summaryrefslogtreecommitdiff
path: root/sys/net/pf_norm.c
AgeCommit message (Collapse)Author
2003-12-31Many improvements to the handling of interfaces in PF.Cedric Berger
1) PF should do the right thing when unplugging/replugging or cloning/ destroying NICs. 2) Rules can be loaded in the kernel for not-yet-existing devices (USB, PCMCIA, Cardbus). For example, it is valid to write: "pass in on kue0" before kue USB is plugged in. 3) It is possible to write rules that apply to group of interfaces (drivers), like "pass in on ppp all" 4) There is a new ":peer" modifier that completes the ":broadcast" and ":network" modifiers. 5) There is a new ":0" modifier that will filter out interface aliases. Can also be applied to DNS names to restore original PF behaviour. 6) The dynamic interface syntax (foo) has been vastly improved, and now support multiple addresses, v4 and v6 addresses, and all userland modifiers, like "pass in from (fxp0:network)" 7) Scrub rules now support the !if syntax. 8) States can be bound to the specific interface that created them or to a group of interfaces for example: - pass all keep state (if-bound) - pass all keep state (group-bound) - pass all keep state (floating) 9) The default value when only keep state is given can be selected by using the "set state-policy" statement. 10) "pfctl -ss" will now print the interface scope of the state. This diff change the pf_state structure slighltly, so you should recompile your userland tools (pfctl, authpf, pflogd, tcpdump...) Tested on i386, sparc, sparc64 by Ryan Tested on macppc, sparc64 by Daniel ok deraadt@ mcbride@
2003-12-18TCP timestamp modulation (scrub reassemble tcp) fix from frantzen@Daniel Hartmeier
2003-08-29Fix three cases of potential accesses to free'd memory. At least one ofDaniel Hartmeier
them could be used to panic pf with scrub rules remotely. Found by Rob Pickering. ok frantzen@, henning
2003-08-22pf spelling policeDavid Krause
ok dhartmei@ jmc@
2003-08-22KNFHenning Brauer
2003-08-21Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.Mike Frantzen
Exposes the source IP's operating system to the filter language. Interesting policy decisions are now enforceable: . block proto tcp from any os SCO . block proto tcp from any os Windows to any port smtp . rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001
2003-08-14m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.Jason Wright
2003-07-17fix scrub frag reassembly after the stack's ip_len/ip_off flip correctionMike Frantzen
ok itojun@ and dhartmei@. heckling from henning@
2003-07-12Prevent u_int16_t variable from overflowing and get rid of the compilerDaniel Hartmeier
warning. From Pyun YongHyeon. ok itojun@
2003-07-10correct another incorrect comparison in ip6 normalization.Jun-ichiro itojun Hagino
don't use m->m_pkthdr.len for checking, as it is not reliable
2003-07-10wrong comparison of IPv6 packetsizeJun-ichiro itojun Hagino
2003-07-09check if m->m_pkthdr.len is too shortJun-ichiro itojun Hagino
2003-07-09don't check exact ip6_plen and m->m_pkthdr.len match, as ip6_input()Jun-ichiro itojun Hagino
does the m_adj() only after filtering. reported by marc
2003-07-09do not flip ip_len/ip_off in netinet stack. deraadt ok.Jun-ichiro itojun Hagino
(please test, especially PF portion)
2003-07-09KNFDaniel Hartmeier
2003-07-01wrap pf_normalize_ip6() by #ifdef INET6. pointed out by Wouter ClarieJun-ichiro itojun Hagino
2003-06-29normalize IPv6 packet (no reass, but it is a start). dhartmei & henning okJun-ichiro itojun Hagino
- length, jumbo payload option - TTL ("hoplimit" in IPv6 terminology) rewrite
2003-06-28redundant (pfvar.h already have it)Jun-ichiro itojun Hagino
2003-05-14- modulate TCP Timestamps so they can't be used to detect NAT and to precludeMike Frantzen
remote uptime determination - scrub modifier "reassemble tcp" turns on stateful TCP normalizations ok henning@ dhartmei@
2003-05-14Use official (from pcap people) link type for pflog.Can Erkin Acar
With this change, the log header format also changes. The new log format is extendible and allows logging of the originating anchor and ruleset information. ok henning@ dhartmei@ frantzen@
2003-05-11the start of stateful TCP scrubbing. dynamically determine the highest TTL ofMike Frantzen
each side of the TCP connection and prevent it from being reduced ok pb@ dhartmei@
2003-04-05Replace the timeout variables by the content of the timeoutCedric Berger
field of a new pf_default_rule structure. ok dhartmei@
2003-02-18Enforce min-ttl and random-id on inbound scrub as well as outbound.Camiel Dobbelaar
ok dhartmei@
2003-02-12Address the NFS problems recently discussed in various threads.Daniel Hartmeier
Change semantics of scrub option 'no-df' slightly: if the option is used, it now also applies to _fragments_ with IP_DF set, not just to complete packets. Hence, adding 'no-df' to 'scrub in all fragment reassemble' allows to clear IP_DF from fragments, so they don't get dropped but reassembled. This affects several UDP protocols that used PMTU discovery, mostly Linux' NFS implementation. In short, if you have 'scrub in all' now, you probably want to change that to 'scrub in all no-df', unless you want to drop fragments with IP_DF set (some people have good reasons to do the latter, hence the non-default option). ok frantzen@, henning@, cedric@
2003-02-08Add scrub option 'random-id', which replaces IP IDs with random valuesDaniel Hartmeier
for outgoing packets that are not fragmented (after reassembly), to compensate for predictable IDs generated by some hosts, and defeat fingerprinting and NAT detection as described in the Bellovin paper http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@
2003-01-25Fix a bug that potentially caused fragments to be dropped when theDaniel Hartmeier
overlap calculation got negative. Found by Baruch Even. ok henning@
2003-01-09(whitespace) KNF, re-fold -w 80Daniel Hartmeier
2003-01-07Remove table name hashing (pass the name in each ioctl instead), andDaniel Hartmeier
introduce reference counting for tables, they are now automatically created and deleted through referencing rules. Diff partly from cedric@. ok mcbride@, henning@, cedric@
2003-01-05Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for tableDaniel Hartmeier
name. ok henning@, mcbride@, cedric@
2003-01-04move noroute from flag in pf_rule_addr into type in pf_addr_wrap.Daniel Hartmeier
ok henning@, mcbride@
2003-01-03KNFTheo de Raadt
2003-01-01KNFHenning Brauer
2003-01-01Remove skip step for action (scrub vs. non-scrub), as scrub rules areDaniel Hartmeier
stored in a separate list now. Regress tests still pass after sed "s/ a=end / /g", other skip steps are not affected.
2002-12-31Split scrub rules out from the filter rules in the kernel.Ryan Thomas McBride
Precursor to removing rule.action from skip steps. Also a couple of other small fixes: - s/PF_RULESET_RULE/PF_RULESET_FILTER/ - replacement of 4 with PF_RULESET_MAX in pfvar.h struct ruleset { - error handling in ioctl of an invalid value in rule.action - counting evaluations and matching packets for scrub rules ok henning@ dhartmei@
2002-12-18KNFHenning Brauer
2002-12-18Pass skip step values through ioctl interface, pfctl -vvsr shows them,Daniel Hartmeier
main purpose is making them regress-testable.
2002-12-17Merge pf_nat/pf_binat/pf_rdr structs into pf_rule. Simplifies code, allowsRyan Thomas McBride
skip steps on translation rules. Also: - Require a ticket for DIOCCHANGERULE operations to prevent races. - Remove pf_compare_* functions from pf_ioctl.c. DIOCCHANGE* operations use a rule number, and comparisons happen in userland. Testing and fixes from dhartmei@ and frantzen@ ok dhartmei@ henning@
2002-12-06Introduce anchors and named rule sets, allowing to load additional ruleDaniel Hartmeier
sets with pfctl and evaluate them from the main rule set using a new type of rule (which will support conditional evaluation soon). Makes maintenance of sub-rulesets simpler for pfctl and daemons. Idea and ok deraadt@
2002-11-23kernel code to allow multiple redirection addresses to be specified for natRyan Thomas McBride
and rdr, as well as route-to, dup-to and reply-to. Addresses can be allocated in a number of ways: - masking out the network portion of the address and replacing it - randomly assigning an address in the block - hashing the source address and a key to determine the redirection address - iterating through the addresses sequentially (this is the only allocation scheme which works when a list of addresses is specified) ok dhartmei@ henning@
2002-10-29keep all pflog goodies in pflog sources, avoids code duplications; okski ↵Michael Shalayeff
frantzen@ and dhartmei@
2002-10-22Convert "int af" and "u_int8_t af" declarations and function argumentsRyan Thomas McBride
to the more correct and descriptive "sa_family_t af" ok dhartmei@ henning@
2002-10-07-Wsign-compare cleanDaniel Hartmeier
2002-06-28KNFTheo de Raadt
2002-06-11split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',Mike Frantzen
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping fragments and all corresponding ones ok kjell@ with feedback from kjell@ and deraadt@. the rest are slacking
2002-06-11KNF (tabs, return (x))Daniel Hartmeier
2002-06-11SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragmentsMike Frantzen
without the memory overhead of the conventional defrag in SCRUB ok dhartmei@, idea by deraadt@
2002-06-10Don't #include <sys/malloc.h>Daniel Hartmeier
2002-06-08keep the count of fragments consistent when we have to do a fail safe dropMike Frantzen
2002-06-07switch from AVL tree's to herr Provos' red-black treesMike Frantzen
with suggestions from provos@ ok dhartmei@
2002-05-21Junk gcc's deprecated __FUNCTION__. Use standard __func__ instead.Marc Espie
ok dhartmei@