path: root/sys/net/pfvar.h
Age         Commit message  (Author)
2015-06-05  Improve error handling and recovery during state insertion  (Mike Belopuhov)
    Reshuffle the code around a bit and greatly improve error handling fixing a few bugs along the way. Problem reported by and fix was written with Alexandr Nedvedicky. OK henning
2015-04-11  the hfsc pools are only used in hfsc.c, so move the init of them  (David Gwynne)
    there instead of pf_ioctl.c. ok henning@
2015-02-15  Rather than using 0xff as a placeholder for "don't check prio", use 0xff to  (Stuart Henderson)
    mean "prio is 0". This avoids the need for code changes in programs which add pf rules (as was done in pfctl but not other programs) to handle the new "check prio" functionality. Specifically this unbreaks ftp-proxy. Use of #define rather than magic 0xff suggested by benno. ok benno "if henning doesn't like it he can change it when he recovers from jet-lag" (this file missed from previous commit, noticed by daniel@)
2015-02-12  change log(matches) semantics slightly to make it more useful. since it  (Henning Brauer)
    is a debug tool change of semantics not considered problematic. up until now, log(matches) forced logging on subsequent matching rules, the actual logging used the log settings from that matched rule. now, log(matches) causes subsequent matches to be logged with the log settings from the log(matches) rule. in particular (this was the driving point), log(matches, to pflog23) allows you to have the trace log going to a separate pflog interface, not clobbering your regular pflogs, actually not affecting them at all. long conversation with bluhm about it, which didn't lead to a single bit changed in the diff but was very very helpful. ok bluhm as well.
2015-02-10  include the "set prio" values.  (Henning Brauer)
    no real compat issue since we're using spare bytes. old -> new ends up with set prio (0, 0) equivalent new -> old is entirely harmless, old ignores the prios. requested by Alexey Suslikov <alexey.suslikov at gmail> ok phessler pelikan dlg
2015-02-10  since we inherit prio (as in, the queuing priority) from outside sources,  (Henning Brauer)
    i. e. on vlan interfaces, it is useful to be able to match on it - effectively matching on classification done elsewhere. i thought i had long implemented that, but chrisz@ asking for it made me notice that wasn't the case. tests by chrisz, ok phessler pelikan
2015-02-07  make RB_PROTOTYPE usage ISO C compliant by removing useless semicolons  (Martin Pelikan)
    fixes some compiler warnings, tested by amd64 base build ok beck
2015-01-24  Userland (base & ports) was adapted to always include <netinet/in.h>  (Theo de Raadt)
    before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be cleaned up next. Some sockaddr_union steps make it into here as well. ok naddy
2015-01-15  Stop including <sys/param.h> and other stuff. Assume this will be included  (Theo de Raadt)
    with sys limits in scope, so use PATH_MAX instead. ok millert guenther
2014-12-23  unifdef some more INET. v4 4life.  (Ted Unangst)
2014-12-19  Support source-hash and random with tables and dynifs; not just pools.  (Reyk Floeter)
    This finally allows to use source-hash for dynamic loadbalancing, eg. "rdr-to <hosts> source-hash", instead of just round-robin and least-states. An older pre-siphash version of this diff was tested by many people. OK tedu@ benno@
2014-12-19  add messages to #error so we know what's what (and so unifdef doesn't poop)  (Ted Unangst)
2014-09-08  When logging a packet to a listener on the pflog0 interface, the  (Alexander Bluhm)
    function pflog_bpfcopy() is setting up a packet description with pf_setup_pdesc(). When pf_setup_pdesc() is dropping a bad packet, it increments the pf status counters. This way bad packets could be accounted multiple times. Now pflog_bpfcopy() passes a reason pointer NULL to indicate that no accounting should be done. From Florian Riehm; OK henning@
2014-08-12  Finally implement what's stated in the man page regarding parent  (Mike Belopuhov)
    anchors for "once" rules: "In case this is the only rule in the anchor, the anchor will be destroyed automatically after the rule is matched." Employ an additional pointer pair to keep track of the parent ruleset containing the anchor that we want to remove. OK henning
2014-07-02  better indentation  (Mike Belopuhov)
2014-06-25  pf_translate doesn't use the mbuf argument anymore.  (Mike Belopuhov)
    From Alexandr Nedvedicky <alexandr ! nedvedicky at oracle ! com>. Thanks!
2014-04-22  Remove some altq tentacles.  (Martin Pieuchot)
    ok pelikan@, henning@
2014-04-19  shrink pf by 445 lines.  (Henning Brauer)
    while there, get rid of the altq ioctls and associated now obsolete code
2014-01-21  introduce a way to match "any" interface, excluding loopback ones.  (Henning Brauer)
    pfi_kif_get annotates the kif with a flag indicating it is the "any" match pfi_kif_match obeys that flag ok benno
2014-01-20  support negated matches on the rcvif, ok dlg benno  (Henning Brauer)
2014-01-03  Switch frequently allocated structs from malloc(M_DEVBUF) to separate pools.  (pelikan)
    ok henning, "looks fine" mikeb, input from guenther.
2014-01-03  Make queues disappear correctly on interfaces being destroyed.  (pelikan)
    ok henning
2013-12-22  change pf_osfp_entry strings to unsigned, to help userland  (Theo de Raadt)
    ok florian
2013-11-19  provide forward declarations for structures ifnet and ifg_group;  (Mike Belopuhov)
    ok deraadt
2013-10-12  new bandwidth shaping subsystem, kernel side  (Henning Brauer)
    uses hfsc behind the scenes; altq stays in parallel for a migration phase. if.h even more messy for the transition, but eventually it should become readable... looked over & tested by many, ok phessler sthen
2013-10-12  give tagname2tag and its siblings an extra "create" parameter. if 1, it  (Henning Brauer)
    behaves like before and creates the mapping if needed. if 0, lookup only. looked over by many, ok phessler sthen
2013-07-23  Do not reset the fragment timeout each time a fragment arrives.  (Alexander Bluhm)
    Start the expire counter when the queue is created by the first fragment and drop it if the packet could not be reassembled within 60 seconds. Reported by Antonios Atlasis; OK henning@ deraadt@
2013-07-05  Collect and display 'match' counters for pf tables.  (Bret Lambert)
    While here, fix pf table displays to fit within 80 chars. Manpage input jmc@ ok henning@ reyk@
2013-07-04  Re-commit: use time_t for storing time_t values. This is an ABI  (Philip Guenther)
    change for pf, but that's fine at this time. You'll need to rebuild pf userland after updating your kernel. change to 'since' member ok henning@ rest ok henning@ deraadt@
2013-07-02  Revert previous: sizeof(time_t) != sizeof(long) on LP64, so there was  (Philip Guenther)
    an ABI change involved.
2013-07-02  Use time_t for storing time_t values. No change to the underlying  (Philip Guenther)
    type**, so no ABI change. ok henning@ deraadt@ ** ...yet
2013-06-26  put the cksum diff back, of course with the bug fixed where we could  (Henning Brauer)
    under some circumstances repair broken checksums on the way. ok ryan naddy mikeb .
    redo most of the protocol (tcp/udp/...) checksum handling
    -assume we have hardware checksum offloading. stop mucking with the checksum in most of the stack
    -stop checksum mucking in pf, just set a "needs checksumming" flag if needed
    -in all output paths, very late, if we figure out the outbound interface doesn't have hw cksum offloading, do the cksum in software. this especially makes the bridge path behave like a regular output path
    -little special casing for bridge still required until the broadcast path loses its disgusting shortcut hacks, but at least it's in one place now and not all over the stack
    in6_proto_cksum_out mostly written by krw@ started at k2k11 in iceland more than 1.5 years ago - yes it took that long, this stuff is everything but easy. this happens to fix the infamous pf rdr bug that made us turn off proto cksum offloading on almost all interface drivers.
2013-06-04  add a pointer to the protocol checksum header field to pf_pdesc and set  (Henning Brauer)
    it up in pf_setup_pdesc(). ok ryan benno mikeb bluhm
2013-06-03  put back the match member to the anchor stack struct - userland (pfctl)  (Henning Brauer)
    uses it. that is so incredibly wrong... sorry for the breakage, folks. found by tedu, SMSing me out of my breakfast bob
2013-06-03  fix anchor quick with nested anchors. we lost the quick flag as soon as  (Henning Brauer)
    we stepped into a child anchor. simplify the logic, get rid of the match flag in the anchor stack, just use the match variable we already had (and used in a boolean style) to track the nest level we had a match at. when a child anchor had a match we also have a match in the current anchor, so update the match level accordingly, and thus correctly honour the quick flag. reported by, along with the right idea on how to fix this, by Sean Gallagher \sean at teletech.com.au/, who also helped testing the fix. ok ryan & benno
2013-06-01  pf_step_{into,out_of}_anchor() are only ever called from pf_test_rule()  (Henning Brauer)
    these days, so:
    -move the prototypes from pfvar.h to pf.c
    -remove the now useless null point checks for *match, it is always provided
    ok ryan
2013-05-10  Since pf_state_key_attach can decide to free the provided state  (Mike Belopuhov)
    key we need to sync our state key pointers with whatever values the function will pick. Not doing so will produce wrong results if address translation must be applied afterwards and we happen to have a state key collision. Then pf_translate will follow an old pointer and punch in garbage addresses into the packet. Noticed, initial patch and tests by Vitaly Sinilin <vs @ kp4 ! ru> ok tedu, henning
2013-05-03  Export ingress/egress interface index in pflow(4).  (Florian Obser)
    Report that this is needed for some netflow collector and tests by Chris Ivancic & Colin Ligertwood. OK mikeb@, benno@
2013-03-11  Add a separate "translation" counter and use this rather than "memory"  (Stuart Henderson)
    when address translation fails due to no free ports in the configured range. ok mikeb@
2013-01-17  first or second coming, commie or not commie, one m in coming is sufficient  (Henning Brauer)
    ok claudio
2012-12-29  pass pf_pool directly to pfr_pool_get(); simplifies the API;  (Markus Friedl)
    ok henning@, zinke@, mikeb@
2012-11-06  backout csum diff for the moment, requested by theo  (Henning Brauer)
2012-11-01  redo most of the protocol (tcp/udp/...) checksum handling  (Henning Brauer)
    -assume we have hardware checksum offloading. stop mucking with the checksum in most of the stack
    -stop checksum mucking in pf, just set a "needs checksumming" flag if needed
    -in all output paths, very late, if we figure out the outbound interface doesn't have hw cksum offloading, do the cksum in software. this especially makes the bridge path behave like a regular output path
    -little special casing for bridge still required until the broadcast path loses its disgusting shortcut hacks, but at least it's in one place now and not all over the stack
    in6_proto_cksum_out mostly written by krw@ started at k2k11 in iceland more than 1.5 years ago - yes it took that long, this stuff is everything but easy. this happens to fix the infamous pf rdr bug that made us turn off proto cksum offloading on almost all interface drivers. ok camield sthen claudio, testing by many, thanks!
2012-10-30  Use time_uptime for expiration values as time_second can be skewed at  (Florian Obser)
    runtime while time_uptime is monotonic. Prevent underflows in pfsync(4) and pflow(4) by using signed variables. pfsync(4) problem pointed out by camield. Diff originally by dlg, frag and pflow bits by me. feedback dlg man page tweak jmc Various versions of the pflow bits tested by Hrvoje Popovski (hrvoje AT srce DOT hr), thanks! ok benno, henning, dlg
2012-10-08  Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to  (Camiel Dobbelaar)
    include sys/mbuf.h in net/pfvar.h. Flagged by and ok guenther@
2012-10-05  include sys/mbuf.h  (Camiel Dobbelaar)
2012-09-20  Lower pf frags limit to not risk running out of mbuf clusters  (Camiel Dobbelaar)
    when dealing with lots of IP fragments. This sets the default to 25% of the mbuf cluster maximum (hint from beck). And the example in the manpage is sane now. ok mikeb henning beck deraadt
2012-09-18  prio 0 is valid, therefore, I chose an "impossible" value for prio meaning  (Henning Brauer)
    "not set" and used a PF_PRIO_NOTSET define for it. now that means that everything that creates a struct pf_rule doesn't get away with bzero'ing it, which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead, make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio should be set. ok benno claudio mikeb
2012-07-26  rename all_state_flags to state_flags to finish the transition  (Mike Belopuhov)
    to the 16 bit flags; reminded by claudio, ok henning
2012-07-13  remove confuzzling comment  (Henning Brauer)
    :dlg: the xxx can go ...and this time commit to the real repo and not the one on my laptop