Revision 1.74, Wed May 10 22:42:51 2023 UTC (13 months ago) by sashan
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, OPENBSD_7_4_BASE, OPENBSD_7_4, HEAD
Changes since 1.73: +13 -1 lines
nat-to may fail to insert a state due to a conflict on the chosen source port number. This is typically indicated by a 'wire key attach failed on...' message when pf(4) debugging is enabled. The problem is caused by a glitch in pf_get_sport() which fails to discover the conflict in advance. In order to fix it we must also calculate the toeplitz hash in pf_get_sport() to initialize the lookup key properly. The bug has been kindly reported by joosepm _von_ gmail _dot_ com. OK dlg@
Revision 1.73, Wed Jan 4 10:31:55 2023 UTC (17 months ago) by dlg
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3
Changes since 1.72: +3 -5 lines
move the pf_state_tree_id type from pfvar.h to pfvar_priv.h. the pf_state_tree_id type is private to the kernel. while here, move it from being an RB tree to an RBT tree. this saves about 12k in pf.o on amd64. ok sashan@
Revision 1.72, Wed Aug 31 11:29:12 2022 UTC (21 months, 1 week ago) by benno
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE, OPENBSD_7_2
Changes since 1.71: +10 -5 lines
make kernel build without INET6 again ok sashan@
Revision 1.71, Wed Aug 3 08:16:04 2022 UTC (22 months, 1 week ago) by sashan
Branch: MAIN
Changes since 1.70: +33 -12 lines
Bug was reported by Chris Cappuccio. It has turned out my earlier change to pf_lb.c was not complete. We must add a test to determine the number of addresses defined by a pool, so we don't treat the pool definition 172.16.0.0/16 as a single IP address in the pool. If the pool is defined as 172.16.0.0/16, then we don't want to fall back to PF_POOL_NONE. Missing this measure in pf_map_addr() may cause pf_get_sport() to enter an infinite loop when source port translation becomes depleted for the first address found in the pool (like 172.16.0.1), because the bug prevents pf_map_addr() from moving to the next address in the pool (like 172.16.0.2). While investigating the issue I've also noticed an oddity for small random pools such as 192.168.1.32/28. One would expect the addresses for nat will be randomly picked from the range .32 - .47 in this case. However the random selection yields significantly more (like 20%) addresses ending in .32. In order to fix it we make the random pool use arc4random_uniform(~mask + 1) instead of the current arc4random(). feedback by claudio@ tested by hrvoje@
Revision 1.70, Wed Feb 16 08:46:11 2022 UTC (2 years, 3 months ago) by sashan
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.69: +8 -1 lines
nat-to round-robin without a pool should fall back to POOL_NONE. bug reported by giovanni@ OK giovanni@
Revision 1.69, Thu Dec 16 02:01:59 2021 UTC (2 years, 5 months ago) by sashan
Branch: MAIN
Changes since 1.68: +6 -5 lines
fix zero division found by syzkaller. The sanity checks in pf(4) ioctls are not powerful enough to detect invalid port ranges (or even invalid rules). syzkaller does not use pfctl(8), it uses ioctl(2) to pass some random chunk of memory as a rule to pf(4). The fix adds an explicit check for a 0 divider to pf_get_transaddr(). It should make syzkaller happy without disturbing anyone else. OK gnezdo@ Reported-by: syzbot+d1f00da48fa717e171f3@syzkaller.appspotmail.com
Revision 1.68, Sat Dec 12 22:59:21 2020 UTC (3 years, 5 months ago) by jan
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0, OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.67: +4 -6 lines
Correct wrong type of variable and remove useless casts. OK bluhm@
Revision 1.67, Wed Jul 29 02:32:13 2020 UTC (3 years, 10 months ago) by yasuoka
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8
Changes since 1.66: +8 -8 lines
Fix the previous commit, which referred to the wrong address and returned the wrong value. ok sashan
Revision 1.66, Tue Jul 28 16:47:41 2020 UTC (3 years, 10 months ago) by yasuoka
Branch: MAIN
Changes since 1.65: +21 -21 lines
Always use the table on root if the current table is not active. ok sashan
Revision 1.65, Fri Jul 24 14:06:33 2020 UTC (3 years, 10 months ago) by yasuoka
Branch: MAIN
Changes since 1.64: +48 -24 lines
Increase state counter for least-states when the address is selected by sticky-address. Also fix the problem that the interface which is specified by the selected table entry is not used properly. ok jung sashan
Revision 1.64, Tue Jul 2 09:04:53 2019 UTC (4 years, 11 months ago) by yasuoka
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE, OPENBSD_6_7, OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.63: +7 -2 lines
When source address tracking record is used for "route-to", the next hop interface configured with "route-to" was not used. Keep the interface within the pf_src_node and use it when the record is used. OK sashan
Revision 1.63, Mon Dec 10 16:48:15 2018 UTC (5 years, 6 months ago) by kn
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5
Changes since 1.62: +31 -31 lines
Remove useless macros. These are just unhelpful case conversions. OK sashan henning
Revision 1.62, Tue Feb 6 09:16:11 2018 UTC (6 years, 4 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_6_4_BASE, OPENBSD_6_4, OPENBSD_6_3_BASE, OPENBSD_6_3
Changes since 1.61: +5 -3 lines
some finger muscle workout: bzero -> memset and (very few) bcopy -> memcpy/memmove
Revision 1.61, Wed Jul 12 14:07:55 2017 UTC (6 years, 11 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.60: +5 -4 lines
Use a 32 bit variable to detect integer overflow when searching for an unused nat port. Prevents a possible endless loop if high port is 65535 or low port is 0. report and analysis Jingmin Zhou; OK sashan@ visa@
Revision 1.60, Sun Apr 23 11:37:11 2017 UTC (7 years, 1 month ago) by sthen
Branch: MAIN
Changes since 1.59: +9 -9 lines
Some of the LOG_NOTICE messages from PF were seen in normal operations with certain rulesets and excessively noisy; move them to LOG_INFO (which was previously unused). ok benno@
Revision 1.59, Wed Feb 8 01:20:40 2017 UTC (7 years, 4 months ago) by jsg
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.58: +2 -2 lines
Remove an unneeded NULL test which was after a deref. ok mpi@ henning@ sashan@
Revision 1.58, Wed Oct 26 21:07:22 2016 UTC (7 years, 7 months ago) by bluhm
Branch: MAIN
Changes since 1.57: +11 -10 lines
Put union pf_headers and struct pf_pdesc into separate header file pfvar_priv.h. The pf_headers had to be defined in multiple .c files before. In pfvar.h it would have unknown storage size, this file is included in too many places. The idea is to have a private pf header that is only included in the pf part of the kernel. For now it contains pf_pdesc and pf_headers, it may be extended later. discussion, input and OK henning@ procter@ sashan@
Revision 1.57, Tue Sep 27 04:57:17 2016 UTC (7 years, 8 months ago) by dlg
Branch: MAIN
Changes since 1.56: +3 -3 lines
roll back turning RB into RBT until i get better at this process.
Revision 1.56, Tue Sep 27 02:51:12 2016 UTC (7 years, 8 months ago) by dlg
Branch: MAIN
Changes since 1.55: +3 -3 lines
move pf from the RB macros to the RBT functions.
Revision 1.55, Tue Jul 19 12:51:19 2016 UTC (7 years, 10 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE, OPENBSD_6_0
Changes since 1.54: +0 -5 lines
remove wrong and misleading comment, ok phessler
Revision 1.54, Fri Jun 24 13:55:57 2016 UTC (7 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.53: +17 -14 lines
The function pf_get_sport() did work for out rules only. Make it aware of the direction of the packet. Now nat-to can be used by in rules and together with divert-to. Collisions with existing states are found and produce a "NAT proxy port allocation failed" message. OK henning@ mikeb@
Revision 1.53, Wed Jun 15 11:36:06 2016 UTC (7 years, 11 months ago) by mikeb
Branch: MAIN
Changes since 1.52: +6 -10 lines
There's no need to convert values returned by arc4random to the network byte order. Spotted by Gleb Smirnoff (glebius@FreeBSD.org), thanks! ok tedu
Revision 1.52, Tue Nov 24 13:37:16 2015 UTC (8 years, 6 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.51: +1 -2 lines
No need for <net/if_types.h>. As a bonus this removes a "#if NCARP > 0", say yeah!
Revision 1.51, Thu Oct 15 19:48:44 2015 UTC (8 years, 7 months ago) by bluhm
Branch: MAIN
Changes since 1.50: +6 -3 lines
When using a pf rule with both nat-to and rdr-to, it could happen that the nated source port was reused as destination port. Do not initialize nport at the beginning of the function, but where it is needed. OK sashan@
Revision 1.50, Tue Oct 13 19:32:31 2015 UTC (8 years, 7 months ago) by sashan
Branch: MAIN
Changes since 1.49: +2 -3 lines
- pf_insert_src_node(): global argument (arg6) is useless, function always gets pointer to rule.
- pf_remove_src_node(): function should always remove matching src node, regardless of the sn->rule.ptr being NULL or a valid rule
- sn->rule.ptr is never NULL, spotted by mpi and Richard Procter _von_ gmail.com
OK mpi@, OK mikeb@
Revision 1.49, Mon Aug 3 13:33:12 2015 UTC (8 years, 10 months ago) by jsg
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8
Changes since 1.48: +2 -2 lines
A recently added sanity check panic in pf_postprocess_addr() was triggered for a reply-to rule. It turns out this case has been using uninitialised memory as if it were a valid pf pool. As the rest of the function assumes a valid pool for now just return. Problem reported by RD Thrush. ok jung@ mikeb@
Revision 1.48, Mon Jul 20 18:42:08 2015 UTC (8 years, 10 months ago) by jsg
Branch: MAIN
Changes since 1.47: +3 -1 lines
Add some panics to default paths where code later assumes a non default path was taken. This both prevents warnings from clang and acts as a sanity check. ok mcbride@ henning@
Revision 1.47, Sat Jul 18 19:19:00 2015 UTC (8 years, 10 months ago) by sashan
Branch: MAIN
Changes since 1.46: +7 -1 lines
msg.mpi
Revision 1.46, Sat Jul 18 15:19:44 2015 UTC (8 years, 10 months ago) by sashan
Branch: MAIN
Changes since 1.45: +8 -2 lines
INET/INET6 address family check should be unified in PF. It also adds af_unhandled(), where it is currently missing. ok mcbride@
Revision 1.45, Fri Jul 17 18:39:55 2015 UTC (8 years, 10 months ago) by jsg
Branch: MAIN
Changes since 1.44: +15 -15 lines
fix the indentation of a block of code, no binary change ok mikeb@ some time ago
Revision 1.44, Thu Jul 16 16:12:15 2015 UTC (8 years, 10 months ago) by mpi
Branch: MAIN
Changes since 1.43: +9 -9 lines
Expand ancient NTOHL/NTOHS/HTONS/HTONL macros. ok guenther@, henning@
Revision 1.43, Wed Jun 3 11:57:37 2015 UTC (9 years ago) by yasuoka
Branch: MAIN
Changes since 1.42: +17 -5 lines
Fix pf_map_addr() not to cause dividing by 0. This fixes a problem when using table or dynamic interface addresses for source-hash. Also avoid calling arc4random_uniform() with upper_bound == 0. ok mikeb
Revision 1.42, Sat Mar 14 03:38:51 2015 UTC (9 years, 3 months ago) by jsg
Branch: MAIN
Changes since 1.41: +1 -2 lines
Remove some includes that include-what-you-use claims don't have any direct symbols used. Tested for indirect use by compiling amd64/i386/sparc64 kernels. ok tedu@ deraadt@
Revision 1.41, Tue Jan 6 01:49:45 2015 UTC (9 years, 5 months ago) by jsg
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.40: +2 -2 lines
init a potentially uninitialised var in pf_postprocess_addr ok mikeb@ henning@
Revision 1.40, Fri Dec 19 17:14:40 2014 UTC (9 years, 5 months ago) by tedu
Branch: MAIN
Changes since 1.39: +1 -7 lines
unifdef INET in net code as a precursor to removing the pretend option. long live the one true internet. ok henning mikeb
Revision 1.39, Fri Dec 19 13:04:08 2014 UTC (9 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.38: +49 -18 lines
Support source-hash and random with tables and dynifs, not just pools. This finally allows using source-hash for dynamic loadbalancing, e.g. "rdr-to <hosts> source-hash", instead of just round-robin and least-states. An older pre-siphash version of this diff was tested by many people. OK tedu@ benno@
Revision 1.38, Fri Dec 19 12:31:03 2014 UTC (9 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.37: +1 -4 lines
Comment is no longer true, remove it.
Revision 1.37, Thu Dec 18 19:02:56 2014 UTC (9 years, 5 months ago) by tedu
Branch: MAIN
Changes since 1.36: +20 -38 lines
use siphash for pf_lb. for ipv6, we stretch it out a bit, but good enough. ok reyk
Revision 1.36, Tue Nov 18 02:37:31 2014 UTC (9 years, 6 months ago) by tedu
Branch: MAIN
Changes since 1.35: +1 -2 lines
move arc4random prototype to systm.h. more appropriate for most code to include that than rdnvar.h. ok deraadt dlg
Revision 1.35, Mon Nov 10 18:49:42 2014 UTC (9 years, 7 months ago) by bluhm
Branch: MAIN
Changes since 1.34: +14 -5 lines
Split the logic for the ICMP and ICMP6 case in pf_get_sport(). The types ICMP_ECHO and ICMP6_ECHO_REQUEST have their special meaning only if the protocol matches. Put an #ifdef INET6 around ICMP6_ECHO_REQUEST to make the kernel without IPv6 compile. OK henning@
Revision 1.34, Mon Sep 8 06:24:13 2014 UTC (9 years, 9 months ago) by jsg
Branch: MAIN
Changes since 1.33: +1 -5 lines
remove unneeded route.h includes ok miod@ mpi@
Revision 1.33, Thu Aug 14 07:55:17 2014 UTC (9 years, 9 months ago) by blambert
Branch: MAIN
Changes since 1.32: +8 -10 lines
fix logging strings (correct function name via __func__ + a typo) ok florian@ henning@
Revision 1.32, Tue Jul 22 11:06:10 2014 UTC (9 years, 10 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6
Changes since 1.31: +1 -2 lines
Fewer <netinet/in_systm.h> !
Revision 1.31, Wed Jul 2 13:06:00 2014 UTC (9 years, 11 months ago) by mikeb
Branch: MAIN
Changes since 1.30: +69 -68 lines
better indentation; no functional change
Revision 1.30, Wed Oct 30 11:21:26 2013 UTC (10 years, 7 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE, OPENBSD_5_5
Changes since 1.29: +2 -2 lines
translate icmpv6 echo id's the same way we do for icmpv4; ok henning
Revision 1.29, Wed Oct 30 11:18:32 2013 UTC (10 years, 7 months ago) by mikeb
Branch: MAIN
Changes since 1.28: +5 -1 lines
add a comment describing why we call pf_map_addr again if the port selection process fails; ok henning
Revision 1.28, Thu Oct 24 11:31:43 2013 UTC (10 years, 7 months ago) by mpi
Branch: MAIN
Changes since 1.27: +1 -3 lines
Reduce the number of in6_var.h inclusions by moving some functions and global variables to in6.h. ok deraadt@
Revision 1.27, Wed Oct 23 15:12:42 2013 UTC (10 years, 7 months ago) by mpi
Branch: MAIN
Changes since 1.26: +1 -2 lines
Reduce the number of in_var.h inclusions by moving some functions and global variables to in.h. ok mikeb@, deraadt@
Revision 1.26, Thu Oct 17 16:27:42 2013 UTC (10 years, 7 months ago) by bluhm
Branch: MAIN
Changes since 1.25: +2 -1 lines
The header file netinet/in_var.h included netinet6/in6_var.h. This created a bunch of useless dependencies. Remove this implicit inclusion and do an explicit #include <netinet6/in6_var.h> when it is needed. OK mpi@ henning@
Revision 1.25, Thu Mar 28 16:45:16 2013 UTC (11 years, 2 months ago) by tedu
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4
Changes since 1.24: +1 -2 lines
no need for a lot of code to include proc.h
Revision 1.24, Sat Dec 29 14:59:52 2012 UTC (11 years, 5 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.23: +78 -23 lines
make sure the entry from tree_src_tracking is still in the pool; fixes nat with sticky address and ip address change on pppoe(4) for example; ok henning@, zinke@; mikeb@
Revision 1.23, Sat Dec 29 14:54:45 2012 UTC (11 years, 5 months ago) by markus
Branch: MAIN
Changes since 1.22: +16 -5 lines
reset the counter in case its current value has been removed from the pool (e.g. ifconfig em0 1.2.3.4 -alias) ok henning@, mikeb@
Revision 1.22, Sat Dec 29 14:53:05 2012 UTC (11 years, 5 months ago) by markus
Branch: MAIN
Changes since 1.21: +14 -64 lines
pass pf_pool directly to pfr_pool_get(); simplifies the API; ok henning@, zinke@, mikeb@
Revision 1.21, Mon Jul 9 15:20:57 2012 UTC (11 years, 11 months ago) by zinke
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE, OPENBSD_5_2
Changes since 1.20: +28 -6 lines
Enable support for the 'weight' keyword in the 'least-states' load balancing case, this allows Weighted Least States (WLS). Everything prepared on c2k11 with help from mcbride@. This finally makes PF ready for the cloud. ok henning@ mikeb@ pyr@
Revision 1.20, Fri Feb 3 01:57:51 2012 UTC (12 years, 4 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_5_1_BASE, OPENBSD_5_1
Changes since 1.19: +5 -1 lines
The kernel did not compile without INET6. Put some #ifdefs into pf to fix that.
- add #ifdef INET6 in obvious places
- af translation is only possible with both INET and INET6
- interleave #endif /* INET6 */ and closing brace correctly
- it is not necessary to #ifdef function prototypes
- do not compile af translate functions at all instead of empty stub, then the linker will report inconsistencies
- pf_poolmask() actually takes an sa_family_t not an u_int8_t argument
No binary change for GENERIC compiled with -O2 and -UDIAGNOSTIC. reported by Olivier Cochard-Labbe; ok mikeb@ henning@
Revision 1.19, Thu Oct 13 18:23:40 2011 UTC (12 years, 8 months ago) by claudio
Branch: MAIN
Changes since 1.18: +139 -5 lines
Since the IPv6 madness is not enough, introduce NAT64 -- which is actually "af-to", a generic IP version translator for pf(4). Not everything is perfect yet but let's fix these things in the tree. Insane amount of work done by sperreault@, mikeb@ and reyk@. Looked over by mcbride@ henning@ and myself at eurobsdcon. OK mcbride@ and general put it in from deraadt@
Revision 1.18, Sun Sep 18 11:17:57 2011 UTC (12 years, 8 months ago) by miod
Branch: MAIN
Changes since 1.17: +2 -2 lines
Fix various format string types to as a minimum match the width of the variables being processed. ok bluhm@ henning@
Revision 1.17, Fri Jul 29 10:48:35 2011 UTC (12 years, 10 months ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_5_0_BASE, OPENBSD_5_0
Changes since 1.16: +17 -7 lines
Make sure we use the right tbl/dyn pointer to check the pfrkt_refcntcost; improved debugging for error cases inside the weighted round-robin loop. original diff from claudio, ok henning
Revision 1.16, Wed Jul 27 00:26:10 2011 UTC (12 years, 10 months ago) by mcbride
Branch: MAIN
Changes since 1.15: +57 -18 lines
Add support for weighted round-robin in load balancing pools and tables. Diff from zinke@ with some minor cleanup. ok henning claudio deraadt
Revision 1.15, Sun Jul 3 23:37:55 2011 UTC (12 years, 11 months ago) by zinke
Branch: MAIN
Changes since 1.14: +190 -10 lines
bring in least-states load balancing algorithm ok mcbride@ henning@
Revision 1.14, Tue May 17 12:44:05 2011 UTC (13 years ago) by mikeb
Branch: MAIN
Changes since 1.13: +12 -3 lines
exclude link local address from the dynamic interface address pool so that rules like "pass out on vr1 inet6 nat-to (vr1)" won't map to the non routable ipv6 link local address; with suggestions and ok claudio, henning
Revision 1.13, Sun Jun 27 01:39:43 2010 UTC (13 years, 11 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_4_9_BASE, OPENBSD_4_9, OPENBSD_4_8_BASE, OPENBSD_4_8
Changes since 1.12: +37 -42 lines
stuff nsaddr/ndaddr/nsport/ndport (addrs/ports after NAT, used a lot while walking the ruleset and up until state is fully set up) into pf_pdesc instead of passing around those 4 separately all the time, also shrinks the argument count for a few functions that have/partially had an insane count of arguments. kinda preparational since we'll need them elsewhere too, soon ok ryan jsing
Revision 1.12, Thu Feb 4 14:10:12 2010 UTC (14 years, 4 months ago) by sthen
Branch: MAIN
CVS Tags: OPENBSD_4_7_BASE, OPENBSD_4_7
Changes since 1.11: +24 -19 lines
pf_get_sport() picks a random port from the port range specified in a nat rule. It should check to see if it's in use (i.e. matches an existing PF state); if it is, it cycles sequentially through other ports until it finds a free one. However the check was being done with the state keys the wrong way round so it was never actually finding the state to be in use.
- switch the keys to correct this, avoiding random state collisions with nat. Fixes PR 6300 and problems reported by robert@ and viq.
- check pf_get_sport() return code in pf_test(); if port allocation fails the packet should be dropped rather than sent out untranslated.
Help/ok claudio@.
Revision 1.11, Mon Jan 18 23:52:46 2010 UTC (14 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.10: +13 -15 lines
Convert pf debug logging to using log()/addlog(), a single standardised definition of DPFPRINTF(), and log priorities from syslog.h. Old debug levels will still work for now, but will eventually be phased out. discussed with henning, ok dlg
Revision 1.10, Tue Jan 12 03:20:51 2010 UTC (14 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.9: +27 -58 lines
First pass at removing the 'pf_pool' mechanism for translation and routing actions. Allow interfaces to be specified in special table entries for the routing actions. Lists of addresses can now only be done using tables, which pfctl will generate automatically from the existing syntax. Functionally, this deprecates the use of multiple tables or dynamic interfaces in a single nat or rdr rule. ok henning dlg claudio
Revision 1.9, Mon Dec 14 12:31:45 2009 UTC (14 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.8: +30 -23 lines
fix sticky-address - by pretty much re-implementing it. still following the original approach using a source tracking node. the reimplementation is more flexible than the original one, we now have a slist of source tracking nodes per state. that is cheap because more than one entry will be an absolute exception. ok beck and jsg, also stress tested by Sebastian Benoit <benoit-lists at fb12.de>
Revision 1.8, Tue Nov 3 10:59:04 2009 UTC (14 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.7: +7 -4 lines
rtables are stacked on rdomains (it is possible to have multiple routing tables on top of a rdomain) but until now our code was a crazy mix so that it was impossible to correctly use rtables in that case. Additionally pf(4) only knows about rtables and not about rdomains. This is especially bad when tracking (possibly conflicting) states in various domains. This diff fixes all or most of these issues. It adds a lookup function to get the rdomain id based on a rtable id. Makes pf understand rdomains and allows pf to move packets between rdomains (it is similar to NAT). Because pf states now track the rdomain id as well it is necessary to modify the pfsync wire format. So old and new systems will not sync up. A lot of help by dlg@, tested by sthen@, jsg@ and probably more OK dlg@, mpf@, deraadt@
Revision 1.7, Mon Sep 7 08:27:45 2009 UTC (14 years, 9 months ago) by sthen
Branch: MAIN
Changes since 1.6: +3 -2 lines
Fix static-port, found by jmc@. ok henning@.
Revision 1.6, Tue Sep 1 13:42:00 2009 UTC (14 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.5: +52 -254 lines
the diff theo calls me insane for: rewrite of the NAT code, basically. nat and rdr become actions on regular rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent this in pfctl for now, there are implications that need to be documented better. the address rewrite happens inline, subsequent rules will see the already changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too
Revision 1.5, Wed Jun 24 13:27:34 2009 UTC (14 years, 11 months ago) by sthen
Branch: MAIN
CVS Tags: OPENBSD_4_6_BASE, OPENBSD_4_6
Changes since 1.4: +2 -2 lines
move the "pf_map_addr: selected address" printf up to -xnoisy. ok henning@
Revision 1.4, Thu Mar 5 03:09:37 2009 UTC (15 years, 3 months ago) by mcbride
Branch: MAIN
Changes since 1.3: +7 -4 lines
Stricter state checking for ICMP and ICMPv6 packets: include the ICMP type in one port of the state key, using the type to determine which side should be the id, and which should be the type. Also:
- Handle ICMP6 messages which are typically sent to multicast addresses but receive unicast replies, by doing fallthrough lookups against the correct multicast address.
- Clear up some mistaken assumptions in the PF code:
  - Not all ICMP packets have an icmp_id, so simulate one based on other data if we can, otherwise set it to 0.
  - Don't modify the icmp id field in NAT unless it's echo
  - Use the full range of possible id's when NATing icmp6 echo
ok henning marco testing matthieu todd
Revision 1.3, Wed Feb 18 20:06:23 2009 UTC (15 years, 3 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_4_5_BASE, OPENBSD_4_5
Changes since 1.2: +11 -1 lines
bring back the NAT NOP fix, but this time right. when we want to pretend pf_get_translation didn't do anything we must get rid of _both_ state keys and reset all 4 sk pointers to NULL and not leave one key behind and have all 4 pointers point to it - that must fail. tested dhill sthen, david agrees, deraadt ok
Revision 1.2, Thu Feb 12 02:13:15 2009 UTC (15 years, 4 months ago) by sthen
Branch: MAIN
Changes since 1.1: +1 -10 lines
revert pf.c r1.629 (which moved to this file) which was causing "panic: pool_do_get(pfstatekeypl): free list modified" discussed with many. ok dlg
Revision 1.1, Thu Jan 29 15:12:28 2009 UTC (15 years, 4 months ago) by pyr
Branch: MAIN
Split the address selection from pools away from pf.c and put it in pf_lb.c. This will ease the process of adding more selection types without bloatening pf.c even more. ok and a weird death threat, henning@ raised eyebrow, dlg@