#
293896 |
|
14-Jan-2016 |
glebius |
o Fix invalid TCP checksums with pf(4). [EN-16:02.pf] o Fix YP/NIS client library critical bug. [EN-16:03.yplib] o Fix SCTP ICMPv6 error message vulnerability. [SA-16:01.sctp] o Fix ntp panic threshold bypass vulnerability. [SA-16:02.ntp] o Fix Linux compatibility layer incorrect futex handling. [SA-16:03.linux] o Fix Linux compatibility layer setgroups(2) system call. [SA-16:04.linux] o Fix TCP MD5 signature denial of service. [SA-16:05.tcp] o Fix insecure default bsnmpd.conf permissions. [SA-16:06.bsnmpd]
Errata: FreeBSD-EN-16:02.pf Errata: FreeBSD-EN-16:03.yplib Security: FreeBSD-SA-16:01.sctp, CVE-2016-1879 Security: FreeBSD-SA-16:02.ntp, CVE-2015-5300 Security: FreeBSD-SA-16:03.linux, CVE-2016-1880 Security: FreeBSD-SA-16:04.linux, CVE-2016-1881 Security: FreeBSD-SA-16:05.tcp, CVE-2016-1882 Security: FreeBSD-SA-16:06.bsnmpd, CVE-2015-5677 Approved by: so
|
#
267654 |
|
19-Jun-2014 |
gjb |
Copy stable/9 to releng/9.3 as part of the 9.3-RELEASE cycle.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation |
#
243401 |
|
22-Nov-2012 |
glebius |
Partially merge r240494, which moved netinet/ipfw to netpfil/ipfw, to make it easier to merge ipfw commits back to stable/9.
|
#
237053 |
|
14-Jun-2012 |
glebius |
Merge r236671 from head: Merge revision 1.715 from OpenBSD:
date: 2010/12/24 20:12:56; author: henning; state: Exp; lines: +3 -3 in pf_src_connlimit, the indices to sk->addr were swapped. tracked down and diff sent by Robert B Mills <rbmills at sdf.lonestar.org> thanks, very good work! ok claudio
Impact is that the "flush" keyword didn't work.
Obtained from: OpenBSD
|
#
232292 |
|
29-Feb-2012 |
bz |
MFC r231852,232127:
Merge multi-FIB IPv6 support.
Extend the so far IPv4-only support for multiple routing tables (FIBs) introduced in r178888 to IPv6 providing feature parity.
This includes an extended rtalloc(9) KPI for IPv6, the necessary adjustments to the network stack, and user land support as in netstat.
Sponsored by: Cisco Systems, Inc.
|
#
230868 |
|
01-Feb-2012 |
glebius |
Merge some cleanups and bugfixes to pfsync(4) and pf(4) from head. Merged revisions: r229773,229777,229849-229853,229857,229959,229961-229964,229976.
r229777: Merge from OpenBSD: revision 1.170 date: 2011/10/30 23:04:38; author: mikeb; state: Exp; lines: +6 -7 Allow setting big MTU values on the pfsync interface but not larger than the syncdev MTU. Prompted by the discussion with and tested by Maxim Bourmistrov; ok dlg, mpf
Consistently use sc_ifp->if_mtu in the MTU check throughout the module. This backs out r228813.
r229849: o Fix panic on module unload, that happened due to mutex being destroyed prior to pfsync_uninit(). To do this, move all the initialization to the module_t method, instead of SYSINIT(9). o Fix another panic after module unload, due to not clearing the m_addr_chg_pf_p pointer. o Refuse to unload module, unless being unloaded forcibly. o Revert the sub argument to MODULE_DECLARE, to the stable/8 value.
r229850: Bunch of fixes to pfsync(4) module load/unload:
o Make the pfsync.ko actually usable. Before this change loading it didn't register protosw, so was a nop. However, a module /boot/kernel did confused users. o Rewrite the way we are joining multicast group: - Move multicast initialization/destruction to separate functions. - Don't allocate memory if we aren't going to join a multicast group. - Use modern API for joining/leaving multicast group. - Now the utterly wrong pfsync_ifdetach() isn't needed. o Move module initialization from SYSINIT(9) to moduledata_t method. o Refuse to unload module, unless asked forcibly. o Improve a bit some FreeBSD porting code: - Use separate malloc type. - Simplify swi sheduling.
r229857: Can't pass MSIZE to m_cljget(), an mbuf can't be attached as external storage to another mbuf.
r229963: Add necessary locking in pfsync_in_ureq().
r229976: Redo r226660: - Define schednetisr() to swi_sched. - In the swi handler check if there is some data prepared, and if true, then call pfsync_sendout(), however tell it not to schedule swi again. - Since now we don't obtain the pfsync lock in the swi handler, don't use ifqueue mutex to synchronize queue access.
r229773, r229851, r229959, r229961, r229962, r229964 - minor cleanups.
|
#
228182 |
|
01-Dec-2011 |
glebius |
MFhead r228150:
Return value should be conditional on return value of pfsync_defer_ptr()
PR: kern/162947 Submitted by: Matthieu Kraus <matthieu.kraus s2008.tu-chemnitz.de>
Approved by: re (kib)
|
#
227898 |
|
23-Nov-2011 |
bz |
MFC r226938 (by kevlo):
Add missing PF_UNLOCK in pf_test
Approved by: re (kib)
|
#
226796 |
|
26-Oct-2011 |
bz |
MFC r226527:
Fix indentation in a loop and a tiny maze of #ifdefs for just the __FreeBSD__ parts that had it wrong.
MFC r226530:
Fix a bug when NPFSYNC > 0 that on FreeBSD we would always return and never remove state.
This fixes the problem some people are seeing that state is removed when pf is loaded as a module but not in situations when compiled into the kernel.
Approved by: re (kib)
|
#
225736 |
|
22-Sep-2011 |
kensmith |
Copy head to stable/9 as part of 9.0-RELEASE release cycle.
Approved by: re (implicit)
|
#
225171 |
|
25-Aug-2011 |
bz |
Use the correct byte order for the ip_divert(4) mbuf tag port meta information in pf(4).
Submitted by: Yaocl (chunlinyao gmail.com), forum post 145106 Approved by: re (kib)
|
#
223637 |
|
28-Jun-2011 |
bz |
Update packet filter (pf) code to OpenBSD 4.5.
You need to update userland (world and ports) tools to be in sync with the kernel.
Submitted by: mlaier Submitted by: eri
|
#
222691 |
|
04-Jun-2011 |
rwatson |
Add _mbuf() variants of various inpcb-related interfaces, including lookup, hash install, etc. For now, these are arguments are unused, but as we add RSS support, we will want to use hashes extracted from mbufs, rather than manually calculated hashes of header fields, due to the expensive of the software version of Toeplitz (and similar hashes).
Add notes that it would be nice to be able to pass mbufs into lookup routines in pf(4), optimising firewall lookup in the same way, but the code structure there doesn't facilitate that currently.
(In principle there is no reason this couldn't be MFCed -- the change extends rather than modifies the KBI. However, it won't be useful without other previous possibly less MFCable changes.)
Reviewed by: bz Sponsored by: Juniper Networks, Inc.
|
#
222529 |
|
31-May-2011 |
bz |
Remove some further INET related symbols from pf to allow the module to not only compile bu load as well for testing with IPv6-only kernels. For the moment we ignore the csum change in pf_ioctl.c given the pending update to pf45.
Reported by: dru Sponsored by: The FreeBSD Foundation Sponsored by: iXsystems MFC after: 20 days
|
#
222488 |
|
30-May-2011 |
rwatson |
Decompose the current single inpcbinfo lock into two locks:
- The existing ipi_lock continues to protect the global inpcb list and inpcb counter. This lock is now relegated to a small number of allocation and free operations, and occasional operations that walk all connections (including, awkwardly, certain UDP multicast receive operations -- something to revisit).
- A new ipi_hash_lock protects the two inpcbinfo hash tables for looking up connections and bound sockets, manipulated using new INP_HASH_*() macros. This lock, combined with inpcb locks, protects the 4-tuple address space.
Unlike the current ipi_lock, ipi_hash_lock follows the individual inpcb connection locks, so may be acquired while manipulating a connection on which a lock is already held, avoiding the need to acquire the inpcbinfo lock preemptively when a binding change might later be required. As a result, however, lookup operations necessarily go through a reference acquire while holding the lookup lock, later acquiring an inpcb lock -- if required.
A new function in_pcblookup() looks up connections, and accepts flags indicating how to return the inpcb. Due to lock order changes, callers no longer need acquire locks before performing a lookup: the lookup routine will acquire the ipi_hash_lock as needed. In the future, it will also be able to use alternative lookup and locking strategies transparently to callers, such as pcbgroup lookup. New lookup flags are, supplementing the existing INPLOOKUP_WILDCARD flag:
INPLOOKUP_RLOCKPCB - Acquire a read lock on the returned inpcb INPLOOKUP_WLOCKPCB - Acquire a write lock on the returned inpcb
Callers must pass exactly one of these flags (for the time being).
Some notes:
- All protocols are updated to work within the new regime; especially, TCP, UDPv4, and UDPv6. pcbinfo ipi_lock acquisitions are largely eliminated, and global hash lock hold times are dramatically reduced compared to previous locking. - The TCP syncache still relies on the pcbinfo lock, something that we may want to revisit. - Support for reverting to the FreeBSD 7.x locking strategy in TCP input is no longer available -- hash lookup locks are now held only very briefly during inpcb lookup, rather than for potentially extended periods. However, the pcbinfo ipi_lock will still be acquired if a connection state might change such that a connection is added or removed. - Raw IP sockets continue to use the pcbinfo ipi_lock for protection, due to maintaining their own hash tables. - The interface in6_pcblookup_hash_locked() is maintained, which allows callers to acquire hash locks and perform one or more lookups atomically with 4-tuple allocation: this is required only for TCPv6, as there is no in6_pcbconnect_setup(), which there should be. - UDPv6 locking remains significantly more conservative than UDPv4 locking, which relates to source address selection. This needs attention, as it likely significantly reduces parallelism in this code for multithreaded socket use (such as in BIND). - In the UDPv4 and UDPv6 multicast cases, we need to revisit locking somewhat, as they relied on ipi_lock to stablise 4-tuple matches, which is no longer sufficient. A second check once the inpcb lock is held should do the trick, keeping the general case from requiring the inpcb lock for every inpcb visited. - This work reminds us that we need to revisit locking of the v4/v6 flags, which may be accessed lock-free both before and after this change. - Right now, a single lock name is used for the pcbhash lock -- this is undesirable, and probably another argument is required to take care of this (or a char array name field in the pcbinfo?).
This is not an MFC candidate for 8.x due to its impact on lookup and locking semantics. It's possible some of these issues could be worked around with compatibility wrappers, if necessary.
Reviewed by: bz Sponsored by: Juniper Networks, Inc.
|
#
221132 |
|
27-Apr-2011 |
bz |
Make pf compile without INET support by adding #ifdef INETs and correcting few #includes.
Reviewed by: gnn Sponsored by: The FreeBSD Foundation Sponsored by: iXsystems MFC after: 4 days
|
#
212403 |
|
09-Sep-2010 |
bz |
When using pf routing options, properly handle IP fragmentation for interfaces with TSO enabled, otherwise one would see an extra ICMP unreach, frag needed pre matching packet on lo0. This syncs pf code to ip_output.c r162084.
PR: kern/144311 Submitted by: yongari via mlaier Reviewed by: eri Tested by: kib MFC after: 8 days
|
#
200930 |
|
23-Dec-2009 |
delphij |
Adapt OpenBSD pf's "sloopy" TCP state machine which is useful for Direct Server Return mode, where not all packets would be visible to the load balancer or gateway.
This commit should be reverted when we merge future pf versions. The benefit it would provide is that this version does not break any existing public interface and thus won't be a problem if we want to MFC it to earlier FreeBSD releases.
Discussed with: mlaier Obtained from: OpenBSD Sponsored by: iXsystems, Inc. MFC after: 1 month
|
#
196372 |
|
18-Aug-2009 |
mlaier |
If we cannot immediately get the pf_consistency_lock in the purge thread, restart the scan after acquiring the lock the hard way. Otherwise we might end up with a dead reference.
Reported by: pfsense Reviewed by: eri Initial patch by: eri Tested by: pfsense Approved by: re (kib)
|
#
196039 |
|
02-Aug-2009 |
rwatson |
Many network stack subsystems use a single global data structure to hold all pertinent statatistics for the subsystem. These structures are sometimes "borrowed" by kernel modules that require a place to store statistics for similar events.
Add KPI accessor functions for statistics structures referenced by kernel modules so that they no longer encode certain specifics of how the data structures are named and stored. This change is intended to make it easier to move to per-CPU network stats following 8.0-RELEASE.
The following modules are affected by this change:
if_bridge if_cxgb if_gif ip_mroute ipdivert pf
In practice, most of these statistics consumers should, in fact, maintain their own statistics data structures rather than borrowing structures from the base network stack. However, that change is too agressive for this point in the release cycle.
Reviewed by: bz Approved by: re (kib)
|
#
196019 |
|
01-Aug-2009 |
rwatson |
Merge the remainder of kern_vimage.c and vimage.h into vnet.c and vnet.h, we now use jails (rather than vimages) as the abstraction for virtualization management, and what remained was specific to virtual network stacks. Minor cleanups are done in the process, and comments updated to reflect these changes.
Reviewed by: bz Approved by: re (vimage blanket)
|
#
195699 |
|
14-Jul-2009 |
rwatson |
Build on Jeff Roberson's linker-set based dynamic per-CPU allocator (DPCPU), as suggested by Peter Wemm, and implement a new per-virtual network stack memory allocator. Modify vnet to use the allocator instead of monolithic global container structures (vinet, ...). This change solves many binary compatibility problems associated with VIMAGE, and restores ELF symbols for virtualized global variables.
Each virtualized global variable exists as a "reference copy", and also once per virtual network stack. Virtualized global variables are tagged at compile-time, placing the in a special linker set, which is loaded into a contiguous region of kernel memory. Virtualized global variables in the base kernel are linked as normal, but those in modules are copied and relocated to a reserved portion of the kernel's vnet region with the help of a the kernel linker.
Virtualized global variables exist in per-vnet memory set up when the network stack instance is created, and are initialized statically from the reference copy. Run-time access occurs via an accessor macro, which converts from the current vnet and requested symbol to a per-vnet address. When "options VIMAGE" is not compiled into the kernel, normal global ELF symbols will be used instead and indirection is avoided.
This change restores static initialization for network stack global variables, restores support for non-global symbols and types, eliminates the need for many subsystem constructors, eliminates large per-subsystem structures that caused many binary compatibility issues both for monitoring applications (netstat) and kernel modules, removes the per-function INIT_VNET_*() macros throughout the stack, eliminates the need for vnet_symmap ksym(2) munging, and eliminates duplicate definitions of virtualized globals under VIMAGE_GLOBALS.
Bump __FreeBSD_version and update UPDATING.
Portions submitted by: bz Reviewed by: bz, zec Discussed with: gnn, jamie, jeff, jhb, julian, sam Suggested by: peter Approved by: re (kensmith)
|
#
193511 |
|
05-Jun-2009 |
rwatson |
Move "options MAC" from opt_mac.h to opt_global.h, as it's now in GENERIC and used in a large number of files, but also because an increasing number of incorrect uses of MAC calls were sneaking in due to copy-and-paste of MAC-aware code without the associated opt_mac.h include.
Discussed with: pjd
|
#
191148 |
|
16-Apr-2009 |
kmacy |
Change if_output to take a struct route as its fourth argument in order to allow passing a cached struct llentry * down to L2
Reviewed by: rwatson
|
#
190964 |
|
12-Apr-2009 |
rwatson |
Update stats in struct icmpstat and icmp6stat using four new macros: ICMPSTAT_ADD(), ICMPSTAT_INC(), ICMP6STAT_ADD(), and ICMP6STAT_INC(), rather than directly manipulating the fields of these structures across the kernel. This will make it easier to change the implementation of these statistics, such as using per-CPU versions of the data structures.
In on case, icmp6stat members are manipulated indirectly, by icmp6_errcount(), and this will require further work to fix for per-CPU stats.
MFC after: 3 days
|
#
190962 |
|
12-Apr-2009 |
rwatson |
Update stats in struct udpstat using two new macros, UDPSTAT_ADD() and UDPSTAT_INC(), rather than directly manipulating the fields across the kernel. This will make it easier to change the implementation of these statistics, such as using per-CPU versions of the data structures.
MFC after: 3 days
|
#
190951 |
|
11-Apr-2009 |
rwatson |
Update stats in struct ipstat using four new macros, IPSTAT_ADD(), IPSTAT_INC(), IPSTAT_SUB(), and IPSTAT_DEC(), rather than directly manipulating the fields across the kernel. This will make it easier to change the implementation of these statistics, such as using per-CPU versions of the data structures.
MFC after: 3 days
|
#
190948 |
|
11-Apr-2009 |
rwatson |
Update stats in struct tcpstat using two new macros, TCPSTAT_ADD() and TCPSTAT_INC(), rather than directly manipulating the fields across the kernel. This will make it easier to change the implementation of these statistics, such as using per-CPU versions of the data structures.
MFC after: 3 days
|
#
186119 |
|
15-Dec-2008 |
qingli |
This main goals of this project are: 1. separating L2 tables (ARP, NDP) from the L3 routing tables 2. removing as much locking dependencies among these layers as possible to allow for some parallelism in the search operations 3. simplify the logic in the routing code,
The most notable end result is the obsolescent of the route cloning (RTF_CLONING) concept, which translated into code reduction in both IPv4 ARP and IPv6 NDP related modules, and size reduction in struct rtentry{}. The change in design obsoletes the semantics of RTF_CLONING, RTF_WASCLONE and RTF_LLINFO routing flags. The userland applications such as "arp" and "ndp" have been modified to reflect those changes. The output from "netstat -r" shows only the routing entries.
Quite a few developers have contributed to this project in the past: Glebius Smirnoff, Luigi Rizzo, Alessandro Cerri, and Andre Oppermann. And most recently:
- Kip Macy revised the locking code completely, thus completing the last piece of the puzzle, Kip has also been conducting active functional testing - Sam Leffler has helped me improving/refactoring the code, and provided valuable reviews - Julian Elischer setup the perforce tree for me and has helped me maintaining that branch before the svn conversion
|
#
185571 |
|
02-Dec-2008 |
bz |
Rather than using hidden includes (with cicular dependencies), directly include only the header files needed. This reduces the unneeded spamming of various headers into lots of files.
For now, this leaves us with very few modules including vnet.h and thus needing to depend on opt_route.h.
Reviewed by: brooks, gnn, des, zec, imp Sponsored by: The FreeBSD Foundation
|
#
183606 |
|
04-Oct-2008 |
bz |
Cache so_cred as inp_cred in the inpcb. This means that inp_cred is always there, even after the socket has gone away. It also means that it is constant for the lifetime of the inp. Both facts lead to simpler code and possibly less locking.
Suggested by: rwatson Reviewed by: rwatson MFC after: 6 weeks X-MFC Note: use a inp_pspare for inp_cred
|
#
183550 |
|
02-Oct-2008 |
zec |
Step 1.5 of importing the network stack virtualization infrastructure from the vimage project, as per plan established at devsummit 08/08: http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator macros, and CURVNET_SET() context setting macros, all currently resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a family of SYSCTL_V_*() macros, currently resolving to their global counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header files specific to virtualized subsystems (sys/net/vnet.h, sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this point in time by doing MD5 comparision between pre- and post-change object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec Reviewed by: julian, bz, brooks, kris, rwatson, ... Approved by: julian (mentor) Obtained from: //depot/projects/vimage-commit2/... X-MFC after: never Sponsored by: NLnet Foundation, The FreeBSD Foundation
|
#
181803 |
|
17-Aug-2008 |
bz |
Commit step 1 of the vimage project, (network stack) virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course of the next few weeks.
Mark all uses of global variables to be virtualized with a V_ prefix. Use macros to map them back to their global names for now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/... Reviewed by: brooks, des, ed, mav, julian, jamie, kris, rwatson, zec, ... (various people I forgot, different versions) md5 (with a bit of help) Sponsored by: NLnet Foundation, The FreeBSD Foundation X-MFC after: never V_Commit_Message_Reviewed_By: more people than the patch
|
#
181295 |
|
04-Aug-2008 |
mlaier |
Merge state reuse for tcp.
PR: kern/125261 Obtained from: OpenBSD MFC after: 1 week
|
#
178888 |
|
09-May-2008 |
julian |
Add code to allow the system to handle multiple routing tables. This particular implementation is designed to be fully backwards compatible and to be MFC-able to 7.x (and 6.x)
Currently the only protocol that can make use of the multiple tables is IPv4 Similar functionality exists in OpenBSD and Linux.
From my notes:
-----
One thing where FreeBSD has been falling behind, and which by chance I have some time to work on is "policy based routing", which allows different packet streams to be routed by more than just the destination address.
Constraints: ------------
I want to make some form of this available in the 6.x tree (and by extension 7.x) , but FreeBSD in general needs it so I might as well do it in -current and back port the portions I need.
One of the ways that this can be done is to have the ability to instantiate multiple kernel routing tables (which I will now refer to as "Forwarding Information Bases" or "FIBs" for political correctness reasons). Which FIB a particular packet uses to make the next hop decision can be decided by a number of mechanisms. The policies these mechanisms implement are the "Policies" referred to in "Policy based routing".
One of the constraints I have if I try to back port this work to 6.x is that it must be implemented as a EXTENSION to the existing ABIs in 6.x so that third party applications do not need to be recompiled in timespan of the branch.
This first version will not have some of the bells and whistles that will come with later versions. It will, for example, be limited to 16 tables in the first commit. Implementation method, Compatible version. (part 1) ------------------------------- For this reason I have implemented a "sufficient subset" of a multiple routing table solution in Perforce, and back-ported it to 6.x. (also in Perforce though not always caught up with what I have done in -current/P4). The subset allows a number of FIBs to be defined at compile time (8 is sufficient for my purposes in 6.x) and implements the changes needed to allow IPV4 to use them. I have not done the changes for ipv6 simply because I do not need it, and I do not have enough knowledge of ipv6 (e.g. neighbor discovery) needed to do it.
Other protocol families are left untouched and should there be users with proprietary protocol families, they should continue to work and be oblivious to the existence of the extra FIBs.
To understand how this is done, one must know that the current FIB code starts everything off with a single dimensional array of pointers to FIB head structures (One per protocol family), each of which in turn points to the trie of routes available to that family.
The basic change in the ABI compatible version of the change is to extent that array to be a 2 dimensional array, so that instead of protocol family X looking at rt_tables[X] for the table it needs, it looks at rt_tables[Y][X] when for all protocol families except ipv4 Y is always 0. Code that is unaware of the change always just sees the first row of the table, which of course looks just like the one dimensional array that existed before.
The entry points rtrequest(), rtalloc(), rtalloc1(), rtalloc_ign() are all maintained, but refer only to the first row of the array, so that existing callers in proprietary protocols can continue to do the "right thing". Some new entry points are added, for the exclusive use of ipv4 code called in_rtrequest(), in_rtalloc(), in_rtalloc1() and in_rtalloc_ign(), which have an extra argument which refers the code to the correct row.
In addition, there are some new entry points (currently called rtalloc_fib() and friends) that check the Address family being looked up and call either rtalloc() (and friends) if the protocol is not IPv4 forcing the action to row 0 or to the appropriate row if it IS IPv4 (and that info is available). These are for calling from code that is not specific to any particular protocol. The way these are implemented would change in the non ABI preserving code to be added later.
One feature of the first version of the code is that for ipv4, the interface routes show up automatically on all the FIBs, so that no matter what FIB you select you always have the basic direct attached hosts available to you. (rtinit() does this automatically).
You CAN delete an interface route from one FIB should you want to but by default it's there. ARP information is also available in each FIB. It's assumed that the same machine would have the same MAC address, regardless of which FIB you are using to get to it.
This brings us as to how the correct FIB is selected for an outgoing IPV4 packet.
Firstly, all packets have a FIB associated with them. if nothing has been done to change it, it will be FIB 0. The FIB is changed in the following ways.
Packets fall into one of a number of classes.
1/ locally generated packets, coming from a socket/PCB. Such packets select a FIB from a number associated with the socket/PCB. This in turn is inherited from the process, but can be changed by a socket option. The process in turn inherits it on fork. I have written a utility call setfib that acts a bit like nice..
setfib -3 ping target.example.com # will use fib 3 for ping.
It is an obvious extension to make it a property of a jail but I have not done so. It can be achieved by combining the setfib and jail commands.
2/ packets received on an interface for forwarding. By default these packets would use table 0, (or possibly a number settable in a sysctl(not yet)). but prior to routing the firewall can inspect them (see below). (possibly in the future you may be able to associate a FIB with packets received on an interface.. An ifconfig arg, but not yet.)
3/ packets inspected by a packet classifier, which can arbitrarily associate a fib with it on a packet by packet basis. A fib assigned to a packet by a packet classifier (such as ipfw) would over-ride a fib associated by a more default source. (such as cases 1 or 2).
4/ a tcp listen socket associated with a fib will generate accept sockets that are associated with that same fib.
5/ Packets generated in response to some other packet (e.g. reset or icmp packets). These should use the FIB associated with the packet being reponded to.
6/ Packets generated during encapsulation. gif, tun and other tunnel interfaces will encapsulate using the FIB that was in effect withthe proces that set up the tunnel. thus setfib 1 ifconfig gif0 [tunnel instructions] will set the fib for the tunnel to use to be fib 1.
Routing messages would be associated with their process, and thus select one FIB or another. messages from the kernel would be associated with the fib they refer to and would only be received by a routing socket associated with that fib. (not yet implemented)
In addition Netstat has been edited to be able to cope with the fact that the array is now 2 dimensional. (It looks in system memory using libkvm (!)). Old versions of netstat see only the first FIB.
In addition two sysctls are added to give: a) the number of FIBs compiled in (active) b) the default FIB of the calling process.
Early testing experience: -------------------------
Basically our (IronPort's) appliance does this functionality already using ipfw fwd but that method has some drawbacks.
For example, It can't fully simulate a routing table because it can't influence the socket's choice of local address when a connect() is done.
Testing during the generating of these changes has been remarkably smooth so far. Multiple tables have co-existed with no notable side effects, and packets have been routes accordingly.
ipfw has grown 2 new keywords:
setfib N ip from anay to any count ip from any to any fib N
In pf there seems to be a requirement to be able to give symbolic names to the fibs but I do not have that capacity. I am not sure if it is required.
SCTP has interestingly enough built in support for this, called VRFs in Cisco parlance. it will be interesting to see how that handles it when it suddenly actually does something.
Where to next: --------------------
After committing the ABI compatible version and MFCing it, I'd like to proceed in a forward direction in -current. this will result in some roto-tilling in the routing code.
Firstly: the current code's idea of having a separate tree per protocol family, all of the same format, and pointed to by the 1 dimensional array is a bit silly. Especially when one considers that there is code that makes assumptions about every protocol having the same internal structures there. Some protocols don't WANT that sort of structure. (for example the whole idea of a netmask is foreign to appletalk). This needs to be made opaque to the external code.
My suggested first change is to add routing method pointers to the 'domain' structure, along with information pointing the data. instead of having an array of pointers to uniform structures, there would be an array pointing to the 'domain' structures for each protocol address domain (protocol family), and the methods this reached would be called. The methods would have an argument that gives FIB number, but the protocol would be free to ignore it.
When the ABI can be changed it raises the possibilty of the addition of a fib entry into the "struct route". Currently, the structure contains the sockaddr of the desination, and the resulting fib entry. To make this work fully, one could add a fib number so that given an address and a fib, one can find the third element, the fib entry.
Interaction with the ARP layer/ LL layer would need to be revisited as well. Qing Li has been working on this already.
This work was sponsored by Ironport Systems/Cisco
Reviewed by: several including rwatson, bz and mlair (parts each) Obtained from: Ironport systems/Cisco
|
#
178325 |
|
19-Apr-2008 |
rwatson |
Teach pf and ipfw to use read locks in inpcbs write than write locks when reading credential data from sockets.
Teach pf to unlock the pcbinfo more quickly once it has acquired an inpcb lock, as the inpcb lock is sufficient to protect the reference.
Assert locks, rather than read locks or write locks, on inpcbs in subroutines--this is necessary as the inpcb may be passed down with a write lock from the protocol, or may be passed down with a read lock from the firewall lookup routine, and either is sufficient.
MFC after: 3 months
|
#
178285 |
|
17-Apr-2008 |
rwatson |
Convert pcbinfo and inpcb mutexes to rwlocks, and modify macros to explicitly select write locking for all use of the inpcb mutex. Update some pcbinfo lock assertions to assert locked rather than write-locked, although in practice almost all uses of the pcbinfo rwlock main exclusive, and all instances of inpcb lock acquisition are exclusive.
This change should introduce (ideally) little functional change. However, it lays the groundwork for significantly increased parallelism in the TCP/IP code.
MFC after: 3 months Tested by: kris (superset of committered patch)
|
#
173815 |
|
21-Nov-2007 |
mlaier |
Reloop OpenBSD rev. 1.563: In pf_test_fragment(), ignore protocol-specific criteria for packets of different protocols.
Reported by: des Obtained from: OpenBSD MFC after: 3 days
|
#
173102 |
|
28-Oct-2007 |
rwatson |
Continue to move from generic network entry points in the TrustedBSD MAC Framework by moving from mac_mbuf_create_netlayer() to more specific entry points for specific network services:
- mac_netinet_firewall_reply() to be used when replying to in-bound TCP segments in pf and ipfw (etc).
- Rename mac_netinet_icmp_reply() to mac_netinet_icmp_replyinplace() and add mac_netinet_icmp_reply(), reflecting that in some cases we overwrite a label in place, but in others we apply the label to a new mbuf.
Obtained from: TrustedBSD Project
|
#
173018 |
|
26-Oct-2007 |
rwatson |
Rename 'mac_mbuf_create_from_firewall' to 'mac_netinet_firewall_send' as we move towards netinet as a pseudo-object for the MAC Framework.
Rename 'mac_create_mbuf_linklayer' to 'mac_mbuf_create_linklayer' to reflect general object-first ordering preference.
Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
|
#
172930 |
|
24-Oct-2007 |
rwatson |
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms:
mac_<object>_<method/action> mac_<object>_check_<method/action>
The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names.
All MAC policy modules will need to be recompiled, and modules not updates as part of this commit will need to be modified to conform to the new KPI.
Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
|
#
172836 |
|
20-Oct-2007 |
julian |
Rename the kthread_xxx (e.g. kthread_create()) calls to kproc_xxx as they actually make whole processes. Thos makes way for us to add REAL kthread_create() and friends that actually make theads. it turns out that most of these calls actually end up being moved back to the thread version when it's added. but we need to make this cosmetic change first.
I'd LOVE to do this rename in 7.0 so that we can eventually MFC the new kthread_xxx() calls.
|
#
171929 |
|
23-Aug-2007 |
dhartmei |
When checking the sequence number of a TCP header embedded in an ICMP error message, do not access th_flags. The field is beyond the first eight bytes of the header that are required to be present and were pulled up in the mbuf.
A random value of th_flags can have TH_SYN set, which made the sequence number comparison not apply the window scaling factor, which led to legitimate ICMP(v6) packets getting blocked with "BAD ICMP" debug log messages (if enabled with pfctl -xm), thus breaking PMTU discovery.
Triggering the bug requires TCP window scaling to be enabled (sysctl net.inet.tcp.rfc1323, enabled by default) on both end- points of the TCP connection. Large scaling factors increase the probability of triggering the bug.
PR: kern/115413: [ipv6] ipv6 pmtu not working Tested by: Jacek Zapala Reviewed by: mlaier Approved by: re (kensmith)
|
#
171168 |
|
03-Jul-2007 |
mlaier |
Commit resolved import of OpenBSD 4.1 pf from perforce.
Approved by: re (kensmith)
|
#
169843 |
|
21-May-2007 |
dhartmei |
From OpenBSD, rev. 1.524, 1.528, 1.529 Deal with IPv6 routing headers (see FreeBSD-SA-07:03.ipv6 for background) Block IPv6 packets with routing headers by default, unless 'allow-opts' is specified. Block RH0 unconditionally. Deal with ip6_plen 0.
MFC after: 1 week Discussed with: mlaier
|
#
165631 |
|
29-Dec-2006 |
mlaier |
Work around a long standing LOR with user/group rules by doing the socket lookup early. This has some performance implications and should not be enabled by default, but might help greatly in certain setups. After some more testing this could be turned into a sysctl.
Tested by: avatar LOR ids: 17, 24, 32, 46, 191 (conceptual) MFC after: 6 weeks
|
#
163606 |
|
22-Oct-2006 |
rwatson |
Complete break-out of sys/sys/mac.h into sys/security/mac/mac_framework.h begun with a repo-copy of mac.h to mac_framework.h. sys/mac.h now contains the userspace and user<->kernel API and definitions, with all in-kernel interfaces moved to mac_framework.h, which is now included across most of the kernel instead.
This change is the first step in a larger cleanup and sweep of MAC Framework interfaces in the kernel, and will not be MFC'd.
Obtained from: TrustedBSD Project Sponsored by: SPARTA
|
#
162238 |
|
12-Sep-2006 |
csjp |
Introduce a new entry point, mac_create_mbuf_from_firewall. This entry point exists to allow the mandatory access control policy to properly initialize mbufs generated by the firewall. An example where this might happen is keep alive packets, or ICMP error packets in response to other packets.
This takes care of kernel panics associated with un-initialize mbuf labels when the firewall generates packets.
[1] I modified this patch from it's original version, the initial patch introduced a number of entry points which were programmatically equivalent. So I introduced only one. Instead, we should leverage mac_create_mbuf_netlayer() which is used for similar situations, an example being icmp_error()
This will minimize the impact associated with the MFC
Submitted by: mlaier [1] MFC after: 1 week
This is a RELENG_6 candidate
|
#
153725 |
|
25-Dec-2005 |
mlaier |
Only decrement the max-src-conn counter for tcp connections that reached "established" state.
Similar to OpenBSD's rev. 1.499 by joel but not breaking ABI.
Obtained from: OpenBSD (with changes) Reported by: Bruno Afonso MFC after: 3 days X-MFC: together with local_flags
|
#
153545 |
|
19-Dec-2005 |
mlaier |
Move PFSTATE_EXPIRING from sync_flags to a new local_flags. sync_flags has special handling when zero. This caused no PFSYNC_ACT_DEL message and thus disfunction of pfflowd and state synchronisation in general.
Discovered by: thompsa Good catch by: thompsa MFC after: 7 days
|
#
153110 |
|
05-Dec-2005 |
ru |
Fix -Wundef warnings found when compiling i386 LINT, GENERIC and custom kernels.
|
#
149893 |
|
08-Sep-2005 |
mlaier |
Unbreak the build. Committed from the wrong directory.
|
#
149884 |
|
08-Sep-2005 |
mlaier |
Commit imported changes to HEAD: pf_ioctl.c Revision 1.153 Sun Aug 7 11:37:33 2005 UTC by dhartmei | verify ticket in DIOCADDADDR, from Boris Polevoy, ok deraadt@
pf_ioctl.c Revision 1.158 Mon Sep 5 14:51:08 2005 UTC by dhartmei | in DIOCCHANGERULE, properly initialize table, if used in NAT rule. | from Boris Polevoy <vapcom at mail dot ru>, ok mcbride@
pf.c Revision 1.502 Mon Aug 22 11:54:25 2005 UTC by dhartmei | when nat'ing icmp 'connections', replace icmp id with proxy values | (similar to proxy ports for tcp/udp). not all clients use | per-invokation random ids, this allows multiple concurrent | connections from such clients. | thanks for testing to Rod Whitworth, "looks ok" markus@
pf.c Revision 1.501 Mon Aug 22 09:48:05 2005 UTC by dhartmei | fix rdr to bitmask replacement address pool. patch from Max Laier, | reported by Boris Polevoy, tested by Jean Debogue, ok henning@
Obtained from: OpenBSD MFC after: 3 days
|
#
148196 |
|
20-Jul-2005 |
mlaier |
Prevent a race condition. As pf_send_tcp() - called for expired synproxy states - has to drop the lock when calling back to ip_output(), the state purge timeout might run and gc the state. This results in a rb-tree inconsistency. With this change we flag expiring states while holding the lock and back off if the flag is already set.
Reported by: glebius MFC after: 2 weeks
|
#
145886 |
|
04-May-2005 |
mlaier |
if_mtu not ifp_mtu.
|
#
145875 |
|
04-May-2005 |
mlaier |
Bring back fix from rev. 1.28 which was lost during the import.
|
#
145874 |
|
04-May-2005 |
mlaier |
Combine rev. 1.29 and 1.30 to something that will make sense for future imports.
|
#
145873 |
|
04-May-2005 |
mlaier |
Make LINT happy.
|
#
145863 |
|
04-May-2005 |
andre |
Pass icmp_error() the MTU argument directly instead of an interface pointer. This simplifies a couple of uses and removes some XXX workarounds.
|
#
145836 |
|
03-May-2005 |
mlaier |
Resolve conflicts created during the import of pf 3.7 Some features are missing and will be implemented in a second step. This is functional as is.
Tested by: freebsd-pf, pfsense.org Obtained from: OpenBSD X-MFC after: never (breaks API/ABI)
|
#
145398 |
|
22-Apr-2005 |
glebius |
Fix error in synproxy connection completion. Source and destination windows were confused, one instead of other. This error was masked, because first segment of just established connection is usually smaller than initially announced window, and it was successfully passed. First window reannouncement corrected erroneous 'seqhi' value. The error showed up when client connected to synproxy with zero initial window, and reannounced it after session establishment.
In collaboration with: dhartmei [we came to same patch independtly] Reviewed by: mlaier Sponsored by: Rambler MFC after: 3 days
|
#
145030 |
|
13-Apr-2005 |
glebius |
Fix mss byte order, only affects synproxy code path.
Submitted by: John L. Scarfone via OpenBSD Reviewed by: mlaier Obtained from: OpenBSD, rev. 1.483 MFC after: 2 days
|
#
140518 |
|
20-Jan-2005 |
dhartmei |
Use the packet's address family instead of the rule's when selecting a replacement address for an rdr rule. Some rdr rules have no address family (when the replacement is a table and no other criterion implies one AF). In this case, pf would fail to select a replacement address and drop the packet due to translation failure.
Found by: Gustavo A. Baratto
|
#
139045 |
|
19-Dec-2004 |
dhartmei |
Initialise init_addr in pf_map_addr() in the PF_POOL_ROUNDROBIN, prevents a possible endless loop in pf_get_sport() with 'static-port'
ICMP state entries use the ICMP ID as port for the unique state key. When checking for a usable key, construct the key in the same way. Otherwise, a colliding key might be missed or a state insertion might be refused even though it could be inserted. The second case triggers the endless loop, possibly allowing a NATed LAN client to lock up the kernel.
PR: kern/74930 Reported and tested by: Hugo Silva, Srebrenko Sehic MFC after: 3 days
|
#
138387 |
|
05-Dec-2004 |
dhartmei |
IPv6 packets can contain headers (like options) before the TCP/UDP/ICMP6 header. pf finds the first TCP/UDP/ICMP6 header to filter by traversing the header chain. In the case where headers are skipped, the protocol checksum verification used the wrong length (included the skipped headers), leading to incorrectly mismatching checksums. Such IPv6 packets with headers were silently dropped.
Discovered by: Bernhard Schmidt MFC after: 1 week
|
#
138041 |
|
23-Nov-2004 |
dhartmei |
fix a bug that leads to a crash when binat rules of the form 'binat from ... to ... -> (if)' are used, where the interface is dynamic.
Discovered by: kos(at)bastard(dot)net Analyzed by: Pyun YongHyeon Approved by: mlaier (mentor) MFC after: 1 week
|
#
137413 |
|
08-Nov-2004 |
ru |
Removed the remnants of gx(4).
|
#
136925 |
|
24-Oct-2004 |
mlaier |
Fix a panic discovered with some apache2 configure test (that seemed to trigger a socket creation race some some kind). Checking for non-NULL socket and credential is not a bad idea anyway. Unfortunatly too late for the release.
Reported & tested by: Gilbert Cao MFC after: 2 weeks
|
#
135920 |
|
29-Sep-2004 |
mlaier |
Add an additional struct inpcb * argument to pfil(9) in order to enable passing along socket information. This is required to work around a LOR with the socket code which results in an easy reproducible hard lockup with debug.mpsafenet=1. This commit does *not* fix the LOR, but enables us to do so later. The missing piece is to turn the filter locking into a leaf lock and will follow in a seperate (later) commit.
This will hopefully be MT5'ed in order to fix the problem for RELENG_5 in forseeable future.
Suggested by: rwatson A lot of work by: csjp (he'd be even more helpful w/o mentor-reviews ;) Reviewed by: rwatson, csjp Tested by: -pf, -ipfw, LINT, csjp and myself MFC after: 3 days
LOR IDs: 14 - 17 (not fixed yet)
|
#
135078 |
|
11-Sep-2004 |
mlaier |
One more round on the H/W supported checksum code: Fix NICs that can't do the pseudo header. We really need the TCP packet length here. This happens to end up in ip->ip_len in tcp_input.c, but here we should get it from the len function variable instead.
Submitted by: yongari Tested by: Nicolas Linard, yongari (sparc64 + hme) MFC after: 5 days
|
#
133574 |
|
12-Aug-2004 |
mlaier |
Loopback fix from Daniel Hartmeier: pf_cksum_fixup() was called without last argument from normalization, also fixup checksum when random-id modifies ip_id. This would previously lead to incorrect checksums for packets modified by scrub random-id.
(Originally) Submitted by: yongari
|
#
132767 |
|
28-Jul-2004 |
kan |
Initialize s variable early to shut up GCC warnings. Do not declare inline functions without body as this is useless in general and generates a warning with GCC 3.4.x.
Glanced over by: dhartmei
|
#
132566 |
|
23-Jul-2004 |
mlaier |
Refine pf_check_proto_cksum() a bit in order to avoid additional in_pseudo() calls further down the stack. If we find the cksum to be okay we pretend that the hardware did all the work and hence keep the upper layers from checking again.
Submitted by: Pyun YongHyeon
|
#
132350 |
|
18-Jul-2004 |
mlaier |
Fix a stupid attemp to apply host arithmetics to network byte ordered data. This fixes checksum for some drivers with partial H/W ckcsum offloads.
Reported by: Simon 'corecode' Schubert, Devon H. O'Dell, hmp Reviewed by: Pyun YongHyeon
|
#
132321 |
|
17-Jul-2004 |
mlaier |
m_tag_copy takes an additional "how" parameter in FreeBSD.
Submitted by: rwatson
|
#
132303 |
|
17-Jul-2004 |
mlaier |
Merge in a stable fix from OpenBSD: MFC: Fix by dhartmei@
change pf_route() loop detection: introduce a counter (number of times a packet is routed already) in the mbuf tag, allow at most four times. Fixes some legitimate cases broken by the previous change.
Reviewed by: dhartmei
|
#
132280 |
|
17-Jul-2004 |
mlaier |
Define semantic of M_SKIP_FIREWALL more precisely, i.e. also pass associated icmp_error() packets. While here retire PACKET_TAG_PF_GENERATED (which served the same purpose) and use M_SKIP_FIREWALL in pf as well. This should speed up things a bit as we get rid of the tag allocations.
Discussed with: juli
|
#
130639 |
|
17-Jun-2004 |
mlaier |
Import two fixes from the OpenBSD stable branch: - prevent an endless loop with route-to lo0, fixes PR 3736 (dhartmei@) - The rule_number parameter for pf_get_pool() needs to be 32 bits, not 8 - this fixes corruption of the address pools with large rulesets. (mcbride@, pb@)
Reviewed-by: dhartmei
|
#
130613 |
|
16-Jun-2004 |
mlaier |
Commit pf version 3.5 and link additional files to the kernel build.
Version 3.5 brings: - Atomic commits of ruleset changes (reduce the chance of ending up in an inconsistent state). - A 30% reduction in the size of state table entries. - Source-tracking (limit number of clients and states per client). - Sticky-address (the flexibility of round-robin with the benefits of source-hash). - Significant improvements to interface handling. - and many more ...
|
#
130397 |
|
12-Jun-2004 |
mlaier |
Prepare pf for building with ALTQ: - remove old pfaltq module linkage - move pfaltq_running to pf_ioctl.c It is protected by PF_LOCK()
|
#
128846 |
|
02-May-2004 |
dhartmei |
Commit three imported bugfixes from OpenBSD 3.4-stable:
- change pf_get_pool() argument rule_number type from u_int32_t to u_int8_t, fixes corruption of address pools with large rulesets (mcbride@) - prevent endless loops with route-to (dhartmei@) - limit option length to 2 octets max (frantzen@)
Obtained from: OpenBSD Approved by: mlaier(mentor), bms(mentor)
|
#
128129 |
|
11-Apr-2004 |
mlaier |
Commit import of OpenBSD-stable fix:
Fix by dhartmei@ and mcbride@ 1.433 Properly m_copyback() modified TCP sequence number after demodulation 1.432 Fix icmp checksum when sequence number modlation is being used. Also fix a daddr vs saddr cut-n-paste error in ICMP error handling.
Fixes PR 3724
Obtained from: OpenBSD Reviewed by: dhartmei Approved by: rwatson
|
#
127629 |
|
30-Mar-2004 |
mlaier |
Shut up a couple of annoying gcc warnings. Do not enclose the fixes with #ifdefs in order to loop it back to OpenBSD after the next import. There are a some implicit asserts involved which might be better spelled out explicitly (af == AF_INET ...)
Approved by: bms(mentor)
|
#
127531 |
|
28-Mar-2004 |
mlaier |
Commit two fixes from OpenBSD's stable branch: - Fix binat for incoming connections when a netblock (not just a single address) is used for source in the binat rule. closes PR 3535, reported by Karl O.Pinc. ok henning@, cedric@
- Fix a problem related to empty anchor rulesets, which could cause a kernel panic.
Approved by: bms(mentor)
|
#
127145 |
|
17-Mar-2004 |
mlaier |
Style(9) round for the pf kernel parts. Mostly #if defined() -> #ifdef
Also set HOOK_HACK to true (remove the related #ifdef's) as we have the hooks in the kernel this was missed during the merge from the port.
Noticed by: Amir S. (for the HOOK_HACK part) Approved by: bms(mentor)
|
#
126409 |
|
29-Feb-2004 |
mlaier |
Remove __inline keyword from functions that can't be inlined according to LINT. This fixes LINT compliation for now, but needs to be revised. Changes do not affect the objects.
Approved by: bms(mentor)
|
#
126261 |
|
26-Feb-2004 |
mlaier |
Bring diff from the security/pf port. This has code been tested as a port for a long time and is run in production use. This is the code present in portversion 2.03 with some additional tweaks.
The rather extensive diff accounts for: - locking (to enable pf to work with a giant-free netstack) - byte order difference between OpenBSD and FreeBSD for ip_len/ip_off - conversion from pool(9) to zone(9) - api differences etc.
Approved by: bms(mentor) (in general)
|
#
126259 |
|
26-Feb-2004 |
mlaier |
This commit was generated by cvs2svn to compensate for changes in r126258, which included commits to RCS files with non-trunk default branches.
|
#
126258 |
|
26-Feb-2004 |
mlaier |
Vendor import of OpenBSD's packet filter (pf) as of OpenBSD 3.4
Approved by: bms(mentor), core (in general)
|