Commit Graph

52 Commits

Author SHA1 Message Date
Daniel Hartmeier
d4f925e4df Use the packet's address family instead of the rule's when selecting a
replacement address for an rdr rule. Some rdr rules have no address family
(when the replacement is a table and no other criterion implies one AF).
In this case, pf would fail to select a replacement address and drop the
packet due to translation failure.

Found by:	Gustavo A. Baratto
2005-01-20 18:07:35 +00:00
Daniel Hartmeier
9624b04d64 Prohibit ruleset changes at securelevel > 2, not > 1. It's documented
like this in init(8), but the code didn't match the documentation.

Submitted by:	Juraj Lutter <otis at sk dot FreeBSD dot org>
Agrees:		mlaier
2005-01-19 21:37:00 +00:00
Daniel Hartmeier
2726bbe221 Initialise init_addr in pf_map_addr() in the PF_POOL_ROUNDROBIN,
prevents a possible endless loop in pf_get_sport() with 'static-port'

ICMP state entries use the ICMP ID as port for the unique state key. When
checking for a usable key, construct the key in the same way. Otherwise,
a colliding key might be missed or a state insertion might be refused even
though it could be inserted. The second case triggers the endless loop,
possibly allowing a NATed LAN client to lock up the kernel.

PR:			kern/74930
Reported and tested by:	Hugo Silva, Srebrenko Sehic
MFC after:		3 days
2004-12-19 19:43:04 +00:00
Max Laier
7cadbe4109 Compile pfsync w/o bpf.
Noticed by:	"Jayel Villamin" <jarthel operamail com>
2004-12-10 17:42:47 +00:00
Daniel Hartmeier
8092705059 IPv6 packets can contain headers (like options) before the TCP/UDP/ICMP6
header. pf finds the first TCP/UDP/ICMP6 header to filter by traversing
the header chain. In the case where headers are skipped, the protocol
checksum verification used the wrong length (included the skipped headers),
leading to incorrectly mismatching checksums. Such IPv6 packets with
headers were silently dropped.

Discovered by:	Bernhard Schmidt
MFC after:	1 week
2004-12-05 12:15:43 +00:00
Daniel Hartmeier
1a4a376387 fix a bug that leads to a crash when binat rules of the form
'binat from ... to ... -> (if)' are used, where the interface
is dynamic.

Discovered by:	kos(at)bastard(dot)net
Analyzed by:	Pyun YongHyeon
Approved by:	mlaier (mentor)
MFC after:	1 week
2004-11-24 00:43:34 +00:00
Ruslan Ermilov
9528cdfa6e Removed the remnants of gx(4). 2004-11-08 20:24:52 +00:00
Max Laier
a9052a1691 Improved interface handling. This should fix the use of renamed interfaces
(ifconfig xl0 name foo) as well as some special interfaces such as the 6to4
tunnel.

Reported by:	Ed Schouten <ed (at) il ! fontys , nl>
Tested by:	freebsd-pf
PR:		kern/72444
MFC after:	3 weeks
2004-11-03 17:21:12 +00:00
Max Laier
b6b3698c8e Fix a panic discovered with some apache2 configure test (that seemed to
trigger a socket creation race some some kind). Checking for non-NULL socket
and credential is not a bad idea anyway. Unfortunatly too late for the
release.

Reported & tested by:	Gilbert Cao
MFC after:		2 weeks
2004-10-24 19:35:02 +00:00
Max Laier
d6a8d58875 Add an additional struct inpcb * argument to pfil(9) in order to enable
passing along socket information. This is required to work around a LOR with
the socket code which results in an easy reproducible hard lockup with
debug.mpsafenet=1. This commit does *not* fix the LOR, but enables us to do
so later. The missing piece is to turn the filter locking into a leaf lock
and will follow in a seperate (later) commit.

This will hopefully be MT5'ed in order to fix the problem for RELENG_5 in
forseeable future.

Suggested by:		rwatson
A lot of work by:	csjp (he'd be even more helpful w/o mentor-reviews ;)
Reviewed by:		rwatson, csjp
Tested by:		-pf, -ipfw, LINT, csjp and myself
MFC after:		3 days

LOR IDs:		14 - 17 (not fixed yet)
2004-09-29 04:54:33 +00:00
Max Laier
7ea7663ca4 Protect sockaddr_union definitions with a protecting define. This allows to
build kernels with FAST_IPSEC and PF. This is the least disruptive fix.

PR:		kern/71836
Reviewed by:	bms, various mailing lists
MFC after:	3 days
2004-09-23 12:44:40 +00:00
Max Laier
abd627ebb7 Break out altq_enable/disable from DIOC{START,STOP}ALTQ into seprate
functions that can be called from enable/disable pf as well. This improves
switching from non-altq ruleset to altq ruleset (and the other way 'round)
by a great deal and makes pfctl act like the user would except it to.

PR:		kern/71746
Tested by:	Aurilien "beorn" Rougemont (PR submitter)
MFC after:	3 days
2004-09-17 02:15:05 +00:00
Max Laier
4758aa2bd4 Reactivate skipping over bogus IPCP addresses on ppp interfaces. Be more
careful with the skip condition this time. Addresses are only not taken into
account if:
	- The interface is POINTTOPOINT
	- There is no route installed for the address
	- The user specified noalias (:0)
and	- We are looking at an IPv4 address.

This should be enough paranoia to not cause any false positives.

PR:	 	misc/69954
Discussed with:	yongari
MFC after:	4 days
2004-09-14 15:20:24 +00:00
Max Laier
f78086efb6 Move pf* init from SI_SUB_PSEUDO to SI_SUB_PROTO_IFATTACHDOMAIN where it is
save to call if_attachdomain from if_attach() (as done for if_loop.c). We
will now end up with a properly initialized if_afdata array and the nd6
callout will no longer try to deref a NULL pointer.

Still this is a temp workaround and the locking for if_afdata should be
revisited at a later point.

Requested by:			rwatson
Discussed with and tested by:	yongari (a while ago)
PR:				kern/70393
MFC after:			5 days
2004-09-14 03:12:01 +00:00
Max Laier
c9f6794e2e One more round on the H/W supported checksum code: Fix NICs that can't do
the pseudo header. We really need the TCP packet length here. This happens
to end up in ip->ip_len in tcp_input.c, but here we should get it from the
len function variable instead.

Submitted by:	yongari
Tested by:	Nicolas Linard, yongari (sparc64 + hme)
MFC after:	5 days
2004-09-11 11:18:25 +00:00
Max Laier
7fff37fc15 Use securelevel_gt instead of reading global securelevel unprotected.
Submitted by:	yongari
MFC after:	3 days
2004-08-22 15:23:48 +00:00
Max Laier
e89d8405c7 Comment out rev. 1.4 after problems w/ IPv6, a better solution must be
found.
2004-08-16 17:58:12 +00:00
David Malone
1f44b0a1b5 Get rid of the RANDOM_IP_ID option and make it a sysctl. NetBSD
have already done this, so I have styled the patch on their work:

        1) introduce a ip_newid() static inline function that checks
        the sysctl and then decides if it should return a sequential
        or random IP ID.

        2) named the sysctl net.inet.ip.random_id

        3) IPv6 flow IDs and fragment IDs are now always random.
        Flow IDs and frag IDs are significantly less common in the
        IPv6 world (ie. rarely generated per-packet), so there should
        be smaller performance concerns.

The sysctl defaults to 0 (sequential IP IDs).

Reviewed by:	andre, silby, mlaier, ume
Based on:	NetBSD
MFC after:	2 months
2004-08-14 15:32:40 +00:00
Max Laier
571065e55f Loopback fix from Mathieu Sauve-Frankel:
Add missing check for NULL in DIOCCHANGERULE. This prevents a crash
	in certain rare cases.
2004-08-12 14:15:42 +00:00
Max Laier
01105bbf3b Loopback fix from Daniel Hartmeier:
pf_cksum_fixup() was called without last argument from
	normalization, also fixup checksum when random-id modifies ip_id.
	This would previously lead to incorrect checksums for packets
	modified by scrub random-id.

(Originally) Submitted by:	yongari
2004-08-12 13:59:44 +00:00
Max Laier
91a9e0b42b Loopback fix from Henning Brauer:
skip over interface addresses without IFA_ROUTE, fixes some issue
	with pppd

PR:	misc/69954
2004-08-12 13:54:50 +00:00
Max Laier
8de5b6f306 Use in_cksum_skip() to calculate in4_cksum instead of doing handrolled magic
(that does not compile with !gcc). Moreover we get the benefit for all archs
that have a hand optimized in_cksum_skip().

Submitted by:	yongari
Tested by:	me (i386, extensivly), pf4freebsd ML (various)
2004-08-05 20:41:38 +00:00
Alexander Kabaev
7e86873d5c Initialize s variable early to shut up GCC warnings.
Do not declare inline functions without body as this is useless in
general and generates a warning with GCC 3.4.x.

Glanced over by:	dhartmei
2004-07-28 06:14:44 +00:00
Max Laier
c99c1da589 Fix the following LOR on pf module unload:
1st ifnet (ifnet) @/usr/src/sys/contrib/pf/net/pf_if.c:191
2nd pf task mtx (pf task mtx) @/usr/src/sys/contrib/pf/net/pf_if.c:197

Reported by:	Pyun YongHyeon (a long time ago)
2004-07-23 03:37:05 +00:00
Max Laier
bb73d87a1e Refine pf_check_proto_cksum() a bit in order to avoid additional in_pseudo()
calls further down the stack. If we find the cksum to be okay we pretend
that the hardware did all the work and hence keep the upper layers from
checking again.

Submitted by:	Pyun YongHyeon
2004-07-23 03:31:42 +00:00
Max Laier
e89865e516 Fix a stupid attemp to apply host arithmetics to network byte ordered data.
This fixes checksum for some drivers with partial H/W ckcsum offloads.

Reported by:	Simon 'corecode' Schubert, Devon H. O'Dell, hmp
Reviewed by:	Pyun YongHyeon
2004-07-18 14:25:48 +00:00
Max Laier
a9ce8750b6 m_tag_copy takes an additional "how" parameter in FreeBSD.
Submitted by:	rwatson
2004-07-18 00:51:56 +00:00
Max Laier
0ad9506fab Merge in a stable fix from OpenBSD:
MFC:
  Fix by dhartmei@

  change pf_route() loop detection: introduce a counter (number of times
  a packet is routed already) in the mbuf tag, allow at most four times.
  Fixes some legitimate cases broken by the previous change.

Reviewed by:	dhartmei
2004-07-17 17:15:15 +00:00
Max Laier
c550f2206d Define semantic of M_SKIP_FIREWALL more precisely, i.e. also pass associated
icmp_error() packets. While here retire PACKET_TAG_PF_GENERATED (which
served the same purpose) and use M_SKIP_FIREWALL in pf as well. This should
speed up things a bit as we get rid of the tag allocations.

Discussed with:	juli
2004-07-17 05:10:06 +00:00
Brooks Davis
f889d2ef8d Major overhaul of pseudo-interface cloning. Highlights include:
- Split the code out into if_clone.[ch].
 - Locked struct if_clone. [1]
 - Add a per-cloner match function rather then simply matching names of
   the form <name><unit> and <name>.
 - Use the match function to allow creation of <interface>.<tag>
   vlan interfaces.  The old way is preserved unchanged!
 - Also the match function to allow creation of stf(4) interfaces named
   stf0, stf, or 6to4.  This is the only major user visible change in
   that "ifconfig stf" creates the interface stf rather then stf0 and
   does not print "stf0" to stdout.
 - Allow destroy functions to fail so they can refuse to delete
   interfaces.  Currently, we forbid the deletion of interfaces which
   were created in the init function, particularly lo0, pflog0, and
   pfsync0.  In the case of lo0 this was a panic implementation so it
   does not count as a user visiable change. :-)
 - Since most interfaces do not need the new functionality, an family of
   wrapper functions, ifc_simple_*(), were created to wrap old style
   cloner functions.
 - The IF_CLONE_INITIALIZER macro is replaced with a new incompatible
   IFC_CLONE_INITIALIZER and ifc_simple consumers use IFC_SIMPLE_DECLARE
   instead.

Submitted by:   Maurycy Pawlowski-Wieronski <maurycy at fouk.org> [1]
Reviewed by:    andre, mlaier
Discussed on:	net
2004-06-22 20:13:25 +00:00
Max Laier
c0d431fe31 Import two fixes from the OpenBSD stable branch:
- prevent an endless loop with route-to lo0, fixes PR 3736 (dhartmei@)
 - The rule_number parameter for pf_get_pool() needs to be 32 bits, not 8 -
   this fixes corruption of the address pools with large rulesets.
   (mcbride@, pb@)

Reviewed-by:	dhartmei
2004-06-17 16:59:47 +00:00
Max Laier
7c1fe95333 Commit pf version 3.5 and link additional files to the kernel build.
Version 3.5 brings:
 - Atomic commits of ruleset changes (reduce the chance of ending up in an
   inconsistent state).
 - A 30% reduction in the size of state table entries.
 - Source-tracking (limit number of clients and states per client).
 - Sticky-address (the flexibility of round-robin with the benefits of
   source-hash).
 - Significant improvements to interface handling.
 - and many more ...
2004-06-16 23:24:02 +00:00
Max Laier
779616355a This commit was generated by cvs2svn to compensate for changes in r130610,
which included commits to RCS files with non-trunk default branches.
2004-06-16 23:03:14 +00:00
Max Laier
32b3098356 Import pf from OpenBSD 3.5 (OPENBSD_3_5_BASE) 2004-06-16 23:03:14 +00:00
Poul-Henning Kamp
89c9c53da0 Do the dreaded s/dev_t/struct cdev */
Bump __FreeBSD_version accordingly.
2004-06-16 09:47:26 +00:00
Max Laier
4e6d06effe Remove some more leftover from the old pfaltq_module hack to allow for
kernels w/ pf, but w/o altq.

Reported-by:	 Xin LI
2004-06-14 16:13:05 +00:00
Max Laier
cc4dbc7c7d Prepare pf for building with ALTQ:
- remove old pfaltq module linkage
 - move pfaltq_running to pf_ioctl.c It is protected by PF_LOCK()
2004-06-13 01:36:31 +00:00
Max Laier
1fb675e712 "Get rid of the nested include of <sys/module.h> from <sys/kernel.h>" or
better do no longer depend on it.

Requested-by:	phk
Approved-by:	bms(mentor)
2004-05-31 22:48:19 +00:00
Daniel Hartmeier
01044eaadc Commit three imported bugfixes from OpenBSD 3.4-stable:
- change pf_get_pool() argument rule_number type from u_int32_t
    to u_int8_t, fixes corruption of address pools with large
    rulesets (mcbride@)
  - prevent endless loops with route-to (dhartmei@)
  - limit option length to 2 octets max (frantzen@)

Obtained from:	OpenBSD
Approved by:	mlaier(mentor), bms(mentor)
2004-05-02 20:47:24 +00:00
Daniel Hartmeier
ac529e0479 Import OpenBSD 3.4-stable fixes 2004-05-02 19:43:28 +00:00
Brooks Davis
bb2bfb4fa9 Staticize <if>_clone_{create,destroy} functions.
Reviewed by:	mlaier
2004-04-14 00:57:49 +00:00
Max Laier
00e7fbfb60 Commit import of OpenBSD-stable fix:
Fix by dhartmei@ and mcbride@
 1.433
 Properly m_copyback() modified TCP sequence number after demodulation
 1.432
 Fix icmp checksum when sequence number modlation is being used.
 Also fix a daddr vs saddr cut-n-paste error in ICMP error handling.

 Fixes PR 3724

Obtained from:	OpenBSD
Reviewed by:	dhartmei
Approved by:	rwatson
2004-04-11 17:35:40 +00:00
Max Laier
f43690eb9e Import another fix from the OpenBSD-Stable branch:
Fix by dhartmei@ and mcbride@
 1.433
 Properly m_copyback() modified TCP sequence number after demodulation
 1.432
 Fix icmp checksum when sequence number modlation is being used.
 Also fix a daddr vs saddr cut-n-paste error in ICMP error handling.

 Fixes PR 3724
2004-04-11 17:28:22 +00:00
Max Laier
eaa7035b13 Shut up a couple of annoying gcc warnings. Do not enclose the fixes with
#ifdefs in order to loop it back to OpenBSD after the next import. There are
a some implicit asserts involved which might be better spelled out
explicitly (af == AF_INET ...)

Approved by:	bms(mentor)
2004-03-30 18:28:30 +00:00
Max Laier
cf5011b74a Commit two fixes from OpenBSD's stable branch:
- Fix binat for incoming connections when a netblock (not just a single
  address) is used for source in the binat rule. closes PR 3535, reported by
  Karl O.Pinc. ok henning@, cedric@

- Fix a problem related to empty anchor rulesets, which could cause a kernel
  panic.

Approved by:	bms(mentor)
2004-03-28 20:04:12 +00:00
Max Laier
b855d39384 Import two fixes from OpenBSD's stable branch:
- Fix binat for incoming connections when a netblock (not just a single
  address) is used for source in the binat rule. closes PR 3535, reported by
  Karl O.Pinc. ok henning@, cedric@

- Fix a problem related to empty anchor rulesets, which could cause a kernel
  panic.

Approved by:	bms(mentor)
2004-03-28 19:31:37 +00:00
Max Laier
cc7e902276 Style(9) round for the pf kernel parts. Mostly #if defined() -> #ifdef
Also set HOOK_HACK to true (remove the related #ifdef's) as we have the
hooks in the kernel this was missed during the merge from the port.

Noticed by:	Amir S.	(for the HOOK_HACK part)
Approved by:	bms(mentor)
2004-03-17 21:11:02 +00:00
Max Laier
7b3832e8d6 Remove `$Name$' leftovers from the port version reporting.
Noticed by:	Craig Rodrigues
Approved by:	bms(mentor)
2004-03-10 15:08:21 +00:00
Max Laier
01315efca3 Remove __inline keyword from functions that can't be inlined according to
LINT. This fixes LINT compliation for now, but needs to be revised.
Changes do not affect the objects.

Approved by:	bms(mentor)
2004-02-29 16:34:43 +00:00
Max Laier
cc5934f5af Tweak existing header and other build infrastructure to be able to build
pf/pflog/pfsync as modules. Do not list them in NOTES or modules/Makefile
(i.e. do not connect it to any (automatic) builds - yet).

Approved by: bms(mentor)
2004-02-26 03:53:54 +00:00