Age | Commit message | Author |
|
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.
|
|
"validating" it, pass the bits to be ignored down to the validating
function in its allowedflags argument. Saves a 1kB+ stack allocation.
ok henning@
|
|
allocator on one pool). Should fix PR 4231 and 4240, but reintroduces 4186.
ok deraadt@
|
|
|
|
allocator and two pools, but PR_WAITOK when called from non-interrupt
context (ioctl). add configurable hard limits for tables and table
entries (set limit tables/table-entries), defaulting to 1000/100000.
ok aaron@, henning@, mcbride@, art@
|
|
with this, when you know their name you can list their contents with pfctl
ok ryan
|
|
|
|
the 3-way handshake. Allow limits on both total connections and connection
rate, put offenders in a table which can be used in the ruleset, and optionally
kill existing states. Rate tracking code from dhartmei@.
Adds a second pool for table entries using the default allocator, which
allows entries to be added at splsoftnet().
ok deraadt@ dhartmei@
|
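Added example, not code from the commit above or from pf: a constructed, single-file model of what that commit describes, a per-source limit on total connections and on connection rate, an overload table that a ruleset could then reference, and optional killing of the offender's existing states. The fixed-point decaying counter, the toy sizes, the `limits` struct and the sample sources 10.0.0.1 to 10.0.0.3 are this example's own assumptions; pf's real data structures and arithmetic are not reproduced here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy sizes and fixed-point scale. The decaying counter below is this
 * example's own model of a per-source connection rate, not pf's code. */
#define MAX_SRC    8
#define MAX_TABLE  8
#define MAX_STATES 32
#define MULT       1000

struct src_node {
    uint32_t addr;
    unsigned conn;        /* open connections from this source */
    unsigned rate_count;  /* scaled, decaying count of recent connections */
    unsigned last;        /* time of the last new connection, in seconds */
    int      used;
};
struct limits {
    unsigned max_conn;     /* total open connections per source; 0 = unlimited */
    unsigned rate_limit;   /* at most this many new connections ... */
    unsigned rate_seconds; /* ... per this many seconds; 0 = no rate limit */
    int      flush;        /* also kill the offender's existing states */
};
struct state { uint32_t src; int alive; };

static struct src_node nodes[MAX_SRC];
static uint32_t overload[MAX_TABLE];   /* the <table> a ruleset can then block on */
static unsigned noverload;
static struct state states[MAX_STATES];
static unsigned nstates;

int reset_tracking(void)
{
    memset(nodes, 0, sizeof nodes);
    memset(states, 0, sizeof states);
    noverload = nstates = 0;
    return 0;
}

static struct src_node *src_lookup(uint32_t addr)
{
    struct src_node *spare = NULL;
    unsigned i;
    for (i = 0; i < MAX_SRC; i++) {
        if (nodes[i].used && nodes[i].addr == addr)
            return &nodes[i];
        if (!nodes[i].used && spare == NULL)
            spare = &nodes[i];
    }
    if (spare) { spare->used = 1; spare->addr = addr; }
    return spare;
}

int overload_contains(uint32_t addr)
{
    unsigned i;
    for (i = 0; i < noverload; i++)
        if (overload[i] == addr)
            return 1;
    return 0;
}

unsigned alive_states(uint32_t src)
{
    unsigned i, n = 0;
    for (i = 0; i < nstates; i++)
        n += states[i].alive && states[i].src == src;
    return n;
}

/* A completed handshake from src at time now. Returns 1 and creates a state
 * when within limits; returns 0 when the source exceeded them, in which case
 * it goes into the overload table and, with flush set, its states are killed. */
int new_connection(const struct limits *l, uint32_t src, unsigned now)
{
    struct src_node *n = src_lookup(src);
    unsigned i;
    int over = 0;

    if (n == NULL || nstates == MAX_STATES)
        return 0;
    if (l->rate_seconds) {
        unsigned diff = now - n->last;
        if (diff >= l->rate_seconds)       /* whole window elapsed: start over */
            n->rate_count = 0;
        else                               /* age the count linearly toward zero */
            n->rate_count -= (unsigned)((uint64_t)n->rate_count * diff / l->rate_seconds);
        n->rate_count += MULT;
        n->last = now;
        if (n->rate_count > l->rate_limit * MULT)
            over = 1;
    }
    if (l->max_conn && n->conn >= l->max_conn)
        over = 1;
    if (!over) {
        n->conn++;
        states[nstates].src = src;
        states[nstates++].alive = 1;
        return 1;
    }
    if (!overload_contains(src) && noverload < MAX_TABLE)
        overload[noverload++] = src;
    if (l->flush) {
        for (i = 0; i < nstates; i++)
            if (states[i].src == src)
                states[i].alive = 0;
        n->conn = 0;
    }
    return 0;
}

/* Sample policies and constructed sources 10.0.0.1 .. 10.0.0.3. */
static const struct limits brute = { 0, 3, 10, 1 };  /* 3 per 10 s, flush offenders */
static const struct limits cap2  = { 2, 0, 0, 0 };   /* at most 2 open connections */
#define SRC_A 0x0a000001u
#define SRC_B 0x0a000002u
#define SRC_C 0x0a000003u

int main(void)
{
    unsigned t;
    for (t = 1; t <= 4; t++)
        printf("connection %u from 10.0.0.1 at t=0: %s\n", t,
               new_connection(&brute, SRC_A, 0) ? "pass" : "overload");
    printf("in table: %d, states left: %u\n", overload_contains(SRC_A), alive_states(SRC_A));
    return 0;
}
```

The decision whether a source is blocked is left to the ruleset that references the overload table; this model only fills the table and, with `flush`, drops the states, so a source that is over the limit at t=0 is accepted again once the window has elapsed unless the ruleset blocks it.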
|
now they abide by the same rules as anchor names referred to by rules:
- initial slashes (/) are stripped
- anchor names with characters after the terminating NUL byte are
considered invalid
ok dhartmei (and previously) beck henning
|
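Added example, not code from these commits or from pf, covering two of the anchor-name points in this log: the validation rules just above (initial slashes stripped, any non-zero byte after the terminating NUL makes the name invalid) and the earlier "load anchor from" fix, where a name used inside a sub-anchor is resolved relative to that sub-anchor unless it is an absolute path. The buffer size `ANCHOR_NAME_SIZE`, the function names and the separator handling are this example's assumptions.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Illustrative buffer size for this example; not pf's real constant. */
#define ANCHOR_NAME_SIZE 64

/*
 * Check a fixed-size anchor name buffer: leading '/' characters are
 * stripped, and any non-zero byte after the terminating NUL makes the
 * whole name invalid (otherwise such bytes would be silently ignored,
 * so a name could carry hidden garbage past the terminator).
 * Writes the cleaned name to out (at least bufsz bytes).
 * Returns 0 on success, -1 if unterminated or followed by non-zero bytes.
 */
int anchor_name_check(const char *buf, size_t bufsz, char *out)
{
    size_t len, i;

    for (len = 0; len < bufsz && buf[len] != '\0'; len++)
        ;
    if (len == bufsz)                  /* no terminator inside the buffer */
        return -1;
    for (i = len + 1; i < bufsz; i++)  /* bytes after the NUL must be zero */
        if (buf[i] != '\0')
            return -1;
    i = 0;
    while (buf[i] == '/')              /* strip initial slashes */
        i++;
    memcpy(out, buf + i, len - i + 1);
    return 0;
}

/*
 * Resolve the name in a "load anchor <name> from" statement that appears
 * inside the anchor cur. A name starting with '/' is absolute (the slashes
 * are stripped); anything else is placed under cur.
 * Returns 0, or -1 if the result does not fit in out.
 */
int anchor_resolve(const char *cur, const char *name, char *out, size_t outsz)
{
    int n;

    if (name[0] == '/') {
        while (*name == '/')
            name++;
        n = snprintf(out, outsz, "%s", name);
    } else if (cur[0] == '\0') {
        n = snprintf(out, outsz, "%s", name);
    } else {
        n = snprintf(out, outsz, "%s/%s", cur, name);
    }
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Convenience wrapper returning the resolved path, or NULL if it does not fit. */
const char *resolved(const char *cur, const char *name)
{
    static char path[ANCHOR_NAME_SIZE];

    return anchor_resolve(cur, name, path, sizeof path) == 0 ? path : NULL;
}

/* The trailing-garbage case needs a hand-built buffer: "foo", then a
 * stray 'x' two bytes past the terminator. Returns 1 if it is rejected. */
int trailing_garbage_rejected(void)
{
    char buf[ANCHOR_NAME_SIZE] = "foo";    /* rest zero-filled */
    char out[ANCHOR_NAME_SIZE];

    if (anchor_name_check(buf, sizeof buf, out) != 0 || strcmp(out, "foo") != 0)
        return 0;
    buf[5] = 'x';
    return anchor_name_check(buf, sizeof buf, out) == -1;
}

int main(void)
{
    char out[ANCHOR_NAME_SIZE];
    char buf[ANCHOR_NAME_SIZE] = "//foo";

    if (anchor_name_check(buf, sizeof buf, out) == 0)
        printf("'%s' -> '%s'\n", buf, out);
    printf("load anchor bar  from inside foo -> %s\n", resolved("foo", "bar"));
    printf("load anchor /bar from inside foo -> %s\n", resolved("foo", "/bar"));
    printf("trailing garbage rejected: %d\n", trailing_garbage_rejected());
    return 0;
}
```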
|
on v6 addresses.
Reported by Ilya A. Kovalenko, fix from Cedric Berger.
|
|
ktable being destroyed, which makes it unsafe in a SLIST_FOREACH.
Fix from Chris Pascoe
|
|
things such that code that only needs a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.
ok art@ niklas@ nordin@
|
|
table is destroyed in pfr_setflags_ktable.
Fix from Chris Pascoe
|
|
|
|
pool allocator, _nointr. testing/ok beck@ cedric@
|
|
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@
|
|
|
|
|
|
Also comment #endif properly while being here
ok mcbride@
|
|
user visible changes:
- you can add multiple routes with same key (route add A B then route add A C)
- you have to specify gateway address if there are multiple entries on the table
(route delete A B, instead of route delete A)
kernel change:
- radix_node_head has an extra entry
- rnh_deladdr takes extra argument
TODO:
- actually take advantage of multipath (rtalloc -> rtalloc_mpath)
|
|
larger kernel map
|
|
|
|
|
|
|
|
|
|
1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.
2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.
3) It is possible to write rules that apply to a group of interfaces
(drivers), like "pass in on ppp all"
4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.
5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.
6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"
7) Scrub rules now support the !if syntax.
8) States can be bound to the specific interface that created them or
to a group of interfaces for example:
- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)
9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.
10) "pfctl -ss" will now print the interface scope of the state.
This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)
Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel
ok deraadt@ mcbride@
|
|
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:
- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.
WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.
The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):
- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE
They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:
- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK
Ok dhartmei@ mcbride@
|
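Added example, not code from the commit above or from pf: a constructed model of the begin/commit/rollback transaction it describes, with inactive rulesets staged under a ticket and a commit that either swaps every ruleset in the vector or changes nothing. The struct names, the three toy rulesets, the ticket scheme and the sample rule text (the `kue0` interface from an earlier message in this log) are this example's assumptions; the real ioctl arguments are not modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NRULESETS 3    /* toy: 0 = filter, 1 = nat, 2 = rdr */
#define MAXRULES  4
#define RULELEN   48

struct ruleset { char rule[MAXRULES][RULELEN]; unsigned n; };
struct slot {
    struct ruleset active;    /* what the packet path consults */
    struct ruleset inactive;  /* staged by the loader, invisible until commit */
    uint32_t       ticket;    /* proves the caller owns the open transaction */
    int            open;
};
/* One element of the vector passed to begin/commit/rollback. */
struct tx_elem { unsigned idx; uint32_t ticket; };

static struct slot rs[NRULESETS];
static uint32_t next_ticket = 1;

/* Begin: open every ruleset in the vector, clear its inactive copy, hand out tickets. */
int tx_begin(struct tx_elem *v, unsigned n)
{
    unsigned i;
    for (i = 0; i < n; i++)
        if (v[i].idx >= NRULESETS)
            return -1;
    for (i = 0; i < n; i++) {
        struct slot *s = &rs[v[i].idx];
        memset(&s->inactive, 0, sizeof s->inactive);
        s->ticket = next_ticket++;
        s->open = 1;
        v[i].ticket = s->ticket;
    }
    return 0;
}

/* Stage one rule into the inactive set; the ticket must match the open transaction. */
int tx_add_rule(unsigned idx, uint32_t ticket, const char *text)
{
    struct slot *s;
    if (idx >= NRULESETS)
        return -1;
    s = &rs[idx];
    if (!s->open || s->ticket != ticket || s->inactive.n == MAXRULES)
        return -1;
    snprintf(s->inactive.rule[s->inactive.n++], RULELEN, "%s", text);
    return 0;
}

/* Every ticket in the vector must still be valid, or the whole request fails. */
static int tx_check(const struct tx_elem *v, unsigned n)
{
    unsigned i;
    for (i = 0; i < n; i++)
        if (v[i].idx >= NRULESETS || !rs[v[i].idx].open ||
            rs[v[i].idx].ticket != v[i].ticket)
            return -1;
    return 0;
}

/* Commit: validate everything first, then swap all rulesets in one step. */
int tx_commit(const struct tx_elem *v, unsigned n)
{
    unsigned i;
    if (tx_check(v, n) < 0)
        return -1;
    for (i = 0; i < n; i++) {
        struct slot *s = &rs[v[i].idx];
        s->active = s->inactive;
        memset(&s->inactive, 0, sizeof s->inactive);
        s->open = 0;
    }
    return 0;
}

/* Rollback: discard the staged rules; the active sets are never touched. */
int tx_rollback(const struct tx_elem *v, unsigned n)
{
    unsigned i;
    if (tx_check(v, n) < 0)
        return -1;
    for (i = 0; i < n; i++) {
        memset(&rs[v[i].idx].inactive, 0, sizeof rs[v[i].idx].inactive);
        rs[v[i].idx].open = 0;
    }
    return 0;
}

unsigned active_count(unsigned idx) { return idx < NRULESETS ? rs[idx].active.n : 0; }

/* A load touching the filter and nat rulesets, as one "pfctl -f" would. */
static struct tx_elem demo_tx[2] = { { 0, 0 }, { 1, 0 } };

int main(void)
{
    tx_begin(demo_tx, 2);
    tx_add_rule(0, demo_tx[0].ticket, "pass in on kue0");
    tx_add_rule(1, demo_tx[1].ticket, "nat on kue0 -> 192.0.2.1");
    printf("before commit: %u filter, %u nat rules active\n", active_count(0), active_count(1));
    tx_commit(demo_tx, 2);
    printf("after commit:  %u filter, %u nat rules active\n", active_count(0), active_count(1));
    return 0;
}
```

The point of checking every ticket before touching any ruleset is the atomicity the commit message claims: a loader that fails halfway, or whose tickets were invalidated by another loader, leaves the active rulesets exactly as they were.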
|
|
|
redirection rules...
The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.
This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.
Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"
ok henning@ mcbride@
|
|
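Added example, not code from the commit above or from pf: a constructed expansion of a table with CIDR blocks and negated entries into an address pool, followed by round-robin selection, using the table from the message itself ({ 10.0.0.0/29 !10.0.0.0 !10.0.0.7 }, six usable addresses) and the mixed form "{ 1.1.1.1 <bar> }". The struct layout, the toy pool size and the ordering of plain addresses before table contents in the mixed case are this example's assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ADDRS 64   /* toy pool size */

/* One table line: "!" entries carry neg = 1 and exclude their whole block. */
struct tbl_entry { const char *addr; unsigned bits; int neg; };
struct pool { uint32_t addr[MAX_ADDRS]; unsigned n, rr; };

/* Dotted quad to host-order integer; -1 on malformed input. */
static int parse_ip(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;

    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 0;
}

static uint32_t prefix_mask(unsigned bits)
{
    return bits == 0 ? 0 : 0xffffffffu << (32 - bits);
}

/*
 * Expand the table into an ordered address pool: every address of each
 * positive block that is not covered by any negated block. Returns the
 * pool size, or -1 on a bad entry or a pool too large for this toy.
 */
int pool_build(struct pool *p, const struct tbl_entry *e, unsigned n)
{
    uint32_t net[MAX_ADDRS];
    unsigned i, j;
    uint64_t k, size;

    if (n > MAX_ADDRS)
        return -1;
    for (i = 0; i < n; i++)
        if (e[i].bits > 32 || parse_ip(e[i].addr, &net[i]) < 0)
            return -1;
    p->n = p->rr = 0;
    for (i = 0; i < n; i++) {
        if (e[i].neg)
            continue;
        size = 1ULL << (32 - e[i].bits);
        for (k = 0; k < size; k++) {
            uint32_t a = (net[i] & prefix_mask(e[i].bits)) + (uint32_t)k;
            int excluded = 0;

            for (j = 0; j < n; j++)
                if (e[j].neg &&
                    (a & prefix_mask(e[j].bits)) == (net[j] & prefix_mask(e[j].bits)))
                    excluded = 1;
            if (excluded)
                continue;
            if (p->n == MAX_ADDRS)
                return -1;
            p->addr[p->n++] = a;
        }
    }
    return (int)p->n;
}

/* Round-robin selection, as a nat/rdr pool would do for each new connection. */
uint32_t pool_next(struct pool *p)
{
    uint32_t a;

    if (p->n == 0)
        return 0;
    a = p->addr[p->rr];
    p->rr = (p->rr + 1) % p->n;
    return a;
}

/* The table from the commit message: a /29 minus its first and last address. */
static const struct tbl_entry bar[] = {
    { "10.0.0.0", 29, 0 }, { "10.0.0.0", 32, 1 }, { "10.0.0.7", 32, 1 },
};
/* The mixed form "-> { 1.1.1.1 <bar> }", plain address first (assumed order). */
static const struct tbl_entry mixed[] = {
    { "1.1.1.1", 32, 0 }, { "10.0.0.0", 29, 0 }, { "10.0.0.0", 32, 1 }, { "10.0.0.7", 32, 1 },
};
static struct pool P;

int build_bar(void)   { return pool_build(&P, bar, 3); }
int build_mixed(void) { return pool_build(&P, mixed, 4); }

int main(void)
{
    int i, n = build_bar();

    printf("%d addresses in <bar>\n", n);
    for (i = 0; i < n + 1; i++) {    /* one extra to show the wrap-around */
        uint32_t a = pool_next(&P);
        printf("%u.%u.%u.%u\n", a >> 24, (a >> 16) & 255, (a >> 8) & 255, a & 255);
    }
    return 0;
}
```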
Make table tickets u_int32_t for consistency with other parts of PF.
Ok dhartmei@ henning@
|
|
|
|
|
|
The following two pfctl functions work with an "-a" option:
- pfctl [-a foo[:bar]] -sT
- pfctl [-a foo[:bar]] -FT
ok dhartmei@
|
|
|
|
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@
|
|
Prepare for anchors, improve robustness.
WARNING: need to sync kernel/userland.
ok dhartmei@
|
|
|
|
- Fix two problems with pfr_update_stats().
Filtering was done properly, only stats were wrong.
People should upgrade their kernel if:
- They use bidirectional rules (without "in" or "out") with tables.
- They use tables in negated statements, like "block from !<foo>"
Thanks to David Krause for discovering the problem.
Ok dhartmei@ henning@
|
|
a match. Before that patch, an IP packet with source or dest address of
0.0.0.0 could corrupt the kernel. People filtering DHCP packets on their
firewall using tables should upgrade their kernel now.
Thanks to Chris Cappuccio for the good bug report.
Ok dhartmei@ henning@
|
|
tested on i386 by me and Daniel on macppc.
ok dhartmei@ henning@
|
|
ok dhartmei@ henning@ pb@
|
|
ok dhartmei@ henning@
|
|
ok dhartmei@ henning@
|
|
ok cedric, jason, theo
|
|
table <foo> { 1.2.3.4 1.2.3.4 1.2.3.4 }
Was causing the kernel to become noisy.
Now duplicates are silently rejected.
|
|
referenced or inactive set. Flags were not updated correctly.
Tested on i386, sparc64. More regression tests coming.
|
|
Makes code more readable.
|
|
Removes "_" from pool names.
Regression tests for memory allocation coming soon....
|
|
- Reject invalid CIDR networks (1.2.3.4/16 & friends).
- Only allow values 0 or 1 for the "neg" flag.
- Require all unused data to be set to 0 in pfr_addr and pfr_table.
- Always check the return value of pfr_route_entry().
- Remove redundant kernel messages.
Tested on i386, sparc64. Passes my (uncommitted) regression tests.
|
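Added example, not code from these commits or from pf, covering two of the table-entry checks in this log: the validation rules just above (reject CIDR networks with host bits set such as 1.2.3.4/16, allow only 0 or 1 for the "neg" flag, require unused bytes to be zero) and the earlier change that makes duplicate entries such as `table <foo> { 1.2.3.4 1.2.3.4 1.2.3.4 }` be dropped silently instead of producing kernel noise. The `addr_entry` layout is a constructed stand-in, not pf's struct pfr_addr; keying duplicates on address and prefix only is this example's assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 16   /* toy table size */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/*
 * Constructed stand-in for the record userland hands to the kernel; it is
 * not pf's struct pfr_addr. Bytes the kernel does not interpret must be
 * zero, so a later version can give them a meaning without old binaries
 * having passed garbage in them all along.
 */
struct addr_entry {
    uint32_t addr;     /* IPv4 address, host order */
    uint8_t  net;      /* prefix length */
    uint8_t  neg;      /* 0 or 1 */
    uint8_t  pad[2];   /* reserved, must be zero */
};
struct table { struct addr_entry e[MAX_ENTRIES]; unsigned n; };

/* Returns 0 if the entry is acceptable, -1 (think EINVAL) otherwise. */
int entry_validate(const struct addr_entry *a)
{
    uint32_t hostbits;

    if (a->net > 32)
        return -1;
    /* 1.2.3.4/16 is not a network: every host bit must be clear */
    hostbits = a->net == 32 ? 0 : 0xffffffffu >> a->net;
    if (a->addr & hostbits)
        return -1;
    if (a->neg > 1)
        return -1;
    if (a->pad[0] != 0 || a->pad[1] != 0)
        return -1;
    return 0;
}

/*
 * Add an entry: -1 if invalid, 0 if the same address/prefix is already in
 * the table (dropped silently, no kernel message), 1 if added.
 */
int table_add(struct table *t, const struct addr_entry *a)
{
    unsigned i;

    if (entry_validate(a) < 0)
        return -1;
    for (i = 0; i < t->n; i++)
        if (t->e[i].addr == a->addr && t->e[i].net == a->net)
            return 0;
    if (t->n == MAX_ENTRIES)
        return -1;
    t->e[t->n++] = *a;
    return 1;
}

/* Build a zero-filled entry from plain values and add it. */
int table_add_v4(struct table *t, uint32_t addr, unsigned net, unsigned neg)
{
    struct addr_entry a;

    if (net > 255 || neg > 255)
        return -1;
    memset(&a, 0, sizeof a);
    a.addr = addr;
    a.net = (uint8_t)net;
    a.neg = (uint8_t)neg;
    return table_add(t, &a);
}

/* An otherwise valid entry with a stray byte in the reserved area; 1 if rejected. */
int stray_padding_rejected(void)
{
    struct addr_entry a;

    memset(&a, 0, sizeof a);
    a.addr = IP4(192, 0, 2, 0);   /* 192.0.2.0/24, a documentation prefix */
    a.net = 24;
    a.pad[1] = 1;
    return entry_validate(&a) == -1;
}

static struct table T;
int reset_table(void) { memset(&T, 0, sizeof T); return 0; }
unsigned table_size(void) { return T.n; }

int main(void)
{
    printf("1.2.3.4/16: %d (host bits set)\n", table_add_v4(&T, IP4(1, 2, 3, 4), 16, 0));
    printf("1.2.0.0/16: %d\n", table_add_v4(&T, IP4(1, 2, 0, 0), 16, 0));
    printf("1.2.0.0/16 again: %d (duplicate, silent)\n", table_add_v4(&T, IP4(1, 2, 0, 0), 16, 0));
    printf("neg=2: %d, stray padding rejected: %d\n",
           table_add_v4(&T, IP4(1, 2, 3, 4), 32, 2), stray_padding_rejected());
    return 0;
}
```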
|
the "negated" attribute of an address. The previous behaviour was incorrect
in both cases (too strict for the add command and too permissive for the
delete command).
ok dhartmei@
|