Age | Commit message (Collapse) | Author |
|
rather than giving up after a hardcoded 5 seconds (which is generally much
too short an interval for a bulk update).
pointed out by david@, eyeballed by mcbride@
|
|
|
|
levels. This will allow for platforms where soft interrupt levels do not
map to real hardware interrupt levels to have soft ipl values overlapping
hard ipl values without breaking spl asserts.
|
|
ok henning markus
|
|
transactional, closing PRs 4941 and 5910. Minor flag day, requires rebuild
of userland tools that use struct pfi_kif.
ok henning deraadt
|
|
panic seen with some some icmp types in icmp error message payloads.
Reported by david@ and insan.praja@gmail.com
|
|
MPLS enabled kernels.
ok claudio@
|
|
in one port of the state key, using the type to determine which side should
be the id, and which should be the type. Also:
- Handle ICMP6 messages which are typically sent to multicast addresses but
recieve unicast replies, by doing fallthrough lookups against the correct
multicast address.
- Clear up some mistaken assumptions in the PF code:
- Not all ICMP packets have an icmp_id, so simulate one based on other
data if we can, otherwise set it to 0.
- Don't modify the icmp id field in NAT unless it's echo
- Use the full range of possible id's when NATing icmp6 echoy
ok henning marco
testing matthieu todd
|
|
hit this case with a root node that comes with no real rtentry attached to it.
Problem found by Mischa Diehm, OK henning@
|
|
- pass a void *, rather than an mbuf and an offset into m_data, the callers
can do the math for it.
- we need to store the size of the messages these functions will serialise
into, so dont get the funcs to return it, just add it on in the caller.
|
|
people who hate^Wdont use pfsync.
|
|
this cleans up use of splnet.
|
|
the backout/disabling of the route link state tracking done a few days ago.
OK deraadt@
|
|
when we, for a new state, hit an existing tcp state which is in FIN_WAIT_2
on both ends do not fail but insert the new state anyway and unlink the
old one afterwards. pimp error message a bit, too.
problem found with NAT by viq <viq@viq.ath.cx>
ok theo markus
|
|
Alexander Sabourenkov. mbuf logic is based on claudio's recommendation
Tested by Alexander Sabourenkov
OK: henning@, claudio@
Theo: "In please..."
|
|
modifies the pfsync state queues, however, it didnt prevent interrupts from
whacking the same structures.
this diff makes the bulk update code take splsoftnet() to prevent the
panics ive been suffering all day when a firewall peer was booted.
ok deraadt@
|
|
while i was replacing the guts of pfsync, but i forgot to put it back
again. this will make ipsec gateway failover work again.
tested by sthen@ and david@
ok deraadt@
|
|
and I'm currently unable to find the cause of this. Time is running out so
workaround it for now. OK deraadt.
|
|
ioctl. without this peers would not request a bulk update when they come
up, and therefore will not have the full state tree available for use in
failover.
ok mcbride@ "go for it" deraadt@
|
|
reported by david@
an earlier version of this was ok mcbride@
ok deraadt@
|
|
level within the tun(4) driver. Otherwise we can be interrupted whilst
copying a packet into the BPF buffer, leading to a race between bpf_mtap()
calls. This can result in corruption within the BPF buffers.
Also ensure that we are at IPL_NET when calling ether_input_mbuf().
Fixes PR6073.
ok claudio@, canacar@ (for an earlier version of this diff)
|
|
when we want to pretend pf_get_translation didn't do anything we must
get rid of _both_ state keys and reset all 4 sk pointers to NULL and
not leave one key behind and have all 4 pointers point to it - that must
fail. tested dhill sthen, david agrees, deraadt ok
|
|
|
|
|
|
reminded by deraadt@
|
|
reminded by deraadt@
|
|
|
|
found by LLVM/Clang Static Analyzer.
ok dlg@
|
|
use M_CANWAIT throughout
ok sthen canacar claudio
|
|
Tested by many, thanks.
Put it in" deraadt@
|
|
WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC
this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.
huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.
ok beck@ mcbride@ "good." deraadt@
|
|
|
|
ok dlg, henning, sthen
|
|
"panic: pool_do_get(pfstatekeypl): free list modified" discussed with many.
ok dlg
|
|
and fix typo while here.
ok canacar@
|
|
Switch the padding field into a MPLS one in rt_msghdr to store
relevant informations.
OK claudio@ laurent@
|
|
can't be used with va_start. change it to u_int.
ok miod@
|
|
As a bonus it eliminates casting from pointer to int.
ok miod@ tedu@ millert@
|
|
noticed by Vladimir Kirillov <proger@uaoug.org.ua>
|
|
to zero for checksum offload; ok henning@
|
|
frees pf states.
ok mcbride@
|
|
pf_lb.c. This will ease the process of adding more selection types
without bloatening pf.c even more.
ok and a weird death threat, henning@
raised eyebrow, dlg@
|
|
break out the code that doesn't deal with fragment reassembly and only
modifies stuff in the ip header to their own functions. pass them what they
need instead of making them get the info from a rule ptr.
ok dlg ryan
|
|
wrong which resulted in a NULL rm_leaf which caussed a NULL deref a bit later.
Check against the right route nodes to figure out if the rm_leaf needs to be
updated. Tested by bluhm@, OK dlg@
|
|
We can now act as edge node and allow ipv4 packets to
enter a Label Switched Path and not just forwarding
MPLS packets.
OK claudio@
|
|
actually a bitfield -- of routing messages a listener is interested in.
This list can be changed with a setsockopt(s, AF_ROUTE, ROUTE_MSGFILTER, ...)
call. OK henning@, dlg@
|
|
pretend there was no match. This prevents pf_state_insert()
to fail with duplicate keys. OK henning@, mcbride@
|
|
|
|
|
|
hash the VLAN priority; ok henning@
|