Age | Commit message | Author |
|
spotted by Mike Belopuhov <mkb@crypt.org.ru>
|
the packet is of the expected address family (AF_INET / AF_INET6).
crafted IPv4 packets with IPPROTO_ICMPV6 can make us crash otherwise.
misbehaviour provoked by Adrian Close <adrian@close.wattle.id.au> playing
with nmap; he also helped us big time debugging the problem. thanks!
ok ryan
|
which will be used for new interface routes. For example,
ifconfig em0 10.1.1.0 255.255.255.0 rtlabel RING_1
will set the new interface address and attach the route label RING_1 to
the corresponding route.
manpage bits from jmc@
ok claudio@ henning@
|
from mickey, ok me markus mickey
|
since we include the mbuf header parts for pf unconditionally, we should
be able to check them unconditionally as well. ok mcbride markus
|
(&ptr instead of ptr). should fix pflog breakage seen by bob
|
some I found afterwards, ok dlg
|
pfioctl()'s DIOCKILLSTATES triggers panic due to wrong test
variable in for() loop.
well analyzed and fixed, excellent PR, applied verbatim, thanks!
(this was fallout from the state - state key split)
|
reconfigured after they are set. so they bail out when you try to. so when
you re-run netstart on a machine with vlans, it bails out with
ifconfig: SIOCSETVLAN: Device busy
and IP changes are not done.
make vlan_config() notice when both parent interface and vlan number stay
the same and just return success without doing anything in that case.
allows the IP config thereafter to happen. ok markus jason
|
with a state entry into a new pf_alloc_state_key() function and use it
everywhere. makes upcoming changes way easier and is cleaner anyway.
conceptually agreed by ryan, but he's on the road now ;(
|
one - pf_test_rule(). now we have one place to make things clearer and
maybe find another few performance bits :)
shrinks i386 GENERIC by 11K, no measurable performance impact or gain.
lots lots lots lots lots of testing and headbanging with ryan,
performance testing ckuethe. ok ryan
|
we need a pointer to the inpcb to decide, which was not previously
passed to ip6_output, so this diff is a little bigger.
from itojun, ok ryan
|
I am a retard for not testing properly and owe people beers tonight.
|
ok henning@
|
- Split pf_state into pf_state (used for tracking connection information),
and pf_state_key (used for searching the state table)
- Use pfsync_state in the ioctl for userland access to the state
table. This will shield userland somewhat from future changes.
ok henning@ toby@ pyr@
|
instead of one where they were just empty. Figured out by art@
|
there was code inside
#if NPF > 0
to prevent feeding back the mbuf to looutput if we are on simplex
interfaces and the packet has been routed by pf, which can lead to a loop
in weird corner cases.
apparently nobody triggered these cases in ages, since pf.h was not included
and thus NPF not defined and thus this code not compiled.
|
#if NPF > 0
to prevent feeding back the mbuf to looutput if we are on simplex
interfaces and the packet has been routed by pf, which can lead to a loop
in weird corner cases.
apparently nobody triggered these cases in ages, since pf.h was not included
and thus NPF not defined and thus this code not compiled.
ok theo
|
decommissioned aeons ago. We will not miss it at all.
OK dlg@ henning@ and a lot of cheers by others in the room
|
ok henning
|
This changes nothing on legacy architectures, but is a bit faster (and simpler)
on the interesting ones.
|
OK henning@ mcbride@
|
boring details:
long time ago (in r1.313) code was added to handle protocol checksums:
> Check protocol (TCP/UDP/ICMP/ICMP6) checksums of all incoming packets,
> and drop packets with invalid checksums. Without such a check, pf would
> return RST/ICMP errors even for packets with invalid checksums, which
> could be used to detect the presence of the firewall, reported by
> "Ed White" in http://www.phrack.org/phrack/60/p60-0x0c.txt.
that meant we did the checksumming for each and every packet traversing pf.
now only do the checksumming right before we send an RST back, so in all
other cases we save that work.
ok bob theo
|
Pick reasonable names for the locks involved..
ok tedu@, art@
|
boring details:
pf used to use an mbuf tag to keep track of route-to etc, altq, tags,
routing table IDs, packets redirected to localhost etc. so each and every
packet going through pf got an mbuf tag. mbuf tags use malloc'd memory,
and that is kinda slow.
instead, stuff the information into the mbuf header directly.
bridging soekris with just "pass" as ruleset went from 29 MBit/s to
58 MBit/s with that (before ryan's randomness fix, now it is even betterer)
thanks to chris for the test setup!
ok ryan ryan ckuethe reyk
|
packet. If multiple packets come in on a single interrupt the times mixed into
the randomness pool will be identical or predictably close anyways, and
nanotime() is expensive.
ok toby jason miod claudio
|
ok dlg claudio
|
ok claudio@ reyk@ henning@ ja ja ja mcbride@
|
of reassigning a struct ifnet pointer.
discussed with and ok mcbride@
|
oustside, seqencer, toghether, nessissary, etc.
|
fixes pppoe f_addrhooks panics (e.g. pr 5454); ok canacar
|
etherip encapsulation; unbreaks remote ipsec bridges; ok claudio;
additional testing Renaud Allard
|
instead of open/close events. Fixes PR 5457 where
an extra open event arrived due to an authentication
timeout/retransmission and confused things. Tested
by RD Thrush and mpf@, discussions and ok mpf@
|
OK claudio@ jason@
|
addresses in struct arpcom. this lets a nic driver easily see if it wants
allmulti behaviour, which in turn means we can clean some code up.
ok jason@ claudio@ norby@
|
makes carp(4) fail-over work over bridge(4). OK michele@ jason@
|
in ip6_input(), but pf_test6() is called from bridge code as well.
ok dhartmei@ henning@ deraadt@ claudio@
|
drop all packets with routing headers unless the matching rule explicitly
specifies 'allow-opts'.
ok dhartmei@ henning@ deraadt@ claudio@
|
It shouldn't make a difference, but some
ioctl-callers don't initialize the ifreq properly.
Fixes a panic w/ tun(4) on trunk(4).
OK reyk@, claudio@
|