Commit Graph

30 Commits

Author SHA1 Message Date
peter 41ea7e91a7 Merge in a fix from OPENBSD_3_6.
ok yamt@

> MFC:
> Fix by dhartmei@
>
> replace finer-grained spl locking in pfioctl() with a single broad lock
> around the entire body. this resolves the (misleading) panics in
> pf_tag_packet() during heavy ioctl operations (like when using authpf)
> that occur because softclock can interrupt ioctl on i386 since SMP.
> patch from camield@.
2005-02-14 21:28:33 +00:00
peter 1b4e743b06 Merge in a fix from OPENBSD_3_6.
ok yamt@

> MFC:
> Fix by dhartmei@
>
> ICMP state entries use the ICMP ID as port for the unique state key. When
> checking for a usable key, construct the key in the same way. Otherwise,
> a colliding key might be missed or a state insertion might be refused even
> though it could be inserted. The second case triggers the endless loop
> fixed by 1.474, possibly allowing a NATed LAN client to lock up the kernel.
> Report and test data by Srebrenko Sehic.
2005-02-14 21:27:26 +00:00
yamt de965c0ed7 pfil4_wrapper: clear M_CANFASTFWD which is not compatible with pf. 2005-01-01 09:13:14 +00:00
peter dd544baa78 Apply a patch from OPENBSD_3_6 branch (ok yamt).
MFC:
Fix by dhartmei@

IPv6 packets can contain headers (like options) before the TCP/UDP/ICMP6
header. pf finds the first TCP/UDP/ICMP6 header to filter by traversing
the header chain. In the case where headers are skipped, the protocol
checksum verification used the wrong length (included the skipped headers),
leading to incorrectly mismatching checksums. Such IPv6 packets with
headers were silently dropped. Reported by Bernhard Schmidt.

ok deraadt@ dhartmei@ mcbride@
2004-12-21 12:06:37 +00:00
peter e71187380f Apply a patch from OPENBSD_3_6 branch (ok yamt).
MFC:
Fix by mcbride@

Initialise init_addr in pf_map_addr() in the PF_POOL_ROUNDROBIN,
prevents a possible endless loop in pf_get_sport() with 'static-port'

Reported by adm at celeritystorm dot com in FreeBSD PR74930, debugging
by dhartmei@

ok mcbride@ dhartmei@ deraadt@ henning@
2004-12-21 12:05:34 +00:00
yamt 21a48a296e pf_check_proto_cksum: use {tcp,udp}_input_checksum so that we can:
- handle loopback checksum omission properly.
- profit from h/w checksum offloading.
2004-12-21 05:55:23 +00:00
peter e6a70f95cf Apply a patch from OpenBSD 3.6 branch (ok yamt@).
MFC:
Fix by dhartmei@

fix a bug that leads to a crash when binat rules of the form
'binat from ... to ... -> (if)' are used, where the interface
is dynamic. reported by kos(at)bastard(dot)net, analyzed by
Pyun YongHyeon.
2004-12-05 13:32:17 +00:00
peter fd3bd491c0 Improve the cleanup routines for detachment. Fixes PR 28132.
Reviewed by yamt.
2004-12-04 14:26:01 +00:00
peter 3cfd10be8b Don't put the hook definitions into #ifdef _KERNEL.
(needed to compile pf programs because of the previous change)
2004-12-04 14:21:23 +00:00
yamt 0a7a28fcc4 plug pfik_ifaddrhooks leaks by embedding it to pfi_kif. 2004-12-04 10:35:54 +00:00
peter c7f5faeaa9 Apply a patch from the OPENBSD_3_6 branch, ok itojun.
MFC:
Fix by dhartmei@

The flag to re-filter pf-generated packets was set wrong by synproxy
for ACKs. It should filter the ACK replayed to the server, instead of
of the one to the client.
2004-11-21 17:59:24 +00:00
peter a3452e6de2 Apply a patch from the OPENBSD_3_6 branch, ok itojun.
MFC:
Fix by dhartmei@

For RST generated due to state mismatch during handshake, don't set
th_flags TH_ACK and leave th_ack 0, just like the RST generated by
the stack in this case. Fixes the Raptor workaround.
2004-11-21 17:57:52 +00:00
yamt da18614102 resolve conflicts. (pf from OpenBSD 3.6, kernel part) 2004-11-14 11:12:16 +00:00
yamt 3d5ba5bca1 backout whitespace changes to make further import easier. 2004-11-13 21:13:07 +00:00
dyoung 34a3fbf64e "RB_PROTOTYPE();" does not lint because you end up with two
consecutive semicolons, so let's use RB_PROTOTYPE() alone.
2004-09-28 00:14:02 +00:00
yamt d37ce14181 pflog_packet: use bpf_mtap2().
(our bpf_mtap() is more "strict" about mbufs
than openbsd's one is.  eg. M_PKTHDR should be set properly.)
2004-09-10 08:48:32 +00:00
yamt c3b066f850 pull following fixes from openbsd. ok'ed by itojun.
> ----------------------------
> revision 1.58
> date: 2004/06/23 04:34:17;  author: mcbride;  state: Exp;  lines: +5 -3
> pfr_commit_ktable calls functions that can result in the current
> ktable being destroyed, which makes it unsafe in a SLIST_FOREACH.
>
> Fix from Chris Pascoe
> ----------------------------
> revision 1.56
> date: 2004/06/11 05:21:20;  author: mcbride;  state: Exp;  lines: +5 -3
> Eliminate a dereference after pool_put when an inactive/no-longer referenced
> table is destroyed in pfr_setflags_ktable.
>
> Fix from Chris Pascoe
> ----------------------------
2004-09-09 14:56:00 +00:00
yamt 31715f4eb9 remove no longer needed caddr_t casts to reduce diffs from openbsd. 2004-09-08 12:11:25 +00:00
yamt 421ffa4969 pfil4_wrapper, pfil6_wrapper:
ensure that mbufs are writable beforehand as pf assumes it.
PR/26433.
2004-09-06 10:01:39 +00:00
yamt 0370fc7128 - rename PFIL_NEWIF to PFIL_IFNET, and handle interface detach events
as well.
- use it for pf(4).

mostly from Peter Postma.  PR/26403.
2004-07-27 12:22:59 +00:00
yamt 46abcaebe4 fix dynaddr tracking.
from Peter Postma, PR/26369.
ok'ed by itojun.
2004-07-26 13:46:43 +00:00
yamt 4f755d07b4 ANSIfy. (inside #ifdef __NetBSD__)
from Peter Postma.
ok'ed by itojun.
2004-07-26 13:45:40 +00:00
yamt 48d156e320 call PFIL_NEWIF hooks at a correct place.
(on SIOCAIFADDR rather than SIOCGIFALIAS.)

from Peter Postma, PR/26402.
ok'ed by itojun.
2004-07-26 13:43:14 +00:00
itojun 0407dd42ae make PF lkm working. from Peter Postma and Joel Wilsson.
remove pf_ioctl_head/pf_newif_head, which was never used.
2004-06-29 04:42:54 +00:00
itojun ce0e658ff3 PR kern/26011: pf leaks mbufs on disallowed packets. Peter Postma 2004-06-25 13:17:01 +00:00
martin 149fa38cf4 Make it compile on non-IPv6 kernels. 2004-06-22 18:59:14 +00:00
martin be9dcae132 Fix formatting for 64 bit archs. This fixes PR port-sparc64/26010.
While there, make it compile for non-INET6 aware kernels.
2004-06-22 18:37:49 +00:00
christos 6ecf0e2cbe add a pfdetach() method to be used by lkm's 2004-06-22 18:04:32 +00:00
itojun bfcdaa5766 PF from openbsd 3.5. missing features:
- pfsync (due to protocol # assignment issues)
- carp (not really a PF portion, but thought important to mention)
- PF and ALTQ are mutually-exclusive.  this will be sorted out when
  kjc@csl.sony.co.jp updates ALTQ and PF (and API inbetween)

reviewed by matt, christos, perry

torture-test is very welcomed.
2004-06-22 14:17:07 +00:00
itojun 6adffbf983 PF from OpenBSD 3.5 2004-06-22 13:52:05 +00:00