path: root/sys/contrib/pf/net
Commit log, newest first (each entry ends with: author, date; files changed, lines -/+)
* o Create directory sys/netpfil, where all packet filters should reside,
    and move there ipfw(4) and pf(4).
  o Move most modified parts of pf out of contrib.

  Actual movements:
    sys/contrib/pf/net/*.c    -> sys/netpfil/pf/
    sys/contrib/pf/net/*.h    -> sys/net/
    contrib/pf/pfctl/*.c      -> sbin/pfctl
    contrib/pf/pfctl/*.h      -> sbin/pfctl
    contrib/pf/pfctl/pfctl.8  -> sbin/pfctl
    contrib/pf/pfctl/*.4      -> share/man/man4
    contrib/pf/pfctl/*.5      -> share/man/man5
    sys/netinet/ipfw          -> sys/netpfil/ipfw

  The arguable movement is pf/net/*.h -> sys/net. There are future plans to
  refactor pf includes, so I decided not to break things twice.

  Unmodified bits of pf left in contrib: authpf, ftp-proxy, tftp-proxy, pflogd.

  The ipfw(4) movement is planned to be merged to stable/9, to make head and
  stable match.

  Discussed with: bz, luigi
  (glebius, 2012-09-14; 14 files, -21780/+0)
* Merge the projects/pf/head branch, that was worked on for the last six
  months, into head. The most significant achievements in the new code:

  o Fine grained locking, thus much better performance.
  o Fixes to many problems in pf that were specific to the FreeBSD port.

  New code doesn't have that many ifdefs and far fewer OpenBSDisms, thus is
  more attractive to our developers. Those interested in details can browse
  through the SVN log of the projects/pf/head branch. And for reference, here
  is the exact list of revisions merged:

  r232043, r232044, r232062, r232148, r232149, r232150, r232298, r232330,
  r232332, r232340, r232386, r232390, r232391, r232605, r232655, r232656,
  r232661, r232662, r232663, r232664, r232673, r232691, r233309, r233782,
  r233829, r233830, r233834, r233835, r233836, r233865, r233866, r233868,
  r233873, r234056, r234096, r234100, r234108, r234175, r234187, r234223,
  r234271, r234272, r234282, r234307, r234309, r234382, r234384, r234456,
  r234486, r234606, r234640, r234641, r234642, r234644, r234651, r235505,
  r235506, r235535, r235605, r235606, r235826, r235991, r235993, r236168,
  r236173, r236179, r236180, r236181, r236186, r236223, r236227, r236230,
  r236252, r236254, r236298, r236299, r236300, r236301, r236397, r236398,
  r236399, r236499, r236512, r236513, r236525, r236526, r236545, r236548,
  r236553, r236554, r236556, r236557, r236561, r236570, r236630, r236672,
  r236673, r236679, r236706, r236710, r236718, r237154, r237155, r237169,
  r237314, r237363, r237364, r237368, r237369, r237376, r237440, r237442,
  r237751, r237783, r237784, r237785, r237788, r237791, r238421, r238522,
  r238523, r238524, r238525, r239173, r239186, r239644, r239652, r239661,
  r239773, r240125, r240130, r240131, r240136, r240186, r240196, r240212.

  I'd like to thank people who participated in early testing:

  Tested by: Florian Smeets <flo freebsd.org>
  Tested by: Chekaluk Vitaly <artemrts ukr.net>
  Tested by: Ben Wilber <ben desync.com>
  Tested by: Ian FREISLICH <ianf cloudseed.co.za>
  (glebius, 2012-09-08; 15 files, -9464/+4493)
* Use M_NOWAIT while holding the pf giant lock.
  (glebius, 2012-07-15; 1 file, -2/+1)
* Merge revision 1.715 from OpenBSD:

    date: 2010/12/24 20:12:56;  author: henning;  state: Exp;  lines: +3 -3
    in pf_src_connlimit, the indices to sk->addr were swapped. tracked down
    and diff sent by Robert B Mills <rbmills at sdf.lonestar.org> thanks, very
    good work! ok claudio

  Impact is that the "flush" keyword didn't work.

  Obtained from: OpenBSD
  MFC after:     1 week
  (glebius, 2012-06-06; 1 file, -2/+2)
* Correct table counter functionality to not panic.

  This was caused by improper initialization of necessary parameters.

  PR:          168200
  Reviewed by: bz@, glebius@
  MFC after:   1 week
  (eri, 2012-05-31; 3 files, -2/+5)
* Revert r234834 per luigi@ request.

  A cleaner solution (e.g. adding another header) should be done here.

  Original log:
  Move several enums and structures required for L2 filtering from
  ip_fw_private.h to ip_fw.h. Remove ipfw/ip_fw_private.h header from
  non-ipfw code.

  Requested by: luigi
  Approved by:  kib (mentor)
  (melifaro, 2012-05-03; 1 file, -0/+1)
* Move several enums and structures required for L2 filtering from
  ip_fw_private.h to ip_fw.h. Remove ipfw/ip_fw_private.h header from
  non-ipfw code.

  Approved by: ae (mentor)
  MFC after:   2 weeks
  (melifaro, 2012-04-30; 1 file, -1/+0)
* Fix VIMAGE build.
  (ae, 2012-04-05; 1 file, -0/+4)
* Merge from OpenBSD:

    revision 1.173
    date: 2011/11/09 12:36:03;  author: camield;  state: Exp;  lines: +11 -12
    State expire time is a baseline time ("last active") for expiry
    calculations, and does _not_ denote the time when to expire. So it
    should never be added to (set into the future). Try to reconstruct it
    with an educated guess on state import and just set it to the current
    time on state updates. This fixes a problem on pfsync listeners where
    the expiry time could be double the expected value and cause a lot more
    states to linger.
  (glebius, 2012-04-04; 1 file, -11/+11)
* Since the pf 4.5 import, pf(4) has a mechanism to defer forwarding a
  packet that creates state until the pfsync(4) peer acks the state addition
  (or a 10 msec timeout passes). This is needed for active-active CARP
  configurations, which are poorly supported in FreeBSD and arguably a good
  idea at all.

  Unfortunately, by the time of import this feature in OpenBSD was turned on
  and did not have a switch to turn it off. This leaked to FreeBSD.

  This change makes it possible to turn this feature off via ioctl() and
  turns it off by default.

  Obtained from: OpenBSD
  (glebius, 2012-04-03; 2 files, -5/+11)
* Merge from OpenBSD:

    revision 1.146
    date: 2010/05/12 08:11:11;  author: claudio;  state: Exp;  lines: +2 -3
    bzero() the full compressed update struct before setting the values.
    This is needed because pf_state_peer_hton() skips some fields in certain
    situations which could result in garbage being sent to the other peer.
    This seems to fix the pfsync storms seen by stephan@ and so dlg owes me
    a whiskey.

  I didn't see any storms, but this definitely fixes a useless memory
  allocation on the receiving side, due to a non-zero scrub_flags field in a
  pfsync_state_peer structure.
  (glebius, 2012-03-08; 1 file, -2/+2)
* Merge multi-FIB IPv6 support from projects/multi-fibv6/head/:

  Extend the so far IPv4-only support for multiple routing tables (FIBs)
  introduced in r178888 to IPv6, providing feature parity. This includes an
  extended rtalloc(9) KPI for IPv6, the necessary adjustments to the network
  stack, and user land support as in netstat.

  Sponsored by: Cisco Systems, Inc.
  Reviewed by:  melifaro (basically)
  MFC after:    10 days
  (bz, 2012-02-17; 5 files, -53/+67)
* Allocate our mbuf with m_get2().
  (glebius, 2012-01-17; 1 file, -24/+10)
* Revert to the old behavior of allocating table/table entries using
  M_NOWAIT. Currently, the code allows for sleeping in the ioctl path to
  guarantee allocation. However, the code also handles ENOMEM gracefully, so
  propagate this error back to user-space rather than sleeping while holding
  the global pf mutex.

  Reviewed by:    glebius
  Discussed with: bz
  (csjp, 2012-01-14; 1 file, -12/+4)
* Redo r226660:

  - Define schednetisr() to swi_sched.
  - In the swi handler check if there is some data prepared, and if true,
    then call pfsync_sendout(), however tell it not to schedule swi again.
  - Since now we don't obtain the pfsync lock in the swi handler, don't use
    ifqueue mutex to synchronize queue access.
  (glebius, 2012-01-11; 1 file, -35/+27)
* Fix some spacing in code under __FreeBSD__.
  (glebius, 2012-01-11; 1 file, -10/+10)
* Add necessary locking in pfsync_in_ureq().
  (glebius, 2012-01-11; 1 file, -6/+7)
* Move PF_LOCK_ASSERT() under __FreeBSD__.
  (glebius, 2012-01-11; 1 file, -1/+1)
* Merge from OpenBSD:

    revision 1.128
    date: 2009/08/16 13:01:57;  author: jsg;  state: Exp;  lines: +1 -5
    remove prototypes of a bunch of functions that had their implementations
    removed in pfsync v5.
  (glebius, 2012-01-11; 1 file, -4/+1)
* When running with INVARIANTS the mutex(9) code does all necessary asserts
  for non-recursive mutexes.
  (glebius, 2012-01-11; 1 file, -9/+2)
* Can't pass MSIZE to m_cljget(); an mbuf can't be attached as external
  storage to another mbuf.
  (glebius, 2012-01-09; 1 file, -2/+1)
* Backout of backout: we need SI_SUB_PROTO_DOMAIN for pfsync, since it needs
  existing inetdomain on startup.
  (glebius, 2012-01-09; 1 file, -1/+1)
* Revert sub argument of MODULE_DECLARE back to r226532.

  Noticed by: bz
  (glebius, 2012-01-09; 2 files, -2/+2)
* In FreeBSD we determine presence of pfsync(4) at run-time, not at compile
  time, so define NPFSYNC to 1 always. While here, remove unused defines.
  (glebius, 2012-01-09; 3 files, -36/+4)
* Bunch of fixes to pfsync(4) module load/unload:

  o Make the pfsync.ko actually usable. Before this change loading it didn't
    register protosw, so was a nop. However, a module in /boot/kernel did
    confuse users.
  o Rewrite the way we are joining multicast group:
    - Move multicast initialization/destruction to separate functions.
    - Don't allocate memory if we aren't going to join a multicast group.
    - Use modern API for joining/leaving multicast group.
    - Now the utterly wrong pfsync_ifdetach() isn't needed.
  o Move module initialization from SYSINIT(9) to moduledata_t method.
  o Refuse to unload module, unless asked forcibly.
  o Improve a bit some FreeBSD porting code:
    - Use separate malloc type.
    - Simplify swi scheduling.

  This change is probably wrong from VIMAGE viewpoint, however pfsync wasn't
  VIMAGE-correct before this change, too.

  Glanced at by: bz
  (glebius, 2012-01-09; 1 file, -146/+158)
* o Fix panic on module unload, that happened due to mutex being destroyed
    prior to pfsync_uninit(). To do this, move all the initialization to the
    module_t method, instead of SYSINIT(9).
  o Fix another panic after module unload, due to not clearing the
    m_addr_chg_pf_p pointer.
  o Refuse to unload module, unless being unloaded forcibly.
  o Revert the sub argument to MODULE_DECLARE to the stable/8 value.

  This change probably isn't correct from the viewpoint of VIMAGE, but the
  module wasn't VIMAGE-correct before the change, as well.

  Glanced at by: bz
  (glebius, 2012-01-09; 1 file, -52/+27)
* Merge from OpenBSD:

    revision 1.170
    date: 2011/10/30 23:04:38;  author: mikeb;  state: Exp;  lines: +6 -7
    Allow setting big MTU values on the pfsync interface but not larger than
    the syncdev MTU. Prompted by the discussion with and tested by Maxim
    Bourmistrov; ok dlg, mpf

  Consistently use sc_ifp->if_mtu in the MTU check throughout the module.
  This backs out r228813.
  (glebius, 2012-01-07; 1 file, -7/+7)
* Fix indentation.
  (glebius, 2012-01-07; 1 file, -4/+3)
* Fix LINT-VIMAGE build after r228814: use virtualized pf_pool_limits.
  (pluknet, 2011-12-24; 1 file, -1/+1)
* Merge from OpenBSD:

    revision 1.122
    date: 2009/05/13 01:01:34;  author: dlg;  state: Exp;  lines: +6 -4
    only keep track of the number of updates on tcp connections. state sync
    on all the other protocols is simply pushing the timeouts along which
    has a resolution of 1 second, so it isn't going to be hurt by pfsync
    taking up to a second to send it over. keep track of updates on tcp
    still though, their windows need constant attention.
  (glebius, 2011-12-22; 1 file, -3/+6)
* Merge from OpenBSD:

    revision 1.120
    date: 2009/04/04 13:09:29;  author: dlg;  state: Exp;  lines: +5 -5
    use time_uptime instead of time_second internally. time_uptime isn't
    affected by adjusting the clock.

    revision 1.175
    date: 2011/11/25 12:52:10;  author: dlg;  state: Exp;  lines: +3 -3
    use time_uptime to set state creation values as time_second can be
    skewed at runtime by things like date(1) and ntpd. time_uptime is
    monotonic and therefore more useful to compare against.
  (glebius, 2011-12-22; 1 file, -6/+7)
* Merge a couple more fixes from OpenBSD to bulk processing:

    revision 1.118
    date: 2009/03/23 06:19:59;  author: dlg;  state: Exp;  lines: +8 -6
    wait an appropriate amount of time before giving up on a bulk update,
    rather than giving up after a hardcoded 5 seconds (which is generally
    much too short an interval for a bulk update). pointed out by david@,
    eyeballed by mcbride@

    revision 1.171
    date: 2011/10/31 22:02:52;  author: mikeb;  state: Exp;  lines: +2 -1
    Don't forget to cancel bulk update failure timeout when destroying an
    interface. Problem report and fix from Erik Lax, thanks!

  Start a brief note of revisions merged from OpenBSD.
  (glebius, 2011-12-22; 1 file, -6/+14)
* We really mean MTU of the real interface here, not of our pseudo.
  (glebius, 2011-12-22; 1 file, -1/+1)
* In FreeBSD we always have the bpf(4) API, either real or stub. No need to
  detect the presence of 'device bpf'.
  (glebius, 2011-12-22; 1 file, -6/+1)
* Restore a feature that was present in 5.x and 6.x, and was cleared in 7.x,
  8.x and 9.x with pf(4) imports: pfsync(4) should suppress CARP preemption
  while it is running its bulk update. However, reimplement the feature in a
  more elegant manner, that is partially inspired by newer OpenBSD:

  - Rename term "suppression" to "demotion", to match with OpenBSD.
  - Keep a global demotion factor, that can be raised by several conditions,
    for now these are:
      - interface goes down
      - carp(4) has problems with ip_output() or ip6_output()
      - pfsync performs bulk update
  - Unlike in OpenBSD the demotion factor isn't a counter, but is the actual
    value added to advskew. The adjustment values for particular error
    conditions are also configurable, and their defaults are the maximum
    advskew value, so a single failure bumps demotion to maximum. This is
    for POLA compatibility, and should satisfy most users.
  - Demotion factor is a writable sysctl, so user can do foot shooting, if
    he desires to.
  (glebius, 2011-12-20; 1 file, -39/+27)
* - Cover pfsync callouts deletion with PF_LOCK().
  - Cover setting up interface between pf and pfsync with PF_LOCK().
  (glebius, 2011-12-20; 1 file, -1/+9)
* Return value should be conditional on return value of pfsync_defer_ptr().

  PR:           kern/162947
  Submitted by: Matthieu Kraus <matthieu.kraus s2008.tu-chemnitz.de>
  (glebius, 2011-11-30; 1 file, -2/+2)
* Add missing PF_UNLOCK in pf_test.

  Reviewed by: bz
  (kevlo, 2011-10-30; 1 file, -1/+5)
* Utilize new IF_DEQUEUE_ALL(ifq, m) macro in pfsyncintr() to reduce
  contention on ifqueue lock.
  (glebius, 2011-10-27; 1 file, -5/+6)
* Merge several fixes to bulk update processing from OpenBSD. Merged
  revisions: 1.148, 1.149, 1.150. This makes the number of states on
  master/slave a sane value.
  (glebius, 2011-10-23; 1 file, -27/+44)
* Fix indentation, no code changed.
  (glebius, 2011-10-23; 1 file, -2/+2)
* - Fix a bad typo (FreeBSD specific) in pfsync_bulk_update(). Instead of
    scheduling the next run of pfsync_bulk_update(), pfsync_bulk_fail() was
    scheduled. This led to an instant 100% state leak after the first bulk
    update request.
  - After the above fix, it appeared that pfsync_bulk_update() lacks locking.
    To fix this, the sc_bulk_tmo callout was converted to an mtx one.
    Eventually, all pf/pfsync callouts should be converted to the mtx
    version, since it isn't possible to stop or drain a non-mtx callout
    without risk of race.
  - Add comment that callout_stop() in pfsync_clone_destroy() lacks locking.
    Since pfsync0 can't be destroyed (yet), let it be here.
  (glebius, 2011-10-23; 1 file, -3/+3)
* Fix from r226623 is not sufficient to close all races in pfsync(4).

  The root of the problem is re-locking at the end of pfsync_sendout().
  Several functions are calling pfsync_sendout() holding pointers to pf data
  on stack, and these functions expect this data to be consistent.

  To fix this, the following approach was taken:

  - pfsync_sendout() doesn't call ip_output() directly, but enqueues the
    mbuf on sc->sc_ifp's interface queue, that is currently unused. Then the
    pfsync netisr is scheduled. PF_LOCK isn't dropped in pfsync_sendout().
  - The netisr runs through the queue and ip_output()s packets on it.

  Apart from fixing the race, this also decouples the stack, fixing
  potential issues that may happen when sending pfsync(4) packets on the
  input path.

  Reviewed by: eri (a quick review)
  (glebius, 2011-10-23; 1 file, -40/+59)
* Absence of M_WAITOK in malloc flags for UMA doesn't equal presence of
  M_NOWAIT. Specify M_NOWAIT explicitly.

  This fixes sleeping with PF_LOCK().
  (glebius, 2011-10-23; 1 file, -1/+1)
* Correct flag for uma_zalloc() is M_WAITOK. M_WAIT is an old and deprecated
  flag from the historical mbuf(9) allocator.

  This is a style-only change.
  (glebius, 2011-10-23; 1 file, -1/+1)
* Fix a race: we should update sc_len before dropping the pf lock, otherwise
  a number of packets can be queued on sc while we are in ip_output(), and
  then we wipe the accumulated sc_len. On next pfsync_sendout() that would
  lead to writing beyond our mbuf cluster.
  (glebius, 2011-10-21; 1 file, -3/+1)
* In FreeBSD ip_output() expects ip_len and ip_off in host byte order.

  PR: kern/159029
  (glebius, 2011-10-21; 1 file, -0/+8)
* Fix recursive pf locking leading to panics. Splatter PF_LOCK_ASSERT()s to
  document where we are expecting to be called with a lock held, to more
  easily catch unnoticed code paths.

  This does not necessarily improve locking in pfsync, it just tries to
  avoid the panics reported.

  PR:           kern/159390, kern/158873
  Submitted by: pluknet (at least something that partly resembles my patch
                ignoring other cleanup, which I only saw too late on the
                2nd PR)
  MFC After:    3 days
  (bz, 2011-10-19; 1 file, -20/+22)
* De-virtualize the pf_task_mtx lock. At the current state of pf locking and
  virtualization it is not helpful but complicates things. Current state of
  the art is to not virtualize these kinds of locks; inp_group/hash/info/..
  are all not virtualized either.

  MFC after: 3 days
  (bz, 2011-10-19; 2 files, -20/+14)
* Adjust the PF_ASSERT() macro to what we usually use in the network stack:
  PF_LOCK_ASSERT() and PF_UNLOCK_ASSERT().

  MFC after: 3 days
  (bz, 2011-10-19; 4 files, -16/+18)