Age | Commit message | Author

Change semantics of scrub option 'no-df' slightly: if the option is used,
it now also applies to _fragments_ with IP_DF set, not just to complete
packets. Hence, adding 'no-df' to 'scrub in all fragment reassemble'
allows IP_DF to be cleared from fragments, so they don't get dropped but
reassembled.
This affects several UDP protocols that used PMTU discovery, mostly
Linux' NFS implementation. In short, if you have 'scrub in all' now,
you probably want to change that to 'scrub in all no-df', unless you
want to drop fragments with IP_DF set (some people have good reasons
to do the latter, hence the non-default option).
ok frantzen@, henning@, cedric@
ok cedric, jason, theo
pfctl.
ok dhartmei@
- pass back a pointer to state created in pf_test_{tcp|udp|icmp|other}()
so that pf_route()/pf_route6() can peek at it.
- put the PACKET_TAG_PF_ROUTED tag onto the packets _before_ we call
pf_test()/pf_test6() again to prevent looping.
- Call pf_test6() in pf_route6() instead of pf_test() for obvious reasons.
ok dhartmei@
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@
struct pf_pooladdr *cur. It was being used incorrectly in the
round-robin case, which meant that the previous address was being selected,
rather than the real current one.
ok dhartmei@
Fix multicast bug; internal multicast members' list was not initialized
correctly. Also, begin to make vlan less ether specific - TR and FDDI
could also be supported.
combination with translations was too broad and broke some
more complex setups (creating two states for one connection on
two interfaces, using modulate state for each, and additionally
using route-to/reply-to on one of them), so narrow it to the
cases where it's needed. Reported by henric@.
and drop packets with invalid checksums. Without such a check, pf would
return RST/ICMP errors even for packets with invalid checksums, which
could be used to detect the presence of the firewall, reported by
"Ed White" in http://www.phrack.org/phrack/60/p60-0x0c.txt.
To minimize the cost of checksum calculations, mbuf flags set by
network interfaces capable of hardware checksumming are honoured,
and set when pf performs the calculation, so the TCP/IP stack itself
will not repeat the calculation for the same packet later on.
ok mcbride@ and henning@
handshake. Solves the issues with the "ACK+1000000 cookie scheme",
which depends on RFC 763 (p39, Reset Generation, 2. non-synchronized
state, "reset is sent"). ok henning@, camield@ and (I guess ;)
frantzen@
Stop overloading PF_OP_RRG as a flag where it doesn't make sense, and
makes the port mapping more flexible, allows mapping a destination port range
of one size to another of a different size.
Fixes and additional testing courtesy of dhartmei@
ok dhartmei@
overlap calculation got negative. Found by Baruch Even. ok henning@
copies the data to the specified buffer. So, for TCP options, provide
a sufficiently large buffer and copy it there.
doing it later can invalidate pointers to mbuf data. This fixes subtle
breakage just introduced (with 1.306).
Interestingly, our own stack uses wscale 1 quite regularly, and I now
suspect that this is what caused most of the state failures I've seen.
They were quite rare, but with working wscale support, they are reduced
even more. ok henning@
This only happens when using nat/rdr/binat on IPv6 connections, which
hasn't been used before, obviously. But it does work now.
Reported and confirmed by evilted@efnet, ok mcbride@
inspired by Thorsten Glaser via fries@
ok theo
pointed out in advance by dhartmei@
correctly. Also remove some extra cruft in pf_get_sport related to the
"static-port" behaviour.
bug report from mpech@ and form@
testing cedric@
"looks sane to me" henning@
ok dhartmei@
table <foo> { 1.2.3.4 1.2.3.4 1.2.3.4 }
Was causing the kernel to become noisy.
Now duplicates are silently rejected.
referenced or inactive set. Flags were not updated correctly.
Tested on i386, sparc64. More regression tests coming.
Makes code more readable.
Removes "_" from pool names.
Regression tests for memory allocation coming soon....
- Reject invalid CIDR networks (1.2.3.4/16 & friends).
- Only allow values 0 or 1 for the "neg" flag.
- Require all unused data to be set to 0 in pfr_addr and pfr_table.
- Always check the return value of pfr_route_entry().
- Remove redundant kernel messages.
Tested on i386, sparc64. Pass my (uncommitted) regression tests.
the "negated" attribute of an address. The previous behaviour was incorrect
in both cases (too strict for the add command and too permissive for the
delete command).
ok dhartmei@
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@
ok henning@, deraadt@
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@
ok dhartmei@
name. ok henning@, mcbride@, cedric@
ok henning@, mcbride@
interface is LEARNING not the destination.
2) add new PFR_FLAG_REPLACE for use by pfr_tst_addrs().
3) add new pfrio_nmatch alias to pfioc_table, set by pfr_tst_addrs().
Tested on i386, sparc64
ok fgsch@ dhartmei@ henning@