Age | Commit message | Author |
|
code. In pf rtableid == -1 means don't change the rtableid because
of this rule. So it has to be signed int there. Before the value
is passed from pf to route it is always checked to be >= 0. Change
the type to int in pf and to u_int in netinet and netinet6 to make
the checks work. Otherwise -1 may be used as an array index and
the kernel crashes.
ok henning@
|
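The signed/unsigned mix-up that the commit above fixes, shown as an added C illustration rather than pf or netinet code: a hypothetical rule struct with an `unsigned int` rtableid makes the `>= 0` guard for the -1 sentinel a dead check, so the sentinel travels on as a huge index, while the `int` field plus an explicit upper-bounds check on the unsigned consumer side rejects it. RTABLE_KEEP, NRTABLES, the struct layouts and the function names are all assumptions made up for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed example, not pf or netinet code. */
#define RTABLE_KEEP  (-1)   /* pf's sentinel: "don't change the rtableid" */
#define NRTABLES     4      /* assumed: pretend the kernel has 4 routing tables */

/* Hypothetical rule layouts: the buggy unsigned field and the fixed signed one. */
struct rule_unsigned { unsigned int rtableid; };
struct rule_signed   { int rtableid; };

/*
 * Does the `>= 0` guard actually stop the -1 sentinel?
 * With an unsigned field, -1 is stored as UINT_MAX, the comparison is
 * always true, and the sentinel flows on as a huge array index.
 */
bool
guard_stops_sentinel_unsigned(void)
{
	struct rule_unsigned r;

	r.rtableid = RTABLE_KEEP;          /* wraps to 4294967295 */
	return !(r.rtableid >= 0);         /* dead check: always passes */
}

bool
guard_stops_sentinel_signed(void)
{
	struct rule_signed r;

	r.rtableid = RTABLE_KEEP;
	return !(r.rtableid >= 0);         /* sentinel is filtered */
}

/* Consumer side (stands in for netinet/netinet6): u_int with a bounds check. */
static const char *rtable_names[NRTABLES] = { "rt0", "rt1", "rt2", "rt3" };

const char *
lookup_rtable(unsigned int rtableid)
{
	if (rtableid >= NRTABLES)
		return NULL;               /* refuse instead of indexing past the array */
	return rtable_names[rtableid];
}

/* Producer side (stands in for pf): signed, so -1 can actually be tested for. */
const char *
apply_rule_rtable(int rule_rtableid, const char *current)
{
	const char *chosen;

	if (rule_rtableid < 0)
		return current;            /* -1: leave the packet's table alone */
	chosen = lookup_rtable((unsigned int)rule_rtableid);
	return chosen != NULL ? chosen : current;
}
```

A compiler with -Wextra flags the unsigned comparison as always true, which is exactly the warning that points at the original bug; the fix keeps the sentinel signed on the producer side and lets the consumer bounds-check an unsigned index.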
|
the splnet calls and the extra splx(s)s necessary for it to be safe.
bug found by sthen@
|
|
all the other protocols is simply pushing the timeouts along which has a
resolution of 1 second, so it isn't going to be hurt by pfsync taking up
to a second to send it over.
keep track of updates on tcp still though, their windows need constant
attention.
tested by sthen@
|
|
us relying on where we are setting it. ok ryan dlg
|
|
turned up in pf_icmp_state_lookup.
ok sthen@
|
|
It is now possible to change routes' MPLS parameters via route change.
ok laurent@, ok and input claudio@
|
|
ever try to apply options from the anchor rule if it was the last matching
one but the last matching real rule. it is right but despite begging nobody
has the balls to ok it ;(
|
|
since the DIOCSETREASS ioctl is called on every ruleset load and was
overriding the initial setting in pfattach(). Fix setting of the global
no-df bitmask as well.
ok henning@
|
|
correctly inherit queue stuff, tag, rtableid from the rule if we have no
state
some logic simplification and removal of redundant checks
ok dlg
|
|
|
|
|
|
all other code do. Should fix pr 6121.
ok henning@
|
|
specifically crafted IP datagram.
Problem noted by Sebastian Rother.
ok henning@ mcbride@ sthen@
|
|
new stuff asserting copyright is in order
|
|
not do fragment reassembly. discussed with dlg and ryan in basel.
ok ryan dlg sthen jdixon todd deraadt
|
|
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more so the more scrub rules
were in use.
manpage not up to date, being worked on.
|
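The evaluation order the commit message above spells out (match rules apply their options every time they match, the last matching pass or block rule decides the verdict and contributes its own options last, and every matching rule with log counts as a separate log event), as an added C model that is not pf's code. The `proto` selector, the `OPT_UNSET` marker and the example rule sets are constructed for the illustration; real pf matches on far more than a protocol number.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the match/pass/block semantics above; not pf's code. */
enum action { ACT_MATCH, ACT_PASS, ACT_BLOCK };
#define OPT_UNSET (-1)

struct rule {
	enum action act;
	int  proto;     /* assumed selector: 0 matches any protocol */
	int  queue;     /* OPT_UNSET means the rule sets no queue */
	int  rtableid;  /* OPT_UNSET means the rule sets no rtable */
	bool log;
};

struct verdict {
	enum action final;  /* from the last matching pass/block rule */
	int  queue;         /* last rule that set it wins */
	int  rtableid;
	int  log_count;     /* every matching rule with log counts once */
};

struct verdict
evaluate(const struct rule *rs, size_t n, int pkt_proto, enum action deflt)
{
	struct verdict v = { deflt, OPT_UNSET, OPT_UNSET, 0 };
	const struct rule *last_pb = NULL;
	size_t i;

	for (i = 0; i < n; i++) {
		const struct rule *r = &rs[i];

		if (r->proto != 0 && r->proto != pkt_proto)
			continue;
		if (r->act == ACT_MATCH) {
			/* match rules apply their options every time they match */
			if (r->queue != OPT_UNSET)
				v.queue = r->queue;
			if (r->rtableid != OPT_UNSET)
				v.rtableid = r->rtableid;
			if (r->log)
				v.log_count++;
		} else {
			/* pass/block: only the last matching one decides */
			last_pb = r;
		}
	}
	if (last_pb != NULL) {
		v.final = last_pb->act;
		if (last_pb->queue != OPT_UNSET)
			v.queue = last_pb->queue;
		if (last_pb->rtableid != OPT_UNSET)
			v.rtableid = last_pb->rtableid;
		if (last_pb->log)
			v.log_count++;
	}
	return v;
}

/* "pass" followed by "match": the packet still passes, options come from match. */
struct verdict
example_pass_then_match(void)
{
	static const struct rule rs[] = {
		{ ACT_PASS,  0, OPT_UNSET, OPT_UNSET, false },
		{ ACT_MATCH, 0, 7, 1, true },
	};
	return evaluate(rs, 2, 6, ACT_BLOCK);
}

/* "block" followed by "match": still blocked, queue taken from the match rule. */
struct verdict
example_block_then_match(void)
{
	static const struct rule rs[] = {
		{ ACT_BLOCK, 0, OPT_UNSET, OPT_UNSET, false },
		{ ACT_MATCH, 0, 7, OPT_UNSET, false },
	};
	return evaluate(rs, 2, 6, ACT_PASS);
}

/*
 * A match rule sets queue 7 and logs, a UDP-only match rule is skipped for a
 * TCP packet, and the final pass rule logs too; with pass_queue == OPT_UNSET
 * the match rule's queue 7 survives, otherwise the pass rule's queue wins.
 */
struct verdict
example_match_queue_then_pass(int pass_queue)
{
	struct rule rs[] = {
		{ ACT_MATCH, 0,  7, OPT_UNSET, true },
		{ ACT_MATCH, 17, 9, OPT_UNSET, true },
		{ ACT_PASS,  0,  OPT_UNSET, OPT_UNSET, true },
	};
	rs[2].queue = pass_queue;
	return evaluate(rs, 3, 6, ACT_BLOCK);
}
```

The third example is the case the commit message singles out: a pass rule without a queue does not clear the queue an earlier match rule assigned, and the packet is logged twice, once per logging rule.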
|
affected by adjusting the clock.
|
|
switch the rtsocket message filter specification so you can or the macros
converting the routing socket message types into the mask used by the
filter. ie:
- ROUTE_SETFILTER(rtfilter, RTM_NEWADDR);
- ROUTE_SETFILTER(rtfilter, RTM_DELADDR);
- ROUTE_SETFILTER(rtfilter, RTM_IFINFO);
- ROUTE_SETFILTER(rtfilter, RTM_IFANNOUNCE);
+ rtfilter = ROUTE_FILTER(RTM_NEWADDR) | ROUTE_FILTER(RTM_DELADDR) |
+ ROUTE_FILTER(RTM_IFINFO) | ROUTE_FILTER(RTM_IFANNOUNCE);
there's a manpage change coming.
ok claudio@
|
|
with deraadt@, mcbride@, and mpf@ it is obvious that a hmac doesn't make
sense for pfsync.
this also firms up some of the input parsing so it handles short frames a
bit better.
|
|
rather than giving up after a hardcoded 5 seconds (which is generally much
too short an interval for a bulk update).
pointed out by david@, eyeballed by mcbride@
|
|
|
|
levels. This will allow for platforms where soft interrupt levels do not
map to real hardware interrupt levels to have soft ipl values overlapping
hard ipl values without breaking spl asserts.
|
|
ok henning markus
|
|
transactional, closing PRs 4941 and 5910. Minor flag day, requires rebuild
of userland tools that use struct pfi_kif.
ok henning deraadt
|
|
panic seen with some icmp types in icmp error message payloads.
Reported by david@ and insan.praja@gmail.com
|
|
MPLS enabled kernels.
ok claudio@
|
|
in one port of the state key, using the type to determine which side should
be the id, and which should be the type. Also:
- Handle ICMP6 messages which are typically sent to multicast addresses but
receive unicast replies, by doing fallthrough lookups against the correct
multicast address.
- Clear up some mistaken assumptions in the PF code:
- Not all ICMP packets have an icmp_id, so simulate one based on other
data if we can, otherwise set it to 0.
- Don't modify the icmp id field in NAT unless it's echo
- Use the full range of possible ids when NATing icmp6 echo
ok henning marco
testing matthieu todd
|
|
hit this case with a root node that comes with no real rtentry attached to it.
Problem found by Mischa Diehm, OK henning@
|
|
- pass a void *, rather than an mbuf and an offset into m_data, the callers
can do the math for it.
- we need to store the size of the messages these functions will serialise
into, so don't get the funcs to return it, just add it on in the caller.
|
|
people who hate^Wdon't use pfsync.
|
|
this cleans up use of splnet.
|
|
the backout/disabling of the route link state tracking done a few days ago.
OK deraadt@
|
|
when we, for a new state, hit an existing tcp state which is in FIN_WAIT_2
on both ends do not fail but insert the new state anyway and unlink the
old one afterwards. pimp error message a bit, too.
problem found with NAT by viq <viq@viq.ath.cx>
ok theo markus
|
|
Alexander Sabourenkov. mbuf logic is based on claudio's recommendation
Tested by Alexander Sabourenkov
OK: henning@, claudio@
Theo: "In please..."
|
|
modifies the pfsync state queues, however, it didn't prevent interrupts from
whacking the same structures.
this diff makes the bulk update code take splsoftnet() to prevent the
panics I've been suffering all day when a firewall peer was booted.
ok deraadt@
|
|
while i was replacing the guts of pfsync, but i forgot to put it back
again. this will make ipsec gateway failover work again.
tested by sthen@ and david@
ok deraadt@
|
|
and I'm currently unable to find the cause of this. Time is running out so
workaround it for now. OK deraadt.
|
|
ioctl. without this peers would not request a bulk update when they come
up, and therefore will not have the full state tree available for use in
failover.
ok mcbride@ "go for it" deraadt@
|
|
reported by david@
an earlier version of this was ok mcbride@
ok deraadt@
|
|
level within the tun(4) driver. Otherwise we can be interrupted whilst
copying a packet into the BPF buffer, leading to a race between bpf_mtap()
calls. This can result in corruption within the BPF buffers.
Also ensure that we are at IPL_NET when calling ether_input_mbuf().
Fixes PR6073.
ok claudio@, canacar@ (for an earlier version of this diff)
|
|
when we want to pretend pf_get_translation didn't do anything we must
get rid of _both_ state keys and reset all 4 sk pointers to NULL and
not leave one key behind and have all 4 pointers point to it - that must
fail. tested dhill sthen, david agrees, deraadt ok
|
|
|
|
|
|
reminded by deraadt@
|
|
reminded by deraadt@
|
|
|
|
found by LLVM/Clang Static Analyzer.
ok dlg@
|
|
use M_CANWAIT throughout
ok sthen canacar claudio
|
|
Tested by many, thanks.
Put it in" deraadt@
|
|
WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC
this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsync's handling of pf states is
highly optimised now, along with packet parsing and construction.
huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.
ok beck@ mcbride@ "good." deraadt@
|