Age | Commit message | Author |
|
"reassemble tcp" state option failed to work correctly. Increasing this
to u_int16_t fixes kernel/6178. ok deraadt@ henning@
|
|
ok henning@
|
|
malloc()ing it and calling that macro.
No functional change, just tightening things up a bit.
ok claudio@ michele@
|
|
ICMPv6 messages.
ok henning@
|
|
Suggested by Max Laier.
ok henning@
|
|
spotted by naddy@
ok henning@
|
|
While here, fix whitespace (spaces -> tabs) issue spotted by michele@
ok michele@, claudio@
|
|
OK: sthen@, henning@
|
|
windows than our peer.
this resolves the last of the pfsync traffic storm issues I've been able to
produce, and therefore makes it possible to do usable active-active
stateful firewalls with pf.
lots of testing locally on the production firewalls, also tested by sthen@
|
|
sync peers are able to get the states before the replies. previously there
was a race where the reply could hit a partner firewall before it had the
state for it, which caused the reply to get processed by the ruleset which
probably would drop it.
this behaviour is off by default because it does delay packets, which is
only wanted in active-active firewalls or when an upstream router is slow
to learn that you've moved the active member of the pfsync cluster. it also
uses memory keeping the packets in the kernel.
use "ifconfig pfsync0 defer" to enable it, "ifconfig pfsync0 -defer" to
disable.
tested by sthen@ who loves it. he's got manpage changes coming up for me.
|
|
and the conditions on which pfsync will notify its peers on a stale update.
each side (i.e., the sending and receiving side) of the state update is
compared separately. any side that is further along than the local state
tree is merged. if any side is further along in the local state table, an
update is sent out telling the peers about it.
this has been flogged to death on my firewalls.
|
|
most obvious problem.
if the state table is empty, we'd deref a null pointer.
tested on my firewalls with big state tables, so existing use cases still
work.
|
|
but our local copy proto that we very carefully set beforehand. skw
being NULL is perfectly valid there.
|
|
found by sthen and fixed, all other callers of these macros checked by both
of us
|
|
steps found with the recent pfvar.h commit to check address families.
from & commit req by henning.
|
|
by backing out the macro fix. something must rely on the broken behaviour
|
|
was added in 2001. yes i got bitten by inet6 shit again.
in the ANEQ case, if af == AF_INET, (a)->addr32[0] != (b)->addr32[0]
is false when the addresses ARE equal. now it goes right in the
intended-for-v6 case and starts to compare the other addr32 fields -
in the v4 case I have garbage in them, so it reports all v4 as different
when they are in fact the same. fix by adding explicit af == INET6 test
before going on to compare the rest.
found the really hard way (many hours wasted, thought the bug was in my
new code) by me. ok sthen markus claudio
|
|
ok henning@
|
|
Makes non-IPv6 kernels build again
blame and ok henning@
|
|
alternate routing table and separate them from other interfaces in distinct
routing tables. The same network can now be used in any domain at the same
time without causing conflicts.
This diff is mostly mechanical and adds the necessary rdomain checks across
net and netinet. L2 and IPv4 are mostly covered; still missing pf and IPv6.
input and tested by jsg@, phessler@ and reyk@. "put it in" deraadt@
|
|
ifconfig em0 -inet6
deletes all v6 addresses including link-local and prevents new ones from
being added.
ifconfig em0 inet6 <addr>
re-enables v6, brings the link local back and adds optional <addr>
ok theo reyk
|
|
opened and goes down when the device fd is closed. Makes working with qemu
a bit nicer when routing to tun(4) interfaces.
dlg@ "diff reads good"
|
|
priority 0. while we are in here make sure we add wi interfaces to group "wlan"
in the same way the net80211 stuff already is.
this makes dhcp multiple default routes useful on laptops.
ok claudio@
|
|
tested by Manuel Rodriguez Morales <marodriguez at grupogdt.com>
|
|
No binary change.
|
|
to save some space in the kernel. Although there are deeper issues with
interface attachment, this diff was not meant to address those, just to
shave some space ;)
ok henning@, claudio@
|
|
transactional. sanity checked claudio, requested by theo for some time
|
|
not smart enough to handle it in a sensible way. Make sure the kernel
selected routing priority is actually exported to userland, to help
daemons like bgpd keep track of the routes correctly. This should fix
some of the rather strange errors seen by people having multipath routes
on their bgpd boxes. While there make the interface priority inheritance
on static routes work again.
OK henning@
|
|
the rtfree panic seen by some people.
|
|
refcnt bump caused the panic to be triggered. While there also make the
priority so that the compare is working a bit better.
henning@ cries in agony (I already gave up)
|
|
ok claudio@
|
|
code. In pf rtableid == -1 means don't change the rtableid because
of this rule. So it has to be signed int there. Before the value
is passed from pf to route it is always checked to be >= 0. Change
the type to int in pf and to u_int in netinet and netinet6 to make
the checks work. Otherwise -1 may be used as an array index and
the kernel crashes.
ok henning@
|
|
the splnet calls and the extra splx(s)s necessary for it to be safe.
bug found by sthen@
|
|
all the other protocols is simply pushing the timeouts along which has a
resolution of 1 second, so it isn't going to be hurt by pfsync taking up
to a second to send it over.
keep track of updates on tcp still though, their windows need constant
attention.
tested by sthen@
|
|
us relying on where we are setting it. ok ryan dlg
|
|
turned up in pf_icmp_state_lookup.
ok sthen@
|
|
It is now possible to change routes' MPLS parameters via route change.
ok laurent@, ok and input claudio@
|
|
ever try to apply options from the anchor rule if it was the last matching
one but the last matching real rule. it is right but despite begging nobody
has the balls to ok it ;(
|
|
since the DIOCSETREASS ioctl is called on every ruleset load and was
overriding the initial setting in pfattach(). Fix setting of the global
no-df bitmask as well.
ok henning@
|
|
correctly inherit queue stuff, tag, rtableid from the rule if we have no
state
some logic simplification and removal of redundant checks
ok dlg
|
|
|
|
|
|
all other code do. Should fix pr 6121.
ok henning@
|
|
specifically crafted IP datagram.
Problem noted by Sebastian Rother.
ok henning@ mcbride@ sthen@
|
|
new stuff asserting copyright is in order
|
|
not do fragment reassembly. discussed with dlg and ryan in basel.
ok ryan dlg sthen jdixon todd deraadt
|
|
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i.e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i.e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, and more the more scrub rules
were in use.
manpage not up to date, being worked on.
|
|
affected by adjusting the clock.
|
|
switch the rtsocket message filter specification so you can OR the macros
converting the routing socket message types into the mask used by the
filter. i.e.:
- ROUTE_SETFILTER(rtfilter, RTM_NEWADDR);
- ROUTE_SETFILTER(rtfilter, RTM_DELADDR);
- ROUTE_SETFILTER(rtfilter, RTM_IFINFO);
- ROUTE_SETFILTER(rtfilter, RTM_IFANNOUNCE);
+ rtfilter = ROUTE_FILTER(RTM_NEWADDR) | ROUTE_FILTER(RTM_DELADDR) |
+ ROUTE_FILTER(RTM_IFINFO) | ROUTE_FILTER(RTM_IFANNOUNCE);
there's a manpage change coming.
ok claudio@
|
|
with deraadt@, mcbride@, and mpf@ it is obvious that a hmac doesn't make
sense for pfsync.
this also firms up some of the input parsing so it handles short frames a
bit better.
|