path: root/sys/netpfil/pf
Commit log (each entry: commit message, then author, date, files changed, lines -removed/+added)
* pf: Fix possible incorrect IPv6 fragmentation (kp, 2017-04-20, 1 file, -0/+4)

    When forwarding pf tracks the size of the largest fragment in a fragmented packet, and refragments based on this size. It failed to ensure that this size was a multiple of 8 (as is required for all but the last fragment), so it could end up generating incorrect fragments.

    For example, if we received an 8 byte and 12 byte fragment pf would emit a first fragment with 12 bytes of payload and the final fragment would claim to be at offset 8 (not 12).

    We now assert that the fragment size is a multiple of 8 in ip6_fragment(), so other users won't make the same mistake.

    Reported by: Antonios Atlasis <aatlasis at secfu net>
    MFC after: 3 days

    (cherry picked from commit 4f3397263b95a45dd58e2be3a566029f8841cace)

* MFC r314810: (kp, 2017-03-10, 1 file, -1/+1)

    pf: Fix a crash in low-memory situations

    If the call to pf_state_key_clone() in pf_get_translation() fails (i.e. there's no more memory for it) it frees skp. This is wrong, because skp is a pf_state_key **, so we need to free *skp, as is done later in the function.

    Getting it wrong means we try to free a stack variable of the calling pf_test_rule() function, and we panic.

    (cherry picked from commit 9c6c619e748c0e1da35441d443ddf41cd4c4f30d)
* MFC r302497: (kp, 2016-09-23, 1 file, -4/+12)

    pf: Map hook returns onto the correct error values

    pf returns PF_PASS, PF_DROP, ... in the netpfil hooks, but the hook callers expect to get E<foo> error codes. Map the return values. A pass is 0 (everything is OK), anything else means pf ate the packet, so return EACCES, which tells the stack not to emit an ICMP error message.

    PR: 207598

    (cherry picked from commit 26d31e281678303d3071eb6fbac74b22036f44c5)
* Merge fix from FreeBSD for fragment states not being removed. Ticket #6499 (Chris Buechler, 2016-06-17, 1 file, -1/+1)

* pf: Fix more ICMP mistranslation (kp, 2016-05-23, 1 file, -1/+1)

    In the default case fix the substitution of the destination address.

    PR: 201519
    Submitted by: Max <maximos@als.nnov.ru>
    MFC after: 1 week

    (cherry picked from commit 7ddccc27cd3b8cf9bef3dd5b7b71c8b82e914386)

* pf: Fix ICMP translation (kp, 2016-05-23, 1 file, -10/+5)

    Fix ICMP source address rewriting in rdr scenarios.

    PR: 201519
    Submitted by: Max <maximos@als.nnov.ru>
    MFC after: 1 week

    (cherry picked from commit e155a36ec0418be0b8147484b0644e5e50ab7d25)

* Fix a bug in divert.RELENG_10.diff. (Luiz Otavio O Souza, 2016-04-17, 1 file, -1/+1)

    Found during the patch reviews for 2.4.

    (cherry picked from commit ea9ba1a51b165fe4540662a900bb800f501bdf74)

* Merge remote-tracking branch 'origin/stable/10' into devel (Renato Botelho, 2016-03-03, 1 file, -2/+3)
| * MFC: r296025: (kp, 2016-03-03, 1 file, -2/+3)

    pf: Fix possible out-of-bounds write

    In the DIOCRSETADDRS ioctl() handler we allocate a table for struct pfr_addrs, which is processed in pfr_set_addrs(). At the user's request we also provide feedback on the deleted addresses, by storing them after the new list ('bcopy(&ad, addr + size + i, sizeof(ad));' in pfr_set_addrs()). This means we write outside the bounds of the buffer we've just allocated.

    We need to look at pfrio_size2 instead (i.e. the size the user reserved for our feedback). That'd allow a malicious user to specify a smaller pfrio_size2 than pfrio_size though, in which case we'd still read outside of the allocated buffer. Instead we allocate the largest of the two values.

    Reported By: Paul J Murphy <paul@inetstat.net>
    PR: 207463
    Approved by: re (marius)
* | Merge remote-tracking branch 'origin/stable/10' into devel (Luiz Otavio O Souza, 2016-02-22, 1 file, -2/+2)
| * MFC r286641 (from oshogbo): (garga, 2016-02-22, 1 file, -2/+2)

    Use correct src/dst ports when removing states.

    Submitted by: Milosz Kaniewski <m.kaniewski@wheelsystems.com>, UMEZAWA Takeshi <umezawa@iij.ad.jp> (original)
    Reviewed by: glebius
    Approved by: re (marius)
    Obtained from: OpenBSD
    Sponsored by: Rubicon Communications (Netgate)
    Differential revision: https://reviews.freebsd.org/D5392

| * Merge r264915: fix NULL pointer dereference with special sequence of DIOCADDADDR and DIOCADDRULE. (glebius, 2016-02-08, 1 file, -1/+3)

    PR: 206933
    Approved by: re (marius)
* | Revert "MFC of r286641:" (Luiz Otavio O Souza, 2016-02-22, 1 file, -2/+2)

    This reverts commit b8ac7a6968caff799a8f2b7eaa7b50a44102e35f.
* | Correct a mis-merge when imported VLAN PCP code: (Renato Botelho, 2016-02-22, 1 file, -9/+9)

    There was a mistake when code was imported that led us to end up with a duplicated block of code on the IPv6 code path while one of these blocks belongs to IPv4.

    Without this patch pf wouldn't apply the vlan pcp value correctly to outbound IPv4 traffic.

    Patch: pf_802.1p.diff
    Submitted by: Matthew Grooms <mgrooms@shrew.net>
* | MFC of r286641: (Luiz Otavio O Souza, 2016-02-18, 1 file, -2/+2)

    Use correct src/dst ports when removing states.

    Submitted by: Milosz Kaniewski <m.kaniewski@wheelsystems.com>, UMEZAWA Takeshi <umezawa@iij.ad.jp> (original)
    Reviewed by: glebius
    Approved by: pjd (mentor)
    Obtained from: OpenBSD

* | Importing pfSense patch pf_static_tracker.diff (Luiz Otavio O Souza, 2016-01-28, 3 files, -2/+38)

    This version fixes the issue with 'State Creations' in pfctl -vvsr.

* | Revert "Importing pfSense patch pf_static_tracker.diff" (Luiz Otavio O Souza, 2016-01-28, 3 files, -38/+2)

    This reverts commit 9068fb423dfecae0f8b611d4bc558dd6cb2e2bd7.
* | Improve bridge detection in pf. (Luiz Otavio O Souza, 2015-12-05, 1 file, -4/+6)

    This fixes a problem where v6 multicast packets are forwarded instead of bridged.

    Kristof is working on a better fix for this whole issue, but meanwhile we are safe with these fixes.

    Ticket #5428
    Obtained from: kp@FreeBSD.org
* | pf_test6 does not know how to handle PF_FWD, pass PF_OUT instead. (Luiz Otavio O Souza, 2015-11-24, 1 file, -1/+1)

    pf_test6 can detect if the packet needs to be forwarded.

    Fixes an issue where the output state is not created when a packet is routed to a specific interface (with route-to).

    Issue: #5424

* | Set the interface pointer in all v6 fragments. (Luiz Otavio O Souza, 2015-11-18, 1 file, -0/+1)

    Fix a crash in ip6_forward() caused by a NULL m->m_pkthdr.rcvif.

    Issue: #5428

* | Pull in commit https://github.com/freebsd/freebsd/commit/56bf96006a33d46114e9cee6977f9dad3a78f9c4 (Chris Buechler, 2015-11-11, 1 file, -2/+2)
* | MFC r287009: (Luiz Otavio O Souza, 2015-11-11, 1 file, -0/+7)

    Add ALTQ(9) support for the CoDel algorithm.

    CoDel is a parameterless queue discipline that handles variable bandwidth and RTT. It can be used as the single queue discipline on an interface or as a sub discipline of existing queue disciplines such as PRIQ, CBQ, HFSC, FAIRQ.

    Differential Revision: https://reviews.freebsd.org/D3272
    Reviewed by: rpaulo, gnn (previous version)
    Obtained from: pfSense
    Sponsored by: Rubicon Communications (Netgate)
    TAG: CODEL
* | MFC r284777: (Luiz Otavio O Souza, 2015-11-11, 3 files, -0/+34)

    ALTQ FAIRQ discipline import from DragonFLY

    Differential Revision: https://reviews.freebsd.org/D2847
    Reviewed by: glebius, wblock(manpage)
    Approved by: gnn(mentor)
    Obtained from: pfSense
    Sponsored by: Netgate
    TAG: FAIRQ

* | Revert "Importing pfSense patch fairq.RELENG_10.diff" (Luiz Otavio O Souza, 2015-11-11, 3 files, -36/+0)

    This reverts commit 570dae5561e54cd2703f546b04a3fa029c92dc62.

    TAG: FAIRQ

* | Revert "Importing pfSense patch altq_codel.diff" (Luiz Otavio O Souza, 2015-11-11, 1 file, -7/+0)

    This reverts commit cf3bb1a7166bec431631defe01c8d4e706a99638.

    TAG: CODEL

* | Merge remote-tracking branch 'origin/stable/10' into devel (Renato Botelho, 2015-11-11, 1 file, -0/+7)

| * MFC r290161: (kp, 2015-11-11, 1 file, -0/+7)

    pf: Fix IPv6 checksums with route-to.

    When using route-to (or reply-to) pf sends the packet directly to the output interface. If that interface doesn't support checksum offloading the checksum has to be calculated in software. That was already done in the IPv4 case, but not for the IPv6 case. As a result we'd emit packets with pseudo-header checksums (i.e. incorrect checksums).

    This issue was exposed by the changes in r289316 when pf stopped performing full checksum calculations for all packets.

    Submitted by: Luoqi Chen

* | Fix pfSense patch dummynet.RELENG_10.diff (Renato Botelho, 2015-10-22, 1 file, -8/+8)

    After r289703, pf_change_ap has a new 1st parameter. Adjust code introduced by this patch to work with new stable/10

* | Merge branch 'stable/10' into devel (Renato Botelho, 2015-10-21, 3 files, -50/+88)

| * MFC r289316: (kp, 2015-10-21, 3 files, -50/+88)

    pf: Fix TSO issues

    In certain configurations (mostly but not exclusively as a VM on Xen) pf produced packets with an invalid TCP checksum.

    The problem was that pf could only handle packets with a full checksum. The FreeBSD IP stack produces TCP packets with a pseudo-header checksum (only addresses, length and protocol). Certain network interfaces expect to see the pseudo-header checksum, so they end up producing packets with invalid checksums.

    To fix this stop calculating the full checksum and teach pf to only update TCP checksums if TSO is disabled or the change affects the pseudo-header checksum.

    PR: 154428, 193579, 198868
    Relnotes: yes
    Sponsored by: RootBSD

* | Merge branch 'stable/10' into devel (Renato Botelho, 2015-09-11, 1 file, -1/+11)
| * MFC r287376 (kp, 2015-09-11, 1 file, -1/+11)

    pf: Fix misdetection of forwarding when net.link.bridge.pfil_bridge is set

    If net.link.bridge.pfil_bridge is set we can end up thinking we're forwarding in pf_test6() because the rcvif and the ifp (output interface) are different. In that case we're bridging though, and the rcvif is the bridge member on which the packet was received and ifp is the bridge itself.

    If we'd set dir to PF_FWD we'd end up calling ip6_forward() which is incorrect.

    Instead check if the rcvif is a member of the ifp bridge. (In other words, the if_bridge is the ifp's softc). If that's the case we're not forwarding but bridging.

    PR: 202351
* | Merge branch 'stable/10' into devel (Renato Botelho, 2015-08-27, 1 file, -1/+1)

    Catch up with proper fix for pf_increase_self_table_size.diff (r287207)
| * MFC r287119: (loos, 2015-08-27, 1 file, -1/+1)

    Reapply r196551 which was accidentally reverted by r223637 (update to OpenBSD pf 4.5).

    Fix argument ordering to memcpy as well as the size of the copy in the (theoretical) case that pfi_buffer_cnt should be greater than ~_max.

    This fixes the failure when you hit the self table size and force it to be resized.

    Sponsored by: Rubicon Communications (Netgate)
* | Revert "Importing pfSense patch pf_increase_self_table_size.diff" (Renato Botelho, 2015-08-27, 1 file, -1/+1)

    A proper fix reached stable/10 - r287207

    This reverts commit 74b3c6d4762659d5014ccefb21e6657f673ab443.
* | Apply the patch pf_tags_alloc.diff again. (Luiz Otavio O Souza, 2015-08-26, 1 file, -2/+16)

    There are too many changes on pf that depend on this change.

    This reverts commit 0ab5a7411ff94100549aa771f2085ffdc71f22e7.
* | Merge branch 'stable/10' into devel (Renato Botelho, 2015-08-20, 1 file, -2/+1)

| * MFC r286862: (loos, 2015-08-20, 1 file, -2/+1)

    Fix the copy of addresses passed from userland in table replace command.

    The size2 is the maximum userland buffer size (used when the addresses are copied back to userland).

    Obtained from: pfSense
    Sponsored by: Rubicon Communications (Netgate)

* | Revert "Importing pfSense patch pf_table_reload.diff" (Renato Botelho, 2015-08-20, 1 file, -1/+1)

    This reverts commit e47eb2084d73bd81025b9eb23683a704ec9e16e1.

    This is now on stable/10, r286961

* | Revert "Importing pfSense patch pf_tags_alloc.diff" (Luiz Otavio O Souza, 2015-08-20, 1 file, -16/+2)

    This reverts commit b74b5b434292ee1c1c1de56c45c21632d0316f68.

    This patch is no longer necessary, if something is broken without this we will fix the offending code.

* | Importing pfSense patch pf_increase_self_table_size.diff (Renato Botelho, 2015-08-17, 1 file, -1/+1)

* | Importing pfSense patch redmine_4310.diff (Renato Botelho, 2015-08-17, 2 files, -17/+7)

* | Importing pfSense patch pf_table_reload.diff (Renato Botelho, 2015-08-17, 1 file, -1/+1)

* | Importing pfSense patch pf_reply-to.enahnce.diff (Renato Botelho, 2015-08-17, 2 files, -8/+16)

* | Importing pfSense patch pf_icmp_redirect.diff (Renato Botelho, 2015-08-17, 1 file, -2/+8)

* | Importing pfSense patch pf_ifacebound_state.diff (Renato Botelho, 2015-08-17, 1 file, -3/+2)

* | Importing pfSense patch pf_table_paddr_clean.diff (Renato Botelho, 2015-08-17, 1 file, -1/+3)

* | Importing pfSense patch pf_static_tracker.diff (Renato Botelho, 2015-08-17, 3 files, -2/+38)

* | Importing pfSense patch pf_tags_alloc.diff (Renato Botelho, 2015-08-17, 1 file, -2/+16)

* | Importing pfSense patch divert.RELENG_10.diff (Renato Botelho, 2015-08-17, 2 files, -52/+105)