Age | Commit message (Collapse) | Author |
|
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok
|
|
daniel found it.
|
|
requested by deraadt
|
|
pfctl is assuming that the keyword == 0 in its parser! (see decl for "dir").
|
|
caveats: (to be addressed soon)
- "scrub in" should queue fragments back into ip6intrq again, but
somehow it does not happen - the packet is kept inside reass queue.
need investigation
- ip6_forwarding path is not tested
- does not use red-black tree. somehow red-black tree behaved badly
and was not robust. performance issue, the above one is more
important.
good things:
- "scrub out" is perfectly ok
- i think now we can inspect upper-layer protocol fields (tcp port)
even if ip6 packet is fragmented.
- reass queue will be cleaned up properly by timeout (60sec). we might
want to impose pool limit as well
|
|
ok cedric@ henning@
|
|
DIOCRINABEGIN, DIOCRINACOMMIT ioctls.
Use DIOCXBEGIN/DIOCXCOMMIT/DIOCXROLLBACK instead.
ok beck@ dhartmei@ henning@
|
|
keyword in C++. ok henning@, cedric@
|
|
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@
|
|
also fixup checksum when random-id modifies ip_id. This would previously
lead to incorrect checksums for packets modified by scrub random-id.
From Pyun YongHyeon. ok cedric@
|
|
sequence numbers by taking advantage of the maximum 1KHz clock as an upperbound
on the timestamp. Typically gains 10 to 18 bits of additional security against
blind data insertion attacks. More if the TS Echo wasn't optional :-(
Enabled with: scrub on !lo0 all reassemble tcp
ok dhartmei@. documentation help from jmc@
|
|
|
|
enabled when we're doing full frag reassembly and thus have full seq info
ok markus@
|
|
|
|
ok mcbride@ henning@
|
|
|
|
configured. This this allows pfsync+carp clusters to come up gracefully
without killing active connections. pfsync now prevents carp from
preempting to become master until the state table has sync'd.
ABI change, any application which use struct pf_state must be recompiled.
Reminded about this by Christian Gut. Thanks to beck@ cedric@ and dhartmei@
for testing and comments.
ok deraadt@
|
|
pfctl -i fxp0 -Fs). Also don't send out individual state deletions if we're
sending a clear message, move pfsync_clear_states() inside splnet, and fix
if_pfsync.h includes in pf.c and pf_ioctl.c.
ok cedric@ dhartmei@
|
|
Kernel/Userland Sync needed. ok dhartmei@ jmc@ markus@ mcbride@
|
|
make the semantics in line with the tag assignment, which simplifies
the id management in pf.
ok, henning@
|
|
|
|
|
|
source-tracking. Found by Pyun YongHyeon.
Also add support to pfctl to set the src-nodes pool limit.
"Luckily" some of the bugs cancel each other out; update kernel before
pfctl.
ok dhartmei@
|
|
1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.
2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.
3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"
4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.
5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.
6) The dynamic interface syntax (foo) has been vastly improved, and
now support multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"
7) Scrub rules now support the !if syntax.
8) States can be bound to the specific interface that created them or
to a group of interfaces for example:
- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)
9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.
10) "pfctl -ss" will now print the interface scope of the state.
This diff change the pf_state structure slighltly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)
Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel
ok deraadt@ mcbride@
|
|
|
|
Implemented as an in-kernel multicast IP protocol.
Turn it on like this:
# ifconfig pfsync0 up syncif fxp0
There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.
NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contains regular pf_state structs,
but pfsync_state structs which contain no pointers.
Much more to come.
ok deraadt@
|
|
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule
ok dhartmei@ deraadt@
|
|
Expect improvements in this area soon.
ok dhartmei@ mcbride@
|
|
PPL that have that problem and cannot upgrade to -current could
just comment out the assertion in pfr_update_stats().
ok dhartmei@ henning@
|
|
created by this rule from appearing on the pfsync(4) interface. e.g.
pass in proto tcp to self flags S/SA keep state (no-sync)
ok cedric@ henning@ dhartmei@
|
|
|
|
This saves more than 30% memory on state entries, and simplifies the state
insertion and removal code as well.
NOTE: This changes the pf API; userland tools must be updated to match.
ok henning@ dhartmei@
|
|
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remain in the kernel). Basically, improvements are:
- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fail.
- Commit is now done in a single atomic IOCTL.
WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.
The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):
- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE
They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:
- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK
Ok dhartmei@ mcbride@
|
|
ok dhartmei@ jmc@
|
|
|
|
pf_osfp_fingerprint_hdr() which doesn't work on mbufs.
pointed out by Max Laier
|
|
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001
|
|
redirection rules...
The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.
This implementation support all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.
Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"
ok henning@ mcbride@
|
|
it's not only used to ,atch on ports any more but uid/gid as well, and uid_t/gid_t are u_int32_t.
found by aaron@
ok cedric@
|
|
Make table tickets u_int32_t for consistency with other parts of PF.
Ok dhartmei@ henning@
|
|
instead of indirectly trough struct pf_rule_addr.
Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.
Needless to say: KERNEL/USERLAND SYNC REQUIRED.
ok henning@ mcbride@
|
|
-if natpass is nonzero on nat/rdr/binat rules, do not evaluate the filter
ruleset, but set the rulepointer to the default rule (which is a pass rule)
in cooperation with daniel.
ok dhartmei@ cedric@ markus@
|
|
|
|
that allows us to get rid of the "tagid" global which stored the highest
tag ID in use.
when allocating a new ID scan the list for a free slot and only use
highest + 1 on failure instead of using highest + 1 from the beginning
scanning for a dup afterwards. this prevents ID space fragmentation better.
as a result this allows us do get rid of the pf_tag_purge() function
completely and let pf_tag_unref() remove an entry once the reference
counter reaches zero by itself.
after all it makes for easier code and is about 50% faster.
idea came up during a discussion on icb earlier today between cedric and
myself, which itself was particulary inspired by Darren Reed questioning the
need for pf_tag_purge on tech-net@netbsd.
ok dhartmei@ cedric@
|
|
|
|
- length, jumbo payload option
- TTL ("hoplimit" in IPv6 terminology) rewrite
|
|
traffic reporting w/ pfsync; ok dhartmei@
Note: ABI change (new fields in struct pf_state), requires a rebuild of
pfctl and tcpdump.
|
|
the server's MSS is guessed based on the routing table and interface MTU.
Fine patch entirely from Krists Krilovs <pow@pow.za.net>, ok frantzen@
Note: ABI change (new field in struct pf_state), requires a pfctl rebuild
(and tcpdump for pfsync).
|
|
- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()
NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.
|
|
The following two pfctl functions work with an "-a" option:
- pfctl [-a foo[:bar]] -sT
- pfctl [-a foo[:bar]] -FT
ok dhartmei@
|