30 Commits

Author SHA1 Message Date
kan
81bb3b51b0 Initialize s variable early to shut up GCC warnings.
Do not declare inline functions without body as this is useless in
general and generates a warning with GCC 3.4.x.

Glanced over by:	dhartmei
2004-07-28 06:14:44 +00:00
mlaier
06a62be24a Fix the following LOR on pf module unload:
1st ifnet (ifnet) @/usr/src/sys/contrib/pf/net/pf_if.c:191
2nd pf task mtx (pf task mtx) @/usr/src/sys/contrib/pf/net/pf_if.c:197

Reported by:	Pyun YongHyeon (a long time ago)
2004-07-23 03:37:05 +00:00
mlaier
fcf16798bf Refine pf_check_proto_cksum() a bit in order to avoid additional in_pseudo()
calls further down the stack. If we find the cksum to be okay we pretend
that the hardware did all the work and hence keep the upper layers from
checking again.

Submitted by:	Pyun YongHyeon
2004-07-23 03:31:42 +00:00
mlaier
446479e8a1 Fix a stupid attemp to apply host arithmetics to network byte ordered data.
This fixes checksum for some drivers with partial H/W ckcsum offloads.

Reported by:	Simon 'corecode' Schubert, Devon H. O'Dell, hmp
Reviewed by:	Pyun YongHyeon
2004-07-18 14:25:48 +00:00
mlaier
d420de60b6 m_tag_copy takes an additional "how" parameter in FreeBSD.
Submitted by:	rwatson
2004-07-18 00:51:56 +00:00
mlaier
8206972537 Merge in a stable fix from OpenBSD:
MFC:
  Fix by dhartmei@

  change pf_route() loop detection: introduce a counter (number of times
  a packet is routed already) in the mbuf tag, allow at most four times.
  Fixes some legitimate cases broken by the previous change.

Reviewed by:	dhartmei
2004-07-17 17:15:15 +00:00
mlaier
512e25ff0c Define semantic of M_SKIP_FIREWALL more precisely, i.e. also pass associated
icmp_error() packets. While here retire PACKET_TAG_PF_GENERATED (which
served the same purpose) and use M_SKIP_FIREWALL in pf as well. This should
speed up things a bit as we get rid of the tag allocations.

Discussed with:	juli
2004-07-17 05:10:06 +00:00
brooks
e1dd867b55 Major overhaul of pseudo-interface cloning. Highlights include:
- Split the code out into if_clone.[ch].
 - Locked struct if_clone. [1]
 - Add a per-cloner match function rather then simply matching names of
   the form <name><unit> and <name>.
 - Use the match function to allow creation of <interface>.<tag>
   vlan interfaces.  The old way is preserved unchanged!
 - Also the match function to allow creation of stf(4) interfaces named
   stf0, stf, or 6to4.  This is the only major user visible change in
   that "ifconfig stf" creates the interface stf rather then stf0 and
   does not print "stf0" to stdout.
 - Allow destroy functions to fail so they can refuse to delete
   interfaces.  Currently, we forbid the deletion of interfaces which
   were created in the init function, particularly lo0, pflog0, and
   pfsync0.  In the case of lo0 this was a panic implementation so it
   does not count as a user visiable change. :-)
 - Since most interfaces do not need the new functionality, an family of
   wrapper functions, ifc_simple_*(), were created to wrap old style
   cloner functions.
 - The IF_CLONE_INITIALIZER macro is replaced with a new incompatible
   IFC_CLONE_INITIALIZER and ifc_simple consumers use IFC_SIMPLE_DECLARE
   instead.

Submitted by:   Maurycy Pawlowski-Wieronski <maurycy at fouk.org> [1]
Reviewed by:    andre, mlaier
Discussed on:	net
2004-06-22 20:13:25 +00:00
mlaier
9acfe1e733 Import two fixes from the OpenBSD stable branch:
- prevent an endless loop with route-to lo0, fixes PR 3736 (dhartmei@)
 - The rule_number parameter for pf_get_pool() needs to be 32 bits, not 8 -
   this fixes corruption of the address pools with large rulesets.
   (mcbride@, pb@)

Reviewed-by:	dhartmei
2004-06-17 16:59:47 +00:00
mlaier
5eba798674 Commit pf version 3.5 and link additional files to the kernel build.
Version 3.5 brings:
 - Atomic commits of ruleset changes (reduce the chance of ending up in an
   inconsistent state).
 - A 30% reduction in the size of state table entries.
 - Source-tracking (limit number of clients and states per client).
 - Sticky-address (the flexibility of round-robin with the benefits of
   source-hash).
 - Significant improvements to interface handling.
 - and many more ...
2004-06-16 23:24:02 +00:00
mlaier
27ecf76342 This commit was generated by cvs2svn to compensate for changes in r130610,
which included commits to RCS files with non-trunk default branches.
2004-06-16 23:03:14 +00:00
mlaier
e31d6b9346 Import pf from OpenBSD 3.5 (OPENBSD_3_5_BASE) 2004-06-16 23:03:14 +00:00
phk
dfd1f7fd50 Do the dreaded s/dev_t/struct cdev */
Bump __FreeBSD_version accordingly.
2004-06-16 09:47:26 +00:00
mlaier
0633de661d Remove some more leftover from the old pfaltq_module hack to allow for
kernels w/ pf, but w/o altq.

Reported-by:	 Xin LI
2004-06-14 16:13:05 +00:00
mlaier
b173c880aa Prepare pf for building with ALTQ:
- remove old pfaltq module linkage
 - move pfaltq_running to pf_ioctl.c It is protected by PF_LOCK()
2004-06-13 01:36:31 +00:00
mlaier
03517ac71a "Get rid of the nested include of <sys/module.h> from <sys/kernel.h>" or
better do no longer depend on it.

Requested-by:	phk
Approved-by:	bms(mentor)
2004-05-31 22:48:19 +00:00
dhartmei
56d46e84bd Commit three imported bugfixes from OpenBSD 3.4-stable:
- change pf_get_pool() argument rule_number type from u_int32_t
    to u_int8_t, fixes corruption of address pools with large
    rulesets (mcbride@)
  - prevent endless loops with route-to (dhartmei@)
  - limit option length to 2 octets max (frantzen@)

Obtained from:	OpenBSD
Approved by:	mlaier(mentor), bms(mentor)
2004-05-02 20:47:24 +00:00
dhartmei
f3b4bd55ea Import OpenBSD 3.4-stable fixes 2004-05-02 19:43:28 +00:00
brooks
6a86b01672 Staticize <if>_clone_{create,destroy} functions.
Reviewed by:	mlaier
2004-04-14 00:57:49 +00:00
mlaier
d2fa2c987e Commit import of OpenBSD-stable fix:
Fix by dhartmei@ and mcbride@
 1.433
 Properly m_copyback() modified TCP sequence number after demodulation
 1.432
 Fix icmp checksum when sequence number modlation is being used.
 Also fix a daddr vs saddr cut-n-paste error in ICMP error handling.

 Fixes PR 3724

Obtained from:	OpenBSD
Reviewed by:	dhartmei
Approved by:	rwatson
2004-04-11 17:35:40 +00:00
mlaier
3ec847e868 Import another fix from the OpenBSD-Stable branch:
Fix by dhartmei@ and mcbride@
 1.433
 Properly m_copyback() modified TCP sequence number after demodulation
 1.432
 Fix icmp checksum when sequence number modlation is being used.
 Also fix a daddr vs saddr cut-n-paste error in ICMP error handling.

 Fixes PR 3724
2004-04-11 17:28:22 +00:00
mlaier
640f7d2a9b Shut up a couple of annoying gcc warnings. Do not enclose the fixes with
#ifdefs in order to loop it back to OpenBSD after the next import. There are
a some implicit asserts involved which might be better spelled out
explicitly (af == AF_INET ...)

Approved by:	bms(mentor)
2004-03-30 18:28:30 +00:00
mlaier
3709170070 Commit two fixes from OpenBSD's stable branch:
- Fix binat for incoming connections when a netblock (not just a single
  address) is used for source in the binat rule. closes PR 3535, reported by
  Karl O.Pinc. ok henning@, cedric@

- Fix a problem related to empty anchor rulesets, which could cause a kernel
  panic.

Approved by:	bms(mentor)
2004-03-28 20:04:12 +00:00
mlaier
9a8a4d8edb Import two fixes from OpenBSD's stable branch:
- Fix binat for incoming connections when a netblock (not just a single
  address) is used for source in the binat rule. closes PR 3535, reported by
  Karl O.Pinc. ok henning@, cedric@

- Fix a problem related to empty anchor rulesets, which could cause a kernel
  panic.

Approved by:	bms(mentor)
2004-03-28 19:31:37 +00:00
mlaier
01e7b3342e Style(9) round for the pf kernel parts. Mostly #if defined() -> #ifdef
Also set HOOK_HACK to true (remove the related #ifdef's) as we have the
hooks in the kernel this was missed during the merge from the port.

Noticed by:	Amir S.	(for the HOOK_HACK part)
Approved by:	bms(mentor)
2004-03-17 21:11:02 +00:00
mlaier
08af5a76fe Remove `$Name$' leftovers from the port version reporting.
Noticed by:	Craig Rodrigues
Approved by:	bms(mentor)
2004-03-10 15:08:21 +00:00
mlaier
bc8fb96519 Remove __inline keyword from functions that can't be inlined according to
LINT. This fixes LINT compliation for now, but needs to be revised.
Changes do not affect the objects.

Approved by:	bms(mentor)
2004-02-29 16:34:43 +00:00
mlaier
428f1c9a0f Tweak existing header and other build infrastructure to be able to build
pf/pflog/pfsync as modules. Do not list them in NOTES or modules/Makefile
(i.e. do not connect it to any (automatic) builds - yet).

Approved by: bms(mentor)
2004-02-26 03:53:54 +00:00
mlaier
4733577ea0 Bring diff from the security/pf port. This has code been tested as a port
for a long time and is run in production use. This is the code present in
portversion 2.03 with some additional tweaks.

The rather extensive diff accounts for:
 - locking (to enable pf to work with a giant-free netstack)
 - byte order difference between OpenBSD and FreeBSD for ip_len/ip_off
 - conversion from pool(9) to zone(9)
 - api differences etc.

Approved by: bms(mentor) (in general)
2004-02-26 02:34:12 +00:00
mlaier
d5e9ee3f6d Vendor import of OpenBSD's packet filter (pf) as of OpenBSD 3.4
Approved by: bms(mentor), core (in general)
2004-02-26 02:04:28 +00:00