path: root/sys/net/pf.c
Commit log (author, date, files changed, lines removed/added, commit message):
* bluhm, 2019-03-20 (1 file changed, -4/+24):
  States in pf(4) let ICMP and ICMP6 packets pass if they have a packet in their payload that matches an existing connection. It was not checked whether the outer ICMP packet has the same destination IP as the source IP of the inner protocol packet. Enforce that these addresses match, to prevent ICMP packets that do not make sense.
  Issue found by Nicolas Collignon, Corentin Bayet, Eloi Vanderbeken, Luca Moro at Synacktiv.com
  OK sashan@
* claudio, 2018-12-17 (1 file changed, -2/+2):
  Use timeout_add_sec() instead of timeout_add() with a multiplication with hz
  OK kn@, florian@, visa@, cheloha@
* kn, 2018-12-10 (1 file changed, -32/+34):
  Remove useless macros
  These are just unhelpful case conversion.
  OK sashan henning
* henning, 2018-11-15 (1 file changed, -2/+3):
  in the "pf: key search" debug message, add the direction. interface *and* dir make debugging much easier than the if alone.
* sashan, 2018-10-16 (1 file changed, -4/+5):
  - pf: honor quick on anchor rules
  Regression has been introduced in version 1.1024 (a 6.2 time frame). It's been discovered and reported by Fabian Mueller-Knapp. Fair amount of credit goes to kn@, benno@ and henning@ for pointing me to the relevant section of pf.conf(5). Fabian and kn@ also did test the patch.
  OK kn@, henning@
* kn, 2018-10-04 (1 file changed, -1/+7):
  Honor quick on anchor rules
  When evaluating the anchor's ruleset, prevent clobbering its very own `quick' test result by blindly setting it. This makes the following pf.conf work as intended (packets would be blocked since `quick' had no effect):

      anchor quick {
          pass
      }
      block

  Broken since after 6.1 release as reported by Fabian Mueller-Knapp, thanks!
  OK henning sashan
* bluhm, 2018-09-13 (1 file changed, -7/+27):
  Add reference counting for inet pcb, this will be needed when we start locking the socket. An inp can be referenced by the PCB queue and hashes, by a pf mbuf header, or by a pf state key.
  OK visa@
* sashan, 2018-09-11 (1 file changed, -33/+117):
  - moving state look up outside of PF_LOCK()
  this change adds a pf_state_lock rw-lock, which protects consistency of state table in PF. The code delivered in this change is guarded by 'WITH_PF_LOCK', which is still undefined. People who are willing to experiment and want to run it must do two things:
  - compile kernel with -DWITH_PF_LOCK
  - bump NET_TASKQ from 1 to ... sky is the limit (just select some sensible value for number of tasks your system is able to handle)
  OK bluhm@
* sf, 2018-07-22 (1 file changed, -2/+2):
  Fix arguments of pf_purge_expired_{src_nodes,rules}()
  Due to the missing "void", this
      extern void pf_purge_expired_src_nodes();
  is no prototype but a declaration. It is enough to suppress the 'implicit declaration' warning but it does not allow the compiler to check the arguments passed to the calls of the function.
  Fix the prototypes and don't pass the waslocked argument anymore. It has been removed a year ago.
  ok sashan henning
* sashan, 2018-07-12 (1 file changed, -6/+5):
  trade a few 'goto unlock' for 'break' in pf_test()
  OK mpi@, OK henning@, OK jca@
* henning, 2018-07-11 (1 file changed, -56/+69):
  the STATE_LOOKUP macro made sense ages ago. It stopped making sense when we moved most of the functionality into a function. g/c the macro and just call the function.
  ok mpi jca
* henning, 2018-07-10 (1 file changed, -2/+2):
  in pf_set_protostate(), only decrement the half-open states counter when the state was created on this host, i. e. not for those pfsync-imported. whether pfsync-imported states should be accounted is a separate discussion, but as things are, we only increment the counter in pf_create_state(), and imported states don't exercise that path. probably fixes the half-open states accounting underflow-wraparounds that some people have been seeing.
  ok sashan
* henning, 2018-07-10 (1 file changed, -3/+43):
  provide a generic packet delay functionality. packets to be delayed are marked by pf in the packet header. pf_delay_pkt reads the delay value from the packet header, schedules a timeout and re-queues the packet when the timeout fires.
  ok benno sashan
* procter, 2018-06-18 (1 file changed, -106/+91):
  Refactor the six ways to find TCP options into one new function. As a result:
  - MSS and WSCALE option candidates must now meet their min type length.
  - 'max-mss' is now more tolerant of malformed option lists.
  These changes were immaterial to the live traffic I've examined.
  OK sashan@ mpi@
* bluhm, 2018-06-04 (1 file changed, -2/+3):
  The function pf_create_state() calls pf_set_protostate() before pf_state_insert(), so the state key has not been set. When inlining, the compiler recognized the NULL pointer dereference in s->key[PF_SK_STACK]->proto and optimized it away. But if pf.c was compiled with -fno-inline, the system crashed during boot. Add a NULL check in pf_set_protostate() to handle the situation when the function is called.
  OK sashan@ henning@
* bluhm, 2018-06-01 (1 file changed, -2/+2):
  While sending the pf syncookie, we are holding the pf lock. So goto unlock when leaving this block.
  OK sashan@ henning@
* bluhm, 2018-05-10 (1 file changed, -3/+5):
  pf route-to should not send packets from 127.0.0.1 or ::1 address to the network. This is necessary for locally generated icmp packets that would be dropped otherwise. Refine this check to modify only the source address of packets that go to the external network. This allows route-to tricks on loopback interface.
  OK sashan@
* bluhm, 2018-04-06 (1 file changed, -6/+6):
  All users of the PFLOG_PACKET() macro are inside "#if NPFLOG > 0". So this macro does not make much sense, just call pflog_packet().
  OK sashan@ henning@
* bluhm, 2018-03-06 (1 file changed, -5/+4):
  If source and destination addresses are equal, the incoming and outgoing state key is the same. In this case the reverse link loops to the same state key. The assertion in pf_state_key_link_reverse() did not expect this and the kernel crashed.
  bug reported and fix tested by Johan Huldtgren; OK sashan@ visa@
* benno, 2018-02-27 (1 file changed, -1/+5):
  make kernel compile again without INET6
  ok mpi@
* sashan, 2018-02-18 (1 file changed, -9/+16):
  - regression in pflog output
  pf_match_rule() must remember current anchor before it descends towards leaf. it must restore anchor as it ascends towards root.
  Bug pointed out and fix also tested by Matthias Pitzl from genua.
  OK bluhm@
* henning, 2018-02-06 (1 file changed, -4/+51):
  syncookies for pf.
  when syncookies are on, pf will blindly answer each and every SYN with a syncookie-SYNACK. Upon reception of the ACK completing the 3WHS, pf will reconstruct the original SYN, shove it through pf_test, where state will be created if the ruleset permits it. Then massage the freshly created state (we won't see the SYNACK), set up the sequence number modulator, and call into the existing synproxy code to start the 3WHS with the backend host.
  Add an - somewhat basic for now - adaptive mode where syncookies get enabled if a certain percentage of the state table is filled up with half-open tcp connections.
  This makes pf firewalls resilient against large synflood attacks.
  syncookies are off by default until we gained more experience, considered experimental for now.
  see http://bulabula.org/papers/2017/bsdcan/ for more details.
  joint work with sashan@, widely discussed and with lots of input by many
* henning, 2018-02-06 (1 file changed, -16/+16):
  some finger muscle workout:
  bzero -> memset and (very few) bcopy -> memcpy/memmove
* bluhm, 2018-01-19 (1 file changed, -21/+6):
  Use the pf state key linking functions in two more places instead of doing it manually.
  OK sashan@ visa@
* bluhm, 2018-01-16 (1 file changed, -6/+13):
  If pf route-to is used for locally generated packets, they may have an invalid source address. As pf route-to happens after IP source selection based on a different route, the address should be corrected after pf has allocated the new route. Especially loopback addresses must not appear at outgoing packets.
  OK sashan@ visa@
* bluhm, 2018-01-15 (1 file changed, -1/+23):
  When pf(4) forwards incoming packets with route-to or reply-to, decrement the time-to-live or hop-limit field to prevent routing loops. Sending an ICMP time exceeded error makes traceroute work. For outgoing packets ip_forward() has already done this.
  OK visa@ sashan@
* bluhm, 2018-01-10 (1 file changed, -15/+17):
  Use pf_send_icmp() consistently in pf_route(). It sets the routing domain and other mbuf flags. In pf_route6() the bad packet counter and dup-to check were missing.
  OK visa@
* bluhm, 2017-12-29 (1 file changed, -1/+2):
  Make sure that pf_mbuf_link_state_key() does not overwrite an existing statekey in the mbuf header. Reset the statekey in m_dup_pkthdr().
  suggested by and OK sashan@
* bluhm, 2017-12-29 (1 file changed, -34/+59):
  Make the functions which link the pf state keys to mbufs, inpcbs, or other states more consistent.
  OK visa@ sashan@ on a previous version
* bluhm, 2017-12-28 (1 file changed, -1/+3):
  pf drops IPv4 packets with any options by default. For IPv6 the same is already done for options header. Add the routing extension header to the list that need "allow-opts" to pass.
  OK sashan@ visa@
* bluhm, 2017-12-24 (1 file changed, -3/+15):
  There was a corner case where linking the inp to the state key did work in pf. The function pf_inp_link() takes the state key from the mbuf and not the one pf_find_state() has just found. Introduce a new function pf_state_key_link_inpcb() that links the given state key and inpcb together with some sanity checks.
  OK sashan@
* bluhm, 2017-12-04 (1 file changed, -1/+9):
  RFC 4861 requires that all neighbor discovery packets have 255 in their IPv6 header hop limit field. Let pf drop neighbor solicitation, neighbor advertisement, router solicitation, router advertisement, and redirect ICMP6 packets that do not comply. This enforces that bogus packets cannot be routed when pf is enabled.
  OK mpi@ sashan@ benno@
* bluhm, 2017-12-01 (1 file changed, -4/+4):
  Simplify the reverse PCB lookup logic. The PF_TAG_TRANSLATE_LOCALHOST security check prevents that the user accidentally configures redirect where a divert-to would be appropriate. Instead of spreading the logic into tcp and udp input, check the flag during PCB listen lookup. This also reduces parameters of in_pcblookup_listen().
  OK visa@
* bluhm, 2017-11-28 (1 file changed, -8/+11):
  The divert structure was using the port number to indicate that divert-to or divert-reply was active. If the address was also set, it meant divert-to. Divert packet used a separate structure. This is confusing and makes it hard to add new features. It is better to have a divert type that explicitly says what is configured. Adapt the pf rule struct in kernel and pfctl, no functional change. Note that kernel and pfctl have to be updated together.
  OK sashan@
* bluhm, 2017-11-22 (1 file changed, -2/+14):
  It does not make sense to call pcb lookup from pf during packet forwarding. It should never match and would cause MP locking problems. While there remove a useless ifp parameter from ip_output_ipsec_send().
  from markus@; OK visa@ sashan@
* mpi, 2017-11-20 (1 file changed, -1/+3):
  Sprinkle some NET_ASSERT_LOCKED(), const and co to prepare running pr_input handlers without KERNEL_LOCK().
  ok visa@
* henning, 2017-11-13 (1 file changed, -3/+15):
  add a generic packet rate matching filter. allows things like
      pass in proto icmp max-pkt-rate 100/10
  all packets matching the rule in the direction the state was created are taken into consideration (typically: requests, but not replies). Just like with the other max-*, the rule stops matching if the maximum is reached, so in typical scenarios the default block rule would kick in then.
  with input from Holger Mikolon
  ok mikeb
* dlg, 2017-11-13 (1 file changed, -5/+1):
  remove the ability for pf_ouraddr to say that a packet is forwarded.
  having pf_ouraddr say a packet is forwarded lets in_ouraddr avoid doing a route lookup for the packet. however, because it is forwarded we need to do a route lookup in ip_output anyway to know where it goes. in_ouraddr does a bunch of extra checks on the result of the route lookup that ip_output does not do though, including special handling of ip_directedbroadcast and M_BCAST. if you have directed broadcast enabled and do not do these checks, the ethernet layer will loop a copy of broadcast packets back into the stack recursively which can blow the thread stack in the kernel.
  discussed with jmatthew@, sashan@, and henning@
  ok mpi@
  diagnosing this led to the enabling of a guard page on amd64 kernel stacks, which was necessary for correctly identifying this problem.
* sashan, 2017-10-31 (1 file changed, -2/+2):
  - add one more softnet taskq
  NOTE: code still runs with single softnet task. change definition of SOFTNET_TASKS in net/if.c, if you want to have more than one softnet task
  OK mpi@, OK phessler@
* henning, 2017-08-14 (1 file changed, -3/+1):
  move pf_get_wscale + pf_get_mss prototypes to pfvar.h (diff shrinkage)
* henning, 2017-08-14 (1 file changed, -3/+13):
  add half-open tcp states accounting, road paved by sashan
  increment in pf_create_state(), decrement in pf_set_protostate().
  input & ok bluhm
* henning, 2017-08-13 (1 file changed, -57/+95):
  to change a state's state (that term is overloaded in pf, protocol state like ESTABLISHED for tcp here), don't do it directly, but go through a newly introduced pf_set_protostate()
  ok bluhm benno
* mpi, 2017-08-11 (1 file changed, -4/+3):
  Remove NET_LOCK()'s argument.
  Tested by Hrvoje Popovski, ok bluhm@
* mpi, 2017-08-06 (1 file changed, -24/+35):
  Reduce contention on the NET_LOCK() by moving the logic of the pfpurge thread to a task running on the `softnettq`.
  Tested and inputs from Hrvoje Popovski.
  ok visa@, sashan@
* mpi, 2017-07-04 (1 file changed, -6/+5):
  Revert previous, it exposed two edge cases still requiring the KERNEL_LOCK().
  - radix_node_head are still allocated with malloc(9) and pf_table can free(9) some.
  - pfsync(4) might send some traffic which can exercise IPsec code
  Found by bluhm@ and Hrvoje Popovski
* mpi, 2017-07-03 (1 file changed, -5/+6):
  Drop the KERNEL_LOCK() in pf_purge_thread().
  The NET_LOCK() is currently what guarantees that accesses to PF data structures are serialized.
  While here use rwsleep(9) instead of calling NET_LOCK()/NET_UNLOCK() for every iteration.
  Tested by Hrvoje Popovski, ok sashan@, visa@
* bluhm, 2017-06-21 (1 file changed, -3/+3):
  Fix kernel diagnostic assertion "(sk->inp == NULL) || (sk->inp->inp_pf_sk == NULL)". The problem was that setting the inp pointer in the statekey to NULL was delayed until the statekey refcounter reached 0. So the inp could get linked to another statekey while an mbuf in the socket buffer was keeping the refcounter at 1. Set the statekey inp pointer to NULL in pf_state_key_detach() immediately, then the kassert can be even stricter.
  OK sashan@
* sashan, 2017-06-05 (1 file changed, -13/+34):
  - let's add PF_LOCK()
  to enable PF_LOCK(), you must add 'option WITH_PF_LOCK' to your kernel configuration. The code does not do much currently, it's just the very small step towards MP.
  O.K. henning@, mikeb@, mpi@
* bluhm, 2017-05-31 (1 file changed, -3/+8):
  Block IPv6 packets in pf(4) that have hop-by-hop options header or destination options header. Such packets can be passed by adding "allow-opts" to the rule. So IPv6 options are handled like their counterpart in IPv4 now.
  tested by benno@; OK henning@
* henning, 2017-05-30 (1 file changed, -5/+13):
  teach pf_build_tcp() about SACK, ok & with sashan