OpenBSD CVS

CVS log for src/sys/net/pf_norm.c


Default branch: MAIN


Revision 1.230, Mon Apr 22 13:30:22 2024 UTC (5 weeks, 6 days ago) by bluhm
Branch: MAIN
CVS Tags: HEAD
Changes since 1.229: +19 -15 lines

Show pf fragment reassembly counters.

Fragment count and statistics are stored in struct pf_status.  From
there pfctl(8) and systat(1) collect and show them.  Note that pfctl
-s info needs the -v switch to show fragments.  As fragment reassembly
has its own mutex, also grab this in pf ipctl(2) and sysctl(2) code.

input claudio@; OK henning@

Revision 1.229, Tue Oct 10 11:25:31 2023 UTC (7 months, 3 weeks ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5
Changes since 1.228: +5 -5 lines

Remove dead code in pf_pull_hdr().

pf_pull_hdr() allows to pass an action pointer parameter as output
value.  This is never used, all callers pass a NULL argument.  Remove
ACTION_SET() entirely.

The logic (fragoff >= len) in pf_pull_hdr() does not work since
revision 1.4.  Before it was used to drop short TCP or UDP fragments
that contained only part of the header.  Current code in pf_pull_hdr()
drops the packets anyway, so always set reason PFRES_FRAG.

OK kn@ sashan@

Revision 1.228, Thu Jul 6 04:55:05 2023 UTC (10 months, 4 weeks ago) by dlg
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4
Changes since 1.227: +14 -2 lines

big update to pfsync to try and clean up locking in particular.

moving pf forward has been a real struggle, and pfsync has been a
constant source of pain. we have been papering over the problems
for a while now, but it reached the point that it needed a fundamental
restructure, which is what this diff is.

the big headliner changes in this diff are:

- pfsync specific locks

this is the whole reason for this diff.

rather than rely on NET_LOCK or KERNEL_LOCK or whatever, pfsync now
has its own locks to protect its internal data structures. this
is important because pfsync runs a bunch of timeouts and tasks to
push pfsync packets out on the wire, or when it's handling requests
generated by incoming pfsync packets, both of which happen outside
pf itself running. having pfsync specific locks around pfsync data
structures makes the mutations of these data structures a lot more
explicit and auditable.

- partitioning

to enable future parallelisation of the network stack, this rewrite
includes support for pfsync to partition states into different "slices".
these slices run independently, i.e., the states collected by one slice
are serialised into a separate packet to the states collected and
serialised by another slice.

states are mapped to pfsync slices based on the pf state hash, which
is the same hash that the rest of the network stack and multiq
hardware uses.

- no more pfsync called from netisr

pfsync used to be called from netisr to try and bundle packets, but now
that there's multiple pfsync slices this doesn't make sense. instead it
uses tasks in softnet tqs.

- improved bulk transfer handling

there's shiny new state machines around both the bulk transmit and
receive handling. pfsync used to do horrible things to carp demotion
counters, but now it is very predictable and returns the counters back
where they started.

- better tdb handling

the tdb handling was pretty hairy, but hrvoje has kicked this around
a lot with ipsec and sasyncd and we've found and fixed a bunch of
issues as a result of that testing.

- mpsafe pf state purges

this was committed previously, but because the locks pfsync relied on
weren't clear this just caused a ton of bugs. as part of this diff it's
now reliable, and moves a big chunk of work out from under KERNEL_LOCK,
which in turn improves the responsiveness and throughput of a firewall
even if you're not using pfsync.

there's a bunch of other little changes along the way, but the above are
the big ones.

hrvoje has done performance testing with this diff and notes a big
improvement when pfsync is not in use. performance when pfsync is
enabled is about the same, but i'm hoping the slices mean we can scale
along with pf as it improves.

lots (months) of testing by me and hrvoje on pfsync boxes
tests and ok sashan@
deraadt@ says this is a good time to put it in

Revision 1.227, Sun May 7 16:23:23 2023 UTC (12 months, 3 weeks ago) by bluhm
Branch: MAIN
Changes since 1.226: +4 -4 lines

In preparation for TSO in software, cleanup the fragment code.  Use
if_output_ml() to send mbuf lists to interfaces.  This can be used
for TSO, fragments, ARP and ND6.  Rename variable fml to ml.  In
pf_route6() split the if else block.  Put the safety check (hlen +
firstlen < tlen) into ip_fragment().  It makes the code correct in
case the packet is too short to be fragmented.  This should not
happen, but other functions also have this logic.
No functional change.  OK sashan@

Revision 1.226, Sun Nov 6 18:05:05 2022 UTC (18 months, 3 weeks ago) by dlg
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3
Changes since 1.225: +12 -4 lines

move pfsync_state_import in if_pfsync.c to pf_state_import in pf.c

this is straightening the deck chairs. the state import and export
code are used by both the pf ioctls and pfsync, but the export code
is in pf.c and the import code is in if_pfsync. if pfsync was
disabled then the ioctl stuff wouldn't link.

moving the import code to pf.c makes it more symmetrical(?) and
robust.

tweaks and ok from kn@ sashan@

Revision 1.225, Mon Oct 10 16:43:12 2022 UTC (19 months, 3 weeks ago) by bket
Branch: MAIN
Changes since 1.224: +22 -5 lines

Recalculate checksum of normalised packet

In 2011, henning@ removed fiddling with the ip checksum of normalised
packets in r1.131 of sys/net/pf_norm.c. Rationale was that the checksum
is always recalculated in all output paths anyway. In 2016, procter@
reintroduced checksum modification to preserve end-to-end checksums in
r1.189 of sys/net/pf_norm.c. Likely somewhere in that timeslot checksum
recalculation of normalised packets was broken.

With input from bluhm@.

OK sashan@, bluhm@

Revision 1.224, Mon Aug 22 20:35:39 2022 UTC (21 months, 1 week ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE, OPENBSD_7_2
Changes since 1.223: +13 -18 lines

Protect pf_reassemble() with pf fragment lock.  When the pool limit
for fragment entries was reached, pf_create_fragment() called
pf_flush_fragments() without lock.  This could result in a crash.
Let PF_FRAG_LOCK() cover the whole pf_reassemble() function as
pf_nfrents++ was also missing the lock.
crash found and fix tested by Hrvoje Popovski;  OK sashan@

Revision 1.223, Wed Mar 10 10:21:48 2021 UTC (3 years, 2 months ago) by jsg
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE, OPENBSD_7_1, OPENBSD_7_0_BASE, OPENBSD_7_0, OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.222: +2 -2 lines

spelling

ok gnezdo@ semarie@ mpi@

Revision 1.222, Mon Mar 1 11:05:42 2021 UTC (3 years, 3 months ago) by bluhm
Branch: MAIN
Changes since 1.221: +15 -28 lines

Refactor ip_fragment() and ip6_fragment().  Use a mbuf list to
simplify the handling of the fragment list.  Now the functions
ip_fragment() and ip6_fragment() always consume the mbuf.  They
free the mbuf and mbuf list in case of an error and take care about
the counter.  Adjust the code a bit to make v4 and v6 look similar.
Fixes a potential mbuf leak when pf_route6() called pf_refragment6()
and it failed.  Now the mbuf is always freed by ip6_fragment().
OK dlg@ mvs@

Revision 1.218.8.1, Wed Feb 24 16:25:34 2021 UTC (3 years, 3 months ago) by bluhm
Branch: OPENBSD_6_7
Changes since 1.218: +26 -1 lines
Next main revision: 1.219

When cutting off the head of an overlapping fragment during pf
reassembly, reinsert the fragment into the lookup table with correct
index.
Reported-by: syzbot+d043455a5346f726f1c4@syzkaller.appspotmail.com
OK claudio@

this is errata/6.7/035_pffrag.patch.sig

Revision 1.219.4.1, Wed Feb 24 16:23:33 2021 UTC (3 years, 3 months ago) by bluhm
Branch: OPENBSD_6_8
Changes since 1.219: +26 -1 lines
Next main revision: 1.220

When cutting off the head of an overlapping fragment during pf
reassembly, reinsert the fragment into the lookup table with correct
index.
Reported-by: syzbot+d043455a5346f726f1c4@syzkaller.appspotmail.com
OK claudio@

this is errata/6.8/014_pffrag.patch.sig

Revision 1.221, Mon Feb 22 13:04:56 2021 UTC (3 years, 3 months ago) by bluhm
Branch: MAIN
Changes since 1.220: +26 -1 lines

When cutting off the head of an overlapping fragment during pf
reassembly, reinsert the fragment into the lookup table with correct
index.
Reported-by: syzbot+d043455a5346f726f1c4@syzkaller.appspotmail.com
OK claudio@

Revision 1.220, Tue Feb 9 14:06:19 2021 UTC (3 years, 3 months ago) by patrick
Branch: MAIN
Changes since 1.219: +1 -7 lines

Activate use of PF_LOCK() by removing the WITH_PF_LOCK ifdefs.

Silence from the network group
ok sashan@

Revision 1.219, Wed Jun 24 22:03:43 2020 UTC (3 years, 11 months ago) by cheloha
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE
Branch point for: OPENBSD_6_8
Changes since 1.218: +4 -4 lines

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t.  However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel.  Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@

Revision 1.216.2.1, Thu Feb 28 20:24:17 2019 UTC (5 years, 3 months ago) by bluhm
Branch: OPENBSD_6_4
Changes since 1.216: +3 -3 lines
Next main revision: 1.217

IPv6 fragments with malformed extension headers could be erroneously
passed by pf or cause a panic in pf.
fix from sashan@; OK bluhm@ claudio@
bug found by Corentin Bayet, Nicolas Collignon, Luca Moro at Synacktiv

OpenBSD 6.4 errata 014

Revision 1.209.2.1, Thu Feb 28 20:23:14 2019 UTC (5 years, 3 months ago) by bluhm
Branch: OPENBSD_6_3
Changes since 1.209: +3 -3 lines
Next main revision: 1.210

IPv6 fragments with malformed extension headers could be erroneously
passed by pf or cause a panic in pf.
fix from sashan@; OK bluhm@ claudio@
bug found by Corentin Bayet, Nicolas Collignon, Luca Moro at Synacktiv

OpenBSD 6.3 errata 030

Revision 1.218, Thu Feb 28 20:20:47 2019 UTC (5 years, 3 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE, OPENBSD_6_6_BASE, OPENBSD_6_6, OPENBSD_6_5_BASE, OPENBSD_6_5
Branch point for: OPENBSD_6_7
Changes since 1.217: +3 -3 lines

IPv6 fragments with malformed extension headers could be erroneously
passed by pf or cause a panic in pf.
fix from sashan@; OK bluhm@ claudio@
bug found by Corentin Bayet, Nicolas Collignon, Luca Moro at Synacktiv

Revision 1.217, Tue Oct 23 09:53:06 2018 UTC (5 years, 7 months ago) by reyk
Branch: MAIN
Changes since 1.216: +3 -1 lines

Make pf compile without DIAGNOSTIC again

OK bluhm@ kn@

Revision 1.216, Mon Sep 10 16:14:07 2018 UTC (5 years, 8 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_6_4_BASE
Branch point for: OPENBSD_6_4
Changes since 1.215: +3 -20 lines

Instead of calculating the mbuf packet header length here and there,
put the algorithm into a new function m_calchdrlen().  Also set an
uninitialized m_len to 0 in NFS code.
OK claudio@

Revision 1.215, Mon Sep 10 12:47:02 2018 UTC (5 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.214: +8 -3 lines

During fragment reassembly, mbuf chains with packet headers were
created.  Add a new function m_removehdr() to convert packet header
mbufs within the chain to regular mbufs.  Assert that the mbuf at
the beginning of the chain has a packet header.
found by Maxime Villard in NetBSD; from markus@; OK claudio@

Revision 1.214, Mon Sep 10 11:37:26 2018 UTC (5 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.213: +34 -13 lines

Limit the fragment entry queue length to 64 per bucket.  So we have
a global limit of 1024 fragments, but it is fine grained to the
region of the packet.  Smaller packets may have less fragments.
This costs another 16 bytes of memory per reassembly and divides
the worst case for searching by 8.
requested by claudio@; OK sashan@ claudio@

Revision 1.213, Sat Sep 8 13:16:58 2018 UTC (5 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.212: +154 -21 lines

Split the pf(4) fragment reassembly queue into smaller parts.
Remember 16 entry points based on the fragment offset.  Instead of
a worst case of 8196 list traversals we now check a maximum of 512
list entries or 16 array elements.
discussed with claudio@ and sashan@; OK sashan@

Revision 1.212, Tue Sep 4 20:34:10 2018 UTC (5 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.211: +2 -2 lines

Forgot to rename pf_frent_holes() prototype in previous commit.

Revision 1.211, Tue Sep 4 19:09:39 2018 UTC (5 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.210: +47 -41 lines

Avoid traversing the list of fragment entries to check whether the
pf(4) reassembly is complete.  Instead count the holes that are
created when inserting a fragment.  If there are no holes left, the
fragments are continuous.
idea from claudio@; OK claudio@ sashan@
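The hole-counting completeness check this commit describes, written out as an added example in C (not OpenBSD's pf code): a small fragment queue kept sorted by offset that adjusts the hole count on every insertion, so "reassembly complete" is just holes == 0. The struct names, the 64-entry limit and the arrival sequences are constructed for the example, and overlapping fragments are rejected outright, a simplification of pf's overlap handling.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_FRENTS 64   /* per-queue entry limit, chosen to match 1.214 */

struct frent {
    uint32_t off;   /* payload offset within the reassembled packet */
    uint32_t len;   /* payload length of this fragment */
    bool mff;       /* more-fragments flag */
};

struct fragment {
    struct frent ents[MAX_FRENTS];  /* kept sorted by off */
    size_t nents;
    int holes;      /* gaps still to fill; 0 means the packet is complete */
};

void frag_init(struct fragment *fr)
{
    memset(fr, 0, sizeof(*fr));
    fr->holes = 1;  /* an empty queue is one hole from offset 0 to the end */
}

/* Hole count change from the entry just placed at index i: +1 for splitting
 * the hole it lands in, -1 if it is flush with the packet start or its left
 * neighbour, -1 if flush with its right neighbour or the packet end. */
static int frent_holes(const struct fragment *fr, size_t i)
{
    const struct frent *e = &fr->ents[i];
    int holes = 1;
    if (i == 0 ? e->off == 0 :
        fr->ents[i - 1].off + fr->ents[i - 1].len == e->off)
        holes--;
    if (i + 1 == fr->nents ? !e->mff :
        e->off + e->len == fr->ents[i + 1].off)
        holes--;
    return holes;
}

/* Queue one fragment and update the hole count incrementally, so completeness
 * is decided without walking the list.  Returns -1 for an empty fragment, one
 * overlapping or following a queued "last" fragment, a "last" fragment with
 * data queued after it, or a full queue.  Rejecting overlap outright is a
 * simplification of what pf does. */
int frag_insert(struct fragment *fr, uint32_t off, uint32_t len, bool mff)
{
    size_t i;
    if (len == 0 || off + len < off || fr->nents == MAX_FRENTS)
        return -1;
    for (i = 0; i < fr->nents && fr->ents[i].off < off; i++)
        ;
    if (i > 0 && (fr->ents[i - 1].off + fr->ents[i - 1].len > off ||
        !fr->ents[i - 1].mff))
        return -1;
    if (i < fr->nents && (off + len > fr->ents[i].off || !mff))
        return -1;
    memmove(&fr->ents[i + 1], &fr->ents[i],
        (fr->nents - i) * sizeof(fr->ents[0]));
    fr->ents[i] = (struct frent){ .off = off, .len = len, .mff = mff };
    fr->nents++;
    fr->holes += frent_holes(fr, i);
    return 0;
}

/* Replay a constructed arrival order; returns the remaining hole count
 * (0 = complete), or -1 if any fragment was rejected. */
static int replay(const struct frent *seq, size_t n)
{
    struct fragment fr;
    size_t i;
    frag_init(&fr);
    for (i = 0; i < n; i++)
        if (frag_insert(&fr, seq[i].off, seq[i].len, seq[i].mff) != 0)
            return -1;
    return fr.holes;
}

/* Constructed scenarios (offsets in bytes), not captured traffic. */
int scenario_out_of_order(void)  /* last fragment first; still completes */
{
    const struct frent seq[] = { {16, 8, false}, {0, 8, true}, {8, 8, true} };
    return replay(seq, 3);
}

int scenario_gap(void)           /* 8-16 never arrives: one hole remains */
{
    const struct frent seq[] = { {0, 8, true}, {16, 8, false} };
    return replay(seq, 2);
}

int scenario_overlap(void)       /* 4-12 overlaps 0-8: rejected */
{
    const struct frent seq[] = { {0, 8, true}, {4, 8, true} };
    return replay(seq, 2);
}
```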

Revision 1.210, Mon Jun 18 11:00:31 2018 UTC (5 years, 11 months ago) by procter
Branch: MAIN
Changes since 1.209: +101 -152 lines

Refactor the six ways to find TCP options into one new function. As a result:
  - MSS and WSCALE option candidates must now meet their min type length.
  - 'max-mss' is now more tolerant of malformed option lists.
These changes were immaterial to the live traffic I've examined.
OK sashan@ mpi@

Revision 1.209, Tue Feb 6 09:16:11 2018 UTC (6 years, 3 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE
Branch point for: OPENBSD_6_3
Changes since 1.208: +1 -1 lines

some finger muscle workout:
bzero -> memset and (very few) bcopy -> memcpy/memmove

Revision 1.208, Mon Jun 26 18:33:24 2017 UTC (6 years, 11 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.207: +24 -1 lines

Fragments for a single connection (a combination of proto,src,dst,af)
may easily reuse the fragment id as it is only 16 bit for IPv4.  To
avoid that pf reassembles them into the wrong packet, throw away
stale fragments.  With the default timeout this happens after 12,000
newer fragments have been seen.
from markus@; OK sashan@

Revision 1.207, Sat Jun 24 20:32:39 2017 UTC (6 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.206: +111 -61 lines

To avoid packet loss due to reuse of the 16 bit IPv4 fragment id,
we need suitable data structures.  Organize the pf fragments with
two red-black trees.  One is holding the address and protocol
information and the other has only the fragment id.  This will allow
to drop fragments for specific connections more aggressively.
from markus@; OK sashan@

Revision 1.206, Mon Jun 19 17:58:49 2017 UTC (6 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.205: +2 -3 lines

When dealing with mbuf pointers passed down as function parameters,
bugs could easily result in use-after-free or double free.  Introduce
m_freemp() which automatically resets the pointer before freeing
it.  So we have less dangling pointers in the kernel.
OK krw@ mpi@ claudio@

Revision 1.205, Mon Jun 5 22:18:28 2017 UTC (6 years, 11 months ago) by sashan
Branch: MAIN
Changes since 1.204: +39 -6 lines

- let's add PF_LOCK()
  to enable PF_LOCK(), you must add 'option WITH_PF_LOCK' to your kernel
  configuration. The code does not do much currently; it's just the very
  small step towards MP.

O.K. henning@, mikeb@, mpi@

Revision 1.204, Mon May 15 12:26:00 2017 UTC (7 years ago) by mpi
Branch: MAIN
Changes since 1.203: +3 -1 lines

Enable the NET_LOCK(), take 3.

Recursions are still marked as XXXSMP.

ok deraadt@, bluhm@

Revision 1.203, Sun Apr 23 11:37:11 2017 UTC (7 years, 1 month ago) by sthen
Branch: MAIN
Changes since 1.202: +5 -5 lines

Some of the LOG_NOTICE messages from PF were seen in normal operations
with certain rulesets and excessively noisy; move them to LOG_INFO (which was
previously unused).  ok benno@

Revision 1.202, Fri Mar 17 17:19:16 2017 UTC (7 years, 2 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.201: +1 -3 lines

Revert the NET_LOCK() and bring back pf's contention lock for release.

For the moment the NET_LOCK() is always taken by threads running under
KERNEL_LOCK().  That means it doesn't buy us anything except a possible
deadlock that we did not spot.  So make sure this doesn't happen, we'll
have plenty of time in the next release cycle to stress test it.

ok visa@

Revision 1.201, Mon Jan 30 17:41:34 2017 UTC (7 years, 4 months ago) by benno
Branch: MAIN
Changes since 1.200: +3 -1 lines

removes the pf_consistency_lock and protects the users with
NET_LOCK().  pfioctl() will need the NET_LOCK() anyway. So better keep
things simple until we're going to redesign PF for a MP world.
fixes the crash reported by Kaya Saman.
ok mpi@, bluhm@

Revision 1.200, Thu Dec 29 13:01:48 2016 UTC (7 years, 5 months ago) by bluhm
Branch: MAIN
Changes since 1.199: +2 -13 lines

In pf_refragment6() use the valid route from pf_route6() instead
of calling rtalloc() again.
OK mpi@

Revision 1.199, Thu Dec 29 00:26:48 2016 UTC (7 years, 5 months ago) by bluhm
Branch: MAIN
Changes since 1.198: +4 -4 lines

Use __func__ instead of explicit function name in panic messages.

Revision 1.198, Wed Dec 28 23:58:20 2016 UTC (7 years, 5 months ago) by bluhm
Branch: MAIN
Changes since 1.197: +10 -10 lines

Fix white spaces.  No binary change.

Revision 1.197, Tue Nov 22 19:29:54 2016 UTC (7 years, 6 months ago) by procter
Branch: MAIN
Changes since 1.196: +5 -5 lines

Fold union pf_headers buffer into struct pf_pdesc (enabled by pfvar_priv.h).
Prevent pf_socket_lookup() reading uninitialised header buffers on fragments.
OK bluhm@ sashan@

Revision 1.196, Mon Nov 21 17:52:20 2016 UTC (7 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.195: +7 -4 lines

Follow RFC 5722 more strictly when handling overlapping fragments
in pf.  Drop the whole fragment state if IPv6 fragments appear which
have invalid length or fragment-offset or more-fragment-bit.  In
IPv4 they are considered invalid and just dropped like before.
Found by Antonios Atlasis; OK sashan@ sthen@

Revision 1.195, Wed Oct 26 21:07:22 2016 UTC (7 years, 7 months ago) by bluhm
Branch: MAIN
Changes since 1.194: +9 -8 lines

Put union pf_headers and struct pf_pdesc into separate header file
pfvar_priv.h.  The pf_headers had to be defined in multiple .c files
before.  In pfvar.h it would have unknown storage size, this file
is included in too many places.  The idea is to have a private pf
header that is only included in the pf part of the kernel.  For now
it contains pf_pdesc and pf_headers, it may be extended later.
discussion, input and OK henning@ procter@ sashan@

Revision 1.194, Tue Sep 27 04:57:17 2016 UTC (7 years, 8 months ago) by dlg
Branch: MAIN
Changes since 1.193: +12 -12 lines

roll back turning RB into RBT until i get better at this process.

Revision 1.193, Tue Sep 27 02:51:12 2016 UTC (7 years, 8 months ago) by dlg
Branch: MAIN
Changes since 1.192: +12 -12 lines

move pf from the RB macros to the RBT functions.

Revision 1.192, Thu Sep 15 02:00:18 2016 UTC (7 years, 8 months ago) by dlg
Branch: MAIN
Changes since 1.191: +7 -10 lines

all pools have their ipl set via pool_setipl, so fold it into pool_init.

the ioff argument to pool_init() is unused and has been for many
years, so this replaces it with an ipl argument. because the ipl
will be set on init we no longer need pool_setipl.

most of these changes have been done with coccinelle using the spatch
below. cocci sucks at formatting code though, so i fixed that by hand.

the manpage and subr_pool.c bits i did myself.

ok tedu@ jmatthew@

@ipl@
expression pp;
expression ipl;
expression s, a, o, f, m, p;
@@
-pool_init(pp, s, a, o, f, m, p);
-pool_setipl(pp, ipl);
+pool_init(pp, s, a, ipl, f, m, p);
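Review bot: the rule only fires where a pool_init() is paired with a pool_setipl() on the same pool, so a pool_init() caller that never called pool_setipl() is not rewritten and is left passing its old ioff value in the slot that now means ipl; those call sites need the hand edit the message mentions, and it would help to say which ones they were.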

Revision 1.191, Fri Sep 2 10:19:49 2016 UTC (7 years, 9 months ago) by dlg
Branch: MAIN
Changes since 1.190: +4 -1 lines

pool_setipl for pf bits

ok phessler@ henning@

Revision 1.190, Wed Aug 24 09:41:12 2016 UTC (7 years, 9 months ago) by mpi
Branch: MAIN
Changes since 1.189: +2 -2 lines

Kill ip6_forward_rt reducing differences between v4 and v6.

A single forwarding cache is not the answer.  The answer is 42... err PF!

ok bluhm@

Revision 1.189, Wed Aug 17 03:24:12 2016 UTC (7 years, 9 months ago) by procter
Branch: MAIN
Changes since 1.188: +37 -34 lines

Reintroduce 5.3-style checksum modification to preserve end-to-end checksums
when fiddling with packets but without the mess that motivated Henning to
remove it. Affects only this one aspect of Henning's checksum work. Also tweak
the basic algorithm and supply a correctness argument.

OK dlg@ deraadt@ sthen@; no objection henning@

Revision 1.188, Wed Jun 15 11:49:34 2016 UTC (7 years, 11 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE, OPENBSD_6_0
Changes since 1.187: +2 -2 lines

Kill nd6_output(), it doesn't do anything since the resolution logic
has been moved to nd6_resolve().

ok visa@, millert@, florian@, sthen@

Revision 1.187, Wed Jun 15 11:36:06 2016 UTC (7 years, 11 months ago) by mikeb
Branch: MAIN
Changes since 1.186: +2 -3 lines

There's no need to convert values returned by arc4random to the network
byte order.  Spotted by Gleb Smirnoff (glebius@FreeBSD.org), thanks!

ok tedu

Revision 1.186, Tue May 31 07:35:36 2016 UTC (8 years ago) by mpi
Branch: MAIN
Changes since 1.185: +14 -2 lines

Do not call nd6_output() without route entry argument.

ok sthen@, bluhm@

Revision 1.185, Sat May 28 12:04:33 2016 UTC (8 years ago) by sthen
Branch: MAIN
Changes since 1.184: +1 -13 lines

Backout pf.c r1.972, pf_norm.c r1.184, ok claudio

pf_test calls pf_refragment6 with dst=NULL, which is passed down to
rtable_match which attempts to dereference it.

Revision 1.184, Tue May 24 05:02:34 2016 UTC (8 years ago) by mpi
Branch: MAIN
Changes since 1.183: +14 -2 lines

Do not call nd6_output() without route entry argument.

ok bluhm@

Revision 1.183, Tue Nov 24 13:37:16 2015 UTC (8 years, 6 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.182: +1 -2 lines

No need for <net/if_types.h>

As a bonus this removes a "#if NCARP > 0", say yeah!

Revision 1.182, Thu Sep 10 08:28:31 2015 UTC (8 years, 8 months ago) by mpi
Branch: MAIN
Changes since 1.181: +1 -2 lines

Kill two simple in6_ifstat_inc().

Revision 1.181, Wed Aug 19 21:22:41 2015 UTC (8 years, 9 months ago) by sashan
Branch: MAIN
Changes since 1.180: +18 -5 lines

PF must keep IPv6 fragment size as chosen by sender also for packets,
which are routed on behalf route-to action.

OK bluhm@

Revision 1.180, Sun Jul 19 01:58:19 2015 UTC (8 years, 10 months ago) by sashan
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8
Changes since 1.179: +3 -4 lines

unused arguments at pf_normalize_tcp_init() and pf_refragment6()

OK deraadt.

Revision 1.179, Sat Jul 18 15:19:44 2015 UTC (8 years, 10 months ago) by sashan
Branch: MAIN
Changes since 1.178: +8 -4 lines

INET/INET6 address family check should be unified in PF

it also adds af_unhandled(), where it is currently missing.

ok mcbride@

Revision 1.178, Tue May 5 23:27:47 2015 UTC (9 years, 1 month ago) by chris
Branch: MAIN
Changes since 1.177: +2 -2 lines

Eliminate rabid semicolon

Revision 1.177, Wed Apr 29 18:05:56 2015 UTC (9 years, 1 month ago) by bluhm
Branch: MAIN
Changes since 1.176: +5 -3 lines

In most cases, IP fragments do not have an Ethernet padding.  So
add a condition to save a useless call to m_adj() and have a paranoid
length check in the other cases.
OK henning@

Revision 1.176, Fri Apr 17 16:42:50 2015 UTC (9 years, 1 month ago) by bluhm
Branch: MAIN
Changes since 1.175: +6 -2 lines

On Ethernet, packets have a minimal length, so very short packets
get padding appended to them.  This padding is not stripped off in
ip6_input() (due to support for IPv6 Jumbograms, RFC2675).  That
means PF needs to be careful when reassembling fragmented packets
to not include the padding in the reassembled packet.
from FreeBSD; via Kristof Provost; OK henning@

Revision 1.175, Sat Mar 14 03:38:51 2015 UTC (9 years, 2 months ago) by jsg
Branch: MAIN
Changes since 1.174: +1 -2 lines

Remove some includes include-what-you-use claims don't
have any direct symbols used.  Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@

Revision 1.174, Sun Feb 8 01:29:19 2015 UTC (9 years, 3 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.173: +37 -66 lines

pf normalization code was in dire need of style normalization.
ok mpi pelikan

Revision 1.173, Sat Jan 24 00:29:06 2015 UTC (9 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.172: +8 -7 lines

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>.  The kernel files can be
cleaned up next.  Some sockaddr_union steps make it into here as well.
ok naddy

Revision 1.172, Fri Dec 19 17:14:40 2014 UTC (9 years, 5 months ago) by tedu
Branch: MAIN
Changes since 1.171: +1 -5 lines

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb

Revision 1.171, Fri Dec 5 15:50:04 2014 UTC (9 years, 5 months ago) by mpi
Branch: MAIN
Changes since 1.170: +2 -1 lines

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@

Revision 1.170, Tue Nov 18 02:37:31 2014 UTC (9 years, 6 months ago) by tedu
Branch: MAIN
Changes since 1.169: +1 -2 lines

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg

Revision 1.169, Fri Oct 10 16:20:03 2014 UTC (9 years, 7 months ago) by sthen
Branch: MAIN
Changes since 1.168: +3 -3 lines

s/lenght/length/ in comments

Revision 1.168, Mon Sep 8 06:24:13 2014 UTC (9 years, 8 months ago) by jsg
Branch: MAIN
Changes since 1.167: +1 -2 lines

remove unneeded route.h includes
ok miod@ mpi@

Revision 1.167 / (download) - annotate - [select for diffs], Tue Jul 22 11:06:10 2014 UTC (9 years, 10 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6
Changes since 1.166: +1 -2 lines
Diff to previous 1.166 (colored)

Fewer <netinet/in_systm.h> !

Revision 1.166 / (download) - annotate - [select for diffs], Sun Jul 13 17:41:04 2014 UTC (9 years, 10 months ago) by bluhm
Branch: MAIN
Changes since 1.165: +4 -1 lines
Diff to previous 1.165 (colored)

When reassembled IPv6 fragments are NATed or RDRed by pf, the
checksum has to be recalculated before the packet is fragmented
again.  Put a missing in6_proto_cksum_out() into pf_refragment6().
This makes run-regress-frag6 and run-regress-frag6-ext pass again.
From Matthias Pitzl; OK henning@

Revision 1.165 / (download) - annotate - [select for diffs], Thu Mar 27 12:07:48 2014 UTC (10 years, 2 months ago) by jca
Branch: MAIN
Changes since 1.164: +2 -2 lines
Diff to previous 1.164 (colored)

When enforcing TOS (Traffic Class), preserve the ECN bits, just as we do
with IPv4 packets. ok mikeb@

Revision 1.164 / (download) - annotate - [select for diffs], Wed Jan 22 04:34:25 2014 UTC (10 years, 4 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE, OPENBSD_5_5
Changes since 1.163: +1 -1 lines
Diff to previous 1.163 (colored)

one more absolutely obvious bcopy -> memcpy

Revision 1.163 / (download) - annotate - [select for diffs], Sat Nov 16 00:36:01 2013 UTC (10 years, 6 months ago) by chl
Branch: MAIN
Changes since 1.162: +1 -6 lines
Diff to previous 1.162 (colored)

Remove dead assignments and now unused variables.

Found by LLVM/Clang Static Analyzer.

ok henning@ mikeb@ bluhm@

Revision 1.162 / (download) - annotate - [select for diffs], Thu Oct 17 16:27:42 2013 UTC (10 years, 7 months ago) by bluhm
Branch: MAIN
Changes since 1.161: +1 -2 lines
Diff to previous 1.161 (colored)

The header file netinet/in_var.h included netinet6/in6_var.h.  This
created a bunch of useless dependencies.  Remove this implicit
inclusion and do an explicit #include <netinet6/in6_var.h> when it
is needed.
OK mpi@ henning@

Revision 1.161 / (download) - annotate - [select for diffs], Tue Oct 1 20:15:57 2013 UTC (10 years, 8 months ago) by sf
Branch: MAIN
Changes since 1.160: +4 -4 lines
Diff to previous 1.160 (colored)

Format string fixes: Cast time_t to long long

and mnt_stat.f_ctime is long long, too

Revision 1.160 / (download) - annotate - [select for diffs], Tue Jul 23 22:47:10 2013 UTC (10 years, 10 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4
Changes since 1.159: +1 -3 lines
Diff to previous 1.159 (colored)

Do not reset the fragment timeout each time a fragment arrives.
Start the expire counter when the queue is created by the first
fragment and drop it if the packet could not be reassembled within
60 seconds.
Reported by Antonios Atlasis; OK henning@ deraadt@

Revision 1.159 / (download) - annotate - [select for diffs], Wed Jun 26 09:12:39 2013 UTC (10 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.158: +17 -15 lines
Diff to previous 1.158 (colored)

put the cksum diff back, of course with the bug fixed where we could
under some circumstances repair broken checksums on the way.
ok ryan naddy mikeb
.
redo most of the protocol (tcp/udp/...) checksum handling
-assume we have hardware checksum offloading. stop mucking with the
 checksum in most of the stack
-stop checksum mucking in pf, just set a "needs checksumming" flag if needed
-in all output paths, very late, if we figure out the outbound interface
 doesn't have hw cksum offloading, do the cksum in software. this especially
 makes the bridge path behave like a regular output path
-little special casing for bridge still required until the broadcast path
 loses its disgusting shortcut hacks, but at least it's in one place now
 and not all over the stack
in6_proto_cksum_out mostly written by krw@
started at k2k11 in iceland more than 1.5 years ago - yes it took that
long, this stuff is everything but easy.
this happens to fix the infamous pf rdr bug that made us turn off proto
cksum offloading on almost all interface drivers.

Revision 1.158 / (download) - annotate - [select for diffs], Mon Jun 17 19:50:06 2013 UTC (10 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.157: +3 -3 lines
Diff to previous 1.157 (colored)

Before pulling the TCP options from the mbuf onto the stack, do an
additional length check in pf_modulate_sack() and pf_normalize_mss().
Overflow cannot happen due to the restricted values in the length
calculation.  As this is not obvious, be better safe than sorry.
OK henning@

Revision 1.157 / (download) - annotate - [select for diffs], Tue Nov 6 12:32:41 2012 UTC (11 years, 6 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.156: +14 -8 lines
Diff to previous 1.156 (colored)

backout csum diff for the moment, requested by theo

Revision 1.156 / (download) - annotate - [select for diffs], Thu Nov 1 07:55:56 2012 UTC (11 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.155: +7 -13 lines
Diff to previous 1.155 (colored)

redo most of the protocol (tcp/udp/...) checksum handling
-assume we have hardware checksum offloading. stop mucking with the
 checksum in most of the stack
-stop checksum mucking in pf, just set a "needs checksumming" flag if needed
-in all output paths, very late, if we figure out the outbound interface
 doesn't have hw cksum offloading, do the cksum in software. this especially
 makes the bridge path behave like a regular output path
-little special casing for bridge still required until the broadcast path
 loses its disgusting shortcut hacks, but at least it's in one place now
 and not all over the stack
in6_proto_cksum_out mostly written by krw@
started at k2k11 in iceland more than 1.5 years ago - yes it took that
long, this stuff is everything but easy.
this happens to fix the infamous pf rdr bug that made us turn off proto
cksum offloading on almost all interface drivers.
ok camield sthen claudio, testing by many, thanks!
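
The checksum hazard henning mentions in revisions 1.159 and 1.156 (a rewrite that "repairs" a checksum which arrived broken) is easiest to see with a small packet in hand. The following is an added example, not OpenBSD or pf code: a constructed 16-byte header with a one's-complement checksum, a NAT of its source address, and the two ways of fixing the checksum afterwards. Incremental patching (RFC 1624, the style of the old pf_cksum_fixup) carries any pre-existing error through, so a corrupted packet is still rejected by the receiver; a blind full recompute makes it verify. Deferring the software checksum to the output path, as the commit does, avoids the problem in the same way because the checksum is then computed from a packet the stack itself built. Packet layout, addresses and payload are constructed here.

```c
/*
 * Added example, not OpenBSD code: why a checksum must be patched
 * incrementally rather than recomputed blindly after pf rewrites a header.
 * Layout, addresses and payload are constructed for this example.
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PKT_LEN 16          /* src addr 4 | dst addr 4 | port 2 | cksum 2 | data 4 */
#define CK_OFF  10

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* RFC 1071 one's-complement sum of big-endian 16-bit words, folded to 16 bits. */
static uint16_t ones_sum(const uint8_t *p, size_t len)
{
    uint32_t acc = 0;
    for (; len > 1; p += 2, len -= 2)
        acc += rd16(p);
    if (len)
        acc += (uint32_t)p[0] << 8;
    while (acc >> 16)
        acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)acc;
}

/* Intact iff the sum over everything, checksum field included, is all ones. */
static int cksum_ok(const uint8_t *pkt) { return ones_sum(pkt, PKT_LEN) == 0xffff; }

/* Full recompute: zero the field, sum, store the complement. */
static void cksum_recompute(uint8_t *pkt)
{
    wr16(pkt + CK_OFF, 0);
    wr16(pkt + CK_OFF, (uint16_t)~ones_sum(pkt, PKT_LEN));
}

/* RFC 1624 incremental update, HC' = ~(~HC + ~m + m'), for one changed word.
 * Only the delta is applied, so an error the checksum carried on arrival
 * is carried through unchanged. */
static uint16_t cksum_fixup(uint16_t hc, uint16_t m, uint16_t mp)
{
    uint32_t l = (uint32_t)(uint16_t)~hc + (uint16_t)~m + mp;
    while (l >> 16)
        l = (l & 0xffff) + (l >> 16);
    return (uint16_t)~l;
}

/* NAT the 32-bit source address at offset 0, then repair the checksum
 * either incrementally (the old pf_cksum_fixup approach) or by recompute. */
static void nat_src(uint8_t *pkt, uint32_t newaddr, int incremental)
{
    uint16_t hi = (uint16_t)(newaddr >> 16), lo = (uint16_t)newaddr;
    uint16_t ck = rd16(pkt + CK_OFF);

    if (incremental) {
        ck = cksum_fixup(ck, rd16(pkt), hi);
        ck = cksum_fixup(ck, rd16(pkt + 2), lo);
    }
    wr16(pkt, hi);
    wr16(pkt + 2, lo);
    if (incremental)
        wr16(pkt + CK_OFF, ck);
    else
        cksum_recompute(pkt);
}

/* Constructed sample: 10.0.0.1 -> 192.0.2.1, port 53, payload "data". */
static void sample(uint8_t *pkt)
{
    static const uint8_t s[PKT_LEN] =
        { 10,0,0,1, 192,0,2,1, 0,53, 0,0, 'd','a','t','a' };
    memcpy(pkt, s, PKT_LEN);
    cksum_recompute(pkt);
}

/* An intact packet NATed to 198.51.100.1 still verifies: 1 in both modes. */
static int intact_stays_valid(int incremental)
{
    uint8_t pkt[PKT_LEN];
    sample(pkt);
    nat_src(pkt, 0xc6336401u, incremental);
    return cksum_ok(pkt);
}

/* A packet damaged in transit is NATed. Incremental: 1, the receiver still
 * rejects it. Recompute: 0, the rewrite silently "repaired" a broken
 * checksum, which is the bug the commit message refers to. */
static int corruption_still_detected(int incremental)
{
    uint8_t pkt[PKT_LEN];
    sample(pkt);
    pkt[13] ^= 0x01;                    /* bit flip after the sender checksummed */
    nat_src(pkt, 0xc6336401u, incremental);
    return !cksum_ok(pkt);
}

int main(void)
{
    printf("intact: incremental=%d recompute=%d\n",
        intact_stays_valid(1), intact_stays_valid(0));
    printf("damaged still detected: incremental=%d recompute=%d\n",
        corruption_still_detected(1), corruption_still_detected(0));
    return 0;
}
```

The same reasoning applies to the IP header checksum (revision 1.131 below in this log): a middlebox that recomputes from scratch is asserting that the bytes it sees are the bytes the sender meant, which it cannot know.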

Revision 1.155 / (download) - annotate - [select for diffs], Tue Oct 30 12:09:05 2012 UTC (11 years, 7 months ago) by florian
Branch: MAIN
Changes since 1.154: +5 -5 lines
Diff to previous 1.154 (colored)

Use time_uptime for expiration values as time_second can be skewed at
runtime while time_uptime is monotonic. Prevent underflows in
pfsync(4) and pflow(4) by using signed variables.  pfsync(4) problem
pointed out by camield.

Diff originally by dlg, frag and pflow bits by me.

feedback dlg
man page tweak jmc

Various versions of the pflow bits tested by Hrvoje Popovski
(hrvoje AT srce DOT hr), thanks!

ok benno, henning, dlg

Revision 1.154 / (download) - annotate - [select for diffs], Sat May 12 13:08:48 2012 UTC (12 years ago) by mpf
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE, OPENBSD_5_2
Changes since 1.153: +2 -2 lines
Diff to previous 1.153 (colored)

Ignore/preserve ECN bits on ToS matching and scrubbing.
The lower 2 bits of the tos-header are used for ECN.
 (http://tools.ietf.org/html/rfc2474#section-3)
OK henning@, haesbaert@
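
Revisions 1.154 (IPv4, above) and 1.165 (IPv6, earlier in this log) both come down to the same rule: the low two bits of the TOS byte or Traffic Class belong to ECN (RFC 3168) and a scrub "set-tos" or a "tos" match must leave them alone. The code below is an added example, not pf's own; it applies that rule to an IPv4 TOS byte and to an IPv6 Traffic Class, which is awkward because the eight class bits straddle the first two header bytes next to the version nibble and the 20-bit flow label. The sample headers are constructed.

```c
/*
 * Added example, not pf code: apply a scrub "set-tos" value without
 * disturbing the two ECN bits, for IPv4 (TOS byte) and IPv6 (Traffic Class
 * split across header bytes 0 and 1). Sample headers are constructed.
 */
#include <stdint.h>
#include <stdio.h>

#define IPTOS_ECN_MASK 0x03     /* low two bits: ECT(0), ECT(1), CE (RFC 3168) */

/* New TOS = requested DSCP/precedence bits, old ECN bits. */
static uint8_t tos_set_keep_ecn(uint8_t old_tos, uint8_t new_tos)
{
    return (uint8_t)((new_tos & ~IPTOS_ECN_MASK) | (old_tos & IPTOS_ECN_MASK));
}

/* "tos" rule matching: the ECN bits are not the rule's business either. */
static int tos_matches(uint8_t pkt_tos, uint8_t rule_tos)
{
    return (pkt_tos & ~IPTOS_ECN_MASK) == (rule_tos & ~IPTOS_ECN_MASK);
}

/* IPv4: TOS is byte 1 of the header. Returns the byte as written. */
static uint8_t ip4_set_tos(uint8_t *hdr, uint8_t new_tos)
{
    hdr[1] = tos_set_keep_ecn(hdr[1], new_tos);
    return hdr[1];
}

/* IPv6: the first 32 bits are version:4 | traffic class:8 | flow label:20,
 * so the class is the low nibble of byte 0 and the high nibble of byte 1.
 * Rewrite only those eight bits; version and flow label stay intact.
 * Returns the traffic class as written. */
static uint8_t ip6_set_tclass(uint8_t *hdr, uint8_t new_tc)
{
    uint8_t old_tc = (uint8_t)((hdr[0] & 0x0f) << 4 | hdr[1] >> 4);
    uint8_t tc = tos_set_keep_ecn(old_tc, new_tc);

    hdr[0] = (uint8_t)((hdr[0] & 0xf0) | (tc >> 4));
    hdr[1] = (uint8_t)((hdr[1] & 0x0f) | (tc << 4));
    return tc;
}

/* Constructed IPv6 word 0x60123456: version 6, class 0x01 (ECT(1)),
 * flow label 0x23456. After set-tos 0x10 (IPTOS_LOWDELAY) the word must
 * read 0x61123456: class 0x11, label untouched. */
static uint32_t demo_ip6(uint8_t new_tc)
{
    uint8_t hdr[4] = { 0x60, 0x12, 0x34, 0x56 };

    ip6_set_tclass(hdr, new_tc);
    return (uint32_t)hdr[0] << 24 | (uint32_t)hdr[1] << 16 |
           (uint32_t)hdr[2] << 8 | hdr[3];
}

int main(void)
{
    uint8_t ip4[20] = { 0x45, 0x02 };             /* IHL 5, TOS = ECT(0) */

    printf("ipv4 tos after set-tos 0xb8: 0x%02x\n", ip4_set_tos(ip4, 0xb8));
    printf("ipv6 word after set-tos 0x10: 0x%08x\n", demo_ip6(0x10));
    return 0;
}
```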

Revision 1.153 / (download) - annotate - [select for diffs], Fri Feb 3 01:57:51 2012 UTC (12 years, 4 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_5_1_BASE, OPENBSD_5_1
Changes since 1.152: +8 -2 lines
Diff to previous 1.152 (colored)

The kernel did not compile without INET6.  Put some #ifdefs into
pf to fix that.
- add #ifdef INET6 in obvious places
- af translation is only possible with both INET and INET6
- interleave #endif /* INET6 */ and closing brace correctly
- it is not necessary to #ifdef function prototypes
- do not compile af translate functions at all instead of empty stub,
  then the linker will report inconsistencies
- pf_poolmask() actually takes an sa_family_t not an u_int8_t argument
No binary change for GENERIC compiled with -O2 and -UDIAGNOSTIC.
reported by Olivier Cochard-Labbe; ok mikeb@ henning@

Revision 1.152 / (download) - annotate - [select for diffs], Thu Jan 26 20:16:06 2012 UTC (12 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.151: +21 -20 lines
Diff to previous 1.151 (colored)

Clean up the pf normalization code:
- Let pf_normalize_ip() and pf_normalize_ip6() take the struct
  pf_pdesc pd as argument.
- Always check whether the mbuf got NULL after normalization to make
  the code more robust.
- Make the code structure of pf_normalize_ip6() more like
  pf_normalize_ip() to make the differences obvious.
ok henning@

Revision 1.151 / (download) - annotate - [select for diffs], Mon Jan 23 18:37:20 2012 UTC (12 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.150: +10 -25 lines
Diff to previous 1.150 (colored)

Do not keep state when dropping overlapping IPv6 fragments in pf
and IPv6 stack.
ok sperreault@

Revision 1.150 / (download) - annotate - [select for diffs], Sun Jan 15 22:55:35 2012 UTC (12 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.149: +4 -1 lines
Diff to previous 1.149 (colored)

Calling pf_normalize_ip() from pf_setup_pdesc() was bad as the
latter is called from pf packet logging.  This resulted in normalization
and reassembly of bad packets to be logged.  So rearrange the code
and move the call to pf_test().
ok henning@

Revision 1.149 / (download) - annotate - [select for diffs], Fri Jan 13 11:24:35 2012 UTC (12 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.148: +43 -8 lines
Diff to previous 1.148 (colored)

Drop IPv6 packets built from overlapping fragments in pf reassembly.
The reassembly state will be dropped after timeout, all related
fragments are dropped until that.  This is conforming to RFC 5722.
- Sort pf_fragment fields while there.
- If the fr_queue is empty, we had overlapping fragments, don't add
  new ones.
- If we detect overlapping IPv6 fragments, flush the fr_queue and
  drop all fragments immediately.
- Rearrange debug output, to make clear what happens.
- An IPv4 fragment that is totally overlapped does not increase the
  bad fragment counter.
- Put a KASSERT into pf_isfull_fragment() to make sure that the
  fr_queue is never empty there.
discussed with Fernando Gont; ok henning@
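
Two of the fragment-reassembly rules in this log are worth seeing together: revision 1.160 (earlier in the log) starts the expiry clock once, when the first fragment creates the queue, so a sender cannot keep a queue alive forever by trickling fragments; and revision 1.149 (above) flushes the queue and keeps the state only to drop further fragments once an IPv6 overlap is detected (RFC 5722). The code below is an added example, not pf's fragment code: a toy in-memory IPv6 fragment queue that implements both rules over byte offsets, with constructed offsets and timestamps. It deliberately models only the IPv6 behaviour; the IPv4 path in pf retains its older overlap handling and is not represented here.

```c
/*
 * Added example, not pf code: a toy IPv6 fragment queue with the two
 * behaviours from revisions 1.160 and 1.149: the deadline is set once, when
 * the first fragment creates the queue, and an overlapping fragment flushes
 * the queue and poisons it (RFC 5722). Offsets and times are constructed.
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <time.h>

#define PF_FRAG_TIMEOUT 60      /* seconds before an incomplete queue is dropped */
#define FRAG_MAX        16      /* fragments per queue in this toy */

struct frag { uint32_t off, len; };
struct fragq {
    time_t expire;              /* 0 = no queue; else creation time + timeout */
    int poisoned;               /* overlap seen: drop everything until expiry */
    int n;
    uint32_t total;             /* payload length once the M=0 fragment arrived */
    struct frag f[FRAG_MAX];    /* kept sorted by offset */
};

enum frag_res { FRAG_QUEUED, FRAG_COMPLETE, FRAG_DROP };

static int frag_overlaps(const struct frag *a, uint32_t off, uint32_t len)
{
    return off < a->off + a->len && a->off < off + len;
}

/* True once the queue covers [0, total) without gaps. */
static int fragq_is_full(const struct fragq *q)
{
    uint32_t next = 0;

    if (q->total == 0)
        return 0;
    for (int i = 0; i < q->n; i++) {
        if (q->f[i].off != next)
            return 0;
        next += q->f[i].len;
    }
    return next == q->total;
}

/* Offer one fragment (payload offset off, len bytes, M flag more) at time now. */
static enum frag_res fragq_insert(struct fragq *q, time_t now,
    uint32_t off, uint32_t len, int more)
{
    int pos;

    if (q->expire != 0 && now >= q->expire)
        memset(q, 0, sizeof(*q));       /* expired: the timer would have freed it */
    if (q->expire == 0)                 /* first fragment creates the queue and */
        q->expire = now + PF_FRAG_TIMEOUT;  /* sets the deadline; never extended */
    if (q->poisoned || q->n == FRAG_MAX || len == 0 || (more && (len & 7)))
        return FRAG_DROP;
    for (int i = 0; i < q->n; i++)
        if (frag_overlaps(&q->f[i], off, len)) {
            q->n = 0;                   /* RFC 5722: flush the queue and keep it */
            q->poisoned = 1;            /* only to drop the rest until expiry */
            return FRAG_DROP;
        }
    if (!more)
        q->total = off + len;
    for (pos = q->n; pos > 0 && q->f[pos - 1].off > off; pos--)
        q->f[pos] = q->f[pos - 1];      /* keep f[] sorted by offset */
    q->f[pos].off = off;
    q->f[pos].len = len;
    q->n++;
    return fragq_is_full(q) ? FRAG_COMPLETE : FRAG_QUEUED;
}

/* Three fragments at t=0 (the final one, out of order), t=50 and t=t3.
 * t3=55: FRAG_COMPLETE. t3=65: the queue created at t=0 expired at t=60,
 * the arrival at t=50 did not extend it, so the old pieces are gone and the
 * third fragment only starts a new queue: FRAG_QUEUED. */
static enum frag_res scenario_timeout(time_t t3)
{
    struct fragq q;

    memset(&q, 0, sizeof q);
    fragq_insert(&q, 0, 2048, 100, 0);
    fragq_insert(&q, 50, 0, 1024, 1);
    return fragq_insert(&q, t3, 1024, 1024, 1);
}

/* An overlapping fragment empties the queue, and a later clean fragment is
 * still dropped. Returns 1 when both hold. */
static int scenario_overlap(void)
{
    struct fragq q;

    memset(&q, 0, sizeof q);
    fragq_insert(&q, 0, 0, 1024, 1);
    fragq_insert(&q, 1, 512, 1024, 1);  /* [512,1536) overlaps [0,1024) */
    return fragq_insert(&q, 2, 2048, 100, 0) == FRAG_DROP && q.n == 0;
}

int main(void)
{
    printf("t3=55 -> %d (1=complete), t3=65 -> %d (0=queued), overlap ok=%d\n",
        scenario_timeout(55), scenario_timeout(65), scenario_overlap());
    return 0;
}
```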

Revision 1.148 / (download) - annotate - [select for diffs], Tue Jan 3 17:06:38 2012 UTC (12 years, 5 months ago) by bluhm
Branch: MAIN
Changes since 1.147: +19 -24 lines
Diff to previous 1.147 (colored)

Instead of having two functions pf_free_fragment() and pf_remove_fragment()
doing more or less the same, merge them into one.  Just remove
fragment entries from the queue in pf_join_fragment() before they
are freed.  Then pf_remove_fragment() is not needed anymore.
ok henning@

Revision 1.147 / (download) - annotate - [select for diffs], Fri Nov 25 12:52:10 2011 UTC (12 years, 6 months ago) by dlg
Branch: MAIN
Changes since 1.146: +2 -2 lines
Diff to previous 1.146 (colored)

use time_uptime to set state creation values as time_second can be
skewed at runtime by things like date(1) and ntpd. time_uptime is
monotonic and therefore more useful to compare against.

ok deraadt@ mikeb@

Revision 1.146 / (download) - annotate - [select for diffs], Wed Sep 28 17:15:45 2011 UTC (12 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.145: +21 -19 lines
Diff to previous 1.145 (colored)

As requested by henning, move the mbuf pointer into struct pf_pdesc.
Also sort pd to the beginning of the functions' parameter lists for
consistency.
ok henning

Revision 1.145 / (download) - annotate - [select for diffs], Thu Sep 22 14:57:12 2011 UTC (12 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.144: +14 -14 lines
Diff to previous 1.144 (colored)

As I have touched half of pf lines anyway, fix whitespaces now.
KNF, no binary change.

Revision 1.144 / (download) - annotate - [select for diffs], Wed Sep 21 19:07:30 2011 UTC (12 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.143: +1 -5 lines
Diff to previous 1.143 (colored)

Check the protocol header length for tcp, udp, icmp, icmp6 in
pf_setup_pdesc().  It is better to check and bail out early than
to rely on pf_pull_hdr() later.
ok henning mpf

Revision 1.143 / (download) - annotate - [select for diffs], Tue Sep 20 10:51:18 2011 UTC (12 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.142: +2 -2 lines
Diff to previous 1.142 (colored)

Put kif and dir into pdesc and use this instead of passing the values
around.  This is a mechanical change.  Initialize pd2 and use it
where appropriate.
ok henning on an earlier version; ok mpf

Revision 1.142 / (download) - annotate - [select for diffs], Mon Sep 19 12:51:52 2011 UTC (12 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.141: +17 -14 lines
Diff to previous 1.141 (colored)

Consolidate pf function parameters.  Move off and hdrlen into pdesc
and change their type from int to u_int32_t.  Do not pass struct
tcphdr *th and sa_family_t af, it is in pd anyway.  Do not use af
and pd->af intermixed, the latter makes clear where it comes from.
Do not calculate the packet length again if pd already has it.  Use
pd2.off instead of off2.
go go go go don't stop henning@ mpf@

Revision 1.141 / (download) - annotate - [select for diffs], Sun Sep 18 11:17:57 2011 UTC (12 years, 8 months ago) by miod
Branch: MAIN
Changes since 1.140: +4 -4 lines
Diff to previous 1.140 (colored)

Fix various format string types to as a minimum match the width of the
variables being processed.
ok bluhm@ henning@

Revision 1.140 / (download) - annotate - [select for diffs], Mon Jul 18 21:03:10 2011 UTC (12 years, 10 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_0_BASE, OPENBSD_5_0
Changes since 1.139: +2 -2 lines
Diff to previous 1.139 (colored)

unbreak set-tos for ipv6;  reported by babut at yandex dot ru,
with input and ok from bluhm and claudio

Revision 1.139 / (download) - annotate - [select for diffs], Thu Jul 7 20:46:36 2011 UTC (12 years, 10 months ago) by bluhm
Branch: MAIN
Changes since 1.138: +5 -126 lines
Diff to previous 1.138 (colored)

There were two loops in pf_setup_pdesc() and pf_normalize_ip6()
walking over the IPv6 header chain.  Merge them into one loop,
adjust some length checks and fix IPv6 jumbo option handling.  Also
allow strange but legal IPv6 packets with plen=0 passing through
pf.  IPv6 jumbo packets still get dropped.
testing dhill@; ok mcbride@ henning@

Revision 1.138 / (download) - annotate - [select for diffs], Tue Jul 5 22:00:04 2011 UTC (12 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.137: +10 -10 lines
Diff to previous 1.137 (colored)

Instead of passing the ip header and mbuf to pf_reassemble(), lookup
the header address in the mbuf.
ok henning@

Revision 1.137 / (download) - annotate - [select for diffs], Tue Jul 5 19:53:43 2011 UTC (12 years, 11 months ago) by mikeb
Branch: MAIN
Changes since 1.136: +3 -1 lines
Diff to previous 1.136 (colored)

add missing ifdefs for INET6;  diff from form, ok henning, bluhm, claudio

Revision 1.136 / (download) - annotate - [select for diffs], Sun Jul 3 18:08:02 2011 UTC (12 years, 11 months ago) by claudio
Branch: MAIN
Changes since 1.135: +7 -1 lines
Diff to previous 1.135 (colored)

Refactor the fragment handling in pf_setup_pdesc() so that AF_INET
and AF_INET6 are doing the fragment handling the same way. Makes
code more readable.
With and OK bluhm@

Revision 1.135 / (download) - annotate - [select for diffs], Tue Jun 21 08:59:47 2011 UTC (12 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.134: +3 -7 lines
Diff to previous 1.134 (colored)

There is no need to handle fragmented TCP reset packets in a special
way.  Remove PFDESC_IP_REAS and pf_pdesc flags completely.
ok claudio@ henning@

Revision 1.134 / (download) - annotate - [select for diffs], Mon Jun 20 19:03:41 2011 UTC (12 years, 11 months ago) by claudio
Branch: MAIN
Changes since 1.133: +9 -23 lines
Diff to previous 1.133 (colored)

More cleanup in pf_test/pf_test6 this time mostly the fragment
handling. More to come to make the two code paths a bit more identical.
tested by many (esp. krw@ and sthen@) input and OK bluhm@

Revision 1.133 / (download) - annotate - [select for diffs], Tue May 24 14:01:52 2011 UTC (13 years ago) by claudio
Branch: MAIN
Changes since 1.132: +25 -19 lines
Diff to previous 1.132 (colored)

Merge pf_scrub_ip() and pf_scrub_ip6() into a single function.  Call
pf_scrub with the right arguments in the rule case so that match
rules will work as expected.  As a benefit allow setting the tos
on IPv6 packets as well.
OK henning@

Revision 1.132 / (download) - annotate - [select for diffs], Sat Apr 23 10:00:36 2011 UTC (13 years, 1 month ago) by bluhm
Branch: MAIN
Changes since 1.131: +3 -5 lines
Diff to previous 1.131 (colored)

pf_scrub_ip() does not modify the given mbuf pointer.  So don't
pass a pointer to a pointer to make the code in pf_test() clearer.
ok henning@

Revision 1.131 / (download) - annotate - [select for diffs], Mon Apr 4 14:14:53 2011 UTC (13 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.130: +7 -34 lines
Diff to previous 1.130 (colored)

stop fiddling with the ip checksum here too, it is always recalculated
in all output paths anyway.
even worse than in the rest of pf, here we ran circles to update the ip
cksum every time we flip a tiny bit in the header...
pretty sure dlg claudio ok'd it and it is damn obvious anyway

Revision 1.130 / (download) - annotate - [select for diffs], Thu Mar 24 20:09:44 2011 UTC (13 years, 2 months ago) by bluhm
Branch: MAIN
Changes since 1.129: +212 -18 lines
Diff to previous 1.129 (colored)

Reassemble IPv6 fragments in pf.  In the forward case, pf refragments
the packets with the same maximum size.  This allows the sender to
determine the optimal fragment size by Path MTU Discovery.
testing sthen@ matthieu@
ok claudio@

Revision 1.129 / (download) - annotate - [select for diffs], Wed Mar 23 18:34:17 2011 UTC (13 years, 2 months ago) by bluhm
Branch: MAIN
Changes since 1.128: +285 -232 lines
Diff to previous 1.128 (colored)

Extract the address family independent functions from pf fragment
reassembly code.  This makes it possible to reuse them for IPv6.
ok claudio@

Revision 1.128 / (download) - annotate - [select for diffs], Tue Feb 1 16:10:31 2011 UTC (13 years, 4 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_4_9_BASE, OPENBSD_4_9
Changes since 1.127: +3 -2 lines
Diff to previous 1.127 (colored)

The check for invalid IPv6 fragment size in pf_normalize_ip6() was
wrong.  As an effect small valid fragmented packets got dropped and
some invalid fragmented packets were passed.  plen is the payload
length of the ipv6 packet without the ipv6 header.  off is relative
to the whole packet including the ipv6 header.  Add sizeof(struct
ip6_hdr) in the calculation.
ok henning@ markus@
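
The arithmetic this commit corrects is a common IPv6 pitfall: the Payload Length field excludes the 40-byte base header, while an offset computed by walking the header chain includes it, so mixing the two silently shifts every length by 40. The following is an added example, not pf's pf_normalize_ip6() code; it computes a fragment's data length from those two quantities, applies the usual sanity checks, and includes a "buggy" mode modelled on the commit's description (base header left out of the sum) to show both failure modes the message names: small valid fragments rejected, and an oversized fragment accepted with a data length of 0. All inputs are constructed.

```c
/*
 * Added example, not pf code: the length arithmetic behind revision 1.128.
 * plen is the IPv6 Payload Length (excludes the 40-byte base header) and
 * off is where the Fragment header sits, counted from the start of the
 * packet, base header included. The inputs below are constructed.
 */
#include <stdint.h>
#include <stdio.h>

#define IP6_HDR_LEN    40
#define IP6_FRAG_LEN   8
#define IPV6_MAXPACKET 65535

/*
 * Data bytes carried by the fragment, or -1 if the headers are inconsistent.
 * fragoff is the Fragment header's offset field (8-byte units), more its M
 * flag. buggy=1 leaves the base header out of the sum, modelling the
 * mistake described in the commit message rather than its exact code.
 */
static long frag6_datalen(uint16_t plen, uint32_t off, uint16_t fragoff,
    int more, int buggy)
{
    long end = (buggy ? 0 : IP6_HDR_LEN) + (long)plen;   /* end of packet */
    long datalen = end - (long)off - IP6_FRAG_LEN;

    if (datalen < 0)
        return -1;                       /* Fragment header past the packet end */
    if (more && (datalen & 7))
        return -1;                       /* non-final fragments are multiples of 8 */
    if ((long)fragoff * 8 + datalen > IPV6_MAXPACKET)
        return -1;                       /* reassembled packet would be too large */
    return datalen;
}

int main(void)
{
    /* 20-byte final fragment right after the base header: plen 28, off 40. */
    printf("small valid fragment: fixed=%ld buggy=%ld\n",
        frag6_datalen(28, 40, 100, 0, 0), frag6_datalen(28, 40, 100, 0, 1));
    /* 40 data bytes at offset 8191*8: reassembly would exceed 65535 bytes. */
    printf("oversized fragment:   fixed=%ld buggy=%ld\n",
        frag6_datalen(48, 40, 8191, 0, 0), frag6_datalen(48, 40, 8191, 0, 1));
    return 0;
}
```

With an 8-byte Hop-by-Hop header in front of the Fragment header, off becomes 48 and the same function still yields the right answer, which is the point of carrying off as "distance from the start of the packet" consistently.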

Revision 1.127 / (download) - annotate - [select for diffs], Thu Jan 20 15:03:03 2011 UTC (13 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.126: +34 -23 lines
Diff to previous 1.126 (colored)

The reason accounting in pf_reassemble() was not correct.  Change
pf_reassemble() to return PF_DROP or PF_PASS and *m0 is NULL or the
reassembled packet.  In case of PF_DROP, the mbuf must be valid,
e.g. for logging, and will be freed later.  In case the reassembled
packet is too big, use the reassembled mbuf for PF_DROP.
ok henning@ markus@

Revision 1.126 / (download) - annotate - [select for diffs], Wed Jan 19 11:39:57 2011 UTC (13 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.125: +2 -2 lines
Diff to previous 1.125 (colored)

Give pf_normalize_ip() the same 3 way semantics as pf_test().
- PF_DROP, the packet is bad, the mbuf still exists and must be freed.
- PF_PASS and *m0 is NULL, the packet has been processed, not an error.
- PF_PASS and *m0 is not NULL, continue with packet processing.
This fixes a potential mbuf use after free.
ok henning@ markus@ mpf@

Revision 1.125 / (download) - annotate - [select for diffs], Thu Jan 6 14:01:36 2011 UTC (13 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.124: +2 -2 lines
Diff to previous 1.124 (colored)

Put htons() around ip_randomid() for pf scrub random-id to make it
consistent with the network stack.
ok mcbride@ henning@

Revision 1.124 / (download) - annotate - [select for diffs], Fri Dec 31 12:26:57 2010 UTC (13 years, 5 months ago) by bluhm
Branch: MAIN
Changes since 1.123: +15 -91 lines
Diff to previous 1.123 (colored)

Remove dead code from pf_norm.c.  The fragment cache is some leftover
from fragment crop.  PFFRAG_NOBUFFER and PFFRAG_DROP are never set.
pf_cache_pl and pf_cent_pl have no pool_get.
ok henning@

Revision 1.123 / (download) - annotate - [select for diffs], Thu Jul 8 19:30:16 2010 UTC (13 years, 10 months ago) by sthen
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE, OPENBSD_4_8
Changes since 1.122: +9 -8 lines
Diff to previous 1.122 (colored)

Use correct alignment for scrub max-mss. Based on a diff from deraadt.
"that looks about right even though the offset calculation is pure
horror" claudio@, ok deraadt@
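
Revision 1.158 (earlier in this log) adds a length check before TCP options are pulled from the mbuf onto the stack, and revision 1.123 (above) fixes the alignment of the max-mss rewrite. The code below is an added example, not pf's pf_normalize_mss() or pf_pull_hdr(): it derives the option length from the data offset and checks it against both the packet and the fixed-size stack buffer before copying, then walks the options with the bounds checks an option parser needs (a length of 0 or 1 must not loop forever, a length past the end must not be read) and rewrites the MSS through individual bytes so alignment never matters. The SYN options are constructed.

```c
/*
 * Added example, not pf code: pull TCP options into a bounded stack buffer
 * only after checking the length (revision 1.158), then walk them with
 * bounds checks and clamp the MSS through byte access, so alignment never
 * matters (revision 1.123). The SYN options below are constructed.
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define TCPOPT_EOL     0
#define TCPOPT_NOP     1
#define TCPOPT_MAXSEG  2
#define TCPOLEN_MAXSEG 4
#define TCP_HDRLEN     20
#define TCP_MAXOLEN    40   /* 15 * 4 - 20: the most options a header can carry */

/* Copy the options of the TCP header at th (pktlen readable bytes) into
 * out[TCP_MAXOLEN]. Returns the option length, or -1 when the data offset
 * is impossible or claims more than the packet holds. The check precedes
 * the copy, so the stack buffer cannot be overrun. */
static int tcp_pull_options(const uint8_t *th, size_t pktlen, uint8_t *out)
{
    size_t doff;
    if (pktlen < TCP_HDRLEN)
        return -1;
    doff = (size_t)(th[12] >> 4) * 4;       /* data offset, 32-bit words to bytes */
    if (doff < TCP_HDRLEN || doff > pktlen)
        return -1;
    memcpy(out, th + TCP_HDRLEN, doff - TCP_HDRLEN);    /* <= TCP_MAXOLEN */
    return (int)(doff - TCP_HDRLEN);
}

/* Lower an MSS option above maxmss. 1 = rewritten (caller must fix the TCP
 * checksum), 0 = untouched, -1 = malformed list: a length of 0 or 1 would
 * never advance, a length past optlen would read beyond the buffer. */
static int tcp_clamp_mss(uint8_t *opts, size_t optlen, uint16_t maxmss)
{
    size_t i = 0;
    if (optlen > TCP_MAXOLEN)
        return -1;
    while (i < optlen) {
        uint8_t kind = opts[i], len;
        if (kind == TCPOPT_EOL)
            break;
        if (kind == TCPOPT_NOP) { i++; continue; }
        if (i + 1 >= optlen)                /* kind byte without length byte */
            return -1;
        len = opts[i + 1];
        if (len < 2 || i + len > optlen)
            return -1;
        if (kind == TCPOPT_MAXSEG && len == TCPOLEN_MAXSEG) {
            uint16_t mss = (uint16_t)(opts[i + 2] << 8 | opts[i + 3]);  /* bytewise */
            if (mss <= maxmss)
                return 0;
            opts[i + 2] = (uint8_t)(maxmss >> 8);
            opts[i + 3] = (uint8_t)maxmss;
            return 1;
        }
        i += len;
    }
    return 0;
}

/* Constructed SYN options: MSS 1460, NOP, WS 7, NOP, NOP, SACK permitted. */
static const uint8_t syn_opts[12] = { 2,4,0x05,0xb4, 1, 3,3,7, 1,1, 4,2 };

/* Build a 32-byte SYN (doff 8), pull, clamp; returns the MSS that remains. */
static int demo_clamp(uint16_t maxmss)
{
    uint8_t th[32] = { 0 }, opts[TCP_MAXOLEN];
    int optlen;
    th[12] = 8 << 4;
    th[13] = 0x02;                          /* SYN */
    memcpy(th + TCP_HDRLEN, syn_opts, sizeof syn_opts);
    optlen = tcp_pull_options(th, sizeof th, opts);
    if (optlen < 0 || tcp_clamp_mss(opts, (size_t)optlen, maxmss) < 0)
        return -1;
    return opts[2] << 8 | opts[3];
}

/* A header claiming 60 bytes inside a 32-byte packet: -1, nothing copied. */
static int demo_lying_doff(void)
{
    uint8_t th[32] = { 0 }, opts[TCP_MAXOLEN];
    th[12] = 15 << 4;
    return tcp_pull_options(th, sizeof th, opts);
}

/* An MSS option with length 0: -1 instead of an endless loop. */
static int demo_zero_len_option(void)
{
    uint8_t opts[4] = { 2, 0, 0x05, 0xb4 };
    return tcp_clamp_mss(opts, sizeof opts, 1400);
}

int main(void)
{
    printf("mss: clamp 1400 -> %d, clamp 9000 -> %d\n", demo_clamp(1400), demo_clamp(9000));
    printf("lying doff -> %d, zero-length option -> %d\n", demo_lying_doff(), demo_zero_len_option());
    return 0;
}
```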

Revision 1.122 / (download) - annotate - [select for diffs], Fri Jul 2 02:40:16 2010 UTC (13 years, 11 months ago) by blambert
Branch: MAIN
Changes since 1.121: +5 -5 lines
Diff to previous 1.121 (colored)

m_copyback can fail to allocate memory, but is a void function so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@

Revision 1.121 / (download) - annotate - [select for diffs], Mon Jan 18 23:52:46 2010 UTC (14 years, 4 months ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_4_7_BASE, OPENBSD_4_7
Changes since 1.120: +59 -55 lines
Diff to previous 1.120 (colored)

Convert pf debug logging to using log()/addlog(), a single standardised
definition of DPFPRINTF(), and log priorities from syslog.h. Old debug
levels will still work for now, but will eventually be phased out.

discussed with henning, ok dlg

Revision 1.120 / (download) - annotate - [select for diffs], Tue Sep 1 15:51:06 2009 UTC (14 years, 9 months ago) by jsing
Branch: MAIN
Changes since 1.119: +1 -1 lines
Diff to previous 1.119 (colored)

Clear the IP_DF bit if no-df is enabled, not if it is not enabled.

Issue reported by Matthew Dempsky. Same fix suggested by fgsch@.

ok henning@

Revision 1.119 / (download) - annotate - [select for diffs], Tue Jul 21 14:48:08 2009 UTC (14 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.118: +1 -6 lines
Diff to previous 1.118 (colored)

pf_scrub_ip/ip6 prototypes are already in pfvar.h

Revision 1.118 / (download) - annotate - [select for diffs], Thu Jun 25 09:30:28 2009 UTC (14 years, 11 months ago) by sthen
Branch: MAIN
CVS Tags: OPENBSD_4_6_BASE, OPENBSD_4_6
Changes since 1.117: +3 -3 lines
Diff to previous 1.117 (colored)

scrub_flags is a u_int8_t, but PFSTATE_SCRUB_TCP is 0x0100, so the
"reassemble tcp" state option failed to work correctly. Increasing this
to u_int16_t fixes kernel/6178. ok deraadt@ henning@

Revision 1.117 / (download) - annotate - [select for diffs], Tue Apr 7 13:26:23 2009 UTC (15 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.116: +2 -1 lines
Diff to previous 1.116 (colored)

after i took everything in this file apart and reassembled with a lot of
new stuff asserting copyright is in order

Revision 1.116 / (download) - annotate - [select for diffs], Mon Apr 6 12:05:55 2009 UTC (15 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.115: +47 -528 lines
Diff to previous 1.115 (colored)

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
.  set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
.  pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
.  match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
.  pass
.  match
passes the packet, and
.  block
.  match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
 means a single packet can get logged more than once (think multiple log
 interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.
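
The rule-evaluation semantics spelled out above (last matching pass or block decides; every matching match rule applies its options, with the last setter of a queue or rtable winning and every log option firing) are subtle enough to be worth a small executable model. The code below is an added example, not pf's rule evaluator, and it assumes pf's default of pass when no rule matches. The five-rule ruleset and the packets are constructed; only protocol and destination port are used as selectors.

```c
/*
 * Added example, not pf code: a small evaluator for the pass/block/match
 * semantics described above. The last matching pass or block rule decides,
 * while every matching rule with a queue, rtable or log option applies it
 * (last setter wins, every log fires). Ruleset and packets are constructed;
 * a default of pass when nothing matches is assumed.
 */
#include <stdio.h>
#include <string.h>

enum act { R_PASS, R_BLOCK, R_MATCH };

struct rule {
    enum act act;
    int proto, port;            /* 0 = any */
    const char *queue;          /* NULL = no queue option */
    int rtable;                 /* -1 = no rtable option */
    int log;
};

struct verdict {
    enum act act;
    const char *queue;
    int rtable;
    int logged;                 /* how many rules logged this packet */
};

/* Constructed ruleset, in pf.conf order:
 *   pass proto tcp
 *   match proto tcp log queue bulk
 *   block proto tcp port 23
 *   pass proto tcp port 22 queue ssh
 *   match proto tcp port 80 rtable 1 */
static const struct rule rules[] = {
    { R_PASS,  6,  0, NULL,   -1, 0 },
    { R_MATCH, 6,  0, "bulk", -1, 1 },
    { R_BLOCK, 6, 23, NULL,   -1, 0 },
    { R_PASS,  6, 22, "ssh",  -1, 0 },
    { R_MATCH, 6, 80, NULL,    1, 0 },
};

static int rule_matches(const struct rule *r, int proto, int port)
{
    return (r->proto == 0 || r->proto == proto) &&
           (r->port == 0 || r->port == port);
}

static struct verdict decide(int proto, int port)
{
    struct verdict v = { R_PASS, NULL, -1, 0 };
    size_t i;

    for (i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const struct rule *r = &rules[i];

        if (!rule_matches(r, proto, port))
            continue;
        if (r->act != R_MATCH)
            v.act = r->act;         /* last matching pass/block wins */
        if (r->queue)
            v.queue = r->queue;     /* last rule that set a queue wins, match or not */
        if (r->rtable >= 0)
            v.rtable = r->rtable;
        if (r->log)
            v.logged++;             /* every matching log rule logs the packet */
    }
    return v;
}

int main(void)
{
    int ports[] = { 23, 22, 80 };
    size_t i;

    for (i = 0; i < 3; i++) {
        struct verdict v = decide(6, ports[i]);
        printf("tcp/%d: %s queue=%s rtable=%d logged=%d\n", ports[i],
            v.act == R_BLOCK ? "block" : "pass", v.queue ? v.queue : "-",
            v.rtable, v.logged);
    }
    return 0;
}
```

Note how tcp/23 is blocked by rule 3 yet still lands in queue "bulk" and is logged once, because the match rule before it applied both options; and how tcp/22 ends up in "ssh" because the later pass rule set a queue, not because it was the last matching rule.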

Revision 1.115 / (download) - annotate - [select for diffs], Sat Jan 31 20:06:55 2009 UTC (15 years, 4 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_4_5_BASE, OPENBSD_4_5
Changes since 1.114: +5 -1 lines
Diff to previous 1.114 (colored)

unbreak ! INET6 case by sprinkling #ifdef INET6
noticed by Vladimir Kirillov <proger@uaoug.org.ua>

Revision 1.114 / (download) - annotate - [select for diffs], Thu Jan 29 14:11:45 2009 UTC (15 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.113: +60 -50 lines
Diff to previous 1.113 (colored)

move some code around in preparation for future work:
break out the code that doesn't deal with fragment reassembly and only
modifies stuff in the ip header to their own functions. pass them what they
need instead of making them get the info from a rule ptr.
ok dlg ryan

Revision 1.113 / (download) - annotate - [select for diffs], Wed May 7 07:07:29 2008 UTC (16 years, 1 month ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_4_4_BASE, OPENBSD_4_4
Changes since 1.112: +4 -1 lines
Diff to previous 1.112 (colored)

scrub packets based on tags; ok henning

Revision 1.112 / (download) - annotate - [select for diffs], Wed May 7 06:23:30 2008 UTC (16 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.111: +22 -1 lines
Diff to previous 1.111 (colored)

allow setting TOS with scrub; ok mcbride, claudio

Revision 1.111 / (download) - annotate - [select for diffs], Sun Dec 30 10:32:24 2007 UTC (16 years, 5 months ago) by mglocker
Branch: MAIN
CVS Tags: OPENBSD_4_3_BASE, OPENBSD_4_3
Changes since 1.110: +5 -5 lines
Diff to previous 1.110 (colored)

In pf_normalize_tcpopt() call pf_pull_hdr() address family safe.

OK dhartmei@

Revision 1.110 / (download) - annotate - [select for diffs], Sun Dec 30 00:16:39 2007 UTC (16 years, 5 months ago) by mglocker
Branch: MAIN
Changes since 1.109: +10 -3 lines
Diff to previous 1.109 (colored)

Make "scrub max-mss" rule work correctly;

In pf_normalize_tcpopt() pull the TCP options before processing them.
This gets the correct TCP options even if an mbuf chain was used, instead
of, as before, pointing into an invalid mbuf data buffer.

Will close PR 5623.  Diff done together with dhartmei@.

OK dhartmei@

Revision 1.109 / (download) - annotate - [select for diffs], Mon May 28 17:16:39 2007 UTC (17 years ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_4_2_BASE, OPENBSD_4_2
Changes since 1.108: +3 -27 lines
Diff to previous 1.108 (colored)

double pf performance.
boring details:
pf used to use an mbuf tag to keep track of route-to etc, altq, tags,
routing table IDs, packets redirected to localhost etc. so each and every
packet going through pf got an mbuf tag. mbuf tags use malloc'd memory,
and that is kinda slow.
instead, stuff the information into the mbuf header directly.
bridging soekris with just "pass" as ruleset went from 29 MBit/s to
58 MBit/s with that (before ryan's randomness fix, now it is even betterer)
thanks to chris for the test setup!
ok ryan ryan ckuethe reyk

Revision 1.108 / (download) - annotate - [select for diffs], Sat May 26 00:36:03 2007 UTC (17 years ago) by krw
Branch: MAIN
Changes since 1.107: +2 -2 lines
Diff to previous 1.107 (colored)

More comment typos from Diego Casati. Including winners like funtion, allmost,
oustside, seqencer, toghether, nessissary, etc.

Revision 1.104.2.2 / (download) - annotate - [select for diffs], Fri Jun 30 08:32:56 2006 UTC (17 years, 11 months ago) by brad
Branch: OPENBSD_3_9
Changes since 1.104.2.1: +25 -1 lines
Diff to previous 1.104.2.1 (colored) to branchpoint 1.104 (colored) next main 1.105 (colored)

MFC:
Fix by pascoe@

After fragment reassembly/trimming, pf must revalidate the mbuf tag of the
altered chain.  The cached tag may have already been freed via m_cat.

ok pascoe@

Revision 1.102.2.2 / (download) - annotate - [select for diffs], Tue May 2 22:08:47 2006 UTC (18 years, 1 month ago) by brad
Branch: OPENBSD_3_8
Changes since 1.102.2.1: +22 -5 lines
Diff to previous 1.102.2.1 (colored) to branchpoint 1.102 (colored) next main 1.103 (colored)

MFC:
Fix by dhartmei@

fixup IP checksum when modifying IP header fields, based on a patch in
fbsd PR 93849 from Max Laier

Revision 1.104.2.1 / (download) - annotate - [select for diffs], Tue May 2 22:00:04 2006 UTC (18 years, 1 month ago) by brad
Branch: OPENBSD_3_9
Changes since 1.104: +22 -5 lines
Diff to previous 1.104 (colored)

MFC:
Fix by dhartmei@

fixup IP checksum when modifying IP header fields, based on a patch in
fbsd PR 93849 from Max Laier

Revision 1.107 / (download) - annotate - [select for diffs], Sun Apr 16 00:59:52 2006 UTC (18 years, 1 month ago) by pascoe
Branch: MAIN
CVS Tags: OPENBSD_4_1_BASE, OPENBSD_4_1, OPENBSD_4_0_BASE, OPENBSD_4_0
Changes since 1.106: +25 -1 lines
Diff to previous 1.106 (colored)

After fragment reassembly/trimming, pf must revalidate the mbuf tag of the
altered chain.  The cached tag may have already been freed via m_cat.

Revision 1.106 / (download) - annotate - [select for diffs], Sat Mar 25 20:55:24 2006 UTC (18 years, 2 months ago) by dhartmei
Branch: MAIN
Changes since 1.105: +22 -5 lines
Diff to previous 1.105 (colored)

fixup IP checksum when modifying IP header fields, based on a patch in
fbsd PR 93849 from Max Laier, ok claudio@

Revision 1.105 / (download) - annotate - [select for diffs], Tue Mar 14 11:09:42 2006 UTC (18 years, 2 months ago) by djm
Branch: MAIN
Changes since 1.104: +13 -7 lines
Diff to previous 1.104 (colored)

implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@
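
A strict unicast RPF check is short to write but its failure mode (the "only when routing is fully symmetric" caveat above) is easy to underestimate. The code below is an added example, not pf's implementation: a longest-prefix lookup over a constructed three-route IPv4 table, and a check that the route for the packet's source points back out the receiving interface. Addresses are in host byte order and interface numbers are made up for the example.

```c
/*
 * Added example, not pf code: a strict unicast RPF check over a toy IPv4
 * routing table. The packet passes only when the longest-prefix route for
 * its source address leads back out the interface it arrived on. Table,
 * addresses and interface numbers are constructed; addresses are host order.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

struct route { uint32_t net; uint8_t plen; int ifindex; };

/* Constructed table: default via if 1, 10.0.0.0/8 via if 2, 10.1.2.0/24 via if 3. */
static const struct route rtable[] = {
    { 0x00000000u,  0, 1 },
    { 0x0a000000u,  8, 2 },
    { 0x0a010200u, 24, 3 },
};

static uint32_t prefix_mask(uint8_t plen)
{
    return plen == 0 ? 0 : 0xffffffffu << (32 - plen);
}

/* Longest-prefix match: interface the route for dst points to, or -1. */
static int rt_lookup_if(uint32_t dst)
{
    int best = -1, bestlen = -1;
    size_t i;

    for (i = 0; i < sizeof rtable / sizeof rtable[0]; i++) {
        const struct route *r = &rtable[i];
        if ((dst & prefix_mask(r->plen)) == r->net && r->plen > bestlen) {
            best = r->ifindex;
            bestlen = r->plen;
        }
    }
    return best;
}

/*
 * Strict uRPF: 1 = accept, 0 = drop. The source must be routed back through
 * rcvif. With asymmetric routing a legitimate source can arrive on another
 * interface and is dropped just the same, which is why the check is opt-in.
 */
static int urpf_check(uint32_t src, int rcvif)
{
    int rif = rt_lookup_if(src);
    return rif >= 0 && rif == rcvif;
}

int main(void)
{
    printf("10.1.2.5 on if3: %d (expected path)\n", urpf_check(0x0a010205u, 3));
    printf("10.1.2.5 on if2: %d (spoofed, or asymmetric return path)\n",
        urpf_check(0x0a010205u, 2));
    printf("198.51.100.7 on if1: %d (default route)\n", urpf_check(0xc6336407u, 1));
    return 0;
}
```

The second line of output is the caveat in one number: the check cannot tell a spoofed 10.1.2.5 on if2 from a genuine one that took an asymmetric path, so on a multi-homed box it has to be enabled per interface with the routing in mind.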

Revision 1.102.2.1 / (download) - annotate - [select for diffs], Thu Jan 19 21:52:53 2006 UTC (18 years, 4 months ago) by brad
Branch: OPENBSD_3_8
Changes since 1.102: +2 -2 lines
Diff to previous 1.102 (colored)

MFC:
Fix by dhartmei@

fix a bug in the fragment cache (used for 'scrub fragment crop/drop-ovl',
but not 'fragment reassemble'), which can cause some fragments to get
inserted into the cache twice, thereby violating an invariant, and
panicking the system subsequently.

ok deraadt@ dhartmei@

Revision 1.97.2.1 / (download) - annotate - [select for diffs], Thu Jan 19 21:51:36 2006 UTC (18 years, 4 months ago) by brad
Branch: OPENBSD_3_7
Changes since 1.97: +2 -2 lines
Diff to previous 1.97 (colored) next main 1.98 (colored)

MFC:
Fix by dhartmei@

fix a bug in the fragment cache (used for 'scrub fragment crop/drop-ovl',
but not 'fragment reassemble'), which can cause some fragments to get
inserted into the cache twice, thereby violating an invariant, and panicking
the system subsequently.

ok deraadt@ dhartmei@

Revision 1.104 / (download) - annotate - [select for diffs], Wed Jan 18 22:03:21 2006 UTC (18 years, 4 months ago) by dhartmei
Branch: MAIN
CVS Tags: OPENBSD_3_9_BASE
Branch point for: OPENBSD_3_9
Changes since 1.103: +2 -2 lines
Diff to previous 1.103 (colored)

fix a bug in the fragment cache (used for 'scrub fragment crop/drop-ovl',
but not 'fragment reassemble'), which can cause some fragments to get
inserted into the cache twice, thereby violating an invariant, and panicking
the system subsequently. ok deraadt@

Revision 1.103 / (download) - annotate - [select for diffs], Mon Oct 17 08:43:35 2005 UTC (18 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.102: +10 -17 lines
Diff to previous 1.102 (colored)

make pf use one mbuf tag instead of 6 distinct ones. use a little struct
in the data part for the data from the previously distinct tags.
look up the tag early and carry a pointer to it around.
makes the code easier and saves some tag lookups and thus helps performance,
as proven by tests run by Schöberle Dániel <Schoeberle.Daniel@aamtech.hu>
Initially hacked up somewhere over the atlantic ocean in an A330
early testing reyk and moritz, "put it in" theo

Revision 1.102 / (download) - annotate - [select for diffs], Sat Aug 6 12:11:09 2005 UTC (18 years, 10 months ago) by pascoe
Branch: MAIN
CVS Tags: OPENBSD_3_8_BASE
Branch point for: OPENBSD_3_8
Changes since 1.101: +3 -3 lines
Diff to previous 1.101 (colored)

correct some spellos

Revision 1.101 / (download) - annotate - [select for diffs], Mon Jun 13 20:17:25 2005 UTC (18 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.100: +13 -7 lines
Diff to previous 1.100 (colored)

make the packet and byte counters on rules and src nodes per direction,
matches the counters on states now. also fix the counting on scrub rules
where we previously did not handle the byte counters at all.
extend pfctl -sl output to include the new separate in/out counters
hacked on the ferry from Earls Cove to Saltery Bay
ok ryan

Revision 1.100 / (download) - annotate - [select for diffs], Fri May 27 17:22:41 2005 UTC (19 years ago) by dhartmei
Branch: MAIN
Changes since 1.99: +8 -8 lines
Diff to previous 1.99 (colored)

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v is used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.

Revision 1.99 / (download) - annotate - [select for diffs], Sun May 22 16:22:41 2005 UTC (19 years ago) by dhartmei
Branch: MAIN
Changes since 1.98: +3 -3 lines
Diff to previous 1.98 (colored)

honour the 'no' in 'no scrub' rules for IP normalizations. found by
mzozd at ad2u dot gr. ok henning@, mcbride@

Revision 1.98 / (download) - annotate - [select for diffs], Sat May 21 21:03:57 2005 UTC (19 years ago) by henning
Branch: MAIN
Changes since 1.97: +4 -7 lines
Diff to previous 1.97 (colored)

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo

Revision 1.97 / (download) - annotate - [select for diffs], Tue Sep 21 16:59:12 2004 UTC (19 years, 8 months ago) by aaron
Branch: MAIN
CVS Tags: OPENBSD_3_7_BASE
Branch point for: OPENBSD_3_7
Changes since 1.96: +2 -2 lines
Diff to previous 1.96 (colored)

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}".  henning@, dhartmei@ ok

Revision 1.96 / (download) - annotate - [select for diffs], Sat Jul 17 00:17:27 2004 UTC (19 years, 10 months ago) by frantzen
Branch: MAIN
CVS Tags: OPENBSD_3_6_BASE, OPENBSD_3_6
Changes since 1.95: +10 -8 lines
Diff to previous 1.95 (colored)

Repair breakage from the hackathon's time conversion.  Using the timestamp
as an extension to the sequence number got disabled because of the failing idle
limit on PAWS checks.  One more thing off my todo list.  I need an intern

Revision 1.95 / (download) - annotate - [select for diffs], Sun Jul 11 15:54:21 2004 UTC (19 years, 10 months ago) by itojun
Branch: MAIN
Changes since 1.94: +16 -121 lines
Diff to previous 1.94 (colored)

backout IPv6 reass-on-scrub patch (more work needs to be done).
requested by deraadt

Revision 1.94 / (download) - annotate - [select for diffs], Mon Jul 5 00:15:20 2004 UTC (19 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.93: +14 -10 lines
Diff to previous 1.93 (colored)

KNF

Revision 1.93 / (download) - annotate - [select for diffs], Sat Jul 3 05:57:12 2004 UTC (19 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.92: +6 -1 lines
Diff to previous 1.92 (colored)

quick workaround until proper PF_FORWARD reass gets implemented.

Revision 1.92 / (download) - annotate - [select for diffs], Fri Jun 25 11:04:03 2004 UTC (19 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.91: +3 -3 lines
Diff to previous 1.91 (colored)

correct "scrub in" behavior for IPv6.
remaining TODO:
- "forward" case kernel behavior (IPv4 too), then pfctl syntax change
- red-black tree

Revision 1.91 / (download) - annotate - [select for diffs], Fri Jun 25 00:42:58 2004 UTC (19 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.90: +116 -16 lines
Diff to previous 1.90 (colored)

IPv6 reassembly on "scrub" directive.

caveats: (to be addressed soon)
- "scrub in" should queue fragments back into ip6intrq again, but
  somehow it does not happen - the packet is kept inside reass queue.
  need investigation
- ip6_forwarding path is not tested
- does not use red-black tree.  somehow red-black tree behaved badly
  and was not robust.  performance issue, the above one is more
  important.

good things:
- "scrub out" is perfectly ok
- i think now we can inspect upper-layer protocol fields (tcp port)
  even if ip6 packet is fragmented.
- reass queue will be cleaned up properly by timeout (60sec).  we might
  want to impose pool limit as well

Revision 1.90 / (download) - annotate - [select for diffs], Thu Jun 24 19:35:25 2004 UTC (19 years, 11 months ago) by tholo
Branch: MAIN
Changes since 1.89: +6 -5 lines
Diff to previous 1.89 (colored)

This moves access to wall and uptime variables in MI code,
encapsulating all such access into wall-defined functions
that makes sure locking is done as needed.

It also cleans up some uses of wall time vs. uptime some
places, but there is sure to be more of these needed as
well, particularly in MD code.  Also, many current calls
to microtime() should probably be changed to getmicrotime(),
or to the {,get}microuptime() versions.

ok art@ deraadt@ aaron@ matthieu@ beck@ sturm@ millert@ others
"Oh, that is not your problem!" from miod@

Revision 1.89 / (download) - annotate - [select for diffs], Mon Jun 21 23:50:36 2004 UTC (19 years, 11 months ago) by tholo
Branch: MAIN
Changes since 1.88: +8 -8 lines
Diff to previous 1.88 (colored)

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@

Revision 1.14.4.10 / (download) - annotate - [select for diffs], Sun Jun 13 08:50:17 2004 UTC (19 years, 11 months ago) by niklas
Branch: SMP
Changes since 1.14.4.9: +6 -6 lines
Diff to previous 1.14.4.9 (colored) to branchpoint 1.14 (colored) next main 1.15 (colored)

sync to HEAD

Revision 1.88 / (download) - annotate - [select for diffs], Thu Jun 10 14:22:54 2004 UTC (19 years, 11 months ago) by dhartmei
Branch: MAIN
CVS Tags: SMP_SYNC_A
Changes since 1.87: +7 -7 lines
Diff to previous 1.87 (colored)

rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
keyword in C++. ok henning@, cedric@

Revision 1.14.4.9 / (download) - annotate - [select for diffs], Sat Jun 5 23:11:24 2004 UTC (20 years ago) by niklas
Branch: SMP
Changes since 1.14.4.8: +338 -35 lines
Diff to previous 1.14.4.8 (colored) to branchpoint 1.14 (colored)

Merge with the trunk

Revision 1.87 / (download) - annotate - [select for diffs], Tue May 11 07:34:11 2004 UTC (20 years ago) by dhartmei
Branch: MAIN
CVS Tags: SMP_SYNC_B
Changes since 1.86: +9 -6 lines
Diff to previous 1.86 (colored)

pf_cksum_fixup() was called without last argument from normalization,
also fixup checksum when random-id modifies ip_id. This would previously
lead to incorrect checksums for packets modified by scrub random-id.
From Pyun YongHyeon. ok cedric@
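The checksum point made in this entry, and also in 1.106 (the IP header checksum fixup) and 1.53 (random-id) further down this log, as an added example that is not pf's code: the incremental one's-complement update of RFC 1624 that pf_cksum_fixup() provides, applied to a constructed IPv4 header whose ip_id is rewritten the way scrub random-id does. The header bytes, addresses and field offsets are constructed for the example; the first demo reproduces the stale-checksum defect this entry fixed, the second applies the fixup and compares it against a full recompute, and the RFC 1624 worked example (HC 0xdd2f, 0x5555 replaced by 0x3285, giving 0x0000) is used as a known answer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_ID_OFF	4	/* byte offsets in the IPv4 header */
#define IP_SUM_OFF	10
#define IP_HDR_LEN	20

/* RFC 1071 one's-complement sum over len bytes, returned inverted. */
static uint16_t ip_cksum(const uint8_t *buf, size_t len)
{
	uint32_t sum = 0;

	for (; len > 1; buf += 2, len -= 2)
		sum += ((uint32_t)buf[0] << 8) | buf[1];
	if (len > 0)
		sum += (uint32_t)buf[0] << 8;
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return ((uint16_t)~sum);
}

/* 16-bit one's-complement addition with end-around carry. */
static uint16_t ones_add(uint16_t a, uint16_t b)
{
	uint32_t s = (uint32_t)a + b;

	while (s >> 16)
		s = (s & 0xffff) + (s >> 16);
	return ((uint16_t)s);
}

/*
 * Incremental update, RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'). hc is the
 * checksum as stored, m the old and mprime the new value of the word.
 */
static uint16_t cksum_fixup(uint16_t hc, uint16_t m, uint16_t mprime)
{
	return ((uint16_t)~ones_add(ones_add((uint16_t)~hc, (uint16_t)~m),
	    mprime));
}

static uint16_t get16(const uint8_t *p) { return ((uint16_t)(p[0] << 8 | p[1])); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* A receiver's check: the sum over the whole header must be zero. */
static int ip_header_ok(const uint8_t *hdr)
{
	return (ip_cksum(hdr, IP_HDR_LEN) == 0);
}

/* Constructed 20-byte header (TEST-NET addresses) with a valid checksum. */
static void build_header(uint8_t *hdr, uint16_t id)
{
	static const uint8_t tmpl[IP_HDR_LEN] = {
		0x45, 0x00, 0x00, 0x3c,	/* v4, IHL 5, TOS 0, total length 60 */
		0x00, 0x00, 0x40, 0x00,	/* id (set below), DF, offset 0 */
		0x40, 0x06, 0x00, 0x00,	/* TTL 64, TCP, checksum (set below) */
		192, 0, 2, 1, 198, 51, 100, 7	/* 192.0.2.1 -> 198.51.100.7 */
	};

	memcpy(hdr, tmpl, IP_HDR_LEN);
	put16(hdr + IP_ID_OFF, id);
	put16(hdr + IP_SUM_OFF, ip_cksum(hdr, IP_HDR_LEN));
}

/* The defect the 1.87 entry describes: ip_id rewritten, checksum stale. */
static int demo_without_fixup(void)
{
	uint8_t hdr[IP_HDR_LEN];

	build_header(hdr, 0x1234);
	put16(hdr + IP_ID_OFF, 0xbeef);
	return (ip_header_ok(hdr));	/* 0: a receiver would drop this */
}

/* Rewrite plus incremental fixup, compared against a full recompute. */
static int demo_with_fixup(void)
{
	uint8_t hdr[IP_HDR_LEN], full[IP_HDR_LEN];
	uint16_t old_id, hc;

	build_header(hdr, 0x1234);
	old_id = get16(hdr + IP_ID_OFF);
	hc = get16(hdr + IP_SUM_OFF);
	put16(hdr + IP_ID_OFF, 0xbeef);
	put16(hdr + IP_SUM_OFF, cksum_fixup(hc, old_id, 0xbeef));
	build_header(full, 0xbeef);
	return (ip_header_ok(hdr) &&
	    get16(hdr + IP_SUM_OFF) == get16(full + IP_SUM_OFF));
}

int main(void)
{
	printf("stale: %d, fixed up: %d, RFC 1624 example: 0x%04x\n",
	    demo_without_fixup(), demo_with_fixup(),
	    (unsigned)cksum_fixup(0xdd2f, 0x5555, 0x3285));
	return (0);
}
```

The eq. 3 form is used rather than the older RFC 1141 update because the latter can produce 0xffff where a full recompute gives 0x0000; with eq. 3 the incremental result is bit-identical to a recompute for any real header, which is what the second demo checks. The same routine applies to a TTL rewrite (min-ttl) or any other 16-bit aligned field.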

Revision 1.86 / (download) - annotate - [select for diffs], Sun May 9 00:16:38 2004 UTC (20 years ago) by dhartmei
Branch: MAIN
Changes since 1.85: +2 -2 lines
Diff to previous 1.85 (colored)

Don't dereference scrub pointer when it's NULL, fix PR 3775, from
Marc Huber. ok deraadt@

Revision 1.85 / (download) - annotate - [select for diffs], Wed May 5 23:16:03 2004 UTC (20 years, 1 month ago) by frantzen
Branch: MAIN
Changes since 1.84: +308 -17 lines
Diff to previous 1.84 (colored)

Use RFC1323 PAWS timestamps as a logical extension to the conventional TCP
sequence numbers by taking advantage of the maximum 1KHz clock as an upper bound
on the timestamp.  Typically gains 10 to 18 bits of additional security against
blind data insertion attacks.  More if the TS Echo wasn't optional :-(
Enabled with:  scrub on !lo0 all reassemble tcp
ok dhartmei@.  documentation help from jmc@

Revision 1.75.2.1 / (download) - annotate - [select for diffs], Fri Apr 30 23:28:36 2004 UTC (20 years, 1 month ago) by brad
Branch: OPENBSD_3_4
Changes since 1.75: +5 -5 lines
Diff to previous 1.75 (colored) next main 1.76 (colored)

MFC:
Fix by frantzen@

be careful about option lengths

ok deraadt@

Revision 1.80.2.1 / (download) - annotate - [select for diffs], Fri Apr 30 21:46:33 2004 UTC (20 years, 1 month ago) by brad
Branch: OPENBSD_3_5
Changes since 1.80: +5 -5 lines
Diff to previous 1.80 (colored) next main 1.81 (colored)

MFC:
Fix by dhartmei@

prevent an endless loop with route-to lo0, fixes PR 3736

ok deraadt@ dhartmei@

Revision 1.84 / (download) - annotate - [select for diffs], Wed Apr 28 02:43:09 2004 UTC (20 years, 1 month ago) by pb
Branch: MAIN
Changes since 1.83: +2 -2 lines
Diff to previous 1.83 (colored)

Don't step into INET6 code, just because af != AF_INET
Also comment #endif properly while being here

ok mcbride@

Revision 1.83 / (download) - annotate - [select for diffs], Tue Apr 27 18:28:07 2004 UTC (20 years, 1 month ago) by frantzen
Branch: MAIN
Changes since 1.82: +9 -4 lines
Diff to previous 1.82 (colored)

validate the sequence numbers on TCP resets are an exact match.  check is only
enabled when we're doing full frag reassembly and thus have full seq info
ok markus@

Revision 1.82 / (download) - annotate - [select for diffs], Mon Apr 26 02:03:38 2004 UTC (20 years, 1 month ago) by mcbride
Branch: MAIN
Changes since 1.81: +3 -2 lines
Diff to previous 1.81 (colored)

Prevent biases in arc4random() from disclosing the byte order of the firewall.

ok deraadt@

Revision 1.81 / (download) - annotate - [select for diffs], Sat Apr 24 19:14:48 2004 UTC (20 years, 1 month ago) by frantzen
Branch: MAIN
Changes since 1.80: +5 -5 lines
Diff to previous 1.80 (colored)

be careful about option lengths.  ok henning@ mcbride@

Revision 1.80 / (download) - annotate - [select for diffs], Tue Mar 9 21:44:41 2004 UTC (20 years, 2 months ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_3_5_BASE
Branch point for: OPENBSD_3_5
Changes since 1.79: +2 -2 lines
Diff to previous 1.79 (colored)

KNF, ok cedric@ deraadt@

Revision 1.14.4.8 / (download) - annotate - [select for diffs], Thu Feb 19 10:57:22 2004 UTC (20 years, 3 months ago) by niklas
Branch: SMP
Changes since 1.14.4.7: +329 -132 lines
Diff to previous 1.14.4.7 (colored) to branchpoint 1.14 (colored)

Merge of current from two weeks ago into the SMP branch

Revision 1.79 / (download) - annotate - [select for diffs], Tue Feb 10 18:49:10 2004 UTC (20 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.78: +8 -5 lines
Diff to previous 1.78 (colored)

KNF

Revision 1.78 / (download) - annotate - [select for diffs], Fri Jan 16 21:15:42 2004 UTC (20 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.77: +2 -2 lines
Diff to previous 1.77 (colored)

Fix IPv6 stateful tcp scrubbing by not dereferencing a null pointer.

ok dhartmei@ frantzen@

Revision 1.77 / (download) - annotate - [select for diffs], Wed Dec 31 11:18:25 2003 UTC (20 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.76: +18 -14 lines
Diff to previous 1.76 (colored)

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now support multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@

Revision 1.76 / (download) - annotate - [select for diffs], Thu Dec 18 20:13:23 2003 UTC (20 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.75: +6 -4 lines
Diff to previous 1.75 (colored)

TCP timestamp modulation (scrub reassemble tcp) fix from frantzen@

Revision 1.55.2.1 / (download) - annotate - [select for diffs], Wed Sep 24 19:31:19 2003 UTC (20 years, 8 months ago) by brad
Branch: OPENBSD_3_3
Changes since 1.55: +78 -74 lines
Diff to previous 1.55 (colored) next main 1.56 (colored)

MFC:
Fix by dhartmei@

Fix three cases of potential accesses to free'd memory. At least one of
them could be used to panic pf with scrub rules remotely. Found by
Rob Pickering.

ok millert@

Revision 1.35.2.1 / (download) - annotate - [select for diffs], Wed Sep 24 19:20:31 2003 UTC (20 years, 8 months ago) by brad
Branch: OPENBSD_3_2
Changes since 1.35: +77 -74 lines
Diff to previous 1.35 (colored) next main 1.36 (colored)

MFC:
Fix by dhartmei@

Fix three cases of potential accesses to free'd memory. At least one of
them could be used to panic pf with scrub rules remotely. Found by
Rob Pickering.

ok millert@

Revision 1.75 / (download) - annotate - [select for diffs], Fri Aug 29 01:49:08 2003 UTC (20 years, 9 months ago) by dhartmei
Branch: MAIN
CVS Tags: OPENBSD_3_4_BASE
Branch point for: OPENBSD_3_4
Changes since 1.74: +78 -74 lines
Diff to previous 1.74 (colored)

Fix three cases of potential accesses to free'd memory. At least one of
them could be used to panic pf with scrub rules remotely. Found by
Rob Pickering. ok frantzen@, henning

Revision 1.74 / (download) - annotate - [select for diffs], Fri Aug 22 21:50:34 2003 UTC (20 years, 9 months ago) by david
Branch: MAIN
Changes since 1.73: +6 -6 lines
Diff to previous 1.73 (colored)

pf spelling police
ok dhartmei@ jmc@

Revision 1.73 / (download) - annotate - [select for diffs], Fri Aug 22 15:19:23 2003 UTC (20 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.72: +2 -2 lines
Diff to previous 1.72 (colored)

KNF

Revision 1.72 / (download) - annotate - [select for diffs], Thu Aug 21 19:12:08 2003 UTC (20 years, 9 months ago) by frantzen
Branch: MAIN
Changes since 1.71: +5 -1 lines
Diff to previous 1.71 (colored)

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
	block proto tcp from any os SCO
	block proto tcp from any os Windows to any port smtp
	rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001

Revision 1.71 / (download) - annotate - [select for diffs], Thu Aug 14 19:00:12 2003 UTC (20 years, 9 months ago) by jason
Branch: MAIN
Changes since 1.70: +2 -2 lines
Diff to previous 1.70 (colored)

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.

Revision 1.70 / (download) - annotate - [select for diffs], Thu Jul 17 16:25:52 2003 UTC (20 years, 10 months ago) by frantzen
Branch: MAIN
Changes since 1.69: +25 -20 lines
Diff to previous 1.69 (colored)

fix scrub frag reassembly after the stack's ip_len/ip_off flip correction
ok itojun@ and dhartmei@.  heckling from henning@

Revision 1.69 / (download) - annotate - [select for diffs], Sat Jul 12 09:33:32 2003 UTC (20 years, 10 months ago) by dhartmei
Branch: MAIN
Changes since 1.68: +4 -4 lines
Diff to previous 1.68 (colored)

Prevent u_int16_t variable from overflowing and get rid of the compiler
warning. From Pyun YongHyeon. ok itojun@

Revision 1.68 / (download) - annotate - [select for diffs], Thu Jul 10 05:50:10 2003 UTC (20 years, 10 months ago) by itojun
Branch: MAIN
Changes since 1.67: +4 -3 lines
Diff to previous 1.67 (colored)

correct another incorrect comparison in ip6 normalization.
don't use m->m_pkthdr.len for checking, as it is not reliable

Revision 1.67 / (download) - annotate - [select for diffs], Thu Jul 10 04:20:59 2003 UTC (20 years, 10 months ago) by itojun
Branch: MAIN
Changes since 1.66: +2 -2 lines
Diff to previous 1.66 (colored)

wrong comparison of IPv6 packetsize

Revision 1.66 / (download) - annotate - [select for diffs], Wed Jul 9 22:11:08 2003 UTC (20 years, 10 months ago) by itojun
Branch: MAIN
Changes since 1.65: +3 -1 lines
Diff to previous 1.65 (colored)

check if m->m_pkthdr.len is too short

Revision 1.65 / (download) - annotate - [select for diffs], Wed Jul 9 22:09:20 2003 UTC (20 years, 10 months ago) by itojun
Branch: MAIN
Changes since 1.64: +9 -9 lines
Diff to previous 1.64 (colored)

don't check exact ip6_plen and m->m_pkthdr.len match, as ip6_input()
does the m_adj() only after filtering.  reported by marc

Revision 1.64 / (download) - annotate - [select for diffs], Wed Jul 9 22:03:16 2003 UTC (20 years, 10 months ago) by itojun
Branch: MAIN
Changes since 1.63: +44 -37 lines
Diff to previous 1.63 (colored)

do not flip ip_len/ip_off in netinet stack.  deraadt ok.
(please test, especially PF portion)

Revision 1.63 / (download) - annotate - [select for diffs], Wed Jul 9 07:18:50 2003 UTC (20 years, 10 months ago) by dhartmei
Branch: MAIN
Changes since 1.62: +3 -2 lines
Diff to previous 1.62 (colored)

KNF

Revision 1.62 / (download) - annotate - [select for diffs], Tue Jul 1 00:28:52 2003 UTC (20 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.61: +3 -1 lines
Diff to previous 1.61 (colored)

wrap pf_normalize_ip6() by #ifdef INET6.  pointed out by Wouter Clarie

Revision 1.61 / (download) - annotate - [select for diffs], Sun Jun 29 23:37:12 2003 UTC (20 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.60: +168 -1 lines
Diff to previous 1.60 (colored)

normalize IPv6 packet (no reass, but it is a start).  dhartmei & henning ok
- length, jumbo payload option
- TTL ("hoplimit" in IPv6 terminology) rewrite

Revision 1.60 / (download) - annotate - [select for diffs], Sat Jun 28 07:27:20 2003 UTC (20 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.59: +1 -3 lines
Diff to previous 1.59 (colored)

redundant (pfvar.h already have it)

Revision 1.16.2.4 / (download) - annotate - [select for diffs], Mon May 19 22:29:35 2003 UTC (21 years ago) by tedu
Branch: UBC
Changes since 1.16.2.3: +318 -141 lines
Diff to previous 1.16.2.3 (colored) to branchpoint 1.16 (colored) next main 1.17 (colored)

sync

Revision 1.14.4.7 / (download) - annotate - [select for diffs], Fri May 16 00:29:44 2003 UTC (21 years ago) by niklas
Branch: SMP
Changes since 1.14.4.6: +120 -12 lines
Diff to previous 1.14.4.6 (colored) to branchpoint 1.14 (colored)

merge the trunk so we will get the genfs and locking fixes

Revision 1.59 / (download) - annotate - [select for diffs], Wed May 14 23:46:45 2003 UTC (21 years ago) by frantzen
Branch: MAIN
CVS Tags: UBC_SYNC_A
Changes since 1.58: +116 -8 lines
Diff to previous 1.58 (colored)

- modulate TCP Timestamps so they can't be used to detect NAT and to preclude
remote uptime determination
- scrub modifier "reassemble tcp" turns on stateful TCP normalizations
ok henning@ dhartmei@

Revision 1.58 / (download) - annotate - [select for diffs], Wed May 14 08:42:00 2003 UTC (21 years ago) by canacar
Branch: MAIN
Changes since 1.57: +5 -5 lines
Diff to previous 1.57 (colored)

Use official (from pcap people) link type for pflog.
With this change, the log header format also changes.
The new log format is extendible and allows logging
of the originating anchor and ruleset information.

ok henning@ dhartmei@ frantzen@

Revision 1.14.4.6 / (download) - annotate - [select for diffs], Tue May 13 19:36:16 2003 UTC (21 years ago) by ho
Branch: SMP
Changes since 1.14.4.5: +94 -3 lines
Diff to previous 1.14.4.5 (colored) to branchpoint 1.14 (colored)

Sync the SMP branch to -current. This includes moving to ELF.

Revision 1.57 / (download) - annotate - [select for diffs], Sun May 11 20:44:03 2003 UTC (21 years ago) by frantzen
Branch: MAIN
Changes since 1.56: +92 -1 lines
Diff to previous 1.56 (colored)

the start of stateful TCP scrubbing.  dynamically determine the highest TTL of
each side of the TCP connection and prevent it from being reduced
ok pb@ dhartmei@

Revision 1.56 / (download) - annotate - [select for diffs], Sat Apr 5 20:20:58 2003 UTC (21 years, 2 months ago) by cedric
Branch: MAIN
Changes since 1.55: +3 -3 lines
Diff to previous 1.55 (colored)

Replace the timeout variables by the content of the timeout
field of a new pf_default_rule structure.
ok dhartmei@

Revision 1.14.4.5 / (download) - annotate - [select for diffs], Fri Mar 28 00:41:29 2003 UTC (21 years, 2 months ago) by niklas
Branch: SMP
Changes since 1.14.4.4: +666 -197 lines
Diff to previous 1.14.4.4 (colored) to branchpoint 1.14 (colored)

Sync the SMP branch with 3.3

Revision 1.55 / (download) - annotate - [select for diffs], Tue Feb 18 08:05:15 2003 UTC (21 years, 3 months ago) by camield
Branch: MAIN
CVS Tags: OPENBSD_3_3_BASE
Branch point for: OPENBSD_3_3
Changes since 1.54: +1 -7 lines
Diff to previous 1.54 (colored)

Enforce min-ttl and random-id on inbound scrub as well as outbound.

ok dhartmei@

Revision 1.54 / (download) - annotate - [select for diffs], Wed Feb 12 20:43:36 2003 UTC (21 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.53: +10 -6 lines
Diff to previous 1.53 (colored)

Address the NFS problems recently discussed in various threads.

Change semantics of scrub option 'no-df' slightly: if the option is used,
it now also applies to _fragments_ with IP_DF set, not just to complete
packets. Hence, adding 'no-df' to 'scrub in all fragment reassemble'
allows to clear IP_DF from fragments, so they don't get dropped but
reassembled.

This affects several UDP protocols that used PMTU discovery, mostly
Linux' NFS implementation. In short, if you have 'scrub in all' now,
you probably want to change that to 'scrub in all no-df', unless you
want to drop fragments with IP_DF set (some people have good reasons
to do the latter, hence the non-default option).

ok frantzen@, henning@, cedric@

Revision 1.53 / (download) - annotate - [select for diffs], Sat Feb 8 20:13:20 2003 UTC (21 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.52: +4 -1 lines
Diff to previous 1.52 (colored)

Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@

Revision 1.52 / (download) - annotate - [select for diffs], Sat Jan 25 19:47:05 2003 UTC (21 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.51: +7 -10 lines
Diff to previous 1.51 (colored)

Fix a bug that potentially caused fragments to be dropped when the
overlap calculation got negative. Found by Baruch Even. ok henning@

Revision 1.51 / (download) - annotate - [select for diffs], Thu Jan 9 15:58:35 2003 UTC (21 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.50: +4 -4 lines
Diff to previous 1.50 (colored)

(whitespace) KNF, re-fold -w 80

Revision 1.50 / (download) - annotate - [select for diffs], Tue Jan 7 00:21:07 2003 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.49: +7 -23 lines
Diff to previous 1.49 (colored)

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@

Revision 1.49 / (download) - annotate - [select for diffs], Sun Jan 5 22:14:23 2003 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.48: +15 -13 lines
Diff to previous 1.48 (colored)

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@

Revision 1.48 / (download) - annotate - [select for diffs], Sat Jan 4 17:40:51 2003 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.47: +9 -5 lines
Diff to previous 1.47 (colored)

move noroute from flag in pf_rule_addr into type in pf_addr_wrap.
ok henning@, mcbride@

Revision 1.47 / (download) - annotate - [select for diffs], Fri Jan 3 19:31:43 2003 UTC (21 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.46: +3 -3 lines
Diff to previous 1.46 (colored)

KNF

Revision 1.46 / (download) - annotate - [select for diffs], Wed Jan 1 16:07:45 2003 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.45: +3 -3 lines
Diff to previous 1.45 (colored)

KNF

Revision 1.45 / (download) - annotate - [select for diffs], Wed Jan 1 04:26:19 2003 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.44: +3 -7 lines
Diff to previous 1.44 (colored)

Remove skip step for action (scrub vs. non-scrub), as scrub rules are
stored in a separate list now. Regress tests still pass after
sed "s/ a=end / /g", other skip steps are not affected.

Revision 1.44 / (download) - annotate - [select for diffs], Tue Dec 31 19:18:41 2002 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.43: +11 -5 lines
Diff to previous 1.43 (colored)

Split scrub rules out from the filter rules in the kernel.
Precursor to removing rule.action from skip steps.

Also a couple of other small fixes:
- s/PF_RULESET_RULE/PF_RULESET_FILTER/
- replacement of 4 with PF_RULESET_MAX in pfvar.h struct ruleset {
- error handling in ioctl of an invalid value in rule.action
- counting evaluations and matching packets for scrub rules

ok henning@ dhartmei@

Revision 1.43 / (download) - annotate - [select for diffs], Wed Dec 18 19:17:07 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.42: +54 -52 lines
Diff to previous 1.42 (colored)

KNF

Revision 1.42 / (download) - annotate - [select for diffs], Wed Dec 18 16:28:40 2002 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.41: +17 -17 lines
Diff to previous 1.41 (colored)

Pass skip step values through ioctl interface, pfctl -vvsr shows them,
main purpose is making them regress-testable.

Revision 1.41 / (download) - annotate - [select for diffs], Tue Dec 17 12:30:13 2002 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.40: +3 -3 lines
Diff to previous 1.40 (colored)

Merge pf_nat/pf_binat/pf_rdr structs into pf_rule. Simplifies code, allows
skip steps on translation rules.

Also:
- Require a ticket for DIOCCHANGERULE operations to prevent races.
- Remove pf_compare_* functions from pf_ioctl.c. DIOCCHANGE* operations
  use a rule number, and comparisons happen in userland.

Testing and fixes from dhartmei@ and frantzen@

ok dhartmei@ henning@

Revision 1.40 / (download) - annotate - [select for diffs], Fri Dec 6 00:47:32 2002 UTC (21 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.39: +9 -7 lines
Diff to previous 1.39 (colored)

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@

Revision 1.39 / (download) - annotate - [select for diffs], Sat Nov 23 05:16:58 2002 UTC (21 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.38: +9 -9 lines
Diff to previous 1.38 (colored)

kernel code to allow multiple redirection addresses to be specified for nat
and rdr, as well as route-to, dup-to and reply-to.

Addresses can be allocated in a number of ways:
- masking out the network portion of the address and replacing it
- randomly assigning an address in the block
- hashing the source address and a key to determine the redirection address
- iterating through the addresses sequentially (this is the only allocation
  scheme which works when a list of addresses is specified)

ok dhartmei@ henning@

Revision 1.38 / (download) - annotate - [select for diffs], Tue Oct 29 19:51:04 2002 UTC (21 years, 7 months ago) by mickey
Branch: MAIN
Changes since 1.37: +3 -19 lines
Diff to previous 1.37 (colored)

keep all pflog goodies in pflog sources, avoids code duplications; okski frantzen@ and dhartmei@

Revision 1.16.2.3 / (download) - annotate - [select for diffs], Tue Oct 29 00:36:46 2002 UTC (21 years, 7 months ago) by art
Branch: UBC
Changes since 1.16.2.2: +500 -69 lines
Diff to previous 1.16.2.2 (colored) to branchpoint 1.16 (colored)

sync to -current

Revision 1.37 / (download) - annotate - [select for diffs], Tue Oct 22 12:23:35 2002 UTC (21 years, 7 months ago) by mcbride
Branch: MAIN
CVS Tags: UBC_SYNC_B
Changes since 1.36: +3 -2 lines
Diff to previous 1.36 (colored)

Convert "int af" and "u_int8_t af" declarations and function arguments
to the more correct and descriptive "sa_family_t af"

ok dhartmei@ henning@

Revision 1.36 / (download) - annotate - [select for diffs], Mon Oct 7 14:53:00 2002 UTC (21 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.35: +4 -4 lines
Diff to previous 1.35 (colored)

-Wsign-compare clean

Revision 1.35 / (download) - annotate - [select for diffs], Fri Jun 28 00:08:23 2002 UTC (21 years, 11 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_3_2_BASE
Branch point for: OPENBSD_3_2
Changes since 1.34: +5 -5 lines
Diff to previous 1.34 (colored)

KNF

Revision 1.34 / (download) - annotate - [select for diffs], Tue Jun 11 18:03:24 2002 UTC (21 years, 11 months ago) by frantzen
Branch: MAIN
Changes since 1.33: +93 -51 lines
Diff to previous 1.33 (colored)

split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@.  the rest are slacking

Revision 1.16.2.2 / (download) - annotate - [select for diffs], Tue Jun 11 03:30:46 2002 UTC (21 years, 11 months ago) by art
Branch: UBC
Changes since 1.16.2.1: +146 -79 lines
Diff to previous 1.16.2.1 (colored) to branchpoint 1.16 (colored)

Sync UBC branch to -current

Revision 1.33 / (download) - annotate - [select for diffs], Tue Jun 11 03:22:04 2002 UTC (21 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.32: +16 -16 lines
Diff to previous 1.32 (colored)

KNF (tabs, return (x))

Revision 1.32 / (download) - annotate - [select for diffs], Tue Jun 11 02:27:19 2002 UTC (21 years, 11 months ago) by frantzen
Branch: MAIN
Changes since 1.31: +439 -50 lines
Diff to previous 1.31 (colored)

SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@

Revision 1.31 / (download) - annotate - [select for diffs], Mon Jun 10 17:05:11 2002 UTC (21 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.30: +1 -2 lines
Diff to previous 1.30 (colored)

Don't #include <sys/malloc.h>

Revision 1.30 / (download) - annotate - [select for diffs], Sat Jun 8 08:09:11 2002 UTC (22 years ago) by frantzen
Branch: MAIN
Changes since 1.29: +2 -1 lines
Diff to previous 1.29 (colored)

keep the count of fragments consistent when we have to do a fail safe drop

Revision 1.29 / (download) - annotate - [select for diffs], Fri Jun 7 21:14:02 2002 UTC (22 years ago) by frantzen
Branch: MAIN
Changes since 1.28: +39 -33 lines
Diff to previous 1.28 (colored)

switch from AVL trees to herr Provos' red-black trees
with suggestions from provos@
ok dhartmei@

Revision 1.28 / (download) - annotate - [select for diffs], Tue May 21 08:42:35 2002 UTC (22 years ago) by espie
Branch: MAIN
Changes since 1.27: +15 -16 lines
Diff to previous 1.27 (colored)

Junk gcc's deprecated __FUNCTION__. Use standard __func__ instead.
ok dhartmei@

Revision 1.27 / (download) - annotate - [select for diffs], Sun May 19 22:31:28 2002 UTC (22 years ago) by deraadt
Branch: MAIN
Changes since 1.26: +3 -3 lines
Diff to previous 1.26 (colored)

KNF again

Revision 1.26 / (download) - annotate - [select for diffs], Thu May 9 21:58:12 2002 UTC (22 years ago) by jasoni
Branch: MAIN
Changes since 1.25: +52 -1 lines
Diff to previous 1.25 (colored)

Add a max-mss option to the scrub rule which will enforce a maximum mss
by lowering it to the given value.
- ok dhartmei@, provos@

Revision 1.25 / (download) - annotate - [select for diffs], Mon May 6 15:49:54 2002 UTC (22 years, 1 month ago) by jasoni
Branch: MAIN
Changes since 1.24: +2 -2 lines
Diff to previous 1.24 (colored)

typo in comment

Revision 1.24 / (download) - annotate - [select for diffs], Wed Apr 24 18:10:25 2002 UTC (22 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.23: +5 -5 lines
Diff to previous 1.23 (colored)

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).

Revision 1.23 / (download) - annotate - [select for diffs], Sat Apr 20 18:26:03 2002 UTC (22 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.22: +2 -2 lines
Diff to previous 1.22 (colored)

Move normalization messages from log level 'urgent' to 'misc'.

Revision 1.22 / (download) - annotate - [select for diffs], Sat Apr 20 10:13:57 2002 UTC (22 years, 1 month ago) by fgsch
Branch: MAIN
Changes since 1.21: +3 -3 lines
Diff to previous 1.21 (colored)

All calls to pool_get(9) should use PR_xx flags, not M_xx.
millert dhartmei ok.

Revision 1.21 / (download) - annotate - [select for diffs], Wed Mar 27 18:16:21 2002 UTC (22 years, 2 months ago) by mickey
Branch: MAIN
CVS Tags: OPENBSD_3_1_BASE, OPENBSD_3_1
Changes since 1.20: +8 -5 lines
Diff to previous 1.20 (colored)

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok

Revision 1.14.4.4 / (download) - annotate - [select for diffs], Wed Mar 6 02:15:07 2002 UTC (22 years, 3 months ago) by niklas
Branch: SMP
Changes since 1.14.4.3: +34 -27 lines
Diff to previous 1.14.4.3 (colored) to branchpoint 1.14 (colored)

Merge in trunk

Revision 1.20 / (download) - annotate - [select for diffs], Tue Feb 26 07:25:33 2002 UTC (22 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.19: +1 -4 lines
Diff to previous 1.19 (colored)

Add optional pool memory hard limits, mainly as temporary solution
until pool exhaustion causes problems no more.

Revision 1.19 / (download) - annotate - [select for diffs], Mon Feb 25 00:29:07 2002 UTC (22 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.18: +7 -11 lines
Diff to previous 1.18 (colored)

Change timeouts from microtime() to time.tv_sec like in pf.c,
initialize fr_timeout, free frent in pf_reassemble() when it's
not inserted into a frag. ok provos@

Revision 1.18 / (download) - annotate - [select for diffs], Thu Feb 14 15:32:11 2002 UTC (22 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.17: +27 -13 lines
Diff to previous 1.17 (colored)

Add skip steps for rule action (pass/block vs. scrub) and direction
(in vs. out). This speeds up rule set evaluation considerably, because
the rules set used to be linearly traversed (even twice) when looking
for scrub rules. Ok frantzen@, deraadt@

Revision 1.16.2.1 / (download) - annotate - [select for diffs], Thu Jan 31 22:55:44 2002 UTC (22 years, 4 months ago) by niklas
Branch: UBC
Changes since 1.16: +3 -3 lines
Diff to previous 1.16 (colored)

Merge in -current, builds on i386, otherwise untested

Revision 1.17 / (download) - annotate - [select for diffs], Wed Jan 23 00:39:48 2002 UTC (22 years, 4 months ago) by art
Branch: MAIN
Changes since 1.16: +3 -3 lines
Diff to previous 1.16 (colored)

Pool deals fairly well with physical memory shortage, but it doesn't deal
well (not at all) with shortages of the vm_map where the pages are mapped
(usually kmem_map).

Try to deal with it:
 - group all information about the backend allocator for a pool in a separate
   struct. The pool will only have a pointer to that struct.
 - change the pool_init API to reflect that.
 - link all pools allocating from the same allocator on a linked list.
 - Since an allocator is responsible to wait for physical memory it will
   only fail (waitok) when it runs out of its backing vm_map, carefully
   drain pools using the same allocator so that va space is freed.
   (see comments in code for caveats and details).
 - change pool_reclaim to return if it actually succeeded to free some
   memory, use that information to make draining easier and more efficient.
 - get rid of PR_URGENT, no one uses it.

Revision 1.14.4.3 / (download) - annotate - [select for diffs], Wed Dec 5 01:02:40 2001 UTC (22 years, 6 months ago) by niklas
Branch: SMP
Changes since 1.14.4.2: +2 -1 lines
Diff to previous 1.14.4.2 (colored) to branchpoint 1.14 (colored)

Merge in -current

Revision 1.16 / (download) - annotate - [select for diffs], Mon Dec 3 22:25:06 2001 UTC (22 years, 6 months ago) by dhartmei
Branch: MAIN
CVS Tags: UBC_BASE
Branch point for: UBC
Changes since 1.15: +3 -2 lines
Diff to previous 1.15 (colored)

reason int -> u_short. From Mike Pechkin.

Revision 1.14.4.2 / (download) - annotate - [select for diffs], Tue Nov 13 22:59:58 2001 UTC (22 years, 6 months ago) by niklas
Branch: SMP
Changes since 1.14.4.1: +7 -7 lines
Diff to previous 1.14.4.1 (colored) to branchpoint 1.14 (colored)

merge in -current

Revision 1.15 / (download) - annotate - [select for diffs], Tue Nov 6 11:48:29 2001 UTC (22 years, 7 months ago) by dhartmei
Branch: MAIN
Changes since 1.14: +8 -8 lines
Diff to previous 1.14 (colored)

Use #defines for skip step values. From dgregor@net.ohio-state.edu.

Revision 1.14.4.1 / (download) - annotate - [select for diffs], Wed Oct 31 03:29:02 2001 UTC (22 years, 7 months ago) by nate
Branch: SMP
Changes since 1.14: +1 -1 lines
Diff to previous 1.14 (colored)

Sync the SMP branch to something just after 3.0

Revision 1.14 / (download) - annotate - [select for diffs], Wed Oct 17 22:21:42 2001 UTC (22 years, 7 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_3_0_BASE, OPENBSD_3_0
Branch point for: SMP
Changes since 1.13: +3 -1 lines
Diff to previous 1.13 (colored)

make sure we use same key for removal (AF_INET was missing), ok deraadt@, dhartmei@
reported by wizz@mniam.net

Revision 1.13 / (download) - annotate - [select for diffs], Sun Oct 7 21:34:27 2001 UTC (22 years, 8 months ago) by provos
Branch: MAIN
Changes since 1.12: +2 -2 lines
Diff to previous 1.12 (colored)

fixes pr/2105

Revision 1.12 / (download) - annotate - [select for diffs], Sat Sep 15 16:47:07 2001 UTC (22 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.11: +7 -7 lines
Diff to previous 1.11 (colored)

Don't use m_pkthdr.rcvif in pflog_packet(), it doesn't work for outgoing
packets and is obviously invalid (and not NULL) for IPv6 packets (hence
crashed). Pass ifp down instead.

sizeof(ih) instead of sizeof(&ih) for pf_pull_hdr() from pf_test6().

Revision 1.11 / (download) - annotate - [select for diffs], Sat Sep 15 03:54:40 2001 UTC (22 years, 8 months ago) by frantzen
Branch: MAIN
Changes since 1.10: +35 -24 lines
Diff to previous 1.10 (colored)

IPv6 support from Ryan McBride (mcbride@countersiege.com)

Revision 1.10 / (download) - annotate - [select for diffs], Sat Sep 8 02:10:33 2001 UTC (22 years, 8 months ago) by provos
Branch: MAIN
Changes since 1.9: +4 -3 lines
Diff to previous 1.9 (colored)

initialize variable and more careful bounds checking; okay frantzen@

Revision 1.9 / (download) - annotate - [select for diffs], Thu Sep 6 20:53:44 2001 UTC (22 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.8: +8 -6 lines
Diff to previous 1.8 (colored)

Reflect skip step changes. Spotted by Ryan McBride.

Revision 1.8 / (download) - annotate - [select for diffs], Tue Sep 4 08:55:37 2001 UTC (22 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.7: +2 -2 lines
Diff to previous 1.7 (colored)

#define empty PFLOG_PACKET correctly (no side effects). Closes PR2044.
From Claus Assmann.

Revision 1.7 / (download) - annotate - [select for diffs], Fri Aug 31 23:05:22 2001 UTC (22 years, 9 months ago) by frantzen
Branch: MAIN
Changes since 1.6: +3 -4 lines
Diff to previous 1.6 (colored)

Forgot to commit frag expire tuning before
Check for a short ip_hl.  Could have caused proto headers to overlap IP header.

Revision 1.6 / (download) - annotate - [select for diffs], Sat Aug 11 12:05:00 2001 UTC (22 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.5: +2 -2 lines
Diff to previous 1.5 (colored)

Add support for ICMP errors referring to ICMP queries/replies. Fixes
'ICMP error message for bad proto' messages. Reported by Mark Grimes
and Steve Rumble.

Add debugging level with ioctl interface and pfctl switch. Default
is 'None'.

Revision 1.5 / (download) - annotate - [select for diffs], Thu Aug 2 06:59:25 2001 UTC (22 years, 10 months ago) by deraadt
Branch: MAIN
Changes since 1.4: +10 -8 lines
Diff to previous 1.4 (colored)

KNF

Revision 1.4 / (download) - annotate - [select for diffs], Wed Aug 1 23:07:36 2001 UTC (22 years, 10 months ago) by provos
Branch: MAIN
Changes since 1.3: +101 -1 lines
Diff to previous 1.3 (colored)

stateless tcp normalization along the lines of the normalization paper by
handley, paxson and kreibich; okay deraadt@

Revision 1.3 / (download) - annotate - [select for diffs], Tue Jul 17 22:22:14 2001 UTC (22 years, 10 months ago) by provos
Branch: MAIN
Changes since 1.2: +4 -1 lines
Diff to previous 1.2 (colored)

support min-ttl, okay dhartmei@

Revision 1.2 / (download) - annotate - [select for diffs], Tue Jul 17 21:54:26 2001 UTC (22 years, 10 months ago) by provos
Branch: MAIN
Changes since 1.1: +8 -1 lines
Diff to previous 1.1 (colored)

normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@

Revision 1.1 / (download) - annotate - [select for diffs], Tue Jul 17 20:35:26 2001 UTC (22 years, 10 months ago) by provos
Branch: MAIN

ip normalization code
