Differential Revision: https://reviews.freebsd.org/D2847
Reviewed by: glebius, wblock(manpage)
Approved by: gnn(mentor)
Obtained from: pfSense
Sponsored by: Netgate
Notes:
svn path=/head/; revision=284777
We don't use the direction of the fragments for anything. The frc_direction
field is assigned, but never read.
Just remove it.
Differential Revision: https://reviews.freebsd.org/D2773
Approved by: philip (mentor)
Notes:
svn path=/head/; revision=284280
When we try to look up a pf_fragment with pf_find_fragment() we compare (see
pf_frag_compare()) addresses (and family), id but also protocol. We failed to
save the protocol to the pf_fragment in pf_fragcache(), resulting in failing
reassembly.
Differential Revision: https://reviews.freebsd.org/D2772
Notes:
svn path=/head/; revision=284260
Fix a panic when handling fragmented ip4 packets with 'drop-ovl' set.
In that scenario we take a different branch in pf_normalize_ip(), taking us to
pf_fragcache() (rather than pf_reassemble()). In pf_fragcache() we create a
pf_fragment, but do not set the address family. This leads to a panic when we
try to insert that into pf_frag_tree because pf_addr_cmp(), which is used to
compare the pf_fragments doesn't know what to do if the address family is not
set.
Simply ensure that the address family is set correctly (always AF_INET in this
path).
PR: 200330
Differential Revision: https://reviews.freebsd.org/D2769
Approved by: philip (mentor), gnn (mentor)
Notes:
svn path=/head/; revision=284222
years for head. However, it is continuously misused as the mpsafe argument
for callout_init(9). Deprecate the flag and clean up callout_init() calls
to make them more consistent.
Differential Revision: https://reviews.freebsd.org/D2613
Reviewed by: jhb
MFC after: 2 weeks
Notes:
svn path=/head/; revision=283291
from associated structures initialization. The mutexes are global, while
the structures are per-vnet.
Submitted by: Nikos Vassiliadis <nvass gmx.com>
Notes:
svn path=/head/; revision=283107
may sleep in uma_drain(). It is safe to unlock here, since we are already
dehooked from pfil(9) and all pf threads had quit.
Sponsored by: Nginx, Inc.
Notes:
svn path=/head/; revision=283106
PR: 200222
Submitted by: Franco Fichtner <franco opnsense.org>
Notes:
svn path=/head/; revision=283063
PR: 200222
Submitted by: Franco Fichtner <franco opnsense.org>
Notes:
svn path=/head/; revision=283061
discontinued by its initial authors. In FreeBSD the code was already
slightly edited during the pf(4) SMP project. It is about to be edited
more in the projects/ifnet. Moving out of contrib also allows removing
several hacks to the make glue.
Reviewed by: net@
Notes:
svn path=/head/; revision=281613
If the direction is not PF_OUT we can never be forwarding. Some input packets
have rcvif != ifp (looped back packets), which lead us to ip6_forward() inbound
packets, causing panics.
Equally, we need to ensure that packets were really received and not locally
generated before trying to ip6_forward() them.
Differential Revision: https://reviews.freebsd.org/D2286
Approved by: gnn(mentor)
Notes:
svn path=/head/; revision=281536
set past this point in the code. The packet should be dropped and
not massaged as it is here.
Differential Revision: https://reviews.freebsd.org/D2266
Submitted by: eri
Sponsored by: Rubicon Communications (Netgate)
Notes:
svn path=/head/; revision=281529
In cases where we scrub (fragment reassemble) on both input and output
we risk ending up in infinite loops when forwarding packets.
Fragmented packets come in and get collected until we can defragment. At
that point the defragmented packet is handed back to the ip stack (at
the pfil point in ip6_input()). Normal processing continues.
Eventually we figure out that the packet has to be forwarded and we end
up at the pfil hook in ip6_forward(). After doing the inspection on the
defragmented packet we see that the packet has been defragmented and
because we're forwarding we have to refragment it.
In pf_refragment6() we split the packet up again and then ip6_forward()
the individual fragments. Those fragments hit the pfil hook on the way
out, so they're collected until we can reconstruct the full packet, at
which point we're right back where we left off and things continue until
we run out of stack.
Break that loop by marking the fragments generated by pf_refragment6()
as M_SKIP_FIREWALL. There's no point in processing those packets in the
firewall anyway. We've already filtered on the full packet.
Differential Revision: https://reviews.freebsd.org/D2197
Reviewed by: glebius, gnn
Approved by: gnn (mentor)
Notes:
svn path=/head/; revision=281164
where we want to create a new IP datagram.
o Add support for RFC6864, which allows setting the IP ID for atomic IP
datagrams to any value, to improve performance. The behaviour is
controlled by net.inet.ip.rfc6864 sysctl knob, which is enabled by
default.
o In case we generate the IP ID, use counter(9) to improve performance.
o Gather all code related to IP ID into ip_id.c.
Differential Revision: https://reviews.freebsd.org/D2177
Reviewed by: adrian, cy, rpaulo
Tested by: Emeric POUPON <emeric.poupon stormshield.eu>
Sponsored by: Netflix
Sponsored by: Nginx, Inc.
Relnotes: yes
Notes:
svn path=/head/; revision=280971
On Ethernet, packets have a minimal length, so very short packets get padding
appended to them. This padding is not stripped off in ip6_input() (due to
support for IPv6 Jumbograms, RFC2675).
That means PF needs to be careful when reassembling fragmented packets to not
include the padding in the reassembled packet.
While here also remove the 'Magic from ip_input.' bits. Splitting up and
re-joining an mbuf chain here doesn't make any sense.
Differential Revision: https://reviews.freebsd.org/D2189
Approved by: gnn (mentor)
Notes:
svn path=/head/; revision=280956
When forwarding fragmented IPv6 packets and filtering with PF we
reassemble and refragment. That means we generate new fragment headers
and a new fragment ID.
We already save the fragment IDs so we can do the reassembly so it's
straightforward to apply the incoming fragment ID on the refragmented
packets.
Differential Revision: https://reviews.freebsd.org/D2188
Approved by: gnn (mentor)
Notes:
svn path=/head/; revision=280955
Missed in 278925.
Notes:
svn path=/head/; revision=280690
PR: 182401
Sponsored by: Nginx, Inc.
Notes:
svn path=/head/; revision=280169
consumed by filter. This fixes several panics due to accessing the mbuf
after free.
Submitted by: Kristof Provost
MFC after: 1 week
Notes:
svn path=/head/; revision=279910
In collaboration with: pluknet
Notes:
svn path=/head/; revision=278925
- style(9) declarations.
- Make a couple of local functions static.
Notes:
svn path=/head/; revision=278874
Notes:
svn path=/head/; revision=278868
size as they arrived in. This allows the sender to determine the optimal
fragment size by Path MTU Discovery.
Roughly based on the OpenBSD work by Alexander Bluhm.
Submitted by: Kristof Provost
Differential Revision: D1767
Notes:
svn path=/head/; revision=278843
That partially fixes IPv6 fragment handling. Thanks to Kristof for
working on that.
Submitted by: Kristof Provost
Tested by: peter
Differential Revision: D1765
Notes:
svn path=/head/; revision=278831
very questionable, since it makes vimages more dependent on each other. But
the reason for the backout is that it screwed up shutting down the pf purge
threads, and now the kernel immediately panics on pf module unload. Although module
unloading isn't an advertised feature of pf, it is very important for
development process.
I'd like to not backout r276746, since in general it is good. But since it
has introduced numerous build breakages, that later were addressed in
r276841, r276756, r276747, I need to back it out as well. Better replay it
in clean fashion from scratch.
Notes:
svn path=/head/; revision=277519
They are already initialized by MTX_SYSINIT.
Submitted by: Nikos Vassiliadis <nvass@gmx.com>
Notes:
svn path=/head/; revision=276841
PR: 194515
Notes:
svn path=/head/; revision=276756
a single purge thread and clean up all vnets from this thread.
PR: 194515
Differential Revision: D1315
Submitted by: Nikos Vassiliadis <nvass@gmx.com>
Notes:
svn path=/head/; revision=276747
Split functions that initialize various pf parts into their
vimage parts and global parts.
Since global parts appeared to be only mutex initializations, just
abandon them and use MTX_SYSINIT() instead.
Kill my incorrect VNET_FOREACH() iterator and instead use correct
approach with VNET_SYSINIT().
PR: 194515
Differential Revision: D1309
Submitted by: glebius, Nikos Vassiliadis <nvass@gmx.com>
Reviewed by: trociny, zec, gnn
Notes:
svn path=/head/; revision=276746
Calculate checksums for the IPv6 path when needed before
delving into pf(4) code as required.
PR: 172648, 179392
Reviewed by: glebius@
Approved by: gnn@
Obtained from: pfSense
MFC after: 1 week
Sponsored by: Netgate
Notes:
svn path=/head/; revision=274709
Suggested by: kib
Notes:
svn path=/head/; revision=274320
Notes:
svn path=/head/; revision=274315
Sponsored by: Nginx, Inc.
Notes:
svn path=/head/; revision=274225
- Wrong integer type was specified.
- Wrong or missing "access" specifier. The "access" specifier
sometimes included the SYSCTL type, which it should not, except for
procedural SYSCTL nodes.
- Logical OR where binary OR was expected.
- Properly assert the "access" argument passed to all SYSCTL macros,
using the CTASSERT macro. This applies to both static- and dynamically
created SYSCTLs.
- Properly assert the data type for both static and dynamic
SYSCTLs. In the case of static SYSCTLs we only assert that the data
pointed to by the SYSCTL data pointer has the correct size, hence
there is no easy way to assert types in the C language outside a
C-function.
- Rewrote some code which doesn't pass a constant "access" specifier
when creating dynamic SYSCTL nodes, which is now a requirement.
- Updated "EXAMPLES" section in SYSCTL manual page.
MFC after: 3 days
Sponsored by: Mellanox Technologies
Notes:
svn path=/head/; revision=273377
so they match the established idiom. Document them in hash(9).
MFC after: 1 month
MFC with: r272906
Notes:
svn path=/head/; revision=273268
this showed a conservative 3% increase in PPS.
Differential Revision: https://reviews.freebsd.org/D461
Submitted by: des
Reviewed by: emaste
MFC after: 1 month
Notes:
svn path=/head/; revision=272906
Radix has never managed its locking itself.
The only consumer using radix with embedded rwlock
is system routing table. Move per-AF lock inits there.
Notes:
svn path=/head/; revision=272361
Sponsored by: Nginx, Inc.
Notes:
svn path=/head/; revision=272358
Notes:
svn path=/head/; revision=271857
struct ifnet if_oqdrops.
Some netgraph modules used ifqueue w/o ifnet. Accounting of queue drops
is simply removed from them. There was no API to read this statistic.
Sponsored by: Netflix
Sponsored by: Nginx, Inc.
Notes:
svn path=/head/; revision=271856
- Use the new lock to protect against simultaneous DIOCSTART and/or
DIOCSTOP ioctls.
Reported & tested by: jmallett
Sponsored by: Nginx, Inc.
Notes:
svn path=/head/; revision=271458
Sponsored by: Nginx, Inc.
Notes:
svn path=/head/; revision=271006
"route-to" may still forward it.
PR: 177808
Submitted by: Kajetan Staszkiewicz <kajetan.staszkiewicz innogames.de>
Sponsored by: InnoGames GmbH
Notes:
svn path=/head/; revision=270928
PR: 184003
Submitted by: Kajetan Staszkiewicz <vegeta tuxpowered.net>
Sponsored by: InnoGames GmbH
Notes:
svn path=/head/; revision=270023
otherwise bad consequences including a routing loop can occur.
Move pf_set_rt_ifp() earlier in state creation sequence and
inline it, cutting some extra code.
PR: 183997
Submitted by: Kajetan Staszkiewicz <vegeta tuxpowered.net>
Sponsored by: InnoGames GmbH
Notes:
svn path=/head/; revision=270022
PR: 127920
Submitted by: Kajetan Staszkiewicz <vegeta tuxpowered.net>
Sponsored by: InnoGames GmbH
Notes:
svn path=/head/; revision=270010
This is a follow up to r269699.
Phabric: D564
Reviewed by: jhb
Notes:
svn path=/head/; revision=270008
- Do not count global number of states and of src_nodes,
use uma_zone_get_cur() to obtain values.
- Struct pf_status becomes merely an ioctl API structure,
and moves to netpfil/pf/pf.h with its constants.
- V_pf_status is now of type struct pf_kstatus.
Submitted by: Kajetan Staszkiewicz <vegeta tuxpowered.net>
Sponsored by: InnoGames GmbH
Notes:
svn path=/head/; revision=269998
only one protocol switch structure that is shared between ipv4 and ipv6.
Phabric: D476
Reviewed by: jhb
Notes:
svn path=/head/; revision=269699
on stack to avoid unaligned access.
PR: 187381
Submitted by: Lytochkin Boris <lytboris gmail.com>
Notes:
svn path=/head/; revision=268492