path: root/sys/netpfil/pf
Commit log (each entry: commit message, then author, date, files changed, lines removed/added)
* ALTQ FAIRQ discipline import from DragonFLY
  Ermal Luçi, 2015-06-24, 3 files, -0/+34

  Differential Revision: https://reviews.freebsd.org/D2847
  Reviewed by: glebius, wblock(manpage)
  Approved by: gnn(mentor)
  Obtained from: pfSense
  Sponsored by: Netgate
  Notes: svn path=/head/; revision=284777
* pf: Remove frc_direction
  Kristof Provost, 2015-06-11, 1 file, -7/+3

  We don't use the direction of the fragments for anything. The frc_direction field is assigned, but never read. Just remove it.

  Differential Revision: https://reviews.freebsd.org/D2773
  Approved by: philip (mentor)
  Notes: svn path=/head/; revision=284280
* pf: Save the protocol number in the pf_fragment
  Kristof Provost, 2015-06-11, 1 file, -0/+1

  When we try to look up a pf_fragment with pf_find_fragment() we compare (see pf_frag_compare()) addresses (and family), id but also protocol. We failed to save the protocol to the pf_fragment in pf_fragcache(), resulting in failing reassembly.

  Differential Revision: https://reviews.freebsd.org/D2772
  Notes: svn path=/head/; revision=284260
* pf: address family must be set when creating a pf_fragment
  Kristof Provost, 2015-06-10, 1 file, -0/+1

  Fix a panic when handling fragmented ip4 packets with 'drop-ovl' set.

  In that scenario we take a different branch in pf_normalize_ip(), taking us to pf_fragcache() (rather than pf_reassemble()). In pf_fragcache() we create a pf_fragment, but do not set the address family. This leads to a panic when we try to insert that into pf_frag_tree because pf_addr_cmp(), which is used to compare the pf_fragments, doesn't know what to do if the address family is not set.

  Simply ensure that the address family is set correctly (always AF_INET in this path).

  PR: 200330
  Differential Revision: https://reviews.freebsd.org/D2769
  Approved by: philip (mentor), gnn (mentor)
  Notes: svn path=/head/; revision=284222
* CALLOUT_MPSAFE has lost its meaning since r141428, i.e., for more than ten years for head.
  Jung-uk Kim, 2015-05-22, 1 file, -1/+1

  However, it is continuously misused as the mpsafe argument for callout_init(9). Deprecate the flag and clean up callout_init() calls to make them more consistent.

  Differential Revision: https://reviews.freebsd.org/D2613
  Reviewed by: jhb
  MFC after: 2 weeks
  Notes: svn path=/head/; revision=283291
* Use MTX_SYSINIT() instead of mtx_init() to separate mutex initialization from associated structures initialization. The mutexes are global, while the structures are per-vnet.
  Gleb Smirnoff, 2015-05-19, 3 files, -17/+9

  Submitted by: Nikos Vassiliadis <nvass gmx.com>
  Notes: svn path=/head/; revision=283107
* During module unload unlock rules before destroying UMA zones, which may sleep in uma_drain(). It is safe to unlock here, since we are already dehooked from pfil(9) and all pf threads had quit.
  Gleb Smirnoff, 2015-05-19, 1 file, -1/+1

  Sponsored by: Nginx, Inc.
  Notes: svn path=/head/; revision=283106
* A miss from r283061: don't dereference NULL if pf_get_mtag() fails.
  Gleb Smirnoff, 2015-05-18, 1 file, -2/+4

  PR: 200222
  Submitted by: Franco Fichtner <franco opnsense.org>
  Notes: svn path=/head/; revision=283063
* Don't dereference NULL if pf_get_mtag() fails.
  Gleb Smirnoff, 2015-05-18, 1 file, -12/+14

  PR: 200222
  Submitted by: Franco Fichtner <franco opnsense.org>
  Notes: svn path=/head/; revision=283061
* Move ALTQ from contrib to net/altq. The ALTQ code has for many years been discontinued by its initial authors. In FreeBSD the code was already slightly edited during the pf(4) SMP project. It is about to be edited more in the projects/ifnet. Moving out of contrib also allows removing several hacks to the make glue.
  Gleb Smirnoff, 2015-04-16, 1 file, -1/+1

  Reviewed by: net@
  Notes: svn path=/head/; revision=281613
* pf: Fix forwarding detection
  Kristof Provost, 2015-04-14, 1 file, -1/+1

  If the direction is not PF_OUT we can never be forwarding. Some input packets have rcvif != ifp (looped back packets), which led us to ip6_forward() inbound packets, causing panics.

  Equally, we need to ensure that packets were really received and not locally generated before trying to ip6_forward() them.

  Differential Revision: https://reviews.freebsd.org/D2286
  Approved by: gnn(mentor)
  Notes: svn path=/head/; revision=281536
* I can find no reason to allow packets with both SYN and FIN bits set past this point in the code. The packet should be dropped and not massaged as it is here.
  George V. Neville-Neil, 2015-04-14, 1 file, -1/+1

  Differential Revision: https://reviews.freebsd.org/D2266
  Submitted by: eri
  Sponsored by: Rubicon Communications (Netgate)
  Notes: svn path=/head/; revision=281529
* pf: Skip firewall for refragmented ip6 packets
  Kristof Provost, 2015-04-06, 1 file, -0/+1

  In cases where we scrub (fragment reassemble) on both input and output we risk ending up in infinite loops when forwarding packets.

  Fragmented packets come in and get collected until we can defragment. At that point the defragmented packet is handed back to the ip stack (at the pfil point in ip6_input()). Normal processing continues. Eventually we figure out that the packet has to be forwarded and we end up at the pfil hook in ip6_forward(). After doing the inspection on the defragmented packet we see that the packet has been defragmented and because we're forwarding we have to refragment it. In pf_refragment6() we split the packet up again and then ip6_forward() the individual fragments. Those fragments hit the pfil hook on the way out, so they're collected until we can reconstruct the full packet, at which point we're right back where we left off and things continue until we run out of stack.

  Break that loop by marking the fragments generated by pf_refragment6() as M_SKIP_FIREWALL. There's no point in processing those packets in the firewall anyway. We've already filtered on the full packet.

  Differential Revision: https://reviews.freebsd.org/D2197
  Reviewed by: glebius, gnn
  Approved by: gnn (mentor)
  Notes: svn path=/head/; revision=281164
* o Use new function ip_fillid() in all places throughout the kernel, where we want to create a new IP datagram.
  Gleb Smirnoff, 2015-04-01, 2 files, -3/+3

  o Add support for RFC6864, which allows setting the IP ID for atomic IP datagrams to any value, to improve performance. The behaviour is controlled by the net.inet.ip.rfc6864 sysctl knob, which is enabled by default.
  o In case we generate the IP ID, use counter(9) to improve performance.
  o Gather all code related to IP ID into ip_id.c.

  Differential Revision: https://reviews.freebsd.org/D2177
  Reviewed by: adrian, cy, rpaulo
  Tested by: Emeric POUPON <emeric.poupon stormshield.eu>
  Sponsored by: Netflix
  Sponsored by: Nginx, Inc.
  Relnotes: yes
  Notes: svn path=/head/; revision=280971
* pf: Deal with runt packets
  Kristof Provost, 2015-04-01, 1 file, -4/+4

  On Ethernet, packets have a minimal length, so very short packets get padding appended to them. This padding is not stripped off in ip6_input() (due to support for IPv6 Jumbograms, RFC2675). That means PF needs to be careful when reassembling fragmented packets to not include the padding in the reassembled packet.

  While here also remove the 'Magic from ip_input.' bits. Splitting up and re-joining an mbuf chain here doesn't make any sense.

  Differential Revision: https://reviews.freebsd.org/D2189
  Approved by: gnn (mentor)
  Notes: svn path=/head/; revision=280956
* Preserve IPv6 fragment IDs across reassembly and refragmentation
  Kristof Provost, 2015-04-01, 1 file, -1/+7

  When forwarding fragmented IPv6 packets and filtering with PF we reassemble and refragment. That means we generate new fragment headers and a new fragment ID. We already save the fragment IDs so we can do the reassembly so it's straightforward to apply the incoming fragment ID on the refragmented packets.

  Differential Revision: https://reviews.freebsd.org/D2188
  Approved by: gnn (mentor)
  Notes: svn path=/head/; revision=280955
* Static'ize pf_fillup_fragment body to match its declaration.
  Sergey Kandaurov, 2015-03-26, 1 file, -1/+1

  Missed in 278925.

  Notes: svn path=/head/; revision=280690
* Always lock the hash row of a source node when updating its 'states' counter.
  Gleb Smirnoff, 2015-03-17, 2 files, -66/+59

  PR: 182401
  Sponsored by: Nginx, Inc.
  Notes: svn path=/head/; revision=280169
* Reset mbuf pointer to NULL in fastroute case to indicate that mbuf was consumed by filter. This fixes several panics due to accessing the mbuf after free.
  Andrey V. Elsukov, 2015-03-12, 1 file, -0/+1

  Submitted by: Kristof Provost
  MFC after: 1 week
  Notes: svn path=/head/; revision=279910
* Even more fixes to !INET and !INET6 kernels.
  Gleb Smirnoff, 2015-02-17, 1 file, -17/+14

  In collaboration with: pluknet
  Notes: svn path=/head/; revision=278925
* - Improve INET/INET6 scope.
  Gleb Smirnoff, 2015-02-16, 1 file, -34/+31

  - style(9) declarations.
  - Make a couple of local functions static.

  Notes: svn path=/head/; revision=278874
* Toss declarations to fix regular build and NO_INET6 build.
  Gleb Smirnoff, 2015-02-16, 1 file, -3/+5

  Notes: svn path=/head/; revision=278868
* In the forwarding case refragment the reassembled packets with the same size as they arrived in. This allows the sender to determine the optimal fragment size by Path MTU Discovery.
  Gleb Smirnoff, 2015-02-16, 4 files, -2/+93

  Roughly based on the OpenBSD work by Alexander Bluhm.

  Submitted by: Kristof Provost
  Differential Revision: D1767
  Notes: svn path=/head/; revision=278843
* Update the pf fragment handling code to closer match recent OpenBSD. That partially fixes IPv6 fragment handling.
  Gleb Smirnoff, 2015-02-16, 2 files, -286/+552

  Thanks to Kristof for working on that.

  Submitted by: Kristof Provost
  Tested by: peter
  Differential Revision: D1765
  Notes: svn path=/head/; revision=278831
* Back out r276841, r276756, r276747, r276746. The change in r276747 is very very questionable, since it makes vimages more dependent on each other. But the reason for the backout is that it screwed up shutting down the pf purge threads, and now the kernel immediately panics on pf module unload. Although module unloading isn't an advertised feature of pf, it is very important for the development process.
  Gleb Smirnoff, 2015-01-22, 5 files, -93/+145

  I'd like to not back out r276746, since in general it is good. But since it has introduced numerous build breakages, that later were addressed in r276841, r276756, r276747, I need to back it out as well. Better replay it in clean fashion from scratch.

  Notes: svn path=/head/; revision=277519
* Do not initialize pfi_unlnkdkifs_mtx and pf_frag_mtx.
  Craig Rodrigues, 2015-01-08, 2 files, -8/+0

  They are already initialized by MTX_SYSINIT.

  Submitted by: Nikos Vassiliadis <nvass@gmx.com>
  Notes: svn path=/head/; revision=276841
* Reapply previous patch to fix build.
  Craig Rodrigues, 2015-01-06, 4 files, -39/+23

  PR: 194515
  Notes: svn path=/head/; revision=276756
* Instead of creating a purge thread for every vnet, create a single purge thread and clean up all vnets from this thread.
  Craig Rodrigues, 2015-01-06, 1 file, -58/+24

  PR: 194515
  Differential Revision: D1315
  Submitted by: Nikos Vassiliadis <nvass@gmx.com>
  Notes: svn path=/head/; revision=276747
* Merge: r258322 from projects/pf branch
  Craig Rodrigues, 2015-01-06, 5 files, -47/+53

  Split functions that initialize various pf parts into their vimage parts and global parts.

  Since global parts appeared to be only mutex initializations, just abandon them and use MTX_SYSINIT() instead.

  Kill my incorrect VNET_FOREACH() iterator and instead use correct approach with VNET_SYSINIT().

  PR: 194515
  Differential Revision: D1309
  Submitted by: glebius, Nikos Vassiliadis <nvass@gmx.com>
  Reviewed by: trociny, zec, gnn
  Notes: svn path=/head/; revision=276746
* pf(4) needs to have a correct checksum during its processing.
  Ermal Luçi, 2014-11-19, 1 file, -6/+6

  Calculate checksums for the IPv6 path when needed before delving into pf(4) code as required.

  PR: 172648, 179392
  Reviewed by: glebius@
  Approved by: gnn@
  Obtained from: pfSense
  MFC after: 1 week
  Sponsored by: Netgate
  Notes: svn path=/head/; revision=274709
* Finish r274315: remove union 'u' from struct pf_send_entry.
  Alexander V. Chernikov, 2014-11-09, 1 file, -16/+11

  Suggested by: kib
  Notes: svn path=/head/; revision=274320
* Remove unused 'struct route' fields.
  Alexander V. Chernikov, 2014-11-09, 1 file, -2/+0

  Notes: svn path=/head/; revision=274315
* Remove SYSCTL_VNET_* macros, and simply put CTLFLAG_VNET where needed.
  Gleb Smirnoff, 2014-11-07, 1 file, -1/+1

  Sponsored by: Nginx, Inc.
  Notes: svn path=/head/; revision=274225
* Fix multiple incorrect SYSCTL arguments in the kernel:
  Hans Petter Selasky, 2014-10-21, 1 file, -2/+2

  - Wrong integer type was specified.
  - Wrong or missing "access" specifier. The "access" specifier sometimes included the SYSCTL type, which it should not, except for procedural SYSCTL nodes.
  - Logical OR where binary OR was expected.
  - Properly assert the "access" argument passed to all SYSCTL macros, using the CTASSERT macro. This applies to both static- and dynamically created SYSCTLs.
  - Properly assert the data type for both static and dynamic SYSCTLs. In the case of static SYSCTLs we only assert that the data pointed to by the SYSCTL data pointer has the correct size, hence there is no easy way to assert types in the C language outside a C-function.
  - Rewrote some code which doesn't pass a constant "access" specifier when creating dynamic SYSCTL nodes, which is now a requirement.
  - Updated "EXAMPLES" section in SYSCTL manual page.

  MFC after: 3 days
  Sponsored by: Mellanox Technologies
  Notes: svn path=/head/; revision=273377
* Add a complete implementation of MurmurHash3. Tweak both implementations so they match the established idiom. Document them in hash(9).
  Dag-Erling Smørgrav, 2014-10-18, 1 file, -7/+7

  MFC after: 1 month
  MFC with: r272906
  Notes: svn path=/head/; revision=273268
* Change the PF hash from Jenkins to Murmur3. In forwarding tests this showed a conservative 3% increase in PPS.
  George V. Neville-Neil, 2014-10-10, 1 file, -7/+7

  Differential Revision: https://reviews.freebsd.org/D461
  Submitted by: des
  Reviewed by: emaste
  MFC after: 1 month
  Notes: svn path=/head/; revision=272906
* Remove lock init from radix.c.
  Alexander V. Chernikov, 2014-10-01, 1 file, -6/+2

  Radix has never managed its locking itself. The only consumer using radix with embedded rwlock is the system routing table. Move per-AF lock inits there.

  Notes: svn path=/head/; revision=272361
* Use rn_detachhead() instead of direct free(9) for radix tables.
  Gleb Smirnoff, 2014-10-01, 1 file, -2/+2

  Sponsored by: Nginx, Inc.
  Notes: svn path=/head/; revision=272358
* Mechanically convert to if_inc_counter().
  Gleb Smirnoff, 2014-09-19, 2 files, -8/+8

  Notes: svn path=/head/; revision=271857
* Remove ifq_drops from struct ifqueue. Now queue drops are accounted in struct ifnet if_oqdrops.
  Gleb Smirnoff, 2014-09-19, 2 files, -2/+1

  Some netgraph modules used ifqueue w/o ifnet. Accounting of queue drops is simply removed from them. There was no API to read this statistic.

  Sponsored by: Netflix
  Sponsored by: Nginx, Inc.
  Notes: svn path=/head/; revision=271856
* - Provide a sleepable lock to protect against ioctl() vs ioctl() races.
  Gleb Smirnoff, 2014-09-12, 1 file, -10/+7

  - Use the new lock to protect against simultaneous DIOCSTART and/or DIOCSTOP ioctls.

  Reported & tested by: jmallett
  Sponsored by: Nginx, Inc.
  Notes: svn path=/head/; revision=271458
* Clean up unused CSUM_FRAGMENT.
  Gleb Smirnoff, 2014-09-03, 1 file, -2/+1

  Sponsored by: Nginx, Inc.
  Notes: svn path=/head/; revision=271006
* Explicitly free packet on PF_DROP, otherwise a "quick" rule with "route-to" may still forward it.
  Gleb Smirnoff, 2014-09-01, 1 file, -0/+8

  PR: 177808
  Submitted by: Kajetan Staszkiewicz <kajetan.staszkiewicz innogames.de>
  Sponsored by: InnoGames GmbH
  Notes: svn path=/head/; revision=270928
* Do not look up source node twice when pf_map_addr() is used.
  Gleb Smirnoff, 2014-08-15, 2 files, -13/+19

  PR: 184003
  Submitted by: Kajetan Staszkiewicz <vegeta tuxpowered.net>
  Sponsored by: InnoGames GmbH
  Notes: svn path=/head/; revision=270023
* pf_map_addr() can fail and in this case we should drop the packet, otherwise bad consequences including a routing loop can occur.
  Gleb Smirnoff, 2014-08-15, 2 files, -29/+16

  Move pf_set_rt_ifp() earlier in state creation sequence and inline it, cutting some extra code.

  PR: 183997
  Submitted by: Kajetan Staszkiewicz <vegeta tuxpowered.net>
  Sponsored by: InnoGames GmbH
  Notes: svn path=/head/; revision=270022
* Fix synproxy with IPv6. pf_test6() was missing a check for M_SKIP_FIREWALL.
  Gleb Smirnoff, 2014-08-15, 1 file, -0/+3

  PR: 127920
  Submitted by: Kajetan Staszkiewicz <vegeta tuxpowered.net>
  Sponsored by: InnoGames GmbH
  Notes: svn path=/head/; revision=270010
* Change pr_output's prototype to avoid the need for explicit casts.
  Kevin Lo, 2014-08-15, 1 file, -1/+1

  This is a follow up to r269699.

  Phabric: D564
  Reviewed by: jhb
  Notes: svn path=/head/; revision=270008
* - Count global pf(4) statistics in counter(9).
  Gleb Smirnoff, 2014-08-14, 3 files, -23/+120

  - Do not count global number of states and of src_nodes, use uma_zone_get_cur() to obtain values.
  - Struct pf_status becomes merely an ioctl API structure, and moves to netpfil/pf/pf.h with its constants.
  - V_pf_status is now of type struct pf_kstatus.

  Submitted by: Kajetan Staszkiewicz <vegeta tuxpowered.net>
  Sponsored by: InnoGames GmbH
  Notes: svn path=/head/; revision=269998
* Merge 'struct ip6protosw' and 'struct protosw' into one. Now we have only one protocol switch structure that is shared between ipv4 and ipv6.
  Kevin Lo, 2014-08-08, 1 file, -4/+7

  Phabric: D476
  Reviewed by: jhb
  Notes: svn path=/head/; revision=269699
* On machines with strict alignment copy pfsync_state_key from packet on stack to avoid unaligned access.
  Gleb Smirnoff, 2014-07-10, 1 file, -15/+26

  PR: 187381
  Submitted by: Lytochkin Boris <lytboris gmail.com>
  Notes: svn path=/head/; revision=268492