summaryrefslogtreecommitdiff
path: root/sys/net/pfvar.h
AgeCommit message (Collapse)Author
2018-09-13Add reference counting for inet pcb, this will be needed when weAlexander Bluhm
start locking the socket. An inp can be referenced by the PCB queue and hashes, by a pf mbuf header, or by a pf state key. OK visa@
2018-09-11- moving state look up outside of PF_LOCK()Alexandr Nedvedicky
this change adds a pf_state_lock rw-lock, which protects consistency of state table in PF. The code delivered in this change is guarded by 'WITH_PF_LOCK', which is still undefined. People, who are willing to experiment and want to run it must do two things: - compile kernel with -DWITH_PF_LOCK - bump NET_TASKQ from 1 to ... sky is the limit, (just select some sensible value for number of tasks your system is able to handle) OK bluhm@
2018-09-10Limit the fragment entry queue length to 64 per bucket. So we haveAlexander Bluhm
a global limit of 1024 fragments, but it is fine grained to the region of the packet. Smaller packets may have less fragments. This costs another 16 bytes of memory per reassembly and devides the worst case for searching by 8. requestd by claudio@; OK sashan@ claudio@
2018-09-08Split the pf(4) fragment reassembly queue into smaller parts.Alexander Bluhm
Remember 16 entry points based on the fragment offset. Instead of a worst case of 8196 list traversals we now check a maximum of 512 list entries or 16 array elements. discussed with claudio@ and sashan@; OK sashan@
2018-07-22Fix arguments of pf_purge_expired_{src_nodes,rules}()Stefan Fritsch
Due to the missing "void", this extern void pf_purge_expired_src_nodes(); is no prototype but a declaration. It is enough to suppress the 'implicit declaration' warning but it does not allow the compiler to check the arguments passed to the calls of the function. Fix the prototypes and don't pass the waslocked argument anymore. It has been removed a year ago. ok sashan henning
2018-07-11provide pfi_group_addmember(), which makes the new member interface inheritHenning Brauer
set flags from the group. ok phessler benno
2018-07-10The year is 2018.Henning Brauer
Mercury, Bowie, Cash, Motorola and DEC all left us. Just pf still has a default state table limit of 10000. Had! Now it's a tiny little bit more, 100k. lead guitar: me ok chorus: phessler theo claudio benno background school girl laughing: bob
2018-07-10provide a generic packet delay functionality. packets to be delayed are markedHenning Brauer
by pf in the packet header. pf_delay_pkt reads the delay value from the packet header, schedules a timeout and re-queues the packet when the timeout fires. ok benno sashan
2018-06-18Refactor the six ways to find TCP options into one new function. As a result:Richard Procter
- MSS and WSCALE option candidates must now meet their min type length. - 'max-mss' is now more tolerant of malformed option lists. These changes were immaterial to the live traffic I've examined. OK sashan@ mpi@
2018-04-05Zap the obsolete PF_TRANS_ALTQ.Lawrence Teo
Note: Remember to "make includes" and recompile the following programs together with the kernel: sbin/pfctl usr.sbin/authpf usr.sbin/ftp-proxy usr.sbin/relayd usr.sbin/tftp-proxy Thanks to sthen@ for checking the ports tree. ok bluhm@ sashan@ visa@
2018-02-09oh carp - i didnt mean to commit theseDavid Gwynne
2018-02-09use struct in_addr to represent an address.David Gwynne
2018-02-08make the watermarks/thresholds for entering and leaving syncookie mode whenHenning Brauer
syncookies are set to adaptive tunable, ok claudio benno
2018-02-08add DIOCGETSYNFLWATS to get current synflood detection watermarks,Henning Brauer
ok claudio benno procter
2018-02-07provide counters for # of synfloods detected, # of syncookies sent,Henning Brauer
# of syncookies successfuly validated, ok phessler
2018-02-06syncookies for pf.Henning Brauer
when syncookies are on, pf will blindly answer each and every SYN with a syncookie-SYNACK. Upon reception of the ACK completing the 3WHS, pf will reconstruct the original SYN, shove it through pf_test, where state will be created if the ruleset permits it. Then massage the freshly created state (we won't see the SYNACK), set up the sequence number modulator, and call into the existing synproxy code to start the 3WHS with the backend host. Add an - somewhat basic for now - adaptive mode where syncookies get enabled if a certain percentage of the state table is filled up with half-open tcp connections. This makes pf firewalls resilient against large synflood attacks. syncookies are off by default until we gained more experience, considered experimental for now. see http://bulabula.org/papers/2017/bsdcan/ for more details. joint work with sashan@, widely discussed and with lots of input by many
2017-12-29Make the functions which link the pf state keys to mbufs, inpcbs,Alexander Bluhm
or other states more consistent. OK visa@ sashan@ on a previous version
2017-11-28The divert structure was using the port number to indicate thatAlexander Bluhm
divert-to or divert-reply was active. If the address was also set, it meant divert-to. Divert packet used a separate structure. This is confusing and makes it hard to add new features. It is better to have a divert type that explicitly says what is configured. Adapt the pf rule struct in kernel and pfctl, no functional change. Note that kernel and pfctl have to be updated together. OK sashan@
2017-11-27The divert structure was using the port number to indicate thatAlexander Bluhm
divert-to or divert-reply was active. If the address was also set, it meant divert-to. Divert packet used a separate structure. This is confusing and makes it hard to add new features. It is better to have a divert type that explicitly says what is configured. Convert the pfctl(8) rule parser to divert types, kernel cleanup will be the next step. OK sashan@
2017-11-13add a generic packet rate matching filter. allows things likeHenning Brauer
pass in proto icmp max-pkt-rate 100/10 all packets matching the rule in the direction the state was created are taken into consideration (typically: requests, but not replies). Just like with the other max-*, the rule stops matching if the maximum is reached, so in typical scenarios the default block rule would kick in then. with input from Holger Mikolon ok mikeb
2017-09-05- split pf_find_or_create_ruleset() to smaller chunks.Alexandr Nedvedicky
tested by Hrvoje OK mpi@, OK bluhm@
2017-08-14move pf_get_wscale + pf_get_mss prototypes to pfvar.h (diff shrinkage)Henning Brauer
2017-08-14add half-open tcp states accounting, road paved by sashanHenning Brauer
increment in pf_create_state(), decrement in pf_set_protostate(). input & ok bluhm
2017-08-13to change a state's state (that term is overloaded in pf, protocol stateHenning Brauer
like ESTABLISHED for tcp here), don't do it directly, but go through a newly introduced pf_set_protostate() ok bluhm benno
2017-08-06Reduce contention on the NET_LOCK() by moving the logic of the pfpurgeMartin Pieuchot
thread to a task running on the `softnettq`. Tested and inputs from Hrvoje Popovski. ok visa@, sashan@
2017-07-19Rework HFSC vs FQ-CoDel checksMike Belopuhov
The selection mechanism introduced in pf_ioctl.c -r1.316 suffers from being too ambiguous and lacks robustness. Instead of relying on composition of multiple flags in the queue specification, it's easier to identify the root class (if it exists) and derive all further checks from it.
2017-06-28Introduce a simple mechanism to select the appropriate queue managerMike Belopuhov
Discussed with and OK henning@ at d2k17 as a part of a larger diff.
2017-06-28Extend pf queueing ops to include queue manager hooksMike Belopuhov
Discussed with and OK henning@ at d2k17 as a part of a larger diff.
2017-06-26Fragments for a single connection (a combination of proto,src,dst,af)Alexander Bluhm
may easily reuse the fragment id as it is only 16 bit for IPv4. To avoid that pf reassembles them into the wrong packet, throw away stale fragments. With the default timeout this happens after 12,000 newer fragements have been seen. from markus@; OK sashan@
2017-05-30remove XXX from the comments marking "holes" in the ioctls. I see veryHenning Brauer
very little value in these comments at all, but the XXX is just wrong and in the way when looking for real XXXs. phessler agrees
2017-05-30g/c DIOCCLRRULECTRSHenning Brauer
kinda deprecated for a decade now, nothing in base uses it, nothing in ports uses it (thanks sthen) ok phessler sashan
2017-05-30teach pf_build_tcp() about SACK, ok & with sashanHenning Brauer
2017-05-28Fix bad white spaces, wrap long lines, kill some empty lines.Alexander Bluhm
2017-05-15Enable the NET_LOCK(), take 3.Martin Pieuchot
Recursions are still marked as XXXSMP. ok deraadt@, bluhm@
2017-05-15Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)Mike Belopuhov
OK sthen, visa
2017-05-02Provide pluggable queueing interface for pfMike Belopuhov
By hiding H-FSC behind pfq_ops structure similar to the ifq_ops, we provide a possibility to plug alternative queueing interfaces for use in pf. This reduces amount of H-FSC specific code in the pf ioctl handler While here, change the the order of elements in hfsc_class_stats to provide some compatibility between queue stat structures of different traffic conditioners. No objections from henning@, ok sthen@
2017-03-17Revert the NET_LOCK() and bring back pf's contention lock for release.Martin Pieuchot
For the moment the NET_LOCK() is always taken by threads running under KERNEL_LOCK(). That means it doesn't buy us anything except a possible deadlock that we did not spot. So make sure this doesn't happen, we'll have plenty of time in the next release cycle to stress test it. ok visa@
2017-02-22Amend a misleading comment mentioning ``ipintrq''.Martin Pieuchot
2017-01-30removes the pf_consistency_lock and protects the users withSebastian Benoit
NET_LOCK(). pfioctl() will need the NET_LOCK() anyway. So better keep things simple until we're going to redesign PF for a MP world. fixes the crash reported by Kaya Saman. ok mpi@, bluhm@
2017-01-24A space here, a space there. Soon we're talking real whitespaceKenneth R Westerback
rectification.
2016-12-29In pf_refragment6() use the valid route from pf_route6() insteadAlexander Bluhm
of calling rtalloc() again. OK mpi@
2016-11-22Fold union pf_headers buffer into struct pf_pdesc (enabled by pfvar_priv.h).Richard Procter
Prevent pf_socket_lookup() reading uninitialised header buffers on fragments. OK blum@ sashan@
2016-11-14Instead of passing an extra mbuf pointer to pf_route(), it shouldAlexander Bluhm
just use pd->m. Then pf_test() can also operate on pd.m and set the *m0 value in the caller just before it returns. OK sashan@
2016-10-27Pass a struct pf_pdesc to pf_route() like it is done in the otherAlexander Bluhm
pf functions. That means less parameters, more consistency and later we can call functions that need a pd from pf_route(). OK sashan@
2016-10-26Put union pf_headers and struct pf_pdesc into separate header fileAlexander Bluhm
pfvar_priv.h. The pf_headers had to be defined in multiple .c files before. In pfvar.h it would have unknown storage size, this file is included in too many places. The idea is to have a private pf header that is only included in the pf part of the kernel. For now it contains pf_pdesc and pf_headers, it may be extended later. discussion, input and OK henning@ procter@ sashan@
2016-10-18split pf_send_tcp() into the part that builds the mbuf and the actualHenning Brauer
sending, needed soon. ok sashan mikeb lteo
2016-09-27roll back turning RB into RBT until i get better at this process.David Gwynne
2016-09-27move pf from the RB macros to the RBT functions.David Gwynne
2016-09-03Let purge thread to remove once rules, not packets.Alexandr Nedvedicky
Thanks mikeb@ for idea to add expire time. OK mpi@, OK mikeb@
2016-09-03Reduce the factor of the limits derived form NMBCLUSTERS. We wantAlexander Bluhm
the additional clusters in the socket buffer and not elsewhere. OK claudio@