path: root/sys/net
Age         [Author]  Commit message
2007-07-13  [Markus Friedl]  remove obsolete pfi_statehead and pfik_w_states; ok henning@
2007-07-10  [Kurt Miller]  adjust pf_find_state_all() so that it works correctly for the new global
table/state tail queue design. corrects ftp-proxy errors "server lookup failed (no rdr?)" okay henning@
2007-07-06  [Christian Weisgerber]  btintrq has been removed from bt_input.c, don't reference it here.
Makes bluetooth build again. ok uwe@
2007-07-04  [Claudio Jeker]  Fix a use after free crash in in_delmulti(). If an interface is detached
before it is removed from the multicast group in_delmulti() will try to access the no longer available ifp. We invalidate the ifa_ifp back pointer in the ifa in if_detach() now and use the ifa_ifp in in_delmulti() instead of the internal inm_ifp. By doing it this way we know if the interface was removed. This fixes a kernel panic triggered by ospfd and gif(4) tunnels. looks good henning@ reyk@
2007-07-04  [Marco Pfatschbacher]  No m_copyback for ICMP and "other" protocols on rdr/binat.
Fixes ICMP packet payload corruption on rdr. OK henning@, markus@
2007-06-26  [Ryan Thomas McBride]  Fix a race condition during ruleset reload; make sure we don't walk off
the end of the array of rule pointers when attaching a pfsync'd state to a rule. Reported in PR5508 by mayer@netlab.nec.de. ok henning@
2007-06-25  [Henning Brauer]  crank ifq_maxlen from 50 to 256, so it is not smaller than most interfaces
rx rings any more. forwarding boxes with many fast interfaces can still use some more, but this is a saner default. ok deraadt markus henric
2007-06-25  [Henning Brauer]  pretty mechanical change: now that the state tables use separate state
keys that can map to multiple states (last not least for ifbound) we don't need state tables hanging off each struct kif representing an interface any more. use two globals for the two tables. ok markus ryan
2007-06-24  [Ryan Thomas McBride]  Save some bytes and make code more readable by removing junk union and
unused ifname (this information is in struct pf_state_sync now). Also a bit of KNF on the pf_state struct. ok mpf@ henning@
2007-06-22  [Markus Friedl]  export the flow/filter information attached to the SA, too; ok hshoexer@
2007-06-21  [Henning Brauer]  force logif to zero if no logging is asked for
check the logif when changing a rule from max laier, ok ryan
2007-06-21  [Henning Brauer]  reimplement interface bound states in a non-retarded way.
previously, we had a set of state tables attached to each interface. so for every packet we had to do a lookup in the tables for the interface, and afterwards in the global tables. since we split state keys and states now, use only the global tables, and put the actual states in a tail queue attached to the state key. sort the list so that ifbound states come before global ones. on lookup, we only have to compare the interface pointer on the actual states and use the first one where either the interface matches or the state is not interface bound. thus, if you don't actually use ifbound states, and there is only one state per state key, the overhead is close to zero, where we had extra lookups before. in addition to a much cleaner design (that'll allow for more goodies later) this gives us ~12.5% more forwarding performance. mostly hacked at c2k7, lots of help, testing and ok mcbride & markus
2007-06-20  [Marco Pfatschbacher]  Allow "log" for nat rules without "pass".
OK henning@, ``passt scho'' markus@
2007-06-17  [Henning Brauer]  add back missing bcopy & break, got lost when removing arcnet.
spotted by Mike Belopuhov <mkb@crypt.org.ru>
2007-06-15  [Henning Brauer]  in pf_test_rule, before handling IPPROTO_ICMP / IPPROTO_ICMPV6, check that
the packet is of the expected address family (AF_INET / AF_INET6). crafted IPv4 packets with IPPROTO_ICMPV6 can make us crash otherwise. misbehaviour provoked by Adrian Close <adrian@close.wattle.id.au> playing with nmap; he also helped us big time debugging the problem. thanks! ok ryan
2007-06-14  [Reyk Floeter]  Add a new "rtlabel" option to ifconfig. It allows specifying a route label
which will be used for new interface routes. For example, ifconfig em0 10.1.1.0 255.255.255.0 rtlabel RING_1 will set the new interface address and attach the route label RING_1 to the corresponding route. manpage bits from jmc@ ok claudio@ henning@
2007-06-14  [Henning Brauer]  sprinkle some #ifdef IPSEC so that pfsync compiles w/o ipsec
from mickey, ok me markus mickey
2007-06-11  [Henning Brauer]  move definitions for the flags in the mbuf header used by pf to mbuf.h
since we include the mbuf header parts for pf unconditionally, we should be able to check them unconditionally as well. ok mcbride markus
2007-06-09  [Henning Brauer]  fix wrong argument passing to m_copyback for the log case
(&ptr instead of ptr). should fix pflog breakage seen by bob
2007-06-09  [Henning Brauer]  sizeof(ptr) is no good if you want sizeof(*ptr). icmp/icmpv6.
2007-06-08  [Henning Brauer]  kill arcnet leftovers, some pt out by Mike Belopuhov <mkb@crypt.org.ru>,
some I found afterwards, ok dlg
2007-06-07  [Henning Brauer]  PR 5502 From: Marc Huber <Marc.Huber@web.de>
pfioctl()'s DIOCKILLSTATES triggers panic due to wrong test variable in for() loop. well analyzed and fixed, excellent PR, applied verbatim, thanks! (this was fallout from the state - state key split)
2007-06-06  [Henning Brauer]  vlan interfaces do not allow the parent interface and the vlan number to be
reconfigured after they are set. so they bail out when you try to. so when you re-run netstart on a machine with vlans, it bails out with ifconfig: SIOCSETVLAN: Device busy and IP changes are not done. make vlan_config() notice when both parent interface and vlan number stay the same and just return success without doing anything in that case. allows the IP config thereafter to happen. ok markus jason
2007-06-06  [Henning Brauer]  remove remaining IPX hooks. all inside #ifdef IPX, so no actual change
2007-06-02  [Henning Brauer]  pf_set_rt_ifp accesses state key data, so must be called later
2007-06-01  [Henning Brauer]  factor out duplicated code to allocate state key and cross-reference it
with a state entry into a new pf_alloc_state_key() function and use it everywhere. makes upcoming changes way easier and is cleaner anyway. conceptually agreed by ryan, but he's on the road now ;(
2007-06-01  [Henning Brauer]  fold pf_test_tcp(), pf_test_udp(), pf_test_icmp(), pf_test_other() into
one - pf_test_rule(). now we have one place to make things clearer and maybe find another few performance bits :) shrinks i386 GENERIC by 11K, no measurable performance impact or gain. lots lots lots lots lots of testing and headbanging with ryan, performance testing ckuethe. ok ryan
2007-06-01  [Henning Brauer]  apply the "skip ipsec if there are no flows" speedup diff to IPv6 too.
we need a pointer to the inpcb to decide, which was not previously passed to ip6_output, so this diff is a little bigger. from itojun, ok ryan
2007-05-31  [Ryan Thomas McBride]  Make sure that pf_state_key and pf_state_key_cmp are in sync.
I am a retard for not testing properly and owe people beers tonight.
2007-05-31  [Henning Brauer]  unlink the right state, ryan ok
2007-05-31  [Ryan Thomas McBride]  Move the state id and creatorid (used mainly by pfsync) into struct pf_state.
ok henning@
2007-05-31  [Ryan Thomas McBride]  Unbreak pf.c compilation on gcc 2.95 architectures. Found by todd@
2007-05-31  [Ryan Thomas McBride]  First step of rearranging pf's state table internals...
- Split pf_state into pf_state (used for tracking connection information), and pf_state_key (used for searching the state table)
- Use pfsync_state in the ioctl for userland access to the state table. This will shield userland somewhat from future changes.
ok henning@ toby@ pyr@
2007-05-29  [Henning Brauer]  remove token ring leftovers, ok mcbride pval
2007-05-29  [Claudio Jeker]  It helps to commit removals from the tree that has the files cvs removed
instead of one where they were just empty. Figured out by art@
2007-05-29  [Henning Brauer]  now i get my hands dirty in here... from if_ethersubr.c:
there was code inside #if NPF > 0 to prevent feeding back the mbuf to looutput if we are on simplex interfaces and the packet has been routed by pf, which can lead to a loop in weird corner cases. apparently nobody triggered these cases in ages, since pf.h was not included and thus NPF not defined and thus this code not compiled.
2007-05-29  [Henning Brauer]  there was code inside
#if NPF > 0 to prevent feeding back the mbuf to looutput if we are on simplex interfaces and the packet has been routed by pf, which can lead to a loop in weird corner cases. apparently nobody triggered these cases in ages, since pf.h was not included and thus NPF not defined and thus this code not compiled. ok theo
2007-05-29  [Claudio Jeker]  Move tokenring support to the attic where it can join the cards that were
decommissioned aeons ago. We will not miss it at all. OK dlg@ henning@ and a lot of cheers by others in the room
2007-05-29  [Uwe Stuehler]  Define IF_ENQUEUE() and friends as proper C statements using do ... while
ok henning
2007-05-29  [Miod Vallat]  Use atomic operations to operate on netisr, instead of clearing it at splhigh.
This changes nothing on legacy architectures, but is a bit faster (and simpler) on the interesting ones.
2007-05-29  [Claudio Jeker]  IMP is dead and nothing uses NETISR_IMP so remove it from the netisr list.
OK henning@ mcbride@
2007-05-29  [Claudio Jeker]  Spaces, no binary changes.
2007-05-29  [Henning Brauer]  gain us another 10+% of performance.
boring details: long time ago (in r1.313) code was added to handle protocol checksums:
> Check protocol (TCP/UDP/ICMP/ICMP6) checksums of all incoming packets,
> and drop packets with invalid checksums. Without such a check, pf would
> return RST/ICMP errors even for packets with invalid checksums, which
> could be used to detect the presence of the firewall, reported by
> "Ed White" in http://www.phrack.org/phrack/60/p60-0x0c.txt.
that meant we did the checksumming for each and every packet traversing pf. now only do the checksumming right before we send an RST back, so in all other cases we save that work. ok bob theo
2007-05-29  [Thordur I. Bjornsson]  Add a name argument to the RWLOCK_INITIALIZER macro.
Pick reasonable names for the locks involved. ok tedu@, art@
2007-05-28  [Henning Brauer]  double pf performance.
boring details: pf used to use an mbuf tag to keep track of route-to etc, altq, tags, routing table IDs, packets redirected to localhost etc. so each and every packet going through pf got an mbuf tag. mbuf tags use malloc'd memory, and that is kinda slow. instead, stuff the information into the mbuf header directly. bridging soekris with just "pass" as ruleset went from 29 MBit/s to 58 MBit/s with that (before ryan's randomness fix, now it is even betterer) thanks to chris for the test setup! ok ryan ryan ckuethe reyk
2007-05-28  [Ryan Thomas McBride]  Only call add_net_randomness() once per interrupt instead of once per
packet. If multiple packets come in on a single interrupt the times mixed into the randomness pool will be identical or predictably close anyways, and nanotime() is expensive. ok toby jason miod claudio
2007-05-28  [Ryan Thomas McBride]  Users of arc4random() should include dev/rndvar.h directly.
ok dlg claudio
2007-05-27  [David Gwynne]  get rid of static.
ok claudio@ reyk@ henning@ ja ja ja mcbride@
2007-05-27  [Pierre-Yves Ritschard]  clarify things by passing kif->pfik_ifp around in pf_test{,6} instead
of reassigning a struct ifnet pointer. discussed with and ok mcbride@
2007-05-26  [Henning Brauer]  add comments indicating why we do m = *m0; again after pf_normalize, ryan ok