| Age | Commit message (Collapse) | Author |
|---|
|
to search for a particular entry in the RB trees are at the start of the
structure.
This permits us to place a much smaller structure on the stack in the
interrupt paths that match packets against state entries.
ok mcbride
|
|
"established" state. Requires recompiling pfctl, etc.
ok dhartmei@
|
|
"validating" it, pass the bits to be ignored down to the validating
function in its allowedflags argument. Saves a 1kB+ stack allocation.
ok henning@
|
|
it out of a timeout handler.
This means we will have process context, required when using the oldnointr
pool allocator.
Addresses pr4186, pr4273.
ok dhartmei@ henning@ tedu@
|
|
PF_MD5_DIGEST_LENGTH instead of including crypto/md5.h
ok markus@, henning@, mpf@
|
|
|
|
matches the counters on states now. also fix the counting on scrub rules
where we previously did not handle the byte counters at all.
extend pfctl -sl output to include the new seperate in/out counters
hacked on the ferry from Earls Cove to Saltery Bay
ok ryan
|
|
|
|
This is the basis for further pfsync improvements,
to ensure that pf rules are in sync with the master.
"get it in" mcbride@
|
|
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v is used. note: this changes the pflog header struct, rebuild all
dependancies. ok bob@, henning@.
|
|
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@
|
|
update the internal tables used for (ifgroup) notation
|
|
allocator and two pools, but PR_WAITOK when called from non-interrupt
context (ioctl). add configurable hard limits for tables and table
entries (set limit tables/table-entries), defaulting to 1000/100000.
ok aaron@, henning@, mcbride@, art@
|
|
pf's interface abstraction, just attahc a linked list of the dynaddrs to
the respective kifs. makes things way easier and will be needed for the next
step, ryan jajajaja
|
|
pass on mygroup ...
markus ok
|
|
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo
|
|
(not just to the initial packet). note: kernel/userland abi change
(rebuild pfctl). ok henning@
|
|
'memory' one, which helps debugging. Alters the kernel/userland ABI,
rebuild pfctl and tcpdump. ok henning@
|
|
and userland.
ok henning@ dhartmei@
|
|
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@
|
|
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan
|
|
pfvar.h. builds kernel and userland.
|
|
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.
ok deraadt@ henning@ dhartmei@
|
|
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.
ok deraadt@ henning@ dhartmei@
|
|
the 3-way handshake. Allow limits on both total connections and connection
rate, put offenders in a table which can be used in the ruleset, and optionally
kill existing states. Rate tracking code from dhartmei@.
Adds a second pool for table entries using the default allocator, which
allows entries to be added at splsoftnet().
ok deraadt@ dhartmei@
|
|
- Add a new PFSTATE_STALE flag to uncompressed state updates sent as a result
of a stale state being detected, and prevent updates with this flag from
generating similar messages.
- For the specific case where the state->src in the recieved update is ok but
the state.dst is not, take the partial update, then "fail" to let the other
peers pick up the better data that we have. From Chris Pascoe.
ok dhartmei@
|
|
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok
|
|
daniel found it.
|
|
requested by deraadt
|
|
pfctl is assuming that the keyword == 0 in its parser! (see decl for "dir").
|
|
caveats: (to be addressed soon)
- "scrub in" should queue fragments back into ip6intrq again, but
somehow it does not happen - the packet is kept inside reass queue.
need investigation
- ip6_forwarding path is not tested
- does not use red-black tree. somehow red-black tree behaved badly
and was not robust. performance issue, the above one is more
important.
good things:
- "scrub out" is perfectly ok
- i think now we can inspect upper-layer protocol fields (tcp port)
even if ip6 packet is fragmented.
- reass queue will be cleaned up properly by timeout (60sec). we might
want to impose pool limit as well
|
|
ok cedric@ henning@
|
|
DIOCRINABEGIN, DIOCRINACOMMIT ioctls.
Use DIOCXBEGIN/DIOCXCOMMIT/DIOCXROLLBACK instead.
ok beck@ dhartmei@ henning@
|
|
keyword in C++. ok henning@, cedric@
|
|
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@
|
|
also fixup checksum when random-id modifies ip_id. This would previously
lead to incorrect checksums for packets modified by scrub random-id.
From Pyun YongHyeon. ok cedric@
|
|
sequence numbers by taking advantage of the maximum 1KHz clock as an upperbound
on the timestamp. Typically gains 10 to 18 bits of additional security against
blind data insertion attacks. More if the TS Echo wasn't optional :-(
Enabled with: scrub on !lo0 all reassemble tcp
ok dhartmei@. documentation help from jmc@
|
|
|
|
enabled when we're doing full frag reassembly and thus have full seq info
ok markus@
|
|
|
|
ok mcbride@ henning@
|
|
|
|
configured. This this allows pfsync+carp clusters to come up gracefully
without killing active connections. pfsync now prevents carp from
preempting to become master until the state table has sync'd.
ABI change, any application which use struct pf_state must be recompiled.
Reminded about this by Christian Gut. Thanks to beck@ cedric@ and dhartmei@
for testing and comments.
ok deraadt@
|
|
pfctl -i fxp0 -Fs). Also don't send out individual state deletions if we're
sending a clear message, move pfsync_clear_states() inside splnet, and fix
if_pfsync.h includes in pf.c and pf_ioctl.c.
ok cedric@ dhartmei@
|
|
Kernel/Userland Sync needed. ok dhartmei@ jmc@ markus@ mcbride@
|
|
make the semantics in line with the tag assignment, which simplifies
the id management in pf.
ok, henning@
|
|
|
|
|
|
source-tracking. Found by Pyun YongHyeon.
Also add support to pfctl to set the src-nodes pool limit.
"Luckily" some of the bugs cancel each other out; update kernel before
pfctl.
ok dhartmei@
|
|
1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.
2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.
3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"
4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.
5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.
6) The dynamic interface syntax (foo) has been vastly improved, and
now support multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"
7) Scrub rules now support the !if syntax.
8) States can be bound to the specific interface that created them or
to a group of interfaces for example:
- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)
9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.
10) "pfctl -ss" will now print the interface scope of the state.
This diff change the pf_state structure slighltly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)
Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel
ok deraadt@ mcbride@
|
