Age | Commit message (Collapse) | Author |
|
(you don't need to fix this file for it to compile. oups. forgotten in the
last commit)
|
|
I found this somewhere in my forest, I don't really remember writing it, the
context indicates I did this in iceland... getting this is to make a 1000+
lines diff less painful (how do I always end up with those)
|
|
and AF_INET6 are doing the fragment handling the same way. Makes
code more readable.
With and OK bluhm@
|
|
This is now possible because carp no longer uses LINK_STATE_UNKNOWN
for a state that is considered down. This will simplify a lot of code.
OK mpf@ mcbride@ henning@
|
|
the obvious cases to return EINVAL and ENXIO.
ok tedu deraadt
|
|
struct. List those types explicitly to make sure that the union
contains enough memory. Before we were just lucky.
ok henning@
|
|
confirmed to fix paul stoeber's crash. ok deraadt sthen
|
|
the pflog code and not setting it will cause a panic in pf_setup_pdesc().
Fixes dhill's crashes with funky v6 packets. OK bluhm@
|
|
way. Remove PFDESC_IP_REAS and pf_pdesc flags completely.
ok claudio@ henning@
|
|
handling. More to come to make the two codepaths a bit more identical.
tested by many (esp. krw@ and sthen@) input and OK bluhm@
|
|
spotted by clang, ok matthew@
|
|
|
|
actually check how many src nodes reference it, rather than checking the
max_src_nodes for the rule which makes no sense. From Martin Pelikan.
|
|
a crash if max-src-* options are triggered both before and after a ruleset
reload, when the rules are overloading to a non-persistent table.
Discovered by and fix from Martin Pelikan.
|
|
pf_scrub in the rule (no-state) case. Since the action (a) may be NULL
for e.g. the implicit pass rule. Should fix the panics seen by other
people.
|
|
pf_scrub with the right arguments in the rule case so that match
rules will work as expected. As a benefit allow setting the tos
on IPv6 packets as well.
OK henning@
|
|
because either the info is already available in struct pd or easy
to figure out. Makes pf_test() and pf_test6() even more similar
(with the target to remove one of them in the near future).
OK henning@
|
|
Feedback from various people, ok henning@
Previously if an interface type (without number), e.g. "set skip on vlan"
or "set skip on em" was used, it would have the undocumented behaviour of
matching any interface of that type.
Now it will only match an interface which is a member of the named group.
This results in some changed behaviour:
If you currently use "set skip" with a physical interface type (e.g.
"set skip on ix") you will need to add the interface to a group of that
name: 'ifconfig ix0 group ix' or add 'group ix' to hostname.ix0.
Interfaces cloned at runtime (e.g. lo, trunk, vlan, pppoe, carp, gif,
mpe and others) default to being in a group named after the interface type,
so for these interfaces there will be no change in behaviour unless you
have deliberately changed groups, e.g. 'ifconfig carp456 -group carp'.
|
|
so that rules like "pass out on vr1 inet6 nat-to (vr1)" won't map
to the non routable ipv6 link local address; with suggestions and
ok claudio, henning
|
|
the broadcast shortcut codepath is fixed. ok claudio
|
|
at least krw@, pirofti@ and todd@ have been seeing panics (todd and krw
with xxxterm not sure about pirofti) involving pool corruption while
using this commit.
krw and todd confirm that this backout fixes the problem.
ok blambert@ krw@, todd@ henning@ and kettenis@
Double link between pf states and sockets. Henning has
already implemented half of it. The additional part is: -
The pf state lookup for outgoing packets is optimized by
using mbuf->inp->state.
- For incoming tcp, udp, raw, raw6 packets the socket
lookup always is optimized by using mbuf->state->inp.
- All protocols establish the link for incoming packets.
- All protocols set the inp in the mbuf for outgoing packets.
This allows the linkage beginning with the first packet
for outgoing connections.
- In case of divert states, delete the state when the socket
closes. Otherwise new connections could match on old
states instead of being diverted to the listen socket.
ok henning@
|
|
actually removed it from the timeout wheel before releasing it. if
timeout_del returns 0 then you know the timeout is about to run or
is already running, meaning it will free itself so you don't have
to.
this handling is only done for the undefer paths at SOFTNET since
it is higher than SOFTCLOCK which timeouts run from. it is possible
for a timeout to start running at softclock and get interrupted by
softnet. the undefer in process context blocks both these interrupts
while it undefers, so it is impossible for the timeout to run and
cause the list to be in this inconsistent state.
|
|
essentially identical; the only difference being that m_pullup2 is
capable of handling mbuf clusters, but called m_pullup for shorter
lengths (!).
testing dlg@ ok claudio@
|
|
that for you without the nasty side-effects of the precomputation?
Fixes strange problems seen on directly connected tunnels and
probably behaves a lot better. This still caches to route for
subsequent packets.
Testing and OK phessler
|
|
implemented half of it. The additional part is:
- The pf state lookup for outgoing packets is optimized by using
mbuf->inp->state.
- For incoming tcp, udp, raw, raw6 packets the socket lookup always
is optimized by using mbuf->state->inp.
- All protocols establish the link for incoming packets.
- All protocols set the inp in the mbuf for outgoing packets.
This allows the linkage beginning with the first packet for
outgoing connections.
- In case of divert states, delete the state when the socket closes.
Otherwise new connections could match on old states instead of
being diverted to the listen socket.
ok henning@
|
|
pass a pointer to a pointer to make the code in pf_test() clearer.
ok henning@
|
|
ok henning@
|
|
Found by LLVM/Clang Static Analyzer.
ok henning@
|
|
addresses from process context by scheduling a work queue.
Fixes an assertwaitok panic. ok henning
|
|
|
|
ok mikeb@ fries@ mpf@ henning@ dlg@ matthew@
|
|
of a connection originator. this allows one to query the source rdomain
with a SO_RTABLE socket option. figured out with reyk, ok claudio.
|
|
with broadcast packets.
|
|
handling of recursive IPComp payloads. (This code is way old and may
go away soon in favor of using sys/lib/libz, but committing anyway as
plans aren't finalized yet.)
ok deraadt@
|
|
less blessed and non-loved protocols; temporary fix for correctness until
the henning tornado rampages this function.
"pls commit, ok" henning@
|
|
ok matthew@ tedu@, also eyeballed by at least krw@ oga@ kettenis@ jsg@
|
|
write rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@
|
|
to be ok. there is no checksum we could verify and for the moment these
are locally generated packets anyway. and this really is just the stupid
'stealth bridge detection' countermeasure shit (when you want a "stealth"
bridge and explicitly ask pf to return RSTs/icmp errors, you need to
seek medical help in any case).
this is needed so that we eventually can move the in_proto_cksum_out (and
its ipvshit counterpart once we get it) calls to after the pf_test calls
in the output routines
ok dlg fondue-kinda-ok claudio
|
|
ok claudio krw
|
|
|
|
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do. reuse some kernel bits for the upcoming nat64
stuff. "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.
|
|
instead of coming at it sideways to detect failure.
ok claudio@
|
|
we don't need 7 f***ing copies of the same code to do the protocol checksums
(or not, depending on hw capabilities). claudio ok
|
|
leads to corrupted memory; backout to await a better fix
|
|
of the gre(4) tunnel. Instead just use a RT_NOCLONING route lookup
and be done with it. Makes gre(4) work between systems in the same
LAN. This diff was long enough on tech@ and nobody complained.
|
|
decision here too, just like in ip_output, pointless.
|
|
in all output paths anyway.
even worse than in the rest of pf, here we ran circles to update the ip
cksum every time we flip a tiny bit in the header...
pretty sure dlg claudio ok'd it and it is damn obvious anyway
|
|
malloc/bcopy/free, the way He Who Must Not Be Named intended.
"yes please" claudio@
|
|
recalculated in all output paths anyway (why did it take us 10 years to
notice?). ok claudio definite ok dlg
|
|
checksum. turned out it always recalculates it as long as your kernel does
have pf compiled in, as in, always, since compilation of GENERIC without
pf explodes in about a hundred ways.
so rename bridge_filter -> bridge_ip and always compile it, pf or not,
just make the pf_test calls #if NPF, and sync the ip fuckery code with
ip_output. as a bonus this lets us use the checksum offloading to the NIC
if it is capable of that.
ok claudio dlg sthen
|