missing and will be implemented in a second step. This is functional as is.
Tested by: freebsd-pf, pfsense.org
Obtained from: OpenBSD
X-MFC after: never (breaks API/ABI)
/usr/src/sbin/ipf/ipftest/../../../sys/contrib/ipfilter/netinet/ip_frag.c: In function `fr_ipid_newfrag':
/usr/src/sbin/ipf/ipftest/../../../sys/contrib/ipfilter/netinet/ip_frag.c:397: warning: cast to pointer from integer of different size
/usr/src/sbin/ipf/ipftest/../../../sys/contrib/ipfilter/netinet/ip_frag.c: In function `fr_ipid_knownfrag':
/usr/src/sbin/ipf/ipftest/../../../sys/contrib/ipfilter/netinet/ip_frag.c:582: warning: cast from pointer to integer of different size
destination windows were confused, one instead of other.
This error was masked, because first segment of just
established connection is usually smaller than initially
announced window, and it was successfully passed. First
window reannouncement corrected erroneous 'seqhi' value.
The error showed up when client connected to synproxy
with zero initial window, and reannounced it after
session establishment.
In collaboration with: dhartmei [we came to same patch independtly]
Reviewed by: mlaier
Sponsored by: Rambler
MFC after: 3 days
than defaulting the cmode argument to vn_open() to 0. Supply a default
argument of ALQ_DEFAULT_CMODE (0600) in current callers.
Discussed with/pointed out by: hmp
Reveiwed by: jeff, hmp
MFC after: 3 days
was a bad idea, but since it is done like this in the vendor source we keep
it around for older versions. As a safe guard against future misuse we don't
even define CALLOUT_INITIALIZER anymore.
This fixes ALTQ after callout_init_mtx() and takes altq_var.h off the vendor
branch.
Submitted by: Divacky Roman <xdivac02NOstud.fit.vutbrSPAMcz> (w/ changes)
replacement address for an rdr rule. Some rdr rules have no address family
(when the replacement is a table and no other criterion implies one AF).
In this case, pf would fail to select a replacement address and drop the
packet due to translation failure.
Found by: Gustavo A. Baratto
external source (i.e., _STA). The previous case only handled calls
occurring within AML. This should fix Toshibas, among others. Thanks
to Robert Moore of Intel for the fix.
MFC after: 2 days
prevents a possible endless loop in pf_get_sport() with 'static-port'
ICMP state entries use the ICMP ID as port for the unique state key. When
checking for a usable key, construct the key in the same way. Otherwise,
a colliding key might be missed or a state insertion might be refused even
though it could be inserted. The second case triggers the endless loop,
possibly allowing a NATed LAN client to lock up the kernel.
PR: kern/74930
Reported and tested by: Hugo Silva, Srebrenko Sehic
MFC after: 3 days
[Changes listed only since last public release 0.9.12.14; for changes
prior to that consult the CVS logs at http://madwifi.sourceforge.net]
o reorg directory structure to have a single set of public binary builds
shared by all systems
o support for new parts (all shipping pci/cardbus parts to this date work)
o new capabilities for identifying various chip features
o set/get tx power cap for supporting 802.11h information element
o revised api for set/get tx queue properties
o support for updating CTS in frames when doing packet bursting
o support for querying which tx queues have pending interrupts
header. pf finds the first TCP/UDP/ICMP6 header to filter by traversing
the header chain. In the case where headers are skipped, the protocol
checksum verification used the wrong length (included the skipped headers),
leading to incorrectly mismatching checksums. Such IPv6 packets with
headers were silently dropped.
Discovered by: Bernhard Schmidt
MFC after: 1 week
instead for the time being. Intel should fix this.
Note that if this commit is correct, it is made on the vendor branch.
We expect the Intel folks to fix it, and we don't want to unnecessarily
take files off the vendor branch.
Approved by: njl
MFC after: 1 week
'binat from ... to ... -> (if)' are used, where the interface
is dynamic.
Discovered by: kos(at)bastard(dot)net
Analyzed by: Pyun YongHyeon
Approved by: mlaier (mentor)
MFC after: 1 week
(ifconfig xl0 name foo) as well as some special interfaces such as the 6to4
tunnel.
Reported by: Ed Schouten <ed (at) il ! fontys , nl>
Tested by: freebsd-pf
PR: kern/72444
MFC after: 3 weeks
trigger a socket creation race some some kind). Checking for non-NULL socket
and credential is not a bad idea anyway. Unfortunatly too late for the
release.
Reported & tested by: Gilbert Cao
MFC after: 2 weeks
passing along socket information. This is required to work around a LOR with
the socket code which results in an easy reproducible hard lockup with
debug.mpsafenet=1. This commit does *not* fix the LOR, but enables us to do
so later. The missing piece is to turn the filter locking into a leaf lock
and will follow in a seperate (later) commit.
This will hopefully be MT5'ed in order to fix the problem for RELENG_5 in
forseeable future.
Suggested by: rwatson
A lot of work by: csjp (he'd be even more helpful w/o mentor-reviews ;)
Reviewed by: rwatson, csjp
Tested by: -pf, -ipfw, LINT, csjp and myself
MFC after: 3 days
LOR IDs: 14 - 17 (not fixed yet)
functions that can be called from enable/disable pf as well. This improves
switching from non-altq ruleset to altq ruleset (and the other way 'round)
by a great deal and makes pfctl act like the user would except it to.
PR: kern/71746
Tested by: Aurilien "beorn" Rougemont (PR submitter)
MFC after: 3 days
careful with the skip condition this time. Addresses are only not taken into
account if:
- The interface is POINTTOPOINT
- There is no route installed for the address
- The user specified noalias (:0)
and - We are looking at an IPv4 address.
This should be enough paranoia to not cause any false positives.
PR: misc/69954
Discussed with: yongari
MFC after: 4 days
save to call if_attachdomain from if_attach() (as done for if_loop.c). We
will now end up with a properly initialized if_afdata array and the nd6
callout will no longer try to deref a NULL pointer.
Still this is a temp workaround and the locking for if_afdata should be
revisited at a later point.
Requested by: rwatson
Discussed with and tested by: yongari (a while ago)
PR: kern/70393
MFC after: 5 days
the pseudo header. We really need the TCP packet length here. This happens
to end up in ip->ip_len in tcp_input.c, but here we should get it from the
len function variable instead.
Submitted by: yongari
Tested by: Nicolas Linard, yongari (sparc64 + hme)
MFC after: 5 days
ACPI_DEBUG case. Without this, use of allocated memory is unaligned and
causes a trap on ia64. Intel may fix this differently in a subsequent
release but this is adequate for now.
Submitted by: marcel
MFC after: 2 days
have already done this, so I have styled the patch on their work:
1) introduce a ip_newid() static inline function that checks
the sysctl and then decides if it should return a sequential
or random IP ID.
2) named the sysctl net.inet.ip.random_id
3) IPv6 flow IDs and fragment IDs are now always random.
Flow IDs and frag IDs are significantly less common in the
IPv6 world (ie. rarely generated per-packet), so there should
be smaller performance concerns.
The sysctl defaults to 0 (sequential IP IDs).
Reviewed by: andre, silby, mlaier, ume
Based on: NetBSD
MFC after: 2 months
pf_cksum_fixup() was called without last argument from
normalization, also fixup checksum when random-id modifies ip_id.
This would previously lead to incorrect checksums for packets
modified by scrub random-id.
(Originally) Submitted by: yongari
(that does not compile with !gcc). Moreover we get the benefit for all archs
that have a hand optimized in_cksum_skip().
Submitted by: yongari
Tested by: me (i386, extensivly), pf4freebsd ML (various)
calls further down the stack. If we find the cksum to be okay we pretend
that the hardware did all the work and hence keep the upper layers from
checking again.
Submitted by: Pyun YongHyeon
This fixes checksum for some drivers with partial H/W ckcsum offloads.
Reported by: Simon 'corecode' Schubert, Devon H. O'Dell, hmp
Reviewed by: Pyun YongHyeon
MFC:
Fix by dhartmei@
change pf_route() loop detection: introduce a counter (number of times
a packet is routed already) in the mbuf tag, allow at most four times.
Fixes some legitimate cases broken by the previous change.
Reviewed by: dhartmei
icmp_error() packets. While here retire PACKET_TAG_PF_GENERATED (which
served the same purpose) and use M_SKIP_FIREWALL in pf as well. This should
speed up things a bit as we get rid of the tag allocations.
Discussed with: juli
- Split the code out into if_clone.[ch].
- Locked struct if_clone. [1]
- Add a per-cloner match function rather then simply matching names of
the form <name><unit> and <name>.
- Use the match function to allow creation of <interface>.<tag>
vlan interfaces. The old way is preserved unchanged!
- Also the match function to allow creation of stf(4) interfaces named
stf0, stf, or 6to4. This is the only major user visible change in
that "ifconfig stf" creates the interface stf rather then stf0 and
does not print "stf0" to stdout.
- Allow destroy functions to fail so they can refuse to delete
interfaces. Currently, we forbid the deletion of interfaces which
were created in the init function, particularly lo0, pflog0, and
pfsync0. In the case of lo0 this was a panic implementation so it
does not count as a user visiable change. :-)
- Since most interfaces do not need the new functionality, an family of
wrapper functions, ifc_simple_*(), were created to wrap old style
cloner functions.
- The IF_CLONE_INITIALIZER macro is replaced with a new incompatible
IFC_CLONE_INITIALIZER and ifc_simple consumers use IFC_SIMPLE_DECLARE
instead.
Submitted by: Maurycy Pawlowski-Wieronski <maurycy at fouk.org> [1]
Reviewed by: andre, mlaier
Discussed on: net
* block packets that fail to create state table entries
* only allow non-fragmented packets to influence whether or not a logged
packet is the same as the one logged before.
* correct the ICMP packet checksum fixing up when processing ICMP errors for NAT
* implement a maximum for the number of entries in the NAT table (NAT_TABLE_MAX
and ipf_nattable_max)
* frsynclist() wasn't paying attention to all the places where interface
names are, like it should.
* fix comparing ICMP packets with established TCP state where only 8 bytes
of header are returned in the ICMP error.
MFC after: 1 week
- prevent an endless loop with route-to lo0, fixes PR 3736 (dhartmei@)
- The rule_number parameter for pf_get_pool() needs to be 32 bits, not 8 -
this fixes corruption of the address pools with large rulesets.
(mcbride@, pb@)
Reviewed-by: dhartmei
Version 3.5 brings:
- Atomic commits of ruleset changes (reduce the chance of ending up in an
inconsistent state).
- A 30% reduction in the size of state table entries.
- Source-tracking (limit number of clients and states per client).
- Sticky-address (the flexibility of round-robin with the benefits of
source-hash).
- Significant improvements to interface handling.
- and many more ...
ALTQ enabled versions of IFQ_* macros by default, as requested by serveral
others. This is a follow-up to the quick fix I committed yesterday which
turned off the ALTQ checks for non-ALTQ kernels.
rig a PREPEND macro for ALTQ as the POLL/DEQUEUE semantic is very bad in
terms of locking. We make this a full functional queue to allow "bulk
dequeue" which will further reduce the locking overhead (for non-altq
enabled devices). Drivers will access this via the following macros, which
will show up in <net/if_var.h> once we expose ALTQ to the build:
IFQ_DRV_DEQUEUE(ifq, m) - takes a mbuf off the queue (driver queue first)
IFQ_DRV_PREPEND(ifq, m) - pushes a mbuf back to the driver queue
IFQ_DRV_PURGE(ifq) - drops all packets in both queues
IFQ_DRV_IS_EMPTY(ifq) - checks for pending mbufs in either queue
One has to make sure that the first three are protected by a driver mutex.
At the moment most network drivers still require Giant, so this is not an
issue. Even those that have thier own mutex usually hold it in if_start and
the like, so this requirement is almost always satisfied.
This evolved from a discussion with Andrew Gallatin.
- add locking
- disable ALTQ3_COMPAT by default (do not remove the code to keep the diff
towards KAME small)
- put some more code under ALTQ3 conditional compilation as it should be
- account for if_xname
- some more minor compile fixes
As people started wondering:
The strange path layout "altq/altq" is there to avoid "-Isys/contrib" and
make it "-Isys/contrib/altq" instead, as we will need at least <altq/altq.h>
and <altq/if_altq.h> for kernel compilation.
The "freebsd4_..." in the privious commit is just the best tag name in the
KAME tree I could find to classify this in order to track its history. It
does *not* mean that this will go to 4-STABLE or anything of that kind.
HEAD at this point). This will not exactly live in a vendor branch, but have
the vendor backing to make it easier to exchange diffs.
This will be followed by a diff which takes most of the .c files off the
vendor branch in order to:
- add locking
- disable ALTQ3_COMPAT code (which is outdated and "un-lockable")
There is work in progress to refine the configuration API. Import this "as
is" now to have more exposure time before 5-STABLE.
This is only the import, it will be some more days until you will actually
be able to compile ALTQ support into your kernel so don't hold your breath.
HEADUPs will be posted on current@ and net@ before this is actually enabled.
No-objection: re(scottl), core(rwatson)
- change pf_get_pool() argument rule_number type from u_int32_t
to u_int8_t, fixes corruption of address pools with large
rulesets (mcbride@)
- prevent endless loops with route-to (dhartmei@)
- limit option length to 2 octets max (frantzen@)
Obtained from: OpenBSD
Approved by: mlaier(mentor), bms(mentor)
* In the resume path, give up after waiting for a while
for WAK_STS to be set. Some BIOSs never set it.
* Allow access to the field if it is within the region size rounded
up to a multiple of the access byte width. This overcomes "off-by-one"
programming errors in the AML often found in Toshiba laptops.
Fix by dhartmei@ and mcbride@
1.433
Properly m_copyback() modified TCP sequence number after demodulation
1.432
Fix icmp checksum when sequence number modlation is being used.
Also fix a daddr vs saddr cut-n-paste error in ICMP error handling.
Fixes PR 3724
Obtained from: OpenBSD
Reviewed by: dhartmei
Approved by: rwatson
Fix by dhartmei@ and mcbride@
1.433
Properly m_copyback() modified TCP sequence number after demodulation
1.432
Fix icmp checksum when sequence number modlation is being used.
Also fix a daddr vs saddr cut-n-paste error in ICMP error handling.
Fixes PR 3724