Age | Commit message | Author |
|
rdomain 0 for now. OK michele@
|
|
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:
pass out on em0 from $foo to $bar received-on fxp0
ive been running this in production for a week now. i find it particularly
useful with interface groups.
no objections, and a few "i like"s from henning, claudio, deraadt, mpf
|
|
the original approach using a source tracking node.
the reimplementation is more flexible than the original one, we now have an
slist of source tracking nodes per state. that is cheap because more than
one entry will be an absolute exception.
ok beck and jsg, also stress tested by Sebastian Benoit <benoit-lists at fb12.de>
|
|
ok claudio@
|
|
instead of MISC. "makes a little bit more sense" henning@
|
|
ok claudio@ dlg@
|
|
not having sks and sks set to NULL causes random memory to be pool_put().
ok deraadt@ jsing@
|
|
|
|
and thus had to get rid of them if we didn't create state. this is no
longer the case, kill dead code. ok claudio
|
|
|
|
to pf_test6 (where it is wrong in some edge cases, for match rules and
logs a packet twice in some cases). ok claudio
|
|
if action != PF_PASS. same was changed in pf_test_rule a while back
but the fragment case was forgotten. since everybody reassembles nobody
ran into this.
|
|
|
|
the NAT rewrite and ever since then only checked in a couple of places
but never set. same for nat_src_node on pf_state.
with this the NAT rewrite made pf over 1000 lines shorter.
|
|
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing
|
|
sneaks packets on and off network interfaces in some cases without
calling the interrupt, start, or output functions, and thus must do
these tasks which the drivers cannot do. The gif and vether are
rather special. Someone should re-check gre.
ok claudio
|
|
|
|
different rdomain than the default one. This allows doing MPLS VPNs
without the MPLS madness. OK deraadt@, henning@
|
|
those that come in the bridge are still invisible. the bridge is going
to have to bpf those for us.
|
|
|
|
|
|
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain safe and no longer leaks single packets into the main domain.
Looks good markus@, henning@
|
|
ok dlg
|
|
|
|
Found by parfait.
ok henning@
|
|
requested by deraadt@
|
|
OK deraadt
|
|
supported it doesn't do any harm), so put the KNOTE() in selwakeup() itself and
remove it from any occurrences where both are used, except one for kqueue itself
and one in sys_pipe.c (where the selwakeup is under a PIPE_SEL flag).
Based on a diff from tedu.
ok deraadt
|
|
so that a bridge-etherip-tunnel host can join into the bridge itself.
It is ridiculous that this capability was missing from our network
stack portfolio, considering we have bgp and ospf daemons...
discussed at length with claudio
|
|
tested by phessler@ pyr@
ok claudio@
"go ahead" deraadt@
|
|
everything just more complicated. Make sure the structs align nicely.
OK deraadt@
|
|
tables on top of a rdomain) but until now our code was a crazy mix so that
it was impossible to correctly use rtables in that case. Additionally pf(4)
only knows about rtables and not about rdomains. This is especially bad when
tracking (possibly conflicting) states in various domains.
This diff fixes all or most of these issues. It adds a lookup function to
get the rdomain id based on a rtable id. Makes pf understand rdomains and
allows pf to move packets between rdomains (it is similar to NAT).
Because pf states now track the rdomain id as well it is necessary to modify
the pfsync wire format. So old and new systems will not sync up.
A lot of help by dlg@, tested by sthen@, jsg@ and probably more
OK dlg@, mpf@, deraadt@
|
|
reminded by Steve Andre.
|
|
splitting things out into a separate pool.
Problem noticed and fix tested by sthen@
ok claudio@
|
|
which unbreaks i.e. route-to after the recent pf changes.
With much help debugging and pointing out of missing bits from claudio@
ok claudio@ "looks good" henning@
|
|
like dhcpd/dhclient can send packets out of interfaces in other rdomains
without hitting the check in ether_output().
With and ok phessler@
|
|
`OK' claudio
|
|
the mbuf got leaked when detaching an interface, spotted by theo.
fixed by me, diff refined by theo
eyeballed by claudio@
'go ahead, commit this' by theo@
|
|
destination of a packet was changed by pf. This allows for some evil
games with rdr-to or nat-to but is mostly needed for better rdomain/rtable
support. This is a first step and more work and cleanup is needed.
Here a list of what works and what does not (needs a patched pfctl):
pass out rdr-to:
from local rdr-to local addr works (if state tracking on lo0 is done)
from remote rdr-to local addr does NOT work
from local rdr-to remote works
from remote rdr-to remote works
pass in nat-to:
from remote nat-to local addr does NOT work
from remote nat-to non-local addr works
non-local is an IP that is routed to the FW but is not assigned on the FW.
The non working cases need some magic to correctly rewrite the incoming
packet since the rewriting would happen outbound which is too late.
"time to get it in" deraadt@
|
|
statements operating as a whitelist, taking care to allow af 0 (which is
the wildcard value in pf rules)
diff from Vadim Zhukov
ok henning
|
|
- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.
The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).
The pf syntax is pretty simple, e.g.:
pass on em0 inet proto tcp from any to any port 80 divert-packet port 1
A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who spotted the limitations of this approach.
OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.
discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@
|
|
into something usable by ioctl. makes DIOCADDSTATE on /dev/pf cope
when inserting an already existing state.
|
|
Reported and fix tested by weerd@, ok claudio@
|
|
The RTM_VERSION bump is 2 years ago and so there is no need for this.
Diff made by tedu@ some time ago but never got committed so I do it now.
|
|
starts in a timeout handler which runs at a lower spl.
This fixes the problems with lacp trunks where some interfaces suddenly
fail for no obvious reason. Problem report and fix tested by Stephan A.
Rickauer. OK henning, reyk, mpf
|
|
below splnet() is a good recipe for doom.
OK henning, reyk, mpf
|
|
add break in the last case block
|
|
PF_ANEQ call in pf_test_state_other in the IPVshit case used AF_INET, found
by claudio
|
|
if_media. This makes link state tracking a lot easier as there is no need
to convert if types to if_media types, etc. Additionally this allows us
to extend the link states to include states tracked on higher protocol layers.
gre(4) keepalive packets, bfd and udld can be implemented without ugly hacks.
OK henning, michele, sthen, deraadt
|
|
API function directly to lacp_input() to simplify the code path.
ok mpf@
|