Age | Commit message | Author

flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo
exact reverse of each other. if there is a mismatch don't establish the
link and print enough so that we should be able to find the culprit.
Found by LLVM/Clang Static Analyzer.
ok henning@ mpf@
ok canacar@
ok brad@
Malicious PPPoE discovery packets could cause the kernel to
crash.
From canacar@ and inspired by the original fix from NetBSD.
ok canacar@
pf_pkt_addr_changed. atm just clears the state key pointer.
calling this is cleaner than having other parts of the stack clearing
pointers in the pf part of the mbuf packet header directly.
ok mpf
unused mbuf pointer.
OK claudio@
soon.
ok henning@
ok brad@, mpf@, henning@, reyk@
- don't use in-kernel IFMEDIA ioctls in lacp and remove two KASSERTs
that caused reliable panics - the lacp key can be locally assigned and
we don't need to query the media subtype here.
- unbreak failover/loadbalance/broadcast status handling.
Reported by brad@
ok deraadt@
do not count address family field twice in tun's if_obytes stats.
ok henning@ reyk@ deraadt@ for the ethernet bits.
ok deraadt@ for the tun bits.
effectively disables state key linking and pcb linking - unfortunately,
there seems to be a bug somewhere in there or triggered by it that
we haven't tracked down yet, so we disable this for now to be on the safe
side for release.
lots of testing and analysis from todd and david.
route prios. playing safe for 4.4-release, as not all parts of the system
deal correctly with route prios yet. ok claudio
used w/out any trunkports. Patch from Dmitri Alenitchev.
OK reyk@
ensure that the next message is nicely aligned as well. Some archs (sparc, m88k)
have strict alignment issues since the inclusion of 64bit counters in the
messages because those values could end up on non aligned addresses.
Found and fix tested by miod@, OK deraadt@
and not on the routes with the right prio. So pick up the correct route by
calling rn_mpath_prio() first.
OK henning@
more, since they might have been invalidated and free'd.
one synproxy errorpath did so, however. just get the state keys from the
state itself. ok david mcbride
ok mcbride@ henning@
ok mcbride@ henning@
problem found by "Adrian M. Whatley" <amw> and "Stephan A. Rickauer"
<stephan.rickauer>, both @ni.phys.ethz.ch
fix by me, ok mpf
lists; prevents use of ports corresponding to well-known services.
replace a couple of arc4random()%N with arc4random_uniform(N) that
missed the first round.
ok mcbride@
state key is freed by pf_state_key_attach(). But in the case of NAT,
there are two state keys allocated, so we must free the second key
manually. Fixes a pf_state_key_pl leak seen in certain cases with
pfsync or with pf state-insert errors.
ok mcbride@ henning@
can be used and we return the state key back to the pool, don't insert
state items into the tailq using that garbage state key.
this makes things much happier for me.
ok henning@
that we can attach the state to, make sure to not overwrite the state key
pointer in the state that was just set to the existing state key with the
state key that was supplied with the state and just free'd (well, pool_put'd).
by the time we clean up the state and try to follow it to RB_REMOVE etc
we'd follow that garbage pointer to either an unrelated state key or the old
state key still sitting unused in the pool.
should fix the RB_REMOVE panics some people have been seeing.
"clearly ok, please commit" ryan
when we first do a pcb lookup and we have a pointer to a pf state key
in the mbuf header, store the state key pointer in the pcb and a pointer
to the pcb we just found in the state key. when either the state key
or the pcb is removed, clear the pointers.
on subsequent packets inbound we can skip the pcb lookup and just use the
pointer from the state key.
on subsequent packets outbound we can skip the state key lookup and use
the pointer from the pcb.
about 8% speedup with 100 concurrent tcp sessions, should help much more
with more tcp sessions.
ok markus ryan
ensure that the packet gets rewritten correctly first.
As usual, problem pointed out by david
ok henning
ok henning
for now add __sparc64__ to the list (ridiculous as it seems, but that is
the best we know to do so far)
ok miod
and the state-related pf(4) ioctls, and make functions in state creation and
destruction paths more robust in error conditions.
All values in struct pfsync_state now in network byte order, as with pfsync.
testing by david
ok henning, systat parts ok canacar
Not sure what's more surprising: how long it took for NetBSD to
catch up to the rest of the BSDs (including UCB), or the amount of
code that NetBSD has claimed for itself without attributing to the
actual authors.
OK deraadt@
address in the NATed state key for translation regardless of direction.
Report and testing by david@
for picking states to unlink as the tailq may contain unlinked states.
Fixes stateful filtering on enc0.
Problem report, testing, and ok david@
shielded twisted pair cables. this is an upcoming standard.
ok brad@
Problem report and testing by david@
state table reorg.
discussed with deraadt and henning, reminded by david
sk2 and reset sk2's link back to sk1
- we prefer u_int*_t over uint_*t.
- static is bad for debugging.
- header files should not contain functions.
Implementation from NetBSD. Ported via FreeBSD's version in trunk^Wlagg(4).
This is still work in progress. Tested with a HP ProCurve 3500.
OK reyk@
even the unicast address of the remote carp peer. this especially
helps when the multicast carp advertisements are causing problems in
the network (some crappy switches don't do well with multicast), there
are conflicts with VRRP, or the policy of the network does not allow
multicast (most Internet eXchange points didn't allow carped OpenBGP
routers because of the multicast advertisements).
discussed with many
ok mpf@
<net/bpf.h> header is not required here.
ok henning@
ok henning@
because it conflicted with the change he did in pf_if.c earlier.
He finally woke up to ok (well, ``yes'', really) this version now.
the allocations in uvm_km_thread, as long as they are PR_WAITOK and
all the memory hogs should be WAITOK in pf now.
"following your explanation, it's ok" henning@
PR_WAITOK | PR_LIMITFAIL. from discussion with art. ok ryan claudio thib