Commit Graph

75 Commits

Author SHA1 Message Date
mlaier
ae191726d9 Stop leaking a lock. This used to cause a propagate_priority() page fault
when setting syncdev and syncpeer.

Reported by:	Dominic Marks
2005-09-11 11:55:39 +00:00
mlaier
df3bd6cde3 Unbreak the build. Committed from the wrong directory. 2005-09-08 17:42:42 +00:00
mlaier
aa70783c83 Commit imported changes to HEAD:
pf_ioctl.c Revision 1.153 Sun Aug 7 11:37:33 2005 UTC by dhartmei
 | verify ticket in DIOCADDADDR, from Boris Polevoy, ok deraadt@

 pf_ioctl.c Revision 1.158 Mon Sep 5 14:51:08 2005 UTC by dhartmei
 | in DIOCCHANGERULE, properly initialize table, if used in NAT rule.
 | from Boris Polevoy <vapcom at mail dot ru>, ok mcbride@

 pf.c Revision 1.502 Mon Aug 22 11:54:25 2005 UTC by dhartmei
 | when nat'ing icmp 'connections', replace icmp id with proxy values
 | (similar to proxy ports for tcp/udp). not all clients use
 | per-invokation random ids, this allows multiple concurrent
 | connections from such clients.
 | thanks for testing to Rod Whitworth, "looks ok" markus@

 pf.c Revision 1.501 Mon Aug 22 09:48:05 2005 UTC by dhartmei
 | fix rdr to bitmask replacement address pool. patch from Max Laier,
 | reported by Boris Polevoy, tested by Jean Debogue, ok henning@

Obtained from:	OpenBSD
MFC after:	3 days
2005-09-08 15:06:52 +00:00
mlaier
022c2a093b Wrap the new world order in __FreeBSD__ to ease future imports. 2005-08-09 11:59:02 +00:00
rwatson
5d770a09e8 Propagate rename of IFF_OACTIVE and IFF_RUNNING to IFF_DRV_OACTIVE and
IFF_DRV_RUNNING, as well as the move from ifnet.if_flags to
ifnet.if_drv_flags.  Device drivers are now responsible for
synchronizing access to these flags, as they are in if_drv_flags.  This
helps prevent races between the network stack and device driver in
maintaining the interface flags field.

Many __FreeBSD__ and __FreeBSD_version checks maintained and continued;
some less so.

Reviewed by:	pjd, bz
MFC after:	7 days
2005-08-09 10:20:02 +00:00
mlaier
e0e4afff1d Prevent a race condition. As pf_send_tcp() - called for expired synproxy
states - has to drop the lock when calling back to ip_output(), the state
purge timeout might run and gc the state. This results in a rb-tree
inconsistency.  With this change we flag expiring states while holding the
lock and back off if the flag is already set.

Reported by:	glebius
MFC after:	2 weeks
2005-07-20 18:58:27 +00:00
ume
c8f443708b move RFC3542 related definitions into ip6.h.
Submitted by:	Keiichi SHIMA <keiichi__at__iijlab.net>
Reviewed by:	mlaier
Obtained from:	KAME
2005-07-20 10:30:52 +00:00
mlaier
a390027dcd Export pfsyncstats via sysctl "net.inet.pfsync" in order to print them with
netstat (seperate commit).

Requested by:	glebius
MFC after:	1 week
2005-07-14 22:22:51 +00:00
mlaier
79ac1f3888 Properly initialize ifq_maxlen for the defered send queue and make it
actually work.  Also use the right semantics for IF_HANDOFF to get correct
stats.

Reported and tested by:	Sascha Luck <sascha at c4inet dot net>
Approved by:		re (blanket)
2005-06-26 21:00:52 +00:00
mlaier
e15084485c Mark pf callouts as NET_MPSAFE.
Requested by:	yongari (serveral times)
Approved by:	re (blanket)
MFC after:	1 week
2005-06-12 16:46:20 +00:00
mlaier
2f60aac277 Defer ip_output of pfsync updates to an independent callout thread instead
of just dropping the lock around the ip_output call.  This used to cause
corrupted state tree walks for some call-paths.

In a second stage all callouts will be marked MPSAFE according to the
setting of mpsafenet.

Reported and tested by:	Matthew Grooms <mgrooms at seton dot org>
MFC after:		3 days
X-MFC after:		Marking callouts MPSAFE + 1 week
2005-06-10 17:23:49 +00:00
brooks
567ba9b00a Stop embedding struct ifnet at the top of driver softcs. Instead the
struct ifnet or the layer 2 common structure it was embedded in have
been replaced with a struct ifnet pointer to be filled by a call to the
new function, if_alloc(). The layer 2 common structure is also allocated
via if_alloc() based on the interface type. It is hung off the new
struct ifnet member, if_l2com.

This change removes the size of these structures from the kernel ABI and
will allow us to better manage them as interfaces come and go.

Other changes of note:
 - Struct arpcom is no longer referenced in normal interface code.
   Instead the Ethernet address is accessed via the IFP2ENADDR() macro.
   To enforce this ac_enaddr has been renamed to _ac_enaddr.
 - The second argument to ether_ifattach is now always the mac address
   from driver private storage rather than sometimes being ac_enaddr.

Reviewed by:	sobomax, sam
2005-06-10 16:49:24 +00:00
mlaier
896129e0f9 if_mtu not ifp_mtu. 2005-05-04 19:51:06 +00:00
mlaier
eba8487d85 Bring back fix from rev. 1.28 which was lost during the import. 2005-05-04 16:03:01 +00:00
mlaier
587ccf7938 Combine rev. 1.29 and 1.30 to something that will make sense for future
imports.
2005-05-04 15:55:29 +00:00
mlaier
2383ca5b3c Make LINT happy. 2005-05-04 15:29:28 +00:00
andre
e6d10efc2a Pass icmp_error() the MTU argument directly instead of
an interface pointer.  This simplifies a couple of uses
and removes some XXX workarounds.
2005-05-04 13:09:19 +00:00
mlaier
b14e72073d Resolve conflicts created during the import of pf 3.7 Some features are
missing and will be implemented in a second step.  This is functional as is.

Tested by:	freebsd-pf, pfsense.org
Obtained from:	OpenBSD
X-MFC after:	never (breaks API/ABI)
2005-05-03 16:43:32 +00:00
glebius
1268b440dc Fix error in synproxy connection completion. Source and
destination windows were confused, one instead of other.
This error was masked, because first segment of just
established connection is usually smaller than initially
announced window, and it was successfully passed. First
window reannouncement corrected erroneous 'seqhi' value.
The error showed up when client connected to synproxy
with zero initial window, and reannounced it after
session establishment.

In collaboration with:	dhartmei [we came to same patch independtly]
Reviewed by:		mlaier
Sponsored by:		Rambler
MFC after:		3 days
2005-04-22 09:53:46 +00:00
glebius
70458efe87 Fix mss byte order, only affects synproxy code path.
Submitted by:	John L. Scarfone via OpenBSD
Reviewed by:	mlaier
Obtained from:	OpenBSD, rev. 1.483
MFC after:	2 days
2005-04-13 21:05:55 +00:00
mlaier
1ad7875704 Fix a terrible braino in pfi_maybe_destroy() and unbreak "$pfctl -Fall" with
renamed interfaces.

PR:		kern/77645
Reported by:	Harald Schmalzbauer <harryNOschmalzbauerSPAMde>
Reviewed by:	yongari
MFC after:	3 days
2005-02-21 17:20:00 +00:00
yongari
13ffa2fe13 Fix inteface clear time. pf printed "Thu Jan 1 09:00:01 1970"
in "pfctl -vvsI" output when pf was statically linked to kernel.

Discussed with:	mlaier
2005-02-17 03:36:31 +00:00
mlaier
d43f99469a Access softc embedded struct ifnet via function macro to make it easier to
untangle struct ifnet and softc/arpcom in the future.

Requested by:	brooks
2005-02-09 19:29:13 +00:00
dhartmei
77598c300e Use the packet's address family instead of the rule's when selecting a
replacement address for an rdr rule. Some rdr rules have no address family
(when the replacement is a table and no other criterion implies one AF).
In this case, pf would fail to select a replacement address and drop the
packet due to translation failure.

Found by:	Gustavo A. Baratto
2005-01-20 18:07:35 +00:00
dhartmei
82659e8246 Prohibit ruleset changes at securelevel > 2, not > 1. It's documented
like this in init(8), but the code didn't match the documentation.

Submitted by:	Juraj Lutter <otis at sk dot FreeBSD dot org>
Agrees:		mlaier
2005-01-19 21:37:00 +00:00
dhartmei
b61c49cccc Initialise init_addr in pf_map_addr() in the PF_POOL_ROUNDROBIN,
prevents a possible endless loop in pf_get_sport() with 'static-port'

ICMP state entries use the ICMP ID as port for the unique state key. When
checking for a usable key, construct the key in the same way. Otherwise,
a colliding key might be missed or a state insertion might be refused even
though it could be inserted. The second case triggers the endless loop,
possibly allowing a NATed LAN client to lock up the kernel.

PR:			kern/74930
Reported and tested by:	Hugo Silva, Srebrenko Sehic
MFC after:		3 days
2004-12-19 19:43:04 +00:00
mlaier
5a1a81dd99 Compile pfsync w/o bpf.
Noticed by:	"Jayel Villamin" <jarthel operamail com>
2004-12-10 17:42:47 +00:00
dhartmei
de7cd2f92a IPv6 packets can contain headers (like options) before the TCP/UDP/ICMP6
header. pf finds the first TCP/UDP/ICMP6 header to filter by traversing
the header chain. In the case where headers are skipped, the protocol
checksum verification used the wrong length (included the skipped headers),
leading to incorrectly mismatching checksums. Such IPv6 packets with
headers were silently dropped.

Discovered by:	Bernhard Schmidt
MFC after:	1 week
2004-12-05 12:15:43 +00:00
dhartmei
f808618fbd fix a bug that leads to a crash when binat rules of the form
'binat from ... to ... -> (if)' are used, where the interface
is dynamic.

Discovered by:	kos(at)bastard(dot)net
Analyzed by:	Pyun YongHyeon
Approved by:	mlaier (mentor)
MFC after:	1 week
2004-11-24 00:43:34 +00:00
ru
f4dd946343 Removed the remnants of gx(4). 2004-11-08 20:24:52 +00:00
mlaier
829a2496de Improved interface handling. This should fix the use of renamed interfaces
(ifconfig xl0 name foo) as well as some special interfaces such as the 6to4
tunnel.

Reported by:	Ed Schouten <ed (at) il ! fontys , nl>
Tested by:	freebsd-pf
PR:		kern/72444
MFC after:	3 weeks
2004-11-03 17:21:12 +00:00
mlaier
a18af33877 Fix a panic discovered with some apache2 configure test (that seemed to
trigger a socket creation race some some kind). Checking for non-NULL socket
and credential is not a bad idea anyway. Unfortunatly too late for the
release.

Reported & tested by:	Gilbert Cao
MFC after:		2 weeks
2004-10-24 19:35:02 +00:00
mlaier
b65eae4c19 Add an additional struct inpcb * argument to pfil(9) in order to enable
passing along socket information. This is required to work around a LOR with
the socket code which results in an easy reproducible hard lockup with
debug.mpsafenet=1. This commit does *not* fix the LOR, but enables us to do
so later. The missing piece is to turn the filter locking into a leaf lock
and will follow in a seperate (later) commit.

This will hopefully be MT5'ed in order to fix the problem for RELENG_5 in
forseeable future.

Suggested by:		rwatson
A lot of work by:	csjp (he'd be even more helpful w/o mentor-reviews ;)
Reviewed by:		rwatson, csjp
Tested by:		-pf, -ipfw, LINT, csjp and myself
MFC after:		3 days

LOR IDs:		14 - 17 (not fixed yet)
2004-09-29 04:54:33 +00:00
mlaier
83e80bafba Protect sockaddr_union definitions with a protecting define. This allows to
build kernels with FAST_IPSEC and PF. This is the least disruptive fix.

PR:		kern/71836
Reviewed by:	bms, various mailing lists
MFC after:	3 days
2004-09-23 12:44:40 +00:00
mlaier
69a40e03c1 Break out altq_enable/disable from DIOC{START,STOP}ALTQ into seprate
functions that can be called from enable/disable pf as well. This improves
switching from non-altq ruleset to altq ruleset (and the other way 'round)
by a great deal and makes pfctl act like the user would except it to.

PR:		kern/71746
Tested by:	Aurilien "beorn" Rougemont (PR submitter)
MFC after:	3 days
2004-09-17 02:15:05 +00:00
mlaier
23fe0c08ee Reactivate skipping over bogus IPCP addresses on ppp interfaces. Be more
careful with the skip condition this time. Addresses are only not taken into
account if:
	- The interface is POINTTOPOINT
	- There is no route installed for the address
	- The user specified noalias (:0)
and	- We are looking at an IPv4 address.

This should be enough paranoia to not cause any false positives.

PR:	 	misc/69954
Discussed with:	yongari
MFC after:	4 days
2004-09-14 15:20:24 +00:00
mlaier
de866b234b Move pf* init from SI_SUB_PSEUDO to SI_SUB_PROTO_IFATTACHDOMAIN where it is
save to call if_attachdomain from if_attach() (as done for if_loop.c). We
will now end up with a properly initialized if_afdata array and the nd6
callout will no longer try to deref a NULL pointer.

Still this is a temp workaround and the locking for if_afdata should be
revisited at a later point.

Requested by:			rwatson
Discussed with and tested by:	yongari (a while ago)
PR:				kern/70393
MFC after:			5 days
2004-09-14 03:12:01 +00:00
mlaier
431ad26757 One more round on the H/W supported checksum code: Fix NICs that can't do
the pseudo header. We really need the TCP packet length here. This happens
to end up in ip->ip_len in tcp_input.c, but here we should get it from the
len function variable instead.

Submitted by:	yongari
Tested by:	Nicolas Linard, yongari (sparc64 + hme)
MFC after:	5 days
2004-09-11 11:18:25 +00:00
mlaier
9c209cbf17 Use securelevel_gt instead of reading global securelevel unprotected.
Submitted by:	yongari
MFC after:	3 days
2004-08-22 15:23:48 +00:00
mlaier
c6cd25836d Comment out rev. 1.4 after problems w/ IPv6, a better solution must be
found.
2004-08-16 17:58:12 +00:00
dwmalone
5df13d37b2 Get rid of the RANDOM_IP_ID option and make it a sysctl. NetBSD
have already done this, so I have styled the patch on their work:

        1) introduce a ip_newid() static inline function that checks
        the sysctl and then decides if it should return a sequential
        or random IP ID.

        2) named the sysctl net.inet.ip.random_id

        3) IPv6 flow IDs and fragment IDs are now always random.
        Flow IDs and frag IDs are significantly less common in the
        IPv6 world (ie. rarely generated per-packet), so there should
        be smaller performance concerns.

The sysctl defaults to 0 (sequential IP IDs).

Reviewed by:	andre, silby, mlaier, ume
Based on:	NetBSD
MFC after:	2 months
2004-08-14 15:32:40 +00:00
mlaier
939573c38d Loopback fix from Mathieu Sauve-Frankel:
Add missing check for NULL in DIOCCHANGERULE. This prevents a crash
	in certain rare cases.
2004-08-12 14:15:42 +00:00
mlaier
625a88ed36 Loopback fix from Daniel Hartmeier:
pf_cksum_fixup() was called without last argument from
	normalization, also fixup checksum when random-id modifies ip_id.
	This would previously lead to incorrect checksums for packets
	modified by scrub random-id.

(Originally) Submitted by:	yongari
2004-08-12 13:59:44 +00:00
mlaier
79a496b7d4 Loopback fix from Henning Brauer:
skip over interface addresses without IFA_ROUTE, fixes some issue
	with pppd

PR:	misc/69954
2004-08-12 13:54:50 +00:00
mlaier
3e1b10ae60 Use in_cksum_skip() to calculate in4_cksum instead of doing handrolled magic
(that does not compile with !gcc). Moreover we get the benefit for all archs
that have a hand optimized in_cksum_skip().

Submitted by:	yongari
Tested by:	me (i386, extensivly), pf4freebsd ML (various)
2004-08-05 20:41:38 +00:00
kan
81bb3b51b0 Initialize s variable early to shut up GCC warnings.
Do not declare inline functions without body as this is useless in
general and generates a warning with GCC 3.4.x.

Glanced over by:	dhartmei
2004-07-28 06:14:44 +00:00
mlaier
06a62be24a Fix the following LOR on pf module unload:
1st ifnet (ifnet) @/usr/src/sys/contrib/pf/net/pf_if.c:191
2nd pf task mtx (pf task mtx) @/usr/src/sys/contrib/pf/net/pf_if.c:197

Reported by:	Pyun YongHyeon (a long time ago)
2004-07-23 03:37:05 +00:00
mlaier
fcf16798bf Refine pf_check_proto_cksum() a bit in order to avoid additional in_pseudo()
calls further down the stack. If we find the cksum to be okay we pretend
that the hardware did all the work and hence keep the upper layers from
checking again.

Submitted by:	Pyun YongHyeon
2004-07-23 03:31:42 +00:00
mlaier
446479e8a1 Fix a stupid attemp to apply host arithmetics to network byte ordered data.
This fixes checksum for some drivers with partial H/W ckcsum offloads.

Reported by:	Simon 'corecode' Schubert, Devon H. O'Dell, hmp
Reviewed by:	Pyun YongHyeon
2004-07-18 14:25:48 +00:00
mlaier
d420de60b6 m_tag_copy takes an additional "how" parameter in FreeBSD.
Submitted by:	rwatson
2004-07-18 00:51:56 +00:00