path: root/sys/net
Age, author, and commit message:
2009-05-18  Alexander Bluhm
The routing table index rtableid has type unsigned int in the routing code. In pf rtableid == -1 means don't change the rtableid because of this rule. So it has to be signed int there. Before the value is passed from pf to route it is always checked to be >= 0. Change the type to int in pf and to u_int in netinet and netinet6 to make the checks work. Otherwise -1 may be used as an array index and the kernel crashes. ok henning@
2009-05-13  David Gwynne
dont go splx(s) in the ioctl handler if we havent done splnet(). this adds the splnet calls and the extra splx(s)s necessary for it to be safe. bug found by sthen@
2009-05-13  David Gwynne
only keep track of the number of updates on tcp connections. state sync on all the other protocols is simply pushing the timeouts along which has a resolution of 1 second, so it isnt going to be hurt by pfsync taking up to a second to send it over. keep track of updates on tcp still though, their windows need constant attention. tested by sthen@
2009-04-30  Henning Brauer
treat log as what it is, a flag variable. effectively a noop now but stops us relying on where we are setting it. ok ryan dlg
2009-04-23  David Gwynne
print the type of the icmp message we're bitching about when debugging is turned up in pf_icmp_state_lookup. ok sthen@
2009-04-18  Michele Marchetto
Make "route(8) change" aware of MPLS. It is now possible to change routes' MPLS parameters via route change. ok laurent@, ok and input claudio@
2009-04-17  Henning Brauer
move the lastr = r assignment behind the anchor rule check so we don't ever try to apply options from the anchor rule if it was the last matching one but the last matching real rule. it is right but despite begging nobody has the balls to ok it ;(
2009-04-16  David Krause
Really turn fragment reassembly on by default. pfctl must handle this since the DIOCSETREASS ioctl is called on every ruleset load and was overriding the initial setting in pfattach(). Fix setting of the global no-df bitmask as well. ok henning@
2009-04-15  Henning Brauer
little dose of scrubbing after the monster changes: correctly inherit queue stuff, tag, rtableid from the rule if we have no state; some logic simplification and removal of redundant checks. ok dlg
2009-04-15  David Krause
move OK ICMP to NOISY level, makes it easier to run at MISC level; ok henning@
2009-04-15  David Krause
move pfsync stale update messages to NOISY level; ok dlg@ henning@
2009-04-14  Alexander Yurchenko
Correctly handle the case when state might be NULL in pf_test like all other code does. Should fix pr 6121. ok henning@
2009-04-11  Joel Sing
Avoid dereferencing a null pointer when pf attempts to translate a specifically crafted IP datagram. Problem noted by Sebastian Rother. ok henning@ mcbride@ sthen@
2009-04-07  Henning Brauer
after i took everything in this file apart and reassembled with a lot of new stuff asserting copyright is in order
2009-04-07  Henning Brauer
turn fragment reassembly on by default. there is little to no reason to not do fragment reassembly. discussed with dlg and ryan in basel. ok ryan dlg sthen jdixon todd deraadt
2009-04-06  Henning Brauer
1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop and drop-ovl are gone.
     set reassemble yes|no [no-df]
   if no-df is given fragments (and only fragments!) with the df bit set have it cleared before entering the fragment cache, and thus the reassembled packet doesn't have df set either. it does NOT touch non-fragmented packets.
3) regular rules can have scrub options.
     pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
     match scrub(reassemble tcp, random-id)
   of course all options are optional. the individual options still do what they used to do on scrub rules, but everything is stateful now.
4) match rules
   "match" is a new action, just like pass and block are, and can be used like they do. opposed to pass or block, they do NOT change the pass/block state of a packet. i. e.
     pass
     match
   passes the packet, and
     block
     match
   blocks it.
   Every time (!) a match rule matches, i. e. not only when it is the last matching rule, the following actions are set:
   - queue assignment. can be overwritten later, the last rule that set a queue wins. note how this is different from the last matching rule wins, if the last matching rule has no queue assignments and the second last matching rule was a match rule with queue assignments, these assignments are taken.
   - rtable assignments. works the same as queue assignments.
   - set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work like the above
   - logging. every matching rule causes the packet to be logged. this means a single packet can get logged more than once (think multiple log interfaces with different receivers, like pflogd and spamlogd)
almost entirely hacked at n2k9 in basel, could not be committed close to release. this really should have been multiple diffs, but splitting them now is not feasible any more. input from mcbride and dlg, and frantzen about the fragment handling. speedup around 7% for the common case, the more the more scrub rules were in use.
manpage not up to date, being worked on.
2009-04-04  David Gwynne
use time_uptime instead of time_second internally. time_uptime isnt affected by adjusting the clock.
2009-03-31  David Gwynne
claudio has spent too much time with the mbuf macros. switch the rtsocket message filter specification so you can or the macros converting the routing socket message types into the mask used by the filter. ie: - ROUTE_SETFILTER(rtfilter, RTM_NEWADDR); - ROUTE_SETFILTER(rtfilter, RTM_DELADDR); - ROUTE_SETFILTER(rtfilter, RTM_IFINFO); - ROUTE_SETFILTER(rtfilter, RTM_IFANNOUNCE); + rtfilter = ROUTE_FILTER(RTM_NEWADDR) | ROUTE_FILTER(RTM_DELADDR) | + ROUTE_FILTER(RTM_IFINFO) | ROUTE_FILTER(RTM_IFANNOUNCE); there's a manpage change coming. ok claudio@
2009-03-31  David Gwynne
do not include space in the end of the from for a hmac. after discussion with deraadt@, mcbride@, and mpf@ it is obvious that a hmac doesnt make sense for pfsync. this also firms up some of the input parsing so it handles short frames a bit better.
2009-03-23  David Gwynne
wait an appropriate amount of time before giving up on a bulk update, rather than giving up after a hardcoded 5 seconds (which is generally much too short an interval for a bulk update). pointed out by david@, eyeballed by mcbride@
2009-03-17  David Gwynne
we do know how to handle iack. in the rx path at least.
2009-03-15  Miod Vallat
Introduce splsoftassert(), similar to splassert() but for soft interrupt levels. This will allow for platforms where soft interrupt levels do not map to real hardware interrupt levels to have soft ipl values overlapping hard ipl values without breaking spl asserts.
2009-03-14  Ryan Thomas McBride
Some ICMP types that also have icmp_id, pointed out by markus@. ok henning markus
2009-03-09  Ryan Thomas McBride
Make the DIOCSETIFFLAG, DIOCSETLIMIT, and DIOCSETTIMEOUT ioctls transactional, closing PRs 4941 and 5910. Minor flag day, requires rebuild of userland tools that use struct pfi_kif. ok henning deraadt
2009-03-07  Ryan Thomas McBride
Make sure pd2 has a pointer to the icmp header in the payload; fixes panic seen with some icmp types in icmp error message payloads. Reported by david@ and insan.praja@gmail.com
2009-03-05  Michele Marchetto
Fix a panic in ether_output() when attempting to send multicast traffic on MPLS enabled kernels. ok claudio@
2009-03-05  Ryan Thomas McBride
Stricter state checking for ICMP and ICMPv6 packets: include the ICMP type in one port of the state key, using the type to determine which side should be the id, and which should be the type. Also:
- Handle ICMP6 messages which are typically sent to multicast addresses but receive unicast replies, by doing fallthrough lookups against the correct multicast address.
- Clear up some mistaken assumptions in the PF code:
  - Not all ICMP packets have an icmp_id, so simulate one based on other data if we can, otherwise set it to 0.
  - Don't modify the icmp id field in NAT unless it's echo
  - Use the full range of possible id's when NATing icmp6 echo
ok henning marco testing matthieu todd
2009-03-02  Claudio Jeker
Make sure rt_gateway is not NULL in rt_mpath_matchgate(). It is possible to hit this case with a root node that comes with no real rtentry attached to it. Problem found by Mischa Diehm, OK henning@
2009-03-01  David Gwynne
rework serialisation of messages slightly.
- pass a void *, rather than an mbuf and an offset into m_data, the callers can do the math for it.
- we need to store the size of the messages these functions will serialise into, so dont get the funcs to return it, just add it on in the caller.
2009-03-01  David Gwynne
check pfsyncs IFF_RUNNING flag before doing stuff. should save time for people who hate^Wdont use pfsync.
2009-03-01  David Gwynne
i can't see a reason that we'd need to go to splnet to call ip_output. this cleans up use of splnet.
2009-02-27  Claudio Jeker
Do not check the link state when installing a route. This bit was missing in the backout/disabling of the route link state tracking done a few days ago. OK deraadt@
2009-02-27  Henning Brauer
fix quick reuse of tcp states. when we, for a new state, hit an existing tcp state which is in FIN_WAIT_2 on both ends do not fail but insert the new state anyway and unlink the old one afterwards. pimp error message a bit, too. problem found with NAT by viq <viq@viq.ath.cx> ok theo markus
2009-02-27  Joerg Goltermann
fix mbuf problems and simplify code, well spotted and input by Alexander Sabourenkov. mbuf logic is based on claudio's recommendation. Tested by Alexander Sabourenkov. OK: henning@, claudio@ Theo: "In please..."
2009-02-26  David Gwynne
bulk updates are sent from a timeout which walks over the state tree and modifies the pfsync state queues, however, it didnt prevent interrupts from whacking the same structures. this diff makes the bulk update code take splsoftnet() to prevent the panics ive been suffering all day when a firewall peer was booted. ok deraadt@
2009-02-24  David Gwynne
restore the parsing of incoming tdb update messages. this was disabled while i was replacing the guts of pfsync, but i forgot to put it back again. this will make ipsec gateway failover work again. tested by sthen@ and david@ ok deraadt@
2009-02-24  Claudio Jeker
Disable rt_if_track() for now. This causes the rtfree panic seen in PR6043 and I'm currently unable to find the cause of this. Time is running out so workaround it for now. OK deraadt.
2009-02-24  David Gwynne
request a bulk update when the pfsync if configuration is changed via an ioctl. without this peers would not request a bulk update when they come up, and therefore will not have the full state tree available for use in failover. ok mcbride@ "go for it" deraadt@
2009-02-23  David Gwynne
dont put pfsync packets on the wire if no syncdev is specified. issues reported by david@. an earlier version of this was ok mcbride@ ok deraadt@
2009-02-20  Joel Sing
Ensure that bpf_mtap() is always called at the same interrupt priority level within the tun(4) driver. Otherwise we can be interrupted whilst copying a packet into the BPF buffer, leading to a race between bpf_mtap() calls. This can result in corruption within the BPF buffers. Also ensure that we are at IPL_NET when calling ether_input_mbuf(). Fixes PR6073. ok claudio@, canacar@ (for an earlier version of this diff)
2009-02-18  Henning Brauer
bring back the NAT NOP fix, but this time right. when we want to pretend pf_get_translation didn't do anything we must get rid of _both_ state keys and reset all 4 sk pointers to NULL and not leave one key behind and have all 4 pointers point to it - that must fail. tested dhill sthen, david agrees, deraadt ok
2009-02-18  David Gwynne
if a peer requests a state that is marked as NOSYNC, then skip it.
2009-02-18  Can Erkin Acar
Free authentication data when detaching sppp from interface.
2009-02-17  David Gwynne
// style comments shouldnt be in the tree. reminded by deraadt@
2009-02-17  David Gwynne
assert copyright over the changes i made. reminded by deraadt@
2009-02-17  David Gwynne
init the tdb tailq. hopefully this fixes sthens crash.
2009-02-17  Charles Longeau
fix uninitialized variable. found by LLVM/Clang Static Analyzer. ok dlg@
2009-02-16  Theo de Raadt
allocate the large structures instead of putting them on the stack, and use M_CANWAIT throughout. ok sthen canacar claudio
2009-02-16  Can Erkin Acar
Allow username and password to be up to 255 characters in length. Tested by many, thanks. "Put it in" deraadt@
2009-02-16  David Gwynne
pfsync v5, mostly written at n2k9, but based on work done at n2k8. WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC. this is a new variant of the protocol and a large reworking of the pfsync code to address some performance issues. the single largest benefit comes from having multiple pfsync messages of different types handled in a single packet. pfsyncs handling of pf states is highly optimised now, along with packet parsing and construction. huggz for beck@ for testing. huge thanks to mcbride@ for his help during development and for finding all the bugs during the initial tests. thanks to peter sutton for letting me get credit for this work. ok beck@ mcbride@ "good." deraadt@