This fixes kernel panics which occur when the firewall sends out a packet.
This can happen for keep alives, or instances when the firewall is
configured to return RST or ICMP unreach packets. These panics occured
only if MLS, BIBA or LOMAC security policies were loaded.
Approved by: re@ (kensmith)
Submitted by: mlaier (with changes)
Fix stateful filtering of loopback IPv6 traffic to an address not
configured on lo0. While here fix a comment.
PR: kern/102647
Reported by: Frank Steinborn
Submitted by: suz (earlier version)
Import from OpenBSD 1.168, dhartmei:
fix a bug in the input sanity check of DIOCCHANGERULE (not used by
pfctl, but third-party tools). a rule must have a non-empty replacement
address list when it's a translation rule but not an anchor call (i.e.
"nat ... ->" needs a replacement address, but "nat-anchor ..." doesn't).
the check confused "rule is an anchor call" with "rule is defined within
an anchor". report from Michal Mertl, Max Laier.
Loopback pf_norm.c rev. 1.106 from OpenBSD:
fixup IP checksum when modifying IP header fields
PR: kern/93849
Obtained from: OpenBSD
Approved by: re (kensmith)
Make pflog a seperate module. As a result pflog_packet() becomes a
function pointer that is declared in pf_ioctl.c
Requested by: yar (as part of the module build reorg)
Approved by: re (scottl)
them to userland. [1]
MFC rev. 1.16 of sys/contrib/pf/net/pf_norm.c: Correct an error in pf
handling of IP packet fragments which could result in a kernel panic.
[2]
Security: FreeBSD-SA-06:06.kmem [1]
Security: FreeBSD-SA-06:07.pf [2]
Move PFSTATE_EXPIRING from sync_flags to a new local_flags. sync_flags
has special handling when zero. This caused no PFSYNC_ACT_DEL message and
thus disfunction of pfflowd and state synchronisation in general.
Discovered by: thompsa
Good catch by: thompsa
and
Only decrement the max-src-conn counter for tcp connections that reached
"established" state.
Similar to OpenBSD's rev. 1.499 by joel but not breaking ABI.
Obtained from: OpenBSD (with changes)
Reported by: Bruno Afonso
ok reyk@
Stop leaking a lock. This used to cause a propagate_priority() page fault
when setting syncdev and syncpeer.
Reported by: Dominic Marks
Approved by: re (scottl)
pf_ioctl.c Revision 1.153 Sun Aug 7 11:37:33 2005 UTC by dhartmei
| verify ticket in DIOCADDADDR, from Boris Polevoy, ok deraadt@
pf_ioctl.c Revision 1.158 Mon Sep 5 14:51:08 2005 UTC by dhartmei
| in DIOCCHANGERULE, properly initialize table, if used in NAT rule.
| from Boris Polevoy <vapcom at mail dot ru>, ok mcbride@
pf.c Revision 1.502 Mon Aug 22 11:54:25 2005 UTC by dhartmei
| when nat'ing icmp 'connections', replace icmp id with proxy values
| (similar to proxy ports for tcp/udp). not all clients use
| per-invokation random ids, this allows multiple concurrent
| connections from such clients.
| thanks for testing to Rod Whitworth, "looks ok" markus@
pf.c Revision 1.501 Mon Aug 22 09:48:05 2005 UTC by dhartmei
| fix rdr to bitmask replacement address pool. patch from Max Laier,
| reported by Boris Polevoy, tested by Jean Debogue, ok henning@
Approved by: re (scottl)
Prevent a race condition. As pf_send_tcp() - called for expired synproxy
states - has to drop the lock when calling back to ip_output(), the state
purge timeout might run and gc the state. This results in a rb-tree
inconsistency. With this change we flag expiring states while holding the
lock and back off if the flag is already set.
Reported by: glebius
Approved by: re (kensmith)
Export pfsyncstats via sysctl "net.inet.pfsync" in order to print them
with netstat (seperate commit).
Requested by: glebius
Approved by: re (kensmith)
actually work. Also use the right semantics for IF_HANDOFF to get correct
stats.
Reported and tested by: Sascha Luck <sascha at c4inet dot net>
Approved by: re (blanket)
of just dropping the lock around the ip_output call. This used to cause
corrupted state tree walks for some call-paths.
In a second stage all callouts will be marked MPSAFE according to the
setting of mpsafenet.
Reported and tested by: Matthew Grooms <mgrooms at seton dot org>
MFC after: 3 days
X-MFC after: Marking callouts MPSAFE + 1 week
struct ifnet or the layer 2 common structure it was embedded in have
been replaced with a struct ifnet pointer to be filled by a call to the
new function, if_alloc(). The layer 2 common structure is also allocated
via if_alloc() based on the interface type. It is hung off the new
struct ifnet member, if_l2com.
This change removes the size of these structures from the kernel ABI and
will allow us to better manage them as interfaces come and go.
Other changes of note:
- Struct arpcom is no longer referenced in normal interface code.
Instead the Ethernet address is accessed via the IFP2ENADDR() macro.
To enforce this ac_enaddr has been renamed to _ac_enaddr.
- The second argument to ether_ifattach is now always the mac address
from driver private storage rather than sometimes being ac_enaddr.
Reviewed by: sobomax, sam
missing and will be implemented in a second step. This is functional as is.
Tested by: freebsd-pf, pfsense.org
Obtained from: OpenBSD
X-MFC after: never (breaks API/ABI)
destination windows were confused, one instead of other.
This error was masked, because first segment of just
established connection is usually smaller than initially
announced window, and it was successfully passed. First
window reannouncement corrected erroneous 'seqhi' value.
The error showed up when client connected to synproxy
with zero initial window, and reannounced it after
session establishment.
In collaboration with: dhartmei [we came to same patch independtly]
Reviewed by: mlaier
Sponsored by: Rambler
MFC after: 3 days
replacement address for an rdr rule. Some rdr rules have no address family
(when the replacement is a table and no other criterion implies one AF).
In this case, pf would fail to select a replacement address and drop the
packet due to translation failure.
Found by: Gustavo A. Baratto
prevents a possible endless loop in pf_get_sport() with 'static-port'
ICMP state entries use the ICMP ID as port for the unique state key. When
checking for a usable key, construct the key in the same way. Otherwise,
a colliding key might be missed or a state insertion might be refused even
though it could be inserted. The second case triggers the endless loop,
possibly allowing a NATed LAN client to lock up the kernel.
PR: kern/74930
Reported and tested by: Hugo Silva, Srebrenko Sehic
MFC after: 3 days
header. pf finds the first TCP/UDP/ICMP6 header to filter by traversing
the header chain. In the case where headers are skipped, the protocol
checksum verification used the wrong length (included the skipped headers),
leading to incorrectly mismatching checksums. Such IPv6 packets with
headers were silently dropped.
Discovered by: Bernhard Schmidt
MFC after: 1 week
'binat from ... to ... -> (if)' are used, where the interface
is dynamic.
Discovered by: kos(at)bastard(dot)net
Analyzed by: Pyun YongHyeon
Approved by: mlaier (mentor)
MFC after: 1 week
(ifconfig xl0 name foo) as well as some special interfaces such as the 6to4
tunnel.
Reported by: Ed Schouten <ed (at) il ! fontys , nl>
Tested by: freebsd-pf
PR: kern/72444
MFC after: 3 weeks
trigger a socket creation race some some kind). Checking for non-NULL socket
and credential is not a bad idea anyway. Unfortunatly too late for the
release.
Reported & tested by: Gilbert Cao
MFC after: 2 weeks
passing along socket information. This is required to work around a LOR with
the socket code which results in an easy reproducible hard lockup with
debug.mpsafenet=1. This commit does *not* fix the LOR, but enables us to do
so later. The missing piece is to turn the filter locking into a leaf lock
and will follow in a seperate (later) commit.
This will hopefully be MT5'ed in order to fix the problem for RELENG_5 in
forseeable future.
Suggested by: rwatson
A lot of work by: csjp (he'd be even more helpful w/o mentor-reviews ;)
Reviewed by: rwatson, csjp
Tested by: -pf, -ipfw, LINT, csjp and myself
MFC after: 3 days
LOR IDs: 14 - 17 (not fixed yet)
functions that can be called from enable/disable pf as well. This improves
switching from non-altq ruleset to altq ruleset (and the other way 'round)
by a great deal and makes pfctl act like the user would except it to.
PR: kern/71746
Tested by: Aurilien "beorn" Rougemont (PR submitter)
MFC after: 3 days
careful with the skip condition this time. Addresses are only not taken into
account if:
- The interface is POINTTOPOINT
- There is no route installed for the address
- The user specified noalias (:0)
and - We are looking at an IPv4 address.
This should be enough paranoia to not cause any false positives.
PR: misc/69954
Discussed with: yongari
MFC after: 4 days
save to call if_attachdomain from if_attach() (as done for if_loop.c). We
will now end up with a properly initialized if_afdata array and the nd6
callout will no longer try to deref a NULL pointer.
Still this is a temp workaround and the locking for if_afdata should be
revisited at a later point.
Requested by: rwatson
Discussed with and tested by: yongari (a while ago)
PR: kern/70393
MFC after: 5 days
the pseudo header. We really need the TCP packet length here. This happens
to end up in ip->ip_len in tcp_input.c, but here we should get it from the
len function variable instead.
Submitted by: yongari
Tested by: Nicolas Linard, yongari (sparc64 + hme)
MFC after: 5 days
have already done this, so I have styled the patch on their work:
1) introduce a ip_newid() static inline function that checks
the sysctl and then decides if it should return a sequential
or random IP ID.
2) named the sysctl net.inet.ip.random_id
3) IPv6 flow IDs and fragment IDs are now always random.
Flow IDs and frag IDs are significantly less common in the
IPv6 world (ie. rarely generated per-packet), so there should
be smaller performance concerns.
The sysctl defaults to 0 (sequential IP IDs).
Reviewed by: andre, silby, mlaier, ume
Based on: NetBSD
MFC after: 2 months