path: root/sys/net

Age         Commit message  (Author)
2009-11-24  kill obsolete natpass  (Henning Brauer)
2009-11-23  with the old code we initialized the state keys early in some cases  (Henning Brauer)
    and thus had to get rid of them if we didn't create state. this is no longer the case, kill dead code. ok claudio
2009-11-23  one kinda-missing log |= PFLOG_FORCE in the v6 case, spotted by claudio  (Henning Brauer)
2009-11-23  sync the handling of the log flag from pf_test (where it is correct)  (Henning Brauer)
    to pf_test6 (where it is wrong in some edge cases, for match rules and logs a packet twice in some cases). ok claudio
2009-11-23  pf_test_fragment: we need to bail out if action == PF_DROP, not  (Henning Brauer)
    if action != PF_PASS. same was changed in pf_test_rule a while back but the fragment case was forgotten. since everybody reassembles nobody ran into this.
2009-11-23  sync some comments with reality  (Henning Brauer)
2009-11-23  remove the nat_rule pointer on pf_state and pf_pdesc, obsolete after  (Henning Brauer)
    the NAT rewrite and ever since then only checked in a couple of places but never set. same for nat_src_node on pf_state. with this the NAT rewrite made pf over 1000 lines shorter.
2009-11-22  cleanup after the NAT changes. we used to have multiple rulesets (scrub,  (Henning Brauer)
    NAT, filter). now we only have one. no need for an array any more. simplifies the code quite a bit. in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the table code. written at the filesystem hackathon in stockholm, committed from the hardware hackathon in portugal. ok gcc and jsing
2009-11-22  Add a lot of bpf and counter manipulation to the bridge. The bridge  (Theo de Raadt)
    sneaks packets on and off network interfaces in some cases without calling the interrupt, start, or output functions, and thus must do these tasks which the drivers cannot do. The gif and vether are rather special. Someone should re-check gre. ok claudio
2009-11-21  knf  (Henning Brauer)
2009-11-21  Add a way to bind the tunnel endpoint of a gif/gre interface into a  (Claudio Jeker)
    different rdomain than the default one. This allows to do MPLS VPNs without the MPLS madness. OK deraadt@, henning@
2009-11-18  improve the bpf path. packets we send out via the bridge are seen, but  (Theo de Raadt)
    those that come in the bridge are still invisible. the bridge is going to have to bpf those for us.
2009-11-18  set IFCAP_VLAN_MTU; from brad  (Theo de Raadt)
2009-11-18  do not do setup that ether_ifattach() takes care of; ok jsg  (Theo de Raadt)
2009-11-13  Extend the protosw pr_ctlinput function to include the rdomain. This is  (Claudio Jeker)
    needed so that the route and inp lookups done in TCP and UDP know where to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain argument as well for similar reasons. With this tcp seems to be now fully rdomain safe and no longer leaks single packets into the main domain. Looks good markus@, henning@
2009-11-12  be paranoid in case the action array changes size (again, grr)  (Theo de Raadt)
    ok dlg
2009-11-12  count packets; from claudio  (Theo de Raadt)
2009-11-11  Fix some memory leaks in error cases.  (Jonathan Gray)
    Found by parfait. ok henning@
2009-11-09  bump pfsync protocol version  (David Gwynne)
    requested by deraadt@
2009-11-09  s/MPLS_DEBUG/VETHER_DEBUG  (Marco Pfatschbacher)
    OK deraadt
2009-11-09  Every selwakeup() should have a matching KNOTE() (even if kqueue isn't  (Nicholas Marriott)
    supported it doesn't do any harm), so put the KNOTE() in selwakeup() itself and remove it from any occurrences where both are used, except one for kqueue itself and one in sys_pipe.c (where the selwakeup is under a PIPE_SEL flag). Based on a diff from tedu. ok deraadt
2009-11-09  vether(4) is a virtual ethernet device driver which can be used  (Theo de Raadt)
    so that a bridge-etherip-tunnel host can join into the bridge itself. It is ridiculous that this capability was missing from our network stack portfolio, considering we have bgp and ospf daemons... discussed at length with claudio
2009-11-05  IPv6 support for divert sockets.  (Michele Marchetto)
    tested by phessler@ pyr@ ok claudio@ "go ahead" deraadt@
2009-11-03  Use u_int16_t for rdomains for everything. Using various types makes  (Claudio Jeker)
    everything just more complicated. Make sure the structs align nicely. OK deraadt@
2009-11-03  rtables are stacked on rdomains (it is possible to have multiple routing  (Claudio Jeker)
    tables on top of a rdomain) but until now our code was a crazy mix so that it was impossible to correctly use rtables in that case. Additionally pf(4) only knows about rtables and not about rdomains. This is especially bad when tracking (possibly conflicting) states in various domains. This diff fixes all or most of these issues. It adds a lookup function to get the rdomain id based on a rtable id. Makes pf understand rdomains and allows pf to move packets between rdomains (it is similar to NAT). Because pf states now track the rdomain id as well it is necessary to modify the pfsync wire format. So old and new systems will not sync up. A lot of help by dlg@, tested by sthen@, jsg@ and probably more OK dlg@, mpf@, deraadt@
2009-11-02  s/hz/Hz/ on multiples of the SI unit hertz other than MHz.  (Igor Sobrado)
    reminded by STeve Andre.
2009-10-29  I missed updating a line for the AF_INET6 route case when  (Jonathan Gray)
    splitting things out into a separate pool. Problem noticed and fix tested by sthen@ ok claudio@
2009-10-28  Add a dedicated pf pool for route options as suggested by henning,  (Jonathan Gray)
    which unbreaks i.e. route-to after the recent pf changes. With much help debugging and pointing out of missing bits from claudio@ ok claudio@ "looks good" henning@
2009-10-26  Set the rdomain in bpfwrite() to the interface rdomain so that bpf sender  (Claudio Jeker)
    like dhcpd/dhclient can send packets out of interfaces in other rdomains without hitting the check in ether_output(). With and ok phessler@
2009-10-26  Replace pool_get() + bzero() with pool_get(..., PR_ZERO).  (Michael Knudsen)
    `OK' claudio
2009-10-10  fix mbuf leak in rtinit()  (Dariusz Swiderski)
    the mbuf got leaked when detaching an interface, spotted by theo. fixed by me, diff refined by theo eyeballed by claudio@ 'go ahead, commit this' by theo@
2009-10-06  Redo the route lookup in the output (and IPv6 forwarding) path if the  (Claudio Jeker)
    destination of a packet was changed by pf. This allows for some evil games with rdr-to or nat-to but is mostly needed for better rdomain/rtable support. This is a first step and more work and cleanup is needed. Here is a list of what works and what does not (needs a patched pfctl):
      pass out rdr-to:
        from local rdr-to local addr       works (if state tracking on lo0 is done)
        from remote rdr-to local addr      does NOT work
        from local rdr-to remote           works
        from remote rdr-to remote          works
      pass in nat-to:
        from remote nat-to local addr      does NOT work
        from remote nat-to non-local addr  works
    non-local is an IP that is routed to the FW but is not assigned on the FW. The non working cases need some magic to correctly rewrite the incoming packet since the rewriting would happen outbound which is too late. "time to get it in" deraadt@
2009-10-06  Replace if (af) tests operating as an af blacklist with stricter switch  (Ryan Thomas McBride)
    statements operating as a whitelist, taking care to allow af 0 (which is the wildcard value in pf rules) diff from Vadim Zhukov ok henning
2009-10-04  Add (again) support for divert sockets. They allow you to:  (Michele Marchetto)
      - queue packets from pf(4) to a userspace application
      - reinject packets from the application into the kernel stack.
    The divert socket can be bound to a special "divert port" and will receive every packet diverted to that port by pf(4). The pf syntax is pretty simple, e.g.:
      pass on em0 inet proto tcp from any to any port 80 divert-packet port 1
    A lot of discussion has happened since my last commit that resulted in many changes and improvements. I would *really* like to thank everyone who took part in the discussion especially canacar@ who spotted out which are the limitations of this approach. OpenBSD divert(4) is meant to be compatible with software running on top of FreeBSD's divert sockets even though they are pretty different and will become even more with time. discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@ tested by reyk@ and myself ok reyk@ claudio@ beck@ manpage help and ok by jmc@
2009-09-28  when inserting a state, turn the error that pf_state_insert returns  (David Gwynne)
    into something usable by ioctl. makes DIOCADDSTATE on /dev/pf cope when inserting an already existing state.
2009-09-21  Properly reference count bpf descriptors when using kqueue.  (Can Erkin Acar)
    Reported and fix tested by weerd@, ok claudio@
2009-09-17  Remove the compatibility structures for routing socket version 3.  (Claudio Jeker)
    The RTM_VERSION bump is 2 years ago and so there is no need for this. Diff made by tedu@ some time ago but never got committed so I do it now.
2009-09-17  Wrap trunk_enqueue() calls in splnet() since sending out lacp packets  (Claudio Jeker)
    starts in a timeout handler which runs at a lower spl. This fixes the problems with lacp trunks where some interfaces suddenly fail for no obvious reason. Problem report and fix tested by Stephan A. Rickauer. OK henning, reyk, mpf
2009-09-17  Add an splassert check to trunk_enqueue(); calling this function at anything  (Claudio Jeker)
    below splnet() is a good recipe for doom. OK henning, reyk, mpf
2009-09-16  style: in pf_test_state_other, fix indentation, kill excessive newlines,  (Henning Brauer)
    add break in the last case block
2009-09-16  fix copy & paste error from almost a year ago (bad ryan)  (Henning Brauer)
    PF_ANEQ call in pf_test_state_other in the IPVshit case used AF_INET, found by claudio
2009-09-14  Add a way to convert the ifi_link_state to a string without the use of  (Claudio Jeker)
    if_media. This makes link state tracking a lot easier as there is no need to convert if types to if_media types, etc. Additionally this allows us to extend the link states to include states tracked on higher protocol layers. gre(4) keepalives packets, bfd and udld can be implemented without ugly hacks. OK henning, michele, sthen, deraadt
2009-09-09  remove inline functions and move some code from the trunk_lacp_input()  (Reyk Floeter)
    API function directly to lacp_input() to simplify the code path. ok mpf@
2009-09-08  I had not enough oks to commit this diff.  (Michele Marchetto)
    Sorry.
2009-09-08  Add support for divert sockets. They allow you to:  (Michele Marchetto)
      - queue packets from pf(4) to a userspace application
      - reinject packets from the application into the kernel stack.
    The divert socket can be bound to a special "divert port" and will receive every packet diverted to that port by pf(4). The pf syntax is pretty simple, e.g.:
      pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000
    test, bugfix and ok by reyk@ manpage help and ok by jmc@ no objections from many others.
2009-09-07  de-inline a function which gains absolutely no benefit at all from it  (Theo de Raadt)
    ok canacar
2009-09-07  Fix static-port, found by jmc@. ok henning@.  (Stuart Henderson)
2009-09-01  Clear the IP_DF bit if no-df is enabled, not if it is not enabled.  (Joel Sing)
    Issue reported by Matthew Dempsky. Same fix suggested by fgsch@. ok henning@
2009-09-01  the diff theo calls me insane for:  (Henning Brauer)
    rewrite of the NAT code, basically. nat and rdr become actions on regular rules, separate nat/rdr/binat rules do not exist any more.
      match in on $intf rdr-to 1.2.3.4
      match out on $intf nat-to 5.6.7.8
    the code is capable of doing nat and rdr in any direction, but we prevent this in pfctl for now, there are implications that need to be documented better. the address rewrite happens inline, subsequent rules will see the already changed addresses. nat / rdr can be applied multiple times as well.
      match in on $intf rdr-to 1.2.3.4
      match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
    help and ok dlg sthen claudio, reyk tested too
2009-09-01  Make rtinit() cope when there is a more specific route available than  (Claudio Jeker)
    the one it planned to remove. Do this by going through the dupedkey list looking for the right ifa. Problem found by and OK dlg, OK henning