address) is used for source in the binat rule. closes PR 3535, reported
by Karl O. Pinc. ok henning@, cedric@
This saves more than 30% memory on state entries, and simplifies the state
insertion and removal code as well.
NOTE: This changes the pf API; userland tools must be updated to match.
ok henning@ dhartmei@
Fixes leakage of mbufs on error.
Pointed out by Max Laier.
problems with dhcp.
ok frantzen@ krw@ deraadt@
Locking prevents dangerous ioctls such as changing the
interface and sending signals from being executed by an
unprivileged process. A filter can also be applied
to packets injected through a bpf descriptor.
These features allow programs using bpf descriptors to
safely drop/separate privileges.
ok frantzen@ henning@ mcbride@
Allows non-ALTQ kernel compile.
Pointed out by tedu@
ok itojun@, "works here" tedu@
Allows multiple hosts to share an IP address, providing high availability
and load balancing.
Based on code by mickey@, with additional help from markus@
and Marco_Pfatschbacher@genua.de
ok deraadt@
by random values). ok mcbride@, cedric@, henning@
none of us can test this, but that does not mean it has to sit in the PR
database
(behavior change from 4.4bsd).
dhartmei ok
do not try to send incomplete fragments on ENOBUFS case
(behavior change from 4.4bsd).
dhartmei ok
which ends up in the pflog pcap file. From dhartmei@
ok dhartmei@, frantzen@, henning@
OK krw@, deraadt@
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:
- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftovers in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.
WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.
The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):
- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE
They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:
- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK
Ok dhartmei@ mcbride@
pf_test_state_<proto>() to pf_test() and pf_test6(). Reduce
code redundancy, and fix the following bugs:
- ICMP packets were not being accounted for correctly (missing
statistics code in pf_test_state_icmp())
- Some packets were not being counted in the loginterface statistics
NOTE: Under some situations with route-to, packets may get counted
once on the original interface, and once on the pf-routed interface.
This can be dealt with by rules which specify each interface
explicitly.
ok cedric@, henning@
ok cedric@ frantzen@ henning@
now call the poll backend. With this change we implement greater
poll(2) functionality instead of emulating it via the select backend.
Adapted from NetBSD and including some changes from FreeBSD.
Tested by many, deraadt@ OK
ok markus deraadt
This is mostly to support the new "nat pass" rule.
ok dhartmei@ henning@
them could be used to panic pf with scrub rules remotely. Found by
Rob Pickering. ok frantzen@, henning
ok henning@
by setting it to whatever is suitable for the link type. so we try a guessed
1460 MTU and 1500 MSS if the primary check fails.
algorithm tweak from Michal Zalewski
name a few constants too while I'm in there
makes routing lookups slightly more expensive, and serves no useful
purpose.
ok itojun@ tedu@
disappears. deraadt ok
deraadt@ ok.
ok dhartmei@ jmc@
pf_osfp_fingerprint_hdr() which doesn't work on mbufs.
pointed out by Max Laier
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001
pf routed. prevents a kernel lockup with some (non-sensical) route-to
rules. report and debugging by mpech@. ok itojun@, henning@, mpech@.
changes), from Andrey Matveev
argument. old cred only calls user suser_ucred. this will allow future
work to more flexibly implement the idea of a root process. looks like
something i saw in freebsd, but a little different.
use of suser_ucred vs suser in file system code should be looked at again,
for the moment semantics remain unchanged.
review and input from art@ testing and further review miod@
redirection rules...
The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.
This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.
Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"
ok henning@ mcbride@
it's not only used to match on ports any more but uid/gid as well, and uid_t/gid_t are u_int32_t.
found by aaron@
ok cedric@
Make table tickets u_int32_t for consistency with other parts of PF.
Ok dhartmei@ henning@
markus ok. miod/paul confirmed
later on, when another packet matches the state. ok mcbride@