Age | Commit message | Author |
|
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:
- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.
WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.
The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):
- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE
They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:
- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK
Ok dhartmei@ mcbride@
|
|
ok dhartmei@ jmc@
|
|
|
|
pf_osfp_fingerprint_hdr() which doesn't work on mbufs.
pointed out by Max Laier
|
|
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001
|
|
redirection rules...
The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.
This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.
Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"
ok henning@ mcbride@
|
|
it's not only used to match on ports any more but uid/gid as well, and uid_t/gid_t are u_int32_t.
found by aaron@
ok cedric@
|
|
Make table tickets u_int32_t for consistency with other parts of PF.
Ok dhartmei@ henning@
|
|
instead of indirectly through struct pf_rule_addr.
Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.
Needless to say: KERNEL/USERLAND SYNC REQUIRED.
ok henning@ mcbride@
|
|
-if natpass is nonzero on nat/rdr/binat rules, do not evaluate the filter
ruleset, but set the rulepointer to the default rule (which is a pass rule)
in cooperation with daniel.
ok dhartmei@ cedric@ markus@
|
|
|
|
that allows us to get rid of the "tagid" global which stored the highest
tag ID in use.
when allocating a new ID scan the list for a free slot and only use
highest + 1 on failure instead of using highest + 1 from the beginning
scanning for a dup afterwards. this prevents ID space fragmentation better.
as a result this allows us to get rid of the pf_tag_purge() function
completely and let pf_tag_unref() remove an entry once the reference
counter reaches zero by itself.
after all it makes for easier code and is about 50% faster.
idea came up during a discussion on icb earlier today between cedric and
myself, which itself was particularly inspired by Darren Reed questioning the
need for pf_tag_purge on tech-net@netbsd.
ok dhartmei@ cedric@
|
|
|
|
- length, jumbo payload option
- TTL ("hoplimit" in IPv6 terminology) rewrite
|
|
traffic reporting w/ pfsync; ok dhartmei@
Note: ABI change (new fields in struct pf_state), requires a rebuild of
pfctl and tcpdump.
|
|
the server's MSS is guessed based on the routing table and interface MTU.
Fine patch entirely from Krists Krilovs <pow@pow.za.net>, ok frantzen@
Note: ABI change (new field in struct pf_state), requires a pfctl rebuild
(and tcpdump for pfsync).
|
|
- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()
NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.
|
|
The following two pfctl functions work with an "-a" option:
- pfctl [-a foo[:bar]] -sT
- pfctl [-a foo[:bar]] -FT
ok dhartmei@
|
|
pf_tagname2tag, pf_tag2tagname, pf_tag_unref, pf_tag_packet
|
|
ok dhartmei@ pb@
|
|
without causing EHOSTUNREACH to be delivered to local sockets, so it works
for outgoing connections originating on the same host. ok frantzen@
|
|
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive endpoint,
preventing spoofed SYN floods from reaching the passive endpoint.
No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.
ok frantzen@
|
|
remote uptime determination
- scrub modifier "reassemble tcp" turns on stateful TCP normalizations
ok henning@ dhartmei@
|
|
With this change, the log header format also changes.
The new log format is extendible and allows logging
of the originating anchor and ruleset information.
ok henning@ dhartmei@ frantzen@
|
|
those tags later on.
ok dhartmei@ pb@ mcbride@ frantzen@
|
|
|
|
first. The least significant portions of the IPv6 address are more
likely to differ than the more significant ones, since in most
situations half the addresses (either the source or the destination)
will be in the local subnet.
ok dhartmei@ henning@
|
|
number of state table entries grows, so entries time out faster before
the table fills up. Works both globally and per-rule. ok frantzen@
|
|
each side of the TCP connection and prevent it from being reduced
ok pb@ dhartmei@
|
|
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@
|
|
Prepare for anchors, improve robustness.
WARNING: need to sync kernel/userland.
ok dhartmei@
|
|
-DIOCCHANGERULE (just the affected rule)
-DIOCCOMMITRULES (all filter rules that get committed - one anchor or main rs)
-DIOCCOMMITALTQS (all filter rules, main set plus all anchors)
This fixes a whole bunch of issues.
previously, this was done in userland at load time. This worked fine for the
usual case, full ruleset load. It did not work inside anchors, as the queue
name <-> queue ID mapping is unknown there. Also, if the queue definitions
were changed without reloading the rules too (pfctl -A), the queue IDs on
the rules were not updated.
The three ioctls mentioned above are all entry points where the mapping is
touched.
helpful discussion with dhartmei@ and cedric@ helped verify my approach
for this fix was right.
ok dhartmei@ cedric@
|
|
so states created by rules in anchors correctly use rule options like
routing and (soon) queues...
Rule number bumped to 32 bit value.
USERLAND NEEDS TO BE RECOMPILED.
ok dhartmei@ henning@
|
|
field of a new pf_default_rule structure.
ok dhartmei@
|
|
Fix a bunch of issues.
Removal of unneeded (r != null) tests coming soon...
ok dhartmei@
|
|
ok dhartmei@ henning@
|
|
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@
|
|
|
|
referenced or inactive set. Flags were not updated correctly.
Tested on i386, sparc64. More regression tests coming.
|
|
the "negated" attribute of an address. The previous behaviour was incorrect
in both cases (too strict for the add command and too permissive for the
delete command).
ok dhartmei@
|
|
|
|
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@
|
|
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@
|
|
ok dhartmei@
|
|
name. ok henning@, mcbride@, cedric@
|
|
ok henning@, mcbride@
|
|
2) add new PFR_FLAG_REPLACE for use by pfr_tst_addrs().
3) add new pfrio_nmatch alias to pfioc_table, set by pfr_tst_addrs().
Tested on i386, sparc64
|
|
ok fgsch@ dhartmei@ henning@
|
|
|
|
(i.e: pfradix -a test 1.2.3.4 1.2.3.4). The ioctl can also report these
duplicates to the caller using the new PFR_FB_DUPLICATE feedback tag.
|