Age | Commit message | Author |
|
no objection from mcbride@ krw@ markus@ deraadt@
|
|
Following bluhm's advice this changes the way we set up state keys and
perform state lookups for ICMPv6 Neighbor Discovery packets:
- replace the NS-dst with ND target address;
- replace the NA-src with ND target address;
- replace the NA-dst with unspecified address if it is a multicast.
This allows pf to match Address Resolution, Neighbor Unreachability
Detection and Duplicate Address Detection packets to the corresponding
states without the need to create new ones or match unrelated ones.
As a side effect we're doing now one state table lookup for ND packets
instead of two.
Fixes a bug uncovered by one of the previous commits that virtually
breaks IPv6 connectivity after a few minutes of use.
ok stsp henning, with and ok bluhm
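An added illustration of the three substitutions above (example code written for this page, not pf's own code and not part of the commit): a stand-alone C model that builds the ND state key from constructed NS and NA packets and checks that the reply's key is the request's key with the ends swapped, for address resolution, Neighbor Unreachability Detection and Duplicate Address Detection, plus an unrelated NA that must not match. The struct layouts, the nd_state_key/nd_pair_matches/nd_demo names and the 2001:db8:: addresses are assumptions of the example; the real pf key also carries address family, protocol and ports and is built from a pf_pdesc.

```c
#include <stdint.h>
#include <string.h>

#define ND_NEIGHBOR_SOLICIT 135
#define ND_NEIGHBOR_ADVERT  136

struct ip6addr { uint8_t b[16]; };

/* The ICMPv6 ND packet fields used here (constructed layout, not an mbuf). */
struct nd_pkt {
	struct ip6addr src, dst;  /* IPv6 header source and destination */
	uint8_t icmp6_type;       /* 135 = NS, 136 = NA */
	struct ip6addr target;    /* ND target address from the ICMPv6 body */
};

/* Address pair used as the state key, in the packet's own direction. */
struct state_key { struct ip6addr src, dst; };

static const struct ip6addr unspecified = { { 0 } };                                  /* ::      */
static const struct ip6addr all_nodes = { { [0] = 0xff, [1] = 0x02, [15] = 0x01 } };  /* ff02::1 */

static int addr_eq(const struct ip6addr *x, const struct ip6addr *y)
{
	return memcmp(x->b, y->b, sizeof(x->b)) == 0;
}

static int is_multicast(const struct ip6addr *a)
{
	return a->b[0] == 0xff;   /* ff00::/8 */
}

/* The substitutions from the commit message:
 *   NS: destination (solicited-node multicast or unicast) -> ND target
 *   NA: source -> ND target; a multicast destination -> unspecified */
int nd_state_key(const struct nd_pkt *p, struct state_key *k)
{
	switch (p->icmp6_type) {
	case ND_NEIGHBOR_SOLICIT:
		k->src = p->src;
		k->dst = p->target;
		return 1;
	case ND_NEIGHBOR_ADVERT:
		k->src = p->target;
		k->dst = is_multicast(&p->dst) ? unspecified : p->dst;
		return 1;
	default:
		return 0;         /* not an ND packet keyed this way */
	}
}

/* The NA is matched to the NS's state when its key is the NS key with the
 * ends swapped, which is what a pf lookup in the opposite direction tests. */
int nd_pair_matches(const struct nd_pkt *ns, const struct nd_pkt *na)
{
	struct state_key kns, kna;
	if (!nd_state_key(ns, &kns) || !nd_state_key(na, &kna))
		return 0;
	return addr_eq(&kns.src, &kna.dst) && addr_eq(&kns.dst, &kna.src);
}

/* Constructed addresses: 2001:db8::<last>, and the RFC 4291 solicited-node
 * multicast address ff02::1:ffXX:XXXX built from a target's low 24 bits. */
static struct ip6addr host(uint8_t last)
{
	struct ip6addr a = { { 0x20, 0x01, 0x0d, 0xb8 } };
	a.b[15] = last;
	return a;
}

static struct ip6addr solicited_node(const struct ip6addr *t)
{
	struct ip6addr m = { { [0] = 0xff, [1] = 0x02, [11] = 0x01, [12] = 0xff } };
	memcpy(&m.b[13], &t->b[13], 3);
	return m;
}

/* The exchanges named in the commit message over constructed hosts
 * A = 2001:db8::1, T = 2001:db8::2, X = 2001:db8::3; returns 1 when the NA
 * is matched to the state the NS created. "resolution": A multicasts an NS
 * for T and T answers A by unicast. "nud": A unicasts the NS to T. "dad": NS
 * from ::, a defender answers to all-nodes. "unrelated": NA for X, no match. */
int nd_demo(const char *scenario)
{
	struct ip6addr A = host(1), T = host(2), X = host(3);
	struct nd_pkt ns = { A, solicited_node(&T), ND_NEIGHBOR_SOLICIT, T };
	struct nd_pkt na = { T, A, ND_NEIGHBOR_ADVERT, T };
	if (strcmp(scenario, "nud") == 0)
		ns.dst = T;
	else if (strcmp(scenario, "dad") == 0) {
		ns.src = unspecified;
		na.dst = all_nodes;
	} else if (strcmp(scenario, "unrelated") == 0) {
		na.src = X;
		na.target = X;
	}
	return nd_pair_matches(&ns, &na);
}
```

The DAD case is the one that needs both NA rewrites: the defending node answers from the target address to ff02::1, so only after mapping that multicast destination to :: does the NA key line up with the NS that was sent from ::.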
|
|
pf to fix that.
- add #ifdef INET6 in obvious places
- af translation is only possible with both INET and INET6
- interleave #endif /* INET6 */ and closing brace correctly
- it is not necessary to #ifdef function prototypes
- do not compile af translate functions at all instead of empty stub,
then the linker will report inconsistencies
- pf_poolmask() actually takes an sa_family_t not an u_int8_t argument
No binary change for GENERIC compiled with -O2 and -UDIAGNOSTIC.
reported by Olivier Cochard-Labbe; ok mikeb@ henning@
|
|
large parts written by Florian Obser (florian -at- narrans -dot- de).
feedback from sperreault@ gollo@ sthen@
ok from gollo@ dlg@ henning@
|
|
|
|
pointed out / ok mikeb@
|
|
two consecutive host addresses won't generate the same value which
is used as a port number in state entries; ok bluhm, sperreault
|
|
ok bluhm, henning
|
|
You should use the proper queues via pf instead. ok phessler@ henning@
|
|
returned early. As a result tcpdump -i pflog0 printed uninitialized
kernel memory for short packets. Fix this by copying the mbuf data
we have if we cannot decode the packet.
ok mikeb@ henning@
|
|
- Let pf_normalize_ip() and pf_normalize_ip6() take the struct
pf_pdesc pd as argument.
- Always check whether the mbuf got NULL after normalization to make
the code more robust.
- Make the code structure of pf_normalize_ip6() more like
pf_normalize_ip() to make the differences obvious.
ok henning@
|
|
- Fragment offset is in network byte order.
- Check for legal short fragments before calling pf_pull_hdr() to
avoid bogus reason accounting.
- When checking whether the protocol header is within the fragment,
count the IPv6 payload length relative to the end of the IPv6 header.
ok henning@
|
|
to the initial value and do not use the counter;
reported by Sebastian Benoit and Daniel Krambrock,
tested by Sebastian Benoit, ok henning zinke
|
|
and IPv6 stack.
ok sperreault@
|
|
by default. After this change we need to add
ppp.ingress_filter: true
to npppd.conf if it is needed.
ok sthen
|
|
from Michael W. Bombardieri
|
|
compatible equipment provided that the physical interface and other layer 2
devices involved support and are configured to use jumbo frames.
Manpage to follow; typical use is to request 1500 MTU for pppoe, this
requires 1508+ MTU on the physical interface, e.g. "ifconfig em0 mtu 1508;
ifconfig pppoe0 mtu 1500". Known to be usable in the UK with some ISPs
(e.g. aaisp) using BT FTTC backhaul.
From Matt Dainty, originally based on support in NetBSD, changed to
decouple pppoe from physical interface MTU. Tested with UK FTTC by Matt,
no regressions on my standard UK ADSL setup or yasuoka@'s setup (in Japan,
NTT uses 1452 byte MTU for PPPoE and 1500 byte MTU for IPv6 on the same
network).
ok yasuoka@
|
|
Found by LLVM/Clang Static Analyzer.
ok henning@ markus@
|
|
a packet that is passed to the userland has not incremented, `pipex' passed
the packet mistakenly with invalid ack number. Then `npppd' will drop these
packets, so that caused the problem.
tested jmatthew
ok jmatthew
|
|
|
|
make their argument list shorter. Also fix a bug where pf_walk_option6()
used the outer header in the pd2 case.
ok henning@ mikeb@
|
|
this prevents the backup from failing over back to master immediately
after getting link back on carpdev interface if underlying
pfsync interface went down as well. instead pfsync will
request a bulk update to get new states from the master.
sthen and mpf like the idea, ok dlg
|
|
so always show as writable to poll()/select().
Behavior pointed out by Fernando Gont. ok deraadt@
|
|
latter is called from pf packet logging. This resulted in normalization
and reassembly of bad packets to be logged. So rearrange the code
and move the call to pf_test().
ok henning@
|
|
The reassembly state will be dropped after timeout, all related
fragments are dropped until then. This conforms to RFC 5722.
- Sort pf_fragment fields while there.
- If the fr_queue is empty, we had overlapping fragments, don't add
new ones.
- If we detect overlapping IPv6 fragments, flush the fr_queue and
drop all fragments immediately.
- Rearrange debug output, to make clear what happens.
- An IPv4 fragment that is totally overlapped does not increase the
bad fragment counter.
- Put a KASSERT into pf_isfull_fragment() to make sure that the
fr_queue is never empty there.
discussed with Fernando Gont; ok henning@
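An added example (written for this page, not pf's code) covering both this commit's RFC 5722 overlap policy and the byte-order and length checks from the earlier pf_normalize_ip6() fragment commit above: it decodes a constructed Fragment header byte-wise, applies the length checks with the payload counted from the end of the IPv6 header, and keeps a per-packet fragment queue that is flushed and poisoned on the first overlap so that later fragments are refused too. The parse_frag_hdr/frag_sanity/reasm_insert names, the FRAG_ACCEPT/FRAG_DROP verdicts, the fixed-size queue and the sample header bytes are assumptions of the example; pf keys its fragment entries by address pair and identification and expires them through its timeout machinery, which is not modelled here.

```c
#include <stdint.h>
#include <string.h>

#define FRAG_HDR_LEN 8
#define MAXFRAGS     64

enum { FRAG_ACCEPT = 0, FRAG_DROP = 1 };   /* verdicts used by this example */
/* Decode an IPv6 Fragment header (RFC 2460 4.5). The offset/flags word is
 * big-endian on the wire; read it byte-wise so host byte order cannot leak in. */
void parse_frag_hdr(const uint8_t hdr[FRAG_HDR_LEN], uint16_t *off, int *more)
{
	uint16_t offlg = (uint16_t)((hdr[2] << 8) | hdr[3]);
	*off  = offlg & 0xfff8;   /* 13-bit offset in 8-octet units; masked == byte offset */
	*more = offlg & 0x0001;   /* M flag */
}

/* Length checks before the payload is touched. plen is the IPv6 payload length,
 * fraghdr_off the Fragment header's position counted from the end of the fixed
 * IPv6 header, hdrlen the upper-layer header a first fragment must carry whole. */
int frag_sanity(uint16_t plen, uint16_t fraghdr_off, uint16_t off, int more,
    uint16_t hdrlen, uint16_t *fraglen)
{
	if (plen < (uint32_t)fraghdr_off + FRAG_HDR_LEN)
		return FRAG_DROP;          /* Fragment header itself is truncated */
	*fraglen = plen - fraghdr_off - FRAG_HDR_LEN;
	if (more && (*fraglen & 7) != 0)
		return FRAG_DROP;          /* only the last fragment may be unaligned */
	if ((uint32_t)off + *fraglen > 65535)
		return FRAG_DROP;          /* would exceed the maximum IPv6 packet */
	if (off == 0 && *fraglen < hdrlen)
		return FRAG_DROP;          /* protocol header not within the first fragment */
	return FRAG_ACCEPT;
}

/* One reassembly (one src/dst/identification). After an overlap the queue is
 * emptied and `flushed` stays set until the entry times out (RFC 5722). */
struct frag { uint16_t off, len; };
struct reasm {
	struct frag q[MAXFRAGS];
	int n, flushed;
};

static int overlaps(const struct frag *a, uint16_t off, uint16_t len)
{
	return (uint32_t)off < (uint32_t)a->off + a->len &&
	    (uint32_t)a->off < (uint32_t)off + len;
}

int reasm_insert(struct reasm *r, uint16_t off, uint16_t len)
{
	if (r->flushed)
		return FRAG_DROP;          /* poisoned: drop until timeout */
	for (int i = 0; i < r->n; i++)
		if (overlaps(&r->q[i], off, len)) {
			r->n = 0;          /* flush the queue ... */
			r->flushed = 1;    /* ... and refuse everything that follows */
			return FRAG_DROP;
		}
	if (r->n == MAXFRAGS)
		return FRAG_DROP;
	r->q[r->n++] = (struct frag){ off, len };
	return FRAG_ACCEPT;
}

/* Constructed Fragment header: next header UDP, byte offset 1448 with M set
 * (0x05a9 on the wire), id 0xdeadbeef. Returns 1448; a host-order read on a
 * little-endian machine would see 0xa905 and report offset 0xa900 instead. */
uint16_t demo_wire_offset(void)
{
	static const uint8_t hdr[FRAG_HDR_LEN] =
	    { 0x11, 0x00, 0x05, 0xa9, 0xde, 0xad, 0xbe, 0xef };
	uint16_t off; int more;
	parse_frag_hdr(hdr, &off, &more);
	return more ? off : 0xffff;
}

/* First fragment (off 0, M set) of a TCP packet: returns its payload length or
 * -1 if rejected. (16, 0) -> -1, only 8 bytes, no room for the TCP header.
 * (1248, 8) -> 1232, an 8-byte Hop-by-Hop header precedes the Fragment header. */
int demo_first_fragment(uint16_t plen, uint16_t fraghdr_off)
{
	uint16_t fl = 0;
	return frag_sanity(plen, fraghdr_off, 0, 1, 20, &fl) == FRAG_ACCEPT ? fl : -1;
}

/* Three clean fragments, then an overlapping one, then a valid late one.
 * Returns the number accepted (3) if the queue was left empty, else -1. */
int demo_overlap(void)
{
	struct reasm r;
	int accepted = 0;
	memset(&r, 0, sizeof(r));
	accepted += reasm_insert(&r, 0, 1232) == FRAG_ACCEPT;
	accepted += reasm_insert(&r, 1232, 1232) == FRAG_ACCEPT;
	accepted += reasm_insert(&r, 2464, 1232) == FRAG_ACCEPT;
	accepted += reasm_insert(&r, 1000, 500) == FRAG_ACCEPT;   /* overlaps the first two */
	accepted += reasm_insert(&r, 3696, 304) == FRAG_ACCEPT;   /* valid, but refused */
	return r.n == 0 ? accepted : -1;
}
```

The poisoning is the point of the RFC 5722 behaviour: without it an attacker can keep a reassembly alive with overlapping data and make the firewall and the end host disagree about which bytes win, which is the classic fragment-overlap evasion.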
|
|
from Michael W. Bombardieri; ok henning@
|
|
ok miod@
|
|
cleaner to access the first member via ia_ifa instead of casting.
No binary change.
ok henning@ krw@
|
|
doing more or less the same, merge them into one. Just remove
fragment entries from the queue in pf_join_fragment() before they
are freed. Then pf_remove_fragment() is not needed anymore.
ok henning@
|
|
in pf_test_state_*(). This needs less code and is more consistent.
OK mikeb, markus, henning.
|
|
also don't do af translation if pf_translate didn't succeed. ok henning
|
|
(there is only one state and its direction is always PF_IN) and don't
exclude icmp echo replies from the test.
ok mcbride, claudio on previous version, ok henning, "looks good" deraadt
|
|
pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.
positive review and comments from claudio, ok henning, sperreault
|
|
testing sthen@
ok sthen@ henning@ dlg@
|
|
testing sthen@
ok sthen@ henning@ dlg@
|
|
testing sthen@
ok sthen@ henning@ dlg@
|
|
ok claudio@ henning@ mikeb@
|
|
ok dlg claudio
|
|
with every other thing that stores the state id (including other pfsync
messages).
includes improvements to the systat code to consider the creatorid as well
as the state id in its cache to avoid collisions between states created on
different hosts.
tested by me in production and on amd64 talking to sparc64.
ok henning@
|
|
pf_state_expires() handled it incorrectly.
discussed with mikeb@
ok henning@
|
|
accidental race conditions. From Erik Lax, thanks! ok dlg
|
|
|
|
When transmitting through vlan(4), it will now use the prio value in
pf packet header. When receiving, we save the incoming CoS in the same
place, this gives us the ability to preserve the CoS value across two
different vlan interfaces.
This kills the SIOC[GS]VLANPRIO ioctls and removes the corresponding
buttons from ifconfig(8).
ok henning@ claudio@ mcbride@
|
|
connection does not observe the route-to option.
ok dlg mikeb
|
|
pointed out by Julien Crapovich on misc@
ok deraadt mikeb
|
|
skewed at runtime by things like date(1) and ntpd. time_uptime is
monotonic and therefore more useful to compare against.
ok deraadt@ mikeb@
|
|
only when we're going up, not when we set PROMISC or any other
flag. Fixes spontaneous CARP failovers when running tcpdump
on pfsync.
ok henning, mcbride, camield
|
|
From Abel Abraham Camarillo Ojeda, reminded by Brad.
|
|
calculations, and does _not_ denote the time when to expire. So
it should never be added to (set into the future).
Try to reconstruct it with an educated guess on state import and
just set it to the current time on state updates.
This fixes a problem on pfsync listeners where the expiry time
could be double the expected value and cause a lot more states
to linger.
Timeout code from mikeb.
Found and tested by Maxim Bourmistrov.
ok mikeb dlg
|
|
an icmp<->icmp6 state (nat64); ok henning, mcbride, dlg
|