path: root/sys/net
Age         Author              Commit message

2009-07-28  Henning Brauer
    do not leak pf_rule_item_pl items in pf_test_rule() when
    1) at least one match rule matched the packet and 2) we do not create state. found by me while fixing the pool_get problem, ok dlg

2009-07-28  Henning Brauer
    check that pool_get actually gives us memory in pf_test_rule.
    introduced by yours truly (no idea how that could happen), problem found by sthen the hard way, fix by me. ok dlg

2009-07-27  Bret Lambert
    timeout_add -> timeout_add_sec
    ok claudio@

2009-07-21  Henning Brauer
    pf_scrub_ip/ip6 prototypes are already in pfvar.h

2009-07-19  Bret Lambert
    clalloc() can't fail, so there's no need to handle failure cases.
    Change to void function. Also, no need to have global tty stats pointer, so just return it from clalloc, as the caller frees it immediately anyway. ok miod@

2009-07-16  Thordur I. Bjornsson
    Backout rev1.79 of if_vlan.c and rev1.66 of if_trunk.c;
    Changes in those revisions limited the send queue to one slot. This breaks NFS over vlan(4) as discovered by sthen@. "just plain back it out." deraadt@

2009-07-13  Claudio Jeker
    Do the same rdomain checking in sppp as we do in the Ethernet case.
    Encapsulated pppoe packets are moved into the rdomain of the physical interface because it is possible that a pppoe(4) interface is in a different rdomain than the physical interface. OK reyk@

2009-07-13  David Gwynne
    don't initialise ifp->if_snd.ifq_maxlen, and then follow it by
    IFQ_SET_MAXLEN(&ifp->if_snd, ifqmaxlen). the first was deprecated by the use of IFQ_SET_MAXLEN.

2009-07-13  David Gwynne
    make the send queue one slot long. this forces packets off the virtual
    interfaces down to the queue on the physical interface immediately. this avoids having the tx mitigation code wasting cpu time dicking around with simply shuffling packets off virtual interface queues and lets it do its job of amortising the cost of calling a real interface's start routine. it also prevents an artificial inflation of the physical interface's queue length where packets could hide on the virtual interfaces' queues during softnet before being dumped en masse onto the hardware. this will smooth out the rate at which packets are submitted to the hardware. kjc@ says this has no impact on altq. ya henning@

2009-07-09  Bret Lambert
    unsigned -> unsigned int
    ok claudio@, henning@

2009-07-08  Claudio Jeker
    Add the same routing domain assignments and checks into the not so used
    protocols as it is currently in if_ethersubr.c. OK reyk@

2009-07-07  Michele Marchetto
    When adding or changing a MPLS route, add RTF_MPLS flag to
    routing message. We can then rely on that flag to spot out MPLS routes coming from routing socket. ok claudio@

2009-06-26  Markus Friedl
    invert direction for inner icmp state lookups (e.g. traceroute with icmp)
    ok henning, jsing

2009-06-26  Bret Lambert
    the pr_usrreq implementation for routing sockets shares exactly one line
    of code between cases, so stop pretending otherwise, and move the if() dance to a switch, as is done in every other pr_usrreq I'm aware of. ok claudio@ michele@

2009-06-25  Stuart Henderson
    scrub_flags is a u_int8_t, but PFSTATE_SCRUB_TCP is 0x0100, so the
    "reassemble tcp" state option failed to work correctly. Increasing this to u_int16_t fixes kernel/6178. ok deraadt@ henning@

2009-06-24  Stuart Henderson
    move the "pf_map_addr: selected address" printf up to -xnoisy.
    ok henning@

2009-06-22  Bret Lambert
    Remove unneeded sotorawpcb() call, as the PCB is unmolested between
    malloc()ing it and calling that macro. No functional change, just tightening things up a bit. ok claudio@ michele@

2009-06-22  Joel Sing
    Check that the address family is appropriate before processing ICMPv4 and
    ICMPv6 messages. ok henning@

2009-06-22  Joel Sing
    Always drop ICMPv6 in IPv4 datagrams, not only when compiled with INET6.
    Suggested by Max Laier. ok henning@

2009-06-22  Joel Sing
    Fix scrub max-mss for IPv6 traffic.
    spotted by naddy@ ok henning@

2009-06-20  Bret Lambert
    Decrement routing socket count in MPLS detach case
    While here, fix whitespace (spaces -> tabs) issue spotted by michele@ ok michele@, claudio@

2009-06-17  Joerg Goltermann
    fix flow data values: first and last time, found by f-kons at yandex ru
    OK: sthen@, henning@

2009-06-17  David Gwynne
    do better detection of when we have a better version of the tcp sequence
    windows than our peer. this resolves the last of the pfsync traffic storm issues I've been able to produce, and therefore makes it possible to do usable active-active stateful firewalls with pf. lots of testing locally on the production firewalls, also tested by sthen@

2009-06-14  David Gwynne
    enable support for deferring the packet that creates a state so that your
    sync peers are able to get the states before the replies. previously there was a race where the reply could hit a partner firewall before it had the state for it, which caused the reply to get processed by the ruleset which probably would drop it. this behaviour is off by default because it does delay packets, which is only wanted in active-active firewalls or when an upstream router is slow to learn that you've moved the active member of the pfsync cluster. it also uses memory keeping the packets in the kernel. use "ifconfig pfsync0 defer" to enable it, "ifconfig pfsync0 -defer" to disable. tested by sthen@ who loves it. he's got manpage changes coming up for me.

2009-06-12  David Gwynne
    rewrite the way states from pfsync are merged into the local state tree
    and the conditions on which pfsync will notify its peers on a stale update. each side (ie, the sending and receiving side) of the state update is compared separately. any side that is further along than the local state tree is merged. if any side is further along in the local state table, an update is sent out telling the peers about it. this has been flogged to death on my firewalls.

2009-06-10  David Gwynne
    jj reported a panic in bulk updates to me. this is my attempt to fix the
    most obvious problem. if the state table is empty, we'd deref a null pointer. tested on my firewalls with big state tables, so existing use cases still work.

2009-06-08  Henning Brauer
    in pf_print_state_parts, do not use skw->proto to print the protocol
    but our local copy proto that we very carefully set beforehand. skw being NULL is perfectly valid there.

2009-06-08  Henning Brauer
    bring back the fixed PF_AEQ/ANEQ/AZERO macros, the offending use has been
    found by sthen and fixed, all other callers of these macros checked by both of us

2009-06-08  Stuart Henderson
    "do not call PF_ANEQ with af=0, dragons". fixes a problem with skip
    steps found with the recent pfvar.h commit to check address families. from & commit req by henning.

2009-06-08  Henning Brauer
    gah. something is not quite right, sthen sees strange behaviour fixed
    by backing out the macro fix. something must rely on the broken behaviour

2009-06-08  Henning Brauer
    unfuck PF_AEQ PF_ANEQ PF_AZERO macros that got fucked when v6 support
    was added in 2001. yes i got bitten by inet6 shit again. in the ANEQ case, if af == AF_INET, (a)->addr32[0] != (b)->addr32[0] is false when the addresses ARE equal. now it goes right in the intended-for-v6 case and starts to compare the other addr32 fields - in the v4 case I have garbage in them, so it reports all v4 as different when they are in fact the same. fix by adding explicit af == INET6 test before going on to compare the rest. found the really hard way (many hours wasted, thought the bug was in my new code) by me. ok sthen markus claudio

2009-06-06  Rainer Giedat
    when xflags got changed, tell the userland by routing sockets
    ok henning@

2009-06-05  Alexander Hall
    Add missing #ifdef INET6 ... #endif
    Makes non-IPv6 kernels build again. blame and ok henning@

2009-06-05  Claudio Jeker
    Initial support for routing domains. This allows binding interfaces to
    alternate routing table and separate them from other interfaces in distinct routing tables. The same network can now be used in any domain at the same time without causing conflicts. This diff is mostly mechanical and adds the necessary rdomain checks across net and netinet. L2 and IPv4 are mostly covered, still missing pf and IPv6. input and tested by jsg@, phessler@ and reyk@. "put it in" deraadt@

2009-06-04  Henning Brauer
    allow IPvShit to be turned off completely per-interface.
    ifconfig em0 -inet6 deletes all v6 addresses including link-local and prevents new ones from being added. ifconfig em0 inet6 <addr> re-enables v6, brings the link local back and adds optional <addr> ok theo reyk

2009-06-04  Claudio Jeker
    Emulate a link state in tun(4). The link state goes up when the device is
    opened and goes down when the device fd is closed. Makes working with qemu a bit nicer when routing to tun(4) interfaces. dlg@ "diff reads good"

2009-06-03  Bob Beck
    make wireless interfaces priority 4 by default. other interfaces remain
    priority 0. while we are in here make sure we add wi interfaces to group "wlan" in the same way the net80211 stuff already is. this makes dhcp multiple default routes useful on laptops. ok claudio@

2009-06-02  Henning Brauer
    do the pf_pkt_addr_changed(m) magic just like gif etc
    tested by Manuel Rodriguez Morales <marodriguez at grupogdt.com>

2009-06-01  Claudio Jeker
    There is no need to use a variable just for sizeof(). Garbage collect ifa.
    No binary change.

2009-05-31  Bret Lambert
    Consolidate common code for interface attachment into single function
    to save some space in the kernel. Although there are deeper issues with interface attachment, this diff was not meant to address those, just to shave some space ;) ok henning@, claudio@

2009-05-31  Henning Brauer
    make set loginterface, set hostid, set reassemble and set debug
    transactional. sanity checked claudio, requested by theo for some time

2009-05-31  Claudio Jeker
    Hide RTP_DOWN in the kernel and don't expose it to userland. Userland is
    not smart enough to handle it in a sensible way. Make sure the kernel selected routing priority is actually exported to userland or to help daemons like bgpd to keep correct track of the routes. This should fix some of the rather strange errors seen by people having multipath routes on their bgpd boxes. While there make the interface priority inheritance on static routes work again. OK henning@

2009-05-31  Claudio Jeker
    Reenable interface state tracking now that I found and fixed the cause of
    the rtfree panic seen by some people.

2009-05-31  Claudio Jeker
    Fix for the rtfree 2 panic seen by some people before the release. A missing
    refcnt bump caused the panic to be triggered. While there also make the priority so that the compare is working a bit better. henning@ cries in agony (I already gave up)

2009-05-26  Reyk Floeter
    inherit the route label on cloned routes
    ok claudio@

2009-05-18  Alexander Bluhm
    The routing table index rtableid has type unsigned int in the routing
    code. In pf rtableid == -1 means don't change the rtableid because of this rule. So it has to be signed int there. Before the value is passed from pf to route it is always checked to be >= 0. Change the type to int in pf and to u_int in netinet and netinet6 to make the checks work. Otherwise -1 may be used as an array index and the kernel crashes. ok henning@

2009-05-13  David Gwynne
    don't go splx(s) in the ioctl handler if we haven't done splnet(). this adds
    the splnet calls and the extra splx(s)s necessary for it to be safe. bug found by sthen@

2009-05-13  David Gwynne
    only keep track of the number of updates on tcp connections. state sync on
    all the other protocols is simply pushing the timeouts along which has a resolution of 1 second, so it isn't going to be hurt by pfsync taking up to a second to send it over. keep track of updates on tcp still though, their windows need constant attention. tested by sthen@

2009-04-30  Henning Brauer
    treat log as what it is, a flag variable. effectively a noop now but stops
    us relying on where we are setting it. ok ryan dlg

2009-04-23  David Gwynne
    print the type of the icmp message we're bitching about when debugging is
    turned up in pf_icmp_state_lookup. ok sthen@