Keep state incorrectly assumes keep frags. This is counter to the
ipfilter man pages. This also currently restricts keep frags to only when
keep state is used, which is redundant because keep state currently
assumes keep frags. This commit fixes this.
To the user this change means that to maintain the current behaviour
one must add keep frags to any ipfilter keep state rule (as documented
in the man pages).
This patch also allows the flexibility to specify and use keep frags
separate from keep state, as documented in an example in ipf.conf.5,
instead of the currently broken behaviour.
MFC suggested by: rgrimes
Relnotes: yes
Add missing free()'s after calls to randomize().
PR: NetBSD PR/50559
Obtained from: Netbsd radix_ipf.c r1.6
Fix a use after free panic in ipfilter's fragment processing.
Memory is malloc'd, then a search for a match in the fragment table
is made and if the fragment matches, the wrong fragment table is
freed, causing a use after free panic. This commit fixes this.
A symptom of the problem is a kernel page fault in bcopy() called by
ipf_frag_lookup() at line 715 in ip_frag.c. Another symptom is a
kernel page fault in ipf_frag_delete() when called by ipf_frag_expire()
via ipf_slowtimer().
Fix lookup of original destination address when using a redirect rule.
Transparent proxying, e.g. to squid, is an example of this.
Obtained from: NetBSD ip_nat.c r1.17, ip_nat6.c r1.10
Currently the fragment info is placed at the top of the linked list
under a shared read lock. This patch attempts to upgrade the lock to
an exclusive write lock. If the exclusive write lock fails to be
obtained, the current fragment is not placed at the head of the list.
This portion of the patch was inspired by NetBSD ip_frag.c r1.4 (which
effectively removed the section of code that performed the reordering).
The patch to sys/contrib/ipfilter/netinet/ip_compat.h adds the
MUTEX_TRY_UPGRADE macro to support the patch to ip_frag.c.
The patch to contrib/ipfilter/lib/rwlock_emul.c supports this patch
by emulating the mutex in userspace when exercised by ipftest(1).
Inspired by: NetBSD ip_frag.c r1.4
Get rid of a compiler warning which I saw too often.
Include netinet/in.h before ip_compat.h which will then check if
IPPROTO_IPIP is defined or not. Doing it the other way round,
ip_compat.h would not find it defined and netinet/in.h then
redefine it.
Define ipfilter's SOLARIS macro in a defined and portable way.
Reviewed by: cy
Differential Revision: https://reviews.freebsd.org/D7671
MFC r304959 (by kib):
Complete r304953.
Sponsored by: The FreeBSD Foundation
MFC r304964:
Follow-up to r304953, in which I broke the build: apparently the SOLARIS
macro is defined in lots of different places in ipfilter, so replace all
of the nonportable definitions with portable ones.
Pointy hat to: dim
doing the teardown. ipf_destroy_all() may free ipfmain in case
of ipf_dynamic_softc being true, thus we are avoiding a possible
memory modified after free as well.
Reported by: Coverity
Coverity CID: 1357320
Approved by: re (hrs)
MFC after: 10 days
Split initialization and teardown into module (global state) and VNET
(per virtual network stack) parts. Virtualise global state, which is
not "const".
Cleanup eventhandlers, so that we can make use of the passed in argument
to get the vnet state from the ifp; disable the "cloner" event as it is
too early, has no state, and can fire before initialisation (see comment
in the source).
Handle the dynamic sysctls specially. The problem is that "ipmain"
is the virtualized struct, but the fields used for the sysctls are
hanging off memory allocated and attached to the virtualized "ipmain"
thus standard VNET macros and sysctl handling do not work.
We still say it is VNET sysctls to get the proper protection checks
in the VIMAGE case; to solve the problem of accessing the right bit
of memory hanging of each per-VNET ipmain, we use a dedicated handler
function wrapping around sysctl_ipf_int() undoing the base calculation
from kern_sysctl.c and then adding the passed-in offset into the right
struct depending on handler. A bit of a mess exposing VNET-internals
this way but the only way to keep the code without having to massively
restructure ipf internals.
Approved by: re (hrs)
Sponsored by: The FreeBSD Foundation
Obtained from: projects/vnet
MFC after: 2 weeks
Reviewed by: cy
Differential Revision: https://reviews.freebsd.org/D7000
allocations from ipfilter in preparation for VNET support.
Suggested by: cy (see D7000)
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
Approved by: re (gjb)
than removing the network interfaces first. This change is rather larger
and convoluted as the ordering requirements cannot be separated.
Move the pfil(9) framework to SI_SUB_PROTO_PFIL, move Firewalls and
related modules to their own SI_SUB_PROTO_FIREWALL.
Move initialization of "physical" interfaces to SI_SUB_DRIVERS,
move virtual (cloned) interfaces to SI_SUB_PSEUDO.
Move Multicast to SI_SUB_PROTO_MC.
Re-work parts of multicast initialisation and teardown, not taking the
huge amount of memory into account if used as a module yet.
For interface teardown we try to do as many of them as we can on
SI_SUB_INIT_IF, but for some this makes no sense, e.g., when tunnelling
over a higher layer protocol such as IP. In that case the interface
has to go along (or before) the higher layer protocol is shutdown.
Kernel hhooks need to go last on teardown as they may be used at various
higher layers and we cannot remove them before we cleaned up the higher
layers.
For interface teardown there are multiple paths:
(a) a cloned interface is destroyed (inside a VIMAGE or in the base system),
(b) any interface is moved from a virtual network stack to a different
network stack ("vmove"), or (c) a virtual network stack is being shut down.
All code paths go through if_detach_internal() where we, depending on the
vmove flag or the vnet state, make a decision on how much to shut down;
in case we are destroying a VNET the individual protocol layers will
cleanup their own parts thus we cannot do so again for each interface as
we end up with, e.g., double-frees, destroying locks twice or acquiring
already destroyed locks.
When calling into protocol cleanups we equally have to tell them
whether they need to detach upper layer protocols ("ulp") or not
(e.g., in6_ifdetach()).
Provide or enhance helper functions to do proper cleanup at a protocol
rather than at an interface level.
Approved by: re (hrs)
Obtained from: projects/vnet
Reviewed by: gnn, jhb
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D6747
MFC after: 1 month
X-MFC with: r300259
ip_frag tuneables aren't registered in the ipf_tuners linked list.
This commit enables the two existing ip_frag tuneables by registering
them.
MFC after: 1 month
Reported by: Coverity CID 1354625
MFC after: 3 days
MFC after: 4 weeks
for bad packets are named ipf_fi_bad_*. An example of its use might be:
dtrace -n 'sdt:::ipf_fi_bad_* { stack(); }'
Reviewed by: Darren Reed <darrenr@reed.wattle.id.au>
Reported by: PVS-Studio (V595) in D5245
Differential Revision: D5245
via sys/mbuf.h
Differential Revision: D4764
MFC after: 3 days
enabled (by default in r290383).
PR: 72210
MFC after: 1 week
Obtained from: ipfilter cvs repo r1.48.2.25, r1.72 and NetBSD repo r1.4
MFC after: 3 days
This commit fixes that.
PR: 166372
Submitted by: mk@neon1.net
Reviewed by: Darren Reed <darrenr@reed.wattle.id.au>
MFC after: 1 week
if the malloc succeeded.
Spotted by: reading kernel compile time log
MFC after: 2 weeks
Obtained from: ipfilter cvs repo r1.48.2.25
MFC after: 2 weeks
Obtained from: NetBSD r1.4.
MFC after: 1 week
Obtained from: NetBSD r1.4.
MFC after: 1 week
years for head. However, it is continuously misused as the mpsafe argument
for callout_init(9). Deprecate the flag and clean up callout_init() calls
to make them more consistent.
Differential Revision: https://reviews.freebsd.org/D2613
Reviewed by: jhb
MFC after: 2 weeks
ipfilter code as userland application. To reduce kernel structure knowledge
include if_var.h only if a file is compiled with _KERNEL defined.
In !_KERNEL case, provide our own definition of struct ifnet, that will
satisfy ipftest(1). This was already done earlier to struct ifaddr in
r279029. Protect the definition with _NET_IF_VAR_H_, since kernel part
of ipfilter may include if_var.h and ip_compat.h.
Sponsored by: Netflix
Sponsored by: Nginx, Inc.
where we want to create a new IP datagram.
o Add support for RFC6864, which allows to set IP ID for atomic IP
datagrams to any value, to improve performance. The behaviour is
controlled by net.inet.ip.rfc6864 sysctl knob, which is enabled by
default.
o In case if we generate IP ID, use counter(9) to improve performance.
o Gather all code related to IP ID into ip_id.c.
Differential Revision: https://reviews.freebsd.org/D2177
Reviewed by: adrian, cy, rpaulo
Tested by: Emeric POUPON <emeric.poupon stormshield.eu>
Sponsored by: Netflix
Sponsored by: Nginx, Inc.
Relnotes: yes
socket-buffer implementations, introduce a return value for MCLGET()
(and m_cljget() that underlies it) to allow the caller to avoid testing
M_EXT itself. Update all callers to use the return value.
With this change, very few network device drivers remain aware of
M_EXT; the primary exceptions lie in mbuf-chain pretty printers for
debugging, and in a few cases, custom mbuf and cluster allocation
implementations.
NB: This is a difficult-to-test change as it touches many drivers for
which I don't have physical devices. Instead we've gone for intensive
review, but further post-commit review would definitely be appreciated
to spot errors where changes could not easily be made mechanically,
but were largely mechanical in nature.
Differential Revision: https://reviews.freebsd.org/D1440
Reviewed by: adrian, bz, gnn
Sponsored by: EMC / Isilon Storage Division
MFC after: 1 week
Without this fix, the vnet was NULL and would crash.
This fix is similar to what was done inside the ioctl handler for PF.
Tested by:
(1) Boot a kernel with "options VIMAGE" enabled
(2) Type:
echo "map lo0 from 10.0.0.0/24 to ! 10.0.0.0/24 -> 127.0.0.1/32" > /etc/ipnat.rules ; service ipnat onerestart
PR: 176992
Differential Revision: https://reviews.freebsd.org/D1191
Reviewed by: cy
This fixes when an IP address mapping is put in the hostmap table for
sticky NAT rules, it ends up having the wrong byte order.
Obtained from: ipfilter CVS repo (r1.102), NetBSD CVS repo (r1.12)
Obtained from: ipfilter CVS repo (r1.26), NetBSD CVS repo (r1.8)
Obtained from: ipfilter cvs repo (r1.8)
ipfilter rule compare with new ipf_rule_compare() function.
Obtained from: ipfilter CVS rep (r1.129)
Obtained from: ipfilter CVS repo (r1.128); NetBSD CVS repo (r1.15)
Approved by: glebius (mentor)
Obtained from: ipfilter CVS repo (r1.36)
in the default case, and then a couple of lines down we do sel->
Approved by: glebius (mentor)
Obtained from: NetBSD CVS repo (r1.5)
Approved by: glebius (mentor)
MFC after: 3 days
regardless of the setting in make.conf.
PR: 190964
Approved by: glebius (mentor)
MFC after: 1 week
PR: 183065
Submitted by: p-freebsd-bugs@ziemba.us
Approved by: glebius
MFC after: 1 week
to be consistent with mutex destruction in ipf_log_soft_destroy(). As a
result mutex destruction in ipf_log_soft_fini() is redundant.
Approved by: glebius (mentor)
Obtained from: darrenr (author)
ip_auth.c to ip_auth.h. ip_frag_soft_t moves from ip_frag.c to
ip_frag.h. mlfk_ipl.c creates sysctl MIBs that reference control blocks
that are dynamically created when IP Filter is loaded. This necessitated
creating them on-the-fly rather than statically at compile time.
Approved by: glebius (mentor)
- Use counter(9) for rt_pksent (former rt_rmx.rmx_pksent). This
removes another cache trashing ++ from packet forwarding path.
- Create zini/fini methods for the rtentry UMA zone. Via initialize
mutex and counter in them.
- Fix reporting of rmx_pksent to routing socket.
- Fix netstat(1) to report "Use" both in kvm(3) and sysctl(3) mode.
The change is mostly targeted for stable/10 merge. For head,
rt_pksent is expected to just disappear.
Discussed with: melifaro
Sponsored by: Netflix
Sponsored by: Nginx, Inc.
Sponsored by: Nginx, Inc.
Pointy hat to: glebius