OpenBSD CVS

CVS log for src/sys/net/pfvar.h

Default branch: MAIN


Revision 1.538, Mon May 13 01:15:53 2024 UTC (4 weeks, 1 day ago) by jsg
Branch: MAIN
CVS Tags: HEAD
Changes since 1.537: +1 -5 lines

remove prototypes with no matching function
ok mpi@

Revision 1.537, Sun May 12 08:31:05 2024 UTC (4 weeks, 2 days ago) by jsg
Branch: MAIN
Changes since 1.536: +1 -3 lines

sync_ifp and ticket_pabuf don't exist, remove externs

Revision 1.536, Mon Apr 22 13:30:22 2024 UTC (7 weeks ago) by bluhm
Branch: MAIN
Changes since 1.535: +8 -1 lines

Show pf fragment reassembly counters.

Fragment count and statistics are stored in struct pf_status.  From
there pfctl(8) and systat(1) collect and show them.  Note that pfctl
-s info needs the -v switch to show fragments.  As fragment reassembly
has its own mutex, also grab this in pf ioctl(2) and sysctl(2) code.

input claudio@; OK henning@

Revision 1.535, Mon Jan 1 22:16:51 2024 UTC (5 months, 1 week ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5
Changes since 1.534: +2 -2 lines

Protect link between pf and inp with mutex.

Introduce global mutex to protect the pointers between pf state key
and internet PCB.  Then in_pcbdisconnect() and in_pcbdetach() do
not need exclusive netlock anymore.  Use a bunch of read once
unlocked access to reduce performance impact.

OK sashan@

Revision 1.534, Tue Oct 10 11:25:31 2023 UTC (8 months ago) by bluhm
Branch: MAIN
Changes since 1.533: +2 -9 lines

Remove dead code in pf_pull_hdr().

pf_pull_hdr() allows to pass an action pointer parameter as output
value.  This is never used, all callers pass a NULL argument.  Remove
ACTION_SET() entirely.

The logic (fragoff >= len) in pf_pull_hdr() does not work since
revision 1.4.  Before it was used to drop short TCP or UDP fragments
that contained only part of the header.  Current code in pf_pull_hdr()
drops the packets anyway, so always set reason PFRES_FRAG.

OK kn@ sashan@

Revision 1.533, Thu Jul 6 04:55:05 2023 UTC (11 months ago) by dlg
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4
Changes since 1.532: +5 -6 lines

big update to pfsync to try and clean up locking in particular.

moving pf forward has been a real struggle, and pfsync has been a
constant source of pain. we have been papering over the problems
for a while now, but it reached the point that it needed a fundamental
restructure, which is what this diff is.

the big headliner changes in this diff are:

- pfsync specific locks

this is the whole reason for this diff.

rather than rely on NET_LOCK or KERNEL_LOCK or whatever, pfsync now
has its own locks to protect its internal data structures. this
is important because pfsync runs a bunch of timeouts and tasks to
push pfsync packets out on the wire, or when it's handling requests
generated by incoming pfsync packets, both of which happen outside
pf itself running. having pfsync specific locks around pfsync data
structures makes the mutations of these data structures a lot more
explicit and auditable.

- partitioning

to enable future parallelisation of the network stack, this rewrite
includes support for pfsync to partition states into different "slices".
these slices run independently, ie, the states collected by one slice
are serialised into a separate packet to the states collected and
serialised by another slice.

states are mapped to pfsync slices based on the pf state hash, which
is the same hash that the rest of the network stack and multiq
hardware uses.

- no more pfsync called from netisr

pfsync used to be called from netisr to try and bundle packets, but now
that there's multiple pfsync slices this doesn't make sense. instead it
uses tasks in softnet tqs.

- improved bulk transfer handling

there's shiny new state machines around both the bulk transmit and
receive handling. pfsync used to do horrible things to carp demotion
counters, but now it is very predictable and returns the counters back
where they started.

- better tdb handling

the tdb handling was pretty hairy, but hrvoje has kicked this around
a lot with ipsec and sasyncd and we've found and fixed a bunch of
issues as a result of that testing.

- mpsafe pf state purges

this was committed previously, but because the locks pfsync relied on
weren't clear this just caused a ton of bugs. as part of this diff it's
now reliable, and moves a big chunk of work out from under KERNEL_LOCK,
which in turn improves the responsiveness and throughput of a firewall
even if you're not using pfsync.

there's a bunch of other little changes along the way, but the above are
the big ones.

hrvoje has done performance testing with this diff and notes a big
improvement when pfsync is not in use. performance when pfsync is
enabled is about the same, but i'm hoping the slices means we can scale
along with pf as it improves.

lots (months) of testing by me and hrvoje on pfsync boxes
tests and ok sashan@
deraadt@ says this is a good time to put it in

Revision 1.532, Tue Jul 4 11:34:19 2023 UTC (11 months, 1 week ago) by sashan
Branch: MAIN
Changes since 1.531: +2 -1 lines

The recent change to DIOCGETRULE allows applications which
periodically read rules from pf(4) to consume all kernel
memory. The bug has been discovered and root caused by florian@.
In this particular case it was snmpd(8) that ate all kernel
memory.

This commit introduces DIOCXEND to pf(4) so applications such
as snmpd(8) and systat(1) can close the ticket/transaction when
they are done with fetching the rules. This change also
updates snmpd(8) and systat(1) to use the newly introduced
DIOCXEND ioctl(2).

OK claudio@, deraadt@, kn@

Revision 1.531, Fri May 26 12:13:26 2023 UTC (12 months, 2 weeks ago) by kn
Branch: MAIN
Changes since 1.530: +10 -4 lines

Remove net lock from DIOC{S,G}ETLIMIT

Grab the pf lock for pf_pool_limits[] in pfsync such that all access is
covered by the pf lock;  document accordingly.

Hard memory pool limits don't need the net lock for protection, pool(9)s
have their own internal lock and the pf lock fully covers limit values.

(pf_pool_limits[] access in DIOCXCOMMIT remains under pf *and net* lock
 until the rest in there gets pulled out of the net lock.)

OK sashan

Revision 1.530, Fri Apr 28 14:08:38 2023 UTC (13 months, 2 weeks ago) by sashan
Branch: MAIN
Changes since 1.529: +5 -2 lines

This change speeds up the DIOCGETRULE ioctl(2) which pfctl(8) uses to
retrieve rules from the kernel. The current implementation requires
about O((n^2)/2) operations to read the complete rule set, because
each DIOCGETRULE operation must iterate over the previous n
rules to find the (n + 1)-th rule to read.

To address the issue the diff introduces a pf_trans structure to keep
a pointer to the next rule to read, thus the reading process does not need
to iterate from the beginning of the rule set to reach the next rule.
All transactions opened by a process get closed either when the process
is done (reads all rules) or when the /dev/pf device is closed.

the diff also comes with lots of improvements from dlg@ and kn@

OK dlg@, kn@

Revision 1.529, Tue Feb 7 17:58:43 2023 UTC (16 months ago) by sashan
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3
Changes since 1.528: +3 -4 lines

The internal representation of icmp type/code in pfctl(8)/pf(4) does not
fit into u_int8_t. The issue has been noticed and kindly reported by
amalinin _at_ bh0.amt.ru via bugs@.

OK bluhm@

Revision 1.528, Fri Jan 6 17:44:34 2023 UTC (17 months ago) by sashan
Branch: MAIN
Changes since 1.527: +2 -1 lines

PF_ANCHOR_STACK_MAX is insufficient protection against stack overflow.
On amd64 the stack overflows for an anchor rule with depth ~30. The tricky
thing is the 'safe' depth varies depending on the kind of packet processed
by pf_match_rule(). For example, for a local outbound TCP packet the stack
overflows when the recursion of pf_match_rule() reaches depth 24.

Instead of lowering PF_ANCHOR_STACK_MAX to 20 and hoping it will
be enough on all platforms and for all packets, I'd like to stop
calling pf_match_rule() recursively. This commit brings back the
pf_anchor_stackframe array we used to have back in 2017. It also
revives patrick@'s idea to pre-allocate stack frame arrays
per-cpu.

OK kn@

Revision 1.527, Wed Jan 4 10:31:55 2023 UTC (17 months ago) by dlg
Branch: MAIN
Changes since 1.526: +1 -5 lines

move the pf_state_tree_id type from pfvar.h to pfvar_priv.h.

the pf_state_tree_id type is private to the kernel.

while here, move it from being an RB tree to an RBT tree. this saves
about 12k in pf.o on amd64.

ok sashan@

Revision 1.526, Wed Jan 4 02:00:49 2023 UTC (17 months, 1 week ago) by dlg
Branch: MAIN
Changes since 1.525: +3 -6 lines

move the pf_state_tree rb tree type from pfvar.h to pfvar_priv.h

the pf_state_tree types are kernel private, and are not used by
userland. make build agrees with me.

while here, move the pf_state_tree from the RB macros to the RBT
functions. this shaves about 13k off pf.o on amd64.

ok sashan@

Revision 1.525, Thu Dec 22 05:59:27 2022 UTC (17 months, 2 weeks ago) by dlg
Branch: MAIN
Changes since 1.524: +2 -1 lines

use stoeplitz to generate a hash/flowid for state keys.

the hash will be used to partition work in pf and pfsync in the
future, and right now it is used as the first comparison in the rb
tree state lookup.

using stoeplitz means that pf will hash traffic the same way that
hardware using a stoeplitz key will hash incoming traffic on rings.
stoeplitz is also used by the tcp stack to generate a flow id, which
is used to pick which transmit ring is used on nics with multiple
queues too. using the same algorithm throughout the stack encourages
affinity of packets to rings and softnet threads the whole way
through.

using the hash as the first comparison in the state rb tree comparison
should encourage faster traversal of the state tree by having all
the address/port bits summarised into the single hash value. however,
tests by hrvoje popovski don't show performance changing. on the
plus side, if this change is free from a performance point of view
then it makes the future steps more straightforward.

discussed at length at h2k22
tested by sashan@ and hrvoje popovski
ok tb@ sashan@ claudio@ jmatthew@

Revision 1.524, Wed Dec 21 02:23:10 2022 UTC (17 months, 3 weeks ago) by dlg
Branch: MAIN
Changes since 1.523: +2 -2 lines

prefix pf_state_key and pf_state_item struct bits to make them more unique.

this makes searching for the struct members easier, which in turn
makes tweaking code around them a lot easier too. sk_refcnt in
particular would have been a lot nicer to fiddle with than just
refcnt because pf_state structs also have a refcnt, which is annoying.

tweaks and ok sashan@
reads ok kn@

Revision 1.523, Mon Dec 19 04:35:33 2022 UTC (17 months, 3 weeks ago) by dlg
Branch: MAIN
Changes since 1.522: +1 -26 lines

move pf_state_item and pf_state_key structs from pfvar.h to pfvar_priv.h.

both of these are kernel private data structures and do not need
to be visible to userland. moving them to pfvar_priv.h makes this
explicit, and makes it less scary to tweak them in the future.

ok deraadt@ kn@ sashan@

Revision 1.522, Fri Dec 16 02:05:44 2022 UTC (17 months, 3 weeks ago) by dlg
Branch: MAIN
Changes since 1.521: +1 -2 lines

always keep pf_state_keys attached to pf_states.

pf_state structures don't contain ip addresses, protocols, ports,
etc. that information is stored in a pf_state_key struct, which is
used to wire a state into the state table. when things like pfsync
or the pf state ioctls want to export information about a state,
particularly the addresses on it, they need the pf_state_key struct
to read from.

before this diff the code assumed that when a state was removed
from the state tables it could throw the pf_state_key structs away
as part of that removal. this code changes it so once pf_state_insert
succeeds, a pf_state will keep its references to the pf_state_key
structs until the pf_state struct itself is being destroyed.

this allows anything that holds a reference to a pf_state to also
look at the pf_state_key structs because they're now effectively
an immutable part of the pf_state struct.

this is by far the simplest and most straightforward fix for pfsync
crashing on pf_state_key dereferences we've come up with so far.
it has been made possible by the addition of reference counts to
pf_state and pf_state_key structs, which allows us to properly
account for this adjusted lifecycle for pf_state_keys on pf_state
structs.

sashan@ and i have been kicking this diff around for a couple of
weeks now.
ok sashan@ jmatthew@

Revision 1.521, Fri Nov 25 20:27:53 2022 UTC (18 months, 2 weeks ago) by bluhm
Branch: MAIN
Changes since 1.520: +2 -1 lines

revert pf.c r1.1152 again: move pf_purge out from under the kernel lock

Using systqmp for pf_purge creates a deadlock between pf_purge()
and ixgbe_stop() and possibly other drivers.  On systqmp pf(4) needs
netlock which the interface ioctl(2) is holding.  ix(4) waits in
sched_barrier() which is also scheduled on the systqmp task queue.

Removing the netlock from pf_purge() as a quick fix caused other
problems.

backout suggested by deraadt@

Revision 1.520, Fri Nov 11 16:12:08 2022 UTC (18 months, 4 weeks ago) by dlg
Branch: MAIN
Changes since 1.519: +1 -2 lines

try pf.c r1.1143 again: move pf_purge out from under the kernel lock

this also avoids holding NET_LOCK too long.

the main change is done by running the purge tasks in systqmp instead
of systq. the pf state list was recently reworked so iteration over
the state can be done without blocking insertions.

however, scanning a lot of states can still take a lot of time, so
this also makes the state list scanner yield if it has spent too
much time running.

the other purge tasks for source nodes, rules, and fragments have
been moved to their own timeout/task pair to simplify the time
accounting.

in my environment, before this change pf purges often took 10 to
50ms. the softclock thread running next to it often took a similar
amount of time, presumably because they ended up spinning waiting
for each other. after this change the pf_purges are more like 6 to
12ms, and don't block softclock. most of the variability in the runs
now seems to come from contention on the net lock.

tested by me sthen@ chris@
ok sashan@ kn@ claudio@

the diff was backed out because it made things a bit more racy,
but sashan@ has squashed those races this week. let's try it again.

Revision 1.519, Fri Nov 11 11:02:35 2022 UTC (19 months ago) by dlg
Branch: MAIN
Changes since 1.518: +1 -37 lines

rewrite the pf_state_peer_ntoh and pf_state_peer_hton macros as functions.

i can read this code as functions, but it takes too much effort as macros.

Revision 1.518, Fri Nov 11 10:55:48 2022 UTC (19 months ago) by dlg
Branch: MAIN
Changes since 1.517: +2 -47 lines

move struct pf_state from pfvar.h to pfvar_priv.h.

we (sashan) are going to add a mutex to the pf_state struct, but a
mutex is a kernel data structure that changes shape depending on
things like whether MULTIPROCESSOR is enabled, and should therefore
not be visible to userland. when we added a mutex to pf_state,
compiling pfctl failed because it doesn't know what a mutex is and
it can't know which version of it the current kernel is running
with.

moving struct pf_state to pfvar_priv.h makes it clear it is a private
kernel only data structure, and avoids this leak into userland.

tested by me and make build
ok sashan@

Revision 1.517, Thu Nov 10 16:29:20 2022 UTC (19 months ago) by sashan
Branch: MAIN
Changes since 1.516: +40 -52 lines

revert pf_state mtx commit, because it breaks tree.
pfctl does not build

OK dlg@

Revision 1.516, Thu Nov 10 14:22:43 2022 UTC (19 months ago) by sashan
Branch: MAIN
Changes since 1.515: +52 -40 lines

Add a mutex to the pf_state structure. The mutex retains consistency
of structure members without using a global state lock.
The first member which uses protection by the mutex is the key[] array;
more will follow.

OK dlg@

Revision 1.515, Wed Nov 9 23:00:00 2022 UTC (19 months ago) by sashan
Branch: MAIN
Changes since 1.514: +1 -3 lines

simplify expiration of 'once' rules.
let the packet mark the 'once' rule as expired. The rule
will be removed by pfctl(8) when rules are updated.

OK kn@

Revision 1.514, Mon Nov 7 16:35:12 2022 UTC (19 months ago) by dlg
Branch: MAIN
Changes since 1.513: +1 -0 lines

revert "move pf_purge out from under the kernel lock".

hrvoje popovski showed me pfsync blowing up with this. i'm backing
it out quickly in case something else at the hackathon makes it
harder to do later.

kn@ agrees

Revision 1.513, Mon Nov 7 12:56:38 2022 UTC (19 months ago) by dlg
Branch: MAIN
Changes since 1.512: +1 -2 lines

move pf_purge out from under the kernel lock and avoid the hogging cpu

this also avoids holding NET_LOCK too long.

the main change is done by running the purge tasks in systqmp instead
of systq. the pf state list was recently reworked so iteration over
the state can be done without blocking insertions.

however, scanning a lot of states can still take a lot of time, so
this also makes the state list scanner yield if it has spent too
much time running.

the other purge tasks for source nodes, rules, and fragments have
been moved to their own timeout/task pair to simplify the time
accounting.

in my environment, before this change pf purges often took 10 to
50ms. the softclock thread running next to it often took a similar
amount of time, presumably because they ended up spinning waiting
for each other. after this change the pf_purges are more like 6 to
12ms, and don't block softclock. most of the variability in the runs
now seems to come from contention on the net lock.

tested by me sthen@ chris@
ok sashan@ kn@ claudio@

Revision 1.512, Sun Nov 6 18:05:05 2022 UTC (19 months ago) by dlg
Branch: MAIN
Changes since 1.511: +7 -1 lines

move pfsync_state_import in if_pfsync.c to pf_state_import in pf.c

this is straightening the deck chairs. the state import and export
code are used by both the pf ioctls and pfsync, but the export code
is in pf.c and the import code is in if_pfsync. if pfsync was
disabled then the ioctl stuff wouldn't link.

moving the import code to pf.c makes it more symmetrical(?) and
robust.

tweaks and ok from kn@ sashan@

Revision 1.511, Mon Oct 10 16:43:12 2022 UTC (20 months ago) by bket
Branch: MAIN
Changes since 1.510: +3 -1 lines

Recalculate checksum of normalised packet

In 2011, henning@ removed fiddling with the ip checksum of normalised
packets in r1.131 of sys/net/pf_norm.c. The rationale was that the checksum
is always recalculated in all output paths anyway. In 2016, procter@
reintroduced checksum modification to preserve end-to-end checksums in
r1.189 of sys/net/pf_norm.c. Likely somewhere in that timeslot checksum
recalculation of normalised packets was broken.

With input from bluhm@.

OK sashan@, bluhm@

Revision 1.510, Sat Sep 3 14:57:54 2022 UTC (21 months, 1 week ago) by yasuoka
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE, OPENBSD_7_2
Changes since 1.509: +2 -1 lines

When divert-reply is used, keep some pf states after the pcb is dropped if
its local address is translated, to prevent its source port from being
reused.  regress test by bluhm.

ok bluhm

Revision 1.509, Wed Jul 20 09:33:11 2022 UTC (22 months, 3 weeks ago) by mbuhl
Branch: MAIN
Changes since 1.508: +4 -3 lines

Add a pool for the allocation of the pf_anchor struct.
It was possible to exhaust kernel memory by repeatedly calling
pfioctl DIOCXBEGIN with different anchor names.
OK bluhm@
Reported-by: syzbot+9dd98cbce69e26f0fc11@syzkaller.appspotmail.com

Revision 1.508, Sun Jun 26 11:37:08 2022 UTC (23 months, 2 weeks ago) by mbuhl
Branch: MAIN
Changes since 1.507: +3 -3 lines

Allow waiting during ktable allocation in pf_ioctl.

OK bluhm

Reported-by: syzbot+50ea4f33ed5dd9264918@syzkaller.appspotmail.com
Reported-by: syzbot+df65f8b7ee8c0089e885@syzkaller.appspotmail.com

Revision 1.507, Fri Apr 29 09:55:43 2022 UTC (2 years, 1 month ago) by mbuhl
Branch: MAIN
Changes since 1.506: +2 -2 lines

Release PF and NET lock before calling copyout for DIOCIGETIFACES.
OK sashan@
Reported-by: syzbot+b6afd166e314799e3809@syzkaller.appspotmail.com

Revision 1.506, Thu Apr 21 15:22:49 2022 UTC (2 years, 1 month ago) by sashan
Branch: MAIN
Changes since 1.505: +3 -1 lines

Introduce dedicated link entries for snapshots in pfsync(4). The purpose
of snapshots is to allow pfsync(4) to move items from global lists
to local lists (a.k.a. snapshots) under mutex protection. Snapshots
are then processed without holding any mutexes. Such an idea does not fly
well if the link entry is currently used for global lists as well as snapshots.
Feedback by bluhm@. Credit also goes to hrvoje@ for extensive testing.

OK bluhm@

Revision 1.505, Sun Dec 26 01:00:32 2021 UTC (2 years, 5 months ago) by sashan
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.504: +6 -4 lines

make 'set skip on ...' in pf.conf dynamic

This is an old issue in pf(4): whenever a new interface appears
in the IP stack, we must reload pf.conf to apply 'set skip on ...'
to newly plumbed network interfaces. Time has come to fix it.
The idea is to also create pfi_kif for interfaces which are
referred to by 'set skip on ...'. Such pfi_kif instances are
created/destroyed by pfi_set_flags()/pfi_clear_flags().

claudio@ drew my attention to this in Gouveia. Also his
feedback helped me to put the change into shape.

OK claudio@

Revision 1.504, Tue Nov 16 20:51:31 2021 UTC (2 years, 6 months ago) by sashan
Branch: MAIN
Changes since 1.503: +8 -1 lines

move memory allocations in pfr_add_addrs() outside of NET_LOCK()/PF_LOCK()
scope.

feedback by bluhm@

OK bluhm@

Revision 1.503, Thu Nov 11 12:35:01 2021 UTC (2 years, 7 months ago) by sashan
Branch: MAIN
Changes since 1.502: +4 -2 lines

Allow pfi_kif_get() callers to pre-allocate a buffer for a new kif. If the kif
object exists already, then the caller must free the pre-allocated buffer.
If the caller does not pre-allocate a buffer, pfi_kif_get() will get
memory from the pool using the M_NOWAIT flag.

The commit also polishes pfi_initialize() a bit so it uses M_WAITOK
allocation for pfi_all.

there is no change in current behaviour.

feedback by bluhm@

OK bluhm@

Revision 1.502, Wed Jun 23 06:53:52 2021 UTC (2 years, 11 months ago) by dlg
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0
Changes since 1.501: +2 -2 lines

augment the global pf state list with its own locks.

before this, things that iterated over the global list of pf states
had to take the net, pf, or pf state locks. in particular, the
ioctls that dump the state table took the net and pf state locks
before iterating over the states and using copyout to export them
to userland. when we tried replacing the use of rwlocks with mutexes
under the pf locks, this blew up because you can't sleep when holding
a mutex and there's a sleeping lock used inside copyout.

this diff introduces two locks around the global state list: a mutex
that protects the head and tail of the list, and an rwlock that
protects the links between elements in the list. inserts on the
state list only occur during packet handling and can be done by
taking the mutex and putting the state on the tail before releasing
the mutex. iterating over states is only done from thread/process
contexts, so we can take a read lock, then the mutex to get a
snapshot of the head and tail pointers, and then keep the read lock
to iterate between the head and tail pointers. because it's a read
lock we can then take other sleeping locks (eg, the one inside
copyout) without (further) gymnastics. the pf state purge code takes
the rwlock exclusively and the mutex to remove elements from the
list.

this allows the ioctls and purge code to loop over the list
concurrently and largely without blocking the creation of states
when pf is processing packets.

pfsync also iterates over the state list when doing bulk sends,
which the state purge code needs to be careful around.

ok sashan@

Revision 1.501, Wed Jun 23 04:16:32 2021 UTC (2 years, 11 months ago) by dlg
Branch: MAIN
Changes since 1.500: +1 -2 lines

rework pf_state_expires to avoid confusion around state->timeout.

im going to make it so pf_purge_expired_states() can gather states
largely without sharing a lock with pfsync or actual packet processing
in pf. if pf or pfsync unlink a state while pf_purge_expired_states
is looking at it, we can race with some checks and fall over a
KASSERT.

i'm fixing this by having the caller of pf_state_expires read
state->timeout first, do its checks, and then pass the value as
an argument into pf_state_expires. this means there's a consistent
view of the state->timeout variable across all the checks that
pf_purge_expired_states in particular does. if pf/pfsync does change
the timeout while pf_purge_expired_states is looking at it, the
worst thing that happens is that it doesn't get picked as a candidate
for purging in this pass and will have to wait for the next sweep.

ok sashan@ as part of a bigger diff

Revision 1.500, Wed Mar 10 10:21:48 2021 UTC (3 years, 3 months ago) by jsg
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.499: +2 -2 lines

spelling

ok gnezdo@ semarie@ mpi@

Revision 1.499, Mon Feb 1 00:31:05 2021 UTC (3 years, 4 months ago) by dlg
Branch: MAIN
Changes since 1.498: +5 -5 lines

change route-to so it sends packets to IPs instead of interfaces.

this is a significant (and breaking) reworking of the policy based
routing that pf can do. the intention is to make it as easy as
nat/rdr to use, and more robust when it's operating.

the main reasons for this change are:

- route-to, reply-to, and dup-to do not work with pfsync

 this is because the information about where to route-to is stored in
 rules, and it is hard to have a ruleset synced between firewalls,
 and impossible to have them synced 100% of the time.

- i can make my boxes panic in certain situations using route-to

 yeah...

- the configuration and syntax for route-to rules are confusing.

 the argument to route-to and co is an interface name with an optional
 ip address. there are several problems with this. one is that people
 tend to think about routing as sending packets to peers by their
 address, not by the interface they're reachable on. another is that
 we currently have no way to synchronise interface topology information
 between firewalls, so using an interface to say where packets go
 means we can't do failover of these states with pfsync. another
 is that a change in routing topology means a host may become
 reachable over a different interface. tying routing policy to
 interfaces gets in the way of failover and load balancing.

this change does the following:

- stores the route info in the state instead of the pf rule

 this allows route-to to keep working when the ruleset changes, and
 allows route-to info to be sent over pfsync. there's enough spare bits
 in pfsync messages that the protocol doesn't break.

 the caveat is that route-to becomes tied to pass rules that create
 state, like rdr-to and nat-to.

- the argument to route-to etc is a destination ip address

 it's not limited to a next-hop address (though a next-hop can be a
 destination address). this allows for the failover and load balancing
 referred to above.

- deprecates the address@interface host syntax in pfctl

 because routing is done entirely by IPs, the interface is derived from
 the route lookup, not pf. any attempt to use the @interface syntax
 will fail now in all contexts.

there's enthusiasm from proctor@ jmatthew@ and others
ok sashan@ bluhm@

Revision 1.498, Tue Jan 12 00:10:34 2021 UTC (3 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.497: +2 -2 lines

Sometimes a user ID was logged in pflog(4) although the logopt of
the rule did not specify it.  Check the option again for the log
rule in case another rule has triggered a socket lookup.  Remove
logopt group, it is not documented and cannot work as struct pfloghdr
does not contain a gid.  Rename PF_LOG_SOCKET_LOOKUP to PF_LOG_USER
to express what it does.  The lookup involved is only an implementation
detail.
OK kn@ sashan@ mvs@

Revision 1.497, Wed Oct 14 19:22:14 2020 UTC (3 years, 7 months ago) by naddy
Branch: MAIN
Changes since 1.496: +2 -2 lines

replace a MAXPATHLEN that slipped back in with PATH_MAX so userland won't
have to pull in <sys/param.h>
ok kn@ sashan@ deraadt@

Revision 1.496, Mon Aug 24 15:30:58 2020 UTC (3 years, 9 months ago) by kn
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8
Changes since 1.495: +1 -2 lines

Remove ptr_array from struct pf_ruleset

Each ruleset's rules are stored in a TAILQ called "ptr" with "rcount"
representing the number of rules in the ruleset;  "ptr_array" points to an
array of the same length.

"ptr" is backed by pool_get(9) and may change in size as "expired" rules
get removed from the ruleset - see "once" in pf.conf(5).

"ptr_array" is allocated momentarily through mallocarray(9) and gets filled
with the TAILQ entries, so that the sole user pfsync(4) can access the list
of rules by index to pick the n-th rule during state insertion.

Remove "ptr_array" and make pfsync iterate over the TAILQ instead to get the
matching rule's index.  This simplifies both code and data structures and
avoids duplicate memory management.

OK sashan

Revision 1.495 / (download) - annotate - [select for diffs], Tue Jul 28 16:47:42 2020 UTC (3 years, 10 months ago) by yasuoka
Branch: MAIN
Changes since 1.494: +3 -1 lines
Diff to previous 1.494 (colored)

Use the table on root always if current table is not active.

ok sashan

Revision 1.494 / (download) - annotate - [select for diffs], Tue Jul 21 14:10:51 2020 UTC (3 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.493: +1 -0 lines
Diff to previous 1.493 (colored)

rename PF_OPT_TABLE_PREFIX to PF_OPTIMIZER_TABLE_PFX and move it to pfvar.h
OPT is misleading and usually refers to command line arguments to pfctl
ok sashan kn

Revision 1.493 / (download) - annotate - [select for diffs], Sun Nov 17 08:25:05 2019 UTC (4 years, 6 months ago) by otto
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.492: +3 -2 lines
Diff to previous 1.492 (colored)

"set delay" never worked as committed: the delay field was not copied
in and the pf_pktdelay struct was not declared and initialized properly.
ok rob@ kn@

Revision 1.492 / (download) - annotate - [select for diffs], Tue Jul 9 11:30:19 2019 UTC (4 years, 11 months ago) by yasuoka
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.491: +4 -2 lines
Diff to previous 1.491 (colored)

Fix previous commit which made src-node have a reference for the kif.
Src-node should use the reference counter since it might live longer
than its table entry, rule or the associated states.

OK sashan

Revision 1.491 / (download) - annotate - [select for diffs], Tue Jul 2 09:04:53 2019 UTC (4 years, 11 months ago) by yasuoka
Branch: MAIN
Changes since 1.490: +2 -2 lines
Diff to previous 1.490 (colored)

When source address tracking record is used for "route-to", the next
hop interface configured with "route-to" was not used.  Keep the
interface within the pf_src_node and use it when the record is used.

OK sashan

Revision 1.490 / (download) - annotate - [select for diffs], Mon Feb 18 13:11:44 2019 UTC (5 years, 3 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5
Changes since 1.489: +3 -3 lines
Diff to previous 1.489 (colored)

Change ps_len of struct pfioc_states and psn_len of struct
pfioc_src_nodes to size_t.  This avoids integer truncation by casts
to unsigned.  As the types of DIOCGETSTATES and DIOCGETSRCNODES
ioctl(2) arguments change, pfctl(8) and systat(1) should be updated
together with the kernel.  Calculate number of pf(4) states as
size_t in userland.
OK sashan@ deraadt@

Revision 1.489 / (download) - annotate - [select for diffs], Mon Dec 17 15:37:41 2018 UTC (5 years, 5 months ago) by kn
Branch: MAIN
Changes since 1.488: +2 -2 lines
Diff to previous 1.488 (colored)

Rename pf_anchor_remove() to pf_remove_anchor()

For semantic consistency with pf_{create,find,remove}_{anchor,ruleset}().

Simplify logic by squashing the if/else block while here.
No functional change.

Feedback jca and mikeb, OK mikeb

Revision 1.488 / (download) - annotate - [select for diffs], Mon Dec 10 16:48:15 2018 UTC (5 years, 6 months ago) by kn
Branch: MAIN
Changes since 1.487: +2 -15 lines
Diff to previous 1.487 (colored)

Remove useless macros

These are just unhelpful case conversion.

OK sashan henning

Revision 1.487 / (download) - annotate - [select for diffs], Sun Dec 9 19:38:40 2018 UTC (5 years, 6 months ago) by kn
Branch: MAIN
Changes since 1.486: +1 -7 lines
Diff to previous 1.486 (colored)

Zap duplicate signatures

Redundant under _KERNEL since introduction in r1.260 from 2006.

OK jca

Revision 1.486 / (download) - annotate - [select for diffs], Thu Sep 13 19:53:58 2018 UTC (5 years, 8 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_6_4_BASE, OPENBSD_6_4
Changes since 1.485: +3 -1 lines
Diff to previous 1.485 (colored)

Add reference counting for inet pcb, this will be needed when we
start locking the socket.  An inp can be referenced by the PCB queue
and hashes, by a pf mbuf header, or by a pf state key.
OK visa@

Revision 1.485 / (download) - annotate - [select for diffs], Tue Sep 11 07:53:38 2018 UTC (5 years, 9 months ago) by sashan
Branch: MAIN
Changes since 1.484: +3 -1 lines
Diff to previous 1.484 (colored)

- moving state look up outside of PF_LOCK()

this change adds a pf_state_lock rw-lock, which protects consistency
of state table in PF. The code delivered in this change is guarded
by 'WITH_PF_LOCK', which is still undefined. People, who are willing
to experiment and want to run it must do two things:

	- compile kernel with -DWITH_PF_LOCK
	- bump NET_TASKQ from 1 to ... sky is the limit,
	  (just select some sensible value for number of tasks your
	  system is able to handle)

OK bluhm@

Revision 1.484 / (download) - annotate - [select for diffs], Mon Sep 10 11:37:26 2018 UTC (5 years, 9 months ago) by bluhm
Branch: MAIN
Changes since 1.483: +8 -1 lines
Diff to previous 1.483 (colored)

Limit the fragment entry queue length to 64 per bucket.  So we have
a global limit of 1024 fragments, but it is fine grained to the
region of the packet.  Smaller packets may have less fragments.
This costs another 16 bytes of memory per reassembly and divides
the worst case for searching by 8.
requested by claudio@; OK sashan@ claudio@

Revision 1.483 / (download) - annotate - [select for diffs], Sat Sep 8 13:16:58 2018 UTC (5 years, 9 months ago) by bluhm
Branch: MAIN
Changes since 1.482: +7 -1 lines
Diff to previous 1.482 (colored)

Split the pf(4) fragment reassembly queue into smaller parts.
Remember 16 entry points based on the fragment offset.  Instead of
a worst case of 8196 list traversals we now check a maximum of 512
list entries or 16 array elements.
discussed with claudio@ and sashan@; OK sashan@
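To make the search bound concrete, here is an added userland model (not the pf code from these commits) of a fragment entry queue with 16 entry points selected by offset and a per-bucket cap; the offset-to-bucket mapping, the struct and function names are assumptions. Running the ascending 8-byte fragment flood once with the cap disabled and once at 64 shows the per-insert search cost dropping from the 512-entry bucket worst case to the cap, and the accepted total landing at the 1024 global limit of the 1.484 change.

```c
/*
 * Added example, not pf code: a userland model of the bucketed fragment
 * entry queue from the 1.483 and 1.484 commits.  Fragments of one packet
 * are spread over FRAG_ENTRY_POINTS sorted lists selected by offset, each
 * capped at a configurable length, so one insert walks a bounded number
 * of entries no matter how many fragments a sender floods us with.
 */
#include <stdint.h>
#include <stdlib.h>

#define FRAG_ENTRY_POINTS 16	/* entry points, from the 1.483 commit */
#define FRAG_ENTRY_LIMIT  64	/* per-bucket cap, from the 1.484 commit */
#define FRAG_OFFSET_SPACE 65536	/* IPv4 fragment offsets are 16-bit byte counts */

struct frent {
	uint16_t	 off;	/* byte offset within the original packet */
	uint16_t	 len;
	struct frent	*next;	/* next entry in the same bucket, ascending offset */
};

struct fragqueue {
	struct frent	*bucket[FRAG_ENTRY_POINTS];
	int		 count[FRAG_ENTRY_POINTS];
	int		 limit;	/* max entries per bucket, 0 = unlimited */
};

struct flood_result {
	int accepted;	/* fragments that were queued */
	int dropped;	/* fragments refused by the per-bucket limit */
	int maxcmp;	/* most list entries any single insert had to walk */
};

/* Bucket for an offset; hypothetical mapping, pf_norm.c's own is not on this page. */
static int
frag_index(uint16_t off)
{
	return off / (FRAG_OFFSET_SPACE / FRAG_ENTRY_POINTS);
}

/*
 * Insert a fragment keeping its bucket sorted by offset.  Returns the
 * number of existing entries compared while looking for the position,
 * or -1 when the bucket is full and the fragment is dropped.
 */
int
fragq_insert(struct fragqueue *q, uint16_t off, uint16_t len)
{
	int idx = frag_index(off);
	struct frent **pp = &q->bucket[idx], *fe;
	int cmp = 0;
	if (q->limit > 0 && q->count[idx] >= q->limit)
		return -1;
	/* walk to the first entry whose offset is not smaller than ours */
	while (*pp != NULL && (*pp)->off < off) {
		cmp++;
		pp = &(*pp)->next;
	}
	if ((fe = calloc(1, sizeof(*fe))) == NULL)
		abort();
	fe->off = off;
	fe->len = len;
	fe->next = *pp;
	*pp = fe;
	q->count[idx]++;
	return cmp;
}

void
fragq_free(struct fragqueue *q)
{
	for (int i = 0; i < FRAG_ENTRY_POINTS; i++)
		while (q->bucket[i] != NULL) {
			struct frent *fe = q->bucket[i];
			q->bucket[i] = fe->next;
			free(fe);
		}
}

/*
 * The worst case the commits talk about: one packet cut into minimal
 * 8-byte fragments over the whole offset space, arriving in ascending
 * order so every insert walks to the end of its bucket.
 */
struct flood_result
fragq_flood(int limit)
{
	struct fragqueue q = { .limit = limit };	/* buckets start empty */
	struct flood_result r = { 0, 0, 0 };
	for (uint32_t off = 0; off < FRAG_OFFSET_SPACE; off += 8) {
		int cmp = fragq_insert(&q, (uint16_t)off, 8);
		if (cmp < 0) {
			r.dropped++;
			continue;
		}
		r.accepted++;
		if (cmp > r.maxcmp)
			r.maxcmp = cmp;
	}
	fragq_free(&q);
	return r;
}
```

With the cap disabled every one of the 8192 fragments is queued and the longest search walks 511 entries; with the cap at 64 only 1024 are queued, the rest are dropped, and no search walks more than 63 entries.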

Revision 1.482 / (download) - annotate - [select for diffs], Sun Jul 22 09:09:18 2018 UTC (5 years, 10 months ago) by sf
Branch: MAIN
Changes since 1.481: +3 -3 lines
Diff to previous 1.481 (colored)

Fix arguments of pf_purge_expired_{src_nodes,rules}()

Due to the missing "void", this

   extern void pf_purge_expired_src_nodes();

is no prototype but a declaration. It is enough to suppress the
'implicit declaration' warning but it does not allow the compiler to
check the arguments passed to the calls of the function.

Fix the prototypes and don't pass the waslocked argument anymore. It has
been removed a year ago.

ok sashan henning

Revision 1.481 / (download) - annotate - [select for diffs], Wed Jul 11 09:05:51 2018 UTC (5 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.480: +1 -0 lines
Diff to previous 1.480 (colored)

provide pfi_group_addmember(), which makes the new member interface inherit
set flags from the group. ok phessler benno

Revision 1.480 / (download) - annotate - [select for diffs], Tue Jul 10 16:48:22 2018 UTC (5 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.479: +3 -3 lines
Diff to previous 1.479 (colored)

The year is 2018.
Mercury, Bowie, Cash, Motorola and DEC all left us.
Just pf still has a default state table limit of 10000.
Had! Now it's a tiny little bit more, 100k.
lead guitar: me
ok chorus: phessler theo claudio benno
background school girl laughing: bob

Revision 1.479 / (download) - annotate - [select for diffs], Tue Jul 10 09:28:27 2018 UTC (5 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.478: +20 -8 lines
Diff to previous 1.478 (colored)

provide a generic packet delay functionality. packets to be delayed are marked
by pf in the packet header. pf_delay_pkt reads the delay value from the packet
header, schedules a timeout and re-queues the packet when the timeout fires.
ok benno sashan

Revision 1.478 / (download) - annotate - [select for diffs], Mon Jun 18 11:00:31 2018 UTC (5 years, 11 months ago) by procter
Branch: MAIN
Changes since 1.477: +3 -1 lines
Diff to previous 1.477 (colored)

Refactor the six ways to find TCP options into one new function. As a result:
  - MSS and WSCALE option candidates must now meet their min type length.
  - 'max-mss' is now more tolerant of malformed option lists.
These changes were immaterial to the live traffic I've examined.
OK sashan@ mpi@

Revision 1.477 / (download) - annotate - [select for diffs], Thu Apr 5 03:32:39 2018 UTC (6 years, 2 months ago) by lteo
Branch: MAIN
Changes since 1.476: +2 -2 lines
Diff to previous 1.476 (colored)

Zap the obsolete PF_TRANS_ALTQ.

Note: Remember to "make includes" and recompile the following programs together
with the kernel:

sbin/pfctl
usr.sbin/authpf
usr.sbin/ftp-proxy
usr.sbin/relayd
usr.sbin/tftp-proxy

Thanks to sthen@ for checking the ports tree.

ok bluhm@ sashan@ visa@

Revision 1.476 / (download) - annotate - [select for diffs], Fri Feb 9 09:35:03 2018 UTC (6 years, 4 months ago) by dlg
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE, OPENBSD_6_3
Changes since 1.475: +1 -6 lines
Diff to previous 1.475 (colored)

oh carp - i didn't mean to commit these

Revision 1.475 / (download) - annotate - [select for diffs], Fri Feb 9 09:30:37 2018 UTC (6 years, 4 months ago) by dlg
Branch: MAIN
Changes since 1.474: +7 -2 lines
Diff to previous 1.474 (colored)

use struct in_addr to represent an address.

Revision 1.474 / (download) - annotate - [select for diffs], Thu Feb 8 09:15:46 2018 UTC (6 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.473: +4 -1 lines
Diff to previous 1.473 (colored)

make the watermarks/thresholds for entering and leaving syncookie mode when
syncookies are set to adaptive tunable, ok claudio benno

Revision 1.473 / (download) - annotate - [select for diffs], Thu Feb 8 02:25:44 2018 UTC (6 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.472: +3 -1 lines
Diff to previous 1.472 (colored)

add DIOCGETSYNFLWATS to get current synflood detection watermarks,
ok claudio benno procter

Revision 1.472 / (download) - annotate - [select for diffs], Wed Feb 7 05:48:47 2018 UTC (6 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.471: +7 -1 lines
Diff to previous 1.471 (colored)

provide counters for # of synfloods detected, # of syncookies sent,
# of syncookies successfully validated, ok phessler

Revision 1.471 / (download) - annotate - [select for diffs], Tue Feb 6 23:44:48 2018 UTC (6 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.470: +22 -0 lines
Diff to previous 1.470 (colored)

syncookies for pf.
when syncookies are on, pf will blindly answer each and every SYN with a
syncookie-SYNACK. Upon reception of the ACK completing the 3WHS, pf will
reconstruct the original SYN, shove it through pf_test, where state will
be created if the ruleset permits it. Then massage the freshly created state
(we won't see the SYNACK), set up the sequence number modulator, and call
into the existing synproxy code to start the 3WHS with the backend host.
Add an - somewhat basic for now - adaptive mode where syncookies get enabled
if a certain percentage of the state table is filled up with half-open tcp
connections. This makes pf firewalls resilient against large synflood
attacks.
syncookies are off by default until we gained more experience, considered
experimental for now.
see http://bulabula.org/papers/2017/bsdcan/ for more details.
joint work with sashan@, widely discussed and with lots of input by many

Revision 1.470 / (download) - annotate - [select for diffs], Fri Dec 29 17:05:25 2017 UTC (6 years, 5 months ago) by bluhm
Branch: MAIN
Changes since 1.469: +4 -6 lines
Diff to previous 1.469 (colored)

Make the functions which link the pf state keys to mbufs, inpcbs,
or other states more consistent.
OK visa@ sashan@ on a previous version

Revision 1.469 / (download) - annotate - [select for diffs], Tue Nov 28 16:05:46 2017 UTC (6 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.468: +4 -2 lines
Diff to previous 1.468 (colored)

The divert structure was using the port number to indicate that
divert-to or divert-reply was active.  If the address was also set,
it meant divert-to.  Divert packet used a separate structure.  This
is confusing and makes it hard to add new features.  It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@

Revision 1.468 / (download) - annotate - [select for diffs], Mon Nov 27 23:21:50 2017 UTC (6 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.467: +8 -1 lines
Diff to previous 1.467 (colored)

The divert structure was using the port number to indicate that
divert-to or divert-reply was active.  If the address was also set,
it meant divert-to.  Divert packet used a separate structure.  This
is confusing and makes it hard to add new features.  It is better
to have a divert type that explicitly says what is configured.
Convert the pfctl(8) rule parser to divert types, kernel cleanup
will be the next step.
OK sashan@

Revision 1.467 / (download) - annotate - [select for diffs], Mon Nov 13 11:30:11 2017 UTC (6 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.466: +11 -9 lines
Diff to previous 1.466 (colored)

add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb

Revision 1.466 / (download) - annotate - [select for diffs], Tue Sep 5 22:15:32 2017 UTC (6 years, 9 months ago) by sashan
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.465: +4 -1 lines
Diff to previous 1.465 (colored)

- split pf_find_or_create_ruleset() to smaller chunks.
  tested by Hrvoje

OK mpi@, OK bluhm@

Revision 1.465 / (download) - annotate - [select for diffs], Mon Aug 14 15:58:16 2017 UTC (6 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.464: +3 -1 lines
Diff to previous 1.464 (colored)

move pf_get_wscale + pf_get_mss prototypes to pfvar.h (diff shrinkage)

Revision 1.464 / (download) - annotate - [select for diffs], Mon Aug 14 15:48:29 2017 UTC (6 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.463: +2 -1 lines
Diff to previous 1.463 (colored)

add half-open tcp states accounting, road paved by sashan
increment in pf_create_state(), decrement in pf_set_protostate().
input & ok bluhm

Revision 1.463 / (download) - annotate - [select for diffs], Sun Aug 13 16:57:20 2017 UTC (6 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.462: +2 -1 lines
Diff to previous 1.462 (colored)

to change a state's state (that term is overloaded in pf, protocol state
like ESTABLISHED for tcp here), don't do it directly, but go through a newly
introduced pf_set_protostate()
ok bluhm benno

Revision 1.462 / (download) - annotate - [select for diffs], Sun Aug 6 13:16:11 2017 UTC (6 years, 10 months ago) by mpi
Branch: MAIN
Changes since 1.461: +1 -2 lines
Diff to previous 1.461 (colored)

Reduce contention on the NET_LOCK() by moving the logic of the pfpurge
thread to a task running on the `softnettq`.

Tested and inputs from Hrvoje Popovski.

ok visa@, sashan@

Revision 1.461 / (download) - annotate - [select for diffs], Wed Jul 19 12:51:31 2017 UTC (6 years, 10 months ago) by mikeb
Branch: MAIN
Changes since 1.460: +2 -1 lines
Diff to previous 1.460 (colored)

Rework HFSC vs FQ-CoDel checks

The selection mechanism introduced in pf_ioctl.c -r1.316 suffers
from being too ambiguous and lacks robustness. Instead of relying
on composition of multiple flags in the queue specification, it's
easier to identify the root class (if it exists) and derive all
further checks from it.

Revision 1.460 / (download) - annotate - [select for diffs], Wed Jun 28 19:30:24 2017 UTC (6 years, 11 months ago) by mikeb
Branch: MAIN
Changes since 1.459: +4 -1 lines
Diff to previous 1.459 (colored)

Introduce a simple mechanism to select the appropriate queue manager

Discussed with and OK henning@ at d2k17 as a part of a larger diff.

Revision 1.459 / (download) - annotate - [select for diffs], Wed Jun 28 18:31:03 2017 UTC (6 years, 11 months ago) by mikeb
Branch: MAIN
Changes since 1.458: +12 -5 lines
Diff to previous 1.458 (colored)

Extend pf queueing ops to include queue manager hooks

Discussed with and OK henning@ at d2k17 as a part of a larger diff.

Revision 1.458 / (download) - annotate - [select for diffs], Mon Jun 26 18:33:24 2017 UTC (6 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.457: +9 -1 lines
Diff to previous 1.457 (colored)

Fragments for a single connection (a combination of proto,src,dst,af)
may easily reuse the fragment id as it is only 16 bit for IPv4.  To
avoid that pf reassembles them into the wrong packet, throw away
stale fragments.  With the default timeout this happens after 12,000
newer fragments have been seen.
from markus@; OK sashan@

Revision 1.457 / (download) - annotate - [select for diffs], Tue May 30 19:40:54 2017 UTC (7 years ago) by henning
Branch: MAIN
Changes since 1.456: +5 -5 lines
Diff to previous 1.456 (colored)

remove XXX from the comments marking "holes" in the ioctls. I see very
very little value in these comments at all, but the XXX is just wrong and
in the way when looking for real XXXs. phessler agrees

Revision 1.456 / (download) - annotate - [select for diffs], Tue May 30 19:37:54 2017 UTC (7 years ago) by henning
Branch: MAIN
Changes since 1.455: +2 -2 lines
Diff to previous 1.455 (colored)

g/c DIOCCLRRULECTRS
kinda deprecated for a decade now, nothing in base uses it, nothing in
ports uses it (thanks sthen)
ok phessler sashan

Revision 1.455 / (download) - annotate - [select for diffs], Tue May 30 08:10:01 2017 UTC (7 years ago) by henning
Branch: MAIN
Changes since 1.454: +1 -1 lines
Diff to previous 1.454 (colored)

teach pf_build_tcp() about SACK, ok & with sashan

Revision 1.454 / (download) - annotate - [select for diffs], Sun May 28 16:43:45 2017 UTC (7 years ago) by bluhm
Branch: MAIN
Changes since 1.453: +7 -10 lines
Diff to previous 1.453 (colored)

Fix bad white spaces, wrap long lines, kill some empty lines.

Revision 1.453 / (download) - annotate - [select for diffs], Mon May 15 12:26:00 2017 UTC (7 years ago) by mpi
Branch: MAIN
Changes since 1.452: +3 -4 lines
Diff to previous 1.452 (colored)

Enable the NET_LOCK(), take 3.

Recursions are still marked as XXXSMP.

ok deraadt@, bluhm@

Revision 1.452 / (download) - annotate - [select for diffs], Mon May 15 11:23:25 2017 UTC (7 years ago) by mikeb
Branch: MAIN
Changes since 1.451: +12 -1 lines
Diff to previous 1.451 (colored)

Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)

OK sthen, visa

Revision 1.451 / (download) - annotate - [select for diffs], Tue May 2 12:27:37 2017 UTC (7 years, 1 month ago) by mikeb
Branch: MAIN
Changes since 1.450: +8 -1 lines
Diff to previous 1.450 (colored)

Provide pluggable queueing interface for pf

By hiding H-FSC behind pfq_ops structure similar to the ifq_ops,
we provide a possibility to plug alternative queueing interfaces
for use in pf.  This reduces amount of H-FSC specific code in the
pf ioctl handler

While here, change the order of elements in hfsc_class_stats
to provide some compatibility between queue stat structures of
different traffic conditioners.

No objections from henning@, ok sthen@

Revision 1.450 / (download) - annotate - [select for diffs], Fri Mar 17 17:19:17 2017 UTC (7 years, 2 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.449: +4 -3 lines
Diff to previous 1.449 (colored)

Revert the NET_LOCK() and bring back pf's contention lock for release.

For the moment the NET_LOCK() is always taken by threads running under
KERNEL_LOCK().  That means it doesn't buy us anything except a possible
deadlock that we did not spot.  So make sure this doesn't happen, we'll
have plenty of time in the next release cycle to stress test it.

ok visa@

Revision 1.449 / (download) - annotate - [select for diffs], Wed Feb 22 16:12:12 2017 UTC (7 years, 3 months ago) by mpi
Branch: MAIN
Changes since 1.448: +2 -2 lines
Diff to previous 1.448 (colored)

Amend a misleading comment mentioning ``ipintrq''.

Revision 1.448 / (download) - annotate - [select for diffs], Mon Jan 30 17:41:34 2017 UTC (7 years, 4 months ago) by benno
Branch: MAIN
Changes since 1.447: +3 -4 lines
Diff to previous 1.447 (colored)

removes the pf_consistency_lock and protects the users with
NET_LOCK().  pfioctl() will need the NET_LOCK() anyway. So better keep
things simple until we're going to redesign PF for a MP world.
fixes the crash reported by Kaya Saman.
ok mpi@, bluhm@

Revision 1.447 / (download) - annotate - [select for diffs], Tue Jan 24 10:08:30 2017 UTC (7 years, 4 months ago) by krw
Branch: MAIN
Changes since 1.446: +2 -2 lines
Diff to previous 1.446 (colored)

A space here, a space there. Soon we're talking real whitespace
rectification.

Revision 1.446 / (download) - annotate - [select for diffs], Thu Dec 29 13:01:48 2016 UTC (7 years, 5 months ago) by bluhm
Branch: MAIN
Changes since 1.445: +2 -2 lines
Diff to previous 1.445 (colored)

In pf_refragment6() use the valid route from pf_route6() instead
of calling rtalloc() again.
OK mpi@

Revision 1.445 / (download) - annotate - [select for diffs], Tue Nov 22 19:29:54 2016 UTC (7 years, 6 months ago) by procter
Branch: MAIN
Changes since 1.444: +4 -4 lines
Diff to previous 1.444 (colored)

Fold union pf_headers buffer into struct pf_pdesc (enabled by pfvar_priv.h).
Prevent pf_socket_lookup() reading uninitialised header buffers on fragments.
OK bluhm@ sashan@

Revision 1.444 / (download) - annotate - [select for diffs], Mon Nov 14 13:25:01 2016 UTC (7 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.443: +3 -5 lines
Diff to previous 1.443 (colored)

Instead of passing an extra mbuf pointer to pf_route(), it should
just use pd->m.  Then pf_test() can also operate on pd.m and set
the *m0 value in the caller just before it returns.
OK sashan@

Revision 1.443 / (download) - annotate - [select for diffs], Thu Oct 27 21:41:20 2016 UTC (7 years, 7 months ago) by bluhm
Branch: MAIN
Changes since 1.442: +5 -5 lines
Diff to previous 1.442 (colored)

Pass a struct pf_pdesc to pf_route() like it is done in the other
pf functions.  That means less parameters, more consistency and
later we can call functions that need a pd from pf_route().
OK sashan@

Revision 1.442 / (download) - annotate - [select for diffs], Wed Oct 26 21:07:22 2016 UTC (7 years, 7 months ago) by bluhm
Branch: MAIN
Changes since 1.441: +5 -58 lines
Diff to previous 1.441 (colored)

Put union pf_headers and struct pf_pdesc into separate header file
pfvar_priv.h.  The pf_headers had to be defined in multiple .c files
before.  In pfvar.h it would have unknown storage size, this file
is included in too many places.  The idea is to have a private pf
header that is only included in the pf part of the kernel.  For now
it contains pf_pdesc and pf_headers, it may be extended later.
discussion, input and OK henning@ procter@ sashan@

Revision 1.441 / (download) - annotate - [select for diffs], Tue Oct 18 13:28:01 2016 UTC (7 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.440: +12 -1 lines
Diff to previous 1.440 (colored)

split pf_send_tcp() into the part that builds the mbuf and the actual
sending, needed soon. ok sashan mikeb lteo

Revision 1.440 / (download) - annotate - [select for diffs], Tue Sep 27 04:57:17 2016 UTC (7 years, 8 months ago) by dlg
Branch: MAIN
Changes since 1.439: +27 -27 lines
Diff to previous 1.439 (colored)

roll back turning RB into RBT until i get better at this process.

Revision 1.439 / (download) - annotate - [select for diffs], Tue Sep 27 02:51:12 2016 UTC (7 years, 8 months ago) by dlg
Branch: MAIN
Changes since 1.438: +27 -27 lines
Diff to previous 1.438 (colored)

move pf from the RB macros to the RBT functions.

Revision 1.438 / (download) - annotate - [select for diffs], Sat Sep 3 17:11:40 2016 UTC (7 years, 9 months ago) by sashan
Branch: MAIN
Changes since 1.437: +8 -4 lines
Diff to previous 1.437 (colored)

Let the purge thread remove once rules, not packets.
Thanks mikeb@ for the idea to add an expire time.

OK mpi@, OK mikeb@

Revision 1.437 / (download) - annotate - [select for diffs], Sat Sep 3 14:34:13 2016 UTC (7 years, 9 months ago) by bluhm
Branch: MAIN
Changes since 1.436: +3 -3 lines
Diff to previous 1.436 (colored)

Reduce the factor of the limits derived from NMBCLUSTERS.  We want
the additional clusters in the socket buffer and not elsewhere.
OK claudio@

Revision 1.436 / (download) - annotate - [select for diffs], Sat Aug 20 08:34:30 2016 UTC (7 years, 9 months ago) by procter
Branch: MAIN
Changes since 1.435: +6 -6 lines
Diff to previous 1.435 (colored)

Push 'field changed' guards into 'change field' functions;
optimise pf_patch_32(); simplify pf_match_addr()
OK mikeb@

Revision 1.435 / (download) - annotate - [select for diffs], Wed Aug 17 03:24:12 2016 UTC (7 years, 9 months ago) by procter
Branch: MAIN
Changes since 1.434: +9 -10 lines
Diff to previous 1.434 (colored)

Reintroduce 5.3-style checksum modification to preserve end-to-end checksums
when fiddling with packets but without the mess that motivated Henning to
remove it. Affects only this one aspect of Henning's checksum work. Also tweak
the basic algorithm and supply a correctness argument.

OK dlg@ deraadt@ sthen@; no objection henning@

Revision 1.434 / (download) - annotate - [select for diffs], Tue Jul 19 13:30:51 2016 UTC (7 years, 10 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE, OPENBSD_6_0
Changes since 1.433: +8 -8 lines
Diff to previous 1.433 (colored)

don't hide globals between function prototypes; ok phessler benno

Revision 1.433 / (download) - annotate - [select for diffs], Mon Jul 18 19:11:18 2016 UTC (7 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.432: +0 -12 lines
Diff to previous 1.432 (colored)

no more cbq_opts - CBQ is gone, ok mpi phessler benno

Revision 1.432 / (download) - annotate - [select for diffs], Mon Jul 18 13:17:44 2016 UTC (7 years, 10 months ago) by bluhm
Branch: MAIN
Changes since 1.431: +2 -1 lines
Diff to previous 1.431 (colored)

Hide pf internals by moving code from in_ouraddr() to pf_ouraddr().
OK mpi@ sashan@

Revision 1.431 / (download) - annotate - [select for diffs], Tue Mar 29 10:34:42 2016 UTC (8 years, 2 months ago) by sashan
Branch: MAIN
Changes since 1.430: +17 -2 lines
Diff to previous 1.430 (colored)

- packet must keep reference to statekey
  this is the second attempt to get it in, the first
  attempt got backed out on Jan 31 2016

  the change also contains fixes contributed by Stefan Kempf
  in earlier iteration.

OK sthen@

Revision 1.430 / (download) - annotate - [select for diffs], Sun Jan 31 00:18:07 2016 UTC (8 years, 4 months ago) by sashan
Branch: MAIN
CVS Tags: OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.429: +1 -16 lines
Diff to previous 1.429 (colored)

- m_pkthdr.pf.statekey changes are not ready for 5.9, I must back them out

OK sthen@

Revision 1.429 / (download) - annotate - [select for diffs], Thu Jan 7 22:23:13 2016 UTC (8 years, 5 months ago) by sashan
Branch: MAIN
Changes since 1.428: +17 -2 lines
Diff to previous 1.428 (colored)

- retrying to commit earlier change, which got backed out

    - yet another tiny step towards MP PF. This time we need to make sure
      statekey attached to packet stays around, while accepted packet is
      routed through IP stack.

  this time I'm also bringing fix contributed by Stefan Kempf. Stefan's fix
  makes sure we grab reference in m_dup_pkthdr()

OK bluhm@

Revision 1.428 / (download) - annotate - [select for diffs], Wed Dec 23 21:04:55 2015 UTC (8 years, 5 months ago) by jasper
Branch: MAIN
Changes since 1.427: +1 -15 lines
Diff to previous 1.427 (colored)

revert previous:
----------------------------------------------------------------------
revision 1.961
date: 2015/12/22 13:33:26;  author: sashan;  state: Exp;  lines: +153 -44;
commitid: oBRhtWcDV0ThviVT;
- yet another tiny step towards MP PF. This time we need to make sure
  statekey attached to packet stays around, while accepted packet is
  routed through IP stack.

OK mpi@, henning@
----------------------------------------------------------------------

there have been multiple reports of KASSERT(!pf_state_key_isvalid(sk)) being
triggered without much effort, so back this out for now.

Revision 1.427 / (download) - annotate - [select for diffs], Tue Dec 22 13:33:26 2015 UTC (8 years, 5 months ago) by sashan
Branch: MAIN
Changes since 1.426: +16 -2 lines
Diff to previous 1.426 (colored)

- yet another tiny step towards MP PF. This time we need to make sure
  statekey attached to packet stays around, while accepted packet is
  routed through IP stack.

OK mpi@, henning@

Revision 1.426 / (download) - annotate - [select for diffs], Thu Dec 3 14:05:28 2015 UTC (8 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.425: +4 -1 lines
Diff to previous 1.425 (colored)

To avoid that the stack manipulates the pf statekeys directly, introduce
pf_inp_...() lookup, link and unlink functions as an interface.
Locking can be added to them later.  Remove the first linking at
the beginning of tcp_input() and udp_input() as it is not necessary.
It will be done later anyway.  That code was a relict, from the
time before I had added the second linking.
Input from mikeb@ and sashan@;  OK sashan@

Revision 1.425 / (download) - annotate - [select for diffs], Thu Dec 3 09:49:15 2015 UTC (8 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.424: +3 -3 lines
Diff to previous 1.424 (colored)

Rename pf_unlink_state() to pf_remove_state() so the name does not
collide with the statekey to inp unlinking.
OK sashan@ mpi@

Revision 1.424 / (download) - annotate - [select for diffs], Wed Dec 2 16:00:42 2015 UTC (8 years, 6 months ago) by sashan
Branch: MAIN
Changes since 1.423: +2 -1 lines
Diff to previous 1.423 (colored)

- hide PF internals to pf_unlink_divert_state() from in_pcb.c

OK mpi@, bluhm@

Revision 1.423 / (download) - annotate - [select for diffs], Fri Nov 20 03:35:23 2015 UTC (8 years, 6 months ago) by dlg
Branch: MAIN
Changes since 1.422: +1 -4 lines
Diff to previous 1.422 (colored)

shuffle struct ifqueue so in flight mbufs are protected by a mutex.

the code is refactored so the IFQ macros call newly implemented ifq
functions. the ifq code is split so each discipline (priq and hfsc
in our case) is an opaque set of operations that the common ifq
code can call. the common code does the locking, accounting (ifq_len
manipulation), and freeing of the mbuf if the discipline's enqueue
function rejects it. they're kind of like bufqs in the block layer
with their fifo and nscan disciplines.

the new api also supports atomic switching of disciplines at runtime.
the hfsc setup in pf_ioctl.c has been tweaked to build a complete
hfsc_if structure which it attaches to the send queue in a single
operation, rather than attaching to the interface up front and
building up a list of queues.

the send queue is now mutexed, which raises the expectation that
packets can be enqueued or purged on one cpu while another cpu is
dequeueing them in a driver for transmission. a lot of drivers use
IFQ_POLL to peek at an mbuf and attempt to fit it on the ring before
committing to it with a later IFQ_DEQUEUE operation. if the mbuf
gets freed in between the POLL and DEQUEUE operations, fireworks
will ensue.

to avoid this, the ifq api introduces ifq_deq_begin, ifq_deq_rollback,
and ifq_deq_commit. ifq_deq_begin allows a driver to take the ifq
mutex and get a reference to the mbuf they wish to try and tx. if
there's space, they can ifq_deq_commit it to remove the mbuf and
release the mutex. if there's no space, ifq_deq_rollback simply
releases the mutex. this api was developed to make updating the
drivers using IFQ_POLL easy, instead of having to do significant
semantic changes to avoid POLL that we cannot test on all the
hardware.

the common code has been tested pretty hard, and all the driver
modifications are straightforward except for de(4). if that breaks
it can be dealt with later.

ok mpi@ jmatthew@

Revision 1.422 / (download) - annotate - [select for diffs], Fri Oct 30 11:33:55 2015 UTC (8 years, 7 months ago) by mikeb
Branch: MAIN
Changes since 1.421: +2 -1 lines
Diff to previous 1.421 (colored)

Clean up handling of 'clear states' pfsync packets.

If an interface was specified in the packet, only if-bound states
attached to this interface must be purged.

ok mpi, looked at by sasha@

Revision 1.421 / (download) - annotate - [select for diffs], Tue Oct 13 19:32:32 2015 UTC (8 years, 8 months ago) by sashan
Branch: MAIN
Changes since 1.420: +2 -2 lines
Diff to previous 1.420 (colored)

- pf_insert_src_node(): global argument (arg6) is useless, function
  always gets pointer to rule.

- pf_remove_src_node(): function should always remove matching src node,
  regardless of sn->rule.ptr being NULL or a valid rule

- sn->rule.ptr is never NULL, spotted by mpi and Richard Procter _von_ gmail.com

OK mpi@, OK mikeb@

Revision 1.420 / (download) - annotate - [select for diffs], Wed Aug 19 21:22:41 2015 UTC (8 years, 9 months ago) by sashan
Branch: MAIN
Changes since 1.419: +3 -2 lines
Diff to previous 1.419 (colored)

PF must keep the IPv6 fragment size as chosen by the sender also for packets
which are routed on behalf of the route-to action.

OK bluhm@

Revision 1.419 / (download) - annotate - [select for diffs], Mon Jul 20 01:18:33 2015 UTC (8 years, 10 months ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8
Changes since 1.418: +1 -92 lines
Diff to previous 1.418 (colored)

INET6 is here to stay, so stop hauling around never-compiled code
to optimize for an INET-only kernel, as well as the fantasy unicorn
INET6-only kernel. (INET-only kernel still works)

prompted by deraadt
ok bluhm sashan

Revision 1.418 / (download) - annotate - [select for diffs], Sun Jul 19 01:58:19 2015 UTC (8 years, 10 months ago) by sashan
Branch: MAIN
Changes since 1.417: +3 -4 lines
Diff to previous 1.417 (colored)

unused arguments at pf_normalize_tcp_init() and pf_refragment6()

OK deraadt.

Revision 1.417 / (download) - annotate - [select for diffs], Fri Jul 17 19:46:05 2015 UTC (8 years, 10 months ago) by sashan
Branch: MAIN
Changes since 1.416: +3 -3 lines
Diff to previous 1.416 (colored)

sa_family_t should not be confused with u_int8_t

ok deraadt@, ok florian@

Revision 1.416 / (download) - annotate - [select for diffs], Thu Jul 16 21:14:21 2015 UTC (8 years, 10 months ago) by mpi
Branch: MAIN
Changes since 1.415: +2 -5 lines
Diff to previous 1.415 (colored)

Kill IP_ROUTETOETHER.

This pseudo-option is a hack to support return-rst on bridge(4).  It
passes Ethernet information via a "struct route" through ip_output().

"struct route" is slowly dying...

ok claudio@, benno@

Revision 1.415 / (download) - annotate - [select for diffs], Fri Jun 5 13:22:34 2015 UTC (9 years ago) by mikeb
Branch: MAIN
Changes since 1.414: +4 -2 lines
Diff to previous 1.414 (colored)

Improve error handling and recovery during state insertion

Reshuffle the code around a bit and greatly improve error handling
fixing a few bugs along the way.

Problem reported by and fix was written with Alexandr Nedvedicky.
OK henning

Revision 1.414 / (download) - annotate - [select for diffs], Sat Apr 11 13:00:12 2015 UTC (9 years, 2 months ago) by dlg
Branch: MAIN
Changes since 1.413: +1 -3 lines
Diff to previous 1.413 (colored)

the hfsc pools are only used in hfsc.c, so move the init of them
there instead of pf_ioctl.c.

ok henning@

Revision 1.413 / (download) - annotate - [select for diffs], Sun Feb 15 10:40:53 2015 UTC (9 years, 3 months ago) by sthen
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.412: +3 -1 lines
Diff to previous 1.412 (colored)

Rather than using 0xff as a placeholder for "don't check prio", use 0xff to
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.

Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesn't like it he can change it when he recovers from jet-lag"

(this file missed from previous commit, noticed by daniel@)

Revision 1.412 / (download) - annotate - [select for diffs], Thu Feb 12 01:24:10 2015 UTC (9 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.411: +1 -1 lines
Diff to previous 1.411 (colored)

change log(matches) semantics slightly to make it more useful. since it
is a debug tool, the change of semantics is not considered problematic.
up until now, log(matches) forced logging on subsequent matching rules,
the actual logging used the log settings from that matched rule.
now, log(matches) causes subsequent matches to be logged with the log settings
from the log(matches) rule. in particular (this was the driving point),
log(matches, to pflog23) allows you to have the trace log going to a separate
pflog interface, not clobbering your regular pflogs, actually not affecting
them at all.
long conversation with bluhm about it, which didn't lead to a single bit
changed in the diff but was very very helpful. ok bluhm as well.

Revision 1.411 / (download) - annotate - [select for diffs], Tue Feb 10 09:28:40 2015 UTC (9 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.410: +1 -1 lines
Diff to previous 1.410 (colored)

include the "set prio" values.
no real compat issue since we're using spare bytes.
old -> new ends up with set prio (0, 0) equivalent
new -> old is entirely harmless, old ignores the prios.
requested by Alexey Suslikov <alexey.suslikov at gmail>
ok phessler pelikan dlg

Revision 1.410 / (download) - annotate - [select for diffs], Tue Feb 10 06:45:55 2015 UTC (9 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.409: +2 -1 lines
Diff to previous 1.409 (colored)

since we inherit prio (as in, the queuing priority) from outside sources,
i.e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan

Revision 1.409 / (download) - annotate - [select for diffs], Sat Feb 7 06:27:46 2015 UTC (9 years, 4 months ago) by pelikan
Branch: MAIN
Changes since 1.408: +5 -5 lines
Diff to previous 1.408 (colored)

make RB_PROTOTYPE usage ISO C compliant by removing useless semicolons

fixes some compiler warnings, tested by amd64 base build

ok beck

Revision 1.408 / (download) - annotate - [select for diffs], Sat Jan 24 00:29:06 2015 UTC (9 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.407: +13 -4 lines
Diff to previous 1.407 (colored)

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>.  The kernel files can be
cleaned up next.  Some sockaddr_union steps make it into here as well.
ok naddy

Revision 1.407 / (download) - annotate - [select for diffs], Thu Jan 15 23:56:58 2015 UTC (9 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.406: +8 -9 lines
Diff to previous 1.406 (colored)

Stop including <sys/param.h> and other stuff.  Assume this will be included
with sys limits in scope, so use PATH_MAX instead.
ok millert guenther

Revision 1.406 / (download) - annotate - [select for diffs], Tue Dec 23 03:24:08 2014 UTC (9 years, 5 months ago) by tedu
Branch: MAIN
Changes since 1.405: +1 -8 lines
Diff to previous 1.405 (colored)

unifdef some more INET. v4 4life.

Revision 1.405 / (download) - annotate - [select for diffs], Fri Dec 19 13:04:08 2014 UTC (9 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.404: +7 -1 lines
Diff to previous 1.404 (colored)

Support source-hash and random with tables and dynifs; not just pools.
This finally allows to use source-hash for dynamic loadbalancing, eg.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.

An older pre-siphash version of this diff was tested by many people.

OK tedu@ benno@

Revision 1.404 / (download) - annotate - [select for diffs], Fri Dec 19 05:36:28 2014 UTC (9 years, 5 months ago) by tedu
Branch: MAIN
Changes since 1.403: +2 -2 lines
Diff to previous 1.403 (colored)

add messages to #error so we know what's what (and so unifdef doesn't poop)

Revision 1.403 / (download) - annotate - [select for diffs], Mon Sep 8 18:10:01 2014 UTC (9 years, 9 months ago) by bluhm
Branch: MAIN
Changes since 1.402: +5 -4 lines
Diff to previous 1.402 (colored)

When logging a packet to a listener on the pflog0 interface, the
function pflog_bpfcopy() is setting up a packet description with
pf_setup_pdesc().  When pf_setup_pdesc() is dropping a bad packet,
it increments the pf status counters.  This way bad packets
could be accounted multiple times.  Now pflog_bpfcopy() passes a
reason pointer NULL to indicate that no accounting should be done.
From Florian Riehm; OK henning@

Revision 1.402 / (download) - annotate - [select for diffs], Tue Aug 12 15:29:33 2014 UTC (9 years, 10 months ago) by mikeb
Branch: MAIN
Changes since 1.401: +2 -1 lines
Diff to previous 1.401 (colored)

Finally implement what's stated in the man page regarding parent
anchors for "once" rules: "In case this is the only rule in the
anchor, the anchor will be destroyed automatically after the rule
is matched."  Employ an additional pointer pair to keep track of
the parent ruleset containing the anchor that we want to remove.

OK henning

Revision 1.401 / (download) - annotate - [select for diffs], Wed Jul 2 13:02:08 2014 UTC (9 years, 11 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6
Changes since 1.400: +4 -4 lines
Diff to previous 1.400 (colored)

better indentation

Revision 1.400 / (download) - annotate - [select for diffs], Wed Jun 25 16:21:20 2014 UTC (9 years, 11 months ago) by mikeb
Branch: MAIN
Changes since 1.399: +2 -2 lines
Diff to previous 1.399 (colored)

pf_translate doesn't use the mbuf argument anymore.

From Alexandr Nedvedicky <alexandr ! nedvedicky at oracle ! com>.  Thanks!

Revision 1.399 / (download) - annotate - [select for diffs], Tue Apr 22 14:41:03 2014 UTC (10 years, 1 month ago) by mpi
Branch: MAIN
Changes since 1.398: +2 -53 lines
Diff to previous 1.398 (colored)

Remove some altq tentacles.

ok pelikan@, henning@

Revision 1.398 / (download) - annotate - [select for diffs], Sat Apr 19 12:59:53 2014 UTC (10 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.397: +3 -10 lines
Diff to previous 1.397 (colored)

shrink pf by 445 lines.
while there, get rid of the altq ioctls and associated now obsolete code

Revision 1.397 / (download) - annotate - [select for diffs], Tue Jan 21 01:50:07 2014 UTC (10 years, 4 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE, OPENBSD_5_5
Changes since 1.396: +2 -1 lines
Diff to previous 1.396 (colored)

introduce a way to match "any" interface, excluding loopback ones.
pfi_kif_get annotates the kif with a flag indicating it is the "any" match
pfi_kif_match obeys that flag
ok benno

Revision 1.396 / (download) - annotate - [select for diffs], Mon Jan 20 02:57:50 2014 UTC (10 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.395: +2 -0 lines
Diff to previous 1.395 (colored)

support negated matches on the rcvif, ok dlg benno

Revision 1.395 / (download) - annotate - [select for diffs], Fri Jan 3 12:48:58 2014 UTC (10 years, 5 months ago) by pelikan
Branch: MAIN
Changes since 1.394: +3 -1 lines
Diff to previous 1.394 (colored)

Switch frequently allocated structs from malloc(M_DEVBUF) to separate pools.

ok henning, "looks fine" mikeb, input from guenther.

Revision 1.394 / (download) - annotate - [select for diffs], Fri Jan 3 12:43:09 2014 UTC (10 years, 5 months ago) by pelikan
Branch: MAIN
Changes since 1.393: +4 -1 lines
Diff to previous 1.393 (colored)

Make queues disappear correctly on interfaces being destroyed.

ok henning

Revision 1.393 / (download) - annotate - [select for diffs], Sun Dec 22 16:49:29 2013 UTC (10 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.392: +4 -4 lines
Diff to previous 1.392 (colored)

change pf_osfp_entry strings to unsigned, to help userland
ok florian

Revision 1.392 / (download) - annotate - [select for diffs], Tue Nov 19 17:30:08 2013 UTC (10 years, 6 months ago) by mikeb
Branch: MAIN
Changes since 1.391: +4 -1 lines
Diff to previous 1.391 (colored)

provide forward declarations for structures ifnet and ifg_group;
ok deraadt

Revision 1.391 / (download) - annotate - [select for diffs], Sat Oct 12 12:13:11 2013 UTC (10 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.390: +53 -5 lines
Diff to previous 1.390 (colored)

new bandwidth shaping subsystem, kernel side
uses hfsc behind the scenes; altq stays in parallel for a migration phase.
if.h even more messy for the transition, but eventually it should become
readable...
looked over & tested by many, ok phessler sthen

Revision 1.390 / (download) - annotate - [select for diffs], Sat Oct 12 11:55:46 2013 UTC (10 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.389: +2 -2 lines
Diff to previous 1.389 (colored)

give tagname2tag and its siblings an extra "create" parameter. if 1, it
behaves like before and creates the mapping if needed. if 0, lookup only.
looked over by many, ok phessler sthen

Revision 1.389 / (download) - annotate - [select for diffs], Tue Jul 23 22:47:10 2013 UTC (10 years, 10 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4
Changes since 1.388: +2 -2 lines
Diff to previous 1.388 (colored)

Do not reset the fragment timeout each time a fragment arrives.
Start the expire counter when the queue is created by the first
fragment and drop it if the packet could not be reassembled within
60 seconds.
Reported by Antonios Atlasis; OK henning@ deraadt@

Revision 1.388 / (download) - annotate - [select for diffs], Fri Jul 5 13:07:58 2013 UTC (10 years, 11 months ago) by blambert
Branch: MAIN
Changes since 1.387: +4 -4 lines
Diff to previous 1.387 (colored)

Collect and display 'match' counters for pf tables.

While here, fix pf table displays to fit within 80 chars.

Manpage input jmc@

ok henning@ reyk@

Revision 1.387 / (download) - annotate - [select for diffs], Thu Jul 4 00:19:01 2013 UTC (10 years, 11 months ago) by guenther
Branch: MAIN
Changes since 1.386: +7 -7 lines
Diff to previous 1.386 (colored)

Re-commit: use time_t for storing time_t values.  This is an ABI
change for pf, but that's fine at this time.  You'll need to rebuild
pf userland after updating your kernel.

change to 'since' member ok henning@
rest ok henning@ deraadt@

Revision 1.386 / (download) - annotate - [select for diffs], Tue Jul 2 05:57:37 2013 UTC (10 years, 11 months ago) by guenther
Branch: MAIN
Changes since 1.385: +6 -6 lines
Diff to previous 1.385 (colored)

Revert previous: sizeof(time_t) != sizeof(long) on LP64, so there was
an ABI change involved.

Revision 1.385 / (download) - annotate - [select for diffs], Tue Jul 2 01:42:01 2013 UTC (10 years, 11 months ago) by guenther
Branch: MAIN
Changes since 1.384: +6 -6 lines
Diff to previous 1.384 (colored)

Use time_t for storing time_t values.  No change to the underlying
type**, so no ABI change.

ok henning@ deraadt@

** ...yet

Revision 1.384 / (download) - annotate - [select for diffs], Wed Jun 26 09:12:39 2013 UTC (10 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.383: +12 -5 lines
Diff to previous 1.383 (colored)

put the cksum diff back, of course with the bug fixed where we could
under some circumstances repair broken checksums on the way.
ok ryan naddy mikeb
.
redo most of the protocol (tcp/udp/...) checksum handling
-assume we have hardware checksum offloading. stop mucking with the
 checksum in most of the stack
-stop checksum mucking in pf, just set a "needs checksumming" flag if needed
-in all output paths, very late, if we figure out the outbound interface
 doesn't have hw cksum offloading, do the cksum in software. this especially
 makes the bridge path behave like a regular output path
-little special casing for bridge still required until the broadcast path
 loses its disgusting shortcut hacks, but at least it's in one place now
 and not all over the stack
in6_proto_cksum_out mostly written by krw@
started at k2k11 in iceland more than 1.5 years ago - yes it took that
long, this stuff is everything but easy.
this happens to fix the infamous pf rdr bug that made us turn off proto
cksum offloading on almost all interface drivers.

Revision 1.383 / (download) - annotate - [select for diffs], Tue Jun 4 19:03:12 2013 UTC (11 years ago) by henning
Branch: MAIN
Changes since 1.382: +1 -0 lines
Diff to previous 1.382 (colored)

add a pointer to the protocol checksum header field to pf_pdesc and set
it up in pf_setup_pdesc(). ok ryan benno mikeb bluhm

Revision 1.382 / (download) - annotate - [select for diffs], Mon Jun 3 15:00:00 2013 UTC (11 years ago) by henning
Branch: MAIN
Changes since 1.381: +1 -0 lines
Diff to previous 1.381 (colored)

put back the match member to the anchor stack struct - userland (pfctl)
uses it. that is so incredibly wrong...
sorry for the breakage, folks. found by tedu, SMSing me out of my breakfast
bob

Revision 1.381 / (download) - annotate - [select for diffs], Mon Jun 3 01:41:04 2013 UTC (11 years ago) by henning
Branch: MAIN
Changes since 1.380: +1 -2 lines
Diff to previous 1.380 (colored)

fix anchor quick with nested anchors. we lost the quick flag as soon as
we stepped into a child anchor.
simplify the logic, get rid of the match flag in the anchor stack, just
use the match variable we already had (and used in a boolean style) to track
the nest level we had a match at. when a child anchor had a match we also
have a match in the current anchor, so update the match level accordingly,
and thus correctly honour the quick flag.
reported, along with the right idea on how to fix this, by Sean Gallagher
\sean at teletech.com.au/, who also helped testing the fix. ok ryan & benno

Revision 1.380 / (download) - annotate - [select for diffs], Sat Jun 1 21:18:02 2013 UTC (11 years ago) by henning
Branch: MAIN
Changes since 1.379: +0 -6 lines
Diff to previous 1.379 (colored)

pf_step_{into,out_of}_anchor() are only ever called from pf_test_rule()
these days, so:
-move the prototypes from pfvar.h to pf.c
-remove the now useless null pointer checks for *match, it is always provided
ok ryan

Revision 1.379 / (download) - annotate - [select for diffs], Fri May 10 11:36:24 2013 UTC (11 years, 1 month ago) by mikeb
Branch: MAIN
Changes since 1.378: +3 -3 lines
Diff to previous 1.378 (colored)

Since pf_state_key_attach can decide to free the provided state
key we need to sync our state key pointers with whatever values
the function will pick.  Not doing so will produce wrong results
if address translation must be applied afterwards and we happen
to have a state key collision.  Then pf_translate will follow an
old pointer and punch in garbage addresses into the packet.

Noticed, initial patch and tests by Vitaly Sinilin <vs @ kp4 ! ru>
ok tedu, henning

Revision 1.378 / (download) - annotate - [select for diffs], Fri May 3 15:33:47 2013 UTC (11 years, 1 month ago) by florian
Branch: MAIN
Changes since 1.377: +3 -1 lines
Diff to previous 1.377 (colored)

Export ingress/egress interface index in pflow(4).
Report that this is needed for some netflow collector, and tests, by
Chris Ivancic & Colin Ligertwood.

OK mikeb@, benno@

Revision 1.377 / (download) - annotate - [select for diffs], Mon Mar 11 19:48:40 2013 UTC (11 years, 3 months ago) by sthen
Branch: MAIN
Changes since 1.376: +4 -2 lines
Diff to previous 1.376 (colored)

Add a separate "translation" counter and use this rather than "memory"
when address translation fails due to no free ports in the configured range.
ok mikeb@

Revision 1.376 / (download) - annotate - [select for diffs], Thu Jan 17 00:48:04 2013 UTC (11 years, 4 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.375: +1 -1 lines
Diff to previous 1.375 (colored)

first or second coming, commie or not commie, one m in coming is sufficient
ok claudio

Revision 1.375 / (download) - annotate - [select for diffs], Sat Dec 29 14:53:06 2012 UTC (11 years, 5 months ago) by markus
Branch: MAIN
Changes since 1.374: +3 -5 lines
Diff to previous 1.374 (colored)

pass pf_pool directly to pfr_pool_get(); simplifies the API;
ok henning@, zinke@, mikeb@

Revision 1.374 / (download) - annotate - [select for diffs], Tue Nov 6 12:32:41 2012 UTC (11 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.373: +5 -5 lines
Diff to previous 1.373 (colored)

backout csum diff for the moment, requested by theo

Revision 1.373 / (download) - annotate - [select for diffs], Thu Nov 1 07:55:56 2012 UTC (11 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.372: +4 -4 lines
Diff to previous 1.372 (colored)

redo most of the protocol (tcp/udp/...) checksum handling
-assume we have hardware checksum offloading. stop mucking with the
 checksum in most of the stack
-stop checksum mucking in pf, just set a "needs checksumming" flag if needed
-in all output paths, very late, if we figure out the outbound interface
 doesn't have hw cksum offloading, do the cksum in software. this especially
 makes the bridge path behave like a regular output path
-little special casing for bridge still required until the broadcast path
 loses its disgusting shortcut hacks, but at least it's in one place now
 and not all over the stack
in6_proto_cksum_out mostly written by krw@
started at k2k11 in iceland more than 1.5 years ago - yes it took that
long, this stuff is everything but easy.
this happens to fix the infamous pf rdr bug that made us turn off proto
cksum offloading on almost all interface drivers.
ok camield sthen claudio, testing by many, thanks!

Revision 1.372 / (download) - annotate - [select for diffs], Tue Oct 30 12:09:05 2012 UTC (11 years, 7 months ago) by florian
Branch: MAIN
Changes since 1.371: +7 -8 lines
Diff to previous 1.371 (colored)

Use time_uptime for expiration values as time_second can be skewed at
runtime while time_uptime is monotonic. Prevent underflows in
pfsync(4) and pflow(4) by using signed variables.  pfsync(4) problem
pointed out by camield.

Diff originally by dlg, frag and pflow bits by me.

feedback dlg
man page tweak jmc

Various versions of the pflow bits tested by Hrvoje Popovski
(hrvoje AT srce DOT hr), thanks!

ok benno, henning, dlg

Revision 1.371 / (download) - annotate - [select for diffs], Mon Oct 8 17:41:55 2012 UTC (11 years, 8 months ago) by camield
Branch: MAIN
Changes since 1.370: +1 -2 lines
Diff to previous 1.370 (colored)

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@

Revision 1.370 / (download) - annotate - [select for diffs], Fri Oct 5 12:32:27 2012 UTC (11 years, 8 months ago) by camield
Branch: MAIN
Changes since 1.369: +2 -1 lines
Diff to previous 1.369 (colored)

include sys/mbuf.h

Revision 1.369 / (download) - annotate - [select for diffs], Thu Sep 20 09:43:49 2012 UTC (11 years, 8 months ago) by camield
Branch: MAIN
Changes since 1.368: +4 -5 lines
Diff to previous 1.368 (colored)

Lower pf frags limit to not risk running out of mbuf clusters
when dealing with lots of IP fragments.

This sets the default to 25% of the mbuf cluster maximum (hint
from beck).  And the example in the manpage is sane now.

ok mikeb henning beck deraadt

Revision 1.368 / (download) - annotate - [select for diffs], Tue Sep 18 10:11:53 2012 UTC (11 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.367: +2 -1 lines
Diff to previous 1.367 (colored)

prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb

Revision 1.367 / (download) - annotate - [select for diffs], Thu Jul 26 12:25:31 2012 UTC (11 years, 10 months ago) by mikeb
Branch: MAIN
Changes since 1.366: +3 -3 lines
Diff to previous 1.366 (colored)

rename all_state_flags to state_flags to finish the transition
to the 16 bit flags;  reminded by claudio, ok henning

Revision 1.366 / (download) - annotate - [select for diffs], Fri Jul 13 11:14:04 2012 UTC (11 years, 11 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE, OPENBSD_5_2
Changes since 1.365: +0 -3 lines
Diff to previous 1.365 (colored)

remove confuzzling comment
:dlg: the xxx can go
...and this time commit to the real repo and not the one on my laptop

Revision 1.365 / (download) - annotate - [select for diffs], Tue Jul 10 09:38:22 2012 UTC (11 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.364: +1 -0 lines
Diff to previous 1.364 (colored)

define a PFSTATE_SCRUBMASK. relying on numeric order of flags is stupid
and bound to break sooner or later.

Revision 1.364 / (download) - annotate - [select for diffs], Sat Jul 7 16:24:32 2012 UTC (11 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.363: +3 -3 lines
Diff to previous 1.363 (colored)

rename prio in struct pf_rule and related structs to set_prio so it is
utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc

Revision 1.363 / (download) - annotate - [select for diffs], Tue Apr 3 15:09:04 2012 UTC (12 years, 2 months ago) by mikeb
Branch: MAIN
Changes since 1.362: +3 -1 lines
Diff to previous 1.362 (colored)

Fix kernel compilation with pf but without pfsync pseudo-device by
moving the state export functionality from pfsync code into pf.
Based on the initial diff by guenther, ok henning.

Revision 1.362 / (download) - annotate - [select for diffs], Fri Feb 3 01:57:51 2012 UTC (12 years, 4 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_5_1_BASE, OPENBSD_5_1
Changes since 1.361: +2 -4 lines
Diff to previous 1.361 (colored)

The kernel did not compile without INET6.  Put some #ifdefs into
pf to fix that.
- add #ifdef INET6 in obvious places
- af translation is only possible with both INET and INET6
- interleave #endif /* INET6 */ and closing brace correctly
- it is not necessary to #ifdef function prototypes
- do not compile af translate functions at all instead of empty stub,
  then the linker will report inconsistencies
- pf_poolmask() actually takes an sa_family_t not an u_int8_t argument
No binary change for GENERIC compiled with -O2 and -UDIAGNOSTIC.
reported by Olivier Cochard-Labbe; ok mikeb@ henning@

Revision 1.361 / (download) - annotate - [select for diffs], Thu Jan 26 20:16:06 2012 UTC (12 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.360: +3 -3 lines
Diff to previous 1.360 (colored)

Clean up the pf normalization code:
- Let pf_normalize_ip() and pf_normalize_ip6() take the struct
  pf_pdesc pd as argument.
- Always check whether the mbuf got NULL after normalization to make
  the code more robust.
- Make the code structure of pf_normalize_ip6() more like
  pf_normalize_ip() to make the differences obvious.
ok henning@

Revision 1.360 / (download) - annotate - [select for diffs], Mon Jan 16 16:38:01 2012 UTC (12 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.359: +2 -1 lines
Diff to previous 1.359 (colored)

Pass struct pf_pdesc to pf_walk_option6() and pf_walk_header6() to
make their argument list shorter.  Also fix a bug where pf_walk_option6()
used the outer header in the pd2 case.
ok henning@ mikeb@

Revision 1.359 / (download) - annotate - [select for diffs], Sun Jan 15 22:55:35 2012 UTC (12 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.358: +4 -2 lines
Diff to previous 1.358 (colored)

Calling pf_normalize_ip() from pf_setup_pdesc() was bad as the
latter is called from pf packet logging.  This resulted in normalization
and reassembly of bad packets to be logged.  So rearrange the code
and move the call to pf_test().
ok henning@

Revision 1.358 / (download) - annotate - [select for diffs], Mon Dec 12 21:30:27 2011 UTC (12 years, 6 months ago) by mikeb
Branch: MAIN
Changes since 1.357: +2 -1 lines
Diff to previous 1.357 (colored)

fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule.  essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault

Revision 1.357 / (download) - annotate - [select for diffs], Tue Nov 29 10:17:52 2011 UTC (12 years, 6 months ago) by dlg
Branch: MAIN
Changes since 1.356: +2 -2 lines
Diff to previous 1.356 (colored)

use a u_int64_t for the state id in pfsync_state. this makes it consistent
with every other thing that stores the state id (including other pfsync
messages).

includes improvements to the systat code to consider the creatorid as well
as the state id in its cache to avoid collisions between states created on
different hosts.

tested by me in production and on amd64 talking to sparc64.
ok henning@

Revision 1.356 / (download) - annotate - [select for diffs], Mon Nov 28 01:04:50 2011 UTC (12 years, 6 months ago) by dlg
Branch: MAIN
Changes since 1.355: +2 -3 lines
Diff to previous 1.355 (colored)

deprecate PFTM_UNTIL_PACKET. nothing in the tree uses it, and
pf_state_expires() handled it incorrectly.

discussed with mikeb@
ok henning@

Revision 1.355 / (download) - annotate - [select for diffs], Sat Nov 26 03:28:46 2011 UTC (12 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.354: +5 -1 lines
Diff to previous 1.354 (colored)

Apply route-to to deferred packet; without this the first packet of a
connection does not observe the route-to option.

ok dlg mikeb

Revision 1.354 / (download) - annotate - [select for diffs], Thu Oct 13 18:23:40 2011 UTC (12 years, 8 months ago) by claudio
Branch: MAIN
Changes since 1.353: +10 -3 lines
Diff to previous 1.353 (colored)

Since the IPv6 madness is not enough introduce NAT64 -- which is actually
"af-to" a generic IP version translator for pf(4).
Not everything is perfect yet but let's fix these things in the tree.
Insane amount of work done by sperreault@, mikeb@ and reyk@.
Looked over by mcbride@ henning@ and myself at eurobsdcon.
OK mcbride@ and general put it in from deraadt@

Revision 1.353 / (download) - annotate - [select for diffs], Fri Oct 7 17:10:08 2011 UTC (12 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.352: +1 -4 lines
Diff to previous 1.352 (colored)

rename some vars and functions
unfortunately altq is one giant namespace violation. rename just those that
conflict with new stuff for now only to be found on my laptop. reduce pain,
the diff is huge already. ok ryan

Revision 1.352 / (download) - annotate - [select for diffs], Fri Oct 7 14:02:48 2011 UTC (12 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.351: +0 -3 lines
Diff to previous 1.351 (colored)

pf_poolqueue is long dead, remove corpses. from eurobsdcon, ryan ok

Revision 1.351 / (download) - annotate - [select for diffs], Wed Sep 28 17:15:45 2011 UTC (12 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.350: +14 -13 lines
Diff to previous 1.350 (colored)

As requested by henning, move the mbuf pointer into struct pf_pdesc.
Also sort pd to the beginning of the functions' parameter lists for
consistency.
ok henning

Revision 1.350 / (download) - annotate - [select for diffs], Thu Sep 22 14:57:12 2011 UTC (12 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.349: +9 -9 lines
Diff to previous 1.349 (colored)

As I have touched half of pf lines anyway, fix whitespaces now.
KNF, no binary change.

Revision 1.349 / (download) - annotate - [select for diffs], Tue Sep 20 10:51:18 2011 UTC (12 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.348: +10 -10 lines
Diff to previous 1.348 (colored)

Put kif and dir into pdesc and use this instead of passing the values
around.  This is a mechanical change.  Initialize pd2 and use it
where appropriate.
ok henning on an earlier version; ok mpf

Revision 1.348 / (download) - annotate - [select for diffs], Mon Sep 19 12:51:52 2011 UTC (12 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.347: +12 -11 lines
Diff to previous 1.347 (colored)

Consolidate pf function parameters.  Move off and hdrlen into pdesc
and change their type from int to u_int32_t.  Do not pass struct
tcphdr *th and sa_family_t af, it is in pd anyway.  Do not use af
and pd->af intermixed, the latter makes clear where it comes from.
Do not calculate the packet length again if pd already has it.  Use
pd2.off instead of off2.
go go go go don't stop henning@ mpf@

Revision 1.347 / (download) - annotate - [select for diffs], Sun Sep 18 13:50:13 2011 UTC (12 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.346: +2 -2 lines
Diff to previous 1.346 (colored)

Move the pdesc initialization code into pf_setup_pdesc().  Unify
some IPv4 and IPv6 code.  Make sure that both code paths set the
same fields in the same order.
ok mpf henning

Revision 1.346 / (download) - annotate - [select for diffs], Sun Sep 18 10:40:55 2011 UTC (12 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.345: +2 -5 lines
Diff to previous 1.345 (colored)

Move the call to pf_test_rule() for fragments that have not been
reassembled by normalization from pf_setup_pdesc() to pf_test().
This simplifies the parameter list of pf_setup_pdesc() as it can
concentrate on its job filling the pf_pdesc struct.
ok henning mpf

Revision 1.345 / (download) - annotate - [select for diffs], Sat Sep 17 16:01:55 2011 UTC (12 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.344: +1 -4 lines
Diff to previous 1.344 (colored)

The pd->ip_sum and pd->proto_sum fields are not needed.  Replace
the one occurrence in pf_test_state_icmp() that uses pd2.ip_sum by
a local variable.  Remove ip_sum and proto_sum from struct pf_pdesc.
ok claudio henning

Revision 1.344 / (download) - annotate - [select for diffs], Tue Aug 30 00:40:47 2011 UTC (12 years, 9 months ago) by mikeb
Branch: MAIN
Changes since 1.343: +4 -1 lines
Diff to previous 1.343 (colored)

Add support for one shot rules that remove themselves from an active
ruleset after match.  In case this is the only rule in the anchor,
the anchor will be destroyed automatically after the rule is matched.
This is an extremely handy technique for firewall proxies.

ok henning, mcbride

Revision 1.343 / (download) - annotate - [select for diffs], Wed Aug 3 00:01:30 2011 UTC (12 years, 10 months ago) by dlg
Branch: MAIN
CVS Tags: OPENBSD_5_0_BASE, OPENBSD_5_0
Changes since 1.342: +4 -3 lines
Diff to previous 1.342 (colored)

someone (*cough*henning*cough*) made pf_state.state_flags a u_int16_t
without growing it in pfsync_state too.

to keep the wire format compat this uses some of the pad bytes to send
all the state flags on the wire as well as maintaining the old state_flags
field. after 5.0 we'll deprecate the original field and only use the new
one.

discussed with mcbride and deraadt and based on a diff from deraadt.
tested against an "old" pfsync locally.
ok mcbride@ henning@ deraadt@

Revision 1.342 / (download) - annotate - [select for diffs], Tue Aug 2 13:13:57 2011 UTC (12 years, 10 months ago) by mcbride
Branch: MAIN
Changes since 1.341: +3 -2 lines
Diff to previous 1.341 (colored)

Replace one byte of padding with sa_family_t af in pfsync_state_key;
Reject states with pfsync_state->af == 0 in pfsync_state_import(), in
preparation for states which specify an address family in each state key
instead (change will take place post-5.0).

ok dlg henning mikeb

Revision 1.341 / (download) - annotate - [select for diffs], Wed Jul 27 00:26:10 2011 UTC (12 years, 10 months ago) by mcbride
Branch: MAIN
Changes since 1.340: +16 -8 lines
Diff to previous 1.340 (colored)

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with a some minor cleanup.
ok henning claudio deraadt

Revision 1.340 / (download) - annotate - [select for diffs], Fri Jul 8 18:50:52 2011 UTC (12 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.339: +9 -4 lines
Diff to previous 1.339 (colored)

surprisingly, we use pf as classifier for the new priority queueing
implementation. ok ryan mpf sthen and also testing pea and halex looked
at it and commented as well

Revision 1.339 / (download) - annotate - [select for diffs], Thu Jul 7 20:46:37 2011 UTC (12 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.338: +2 -2 lines
Diff to previous 1.338 (colored)

There were two loops in pf_setup_pdesc() and pf_normalize_ip6()
walking over the IPv6 header chain.  Merge them into one loop,
adjust some length checks and fix IPv6 jumbo option handling.  Also
allow strange but legal IPv6 packets with plen=0 passing through
pf.  IPv6 jumbo packets still get dropped.
testing dhill@; ok mcbride@ henning@

Revision 1.338 / (download) - annotate - [select for diffs], Thu Jul 7 00:47:19 2011 UTC (12 years, 11 months ago) by mcbride
Branch: MAIN
Changes since 1.337: +7 -4 lines
Diff to previous 1.337 (colored)

Fold pf_test_fragment() into pf_test_rule(), reduce code and fixes
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus

Revision 1.337 / (download) - annotate - [select for diffs], Mon Jul 4 18:12:51 2011 UTC (12 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.336: +2 -2 lines
Diff to previous 1.336 (colored)

Rename the pf_pdesc field rh_cnt to badopts as it is also used for
IPv4 options now.
ok mcbride@ henning@

Revision 1.336 / (download) - annotate - [select for diffs], Mon Jul 4 06:54:49 2011 UTC (12 years, 11 months ago) by claudio
Branch: MAIN
Changes since 1.335: +4 -9 lines
Diff to previous 1.335 (colored)

Bye bye pf_test6(). Only one pf_test function for both IPv4 and v6.
The functions were 95% identical anyway. While there use struct pf_addr
in struct pf_divert instead of some union which is the same.
OK bluhm@ mcbride@ and most probably henning@ as well

Revision 1.335 / (download) - annotate - [select for diffs], Sun Jul 3 23:37:55 2011 UTC (12 years, 11 months ago) by zinke
Branch: MAIN
Changes since 1.334: +29 -6 lines
Diff to previous 1.334 (colored)

bring in least-states load balancing algorithm

ok mcbride@ henning@

Revision 1.334 / (download) - annotate - [select for diffs], Tue Jun 21 08:59:47 2011 UTC (12 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.333: +3 -5 lines
Diff to previous 1.333 (colored)

There is no need to handle fragmented TCP reset packets in a special
way.  Remove PFDESC_IP_REAS and pf_pdesc flags completely.
ok claudio@ henning@

Revision 1.333 / (download) - annotate - [select for diffs], Mon Jun 20 19:03:41 2011 UTC (12 years, 11 months ago) by claudio
Branch: MAIN
Changes since 1.332: +5 -8 lines
Diff to previous 1.332 (colored)

More cleanup in pf_test/pf_test6 this time mostly the fragment
handling. More to come to make the two codepaths a bit more identical.
tested by many (esp. krw@ and sthen@) input and OK bluhm@

Revision 1.332 / (download) - annotate - [select for diffs], Tue May 24 14:01:52 2011 UTC (13 years ago) by claudio
Branch: MAIN
Changes since 1.331: +2 -3 lines
Diff to previous 1.331 (colored)

Merge pf_scrub_ip() and pf_scrub_ip6() into a single function.  Call
pf_scrub with the right arguments in the rule case so that match
rules will work as expected.  As a benefit allow setting the tos
on IPv6 packets as well.
OK henning@

Revision 1.331 / (download) - annotate - [select for diffs], Sun May 22 13:21:24 2011 UTC (13 years ago) by claudio
Branch: MAIN
Changes since 1.330: +2 -2 lines
Diff to previous 1.330 (colored)

Do not pass AF specific information to pf_test_rule() and PFLOG_PACKET()
because either the info is already available in struct pd or easy
to figure out.  Makes pf_test() and pf_test6() even more similar
(with the target to remove one of them in the near future).
OK henning@

Revision 1.330 / (download) - annotate - [select for diffs], Tue May 17 12:44:05 2011 UTC (13 years ago) by mikeb
Branch: MAIN
Changes since 1.329: +2 -2 lines
Diff to previous 1.329 (colored)

exclude link local address from the dynamic interface address pool
so that rules like "pass out on vr1 inet6 nat-to (vr1)" won't map
to the non routable ipv6 link local address; with suggestions and
ok claudio, henning

Revision 1.329 / (download) - annotate - [select for diffs], Sat Apr 23 10:00:36 2011 UTC (13 years, 1 month ago) by bluhm
Branch: MAIN
Changes since 1.328: +3 -3 lines
Diff to previous 1.328 (colored)

pf_scrub_ip() does not modify the given mbuf pointer.  So don't
pass a pointer to a pointer to make the code in pf_test() clearer.
ok henning@

Revision 1.328 / (download) - annotate - [select for diffs], Fri Apr 22 15:49:28 2011 UTC (13 years, 1 month ago) by bluhm
Branch: MAIN
Changes since 1.327: +2 -2 lines
Diff to previous 1.327 (colored)

pf_pooladdr_pl does not exist anymore.  Remove its extern declaration.
ok henning@

Revision 1.327 / (download) - annotate - [select for diffs], Tue Apr 12 10:47:29 2011 UTC (13 years, 2 months ago) by mikeb
Branch: MAIN
Changes since 1.326: +2 -1 lines
Diff to previous 1.326 (colored)

put the accepted socket of a diverted connection into the routing domain
of a connection originator.  this allows one to query the source rdomain
with a SO_RTABLE socket option.  figured out with reyk, ok claudio.

Revision 1.326 / (download) - annotate - [select for diffs], Wed Apr 6 13:18:39 2011 UTC (13 years, 2 months ago) by claudio
Branch: MAIN
Changes since 1.325: +10 -8 lines
Diff to previous 1.325 (colored)

Allow PF to filter on the rdomain a packet belongs to. This allows
writing rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@

Revision 1.325 / (download) - annotate - [select for diffs], Tue Apr 5 13:48:18 2011 UTC (13 years, 2 months ago) by mikeb
Branch: MAIN
Changes since 1.324: +2 -2 lines
Diff to previous 1.324 (colored)

ditch fastroute, an ipf feature that made its way into pf before
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do.  reuse some kernel bits for the upcoming nat64
stuff.  "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.

Revision 1.324 / (download) - annotate - [select for diffs], Fri Mar 25 10:54:22 2011 UTC (13 years, 2 months ago) by claudio
Branch: MAIN
Changes since 1.323: +2 -1 lines
Diff to previous 1.323 (colored)

Include original rdomain in DIOCNATLOOK. This allows userland proxies
to establish cross rdomain proxy sessions.
OK henning@, mpf@

Revision 1.323 / (download) - annotate - [select for diffs], Thu Mar 24 20:09:44 2011 UTC (13 years, 2 months ago) by bluhm
Branch: MAIN
Changes since 1.322: +3 -2 lines
Diff to previous 1.322 (colored)

Reassemble IPv6 fragments in pf.  In the forward case, pf refragments
the packets with the same maximum size.  This allows the sender to
determine the optimal fragment size by Path MTU Discovery.
testing sthen@ matthieu@
ok claudio@

Revision 1.322 / (download) - annotate - [select for diffs], Mon Mar 7 23:30:19 2011 UTC (13 years, 3 months ago) by bluhm
Branch: MAIN
Changes since 1.321: +3 -1 lines
Diff to previous 1.321 (colored)

Declare the inline function pf_addr_compare() non-static in pfvar.h
to make it reusable by pf fragment reassembly.  No functional change.
discussed with henning@, claudio@, deraadt@, kettenis@
ok guenther@

Revision 1.321 / (download) - annotate - [select for diffs], Sat Mar 5 01:53:16 2011 UTC (13 years, 3 months ago) by bluhm
Branch: MAIN
Changes since 1.320: +2 -2 lines
Diff to previous 1.320 (colored)

The function pf_tag_packet() never fails.  Remove a redundant check
and make it void.
ok henning@, markus@, mcbride@

Revision 1.320 / (download) - annotate - [select for diffs], Tue Jan 11 13:35:58 2011 UTC (13 years, 5 months ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_4_9_BASE, OPENBSD_4_9
Changes since 1.319: +2 -1 lines
Diff to previous 1.319 (colored)

Perform IP options check in pf_test_rule(), before creating state.

ok claudio henning dlg miod

Revision 1.319 / (download) - annotate - [select for diffs], Tue Dec 7 11:39:40 2010 UTC (13 years, 6 months ago) by jsg
Branch: MAIN
Changes since 1.318: +2 -2 lines
Diff to previous 1.318 (colored)

remove a bunch of unused arguments
ok henning@

Revision 1.318 / (download) - annotate - [select for diffs], Sat Oct 23 15:38:18 2010 UTC (13 years, 7 months ago) by tedu
Branch: MAIN
Changes since 1.317: +1 -2 lines
Diff to previous 1.317 (colored)

remove PFR_FLAG_ATOMIC.  not used, and doesn't work as advertised.
ok henning

Revision 1.317 / (download) - annotate - [select for diffs], Mon Oct 18 15:55:28 2010 UTC (13 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.316: +1 -15 lines
Diff to previous 1.316 (colored)

Revert non-compatible and undocumented bullshit commited by 3 developers
who decided to just do it on their own.  henning, mcbride, jsing -- shame
on you -- if you had shown this diff to just 1 other network developer,
the astounding mistake in it would have been noticed.  Start practicing
inclusionary development instead of going alone.
ok claudio

Revision 1.316 / (download) - annotate - [select for diffs], Sun Oct 17 12:14:28 2010 UTC (13 years, 7 months ago) by jsing
Branch: MAIN
Changes since 1.315: +14 -0 lines
Diff to previous 1.315 (colored)

Add quirks support to operating system fingerprinting. tcpdump part
by mcbride@.

ok mcbride@ henning@

Revision 1.315 / (download) - annotate - [select for diffs], Wed Sep 22 05:58:29 2010 UTC (13 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.314: +2 -1 lines
Diff to previous 1.314 (colored)

add a new log opt PF_LOG_MATCHES
forces logging on all subsequent matching rules
real ok theo assumed oks ryan and dlg bikeshedding everyone in the room
implementation time ~ 1 minute

Revision 1.314 / (download) - annotate - [select for diffs], Tue Sep 21 11:29:12 2010 UTC (13 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.313: +2 -1 lines
Diff to previous 1.313 (colored)

assert copyrights / bump years

Revision 1.313 / (download) - annotate - [select for diffs], Tue Sep 21 03:42:17 2010 UTC (13 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.312: +3 -1 lines
Diff to previous 1.312 (colored)

make pf_translate (void so far) return 1 if it actually changed something
and 0 if it didn't so we know wether we have to rewrite or not.
ok ryan dlg
and in just an hour from now on this might have reached cvs eventually
from network-challenged j2k10 in japan

Revision 1.312 / (download) - annotate - [select for diffs], Tue Sep 21 02:51:35 2010 UTC (13 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.311: +7 -1 lines
Diff to previous 1.311 (colored)

factor out the code to set up pf_pdesc, a central structure in pf carrying
information about the packet we're currently dealing with, into its own
function. ok ryan dlg and additional testing sthen

Revision 1.311 / (download) - annotate - [select for diffs], Mon Jun 28 23:21:41 2010 UTC (13 years, 11 months ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE, OPENBSD_4_8
Changes since 1.310: +3 -7 lines
Diff to previous 1.310 (colored)

Clean up interface stats handling:
- 'make -Fi' reset ALL the interface statistics
     can be restricted with -i ifname
- 'make -Fa -i ifname' fail (it's meaningless)
- get rid of a silly little struct that's only used for one thing

ok henning

Revision 1.310 / (download) - annotate - [select for diffs], Sun Jun 27 01:39:43 2010 UTC (13 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.309: +7 -7 lines
Diff to previous 1.309 (colored)

stuff nsaddr/ndaddr/nsport/ndport (addrs/ports after NAT, used a lot while
walking the ruleset and up until state is fully set up) into pf_pdesc instead
of passing around those 4 separately all the time, also shrinks the argument
count for a few functions that have/partially had an insane count of arguments.
kinda preparational since we'll need them elsewhere too, soon
ok ryan jsing

Revision 1.309 / (download) - annotate - [select for diffs], Fri May 7 13:33:16 2010 UTC (14 years, 1 month ago) by claudio
Branch: MAIN
Changes since 1.308: +9 -7 lines
Diff to previous 1.308 (colored)

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Apart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning

Revision 1.308 / (download) - annotate - [select for diffs], Wed Apr 28 12:46:18 2010 UTC (14 years, 1 month ago) by robert
Branch: MAIN
Changes since 1.307: +2 -2 lines
Diff to previous 1.307 (colored)

Cast 'a' to (void *) in the REASON_SET macro. Makes gcc4 happy.
ok henning@

Revision 1.307 / (download) - annotate - [select for diffs], Wed Jan 20 21:41:17 2010 UTC (14 years, 4 months ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_4_7_BASE, OPENBSD_4_7
Changes since 1.306: +2 -2 lines
Diff to previous 1.306 (colored)

One \ too many in pfvar.h. From Daniel Dickman <didickman@gmail.com>

ok otto

Revision 1.306 / (download) - annotate - [select for diffs], Mon Jan 18 23:52:46 2010 UTC (14 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.305: +34 -2 lines
Diff to previous 1.305 (colored)

Convert pf debug logging to using log()/addlog(), a single standardised
definition of DPFPRINTF(), and log priorities from syslog.h. Old debug
levels will still work for now, but will eventually be phased out.

discussed with henning, ok dlg

Revision 1.305 / (download) - annotate - [select for diffs], Wed Jan 13 01:54:38 2010 UTC (14 years, 5 months ago) by jsg
Branch: MAIN
Changes since 1.304: +1 -2 lines
Diff to previous 1.304 (colored)

Remove extern reference to pf_pabuf which uses a struct
which no longer exists. Makes gcc4 kernels compile again.

ok henning@

Revision 1.304 / (download) - annotate - [select for diffs], Tue Jan 12 03:20:51 2010 UTC (14 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.303: +57 -52 lines
Diff to previous 1.303 (colored)

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio

Revision 1.303 / (download) - annotate - [select for diffs], Thu Dec 24 04:24:19 2009 UTC (14 years, 5 months ago) by dlg
Branch: MAIN
Changes since 1.302: +3 -1 lines
Diff to previous 1.302 (colored)

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:

  pass out on em0 from $foo to $bar received-on fxp0

ive been running this in production for a week now. i find it particularly
useful with interface groups.

no objections, and a few "i like"s from henning, claudio, deraadt, mpf

Revision 1.302 / (download) - annotate - [select for diffs], Mon Dec 14 12:31:45 2009 UTC (14 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.301: +38 -22 lines
Diff to previous 1.301 (colored)

fix sticky-address - by pretty much re-implementing it. still following
the original approach using a source tracking node.
the reimplementation is more flexible than the original one, we now have an
slist of source tracking nodes per state. that is cheap because more than
one entry will be an absolute exception.
ok beck and jsg, also stress tested by Sebastian Benoit <benoit-lists at fb12.de>

Revision 1.301 / (download) - annotate - [select for diffs], Tue Nov 24 13:23:55 2009 UTC (14 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.300: +3 -4 lines
Diff to previous 1.300 (colored)

kill obsolete natpass

Revision 1.300 / (download) - annotate - [select for diffs], Mon Nov 23 16:03:10 2009 UTC (14 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.299: +1 -6 lines
Diff to previous 1.299 (colored)

remove the nat_rule pointer on pf_state and pf_pdesc, obsolete after
the NAT rewrite and ever since then only checked in a couple of places
but never set. same for nat_src_node on pf_state.
with this the NAT rewrite made pf over 1000 lines shorter.

Revision 1.299 / (download) - annotate - [select for diffs], Sun Nov 22 22:34:50 2009 UTC (14 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.298: +7 -10 lines
Diff to previous 1.298 (colored)

cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing

Revision 1.298 / (download) - annotate - [select for diffs], Tue Nov 3 17:41:02 2009 UTC (14 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.297: +5 -4 lines
Diff to previous 1.297 (colored)

Use u_int16_t for rdomains for everything. Using various types makes
everything just more complicated. Make sure the structs align nicely.
OK deraadt@

Revision 1.297 / (download) - annotate - [select for diffs], Tue Nov 3 10:59:04 2009 UTC (14 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.296: +15 -5 lines
Diff to previous 1.296 (colored)

rtables are stacked on rdomains (it is possible to have multiple routing
tables on top of a rdomain) but until now our code was a crazy mix so that
it was impossible to correctly use rtables in that case. Additionally pf(4)
only knows about rtables and not about rdomains. This is especially bad when
tracking (possibly conflicting) states in various domains.
This diff fixes all or most of these issues. It adds a lookup function to
get the rdomain id based on a rtable id. Makes pf understand rdomains and
allows pf to move packets between rdomains (it is similar to NAT).
Because pf states now track the rdomain id as well it is necessary to modify
the pfsync wire format. So old and new systems will not sync up.
A lot of help by dlg@, tested by sthen@, jsg@ and probably more
OK dlg@, mpf@, deraadt@

Revision 1.296 / (download) - annotate - [select for diffs], Wed Oct 28 20:11:01 2009 UTC (14 years, 7 months ago) by jsg
Branch: MAIN
Changes since 1.295: +4 -4 lines
Diff to previous 1.295 (colored)

Add a dedicated pf pool for route options as suggested by henning,
which unbreaks ie route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@

Revision 1.295 / (download) - annotate - [select for diffs], Tue Oct 6 21:21:48 2009 UTC (14 years, 8 months ago) by claudio
Branch: MAIN
Changes since 1.294: +2 -1 lines
Diff to previous 1.294 (colored)

Redo the route lookup in the output (and IPv6 forwarding) path if the
destination of a packet was changed by pf. This allows for some evil
games with rdr-to or nat-to but is mostly needed for better rdomain/rtable
support. This is a first step and more work and cleanup is needed.

Here a list of what works and what does not (needs a patched pfctl):
pass out rdr-to:
from local rdr-to local addr works (if state tracking on lo0 is done)
from remote rdr-to local addr does NOT work
from local rdr-to remote works
from remote rdr-to remote works

pass in nat-to:
from remote nat-to local addr does NOT work
from remote nat-to non-local addr works
non-local is an IP that is routed to the FW but is not assigned on the FW.
The non working cases need some magic to correctly rewrite the incoming
packet since the rewriting would happen outbound which is too late.

"time to get it in" deraadt@

Revision 1.294 / (download) - annotate - [select for diffs], Sun Oct 4 16:08:37 2009 UTC (14 years, 8 months ago) by michele
Branch: MAIN
Changes since 1.293: +3 -3 lines
Diff to previous 1.293 (colored)

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who pointed out the limitations of this approach.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@

Revision 1.293 / (download) - annotate - [select for diffs], Tue Sep 8 17:52:17 2009 UTC (14 years, 9 months ago) by michele
Branch: MAIN
Changes since 1.292: +2 -2 lines
Diff to previous 1.292 (colored)

I had not enough oks to commit this diff.
Sorry.

Revision 1.292 / (download) - annotate - [select for diffs], Tue Sep 8 17:00:41 2009 UTC (14 years, 9 months ago) by michele
Branch: MAIN
Changes since 1.291: +3 -3 lines
Diff to previous 1.291 (colored)

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.

Revision 1.291 / (download) - annotate - [select for diffs], Tue Sep 1 13:42:00 2009 UTC (14 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.290: +20 -17 lines
Diff to previous 1.290 (colored)

the diff theo calls me insane for:
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too

Revision 1.290 / (download) - annotate - [select for diffs], Thu Jun 25 09:30:28 2009 UTC (14 years, 11 months ago) by sthen
Branch: MAIN
CVS Tags: OPENBSD_4_6_BASE, OPENBSD_4_6
Changes since 1.289: +6 -6 lines
Diff to previous 1.289 (colored)

scrub_flags is a u_int8_t, but PFSTATE_SCRUB_TCP is 0x0100, so the
"reassemble tcp" state option failed to work correctly. Increasing this
to u_int16_t fixes kernel/6178. ok deraadt@ henning@

Revision 1.289 / (download) - annotate - [select for diffs], Mon Jun 8 02:39:15 2009 UTC (15 years ago) by henning
Branch: MAIN
Changes since 1.288: +7 -4 lines
Diff to previous 1.288 (colored)

bring back the fixed PF_AEQ/ANEQ/AZERO macros, the offending use has been
found by sthen and fixed, all other callers of these macros checked by both
of us

Revision 1.288 / (download) - annotate - [select for diffs], Mon Jun 8 01:55:42 2009 UTC (15 years ago) by henning
Branch: MAIN
Changes since 1.287: +4 -7 lines
Diff to previous 1.287 (colored)

gah. something is not quite right, sthen sees strange behaviour fixed
by backing out the macro fix. something must rely on the broken behaviour

Revision 1.287 / (download) - annotate - [select for diffs], Mon Jun 8 00:50:30 2009 UTC (15 years ago) by henning
Branch: MAIN
Changes since 1.286: +7 -4 lines
Diff to previous 1.286 (colored)

unfuck PF_AEQ PF_ANEQ PF_AZERO macros that got fucked when v6 support
was added in 2001. yes i got bitten by inet6 shit again.
in the ANEQ case, if af == AF_INET, (a)->addr32[0] != (b)->addr32[0]
is false when the addresses ARE equal. now it goes right in the
intended-for-v6 case and starts to compare the other addr32 fields -
in the v4 case I have garbage in them, so it reports all v4 as different
when they are in fact the same. fix by adding explicit af == INET6 test
before going on to compare the rest.
found the really hard way (many hours wasted, thought the bug was in my
new code) by me. ok sthen markus claudio
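
The defect described in this 1.287 message, reproduced as an added illustration for this page (not the kernel's own pfvar.h macros): an address-comparison macro that ignores the address family compares all four 32-bit words even for AF_INET, so whatever sits in the unused upper words decides whether two equal IPv4 addresses compare equal. The union, the macro names with the _BROKEN/_FIXED suffixes and the deterministic "garbage" fill are assumptions made for the example; the fixed form shows the explicit af == AF_INET6 test the message describes.

```c
/* Added example: broken vs. fixed family-aware address comparison.
 * The union only mirrors the shape of pf's address type (four 32-bit
 * words overlaying a v4 and a v6 address); names are ours, not pf's. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>		/* AF_INET, AF_INET6 */

union pf_addr_demo {
	uint32_t addr32[4];	/* v4 lives in addr32[0]; v6 uses all four */
	uint8_t  addr8[16];
};

/* Form with the defect the commit message describes: the family is
 * ignored, so addr32[1..3] (never set for a v4 address) decide the
 * result.  The unused parameter keeps the same call shape. */
#define PF_ANEQ_BROKEN(a, b, c) \
	((a)->addr32[0] != (b)->addr32[0] || \
	 (a)->addr32[1] != (b)->addr32[1] || \
	 (a)->addr32[2] != (b)->addr32[2] || \
	 (a)->addr32[3] != (b)->addr32[3])

/* Fixed form: only the words that belong to the family are compared. */
#define PF_ANEQ_FIXED(a, b, c) \
	(((c) == AF_INET && (a)->addr32[0] != (b)->addr32[0]) || \
	 ((c) == AF_INET6 && \
	  ((a)->addr32[0] != (b)->addr32[0] || \
	   (a)->addr32[1] != (b)->addr32[1] || \
	   (a)->addr32[2] != (b)->addr32[2] || \
	   (a)->addr32[3] != (b)->addr32[3])))

#define PF_AEQ_FIXED(a, b, c)	(!PF_ANEQ_FIXED(a, b, c))

/* Constructed input: two copies of the same v4 address whose upper
 * words hold different leftovers (filled deterministically here to
 * stand in for uninitialised stack contents). */
static void
make_v4_pair(union pf_addr_demo *a, union pf_addr_demo *b, uint32_t v4)
{
	memset(a, 0xAA, sizeof(*a));
	memset(b, 0x55, sizeof(*b));
	a->addr32[0] = v4;
	b->addr32[0] = v4;
}

/* 1 if the broken macro wrongly reports the equal v4 pair as different. */
int
broken_misreports_equal_v4(void)
{
	union pf_addr_demo a, b;

	make_v4_pair(&a, &b, 0x0a000001u);	/* 10.0.0.1 */
	return PF_ANEQ_BROKEN(&a, &b, AF_INET) ? 1 : 0;
}

/* 1 if the fixed macro reports the same pair as equal. */
int
fixed_reports_equal_v4(void)
{
	union pf_addr_demo a, b;

	make_v4_pair(&a, &b, 0x0a000001u);
	return PF_AEQ_FIXED(&a, &b, AF_INET) ? 1 : 0;
}

/* The v6 path must still look at every word: a difference confined to
 * the last word is still a different address. */
int
fixed_detects_v6_difference(void)
{
	union pf_addr_demo a, b;

	memset(&a, 0, sizeof(a));
	b = a;
	b.addr32[3] = 1;
	return PF_ANEQ_FIXED(&a, &b, AF_INET6) ? 1 : 0;
}

int
main(void)
{
	printf("broken macro misreports equal v4: %d\n",
	    broken_misreports_equal_v4());
	printf("fixed macro reports equal v4:     %d\n",
	    fixed_reports_equal_v4());
	printf("fixed macro detects v6 diff:      %d\n",
	    fixed_detects_v6_difference());
	return 0;
}
```

The check a reviewer would run against any such macro is the first function: build two structurally equal v4 addresses with different padding and confirm the comparison does not depend on the padding. The broken form fails exactly the way the message reports, with every v4 pair looking different.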

Revision 1.286 / (download) - annotate - [select for diffs], Mon May 18 20:37:13 2009 UTC (15 years ago) by bluhm
Branch: MAIN
Changes since 1.285: +2 -2 lines
Diff to previous 1.285 (colored)

The routing table index rtableid has type unsigned int in the routing
code.  In pf rtableid == -1 means don't change the rtableid because
of this rule.  So it has to be signed int there.  Before the value
is passed from pf to route it is always checked to be >= 0.  Change
the type to int in pf and to u_int in netinet and netinet6 to make
the checks work.  Otherwise -1 may be used as an array index and
the kernel crashes.

ok henning@

Revision 1.285 / (download) - annotate - [select for diffs], Mon Apr 6 12:05:55 2009 UTC (15 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.284: +54 -23 lines
Diff to previous 1.284 (colored)

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
.  set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
.  pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
.  match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
.  pass
.  match
passes the packet, and
.  block
.  match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
 means a single packet can get logged more than once (think multiple log
 interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.

Revision 1.284 / (download) - annotate - [select for diffs], Mon Mar 9 13:53:10 2009 UTC (15 years, 3 months ago) by mcbride
Branch: MAIN
Changes since 1.283: +4 -1 lines
Diff to previous 1.283 (colored)

Make the DIOCSETIFFLAG, DIOCSETLIMIT, and DIOCSETTIMEOUT ioctls
transactional, closing PRs 4941 and 5910.  Minor flag day, requires rebuild
of userland tools that use struct pfi_kif.

ok henning deraadt

Revision 1.283 / (download) - annotate - [select for diffs], Mon Feb 16 00:31:25 2009 UTC (15 years, 3 months ago) by dlg
Branch: MAIN
CVS Tags: OPENBSD_4_5_BASE, OPENBSD_4_5
Changes since 1.282: +11 -8 lines
Diff to previous 1.282 (colored)

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsync's handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@

Revision 1.282 / (download) - annotate - [select for diffs], Thu Jan 29 15:12:28 2009 UTC (15 years, 4 months ago) by pyr
Branch: MAIN
Changes since 1.281: +27 -1 lines
Diff to previous 1.281 (colored)

Split the address selection from pools away from pf.c and put it in
pf_lb.c. This will ease the process of adding more selection types
without bloatening pf.c even more.

ok and a weird death threat, henning@
raised eyebrow, dlg@

Revision 1.281 / (download) - annotate - [select for diffs], Mon Nov 24 13:22:09 2008 UTC (15 years, 6 months ago) by mikeb
Branch: MAIN
Changes since 1.280: +2 -2 lines
Diff to previous 1.280 (colored)

Fix splasserts seen in pr 5987 by propagating a flag that describes
whether we're called from the interrupt context to the functions
performing allocations.

Looked at by mpf@ and henning@, tested by mpf@ and Antti Harri,
the pr originator.

ok tedu

Revision 1.280 / (download) - annotate - [select for diffs], Wed Oct 8 06:24:50 2008 UTC (15 years, 8 months ago) by mcbride
Branch: MAIN
Changes since 1.279: +1 -2 lines
Diff to previous 1.279 (colored)

Get rid of the second table entry pool (pfr_kentry_pl2); we're already
using the default interrupt handler for both, so there's no need to keep
table entries created in interrupt context separate.

ok henning art

Revision 1.279 / (download) - annotate - [select for diffs], Mon Sep 22 10:22:19 2008 UTC (15 years, 8 months ago) by mpf
Branch: MAIN
Changes since 1.278: +2 -2 lines
Diff to previous 1.278 (colored)

Reorder PFSTATE_PFLOW define:
It applies to state_flags, not to sync_flags.
OK henning@, gollo@

Revision 1.278 / (download) - annotate - [select for diffs], Tue Sep 9 13:56:39 2008 UTC (15 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.277: +6 -4 lines
Diff to previous 1.277 (colored)

welcome pflow(4), a netflow v5 compatible flow export interface.
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo

Revision 1.277 / (download) - annotate - [select for diffs], Tue Aug 26 12:17:10 2008 UTC (15 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.276: +2 -1 lines
Diff to previous 1.276 (colored)

introduce a function to be called when addressing information has changed,
pf_pkt_addr_changed. atm just clears the state key pointer.
calling this is cleaner than having other parts of the stack clearing
pointers in the pf part of the mbuf packet header directly.

Revision 1.276 / (download) - annotate - [select for diffs], Thu Jul 3 15:46:23 2008 UTC (15 years, 11 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_4_4_BASE, OPENBSD_4_4
Changes since 1.275: +2 -1 lines
Diff to previous 1.275 (colored)

link pf state keys to tcp pcbs and vice versa.
when we first do a pcb lookup and we have a pointer to a pf state key
in the mbuf header, store the state key pointer in the pcb and a pointer
to the pcb we just found in the state key. when either the state key
or the pcb is removed, clear the pointers.
on subsequent packets inbound we can skip the pcb lookup and just use the
pointer from the state key.
on subsequent packets outbound we can skip the state key lookup and use
the pointer from the pcb.
about 8% speedup with 100 concurrent tcp sessions, should help much more
with more tcp sessions.
ok markus ryan

Revision 1.275 / (download) - annotate - [select for diffs], Sun Jun 29 08:42:15 2008 UTC (15 years, 11 months ago) by mcbride
Branch: MAIN
Changes since 1.274: +31 -26 lines
Diff to previous 1.274 (colored)

Simplify state creation code; merge state import/export code between pfsync
and the state-related pf(4) ioctls, and make functions in state creation and
destruction paths more robust in error conditions.

All values in struct pfsync_state now in network byte order, as with pfsync.

testing by david
ok henning, systat parts ok canacar

Revision 1.274 / (download) - annotate - [select for diffs], Wed Jun 11 02:46:35 2008 UTC (16 years ago) by henning
Branch: MAIN
Changes since 1.273: +2 -1 lines
Diff to previous 1.273 (colored)

store a pointer to the stack side state key in the mbuf packet
header inbound. on the outbound side, we take that and look for the key
that is the exact opposite, and store that mapping in the state key. on
subsequent packets we don't have to do the lookup on outbound any more.
almost unable to get real benchmarks going here, we know for sure this
gives a more than 5% increase in forwarding performance.
many thanks to ckuethe for stress- and performance-testing.
ok ryan theo

Revision 1.273 / (download) - annotate - [select for diffs], Tue Jun 10 20:55:02 2008 UTC (16 years ago) by mcbride
Branch: MAIN
Changes since 1.272: +21 -6 lines
Diff to previous 1.272 (colored)

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt

Revision 1.272 / (download) - annotate - [select for diffs], Tue Jun 10 19:32:14 2008 UTC (16 years ago) by henning
Branch: MAIN
Changes since 1.271: +5 -7 lines
Diff to previous 1.271 (colored)

save some space in the state by collapsing two 8 bit ints used as booleans
into one 8 bit flags field.
shrinks the state structure by 4 bytes on 32bit archs
ryan ok

Revision 1.271 / (download) - annotate - [select for diffs], Tue Jun 10 04:24:17 2008 UTC (16 years ago) by henning
Branch: MAIN
Changes since 1.270: +6 -1 lines
Diff to previous 1.270 (colored)

implement a sloppy tcpstate tracker which does not look at sequence
numbers at all. scary consequences; only to be used in very specific
situations where you don't see all packets of a connection, e. g.
asymmetric routing. ok ryan reyk theo

Revision 1.270 / (download) - annotate - [select for diffs], Fri May 30 14:22:48 2008 UTC (16 years ago) by henning
Branch: MAIN
Changes since 1.269: +2 -2 lines
Diff to previous 1.269 (colored)

trivial KNF before we go further

Revision 1.269 / (download) - annotate - [select for diffs], Thu May 29 01:00:53 2008 UTC (16 years ago) by mcbride
Branch: MAIN
Changes since 1.268: +32 -31 lines
Diff to previous 1.268 (colored)

Second half of PF state table rearrangement.
- Mechanical change: Use arrays for state key pointers in pf_state, and
  addr/port in pf_state_key, to allow the use of indexes.
- Fix NAT, pfsync, pfctl, and tcpdump to handle the new state structures.
  In struct pfsync_state, both state keys are included even when identical.
- Also fix some bugs discovered in the existing code during testing.
  (in particular, "block return" for TCP packets was not returning an RST)

ok henning beck deraadt
tested by otto dlg beck laurent

Special thanks to users Manuel Pata and Emilio Perea who did enough testing
to actually find some bugs.

Revision 1.268 / (download) - annotate - [select for diffs], Thu May 29 00:28:08 2008 UTC (16 years ago) by henning
Branch: MAIN
Changes since 1.267: +37 -33 lines
Diff to previous 1.267 (colored)

rewrite the state table logic.
complete the split off of the layer 3/4 addressing information from the extra
information in the actual state. a state key holds a list of states, and a
state points to two state keys - they're only different in the NAT case.
More specifically, it deprecates the (often difficult to understand)
concept of lan, ext, and gwy addresses, replacing them with WIRE and
STACK side address tuples.  (af, proto, saddr, daddr, sport, dport).
Concept first brought up some years ago on a ferry ride in bc by ryan and
me, I spent some time over the last year getting closer, and finally
got it completed in japan with ryan. dlg also took part, helped a lot,
and saved us 8 bytes.
This commit removes support for any kind of NAT as well as pfsync.
It also paves the road for some code simplification and some very cool
future stuff.
ok ryan beck, tested by many

Revision 1.267 / (download) - annotate - [select for diffs], Sun May 18 11:54:04 2008 UTC (16 years ago) by mcbride
Branch: MAIN
Changes since 1.266: +7 -7 lines
Diff to previous 1.266 (colored)

KNF

Revision 1.266 / (download) - annotate - [select for diffs], Fri May 9 13:59:31 2008 UTC (16 years, 1 month ago) by mpf
Branch: MAIN
Changes since 1.265: +5 -3 lines
Diff to previous 1.265 (colored)

Add support to kill states by rule label or state id.
Fix printing of the state id in pfctl -ss -vv.
Remove the psnk_af hack to return the number of killed states.
OK markus, beck. "I like it" henning, deraadt.
Manpage help from jmc.

Revision 1.265 / (download) - annotate - [select for diffs], Fri May 9 02:44:54 2008 UTC (16 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.264: +15 -1 lines
Diff to previous 1.264 (colored)

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@

Revision 1.264 / (download) - annotate - [select for diffs], Thu May 8 08:05:16 2008 UTC (16 years, 1 month ago) by deraadt
Branch: MAIN
Changes since 1.263: +4 -4 lines
Diff to previous 1.263 (colored)

reorder elements in pf_state_peer to avoid wasting memory.  cvs blame
shows that 3 developers screwed this up.  look carefully at this diff
and learn how to avoid wasting memory.  on a 64 bit architecture, each
of these was using 40 bytes instead of 32.
ok henning

Revision 1.263 / (download) - annotate - [select for diffs], Wed May 7 07:07:29 2008 UTC (16 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.262: +2 -1 lines
Diff to previous 1.262 (colored)

scrub packets based on tags; ok henning

Revision 1.262 / (download) - annotate - [select for diffs], Wed May 7 06:23:30 2008 UTC (16 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.261: +3 -1 lines
Diff to previous 1.261 (colored)

allow setting TOS with scrub; ok mcbride, claudio

Revision 1.261 / (download) - annotate - [select for diffs], Tue May 6 03:45:22 2008 UTC (16 years, 1 month ago) by mpf
Branch: MAIN
Changes since 1.260: +3 -2 lines
Diff to previous 1.260 (colored)

Add a counter to record how many states have been created by a rule.
It shows up in pfctl verbose mode and in the 7th field of the labels
output.  Also remove the label printing for scrub rules, as they
do not support labels.
OK dhartmei@ (on an earlier version), henning@, mcbride@

Revision 1.260 / (download) - annotate - [select for diffs], Mon May 5 13:00:43 2008 UTC (16 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.259: +1 -2 lines
Diff to previous 1.259 (colored)

remove a useless refcnt in pf_state_key.
when it is in fact only used to delete the state key when the number of
attached states (in a tailq) drops to zero, we can as well test for the
queue being empty.
this is a leftover from some early version that did things differently.
ok ryan

Revision 1.259 / (download) - annotate - [select for diffs], Sun Dec 2 12:08:04 2007 UTC (16 years, 6 months ago) by pascoe
Branch: MAIN
CVS Tags: OPENBSD_4_3_BASE, OPENBSD_4_3
Changes since 1.258: +2 -3 lines
Diff to previous 1.258 (colored)

DIOC{GET,ADD}STATE incorrectly use a user provided pointer without using
copyin/out.  Change the API so that the state is included in the ioctl
argument, so the ioctl wrappers take care of copying memory as appropriate.

Also change the DIOCGETSTATE API to be more useful.  Instead of getting
an arbitrarily "numbered" state (using numbering that can change between
calls), instead search based on id and creatorid.  If you want to monitor
only a particular state, you can now use the bulk functions first to find
the appropriate id/creatorid and then fetch it directly from then on.

ok dlg@ henning@

Revision 1.258 / (download) - annotate - [select for diffs], Thu Sep 27 22:24:05 2007 UTC (16 years, 8 months ago) by mpf
Branch: MAIN
Changes since 1.257: +2 -3 lines
Diff to previous 1.257 (colored)

Add loginterface support for groups.
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.

OK henning@, markus@

Revision 1.257 / (download) - annotate - [select for diffs], Fri Aug 31 12:37:50 2007 UTC (16 years, 9 months ago) by thib
Branch: MAIN
Changes since 1.256: +1 -5 lines
Diff to previous 1.256 (colored)

zap unused "pf_tag" structure.

ok henning@

Revision 1.256 / (download) - annotate - [select for diffs], Thu Aug 30 13:07:06 2007 UTC (16 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.255: +2 -3 lines
Diff to previous 1.255 (colored)

mechanic change:
there is a 1:1 mapping between direction and the tree the states get
attached to. there is no need to have anything outside the state insertion/
deletion/lookup routines know about these internals. so just pass the
direction to the lookup functions and let them pick the right tree.
ok dhartmei markus

Revision 1.255 / (download) - annotate - [select for diffs], Thu Aug 30 09:28:48 2007 UTC (16 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.254: +7 -1 lines
Diff to previous 1.254 (colored)

add support for address ranges ("from 10.1.2.50 - 10.1.3.75") in from/to
criteria. ok mcbride@

Revision 1.254 / (download) - annotate - [select for diffs], Fri Jul 13 09:17:48 2007 UTC (16 years, 11 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_4_2_BASE, OPENBSD_4_2
Changes since 1.253: +1 -4 lines
Diff to previous 1.253 (colored)

remove obsolete pfi_statehead and pfik_w_states; ok henning@

Revision 1.253 / (download) - annotate - [select for diffs], Mon Jun 25 13:57:18 2007 UTC (16 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.252: +5 -4 lines
Diff to previous 1.252 (colored)

pretty mechanical change: now that the state tables use separate state
keys that can map to multiple states (last not least for ifbound) we don't
need state tables hanging off each struct kif representing an interface
any more. use two globals for the two tables. ok markus ryan

Revision 1.252 / (download) - annotate - [select for diffs], Sun Jun 24 11:17:13 2007 UTC (16 years, 11 months ago) by mcbride
Branch: MAIN
Changes since 1.251: +25 -30 lines
Diff to previous 1.251 (colored)

Save some bytes and make code more readable by removing junk union and
unused ifname (this information is in struct pf_state_sync now).

Also a bit of KNF on the pf_state struct.

ok mpf@ henning@

Revision 1.251 / (download) - annotate - [select for diffs], Thu Jun 21 11:55:54 2007 UTC (16 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.250: +6 -2 lines
Diff to previous 1.250 (colored)

reimplement interface bound states in a non-retarded way.
previously, we had a set of state tables attached to each interface. so for
every packet we had to do a lookup in the tables for the interface, and
afterwards in the global tables.
since we split state keys and states now, use only the global tables, and
put the actual states in a tail queue attached to the state key. sort the
list so that ifbound states come before global ones. on lookup, we only
have to compare the interface pointer on the actual states and use the
first one where either the interface matches or the state is not interface
bound. thus, if you don't actually use ifbound states, and there is only
one state per state key, the overhead is close to zero, where we had extra
lookups before. in addition to a much cleaner design (that'll allow for more
goodies later) this gives us ~12.5% more forwarding performance.
mostly hacked at c2k7, lots of help, testing and ok mcbride & markus

Revision 1.250 / (download) - annotate - [select for diffs], Mon Jun 11 11:18:14 2007 UTC (17 years ago) by henning
Branch: MAIN
Changes since 1.249: +1 -5 lines
Diff to previous 1.249 (colored)

move definitions for the flags in the mbuf header used by pf to mbuf.h
since we include the mbuf header parts for pf unconditionally, we should
be able to check them unconditionally as well. ok mcbride markus

Revision 1.249 / (download) - annotate - [select for diffs], Fri Jun 1 18:44:23 2007 UTC (17 years ago) by henning
Branch: MAIN
Changes since 1.248: +3 -1 lines
Diff to previous 1.248 (colored)

factor out duplicated code to allocate state key and cross-reference it
with a state entry into a new pf_alloc_state_key() function and use it
everywhere. makes upcoming changes way easier and is cleaner anyway.
conceptually agreed by ryan, but he's on the road now ;(

Revision 1.248 / (download) - annotate - [select for diffs], Thu May 31 22:45:36 2007 UTC (17 years ago) by mcbride
Branch: MAIN
Changes since 1.247: +1 -2 lines
Diff to previous 1.247 (colored)

Make sure that pf_state_key and pf_state_key_cmp are in sync.

I am a retard for not testing properly and owe people beers tonight.

Revision 1.247 / (download) - annotate - [select for diffs], Thu May 31 18:48:05 2007 UTC (17 years ago) by mcbride
Branch: MAIN
Changes since 1.246: +20 -16 lines
Diff to previous 1.246 (colored)

Move the state id and creatorid (used mainly by pfsync) into struct pf_state.

ok henning@

Revision 1.246 / (download) - annotate - [select for diffs], Thu May 31 04:11:42 2007 UTC (17 years ago) by mcbride
Branch: MAIN
Changes since 1.245: +141 -21 lines
Diff to previous 1.245 (colored)

First step of rearranging pf's state table internals...

- Split pf_state into pf_state (used for tracking connection information),
  and pf_state_key (used for searching the state table)

- Use pfsync_state in the ioctl for userland access to the state
  table. This will shield userland somewhat from future changes.

ok henning@ toby@ pyr@

Revision 1.245 / (download) - annotate - [select for diffs], Mon May 28 17:16:39 2007 UTC (17 years ago) by henning
Branch: MAIN
Changes since 1.244: +2 -15 lines
Diff to previous 1.244 (colored)

double pf performance.
boring details:
pf used to use an mbuf tag to keep track of route-to etc, altq, tags,
routing table IDs, packets redirected to localhost etc. so each and every
packet going through pf got an mbuf tag. mbuf tags use malloc'd memory,
and that is kinda slow.
instead, stuff the information into the mbuf header directly.
bridging soekris with just "pass" as ruleset went from 29 MBit/s to
58 MBit/s with that (before ryan's randomness fix, now it is even betterer)
thanks to chris for the test setup!
ok ryan ryan ckuethe reyk

Revision 1.244 / (download) - annotate - [select for diffs], Fri Feb 23 21:31:51 2007 UTC (17 years, 3 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_4_1_BASE, OPENBSD_4_1
Changes since 1.243: +3 -2 lines
Diff to previous 1.243 (colored)

if machine has more than 100MB of physmem, default the max table entries
to 200,000 instead of the conservative 100,000; ok dhartmei beck
tested by ckuethe

Revision 1.243 / (download) - annotate - [select for diffs], Fri Feb 9 11:20:39 2007 UTC (17 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.242: +2 -1 lines
Diff to previous 1.242 (colored)

allow counters to be reset with DIOCGETRULES.
this allows an atomic read and reset counters, instead of read, reset in a
later ioctl and lose everything in between.
use the previously unused of pr->action. When it is set to PF_GET_CLR_CNTR,
the ioctl requires write permissions and counters are reset after they have
been copied out to userland.
obsoletes DIOCCLRRULECTRS, which only works for the main ruleset, but not
within anchors (yeah, that's how it all started)
ok dhartmei, mcbride and theo agree as well

Revision 1.242 / (download) - annotate - [select for diffs], Wed Dec 13 05:10:15 2006 UTC (17 years, 6 months ago) by itojun
Branch: MAIN
Changes since 1.241: +5 -2 lines
Diff to previous 1.241 (colored)

IPv6 passive OS fingerprinting.
reuses IPv4 signature file (assuming that TCP code is shared among IPv4/v6).
mcbride ok.

Revision 1.241 / (download) - annotate - [select for diffs], Mon Nov 20 14:25:11 2006 UTC (17 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.240: +9 -1 lines
Diff to previous 1.240 (colored)

ioctl to explicitly remove source tracking nodes,
diff from Berk D. Demir <bdd@mindcast.org>

ok henning dhartmei

Revision 1.240 / (download) - annotate - [select for diffs], Fri Oct 27 13:56:51 2006 UTC (17 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.239: +26 -8 lines
Diff to previous 1.239 (colored)

Split ruleset manipulation functions out into pf_ruleset.c to allow them to
be imported into pfctl. This is a precursor to separating ruleset parsing
from loading in pfctl, and tons of good things will come from it.

2 minor changes aside from cut-n-paste and #define portability magic:

- instead of defining the global pf_main_ruleset, define pf_main_anchor
  (which contains the pf_main_ruleset)

- allow pf_find_or_create_ruleset() to return the pf_main_ruleset if it's
  passed an empty anchor name.

ok henning dhartmei

Revision 1.239 / (download) - annotate - [select for diffs], Wed Oct 25 11:26:47 2006 UTC (17 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.238: +2 -1 lines
Diff to previous 1.238 (colored)

add a "u_int8_t logif" to struct pfrule to select to which pflog interface
logs go. ok mcbride

Revision 1.238 / (download) - annotate - [select for diffs], Tue Oct 17 14:08:17 2006 UTC (17 years, 7 months ago) by reyk
Branch: MAIN
Changes since 1.237: +3 -3 lines
Diff to previous 1.237 (colored)

increase max pf tag name size from 16 to 64 characters.

ok henning@ dhartmei@ deraadt@

Revision 1.237 / (download) - annotate - [select for diffs], Wed Oct 11 08:42:31 2006 UTC (17 years, 8 months ago) by mcbride
Branch: MAIN
Changes since 1.236: +2 -1 lines
Diff to previous 1.236 (colored)

Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside
the anchor, terminate ruleset evaluation when stepping out of the anchor.

This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.

ok dhartmei@ henning@ deraadt@

Revision 1.236 / (download) - annotate - [select for diffs], Thu Jul 6 13:25:40 2006 UTC (17 years, 11 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_4_0_BASE, OPENBSD_4_0
Changes since 1.235: +4 -2 lines
Diff to previous 1.235 (colored)

allow rules to point to an alternate routing table, and tag packets
matching that rule so that the forwarding code later can use the
alternate routing table for lookups (not implemented yet).
the tagging is "sticky", every matching rule modifies, just like the
regular "tag". ok claudio hshoexer, hacked at r2k6

Revision 1.235 / (download) - annotate - [select for diffs], Sun May 28 02:45:45 2006 UTC (18 years ago) by mcbride
Branch: MAIN
Changes since 1.234: +3 -1 lines
Diff to previous 1.234 (colored)

Enable adaptive timeouts by default, with adaptive.start of 60% of the
state limit and adaptive.end of 120% of the state limit.
Explicitly setting the adaptive timeouts will override the default,
and it can be disabled by setting both adaptive.start and adaptive.end to 0.

ok henning@

Revision 1.234 / (download) - annotate - [select for diffs], Tue Mar 14 11:09:42 2006 UTC (18 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.233: +21 -18 lines
Diff to previous 1.233 (colored)

implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@

Revision 1.233 / (download) - annotate - [select for diffs], Fri Nov 4 08:24:15 2005 UTC (18 years, 7 months ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_3_9_BASE, OPENBSD_3_9
Changes since 1.232: +5 -5 lines
Diff to previous 1.232 (colored)

crank pf_state and pf_src_node byte and packet counters to u_int64_t, since
we're breaking pfsync compatibility this cycle anyways.

Requested by djm@, ok henning@, 'wheee!' deraadt@

Revision 1.232 / (download) - annotate - [select for diffs], Thu Oct 27 12:34:40 2005 UTC (18 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.231: +3 -1 lines
Diff to previous 1.231 (colored)

Basic support for attaching states from pfsync to the correct rules.
Applies only to rules in the main ruleset (not anchors) if the ruleset
checksum matches. Necessary to fix the following for pfsync'd states:
	- per-rule limits on number of states
	- altq
	- rule-based settings such as timeouts

More work to do re: nat rules, src-nodes, etc.

NOTE: This modifies the pfsync header and version number.
Tools which process pfsync packets must be recompiled, and firewalls with
different versions will not sync.

ok mpf@ henning@ dhartmei@

Revision 1.231 / (download) - annotate - [select for diffs], Mon Oct 17 08:43:35 2005 UTC (18 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.230: +25 -9 lines
Diff to previous 1.230 (colored)

make pf use one mbuf tag instead of 6 distinct ones. use a little struct
in the data part for the data from the previously distinct tags.
look up the tag early and carry a pointer to it around.
makes the code easier and saves some tag lookups and thus helps performance,
as proven by tests run by Schöberle Dániel <Schoeberle.Daniel@aamtech.hu>
Initially hacked up somewhere over the atlantic ocean in an A330
early testing reyk and moritz, "put it in" theo

Revision 1.213.2.1 / (download) - annotate - [select for diffs], Fri Oct 7 19:56:15 2005 UTC (18 years, 8 months ago) by brad
Branch: OPENBSD_3_7
Changes since 1.213: +2 -2 lines
Diff to previous 1.213 (colored) next main 1.214 (colored)

MFC:
Fix by pascoe@

Perform pf state/rule/table expiry in a kernel thread instead of running
it out of a timeout handler.

This means we will have process context, required when using the oldnointr
pool allocator.

Addresses pr4186, pr4273.

ok dhartmei@ deraadt@ pascoe@

Revision 1.230 / (download) - annotate - [select for diffs], Wed Sep 28 01:46:33 2005 UTC (18 years, 8 months ago) by pascoe
Branch: MAIN
Changes since 1.229: +11 -7 lines
Diff to previous 1.229 (colored)

Improve the safety of pf IOCTLs, taking into account that some paths can sleep.

- Introduces a rw_lock in pfioctl so that we can have concurrent readers
  but only one process performing updates at a time;

- Separates state expiry into "unlink" and "free" parts; anyone can unlink
  a state/src node from the RB trees at any time, but a state can only be
  freed whilst the write lock is held;

- Converts state_updates into list state_list containing all states,
  regardless of whether they are "linked" or "unlinked";

- Introduces a new PFTM_UNLINKED state that is used on the "unlinked" states
  to signal that they can be freed;

- Converts pf_purge_expired_state to an "unlink" state routine, which only
  unlinks the state from the RB trees.  Freeing the state/src nodes is left
  to the purge thread, which runs whilst holding a write lock, such that all
  "next" references remain valid;

- Converts pfsync_bulk_update and DIOCGETSTATES to walk state_list rather
  than the RB trees;

- Converts the purge thread to use the new state_list and perform a partial
  purge every second, with the target rate a full state table walk every
  PFTM_INTERVAL seconds.

seen by mcbride, henning, dhartmei pre-3.8, but too intrusive for then

Revision 1.229 / (download) - annotate - [select for diffs], Thu Aug 18 10:28:14 2005 UTC (18 years, 9 months ago) by pascoe
Branch: MAIN
CVS Tags: OPENBSD_3_8_BASE, OPENBSD_3_8
Changes since 1.228: +37 -19 lines
Diff to previous 1.228 (colored)

Rearrange pf_state and pfi_kif so that the parts of the structure needed
to search for a particular entry in the RB trees are at the start of the
structure.

This permits us to place a much smaller structure on the stack in the
interrupt paths that match packets against state entries.

ok mcbride

Revision 1.228 / (download) - annotate - [select for diffs], Thu Aug 11 05:09:30 2005 UTC (18 years, 10 months ago) by joel
Branch: MAIN
Changes since 1.227: +3 -1 lines
Diff to previous 1.227 (colored)

Only decrement the max-src-conn counter for tcp connections that reached
"established" state. Requires recompiling pfctl, etc.
ok dhartmei@

Revision 1.227 / (download) - annotate - [select for diffs], Tue Aug 2 12:40:42 2005 UTC (18 years, 10 months ago) by pascoe
Branch: MAIN
Changes since 1.226: +2 -2 lines
Diff to previous 1.226 (colored)

Instead of copying a table structure so we can mask off a bit before
"validating" it, pass the bits to be ignored down to the validating
function in its allowedflags argument.  Saves a 1kB+ stack allocation.

ok henning@

Revision 1.226 / (download) - annotate - [select for diffs], Sun Jul 31 05:20:57 2005 UTC (18 years, 10 months ago) by pascoe
Branch: MAIN
Changes since 1.225: +2 -2 lines
Diff to previous 1.225 (colored)

Perform pf state/rule/table expiry in a kernel thread instead of running
it out of a timeout handler.

This means we will have process context, required when using the oldnointr
pool allocator.

Addresses pr4186, pr4273.

ok dhartmei@ henning@ tedu@

Revision 1.225 / (download) - annotate - [select for diffs], Thu Jun 30 20:52:20 2005 UTC (18 years, 11 months ago) by sturm
Branch: MAIN
Changes since 1.224: +9 -3 lines
Diff to previous 1.224 (colored)

in order for pfvar.h not to conflict with openssl's crypto.h, use
PF_MD5_DIGEST_LENGTH instead of including crypto/md5.h

ok markus@, henning@, mpf@

Revision 1.224 / (download) - annotate - [select for diffs], Mon Jun 13 20:54:50 2005 UTC (19 years ago) by henning
Branch: MAIN
Changes since 1.223: +2 -2 lines
Diff to previous 1.223 (colored)

spurious XXX comment left over from interface abstraction code whacking

Revision 1.223 / (download) - annotate - [select for diffs], Mon Jun 13 20:17:25 2005 UTC (19 years ago) by henning
Branch: MAIN
Changes since 1.222: +5 -5 lines
Diff to previous 1.222 (colored)

make the packet and byte counters on rules and src nodes per direction,
matches the counters on states now. also fix the counting on scrub rules
where we previously did not handle the byte counters at all.
extend pfctl -sl output to include the new separate in/out counters
hacked on the ferry from Earls Cove to Saltery Bay
ok ryan

Revision 1.222 / (download) - annotate - [select for diffs], Sun Jun 5 20:47:46 2005 UTC (19 years ago) by henning
Branch: MAIN
Changes since 1.221: +3 -3 lines
Diff to previous 1.221 (colored)

const'ify the char * parameter to pfi_kif_get and pfi_group_change

Revision 1.221 / (download) - annotate - [select for diffs], Fri May 27 21:41:03 2005 UTC (19 years ago) by mpf
Branch: MAIN
Changes since 1.220: +3 -1 lines
Diff to previous 1.220 (colored)

Calculate an MD5 checksum over the main pf ruleset.
This is the basis for further pfsync improvements,
to ensure that pf rules are in sync with the master.

"get it in" mcbride@

Revision 1.220 / (download) - annotate - [select for diffs], Fri May 27 17:22:41 2005 UTC (19 years ago) by dhartmei
Branch: MAIN
Changes since 1.219: +14 -3 lines
Diff to previous 1.219 (colored)

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v are used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.

Revision 1.219 / (download) - annotate - [select for diffs], Thu May 26 15:29:48 2005 UTC (19 years ago) by dhartmei
Branch: MAIN
Changes since 1.218: +5 -1 lines
Diff to previous 1.218 (colored)

support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@

Revision 1.218 / (download) - annotate - [select for diffs], Wed May 25 06:50:05 2005 UTC (19 years ago) by henning
Branch: MAIN
Changes since 1.217: +2 -1 lines
Diff to previous 1.217 (colored)

when an interface joins or leaves a group call back into pf so it can
update the internal tables used for (ifgroup) notation

Revision 1.217 / (download) - annotate - [select for diffs], Mon May 23 23:28:53 2005 UTC (19 years ago) by dhartmei
Branch: MAIN
Changes since 1.216: +6 -2 lines
Diff to previous 1.216 (colored)

change pool allocation of table entries, no longer use the oldnointr
allocator and two pools, but PR_WAITOK when called from non-interrupt
context (ioctl). add configurable hard limits for tables and table
entries (set limit tables/table-entries), defaulting to 1000/100000.
ok aaron@, henning@, mcbride@, art@

Revision 1.216 / (download) - annotate - [select for diffs], Mon May 23 22:30:21 2005 UTC (19 years ago) by henning
Branch: MAIN
Changes since 1.215: +15 -14 lines
Diff to previous 1.215 (colored)

further cleanup: don't mimic ifnet and add hooks and the dohooks() stuff to
pf's interface abstraction, just attach a linked list of the dynaddrs to
the respective kifs. makes things way easier and will be needed for the next
step, ryan jajajaja

Revision 1.215 / (download) - annotate - [select for diffs], Sun May 22 18:23:04 2005 UTC (19 years ago) by henning
Branch: MAIN
Changes since 1.214: +4 -1 lines
Diff to previous 1.214 (colored)

allow pf to match on interface groups
pass on mygroup ...
markus ok

Revision 1.214 / (download) - annotate - [select for diffs], Sat May 21 21:03:57 2005 UTC (19 years ago) by henning
Branch: MAIN
Changes since 1.213: +26 -57 lines
Diff to previous 1.213 (colored)

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo

Revision 1.213 / (download) - annotate - [select for diffs], Thu Mar 3 07:13:39 2005 UTC (19 years, 3 months ago) by dhartmei
Branch: MAIN
CVS Tags: OPENBSD_3_7_BASE
Branch point for: OPENBSD_3_7
Changes since 1.212: +3 -1 lines
Diff to previous 1.212 (colored)

when tagging, apply the same tag to all packets matching a state entry
(not just to the initial packet). note: kernel/userland abi change
(rebuild pfctl). ok henning@

Revision 1.212 / (download) - annotate - [select for diffs], Sun Jan 30 00:02:30 2005 UTC (19 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.211: +18 -2 lines
Diff to previous 1.211 (colored)

Add some more reason counters and use them instead of overloading the
'memory' one, which helps debugging. Alters the kernel/userland ABI,
rebuild pfctl and tcpdump. ok henning@

Revision 1.211 / (download) - annotate - [select for diffs], Wed Jan 5 18:09:54 2005 UTC (19 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.210: +22 -1 lines
Diff to previous 1.210 (colored)

Define defaults for the timeouts ensure consistency between kernel
and userland.

ok henning@ dhartmei@

Revision 1.210 / (download) - annotate - [select for diffs], Wed Dec 22 17:17:55 2004 UTC (19 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.209: +7 -1 lines
Diff to previous 1.209 (colored)

Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@

Revision 1.209 / (download) - annotate - [select for diffs], Fri Dec 10 22:13:26 2004 UTC (19 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.208: +8 -2 lines
Diff to previous 1.208 (colored)

allow pf to filter on route labels
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan

Revision 1.208 / (download) - annotate - [select for diffs], Tue Dec 7 10:33:41 2004 UTC (19 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.207: +5 -2 lines
Diff to previous 1.207 (colored)

re-commit mcbride@'s 'flush global', this time without the breakage in
pfvar.h. builds kernel and userland.

Revision 1.207 / (download) - annotate - [select for diffs], Tue Dec 7 09:36:16 2004 UTC (19 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.206: +8 -12 lines
Diff to previous 1.206 (colored)

tree does not compile, spotted by dlg (not obvious how to fix)
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@

Revision 1.206 / (download) - annotate - [select for diffs], Tue Dec 7 05:30:26 2004 UTC (19 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.205: +13 -9 lines
Diff to previous 1.205 (colored)

Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@

Revision 1.205 / (download) - annotate - [select for diffs], Sat Dec 4 07:49:48 2004 UTC (19 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.204: +46 -1 lines
Diff to previous 1.204 (colored)

Add kernel code to keep track of tcp connections which have completed
the 3-way handshake. Allow limits on both total connections and connection
rate, put offenders in a table which can be used in the ruleset, and optionally
kill existing states. Rate tracking code from dhartmei@.

Adds a second pool for table entries using the default allocator, which
allows entries to be added at splsoftnet().

ok deraadt@ dhartmei@

Revision 1.204 / (download) - annotate - [select for diffs], Tue Nov 16 20:07:57 2004 UTC (19 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.203: +2 -1 lines
Diff to previous 1.203 (colored)

Fix for PR3983
- Add a new PFSTATE_STALE flag to uncompressed state updates sent as a result
  of a stale state being detected, and prevent updates with this flag from
  generating similar messages.
- For the specific case where the state->src in the received update is ok but
  the state.dst is not, take the partial update, then "fail" to let the other
  peers pick up the better data that we have. From Chris Pascoe.

ok dhartmei@

Revision 1.203 / (download) - annotate - [select for diffs], Tue Sep 21 16:59:12 2004 UTC (19 years, 8 months ago) by aaron
Branch: MAIN
Changes since 1.202: +2 -2 lines
Diff to previous 1.202 (colored)

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}".  henning@, dhartmei@ ok

Revision 1.202 / (download) - annotate - [select for diffs], Mon Jul 12 00:50:22 2004 UTC (19 years, 11 months ago) by itojun
Branch: MAIN
CVS Tags: OPENBSD_3_6_BASE, OPENBSD_3_6
Changes since 1.201: +2 -2 lines
Diff to previous 1.201 (colored)

remove PF_FORWARD (which was introduced by ipv6 reass-on-scrub).
daniel found it.

Revision 1.201 / (download) - annotate - [select for diffs], Sun Jul 11 15:54:21 2004 UTC (19 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.200: +2 -2 lines
Diff to previous 1.200 (colored)

backout IPv6 reass-on-scrub patch (more work needs to be done).
requested by deraadt

Revision 1.200 / (download) - annotate - [select for diffs], Fri Jun 25 10:10:14 2004 UTC (19 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.199: +2 -2 lines
Diff to previous 1.199 (colored)

re-introduce PF_INOUT and move PF_FORWARD def to the end.
pfctl is assuming that the keyword == 0 in its parser! (see decl for "dir").

Revision 1.199 / (download) - annotate - [select for diffs], Fri Jun 25 00:42:58 2004 UTC (19 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.198: +3 -3 lines
Diff to previous 1.198 (colored)

IPv6 reassembly on "scrub" directive.

caveats: (to be addressed soon)
- "scrub in" should queue fragments back into ip6intrq again, but
  somehow it does not happen - the packet is kept inside reass queue.
  need investigation
- ip6_forwarding path is not tested
- does not use red-black tree.  somehow red-black tree behaved badly
  and was not robust.  performance issue, the above one is more
  important.

good things:
- "scrub out" is perfectly ok
- i think now we can inspect upper-layer protocol fields (tcp port)
  even if ip6 packet is fragmented.
- reass queue will be cleaned up properly by timeout (60sec).  we might
  want to impose pool limit as well

Revision 1.198 / (download) - annotate - [select for diffs], Mon Jun 21 19:26:01 2004 UTC (19 years, 11 months ago) by mcbride
Branch: MAIN
Changes since 1.197: +3 -5 lines
Diff to previous 1.197 (colored)

Get rid of pf_test_eh() wrapper.

ok cedric@ henning@

Revision 1.197 / (download) - annotate - [select for diffs], Mon Jun 14 20:53:27 2004 UTC (20 years ago) by cedric
Branch: MAIN
Changes since 1.196: +1 -7 lines
Diff to previous 1.196 (colored)

Remove DIOCBEGINRULES, DIOCCOMMITRULES, DIOCBEGINALTQS, DIOCCOMMITALTQS,
DIOCRINABEGIN, DIOCRINACOMMIT ioctls.
Use DIOCXBEGIN/DIOCXCOMMIT/DIOCXROLLBACK instead.
ok beck@ dhartmei@ henning@

Revision 1.28.2.11 / (download) - annotate - [select for diffs], Sun Jun 13 08:50:17 2004 UTC (20 years ago) by niklas
Branch: SMP
Changes since 1.28.2.10: +3 -3 lines
Diff to previous 1.28.2.10 (colored) next main 1.29 (colored)

sync to HEAD

Revision 1.196 / (download) - annotate - [select for diffs], Thu Jun 10 14:22:54 2004 UTC (20 years ago) by dhartmei
Branch: MAIN
CVS Tags: SMP_SYNC_A
Changes since 1.195: +4 -4 lines
Diff to previous 1.195 (colored)

rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
keyword in C++. ok henning@, cedric@

Revision 1.28.2.10 / (download) - annotate - [select for diffs], Sat Jun 5 23:11:25 2004 UTC (20 years ago) by niklas
Branch: SMP
Changes since 1.28.2.9: +86 -62 lines
Diff to previous 1.28.2.9 (colored)

Merge with the trunk

Revision 1.195 / (download) - annotate - [select for diffs], Wed May 19 17:50:52 2004 UTC (20 years ago) by dhartmei
Branch: MAIN
CVS Tags: SMP_SYNC_B
Changes since 1.194: +27 -36 lines
Diff to previous 1.194 (colored)

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@

Revision 1.194 / (download) - annotate - [select for diffs], Tue May 11 07:34:11 2004 UTC (20 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.193: +3 -1 lines
Diff to previous 1.193 (colored)

pf_cksum_fixup() was called without last argument from normalization,
also fixup checksum when random-id modifies ip_id. This would previously
lead to incorrect checksums for packets modified by scrub random-id.
From Pyun YongHyeon. ok cedric@

Revision 1.193 / (download) - annotate - [select for diffs], Wed May 5 23:16:03 2004 UTC (20 years, 1 month ago) by frantzen
Branch: MAIN
Changes since 1.192: +20 -8 lines
Diff to previous 1.192 (colored)

Use RFC1323 PAWS timestamps as a logical extension to the conventional TCP
sequence numbers by taking advantage of the maximum 1KHz clock as an upperbound
on the timestamp.  Typically gains 10 to 18 bits of additional security against
blind data insertion attacks.  More if the TS Echo wasn't optional :-(
Enabled with:  scrub on !lo0 all reassemble tcp
ok dhartmei@.  documentation help from jmc@

Revision 1.192 / (download) - annotate - [select for diffs], Wed Apr 28 02:51:58 2004 UTC (20 years, 1 month ago) by cedric
Branch: MAIN
Changes since 1.191: +5 -1 lines
Diff to previous 1.191 (colored)

make return-rst work on pure bridges. ok dhartmei@ henning@ mcbride@

Revision 1.191 / (download) - annotate - [select for diffs], Tue Apr 27 18:28:07 2004 UTC (20 years, 1 month ago) by frantzen
Branch: MAIN
Changes since 1.190: +6 -3 lines
Diff to previous 1.190 (colored)

validate the sequence numbers on TCP resets are an exact match.  check is only
enabled when we're doing full frag reassembly and thus have full seq info
ok markus@

Revision 1.190 / (download) - annotate - [select for diffs], Mon Apr 26 00:12:28 2004 UTC (20 years, 1 month ago) by cedric
Branch: MAIN
Changes since 1.189: +2 -2 lines
Diff to previous 1.189 (colored)

anchor refcounting. ok dhartmei@ mcbride@

Revision 1.189 / (download) - annotate - [select for diffs], Sun Apr 25 18:09:30 2004 UTC (20 years, 1 month ago) by pb
Branch: MAIN
Changes since 1.188: +2 -1 lines
Diff to previous 1.188 (colored)

get rid of a complete state tree walk at state expire while in splnet()

ok mcbride@ henning@

Revision 1.188 / (download) - annotate - [select for diffs], Sat Apr 24 23:22:54 2004 UTC (20 years, 1 month ago) by cedric
Branch: MAIN
Changes since 1.187: +2 -1 lines
Diff to previous 1.187 (colored)

Add "probability xxx" rule modifier. ok deraadt@

Revision 1.187 / (download) - annotate - [select for diffs], Mon Mar 22 04:54:18 2004 UTC (20 years, 2 months ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_3_5_BASE, OPENBSD_3_5
Changes since 1.186: +6 -1 lines
Diff to previous 1.186 (colored)

Support for best effort bulk transfers of states when pfsync syncif is
configured.  This allows pfsync+carp clusters to come up gracefully
without killing active connections. pfsync now prevents carp from
preempting to become master until the state table has sync'd.

ABI change, any application which use struct pf_state must be recompiled.

Reminded about this by Christian Gut. Thanks to beck@ cedric@ and dhartmei@
for testing and comments.

ok deraadt@

Revision 1.186 / (download) - annotate - [select for diffs], Fri Feb 20 19:22:03 2004 UTC (20 years, 3 months ago) by mcbride
Branch: MAIN
Changes since 1.185: +2 -1 lines
Diff to previous 1.185 (colored)

Make pfsync deal with clearing states bound to a group or interface (eg
pfctl -i fxp0 -Fs). Also don't send out individual state deletions if we're
sending a clear message, move pfsync_clear_states() inside splnet, and fix
if_pfsync.h includes in  pf.c and pf_ioctl.c.

ok cedric@ dhartmei@

Revision 1.185 / (download) - annotate - [select for diffs], Thu Feb 19 21:29:51 2004 UTC (20 years, 3 months ago) by cedric
Branch: MAIN
Changes since 1.184: +3 -2 lines
Diff to previous 1.184 (colored)

Make pfctl -Fs and pfctl -w work with the optional -i specifier.
Kernel/Userland Sync needed. ok dhartmei@ jmc@ markus@ mcbride@

Revision 1.28.2.9 / (download) - annotate - [select for diffs], Thu Feb 19 10:57:22 2004 UTC (20 years, 3 months ago) by niklas
Branch: SMP
Changes since 1.28.2.8: +410 -71 lines
Diff to previous 1.28.2.8 (colored)

Merge of current from two weeks ago into the SMP branch

Revision 1.184 / (download) - annotate - [select for diffs], Thu Feb 19 07:41:45 2004 UTC (20 years, 3 months ago) by kjc
Branch: MAIN
Changes since 1.183: +4 -3 lines
Diff to previous 1.183 (colored)

the 2nd round of the qid assignment change.
make the semantics in line with the tag assignment, which simplifies
the id management in pf.

ok, henning@

Revision 1.183 / (download) - annotate - [select for diffs], Tue Feb 10 22:42:57 2004 UTC (20 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.182: +7 -7 lines
Diff to previous 1.182 (colored)

KNF

Revision 1.182 / (download) - annotate - [select for diffs], Tue Feb 10 18:49:10 2004 UTC (20 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.181: +9 -9 lines
Diff to previous 1.181 (colored)

KNF

Revision 1.181 / (download) - annotate - [select for diffs], Wed Feb 4 10:43:18 2004 UTC (20 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.180: +3 -1 lines
Diff to previous 1.180 (colored)

Fix a number of bugs with setting pool limits which I introduced with
source-tracking. Found by Pyun YongHyeon.
Also add support to pfctl to set the src-nodes pool limit.

"Luckily" some of the bugs cancel each other out; update kernel before
pfctl.

ok dhartmei@

Revision 1.180 / (download) - annotate - [select for diffs], Wed Dec 31 11:18:25 2003 UTC (20 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.179: +161 -50 lines
Diff to previous 1.179 (colored)

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces, for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@

Revision 1.179 / (download) - annotate - [select for diffs], Mon Dec 15 09:10:26 2003 UTC (20 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.178: +4 -4 lines
Diff to previous 1.178 (colored)

ryan left a few for me ;-)

Revision 1.178 / (download) - annotate - [select for diffs], Mon Dec 15 07:11:30 2003 UTC (20 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.177: +20 -7 lines
Diff to previous 1.177 (colored)

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
  added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
  be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
  packets on pfsync no longer contain regular pf_state structs,
  but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@

Revision 1.177 / (download) - annotate - [select for diffs], Mon Dec 15 00:02:04 2003 UTC (20 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.176: +56 -6 lines
Diff to previous 1.176 (colored)

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
  translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@

Revision 1.176 / (download) - annotate - [select for diffs], Fri Dec 12 20:05:45 2003 UTC (20 years, 6 months ago) by cedric
Branch: MAIN
Changes since 1.175: +5 -5 lines
Diff to previous 1.175 (colored)

Move PF interface code to new net/pf_if.c
Expect improvements in this area soon.
ok dhartmei@ mcbride@

Revision 1.175 / (download) - annotate - [select for diffs], Thu Dec 11 13:13:27 2003 UTC (20 years, 6 months ago) by cedric
Branch: MAIN
Changes since 1.174: +4 -1 lines
Diff to previous 1.174 (colored)

Fix PR3587 and other related problems with NAT and table stats.
PPL that have that problem and cannot upgrade to -current could
just comment out the assertion in pfr_update_stats().
ok dhartmei@ henning@

Revision 1.174 / (download) - annotate - [select for diffs], Sat Nov 8 00:45:34 2003 UTC (20 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.173: +2 -1 lines
Diff to previous 1.173 (colored)

Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.

pass in proto tcp to self flags S/SA keep state (no-sync)

ok cedric@ henning@ dhartmei@

Revision 1.173 / (download) - annotate - [select for diffs], Fri Oct 31 10:34:47 2003 UTC (20 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.172: +2 -2 lines
Diff to previous 1.172 (colored)

Remove remnants of pf_tree stuff that I missed.

Revision 1.172 / (download) - annotate - [select for diffs], Sat Oct 25 20:27:07 2003 UTC (20 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.171: +15 -16 lines
Diff to previous 1.171 (colored)

Build state search indexes directly on pf_state instead of pf_tree_node.
This saves more than 30% memory on state entries, and simplifies the state
insertion and removal code as well.

NOTE: This changes the pf API; userland tools must be updated to match.

ok henning@ dhartmei@

Revision 1.171 / (download) - annotate - [select for diffs], Fri Sep 26 21:44:09 2003 UTC (20 years, 8 months ago) by cedric
Branch: MAIN
Changes since 1.170: +21 -1 lines
Diff to previous 1.170 (colored)

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:

   - Anchors/Rulesets cannot disappear unexpectedly anymore.
   - No more leftover in the kernel if "pfctl -f" fails.
   - Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

   - DIOCBEGINRULES
   - DIOCCOMMITRULES
   - DIOCBEGINALTQS
   - DIOCCOMMITALTQS
   - DIOCRINABEGIN
   - DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

   - DIOCXBEGIN
   - DIOCXCOMMIT
   - DIOCXROLLBACK

Ok dhartmei@ mcbride@

Revision 1.170 / (download) - annotate - [select for diffs], Fri Aug 22 21:50:34 2003 UTC (20 years, 9 months ago) by david
Branch: MAIN
CVS Tags: OPENBSD_3_4_BASE, OPENBSD_3_4
Changes since 1.169: +2 -2 lines
Diff to previous 1.169 (colored)

pf spelling police
ok dhartmei@ jmc@

Revision 1.169 / (download) - annotate - [select for diffs], Fri Aug 22 15:19:23 2003 UTC (20 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.168: +2 -2 lines
Diff to previous 1.168 (colored)

KNF

Revision 1.168 / (download) - annotate - [select for diffs], Fri Aug 22 14:59:30 2003 UTC (20 years, 9 months ago) by frantzen
Branch: MAIN
Changes since 1.167: +3 -1 lines
Diff to previous 1.167 (colored)

don't expose pf_osfp_fingerprint() to ! _KERNEL.  tcpdump et al use
pf_osfp_fingerprint_hdr() which doesn't work on mbufs.
pointed out by Max Laier

Revision 1.167 / (download) - annotate - [select for diffs], Thu Aug 21 19:12:08 2003 UTC (20 years, 9 months ago) by frantzen
Branch: MAIN
Changes since 1.166: +125 -2 lines
Diff to previous 1.166 (colored)

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
.	block proto tcp from any os SCO
.	block proto tcp from any os Windows to any port smtp
.	rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001

Revision 1.166 / (download) - annotate - [select for diffs], Sat Aug 9 14:56:48 2003 UTC (20 years, 10 months ago) by cedric
Branch: MAIN
Changes since 1.165: +8 -2 lines
Diff to previous 1.165 (colored)

This patch removes the restriction that tables cannot be used in routing or
redirection rules...

The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.

This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.

Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"

ok henning@ mcbride@

Revision 1.165 / (download) - annotate - [select for diffs], Thu Aug 7 14:20:50 2003 UTC (20 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.164: +2 -2 lines
Diff to previous 1.164 (colored)

make pf_match take u_int32_t instead of u_int16_t
it's not only used to match on ports any more but uid/gid as well, and uid_t/gid_t are u_int32_t.
found by aaron@
ok cedric@

Revision 1.164 / (download) - annotate - [select for diffs], Thu Jul 31 22:25:55 2003 UTC (20 years, 10 months ago) by cedric
Branch: MAIN
Changes since 1.163: +7 -5 lines
Diff to previous 1.163 (colored)

Make table tickets per-ruleset instead of global.
Make table tickets u_int32_t for consistency with other parts of PF.
Ok dhartmei@ henning@

Revision 1.163 / (download) - annotate - [select for diffs], Sat Jul 19 13:08:58 2003 UTC (20 years, 10 months ago) by cedric
Branch: MAIN
Changes since 1.162: +2 -2 lines
Diff to previous 1.162 (colored)

Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
instead of indirectly trough struct pf_rule_addr.

Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.

Needless to say: KERNEL/USERLAND SYNC REQUIRED.

ok henning@ mcbride@

Revision 1.162 / (download) - annotate - [select for diffs], Fri Jul 4 10:39:31 2003 UTC (20 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.161: +2 -1 lines
Diff to previous 1.161 (colored)

-add a "natpass" field to pf_rule
-if natpass is nonzero on nat/rdr/binat rules, do not evaluate the filter
ruleset, but set the rulepointer to the default rule (which is a pass rule)

in cooperation with daniel.

ok dhartmei@ cedric@ markus@

Revision 1.161 / (download) - annotate - [select for diffs], Thu Jul 3 11:48:39 2003 UTC (20 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.160: +1 -3 lines
Diff to previous 1.160 (colored)

unused global.  dhartmei ok

Revision 1.160 / (download) - annotate - [select for diffs], Mon Jun 30 19:09:25 2003 UTC (20 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.159: +1 -2 lines
Diff to previous 1.159 (colored)

change that queue ID allocator so it always has the queues sorted by ID.
that allows us to get rid of the "tagid" global which stored the highest
tag ID in use.
when allocating a new ID scan the list for a free slot and only use
highest + 1 on failure instead of using highest + 1 from the beginning
scanning for a dup afterwards. this prevents ID space fragmentation better.

as a result this allows us to get rid of the pf_tag_purge() function
completely and let pf_tag_unref() remove an entry once the reference
counter reaches zero by itself.
after all it makes for easier code and is about 50% faster.

idea came up during a discussion on icb earlier today between cedric and
myself, which itself was particularly inspired by Darren Reed questioning the
need for pf_tag_purge on tech-net@netbsd.

ok dhartmei@ cedric@

Revision 1.159 / (download) - annotate - [select for diffs], Mon Jun 30 10:50:16 2003 UTC (20 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.158: +2 -1 lines
Diff to previous 1.158 (colored)

move prototype for pf_tag_purge() to pfvar.h

Revision 1.158 / (download) - annotate - [select for diffs], Sun Jun 29 23:37:12 2003 UTC (20 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.157: +2 -1 lines
Diff to previous 1.157 (colored)

normalize IPv6 packet (no reass, but it is a start).  dhartmei & henning ok
- length, jumbo payload option
- TTL ("hoplimit" in IPv6 terminology) rewrite

Revision 1.157 / (download) - annotate - [select for diffs], Sat Jun 21 09:07:01 2003 UTC (20 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.156: +3 -3 lines
Diff to previous 1.156 (colored)

count packets and bidirectionally on state entries, allowing for fine-grained
traffic reporting w/ pfsync; ok dhartmei@

Note: ABI change (new fields in struct pf_state), requires a rebuild of
pfctl and tcpdump.

Revision 1.156 / (download) - annotate - [select for diffs], Fri Jun 20 18:24:57 2003 UTC (20 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.155: +2 -1 lines
Diff to previous 1.155 (colored)

Add MSS support to the synproxy. The client's MSS is sent to the server,
the server's MSS is guessed based on the routing table and interface MTU.

Fine patch entirely from Krists Krilovs <pow@pow.za.net>, ok frantzen@

Note: ABI change (new field in struct pf_state), requires a pfctl rebuild
(and tcpdump for pfsync).

Revision 1.155 / (download) - annotate - [select for diffs], Mon Jun 9 11:14:46 2003 UTC (21 years ago) by mcbride
Branch: MAIN
Changes since 1.154: +1 -2 lines
Diff to previous 1.154 (colored)

Attempt to resolve byte order confusion in nat code once and for all.

- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pf_get_sport()

NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.

Revision 1.154 / (download) - annotate - [select for diffs], Sun Jun 8 09:41:08 2003 UTC (21 years ago) by cedric
Branch: MAIN
Changes since 1.153: +14 -5 lines
Diff to previous 1.153 (colored)

A table in an anchor creates a real anchor: pfctl -sA works.
The following two pfctl functions work with an "-a" option:
  - pfctl [-a foo[:bar]] -sT
  - pfctl [-a foo[:bar]] -FT
ok dhartmei@

Revision 1.28.2.8 / (download) - annotate - [select for diffs], Sat Jun 7 11:06:07 2003 UTC (21 years ago) by ho
Branch: SMP
Changes since 1.28.2.7: +13 -2 lines
Diff to previous 1.28.2.7 (colored)

Sync SMP branch to -current

Revision 1.153 / (download) - annotate - [select for diffs], Tue Jun 3 12:34:04 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.152: +6 -1 lines
Diff to previous 1.152 (colored)

move some prototypes to pfvar.h. needed soon.
pf_tagname2tag, pf_tag2tagname, pf_tag_unref, pf_tag_packet

Revision 1.58.2.4 / (download) - annotate - [select for diffs], Mon May 19 22:29:54 2003 UTC (21 years ago) by tedu
Branch: UBC
Changes since 1.58.2.3: +527 -246 lines
Diff to previous 1.58.2.3 (colored) to branchpoint 1.58 (colored) next main 1.59 (colored)

sync

Revision 1.152 / (download) - annotate - [select for diffs], Sat May 17 02:01:21 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
CVS Tags: UBC_SYNC_A
Changes since 1.151: +2 -1 lines
Diff to previous 1.151 (colored)

allow inverse matching on tags

ok dhartmei@ pb@

Revision 1.151 / (download) - annotate - [select for diffs], Sat May 17 01:08:50 2003 UTC (21 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.150: +2 -2 lines
Diff to previous 1.150 (colored)

Add an 'action' code that allows the SYN proxy to swallow/drop a packet
without causing EHOSTUNREACH to be delivered to local sockets, so it works
for outgoing connections originating on the same host. ok frantzen@

Revision 1.150 / (download) - annotate - [select for diffs], Fri May 16 17:15:17 2003 UTC (21 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.149: +6 -1 lines
Diff to previous 1.149 (colored)

TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive end-
point, preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@

Revision 1.28.2.7 / (download) - annotate - [select for diffs], Fri May 16 00:29:44 2003 UTC (21 years, 1 month ago) by niklas
Branch: SMP
Changes since 1.28.2.6: +52 -20 lines
Diff to previous 1.28.2.6 (colored)

merge the trunk so we will get the genfs and locking fixes

Revision 1.149 / (download) - annotate - [select for diffs], Wed May 14 23:46:45 2003 UTC (21 years, 1 month ago) by frantzen
Branch: MAIN
Changes since 1.148: +27 -18 lines
Diff to previous 1.148 (colored)

- modulate TCP Timestamps so they can't be used to detect NAT and to preclude
remote uptime determination
- scrub modifier "reassemble tcp" turns on stateful TCP normalizations
ok henning@ dhartmei@

Revision 1.148 / (download) - annotate - [select for diffs], Wed May 14 08:42:00 2003 UTC (21 years, 1 month ago) by canacar
Branch: MAIN
Changes since 1.147: +3 -3 lines
Diff to previous 1.147 (colored)

Use official (from pcap people) link type for pflog.
With this change, the log header format also changes.
The new log format is extendible and allows logging
of the originating anchor and ruleset information.

ok henning@ dhartmei@ frantzen@

Revision 1.28.2.6 / (download) - annotate - [select for diffs], Tue May 13 19:36:16 2003 UTC (21 years, 1 month ago) by ho
Branch: SMP
Changes since 1.28.2.5: +71 -35 lines
Diff to previous 1.28.2.5 (colored)

Sync the SMP branch to -current. This includes moving to ELF.

Revision 1.147 / (download) - annotate - [select for diffs], Tue May 13 17:45:24 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.146: +20 -1 lines
Diff to previous 1.146 (colored)

add support for tagging packets with arbitrary tags and filtering based on
those tags later on.

ok dhartmei@ pb@ mcbride@ frantzen@

Revision 1.146 / (download) - annotate - [select for diffs], Mon May 12 22:11:18 2003 UTC (21 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.145: +5 -1 lines
Diff to previous 1.145 (colored)

Add comment about special (non-index) PFTM_* values.

Revision 1.145 / (download) - annotate - [select for diffs], Mon May 12 17:49:03 2003 UTC (21 years, 1 month ago) by mcbride
Branch: MAIN
Changes since 1.144: +13 -13 lines
Diff to previous 1.144 (colored)

Reorder IPv6 address comparisons to check the least significant parts
first. The least significant portions of the IPv6 address are more
likely to differ than the more significant ones, since in most
situations half the addresses (either the source or the destination)
will be in the local subnet.

ok dhartmei@ henning@

Revision 1.144 / (download) - annotate - [select for diffs], Mon May 12 01:25:31 2003 UTC (21 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.143: +8 -3 lines
Diff to previous 1.143 (colored)

Adaptive timeout value scaling. Allows to reduce timeout values as the
number of state table entries grows, so entries time out faster before
the table fills up. Works both globally and per-rule. ok frantzen@

Revision 1.143 / (download) - annotate - [select for diffs], Sun May 11 20:44:03 2003 UTC (21 years, 1 month ago) by frantzen
Branch: MAIN
Changes since 1.142: +21 -4 lines
Diff to previous 1.142 (colored)

the start of stateful TCP scrubbing.  dynamically determine the highest TTL of
each side of the TCP connection and prevent it from being reduced
ok pb@ dhartmei@

Revision 1.142 / (download) - annotate - [select for diffs], Wed Apr 30 12:30:27 2003 UTC (21 years, 1 month ago) by cedric
Branch: MAIN
Changes since 1.141: +7 -3 lines
Diff to previous 1.141 (colored)

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@

Revision 1.141 / (download) - annotate - [select for diffs], Sun Apr 27 16:02:08 2003 UTC (21 years, 1 month ago) by cedric
Branch: MAIN
Changes since 1.140: +11 -4 lines
Diff to previous 1.140 (colored)

Update the pfioc_table IOCTL structure.
Prepare for anchors, improve robustness.
WARNING: need to sync kernel/userland.
ok dhartmei@

Revision 1.140 / (download) - annotate - [select for diffs], Fri Apr 11 14:40:57 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.139: +3 -1 lines
Diff to previous 1.139 (colored)

set/update the queue IDs on filter rules (qid and pqid) on
-DIOCCHANGERULE (just the affected rule)
-DIOCCOMMITRULES (all filter rules that get committed - one anchor or main rs)
-DIOCCOMMITALTQS (all filter rules, main set plus all anchors)

This fixes a whole bunch of issues.
previously, this was done in userland at load time. This worked fine for the
usual case, full ruleset load. It did not work inside anchors, as the queue
name <-> queue ID mapping is unknown there. Also, if the queue definitions
were changed without reloading the rules too (pfctl -A), the queue IDs on
the rules were not updated.
The three ioctls mentioned above are all entry points where the mapping is
touched.

helpful discussion with dhartmei@ and cedric@ helped verifying my approach
for this fix was right.

ok dhartmei@ cedric@

Revision 1.139 / (download) - annotate - [select for diffs], Wed Apr 9 15:32:59 2003 UTC (21 years, 2 months ago) by cedric
Branch: MAIN
Changes since 1.138: +11 -11 lines
Diff to previous 1.138 (colored)

Change pf_state structure to point to both a rule and the anchor,
so states created by rules in anchors correctly use rule options like
routing and (soon) queues...
Rule number bumped to 32 bit value.
USERLAND NEEDS TO BE RECOMPILED.
ok dhartmei@ henning@

Revision 1.138 / (download) - annotate - [select for diffs], Sat Apr 5 20:20:58 2003 UTC (21 years, 2 months ago) by cedric
Branch: MAIN
Changes since 1.137: +2 -3 lines
Diff to previous 1.137 (colored)

Replace the timeout variables by the content of the timeout
field of a new pf_default_rule structure.
ok dhartmei@

Revision 1.137 / (download) - annotate - [select for diffs], Mon Mar 31 13:15:27 2003 UTC (21 years, 2 months ago) by cedric
Branch: MAIN
Changes since 1.136: +3 -1 lines
Diff to previous 1.136 (colored)

Only delete rule structure when no state refers to it.
Fix a bunch of issues.
Removal of unneeded (r != null) tests coming soon...
ok dhartmei@

Revision 1.28.2.5 / (download) - annotate - [select for diffs], Fri Mar 28 00:41:29 2003 UTC (21 years, 2 months ago) by niklas
Branch: SMP
Changes since 1.28.2.4: +668 -226 lines
Diff to previous 1.28.2.4 (colored)

Sync the SMP branch with 3.3

Revision 1.136 / (download) - annotate - [select for diffs], Mon Mar 3 14:33:17 2003 UTC (21 years, 3 months ago) by cedric
Branch: MAIN
CVS Tags: OPENBSD_3_3_BASE, OPENBSD_3_3
Changes since 1.135: +3 -3 lines
Diff to previous 1.135 (colored)

Make "pfctl -ss" output easier to parse. NO TRAFFIC -> NO_TRAFFIC.
ok dhartmei@ henning@

Revision 1.135 / (download) - annotate - [select for diffs], Sat Feb 8 20:13:20 2003 UTC (21 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.134: +2 -1 lines
Diff to previous 1.134 (colored)

Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@

Revision 1.134 / (download) - annotate - [select for diffs], Tue Jan 21 22:23:49 2003 UTC (21 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.133: +4 -2 lines
Diff to previous 1.133 (colored)

Support for TCP window scaling (RFC 1323). ok frantzen@

Revision 1.133 / (download) - annotate - [select for diffs], Wed Jan 15 16:28:56 2003 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.132: +2 -1 lines
Diff to previous 1.132 (colored)

Fix a buglet when one "creates" a table which is already in the
referenced or inactive set. Flags were not updated correctly.
Tested on i386, sparc64. More regression tests coming.

Revision 1.132 / (download) - annotate - [select for diffs], Fri Jan 10 16:09:19 2003 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.131: +2 -2 lines
Diff to previous 1.131 (colored)

Fix adding and deleting addresses in a table when there is a conflict with
the "negated" attribute of an address. The previous behaviour was incorrect
in both cases (too strict for the add command and too permissive for the
delete command).
ok dhartmei@

Revision 1.131 / (download) - annotate - [select for diffs], Thu Jan 9 15:58:35 2003 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.130: +2 -2 lines
Diff to previous 1.130 (colored)

(whitespace) KNF, re-fold -w 80

Revision 1.130 / (download) - annotate - [select for diffs], Thu Jan 9 10:40:45 2003 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.129: +26 -12 lines
Diff to previous 1.129 (colored)

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@

Revision 1.129 / (download) - annotate - [select for diffs], Tue Jan 7 00:21:07 2003 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.128: +40 -19 lines
Diff to previous 1.128 (colored)

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@

Revision 1.128 / (download) - annotate - [select for diffs], Mon Jan 6 14:19:40 2003 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.127: +2 -2 lines
Diff to previous 1.127 (colored)

Move initialisation of radix table globals in pfr_initialize()
ok dhartmei@

Revision 1.127 / (download) - annotate - [select for diffs], Sun Jan 5 22:14:23 2003 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.126: +15 -6 lines
Diff to previous 1.126 (colored)

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@

Revision 1.126 / (download) - annotate - [select for diffs], Sat Jan 4 17:40:50 2003 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.125: +4 -2 lines
Diff to previous 1.125 (colored)

move noroute from flag in pf_rule_addr into type in pf_addr_wrap.
ok henning@, mcbride@

Revision 1.125 / (download) - annotate - [select for diffs], Fri Jan 3 10:39:09 2003 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.124: +8 -4 lines
Diff to previous 1.124 (colored)

1) pfr_insert_kentries() cannot return ENOMEM anymore -> make it void.
2) add new PFR_FLAG_REPLACE for use by pfr_tst_addrs().
3) add new pfrio_nmatch alias to pfioc_table, set by pfr_tst_addrs().
Tested on i386, sparc64

Revision 1.124 / (download) - annotate - [select for diffs], Thu Jan 2 11:43:20 2003 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.123: +22 -22 lines
Diff to previous 1.123 (colored)

Remove explicit numbering of enums.

ok fgsch@ dhartmei@ henning@

Revision 1.123 / (download) - annotate - [select for diffs], Wed Jan 1 16:09:29 2003 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.122: +3 -1 lines
Diff to previous 1.122 (colored)

use a #define for the default state table size

Revision 1.122 / (download) - annotate - [select for diffs], Wed Jan 1 14:16:56 2003 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.121: +2 -2 lines
Diff to previous 1.121 (colored)

Behaves correctly when duplicate addresses are given in the same ioctl.
(i.e: pfradix -a test 1.2.3.4 1.2.3.4). The ioctl can also report these
duplicates to the caller using the new PFR_FB_DUPLICATE feedback tag.

Revision 1.121 / (download) - annotate - [select for diffs], Wed Jan 1 04:26:19 2003 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.120: +10 -11 lines
Diff to previous 1.120 (colored)

Remove skip step for action (scrub vs. non-scrub), as scrub rules are
stored in a separate list now. Regress tests still pass after
sed "s/ a=end / /g", other skip steps are not affected.

Revision 1.120 / (download) - annotate - [select for diffs], Tue Dec 31 19:18:41 2002 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.119: +4 -4 lines
Diff to previous 1.119 (colored)

Split scrub rules out from the filter rules in the kernel.
Precursor to removing rule.action from skip steps.

Also a couple of other small fixes:
- s/PF_RULESET_RULE/PF_RULESET_FILTER/
- replacement of 4 with PF_RULESET_MAX in pfvar.h struct ruleset {
- error handling in ioctl of an invalid value in rule.action
- counting evaluations and matching packets for scrub rules

ok henning@ dhartmei@

Revision 1.119 / (download) - annotate - [select for diffs], Sun Dec 29 20:07:34 2002 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.118: +152 -1 lines
Diff to previous 1.118 (colored)

Add support for radix tables for source and destination of PF rules.
ok dhartmei@, mcbride@, henning@

Revision 1.118 / (download) - annotate - [select for diffs], Mon Dec 23 13:15:18 2002 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.117: +2 -2 lines
Diff to previous 1.117 (colored)

Change from array to single pf_pabuf (no longer need multiple buffers as
we don't need the second list of addresses for DIOCCHANGE* operations)

Also get rid of a bug where DIOCBEGINADDRS clears pabuf[1] when pabuf[0]
is the one being used.

ok henning@ dhartmei@

Revision 1.117 / (download) - annotate - [select for diffs], Sun Dec 22 19:59:13 2002 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.116: +2 -7 lines
Diff to previous 1.116 (colored)

pfioc_changealtq is not needed anymore; queues will eventually be
referenced by number in DIOCCHANGEALTQ (like rule and pooladdress)

"go for it" henning@

Revision 1.116 / (download) - annotate - [select for diffs], Sun Dec 22 02:33:14 2002 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.115: +3 -4 lines
Diff to previous 1.115 (colored)

mv PF_RULESET_MAX into the enum, slightly less confusing.

ok dhartmei@

Revision 1.115 / (download) - annotate - [select for diffs], Wed Dec 18 19:40:41 2002 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.114: +2 -1 lines
Diff to previous 1.114 (colored)

Store translation rule pointer in state entries, so pfctl -vsn can print
evaluation, packet, byte and state entry counters similar to -vsr. Helps
verify whether/how often translation rules are evaluated/matched.
ok frantzen@, henning@

Revision 1.114 / (download) - annotate - [select for diffs], Wed Dec 18 19:04:38 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.113: +7 -6 lines
Diff to previous 1.113 (colored)

little style

Revision 1.113 / (download) - annotate - [select for diffs], Wed Dec 18 16:28:40 2002 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.112: +5 -2 lines
Diff to previous 1.112 (colored)

Pass skip step values through ioctl interface, pfctl -vvsr shows them,
main purpose is making them regress-testable.

Revision 1.112 / (download) - annotate - [select for diffs], Tue Dec 17 12:30:13 2002 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.111: +23 -188 lines
Diff to previous 1.111 (colored)

Merge pf_nat/pf_binat/pf_rdr structs into pf_rule. Simplifies code, allows
skip steps on translation rules.

Also:
- Require a ticket for DIOCCHANGERULE operations to prevent races.
- Remove pf_compare_* functions from pf_ioctl.c. DIOCCHANGE* operations
  use a rule number, and comparisons happen in userland.

Testing and fixes from dhartmei@ and frantzen@

ok dhartmei@ henning@

Revision 1.111 / (download) - annotate - [select for diffs], Mon Dec 16 08:49:22 2002 UTC (21 years, 6 months ago) by kjc
Branch: MAIN
Changes since 1.110: +18 -8 lines
Diff to previous 1.110 (colored)

add options for 2 more queueing disciplines, PRIQ and HFSC.
ok henning@ dhartmei@

Revision 1.110 / (download) - annotate - [select for diffs], Fri Dec 13 21:48:31 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.109: +2 -0 lines
Diff to previous 1.109 (colored)

add pqueue and pqid to pf_rule.
this allows for a second queue on pf_rule.
assign packets with tos 0x10 (lowdelay) to this one.
if the second queue isn't specified set pqid = qid

idea dhartmei@
ok dhartmei@ frantzen@ deraadt@

Revision 1.109 / (download) - annotate - [select for diffs], Thu Dec 12 14:08:52 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.108: +2 -2 lines
Diff to previous 1.108 (colored)

minor KNF

Revision 1.108 / (download) - annotate - [select for diffs], Fri Dec 6 00:47:32 2002 UTC (21 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.107: +117 -44 lines
Diff to previous 1.107 (colored)

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@

Revision 1.107 / (download) - annotate - [select for diffs], Sun Dec 1 19:54:32 2002 UTC (21 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.106: +8 -2 lines
Diff to previous 1.106 (colored)

- Clean up pf_ioctl mainly by adding new functions to handle cleaning and
  freeing rules. Fixes a number of potential memory leaks and other bugs.
- Add new pool_ticket to insure that address pools don't get messed
  with by someone else while we add rules.
- Add a second address pool buffer, so that DIOCCHANGE* operations which use
  pf_compare* will work correctly.

Excellent bug report and analysis from DJ Gregor.

ok dhartmei@ henning@

Revision 1.106 / (download) - annotate - [select for diffs], Fri Nov 29 18:25:23 2002 UTC (21 years, 6 months ago) by mickey
Branch: MAIN
Changes since 1.105: +2 -2 lines
Diff to previous 1.105 (colored)

expose state table changes

Revision 1.105 / (download) - annotate - [select for diffs], Thu Nov 28 12:07:37 2002 UTC (21 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.104: +2 -2 lines
Diff to previous 1.104 (colored)

- MD5 too slow, replace with pf_hash (based on hash from if_bridge.c)
- Always fold the key in

Many fixes & suggestions from camield@

ok mickey@ camield@ henning@

Revision 1.104 / (download) - annotate - [select for diffs], Tue Nov 26 11:28:13 2002 UTC (21 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.103: +2 -2 lines
Diff to previous 1.103 (colored)

pass struct pfioc_changeaddr to DIOCCHANGEADDR
rather than struct pfioc_pooladdr

an obvious fix from dhartmei@

Revision 1.103 / (download) - annotate - [select for diffs], Sat Nov 23 09:37:02 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.102: +9 -9 lines
Diff to previous 1.102 (colored)

KNF

Revision 1.102 / (download) - annotate - [select for diffs], Sat Nov 23 05:16:58 2002 UTC (21 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.101: +96 -19 lines
Diff to previous 1.101 (colored)

kernel code to allow multiple redirection addresses to be specified for nat
and rdr, as well as route-to, dup-to and reply-to.

Addresses can be allocated in a number of ways:
- masking out the network portion of the address and replacing it
- randomly assigning an address in the block
- hashing the source address and a key to determine the redirection address
- iterating through the addresses sequentially (this is the only allocation
  scheme which works when a list of addresses is specified)

ok dhartmei@ henning@

Revision 1.101 / (download) - annotate - [select for diffs], Sat Nov 2 16:56:50 2002 UTC (21 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.100: +6 -7 lines
Diff to previous 1.100 (colored)

Make PF_ANEQ(), PF_ANEQ() and PF_AZERO() check the whole address if af
is not set to AF_INET6 or AF_INET

ok dhartmei@ henning@

Revision 1.58.2.3 / (download) - annotate - [select for diffs], Tue Oct 29 00:36:46 2002 UTC (21 years, 7 months ago) by art
Branch: UBC
Changes since 1.58.2.2: +164 -46 lines
Diff to previous 1.58.2.2 (colored) to branchpoint 1.58 (colored)

sync to -current

Revision 1.100 / (download) - annotate - [select for diffs], Tue Oct 22 12:23:35 2002 UTC (21 years, 7 months ago) by mcbride
Branch: MAIN
CVS Tags: UBC_SYNC_B
Changes since 1.99: +15 -15 lines
Diff to previous 1.99 (colored)

Convert "int af" and "u_int8_t af" declarations and function arguments
to the more correct and descriptive "sa_family_t af"

ok dhartmei@ henning@

Revision 1.99 / (download) - annotate - [select for diffs], Sun Oct 20 13:08:29 2002 UTC (21 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.98: +1 -9 lines
Diff to previous 1.98 (colored)

Move pf_compare_(rules|nats|binats|rdrs) to pf_ioctl.c. Simplifies and
reduces cross-file dependencies.

ok dhartmei@ ish@ henning@

Revision 1.98 / (download) - annotate - [select for diffs], Mon Oct 14 12:58:28 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.97: +14 -1 lines
Diff to previous 1.97 (colored)

Allow one to specify a netblock in a binat rule:

binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27

Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.

from ryan

ok dhartmei@

Revision 1.97 / (download) - annotate - [select for diffs], Thu Oct 10 12:29:33 2002 UTC (21 years, 8 months ago) by mickey
Branch: MAIN
Changes since 1.96: +2 -1 lines
Diff to previous 1.96 (colored)

pad pf_state; dhartmei@ ok

Revision 1.96 / (download) - annotate - [select for diffs], Tue Oct 8 05:12:08 2002 UTC (21 years, 8 months ago) by kjc
Branch: MAIN
Changes since 1.95: +90 -1 lines
Diff to previous 1.95 (colored)

the first step of pf/altq merge.
this commit is to allow further development in both userland and kernel.

the goal is to replace altq's classifier by pf(4).
- make pf tag a queue id to mbuf and make altq read the queue id
- merge altq config into pf.conf(5)

ok dhartmei@, henning@

Revision 1.95 / (download) - annotate - [select for diffs], Mon Oct 7 13:23:46 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.94: +1 -0 lines
Diff to previous 1.94 (colored)

set block-policy [drop|return]
drop is default, same behaviour as before

support
block drop
to override a return policy

Revision 1.94 / (download) - annotate - [select for diffs], Mon Oct 7 13:18:40 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.93: +1 -0 lines
Diff to previous 1.93 (colored)

support a generic return
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else

ok dhartmei@

Revision 1.93 / (download) - annotate - [select for diffs], Mon Oct 7 13:15:02 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.92: +1 -0 lines
Diff to previous 1.92 (colored)

make return-icmp work for rules covering both v4 and v6
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)

ok and some input dhartmei@

Revision 1.92 / (download) - annotate - [select for diffs], Mon Oct 7 12:59:54 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.91: +2 -2 lines
Diff to previous 1.91 (colored)

use a new rule_flag PFRULE_RETURNICMP to decide whether to return-icmp or not
instead of just testing return_icmp > 0

ok dhartmei@

Revision 1.91 / (download) - annotate - [select for diffs], Mon Oct 7 12:39:29 2002 UTC (21 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.90: +2 -2 lines
Diff to previous 1.90 (colored)

Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.

Revision 1.90 / (download) - annotate - [select for diffs], Sat Oct 5 21:17:57 2002 UTC (21 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.89: +3 -1 lines
Diff to previous 1.89 (colored)

Allow filtering based on IP header's tos field.

Revision 1.89 / (download) - annotate - [select for diffs], Mon Aug 12 16:41:25 2002 UTC (21 years, 10 months ago) by dhartmei
Branch: MAIN
CVS Tags: OPENBSD_3_2_BASE, OPENBSD_3_2
Changes since 1.88: +2 -10 lines
Diff to previous 1.88 (colored)

Use state tree instead of separate (flat) list to find NAT proxy ports,
allows to use the same proxy port with different external peers.
From Ryan McBride

Revision 1.88 / (download) - annotate - [select for diffs], Mon Jul 15 18:07:17 2002 UTC (21 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.87: +2 -1 lines
Diff to previous 1.87 (colored)

add u_int8_t ifnot to struct pf_rule to support matching packets on any
interface except the given one. adjust the pf_test_* functions and
pf_skip_step accordingly.

ok dhartmei@

Revision 1.87 / (download) - annotate - [select for diffs], Tue Jun 11 18:03:25 2002 UTC (22 years ago) by frantzen
Branch: MAIN
Changes since 1.86: +4 -2 lines
Diff to previous 1.86 (colored)

split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@.  the rest are slacking

Revision 1.58.2.2 / (download) - annotate - [select for diffs], Tue Jun 11 03:30:46 2002 UTC (22 years ago) by art
Branch: UBC
Changes since 1.58.2.1: +260 -142 lines
Diff to previous 1.58.2.1 (colored) to branchpoint 1.58 (colored)

Sync UBC branch to -current

Revision 1.86 / (download) - annotate - [select for diffs], Tue Jun 11 02:42:27 2002 UTC (22 years ago) by frantzen
Branch: MAIN
Changes since 1.85: +29 -1 lines
Diff to previous 1.85 (colored)

enumerate UDP and OTHER state levels (similar to tcp_fsm.h)
ok dhartmei@, henning@

Revision 1.85 / (download) - annotate - [select for diffs], Tue Jun 11 02:27:19 2002 UTC (22 years ago) by frantzen
Branch: MAIN
Changes since 1.84: +4 -1 lines
Diff to previous 1.84 (colored)

SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@

Revision 1.84 / (download) - annotate - [select for diffs], Tue Jun 11 02:12:37 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.83: +2 -1 lines
Diff to previous 1.83 (colored)

Make NAT proxy port range configurable per rule, for instance privileged
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@

Revision 1.83 / (download) - annotate - [select for diffs], Tue Jun 11 01:58:00 2002 UTC (22 years ago) by henning
Branch: MAIN
Changes since 1.82: +2 -7 lines
Diff to previous 1.82 (colored)

rework pfctl statistics display
move FCNT_NAMES from pfvar.h to pfctl_parser.h, only used by pfctl
some input by nick@
ok frantzen@, dhartmei@

Revision 1.82 / (download) - annotate - [select for diffs], Sun Jun 9 20:20:58 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.81: +4 -8 lines
Diff to previous 1.81 (colored)

Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it
includes ports and operator.

Revision 1.81 / (download) - annotate - [select for diffs], Sun Jun 9 08:53:08 2002 UTC (22 years ago) by pb
Branch: MAIN
Changes since 1.80: +71 -0 lines
Diff to previous 1.80 (colored)
split ioctl functions out of pf.c into pf_ioctl.c

frantzen@, dhartmei@ ok, tested kernel & userland.

checked for colliding commits

Revision 1.80 / (download) - annotate - [select for diffs], Sun Jun 9 04:50:27 2002 UTC (22 years ago) by deraadt
Branch: MAIN
Changes since 1.79: +2 -1 lines
Diff to previous 1.79 (colored)

This commit commit commit without testing has to STOP.  BE CAREFUL.

Revision 1.79 / (download) - annotate - [select for diffs], Sun Jun 9 04:44:35 2002 UTC (22 years ago) by pb
Branch: MAIN
Changes since 1.78: +0 -1 lines
Diff to previous 1.78 (colored)

uncommit, broken (by corrupt diff)

Revision 1.78 / (download) - annotate - [select for diffs], Sat Jun 8 07:58:06 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.77: +2 -1 lines
Diff to previous 1.77 (colored)

Make state timeouts configurable per rule, like

  pass in from any to any port www keep state (tcp.established 60)

ok frantzen@

Revision 1.77 / (download) - annotate - [select for diffs], Fri Jun 7 23:06:21 2002 UTC (22 years ago) by henning
Branch: MAIN
Changes since 1.76: +2 -2 lines
Diff to previous 1.76 (colored)

increase rule label length from 32 to 64 chars
okay dhartmei@, frantzen@

Revision 1.76 / (download) - annotate - [select for diffs], Fri Jun 7 22:53:37 2002 UTC (22 years ago) by pb
Branch: MAIN
Changes since 1.75: +2 -2 lines
Diff to previous 1.75 (colored)

add the possibility to configure a TTL while return-rst

ok dhartmei@, ipv6 part itojun@ ok

Revision 1.75 / (download) - annotate - [select for diffs], Fri Jun 7 21:25:35 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.74: +4 -1 lines
Diff to previous 1.74 (colored)

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@

Revision 1.74 / (download) - annotate - [select for diffs], Fri Jun 7 21:14:02 2002 UTC (22 years ago) by frantzen
Branch: MAIN
Changes since 1.73: +12 -17 lines
Diff to previous 1.73 (colored)

switch from AVL trees to herr Provos' red-black trees
with suggestions from provos@
ok dhartmei@

Revision 1.73 / (download) - annotate - [select for diffs], Sun May 19 22:31:28 2002 UTC (22 years ago) by deraadt
Branch: MAIN
Changes since 1.72: +14 -14 lines
Diff to previous 1.72 (colored)

KNF again

Revision 1.72 / (download) - annotate - [select for diffs], Sun May 12 00:54:56 2002 UTC (22 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.71: +10 -4 lines
Diff to previous 1.71 (colored)

Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.

Revision 1.71 / (download) - annotate - [select for diffs], Thu May 9 21:58:12 2002 UTC (22 years, 1 month ago) by jasoni
Branch: MAIN
Changes since 1.70: +2 -1 lines
Diff to previous 1.70 (colored)

Add a max-mss option to the scrub rule which will enforce a maximum mss
by lowering it to the given value.
- ok dhartmei@, provos@

Revision 1.70 / (download) - annotate - [select for diffs], Thu May 9 19:58:42 2002 UTC (22 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.69: +11 -1 lines
Diff to previous 1.69 (colored)

Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.

Revision 1.69 / (download) - annotate - [select for diffs], Sun May 5 21:40:22 2002 UTC (22 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.68: +5 -2 lines
Diff to previous 1.68 (colored)

Instead of returning a useless kernel space pointer for the rule that
created the state from DIOCGETSTATE(S), return the integer rule number.
Print rule number (if existent) from pfctl -vss. Suggested by Jeff Nathan.

Revision 1.68 / (download) - annotate - [select for diffs], Wed Apr 24 18:10:25 2002 UTC (22 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.67: +102 -87 lines
Diff to previous 1.67 (colored)

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).

Revision 1.67 / (download) - annotate - [select for diffs], Tue Apr 23 14:32:22 2002 UTC (22 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.66: +2 -1 lines
Diff to previous 1.66 (colored)

Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.

Revision 1.66 / (download) - annotate - [select for diffs], Wed Mar 27 18:16:21 2002 UTC (22 years, 2 months ago) by mickey
Branch: MAIN
CVS Tags: OPENBSD_3_1_BASE, OPENBSD_3_1
Changes since 1.65: +3 -1 lines
Diff to previous 1.65 (colored)

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok

Revision 1.65 / (download) - annotate - [select for diffs], Mon Mar 25 22:03:01 2002 UTC (22 years, 2 months ago) by frantzen
Branch: MAIN
Changes since 1.64: +10 -1 lines
Diff to previous 1.64 (colored)

add ioctl DIOCKILLSTATES to shootdown a subset of the state table.  allows
discrimination on src/dst ips and netmask, src/dst port range and protocol.
ok dhartmei@

Revision 1.28.2.4 / (download) - annotate - [select for diffs], Wed Mar 6 02:15:07 2002 UTC (22 years, 3 months ago) by niklas
Branch: SMP
Changes since 1.28.2.3: +43 -32 lines
Diff to previous 1.28.2.3 (colored)

Merge in trunk

Revision 1.64 / (download) - annotate - [select for diffs], Tue Feb 26 07:25:33 2002 UTC (22 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.63: +14 -1 lines
Diff to previous 1.63 (colored)

Add optional pool memory hard limits, mainly as temporary solution
until pool exhaustion causes problems no more.

Revision 1.63 / (download) - annotate - [select for diffs], Thu Feb 14 23:53:32 2002 UTC (22 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.62: +9 -10 lines
Diff to previous 1.62 (colored)

Reorder struct pf_pdesc members, saves 8 bytes.

Revision 1.62 / (download) - annotate - [select for diffs], Thu Feb 14 15:32:11 2002 UTC (22 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.61: +11 -22 lines
Diff to previous 1.61 (colored)

Add skip steps for rule action (pass/block vs. scrub) and direction
(in vs. out). This speeds up rule set evaluation considerably, because
the rules set used to be linearly traversed (even twice) when looking
for scrub rules. Ok frantzen@, deraadt@

Revision 1.58.2.1 / (download) - annotate - [select for diffs], Thu Jan 31 22:55:44 2002 UTC (22 years, 4 months ago) by niklas
Branch: UBC
Changes since 1.58: +9 -1 lines
Diff to previous 1.58 (colored)

Merge in -current, builds on i386, otherwise untested

Revision 1.61 / (download) - annotate - [select for diffs], Fri Jan 11 20:13:11 2002 UTC (22 years, 5 months ago) by mickey
Branch: MAIN
Changes since 1.60: +3 -1 lines
Diff to previous 1.60 (colored)

pad the pf_state_{host,peer} to a 32bit quantity; dhartmei@ frantzen@ ok

Revision 1.60 / (download) - annotate - [select for diffs], Wed Jan 9 11:30:53 2002 UTC (22 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.59: +4 -1 lines
Diff to previous 1.59 (colored)

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.

Revision 1.59 / (download) - annotate - [select for diffs], Tue Jan 8 09:31:55 2002 UTC (22 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.58: +4 -1 lines
Diff to previous 1.58 (colored)

Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.

Revision 1.58 / (download) - annotate - [select for diffs], Mon Dec 10 18:28:32 2001 UTC (22 years, 6 months ago) by dhartmei
Branch: MAIN
CVS Tags: UBC_BASE
Branch point for: UBC
Changes since 1.57: +2 -1 lines
Diff to previous 1.57 (colored)

Add an ioctl to add state entries (DIOCADDSTATE) for proxies.

Revision 1.57 / (download) - annotate - [select for diffs], Mon Dec 10 18:08:11 2001 UTC (22 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.56: +4 -3 lines
Diff to previous 1.56 (colored)

Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.

Revision 1.28.2.3 / (download) - annotate - [select for diffs], Wed Dec 5 01:02:40 2001 UTC (22 years, 6 months ago) by niklas
Branch: SMP
Changes since 1.28.2.2: +5 -0 lines
Diff to previous 1.28.2.2 (colored)

Merge in -current

Revision 1.56 / (download) - annotate - [select for diffs], Mon Nov 26 16:50:26 2001 UTC (22 years, 6 months ago) by jasoni
Branch: MAIN
Changes since 1.55: +6 -1 lines
Diff to previous 1.55 (colored)

add fastroute options similar to what is found in ipf
ok dhartmei@, frantzen@

Revision 1.28.2.2 / (download) - annotate - [select for diffs], Tue Nov 13 22:59:58 2001 UTC (22 years, 7 months ago) by niklas
Branch: SMP
Changes since 1.28.2.1: +11 -2 lines
Diff to previous 1.28.2.1 (colored)

merge in -current

Revision 1.55 / (download) - annotate - [select for diffs], Tue Nov 6 11:48:29 2001 UTC (22 years, 7 months ago) by dhartmei
Branch: MAIN
Changes since 1.54: +11 -2 lines
Diff to previous 1.54 (colored)

Use #defines for skip step values. From dgregor@net.ohio-state.edu.

Revision 1.28.2.1 / (download) - annotate - [select for diffs], Wed Oct 31 03:29:03 2001 UTC (22 years, 7 months ago) by nate
Branch: SMP
Changes since 1.28: +355 -20 lines
Diff to previous 1.28 (colored)

Sync the SMP branch to something just after 3.0

Revision 1.54 / (download) - annotate - [select for diffs], Mon Oct 15 16:22:21 2001 UTC (22 years, 8 months ago) by dhartmei
Branch: MAIN
CVS Tags: OPENBSD_3_0_BASE, OPENBSD_3_0
Changes since 1.53: +3 -2 lines
Diff to previous 1.53 (colored)

Add 'allow-opts' to rules. Packets with IP options will be blocked by
default now, and can be allowed per rule. ok deraadt@

Revision 1.53 / (download) - annotate - [select for diffs], Thu Sep 27 17:49:12 2001 UTC (22 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.52: +2 -2 lines
Diff to previous 1.52 (colored)

The skip steps array was one element short (since adding steps for af).
This invoked undefined behaviour under the proper circumstances.

Revision 1.52 / (download) - annotate - [select for diffs], Sat Sep 15 16:47:07 2001 UTC (22 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.51: +3 -2 lines
Diff to previous 1.51 (colored)

Don't use m_pkthdr.rcvif in pflog_packet(), it doesn't work for outgoing
packets and is obviously invalid (and not NULL) for IPv6 packets (hence
crashed). Pass ifp down instead.

sizeof(ih) instead of sizeof(&ih) for pf_pull_hdr() from pf_test6().

Revision 1.51 / (download) - annotate - [select for diffs], Sat Sep 15 03:54:40 2001 UTC (22 years, 9 months ago) by frantzen
Branch: MAIN
Changes since 1.50: +201 -34 lines
Diff to previous 1.50 (colored)

IPv6 support from Ryan McBride (mcbride@countersiege.com)

Revision 1.50 / (download) - annotate - [select for diffs], Thu Sep 6 18:05:46 2001 UTC (22 years, 9 months ago) by jasoni
Branch: MAIN
Changes since 1.49: +31 -1 lines
Diff to previous 1.49 (colored)

1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@

Revision 1.49 / (download) - annotate - [select for diffs], Wed Sep 5 12:42:31 2001 UTC (22 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.48: +15 -16 lines
Diff to previous 1.48 (colored)

s/pf_natlook/pfioc_natlook (ioctl parameter struct)

Revision 1.48 / (download) - annotate - [select for diffs], Tue Sep 4 12:32:53 2001 UTC (22 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.47: +2 -2 lines
Diff to previous 1.47 (colored)

Add skip steps for interface (ifp).

Revision 1.47 / (download) - annotate - [select for diffs], Tue Aug 28 00:02:43 2001 UTC (22 years, 9 months ago) by frantzen
Branch: MAIN
Changes since 1.46: +13 -1 lines
Diff to previous 1.46 (colored)

Bump state timeouts and allow tweaking them from pfctl.
(The state timeouts need some _serious_ tuning)

Revision 1.46 / (download) - annotate - [select for diffs], Sat Aug 25 21:54:26 2001 UTC (22 years, 9 months ago) by frantzen
Branch: MAIN
Changes since 1.45: +4 -1 lines
Diff to previous 1.45 (colored)

PF ISN randomization.  Or in trekkie techno-babble, ISN phase modulation.

Revision 1.45 / (download) - annotate - [select for diffs], Tue Aug 21 17:25:59 2001 UTC (22 years, 9 months ago) by deraadt
Branch: MAIN
Changes since 1.44: +2 -2 lines
Diff to previous 1.44 (colored)

KNF

Revision 1.44 / (download) - annotate - [select for diffs], Sun Aug 19 20:25:22 2001 UTC (22 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.43: +18 -5 lines
Diff to previous 1.43 (colored)

Add new ioctls for adding/removing RDR and NAT rules to/from the active
rule sets.

Revision 1.43 / (download) - annotate - [select for diffs], Sun Aug 19 19:03:58 2001 UTC (22 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.42: +3 -2 lines
Diff to previous 1.42 (colored)

Add per-rule byte counter, so mickey can do accounting. We're counting the
data part (without IP and TCP/UDP/ICMP headers), like the state counter does.

Revision 1.42 / (download) - annotate - [select for diffs], Sun Aug 19 18:19:08 2001 UTC (22 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.41: +4 -1 lines
Diff to previous 1.41 (colored)

Add per-rule statistics (number of evaluations and number of packets).
Packets passed statefully will be counted using the rule that created
the state.

Revision 1.41 / (download) - annotate - [select for diffs], Sat Aug 18 22:26:08 2001 UTC (22 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.40: +12 -1 lines
Diff to previous 1.40 (colored)

Add new ioctl for adding/removing individual rules to/from the active rule set.

Revision 1.40 / (download) - annotate - [select for diffs], Sat Aug 18 21:09:13 2001 UTC (22 years, 9 months ago) by deraadt
Branch: MAIN
Changes since 1.39: +12 -1 lines
Diff to previous 1.39 (colored)

make pfctl -s state SCREAM; frantzen is now happy

Revision 1.39 / (download) - annotate - [select for diffs], Sat Aug 11 12:04:59 2001 UTC (22 years, 10 months ago) by dhartmei
Branch: MAIN
Changes since 1.38: +4 -2 lines
Diff to previous 1.38 (colored)

Add support for ICMP errors referring to ICMP queries/replies. Fixes
'ICMP error message for bad proto' messages. Reported by Mark Grimes
and Steve Rumble.

Add debugging level with ioctl interface and pfctl switch. Default
is 'None'.

Revision 1.38 / (download) - annotate - [select for diffs], Wed Aug 1 23:07:36 2001 UTC (22 years, 10 months ago) by provos
Branch: MAIN
Changes since 1.37: +2 -1 lines
Diff to previous 1.37 (colored)

stateless tcp normalization along the lines of the normalization paper by
handley, paxson and kreibich; okay deraadt@

Revision 1.37 / (download) - annotate - [select for diffs], Sun Jul 29 12:53:17 2001 UTC (22 years, 10 months ago) by dhartmei
Branch: MAIN
Changes since 1.36: +2 -1 lines
Diff to previous 1.36 (colored)

Implement rule skipping. This is a transparent evaluation optimization,
which reduces evaluation cost for sorted rules of similar parameters.
Preparation for rule duplication for parameter lists from pfctl.

Revision 1.36 / (download) - annotate - [select for diffs], Thu Jul 19 00:07:36 2001 UTC (22 years, 10 months ago) by krw
Branch: MAIN
Changes since 1.35: +3 -3 lines
Diff to previous 1.35 (colored)

Fix/complete the handling of the binary ops >< and <> to behave
like the ipf operators.

The 'n >< m' construct (Include Range = PF_OP_IRG) should match
ports greater than n and less than m, not greater than or equal to
n and less than or equal to m.

The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match
all ports less than n OR greater than m, not be treated as an
alias for ><.

Thus PF_OP_GL, which was used for both <> and >< is replaced with
PF_OP_IRG and PF_OP_XRG with the 'correct' semantics.

OK dhartmei@

Revision 1.35 / (download) - annotate - [select for diffs], Tue Jul 17 22:22:15 2001 UTC (22 years, 10 months ago) by provos
Branch: MAIN
Changes since 1.34: +2 -1 lines
Diff to previous 1.34 (colored)

support min-ttl, okay dhartmei@

Revision 1.34 / (download) - annotate - [select for diffs], Tue Jul 17 21:54:26 2001 UTC (22 years, 10 months ago) by provos
Branch: MAIN
Changes since 1.33: +6 -2 lines
Diff to previous 1.33 (colored)

normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@

Revision 1.33 / (download) - annotate - [select for diffs], Tue Jul 17 20:34:51 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.32: +51 -0 lines
Diff to previous 1.32 (colored)

split ip normalization out into a separate file, okay dhartmei@

Revision 1.32 / (download) - annotate - [select for diffs], Mon Jul 9 10:30:56 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.31: +9 -3 lines
Diff to previous 1.31 (colored)

Extend nat/rdr syntax. Add source/destination selection. Make
interface optional. Suggested by rdump@river.com.

nat [on [!] <ifname>] from (any | [!] <addr>[/<mask>]) to (any |
    [!] <addr>[/<mask>]) -> <addr> [proto (tcp | udp | icmp)]

rdr [on [!] <ifname>] from (any | [!] <addr>[/<mask>]) to (any |
    [!] <addr>[/<mask>]) port <a>[:<b>] -> <addr> port <c>[:*]
    [proto (tcp | udp | icmp)]

Revision 1.31 / (download) - annotate - [select for diffs], Fri Jul 6 21:19:56 2001 UTC (22 years, 11 months ago) by chris
Branch: MAIN
Changes since 1.30: +3 -1 lines
Diff to previous 1.30 (colored)

Allow negative match on interface name for nat and rdr
ok dhartmei@

Revision 1.30 / (download) - annotate - [select for diffs], Fri Jul 6 08:26:57 2001 UTC (22 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.29: +5 -5 lines
Diff to previous 1.29 (colored)

do not use quad for counters

Revision 1.29 / (download) - annotate - [select for diffs], Tue Jul 3 03:34:42 2001 UTC (22 years, 11 months ago) by beck
Branch: MAIN
Changes since 1.28: +16 -1 lines
Diff to previous 1.28 (colored)

add DIOCNATLOOK ioctl and pf_natlook structure, this enables a userland
process receiving rdr'ed connections to look up the original destination
of the connection before it was redirected - this enables the writing
of transparent proxies.

Revision 1.28 / (download) - annotate - [select for diffs], Sun Jul 1 23:04:44 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Branch point for: SMP
Changes since 1.27: +6 -3 lines
Diff to previous 1.27 (colored)

tag packets generated by pf (return-rst, return-icmp) so they are not filtered, use existing icmp_error() and ip_output(). ok dugsong@, frantzen@

Revision 1.27 / (download) - annotate - [select for diffs], Sun Jul 1 17:16:03 2001 UTC (22 years, 11 months ago) by kjell
Branch: MAIN
Changes since 1.26: +7 -1 lines
Diff to previous 1.26 (colored)

Add port ranges to the rdr directive. Connections can be redirected
to either a range of the same size, or a single port. Redirects
between ranges of different sizes are not supported. Eg:

rdr dc0 10.0.0.0/24 port 60000:61000 -> 127.0.0.1 port 65530:* proto udp
rdr xl0 0.0.0.0/0 port 6660:6669 -> 127.0.0.1 port 6667 proto tcp

This replaces the wildcard port patch (when port = 0), as it should no
longer be necessary. ok dhartmei@

Revision 1.26 / (download) - annotate - [select for diffs], Fri Jun 29 03:09:14 2001 UTC (22 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.25: +2 -2 lines
Diff to previous 1.25 (colored)

Fix PF_SCRUB enumerator.

Revision 1.25 / (download) - annotate - [select for diffs], Fri Jun 29 00:27:47 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.24: +2 -2 lines
Diff to previous 1.24 (colored)

fix counter/reason array usage

Revision 1.24 / (download) - annotate - [select for diffs], Thu Jun 28 21:53:42 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.23: +8 -4 lines
Diff to previous 1.23 (colored)

first stab at packet normalization.  includes full ip reassembly.
okay dhartmei@, dugsong@

Revision 1.23 / (download) - annotate - [select for diffs], Wed Jun 27 10:31:51 2001 UTC (22 years, 11 months ago) by kjell
Branch: MAIN
Changes since 1.22: +2 -1 lines
Diff to previous 1.22 (colored)

add -z flag for zeroing statistics. -s status no longer resets anything

Revision 1.22 / (download) - annotate - [select for diffs], Wed Jun 27 04:29:21 2001 UTC (22 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.21: +16 -6 lines
Diff to previous 1.21 (colored)

state counter changes

Revision 1.21 / (download) - annotate - [select for diffs], Tue Jun 26 22:56:03 2001 UTC (22 years, 11 months ago) by dugsong
Branch: MAIN
Changes since 1.20: +3 -1 lines
Diff to previous 1.20 (colored)

name comparison operators

Revision 1.20 / (download) - annotate - [select for diffs], Tue Jun 26 22:51:02 2001 UTC (22 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.19: +2 -2 lines
Diff to previous 1.19 (colored)

fix PFRES_MAX handling

Revision 1.19 / (download) - annotate - [select for diffs], Tue Jun 26 22:26:13 2001 UTC (22 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.18: +17 -7 lines
Diff to previous 1.18 (colored)

array of counters indexed by reason codes

Revision 1.18 / (download) - annotate - [select for diffs], Tue Jun 26 20:50:26 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.17: +2 -1 lines
Diff to previous 1.17 (colored)

add rule nr for Niels

Revision 1.17 / (download) - annotate - [select for diffs], Tue Jun 26 19:43:14 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.16: +3 -1 lines
Diff to previous 1.16 (colored)

add rule pointer and log option to states

Revision 1.16 / (download) - annotate - [select for diffs], Tue Jun 26 19:01:55 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.15: +4 -1 lines
Diff to previous 1.15 (colored)

use reasons in pull_hdr, default log if pull_hdr fails. okay deraadt@

Revision 1.15 / (download) - annotate - [select for diffs], Tue Jun 26 18:17:53 2001 UTC (22 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.14: +2 -2 lines
Diff to previous 1.14 (colored)

no longer pass around **m

Revision 1.14 / (download) - annotate - [select for diffs], Tue Jun 26 15:33:01 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.13: +3 -1 lines
Diff to previous 1.13 (colored)

add a subreason to the link header to allow us to determine why a packet was
dropped or passed.  from discussion with theo and me.

Revision 1.13 / (download) - annotate - [select for diffs], Tue Jun 26 04:17:11 2001 UTC (22 years, 11 months ago) by frantzen
Branch: MAIN
Changes since 1.12: +4 -3 lines
Diff to previous 1.12 (colored)

Replicated TCP sequence tracking code in PF from Guido's IPF paper.

Revision 1.12 / (download) - annotate - [select for diffs], Mon Jun 25 22:53:39 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.11: +4 -4 lines
Diff to previous 1.11 (colored)

remaining lists converted to TAILQs

Revision 1.11 / (download) - annotate - [select for diffs], Mon Jun 25 22:08:03 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.10: +3 -2 lines
Diff to previous 1.10 (colored)

use TAILQ instead of homegrown list, other lists will follow

Revision 1.10 / (download) - annotate - [select for diffs], Mon Jun 25 17:17:03 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.9: +46 -16 lines
Diff to previous 1.9 (colored)

revised ioctl interface, first getopt version of pfctl

Revision 1.9 / (download) - annotate - [select for diffs], Mon Jun 25 10:07:15 2001 UTC (22 years, 11 months ago) by art
Branch: MAIN
Changes since 1.8: +11 -11 lines
Diff to previous 1.8 (colored)

Rename the rest of the structs to be consistent.

Revision 1.8 / (download) - annotate - [select for diffs], Mon Jun 25 09:31:07 2001 UTC (22 years, 11 months ago) by art
Branch: MAIN
Changes since 1.7: +5 -5 lines
Diff to previous 1.7 (colored)

More renaming.

Revision 1.7 / (download) - annotate - [select for diffs], Mon Jun 25 09:23:32 2001 UTC (22 years, 11 months ago) by art
Branch: MAIN
Changes since 1.6: +6 -6 lines
Diff to previous 1.6 (colored)

Avoid common names. Needs more work.

Revision 1.6 / (download) - annotate - [select for diffs], Mon Jun 25 00:02:54 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.5: +1 -15 lines
Diff to previous 1.5 (colored)

use only ioctl return values found in errno.h

Revision 1.5 / (download) - annotate - [select for diffs], Sun Jun 24 23:44:00 2001 UTC (22 years, 11 months ago) by art
Branch: MAIN
Changes since 1.4: +11 -11 lines
Diff to previous 1.4 (colored)

rename ioctlbuffer to pfioc.

Revision 1.4 / (download) - annotate - [select for diffs], Sun Jun 24 21:50:29 2001 UTC (22 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.3: +60 -51 lines
Diff to previous 1.3 (colored)

pack structures better; dhartmei ok

Revision 1.3 / (download) - annotate - [select for diffs], Sun Jun 24 21:32:17 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.2: +2 -2 lines
Diff to previous 1.2 (colored)

REGENTS? ;)

Revision 1.2 / (download) - annotate - [select for diffs], Sun Jun 24 21:24:13 2001 UTC (22 years, 11 months ago) by kjell
Branch: MAIN
Changes since 1.1: +4 -4 lines
Diff to previous 1.1 (colored)

PACKETFILTER_H now PFVAR_H. thanks smart

Revision 1.1 / (download) - annotate - [select for diffs], Sun Jun 24 19:48:58 2001 UTC (22 years, 11 months ago) by kjell
Branch: MAIN

Initial import of pf, an all-new ipf-compatible packet filter.
Insane amounts of work done by dhartmei. Great work!
