path: root/sys/net/pf_if.c
Commit log. Each entry gives the commit message, followed by (author, date, files changed, lines removed/added).
* fix set skip group matching: don't match partial strings, i. e. 'set skip on
  lo' must not match a group 'local'. diff from sthen who is not around for a few days, ok me and mpf. I can't find the mail of the guy who initially ran into this problem, sorry for that, thanks for reporting!
  (henning, 2011-07-28, 1 file changed, -2/+2 lines)
* Change 'set skip on <...>' to work with interface groups.
  Feedback from various people, ok henning@
  Previously if an interface type (without number), e.g. "set skip on vlan" or "set skip on em" was used, it would have the undocumented behaviour of matching any interface of that type. Now it will only match an interface which is a member of the named group.
  This results in some changed behaviour: If you currently use "set skip" with a physical interface type (e.g. "set skip on ix") you will need to add the interface to a group of that name: 'ifconfig ix0 group ix' or add 'group ix' to hostname.ix0.
  Interfaces cloned at runtime (e.g. lo, trunk, vlan, pppoe, carp, gif, mpe and others) default to being in a group named after the interface type, so for these interfaces there will be no change in behaviour unless you have deliberately changed groups, e.g. 'ifconfig carp456 -group carp'.
  (sthen, 2011-05-20, 1 file changed, -6/+9 lines)
* Clean up interface stats handling:
  - 'make -Fi' reset ALL the interface statistics
    can be restricted with -i ifname
  - 'make -Fa -i ifname' fail (it's meaningless)
  - get rid of a silly little struct that's only used for one thing
  ok henning
  (mcbride, 2010-06-28, 1 file changed, -2/+11 lines)
* Convert pf debug logging to using log()/addlog(), a single standardised
  definition of DPFPRINTF(), and log priorities from syslog.h. Old debug levels will still work for now, but will eventually be phased out.
  discussed with henning, ok dlg
  (mcbride, 2010-01-18, 1 file changed, -9/+16 lines)
* First pass at removing the 'pf_pool' mechanism for translation and routing
  actions. Allow interfaces to be specified in special table entries for the routing actions. Lists of addresses can now only be done using tables, which pfctl will generate automatically from the existing syntax. Functionally, this deprecates the use of multiple tables or dynamic interfaces in a single nat or rdr rule.
  ok henning dlg claudio
  (mcbride, 2010-01-12, 1 file changed, -2/+12 lines)
* Clearly copy the whole, and nothing but the whole, old buffer into
  the resized buffer. From Pawel Jakob Dawidek via Max Laier via Marc Balmer via tech@. As was the previous commit where I didn't mention Pawel.
  'should be olright' henning@
  (krw, 2009-08-25, 1 file changed, -2/+2 lines)
* Fix order of memcpy() arguments so data is copied from src to dest,
  not the other way. At least partial fix for interfaces with >64 aliases. From Max Laier via Marc Balmer.
  'seems right' sthen@ ok markus@
  (krw, 2009-08-25, 1 file changed, -2/+2 lines)
* Make the DIOCSETIFFLAG, DIOCSETLIMIT, and DIOCSETTIMEOUT ioctls
  transactional, closing PRs 4941 and 5910. Minor flag day, requires rebuild of userland tools that use struct pfi_kif.
  ok henning deraadt
  (mcbride, 2009-03-09, 1 file changed, -3/+15 lines)
* Fix splasserts seen in pr 5987 by propagating a flag that describes
  whether we're called from the interrupt context to the functions performing allocations. Looked at by mpf@ and henning@, tested by mpf@ and Antti Harri, the pr originator.
  ok tedu
  (mikeb, 2008-11-24, 1 file changed, -2/+2 lines)
* Also do the PR_ZERO dance here. This was held back on Henning's request
  because it conflicted with the change he did in pf_if.c earlier. He finally woke up to ok (well, ``yes'', really) this version now.
  (mk, 2008-06-14, 1 file changed, -3/+3 lines)
* pool_get()s not in interrupt context should not be PR_NOWAIT, but
  PR_WAITOK | PR_LIMITFAIL. from discussion with art.
  ok ryan claudio thib
  (henning, 2008-06-14, 1 file changed, -2/+2 lines)
* KNF
  (mcbride, 2008-05-18, 1 file changed, -2/+2 lines)
* Check for pfi_kif's that are neither groups nor have a real interface.
  This prevents a null-deref when empty groups are used in set loginterface. Fixes PR 5628 as reported by Andreas Bihlmaier. Bad mpf :(
  OK henning@
  (mpf, 2007-11-07, 1 file changed, -1/+3 lines)
* Add loginterface support for groups.
  Using a group sums up the statistics of all members. Modify pfctl(1) slightly to allow a groupname "all", which gives us an overall pf(4) statistic.
  OK henning@, markus@
  (mpf, 2007-09-27, 1 file changed, -30/+36 lines)
* malloc sweep:
  -remove useless casts
  -MALLOC/FREE -> malloc/free
  -use M_ZERO where appropriate instead of separate bzero
  feedback & ok krw, hshoexer
  (henning, 2007-09-15, 1 file changed, -3/+2 lines)
* since the
  MGET* macros were changed to function calls, there wasn't any need for the pool declarations and the inclusion of pool.h
  From: tbert <bret.lambert@gmail.com>
  (henning, 2007-09-01, 1 file changed, -1/+2 lines)
* remove obsolete pfi_statehead and pfik_w_states; ok henning@
  (markus, 2007-07-13, 1 file changed, -7/+3 lines)
* use IN6_IS_SCOPE_EMBED to check kernel-internal form addresses
  (s6_addr16[1] filled)
  ok dhartmei
  (itojun, 2006-12-13, 1 file changed, -2/+2 lines)
* fix updating of tables associated with interface groups used in
  pass to (ifgroup) style notation. instead of walking the list of associated dynaddrs with a pf-abstracted interface which might not be present when there is no reference to them in the ruleset, and checking their pointer back to the interface for group memberships, walk the groups an interface is member of directly. even makes the code easier.
  tests & ok bob ryan markus + tested moritz
  (henning, 2006-01-30, 1 file changed, -22/+24 lines)
* Improve the safety of pf IOCTLs, taking into account that some paths can sleep.
  - Introduces a rw_lock in pfioctl so that we can have concurrent readers but only one process performing updates at a time;
  - Separates state expiry into "unlink" and "free" parts; anyone can unlink a state/src node from the RB trees at any time, but a state can only be freed whilst the write lock is held;
  - Converts state_updates into list state_list containing all states, regardless of whether they are "linked" or "unlinked";
  - Introduces a new PFTM_UNLINKED state that is used on the "unlinked" states to signal that they can be freed;
  - Converts pf_purge_expired_state to an "unlink" state routine, which only unlinks the state from the RB trees. Freeing the state/src nodes is left to the purge thread, which runs whilst holding a write lock, such that all "next" references remain valid;
  - Converts pfsync_bulk_update and DIOCGETSTATES to walk state_list rather than the RB trees;
  - Converts the purge thread to use the new state_list and perform a partial purge every second, with the target rate a full state table walk every PFTM_INTERVAL seconds.
  seen by mcbride, henning, dhartmei pre-3.8, but too intrusive for then
  (pascoe, 2005-09-28, 1 file changed, -3/+8 lines)
* Rearrange pf_state and pfi_kif so that the parts of the structure needed
  to search for a particular entry in the RB trees are at the start of the structure. This permits us to place a much smaller structure on the stack in the interrupt paths that match packets against state entries.
  ok mcbride
  (pascoe, 2005-08-18, 1 file changed, -6/+8 lines)
* Reset kif->pfik_ifp to NULL before calling pfi_kif_unref(), similar change
  to that in rev 1.40 for interface groups.
  ok henning
  (pascoe, 2005-08-07, 1 file changed, -2/+2 lines)
* Instead of copying a table structure so we can mask off a bit before
  "validating" it, pass the bits to be ignored down to the validating function in its allowedflags argument. Saves a 1kB+ stack allocation.
  ok henning@
  (pascoe, 2005-08-02, 1 file changed, -6/+3 lines)
* need to reset kif->pfik_group to NULL before calling pfi_kif_unref() so it can
  notice that this kif is not referenced and not attached to an interface or a group and actually deletes it. plugs a memleak, PR 4267 is caused by this.
  (henning, 2005-07-20, 1 file changed, -3/+2 lines)
* use a define instead of hardcoding "all" in 3 places
  (henning, 2005-06-06, 1 file changed, -3/+3 lines)
* const'ify the char * parameter to pfi_kif_get and pfi_group_change
  (henning, 2005-06-05, 1 file changed, -3/+3 lines)
* tsc, ryan left debug crap behind
  (henning, 2005-06-02, 1 file changed, -5/+2 lines)
* Remove duplicate pfi_ifs.
  (mcbride, 2005-05-28, 1 file changed, -3/+5 lines)
* -in our current model, a kif has either a pointer to an interface (ifnet) or
  a group, or there cannot be addresses associated with it. so we can get rid of checking kifs in the 3rd case and just be done with it.
  -we don't need to try to manually clear the table used for the (interface) notation when both the ifp and the group pointers are NULL, the pfr_set_addrs call will do the right thing with an empty set of addrs
  suggested by cedric, ryan ok
  (henning, 2005-05-27, 1 file changed, -10/+1 lines)
* turd polishing
  (henning, 2005-05-26, 1 file changed, -11/+7 lines)
* repair (self) notation - just attach "self" to the "all" group
  (henning, 2005-05-26, 1 file changed, -2/+5 lines)
* when an interface joins or leaves a group call back into pf so it can
  update the internal tables used for (ifgroup) notation
  (henning, 2005-05-25, 1 file changed, -3/+21 lines)
* add support for brace notation for interface groups, i. e. (testgroup) matches
  all IPs on all interfaces in testgroup
  (henning, 2005-05-24, 1 file changed, -3/+15 lines)
* further cleanup: don't mimic ifnet and add hooks and the dohooks() stuff to
  pf's interface abstraction, just attach a linked list of the dynaddrs to the respective kifs. makes things way easier and will be needed for the next step, ryan jajajaja
  (henning, 2005-05-23, 1 file changed, -30/+22 lines)
* repair updates for the tables used for (interface) notation
  the way it is done is completely retarded, needs fixing with ryan
  (henning, 2005-05-23, 1 file changed, -2/+6 lines)
* no need to search for the kif before calling pf_get_kif, it does that for us
  (henning, 2005-05-22, 1 file changed, -6/+4 lines)
* allow pf to match on interface groups
  pass on mygroup ...
  markus ok
  (henning, 2005-05-22, 1 file changed, -5/+42 lines)
* KNF
  (henning, 2005-05-21, 1 file changed, -2/+2 lines)
* clean up and rework the interface abstraction code big time, rip out multiple
  useless layers of indirection and make the code way cleaner overall. this is just the start, more to come... worked very hard on by Ryan and me in Montreal last week, on the airplane to vancouver and yesterday here in calgary. it hurt.
  ok ryan theo
  (henning, 2005-05-21, 1 file changed, -375/+224 lines)
* Catch failed hook_establish call immediately, rather than misbehaving and
  panicking at detach time.
  ok dhartmei@ henning@
  (pascoe, 2005-04-21, 1 file changed, -1/+4 lines)
* Introduce 'set skip on <ifspec>' to support a list of interfaces where no
  packet filtering should occur (like loopback, for instance). Code from Max Laier, with minor improvements based on feedback from deraadt@.
  ok mcbride@, henning@
  (dhartmei, 2004-12-22, 1 file changed, -1/+39 lines)
* move splsoftnet() below ACCEPT_FLAGS(), which contains a potential return.
  from Max Laier.
  (dhartmei, 2004-12-13, 1 file changed, -2/+2 lines)
* Check a NULL dereference before it could happen.
  ok mcbride@
  (mpf, 2004-12-06, 1 file changed, -4/+7 lines)
* undo last commit, skipping over ifaddrs without IFA_ROUTE has unwanted
  side effects in IPv6 land, noticed by Johan Fredin <griffin@legonet.org>
  (henning, 2004-08-15, 1 file changed, -4/+1 lines)
* skip over interface addresses without IFA_ROUTE, fixes some issue with pppd
  from Max Laier <max@love2party.net>
  (henning, 2004-08-11, 1 file changed, -1/+4 lines)
* when inserting a dynamic group entry into the pfi_ifs tree, don't incorrectly
  create an interface entry with the same name. Prevents panics due to subsequent invalid refcounting.
  from Chris Pascoe
  ok dhartmei@ henning@
  (dlg, 2004-08-10, 1 file changed, -3/+3 lines)
* Create the group when adding a dynamic interface that's not yet plugged in.
  ok henning@
  (mcbride, 2004-07-11, 1 file changed, -1/+6 lines)
* remove the half-baked and bogus pfi_dynamic_drivers() which tries to guess
  which drivers are hotpluggable. since we removed the stupid check from pfctl a few days ago nothing relies on this any more.
  ok pb@ mcbride@
  (henning, 2004-07-04, 1 file changed, -44/+1 lines)
* Minor fixes suggested by nordin@ and henning@
  ok millert@
  (tholo, 2004-06-25, 1 file changed, -2/+2 lines)
* First step towards more sane time handling in the kernel -- this changes
  things such that code that only needs a second-resolution uptime or wall time, and used to get that from time.tv_secs or mono_time.tv_secs, now gets this from separate time_t globals time_second and time_uptime.
  ok art@ niklas@ nordin@
  (tholo, 2004-06-21, 1 file changed, -3/+3 lines)