| Age | Commit message (Collapse) | Author |
|---|
|
copyin/out. Change the API so that the state is included in the ioctl
argument, so the ioctl wrappers take care of copying memory as appropriate.
Also change the DIOCGETSTATE API to be more useful. Instead of getting
an arbitrarily "numbered" state (using numbering that can change between
calls), instead search based on id and creatorid. If you want to monitor
only a particular state, you can now use the bulk functions first to find
the appropriate id/creatorid and then fetch it directly from then on.
ok dlg@ henning@
|
|
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.
OK henning@, markus@
|
|
ok henning@
|
|
there is a 1:1 mapping between direction and the tree the states get
attached to. there is no need to have anything outside the state insertion/
deletion/lookup routinbes know about these internals. so just pass the
direction to the lookup functions and let them pick the right tree.
ok dhartmei markus
|
|
criteria. ok mcbride@
|
|
|
|
keys that can map to multiple states (last not least for ifbound) we don't
need state tables hanging off each struct kif representing an interface
any more. use two globals for the two tables. ok markus ryan
|
|
unused ifname (this information is in struct pf_state_sync now).
Also a bit of KNF on the pf_state struct.
ok mpf@ henning@
|
|
previously, we had a set of state tables attached to each interface. so for
every packet we had to do a lookup in the tables for the interface, and
afterwards in the global tables.
since we split state keys and states now, use only the global tables, and
put the actual states in a tail queue attached to the state key. sort the
list so that ifbound states come before global ones. on lookup, we only
have to compare the interface pointer on the actual states and use the
first one where either the interface matches or the state is not interface
bound. thus, if you don't actually use ifbound states, and there is only
one state per state key, the overhead is close to zero, where we had extra
lookups before. in addition to a much cleaner design (that'll allow for more
goodies later) this gives us ~12.5% more forwarding performance.
mostly hacked at c2k7, lots of help, testing and ok mcbride & markus
|
|
since we include the mbuf header parts for pf unconditionally, we should
be able to check them unconditionally as well. ok mcbride markus
|
|
with a state entry into a new pf_alloc_state_key() function and use it
everywhere. makes upcoming changes way easier and is cleaner anyway.
conceptually agreed by ryan, but he's on the road now ;(
|
|
I am a retard for not testing properly and owe people beers tonight.
|
|
ok henning@
|
|
- Split pf_state into pf_state (used for tracking connection information),
and pf_state_key (used for searching the state table)
- Use pfsync_state in the ioctl for userland access to the state
table. This will sheild userland somewhat from future changes.
ok henning@ toby@ pyr@
|
|
boring details:
pf used to use an mbuf tag to keep track of route-to etc, altq, tags,
routing table IDs, packets redirected to localhost etc. so each and every
packet going through pf got an mbuf tag. mbuf tags use malloc'd memory,
and that is knda slow.
instead, stuff the information into the mbuf header directly.
bridging soekris with just "pass" as ruleset went from 29 MBit/s to
58 MBit/s with that (before ryan's randomness fix, now it is even betterer)
thanks to chris for the test setup!
ok ryan ryan ckuethe reyk
|
|
to 200,000 instead of the conservative 100,000; ok dhartmei beck
tested by ckuethe
|
|
this allows an atomic read and reset counters, instead of read, reset in a
later ioctl and lose everything in between.
use the previously unused of pr->action. When it is set to PF_GET_CLR_CNTR,
the ioctl requires write permissions and counters are reset after they have
been copied out to userland.
obsoletes DIOCCLRRULECTRS, which only works for the main ruleset, but not
within anchors (yeah, that's how it all started)
ok dhartmei, mcbride and theo agree as well
|
|
reuses IPv4 signature file (assuming that TCP code is shared among IPv4/v6).
mcbride ok.
|
|
diff from Berk D. Demir <bdd@mindcast.org>
ok henning dhartmei
|
|
be imported into pfctl. This is a precursor to separating ruleset parsing
from loading in pfctl, and tons of good things will come from it.
2 minor changes aside from cut-n-paste and #define portability magic:
- instead of defining the global pf_main_ruleset, define pf_main_anchor
(which contains the pf_main_ruleset)
- allow pf_find_or_create_ruleset() to return the pf_main_ruleset if it's
passed an empty anchor name.
ok henning dhartmei
|
|
logs go. ok mcbride
|
|
ok henning@ dhartmei@ deraadt@
|
|
the anchor, terminate ruleset evaluation when stepping out of the anchor.
This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.
ok dhartmei@ henning@ deraadt@
|
|
matching that rule so that the forwarding code later can use the
alternate routing table fo lookups (not implemented yet).
the tagging is "sticky", every matching rule modifies, just like the
regular "tag". ok claudio hshoexer, hacked at r2k6
|
|
state limit and adaptive.end of 120% of the state limit.
Explicitly setting the adaptive timeouts will override the default,
and it can be disabled by setting both adaptive.start and adaptive.end to 0.
ok henning@
|
|
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.
bugfix feedback claudio@; ok claudio@ and dhartmei@
|
|
we're breaking pfsync compatibility this cycle anyways.
Requested by djm@, ok henning@, 'wheee!' deraadt@
|
|
Applies only to rules in the main ruleset (not anchors) if the ruleset
checksum matches. Necessary to fix the following for pfsync'd states:
- per-rule limits on number of states
- altq
- rule-based settings such as timeouts
More work to do re: nat rules, src-nodes, etc.
NOTE: This is modifies the pfsync header and version number.
Tools which process pfsync packets must be recompiled, and firewalls with
different versions will not sync.
ok mpf@ henning@ dhartmei@
|
|
in the data part for the data from the previously distinct tags.
look up the tag early and carry a pointer to it around.
makes the code easier and saves some tag lookups and thus helps performance,
as proven by tests run by Schberle Dniel <Schoeberle.Daniel@aamtech.hu>
Initially hacked up somewhere over the atlantic ocean in an A330
early testing reyk and moritz, "put it in" theo
|
|
- Introduces a rw_lock in pfioctl so that we can have concurrent readers
but only one process performing updates at a time;
- Separates state expiry into "unlink" and "free" parts; anyone can unlink
a state/src node from the RB trees at any time, but a state can only be
freed whilst the write lock is held;
- Converts state_updates into list state_list containing all states,
regardless of whether they are "linked" or "unlinked";
- Introduces a new PFTM_UNLINKED state that is used on the "unlinked" states
to signal that they can be freed;
- Converts pf_purge_expired_state to an "unlink" state routine, which only
unlinks the state from the RB trees. Freeing the state/src nodes is left
to the purge thread, which runs whilst holding a write lock, such that all
"next" references remain valid;
- Converts pfsync_bulk_update and DIOCGETSTATES to walk state_list rather
than the RB trees;
- Converts the purge thread to use the new state_list and perform a partial
purge every second, with the target rate a full state table walk every
PFTM_INTERVAL seconds.
seen by mcbride, henning, dhartmei pre-3.8, but too intrusive for then
|
|
to search for a particular entry in the RB trees are at the start of the
structure.
This permits us to place a much smaller structure on the stack in the
interrupt paths that match packets against state entries.
ok mcbride
|
|
"established" state. Requires recompiling pfctl, etc.
ok dhartmei@
|
|
"validating" it, pass the bits to be ignored down to the validating
function in its allowedflags argument. Saves a 1kB+ stack allocation.
ok henning@
|
|
it out of a timeout handler.
This means we will have process context, required when using the oldnointr
pool allocator.
Addresses pr4186, pr4273.
ok dhartmei@ henning@ tedu@
|
|
PF_MD5_DIGEST_LENGTH instead of including crypto/md5.h
ok markus@, henning@, mpf@
|
|
|
|
matches the counters on states now. also fix the counting on scrub rules
where we previously did not handle the byte counters at all.
extend pfctl -sl output to include the new seperate in/out counters
hacked on the ferry from Earls Cove to Saltery Bay
ok ryan
|
|
|
|
This is the basis for further pfsync improvements,
to ensure that pf rules are in sync with the master.
"get it in" mcbride@
|
|
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v is used. note: this changes the pflog header struct, rebuild all
dependancies. ok bob@, henning@.
|
|
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@
|
|
update the internal tables used for (ifgroup) notation
|
|
allocator and two pools, but PR_WAITOK when called from non-interrupt
context (ioctl). add configurable hard limits for tables and table
entries (set limit tables/table-entries), defaulting to 1000/100000.
ok aaron@, henning@, mcbride@, art@
|
|
pf's interface abstraction, just attahc a linked list of the dynaddrs to
the respective kifs. makes things way easier and will be needed for the next
step, ryan jajajaja
|
|
pass on mygroup ...
markus ok
|
|
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo
|
|
(not just to the initial packet). note: kernel/userland abi change
(rebuild pfctl). ok henning@
|
|
'memory' one, which helps debugging. Alters the kernel/userland ABI,
rebuild pfctl and tcpdump. ok henning@
|
|
and userland.
ok henning@ dhartmei@
|
|
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@
|
