path: root/sys/net/pf_table.c

Commit log (each entry: summary, author, date; files changed, lines removed/added; followed by the commit message body)
* Use the table on root always if current table is not active. (yasuoka, 2020-07-28; 1 file, -10/+18)
  ok sashan
* kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9) (cheloha, 2020-06-24; 1 file, -10/+10)
  time_second(9) and time_uptime(9) are widely used in the kernel to quickly get the system UTC or system uptime as a time_t. However, time_t is 64-bit everywhere, so it is not generally safe to use them on 32-bit platforms: you have a split-read problem if your hardware cannot perform atomic 64-bit reads.

  This patch replaces time_second(9) with gettime(9), a safer successor interface, throughout the kernel. Similarly, time_uptime(9) is replaced with getuptime(9).

  There is a performance cost on 32-bit platforms in exchange for eliminating the split-read problem: instead of two register reads you now have a lockless read loop to pull the values from the timehands. This is really not *too* bad in the grand scheme of things, but compared to what we were doing before it is several times slower. There is no performance cost on 64-bit (__LP64__) platforms.

  With input from visa@, dlg@, and tedu@. Several bugs squashed by visa@.

  ok kettenis@
* Fix pfr_kentry_byaddr() to be used for a rule in an anchor. (yasuoka, 2020-06-04; 1 file, -41/+23)
  It couldn't find an entry if its table is attached to a table on the root. This fixes the problem "route-to <TABLE> least-states" doesn't work. The problem is found by IIJ.

  OK sashan
* free(9) sizes for M_RTABLE. (mpi, 2019-07-08; 1 file, -3/+3)
  ok kn@
* Remove useless macros (kn, 2018-12-10; 1 file, -9/+9)
  These are just unhelpful case conversions.

  OK sashan henning
* use PFR_RB_NONE consistently (kn, 2018-10-15; 1 file, -2/+2)
  Replace hardcoded 0 and implicit checks with enum as done in all other use cases of `pfra_fback'. No object change.

  OK sashan
* - memory leak occurs when adding same table twice. (sashan, 2018-03-28; 1 file, -2/+4)
  (tj found fix in FreeBSD repo for us)

  OK @bluhm, @henning
* Validate pfra_type after copyin before using it to index an array (mikeb, 2017-08-16; 1 file, -4/+6)
  Don't trust the value of pfra_type blindly since it's coming from userland and sanitize it in pfr_validate_addr that is called after every copyin and also perform the check in pfr_create_kentry before we attempt to use the value not after.

  Coverity CID 1452909, 1453097, 1453384; Severity: Minor

  It can be triggered only by root by default or anyone with write access to /dev/pf if such access is provided.

  ok visa, bcook, sashan, jsg
* Replace the global variables pfr_{sin,sin6} with stack local variables (patrick, 2017-05-08; 1 file, -28/+48)
  so that we can run these parts of pf in parallel. Also replace a single usage of pfr_mask with a stack local variable.

  ok mpi@
* Convert most of the manual checks for CPU hogging to sched_pause(). (mpi, 2017-02-14; 1 file, -3/+2)
  The distinction between preempt() and yield() stays as it is useful to know if a thread decided to yield by itself or if the kernel told him to go away.

  ok tedu@, guenther@
* Replace a custom loop calling yield() by the idiom to check if the current process is hogging a CPU. (mpi, 2017-02-09; 1 file, -6/+4)
  ok mikeb@, visa@, tedu@
* A space here, a space there. Soon we're talking real whitespace rectification. (krw, 2017-01-24; 1 file, -6/+6)
* Kill unnecessary splsoftnet()/splx() dances, what's protecting radix globals is the KERNEL_LOCK(). (mpi, 2017-01-23; 1 file, -28/+4)
  ok claudio@
* Put union pf_headers and struct pf_pdesc into separate header file pfvar_priv.h. (bluhm, 2016-10-26; 1 file, -1/+13)
  The pf_headers had to be defined in multiple .c files before. In pfvar.h it would have unknown storage size, this file is included in too many places. The idea is to have a private pf header that is only included in the pf part of the kernel. For now it contains pf_pdesc and pf_headers, it may be extended later.

  discussion, input and OK henning@ procter@ sashan@
* roll back turning RB into RBT until i get better at this process. (dlg, 2016-09-27; 1 file, -22/+22)
* move pf from the RB macros to the RBT functions. (dlg, 2016-09-27; 1 file, -22/+22)
* all pools have their ipl set via pool_setipl, so fold it into pool_init. (dlg, 2016-09-15; 1 file, -13/+7)
  the ioff argument to pool_init() is unused and has been for many years, so this replaces it with an ipl argument. because the ipl will be set on init we no longer need pool_setipl.

  most of these changes have been done with coccinelle using the spatch below. cocci sucks at formatting code though, so i fixed that by hand. the manpage and subr_pool.c bits i did myself.

  ok tedu@ jmatthew@

  @ipl@ expression pp; expression ipl; expression s, a, o, f, m, p; @@ -pool_init(pp, s, a, o, f, m, p); -pool_setipl(pp, ipl); +pool_init(pp, s, a, ipl, f, m, p);
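Review bot: the semantic patch only matches a pool_init() call that is immediately followed by pool_setipl() on the same pool (there is no `...` between the two removed statements), so any pool_init() whose pool_setipl() sits elsewhere, or which never had one, is left with the old 7-argument call and no longer compiles against the new signature; those sites have to be converted by hand, which is consistent with the message saying only "most" of the changes came from coccinelle. Listing the hand-converted files in the message would make the change easier to audit.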
* pool_setipl for pf bits (dlg, 2016-09-02; 1 file, -1/+6)
  ok phessler@ henning@
* - fixes potential use-after-free in pfr_set_addrs() (sashan, 2015-11-03; 1 file, -5/+5)
  OK mikeb@, OK bluhm@
* rn_inithead() offset argument is now specified in bytes, missed in previous. (mpi, 2015-10-07; 1 file, -3/+3)
* Make every subsystem using a radix tree call rn_init() and pass the length of the key as argument. (mpi, 2015-09-04; 1 file, -1/+3)
  This way every consumer of the radix tree has a chance to explicitly initialize the shared data structures and no longer rely on another subsystem to do the initialization.

  As a bonus ``dom_maxrtkey'' is no longer used and dies.

  ART kernels should now be fully usable because pf(4) and IPSEC properly initialized the radix tree.

  ok chris@, reyk@
* Add some panics to default paths where code later assumes a non default path was taken. (jsg, 2015-07-20; 1 file, -1/+3)
  This both prevents warnings from clang and acts as a sanity check.

  ok mcbride@ henning@
* follow up changes on unknown AF handling (sashan, 2015-07-18; 1 file, -9/+10)
  - PF should always use unhandled_af()
  - 0 is lame, AF_UNSPEC is profi

  ok bluhm@
* INET/INET6 address family check should be unified in PF (sashan, 2015-07-18; 1 file, -16/+93)
  it also adds af_unhandled(), where it is currently missing.

  ok mcbride@
* Fix rn_match and therefore the exported lookup functions in radix.c to never return the internal RNF_ROOT nodes. (claudio, 2015-07-16; 1 file, -16/+1)
  This removes the checks in the callee to verify that not an RNF_ROOT node was returned.

  OK mpi@
* Introduce unhandled_af() for cases where code conditionally does something based on an address family and later assumes one of the paths was taken. (jsg, 2015-06-07; 1 file, -7/+24)
  This was initially just calls to panic until guenther suggested a function to reduce the amount of strings needed.

  This reduces the amount of noise with static analysers and acts as a sanity check.

  ok guenther@ bluhm@
* Plug a memory leak in pfr_destroy_kentry (mikeb, 2015-04-09; 1 file, -1/+4)
  pfi_kif objects allocated for table entries created by route-to or by specifying weight weren't garbage collected when the table entry was destroyed.

  Spotted by Alexandr Nedvedicky <alexandr ! nedvedicky at oracle ! com>, thanks!

  Ok henning, florian
* Table flags are not looked at when a table entry is created. (mikeb, 2015-04-08; 1 file, -8/+8)
  Spotted by Alexandr Nedvedicky <alexandr ! nedvedicky at oracle ! com>, thanks!
* Remove some includes include-what-you-use claims don't have any direct symbols used. (jsg, 2015-03-14; 1 file, -2/+1)
  Tested for indirect use by compiling amd64/i386/sparc64 kernels.

  ok tedu@ deraadt@
* Prevent tables referenced by rules in anchors from getting disabled. (mikeb, 2015-01-20; 1 file, -1/+2)
  Analysis and patch by Richard Kojedzinszky, thanks!

  ok henning
* unifdef INET in net code as a precursor to removing the pretend option. (tedu, 2014-12-19; 1 file, -11/+1)
  long live the one true internet.

  ok henning mikeb
* remove unneeded route.h includes (jsg, 2014-09-08; 1 file, -2/+1)
  ok miod@ mpi@
* add a size argument to free. will be used soon, but for now default to 0. (tedu, 2014-07-12; 1 file, -3/+3)
  after discussions with beck deraadt kettenis.
* Collect and display 'match' counters for pf tables. (blambert, 2013-07-05; 1 file, -10/+27)
  While here, fix pf table displays to fit within 80 chars.

  Manpage input jmc@

  ok henning@ reyk@
* Re-commit: use time_t for storing time_t values. This is an ABI change for pf, but that's fine at this time. (guenther, 2013-07-04; 1 file, -21/+22)
  You'll need to rebuild pf userland after updating your kernel.

  change to 'since' member ok henning@
  rest ok henning@ deraadt@
* Revert previous: sizeof(time_t) != sizeof(long) on LP64, so there was an ABI change involved. (guenther, 2013-07-02; 1 file, -22/+21)
* Use time_t for storing time_t values. No change to the underlying type**, so no ABI change. (guenther, 2013-07-02; 1 file, -21/+22)
  ok henning@ deraadt@

  ** ...yet
* DIOCRCLRASTATS ioctl wasn't specifying a timestamp when cleared table statistics so it appeared later on as the Epoch. (mikeb, 2013-02-18; 1 file, -2/+2)
  Noticed by [the] Shining on bugs@. Thanks!

  ok sthen, waver from deraadt
* Unbreak the negation toggle code when re-loading pf tables. (markus, 2013-01-16; 1 file, -2/+2)
  Otherwise negating existing entries on re-load does not work (e.g. changing 192.168.6.0/24 to !192.168.6.0/24 in table was ignored).

  ok mikeb@, henning@ mpf@, bluhm@,
* pass pf_pool directly to pfr_pool_get(); simplifies the API; (markus, 2012-12-29; 1 file, -26/+42)
  ok henning@, zinke@, mikeb@
* when table content changes we need to reset index to the initial value and do not use the counter; (mikeb, 2012-01-26; 1 file, -4/+4)
  reported by Sebastian Benoit and Daniel Krambrock, tested by Sebastian Benoit, ok henning zinke
* Add support for weighted round-robin in load balancing pools and tables. (mcbride, 2011-07-27; 1 file, -37/+126)
  Diff from zinke@ with some minor cleanup.

  ok henning claudio deraadt
* ensure that we won't enter an endless loop while iterating over an address pool. (mikeb, 2011-07-08; 1 file, -6/+12)
  problem found and solution tested by claudio.

  ok claudio, henning, "reads fine" to zinke
* bring in least-states load balancing algorithm (zinke, 2011-07-03; 1 file, -17/+128)
  ok mcbride@ henning@
* KNF (no change in .o files) (mcbride, 2011-06-14; 1 file, -5/+11)
* exclude link local address from the dynamic interface address pool (mikeb, 2011-05-17; 1 file, -3/+9)
  so that rules like "pass out on vr1 inet6 nat-to (vr1)" won't map to the non routable ipv6 link local address;

  with suggestions and ok claudio, henning
* throw some yields into the pf table code so it doesn't lock up the kernel. (tedu, 2010-11-20; 1 file, -2/+20)
  ok deraadt henning
* remove PFR_FLAG_ATOMIC. not used, and doesn't work as advertised. (tedu, 2010-10-23; 1 file, -92/+30)
  ok henning
* Convert printf()'s to DPFDEBUG() macro. (mcbride, 2010-09-30; 1 file, -17/+26)
  ok dlg
* No "\n" needed at the end of panic() strings. (krw, 2010-08-07; 1 file, -2/+2)
  Bogus chunks pointed out by matthew@ and miod@. No cookies for marco@ and jasper@.

  ok deraadt@ miod@ matthew@ jasper@ macro@