summaryrefslogtreecommitdiff
path: root/sys/net/pfvar.h
AgeCommit message (Collapse)Author
2005-11-04crank pf_state and pf_src_node byte and packet counters to u_in64_t, sinceRyan Thomas McBride
we're breaking pfsync compatibility this cycle anyways. Requested by djm@, ok henning@, 'wheee!' deraadt@
2005-10-27Basic support for attaching states from pfsync to the correct rules.Ryan Thomas McBride
Applies only to rules in the main ruleset (not anchors) if the ruleset checksum matches. Necessary to fix the following for pfsync'd states: - per-rule limits on number of states - altq - rule-based settings such as timeouts More work to do re: nat rules, src-nodes, etc. NOTE: This is modifies the pfsync header and version number. Tools which process pfsync packets must be recompiled, and firewalls with different versions will not sync. ok mpf@ henning@ dhartmei@
2005-10-17make pf use one mbuf tag instead of 6 distinct ones. use a little structHenning Brauer
in the data part for the data from the previously distinct tags. look up the tag early and carry a pointer to it around. makes the code easier and saves some tag lookups and thus helps performance, as proven by tests run by Schberle Dniel <Schoeberle.Daniel@aamtech.hu> Initially hacked up somewhere over the atlantic ocean in an A330 early testing reyk and moritz, "put it in" theo
2005-09-28Improve the safety of pf IOCTLs, taking into account that some paths can sleep.Christopher Pascoe
- Introduces a rw_lock in pfioctl so that we can have concurrent readers but only one process performing updates at a time; - Separates state expiry into "unlink" and "free" parts; anyone can unlink a state/src node from the RB trees at any time, but a state can only be freed whilst the write lock is held; - Converts state_updates into list state_list containing all states, regardless of whether they are "linked" or "unlinked"; - Introduces a new PFTM_UNLINKED state that is used on the "unlinked" states to signal that they can be freed; - Converts pf_purge_expired_state to an "unlink" state routine, which only unlinks the state from the RB trees. Freeing the state/src nodes is left to the purge thread, which runs whilst holding a write lock, such that all "next" references remain valid; - Converts pfsync_bulk_update and DIOCGETSTATES to walk state_list rather than the RB trees; - Converts the purge thread to use the new state_list and perform a partial purge every second, with the target rate a full state table walk every PFTM_INTERVAL seconds. seen by mcbride, henning, dhartmei pre-3.8, but too intrusive for then
2005-08-18Rearrange pf_state and pfi_kif so that the parts of the structure neededChristopher Pascoe
to search for a particular entry in the RB trees are at the start of the structure. This permits us to place a much smaller structure on the stack in the interrupt paths that match packets against state entries. ok mcbride
2005-08-11Only decrement the max-src-conn counter for tcp connections that reachedJoel Knight
"established" state. Requires recompiling pfctl, etc. ok dhartmei@
2005-08-02Instead of copying a table structure so we can mask off a bit beforeChristopher Pascoe
"validating" it, pass the bits to be ignored down to the validating function in its allowedflags argument. Saves a 1kB+ stack allocation. ok henning@
2005-07-31Perform pf state/rule/table expiry in a kernel thread instead of runningChristopher Pascoe
it out of a timeout handler. This means we will have process context, required when using the oldnointr pool allocator. Addresses pr4186, pr4273. ok dhartmei@ henning@ tedu@
2005-06-30in order for pfvar.h not to conflict with openssl's crypto.h, useNikolay Sturm
PF_MD5_DIGEST_LENGTH instead of including crypto/md5.h ok markus@, henning@, mpf@
2005-06-13spurious XXX comment left over from interface abstraction code whackingHenning Brauer
2005-06-13make the packet and byte counters on rules and src nodes per direction,Henning Brauer
matches the counters on states now. also fix the counting on scrub rules where we previously did not handle the byte counters at all. extend pfctl -sl output to include the new seperate in/out counters hacked on the ferry from Earls Cove to Saltery Bay ok ryan
2005-06-05const'ify the char * parameter to pfi_kif_get and pfi_group_changeHenning Brauer
2005-05-27Calculate an MD5 checksum over the main pf ruleset.Marco Pfatschbacher
This is the basis for further pfsync improvements, to ensure that pf rules are in sync with the master. "get it in" mcbride@
2005-05-27log two pairs of uid/pid through pflog: the uid/pid of the process thatDaniel Hartmeier
inserted the rule which causes the logging. secondly, the uid/pid of the process in case the logged packet is delivered to/from a local socket. a lookup of the local socket can be forced for logged packets with a new option, 'log (user)'. make tcpdump print the additional information when -e and -v is used. note: this changes the pflog header struct, rebuild all dependancies. ok bob@, henning@.
2005-05-26support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patchDaniel Hartmeier
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants. ok frantzen@, camield@
2005-05-25when an interface joins or leaves a group call back into pf so it canHenning Brauer
update the internal tables used for (ifgroup) notation
2005-05-23change pool allocation of table entries, no longer use the oldnointrDaniel Hartmeier
allocator and two pools, but PR_WAITOK when called from non-interrupt context (ioctl). add configurable hard limits for tables and table entries (set limit tables/table-entries), defaulting to 1000/100000. ok aaron@, henning@, mcbride@, art@
2005-05-23further cleanup: don't mimic ifnet and add hooks and the dohooks() stuff toHenning Brauer
pf's interface abstraction, just attahc a linked list of the dynaddrs to the respective kifs. makes things way easier and will be needed for the next step, ryan jajajaja
2005-05-22allow pf to match on interface groupsHenning Brauer
pass on mygroup ... markus ok
2005-05-21clean up and rework the interface absraction code big time, rip out multipleHenning Brauer
useless layers of indirection and make the code way cleaner overall. this is just the start, more to come... worked very hard on by Ryan and me in Montreal last week, on the airplane to vancouver and yesterday here in calgary. it hurt. ok ryan theo
2005-03-03when tagging, apply the same tag to all packets matching a state entryDaniel Hartmeier
(not just to the initial packet). note: kernel/userland abi change (rebuild pfctl). ok henning@
2005-01-30Add some more reason counters and use them instead of overloading theDaniel Hartmeier
'memory' one, which helps debugging. Alters the kernel/userland ABI, rebuild pfctl and tcpdump. ok henning@
2005-01-05Define defaults for the timeouts ensure consistency between kernelRyan Thomas McBride
and userland. ok henning@ dhartmei@
2004-12-22Introduce 'set skip on <ifspec>' to support a list of interfaces where noDaniel Hartmeier
packet filtering should occur (like loopback, for instance). Code from Max Laier, with minor improvements based on feedback from deraadt@. ok mcbride@, henning@
2004-12-10allow pf to filter on route labelsHenning Brauer
pass in from route dtag keep state queue reallyslow tested by Gabriel Kihlman <gk@stacken.kth.se> and Michael Knudsen <e@molioner.dk> and ryan ok ryan
2004-12-07re-commit mcbride@'s 'flush global', this time without the breakage inDaniel Hartmeier
pfvar.h. builds kernel and userland.
2004-12-07tree does not compile, spotted by dlg (not obvious how to fix)Theo de Raadt
---- Change the default for 'overload <table> flush' to flush only states from the offending source created by the rule. 'flush global' flushes all states originating from the offending source. ABI change, requires kernel and pfctl to be in sync. ok deraadt@ henning@ dhartmei@
2004-12-07Change the default for 'overload <table> flush' to flush only states from theRyan Thomas McBride
offending source created by the rule. 'flush global' flushes all states originating from the offending source. ABI change, requires kernel and pfctl to be in sync. ok deraadt@ henning@ dhartmei@
2004-12-04Add kernel code to keep track of tcp connections which have completedRyan Thomas McBride
the 3-way handshake. Allow limits on both total connections and connection rate, put offenders in a table which can be used in the ruleset, and optionally kill existing states. Rate tracking code from dhartmei@. Adds a second pool for table entries using the default allocator, which allows entries to be added at splsoftnet(). ok deraadt@ dhartmei@
2004-11-16Fix for PR3983Ryan Thomas McBride
- Add a new PFSTATE_STALE flag to uncompressed state updates sent as a result of a stale state being detected, and prevent updates with this flag from generating similar messages. - For the specific case where the state->src in the recieved update is ok but the state.dst is not, take the partial update, then "fail" to let the other peers pick up the better data that we have. From Chris Pascoe. ok dhartmei@
2004-09-21Implement "no scrub" to allow exclusion of specific traffic from scrub rules.Aaron Campbell
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok
2004-07-12remove PF_FORWARD (which was introduced by ipv6 reass-on-scrub).Jun-ichiro itojun Hagino
daniel found it.
2004-07-11backout IPv6 reass-on-scrub patch (more work needs to be done).Jun-ichiro itojun Hagino
requested by deraadt
2004-06-25re-introduce PF_INOUT and move PF_FORWARD def to the end.Jun-ichiro itojun Hagino
pfctl is assuming that the keyword == 0 in its parser! (see decl for "dir").
2004-06-25IPv6 reassembly on "scrub" directive.Jun-ichiro itojun Hagino
caveats: (to be addressed soon) - "scrub in" should queue fragments back into ip6intrq again, but somehow it does not happen - the packet is kept inside reass queue. need investigation - ip6_forwarding path is not tested - does not use red-black tree. somehow red-black tree behaved badly and was not robust. performance issue, the above one is more important. good things: - "scrub out" is perfectly ok - i think now we can inspect upper-layer protocol fields (tcp port) even if ip6 packet is fragmented. - reass queue will be cleaned up properly by timeout (60sec). we might want to impose pool limit as well
2004-06-21Get rid of pf_test_eh() wrapper.Ryan Thomas McBride
ok cedric@ henning@
2004-06-14Remove DIOCBEGINRULES, DIOCCOMMITRULES, DIOCBEGINALTQS, DIOCCOMMITALTQS,Cedric Berger
DIOCRINABEGIN, DIOCRINACOMMIT ioctls. Use DIOCXBEGIN/DIOCXCOMMIT/DIOCXROLLBACK instead. ok beck@ dhartmei@ henning@
2004-06-10rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reservedDaniel Hartmeier
keyword in C++. ok henning@, cedric@
2004-05-19Allow recursive anchors (anchors within anchors, up to 64Daniel Hartmeier
levels deep). More work required, but this is already functional. authpf users will need to adjust their anchor calls, but this will change again soon. ok beck@, cedric@, henning@, mcbride@
2004-05-11pf_cksum_fixup() was called without last argument from normalization,Daniel Hartmeier
also fixup checksum when random-id modifies ip_id. This would previously lead to incorrect checksums for packets modified by scrub random-id. From Pyun YongHyeon. ok cedric@
2004-05-05Use RFC1323 PAWS timestamps as a logical extension to the conventional TCPMike Frantzen
sequence numbers by taking advantage of the maximum 1KHz clock as an upperbound on the timestamp. Typically gains 10 to 18 bits of additional security against blind data insertion attacks. More if the TS Echo wasn't optional :-( Enabled with: scrub on !lo0 all reassemble tcp ok dhartmei@. documentation help from jmc@
2004-04-28make return-rst work on pure bridges. ok dhartmei@ henning@ mcbride@Cedric Berger
2004-04-27validate the sequence numbers on TCP resets are an exact match. check is onlyMike Frantzen
enabled when we're doing full frag reassembly and thus have full seq info ok markus@
2004-04-26anchor refcounting. ok dhartmei@ mcbride@Cedric Berger
2004-04-25get rid of a complete state tree walk at state expire while in splnet()Philipp Buehler
ok mcbride@ henning@
2004-04-24Add "probability xxx" rule modifier. ok deraadt@Cedric Berger
2004-03-22Support for best effort bulk transfers of states when pfsync syncif isRyan Thomas McBride
configured. This this allows pfsync+carp clusters to come up gracefully without killing active connections. pfsync now prevents carp from preempting to become master until the state table has sync'd. ABI change, any application which use struct pf_state must be recompiled. Reminded about this by Christian Gut. Thanks to beck@ cedric@ and dhartmei@ for testing and comments. ok deraadt@
2004-02-20Make pfsync deal with clearing states bound to a group or interface (egRyan Thomas McBride
pfctl -i fxp0 -Fs). Also don't send out individual state deletions if we're sending a clear message, move pfsync_clear_states() inside splnet, and fix if_pfsync.h includes in pf.c and pf_ioctl.c. ok cedric@ dhartmei@
2004-02-19Makes pfctl -Fs and pfctl -w works with the optional -i specifier.Cedric Berger
Kernel/Userland Sync needed. ok dhartmei@ jmc@ markus@ mcbride@
2004-02-19the 2nd round of the qid assignment change.Kenjiro Cho
make the semantics in line with the tag assignment, which simplifies the id management in pf. ok, henning@