path: root/sys/net/pf.c
Commit message | Author | Age | Files | Lines
...
* - plugging massive pf_state_key leaks | sashan | 2016-01-25 | 1 | -10/+18
  OK mpi@ dlg@ sthen@

* - retrying to commit earlier change, which got backed out | sashan | 2016-01-07 | 1 | -44/+164
  - yet another tiny step towards MP PF. This time we need to make sure
    statekey attached to packet stays around, while accepted packet is
    routed through IP stack.
  This time I'm also bringing fix contributed by Stefan Kempf. Stefan's
  fix makes sure we grab reference in m_dup_pkthdr().
  OK bluhm@

* revert previous: | jasper | 2015-12-23 | 1 | -153/+44
  ----------------------------------------------------------------------
  revision 1.961
  date: 2015/12/22 13:33:26;  author: sashan;  state: Exp;  lines: +153 -44;  commitid: oBRhtWcDV0ThviVT;
  - yet another tiny step towards MP PF. This time we need to make sure
    statekey attached to packet stays around, while accepted packet is
    routed through IP stack.
  OK mpi@, henning@
  ----------------------------------------------------------------------
  there have been multiple reports of KASSERT(!pf_state_key_isvalid(sk))
  being triggered without much effort, so back this out for now.

* - yet another tiny step towards MP PF. This time we need to make sure | sashan | 2015-12-22 | 1 | -44/+153
  statekey attached to packet stays around, while accepted packet is
  routed through IP stack.
  OK mpi@, henning@

* g/c pf_change_a6(). it's exactly the same thing as pf_change_ap() with p = | henning | 2015-12-06 | 1 | -22/+9
  NULL.
  inspired by Richard Procter <richard.n.procter@gmail.com>'s mail on tech
  from Aug 17, but redone.
  ok sashan vgross

* g/c unneeded af (address family) params to pf_change_ap and _icmp | henning | 2015-12-05 | 1 | -67/+60
  both af and naf (af-to case) are in the pf_pdesc.
  some code shuffling to actually set these before calling pf_change_ap/_icmp.
  inspired by Richard Procter <richard.n.procter@gmail.com>'s mail on tech
  from Aug 17, but redone.
  ok bluhm vgross

* pass a pointer to pf_test()'s reason to pf_test_rule instead of using a | henning | 2015-12-05 | 1 | -20/+22
  local one. While we always intended to keep the logging in pf_test_rule
  and pf_test so separate that we don't end up with a wrong reason, this is
  just too fragile and I can't even convince myself that it still is right.
  pointed out by markus, ok bluhm benno

* ip_send()/ip6_send() allow PF to send response packet in ipsoftnet task. | sashan | 2015-12-03 | 1 | -3/+3
  this avoids current recursion to pf_test() function. the change also
  switches icmp_error()/icmp6_error() to use ip_send()/ip6_send() so they
  are safe for PF.
  The idea comes from Markus Friedl. bluhm, mikeb and mpi helped me a lot
  to get it into shape.
  OK bluhm@, mpi@

* To avoid that the stack manipulates the pf statekeys directly, introduce | bluhm | 2015-12-03 | 1 | -1/+35
  pf_inp_...() lookup, link and unlink functions as an interface. Locking
  can be added to them later.
  Remove the first linking at the beginning of tcp_input() and udp_input()
  as it is not necessary. It will be done later anyway. That code was a
  relic from the time before I had added the second linking.
  Input from mikeb@ and sashan@; OK sashan@

* Rename pf_unlink_state() to pf_remove_state() so the name does not | bluhm | 2015-12-03 | 1 | -10/+10
  collide with the statekey to inp unlinking.
  OK sashan@ mpi@

* - hide PF internals to pf_unlink_divert_state() from in_pcb.c | sashan | 2015-12-02 | 1 | -1/+15
  OK mpi@, bluhm@

* Kill the RT_REPORT flag to rtalloc() and stop sending RTM_MISS messages | claudio | 2015-12-02 | 1 | -6/+6
  for failed route lookups. This is something that was maybe useful in the
  90s but in these modern times it is just annoying and nothing expects it
  anyway.
  OK mpi@, sthen@

* Add a comment after every #endif | mpi | 2015-11-21 | 1 | -5/+5
  requested by sashan@

* Make use of if_get() and get rid of rt_ifp. | mpi | 2015-11-20 | 1 | -9/+22
  While here keep carp(4) bits under NCARP.
  Tested by and ok sthen@, ok visa@

* Prefix flowid with ph_ and print it in m_print(). | mpi | 2015-11-12 | 1 | -2/+2
  ok dlg@

* Rename rt_mpath_next() into rtable_mpath_next() and provide an | mpi | 2015-11-06 | 1 | -2/+2
  implementation for ART based on the singly-linked list of route entries.

* Use rt_ifidx rather than rt_ifp. | mpi | 2015-10-27 | 1 | -4/+6
  ok bluhm@

* - pf_insert_src_node(): global argument (arg6) is useless, function | sashan | 2015-10-13 | 1 | -23/+14
    always gets pointer to rule.
  - pf_remove_src_node(): function should always remove matching src node,
    regardless of sn->rule.ptr being NULL or a valid rule
  - sn->rule.ptr is never NULL, spotted by mpi and Richard Procter _von_ gmail.com
  OK mpi@, OK mikeb@

* use the state id to set a flowid on an mbuf. | dlg | 2015-10-08 | 1 | -1/+6
  ok mpi@ mikeb@ sthen@

* Always increment rt_use inside rtalloc(9) instead of doing it in some | mpi | 2015-09-23 | 1 | -2/+1
  specific places.
  ok claudio@, benno@

* There's no point in abstracting ifp->if_output() as long as pf_test() | mpi | 2015-09-13 | 1 | -3/+3
  needs to see lo0 in the output path.
  ok claudio@

* Stop overwriting the rt_ifp pointer of RTF_LOCAL routes with lo0ifp. | mpi | 2015-09-12 | 1 | -4/+3
  Use instead the RTF_LOCAL flag to loop local traffic back to the
  corresponding protocol queue.
  With this change rt_ifp is now always the same as rt_ifa->ifa_ifp.
  ok claudio@

* If M_PREPEND() fails, it frees the mbuf. In this case pf_translate_af() | bluhm | 2015-09-12 | 1 | -2/+4
  must reset pd->m to avoid a use after free.
  OK sashan@ mikeb@

* rtfree(9) accepts NULL now. | mpi | 2015-09-11 | 1 | -5/+3

* Kill yet another argument to functions in IPv6. This time ip6_output's | claudio | 2015-09-11 | 1 | -3/+3
  ifpp - XXX: just for statistics
  ifpp is always NULL in all callers so that statistic confirms ifpp is dying
  OK mpi@

* Kill two simple in6_ifstat_inc(). | mpi | 2015-09-10 | 1 | -2/+1

* add if_put after the if_get. | dlg | 2015-09-09 | 1 | -1/+3
  ok claudio@

* - route-to, dup-to, reply-to should not override the block action | sashan | 2015-09-01 | 1 | -1/+5
  Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>
  ok jung@, ok mikeb@

* PF must keep IPv6 fragment size as chosen by sender also for packets, | sashan | 2015-08-19 | 1 | -11/+12
  which are routed on behalf of route-to action.
  OK bluhm@

* - added /* FALLTHROUGH */ comments, typecasts (u_int32_t)-1, ... | sashan | 2015-07-21 | 1 | -2/+14
  ok mpi@

* Add some panics to default paths where code later assumes a non default | jsg | 2015-07-20 | 1 | -1/+3
  path was taken. This both prevents warnings from clang and acts as a
  sanity check.
  ok mcbride@ henning@

* INET6 is here to stay, so stop hauling around never-compiled code | mcbride | 2015-07-20 | 1 | -5/+13
  to optimize for an INET-only kernel, as well as the fantasy unicorn
  INET6-only kernel.
  (INET-only kernel still works)
  prompted by deraadt
  ok bluhm sashan

* rule_item might leak, when pf_create_state() fails | sashan | 2015-07-19 | 1 | -5/+9
  OK mcbride@

* unsigned variables should not be compared to be leq than 0 (unsigned a <= 0) | sashan | 2015-07-19 | 1 | -3/+3
  ok mcbride@

* unused arguments at pf_normalize_tcp_init() and pf_refragment6() | sashan | 2015-07-19 | 1 | -4/+4
  OK deraadt.

* pf_send_tcp() should also use unhandled_af() | sashan | 2015-07-18 | 1 | -1/+3
  ok jsg@, ok mpi@

* msg.mpi | sashan | 2015-07-18 | 1 | -11/+51

* Even if pf(4) is not compiled with SMALL_KERNEL add a define around | mpi | 2015-07-18 | 1 | -2/+5
  rt_mpath_next() to document the difference in behavior between the
  multipath and non-multipath routing code.
  Note that the same pattern is present in if_group_egress_build().
  ok claudio@

* INET/INET6 address family check should be unified in PF | sashan | 2015-07-18 | 1 | -19/+19
  it also adds af_unhandled(), where it is currently missing.
  ok mcbride@

* remove obsolete INET kernel option | tedu | 2015-07-17 | 1 | -3/+3

* Kill IP_ROUTETOETHER. | mpi | 2015-07-16 | 1 | -40/+16
  This pseudo-option is a hack to support return-rst on bridge(4). It
  passes Ethernet information via a "struct route" through ip_output().
  "struct route" is slowly dying...
  ok claudio@, benno@

* Expand ancient NTOHL/NTOHS/HTONS/HTONL macros. | mpi | 2015-07-16 | 1 | -12/+7
  ok guenther@, henning@

* Linking the local socket to pf states went wrong when IPsec was | bluhm | 2015-07-08 | 1 | -1/+2
  involved. For outgoing packets the IPsec layer did not clear the
  sending socket from the mbuf when the address changed. This resulted
  in strange state match and create behavior in pf. So clear the pf
  statekey and inp in the packet header for both directions when the
  address changes.
  Mark Patruck reported the bug, identified my problematic commit and
  tested the fix.
  OK mikeb@

* Get rid of the undocumented & temporary* m_copy() macro added for | mpi | 2015-06-30 | 1 | -2/+2
  compatibility with 4.3BSD in September 1989.
  *Pick your own definition for "temporary".
  ok bluhm@, claudio@, dlg@

* Increment rule counters only after successful state insertion | mikeb | 2015-06-22 | 1 | -17/+4
  Do rule counter increments after state has been successfully installed.
  This has an additional benefit of making error handling a bit simpler.
  OK mpi, bluhm

* Store a unique ID, an interface index, rather than a pointer to the | mpi | 2015-06-16 | 1 | -3/+4
  receiving interface in the packet header of every mbuf.
  The interface pointer should now be retrieved when necessary with
  if_get(). If a NULL pointer is returned by if_get(), the interface
  has probably been destroyed/removed and the mbuf should be freed.
  Such mechanism will simplify garbage collection of mbufs and limit
  problems with dangling ifp pointers.
  Tested by jmatthew@ and krw@, discussed with many.
  ok mikeb@, bluhm@, dlg@

* Introduce unhandled_af() for cases where code conditionally does | jsg | 2015-06-07 | 1 | -1/+9
  something based on an address family and later assumes one of the
  paths was taken. This was initially just calls to panic until
  guenther suggested a function to reduce the amount of strings needed.
  This reduces the amount of noise with static analysers and acts as a
  sanity check.
  ok guenther@ bluhm@

* Improve error handling and recovery during state insertion | mikeb | 2015-06-05 | 1 | -31/+41
  Reshuffle the code around a bit and greatly improve error handling
  fixing a few bugs along the way.
  Problem reported by and fix was written with Alexandr Nedvedicky.
  OK henning

* Don't create ICMP states on reply packets unless tracking states sloppy | mikeb | 2015-05-26 | 1 | -2/+7
  Since we've strengthened the ICMP state matching procedure during
  lookup to only match packets against states set up in a particular
  direction, we need to make sure we don't create states on packets
  that would otherwise be flowing in the direction opposite to the
  direction of the state and prevent further packets from matching
  the created state due to strict rules imposed by the ICMP direction
  check.
  Problem reported by Alexandr Nedvedicky, alexandr.nedvedicky-at-oracle.com.
  Discussed with reyk@; OK henning

* Cut down on if statements around pf_icmp_state_lookup | mikeb | 2015-05-22 | 1 | -23/+15
  Checked with blambert@, OK millert, henning