path: root/sys/net
Age  Author
  Commit message
2009-07-09  Bret Lambert
  unsigned -> unsigned int
  ok claudio@, henning@
2009-07-08  Claudio Jeker
  Add the same routing domain assignments and checks into the not so used
  protocols as it is currently in if_ethersubr.c. OK reyk@
2009-07-07  Michele Marchetto
  When adding or changing an MPLS route, add RTF_MPLS flag to
  routing message. We can then rely on that flag to spot out MPLS routes coming from routing socket. ok claudio@
2009-06-26  Markus Friedl
  invert direction for inner icmp state lookups (e.g. traceroute with icmp)
  ok henning, jsing
2009-06-26  Bret Lambert
  the pr_usrreq implementation for routing sockets shares exactly one line
  of code between cases, so stop pretending otherwise, and move the if() dance to a switch, as is done in every other pr_usrreq I'm aware of. ok claudio@ michele@
2009-06-25  Stuart Henderson
  scrub_flags is a u_int8_t, but PFSTATE_SCRUB_TCP is 0x0100, so the
  "reassemble tcp" state option failed to work correctly. Increasing this to u_int16_t fixes kernel/6178. ok deraadt@ henning@
2009-06-24  Stuart Henderson
  move the "pf_map_addr: selected address" printf up to -xnoisy.
  ok henning@
2009-06-22  Bret Lambert
  Remove unneeded sotorawpcb() call, as the PCB is unmolested between
  malloc()ing it and calling that macro. No functional change, just tightening things up a bit. ok claudio@ michele@
2009-06-22  Joel Sing
  Check that the address family is appropriate before processing ICMPv4 and
  ICMPv6 messages. ok henning@
2009-06-22  Joel Sing
  Always drop ICMPv6 in IPv4 datagrams, not only when compiled with INET6.
  Suggested by Max Laier. ok henning@
2009-06-22  Joel Sing
  Fix scrub max-mss for IPv6 traffic.
  spotted by naddy@ ok henning@
2009-06-20  Bret Lambert
  Decrement routing socket count in MPLS detach case
  While here, fix whitespace (spaces -> tabs) issue spotted by michele@ ok michele@, claudio@
2009-06-17  Joerg Goltermann
  fix flow data values: first and last time, found by f-kons at yandex ru
  OK: sthen@, henning@
2009-06-17  David Gwynne
  do better detection of when we have a better version of the tcp sequence
  windows than our peer. this resolves the last of the pfsync traffic storm issues ive been able to produce, and therefore makes it possible to do usable active-active stateful firewalls with pf. lots of testing locally on the production firewalls, also tested by sthen@
2009-06-14  David Gwynne
  enable support for deferring the packet that creates a state so that your
  sync peers are able to get the states before the replies. previously there was a race where the reply could hit a partner firewall before it had the state for it, which caused the reply to get processed by the ruleset which probably would drop it. this behaviour is off by default because it does delay packets, which is only wanted in active-active firewalls or when an upstream router is slow to learn that you've moved the active member of the pfsync cluster. it also uses memory keeping the packets in the kernel. use "ifconfig pfsync0 defer" to enable it, "ifconfig pfsync0 -defer" to disable. tested by sthen@ who loves it. he's got manpage changes coming up for me.
2009-06-12  David Gwynne
  rewrite the way states from pfsync are merged into the local state tree
  and the conditions on which pfsync will notify its peers on a stale update. each side (ie, the sending and receiving side) of the state update is compared separately. any side that is further along than the local state tree is merged. if any side is further along in the local state table, an update is sent out telling the peers about it. this has been flogged to death on my firewalls.
2009-06-10  David Gwynne
  jj reported a panic in bulk updates to me. this is my attempt to fix the
  most obvious problem. if the state table is empty, we'd deref a null pointer. tested on my firewalls with big state tables, so existing use cases still work.
2009-06-08  Henning Brauer
  in pf_print_state_parts, do not use skw->proto to print the protocol
  but our local copy proto that we very carefully set beforehand. skw being NULL is perfectly valid there.
2009-06-08  Henning Brauer
  bring back the fixed PF_AEQ/ANEQ/AZERO macros, the offending use has been
  found by sthen and fixed, all other callers of these macros checked by both of us
2009-06-08  Stuart Henderson
  "do not call PF_ANEQ with af=0, dragons". fixes a problem with skip
  steps found with the recent pfvar.h commit to check address families. from & commit req by henning.
2009-06-08  Henning Brauer
  gah. something is not quite right, sthen sees strange behaviour fixed
  by backing out the macro fix. something must rely on the broken behaviour
2009-06-08  Henning Brauer
  unfuck PF_AEQ PF_ANEQ PF_AZERO macros that got fucked when v6 support
  was added in 2001. yes i got bitten by inet6 shit again. in the ANEQ case, if af == AF_INET, (a)->addr32[0] != (b)->addr32[0] is false when the addresses ARE equal. now it goes right in the intended-for-v6 case and starts to compare the other addr32 fields - in the v4 case I have garbage in them, so it reports all v4 as different when they are in fact the same. fix by adding explicit af == INET6 test before going on to compare the rest. found the really hard way (many hours wasted, thought the bug was in my new code) by me. ok sthen markus claudio
2009-06-06  Rainer Giedat
  when xflags got changed, tell the userland by routing sockets
  ok henning@
2009-06-05  Alexander Hall
  Add missing #ifdef INET6 ... #endif
  Makes non-IPv6 kernels build again blame and ok henning@
2009-06-05  Claudio Jeker
  Initial support for routing domains. This allows binding interfaces to an
  alternate routing table and separating them from other interfaces in distinct routing tables. The same network can now be used in any domain at the same time without causing conflicts. This diff is mostly mechanical and adds the necessary rdomain checks across net and netinet. L2 and IPv4 are mostly covered, still missing pf and IPv6. input and tested by jsg@, phessler@ and reyk@. "put it in" deraadt@
2009-06-04  Henning Brauer
  allow IPvShit to be turned off completely per-interface.
  ifconfig em0 -inet6 deletes all v6 addresses including link-local and prevents new ones from being added. ifconfig em0 inet6 <addr> re-enables v6, brings the link local back and adds optional <addr> ok theo reyk
2009-06-04  Claudio Jeker
  Emulate a link state in tun(4). The link state goes up when the device is
  opened and goes down when the device fd is closed. Makes working with qemu a bit nicer when routing to tun(4) interfaces. dlg@ "diff reads good"
2009-06-03  Bob Beck
  make wireless interfaces priority 4 by default. other interfaces remain
  priority 0. while we are in here make sure we add wi interfaces to group "wlan" in the same way the net80211 stuff already is. this makes dhcp multiple default routes useful on laptops. ok claudio@
2009-06-02  Henning Brauer
  do the pf_pkt_addr_changed(m) magic just like gif etc
  tested by Manuel Rodriguez Morales <marodriguez at grupogdt.com>
2009-06-01  Claudio Jeker
  There is no need to use a variable just for sizeof(). Garbage collect ifa.
  No binary change.
2009-05-31  Bret Lambert
  Consolidate common code for interface attachment into single function
  to save some space in the kernel. Although there are deeper issues with interface attachment, this diff was not meant to address those, just to shave some space ;) ok henning@, claudio@
2009-05-31  Henning Brauer
  make set loginterface, set hostid, set reassemble and set debug
  transactional. sanity checked claudio, requested by theo for some time
2009-05-31  Claudio Jeker
  Hide RTP_DOWN in the kernel and don't expose it to userland. Userland is
  not smart enough to handle it in a sensible way. Make sure the kernel selected routing priority is actually exported to userland to help daemons like bgpd correctly keep track of the routes. This should fix some of the rather strange errors seen by people having multipath routes on their bgpd boxes. While there make the interface priority inheritance on static routes work again. OK henning@
2009-05-31  Claudio Jeker
  Reenable interface state tracking now that I found and fixed the cause of
  the rtfree panic seen by some people.
2009-05-31  Claudio Jeker
  Fix for the rtfree 2 panic seen by some people before the release. A missing
  refcnt bump caused the panic to be triggered. While there also make the priority so that the compare is working a bit better. henning@ cries in agony (I already gave up)
2009-05-26  Reyk Floeter
  inherit the route label on cloned routes
  ok claudio@
2009-05-18  Alexander Bluhm
  The routing table index rtableid has type unsigned int in the routing
  code. In pf rtableid == -1 means don't change the rtableid because of this rule. So it has to be signed int there. Before the value is passed from pf to route it is always checked to be >= 0. Change the type to int in pf and to u_int in netinet and netinet6 to make the checks work. Otherwise -1 may be used as an array index and the kernel crashes. ok henning@
2009-05-13  David Gwynne
  dont go splx(s) in the ioctl handler if we havent done splnet(). this adds
  the splnet calls and the extra splx(s)s necessary for it to be safe. bug found by sthen@
2009-05-13  David Gwynne
  only keep track of the number of updates on tcp connections. state sync on
  all the other protocols is simply pushing the timeouts along which has a resolution of 1 second, so it isnt going to be hurt by pfsync taking up to a second to send it over. keep track of updates on tcp still though, their windows need constant attention. tested by sthen@
2009-04-30  Henning Brauer
  treat log as what it is, a flag variable. effectively a noop now but stops
  us relying on where we are setting it. ok ryan dlg
2009-04-23  David Gwynne
  print the type of the icmp message we're bitching about when debugging is
  turned up in pf_icmp_state_lookup. ok sthen@
2009-04-18  Michele Marchetto
  Make "route(8) change" aware of MPLS.
  It is now possible to change routes' MPLS parameters via route change. ok laurent@, ok and input claudio@
2009-04-17  Henning Brauer
  move the lastr = r assignment behind the anchor rule check so we don't
  ever try to apply options from the anchor rule if it was the last matching one but the last matching real rule. it is right but despite begging nobody has the balls to ok it ;(
2009-04-16  David Krause
  Really turn fragment reassembly on by default. pfctl must handle this
  since the DIOCSETREASS ioctl is called on every ruleset load and was overriding the initial setting in pfattach(). Fix setting of the global no-df bitmask as well. ok henning@
2009-04-15  Henning Brauer
  little dose of scrubbing after the monster changes:
  correctly inherit queue stuff, tag, rtableid from the rule if we have no state
  some logic simplification and removal of redundant checks
  ok dlg
2009-04-15  David Krause
  move OK ICMP to NOISY level, makes it easier to run at MISC level; ok henning@
2009-04-15  David Krause
  move pfsync stale update messages to NOISY level; ok dlg@ henning@
2009-04-14  Alexander Yurchenko
  Correctly handle the case when state might be NULL in pf_test like
  all other code does. Should fix pr 6121. ok henning@
2009-04-11  Joel Sing
  Avoid dereferencing a null pointer when pf attempts to translate a
  specifically crafted IP datagram. Problem noted by Sebastian Rother. ok henning@ mcbride@ sthen@
2009-04-07  Henning Brauer
  after i took everything in this file apart and reassembled with a lot of
  new stuff asserting copyright is in order