Commit message | Author | Age | Files | Lines
So this macro does not make much sense; just call pflog_packet().
OK sashan@ henning@
outgoing state key is the same. In this case the reverse link loops
to the same state key. The assertion in pf_state_key_link_reverse()
did not expect this and the kernel crashed.
bug reported and fix tested by Johan Huldtgren; OK sashan@ visa@
ok mpi@
pf_match_rule() must remember the current anchor before it descends
towards a leaf. It must restore the anchor as it ascends towards the root.
Bug pointed out and fix also tested by Matthias Pitzl from genua.
OK bluhm@
when syncookies are on, pf will blindly answer each and every SYN with a
syncookie-SYNACK. Upon reception of the ACK completing the 3WHS, pf will
reconstruct the original SYN, shove it through pf_test, where state will
be created if the ruleset permits it. Then massage the freshly created state
(we won't see the SYNACK), set up the sequence number modulator, and call
into the existing synproxy code to start the 3WHS with the backend host.
Add a - somewhat basic for now - adaptive mode where syncookies get enabled
if a certain percentage of the state table is filled up with half-open tcp
connections. This makes pf firewalls resilient against large synflood
attacks.
syncookies are off by default until we have gained more experience; considered
experimental for now.
see http://bulabula.org/papers/2017/bsdcan/ for more details.
joint work with sashan@, widely discussed and with lots of input by many
bzero -> memset and (very few) bcopy -> memcpy/memmove
of doing it manually.
OK sashan@ visa@
an invalid source address. As pf route-to happens after IP source
selection based on a different route, the address should be corrected
after pf has allocated the new route. Especially loopback addresses
must not appear in outgoing packets.
OK sashan@ visa@
decrement the time-to-live or hop-limit field to prevent routing
loops. Sending an ICMP time exceeded error makes traceroute work.
For outgoing packets ip_forward() has already done this.
OK visa@ sashan@
domain and other mbuf flags. In pf_route6() the bad packet counter
and dup-to check were missing.
OK visa@
existing statekey in the mbuf header. Reset the statekey in
m_dup_pkthdr().
suggested by and OK sashan@
or other states more consistent.
OK visa@ sashan@ on a previous version
same is already done for options header. Add the routing extension
header to the list that need "allow-opts" to pass.
OK sashan@ visa@
work in pf. The function pf_inp_link() takes the state key from
the mbuf and not the one pf_find_state() has just found. Introduce
a new function pf_state_key_link_inpcb() that links the given state
key and inpcb together with some sanity checks.
OK sashan@
their IPv6 header hop limit field. Let pf drop neighbor solicitation,
neighbor advertisement, router solicitation, router advertisement,
and redirect ICMP6 packets that do not comply. This enforces that
bogus packets cannot be routed when pf is enabled.
OK mpi@ sashan@ benno@
security check prevents that the user accidentally configures
redirect where a divert-to would be appropriate. Instead of spreading
the logic into tcp and udp input, check the flag during PCB listen
lookup. This also reduces parameters of in_pcblookup_listen().
OK visa@
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@
forwarding. It should never match and would cause MP locking
problems. While there remove a useless ifp parameter from
ip_output_ipsec_send().
from markus@; OK visa@ sashan@
pr_input handlers without KERNEL_LOCK().
ok visa@
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb
having pf_ouraddr say a packet is forwarded lets in_ouraddr avoid
doing a route lookup for the packet. however, because it is forwarded
we need to do a route lookup in ip_output anyway to know where it
goes.
in_ouraddr does a bunch of extra checks on the result of the route
lookup that ip_output does not do though, including special handling
of ip_directedbroadcast and M_BCAST. if you have directed broadcast
enabled and do not do these checks, the ethernet layer will loop a
copy of broadcast packets back into the stack recursively which
can blow the thread stack in the kernel.
discussed with jmatthew@, sashan@, and henning@
ok mpi@
diagnosing this led to the enabling of a guard page on amd64 kernel
stacks, which was necessary for correctly identifying this problem.
NOTE: code still runs with single softnet task. change definition of
SOFTNET_TASKS in net/if.c, if you want to have more than one softnet task
OK mpi@, OK phessler@
increment in pf_create_state(), decrement in pf_set_protostate().
input & ok bluhm
like ESTABLISHED for tcp here), don't do it directly, but go through a newly
introduced pf_set_protostate()
ok bluhm benno
Tested by Hrvoje Popovski, ok bluhm@
thread to a task running on the `softnettq`.
Tested and inputs from Hrvoje Popovski.
ok visa@, sashan@
KERNEL_LOCK().
- radix_node_head are still allocated with malloc(9) and pf_table can
free(9) some.
- pfsync(4) might send some traffic which can exercise IPsec code
Found by bluhm@ and Hrvoje Popovski
The NET_LOCK() is currently what guarantees that accesses to PF data
structures are serialized.
While here use rwsleep(9) instead of calling NET_LOCK()/NET_UNLOCK()
for every iteration.
Tested by Hrvoje Popovski, ok sashan@, visa@
== NULL)". The problem was that setting the inp pointer in the
statekey to NULL was delayed until the statekey refcounter reached
0. So the inp could get linked to another statekey while an mbuf
in the socket buffer was keeping the refcounter at 1. Set the
statekey inp pointer to NULL in pf_state_key_detach() immediately,
then the kassert can be even stricter.
OK sashan@
to enable PF_LOCK(), you must add 'option WITH_PF_LOCK' to your kernel
configuration. The code does not do much currently; it's just a very
small step towards MP.
O.K. henning@, mikeb@, mpi@
destination options header. Such packets can be passed by adding
"allow-opts" to the rule. So IPv6 options are handled like their
counterpart in IPv4 now.
tested by benno@; OK henning@
release it beforehand.
ok henning@, benno@
authentication headers in the IPv4 case. This prevents spending
excessive cpu time on crafted packets.
OK henning@
headers. pf_walk_header6() steps over it and detects the real
protocol. So implement a minimal header walking function
pf_walk_header() for IPv4. It does the header checks and jumps
over AH. Then pf does not understand AH as a protocol, it is just
an extension that authenticates the packet. Move some header and
option checks to pf_walk_header() for consistency with IPv6. This
also improves the header check for IPv4 packets in ICMP payload.
OK henning@
family switch. This makes the specific calculation more obvious.
OK claudio@
O.K. bluhm@
without needing a previously created state by MLD Listener Query. It
wasn't working because: (1) you might not have a previous MLD Listener
Query and (2) the addresses of the Query and Report don't match.
ok mikeb@, sashan@
we actually don't need to pre-allocate per_anchor_stack[] if we use
a 'natural' recursion when doing anchor tree traversal.
O.K. mikeb@, mpi@
ok visa@
Recursions are still marked as XXXSMP.
ok deraadt@, bluhm@
Reported by Remi Barbier, thanks! OK mpi@
inline function instead of casting it to sockaddr. While there,
use inline instead of __inline for all these conversions. Some
struct sockaddr casts can be avoided completely.
OK dhill@ mpi@
For the moment the NET_LOCK() is always taken by threads running under
KERNEL_LOCK(). That means it doesn't buy us anything except a possible
deadlock that we did not spot. So make sure this doesn't happen; we'll
have plenty of time in the next release cycle to stress test it.
ok visa@
Mainly states of established TCP connections would be affected, resulting
in immediate state removal once the number of states is bigger than
adaptive.start. Disabling adaptive timeouts is a workaround to avoid this bug.
Issue found and initial diff by Mathieu Blanc (mathieu.blanc at cea dot fr)
OK mikeb@
Output processing may split, encapsulate or obfuscate a single
stream which makes the changed flow ID less useful for purposes
of flow control, for instance fair sharing of bandwidth.
OK dlg
Get rid of the old splnet()/splx() dances. What's protecting them right
now is the KERNEL_LOCK(), but since pf(4) looks at these tables we want
to protect them in another way, hence the NET_LOCK(), at least as a hint.
ok bluhm@
ok mpi@ bluhm@