| Age | Commit message (Collapse) | Author |
|---|
|
Prevent pf_socket_lookup() reading uninitialised header buffers on fragments.
OK blum@ sashan@
|
|
just use pd->m. Then pf_test() can also operate on pd.m and set
the *m0 value in the caller just before it returns.
OK sashan@
|
|
pf functions. That means less parameters, more consistency and
later we can call functions that need a pd from pf_route().
OK sashan@
|
|
pfvar_priv.h. The pf_headers had to be defined in multiple .c files
before. In pfvar.h it would have unknown storage size, this file
is included in too many places. The idea is to have a private pf
header that is only included in the pf part of the kernel. For now
it contains pf_pdesc and pf_headers, it may be extended later.
discussion, input and OK henning@ procter@ sashan@
|
|
sending, needed soon. ok sashan mikeb lteo
|
|
|
|
|
|
Thanks mikeb@ for idea to add expire time.
OK mpi@, OK mikeb@
|
|
the additional clusters in the socket buffer and not elsewhere.
OK claudio@
|
|
optimise pf_patch_32(); simplify pf_match_addr()
OK mikeb@
|
|
when fiddling with packets but without the mess that motivated Henning to
remove it. Affects only this one aspect of Henning's checksum work. Also tweak
the basic algorithm and supply a correctness argument.
OK dlg@ deraadt@ sthen@; no objection henning@
|
|
|
|
|
|
OK mpi@ sashan@
|
|
this is the second attempt to get it in, the first
attempt got backed out on Jan 31 2016
the change also contains fixes contributed by Stefan Kempf
in earlier iteration.
OK srhen@
|
|
OK sthen@
|
|
- yet another tiny step towards MP PF. This time we need to make sure
statekey attached to packet stays around, while accepted packet is
routed through IP stack.
this time I'm also bringing fix contributed by Stefan Kempf. Stefan's fix
makes sure we grab reference in m_dup_pkthdr()
OK bluhm@
|
|
----------------------------------------------------------------------
revision 1.961
date: 2015/12/22 13:33:26; author: sashan; state: Exp; lines: +153 -44;
commitid: oBRhtWcDV0ThviVT;
- yet another tiny step towards MP PF. This time we need to make sure
statekey attached to packet stays around, while accepted packet is
routed through IP stack.
OK mpi@, henning@
----------------------------------------------------------------------
there have been multiple reports of KASSERT(!pf_state_key_isvalid(sk)) being
triggered without much effort, so back this out for now.
|
|
statekey attached to packet stays around, while accepted packet is
routed through IP stack.
OK mpi@, henning@
|
|
pf_inp_...() lookup, link and unlink functions as an interface.
Locking can be added to them later. Remove the first linking at
the beginning of tcp_input() and udp_input() as it is not necessary.
It will be done later anyway. That code was a relict, from the
time before I had added the second linking.
Input from mikeb@ and sashan@; OK sashan@
|
|
collide with the statekey to inp unlinking.
OK sashan@ mpi@
|
|
OK mpi@, bluhm@
|
|
the code is refactored so the IFQ macros call newly implemented ifq
functions. the ifq code is split so each discipline (priq and hfsc
in our case) is an opaque set of operations that the common ifq
code can call. the common code does the locking, accounting (ifq_len
manipulation), and freeing of the mbuf if the disciplines enqueue
function rejects it. theyre kind of like bufqs in the block layer
with their fifo and nscan disciplines.
the new api also supports atomic switching of disciplines at runtime.
the hfsc setup in pf_ioctl.c has been tweaked to build a complete
hfsc_if structure which it attaches to the send queue in a single
operation, rather than attaching to the interface up front and
building up a list of queues.
the send queue is now mutexed, which raises the expectation that
packets can be enqueued or purged on one cpu while another cpu is
dequeueing them in a driver for transmission. a lot of drivers use
IFQ_POLL to peek at an mbuf and attempt to fit it on the ring before
committing to it with a later IFQ_DEQUEUE operation. if the mbuf
gets freed in between the POLL and DEQUEUE operations, fireworks
will ensue.
to avoid this, the ifq api introduces ifq_deq_begin, ifq_deq_rollback,
and ifq_deq_commit. ifq_deq_begin allows a driver to take the ifq
mutex and get a reference to the mbuf they wish to try and tx. if
there's space, they can ifq_deq_commit it to remove the mbuf and
release the mutex. if there's no space, ifq_deq_rollback simply
releases the mutex. this api was developed to make updating the
drivers using IFQ_POLL easy, instead of having to do significant
semantic changes to avoid POLL that we cannot test on all the
hardware.
the common code has been tested pretty hard, and all the driver
modifications are straightforward except for de(4). if that breaks
it can be dealt with later.
ok mpi@ jmatthew@
|
|
If interface was specified in the packet only if-bound states
attached to this interface must be purged.
ok mpi, looked at by sasha@
|
|
always gets pointer to rule.
- pf_remove_src_node(): function should always remove matching src node,
regardless the sn->rule.ptr being NULL or valid rule
- sn->rule.ptr is never NULL, spotted by mpi and Richard Procter _von_ gmail.com
OK mpi@, OK mikeb@
|
|
which are routed on behalf route-to action.
OK bluhm@
|
|
to optimize for an INET-only kernel, as well as the fantasy unicorn
INET6-only kernel. (INET-only kernel still works)
prompted by deraadt
ok bluhm sashan
|
|
OK deraadt.
|
|
ok deraadt@, ok floarian@
|
|
This pseudo-option is a hack to support return-rst on bridge(4). It
passes Ethernet information via a "struct route" through ip_output().
"struct route" is slowly dying...
ok claudio@, benno@
|
|
Reshuffle the code around a bit and greatly improve error handling
fixing a few bugs along the way.
Problem reported by and fix was written with Alexandr Nedvedicky.
OK henning
|
|
there instead of pf_ioctl.c.
ok henning@
|
|
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.
Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesnt like it he can change it when he recovers from jet-lag"
(this file missed from previous commit, noticed by daniel@)
|
|
is a debug tool change of semantics not considered problematic.
up until now, log(matches) forced logging on subsequent matching rules,
the actual logging used the log settings from that matched rule.
now, log(matches) causes subsequent matches to be logged with the log settings
from the log(matches) rule. in particular (this was the driving point),
log(matches, to pflog23) allows you to have the trace log going to a seperate
pflog interface, not clobbering your regular pflogs, actually not affecting
them at all.
long conversation with bluhm about it, which didn't lead to a single bit
changed in the diff but was very very helpful. ok bluhm as well.
|
|
no real compat issue since we're using spare bytes.
old -> new ends up with set prio (0, 0) equivalent
new -> old is entirely harmless, old ignores the prios.
requested by Alexey Suslikov <alexey.suslikov at gmail>
ok phessler pelikan dlg
|
|
i. e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan
|
|
fixes some compiler warnings, tested by amd64 base build
ok beck
|
|
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy
|
|
with sys limits in scope, so use PATH_MAX instead.
ok millert guenther
|
|
|
|
This finally allows to use source-hash for dynamic loadbalancing, eg.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.
An older pre-siphash version of this diff was tested by many people.
OK tedu@ benno@
|
|
|
|
function pflog_bpfcopy() is setting up a packet description with
pf_setup_pdesc(). When pf_setup_pdesc() is droppig a bad packet,
it increments the the pf status counters. This way bad packets
could be accounted multiple times. Now pflog_bpfcopy() passes a
reason pointer NULL to indicate that no accounting should be done.
From Florian Riehm; OK henning@
|
|
anchors for "once" rules: "In case this is the only rule in the
anchor, the anchor will be destroyed automatically after the rule
is matched." Employ an additional pointer pair to keep track of
the parent ruleset containing the anchor that we want to remove.
OK henning
|
|
|
|
From Alexandr Nedvedicky <alexandr ! nedvedicky at oracle ! com>. Thanks!
|
|
ok pelikan@, henning@
|
|
while there, get rid of the altq ioctls and assciated now obsolete code
|
|
pfi_kif_get annotates the kif with a flag indicating it is the "any" match
pfi_kif_match obeys that flag
ok benno
|
|
|
