54c62e3e | 17-Jan-2024 | Kristof Provost <kp@FreeBSD.org>
pf: work around icmp6 packet-too-big not being sent when binat-ing

If we're applying NPTv6 we pass a packet with a modified source and/or destination address to the network stack. If that packet then turns out to be larger than the MTU of the sending interface the stack will attempt to generate an icmp6 packet-too-big error, but may fail to look up the appropriate source address for that error message. Even if it does, pf would still have to undo the binat operation inside the icmp6 packet so the sending host can make sense of the error.

We can avoid both problems entirely by having pf also perform the MTU check (taking the potential refragmentation into account), and generating the icmp6 error directly in pf.

See also: https://redmine.pfsense.org/issues/14290
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D43499

04932601 | 07-Dec-2023 | Kristof Provost <kp@FreeBSD.org>
pf: store state creation/expiration timestamps with millisecond precision

The primary beneficiary is pflow(4), which expects millisecond precision in timestamps.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D43112

948e8413 | 02-Jan-2024 | Kristof Provost <kp@FreeBSD.org>
pflog: pass the action to pflog directly

If a packet is malformed, it is dropped by pf(4). The rule referenced in pflog(4) is the default rule. As the default rule is a pass rule, tcpdump printed "pass" although the packet was actually dropped. Use the actual action, rather than the rule's action, or an attempt at guessing the correct action.

Inspired by OpenBSD's 'pflog(4) logs packet dropped by default rule with block.' commit.

Sponsored by: Rubicon Communications, LLC ("Netgate")

a8b70cf2 | 24-Dec-2023 | Richard Scheffenegger <rscheff@FreeBSD.org>
netpfil: Use accessor functions and named constants for all tcphdr flags

Update all remaining references to the struct tcphdr th_x2 field. This completes the compatibility of various aspects with AccECN (TH_AE), after the internal ipfw "re-checksum required" was moved to use the TH_RES1 flag. No functional change.

Reviewed By: tuexen, #transport, glebius
Sponsored by: NetApp, Inc.
Differential Revision: https://reviews.freebsd.org/D43172

7093414c | 17-Nov-2023 | Kristof Provost <kp@FreeBSD.org>
pf: sctp heartbeats confirm a connection

When we create a new state for multihomed sctp connections (i.e. based on INIT/INIT_ACK or ASCONF parameters) the new connection will never see a COOKIE/COOKIE_ACK exchange. We should consider HEARTBEAT_ACK to be a confirmation that the connection is established. This ensures that such connections do not time out earlier than expected.

MFC after: 1 week
Sponsored by: Orange Business Services

d6d38b02 | 17-Oct-2023 | Kristof Provost <kp@FreeBSD.org>
pf: fix missing SCTP multihomed states

The existing code to create extra states when SCTP endpoints supplied extra addresses missed a case. As a result we failed to generate all of the required states. Briefly, if host A has address 1 and 2 and host B has address 3 and 4 we generated 1 - 3 and 2 - 3, as well as 1 - 4, but not 2 - 4. Store the list of endpoints supplied by each host and use those to generate all of the connection permutations.

MFC after: 1 week
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D42361

ede5d4ff | 26-Oct-2023 | Kajetan Staszkiewicz <vegeta@tuxpowered.net>
pf: Fix packet reassembly

Don't drop fragmented packets when reassembly is disabled, they can be matched by rules with "fragment" keyword. Ensure that presence of scrub rules forces old behaviour.

Reviewed by: kp
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D42355

51a78dd2 | 01-Sep-2023 | Kristof Provost <kp@FreeBSD.org>
pf: improve SCTP state validation

Only create new states for INIT chunks, or when we're creating a secondary state for a multihomed association. Store and verify verification tag.

MFC after: 3 weeks
Sponsored by: Orange Business Services

10aa9ddb | 02-Aug-2023 | Kristof Provost <kp@FreeBSD.org>
pf: support SCTP multihoming

SCTP may announce additional IP addresses it'll use in the INIT/INIT_ACK chunks, or in ASCONF chunks at any time during the connection. Parse these parameters, evaluate the ruleset for the new connection and if allowed create the corresponding states.

MFC after: 3 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D41637

685dc743 | 16-Aug-2023 | Warner Losh <imp@FreeBSD.org>
sys: Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

76afcbb5 | 13-Jul-2023 | Kristof Provost <kp@FreeBSD.org>
pf: handle multiple IPv6 fragment headers

With 'scrub fragment reassemble' if a packet contains multiple IPv6 fragment headers we would reassemble the packet and immediately continue processing it. That is, we'd remove the first fragment header and expect the next header to be a final header (i.e. TCP, UDP, ICMPv6, ...). However, if it's another fragment header we'd not treat the packet correctly. That is, we'd fail to recognise the payload and treat it as if it were an IPv6 fragment rather than as its actual payload.

Fix this by restarting the normalisation on the reassembled packet. If there are multiple fragment headers drop the packet.

Reported by: Enrico Bassetti bassetti@di.uniroma1.it (NetSecurityLab @ Sapienza University of Rome)
MFC after: instant
Sponsored by: Rubicon Communications, LLC ("Netgate")

d1bc1e9e | 31-May-2023 | Kristof Provost <kp@FreeBSD.org>
pf: support 'return' for SCTP

Send an SCTP Abort message if we're refusing a connection, just like we send a RST for TCP.

MFC after: 3 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D40864

010ee43f | 27-Apr-2023 | Kristof Provost <kp@FreeBSD.org>
pf: initial SCTP support

Basic state tracking for SCTP. This means we scan through the packet to identify the different chunks (so we can identify state changes).

MFC after: 3 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D40862

6b4ed16d | 12-Jul-2023 | Kajetan Staszkiewicz <vegeta@tuxpowered.net>
pf: Simplify rule actions logic

Actions applied to a processed packet come in case of stateless firewalling from a rule or in case of stateful firewalling from a state. The state obtains the actions from a rule when it is created by a rule or by pfsync. The logic for deciding if actions come from a rule or a state is spread across many places in pf.

There already is struct pf_rule_actions in struct pf_pdesc and thus it can be used as a central place for storing actions and their parameters. OpenBSD does something similar: they also store the actions in struct pf_pdesc and have no variables in pf_test() but they use separate variables instead of a structure. By using struct pf_rule_actions we can simplify the code even further.

Applying of actions is done *only* in pf_rule_to_actions() no matter if for the legacy scrub rules or for the normal match / pass rules. The logic of choosing if rule or state actions are used is applied only once in pf_test() by copying the whole struct.

Reviewed by: kp
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D41009

f2064dd1 | 12-Jul-2023 | Kajetan Staszkiewicz <vegeta@tuxpowered.net>
pf: Fix duplicate storage of direction

The variable storing the direction of a processed packet is passed around to many functions. Most of those functions already have a pointer to struct pf_pdesc which also contains the direction. By using the one in struct pf_pdesc we can reduce the amount of arguments passed around.

Reviewed by: kp
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D41008

7dc3be36 | 19-Jun-2023 | Kajetan Staszkiewicz <vegeta@tuxpowered.net>
pf: Fix usage of pf tags with syncookies

The value stored in pf_mtag->tag comes from "tag" and "match tag" keywords in pf.conf and must not be abused for storing other information. A ruleset with enough tags could set or remove the bits responsible for PF_TAG_SYNCOOKIE_RECREATED. Move this syncookie status to pf_mtag->flags. Rename this and other related constants in a way that will prevent such mistakes in the future.

Move PF_REASSEMBLED constant to mbuf.h and rename accordingly because it's not a flag stored in pf_mtag, but an identifier of a different m_tag. Change the value of the constant to avoid conflicts with other m_tags using MTAG_ABI_COMPAT.

Rename the variables in pf_build_tcp() and pf_send_tcp() to reduce confusion.

Reviewed by: kp
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D40587

c4a32455 | 19-May-2023 | Kristof Provost <kp@FreeBSD.org>
pf: remove the use of caddr_t

Replace caddr_t with void *, or more accurate types.

Suggested by: glebius
Reviewed by: zlei
Differential Revision: https://reviews.freebsd.org/D40186

bf206a1d | 04-May-2023 | Kristof Provost <kp@FreeBSD.org>
pf: remove NULL check before uma_zfree()

uma_zfree() can be called on a NULL pointer. Simplify the pf code a little by removing the redundant checks.

Sponsored by: Rubicon Communications, LLC ("Netgate")

39282ef3 | 13-Apr-2023 | Kajetan Staszkiewicz <vegeta@tuxpowered.net>
pf: backport OpenBSD syntax of "scrub" option for "match" and "pass" rules

Introduce the OpenBSD syntax of "scrub" option for "match" and "pass" rules and the "set reassemble" flag. The patch is backward-compatible, pf.conf can still be written in FreeBSD-style.

Obtained from: OpenBSD
MFC after: never
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D38025

ad729f8d | 23-Mar-2023 | Kristof Provost <kp@FreeBSD.org>
pf: ignore ip6_output() return value in pf_refragment6()

We can't do anything if ip6_output() fails, other than discard the packet which ip6_output() already does for us. Mark the return value as ignored.

Reported by: emaste, Coverity
Sponsored by: Rubicon Communications, LLC (Netgate)

80e76c61 | 13-Mar-2023 | Kristof Provost <kp@FreeBSD.org>
pf: set scope in pf_refragment6()

Link-local traffic needs to have a scope embedded before it's passed on to ip6_output(). Do so in pf_refragment6(), because when we end up here in the output path we may have passed through ip6_output() already (before being reassembled), where the scope would have been removed. Re-embed the scope so that link-local traffic is sent correctly.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D39062

b52b61c0 | 12-Mar-2023 | Kristof Provost <kp@FreeBSD.org>
pf: distinguish forwarding and output cases for pf_refragment6()

Re-introduce PFIL_FWD, because pf's pf_refragment6() needs to know if we're ip6_forward()-ing or ip6_output()-ing. ip6_forward() relies on m->m_pkthdr.rcvif, at least for link-local traffic (for in6_get_unicast_scopeid()). rcvif is not set for locally generated traffic (e.g. from icmp6_reflect()), so we need to call the correct output function.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D39061

57e047e5 | 22-Nov-2022 | Kristof Provost <kp@FreeBSD.org>
pf: allow scrub rules without fragment reassemble

scrub rules have defaulted to handling fragments for a long time, but since we removed "fragment crop" and "fragment drop-ovl" in 64b3b4d611 this has become less obvious and more expensive ("reassemble" being the more expensive option, even if it's the one the vast majority of users should be using).

Extend the 'scrub' syntax to allow fragment reassembly to be disabled, while retaining the other scrub behaviour (e.g. TTL changes, random-id, ..) using 'scrub fragment no reassemble'.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D37459

c36f9041 | 22-Nov-2021 | Kristof Provost <kp@FreeBSD.org>
pf: remove unused variables

No functional change intended.

Reviewed by: glebius
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D33085

bcd4c17c | 19-Oct-2021 | Mateusz Guzik <mjg@FreeBSD.org>
pf: fix some cc --analyze warnings

Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")

0a7d1fc6 | 15-Aug-2021 | Samuel Robinette <samrobinette95@gmail.com>
pf: implement set-tos for IPv6

Extend the existing set-tos keyword to also be able to set traffic class on IPv6 traffic. Add tests for this as well.

Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D31564

87c010e6 | 24-Jul-2021 | Mateusz Guzik <mjg@FreeBSD.org>
pf: batch critical section for several counters

Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")

02cf67cc | 22-Jul-2021 | Mateusz Guzik <mjg@FreeBSD.org>
pf: switch rule counters to pf_counter_u64

Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")

6f1fb656 | 23-Jul-2021 | Mateusz Guzik <mjg@FreeBSD.org>
pf: drop redundant 'else' in pf_normalize_*

Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")

211cddf9 | 06-Jul-2021 | Kristof Provost <kp@FreeBSD.org>
pf: rename pf_state to pf_kstate

Indicate that this is a kernel-only structure, and make it easier to distinguish from others used to communicate with userspace.

Reviewed by: mjg
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31096

d38630f6 | 04-Jun-2021 | Kristof Provost <kp@FreeBSD.org>
pf: store L4 headers in pf_pdesc

Rather than pointers to the headers store full copies. This brings us slightly closer to what OpenBSD does, and also makes more sense than storing pointers to stack variable copies of the headers.

Reviewed by: donner, scottl
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30719

055c55ab | 27-Apr-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Fix IP checksum on reassembly

If we reassemble a packet we modify the IP header (to set the length and remove the fragment offset information), but we failed to update the checksum. On certain setups (mostly where we did not re-fragment again afterwards) this could lead to us sending out packets with incorrect checksums.

PR: 255432
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30026

5f1b1f18 | 25-Feb-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Fix incorrect fragment handling

A sequence of overlapping IPv4 fragments could crash the kernel in pf due to an assertion.

Reported by: Alexander Bluhm
Obtained from: OpenBSD
MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")

320c1116 | 12-Dec-2020 | Kristof Provost <kp@FreeBSD.org>
pf: Split pfi_kif into a user and kernel space structure

No functional change.

MFC after: 2 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D27761

c3adacda | 05-Dec-2020 | Kristof Provost <kp@FreeBSD.org>
pf: Change pf_krule counters to use counter_u64

This improves the cache behaviour of pf and results in improved throughput.

MFC after: 2 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D27760

e86bddea | 05-Dec-2020 | Kristof Provost <kp@FreeBSD.org>
pf: Split pf_rule into kernel and user space versions

No functional change intended.

MFC after: 2 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D27758

c3f69af0 | 20-Dec-2020 | Kristof Provost <kp@FreeBSD.org>
pf: Fix unaligned checksum updates

The algorithm we use to update checksums only works correctly if the updated data is aligned on 16-bit boundaries (relative to the start of the packet). Import the OpenBSD fix for this issue.

PR: 240416
Obtained from: OpenBSD
MFC after: 1 week
Reviewed by: tuexen (previous version)
Differential Revision: https://reviews.freebsd.org/D27696

662c1305 | 01-Sep-2020 | Mateusz Guzik <mjg@FreeBSD.org>
net: clean up empty lines in .c and .h files

df03977d | 26-Apr-2020 | Kristof Provost <kp@FreeBSD.org>
pf: Virtualise pf_frag_mtx

The pf_frag_mtx mutex protects the fragments queue. The fragments queue is virtualised already (i.e. per-vnet) so it makes no sense to block jail A from accessing its fragments queue while jail B is accessing its own fragments queue. Virtualise the lock for improved concurrency.

Differential Revision: https://reviews.freebsd.org/D24504

492f3a31 | 24-Nov-2019 | Kristof Provost <kp@FreeBSD.org>
pf: Add endline to all DPFPRINTF()

DPFPRINTF() doesn't automatically add an endline, so be consistent and always add it.

f287767d | 29-Jul-2019 | Kristof Provost <kp@FreeBSD.org>
pf: Remove partial RFC2675 support

Remove our (very partial) support for RFC2675 Jumbograms. They're not used, not actually supported and not a good idea.

Reviewed by: thj@
Differential Revision: https://reviews.freebsd.org/D21086

6f4909de | 01-Mar-2019 | Kristof Provost <kp@FreeBSD.org>
pf: IPv6 fragments with malformed extension headers could be erroneously passed by pf or cause a panic

We mistakenly used the extoff value from the last packet to patch the next_header field. If a malicious host sends a chain of fragmented packets where the first packet and the final packet have different lengths or number of extension headers we'd patch the next_header at the wrong offset. This can potentially lead to panics or rule bypasses.

Security: CVE-2019-5597
Obtained from: OpenBSD
Reported by: Corentin Bayet, Nicolas Collignon, Luca Moro at Synacktiv

58ef854f | 02-Nov-2018 | Kristof Provost <kp@FreeBSD.org>
pf: Fix build if INVARIANTS is not set

r340061 included a number of assertions in pf_frent_remove(), but these assertions were the only use of the 'prev' variable. As a result builds without INVARIANTS had an unused variable, and failed.

Reported by: vangyzen@

790194cd | 02-Nov-2018 | Kristof Provost <kp@FreeBSD.org>
pf: Limit the fragment entry queue length to 64 per bucket.

So we have a global limit of 1024 fragments, but it is fine grained to the region of the packet. Smaller packets may have fewer fragments. This costs another 16 bytes of memory per reassembly and divides the worst case for searching by 8.

Obtained from: OpenBSD
Differential Revision: https://reviews.freebsd.org/D17734

fd2ea405 | 02-Nov-2018 | Kristof Provost <kp@FreeBSD.org>
pf: Split the fragment reassembly queue into smaller parts

Remember 16 entry points based on the fragment offset. Instead of a worst case of 8196 list traversals we now check a maximum of 512 list entries or 16 array elements.

Obtained from: OpenBSD
Differential Revision: https://reviews.freebsd.org/D17733

2b1c354e | 02-Nov-2018 | Kristof Provost <kp@FreeBSD.org>
pf: Count holes rather than fragments for reassembly

Avoid traversing the list of fragment entries to check whether the pf(4) reassembly is complete. Instead count the holes that are created when inserting a fragment. If there are no holes left, the fragments are continuous.

Obtained from: OpenBSD
Differential Revision: https://reviews.freebsd.org/D17732

19a22ae3 | 02-Nov-2018 | Kristof Provost <kp@FreeBSD.org>
Revert "pf: Limit the maximum number of fragments per packet"

This reverts commit r337969. We'll handle this the OpenBSD way, in upcoming commits.

d4702323 | 17-Aug-2018 | Kristof Provost <kp@FreeBSD.org>
pf: Limit the maximum number of fragments per packet

Similar to the network stack issue fixed in r337782 pf did not limit the number of fragments per packet, which could be exploited to generate high CPU loads with a crafted series of packets. Limit each packet to no more than 64 fragments. This should be sufficient on typical networks to allow maximum-sized IP frames. This addresses the issue for both IPv4 and IPv6.

MFC after: 3 days
Security: CVE-2018-5391
Sponsored by: Klara Systems

5f901c92 | 24-Jul-2018 | Andrew Turner <andrew@FreeBSD.org>
Use the new VNET_DEFINE_STATIC macro when we are defining static VNET variables.

Reviewed by: bz
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D16147

455969d3 | 30-May-2018 | Kristof Provost <kp@FreeBSD.org>
pf: Replace rwlock on PF_RULES_LOCK with rmlock

Given that PF_RULES_LOCK is a mostly read lock, replace the rwlock with rmlock. This change improves packet processing rate in high pps environments. Benchmarking by olivier@ shows a 65% improvement in pps. While here, also eliminate all appearances of "sys/rwlock.h" includes since it is not used anymore.

Submitted by: farrokhi@
Differential Revision: https://reviews.freebsd.org/D15502

5d0020d6 | 31-Dec-2017 | Kristof Provost <kp@FreeBSD.org>
pf: Clean all fragments on shutdown

When pf is unloaded, or a vnet jail using pf is stopped we need to ensure we clean up all fragments, not just the expired ones.

fe267a55 | 27-Nov-2017 | Pedro F. Giffuni <pfg@FreeBSD.org>
sys: general adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I was using misidentified many licenses so this was mostly a manual - error prone - task. The Software Package Data Exchange (SPDX) group provides a specification to make it easier for automated tools to detect and summarize well known opensource licenses. We are gradually adopting the specification, noting that the tags are considered only advisory and do not, in any way, supersede or replace the license texts.

No functional change intended.

00eab743 | 20-Apr-2017 | Kristof Provost <kp@FreeBSD.org>
pf: Fix possible incorrect IPv6 fragmentation

When forwarding pf tracks the size of the largest fragment in a fragmented packet, and refragments based on this size. It failed to ensure that this size was a multiple of 8 (as is required for all but the last fragment), so it could end up generating incorrect fragments. For example, if we received an 8 byte and 12 byte fragment pf would emit a first fragment with 12 bytes of payload and the final fragment would claim to be at offset 8 (not 12).

We now assert that the fragment size is a multiple of 8 in ip6_fragment(), so other users won't make the same mistake.

Reported by: Antonios Atlasis <aatlasis at secfu net>
MFC after: 3 days

1f495578 | 13-Oct-2016 | Kristof Provost <kp@FreeBSD.org>
pf: port extended DSCP support from OpenBSD

Ignore the ECN bits on 'tos' and 'set-tos' and allow to use DSCP names instead of having to embed their TOS equivalents as plain numbers.

Obtained from: OpenBSD
Sponsored by: OPNsense
Differential Revision: https://reviews.freebsd.org/D8165

d9f4fce5 | 20-May-2016 | Kristof Provost <kp@FreeBSD.org>
pf: Fix fragment timeout

We were inconsistent about the use of time_second vs. time_uptime. Always use time_uptime so the value can be meaningfully compared.

Submitted by: "Max" <maximos@als.nnov.ru>
MFC after: 4 days

a4641f4e | 03-May-2016 | Pedro F. Giffuni <pfg@FreeBSD.org>
sys/net*: minor spelling fixes.

No functional change.

c110fc49 | 14-Oct-2015 | Kristof Provost <kp@FreeBSD.org>
pf: Fix TSO issues

In certain configurations (mostly but not exclusively as a VM on Xen) pf produced packets with an invalid TCP checksum. The problem was that pf could only handle packets with a full checksum. The FreeBSD IP stack produces TCP packets with a pseudo-header checksum (only addresses, length and protocol). Certain network interfaces expect to see the pseudo-header checksum, so they end up producing packets with invalid checksums.

To fix this stop calculating the full checksum and teach pf to only update TCP checksums if TSO is disabled or the change affects the pseudo-header checksum.

PR: 154428, 193579, 198868
Reviewed by: sbruno
MFC after: 1 week
Relnotes: yes
Sponsored by: RootBSD
Differential Revision: https://reviews.freebsd.org/D3779

64b3b4d6 | 27-Aug-2015 | Kristof Provost <kp@FreeBSD.org>
pf: Remove support for 'scrub fragment crop|drop-ovl'

The crop/drop-ovl fragment scrub modes are not very useful and likely to confuse users into making poor choices. It's also a fairly large amount of complex code, so just remove the support altogether. Users who have 'scrub fragment crop|drop-ovl' in their pf configuration will be implicitly converted to 'scrub fragment reassemble'.

Reviewed by: gnn, eri
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D3466

48c29b11 | 29-Jul-2015 | Kristof Provost <kp@FreeBSD.org>
pf: Always initialise pf_fragment.fr_flags

When we allocate the struct pf_fragment in pf_fillup_fragment() we forgot to initialise the fr_flags field. As a result we sometimes mistakenly thought the fragment to not be a buffered fragment. This resulted in panics because we'd end up freeing the pf_fragment but not removing it from V_pf_fragqueue (believing it to be part of V_pf_cachequeue). The next time we iterated V_pf_fragqueue we'd use a freed object and panic.

While here also fix a pf_fragment use after free in pf_normalize_ip(). pf_reassemble() frees the pf_fragment, so we can't use it any more.

PR: 201879, 201932
MFC after: 5 days

06ba348d | 11-Jun-2015 | Kristof Provost <kp@FreeBSD.org>
pf: Remove frc_direction

We don't use the direction of the fragments for anything. The frc_direction field is assigned, but never read. Just remove it.

Differential Revision: https://reviews.freebsd.org/D2773
Approved by: philip (mentor)

837b925a | 11-Jun-2015 | Kristof Provost <kp@FreeBSD.org>
pf: Save the protocol number in the pf_fragment

When we try to look up a pf_fragment with pf_find_fragment() we compare (see pf_frag_compare()) addresses (and family), id but also protocol. We failed to save the protocol to the pf_fragment in pf_fragcache(), resulting in failing reassembly.

Differential Revision: https://reviews.freebsd.org/D2772

0b7eba6a | 10-Jun-2015 | Kristof Provost <kp@FreeBSD.org>
pf: address family must be set when creating a pf_fragment

Fix a panic when handling fragmented ip4 packets with 'drop-ovl' set. In that scenario we take a different branch in pf_normalize_ip(), taking us to pf_fragcache() (rather than pf_reassemble()). In pf_fragcache() we create a pf_fragment, but do not set the address family. This leads to a panic when we try to insert that into pf_frag_tree because pf_addr_cmp(), which is used to compare the pf_fragments doesn't know what to do if the address family is not set.

Simply ensure that the address family is set correctly (always AF_INET in this path).

PR: 200330
Differential Revision: https://reviews.freebsd.org/D2769
Approved by: philip (mentor), gnn (mentor)

3dd01a88 | 19-May-2015 | Gleb Smirnoff <glebius@FreeBSD.org>
Use MTX_SYSINIT() instead of mtx_init() to separate mutex initialization from associated structures initialization.

The mutexes are global, while the structures are per-vnet.

Submitted by: Nikos Vassiliadis <nvass gmx.com>

916e17fd | 14-Apr-2015 | George V. Neville-Neil <gnn@FreeBSD.org>
I can find no reason to allow packets with both SYN and FIN bits set past this point in the code.

The packet should be dropped and not massaged as it is here.

Differential Revision: https://reviews.freebsd.org/D2266
Submitted by: eri
Sponsored by: Rubicon Communications (Netgate)

1873dcc8 | 06-Apr-2015 | Kristof Provost <kp@FreeBSD.org>
pf: Skip firewall for refragmented ip6 packets

In cases where we scrub (fragment reassemble) on both input and output we risk ending up in infinite loops when forwarding packets. Fragmented packets come in and get collected until we can defragment. At that point the defragmented packet is handed back to the ip stack (at the pfil point in ip6_input()). Normal processing continues. Eventually we figure out that the packet has to be forwarded and we end up at the pfil hook in ip6_forward(). After doing the inspection on the defragmented packet we see that the packet has been defragmented and because we're forwarding we have to refragment it. In pf_refragment6() we split the packet up again and then ip6_forward() the individual fragments. Those fragments hit the pfil hook on the way out, so they're collected until we can reconstruct the full packet, at which point we're right back where we left off and things continue until we run out of stack.

Break that loop by marking the fragments generated by pf_refragment6() as M_SKIP_FIREWALL. There's no point in processing those packets in the firewall anyway. We've already filtered on the full packet.

Differential Revision: https://reviews.freebsd.org/D2197
Reviewed by: glebius, gnn
Approved by: gnn (mentor)

6d947416 | 01-Apr-2015 | Gleb Smirnoff <glebius@FreeBSD.org>
o Use new function ip_fillid() in all places throughout the kernel, where we want to create a new IP datagram.
o Add support for RFC6864, which allows to set IP ID for atomic IP datagrams to any value, to improve performance. The behaviour is controlled by net.inet.ip.rfc6864 sysctl knob, which is enabled by default.
o In case if we generate IP ID, use counter(9) to improve performance.
o Gather all code related to IP ID into ip_id.c.

Differential Revision: https://reviews.freebsd.org/D2177
Reviewed by: adrian, cy, rpaulo
Tested by: Emeric POUPON <emeric.poupon stormshield.eu>
Sponsored by: Netflix
Sponsored by: Nginx, Inc.
Relnotes: yes

7dce9b51 | 31-Mar-2015 | Kristof Provost <kp@FreeBSD.org>
pf: Deal with runt packets

On Ethernet packets have a minimal length, so very short packets get padding appended to them. This padding is not stripped off in ip6_input() (due to support for IPv6 Jumbograms, RFC2675). That means PF needs to be careful when reassembling fragmented packets to not include the padding in the reassembled packet.

While here also remove the 'Magic from ip_input.' bits. Splitting up and re-joining an mbuf chain here doesn't make any sense.

Differential Revision: https://reviews.freebsd.org/D2189
Approved by: gnn (mentor)

79831849 | 31-Mar-2015 | Kristof Provost <kp@FreeBSD.org>
Preserve IPv6 fragment IDs across reassembly and refragmentation

When forwarding fragmented IPv6 packets and filtering with PF we reassemble and refragment. That means we generate new fragment headers and a new fragment ID. We already save the fragment IDs so we can do the reassembly so it's straightforward to apply the incoming fragment ID on the refragmented packets.

Differential Revision: https://reviews.freebsd.org/D2188
Approved by: gnn (mentor)

a4879be4 | 26-Mar-2015 | Sergey Kandaurov <pluknet@FreeBSD.org>
Static'ize pf_fillup_fragment body to match its declaration.

Missed in 278925.

4ac6485c | 17-Feb-2015 | Gleb Smirnoff <glebius@FreeBSD.org>
Even more fixes to !INET and !INET6 kernels.

In collaboration with: pluknet

0324938a | 16-Feb-2015 | Gleb Smirnoff <glebius@FreeBSD.org>
- Improve INET/INET6 scope.
- style(9) declarations.
- Make couple of local functions static.

8dc98c2a | 16-Feb-2015 | Gleb Smirnoff <glebius@FreeBSD.org>
Toss declarations to fix regular build and NO_INET6 build.

39a58828 | 16-Feb-2015 | Gleb Smirnoff <glebius@FreeBSD.org>
In the forwarding case refragment the reassembled packets with the same size as they arrived in. This allows the sender to determine the optimal fragment size by Path MTU Discovery.

Roughly based on the OpenBSD work by Alexander Bluhm.

Submitted by: Kristof Provost
Differential Revision: D1767

f5ceb22b | 15-Feb-2015 | Gleb Smirnoff <glebius@FreeBSD.org>
Update the pf fragment handling code to closer match recent OpenBSD. That partially fixes IPv6 fragment handling. Thanks to Kristof for working on that.

Submitted by: Kristof Provost
Tested by: peter
Differential Revision: D1765

efc6c51f | 21-Jan-2015 | Gleb Smirnoff <glebius@FreeBSD.org>
Back out r276841, r276756, r276747, r276746.

The change in r276747 is very very questionable, since it makes vimages more dependent on each other. But the reason for the backout is that it screwed up shutting down the pf purge threads, and now the kernel immediately panics on pf module unload. Although module unloading isn't an advertised feature of pf, it is very important for the development process.

I'd like to not back out r276746, since in general it is good. But since it has introduced numerous build breakages, that later were addressed in r276841, r276756, r276747, I need to back it out as well. Better to replay it in a clean fashion from scratch.

7259906e | 08-Jan-2015 | Craig Rodrigues <rodrigc@FreeBSD.org>
Do not initialize pfi_unlnkdkifs_mtx and pf_frag_mtx. They are already initialized by MTX_SYSINIT.

Submitted by: Nikos Vassiliadis <nvass@gmx.com>

8d665c6b | 06-Jan-2015 | Craig Rodrigues <rodrigc@FreeBSD.org>
Reapply previous patch to fix build.

PR: 194515

c75820c7 | 06-Jan-2015 | Craig Rodrigues <rodrigc@FreeBSD.org>
Merge: r258322 from projects/pf branch

Split functions that initialize various pf parts into their vimage parts and global parts. Since global parts appeared to be only mutex initializations, just abandon them and use MTX_SYSINIT() instead. Kill my incorrect VNET_FOREACH() iterator and instead use correct approach with VNET_SYSINIT().

PR: 194515
Differential Revision: D1309
Submitted by: glebius, Nikos Vassiliadis <nvass@gmx.com>
Reviewed by: trociny, zec, gnn

0e4f18aa | 16-May-2014 | Gleb Smirnoff <glebius@FreeBSD.org>
o In pf_normalize_ip() we don't need mtag in the !(PFRULE_FRAGCROP|PFRULE_FRAGDROP) case.
o In the (PFRULE_FRAGCROP|PFRULE_FRAGDROP) case we should allocate mtag if we don't find any.

Tested by: Ian FREISLICH <ianf cloudseed.co.za>

f053058c | 18-Nov-2013 | Gleb Smirnoff <glebius@FreeBSD.org>
- Split functions that initialize various pf parts into their vimage parts and global parts.
- Since global parts appeared to be only mutex initializations, just abandon them and use MTX_SYSINIT() instead.
- Kill my incorrect VNET_FOREACH() iterator and instead use correct approach with VNET_SYSINIT().

Submitted by: Nikos Vassiliadis <nvass gmx.com>
Reviewed by: trociny

75bf2db3 | 27-Oct-2013 | Gleb Smirnoff <glebius@FreeBSD.org>
Move new pf includes to the pf directory. The pfvar.h remains in net, to avoid compatibility breakage for no sake. The future plan is to split most of the non-kernel parts of pfvar.h into pf.h, and then make pfvar.h a kernel-only include, breaking compatibility.

Discussed with: bz

d8aa10cc | 28-Dec-2012 | Gleb Smirnoff <glebius@FreeBSD.org>
In netpfil/pf:
- Add my copyright to files I've touched a lot this year.
- Add dash in front of all copyright notices according to style(9).
- Move $OpenBSD$ down below copyright notices.
- Remove extra line between cdefs.h and __FBSDID.

f5002be6 | 17-Dec-2012 | Pawel Jakub Dawidek <pjd@FreeBSD.org>
Warn about reaching various PF limits.

Reviewed by: glebius
Obtained from: WHEEL Systems

3b3a8eb9 | 14-Sep-2012 | Gleb Smirnoff <glebius@FreeBSD.org>
o Create directory sys/netpfil, where all packet filters should reside, and move there ipfw(4) and pf(4).
o Move most modified parts of pf out of contrib.

Actual movements:

sys/contrib/pf/net/*.c -> sys/netpfil/pf/
sys/contrib/pf/net/*.h -> sys/net/
contrib/pf/pfctl/*.c -> sbin/pfctl
contrib/pf/pfctl/*.h -> sbin/pfctl
contrib/pf/pfctl/pfctl.8 -> sbin/pfctl
contrib/pf/pfctl/*.4 -> share/man/man4
contrib/pf/pfctl/*.5 -> share/man/man5
sys/netinet/ipfw -> sys/netpfil/ipfw

The arguable movement is pf/net/*.h -> sys/net. There are future plans to refactor pf includes, so I decided not to break things twice.

Not modified bits of pf left in contrib: authpf, ftp-proxy, tftp-proxy, pflogd.

The ipfw(4) movement is planned to be merged to stable/9, to make head and stable match.

Discussed with: bz, luigi