| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
begun with a repo-copy of mac.h to mac_framework.h. sys/mac.h now
contains the userspace and user<->kernel API and definitions, with all
in-kernel interfaces moved to mac_framework.h, which is now included
across most of the kernel instead.
This change is the first step in a larger cleanup and sweep of MAC
Framework interfaces in the kernel, and will not be MFC'd.
Obtained from: TrustedBSD Project
Sponsored by: SPARTA
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
exists to allow the mandatory access control policy to properly initialize
mbufs generated by the firewall. An example where this might happen is keep
alive packets, or ICMP error packets in response to other packets.
This takes care of kernel panics associated with un-initialize mbuf labels
when the firewall generates packets.
[1] I modified this patch from it's original version, the initial patch
introduced a number of entry points which were programmatically
equivalent. So I introduced only one. Instead, we should leverage
mac_create_mbuf_netlayer() which is used for similar situations,
an example being icmp_error()
This will minimize the impact associated with the MFC
Submitted by: mlaier [1]
MFC after: 1 week
This is a RELENG_6 candidate
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
on lo0. While here fix a comment.
PR: kern/102647
Reported by: Frank Steinborn
Submitted by: suz (earlier version)
MFC after: 3 days
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
fix a bug in the input sanity check of DIOCCHANGERULE (not used by pfctl,
but third-party tools). a rule must have a non-empty replacement address
list when it's a translation rule but not an anchor call (i.e. "nat ...
->" needs a replacement address, but "nat-anchor ..." doesn't). the check
confused "rule is an anchor call" with "rule is defined within an anchor".
report from Michal Mertl, Max Laier.
Obtained from: OpenBSD
MFC after: 2 weeks
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
parameter that can specify configuration parameters:
o rev cloner api's to add optional parameter block
o add SIOCCREATE2 that accepts parameter data
o rev vlan support to use new api (maintain old code)
Reviewed by: arch@
|
| | |
| |
| |
| |
| |
| |
| |
| | |
dynamic resizing of multicast membership array.
Reported and testing by: Maxim Konovalov, Scott Ullrich
Reminded by: thompsa
MFC after: 2 weeks
|
| | |
| |
| |
| | |
Submitted by: yar
|
| | |
| |
| |
| |
| | |
Submitted by: glebius
MFC after: 1 week
|
| | |
| |
| |
| |
| |
| |
| | |
wrap it __FreeBSD__ specific as I couldn't figure out which version of
OpenBSD I got it from.
Reported by: Scott Ullrich
|
| | |
| |
| |
| |
| |
| |
| |
| | |
fixup IP checksum when modifying IP header fields
PR: kern/93849
Obtained from: OpenBSD
MFC after: 3 days
|
| | |
| |
| |
| |
| |
| |
| | |
the structs pflog_packet() takes pointers to.
Approved by: mlaier
MFC after: 3 days
|
| | |
| |
| |
| |
| |
| |
| |
| | |
pointer that is declared in pf_ioctl.c
Requested by: yar (as part of the module build reorg)
MFC after: 1 week
X-MFC with: yar's module reorg
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
but not 'fragment reassemble'), which can cause some fragments to get
inserted into the cache twice, thereby violating an invariant, and panic-
ing the system subsequently.
Reviewed by: mlaier
MFC after: 1 day
|
| | |
| |
| |
| |
| | |
Found with: Coverity Prevent(tm)
MFC after: 3 days
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
"established" state.
Similar to OpenBSD's rev. 1.499 by joel but not breaking ABI.
Obtained from: OpenBSD (with changes)
Reported by: Bruno Afonso
MFC after: 3 days
X-MFC: together with local_flags
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
special handling when zero. This caused no PFSYNC_ACT_DEL message and thus
disfunction of pfflowd and state synchronisation in general.
Discovered by: thompsa
Good catch by: thompsa
MFC after: 7 days
|
| | |
| |
| |
| | |
custom kernels.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
softc lists and associated mutex are now unused so these have been removed.
Calling if_clone_detach() will now destroy all the cloned interfaces for the
driver and in most cases is all thats needed to unload.
Idea by: brooks
Reviewed by: brooks
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
cloner. This ensures that ifc->ifc_units is not prematurely freed in
if_clone_detach() before the clones are destroyed, resulting in memory modified
after free. This could be triggered with if_vlan.
Assert that all cloners have been destroyed when freeing the memory.
Change all simple cloners to destroy their clones with ifc_simple_destroy() on
module unload so the reference count is properly updated. This also cleans up
the interface destroy routines and allows future optimisation.
Discussed with: brooks, pjd, -current
Reviewed by: brooks
|
| | |
| |
| |
| |
| |
| | |
when setting syncdev and syncpeer.
Reported by: Dominic Marks
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
pf_ioctl.c Revision 1.153 Sun Aug 7 11:37:33 2005 UTC by dhartmei
| verify ticket in DIOCADDADDR, from Boris Polevoy, ok deraadt@
pf_ioctl.c Revision 1.158 Mon Sep 5 14:51:08 2005 UTC by dhartmei
| in DIOCCHANGERULE, properly initialize table, if used in NAT rule.
| from Boris Polevoy <vapcom at mail dot ru>, ok mcbride@
pf.c Revision 1.502 Mon Aug 22 11:54:25 2005 UTC by dhartmei
| when nat'ing icmp 'connections', replace icmp id with proxy values
| (similar to proxy ports for tcp/udp). not all clients use
| per-invokation random ids, this allows multiple concurrent
| connections from such clients.
| thanks for testing to Rod Whitworth, "looks ok" markus@
pf.c Revision 1.501 Mon Aug 22 09:48:05 2005 UTC by dhartmei
| fix rdr to bitmask replacement address pool. patch from Max Laier,
| reported by Boris Polevoy, tested by Jean Debogue, ok henning@
Obtained from: OpenBSD
MFC after: 3 days
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
IFF_DRV_RUNNING, as well as the move from ifnet.if_flags to
ifnet.if_drv_flags. Device drivers are now responsible for
synchronizing access to these flags, as they are in if_drv_flags. This
helps prevent races between the network stack and device driver in
maintaining the interface flags field.
Many __FreeBSD__ and __FreeBSD_version checks maintained and continued;
some less so.
Reviewed by: pjd, bz
MFC after: 7 days
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
states - has to drop the lock when calling back to ip_output(), the state
purge timeout might run and gc the state. This results in a rb-tree
inconsistency. With this change we flag expiring states while holding the
lock and back off if the flag is already set.
Reported by: glebius
MFC after: 2 weeks
|
| | |
| |
| |
| |
| |
| | |
Submitted by: Keiichi SHIMA <keiichi__at__iijlab.net>
Reviewed by: mlaier
Obtained from: KAME
|
| | |
| |
| |
| |
| |
| |
| | |
netstat (seperate commit).
Requested by: glebius
MFC after: 1 week
|
| | |
| |
| |
| |
| |
| |
| |
| | |
actually work. Also use the right semantics for IF_HANDOFF to get correct
stats.
Reported and tested by: Sascha Luck <sascha at c4inet dot net>
Approved by: re (blanket)
|
| | |
| |
| |
| |
| |
| | |
Requested by: yongari (serveral times)
Approved by: re (blanket)
MFC after: 1 week
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
of just dropping the lock around the ip_output call. This used to cause
corrupted state tree walks for some call-paths.
In a second stage all callouts will be marked MPSAFE according to the
setting of mpsafenet.
Reported and tested by: Matthew Grooms <mgrooms at seton dot org>
MFC after: 3 days
X-MFC after: Marking callouts MPSAFE + 1 week
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
struct ifnet or the layer 2 common structure it was embedded in have
been replaced with a struct ifnet pointer to be filled by a call to the
new function, if_alloc(). The layer 2 common structure is also allocated
via if_alloc() based on the interface type. It is hung off the new
struct ifnet member, if_l2com.
This change removes the size of these structures from the kernel ABI and
will allow us to better manage them as interfaces come and go.
Other changes of note:
- Struct arpcom is no longer referenced in normal interface code.
Instead the Ethernet address is accessed via the IFP2ENADDR() macro.
To enforce this ac_enaddr has been renamed to _ac_enaddr.
- The second argument to ether_ifattach is now always the mac address
from driver private storage rather than sometimes being ac_enaddr.
Reviewed by: sobomax, sam
|
| | | |
|
| | | |
|
| | |
| |
| |
| | |
imports.
|
| | | |
|
| | |
| |
| |
| |
| | |
an interface pointer. This simplifies a couple of uses
and removes some XXX workarounds.
|
| | |
| |
| |
| |
| |
| |
| |
| | |
missing and will be implemented in a second step. This is functional as is.
Tested by: freebsd-pf, pfsense.org
Obtained from: OpenBSD
X-MFC after: never (breaks API/ABI)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
destination windows were confused, one instead of other.
This error was masked, because first segment of just
established connection is usually smaller than initially
announced window, and it was successfully passed. First
window reannouncement corrected erroneous 'seqhi' value.
The error showed up when client connected to synproxy
with zero initial window, and reannounced it after
session establishment.
In collaboration with: dhartmei [we came to same patch independtly]
Reviewed by: mlaier
Sponsored by: Rambler
MFC after: 3 days
|
| | |
| |
| |
| |
| |
| |
| | |
Submitted by: John L. Scarfone via OpenBSD
Reviewed by: mlaier
Obtained from: OpenBSD, rev. 1.483
MFC after: 2 days
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
renamed interfaces.
PR: kern/77645
Reported by: Harald Schmalzbauer <harryNOschmalzbauerSPAMde>
Reviewed by: yongari
MFC after: 3 days
|
| | |
| |
| |
| |
| |
| | |
in "pfctl -vvsI" output when pf was statically linked to kernel.
Discussed with: mlaier
|
| | |
| |
| |
| |
| |
| | |
untangle struct ifnet and softc/arpcom in the future.
Requested by: brooks
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
replacement address for an rdr rule. Some rdr rules have no address family
(when the replacement is a table and no other criterion implies one AF).
In this case, pf would fail to select a replacement address and drop the
packet due to translation failure.
Found by: Gustavo A. Baratto
|
| | |
| |
| |
| |
| |
| |
| | |
like this in init(8), but the code didn't match the documentation.
Submitted by: Juraj Lutter <otis at sk dot FreeBSD dot org>
Agrees: mlaier
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
prevents a possible endless loop in pf_get_sport() with 'static-port'
ICMP state entries use the ICMP ID as port for the unique state key. When
checking for a usable key, construct the key in the same way. Otherwise,
a colliding key might be missed or a state insertion might be refused even
though it could be inserted. The second case triggers the endless loop,
possibly allowing a NATed LAN client to lock up the kernel.
PR: kern/74930
Reported and tested by: Hugo Silva, Srebrenko Sehic
MFC after: 3 days
|
| | |
| |
| |
| | |
Noticed by: "Jayel Villamin" <jarthel operamail com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
header. pf finds the first TCP/UDP/ICMP6 header to filter by traversing
the header chain. In the case where headers are skipped, the protocol
checksum verification used the wrong length (included the skipped headers),
leading to incorrectly mismatching checksums. Such IPv6 packets with
headers were silently dropped.
Discovered by: Bernhard Schmidt
MFC after: 1 week
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
'binat from ... to ... -> (if)' are used, where the interface
is dynamic.
Discovered by: kos(at)bastard(dot)net
Analyzed by: Pyun YongHyeon
Approved by: mlaier (mentor)
MFC after: 1 week
|
| | | |
|
