code. In pf rtableid == -1 means don't change the rtableid because
of this rule. So it has to be signed int there. Before the value
is passed from pf to route it is always checked to be >= 0. Change
the type to int in pf and to u_int in netinet and netinet6 to make
the checks work. Otherwise -1 may be used as an array index and
the kernel crashes.
ok henning@
levels. This will allow for platforms where soft interrupt levels do not
map to real hardware interrupt levels to have soft ipl values overlapping
hard ipl values without breaking spl asserts.
WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC
this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsync's handling of pf states is
highly optimised now, along with packet parsing and construction.
huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.
ok beck@ mcbride@ "good." deraadt@
update the route specific MTU from the interface (because it could have
changed in between). This only makes sense if we actually have a valid
route but e.g. multicast traffic does no route lookup and so there is no
route at all and we don't need to update anything.
Hit by dlg@'s pfsync rewrite which already found 3 other bugs in the network
stack and slowly makes us wonder how it worked in the first place.
OK mcbride@ dlg@
being passed down if using HW checksum offload.
From Brad, inspired by NetBSD/FreeBSD. ok markus@
network 0.0.0.0/0 or ::/0, the SA was established for the IP address
in the packet instead of the network in the flow. That means the
SA was not negotiated for the network 0.0.0.0 with mask 0 but for
the remote IP with mask 255.255.255.255. This SA did not match the
flow and did not work.
To differentiate between general flows that are used to trigger
specific host-to-host SAs and flows for matching network SAs, the
if condition only uses the ipo->ipo_dst field now. For a flow
without peer, an SA must be negotiated for each host-to-host
combination. Otherwise, if a peer exists at the flow, the kernel
acquires one SA for the whole network.
tested by todd@, ok hshoexer@, angelos@, todd@
interfaces and is probably never hit. The other one happens when the
number of packets on the arp hold queue is exceeded. If arpresolve()
returns NULL the mbuf must be on the hold queue or freed.
Fixes the mbuf leak seen by dlg@. Found with dlg@'s insane mbuf leak
diff. OK dlg@
gets a mac addr for an ip under net.inet.ip.arpqueued.
ok deraadt@
fixes v6-over-v4 gifs wrt pf chatter about state linking mismatches
ok jsing claudio, tested by Ant La Porte <ant at ukbsd.org>
ok deraadt@ otto@
M_ANYCAST6 was only used to signal tcp6_input() that it should drop the
packet and send back an icmp error. This can be done in ip6_input() without
the need for an mbuf flag. Gives us back one slot in m_flags for possible
future need. Looked at and some input by naddy@ and henning@. OK dlg@
arp layer. With a lot of input from deraadt@.
OK dlg@, looks good gollo@ + deraadt@
address. This cvs commit introduces a queue that buffers a small
burst of packets and resends the packets in correct order when
the ethernet address is resolved. Code written by Armin Wolfermann
<aw@osn.de>.
OK: claudio@ henning@
no carpdev configured.
I don't see how we can run into this at all, but let's
leave this test for a little extra safety.
OK henning@
ok dlg
#if INET6 => #ifdef INET6
ok bluhm, fries, mpf; fixes pr 4188
checksum in the packet it should be trimmed away by the driver and not by
driver independent code. OK brad@
bug with IPv6 in some circumstances. we'll find it one day...
lots of debugging dhill
definitely not at will.
happens with IPv6 TCP traffic, until a better fix is found.
patch from henning@
prodded by deraadt@
ok claudio@
to prevent state key mismatches.
ok henning@
spotted by markus@
ok henning@ mpf@
Found by LLVM/Clang Static Analyzer.
ok mpf@ looks good mk@ ok henning@
Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.
ok art@, krw@
key stuff.
TIME_WAIT socket recycling code to redo the pcb lookup w/out
resetting the inp pointer. Therefore we used the stale pcb,
which leads us to reply with a RST to SYNs received on TIME_WAIT
sockets. Also move the findpcb label below the pf pcb cache lookup,
to avoid using a stale pcb when the caching code gets activated.
OK markus@, henning@
pcb. the state key ptr in the pcb is the one that had to be used by pf
outbound. but by convention the state key pointer in the pkthdr is the one
used INbound, so pf follows its reverse pointer to find the sk to use,
and since a reverse doesn't exist for locally terminated connections the
reverse pointer is null and thus the whole game a noop.
note that this only affects packets FROM local udp/tcp sockets, for the
other direction everything works as expected.
gets bigger than 255. OK henning@
header of the matching address family is available. Especially do
not read ip->ip_off from an IPv6 packet header.
ok markus
leak kernel memory for every closed v6 descriptor with certain options set
ok otto jsing todd claudio
of expected semantics. thus, for return packets coming out of an ipsec
tunnel, we need to clear the pf state key pointer in the mbuf header
to prevent a state for encapsulated traffic from being linked to the
decapsulated traffic one.
problem noticed by Oleg Safiullin <form@pdp-11.org.ru>, took me some
time to understand what the hell was going on. ok ryan
ok hshoexer claudio mpf henning
ok markus, also tested david sthen
skipping bitmasks to cover the entire 65536 port space - previously
they covered 512-1024 only.
sysctl needs to be updated to cope with this change; please
"make includes" before rebuilding it.
feedback millert@ ok millert@ deraadt@ markus@
when we first do a pcb lookup and we have a pointer to a pf state key
in the mbuf header, store the state key pointer in the pcb and a pointer
to the pcb we just found in the state key. when either the state key
or the pcb is removed, clear the pointers.
on subsequent packets inbound we can skip the pcb lookup and just use the
pointer from the state key.
on subsequent packets outbound we can skip the state key lookup and use
the pointer from the pcb.
about 8% speedup with 100 concurrent tcp sessions, should help much more
with more tcp sessions.
ok markus ryan
Not sure what's more surprising: how long it took for NetBSD to
catch up to the rest of the BSDs (including UCB), or the amount of
code that NetBSD has claimed for itself without attributing to the
actual authors.
OK deraadt@
ok bluhm@
whilst we're here.
ok henning@ deraadt@
even the unicast address of the remote carp peer. this especially
helps when the multicast carp advertisements are causing problems in
the network (some crappy switches don't do well with multicast), there
are conflicts with VRRP, or the policy of the network does not allow
multicast (most Internet eXchange points didn't allow carped OpenBGP
routers because of the multicast advertisements).
discussed with many
ok mpf@
ok markus@
ok reyk@
Reduces the amount of dmesg noise.
Tested and OK mcbride@
ok markus@ henning@
ok markus@ mcbride@ henning@ deraadt@