ffeab76b | 26-Jan-2024 | Kristof Provost <kp@FreeBSD.org>

pfil: PFIL_PASS never frees the mbuf

pfil hooks (i.e. firewalls) may pass, modify or free the mbuf passed to them (e.g. when rejecting a packet, or when gathering up packets for reassembly). If the hook returns PFIL_PASS the mbuf must still be present. Assert this in pfil_mem_common() and ensure that ipfilter follows this convention. pf and ipfw already did.

Similarly, if the hook returns PFIL_DROPPED or PFIL_CONSUMED the mbuf must have been freed (or now be owned by the firewall for further processing, like packet scheduling or reassembly).

This allows us to remove a few extraneous NULL checks.

Suggested by: tuexen
Reviewed by: tuexen, zlei
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D43617

a8b70cf2 | 24-Dec-2023 | Richard Scheffenegger <rscheff@FreeBSD.org>

netpfil: Use accessor functions and named constants for all tcphdr flags

Update all remaining references to the struct tcphdr th_x2 field. This completes the compatibility of various aspects with AccECN (TH_AE), after the internal ipfw "re-checksum required" was moved to use the TH_RES1 flag.

No functional change.

Reviewed By: tuexen, #transport, glebius
Sponsored by: NetApp, Inc.
Differential Revision: https://reviews.freebsd.org/D43172

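As an added illustration of the AccECN point in this commit, and not FreeBSD code: a stand-in TCP header type in which the AE bit occupies the former th_x2 reserved bits, with 12-bit tcp_get_flags()/tcp_set_flags() accessors beside a legacy check that reads only the th_flags byte. The struct layout, the constant values, the two wire helpers and is_plain_syn_legacy()/is_plain_syn() are this example's own assumptions modelled on the commit's description, defined in the file so it builds with a plain C compiler.

```c
/* Added example, not FreeBSD code: a stand-in TCP header showing why code that
 * reads the 8-bit th_flags byte misses AccECN's AE bit, and how 12-bit
 * accessors avoid touching th_x2 directly.  Layout and values are assumptions. */
#include <stdint.h>
#include <stdio.h>

/* Flag bits as a 12-bit value (wire bits 4..15 of the offset/flags word). */
#define TH_FIN	0x001
#define TH_SYN	0x002
#define TH_RST	0x004
#define TH_PSH	0x008
#define TH_ACK	0x010
#define TH_URG	0x020
#define TH_ECE	0x040
#define TH_CWR	0x080
#define TH_AE	0x100	/* AccECN: sits in the formerly reserved th_x2 bits */
#define TH_RES1	0x200	/* reserved on the wire; ipfw reuses it internally */

/* Only the offset/flags part of the header is modelled (assumption). */
struct tcphdr {
	uint8_t	th_off;		/* data offset, 32-bit words */
	uint8_t	th_x2;		/* 4 bits: reserved(3) + AE, AE is bit 0 */
	uint8_t	th_flags;	/* CWR .. FIN */
};

static inline uint16_t
tcp_get_flags(const struct tcphdr *th)
{
	return (((uint16_t)(th->th_x2 & 0x0f) << 8) | th->th_flags);
}

static inline void
tcp_set_flags(struct tcphdr *th, uint16_t flags)
{
	th->th_x2 = (flags >> 8) & 0x0f;	/* th_off is left alone */
	th->th_flags = flags & 0xff;
}

/* Wire bytes 12 and 13 of a TCP header <-> stand-in struct. */
static void
tcp_from_wire(const uint8_t w[2], struct tcphdr *th)
{
	th->th_off = w[0] >> 4;
	th->th_x2 = w[0] & 0x0f;
	th->th_flags = w[1];
}

static void
tcp_to_wire(const struct tcphdr *th, uint8_t w[2])
{
	w[0] = (th->th_off << 4) | (th->th_x2 & 0x0f);
	w[1] = th->th_flags;
}

/* Pre-accessor style: compares the flags byte only, so AE is invisible. */
static int
is_plain_syn_legacy(const struct tcphdr *th)
{
	return (th->th_flags == TH_SYN);
}

/* Accessor style: an AccECN SYN (AE|SYN) is not mistaken for a plain SYN. */
static int
is_plain_syn(const struct tcphdr *th)
{
	return (tcp_get_flags(th) == TH_SYN);
}

int
main(void)
{
	/* Constructed bytes: data offset 5, AE set, SYN set. */
	const uint8_t accecn_syn[2] = { 0x51, 0x02 };
	struct tcphdr th;
	uint8_t out[2];

	tcp_from_wire(accecn_syn, &th);
	printf("flags=0x%03x legacy_plain_syn=%d plain_syn=%d\n",
	    tcp_get_flags(&th), is_plain_syn_legacy(&th), is_plain_syn(&th));

	tcp_set_flags(&th, TH_AE | TH_ECE | TH_ACK);	/* AccECN-style reply */
	tcp_to_wire(&th, out);
	printf("out=%02x %02x (offset preserved)\n", out[0], out[1]);
	return (0);
}
```

The legacy check shows the bug class the commit closes: a comparison against th_flags alone cannot see TH_AE (0x100 does not fit in the byte), so an AccECN SYN looks like a plain SYN, while the accessor-based check sees all twelve bits and tcp_set_flags() rewrites them without disturbing th_off.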
29363fb4 | 23-Nov-2023 | Warner Losh <imp@FreeBSD.org>

sys: Remove ancient SCCS tags.

Remove ancient SCCS tags from the tree, automated scripting, with two minor fixups to keep things compiling. All the common forms in the tree were removed with a perl script.

Sponsored by: Netflix

71625ec9 | 16-Aug-2023 | Warner Losh <imp@FreeBSD.org>

sys: Remove $FreeBSD$: one-line .c comment pattern

Remove /^/[*/]\s*\$FreeBSD\$.*\n/

caf32b26 | 14-Feb-2023 | Gleb Smirnoff <glebius@FreeBSD.org>

pfil: add pfil_mem_{in,out}() and retire pfil_run_hooks()

Commit 0b70e3e78b0 changed the original design of a single entry point into pfil(9) chains providing separate functions for the filtering points that always provide mbufs and know the direction of a flow. The motivation was to reduce branching. The logical continuation would be to do the same for the filtering points that always provide a memory pointer and retire the single entry point.

o Hooks now provide two functions: one for mbufs and optional for memory pointers.
o pfil_hook_args() has a new member and pfil_add_hook() has a requirement to zero out uninitialized data. Bump PFIL_VERSION.
o As it was before, a hook function for a memory pointer may realloc into an mbuf. Such an mbuf would be returned via a pointer that must be provided in argument.
o The only hook that supports memory pointers is ipfw:default-link. It is rewritten to provide two functions.
o All remaining uses of pfil_run_hooks() are converted to pfil_mem_in().
o Transparent union of pfil_packet_t and tricks to fix pointer alignment are retired. Internal pfil_realloc() reduces down to m_devget() and thus is retired, too.

Reviewed by: mjg, ocochard
Differential revision: https://reviews.freebsd.org/D37977

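The hook contract described in the two pfil entries above (the mbuf hook shape from caf32b26 and the PFIL_PASS/PFIL_DROPPED/PFIL_CONSUMED ownership rule from ffeab76b), as an added user-space model that is not FreeBSD code: struct mbuf, pfil_return_t, the hook signature, m_devget()/m_freem() and the toy firewall are stand-ins defined in the file, and the assertion in pfil_run_one() plays the role of the check that ffeab76b adds to pfil_mem_common().

```c
/* Added example, not FreeBSD code: a user-space model of the pfil(9) hook
 * contract.  struct mbuf, pfil_return_t and the hook shape are stand-ins. */
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct mbuf { unsigned char *m_data; size_t m_len; };	/* one flat buffer */
typedef enum { PFIL_PASS = 0, PFIL_DROPPED, PFIL_CONSUMED } pfil_return_t;
/* Simplified hook shape: the hook may modify, free or take over *mp. */
typedef pfil_return_t (*pfil_mbuf_chk_t)(struct mbuf **mp, void *arg);

static struct mbuf *
m_devget(const unsigned char *pkt, size_t len)
{
	struct mbuf *m = malloc(sizeof(*m));
	m->m_data = malloc(len);
	memcpy(m->m_data, pkt, len);
	m->m_len = len;
	return (m);
}

static void
m_freem(struct mbuf *m)
{
	if (m != NULL) {
		free(m->m_data);
		free(m);
	}
}

struct toy_fw {				/* toy firewall state */
	struct mbuf	*reass_queue;	/* one-slot reassembly queue */
	int		 dropped;
};

/* Toy hook: rejects TCP, keeps IPv4 fragments for reassembly, passes the
 * rest.  Each exit leaves *mp in the state its verdict promises. */
static pfil_return_t
toy_hook(struct mbuf **mp, void *arg)
{
	struct toy_fw *fw = arg;
	struct mbuf *m = *mp;
	unsigned char proto = m->m_data[9];
	unsigned frag_off = ((m->m_data[6] & 0x1f) << 8) | m->m_data[7];

	if (proto == 6) {		/* reject: free it and hand back NULL */
		m_freem(m);
		*mp = NULL;
		fw->dropped++;
		return (PFIL_DROPPED);
	}
	if (frag_off != 0) {		/* ownership moves to the firewall */
		m_freem(fw->reass_queue);
		fw->reass_queue = m;
		*mp = NULL;
		return (PFIL_CONSUMED);
	}
	return (PFIL_PASS);		/* *mp stays valid, never freed */
}

/* Caller side, mirroring the check the commit adds to pfil_mem_common():
 * PASS means the mbuf is still there; DROPPED/CONSUMED mean it is gone. */
static pfil_return_t
pfil_run_one(pfil_mbuf_chk_t hook, void *arg, struct mbuf **mp)
{
	pfil_return_t rv = hook(mp, arg);
	assert(rv == PFIL_PASS ? *mp != NULL : *mp == NULL);
	return (rv);
}

/* Run one constructed 20-byte IPv4 header (flags 0, no options) through the
 * hook.  On PASS the caller still owns the mbuf, so the free happens here. */
static pfil_return_t
filter_packet(struct toy_fw *fw, unsigned char proto, unsigned frag_off)
{
	unsigned char pkt[20] = { 0x45 };
	struct mbuf *m;
	pfil_return_t rv;

	pkt[6] = (frag_off >> 8) & 0x1f;
	pkt[7] = frag_off & 0xff;
	pkt[9] = proto;
	m = m_devget(pkt, sizeof(pkt));
	rv = pfil_run_one(toy_hook, fw, &m);
	if (rv == PFIL_PASS)
		m_freem(m);
	return (rv);
}

int
main(void)
{
	struct toy_fw fw = { NULL, 0 };
	int udp = filter_packet(&fw, 17, 0), tcp = filter_packet(&fw, 6, 0);
	int frag = filter_packet(&fw, 17, 185);

	printf("udp %d tcp %d frag %d (PASS=0 DROPPED=1 CONSUMED=2)\n", udp, tcp, frag);
	m_freem(fw.reass_queue);
	return (0);
}
```

Move the m_freem(m) from the PFIL_DROPPED branch into the PFIL_PASS return path, or forget the *mp = NULL after freeing, and the assertion in pfil_run_one() fires on the next packet; that is the class of mistake the check in pfil_mem_common() is there to catch, and it is why the caller can drop its own NULL checks once every hook honours the contract.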
ec6b2822 | 13-Feb-2023 | Mateusz Guzik <mjg@FreeBSD.org>

ipfilter: ansify

Sponsored by: Rubicon Communications, LLC ("Netgate")

c941e8c6 | 31-Jan-2023 | Cy Schubert <cy@FreeBSD.org>

ipfilter: Correctly type ipf_pullup()

ipf_pullup() outputs a pointer to ip_t. Though returning a pointer to void does work, it is imprecise and not completely correct.

MFC after: 1 week

e68b3792 | 07-Dec-2022 | Gleb Smirnoff <glebius@FreeBSD.org>

tcp: embed inpcb into tcpcb

For the TCP protocol inpcb storage specify allocation size that would provide space to most of the data a TCP connection needs, embedding into struct tcpcb several structures that previously were allocated separately. The most important one is the inpcb itself. With embedding we can provide a strong guarantee that with a valid TCP inpcb the tcpcb is always valid and vice versa. Also we reduce the number of allocs/frees per connection.

The embedded inpcb is placed in the beginning of the struct tcpcb, since in_pcballoc() requires that. However, later we may want to move it around for cache line efficiency, and this can be done with a little effort. The new intotcpcb() macro is ready for such a move.

The congestion algorithm data, the TCP timers and osd(9) data are also embedded into tcpcb, and the temporary struct tcpcb_mem goes away. There was no extra allocation here, but we went through an extra pointer every time we accessed this data.

One interesting side effect is that now TCP data is allocated from an SMR-protected zone. Potentially this allows the TCP stacks or other TCP related modules to utilize that for their own synchronization.

A large part of the change was done with a sed script:

  s/tp->ccv->/tp->t_ccv./g
  s/tp->ccv/\&tp->t_ccv/g
  s/tp->cc_algo/tp->t_cc/g
  s/tp->t_timers->tt_/tp->tt_/g
  s/CCV\(ccv, osd\)/\&CCV(ccv, t_osd)/g

A dependency side effect is that code that needs to know struct tcpcb should also know struct inpcb; that added several <netinet/in_pcb.h> includes.

Differential revision: https://reviews.freebsd.org/D37127

c47db49b | 17-Mar-2022 | Cy Schubert <cy@FreeBSD.org>

ipfilter: Support only jails in VNET

Jails without VNET have complete access to the ipfilter rules, NAT, pools and logs. This is insecure. Only allow jails to manipulate ipfilter rules, NAT tables and ippools if the jail has its own VNET. Otherwise a jail can affect the global system.

This patch brings ipfilter in line with ipfw's support of VNET jails and non-support of non-VNET jails.

MFC after: 1 week

5d4a348d | 03-Feb-2022 | Cy Schubert <cy@FreeBSD.org>

ipfilter: Fix indentation error

Fixes: 064a5a95649d05ac084bcf2612cbac5575d76358
MFC after: 3 days

835a0e2f | 10-Jan-2022 | Cy Schubert <cy@FreeBSD.org>

ipfilter: inline is superfluous for an extern function

Remove superfluous inline for a function defined as extern.

MFC after: 3 days

f98cc177 | 10-Jan-2022 | Cy Schubert <cy@FreeBSD.org>

ipfilter: Remove redundant else if

Combine two else ifs using an or.

MFC after: 3 days

70130151 | 03-Jan-2022 | Cy Schubert <cy@FreeBSD.org>

ipfilter module: Style(9) requires a space after return

Reported by: jrtc27
Fixes: 8c82b37461fa4e60276639df214100fbf559ea6e
MFC after: 1 month

80030b6c | 21-Dec-2021 | Cy Schubert <cy@FreeBSD.org>

ipfilter module: Fix whitespace errors

Replace leading spaces with tabs on affected lines.

MFC after: 1 month

8c82b374 | 21-Dec-2021 | Cy Schubert <cy@FreeBSD.org>

ipfilter: Adjust kernel module returns to conform to style(9)

Adjust ipfilter's kernel module return statements to conform to style(9).

MFC after: 1 month

9be9c1c0 | 21-Dec-2021 | Cy Schubert <cy@FreeBSD.org>

ipfilter: INLINE --> inline

Replace the INLINE macro with inline. Some ancient compilers supported __inline__ instead of inline. The INLINE hack compensated for it. Ancient compilers are history.

Reported by: glebius
MFC after: 1 month

064a5a95 | 20-Dec-2021 | Cy Schubert <cy@FreeBSD.org>

ipfilter: ANSIfy kernel function declarations

Convert ipfilter kernel function declarations from K&R to ANSI. This syncs our function declarations with NetBSD hg commit 75edcd7552a0 (apply our changes). Though not copied from NetBSD, this change was partially inspired by NetBSD's work and inspired by style(9).

Reviewed by: glebius (for #network)
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D33595

3b9b51fe | 15-Dec-2021 | Cy Schubert <cy@FreeBSD.org>

ipfilter: Move kernel bits to netpfil

Through fixes and improvements our ipfilter sources have diverged enough to warrant a move from contrib into sys/netpfil. Now that I'm planning on implementing MSS clamping as in iptables it makes more sense to move ipfilter to netpfil.

This is the first of three commits of the ipfilter move.

Suggested by glebius on two occasions.

Suggested by and discussed with: glebius
Reviewed by: glebius, kp (for #network)
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D33510