r332494 | 13-Apr-2018 | kp
MFC r332107:
pf: Improve ioctl validation for DIOCRGETTABLES, DIOCRGETTSTATS, DIOCRCLRTSTATS and DIOCRSETTFLAGS
These ioctls can process a number of items at a time, which puts us at risk of overflow in mallocarray() and of impossibly large allocations even if we don't overflow.
Limit the allocation to the required size (or the user allocation, if that's smaller). That does mean we need to do the allocation with the rules lock held (so the number doesn't change while we're doing this), so it can't M_WAITOK.

r331117 | 18-Mar-2018 | kp
MFC r329950:
pf: Cope with overly large net.pf.states_hashsize
If the user configures a states_hashsize or source_nodes_hashsize value we may not have enough memory to allocate this. This used to lock up pf, because these allocations used M_WAITOK.
Cope with this by attempting the allocation with M_NOWAIT and falling back to the default sizes (with M_WAITOK) if these fail.
PR: 209475
Submitted by: Fehmi Noyan Isi <fnoyanisi AT yahoo.com>

r304293 | 17-Aug-2016 | kp
MFC r289932, r289940:
PF_ANEQ() macro will in most situations return TRUE comparing two identical IPv4 packets (when it should return FALSE). It happens because PF_ANEQ() doesn't stop if the first 32 bits of IPv4 packets are equal and starts to check the next 3*32 bits (like for an IPv6 packet). Those bits contain some garbage and as a result PF_ANEQ() wrongly returns TRUE.
Fix: Check if packet is of AF_INET type and if it is then compare only first 32 bits of data.
PR: 204005
Submitted by: Miłosz Kaniewski

r289703 | 21-Oct-2015 | kp
MFC r289316:
pf: Fix TSO issues
In certain configurations (mostly but not exclusively as a VM on Xen) pf produced packets with an invalid TCP checksum.
The problem was that pf could only handle packets with a full checksum. The FreeBSD IP stack produces TCP packets with a pseudo-header checksum (only addresses, length and protocol). Certain network interfaces expect to see the pseudo-header checksum, so they end up producing packets with invalid checksums.
To fix this, stop calculating the full checksum and teach pf to only update TCP checksums if TSO is disabled or the change affects the pseudo-header checksum.
PR: 154428, 193579, 198868
Relnotes: yes
Sponsored by: RootBSD

r285940 | 28-Jul-2015 | glebius
Merge 280169: always lock the hash row of a source node when updating its 'states' counter.
PR: 182401

r284579 | 18-Jun-2015 | kp
Merge r278874, r278925, r278868
- Improve INET/INET6 scope.
- style(9) declarations.
- Make a couple of local functions static.
- Even more fixes to !INET and !INET6 kernels. In collaboration with pluknet.
- Toss declarations to fix regular build and NO_INET6 build.
Differential Revision: https://reviews.freebsd.org/D2823
Reviewed by: gnn

r284571 | 18-Jun-2015 | kp
Merge r278843, r278858
In the forwarding case refragment the reassembled packets with the same size as they arrived in. This allows the sender to determine the optimal fragment size by Path MTU Discovery.
Roughly based on the OpenBSD work by Alexander Bluhm.
Differential Revision: https://reviews.freebsd.org/D2816
Reviewed by: gnn

r284569 | 18-Jun-2015 | kp
Merge r278831, r278834
Update the pf fragment handling code to more closely match recent OpenBSD. That partially fixes IPv6 fragment handling.
Differential Revision: https://reviews.freebsd.org/D2814
Reviewed by: gnn

r282689 | 09-May-2015 | gnn
MFC: 281558
Minor change to the macros to make sure that if an AF is passed that is neither AF_INET6 nor AF_INET, we don't touch random bits of memory.

r273736 | 27-Oct-2014 | hselasky
MFC r263710, r273377, r273378, r273423 and r273455:
- De-vnet hash sizes and hash masks.
- Fix multiple issues related to arguments passed to SYSCTL macros.
Sponsored by: Mellanox Technologies

r270574 | 25-Aug-2014 | glebius
Merge r269998 from head:
- Count global pf(4) statistics in counter(9).
- Do not count global number of states and of src_nodes, use uma_zone_get_cur() to obtain values.
- Struct pf_status becomes merely an ioctl API structure, and moves to netpfil/pf/pf.h with its constants.
- V_pf_status is now of type struct pf_kstatus.
Submitted by: Kajetan Staszkiewicz <vegeta tuxpowered.net>
Sponsored by: InnoGames GmbH

r265008 | 27-Apr-2014 | mm
MFC r264689: De-virtualize UMA zone pf_mtag_z and move to global initialization part.
The m_tag struct does not know about vnet context and the pf_mtag_free() callback is called unaware of current vnet. This causes a panic.
PR: kern/182964

r263086 | 12-Mar-2014 | glebius
Bulk sync of pf changes from head, in an attempt to fix up the broken build I made in r263029.
Merge r257186, r257215, r257349, r259736, r261797.
These changesets split pfvar.h into several smaller headers and make userland utilities to include only some of them.

r263029 | 11-Mar-2014 | glebius
Merge r261882, r261898, r261937, r262760, r262799:
Once pf was no longer covered by a single mutex, many counters in it became race-prone. Some just gather statistics, but some are later used in different calculations.
A real problem was the race-provoked underflow of the states_cur counter on a rule. Once it goes below zero, it wraps to UINT32_MAX. Later this value is used in pf_state_expires() and any state created by this rule is immediately expired.
Thus, make fields states_cur, states_tot and src_nodes of struct pf_rule be counter(9)s.

r261019 | 22-Jan-2014 | glebius
Merge r258478, r258479, r258480, r259719: fixes related to mass source node removal.
PR: 176763

r261018 | 22-Jan-2014 | glebius
Merge several fixlets from head:
r257619: Remove unused PFTM_UNTIL_PACKET const.
r257620: Code logic of handling PFTM_PURGE into pf_find_state().
r258475: Don't compare unsigned <= 0.
r258477: Fix off by ones when scanning source nodes hash.