path: root/sys/net/pf_ioctl.c
* Revert previous.
  (mbalmer, 2009-02-15, 1 file, -7/+2)

* Fix compilation of kernels that have pf, but not pfsync.
  ok dlg, henning, sthen
  (mbalmer, 2009-02-15, 1 file, -2/+7)
* Fix splasserts seen in pr 5987 by propagating a flag that describes
  whether we're called from the interrupt context to the functions performing
  allocations. Looked at by mpf@ and henning@, tested by mpf@ and Antti Harri,
  the pr originator. ok tedu
  (mikeb, 2008-11-24, 1 file, -3/+3)

* use the correct idiom for NFOO things which come from "foo.h" files
  ok dlg
  (deraadt, 2008-10-23, 1 file, -3/+3)
* Simplify state creation code; merge state import/export code between pfsync
  and the state-related pf(4) ioctls, and make functions in state creation and
  destruction paths more robust in error conditions. All values in struct
  pfsync_state now in network byte order, as with pfsync.
  testing by david ok henning, systat parts ok canacar
  (mcbride, 2008-06-29, 1 file, -144/+4)

* Revert 1.203; it's not safe to blindly walk the tailq instead of the rbtree
  for picking states to unlink as the tailq may contain unlinked states.
  (mcbride, 2008-06-22, 1 file, -3/+3)

* Include "pflog.h" so that we get NPFLOG.
  ok henning@
  (jsing, 2008-06-14, 1 file, -1/+2)
* pool_get()s not in interrupt context should not be PR_NOWAIT, but
  PR_WAITOK | PR_LIMITFAIL. from discussion with art. ok ryan claudio thib
  (henning, 2008-06-14, 1 file, -7/+8)

* Split address setup operations into a separate function. More to come.
  ok henning
  (mcbride, 2008-06-11, 1 file, -22/+30)

* Simplify code slightly; use PR_ZERO with pool_get() rather than bzero().
  ok mpf henning
  (mcbride, 2008-06-10, 1 file, -3/+2)
* when walking the entire state table it makes much more sense to walk
  the tailq instead of the rb tree. pt out by kjell some time ago, ok ryan
  (henning, 2008-06-10, 1 file, -3/+3)

* save some space in the state by collapsing two 8 bit ints used as booleans
  into one 8 bit flags field. shrinks the state structure by 4 bytes on 32bit
  archs. ryan ok
  (henning, 2008-06-10, 1 file, -3/+2)

* implement a sloppy tcpstate tracker which does not look at sequence
  numbers at all. scary consequences; only to be used in very specific
  situations where you don't see all packets of a connection, e. g.
  asymmetric routing. ok ryan reyk theo
  (henning, 2008-06-10, 1 file, -1/+2)
* trivial KNF before we go further
  (henning, 2008-05-30, 1 file, -4/+4)

* Second half of PF state table rearrangement.
  - Mechanical change: Use arrays for state key pointers in pf_state, and
    addr/port in pf_state_key, to allow the use of indexes.
  - Fix NAT, pfsync, pfctl, and tcpdump to handle the new state structures.
    In struct pfsync_state, both state keys are included even when identical.
  - Also fix some bugs discovered in the existing code during testing.
    (in particular, "block return" for TCP packets was not returning an RST)
  ok henning beck deraadt
  tested by otto dlg beck laurent
  Special thanks to users Manuel Pata and Emilio Perea who did enough testing
  to actually find some bugs.
  (mcbride, 2008-05-29, 1 file, -75/+78)

* rewrite the state table logic.
  complete the split off of the layer 3/4 addressing information from the
  extra information in the actual state. a state key holds a list of states,
  and a state points to two state keys - they're only different in the NAT
  case. More specifically, it deprecates the (often difficult to understand)
  concept of lan, ext, and gwy addresses, replacing them with WIRE and STACK
  side address tuples (af, proto, saddr, daddr, sport, dport).
  Concept first brought up some years ago on a ferry ride in bc by ryan and
  me, I spent some time over the last year getting closer, and finally got it
  completed in japan with ryan. dlg also took part, helped a lot, and saved
  us 8 bytes.
  This commit removes support for any kind of NAT as well as pfsync. It also
  paves the road for some code simplification and some very cool future
  stuff.
  ok ryan beck, tested by many
  (henning, 2008-05-29, 1 file, -45/+52)
* KNF
  (mcbride, 2008-05-18, 1 file, -17/+18)

* Add support to kill states by rule label or state id.
  Fix printing of the state id in pfctl -ss -vv.
  Remove the psnk_af hack to return the number of killed states.
  OK markus, beck. "I like it" henning, deraadt. Manpage help from jmc.
  (mpf, 2008-05-09, 1 file, -7/+24)

* Add a counter to record how many states have been created by a rule.
  It shows up in pfctl verbose mode and in the 7th field of the labels output.
  Also remove the label printing for scrub rules, as they do not support
  labels.
  OK dhartmei@ (on an earlier version), henning@, mcbride@
  (mpf, 2008-05-06, 1 file, -6/+7)

* Prevent possible overflow of int variable on large memory machines.
  ok kettenis@
  (weingart, 2008-05-06, 1 file, -2/+2)
* DIOC{GET,ADD}STATE incorrectly use a user provided pointer without using
  copyin/out. Change the API so that the state is included in the ioctl
  argument, so the ioctl wrappers take care of copying memory as appropriate.
  Also change the DIOCGETSTATE API to be more useful. Instead of getting an
  arbitrarily "numbered" state (using numbering that can change between
  calls), instead search based on id and creatorid. If you want to monitor
  only a particular state, you can now use the bulk functions first to find
  the appropriate id/creatorid and then fetch it directly from then on.
  ok dlg@ henning@
  (pascoe, 2007-12-02, 1 file, -12/+9)

* When pf_insert_state succeeds, increase the state count on the
  default rule. When pf_insert_state fails, it's because a matching state
  already exists. Return a better error code to the user in this case.
  ok henning@ dlg@
  (pascoe, 2007-12-02, 1 file, -2/+4)

* initialize altq->altq_disc to NULL, from Max Laier
  (dhartmei, 2007-12-02, 1 file, -1/+2)

* Don't put state key if pf_insert_state fails. pf_detach_state would have
  put it for us already. Also, fix cut-n-paste error in previous commit.
  ok dlg@ henning@
  (pascoe, 2007-12-02, 1 file, -3/+2)

* Don't leak state if key allocation fails during add.
  ok dlg@ henning@
  (pascoe, 2007-12-02, 1 file, -1/+2)

* Set expiry timestamp when importing a state, otherwise it expires on the
  next expiry run.
  ok dlg@ henning@
  (pascoe, 2007-12-02, 1 file, -1/+4)

* DIOCADDSTATE would always dereference a NULL pointer during this copy
  and what it was copying would get overwritten anyway. Remove the copy and
  avoid a panic. DIOCGETSTATE would incorrectly dereference a pointer to a
  pointer, causing another panic. Fix this.
  (pascoe, 2007-12-02, 1 file, -3/+2)
* Add loginterface support for groups.
  Using a group sums up the statistics of all members.
  Modify pfctl(1) slightly to allow a groupname "all", which gives us an
  overall pf(4) statistic.
  OK henning@, markus@
  (mpf, 2007-09-27, 1 file, -7/+3)

* malloc sweep:
  - remove useless casts
  - MALLOC/FREE -> malloc/free
  - use M_ZERO where appropriate instead of separate bzero
  feedback & ok krw, hshoexer
  (henning, 2007-09-15, 1 file, -16/+8)

* replace the machine dependent bytes-to-clicks macro by the MI ptoa()
  version for i386. more architectures and ctob() replacement is being worked
  on. prodded by and ok miod
  (martin, 2007-09-01, 1 file, -2/+2)

* mechanic change:
  there is a 1:1 mapping between direction and the tree the states get
  attached to. there is no need to have anything outside the state
  insertion/deletion/lookup routines know about these internals. so just pass
  the direction to the lookup functions and let them pick the right tree.
  ok dhartmei markus
  (henning, 2007-08-30, 1 file, -3/+3)
* Save some bytes and make code more readable by removing junk union and
  unused ifname (this information is in struct pf_state_sync now). Also a bit
  of KNF on the pf_state struct.
  ok mpf@ henning@
  (mcbride, 2007-06-24, 1 file, -6/+6)

* force logif to zero if no logging is asked for
  check the logif when changing a rule
  from max laier, ok ryan
  (henning, 2007-06-21, 1 file, -1/+9)

* PR 5502 From: Marc Huber <Marc.Huber@web.de>
  pfioctl()'s DIOCKILLSTATES triggers panic due to wrong test variable in
  for() loop.
  well analyzed and fixed, excellent PR, applied verbatim, thanks!
  (this was fallout from the state - state key split)
  (henning, 2007-06-07, 1 file, -2/+2)

* factor out duplicated code to allocate state key and cross-reference it
  with a state entry into a new pf_alloc_state_key() function and use it
  everywhere. makes upcoming changes way easier and is cleaner anyway.
  conceptually agreed by ryan, but he's on the road now ;(
  (henning, 2007-06-01, 1 file, -8/+3)
* Move the state id and creatorid (used mainly by pfsync) into struct pf_state.
  ok henning@
  (mcbride, 2007-05-31, 1 file, -31/+30)

* First step of rearranging pf's state table internals...
  - Split pf_state into pf_state (used for tracking connection information),
    and pf_state_key (used for searching the state table)
  - Use pfsync_state in the ioctl for userland access to the state table.
    This will shield userland somewhat from future changes.
  ok henning@ toby@ pyr@
  (mcbride, 2007-05-31, 1 file, -98/+166)

* Add a name argument to the RWLOCK_INITIALIZER macro.
  Pick reasonable names for the locks involved.
  ok tedu@, art@
  (thib, 2007-05-29, 1 file, -2/+2)
* because sparc has variable pagesize, ctob() varies between machines, and we
  need uvm/uvm_extern.h to get at uvmexp. oops.
  (deraadt, 2007-02-26, 1 file, -1/+2)

* if machine has more than 100MB of physmem, default the max table entries
  to 200,000 instead of the conservative 100,000; ok dhartmei beck
  tested by ckuethe
  (deraadt, 2007-02-23, 1 file, -1/+5)

* allow counters to be reset with DIOCGETRULES.
  this allows an atomic read and reset counters, instead of read, reset in a
  later ioctl and lose everything in between. use the previously unused of
  pr->action. When it is set to PF_GET_CLR_CNTR, the ioctl requires write
  permissions and counters are reset after they have been copied out to
  userland.
  obsoletes DIOCCLRRULECTRS, which only works for the main ruleset, but not
  within anchors (yeah, that's how it all started)
  ok dhartmei, mcbride and theo agree as well
  (henning, 2007-02-09, 1 file, -2/+12)

* ioctl to explicitly remove source tracking nodes,
  diff from Berk D. Demir <bdd@mindcast.org>
  ok henning dhartmei
  (mcbride, 2006-11-20, 1 file, -1/+40)
* Split ruleset manipulation functions out into pf_ruleset.c to allow them to
  be imported into pfctl. This is a precursor to separating ruleset parsing
  from loading in pfctl, and tons of good things will come from it.
  2 minor changes aside from cut-n-paste and #define portability magic:
  - instead of defining the global pf_main_ruleset, define pf_main_anchor
    (which contains the pf_main_ruleset)
  - allow pf_find_or_create_ruleset() to return the pf_main_ruleset if it's
    passed an empty anchor name.
  ok henning dhartmei
  (mcbride, 2006-10-27, 1 file, -315/+1)

* add a "u_int8_t logif" to struct pfrule to select to which pflog interface
  logs go. ok mcbride
  (henning, 2006-10-25, 1 file, -1/+9)

* allow DIOCNATLOOK to look up NAT states for protocols without port
  numbers, reported by Raja Subramanian; ok henning@
  (djm, 2006-08-30, 1 file, -2/+4)

* fix a bug in the input sanity check of DIOCCHANGERULE (not used by pfctl,
  but third-party tools). a rule must have a non-empty replacement address
  list when it's a translation rule but not an anchor call (i.e. "nat ... ->"
  needs a replacement address, but "nat-anchor ..." doesn't). the check
  confused "rule is an anchor call" with "rule is defined within an anchor".
  report from Michal Mertl, Max Laier.
  (dhartmei, 2006-07-21, 1 file, -2/+2)
* allow rules to point to an alternate routing table, and tag packets
  matching that rule so that the forwarding code later can use the alternate
  routing table for lookups (not implemented yet). the tagging is "sticky",
  every matching rule modifies, just like the regular "tag".
  ok claudio hshoexer, hacked at r2k6
  (henning, 2006-07-06, 1 file, -1/+9)

* Enable adaptive timeouts by default, with adaptive.start of 60% of the
  state limit and adaptive.end of 120% of the state limit. Explicitly setting
  the adaptive timeouts will override the default, and it can be disabled by
  setting both adaptive.start and adaptive.end to 0.
  ok henning@
  (mcbride, 2006-05-28, 1 file, -1/+3)

* With the exception of two other small uncommitted diffs this moves
  the remainder of the network stack from splimp to splnet.
  ok miod@
  (brad, 2006-03-04, 1 file, -3/+3)

* DIOCNATLOOK was forgotten in the second access control switch. it's a
  read-only operation (looking up one state entry), so allow it when /dev/pf
  is opened read-only (allows squid to work read-only). from Andrey Matveev.
  (dhartmei, 2006-01-06, 1 file, -1/+2)