Age | Commit message (Collapse) | Author |
|
Reshuffle the code around a bit and greatly improve error handling
fixing a few bugs along the way.
Problem reported by and fix was written with Alexandr Nedvedicky.
OK henning
|
|
there instead of pf_ioctl.c.
ok henning@
|
|
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.
Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesn't like it he can change it when he recovers from jet-lag"
(this file missed from previous commit, noticed by daniel@)
|
|
is a debug tool change of semantics not considered problematic.
up until now, log(matches) forced logging on subsequent matching rules,
the actual logging used the log settings from that matched rule.
now, log(matches) causes subsequent matches to be logged with the log settings
from the log(matches) rule. in particular (this was the driving point),
log(matches, to pflog23) allows you to have the trace log going to a separate
pflog interface, not clobbering your regular pflogs, actually not affecting
them at all.
long conversation with bluhm about it, which didn't lead to a single bit
changed in the diff but was very very helpful. ok bluhm as well.
|
|
no real compat issue since we're using spare bytes.
old -> new ends up with set prio (0, 0) equivalent
new -> old is entirely harmless, old ignores the prios.
requested by Alexey Suslikov <alexey.suslikov at gmail>
ok phessler pelikan dlg
|
|
i. e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan
|
|
fixes some compiler warnings, tested by amd64 base build
ok beck
|
|
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy
|
|
with sys limits in scope, so use PATH_MAX instead.
ok millert guenther
|
|
|
|
This finally allows to use source-hash for dynamic loadbalancing, eg.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.
An older pre-siphash version of this diff was tested by many people.
OK tedu@ benno@
|
|
|
|
function pflog_bpfcopy() is setting up a packet description with
pf_setup_pdesc(). When pf_setup_pdesc() is dropping a bad packet,
it increments the pf status counters. This way bad packets
could be accounted multiple times. Now pflog_bpfcopy() passes a
reason pointer NULL to indicate that no accounting should be done.
From Florian Riehm; OK henning@
|
|
anchors for "once" rules: "In case this is the only rule in the
anchor, the anchor will be destroyed automatically after the rule
is matched." Employ an additional pointer pair to keep track of
the parent ruleset containing the anchor that we want to remove.
OK henning
|
|
|
|
From Alexandr Nedvedicky <alexandr ! nedvedicky at oracle ! com>. Thanks!
|
|
ok pelikan@, henning@
|
|
while there, get rid of the altq ioctls and associated now obsolete code
|
|
pfi_kif_get annotates the kif with a flag indicating it is the "any" match
pfi_kif_match obeys that flag
ok benno
|
|
|
|
ok henning, "looks fine" mikeb, input from guenther.
|
|
ok henning
|
|
ok florian
|
|
ok deraadt
|
|
uses hfsc behind the scenes; altq stays in parallel for a migration phase.
if.h even more messy for the transition, but eventually it should become
readable...
looked over & tested by many, ok phessler sthen
|
|
behaves like before and creates the mapping if needed. if 0, lookup only.
looked over by many, ok phessler sthen
|
|
Start the expire counter when the queue is created by the first
fragment and drop it if the packet could not be reassembled within
60 seconds.
Reported by Antonios Atlasis; OK henning@ deraadt@
|
|
While here, fix pf table displays to fit within 80 chars.
Manpage input jmc@
ok henning@ reyk@
|
|
change for pf, but that's fine at this time. You'll need to rebuild
pf userland after updating your kernel.
change to 'since' member ok henning@
rest ok henning@ deraadt@
|
|
an ABI change involved.
|
|
type**, so no ABI change.
ok henning@ deraadt@
** ...yet
|
|
under some circumstances repair broken checksums on the way.
ok ryan naddy mikeb
.
redo most of the protocol (tcp/udp/...) checksum handling
-assume we have hardware checksum offloading. stop mucking with the
checksum in most of the stack
-stop checksum mucking in pf, just set a "needs checksumming" flag if needed
-in all output paths, very late, if we figure out the outbound interface
doesn't have hw cksum offloading, do the cksum in software. this especially
makes the bridge path behave like a regular output path
-little special casing for bridge still required until the broadcast path
loses its disgusting shortcut hacks, but at least it's in one place now
and not all over the stack
in6_proto_cksum_out mostly written by krw@
started at k2k11 in iceland more than 1.5 years ago - yes it took that
long, this stuff is everything but easy.
this happens to fix the infamous pf rdr bug that made us turn off proto
cksum offloading on almost all interface drivers.
|
|
it up in pf_setup_pdesc(). ok ryan benno mikeb bluhm
|
|
uses it. that is so incredibly wrong...
sorry for the breakage, folks. found by tedu, SMSing me out of my breakfast
bob
|
|
we stepped into a child anchor.
simplify the logic, get rid of the match flag in the anchor stack, just
use the match variable we already had (and used in a boolean style) to track
the nest level we had a match at. when a child anchor had a match we also
have a match in the current anchor, so update the match level accordingly,
and thus correctly honour the quick flag.
reported by, along with the right idea on how to fix this, by Sean Gallagher
\sean at teletech.com.au/, who also helped testing the fix. ok ryan & benno
|
|
these days, so:
-move the prototypes from pfvar.h to pf.c
-remove the now useless null point checks for *match, it is always provided
ok ryan
|
|
key we need to sync our state key pointers with whatever values
the function will pick. Not doing so will produce wrong results
if address translation must be applied afterwards and we happen
to have a state key collision. Then pf_translate will follow an
old pointer and punch in garbage addresses into the packet.
Noticed, initial patch and tests by Vitaly Sinilin <vs @ kp4 ! ru>
ok tedu, henning
|
|
Report that this is needed for some netflow collector and tests by
Chris Ivancic & Colin Ligertwood.
OK mikeb@, benno@
|
|
when address translation fails due to no free ports in the configured range.
ok mikeb@
|
|
ok claudio
|
|
ok henning@, zinke@, mikeb@
|
|
|
|
-assume we have hardware checksum offloading. stop mucking with the
checksum in most of the stack
-stop checksum mucking in pf, just set a "needs checksumming" flag if needed
-in all output paths, very late, if we figure out the outbound interface
doesn't have hw cksum offloading, do the cksum in software. this especially
makes the bridge path behave like a regular output path
-little special casing for bridge still required until the broadcast path
loses its disgusting shortcut hacks, but at least it's in one place now
and not all over the stack
in6_proto_cksum_out mostly written by krw@
started at k2k11 in iceland more than 1.5 years ago - yes it took that
long, this stuff is everything but easy.
this happens to fix the infamous pf rdr bug that made us turn off proto
cksum offloading on almost all interface drivers.
ok camield sthen claudio, testing by many, thanks!
|
|
runtime while time_uptime is monotonic. Prevent underflows in
pfsync(4) and pflow(4) by using signed variables. pfsync(4) problem
pointed out by camield.
Diff originally by dlg, frag and pflow bits by me.
feedback dlg
man page tweak jmc
Various versions of the pflow bits tested by Hrvoje Popovski
(hrvoje AT srce DOT hr), thanks!
ok benno, henning, dlg
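The underflow this commit guards against is easy to reproduce in isolation. The block below is an added illustration written for this page, not OpenBSD code: it models an "entry created at time X, expires after N seconds" check (a stand-in for the pfsync/pflow bookkeeping the message refers to) once with unsigned and once with signed arithmetic, and feeds both a wall clock that has been stepped backwards by ten seconds, as time_second can be at runtime. The timestamps, the 60-second timeout and the function names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of an expiry check. `created` is the timestamp stored
 * when the entry was made, `now` the current wall clock, both in seconds.
 * If the wall clock (time_second) is stepped backwards, `now` can be smaller
 * than `created`; a monotonic clock (time_uptime) could never produce that.
 */

/* Unsigned: now - created wraps to a huge value when now < created. */
uint32_t age_unsigned(uint32_t created, uint32_t now)
{
	return now - created;
}

/* Signed: the same step backwards gives a negative age, which we clamp
 * to zero rather than treating the entry as ancient. */
int32_t age_signed(int32_t created, int32_t now)
{
	int32_t age = now - created;
	return age < 0 ? 0 : age;
}

/* With unsigned math a backwards clock step expires the entry at once. */
int expired_unsigned(uint32_t created, uint32_t now, uint32_t timeout)
{
	return age_unsigned(created, now) >= timeout;
}

/* With signed math the entry simply looks brand new again. */
int expired_signed(int32_t created, int32_t now, int32_t timeout)
{
	return age_signed(created, now) >= timeout;
}

int main(void)
{
	/* Entry created at t=1000, clock then stepped back to t=990. */
	uint32_t created = 1000, now = 990, timeout = 60;

	printf("unsigned age: %u  expired: %d\n",
	    age_unsigned(created, now),
	    expired_unsigned(created, now, timeout));
	printf("signed   age: %d  expired: %d\n",
	    age_signed((int32_t)created, (int32_t)now),
	    expired_signed((int32_t)created, (int32_t)now, (int32_t)timeout));
	return 0;
}
```

The unsigned variant reports an age of about 4.29e9 seconds and expires the entry immediately; the signed variant reports 0 and keeps it. Clamping is only a mitigation for code that must keep using wall-clock stamps; the cleaner fix where possible is what the message also names, basing the arithmetic on time_uptime so the subtraction can never go negative in the first place.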
|
|
include sys/mbuf.h in net/pfvar.h.
Flagged by and ok guenther@
|
|
|
|
when dealing with lots of IP fragments.
This sets the default to 25% of the mbuf cluster maximum (hint
from beck). And the example in the manpage is sane now.
ok mikeb henning beck deraadt
|
|
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb
|
|
to the 16 bit flags; reminded by claudio, ok henning
|
|
:dlg: the xxx can go
...and this time commit to the real repo and not the one on my laptop
|