| Age | Commit message (Collapse) | Author |
|---|
|
combination with translations was too broad and broke some
more complex setups (creating two states for one connection on
two interfaces, using modulate state for each, and additionally
using route-to/reply-to on one of them), so narrow it to the
cases where it's needed. Reported by henric@.
|
|
and drop packets with invalid checksums. Without such a check, pf would
return RST/ICMP errors even for packets with invalid checksums, which
could be used to detect the presence of the firewall, reported by
"Ed White" in http://www.phrack.org/phrack/60/p60-0x0c.txt.
To minimize the cost of checksum calculations, mbuf flags set by
network interfaces capable of hardware checksumming are honoured,
and set when pf performs the calculation, so the TCP/IP stack itself
will not repeat the calculation for the same packet later on.
ok mcbride@ and henning@
|
|
handshake. Solves the issues with the "ACK+1000000 cookie scheme",
which depends on RFC 763 (p39, Reset Generation, 2. non-synchronized
state, "reset is sent"). ok henning@, camield@ and (I guess ;)
frantzen@
|
|
Stop overloading PF_OP_RRG as a flag where it doesn't make sense, and
makes the port mapping more flexble, allows mapping a destination port range
of one size to an other of a different size.
Fixes and additional testing courtesy of dhartmei@
ok dhartmei@
|
|
overlap calculation got negative. Found by Baruch Even. ok henning@
|
|
copies the data to the specified buffer. So, for TCP options, provide
an sufficiently large buffer and copy to there.
|
|
doing it later can invalidate pointers to mbuf data. This fixes subtle
breakage just introduced (with 1.306).
|
|
Interestingly, our own stack uses wscale 1 quite regularly, and I now
suspect that this is what caused most of the state failures I've seen.
They were quite rare, but with working wscale support, they are reduced
even more. ok henning@
|
|
This only happens when using nat/rdr/binat on IPv6 connections, which
hasn't been used before, obviously. But it does work now.
Reported and confirmed by evilted@efnet, ok mcbride@
|
|
|
|
|
|
|
|
inspired by Thorsten Glaser via fries@
ok theo
|
|
pointed out in advance by dhartmei@
|
|
correctly. Also remove some extra cruft in pf_get_sport related to the
"static-port" behaviour.
bug report from mpech@ and form@
testing cedric@
"looks sane to me" henning@
ok dhartmei@
|
|
|
|
table <foo> { 1.2.3.4 1.2.3.4 1.2.3.4 }
Was causing the kernel to become noisy.
Now duplicates are silently rejected.
|
|
referenced or inactive set. Flags were not updated correctly.
Tested on i386, sparc64. More regression tests coming.
|
|
Makes code more readable.
|
|
Removes "_" from pool names.
Regression tests for memory allocation coming soon....
|
|
- Reject invalid CIDR networks (1.2.3.4/16 & friends).
- Only allow values 0 or 1 for the "neg" flag.
- Require all unused data to be set to 0 in pfr_addr and pfr_table.
- Always check the return value of pfr_route_entry().
- Remove redundant kernel messages.
Tested on i386, sparc64. Pass my (uncommited) regression tests.
|
|
the "negated" attribute of an address. The previous behaviour was incorrect
in both cases (too strict for the add command and too permissive for the
delete command).
ok dhartmei@
|
|
|
|
|
|
|
|
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@
|
|
|
|
ok henning@, deraadt@
|
|
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@
|
|
ok dhartmei@
|
|
|
|
name. ok henning@, mcbride@, cedric@
|
|
|
|
ok henning@, mcbride@
|
|
|
|
|
|
|
|
interface is LEARNING not the destination.
|
|
2) add new PFR_FLAG_REPLACE for use by pfr_tst_addrs().
3) add new pfrio_nmatch alias to pfioc_table, set by pfr_tst_addrs().
Tested on i386, sparc64
|
|
ok fgsch@ dhartmei@ henning@
|
|
ok dhartmei@ henning@
|
|
pf_test() may be called twice for the same packet. In this case, make
sure the translation is only applied in the second call. This solves
the problem with state insert failures where the second pf_test() call
tried to insert another state entry after the first call's translation.
ok henning@, mcbride@, thanks to Joe Nall for additional testing.
|
|
|
|
|
|
|
|
|
|
|
|
(i.e: pfradix -a test 1.2.3.4 1.2.3.4). The ioctl can also report theses
duplicate to the caller using the new PFR_FB_DUPLICATE feedback tag.
|
|
multiple time in the same ioctl (i.e. pfradix -A/D test test test).
This is not a very efficient implementation, and I'll change it if someone
really add/delete more than hundred of tables in the same ioctl.
|
|
stored in a separate list now. Regress tests still pass after
sed "s/ a=end / /g", other skip steps are not affected.
|
