path: root/sys/net/pf.c
Commit message (author, age, files, lines)
...
* Use percpu counters for ip6stat (jca, 2017-02-05, 1 file, -2/+2)
  Try to follow the existing examples. Some notes:
  - don't implement counters_dec() yet, which could be used in two similar chunks of code. Let's see if there are more users first.
  - stop incrementing IPv6-specific mbuf stats, IPv4 has no equivalent.
  Input from mpi@, ok bluhm@ mpi@
* whitespace, from bluhm@ (benno, 2017-01-30, 1 file, -3/+2)
* removes the pf_consistency_lock and protects the users with NET_LOCK(). (benno, 2017-01-30, 1 file, -36/+13)
  pfioctl() will need the NET_LOCK() anyway. So better keep things simple until we're going to redesign PF for a MP world. fixes the crash reported by Kaya Saman. ok mpi@, bluhm@
* Enable the NET_LOCK(), take 2. (mpi, 2017-01-25, 1 file, -2/+6)
  Recursions are currently known and marked as XXXSMP. Please report any assert to bugs@
* pf_purge_thread() needs the NET_LOCK(). (mpi, 2017-01-09, 1 file, -3/+3)
  ok sashan@, visa@
* In pf_refragment6() use the valid route from pf_route6() instead of calling rtalloc() again. (bluhm, 2016-12-29, 1 file, -3/+3)
  OK mpi@
* In pf_find_state() pkt_sk was set to NULL if pkt_sk->reverse was not valid. (bluhm, 2016-12-28, 1 file, -5/+6)
  This did not work as the value of pkt_sk must be used later to establish the link. So discard the packet statekey only if it is invalid itself and use it to establish the reverse link. From Christiano Haesbaert; OK sashan@
* Better check for a valid route than for an existing route in pf route-to by calling rtisvalid(). (bluhm, 2016-12-28, 1 file, -13/+14)
  Make pf_route() and pf_route6() similar and move the rtalloc() call to the same place. OK mpi@
* Replace function names with __func__ in debug prints to make grep happy. (bluhm, 2016-12-23, 1 file, -11/+11)
* Fix white spaces. No binary change. (bluhm, 2016-12-23, 1 file, -15/+15)
* Use the sizeof udphdr not the sizeof a pointer to it in the af-to specific part of pf_test_state_icmp(). (jsg, 2016-12-06, 1 file, -2/+2)
  This worked by accident on LP64 archs as the struct is eight bytes long. ok mikeb@ bluhm@ krw@ jca@
* Path MTU discovery and traceroute did not always work with pf af-to. (bluhm, 2016-11-28, 1 file, -3/+9)
  If an incoming packet is directly put into the output path, sending the icmp error packet is never done. As this is basically forwarding, calling ip_forward() for such packets does everything that is needed. OK mikeb@
* Explicitly forbid to combine af-to with route-to in pfctl. (bluhm, 2016-11-23, 1 file, -22/+10)
  The parser cannot handle that correctly and it is unclear whether the kernel code would work. Remove the feature until someone needs it and properly implements and tests it. OK mike@ sashan@ mpi@
* Fold union pf_headers buffer into struct pf_pdesc (enabled by pfvar_priv.h). (procter, 2016-11-22, 1 file, -142/+128)
  Prevent pf_socket_lookup() reading uninitialised header buffers on fragments. OK blum@ sashan@
* In pf_route() and pf_route6() the !r->rt case was only used by af-to. (bluhm, 2016-11-21, 1 file, -49/+43)
  pf_route6() called ip6_output() to do the work while pf_route() had some custom implementation for that. It is simpler to call ip_output() or ip6_output() from pf_test() directly. OK procter@ sashan@
* The pf fragment reassembly code accepted IPv6 hop-by-hop headers after fragment headers. (bluhm, 2016-11-17, 1 file, -3/+11)
  Add an extra check that the hop-by-hop header is always the first extension header after the IPv6 header. Found by Antonios Atlasis; OK sthen@ mpi@
* Instead of passing an extra mbuf pointer to pf_route(), it should just use pd->m. (bluhm, 2016-11-14, 1 file, -44/+37)
  Then pf_test() can also operate on pd.m and set the *m0 value in the caller just before it returns. OK sashan@
* turn ipstat into a set of percpu counters. (dlg, 2016-11-14, 1 file, -6/+6)
  each counter is identified by an enum value which corresponds to the original members of the ipstat struct. ipstat_inc(ips_foo) replaces ipstat.ips_foo++ for the actual updates. ipstat_inc is a thin wrapper around counters_inc. counters are still returned to userland via the ipstat struct for now. ok mpi@ mikeb@
* once rule should not attempt to remove its parent rule. (sashan, 2016-10-28, 1 file, -7/+1)
  (problem pointed out by Petr, fix proposed by Dilli) _at_ oracle
* Pass a struct pf_pdesc to pf_route() like it is done in the other pf functions. (bluhm, 2016-10-27, 1 file, -15/+13)
  That means less parameters, more consistency and later we can call functions that need a pd from pf_route(). OK sashan@
* Put union pf_headers and struct pf_pdesc into separate header file pfvar_priv.h. (bluhm, 2016-10-26, 1 file, -30/+14)
  The pf_headers had to be defined in multiple .c files before. In pfvar.h it would have unknown storage size, this file is included in too many places. The idea is to have a private pf header that is only included in the pf part of the kernel. For now it contains pf_pdesc and pf_headers, it may be extended later. discussion, input and OK henning@ procter@ sashan@
* PF should send a challenge ACK as response to SYN, which matches existing state. (sashan, 2016-10-20, 1 file, -15/+49)
  Extra thanks goes to bluhm@ for careful testing and fixing patch I've sent to tech@ O.K. henning@ bluhm@
* split pf_send_tcp() into the part that builds the mbuf and the actual sending, needed soon. (henning, 2016-10-18, 1 file, -9/+20)
  ok sashan mikeb lteo
* The variable dlen is always positive and d may be negative. (bluhm, 2016-10-18, 1 file, -3/+4)
  So declare both with the correct sign in pf_change_icmp_af(). OK henning@
* The checksum of an ICMP "need to frag" packet for TCP was wrong when created from an ICMP6 "too big" packet. (bluhm, 2016-10-18, 1 file, -11/+9)
  The function pf_change_icmp_af() has code to adjust the pseudo-header checksum in the ICMP6 case, but pf_test_state_icmp() changed the proto before the case was entered. So call pf_change_icmp_af() before the pd->proto is converted in the TCP and UDP payload case like it was already done for ICMP and ICMP6 payload. Found by sys/net/pf_forward regress test; OK henning@
* formatting nit (a tab got lost somewhen) (henning, 2016-10-09, 1 file, -2/+2)
* Remove redundant comments that say a function must be called at splsoftnet() if the function does a splsoftassert(IPL_SOFTNET) anyway. (bluhm, 2016-10-06, 1 file, -4/+2)
* roll back turning RB into RBT until i get better at this process. (dlg, 2016-09-27, 1 file, -31/+30)
* move pf from the RB macros to the RBT functions. (dlg, 2016-09-27, 1 file, -30/+31)
* Fix indentation. No binary change. (jsg, 2016-09-22, 1 file, -2/+2)
* Rename rtable_mpath_next() into rtable_iterate() and make it do a proper reference count. (mpi, 2016-09-07, 1 file, -11/+6)
  rtable_iterate() frees the passed ``rt'' and returns the next one on the multipath list or NULL if there's none. ok dlg@
* Let purge thread remove once rules, not packets. (sashan, 2016-09-03, 1 file, -3/+43)
  Thanks mikeb@ for idea to add expire time. OK mpi@, OK mikeb@
* Push 'field changed' guards into 'change field' functions; optimise pf_patch_32(); simplify pf_match_addr() (procter, 2016-08-20, 1 file, -186/+112)
  OK mikeb@
* Retire pf_translate_ap() (procter, 2016-08-20, 1 file, -54/+55)
  OK mpi@ mikeb@
* Reintroduce 5.3-style checksum modification to preserve end-to-end checksums when fiddling with packets but without the mess that motivated Henning to remove it. (procter, 2016-08-17, 1 file, -292/+513)
  Affects only this one aspect of Henning's checksum work. Also tweak the basic algorithm and supply a correctness argument. OK dlg@ deraadt@ sthen@; no objection henning@
* Hide pf internals by moving code from in_ouraddr() to pf_ouraddr(). (bluhm, 2016-07-18, 1 file, -1/+22)
  OK mpi@ sashan@
* To assist debugging TCP connection reuse with NAT, expand the existing log in pf_state_key_attach() from the failed to the reuse case. (bluhm, 2016-06-21, 1 file, -22/+22)
  OK mikeb@
* Kill nd6_output(), it doesn't do anything since the resolution logic has been moved to nd6_resolve(). (mpi, 2016-06-15, 1 file, -2/+2)
  ok visa@, millert@, florian@, sthen@
* There's no need to convert values returned by arc4random to the network byte order. (mikeb, 2016-06-15, 1 file, -3/+3)
  Spotted by Gleb Smirnoff (glebius@FreeBSD.org), thanks! ok tedu
* per trending style, add continue to empty loops. (tedu, 2016-06-07, 1 file, -2/+2)
  ok mglocker
* Do not call nd6_output() without route entry argument. (mpi, 2016-05-31, 1 file, -2/+11)
  ok sthen@, bluhm@
* Backout pf.c r1.972, pf_norm.c r1.184, ok claudio (sthen, 2016-05-28, 1 file, -11/+2)
  pf_test calls pf_refragment6 with dst=NULL, which is passed down to rtable_match which attempts to dereference it.
* Do not call nd6_output() without route entry argument. (mpi, 2016-05-24, 1 file, -2/+11)
  ok bluhm@
* Pass a route entry to if_output() instead of relying on arpresolve() magic. (mpi, 2016-05-23, 1 file, -3/+9)
  This refactoring aims to reduce the number of places where a route entry is inserted in the routing table. ok bluhm@
* Put back a panic() if an incoming packet already has a statekey. (mpi, 2016-05-03, 1 file, -5/+2)
  Apparently nobody can hit this condition anymore or people do not report bugs if their kernel does not panic. ok dlg@, sashan@
* replace m_copym2 with m_dup_pkt for the dup-to handling. (dlg, 2016-04-15, 1 file, -3/+3)
  note that this uses max_linkhdr as the adjustment arg. this follows what the ip stack does when generating packets as it provides space for link headers (like ethernet headers) to be prepended on the new packet. ok henning@
* Instead of panicking if an mbuf(9) already has a statekey dump its content and unlink the statekey. (mpi, 2016-04-07, 1 file, -5/+17)
  This should allow us to find the remaining corner cases of packets looped back in the stack. ok dlg@
* packet must keep reference to statekey (sashan, 2016-03-29, 1 file, -43/+160)
  this is the second attempt to get it in, the first attempt got backed out on Jan 31 2016. the change also contains fixes contributed by Stefan Kempf in earlier iteration. OK srhen@
* putting back KASSERT(), which I've backed out on Jan 31 (sashan, 2016-03-04, 1 file, -1/+7)
  We don't expect inbound packets to come to PF with statekey attached.
  - I've also found missing call to pf_pkt_addr_changed() at various places, which needs to get fixed to prevent KASSERT() from firing.
  OK mpi@, sthen@
* m_pkthdr.pf.statekey changes are not ready for 5.9, I must back them out (sashan, 2016-01-31, 1 file, -168/+44)
  OK sthen@