summaryrefslogtreecommitdiffstats
path: root/sys/netpfil
Commit message (Collapse)AuthorAgeFilesLines
* Make create_object callback optional and return EOPNOTSUPP when it isn'tae2016-04-272-13/+10
| | | | | | | defined. Remove eaction_create_compat() and use designated initializers to initialize eaction_opcodes structure. Obtained from: Yandex LLC
* netpfil: for pointers replace 0 with NULL.pfg2016-04-153-4/+4
| | | | | | | | These are mostly cosmetical, no functional change. Found with devel/coccinelle. Reviewed by: ae
* Add External Actions KPI to ipfw(9).ae2016-04-145-16/+518
| | | | | | | | | | | | | It allows implementing loadable kernel modules with new actions and without needing to modify kernel headers and ipfw(8). The module registers its action handler and keyword string, that will be used as action name. Using generic syntax user can add rules with this action. Also ipfw(8) can be easily modified to extend basic syntax for external actions, that become a part base system. Sample modules will coming soon. Obtained from: Yandex LLC Sponsored by: Yandex LLC
* Change the type of 'etlv' field in struct named_object to uint16_t.ae2016-04-142-4/+5
| | | | | | | It should match with the type field in struct ipfw_obj_tlv. Obtained from: Yandex LLC Sponsored by: Yandex LLC
* Adjust some comments and make ref_opcode_object() static.ae2016-04-141-4/+3
|
* o Teach opcode rewriting framework handle several rewriters forae2016-04-141-80/+107
| | | | | | | | | | | | | | | | | | the same opcode. o Reduce number of times classifier callback is called. It is redundant to call it just after find_op_rw(), since the last does call it already and can have all results. o Do immediately opcode rewrite in the ref_opcode_object(). This eliminates additional classifier lookup later on bulk update. For unresolved opcodes the behavior still the same, we save information from classifier callback in the obj_idx array, then perform automatic objects creation, then perform rewriting for opcodes using indeces from created objects. Obtained from: Yandex LLC Sponsored by: Yandex LLC
* Move several functions related to opcode rewriting framework fromae2016-04-143-140/+141
| | | | | | ip_fw_table.c into ip_fw_sockopt.c and make them static. Obtained from: Yandex LLC
* Cleanup unnecessary semicolons from the kernel.pfg2016-04-101-1/+1
| | | | Found with devel/coccinelle.
* pf: Improve forwarding detectionkp2016-03-161-4/+6
| | | | | | | | | | When we guess the nature of the outbound packet (output vs. forwarding) we need to take bridges into account. When bridging the input interface does not match the output interface, but we're not forwarding. Similarly, it's possible for the interface to actually be the bridge interface itself (and not a member interface). PR: 202351 MFC after: 2 weeks
* Use correct size for malloc.ae2016-03-031-1/+1
| | | | | Obtained from: Yandex LLC MFC after: 1 week
* Remove taskqueue_enqueue_fast().jhb2016-03-011-1/+1
| | | | | | | | | | taskqueue_enqueue() was changed to support both fast and non-fast taskqueues 10 years ago in r154167. It has been a compat shim ever since. It's time for the compat shim to go. Submitted by: Howard Su <howard0su@gmail.com> Reviewed by: sephe Differential Revision: https://reviews.freebsd.org/D5131
* pf: Fix possible out-of-bounds writekp2016-02-251-2/+3
| | | | | | | | | | | | | | | | | | In the DIOCRSETADDRS ioctl() handler we allocate a table for struct pfr_addrs, which is processed in pfr_set_addrs(). At the users request we also provide feedback on the deleted addresses, by storing them after the new list ('bcopy(&ad, addr + size + i, sizeof(ad));' in pfr_set_addrs()). This means we write outside the bounds of the buffer we've just allocated. We need to look at pfrio_size2 instead (i.e. the size the user reserved for our feedback). That'd allow a malicious user to specify a smaller pfrio_size2 than pfrio_size though, in which case we'd still read outside of the allocated buffer. Instead we allocate the largest of the two values. Reported By: Paul J Murphy <paul@inetstat.net> PR: 207463 MFC after: 5 days Differential Revision: https://reviews.freebsd.org/D5426
* Fix bug in filling and handling ipfw's O_DSCP opcode.ae2016-02-241-1/+1
| | | | | | | Due to integer overflow CS4 token was handled as BE. PR: 207459 MFC after: 1 week
* in pf_print_state_parts, do not use skw->proto to print the protocol but ourkp2016-02-201-1/+1
| | | | | | | local copy proto that we very carefully set beforehands. skw being NULL is perfectly valid there. Obtained from: OpenBSD (henning)
* Fix obvious typo, that lead to incorrect sorting.glebius2016-02-181-1/+1
| | | | Found by: PVS-Studio
* These files were getting sys/malloc.h and vm/uma.h with header pollutionglebius2016-02-011-1/+2
| | | | via sys/mbuf.h
* cleanup and document in some detail the internals of the testing codeluigi2016-01-275-143/+199
| | | | for dummynet schedulers
* the _Static_assert was not supposed to be in the commit.luigi2016-01-271-1/+0
|
* bugfix: the scheduler template (dn_schk) for the round robin schedulerluigi2016-01-271-1/+2
| | | | | | | | | | | | is followed by another structure (rr_schk) whose size must be set in the schk_datalen field of the descriptor. Not allocating the memory may cause other memory to be overwritten (though dn_schk is 192 bytes and rr_schk only 12 so we may be lucky and end up in the padding after the dn_schk). This is a merge candidate for stable and 10.3 MFC after: 3 days
* fix various warnings to compile the test code with -Wextraluigi2016-01-263-3/+9
|
* fix various warnings (signed/unsigned, printf types, unused arguments)luigi2016-01-261-13/+16
|
* prevent warnings for signed/unsigned comparisons and unused arguments.luigi2016-01-261-6/+14
| | | | Add checks for parameters overflowing 32 bit.
* prevent warning for unused argumentluigi2016-01-261-0/+1
|
* avoid warnings for signed/unsigned comparison and unused argumentsluigi2016-01-261-1/+3
|
* Revert one chunk from commit 285362, which introduced an off-by-one errorluigi2016-01-261-2/+6
| | | | | | | | | in computing a shift index. The error was due to the use of mixed fls() / __fls() functions in another implementation of qfq. To avoid that the problem occurs again, properly document which incarnation of the function we need. Note that the bug only affects QFQ in FreeBSD head from last july, as the patch was not merged to other versions.
* MFP r287070,r287073: split radix implementation and route table structure.melifaro2016-01-252-54/+55
| | | | | | | | | | | | | | | | | | | | | | | There are number of radix consumers in kernel land (pf,ipfw,nfs,route) with different requirements. In fact, first 3 don't have _any_ requirements and first 2 does not use radix locking. On the other hand, routing structure do have these requirements (rnh_gen, multipath, custom to-be-added control plane functions, different locking). Additionally, radix should not known anything about its consumers internals. So, radix code now uses tiny 'struct radix_head' structure along with internal 'struct radix_mask_head' instead of 'struct radix_node_head'. Existing consumers still uses the same 'struct radix_node_head' with slight modifications: they need to pass pointer to (embedded) 'struct radix_head' to all radix callbacks. Routing code now uses new 'struct rib_head' with different locking macro: RADIX_NODE_HEAD prefix was renamed to RIB_ (which stands for routing information base). New net/route_var.h header was added to hold routing subsystem internal data. 'struct rib_head' was placed there. 'struct rtentry' will also be moved there soon.
* Fix panic on table/table entry delete. The panic could have happenedmelifaro2016-01-211-0/+1
| | | | | | | | | | | | | | if more than 64 distinct values had been used. Table value code uses internal objhash API which requires unique key for each object. For value code, pointer to the actual value data is used. The actual problem arises from the fact that 'actual' e.g. runtime data is stored in array and that array is auto-growing. There is special hook (update_tvalue() function) which is used to update the pointers after the change. For some reason, object 'key' was not updated. Fix this by adding update code to the update_tvalue(). Sponsored by: Yandex LLC
* Initialize error value ta_lookup_kfib() by default to please compiler.melifaro2016-01-101-3/+1
|
* Initialize error after r293626 in case neither INET nor INET6 isbz2016-01-101-0/+3
| | | | | | compiled into the kernel. Ideally lots more code would just not be called (or compiled in) in that case but that requires a lot more surgery. For now try to make IP-less kernels compile again.
* Make ipfw addr:kfib lookup algo use new routing KPI.melifaro2016-01-101-49/+72
|
* Use already pre-calculated number of entries instead of tc->count.melifaro2016-01-101-1/+1
|
* Remove sys/eventhandler.h from net/route.hmelifaro2016-01-091-0/+1
| | | | Reviewed by: ae
* Convert pf(4) to the new routing API.melifaro2016-01-071-42/+89
| | | | Differential Revision: https://reviews.freebsd.org/D4763
* Properly drain callouts in the IPFW subsystem to avoid use after freehselasky2015-12-153-6/+12
| | | | | | | | | | | | | | | | | panics when unloading the dummynet and IPFW modules: - The callout drain function can sleep and should not be called having a non-sleepable lock locked. Remove locks around "ipfw_dyn_uninit(0)". - Add a new "dn_gone" variable to prevent asynchronous restart of dummynet callouts when unloading the dummynet kernel module. - Call "dn_reschedule()" locked so that "dn_gone" can be set and checked atomically with regard to starting a new callout. Reviewed by: hiren MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D3855
* Merge helper fib* functions used for basic lookups.melifaro2015-12-081-59/+23
| | | | | | | | | | | | | | | | | | | | Vast majority of rtalloc(9) users require only basic info from route table (e.g. "does the rtentry interface match with the interface I have?". "what is the MTU?", "Give me the IPv4 source address to use", etc..). Instead of hand-rolling lookups, checking if rtentry is up, valid, dealing with IPv6 mtu, finding "address" ifp (almost never done right), provide easy-to-use API hiding all the complexity and returning the needed info into small on-stack structure. This change also helps hiding route subsystem internals (locking, direct rtentry accesses). Additionaly, using this API improves lookup performance since rtentry is not locked. (This is safe, since all the rtentry changes happens under both radix WLOCK and rtentry WLOCK). Sponsored by: Yandex LLC
* Add destroy_object callback to object rewriting framework.ae2015-11-232-2/+11
| | | | | | | | It is called when last reference to named object is going to be released and allows to do additional cleanup for implementation of named objects. Obtained from: Yandex LLC Sponsored by: Yandex LLC
* Fix dynamic IPv6 rules showing junk for non-specified address masks.bdrewery2015-11-171-0/+3
| | | | | | | | | | | | | | | | For example: 00002 0 0 (19s) PARENT 1 tcp 10.10.0.5 0 <-> 0.0.0.0 0 00002 4 412 (1s) LIMIT tcp 10.10.0.5 25848 <-> 10.10.0.7 22 00002 10 777 (1s) LIMIT tcp 2001:894:5a24:653::503:1 52023 <-> 2001:894:5a24:653:ca0a:a9ff:fe04:3978 22 00002 0 0 (17s) PARENT 1 tcp 2001:894:5a24:653::503:1 0 <-> 80f3:70d:23fe:ffff:1005:: 0 Fix this by zeroing the unused address, as is done for IPv4: 00002 0 0 (18s) PARENT 1 tcp 10.10.0.5 0 <-> 0.0.0.0 0 00002 36 14952 (1s) LIMIT tcp 10.10.0.5 25848 <-> 10.10.0.7 22 00002 0 0 (0s) PARENT 1 tcp 2001:894:5a24:653::503:1 0 <-> :: 0 00002 4 345 (274s) LIMIT tcp 2001:894:5a24:653::503:1 34131 <-> 2001:470:1f11:262:ca0a:a9ff:fe04:3978 22 MFC after: 2 weeks
* Bring back the ability of passing cached route via nd6_output_ifp().melifaro2015-11-151-1/+1
|
* This fixes several places where callout_stops return is examined. Therrs2015-11-131-2/+2
| | | | | | | | | | new return codes of -1 were mistakenly being considered "true". Callout_stop now returns -1 to indicate the callout had either already completed or was not running and 0 to indicate it could not be stopped. Also update the manual page to make it more consistent no non-zero in the callout_stop or callout_reset descriptions. MFC after: 1 Month with associated callout change.
* Print proper setfib values in ipfw log.melifaro2015-11-081-1/+1
| | | | Submitted by: Denis Schneider <v1ne2go at gmail>
* Fix setfib target.melifaro2015-11-082-3/+3
| | | | | | Problem was introduced in r272840 when converting tablearg value to 0. Submitted by: Denis Schneider <v1ne2go at gmail>
* pf: Fix broken rule skip calculationkp2015-11-071-2/+2
| | | | | | | | r289932 accidentally broke the rule skip calculation. The address family argument to PF_ANEQ() is now important, and because it was set to 0 the macro always evaluated to false. This resulted in incorrect skip values, which in turn broke the rule evaluations.
* Remove now obsolete KASSERT.ae2015-11-031-6/+0
| | | | | | | | Actually, object classify callbacks can skip some opcodes, that could be rewritten. We will deteremine real numbed of rewritten opcodes a bit later in this function. Reported by: David H. Wolfskill <david at catwhisker dot org>
* Eliminate any conditional increments of object_opcodes in theae2015-11-032-3/+9
| | | | | | | | | | | check_ipfw_rule_body() function. This function is intended to just determine that rule has some opcodes that can be rewrited. Then the ref_rule_objects() function will determine real number of rewritten opcodes using classify callback. Reviewed by: melifaro Obtained from: Yandex LLC Sponsored by: Yandex LLC
* Add ipfw_check_object_name_generic() function to do basic checks for anae2015-11-034-30/+17
| | | | | | | | | object name correctness. Each type of object can do more strict checking in own implementation. Do such checks for tables in check_table_name(). Reviewed by: melifaro Obtained from: Yandex LLC Sponsored by: Yandex LLC
* Implement `ipfw internal olist` command to list named objects.ae2015-11-032-5/+63
| | | | | | Reviewed by: melifaro Obtained from: Yandex LLC Sponsored by: Yandex LLC
* pf: Fix IPv6 checksums with route-to.kp2015-10-291-0/+7
| | | | | | | | | | | | | | When using route-to (or reply-to) pf sends the packet directly to the output interface. If that interface doesn't support checksum offloading the checksum has to be calculated in software. That was already done in the IPv4 case, but not for the IPv6 case. As a result we'd emit packets with pseudo-header checksums (i.e. incorrect checksums). This issue was exposed by the changes in r289316 when pf stopped performing full checksum calculations for all packets. Submitted by: Luoqi Chen MFC after: 1 week
* Eliminate last rtalloc_ign() caller.melifaro2015-10-271-3/+0
| | | | Differential Revision: https://reviews.freebsd.org/D3927
* pf: Fix TSO issueskp2015-10-143-50/+88
| | | | | | | | | | | | | | | | | | | | | In certain configurations (mostly but not exclusively as a VM on Xen) pf produced packets with an invalid TCP checksum. The problem was that pf could only handle packets with a full checksum. The FreeBSD IP stack produces TCP packets with a pseudo-header checksum (only addresses, length and protocol). Certain network interfaces expect to see the pseudo-header checksum, so they end up producing packets with invalid checksums. To fix this stop calculating the full checksum and teach pf to only update TCP checksums if TSO is disabled or the change affects the pseudo-header checksum. PR: 154428, 193579, 198868 Reviewed by: sbruno MFC after: 1 week Relnotes: yes Sponsored by: RootBSD Differential Revision: https://reviews.freebsd.org/D3779
* Bump number of prefixes in O_IP_<SRC|DST> from 15 to 31 (max possible).melifaro2015-10-031-1/+1
| | | | | | PR: 203459 Submitted by: groos at xiplink.com MFC after: 2 weeks
OpenPOWER on IntegriCloud