Age | Commit message (Collapse) | Author |
|
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@
|
|
ok dlg
|
|
|
|
Found by parfait.
ok henning@
|
|
requested by deraadt@
|
|
OK deraadt
|
|
supported it doesn't do any harm), so put the KNOTE() in selwakeup() itself and
remove it from any occurences where both are used, except one for kqueue itself
and one in sys_pipe.c (where the selwakeup is under a PIPE_SEL flag).
Based on a diff from tedu.
ok deraadt
|
|
so that a bridge-etherip-tunnel host can join into the bridge itself.
It is ridiculous that this capability was missing from our network
stack portfolio, considering we have bgp and ospf daemons...
discussed at length with claudio
|
|
tested by phessler@ pyr@
ok claudio@
"go ahead" deraadt@
|
|
everything just more complicated. Make sure the structs align nicely.
OK deraadt@
|
|
tables on top of a rdomain) but until now our code was a crazy mix so that
it was impossible to correctly use rtables in that case. Additionally pf(4)
only knows about rtables and not about rdomains. This is especially bad when
tracking (possibly conflicting) states in various domains.
This diff fixes all or most of these issues. It adds a lookup function to
get the rdomain id based on a rtable id. Makes pf understand rdomains and
allows pf to move packets between rdomains (it is similar to NAT).
Because pf states now track the rdomain id as well it is necessary to modify
the pfsync wire format. So old and new systems will not sync up.
A lot of help by dlg@, tested by sthen@, jsg@ and probably more
OK dlg@, mpf@, deraadt@
|
|
reminded by STeve Andre.
|
|
splitting things out into a seperate pool.
Problem noticed and fix tested by sthen@
ok claudio@
|
|
which unbreaks ie route-to after the recent pf changes.
With much help debugging and pointing out of missing bits from claudio@
ok claudio@ "looks good" henning@
|
|
like dhcpd/dhclinet can send packets out of interfaces in other rdomains
without hitting the check in ether_output().
With and ok phessler@
|
|
`OK' claudio
|
|
the mbuf got leaked when detaching an interface, spotted by theo.
fixed by me, diff refined by theo
eyeballed by claudio@
'go ahead, commit this' by theo@
|
|
destination of a packet was changed by pf. This allows for some evil
games with rdr-to or nat-to but is mostly needed for better rdomain/rtable
support. This is a first step and more work and cleanup is needed.
Here a list of what works and what does not (needs a patched pfctl):
pass out rdr-to:
from local rdr-to local addr works (if state tracking on lo0 is done)
from remote rdr-to local addr does NOT work
from local rdr-to remote works
from remote rdr-to remote works
pass in nat-to:
from remote nat-to local addr does NOT work
from remote nat-to non-local addr works
non-local is an IP that is routed to the FW but is not assigned on the FW.
The non working cases need some magic to correctly rewrite the incomming
packet since the rewriting would happen outbound which is too late.
"time to get it in" deraadt@
|
|
statements operating as a whitelist, taking care to allow af 0 (which is
the wildcard value in pf rules)
diff from Vadim Zhukov
ok henning
|
|
- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.
The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).
The pf syntax is pretty simple, e.g.:
pass on em0 inet proto tcp from any to any port 80 divert-packet port 1
A lot of discussion have happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who spotted out which are the limitations of this approach.
OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.
discusses with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@
|
|
into something usable by ioctl. makes DIOCADDSTATE on /dev/pf cope
when inserting an already existing state.
|
|
Reported and fix tested by weerd@, ok claudio@
|
|
The RTM_VERSION bump is 2 years ago and so there is no need for this.
Diff made by tedu@ some time ago but got never commited so I do it now.
|
|
starts in a timeout handler which runs at a lower spl.
This fixes the problems with lacp trunks where some interfaces suddenly
fail for no obvious reason. Problem report and fix tested by Stephan A.
Rickauer. OK henning, reyk, mpf
|
|
below splnet() is a good recipe for doom.
OK henning, reyk, mpf
|
|
add break in the last case block
|
|
PF_ANEQ call in pf_test_state_other in the IPVshit case used AF_INET, found
by claudio
|
|
if_media. This makes link state tracking a lot easier as there is no need
to convert if types to if_media types, etc. Additionally this allows us
to extend the link states to include states tracked on higher protocol layers.
gre(4) keepalives packets, bfd and udld can be implemented without ugly hacks.
OK henning, michele, sthen, deraadt
|
|
API function directly to lacp_input() to simplify the code path.
ok mpf@
|
|
Sorry.
|
|
- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.
The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).
The pf syntax is pretty simple, e.g.:
pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000
test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.
|
|
ok canacar
|
|
|
|
Issue reported by Matthew Dempsky. Same fix suggested by fgsch@.
ok henning@
|
|
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, seperate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too
|
|
the one planned to remove. Do this by going through the dupedkey list
looking for the right ifa. Problem found by and OK dlg, OK henning
|
|
the resized buffer.
From Pawel Jakob Dawidek via Max Laier via Marc Balmer via tech@.
As was the previous commit where I didn't mention Pawel.
'should be olright' henning@
|
|
It currently doesn't compile and this is unlikely to change
as there are many alternatives now since we no longer live
in the early 1990s and Metricom went bankrupt some time ago.
ok many @
|
|
not the other way. At least partial fix for interfaces with >64
aliases. From Max Laier via Marc Balmer.
'seems right' sthen@ ok markus@
|
|
removed in pfsync v5.
|
|
running out of mbufs for rx rings.
if the system low watermark is lower than a rx rings low watermark,
we'll never send a packet up the stack, we'll always recycle it.
found by thib@ on a bge
sadface
|
|
which does pay out, performance wise. one of the conditions to call the
interfaces' if_start routine immediately was "send queue is full".
on a very busy (hammered) machine this will itroduce too much latency
since we spend almost all cpu time in interrupt handlers and softnet,
so the softint actually doing the if_start gets called to seldom and
the queue full check is what triggers the actual transmit.
change the logic to call if's if_start routing immediately when there are
at least 8 packets (or in case if maxlen being smaller than 8, maxlen)
8 chose because it shows best performance in my test setup here.
ok dlg
|
|
to free some for use on the rx rings on network cards.
this modifies m_cluncount to advise callers when we're in such a
situation, and makes them responsible for freeing up the cluster
for allocation by MCLGETI later.
fixes an awesome lockup with sis(4) henning has been experiencing.
this is not the best fix, but it is better than the current situation.
yep deraadt@ tested by henning@
|
|
functions are called, which will turn off DMA. Receiving packets into
your memory after a system reboot is pretty nasty. This will also mean
that the shutdown hooks can go; this solution is smaller.
ok henning miod dlg kettenis
|
|
done in ether_input() but L3 traffic needs to do it self.
|
|
between layer 2 and 3 tunneling mode.
OK claudio@, markus@
|
|
ok mpf@
|
|
even though adding an already existing routing table is not allowed.
Leak found by blambert@, fix by myself. OK blambert@
|
|
1) at least one match rule matched the packet and
2) we do not create state
found by me while fixing the pool_get problem, ok dlg
|
|
introduced by yours truly (no idea how that could happpen), problem
found by sthen the hard way, fix by me. ok dlg
|