Age | Commit message (Collapse) | Author |
|
|
|
table/state tail queue design. corrects ftp-proxy errors "server lookup
failed (no rdr?)" okay henning@
|
|
Makes bluetooth build again. ok uwe@
|
|
before it is removed from the multicast group in_delmulti() will try to
access the no longer available ifp.
We invalidate the ifa_ifp back pointer in the ifa in if_detach() now and use
the ifa_ifp in in_delmulti() instead of the internal inm_ifp. By doing it
this way we know if the interface was removed.
This fixes a kernel panic triggered by ospfd and gif(4) tunnels.
looks good henning@ reyk@
|
|
Fixes ICMP packet payload corruption on rdr.
OK henning@, markus@
|
|
the end of the array of rule pointers when attaching a pfsync'd state
to a rule. Reported in PR5508 by mayer@netlab.nec.de.
ok henning@
|
|
rx rings any more. forwarding boxes with many fast interfaces can still use
some more, but this is a saner default.
ok deraadt markus henric
|
|
keys that can map to multiple states (last not least for ifbound) we don't
need state tables hanging off each struct kif representing an interface
any more. use two globals for the two tables. ok markus ryan
|
|
unused ifname (this information is in struct pf_state_sync now).
Also a bit of KNF on the pf_state struct.
ok mpf@ henning@
|
|
|
|
check the logif when changing a rule
from max laier, ok ryan
|
|
previously, we had a set of state tables attached to each interface. so for
every packet we had to do a lookup in the tables for the interface, and
afterwards in the global tables.
since we split state keys and states now, use only the global tables, and
put the actual states in a tail queue attached to the state key. sort the
list so that ifbound states come before global ones. on lookup, we only
have to compare the interface pointer on the actual states and use the
first one where either the interface matches or the state is not interface
bound. thus, if you don't actually use ifbound states, and there is only
one state per state key, the overhead is close to zero, where we had extra
lookups before. in addition to a much cleaner design (that'll allow for more
goodies later) this gives us ~12.5% more forwarding performance.
mostly hacked at c2k7, lots of help, testing and ok mcbride & markus
|
|
OK henning@, ``passt scho'' markus@
|
|
spotted by Mike Belopuhov <mkb@crypt.org.ru>
|
|
the packet is of the expected address family (AF_INET / AF_INET6).
crafted IPv4 packets with IPPROTO_ICMPV6 can make us crash otherwise.
misbehaviour provoked by Adrian Close <adrian@close.wattle.id.au> playing
with nmap; he also helped us big time debugging the problem. thanks!
ok ryan
|
|
which will be used for new interface routes. For example,
ifconfig em0 10.1.1.0 255.255.255.0 rtlabel RING_1
will set the new interface address and attach the route label RING_1 to
the corresponding route.
manpage bits from jmc@
ok claudio@ henning@
|
|
from mickey, ok me markus mickey
|
|
since we include the mbuf header parts for pf unconditionally, we should
be able to check them unconditionally as well. ok mcbride markus
|
|
(&ptr instead of ptr). should fix pflog breakage seen by bob
|
|
|
|
some I found afterwards, ok dlg
|
|
pfioctl()'s DIOCKILLSTATES triggers panic due to wrong test
variable in for() loop.
well analyzed and fixed, excellent PR, applied verbatim, thanks!
(this was fallout from the state - state key split)
|
|
reconfigured after they are set. so they bail out when you try to. so when
you re-run netstart on a machine with vlans, it bails out with
ifconfig: SIOCSETVLAN: Device busy
and IP changes are not done.
make vlan_config() notice when both parent interface and vlan number stay
the same and just return success without doing anything in that case.
allows the IP config thereafter to happen. ok markus jason
|
|
|
|
|
|
with a state entry into a new pf_alloc_state_key() function and use it
everywhere. makes upcoming changes way easier and is cleaner anyway.
conceptually agreed by ryan, but he's on the road now ;(
|
|
one - pf_test_rule(). now we have one place to make things clearer and
maybe find another few performance bits :)
shrinks i386 GENERIC by 11K, no measurable performance impact or gain.
lots lots lots lots lots of testing and headbanging with ryan,
performance testing ckuethe. ok ryan
|
|
we need a pointer to the inpcb to decide, which was not previously
passed to ip6_output, so this diff is a little bigger.
from itojun, ok ryan
|
|
I am a retard for not testing properly and owe people beers tonight.
|
|
|
|
ok henning@
|
|
|
|
- Split pf_state into pf_state (used for tracking connection information),
and pf_state_key (used for searching the state table)
- Use pfsync_state in the ioctl for userland access to the state
table. This will sheild userland somewhat from future changes.
ok henning@ toby@ pyr@
|
|
|
|
instead of one where they where just empty. Figured out by art@
|
|
there was code inside
#if NPF > 0
to prevent feeding back the mbuf do looutput if we are on simplex
interfaces and the packet has been routed by pf, which can lead to a loop
in weird corner cases.
apparently nobody triggered these cases in ages, since pf.h was not included
and thus NPF not defined and thus this code not compiled.
|
|
#if NPF > 0
to prevent feeding back the mbuf do looutput if we are on simplex
interfaces and the packet has been routed by pf, whch can lead to a loop
in weird corner cases.
apparently nobody triggered these cases in ages, since pf.h was not included
and thus NPF not defined and thus this code not compiled.
ok theo
|
|
decomissioned aeon ago. We will not miss it at all.
OK dlg@ henning@ and a lot of cheers by other in the room
|
|
ok henning
|
|
This changes nothing on legacy architectures, but is a bit faster (and simpler)
on the interesting ones.
|
|
OK henning@ mcbride@
|
|
|
|
boring details:
long time ago (in r1.313) code was added to handle protocol checksums:
> Check protocol (TCP/UDP/ICMP/ICMP6) checksums of all incoming packets,
> and drop packets with invalid checksums. Without such a check, pf would
> return RST/ICMP errors even for packets with invalid checksums, which
> could be used to detect the presence of the firewall, reported by
> "Ed White" in http://www.phrack.org/phrack/60/p60-0x0c.txt.
that meant we did the checksumming for each and every packet traversing pf.
now only do the checksumming right before we send an RST back, so in all
other cases we save that work.
ok bob theo
|
|
Pick reasonble names for the locks involved..
ok tedu@, art@
|
|
boring details:
pf used to use an mbuf tag to keep track of route-to etc, altq, tags,
routing table IDs, packets redirected to localhost etc. so each and every
packet going through pf got an mbuf tag. mbuf tags use malloc'd memory,
and that is knda slow.
instead, stuff the information into the mbuf header directly.
bridging soekris with just "pass" as ruleset went from 29 MBit/s to
58 MBit/s with that (before ryan's randomness fix, now it is even betterer)
thanks to chris for the test setup!
ok ryan ryan ckuethe reyk
|
|
packet. If multiple packets come in on a single interrupt the times mixed into
the randomness pool will be identical or predictably close anyways, and
nanotime() is expensive.
ok toby jason miod claudio
|
|
ok dlg claudio
|
|
ok claudio@ reyk@ henning@ ja ja ja mcbride@
|
|
of reassigning a struct ifnet pointer.
discussed with and ok mcbride@
|
|
|