Age | Commit message | Author |
|
tables on top of a rdomain) but until now our code was a crazy mix so that
it was impossible to correctly use rtables in that case. Additionally pf(4)
only knows about rtables and not about rdomains. This is especially bad when
tracking (possibly conflicting) states in various domains.
This diff fixes all or most of these issues. It adds a lookup function to
get the rdomain id based on a rtable id. Makes pf understand rdomains and
allows pf to move packets between rdomains (it is similar to NAT).
Because pf states now track the rdomain id as well it is necessary to modify
the pfsync wire format. So old and new systems will not sync up.
A lot of help by dlg@, tested by sthen@, jsg@ and probably more
OK dlg@, mpf@, deraadt@
|
|
reminded by STeve Andre.
|
|
splitting things out into a separate pool.
Problem noticed and fix tested by sthen@
ok claudio@
|
|
which unbreaks i.e. route-to after the recent pf changes.
With much help debugging and pointing out of missing bits from claudio@
ok claudio@ "looks good" henning@
|
|
like dhcpd/dhclient can send packets out of interfaces in other rdomains
without hitting the check in ether_output().
With and ok phessler@
|
|
`OK' claudio
|
|
the mbuf got leaked when detaching an interface, spotted by theo.
fixed by me, diff refined by theo
eyeballed by claudio@
'go ahead, commit this' by theo@
|
|
destination of a packet was changed by pf. This allows for some evil
games with rdr-to or nat-to but is mostly needed for better rdomain/rtable
support. This is a first step and more work and cleanup is needed.
Here a list of what works and what does not (needs a patched pfctl):
pass out rdr-to:
  from local rdr-to local addr works (if state tracking on lo0 is done)
  from remote rdr-to local addr does NOT work
  from local rdr-to remote works
  from remote rdr-to remote works
pass in nat-to:
  from remote nat-to local addr does NOT work
  from remote nat-to non-local addr works
non-local is an IP that is routed to the FW but is not assigned on the FW.
The non working cases need some magic to correctly rewrite the incoming
packet since the rewriting would happen outbound which is too late.
"time to get it in" deraadt@
|
|
statements operating as a whitelist, taking care to allow af 0 (which is
the wildcard value in pf rules)
diff from Vadim Zhukov
ok henning
|
|
- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.
The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).
The pf syntax is pretty simple, e.g.:
pass on em0 inet proto tcp from any to any port 80 divert-packet port 1
A lot of discussion has happened since my last commit, which resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion,
especially canacar@ who spotted the limitations of this approach.
OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.
discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@
|
|
into something usable by ioctl. makes DIOCADDSTATE on /dev/pf cope
when inserting an already existing state.
|
|
Reported and fix tested by weerd@, ok claudio@
|
|
The RTM_VERSION bump was 2 years ago and so there is no need for this.
Diff made by tedu@ some time ago but never got committed so I do it now.
|
|
starts in a timeout handler which runs at a lower spl.
This fixes the problems with lacp trunks where some interfaces suddenly
fail for no obvious reason. Problem report and fix tested by Stephan A.
Rickauer. OK henning, reyk, mpf
|
|
below splnet() is a good recipe for doom.
OK henning, reyk, mpf
|
|
add break in the last case block
|
|
PF_ANEQ call in pf_test_state_other in the IPVshit case used AF_INET, found
by claudio
|
|
if_media. This makes link state tracking a lot easier as there is no need
to convert if types to if_media types, etc. Additionally this allows us
to extend the link states to include states tracked on higher protocol layers.
gre(4) keepalive packets, bfd and udld can be implemented without ugly hacks.
OK henning, michele, sthen, deraadt
|
|
API function directly to lacp_input() to simplify the code path.
ok mpf@
|
|
Sorry.
|
|
- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.
The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).
The pf syntax is pretty simple, e.g.:
pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000
test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.
|
|
ok canacar
|
|
|
|
Issue reported by Matthew Dempsky. Same fix suggested by fgsch@.
ok henning@
|
|
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, seperate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too
|
|
the one planned to remove. Do this by going through the dupedkey list
looking for the right ifa. Problem found by and OK dlg, OK henning
|
|
the resized buffer.
From Pawel Jakob Dawidek via Max Laier via Marc Balmer via tech@.
As was the previous commit where I didn't mention Pawel.
'should be olright' henning@
|
|
It currently doesn't compile and this is unlikely to change
as there are many alternatives now since we no longer live
in the early 1990s and Metricom went bankrupt some time ago.
ok many @
|
|
not the other way. At least partial fix for interfaces with >64
aliases. From Max Laier via Marc Balmer.
'seems right' sthen@ ok markus@
|
|
removed in pfsync v5.
|
|
running out of mbufs for rx rings.
if the system low watermark is lower than an rx ring's low watermark,
we'll never send a packet up the stack, we'll always recycle it.
found by thib@ on a bge
sadface
|
|
which does pay off, performance-wise. one of the conditions to call the
interfaces' if_start routine immediately was "send queue is full".
on a very busy (hammered) machine this will introduce too much latency
since we spend almost all cpu time in interrupt handlers and softnet,
so the softint actually doing the if_start gets called too seldom and
the queue full check is what triggers the actual transmit.
change the logic to call the if's if_start routine immediately when there are
at least 8 packets (or, in case of maxlen being smaller than 8, maxlen).
8 was chosen because it shows best performance in my test setup here.
ok dlg
|
|
to free some for use on the rx rings on network cards.
this modifies m_cluncount to advise callers when we're in such a
situation, and makes them responsible for freeing up the cluster
for allocation by MCLGETI later.
fixes an awesome lockup with sis(4) henning has been experiencing.
this is not the best fix, but it is better than the current situation.
yep deraadt@ tested by henning@
|
|
functions are called, which will turn off DMA. Receiving packets into
your memory after a system reboot is pretty nasty. This will also mean
that the shutdown hooks can go; this solution is smaller.
ok henning miod dlg kettenis
|
|
done in ether_input() but L3 traffic needs to do it itself.
|
|
between layer 2 and 3 tunneling mode.
OK claudio@, markus@
|
|
ok mpf@
|
|
even though adding an already existing routing table is not allowed.
Leak found by blambert@, fix by myself. OK blambert@
|
|
1) at least one match rule matched the packet and
2) we do not create state
found by me while fixing the pool_get problem, ok dlg
|
|
introduced by yours truly (no idea how that could happen), problem
found by sthen the hard way, fix by me. ok dlg
|
|
ok claudio@
|
|
|
|
Change to void function.
Also, no need to have global tty stats pointer, so just return it
from clalloc, as the caller frees it immediately anyway.
ok miod@
|
|
Changes in those revisions limited the send queue to one slot.
This breaks NFS over vlan(4) as discovered by sthen@.
"just plain back it out." deraadt@
|
|
Encapsulated pppoe packets are moved into the rdomain of the physical interface
because it is possible that a pppoe(4) interface is in a different rdomain
than the physical interface.
OK reyk@
|
|
IFQ_SET_MAXLEN(&ifp->if_snd, ifqmaxlen).
the first was deprecated by the use of IFQ_SET_MAXLEN.
|
|
interfaces down to the queue on the physical interface immediately.
this avoids having the tx mitigation code waste cpu time dicking around
with simply shuffling packets off virtual interface queues and lets it
do its job of amortising the cost of calling a real interface's start
routine.
it also prevents an artificial inflation of the physical interface's queue
length where packets could hide on the virtual interfaces' queues during
softnet before being dumped en masse onto the hardware. this will smooth
out the rate at which packets are submitted to the hardware.
kjc@ says this has no impact on altq. ya henning@
|
|
ok claudio@, henning@
|
|
protocols as it is currently in if_ethersubr.c. OK reyk@
|
|
routing message. We can then rely on that flag to spot
MPLS routes coming from the routing socket.
ok claudio@
|