path: root/sys/net/pfvar.h

Commit log (age, commit message, author):
2004-09-21  Aaron Campbell
    Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
    First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok

2004-07-12  Jun-ichiro itojun Hagino
    remove PF_FORWARD (which was introduced by ipv6 reass-on-scrub).
    daniel found it.

2004-07-11  Jun-ichiro itojun Hagino
    backout IPv6 reass-on-scrub patch (more work needs to be done).
    requested by deraadt

2004-06-25  Jun-ichiro itojun Hagino
    re-introduce PF_INOUT and move PF_FORWARD def to the end.
    pfctl is assuming that the keyword == 0 in its parser! (see decl for "dir").

2004-06-25  Jun-ichiro itojun Hagino
    IPv6 reassembly on "scrub" directive.
    caveats: (to be addressed soon)
    - "scrub in" should queue fragments back into ip6intrq again, but somehow
      it does not happen - the packet is kept inside reass queue. need investigation
    - ip6_forwarding path is not tested
    - does not use red-black tree. somehow red-black tree behaved badly and was
      not robust. performance issue, the above one is more important.
    good things:
    - "scrub out" is perfectly ok
    - i think now we can inspect upper-layer protocol fields (tcp port) even if
      ip6 packet is fragmented.
    - reass queue will be cleaned up properly by timeout (60sec). we might want
      to impose pool limit as well
2004-06-21  Ryan Thomas McBride
    Get rid of pf_test_eh() wrapper.
    ok cedric@ henning@

2004-06-14  Cedric Berger
    Remove DIOCBEGINRULES, DIOCCOMMITRULES, DIOCBEGINALTQS, DIOCCOMMITALTQS,
    DIOCRINABEGIN, DIOCRINACOMMIT ioctls. Use DIOCXBEGIN/DIOCXCOMMIT/DIOCXROLLBACK
    instead. ok beck@ dhartmei@ henning@

2004-06-10  Daniel Hartmeier
    rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
    keyword in C++. ok henning@, cedric@

2004-05-19  Daniel Hartmeier
    Allow recursive anchors (anchors within anchors, up to 64 levels deep).
    More work required, but this is already functional. authpf users will need
    to adjust their anchor calls, but this will change again soon.
    ok beck@, cedric@, henning@, mcbride@

2004-05-11  Daniel Hartmeier
    pf_cksum_fixup() was called without last argument from normalization,
    also fixup checksum when random-id modifies ip_id. This would previously
    lead to incorrect checksums for packets modified by scrub random-id.
    From Pyun YongHyeon. ok cedric@

2004-05-05  Mike Frantzen
    Use RFC1323 PAWS timestamps as a logical extension to the conventional TCP
    sequence numbers by taking advantage of the maximum 1KHz clock as an upper
    bound on the timestamp. Typically gains 10 to 18 bits of additional security
    against blind data insertion attacks. More if the TS Echo wasn't optional :-(
    Enabled with:
        scrub on !lo0 all reassemble tcp
    ok dhartmei@. documentation help from jmc@
2004-04-28  Cedric Berger
    make return-rst work on pure bridges. ok dhartmei@ henning@ mcbride@

2004-04-27  Mike Frantzen
    validate the sequence numbers on TCP resets are an exact match. check is only
    enabled when we're doing full frag reassembly and thus have full seq info
    ok markus@

2004-04-26  Cedric Berger
    anchor refcounting. ok dhartmei@ mcbride@

2004-04-25  Philipp Buehler
    get rid of a complete state tree walk at state expire while in splnet()
    ok mcbride@ henning@

2004-04-24  Cedric Berger
    Add "probability xxx" rule modifier. ok deraadt@
2004-03-22  Ryan Thomas McBride
    Support for best effort bulk transfers of states when pfsync syncif is
    configured. This allows pfsync+carp clusters to come up gracefully without
    killing active connections. pfsync now prevents carp from preempting to
    become master until the state table has sync'd.
    ABI change, any application which uses struct pf_state must be recompiled.
    Reminded about this by Christian Gut.
    Thanks to beck@ cedric@ and dhartmei@ for testing and comments.
    ok deraadt@

2004-02-20  Ryan Thomas McBride
    Make pfsync deal with clearing states bound to a group or interface (eg
    pfctl -i fxp0 -Fs). Also don't send out individual state deletions if we're
    sending a clear message, move pfsync_clear_states() inside splnet, and fix
    if_pfsync.h includes in pf.c and pf_ioctl.c. ok cedric@ dhartmei@

2004-02-19  Cedric Berger
    Makes pfctl -Fs and pfctl -w work with the optional -i specifier.
    Kernel/Userland Sync needed. ok dhartmei@ jmc@ markus@ mcbride@

2004-02-19  Kenjiro Cho
    the 2nd round of the qid assignment change.
    make the semantics in line with the tag assignment, which simplifies the id
    management in pf. ok, henning@
2004-02-10  Daniel Hartmeier
    KNF

2004-02-10  Henning Brauer
    KNF

2004-02-04  Ryan Thomas McBride
    Fix a number of bugs with setting pool limits which I introduced with
    source-tracking. Found by Pyun YongHyeon. Also add support to pfctl to set
    the src-nodes pool limit. "Luckily" some of the bugs cancel each other out;
    update kernel before pfctl. ok dhartmei@

2003-12-31  Cedric Berger
    Many improvements to the handling of interfaces in PF.
    1) PF should do the right thing when unplugging/replugging or cloning/
       destroying NICs.
    2) Rules can be loaded in the kernel for not-yet-existing devices (USB,
       PCMCIA, Cardbus). For example, it is valid to write: "pass in on kue0"
       before kue USB is plugged in.
    3) It is possible to write rules that apply to group of interfaces
       (drivers), like "pass in on ppp all"
    4) There is a new ":peer" modifier that completes the ":broadcast" and
       ":network" modifiers.
    5) There is a new ":0" modifier that will filter out interface aliases.
       Can also be applied to DNS names to restore original PF behaviour.
    6) The dynamic interface syntax (foo) has been vastly improved, and now
       supports multiple addresses, v4 and v6 addresses, and all userland
       modifiers, like "pass in from (fxp0:network)"
    7) Scrub rules now support the !if syntax.
    8) States can be bound to the specific interface that created them or to a
       group of interfaces for example:
       - pass all keep state (if-bound)
       - pass all keep state (group-bound)
       - pass all keep state (floating)
    9) The default value when only keep state is given can be selected by using
       the "set state-policy" statement.
    10) "pfctl -ss" will now print the interface scope of the state.
    This diff changes the pf_state structure slightly, so you should recompile
    your userland tools (pfctl, authpf, pflogd, tcpdump...)
    Tested on i386, sparc, sparc64 by Ryan
    Tested on macppc, sparc64 by Daniel
    ok deraadt@ mcbride@

2003-12-15  Henning Brauer
    ryan left a few for me ;-)
2003-12-15  Ryan Thomas McBride
    Add initial support for pf state synchronization over the network.
    Implemented as an in-kernel multicast IP protocol. Turn it on like this:
        # ifconfig pfsync0 up syncif fxp0
    There is not yet any authentication on this protocol, so the syncif must be
    on a trusted network. i.e., a crossover cable between the two firewalls.
    NOTABLE CHANGES:
    - A new index based on a unique (creatorid, stateid) tuple has been added to
      the state tree.
    - Updates now appear on the pfsync(4) interface; multiple updates may be
      compressed into a single update.
    - Applications which use bpf on pfsync(4) will need modification; packets on
      pfsync no longer contain regular pf_state structs, but pfsync_state structs
      which contain no pointers.
    Much more to come. ok deraadt@

2003-12-15  Ryan Thomas McBride
    Add support to track stateful connections by source ip. This allows us to:
    - Ensure that clients get a consistent IP mapping with load-balanced
      translation/routing rules
    - Limit the number of simultaneous connections a client can make
    - Limit the number of clients which can connect through a rule
    ok dhartmei@ deraadt@

2003-12-12  Cedric Berger
    Move PF interface code to new net/pf_if.c
    Expect improvements in this area soon. ok dhartmei@ mcbride@

2003-12-11  Cedric Berger
    Fix PR3587 and other related problems with NAT and table stats.
    PPL that have that problem and cannot upgrade to -current could just comment
    out the assertion in pfr_update_stats(). ok dhartmei@ henning@

2003-11-08  Ryan Thomas McBride
    Add 'no-sync' state option to prevent state transition messages for states
    created by this rule from appearing on the pfsync(4) interface. e.g.
        pass in proto tcp to self flags S/SA keep state (no-sync)
    ok cedric@ henning@ dhartmei@
2003-10-31  Ryan Thomas McBride
    Remove remnants of pf_tree stuff that I missed.

2003-10-25  Ryan Thomas McBride
    Build state search indexes directly on pf_state instead of pf_tree_node.
    This saves more than 30% memory on state entries, and simplifies the state
    insertion and removal code as well.
    NOTE: This changes the pf API; userland tools must be updated to match.
    ok henning@ dhartmei@

2003-09-26  Cedric Berger
    Rearchitecture of the userland/kernel IOCTL interface for transactions.
    This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
    (some splxxx work remains in the kernel).
    Basically, improvements are:
    - Anchors/Rulesets cannot disappear unexpectedly anymore.
    - No more leftover in the kernel if "pfctl -f" fails.
    - Commit is now done in a single atomic IOCTL.
    WARNING: The kernel code is fully backward compatible, but the new
    pfctl/authpf userland utilities will only run on a new kernel.
    The following ioctls are deprecated (i.e. will be deleted sooner or later,
    depending on how many 3rd party utilities use them and how soon they can be
    upgraded):
    - DIOCBEGINRULES
    - DIOCCOMMITRULES
    - DIOCBEGINALTQS
    - DIOCCOMMITALTQS
    - DIOCRINABEGIN
    - DIOCRINADEFINE
    They are replaced by the following ioctls (yes, PF(4) will follow) which
    operate on a vector of rulesets:
    - DIOCXBEGIN
    - DIOCXCOMMIT
    - DIOCXROLLBACK
    Ok dhartmei@ mcbride@
2003-08-22  David Krause
    pf spelling police
    ok dhartmei@ jmc@

2003-08-22  Henning Brauer
    KNF

2003-08-22  Mike Frantzen
    don't expose pf_osfp_fingerprint() to ! _KERNEL. tcpdump et al use
    pf_osfp_fingerprint_hdr() which doesn't work on mbufs. pointed out by Max Laier

2003-08-21  Mike Frantzen
    Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
    Exposes the source IP's operating system to the filter language. Interesting
    policy decisions are now enforceable:
    . block proto tcp from any os SCO
    . block proto tcp from any os Windows to any port smtp
    . rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001

2003-08-09  Cedric Berger
    This patch removes the restriction that tables cannot be used in routing or
    redirection rules... The advantage of using tables in redirection/routing
    rules is not efficiency, in fact it will run slower than straight address
    pools. However, this brings a lot of flexibility to PF, allowing simple
    scripts/daemons to add/remove addresses from redirection/routing pools
    easily. This implementation supports all table features, including cidr
    blocks and negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 }
    will correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.
    Tables can also be combined with simple addresses, so the following rule
    will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"
    ok henning@ mcbride@
2003-08-07  Henning Brauer
    make pf_match take u_int32_t instead of u_int16_t
    it's not only used to match on ports any more but uid/gid as well, and
    uid_t/gid_t are u_int32_t. found by aaron@ ok cedric@

2003-07-31  Cedric Berger
    Make table tickets per-ruleset instead of global.
    Make table tickets u_int32_t for consistency with other parts of PF.
    Ok dhartmei@ henning@

2003-07-19  Cedric Berger
    Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
    instead of indirectly through struct pf_rule_addr.
    Ryan McBride says: If I'm not mistaken, the code _used_ to use the ports in
    pf_rule_addr as well. The code was changed to fix some of the bugs with port
    ranges, but it was too late in the release cycle to make kernel API changes,
    so the structure was left as is.
    Needless to say: KERNEL/USERLAND SYNC REQUIRED.
    ok henning@ mcbride@

2003-07-04  Henning Brauer
    -add a "natpass" field to pf_rule
    -if natpass is nonzero on nat/rdr/binat rules, do not evaluate the filter
     ruleset, but set the rulepointer to the default rule (which is a pass rule)
    in cooperation with daniel. ok dhartmei@ cedric@ markus@
2003-07-03  Jun-ichiro itojun Hagino
    unused global. dhartmei ok

2003-06-30  Henning Brauer
    change that queue ID allocator so it always has the queues sorted by ID.
    that allows us to get rid of the "tagid" global which stored the highest tag
    ID in use. when allocating a new ID scan the list for a free slot and only
    use highest + 1 on failure instead of using highest + 1 from the beginning
    scanning for a dup afterwards. this prevents ID space fragmentation better.
    as a result this allows us to get rid of the pf_tag_purge() function
    completely and let pf_tag_unref() remove an entry once the reference counter
    reaches zero by itself. after all it makes for easier code and is about 50%
    faster. idea came up during a discussion on icb earlier today between cedric
    and myself, which itself was particularly inspired by Darren Reed questioning
    the need for pf_tag_purge on tech-net@netbsd. ok dhartmei@ cedric@

2003-06-30  Henning Brauer
    move prototype for pf_tag_purge() to pfvar.h

2003-06-29  Jun-ichiro itojun Hagino
    normalize IPv6 packet (no reass, but it is a start). dhartmei & henning ok
    - length, jumbo payload option
    - TTL ("hoplimit" in IPv6 terminology) rewrite
2003-06-21  Damien Miller
    count packets and bidirectionally on state entries, allowing for fine-grained
    traffic reporting w/ pfsync; ok dhartmei@
    Note: ABI change (new fields in struct pf_state), requires a rebuild of pfctl
    and tcpdump.

2003-06-20  Daniel Hartmeier
    Add MSS support to the synproxy. The client's MSS is sent to the server,
    the server's MSS is guessed based on the routing table and interface MTU.
    Fine patch entirely from Krists Krilovs <pow@pow.za.net>, ok frantzen@
    Note: ABI change (new field in struct pf_state), requires a pfctl rebuild
    (and tcpdump for pfsync).

2003-06-09  Ryan Thomas McBride
    Attempt to resolve byte order confusion in nat code once and for all.
    - pf_get_sport() leaves the translated port in the packet in network byte
      order
    - merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()
    NOTE: people who use the static-port keyword in their pf.conf need to make
    sure pfctl is updated along with their kernel.

2003-06-08  Cedric Berger
    A table in an anchor creates a real anchor: pfctl -sA works.
    The following two pfctl functions work with an "-a" option:
    - pfctl [-a foo[:bar]] -sT
    - pfctl [-a foo[:bar]] -FT
    ok dhartmei@