OpenBSD CVS

CVS log for src/sys/net/pf.c




Default branch: MAIN


Revision 1.1197, Fri Jun 7 18:24:16 2024 UTC (3 days, 16 hours ago) by bluhm
Branch: MAIN
CVS Tags: HEAD
Changes since 1.1196: +8 -3 lines

Read IP forwarding variables only once.

Do not assume that ip_forwarding and ip_directedbcast cannot change
while processing one packet.  Read it once and pass down its value
with a flag.  This is necessary for unlocking the sysctl path.
There are a few places where a consistent value does not really
matter, they are unchanged.  Use a proper ip_ prefix for the global
variable.

OK claudio@

Revision 1.1196, Tue May 14 08:26:13 2024 UTC (4 weeks ago) by jsg
Branch: MAIN
Changes since 1.1195: +1 -3 lines

remove prototypes with no matching function

Revision 1.1195, Fri May 10 03:50:12 2024 UTC (4 weeks, 4 days ago) by jsg
Branch: MAIN
Changes since 1.1194: +2 -2 lines

make pf_match_rule() prototype match the function

Revision 1.1194, Fri Apr 12 16:07:09 2024 UTC (8 weeks, 3 days ago) by bluhm
Branch: MAIN
Changes since 1.1193: +11 -9 lines

Split single TCP inpcb table into IPv4 and IPv6 parts.

With two separate TCP hash tables, each one becomes smaller.  When
we remove the exclusive net lock from TCP, contention on internet
PCB table mutex will be reduced.  UDP has been split earlier into
IPv4 and IPv6.  Replace branch conditions based on INP_IPV6 with
assertions.

OK mvs@

Revision 1.1193, Wed Jan 10 16:44:30 2024 UTC (5 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5
Changes since 1.1192: +3 -1 lines

Split UDP PCB table into IPv4 and IPv6.

Having two hash tables instead of a common one reduces table size
and contention on the per table lock.  The address family is always
known in advance.  The lookups and loops are more specific.

OK sashan@

Revision 1.1192, Mon Jan 1 22:16:51 2024 UTC (5 months, 1 week ago) by bluhm
Branch: MAIN
Changes since 1.1191: +88 -49 lines

Protect link between pf and inp with mutex.

Introduce global mutex to protect the pointers between pf state key
and internet PCB.  Then in_pcbdisconnect() and in_pcbdetach() do
not need exclusive netlock anymore.  Use a bunch of read once
unlocked access to reduce performance impact.

OK sashan@

Revision 1.1191, Mon Jan 1 17:00:57 2024 UTC (5 months, 1 week ago) by bluhm
Branch: MAIN
Changes since 1.1190: +7 -7 lines

Fix white space in pf.c.

Revision 1.1190, Thu Dec 28 16:21:08 2023 UTC (5 months, 1 week ago) by aisha
Branch: MAIN
Changes since 1.1189: +2 -5 lines

use RB_FOREACH_SAFE for pf_purge_expired_src_nodes

OK bluhm@

Revision 1.1186.2.1, Sun Dec 10 00:31:26 2023 UTC (6 months ago) by mlarkin
Branch: OPENBSD_7_4
Changes since 1.1186: +35 -22 lines
Next revision on MAIN: 1.1187

A race condition between pf(4)'s processing of packets and expiration of
packet states may cause a kernel panic.

this is errata/7.4/009_pf.patch.sig

Revision 1.1189, Fri Dec 1 10:28:32 2023 UTC (6 months, 1 week ago) by sashan
Branch: MAIN
Changes since 1.1188: +35 -22 lines

Prevent race between pf_test() and pf_purge_expired_states().
Packets (callers to pf_test()) must alter pf_state::timeout
under protection of pf_state::mtx. We also have to make sure
the packet does not update pf_state::timeout when ::timeout
reaches PFTM_UNLINKED.

The first report came from Johan Huldtgren, but he is not
the single user who has noticed "st->timeout == PFTM_UNLINKED"
assert violation.

OK bluhm@

Revision 1.1188, Tue Oct 10 16:26:06 2023 UTC (8 months ago) by bluhm
Branch: MAIN
Changes since 1.1187: +3 -3 lines

pf(4) must not pass packet if state cannot be created.

The behavior of the PFRULE_SRCTRACK and max_states check was
unintentionally changed by commit revision 1.964.  If the state was
not created because some limit had been reached, pf still passed the
packet.  Restore the old logic by setting action to pass later,
after the checks.  In pf_test_rule() action is initialized to drop.

OK sashan@

Revision 1.1187, Tue Oct 10 11:25:31 2023 UTC (8 months ago) by bluhm
Branch: MAIN
Changes since 1.1186: +26 -32 lines

Remove dead code in pf_pull_hdr().

pf_pull_hdr() allows passing an action pointer parameter as output
value.  This is never used, all callers pass a NULL argument.  Remove
ACTION_SET() entirely.

The logic (fragoff >= len) in pf_pull_hdr() does not work since
revision 1.4.  Before it was used to drop short TCP or UDP fragments
that contained only part of the header.  Current code in pf_pull_hdr()
drops the packets anyway, so always set reason PFRES_FRAG.

OK kn@ sashan@

Revision 1.1186, Fri Sep 8 13:40:52 2023 UTC (9 months ago) by naddy
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE
Branch point for: OPENBSD_7_4
Changes since 1.1185: +0 -8 lines

revert previous

The change broke IPv6 neighbor discovery, and anton@ reports several
regression test failures.

ok bluhm@

Revision 1.1185, Thu Sep 7 09:59:43 2023 UTC (9 months ago) by sashan
Branch: MAIN
Changes since 1.1184: +9 -1 lines

pf(4) ignores 'keep state' and 'nat-to' actions for unsolicited
icmp error responses. Fix tightens rule matching logic so icmp
error responses no longer match 'keep state' rule. In typical
scenarios icmp errors (if solicited) should match existing state.
The change is going to bite firewalls which deal with asymmetric
routes. In those cases the 'keep state' action should be relaxed
to sloppy, or a new 'no state' rule to explicitly match icmp
errors should be added.

The issue has been reported by Peter J. Philip (pjp _at_ delphinusdns.org).

Discussed with bluhm@ and florian@

OK bluhm@

Revision 1.1184, Mon Jul 31 11:13:09 2023 UTC (10 months, 1 week ago) by dlg
Branch: MAIN
Changes since 1.1183: +5 -1 lines

don't let pfsync send an insert message for a state pfsync just inserted

sthen@ upgraded and ended up with a lot of pfsync traffic which was
mostly made up of the two firewalls telling each other to insert
the same state over and over again.

this has each of the paths that insert states (actual pf, ioctls,
and pfsync) identify themselves so pfsync can enter them into its
own state machine in the right place. when pfsync inserts a state
into pf, it knows it should just swallow the state silently without
sending out another insert for it.

ok sthen@ sashan@

Revision 1.1183, Fri Jul 7 08:05:02 2023 UTC (11 months ago) by bluhm
Branch: MAIN
Changes since 1.1182: +5 -18 lines

Fix path MTU discovery for TCP LRO/TSO when forwarding.

When doing LRO (Large Receive Offload), the drivers, currently ix(4)
and lo(4) only, record an upper bound of the size of the original
packets in ph_mss.  When sending, either stack or hardware must
chop the packets with TSO (TCP Segmentation Offload) to that size.
That means we have to call tcp_if_output_tso() before ifp->if_output().
Put that logic into if_output_tso() to avoid code duplication.  As
TCP packets on the wire do not get larger that way, path MTU discovery
should still work.

tested by and OK jan@

Revision 1.1182, Thu Jul 6 04:55:05 2023 UTC (11 months ago) by dlg
Branch: MAIN
Changes since 1.1181: +132 -83 lines

big update to pfsync to try and clean up locking in particular.

moving pf forward has been a real struggle, and pfsync has been a
constant source of pain. we have been papering over the problems
for a while now, but it reached the point that it needed a fundamental
restructure, which is what this diff is.

the big headliner changes in this diff are:

- pfsync specific locks

this is the whole reason for this diff.

rather than rely on NET_LOCK or KERNEL_LOCK or whatever, pfsync now
has its own locks to protect its internal data structures. this
is important because pfsync runs a bunch of timeouts and tasks to
push pfsync packets out on the wire, or when it's handling requests
generated by incoming pfsync packets, both of which happen outside
pf itself running. having pfsync specific locks around pfsync data
structures makes the mutations of these data structures a lot more
explicit and auditable.

- partitioning

to enable future parallelisation of the network stack, this rewrite
includes support for pfsync to partition states into different "slices".
these slices run independently, i.e., the states collected by one slice
are serialised into a separate packet to the states collected and
serialised by another slice.

states are mapped to pfsync slices based on the pf state hash, which
is the same hash that the rest of the network stack and multiq
hardware uses.

- no more pfsync called from netisr

pfsync used to be called from netisr to try and bundle packets, but now
that there's multiple pfsync slices this doesn't make sense. instead it
uses tasks in softnet tqs.

- improved bulk transfer handling

there's shiny new state machines around both the bulk transmit and
receive handling. pfsync used to do horrible things to carp demotion
counters, but now it is very predictable and returns the counters back
where they started.

- better tdb handling

the tdb handling was pretty hairy, but hrvoje has kicked this around
a lot with ipsec and sasyncd and we've found and fixed a bunch of
issues as a result of that testing.

- mpsafe pf state purges

this was committed previously, but because the locks pfsync relied on
weren't clear this just caused a ton of bugs. as part of this diff it's
now reliable, and moves a big chunk of work out from under KERNEL_LOCK,
which in turn improves the responsiveness and throughput of a firewall
even if you're not using pfsync.

there's a bunch of other little changes along the way, but the above are
the big ones.

hrvoje has done performance testing with this diff and notes a big
improvement when pfsync is not in use. performance when pfsync is
enabled is about the same, but I'm hoping the slices means we can scale
along with pf as it improves.

lots (months) of testing by me and hrvoje on pfsync boxes
tests and ok sashan@
deraadt@ says this is a good time to put it in

Revision 1.1181, Mon Jun 5 08:37:27 2023 UTC (12 months, 1 week ago) by sashan
Branch: MAIN
Changes since 1.1180: +4 -1 lines

pf_remove_state() should not attempt to remove state which
is already removed.

OK dlg@

Revision 1.1180, Mon May 15 16:34:56 2023 UTC (12 months, 3 weeks ago) by bluhm
Branch: MAIN
Changes since 1.1179: +5 -18 lines

Implement the TCP/IP layer for hardware TCP segmentation offload.
If the driver of a network interface claims to support TSO, do not
chop the packet in software, but pass it down to the interface
layer.
Precalculate parts of the pseudo header checksum, but without the
packet length.  The length of all generated smaller packets is not
known yet.  Driver and hardware will use the mbuf packet header
field ph_mss to calculate it and update checksum.
Introduce separate flags IFCAP_TSOv4 and IFCAP_TSOv6 as hardware
might support only one protocol family.  The old flag IFXF_TSO is
only relevant for large receive offload.  It is misnamed, but keep
that for now.
Note that drivers do not set TSO capabilities yet.  Also the ifconfig
flags and pseudo interfaces capabilities will be done separately.
So this commit should not change behavior.
heavily based on the work from jan@; OK sashan@

Revision 1.1179, Sat May 13 13:35:17 2023 UTC (12 months, 4 weeks ago) by bluhm
Branch: MAIN
Changes since 1.1178: +3 -9 lines

Instead of implementing IPv4 header checksum creation everywhere,
introduce in_hdr_cksum_out().  It is used like in_proto_cksum_out().
OK claudio@

Revision 1.1178, Wed May 10 12:07:16 2023 UTC (13 months ago) by bluhm
Branch: MAIN
Changes since 1.1177: +23 -2 lines

Implement TCP send offloading, for now in software only.  This is
meant as a fallback if network hardware does not support TSO.  Driver
support is still work in progress.  TCP output generates large
packets.  In IP output the packet is chopped to TCP maximum segment
size.  This reduces the CPU cycles used by pf.  The regular output
could be assisted by hardware later, but pf route-to and IPsec need
the software fallback in general.
For performance comparison or to workaround possible bugs, sysctl
net.inet.tcp.tso=0 disables the feature.  netstat -s -p tcp shows
TSO counter with chopped and generated packets.
based on work from jan@
tested by jmc@ jan@ Hrvoje Popovski
OK jan@ claudio@

Revision 1.1177, Mon May 8 13:22:13 2023 UTC (13 months ago) by bluhm
Branch: MAIN
Changes since 1.1176: +3 -5 lines

The call to in_proto_cksum_out() is only needed before the packet
is passed to ifp->if_output().  The fragment code has its own
checksum calculation and the other paths end in goto bad.
OK claudio@

Revision 1.1176, Sun May 7 16:23:23 2023 UTC (13 months ago) by bluhm
Branch: MAIN
Changes since 1.1175: +17 -23 lines

In preparation for TSO in software, cleanup the fragment code.  Use
if_output_ml() to send mbuf lists to interfaces.  This can be used
for TSO, fragments, ARP and ND6.  Rename variable fml to ml.  In
pf_route6() split the if else block.  Put the safety check (hlen +
firstlen < tlen) into ip_fragment().  It makes the code correct in
case the packet is too short to be fragmented.  This should not
happen, but other functions also have this logic.
No functional change.  OK sashan@

Revision 1.1175, Wed May 3 10:32:47 2023 UTC (13 months, 1 week ago) by kn
Branch: MAIN
Changes since 1.1174: +5 -1 lines

Remove net lock from DIOCGETRULESET and DIOCGETRULESETS

Both walk the list of rulesets aka. anchors, to yield a total count and
specific anchor name, respectively.  Same access, different copy out.

pf_anchor_global are contained within pf_ioctl.c and pf_ruleset.c and
fully protected by the pf lock, as is pf_main_ruleset and its pf.c usage.

Rely on and assert for pf lock alone.  'pfctl -sr' on 60k unique rules gets
noticeably faster, around 2.1s instead of 3.5s.

OK sashan

Revision 1.1174, Fri Apr 28 14:08:34 2023 UTC (13 months, 2 weeks ago) by phessler
Branch: MAIN
Changes since 1.1173: +30 -2 lines

Relax the "pass all" rule so all forms of neighbor advertisements are allowed
in either direction.

This more closely matches the IPv4 ARP behaviour.

From sashan@
discussed with kn@ deraadt@

Revision 1.1173, Thu Mar 23 01:41:12 2023 UTC (14 months, 2 weeks ago) by jsg
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3
Changes since 1.1172: +3 -3 lines

fix off-by-one in pf_state_expires() bounds test
such a value would have triggered a KASSERT()
ok sashan@ deraadt@
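Added example, not OpenBSD code: a toy state carrying the two pieces of timeout bookkeeping that this commit and r1.1189 (further up the log) are about. The expiry computation rejects a timer index equal to the table size, since that index is already one past the array; the packet path only re-arms the timer under the per-state mutex and refuses to do so once the purge has marked the state unlinked, so a packet that lost the race can no longer resurrect it. The hyp_ and HYP_ names, the timer indices, the lock type and the placement of the adaptive.start/adaptive.end values are assumptions of this illustration; the linear scaling between those two values follows the description in pf.conf(5).

```c
/* Added example, not pf's code; hyp_ and HYP_ names and field layout are assumptions. */
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

enum {
    HYP_PFTM_TCP_FIRST_PACKET = 0,
    HYP_PFTM_TCP_ESTABLISHED,
    HYP_PFTM_TCP_CLOSED,
    HYP_PFTM_MAX,               /* one past the last valid timer index */
    HYP_PFTM_UNLINKED = 0xff    /* state already taken out of the table */
};

struct hyp_rule {
    uint32_t timeout[HYP_PFTM_MAX]; /* seconds per timer index */
    uint32_t adaptive_start;        /* scale timeouts above this many states */
    uint32_t adaptive_end;          /* expire immediately at this many states */
};

struct hyp_state {
    atomic_int mtx;             /* stands in for pf_state::mtx */
    uint8_t timeout;            /* timer index, or HYP_PFTM_UNLINKED */
    uint32_t expire;            /* uptime when the timer was last armed */
    const struct hyp_rule *rule;
};

static void hyp_lock(struct hyp_state *st) { while (atomic_exchange(&st->mtx, 1)) ; }
static void hyp_unlock(struct hyp_state *st) { atomic_store(&st->mtx, 0); }

static void
hyp_state_init(struct hyp_state *st, const struct hyp_rule *r, uint32_t now,
    uint8_t idx)
{
    atomic_init(&st->mtx, 0);
    st->timeout = idx;
    st->expire = now;
    st->rule = r;
}

/*
 * Absolute expiry time, or 0 when the state should go now.  The bounds test
 * is ">=": HYP_PFTM_MAX is itself out of range, and letting it through would
 * read one element past timeout[].
 */
static uint32_t
hyp_state_expires(const struct hyp_state *st, uint8_t stimeout,
    uint32_t states_cur)
{
    uint32_t timeout, start, end;

    if (stimeout >= HYP_PFTM_MAX)
        return 0;
    timeout = st->rule->timeout[stimeout];
    start = st->rule->adaptive_start;
    end = st->rule->adaptive_end;
    /* adaptive scaling as in pf.conf(5): shrink linearly between start and end */
    if (end && states_cur > start && start < end) {
        if (states_cur >= end)
            return 0;
        timeout = (uint32_t)((uint64_t)timeout * (end - states_cur) /
            (end - start));
    }
    return st->expire + timeout;
}

/* Packet path: re-arm the timer, never for a state the purge already unlinked. */
static int
hyp_state_touch(struct hyp_state *st, uint8_t new_timeout, uint32_t now)
{
    int ok = 0;

    hyp_lock(st);
    if (st->timeout != HYP_PFTM_UNLINKED) {
        st->timeout = new_timeout;
        st->expire = now;
        ok = 1;
    }
    hyp_unlock(st);
    return ok;
}

/* Purge path: the same mutex makes the expiry check and the unlink one step. */
static int
hyp_state_purge(struct hyp_state *st, uint32_t now, uint32_t states_cur)
{
    int unlinked = 0;

    hyp_lock(st);
    if (st->timeout != HYP_PFTM_UNLINKED &&
        hyp_state_expires(st, st->timeout, states_cur) <= now) {
        st->timeout = HYP_PFTM_UNLINKED;
        unlinked = 1;
    }
    hyp_unlock(st);
    return unlinked;
}

int
main(void)
{
    struct hyp_rule r = { { 120, 86400, 90 }, 6000, 12000 };
    struct hyp_state st;

    hyp_state_init(&st, &r, 1000, HYP_PFTM_TCP_ESTABLISHED);
    printf("idle expiry %u, expiry at 9000 states %u\n",
        hyp_state_expires(&st, st.timeout, 0),
        hyp_state_expires(&st, st.timeout, 9000));
    hyp_state_touch(&st, HYP_PFTM_TCP_CLOSED, 2000);
    printf("purged %d\n", hyp_state_purge(&st, 2090, 0));
    printf("touch after purge %d\n", hyp_state_touch(&st, HYP_PFTM_TCP_ESTABLISHED, 2100));
    return 0;
}
```

The point of keeping the expiry check and the unlink under one lock acquisition is that the packet path can never observe a state that is "expired but not yet unlinked" and re-arm it in between; with the lock held per state rather than globally, the purge scan does not serialise against every packet.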

Revision 1.1172, Sat Mar 4 10:55:37 2023 UTC (15 months, 1 week ago) by sashan
Branch: MAIN
Changes since 1.1171: +7 -3 lines

pf(4) should be enforcing TTL=1 to packets sent to 224.0.0.1 only.
Issue found and kindly reported by Luca Di Gregorio <lucdig _at_ gmail>

OK bluhm@

Revision 1.1171, Sun Jan 22 23:05:51 2023 UTC (16 months, 2 weeks ago) by yasuoka
Branch: MAIN
Changes since 1.1170: +5 -1 lines

Fix pf_anchor_stackframe commit to revert pf rule matching to the
previous behavior that stops when any rule matches within quick
anchors.

ok sasha kn

Revision 1.1126.2.1, Thu Jan 12 13:13:12 2023 UTC (16 months, 4 weeks ago) by bluhm
Branch: OPENBSD_7_1
Changes since 1.1126: +3 -2 lines
Next revision on MAIN: 1.1127

Binding the accept socket in TCP input relies on the fact that the
listen port is not bound to port 0.  With a matching pf divert-to
rule this assumption is no longer true and could crash the kernel
with kassert.  In both pf and stack drop TCP packets with destination
port 0 before they can do harm.
OK sashan@ claudio@

this is errata/7.1/018_tcp.patch.sig

Revision 1.1140.2.2, Thu Jan 12 13:12:10 2023 UTC (16 months, 4 weeks ago) by bluhm
Branch: OPENBSD_7_2
Changes since 1.1140.2.1: +3 -2 lines
Branch point: 1.1140; next revision on MAIN: 1.1141

Binding the accept socket in TCP input relies on the fact that the
listen port is not bound to port 0.  With a matching pf divert-to
rule this assumption is no longer true and could crash the kernel
with kassert.  In both pf and stack drop TCP packets with destination
port 0 before they can do harm.
OK sashan@ claudio@

this is errata/7.2/013_tcp.patch.sig

Revision 1.1170, Thu Jan 12 13:09:47 2023 UTC (16 months, 4 weeks ago) by bluhm
Branch: MAIN
Changes since 1.1169: +3 -2 lines

Binding the accept socket in TCP input relies on the fact that the
listen port is not bound to port 0.  With a matching pf divert-to
rule this assumption is no longer true and could crash the kernel
with kassert.  In both pf and stack drop TCP packets with destination
port 0 before they can do harm.
OK sashan@ claudio@
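Added example, not OpenBSD code: the header pull from r1.1187 (further up the log) and the destination-port-0 drop from this commit written out together. A non-first fragment carries no transport header pf could match on and is refused with a fragment reason; a packet too short to hold the full TCP header is refused as short; and a TCP packet to port 0 is dropped before any divert-to lookup could hand it to a listening socket. Every hyp_ and HYP_ name, the reason codes and the constructed test packet are assumptions of this illustration; pf's own pf_pull_hdr() and PFRES_* codes differ.

```c
/* Added example, not pf's pf_pull_hdr(); hyp_ and HYP_ names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum hyp_reason { HYP_OK = 0, HYP_SHORT, HYP_FRAG, HYP_BADPORT };

struct hyp_tcp {
    uint16_t sport;
    uint16_t dport;
    uint8_t off;        /* TCP header length in bytes */
};

/* IPv4 fragment offset in bytes; the flags sit in the top 3 bits. */
static uint16_t
hyp_ip_fragoff(const uint8_t *ip)
{
    return (uint16_t)((((ip[6] << 8) | ip[7]) & 0x1fff) * 8);
}

/*
 * Copy hdrlen bytes of transport header out of an IPv4 packet.  A non-first
 * fragment is refused as HYP_FRAG; anything too short for the header is HYP_SHORT.
 */
static int
hyp_pull_hdr(const uint8_t *pkt, size_t len, void *hdr, size_t hdrlen,
    int *reason)
{
    size_t ihl;

    if (len < 20 || (ihl = (size_t)(pkt[0] & 0x0f) * 4) < 20 || len < ihl) {
        *reason = HYP_SHORT;
        return 0;
    }
    if (hyp_ip_fragoff(pkt) != 0) {
        *reason = HYP_FRAG;
        return 0;
    }
    if (len - ihl < hdrlen) {
        *reason = HYP_SHORT;
        return 0;
    }
    memcpy(hdr, pkt + ihl, hdrlen);
    return 1;
}

/* Parse the TCP ports; destination port 0 is dropped before any divert-to lookup. */
static int
hyp_test_tcp(const uint8_t *pkt, size_t len, struct hyp_tcp *th, int *reason)
{
    uint8_t raw[20];    /* fixed part of the TCP header */

    if (!hyp_pull_hdr(pkt, len, raw, sizeof(raw), reason))
        return 0;
    th->sport = (uint16_t)((raw[0] << 8) | raw[1]);
    th->dport = (uint16_t)((raw[2] << 8) | raw[3]);
    th->off = (uint8_t)((raw[12] >> 4) * 4);
    if (th->off < 20) {
        *reason = HYP_SHORT;
        return 0;
    }
    if (th->dport == 0) {
        *reason = HYP_BADPORT;
        return 0;
    }
    *reason = HYP_OK;
    return 1;
}

/* Constructed 40-byte IPv4+TCP SYN; fragfield is the raw flags/offset word. */
static size_t
hyp_build_pkt(uint8_t *buf, uint16_t fragfield, uint16_t sport, uint16_t dport)
{
    memset(buf, 0, 40);
    buf[0] = 0x45;                  /* IPv4, 20-byte header */
    buf[3] = 40;                    /* total length */
    buf[6] = (uint8_t)(fragfield >> 8);
    buf[7] = (uint8_t)fragfield;
    buf[9] = 6;                     /* TCP */
    buf[20] = (uint8_t)(sport >> 8);
    buf[21] = (uint8_t)sport;
    buf[22] = (uint8_t)(dport >> 8);
    buf[23] = (uint8_t)dport;
    buf[32] = 0x50;                 /* data offset 5 words */
    buf[33] = 0x02;                 /* SYN */
    return 40;
}

int
main(void)
{
    static const char *names[] = { "ok", "short", "frag", "badport" };
    uint8_t pkt[40];
    struct hyp_tcp th;
    int reason;

    hyp_build_pkt(pkt, 0x0001, 4660, 80);       /* non-first fragment */
    hyp_test_tcp(pkt, 40, &th, &reason);
    printf("fragment: %s\n", names[reason]);
    hyp_build_pkt(pkt, 0x4000, 4660, 0);        /* destination port 0 */
    hyp_test_tcp(pkt, 40, &th, &reason);
    printf("dport 0: %s\n", names[reason]);
    return 0;
}
```

The length checks are ordered so that no byte is read before the buffer is known to hold it; the port-0 check sits in the parser rather than in the socket layer because, as the commit message says, the assumption it protects lives in TCP input and is only violated once a divert-to rule is in play.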

Revision 1.1169, Fri Jan 6 17:44:34 2023 UTC (17 months ago) by sashan
Branch: MAIN
Changes since 1.1168: +150 -67 lines

PF_ANCHOR_STACK_MAX is insufficient protection against stack overflow.
On amd64 stack overflows for anchor rule with depth ~30. The tricky
thing is the 'safe' depth varies depending on kind of packet processed
by pf_match_rule(). For example for local outbound TCP packet stack
overflows when the recursion of pf_match_rule() reaches depth 24.

Instead of lowering PF_ANCHOR_STACK_MAX to 20 and hoping it will
be enough on all platforms and for all packets I'd like to stop
calling pf_match_rule() recursively. This commit brings back
pf_anchor_stackframe array we used to have back in 2017. It also
revives patrick@'s idea to pre-allocate stack frame arrays
from per-cpu.

OK kn@
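Added example, not OpenBSD code: rule evaluation over nested anchors driven by a preallocated frame array rather than recursion, the approach this commit describes. Each anchor pushes a frame instead of a C call, so the stack usage no longer depends on the ruleset, and when the nesting exceeds the array the evaluator fails closed with an error the caller turns into a drop. The hyp_ names, the toy rule format (match on destination port only), the quick semantics as coded here and HYP_ANCHOR_STACK_MAX are assumptions of this illustration.

```c
/* Added example, not pf's pf_match_rule(); hyp_ names and the toy rule format are assumptions. */
#include <stddef.h>
#include <stdint.h>

#define HYP_ANCHOR_STACK_MAX 8      /* frames preallocated per evaluation */

enum hyp_action { HYP_DROP = 0, HYP_PASS = 1 };

struct hyp_ruleset;

struct hyp_rule {
    uint16_t dport;                     /* 0 = any */
    int quick;
    enum hyp_action action;
    const struct hyp_ruleset *anchor;   /* child ruleset, or NULL */
};

struct hyp_ruleset {
    const struct hyp_rule *rules;
    size_t nrules;
};

struct hyp_frame {
    const struct hyp_ruleset *rs;
    size_t next;                        /* next rule index in rs */
    int quick;                          /* opened by a 'quick' anchor rule */
    const struct hyp_rule *entry_match; /* match in effect when pushed */
};

/*
 * Last match wins; a matching 'quick' rule ends evaluation, as does a
 * 'quick' anchor whose ruleset produced a match.  Returns 1 with *match
 * set, 0 for no match, or -1 when anchors nest deeper than nframes: the
 * caller drops the packet instead of running off the kernel stack.
 */
static int
hyp_match_rule(const struct hyp_ruleset *root, uint16_t dport,
    struct hyp_frame *stack, size_t nframes, const struct hyp_rule **match)
{
    const struct hyp_rule *last = NULL;
    size_t depth = 0;

    stack[0] = (struct hyp_frame){ root, 0, 0, NULL };
    for (;;) {
        struct hyp_frame *f = &stack[depth];
        const struct hyp_rule *r;

        if (f->next >= f->rs->nrules) {     /* ruleset done: pop */
            if (depth == 0 || (f->quick && last != f->entry_match))
                break;
            depth--;
            continue;
        }
        r = &f->rs->rules[f->next++];
        if (r->dport != 0 && r->dport != dport)
            continue;
        if (r->anchor != NULL) {            /* push a frame, do not recurse */
            if (depth + 1 >= nframes)
                return -1;
            stack[++depth] = (struct hyp_frame){ r->anchor, 0, r->quick, last };
            continue;
        }
        last = r;
        if (r->quick)
            break;
    }
    *match = last;
    return last != NULL;
}

/* Constructed sample: block all; quick anchor "a" for port 80; quick pass for 22. */
static const struct hyp_rule hyp_anchor_a_rules[] = { { 80, 0, HYP_PASS, NULL } };
static const struct hyp_ruleset hyp_anchor_a = { hyp_anchor_a_rules, 1 };
static const struct hyp_rule hyp_root_rules[] = {
    { 0,  0, HYP_DROP, NULL },
    { 80, 1, HYP_PASS, &hyp_anchor_a },
    { 22, 1, HYP_PASS, NULL },
};
static const struct hyp_ruleset hyp_root = { hyp_root_rules, 3 };

/* Build an anchor chain n rulesets deep and evaluate it with nframes frames. */
static int
hyp_eval_chain(size_t n, size_t nframes)
{
    enum { MAXN = 32 };
    static struct hyp_rule rules[MAXN];
    static struct hyp_ruleset sets[MAXN];
    struct hyp_frame stack[HYP_ANCHOR_STACK_MAX];
    const struct hyp_rule *m;

    if (n == 0 || n > MAXN || nframes > HYP_ANCHOR_STACK_MAX)
        return -2;
    for (size_t i = 0; i < n; i++) {
        rules[i] = (struct hyp_rule){ 0, 0, HYP_PASS, i + 1 < n ? &sets[i + 1] : NULL };
        sets[i] = (struct hyp_ruleset){ &rules[i], 1 };
    }
    return hyp_match_rule(&sets[0], 80, stack, nframes, &m);
}
```

With this shape the frame array can be sized once per CPU, as the commit mentions, and the worst case a hostile or merely deep ruleset can cause is a -1 from the evaluator, not a corrupted kernel stack.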

Revision 1.1168, Thu Jan 5 23:44:35 2023 UTC (17 months ago) by dlg
Branch: MAIN
Changes since 1.1167: +552 -548 lines

more consistently name pf_state * variables "st".

pf_state ** are generally called "stp" now too.

discussed with and ok sashan@

Revision 1.1167, Wed Jan 4 10:31:55 2023 UTC (17 months ago) by dlg
Branch: MAIN
Changes since 1.1166: +10 -11 lines

move the pf_state_tree_id type from pfvar.h to pfvar_priv.h.

the pf_state_tree_id type is private to the kernel.

while here, move it from being an RB tree to an RBT tree. this saves
about 12k in pf.o on amd64.

ok sashan@

Revision 1.1166, Wed Jan 4 02:00:49 2023 UTC (17 months, 1 week ago) by dlg
Branch: MAIN
Changes since 1.1165: +15 -13 lines

move the pf_state_tree rb tree type from pfvar.h to pfvar_priv.h

the pf_state_tree types are kernel private, and are not used by
userland. make build agrees with me.

while here, move the pf_state_tree from the RB macros to the RBT
functions. this shaves about 13k off pf.o on amd64.

ok sashan@

Revision 1.1165, Mon Jan 2 05:32:40 2023 UTC (17 months, 1 week ago) by dlg
Branch: MAIN
Changes since 1.1164: +2 -2 lines

use the pf generated toeplitz hash when setting the mbuf flow id.

before this it would use the pf state id, which is just an increasing
number. the toeplitz hash is generated/used by the rest of the
stack, so this encourages consistent flow of traffic through the
system.

Revision 1.1164, Tue Dec 27 20:13:03 2022 UTC (17 months, 2 weeks ago) by patrick
Branch: MAIN
Changes since 1.1163: +2 -2 lines

Fix array bounds mismatch with clang 15

New warning -Warray-parameter is a bit overzealous.
ok millert@ tb@

Revision 1.1163, Sat Dec 24 05:20:32 2022 UTC (17 months, 2 weeks ago) by dlg
Branch: MAIN
Changes since 1.1162: +5 -6 lines

fix and enable toeplitz hashing of pf_state_keys again.

the hash generated when setting up the pf pdesc struct uses outer
addresses, while the addresses used in the state table goes through
pf_state_key_addr_setup(), which does interesting things with some
ipv6 icmp values. state lookups used pf_state_key_addr_setup(), but
pf_state_key_setup copied the pdesc value, causing an inconsistency.
pf_state_key_setup now calls pf_state_key_addr_setup().

found by anton@
tested by anton@ florian@

Revision 1.1162, Fri Dec 23 07:14:55 2022 UTC (17 months, 2 weeks ago) by dlg
Branch: MAIN
Changes since 1.1161: +3 -1 lines

disable the use of the hash in the pf state key lookup (for now).

anton@ says the previous commit breaks ipv6 related regress tests.
disabling the use of the hash in the state key compare gets it going
again while i can figure out what's going on.

Revision 1.1161, Thu Dec 22 05:59:27 2022 UTC (17 months, 2 weeks ago) by dlg
Branch: MAIN
Changes since 1.1160: +55 -1 lines

use stoeplitz to generate a hash/flowid for state keys.

the hash will be used to partition work in pf and pfsync in the
future, and right now it is used as the first comparison in the rb
tree state lookup.

using stoeplitz means that pf will hash traffic the same way that
hardware using a stoeplitz key will hash incoming traffic on rings.
stoeplitz is also used by the tcp stack to generate a flow id, which
is used to pick which transmit ring is used on nics with multiple
queues too. using the same algorithm throughout the stack encourages
affinity of packets to rings and softnet threads the whole way
through.

using the hash as the first comparison in the state rb tree comparison
should encourage faster traversal of the state tree by having all
the address/port bits summarised into the single hash value. however,
tests by hrvoje popovski don't show performance changing. on the
plus side, if this change is free from a performance point of view
then it makes the future steps more straightforward.

discussed at length at h2k22
tested by sashan@ and hrvoje popovski
ok tb@ sashan@ claudio@ jmatthew@
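Added example, not OpenBSD's stoeplitz code: a Toeplitz hash over the IPv4 4-tuple, computed from the state key's own fields after they have been filled in, so the hash used for lookup cannot disagree with the addresses the key stores (the inconsistency r1.1163 above repairs), with a key whose 16-bit pattern repeats so that both directions of a flow hash to the same value, which is what lets one hash drive both the state lookup and the ring or slice choice. The hyp_ names, the 0x6d5a key and the flat key layout are assumptions of this illustration; pf's key and its real pf_state_key are not reproduced here.

```c
/* Added example, not pf's stoeplitz; hyp_ names and the key bytes are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HYP_KEYLEN 40

/* Repeating 16-bit pattern: the repetition is what makes the hash symmetric. */
static const uint8_t hyp_key[HYP_KEYLEN] = {
    0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a,
    0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a,
    0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a,
    0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a,
};

/* Bit i of the key, MSB first, wrapping so inputs longer than the key still hash. */
static uint32_t
hyp_key_bit(size_t i)
{
    return (hyp_key[(i / 8) % HYP_KEYLEN] >> (7 - (i % 8))) & 1;
}

/*
 * Toeplitz: for every set input bit i, XOR in the 32-bit key window that
 * starts at key bit i.  With a period-16 key the window at bit i equals the
 * window at bit i+16, so swapping src/dst (32 bits) or sport/dport (16 bits)
 * leaves the result unchanged.
 */
static uint32_t
hyp_toeplitz(const uint8_t *data, size_t len)
{
    uint32_t result = 0, window = 0;
    size_t i, next = 0;

    for (i = 0; i < 32; i++)
        window = (window << 1) | hyp_key_bit(next++);
    for (i = 0; i < len * 8; i++) {
        if ((data[i / 8] >> (7 - (i % 8))) & 1)
            result ^= window;
        window = (window << 1) | hyp_key_bit(next++);
    }
    return result;
}

struct hyp_state_key {
    uint32_t addr[2];   /* src, dst as host-order integers */
    uint16_t port[2];   /* sport, dport */
    uint32_t hash;
};

static void
hyp_put32(uint8_t *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

/* Fill the key first, then hash exactly what the key holds. */
static void
hyp_state_key_setup(struct hyp_state_key *sk, uint32_t saddr, uint32_t daddr,
    uint16_t sport, uint16_t dport)
{
    uint8_t buf[12];

    sk->addr[0] = saddr;
    sk->addr[1] = daddr;
    sk->port[0] = sport;
    sk->port[1] = dport;
    hyp_put32(buf, sk->addr[0]);
    hyp_put32(buf + 4, sk->addr[1]);
    buf[8] = sk->port[0] >> 8; buf[9] = sk->port[0];
    buf[10] = sk->port[1] >> 8; buf[11] = sk->port[1];
    sk->hash = hyp_toeplitz(buf, sizeof(buf));
}

int
main(void)
{
    struct hyp_state_key fwd, rev;

    hyp_state_key_setup(&fwd, 0xc0a80001, 0x0a000001, 40000, 443);
    hyp_state_key_setup(&rev, 0x0a000001, 0xc0a80001, 443, 40000);
    printf("forward %08x reverse %08x\n", fwd.hash, rev.hash);
    return 0;
}
```

Deriving the hash from the key's own fields, rather than from the packet descriptor, is the structural fix: any address rewriting done while building the key is automatically reflected in the hash that will be compared against it.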

Revision 1.1160, Wed Dec 21 03:02:34 2022 UTC (17 months, 3 weeks ago) by dlg
Branch: MAIN
Changes since 1.1159: +2 -2 lines

tiny whitespace tweak.

Revision 1.1159, Wed Dec 21 02:51:06 2022 UTC (17 months, 3 weeks ago) by dlg
Branch: MAIN
Changes since 1.1158: +3 -3 lines

consistently use the PF_REF wrappers around refcnts.

Revision 1.1158, Wed Dec 21 02:23:10 2022 UTC (17 months, 3 weeks ago) by dlg
Branch: MAIN
Changes since 1.1157: +88 -82 lines

prefix pf_state_key and pf_state_item struct bits to make them more unique.

this makes searching for the struct members easier, which in turn
makes tweaking code around them a lot easier too. sk_refcnt in
particular would have been a lot nicer to fiddle with than just
refcnt because pf_state structs also have a refcnt, which is annoying.

tweaks and ok sashan@
reads ok kn@

Revision 1.1157, Fri Dec 16 02:05:44 2022 UTC (17 months, 3 weeks ago) by dlg
Branch: MAIN
Changes since 1.1156: +108 -73 lines

always keep pf_state_keys attached to pf_states.

pf_state structures don't contain ip addresses, protocols, ports,
etc. that information is stored in a pf_state_key struct, which is
used to wire a state into the state table. when things like pfsync
or the pf state ioctls want to export information about a state,
particularly the addresses on it, they need the pf_state_key struct
to read from.

before this diff the code assumed that when a state was removed
from the state tables it could throw the pf_state_key structs away
as part of that removal. this code changes it so once pf_state_insert
succeeds, a pf_state will keep its references to the pf_state_key
structs until the pf_state struct itself is being destroyed.

this allows anything that holds a reference to a pf_state to also
look at the pf_state_key structs because they're now effectively
an immutable part of the pf_state struct.

this is by far the simplest and most straightforward fix for pfsync
crashing on pf_state_key dereferences we've come up with so far.
it has been made possible by the addition of reference counts to
pf_state and pf_state_key structs, which allows us to properly
account for this adjusted lifecycle for pf_state_keys on pf_state
structs.

sashan@ and i have been kicking this diff around for a couple of
weeks now.
ok sashan@ jmatthew@

Revision 1.1156, Fri Nov 25 20:27:53 2022 UTC (18 months, 2 weeks ago) by bluhm
Branch: MAIN
Changes since 1.1155: +34 -107 lines

revert pf.c r1.1152 again: move pf_purge out from under the kernel lock

Using systqmp for pf_purge creates a deadlock between pf_purge()
and ixgbe_stop() and possibly other drivers.  On systqmp pf(4) needs
netlock which the interface ioctl(2) is holding.  ix(4) waits in
sched_barrier() which is also scheduled on the systqmp task queue.

Removing the netlock from pf_purge() as a quick fix caused other
problems.

backout suggested by deraadt@

Revision 1.1155, Fri Nov 25 18:03:53 2022 UTC (18 months, 2 weeks ago) by kettenis
Branch: MAIN
Changes since 1.1154: +7 -1 lines

Revert previous commit.  It was not properly tested and produces splassert
warnings.  Rushing to pile more stuff on top of it isn't the answer.  This
needs a rethink.

ok deraadt@

Revision 1.1154, Fri Nov 25 03:45:39 2022 UTC (18 months, 2 weeks ago) by dlg
Branch: MAIN
Changes since 1.1153: +1 -7 lines

get rid of NET_LOCK in the pf purge work

pf purge was moved to systqmp (to get it away from KERNEL_LOCK)
which is also used as the backend for things like intr_barrier and
sched_barrier. it is common for network cards to call intr_barrier
while holding NET_LOCK, and if pf is trying to get the NET_LOCK in
the purge tasks that are now running in systqmp, it's a deadlock.
bluhm@ hit this exact issue.

sashan@ has been working to get rid of the need for NET_LOCK in pf,
so now we can remove the NET_LOCKs here rather than create a pf
specific taskq to run these tasks in.

ok sashan@ bluhm@

Revision 1.1140.2.1, Thu Nov 24 22:51:23 2022 UTC (18 months, 2 weeks ago) by bluhm
Branch: OPENBSD_7_2
Changes since 1.1140: +2 -2 lines

This diff fixes panic tripped by KASSERT(st->sync_state == PFSYNC_S_NONE)
found in pfsync_insert_state(). It is caused by two packets which happen
to belong to the same session. Think of UDP stream or two TCP SYN packets
transmitted almost simultaneously. The first such packet wins a state lock
and inserts state to table. The second packet waits for state lock
as a reader. As soon as the first packet is done with state creation
it drops the lock and is going to send S_INS message to its peer via
pfsync. The second update meanwhile obtains the state lock as a reader.
It finds a state created by the first packet. Later the second packet
also finds out the state needs to be updated, because sync_state
is still set to PFSYNC_S_NONE. The second packet puts state to snapshot
list marking it as S_UPD. All this happens before the first packet has
a chance to make a progress. Think of the first packet loses cpu after
dropping a write lock. Once the first packet gets running again it
trips KASSERT() because sync_state is set to S_UPD.

tested by hrvoje@

OK dlg@
from sashan@

this is errata/7.2/008_pfsync.patch.sig

Revision 1.1153, Sat Nov 12 02:48:14 2022 UTC (18 months, 4 weeks ago) by kn
Branch: MAIN
Changes since 1.1152: +3 -1 lines

Put pf_state_import() under NPFSYNC>0 to fix build without pfsync

Revision 1.1152, Fri Nov 11 16:12:08 2022 UTC (18 months, 4 weeks ago) by dlg
Branch: MAIN
Changes since 1.1151: +107 -34 lines

try pf.c r1.1143 again: move pf_purge out from under the kernel lock

this also avoids holding NET_LOCK too long.

the main change is done by running the purge tasks in systqmp instead
of systq. the pf state list was recently reworked so iteration over
the state can be done without blocking insertions.

however, scanning a lot of states can still take a lot of time, so
this also makes the state list scanner yield if it has spent too
much time running.

the other purge tasks for source nodes, rules, and fragments have
been moved to their own timeout/task pair to simplify the time
accounting.

in my environment, before this change pf purges often took 10 to
50ms. the softclock thread runs next to it often took a similar
amount of time, presumably because they ended up spinning waiting
for each other. after this change the pf_purges are more like 6 to
12ms, and don't block softclock. most of the variability in the runs
now seems to come from contention on the net lock.

tested by me sthen@ chris@
ok sashan@ kn@ claudio@

the diff was backed out because it made things a bit more racy,
but sashan@ has squashed those races this week. let's try it again.

Revision 1.1151, Fri Nov 11 15:02:31 2022 UTC (18 months, 4 weeks ago) by dlg
Branch: MAIN
Changes since 1.1150: +3 -1 lines

add a mutex to struct pf_state and init it.

nothing is protected by it yet but it will allow us to provide
consistent updates to individual states without relying on a global
lock. getting that right between the packet processing in pf itself,
pfsync, the pf purge code, the ioctl paths, etc is not worth the
required contortions.

while pf_state does grow, it doesn't use more cachelines on machines
where we will want to run in parallel with a lot of states.

stolen from and ok sashan@

Revision 1.1150 / (download) - annotate - [select for diffs], Fri Nov 11 11:47:12 2022 UTC (19 months ago) by dlg
Branch: MAIN
Changes since 1.1149: +2 -2 lines
Diff to previous 1.1149 (colored)

rename pfsync_up() to pfsync_is_up()

foo_up() where foo is a network driver is usually a function that
configures and brings an interface up into a running state. this
small tweak just makes the code a bit easier for me to read.

Revision 1.1149 / (download) - annotate - [select for diffs], Fri Nov 11 11:02:35 2022 UTC (19 months ago) by dlg
Branch: MAIN
Changes since 1.1148: +39 -1 lines
Diff to previous 1.1148 (colored)

rewrite the pf_state_peer_ntoh and pf_state_peer_hton macros as functions.

i can read this code as functions, but it takes too much effort as macros.

Revision 1.1148 / (download) - annotate - [select for diffs], Thu Nov 10 16:29:20 2022 UTC (19 months ago) by sashan
Branch: MAIN
Changes since 1.1147: +23 -37 lines
Diff to previous 1.1147 (colored)

revert pf_state mtx commit, because it breaks tree.
pfctl does not build

OK dlg@

Revision 1.1147 / (download) - annotate - [select for diffs], Thu Nov 10 14:22:43 2022 UTC (19 months ago) by sashan
Branch: MAIN
Changes since 1.1146: +37 -23 lines
Diff to previous 1.1146 (colored)

Add a mutex to pf_state structure. The mutex retains consistency
of structure members without using a global state lock.
The first member which uses protection by mutex is the key[] array.
More will follow.

OK dlg@

Revision 1.1146 / (download) - annotate - [select for diffs], Wed Nov 9 23:00:00 2022 UTC (19 months ago) by sashan
Branch: MAIN
Changes since 1.1145: +18 -47 lines
Diff to previous 1.1145 (colored)

simplify expiration of 'once' rules.
let the packet mark the 'once' rule as expired. The rule
will be removed by pfctl(8) when rules are updated.

OK kn@

Revision 1.1145 / (download) - annotate - [select for diffs], Tue Nov 8 16:20:26 2022 UTC (19 months ago) by sashan
Branch: MAIN
Changes since 1.1144: +2 -2 lines
Diff to previous 1.1144 (colored)

This diff fixes a panic tripped by KASSERT(st->sync_state == PFSYNC_S_NONE)
found in pfsync_insert_state(). It is caused by two packets which happen
to belong to the same session. Think of a UDP stream or two TCP SYN packets
transmitted almost simultaneously. The first such packet wins the state lock
and inserts the state into the table. The second packet waits for the state lock
as a reader. As soon as the first packet is done with state creation
it drops the lock and is going to send an S_INS message to its peer via
pfsync. The second update meanwhile obtains the state lock as a reader.
It finds the state created by the first packet. Later the second packet
also finds out the state needs to be updated, because sync_state
is still set to PFSYNC_S_NONE. The second packet puts the state on the snapshot
list, marking it as S_UPD. All this happens before the first packet has
a chance to make progress. Think of the first packet losing the CPU after
dropping the write lock. Once the first packet gets running again it
trips KASSERT() because sync_state is set to S_UPD.

tested by hrvoje@

OK dlg@

Revision 1.1144 / (download) - annotate - [select for diffs], Mon Nov 7 16:35:11 2022 UTC (19 months ago) by dlg
Branch: MAIN
Changes since 1.1143: +35 -107 lines
Diff to previous 1.1143 (colored)

revert "move pf_purge out from under the kernel lock".

hrvoje popovski showed me pfsync blowing up with this. im backing
it out quickly in case something else at the hackathon makes it
harder to do later.

kn@ agrees

Revision 1.1143 / (download) - annotate - [select for diffs], Mon Nov 7 12:56:38 2022 UTC (19 months ago) by dlg
Branch: MAIN
Changes since 1.1142: +108 -36 lines
Diff to previous 1.1142 (colored)

move pf_purge out from under the kernel lock and avoid the hogging cpu

this also avoids holding NET_LOCK too long.

the main change is done by running the purge tasks in systqmp instead
of systq. the pf state list was recently reworked so iteration over
the state can be done without blocking insertions.

however, scanning a lot of states can still take a lot of time, so
this also makes the state list scanner yield if it has spent too
much time running.

the other purge tasks for source nodes, rules, and fragments have
been moved to their own timeout/task pair to simplify the time
accounting.

in my environment, before this change pf purges often took 10 to
50ms. the softclock thread runs next to it often took a similar
amount of time, presumably because they ended up spinning waiting
for each other. after this change the pf_purges are more like 6 to
12ms, and don't block softclock. most of the variability in the runs
now seems to come from contention on the net lock.

tested by me sthen@ chris@
ok sashan@ kn@ claudio@

Revision 1.1142 / (download) - annotate - [select for diffs], Sun Nov 6 18:05:05 2022 UTC (19 months ago) by dlg
Branch: MAIN
Changes since 1.1141: +220 -1 lines
Diff to previous 1.1141 (colored)

move pfsync_state_import in if_pfsync.c to pf_state_import in pf.c

this is straightening the deck chairs. the state import and export
code are used by both the pf ioctls and pfsync, but the export code
is in pf.c and the import code is in if_pfsync. if pfsync was
disabled then the ioctl stuff wouldn't link.

moving the import code to pf.c makes it more symmetrical(?) and
robust.

tweaks and ok from kn@ sashan@

Revision 1.1141 / (download) - annotate - [select for diffs], Mon Oct 10 16:43:12 2022 UTC (20 months ago) by bket
Branch: MAIN
Changes since 1.1140: +3 -3 lines
Diff to previous 1.1140 (colored)

Recalculate checksum of normalised packet

In 2011, henning@ removed fiddling with the ip checksum of normalised
packets in r1.131 of sys/net/pf_norm.c. Rationale was that the checksum
is always recalculated in all output paths anyway. In 2016, procter@
reintroduced checksum modification to preserve end-to-end checksums in
r1.189 of sys/net/pf_norm.c. Likely somewhere in that timeslot checksum
recalculation of normalised packets was broken.

With input from bluhm@.

OK sashan@, bluhm@

Revision 1.1140 / (download) - annotate - [select for diffs], Sat Sep 3 19:22:19 2022 UTC (21 months, 1 week ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE
Branch point for: OPENBSD_7_2
Changes since 1.1139: +2 -2 lines
Diff to previous 1.1139 (colored)

Use a mutex to update tcp_maxidle, tcp_iss, and tcp_now.  This
removes pressure from the exclusive netlock in tcp_slowtimo().
Reading is done atomically.  Ensure that the tcp_now value is read
only once per function to provide consistent time.
OK yasuoka@

Revision 1.1139 / (download) - annotate - [select for diffs], Sat Sep 3 14:57:54 2022 UTC (21 months, 1 week ago) by yasuoka
Branch: MAIN
Changes since 1.1138: +20 -2 lines
Diff to previous 1.1138 (colored)

When divert-reply is used, keep some pf states after pcb is dropped if
its local address is translated, to prevent its source port from being
reused.  regress test by bluhm.

ok bluhm

Revision 1.1138 / (download) - annotate - [select for diffs], Tue Aug 30 11:53:03 2022 UTC (21 months, 1 week ago) by bluhm
Branch: MAIN
Changes since 1.1137: +3 -3 lines
Diff to previous 1.1137 (colored)

Refactor internet PCB lookup function.  Rename in_pcbhashlookup()
so the public API is in_pcblookup() and in_pcblookup_listen().  For
internal use introduce in_pcbhash_insert() and in_pcbhash_lookup()
to avoid code duplication.  Routing domain is unsigned, change the
type to u_int.
OK mvs@

Revision 1.1137 / (download) - annotate - [select for diffs], Mon Aug 8 12:06:30 2022 UTC (22 months ago) by bluhm
Branch: MAIN
Changes since 1.1136: +3 -1 lines
Diff to previous 1.1136 (colored)

To make protocol input functions MP safe, internet PCBs need protection.
Use their reference counter in more places.
The in_pcb lookup functions hold the PCBs in hash tables protected
by table->inpt_mtx mutex.  Whenever a result is returned, increment
the ref count before releasing the mutex.  Then the inp can be used
as long as necessary.  Unref it at the end of all functions that
call in_pcb lookup.
As a shortcut, pf may also hold a reference to the PCB.  When
pf_inp_lookup() returns it, it also increments the ref count and the
caller can handle it like the inp from table lookup.
OK sashan@

Revision 1.1136 / (download) - annotate - [select for diffs], Wed Jul 20 09:33:11 2022 UTC (22 months, 3 weeks ago) by mbuhl
Branch: MAIN
Changes since 1.1135: +3 -2 lines
Diff to previous 1.1135 (colored)

Add a pool for the allocation of the pf_anchor struct.
It was possible to exhaust kernel memory by repeatedly calling
pfioctl DIOCXBEGIN with different anchor names.
OK bluhm@
Reported-by: syzbot+9dd98cbce69e26f0fc11@syzkaller.appspotmail.com

Revision 1.1135 / (download) - annotate - [select for diffs], Tue Jun 28 13:48:06 2022 UTC (23 months, 2 weeks ago) by henning
Branch: MAIN
Changes since 1.1134: +28 -39 lines
Diff to previous 1.1134 (colored)

fix syncookies in conjunction with tcp fast port reuse.
This really pointed out that the place syncookies were hooked in was almost,
but not completely right. The way it was the special case for tcp fast port
reuse in pf_test_state wasn't hit, because the first packet
hitting that was the ACK from the peer finishing the 3WHS, and the
reconstructed SYN came after. We're now doing pf_find_state (and *only* that)
first, then syncookies, then going on so that the old state is thrown away
properly and we get a new one with the sequence number modulator set up
correctly
Bonus: -11 lines of code
tracked down (that took a while) + fixed under contract with Hush
Communications Canada; special thanks to Lyndon
ok sashan

Revision 1.1134 / (download) - annotate - [select for diffs], Sun Jun 26 11:37:08 2022 UTC (23 months, 2 weeks ago) by mbuhl
Branch: MAIN
Changes since 1.1133: +3 -3 lines
Diff to previous 1.1133 (colored)

Allow waiting during ktable allocation in pf_ioctl.

OK bluhm

Reported-by: syzbot+50ea4f33ed5dd9264918@syzkaller.appspotmail.com
Reported-by: syzbot+df65f8b7ee8c0089e885@syzkaller.appspotmail.com

Revision 1.1133 / (download) - annotate - [select for diffs], Mon Jun 13 12:48:00 2022 UTC (23 months, 4 weeks ago) by henning
Branch: MAIN
Changes since 1.1132: +4 -3 lines
Diff to previous 1.1132 (colored)

fix logic bug in pf_find_state()
a state in PFTM_PURGE could potentially hide another state on the same state
key that is active and we'd incorrectly block the packet
I believe that cannot happen as things are now.
ok sashan

Revision 1.1132 / (download) - annotate - [select for diffs], Mon May 23 11:17:35 2022 UTC (2 years ago) by bluhm
Branch: MAIN
Changes since 1.1131: +8 -1 lines
Diff to previous 1.1131 (colored)

In pf the kernel panicked if IP options in a packet within an ICMP payload
were truncated.  Drop such packets instead.
Reported-by: syzbot+91abd3aa2fdfe900f9ce@syzkaller.appspotmail.com
OK sashan@ claudio@

Revision 1.1131 / (download) - annotate - [select for diffs], Mon May 23 09:54:18 2022 UTC (2 years ago) by bluhm
Branch: MAIN
Changes since 1.1130: +8 -8 lines
Diff to previous 1.1130 (colored)

Fix white space.

Revision 1.1130 / (download) - annotate - [select for diffs], Wed May 18 06:02:33 2022 UTC (2 years ago) by miod
Branch: MAIN
Changes since 1.1129: +1 -6 lines
Diff to previous 1.1129 (colored)

Remove #ifdef DDB specific includes, added in 1.968 but related code bits
removed in 1.970.

ok bluhm@

Revision 1.1129 / (download) - annotate - [select for diffs], Thu May 5 16:44:22 2022 UTC (2 years, 1 month ago) by bluhm
Branch: MAIN
Changes since 1.1128: +5 -5 lines
Diff to previous 1.1128 (colored)

Clean up divert_packet().  The function does not return an error, make it
void.  Introduce mutex and refcounting for inp like in the other
PCB functions.
OK sashan@

Revision 1.1128 / (download) - annotate - [select for diffs], Tue May 3 13:32:47 2022 UTC (2 years, 1 month ago) by sashan
Branch: MAIN
Changes since 1.1127: +22 -2 lines
Diff to previous 1.1127 (colored)

Make pf(4) more paranoid about IGMP/MLD messages. MLD/IGMP messages
with ttl other than 1 will be discarded. Also MLD messages with
other than link-local source address will be discarded. IGMP
messages with destination address other than multicast class
will be discarded.

feedback and OK bluhm@, claudio@

Revision 1.1127 / (download) - annotate - [select for diffs], Fri Apr 29 08:58:49 2022 UTC (2 years, 1 month ago) by bluhm
Branch: MAIN
Changes since 1.1126: +115 -21 lines
Diff to previous 1.1126 (colored)

IGMP and ICMP6 MLD packets always have the router alert option set.
pf blocked IPv4 options and IPv6 option header by default.  This
forced users to set allow-opts in pf rules.
Better let multicast work by default.  Detect router alerts by
parsing IP options and hop by hop headers.  If the packet has only
this option and is a multicast control packet, do not block it due
to bad options.
tested by otto@; OK sashan@

Revision 1.1126 / (download) - annotate - [select for diffs], Thu Mar 17 18:27:55 2022 UTC (2 years, 2 months ago) by sthen
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE
Branch point for: OPENBSD_7_1
Changes since 1.1125: +2 -2 lines
Diff to previous 1.1125 (colored)

fix typos; Martin Vahlensieck

Revision 1.1125 / (download) - annotate - [select for diffs], Sat Mar 5 10:43:32 2022 UTC (2 years, 3 months ago) by jsg
Branch: MAIN
Changes since 1.1124: +2 -2 lines
Diff to previous 1.1124 (colored)

#if INET6 -> #ifdef INET6 to be consistent

Revision 1.1124 / (download) - annotate - [select for diffs], Tue Feb 8 18:08:33 2022 UTC (2 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.1123: +4 -3 lines
Diff to previous 1.1123 (colored)

Do not /0 if timeout[PFTM_INTERVAL] manages to become zero
crash noticed by gnezdo, a separate commit will fix the identified
cause, but being careful at this point is a good idea.
ok sashan

Revision 1.1123 / (download) - annotate - [select for diffs], Sun Jan 2 22:36:04 2022 UTC (2 years, 5 months ago) by jsg
Branch: MAIN
Changes since 1.1122: +2 -2 lines
Diff to previous 1.1122 (colored)

spelling
ok jmc@ reads ok tb@

Revision 1.1122 / (download) - annotate - [select for diffs], Wed Jul 7 18:38:25 2021 UTC (2 years, 11 months ago) by sashan
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0
Changes since 1.1121: +22 -8 lines
Diff to previous 1.1121 (colored)

pfsync_undefer() must be called outside of PF_LOCK

OK bluhm@

Revision 1.1121 / (download) - annotate - [select for diffs], Wed Jun 23 06:53:52 2021 UTC (2 years, 11 months ago) by dlg
Branch: MAIN
Changes since 1.1120: +96 -44 lines
Diff to previous 1.1120 (colored)

augment the global pf state list with its own locks.

before this, things that iterated over the global list of pf states
had to take the net, pf, or pf state locks. in particular, the
ioctls that dump the state table took the net and pf state locks
before iterating over the states and using copyout to export them
to userland. when we tried replacing the use of rwlocks with mutexes
under the pf locks, this blew up because you can't sleep when holding
a mutex and there's a sleeping lock used inside copyout.

this diff introduces two locks around the global state list: a mutex
that protects the head and tail of the list, and an rwlock that
protects the links between elements in the list. inserts on the
state list only occur during packet handling and can be done by
taking the mutex and putting the state on the tail before releasing
the mutex. iterating over states is only done from thread/process
contexts, so we can take a read lock, then the mutex to get a
snapshot of the head and tail pointers, and then keep the read lock
to iterate between the head and tail pointers. because it's a read
lock we can then take other sleeping locks (eg, the one inside
copyout) without (further) gymnastics. the pf state purge code takes
the rwlock exclusively and the mutex to remove elements from the
list.

this allows the ioctls and purge code to loop over the list
concurrently and largely without blocking the creation of states
when pf is processing packets.

pfsync also iterates over the state list when doing bulk sends,
which the state purge code needs to be careful around.

ok sashan@

Revision 1.1120 / (download) - annotate - [select for diffs], Wed Jun 23 05:51:27 2021 UTC (2 years, 11 months ago) by dlg
Branch: MAIN
Changes since 1.1119: +6 -2 lines
Diff to previous 1.1119 (colored)

pf_purge_expired_states can check the time once instead of for every state.

Revision 1.1119 / (download) - annotate - [select for diffs], Wed Jun 23 04:16:32 2021 UTC (2 years, 11 months ago) by dlg
Branch: MAIN
Changes since 1.1118: +29 -10 lines
Diff to previous 1.1118 (colored)

rework pf_state_expires to avoid confusion around state->timeout.

im going to make it so pf_purge_expired_states() can gather states
largely without sharing a lock with pfsync or actual packet processing
in pf. if pf or pfsync unlink a state while pf_purge_expired_states
is looking at it, we can race with some checks and fall over a
KASSERT.

i'm fixing this by having the caller of pf_state_expires read
state->timeout first, do its checks, and then pass the value as
an argument into pf_state_expires. this means there's a consistent
view of the state->timeout variable across all the checks that
pf_purge_expired_states in particular does. if pf/pfsync does change
the timeout while pf_purge_expired_states is looking at it, the
worst thing that happens is that it doesn't get picked as a candidate
for purging in this pass and will have to wait for the next sweep.

ok sashan@ as part of a bigger diff

Revision 1.1118 / (download) - annotate - [select for diffs], Tue Jun 1 09:57:11 2021 UTC (3 years ago) by dlg
Branch: MAIN
Changes since 1.1117: +3 -3 lines
Diff to previous 1.1117 (colored)

a couple of minor whitespace tweaks. no functional change.

am i a pf hacker now?

Revision 1.1117 / (download) - annotate - [select for diffs], Mon May 17 23:01:26 2021 UTC (3 years ago) by sashan
Branch: MAIN
Changes since 1.1116: +13 -6 lines
Diff to previous 1.1116 (colored)

fix state key reference underflow, when sk == skrev

the bug has been reported by Sebastien and Olivier Cherrier.
it has turned out that pf_state_key_link_reverse() does not
grab enough references when both state keys (sk and skrev)
are identical. This makes pf trip an assert later, when
references are being dropped:

panic(ffffffff81dfbc8e) at panic+0x11d
__assert(ffffffff81e64b54,ffffffff81e0a6ee,33a,ffffffff81e03b7f)
refcnt_rele(fffffd810bf02458) at refcnt_rele+0x6f
pf_state_key_unref(fffffd810bf023f0) at pf_state_key_unref+0x21
pf_remove_state(fffffd810c0c4578) at pf_remove_state+0x1fa
pf_purge_expired_states(2) at pf_purge_expired_states+0x232
pf_purge(ffffffff82236a30) at pf_purge+0x33
taskq_thread(ffff800000032080) at taskq_thread+0x81

fix tested by Olivier Cherrier and semarie@

OK semarie@

Revision 1.1116 / (download) - annotate - [select for diffs], Tue Apr 27 09:38:29 2021 UTC (3 years, 1 month ago) by sashan
Branch: MAIN
Changes since 1.1115: +14 -6 lines
Diff to previous 1.1115 (colored)

pf_state_key_link_reverse() is prone to race on parallel forwarding

we need to adjust assertions. at the time we call pf_state_key_link_reverse(),
state_key is either linked to the correct reverse peer or not linked at all.
The pf_state_key_link_reverse() is being called as a reader on state_lock.
There might be more packets, which try to update the state key.

OK bluhm@

Revision 1.1115 / (download) - annotate - [select for diffs], Fri Apr 23 03:29:24 2021 UTC (3 years, 1 month ago) by dlg
Branch: MAIN
Changes since 1.1114: +4 -2 lines
Diff to previous 1.1114 (colored)

only skip pf once for packets that are injected by a divert-packet socket.

when a divert socket gets a packet from userland to send back through
the kernel, it marks it as diverted so pf knows not to divert it
back to userland again. this marking stuck to the packet though,
so if it went through pf again (eg, on the way out of the network
stack) pf would skip it again. this is undesirable if you want pf
to do things to the packet on this outgoing hop, such as nat.

this has pf clear the mark once it's been used, which allows the
next run of a packet through pf to have stuff work on it.

found by some people at parta networks.
ok sashan@ lteo@ bluhm@
bluhm@ also suggested keeping my diff in the same style as the rest of pf.c

Revision 1.1114 / (download) - annotate - [select for diffs], Wed Mar 10 10:21:48 2021 UTC (3 years, 3 months ago) by jsg
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.1113: +2 -2 lines
Diff to previous 1.1113 (colored)

spelling

ok gnezdo@ semarie@ mpi@

Revision 1.1113 / (download) - annotate - [select for diffs], Mon Mar 1 11:05:42 2021 UTC (3 years, 3 months ago) by bluhm
Branch: MAIN
Changes since 1.1112: +13 -17 lines
Diff to previous 1.1112 (colored)

Refactor ip_fragment() and ip6_fragment().  Use a mbuf list to
simplify the handling of the fragment list.  Now the functions
ip_fragment() and ip6_fragment() always consume the mbuf.  They
free the mbuf and mbuf list in case of an error and take care about
the counter.  Adjust the code a bit to make v4 and v6 look similar.
Fixes a potential mbuf leak when pf_route6() called pf_refragment6()
and it failed.  Now the mbuf is always freed by ip6_fragment().
OK dlg@ mvs@

Revision 1.1112 / (download) - annotate - [select for diffs], Tue Feb 23 11:43:40 2021 UTC (3 years, 3 months ago) by mvs
Branch: MAIN
Changes since 1.1111: +2 -2 lines
Diff to previous 1.1111 (colored)

Use NULL instead of 0 in `m_nextpkt' assignment.

ok deraadt@ dlg@

Revision 1.1111 / (download) - annotate - [select for diffs], Tue Feb 16 03:12:32 2021 UTC (3 years, 3 months ago) by dlg
Branch: MAIN
Changes since 1.1110: +4 -3 lines
Diff to previous 1.1110 (colored)

use rtalloc_mpath in pf_route and pf_route6.

if you have multiple links to the same destination, this will let
you use them with route-to/reply-to/dup-to.

ok claudio@

Revision 1.1110 / (download) - annotate - [select for diffs], Fri Feb 12 16:16:10 2021 UTC (3 years, 3 months ago) by patrick
Branch: MAIN
Changes since 1.1109: +7 -1 lines
Diff to previous 1.1109 (colored)

pf_remove_divert_state() is an entry point into pf, modifying the pf state
table.  Hence we have to grab both the pf lock and the pf state lock.

Found by dlg@
ok bluhm@ sashan@

Revision 1.1109 / (download) - annotate - [select for diffs], Fri Feb 12 13:48:31 2021 UTC (3 years, 3 months ago) by bluhm
Branch: MAIN
Changes since 1.1108: +1 -3 lines
Diff to previous 1.1108 (colored)

Fix null pointer dereference in pf_route6().  Embedding scope into
addresses that come from pf cannot be right, so remove the code.
Coverity CID 1501718
OK dlg@ claudio@

Revision 1.1108 / (download) - annotate - [select for diffs], Thu Feb 4 00:55:41 2021 UTC (3 years, 4 months ago) by sashan
Branch: MAIN
Changes since 1.1107: +4 -4 lines
Diff to previous 1.1107 (colored)

make if_pfsync.c a better friend with PF_LOCK

The code delivered in this change is currently disabled. Brave souls
may enable the code by adding -DWITH_PF_LOCK when building customized
kernel. Big thanks goes to Hrvoje@ for providing test equipment and
testing.

As soon as we enter the next release cycle, the WITH_PF_LOCK will be
defined as default option for MP kernels.

OK dlg@

Revision 1.1107 / (download) - annotate - [select for diffs], Wed Feb 3 07:41:12 2021 UTC (3 years, 4 months ago) by dlg
Branch: MAIN
Changes since 1.1106: +3 -3 lines
Diff to previous 1.1106 (colored)

change pf_route so pf only runs when packets enter and leave the stack.

before this change pf_route operated on the semantic that pf runs
when packets go over an interface, so when pf_route changed which
interface the packet was on it would run pf_test again. this change
changes (restores) the semantic that pf is only supposed to run
when packets go in or out of the network stack, even if route-to
is responsible for short-circuiting past the network stack.

just to be clear, for normal packets (ie, those not touched by
route-to/reply-to/dup-to), there isn't a difference between running
pf when packets enter or leave the stack, or having pf run when a
packet goes over an interface.

the main reason for this change is that running the same packet
through pf multiple times creates confusion for the state table.
by default, pf states are floating, meaning that packets are matched
to states regardless of which interface they're going over. if a
packet leaving on em0 is rerouted out em1, both traversals will end
up using the same state, which at best will make the accounting
look weird, or at worst fail some checks in the state and get
dropped.

another reason for this commit is to make handling of the changes
that route-to makes consistent with other changes that are made to
the packet. eg, when nat is applied to a packet, we don't run pf_test
again with the new addresses.

the main caveat with this diff is you can't have one rule that
pushes a packet out a different interface, and then have a rule on
that second interface that NATs the packet. i'm not convinced this
ever worked reliably or was used much anyway, so we don't think
it's a big concern.

discussed with many, with special thanks to bluhm@, sashan@ and
sthen@ for weathering most of that pain.
ok claudio@ sashan@ jmatthew@

Revision 1.1106 / (download) - annotate - [select for diffs], Mon Feb 1 00:31:05 2021 UTC (3 years, 4 months ago) by dlg
Branch: MAIN
Changes since 1.1105: +72 -108 lines
Diff to previous 1.1105 (colored)

change route-to so it sends packets to IPs instead of interfaces.

this is a significant (and breaking) reworking of the policy based
routing that pf can do. the intention is to make it as easy as
nat/rdr to use, and more robust when it's operating.

the main reasons for this change are:

- route-to, reply-to, and dup-to do not work with pfsync

 this is because the information about where to route-to is stored in
 rules, and it is hard to have a ruleset synced between firewalls,
 and impossible to have them synced 100% of the time.

- i can make my boxes panic in certain situations using route-to

 yeah...

- the configuration and syntax for route-to rules are confusing.

 the argument to route-to and co is an interface name with an optional
 ip address. there are several problems with this. one is that people
 tend to think about routing as sending packets to peers by their
 address, not by the interface they're reachable on. another is that
 we currently have no way to synchronise interface topology information
 between firewalls, so using an interface to say where packets go
 means we can't do failover of these states with pfsync. another
 is that a change in routing topology means a host may become
 reachable over a different interface. tying routing policy to
 interfaces gets in the way of failover and load balancing.

this change does the following:

- stores the route info in the state instead of the pf rule

 this allows route-to to keep working when the ruleset changes, and
 allows route-to info to be sent over pfsync. there's enough spare bits
 in pfsync messages that the protocol doesn't break.

 the caveat is that route-to becomes tied to pass rules that create
 state, like rdr-to and nat-to.

- the argument to route-to etc is a destination ip address

 it's not limited to a next-hop address (though a next-hop can be a
 destination address). this allows for the failover and load balancing
 referred to above.

- deprecates the address@interface host syntax in pfctl

 because routing is done entirely by IPs, the interface is derived from
 the route lookup, not pf. any attempt to use the @interface syntax
 will fail now in all contexts.

there's enthusiasm from proctor@ jmatthew@ and others
ok sashan@ bluhm@

Revision 1.1105 / (download) - annotate - [select for diffs], Thu Jan 28 09:37:20 2021 UTC (3 years, 4 months ago) by dlg
Branch: MAIN
Changes since 1.1104: +15 -15 lines
Diff to previous 1.1104 (colored)

handle "once" rules before letting pfsync defer tx of a packet.

pfsync may want to defer the transmission of a packet. it does this so
it can try and get a state over to a peer firewall before a host may
send a reply to the peer, which would get dropped cos there's no
matching state.

i think the once rule processing should happen before that. the state
is created from the rule, whether the packet the state is for goes out
immediately or not shouldn't matter.

ok sashan@

Revision 1.1104 / (download) - annotate - [select for diffs], Wed Jan 27 23:53:35 2021 UTC (3 years, 4 months ago) by dlg
Branch: MAIN
Changes since 1.1103: +10 -1 lines
Diff to previous 1.1103 (colored)

if the route resolved in pf_route is invalid, generate an icmp error.

of course this is limited to the !dup-to case.

ok sashan@ bluhm@

Revision 1.1103 / (download) - annotate - [select for diffs], Wed Jan 27 04:46:21 2021 UTC (3 years, 4 months ago) by dlg
Branch: MAIN
Changes since 1.1102: +3 -5 lines
Diff to previous 1.1102 (colored)

have pf_route{,6} clear the pf_pdesc mbuf ref early for route-to/reply-to.

pf_route and pf_route6 are called to take over delivery of the
packet with route-to and reply-to instead of letting it get processed
normally. for the dup-to handling, it copies the mbuf but leaves
the original mbuf in place. pf_route takes over the packet by
clearing the mbuf pointer in the pf_pdesc struct. this diff moves
the clearing of that pointer to the start of the function, rather
than checking for dup-to again on the way out of the function.

i think this is better because it means that it's more robust in
the face of future code changes. even if that's not true, it's still
shorter code in a forwarding path.

ok sashan@ jmatthew@

Revision 1.1102 / (download) - annotate - [select for diffs], Wed Jan 27 03:02:06 2021 UTC (3 years, 4 months ago) by dlg
Branch: MAIN
Changes since 1.1101: +3 -3 lines
Diff to previous 1.1101 (colored)

don't run copies of packets made by dup-to through pf_test.

dup-to is kind of like what you do with a span port, but is a bit
more fine grained. it copies packets in a connection out an interface
so that connection can be monitored. it doesn't make sense for pf
to see the copied packets and try to match or create new states for
them either. at best it needs config to stop pf seeing the copies
(eg, set skip on $dup_to_tgt_if). at worst it breaks the connections
you're monitoring because the states in pf get confused.

found while discussing larger route-to changes on tech@.

ok bluhm@ sashan@

Revision 1.1101 / (download) - annotate - [select for diffs], Tue Jan 19 22:22:23 2021 UTC (3 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.1100: +3 -10 lines
Diff to previous 1.1100 (colored)

pflog(4) tried to log the translated packet with rdr-to, nat-to,
and af-to addresses and ports applied.  Therefore it created a mbuf
chain on the stack with a partial copy.  This is too complicated
for IP options, extension header, NAT46 af-to, and fragmented mbuf
chains.  It even caused a crash in syzkaller.  Usually the length
checks in pf_setup_pdesc() rejected the faked mbuf and the goto
copy logged the packet unmodified.  Remove the pflog_mtap() function
and call bpf_mtap_hdr() directly.  As the old buggy code was bypassed
in most cases, tcpdump(8) output of pflog does not change.
Unconditionally log the unmodified packet.
Reported-by: syzbot+947e89e06ac3fec187d0@syzkaller.appspotmail.com
OK sashan@

Revision 1.1100 / (download) - annotate - [select for diffs], Sat Jan 16 13:09:46 2021 UTC (3 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.1099: +19 -7 lines
Diff to previous 1.1099 (colored)

The sysctl variable net.inet.ip.forwarding is checked before
ip_input() passes the packet to ip_forward().  But with an af-to
rule, pf(4) calls ip_forward() directly.  Check the forwarding
sysctl also in pf to get consistent behavior.  This requires setting
both ip and ip6 forwarding to get packet flow in both directions
over af-to rules.
OK kn@

Revision 1.1099 / (download) - annotate - [select for diffs], Fri Jan 15 22:27:49 2021 UTC (3 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.1098: +1 -7 lines
Diff to previous 1.1098 (colored)

Remove a check that bypasses pf state tests.  It dates back to 2003
when NAT was implemented differently.  Now it does not seem to make
sense anymore.  sashan@ has identified cases where it does harm.
dlg@ wants to remove it to simplify route-to code.
from dlg@; OK sashan@

Revision 1.1098 / (download) - annotate - [select for diffs], Thu Jan 14 09:44:33 2021 UTC (3 years, 4 months ago) by tb
Branch: MAIN
Changes since 1.1097: +7 -2 lines
Diff to previous 1.1097 (colored)

Fix build without carp: ifp0 is only used within #if NCARP > 0.

ok kn mvs

Revision 1.1097 / (download) - annotate - [select for diffs], Mon Jan 4 12:48:27 2021 UTC (3 years, 5 months ago) by bluhm
Branch: MAIN
Changes since 1.1096: +4 -18 lines
Diff to previous 1.1096 (colored)

Minor refactoring in pf(4).  Note that struct pfsync_state is no
longer memcopied but assigned.  Alignment should not be an issue
as it is __packed.
Part of a larger diff from dlg@; OK dlg@ sashan@

Revision 1.1096 / (download) - annotate - [select for diffs], Thu Dec 10 06:40:22 2020 UTC (3 years, 6 months ago) by dlg
Branch: MAIN
Changes since 1.1095: +4 -2 lines
Diff to previous 1.1095 (colored)

when setting a flowid, set the M_FLOWID csum_flags bit too.

this "fixes" TCP going over an interface with fq codel enabled. the
way the codel code classifies a packet without a flowid set is to
randomly assign it to a bucket. this in turn means that packets
will get reordered, and tcp hates that.

sthen was able to find a test case and narrow down at which time
the problem appeared, helped greatly.

tested by sthen@ and millert@
ok sashan@ jmatthew@

Revision 1.1095 / (download) - annotate - [select for diffs], Mon Dec 7 08:29:41 2020 UTC (3 years, 6 months ago) by sashan
Branch: MAIN
Changes since 1.1094: +2 -2 lines
Diff to previous 1.1094 (colored)

synproxy should be processing incoming SYN packets only.
issue noticed by sthen@. fix discussed with bluhm@ and procter@

OK bluhm@, kn@, procter@

Revision 1.1094 / (download) - annotate - [select for diffs], Fri Jul 24 18:17:15 2020 UTC (3 years, 10 months ago) by mvs
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8
Changes since 1.1093: +15 -9 lines
Diff to previous 1.1093 (colored)

Use interface index instead of pointer to `ifnet' in carp(4).

ok sashan@

Revision 1.1093 / (download) - annotate - [select for diffs], Wed Jun 24 22:03:42 2020 UTC (3 years, 11 months ago) by cheloha
Branch: MAIN
Changes since 1.1092: +20 -20 lines
Diff to previous 1.1092 (colored)

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t.  However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel.  Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@

Revision 1.1092 / (download) - annotate - [select for diffs], Wed Jun 17 06:45:22 2020 UTC (3 years, 11 months ago) by dlg
Branch: MAIN
Changes since 1.1091: +3 -5 lines
Diff to previous 1.1091 (colored)

make ph_flowid in mbufs 16bits by storing whether it's set in csum_flags.

i've been wanting to do this for a while, and now that we've got
stoeplitz and it gives us 16 bits, it seems like the right time.

Revision 1.1091 / (download) - annotate - [select for diffs], Sun Nov 17 08:25:05 2019 UTC (4 years, 6 months ago) by otto
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.1090: +3 -3 lines
Diff to previous 1.1090 (colored)

"set delay" never worked as committed: the delay field was not copied
in and the pf_pktdelay struct was not declared and initialized properly.
ok rob@ kn@

Revision 1.1090 / (download) - annotate - [select for diffs], Thu Oct 17 11:23:49 2019 UTC (4 years, 7 months ago) by millert
Branch: MAIN
Changes since 1.1089: +7 -7 lines
Diff to previous 1.1089 (colored)

Use -1 to indicate an invalid uid/gid, not UID_MAX and GID_MAX.
This is clearer and more consistent with the rest of the kernel.
OK deraadt@ sashan@

Revision 1.1089 / (download) - annotate - [select for diffs], Thu Aug 29 06:13:46 2019 UTC (4 years, 9 months ago) by sashan
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.1088: +9 -2 lines
Diff to previous 1.1088 (colored)

pf_state_insert() must grab state lock exclusively

ok bluhm@

Revision 1.1088 / (download) - annotate - [select for diffs], Mon Aug 26 09:19:12 2019 UTC (4 years, 9 months ago) by sashan
Branch: MAIN
Changes since 1.1087: +5 -2 lines
Diff to previous 1.1087 (colored)

pf.conf "set timeout interval 1" causes kernel crash
(bug reported and fix tested by Kor)

ok kn@

Revision 1.1087 / (download) - annotate - [select for diffs], Thu Jul 18 20:45:10 2019 UTC (4 years, 10 months ago) by sashan
Branch: MAIN
Changes since 1.1086: +4 -3 lines
Diff to previous 1.1086 (colored)

follow up to 'once rule' expiration

ok lteo@

Revision 1.1086 / (download) - annotate - [select for diffs], Thu Jul 18 02:03:46 2019 UTC (4 years, 10 months ago) by lteo
Branch: MAIN
Changes since 1.1085: +20 -4 lines
Diff to previous 1.1085 (colored)

This commit fixes two bugs involving PF once rules:

1. If a packet happens to match an expired once rule before the rule is removed
   by the purge thread, the rule will be added to the pf_rule_gcl list again,
   eventually causing a kernel crash when the purge thread tries to remove the
   expired rule multiple times; and

2. A packet that matches an expired once rule will still cause a state to be
   created, so a once rule is not truly a one shot rule while it is in that
   expired-but-not-purged time window.

To fix both bugs, add a check in pf_test_rule() to prevent expired once rules
from being added to pf_rule_gcl.  The check is added "early" in pf_test_rule()
to prevent any new connections from creating state if they match the expired
once rule.

This commit also includes a tweak by sashan@ to ensure that only one PF task
will mark a once rule as expired.  Here is sashan@'s commentary:

"As soon as there will be more PF tasks running in parallel, we would be
able to hit similar crash you are fixing now. The rules are covered by
read lock, so with more PF tasks there might be two packets racing
to expire at once rule at the same time. Using atomic_cas() is sufficient
measure to serialize competing packets."

tested by abieber@ who reported the kernel crash on bugs@
ok sashan@
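
The serialization sashan@ describes, as an added example that is not the committed pf code: a once rule carries an atomic "expired" flag, the packet path claims it with a compare-and-swap, and only the winner pushes the rule onto the gc list, so a second packet that matches in the expired-but-not-purged window neither creates state nor queues the rule again. The struct layout, the names once_rule_consume/once_rule_purge and the sample rule are assumptions made for this illustration; the gc list push is shown without the lock the real code holds.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added example, not pf code: with several packet-processing tasks, two
 * packets can match the same once rule at the same time.  Whoever flips
 * the expired flag with a compare-and-swap owns the rule: only that caller
 * queues it for the purge task, and only that packet may create state.
 */
struct once_rule {
    atomic_int        expired;      /* 0 live, 1 expired and queued */
    struct once_rule *gc_next;
    const char       *label;
};

struct gc_list { struct once_rule *head; int queued; };

/* Packet path.  true: rule was live and is now consumed by this packet.
 * false: already expired, do not match and do not queue it again. */
bool once_rule_consume(struct once_rule *r, struct gc_list *gcl)
{
    int live = 0;

    if (!atomic_compare_exchange_strong(&r->expired, &live, 1))
        return false;
    /* In the real code the gc list push is under a lock; assumed here. */
    r->gc_next = gcl->head;
    gcl->head = r;
    gcl->queued++;
    return true;
}

/* Purge task: unlink each queued rule exactly once.  Returns the count. */
int once_rule_purge(struct gc_list *gcl)
{
    int n = 0;

    while (gcl->head != NULL) {
        struct once_rule *r = gcl->head;
        gcl->head = r->gc_next;
        r->gc_next = NULL;
        n++;
    }
    gcl->queued = 0;
    return n;
}

/* Three packets hit one once rule before the purge task runs. */
int demo_matches(void)
{
    struct once_rule rule = { 0, NULL, "constructed once rule" };
    struct gc_list gcl = { NULL, 0 };
    int i, matched = 0;

    for (i = 0; i < 3; i++)
        matched += once_rule_consume(&rule, &gcl) ? 1 : 0;
    return matched;                             /* 1: only the first packet matches */
}

int demo_purged(void)
{
    struct once_rule rule = { 0, NULL, "constructed once rule" };
    struct gc_list gcl = { NULL, 0 };
    int i;

    for (i = 0; i < 3; i++)
        once_rule_consume(&rule, &gcl);
    return once_rule_purge(&gcl);               /* 1: queued once, removed once */
}

int main(void)
{
    printf("matched %d, purged %d\n", demo_matches(), demo_purged());
    return 0;
}
```

Without the CAS, every packet that matched in the window would both create state and push the rule again, which is exactly the double-removal crash the commit fixes.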

Revision 1.1085 / (download) - annotate - [select for diffs], Thu Jul 11 09:39:52 2019 UTC (4 years, 11 months ago) by sashan
Branch: MAIN
Changes since 1.1084: +5 -3 lines
Diff to previous 1.1084 (colored)

fix NULL pointer dereference, reported and fix tested by sthen

ok yasuoka

Revision 1.1084 / (download) - annotate - [select for diffs], Tue Jul 9 11:30:19 2019 UTC (4 years, 11 months ago) by yasuoka
Branch: MAIN
Changes since 1.1083: +3 -1 lines
Diff to previous 1.1083 (colored)

Fix previous commit which made src-node have a reference for the kif.
Src-node should use the reference counter since it might live longer
than its table entry, rule or the associated states.

OK sashan

Revision 1.1083 / (download) - annotate - [select for diffs], Tue Jul 2 09:04:53 2019 UTC (4 years, 11 months ago) by yasuoka
Branch: MAIN
Changes since 1.1082: +4 -3 lines
Diff to previous 1.1082 (colored)

When source address tracking record is used for "route-to", the next
hop interface configured with "route-to" was not used.  Keep the
interface within the pf_src_node and use it when the record is used.

OK sashan

Revision 1.1082 / (download) - annotate - [select for diffs], Mon Jul 1 12:13:51 2019 UTC (4 years, 11 months ago) by yasuoka
Branch: MAIN
Changes since 1.1081: +9 -10 lines
Diff to previous 1.1081 (colored)

Link the state and the source track to keep the source track while
there are states which refer it.

OK sashan

Revision 1.1076.2.1 / (download) - annotate - [select for diffs], Thu Mar 21 13:33:07 2019 UTC (5 years, 2 months ago) by bluhm
Branch: OPENBSD_6_4
Changes since 1.1076: +24 -4 lines
Diff to previous 1.1076 (colored) next main 1.1077 (colored)

States in pf(4) let ICMP and ICMP6 packets pass if they have a
packet in their payload that matches an existing connection.  It was
not checked whether the outer ICMP packet has the same destination
IP as the source IP of the inner protocol packet.  Enforce that
these addresses match, to prevent ICMP packets that do not make
sense.
Issue found by Nicolas Collignon, Corentin Bayet, Eloi Vanderbeken,
Luca Moro at Synacktiv.com
OK sashan@

OpenBSD 6.4 errata 015

Revision 1.1063.2.1 / (download) - annotate - [select for diffs], Thu Mar 21 13:32:12 2019 UTC (5 years, 2 months ago) by bluhm
Branch: OPENBSD_6_3
Changes since 1.1063: +24 -4 lines
Diff to previous 1.1063 (colored) next main 1.1064 (colored)

States in pf(4) let ICMP and ICMP6 packets pass if they have a
packet in their payload that matches an existing connection.  It was
not checked whether the outer ICMP packet has the same destination
IP as the source IP of the inner protocol packet.  Enforce that
these addresses match, to prevent ICMP packets that do not make
sense.
Issue found by Nicolas Collignon, Corentin Bayet, Eloi Vanderbeken,
Luca Moro at Synacktiv.com
OK sashan@

OpenBSD 6.3 errata 031

Revision 1.1081 / (download) - annotate - [select for diffs], Wed Mar 20 20:07:28 2019 UTC (5 years, 2 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5
Changes since 1.1080: +24 -4 lines
Diff to previous 1.1080 (colored)

States in pf(4) let ICMP and ICMP6 packets pass if they have a
packet in their payload that matches an existing connection.  It was
not checked whether the outer ICMP packet has the same destination
IP as the source IP of the inner protocol packet.  Enforce that
these addresses match, to prevent ICMP packets that do not make
sense.
Issue found by Nicolas Collignon, Corentin Bayet, Eloi Vanderbeken,
Luca Moro at Synacktiv.com
OK sashan@
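
The address rule enforced by this commit (and its 6.3 and 6.4 errata copies above), written out as an added example on raw IPv4 bytes; this is not the pf code itself. The 56-byte packets, the addresses and the names icmp_error_addrs_consistent/build_icmp/demo are constructed for the illustration.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not OpenBSD's pf code.  An ICMP error (unreachable, time
 * exceeded, ...) quotes the IP header of the packet that triggered it.  That
 * quoted packet was sent by the host now receiving the error, so the outer
 * destination address must equal the inner source address; anything else is
 * an ICMP packet that does not make sense and must not be matched to a state.
 */
enum { ICMP_NOT_ERROR = 0, ICMP_ERROR_OK = 1, ICMP_ERROR_BAD = -1 };

static uint32_t get32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void     put32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Dotted quad to network byte order (helper for the constructed packets). */
static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return htonl((a << 24) | (b << 16) | (c << 8) | d);
}

/* ICMP types that carry a quoted inner packet (RFC 792). */
static int icmp_is_error(uint8_t type)
{
    return type == 3 || type == 4 || type == 5 || type == 11 || type == 12;
}

int icmp_error_addrs_consistent(const uint8_t *pkt, size_t len)
{
    size_t ihl, inner;

    if (len < 20 || (pkt[0] >> 4) != 4)
        return ICMP_ERROR_BAD;                  /* not a complete IPv4 header */
    ihl = (pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl + 8 > len)
        return ICMP_ERROR_BAD;
    if (pkt[9] != 1)                            /* protocol != ICMP */
        return ICMP_NOT_ERROR;
    if (!icmp_is_error(pkt[ihl]))
        return ICMP_NOT_ERROR;                  /* echo etc.: nothing to compare */

    inner = ihl + 8;                            /* quoted header follows the ICMP header */
    if (inner + 20 > len || (pkt[inner] >> 4) != 4)
        return ICMP_ERROR_BAD;                  /* truncated or bogus quote */
    /* outer dst at offset 16; inner src at offset 12 of the quoted header */
    if (get32(pkt + 16) != get32(pkt + inner + 12))
        return ICMP_ERROR_BAD;
    return ICMP_ERROR_OK;
}

/* Constructed packet: outer IPv4 + 8-byte ICMP + quoted IPv4 + 8 bytes of TCP. */
size_t build_icmp(uint8_t *buf, uint8_t type, uint32_t osrc, uint32_t odst,
                  uint32_t isrc, uint32_t idst)
{
    memset(buf, 0, 56);
    buf[0] = 0x45; buf[3] = 56; buf[8] = 64; buf[9] = 1;
    put32(buf + 12, osrc); put32(buf + 16, odst);
    buf[20] = type;                             /* code, checksum, unused: zero */
    buf[28] = 0x45; buf[31] = 40; buf[36] = 63; buf[37] = 6;
    put32(buf + 40, isrc); put32(buf + 44, idst);
    return 56;                                  /* 48..55: inner TCP ports/seq, zero */
}

/* A router reports "unreachable" for our TCP SYN; spoofed=1 quotes somebody else's source. */
int demo(int spoofed)
{
    uint8_t buf[56];
    uint32_t us = ip4(192, 0, 2, 10), srv = ip4(198, 51, 100, 5), rtr = ip4(203, 0, 113, 1);
    uint32_t isrc = spoofed ? ip4(192, 0, 2, 99) : us;
    return icmp_error_addrs_consistent(buf, build_icmp(buf, 3, rtr, us, isrc, srv));
}

/* An echo request carries no quoted packet, so the check does not apply. */
int demo_echo(void)
{
    uint8_t buf[56];
    return icmp_error_addrs_consistent(buf,
        build_icmp(buf, 8, ip4(198, 51, 100, 5), ip4(192, 0, 2, 10), 0, 0));
}

int main(void)
{
    printf("legitimate=%d spoofed=%d echo=%d\n", demo(0), demo(1), demo_echo());
    return 0;
}
```

The spoofed case is the one the reporters were after: an attacker who can guess or observe a 4-tuple can quote it in an ICMP error addressed to the firewall, and without the outer/inner comparison the state lookup on the quoted packet would accept it.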

Revision 1.1080 / (download) - annotate - [select for diffs], Mon Dec 17 09:11:10 2018 UTC (5 years, 5 months ago) by claudio
Branch: MAIN
Changes since 1.1079: +2 -2 lines
Diff to previous 1.1079 (colored)

Use timeout_add_sec() instead of timeout_add() with a multiplication with hz
OK kn@, florian@, visa@, cheloha@

Revision 1.1079 / (download) - annotate - [select for diffs], Mon Dec 10 16:48:15 2018 UTC (5 years, 6 months ago) by kn
Branch: MAIN
Changes since 1.1078: +34 -32 lines
Diff to previous 1.1078 (colored)

Remove useless macros

These are just unhelpful case conversion.

OK sashan henning

Revision 1.1078 / (download) - annotate - [select for diffs], Thu Nov 15 13:16:37 2018 UTC (5 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.1077: +3 -2 lines
Diff to previous 1.1077 (colored)

in the "pf: key search" debug message, add the direction. interface *and*
dir make debugging much easier than the if alone.

Revision 1.1077 / (download) - annotate - [select for diffs], Tue Oct 16 22:49:41 2018 UTC (5 years, 7 months ago) by sashan
Branch: MAIN
Changes since 1.1076: +5 -4 lines
Diff to previous 1.1076 (colored)

- pf: honor quick on anchor rules

  Regression has been introduced in version 1.1024 (a 6.2 time frame).
  It's been discovered and reported by Fabian Mueller-Knapp. Fair amount
  of credit goes to kn@, benno@ and henning@ for pointing me to relevant
  section of pf.conf(5). Fabian and kn@ also did test the patch.

OK kn@, henning@

Revision 1.1076 / (download) - annotate - [select for diffs], Thu Oct 4 20:25:59 2018 UTC (5 years, 8 months ago) by kn
Branch: MAIN
CVS Tags: OPENBSD_6_4_BASE
Branch point for: OPENBSD_6_4
Changes since 1.1075: +7 -1 lines
Diff to previous 1.1075 (colored)

Honor quick on anchor rules

When evaluating the anchor's ruleset, prevent clobbering its very own
`quick' test result by blindly setting it.

This makes the following pf.conf work as intended (packets would be blocked
since `quick' had no effect):

	anchor quick {
		pass
	}
	block

Broken since after 6.1 release as reported by Fabian Mueller-Knapp, thanks!

OK henning sashan

Revision 1.1075 / (download) - annotate - [select for diffs], Thu Sep 13 19:53:58 2018 UTC (5 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.1074: +27 -7 lines
Diff to previous 1.1074 (colored)

Add reference counting for inet pcb, this will be needed when we
start locking the socket.  An inp can be referenced by the PCB queue
and hashes, by a pf mbuf header, or by a pf state key.
OK visa@

Revision 1.1074 / (download) - annotate - [select for diffs], Tue Sep 11 07:53:38 2018 UTC (5 years, 9 months ago) by sashan
Branch: MAIN
Changes since 1.1073: +117 -33 lines
Diff to previous 1.1073 (colored)

- moving state look up outside of PF_LOCK()

this change adds a pf_state_lock rw-lock, which protects consistency
of state table in PF. The code delivered in this change is guarded
by 'WITH_PF_LOCK', which is still undefined. People, who are willing
to experiment and want to run it must do two things:

	- compile kernel with -DWITH_PF_LOCK
	- bump NET_TASKQ from 1 to ... sky is the limit,
	  (just select some sensible value for number of tasks your
	  system is able to handle)

OK bluhm@

Revision 1.1073 / (download) - annotate - [select for diffs], Sun Jul 22 09:09:18 2018 UTC (5 years, 10 months ago) by sf
Branch: MAIN
Changes since 1.1072: +2 -2 lines
Diff to previous 1.1072 (colored)

Fix arguments of pf_purge_expired_{src_nodes,rules}()

Due to the missing "void", this

   extern void pf_purge_expired_src_nodes();

is no prototype but a declaration. It is enough to suppress the
'implicit declaration' warning but it does not allow the compiler to
check the arguments passed to the calls of the function.

Fix the prototypes and don't pass the waslocked argument anymore. It has
been removed a year ago.

ok sashan henning

Revision 1.1072 / (download) - annotate - [select for diffs], Thu Jul 12 14:28:07 2018 UTC (5 years, 11 months ago) by sashan
Branch: MAIN
Changes since 1.1071: +5 -6 lines
Diff to previous 1.1071 (colored)

trade a few 'goto unlock' for 'break' in pf_test()

OK mpi@, OK henning@, OK jca@

Revision 1.1071 / (download) - annotate - [select for diffs], Wed Jul 11 11:39:31 2018 UTC (5 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.1070: +69 -56 lines
Diff to previous 1.1070 (colored)

the STATE_LOOKUP macro made sense ages ago. It stopped making sense
when we moved most of the functionality into a function. g/c the macro
and just call the function. ok mpi jca

Revision 1.1070 / (download) - annotate - [select for diffs], Tue Jul 10 13:01:38 2018 UTC (5 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.1069: +2 -2 lines
Diff to previous 1.1069 (colored)

in pf_set_protostate(), only decrement the half-open states counter when
the state was created on this host, i. e. not for those pfsync-imported.
whether pfsync-imported states should be accounted is a separate discussion,
but as things are, we only increment the counter in pf_create_state(), and
imported states don't exercise that path.
probably fixes the half-open states accounting underflow-wraparounds that
some people have been seeing.
ok sashan

Revision 1.1069 / (download) - annotate - [select for diffs], Tue Jul 10 09:28:27 2018 UTC (5 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.1068: +42 -2 lines
Diff to previous 1.1068 (colored)

provide a generic packet delay functionality. packets to be delayed are marked
by pf in the packet header. pf_delay_pkt reads the delay value from the packet
header, schedules a timeout and re-queues the packet when the timeout fires.
ok benno sashan

Revision 1.1068 / (download) - annotate - [select for diffs], Mon Jun 18 11:00:31 2018 UTC (5 years, 11 months ago) by procter
Branch: MAIN
Changes since 1.1067: +91 -106 lines
Diff to previous 1.1067 (colored)

Refactor the six ways to find TCP options into one new function. As a result:
  - MSS and WSCALE option candidates must now meet their min type length.
  - 'max-mss' is now more tolerant of malformed option lists.
These changes were immaterial to the live traffic I've examined.
OK sashan@ mpi@

Revision 1.1067 / (download) - annotate - [select for diffs], Mon Jun 4 12:22:45 2018 UTC (6 years ago) by bluhm
Branch: MAIN
Changes since 1.1066: +3 -2 lines
Diff to previous 1.1066 (colored)

The function pf_create_state() calls pf_set_protostate() before
pf_state_insert(), so the state key has not been set.  When inlining,
the compiler recognized the NULL pointer dereference in
s->key[PF_SK_STACK]->proto and optimized it away.  But if pf.c was
compiled with -fno-inline, the system crashed during boot.  Add a
NULL check in pf_set_protostate() to handle the situation when the
function is called.
OK sashan@ henning@

Revision 1.1066 / (download) - annotate - [select for diffs], Fri Jun 1 12:38:25 2018 UTC (6 years ago) by bluhm
Branch: MAIN
Changes since 1.1065: +2 -2 lines
Diff to previous 1.1065 (colored)

While sending the pf syncookie, we are holding the pf lock.  So
goto unlock when leaving this block.
OK sashan@ henning@

Revision 1.1065 / (download) - annotate - [select for diffs], Thu May 10 08:52:01 2018 UTC (6 years, 1 month ago) by bluhm
Branch: MAIN
Changes since 1.1064: +5 -3 lines
Diff to previous 1.1064 (colored)

pf route-to should not send packets from 127.0.0.1 or ::1 address
to the network.  This is necessary for locally generated icmp packets
that would be dropped otherwise.  Refine this check to modify only
the source address of packets that go to the external network.  This
allows route-to tricks on loopback interface.
OK sashan@

Revision 1.1064 / (download) - annotate - [select for diffs], Fri Apr 6 10:39:15 2018 UTC (6 years, 2 months ago) by bluhm
Branch: MAIN
Changes since 1.1063: +6 -6 lines
Diff to previous 1.1063 (colored)

All users of the PFLOG_PACKET() macro are inside "#if NPFLOG > 0".
So this macro does not make much sense, just call pflog_packet().
OK sashan@ henning@

Revision 1.1063 / (download) - annotate - [select for diffs], Tue Mar 6 17:35:53 2018 UTC (6 years, 3 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE
Branch point for: OPENBSD_6_3
Changes since 1.1062: +4 -5 lines
Diff to previous 1.1062 (colored)

If source and destination addresses are equal, the incoming and
outgoing state key is the same.  In this case the reverse link loops
to the same state key.  The assertion in pf_state_key_link_reverse()
did not expect this and the kernel crashed.
bug reported and fix tested by Johan Huldtgren;  OK sashan@ visa@

Revision 1.1062 / (download) - annotate - [select for diffs], Tue Feb 27 09:24:56 2018 UTC (6 years, 3 months ago) by benno
Branch: MAIN
Changes since 1.1061: +5 -1 lines
Diff to previous 1.1061 (colored)

make kernel compile again without INET6
ok mpi@

Revision 1.1061 / (download) - annotate - [select for diffs], Sun Feb 18 21:45:30 2018 UTC (6 years, 3 months ago) by sashan
Branch: MAIN
Changes since 1.1060: +16 -9 lines
Diff to previous 1.1060 (colored)

- regression in pflog output
  pf_match_rule() must remember the current anchor before descending
  towards the leaf. it must restore the anchor as it ascends towards the root.
  Bug pointed out and fix also tested by Matthias Pitzl from genua.

OK bluhm@

Revision 1.1060 / (download) - annotate - [select for diffs], Tue Feb 6 23:44:48 2018 UTC (6 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.1059: +51 -4 lines
Diff to previous 1.1059 (colored)

syncookies for pf.
when syncookies are on, pf will blindly answer each and every SYN with a
syncookie-SYNACK. Upon reception of the ACK completing the 3WHS, pf will
reconstruct the original SYN, shove it through pf_test, where state will
be created if the ruleset permits it. Then massage the freshly created state
(we won't see the SYNACK), set up the sequence number modulator, and call
into the existing synproxy code to start the 3WHS with the backend host.
Add an - somewhat basic for now - adaptive mode where syncookies get enabled
if a certain percentage of the state table is filled up with half-open tcp
connections. This makes pf firewalls resilient against large synflood
attacks.
syncookies are off by default until we gained more experience, considered
experimental for now.
see http://bulabula.org/papers/2017/bsdcan/ for more details.
joint work with sashan@, widely discussed and with lots of input by many
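
The cookie half of the mechanism described above, as an added example that is not pf's implementation: the SYNACK's initial sequence number packs a coarse time slot, an MSS hint and a keyed MAC over the 4-tuple, so the firewall can answer every SYN statelessly and, when the ACK comes back, verify ack-1 and recover the MSS needed to reconstruct the original SYN. The bit layout, the MSS table, the FNV-1a stand-in for a real keyed MAC, the 16-byte key and the 4-tuple are all assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not pf's implementation.  A SYN cookie lets the firewall
 * answer every SYN without keeping state: the SYNACK's initial sequence
 * number encodes a coarse timestamp, an MSS hint and a keyed MAC over the
 * connection 4-tuple.  When the client's ACK arrives, ack - 1 is the
 * cookie; if it verifies, the original SYN can be reconstructed.
 *
 * Layout assumed here: [31..27] time slot, [26..24] MSS index, [23..0] MAC.
 */
struct flow4 { uint32_t saddr, daddr; uint16_t sport, dport; };

/* Ascending; the 3-bit index selects the largest entry <= the client's MSS. */
static const uint16_t mss_table[8] = { 536, 1220, 1280, 1400, 1440, 1460, 4312, 8960 };

/* Stand-in for a keyed MAC (a real implementation would use SipHash or similar). */
static uint32_t keyed_mix(const uint8_t key[16], const struct flow4 *f,
                          uint32_t slot, uint32_t idx)
{
    uint8_t msg[36];
    uint64_t h = 1469598103934665603ULL;        /* FNV-1a: illustration only */
    size_t i;

    memcpy(msg, key, 16);
    memcpy(msg + 16, &f->saddr, 4);
    memcpy(msg + 20, &f->daddr, 4);
    memcpy(msg + 24, &f->sport, 2);
    memcpy(msg + 26, &f->dport, 2);
    memcpy(msg + 28, &slot, 4);
    memcpy(msg + 32, &idx, 4);
    for (i = 0; i < sizeof msg; i++) {
        h ^= msg[i];
        h *= 1099511628211ULL;
    }
    return (uint32_t)(h ^ (h >> 32));
}

/* ISN for the SYNACK.  slot is a coarse clock, e.g. uptime / 64 s. */
uint32_t syncookie_make(const uint8_t key[16], const struct flow4 *f,
                        uint16_t client_mss, uint32_t slot)
{
    uint32_t idx = 0, i;

    for (i = 1; i < 8; i++)
        if (mss_table[i] <= client_mss)
            idx = i;
    slot &= 0x1f;
    return (slot << 27) | (idx << 24) | (keyed_mix(key, f, slot, idx) & 0xffffff);
}

/*
 * On the ACK completing the handshake: cookie = ack_seq - 1.  Returns 1 and
 * the MSS for the reconstructed SYN, or 0 if the cookie is forged or stale.
 */
int syncookie_check(const uint8_t key[16], const struct flow4 *f,
                    uint32_t cookie, uint32_t slot, uint16_t *mss_out)
{
    uint32_t cslot = cookie >> 27, idx = (cookie >> 24) & 7;
    uint32_t age = (slot - cslot) & 0x1f;       /* 5-bit counter, wraps */

    if (age > 1)
        return 0;                               /* older than one slot boundary */
    if ((cookie & 0xffffff) != (keyed_mix(key, f, cslot, idx) & 0xffffff))
        return 0;                               /* wrong key, tuple, slot or MSS index */
    *mss_out = mss_table[idx];
    return 1;
}

/* Scenarios: 0 valid, 1 bit flipped, 2 three slots old, 3 other port, 4 one slot old.
 * Returns the negotiated MSS, or 0 if rejected. */
int demo(int scenario)
{
    static const uint8_t key[16] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
    struct flow4 f = { 0xc0000202u, 0xc6336405u, 40001, 443 };   /* constructed 4-tuple */
    uint32_t slot = 10, cookie = syncookie_make(key, &f, 1450, slot);
    uint16_t mss = 0;

    if (scenario == 1) cookie ^= 1;
    if (scenario == 2) slot = 13;
    if (scenario == 3) f.dport = 80;
    if (scenario == 4) slot = 11;
    return syncookie_check(key, &f, cookie, slot, &mss) ? mss : 0;
}

int main(void)
{
    int s;
    for (s = 0; s <= 4; s++)
        printf("scenario %d: mss %d\n", s, demo(s));
    return 0;
}
```

Two things carry over regardless of layout: the MAC must cover the slot and the MSS index as well as the 4-tuple, otherwise an attacker can replay a captured cookie with a fresher slot, and the verifier must be told which direction it is looking at, since the ACK's source is the SYN's source.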

Revision 1.1059 / (download) - annotate - [select for diffs], Tue Feb 6 09:16:11 2018 UTC (6 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.1058: +15 -15 lines
Diff to previous 1.1058 (colored)

some finger muscle workout:
bzero -> memset and (very few) bcopy -> memcpy/memmove

Revision 1.1058 / (download) - annotate - [select for diffs], Fri Jan 19 12:57:15 2018 UTC (6 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.1057: +6 -21 lines
Diff to previous 1.1057 (colored)

Use the pf state key linking functions in two more places instead
of doing it manually.
OK sashan@ visa@

Revision 1.1057 / (download) - annotate - [select for diffs], Tue Jan 16 14:48:38 2018 UTC (6 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.1056: +13 -6 lines
Diff to previous 1.1056 (colored)

If pf route-to is used for locally generated packets, they may have
an invalid source address.  As pf route-to happens after IP source
selection based on a different route, the address should be corrected
after pf has allocated the new route.  Especially loopback addresses
must not appear at outgoing packets.
OK sashan@ visa@

Revision 1.1056 / (download) - annotate - [select for diffs], Mon Jan 15 12:25:03 2018 UTC (6 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.1055: +23 -1 lines
Diff to previous 1.1055 (colored)

When pf(4) forwards incoming packets with route-to or reply-to,
decrement the time-to-live or hop-limit field to prevent routing
loops.  Sending an ICMP time exceeded error makes traceroute work.
For outgoing packets ip_forward() has already done this.
OK visa@ sashan@

Revision 1.1055 / (download) - annotate - [select for diffs], Wed Jan 10 13:57:17 2018 UTC (6 years, 5 months ago) by bluhm
Branch: MAIN
Changes since 1.1054: +17 -15 lines
Diff to previous 1.1054 (colored)

Use pf_send_icmp() consistently in pf_route().  It sets the routing
domain and other mbuf flags.  In pf_route6() the bad packet counter
and dup-to check were missing.
OK visa@

Revision 1.1054 / (download) - annotate - [select for diffs], Fri Dec 29 23:55:22 2017 UTC (6 years, 5 months ago) by bluhm
Branch: MAIN
Changes since 1.1053: +2 -1 lines
Diff to previous 1.1053 (colored)

Make sure that pf_mbuf_link_state_key() does not overwrite an
existing statekey in the mbuf header.  Reset the statekey in
m_dup_pkthdr().
suggested by and OK sahan@

Revision 1.1053 / (download) - annotate - [select for diffs], Fri Dec 29 17:05:25 2017 UTC (6 years, 5 months ago) by bluhm
Branch: MAIN
Changes since 1.1052: +59 -34 lines
Diff to previous 1.1052 (colored)

Make the functions which link the pf state keys to mbufs, inpcbs,
or other states more consistent.
OK visa@ sashan@ on a previous version

Revision 1.1052 / (download) - annotate - [select for diffs], Thu Dec 28 11:37:44 2017 UTC (6 years, 5 months ago) by bluhm
Branch: MAIN
Changes since 1.1051: +3 -1 lines
Diff to previous 1.1051 (colored)

pf drops IPv4 packets with any options by default.  For IPv6 the
same is already done for options header.  Add the routing extension
header to the list that need "allow-opts" to pass.
OK sashan@ visa@

Revision 1.1051 / (download) - annotate - [select for diffs], Sun Dec 24 14:18:19 2017 UTC (6 years, 5 months ago) by bluhm
Branch: MAIN
Changes since 1.1050: +15 -3 lines
Diff to previous 1.1050 (colored)

There was a corner case where linking the inp to the state key did
work in pf.  The function pf_inp_link() takes the state key from
the mbuf and not the one pf_find_state() has just found.  Introduce
a new function pf_state_key_link_inpcb() that links the given state
key and inpcb together with some sanity checks.
OK sashan@

Revision 1.1050 / (download) - annotate - [select for diffs], Mon Dec 4 15:13:12 2017 UTC (6 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.1049: +9 -1 lines
Diff to previous 1.1049 (colored)

RFC 4861 requires that all neighbor discovery packets have 255 in
their IPv6 header hop limit field.  Let pf drop neighbor solicitation,
neighbor advertisement, router solicitation, router advertisement,
and redirect ICMP6 packets that do not comply.  This enforces that
bogus packets cannot be routed when pf is enabled.
OK mpi@ sashan@ benno@
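
The hop-limit rule from this commit, as an added example on raw IPv6 bytes (not the pf code): any neighbor discovery message that has crossed a router shows up with a hop limit below 255 and is dropped. The 48-byte packets, the link-local and all-nodes addresses and the names nd_hoplimit_check/build_icmp6/demo are constructed for the illustration; extension headers are not walked here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not pf code: RFC 4861 requires a hop limit of 255 on
 * neighbor discovery messages.  A receiver can therefore tell whether the
 * message crossed a router (hop limit decremented) and drop it.
 */
enum { ND_NOT_ND = 0, ND_PASS = 1, ND_DROP = -1 };

#define IPV6_HDRLEN 40
#define IPPROTO_ICMPV6_NUM 58

/* RS 133, RA 134, NS 135, NA 136, redirect 137 */
static int icmp6_is_nd(uint8_t type) { return type >= 133 && type <= 137; }

int nd_hoplimit_check(const uint8_t *pkt, size_t len)
{
    if (len < IPV6_HDRLEN || (pkt[0] >> 4) != 6)
        return ND_DROP;                         /* not a complete IPv6 header */
    /* Simplification: only the case where ICMPv6 is the first next header
     * is handled; extension headers are not walked here (pf does that). */
    if (pkt[6] != IPPROTO_ICMPV6_NUM)
        return ND_NOT_ND;
    if (len < IPV6_HDRLEN + 4)
        return ND_DROP;                         /* no ICMPv6 type/code/checksum */
    if (!icmp6_is_nd(pkt[IPV6_HDRLEN]))
        return ND_NOT_ND;                       /* echo, errors, MLD: not ND */
    /* hop limit is byte 7; anything below 255 has been forwarded */
    return pkt[7] == 255 ? ND_PASS : ND_DROP;
}

/* Constructed packet: IPv6 header + 8-byte ICMPv6 header, fe80::1 -> ff02::1. */
size_t build_icmp6(uint8_t *buf, uint8_t type, uint8_t hlim)
{
    memset(buf, 0, 48);
    buf[0] = 0x60;
    buf[5] = 8;                                 /* payload length */
    buf[6] = IPPROTO_ICMPV6_NUM;
    buf[7] = hlim;
    buf[8] = 0xfe; buf[9] = 0x80; buf[23] = 1;  /* src fe80::1 */
    buf[24] = 0xff; buf[25] = 0x02; buf[39] = 1; /* dst ff02::1 */
    buf[40] = type;
    return 48;
}

int demo(uint8_t type, uint8_t hlim)
{
    uint8_t buf[48];
    return nd_hoplimit_check(buf, build_icmp6(buf, type, hlim));
}

int main(void)
{
    printf("RA hlim 255: %d, NS hlim 64: %d, echo hlim 64: %d\n",
           demo(134, 255), demo(135, 64), demo(128, 64));
    return 0;
}
```

A forged router advertisement from off-link is the usual target of this check: it arrives with the hop limit already decremented, so it can never pass a 255 test no matter what addresses it carries.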

Revision 1.1049 / (download) - annotate - [select for diffs], Fri Dec 1 10:33:33 2017 UTC (6 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.1048: +4 -4 lines
Diff to previous 1.1048 (colored)

Simplify the reverse PCB lookup logic.  The PF_TAG_TRANSLATE_LOCALHOST
security check prevents the user from accidentally configuring
redirect where a divert-to would be appropriate.  Instead of spreading
the logic into tcp and udp input, check the flag during PCB listen
lookup.  This also reduces parameters of in_pcblookup_listen().
OK visa@

Revision 1.1048 / (download) - annotate - [select for diffs], Tue Nov 28 16:05:46 2017 UTC (6 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.1047: +11 -8 lines
Diff to previous 1.1047 (colored)

The divert structure was using the port number to indicate that
divert-to or divert-reply was active.  If the address was also set,
it meant divert-to.  Divert packet used a separate structure.  This
is confusing and makes it hard to add new features.  It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@

Revision 1.1047 / (download) - annotate - [select for diffs], Wed Nov 22 12:28:49 2017 UTC (6 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.1046: +14 -2 lines
Diff to previous 1.1046 (colored)

It does not make sense to call pcb lookup from pf during packet
forwarding.  It should never match and would cause MP locking
problems.  While there remove a useless ifp parameter from
ip_output_ipsec_send().
from markus@; OK visa@ sashan@

Revision 1.1046 / (download) - annotate - [select for diffs], Mon Nov 20 10:35:24 2017 UTC (6 years, 6 months ago) by mpi
Branch: MAIN
Changes since 1.1045: +3 -1 lines
Diff to previous 1.1045 (colored)

Sprinkle some NET_ASSERT_LOCKED(), const and co to prepare running
pr_input handlers without KERNEL_LOCK().

ok visa@

Revision 1.1045 / (download) - annotate - [select for diffs], Mon Nov 13 11:30:11 2017 UTC (6 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.1044: +15 -3 lines
Diff to previous 1.1044 (colored)

add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb

Revision 1.1044 / (download) - annotate - [select for diffs], Mon Nov 13 01:24:09 2017 UTC (6 years, 6 months ago) by dlg
Branch: MAIN
Changes since 1.1043: +1 -5 lines
Diff to previous 1.1043 (colored)

remove the ability for pf_ouraddr to say that a packet is forwarded.

having pf_ouraddr say a packet is forwarded lets in_ouraddr avoid
doing a route lookup for the packet. however, because it is forwarded
we need to do a route lookup in ip_output anyway to know where it
goes.

in_ouraddr does a bunch of extra checks on the result of the route
lookup that ip_output does not do though, including special handling
of ip_directedbroadcast and M_BCAST. if you have directed broadcast
enabled and do not do these checks, the ethernet layer will loop a
copy of broadcast packets back into the stack recursively which
can blow the thread stack in the kernel.

discussed with jmatthew@, sashan@, and henning@
ok mpi@

diagnosing this led to the enabling of a guard page on amd64 kernel
stacks, which was necessary for correctly identifying this problem.

Revision 1.1043 / (download) - annotate - [select for diffs], Tue Oct 31 22:05:12 2017 UTC (6 years, 7 months ago) by sashan
Branch: MAIN
Changes since 1.1042: +2 -2 lines
Diff to previous 1.1042 (colored)

- add one more softnet taskq
  NOTE: code still runs with single softnet task.  change definition of
  SOFTNET_TASKS in net/if.c, if you want to have more than one softnet task

OK mpi@, OK phessler@

Revision 1.1042 / (download) - annotate - [select for diffs], Mon Aug 14 15:58:16 2017 UTC (6 years, 9 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.1041: +1 -3 lines
Diff to previous 1.1041 (colored)

move pf_get_wscale + pf_get_mss prototypes to pfvar.h (diff shrinkage)

Revision 1.1041 / (download) - annotate - [select for diffs], Mon Aug 14 15:48:29 2017 UTC (6 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.1040: +13 -3 lines
Diff to previous 1.1040 (colored)

add half-open tcp states accounting, road paved by sashan
increment in pf_create_state(), decrement in pf_set_protostate().
input & ok bluhm

Revision 1.1040 / (download) - annotate - [select for diffs], Sun Aug 13 16:57:20 2017 UTC (6 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.1039: +95 -57 lines
Diff to previous 1.1039 (colored)

to change a state's state (that term is overloaded in pf, protocol state
like ESTABLISHED for tcp here), don't do it directly, but go through a newly
introduced pf_set_protostate()
ok bluhm benno

Revision 1.1039 / (download) - annotate - [select for diffs], Fri Aug 11 21:24:19 2017 UTC (6 years, 10 months ago) by mpi
Branch: MAIN
Changes since 1.1038: +3 -4 lines
Diff to previous 1.1038 (colored)

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@

Revision 1.1038 / (download) - annotate - [select for diffs], Sun Aug 6 13:16:11 2017 UTC (6 years, 10 months ago) by mpi
Branch: MAIN
Changes since 1.1037: +35 -24 lines
Diff to previous 1.1037 (colored)

Reduce contention on the NET_LOCK() by moving the logic of the pfpurge
thread to a task running on the `softnettq`.

Tested and inputs from Hrvoje Popovski.

ok visa@, sashan@

Revision 1.1037 / (download) - annotate - [select for diffs], Tue Jul 4 14:10:15 2017 UTC (6 years, 11 months ago) by mpi
Branch: MAIN
Changes since 1.1036: +5 -6 lines
Diff to previous 1.1036 (colored)

Revert previous, it exposed two edge cases still requiring the
KERNEL_LOCK().

- radix_node_head are still allocated with malloc(9) and pf_table can
  free(9) some.

- pfsync(4) might send some traffic which can exercise IPsec code

Found by bluhm@ and Hrvoje Popovski

Revision 1.1036 / (download) - annotate - [select for diffs], Mon Jul 3 08:11:21 2017 UTC (6 years, 11 months ago) by mpi
Branch: MAIN
Changes since 1.1035: +6 -5 lines
Diff to previous 1.1035 (colored)

Drop the KERNEL_LOCK() in pf_purge_thread().

The NET_LOCK() is currently what guarantees that accesses to PF data
structures are serialized.

While here use rwsleep(9) instead of calling NET_LOCK()/NET_UNLOCK()
for every iteration.

Tested by Hrvoje Popovski, ok sashan@, visa@

Revision 1.1035 / (download) - annotate - [select for diffs], Wed Jun 21 15:29:23 2017 UTC (6 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.1034: +3 -3 lines
Diff to previous 1.1034 (colored)

Fix kernel diagnostic assertion "(sk->inp == NULL) || (sk->inp->inp_pf_sk
== NULL)".  The problem was that setting the inp pointer in the
statekey to NULL was delayed until the statekey refcounter reached
0.  So the inp could get linked to another statekey while an mbuf
in the socket buffer was keeping the refcounter at 1.  Set the
statekey inp pointer to NULL in pf_state_key_detach() immediately,
then the kassert can be even stricter.
OK sashan@

Revision 1.1034 / (download) - annotate - [select for diffs], Mon Jun 5 22:18:28 2017 UTC (7 years ago) by sashan
Branch: MAIN
Changes since 1.1033: +34 -13 lines
Diff to previous 1.1033 (colored)

- let's add PF_LOCK()
  to enable PF_LOCK(), you must add 'option WITH_PF_LOCK' to your kernel
  configuration. The code does not do much currently; it's just a very
  small step towards MP.

O.K. henning@, mikeb@, mpi@

Revision 1.1033 / (download) - annotate - [select for diffs], Wed May 31 09:19:10 2017 UTC (7 years ago) by bluhm
Branch: MAIN
Changes since 1.1032: +8 -3 lines
Diff to previous 1.1032 (colored)

Block IPv6 packets in pf(4) that have hop-by-hop options header or
destination options header.  Such packets can be passed by adding
"allow-opts" to the rule.  So IPv6 options are handled like their
counterpart in IPv4 now.
tested by benno@; OK henning@

Revision 1.1032 / (download) - annotate - [select for diffs], Tue May 30 08:10:01 2017 UTC (7 years ago) by henning
Branch: MAIN
Changes since 1.1031: +12 -4 lines
Diff to previous 1.1031 (colored)

teach pf_build_tcp() about SACK, ok & with sashan

Revision 1.1031 / (download) - annotate - [select for diffs], Mon May 29 14:18:32 2017 UTC (7 years ago) by mpi
Branch: MAIN
Changes since 1.1030: +2 -6 lines
Diff to previous 1.1030 (colored)

export_pflow() is no longer grabbing the NET_LOCK(), so no need to
release it beforehand.

ok henning@, benno@

Revision 1.1030 / (download) - annotate - [select for diffs], Sun May 28 16:55:54 2017 UTC (7 years ago) by bluhm
Branch: MAIN
Changes since 1.1029: +16 -6 lines
Diff to previous 1.1029 (colored)

Limit the nested header chain for IPv6 extensions headers and for
authentication headers in the IPv4 case.  This prevents spending
excessive cpu time on crafted packets.
OK henning@

Revision 1.1029 / (download) - annotate - [select for diffs], Sun May 28 16:43:45 2017 UTC (7 years ago) by bluhm
Branch: MAIN
Changes since 1.1028: +7 -5 lines
Diff to previous 1.1028 (colored)

Fix bad white spaces, wrap long lines, kill some empty lines.

Revision 1.1028 / (download) - annotate - [select for diffs], Sun May 28 14:54:00 2017 UTC (7 years ago) by bluhm
Branch: MAIN
Changes since 1.1027: +52 -18 lines
Diff to previous 1.1027 (colored)

Pf was handling IPv4 and IPv6 differently regarding AH extension
headers.  pf_walk_header6() steps over it and detects the real
protocol.  So implement a minimal header walking function
pf_walk_header() for IPv4.  It does the header checks and jumps
over AH.  Then pf does not understand AH as a protocol, it is just
an extension that authenticates the packet.  Move some header and
option checks to pf_walk_header() for consistency with IPv6.  This
also improves the header check for IPv4 packets in ICMP payload.
OK henning@

Revision 1.1027 / (download) - annotate - [select for diffs], Tue May 23 09:09:03 2017 UTC (7 years ago) by bluhm
Branch: MAIN
Changes since 1.1026: +10 -14 lines
Diff to previous 1.1026 (colored)

Move the common length check in pf_pull_hdr() after the address
family switch.  This makes the specific calculation more obvious.
OK claudio@

Revision 1.1026 / (download) - annotate - [select for diffs], Sat May 20 22:56:43 2017 UTC (7 years ago) by sashan
Branch: MAIN
Changes since 1.1025: +2 -1 lines
Diff to previous 1.1025 (colored)

- fixes regression found by pf_forward test

O.K. bluhm@

Revision 1.1025 / (download) - annotate - [select for diffs], Fri May 19 10:43:05 2017 UTC (7 years ago) by rzalamena
Branch: MAIN
Changes since 1.1024: +9 -3 lines
Diff to previous 1.1024 (colored)

Change PF behavior to allow MLD Listener Report packets to be sent
without needing a previously created state by MLD Listener Query. It
wasn't working because: (1) you might not have a previous MLD Listener
Query and (2) the addresses of the Query and Report don't match.

ok mikeb@, sashan@

Revision 1.1024 / (download) - annotate - [select for diffs], Tue May 16 22:16:30 2017 UTC (7 years ago) by sashan
Branch: MAIN
Changes since 1.1023: +271 -251 lines
Diff to previous 1.1023 (colored)

- percpu anchor stacks
  we actually don't need to pre-allocate per_anchor_stack[], if we use
  a 'natural' recursion, when doing anchor tree traversal.

O.K. mikeb@, mpi@

Revision 1.1023 / (download) - annotate - [select for diffs], Tue May 16 12:24:01 2017 UTC (7 years ago) by mpi
Branch: MAIN
Changes since 1.1022: +3 -3 lines
Diff to previous 1.1022 (colored)

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@

Revision 1.1022 / (download) - annotate - [select for diffs], Mon May 15 12:26:00 2017 UTC (7 years ago) by mpi
Branch: MAIN
Changes since 1.1021: +15 -36 lines
Diff to previous 1.1021 (colored)

Enable the NET_LOCK(), take 3.

Recursions are still marked as XXXSMP.

ok deraadt@, bluhm@

Revision 1.1019.4.1 / (download) - annotate - [select for diffs], Sat May 6 22:46:19 2017 UTC (7 years, 1 month ago) by mikeb
Branch: OPENBSD_6_1
Changes since 1.1019: +2 -1 lines
Diff to previous 1.1019 (colored) next main 1.1020 (colored)

Put back the call to pf_remove_src_node lost in the netlock backout

Reported by Remi Barbier, thanks!  OK mpi@

Revision 1.1021 / (download) - annotate - [select for diffs], Fri May 5 16:30:39 2017 UTC (7 years, 1 month ago) by mikeb
Branch: MAIN
Changes since 1.1020: +2 -1 lines
Diff to previous 1.1020 (colored)

Put back the call to pf_remove_src_node lost in the netlock backout

Reported by Remi Barbier, thanks!  OK mpi@

Revision 1.1020 / (download) - annotate - [select for diffs], Thu May 4 15:00:24 2017 UTC (7 years, 1 month ago) by bluhm
Branch: MAIN
Changes since 1.1019: +3 -3 lines
Diff to previous 1.1019 (colored)

Introduce sstosa() for converting sockaddr_storage with a type safe
inline function instead of casting it to sockaddr.  While there,
use inline instead of __inline for all these conversions.  Some
struct sockaddr casts can be avoided completely.
OK dhill@ mpi@

Revision 1.1019 / (download) - annotate - [select for diffs], Fri Mar 17 17:19:16 2017 UTC (7 years, 2 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE
Branch point for: OPENBSD_6_1
Changes since 1.1018: +36 -16 lines
Diff to previous 1.1018 (colored)

Revert the NET_LOCK() and bring back pf's contention lock for release.

For the moment the NET_LOCK() is always taken by threads running under
KERNEL_LOCK().  That means it doesn't buy us anything except a possible
deadlock that we did not spot.  So make sure this doesn't happen, we'll
have plenty of time in the next release cycle to stress test it.

ok visa@

Revision 1.965.2.1 / (download) - annotate - [select for diffs], Thu Mar 9 17:44:29 2017 UTC (7 years, 3 months ago) by benno
Branch: OPENBSD_5_9
Changes since 1.965: +3 -3 lines
Diff to previous 1.965 (colored) next main 1.966 (colored)

OpenBSD 5.9 errata 36
MFC sys/net/pf.c rev 1.1018 claudio
    Prevent integer overflow in PF when calculating the adaptive timeout.
    Mainly states of established TCP connections would be affected resulting
    in immediate state removal once the number of states is bigger than
    adaptive.start.  Disabling adaptive timeouts is a workaround to avoid this bug.
    Issue found and initial diff by Mathieu Blanc (mathieu.blanc at cea dot fr)
    OK mikeb@

Revision 1.979.4.1 / (download) - annotate - [select for diffs], Thu Mar 9 17:43:50 2017 UTC (7 years, 3 months ago) by benno
Branch: OPENBSD_6_0
Changes since 1.979: +3 -3 lines
Diff to previous 1.979 (colored) next main 1.980 (colored)

OpenBSD 6.0 errata 19
MFC sys/net/pf.c rev 1.1018 claudio
    Prevent integer overflow in PF when calculating the adaptive timeout.
    Mainly states of established TCP connections would be affected resulting
    in immediate state removal once the number of states is bigger than
    adaptive.start.  Disabling adaptive timeouts is a workaround to avoid this bug.
    Issue found and initial diff by Mathieu Blanc (mathieu.blanc at cea dot fr)
    OK mikeb@

Revision 1.1018 / (download) - annotate - [select for diffs], Thu Mar 9 05:47:28 2017 UTC (7 years, 3 months ago) by claudio
Branch: MAIN
Changes since 1.1017: +3 -3 lines
Diff to previous 1.1017 (colored)

Prevent integer overflow in PF when calculating the adaptive timeout.
Mainly states of established TCP connections would be affected resulting
in immediate state removal once the number of states is bigger than
adaptive.start.  Disabling adaptive timeouts is a workaround to avoid this bug.
Issue found and initial diff by Mathieu Blanc (mathieu.blanc at cea dot fr)
OK mikeb@

Revision 1.1017 / (download) - annotate - [select for diffs], Tue Mar 7 16:28:37 2017 UTC (7 years, 3 months ago) by mikeb
Branch: MAIN
Changes since 1.1016: +2 -2 lines
Diff to previous 1.1016 (colored)

Don't overwrite the flow ID once it's set

Output processing may split, encapsulate or obfuscate a single
stream which makes the changed flow ID less useful for purposes
of flow control, for instance fair sharing of bandwidth.

OK dlg

Revision 1.1016 / (download) - annotate - [select for diffs], Tue Mar 7 09:29:40 2017 UTC (7 years, 3 months ago) by mpi
Branch: MAIN
Changes since 1.1015: +3 -1 lines
Diff to previous 1.1015 (colored)

Enforce that tcbtable and udbtable must be accessed with the NET_LOCK().

Get rid of the old splnet()/splx() dances.  What's protecting them right
now is the KERNEL_LOCK().  But since pf(4) looks at these tables we want
to protect them in another way, hence the NET_LOCK(), at least as a hint.

ok bluhm@

Revision 1.1015 / (download) - annotate - [select for diffs], Thu Feb 9 15:19:32 2017 UTC (7 years, 4 months ago) by jca
Branch: MAIN
Changes since 1.1014: +3 -3 lines
Diff to previous 1.1014 (colored)

percpu counters for TCP stats

ok mpi@ bluhm@

Revision 1.1014 / (download) - annotate - [select for diffs], Sun Feb 5 16:04:14 2017 UTC (7 years, 4 months ago) by jca
Branch: MAIN
Changes since 1.1013: +2 -2 lines
Diff to previous 1.1013 (colored)

Use percpu counters for ip6stat

Try to follow the existing examples.  Some notes:
- don't implement counters_dec() yet, which could be used in two
  similar chunks of code.  Let's see if there are more users first.
- stop incrementing IPv6-specific mbuf stats, IPv4 has no equivalent.

Input from mpi@, ok bluhm@ mpi@

Revision 1.1013 / (download) - annotate - [select for diffs], Mon Jan 30 17:52:24 2017 UTC (7 years, 4 months ago) by benno
Branch: MAIN
Changes since 1.1012: +2 -3 lines
Diff to previous 1.1012 (colored)

whitespace, from bluhm@

Revision 1.1012 / (download) - annotate - [select for diffs], Mon Jan 30 17:41:33 2017 UTC (7 years, 4 months ago) by benno
Branch: MAIN
Changes since 1.1011: +13 -36 lines
Diff to previous 1.1011 (colored)

removes the pf_consistency_lock and protects the users with
NET_LOCK().  pfioctl() will need the NET_LOCK() anyway. So better keep
things simple until we're going to redesign PF for a MP world.
fixes the crash reported by Kaya Saman.
ok mpi@, bluhm@

Revision 1.1011 / (download) - annotate - [select for diffs], Wed Jan 25 06:15:50 2017 UTC (7 years, 4 months ago) by mpi
Branch: MAIN
Changes since 1.1010: +6 -2 lines
Diff to previous 1.1010 (colored)

Enable the NET_LOCK(), take 2.

Recursions are currently known and marked as XXXSMP.

Please report any assert to bugs@

Revision 1.1010 / (download) - annotate - [select for diffs], Mon Jan 9 14:47:13 2017 UTC (7 years, 5 months ago) by mpi
Branch: MAIN
Changes since 1.1009: +3 -3 lines
Diff to previous 1.1009 (colored)

pf_purge_thread() needs the NET_LOCK().

ok sashan@, visa@

Revision 1.1009 / (download) - annotate - [select for diffs], Thu Dec 29 13:01:48 2016 UTC (7 years, 5 months ago) by bluhm
Branch: MAIN
Changes since 1.1008: +3 -3 lines
Diff to previous 1.1008 (colored)

In pf_refragment6() use the valid route from pf_route6() instead
of calling rtalloc() again.
OK mpi@

Revision 1.1008 / (download) - annotate - [select for diffs], Wed Dec 28 15:36:15 2016 UTC (7 years, 5 months ago) by bluhm
Branch: MAIN
Changes since 1.1007: +6 -5 lines
Diff to previous 1.1007 (colored)

In pf_find_state() pkt_sk was set to NULL if pkt_sk->reverse was
not valid.  This did not work as the value of pkt_sk must be used
later to establish the link.  So discard the packet statekey only
if it is invalid itself and use it to establish the reverse link.
From Christiano Haesbaert; OK sashan@

Revision 1.1007 / (download) - annotate - [select for diffs], Wed Dec 28 15:19:02 2016 UTC (7 years, 5 months ago) by bluhm
Branch: MAIN
Changes since 1.1006: +14 -13 lines
Diff to previous 1.1006 (colored)

Better check for a valid route than for an existing route in pf
route-to by calling rtisvalid().  Make pf_route() and pf_route6()
similar and move the rtalloc() call to the same place.
OK mpi@

Revision 1.1006 / (download) - annotate - [select for diffs], Fri Dec 23 20:49:41 2016 UTC (7 years, 5 months ago) by bluhm
Branch: MAIN
Changes since 1.1005: +11 -11 lines
Diff to previous 1.1005 (colored)

Replace function names with __func__ in debug prints to make grep
happy.

Revision 1.1005 / (download) - annotate - [select for diffs], Fri Dec 23 19:46:13 2016 UTC (7 years, 5 months ago) by bluhm
Branch: MAIN
Changes since 1.1004: +15 -15 lines
Diff to previous 1.1004 (colored)

Fix white spaces.  No binary change.

Revision 1.1004 / (download) - annotate - [select for diffs], Tue Dec 6 00:01:55 2016 UTC (7 years, 6 months ago) by jsg
Branch: MAIN
Changes since 1.1003: +2 -2 lines
Diff to previous 1.1003 (colored)

Use the sizeof udphdr, not the sizeof a pointer to it, in the af-to
specific part of pf_test_state_icmp().  This worked by accident on LP64
archs as the struct is eight bytes long.

ok mikeb@ bluhm@ krw@ jca@

Revision 1.1003 / (download) - annotate - [select for diffs], Mon Nov 28 23:15:30 2016 UTC (7 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.1002: +9 -3 lines
Diff to previous 1.1002 (colored)

Path MTU discovery and traceroute did not always work with pf af-to.
If an incoming packet is directly put into the output path, sending
the icmp error packet is never done.  As this is basically forwarding,
calling ip_forward() for such packets does everything that is needed.
OK mikeb@

Revision 1.1002 / (download) - annotate - [select for diffs], Wed Nov 23 12:13:23 2016 UTC (7 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.1001: +10 -22 lines
Diff to previous 1.1001 (colored)

Explicitly forbid to combine af-to with route-to in pfctl.  The
parser cannot handle that correctly and it is unclear whether the
kernel code would work.  Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@

Revision 1.1001 / (download) - annotate - [select for diffs], Tue Nov 22 19:29:54 2016 UTC (7 years, 6 months ago) by procter
Branch: MAIN
Changes since 1.1000: +128 -142 lines
Diff to previous 1.1000 (colored)

Fold union pf_headers buffer into struct pf_pdesc (enabled by pfvar_priv.h).
Prevent pf_socket_lookup() reading uninitialised header buffers on fragments.
OK blum@ sashan@

Revision 1.1000 / (download) - annotate - [select for diffs], Mon Nov 21 15:23:18 2016 UTC (7 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.999: +43 -49 lines
Diff to previous 1.999 (colored)

In pf_route() and pf_route6() the !r->rt case was only used by
af-to.  pf_route6() called ip6_output() to do the work while
pf_route() had some custom implementation for that.  It is simpler
to call ip_output() or ip6_output() from pf_test() directly.
OK procter@ sashan@

Revision 1.999 / (download) - annotate - [select for diffs], Thu Nov 17 13:17:32 2016 UTC (7 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.998: +11 -3 lines
Diff to previous 1.998 (colored)

The pf fragment reassembly code accepted IPv6 hop-by-hop headers
after fragment headers.  Add an extra check that the hop-by-hop
header is always the first extension header after the IPv6 header.
Found by Antonios Atlasis; OK sthen@ mpi@

Revision 1.998 / (download) - annotate - [select for diffs], Mon Nov 14 13:25:00 2016 UTC (7 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.997: +37 -44 lines
Diff to previous 1.997 (colored)

Instead of passing an extra mbuf pointer to pf_route(), it should
just use pd->m.  Then pf_test() can also operate on pd.m and set
the *m0 value in the caller just before it returns.
OK sashan@

Revision 1.997 / (download) - annotate - [select for diffs], Mon Nov 14 03:51:53 2016 UTC (7 years, 6 months ago) by dlg
Branch: MAIN
Changes since 1.996: +6 -6 lines
Diff to previous 1.996 (colored)

turn ipstat into a set of percpu counters.

each counter is identified by an enum value which corresponds to the
original members of the ipstat struct.

ipstat_inc(ips_foo) replaces ipstat.ips_foo++ for the actual updates.
ipstat_inc is a thin wrapper around counters_inc.

counters are still returned to userland via the ipstat struct for now.

ok mpi@ mikeb@

Revision 1.996 / (download) - annotate - [select for diffs], Fri Oct 28 07:54:19 2016 UTC (7 years, 7 months ago) by sashan
Branch: MAIN
Changes since 1.995: +1 -7 lines
Diff to previous 1.995 (colored)

- once rule should not attempt to remove its parent rule.
  (problem pointed out by Petr, fix proposed by Dilli) _at_ oracle

Revision 1.995 / (download) - annotate - [select for diffs], Thu Oct 27 21:41:20 2016 UTC (7 years, 7 months ago) by bluhm
Branch: MAIN
Changes since 1.994: +13 -15 lines
Diff to previous 1.994 (colored)

Pass a struct pf_pdesc to pf_route() like it is done in the other
pf functions.  That means less parameters, more consistency and
later we can call functions that need a pd from pf_route().
OK sashan@

Revision 1.994 / (download) - annotate - [select for diffs], Wed Oct 26 21:07:22 2016 UTC (7 years, 7 months ago) by bluhm
Branch: MAIN
Changes since 1.993: +14 -30 lines
Diff to previous 1.993 (colored)

Put union pf_headers and struct pf_pdesc into separate header file
pfvar_priv.h.  The pf_headers had to be defined in multiple .c files
before.  In pfvar.h it would have unknown storage size, this file
is included in too many places.  The idea is to have a private pf
header that is only included in the pf part of the kernel.  For now
it contains pf_pdesc and pf_headers, it may be extended later.
discussion, input and OK henning@ procter@ sashan@

Revision 1.993 / (download) - annotate - [select for diffs], Thu Oct 20 23:18:43 2016 UTC (7 years, 7 months ago) by sashan
Branch: MAIN
Changes since 1.992: +49 -15 lines
Diff to previous 1.992 (colored)

- PF should send a challenge ACK as response to SYN, which matches existing
  state. Extra thanks goes to bluhm@ for careful testing and fixing patch I've
  sent to tech@

O.K. henning@ bluhm@

Revision 1.992 / (download) - annotate - [select for diffs], Tue Oct 18 13:28:01 2016 UTC (7 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.991: +20 -9 lines
Diff to previous 1.991 (colored)

split pf_send_tcp() into the part that builds the mbuf and the actual
sending, needed soon. ok sashan mikeb lteo

Revision 1.991 / (download) - annotate - [select for diffs], Tue Oct 18 11:29:27 2016 UTC (7 years, 7 months ago) by bluhm
Branch: MAIN
Changes since 1.990: +4 -3 lines
Diff to previous 1.990 (colored)

The variable dlen is always positive and d may be negative.  So
declare both with the correct sign in pf_change_icmp_af().
OK henning@

Revision 1.990 / (download) - annotate - [select for diffs], Tue Oct 18 11:20:42 2016 UTC (7 years, 7 months ago) by bluhm
Branch: MAIN
Changes since 1.989: +9 -11 lines
Diff to previous 1.989 (colored)

The checksum of a ICMP "need to frag" packet for TCP was wrong when
created from a ICMP6 "too big" packet.  The function pf_change_icmp_af()
has code to adjust the pseudo-header checksum in the ICMP6 case,
but pf_test_state_icmp() changed the proto before the case was
entered.
So call pf_change_icmp_af() before the pd->proto is converted in
the TCP and UDP payload case like it was already done for ICMP and
ICMP6 payload.
Found by sys/net/pf_forward regress test; OK henning@

Revision 1.989 / (download) - annotate - [select for diffs], Sun Oct 9 18:01:57 2016 UTC (7 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.988: +2 -2 lines
Diff to previous 1.988 (colored)

formatting nit (a tab got lost somewhen)

Revision 1.988 / (download) - annotate - [select for diffs], Thu Oct 6 19:09:08 2016 UTC (7 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.987: +2 -4 lines
Diff to previous 1.987 (colored)

Remove redundant comments that say a function must be called at
splsoftnet() if the function does a splsoftassert(IPL_SOFTNET)
anyway.

Revision 1.987 / (download) - annotate - [select for diffs], Tue Sep 27 04:57:17 2016 UTC (7 years, 8 months ago) by dlg
Branch: MAIN
Changes since 1.986: +30 -31 lines
Diff to previous 1.986 (colored)

roll back turning RB into RBT until i get better at this process.

Revision 1.986 / (download) - annotate - [select for diffs], Tue Sep 27 02:51:12 2016 UTC (7 years, 8 months ago) by dlg
Branch: MAIN
Changes since 1.985: +31 -30 lines
Diff to previous 1.985 (colored)

move pf from the RB macros to the RBT functions.

Revision 1.985 / (download) - annotate - [select for diffs], Thu Sep 22 10:50:19 2016 UTC (7 years, 8 months ago) by jsg
Branch: MAIN
Changes since 1.984: +2 -2 lines
Diff to previous 1.984 (colored)

Fix indentation.  No binary change.

Revision 1.984 / (download) - annotate - [select for diffs], Wed Sep 7 09:36:49 2016 UTC (7 years, 9 months ago) by mpi
Branch: MAIN
Changes since 1.983: +6 -11 lines
Diff to previous 1.983 (colored)

Rename rtable_mpath_next() into rtable_iterate() and make it do a proper
reference count.

rtable_iterate() frees the passed ``rt'' and returns the next one on the
multipath list or NULL if there's none.

ok dlg@

Revision 1.983 / (download) - annotate - [select for diffs], Sat Sep 3 17:11:40 2016 UTC (7 years, 9 months ago) by sashan
Branch: MAIN
Changes since 1.982: +43 -3 lines
Diff to previous 1.982 (colored)

Let the purge thread remove once rules, not packets.
Thanks mikeb@ for the idea to add an expire time.

OK mpi@, OK mikeb@

Revision 1.982 / (download) - annotate - [select for diffs], Sat Aug 20 08:34:30 2016 UTC (7 years, 9 months ago) by procter
Branch: MAIN
Changes since 1.981: +112 -186 lines
Diff to previous 1.981 (colored)

Push 'field changed' guards into 'change field' functions;
optimise pf_patch_32(); simplify pf_match_addr()
OK mikeb@

Revision 1.981 / (download) - annotate - [select for diffs], Sat Aug 20 08:31:36 2016 UTC (7 years, 9 months ago) by procter
Branch: MAIN
Changes since 1.980: +55 -54 lines
Diff to previous 1.980 (colored)

Retire pf_translate_ap()
OK mpi@ mikeb@

Revision 1.980 / (download) - annotate - [select for diffs], Wed Aug 17 03:24:11 2016 UTC (7 years, 9 months ago) by procter
Branch: MAIN
Changes since 1.979: +514 -293 lines
Diff to previous 1.979 (colored)

Reintroduce 5.3-style checksum modification to preserve end-to-end checksums
when fiddling with packets but without the mess that motivated Henning to
remove it. Affects only this one aspect of Henning's checksum work. Also tweak
the basic algorithm and supply a correctness argument.

OK dlg@ deraadt@ sthen@; no objection henning@

Revision 1.979 / (download) - annotate - [select for diffs], Mon Jul 18 13:17:44 2016 UTC (7 years, 10 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE
Branch point for: OPENBSD_6_0
Changes since 1.978: +22 -1 lines
Diff to previous 1.978 (colored)

Hide pf internals by moving code from in_ouraddr() to pf_ouraddr().
OK mpi@ sashan@

Revision 1.978 / (download) - annotate - [select for diffs], Tue Jun 21 16:45:37 2016 UTC (7 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.977: +22 -22 lines
Diff to previous 1.977 (colored)

To assist debugging TCP connection reuse with NAT, expand the
existing log in pf_state_key_attach() from the failed to the reuse
case.
OK mikeb@

Revision 1.977 / (download) - annotate - [select for diffs], Wed Jun 15 11:49:34 2016 UTC (7 years, 11 months ago) by mpi
Branch: MAIN
Changes since 1.976: +2 -2 lines
Diff to previous 1.976 (colored)

Kill nd6_output(), it doesn't do anything since the resolution logic
has been moved to nd6_resolve().

ok visa@, millert@, florian@, sthen@

Revision 1.976 / (download) - annotate - [select for diffs], Wed Jun 15 11:36:06 2016 UTC (7 years, 11 months ago) by mikeb
Branch: MAIN
Changes since 1.975: +3 -3 lines
Diff to previous 1.975 (colored)

There's no need to convert values returned by arc4random to the network
byte order.  Spotted by Gleb Smirnoff (glebius@FreeBSD.org), thanks!

ok tedu

Revision 1.975 / (download) - annotate - [select for diffs], Tue Jun 7 01:31:54 2016 UTC (8 years ago) by tedu
Branch: MAIN
Changes since 1.974: +2 -2 lines
Diff to previous 1.974 (colored)

per trending style, add continue to empty loops.
ok mglocker

Revision 1.974 / (download) - annotate - [select for diffs], Tue May 31 07:35:36 2016 UTC (8 years ago) by mpi
Branch: MAIN
Changes since 1.973: +11 -2 lines
Diff to previous 1.973 (colored)

Do not call nd6_output() without route entry argument.

ok sthen@, bluhm@

Revision 1.973 / (download) - annotate - [select for diffs], Sat May 28 12:04:33 2016 UTC (8 years ago) by sthen
Branch: MAIN
Changes since 1.972: +1 -10 lines
Diff to previous 1.972 (colored)

Backout pf.c r1.972, pf_norm.c r1.184, ok claudio

pf_test calls pf_refragment6 with dst=NULL, which is passed down to
rtable_match which attempts to dereference it.

Revision 1.972 / (download) - annotate - [select for diffs], Tue May 24 05:02:34 2016 UTC (8 years ago) by mpi
Branch: MAIN
Changes since 1.971: +11 -2 lines
Diff to previous 1.971 (colored)

Do not call nd6_output() without route entry argument.

ok bluhm@

Revision 1.971 / (download) - annotate - [select for diffs], Mon May 23 12:26:28 2016 UTC (8 years ago) by mpi
Branch: MAIN
Changes since 1.970: +9 -3 lines
Diff to previous 1.970 (colored)

Pass a route entry to if_output() instead of relying on arpresolve() magic.

This refactoring aims to reduce the number of places where a route entry is
inserted in the routing table.

ok bluhm@

Revision 1.970 / (download) - annotate - [select for diffs], Tue May 3 12:13:38 2016 UTC (8 years, 1 month ago) by mpi
Branch: MAIN
Changes since 1.969: +2 -5 lines
Diff to previous 1.969 (colored)

Put back a panic() if an incoming packet already has a statekey.

Apparently nobody can hit this condition anymore or people do not
report bugs if their kernel does not panic.

ok dlg@, sashan@

Revision 1.969 / (download) - annotate - [select for diffs], Fri Apr 15 02:54:17 2016 UTC (8 years, 1 month ago) by dlg
Branch: MAIN
Changes since 1.968: +3 -3 lines
Diff to previous 1.968 (colored)

replace m_copym2 with m_dup_pkt for the dup-to handling.

note that this uses max_linkhdr as the adjustment arg. this follows
what the ip stack does when generating packets as it provides space
for link headers (like ethernet headers) to be prepended on the new
packet.

ok henning@

Revision 1.968 / (download) - annotate - [select for diffs], Thu Apr 7 14:28:16 2016 UTC (8 years, 2 months ago) by mpi
Branch: MAIN
Changes since 1.967: +17 -5 lines
Diff to previous 1.967 (colored)

Instead of panicking if an mbuf(9) already has a statekey dump its
content and unlink the statekey.

This should allow us to find the remaining corner cases of packets
looped back in the stack.

ok dlg@

Revision 1.967 / (download) - annotate - [select for diffs], Tue Mar 29 10:34:42 2016 UTC (8 years, 2 months ago) by sashan
Branch: MAIN
Changes since 1.966: +160 -43 lines
Diff to previous 1.966 (colored)

- packet must keep reference to statekey
  this is the second attempt to get it in, the first
  attempt got backed out on Jan 31 2016

  the change also contains fixes contributed by Stefan Kempf
  in earlier iteration.

OK srhen@

Revision 1.966 / (download) - annotate - [select for diffs], Fri Mar 4 22:38:23 2016 UTC (8 years, 3 months ago) by sashan
Branch: MAIN
Changes since 1.965: +7 -1 lines
Diff to previous 1.965 (colored)

- putting back KASSERT(), which I've backed out on Jan 31
  We don't expect inbound packets to come to PF with statekey attached.

- I've also found missing call to pf_pkt_addr_changed() at various
  places, which needs to get fixed to prevent KASSERT() from firing.

OK mpi@, sthen@

Revision 1.965 / (download) - annotate - [select for diffs], Sun Jan 31 00:18:07 2016 UTC (8 years, 4 months ago) by sashan
Branch: MAIN
CVS Tags: OPENBSD_5_9_BASE
Branch point for: OPENBSD_5_9
Changes since 1.964: +44 -168 lines
Diff to previous 1.964 (colored)

- m_pkthdr.pf.statekey changes are not ready for 5.9, I must back them out

OK sthen@

Revision 1.964 / (download) - annotate - [select for diffs], Mon Jan 25 18:49:57 2016 UTC (8 years, 4 months ago) by sashan
Branch: MAIN
Changes since 1.963: +18 -10 lines
Diff to previous 1.963 (colored)

- plugging massive pf_state_key leak

OK mpi@ dlg@ sthen@

Revision 1.963 / (download) - annotate - [select for diffs], Thu Jan 7 22:23:13 2016 UTC (8 years, 5 months ago) by sashan
Branch: MAIN
Changes since 1.962: +164 -44 lines
Diff to previous 1.962 (colored)

- retrying to commit earlier change, which got backed out

    - yet another tiny step towards MP PF. This time we need to make sure
      statekey attached to packet stays around, while accepted packet is
      routed through IP stack.

  this time I'm also bringing fix contributed by Stefan Kempf. Stefan's fix
  makes sure we grab reference in m_dup_pkthdr()

OK bluhm@

Revision 1.962 / (download) - annotate - [select for diffs], Wed Dec 23 21:04:55 2015 UTC (8 years, 5 months ago) by jasper
Branch: MAIN
Changes since 1.961: +43 -152 lines
Diff to previous 1.961 (colored)

revert previous:
----------------------------------------------------------------------
revision 1.961
date: 2015/12/22 13:33:26;  author: sashan;  state: Exp;  lines: +153 -44;
commitid: oBRhtWcDV0ThviVT;
- yet another tiny step towards MP PF. This time we need to make sure
  statekey attached to packet stays around, while accepted packet is
  routed through IP stack.

OK mpi@, henning@
----------------------------------------------------------------------

there have been multiple reports of KASSERT(!pf_state_key_isvalid(sk)) being
triggered without much effort, so back this out for now.

Revision 1.961 / (download) - annotate - [select for diffs], Tue Dec 22 13:33:26 2015 UTC (8 years, 5 months ago) by sashan
Branch: MAIN
Changes since 1.960: +153 -44 lines
Diff to previous 1.960 (colored)

- yet another tiny step towards MP PF. This time we need to make sure
  statekey attached to packet stays around, while accepted packet is
  routed through IP stack.

OK mpi@, henning@

Revision 1.960 / (download) - annotate - [select for diffs], Sun Dec 6 10:03:23 2015 UTC (8 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.959: +9 -22 lines
Diff to previous 1.959 (colored)

g/c pf_change_a6(). it's exactly the same thing as pf_change_ap() with p =
NULL. inspired by Richard Procter <richard.n.procter@gmail.com>'s mail on
tech from Aug 17, but redone. ok sashan vgross

Revision 1.959 / (download) - annotate - [select for diffs], Sat Dec 5 21:23:51 2015 UTC (8 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.958: +60 -67 lines
Diff to previous 1.958 (colored)

g/c unneeded af (address family) params to pf_change_ap and _icmp
both af and naf (af-to case) are in the pf_pdesc
some code shuffling to actually set these before calling pf_change_ap/_icmp
inspired by Richard Procter <richard.n.procter@gmail.com>'s mail on tech
from Aug 17, but redone
ok bluhm vgross

Revision 1.958 / (download) - annotate - [select for diffs], Sat Dec 5 14:58:06 2015 UTC (8 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.957: +21 -19 lines
Diff to previous 1.957 (colored)

pass a pointer to pf_test()'s reason to pf_test_rule instead of using a
local one. While we always intended to keep the logging in pf_test_rule
and pf_test so separate that we don't end up with a wrong reason, this
is just too fragile and I can't even convince myself that it still is
right. pointed out by markus, ok bluhm benno

Revision 1.957 / (download) - annotate - [select for diffs], Thu Dec 3 21:11:53 2015 UTC (8 years, 6 months ago) by sashan
Branch: MAIN
Changes since 1.956: +3 -3 lines
Diff to previous 1.956 (colored)

ip_send()/ip6_send() allow PF to send response packet in ipsoftnet task.
this avoids current recursion to pf_test() function. the change also
switches icmp_error()/icmp6_error() to use ip_send()/ip6_send() so
they are safe for PF.

The idea comes from Markus Friedl. bluhm, mikeb and mpi helped me
a lot to get it into shape.

OK bluhm@, mpi@

Revision 1.956 / (download) - annotate - [select for diffs], Thu Dec 3 14:05:28 2015 UTC (8 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.955: +35 -1 lines
Diff to previous 1.955 (colored)

To avoid that the stack manipulates the pf statekeys directly, introduce
pf_inp_...() lookup, link and unlink functions as an interface.
Locking can be added to them later.  Remove the first linking at
the beginning of tcp_input() and udp_input() as it is not necessary.
It will be done later anyway.  That code was a relic, from the
time before I had added the second linking.
Input from mikeb@ and sashan@;  OK sashan@

Revision 1.955 / (download) - annotate - [select for diffs], Thu Dec 3 09:49:15 2015 UTC (8 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.954: +10 -10 lines
Diff to previous 1.954 (colored)

Rename pf_unlink_state() to pf_remove_state() so the name does not
collide with the statekey to inp unlinking.
OK sashan@ mpi@

Revision 1.954 / (download) - annotate - [select for diffs], Wed Dec 2 16:00:42 2015 UTC (8 years, 6 months ago) by sashan
Branch: MAIN
Changes since 1.953: +15 -1 lines
Diff to previous 1.953 (colored)

- hide PF internals to pf_unlink_divert_state() from in_pcb.c

OK mpi@, bluhm@

Revision 1.953 / (download) - annotate - [select for diffs], Wed Dec 2 13:29:25 2015 UTC (8 years, 6 months ago) by claudio
Branch: MAIN
Changes since 1.952: +6 -6 lines
Diff to previous 1.952 (colored)

Kill the RT_REPORT flag to rtalloc() and stop sending RTM_MISS messages
for failed route lookups. This is something that was maybe useful in the
90s but in these modern times it is just annoying and nothing expects it
anyway. OK mpi@, sthen@

Revision 1.952 / (download) - annotate - [select for diffs], Sat Nov 21 11:29:40 2015 UTC (8 years, 6 months ago) by mpi
Branch: MAIN
Changes since 1.951: +5 -5 lines
Diff to previous 1.951 (colored)

Add a comment after every #endif

requested by sashan@

Revision 1.951 / (download) - annotate - [select for diffs], Fri Nov 20 10:42:51 2015 UTC (8 years, 6 months ago) by mpi
Branch: MAIN
Changes since 1.950: +22 -9 lines
Diff to previous 1.950 (colored)

Make use of if_get() and get rid of rt_ifp.

While here keep carp(4) bits under NCARP.

Tested by and ok sthen@, ok visa@

Revision 1.950 / (download) - annotate - [select for diffs], Thu Nov 12 10:07:14 2015 UTC (8 years, 7 months ago) by mpi
Branch: MAIN
Changes since 1.949: +2 -2 lines
Diff to previous 1.949 (colored)

Prefix flowid with ph_ and print it in m_print().

ok dlg@

Revision 1.949 / (download) - annotate - [select for diffs], Fri Nov 6 17:55:55 2015 UTC (8 years, 7 months ago) by mpi
Branch: MAIN
Changes since 1.948: +2 -2 lines
Diff to previous 1.948 (colored)

Rename rt_mpath_next() into rtable_mpath_next() and provide an
implementation for ART based on the singly-linked list of route
entries.

Revision 1.948 / (download) - annotate - [select for diffs], Tue Oct 27 10:52:17 2015 UTC (8 years, 7 months ago) by mpi
Branch: MAIN
Changes since 1.947: +6 -4 lines
Diff to previous 1.947 (colored)

Use rt_ifidx rather than rt_ifp.

ok bluhm@

Revision 1.947 / (download) - annotate - [select for diffs], Tue Oct 13 19:32:31 2015 UTC (8 years, 8 months ago) by sashan
Branch: MAIN
Changes since 1.946: +14 -23 lines
Diff to previous 1.946 (colored)

- pf_insert_src_node(): global argument (arg6) is useless, function
  always gets pointer to rule.

- pf_remove_src_node(): function should always remove matching src node,
  regardless the sn->rule.ptr being NULL or valid rule

- sn->rule.ptr is never NULL, spotted by mpi and Richard Procter _von_ gmail.com

OK mpi@, OK mikeb@

Revision 1.946 / (download) - annotate - [select for diffs], Thu Oct 8 11:36:51 2015 UTC (8 years, 8 months ago) by dlg
Branch: MAIN
Changes since 1.945: +6 -1 lines
Diff to previous 1.945 (colored)

use the state id to set a flowid on an mbuf.

ok mpi@ mikeb@ sthen@

Revision 1.945 / (download) - annotate - [select for diffs], Wed Sep 23 08:49:46 2015 UTC (8 years, 8 months ago) by mpi
Branch: MAIN
Changes since 1.944: +1 -2 lines
Diff to previous 1.944 (colored)

Always increment rt_use inside rtalloc(9) instead of doing it in some
specific places.

ok claudio@, benno@

Revision 1.944 / (download) - annotate - [select for diffs], Sun Sep 13 17:53:44 2015 UTC (8 years, 8 months ago) by mpi
Branch: MAIN
Changes since 1.943: +3 -3 lines
Diff to previous 1.943 (colored)

There's no point in abstracting ifp->if_output() as long as pf_test()
needs to see lo0 in the output path.

ok claudio@

Revision 1.943 / (download) - annotate - [select for diffs], Sat Sep 12 20:26:06 2015 UTC (8 years, 9 months ago) by mpi
Branch: MAIN
Changes since 1.942: +3 -4 lines
Diff to previous 1.942 (colored)

Stop overwriting the rt_ifp pointer of RTF_LOCAL routes with lo0ifp.

Use instead the RTF_LOCAL flag to loop local traffic back to the
corresponding protocol queue.

With this change rt_ifp is now always the same as rt_ifa->ifa_ifp.

ok claudio@

Revision 1.942 / (download) - annotate - [select for diffs], Sat Sep 12 16:32:27 2015 UTC (8 years, 9 months ago) by bluhm
Branch: MAIN
Changes since 1.941: +4 -2 lines
Diff to previous 1.941 (colored)

If M_PREPEND() fails, it frees the mbuf.  In this case pf_translate_af()
must reset pd->m to avoid a use after free.
OK sashan@ mikeb@

Revision 1.941 / (download) - annotate - [select for diffs], Fri Sep 11 15:21:31 2015 UTC (8 years, 9 months ago) by mpi
Branch: MAIN
Changes since 1.940: +3 -5 lines
Diff to previous 1.940 (colored)

rtfree(9) accepts NULL now.

Revision 1.940 / (download) - annotate - [select for diffs], Fri Sep 11 08:17:06 2015 UTC (8 years, 9 months ago) by claudio
Branch: MAIN
Changes since 1.939: +3 -3 lines
Diff to previous 1.939 (colored)

Kill yet another argument to functions in IPv6. This time ip6_output's
ifpp - XXX: just for statistics
ifpp is always NULL in all callers so that statistic confirms ifpp is
dying
OK mpi@

Revision 1.939 / (download) - annotate - [select for diffs], Thu Sep 10 08:28:31 2015 UTC (8 years, 9 months ago) by mpi
Branch: MAIN
Changes since 1.938: +1 -2 lines
Diff to previous 1.938 (colored)

Kill two simple in6_ifstat_inc().

Revision 1.938 / (download) - annotate - [select for diffs], Wed Sep 9 20:03:56 2015 UTC (8 years, 9 months ago) by dlg
Branch: MAIN
Changes since 1.937: +3 -1 lines
Diff to previous 1.937 (colored)

add if_put after the if_get.

ok claudio@

Revision 1.937 / (download) - annotate - [select for diffs], Tue Sep 1 19:12:25 2015 UTC (8 years, 9 months ago) by sashan
Branch: MAIN
Changes since 1.936: +5 -1 lines
Diff to previous 1.936 (colored)

- route-to, dup-to, reply-to should not override the block action

  Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>

ok jung@, ok mikeb@

Revision 1.936 / (download) - annotate - [select for diffs], Wed Aug 19 21:22:41 2015 UTC (8 years, 9 months ago) by sashan
Branch: MAIN
Changes since 1.935: +12 -11 lines
Diff to previous 1.935 (colored)

PF must keep IPv6 fragment size as chosen by sender also for packets,
which are routed on behalf route-to action.

OK bluhm@

Revision 1.935 / (download) - annotate - [select for diffs], Tue Jul 21 02:32:04 2015 UTC (8 years, 10 months ago) by sashan
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8
Changes since 1.934: +14 -2 lines
Diff to previous 1.934 (colored)

- added /* FALLTHROUGH */ comments, typecasts (u_int32_t)-1, ...


ok mpi@

Revision 1.934 / (download) - annotate - [select for diffs], Mon Jul 20 18:42:08 2015 UTC (8 years, 10 months ago) by jsg
Branch: MAIN
Changes since 1.933: +3 -1 lines
Diff to previous 1.933 (colored)

Add some panics to default paths where code later assumes a non default
path was taken.  This both prevents warnings from clang and acts as a
sanity check.

ok mcbride@ henning@

Revision 1.933 / (download) - annotate - [select for diffs], Mon Jul 20 01:18:33 2015 UTC (8 years, 10 months ago) by mcbride
Branch: MAIN
Changes since 1.932: +13 -5 lines
Diff to previous 1.932 (colored)

INET6 is here to stay, so stop hauling around never-compiled code
to optimize for an INET-only kernel, as well as the fantasy unicorn
INET6-only kernel. (INET-only kernel still works)

prompted by deraadt
ok bluhm sashan

Revision 1.932 / (download) - annotate - [select for diffs], Sun Jul 19 23:13:58 2015 UTC (8 years, 10 months ago) by sashan
Branch: MAIN
Changes since 1.931: +9 -5 lines
Diff to previous 1.931 (colored)

rule_item might leak, when pf_create_state() fails

OK @mcbride

Revision 1.931 / (download) - annotate - [select for diffs], Sun Jul 19 05:48:11 2015 UTC (8 years, 10 months ago) by sashan
Branch: MAIN
Changes since 1.930: +3 -3 lines
Diff to previous 1.930 (colored)

unsigned variables should not be compared to be leq than 0 (unsigned a <= 0)

ok mcbride@

Revision 1.930 / (download) - annotate - [select for diffs], Sun Jul 19 01:58:19 2015 UTC (8 years, 10 months ago) by sashan
Branch: MAIN
Changes since 1.929: +4 -4 lines
Diff to previous 1.929 (colored)

unused arguments at pf_normalize_tcp_init() and pf_refragment6()

OK deraadt.

Revision 1.929 / (download) - annotate - [select for diffs], Sat Jul 18 23:11:35 2015 UTC (8 years, 10 months ago) by sashan
Branch: MAIN
Changes since 1.928: +3 -1 lines
Diff to previous 1.928 (colored)

pf_send_tcp() should also use unhandled_af()

ok jsg@, ok mpi@

Revision 1.928 / (download) - annotate - [select for diffs], Sat Jul 18 19:19:00 2015 UTC (8 years, 10 months ago) by sashan
Branch: MAIN
Changes since 1.927: +51 -11 lines
Diff to previous 1.927 (colored)

msg.mpi

Revision 1.927 / (download) - annotate - [select for diffs], Sat Jul 18 15:47:01 2015 UTC (8 years, 10 months ago) by mpi
Branch: MAIN
Changes since 1.926: +5 -2 lines
Diff to previous 1.926 (colored)

Even if pf(4) is not compiled with SMALL_KERNEL add a define around
rt_mpath_next() to document the difference in behavior between the
multipath and non-multipath routing code.

Note that the same pattern is present in if_group_egress_build().

ok claudio@

Revision 1.926 / (download) - annotate - [select for diffs], Sat Jul 18 15:19:44 2015 UTC (8 years, 10 months ago) by sashan
Branch: MAIN
Changes since 1.925: +19 -19 lines
Diff to previous 1.925 (colored)

INET/INET6 address family check should be unified in PF

it also adds af_unhandled(), where it is currently missing.

ok mcbride@

Revision 1.925 / (download) - annotate - [select for diffs], Fri Jul 17 22:52:29 2015 UTC (8 years, 10 months ago) by tedu
Branch: MAIN
Changes since 1.924: +3 -3 lines
Diff to previous 1.924 (colored)

remove obsolete INET kernel option

Revision 1.924 / (download) - annotate - [select for diffs], Thu Jul 16 21:14:21 2015 UTC (8 years, 10 months ago) by mpi
Branch: MAIN
Changes since 1.923: +16 -40 lines
Diff to previous 1.923 (colored)

Kill IP_ROUTETOETHER.

This pseudo-option is a hack to support return-rst on bridge(4).  It
passes Ethernet information via a "struct route" through ip_output().

"struct route" is slowly dying...

ok claudio@, benno@

Revision 1.923 / (download) - annotate - [select for diffs], Thu Jul 16 16:12:15 2015 UTC (8 years, 10 months ago) by mpi
Branch: MAIN
Changes since 1.922: +7 -12 lines
Diff to previous 1.922 (colored)

Expand ancient NTOHL/NTOHS/HTONS/HTONL macros.

ok guenther@, henning@

Revision 1.922 / (download) - annotate - [select for diffs], Wed Jul 8 13:03:26 2015 UTC (8 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.921: +2 -1 lines
Diff to previous 1.921 (colored)

Linking the local socket to pf states went wrong when IPsec was
involved.  For outgoing packets the IPsec layer did not clear the
sending socket from the mbuf when the address changed.  This resulted
in strange state match and create behavior in pf.  So clear the pf
statekey and inp in the packet header for both directions when the
address changes.
Mark Patruck reported the bug, identified my problematic commit and
tested the fix.
OK mikeb@

Revision 1.921 / (download) - annotate - [select for diffs], Tue Jun 30 15:30:17 2015 UTC (8 years, 11 months ago) by mpi
Branch: MAIN
Changes since 1.920: +2 -2 lines
Diff to previous 1.920 (colored)

Get rid of the undocumented & temporary* m_copy() macro added for
compatibility with 4.3BSD in September 1989.

*Pick your own definition for "temporary".

ok bluhm@, claudio@, dlg@

Revision 1.920 / (download) - annotate - [select for diffs], Mon Jun 22 15:58:23 2015 UTC (8 years, 11 months ago) by mikeb
Branch: MAIN
Changes since 1.919: +4 -17 lines
Diff to previous 1.919 (colored)

Increment rule counters only after successful state insertion

Do rule counter increments after state has been successfully
installed.  This has an additional benefit of making error
handling a bit simpler.

OK mpi, bluhm

Revision 1.919 / (download) - annotate - [select for diffs], Tue Jun 16 11:09:39 2015 UTC (8 years, 11 months ago) by mpi
Branch: MAIN
Changes since 1.918: +4 -3 lines
Diff to previous 1.918 (colored)

Store a unique ID, an interface index, rather than a pointer to the
receiving interface in the packet header of every mbuf.

The interface pointer should now be retrieved when necessary with
if_get().  If a NULL pointer is returned by if_get(), the interface
has probably been destroyed/removed and the mbuf should be freed.

Such mechanism will simplify garbage collection of mbufs and limit
problems with dangling ifp pointers.

Tested by jmatthew@ and krw@, discussed with many.

ok mikeb@, bluhm@, dlg@

Revision 1.918 / (download) - annotate - [select for diffs], Sun Jun 7 12:02:28 2015 UTC (9 years ago) by jsg
Branch: MAIN
Changes since 1.917: +9 -1 lines
Diff to previous 1.917 (colored)

Introduce unhandled_af() for cases where code conditionally does
something based on an address family and later assumes one of the paths
was taken.  This was initially just calls to panic until guenther
suggested a function to reduce the amount of strings needed.

This reduces the amount of noise with static analysers and acts
as a sanity check.

ok guenther@ bluhm@

Revision 1.917 / (download) - annotate - [select for diffs], Fri Jun 5 13:22:34 2015 UTC (9 years ago) by mikeb
Branch: MAIN
Changes since 1.916: +41 -31 lines
Diff to previous 1.916 (colored)

Improve error handling and recovery during state insertion

Reshuffle the code around a bit and greatly improve error handling
fixing a few bugs along the way.

Problem reported by and fix was written with Alexandr Nedvedicky.
OK henning

Revision 1.916 / (download) - annotate - [select for diffs], Tue May 26 16:17:51 2015 UTC (9 years ago) by mikeb
Branch: MAIN
Changes since 1.915: +7 -2 lines
Diff to previous 1.915 (colored)

Don't create ICMP states on reply packets unless tracking states sloppy

Since we've strengthened the ICMP state matching procedure during lookup
to only match packets against states set up in a particular direction, we
need to make sure we don't create states on packets that would otherwise
be flowing in the direction opposite to the direction of the state and
prevent further packets from matching the created state due to strict
rules imposed by the ICMP direction check.

Problem reported by Alexandr Nedvedicky, alexandr.nedvedicky-at-oracle.com.
Discussed with reyk@;  OK henning
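
Added illustration of the direction-aware ICMP state handling that revs 1.914 to 1.916 above describe. This is a Python model written for this log, not pf.c: the state-key layout, the `sloppy` flag on a state and the returned strings are this example's own, and ICMP error messages (which pf matches through the quoted inner packet) are deliberately left out.

```python
"""Added model of pf's direction-aware ICMP state handling (revs 1.914-1.916).
Not pf.c code: the state key layout and the return strings are this model's own."""

ICMP_ECHOREPLY, ICMP_UNREACH, ICMP_ECHO = 0, 3, 8
ICMP_TIMXCEED, ICMP_TSTAMP, ICMP_TSTAMPREPLY = 11, 13, 14
ICMP_IREQ, ICMP_IREQREPLY, ICMP_MASKREQ, ICMP_MASKREPLY = 15, 16, 17, 18

# Query types: request -> reply.  The request type is the "virtual type"
# shared by both halves of an exchange, so a reply can find the request's state.
_REQUEST_TO_REPLY = {
    ICMP_ECHO: ICMP_ECHOREPLY,
    ICMP_TSTAMP: ICMP_TSTAMPREPLY,
    ICMP_IREQ: ICMP_IREQREPLY,
    ICMP_MASKREQ: ICMP_MASKREPLY,
}
_REPLY_TO_REQUEST = {v: k for k, v in _REQUEST_TO_REPLY.items()}


def icmp_mapping(icmp_type):
    """(virtual_type, is_reply) for a query message, None for errors and others."""
    if icmp_type in _REQUEST_TO_REPLY:
        return icmp_type, False
    if icmp_type in _REPLY_TO_REQUEST:
        return _REPLY_TO_REQUEST[icmp_type], True
    return None


class IcmpStateTable:
    """States are keyed on (requester, responder, virtual type, id).  Lookup is
    direction-aware: a request matches the key as stored, a reply only the
    reversed key.  A sloppy state is matched in either orientation."""

    def __init__(self):
        self.states = {}

    def _find(self, src, dst, vtype, vid, is_reply):
        fwd = self.states.get((src, dst, vtype, vid))
        rev = self.states.get((dst, src, vtype, vid))
        if is_reply:
            if rev is not None:
                return rev
            return fwd if fwd is not None and fwd["sloppy"] else None
        if fwd is not None:
            return fwd
        return rev if rev is not None and rev["sloppy"] else None

    def process(self, src, dst, icmp_type, icmp_id, sloppy=False):
        """What the engine does with a query packet that a 'keep state' rule allows."""
        mapped = icmp_mapping(icmp_type)
        if mapped is None:
            # errors are matched via the quoted inner packet; not modelled here
            return "error-message"
        vtype, is_reply = mapped
        st = self._find(src, dst, vtype, icmp_id, is_reply)
        if st is not None:
            st["packets"] += 1
            return "match-reply" if is_reply else "match-request"
        if is_reply and not sloppy:
            # rev 1.916: a state created from a reply could never be matched by
            # the strict direction check, so do not create one
            return "no-state"
        self.states[(src, dst, vtype, icmp_id)] = {"sloppy": sloppy, "packets": 1}
        return "create-state"
```

A practical consequence visible in the model: an unsolicited echo reply arriving at a strict rule leaves no state behind, so it cannot shadow a later echo request with the same id from the other side.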

Revision 1.915 / (download) - annotate - [select for diffs], Fri May 22 14:18:55 2015 UTC (9 years ago) by mikeb
Branch: MAIN
Changes since 1.914: +15 -23 lines
Diff to previous 1.914 (colored)

Cut down on if statements around pf_icmp_state_lookup

Checked with blambert@, OK millert, henning

Revision 1.914 / (download) - annotate - [select for diffs], Fri May 22 14:16:09 2015 UTC (9 years ago) by mikeb
Branch: MAIN
Changes since 1.913: +17 -23 lines
Diff to previous 1.913 (colored)

Cleanup leftover PF_ICMP_MULTI_* code that is not needed anymore.

ok henning

Revision 1.913 / (download) - annotate - [select for diffs], Mon May 11 12:22:14 2015 UTC (9 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.912: +4 -2 lines
Diff to previous 1.912 (colored)

fix a potential use-after-free in pf_state_rm_src_node
found by jsg; ok jsg mikeb

Revision 1.912 / (download) - annotate - [select for diffs], Fri Apr 17 11:04:01 2015 UTC (9 years, 1 month ago) by mikeb
Branch: MAIN
Changes since 1.911: +1 -17 lines
Diff to previous 1.911 (colored)

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer

Revision 1.911 / (download) - annotate - [select for diffs], Sat Apr 11 13:00:12 2015 UTC (9 years, 2 months ago) by dlg
Branch: MAIN
Changes since 1.910: +1 -2 lines
Diff to previous 1.910 (colored)

the hfsc pools are only used in hfsc.c, so move the init of them
there instead of pf_ioctl.c.

ok henning@

Revision 1.910 / (download) - annotate - [select for diffs], Wed Apr 8 12:50:21 2015 UTC (9 years, 2 months ago) by mikeb
Branch: MAIN
Changes since 1.909: +2 -2 lines
Diff to previous 1.909 (colored)

Destination table needs its own negation flag passed to the pfr_update_stats.

Spotted by Alexandr Nedvedicky <alexandr ! nedvedicky at oracle ! com>,
thanks a lot!  Ok florian

Revision 1.909 / (download) - annotate - [select for diffs], Wed Mar 18 12:23:15 2015 UTC (9 years, 2 months ago) by dlg
Branch: MAIN
Changes since 1.908: +2 -18 lines
Diff to previous 1.908 (colored)

remove the congestion handling from struct ifqueue.

it's only used for the ip and ip6 network stack input queues, so it
seems unfair that every instance of ifqueue has to carry a pointer
around for this specific use case.

this moves the congestion marker to a kernel global. if we detect
that we're congested, we assume the whole system is busy and punish
all input queues.

marking a system as congested is done by setting the global to the
current value of ticks. as the system moves away from that value,
it moves away from being congested until the comparison fails.

written at s2k15
ok henning@ beck@ bluhm@ claudio@

Revision 1.908 / (download) - annotate - [select for diffs], Mon Mar 16 02:40:55 2015 UTC (9 years, 2 months ago) by yasuoka
Branch: MAIN
Changes since 1.907: +4 -1 lines
Diff to previous 1.907 (colored)

When state creations happen in short term by outgoing packets of one
SO_BINDANY socket, the new state didn't have a link of the socket's
pcb.  So the incoming packets allowed by the state were mistakenly
forwarded and the pcb could not get them.  Fix pf not to lose the link
of the pcb when the state is recreated.

ok bluhm mikeb

Revision 1.907 / (download) - annotate - [select for diffs], Sat Mar 14 03:38:51 2015 UTC (9 years, 3 months ago) by jsg
Branch: MAIN
Changes since 1.906: +1 -2 lines
Diff to previous 1.906 (colored)

Remove some includes include-what-you-use claims don't
have any direct symbols used.  Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@

Revision 1.906 / (download) - annotate - [select for diffs], Sat Feb 14 23:32:41 2015 UTC (9 years, 3 months ago) by sthen
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.905: +3 -3 lines
Diff to previous 1.905 (colored)

Rather than using 0xff as a placeholder for "don't check prio", use 0xff to
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.

Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesn't like it he can change it when he recovers from jet-lag"

Revision 1.905 / (download) - annotate - [select for diffs], Thu Feb 12 01:24:10 2015 UTC (9 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.904: +30 -10 lines
Diff to previous 1.904 (colored)

change log(matches) semantics slightly to make it more useful. since it
is a debug tool change of semantics not considered problematic.
up until now, log(matches) forced logging on subsequent matching rules,
the actual logging used the log settings from that matched rule.
now, log(matches) causes subsequent matches to be logged with the log settings
from the log(matches) rule. in particular (this was the driving point),
log(matches, to pflog23) allows you to have the trace log going to a separate
pflog interface, not clobbering your regular pflogs, actually not affecting
them at all.
long conversation with bluhm about it, which didn't lead to a single bit
changed in the diff but was very very helpful. ok bluhm as well.
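
Added model of the log(matches) semantics the rev 1.905 message above describes, contrasting the old behaviour (forced logging with each matched rule's own settings) with the new one (forced entries carry the log(matches) rule's settings). This is a small last-match evaluator written for this log, not pf's rule engine: the `Rule` fields, the `pred` callables and the (rule index, pflog interface) event tuples are this example's own, and the sample ruleset is constructed.

```python
"""Added model of the log(matches) semantics described in rev 1.905.  Not pf.c
code: Rule fields, predicates and the event tuples are this example's own."""
from dataclasses import dataclass
from typing import Callable


@dataclass
class Rule:
    action: str                       # "pass", "block" or "match"
    pred: Callable[[dict], bool]      # does this rule apply to the packet?
    log: bool = False
    log_matches: bool = False         # pfctl's log(matches) also sets log
    logif: str = "pflog0"
    quick: bool = False


def evaluate(rules, pkt, new_semantics=True):
    """Return (verdict, log events).  Old semantics: a log(matches) rule forces
    logging of every later matching rule, each with its own log settings.  New
    semantics (rev 1.905): the forced entries all use the log(matches) rule's
    settings, so a trace can go to its own pflog interface."""
    events = []
    trace_logif = None
    verdict = "pass"                  # pf's default when nothing matches
    for i, r in enumerate(rules):
        if not r.pred(pkt):
            continue
        if r.log_matches:
            trace_logif = r.logif
        if r.log:
            events.append((i, r.logif))
        elif trace_logif is not None:
            events.append((i, trace_logif if new_semantics else r.logif))
        if r.action != "match":       # match rules never decide the verdict
            verdict = r.action
            if r.quick:
                break
    return verdict, events


# Constructed sample ruleset: trace everything from 10/8 to pflog23,
# pass HTTPS, block and log telnet on the default pflog0.
RULES = [
    Rule("match", lambda p: p["src"].startswith("10."),
         log=True, log_matches=True, logif="pflog23"),
    Rule("pass", lambda p: p["dport"] == 443),
    Rule("block", lambda p: p["dport"] == 23, log=True),
]
```

With the new semantics the HTTPS packet from 10/8 produces two entries on pflog23 and none on pflog0, which is the "not clobbering your regular pflogs" property the message is after.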

Revision 1.904 / (download) - annotate - [select for diffs], Tue Feb 10 09:28:40 2015 UTC (9 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.903: +2 -0 lines
Diff to previous 1.903 (colored)

include the "set prio" values.
no real compat issue since we're using spare bytes.
old -> new ends up with set prio (0, 0) equivalent
new -> old is entirely harmless, old ignores the prios.
requested by Alexey Suslikov <alexey.suslikov at gmail>
ok phessler pelikan dlg

Revision 1.903 / (download) - annotate - [select for diffs], Tue Feb 10 06:45:55 2015 UTC (9 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.902: +4 -1 lines
Diff to previous 1.902 (colored)

since we inherit prio (as in, the queuing priority) from outside sources,
i. e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan

Revision 1.902 / (download) - annotate - [select for diffs], Mon Feb 9 19:14:48 2015 UTC (9 years, 4 months ago) by markus
Branch: MAIN
Changes since 1.901: +4 -3 lines
Diff to previous 1.901 (colored)

correctly reset max_win if the SYN-ACK lacks a wscale option. pf
was setting max_win to 0 and discarded retransmitted SYN-ACK segments
without wscale if the original SYN contained a wscale option.
with gerhard@, ok henning@

Revision 1.901 / (download) - annotate - [select for diffs], Sat Feb 7 09:15:25 2015 UTC (9 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.900: +1 -1 lines
Diff to previous 1.900 (colored)

pf synproxy will do the 3WHS on behalf of the target machine, and once
the 3WHS is completed, establish the backend connection. The trigger
for "3WHS completed" is the reception of the first ACK. However, we
should not proceed if that ACK also has RST or FIN set.
ACK+RST part pointed out by Kojedzinszky Richard <krichy at tvnetwork hu>
ok mikeb dlg phessler claudio
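
Added illustration of the two TCP-tracking rules in revs 1.902 and 1.901 above: window scaling only takes effect when both the SYN and the SYN-ACK carry the option (a SYN-ACK without wscale must leave max_win as the raw window, not zero), and synproxy treats only a pure ACK as completing the handshake. This is a Python model written for this log, not pf.c: keeping max_win in units of 1 << wscale follows pf's convention, but the round-up unscaling arithmetic, the max(win, 1) floor and the 14-bit shift cap are assumptions of this model, and the option parser is this example's own.

```python
"""Added illustration of pf's synproxy handshake check (rev 1.901) and window-scale
handling at SYN-ACK time (rev 1.902).  This is a model, not pf.c; the scaled-window
arithmetic below is an assumption of the model."""

TH_FIN, TH_SYN, TH_RST, TH_ACK = 0x01, 0x02, 0x04, 0x10
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_WINDOW = 0, 1, 3
TCP_MAX_WINSHIFT = 14          # RFC 7323: shifts above 14 are treated as 14


def tcp_wscale(opts: bytes):
    """Window-scale shift carried in a TCP options block, or None if absent.
    Raises ValueError on a truncated or oversize option, which a state engine
    must treat as an error rather than read past the header."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            return None
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length %d" % length)
        if kind == TCPOPT_WINDOW:
            if length != 3:
                raise ValueError("bad wscale option length")
            return min(opts[i + 2], TCP_MAX_WINSHIFT)
        i += length
    return None


class Peer:
    """Per-direction tracking state.  max_win is kept in units of 1 << wscale,
    so the byte window is max_win << wscale."""
    def __init__(self):
        self.max_win = 0
        self.wscale = 0
        self.offered_wscale = None   # shift offered in this peer's SYN or SYN-ACK


def _descale(win: int, shift: int) -> int:
    # remove the scale factor from an initial (unscaled) window, rounding up
    return (win + (1 << shift) - 1) >> shift


def on_syn(src: Peer, win: int, opts: bytes) -> None:
    """Initiator's SYN: remember the raw window and the offered shift."""
    src.max_win = max(win, 1)
    src.offered_wscale = tcp_wscale(opts)


def on_synack(src: Peer, dst: Peer, win: int, opts: bytes) -> None:
    """Responder's SYN-ACK.  Scaling is only in effect if both sides offered it;
    otherwise both windows stay raw.  Rev 1.902 fixed max_win collapsing to 0
    here, which made pf discard retransmitted SYN-ACKs lacking wscale."""
    dst.max_win = max(win, 1)
    dst.offered_wscale = tcp_wscale(opts)
    if src.offered_wscale is not None and dst.offered_wscale is not None:
        src.wscale, dst.wscale = src.offered_wscale, dst.offered_wscale
        src.max_win = _descale(src.max_win, src.wscale)
        dst.max_win = _descale(dst.max_win, dst.wscale)
    else:
        src.wscale = dst.wscale = 0


def window_bytes(p: Peer) -> int:
    return p.max_win << p.wscale


def synproxy_handshake_complete(th_flags: int) -> bool:
    """Rev 1.901: only a pure ACK (no SYN, RST or FIN) completes the proxied
    3WHS and triggers the backend connection."""
    return (th_flags & (TH_SYN | TH_ACK | TH_RST | TH_FIN)) == TH_ACK
```

The check in synproxy_handshake_complete() is a mask comparison rather than a test for TH_ACK alone so that ACK+RST and ACK+FIN, which the message calls out, fall through to the normal state machine instead of opening a backend connection.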

Revision 1.900 / (download) - annotate - [select for diffs], Thu Feb 5 01:10:57 2015 UTC (9 years, 4 months ago) by mpi
Branch: MAIN
Changes since 1.899: +1 -6 lines
Diff to previous 1.899 (colored)

Make sure pf(4) does not see embedded scopes.

Packets destined to link-local addresses are looped back with embedded
scopes because we cannot restore them using the receiving interface (lo0).
Embedded scopes are needed by the routing table to match RTF_LOCAL routes,
but pf(4) never saw them and existing rules are likely to break without
teaching the rule engine about them, found by dlg@ the hard way.

So save and restore embedded scopes around pf_test() for packets going
through loopback.

ok dlg@, mikeb@
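
Added illustration of the embedded-scope convention behind rev 1.900 (and the scoped addresses rev 1.896 mentions): inside the kernel a link-local address carries its zone (interface) index in the second 16-bit word, and pf_test() must not see it. This is a Python model written for this log, not pf.c or the kernel's in6_embedscope(); the dict packet representation, the wrapper name pf_test_unscoped() and the demo's interface index are this example's own.

```python
"""Added illustration of the KAME embedded-scope convention (revs 1.896, 1.900).
Model code, not pf.c; the packet dict and wrapper are this example's own."""
import ipaddress


def _is_scoped(a: bytes) -> bool:
    """Link-local unicast (fe80::/10) or interface-/link-local multicast."""
    if a[0] == 0xfe and (a[1] & 0xc0) == 0x80:
        return True
    return a[0] == 0xff and (a[1] & 0x0f) in (1, 2)


def in6_embedscope(a: bytes, ifidx: int) -> bytes:
    """Write the zone index into bytes 2-3 of a scoped address."""
    if not _is_scoped(a):
        return a
    if not 0 < ifidx < 0x10000:
        raise ValueError("bad interface index")
    return a[:2] + ifidx.to_bytes(2, "big") + a[4:]


def in6_clearscope(a: bytes) -> bytes:
    return a[:2] + b"\x00\x00" + a[4:] if _is_scoped(a) else a


def in6_getscope(a: bytes) -> int:
    return int.from_bytes(a[2:4], "big") if _is_scoped(a) else 0


def pf_test_unscoped(pkt: dict, pf_test):
    """Rev 1.900: loopback-delivered packets arrive with embedded scopes, which
    the routing table needs for its RTF_LOCAL lookup but which would break
    existing pf rules.  Save them, hand pf_test() unscoped addresses, and put
    the originals back whatever pf_test() returns."""
    saved_src, saved_dst = pkt["src"], pkt["dst"]
    pkt["src"], pkt["dst"] = in6_clearscope(saved_src), in6_clearscope(saved_dst)
    try:
        return pf_test(pkt)
    finally:
        pkt["src"], pkt["dst"] = saved_src, saved_dst


def demo():
    """Ping to fe80::1 looped back on lo0 while the address lives on interface 3
    (constructed scenario)."""
    ll = ipaddress.IPv6Address("fe80::1").packed
    pkt = {"src": in6_embedscope(ll, 3), "dst": in6_embedscope(ll, 3)}
    seen = {}

    def pf_test(p):
        # a rule like "pass in inet6 to fe80::1" only works on the unscoped form
        seen["dst"] = ipaddress.IPv6Address(p["dst"]).compressed
        return "pass"

    verdict = pf_test_unscoped(pkt, pf_test)
    return verdict, seen["dst"], in6_getscope(pkt["dst"])
```

The restore happens in a finally block so a drop verdict or an exception inside pf_test() still leaves the mbuf addresses exactly as the routing code expects them.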

Revision 1.899 / (download) - annotate - [select for diffs], Sat Jan 24 00:29:06 2015 UTC (9 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.898: +2 -1 lines
Diff to previous 1.898 (colored)

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>.  The kernel files can be
cleaned up next.  Some sockaddr_union steps make it into here as well.
ok naddy

Revision 1.868.4.2 / (download) - annotate - [select for diffs], Sat Jan 3 00:42:15 2015 UTC (9 years, 5 months ago) by brad
Branch: OPENBSD_5_5
Changes since 1.868.4.1: +4 -2 lines
Diff to previous 1.868.4.1 (colored) to branchpoint 1.868 (colored) next main 1.869 (colored)

Put back a m_copyback() that got lost in rev 1.837 of pf.c.  This
fixes the rewrite of an IPv6 header of an ICMP6 packet in the payload
of an ICMP6 error packet.  Path MTU discovery with ping6 over pf
nat or rdr works again.

Revision 1.868.4.1 / (download) - annotate - [select for diffs], Sat Jan 3 00:37:05 2015 UTC (9 years, 5 months ago) by brad
Branch: OPENBSD_5_5
Changes since 1.868: +3 -1 lines
Diff to previous 1.868 (colored)

Ask networking stack to recalculate the ICMPv6 checksum in pf_route6
since we might have tweaked the addresses.

Revision 1.883.4.1 / (download) - annotate - [select for diffs], Sat Jan 3 00:30:23 2015 UTC (9 years, 5 months ago) by brad
Branch: OPENBSD_5_6
Changes since 1.883: +3 -1 lines
Diff to previous 1.883 (colored) next main 1.884 (colored)

Ask networking stack to recalculate the ICMPv6 checksum in pf_route6
since we might have tweaked the addresses.

Revision 1.898 / (download) - annotate - [select for diffs], Fri Dec 19 17:14:40 2014 UTC (9 years, 5 months ago) by tedu
Branch: MAIN
Changes since 1.897: +1 -81 lines
Diff to previous 1.897 (colored)

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb

Revision 1.897 / (download) - annotate - [select for diffs], Thu Dec 11 08:45:44 2014 UTC (9 years, 6 months ago) by mpi
Branch: MAIN
Changes since 1.896: +44 -65 lines
Diff to previous 1.896 (colored)

Do not use "struct route" when it is not necessary.

This structure is now only used to pass a cached route entry to
ip{6,}_output() which will be converted shortly.

With inputs from millert@, ok bluhm@

Revision 1.896 / (download) - annotate - [select for diffs], Thu Nov 20 13:54:24 2014 UTC (9 years, 6 months ago) by mpi
Branch: MAIN
Changes since 1.895: +7 -2 lines
Diff to previous 1.895 (colored)

Rework the handling of interfaces and IPv6 addresses for local delivery.

- Unicast packets sent to any local address will have their interface
set to loopback.

- In order to differentiate traffic from interfaces having identical
link-local addresses, provide the scoped addresses to pf(4).

- Update the icmp6 state lookup logic to match scoped MLL addresses.

- Remove a shortcut in ip6_input() that bypasses pf and always look
for an RTF_LOCAL route.

Packets sent to multicast addresses still retain their original
interface due to the fact that local multicast packet delivery
does not use if_output.

This makes ping6 to link-local addresses work even with pf enabled
and "set skip" on loopbacks, reported by Pieter Verberne.

Debugged, analysed and tested with mikeb@.

ok mikeb@, henning@, sthen@

Revision 1.895 / (download) - annotate - [select for diffs], Tue Nov 18 02:37:31 2014 UTC (9 years, 6 months ago) by tedu
Branch: MAIN
Changes since 1.894: +1 -2 lines
Diff to previous 1.894 (colored)

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg

Revision 1.894 / (download) - annotate - [select for diffs], Sun Nov 16 17:40:17 2014 UTC (9 years, 6 months ago) by tedu
Branch: MAIN
Changes since 1.893: +8 -8 lines
Diff to previous 1.893 (colored)

remove now unnecessary casts from hash update calls.

Revision 1.893 / (download) - annotate - [select for diffs], Sun Nov 16 17:37:42 2014 UTC (9 years, 6 months ago) by tedu
Branch: MAIN
Changes since 1.892: +19 -16 lines
Diff to previous 1.892 (colored)

convert to use sha512 for pf iss. ok deraadt dlg

Revision 1.892 / (download) - annotate - [select for diffs], Sun Nov 16 11:58:14 2014 UTC (9 years, 6 months ago) by dlg
Branch: MAIN
Changes since 1.891: +2 -1 lines
Diff to previous 1.891 (colored)

mix the rdomain (rtable?) into the hash for tcp iss generation.

ok phessler@ tedu@
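
Added illustration of the keyed-hash TCP initial sequence number generation that revs 1.893 and 1.892 above describe: a boot-time secret and the connection tuple are hashed with SHA-512, the routing domain is mixed in so the same 4-tuple in two rdomains gets unrelated sequence numbers, and a monotonically increasing offset is added. This is a Python model written for this log, not pf.c: the secret length, the order of fields fed to the hash, the little-endian truncation to 32 bits, the 4096 offset step and the constructed addresses are assumptions of this example.

```python
"""Added illustration of keyed-hash TCP ISS generation (revs 1.892, 1.893).
Model code, not pf.c: secret length, field order, truncation and offset step
are assumptions of this example."""
import hashlib
import os
import struct


class IssGenerator:
    def __init__(self, secret=None):
        # pf keeps a random secret; an attacker who cannot learn it cannot
        # predict the ISS of a connection he did not observe
        self.secret = os.urandom(32) if secret is None else secret
        self.offset = 0      # keeps the ISS moving for a reused 4-tuple

    def tick(self, step: int = 4096) -> None:
        self.offset = (self.offset + step) & 0xffffffff

    def iss(self, src: bytes, dst: bytes, sport: int, dport: int, rdomain: int) -> int:
        h = hashlib.sha512()
        h.update(self.secret)
        h.update(struct.pack("!HH", sport, dport))
        h.update(src)
        h.update(dst)
        h.update(struct.pack("!H", rdomain))   # rev 1.892: rdomain is part of the key
        digest = struct.unpack("<I", h.digest()[:4])[0]
        return (digest + self.offset) & 0xffffffff


def demo():
    """Same 4-tuple in two routing domains, then the same connection after a tick.
    Uses a constructed, fixed secret so the demo is repeatable."""
    g = IssGenerator(secret=b"\x00" * 32)
    a, b = b"\x0a\x00\x00\x01", b"\xc0\x00\x02\x01"    # 10.0.0.1 -> 192.0.2.1
    rd0 = g.iss(a, b, 40000, 443, 0)
    rd1 = g.iss(a, b, 40000, 443, 1)
    g.tick()
    again = g.iss(a, b, 40000, 443, 0)
    return rd0, rd1, again
```

Without the rdomain in the hash, two hosts behind different routing domains that happen to share addresses and ports would be handed the same ISS, which is what rev 1.892 closes off.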

Revision 1.891 / (download) - annotate - [select for diffs], Tue Nov 11 11:37:05 2014 UTC (9 years, 7 months ago) by mikeb
Branch: MAIN
Changes since 1.890: +3 -1 lines
Diff to previous 1.890 (colored)

Ask networking stack to recalculate the ICMPv6 checksum in pf_route6
since we might have tweaked the addresses.

Problem reported and fix test by Bastien Durel <bastien at geekwu ! org>,
thanks!  OK henning

Revision 1.890 / (download) - annotate - [select for diffs], Sat Nov 1 21:40:38 2014 UTC (9 years, 7 months ago) by mpi
Branch: MAIN
Changes since 1.889: +10 -10 lines
Diff to previous 1.889 (colored)

Rename rtalloc1() into rtalloc(9) and convert its flags to only enable
functionality instead of a mix of enable/disable.

ok bluhm@, jca@

Revision 1.889 / (download) - annotate - [select for diffs], Tue Oct 14 09:52:25 2014 UTC (9 years, 7 months ago) by mpi
Branch: MAIN
Changes since 1.888: +5 -5 lines
Diff to previous 1.888 (colored)

Use rtfree() instead of RTFREE(), NULLify some free'd route pointers and
kill the macro.

ok mikeb@, henning@

Revision 1.888 / (download) - annotate - [select for diffs], Wed Oct 8 07:37:01 2014 UTC (9 years, 8 months ago) by mpi
Branch: MAIN
Changes since 1.887: +9 -5 lines
Diff to previous 1.887 (colored)

Use rtalloc1() instead of rtalloc_noclone().

ok henning@, phessler@

Revision 1.887 / (download) - annotate - [select for diffs], Sat Sep 27 12:26:16 2014 UTC (9 years, 8 months ago) by mpi
Branch: MAIN
Changes since 1.886: +2 -2 lines
Diff to previous 1.886 (colored)

Kill rtalloc() and update rtalloc1() and rtalloc_mpath() to no longer
rely on "struct route" that should die.

ok claudio@

Revision 1.886 / (download) - annotate - [select for diffs], Tue Aug 12 15:29:33 2014 UTC (9 years, 10 months ago) by mikeb
Branch: MAIN
Changes since 1.885: +12 -6 lines
Diff to previous 1.885 (colored)

Finally implement what's stated in the man page regarding parent
anchors for "once" rules: "In case this is the only rule in the
anchor, the anchor will be destroyed automatically after the rule
is matched."  Employ an additional pointer pair to keep track of
the parent ruleset containing the anchor that we want to remove.

OK henning

Revision 1.885 / (download) - annotate - [select for diffs], Tue Aug 12 14:42:06 2014 UTC (9 years, 10 months ago) by mikeb
Branch: MAIN
Changes since 1.884: +4 -2 lines
Diff to previous 1.884 (colored)

Make sure that pf_step_into_anchor always saves a pointer to the rule
that owns the anchor on the pf anchor stack.  There's no reason why we
should check for depth here.  As a side effect this makes sure that the
correct nested anchor gets its counter bumped instead of the top most.

For the save/restore symmetry pf_step_out_of_anchor is made to always
restore previous value of the anchor rule.  depth == 0 means that we are
at the top (main ruleset).

OK henning

Revision 1.884 / (download) - annotate - [select for diffs], Tue Aug 12 14:38:27 2014 UTC (9 years, 10 months ago) by mikeb
Branch: MAIN
Changes since 1.883: +2 -1 lines
Diff to previous 1.883 (colored)

Apart from some minor code reshuffling the big change is that we
start with a ruleset pointer assigned to pf_main_ruleset so that
pf_purge_rule doesn't get called with a NULL.

Prompted by the discussion with Alexandr Nedvedicky <alexandr !
nedvedicky at oracle ! com>.

OK henning

Revision 1.883 / (download) - annotate - [select for diffs], Tue Jul 22 11:06:09 2014 UTC (9 years, 10 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE
Branch point for: OPENBSD_5_6
Changes since 1.882: +1 -2 lines
Diff to previous 1.882 (colored)

Fewer <netinet/in_systm.h> !

Revision 1.882 / (download) - annotate - [select for diffs], Sun Jul 13 16:58:43 2014 UTC (9 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.881: +4 -2 lines
Diff to previous 1.881 (colored)

Put back a m_copyback() that got lost in rev 1.837 of pf.c.  This
fixes the rewrite of an IPv6 header of an ICMP6 packet in the payload
of an ICMP6 error packet.  Path MTU discovery with ping6 over pf
nat or rdr works again.
Found by src/regress/sys/net/pf_fragment make run-regress-fragping6
OK henning@

Revision 1.881 / (download) - annotate - [select for diffs], Thu Jul 10 03:17:59 2014 UTC (9 years, 11 months ago) by lteo
Branch: MAIN
Changes since 1.880: +5 -10 lines
Diff to previous 1.880 (colored)

Simplify the way divert(4) sends packets to userspace: Instead of
unnecessarily allocating an mbuf tag to store the divert port, just pass
the divert port directly to divert_packet() or divert6_packet() as an
argument.

includes a style fix pointed out by bluhm@
ok bluhm@ henning@ reyk@

Revision 1.880 / (download) - annotate - [select for diffs], Wed Jul 2 13:04:50 2014 UTC (9 years, 11 months ago) by mikeb
Branch: MAIN
Changes since 1.879: +8 -8 lines
Diff to previous 1.879 (colored)

u_int32_t's can't go negative

Revision 1.879 / (download) - annotate - [select for diffs], Wed Jun 25 16:21:20 2014 UTC (9 years, 11 months ago) by mikeb
Branch: MAIN
Changes since 1.878: +3 -3 lines
Diff to previous 1.878 (colored)

pf_translate doesn't use the mbuf argument anymore.

From Alexandr Nedvedicky <alexandr ! nedvedicky at oracle ! com>.  Thanks!

Revision 1.878 / (download) - annotate - [select for diffs], Tue May 20 11:03:13 2014 UTC (10 years ago) by mpi
Branch: MAIN
Changes since 1.877: +2 -2 lines
Diff to previous 1.877 (colored)

Assign the queue ID to the correct packet header when sending ICMP messages.

ok henning@

Revision 1.877 / (download) - annotate - [select for diffs], Thu Apr 24 11:55:12 2014 UTC (10 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.876: +6 -0 lines
Diff to previous 1.876 (colored)

ewps... repair qid assignment

Revision 1.876 / (download) - annotate - [select for diffs], Tue Apr 22 14:41:03 2014 UTC (10 years, 1 month ago) by mpi
Branch: MAIN
Changes since 1.875: +2 -9 lines
Diff to previous 1.875 (colored)

Remove some altq tentacles.

ok pelikan@, henning@

Revision 1.875 / (download) - annotate - [select for diffs], Mon Apr 21 12:22:25 2014 UTC (10 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.874: +3 -3 lines
Diff to previous 1.874 (colored)

ip_output() using varargs always struck me as bizarre, esp since it's only
ever used to pass on uint32 (for ipsec). stop that madness and just pass
the uint32, 0 in all cases but the two that pass the ipsec flowinfo.
ok deraadt reyk guenther

Revision 1.874 / (download) - annotate - [select for diffs], Mon Apr 21 11:10:54 2014 UTC (10 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.873: +3 -5 lines
Diff to previous 1.873 (colored)

we'll do fine without casting NULL to struct foo * / void *
ok gcc & md5 (alas, no binary change)

Revision 1.873 / (download) - annotate - [select for diffs], Sat Apr 19 12:59:53 2014 UTC (10 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.872: +0 -23 lines
Diff to previous 1.872 (colored)

shrink pf by 445 lines.
while there, get rid of the altq ioctls and associated now obsolete code

Revision 1.872 / (download) - annotate - [select for diffs], Fri Apr 18 15:13:01 2014 UTC (10 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.871: +10 -22 lines
Diff to previous 1.871 (colored)

pf_send_tcp: ask the stack to do the cksum instead of doing it manually
ok benno lteo naddy (back in january)

Revision 1.871 / (download) - annotate - [select for diffs], Mon Apr 14 09:06:42 2014 UTC (10 years, 2 months ago) by mpi
Branch: MAIN
Changes since 1.870: +22 -18 lines
Diff to previous 1.870 (colored)

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

	rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@

Revision 1.870 / (download) - annotate - [select for diffs], Mon Mar 10 17:27:06 2014 UTC (10 years, 3 months ago) by jca
Branch: MAIN
Changes since 1.869: +3 -1 lines
Diff to previous 1.869 (colored)

When translating packets from one address family to another, pass the
TOS/Traffic Class field of the original packet.  Discussed with mikeb@

Revision 1.869 / (download) - annotate - [select for diffs], Mon Mar 10 17:22:27 2014 UTC (10 years, 3 months ago) by jca
Branch: MAIN
Changes since 1.868: +2 -2 lines
Diff to previous 1.868 (colored)

When setting up the packet description, also retrieve the Traffic Class
field of IPv6 packets.  Issue reported by Christophe Heurtaux on frnog.
ok mikeb@

Revision 1.868 / (download) - annotate - [select for diffs], Sat Jan 25 03:39:00 2014 UTC (10 years, 4 months ago) by lteo
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE
Branch point for: OPENBSD_5_5
Changes since 1.867: +5 -17 lines
Diff to previous 1.867 (colored)

Simplify and shorten the way ICMP checksums are verified in
pf_check_proto_cksum() by letting it use the same in4_cksum() call that
is used for TCP and UDP checksums.

ok henning@ naddy@

Revision 1.867 / (download) - annotate - [select for diffs], Fri Jan 24 12:07:50 2014 UTC (10 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.866: +8 -1 lines
Diff to previous 1.866 (colored)

in pf_check_proto_cksum, update the swcksum counters if we cksummed in
software. ok naddy
(this is pbly the ultimate commit'n'run)

Revision 1.866 / (download) - annotate - [select for diffs], Thu Jan 23 23:51:29 2014 UTC (10 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.865: +4 -8 lines
Diff to previous 1.865 (colored)

since the cksum rewrite the counters for hardware checksummed packets
are a lie, since the software engine emulates hardware offloading
and that is later indistinguishable. so kill the hw cksummed counters.
introduce software checksummed packet counters instead.
tcp/udp handles ip & ipvshit, ip cksum covered, 6 has no ip layer cksum.
as before we still have a miscounting bug for inbound with pf on, to be
fixed in the next step.
found by, prodding & ok naddy

Revision 1.865 / (download) - annotate - [select for diffs], Wed Jan 22 04:33:34 2014 UTC (10 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.864: +7 -7 lines
Diff to previous 1.864 (colored)

7x bcopy -> memcpy, impossibility of overlaps verified. ok benno dlg

Revision 1.864 / (download) - annotate - [select for diffs], Mon Jan 20 02:57:49 2014 UTC (10 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.863: +2 -1 lines
Diff to previous 1.863 (colored)

support negated matches on the rcvif, ok dlg benno

Revision 1.863 / (download) - annotate - [select for diffs], Fri Jan 3 12:48:58 2014 UTC (10 years, 5 months ago) by pelikan
Branch: MAIN
Changes since 1.862: +2 -1 lines
Diff to previous 1.862 (colored)

Switch frequently allocated structs from malloc(M_DEVBUF) to separate pools.

ok henning, "looks fine" mikeb, input from guenther.

Revision 1.862 / (download) - annotate - [select for diffs], Mon Nov 18 20:30:04 2013 UTC (10 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.861: +5 -3 lines
Diff to previous 1.861 (colored)

The prio value of a pf match rule was overridden by a later pass
rule even if the latter had no prio flag.  Fix match rules with
prio to work as expected.
Found by Roman Kravchuk; reported and tested by Alexey Suslikov;
OK henning@

Revision 1.861 / (download) - annotate - [select for diffs], Sat Nov 16 00:36:01 2013 UTC (10 years, 6 months ago) by chl
Branch: MAIN
Changes since 1.860: +2 -8 lines
Diff to previous 1.860 (colored)

Remove dead assignments and now unused variables.

Found by LLVM/Clang Static Analyzer.

ok henning@ mikeb@ bluhm@

Revision 1.860 / (download) - annotate - [select for diffs], Fri Nov 15 21:34:51 2013 UTC (10 years, 6 months ago) by haesbaert
Branch: MAIN
Changes since 1.859: +1 -5 lines
Diff to previous 1.859 (colored)

Revert 1.858, as it causes panics of inp:

kernel diagnostic assertion \"sotoinpcb(inp->inp_socket) == inp\"
failed: file "../../../../netinet/tcp_input.c", line 646

Will think of a better fix.

Revision 1.859 / (download) - annotate - [select for diffs], Fri Nov 15 16:15:41 2013 UTC (10 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.858: +2 -1 lines
Diff to previous 1.858 (colored)

After discussion with deraadt@ and Fernando Gont, it seems that the
stack should still scan for IPv6 type 0 routing headers.  There are
OpenBSD routers running without pf and there are plenty of legacy
implementations supporting RH0.

Bring back the function ip6_check_rh0hdr() that I removed a month
ago.  As an improvement to the previous solution, only scan the
header chain in ip6_input() if the packet has not been inspected
by pf.  Both implementations drop packets with RH0 anywhere in the
extension header chain.

OK mikeb@ henning@

Revision 1.858 / (download) - annotate - [select for diffs], Fri Nov 15 10:18:26 2013 UTC (10 years, 6 months ago) by haesbaert
Branch: MAIN
Changes since 1.857: +5 -1 lines
Diff to previous 1.857 (colored)

Forget socket linking on pf_pkt_addr_changed(), this fixes among other
things, setups with ipsec+ifbound.

The symptom was that local IPSec packets (tunnel->tunnel) would not
match state after the latest pf_find_state() changes. The first packet
would go through, but the subsequent ones would fail the match and
collide later with the existing state.

ok henning@ markus@

Revision 1.857 / (download) - annotate - [select for diffs], Wed Oct 30 11:35:10 2013 UTC (10 years, 7 months ago) by mpi
Branch: MAIN
Changes since 1.856: +3 -1 lines
Diff to previous 1.856 (colored)

Allow to compile a kernel without INET6.

ok henning@

Revision 1.856 / (download) - annotate - [select for diffs], Wed Oct 30 11:21:26 2013 UTC (10 years, 7 months ago) by mikeb
Branch: MAIN
Changes since 1.855: +13 -1 lines
Diff to previous 1.855 (colored)

translate icmpv6 echo ids the same way we do for icmpv4;  ok henning

Revision 1.855 / (download) - annotate - [select for diffs], Mon Oct 28 12:09:41 2013 UTC (10 years, 7 months ago) by mikeb
Branch: MAIN
Changes since 1.854: +13 -11 lines
Diff to previous 1.854 (colored)

previous udp port number rewrite fix turned out to be a work around
the incorrect pf_change_ap call;  while here make the tcp case use
pf_change_ap since it shares the same properties.  ok henning

Revision 1.854 / (download) - annotate - [select for diffs], Thu Oct 24 11:14:33 2013 UTC (10 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.853: +3 -3 lines
Diff to previous 1.853 (colored)

Move obvious kernel prototypes (and structure's with kernel pointers,
obviously only used in the kernel) behind #ifdef _KERNEL

Revision 1.853 / (download) - annotate - [select for diffs], Wed Oct 23 16:13:54 2013 UTC (10 years, 7 months ago) by mikeb
Branch: MAIN
Changes since 1.852: +3 -1 lines
Diff to previous 1.852 (colored)

translate port numbers for inner udp packets when they're returned
as a payload of icmp error messages;  makes traceroute6 operate
across a nat64 gateway.

prompted by sthen, ok henning

Revision 1.852 / (download) - annotate - [select for diffs], Wed Oct 23 15:12:42 2013 UTC (10 years, 7 months ago) by mpi
Branch: MAIN
Changes since 1.851: +1 -2 lines
Diff to previous 1.851 (colored)

Remove the number of in_var.h inclusions by moving some functions and
global variables to in.h.

ok mikeb@, deraadt@

Revision 1.851 / (download) - annotate - [select for diffs], Wed Oct 23 11:06:56 2013 UTC (10 years, 7 months ago) by mikeb
Branch: MAIN
Changes since 1.850: +5 -3 lines
Diff to previous 1.850 (colored)

overwrite icmp packet type-specific nextptr field only when we're
changing it.  fixes an icmp to icmpv6 translation regression found
by todd and sthen.

ok henning sthen

Revision 1.850 / (download) - annotate - [select for diffs], Tue Oct 22 15:35:57 2013 UTC (10 years, 7 months ago) by lteo
Branch: MAIN
Changes since 1.849: +4 -2 lines
Diff to previous 1.849 (colored)

In pf_test_state_icmp(), actually copy pd->hdr.any back into the mbuf as
intended after the ICMP/ICMPv6 checksum is zeroed in pf_cksum().  This
resolves an issue found by sthen@ where ICMP traffic with nat-to failed
due to incorrect checksums.

Fix tested by sthen@ and myself
OK henning@

Revision 1.849 / (download) - annotate - [select for diffs], Mon Oct 21 09:39:23 2013 UTC (10 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.848: +17 -3 lines
Diff to previous 1.848 (colored)

pf_translate: missing conditional pf_check_proto_cksum calls before
mucking with the icmpid.
impact of the bug is quite limited, only affect icmp echo requests & reply
through nat when the natting does not actually change any address.
ok bluhm, found while hunting something else sthen is seeing

Revision 1.848 / (download) - annotate - [select for diffs], Sun Oct 20 13:42:36 2013 UTC (10 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.847: +5 -1 lines
Diff to previous 1.847 (colored)

in pf_cksum, set the icmp/icmp6 cksums to 0, for consistency with tcp/udp
with & ok bluhm

Revision 1.847 / (download) - annotate - [select for diffs], Sun Oct 20 13:21:56 2013 UTC (10 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.846: +2 -2 lines
Diff to previous 1.846 (colored)

rt_mpath_next() was always called with 0 in the last argument. So drop it.
OK henning@

Revision 1.846 / (download) - annotate - [select for diffs], Sun Oct 20 11:03:00 2013 UTC (10 years, 7 months ago) by phessler
Branch: MAIN
Changes since 1.845: +5 -5 lines
Diff to previous 1.845 (colored)

Put a large chunk of the IPv6 rdomain support in-tree.

Still some important missing pieces, and this is not yet enabled.

OK bluhm@

Revision 1.845 / (download) - annotate - [select for diffs], Sat Oct 19 10:47:53 2013 UTC (10 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.844: +1 -11 lines
Diff to previous 1.844 (colored)

pf_cksum doesn't need to compute the pseudo hdr cksum any more.
ok lteo florian

Revision 1.844 / (download) - annotate - [select for diffs], Thu Oct 17 16:27:41 2013 UTC (10 years, 7 months ago) by bluhm
Branch: MAIN
Changes since 1.843: +2 -1 lines
Diff to previous 1.843 (colored)

The header file netinet/in_var.h included netinet6/in6_var.h.  This
created a bunch of useless dependencies.  Remove this implicit
inclusion and do an explicit #include <netinet6/in6_var.h> when it
is needed.
OK mpi@ henning@

Revision 1.843 / (download) - annotate - [select for diffs], Sat Oct 12 12:13:10 2013 UTC (10 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.842: +6 -3 lines
Diff to previous 1.842 (colored)

new bandwidth shaping subsystem, kernel side
uses hfsc behind the scenes; altq stays in parallel for a migration phase.
if.h even more messy for the transition, but eventually it should become
readable...
looked over & tested by many, ok phessler sthen

Revision 1.842 / (download) - annotate - [select for diffs], Fri Oct 11 10:58:42 2013 UTC (10 years, 8 months ago) by gerhard
Branch: MAIN
Changes since 1.841: +2 -2 lines
Diff to previous 1.841 (colored)

Prevent non-data packets from being dropped.

ok bluhm@ mikeb@

Revision 1.841 / (download) - annotate - [select for diffs], Wed Oct 9 09:32:01 2013 UTC (10 years, 8 months ago) by camield
Branch: MAIN
Changes since 1.840: +7 -8 lines
Diff to previous 1.840 (colored)

Don't leak ruleitems from match rules when hitting a per-rule max state limit.

ok henning

Revision 1.840 / (download) - annotate - [select for diffs], Fri Sep 27 10:20:08 2013 UTC (10 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.839: +9 -5 lines
Diff to previous 1.839 (colored)

IPv6 atomic fragments must not go the reassembly queue, but be
processed immediately.  Let pf step over an atomic fragment header
and handle the packet like an unfragmented.
OK mikeb@

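The two header-chain rules described in the log entries above, RH0 anywhere in the IPv6 extension header chain is dropped (pf.c 1.859 brought the same check back into ip6_input() for packets pf did not see) and an atomic fragment header (offset 0, M flag clear) is stepped over instead of queued for reassembly (pf.c 1.840), as one added example in C. This is not pf's code: it is a stand-alone walker over a raw packet buffer with constructed sample packets, and the verdict names and the helper `ip6_walk_exthdrs` are this example's own.

```c
#include <stddef.h>
#include <stdint.h>

#define IP6_HDRLEN   40
#define IP6_HOPOPTS   0
#define IP6_UDP      17
#define IP6_ROUTING  43
#define IP6_FRAGMENT 44
#define IP6_AH       51
#define IP6_NONE     59
#define IP6_DSTOPTS  60

enum ip6_verdict {
	IP6_PASS,        /* unfragmented or atomic fragment: inspect the upper layer at *ulp_off */
	IP6_REASSEMBLE,  /* real fragment: hand it to the reassembly queue */
	IP6_DROP_RH0,    /* type 0 routing header somewhere in the chain */
	IP6_BAD          /* truncated or malformed header chain */
};

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

enum ip6_verdict
ip6_walk_exthdrs(const uint8_t *pkt, size_t len, uint8_t *ulp_proto, size_t *ulp_off)
{
	size_t off = IP6_HDRLEN, hlen = 0;
	uint8_t nxt;

	if (len < IP6_HDRLEN || (pkt[0] >> 4) != 6)
		return IP6_BAD;
	nxt = pkt[6];
	for (;;) {
		switch (nxt) {
		case IP6_HOPOPTS:
		case IP6_DSTOPTS:
		case IP6_ROUTING:
		case IP6_AH:
			if (off + 2 > len)
				return IP6_BAD;
			/* AH counts its length in 32-bit words, the others in 8-byte units */
			hlen = (nxt == IP6_AH) ? ((size_t)pkt[off + 1] + 2) * 4
			                       : ((size_t)pkt[off + 1] + 1) * 8;
			if (off + hlen > len)
				return IP6_BAD;
			if (nxt == IP6_ROUTING && pkt[off + 2] == 0)
				return IP6_DROP_RH0;         /* routing type 0, wherever it sits */
			break;
		case IP6_FRAGMENT: {
			uint16_t offlg;
			hlen = 8;
			if (off + hlen > len)
				return IP6_BAD;
			offlg = get16(pkt + off + 2);
			if ((offlg & 0xfff8) != 0 || (offlg & 0x0001))
				return IP6_REASSEMBLE;
			/* offset 0 and M clear: atomic fragment, step over it like any other header */
			break;
		}
		default:
			*ulp_proto = nxt;
			*ulp_off = off;
			return IP6_PASS;
		}
		nxt = pkt[off];      /* next header byte of the header we just validated */
		off += hlen;
	}
}

/* constructed samples: fe80::1 -> fe80::2, hop limit 64 */
#define IP6_ADDRS \
	0xfe,0x80,0,0,0,0,0,0, 0,0,0,0,0,0,0,0x01, \
	0xfe,0x80,0,0,0,0,0,0, 0,0,0,0,0,0,0,0x02

static const uint8_t pkt_atomic[] = {               /* atomic fragment header, then UDP */
	0x60,0,0,0, 0x00,0x10, IP6_FRAGMENT, 64, IP6_ADDRS,
	IP6_UDP, 0, 0x00,0x00, 0xde,0xad,0xbe,0xef,     /* offset 0, M=0 */
	0x04,0xd2, 0x00,0x35, 0x00,0x08, 0x00,0x00      /* UDP 1234 -> 53 */
};
static const uint8_t pkt_frag[] = {                 /* first real fragment: offset 0, M=1 */
	0x60,0,0,0, 0x00,0x10, IP6_FRAGMENT, 64, IP6_ADDRS,
	IP6_UDP, 0, 0x00,0x01, 0xde,0xad,0xbe,0xef,
	0x04,0xd2, 0x00,0x35, 0x00,0x08, 0x00,0x00
};
static const uint8_t pkt_rh0[] = {                  /* routing header type 0 */
	0x60,0,0,0, 0x00,0x08, IP6_ROUTING, 64, IP6_ADDRS,
	IP6_NONE, 0, 0, 0, 0,0,0,0
};
static const uint8_t pkt_rh2[] = {                  /* routing header type 2 (Mobile IPv6): allowed */
	0x60,0,0,0, 0x00,0x18, IP6_ROUTING, 64, IP6_ADDRS,
	IP6_NONE, 2, 2, 1, 0,0,0,0,
	0x20,0x01,0x0d,0xb8,0,0,0,0, 0,0,0,0,0,0,0,0x01
};
```

Every header length is checked against the bytes actually present before the next-header byte is read, so a chain that claims more than the packet carries ends in IP6_BAD rather than a read past the buffer.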
Revision 1.839 / (download) - annotate - [select for diffs], Mon Aug 19 09:16:25 2013 UTC (10 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.838: +2 -2 lines
Diff to previous 1.838 (colored)

in pf_test_rule, when dealing with a match rule, obey the match rule's quick
flag to decide whether to abort ruleset eval instead of the last matching rule's
one. makes "match quick" abort ruleset evaluation with the current block/pass
state. from Maxim Khitrov <max at mxcrypt.com>, ok bluhm mikeb

Revision 1.838 / (download) - annotate - [select for diffs], Fri Jul 5 13:07:57 2013 UTC (10 years, 11 months ago) by blambert
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4
Changes since 1.837: +5 -13 lines
Diff to previous 1.837 (colored)

Collect and display 'match' counters for pf tables.

While here, fix pf table displays to fit within 80 chars.

Manpage input jmc@

ok henning@ reyk@

Revision 1.837 / (download) - annotate - [select for diffs], Wed Jun 26 09:12:39 2013 UTC (10 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.836: +230 -383 lines
Diff to previous 1.836 (colored)

put the cksum diff back, of course with the bug fixed where we could
under some circumstances repair broken checksums on the way.
ok ryan naddy mikeb
.
redo most of the protocol (tcp/udp/...) checksum handling
-assume we have hardware checksum offloading. stop mucking with the
 checksum in most of the stack
-stop checksum mucking in pf, just set a "needs checksumming" flag if needed
-in all output paths, very late, if we figure out the outbound interface
 doesn't have hw cksum offloading, do the cksum in software. this especially
 makes the bridge path behave like a regular output path
-little special casing for bridge still required until the broadcast path
 loses its disgusting shortcut hacks, but at least it's in one place now
 and not all over the stack
in6_proto_cksum_out mostly written by krw@
started at k2k11 in iceland more than 1.5 years ago - yes it took that
long, this stuff is everything but easy.
this happens to fix the infamous pf rdr bug that made us turn off proto
cksum offloading on almost all interface drivers.

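The checksum hazard behind two of the entries above, the "repair broken checksums on the way" bug noted for pf.c 1.837 and the missing pf_check_proto_cksum calls before rewriting the icmpid in 1.849, shown as an added example in C (this is not pf's code; pf itself now only sets a flag and lets the output path checksum). It uses an RFC 1071 checksum over a constructed ICMP echo request and an RFC 1624 incremental update of the kind pf_cksum_fixup() used to do; the function names are this example's own. Verifying before modifying is the point: recomputing from scratch after a NAT rewrite turns a packet that arrived corrupt into one with a valid checksum.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* RFC 1071 Internet checksum over a byte range (no pseudo header, as for ICMP) */
uint16_t
in_cksum(const uint8_t *p, size_t len)
{
	uint32_t sum = 0;
	for (; len > 1; p += 2, len -= 2)
		sum += get16(p);
	if (len)
		sum += (uint32_t)p[0] << 8;
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

/* RFC 1624 incremental update: checksum after one 16-bit word changes from old to newv */
uint16_t
cksum_fixup(uint16_t cksum, uint16_t old, uint16_t newv)
{
	uint32_t sum = (uint16_t)~cksum;
	sum += (uint16_t)~old;
	sum += newv;
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

int icmp_cksum_ok(const uint8_t *icmp, size_t len) { return in_cksum(icmp, len) == 0; }

void
icmp_set_cksum(uint8_t *icmp, size_t len)
{
	put16(icmp + 2, 0);
	put16(icmp + 2, in_cksum(icmp, len));
}

/*
 * Rewrite the echo id the way NAT does.  With verify set, a packet that already
 * fails its checksum is left untouched and -1 is returned so the caller drops it,
 * instead of handing on a corrupt packet with a freshly valid checksum.
 */
int
icmp_rewrite_id(uint8_t *icmp, size_t len, uint16_t newid, int verify)
{
	uint16_t oldid;
	if (len < 8)
		return -1;
	if (verify && !icmp_cksum_ok(icmp, len))
		return -1;
	oldid = get16(icmp + 4);
	put16(icmp + 4, newid);
	put16(icmp + 2, cksum_fixup(get16(icmp + 2), oldid, newid));
	return 0;
}

/* The tempting shortcut: change the field, recompute from scratch.  This also
 * "repairs" whatever was corrupt on arrival. */
int
icmp_rewrite_id_recompute(uint8_t *icmp, size_t len, uint16_t newid)
{
	if (len < 8)
		return -1;
	put16(icmp + 4, newid);
	icmp_set_cksum(icmp, len);
	return 0;
}

/* constructed ICMP echo request: type 8, code 0, checksum to be filled, id 0x1234, seq 1, 8 data bytes */
static const uint8_t icmp_echo[16] = {
	8, 0, 0, 0, 0x12, 0x34, 0x00, 0x01, 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h'
};
```

The incremental update keeps a bad checksum bad, which is why it was safe to apply blindly only in combination with the verification step; a full recompute needs the same verification in front of it, or it launders corruption.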
Revision 1.836 / (download) - annotate - [select for diffs], Wed Jun 26 07:53:59 2013 UTC (10 years, 11 months ago) by blambert
Branch: MAIN
Changes since 1.835: +18 -1 lines
Diff to previous 1.835 (colored)

Rudimentary counter fix for tables used in match rules.

Fixes an issue seen by reyk@

ok henning@ reyk@

Revision 1.835 / (download) - annotate - [select for diffs], Mon Jun 17 19:50:06 2013 UTC (10 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.834: +3 -3 lines
Diff to previous 1.834 (colored)

Before pulling the TCP options from the mbuf onto the stack, do an
additional length check in pf_modulate_sack() and pf_normalize_mss().
Overflow cannot happen due to the restricted values in the length
calculation.  As this is not obvious, be better safe than sorry.
OK henning@

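The bounds check the entry above adds before pulling TCP options onto the stack, as an added example in C that is not pf's code: a stand-alone parser over a raw TCP segment with the same discipline pf_normalize_mss() follows (validate th_off against the bytes present, validate every option length against the options area, only then copy to a fixed stack buffer), plus an MSS clamp in the spirit of "scrub (max-mss N)". The sample segments are constructed and the function names are this example's own; the TCP checksum update after a clamp is left to the caller.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TCPOPT_EOL     0
#define TCPOPT_NOP     1
#define TCPOPT_MAXSEG  2
#define TCPOPT_SACK    5
#define TCPOLEN_MAXSEG 4
#define TCP_MINHLEN    20
#define TCP_MAXOPTLEN  40   /* th_off is 4 bits, so at most 60 - 20 bytes of options */

/*
 * Locate the MSS option.  Returns 1 and the offset of its 16-bit value within
 * the segment, 0 if absent, -1 if th_off or an option length does not fit.
 * The options are copied onto the stack only after every length check passed.
 */
static int
tcp_find_mss(const uint8_t *seg, size_t seglen, size_t *mss_off)
{
	uint8_t opts[TCP_MAXOPTLEN];
	size_t hlen, olen, i;

	if (seglen < TCP_MINHLEN)
		return -1;
	hlen = (size_t)(seg[12] >> 4) * 4;
	if (hlen < TCP_MINHLEN || hlen > seglen)
		return -1;                  /* th_off claims bytes that are not there */
	olen = hlen - TCP_MINHLEN;
	if (olen > sizeof(opts))
		return -1;                  /* cannot happen with a 4-bit th_off; kept anyway */
	memcpy(opts, seg + TCP_MINHLEN, olen);

	for (i = 0; i < olen; ) {
		uint8_t kind = opts[i], len;
		if (kind == TCPOPT_EOL)
			break;
		if (kind == TCPOPT_NOP) {
			i++;
			continue;
		}
		if (i + 1 >= olen)
			return -1;              /* no room for the length byte */
		len = opts[i + 1];
		if (len < 2 || i + len > olen)
			return -1;              /* option runs past the options area */
		if (kind == TCPOPT_MAXSEG) {
			if (len != TCPOLEN_MAXSEG)
				return -1;
			*mss_off = TCP_MINHLEN + i + 2;
			return 1;
		}
		if (kind == TCPOPT_SACK && (len - 2) % 8 != 0)
			return -1;              /* SACK blocks are 8 bytes each */
		i += len;
	}
	return 0;
}

/* Read the advertised MSS: 1 if found, 0 if none, -1 if the options are malformed. */
int
tcp_get_mss(const uint8_t *seg, size_t seglen, uint16_t *mss)
{
	size_t off;
	int r = tcp_find_mss(seg, seglen, &off);
	if (r == 1)
		*mss = (uint16_t)((seg[off] << 8) | seg[off + 1]);
	return r;
}

/* Lower the MSS to maxmss in place: 1 if rewritten, 0 if unchanged, -1 if malformed. */
int
tcp_clamp_mss(uint8_t *seg, size_t seglen, uint16_t maxmss)
{
	size_t off;
	uint16_t mss;
	int r = tcp_find_mss(seg, seglen, &off);
	if (r != 1)
		return r;
	mss = (uint16_t)((seg[off] << 8) | seg[off + 1]);
	if (mss <= maxmss)
		return 0;
	seg[off] = (uint8_t)(maxmss >> 8);
	seg[off + 1] = (uint8_t)maxmss;
	return 1;
}

/* constructed SYN segments, 40000 -> 22; byte 12 carries th_off, options start at byte 20 */
#define TCP_FIXED(thoff) \
	0x9c,0x40, 0x00,0x16, 0,0,0,1, 0,0,0,0, (uint8_t)((thoff) << 4), 0x02, 0xff,0xff, 0,0, 0,0

static const uint8_t seg_mss[]   = { TCP_FIXED(6), TCPOPT_MAXSEG, 4, 0x05, 0xb4 };         /* MSS 1460 */
static const uint8_t seg_short[] = { TCP_FIXED(6), TCPOPT_NOP, TCPOPT_MAXSEG, 4, 0x05 };   /* claims 4 bytes, 3 left */
static const uint8_t seg_sack[]  = { TCP_FIXED(7), TCPOPT_SACK, 5, 0,0,0,1, TCPOPT_NOP, TCPOPT_EOL }; /* bad SACK length */
```

The first check rejects a header whose th_off points beyond the segment (the case where an mbuf shorter than the header would otherwise be read), the per-option check rejects lengths that overrun the options area, and the stack buffer is sized from the 4-bit th_off field, so the copy can never exceed it.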
Revision 1.834 / (download) - annotate - [select for diffs], Wed Jun 5 00:56:35 2013 UTC (11 years ago) by henning
Branch: MAIN
Changes since 1.833: +17 -41 lines
Diff to previous 1.833 (colored)

after the pf_test_state folding, in pf_test in the proto switch, the
udp and the default case are 100% identical, tcp does a little more, but
that is easier to add w/ two "if tcp" blocks in the default case, so the
udp and tcp cases die. ok bluhm

Revision 1.833 / (download) - annotate - [select for diffs], Tue Jun 4 19:07:59 2013 UTC (11 years ago) by henning
Branch: MAIN
Changes since 1.832: +101 -246 lines
Diff to previous 1.832 (colored)

fold pf_test_state_{tcp,udp,other} into one pf_test_state.
the _icmp variant stays because it is completely different.
factor out the synproxy code into a new pf_synproxy() for readability.
pf_setup_pdesc sets us up with access to ports, cksum etc in a protocol
independent matter, so we don't need many protocol switches here.
tcp and udp were almost identical, the _other case changes significantly -
not too unlikely this fixes a subtle bug or two in that case.
ok ryan benno bluhm mikeb

Revision 1.832 / (download) - annotate - [select for diffs], Tue Jun 4 19:03:11 2013 UTC (11 years ago) by henning
Branch: MAIN
Changes since 1.831: +4 -1 lines
Diff to previous 1.831 (colored)

add a pointer to the protocol checksum header field to pf_pdesc and set
it up in pf_setup_pdesc(). ok ryan benno mikeb bluhm

Revision 1.831 / (download) - annotate - [select for diffs], Tue Jun 4 18:58:28 2013 UTC (11 years ago) by henning
Branch: MAIN
Changes since 1.830: +4 -1 lines
Diff to previous 1.830 (colored)

make pf_change_ap() usable without a port. if the port pointer is NULL,
just return after being done with the address. ok bluhm ryan mikeb

Revision 1.830 / (download) - annotate - [select for diffs], Mon Jun 3 16:57:05 2013 UTC (11 years ago) by bluhm
Branch: MAIN
Changes since 1.829: +16 -2 lines
Diff to previous 1.829 (colored)

Link pf states and socket inpcbs together more tightly.  The linking
was only done when a packet traveled up the stack from pf to
tcp_input().  Now also link the state and inpcb when the packet is
going down from tcp_output() to pf.  As a consequence, divert-reply
states where the initial SYN does not get an answer, can be handled
more correctly.

This change is part of a larger diff that has been backed out in
2011.  Bring the feature back in small steps to see when bad things
start to happen.

OK henning deraadt

Revision 1.829 / (download) - annotate - [select for diffs], Mon Jun 3 16:32:00 2013 UTC (11 years ago) by bluhm
Branch: MAIN
Changes since 1.828: +9 -9 lines
Diff to previous 1.828 (colored)

Update o[sd]port whenever n[sd]port is changed.  This fixes a
regression introduced with pf.c 1.827 and allows us to create icmp
states again.
OK henning@

Revision 1.828 / (download) - annotate - [select for diffs], Mon Jun 3 01:41:04 2013 UTC (11 years ago) by henning
Branch: MAIN
Changes since 1.827: +11 -16 lines
Diff to previous 1.827 (colored)

fix anchor quick with nested anchors. we lost the quick flag as soon as
we stepped into a child anchor.
simplify the logic, get rid of the match flag in the anchor stack, just
use the match variable we already had (and used in a boolean style) to track
the nest level we had a match at. when a child anchor had a match we also
have a match in the current anchor, so update the match level accordingly,
and thus correctly honour the quick flag.
reported by, along with the right idea on how to fix this, by Sean Gallagher
<sean at teletech.com.au>, who also helped testing the fix. ok ryan & benno

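The two quick-flag semantics described in the log, "match quick" aborting evaluation with the current pass/block state (pf.c 1.839) and an anchor's quick flag being honoured when the match happened inside a nested child anchor (pf.c 1.828), as one added example in C. This is a deliberately small model of pf_test_rule()'s last-match-wins evaluation, not pf's code: rules match on a destination port only, the ruleset below is constructed, and the types and function names are this example's own. The recursion's return value plays the role of the match level the 1.828 entry describes.

```c
#include <stddef.h>

enum action { R_PASS, R_BLOCK, R_MATCH };

struct ruleset;

struct rule {
	enum action action;
	int quick;                     /* stop once this rule, or anything inside its anchor, matches */
	int dport;                     /* 0 matches any destination port */
	const struct ruleset *anchor;  /* non-NULL: an "anchor" rule with a child ruleset */
};

struct ruleset {
	const struct rule *rules;
	size_t n;
};

struct eval {
	const struct rule *last;   /* last matching pass/block rule decides the verdict */
	int match_rules;           /* how many "match" rules applied their options */
	int stop;                  /* a quick rule matched: abort at every level */
};

static int
rule_matches(const struct rule *r, int dport)
{
	return r->dport == 0 || r->dport == dport;
}

/*
 * Evaluate one ruleset.  Returns 1 if a rule in it, or in a nested anchor,
 * matched; that is what lets "anchor ... quick" fire on a match that happened
 * several anchors down.
 */
static int
eval_ruleset(const struct ruleset *rs, int dport, struct eval *ev)
{
	int matched = 0;
	size_t i;

	for (i = 0; i < rs->n && !ev->stop; i++) {
		const struct rule *r = &rs->rules[i];

		if (!rule_matches(r, dport))
			continue;
		if (r->anchor) {
			if (!eval_ruleset(r->anchor, dport, ev))
				continue;         /* nothing inside matched: the anchor rule does not count */
			matched = 1;
			if (r->quick)
				ev->stop = 1;
			continue;
		}
		matched = 1;
		if (r->action == R_MATCH)
			ev->match_rules++;    /* options applied; pass/block state untouched */
		else
			ev->last = r;         /* last matching pass/block wins */
		if (r->quick)
			ev->stop = 1;         /* "match quick" aborts with the current state too */
	}
	return matched;
}

/* Returns 1 for pass, 0 for block.  As in pf, a packet matched by no rule passes. */
int
pf_verdict(const struct ruleset *root, int dport, int *match_rules)
{
	struct eval ev = { NULL, 0, 0 };
	eval_ruleset(root, dport, &ev);
	if (match_rules)
		*match_rules = ev.match_rules;
	return ev.last == NULL || ev.last->action == R_PASS;
}

/*
 * Constructed ruleset, in pf.conf terms:
 *   block all
 *   anchor "svc" quick {
 *       anchor "ssh" { pass to port 22 }
 *       match quick to port 80
 *   }
 *   block to port 22
 *   pass to port 80
 */
static const struct rule ssh_rules[] = { { R_PASS, 0, 22, NULL } };
static const struct ruleset ssh_anchor = { ssh_rules, 1 };
static const struct rule svc_rules[] = {
	{ R_PASS, 0, 0, &ssh_anchor },    /* action is irrelevant for an anchor rule */
	{ R_MATCH, 1, 80, NULL },
};
static const struct ruleset svc_anchor = { svc_rules, 2 };
static const struct rule root_rules[] = {
	{ R_BLOCK, 0, 0, NULL },
	{ R_PASS, 1, 0, &svc_anchor },
	{ R_BLOCK, 0, 22, NULL },
	{ R_PASS, 0, 80, NULL },
};
const struct ruleset root_ruleset = { root_rules, 4 };
```

Port 22 passes because the match two anchors deep propagates up and the quick on "svc" stops evaluation before "block to port 22"; port 80 is blocked because "match quick" stops evaluation while the state is still the initial block, so the trailing pass rule is never reached.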
Revision 1.827 / (download) - annotate - [select for diffs], Sun Jun 2 23:06:36 2013 UTC (11 years ago) by henning
Branch: MAIN
Changes since 1.826: +2 -5 lines
Diff to previous 1.826 (colored)

set up osport and odport (original src/dst port) in pf_setup_pdesc instead
of late in pf_test_rule - need that for upcoming changes. ok ryan

Revision 1.826 / (download) - annotate - [select for diffs], Sat Jun 1 21:18:02 2013 UTC (11 years ago) by henning
Branch: MAIN
Changes since 1.825: +8 -5 lines
Diff to previous 1.825 (colored)

pf_step_{into,out_of}_anchor() are only ever called from pf_test_rule()
these days, so:
-move the prototypes from pfvar.h to pf.c
-remove the now useless null pointer checks for *match, it is always provided
ok ryan

Revision 1.825 / (download) - annotate - [select for diffs], Tue May 14 23:59:26 2013 UTC (11 years, 1 month ago) by mikeb
Branch: MAIN
Changes since 1.824: +2 -2 lines
Diff to previous 1.824 (colored)

Pass the correct pointer to pool_put if pf_state_key_attach fails.
Thanks to Brian Poole <pooleb @ gmail ! com> for noticing this.

Revision 1.824 / (download) - annotate - [select for diffs], Fri May 10 11:36:24 2013 UTC (11 years, 1 month ago) by mikeb
Branch: MAIN
Changes since 1.823: +11 -8 lines
Diff to previous 1.823 (colored)

Since pf_state_key_attach can decide to free the provided state
key we need to sync our state key pointers with whatever values
the function will pick.  Not doing so will produce wrong results
if address translation must be applied afterwards and we happen
to have a state key collision.  Then pf_translate will follow an
old pointer and punch in garbage addresses into the packet.

Noticed, initial patch and tests by Vitaly Sinilin <vs @ kp4 ! ru>
ok tedu, henning

Revision 1.823 / (download) - annotate - [select for diffs], Fri May 3 15:33:47 2013 UTC (11 years, 1 month ago) by florian
Branch: MAIN
Changes since 1.822: +7 -1 lines
Diff to previous 1.822 (colored)

Export ingress/egress interface index in pflow(4).
Report that this is needed for some netflow collector and tests by
Chris Ivancic & Colin Ligertwood.

OK mikeb@, benno@

Revision 1.822 / (download) - annotate - [select for diffs], Wed Apr 10 08:50:59 2013 UTC (11 years, 2 months ago) by mpi
Branch: MAIN
Changes since 1.821: +2 -4 lines
Diff to previous 1.821 (colored)

Remove various external variable declaration from sources files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@

Revision 1.821 / (download) - annotate - [select for diffs], Fri Mar 29 13:16:14 2013 UTC (11 years, 2 months ago) by bluhm
Branch: MAIN
Changes since 1.820: +4 -5 lines
Diff to previous 1.820 (colored)

Declare struct pf_state_key in the mbuf and in_pcb header files to
avoid ugly casts.
OK krw@ tedu@

Revision 1.820 / (download) - annotate - [select for diffs], Thu Mar 28 00:32:11 2013 UTC (11 years, 2 months ago) by bluhm
Branch: MAIN
Changes since 1.819: +5 -5 lines
Diff to previous 1.819 (colored)

Unfortunately the satosin, sintosa, ifatoia, satosin6, sin6tosa,
ifatoia6 macros do not check the source type.  They just cast
anything.  Remove needless casts and do not use those macros if the
source type does not match.  Remove duplicate defines.
No binary change.  OK kettenis@ krw@

Revision 1.819 / (download) - annotate - [select for diffs], Mon Mar 11 19:48:40 2013 UTC (11 years, 3 months ago) by sthen
Branch: MAIN
Changes since 1.818: +3 -3 lines
Diff to previous 1.818 (colored)

Add a separate "translation" counter and use this rather than "memory"
when address translation fails due to no free ports in the configured range.
ok mikeb@

Revision 1.818 / (download) - annotate - [select for diffs], Sun Jan 20 22:51:16 2013 UTC (11 years, 4 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.817: +9 -6 lines
Diff to previous 1.817 (colored)

Make pf TCP sequence number tracking less strict by one octet for
FIN packets.  The data of a TCP packet must fit into the announced
window, but this is not required for the sequence number of the
FIN.  A packet with the FIN bit set and containing data that fits
exactly into the announced window was blocked.  Our stack generates
such packets when the receive buffer size is set to 1024.  Now pf
uses only the data length for window comparison.
OK henning@

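The window comparison the entry above relaxes, as an added example in C that is not pf's code: a minimal model of the check in pf's TCP sequence tracker, with the pre-1.818 form that counted the FIN against the window next to the form that compares only the data. The struct and function names are this example's own and the retransmit tolerance pf allows below seqlo is omitted; sequence comparison is modular, as in <netinet/tcp_seq.h>.

```c
#include <stdint.h>

#define TH_FIN 0x01
#define TH_SYN 0x02

/* modular sequence comparison, as in <netinet/tcp_seq.h> */
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)

/* per-direction tracking state, a subset of what pf keeps per peer */
struct peer {
	uint32_t seqlo;   /* lowest sequence number still acceptable */
	uint32_t seqhi;   /* highest sequence number the receiver announced room for */
};

/*
 * Check as applied before pf.c 1.818: the FIN is counted in "end", so a
 * segment whose data exactly fills the announced window is rejected.
 */
int
tcp_seq_in_window_strict(const struct peer *src, uint32_t seq, uint32_t datalen, uint8_t flags)
{
	uint32_t end = seq + datalen;
	if (flags & TH_SYN)
		end++;
	if (flags & TH_FIN)
		end++;
	return SEQ_GEQ(seq, src->seqlo) && SEQ_GEQ(src->seqhi, end);
}

/*
 * Check after the fix: only the data (and a SYN, which occupies sequence space
 * ahead of it) has to fit the window.  "end", including the FIN, is still what
 * the tracker advances seqlo to, so it is returned for the caller.
 */
int
tcp_seq_in_window(const struct peer *src, uint32_t seq, uint32_t datalen, uint8_t flags,
    uint32_t *end_out)
{
	uint32_t end = seq + datalen, data_end;
	if (flags & TH_SYN)
		end++;
	data_end = end;
	if (flags & TH_FIN)
		end++;
	*end_out = end;
	return SEQ_GEQ(seq, src->seqlo) && SEQ_GEQ(src->seqhi, data_end);
}
```

A FIN carrying exactly one window's worth of data, which the entry says the stack emits with a 1024-byte receive buffer, fails the strict form and passes the relaxed one; one byte of data beyond the window still fails both.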
Revision 1.817 / (download) - annotate - [select for diffs], Fri Nov 23 18:35:25 2012 UTC (11 years, 6 months ago) by mikeb
Branch: MAIN
Changes since 1.816: +13 -8 lines
Diff to previous 1.816 (colored)

make sure to always pass an array of struct pf_src_node pointers to
the pf_map_addr.  doing otherwise leads to the stack corruption.
bug was reported and fix tested by arjan schrijver, thanks!
ok jsing, henning, florian who has also found the same bug in
pf_route and pf_route6 functions.

Revision 1.816 / (download) - annotate - [select for diffs], Tue Nov 6 12:32:41 2012 UTC (11 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.815: +350 -149 lines
Diff to previous 1.815 (colored)

backout csum diff for the moment, requested by theo

Revision 1.815 / (download) - annotate - [select for diffs], Thu Nov 1 07:55:56 2012 UTC (11 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.814: +148 -349 lines
Diff to previous 1.814 (colored)

redo most of the protocol (tcp/udp/...) checksum handling
-assume we have hardware checksum offloading. stop mucking with the
 checksum in most of the stack
-stop checksum mucking in pf, just set a "needs checksumming" flag if needed
-in all output paths, very late, if we figure out the outbound interface
 doesn't have hw cksum offloading, do the cksum in software. this especially
 makes the bridge path behave like a regular output path
-little special casing for bridge still required until the broadcast path
 loses its disgusting shortcut hacks, but at least it's in one place now
 and not all over the stack
in6_proto_cksum_out mostly written by krw@
started at k2k11 in iceland more than 1.5 years ago - yes it took that
long, this stuff is everything but easy.
this happens to fix the infamous pf rdr bug that made us turn off proto
cksum offloading on almost all interface drivers.
ok camield sthen claudio, testing by many, thanks!

Revision 1.814 / (download) - annotate - [select for diffs], Tue Oct 30 12:09:05 2012 UTC (11 years, 7 months ago) by florian
Branch: MAIN
Changes since 1.813: +29 -24 lines
Diff to previous 1.813 (colored)

Use time_uptime for expiration values as time_second can be skewed at
runtime while time_uptime is monotonic. Prevent underflows in
pfsync(4) and pflow(4) by using signed variables.  pfsync(4) problem
pointed out by camield.

Diff originally by dlg, frag and pflow bits by me.

feedback dlg
man page tweak jmc

Various versions of the pflow bits tested by Hrvoje Popovski
(hrvoje AT srce DOT hr), thanks!

ok benno, henning, dlg

Revision 1.813 / (download) - annotate - [select for diffs], Sun Oct 21 13:06:02 2012 UTC (11 years, 7 months ago) by benno
Branch: MAIN
Changes since 1.812: +5 -4 lines
Diff to previous 1.812 (colored)

Add the IP_DIVERTFL socket option on divert(4) sockets to control
which packets (as in direction) of the traffic will be diverted
through the divert socket.
ok claudio@, henning@

Revision 1.812 / (download) - annotate - [select for diffs], Wed Sep 19 12:35:07 2012 UTC (11 years, 8 months ago) by blambert
Branch: MAIN
Changes since 1.811: +4 -6 lines
Diff to previous 1.811 (colored)

More radix internals pushdown; place rn_mpath_next, which accepts and
returns radix_node pointers, inside a new rt_mpath_next, which accepts
and returns rtentry pointers, and start using that instead.

ok claudio@

Revision 1.811 / (download) - annotate - [select for diffs], Tue Sep 18 10:11:53 2012 UTC (11 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.810: +9 -12 lines
Diff to previous 1.810 (colored)

prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb

Revision 1.810 / (download) - annotate - [select for diffs], Thu Aug 30 11:43:36 2012 UTC (11 years, 9 months ago) by mikeb
Branch: MAIN
Changes since 1.809: +4 -1 lines
Diff to previous 1.809 (colored)

Sloppy state tracking renders ICMP direction check useless
and harmful as we might see only half of the connection in
the asymmetric setups but ignore the state match.  The bug
was reported and the fix was verified by Insan Praja <insan ()
ims-solusi ! com>.  Thanks!  OK mcbride, henning

Revision 1.809 / (download) - annotate - [select for diffs], Thu Jul 26 12:25:31 2012 UTC (11 years, 10 months ago) by mikeb
Branch: MAIN
Changes since 1.808: +2 -4 lines
Diff to previous 1.808 (colored)

rename all_state_flags to state_flags to finish the transition
to the 16 bit flags;  reminded by claudio, ok henning

Revision 1.808 / (download) - annotate - [select for diffs], Tue Jul 10 17:33:48 2012 UTC (11 years, 11 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE, OPENBSD_5_2
Changes since 1.807: +6 -5 lines
Diff to previous 1.807 (colored)

With address family translation, the ip length of the quoted ip
packet within the icmp error packet was wrong.  Fix this by using
the pd2.tot_len of the inner packet and subtract the old header's
length.
OK mikeb@ henning@

Revision 1.807 / (download) - annotate - [select for diffs], Sat Jul 7 16:24:32 2012 UTC (11 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.806: +19 -19 lines
Diff to previous 1.806 (colored)

rename prio in struct pf_rule and related structs to set_prio so it is
utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc

Revision 1.806 / (download) - annotate - [select for diffs], Tue Jun 26 13:14:42 2012 UTC (11 years, 11 months ago) by mikeb
Branch: MAIN
Changes since 1.805: +7 -3 lines
Diff to previous 1.805 (colored)

initialize 'reason' variable before passing it to the pflog_packet;
from david hill;  ok henning

Revision 1.805 / (download) - annotate - [select for diffs], Sat May 12 13:08:48 2012 UTC (12 years, 1 month ago) by mpf
Branch: MAIN
Changes since 1.804: +2 -2 lines
Diff to previous 1.804 (colored)

Ignore/preserve ECN bits on ToS matching and scrubbing.
The lower 2 bits of the tos-header are used for ECN.
 (http://tools.ietf.org/html/rfc2474#section-3)
OK henning@, haesbaert@
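
Added example for the ECN point made in this commit; it is not pf's code, and the function names (tos_match_exact, tos_match, scrub_tos, in_cksum, scrub_demo) and the sample IPv4 header bytes are constructed for illustration. It shows why an exact ToS comparison silently stops matching once a router sets the ECN bits, the ECN-aware comparison that looks only at the six DSCP bits, and a scrub that rewrites DSCP while keeping the ECN bits the packet arrived with and patching the IPv4 header checksum incrementally (RFC 1624).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* The low two bits of the IPv4 ToS byte carry ECN (RFC 3168); the upper six
 * are the DSCP field that a "tos" match or "set tos" scrub is really about. */
#define ECN_MASK 0x03

/* RFC 1071 Internet checksum over a buffer; an intact header sums to zero. */
uint16_t in_cksum(const uint8_t *buf, size_t len)
{
	uint32_t sum = 0;
	size_t i;

	for (i = 0; i + 1 < len; i += 2)
		sum += (uint32_t)buf[i] << 8 | buf[i + 1];
	if (len & 1)
		sum += (uint32_t)buf[len - 1] << 8;
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

/* Exact comparison: a packet marked ECT or CE no longer matches its rule. */
int tos_match_exact(uint8_t pkt_tos, uint8_t rule_tos)
{
	return pkt_tos == rule_tos;
}

/* ECN-aware comparison: only the DSCP bits take part in the match. */
int tos_match(uint8_t pkt_tos, uint8_t rule_tos)
{
	return (pkt_tos & ~ECN_MASK) == (rule_tos & ~ECN_MASK);
}

/* Rewrite the DSCP bits of an IPv4 header in place, keep the ECN bits the
 * packet arrived with and patch the header checksum incrementally
 * (RFC 1624 eq. 3: HC' = ~(~HC + ~m + m')).
 * Returns 1 if the header changed, 0 if there was nothing to do and -1 for
 * a header that is too short or not IPv4. */
int scrub_tos(uint8_t *ip, size_t len, uint8_t new_tos)
{
	uint8_t old_tos, tos;
	uint16_t m, mp, hc, hcp;
	uint32_t sum;

	if (len < 20 || (ip[0] >> 4) != 4)
		return -1;
	old_tos = ip[1];
	tos = (new_tos & ~ECN_MASK) | (old_tos & ECN_MASK);
	if (tos == old_tos)
		return 0;
	/* the ToS byte is the low half of the first 16-bit header word */
	m = (uint16_t)(ip[0] << 8 | old_tos);
	mp = (uint16_t)(ip[0] << 8 | tos);
	hc = (uint16_t)(ip[10] << 8 | ip[11]);
	sum = (uint16_t)~hc;
	sum += (uint16_t)~m;
	sum += mp;
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	hcp = (uint16_t)~sum;
	ip[1] = tos;
	ip[10] = hcp >> 8;
	ip[11] = hcp & 0xff;
	return 1;
}

/* Constructed sample: a 20-byte IPv4 header carrying ToS 0x03 (DSCP 0, CE).
 * Scrub it to DSCP EF (0xb8) and return the resulting ToS byte if the
 * checksum still verifies, -1 otherwise. */
int scrub_demo(void)
{
	uint8_t ip[20] = {
		0x45, 0x03, 0x00, 0x3c, 0x1c, 0x46, 0x40, 0x00, 0x40, 0x06,
		0x00, 0x00, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7
	};
	uint16_t ck = in_cksum(ip, sizeof ip);

	ip[10] = ck >> 8;
	ip[11] = ck & 0xff;
	if (scrub_tos(ip, sizeof ip, 0xb8) != 1)
		return -1;
	if (in_cksum(ip, sizeof ip) != 0)
		return -1;
	return ip[1];
}

int main(void)
{
	printf("exact match of 0x2b against tos 0x28: %d, ECN-aware: %d\n",
	    tos_match_exact(0x2b, 0x28), tos_match(0x2b, 0x28));
	printf("scrubbed ToS byte: 0x%02x\n", scrub_demo());
	return 0;
}
```

The constructed header starts with DSCP 0 and the CE mark set; after the scrub it reads 0xbb, i.e. DSCP EF with the CE mark still in place, and in_cksum() over the patched header returns zero, which is how scrub_demo() checks its own result.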

Revision 1.804 / (download) - annotate - [select for diffs], Wed Apr 11 13:29:14 2012 UTC (12 years, 2 months ago) by naddy
Branch: MAIN
Changes since 1.803: +2 -2 lines
Diff to previous 1.803 (colored)

SLIST_REMOVE_NEXT -> SLIST_REMOVE_AFTER for better consistency and
compatibility with FreeBSD/NetBSD.
Also rename SIMPLEQ_REMOVE_NEXT to SIMPLEQ_REMOVE_AFTER.

ok mikeb@ guenther@

Revision 1.803 / (download) - annotate - [select for diffs], Tue Apr 3 15:09:03 2012 UTC (12 years, 2 months ago) by mikeb
Branch: MAIN
Changes since 1.802: +70 -1 lines
Diff to previous 1.802 (colored)

Fix kernel compilation with pf but without pfsync pseudo-device by
moving the state export functionality from pfsync code into pf.
Based on the initial diff by guenther, ok henning.

Revision 1.802 / (download) - annotate - [select for diffs], Sun Feb 5 22:38:06 2012 UTC (12 years, 4 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_1_BASE, OPENBSD_5_1
Changes since 1.801: +75 -36 lines
Diff to previous 1.801 (colored)

Improve the ICMPv6 direction check

Following bluhm's advice this changes the way we setup state keys and
perform state lookups for ICMPv6 Neighbor Discovery packets:
  - replace the NS-dst with ND target address;
  - replace the NA-src with ND target address;
  - replace the NA-dst with unspecified address if it is a multicast.

This allows pf to match Address Resolution, Neighbor Unreachability
Detection and Duplicate Address Detection packets to the corresponding
states without the need to create new ones or match unrelated ones.
As a side effect we're now doing one state table lookup for ND packets
instead of two.

Fixes a bug uncovered by one of the previous commits that virtually
breaks IPv6 connectivity after a few minutes of use.

ok stsp henning, with and ok bluhm
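
Added example of the state-key rewriting this commit describes; it is not pf's code, the names (nd_state_key, nd_key_is_reply, the nd_demo_* functions) are made up for this illustration, and the addresses are constructed. It applies the three substitutions from the commit message (NS dst becomes the target, NA src becomes the target, a multicast NA dst becomes ::) and then checks that the reply key of a Neighbor Advertisement is the reverse of the key created by the corresponding Neighbor Solicitation, both for ordinary address resolution and for Duplicate Address Detection, while an advertisement for an unrelated target does not match.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* ICMPv6 Neighbor Discovery message types (RFC 4861). */
#define ND_NEIGHBOR_SOLICIT 135
#define ND_NEIGHBOR_ADVERT  136

struct in6 { uint8_t b[16]; };
struct nd_key { struct in6 src, dst; };

static const struct in6 in6_unspec = {{0}};   /* :: */

static int in6_equal(const struct in6 *a, const struct in6 *b)
{
	return memcmp(a->b, b->b, sizeof a->b) == 0;
}

static int in6_is_multicast(const struct in6 *a)
{
	return a->b[0] == 0xff;
}

/* Build the state key for an ND packet:
 *   NS: the solicited-node multicast dst is replaced by the ND target;
 *   NA: src is replaced by the ND target, a multicast dst by ::.
 * Any other ICMPv6 type keeps the addresses from the IPv6 header. */
void nd_state_key(uint8_t type, const struct in6 *src, const struct in6 *dst,
    const struct in6 *target, struct nd_key *k)
{
	k->src = *src;
	k->dst = *dst;
	switch (type) {
	case ND_NEIGHBOR_SOLICIT:
		k->dst = *target;
		break;
	case ND_NEIGHBOR_ADVERT:
		k->src = *target;
		if (in6_is_multicast(dst))
			k->dst = in6_unspec;
		break;
	}
}

/* A packet belongs to the reply direction of a state when its key is the
 * state key with src and dst swapped. */
int nd_key_is_reply(const struct nd_key *state, const struct nd_key *pkt)
{
	return in6_equal(&state->src, &pkt->dst) &&
	    in6_equal(&state->dst, &pkt->src);
}

/* Constructed address: first byte selects unicast (0xfe) or multicast (0xff),
 * last byte identifies the host or group. */
static struct in6 mkaddr(uint8_t first, uint8_t last)
{
	struct in6 a;

	memset(a.b, 0, sizeof a.b);
	a.b[0] = first;
	a.b[15] = last;
	return a;
}

/* Address resolution: A solicits B via B's solicited-node group, B replies
 * with a unicast NA. Returns 1 when the NA matches the NS state. */
int nd_demo_resolution(void)
{
	struct in6 a = mkaddr(0xfe, 0x0a), b = mkaddr(0xfe, 0x0b);
	struct in6 snm_b = mkaddr(0xff, 0x0b);
	struct nd_key ns, na;

	nd_state_key(ND_NEIGHBOR_SOLICIT, &a, &snm_b, &b, &ns);	/* (A, B) */
	nd_state_key(ND_NEIGHBOR_ADVERT, &b, &a, &b, &na);	/* (B, A) */
	return nd_key_is_reply(&ns, &na);
}

/* Duplicate Address Detection: NS from :: to B's solicited-node group, the
 * current holder of B answers with an NA to the all-nodes group. */
int nd_demo_dad(void)
{
	struct in6 b = mkaddr(0xfe, 0x0b), snm_b = mkaddr(0xff, 0x0b);
	struct in6 all_nodes = mkaddr(0xff, 0x01);
	struct nd_key ns, na;

	nd_state_key(ND_NEIGHBOR_SOLICIT, &in6_unspec, &snm_b, &b, &ns); /* (::, B) */
	nd_state_key(ND_NEIGHBOR_ADVERT, &b, &all_nodes, &b, &na);	 /* (B, ::) */
	return nd_key_is_reply(&ns, &na);
}

/* An NA for target C must not be matched to A's solicitation for B. */
int nd_demo_unrelated(void)
{
	struct in6 a = mkaddr(0xfe, 0x0a), b = mkaddr(0xfe, 0x0b);
	struct in6 c = mkaddr(0xfe, 0x0c), snm_b = mkaddr(0xff, 0x0b);
	struct nd_key ns, na;

	nd_state_key(ND_NEIGHBOR_SOLICIT, &a, &snm_b, &b, &ns);	/* (A, B) */
	nd_state_key(ND_NEIGHBOR_ADVERT, &c, &a, &c, &na);	/* (C, A) */
	return nd_key_is_reply(&ns, &na);
}

int main(void)
{
	printf("resolution %d, DAD %d, unrelated %d\n",
	    nd_demo_resolution(), nd_demo_dad(), nd_demo_unrelated());
	return 0;
}
```

Without the substitutions the NS key would be (A, solicited-node group) and the NA key (B, A), so no reverse match exists and the advertisement would either create a second state or be matched to nothing; the DAD case additionally relies on the multicast NA destination collapsing to :: so that it reverses the (::, B) key of the probe.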

Revision 1.801 / (download) - annotate - [select for diffs], Fri Feb 3 01:57:51 2012 UTC (12 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.800: +41 -21 lines
Diff to previous 1.800 (colored)

The kernel did not compile without INET6.  Put some #ifdefs into
pf to fix that.
- add #ifdef INET6 in obvious places
- af translation is only possible with both INET and INET6
- interleave #endif /* INET6 */ and closing brace correctly
- it is not necessary to #ifdef function prototypes
- do not compile af translate functions at all instead of empty stub,
  then the linker will report inconsistencies
- pf_poolmask() actually takes an sa_family_t not an u_int8_t argument
No binary change for GENERIC compiled with -O2 and -UDIAGNOSTIC.
reported by Olivier Cochard-Labbe; ok mikeb@ henning@

Revision 1.800 / (download) - annotate - [select for diffs], Sat Jan 28 14:07:02 2012 UTC (12 years, 4 months ago) by mikeb
Branch: MAIN
Changes since 1.799: +13 -9 lines
Diff to previous 1.799 (colored)

improve icmp virtual id generation for ND and MLD packets so that
two consecutive host addresses won't generate the same value which
is used as a port number in state entries;  ok bluhm, sperreault

Revision 1.799 / (download) - annotate - [select for diffs], Sat Jan 28 14:00:06 2012 UTC (12 years, 4 months ago) by mikeb
Branch: MAIN
Changes since 1.798: +3 -3 lines
Diff to previous 1.798 (colored)

try to lookup the icmp state based on a correct packet descriptor;
ok bluhm, henning

Revision 1.798 / (download) - annotate - [select for diffs], Thu Jan 26 20:16:06 2012 UTC (12 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.797: +7 -8 lines
Diff to previous 1.797 (colored)

Clean up the pf normalization code:
- Let pf_normalize_ip() and pf_normalize_ip6() take the struct
  pf_pdesc pd as argument.
- Always check whether the mbuf got NULL after normalization to make
  the code more robust.
- Make the code structure of pf_normalize_ip6() more like
  pf_normalize_ip() to make the differences obvious.
ok henning@

Revision 1.797 / (download) - annotate - [select for diffs], Thu Jan 26 18:19:59 2012 UTC (12 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.796: +17 -15 lines
Diff to previous 1.796 (colored)

Minor fixes for pf_walk_header6():
- Fragment offset is in network byte order.
- Check for legal short fragments before calling pf_pull_hdr() to
  avoid bogus reason accounting.
- When checking whether the protocol header is within the fragment,
  count the IPv6 payload length relative to the end of the IPv6 header.
ok henning@
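
Added example illustrating the three fixes listed in this commit; it is not pf's pf_walk_header6(), and the names walk_header6, build_frag6, walk_demo, the W6_ result codes and the packet bytes are constructed for this illustration. The walker reads the fragment offset/flags word in network byte order, refuses a fragment header that does not fit before reading from it, and counts every remaining length relative to the end of the fixed IPv6 header; the first fragment must carry the full TCP or UDP header, and non-last fragments must be multiples of 8 bytes (RFC 8200), which is a generalization beyond the three points in the message.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IP6_HDRLEN     40
#define IP6F_HDRLEN    8
#define IPPROTO_TCP_   6
#define IPPROTO_UDP_   17
#define IPPROTO_FRAG_  44
#define IP6F_OFF_MASK  0xfff8   /* 13-bit offset, host-order view */
#define IP6F_MORE_FRAG 0x0001

/* Network-order 16-bit read: the offset/flags word must be converted before
 * masking, otherwise the M flag and the offset land in the wrong bits. */
static uint16_t be16(const uint8_t *p)
{
	return (uint16_t)(p[0] << 8 | p[1]);
}

struct frag6 {
	int is_fragment;	/* a fragment header follows the IPv6 header */
	int more;		/* M flag: further fragments follow */
	uint16_t offset;	/* byte offset of this fragment's data */
	uint8_t proto;		/* protocol after the fragment (or IPv6) header */
};

enum { W6_OK = 0, W6_SHORT = -1, W6_NOTV6 = -2, W6_TRUNC = -3,
    W6_SHORT_FRAG = -4, W6_SHORT_PROTO = -5, W6_BAD_LEN = -6 };

/* Walk the fixed IPv6 header and an optional fragment header; all lengths
 * are counted from the end of the IPv6 header, i.e. within the payload. */
int walk_header6(const uint8_t *pkt, size_t len, struct frag6 *f)
{
	size_t off = IP6_HDRLEN, end, need;
	uint16_t offlg;

	memset(f, 0, sizeof *f);
	if (len < IP6_HDRLEN)
		return W6_SHORT;
	if ((pkt[0] >> 4) != 6)
		return W6_NOTV6;
	end = IP6_HDRLEN + be16(pkt + 4);
	if (end > len)
		return W6_TRUNC;	/* payload length exceeds the data we hold */
	f->proto = pkt[6];
	if (f->proto != IPPROTO_FRAG_)
		return W6_OK;
	if (end - off < IP6F_HDRLEN)
		return W6_SHORT_FRAG;	/* reject before touching the header */
	f->is_fragment = 1;
	f->proto = pkt[off];
	offlg = be16(pkt + off + 2);
	f->offset = offlg & IP6F_OFF_MASK;
	f->more = offlg & IP6F_MORE_FRAG;
	off += IP6F_HDRLEN;
	if (f->offset == 0) {
		/* the first fragment must carry the complete upper-layer header */
		need = f->proto == IPPROTO_TCP_ ? 20 :
		    f->proto == IPPROTO_UDP_ ? 8 : 0;
		if (end - off < need)
			return W6_SHORT_PROTO;
	}
	if (f->more && (end - off) % 8 != 0)
		return W6_BAD_LEN;	/* non-last fragments are 8-byte multiples */
	return W6_OK;
}

/* Build a constructed IPv6 + fragment header packet; returns its length. */
size_t build_frag6(uint8_t *buf, size_t cap, uint8_t proto, uint16_t offset,
    int more, size_t data_len)
{
	size_t plen = IP6F_HDRLEN + data_len, total = IP6_HDRLEN + plen;
	uint16_t offlg = (offset & IP6F_OFF_MASK) | (more ? IP6F_MORE_FRAG : 0);

	if (total > cap || plen > 0xffff)
		return 0;
	memset(buf, 0, total);
	buf[0] = 0x60;				/* version 6 */
	buf[4] = (uint8_t)(plen >> 8);		/* payload length, network order */
	buf[5] = (uint8_t)(plen & 0xff);
	buf[6] = IPPROTO_FRAG_;			/* next header: fragment */
	buf[7] = 64;				/* hop limit */
	buf[40] = proto;			/* next header after the fragment */
	buf[42] = (uint8_t)(offlg >> 8);	/* offset/M flag, network order */
	buf[43] = (uint8_t)(offlg & 0xff);
	buf[44] = 0xde; buf[45] = 0xad; buf[46] = 0xbe; buf[47] = 0xef; /* id */
	return total;
}

/* Build a packet, optionally drop `drop` trailing bytes (a short mbuf) and
 * walk it. Returns a negative W6_ code, or offset|M on success. */
int walk_demo(uint8_t proto, uint16_t offset, int more, size_t data_len,
    size_t drop)
{
	uint8_t buf[256];
	struct frag6 f;
	size_t n = build_frag6(buf, sizeof buf, proto, offset, more, data_len);
	int rc;

	if (n == 0 || drop > n)
		return W6_SHORT;
	rc = walk_header6(buf, n - drop, &f);
	return rc < 0 ? rc : (int)(f.offset | f.more);
}
```

A first TCP fragment with 24 bytes of data walks cleanly (offset 0, M set), the same packet with only 12 bytes after the fragment header is rejected for the short TCP header, a middle fragment whose data is not a multiple of 8 is rejected, and a packet whose payload length claims more bytes than were received is rejected before any header past the IPv6 header is read.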

Revision 1.796 / (download) - annotate - [select for diffs], Wed Jan 18 17:21:50 2012 UTC (12 years, 4 months ago) by chl
Branch: MAIN
Changes since 1.795: +2 -6 lines
Diff to previous 1.795 (colored)

Remove dead assignments and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok henning@ markus@

Revision 1.795 / (download) - annotate - [select for diffs], Tue Jan 17 21:12:17 2012 UTC (12 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.794: +2 -2 lines
Diff to previous 1.794 (colored)

Fix trailing whitespace.

Revision 1.794 / (download) - annotate - [select for diffs], Mon Jan 16 16:38:01 2012 UTC (12 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.793: +55 -63 lines
Diff to previous 1.793 (colored)

Pass struct pf_pdesc to pf_walk_option6() and pf_walk_header6() to
make their argument list shorter.  Also fix a bug where pf_walk_option6()
used the outer header in the pd2 case.
ok henning@ mikeb@

Revision 1.793 / (download) - annotate - [select for diffs], Sun Jan 15 22:55:35 2012 UTC (12 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.792: +62 -84 lines
Diff to previous 1.792 (colored)

Calling pf_normalize_ip() from pf_setup_pdesc() was bad as the
latter is called from pf packet logging.  This resulted in normalization
and reassembly of bad packets to be logged.  So rearrange the code
and move the call to pf_test().
ok henning@

Revision 1.792 / (download) - annotate - [select for diffs], Wed Dec 21 23:00:16 2011 UTC (12 years, 5 months ago) by mpf
Branch: MAIN
Changes since 1.791: +12 -32 lines
Diff to previous 1.791 (colored)

Just use pd->sidx and pd->didx to reverse the state key arguments
in pf_test_state_*(). This needs less code and is more consistent.
OK mikeb, markus, henning.

Revision 1.791 / (download) - annotate - [select for diffs], Mon Dec 19 23:32:36 2011 UTC (12 years, 5 months ago) by mikeb
Branch: MAIN
Changes since 1.790: +10 -4 lines
Diff to previous 1.790 (colored)

improve the icmp direction check to deal correctly with af-to states
(there is only one state and its direction is always PF_IN) and don't
exclude icmp echo replies from the test.

ok mcbride, claudio on previous version, ok henning, "looks good" deraadt

Revision 1.790 / (download) - annotate - [select for diffs], Mon Dec 12 21:30:27 2011 UTC (12 years, 6 months ago) by mikeb
Branch: MAIN
Changes since 1.789: +3 -3 lines
Diff to previous 1.789 (colored)

fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule.  essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault

Revision 1.789 / (download) - annotate - [select for diffs], Fri Dec 2 03:15:31 2011 UTC (12 years, 6 months ago) by haesbaert
Branch: MAIN
Changes since 1.788: +3 -4 lines
Diff to previous 1.788 (colored)

Kill unused IFCAP_IPSEC and IFCAP_IPCOMP.

ok claudio@ henning@ mikeb@

Revision 1.788 / (download) - annotate - [select for diffs], Mon Nov 28 01:04:50 2011 UTC (12 years, 6 months ago) by dlg
Branch: MAIN
Changes since 1.787: +1 -3 lines
Diff to previous 1.787 (colored)

deprecate PFTM_UNTIL_PACKET. nothing in the tree uses it, and
pf_state_expires() handled it incorrectly.

discussed with mikeb@
ok henning@

Revision 1.787 / (download) - annotate - [select for diffs], Sat Nov 26 03:28:46 2011 UTC (12 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.786: +1 -5 lines
Diff to previous 1.786 (colored)

Apply route-to to deferred packet; without this the first packet of a
connection does not observe the route-to option.

ok dlg mikeb

Revision 1.786 / (download) - annotate - [select for diffs], Fri Nov 25 12:52:10 2011 UTC (12 years, 6 months ago) by dlg
Branch: MAIN
Changes since 1.785: +3 -3 lines
Diff to previous 1.785 (colored)

use time_uptime to set state creation values as time_second can be
skewed at runtime by things like date(1) and ntpd. time_uptime is
monotonic and therefore more useful to compare against.

ok deraadt@ mikeb@

Revision 1.785 / (download) - annotate - [select for diffs], Fri Oct 21 09:21:44 2011 UTC (12 years, 7 months ago) by mikeb
Branch: MAIN
Changes since 1.784: +5 -1 lines
Diff to previous 1.784 (colored)

add forgotten fixup for icmp6 id's when translating;  ok henning

Revision 1.784 / (download) - annotate - [select for diffs], Thu Oct 13 18:23:39 2011 UTC (12 years, 8 months ago) by claudio
Branch: MAIN
Changes since 1.783: +910 -123 lines
Diff to previous 1.783 (colored)

Since the IPv6 madness is not enough introduce NAT64 -- which is actually
"af-to" a generic IP version translator for pf(4).
Not everything perfect yet but lets fix these things in the tree.
Insane amount of work done by sperreault@, mikeb@ and reyk@.
Looked over by mcbride@ henning@ and myself at eurobsdcon.
OK mcbride@ and general put it in from deraadt@

Revision 1.783 / (download) - annotate - [select for diffs], Fri Oct 7 14:24:10 2011 UTC (12 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.782: +0 -2 lines
Diff to previous 1.782 (colored)

remove inaccurate comment - we don't have state tableS any more, there is
just one and the variable name is clear enough. ryan ok

Revision 1.782 / (download) - annotate - [select for diffs], Wed Sep 28 17:15:45 2011 UTC (12 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.781: +207 -213 lines
Diff to previous 1.781 (colored)

As requested by henning, move the mbuf pointer into struct pf_pdesc.
Also sort pd to the beginning of the functions' parameter lists for
consistency.
ok henning

Revision 1.781 / (download) - annotate - [select for diffs], Thu Sep 22 14:57:12 2011 UTC (12 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.780: +20 -20 lines
Diff to previous 1.780 (colored)

As I have touched half of pf lines anyway, fix whitespaces now.
KNF, no binary change.

Revision 1.780 / (download) - annotate - [select for diffs], Wed Sep 21 19:07:30 2011 UTC (12 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.779: +18 -2 lines
Diff to previous 1.779 (colored)

Check the protocol header length for tcp, udp, icmp, icmp6 in
pf_setup_pdesc().  It is better to check and bail out early than
to rely on pf_pull_hdr() later.
ok henning mpf

Revision 1.779 / (download) - annotate - [select for diffs], Tue Sep 20 15:17:26 2011 UTC (12 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.778: +22 -25 lines
Diff to previous 1.778 (colored)

pf_setup_pdesc() panics if address family is neither AF_INET nor
AF_INET6.  So remove useless af switch defaults here and there.
Always use "switch(af)" instead of "if (af) else" for af dependent
code.  Always use AF_ defines instead of PF_ when checking af values.
ok claudio mpf henning

Revision 1.778 / (download) - annotate - [select for diffs], Tue Sep 20 10:51:18 2011 UTC (12 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.777: +120 -128 lines
Diff to previous 1.777 (colored)

Put kif and dir into pdesc and use this instead of passing the values
around.  This is a mechanical change.  Initialize pd2 and use it
where appropriate.
ok henning on an earlier version; ok mpf

Revision 1.777 / (download) - annotate - [select for diffs], Mon Sep 19 12:51:52 2011 UTC (12 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.776: +136 -161 lines
Diff to previous 1.776 (colored)

Consolidate pf function parameters.  Move off and hdrlen into pdesc
and change their type from int to u_int32_t.  Do not pass struct
tcphdr *th and sa_family_t af, it is in pd anyway.  Do not use af
and pd->af intermixed, the latter makes clear where it comes from.
Do not calculate the packet length again if pd already has it.  Use
pd2.off instead of off2.
go go go go don't stop henning@ mpf@

Revision 1.776 / (download) - annotate - [select for diffs], Sun Sep 18 13:50:13 2011 UTC (12 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.775: +22 -24 lines
Diff to previous 1.775 (colored)

Move the pdesc initialization code into pf_setup_pdesc().  Unify
some IPv4 and IPv6 code.  Make sure that both code paths set the
same fields in the same order.
ok mpf henning

Revision 1.775 / (download) - annotate - [select for diffs], Sun Sep 18 10:40:55 2011 UTC (12 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.774: +17 -20 lines
Diff to previous 1.774 (colored)

Move the call to pf_test_rule() for fragments that have not been
reassembled by normalization from pf_setup_pdesc() to pf_test().
This simplifies the parameter list of pf_setup_pdesc() as it can
concentrate on its job filling the pf_pdesc struct.
ok henning mpf

Revision 1.774 / (download) - annotate - [select for diffs], Sat Sep 17 16:01:55 2011 UTC (12 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.773: +14 -17 lines
Diff to previous 1.773 (colored)

The pd->ip_sum and pd->proto_sum fields are not needed.  Replace
the one occurrence in pf_test_state_icmp() that uses pd2.ip_sum by
a local variable.  Remove ip_sum and proto_sum from struct pf_pdesc.
ok claudio henning

Revision 1.773 / (download) - annotate - [select for diffs], Sat Sep 17 11:34:49 2011 UTC (12 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.772: +10 -15 lines
Diff to previous 1.772 (colored)

move initialisation of pd->nsaddr and pd->ndaddr from pf_test_rule to
pf_setup_pdesc. fixes logging of packets passed statefully. ok bluhm

Revision 1.772 / (download) - annotate - [select for diffs], Sat Sep 17 10:12:37 2011 UTC (12 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.771: +19 -30 lines
Diff to previous 1.771 (colored)

Deduplicate IPv4 and IPv6 code that handles fragments that have not
been reassembled by normalization.
ok henning claudio

Revision 1.771 / (download) - annotate - [select for diffs], Tue Aug 30 00:40:47 2011 UTC (12 years, 9 months ago) by mikeb
Branch: MAIN
Changes since 1.770: +4 -1 lines
Diff to previous 1.770 (colored)

Add support for one shot rules that remove themselves from an active
ruleset after match.  In case this is the only rule in the anchor,
the anchor will be destroyed automatically after the rule is matched.
This is an extremely handy technique for firewall proxies.

ok henning, mcbride

Revision 1.770 / (download) - annotate - [select for diffs], Wed Aug 3 12:28:40 2011 UTC (12 years, 10 months ago) by mpf
Branch: MAIN
CVS Tags: OPENBSD_5_0_BASE, OPENBSD_5_0
Changes since 1.769: +1 -2 lines
Diff to previous 1.769 (colored)

Remove redundant prototype for pf_socket_lookup().
It's already in pfvar.h
OK mcbride@

Revision 1.769 / (download) - annotate - [select for diffs], Wed Jul 27 00:26:10 2011 UTC (12 years, 10 months ago) by mcbride
Branch: MAIN
Changes since 1.768: +3 -9 lines
Diff to previous 1.768 (colored)

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt

Revision 1.768 / (download) - annotate - [select for diffs], Sun Jul 24 12:13:10 2011 UTC (12 years, 10 months ago) by mcbride
Branch: MAIN
Changes since 1.767: +5 -6 lines
Diff to previous 1.767 (colored)

OS fingerprinting can only be done on rules that explicitly specify TCP
now; put it in the IPPROTO_TCP case of the pf_test_rule() inner loop.

ok henning sthen

Revision 1.767 / (download) - annotate - [select for diffs], Sat Jul 23 21:17:47 2011 UTC (12 years, 10 months ago) by bluhm
Branch: MAIN
Changes since 1.766: +76 -61 lines
Diff to previous 1.766 (colored)

Replace the IPv6 header walking loop in pf_test_state_icmp() with
the common function pf_walk_header6().  For that, pf_walk_header6()
can now extract both the information whether it is a fragment and
the final protocol if it is the first fragment.  This allows to
match the icmp6 too big packet of a first fragment to the reassembled
packet's state.  This is necessary if a refragmented fragment is
too big for the Path-MTU.
Note that pd.proto contains the real protocol number for the first
fragment and IPPROTO_FRAGMENT for later fragments.  pd.virtual_protocol
is set to PF_VPROTO_FRAGMENT for all fragments.
ok mcbride@

Revision 1.766 / (download) - annotate - [select for diffs], Fri Jul 22 14:57:31 2011 UTC (12 years, 10 months ago) by mcbride
Branch: MAIN
Changes since 1.765: +6 -3 lines
Diff to previous 1.765 (colored)

Sync 'block return' behaviour for ICMP packets with our IP stack:
Rather than silently dropping ALL icmp packets, return icmp/icmp6 error
for 'informational' message types (but continue dropping ICMP errors
unconditionally).

ok markus sthen henning

Revision 1.765 / (download) - annotate - [select for diffs], Fri Jul 22 13:05:29 2011 UTC (12 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.764: +4 -4 lines
Diff to previous 1.764 (colored)

fix typos, martin pelikan

Revision 1.764 / (download) - annotate - [select for diffs], Sat Jul 9 17:42:19 2011 UTC (12 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.763: +15 -3 lines
Diff to previous 1.763 (colored)

If ipv4+icmp6 or ipv6+icmp packets were embedded into an icmp
payload, we failed to drop them.  While there, also add a reason
to the corresponding check in pf_test().
ok mcbride@ claudio@

Revision 1.763 / (download) - annotate - [select for diffs], Fri Jul 8 18:50:51 2011 UTC (12 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.762: +26 -5 lines
Diff to previous 1.762 (colored)

surprisingly, we use pf as classifier for the new priority queueing
implementation. ok ryan mpf sthen and also testing pea and halex looked
at it and commented as well

Revision 1.762 / (download) - annotate - [select for diffs], Thu Jul 7 20:46:36 2011 UTC (12 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.761: +193 -76 lines
Diff to previous 1.761 (colored)

There were two loops in pf_setup_pdesc() and pf_normalize_ip6()
walking over the IPv6 header chain.  Merge them into one loop,
adjust some length checks and fix IPv6 jumbo option handling.  Also
allow strange but legal IPv6 packets with plen=0 to pass through
pf.  IPv6 jumbo packets still get dropped.
testing dhill@; ok mcbride@ henning@

Revision 1.761 / (download) - annotate - [select for diffs], Thu Jul 7 00:47:18 2011 UTC (12 years, 11 months ago) by mcbride
Branch: MAIN
Changes since 1.760: +169 -214 lines
Diff to previous 1.760 (colored)

Fold pf_test_fragment() into pf_test_rule(), reducing code and fixing
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus

Revision 1.760 / (download) - annotate - [select for diffs], Tue Jul 5 19:53:43 2011 UTC (12 years, 11 months ago) by mikeb
Branch: MAIN
Changes since 1.759: +11 -1 lines
Diff to previous 1.759 (colored)

add missing ifdefs for INET6;  diff from form, ok henning, bluhm, claudio

Revision 1.759 / (download) - annotate - [select for diffs], Mon Jul 4 18:12:51 2011 UTC (12 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.758: +5 -5 lines
Diff to previous 1.758 (colored)

Rename the pf_pdesc field rh_cnt to badopts as it is also used for
IPv4 options now.
ok mcbride@ henning@

Revision 1.758 / (download) - annotate - [select for diffs], Mon Jul 4 16:26:23 2011 UTC (12 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.757: +7 -11 lines
Diff to previous 1.757 (colored)

IPv4 packets with IP options get dropped and no state is created.
IPv6 packets with routing headers get also dropped.  Use the same
fix for them to avoid that a state is created.
ok claudio@

Revision 1.757 / (download) - annotate - [select for diffs], Mon Jul 4 06:54:49 2011 UTC (12 years, 11 months ago) by claudio
Branch: MAIN
Changes since 1.756: +49 -268 lines
Diff to previous 1.756 (colored)

Bye bye pf_test6(). Only one pf_test function for both IPv4 and v6.
The functions were 95% identical anyway. While there use struct pf_addr
in struct pf_divert instead of some union which is the same.
OK bluhm@ mcbride@ and most probably henning@ as well

Revision 1.756 / (download) - annotate - [select for diffs], Sun Jul 3 23:37:55 2011 UTC (12 years, 11 months ago) by zinke
Branch: MAIN
Changes since 1.755: +25 -11 lines
Diff to previous 1.755 (colored)

bring in least-states load balancing algorithm

ok mcbride@ henning@

Revision 1.755 / (download) - annotate - [select for diffs], Sun Jul 3 23:33:38 2011 UTC (12 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.754: +60 -95 lines
Diff to previous 1.754 (colored)

In pf_setup_pdesc() the code for analysing TCP and UDP headers was
the same for v4 and v6.  Deduplicate by moving the protocol switch
after the address family switch.
ok henning@ claudio@

Revision 1.754 / (download) - annotate - [select for diffs], Sun Jul 3 18:42:45 2011 UTC (12 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.753: +13 -18 lines
Diff to previous 1.753 (colored)

garbage collect unused parameter to PFLOG_PACKET
i found this somewhere in my forest, I don't really remember writing it, the
context indicates I did this in iceland... getting this is to make a 1000+
lines diff less painful (how do I always end up with those)

Revision 1.753 / (download) - annotate - [select for diffs], Sun Jul 3 18:08:02 2011 UTC (12 years, 11 months ago) by claudio
Branch: MAIN
Changes since 1.752: +32 -39 lines
Diff to previous 1.752 (colored)

Refactor the fragment handling in pf_setup_pdesc() so that AF_INET
and AF_INET6 are doing the fragment handling the same way. Makes
code more readable.
With and OK bluhm@

Revision 1.752 / (download) - annotate - [select for diffs], Fri Jul 1 21:00:40 2011 UTC (12 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.751: +3 -1 lines
Diff to previous 1.751 (colored)

The pf_headers union may also contain a mld_hdr or nd_neighbor_solicit
struct.  List those types explicitly to make sure that the union
contains enough memory.  Before we were just lucky.
ok henning@

Revision 1.751 / (download) - annotate - [select for diffs], Thu Jun 23 19:10:40 2011 UTC (12 years, 11 months ago) by claudio
Branch: MAIN
Changes since 1.750: +2 -3 lines
Diff to previous 1.750 (colored)

Set pd->af very early in pf_setup_pdesc() since the AF is used in
the pflog code and not setting it will cause a panic in pf_setup_pdesc().
Fixes dhill's crashes with funky v6 packets. OK bluhm@

Revision 1.750 / (download) - annotate - [select for diffs], Tue Jun 21 08:59:47 2011 UTC (12 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.749: +4 -5 lines
Diff to previous 1.749 (colored)

There is no need to handle fragmented TCP reset packets in a special
way.  Remove PFDESC_IP_REAS and pf_pdesc flags completely.
ok claudio@ henning@

Revision 1.749 / (download) - annotate - [select for diffs], Mon Jun 20 19:03:41 2011 UTC (12 years, 11 months ago) by claudio
Branch: MAIN
Changes since 1.748: +101 -76 lines
Diff to previous 1.748 (colored)

More cleanup in pf_test/pf_test6 this time mostly the fragment
handling. More to come to make the two code paths a bit more identical.
tested by many (esp. krw@ and sthen@) input and OK bluhm@

Revision 1.748 / (download) - annotate - [select for diffs], Tue Jun 14 10:14:01 2011 UTC (13 years ago) by mcbride
Branch: MAIN
Changes since 1.747: +12 -11 lines
Diff to previous 1.747 (colored)

KNF (no change in .o files)

Revision 1.747 / (download) - annotate - [select for diffs], Thu Jun 2 22:08:40 2011 UTC (13 years ago) by sthen
Branch: MAIN
Changes since 1.746: +2 -2 lines
Diff to previous 1.746 (colored)

When checking to see if a rule is referenced by any source-tracking nodes,
actually check how many src nodes reference it, rather than checking the
max_src_nodes for the rule which makes no sense. From Martin Pelikan.

Revision 1.746 / (download) - annotate - [select for diffs], Wed May 25 06:48:12 2011 UTC (13 years ago) by claudio
Branch: MAIN
Changes since 1.745: +5 -5 lines
Diff to previous 1.745 (colored)

Don't do last minute changes to diffs. Revert the argument change to
pf_scrub in the rule (no-state) case. Since the action (a) may be NULL
for e.g. the implicit pass rule. Should fix the panics seen by other
people.

Revision 1.745 / (download) - annotate - [select for diffs], Tue May 24 14:01:51 2011 UTC (13 years ago) by claudio
Branch: MAIN
Changes since 1.744: +9 -5 lines
Diff to previous 1.744 (colored)

Merge pf_scrub_ip() and pf_scrub_ip6() into a single function.  Call
pf_scrub with the right arguments in the rule case so that match
rules will work as expected.  As a benefit allow setting the tos
on IPv6 packets as well.
OK henning@

Revision 1.744 / (download) - annotate - [select for diffs], Sun May 22 13:21:24 2011 UTC (13 years ago) by claudio
Branch: MAIN
Changes since 1.743: +44 -36 lines
Diff to previous 1.743 (colored)

Do not pass AF specific information to pf_test_rule() and PFLOG_PACKET()
because either the info is already available in struct pd or easy
to figure out.  Makes pf_test() and pf_test6() even more similar
(with the target to remove one of them in the near future).
OK henning@

Revision 1.743 / (download) - annotate - [select for diffs], Fri May 13 14:31:16 2011 UTC (13 years, 1 month ago) by oga
Branch: MAIN
Changes since 1.742: +2 -25 lines
Diff to previous 1.742 (colored)

Revert the pf->socket linking diff.

at least krw@, pirofti@ and todd@ have been seeing panics (todd and krw
with xxxterm not sure about pirofti) involving pool corruption while
using this commit.

krw and todd confirm that this backout fixes the problem.

ok blambert@ krw@, todd@ henning@ and kettenis@

	    Double link between pf states and sockets.  Henning has
	    already implemented half of it.  The additional part is: -
	    The pf state lookup for outgoing packets is optimized by
	    using mbuf->inp->state.
	    - For incoming tcp, udp, raw, raw6 packets the socket
	    lookup always is optimized by using mbuf->state->inp.
	    - All protocols establish the link for incoming packets.
	    - All protocols set the inp in the mbuf for outgoing packets.
	      This allows the linkage beginning with the first packet
	      for outgoing connections.
	    - In case of divert states, delete the state when the socket
	      closes.  Otherwise new connections could match on old
	      states instead of being diverted to the listen socket.
	    ok henning@

Revision 1.742 / (download) - annotate - [select for diffs], Sun Apr 24 19:36:54 2011 UTC (13 years, 1 month ago) by bluhm
Branch: MAIN
Changes since 1.741: +25 -2 lines
Diff to previous 1.741 (colored)

Double link between pf states and sockets.  Henning has already
implemented half of it.  The additional part is:
- The pf state lookup for outgoing packets is optimized by using
  mbuf->inp->state.
- For incoming tcp, udp, raw, raw6 packets the socket lookup always
  is optimized by using mbuf->state->inp.
- All protocols establish the link for incoming packets.
- All protocols set the inp in the mbuf for outgoing packets.
  This allows the linkage beginning with the first packet for
  outgoing connections.
- In case of divert states, delete the state when the socket closes.
  Otherwise new connections could match on old states instead of
  being diverted to the listen socket.
ok henning@

Revision 1.741 / (download) - annotate - [select for diffs], Sat Apr 23 10:00:36 2011 UTC (13 years, 1 month ago) by bluhm
Branch: MAIN
Changes since 1.740: +5 -5 lines
Diff to previous 1.740 (colored)

pf_scrub_ip() does not modify the given mbuf pointer.  So don't
pass a pointer to a pointer to make the code in pf_test() clearer.
ok henning@

Revision 1.740 / (download) - annotate - [select for diffs], Tue Apr 12 10:47:29 2011 UTC (13 years, 2 months ago) by mikeb
Branch: MAIN
Changes since 1.739: +3 -1 lines
Diff to previous 1.739 (colored)

put the accepted socket of a diverted connection into the routing domain
of a connection originator.  this allows one to query the source rdomain
with a SO_RTABLE socket option.  figured out with reyk, ok claudio.

Revision 1.739 / (download) - annotate - [select for diffs], Thu Apr 7 19:35:05 2011 UTC (13 years, 2 months ago) by miod
Branch: MAIN
Changes since 1.738: +2 -2 lines
Diff to previous 1.738 (colored)

Correctly initialize local variables in pf_check_proto_cksum(), even for
less blessed and non-loved protocols; temporary fix for correctness until
the henning tornado rampages this function.
"pls commit, ok" henning@

Revision 1.738 / (download) - annotate - [select for diffs], Wed Apr 6 13:18:39 2011 UTC (13 years, 2 months ago) by claudio
Branch: MAIN
Changes since 1.737: +10 -1 lines
Diff to previous 1.737 (colored)

Allow PF to filter on the rdomain a packet belongs to. This allows to
write rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@

Revision 1.737 / (download) - annotate - [select for diffs], Tue Apr 5 20:36:59 2011 UTC (13 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.736: +6 -3 lines
Diff to previous 1.736 (colored)

in pf_check_proto_cksum, consider packets with the CSUM_OUT flags set
to be ok. there is no checksum we could verify and for the moment these
are locally generated packets anyway. and this really is just the stupid
'stealth bridge detection' countermeasure shit (when you want a "stealth"
bridge and explicitly ask pf to return RSTs/icmp errors, you need to
seek medical help in any case).
this is needed so that we eventually can move the in_proto_cksum_out (and
its ipvshit counterpart once we get it) calls to after the pf_test calls
in the output routines
ok dlg fondue-kinda-ok claudio

Revision 1.736 / (download) - annotate - [select for diffs], Tue Apr 5 18:01:21 2011 UTC (13 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.735: +3 -3 lines
Diff to previous 1.735 (colored)

mechanic rename M_{TCP|UDP}V4_CSUM_OUT -> M_{TCP|UDP}_CSUM_OUT
ok claudio krw

Revision 1.735 / (download) - annotate - [select for diffs], Tue Apr 5 15:51:41 2011 UTC (13 years, 2 months ago) by sthen
Branch: MAIN
Changes since 1.734: +18 -10 lines
Diff to previous 1.734 (colored)

handle ACK prioritization for v6, ok henning@

Revision 1.734 / (download) - annotate - [select for diffs], Tue Apr 5 13:48:18 2011 UTC (13 years, 2 months ago) by mikeb
Branch: MAIN
Changes since 1.733: +6 -5 lines
Diff to previous 1.733 (colored)

ditch fastroute, an ipf feature that made its way into pf before
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do.  reuse some kernel bits for the upcoming nat64
stuff.  "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.

Revision 1.733 / (download) - annotate - [select for diffs], Mon Apr 4 17:44:43 2011 UTC (13 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.732: +2 -15 lines
Diff to previous 1.732 (colored)

de-guttenberg our stack a bit
we don't need 7 f***ing copies of the same code to do the protocol checksums
(or not, depending on hw capabilities). claudio ok

Revision 1.732 / (download) - annotate - [select for diffs], Mon Apr 4 14:16:48 2011 UTC (13 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.731: +2 -3 lines
Diff to previous 1.731 (colored)

and stop special casing the bridge for the ip cksum hardware offload
decision here too, just like in ip_output, pointless.

Revision 1.731 / (download) - annotate - [select for diffs], Mon Apr 4 14:00:16 2011 UTC (13 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.730: +48 -80 lines
Diff to previous 1.730 (colored)

there is no point at all in updating the ip checksum. it is always
recalculated in all output paths anyway (why did it take us 10 years to
notice?). ok claudio definite ok dlg

Revision 1.730 / (download) - annotate - [select for diffs], Thu Mar 24 20:09:44 2011 UTC (13 years, 2 months ago) by bluhm
Branch: MAIN
Changes since 1.729: +16 -3 lines
Diff to previous 1.729 (colored)

Reassemble IPv6 fragments in pf.  In the forward case, pf refragments
the packets with the same maximum size.  This allows the sender to
determine the optimal fragment size by Path MTU Discovery.
testing sthen@ matthieu@
ok claudio@

Revision 1.729 / (download) - annotate - [select for diffs], Mon Mar 7 23:30:18 2011 UTC (13 years, 3 months ago) by bluhm
Branch: MAIN
Changes since 1.728: +2 -4 lines
Diff to previous 1.728 (colored)

Declare the inline function pf_addr_compare() non-static in pfvar.h
to make it reusable by pf fragment reassembly.  No functional change.
discussed with henning@, claudio@, deraadt@, kettenis@
ok guenther@

Revision 1.728 / (download) - annotate - [select for diffs], Sat Mar 5 01:53:16 2011 UTC (13 years, 3 months ago) by bluhm
Branch: MAIN
Changes since 1.727: +4 -14 lines
Diff to previous 1.727 (colored)

The function pf_tag_packet() never fails.  Remove a redundant check
and make it void.
ok henning@, markus@, mcbride@

Revision 1.727 / (download) - annotate - [select for diffs], Wed Feb 23 15:46:14 2011 UTC (13 years, 3 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_4_9_BASE, OPENBSD_4_9
Changes since 1.726: +6 -9 lines
Diff to previous 1.726 (colored)

fixup source address rewriting for the icmp errors with the rdr-to setup.
problem was reported by babut at yandex dot ru in the pr 6564, tested by
the pr originator and me, ok henning mcbride.  shaves off a bunch of XXXs.

Revision 1.690.2.1 / (download) - annotate - [select for diffs], Wed Feb 16 19:13:44 2011 UTC (13 years, 3 months ago) by sthen
Branch: OPENBSD_4_7
Changes since 1.690: +7 -7 lines
Diff to previous 1.690 (colored) next main 1.691 (colored)

Merge PF fix from -current.  Thanks jsg@ mcbride@ for testing.

----
Add missing byte-order swap to pf_match_addr_range. Without this, rules
using address ranges (e.g. "10.1.1.1 - 10.1.1.5") did not match addresses
correctly on little-endian systems.  ok henning@
----

Revision 1.696.2.1 / (download) - annotate - [select for diffs], Wed Feb 16 19:13:21 2011 UTC (13 years, 3 months ago) by sthen
Branch: OPENBSD_4_8
Changes since 1.696: +7 -7 lines
Diff to previous 1.696 (colored) next main 1.697 (colored)

Merge PF fix from -current.  Thanks jsg@ mcbride@ for testing.

----
Add missing byte-order swap to pf_match_addr_range. Without this, rules
using address ranges (e.g. "10.1.1.1 - 10.1.1.5") did not match addresses
correctly on little-endian systems.  ok henning@
----

Revision 1.726 / (download) - annotate - [select for diffs], Mon Feb 14 11:01:36 2011 UTC (13 years, 3 months ago) by sthen
Branch: MAIN
Changes since 1.725: +7 -7 lines
Diff to previous 1.725 (colored)

Add missing byte-order swap to pf_match_addr_range. Without this, rules
using address ranges (e.g. "10.1.1.1 - 10.1.1.5") did not match addresses
correctly on little-endian systems.  ok henning@

Revision 1.725 / (download) - annotate - [select for diffs], Sun Feb 6 23:12:12 2011 UTC (13 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.724: +19 -14 lines
Diff to previous 1.724 (colored)

pf_translate() may be called from pflog_packet().  Make sure that
IPv4-ICMP6 and IPv6-ICMP packets are not rewritten in case they are
dropped and logged.
spotted by mikeb@; ok henning@

Revision 1.724 / (download) - annotate - [select for diffs], Sun Feb 6 13:08:49 2011 UTC (13 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.723: +1 -5 lines
Diff to previous 1.723 (colored)

pf_test() and pf_test6() drop IPv4-ICMP6 and IPv6-ICMP packets.  Do
not do the same check in pf_test_rule() again.
ok henning

Revision 1.723 / (download) - annotate - [select for diffs], Sat Feb 5 17:29:05 2011 UTC (13 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.722: +3 -2 lines
Diff to previous 1.722 (colored)

When a packet with an unusual protocol number got rewritten, the
header length was uninitialized.  This resulted in a panic in
m_clget().  Initialize hdrlen with 0 and call m_copyback() only if
necessary.
ok henning@

Revision 1.722 / (download) - annotate - [select for diffs], Sat Jan 22 11:43:57 2011 UTC (13 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.721: +30 -28 lines
Diff to previous 1.721 (colored)

Pf must not scrub packets which will be dropped anyway.
ok henning@ markus@

Revision 1.721 / (download) - annotate - [select for diffs], Wed Jan 19 11:39:56 2011 UTC (13 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.720: +5 -1 lines
Diff to previous 1.720 (colored)

Give pf_normalize_ip() the same 3 way semantics as pf_test().
- PF_DROP, the packet is bad, the mbuf still exists and must be freed.
- PF_PASS and *m0 is NULL, the packet has been processed, not an error.
- PF_PASS and *m0 is not NULL, continue with packet processing.
This fixes a potential mbuf use after free.
ok henning@ markus@ mpf@

Revision 1.720 / (download) - annotate - [select for diffs], Tue Jan 11 13:35:58 2011 UTC (13 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.719: +43 -29 lines
Diff to previous 1.719 (colored)

Perform IP options check in pf_test_rule(), before creating state.

ok claudio henning dlg miod

Revision 1.719 / (download) - annotate - [select for diffs], Mon Jan 10 18:57:59 2011 UTC (13 years, 5 months ago) by bluhm
Branch: MAIN
Changes since 1.718: +7 -5 lines
Diff to previous 1.718 (colored)

If pf_test() was called recursively, the global variable pf_hdrs
could be used multiple times for different packets.  This happened
when pflow(4) was used.  Instead of a global variable, store the
pf_headers in a local variable on the stack.
david@ found the bug, narrowed it down and tested the fix.
ok henning@

Revision 1.718 / (download) - annotate - [select for diffs], Mon Jan 10 10:26:38 2011 UTC (13 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.717: +15 -16 lines
Diff to previous 1.717 (colored)

DPFPRINTF already adds the "pf: ", no need to put it in the error
string.

ok henning dlg claudio

Revision 1.717 / (download) - annotate - [select for diffs], Wed Jan 5 17:36:55 2011 UTC (13 years, 5 months ago) by bluhm
Branch: MAIN
Changes since 1.716: +2 -11 lines
Diff to previous 1.716 (colored)

Remove mbuf ptr save dance in pf_test6().  It was a leftover with
misleading comment that did nothing.
ok henning@ jsing@

Revision 1.716 / (download) - annotate - [select for diffs], Fri Dec 31 12:21:36 2010 UTC (13 years, 5 months ago) by bluhm
Branch: MAIN
Changes since 1.715: +37 -76 lines
Diff to previous 1.715 (colored)

Address comparison is implemented twice in pf.c.  Put this into a
common function pf_addr_compare().
ok henning@

Revision 1.715 / (download) - annotate - [select for diffs], Fri Dec 24 20:12:56 2010 UTC (13 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.714: +3 -3 lines
Diff to previous 1.714 (colored)

in pf_src_connlimit, the indices to sk->addr were swapped.
tracked down and diff sent by Robert B Mills <rbmills at sdf.lonestar.org>
thanks, very good work! ok claudio

Revision 1.714 / (download) - annotate - [select for diffs], Tue Dec 7 11:39:40 2010 UTC (13 years, 6 months ago) by jsg
Branch: MAIN
Changes since 1.713: +38 -40 lines
Diff to previous 1.713 (colored)

remove a bunch of unused arguments
ok henning@

Revision 1.713 / (download) - annotate - [select for diffs], Fri Sep 24 02:28:10 2010 UTC (13 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.712: +2 -2 lines
Diff to previous 1.712 (colored)

itojun picked exactly the right reason in that REASON_SET call. really no
reason to question himself by adding an XXX

Revision 1.712 / (download) - annotate - [select for diffs], Fri Sep 24 02:22:37 2010 UTC (13 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.711: +3 -3 lines
Diff to previous 1.711 (colored)

use pd->rdomain for the PF_MISMATCHAW checks in pf_test_fragment instead of
hardcoding 0.
roughly almost a bit equivalent to what pf_test_rule does. changing the
rdomain for not reassembled fragments is not going to work ever, so the
full dance pf_test_rule does doesn't make sense here.
speaking of sense, I don't see anything remotely resembling sense in
pf filtering on fragments without reassembling them first.
with/ok claudio

Revision 1.711 / (download) - annotate - [select for diffs], Fri Sep 24 02:15:00 2010 UTC (13 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.710: +1 -3 lines
Diff to previous 1.710 (colored)

no need to pf_tag_packet in the stateless case in pf_test since
pf_test_rule will have done it already, as correctly XXX-comment noted by
claudio almost a year ago.
pf_test6 (which is scarily different there) didn't have that at all.

Revision 1.710 / (download) - annotate - [select for diffs], Fri Sep 24 02:06:47 2010 UTC (13 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.709: +1 -7 lines
Diff to previous 1.709 (colored)

hello, this is captain obvious speaking:
/*  XXX This does NOT affect pass rules! */
SLIST_FOREACH(ri, &s->match_rules, entry) {
...
delete that comment, entirely superfluous

Revision 1.709 / (download) - annotate - [select for diffs], Fri Sep 24 01:56:12 2010 UTC (13 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.708: +1 -2 lines
Diff to previous 1.708 (colored)

remove misleading XXX comment. it is pretty clear by now that
pf_compare_state_keys will stay, we play safe.

Revision 1.708 / (download) - annotate - [select for diffs], Fri Sep 24 01:53:22 2010 UTC (13 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.707: +4 -6 lines
Diff to previous 1.707 (colored)

nicer linewraps, purely cosmetic

Revision 1.707 / (download) - annotate - [select for diffs], Fri Sep 24 00:55:48 2010 UTC (13 years, 8 months ago) by jsg
Branch: MAIN
Changes since 1.706: +4 -5 lines
Diff to previous 1.706 (colored)

kill some unused arguments to pf_create_state
ok henning@

Revision 1.706 / (download) - annotate - [select for diffs], Thu Sep 23 14:17:02 2010 UTC (13 years, 8 months ago) by mcbride
Branch: MAIN
Changes since 1.705: +68 -81 lines
Diff to previous 1.705 (colored)

Break out rule counter update code into a separate function, makes the
behaviour consistent between IPv4 and IPv6.

From martin.pelikan@gmail.com

Revision 1.705 / (download) - annotate - [select for diffs], Wed Sep 22 05:58:29 2010 UTC (13 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.704: +7 -3 lines
Diff to previous 1.704 (colored)

add a new log opt PF_LOG_MATCHES
forces logging on all subsequent matching rules
real ok theo assumed oks ryan and dlg bikeshedding everyone in the room
implementation time ~ 1 minute

Revision 1.704 / (download) - annotate - [select for diffs], Wed Sep 22 02:12:36 2010 UTC (13 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.703: +5 -16 lines
Diff to previous 1.703 (colored)

various whitespace fixes that my hands did while i was looking for sth
else and an unneeded if (r)

Revision 1.703 / (download) - annotate - [select for diffs], Tue Sep 21 11:29:12 2010 UTC (13 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.702: +2 -2 lines
Diff to previous 1.702 (colored)

assert copyrights / bump years

Revision 1.702 / (download) - annotate - [select for diffs], Tue Sep 21 10:43:41 2010 UTC (13 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.701: +5 -5 lines
Diff to previous 1.701 (colored)

after ruleset eval is done, we must apply actions from the last matching
pass or block rule, not the last matching rule. triggered by pr6401.
this means that, for example, a rdr-to on a pass rule can override an
rdr-to on a match rule that comes later in the ruleset. but that's the
semantics: for block and pass rules, the last matching one wins, aka
actions are applied after we're done with ruleset eval, and match rules'
actions are applied on the fly. discussion with dlg and claudio, ok dlg ryan

Revision 1.701 / (download) - annotate - [select for diffs], Tue Sep 21 10:37:33 2010 UTC (13 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.700: +2 -4 lines
Diff to previous 1.700 (colored)

do not increment states_tot on match rules. it is purely cosmetic, this
value is used in verbose "show rules" output as "states creations", but
match rules never create state. states_cur aka "States" is needed and
correct, match rules are being associated with states. ok ryan

Revision 1.700 / (download) - annotate - [select for diffs], Tue Sep 21 07:04:24 2010 UTC (13 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.699: +8 -12 lines
Diff to previous 1.699 (colored)

make "match log" rules log on the fly. thus you can log and see the packet
as it is in the very same moment pf hits that match rule. really awesome
with multiple rdr-to and the like. ok dlg - ryan would ok it too if he was
here right now

Revision 1.699 / (download) - annotate - [select for diffs], Tue Sep 21 04:09:33 2010 UTC (13 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.698: +1 -2 lines
Diff to previous 1.698 (colored)

remove now obsolete XXX comment

Revision 1.698 / (download) - annotate - [select for diffs], Tue Sep 21 03:42:17 2010 UTC (13 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.697: +49 -20 lines
Diff to previous 1.697 (colored)

make pf_translate (void so far) return 1 if it actually changed something
and 0 if it didn't so we know whether we have to rewrite or not.
ok ryan dlg
and in just an hour from now on this might have reached cvs eventually
from njetwork challenged j2k10 in japan

Revision 1.697 / (download) - annotate - [select for diffs], Tue Sep 21 02:51:35 2010 UTC (13 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.696: +272 -222 lines
Diff to previous 1.696 (colored)

factor out the code to set up pf_pdesc, a central structure in pf carrying
information about the packet we're currently dealing with, into its own
function. ok ryan dlg and additional testing sthen

Revision 1.696 / (download) - annotate - [select for diffs], Thu Aug 5 17:21:19 2010 UTC (13 years, 10 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE
Branch point for: OPENBSD_4_8
Changes since 1.695: +164 -125 lines
Diff to previous 1.695 (colored)

In pf_icmp_mapping() the ICMP and ICMPv6 types shared the same
number space.  In fact they are independent and must be handled
separately.  Fix traceroute via pf by splitting pf_icmp_mapping()
into IPv4 and IPv6 sections.
ok henning@ mcbride@; tested mcbride@; sure deraadt@

Revision 1.695 / (download) - annotate - [select for diffs], Fri Jul 2 02:40:16 2010 UTC (13 years, 11 months ago) by blambert
Branch: MAIN
Changes since 1.694: +33 -27 lines
Diff to previous 1.694 (colored)

m_copyback can fail to allocate memory, but is a void function so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@

Revision 1.694 / (download) - annotate - [select for diffs], Thu Jul 1 19:45:29 2010 UTC (13 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.693: +4 -4 lines
Diff to previous 1.693 (colored)

g/c unused param to pf_translate

Revision 1.693 / (download) - annotate - [select for diffs], Sun Jun 27 21:58:35 2010 UTC (13 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.692: +4 -4 lines
Diff to previous 1.692 (colored)

fix a comment and add a new one to make clear what the mbuf ptr save dance
is for, it is not very obvious... with ryan and jsing

Revision 1.692 / (download) - annotate - [select for diffs], Sun Jun 27 01:39:43 2010 UTC (13 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.691: +44 -51 lines
Diff to previous 1.691 (colored)

stuff nsaddr/ndaddr/nsport/ndport (addrs/ports after NAT, used a lot while
walking the ruleset and up until state is fully set up) into pf_pdesc instead
of passing around those 4 separately all the time, also shrinks the argument
count for a few functions that have/partially had an insane count of arguments.
kinda preparational since we'll need them elsewhere too, soon
ok ryan jsing

Revision 1.691 / (download) - annotate - [select for diffs], Fri May 7 13:33:16 2010 UTC (14 years, 1 month ago) by claudio
Branch: MAIN
Changes since 1.690: +26 -19 lines
Diff to previous 1.690 (colored)

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepaths rdomain aware.
Apart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning

Revision 1.690 / (download) - annotate - [select for diffs], Thu Feb 4 14:10:12 2010 UTC (14 years, 4 months ago) by sthen
Branch: MAIN
CVS Tags: OPENBSD_4_7_BASE
Branch point for: OPENBSD_4_7
Changes since 1.689: +13 -5 lines
Diff to previous 1.689 (colored)

pf_get_sport() picks a random port from the port range specified in a
nat rule. It should check to see if it's in-use (i.e. matches an existing
PF state), if it is, it cycles sequentially through other ports until
it finds a free one. However the check was being done with the state
keys the wrong way round so it was never actually finding the state
to be in-use.

- switch the keys to correct this, avoiding random state collisions
with nat. Fixes PR 6300 and problems reported by robert@ and viq.

- check pf_get_sport() return code in pf_test(); if port allocation
fails the packet should be dropped rather than sent out untranslated.

Help/ok claudio@.

Revision 1.689 / (download) - annotate - [select for diffs], Mon Jan 18 23:52:46 2010 UTC (14 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.688: +193 -189 lines
Diff to previous 1.688 (colored)

Convert pf debug logging to using log()/addlog(), a single standardised
definition of DPFPRINTF(), and log priorities from syslog.h. Old debug
levels will still work for now, but will eventually be phased out.

discussed with henning, ok dlg

Revision 1.688 / (download) - annotate - [select for diffs], Thu Jan 14 20:43:19 2010 UTC (14 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.687: +2 -2 lines
Diff to previous 1.687 (colored)

henning and I are both dumbasses, testing &foo against NULL is pointless.

ok claudio

Revision 1.687 / (download) - annotate - [select for diffs], Thu Jan 14 01:19:46 2010 UTC (14 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.686: +3 -1 lines
Diff to previous 1.686 (colored)

When printing states in debug output, print the rule number that created
it if we have it.

Requested by dlg, ok henning.

Revision 1.686 / (download) - annotate - [select for diffs], Thu Jan 14 01:06:14 2010 UTC (14 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.685: +1 -2 lines
Diff to previous 1.685 (colored)

i forgot to remove a now obsolete comment in pf_create_state about
incorrect error handling

Revision 1.685 / (download) - annotate - [select for diffs], Thu Jan 14 00:00:05 2010 UTC (14 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.684: +4 -5 lines
Diff to previous 1.684 (colored)

in pf_create_state, when we fixed the leaks, we were a bit too trigger
happy and went to use after free instead. ryan and I think we found the
reason - just freeing that state keys in the error path is wrong as well,
since pf_state_key_setup could have found existing, identical state keys
and linked our state to these. if we now free them the other state that
hung off these state keys would point back to the freed state keys. so
instead of manually trying to free the state keys just call
pf_state_key_detach which has all the magic checks.
with and ok ryan

Revision 1.684 / (download) - annotate - [select for diffs], Wed Jan 13 23:45:14 2010 UTC (14 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.683: +4 -1 lines
Diff to previous 1.683 (colored)

in pf_state_key_detach, ensure that the state key pointer on the state
is not null, to be safe and to be able to call this with half setup
states. with and ok ryan

Revision 1.683 / (download) - annotate - [select for diffs], Tue Jan 12 03:20:51 2010 UTC (14 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.682: +22 -23 lines
Diff to previous 1.682 (colored)

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio

Revision 1.682 / (download) - annotate - [select for diffs], Mon Jan 11 04:07:07 2010 UTC (14 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.681: +4 -3 lines
Diff to previous 1.681 (colored)

"final" leak in state creation: in pf_state_key_setup, if we actually
need two state keys (NAT case), and we succeed allocating the first one
but fail getting the second we'd leak the first one. obvious and thus ok'd
by dlg ryan and theo within seconds

Revision 1.681 / (download) - annotate - [select for diffs], Mon Jan 11 03:52:03 2010 UTC (14 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.680: +21 -32 lines
Diff to previous 1.680 (colored)

fix a bug in pf_create_state that was a major source of amusement for me
over the last couple of weeks (ever since I found it): when we are out of
memory for the state keys we leak the state. oh the irony.
instead of just fixing that one case rework the error handling in the entire
function. verified painfully by yours truly by forcefully exercising each
and every error path in there. ryan ok

Revision 1.680 / (download) - annotate - [select for diffs], Thu Dec 24 04:24:19 2009 UTC (14 years, 5 months ago) by dlg
Branch: MAIN
Changes since 1.679: +28 -1 lines
Diff to previous 1.679 (colored)

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:

  pass out on em0 from $foo to $bar received-on fxp0

ive been running this in production for a week now. i find it particularly
useful with interface groups.

no objections, and a few "i like"s from henning, claudio, deraadt, mpf

Revision 1.679 / (download) - annotate - [select for diffs], Mon Dec 14 12:31:45 2009 UTC (14 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.678: +149 -82 lines
Diff to previous 1.678 (colored)

fix sticky-address - by pretty much re-implementing it. still following
the original approach using a source tracking node.
the reimplementation is more flexible than the original one, we now have an
slist of source tracking nodes per state. that is cheap because more than
one entry will be an absolute exception.
ok beck and jsg, also stress tested by Sebastian Benoit <benoit-lists at fb12.de>

Revision 1.678 / (download) - annotate - [select for diffs], Tue Dec 8 08:26:33 2009 UTC (14 years, 6 months ago) by sthen
Branch: MAIN
Changes since 1.677: +3 -3 lines
Diff to previous 1.677 (colored)

move "pf: key search" and "pf: key setup" messages to PF_DEBUG_NOISY
instead of MISC. "makes a little bit more sense" henning@

Revision 1.677 / (download) - annotate - [select for diffs], Thu Nov 26 14:34:49 2009 UTC (14 years, 6 months ago) by dlg
Branch: MAIN
Changes since 1.676: +2 -2 lines
Diff to previous 1.676 (colored)

magical fix for a fault which reliably brings my firewalls down. i think
not having sks and sks set to NULL causes random memory to be pool_put().

ok deraadt@ jsing@

Revision 1.676 / (download) - annotate - [select for diffs], Mon Nov 23 18:41:21 2009 UTC (14 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.675: +2 -10 lines
Diff to previous 1.675 (colored)

with the old code we initialized the state keys early in some cases
and thus had to get rid of them if we didn't create state. this is no
longer the case, kill dead code. ok claudio

Revision 1.675 / (download) - annotate - [select for diffs], Mon Nov 23 18:10:43 2009 UTC (14 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.674: +2 -1 lines
Diff to previous 1.674 (colored)

one kinda-missing log |= PFLOG_FORCE in the v6 case, spotted by claudio

Revision 1.674 / (download) - annotate - [select for diffs], Mon Nov 23 18:04:10 2009 UTC (14 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.673: +32 -18 lines
Diff to previous 1.673 (colored)

sync the handling of the log flag from pf_test (where it is correct)
to pf_test6 (where it is wrong in some edge cases, for match rules and
logs a packet twice in some cases). ok claudio

Revision 1.673 / (download) - annotate - [select for diffs], Mon Nov 23 17:22:11 2009 UTC (14 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.672: +2 -2 lines
Diff to previous 1.672 (colored)

pf_test_fragment: we need to bail out if action == PF_DROP, not
if action != PF_PASS. same was changed in pf_test_rule a while back
but the fragment case was forgotten. since everybody reassembles nobody
ran into this.

Revision 1.672 / (download) - annotate - [select for diffs], Mon Nov 23 17:18:05 2009 UTC (14 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.671: +4 -6 lines
Diff to previous 1.671 (colored)

sync some comments with reality

Revision 1.671 / (download) - annotate - [select for diffs], Mon Nov 23 16:03:10 2009 UTC (14 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.670: +20 -77 lines
Diff to previous 1.670 (colored)

remove the nat_rule pointer on pf_state and pf_pdesc, obsolete after
the NAT rewrite and ever since then only checked in a couple of places
but never set. same for nat_src_node on pf_state.
with this the NAT rewrite made pf over 1000 lines shorter.

Revision 1.670 / (download) - annotate - [select for diffs], Sun Nov 22 22:34:50 2009 UTC (14 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.669: +11 -11 lines
Diff to previous 1.669 (colored)

cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing

Revision 1.669 / (download) - annotate - [select for diffs], Sat Nov 21 20:54:27 2009 UTC (14 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.668: +3 -3 lines
Diff to previous 1.668 (colored)

knf

Revision 1.668 / (download) - annotate - [select for diffs], Thu Nov 5 20:50:14 2009 UTC (14 years, 7 months ago) by michele
Branch: MAIN
Changes since 1.667: +19 -1 lines
Diff to previous 1.667 (colored)

IPv6 support for divert sockets.

tested by phessler@ pyr@
ok claudio@
"go ahead" deraadt@

Revision 1.667 / (download) - annotate - [select for diffs], Tue Nov 3 10:59:04 2009 UTC (14 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.666: +102 -47 lines
Diff to previous 1.666 (colored)

rtables are stacked on rdomains (it is possible to have multiple routing
tables on top of a rdomain) but until now our code was a crazy mix so that
it was impossible to correctly use rtables in that case. Additionally pf(4)
only knows about rtables and not about rdomains. This is especially bad when
tracking (possibly conflicting) states in various domains.
This diff fixes all or most of these issues. It adds a lookup function to
get the rdomain id based on a rtable id. Makes pf understand rdomains and
allows pf to move packets between rdomains (it is similar to NAT).
Because pf states now track the rdomain id as well it is necessary to modify
the pfsync wire format. So old and new systems will not sync up.
A lot of help by dlg@, tested by sthen@, jsg@ and probably more
OK dlg@, mpf@, deraadt@

Revision 1.666 / (download) - annotate - [select for diffs], Thu Oct 29 10:28:27 2009 UTC (14 years, 7 months ago) by jsg
Branch: MAIN
Changes since 1.665: +2 -2 lines
Diff to previous 1.665 (colored)

I missed updating a line for the AF_INET6 route case when
splitting things out into a separate pool.
Problem noticed and fix tested by sthen@

ok claudio@

Revision 1.665 / (download) - annotate - [select for diffs], Wed Oct 28 20:11:01 2009 UTC (14 years, 7 months ago) by jsg
Branch: MAIN
Changes since 1.664: +15 -14 lines
Diff to previous 1.664 (colored)

Add a dedicated pf pool for route options as suggested by henning,
which unbreaks i.e. route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@

Revision 1.664 / (download) - annotate - [select for diffs], Tue Oct 6 21:21:48 2009 UTC (14 years, 8 months ago) by claudio
Branch: MAIN
Changes since 1.663: +29 -13 lines
Diff to previous 1.663 (colored)

Redo the route lookup in the output (and IPv6 forwarding) path if the
destination of a packet was changed by pf. This allows for some evil
games with rdr-to or nat-to but is mostly needed for better rdomain/rtable
support. This is a first step and more work and cleanup is needed.

Here a list of what works and what does not (needs a patched pfctl):
pass out rdr-to:
from local rdr-to local addr works (if state tracking on lo0 is done)
from remote rdr-to local addr does NOT work
from local rdr-to remote works
from remote rdr-to remote works

pass in nat-to:
from remote nat-to local addr does NOT work
from remote nat-to non-local addr works
non-local is an IP that is routed to the FW but is not assigned on the FW.
The non working cases need some magic to correctly rewrite the incoming
packet since the rewriting would happen outbound which is too late.

"time to get it in" deraadt@

Revision 1.663 / (download) - annotate - [select for diffs], Sun Oct 4 16:08:37 2009 UTC (14 years, 8 months ago) by michele
Branch: MAIN
Changes since 1.662: +19 -1 lines
Diff to previous 1.662 (colored)

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who spotted out which are the limitations of this approach.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@

Revision 1.662 / (download) - annotate - [select for diffs], Wed Sep 16 12:28:19 2009 UTC (14 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.661: +3 -6 lines
Diff to previous 1.661 (colored)

style: in pf_test_state_other, fix indentation, kill excessive newlines,
add break in the last case block

Revision 1.661 / (download) - annotate - [select for diffs], Wed Sep 16 12:26:55 2009 UTC (14 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.660: +3 -3 lines
Diff to previous 1.660 (colored)

fix copy & paste error from almost a year ago (bad ryan)
PF_ANEQ call in pf_test_state_other in the IPVshit case used AF_INET, found
by claudio

Revision 1.660 / (download) - annotate - [select for diffs], Tue Sep 8 17:52:17 2009 UTC (14 years, 9 months ago) by michele
Branch: MAIN
Changes since 1.659: +0 -18 lines
Diff to previous 1.659 (colored)

I had not enough oks to commit this diff.
Sorry.

Revision 1.659 / (download) - annotate - [select for diffs], Tue Sep 8 17:00:41 2009 UTC (14 years, 9 months ago) by michele
Branch: MAIN
Changes since 1.658: +19 -1 lines
Diff to previous 1.658 (colored)

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.

Revision 1.658 / (download) - annotate - [select for diffs], Tue Sep 1 13:42:00 2009 UTC (14 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.657: +237 -292 lines
Diff to previous 1.657 (colored)

the diff theo calls me insane for:
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too

Revision 1.655.4.1 / (download) - annotate - [select for diffs], Thu Aug 6 11:15:18 2009 UTC (14 years, 10 months ago) by henning
Branch: OPENBSD_4_6
Changes since 1.655: +17 -4 lines
Diff to previous 1.655 (colored) next main 1.656 (colored)

MFC, ok deraadt

Revision 1.657 / (download) - annotate - [select for diffs], Tue Jul 28 11:22:33 2009 UTC (14 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.656: +8 -0 lines
Diff to previous 1.656 (colored)

do not leak pf_rule_item_pl items in pf_test_rule() when
1) at least one match rule matched the packet and
2) we do not create state
found by me while fixing the pool_get problem, ok dlg

Revision 1.656 / (download) - annotate - [select for diffs], Tue Jul 28 11:20:09 2009 UTC (14 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.655: +9 -4 lines
Diff to previous 1.655 (colored)

check that pool_get actually gives us memory in pf_test_rule.
introduced by yours truly (no idea how that could happen), problem
found by sthen the hard way, fix by me. ok dlg

Revision 1.655 / (download) - annotate - [select for diffs], Fri Jun 26 19:39:49 2009 UTC (14 years, 11 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_4_6_BASE
Branch point for: OPENBSD_4_6
Changes since 1.654: +11 -9 lines
Diff to previous 1.654 (colored)

invert direction for inner icmp state lookups (e.g. traceroute with icmp)
ok henning, jsing

Revision 1.654 / (download) - annotate - [select for diffs], Mon Jun 22 17:04:02 2009 UTC (14 years, 11 months ago) by jsing
Branch: MAIN
Changes since 1.653: +7 -1 lines
Diff to previous 1.653 (colored)

Check that the address family is appropriate before processing ICMPv4 and
ICMPv6 messages.

ok henning@

Revision 1.653 / (download) - annotate - [select for diffs], Mon Jun 22 16:55:14 2009 UTC (14 years, 11 months ago) by jsing
Branch: MAIN
Changes since 1.652: +1 -3 lines
Diff to previous 1.652 (colored)

Always drop ICMPv6 in IPv4 datagrams, not only when compiled with INET6.

Suggested by Max Laier.

ok henning@

Revision 1.652 / (download) - annotate - [select for diffs], Mon Jun 22 13:55:39 2009 UTC (14 years, 11 months ago) by jsing
Branch: MAIN
Changes since 1.651: +7 -0 lines
Diff to previous 1.651 (colored)

Fix scrub max-mss for IPv6 traffic.

spotted by naddy@

ok henning@

Revision 1.651 / (download) - annotate - [select for diffs], Mon Jun 8 03:56:14 2009 UTC (15 years ago) by henning
Branch: MAIN
Changes since 1.650: +2 -2 lines
Diff to previous 1.650 (colored)

in pf_print_state_parts, do not use skw->proto to print the protocol
but our local copy proto that we very carefully set beforehand. skw
being NULL is perfectly valid there.

Revision 1.650 / (download) - annotate - [select for diffs], Mon Jun 8 02:36:06 2009 UTC (15 years ago) by sthen
Branch: MAIN
Changes since 1.649: +3 -3 lines
Diff to previous 1.649 (colored)

"do not call PF_ANEQ with af=0, dragons". fixes a problem with skip
steps found with the recent pfvar.h commit to check address families.
from & commit req by henning.

Revision 1.649 / (download) - annotate - [select for diffs], Fri Jun 5 00:05:21 2009 UTC (15 years ago) by claudio
Branch: MAIN
Changes since 1.648: +29 -17 lines
Diff to previous 1.648 (colored)

Initial support for routing domains. This allows binding interfaces to an
alternate routing table and separating them from other interfaces in distinct
routing tables. The same network can now be used in any domain at the same
time without causing conflicts.
This diff is mostly mechanical and adds the necessary rdomain checks across
net and netinet. L2 and IPv4 are mostly covered; still missing pf and IPv6.
input and tested by jsg@, phessler@ and reyk@. "put it in" deraadt@

Revision 1.648 / (download) - annotate - [select for diffs], Mon May 18 20:37:13 2009 UTC (15 years ago) by bluhm
Branch: MAIN
Changes since 1.647: +5 -5 lines
Diff to previous 1.647 (colored)

The routing table index rtableid has type unsigned int in the routing
code.  In pf rtableid == -1 means don't change the rtableid because
of this rule.  So it has to be signed int there.  Before the value
is passed from pf to route it is always checked to be >= 0.  Change
the type to int in pf and to u_int in netinet and netinet6 to make
the checks work.  Otherwise -1 may be used as an array index and
the kernel crashes.

ok henning@

Revision 1.647 / (download) - annotate - [select for diffs], Thu Apr 30 12:54:32 2009 UTC (15 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.646: +12 -12 lines
Diff to previous 1.646 (colored)

treat log as what it is, a flag variable. effectively a noop now but stops
us relying on where we are setting it. ok ryan dlg

Revision 1.646 / (download) - annotate - [select for diffs], Thu Apr 23 02:01:21 2009 UTC (15 years, 1 month ago) by dlg
Branch: MAIN
Changes since 1.645: +2 -2 lines
Diff to previous 1.645 (colored)

print the type of the icmp message we're bitching about when debugging is
turned up in pf_icmp_state_lookup.

ok sthen@

Revision 1.645 / (download) - annotate - [select for diffs], Fri Apr 17 18:37:06 2009 UTC (15 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.644: +2 -2 lines
Diff to previous 1.644 (colored)

move the lastr = r assignment behind the anchor rule check so we don't
ever try to apply options from the anchor rule if it was the last matching
one but the last matching real rule. it is right but despite begging nobody
has the balls to ok it ;(

Revision 1.644 / (download) - annotate - [select for diffs], Wed Apr 15 13:10:38 2009 UTC (15 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.643: +18 -13 lines
Diff to previous 1.643 (colored)

little dose of scrubbing after the monster changes:
correctly inherit queue stuff, tag, rtableid from the rule if we have no
state
some logic simplification and removal of redundant checks
ok dlg

Revision 1.643 / (download) - annotate - [select for diffs], Wed Apr 15 05:14:45 2009 UTC (15 years, 2 months ago) by david
Branch: MAIN
Changes since 1.642: +2 -2 lines
Diff to previous 1.642 (colored)

move OK ICMP to NOISY level, makes it easier to run at MISC level; ok henning@

Revision 1.642 / (download) - annotate - [select for diffs], Tue Apr 14 19:39:56 2009 UTC (15 years, 2 months ago) by grange
Branch: MAIN
Changes since 1.641: +7 -5 lines
Diff to previous 1.641 (colored)

Correctly handle the case when state might be NULL in pf_test like
all other code does. Should fix pr 6121.

ok henning@

Revision 1.634.2.1 / (download) - annotate - [select for diffs], Sat Apr 11 23:43:40 2009 UTC (15 years, 2 months ago) by sthen
Branch: OPENBSD_4_5
Changes since 1.634: +17 -1 lines
Diff to previous 1.634 (colored) next main 1.635 (colored)

Avoid dereferencing a null pointer when pf attempts to translate a
specifically crafted IP datagram.

Problem noted by Sebastian Rother.

fix from jsing. ok henning@ mcbride@

Revision 1.614.2.1 / (download) - annotate - [select for diffs], Sat Apr 11 23:43:32 2009 UTC (15 years, 2 months ago) by sthen
Branch: OPENBSD_4_4
Changes since 1.614: +17 -1 lines
Diff to previous 1.614 (colored) next main 1.615 (colored)

Avoid dereferencing a null pointer when pf attempts to translate a
specifically crafted IP datagram.

Problem noted by Sebastian Rother.

fix from jsing. ok henning@ mcbride@

Revision 1.567.2.1 / (download) - annotate - [select for diffs], Sat Apr 11 23:43:23 2009 UTC (15 years, 2 months ago) by sthen
Branch: OPENBSD_4_3
Changes since 1.567: +17 -1 lines
Diff to previous 1.567 (colored) next main 1.568 (colored)

Avoid dereferencing a null pointer when pf attempts to translate a
specifically crafted IP datagram.

Problem noted by Sebastian Rother.

fix from jsing. ok henning@ mcbride@

Revision 1.641 / (download) - annotate - [select for diffs], Sat Apr 11 23:42:05 2009 UTC (15 years, 2 months ago) by jsing
Branch: MAIN
Changes since 1.640: +16 -0 lines
Diff to previous 1.640 (colored)

Avoid dereferencing a null pointer when pf attempts to translate a
specifically crafted IP datagram.

Problem noted by Sebastian Rother.

ok henning@ mcbride@ sthen@

Revision 1.640 / (download) - annotate - [select for diffs], Mon Apr 6 12:05:55 2009 UTC (15 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.639: +196 -83 lines
Diff to previous 1.639 (colored)

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
.  set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
.  pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
.  match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
.  pass
.  match
passes the packet, and
.  block
.  match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
 means a single packet can get logged more than once (think multiple log
 interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.

Revision 1.639 / (download) - annotate - [select for diffs], Sun Mar 15 19:40:41 2009 UTC (15 years, 3 months ago) by miod
Branch: MAIN
Changes since 1.638: +4 -4 lines
Diff to previous 1.638 (colored)

Introduce splsoftassert(), similar to splassert() but for soft interrupt
levels. This will allow for platforms where soft interrupt levels do not
map to real hardware interrupt levels to have soft ipl values overlapping
hard ipl values without breaking spl asserts.

Revision 1.638 / (download) - annotate - [select for diffs], Sat Mar 14 23:44:09 2009 UTC (15 years, 3 months ago) by mcbride
Branch: MAIN
Changes since 1.637: +4 -4 lines
Diff to previous 1.637 (colored)

Some ICMP types that also have icmp_id, pointed out by markus@

ok henning markus

Revision 1.637 / (download) - annotate - [select for diffs], Mon Mar 9 13:53:09 2009 UTC (15 years, 3 months ago) by mcbride
Branch: MAIN
Changes since 1.636: +6 -6 lines
Diff to previous 1.636 (colored)

Make the DIOCSETIFFLAG, DIOCSETLIMIT, and DIOCSETTIMEOUT ioctls
transactional, closing PRs 4941 and 5910.  Minor flag day, requires rebuild
of userland tools that use struct pfi_kif.

ok henning deraadt

Revision 1.636 / (download) - annotate - [select for diffs], Sat Mar 7 01:15:41 2009 UTC (15 years, 3 months ago) by mcbride
Branch: MAIN
Changes since 1.635: +3 -2 lines
Diff to previous 1.635 (colored)

Make sure pd2 has a pointer to the icmp header in the payload; fixes
panic seen with some icmp types in icmp error message payloads.

Reported by david@ and insan.praja@gmail.com

Revision 1.635 / (download) - annotate - [select for diffs], Thu Mar 5 03:09:37 2009 UTC (15 years, 3 months ago) by mcbride
Branch: MAIN
Changes since 1.634: +327 -91 lines
Diff to previous 1.634 (colored)

Stricter state checking for ICMP and ICMPv6 packets: include the ICMP type
in one port of the state key, using the type to determine which side should
be the id, and which should be the type. Also:
- Handle ICMP6 messages which are typically sent to multicast addresses but
  receive unicast replies, by doing fallthrough lookups against the correct
  multicast address.
- Clear up some mistaken assumptions in the PF code:
   - Not all ICMP packets have an icmp_id, so simulate one based on other
     data if we can, otherwise set it to 0.
   - Don't modify the icmp id field in NAT unless it's echo
   - Use the full range of possible id's when NATing icmp6 echo

ok henning marco
testing matthieu todd

Revision 1.634 / (download) - annotate - [select for diffs], Fri Feb 27 12:37:45 2009 UTC (15 years, 3 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_4_5_BASE
Branch point for: OPENBSD_4_5
Changes since 1.633: +35 -13 lines
Diff to previous 1.633 (colored)

fix quick reuse of tcp states.
when we, for a new state, hit an existing tcp state which is in FIN_WAIT_2
on both ends do not fail but insert the new state anyway and unlink the
old one afterwards. pimp error message a bit, too.
problem found with NAT by viq <viq@viq.ath.cx>
ok theo markus

Revision 1.633 / (download) - annotate - [select for diffs], Mon Feb 16 00:31:25 2009 UTC (15 years, 3 months ago) by dlg
Branch: MAIN
Changes since 1.632: +36 -16 lines
Diff to previous 1.632 (colored)

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@

Revision 1.632 / (download) - annotate - [select for diffs], Fri Jan 30 17:27:20 2009 UTC (15 years, 4 months ago) by naddy
Branch: MAIN
Changes since 1.631: +3 -4 lines
Diff to previous 1.631 (colored)

sync the part copied from ip_output: always initialize IP checksum
to zero for checksum offload; ok henning@

Revision 1.631 / (download) - annotate - [select for diffs], Fri Jan 30 10:32:26 2009 UTC (15 years, 4 months ago) by dlg
Branch: MAIN
Changes since 1.630: +7 -1 lines
Diff to previous 1.630 (colored)

sprinkle splassert(IPL_SOFTNET) around the code that inserts, unlinks, and
frees pf states.

ok mcbride@

Revision 1.630 / (download) - annotate - [select for diffs], Thu Jan 29 15:12:28 2009 UTC (15 years, 4 months ago) by pyr
Branch: MAIN
Changes since 1.629: +1 -614 lines
Diff to previous 1.629 (colored)

Split the address selection from pools away from pf.c and put it in
pf_lb.c. This will ease the process of adding more selection types
without bloatening pf.c even more.

ok and a weird death threat, henning@
raised eyebrow, dlg@

Revision 1.629 / (download) - annotate - [select for diffs], Tue Jan 27 17:33:07 2009 UTC (15 years, 4 months ago) by mpf
Branch: MAIN
Changes since 1.628: +10 -1 lines
Diff to previous 1.628 (colored)

If a packet translation was a NOP, undo separate NAT key and
pretend there was no match. This prevents pf_state_insert()
from failing with duplicate keys. OK henning@, mcbride@

Revision 1.628 / (download) - annotate - [select for diffs], Fri Jan 16 23:43:01 2009 UTC (15 years, 4 months ago) by david
Branch: MAIN
Changes since 1.627: +6 -1 lines
Diff to previous 1.627 (colored)

In pf_test_rule(), if we don't create a state, free any state keys that
may have been allocated earlier by pf_get_translation().  Fixes a
pf_state_key_pl leak triggered by certain ICMP types matching a NAT
rule.  Finally located with the help of pool_walk().
ok henning@ dlg@ mcbride@

Revision 1.627 / (download) - annotate - [select for diffs], Mon Nov 24 13:22:09 2008 UTC (15 years, 6 months ago) by mikeb
Branch: MAIN
Changes since 1.626: +2 -2 lines
Diff to previous 1.626 (colored)

Fix splasserts seen in pr 5987 by propagating a flag that describes
whether we're called from the interrupt context to the functions
performing allocations.

Looked at by mpf@ and henning@, tested by mpf@ and Antti Harri,
the pr originator.

ok tedu

Revision 1.626 / (download) - annotate - [select for diffs], Fri Nov 21 18:01:30 2008 UTC (15 years, 6 months ago) by claudio
Branch: MAIN
Changes since 1.625: +2 -2 lines
Diff to previous 1.625 (colored)

Change rn_mpath_next() to be able to walk over the full multipath list
not only over routes of the same prio. This makes it possible to modify
rt_mpath_matchgate() so that if only gateway is specified without a specific
priority it will scan the full list and not only the first routes.
This is also needed for upcoming link state tracking.

Revision 1.625 / (download) - annotate - [select for diffs], Tue Oct 28 22:57:01 2008 UTC (15 years, 7 months ago) by mpf
Branch: MAIN
Changes since 1.624: +7 -1 lines
Diff to previous 1.624 (colored)

Always skip "urpf-failed" test for IPv6 link local addresses.
We could re-embed the scope-id before we do the route lookup,
but then we would just find the very interface we've received
the packet on anyway.
OK markus@, claudio@, henning@

Revision 1.624 / (download) - annotate - [select for diffs], Thu Oct 23 22:22:43 2008 UTC (15 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.623: +13 -13 lines
Diff to previous 1.623 (colored)

use the correct idiom for NFOO things which come from "foo.h" files
ok dlg

Revision 1.623 / (download) - annotate - [select for diffs], Thu Oct 2 15:12:45 2008 UTC (15 years, 8 months ago) by jsing
Branch: MAIN
Changes since 1.622: +3 -4 lines
Diff to previous 1.622 (colored)

When redirect is used with sticky-address and a matching pass rule uses
reply-to, the sticky-address in the source tracking pool is overwritten
with the reply-to address, resulting in new connections being incorrectly
redirected to the reply-to host (instead of the sticky-address host).

Prevent this by passing a NULL source node reference to pf_map_addr() when
looking up the reply-to host, thus preventing the NAT source node from
being overwritten.

ok mcbride@ henning@

Revision 1.622 / (download) - annotate - [select for diffs], Sun Sep 28 14:39:55 2008 UTC (15 years, 8 months ago) by jsing
Branch: MAIN
Changes since 1.621: +7 -1 lines
Diff to previous 1.621 (colored)

Teach PF pf_print_state_parts() about IPv4 in IP and IPv6 in IP
encapsulation. Decapitalise the 'v' in ICMPv6 whilst here.

ok henning@

Revision 1.621 / (download) - annotate - [select for diffs], Wed Sep 17 20:10:37 2008 UTC (15 years, 8 months ago) by chl
Branch: MAIN
Changes since 1.620: +2 -5 lines
Diff to previous 1.620 (colored)

remove dead stores and newly created unused variables.

fix potential use of uninitialized value in trunk_port_ioctl() function.

Found by LLVM/Clang Static Analyzer.

ok mpf@ henning@

Revision 1.620 / (download) - annotate - [select for diffs], Wed Sep 10 09:10:17 2008 UTC (15 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.619: +1 -5 lines
Diff to previous 1.619 (colored)

re-enable the state key linking. i believe the bugs that hit us shortly
before release are fixed, and the extra check i added prevents incorrect
linking if there are still cases with tunnels, tho none of the testers
saw these yet, except for an icmp case that will be fixed shortly. the
extra check prevents misbehavior there.
if you see 'pf: state key linking mismatch' messages please report them to
me along with ifconfig -A and mention if you do any routing or nat tricks.
ok deraadt

Revision 1.619 / (download) - annotate - [select for diffs], Tue Sep 9 13:56:39 2008 UTC (15 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.618: +9 -1 lines
Diff to previous 1.618 (colored)

welcome pflow(4), a netflow v5 compatible flow export interface.
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo

Revision 1.618 / (download) - annotate - [select for diffs], Wed Sep 3 12:57:19 2008 UTC (15 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.617: +37 -2 lines
Diff to previous 1.617 (colored)

before linking state keys compare them to verify they actually are the
exact reverse of each other. if there is a mismatch don't establish the
link and print enough so that we should be able to find the culprit.

Revision 1.617 / (download) - annotate - [select for diffs], Tue Sep 2 17:35:16 2008 UTC (15 years, 9 months ago) by chl
Branch: MAIN
Changes since 1.616: +3 -3 lines
Diff to previous 1.616 (colored)

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok henning@ mpf@

Revision 1.616 / (download) - annotate - [select for diffs], Tue Aug 26 12:17:10 2008 UTC (15 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.615: +11 -1 lines
Diff to previous 1.615 (colored)

introduce a function to be called when addressing information has changed,
pf_pkt_addr_changed. atm just clears the state key pointer.
calling this is cleaner than having other parts of the stack clearing
pointers in the pf part of the mbuf packet header directly.

Revision 1.615 / (download) - annotate - [select for diffs], Fri Aug 22 00:35:08 2008 UTC (15 years, 9 months ago) by bluhm
Branch: MAIN
Changes since 1.614: +18 -19 lines
Diff to previous 1.614 (colored)

Make pf_print_host() print IPv6 addresses correctly.
ok mpf

Revision 1.614 / (download) - annotate - [select for diffs], Sat Aug 2 12:34:37 2008 UTC (15 years, 10 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_4_4_BASE
Branch point for: OPENBSD_4_4
Changes since 1.613: +5 -1 lines
Diff to previous 1.613 (colored)

do not write the pf state key pointer to the pkhdr.
effectively disables state key linking and pcb linking - unfortunately,
there seems to be a bug somewhere in there or triggered by it that
we haven't tracked down yet, so we disable this for now to be on the safe
side for release.
lots of testing and analysis from todd and david.

Revision 1.613 / (download) - annotate - [select for diffs], Tue Jul 22 12:31:35 2008 UTC (15 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.612: +8 -5 lines
Diff to previous 1.612 (colored)

after pf_state_key_attach nothing must use the state keys passed to it any
more, since they might have been invalidated and free'd.
one synproxy errorpath did so, however. just get the state keys from the
state itself. ok david mcbride

Revision 1.612 / (download) - annotate - [select for diffs], Mon Jul 21 15:58:59 2008 UTC (15 years, 10 months ago) by david
Branch: MAIN
Changes since 1.611: +6 -6 lines
Diff to previous 1.611 (colored)

some whitespace cleanup I did while looking through the code
ok mcbride@ henning@

Revision 1.611 / (download) - annotate - [select for diffs], Mon Jul 21 15:56:55 2008 UTC (15 years, 10 months ago) by david
Branch: MAIN
Changes since 1.610: +2 -2 lines
Diff to previous 1.610 (colored)

fix typo that broke rdr rules (without pass) with non-TCP/UDP/ICMP protocols
ok mcbride@ henning@

Revision 1.610 / (download) - annotate - [select for diffs], Mon Jul 14 13:29:45 2008 UTC (15 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.609: +4 -2 lines
Diff to previous 1.609 (colored)

m_copy can return NULL, so check for it
problem found by "Adrian M. Whatley" <amw> and "Stephan A. Rickauer"
<stephan.rickauer>, both @ni.phys.ethz.ch
fix by me, ok mpf

Revision 1.609 / (download) - annotate - [select for diffs], Thu Jul 10 07:41:21 2008 UTC (15 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.608: +6 -6 lines
Diff to previous 1.608 (colored)

check pf NAT source port allocation against net.inet.(tcp|udp).baddynamic
lists; prevents use of ports corresponding to well-known services.

replace a couple of arc4random()%N with arc4random_uniform(N) that
missed the first round.

ok mcbride@

Revision 1.608 / (download) - annotate - [select for diffs], Thu Jul 10 05:44:54 2008 UTC (15 years, 11 months ago) by david
Branch: MAIN
Changes since 1.607: +9 -6 lines
Diff to previous 1.607 (colored)

In pf_state_insert(), if the first pf_state_key_attach() fails, the
state key is freed by pf_state_key_attach().  But in the case of NAT,
there are two state keys allocated, so we must free the second key
manually.  Fixes a pf_state_key_pl leak seen in certain cases with
pfsync or with pf state-insert errors.
ok mcbride@ henning@

Revision 1.607 / (download) - annotate - [select for diffs], Sat Jul 5 16:57:50 2008 UTC (15 years, 11 months ago) by david
Branch: MAIN
Changes since 1.606: +3 -3 lines
Diff to previous 1.606 (colored)

in pf_state_key_attach(), when there is already an existing state key that
can be used and we return the state key back to the pool, don't insert
state items into the tailq using that garbage state key.
this makes things much happier for me.
ok henning@

Revision 1.606 / (download) - annotate - [select for diffs], Fri Jul 4 00:56:48 2008 UTC (15 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.605: +3 -3 lines
Diff to previous 1.605 (colored)

in pf_state_key_attach(), when we find that there already is a state key
that we can attach the state to, make sure to not overwrite the state key
pointer in the state that was just set to the existing state key with the
state key that was supplied with the state and just free'd (well, pool_put'd).
by the time we clean up the state and try to follow it to RB_REMOVE etc
we'd follow that garbage pointer to either an unrelated state key or the old
state key still sitting unused in the pool.
should fix the RB_REMOVE panics some people have been seeing.
"clearly ok, please commit" ryan

Revision 1.605 / (download) - annotate - [select for diffs], Fri Jul 4 00:09:31 2008 UTC (15 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.604: +1 -3 lines
Diff to previous 1.604 (colored)

remove prototype for nonexistent function

Revision 1.604 / (download) - annotate - [select for diffs], Thu Jul 3 15:46:23 2008 UTC (15 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.603: +3 -1 lines
Diff to previous 1.603 (colored)

link pf state keys to tcp pcbs and vice versa.
when we first do a pcb lookup and we have a pointer to a pf state key
in the mbuf header, store the state key pointer in the pcb and a pointer
to the pcb we just found in the state key. when either the state key
or the pcb is removed, clear the pointers.
on subsequent packets inbound we can skip the pcb lookup and just use the
pointer from the state key.
on subsequent packets outbound we can skip the state key lookup and use
the pointer from the pcb.
about 8% speedup with 100 concurrent tcp sessions, should help much more
with more tcp sessions.
ok markus ryan

Revision 1.603 / (download) - annotate - [select for diffs], Tue Jul 1 13:07:02 2008 UTC (15 years, 11 months ago) by mcbride
Branch: MAIN
Changes since 1.602: +2 -1 lines
Diff to previous 1.602 (colored)

Don't return immediately if we're actually passing the traffic, we want to
ensure that the packet gets rewritten correctly first.

As usual, problem pointed out by david
ok henning

Revision 1.602 / (download) - annotate - [select for diffs], Tue Jul 1 12:56:19 2008 UTC (15 years, 11 months ago) by mcbride
Branch: MAIN
Changes since 1.601: +1 -3 lines
Diff to previous 1.601 (colored)

PF_DT_SKIP_STATETREE is no longer used.

ok henning

Revision 1.601 / (download) - annotate - [select for diffs], Sun Jun 29 08:42:15 2008 UTC (15 years, 11 months ago) by mcbride
Branch: MAIN
Changes since 1.600: +82 -97 lines
Diff to previous 1.600 (colored)

Simplify state creation code; merge state import/export code between pfsync
and the state-related pf(4) ioctls, and make functions in state creation and
destruction paths more robust in error conditions.

All values in struct pfsync_state now in network byte order, as with pfsync.

testing by david
ok henning, systat parts ok canacar

Revision 1.600 / (download) - annotate - [select for diffs], Thu Jun 26 03:56:20 2008 UTC (15 years, 11 months ago) by mcbride
Branch: MAIN
Changes since 1.599: +4 -8 lines
Diff to previous 1.599 (colored)

Fix sticky-address on rdr; With the current nat code, we always use the same
address in the NATed state key for translation regardless of direction.

Report and testing by david@

Revision 1.599 / (download) - annotate - [select for diffs], Sat Jun 21 02:05:46 2008 UTC (15 years, 11 months ago) by mcbride
Branch: MAIN
Changes since 1.598: +2 -2 lines
Diff to previous 1.598 (colored)

Only do state key linking on the outbound path.
Fixes stateful filtering on enc0.

Problem report, testing, and ok david@

Revision 1.598 / (download) - annotate - [select for diffs], Mon Jun 16 01:16:04 2008 UTC (15 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.597: +3 -1 lines
Diff to previous 1.597 (colored)

when freeing a state key sk1, look whether it is linked to another state key
sk2 and reset sk2's link back to sk1

Revision 1.597 / (download) - annotate - [select for diffs], Thu Jun 12 18:41:41 2008 UTC (16 years ago) by henning
Branch: MAIN
Changes since 1.596: +9 -4 lines
Diff to previous 1.596 (colored)

fix synproxy.
the factored out pf_create_state() could return PF_PASS, _DROP, and
_SYNPROXY_DROP. We were treating the latter the same as _PASS and thus
passing the original SYN which we of course don't want in the synproxy
case.
breakage reported by sakurai-san, headscratching with and ok ryan

Revision 1.596 / (download) - annotate - [select for diffs], Wed Jun 11 17:52:37 2008 UTC (16 years ago) by henning
Branch: MAIN
Changes since 1.595: +4 -2 lines
Diff to previous 1.595 (colored)

when we establish the mapping from a state key, do it both ways, aka
key1->reverse = key2; and key2->reverse = key1;
ok ryan

Revision 1.595 / (download) - annotate - [select for diffs], Wed Jun 11 04:04:19 2008 UTC (16 years ago) by henning
Branch: MAIN
Changes since 1.594: +222 -200 lines
Diff to previous 1.594 (colored)

factor out state creation code for readability; make it static inline
to not hurt performance while passing the 20 args (sigh)
ok theo ryan, ok + feedback jsing

Revision 1.594 / (download) - annotate - [select for diffs], Wed Jun 11 03:36:33 2008 UTC (16 years ago) by henning
Branch: MAIN
Changes since 1.593: +4 -4 lines
Diff to previous 1.593 (colored)

superfluous to check for m != NULL in pf_find_state, it is plain
impossible that m is NULL here since all callers dereference it
unconditionally beforehand, and finding a state without an mbuf doesn't
make sense in the first place

Revision 1.593 / (download) - annotate - [select for diffs], Wed Jun 11 03:28:10 2008 UTC (16 years ago) by henning
Branch: MAIN
Changes since 1.592: +3 -0 lines
Diff to previous 1.592 (colored)

after finding a state in the outbound path clear the statekey pointer
in the header so it cannot get used again in case of somewhat weird
reflection + mbuf-reuse-without-pkthdr-clearing cases. it looks like
gif falls into the latter category.
discussed with and ok theo

Revision 1.592 / (download) - annotate - [select for diffs], Wed Jun 11 03:26:03 2008 UTC (16 years ago) by henning
Branch: MAIN
Changes since 1.591: +4 -4 lines
Diff to previous 1.591 (colored)

extra paranoia:
1) only set the state key in the mbuf header in the inbound case
2) only use it in the outbound case
discussed with and ok theo

Revision 1.591 / (download) - annotate - [select for diffs], Wed Jun 11 02:54:05 2008 UTC (16 years ago) by henning
Branch: MAIN
Changes since 1.590: +2 -2 lines
Diff to previous 1.590 (colored)

yuck, fix a last minute collision

Revision 1.590 / (download) - annotate - [select for diffs], Wed Jun 11 02:46:34 2008 UTC (16 years ago) by henning
Branch: MAIN
Changes since 1.589: +35 -20 lines
Diff to previous 1.589 (colored)

store a pointer to the stack side state key in the mbuf packet
header inbound. on the outbound side, we take that and look for the key
that is the exact opposite, and store that mapping in the state key. on
subsequent packets we don't have to do the lookup on outbound any more.
almost unable to get real benchmarks going here, we know for sure this
gives a more than 5% increase in forwarding performance.
many thanks to ckuethe for stress- and performance-testing.
ok ryan theo

Revision 1.589 / (download) - annotate - [select for diffs], Tue Jun 10 22:59:13 2008 UTC (16 years ago) by reyk
Branch: MAIN
Changes since 1.588: +10 -1 lines
Diff to previous 1.588 (colored)

Handle the closing of half connections where we don't see the full
bidirectional FIN/ACK+ACK handshake.

ok henning@

Revision 1.588 / (download) - annotate - [select for diffs], Tue Jun 10 22:39:31 2008 UTC (16 years ago) by mcbride
Branch: MAIN
Changes since 1.587: +4 -7 lines
Diff to previous 1.587 (colored)

Simplify code slightly; use PR_ZERO with pool_get() rather than bzero().

ok mpf henning

Revision 1.587 / (download) - annotate - [select for diffs], Tue Jun 10 21:14:39 2008 UTC (16 years ago) by reyk
Branch: MAIN
Changes since 1.586: +17 -2 lines
Diff to previous 1.586 (colored)

Handle a special sloppy case where we only see one half of the
connection. If there is a ACK after the initial SYN without ever
seeing a packet from the destination, set the connection to
established.

ok henning@

Revision 1.586 / (download) - annotate - [select for diffs], Tue Jun 10 20:05:13 2008 UTC (16 years ago) by henning
Branch: MAIN
Changes since 1.585: +1 -3 lines
Diff to previous 1.585 (colored)

remove a debug check & printf that should not have gone in in the first
place

Revision 1.585 / (download) - annotate - [select for diffs], Tue Jun 10 19:32:13 2008 UTC (16 years ago) by henning
Branch: MAIN
Changes since 1.584: +9 -7 lines
Diff to previous 1.584 (colored)

save some space in the state by collapsing two 8 bit ints used as booleans
into one 8 bit flags field.
shrinks the state structure by 4 bytes on 32bit archs
ryan ok

Revision 1.584 / (download) - annotate - [select for diffs], Tue Jun 10 04:26:31 2008 UTC (16 years ago) by henning
Branch: MAIN
Changes since 1.583: +2 -2 lines
Diff to previous 1.583 (colored)

in pf_test_state_icmp when trying to match icmp errors to tcp sessions
do not verify the sequence number against the state if the state is sloppy
and thus doesn't have that information.
independently pointed out by frantzen and ryan, ok ryan

Revision 1.583 / (download) - annotate - [select for diffs], Tue Jun 10 04:24:17 2008 UTC (16 years ago) by henning
Branch: MAIN
Changes since 1.582: +63 -6 lines
Diff to previous 1.582 (colored)

implement a sloppy tcpstate tracker which does not look at sequence
numbers at all. scary consequences; only to be used in very specific
situations where you don't see all packets of a connection, e. g.
asymmetric routing. ok ryan reyk theo

Revision 1.582 / (download) - annotate - [select for diffs], Mon Jun 9 07:07:16 2008 UTC (16 years ago) by djm
Branch: MAIN
Changes since 1.581: +2 -2 lines
Diff to previous 1.581 (colored)

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@

Revision 1.581 / (download) - annotate - [select for diffs], Sun Jun 8 21:30:44 2008 UTC (16 years ago) by henning
Branch: MAIN
Changes since 1.580: +157 -144 lines
Diff to previous 1.580 (colored)

factor out the tcp sequence number tracking from pf_test_state_tcp
ok mcbride

Revision 1.580 / (download) - annotate - [select for diffs], Sun Jun 8 17:23:19 2008 UTC (16 years ago) by henning
Branch: MAIN
Changes since 1.579: +3 -2 lines
Diff to previous 1.579 (colored)

null pointer check before deref
almost nobody ran into that because it is ipv6 only

Revision 1.579 / (download) - annotate - [select for diffs], Mon Jun 2 11:38:22 2008 UTC (16 years ago) by mcbride
Branch: MAIN
Changes since 1.578: +22 -19 lines
Diff to previous 1.578 (colored)

Fix synproxy breakage introduced with the state table reorganization.
Bug report and testing from Otto Bretz.

ok henning@

Revision 1.578 / (download) - annotate - [select for diffs], Fri May 30 14:22:48 2008 UTC (16 years ago) by henning
Branch: MAIN
Changes since 1.577: +5 -4 lines
Diff to previous 1.577 (colored)

trivial KNF before we go further

Revision 1.577 / (download) - annotate - [select for diffs], Thu May 29 01:00:53 2008 UTC (16 years ago) by mcbride
Branch: MAIN
Changes since 1.576: +735 -711 lines
Diff to previous 1.576 (colored)

Second half of PF state table rearrangement.
- Mechanical change: Use arrays for state key pointers in pf_state, and
  addr/port in pf_state_key, to allow the use of indexes.
- Fix NAT, pfsync, pfctl, and tcpdump to handle the new state structures.
  In struct pfsync_state, both state keys are included even when identical.
- Also fix some bugs discovered in the existing code during testing.
  (in particular, "block return" for TCP packets was not returning an RST)

ok henning beck deraadt
tested by otto dlg beck laurent

Special thanks to users Manuel Pata and Emilio Perea who did enough testing
to actually find some bugs.

Revision 1.576 / (download) - annotate - [select for diffs], Thu May 29 00:28:07 2008 UTC (16 years ago) by henning
Branch: MAIN
Changes since 1.575: +434 -518 lines
Diff to previous 1.575 (colored)

rewrite the state table logic.
complete the split off of the layer 3/4 addressing information from the extra
information in the actual state. a state key holds a list of states, and a
state points to two state keys - they're only different in the NAT case.
More specifically, it deprecates the (often difficult to understand)
concept of lan, ext, and gwy addresses, replacing them with WIRE and
STACK side address tuples.  (af, proto, saddr, daddr, sport, dport).
Concept first brought up some years ago on a ferry ride in bc by ryan and
me, I spent some time over the last year getting closer, and finally
got it completed in japan with ryan. dlg also took part, helped a lot,
and saved us 8 bytes.
This commit removes support for any kind of NAT as well as pfsync.
It also paves the road for some code simplification and some very cool
future stuff.
ok ryan beck, tested by many

Revision 1.575 / (download) - annotate - [select for diffs], Sun May 18 11:54:04 2008 UTC (16 years ago) by mcbride
Branch: MAIN
Changes since 1.574: +44 -44 lines
Diff to previous 1.574 (colored)

KNF

Revision 1.574 / (download) - annotate - [select for diffs], Thu May 15 19:40:37 2008 UTC (16 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.573: +3 -2 lines
Diff to previous 1.573 (colored)

divert for ipv6; ok henning, pyr

Revision 1.573 / (download) - annotate - [select for diffs], Fri May 9 02:44:54 2008 UTC (16 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.572: +52 -2 lines
Diff to previous 1.572 (colored)

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@

Revision 1.572 / (download) - annotate - [select for diffs], Wed May 7 07:07:29 2008 UTC (16 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.571: +1 -2 lines
Diff to previous 1.571 (colored)

scrub packets based on tags; ok henning

Revision 1.571 / (download) - annotate - [select for diffs], Wed May 7 06:15:26 2008 UTC (16 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.570: +0 -16 lines
Diff to previous 1.570 (colored)

backout last change, it's already there....

Revision 1.570 / (download) - annotate - [select for diffs], Tue May 6 09:44:25 2008 UTC (16 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.569: +17 -1 lines
Diff to previous 1.569 (colored)

Kill state if we get SYN for a state that has been closed from both sides.
ok henning@

Revision 1.569 / (download) - annotate - [select for diffs], Tue May 6 03:45:21 2008 UTC (16 years, 1 month ago) by mpf
Branch: MAIN
Changes since 1.568: +20 -15 lines
Diff to previous 1.568 (colored)

Add a counter to record how many states have been created by a rule.
It shows up in pfctl verbose mode and in the 7th field of the labels
output.  Also remove the label printing for scrub rules, as they
do not support labels.
OK dhartmei@ (on an earlier version), henning@, mcbride@

Revision 1.568 / (download) - annotate - [select for diffs], Mon May 5 13:00:43 2008 UTC (16 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.567: +2 -3 lines
Diff to previous 1.567 (colored)

remove a useless refcnt in pf_state_key.
when it is in fact only used to delete the state key when the number of
attached states (in a tailq) drops to zero, we can as well test for the
queue being empty.
this is a leftover from some early version that did things differently.
ok ryan

Revision 1.567 / (download) - annotate - [select for diffs], Wed Feb 20 23:40:13 2008 UTC (16 years, 3 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_4_3_BASE
Branch point for: OPENBSD_4_3
Changes since 1.566: +16 -4 lines
Diff to previous 1.566 (colored)

make return-rst work correctly in the IPv6 case again.
broken by me almost a year ago with the proto_checksum changes :(
problem noticed & fix tested by Helmut Schneider <jumper99@gmx.de>
narrowed down & ok dhartmei

Revision 1.566 / (download) - annotate - [select for diffs], Sat Feb 16 12:22:19 2008 UTC (16 years, 3 months ago) by markus
Branch: MAIN
Changes since 1.565: +42 -5 lines
Diff to previous 1.565 (colored)

switch to RFC 1948 style ISN, too; ok mcbride, dhartmei, henning

Revision 1.552.2.1 / (download) - annotate - [select for diffs], Tue Nov 27 16:37:57 2007 UTC (16 years, 6 months ago) by henning
Branch: OPENBSD_4_2
Changes since 1.552: +5 -5 lines
Diff to previous 1.552 (colored) next main 1.553 (colored)

MFC: rev 1.565 (me)
fix a memory leak

Revision 1.565 / (download) - annotate - [select for diffs], Thu Nov 22 02:01:46 2007 UTC (16 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.564: +5 -5 lines
Diff to previous 1.564 (colored)

pf_src_tree_remove_state() is called upon pf_insert_state() failures.
but pf_insert_state does fiddle with the state's state_key pointer - it
has to -, and can leave it at NULL. pf_src_tree_remove_state()
tried to grab the protocol from it. fortunately that is superfluous here,
since tcp_est will never be set in the non-tcp case - it is only touched
in pf_src_connlimit which in turn is only ever called from pf_test_tcp().
ok mcbride + identical diff from pascoe, but he was a few minutes late :)

Revision 1.564 / (download) - annotate - [select for diffs], Sun Nov 18 21:53:47 2007 UTC (16 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.563: +1 -2 lines
Diff to previous 1.563 (colored)

backout 1.562 since it triggers the problem described in pr 5648
please close the pr after another solution is found for both problems

Revision 1.563 / (download) - annotate - [select for diffs], Fri Nov 16 14:03:37 2007 UTC (16 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.562: +12 -4 lines
Diff to previous 1.562 (colored)

in pf_test_fragment(), ignore protocol-specific criteria for packets of
different protocols. from Max Laier. ok markus@, henning@

Revision 1.562 / (download) - annotate - [select for diffs], Sun Nov 11 23:58:43 2007 UTC (16 years, 7 months ago) by pascoe
Branch: MAIN
Changes since 1.561: +2 -1 lines
Diff to previous 1.561 (colored)

Don't leak pfstatekey upon insert conflict (most often caused via pfsync).

tested david@, ok dhartmei@

Revision 1.561 / (download) - annotate - [select for diffs], Wed Oct 31 21:15:27 2007 UTC (16 years, 7 months ago) by mpf
Branch: MAIN
Changes since 1.560: +5 -3 lines
Diff to previous 1.560 (colored)

'block return' must not send anything on blocked icmp packets.
Noticed by Kai_Doernemann_at_genua.de
OK henning@, deraadt@

Revision 1.560 / (download) - annotate - [select for diffs], Thu Oct 25 21:36:21 2007 UTC (16 years, 7 months ago) by mpf
Branch: MAIN
Changes since 1.559: +5 -3 lines
Diff to previous 1.559 (colored)

Fix probability rules w/ numbers (e.g. probability 0.4).
Add support for probabilities of 0% and 100%.
With and OK deraadt@

Revision 1.559 / (download) - annotate - [select for diffs], Tue Sep 18 18:45:59 2007 UTC (16 years, 8 months ago) by markus
Branch: MAIN
Changes since 1.558: +17 -1 lines
Diff to previous 1.558 (colored)

allow state reuse for tcp if both sides are in FIN_WAIT_2 and a new SYN
arrives; ok dhartmei, henning, feedback aaron

Revision 1.558 / (download) - annotate - [select for diffs], Fri Sep 7 20:34:10 2007 UTC (16 years, 9 months ago) by bluhm
Branch: MAIN
Changes since 1.557: +2 -4 lines
Diff to previous 1.557 (colored)

Do not recalculate TCP payload length in pf_test_rule() as it has
been cached in pd->p_len.
ok henning@ markus@

Revision 1.557 / (download) - annotate - [select for diffs], Thu Aug 30 13:07:06 2007 UTC (16 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.556: +16 -19 lines
Diff to previous 1.556 (colored)

mechanic change:
there is a 1:1 mapping between direction and the tree the states get
attached to. there is no need to have anything outside the state insertion/
deletion/lookup routines know about these internals. so just pass the
direction to the lookup functions and let them pick the right tree.
ok dhartmei markus

Revision 1.556 / (download) - annotate - [select for diffs], Thu Aug 30 10:43:43 2007 UTC (16 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.555: +2 -1 lines
Diff to previous 1.555 (colored)

handle address ranges in skip step calculation

Revision 1.555 / (download) - annotate - [select for diffs], Thu Aug 30 09:28:48 2007 UTC (16 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.554: +39 -1 lines
Diff to previous 1.554 (colored)

add support for address ranges ("from 10.1.2.50 - 10.1.3.75") in from/to
criteria. ok mcbride@

Revision 1.554 / (download) - annotate - [select for diffs], Tue Aug 28 16:09:12 2007 UTC (16 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.553: +2 -2 lines
Diff to previous 1.553 (colored)

showing this diff is shameful...

        if (r != NULL && r->rtableid >= 0)
-               m->m_pkthdr.pf.rtableid = m->m_pkthdr.pf.rtableid;
+               m->m_pkthdr.pf.rtableid = r->rtableid;
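Review bot: the removed line is a self-assignment, `m->m_pkthdr.pf.rtableid = m->m_pkthdr.pf.rtableid;`, which compiles without complaint but does nothing, so the `r != NULL && r->rtableid >= 0` guard above it never caused the rule's table to be applied; the added line `m->m_pkthdr.pf.rtableid = r->rtableid;` is the copy from the matched rule that was intended. A self-assignment of this shape is something a lint pass or a compiler self-assign warning would flag, so it is worth running one over this file to check for further instances.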

fortunately it is in pf_send_tcp and thus the effect is very limited, RSTs
sent due to "block return(-rst)" could be routed using the main routing
table instead of an alternate one specified on the block rule.
spotted by Janjaap van Velthooven <janjaap@stack.nl>

Revision 1.553 / (download) - annotate - [select for diffs], Thu Aug 23 11:15:49 2007 UTC (16 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.552: +8 -4 lines
Diff to previous 1.552 (colored)

allow RSTs with th_seq == seqlo +- 1, reduces the amount of 'loose state'
messages, add 'dir=' part to 'loose state' message, ok henning@, markus@

Revision 1.552 / (download) - annotate - [select for diffs], Tue Aug 21 15:57:27 2007 UTC (16 years, 9 months ago) by dhartmei
Branch: MAIN
CVS Tags: OPENBSD_4_2_BASE
Branch point for: OPENBSD_4_2
Changes since 1.551: +1 -2 lines
Diff to previous 1.551 (colored)

don't access th_flags when it isn't available (only 8 bytes of the
header are required in the ICMP error). ok deraadt@, henning@

Revision 1.551 / (download) - annotate - [select for diffs], Wed Jul 18 15:39:44 2007 UTC (16 years, 10 months ago) by mpf
Branch: MAIN
Changes since 1.550: +2 -2 lines
Diff to previous 1.550 (colored)

Don't drop outgoing packets in case of a congested input queue.
OK markus@, mcbride@, "sounds reasonable" henning@

Revision 1.550 / (download) - annotate - [select for diffs], Tue Jul 10 15:58:37 2007 UTC (16 years, 11 months ago) by kurt
Branch: MAIN
Changes since 1.549: +14 -26 lines
Diff to previous 1.549 (colored)

adjust pf_find_state_all() so that it works correctly for the new global
table/state tail queue design. corrects ftp-proxy errors "server lookup
failed (no rdr?)" okay henning@

Revision 1.549 / (download) - annotate - [select for diffs], Wed Jul 4 08:14:14 2007 UTC (16 years, 11 months ago) by mpf
Branch: MAIN
Changes since 1.548: +1 -3 lines
Diff to previous 1.548 (colored)

No m_copyback for ICMP and "other" protocols on rdr/binat.
Fixes ICMP packet payload corruption on rdr.

OK henning@, markus@

Revision 1.548 / (download) - annotate - [select for diffs], Mon Jun 25 13:57:18 2007 UTC (16 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.547: +13 -9 lines
Diff to previous 1.547 (colored)

pretty mechanical change: now that the state tables use separate state
keys that can map to multiple states (last not least for ifbound) we don't
need state tables hanging off each struct kif representing an interface
any more. use two globals for the two tables. ok markus ryan

Revision 1.547 / (download) - annotate - [select for diffs], Sun Jun 24 11:17:13 2007 UTC (16 years, 11 months ago) by mcbride
Branch: MAIN
Changes since 1.546: +8 -8 lines
Diff to previous 1.546 (colored)

Save some bytes and make code more readable by removing junk union and
unused ifname (this information is in struct pf_state_sync now).

Also a bit of KNF on the pf_state struct.

ok mpf@ henning@

Revision 1.546 / (download) - annotate - [select for diffs], Thu Jun 21 11:55:54 2007 UTC (16 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.545: +125 -84 lines
Diff to previous 1.545 (colored)

reimplement interface bound states in a non-retarded way.
previously, we had a set of state tables attached to each interface. so for
every packet we had to do a lookup in the tables for the interface, and
afterwards in the global tables.
since we split state keys and states now, use only the global tables, and
put the actual states in a tail queue attached to the state key. sort the
list so that ifbound states come before global ones. on lookup, we only
have to compare the interface pointer on the actual states and use the
first one where either the interface matches or the state is not interface
bound. thus, if you don't actually use ifbound states, and there is only
one state per state key, the overhead is close to zero, where we had extra
lookups before. in addition to a much cleaner design (that'll allow for more
goodies later) this gives us ~12.5% more forwarding performance.
mostly hacked at c2k7, lots of help, testing and ok mcbride & markus

Revision 1.545 / (download) - annotate - [select for diffs], Wed Jun 20 14:14:17 2007 UTC (16 years, 11 months ago) by mpf
Branch: MAIN
Changes since 1.544: +2 -2 lines
Diff to previous 1.544 (colored)

Allow "log" for nat rules without "pass".
OK henning@, ``passt scho'' markus@

Revision 1.544 / (download) - annotate - [select for diffs], Fri Jun 15 08:18:59 2007 UTC (17 years ago) by henning
Branch: MAIN
Changes since 1.543: +7 -4 lines
Diff to previous 1.543 (colored)

in pf_test_rule, before handling IPPROTO_ICMP / IPPROTO_ICMPV6, check that
the packet is of the expected address family (AF_INET / AF_INET6).
crafted IPv4 packets with IPPROTO_ICMPV6 can make us crash otherwise.
misbehaviour provoked by Adrian Close <adrian@close.wattle.id.au> playing
with nmap; he also helped us big time debugging the problem. thanks!
ok ryan

Revision 1.543 / (download) - annotate - [select for diffs], Sat Jun 9 18:30:47 2007 UTC (17 years ago) by henning
Branch: MAIN
Changes since 1.542: +2 -2 lines
Diff to previous 1.542 (colored)

fix wrong argument passing to m_copyback for the log case
(&ptr instead of ptr). should fix pflog breakage seen by bob

Revision 1.542 / (download) - annotate - [select for diffs], Sat Jun 9 16:32:00 2007 UTC (17 years ago) by henning
Branch: MAIN
Changes since 1.541: +3 -3 lines
Diff to previous 1.541 (colored)

sizeof(ptr) is no good if you want sizeof(*ptr). icmp/icmpv6.

Revision 1.541 / (download) - annotate - [select for diffs], Sat Jun 2 01:28:55 2007 UTC (17 years ago) by henning
Branch: MAIN
Changes since 1.540: +3 -2 lines
Diff to previous 1.540 (colored)

pf_set_rt_ifp accesses state key data, so must be called later

Revision 1.540 / (download) - annotate - [select for diffs], Fri Jun 1 18:44:22 2007 UTC (17 years ago) by henning
Branch: MAIN
Changes since 1.539: +70 -59 lines
Diff to previous 1.539 (colored)

factor out duplicated code to allocate state key and cross-reference it
with a state entry into a new pf_alloc_state_key() function and use it
everywhere. makes upcoming changes way easier and is cleaner anyway.
conceptually agreed by ryan, but he's on the road now ;(

Revision 1.539 / (download) - annotate - [select for diffs], Fri Jun 1 18:01:59 2007 UTC (17 years ago) by henning
Branch: MAIN
Changes since 1.538: +359 -1018 lines
Diff to previous 1.538 (colored)

fold pf_test_tcp(), pf_test_udp(), pf_test_icmp(), pf_test_other() into
one - pf_test_rule(). now we have one place to make things clearer and
maybe find another few performance bits :)
shrinks i386 GENERIC by 11K, no measurable performance impact or gain.
lots lots lots lots lots of testing and headbanging with ryan,
performance testing ckuethe. ok ryan

Revision 1.538 / (download) - annotate - [select for diffs], Fri Jun 1 00:52:38 2007 UTC (17 years ago) by henning
Branch: MAIN
Changes since 1.537: +3 -3 lines
Diff to previous 1.537 (colored)

apply the "skip ipsec if there are no flows" speedup diff to IPv6 too.
we need a pointer to the inpcb to decide, which was not previously
passed to ip6_output, so this diff is a little bigger.
from itojun, ok ryan

Revision 1.537 / (download) - annotate - [select for diffs], Thu May 31 18:48:05 2007 UTC (17 years ago) by mcbride
Branch: MAIN
Changes since 1.536: +25 -27 lines
Diff to previous 1.536 (colored)

Move the state id and creatorid (used mainly by pfsync) into struct pf_state.

ok henning@

Revision 1.536 / (download) - annotate - [select for diffs], Thu May 31 06:22:40 2007 UTC (17 years ago) by mcbride
Branch: MAIN
Changes since 1.535: +4 -2 lines
Diff to previous 1.535 (colored)

Unbreak pf.c compilation on gcc 2.95 architectures. Found by todd@

Revision 1.535 / (download) - annotate - [select for diffs], Thu May 31 04:11:42 2007 UTC (17 years ago) by mcbride
Branch: MAIN
Changes since 1.534: +343 -255 lines
Diff to previous 1.534 (colored)

First step of rearranging pf's state table internals...

- Split pf_state into pf_state (used for tracking connection information),
  and pf_state_key (used for searching the state table)

- Use pfsync_state in the ioctl for userland access to the state
  table. This will shield userland somewhat from future changes.

ok henning@ toby@ pyr@

Revision 1.534 / (download) - annotate - [select for diffs], Tue May 29 00:50:41 2007 UTC (17 years ago) by henning
Branch: MAIN
Changes since 1.533: +16 -49 lines
Diff to previous 1.533 (colored)

gain us another 10+% of performance.
boring details:
long time ago (in r1.313) code was added to handle protocol checksums:
> Check protocol (TCP/UDP/ICMP/ICMP6) checksums of all incoming packets,
> and drop packets with invalid checksums. Without such a check, pf would
> return RST/ICMP errors even for packets with invalid checksums, which
> could be used to detect the presence of the firewall, reported by
> "Ed White" in http://www.phrack.org/phrack/60/p60-0x0c.txt.
that meant we did the checksumming for each and every packet traversing pf.
now only do the checksumming right before we send an RST back, so in all
other cases we save that work.
ok bob theo

Revision 1.533 / (download) - annotate - [select for diffs], Mon May 28 17:16:39 2007 UTC (17 years ago) by henning
Branch: MAIN
Changes since 1.532: +47 -104 lines
Diff to previous 1.532 (colored)

double pf performance.
boring details:
pf used to use an mbuf tag to keep track of route-to etc, altq, tags,
routing table IDs, packets redirected to localhost etc. so each and every
packet going through pf got an mbuf tag. mbuf tags use malloc'd memory,
and that is kinda slow.
instead, stuff the information into the mbuf header directly.
bridging soekris with just "pass" as ruleset went from 29 MBit/s to
58 MBit/s with that (before ryan's randomness fix, now it is even betterer)
thanks to chris for the test setup!
ok ryan ryan ckuethe reyk

Revision 1.532 / (download) - annotate - [select for diffs], Sun May 27 21:17:38 2007 UTC (17 years ago) by dlg
Branch: MAIN
Changes since 1.531: +4 -2 lines
Diff to previous 1.531 (colored)

get rid of static.

ok claudio@ reyk@ henning@ ja ja ja mcbride@

Revision 1.531 / (download) - annotate - [select for diffs], Sun May 27 18:30:02 2007 UTC (17 years ago) by pyr
Branch: MAIN
Changes since 1.530: +9 -7 lines
Diff to previous 1.530 (colored)

clarify things by passing kif->pfik_ifp around in pf_test{,6} instead
of reassigning a struct ifnet pointer.
discussed with and ok mcbride@

Revision 1.530 / (download) - annotate - [select for diffs], Sat May 26 20:12:02 2007 UTC (17 years ago) by henning
Branch: MAIN
Changes since 1.529: +3 -3 lines
Diff to previous 1.529 (colored)

add comments indicating why we do m = *m0; again after pf_normalize, ryan ok

Revision 1.529 / (download) - annotate - [select for diffs], Tue May 8 23:36:25 2007 UTC (17 years, 1 month ago) by mcbride
Branch: MAIN
Changes since 1.528: +8 -0 lines
Diff to previous 1.528 (colored)

block ALL packets with rthdr0 in pf_test6(). We already do this
in ip6_input(), but pf_test6() is called from bridge code as well.

ok dhartmei@ henning@ deraadt@ claudio@

Revision 1.528 / (download) - annotate - [select for diffs], Tue May 8 23:31:20 2007 UTC (17 years, 1 month ago) by mcbride
Branch: MAIN
Changes since 1.527: +20 -49 lines
Diff to previous 1.527 (colored)

Routing headers are dangerous. Deal with them the same way as IPv4 options:
drop all packets with routing headers unless the matching rule explicitly
specifies 'allow-opts'.

ok dhartmei@ henning@ deraadt@ claudio@

Revision 1.527 / (download) - annotate - [select for diffs], Thu Feb 22 15:23:23 2007 UTC (17 years, 3 months ago) by pyr
Branch: MAIN
CVS Tags: OPENBSD_4_1_BASE, OPENBSD_4_1
Changes since 1.526: +42 -16 lines
Diff to previous 1.526 (colored)

make urpf-failed work with multipath routes.
ok claudio@

Revision 1.526 / (download) - annotate - [select for diffs], Mon Feb 19 10:18:58 2007 UTC (17 years, 3 months ago) by pyr
Branch: MAIN
Changes since 1.525: +2 -1 lines
Diff to previous 1.525 (colored)

add handling of skip steps for urpf-failed addresses.
ok dhartmei@, henning@

Revision 1.525 / (download) - annotate - [select for diffs], Wed Feb 14 00:53:48 2007 UTC (17 years, 4 months ago) by jsg
Branch: MAIN
Changes since 1.524: +2 -2 lines
Diff to previous 1.524 (colored)

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@

Revision 1.524 / (download) - annotate - [select for diffs], Thu Feb 8 15:24:24 2007 UTC (17 years, 4 months ago) by itojun
Branch: MAIN
Changes since 1.523: +86 -7 lines
Diff to previous 1.523 (colored)

compute pseudo-header checksum based on final destination as
ip6_dst (i'm a bit skeptical about checksumming when the box is not the
final destination).
drop IPv6 jumbograms, as it could cause various funny symptoms due to
ip6_plen being 0 (yup, we should properly handle it instead).

ok by deraadt, naddy, hshoexer

Revision 1.523 / (download) - annotate - [select for diffs], Fri Dec 22 13:24:52 2006 UTC (17 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.522: +10 -1 lines
Diff to previous 1.522 (colored)

add special handling for "urpf-failed" with carp interfaces.  the
unicast reverse path forwarding (URPF) check drops packets coming in
on an interface other than that which holds the route back to the
packet's source address.  this caused problems with routes bound to a
carp interface instead of the underlying interface.  this diff
validates the underlying carpdev if the route is bound to a carp
interface.

from Pierre-Yves Ritschard (pyr at spootnik.org)

ok henning@

Revision 1.522 / (download) - annotate - [select for diffs], Thu Dec 21 12:26:51 2006 UTC (17 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.521: +2 -2 lines
Diff to previous 1.521 (colored)

in pf_route(), initialize ro to NULL at the beginning. if left un-
initialized, it might equal &iproute by chance, causing a panic
when rtfree() is then mistakenly called.

Revision 1.521 / (download) - annotate - [select for diffs], Thu Dec 14 20:40:54 2006 UTC (17 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.520: +7 -6 lines
Diff to previous 1.520 (colored)

in "BAD/loose state" messages, also print the packet's original sequence
number, it can differ from the sequence number being tested (for packets
without payload), and both matter in explaining why a packet mismatched.

Revision 1.520 / (download) - annotate - [select for diffs], Wed Dec 13 09:01:59 2006 UTC (17 years, 6 months ago) by itojun
Branch: MAIN
Changes since 1.519: +2 -2 lines
Diff to previous 1.519 (colored)

use IN6_IS_SCOPE_EMBED to check kernel-internal form addresses
(s6_addr16[1] filled)
ok dhartmei

Revision 1.519 / (download) - annotate - [select for diffs], Thu Nov 16 13:17:15 2006 UTC (17 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.518: +5 -5 lines
Diff to previous 1.518 (colored)

conditional for appending the pf mbuf tag in pf_test/pf_test6 was wrong,
we need to do so whenever we do have a (pf) tag != 0 on the state OR (that
part was missing) when rtableid on the rule is nonzero.
problem noticed by Andreas Lundin <lunde@dreamhosted.se> testing the
multiple routing tables enabling diff, ok mcbride

Revision 1.518 / (download) - annotate - [select for diffs], Tue Oct 31 14:49:01 2006 UTC (17 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.517: +4 -3 lines
Diff to previous 1.517 (colored)

make pfsync a clonable too, but prevent more than one instance from
being created for now - much more work would be required to change that
input & ok ryan

Revision 1.517 / (download) - annotate - [select for diffs], Fri Oct 27 13:56:51 2006 UTC (17 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.516: +1 -14 lines
Diff to previous 1.516 (colored)

Split ruleset manipulation functions out into pf_ruleset.c to allow them to
be imported into pfctl. This is a precursor to separating ruleset parsing
from loading in pfctl, and tons of good things will come from it.

2 minor changes aside from cut-n-paste and #define portability magic:

- instead of defining the global pf_main_ruleset, define pf_main_anchor
  (which contains the pf_main_ruleset)

- allow pf_find_or_create_ruleset() to return the pf_main_ruleset if it's
  passed an empty anchor name.

ok henning dhartmei

Revision 1.516 / (download) - annotate - [select for diffs], Wed Oct 11 08:42:31 2006 UTC (17 years, 8 months ago) by mcbride
Branch: MAIN
Changes since 1.515: +54 -26 lines
Diff to previous 1.515 (colored)

Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside
the anchor, terminate ruleset evaluation when stepping out of the anchor.

This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.

ok dhartmei@ henning@ deraadt@

Revision 1.515 / (download) - annotate - [select for diffs], Mon Sep 18 09:53:05 2006 UTC (17 years, 8 months ago) by markus
Branch: MAIN
Changes since 1.514: +3 -3 lines
Diff to previous 1.514 (colored)

allow RST from TCP client, even if client does not send data after SYN;
ok frantzen, dhartmei, henning

Revision 1.514 / (download) - annotate - [select for diffs], Mon Sep 18 07:03:35 2006 UTC (17 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.513: +8 -8 lines
Diff to previous 1.513 (colored)

fix tos (type-of-service) comparisons. for rules which use 'tos x', compare
for equality (ip_tos == x). for priority queue assignment, compare AND-wise
(ip_tos & IPTOS_LOWDELAY). this matters mostly for cases where the reserved
bits in ip_tos are used (RFC791, 1349) and more than a single bit is set.
from Steve Welham, closes PR5226 and PR5227.

Revision 1.513 / (download) - annotate - [select for diffs], Thu Jul 6 13:25:40 2006 UTC (17 years, 11 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_4_0_BASE, OPENBSD_4_0
Changes since 1.512: +37 -16 lines
Diff to previous 1.512 (colored)

allow rules to point to an alternate routing table, and tag packets
matching that rule so that the forwarding code later can use the
alternate routing table for lookups (not implemented yet).
the tagging is "sticky", every matching rule modifies, just like the
regular "tag". ok claudio hshoexer, hacked at r2k6

Revision 1.512 / (download) - annotate - [select for diffs], Wed May 17 14:50:47 2006 UTC (18 years ago) by henning
Branch: MAIN
Changes since 1.511: +3 -1 lines
Diff to previous 1.511 (colored)

missing rtlabel support in pf_addr_wrap_neq()
PR5122 Jann Fischer <jfi@openbsd.de>, thanks!

Revision 1.502.2.1 / (download) - annotate - [select for diffs], Tue May 2 22:55:52 2006 UTC (18 years, 1 month ago) by brad
Branch: OPENBSD_3_8
Changes since 1.502: +79 -1 lines
Diff to previous 1.502 (colored) next main 1.503 (colored)

MFC:
Fix by frantzen@

the TCP SACK option needs sequence number modulation

Revision 1.511 / (download) - annotate - [select for diffs], Tue Mar 14 11:09:42 2006 UTC (18 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.510: +36 -18 lines
Diff to previous 1.510 (colored)

implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@

Revision 1.510 / (download) - annotate - [select for diffs], Tue Feb 7 18:41:14 2006 UTC (18 years, 4 months ago) by dhartmei
Branch: MAIN
CVS Tags: OPENBSD_3_9_BASE, OPENBSD_3_9
Changes since 1.509: +2 -1 lines
Diff to previous 1.509 (colored)

mention source of pf_modulate_sack() in comment, no code change,
ok frantzen@

Revision 1.509 / (download) - annotate - [select for diffs], Tue Jan 31 03:40:31 2006 UTC (18 years, 4 months ago) by frantzen
Branch: MAIN
Changes since 1.508: +79 -1 lines
Diff to previous 1.508 (colored)

the TCP SACK option needs sequence number modulation
ok dhartmei@ and beck@.  help + testing from kpfaff AT palloys.com.pl

Revision 1.508 / (download) - annotate - [select for diffs], Mon Nov 14 09:18:55 2005 UTC (18 years, 7 months ago) by pascoe
Branch: MAIN
Changes since 1.507: +5 -5 lines
Diff to previous 1.507 (colored)

fix spello

Revision 1.507 / (download) - annotate - [select for diffs], Fri Nov 4 08:24:15 2005 UTC (18 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.506: +6 -5 lines
Diff to previous 1.506 (colored)

crank pf_state and pf_src_node byte and packet counters to u_int64_t, since
we're breaking pfsync compatibility this cycle anyways.

Requested by djm@, ok henning@, 'wheee!' deraadt@

Revision 1.506 / (download) - annotate - [select for diffs], Wed Oct 26 03:47:33 2005 UTC (18 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.505: +4 -3 lines
Diff to previous 1.505 (colored)

Instead of using arc4random() to modulate the TCP isn, call tcp_rndiss_next()
and calculate the modulator. This ensures that modulated initial sequence
numbers have the same properties regarding separation and non-repetition as
those generated by our TCP stack.

ok markus@ frantzen@

Revision 1.505 / (download) - annotate - [select for diffs], Tue Oct 25 11:19:35 2005 UTC (18 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.504: +4 -2 lines
Diff to previous 1.504 (colored)

mtag in pf_route is now only used for IPSEC, so #ifdef it
From: Mike Belopuhov <mkb@crypt.org.ru>

Revision 1.504 / (download) - annotate - [select for diffs], Mon Oct 17 08:43:35 2005 UTC (18 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.503: +125 -198 lines
Diff to previous 1.503 (colored)

make pf use one mbuf tag instead of 6 distinct ones. use a little struct
in the data part for the data from the previously distinct tags.
look up the tag early and carry a pointer to it around.
makes the code easier and saves some tag lookups and thus helps performance,
as proven by tests run by Schöberle Dániel <Schoeberle.Daniel@aamtech.hu>
Initially hacked up somewhere over the atlantic ocean in an A330
early testing reyk and moritz, "put it in" theo

Revision 1.483.2.1 / (download) - annotate - [select for diffs], Fri Oct 7 19:56:14 2005 UTC (18 years, 8 months ago) by brad
Branch: OPENBSD_3_7
Changes since 1.483: +13 -13 lines
Diff to previous 1.483 (colored) next main 1.484 (colored)

MFC:
Fix by pascoe@

Perform pf state/rule/table expiry in a kernel thread instead of running
it out of a timeout handler.

This means we will have process context, required when using the oldnointr
pool allocator.

Addresses pr4186, pr4273.

ok dhartmei@ deraadt@ pascoe@

Revision 1.503 / (download) - annotate - [select for diffs], Wed Sep 28 01:46:32 2005 UTC (18 years, 8 months ago) by pascoe
Branch: MAIN
Changes since 1.502: +85 -21 lines
Diff to previous 1.502 (colored)

Improve the safety of pf IOCTLs, taking into account that some paths can sleep.

- Introduces a rw_lock in pfioctl so that we can have concurrent readers
  but only one process performing updates at a time;

- Separates state expiry into "unlink" and "free" parts; anyone can unlink
  a state/src node from the RB trees at any time, but a state can only be
  freed whilst the write lock is held;

- Converts state_updates into list state_list containing all states,
  regardless of whether they are "linked" or "unlinked";

- Introduces a new PFTM_UNLINKED state that is used on the "unlinked" states
  to signal that they can be freed;

- Converts pf_purge_expired_state to an "unlink" state routine, which only
  unlinks the state from the RB trees.  Freeing the state/src nodes is left
  to the purge thread, which runs whilst holding a write lock, such that all
  "next" references remain valid;

- Converts pfsync_bulk_update and DIOCGETSTATES to walk state_list rather
  than the RB trees;

- Converts the purge thread to use the new state_list and perform a partial
  purge every second, with the target rate a full state table walk every
  PFTM_INTERVAL seconds.

seen by mcbride, henning, dhartmei pre-3.8, but too intrusive for then

Revision 1.502 / (download) - annotate - [select for diffs], Mon Aug 22 11:54:25 2005 UTC (18 years, 9 months ago) by dhartmei
Branch: MAIN
CVS Tags: OPENBSD_3_8_BASE
Branch point for: OPENBSD_3_8
Changes since 1.501: +56 -22 lines
Diff to previous 1.501 (colored)

when nat'ing icmp 'connections', replace icmp id with proxy values
(similar to proxy ports for tcp/udp). not all clients use per-invocation
random ids, this allows multiple concurrent connections from such clients.
thanks for testing to Rod Whitworth, "looks ok" markus@

Revision 1.501 / (download) - annotate - [select for diffs], Mon Aug 22 09:48:05 2005 UTC (18 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.500: +6 -1 lines
Diff to previous 1.500 (colored)

fix rdr to bitmask replacement address pool. patch from Max Laier,
reported by Boris Polevoy, tested by Jean Debogue, ok henning@

Revision 1.500 / (download) - annotate - [select for diffs], Thu Aug 18 10:28:13 2005 UTC (18 years, 9 months ago) by pascoe
Branch: MAIN
Changes since 1.499: +17 -17 lines
Diff to previous 1.499 (colored)

Rearrange pf_state and pfi_kif so that the parts of the structure needed
to search for a particular entry in the RB trees are at the start of the
structure.

This permits us to place a much smaller structure on the stack in the
interrupt paths that match packets against state entries.

ok mcbride

Revision 1.499 / (download) - annotate - [select for diffs], Thu Aug 11 05:09:29 2005 UTC (18 years, 10 months ago) by joel
Branch: MAIN
Changes since 1.498: +3 -3 lines
Diff to previous 1.498 (colored)

Only decrement the max-src-conn counter for tcp connections that reached
"established" state. Requires recompiling pfctl, etc.
ok dhartmei@

Revision 1.498 / (download) - annotate - [select for diffs], Sun Jul 31 05:20:56 2005 UTC (18 years, 10 months ago) by pascoe
Branch: MAIN
Changes since 1.497: +12 -13 lines
Diff to previous 1.497 (colored)

Perform pf state/rule/table expiry in a kernel thread instead of running
it out of a timeout handler.

This means we will have process context, required when using the oldnointr
pool allocator.

Addresses pr4186, pr4273.

ok dhartmei@ henning@ tedu@

Revision 1.497 / (download) - annotate - [select for diffs], Sun Jul 31 03:30:55 2005 UTC (18 years, 10 months ago) by pascoe
Branch: MAIN
Changes since 1.496: +3 -3 lines
Diff to previous 1.496 (colored)

Change the API for icmp_do_error so that it takes the mtu directly, rather
than a pointer to struct ifnet containing it.

Saves a 448 byte stack allocation in ip_forward which previously faked up
a struct ifnet just for this purpose.

idea ok deraadt millert

Revision 1.496 / (download) - annotate - [select for diffs], Fri Jul 29 06:26:43 2005 UTC (18 years, 10 months ago) by pascoe
Branch: MAIN
Changes since 1.495: +2 -9 lines
Diff to previous 1.495 (colored)

Use one "struct pf_state key" declaration at top of pf_test_state_icmp,
instead of allocating it as a temp var in six mutually exclusive code paths.

Saves 784 bytes of kernel stack (on i386).

Revision 1.495 / (download) - annotate - [select for diffs], Thu Jul 21 08:02:26 2005 UTC (18 years, 10 months ago) by markus
Branch: MAIN
Changes since 1.494: +6 -1 lines
Diff to previous 1.494 (colored)

account ipv4 packets with wrong tcp/udp/icmp checksums and udp
packets with invalid uh_len; ok dhartmei

Revision 1.494 / (download) - annotate - [select for diffs], Mon Jul 4 08:28:04 2005 UTC (18 years, 11 months ago) by markus
Branch: MAIN
Changes since 1.493: +3 -3 lines
Diff to previous 1.493 (colored)

restrict the tcp.finwait timeout (45s) to state combinations where we have
seen a FIN from both sides (whether ACKed or not) and use tcp.closing (900s)
for half closed connections.  otherwise half closed connections will time out
within 45s. ok dhartmei, henning.

Revision 1.493 / (download) - annotate - [select for diffs], Mon Jun 13 20:17:25 2005 UTC (19 years ago) by henning
Branch: MAIN
Changes since 1.492: +29 -27 lines
Diff to previous 1.492 (colored)

make the packet and byte counters on rules and src nodes per direction,
matches the counters on states now. also fix the counting on scrub rules
where we previously did not handle the byte counters at all.
extend pfctl -sl output to include the new separate in/out counters
hacked on the ferry from Earls Cove to Saltery Bay
ok ryan

Revision 1.492 / (download) - annotate - [select for diffs], Fri May 27 17:22:40 2005 UTC (19 years ago) by dhartmei
Branch: MAIN
Changes since 1.491: +52 -47 lines
Diff to previous 1.491 (colored)

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v is used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.

Revision 1.491 / (download) - annotate - [select for diffs], Thu May 26 15:29:48 2005 UTC (19 years ago) by dhartmei
Branch: MAIN
Changes since 1.490: +45 -17 lines
Diff to previous 1.490 (colored)

support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@

Revision 1.490 / (download) - annotate - [select for diffs], Mon May 23 23:28:53 2005 UTC (19 years ago) by dhartmei
Branch: MAIN
Changes since 1.489: +7 -2 lines
Diff to previous 1.489 (colored)

change pool allocation of table entries, no longer use the oldnointr
allocator and two pools, but PR_WAITOK when called from non-interrupt
context (ioctl). add configurable hard limits for tables and table
entries (set limit tables/table-entries), defaulting to 1000/100000.
ok aaron@, henning@, mcbride@, art@

Revision 1.489 / (download) - annotate - [select for diffs], Sat May 21 21:03:57 2005 UTC (19 years ago) by henning
Branch: MAIN
Changes since 1.488: +25 -32 lines
Diff to previous 1.488 (colored)

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo

Revision 1.488 / (download) - annotate - [select for diffs], Mon Apr 25 17:55:51 2005 UTC (19 years, 1 month ago) by brad
Branch: MAIN
Changes since 1.487: +12 -12 lines
Diff to previous 1.487 (colored)

csum -> csum_flags

ok krw@ canacar@

Revision 1.487 / (download) - annotate - [select for diffs], Fri Apr 22 09:53:18 2005 UTC (19 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.486: +3 -3 lines
Diff to previous 1.486 (colored)

When synproxy completes the replayed handshake and modifies the state
into a normal one, it sets both peers' sequence windows. Fix a bug where
the previously advertised windows are applied to the wrong side (i.e.
peer A's seqhi is peer A's seqlo plus peer B's, not A's, window). This
went undetected because mostly the windows are similar and/or re-
advertised soon. But there are (rare) cases where a synproxy'd connection
would stall right after handshake. Found by Gleb Smirnoff.

Revision 1.486 / (download) - annotate - [select for diffs], Fri Apr 15 12:59:40 2005 UTC (19 years, 2 months ago) by joel
Branch: MAIN
Changes since 1.485: +16 -11 lines
Diff to previous 1.485 (colored)

Try this again.

When synproxy sends packets to the destination host, make sure to copy
the 'tag' from the original state entry into the outgoing mbuf.

ok dhartmei@ deraadt@

Revision 1.485 / (download) - annotate - [select for diffs], Thu Apr 14 08:21:01 2005 UTC (19 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.484: +9 -15 lines
Diff to previous 1.484 (colored)

back out last, some breakage crept in

Revision 1.484 / (download) - annotate - [select for diffs], Thu Apr 14 02:19:09 2005 UTC (19 years, 2 months ago) by joel
Branch: MAIN
Changes since 1.483: +16 -10 lines
Diff to previous 1.483 (colored)

When synproxy sends packets to the destination host, make sure to copy
the 'tag' from the original state entry into the outgoing mbuf.

ok henning@ dhartmei@

Revision 1.483 / (download) - annotate - [select for diffs], Tue Mar 15 17:38:43 2005 UTC (19 years, 3 months ago) by dhartmei
Branch: MAIN
CVS Tags: OPENBSD_3_7_BASE
Branch point for: OPENBSD_3_7
Changes since 1.482: +2 -1 lines
Diff to previous 1.482 (colored)

byte order of mss, only affects synproxy code path, from John L. Scarfone

Revision 1.482 / (download) - annotate - [select for diffs], Fri Mar 4 11:01:32 2005 UTC (19 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.481: +4 -1 lines
Diff to previous 1.481 (colored)

add state's tag for IPv6, too. spotted by markus@

Revision 1.481 / (download) - annotate - [select for diffs], Thu Mar 3 07:13:39 2005 UTC (19 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.480: +22 -1 lines
Diff to previous 1.480 (colored)

when tagging, apply the same tag to all packets matching a state entry
(not just to the initial packet). note: kernel/userland abi change
(rebuild pfctl). ok henning@

Revision 1.480 / (download) - annotate - [select for diffs], Sun Feb 27 15:08:39 2005 UTC (19 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.479: +21 -15 lines
Diff to previous 1.479 (colored)

support 'tagged' in translation rules, non-delayed tag lookup
ok henning@, deraadt@

Revision 1.433.2.8 / (download) - annotate - [select for diffs], Sat Feb 19 22:47:44 2005 UTC (19 years, 3 months ago) by brad
Branch: OPENBSD_3_5
Changes since 1.433.2.7: +2 -2 lines
Diff to previous 1.433.2.7 (colored) to branchpoint 1.433 (colored) next main 1.434 (colored)

MFC:
Fix by dhartmei@

Use the packet's address family instead of the rule's when selecting a
replacement address for an rdr rule. Some rdr rules have no address family
(when the replacement is a table and no other criterion implies one AF).
In this case, pf would fail to select a replacement address and drop the
packet due to translation failure. Found by Gustavo A. Baratto.

ok deraadt@ dhartmei@

Revision 1.457.2.8 / (download) - annotate - [select for diffs], Sat Feb 19 22:38:33 2005 UTC (19 years, 3 months ago) by brad
Branch: OPENBSD_3_6
Changes since 1.457.2.7: +2 -2 lines
Diff to previous 1.457.2.7 (colored) to branchpoint 1.457 (colored) next main 1.458 (colored)

MFC:
Fix by dhartmei@

Use the packet's address family instead of the rule's when selecting a
replacement address for an rdr rule. Some rdr rules have no address family
(when the replacement is a table and no other criterion implies one AF).
In this case, pf would fail to select a replacement address and drop the
packet due to translation failure. Found by Gustavo A. Baratto.

ok deraadt@ dhartmei@

Revision 1.479 / (download) - annotate - [select for diffs], Sun Jan 30 00:02:30 2005 UTC (19 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.478: +107 -47 lines
Diff to previous 1.478 (colored)

Add some more reason counters and use them instead of overloading the
'memory' one, which helps debugging. Alters the kernel/userland ABI,
rebuild pfctl and tcpdump. ok henning@

Revision 1.478 / (download) - annotate - [select for diffs], Thu Jan 20 18:07:33 2005 UTC (19 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.477: +2 -2 lines
Diff to previous 1.477 (colored)

Use the packet's address family instead of the rule's when selecting a
replacement address for an rdr rule. Some rdr rules have no address family
(when the replacement is a table and no other criterion implies one AF).
In this case, pf would fail to select a replacement address and drop the
packet due to translation failure. Found by Gustavo A. Baratto.
ok mcbride@, henning@, markus@

Revision 1.477 / (download) - annotate - [select for diffs], Fri Jan 7 18:58:39 2005 UTC (19 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.476: +7 -1 lines
Diff to previous 1.476 (colored)

Make carp(4) traffic always appear on the physical (carpdev) interface
from pf's perspective.

ok pascoe@ dhartmei@ henning@

Revision 1.433.2.7 / (download) - annotate - [select for diffs], Thu Jan 6 14:15:43 2005 UTC (19 years, 5 months ago) by brad
Branch: OPENBSD_3_5
Changes since 1.433.2.6: +4 -4 lines
Diff to previous 1.433.2.6 (colored) to branchpoint 1.433 (colored)

MFC:
Fix by dhartmei@

ICMP state entries use the ICMP ID as port for the unique state key. When
checking for a usable key, construct the key in the same way. Otherwise,
a colliding key might be missed or a state insertion might be refused even
though it could be inserted. The second case triggers the endless loop
fixed by 1.474, possibly allowing a NATed LAN client to lock up the kernel.
Report and test data by Srebrenko Sehic.

ok deraadt@

Revision 1.457.2.7 / (download) - annotate - [select for diffs], Thu Jan 6 14:11:56 2005 UTC (19 years, 5 months ago) by brad
Branch: OPENBSD_3_6
Changes since 1.457.2.6: +4 -4 lines
Diff to previous 1.457.2.6 (colored) to branchpoint 1.457 (colored)

MFC:
Fix by dhartmei@

ICMP state entries use the ICMP ID as port for the unique state key. When
checking for a usable key, construct the key in the same way. Otherwise,
a colliding key might be missed or a state insertion might be refused even
though it could be inserted. The second case triggers the endless loop
fixed by 1.474, possibly allowing a NATed LAN client to lock up the kernel.
Report and test data by Srebrenko Sehic.

ok deraadt@

Revision 1.476 / (download) - annotate - [select for diffs], Wed Dec 22 17:17:55 2004 UTC (19 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.475: +5 -1 lines
Diff to previous 1.475 (colored)

Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@

Revision 1.433.2.6 / (download) - annotate - [select for diffs], Sun Dec 19 18:52:27 2004 UTC (19 years, 5 months ago) by brad
Branch: OPENBSD_3_5
Changes since 1.433.2.5: +7 -4 lines
Diff to previous 1.433.2.5 (colored) to branchpoint 1.433 (colored)

MFC:
Fix by dhartmei@

IPv6 packets can contain headers (like options) before the TCP/UDP/ICMP6
header. pf finds the first TCP/UDP/ICMP6 header to filter by traversing
the header chain. In the case where headers are skipped, the protocol
checksum verification used the wrong length (included the skipped headers),
leading to incorrectly mismatching checksums. Such IPv6 packets with
headers were silently dropped. Reported by Bernhard Schmidt.

ok deraadt@ dhartmei@ mcbride@

Revision 1.457.2.6 / (download) - annotate - [select for diffs], Sun Dec 19 18:48:57 2004 UTC (19 years, 5 months ago) by brad
Branch: OPENBSD_3_6
Changes since 1.457.2.5: +7 -4 lines
Diff to previous 1.457.2.5 (colored) to branchpoint 1.457 (colored)

MFC:
Fix by dhartmei@

IPv6 packets can contain headers (like options) before the TCP/UDP/ICMP6
header. pf finds the first TCP/UDP/ICMP6 header to filter by traversing
the header chain. In the case where headers are skipped, the protocol
checksum verification used the wrong length (included the skipped headers),
leading to incorrectly mismatching checksums. Such IPv6 packets with
headers were silently dropped. Reported by Bernhard Schmidt.

ok deraadt@ dhartmei@ mcbride@

Revision 1.475 / (download) - annotate - [select for diffs], Fri Dec 17 17:32:28 2004 UTC (19 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.474: +4 -4 lines
Diff to previous 1.474 (colored)

ICMP state entries use the ICMP ID as port for the unique state key. When
checking for a usable key, construct the key in the same way. Otherwise,
a colliding key might be missed or a state insertion might be refused even
though it could be inserted. The second case triggers the endless loop
fixed by 1.474, possibly allowing a NATed LAN client to lock up the kernel.
Report and test data by Srebrenko Sehic.

Revision 1.433.2.5 / (download) - annotate - [select for diffs], Thu Dec 16 02:05:39 2004 UTC (19 years, 5 months ago) by brad
Branch: OPENBSD_3_5
Changes since 1.433.2.4: +3 -1 lines
Diff to previous 1.433.2.4 (colored) to branchpoint 1.433 (colored)

MFC:
Fix by mcbride@

Initialise init_addr in pf_map_addr() in the PF_POOL_ROUNDROBIN,
prevents a possible endless loop in pf_get_sport() with 'static-port'

Reported by adm at celeritystorm dot com in FreeBSD PR74930, debugging
by dhartmei@

ok mcbride@ dhartmei@ deraadt@ henning@

Revision 1.457.2.5 / (download) - annotate - [select for diffs], Thu Dec 16 02:04:55 2004 UTC (19 years, 5 months ago) by brad
Branch: OPENBSD_3_6
Changes since 1.457.2.4: +3 -1 lines
Diff to previous 1.457.2.4 (colored) to branchpoint 1.457 (colored)

MFC:
Fix by mcbride@

Initialise init_addr in pf_map_addr() in the PF_POOL_ROUNDROBIN,
prevents a possible endless loop in pf_get_sport() with 'static-port'

Reported by adm at celeritystorm dot com in FreeBSD PR74930, debugging
by dhartmei@

ok mcbride@ dhartmei@ deraadt@ henning@

Revision 1.474 / (download) - annotate - [select for diffs], Tue Dec 14 03:49:06 2004 UTC (19 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.473: +3 -1 lines
Diff to previous 1.473 (colored)

Initialise init_addr in pf_map_addr() in the PF_POOL_ROUNDROBIN,
prevents a possible endless loop in pf_get_sport() with 'static-port'

Reported by adm at celeritystorm dot com in FreeBSD PR74930, debugging
by dhartmei@

ok dhartmei@

Revision 1.473 / (download) - annotate - [select for diffs], Sat Dec 11 11:45:44 2004 UTC (19 years, 6 months ago) by mpf
Branch: MAIN
Changes since 1.472: +33 -14 lines
Diff to previous 1.472 (colored)

Handle errors in pf_route{,6} more gracefully.
Proposed by mcbride.
ok henning@, mcbride@

Revision 1.472 / (download) - annotate - [select for diffs], Fri Dec 10 22:13:25 2004 UTC (19 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.471: +44 -1 lines
Diff to previous 1.471 (colored)

allow pf to filter on route labels
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan

Revision 1.471 / (download) - annotate - [select for diffs], Tue Dec 7 18:02:03 2004 UTC (19 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.470: +5 -4 lines
Diff to previous 1.470 (colored)

KNF

Revision 1.470 / (download) - annotate - [select for diffs], Tue Dec 7 10:33:41 2004 UTC (19 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.469: +9 -6 lines
Diff to previous 1.469 (colored)

re-commit mcbride@'s 'flush global', this time without the breakage in
pfvar.h. builds kernel and userland.

Revision 1.469 / (download) - annotate - [select for diffs], Tue Dec 7 09:36:16 2004 UTC (19 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.468: +5 -8 lines
Diff to previous 1.468 (colored)

tree does not compile, spotted by dlg (not obvious how to fix)
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@

Revision 1.468 / (download) - annotate - [select for diffs], Tue Dec 7 05:30:25 2004 UTC (19 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.467: +9 -6 lines
Diff to previous 1.467 (colored)

Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@

Revision 1.467 / (download) - annotate - [select for diffs], Mon Dec 6 23:28:38 2004 UTC (19 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.466: +13 -11 lines
Diff to previous 1.466 (colored)

support max-src-conn-rate with synproxy, ok mcbride@

Revision 1.466 / (download) - annotate - [select for diffs], Sun Dec 5 12:12:01 2004 UTC (19 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.465: +8 -5 lines
Diff to previous 1.465 (colored)

IPv6 packets can contain headers (like options) before the TCP/UDP/ICMP6
header. pf finds the first TCP/UDP/ICMP6 header to filter by traversing
the header chain. In the case where headers are skipped, the protocol
checksum verification used the wrong length (included the skipped headers),
leading to incorrectly mismatching checksums. Such IPv6 packets with
headers were silently dropped. Reported by Bernhard Schmidt. ok mcbride@

Revision 1.465 / (download) - annotate - [select for diffs], Sat Dec 4 07:49:48 2004 UTC (19 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.464: +164 -11 lines
Diff to previous 1.464 (colored)

Add kernel code to keep track of tcp connections which have completed
the 3-way handshake. Allow limits on both total connections and connection
rate, put offenders in a table which can be used in the ruleset, and optionally
kill existing states. Rate tracking code from dhartmei@.

Adds a second pool for table entries using the default allocator, which
allows entries to be added at splsoftnet().

ok deraadt@ dhartmei@

Revision 1.433.2.4 / (download) - annotate - [select for diffs], Sun Nov 28 19:55:33 2004 UTC (19 years, 6 months ago) by brad
Branch: OPENBSD_3_5
Changes since 1.433.2.3: +2 -2 lines
Diff to previous 1.433.2.3 (colored) to branchpoint 1.433 (colored)

MFC:
Fix by dhartmei@

fix a bug that leads to a crash when binat rules of the form
'binat from ... to ... -> (if)' are used, where the interface
is dynamic. reported by kos(at)bastard(dot)net, analyzed by
Pyun YongHyeon

ok deraadt@

Revision 1.457.2.4 / (download) - annotate - [select for diffs], Sun Nov 28 06:21:44 2004 UTC (19 years, 6 months ago) by brad
Branch: OPENBSD_3_6
Changes since 1.457.2.3: +2 -2 lines
Diff to previous 1.457.2.3 (colored) to branchpoint 1.457 (colored)

MFC:
Fix by dhartmei@

fix a bug that leads to a crash when binat rules of the form
'binat from ... to ... -> (if)' are used, where the interface
is dynamic. reported by kos(at)bastard(dot)net, analyzed by
Pyun YongHyeon

ok deraadt@

Revision 1.464 / (download) - annotate - [select for diffs], Wed Nov 24 00:36:10 2004 UTC (19 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.463: +2 -2 lines
Diff to previous 1.463 (colored)

fix a bug that leads to a crash when binat rules of the form
'binat from ... to ... -> (if)' are used, where the interface
is dynamic. reported by kos(at)bastard(dot)net, analyzed by
Pyun YongHyeon

Revision 1.463 / (download) - annotate - [select for diffs], Fri Nov 19 18:20:10 2004 UTC (19 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.462: +1 -7 lines
Diff to previous 1.462 (colored)

remove superfluous m_tag_copy/m_tag_prepend, already covered by m_copym2()
reported by Joerg Sonnenberger, ok henning@

Revision 1.457.2.3 / (download) - annotate - [select for diffs], Sat Nov 13 23:48:51 2004 UTC (19 years, 7 months ago) by brad
Branch: OPENBSD_3_6
Changes since 1.457.2.2: +3 -3 lines
Diff to previous 1.457.2.2 (colored) to branchpoint 1.457 (colored)

MFC:
Fix by dhartmei@

The flag to re-filter pf-generated packets was set wrong by synproxy
for ACKs. It should filter the ACK replayed to the server, instead
of the one to the client.

ok deraadt@ dhartmei@

Revision 1.457.2.2 / (download) - annotate - [select for diffs], Sat Nov 13 23:46:26 2004 UTC (19 years, 7 months ago) by brad
Branch: OPENBSD_3_6
Changes since 1.457.2.1: +4 -11 lines
Diff to previous 1.457.2.1 (colored) to branchpoint 1.457 (colored)

MFC:
Fix by dhartmei@

For RST generated due to state mismatch during handshake, don't set
th_flags TH_ACK and leave th_ack 0, just like the RST generated by
the stack in this case. Fixes the Raptor workaround.

ok deraadt@ dhartmei@

Revision 1.433.2.3 / (download) - annotate - [select for diffs], Sat Nov 13 23:24:37 2004 UTC (19 years, 7 months ago) by brad
Branch: OPENBSD_3_5
Changes since 1.433.2.2: +4 -11 lines
Diff to previous 1.433.2.2 (colored) to branchpoint 1.433 (colored)

MFC:
Fix by dhartmei@

For RST generated due to state mismatch during handshake, don't set
th_flags TH_ACK and leave th_ack 0, just like the RST generated by
the stack in this case. Fixes the Raptor workaround.

ok deraadt@ dhartmei@

Revision 1.462 / (download) - annotate - [select for diffs], Fri Nov 12 19:44:44 2004 UTC (19 years, 7 months ago) by dhartmei
Branch: MAIN
Changes since 1.461: +3 -3 lines
Diff to previous 1.461 (colored)

The flag to re-filter pf-generated packets was set wrong by synproxy
for ACKs. It should filter the ACK replayed to the server, instead
of the one to the client. Thanks to Daniel Polak for testing.

Revision 1.461 / (download) - annotate - [select for diffs], Sun Nov 7 01:16:52 2004 UTC (19 years, 7 months ago) by dhartmei
Branch: MAIN
Changes since 1.460: +4 -11 lines
Diff to previous 1.460 (colored)

For RST generated due to state mismatch during handshake, don't set
th_flags TH_ACK and leave th_ack 0, just like the RST generated by
the stack in this case. Fixes the Raptor workaround. ok beck@, markus@

Revision 1.457.2.1 / (download) - annotate - [select for diffs], Sat Nov 6 00:39:35 2004 UTC (19 years, 7 months ago) by brad
Branch: OPENBSD_3_6
Changes since 1.457: +3 -1 lines
Diff to previous 1.457 (colored)

MFC:
Fix by dhartmei@

reset anchor pointer to NULL when stepping back into the main ruleset,
fixes pflog attributing states wrongly to anchors and pfctl -vvsn/sr
showing wrong state counters for anchor rules. found by camield@

ok deraadt@ dhartmei@

Revision 1.460 / (download) - annotate - [select for diffs], Wed Sep 29 10:32:33 2004 UTC (19 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.459: +3 -1 lines
Diff to previous 1.459 (colored)

reset anchor pointer to NULL when stepping back into the main ruleset,
fixes pflog attributing states wrongly to anchors and pfctl -vvsn/sr
showing wrong state counters for anchor rules. found by camield@,
ok henning@, -stable candidate

Revision 1.459 / (download) - annotate - [select for diffs], Mon Sep 20 19:56:01 2004 UTC (19 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.458: +28 -9 lines
Diff to previous 1.458 (colored)

pf_routable(), used for the no-route keyword, was a v4 only implementation,
and behaved incorrectly when used with v6. implement the v6 case too.
ok canacar mcbride

Revision 1.458 / (download) - annotate - [select for diffs], Fri Sep 17 21:49:15 2004 UTC (19 years, 8 months ago) by mcbride
Branch: MAIN
Changes since 1.457: +29 -21 lines
Diff to previous 1.457 (colored)

Clean up reference counting wrt state creation and destruction. Fixes
problems with adaptive timeouts, max-states limits, and rules not being
freed from memory.

Diff from Chris Pascoe.

ok henning@ dhartmei@

Revision 1.389.2.5 / (download) - annotate - [select for diffs], Sat Jul 17 03:32:12 2004 UTC (19 years, 10 months ago) by brad
Branch: OPENBSD_3_4
Changes since 1.389.2.4: +53 -42 lines
Diff to previous 1.389.2.4 (colored) to branchpoint 1.389 (colored) next main 1.390 (colored)

MFC:
Fix by dhartmei@

change pf_route() loop detection: introduce a counter (number of times
a packet is routed already) in the mbuf tag, allow at most four times.
Fixes some legitimate cases broken by the previous change.

ok deraadt@ dhartmei@

Revision 1.433.2.2 / (download) - annotate - [select for diffs], Sat Jul 17 03:22:34 2004 UTC (19 years, 10 months ago) by brad
Branch: OPENBSD_3_5
Changes since 1.433.2.1: +53 -42 lines
Diff to previous 1.433.2.1 (colored) to branchpoint 1.433 (colored)

MFC:
Fix by dhartmei@

change pf_route() loop detection: introduce a counter (number of times
a packet is routed already) in the mbuf tag, allow at most four times.
Fixes some legitimate cases broken by the previous change.

ok deraadt@ dhartmei@

Revision 1.457 / (download) - annotate - [select for diffs], Sun Jul 11 15:54:21 2004 UTC (19 years, 11 months ago) by itojun
Branch: MAIN
CVS Tags: OPENBSD_3_6_BASE
Branch point for: OPENBSD_3_6
Changes since 1.456: +11 -94 lines
Diff to previous 1.456 (colored)

backout IPv6 reass-on-scrub patch (more work needs to be done).
requested by deraadt

Revision 1.456 / (download) - annotate - [select for diffs], Fri Jun 25 11:04:03 2004 UTC (19 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.455: +3 -4 lines
Diff to previous 1.455 (colored)

correct "scrub in" behavior for IPv6.
remaining TODO:
- "forward" case kernel behavior (IPv4 too), then pfctl syntax change
- red-black tree

Revision 1.455 / (download) - annotate - [select for diffs], Fri Jun 25 00:42:58 2004 UTC (19 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.454: +95 -11 lines
Diff to previous 1.454 (colored)

IPv6 reassembly on "scrub" directive.

caveats: (to be addressed soon)
- "scrub in" should queue fragments back into ip6intrq again, but
  somehow it does not happen - the packet is kept inside reass queue.
  need investigation
- ip6_forwarding path is not tested
- does not use red-black tree.  somehow red-black tree behaved badly
  and was not robust.  performance issue, the above one is more
  important.

good things:
- "scrub out" is perfectly ok
- i think now we can inspect upper-layer protocol fields (tcp port)
  even if ip6 packet is fragmented.
- reass queue will be cleaned up properly by timeout (60sec).  we might
  want to impose pool limit as well

Revision 1.454 / (download) - annotate - [select for diffs], Tue Jun 22 07:35:19 2004 UTC (19 years, 11 months ago) by cedric
Branch: MAIN
Changes since 1.453: +12 -16 lines
Diff to previous 1.453 (colored)

Pull the plug on source-based routing until remaining bugs are eradicated.
No need to reconfig kernel or rebuild userland stuff.
requested deraadt@, help beck@

Revision 1.453 / (download) - annotate - [select for diffs], Mon Jun 21 23:50:36 2004 UTC (19 years, 11 months ago) by tholo
Branch: MAIN
Changes since 1.452: +20 -20 lines
Diff to previous 1.452 (colored)

First step towards more sane time handling in the kernel -- this changes
things such that code that only needs a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now gets
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@

Revision 1.452 / (download) - annotate - [select for diffs], Mon Jun 21 19:26:01 2004 UTC (19 years, 11 months ago) by mcbride
Branch: MAIN
Changes since 1.451: +5 -17 lines
Diff to previous 1.451 (colored)

Get rid of pf_test_eh() wrapper.

ok cedric@ henning@

Revision 1.95.2.13 / (download) - annotate - [select for diffs], Sun Jun 13 08:50:16 2004 UTC (20 years ago) by niklas
Branch: SMP
Changes since 1.95.2.12: +18 -18 lines
Diff to previous 1.95.2.12 (colored) next main 1.96 (colored)

sync to HEAD

Revision 1.451 / (download) - annotate - [select for diffs], Thu Jun 10 14:22:54 2004 UTC (20 years ago) by dhartmei
Branch: MAIN
CVS Tags: SMP_SYNC_A
Changes since 1.450: +19 -19 lines
Diff to previous 1.450 (colored)

rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
keyword in C++. ok henning@, cedric@

Revision 1.95.2.12 / (download) - annotate - [select for diffs], Mon Jun 7 20:41:36 2004 UTC (20 years ago) by niklas
Branch: SMP
Changes since 1.95.2.11: +15 -11 lines
Diff to previous 1.95.2.11 (colored)

sync to head

Revision 1.450 / (download) - annotate - [select for diffs], Sun Jun 6 16:49:08 2004 UTC (20 years ago) by cedric
Branch: MAIN
CVS Tags: SMP_SYNC_B
Changes since 1.449: +16 -12 lines
Diff to previous 1.449 (colored)

extend routing table to be able to match and route packets based on
their *source* IP address in addition to their destination address.
routing table "destination" now contains a "struct sockaddr_rtin"
for IPv4 instead of a "struct sockaddr_in".
the routing socket has been extended in a backward-compatible way.
todo: PMTU enhancements, IPv6. ok deraadt@ mcbride@

Revision 1.95.2.11 / (download) - annotate - [select for diffs], Sat Jun 5 23:11:24 2004 UTC (20 years ago) by niklas
Branch: SMP
Changes since 1.95.2.10: +481 -334 lines
Diff to previous 1.95.2.10 (colored)

Merge with the trunk

Revision 1.449 / (download) - annotate - [select for diffs], Wed May 19 17:50:51 2004 UTC (20 years ago) by dhartmei
Branch: MAIN
Changes since 1.448: +112 -61 lines
Diff to previous 1.448 (colored)

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@

Revision 1.448 / (download) - annotate - [select for diffs], Tue May 11 07:34:11 2004 UTC (20 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.447: +1 -3 lines
Diff to previous 1.447 (colored)

pf_cksum_fixup() was called without last argument from normalization,
also fixup checksum when random-id modifies ip_id. This would previously
lead to incorrect checksums for packets modified by scrub random-id.
From Pyun YongHyeon. ok cedric@

Revision 1.447 / (download) - annotate - [select for diffs], Tue May 11 07:06:52 2004 UTC (20 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.446: +53 -42 lines
Diff to previous 1.446 (colored)

change pf_route() loop detection: introduce a counter (number of times
a packet is routed already) in the mbuf tag, allow at most four times.
Fixes some legitimate cases broken by the previous change. ok cedric@

Revision 1.446 / (download) - annotate - [select for diffs], Wed May 5 23:16:03 2004 UTC (20 years, 1 month ago) by frantzen
Branch: MAIN
Changes since 1.445: +18 -10 lines
Diff to previous 1.445 (colored)

Use RFC1323 PAWS timestamps as a logical extension to the conventional TCP
sequence numbers by taking advantage of the maximum 1KHz clock as an upper bound
on the timestamp.  Typically gains 10 to 18 bits of additional security against
blind data insertion attacks.  More if the TS Echo wasn't optional :-(
Enabled with:  scrub on !lo0 all reassemble tcp
ok dhartmei@.  documentation help from jmc@

Revision 1.389.2.4 / (download) - annotate - [select for diffs], Fri Apr 30 23:27:57 2004 UTC (20 years, 1 month ago) by brad
Branch: OPENBSD_3_4
Changes since 1.389.2.3: +8 -11 lines
Diff to previous 1.389.2.3 (colored) to branchpoint 1.389 (colored)

MFC:
Fix by dhartmei@

prevent an endless loop with route-to lo0, fixes PR 3736

ok deraadt@ dhartmei@

Revision 1.433.2.1 / (download) - annotate - [select for diffs], Fri Apr 30 21:46:33 2004 UTC (20 years, 1 month ago) by brad
Branch: OPENBSD_3_5
Changes since 1.433: +8 -11 lines
Diff to previous 1.433 (colored)

MFC:
Fix by dhartmei@

prevent an endless loop with route-to lo0, fixes PR 3736

ok deraadt@ dhartmei@

Revision 1.445 / (download) - annotate - [select for diffs], Wed Apr 28 02:51:58 2004 UTC (20 years, 1 month ago) by cedric
Branch: MAIN
Changes since 1.444: +56 -14 lines
Diff to previous 1.444 (colored)

make return-rst work on pure bridges. ok dhartmei@ henning@ mcbride@

Revision 1.444 / (download) - annotate - [select for diffs], Wed Apr 28 02:43:08 2004 UTC (20 years, 1 month ago) by pb
Branch: MAIN
Changes since 1.443: +47 -22 lines
Diff to previous 1.443 (colored)

Don't step into INET6 code, just because af != AF_INET
Also comment #endif properly while being here

ok mcbride@

Revision 1.443 / (download) - annotate - [select for diffs], Tue Apr 27 18:28:07 2004 UTC (20 years, 1 month ago) by frantzen
Branch: MAIN
Changes since 1.442: +9 -6 lines
Diff to previous 1.442 (colored)

validate the sequence numbers on TCP resets are an exact match.  check is only
enabled when we're doing full frag reassembly and thus have full seq info
ok markus@

Revision 1.442 / (download) - annotate - [select for diffs], Mon Apr 26 02:03:38 2004 UTC (20 years, 1 month ago) by mcbride
Branch: MAIN
Changes since 1.441: +15 -11 lines
Diff to previous 1.441 (colored)

Prevent biases in arc4random() from disclosing the byte order of the firewall.

ok deraadt@

Revision 1.441 / (download) - annotate - [select for diffs], Mon Apr 26 00:12:27 2004 UTC (20 years, 1 month ago) by cedric
Branch: MAIN
Changes since 1.440: +1 -28 lines
Diff to previous 1.440 (colored)

anchor refcounting. ok dhartmei@ mcbride@

Revision 1.440 / (download) - annotate - [select for diffs], Sun Apr 25 18:45:57 2004 UTC (20 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.439: +8 -11 lines
Diff to previous 1.439 (colored)

prevent an endless loop with route-to lo0, fixes PR 3736,
ok pb@, henning@, markus@

Revision 1.439 / (download) - annotate - [select for diffs], Sun Apr 25 18:09:29 2004 UTC (20 years, 1 month ago) by pb
Branch: MAIN
Changes since 1.438: +39 -34 lines
Diff to previous 1.438 (colored)

get rid of a complete state tree walk at state expire while in splnet()

ok mcbride@ henning@

Revision 1.438 / (download) - annotate - [select for diffs], Sun Apr 25 02:32:35 2004 UTC (20 years, 1 month ago) by pb
Branch: MAIN
Changes since 1.437: +4 -1 lines
Diff to previous 1.437 (colored)

sync 'other' in test6, too.

ok dhartmei@ mcbride@

Revision 1.437 / (download) - annotate - [select for diffs], Sun Apr 25 00:34:08 2004 UTC (20 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.436: +23 -19 lines
Diff to previous 1.436 (colored)

don't add PF_GENERATED tag to synproxy generated packets for the second
handshake, so they can match rules (and create state) on another interface.
ok cedric@

Revision 1.436 / (download) - annotate - [select for diffs], Sat Apr 24 23:22:54 2004 UTC (20 years, 1 month ago) by cedric
Branch: MAIN
Changes since 1.435: +11 -1 lines
Diff to previous 1.435 (colored)

Add "probability xxx" rule modifier. ok deraadt@

Revision 1.435 / (download) - annotate - [select for diffs], Sat Apr 17 00:13:36 2004 UTC (20 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.434: +42 -17 lines
Diff to previous 1.434 (colored)

when the input queue congestion flag is set stop evaluating the ruleset
and block unconditionally.
when the input queue is full, newly arriving packets are dropped anyway,
and while the input queue is full we obviously have a CPU load problem.
with this change, we allow the machine to recover gracefully, dropping a few
packets fast instead of a lot slowly over a long time while processing rather
old stuff in the input queue, giving somebody a chance to log in on the
console and fix stuff instead of going completely unresponsive, and as a nice
side effect, let established connections alone.
ok kjc@ markus@ beck@

Revision 1.389.2.3 / (download) - annotate - [select for diffs], Sat Apr 10 09:38:19 2004 UTC (20 years, 2 months ago) by brad
Branch: OPENBSD_3_4
Changes since 1.389.2.2: +11 -6 lines
Diff to previous 1.389.2.2 (colored) to branchpoint 1.389 (colored)

MFC:
Fix by dhartmei@ and mcbride@

1.433
Properly m_copyback() modified TCP sequence number after demodulation

1.432
Fix icmp checksum when sequence number modulation is being used.
Also fix a daddr vs saddr cut-n-paste error in ICMP error handling.

Fixes PR 3724

ok deraadt@

Revision 1.434 / (download) - annotate - [select for diffs], Mon Apr 5 08:19:49 2004 UTC (20 years, 2 months ago) by dhartmei
Branch: MAIN
Changes since 1.433: +11 -11 lines
Diff to previous 1.433 (colored)

make pftag ** (pass pointer by reference), otherwise it's never updated.
the parameter serves only as optimization to cache m_tag_get() results.
ok henning@

Revision 1.433 / (download) - annotate - [select for diffs], Fri Mar 26 22:20:57 2004 UTC (20 years, 2 months ago) by dhartmei
Branch: MAIN
CVS Tags: OPENBSD_3_5_BASE
Branch point for: OPENBSD_3_5
Changes since 1.432: +9 -4 lines
Diff to previous 1.432 (colored)

Properly m_copyback() modified TCP sequence number after demodulation
ok mcbride@, henning@, cedric@, deraadt@

Revision 1.432 / (download) - annotate - [select for diffs], Thu Mar 25 03:03:49 2004 UTC (20 years, 2 months ago) by mcbride
Branch: MAIN
Changes since 1.431: +3 -3 lines
Diff to previous 1.431 (colored)

Fix icmp checksum when sequence number modulation is being used.
Also fix a daddr vs saddr cut-n-paste error in ICMP error handling.

From dhartmei@
ok deraadt@

Revision 1.431 / (download) - annotate - [select for diffs], Mon Mar 22 04:54:17 2004 UTC (20 years, 2 months ago) by mcbride
Branch: MAIN
Changes since 1.430: +4 -1 lines
Diff to previous 1.430 (colored)

Support for best effort bulk transfers of states when pfsync syncif is
configured.  This allows pfsync+carp clusters to come up gracefully
without killing active connections. pfsync now prevents carp from
preempting to become master until the state table has sync'd.

ABI change, any application which uses struct pf_state must be recompiled.

Reminded about this by Christian Gut. Thanks to beck@ cedric@ and dhartmei@
for testing and comments.

ok deraadt@

Revision 1.328.2.6 / (download) - annotate - [select for diffs], Sun Mar 14 00:15:05 2004 UTC (20 years, 3 months ago) by brad
Branch: OPENBSD_3_3
Changes since 1.328.2.5: +4 -2 lines
Diff to previous 1.328.2.5 (colored) to branchpoint 1.328 (colored) next main 1.329 (colored)

MFC:
Fix by itojun@

plug mbuf leak (ip_fragment() always frees mbuf on error).

missing pieces from my previous commit.

ok deraadt@

Revision 1.389.2.2 / (download) - annotate - [select for diffs], Sun Mar 14 00:13:42 2004 UTC (20 years, 3 months ago) by brad
Branch: OPENBSD_3_4
Changes since 1.389.2.1: +4 -2 lines
Diff to previous 1.389.2.1 (colored) to branchpoint 1.389 (colored)

MFC:
Fix by itojun@

plug mbuf leak (ip_fragment() always frees mbuf on error).

missing pieces from my previous commit.

ok deraadt@

Revision 1.430 / (download) - annotate - [select for diffs], Thu Mar 11 10:15:26 2004 UTC (20 years, 3 months ago) by mcbride
Branch: MAIN
Changes since 1.429: +2 -3 lines
Diff to previous 1.429 (colored)

Don't call pf_src_tree_remove_state() on error in pf_insert_state(),
it's also called in the function which calls pf_insert_state().

Pointed out by Patrick Latifi, ok cedric@ dhartmei@

Revision 1.429 / (download) - annotate - [select for diffs], Tue Mar 9 21:44:40 2004 UTC (20 years, 3 months ago) by mcbride
Branch: MAIN
Changes since 1.428: +8 -9 lines
Diff to previous 1.428 (colored)

KNF, ok cedric@ deraadt@

Revision 1.428 / (download) - annotate - [select for diffs], Tue Feb 24 12:09:34 2004 UTC (20 years, 3 months ago) by mcbride
Branch: MAIN
Changes since 1.427: +1 -4 lines
Diff to previous 1.427 (colored)

Remove redundant logging from pf_test_other().

ok henning@ cedric@

Revision 1.427 / (download) - annotate - [select for diffs], Tue Feb 24 06:53:30 2004 UTC (20 years, 3 months ago) by mcbride
Branch: MAIN
Changes since 1.426: +3 -3 lines
Diff to previous 1.426 (colored)

KNF

Revision 1.426 / (download) - annotate - [select for diffs], Fri Feb 20 19:22:03 2004 UTC (20 years, 3 months ago) by mcbride
Branch: MAIN
Changes since 1.425: +4 -1 lines
Diff to previous 1.425 (colored)

Make pfsync deal with clearing states bound to a group or interface (eg
pfctl -i fxp0 -Fs). Also don't send out individual state deletions if we're
sending a clear message, move pfsync_clear_states() inside splnet, and fix
if_pfsync.h includes in pf.c and pf_ioctl.c.

ok cedric@ dhartmei@

Revision 1.95.2.10 / (download) - annotate - [select for diffs], Thu Feb 19 10:57:21 2004 UTC (20 years, 3 months ago) by niklas
Branch: SMP
Changes since 1.95.2.9: +1724 -932 lines
Diff to previous 1.95.2.9 (colored)

Merge of current from two weeks ago into the SMP branch

Revision 1.425 / (download) - annotate - [select for diffs], Thu Feb 19 07:41:45 2004 UTC (20 years, 3 months ago) by kjc
Branch: MAIN
Changes since 1.424: +1 -32 lines
Diff to previous 1.424 (colored)

the 2nd round of the qid assignment change.
make the semantics in line with the tag assignment, which simplifies
the id management in pf.

ok, henning@

Revision 1.424 / (download) - annotate - [select for diffs], Tue Feb 10 22:42:57 2004 UTC (20 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.423: +21 -21 lines
Diff to previous 1.423 (colored)

KNF

Revision 1.423 / (download) - annotate - [select for diffs], Tue Feb 10 20:20:01 2004 UTC (20 years, 4 months ago) by itojun
Branch: MAIN
Changes since 1.422: +4 -2 lines
Diff to previous 1.422 (colored)

plug mbuf leak (ip_fragment() always frees mbuf on error).  tested by cedric,
dhartmei ok

Revision 1.422 / (download) - annotate - [select for diffs], Tue Feb 10 18:49:10 2004 UTC (20 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.421: +21 -13 lines
Diff to previous 1.421 (colored)

KNF

Revision 1.421 / (download) - annotate - [select for diffs], Wed Feb 4 10:43:18 2004 UTC (20 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.420: +6 -3 lines
Diff to previous 1.420 (colored)

Fix a number of bugs with setting pool limits which I introduced with
source-tracking. Found by Pyun YongHyeon.
Also add support to pfctl to set the src-nodes pool limit.

"Luckily" some of the bugs cancel each other out; update kernel before
pfctl.

ok dhartmei@

Revision 1.420 / (download) - annotate - [select for diffs], Mon Feb 2 12:47:50 2004 UTC (20 years, 4 months ago) by cedric
Branch: MAIN
Changes since 1.419: +5 -3 lines
Diff to previous 1.419 (colored)

Do not evaluate pfi_index2kif[ifp->if_index] if PF is disabled.
Safer and faster since we know that ifp->if_index can potentially
be garbage. ok dhartmei@

Revision 1.419 / (download) - annotate - [select for diffs], Tue Jan 27 09:31:15 2004 UTC (20 years, 4 months ago) by markus
Branch: MAIN
Changes since 1.418: +7 -1 lines
Diff to previous 1.418 (colored)

drop packet if kif == NULL; ok henning deraadt

Revision 1.418 / (download) - annotate - [select for diffs], Tue Jan 6 20:24:33 2004 UTC (20 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.417: +13 -1 lines
Diff to previous 1.417 (colored)

Drop UDP packets with destination port 0, or zero or oversized payload
length (same as udp_input() does, if pf is not enabled). Found by
Pyun YongHyeon. ok cedric@, ho@, henning@ and markus@.

Revision 1.417 / (download) - annotate - [select for diffs], Mon Jan 5 18:41:47 2004 UTC (20 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.416: +2 -2 lines
Diff to previous 1.416 (colored)

0 -> (void *)NULL for last argument of icmp_error(), which is of type
struct ifnet *, from Pyun YongHyeon

Revision 1.416 / (download) - annotate - [select for diffs], Sun Jan 4 12:56:33 2004 UTC (20 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.415: +6 -6 lines
Diff to previous 1.415 (colored)

better macro name (IF_LOCKED -> BOUND_IFACE). from markus.

Revision 1.415 / (download) - annotate - [select for diffs], Wed Dec 31 22:14:42 2003 UTC (20 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.414: +3 -3 lines
Diff to previous 1.414 (colored)

spacing.  note this, cedric

Revision 1.414 / (download) - annotate - [select for diffs], Wed Dec 31 11:18:25 2003 UTC (20 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.413: +274 -158 lines
Diff to previous 1.413 (colored)

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@

Revision 1.413 / (download) - annotate - [select for diffs], Fri Dec 19 16:12:43 2003 UTC (20 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.412: +2 -1 lines
Diff to previous 1.412 (colored)

i wrote much of these, assert my copyright

Revision 1.412 / (download) - annotate - [select for diffs], Thu Dec 18 16:07:38 2003 UTC (20 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.411: +2 -2 lines
Diff to previous 1.411 (colored)

resolve compiler warnings, from Pyun YongHyeon, ok cedric@, mcbride@

Revision 1.411 / (download) - annotate - [select for diffs], Mon Dec 15 09:10:25 2003 UTC (20 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.410: +8 -8 lines
Diff to previous 1.410 (colored)

ryan left a few for me ;-)

Revision 1.410 / (download) - annotate - [select for diffs], Mon Dec 15 07:28:25 2003 UTC (20 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.409: +20 -20 lines
Diff to previous 1.409 (colored)

Fix whitespace screwups before henning wakes up.

Revision 1.409 / (download) - annotate - [select for diffs], Mon Dec 15 07:11:30 2003 UTC (20 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.408: +71 -3 lines
Diff to previous 1.408 (colored)

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
  added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
  be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
  packets on pfsync no longer contain regular pf_state structs,
  but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@

Revision 1.408 / (download) - annotate - [select for diffs], Mon Dec 15 00:02:03 2003 UTC (20 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.407: +500 -155 lines
Diff to previous 1.407 (colored)

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
  translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@

Revision 1.407 / (download) - annotate - [select for diffs], Fri Dec 12 20:05:45 2003 UTC (20 years, 6 months ago) by cedric
Branch: MAIN
Changes since 1.406: +1 -97 lines
Diff to previous 1.406 (colored)

Move PF interface code to new net/pf_if.c
Expect improvements in this area soon.
ok dhartmei@ mcbride@

Revision 1.406 / (download) - annotate - [select for diffs], Thu Dec 11 13:13:27 2003 UTC (20 years, 6 months ago) by cedric
Branch: MAIN
Changes since 1.405: +125 -77 lines
Diff to previous 1.405 (colored)

Fix PR3587 and other related problems with NAT and table stats.
PPL that have that problem and cannot upgrade to -current could
just comment out the assertion in pfr_update_stats().
ok dhartmei@ henning@

Revision 1.405 / (download) - annotate - [select for diffs], Mon Dec 8 07:07:35 2003 UTC (20 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.404: +43 -3 lines
Diff to previous 1.404 (colored)

Mbuf tag tcp and udp packets which are translated to localhost, and
use the presence of this tag to reverse the match order in
in{6}_pcblookup_listen(). Some daemons (such as portmap) do a double
bind, binding to both * and localhost in order to differentiate local
from non-local connections, and potentially granting more privilege to
local ones. This change ensures that redirected connections to localhost
do not appear local to such a daemon.

Bulk of changes from dhartmei@, some changes markus@

ok dhartmei@ deraadt@

Revision 1.404 / (download) - annotate - [select for diffs], Fri Nov 28 01:06:59 2003 UTC (20 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.403: +31 -35 lines
Diff to previous 1.403 (colored)

More pf stats fixups:
- Don't double count icmp packets.
- We only want to increment rule and state counters if we're passing
  the packet, unless it's a 'drop' rule.

ok dhartmei@ henning@

Revision 1.403 / (download) - annotate - [select for diffs], Fri Nov 21 01:47:16 2003 UTC (20 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.402: +9 -14 lines
Diff to previous 1.402 (colored)

Remove redundant arguments to pf_sockaddr_lookup(); proto and af are already
included in pd.

ok dhartmei@ henning@

Revision 1.402 / (download) - annotate - [select for diffs], Fri Nov 21 01:43:43 2003 UTC (20 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.401: +25 -25 lines
Diff to previous 1.401 (colored)

Remove unused "ipoff" arguments.

ok dhartmei@ henning@

Revision 1.401 / (download) - annotate - [select for diffs], Sun Nov 16 23:23:16 2003 UTC (20 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.400: +13 -3 lines
Diff to previous 1.400 (colored)

pf_test() and pf_test6() consistency:
- Fix anchor accounting for IPv4 TCP and all IPv6 protocols.
- Make stateful connections work for generic protocols on IPv6.

ok henning@ dhartmei@

Revision 1.400 / (download) - annotate - [select for diffs], Sun Nov 9 11:25:01 2003 UTC (20 years, 7 months ago) by dhartmei
Branch: MAIN
Changes since 1.399: +1 -2 lines
Diff to previous 1.399 (colored)

remove stale forward declaration

Revision 1.399 / (download) - annotate - [select for diffs], Tue Nov 4 21:43:15 2003 UTC (20 years, 7 months ago) by markus
Branch: MAIN
Changes since 1.398: +3 -5 lines
Diff to previous 1.398 (colored)

add in(6)_pcblookup_listen() and replace all calls to in_pcblookup()
with either in(6)_pcbhashlookup() or in(6)_pcblookup_listen();
in_pcblookup is now only used by bind(2); speeds up pcb lookup for
listening sockets; from Claudio Jeker

Revision 1.398 / (download) - annotate - [select for diffs], Mon Nov 3 07:50:00 2003 UTC (20 years, 7 months ago) by cedric
Branch: MAIN
Changes since 1.397: +29 -1 lines
Diff to previous 1.397 (colored)

pf_route() can change output NIC, so we need to check its capabilities.
good candidate for 3.X errata.
ok dhartmei@ henning@ mcbride@

Revision 1.397 / (download) - annotate - [select for diffs], Fri Oct 31 10:34:47 2003 UTC (20 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.396: +2 -2 lines
Diff to previous 1.396 (colored)

Remove remnants of pf_tree stuff that I missed.

Revision 1.328.2.5 / (download) - annotate - [select for diffs], Fri Oct 31 06:36:16 2003 UTC (20 years, 7 months ago) by brad
Branch: OPENBSD_3_3
Changes since 1.328.2.4: +2 -2 lines
Diff to previous 1.328.2.4 (colored) to branchpoint 1.328 (colored)

MFC:
Fix by dhartmei@

fix binat for incoming connections when a netblock (not just a single
address) is used for source in the binat rule. closes PR 3535, reported
by Karl O.Pinc. ok henning@, cedric@

ok deraadt@

Revision 1.389.2.1 / (download) - annotate - [select for diffs], Fri Oct 31 06:06:29 2003 UTC (20 years, 7 months ago) by brad
Branch: OPENBSD_3_4
Changes since 1.389: +2 -2 lines
Diff to previous 1.389 (colored)

MFC:
Fix by dhartmei@

fix binat for incoming connections when a netblock (not just a single
address) is used for source in the binat rule. closes PR 3535, reported
by Karl O.Pinc. ok henning@, cedric@

ok deraadt@

Revision 1.396 / (download) - annotate - [select for diffs], Wed Oct 29 15:35:08 2003 UTC (20 years, 7 months ago) by dhartmei
Branch: MAIN
Changes since 1.395: +2 -2 lines
Diff to previous 1.395 (colored)

fix binat for incoming connections when a netblock (not just a single
address) is used for source in the binat rule. closes PR 3535, reported
by Karl O.Pinc. ok henning@, cedric@

Revision 1.395 / (download) - annotate - [select for diffs], Sat Oct 25 20:27:07 2003 UTC (20 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.394: +269 -177 lines
Diff to previous 1.394 (colored)

Build state search indexes directly on pf_state instead of pf_tree_node.
This saves more than 30% memory on state entries, and simplifies the state
insertion and removal code as well.

NOTE: This changes the pf API; userland tools must be updated to match.

ok henning@ dhartmei@

Revision 1.394 / (download) - annotate - [select for diffs], Fri Oct 10 15:26:40 2003 UTC (20 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.393: +3 -3 lines
Diff to previous 1.393 (colored)

make sure pd is initialized before use (or byte counters may increase
by random values). ok mcbride@, cedric@, henning@

Revision 1.393 / (download) - annotate - [select for diffs], Thu Oct 2 05:47:30 2003 UTC (20 years, 8 months ago) by itojun
Branch: MAIN
Changes since 1.392: +2 -2 lines
Diff to previous 1.392 (colored)

correct endian handling of ip->ip_off.
do not try to send incomplete fragments on ENOBUFS case
(behavior change from 4.4bsd).
dhartmei ok

Revision 1.392 / (download) - annotate - [select for diffs], Fri Sep 26 21:44:08 2003 UTC (20 years, 8 months ago) by cedric
Branch: MAIN
Changes since 1.391: +2 -1 lines
Diff to previous 1.391 (colored)

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:

   - Anchors/Rulesets cannot disappear unexpectedly anymore.
   - No more leftovers in the kernel if "pfctl -f" fails.
   - Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

   - DIOCBEGINRULES
   - DIOCCOMMITRULES
   - DIOCBEGINALTQS
   - DIOCCOMMITALTQS
   - DIOCRINABEGIN
   - DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

   - DIOCXBEGIN
   - DIOCXCOMMIT
   - DIOCXROLLBACK

Ok dhartmei@ mcbride@

Revision 1.391 / (download) - annotate - [select for diffs], Fri Sep 26 14:48:19 2003 UTC (20 years, 8 months ago) by mcbride
Branch: MAIN
Changes since 1.390: +79 -137 lines
Diff to previous 1.390 (colored)

Move statistics counters from individual pf_test_<proto>() and
pf_test_state_<proto>() to pf_test() and pf_test6(). Reduce
code redundancy, and fix the following bugs:

- ICMP packets were not being accounted for correctly (missing
  statistics code in pf_test_state_icmp())
- Some packets were not being counted in the loginterface statistics

NOTE: Under some situations with route-to, packets may get counted
once on the original interface, and once on the pf-routed interface.
This can be dealt with by rules which specify each interface
explicitly.

ok cedric@, henning@

Revision 1.390 / (download) - annotate - [select for diffs], Wed Sep 24 17:18:03 2003 UTC (20 years, 8 months ago) by mcbride
Branch: MAIN
Changes since 1.389: +1 -35 lines
Diff to previous 1.389 (colored)

Remove state setup no-ops.

ok cedric@ frantzen@ henning@

Revision 1.389 / (download) - annotate - [select for diffs], Mon Sep 1 15:08:39 2003 UTC (20 years, 9 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_3_4_BASE
Branch point for: OPENBSD_3_4
Changes since 1.388: +2 -2 lines
Diff to previous 1.388 (colored)

KNF

Revision 1.388 / (download) - annotate - [select for diffs], Mon Sep 1 10:41:38 2003 UTC (20 years, 9 months ago) by cedric
Branch: MAIN
Changes since 1.387: +21 -15 lines
Diff to previous 1.387 (colored)

Make nat rule update the table counters when no filtering rule is used.
This is mostly to support the new "nat pass" rule.
ok dhartmei@ henning@

Revision 1.387 / (download) - annotate - [select for diffs], Thu Aug 28 09:41:03 2003 UTC (20 years, 9 months ago) by cedric
Branch: MAIN
Changes since 1.386: +9 -4 lines
Diff to previous 1.386 (colored)

fix "pfctl -vvsr" output for rules with tables inside anchors.
ok henning@

Revision 1.386 / (download) - annotate - [select for diffs], Thu Aug 21 19:12:07 2003 UTC (20 years, 9 months ago) by frantzen
Branch: MAIN
Changes since 1.385: +68 -50 lines
Diff to previous 1.385 (colored)

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
	block proto tcp from any os SCO
	block proto tcp from any os Windows to any port smtp
	rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001

Revision 1.385 / (download) - annotate - [select for diffs], Mon Aug 18 11:01:41 2003 UTC (20 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.384: +19 -17 lines
Diff to previous 1.384 (colored)

prevent looutput() feedback of broadcast/multicast packets if they are
pf routed. prevents a kernel lockup with some (non-sensical) route-to
rules. report and debugging by mpech@. ok itojun@, henning@, mpech@.

Revision 1.384 / (download) - annotate - [select for diffs], Sun Aug 17 15:36:48 2003 UTC (20 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.383: +3 -2 lines
Diff to previous 1.383 (colored)

Missing break, change NULL -> 0 for int parameter (no functional
changes), from Andrey Matveev

Revision 1.383 / (download) - annotate - [select for diffs], Thu Aug 14 19:00:12 2003 UTC (20 years, 10 months ago) by jason
Branch: MAIN
Changes since 1.382: +33 -40 lines
Diff to previous 1.382 (colored)

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.

Revision 1.328.2.4 / (download) - annotate - [select for diffs], Sat Aug 9 18:23:10 2003 UTC (20 years, 10 months ago) by brad
Branch: OPENBSD_3_3
Changes since 1.328.2.3: +2 -3 lines
Diff to previous 1.328.2.3 (colored) to branchpoint 1.328 (colored)

MFC:
Fix by mcbride@

With rdr we want the source IP from the packet, not the source IP from
the rule. Fixes rdr with address pools using bitmask and source-hash
address selection methods.

ok dhartmei@ henning@

ok deraadt@

Revision 1.382 / (download) - annotate - [select for diffs], Sat Aug 9 14:56:48 2003 UTC (20 years, 10 months ago) by cedric
Branch: MAIN
Changes since 1.381: +40 -23 lines
Diff to previous 1.381 (colored)

This patch removes the restriction that tables cannot be used in routing or
redirection rules...

The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.

This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.

Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"

ok henning@ mcbride@

Revision 1.381 / (download) - annotate - [select for diffs], Thu Aug 7 14:20:50 2003 UTC (20 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.380: +2 -2 lines
Diff to previous 1.380 (colored)

make pf_match take u_int32_t instead of u_int16_t
it's not only used to match on ports any more but uid/gid as well, and uid_t/gid_t are u_int32_t.
found by aaron@
ok cedric@

Revision 1.380 / (download) - annotate - [select for diffs], Tue Jul 29 20:56:55 2003 UTC (20 years, 10 months ago) by dhartmei
Branch: MAIN
Changes since 1.379: +33 -13 lines
Diff to previous 1.379 (colored)

Set pf_state->rt_ifp when creating the state entry, instead of doing it
later on, when another packet matches the state. ok mcbride@

Revision 1.379 / (download) - annotate - [select for diffs], Tue Jul 29 00:51:32 2003 UTC (20 years, 10 months ago) by cedric
Branch: MAIN
Changes since 1.378: +36 -23 lines
Diff to previous 1.378 (colored)

More aggressive and easier to understand skip steps for addresses.
Help daniel@ mcbride@
Ok henning@ mcbride@

Revision 1.378 / (download) - annotate - [select for diffs], Sat Jul 19 13:08:58 2003 UTC (20 years, 10 months ago) by cedric
Branch: MAIN
Changes since 1.377: +21 -20 lines
Diff to previous 1.377 (colored)

Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
instead of indirectly through struct pf_rule_addr.

Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.

Needless to say: KERNEL/USERLAND SYNC REQUIRED.

ok henning@ mcbride@

Revision 1.377 / (download) - annotate - [select for diffs], Sat Jul 12 09:36:23 2003 UTC (20 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.376: +1 -3 lines
Diff to previous 1.376 (colored)

Remove two htons(), which were meant as ntohs(), and are wrong since
ip_output() flipped byte order. From Pyun YongHyeon. ok itojun@

Revision 1.328.2.3 / (download) - annotate - [select for diffs], Thu Jul 10 22:34:28 2003 UTC (20 years, 11 months ago) by brad
Branch: OPENBSD_3_3
Changes since 1.328.2.2: +14 -19 lines
Diff to previous 1.328.2.2 (colored) to branchpoint 1.328 (colored)

MFC:
Fix by dhartmei@

Fix nat proxy port allocation. In case a range was manually specified,
ports outside that range could be used with a probability inversely
proportional to the size of the specified range (occurred often with
very small, rarely with larger ranges).
Reported by Gopakumar Pillai, ok henning@

ok deraadt@ dhartmei@

Revision 1.376 / (download) - annotate - [select for diffs], Wed Jul 9 22:03:15 2003 UTC (20 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.375: +15 -15 lines
Diff to previous 1.375 (colored)

do not flip ip_len/ip_off in netinet stack.  deraadt ok.
(please test, especially PF portion)

Revision 1.375 / (download) - annotate - [select for diffs], Fri Jul 4 10:57:27 2003 UTC (20 years, 11 months ago) by markus
Branch: MAIN
Changes since 1.374: +16 -13 lines
Diff to previous 1.374 (colored)

cosmetic changes to keep the different code paths in sync; ok henning

Revision 1.374 / (download) - annotate - [select for diffs], Fri Jul 4 10:39:30 2003 UTC (20 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.373: +25 -5 lines
Diff to previous 1.373 (colored)

-add a "natpass" field to pf_rule
-if natpass is nonzero on nat/rdr/binat rules, do not evaluate the filter
ruleset, but set the rulepointer to the default rule (which is a pass rule)

in cooperation with daniel.

ok dhartmei@ cedric@ markus@

Revision 1.373 / (download) - annotate - [select for diffs], Fri Jul 4 08:24:52 2003 UTC (20 years, 11 months ago) by markus
Branch: MAIN
Changes since 1.372: +1 -2 lines
Diff to previous 1.372 (colored)

bad redundant copy; ok daniel

Revision 1.372 / (download) - annotate - [select for diffs], Sun Jun 29 23:37:12 2003 UTC (20 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.371: +6 -1 lines
Diff to previous 1.371 (colored)

normalize IPv6 packet (no reass, but it is a start).  dhartmei & henning ok
- length, jumbo payload option
- TTL ("hoplimit" in IPv6 terminology) rewrite

Revision 1.371 / (download) - annotate - [select for diffs], Sun Jun 29 12:25:03 2003 UTC (20 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.370: +1 -2 lines
Diff to previous 1.370 (colored)

unused global. dhartmei ok

Revision 1.370 / (download) - annotate - [select for diffs], Sat Jun 28 00:27:10 2003 UTC (20 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.369: +1 -11 lines
Diff to previous 1.369 (colored)

remove duplicated prototype (they are in pfvar.h).  dhartmei ok

Revision 1.369 / (download) - annotate - [select for diffs], Tue Jun 24 13:55:13 2003 UTC (20 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.368: +5 -3 lines
Diff to previous 1.368 (colored)

in the ipv6 case, allow route-to to route to link-local addresses

from KOZUKA Masahiro <ma-kun@kozuka.jp> with a minor adjustment from itojun

ok itojun@ dhartmei@

Revision 1.368 / (download) - annotate - [select for diffs], Tue Jun 24 13:52:50 2003 UTC (20 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.367: +3 -3 lines
Diff to previous 1.367 (colored)

KNF

Revision 1.367 / (download) - annotate - [select for diffs], Sat Jun 21 09:07:01 2003 UTC (20 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.366: +35 -25 lines
Diff to previous 1.366 (colored)

count packets and bidirectionally on state entries, allowing for fine-grained
traffic reporting w/ pfsync; ok dhartmei@

Note: ABI change (new fields in struct pf_state), requires a rebuild of
pfctl and tcpdump.

Revision 1.366 / (download) - annotate - [select for diffs], Fri Jun 20 18:24:57 2003 UTC (20 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.365: +130 -17 lines
Diff to previous 1.365 (colored)

Add MSS support to the synproxy. The client's MSS is sent to the server,
the server's MSS is guessed based on the routing table and interface MTU.

Fine patch entirely from Krists Krilovs <pow@pow.za.net>, ok frantzen@

Note: ABI change (new field in struct pf_state), requires a pfctl rebuild
(and tcpdump for pfsync).

Revision 1.365 / (download) - annotate - [select for diffs], Fri Jun 20 17:38:24 2003 UTC (20 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.364: +7 -2 lines
Diff to previous 1.364 (colored)

Extend 'BAD ICMP' debug message, include icmp type/code and outer IP header
addresses. ok mcbride@, cedric@

Revision 1.328.2.2 / (download) - annotate - [select for diffs], Sun Jun 15 20:35:45 2003 UTC (21 years ago) by brad
Branch: OPENBSD_3_3
Changes since 1.328.2.1: +3 -3 lines
Diff to previous 1.328.2.1 (colored) to branchpoint 1.328 (colored)

Fix by dhartmei@

apply correct window scaling to ackskew

deraadt@ ok

Revision 1.364 / (download) - annotate - [select for diffs], Sat Jun 14 07:23:15 2003 UTC (21 years ago) by dhartmei
Branch: MAIN
Changes since 1.363: +3 -3 lines
Diff to previous 1.363 (colored)

Use source's window scaling factor (instead of destination's) when
comparing ackskew, otherwise legitimate low acks can get blocked. Was
triggered when asymmetric scale factors were used in combination with
SACK. Report and logs provided by Peter Galbavy. ok frantzen@, henning@

Revision 1.363 / (download) - annotate - [select for diffs], Tue Jun 10 22:05:03 2003 UTC (21 years ago) by dhartmei
Branch: MAIN
Changes since 1.362: +3 -1 lines
Diff to previous 1.362 (colored)

It would kind of help if the flags member was initialized, otherwise random
rules create state. Truly hard to spot. Unless you run the code, of course.

Revision 1.362 / (download) - annotate - [select for diffs], Mon Jun 9 11:14:46 2003 UTC (21 years ago) by mcbride
Branch: MAIN
Changes since 1.361: +16 -15 lines
Diff to previous 1.361 (colored)

Attempt to resolve byte order confusion in nat code once and for all.

- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()

NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.

Revision 1.95.2.9 / (download) - annotate - [select for diffs], Sat Jun 7 11:06:06 2003 UTC (21 years ago) by ho
Branch: SMP
Changes since 1.95.2.8: +248 -162 lines
Diff to previous 1.95.2.8 (colored)

Sync SMP branch to -current

Revision 1.361 / (download) - annotate - [select for diffs], Tue Jun 3 12:34:04 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.360: +1 -3 lines
Diff to previous 1.360 (colored)

move some prototypes to pfvar.h. needed soon.
pf_tagname2tag, pf_tag2tagname, pf_tag_unref, pf_tag_packet

Revision 1.328.2.1 / (download) - annotate - [select for diffs], Sat May 31 00:57:50 2003 UTC (21 years ago) by margarida
Branch: OPENBSD_3_3
Changes since 1.328: +2 -1 lines
Diff to previous 1.328 (colored)

Pull patch from -current:
Fix by dhartmei@

Fix a bug that prevents rdr/binat (but not nat) from working for protocols
other than TCP, UDP and ICMP (for instance GRE).
Reported by Gunnar Helliesen.

Ok deraadt@

Revision 1.180.2.4 / (download) - annotate - [select for diffs], Mon May 19 22:29:34 2003 UTC (21 years ago) by tedu
Branch: UBC
Changes since 1.180.2.3: +2418 -1367 lines
Diff to previous 1.180.2.3 (colored) to branchpoint 1.180 (colored) next main 1.181 (colored)

sync

Revision 1.360 / (download) - annotate - [select for diffs], Sun May 18 19:58:56 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.359: +42 -74 lines
Diff to previous 1.359 (colored)

speed hack: delay fetching the mbuf tag until we really need it (hit a
"tagged X" rule), and only get it when we really need it. simplifies code too.

ok dhartmei@ pb@

Revision 1.359 / (download) - annotate - [select for diffs], Sun May 18 18:33:28 2003 UTC (21 years ago) by dhartmei
Branch: MAIN
Changes since 1.358: +96 -184 lines
Diff to previous 1.358 (colored)

Merge pf_send_ack() and _send_syn() into a generic _send_tcp().
In the SYN proxy, generate ACKs with proper window sizes after the
handshakes.

Revision 1.358 / (download) - annotate - [select for diffs], Sat May 17 21:15:23 2003 UTC (21 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.357: +3 -3 lines
Diff to previous 1.357 (colored)

Correct two comment typos.

Revision 1.357 / (download) - annotate - [select for diffs], Sat May 17 03:04:45 2003 UTC (21 years, 1 month ago) by mcbride
Branch: MAIN
CVS Tags: UBC_SYNC_A
Changes since 1.356: +2 -3 lines
Diff to previous 1.356 (colored)

With rdr we want the source IP from the packet, not the source IP from
the rule. Fixes rdr with address pools using bitmask and source-hash
address selection methods.

ok dhartmei@ henning@

Revision 1.356 / (download) - annotate - [select for diffs], Sat May 17 02:01:20 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.355: +16 -6 lines
Diff to previous 1.355 (colored)

allow inverse matching on tags

ok dhartmei@ pb@

Revision 1.355 / (download) - annotate - [select for diffs], Sat May 17 01:08:50 2003 UTC (21 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.354: +29 -20 lines
Diff to previous 1.354 (colored)

Add an 'action' code that allows the SYN proxy to swallow/drop a packet
without causing EHOSTUNREACH to be delivered to local sockets, so it works
for outgoing connections originating on the same host. ok frantzen@

Revision 1.354 / (download) - annotate - [select for diffs], Fri May 16 17:15:17 2003 UTC (21 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.353: +203 -13 lines
Diff to previous 1.353 (colored)

TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive end-
point, preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@

Revision 1.95.2.8 / (download) - annotate - [select for diffs], Fri May 16 00:29:43 2003 UTC (21 years, 1 month ago) by niklas
Branch: SMP
Changes since 1.95.2.7: +261 -66 lines
Diff to previous 1.95.2.7 (colored)

merge the trunk so we will get the genfs and locking fixes

Revision 1.353 / (download) - annotate - [select for diffs], Wed May 14 23:46:45 2003 UTC (21 years, 1 month ago) by frantzen
Branch: MAIN
Changes since 1.352: +26 -15 lines
Diff to previous 1.352 (colored)

- modulate TCP Timestamps so they can't be used to detect NAT and to preclude
remote uptime determination
- scrub modifier "reassemble tcp" turns on stateful TCP normalizations
ok henning@ dhartmei@

Revision 1.352 / (download) - annotate - [select for diffs], Wed May 14 21:50:56 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.351: +124 -46 lines
Diff to previous 1.351 (colored)

tag on each matching rule, not just the last one.

idea from theo.

to speed that up the real mbuf tag is not written until we hit the last match
but an internal variable is used to track the tag.

this can be used to split classification and policy enforcement, for example.
and much much much more...

ok dhartmei@ frantzen@

Revision 1.351 / (download) - annotate - [select for diffs], Wed May 14 08:42:00 2003 UTC (21 years, 1 month ago) by canacar
Branch: MAIN
Changes since 1.350: +72 -50 lines
Diff to previous 1.350 (colored)

Use official (from pcap people) link type for pflog.
With this change, the log header format also changes.
The new log format is extendible and allows logging
of the originating anchor and ruleset information.

ok henning@ dhartmei@ frantzen@

Revision 1.350 / (download) - annotate - [select for diffs], Wed May 14 04:51:10 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.349: +12 -8 lines
Diff to previous 1.349 (colored)

2 lines of code bring us tags on nat rules

ok dhartmei@ frantzen@

Revision 1.95.2.7 / (download) - annotate - [select for diffs], Tue May 13 19:36:15 2003 UTC (21 years, 1 month ago) by ho
Branch: SMP
Changes since 1.95.2.6: +544 -430 lines
Diff to previous 1.95.2.6 (colored)

Sync the SMP branch to -current. This includes moving to ELF.

Revision 1.349 / (download) - annotate - [select for diffs], Tue May 13 17:45:23 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.348: +57 -1 lines
Diff to previous 1.348 (colored)

add support for tagging packets with arbitrary tags and filtering based on
those tags later on.

ok dhartmei@ pb@ mcbride@ frantzen@

Revision 1.348 / (download) - annotate - [select for diffs], Mon May 12 22:53:47 2003 UTC (21 years, 1 month ago) by frantzen
Branch: MAIN
Changes since 1.347: +29 -5 lines
Diff to previous 1.347 (colored)

- TCP window scaling is not applied to the SYNs' window so we must retract the
initial maximum window by the scaling factor.  otherwise our view of the
allowable sequence window is too big.  back out the scaling factor adjustment
from the max window if the other endpoint rejects window scaling
- window scale the forward ACK skew check
ok dhartmei@

Revision 1.347 / (download) - annotate - [select for diffs], Mon May 12 17:49:03 2003 UTC (21 years, 1 month ago) by mcbride
Branch: MAIN
Changes since 1.346: +13 -13 lines
Diff to previous 1.346 (colored)

Reorder IPv6 address comparisons to check the least significant parts
first. The least significant portions of the IPv6 address are more
likely to differ than the more significant ones, since in most
situations half the addresses (either the source or the destination)
will be in the local subnet.

ok dhartmei@ henning@

Revision 1.346 / (download) - annotate - [select for diffs], Mon May 12 01:25:31 2003 UTC (21 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.345: +60 -29 lines
Diff to previous 1.345 (colored)

Adaptive timeout value scaling. Allows reducing timeout values as the
number of state table entries grows, so entries time out faster before
the table fills up. Works both globally and per-rule. ok frantzen@

Revision 1.345 / (download) - annotate - [select for diffs], Sun May 11 20:44:03 2003 UTC (21 years, 1 month ago) by frantzen
Branch: MAIN
Changes since 1.344: +30 -7 lines
Diff to previous 1.344 (colored)

the start of stateful TCP scrubbing.  dynamically determine the highest TTL of
each side of the TCP connection and prevent it from being reduced
ok pb@ dhartmei@

Revision 1.344 / (download) - annotate - [select for diffs], Sun May 11 01:17:15 2003 UTC (21 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.343: +17 -12 lines
Diff to previous 1.343 (colored)

Use sizeof(struct icmp6_hdr) instead of ICMP_MINLEN for IPv6, both are
8 bytes, but the former is more appropriate. ok frantzen@

Revision 1.343 / (download) - annotate - [select for diffs], Sat May 10 23:32:48 2003 UTC (21 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.342: +51 -7 lines
Diff to previous 1.342 (colored)

Pass ICMP error messages referring to non-TCP/UDP/ICMP packets statefully,
instead of just dropping them. ok frantzen@, henning@, pb@

Revision 1.342 / (download) - annotate - [select for diffs], Sat May 10 23:04:31 2003 UTC (21 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.341: +33 -1 lines
Diff to previous 1.341 (colored)

Support return-icmp for 'other' protocols (non-TCP/UDP/ICMP), for instance
stock OpenBSD stack returns 'protocol unreachable'.
ok frantzen@, henning@, pb@

Revision 1.341 / (download) - annotate - [select for diffs], Sat May 10 22:33:33 2003 UTC (21 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.340: +15 -12 lines
Diff to previous 1.340 (colored)

Prepare pf_change_icmp() for parameter ip == NULL use.
ok frantzen@, henning@, pb@

Revision 1.340 / (download) - annotate - [select for diffs], Tue May 6 21:21:23 2003 UTC (21 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.339: +2 -1 lines
Diff to previous 1.339 (colored)

Fix a bug that prevents rdr/binat (but not nat) from working for protocols
other than TCP, UDP and ICMP (for instance GRE).
Reported by Gunnar Helliesen. ok henning@

Revision 1.339 / (download) - annotate - [select for diffs], Wed Apr 30 12:30:27 2003 UTC (21 years, 1 month ago) by cedric
Branch: MAIN
Changes since 1.338: +3 -5 lines
Diff to previous 1.338 (colored)

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@

Revision 1.338 / (download) - annotate - [select for diffs], Fri Apr 25 17:41:25 2003 UTC (21 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.337: +14 -19 lines
Diff to previous 1.337 (colored)

Fix nat proxy port allocation. In case a range was manually specified,
ports outside that range could be used with a probability inversely
proportional to the size of the specified range (occurred often with
very small, rarely with larger ranges).
Reported by Gopakumar Pillai, ok henning@

Revision 1.337 / (download) - annotate - [select for diffs], Fri Apr 11 14:40:57 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.336: +30 -1 lines
Diff to previous 1.336 (colored)

set/update the queue IDs on filter rules (qid and pqid) on
-DIOCCHANGERULE (just the affected rule)
-DIOCCOMMITRULES (all filter rules that get committed - one anchor or main rs)
-DIOCCOMMITALTQS (all filter rules, main set plus all anchors)

This fixes a whole bunch of issues.
Previously, this was done in userland at load time. This worked fine for the
usual case, full ruleset load. It did not work inside anchors, as the queue
name <-> queue ID mapping is unknown there. Also, if the queue definitions
were changed without reloading the rules too (pfctl -A), the queue IDs on
the rules were not updated.
The three ioctls mentioned above are all entry points where the mapping is
touched.

helpful discussion with dhartmei@ and cedric@ helped verify that my approach
for this fix was right.

ok dhartmei@ cedric@

Revision 1.336 / (download) - annotate - [select for diffs], Wed Apr 9 18:21:58 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.335: +2 -2 lines
Diff to previous 1.335 (colored)

KNF

Revision 1.335 / (download) - annotate - [select for diffs], Wed Apr 9 15:32:59 2003 UTC (21 years, 2 months ago) by cedric
Branch: MAIN
Changes since 1.334: +149 -112 lines
Diff to previous 1.334 (colored)

Change pf_state structure to point to both a rule and the anchor,
so states created by rules in anchors correctly use rule options like
routing and (soon) queues...
Rule number bumped to 32 bit value.
USERLAND NEEDS TO BE RECOMPILED.
ok dhartmei@ henning@

Revision 1.334 / (download) - annotate - [select for diffs], Sat Apr 5 20:24:58 2003 UTC (21 years, 2 months ago) by cedric
Branch: MAIN
Changes since 1.333: +167 -225 lines
Diff to previous 1.333 (colored)

Stick pf_default_rule every time a packet passes because of the
implicit "pass all" first rule match and remove all "r == NULL"
tests which are now useless.
ok dhartmei@

Revision 1.333 / (download) - annotate - [select for diffs], Sat Apr 5 20:20:58 2003 UTC (21 years, 2 months ago) by cedric
Branch: MAIN
Changes since 1.332: +3 -36 lines
Diff to previous 1.332 (colored)

Replace the timeout variables by the content of the timeout
field of a new pf_default_rule structure.
ok dhartmei@

Revision 1.332 / (download) - annotate - [select for diffs], Sat Apr 5 20:18:23 2003 UTC (21 years, 2 months ago) by cedric
Branch: MAIN
Changes since 1.331: +84 -79 lines
Diff to previous 1.331 (colored)

Cleanup by replacing a bunch of "(*rm)" by just "r"
ok dhartmei@

Revision 1.331 / (download) - annotate - [select for diffs], Thu Apr 3 15:27:17 2003 UTC (21 years, 2 months ago) by cedric
Branch: MAIN
Changes since 1.330: +16 -8 lines
Diff to previous 1.330 (colored)

Back out my last change, which was incorrect or incomplete.
States can still be created without a rule for people who have only
NAT rules, for example.

Revision 1.330 / (download) - annotate - [select for diffs], Thu Apr 3 13:17:24 2003 UTC (21 years, 2 months ago) by cedric
Branch: MAIN
Changes since 1.329: +9 -17 lines
Diff to previous 1.329 (colored)

Remove (state->rule.ptr != NULL) tests: this is always true now.
ok dhartmei@

Revision 1.329 / (download) - annotate - [select for diffs], Mon Mar 31 13:15:27 2003 UTC (21 years, 2 months ago) by cedric
Branch: MAIN
Changes since 1.328: +5 -3 lines
Diff to previous 1.328 (colored)

Only delete rule structure when no state refers to it.
Fix a bunch of issues.
Removal of unneeded (r != null) tests coming soon...
ok dhartmei@

Revision 1.95.2.6 / (download) - annotate - [select for diffs], Fri Mar 28 00:41:28 2003 UTC (21 years, 2 months ago) by niklas
Branch: SMP
Changes since 1.95.2.5: +2253 -2836 lines
Diff to previous 1.95.2.5 (colored)

Sync the SMP branch with 3.3

Revision 1.328 / (download) - annotate - [select for diffs], Fri Mar 21 12:47:36 2003 UTC (21 years, 2 months ago) by cedric
Branch: MAIN
CVS Tags: OPENBSD_3_3_BASE
Branch point for: OPENBSD_3_3
Changes since 1.327: +5 -5 lines
Diff to previous 1.327 (colored)

- Add missing "\n" to some pf_table.c printf()
- Fix two problems with pfr_update_stats().

Filtering was done properly, only stats were wrong.
People should upgrade their kernel if:
  - They use bidirectional rules (without "in" or "out") with tables.
  - They use tables in negated statements, like "block from !<foo>"

Thanks to David Krause for discovering the problem.
Ok dhartmei@ henning@

Revision 1.327 / (download) - annotate - [select for diffs], Sun Mar 9 20:26:12 2003 UTC (21 years, 3 months ago) by frantzen
Branch: MAIN
Changes since 1.326: +5 -5 lines
Diff to previous 1.326 (colored)

tighten the TCP state code in relation to a FIN before any server responses
ok dhartmei@ henning@

Revision 1.326 / (download) - annotate - [select for diffs], Tue Mar 4 11:23:43 2003 UTC (21 years, 3 months ago) by pb
Branch: MAIN
Changes since 1.325: +26 -9 lines
Diff to previous 1.325 (colored)

(really) support user/group rules with 'inet6'

pointed out by hugh

ok dhartmei@, henning@

Revision 1.325 / (download) - annotate - [select for diffs], Sun Mar 2 12:00:39 2003 UTC (21 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.324: +5 -2 lines
Diff to previous 1.324 (colored)

Use priority queue for TCP ACKs that have no payload. Very useful on
asymmetric links. ok henning@, cedric@

Revision 1.324 / (download) - annotate - [select for diffs], Thu Feb 27 13:35:57 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.323: +21 -1 lines
Diff to previous 1.323 (colored)

make packet classification for altq work in the IPv6 case

ok dhartmei@ cedric@ + "looks good" mcbride@

Revision 1.323 / (download) - annotate - [select for diffs], Thu Feb 27 12:56:04 2003 UTC (21 years, 3 months ago) by cedric
Branch: MAIN
Changes since 1.322: +12 -1 lines
Diff to previous 1.322 (colored)

Repair IPv6 support for tables.
ok dhartmei@ henning@

Revision 1.322 / (download) - annotate - [select for diffs], Tue Feb 25 17:54:06 2003 UTC (21 years, 3 months ago) by mcbride
Branch: MAIN
Changes since 1.321: +23 -16 lines
Diff to previous 1.321 (colored)

- Handle src and dst comparisons correctly for binat so that it works
  properly in _both_ directions.
- Handle skip steps properly with binat. (since we're swapping around
  src and dst comparisons, we can't use them in all cases)

fix from dhartmei@

ok dhartmei@ henning@ cedric@

Revision 1.321 / (download) - annotate - [select for diffs], Sun Feb 16 21:30:13 2003 UTC (21 years, 3 months ago) by deraadt
Branch: MAIN
Changes since 1.320: +5 -5 lines
Diff to previous 1.320 (colored)

KNF

Revision 1.320 / (download) - annotate - [select for diffs], Wed Feb 12 14:41:07 2003 UTC (21 years, 4 months ago) by jason
Branch: MAIN
Changes since 1.319: +1 -2 lines
Diff to previous 1.319 (colored)

Remove commons; inspired by netbsd.

Revision 1.319 / (download) - annotate - [select for diffs], Wed Feb 12 12:50:29 2003 UTC (21 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.318: +5 -5 lines
Diff to previous 1.318 (colored)

Make r.rpool.proxy_port[] a consistent byte order to match cleanup in
pfctl.

ok dhartmei@

Revision 1.318 / (download) - annotate - [select for diffs], Wed Feb 12 03:02:23 2003 UTC (21 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.317: +72 -38 lines
Diff to previous 1.317 (colored)

Fix a bunch of pf_route() bugs:

- pass back a pointer to state created in pf_test_{tcp|udp|icmp|other}()
  so that pf_route()/pf_route6() can peek at it.
- put the PACKET_TAG_PF_ROUTED tag onto the packets _before_ we call
  pf_test()/pf_test6() again to prevent looping.
- Call pf_test6() in pf_route6() instead of pf_test() for obvious reasons.

ok dhartmei@

Revision 1.317 / (download) - annotate - [select for diffs], Sun Feb 9 16:21:00 2003 UTC (21 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.316: +3 -2 lines
Diff to previous 1.316 (colored)

Slightly less noisy debug printf from pf_map_addr(), ok mcbride@

Revision 1.316 / (download) - annotate - [select for diffs], Wed Feb 5 13:07:20 2003 UTC (21 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.315: +10 -10 lines
Diff to previous 1.315 (colored)

Remove the confusing and more-or-less unnecessary temporary
struct pf_pooladdr *cur. It was being used incorrectly in the
round-robin case, which meant that the previous address was being selected,
rather than the real current one.

ok dhartmei@

Revision 1.315 / (download) - annotate - [select for diffs], Sat Feb 1 15:20:16 2003 UTC (21 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.314: +7 -1 lines
Diff to previous 1.314 (colored)

Make it build without INET6 again.

Revision 1.314 / (download) - annotate - [select for diffs], Fri Jan 31 19:36:39 2003 UTC (21 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.313: +5 -4 lines
Diff to previous 1.313 (colored)

The fix introduced with 1.294 to solve issues with route-to in
combination with translations was too broad and broke some
more complex setups (creating two states for one connection on
two interfaces, using modulate state for each, and additionally
using route-to/reply-to on one of them), so narrow it to the
cases where it's needed. Reported by henric@.

Revision 1.313 / (download) - annotate - [select for diffs], Fri Jan 31 19:22:11 2003 UTC (21 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.312: +117 -1 lines
Diff to previous 1.312 (colored)

Check protocol (TCP/UDP/ICMP/ICMP6) checksums of all incoming packets,
and drop packets with invalid checksums. Without such a check, pf would
return RST/ICMP errors even for packets with invalid checksums, which
could be used to detect the presence of the firewall, reported by
"Ed White" in http://www.phrack.org/phrack/60/p60-0x0c.txt.

To minimize the cost of checksum calculations, mbuf flags set by
network interfaces capable of hardware checksumming are honoured,
and set when pf performs the calculation, so the TCP/IP stack itself
will not repeat the calculation for the same packet later on.

ok mcbride@ and henning@

Revision 1.312 / (download) - annotate - [select for diffs], Fri Jan 31 19:09:12 2003 UTC (21 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.311: +10 -2 lines
Diff to previous 1.311 (colored)

Send a RST when an invalid packet matches a TCP state during the
handshake. Solves the issues with the "ACK+1000000 cookie scheme",
which depends on RFC 763 (p39, Reset Generation, 2. non-synchronized
state, "reset is sent"). ok henning@, camield@ and (I guess ;)
frantzen@

Revision 1.311 / (download) - annotate - [select for diffs], Sat Jan 25 22:48:45 2003 UTC (21 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.310: +9 -4 lines
Diff to previous 1.310 (colored)

Fix the behaviour of rdr rules which redirect to a range of ports;
Stop overloading PF_OP_RRG as a flag where it doesn't make sense, and
make the port mapping more flexible, allowing mapping a destination port range
of one size to another of a different size.

Fixes and additional testing courtesy of dhartmei@

ok dhartmei@

Revision 1.310 / (download) - annotate - [select for diffs], Fri Jan 24 15:55:36 2003 UTC (21 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.309: +14 -25 lines
Diff to previous 1.309 (colored)

Sigh, pf_pull_hdr (aka pf_pull_hair) doesn't do an m_pullup, it merely
copies the data to the specified buffer. So, for TCP options, provide
a sufficiently large buffer and copy to there.

Revision 1.309 / (download) - annotate - [select for diffs], Fri Jan 24 15:05:31 2003 UTC (21 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.308: +18 -6 lines
Diff to previous 1.308 (colored)

Move the mbuf pullup for TCP options to the beginning of TCP handling,
doing it later can invalidate pointers to mbuf data. This fixes subtle
breakage just introduced (with 1.306).

Revision 1.308 / (download) - annotate - [select for diffs], Fri Jan 24 11:30:00 2003 UTC (21 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.307: +25 -14 lines
Diff to previous 1.307 (colored)

Fix wscale support, the first version didn't really work right.
Interestingly, our own stack uses wscale 1 quite regularly, and I now
suspect that this is what caused most of the state failures I've seen.
They were quite rare, but with working wscale support, they are reduced
even more. ok henning@

Revision 1.307 / (download) - annotate - [select for diffs], Thu Jan 23 13:36:17 2003 UTC (21 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.306: +7 -4 lines
Diff to previous 1.306 (colored)

Fix a bug where the kernel crashes when translating IPv6 ICMP packets.
This only happens when using nat/rdr/binat on IPv6 connections, which
hasn't been used before, obviously. But it does work now.
Reported and confirmed by evilted@efnet, ok mcbride@

Revision 1.306 / (download) - annotate - [select for diffs], Tue Jan 21 22:23:49 2003 UTC (21 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.305: +59 -6 lines
Diff to previous 1.305 (colored)

Support for TCP window scaling (RFC 1323). ok frantzen@

Revision 1.305 / (download) - annotate - [select for diffs], Sun Jan 19 13:52:18 2003 UTC (21 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.304: +6 -6 lines
Diff to previous 1.304 (colored)

format string fixes
inspired by Thorsten Glaser via fries@

ok theo

Revision 1.304 / (download) - annotate - [select for diffs], Sat Jan 18 06:31:59 2003 UTC (21 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.303: +2 -2 lines
Diff to previous 1.303 (colored)

Argh! KNF.

pointed out in advance by dhartmei@

Revision 1.303 / (download) - annotate - [select for diffs], Sat Jan 18 05:07:45 2003 UTC (21 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.302: +12 -17 lines
Diff to previous 1.302 (colored)

Make nat behave the way it used to by copying back the random source port
correctly. Also remove some extra cruft in pf_get_sport related to the
"static-port" behaviour.

bug report from mpech@ and form@
testing cedric@
"looks sane to me" henning@
ok dhartmei@

Revision 1.302 / (download) - annotate - [select for diffs], Thu Jan 9 15:58:35 2003 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.301: +29 -23 lines
Diff to previous 1.301 (colored)

(whitespace) KNF, re-fold -w 80

Revision 1.301 / (download) - annotate - [select for diffs], Thu Jan 9 10:40:44 2003 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.300: +10 -1 lines
Diff to previous 1.300 (colored)

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@

Revision 1.300 / (download) - annotate - [select for diffs], Tue Jan 7 00:21:07 2003 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.299: +52 -90 lines
Diff to previous 1.299 (colored)

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@

Revision 1.299 / (download) - annotate - [select for diffs], Mon Jan 6 10:08:36 2003 UTC (21 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.298: +2 -2 lines
Diff to previous 1.298 (colored)

knf

Revision 1.298 / (download) - annotate - [select for diffs], Sun Jan 5 22:14:23 2003 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.297: +91 -82 lines
Diff to previous 1.297 (colored)

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@

Revision 1.297 / (download) - annotate - [select for diffs], Sat Jan 4 17:40:51 2003 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.296: +35 -23 lines
Diff to previous 1.296 (colored)

move noroute from flag in pf_rule_addr into type in pf_addr_wrap.
ok henning@, mcbride@

Revision 1.296 / (download) - annotate - [select for diffs], Sat Jan 4 16:35:00 2003 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.295: +7 -7 lines
Diff to previous 1.295 (colored)

Honour noroute in skip step calculation, found by cedric@

Revision 1.295 / (download) - annotate - [select for diffs], Fri Jan 3 19:31:43 2003 UTC (21 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.294: +13 -12 lines
Diff to previous 1.294 (colored)

KNF

Revision 1.294 / (download) - annotate - [select for diffs], Thu Jan 2 01:56:56 2003 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.293: +27 -49 lines
Diff to previous 1.293 (colored)

When route-to/reply-to is used in combination with address translation,
pf_test() may be called twice for the same packet. In this case, make
sure the translation is only applied in the second call. This solves
the problem with state insert failures where the second pf_test() call
tried to insert another state entry after the first call's translation.
ok henning@, mcbride@, thanks to Joe Nall for additional testing.

Revision 1.293 / (download) - annotate - [select for diffs], Wed Jan 1 16:09:29 2003 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.292: +2 -2 lines
Diff to previous 1.292 (colored)

use a #define for the default state table size

Revision 1.292 / (download) - annotate - [select for diffs], Wed Jan 1 04:26:19 2003 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.291: +6 -19 lines
Diff to previous 1.291 (colored)

Remove skip step for action (scrub vs. non-scrub), as scrub rules are
stored in a separate list now. Regress tests still pass after
sed "s/ a=end / /g", other skip steps are not affected.

Revision 1.291 / (download) - annotate - [select for diffs], Wed Jan 1 03:53:22 2003 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.290: +4 -6 lines
Diff to previous 1.290 (colored)

Fix breakage from PF_RULESET_MAX increase, regress tests match again.

Revision 1.290 / (download) - annotate - [select for diffs], Tue Dec 31 19:18:41 2002 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.289: +16 -16 lines
Diff to previous 1.289 (colored)

Split scrub rules out from the filter rules in the kernel.
Precursor to removing rule.action from skip steps.

Also a couple of other small fixes:
- s/PF_RULESET_RULE/PF_RULESET_FILTER/
- replacement of 4 with PF_RULESET_MAX in pfvar.h struct ruleset {
- error handling in ioctl of an invalid value in rule.action
- counting evaluations and matching packets for scrub rules

ok henning@ dhartmei@

Revision 1.289 / (download) - annotate - [select for diffs], Tue Dec 31 00:00:44 2002 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.288: +2 -2 lines
Diff to previous 1.288 (colored)

Use a default state table limit of 10000 entries. This is safe for all
normal configurations, and sufficient for many. You can always increase
it, if you need more concurrent states and have enough memory (65000 for
64MB RAM, for instance). Suggested earlier by henning@. ok mcbride@

Revision 1.288 / (download) - annotate - [select for diffs], Sun Dec 29 20:07:34 2002 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.287: +20 -9 lines
Diff to previous 1.287 (colored)

Add support for radix tables for source and destination of PF rules.
ok dhartmei@, mcbride@, henning@

Revision 1.287 / (download) - annotate - [select for diffs], Fri Dec 27 21:43:58 2002 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.286: +6 -10 lines
Diff to previous 1.286 (colored)

Fixups for pf_route and pf_route6.
- pull the route-to ifp from the current pf_pooladdr (not the last one)
  with stateful rules
- remove unnecessary PF_ACPY and PF_AZERO

ok dhartmei@ on pf_route version, pf_route6 is the same.

Revision 1.286 / (download) - annotate - [select for diffs], Fri Dec 27 16:55:15 2002 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.285: +9 -7 lines
Diff to previous 1.285 (colored)

Handle binat-anchor rules in pf_match_translation(), they don't have a
redirection target address. Reported by Michael Lucas. ok mcbride@

Revision 1.285 / (download) - annotate - [select for diffs], Fri Dec 27 15:20:30 2002 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.284: +6 -2 lines
Diff to previous 1.284 (colored)

Initialize rt_ifp in newly allocated pf_state objects to NULL.
Solves the crashes in pf_route() with -current.
Reports from Michael Lucas and Bjorn Runaker.

Revision 1.284 / (download) - annotate - [select for diffs], Thu Dec 26 16:21:37 2002 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.283: +2 -2 lines
Diff to previous 1.283 (colored)

Prettier debug printing in pf_map_addr.

Revision 1.283 / (download) - annotate - [select for diffs], Thu Dec 26 15:51:51 2002 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.282: +69 -70 lines
Diff to previous 1.282 (colored)

Additional sanity checks for pf_route(). Please report when any of these
panics should occur. ok mcbride@

Revision 1.282 / (download) - annotate - [select for diffs], Mon Dec 23 13:15:18 2002 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.281: +2 -2 lines
Diff to previous 1.281 (colored)

Change from array to single pf_pabuf (no longer need multiple buffers as
we don't need the second list of addresses for DIOCCHANGE* operations)

Also get rid of a bug where DIOCBEGINADDRS clears pabuf[1] when pabuf[0]
is the one being used.

ok henning@ dhartmei@

Revision 1.281 / (download) - annotate - [select for diffs], Sun Dec 22 02:37:58 2002 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.280: +21 -14 lines
Diff to previous 1.280 (colored)

Handle rdr rules with unspecified proxy ports correctly. Also don't
print the port number in pf_print_host if it's 0 (like when
pf_print_host is called from pf_map_addr)

ok dhartmei@

Revision 1.280 / (download) - annotate - [select for diffs], Thu Dec 19 12:46:06 2002 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.279: +56 -57 lines
Diff to previous 1.279 (colored)

Replace skip step calculation so it scales O(n) instead of O(n*n).
Loading large rulesets consists of two phases. First, the rules are
parsed and added, one by one, to the inactive ruleset. The machine
remains responsive during that phase. Then, the new ruleset is
activated, and the skip steps are calculated. The machine locks up
during that phase. This second phase is greatly reduced with the new
algorithm. With the old one, calculation could take 30s for 12k rules,
with the new one, 100k rules take less than 1s. For small rulesets
(less than 1000 rules), the gain is insignificant.

ok mcbride@, henning@

Revision 1.279 / (download) - annotate - [select for diffs], Thu Dec 19 11:05:11 2002 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.278: +5 -4 lines
Diff to previous 1.278 (colored)

fix 'no nat/rdr/binat' evaluation. from mcbride@, slightly modified :)

Revision 1.278 / (download) - annotate - [select for diffs], Thu Dec 19 10:49:54 2002 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.277: +5 -5 lines
Diff to previous 1.277 (colored)

Initialize pf_state.nat_rule to NULL if there's no translation used.
Found by markus@

Revision 1.277 / (download) - annotate - [select for diffs], Wed Dec 18 19:40:41 2002 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.276: +39 -1 lines
Diff to previous 1.276 (colored)

Store translation rule pointer in state entries, so pfctl -vsn can print
evaluation, packet, byte and state entry counters similar to -vsr. Helps
verify whether/how often translation rules are evaluated/matched.
ok frantzen@, henning@

Revision 1.276 / (download) - annotate - [select for diffs], Wed Dec 18 18:35:30 2002 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.275: +7 -7 lines
Diff to previous 1.275 (colored)

When logging packets matched by rules within anchors, use the anchor rule
(in the main set) number, not the number of the rule within the anchor.
Eventually, both will get logged. But as long as we only log one number,
this makes more sense.

Revision 1.275 / (download) - annotate - [select for diffs], Wed Dec 18 16:59:47 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.274: +198 -194 lines
Diff to previous 1.274 (colored)

big KNF round

Revision 1.274 / (download) - annotate - [select for diffs], Wed Dec 18 16:28:40 2002 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.273: +51 -51 lines
Diff to previous 1.273 (colored)

Pass skip step values through ioctl interface, pfctl -vvsr shows them,
main purpose is making them regress-testable.

Revision 1.273 / (download) - annotate - [select for diffs], Wed Dec 18 16:03:25 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.272: +2 -2 lines
Diff to previous 1.272 (colored)

KNF

Revision 1.272 / (download) - annotate - [select for diffs], Wed Dec 18 14:41:37 2002 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.271: +2 -2 lines
Diff to previous 1.271 (colored)

Match the rule protocol against the actual protocol of the packet, not just
tcp. A silly copy/paste error by yours truly located by deraadt@

Revision 1.271 / (download) - annotate - [select for diffs], Tue Dec 17 12:30:13 2002 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.270: +235 -425 lines
Diff to previous 1.270 (colored)

Merge pf_nat/pf_binat/pf_rdr structs into pf_rule. Simplifies code, allows
skip steps on translation rules.

Also:
- Require a ticket for DIOCCHANGERULE operations to prevent races.
- Remove pf_compare_* functions from pf_ioctl.c. DIOCCHANGE* operations
  use a rule number, and comparisons happen in userland.

Testing and fixes from dhartmei@ and frantzen@

ok dhartmei@ henning@

Revision 1.270 / (download) - annotate - [select for diffs], Fri Dec 13 21:48:30 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.269: +5 -2 lines
Diff to previous 1.269 (colored)

add pqueue and pqid to pf_rule.
this allows for a second queue on pf_rule.
assign packets with tos 0x10 (lowdelay) to this one.
if the second queue isn't specified set pqid = qid

idea dhartmei@
ok dhartmei@ frantzen@ deraadt@

Revision 1.269 / (download) - annotate - [select for diffs], Fri Dec 6 00:47:32 2002 UTC (21 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.268: +293 -137 lines
Diff to previous 1.268 (colored)

Introduce anchors and named rule sets, allowing additional rule sets to be
loaded with pfctl and evaluated from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@

Revision 1.268 / (download) - annotate - [select for diffs], Tue Dec 3 15:52:33 2002 UTC (21 years, 6 months ago) by mickey
Branch: MAIN
Changes since 1.267: +3 -3 lines
Diff to previous 1.267 (colored)

no need to mh_align (while it's wrong), cleaner mtu setting; dhartmei@ ok

Revision 1.267 / (download) - annotate - [select for diffs], Sun Dec 1 19:54:32 2002 UTC (21 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.266: +2 -2 lines
Diff to previous 1.266 (colored)

- Clean up pf_ioctl mainly by adding new functions to handle cleaning and
  freeing rules. Fixes a number of potential memory leaks and other bugs.
- Add new pool_ticket to ensure that address pools don't get messed
  with by someone else while we add rules.
- Add a second address pool buffer, so that DIOCCHANGE* operations which use
  pf_compare* will work correctly.

Excellent bug report and analysis from DJ Gregor.

ok dhartmei@ henning@

Revision 1.266 / (download) - annotate - [select for diffs], Sun Dec 1 01:20:02 2002 UTC (21 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.265: +3 -3 lines
Diff to previous 1.265 (colored)

pfsync currently causes kernel faults, so we don't want to call these functions

ok dhartmei@

Revision 1.265 / (download) - annotate - [select for diffs], Fri Nov 29 18:25:22 2002 UTC (21 years, 6 months ago) by mickey
Branch: MAIN
Changes since 1.264: +10 -2 lines
Diff to previous 1.264 (colored)

expose state table changes

Revision 1.264 / (download) - annotate - [select for diffs], Thu Nov 28 12:07:37 2002 UTC (21 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.263: +62 -27 lines
Diff to previous 1.263 (colored)

- MD5 too slow, replace with pf_hash (based on hash from if_bridge.c)
- Always fold the key in

Many fixes & suggestions from camield@

ok mickey@ camield@ henning@

Revision 1.263 / (download) - annotate - [select for diffs], Sun Nov 24 22:45:48 2002 UTC (21 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.262: +2 -2 lines
Diff to previous 1.262 (colored)

move } outside #ifdef INET6

unbreaks compiling kernel without IPv6 support.
how embarrassing, spotted by Chris Kuethe

Revision 1.262 / (download) - annotate - [select for diffs], Sat Nov 23 09:37:01 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.261: +54 -55 lines
Diff to previous 1.261 (colored)

KNF

Revision 1.261 / (download) - annotate - [select for diffs], Sat Nov 23 05:48:01 2002 UTC (21 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.260: +2 -2 lines
Diff to previous 1.260 (colored)

pass a pointer to the hash, not the first chunk of it

Revision 1.260 / (download) - annotate - [select for diffs], Sat Nov 23 05:16:58 2002 UTC (21 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.259: +390 -155 lines
Diff to previous 1.259 (colored)

kernel code to allow multiple redirection addresses to be specified for nat
and rdr, as well as route-to, dup-to and reply-to.

Addresses can be allocated in a number of ways:
- masking out the network portion of the address and replacing it
- randomly assigning an address in the block
- hashing the source address and a key to determine the redirection address
- iterating through the addresses sequentially (this is the only allocation
  scheme which works when a list of addresses is specified)

ok dhartmei@ henning@

Revision 1.259 / (download) - annotate - [select for diffs], Fri Nov 22 09:54:35 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.258: +46 -11 lines
Diff to previous 1.258 (colored)

on block rules, let queue apply to the RST packets in the return-rst case
and the returned icmp packets in the return-icmp case

ok dhartmei@

Revision 1.258 / (download) - annotate - [select for diffs], Tue Oct 29 19:51:04 2002 UTC (21 years, 7 months ago) by mickey
Branch: MAIN
Changes since 1.257: +4 -65 lines
Diff to previous 1.257 (colored)

keep all pflog goodies in pflog sources, avoids code duplications; okski frantzen@ and dhartmei@

Revision 1.180.2.3 / (download) - annotate - [select for diffs], Tue Oct 29 00:36:46 2002 UTC (21 years, 7 months ago) by art
Branch: UBC
Changes since 1.180.2.2: +397 -405 lines
Diff to previous 1.180.2.2 (colored) to branchpoint 1.180 (colored)

sync to -current

Revision 1.257 / (download) - annotate - [select for diffs], Tue Oct 22 12:23:35 2002 UTC (21 years, 7 months ago) by mcbride
Branch: MAIN
CVS Tags: UBC_SYNC_B
Changes since 1.256: +43 -37 lines
Diff to previous 1.256 (colored)

Convert "int af" and "u_int8_t af" declarations and function arguments
to the more correct and descriptive "sa_family_t af"

ok dhartmei@ henning@

Revision 1.256 / (download) - annotate - [select for diffs], Sun Oct 20 13:08:29 2002 UTC (21 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.255: +1 -132 lines
Diff to previous 1.255 (colored)

Move pf_compare_(rules|nats|binats|rdrs) to pf_ioctl.c. Simplifies and
reduces cross-file dependencies.

ok dhartmei@ ish@ henning@

Revision 1.255 / (download) - annotate - [select for diffs], Mon Oct 14 12:58:27 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.254: +87 -40 lines
Diff to previous 1.254 (colored)

Allow one to specify a netblock in a binat rule:

binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27

Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.

from ryan

ok dhartmei@

Revision 1.254 / (download) - annotate - [select for diffs], Tue Oct 8 05:12:08 2002 UTC (21 years, 8 months ago) by kjc
Branch: MAIN
Changes since 1.253: +28 -1 lines
Diff to previous 1.253 (colored)

the first step of pf/altq merge.
this commit is to allow further development in both userland and kernel.

the goal is to replace altq's classifier by pf(4).
- make pf tag a queue id to mbuf and make altq read the queue id
- merge altq config into pf.conf(5)

ok dhartmei@, henning@

Revision 1.253 / (download) - annotate - [select for diffs], Mon Oct 7 14:53:00 2002 UTC (21 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.252: +8 -7 lines
Diff to previous 1.252 (colored)

-Wsign-compare clean

Revision 1.252 / (download) - annotate - [select for diffs], Mon Oct 7 13:23:45 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.251: +0 -0 lines
Diff to previous 1.251 (colored)

set block-policy [drop|return]
drop is default, same behaviour as before

support
block drop
to override a return policy

Revision 1.251 / (download) - annotate - [select for diffs], Mon Oct 7 13:18:40 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.250: +6 -3 lines
Diff to previous 1.250 (colored)

support a generic return
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else

ok dhartmei@

Revision 1.250 / (download) - annotate - [select for diffs], Mon Oct 7 13:15:02 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.249: +9 -2 lines
Diff to previous 1.249 (colored)

make return-icmp work for rules covering both v4 and v6
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)

ok and some input dhartmei@

Revision 1.249 / (download) - annotate - [select for diffs], Mon Oct 7 12:59:54 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.248: +8 -6 lines
Diff to previous 1.248 (colored)

use a new rule_flag PFRULE_RETURNICMP to decide whether to return-icmp or not
instead of just testing return_icmp > 0

ok dhartmei@

Revision 1.248 / (download) - annotate - [select for diffs], Mon Oct 7 12:39:29 2002 UTC (21 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.247: +3 -3 lines
Diff to previous 1.247 (colored)

Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.

Revision 1.247 / (download) - annotate - [select for diffs], Sat Oct 5 21:17:57 2002 UTC (21 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.246: +14 -1 lines
Diff to previous 1.246 (colored)

Allow filtering based on IP header's tos field.

Revision 1.246 / (download) - annotate - [select for diffs], Fri Oct 4 17:45:55 2002 UTC (21 years, 8 months ago) by ish
Branch: MAIN
Changes since 1.245: +11 -9 lines
Diff to previous 1.245 (colored)

[to the right branch this time]
To detect routing loops use the actual outgoing interface and not the
interface that the rule is to apply to (as there may not be one).
- noticed by mcbride@countersiege.com
- ok dhartmei@, henning@

Revision 1.201.2.1 / (download) - annotate - [select for diffs], Mon Sep 30 18:30:51 2002 UTC (21 years, 8 months ago) by jason
Branch: OPENBSD_3_1
Changes since 1.201: +2 -2 lines
Diff to previous 1.201 (colored) next main 1.202 (colored)

Pull in patch from current:
Fix (henning):
daddr was used where saddr was meant while checking incoming udp packets for
binat.
pointed out by Ryan McBride, mcbride at countersiege dot com, Thanks!

Revision 1.163.2.5 / (download) - annotate - [select for diffs], Mon Sep 30 18:11:13 2002 UTC (21 years, 8 months ago) by miod
Branch: OPENBSD_3_0
Changes since 1.163.2.4: +2 -2 lines
Diff to previous 1.163.2.4 (colored) to branchpoint 1.163 (colored) next main 1.164 (colored)

MFC (henning@):
daddr was used where saddr was meant while checking incoming udp packets for
binat.
pointed out by Ryan McBride, mcbride at countersiege dot com, Thanks!

ok frantzen@ pb@ jasoni@ deraadt@

Revision 1.245 / (download) - annotate - [select for diffs], Fri Sep 27 17:57:53 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_3_2_BASE, OPENBSD_3_2
Changes since 1.244: +2 -2 lines
Diff to previous 1.244 (colored)

daddr was used where saddr was meant while checking incoming packets for
binat.
pointed out by Ryan McBride, mcbride at countersiege dot com, Thanks!

ok frantzen@ pb@ jasoni@ deraadt@

Revision 1.244 / (download) - annotate - [select for diffs], Wed Sep 11 05:38:47 2002 UTC (21 years, 9 months ago) by itojun
Branch: MAIN
Changes since 1.243: +2 -2 lines
Diff to previous 1.243 (colored)

KNF - return is not a function.

Revision 1.243 / (download) - annotate - [select for diffs], Wed Aug 28 15:43:02 2002 UTC (21 years, 9 months ago) by pefo
Branch: MAIN
Changes since 1.242: +3 -2 lines
Diff to previous 1.242 (colored)

Fix a problem where passing NULL as a pointer with varargs does not promote
NULL to full 64 bits on a 64 bit address system. Solution is to add a
(void *) cast before NULL. This makes a 64 bit MIPS kernel work and will
probably help future 64 bit ports as well.

OK from art@

Revision 1.242 / (download) - annotate - [select for diffs], Mon Aug 12 16:41:25 2002 UTC (21 years, 10 months ago) by dhartmei
Branch: MAIN
Changes since 1.241: +39 -103 lines
Diff to previous 1.241 (colored)

Use state tree instead of separate (flat) list to find NAT proxy ports,
allows to use the same proxy port with different external peers.
From Ryan McBride

Revision 1.241 / (download) - annotate - [select for diffs], Thu Aug 8 14:31:51 2002 UTC (21 years, 10 months ago) by dhartmei
Branch: MAIN
Changes since 1.240: +3 -3 lines
Diff to previous 1.240 (colored)

th_flags doesn't have to be equal to TH_SYN to generate modulator, it's
sufficient if TH_SYN is set and TH_ACK is unset, ignore TH_ECN etc.
ok frantzen@

Revision 1.240 / (download) - annotate - [select for diffs], Wed Jul 24 17:56:03 2002 UTC (21 years, 10 months ago) by dhartmei
Branch: MAIN
Changes since 1.239: +9 -9 lines
Diff to previous 1.239 (colored)

Use host order when adding packet size to interface statistics counter.
Only affects pfctl -si output for IPv6. And some whitespace KNF.

Revision 1.239 / (download) - annotate - [select for diffs], Mon Jul 15 18:07:17 2002 UTC (21 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.238: +15 -7 lines
Diff to previous 1.238 (colored)

add u_int8_t ifnot to struct pf_rule to support matching packets on any
interface except the given one. adjust the pf_test_* functions and
pf_skip_step accordingly.

ok dhartmei@

Revision 1.238 / (download) - annotate - [select for diffs], Mon Jul 15 17:52:44 2002 UTC (21 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.237: +1 -3 lines
Diff to previous 1.237 (colored)

remove duplicated interface check in test_icmp

ok dhartmei@

Revision 1.237 / (download) - annotate - [select for diffs], Fri Jul 12 15:52:26 2002 UTC (21 years, 11 months ago) by art
Branch: MAIN
Changes since 1.236: +1 -4 lines
Diff to previous 1.236 (colored)

Remove duplicate function declarations (they are in pfvar.h).

Revision 1.236 / (download) - annotate - [select for diffs], Wed Jul 10 22:17:58 2002 UTC (21 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.235: +8 -5 lines
Diff to previous 1.235 (colored)

let IPv6 fragment go through based on normal rulesets.
TODO: sort-of normalization against fragments for inspection
ok dhartmei@

Revision 1.235 / (download) - annotate - [select for diffs], Fri Jun 14 21:35:00 2002 UTC (22 years ago) by todd
Branch: MAIN
Changes since 1.234: +3 -3 lines
Diff to previous 1.234 (colored)

spelling; from Brian Poole <raj@cerias.purdue.edu>

Revision 1.180.2.2 / (download) - annotate - [select for diffs], Tue Jun 11 03:30:45 2002 UTC (22 years ago) by art
Branch: UBC
Changes since 1.180.2.1: +875 -1936 lines
Diff to previous 1.180.2.1 (colored) to branchpoint 1.180 (colored)

Sync UBC branch to -current

Revision 1.234 / (download) - annotate - [select for diffs], Tue Jun 11 02:42:27 2002 UTC (22 years ago) by frantzen
Branch: MAIN
Changes since 1.233: +15 -15 lines
Diff to previous 1.233 (colored)

enumerate UDP and OTHER state levels (similar to tcp_fsm.h)
ok dhartmei@, henning@

Revision 1.233 / (download) - annotate - [select for diffs], Tue Jun 11 02:12:37 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.232: +28 -9 lines
Diff to previous 1.232 (colored)

Make NAT proxy port range configurable per rule, for instance privileged
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@

Revision 1.232 / (download) - annotate - [select for diffs], Tue Jun 11 02:02:21 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.231: +39 -8 lines
Diff to previous 1.231 (colored)

Don't panic when pf_insert_state() detects an attempt to insert a
duplicate key. Instead, log according to log level and return gracefully.
ok frantzen@

Revision 1.231 / (download) - annotate - [select for diffs], Tue Jun 11 01:58:31 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.230: +27 -27 lines
Diff to previous 1.230 (colored)

KNF return x -> return (x), ok frantzen@

Revision 1.230 / (download) - annotate - [select for diffs], Mon Jun 10 19:31:44 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.229: +17 -8 lines
Diff to previous 1.229 (colored)

Allow ports to be specified in nat rules, useful later on for individual
proxy port ranges.

Revision 1.229 / (download) - annotate - [select for diffs], Mon Jun 10 17:05:10 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.228: +1 -2 lines
Diff to previous 1.228 (colored)

Don't #include <sys/malloc.h>

Revision 1.228 / (download) - annotate - [select for diffs], Sun Jun 9 20:20:58 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.227: +21 -15 lines
Diff to previous 1.227 (colored)

Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it
includes ports and operator.

Revision 1.227 / (download) - annotate - [select for diffs], Sun Jun 9 10:55:59 2002 UTC (22 years ago) by pb
Branch: MAIN
Changes since 1.226: +8 -5 lines
Diff to previous 1.226 (colored)

reapply patch from jasoni@ for ICMP6_PACKET_TOO_BIG

both have been lost, due to diff thinking about reversing those
lines after merge

tested

Revision 1.226 / (download) - annotate - [select for diffs], Sun Jun 9 10:52:38 2002 UTC (22 years ago) by pb
Branch: MAIN
Changes since 1.225: +13 -8 lines
Diff to previous 1.225 (colored)

reapply patch from jasoni@ for pf_route[6]

Revision 1.225 / (download) - annotate - [select for diffs], Sun Jun 9 08:53:08 2002 UTC (22 years ago) by pb
Branch: MAIN
Changes since 1.224: +18 -1449 lines
Diff to previous 1.224 (colored)

split ioctl functions out of pf.c into pf_ioctl.c

frantzen@, dhartmei@ ok, tested kernel & userland.

checked for colliding commits

Revision 1.224 / (download) - annotate - [select for diffs], Sun Jun 9 04:44:34 2002 UTC (22 years ago) by pb
Branch: MAIN
Changes since 1.223: +1434 -11 lines
Diff to previous 1.223 (colored)

uncommit, broken (by corrupt diff)

Revision 1.223 / (download) - annotate - [select for diffs], Sun Jun 9 03:57:18 2002 UTC (22 years ago) by pb
Branch: MAIN
Changes since 1.222: +11 -1434 lines
Diff to previous 1.222 (colored)

new file sys/net/pf_ioctl.c

functions moved from pf.c to there

ok dhartmei@, frantzen@

testing myself + henning@, kernel & userland utils fine

Revision 1.222 / (download) - annotate - [select for diffs], Sun Jun 9 01:49:42 2002 UTC (22 years ago) by jasoni
Branch: MAIN
Changes since 1.221: +8 -5 lines
Diff to previous 1.221 (colored)

increment ifs6_in_toobig if ipv6 packet too large for interface in
pf_route6().

Revision 1.221 / (download) - annotate - [select for diffs], Sun Jun 9 01:44:31 2002 UTC (22 years ago) by jasoni
Branch: MAIN
Changes since 1.220: +13 -8 lines
Diff to previous 1.220 (colored)

in pf_route{6}, if too large for outgoing interface and not allowed to
fragment, send the proper icmp error.
- ok frantzen@

Revision 1.220 / (download) - annotate - [select for diffs], Sat Jun 8 07:58:06 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.219: +27 -16 lines
Diff to previous 1.219 (colored)

Make state timeouts configurable per rule, like

  pass in from any to any port www keep state (tcp.established 60)

ok frantzen@

Revision 1.219 / (download) - annotate - [select for diffs], Fri Jun 7 22:53:37 2002 UTC (22 years ago) by pb
Branch: MAIN
Changes since 1.218: +12 -6 lines
Diff to previous 1.218 (colored)

add the possibility to configure a TTL while return-rst

ok dhartmei@, ipv6 part itojun@ ok

Revision 1.218 / (download) - annotate - [select for diffs], Fri Jun 7 21:46:08 2002 UTC (22 years ago) by jasoni
Branch: MAIN
Changes since 1.217: +27 -21 lines
Diff to previous 1.217 (colored)

in pf_route{6}, do not pass thru pf_test again if the outgoing
interface has not changed
- ok dhartmei@

Revision 1.217 / (download) - annotate - [select for diffs], Fri Jun 7 21:25:35 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.216: +27 -11 lines
Diff to previous 1.216 (colored)

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@

Revision 1.216 / (download) - annotate - [select for diffs], Fri Jun 7 21:14:02 2002 UTC (22 years ago) by frantzen
Branch: MAIN
Changes since 1.215: +166 -389 lines
Diff to previous 1.215 (colored)

switch from AVL trees to herr Provos' red-black trees
with suggestions from provos@
ok dhartmei@

Revision 1.215 / (download) - annotate - [select for diffs], Fri Jun 7 20:59:20 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.214: +30 -1 lines
Diff to previous 1.214 (colored)

Call pf_test() from pf_route() to filter (and translate) routed packets,
too. Use mbuf tag to prevent loops. Suggested by Darren Reed. ok frantzen@

Revision 1.214 / (download) - annotate - [select for diffs], Fri Jun 7 18:45:59 2002 UTC (22 years ago) by pb
Branch: MAIN
Changes since 1.213: +2 -2 lines
Diff to previous 1.213 (colored)

sync behaviour about DF bit between ip_output()/tcp_response()
and pf_send_reset() while sending a RST

ok dhartmei@, itojun@, frantzen@

Revision 1.213 / (download) - annotate - [select for diffs], Sat Jun 1 04:06:47 2002 UTC (22 years ago) by hugh
Branch: MAIN
Changes since 1.212: +5 -1 lines
Diff to previous 1.212 (colored)

ECN flag support for pf. Committed in consultation with Daniel.

Revision 1.212 / (download) - annotate - [select for diffs], Fri May 31 20:58:25 2002 UTC (22 years ago) by itojun
Branch: MAIN
Changes since 1.211: +2 -2 lines
Diff to previous 1.211 (colored)

respect rmx_mtu (cached PMTUD result) on outbound.  deraadt/angelos ok

Revision 1.211 / (download) - annotate - [select for diffs], Fri May 31 19:45:17 2002 UTC (22 years ago) by deraadt
Branch: MAIN
Changes since 1.210: +2 -2 lines
Diff to previous 1.210 (colored)

KNF

Revision 1.210 / (download) - annotate - [select for diffs], Tue May 28 17:28:14 2002 UTC (22 years ago) by jasoni
Branch: MAIN
Changes since 1.209: +18 -101 lines
Diff to previous 1.209 (colored)

remove duplicated fragmentation code in favour of ip_fragment()..
- ok dhartmei@

Revision 1.209 / (download) - annotate - [select for diffs], Sun May 19 22:31:28 2002 UTC (22 years ago) by deraadt
Branch: MAIN
Changes since 1.208: +3 -3 lines
Diff to previous 1.208 (colored)

KNF again

Revision 1.208 / (download) - annotate - [select for diffs], Sun May 12 02:21:14 2002 UTC (22 years, 1 month ago) by itojun
Branch: MAIN
Changes since 1.207: +13 -16 lines
Diff to previous 1.207 (colored)

correct AH header chasing.  ok dhartmei@openbsd

Revision 1.207 / (download) - annotate - [select for diffs], Sun May 12 00:54:56 2002 UTC (22 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.206: +38 -27 lines
Diff to previous 1.206 (colored)

Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.

Revision 1.206 / (download) - annotate - [select for diffs], Thu May 9 19:58:42 2002 UTC (22 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.205: +96 -6 lines
Diff to previous 1.205 (colored)

Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.

Revision 1.205 / (download) - annotate - [select for diffs], Sun May 5 21:40:22 2002 UTC (22 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.204: +33 -25 lines
Diff to previous 1.204 (colored)

Instead of returning a useless kernel space pointer for the rule that
created the state from DIOCGETSTATE(S), return the integer rule number.
Print rule number (if existent) from pfctl -vss. Suggested by Jeff Nathan.

Revision 1.204 / (download) - annotate - [select for diffs], Wed Apr 24 18:10:25 2002 UTC (22 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.203: +330 -68 lines
Diff to previous 1.203 (colored)

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).

Revision 1.203 / (download) - annotate - [select for diffs], Tue Apr 23 14:32:22 2002 UTC (22 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.202: +78 -1 lines
Diff to previous 1.202 (colored)

Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.

Revision 1.202 / (download) - annotate - [select for diffs], Sat Apr 20 10:13:57 2002 UTC (22 years, 1 month ago) by fgsch
Branch: MAIN
Changes since 1.201: +2 -2 lines
Diff to previous 1.201 (colored)

All calls to pool_get(9) should use PR_xx flags, not M_xx.
millert dhartmei ok.

Revision 1.201 / (download) - annotate - [select for diffs], Mon Apr 8 17:49:43 2002 UTC (22 years, 2 months ago) by jason
Branch: MAIN
CVS Tags: OPENBSD_3_1_BASE
Branch point for: OPENBSD_3_1
Changes since 1.200: +5 -1 lines
Diff to previous 1.200 (colored)

Credit DARPA/USAF appropriately.

Revision 1.200 / (download) - annotate - [select for diffs], Sun Mar 31 13:02:08 2002 UTC (22 years, 2 months ago) by dhartmei
Branch: MAIN
Changes since 1.199: +2 -2 lines
Diff to previous 1.199 (colored)

Use ip_defttl as ttl for return-rst instead of an arbitrary hardcoded
value (128). This matches the stack's default setting and honours
sysctl net.inet.ip.ttl, making RSTs generated by pf harder to
distinguish from RSTs sent by the real destination.

Revision 1.199 / (download) - annotate - [select for diffs], Sat Mar 30 06:21:00 2002 UTC (22 years, 2 months ago) by dhartmei
Branch: MAIN
Changes since 1.198: +3 -2 lines
Diff to previous 1.198 (colored)

Initialize sequence number high limit from 1 to the real value with the
first packet. ok frantzen@

Revision 1.95.2.5 / (download) - annotate - [select for diffs], Thu Mar 28 14:57:37 2002 UTC (22 years, 2 months ago) by niklas
Branch: SMP
Changes since 1.95.2.4: +2 -2 lines
Diff to previous 1.95.2.4 (colored)

Merge in -current from roughly a week ago

Revision 1.198 / (download) - annotate - [select for diffs], Wed Mar 27 18:16:21 2002 UTC (22 years, 2 months ago) by mickey
Branch: MAIN
Changes since 1.197: +57 -9 lines
Diff to previous 1.197 (colored)

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok

Revision 1.197 / (download) - annotate - [select for diffs], Tue Mar 26 20:24:51 2002 UTC (22 years, 2 months ago) by dhartmei
Branch: MAIN
Changes since 1.196: +2 -1 lines
Diff to previous 1.196 (colored)

Change default logging level from none to urgent. Should never print
anything, and if it does, it should be reported.

Revision 1.196 / (download) - annotate - [select for diffs], Mon Mar 25 23:33:13 2002 UTC (22 years, 2 months ago) by dhartmei
Branch: MAIN
Changes since 1.195: +17 -3 lines
Diff to previous 1.195 (colored)

Ignore 'keep state' for ICMP errors whose inner headers mismatch state
but are passed by rules. Found by Henning Brauer.

Revision 1.195 / (download) - annotate - [select for diffs], Mon Mar 25 22:03:01 2002 UTC (22 years, 2 months ago) by frantzen
Branch: MAIN
Changes since 1.194: +36 -1 lines
Diff to previous 1.194 (colored)

add ioctl DIOCKILLSTATES to shootdown a subset of the state table.  allows
discrimination on src/dst ips and netmask, src/dst port range and protocol.
ok dhartmei@

Revision 1.194 / (download) - annotate - [select for diffs], Fri Mar 8 11:32:52 2002 UTC (22 years, 3 months ago) by mpech
Branch: MAIN
Changes since 1.193: +3 -3 lines
Diff to previous 1.193 (colored)

Fix arc4random() usage; add more randomness to pf_get_sport().

dhartmei@, provos@ ok

Revision 1.95.2.4 / (download) - annotate - [select for diffs], Wed Mar 6 02:15:06 2002 UTC (22 years, 3 months ago) by niklas
Branch: SMP
Changes since 1.95.2.3: +499 -179 lines
Diff to previous 1.95.2.3 (colored)

Merge in trunk

Revision 1.193 / (download) - annotate - [select for diffs], Tue Feb 26 07:25:33 2002 UTC (22 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.192: +40 -2 lines
Diff to previous 1.192 (colored)

Add optional pool memory hard limits, mainly as temporary solution
until pool exhaustion causes problems no more.

Revision 1.192 / (download) - annotate - [select for diffs], Sat Feb 23 00:03:58 2002 UTC (22 years, 3 months ago) by art
Branch: MAIN
Changes since 1.191: +5 -5 lines
Diff to previous 1.191 (colored)

Pools that are only used in the ioctls can use the nointr allocator.

Revision 1.163.2.4 / (download) - annotate - [select for diffs], Thu Feb 21 04:23:24 2002 UTC (22 years, 3 months ago) by jason
Branch: OPENBSD_3_0
Changes since 1.163.2.3: +6 -2 lines
Diff to previous 1.163.2.3 (colored) to branchpoint 1.163 (colored)

Pull in patch from current:
Fix (dhartmei):
Don't reset pf_status.debug and .since on DIOCCLRSTATUS.
From Dries Schellekens. Closes PR 2227.

Revision 1.191 / (download) - annotate - [select for diffs], Sun Feb 17 21:48:05 2002 UTC (22 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.190: +26 -7 lines
Diff to previous 1.190 (colored)

Calculate IP checksum and copyback modified headers before logging a
packet. Closes PR2402. Note that checksums were only wrong in the
logged packet, packets that were passed got a valid checksum anyway.

Revision 1.190 / (download) - annotate - [select for diffs], Fri Feb 15 15:42:52 2002 UTC (22 years, 4 months ago) by art
Branch: MAIN
Changes since 1.189: +52 -51 lines
Diff to previous 1.189 (colored)

pf only uses seconds for time measuring. There is no need to call microtime
on every packet. Use time.tv_sec to get seconds. In the places where
it seemed to matter, make sure that time doesn't change under our feet.

And it's really unnecessary to do a test on every packet when the test will
only fire once every 10 seconds. That's a real waste of time, that's
what we have timeouts for.

ok frantzen@

Revision 1.189 / (download) - annotate - [select for diffs], Thu Feb 14 19:46:49 2002 UTC (22 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.188: +3 -3 lines
Diff to previous 1.188 (colored)

KNF

Revision 1.188 / (download) - annotate - [select for diffs], Thu Feb 14 15:32:11 2002 UTC (22 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.187: +26 -30 lines
Diff to previous 1.187 (colored)

Add skip steps for rule action (pass/block vs. scrub) and direction
(in vs. out). This speeds up rule set evaluation considerably, because
the rules set used to be linearly traversed (even twice) when looking
for scrub rules. Ok frantzen@, deraadt@

Revision 1.187 / (download) - annotate - [select for diffs], Mon Feb 11 16:22:48 2002 UTC (22 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.186: +1 -3 lines
Diff to previous 1.186 (colored)

Remove unused function prototype, from Jason Ish

Revision 1.186 / (download) - annotate - [select for diffs], Mon Feb 11 16:21:26 2002 UTC (22 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.185: +1 -5 lines
Diff to previous 1.185 (colored)

Remove ancient comment regarding memcmp(), from Jason Ish

Revision 1.180.2.1 / (download) - annotate - [select for diffs], Thu Jan 31 22:55:44 2002 UTC (22 years, 4 months ago) by niklas
Branch: UBC
Changes since 1.180: +80 -47 lines
Diff to previous 1.180 (colored)

Merge in -current, builds on i386, otherwise untested

Revision 1.185 / (download) - annotate - [select for diffs], Wed Jan 23 00:39:48 2002 UTC (22 years, 4 months ago) by art
Branch: MAIN
Changes since 1.184: +8 -9 lines
Diff to previous 1.184 (colored)

Pool deals fairly well with physical memory shortage, but it doesn't deal
well (not at all) with shortages of the vm_map where the pages are mapped
(usually kmem_map).

Try to deal with it:
 - group all information the backend allocator for a pool in a separate
   struct. The pool will only have a pointer to that struct.
 - change the pool_init API to reflect that.
 - link all pools allocating from the same allocator on a linked list.
 - Since an allocator is responsible to wait for physical memory it will
   only fail (waitok) when it runs out of its backing vm_map, carefully
   drain pools using the same allocator so that va space is freed.
   (see comments in code for caveats and details).
 - change pool_reclaim to return if it actually succeeded to free some
   memory, use that information to make draining easier and more efficient.
 - get rid of PR_URGENT, no one uses it.

Revision 1.184 / (download) - annotate - [select for diffs], Sat Jan 12 01:34:49 2002 UTC (22 years, 5 months ago) by jasoni
Branch: MAIN
Changes since 1.183: +27 -30 lines
Diff to previous 1.183 (colored)

- Only apply fastroute and route-to if we are going in the same
direction as the rule.
- ok dhartmei@

Revision 1.183 / (download) - annotate - [select for diffs], Wed Jan 9 11:30:53 2002 UTC (22 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.182: +13 -1 lines
Diff to previous 1.182 (colored)

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.

Revision 1.182 / (download) - annotate - [select for diffs], Tue Jan 8 09:31:55 2002 UTC (22 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.181: +16 -7 lines
Diff to previous 1.181 (colored)

Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.

Revision 1.181 / (download) - annotate - [select for diffs], Mon Dec 31 16:46:39 2001 UTC (22 years, 5 months ago) by mickey
Branch: MAIN
Changes since 1.180: +20 -4 lines
Diff to previous 1.180 (colored)

only require write mode for modifying ioctls; dhartmei@, frantzen@, deraadt@ ok

Revision 1.180 / (download) - annotate - [select for diffs], Tue Dec 18 00:14:20 2001 UTC (22 years, 5 months ago) by jasoni
Branch: MAIN
CVS Tags: UBC_BASE
Branch point for: UBC
Changes since 1.179: +10 -1 lines
Diff to previous 1.179 (colored)

Update rt_ifp in DIOCCHANGERULE.
- noticed by DJ Gregor <gregor.7@osu.edu>

Revision 1.163.2.3 / (download) - annotate - [select for diffs], Thu Dec 13 19:52:37 2001 UTC (22 years, 6 months ago) by jason
Branch: OPENBSD_3_0
Changes since 1.163.2.2: +4 -1 lines
Diff to previous 1.163.2.2 (colored) to branchpoint 1.163 (colored)

Pull in patches from current:
Fix (dhartmei, mpech):
- Reset states counter when clearing states.
- don't allow CHANGEBINAT ioctl in securelevel > 1; dhartmei@ ok

Revision 1.179 / (download) - annotate - [select for diffs], Tue Dec 11 03:08:47 2001 UTC (22 years, 6 months ago) by jasoni
Branch: MAIN
Changes since 1.178: +25 -25 lines
Diff to previous 1.178 (colored)

- Log packet while mbuf is still valid.
- If logging and r == NULL, use r0 leaving r untouched.
- Note that pf_route/pf_route6 can free the mbuf.
Thanks and ok frantzen@

Revision 1.178 / (download) - annotate - [select for diffs], Mon Dec 10 18:28:32 2001 UTC (22 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.177: +40 -21 lines
Diff to previous 1.177 (colored)

Add an ioctl to add state entries (DIOCADDSTATE) for proxies.

Revision 1.177 / (download) - annotate - [select for diffs], Mon Dec 10 18:08:11 2001 UTC (22 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.176: +226 -15 lines
Diff to previous 1.176 (colored)

Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.

Revision 1.163.2.2 / (download) - annotate - [select for diffs], Wed Dec 5 19:47:39 2001 UTC (22 years, 6 months ago) by jason
Branch: OPENBSD_3_0
Changes since 1.163.2.1: +13 -10 lines
Diff to previous 1.163.2.1 (colored) to branchpoint 1.163 (colored)

Pull in patch from current:
Fix (dhartmei):
Use pf_pull_hdr() instead of manual mbuf traversal. Fixes potential crashes
in pf_test6() for IPv6 packets with options.

Revision 1.95.2.3 / (download) - annotate - [select for diffs], Wed Dec 5 01:02:40 2001 UTC (22 years, 6 months ago) by niklas
Branch: SMP
Changes since 1.95.2.2: +379 -73 lines
Diff to previous 1.95.2.2 (colored)

Merge in -current

Revision 1.176 / (download) - annotate - [select for diffs], Mon Dec 3 18:47:46 2001 UTC (22 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.175: +6 -2 lines
Diff to previous 1.175 (colored)

Don't reset pf_status.debug and .since on DIOCCLRSTATUS.
From Dries Schellekens. Closes PR 2227.

Revision 1.175 / (download) - annotate - [select for diffs], Sat Dec 1 19:11:41 2001 UTC (22 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.174: +59 -61 lines
Diff to previous 1.174 (colored)

217 lines of diff for KNF, dhartmei, you are evil

Revision 1.174 / (download) - annotate - [select for diffs], Fri Nov 30 17:01:54 2001 UTC (22 years, 6 months ago) by jasoni
Branch: MAIN
Changes since 1.173: +15 -9 lines
Diff to previous 1.173 (colored)

only make a copy of the mbuf if the route rule is dup-to

Revision 1.173 / (download) - annotate - [select for diffs], Tue Nov 27 20:29:25 2001 UTC (22 years, 6 months ago) by jasoni
Branch: MAIN
Changes since 1.172: +2 -2 lines
Diff to previous 1.172 (colored)

typo - use correct mbuf

Revision 1.172 / (download) - annotate - [select for diffs], Tue Nov 27 17:50:36 2001 UTC (22 years, 6 months ago) by frantzen
Branch: MAIN
Changes since 1.171: +19 -15 lines
Diff to previous 1.171 (colored)

do pf_route() before logging in case the logging created a bogus rule
(fixes a recent panic)  OK dhartmei@ jasoni@ mpech@

Revision 1.171 / (download) - annotate - [select for diffs], Mon Nov 26 16:50:26 2001 UTC (22 years, 6 months ago) by jasoni
Branch: MAIN
Changes since 1.170: +289 -1 lines
Diff to previous 1.170 (colored)

add fastroute options similar to what is found in ipf
ok dhartmei@, frantzen@

Revision 1.170 / (download) - annotate - [select for diffs], Wed Nov 21 19:00:24 2001 UTC (22 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.169: +13 -10 lines
Diff to previous 1.169 (colored)

Use pf_pull_hdr() instead of manual mbuf traversal. Fixes potential crashes
in pf_test6() for IPv6 packets with options.

Revision 1.169 / (download) - annotate - [select for diffs], Tue Nov 20 09:27:58 2001 UTC (22 years, 6 months ago) by mpech
Branch: MAIN
Changes since 1.168: +3 -1 lines
Diff to previous 1.168 (colored)

don't allow CHANGEBINAT ioctl in securelevel > 1

dhartmei@ ok

Revision 1.168 / (download) - annotate - [select for diffs], Fri Nov 16 11:07:20 2001 UTC (22 years, 7 months ago) by mickey
Branch: MAIN
Changes since 1.167: +41 -15 lines
Diff to previous 1.167 (colored)

yes, signed subtraction does not work because of underflows, revert the previous

Revision 1.167 / (download) - annotate - [select for diffs], Wed Nov 14 23:30:36 2001 UTC (22 years, 7 months ago) by mickey
Branch: MAIN
Changes since 1.166: +16 -42 lines
Diff to previous 1.166 (colored)

use subtract when comparing keys, for ip addrs as well.
those happen as signed integers and seem to work fine.
saves whole bunch of useless code.
dhartmei@ ok

Revision 1.95.2.2 / (download) - annotate - [select for diffs], Tue Nov 13 22:59:58 2001 UTC (22 years, 7 months ago) by niklas
Branch: SMP
Changes since 1.95.2.1: +33 -33 lines
Diff to previous 1.95.2.1 (colored)

merge in -current

Revision 1.163.2.1 / (download) - annotate - [select for diffs], Tue Nov 13 18:45:11 2001 UTC (22 years, 7 months ago) by jason
Branch: OPENBSD_3_0
Changes since 1.163: +11 -10 lines
Diff to previous 1.163 (colored)

Pull in patch from current (Errata 006):
fix pf from going off into the weeds on an ipv6 icmp packet with certain option
headers.  should fix pr #2172    ok dhartmei@

Revision 1.166 / (download) - annotate - [select for diffs], Tue Nov 13 17:45:26 2001 UTC (22 years, 7 months ago) by frantzen
Branch: MAIN
Changes since 1.165: +11 -10 lines
Diff to previous 1.165 (colored)

fix pf from going off into the weeds on an ipv6 icmp packet with certain option
headers.  should fix pr #2172    ok dhartmei@

Revision 1.165 / (download) - annotate - [select for diffs], Tue Nov 6 11:48:29 2001 UTC (22 years, 7 months ago) by dhartmei
Branch: MAIN
Changes since 1.164: +33 -33 lines
Diff to previous 1.164 (colored)

Use #defines for skip step values. From dgregor@net.ohio-state.edu.

Revision 1.95.2.1 / (download) - annotate - [select for diffs], Wed Oct 31 03:29:02 2001 UTC (22 years, 7 months ago) by nate
Branch: SMP
Changes since 1.95: +3230 -1387 lines
Diff to previous 1.95 (colored)

Sync the SMP branch to something just after 3.0

Revision 1.164 / (download) - annotate - [select for diffs], Wed Oct 24 09:07:38 2001 UTC (22 years, 7 months ago) by dhartmei
Branch: MAIN
Changes since 1.163: +2 -1 lines
Diff to previous 1.163 (colored)

Reset states counter when clearing states.

Revision 1.163 / (download) - annotate - [select for diffs], Mon Oct 15 16:22:21 2001 UTC (22 years, 8 months ago) by dhartmei
Branch: MAIN
CVS Tags: OPENBSD_3_0_BASE
Branch point for: OPENBSD_3_0
Changes since 1.162: +107 -81 lines
Diff to previous 1.162 (colored)

Add 'allow-opts' to rules. Packets with IP options will be blocked by
default now, and can be allowed per rule. ok deraadt@

Revision 1.162 / (download) - annotate - [select for diffs], Sat Oct 13 23:07:19 2001 UTC (22 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.161: +2 -1 lines
Diff to previous 1.161 (colored)

Patch from Ryan McBride, fixes IPv6 return-rst problem, found by
Todd Fries. ok deraadt@

Revision 1.161 / (download) - annotate - [select for diffs], Tue Oct 2 08:44:21 2001 UTC (22 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.160: +2 -2 lines
Diff to previous 1.160 (colored)

Convert ip_off of the inner IP header to host order in pf_test_state_icmp().
Some of the IP header fields are already converted by ip_input.c (including
ip_off), but of course not for inner headers of ICMP packets. The other
fields which are left in network order are ok.

This broke state search for any ICMP error message which referred to an IP
header with the DF flag set, hence any ICMP_UNREACH_NEEDFRAG message.

Found by Andreas Gunnarsson <andreas@crt.se>. Thank you.

Revision 1.160 / (download) - annotate - [select for diffs], Sun Sep 30 03:49:18 2001 UTC (22 years, 8 months ago) by frantzen
Branch: MAIN
Changes since 1.159: +5 -5 lines
Diff to previous 1.159 (colored)

Tune TCP fsm (99.7% - 99.9% accuracy over 1e6 connections)

Revision 1.159 / (download) - annotate - [select for diffs], Thu Sep 27 17:49:12 2001 UTC (22 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.158: +2 -2 lines
Diff to previous 1.158 (colored)

The skip steps array was one element short (since adding steps for af).
This invoked undefined behaviour under the proper circumstances.

Revision 1.158 / (download) - annotate - [select for diffs], Thu Sep 27 15:15:17 2001 UTC (22 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.157: +3 -1 lines
Diff to previous 1.157 (colored)

switch without break. This caused the 'ICMP too short' messages, since
both IPv4 and IPv6 cases were executed. 'switch considered harmful'.

Revision 1.157 / (download) - annotate - [select for diffs], Thu Sep 27 14:02:44 2001 UTC (22 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.156: +2 -2 lines
Diff to previous 1.156 (colored)

Fix th_ack calculation in pf_send_reset(). return-rst didn't work since
1.150 (at least for IPv4).

Revision 1.156 / (download) - annotate - [select for diffs], Sun Sep 23 04:07:07 2001 UTC (22 years, 8 months ago) by frantzen
Branch: MAIN
Changes since 1.155: +2 -2 lines
Diff to previous 1.155 (colored)

Bump up the tcp half closed timeout (single FIN) to an hour

Revision 1.155 / (download) - annotate - [select for diffs], Fri Sep 21 07:18:49 2001 UTC (22 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.154: +19 -3 lines
Diff to previous 1.154 (colored)

Fix natlook (broke ftp-proxy) and a memory leak.
From Ryan McBride.

Revision 1.154 / (download) - annotate - [select for diffs], Wed Sep 19 11:09:59 2001 UTC (22 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.153: +9 -10 lines
Diff to previous 1.153 (colored)

Patch from Ryan McBride. Compile without INET6, remove unnecessary
rewrite++.

Revision 1.153 / (download) - annotate - [select for diffs], Mon Sep 17 17:16:27 2001 UTC (22 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.152: +19 -1 lines
Diff to previous 1.152 (colored)

icmpv6 nat fix, from Ryan McBride

Revision 1.152 / (download) - annotate - [select for diffs], Sat Sep 15 22:25:25 2001 UTC (22 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.151: +2 -1 lines
Diff to previous 1.151 (colored)

The inner protocol of IPv4 ICMP error messages was ignored, leading to
'ICMP error message for bad proto' messages and breaking traceroute etc.

Please increase debugging level (pfctl -x m) while testing.

Revision 1.151 / (download) - annotate - [select for diffs], Sat Sep 15 16:47:07 2001 UTC (22 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.150: +18 -26 lines
Diff to previous 1.150 (colored)

Don't use m_pkthdr.rcvif in pflog_packet(), it doesn't work for outgoing
packets and is obviously invalid (and not NULL) for IPv6 packets (hence
crashed). Pass ifp down instead.

sizeof(ih) instead of sizeof(&ih) for pf_pull_hdr() from pf_test6().

Revision 1.150 / (download) - annotate - [select for diffs], Sat Sep 15 03:54:40 2001 UTC (22 years, 9 months ago) by frantzen
Branch: MAIN
Changes since 1.149: +1432 -454 lines
Diff to previous 1.149 (colored)

IPv6 support from Ryan McBride (mcbride@countersiege.com)

Revision 1.149 / (download) - annotate - [select for diffs], Fri Sep 14 20:22:18 2001 UTC (22 years, 9 months ago) by jasoni
Branch: MAIN
Changes since 1.148: +18 -1 lines
Diff to previous 1.148 (colored)

binat non icmp/udp/tcp protocols as well; ok dhartmei@

Revision 1.148 / (download) - annotate - [select for diffs], Tue Sep 11 22:20:48 2001 UTC (22 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.147: +11 -7 lines
Diff to previous 1.147 (colored)

Undo BINAT translation when blocking with return-rst/-icmp.
Translate at most once. From Ryan McBride.

Revision 1.147 / (download) - annotate - [select for diffs], Thu Sep 6 18:05:46 2001 UTC (22 years, 9 months ago) by jasoni
Branch: MAIN
Changes since 1.146: +304 -14 lines
Diff to previous 1.146 (colored)

1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@

Revision 1.146 / (download) - annotate - [select for diffs], Wed Sep 5 19:12:59 2001 UTC (22 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.145: +63 -56 lines
Diff to previous 1.145 (colored)

Handle uh_sum == 0x0000 correctly. Before, UDP packet checksums were
broken by NAT/RDR when unset by the sender. Fixes ntpdate behind NAT.

Revision 1.145 / (download) - annotate - [select for diffs], Wed Sep 5 12:42:31 2001 UTC (22 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.144: +2 -2 lines
Diff to previous 1.144 (colored)

s/pf_natlook/pfioc_natlook (ioctl parameter struct)

Revision 1.144 / (download) - annotate - [select for diffs], Tue Sep 4 12:32:53 2001 UTC (22 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.143: +32 -31 lines
Diff to previous 1.143 (colored)

Add skip steps for interface (ifp).

Revision 1.143 / (download) - annotate - [select for diffs], Tue Sep 4 08:55:37 2001 UTC (22 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.142: +2 -2 lines
Diff to previous 1.142 (colored)

#define empty PFLOG_PACKET correctly (no side effects). Closes PR2044.
From Claus Assmann.

Revision 1.142 / (download) - annotate - [select for diffs], Fri Aug 31 23:05:22 2001 UTC (22 years, 9 months ago) by frantzen
Branch: MAIN
Changes since 1.141: +7 -1 lines
Diff to previous 1.141 (colored)

Forgot to commit frag expire tuning before
Check for a short ip_hl.  Could have caused proto headers to overlap IP header.

Revision 1.141 / (download) - annotate - [select for diffs], Tue Aug 28 08:12:17 2001 UTC (22 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.140: +4 -1 lines
Diff to previous 1.140 (colored)

Add new ioctls to securelevel check, from Can Erkin Acar
<canacar@eee.metu.edu.tr>

Revision 1.140 / (download) - annotate - [select for diffs], Tue Aug 28 00:02:43 2001 UTC (22 years, 9 months ago) by frantzen
Branch: MAIN
Changes since 1.139: +70 -15 lines
Diff to previous 1.139 (colored)

Bump state timeouts and allow tweaking them from pfctl.
(The state timeouts need some _serious_ tuning)

Revision 1.139 / (download) - annotate - [select for diffs], Sun Aug 26 23:23:03 2001 UTC (22 years, 9 months ago) by niklas
Branch: MAIN
Changes since 1.138: +2 -2 lines
Diff to previous 1.138 (colored)

2nd uninitialized variable that bit me today

Revision 1.138 / (download) - annotate - [select for diffs], Sat Aug 25 21:54:25 2001 UTC (22 years, 9 months ago) by frantzen
Branch: MAIN
Changes since 1.137: +76 -23 lines
Diff to previous 1.137 (colored)

PF ISN randomization.  Or in trekkie techno-babble, ISN phase modulation.

Revision 1.137 / (download) - annotate - [select for diffs], Wed Aug 22 03:02:25 2001 UTC (22 years, 9 months ago) by frantzen
Branch: MAIN
Changes since 1.136: +16 -9 lines
Diff to previous 1.136 (colored)

Correct the setup of the initial TCP state window and pre-validate th_ack
on an FIN|ACK close if the client has never responded.

Revision 1.136 / (download) - annotate - [select for diffs], Wed Aug 22 00:26:10 2001 UTC (22 years, 9 months ago) by frantzen
Branch: MAIN
Changes since 1.135: +17 -5 lines
Diff to previous 1.135 (colored)

Fix panic in pf (was my fault) caused by a bad key compare optimization
Add debug output to track loose state matches

Revision 1.135 / (download) - annotate - [select for diffs], Tue Aug 21 17:25:59 2001 UTC (22 years, 9 months ago) by deraadt
Branch: MAIN
Changes since 1.134: +4 -4 lines
Diff to previous 1.134 (colored)

KNF

Revision 1.134 / (download) - annotate - [select for diffs], Tue Aug 21 01:54:17 2001 UTC (22 years, 9 months ago) by frantzen
Branch: MAIN
Changes since 1.133: +20 -11 lines
Diff to previous 1.133 (colored)

Pass closing TCP connections through looser state machine (handle Solaris'
stupid spurious ACK|FINs after a close)

Revision 1.133 / (download) - annotate - [select for diffs], Sun Aug 19 20:25:22 2001 UTC (22 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.132: +183 -9 lines
Diff to previous 1.132 (colored)

Add new ioctls for adding/removing RDR and NAT rules to/from the active
rule sets.

Revision 1.132 / (download) - annotate - [select for diffs], Sun Aug 19 20:00:39 2001 UTC (22 years, 9 months ago) by frantzen
Branch: MAIN
Changes since 1.131: +14 -21 lines
Diff to previous 1.131 (colored)

Quick optimization of pf_tree_key_compare (should half the instruction count)

Revision 1.131 / (download) - annotate - [select for diffs], Sun Aug 19 19:46:08 2001 UTC (22 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.130: +14 -17 lines
Diff to previous 1.130 (colored)

Make more money for mickey (count entire IP packets for statistics, not just
inner data).

Revision 1.130 / (download) - annotate - [select for diffs], Sun Aug 19 19:08:35 2001 UTC (22 years, 9 months ago) by frantzen
Branch: MAIN
Changes since 1.129: +10 -8 lines
Diff to previous 1.129 (colored)

Yet another batch of improvements and un-fuckups to the TCP state code.
Improved the state miss debug messages to cover the new checks.

Revision 1.129 / (download) - annotate - [select for diffs], Sun Aug 19 19:03:58 2001 UTC (22 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.128: +20 -5 lines
Diff to previous 1.128 (colored)

Add per-rule byte counter, so mickey can do accounting. We're counting the
data part (without IP and TCP/UDP/ICMP headers), like the state counter does.

Revision 1.128 / (download) - annotate - [select for diffs], Sun Aug 19 18:19:08 2001 UTC (22 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.127: +13 -1 lines
Diff to previous 1.127 (colored)

Add per-rule statistics (number of evaluations and number of packets).
Packets passed statefully will be counted using the rule that created
the state.

Revision 1.127 / (download) - annotate - [select for diffs], Sun Aug 19 17:03:00 2001 UTC (22 years, 9 months ago) by frantzen
Branch: MAIN
Changes since 1.126: +30 -25 lines
Diff to previous 1.126 (colored)

Unfuck some TCP state stuff that would drop the SYN|ACK.
Enumerated the TCP states.
Here's a mapping new->old tcp states if anyone gives a shit:
TCPS_CLOSED            0
TCPS_SYN_SENT          1
TCPS_ESTABLISHED       2
TCPS_CLOSING           3
TCPS_FIN_WAIT_2        4
TCPS_TIME_WAIT         5

Revision 1.126 / (download) - annotate - [select for diffs], Sun Aug 19 01:53:26 2001 UTC (22 years, 9 months ago) by frantzen
Branch: MAIN
Changes since 1.125: +79 -28 lines
Diff to previous 1.125 (colored)

Loosened TCP state code which should allow stupid stacks to shotgun their
SYNs and provide better handling for pre-existing connections.

Revision 1.125 / (download) - annotate - [select for diffs], Sat Aug 18 22:26:08 2001 UTC (22 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.124: +107 -1 lines
Diff to previous 1.124 (colored)

Add new ioctl for adding/removing individual rules to/from the active rule set.

Revision 1.124 / (download) - annotate - [select for diffs], Sat Aug 18 21:09:13 2001 UTC (22 years, 9 months ago) by deraadt
Branch: MAIN
Changes since 1.123: +47 -2 lines
Diff to previous 1.123 (colored)

make pfctl -s state SCREAM; frantzen is now happy

Revision 1.123 / (download) - annotate - [select for diffs], Sat Aug 11 12:05:00 2001 UTC (22 years, 10 months ago) by dhartmei
Branch: MAIN
Changes since 1.122: +119 -50 lines
Diff to previous 1.122 (colored)

Add support for ICMP errors referring to ICMP queries/replies. Fixes
'ICMP error message for bad proto' messages. Reported by Mark Grimes
and Steve Rumble.

Add debugging level with ioctl interface and pfctl switch. Default
is 'None'.

Revision 1.122 / (download) - annotate - [select for diffs], Wed Aug 1 23:07:36 2001 UTC (22 years, 10 months ago) by provos
Branch: MAIN
Changes since 1.121: +6 -3 lines
Diff to previous 1.121 (colored)

stateless tcp normalization along the lines of the normalization paper by
handley, paxson and kreibich; okay deraadt@

Revision 1.121 / (download) - annotate - [select for diffs], Mon Jul 30 23:00:37 2001 UTC (22 years, 10 months ago) by deraadt
Branch: MAIN
Changes since 1.120: +39 -40 lines
Diff to previous 1.120 (colored)

never before has a file so often deviated from KNF

Revision 1.120 / (download) - annotate - [select for diffs], Sun Jul 29 12:53:17 2001 UTC (22 years, 10 months ago) by dhartmei
Branch: MAIN
Changes since 1.119: +149 -28 lines
Diff to previous 1.119 (colored)

Implement rule skipping. This is a transparent evaluation optimization,
which reduces evaluation cost for sorted rules of similar parameters.
Preparation for rule duplication for parameter lists from pfctl.

Revision 1.119 / (download) - annotate - [select for diffs], Wed Jul 25 12:22:28 2001 UTC (22 years, 10 months ago) by dhartmei
Branch: MAIN
Changes since 1.118: +164 -32 lines
Diff to previous 1.118 (colored)

nat proxy port randomization by ben fleis.

Revision 1.118 / (download) - annotate - [select for diffs], Sat Jul 21 23:26:41 2001 UTC (22 years, 10 months ago) by dhartmei
Branch: MAIN
Changes since 1.117: +40 -9 lines
Diff to previous 1.117 (colored)

print additional debugging information for 'insert invalid' messages. occurs for some people (never for me), and I need more information. will be removed after the issue is resolved. please report these, if you get them.

Revision 1.117 / (download) - annotate - [select for diffs], Thu Jul 19 00:07:36 2001 UTC (22 years, 10 months ago) by krw
Branch: MAIN
Changes since 1.116: +5 -3 lines
Diff to previous 1.116 (colored)

Fix/complete the handling of the binary ops >< and <> to behave
like the ipf operators.

The 'n >< m' construct (Include Range = PF_OP_IRG) should match
ports greater than n and less than m, not greater than or equal to
n and less than or equal to m.

The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match
all ports less than n OR greater than m, not be treated as an
alias for ><.

Thus PF_OP_GL, which was used for both <> and >< is replaced with
PF_OP_IRG and PF_OP_XRG with the 'correct' semantics.

OK dhartmei@

Revision 1.116 / (download) - annotate - [select for diffs], Wed Jul 18 22:24:07 2001 UTC (22 years, 10 months ago) by dhartmei
Branch: MAIN
Changes since 1.115: +4 -3 lines
Diff to previous 1.115 (colored)

fix pf_get_rdr() for single port (dport2 == 0) rules. found by lebel@.

Revision 1.115 / (download) - annotate - [select for diffs], Tue Jul 17 21:54:25 2001 UTC (22 years, 10 months ago) by provos
Branch: MAIN
Changes since 1.114: +3 -3 lines
Diff to previous 1.114 (colored)

normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@

Revision 1.114 / (download) - annotate - [select for diffs], Tue Jul 17 20:34:51 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.113: +8 -499 lines
Diff to previous 1.113 (colored)

split ip normalization out into a separate file, okay dhartmei@

Revision 1.113 / (download) - annotate - [select for diffs], Sun Jul 15 23:05:04 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.112: +3 -1 lines
Diff to previous 1.112 (colored)

increase src->state to 1 when creating state from intermediate (non-SYN) packets. this fixes one class of BAD state messages (where seqlo=0, seqhi=1).

Revision 1.112 / (download) - annotate - [select for diffs], Sat Jul 14 10:36:53 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.111: +2 -2 lines
Diff to previous 1.111 (colored)

use int instead of signed char. doesn't use more memory (padding occurs) and is actually faster.

Revision 1.111 / (download) - annotate - [select for diffs], Fri Jul 13 23:44:08 2001 UTC (22 years, 11 months ago) by fgsch
Branch: MAIN
Changes since 1.110: +25 -27 lines
Diff to previous 1.110 (colored)

indent.

Revision 1.110 / (download) - annotate - [select for diffs], Fri Jul 13 01:52:10 2001 UTC (22 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.109: +30 -32 lines
Diff to previous 1.109 (colored)

every time i clean in here, i get a 250 line diff...

Revision 1.109 / (download) - annotate - [select for diffs], Wed Jul 11 16:14:15 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.108: +18 -24 lines
Diff to previous 1.108 (colored)

Simplify pf_pull_hdr(), don't use inner IP header's ip_len or ip_off
in case of pf_test_state_icmp(). This solves the "ICMP error message
too short" problems. Reported by ycchang and heko.

Revision 1.108 / (download) - annotate - [select for diffs], Mon Jul 9 23:15:27 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.107: +4 -1 lines
Diff to previous 1.107 (colored)

do compare in host order. found by millert@.

Revision 1.107 / (download) - annotate - [select for diffs], Mon Jul 9 10:30:57 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.106: +47 -36 lines
Diff to previous 1.106 (colored)

Extend nat/rdr syntax. Add source/destination selection. Make
interface optional. Suggested by rdump@river.com.

nat [on [!] <ifname>] from (any | [!] <addr>[/<mask>]) to (any |
    [!] <addr>[/<mask>]) -> <addr> [proto (tcp | udp | icmp)]

rdr [on [!] <ifname>] from (any | [!] <addr>[/<mask>]) to (any |
    [!] <addr>[/<mask>]) port <a>[:<b>] -> <addr> port <c>[:*]
    [proto (tcp | udp | icmp)]

Revision 1.106 / (download) - annotate - [select for diffs], Sat Jul 7 01:56:09 2001 UTC (22 years, 11 months ago) by marc
Branch: MAIN
Changes since 1.105: +2 -2 lines
Diff to previous 1.105 (colored)

get rid of compiler warning

Revision 1.105 / (download) - annotate - [select for diffs], Fri Jul 6 23:01:30 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.104: +17 -2 lines
Diff to previous 1.104 (colored)

style change #2, avoid (a == b) == c

Revision 1.104 / (download) - annotate - [select for diffs], Fri Jul 6 22:45:32 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.103: +73 -32 lines
Diff to previous 1.103 (colored)

style change #1, avoid ternary operator

Revision 1.103 / (download) - annotate - [select for diffs], Fri Jul 6 22:22:45 2001 UTC (22 years, 11 months ago) by chris
Branch: MAIN
Changes since 1.102: +5 -3 lines
Diff to previous 1.102 (colored)

theo requests less archaic style

Revision 1.102 / (download) - annotate - [select for diffs], Fri Jul 6 22:09:00 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.101: +251 -275 lines
Diff to previous 1.101 (colored)

don't evaluate rules for packets that have state but mismatch seq range (could create duplicate state)

Revision 1.101 / (download) - annotate - [select for diffs], Fri Jul 6 21:19:55 2001 UTC (22 years, 11 months ago) by chris
Branch: MAIN
Changes since 1.100: +3 -3 lines
Diff to previous 1.100 (colored)

Allow negative match on interface name for nat and rdr
ok dhartmei@

Revision 1.100 / (download) - annotate - [select for diffs], Fri Jul 6 17:40:34 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.99: +30 -20 lines
Diff to previous 1.99 (colored)

some cleanup, okay dhartmei@

Revision 1.99 / (download) - annotate - [select for diffs], Thu Jul 5 21:39:29 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.98: +2 -1 lines
Diff to previous 1.98 (colored)

initialize fragment correctly

Revision 1.98 / (download) - annotate - [select for diffs], Wed Jul 4 20:00:38 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.97: +16 -24 lines
Diff to previous 1.97 (colored)

call ip_output() correctly, use ICMP_MINLEN, only m_copyback() where needed. ok deraadt@

Revision 1.97 / (download) - annotate - [select for diffs], Tue Jul 3 04:20:47 2001 UTC (22 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.96: +163 -171 lines
Diff to previous 1.96 (colored)

grr, you guys keep not obeying KNF

Revision 1.96 / (download) - annotate - [select for diffs], Tue Jul 3 03:34:41 2001 UTC (22 years, 11 months ago) by beck
Branch: MAIN
Changes since 1.95: +45 -2 lines
Diff to previous 1.95 (colored)

add DIOCNATLOOK ioctl and pf_natlook structure, this enables a userland
process receiving rdr'ed connections to look up the original destination
of the connection before it was redirected - this enables the writing
of transparent proxies.

Revision 1.95 / (download) - annotate - [select for diffs], Mon Jul 2 19:19:49 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Branch point for: SMP
Changes since 1.94: +4 -2 lines
Diff to previous 1.94 (colored)

another memory leak

Revision 1.94 / (download) - annotate - [select for diffs], Mon Jul 2 19:18:40 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.93: +4 -2 lines
Diff to previous 1.93 (colored)

fix memory leak

Revision 1.93 / (download) - annotate - [select for diffs], Sun Jul 1 23:31:31 2001 UTC (22 years, 11 months ago) by dugsong
Branch: MAIN
Changes since 1.92: +2 -4 lines
Diff to previous 1.92 (colored)

-Wall

Revision 1.92 / (download) - annotate - [select for diffs], Sun Jul 1 23:04:44 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.91: +56 -42 lines
Diff to previous 1.91 (colored)

tag packets generated by pf (return-rst, return-icmp) so they are not filtered, use existing icmp_error() and ip_output(). ok dugsong@, frantzen@

Revision 1.91 / (download) - annotate - [select for diffs], Sun Jul 1 17:16:03 2001 UTC (22 years, 11 months ago) by kjell
Branch: MAIN
Changes since 1.90: +32 -7 lines
Diff to previous 1.90 (colored)

Add port ranges to the rdr directive. Connections can be redirected
to either a range of the same size, or a single port. Redirects
between ranges of different sizes are not supported. Eg:

rdr dc0 10.0.0.0/24 port 60000:61000 -> 127.0.0.1 port 65530:* proto udp
rdr xl0 0.0.0.0/0 port 6660:6669 -> 127.0.0.1 port 6667 proto tcp

This replaces the wildcard port patch (when port = 0), as it should no
longer be necessary. ok dhartmei@

Revision 1.90 / (download) - annotate - [select for diffs], Sun Jul 1 11:22:45 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.89: +18 -20 lines
Diff to previous 1.89 (colored)

for ICMP error messages referring to TCP packets, only use the first 8 bytes of the TCP header. drop ackskew test and th_sum update.

Revision 1.89 / (download) - annotate - [select for diffs], Fri Jun 29 16:48:02 2001 UTC (22 years, 11 months ago) by niklas
Branch: MAIN
Changes since 1.88: +194 -173 lines
Diff to previous 1.88 (colored)

Prepend pf_ to limit potential namespace problems, shorten some lines.

Revision 1.88 / (download) - annotate - [select for diffs], Fri Jun 29 12:57:02 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.87: +25 -21 lines
Diff to previous 1.87 (colored)

list instead of tailq for frents, use pool hardlimits, correctly free
after complete reassembly

Revision 1.87 / (download) - annotate - [select for diffs], Thu Jun 28 22:49:49 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.86: +11 -5 lines
Diff to previous 1.86 (colored)

lower hiwat limits, enforce hi water mark

Revision 1.86 / (download) - annotate - [select for diffs], Thu Jun 28 22:38:16 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.85: +269 -205 lines
Diff to previous 1.85 (colored)

add tree traversal code (new pf_tree_node->parent), dump states TAILQ and traverse a tree instead.

Revision 1.85 / (download) - annotate - [select for diffs], Thu Jun 28 22:36:09 2001 UTC (22 years, 11 months ago) by dugsong
Branch: MAIN
Changes since 1.84: +18 -38 lines
Diff to previous 1.84 (colored)

wrap 5-tuple rule match with MATCH_TUPLE. from ben fleis <ben@monkey.org>

Revision 1.84 / (download) - annotate - [select for diffs], Thu Jun 28 22:17:42 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.83: +2 -1 lines
Diff to previous 1.83 (colored)

forgot to init fr_timeout

Revision 1.83 / (download) - annotate - [select for diffs], Thu Jun 28 21:53:41 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.82: +469 -9 lines
Diff to previous 1.82 (colored)

first stab at packet normalization.  includes full ip reassembly.
okay dhartmei@, dugsong@

Revision 1.82 / (download) - annotate - [select for diffs], Thu Jun 28 10:04:19 2001 UTC (22 years, 11 months ago) by hugh
Branch: MAIN
Changes since 1.81: +18 -1 lines
Diff to previous 1.81 (colored)

Disallow filter modification when the system is "highly secure".
Passed by dhartmei.

Revision 1.81 / (download) - annotate - [select for diffs], Wed Jun 27 22:41:25 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.80: +25 -24 lines
Diff to previous 1.80 (colored)

change pf_tree_key->addr[2] from u_int32_t to struct in_addr for Niels

Revision 1.80 / (download) - annotate - [select for diffs], Wed Jun 27 22:05:20 2001 UTC (22 years, 11 months ago) by jasoni
Branch: MAIN
Changes since 1.79: +6 -4 lines
Diff to previous 1.79 (colored)

in rdr rules, let port 0 be the port wildcard; ok dhartmei@

Revision 1.79 / (download) - annotate - [select for diffs], Wed Jun 27 21:34:57 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.78: +2 -2 lines
Diff to previous 1.78 (colored)

change pf_tree_node->state to void *, so Niels can use a tree for fragment handling

Revision 1.78 / (download) - annotate - [select for diffs], Wed Jun 27 16:07:16 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.77: +4 -4 lines
Diff to previous 1.77 (colored)

use proper icmp define

Revision 1.77 / (download) - annotate - [select for diffs], Wed Jun 27 10:31:51 2001 UTC (22 years, 11 months ago) by kjell
Branch: MAIN
Changes since 1.76: +6 -8 lines
Diff to previous 1.76 (colored)

add -z flag for zeroing statistics. -s status no longer resets anything

Revision 1.76 / (download) - annotate - [select for diffs], Wed Jun 27 10:27:43 2001 UTC (22 years, 11 months ago) by kjell
Branch: MAIN
Changes since 1.75: +3 -2 lines
Diff to previous 1.75 (colored)

add microtime, which seems to have gotten lost.

Revision 1.75 / (download) - annotate - [select for diffs], Wed Jun 27 04:24:43 2001 UTC (22 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.74: +83 -73 lines
Diff to previous 1.74 (colored)

big KNF

Revision 1.74 / (download) - annotate - [select for diffs], Wed Jun 27 04:01:56 2001 UTC (22 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.73: +2 -7 lines
Diff to previous 1.73 (colored)

remove unnecessary check in ioctl

Revision 1.73 / (download) - annotate - [select for diffs], Wed Jun 27 03:47:01 2001 UTC (22 years, 11 months ago) by dugsong
Branch: MAIN
Changes since 1.72: +2 -2 lines
Diff to previous 1.72 (colored)

typo

Revision 1.72 / (download) - annotate - [select for diffs], Wed Jun 27 03:39:11 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.71: +5 -3 lines
Diff to previous 1.71 (colored)

for other protocols, keep correct track of match stats

Revision 1.71 / (download) - annotate - [select for diffs], Wed Jun 27 03:24:23 2001 UTC (22 years, 11 months ago) by dugsong
Branch: MAIN
Changes since 1.70: +34 -2 lines
Diff to previous 1.70 (colored)

handle non-TCP/UDP/ICMP protocols

Revision 1.70 / (download) - annotate - [select for diffs], Wed Jun 27 02:13:43 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.69: +1 -22 lines
Diff to previous 1.69 (colored)

remove print_ip, it's unused

Revision 1.69 / (download) - annotate - [select for diffs], Wed Jun 27 02:10:17 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.68: +10 -24 lines
Diff to previous 1.68 (colored)

clean up TAILQ usage

Revision 1.68 / (download) - annotate - [select for diffs], Wed Jun 27 01:57:17 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.67: +4 -4 lines
Diff to previous 1.67 (colored)

KNF

Revision 1.67 / (download) - annotate - [select for diffs], Wed Jun 27 01:55:54 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.66: +41 -35 lines
Diff to previous 1.66 (colored)

only set reason code match if there was a rule that we matched

Revision 1.66 / (download) - annotate - [select for diffs], Tue Jun 26 23:26:24 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.65: +27 -19 lines
Diff to previous 1.65 (colored)

update match counts

Revision 1.65 / (download) - annotate - [select for diffs], Tue Jun 26 22:56:02 2001 UTC (22 years, 11 months ago) by dugsong
Branch: MAIN
Changes since 1.64: +10 -10 lines
Diff to previous 1.64 (colored)

name comparison operators

Revision 1.64 / (download) - annotate - [select for diffs], Tue Jun 26 22:26:12 2001 UTC (22 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.63: +24 -11 lines
Diff to previous 1.63 (colored)

array of counters indexed by reason codes

Revision 1.63 / (download) - annotate - [select for diffs], Tue Jun 26 21:47:40 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.62: +14 -26 lines
Diff to previous 1.62 (colored)

rules have numbers now, use them. add two spl locks.

Revision 1.62 / (download) - annotate - [select for diffs], Tue Jun 26 20:56:36 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.61: +11 -10 lines
Diff to previous 1.61 (colored)

rule nr is in rule now

Revision 1.61 / (download) - annotate - [select for diffs], Tue Jun 26 20:50:26 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.60: +4 -2 lines
Diff to previous 1.60 (colored)

add rule nr for Niels

Revision 1.60 / (download) - annotate - [select for diffs], Tue Jun 26 20:06:36 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.59: +12 -5 lines
Diff to previous 1.59 (colored)

pass rule to logging for state matches

Revision 1.59 / (download) - annotate - [select for diffs], Tue Jun 26 19:51:04 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.58: +22 -21 lines
Diff to previous 1.58 (colored)

log-all causes state matches to log packets to pflog

Revision 1.58 / (download) - annotate - [select for diffs], Tue Jun 26 19:43:14 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.57: +10 -1 lines
Diff to previous 1.57 (colored)

add rule pointer and log option to states

Revision 1.57 / (download) - annotate - [select for diffs], Tue Jun 26 19:09:43 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.56: +3 -2 lines
Diff to previous 1.56 (colored)

get rid of another printf

Revision 1.56 / (download) - annotate - [select for diffs], Tue Jun 26 19:01:55 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.55: +39 -23 lines
Diff to previous 1.55 (colored)

use reasons in pull_hdr, default log if pull_hdr fails. okay deraadt@

Revision 1.55 / (download) - annotate - [select for diffs], Tue Jun 26 18:17:53 2001 UTC (22 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.54: +35 -36 lines
Diff to previous 1.54 (colored)

no longer pass around **m

Revision 1.54 / (download) - annotate - [select for diffs], Tue Jun 26 17:45:57 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.53: +4 -2 lines
Diff to previous 1.53 (colored)

deal with NULL rule being passed to logging

Revision 1.53 / (download) - annotate - [select for diffs], Tue Jun 26 15:58:42 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.52: +21 -41 lines
Diff to previous 1.52 (colored)

fix logging.  the ip header is contained in the first mbuf. itojun and me.

Revision 1.52 / (download) - annotate - [select for diffs], Tue Jun 26 15:35:41 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.51: +3 -2 lines
Diff to previous 1.51 (colored)

forgot htons

Revision 1.51 / (download) - annotate - [select for diffs], Tue Jun 26 15:33:00 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.50: +9 -8 lines
Diff to previous 1.50 (colored)

add a subreason to the link header to allow us to determine why a packet was
dropped or passed.  from discussion with theo and me.

Revision 1.50 / (download) - annotate - [select for diffs], Tue Jun 26 12:27:16 2001 UTC (22 years, 11 months ago) by wilfried
Branch: MAIN
Changes since 1.49: +7 -7 lines
Diff to previous 1.49 (colored)

allow 0.0.0.0/x in rules

Revision 1.49 / (download) - annotate - [select for diffs], Tue Jun 26 11:17:31 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.48: +3 -3 lines
Diff to previous 1.48 (colored)

more suitable error values when DIOCSTART/STOP fail; peters@telia.net

Revision 1.48 / (download) - annotate - [select for diffs], Tue Jun 26 06:58:28 2001 UTC (22 years, 11 months ago) by markus
Branch: MAIN
Changes since 1.47: +2 -2 lines
Diff to previous 1.47 (colored)

no // comments

Revision 1.47 / (download) - annotate - [select for diffs], Tue Jun 26 05:03:36 2001 UTC (22 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.46: +2 -4 lines
Diff to previous 1.46 (colored)

avoid useless m_copyback

Revision 1.46 / (download) - annotate - [select for diffs], Tue Jun 26 05:02:11 2001 UTC (22 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.45: +23 -21 lines
Diff to previous 1.45 (colored)

use m_copydata for 1st ip header too.

Revision 1.45 / (download) - annotate - [select for diffs], Tue Jun 26 04:57:34 2001 UTC (22 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.44: +154 -80 lines
Diff to previous 1.44 (colored)

avoid m_pulldown (and mbuf alloc/free).
- copy the data content of mbuf to local data structure by m_copydata.
- if we did any NAT operation, copy the updated content back by m_copyback.

XXX PFLOG_PACKET will now log the original packet, before the NAT. is it correct?
XXX does not do m_copyback on PF_DROP case.  is it okay?

Revision 1.44 / (download) - annotate - [select for diffs], Tue Jun 26 04:24:45 2001 UTC (22 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.43: +29 -29 lines
Diff to previous 1.43 (colored)

pass ip header offset to child functions.  a preparation for
m_pulldown -> m_copydata transition.

Revision 1.43 / (download) - annotate - [select for diffs], Tue Jun 26 04:17:11 2001 UTC (22 years, 11 months ago) by frantzen
Branch: MAIN
Changes since 1.42: +100 -33 lines
Diff to previous 1.42 (colored)

Replicated TCP sequence tracking code in PF from Guido's IPF paper.

Revision 1.42 / (download) - annotate - [select for diffs], Tue Jun 26 04:02:50 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.41: +2 -2 lines
Diff to previous 1.41 (colored)

sigh

Revision 1.41 / (download) - annotate - [select for diffs], Tue Jun 26 04:00:29 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.40: +4 -1 lines
Diff to previous 1.40 (colored)

pflog_packet fails on NULL mbuf

Revision 1.40 / (download) - annotate - [select for diffs], Tue Jun 26 00:11:00 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.39: +2 -1 lines
Diff to previous 1.39 (colored)

mea culpa

Revision 1.39 / (download) - annotate - [select for diffs], Mon Jun 25 23:02:20 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.38: +27 -20 lines
Diff to previous 1.38 (colored)

extend the logging via a new link header type.  export interface, direction,
action and rule nr.

Revision 1.38 / (download) - annotate - [select for diffs], Mon Jun 25 22:53:39 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.37: +79 -57 lines
Diff to previous 1.37 (colored)

remaining lists converted to TAILQs

Revision 1.37 / (download) - annotate - [select for diffs], Mon Jun 25 22:08:03 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.36: +34 -37 lines
Diff to previous 1.36 (colored)

use TAILQ instead of homegrown list, other lists will follow

Revision 1.36 / (download) - annotate - [select for diffs], Mon Jun 25 20:48:17 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.35: +69 -58 lines
Diff to previous 1.35 (colored)

first stab at packet logging for pf.  inspired by late night dreams of art.
we just pass drop and passed packets to different pseudo interface that
can be listened to with bpf.

Revision 1.35 / (download) - annotate - [select for diffs], Mon Jun 25 19:53:37 2001 UTC (22 years, 11 months ago) by art
Branch: MAIN
Changes since 1.34: +20 -21 lines
Diff to previous 1.34 (colored)

Unnecessary gotos.

Revision 1.34 / (download) - annotate - [select for diffs], Mon Jun 25 19:22:26 2001 UTC (22 years, 11 months ago) by art
Branch: MAIN
Changes since 1.33: +14 -6 lines
Diff to previous 1.33 (colored)

Rework COMMITRULES.
First we swap in the new rules, then we free the old (freeing can be done
outside splnet).

Revision 1.33 / (download) - annotate - [select for diffs], Mon Jun 25 17:17:04 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.32: +325 -157 lines
Diff to previous 1.32 (colored)

revised ioctl interface, first getopt version of pfctl

Revision 1.32 / (download) - annotate - [select for diffs], Mon Jun 25 16:53:20 2001 UTC (22 years, 11 months ago) by jasoni
Branch: MAIN
Changes since 1.31: +4 -4 lines
Diff to previous 1.31 (colored)

display correct direction in log

Revision 1.31 / (download) - annotate - [select for diffs], Mon Jun 25 10:07:14 2001 UTC (22 years, 11 months ago) by art
Branch: MAIN
Changes since 1.30: +4 -4 lines
Diff to previous 1.30 (colored)

Rename the rest of the structs to be consistent.

Revision 1.30 / (download) - annotate - [select for diffs], Mon Jun 25 09:57:08 2001 UTC (22 years, 11 months ago) by art
Branch: MAIN
Changes since 1.29: +13 -13 lines
Diff to previous 1.29 (colored)

fix -> cksum_fixup

Revision 1.29 / (download) - annotate - [select for diffs], Mon Jun 25 09:46:20 2001 UTC (22 years, 11 months ago) by art
Branch: MAIN
Changes since 1.28: +8 -5 lines
Diff to previous 1.28 (colored)

No c++ comments.

Revision 1.28 / (download) - annotate - [select for diffs], Mon Jun 25 09:35:52 2001 UTC (22 years, 11 months ago) by art
Branch: MAIN
Changes since 1.27: +16 -16 lines
Diff to previous 1.27 (colored)

Even more global variables with too common names.

Revision 1.27 / (download) - annotate - [select for diffs], Mon Jun 25 09:31:07 2001 UTC (22 years, 11 months ago) by art
Branch: MAIN
Changes since 1.26: +40 -40 lines
Diff to previous 1.26 (colored)

More renaming.

Revision 1.26 / (download) - annotate - [select for diffs], Mon Jun 25 09:23:30 2001 UTC (22 years, 11 months ago) by art
Branch: MAIN
Changes since 1.25: +94 -94 lines
Diff to previous 1.25 (colored)

Avoid common names. Needs more work.

Revision 1.25 / (download) - annotate - [select for diffs], Mon Jun 25 08:58:21 2001 UTC (22 years, 11 months ago) by art
Branch: MAIN
Changes since 1.24: +21 -21 lines
Diff to previous 1.24 (colored)

rename tree_node -> pf_tree_node

Revision 1.24 / (download) - annotate - [select for diffs], Mon Jun 25 08:42:08 2001 UTC (22 years, 11 months ago) by art
Branch: MAIN
Changes since 1.23: +4 -4 lines
Diff to previous 1.23 (colored)

more

Revision 1.23 / (download) - annotate - [select for diffs], Mon Jun 25 08:39:48 2001 UTC (22 years, 11 months ago) by art
Branch: MAIN
Changes since 1.22: +2 -2 lines
Diff to previous 1.22 (colored)

no point using a char here.

Revision 1.22 / (download) - annotate - [select for diffs], Mon Jun 25 05:28:03 2001 UTC (22 years, 11 months ago) by kjell
Branch: MAIN
Changes since 1.21: +25 -26 lines
Diff to previous 1.21 (colored)

packetfilter -> pf in messages

Revision 1.21 / (download) - annotate - [select for diffs], Mon Jun 25 01:52:55 2001 UTC (22 years, 11 months ago) by mickey
Branch: MAIN
Changes since 1.20: +9 -9 lines
Diff to previous 1.20 (colored)

remove inlines they are plain wrong

Revision 1.20 / (download) - annotate - [select for diffs], Mon Jun 25 01:00:35 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.19: +2 -4 lines
Diff to previous 1.19 (colored)

do not drop unsupported protocol. default to pass. needs to be configurable
later.

Revision 1.19 / (download) - annotate - [select for diffs], Mon Jun 25 00:14:57 2001 UTC (22 years, 11 months ago) by niklas
Branch: MAIN
Changes since 1.18: +110 -112 lines
Diff to previous 1.18 (colored)

Some KNF, do not have a char field between pointers, it creates
padding.  Do not inline expensive functions, esp. not such declared after
first use.

Revision 1.18 / (download) - annotate - [select for diffs], Mon Jun 25 00:02:54 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.17: +15 -15 lines
Diff to previous 1.17 (colored)

use only ioctl return values found in errno.h

Revision 1.17 / (download) - annotate - [select for diffs], Sun Jun 24 23:56:32 2001 UTC (22 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.16: +1 -5 lines
Diff to previous 1.16 (colored)

do not refer uninitialized var

Revision 1.16 / (download) - annotate - [select for diffs], Sun Jun 24 23:50:11 2001 UTC (22 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.15: +2 -2 lines
Diff to previous 1.15 (colored)

printf string fix

Revision 1.15 / (download) - annotate - [select for diffs], Sun Jun 24 23:48:53 2001 UTC (22 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.14: +98 -51 lines
Diff to previous 1.14 (colored)

remove assumption that protocol header follows the ip header.
always pass "off" around.

pull_hdr: remove assumption that ip header is on the top of mbuf.
we use pull_hdr on icmp payload (= original ip packet) parsing.

avoid mbuf overrun on icmp parsing.  never use pointer operations to get
the pointer to next header.

Revision 1.14 / (download) - annotate - [select for diffs], Sun Jun 24 23:43:59 2001 UTC (22 years, 11 months ago) by art
Branch: MAIN
Changes since 1.13: +3 -3 lines
Diff to previous 1.13 (colored)

rename ioctlbuffer to pfioc.

Revision 1.13 / (download) - annotate - [select for diffs], Sun Jun 24 23:29:14 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.12: +18 -18 lines
Diff to previous 1.12 (colored)

u_long/u_short and memcpy/memset changes

Revision 1.12 / (download) - annotate - [select for diffs], Sun Jun 24 23:26:14 2001 UTC (22 years, 11 months ago) by art
Branch: MAIN
Changes since 1.11: +6 -6 lines
Diff to previous 1.11 (colored)

fix error returns from open and close

Revision 1.11 / (download) - annotate - [select for diffs], Sun Jun 24 23:10:23 2001 UTC (22 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.10: +50 -47 lines
Diff to previous 1.10 (colored)

more attempts at cleanup

Revision 1.10 / (download) - annotate - [select for diffs], Sun Jun 24 22:42:18 2001 UTC (22 years, 11 months ago) by art
Branch: MAIN
Changes since 1.9: +56 -28 lines
Diff to previous 1.9 (colored)

Use pool for state, tree, nat, rdr, etc.
Remove some unnecessary printfs.

Revision 1.9 / (download) - annotate - [select for diffs], Sun Jun 24 22:12:05 2001 UTC (22 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.8: +73 -81 lines
Diff to previous 1.8 (colored)

more cleaning

Revision 1.8 / (download) - annotate - [select for diffs], Sun Jun 24 21:50:29 2001 UTC (22 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.7: +39 -22 lines
Diff to previous 1.7 (colored)

pack structures better; dhartmei ok

Revision 1.7 / (download) - annotate - [select for diffs], Sun Jun 24 21:29:29 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.6: +2 -2 lines
Diff to previous 1.6 (colored)

REGENTS? ;)

Revision 1.6 / (download) - annotate - [select for diffs], Sun Jun 24 21:16:02 2001 UTC (22 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.5: +3 -3 lines
Diff to previous 1.5 (colored)

on pull_hdr(), check short m->m_pkthdr.len.  fix message (it's not the first
fragment, it's too short packet)

Revision 1.5 / (download) - annotate - [select for diffs], Sun Jun 24 21:10:24 2001 UTC (22 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.4: +35 -24 lines
Diff to previous 1.4 (colored)

backout m_copydata portion.  NAT code assumes that they can touch the mbuf
directly.  use m_pulldown instead.

Revision 1.4 / (download) - annotate - [select for diffs], Sun Jun 24 20:54:55 2001 UTC (22 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.3: +18 -16 lines
Diff to previous 1.3 (colored)

pull_hdr() now takes header offset explicitly, to help header chain parsing
(v6, ipsec)

Revision 1.3 / (download) - annotate - [select for diffs], Sun Jun 24 20:49:40 2001 UTC (22 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.2: +4 -2 lines
Diff to previous 1.2 (colored)

drop if packet is too short

Revision 1.2 / (download) - annotate - [select for diffs], Sun Jun 24 20:47:37 2001 UTC (22 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.1: +25 -22 lines
Diff to previous 1.1 (colored)

check M_PKTHDR (DIAGNOSTIC)
avoid m_pullup for headers other than IPv4 header itself (will be critical
for IPv6 and chained headers like headers after AH).  deraadt ok

Revision 1.1 / (download) - annotate - [select for diffs], Sun Jun 24 19:48:58 2001 UTC (22 years, 11 months ago) by kjell
Branch: MAIN

Initial import of pf, an all-new ipf-compatible packet filter.
Insane amounts of work done by dhartmei. Great work!
