| Age | Commit message (Collapse) | Author |
|---|
|
(not just to the initial packet). note: kernel/userland abi change
(rebuild pfctl). ok henning@
|
|
'memory' one, which helps debugging. Alters the kernel/userland ABI,
rebuild pfctl and tcpdump. ok henning@
|
|
and userland.
ok henning@ dhartmei@
|
|
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@
|
|
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan
|
|
pfvar.h. builds kernel and userland.
|
|
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.
ok deraadt@ henning@ dhartmei@
|
|
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.
ok deraadt@ henning@ dhartmei@
|
|
the 3-way handshake. Allow limits on both total connections and connection
rate, put offenders in a table which can be used in the ruleset, and optionally
kill existing states. Rate tracking code from dhartmei@.
Adds a second pool for table entries using the default allocator, which
allows entries to be added at splsoftnet().
ok deraadt@ dhartmei@
|
|
- Add a new PFSTATE_STALE flag to uncompressed state updates sent as a result
of a stale state being detected, and prevent updates with this flag from
generating similar messages.
- For the specific case where the state->src in the recieved update is ok but
the state.dst is not, take the partial update, then "fail" to let the other
peers pick up the better data that we have. From Chris Pascoe.
ok dhartmei@
|
|
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok
|
|
daniel found it.
|
|
requested by deraadt
|
|
pfctl is assuming that the keyword == 0 in its parser! (see decl for "dir").
|
|
caveats: (to be addressed soon)
- "scrub in" should queue fragments back into ip6intrq again, but
somehow it does not happen - the packet is kept inside reass queue.
need investigation
- ip6_forwarding path is not tested
- does not use red-black tree. somehow red-black tree behaved badly
and was not robust. performance issue, the above one is more
important.
good things:
- "scrub out" is perfectly ok
- i think now we can inspect upper-layer protocol fields (tcp port)
even if ip6 packet is fragmented.
- reass queue will be cleaned up properly by timeout (60sec). we might
want to impose pool limit as well
|
|
ok cedric@ henning@
|
|
DIOCRINABEGIN, DIOCRINACOMMIT ioctls.
Use DIOCXBEGIN/DIOCXCOMMIT/DIOCXROLLBACK instead.
ok beck@ dhartmei@ henning@
|
|
keyword in C++. ok henning@, cedric@
|
|
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@
|
|
also fixup checksum when random-id modifies ip_id. This would previously
lead to incorrect checksums for packets modified by scrub random-id.
From Pyun YongHyeon. ok cedric@
|
|
sequence numbers by taking advantage of the maximum 1KHz clock as an upperbound
on the timestamp. Typically gains 10 to 18 bits of additional security against
blind data insertion attacks. More if the TS Echo wasn't optional :-(
Enabled with: scrub on !lo0 all reassemble tcp
ok dhartmei@. documentation help from jmc@
|
|
|
|
enabled when we're doing full frag reassembly and thus have full seq info
ok markus@
|
|
|
|
ok mcbride@ henning@
|
|
|
|
configured. This this allows pfsync+carp clusters to come up gracefully
without killing active connections. pfsync now prevents carp from
preempting to become master until the state table has sync'd.
ABI change, any application which use struct pf_state must be recompiled.
Reminded about this by Christian Gut. Thanks to beck@ cedric@ and dhartmei@
for testing and comments.
ok deraadt@
|
|
pfctl -i fxp0 -Fs). Also don't send out individual state deletions if we're
sending a clear message, move pfsync_clear_states() inside splnet, and fix
if_pfsync.h includes in pf.c and pf_ioctl.c.
ok cedric@ dhartmei@
|
|
Kernel/Userland Sync needed. ok dhartmei@ jmc@ markus@ mcbride@
|
|
make the semantics in line with the tag assignment, which simplifies
the id management in pf.
ok, henning@
|
|
|
|
|
|
source-tracking. Found by Pyun YongHyeon.
Also add support to pfctl to set the src-nodes pool limit.
"Luckily" some of the bugs cancel each other out; update kernel before
pfctl.
ok dhartmei@
|
|
1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.
2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.
3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"
4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.
5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.
6) The dynamic interface syntax (foo) has been vastly improved, and
now support multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"
7) Scrub rules now support the !if syntax.
8) States can be bound to the specific interface that created them or
to a group of interfaces for example:
- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)
9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.
10) "pfctl -ss" will now print the interface scope of the state.
This diff change the pf_state structure slighltly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)
Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel
ok deraadt@ mcbride@
|
|
|
|
Implemented as an in-kernel multicast IP protocol.
Turn it on like this:
# ifconfig pfsync0 up syncif fxp0
There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.
NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contains regular pf_state structs,
but pfsync_state structs which contain no pointers.
Much more to come.
ok deraadt@
|
|
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule
ok dhartmei@ deraadt@
|
|
Expect improvements in this area soon.
ok dhartmei@ mcbride@
|
|
PPL that have that problem and cannot upgrade to -current could
just comment out the assertion in pfr_update_stats().
ok dhartmei@ henning@
|
|
created by this rule from appearing on the pfsync(4) interface. e.g.
pass in proto tcp to self flags S/SA keep state (no-sync)
ok cedric@ henning@ dhartmei@
|
|
|
|
This saves more than 30% memory on state entries, and simplifies the state
insertion and removal code as well.
NOTE: This changes the pf API; userland tools must be updated to match.
ok henning@ dhartmei@
|
|
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remain in the kernel). Basically, improvements are:
- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fail.
- Commit is now done in a single atomic IOCTL.
WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.
The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):
- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE
They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:
- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK
Ok dhartmei@ mcbride@
|
|
ok dhartmei@ jmc@
|
|
|
|
pf_osfp_fingerprint_hdr() which doesn't work on mbufs.
pointed out by Max Laier
|
|
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001
|
|
redirection rules...
The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.
This implementation support all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.
Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"
ok henning@ mcbride@
|
|
it's not only used to ,atch on ports any more but uid/gid as well, and uid_t/gid_t are u_int32_t.
found by aaron@
ok cedric@
|
|
Make table tickets u_int32_t for consistency with other parts of PF.
Ok dhartmei@ henning@
|
