path: root/sys/net/pfvar.h
Age  Author  Commit message

2012-12-29  Markus Friedl
    pass pf_pool directly to pfr_pool_get(); simplifies the API;
    ok henning@, zinke@, mikeb@

2012-11-06  Henning Brauer
    backout csum diff for the moment, requested by theo

2012-11-01  Henning Brauer
    redo most of the protocol (tcp/udp/...) checksum handling
    - assume we have hardware checksum offloading. stop mucking with the checksum in most of the stack
    - stop checksum mucking in pf, just set a "needs checksumming" flag if needed
    - in all output paths, very late, if we figure out the outbound interface doesn't have hw cksum offloading, do the cksum in software. this especially makes the bridge path behave like a regular output path
    - little special casing for bridge still required until the broadcast path loses its disgusting shortcut hacks, but at least it's in one place now and not all over the stack
    in6_proto_cksum_out mostly written by krw@
    started at k2k11 in iceland more than 1.5 years ago - yes it took that long, this stuff is everything but easy.
    this happens to fix the infamous pf rdr bug that made us turn off proto cksum offloading on almost all interface drivers.
    ok camield sthen claudio, testing by many, thanks!

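The deferral scheme described in the 2012-11-01 message, as an added example that is not OpenBSD code: pf rewrites a UDP destination port (an rdr-style change) and only sets a "needs checksumming" flag; very late in the output path the checksum is computed in software only when the outbound interface has no offload, otherwise the flag is left for the driver. All names here (PKT_UDP_CSUM_OUT, IFCAP_UDP_CSUM, proto_cksum_out, pf_rdr_dport, the sample packet) are constructed for the example and are not the kernel's identifiers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenBSD code. The flag, capability and function names
 * are constructed here and only model the approach in the commit message:
 * pf flags the packet instead of patching the checksum, and the output path
 * decides, per outbound interface, who computes it. */
#define PKT_UDP_CSUM_OUT 0x01	/* "needs checksumming", set by pf */
#define IFCAP_UDP_CSUM   0x01	/* interface offloads UDP checksums */
#define UDP_OFF          20	/* IPv4 header without options */

struct pkt { uint8_t buf[64]; size_t len; unsigned csum_flags; };

/* RFC 1071 one's complement sum over big-endian 16-bit words, and its fold. */
static uint32_t cksum_add(uint32_t sum, const uint8_t *p, size_t n) {
	for (; n > 1; n -= 2, p += 2)
		sum += (uint32_t)p[0] << 8 | p[1];
	return n ? sum + ((uint32_t)p[0] << 8) : sum;
}
static uint16_t cksum_fold(uint32_t sum) {
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

/* Sum of the IPv4 pseudo-header and the UDP segment; a sender zeroes the
 * checksum field first, a receiver includes the stored value. */
static uint32_t udp_sum(const struct pkt *m, int zero_csum_field) {
	uint8_t pseudo[12], seg[64];
	size_t ulen = m->len - UDP_OFF;
	memcpy(pseudo, m->buf + 12, 8);			/* src, dst */
	pseudo[8] = 0; pseudo[9] = 17;			/* zero, IPPROTO_UDP */
	pseudo[10] = (uint8_t)(ulen >> 8); pseudo[11] = (uint8_t)ulen;
	memcpy(seg, m->buf + UDP_OFF, ulen);
	if (zero_csum_field)
		seg[6] = seg[7] = 0;
	return cksum_add(cksum_add(0, pseudo, sizeof pseudo), seg, ulen);
}
static void udp_fill_cksum(struct pkt *m) {
	uint16_t c = cksum_fold(udp_sum(m, 1));
	if (c == 0)
		c = 0xffff;			/* 0 means "no checksum" in UDP */
	m->buf[UDP_OFF + 6] = (uint8_t)(c >> 8);
	m->buf[UDP_OFF + 7] = (uint8_t)c;
}
/* Receiver's check: the full sum including the stored checksum folds to 0. */
static int udp_cksum_ok(const struct pkt *m) {
	return cksum_fold(udp_sum(m, 0)) == 0;
}

/* pf rdr-style port rewrite: touch the header, flag the packet, and leave
 * the (now stale) checksum alone. */
static void pf_rdr_dport(struct pkt *m, uint16_t port) {
	m->buf[UDP_OFF + 2] = (uint8_t)(port >> 8);
	m->buf[UDP_OFF + 3] = (uint8_t)port;
	m->csum_flags |= PKT_UDP_CSUM_OUT;
}

/* Very late in the output path, once the outbound interface's capabilities
 * are known: keep the flag for a driver that offloads, otherwise checksum
 * in software and clear it. Returns 1 if the checksum was computed here. */
static int proto_cksum_out(struct pkt *m, unsigned ifcaps) {
	if (!(m->csum_flags & PKT_UDP_CSUM_OUT) || (ifcaps & IFCAP_UDP_CSUM))
		return 0;
	udp_fill_cksum(m);
	m->csum_flags &= ~PKT_UDP_CSUM_OUT;
	return 1;
}

/* Constructed sample: IPv4 10.0.0.1 -> 10.0.0.2, UDP 1234 -> 53, "hello",
 * checksummed as the sender would have done. */
static void make_packet(struct pkt *m) {
	static const uint8_t hdr[] = {
		0x45, 0x00, 0x00, 0x21, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
		0x00, 0x00, 10, 0, 0, 1, 10, 0, 0, 2,
		0x04, 0xd2, 0x00, 0x35, 0x00, 0x0d, 0x00, 0x00, 'h', 'e', 'l', 'l', 'o' };
	memset(m, 0, sizeof *m);
	memcpy(m->buf, hdr, sizeof hdr);
	m->len = sizeof hdr;
	udp_fill_cksum(m);
}

/* No offload (e.g. a bridge member): the rewrite leaves the checksum stale,
 * the late software pass repairs it and clears the flag. Returns 1 on success. */
static int software_path_repairs(void) {
	struct pkt m; int stale;
	make_packet(&m);
	pf_rdr_dport(&m, 5353);
	stale = !udp_cksum_ok(&m);
	return stale && proto_cksum_out(&m, 0) && udp_cksum_ok(&m) &&
	    !(m.csum_flags & PKT_UDP_CSUM_OUT);
}
/* Offloading NIC: nothing is computed here, the flag stays for the driver. */
static int offload_path_defers(void) {
	struct pkt m;
	make_packet(&m);
	pf_rdr_dport(&m, 5353);
	return !proto_cksum_out(&m, IFCAP_UDP_CSUM) &&
	    (m.csum_flags & PKT_UDP_CSUM_OUT) != 0;
}

int main(void) {
	printf("software path repairs: %d, offload path defers: %d\n",
	    software_path_repairs(), offload_path_defers());
	return 0;
}
```

The point of doing it this late is that the decision depends on the interface the packet actually leaves on, which pf does not know reliably at filter time; an incremental checksum fix-up in pf would also be wrong for any path (bridge, broadcast) that later changes the header again.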
2012-10-30  Florian Obser
    Use time_uptime for expiration values as time_second can be skewed at
    runtime while time_uptime is monotonic. Prevent underflows in pfsync(4) and pflow(4) by using signed variables. pfsync(4) problem pointed out by camield. Diff originally by dlg, frag and pflow bits by me. feedback dlg, man page tweak jmc. Various versions of the pflow bits tested by Hrvoje Popovski (hrvoje AT srce DOT hr), thanks! ok benno, henning, dlg

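The two points in the 2012-10-30 message, as an added example that is not pf(4) code: a simulated time_second/time_uptime pair, a state whose expiry is recorded against each clock, and the remaining-lifetime value exported to a peer computed once with unsigned and once with signed arithmetic. Only the names time_second and time_uptime come from the commit message; the structs, functions and starting values are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not pf(4) code. A simulated pair of kernel clocks:
 * time_second follows the wall clock and can be stepped by ntpd or
 * settimeofday(2); time_uptime only ever moves forward. The struct and
 * function names are constructed for this example. */
struct clocks {
	int64_t time_second;
	int64_t time_uptime;
};

/* A firewall state with its expiry recorded against both clocks, so the
 * two policies can be compared on the same events. */
struct state {
	int64_t expire_wall;
	int64_t expire_uptime;
};

static struct state state_create(const struct clocks *c, int64_t timeout) {
	struct state s;
	s.expire_wall = c->time_second + timeout;
	s.expire_uptime = c->time_uptime + timeout;
	return s;
}

/* Let `secs` seconds of real time pass; `step` is an adjustment applied to
 * the wall clock only (negative means the clock was stepped backwards). */
static void clocks_advance(struct clocks *c, int64_t secs, int64_t step) {
	c->time_second += secs + step;
	c->time_uptime += secs;
}

static int expired_wall(const struct clocks *c, const struct state *s) {
	return c->time_second >= s->expire_wall;
}
static int expired_uptime(const struct clocks *c, const struct state *s) {
	return c->time_uptime >= s->expire_uptime;
}

/* Remaining lifetime as exported to a peer (pfsync and pflow put it on the
 * wire). With unsigned arithmetic an already-expired state wraps around to
 * a huge value instead of reporting zero. */
static uint32_t remaining_unsigned(uint32_t now, uint32_t expire) {
	return expire - now;
}
/* Signed arithmetic yields a negative value for an expired state, which is
 * then clamped to zero before it goes on the wire. */
static int32_t remaining_signed(int32_t now, int32_t expire) {
	int32_t left = expire - now;
	return left < 0 ? 0 : left;
}

/* Scenario: a state with a 10 second timeout; 15 seconds pass while the wall
 * clock is stepped back by an hour. Returns 1 if the wall-clock policy
 * wrongly keeps the state alive while the monotonic one has expired it. */
static int skew_keeps_state_alive(void) {
	struct clocks c = { 1350000000, 100 };		/* constructed starting point */
	struct state s = state_create(&c, 10);
	clocks_advance(&c, 15, -3600);
	return !expired_wall(&c, &s) && expired_uptime(&c, &s);
}

int main(void) {
	printf("wall-clock expiry fooled by a backwards step: %d\n",
	    skew_keeps_state_alive());
	printf("unsigned remaining for an expired state: %u\n",
	    (unsigned)remaining_unsigned(15, 10));
	printf("signed remaining for an expired state: %d\n",
	    (int)remaining_signed(15, 10));
	return 0;
}
```

A forward step has the mirror-image effect on the wall-clock policy: every state expires at once, which on a busy firewall means dropping established connections. The monotonic clock is immune to both.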
2012-10-08  Camiel Dobbelaar
    Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
    include sys/mbuf.h in net/pfvar.h. Flagged by and ok guenther@

2012-10-05  Camiel Dobbelaar
    include sys/mbuf.h

2012-09-20  Camiel Dobbelaar
    Lower pf frags limit to not risk running out of mbuf clusters
    when dealing with lots of IP fragments. This sets the default to 25% of the mbuf cluster maximum (hint from beck). And the example in the manpage is sane now. ok mikeb henning beck deraadt

2012-09-18  Henning Brauer
    prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
    "not set" and used a PF_PRIO_NOTSET define for it. now that means that everything that creates a struct pf_rule doesn't get away with bzero'ing it, which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead, make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio should be set. ok benno claudio mikeb

2012-07-26  Mike Belopuhov
    rename all_state_flags to state_flags to finish the transition
    to the 16-bit flags; reminded by claudio, ok henning

2012-07-13  Henning Brauer
    remove confuzzling comment
    :dlg: the xxx can go ...and this time commit to the real repo and not the one on my laptop

2012-07-10  Henning Brauer
    define a PFSTATE_SCRUBMASK. relying on numeric order of flags is stupid
    and bound to break sooner or later.

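The two flag-handling points above (PF_PRIO_NOTSET versus PFSTATE_SETPRIO in the 2012-09-18 message, PFSTATE_SCRUBMASK in the 2012-07-10 message), as one added example that is not pf(4) code: a zero-initialized rule with a sentinel-encoded "not set" silently forces priority 0, a dedicated flag bit does not, and the scrub flags carried into a state are selected by an explicit mask rather than by their numeric position. All names (PRIO_NOTSET, RULE_*, apply_sentinel, apply_flag, scrub_flags_for_state) are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not pf(4) code. All names here are constructed; they model
 * the two points made in the commit messages: a sentinel "not set" value
 * breaks under zero-initialization, and the set of scrub flags must be an
 * explicit mask rather than "all flags numerically below some value". */
#define PRIO_MAX	7	/* priorities 0..7 are all valid values */
#define PRIO_NOTSET	0xff	/* sentinel approach: an "impossible" prio */

#define RULE_NODF	0x0001	/* scrub: clear the DF bit */
#define RULE_SETPRIO	0x0002	/* modification: set_prio is meaningful */
#define RULE_RANDOMID	0x0004	/* scrub: randomize the IP id */
#define RULE_SCRUBMASK	(RULE_NODF | RULE_RANDOMID)	/* explicit, by name */

struct rule_sentinel { uint8_t set_prio; };		/* PRIO_NOTSET = leave alone */
struct rule_flag { uint8_t set_prio; uint16_t flags; };	/* consult RULE_SETPRIO */
struct packet { int prio_set; uint8_t prio; };

/* Sentinel variant: a rule created with memset(..., 0, ...) has set_prio == 0,
 * which is a valid priority, so it silently forces prio 0 on every match. */
static void apply_sentinel(const struct rule_sentinel *r, struct packet *p) {
	if (r->set_prio != PRIO_NOTSET && r->set_prio <= PRIO_MAX) {
		p->prio_set = 1;
		p->prio = r->set_prio;
	}
}

/* Flag variant: a zeroed rule has no RULE_SETPRIO bit, so the packet is
 * left alone unless the rule explicitly asked for a priority. */
static void apply_flag(const struct rule_flag *r, struct packet *p) {
	if ((r->flags & RULE_SETPRIO) && r->set_prio <= PRIO_MAX) {
		p->prio_set = 1;
		p->prio = r->set_prio;
	}
}

/* Only scrub-related rule flags are carried into the state. With an explicit
 * mask, RULE_SETPRIO stays behind even though its bit sits between the two
 * scrub bits; a "everything up to RULE_RANDOMID" mask would have copied it. */
static uint16_t scrub_flags_for_state(uint16_t rule_flags) {
	return rule_flags & RULE_SCRUBMASK;
}

/* Both rules zero-initialized, as most code creating a rule does. */
static int zeroed_sentinel_rule_sets_prio(void) {
	struct rule_sentinel r;
	struct packet p = { 0, 0 };
	memset(&r, 0, sizeof r);
	apply_sentinel(&r, &p);
	return p.prio_set;		/* 1: the bug the message describes */
}
static int zeroed_flag_rule_sets_prio(void) {
	struct rule_flag r;
	struct packet p = { 0, 0 };
	memset(&r, 0, sizeof r);
	apply_flag(&r, &p);
	return p.prio_set;		/* 0: packet untouched */
}
/* A rule that really wants prio 0 still works with the flag approach. */
static int flag_rule_prio0(void) {
	struct rule_flag r = { 0, RULE_SETPRIO };
	struct packet p = { 0, 0 };
	apply_flag(&r, &p);
	return p.prio_set && p.prio == 0;
}

int main(void) {
	printf("zeroed sentinel rule sets prio: %d\n", zeroed_sentinel_rule_sets_prio());
	printf("zeroed flag rule sets prio: %d\n", zeroed_flag_rule_sets_prio());
	printf("flag rule can set prio 0: %d\n", flag_rule_prio0());
	printf("scrub flags for state: 0x%04x\n",
	    scrub_flags_for_state(RULE_NODF | RULE_SETPRIO | RULE_RANDOMID));
	return 0;
}
```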
2012-07-07  Henning Brauer
    rename prio in struct pf_rule and related structs to set_prio so it is
    utterly clear this is not a filter criterion but a packet modification thing. also preparation for upcoming changes, including one to unscrew this mess (I should not have to touch half the tree for this - ifixitlater) not user visible, ok gcc

2012-04-03  Mike Belopuhov
    Fix kernel compilation with pf but without pfsync pseudo-device by
    moving the state export functionality from pfsync code into pf. Based on the initial diff by guenther, ok henning.

2012-02-03  Alexander Bluhm
    The kernel did not compile without INET6. Put some #ifdefs into
    pf to fix that.
    - add #ifdef INET6 in obvious places
    - af translation is only possible with both INET and INET6
    - interleave #endif /* INET6 */ and closing brace correctly
    - it is not necessary to #ifdef function prototypes
    - do not compile af translate functions at all instead of empty stub, then the linker will report inconsistencies
    - pf_poolmask() actually takes an sa_family_t not a u_int8_t argument
    No binary change for GENERIC compiled with -O2 and -UDIAGNOSTIC. reported by Olivier Cochard-Labbe; ok mikeb@ henning@

2012-01-26  Alexander Bluhm
    Clean up the pf normalization code:
    - Let pf_normalize_ip() and pf_normalize_ip6() take the struct pf_pdesc pd as argument.
    - Always check whether the mbuf got NULL after normalization to make the code more robust.
    - Make the code structure of pf_normalize_ip6() more like pf_normalize_ip() to make the differences obvious.
    ok henning@

2012-01-16  Alexander Bluhm
    Pass struct pf_pdesc to pf_walk_option6() and pf_walk_header6() to
    make their argument list shorter. Also fix a bug where pf_walk_option6() used the outer header in the pd2 case. ok henning@ mikeb@

2012-01-15  Alexander Bluhm
    Calling pf_normalize_ip() from pf_setup_pdesc() was bad as the
    latter is called from pf packet logging. This resulted in normalization and reassembly of bad packets to be logged. So rearrange the code and move the call to pf_test(). ok henning@

2011-12-12  Mike Belopuhov
    fixup af-to regression with match rules
    pfctl should not infer the af-to behavior from the af/naf difference. instead, we should be clear that this is an af-to rule. essentially this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so that we don't rely on ambiguous checks (like r->af != r->naf) when setting things up. positive review and comments from claudio, ok henning, sperreault

2011-11-29  David Gwynne
    use a u_int64_t for the state id in pfsync_state. this makes it consistent
    with every other thing that stores the state id (including other pfsync messages). includes improvements to the systat code to consider the creatorid as well as the state id in its cache to avoid collisions between states created on different hosts. tested by me in production and on amd64 talking to sparc64. ok henning@

2011-11-28  David Gwynne
    deprecate PFTM_UNTIL_PACKET. nothing in the tree uses it, and
    pf_state_expires() handled it incorrectly. discussed with mikeb@ ok henning@

2011-11-26  Ryan Thomas McBride
    Apply route-to to deferred packet; without this the first packet of a
    connection does not observe the route-to option. ok dlg mikeb

2011-10-13  Claudio Jeker
    Since the IPv6 madness is not enough introduce NAT64 -- which is actually
    "af-to" a generic IP version translator for pf(4). Not everything perfect yet but lets fix these things in the tree. Insane amount of work done by sperreault@, mikeb@ and reyk@. Looked over by mcbride@ henning@ and myself at eurobsdcon. OK mcbride@ and general put it in from deraadt@

2011-10-07  Henning Brauer
    rename some vars and functions
    unfortunately altq is one giant namespace violation. rename just those that conflict with new stuff for now only to be found on my laptop. reduce pain, the diff is huge already. ok ryan

2011-10-07  Henning Brauer
    pf_poolqueue is long dead, remove corpses. from eurobsdcon, ryan ok

2011-09-28  Alexander Bluhm
    As requested by henning, move the mbuf pointer into struct pf_pdesc.
    Also sort pd to the beginning of the functions' parameter lists for consistency. ok henning

2011-09-22  Alexander Bluhm
    As I have touched half of pf lines anyway, fix whitespaces now.
    KNF, no binary change.

2011-09-20  Alexander Bluhm
    Put kif and dir into pdesc and use this instead of passing the values
    around. This is a mechanical change. Initialize pd2 and use it where appropriate. ok henning on an earlier version; ok mpf

2011-09-19  Alexander Bluhm
    Consolidate pf function parameters. Move off and hdrlen into pdesc
    and change their type from int to u_int32_t. Do not pass struct tcphdr *th and sa_family_t af, it is in pd anyway. Do not use af and pd->af intermixed, the latter makes clear where it comes from. Do not calculate the packet length again if pd already has it. Use pd2.off instead of off2. go go go go don't stop henning@ mpf@

2011-09-18  Alexander Bluhm
    Move the pdesc initialization code into pf_setup_pdesc(). Unify
    some IPv4 and IPv6 code. Make sure that both code paths set the same fields in the same order. ok mpf henning

2011-09-18  Alexander Bluhm
    Move the call to pf_test_rule() for fragments that have not been
    reassembled by normalization from pf_setup_pdesc() to pf_test(). This simplifies the parameter list of pf_setup_pdesc() as it can concentrate on its job filling the pf_pdesc struct. ok henning mpf

2011-09-17  Alexander Bluhm
    The pd->ip_sum and pd->proto_sum fields are not needed. Replace
    the one occurrence in pf_test_state_icmp() that uses pd2.ip_sum by a local variable. Remove ip_sum and proto_sum from struct pf_pdesc. ok claudio henning

2011-08-30  Mike Belopuhov
    Add support for one shot rules that remove themselves from an active
    ruleset after match. In case this is the only rule in the anchor, the anchor will be destroyed automatically after the rule is matched. This is an extremely handy technique for firewall proxies. ok henning, mcbride

2011-08-03  David Gwynne
    someone (*cough*henning*cough*) made pf_state.state_flags a u_int16_t
    without growing it in pfsync_state too. to keep the wire format compat this uses some of the pad bytes to send all the state flags on the wire as well as maintaining the old state_flags field. after 5.0 we'll deprecate the original field and only use the new one. discussed with mcbride and deraadt and based on a diff from deraadt. tested against an "old" pfsync locally. ok mcbride@ henning@ deraadt@

2011-08-02  Ryan Thomas McBride
    Replace one byte of padding with sa_family_t af in pfsync_state_key;
    Reject states with pfsync_state->af == 0 in pfsync_state_import(), in preparation for states which specify an address family in each state key instead (change will take place post-5.0). ok dlg henning mikeb

2011-07-27  Ryan Thomas McBride
    Add support for weighted round-robin in load balancing pools and tables.
    Diff from zinke@ with some minor cleanup. ok henning claudio deraadt

2011-07-08  Henning Brauer
    surprisingly, we use pf as classifier for the new priority queueing
    implementation. ok ryan mpf sthen and also testing pea and halex looked at it and commented as well

2011-07-07  Alexander Bluhm
    There were two loops in pf_setup_pdesc() and pf_normalize_ip6()
    walking over the IPv6 header chain. Merge them into one loop, adjust some length checks and fix IPv6 jumbo option handling. Also allow strange but legal IPv6 packets with plen=0 passing through pf. IPv6 jumbo packets still get dropped. testing dhill@; ok mcbride@ henning@

2011-07-07  Ryan Thomas McBride
    Fold pf_test_fragment() into pf_test_rule(), reduces code and fixes
    a bunch of bugs with fragment handling not being in sync with the rest of the ruleset. Much feedback from mpf, bluhm & markus Thanks to Tony Sarendal for help with testing ok bluhm; various previous versions ok henning, claudio, mpf, markus

2011-07-04  Alexander Bluhm
    Rename the pf_pdesc field rh_cnt to badopts as it is also used for
    IPv4 options now. ok mcbride@ henning@

2011-07-04  Claudio Jeker
    Bye bye pf_test6(). Only one pf_test function for both IPv4 and v6.
    The functions were 95% identical anyway. While there use struct pf_addr in struct pf_divert instead of some union which is the same. OK bluhm@ mcbride@ and most probably henning@ as well

2011-07-03  Joerg Zinke
    bring in least-states load balancing algorithm
    ok mcbride@ henning@

2011-06-21  Alexander Bluhm
    There is no need to handle fragmented TCP reset packets in a special
    way. Remove PFDESC_IP_REAS and pf_pdesc flags completely. ok claudio@ henning@

2011-06-20  Claudio Jeker
    More cleanup in pf_test/pf_test6 this time mostly the fragment
    handling. More to come to make the two codepaths a bit more identical. tested by many (esp. krw@ and sthen@) input and OK bluhm@

2011-05-24  Claudio Jeker
    Merge pf_scrub_ip() and pf_scrub_ip6() into a single function. Call
    pf_scrub with the right arguments in the rule case so that match rules will work as expected. As a benefit allow setting the tos on IPv6 packets as well. OK henning@

2011-05-22  Claudio Jeker
    Do not pass AF specific information to pf_test_rule() and PFLOG_PACKET()
    because either the info is already available in struct pd or easy to figure out. Makes pf_test() and pf_test6() even more similar (with the target to remove one of them in the near future). OK henning@

2011-05-17  Mike Belopuhov
    exclude link local address from the dynamic interface address pool
    so that rules like "pass out on vr1 inet6 nat-to (vr1)" won't map to the non routable ipv6 link local address; with suggestions and ok claudio, henning

2011-04-23  Alexander Bluhm
    pf_scrub_ip() does not modify the given mbuf pointer. So don't
    pass a pointer to a pointer to make the code in pf_test() clearer. ok henning@

2011-04-22  Alexander Bluhm
    pf_pooladdr_pl does not exist anymore. Remove its extern declaration.
    ok henning@

2011-04-12  Mike Belopuhov
    put the accepted socket of a diverted connection into the routing domain
    of a connection originator. this allows one to query the source rdomain with a SO_RTABLE socket option. figured out with reyk, ok claudio.

2011-04-06  Claudio Jeker
    Allow PF to filter on the rdomain a packet belongs to. This allows one to
    write rules like "pass in on rdomain 1". Tested by phessler@, OK henning@