293894 |
14-Jan-2016 |
glebius |
o Fix invalid TCP checksums with pf(4). [EN-16:02.pf]
o Fix YP/NIS client library critical bug. [EN-16:03.yplib]
o Fix SCTP ICMPv6 error message vulnerability. [SA-16:01.sctp]
o Fix ntp panic threshold bypass vulnerability. [SA-16:02.ntp]
o Fix Linux compatibility layer incorrect futex handling. [SA-16:03.linux]
o Fix Linux compatibility layer setgroups(2) system call. [SA-16:04.linux]
o Fix TCP MD5 signature denial of service. [SA-16:05.tcp]
o Fix insecure default bsnmpd.conf permissions. [SA-16:06.bsnmpd]
Errata: FreeBSD-EN-16:02.pf
Errata: FreeBSD-EN-16:03.yplib
Security: FreeBSD-SA-16:01.sctp, CVE-2016-1879
Security: FreeBSD-SA-16:02.ntp, CVE-2015-5300
Security: FreeBSD-SA-16:03.linux, CVE-2016-1880
Security: FreeBSD-SA-16:04.linux, CVE-2016-1881
Security: FreeBSD-SA-16:05.tcp, CVE-2016-1882
Security: FreeBSD-SA-16:06.bsnmpd, CVE-2015-5677
Approved by: so
|
273196 |
16-Oct-2014 |
glebius |
Merge r273184, r273185 from stable/10:
- Use rn_detachhead() instead of direct free(9) for radix tables.
- Free radix mask entries on main radix destroy.
PR: 194078
Approved by: re (gjb)
|
272461 |
03-Oct-2014 |
gjb |
Copy stable/10@r272459 to releng/10.1 as part of the 10.1-RELEASE process.
Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation
|
271306 |
09-Sep-2014 |
glebius |
Merge r270928: explicitly free packet on PF_DROP, otherwise a "quick" rule with "route-to" may still forward it.
PR: 177808
Approved by: re (gjb)
|
270925 |
01-Sep-2014 |
glebius |
Fix ABI broken in r270576. This is a direct commit to stable/10.
Reported by: kib
|
270577 |
25-Aug-2014 |
glebius |
Merge r270023 from head: Do not lookup source node twice when pf_map_addr() is used.
PR: 184003
Submitted by: Kajetan Staszkiewicz <vegeta tuxpowered.net>
Sponsored by: InnoGames GmbH
|
270576 |
25-Aug-2014 |
glebius |
Merge r270022 from head: pf_map_addr() can fail and in this case we should drop the packet, otherwise bad consequences including a routing loop can occur.
Move pf_set_rt_ifp() earlier in state creation sequence and inline it, cutting some extra code.
PR: 183997
Submitted by: Kajetan Staszkiewicz <vegeta tuxpowered.net>
Sponsored by: InnoGames GmbH
|
270575 |
25-Aug-2014 |
glebius |
Merge 270010 from head: Fix synproxy with IPv6. pf_test6() was missing a check for M_SKIP_FIREWALL.
PR: 127920
Submitted by: Kajetan Staszkiewicz <vegeta tuxpowered.net>
Sponsored by: InnoGames GmbH
|
270574 |
25-Aug-2014 |
glebius |
Merge r269998 from head:
- Count global pf(4) statistics in counter(9).
- Do not count global number of states and of src_nodes, use uma_zone_get_cur() to obtain values.
- Struct pf_status becomes merely an ioctl API structure, and moves to netpfil/pf/pf.h with its constants.
- V_pf_status is now of type struct pf_kstatus.
Submitted by: Kajetan Staszkiewicz <vegeta tuxpowered.net>
Sponsored by: InnoGames GmbH
|
270328 |
22-Aug-2014 |
glebius |
Merge r268492: On machines with strict alignment copy pfsync_state_key from packet on stack to avoid unaligned access.
PR: 187381
|
266678 |
26-May-2014 |
ae |
MFC r266399: Since ipfw nat configures all options in one step, we should set all bits in the mask when calling LibAliasSetMode() to properly clear unneeded options.
PR: 189655
|
265700 |
08-May-2014 |
melifaro |
Merge r258708, r258711, r260247, r261117.
r258708: Check ipfw table numbers in both user and kernel space before rule addition.
Found by: Saychik Pavel <umka@localka.net>
r258711: Simplify O_NAT opcode handling.
r260247: Use rnh_matchaddr instead of rnh_lookup for longest-prefix match. rnh_lookup is effectively the same as rnh_matchaddr if called with an empty network mask.
r261117: Reorder struct ip_fw_chain:
* move rarely-used fields down
* move uh_lock to a different cacheline
* remove some unused fields
|
265227 |
02-May-2014 |
trociny |
MFC r264963:
Define startup order the same way as it is in dummynet.
|
265008 |
27-Apr-2014 |
mm |
MFC r264689: De-virtualize UMA zone pf_mtag_z and move to global initialization part.
The m_tag struct does not know about vnet context and the pf_mtag_free() callback is called unaware of current vnet. This causes a panic.
PR: kern/182964
|
264813 |
23-Apr-2014 |
ae |
MFC r264540: Set oif only for outgoing packets.
PR: 188543
|
264804 |
23-Apr-2014 |
brueffer |
MFC: r264421
Free resources in error cases; re-indent a curly brace while here.
CID: 1199366
Found with: Coverity Prevent(tm)
|
264454 |
14-Apr-2014 |
mm |
MFC r264220: Execute pf_overload_task() in vnet context. Fixes a vnet kernel panic.
Reviewed by: trociny
|
263680 |
24-Mar-2014 |
glebius |
Merge r263497: fix ipfw + VIMAGE sysctls.
PR: kern/187665
|
263478 |
21-Mar-2014 |
glebius |
Merge r262763, r262767, r262771, r262806 from head:
- Remove rt_metrics_lite and simply put its members into rtentry.
- Use counter(9) for rt_pksent (former rt_rmx.rmx_pksent). This removes another cache trashing ++ from packet forwarding path.
- Create zini/fini methods for the rtentry UMA zone. Via initialize mutex and counter in them.
- Fix reporting of rmx_pksent to routing socket.
- Fix netstat(1) to report "Use" both in kvm(3) and sysctl(3) mode.
|
263086 |
12-Mar-2014 |
glebius |
Bulk sync of pf changes from head, in an attempt to fix up the broken build I made in r263029.
Merge r257186,257215,257349,259736,261797.
These changesets split pfvar.h into several smaller headers and make userland utilities include only some of them.
|
263029 |
11-Mar-2014 |
glebius |
Merge r261882, r261898, r261937, r262760, r262799: Once pf was no longer covered by a single mutex, many counters in it became race prone. Some just gather statistics, but some are later used in different calculations.
A real problem was the race-provoked underflow of the states_cur counter on a rule. Once it goes below zero, it wraps to UINT32_MAX. Later this value is used in pf_state_expires() and any state created by this rule is immediately expired.
Thus, make fields states_cur, states_tot and src_nodes of struct pf_rule be counter(9)s.
|
263027 |
11-Mar-2014 |
glebius |
Merge r261029: remove NULL pointer dereference.
|
263026 |
11-Mar-2014 |
glebius |
Merge r261028: fix resource leak and simplify code for DIOCCHANGEADDR.
|
262210 |
19-Feb-2014 |
dim |
MFC r261915:
Under sys/netpfil/ipfw, surround two IPv6-specific static functions with #ifdef INET6, since they are unused when INET6 is disabled.
|
261023 |
22-Jan-2014 |
glebius |
Merge r260377: fix panic on pf_get_translation() failure.
PR: 182557
|
261019 |
22-Jan-2014 |
glebius |
Merge r258478, r258479, r258480, r259719: fixes related to mass source nodes removal.
PR: 176763
|
261018 |
22-Jan-2014 |
glebius |
Merge several fixlets from head:
r257619: Remove unused PFTM_UNTIL_PACKET const.
r257620: Code logic of handling PFTM_PURGE into pf_find_state().
r258475: Don't compare unsigned <= 0.
r258477: Fix off by ones when scanning source nodes hash.
|
258912 |
04-Dec-2013 |
rodrigc |
MFC r258588
In sys/netpfil/ipfw/ip_fw_nat.c:vnet_ipfw_nat_uninit() we call "IPFW_WLOCK(chain);". This lock gets deleted in sys/netpfil/ipfw/ip_fw2.c:vnet_ipfw_uninit().
Therefore, vnet_ipfw_nat_uninit() *must* be called before vnet_ipfw_uninit(), but this doesn't always happen, because the VNET_SYSINIT order is the same for both functions. In sys/net/netpfil/ipfw/ip_fw2.c and sys/net/netpfil/ipfw/ip_fw_nat.c, IPFW_SI_SUB_FIREWALL == IPFW_NAT_SI_SUB_FIREWALL == SI_SUB_PROTO_IFATTACHDOMAIN and IPFW_MODULE_ORDER == IPFW_NAT_MODULE_ORDER
Consequently, if VIMAGE is enabled, and jails are created and destroyed, the system sometimes crashes, because we are trying to use a deleted lock.
To reproduce the problem: (1) Take a GENERIC kernel config, and add options for: VIMAGE, WITNESS, INVARIANTS. (2) Run this command in a loop: jail -l -u root -c path=/ name=foo persist vnet && jexec foo ifconfig lo0 127.0.0.1/8 && jail -r foo
(see http://lists.freebsd.org/pipermail/freebsd-current/2010-November/021280.html )
Fix the problem by increasing the value of IPFW_NAT_SI_SUB_FIREWALL, so that vnet_ipfw_nat_uninit() runs after vnet_ipfw_uninit().
Approved by: re (gjb)
|
256281 |
10-Oct-2013 |
gjb |
Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.
Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation
|
255928 |
28-Sep-2013 |
philip |
Use the correct EtherType for logging IPv6 packets.
Reviewed by: melifaro
Approved by: re (kib, glebius)
MFC after: 3 days
|
255143 |
02-Sep-2013 |
glebius |
Merge 1.12 of pf_lb.c from OpenBSD, with some changes. Original commit:
date: 2010/02/04 14:10:12; author: sthen; state: Exp; lines: +24 -19; pf_get_sport() picks a random port from the port range specified in a nat rule. It should check to see if it's in-use (i.e. matches an existing PF state), if it is, it cycles sequentially through other ports until it finds a free one. However the check was being done with the state keys the wrong way round so it was never actually finding the state to be in-use.
- switch the keys to correct this, avoiding random state collisions with nat. Fixes PR 6300 and problems reported by robert@ and viq.
- check pf_get_sport() return code in pf_test(); if port allocation fails the packet should be dropped rather than sent out untranslated.
Help/ok claudio@.
Some additional changes to 1.12:
- We also need to bzero() the key to zero padding, otherwise key won't match.
- Collapse two if blocks into one with ||, since both conditions lead to the same processing.
- Only naddr changes in the cycle, so move initialization of other fields above the cycle.
- s/u_intXX_t/uintXX_t/g
PR: kern/181690
Submitted by: Olivier Cochard-Labbé <olivier cochard.me>
Sponsored by: Nginx, Inc.
|
254781 |
24-Aug-2013 |
mav |
Make dummynet use the new direct callout(9) execution mechanism. Since the only thing done by the dummynet handler is a taskqueue_enqueue() call, it doesn't need an extra switch to the clock SWI context.
On an idle system this change reduces the number of active CPU cycles by half and wakes up only one CPU from sleep instead of two.
I was going to make this change much earlier as part of the calloutng project, but waited for a better solution with skipping idle ticks to be implemented. Unfortunately, with the 10.0 release coming, it is better to get at least this.
|
254776 |
24-Aug-2013 |
trociny |
Make ipfw nat init/uninit work correctly for VIMAGE:
* Do per vnet instance cleanup (previously it was only for vnet0 on module unload, and led to libalias leaks and possible panics due to stale pointer dereferences).
* Instead of protecting ipfw hooks registering/deregistering by only vnet0 lock (which does not prevent pointers access from another vnets), introduce per vnet ipfw_nat_loaded variable. The variable is set after hooks are registered and unset before they are deregistered.
* Devirtualize ifaddr_event_tag as we run only one event handler for all vnets.
* It is supposed that ifaddr_change event handler is called in the interface vnet context, so add an assertion.
Reviewed by: zec
MFC after: 2 weeks
|
254523 |
19-Aug-2013 |
andre |
Add m_clrprotoflags() to clear protocol specific mbuf flags at upward and downward layer crossings.
Consistently use it within IP, IPv6 and ethernet protocols.
Discussed with: trociny, glebius
|
253769 |
29-Jul-2013 |
ae |
Fix a possible NULL-pointer dereference on the pfsync(4) reconfiguration.
Reported by: Eugene M. Zheganin
|
251681 |
13-Jun-2013 |
glebius |
Improve locking strategy between keys hash and ID hash.
Before this change state creating sequence was:
1) lock wire key hash
2) link state's wire key
3) unlock wire key hash
4) lock stack key hash
5) link state's stack key
6) unlock stack key hash
7) lock ID hash
8) link into ID hash
9) unlock ID hash
What could happen here is that other thread finds the state via key hash lookup after 6), locks ID hash and does some processing of the state. When the thread creating state unblocks, it finds the state it was inserting already non-virgin.
Now we perform proper interlocking between key hash locks and ID hash lock:
1) lock wire & stack hashes
2) link state's keys
3) lock ID hash
4) unlock wire & stack hashes
5) link into ID hash
6) unlock ID hash
To achieve that, the following hacking was performed in pf_state_key_attach():
- Key hash mutex is marked with MTX_DUPOK.
- To avoid deadlock on 2 key hash mutexes, we lock them in order determined by their address value.
- pf_state_key_attach() had a magic to reuse a > FIN_WAIT_2 state. It unlinked the conflicting state synchronously. In theory this could require locking a third key hash, which we can't do now. Now we do not remove the state immediately, instead we leave this task to the purge thread. To avoid conflicts in a short period before state is purged, we push to the very end of the TAILQ.
- On success, before dropping key hash locks, pf_state_key_attach() locks ID hash and returns.
Tested by: Ian FREISLICH <ianf clue.co.za>
|
250522 |
11-May-2013 |
glebius |
Return meaningful error code from pf_state_key_attach() and pf_state_insert().
|
250521 |
11-May-2013 |
glebius |
Better debug message.
|
250519 |
11-May-2013 |
glebius |
Fix DIOCADDSTATE operation.
|
250518 |
11-May-2013 |
glebius |
Invalid creatorid is always EINVAL, not only when we are in verbose mode.
|
250313 |
06-May-2013 |
glebius |
Improve KASSERT() message.
|
250312 |
06-May-2013 |
glebius |
Simplify printf().
|
250246 |
04-May-2013 |
melifaro |
Use unified method for accessing / updating cached rule pointers.
MFC after: 2 weeks
|
250131 |
01-May-2013 |
eadler |
Correct a few sizeof()s
Submitted by: swildner@DragonFlyBSD.org
Reviewed by: alfred
|
250039 |
29-Apr-2013 |
glebius |
Remove useless ifdef KLD_MODULE from dummynet module unload path. This fixes panic on unload.
Reported by: pho
|
249925 |
26-Apr-2013 |
glebius |
Add const qualifier to the dst parameter of the ifnet if_output method.
|
248971 |
01-Apr-2013 |
melifaro |
Fix ipfw rule validation partially broken by r248552.
Pointed by: avg
MFC with: r248552
|
248697 |
25-Mar-2013 |
ae |
When we are removing a specific set, call ipfw_expire_dyn_rules only once.
Obtained from: Yandex LLC
MFC after: 1 week
|
248552 |
20-Mar-2013 |
melifaro |
Add ipfw support for setting/matching DiffServ codepoints (DSCP).
Setting DSCP support is done via O_SETDSCP which works for both IPv4 and IPv6 packets. Fast checksum recalculation (RFC 1624) is done for IPv4. DSCP can be specified by name (AFXY, CSX, BE, EF), by value (0..63) or via tablearg.
Matching DSCP is done via another opcode (O_DSCP) which accepts several classes at once (af11,af22,be). Classes are stored in bitmask (2 u32 words).
Many people made their variants of this patch, the ones I'm aware of are (in alphabetic order):
Dmitrii Tejblum
Marcelo Araujo
Roman Bogorodskiy (novel)
Sergey Matveichuk (sem)
Sergey Ryabin
PR: kern/102471, kern/121122
MFC after: 2 weeks
|
248491 |
19-Mar-2013 |
ae |
Separate the locking macros that are used in the packet flow path from others. This makes it easy to switch to using the pfil(4) lock.
|
248324 |
15-Mar-2013 |
glebius |
Use m_get/m_gethdr instead of compat macros.
Sponsored by: Nginx, Inc.
|
248207 |
12-Mar-2013 |
glebius |
Functions m_getm2() and m_get2() have different order of arguments, and that can drive someone crazy. While m_get2() is young and not documented yet, change its order of arguments to match m_getm2().
Sorry for churn, but better now than later.
|
247626 |
02-Mar-2013 |
melifaro |
Fix callout expiring dynamic rules.
PR: kern/175530
Submitted by: Vladimir Spiridenkov <vs@gtn.ru>
MFC after: 2 weeks
|
246822 |
15-Feb-2013 |
glebius |
Finish r244185. This fixes the ever growing counter of pfsync bad length packets, which was actually harmless.
Note that peers with different version of head/ may grow this counter, but it is harmless - all pfsync data is processed.
Reported & tested by: Anton Yuzhaninov <citrin citrin.ru>
Sponsored by: Nginx, Inc
|
244769 |
28-Dec-2012 |
glebius |
In netpfil/pf:
- Add my copyright to files I've touched a lot this year.
- Add dash in front of all copyright notices according to style(9).
- Move $OpenBSD$ down below copyright notices.
- Remove extra line between cdefs.h and __FBSDID.
|
244634 |
23-Dec-2012 |
melifaro |
Add parentheses to IP_FW_ARG_TABLEARG() definition.
Suggested by: glebius
MFC with: r244633
|
244633 |
23-Dec-2012 |
melifaro |
Use unified IP_FW_ARG_TABLEARG() macro for most tablearg checks. Log real value instead of IP_FW_TABLEARG (65535) in ipfw_log().
Noticed by: Vitaliy Tokarenko <rphone@ukr.net>
MFC after: 2 weeks
|
244347 |
17-Dec-2012 |
pjd |
Warn about reaching various PF limits.
Reviewed by: glebius
Obtained from: WHEEL Systems
|
244268 |
15-Dec-2012 |
trociny |
In pfioctl, if the permission checks failed we returned with vnet context set.
As the checks don't require vnet context, this is fixed by setting vnet after the checks.
PR: kern/160541
Submitted by: Nikos Vassiliadis (slightly different approach)
|
244210 |
14-Dec-2012 |
glebius |
Fix error in r235991. No-sleep version of IFNET_RLOCK() should be used here, since we may hold the main pf rulesets rwlock.
Reported by: Fleuriot Damien <ml my.gd>
|
244202 |
14-Dec-2012 |
glebius |
Fix VIMAGE build broken in r244185.
Submitted by: Nikolai Lifanov <lifanov mail.lifanov.com>
|
244185 |
13-Dec-2012 |
glebius |
Merge rev. 1.119 from OpenBSD:
date: 2009/03/31 01:21:29; author: dlg; state: Exp; lines: +9 -16 ...
this also firms up some of the input parsing so it handles short frames a bit better.
This actually fixes reading beyond the mbuf data area in pfsync_input(), which may happen with certain pfsync datagrams.
|
244184 |
13-Dec-2012 |
glebius |
Initialize state id prior to attaching state to key hash. Otherwise a race can happen, when pf_find_state() finds state via key hash, and locks id hash slot 0 instead of appropriate to state id slot.
|
244113 |
11-Dec-2012 |
glebius |
Merge 1.127 from OpenBSD, that closes a regression from 1.125 (merged as r242694): do better detection of when we have a better version of the tcp sequence windows than our peer.
this resolves the last of the pfsync traffic storm issues I've been able to produce, and therefore makes it possible to do usable active-active stateful firewalls with pf.
|
243944 |
06-Dec-2012 |
glebius |
Rule memory garbage collecting in new pf scans only states that are on id hash. If a state has been disconnected from id hash, its rule pointers can no longer be dereferenced, and referenced memory can't be modified. Thus, move rule statistics from pf_free_rule() to pf_unlink_rule() and update them prior to releasing id hash slot lock.
Reported by: Ian FREISLICH <ianf cloudseed.co.za>
|
243941 |
06-Dec-2012 |
glebius |
Close possible races between state deletion and state being sent out from pfsync:
- Call into pfsync_delete_state() holding the state lock.
- Set the state timeout to PFTM_UNLINKED after state has been moved to the PFSYNC_S_DEL queue in pfsync.
Reported by: Ian FREISLICH <ianf cloudseed.co.za>
|
243940 |
06-Dec-2012 |
glebius |
Remove extra PFSYNC_LOCK() in pfsync_bulk_update() which led to lock recursion.
Reported by: Ian FREISLICH <ianf cloudseed.co.za>
|
243939 |
06-Dec-2012 |
glebius |
Revert erroneous r242693. A state may have PFTM_UNLINKED being on the PFSYNC_S_DEL queue of pfsync.
|
243882 |
05-Dec-2012 |
glebius |
Mechanically substitute flags from historic mbuf allocator with malloc(9) flags within sys.
Exceptions:
- sys/contrib not touched
- sys/mbuf.h edited manually
|
243711 |
30-Nov-2012 |
melifaro |
Use common macros for working with rule/dynamic counters. This is done as preparation to introduce per-cpu ipfw counters.
MFC after: 3 weeks
|
243707 |
30-Nov-2012 |
melifaro |
Make ipfw dynamic states operations SMP-ready.
* Global IPFW_DYN_LOCK() is changed to per-bucket mutex.
* State expiration is done in ipfw_tick every second.
* No expiration is done on forwarding path.
* hash table resize is done automatically and does not flush all states.
* Dynamic UMA zone is now allocated per each VNET
* State limiting is now done via UMA(9) api.
Discussed with: ipfw
MFC after: 3 weeks
Sponsored by: Yandex LLC
|
242834 |
09-Nov-2012 |
melifaro |
Simplify sending keepalives. Prepare ipfw_tick() to be used by other consumers.
Reviewed by: ae (basically)
MFC after: 2 weeks
|
242694 |
07-Nov-2012 |
glebius |
Merge rev. 1.125 from OpenBSD: date: 2009/06/12 02:03:51; author: dlg; state: Exp; lines: +59 -69 rewrite the way states from pfsync are merged into the local state tree and the conditions on which pfsync will notify its peers on a stale update.
each side (ie, the sending and receiving side) of the state update is compared separately. any side that is further along than the local state tree is merged. if any side is further along in the local state table, an update is sent out telling the peers about it.
|
242693 |
07-Nov-2012 |
glebius |
It may happen that pfsync holds the last reference on a state. In this case keys had already been freed. If encountering such state, then just release last reference.
Not sure this can happen as a runtime race, but can be reproduced by the following scenario:
- enable pfsync
- disable pfsync
- wait some time
- enable pfsync
|
242632 |
05-Nov-2012 |
melifaro |
Add assertion to enforce 'nat global' locking requirements changed by r241908.
Suggested by: adrian, glebius
MFC after: 3 days
|
242631 |
05-Nov-2012 |
melifaro |
Use unified print_dyn_rule_flags() function for debugging messages instead of hand-made printfs in every place.
MFC after: 1 week
|
242463 |
02-Nov-2012 |
ae |
Remove the recently added sysctl variable net.pfil.forward. Instead, add protocol specific mbuf flags M_IP_NEXTHOP and M_IP6_NEXTHOP. Use them to indicate that the mbuf's chain contains the PACKET_TAG_IPFORWARD tag. And do a tag lookup only when this flag is set.
Suggested by: andre
|
242161 |
26-Oct-2012 |
glebius |
o Remove last argument to ip_fragment(), and obtain all needed information on checksums directly from mbuf flags. This simplifies code.
o Clear CSUM_IP from the mbuf in ip_fragment() if we did checksums in hardware. Some drivers may not announce CSUM_IP in their if_hwassist, although they try to do checksums if CSUM_IP is set on the mbuf. Example is em(4).
o While here, consistently use CSUM_IP instead of its alias CSUM_DELAY_IP. After this change CSUM_DELAY_IP vanishes from the stack.
Submitted by: Sebastian Kuzminsky <seb lineratesystems.com>
|
242079 |
25-Oct-2012 |
ae |
Remove the IPFIREWALL_FORWARD kernel option and make it possible to turn on the related functionality at runtime via the sysctl variable net.pfil.forward. It is turned off by default.
Sponsored by: Yandex LLC
Discussed with: net@
MFC after: 2 weeks
|
241913 |
22-Oct-2012 |
glebius |
Switch the entire IPv4 stack to keep the IP packet header in network byte order. Any host byte order processing is done in local variables and host byte order values are never[1] written to a packet.
After this change a packet processed by the stack isn't modified at all[2] except for TTL.
After this change a network stack hacker doesn't need to scratch his head trying to figure out what is the byte order at the given place in the stack.
[1] One exception still remains. The raw sockets convert to host byte order before passing a packet to an application. Probably this would remain for ages for compatibility.
[2] The ip_input() still subtracts header len from ip->ip_len, but this is planned to be fixed soon.
Reviewed by: luigi, Maxim Dounin <mdounin mdounin.ru>
Tested by: ray, Olivier Cochard-Labbe <olivier cochard.me>
|
241908 |
22-Oct-2012 |
melifaro |
Remove unnecessary chain read lock in ipfw nat 'global' code. Document case when ipfw chain lock must be held while calling ipfw_nat().
MFC after: 2 weeks
|
241610 |
16-Oct-2012 |
glebius |
Make the "struct if_clone" opaque to users of the cloning API. Users now use function calls:
if_clone_simple() if_clone_advanced()
to initialize a cloner, instead of macros that initialize if_clone structure.
Discussed with: brooks, bz, 1 year ago
|
241394 |
10-Oct-2012 |
kevlo |
Revert previous commit...
Pointyhat to: kevlo (myself)
|
241370 |
09-Oct-2012 |
kevlo |
Prefer NULL over 0 for pointers
|
241369 |
09-Oct-2012 |
kevlo |
Fix typo: s/unknow/unknown
|
241360 |
08-Oct-2012 |
glebius |
Any pfil(9) hooks should be called with already set VNET context.
Reviewed by: bz
|
241359 |
08-Oct-2012 |
glebius |
Catch up with r241245 and do not return packet back in host byte order.
|
241344 |
08-Oct-2012 |
glebius |
After r241245 it appeared that in_delayed_cksum(), which still expects host byte order, was sometimes called with net byte order. Since we are moving towards net byte order throughout the stack, the function was converted to expect net byte order, and its consumers fixed appropriately:
- ip_output(), ipfilter(4) not changed, since already call in_delayed_cksum() with header in net byte order.
- divert(4), ng_nat(4), ipfw_nat(4) now don't need to swap byte order there and back.
- mrouting code and IPv6 ipsec now need to switch byte order there and back, but I hope, this is temporary solution.
- In ipsec(4) shifted switch to net byte order prior to in_delayed_cksum().
- pf_route() catches up on r241245 changes to ip_output().
|
241245 |
06-Oct-2012 |
glebius |
A step in resolving mess with byte ordering for AF_INET. After this change:
- All packets in NETISR_IP queue are in net byte order.
- ip_input() is entered in net byte order and converts packet to host byte order right _after_ processing pfil(9) hooks.
- ip_output() is entered in host byte order and converts packet to net byte order right _before_ processing pfil(9) hooks.
- ip_fragment() accepts and emits packet in net byte order.
- ip_forward(), ip_mloopback() use host byte order (untouched actually).
- ip_fastforward() no longer modifies packet at all (except ip_ttl).
- Swapping of byte order there and back removed from the following modules: pf(4), ipfw(4), enc(4), if_bridge(4).
- Swapping of byte order added to ipfilter(4), based on __FreeBSD_version
- __FreeBSD_version bumped.
- pfil(9) manual page updated.
Reviewed by: ray, luigi, eri, melifaro
Tested by: glebius (LE), ray (BE)
|
241244 |
06-Oct-2012 |
glebius |
The pfil(9) layer guarantees us presence of the protocol header, so remove extra check, that is always false.
P.S. Also, the goto there led to unlocking a rwlock that was not locked.
|
241131 |
02-Oct-2012 |
glebius |
To reduce volume of pfsync traffic:
- Scan request update queue to prevent doubles.
- Do not push undersized datagram in pfsync_update_request().
|
241057 |
29-Sep-2012 |
glebius |
Clear and re-setup all function pointers that glue pf(4) and pfsync(4) together whenever the pfsync0 is brought down or up respectively.
|
241056 |
29-Sep-2012 |
glebius |
Simplify send out queue code:
- Write method of a queue is now void; the length of an item is taken as a queue property.
- Write methods don't need to know about the mbuf, supply just buf to them.
- No need for safe queue iterator in pfsync_sendout().
Obtained from: OpenBSD
|
241039 |
28-Sep-2012 |
glebius |
Simplify and somewhat redesign interaction between pf_purge_thread() and pf_purge_expired_states().
Now pf purging daemon stores the current hash table index on stack in pf_purge_thread(), and supplies it to next iteration of pf_purge_expired_states(). The latter returns new index back.
The important change is that whenever pf_purge_expired_states() wraps around the array it returns immediately. This makes our knowledge about status of states expiry run more consistent. Prior to this change it could happen that n-th run stopped on i-th entry, and returned (1) as full run complete, then next (n+1) full run stopped on j-th entry, where j < i, and that broke the mark-and-sweep algorithm that saves referenced rules. A referenced rule was freed, and this later led to a crash.
|
240836 |
22-Sep-2012 |
glebius |
EBUSY is a better reply for refusing to unload pf(4) or pfsync(4).
Submitted by: pluknet
|
240811 |
22-Sep-2012 |
glebius |
When connection rate hits and we overload a source to a table, we are actually editing table, which means editing rules, thus we need writer access to 'em.
Fix this by offloading the update of the table to the same taskqueue we already use for flushing. Since the taskqueue's major task is now overloading, and flushing is optional, do a mechanical rename s/flush/overload/ in the code related to the taskqueue.
Since overloading tasks do unsafe referencing of rules, provide a bandaid in pf_purge_unlinked_rules(). If the latter sees any queued tasks, then it skips purging for this run.
In table code:
- Assert any lock in pfr_lookup_addr().
- Assert writer lock in pfr_route_kentry().
|
240810 |
22-Sep-2012 |
glebius |
In pfr_insert_kentry() return ENOMEM if memory allocation failed.
|
240809 |
22-Sep-2012 |
glebius |
Fix fallout from r236397 in pfr_update_stats(), that was missed later in r237155. We need to zero sockaddr before lookup. While here, make pfr_update_stats() panic on unknown af.
|
240737 |
20-Sep-2012 |
glebius |
Reduce copy/paste when freeing a source node.
|
240736 |
20-Sep-2012 |
glebius |
Utilize Jenkins hash with random seed for source nodes storage.
|
240642 |
18-Sep-2012 |
glebius |
Provide kernel compile time option to make pf(4) default rule to drop.
This is important to secure a small timeframe at boot time, when network is already configured, but pf(4) is not yet.
PR: kern/171622
Submitted by: Olivier Cochard-Labbé <olivier cochard.me>
|
240641 |
18-Sep-2012 |
glebius |
Make ruleset anchors in pf(4) reentrant. We've got two problems here:
1) Ruleset parser uses a global variable for anchor stack.
2) When processing a wildcard anchor, matching anchors are marked.
To fix the first one:
o Allocate anchor processing stack on stack. To make this allocation as small as possible, the following measures were taken:
- Maximum stack size reduced from 64 to 32.
- The struct pf_anchor_stackframe trimmed by one pointer - parent. We can always obtain the parent via the rule pointer.
- When pf_test_rule() calls pf_get_translation(), the former lends its stack to the latter, to avoid recursively allocating 32 entries.
The second one appeared more tricky. The code that marks anchors was added in OpenBSD rev. 1.516 of pf.c. According to the commit log, the idea is to enable the "quick" keyword on an anchor rule. The feature isn't documented anywhere. The most obscure part of 1.516 was that the code examines the "match" mark on a just processed child, which couldn't be put there by the current frame. Since this wasn't documented even in the commit message and the functionality of this is not clear to me, I decided to drop this examination for now. The rest of 1.516 is redone in a thread safe manner - the mark isn't put on the anchor itself, but on the current stack frame. To avoid growing the stack frame, we utilize the LSB of the rule pointer, relying on kernel malloc(9) returning pointer aligned addresses.
Discussed with: dhartmei
|
240638 |
18-Sep-2012 |
glebius |
Fix DIOCNATLOOK: zero key padding before performing lookup.
|
240494 |
14-Sep-2012 |
glebius |
o Create directory sys/netpfil, where all packet filters should reside, and move there ipfw(4) and pf(4).
o Move most modified parts of pf out of contrib.
Actual movements:
sys/contrib/pf/net/*.c -> sys/netpfil/pf/
sys/contrib/pf/net/*.h -> sys/net/
contrib/pf/pfctl/*.c -> sbin/pfctl
contrib/pf/pfctl/*.h -> sbin/pfctl
contrib/pf/pfctl/pfctl.8 -> sbin/pfctl
contrib/pf/pfctl/*.4 -> share/man/man4
contrib/pf/pfctl/*.5 -> share/man/man5
sys/netinet/ipfw -> sys/netpfil/ipfw
The arguable movement is pf/net/*.h -> sys/net. There are future plans to refactor pf includes, so I decided not to break things twice.
Not modified bits of pf left in contrib: authpf, ftp-proxy, tftp-proxy, pflogd.
The ipfw(4) movement is planned to be merged to stable/9, to make head and stable match.
Discussed with: bz, luigi
|