ok henning

found by jsg; ok jsg mikeb

No objection from reyk@, OK markus, hshoexer

there instead of pf_ioctl.c.
ok henning@

Spotted by Alexandr Nedvedicky <alexandr ! nedvedicky at oracle ! com>,
thanks a lot! Ok florian

it's only used for the ip and ip6 network stack input queues, so it
seems unfair that every instance of ifqueue has to carry a pointer
around for this specific use case.
this moves the congestion marker to a kernel global. if we detect
that we're congested, we assume the whole system is busy and punish
all input queues.
marking a system as congested is done by setting the global to the
current value of ticks. as the system moves away from that value,
it moves away from being congested until the comparison fails.
written at s2k15
ok henning@ beck@ bluhm@ claudio@

SO_BINDANY socket, the new state didn't have a link of the socket's
pcb. So the incoming packets allowed by the state were mistakenly
forwarded and the pcb could not get them. Fix pf not to lose the link
of the pcb when the state is recreated.
ok bluhm mikeb

have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.
ok tedu@ deraadt@

mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.
Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesn't like it he can change it when he recovers from jet-lag"

is a debug tool change of semantics not considered problematic.
up until now, log(matches) forced logging on subsequent matching rules,
the actual logging used the log settings from that matched rule.
now, log(matches) causes subsequent matches to be logged with the log settings
from the log(matches) rule. in particular (this was the driving point),
log(matches, to pflog23) allows you to have the trace log going to a separate
pflog interface, not clobbering your regular pflogs, actually not affecting
them at all.
long conversation with bluhm about it, which didn't lead to a single bit
changed in the diff but was very very helpful. ok bluhm as well.

no real compat issue since we're using spare bytes.
old -> new ends up with set prio (0, 0) equivalent
new -> old is entirely harmless, old ignores the prios.
requested by Alexey Suslikov <alexey.suslikov at gmail>
ok phessler pelikan dlg

i.e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan

was setting max_win to 0 and discarded retransmitted SYN-ACK segments
without wscale if the original SYN contained a wscale option.
with gerhard@, ok henning@

the 3WHS is completed, establish the backend connection. The trigger
for "3WHS completed" is the reception of the first ACK. However, we
should not proceed if that ACK also has RST or FIN set.
ACK+RST part pointed out by Kojedzinszky Richard <krichy at tvnetwork hu>
ok mikeb dlg phessler claudio

Packets destined to link-local addresses are looped back with embedded
scopes because we cannot restore them using the receiving interface (lo0).
Embedded scopes are needed by the routing table to match RTF_LOCAL routes,
but pf(4) never saw them and existing rules are likely to break without
teaching the rule engine about them, found by dlg@ the hard way.
So save and restore embedded scopes around pf_test() for packets going
through loopback.
ok dlg@, mikeb@

before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy

long live the one true internet.
ok henning mikeb

This structure is now only used to pass a cached route entry to
ip{6,}_output() which will be converted shortly.
With inputs from millert@, ok bluhm@

- Unicast packets sent to any local address will have their interface
set to loopback.
- In order to differentiate traffic from interfaces having identical
link-local addresses, provide the scoped addresses to pf(4).
- Update the icmp6 state lookup logic to match scoped MLL addresses.
- Remove a shortcut in ip6_input() that bypasses pf and always look
for an RTF_LOCAL route.
Packets sent to multicast addresses still retain their original
interface due to the fact that local multicast packet delivering
does not use if_output.
This makes ping6 to link-local addresses work even with pf enabled
and "set skip" on loopbacks, reported by Pieter Verberne.
Debugged, analysed and tested with mikeb@.
ok mikeb@, henning@, sthen@

to include that than rdnvar.h. ok deraadt dlg

ok phessler@ tedu@

since we might have tweaked the addresses.
Problem reported and fix tested by Bastien Durel <bastien at geekwu ! org>,
thanks! OK henning

functionality instead of a mix of enable/disable.
ok bluhm@, jca@

kill the macro.
ok mikeb@, henning@

ok henning@, phessler@

rely on "struct route" that should die.
ok claudio@

anchors for "once" rules: "In case this is the only rule in the
anchor, the anchor will be destroyed automatically after the rule
is matched." Employ an additional pointer pair to keep track of
the parent ruleset containing the anchor that we want to remove.
OK henning

that owns the anchor on the pf anchor stack. There's no reason why we
should check for depth here. As a side effect this makes sure that the
correct nested anchor gets its counter bumped instead of the top most.
For the save/restore symmetry pf_step_out_of_anchor is made to always
restore previous value of the anchor rule. depth == 0 means that we are
at the top (main ruleset).
OK henning

start with a ruleset pointer assigned to pf_main_ruleset so that
pf_purge_rule doesn't get called with a NULL.
Prompted by the discussion with Alexandr Nedvedicky <alexandr !
nedvedicky at oracle ! com>.
OK henning

fixes the rewrite of an IPv6 header of an ICMP6 packet in the payload
of an ICMP6 error packet. Path MTU discovery with ping6 over pf
nat or rdr works again.
Found by src/regress/sys/net/pf_fragment make run-regress-fragping6
OK henning@

unnecessarily allocating an mbuf tag to store the divert port, just pass
the divert port directly to divert_packet() or divert6_packet() as an
argument.
includes a style fix pointed out by bluhm@
ok bluhm@ henning@ reyk@

From Alexandr Nedvedicky <alexandr ! nedvedicky at oracle ! com>. Thanks!

ok henning@

ok pelikan@, henning@

ever used to pass on uint32 (for ipsec). stop that madness and just pass
the uint32, 0 in all cases but the two that pass the ipsec flowinfo.
ok deraadt reyk guenther

ok gcc & md5 (alas, no binary change)

while there, get rid of the altq ioctls and associated now obsolete code

ok benno lteo naddy (back in january)

Avoid the confusion by using an appropriate name for the variable.
Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:
rtableid = rdomain
But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).
claudio@ likes it, ok mikeb@

TOS/Traffic Class field of the original packet. Discussed with mikeb@

field of IPv6 packets. Issue reported by Christophe Heurtaux on frnog.
ok mikeb@

pf_check_proto_cksum() by letting it use the same in4_cksum() call that
is used for TCP and UDP checksums.
ok henning@ naddy@

software. ok naddy
(this is pbly the ultimate commit'n'run)

are a lie, since the software engine emulates hardware offloading
and that is later indistinguishable. so kill the hw cksummed counters.
introduce software checksummed packet counters instead.
tcp/udp handles ip & ipvshit, ip cksum covered, 6 has no ip layer cksum.
as before we still have a miscounting bug for inbound with pf on, to be
fixed in the next step.
found by, prodding & ok naddy