is not NULL, continue with packet processing.
This fixes a potential mbuf use after free.
ok henning@ markus@ mpf@
2011-01-06 | Put htons() around ip_randomid() for pf scrub random-id to make it | Alexander Bluhm
consistent with the network stack. ok mcbride@ henning@
2010-12-31 | Remove dead code from pf_norm.c. The fragment cache is some leftover | Alexander Bluhm
from fragment crop. PFFRAG_NOBUFFER and PFFRAG_DROP are never set. pf_cache_pl and pf_cent_pl have no pool_get. ok henning@
2010-07-08 | Use correct alignment for scrub max-mss. Based on a diff from deraadt. | Stuart Henderson
"that looks about right even though the offset calculation is pure horror" claudio@, ok deraadt@
2010-07-02 | m_copyback can fail to allocate memory, but is a void function so gymnastics | Bret Lambert
are required to detect that. Change the function to take a wait argument (used in nfs server, but M_NOWAIT everywhere else for now) and to return an error ok claudio@ henning@ krw@
2010-01-18 | Convert pf debug logging to using log()/addlog(), a single standardised | Ryan Thomas McBride
definition of DPFPRINTF(), and log priorities from syslog.h. Old debug levels will still work for now, but will eventually be phased out. discussed with henning, ok dlg
2009-09-01 | Clear the IP_DF bit if no-df is enabled, not if it is not enabled. | Joel Sing
Issue reported by Matthew Dempsky. Same fix suggested by fgsch@. ok henning@
2009-07-21 | pf_scrub_ip/ip6 prototypes are already in pfvar.h | Henning Brauer
2009-06-25 | scrub_flags is a u_int8_t, but PFSTATE_SCRUB_TCP is 0x0100, so the | Stuart Henderson
"reassemble tcp" state option failed to work correctly. Increasing this to u_int16_t fixes kernel/6178. ok deraadt@ henning@
2009-04-07 | after i took everything in this file apart and reassembled with a lot of | Henning Brauer
new stuff asserting copyright is in order
2009-04-06 | 1) scrub rules are completely gone. | Henning Brauer
2) packet reassembly: only one method remains, full reassembly. crop and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set have it cleared before entering the fragment cache, and thus the reassembled packet doesn't have df set either. it does NOT touch non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used like they do. opposed to pass or block, they do NOT change the pass/block state of a packet. i. e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the last matching rule, the following actions are set:
- queue assignment. can be overwritten later, the last rule that set a queue wins. note how this is different from the last matching rule wins, if the last matching rule has no queue assignments and the second last matching rule was a match rule with queue assignments, these assignments are taken.
- rtable assignments. works the same as queue assignments.
- set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work like the above
- logging. every matching rule causes the packet to be logged. this means a single packet can get logged more than once (think multiple log interfaces with different receivers, like pflogd and spamlogd)
. almost entirely hacked at n2k9 in basel, could not be committed close to release. this really should have been multiple diffs, but splitting them now is not feasible any more. input from mcbride and dlg, and frantzen about the fragment handling. speedup around 7% for the common case, the more the more scrub rules were in use.
manpage not up to date, being worked on.
2009-01-31 | unbreak ! INET6 case by sprinkling #ifdef INET6 | Henning Brauer
noticed by Vladimir Kirillov <proger@uaoug.org.ua>
2009-01-29 | move some code around in preparation for future work: | Henning Brauer
break out the code that doesn't deal with fragment reassembly and only modifies stuff in the ip header to their own functions. pass them what they need instead of making them get the info from a rule ptr. ok dlg ryan
2008-05-07 | scrub packets based on tags; ok henning | Markus Friedl
2008-05-07 | allow setting TOS with scrub; ok mcbride, claudio | Markus Friedl
2007-12-30 | In pf_normalize_tcpopt() call pf_pull_hdr() address family safe. | Marcus Glocker
OK dhartmei@
2007-12-30 | Make "scrub max-mss" rule work correctly; | Marcus Glocker
In pf_normalize_tcpopt() pull the TCP options before processing them. This gets the correct TCP options even if an mbuf chain was used, instead like now pointing into an invalid mbuf data buffer. Will close PR 5623. Diff done together with dhartmei@. OK dhartmei@
2007-05-28 | double pf performance. | Henning Brauer
boring details: pf used to use an mbuf tag to keep track of route-to etc, altq, tags, routing table IDs, packets redirected to localhost etc. so each and every packet going through pf got an mbuf tag. mbuf tags use malloc'd memory, and that is kinda slow. instead, stuff the information into the mbuf header directly. bridging soekris with just "pass" as ruleset went from 29 MBit/s to 58 MBit/s with that (before ryan's randomness fix, now it is even betterer) thanks to chris for the test setup! ok ryan ryan ckuethe reyk
2007-05-26 | More comment typos from Diego Casati. Including winners like funtion, allmost, | Kenneth R Westerback
oustside, seqencer, toghether, nessissary, etc.