Age | Commit message (Collapse) | Author |
|
|
|
-assume we have hardware checksum offloading. stop mucking with the
checksum in most of the stack
-stop checksum mucking in pf, just set a "needs checksumming" flag if needed
-in all output pathes, very late, if we figure out the outbound interface
doesn't have hw cksum offloading, do the cksum in software. this especially
makes the bridge path behave like a regular output path
-little special casing for bridge still required until the broadcast path
loses its disgusting shortcut hacks, but at least it's in one place now
and not all over the stack
in6_proto_cksum_out mostly written by krw@
started at k2k11 in iceland more than 1.5 years ago - yes it took that
long, this stuff is everything but easy.
this happens to fix the infamous pf rdr bug that made us turn off proto
cksum offloading on almost all interface drivers.
ok camield sthen claudio, testing by many, thanks!
|
|
runtime while time_uptime is monotonic. Prevent underflows in
pfsync(4) and pflow(4) by using signed variables. pfsync(4) problem
pointed out by camield.
Diff originally by dlg, frag and pflow bits by me.
feedback dlg
man page tweak jmc
Various versions of the pflow bits tested by Hrvoje Popovski
(hrvoje AT srce DOT hr), thanks!
ok benno, henning, dlg
|
|
The lower 2 bits of the tos-header are used for ECN.
(http://tools.ietf.org/html/rfc2474#section-3)
OK henning@, haesbaert@
|
|
pf to fix that.
- add #ifdef INET6 in obvious places
- af translation is only possible with both INET and INET6
- interleave #endif /* INET6 */ and closing brace correctly
- it is not necessary to #ifdef function prototypes
- do not compile af translate functions at all instead of empty stub,
then the linker will report inconsistencies
- pf_poolmask() actually takes an sa_family_t not an u_int8_t argument
No binary change for GENERIC compiled with -O2 and -UDIAGNOSTIC.
reported by Olivier Cochard-Labbe; ok mikeb@ henning@
|
|
- Let pf_normalize_ip() and pf_normalize_ip6() take the struct
pf_pdesc pd as argument.
- Always check wether the mbuf got NULL after normalization to make
the code more robust.
- Make the code structure of pf_normalize_ip6() more like
pf_normalize_ip() to make the differences obvious.
ok henning@
|
|
and IPv6 stack.
ok sperreault@
|
|
latter is called from pf packet logging. This resulted in normalization
and reassembly of bad packets to be logged. So rearrange the code
and move the call to pf_test().
ok henning@
|
|
The reassembly state will be dropped after timeout, all related
fragments are dropped until that. This is conforming to RFC 5722.
- Sort pf_fragment fields while there.
- If the fr_queue is empty, we had overlapping fragments, don't add
new ones.
- If we detect overlapping IPv6 fragments, flush the fr_queue and
drop all fragments immediately.
- Rearrange debug output, to make clear what happens.
- An IPv4 fragment that is totaly overlapped does not inclease the
bad fragment counter.
- Put an KASSERT into pf_isfull_fragment() to make sure that the
fr_queue is never emtpy there.
discussed with Fernando Gont; ok henning@
|
|
doing more or less the same, merge them into one. Just remove
fragment entries from the queue in pf_join_fragment() before they
are freed. Then pf_remove_fragment() is not needed anymore.
ok henning@
|
|
skewed at runtime by things like date(1) and ntpd. time_uptime is
monotonic and therefore more useful to compare against.
ok deraadt@ mikeb@
|
|
Also sort pd to the beginning of the functions' parameter lists for
consistency.
ok henning
|
|
KNF, no binary change.
|
|
pf_setup_pdesc(). It is better to check and bail out early than
to rely on pf_pull_hdr() later.
ok henning mpf
|
|
around. This is a mechanical change. Initialize pd2 and use it
where appropriate.
ok henning on an earlier version; ok mpf
|
|
and change their type from int to u_int32_t. Do not pass struct
tcphdr *th and sa_family_t af, it is in pd anyway. Do not use af
and pd->af intermixed, the latter makes clear where it comes from.
Do not calculate the packet length again if pd already has it. Use
pd2.off instead of off2.
go go go go don't stop henning@ mpf@
|
|
variables being processed.
ok bluhm@ henning@
|
|
with input and ok from bluhm and claudio
|
|
walking over the IPv6 header chain. Merge them into one loop,
adjust some length checks and fix IPv6 jumbo option handling. Also
allow strange but legal IPv6 packets with plen=0 passing through
pf. IPv6 jumbo packets still get dropped.
testing dhill@; ok mcbride@ henning@
|
|
the header address in the mbuf.
ok henning@
|
|
|
|
and AF_INET6 are doing the fragment handling the same way. Makes
code more readable.
With and OK bluhm@
|
|
way. Remove PFDESC_IP_REAS and pf_pdesc flags completely.
ok claudio@ henning@
|
|
handling. More to come to make the two codepathes a bit more identical.
tested by many (esp. krw@ and sthen@) input and OK bluhm@
|
|
pf_scrub with the right arugments in the rule case so that match
rules will work as expected. As a benefit allow setting the tos
on IPv6 packets as well.
OK henning@
|
|
pass a pointer to a pointer to make the code in pf_test() clearer.
ok henning@
|
|
in all output pathes anyway.
even worse than in the rest of pf, here we ran circles to update the ip
cksum every time we flip a tiny bit in the header...
pretty sure dlg claudio ok'd it and it is damn obvious anyway
|
|
the packets with the same maximum size. This allows the sender to
determine the optimal fragment size by Path MTU Discovery.
testing sthen@ matthieu@
ok claudio@
|
|
reassembly code. This makes it possible to reuse them for IPv6.
ok claudio@
|
|
wrong. As an effect small valid fragmented packets got dropped and
some invalid fragmented packets were passed. plen is the payload
lenght of the ipv6 packet without the ipv6 header. off is relative
to the whole packet including the ipv6 header. Add sizeof(struct
ip6_hdr) in the calculation.
ok henning@ markus@
|
|
pf_reassemble() to return PF_DROP or PF_PASS and *m0 is NULL or the
reassembled packet. In case of PF_DROP, the mbuf must be valid,
e.g. for logging, and will be freed later. In case the reassembled
packet is too big, use the reassembled mbuf for PF_DROP.
ok henning@ markus@
|
|
- PF_DROP, the packet is bad, the mbuf still exists and must be freed.
- PF_PASS and *m0 is NULL, the packet has been processed, not an error.
- PF_PASS and *m0 is not NULL, continue with packet processing.
This fixes a potential mbuf use after free.
ok henning@ markus@ mpf@
|
|
consistent with the network stack.
ok mcbride@ henning@
|
|
from fragment crop. PFFRAG_NOBUFFER and PFFRAG_DROP are never set.
pf_cache_pl and pf_cent_pl have no pool_get.
ok henning@
|
|
"that looks about right even though the offset calculation is pure
horror" claudio@, ok deraadt@
|
|
are required to detect that.
Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error
ok claudio@ henning@ krw@
|
|
definition of DPFPRINTF(), and log priorities from syslog.h. Old debug
levels will still work for now, but will eventually be phased out.
discussed with henning, ok dlg
|
|
Issue reported by Matthew Dempsky. Same fix suggested by fgsch@.
ok henning@
|
|
|
|
"reassemble tcp" state option failed to work correctly. Increasing this
to u_int16_t fixes kernel/6178. ok deraadt@ henning@
|
|
new stuff asserting copyright is in order
|
|
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.
|
|
noticed by Vladimir Kirillov <proger@uaoug.org.ua>
|
|
break out the code that doesn't deal with fragment reassembly and only
modifies stuff in the ip header to their own functions. pass them what they
need instead of making them get the info from a rule ptr.
ok dlg ryan
|
|
|
|
|
|
OK dhartmei@
|
|
In pf_normalize_tcpopt() pull the TCP options before processing them.
This gets the correct TCP options even if an mbuf chain was used, instead
like now pointing into an invalid mbuf data buffer.
Will close PR 5623. Diff done together with dhartmei@.
OK dhartmei@
|
|
boring details:
pf used to use an mbuf tag to keep track of route-to etc, altq, tags,
routing table IDs, packets redirected to localhost etc. so each and every
packet going through pf got an mbuf tag. mbuf tags use malloc'd memory,
and that is knda slow.
instead, stuff the information into the mbuf header directly.
bridging soekris with just "pass" as ruleset went from 29 MBit/s to
58 MBit/s with that (before ryan's randomness fix, now it is even betterer)
thanks to chris for the test setup!
ok ryan ryan ckuethe reyk
|
|
oustside, seqencer, toghether, nessissary, etc.
|