subrulenr is considered unset if it's set to -1, not if it's set to 1.
See contrib/tcpdump/print-pflog.c pflog_print() for a user.
This caused incorrect pflog output (tcpdump -n -e -ttt -i pflog0):
rule 0..16777216(match)
instead of the correct output of
rule 0/0(match)
PR: 214832
Submitted by: andywhite@gmail.com
pf: Add missing byte-order swap to pf_match_addr_range
Without this, rules using address ranges (e.g. "10.1.1.1 - 10.1.1.5") did not
match addresses correctly on little-endian systems.
PR: 211796
Obtained from: OpenBSD (sthen)
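What the missing swap does to range matching, as an added example that is not pf's own `pf_match_addr_range`: pf keeps IPv4 addresses in network byte order, so comparing the raw words on a little-endian host orders them by their last octet first. The function names and probe addresses are this example's own; the range is the one quoted in the commit message.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>

/* Parse a dotted quad into the network-byte-order word pf keeps in
 * pf_addr.addr32[0]; returns 0 (0.0.0.0) if the string does not parse. */
static uint32_t ip4(const char *dotted)
{
    struct in_addr a;
    return inet_pton(AF_INET, dotted, &a) == 1 ? a.s_addr : 0;
}

/* Broken form: compares the raw network-order words. On a little-endian host
 * that orders addresses by their last octet first, so "10.1.1.1 - 10.1.1.5"
 * wrongly admits 11.1.1.3 and a range spanning two /24s loses addresses. */
int in_range_raw(const char *begin, const char *end, const char *addr)
{
    uint32_t b = ip4(begin), e = ip4(end), a = ip4(addr);
    return !(a < b || a > e);
}

/* Fixed form: convert to host order first (the missing byte-order swap), so
 * the comparison follows the numeric order of the addresses on every host. */
int in_range_fixed(const char *begin, const char *end, const char *addr)
{
    uint32_t b = ntohl(ip4(begin)), e = ntohl(ip4(end)), a = ntohl(ip4(addr));
    return !(a < b || a > e);
}

int main(void)
{
    const char *probe[] = {"10.1.1.3", "11.1.1.3", "10.1.1.9"};
    for (int i = 0; i < 3; i++)
        printf("%-9s raw=%d fixed=%d\n", probe[i],
               in_range_raw("10.1.1.1", "10.1.1.5", probe[i]),
               in_range_fixed("10.1.1.1", "10.1.1.5", probe[i]));
    return 0;
}
```

On a little-endian host the raw form reports 11.1.1.3 as inside "10.1.1.1 - 10.1.1.5", which is why a range rule could silently match or miss traffic it was not written for.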
pf: Map hook returns onto the correct error values
pf returns PF_PASS, PF_DROP, ... in the netpfil hooks, but the hook callers
expect to get E<foo> error codes.
Map the return values. A pass is 0 (everything is OK), anything else means
pf ate the packet, so return EACCES, which tells the stack not to emit an ICMP
error message.
PR: 207598
pf: Fix broken rule skip calculation
r289932 accidentally broke the rule skip calculation. The address family
argument to PF_ANEQ() is now important, and because it was set to 0 the macro
always evaluated to false.
This resulted in incorrect skip values, which in turn broke the rule
evaluations.
pf: Fix ICMP translation
Fix ICMP source address rewriting in rdr scenarios.
pf: Fix more ICMP mistranslation
In the default case fix the substitution of the destination address.
PR: 201519
Submitted by: Max <maximos@als.nnov.ru>
pf: Fix fragment timeout
We were inconsistent about the use of time_second vs. time_uptime.
Always use time_uptime so the value can be meaningfully compared.
Submitted by: "Max" <maximos@als.nnov.ru>
In the default case fix the substitution of the destination address.
PR: 201519
Submitted by: Max <maximos@als.nnov.ru>
MFC after: 1 week
(cherry picked from commit 7ddccc27cd3b8cf9bef3dd5b7b71c8b82e914386)
Fix ICMP source address rewriting in rdr scenarios.
PR: 201519
Submitted by: Max <maximos@als.nnov.ru>
MFC after: 1 week
(cherry picked from commit e155a36ec0418be0b8147484b0644e5e50ab7d25)
Found during the patch reviews for 2.4.
Add ALTQ(9) support for the CoDel algorithm.
CoDel is a parameterless queue discipline that handles variable bandwidth
and RTT.
It can be used as the single queue discipline on an interface or as a sub
discipline of existing queue disciplines such as PRIQ, CBQ, HFSC, FAIRQ.
Obtained from: pfSense
Sponsored by: Rubicon Communications (Netgate)
ALTQ FAIRQ discipline import from DragonFly.
Differential Revision: https://reviews.freebsd.org/D2847
Obtained from: pfSense
Sponsored by: Rubicon Communications (Netgate)
pf: Improve forwarding detection
When we guess the nature of the outbound packet (output vs. forwarding) we need
to take bridges into account. When bridging, the input interface does not match
the output interface, but we're not forwarding. Similarly, it's possible for the
interface to actually be the bridge interface itself (and not a member interface).
This reverts commit c548a571ceaeae698d02b862b4170d015a265ba7.
TAG: FAIRQ
This reverts commit 9622cc803af75551a6623d5d9c5311f1e0af1cb5.
TAG: CODEL
pf: Fix possible out-of-bounds write
In the DIOCRSETADDRS ioctl() handler we allocate a table for struct pfr_addrs,
which is processed in pfr_set_addrs(). At the user's request we also provide
feedback on the deleted addresses, by storing them after the new list
('bcopy(&ad, addr + size + i, sizeof(ad));' in pfr_set_addrs()).
This means we write outside the bounds of the buffer we've just allocated.
We need to look at pfrio_size2 instead (i.e. the size the user reserved for our
feedback). That'd allow a malicious user to specify a smaller pfrio_size2 than
pfrio_size though, in which case we'd still read outside of the allocated
buffer. Instead we allocate the largest of the two values.
Reported By: Paul J Murphy <paul@inetstat.net>
PR: 207463
Approved by: re (marius)
Use correct src/dst ports when removing states.
Submitted by: Milosz Kaniewski <m.kaniewski@wheelsystems.com>,
UMEZAWA Takeshi <umezawa@iij.ad.jp> (original)
Reviewed by: glebius
Approved by: re (marius)
Obtained from: OpenBSD
Sponsored by: Rubicon Communications (Netgate)
Differential revision: https://reviews.freebsd.org/D5392
DIOCADDADDR and DIOCADDRULE.
PR: 206933
Approved by: re (marius)
This reverts commit b8ac7a6968caff799a8f2b7eaa7b50a44102e35f.
There was a mistake when code was imported that led us to end up with a
duplicated block of code on the IPv6 code path while one of these blocks
belongs to IPv4.
Without this patch pf wouldn't apply the vlan pcp value correctly to
outbound IPv4 traffic.
Patch: pf_802.1p.diff
Submitted by: Matthew Grooms <mgrooms@shrew.net>
Use correct src/dst ports when removing states.
Submitted by: Milosz Kaniewski <m.kaniewski@wheelsystems.com>,
UMEZAWA Takeshi <umezawa@iij.ad.jp> (original)
Reviewed by: glebius
Approved by: pjd (mentor)
Obtained from: OpenBSD
This version fixes the issue with 'State Creations' in pfctl -vvsr.
This reverts commit 9068fb423dfecae0f8b611d4bc558dd6cb2e2bd7.
This fixes a problem where v6 multicast packets are forwarded instead of bridged.
Kristof is working on a better fix for this whole issue, but meanwhile we are safe with these fixes.
Ticket #5428
Obtained from: kp@FreeBSD.org
pf_test6 can detect if the packet needs to be forwarded.
Fixes an issue where the output state is not created when a packet is routed to a specific interface (with route-to).
Issue: #5424
Fix a crash in ip6_forward() caused by a NULL m->m_pkthdr.rcvif.
Issue: #5428
https://github.com/freebsd/freebsd/commit/56bf96006a33d46114e9cee6977f9dad3a78f9c4
Add ALTQ(9) support for the CoDel algorithm.
CoDel is a parameterless queue discipline that handles variable bandwidth
and RTT.
It can be used as the single queue discipline on an interface or as a sub
discipline of existing queue disciplines such as PRIQ, CBQ, HFSC, FAIRQ.
Differential Revision: https://reviews.freebsd.org/D3272
Reviewed by: rpaulo, gnn (previous version)
Obtained from: pfSense
Sponsored by: Rubicon Communications (Netgate)
TAG: CODEL
ALTQ FAIRQ discipline import from DragonFly
Differential Revision: https://reviews.freebsd.org/D2847
Reviewed by: glebius, wblock(manpage)
Approved by: gnn(mentor)
Obtained from: pfSense
Sponsored by: Netgate
TAG: FAIRQ
This reverts commit 570dae5561e54cd2703f546b04a3fa029c92dc62.
TAG: FAIRQ
This reverts commit cf3bb1a7166bec431631defe01c8d4e706a99638.
TAG: CODEL
pf: Fix IPv6 checksums with route-to.
When using route-to (or reply-to) pf sends the packet directly to the output
interface. If that interface doesn't support checksum offloading the checksum
has to be calculated in software.
That was already done in the IPv4 case, but not for the IPv6 case. As a result
we'd emit packets with pseudo-header checksums (i.e. incorrect checksums).
This issue was exposed by the changes in r289316 when pf stopped performing full
checksum calculations for all packets.
Submitted by: Luoqi Chen
After r289703, pf_change_ap has a new 1st parameter. Adjust code
introduced by this patch to work with new stable/10
pf: Fix TSO issues
In certain configurations (mostly but not exclusively as a VM on Xen) pf
produced packets with an invalid TCP checksum.
The problem was that pf could only handle packets with a full checksum. The
FreeBSD IP stack produces TCP packets with a pseudo-header checksum (only
addresses, length and protocol).
Certain network interfaces expect to see the pseudo-header checksum, so they
end up producing packets with invalid checksums.
To fix this, stop calculating the full checksum and teach pf to only update TCP
checksums if TSO is disabled or the change affects the pseudo-header checksum.
PR: 154428, 193579, 198868
Relnotes: yes
Sponsored by: RootBSD
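The checksum distinction behind this fix and the IPv6 route-to fix above, as an added example that is not pf's code: the host stack leaves only the pseudo-header sum in th_sum when it expects the NIC to finish the checksum, and a receiver that sees such a segment on the wire treats it as corrupt. The SYN bytes and addresses are constructed, and `verify_constructed_syn` and the other helper names are this example's own.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>

/* Running one's-complement sum over big-endian 16-bit words. */
static uint32_t sum16(uint32_t s, const uint8_t *p, size_t n)
{
    for (; n > 1; n -= 2, p += 2)
        s += ((uint32_t)p[0] << 8) | p[1];
    return n ? s + ((uint32_t)p[0] << 8) : s;
}

/* Fold the carries and complement: the value that goes on the wire. */
static uint16_t finish(uint32_t s)
{
    while (s >> 16)
        s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}

/* Partial sum over the IPv4 pseudo-header (addresses, protocol, TCP length);
 * under TSO/checksum offload this is all the host stack puts into th_sum. */
static uint32_t pseudo_partial(uint32_t src_nbo, uint32_t dst_nbo, uint16_t len)
{
    uint8_t ph[12] = {0};
    memcpy(ph, &src_nbo, 4);
    memcpy(ph + 4, &dst_nbo, 4);
    ph[9] = IPPROTO_TCP; ph[10] = len >> 8; ph[11] = len & 0xff;
    return sum16(0, ph, sizeof ph);
}

/* Full checksum over pseudo-header, TCP header and payload. Doubles as the
 * receiver's check: with th_sum filled in, a valid segment yields 0. */
uint16_t tcp_csum_full(uint32_t src, uint32_t dst, const uint8_t *seg, uint16_t len)
{
    return finish(sum16(pseudo_partial(src, dst, len), seg, len));
}

/* Constructed 20-byte SYN 10.0.0.1:1234 -> 10.0.0.2:80, th_sum zeroed. Stores
 * either the full or the pseudo-header-only checksum and returns what a
 * receiver verifying the segment then sees (0 means valid). */
uint16_t verify_constructed_syn(int pseudo_only)
{
    uint8_t seg[20] = {0x04,0xd2, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x02, 0x20,0x00};
    uint32_t src = htonl(0x0a000001), dst = htonl(0x0a000002);
    uint16_t c = pseudo_only ? finish(pseudo_partial(src, dst, 20))
                             : tcp_csum_full(src, dst, seg, 20);
    seg[16] = c >> 8; seg[17] = c & 0xff;
    return tcp_csum_full(src, dst, seg, 20);
}
```

A port rewrite leaves `pseudo_partial` unchanged, so under TSO the NIC's recomputation still comes out right; an address rewrite changes it, which is the case pf must still patch th_sum for.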
pf: Fix misdetection of forwarding when net.link.bridge.pfil_bridge is set
If net.link.bridge.pfil_bridge is set we can end up thinking we're forwarding
in pf_test6() because the rcvif and the ifp (output interface) are different.
In that case we're bridging though, and the rcvif is the bridge member on
which the packet was received and ifp is the bridge itself.
If we'd set dir to PF_FWD we'd end up calling ip6_forward() which is
incorrect.
Instead check if the rcvif is a member of the ifp bridge. (In other words, the
if_bridge is the ifp's softc). If that's the case we're not forwarding but
bridging.
PR: 202351
Catch up with proper fix for pf_increase_self_table_size.diff (r287207)
Reapply r196551 which was accidentally reverted by r223637 (update to
OpenBSD pf 4.5).
Fix argument ordering to memcpy as well as the size of the copy in the
(theoretical) case that pfi_buffer_cnt should be greater than ~_max.
This fixes the failure when you hit the self table size and force it to be
resized.
Sponsored by: Rubicon Communications (Netgate)
A proper fix reached stable/10 - r287207
This reverts commit 74b3c6d4762659d5014ccefb21e6657f673ab443.
There are too many changes on pf that depend on this change.
This reverts commit 0ab5a7411ff94100549aa771f2085ffdc71f22e7.
Fix the copy of addresses passed from userland in table replace command.
The size2 is the maximum userland buffer size (used when the addresses are
copied back to userland).
Obtained from: pfSense
Sponsored by: Rubicon Communications (Netgate)