path: root/sys/net
Age  Commit message  (Author)
2008-09-09  welcome pflow(4), a netflow v5 compatible flow export interface.  (Henning Brauer)
flows export data gathered from pf states. initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many changes by me. 'put it in' theo
2008-09-03  before linking state keys compare them to verify they actually are the exact reverse of each other.  (Henning Brauer)
if there is a mismatch don't establish the link and print enough so that we should be able to find the culprit.
2008-09-02  remove dead stores and newly created unused variables.  (Charles Longeau)
Found by LLVM/Clang Static Analyzer. ok henning@ mpf@
2008-08-28  some style fixes.  (Brad Smith)
2008-08-28  Fix a typo in the naming of the PPPoE input queues, ppoe -> pppoe.  (Brad Smith)
ok canacar@
2008-08-28  encode the speed and link state in the local port key.  (Reyk Floeter)
ok brad@
2008-08-27  Fix length check when parsing PPPoE discovery phase packets.  (Brad Smith)
Malicious PPPoE discovery packets could cause the kernel to crash. From canacar@ and inspired by the original fix from NetBSD. ok canacar@
2008-08-26  introduce a function to be called when addressing information has changed, pf_pkt_addr_changed.  (Henning Brauer)
atm just clears the state key pointer. calling this is cleaner than having other parts of the stack clearing pointers in the pf part of the mbuf packet header directly.
2008-08-22  Make pf_print_host() print IPv6 addresses correctly.  (Alexander Bluhm)
ok mpf
2008-08-09  turn an MFREE() into an m_free() and garbage collect an unused mbuf pointer.  (Thordur I. Bjornsson)
OK claudio@
2008-08-07  Remove workaround used for the 4.4 release.  (Claudio Jeker)
More route prio stuff is coming soon.
2008-08-07  account spanning tree frames in if_obytes and if_omcasts.  (Damien Bergamini)
ok henning@
2008-08-07  do not touch m after IFQ_ENQUEUE()+if_start().  (Damien Bergamini)
ok brad@, mpf@, henning@, reyk@
2008-08-06  fix trunk breakage that sneaked in with the lacp diff:  (Reyk Floeter)
- don't use in-kernel IFMEDIA ioctls in lacp and remove two KASSERTs that caused reliable panics - the lacp key can be locally assigned and we don't need to query the media subtype here.
- unbreak failover/loadbalance/broadcast status handling.
Reported by brad@ ok deraadt@
2008-08-04  do not count ethernet header twice in if_obytes stats.  (Damien Bergamini)
do not count address family field twice in tun's if_obytes stats. ok henning@ reyk@ deraadt@ for the ethernet bits. ok deraadt@ for the tun bits.
2008-08-02  do not write the pf state key pointer to the pkhdr.  (Henning Brauer)
effectively disables state key linking and pcb linking - unfortunately, there seems to be a bug somewhere in there or triggered by it that we haven't tracked down yet, so we disable this for now to be on the safe side for release. lots of testing and analysis from todd and david.
2008-08-01  force route priority to RTP_DEFAULT unconditionally, effectively disabling route prios.  (Henning Brauer)
playing safe for 4.4-release, as not all parts of the system deal correctly with route prios yet. ok claudio
2008-07-30  Prevent a divide by zero panic if trunkproto loadbalance is used w/out any trunkports.  (Marco Pfatschbacher)
Patch from Dmitri Alenitchev. OK reyk@
2008-07-28  Align the route message length to the next natural boundary via ALIGN() to ensure that the next message is nicely aligned as well.  (Claudio Jeker)
Some archs (sparc, m88k) have strict alignment issues since the inclusion of 64bit counters in the messages because those values could end up on non aligned addresses. Found and fix tested by miod@, OK deraadt@
2008-07-28  Fix the tracking of RTF_MPATH.  (Claudio Jeker)
Until now the magic happened on the first route and not on the routes with the right prio. So pick up the correct route by calling rn_mpath_prio() first. OK henning@
2008-07-22  after pf_state_key_attach nothing must use the state keys passed to it any more, since they might have been invalidated and free'd.  (Henning Brauer)
one synproxy errorpath did so, however. just get the state keys from the state itself. ok david mcbride
2008-07-21  some whitespace cleanup I did while looking through the code  (David Krause)
ok mcbride@ henning@
2008-07-21  fix typo that broke rdr rules (without pass) with non-TCP/UDP/ICMP protocols  (David Krause)
ok mcbride@ henning@
2008-07-14  m_copy can return NULL, so check for it  (Henning Brauer)
problem found by "Adrian M. Whatley" <amw> and "Stephan A. Rickauer" <stephan.rickauer>, both @ni.phys.ethz.ch fix by me, ok mpf
2008-07-10  check pf NAT source port allocation against net.inet.(tcp|udp).baddynamic lists; prevents use of ports corresponding to well-known services.  (Damien Miller)
replace a couple of arc4random()%N with arc4random_uniform(N) that missed the first round. ok mcbride@
2008-07-10  In pf_state_insert(), if the first pf_state_key_attach() fails, the state key is freed by pf_state_key_attach().  (David Krause)
But in the case of NAT, there are two state keys allocated, so we must free the second key manually. Fixes a pf_state_key_pl leak seen in certain cases with pfsync or with pf state-insert errors. ok mcbride@ henning@
2008-07-05  in pf_state_key_attach(), when there is already an existing state key that can be used and we return the state key back to the pool, don't insert state items into the tailq using that garbage state key.  (David Krause)
this makes things much happier for me. ok henning@
2008-07-04  in pf_state_key_attach(), when we find that there already is a state key that we can attach the state to, make sure to not overwrite the state key pointer in the state that was just set to the existing state key with the state key that was supplied with the state and just free'd (well, pool_put'd).  (Henning Brauer)
by the time we clean up the state and try to follow it to RB_REMOVE etc we'd follow that garbage pointer to either an unrelated state key or the old state key still sitting unused in the pool. should fix the RB_REMOVE panics some people have been seeing. "clearly ok, please commit" ryan
2008-07-04  remove prototype for nonexistent function  (Henning Brauer)
2008-07-03  link pf state keys to tcp pcbs and vice versa.  (Henning Brauer)
when we first do a pcb lookup and we have a pointer to a pf state key in the mbuf header, store the state key pointer in the pcb and a pointer to the pcb we just found in the state key. when either the state key or the pcb is removed, clear the pointers. on subsequent packets inbound we can skip the pcb lookup and just use the pointer from the state key. on subsequent packets outbound we can skip the state key lookup and use the pointer from the pcb. about 8% speedup with 100 concurrent tcp sessions, should help much more with more tcp sessions. ok markus ryan
2008-07-01  Don't return immediately if we're actually passing the traffic, we want to ensure that the packet gets rewritten correctly first.  (Ryan Thomas McBride)
As usual, problem pointed out by david ok henning
2008-07-01  PF_DT_SKIP_STATETREE is no longer used.  (Ryan Thomas McBride)
ok henning
2008-06-29  this stupid per-arch SIZEOF_BPF_HDR define is really really stupid, but for now add __sparc64__ to the list (ridiculous as it seems, but that is the best we know to do so far)  (Theo de Raadt)
ok miod
2008-06-29  Simplify state creation code; merge state import/export code between pfsync and the state-related pf(4) ioctls, and make functions in state creation and destruction paths more robust in error conditions.  (Ryan Thomas McBride)
All values in struct pfsync_state now in network byte order, as with pfsync. testing by david ok henning, systat parts ok canacar
2008-06-26  First pass at removing clauses 3 and 4 from NetBSD licenses.  (Ray Lai)
Not sure what's more surprising: how long it took for NetBSD to catch up to the rest of the BSDs (including UCB), or the amount of code that NetBSD has claimed for itself without attributing to the actual authors. OK deraadt@
2008-06-26  Fix sticky-address on rdr; With the current nat code, we always use the same address in the NATed state key for translation regardless of direction.  (Ryan Thomas McBride)
Report and testing by david@
2008-06-22  Revert 1.203; it's not safe to blindly walk the tailq instead of the rbtree for picking states to unlink as the tailq may contain unlinked states.  (Ryan Thomas McBride)
2008-06-21  Only do state key linking on the outbound path.  (Ryan Thomas McBride)
Fixes stateful filtering on enc0. Problem report, testing, and ok david@
2008-06-19  add 10GbaseT media type, 10 Gigabit Ethernet over CAT 6 unshielded or shielded twisted pair cables.  (Reyk Floeter)
this is an upcoming standard. ok brad@
2008-06-19  Fix handling check for NAT and creation of a second pf_state_key in pfsync.  (Ryan Thomas McBride)
Problem report and testing by david@
2008-06-17  Crank PFSYNC_VERSION, lots has changed in struct pfsync_state due to the state table reorg.  (Ryan Thomas McBride)
discussed with deraadt and henning, reminded by david
2008-06-16  when freeing a state key sk1, look whether it is linked to another state key sk2 and reset sk2's link back to sk1  (Henning Brauer)
2008-06-15  A bit of cleanup:  (Marco Pfatschbacher)
- we prefer u_int*_t over uint*_t.
- static is bad for debugging.
- header files should not contain functions.
2008-06-15  Add 802.3ad LACP support for trunk(4).  (Marco Pfatschbacher)
Implementation from NetBSD. Ported via FreeBSD's version in trunk^Wlagg(4). This is still work in progress. Tested with a HP ProCurve 3500. OK reyk@
2008-06-14  add carppeer; an option to specify a different multicast address or even the unicast address of the remote carp peer.  (Reyk Floeter)
this especially helps when the multicast carp advertisements are causing problems in the network (some crappy switches don't do well with multicast), there are conflicts with VRRP, or the policy of the network does not allow multicast (most Internet eXchange points didn't allow carped OpenBGP routers because of the multicast advertisements). discussed with many ok mpf@
2008-06-14  Remove NBPFILTER conditional since we do not include "bpfilter.h" and the <net/bpf.h> header is not required here.  (Joel Sing)
ok henning@
2008-06-14  Include "pflog.h" so that we get NPFLOG.  (Joel Sing)
ok henning@
2008-06-14  Also do the PR_ZERO dance here.  (Michael Knudsen)
This was held back on Henning's request because it conflicted with the change he did in pf_if.c earlier. He finally woke up to ok (well, ``yes'', really) this version now.
2008-06-14  There's no more reason to use oldnointr allocator here since we pace the allocations in uvm_km_thread, as long as they are PR_WAITOK and all the memory hogs should be WAITOK in pf now.  (Artur Grabowski)
"following your explanation, it's ok" henning@
2008-06-14  pool_get()s not in interrupt context should not be PR_NOWAIT, but PR_WAITOK | PR_LIMITFAIL.  (Henning Brauer)
from discussion with art. ok ryan claudio thib