path: root/sys/net/pf_if.c
Commit message | Author | Age | Files | Lines
...
* Add loginterface support for groups. | mpf | 2007-09-27 | 1 | -30/+36
  Using a group sums up the statistics of all members. Modify pfctl(1) slightly to allow a groupname "all", which gives us an overall pf(4) statistic. OK henning@, markus@
* malloc sweep: | henning | 2007-09-15 | 1 | -3/+2
  - remove useless casts
  - MALLOC/FREE -> malloc/free
  - use M_ZERO where appropriate instead of separate bzero
  feedback & ok krw, hshoexer
* since the | henning | 2007-09-01 | 1 | -1/+2
  MGET* macros were changed to function calls, there wasn't any need for the pool declarations and the inclusion of pool.h
  From: tbert <bret.lambert@gmail.com>
* remove obsolete pfi_statehead and pfik_w_states; ok henning@ | markus | 2007-07-13 | 1 | -7/+3
* use IN6_IS_SCOPE_EMBED to check kernel-internal form addresses | itojun | 2006-12-13 | 1 | -2/+2
  (s6_addr16[1] filled) ok dhartmei
* fix updating of tables associated with interface groups used in | henning | 2006-01-30 | 1 | -22/+24
  pass to (ifgroup) style notation. instead of walking the list of associated dynaddrs with a pf-abstracted interface which might not be present when there is no reference to them in the ruleset, and checking their pointer back to the interface for group memberships, walk the groups an interface is member of directly. even makes the code easier.
  tests & ok bob ryan markus + tested moritz
* Improve the safety of pf IOCTLs, taking into account that some paths can sleep. | pascoe | 2005-09-28 | 1 | -3/+8
  - Introduces a rw_lock in pfioctl so that we can have concurrent readers but only one process performing updates at a time;
  - Separates state expiry into "unlink" and "free" parts; anyone can unlink a state/src node from the RB trees at any time, but a state can only be freed whilst the write lock is held;
  - Converts state_updates into list state_list containing all states, regardless of whether they are "linked" or "unlinked";
  - Introduces a new PFTM_UNLINKED state that is used on the "unlinked" states to signal that they can be freed;
  - Converts pf_purge_expired_state to an "unlink" state routine, which only unlinks the state from the RB trees. Freeing the state/src nodes is left to the purge thread, which runs whilst holding a write lock, such that all "next" references remain valid;
  - Converts pfsync_bulk_update and DIOCGETSTATES to walk state_list rather than the RB trees;
  - Converts the purge thread to use the new state_list and perform a partial purge every second, with the target rate a full state table walk every PFTM_INTERVAL seconds.
  seen by mcbride, henning, dhartmei pre-3.8, but too intrusive for then
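The unlink/free split described in the commit above, modelled in userland C as an added example (this is not OpenBSD's pf code). Only the names state_list and PFTM_UNLINKED come from the commit message; the `linked` flag standing in for RB-tree membership, the `pf_write_locked` integer standing in for the pfioctl rw_lock, and every function name are assumptions made for this demo. What it shows: expiry only unlinks, a walker that has saved a "next" pointer is never left pointing at freed memory, and memory is released only while the write lock is held, in bounded batches.

```c
/*
 * Added example, not OpenBSD source. state_list and PFTM_UNLINKED follow
 * the commit message; the `linked` flag (for RB-tree membership), the
 * pf_write_locked int (for the pfioctl rw_lock) and the function names
 * are invented stand-ins for the demo.
 */
#include <stdint.h>
#include <stdlib.h>
#include <sys/queue.h>

#define PFTM_UNLINKED	(-1)	/* unlinked from lookup; may be freed under the write lock */

struct pf_state {
	TAILQ_ENTRY(pf_state) entry_list;	/* membership in state_list */
	uint32_t id;
	int linked;	/* stand-in for "present in the RB trees" */
	int timeout;	/* uptime (seconds) at which the state expires */
};

static TAILQ_HEAD(, pf_state) state_list = TAILQ_HEAD_INITIALIZER(state_list);
static int pf_write_locked;	/* stand-in for holding the rw_lock exclusively */

void pf_write_lock(void)   { pf_write_locked = 1; }
void pf_write_unlock(void) { pf_write_locked = 0; }

struct pf_state *pf_insert_state(uint32_t id, int expire)
{
	struct pf_state *s = calloc(1, sizeof(*s));

	if (s == NULL)
		return NULL;
	s->id = id;
	s->linked = 1;
	s->timeout = expire;
	TAILQ_INSERT_TAIL(&state_list, s, entry_list);
	return s;
}

/* Packet matching: only states still in the "RB trees" can be found. */
struct pf_state *pf_find_state(uint32_t id)
{
	struct pf_state *s;

	TAILQ_FOREACH(s, &state_list, entry_list)
		if (s->linked && s->id == id)
			return s;
	return NULL;
}

/*
 * Phase 1, allowed from any context without the write lock: drop the
 * state out of the lookup structure and mark it. The memory stays on
 * state_list, so a walker holding a saved "next" pointer remains safe.
 */
void pf_unlink_state(struct pf_state *s)
{
	if (s->timeout == PFTM_UNLINKED)
		return;
	s->linked = 0;
	s->timeout = PFTM_UNLINKED;
}

/* Expiry is an unlink-only pass; returns how many states it unlinked. */
int pf_purge_expired_states(int now)
{
	struct pf_state *s;
	int n = 0;

	TAILQ_FOREACH(s, &state_list, entry_list)
		if (s->linked && s->timeout <= now) {
			pf_unlink_state(s);
			n++;
		}
	return n;
}

/*
 * Phase 2, write lock required: free at most `max` unlinked states (the
 * "partial purge"). Returns -1 without the lock, else the number freed.
 * `next` is read before free(), so the walk never touches freed memory.
 */
int pf_free_unlinked_states(int max)
{
	struct pf_state *s, *next;
	int n = 0;

	if (!pf_write_locked)
		return -1;
	for (s = TAILQ_FIRST(&state_list); s != NULL && n < max; s = next) {
		next = TAILQ_NEXT(s, entry_list);
		if (s->timeout == PFTM_UNLINKED) {
			TAILQ_REMOVE(&state_list, s, entry_list);
			free(s);
			n++;
		}
	}
	return n;
}

/* Length of state_list, linked and unlinked entries alike. */
int pf_state_count(void)
{
	struct pf_state *s;
	int n = 0;

	TAILQ_FOREACH(s, &state_list, entry_list)
		n++;
	return n;
}

int main(void)
{
	pf_insert_state(1, 10);
	pf_insert_state(2, 20);
	pf_insert_state(3, 30);
	pf_purge_expired_states(25);	/* unlinks 1 and 2, frees nothing */
	pf_write_lock();
	pf_free_unlinked_states(1);	/* partial purge: frees only state 1 */
	pf_free_unlinked_states(64);	/* frees state 2 */
	pf_write_unlock();
	return pf_state_count() == 1 ? 0 : 1;
}
```

The property worth checking is the one the commit relies on: after an unlink, pf_find_state() no longer returns the entry but pf_state_count() is unchanged, and pf_free_unlinked_states() refuses to run unless the lock stand-in is held.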
* Rearrange pf_state and pfi_kif so that the parts of the structure needed | pascoe | 2005-08-18 | 1 | -6/+8
  to search for a particular entry in the RB trees are at the start of the structure. This permits us to place a much smaller structure on the stack in the interrupt paths that match packets against state entries.
  ok mcbride
* Reset kif->pfik_ifp to NULL before calling pfi_kif_unref(), similar change | pascoe | 2005-08-07 | 1 | -2/+2
  to that in rev 1.40 for interface groups.
  ok henning
* Instead of copying a table structure so we can mask off a bit before | pascoe | 2005-08-02 | 1 | -6/+3
  "validating" it, pass the bits to be ignored down to the validating function in its allowedflags argument. Saves a 1kB+ stack allocation.
  ok henning@
* need to reset kif->pfik_group to NULL before calling pfi_kif_unref() so it can | henning | 2005-07-20 | 1 | -3/+2
  notice that this kif is not referenced and not attached to an interface or a group and actually deletes it. plugs a memleak, PR 4267 is caused by this.
* use a define instead of hardcoding "all" in 3 places | henning | 2005-06-06 | 1 | -3/+3
* const'ify the char * parameter to pfi_kif_get and pfi_group_change | henning | 2005-06-05 | 1 | -3/+3
* tsc, ryan left debug crap behind | henning | 2005-06-02 | 1 | -5/+2
* Remove duplicate pfi_ifs. | mcbride | 2005-05-28 | 1 | -3/+5
* -in our current model, a kif has either a pointer to an interface (ifnet) or | henning | 2005-05-27 | 1 | -10/+1
  a group, or there cannot be addresses associated with it. so we can get rid of checking kifs in the 3rd case and just be done with it.
  -we don't need to try to manually clear the table used for the (interface) notation when both the ifp and the group pointers are NULL, the pfr_set_addrs call will do the right thing with an empty set of addrs
  suggested by cedric, ryan ok
* turd polishing | henning | 2005-05-26 | 1 | -11/+7
* repair (self) notation - just attach "self" to the "all" group | henning | 2005-05-26 | 1 | -2/+5
* when an interface joins or leaves a group call back into pf so it can | henning | 2005-05-25 | 1 | -3/+21
  update the internal tables used for (ifgroup) notation
* add support for brace notation for interface groups, i.e. (testgroup) matches | henning | 2005-05-24 | 1 | -3/+15
  all IPs on all interfaces in testgroup
* further cleanup: don't mimic ifnet and add hooks and the dohooks() stuff to | henning | 2005-05-23 | 1 | -30/+22
  pf's interface abstraction, just attach a linked list of the dynaddrs to the respective kifs. makes things way easier and will be needed for the next step, ryan jajajaja
* repair updates for the tables used for (interface) notation | henning | 2005-05-23 | 1 | -2/+6
  the way it is done is completely retarded, needs fixing with ryan
* no need to search for the kif before calling pf_get_kif, it does that for us | henning | 2005-05-22 | 1 | -6/+4
* allow pf to match on interface groups | henning | 2005-05-22 | 1 | -5/+42
  pass on mygroup ...
  markus ok
* KNF | henning | 2005-05-21 | 1 | -2/+2
* clean up and rework the interface abstraction code big time, rip out multiple | henning | 2005-05-21 | 1 | -375/+224
  useless layers of indirection and make the code way cleaner overall. this is just the start, more to come...
  worked very hard on by Ryan and me in Montreal last week, on the airplane to vancouver and yesterday here in calgary. it hurt.
  ok ryan theo
* Catch failed hook_establish call immediately, rather than misbehaving and | pascoe | 2005-04-21 | 1 | -1/+4
  panicking at detach time.
  ok dhartmei@ henning@
* Introduce 'set skip on <ifspec>' to support a list of interfaces where no | dhartmei | 2004-12-22 | 1 | -1/+39
  packet filtering should occur (like loopback, for instance). Code from Max Laier, with minor improvements based on feedback from deraadt@.
  ok mcbride@, henning@
* move splsoftnet() below ACCEPT_FLAGS(), which contains a potential return. | dhartmei | 2004-12-13 | 1 | -2/+2
  from Max Laier.
* Check a NULL dereference before it could happen. | mpf | 2004-12-06 | 1 | -4/+7
  ok mcbride@
* undo last commit, skipping over ifaddrs without IFA_ROUTE has unwanted | henning | 2004-08-15 | 1 | -4/+1
  side effects in IPv6 land, noticed by Johan Fredin <griffin@legonet.org>
* skip over interface addresses without IFA_ROUTE, fixes some issue with pppd | henning | 2004-08-11 | 1 | -1/+4
  from Max Laier <max@love2party.net>
* when inserting a dynamic group entry into the pfi_ifs tree, don't incorrectly | dlg | 2004-08-10 | 1 | -3/+3
  create an interface entry with the same name. Prevents panics due to subsequent invalid refcounting.
  from Chris Pascoe
  ok dhartmei@ henning@
* Create the group when adding a dynamic interface that's not yet plugged in. | mcbride | 2004-07-11 | 1 | -1/+6
  ok henning@
* remove the half-baked and bogus pfi_dynamic_drivers() which tries to guess | henning | 2004-07-04 | 1 | -44/+1
  which drivers are hotpluggable. since we removed the stupid check from pfctl a few days ago nothing relies on this any more.
  ok pb@ mcbride@
* Minor fixes suggested by nordin@ and henning@ | tholo | 2004-06-25 | 1 | -2/+2
  ok millert@
* First step towards more sane time handling in the kernel -- this changes | tholo | 2004-06-21 | 1 | -3/+3
  things such that code that only need a second-resolution uptime or wall time, and used to get that from time.tv_secs or mono_time.tv_secs now get this from separate time_t globals time_second and time_uptime.
  ok art@ niklas@ nordin@
* Allow recursive anchors (anchors within anchors, up to 64 | dhartmei | 2004-05-19 | 1 | -7/+2
  levels deep). More work required, but this is already functional. authpf users will need to adjust their anchor calls, but this will change again soon.
  ok beck@, cedric@, henning@, mcbride@
* Don't step into INET6 code, just because af != AF_INET | pb | 2004-04-28 | 1 | -5/+14
  Also comment #endif properly while being here
  ok mcbride@
* Kill redundant (IPv4) and bogus (IPv6) tests. found+ok dhartmei@ | cedric | 2004-03-15 | 1 | -5/+1
* KNF, ok cedric@ deraadt@ | mcbride | 2004-03-09 | 1 | -4/+4
* Make pfsync deal with clearing states bound to a group or interface (eg | mcbride | 2004-02-20 | 1 | -2/+1
  pfctl -i fxp0 -Fs). Also don't send out individual state deletions if we're sending a clear message, move pfsync_clear_states() inside splnet, and fix if_pfsync.h includes in pf.c and pf_ioctl.c.
  ok cedric@ dhartmei@
* Tighten pfi_skip_if() up, and a bit of KNF. ok mcbride@ | cedric | 2004-02-17 | 1 | -3/+14
* KNF | henning | 2004-02-10 | 1 | -29/+27
* Repair "set loginterface". Don't flush stats on pfctl -e. pf_status.since | cedric | 2004-02-09 | 1 | -2/+2
  is the time of last "pf -e" or "pf -d". ok dhartmei@ henning@
* PFI_MTYPE leak; ok cedric@ | markus | 2004-01-07 | 1 | -1/+2
* spacing. note this, cedric | deraadt | 2003-12-31 | 1 | -5/+5
* delay interfaces attach until "self" has been created; ok cedric@ | markus | 2003-12-31 | 1 | -2/+2
* Many improvements to the handling of interfaces in PF. | cedric | 2003-12-31 | 1 | -75/+747
  1) PF should do the right thing when unplugging/replugging or cloning/destroying NICs.
  2) Rules can be loaded in the kernel for not-yet-existing devices (USB, PCMCIA, Cardbus). For example, it is valid to write: "pass in on kue0" before kue USB is plugged in.
  3) It is possible to write rules that apply to group of interfaces (drivers), like "pass in on ppp all"
  4) There is a new ":peer" modifier that completes the ":broadcast" and ":network" modifiers.
  5) There is a new ":0" modifier that will filter out interface aliases. Can also be applied to DNS names to restore original PF behaviour.
  6) The dynamic interface syntax (foo) has been vastly improved, and now support multiple addresses, v4 and v6 addresses, and all userland modifiers, like "pass in from (fxp0:network)"
  7) Scrub rules now support the !if syntax.
  8) States can be bound to the specific interface that created them or to a group of interfaces for example:
     - pass all keep state (if-bound)
     - pass all keep state (group-bound)
     - pass all keep state (floating)
  9) The default value when only keep state is given can be selected by using the "set state-policy" statement.
  10) "pfctl -ss" will now print the interface scope of the state.
  This diff change the pf_state structure slightly, so you should recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)
  Tested on i386, sparc, sparc64 by Ryan
  Tested on macppc, sparc64 by Daniel
  ok deraadt@ mcbride@
* Move PF interface code to new net/pf_if.c | cedric | 2003-12-12 | 1 | -0/+163
  Expect improvements in this area soon. ok dhartmei@ mcbride@