| Commit message | Author | Age | Files | Lines |
| |
that the NATed source port was reused as destination port. Do not
initialize nport at the beginning of the function, but where it is
needed.
OK sashan@
| |
always gets pointer to rule.
- pf_remove_src_node(): function should always remove matching src node,
regardless of sn->rule.ptr being NULL or a valid rule
- sn->rule.ptr is never NULL, spotted by mpi and Richard Procter _von_ gmail.com
OK mpi@, OK mikeb@
| |
triggered for a reply-to rule. It turns out this case has been using
uninitialised memory as if it were a valid pf pool.
As the rest of the function assumes a valid pool, for now just return.
Problem reported by RD Thrush.
ok jung@ mikeb@
| |
path was taken. This both prevents warnings from clang and acts as a
sanity check.
ok mcbride@ henning@
| |
it also adds af_unhandled(), where it is currently missing.
ok mcbride@
| |
ok mikeb@ some time ago
| |
ok guenther@, henning@
| |
using table or dynamic interface addresses for source-hash. Also
avoid calling arc4random_uniform() with upper_bound == 0.
ok mikeb
| |
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.
ok tedu@ deraadt@
| |
ok mikeb@ henning@
| |
long live the one true internet.
ok henning mikeb
| |
This finally allows using source-hash for dynamic load balancing, e.g.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.
An older pre-siphash version of this diff was tested by many people.
OK tedu@ benno@
| |
ok reyk
| |
to include that than rdnvar.h. ok deraadt dlg
| |
types ICMP_ECHO and ICMP6_ECHO_REQUEST have their special meaning
only if the protocol matches.
Put an #ifdef INET6 around ICMP6_ECHO_REQUEST to make the kernel
without IPv6 compile.
OK henning@
| |
ok miod@ mpi@
| |
ok florian@ henning@
| |
selection process fails; ok henning
| |
global variables to in6.h.
ok deraadt@
| |
global variables to in.h.
ok mikeb@, deraadt@
| |
created a bunch of useless dependencies. Remove this implicit
inclusion and do an explicit #include <netinet6/in6_var.h> when it
is needed.
OK mpi@ henning@
| |
fixes nat with sticky address and ip address change on pppoe(4) for example;
ok henning@, zinke@; mikeb@
| |
from the pool (e.g. ifconfig em0 1.2.3.4 -alias)
ok henning@, mikeb@
| |
ok henning@, zinke@, mikeb@
| |
load balancing case, this allows Weighted Least States (WLS).
Everything prepared on c2k11 with help from mcbride@.
This finally makes PF ready for the cloud.
ok henning@ mikeb@ pyr@
| |
pf to fix that.
- add #ifdef INET6 in obvious places
- af translation is only possible with both INET and INET6
- interleave #endif /* INET6 */ and closing brace correctly
- it is not necessary to #ifdef function prototypes
- do not compile af translate functions at all instead of empty stub,
then the linker will report inconsistencies
- pf_poolmask() actually takes an sa_family_t not a u_int8_t argument
No binary change for GENERIC compiled with -O2 and -UDIAGNOSTIC.
reported by Olivier Cochard-Labbe; ok mikeb@ henning@
| |
"af-to" a generic IP version translator for pf(4).
Not everything is perfect yet but let's fix these things in the tree.
Insane amount of work done by sperreault@, mikeb@ and reyk@.
Looked over by mcbride@ henning@ and myself at eurobsdcon.
OK mcbride@ and general put it in from deraadt@
| |
variables being processed.
ok bluhm@ henning@
| |
improved debugging for error cases inside the weighted round-robin loop.
original diff from claudio, ok henning
| |
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt
| |
ok mcbride@ henning@
| |
so that rules like "pass out on vr1 inet6 nat-to (vr1)" won't map
to the non-routable ipv6 link local address; with suggestions and
ok claudio, henning
| |
walking the ruleset and up until state is fully set up) into pf_pdesc instead
of passing around those 4 separately all the time, also shrinks the argument
count for a few functions that have/partially had an insane count of arguments.
kinda preparational since we'll need them elsewhere too, soon
ok ryan jsing
| |
nat rule. It should check to see if it's in-use (i.e. matches an existing
PF state), if it is, it cycles sequentially through other ports until
it finds a free one. However the check was being done with the state
keys the wrong way round so it was never actually finding the state
to be in-use.
- switch the keys to correct this, avoiding random state collisions
with nat. Fixes PR 6300 and problems reported by robert@ and viq.
- check pf_get_sport() return code in pf_test(); if port allocation
fails the packet should be dropped rather than sent out untranslated.
Help/ok claudio@.
| |
definition of DPFPRINTF(), and log priorities from syslog.h. Old debug
levels will still work for now, but will eventually be phased out.
discussed with henning, ok dlg
| |
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.
Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.
ok henning dlg claudio
| |
the original approach using a source tracking node.
the reimplementation is more flexible than the original one, we now have an
slist of source tracking nodes per state. that is cheap because more than
one entry will be an absolute exception.
ok beck and jsg, also stress tested by Sebastian Benoit <benoit-lists at fb12.de>
| |
tables on top of a rdomain) but until now our code was a crazy mix so that
it was impossible to correctly use rtables in that case. Additionally pf(4)
only knows about rtables and not about rdomains. This is especially bad when
tracking (possibly conflicting) states in various domains.
This diff fixes all or most of these issues. It adds a lookup function to
get the rdomain id based on a rtable id. Makes pf understand rdomains and
allows pf to move packets between rdomains (it is similar to NAT).
Because pf states now track the rdomain id as well it is necessary to modify
the pfsync wire format. So old and new systems will not sync up.
A lot of help by dlg@, tested by sthen@, jsg@ and probably more
OK dlg@, mpf@, deraadt@
| |
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too
| |
ok henning@
| |
in one port of the state key, using the type to determine which side should
be the id, and which should be the type. Also:
- Handle ICMP6 messages which are typically sent to multicast addresses but
receive unicast replies, by doing fallthrough lookups against the correct
multicast address.
- Clear up some mistaken assumptions in the PF code:
- Not all ICMP packets have an icmp_id, so simulate one based on other
data if we can, otherwise set it to 0.
- Don't modify the icmp id field in NAT unless it's echo
- Use the full range of possible ids when NATing icmp6 echo
ok henning marco
testing matthieu todd
| |
when we want to pretend pf_get_translation didn't do anything we must
get rid of _both_ state keys and reset all 4 sk pointers to NULL and
not leave one key behind and have all 4 pointers point to it - that must
fail. tested dhill sthen, david agrees, deraadt ok
| |
"panic: pool_do_get(pfstatekeypl): free list modified" discussed with many.
ok dlg