Age | Commit message | Author |
|
globals used only in this file and explain that the printf/debug
variable must be settable by ddb.
ok henning@, sthen@
|
|
ok deraadt@, tedu@ (implicit)
|
|
ok mikeb@, haesbaert@
jajaja miod@
|
|
declare them once in their corresponding header file.
|
|
ok krw@, mikeb@
|
|
variables.
ok mikeb@
|
|
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.
No objection from markus@, ok mikeb@
|
|
move them to the corresponding header with an appropriate comment if
necessary.
ok guenther@
|
|
ok mikeb@, markus@
|
|
divert(4) sockets.
Recalculation of these checksums is necessary because (1) PF no longer
updates IP checksums as of pf.c rev 1.731, so translated packets that
are diverted to userspace (e.g. divert-packet with nat-to/rdr-to) will
have bad IP checksums and will be reinjected with bad IP checksums if
the userspace program doesn't correct the checksums; (2) the userspace
program may modify the packets, which would invalidate the checksums;
and (3) the divert(4) man page states that checksums are supposed to be
recalculated on reinjection.
This diff has been tested on a public webserver serving both IPv4/IPv6
for more than four weeks. It has also been tested on a firewall with
divert-packet and nat-to/rdr-to where it transferred over 60GB of
FTP/HTTP/HTTPS/SSH/DNS/ICMP/ICMPv6 data correctly, using IPv4/IPv6
userspace programs that intentionally break the IP and protocol
checksums to confirm that recalculation is done correctly on
reinjection. IPv6 extension headers were tested with Scapy.
Thanks to florian@ for testing the original version of the diff with
dnsfilter and Justin Mayes for testing the original version with Snort
inline. Thanks also to todd@ for helping me in my search for the cause
of this bug.
I would especially like to thank blambert@ for reviewing many versions
of this diff, and providing guidance and tons of helpful feedback.
no objections from florian@
help/ok blambert@, ok henning@
|
|
into one block.
OK mpi@
|
|
instead of 0 for pointers. No binary change.
OK mpi@
|
|
three different ways. Use the same code in udp_usrreq() and
rip_usrreq() and rip6_usrreq(). This also fixes a pcb and socket
leak in udp_usrreq() in case soreserve() fails. Put an splsoftassert()
into in_pcballoc() for safety.
OK mpi@
|
|
reach the socket that the user has specified in pf.conf.
OK reyk@
|
|
OK deraadt@ guenther@
|
|
avoid ugly casts.
OK krw@ tedu@
|
|
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick
|
|
.h files to pull it in, if needed
ok tedu
|
|
|
|
defines into static inline functions. This allows the compiler to
check the source type before casting.
liked by many; OK mpi@ haesbaert@
|
|
ok millert@, haesbaert@, bluhm@
|
|
ifatoia6 macros do not check the source type. They just cast
anything. Remove needless casts and do not use those macros if the
source type does not match. Remove duplicate defines.
No binary change. OK kettenis@ krw@
|
|
ok beck@, mikeb@
|
|
ok bluhm@, mikeb@
|
|
|
|
defines that were part of rtadvd's code.
ok bluhm@
|
|
dhill.
ok krw@, mikeb@, tedu@ (implicit)
|
|
check for the reference counter.
ok mikeb@, miod@, pelikan@, kettenis@, krw@
|
|
spliced and routed to loopback. The content of the pf header in
the mbuf was keeping the divert information on its way. Reinitialize
the whole packet header of the mbuf and remove the mbuf tags when
the packet gets spliced.
OK claudio@ markus@
|
|
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus
|
|
No functional change.
OK millert@
|
|
case). On our platforms, sizeof(struct sockaddr) matches sizeof(struct
sockaddr_in) so this hasn't caused problems but it is still incorrect.
From Anthony Low. OK martynas@ bluhm@
|
|
the code relevant for UDP from sosend() and soreceive() into somove().
That allows the kernel to directly transfer the UDP data from one
socket to another.
OK claudio@
|
|
the pointer to the statekey in the mbuf.
When a UDP socket is spliced, pf would use this key during ip_output()
although the packet went through two sockets in the meantime. Reset
the mbuf's statekey in tcp_input() and udp_input() to eliminate the
pointer to pf lingering in the socket buffers.
OK claudio@
|
|
ok claudio
|
|
pointer. Allows stricter type checking. No functional change.
OK claudio@
|
|
worked with them to define a specific format, ietf quietly changed their
mind and did something different.
First step of transitioning over two releases -- accept both types, but
continue sending old format.
pointed out by david.dahlberg@fkie.fraunhofer.de
ok claudio
|
|
|
|
a gruesome union, to block the compiler from placing the struct
incorrectly aligned on stack frames
ok guenther
|
|
|
|
inside the NPF block. Fixes checksum issues seen on ramdisk kernels.
Initial diff by naddy@, tested and OK by many
|
|
-assume we have hardware checksum offloading. stop mucking with the
checksum in most of the stack
-stop checksum mucking in pf, just set a "needs checksumming" flag if needed
-in all output paths, very late, if we figure out the outbound interface
doesn't have hw cksum offloading, do the cksum in software. this especially
makes the bridge path behave like a regular output path
-little special casing for bridge still required until the broadcast path
loses its disgusting shortcut hacks, but at least it's in one place now
and not all over the stack
in6_proto_cksum_out mostly written by krw@
started at k2k11 in iceland more than 1.5 years ago - yes it took that
long, this stuff is everything but easy.
this happens to fix the infamous pf rdr bug that made us turn off proto
cksum offloading on almost all interface drivers.
ok camield sthen claudio, testing by many, thanks!
|
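The checksum handling described in the commit message above (defer the checksum to the output path, do it in software only when the outbound interface lacks offload) and in the earlier divert(4) message (translated packets reaching userspace with stale IP and protocol checksums, recalculated on reinjection) is sketched below as an added example in C. It is not kernel code from this log: the flag names CSUM_IP_OUT, CSUM_UDP_OUT and IFCAP_CSUM_HW, the struct pkt type and every function name are hypothetical stand-ins for the kernel's own mbuf and ifnet flags, and the IPv4/UDP packet is constructed inside the block. It shows why a single address rewrite invalidates both the IP header checksum and the UDP pseudo-header checksum, the late software fixup keyed on the interface's capability, and the unconditional recalculation when a packet comes back from a divert socket.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP_HLEN  20
#define UDP_HLEN 8
/* Hypothetical stand-ins for the kernel's "checksum still needed on
 * output" mbuf flags and for an interface's offload capability bit. */
#define CSUM_IP_OUT   0x1
#define CSUM_UDP_OUT  0x2
#define IFCAP_CSUM_HW 0x1

struct pkt {
	uint8_t  d[128];      /* IPv4 header + UDP header + payload, wire order */
	size_t   len;
	unsigned csum_flags;  /* deferred-checksum flags set by the translator */
};

static void put16(uint8_t *b, uint16_t v) { b[0] = v >> 8; b[1] = v & 0xff; }

/* RFC 1071: add big-endian 16-bit words into a 32-bit accumulator. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t s)
{
	for (; n > 1; n -= 2, p += 2) s += (uint32_t)p[0] << 8 | p[1];
	if (n) s += (uint32_t)p[0] << 8;	/* odd trailing byte, zero padded */
	return s;
}

/* Fold the carries and complement; 0 means "field present and valid". */
static uint16_t fold(uint32_t s)
{
	while (s >> 16) s = (s & 0xffff) + (s >> 16);
	return (uint16_t)~s;
}

static uint16_t ip_hdr_sum(const struct pkt *p) { return fold(sum16(p->d, IP_HLEN, 0)); }

/* UDP's pseudo-header covers the addresses, so an address rewrite breaks it too. */
static uint16_t udp_sum(const struct pkt *p)
{
	size_t ulen = p->len - IP_HLEN;
	uint32_t s = sum16(p->d + 12, 8, 0) + 17 + (uint32_t)ulen;
	return fold(sum16(p->d + IP_HLEN, ulen, s));
}

int ip_cksum_ok(const struct pkt *p)  { return ip_hdr_sum(p) == 0; }
int udp_cksum_ok(const struct pkt *p) { return udp_sum(p) == 0; }
void ip_cksum_fill(struct pkt *p) { put16(p->d + 10, 0); put16(p->d + 10, ip_hdr_sum(p)); }

void udp_cksum_fill(struct pkt *p)
{
	uint16_t c;
	put16(p->d + IP_HLEN + 6, 0); c = udp_sum(p);
	put16(p->d + IP_HLEN + 6, c ? c : 0xffff);	/* RFC 768: 0 means "none" */
}

/* Constructed sample packet: IPv4/UDP, no options, short payload. */
void build_pkt(struct pkt *p, const uint8_t src[4], const uint8_t dst[4],
    uint16_t sport, uint16_t dport, const char *payload)
{
	size_t plen = strlen(payload), ulen = UDP_HLEN + plen;
	uint8_t *ip = p->d, *udp = p->d + IP_HLEN;
	memset(p, 0, sizeof *p);
	p->len = IP_HLEN + ulen;
	ip[0] = 0x45; ip[8] = 64; ip[9] = 17;	/* v4, ihl 5, ttl 64, UDP */
	put16(ip + 2, (uint16_t)p->len);
	memcpy(ip + 12, src, 4); memcpy(ip + 16, dst, 4);
	put16(udp, sport); put16(udp + 2, dport); put16(udp + 4, (uint16_t)ulen);
	memcpy(udp + UDP_HLEN, payload, plen);
	ip_cksum_fill(p);
	udp_cksum_fill(p);
}

/* rdr-to as the translator now behaves: rewrite and flag, leave checksums stale. */
void pf_rdr_dst(struct pkt *p, const uint8_t new_dst[4])
{
	memcpy(p->d + 16, new_dst, 4);
	p->csum_flags |= CSUM_IP_OUT | CSUM_UDP_OUT;
}

/* Late in the output path: software checksum only if the interface cannot
 * offload. Returns the flags left for the driver to honour. */
unsigned if_output(struct pkt *p, unsigned ifcaps)
{
	if (!(ifcaps & IFCAP_CSUM_HW)) {
		if (p->csum_flags & CSUM_IP_OUT) ip_cksum_fill(p);
		if (p->csum_flags & CSUM_UDP_OUT) udp_cksum_fill(p);
		p->csum_flags = 0;
	}
	return p->csum_flags;
}

/* divert(4) reinjection: userspace may have changed anything, so always recompute. */
void divert_reinject(struct pkt *p)
{
	ip_cksum_fill(p);
	udp_cksum_fill(p);
	p->csum_flags = 0;
}
```

Build a packet, call pf_rdr_dst(), then if_output() once with ifcaps 0 and once with IFCAP_CSUM_HW: the first path leaves valid checksums in the packet, the second hands the flags to the driver and leaves the fields stale, which is exactly what a driver without real offload would then put on the wire. divert_reinject() repairs a packet regardless of what userspace did to it, so a program that breaks the checksums on purpose still gets a valid packet back out.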
|
which packets (as in direction) of the traffic will be diverted
through the divert socket.
ok claudio@, henning@
|
|
ok mikeb@
|
|
Resurrect the rather silly "unplug my network device while I am
doing nfs diskless revarp" safety code which was disabled due to
a missing "ether.h" include, found by jsg
ok jsg
|
|
An NSC HYPERchannel remnant from the CSRG times bites the dust.
ok deraadt, reyk
|
|
is really needed, instead of an ethernet header and selector.
ok mikeb henning mpf
|
|
include sys/mbuf.h in net/pfvar.h.
Flagged by and ok guenther@
|
|
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.
This way we can get rid of a lot of list walks, improving performance
and shortening the code.
ok henning stsp sthen reyk
|
|
|