CVS commit: src/sys/net/npf

2021-01-27 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Jan 27 17:39:13 UTC 2021

Modified Files:
src/sys/net/npf: npf_os.c

Log Message:
Don't silently ignore the errors from npfctl_run_op. We end up returning
packets to userland that are missing required fields (like in rule_add the
id of the rule) and npfctl aborts.


To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.21 src/sys/net/npf/npf_os.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/sys/net/npf

2021-01-25 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Mon Jan 25 17:18:55 UTC 2021

Modified Files:
src/sys/net/npf: npf_conn.c npf_tableset.c

Log Message:
s/npf_config_lock/npf->config_lock/ in the comments


To generate a diff of this commit:
cvs rdiff -u -r1.32 -r1.33 src/sys/net/npf/npf_conn.c
cvs rdiff -u -r1.35 -r1.36 src/sys/net/npf/npf_tableset.c




CVS commit: src/sys/net/npf

2021-01-25 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Mon Jan 25 17:17:19 UTC 2021

Modified Files:
src/sys/net/npf: npf_os.c

Log Message:
Fix locking issue: npf_default_pass needs to be called with the config lock
held.


To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.20 src/sys/net/npf/npf_os.c




CVS commit: src/sys/net/npf

2020-08-27 Thread Taylor R Campbell
Module Name:src
Committed By:   riastradh
Date:   Fri Aug 28 06:35:51 UTC 2020

Modified Files:
src/sys/net/npf: npf_portmap.c

Log Message:
npf: Remove harmless vestiges of debugging hacks.


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/sys/net/npf/npf_portmap.c




CVS commit: src/sys/net/npf

2020-08-27 Thread Taylor R Campbell
Module Name:src
Committed By:   riastradh
Date:   Thu Aug 27 18:49:36 UTC 2020

Modified Files:
src/sys/net/npf: npf_worker.c

Log Message:
npf: Don't stop early after sleeping and before processing instances.

We already check winfo->exit below, after processing instances and
before sleeping again.

Candidate fix for:

panic: kernel diagnostic assertion "LIST_EMPTY(&winfo->instances)" failed: file 
"/home/riastradh/netbsd/current/src/sys/rump/net/lib/libnpf/../../../..//net/npf/npf_worker.c",
 line 300 NPF instances must be discharged before the npfk_sysfini() call


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 src/sys/net/npf/npf_worker.c




CVS commit: src/sys/net/npf

2020-08-18 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Tue Aug 18 07:53:24 UTC 2020

Modified Files:
src/sys/net/npf: npf_os.c

Log Message:
Add missing cases, to prevent memory corruption.

Reported-by: syzbot+f8b8a689a3560dda2...@syzkaller.appspotmail.com


To generate a diff of this commit:
cvs rdiff -u -r1.18 -r1.19 src/sys/net/npf/npf_os.c




CVS commit: src/sys/net/npf

2020-05-30 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sat May 30 20:54:54 UTC 2020

Modified Files:
src/sys/net/npf: npf_worker.c

Log Message:
npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.


To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 src/sys/net/npf/npf_worker.c




CVS commit: src/sys/net/npf

2020-02-11 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Feb 12 01:34:55 UTC 2020

Modified Files:
src/sys/net/npf: npf_ruleset.c

Log Message:
PR/54950: Lloyd Parkes: Avoid NULL deref.


To generate a diff of this commit:
cvs rdiff -u -r1.49 -r1.50 src/sys/net/npf/npf_ruleset.c




CVS commit: src/sys/net/npf

2019-12-14 Thread Taylor R Campbell
Module Name:src
Committed By:   riastradh
Date:   Sat Dec 14 15:21:51 UTC 2019

Modified Files:
src/sys/net/npf: npf_conndb.c

Log Message:
Skip npf_config_sync if nothing to do.

Saves an unnecessary pserialize_perform every second.


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/sys/net/npf/npf_conndb.c




CVS commit: src/sys/net/npf

2019-02-27 Thread matthew green
Module Name:src
Committed By:   mrg
Date:   Wed Feb 27 21:37:24 UTC 2019

Modified Files:
src/sys/net/npf: npf_os.c

Log Message:
work around a GCC 7 vs sparc (32 bit) issue i haven't figured out
the real cause of yet.

mark npf_init() as non-static.  for a yet-unknown reason, when this
function is inlined by the compiler (or a human!) into the single
caller, some CPUs end up in a hung state that can't be interrupted
eventually leading to system hang.  eg:

[   8.9693040] root on hme0
[   8.9862690] nfs_boot: trying DHCP/BOOTP
xcall(cpu2,0xf0240ac8) from 0xf0241170: couldn't ping cpus: cpu1

is the symptom though sometimes nfs_boot is actually able to
complete mountroot before it hangs.

this may be a compiler bug but the symptom and the trigger are
far removed and my so-far reading of the "broken" npf_init
inlining has shown no issues, however, i haven't completed a
full scan of this asm in the past month so i'm committing this
workaround for now.


To generate a diff of this commit:
cvs rdiff -u -r1.10 -r1.11 src/sys/net/npf/npf_os.c




CVS commit: src/sys/net/npf

2018-10-29 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Mon Oct 29 15:37:07 UTC 2018

Modified Files:
src/sys/net/npf: npf_ctl.c npf_state.c

Log Message:
We need to have rump tests work in two modes:

1. npf unit tests. In this case only the npf subsystem is created
   and dictionaries are passed directly.
2. kernel system tests (like the ipsec natt test). In this case, npf is
   instantiated regularly as part of the kernel and dictionaries are
   passed via ioctl.

We differentiate between the two cases by checking the "mbufops" member
which is NULL, regularly and non-NULL in the npf unit tests. Previously
this was done using an ifdef which obviously can't work for both cases.


To generate a diff of this commit:
cvs rdiff -u -r1.51 -r1.52 src/sys/net/npf/npf_ctl.c
cvs rdiff -u -r1.20 -r1.21 src/sys/net/npf/npf_state.c




CVS commit: src/sys/net/npf

2018-10-26 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Fri Oct 26 23:35:06 UTC 2018

Modified Files:
src/sys/net/npf: npf_state.c

Log Message:
enable the sampling function for _NPF_RUMP


To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.20 src/sys/net/npf/npf_state.c




CVS commit: src/sys/net/npf

2018-09-29 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sat Sep 29 18:00:36 UTC 2018

Modified Files:
src/sys/net/npf: npf_sendpkt.c

Log Message:
npf_return_tcp: fix no-INET6 case.


To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.21 src/sys/net/npf/npf_sendpkt.c




CVS commit: src/sys/net/npf

2018-09-12 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Sep 12 21:58:38 UTC 2018

Modified Files:
src/sys/net/npf: npf.c npf_alg.c npf_impl.h

Log Message:
Fix lockdebug diagnostic error of trying to acquire an rw_lock from a
pserialized active context. From riastradh@


To generate a diff of this commit:
cvs rdiff -u -r1.34 -r1.35 src/sys/net/npf/npf.c
cvs rdiff -u -r1.16 -r1.17 src/sys/net/npf/npf_alg.c
cvs rdiff -u -r1.71 -r1.72 src/sys/net/npf/npf_impl.h




CVS commit: src/sys/net/npf

2018-08-31 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Fri Aug 31 14:16:07 UTC 2018

Modified Files:
src/sys/net/npf: npf_ext_normalize.c npf_impl.h npf_inet.c

Log Message:
Introduce npf_set_mss(). When the MSS is not 16bit-aligned, it sets:

    0          8           16          24         32
    +----------+-----------+-----------+----------+
    |   data   | MSS (low) | MSS (hig) |   data   |
    +----------+-----------+-----------+----------+
    ^                      ^
    old[0]                 old[1]

And sets new[0,1] accordingly with the new value. The MSS-clamping code
then adjusts twice the checksum on a 16bit boundary:

from old[0] to new[0]
from old[1] to new[1]

Fixes PR/53479, opened by myself. Tested with wireshark and kASan.


To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 src/sys/net/npf/npf_ext_normalize.c
cvs rdiff -u -r1.70 -r1.71 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.50 -r1.51 src/sys/net/npf/npf_inet.c




CVS commit: src/sys/net/npf

2018-07-10 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Tue Jul 10 16:49:09 UTC 2018

Modified Files:
src/sys/net/npf: npf_handler.c

Log Message:
Modify the logic in npf_reassembly. Don't call nbuf_reset, we don't need
it since we don't read the IPv4 header anymore.

If ip{6}_reass_packet fails, always free 'm', and always clear the nbuf.

We want to avoid the case where

'm' was reallocated
the nbuf pointer was not updated accordingly
the caller tried to use the nbuf pointer

This case doesn't happen right now, but the code is fragile, so strengthen
it.


To generate a diff of this commit:
cvs rdiff -u -r1.43 -r1.44 src/sys/net/npf/npf_handler.c




CVS commit: src/sys/net/npf

2018-07-10 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Tue Jul 10 15:25:01 UTC 2018

Modified Files:
src/sys/net/npf: npf_handler.c

Log Message:
Simplify the pointer handling. Set *mp = NULL at the beginning of the
function. In npf_reassembly, pass a simple boolean instead of a ** mbuf
pointer. Add a KASSERT for IPv4, we don't want (error && !m). Remove
the 'fastout' label, use 'out'.


To generate a diff of this commit:
cvs rdiff -u -r1.41 -r1.42 src/sys/net/npf/npf_handler.c




CVS commit: src/sys/net/npf

2018-07-10 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Tue Jul 10 14:04:07 UTC 2018

Modified Files:
src/sys/net/npf: npf_handler.c

Log Message:
Update the pointer when fast-kicking, because it may have been freed.
Before my changes the nonsensical pointer initialization held, but
when I started introducing sanity checks the whole thing collapsed.

Need pullup-8.


To generate a diff of this commit:
cvs rdiff -u -r1.40 -r1.41 src/sys/net/npf/npf_handler.c




CVS commit: src/sys/net/npf

2018-07-10 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Tue Jul 10 12:31:46 UTC 2018

Modified Files:
src/sys/net/npf: npf_handler.c

Log Message:
Set con = NULL just once, instead of doing it in each branch.


To generate a diff of this commit:
cvs rdiff -u -r1.39 -r1.40 src/sys/net/npf/npf_handler.c




CVS commit: src/sys/net/npf

2018-05-11 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Fri May 11 13:52:49 UTC 2018

Modified Files:
src/sys/net/npf: npf_nat.c

Log Message:
Improve comment, it's not just IPv4.


To generate a diff of this commit:
cvs rdiff -u -r1.42 -r1.43 src/sys/net/npf/npf_nat.c




CVS commit: src/sys/net/npf

2018-04-23 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Mon Apr 23 15:36:30 UTC 2018

Modified Files:
src/sys/net/npf: npf_nat.c

Log Message:
PR/53207: David Binderman: Use logical and


To generate a diff of this commit:
cvs rdiff -u -r1.41 -r1.42 src/sys/net/npf/npf_nat.c




CVS commit: src/sys/net/npf

2018-04-09 Thread matthew green
Module Name:src
Committed By:   mrg
Date:   Tue Apr 10 04:29:57 UTC 2018

Modified Files:
src/sys/net/npf: npf_sendpkt.c

Log Message:
apply some INET6 so this compiles in INET6-less kernels again.


To generate a diff of this commit:
cvs rdiff -u -r1.18 -r1.19 src/sys/net/npf/npf_sendpkt.c




CVS commit: src/sys/net/npf

2018-04-07 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sun Apr  8 05:51:46 UTC 2018

Modified Files:
src/sys/net/npf: npf_inet.c

Log Message:
Fix bug I introduced in previous commit.


To generate a diff of this commit:
cvs rdiff -u -r1.49 -r1.50 src/sys/net/npf/npf_inet.c




CVS commit: src/sys/net/npf

2018-04-07 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat Apr  7 09:20:25 UTC 2018

Modified Files:
src/sys/net/npf: npf_ext_normalize.c

Log Message:
Fix an inverted logic.

nbuf_cksum_barrier returns true when the direction is PFIL_OUT and TSO is
active; that is to say, it returns true when the checksum was already
recomputed by the function.

The check should be !nbuf_cksum_barrier, because otherwise we're wrongfully
checksumming twice, and it causes the packet to be kicked later in
tcp_input.

This can be seen with a configuration of the type:

    procedure "norm" {
            normalize: "max-mss" 15000
    }
    group default {
            pass all apply "norm"
    }

The packets systematically get dropped because the checksum validation in
tcp_input fails. With this patch in place, it works.


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/sys/net/npf/npf_ext_normalize.c




CVS commit: src/sys/net/npf

2018-04-07 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat Apr  7 09:06:27 UTC 2018

Modified Files:
src/sys/net/npf: npf_inet.c

Log Message:
Rewrite npf_fetch_tcpopts:

 * Instead of doing several nbuf_advance/nbuf_ensure_contig and
   playing with gotos, fetch the TCP options only once, and iterate over
   the (safe) area. The code is similar to tcp_dooptions.

 * When handling TCPOPT_MAXSEG and TCPOPT_WINDOW, ensure the length is
   the one we're expecting. If it isn't, then skip the option. This
   wasn't done before, and not doing it allowed a packet to bypass the
   max-mss clamping procedure. Discussed on tech-net@.


To generate a diff of this commit:
cvs rdiff -u -r1.48 -r1.49 src/sys/net/npf/npf_inet.c

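
The two TCP-option commits above (the npf_fetch_tcpopts rewrite that validates option lengths, and the later npf_set_mss change that updates the checksum one 16-bit word at a time when the MSS is not 16-bit aligned) can be seen together in the following added example. It is not NPF's code: it works on a raw TCP segment in a byte buffer, leaves the pseudo-header out of the checksum (constant words that an incremental update never touches), and the segment layout, port numbers and the find_mss_offset/clamp_mss names are this example's own choices.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum { TCPOPT_EOL = 0, TCPOPT_NOP = 1, TCPOPT_MAXSEG = 2, TCPOLEN_MAXSEG = 4 };

/* RFC 1071 one's-complement checksum over n bytes (pseudo-header omitted). */
uint16_t in_cksum(const uint8_t *p, size_t n)
{
	uint32_t sum = 0;
	for (size_t i = 0; i + 1 < n; i += 2)
		sum += ((uint32_t)p[i] << 8) | p[i + 1];
	if (n & 1)
		sum += (uint32_t)p[n - 1] << 8;
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

/* RFC 1624 eq. 3: checksum after one 16-bit word changes from oldw to neww. */
uint16_t cksum_update16(uint16_t cksum, uint16_t oldw, uint16_t neww)
{
	uint32_t sum = (uint16_t)~cksum;
	sum += (uint16_t)~oldw;
	sum += neww;
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }

/* Walk the options once, tcp_dooptions-style; return the byte offset of the
 * MSS value, or 0 if there is none. A MAXSEG option whose length byte is not
 * 4 is skipped by its declared length instead of being used, and a length
 * that would run past the header ends the walk. */
size_t find_mss_offset(const uint8_t *seg, size_t len)
{
	size_t doff = (size_t)(seg[12] >> 4) * 4;        /* header length in bytes */
	if (doff < 20 || doff > len)
		return 0;
	for (size_t i = 20; i < doff; ) {
		uint8_t kind = seg[i];
		if (kind == TCPOPT_EOL)
			break;
		if (kind == TCPOPT_NOP) { i++; continue; }
		if (i + 1 >= doff)                       /* no room for a length byte */
			break;
		uint8_t olen = seg[i + 1];
		if (olen < 2 || i + olen > doff)         /* malformed: stop walking */
			break;
		if (kind == TCPOPT_MAXSEG && olen == TCPOLEN_MAXSEG)
			return i + 2;
		i += olen;
	}
	return 0;
}

/* Clamp the MSS to maxmss. The value may start at an odd offset, so every
 * 16-bit word it overlaps is patched separately and the checksum is updated
 * once per word (old[k] -> new[k]). Returns 1 if the segment was modified. */
int clamp_mss(uint8_t *seg, size_t len, uint16_t maxmss)
{
	size_t off = find_mss_offset(seg, len);
	if (off == 0 || get16(seg + off) <= maxmss)
		return 0;
	size_t w0 = off & ~(size_t)1;                    /* first word touched */
	size_t nwords = (off & 1) ? 2 : 1;               /* straddles a boundary? */
	uint16_t oldw[2], cksum = get16(seg + 16);
	for (size_t k = 0; k < nwords; k++)
		oldw[k] = get16(seg + w0 + 2 * k);
	put16(seg + off, maxmss);
	for (size_t k = 0; k < nwords; k++)
		cksum = cksum_update16(cksum, oldw[k], get16(seg + w0 + 2 * k));
	put16(seg + 16, cksum);
	return 1;
}

/* Constructed SYN: 20-byte header, 8 bytes of options, 4 payload bytes.
 * unaligned=1 puts a NOP first, so the MSS value sits at bytes 23..24. */
#define SEG_LEN 32
size_t build_segment(uint8_t *seg, int unaligned)
{
	static const uint8_t opts_odd[8]  = { 1, 2, 4, 0x05, 0xb4, 1, 1, 1 }; /* NOP, MSS 1460 */
	static const uint8_t opts_even[8] = { 2, 4, 0x05, 0xb4, 1, 1, 1, 0 }; /* MSS 1460, NOPs */
	memset(seg, 0, SEG_LEN);
	put16(seg, 40000); put16(seg + 2, 443);          /* ports */
	seg[12] = 7 << 4; seg[13] = 0x02;                /* data offset 28, SYN */
	memcpy(seg + 20, unaligned ? opts_odd : opts_even, 8);
	memcpy(seg + 28, "data", 4);
	put16(seg + 16, in_cksum(seg, SEG_LEN));         /* checksum field was zero */
	return SEG_LEN;
}

/* Clamp, then verify the incrementally updated checksum against a full
 * recompute (a valid segment sums to zero). Returns the MSS now in the
 * segment, or -1 if the checksum no longer verifies. */
int clamp_and_verify(int unaligned, uint16_t maxmss)
{
	uint8_t seg[SEG_LEN];
	size_t n = build_segment(seg, unaligned);
	clamp_mss(seg, n, maxmss);
	if (in_cksum(seg, n) != 0)
		return -1;
	size_t off = find_mss_offset(seg, n);
	return off ? (int)get16(seg + off) : 0;
}

/* A MAXSEG option with a wrong length byte must not be taken as the MSS. */
int bogus_length_mss_ignored(void)
{
	uint8_t seg[SEG_LEN];
	build_segment(seg, 1);
	seg[22] = 3;                                     /* MAXSEG now claims length 3 */
	return find_mss_offset(seg, SEG_LEN) == 0;
}
```

clamp_and_verify(1, 1000) exercises the straddling case: the words at bytes 22..23 and 24..25 are both rewritten and the checksum is adjusted twice, and the full recompute afterwards still comes out to zero. The length check in find_mss_offset is what closes the bypass the 2018-04-07 commit describes: a MAXSEG option carrying a bogus length byte is stepped over rather than clamped.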



CVS commit: src/sys/net/npf

2018-04-06 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Fri Apr  6 14:50:55 UTC 2018

Modified Files:
src/sys/net/npf: npf_inet.c

Log Message:
If we're trying to read the mss on a packet that for some reason has two
MAXSEG options, we find ourselves patching the second option with the
value of the first one.

Fix that by using a local variable.


To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.48 src/sys/net/npf/npf_inet.c




CVS commit: src/sys/net/npf

2018-03-23 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Fri Mar 23 08:34:57 UTC 2018

Modified Files:
src/sys/net/npf: npf_alg_icmp.c

Log Message:
In addition to checking L4 in the cache, here we also need to check the
protocol. The NPF entry point does not ensure that

ICMPv6 can be set only in IPv6
ICMPv4 can be set only in IPv4

So we could have ICMPv6 in IPv4.


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.30 src/sys/net/npf/npf_alg_icmp.c




CVS commit: src/sys/net/npf

2018-03-23 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Fri Mar 23 08:28:54 UTC 2018

Modified Files:
src/sys/net/npf: npf_inet.c

Log Message:
If we fail to advance inside TCP/UDP/ICMPv4/ICMPv6, stop pretending L4
is unknown, and error out right away.

This prevents bugs in machinery, if a place looks for L4 in 'npc_proto'
without checking the cache too. I've seen a ~similar problem already.


To generate a diff of this commit:
cvs rdiff -u -r1.46 -r1.47 src/sys/net/npf/npf_inet.c




CVS commit: src/sys/net/npf

2018-03-22 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Thu Mar 22 12:16:11 UTC 2018

Modified Files:
src/sys/net/npf: npf_alg_icmp.c

Log Message:
Ah, fix compilation. I tested my previous change by loading the kernel
module from the filesystem, but the Makefile didn't have DIAGNOSTIC
enabled, and the two KASSERTs I added did not compile properly.


To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.29 src/sys/net/npf/npf_alg_icmp.c




CVS commit: src/sys/net/npf

2018-03-22 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Thu Mar 22 09:04:25 UTC 2018

Modified Files:
src/sys/net/npf: npf_inet.c

Log Message:
Retrieve the complete IPv4 header right away, and make sure we did retrieve
the IPv6 option header we were iterating on.


To generate a diff of this commit:
cvs rdiff -u -r1.45 -r1.46 src/sys/net/npf/npf_inet.c




CVS commit: src/sys/net/npf

2018-03-22 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Thu Mar 22 08:57:47 UTC 2018

Modified Files:
src/sys/net/npf: npf_alg_icmp.c npf_inet.c

Log Message:
Change npf_cache_all so that it ensures the potential ICMP Query Id is in
the nbuf. In such a way that we don't need to ensure that later.

Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither
the nbuf nor npc. Adapt their callers accordingly.

In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave
right away, without recaching npc (not needed since we didn't touch the
nbuf).

This fixes the handling of Query Id packets (that I broke in my previous
commit), and also fixes another possible use-after-free.


To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 src/sys/net/npf/npf_alg_icmp.c
cvs rdiff -u -r1.44 -r1.45 src/sys/net/npf/npf_inet.c




CVS commit: src/sys/net/npf

2018-03-22 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Thu Mar 22 07:32:07 UTC 2018

Modified Files:
src/sys/net/npf: npf_alg_icmp.c

Log Message:
Fix use-after-free.

The nbuf can be reallocated as a result of caching 'enpc', so it is
necessary to recache 'npc', otherwise it contains pointers to the freed
mbuf - pointers which are then used in the ruleset machinery.

We recache 'npc' when we are sure we won't use 'enpc' anymore, because
'enpc' can be clobbered as a result of caching 'npc' (in other words,
only one of the two can be cached at the same time).

Also, we recache 'npc' unconditionally, because there is no way to know
whether the nbuf got clobbered relatively to it. We can't use the
NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the
cache.

Discussed with rmind@.


To generate a diff of this commit:
cvs rdiff -u -r1.26 -r1.27 src/sys/net/npf/npf_alg_icmp.c




CVS commit: src/sys/net/npf

2018-03-21 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Wed Mar 21 15:36:28 UTC 2018

Modified Files:
src/sys/net/npf: npf_inet.c

Log Message:
Add XXX (we don't handle IPv6 Jumbograms), and whitespace.


To generate a diff of this commit:
cvs rdiff -u -r1.43 -r1.44 src/sys/net/npf/npf_inet.c




CVS commit: src/sys/net/npf

2018-03-21 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Wed Mar 21 10:08:16 UTC 2018

Modified Files:
src/sys/net/npf: npf_inet.c

Log Message:
Don't read the L4 payload after IPPROTO_AH when handling IPv6 packets.

AH must be considered as the payload, otherwise a

block all
pass in proto ah from any
pass out proto ah from any

configuration will actually block everything, because NPF checks the
protocol against the one found after AH, and not AH itself.

In addition it may have been a problem for stateful connections; an AH
packet sent by an attacker with an incorrect authentication and a correct
TCP/UDP/whatever payload from an active connection could manage to change
NPF's FSM state, which would perhaps have altered the legitimate
connection with the authenticated remote IPsec host.

Note that IPv4 already doesn't go beyond AH, which is the correct
behavior.


To generate a diff of this commit:
cvs rdiff -u -r1.42 -r1.43 src/sys/net/npf/npf_inet.c




CVS commit: src/sys/net/npf

2018-03-17 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat Mar 17 10:42:24 UTC 2018

Modified Files:
src/sys/net/npf: npf_sendpkt.c

Log Message:
Set the scopes before calling icmp6_error(). This fixes a bug similar to
the one I fixed in rev1.17: since the scopes were not set the packet was
never actually sent.

Tested with wireshark, now the ICMPv6 reply is correctly sent, as
expected.


To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.18 src/sys/net/npf/npf_sendpkt.c




CVS commit: src/sys/net/npf

2018-03-17 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sat Mar 17 10:21:09 UTC 2018

Modified Files:
src/sys/net/npf: npf_inet.c

Log Message:
Fix the IPv6 payload computation in npf_tcpsaw. It was incorrect, and this
caused the "return-rst" rules to send back an RST with the wrong ACK when
the received SYN had an IPv6 option.


To generate a diff of this commit:
cvs rdiff -u -r1.41 -r1.42 src/sys/net/npf/npf_inet.c




CVS commit: src/sys/net/npf

2018-03-14 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Wed Mar 14 09:32:04 UTC 2018

Modified Files:
src/sys/net/npf: npf_sendpkt.c

Log Message:
Fix the "return-rst" rule on IPv6 packets.

The scopes needed to be set on the addresses before invoking ip6_output,
because ip6_output needs them. The reason they are not here already is
because pfil_run_hooks (in ip6_input) is called _before_ the kernel
initializes the scopes.

Until now ip6_output was always failing, and the IPv6-TCP-RST packet was
never actually sent.

Perhaps it would be better to have the kernel initialize the scopes
before invoking pfil_run_hooks, but several things will need to be fixed
in several places.

Tested with a simple TCPv6 server. Until now the client would block
waiting for an answer that never came; now it receives an RST right away
and closes the connection, as expected.

I believe that the same problem exists in the "return-icmp" rules, but I
can't investigate this right now (some problems with wireshark).


To generate a diff of this commit:
cvs rdiff -u -r1.16 -r1.17 src/sys/net/npf/npf_sendpkt.c




CVS commit: src/sys/net/npf

2018-03-13 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Tue Mar 13 16:23:40 UTC 2018

Modified Files:
src/sys/net/npf: npf_inet.c

Log Message:
Mmh, put back the RFC6946 check (about dummy fragments), otherwise NPF
is not happy in npf_reassembly, because NPC_IPFRAG is again returned after
the packet was reassembled.

I'm wondering whether it would not be better to just remove the fragment
header in frag6_input directly.


To generate a diff of this commit:
cvs rdiff -u -r1.40 -r1.41 src/sys/net/npf/npf_inet.c




CVS commit: src/sys/net/npf

2018-03-13 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Tue Mar 13 09:04:03 UTC 2018

Modified Files:
src/sys/net/npf: npf_handler.c npf_inet.c

Log Message:
Fix two consecutive mistakes.

The first mistake was npf_inet.c rev1.37:

"Don't reassemble ipv6 fragments, instead treat the first fragment
as a regular packet (subject to filtering rules), and pass
subsequent fragments in the same group unconditionally."

Doing this was entirely wrong, because then a packet just had to push
the L4 payload in a secondary fragment, and NPF wouldn't apply rules on
it - meaning any IPv6 packet could bypass >=L4 filtering. This mistake
was supposed to be a fix for the second mistake.

The second mistake was that ip6_reass_packet (in npf_reassembly) was
getting called with npc->npc_hlen. But npc_hlen pointed to the last
encountered header in the IPv6 chain, which was not necessarily the
fragment header. So ip6_reass_packet was given garbage, and would fail,
resulting in the packet getting kicked. So basically IPv6 was broken by
NPF.

The first mistake is reverted, and the second one is fixed by doing:

-   hlen = sizeof(struct ip6_frag);
+   hlen = 0;

Now the iteration stops on the fragment header, and the call to
ip6_reass_packet is valid.

My npf_inet.c rev1.38 is partially reverted: we don't need to worry
about failing properly to advance; once the packet is reassembled
npf_cache_ip gets called again, and this time the whole chain should be
there.

Tested with a simple UDPv6 server - send a 3000-byte-sized buffer, the
packet gets correctly reassembled by NPF now.


To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.39 src/sys/net/npf/npf_handler.c
cvs rdiff -u -r1.39 -r1.40 src/sys/net/npf/npf_inet.c




CVS commit: src/sys/net/npf

2018-03-12 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Mon Mar 12 12:45:26 UTC 2018

Modified Files:
src/sys/net/npf: npf_alg_icmp.c

Log Message:
Remove dead branches, 'npc' can't be NULL (and it is dereferenced
earlier).


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.26 src/sys/net/npf/npf_alg_icmp.c




CVS commit: src/sys/net/npf

2018-03-07 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Thu Mar  8 07:54:14 UTC 2018

Modified Files:
src/sys/net/npf: npf_inet.c

Log Message:
Switch nptr to uint8_t, and use nbuf_ensure_contig. Makes us use fewer
magic values.


To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.39 src/sys/net/npf/npf_inet.c




CVS commit: src/sys/net/npf

2018-03-07 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Thu Mar  8 07:06:13 UTC 2018

Modified Files:
src/sys/net/npf: npf.h npf_handler.c npf_inet.c

Log Message:
Declare NPC_FMTERR, and use it to kick malformed packets. Several sanity
checks are added in IPv6; after we see the first IPPROTO_FRAGMENT header,
we are allowed to fail to advance, otherwise we kick the packet.

Sent on tech-net@ a few days ago, no response, but I'm committing it now
anyway.


To generate a diff of this commit:
cvs rdiff -u -r1.55 -r1.56 src/sys/net/npf/npf.h
cvs rdiff -u -r1.37 -r1.38 src/sys/net/npf/npf_handler.c \
src/sys/net/npf/npf_inet.c




CVS commit: src/sys/net/npf

2017-12-15 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Fri Dec 15 21:00:26 UTC 2017

Modified Files:
src/sys/net/npf: npf.h

Log Message:
Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
bypass a certain number of filtering rules.

Basically there is an integer overflow in npf_cache_ip: npc_hlen is a
8bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.

As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage, is what NPF applies its rules on.

If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.

The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.

Simple example, a packet with:
packet +   0 = IP6 Header
packet +  40 = IP6 Routing header (ip6r_len = 31)
packet +  48 = Crafted UDP header (uh_dport = )
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = )
Will bypass a rule of the kind "block port ". Here NPF reads the
crafted UDP header, sees , lets the packet in; later the kernel reads
the real UDP header, and delivers it on port .

Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.


To generate a diff of this commit:
cvs rdiff -u -r1.54 -r1.55 src/sys/net/npf/npf.h

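
The npc_hlen overflow above, reproduced in a small model of the IPv6 header walk. This is an added example and not npf_cache_ip itself: the walker below keeps the same shape (a size_t read cursor that lands on the right header while a separate cached header length is accumulated), and the only thing that differs between its two modes is the width of that cached length, uint8_t before the fix and uint32_t after, plus the bounds check the commit message mentions as a remaining concern. The walk also stops at AH rather than parsing past it, as the 2018-03-21 commit on this page describes for IPv6. The packet is constructed to the layout given in the commit message; the port numbers and all function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Protocol numbers, defined locally so the example needs no netinet/ headers. */
enum { IP6_HOPOPTS = 0, IP_UDP = 17, IP6_ROUTING = 43, IP6_FRAGMENT = 44,
       IP6_AH = 51, IP6_DSTOPTS = 60 };
#define IP6_HDRLEN 40

struct walk_result {
	int      ok;        /* 0: packet rejected as malformed */
	uint8_t  proto;     /* protocol found at l4_offset */
	uint32_t l4_offset; /* cached header length that rule matching would use */
};

/* Size of an IPv6 extension header from its type and 'len' byte; 0 means the
 * chain ends here. AH is treated as the payload, so a "proto ah" rule sees it. */
static uint32_t ext_hdr_len(uint8_t proto, uint8_t len_field)
{
	switch (proto) {
	case IP6_HOPOPTS: case IP6_DSTOPTS: case IP6_ROUTING:
		return ((uint32_t)len_field + 1) << 3;
	case IP6_FRAGMENT:
		return 8;
	default:
		return 0;
	}
}

/* One walker, two accumulators: hlen8 models the pre-fix uint8_t npc_hlen,
 * hlen32 the uint32_t after the fix. The read cursor is a size_t either way,
 * so the walk itself ends on the real L4 header; only the cached offset differs.
 * 'fixed' also enables the check that a declared length stays inside the packet. */
static struct walk_result walk_ip6(const uint8_t *pkt, size_t len, int fixed)
{
	struct walk_result r = { 0, 0, 0 };
	size_t   cursor = IP6_HDRLEN;
	uint8_t  hlen8  = IP6_HDRLEN;
	uint32_t hlen32 = IP6_HDRLEN;
	uint8_t  proto;

	if (len < IP6_HDRLEN)
		return r;
	proto = pkt[6];                          /* ip6_nxt */
	for (;;) {
		uint32_t hlen;
		if (cursor + 2 > len)            /* need the nxt and len bytes */
			return r;
		hlen = ext_hdr_len(proto, pkt[cursor + 1]);
		if (hlen == 0)
			break;
		if (fixed && cursor + hlen > len)
			return r;                /* declared length runs past the packet */
		proto   = pkt[cursor];
		cursor += hlen;
		hlen8  += (uint8_t)hlen;         /* silently wraps once the chain passes 255 */
		hlen32 += hlen;
	}
	r.ok = 1;
	r.proto = proto;
	r.l4_offset = fixed ? hlen32 : hlen8;
	return r;
}

/* Constructed packet with the layout from the commit message (ports are this
 * example's choice): +0 IPv6 header (nxt = Routing); +40 Routing header,
 * len 31 = 256 bytes (nxt = Dest opts); +48 crafted UDP header, dport 80;
 * +296 Dest options, len 0 = 8 bytes (nxt = UDP); +304 real UDP, dport 22. */
#define CRAFTED_LEN 312
size_t build_crafted_packet(uint8_t *buf, size_t cap)
{
	if (cap < CRAFTED_LEN)
		return 0;
	memset(buf, 0, CRAFTED_LEN);
	buf[0] = 0x60;                                 /* version 6 */
	buf[4] = (CRAFTED_LEN - IP6_HDRLEN) >> 8;      /* payload length */
	buf[5] = (CRAFTED_LEN - IP6_HDRLEN) & 0xff;
	buf[6] = IP6_ROUTING;
	buf[40] = IP6_DSTOPTS; buf[41] = 31;           /* (31 + 1) * 8 = 256 bytes */
	buf[48 + 3] = 80;                              /* crafted dport (UDP bytes 2..3) */
	buf[296] = IP_UDP;     buf[297] = 0;           /* 8-byte destination options */
	buf[304 + 3] = 22;                             /* real dport */
	return CRAFTED_LEN;
}

static unsigned udp_dport(const uint8_t *pkt, uint32_t off)
{
	return ((unsigned)pkt[off + 2] << 8) | pkt[off + 3];
}

/* Offset a "block port" rule would read the UDP header from, and the port it sees. */
uint32_t crafted_l4_offset(int fixed)
{
	uint8_t pkt[CRAFTED_LEN];
	size_t n = build_crafted_packet(pkt, sizeof pkt);
	struct walk_result r = walk_ip6(pkt, n, fixed);
	return r.ok ? r.l4_offset : 0;
}
unsigned crafted_dport_seen(int fixed)
{
	uint8_t pkt[CRAFTED_LEN];
	size_t n = build_crafted_packet(pkt, sizeof pkt);
	struct walk_result r = walk_ip6(pkt, n, fixed);
	return r.ok ? udp_dport(pkt, r.l4_offset) : 0;
}

/* Same bytes, but only 'len' of them are claimed to exist. */
int truncated_rejected(size_t len, int fixed)
{
	uint8_t pkt[CRAFTED_LEN];
	build_crafted_packet(pkt, sizeof pkt);
	return walk_ip6(pkt, len, fixed).ok == 0;
}

/* IPv6 header followed directly by AH: the walk must stop at AH itself. */
unsigned ah_proto_seen(void)
{
	uint8_t pkt[IP6_HDRLEN + 12] = { 0x60 };
	pkt[6] = IP6_AH; pkt[40] = IP_UDP; pkt[41] = 1; /* 12-byte AH, not walked */
	return walk_ip6(pkt, sizeof pkt, 1).proto;
}
```

With the 8-bit accumulator the cached offset comes out as 304 mod 256 = 48, so the rule engine reads the crafted UDP header (dport 80) while the kernel, parsing the chain properly, delivers to port 22; with the 32-bit accumulator both agree on offset 304. The truncated_rejected check is the separate point raised at the end of the commit message: a routing header that declares 256 bytes in a 100-byte packet is refused before anything is read past the buffer.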



CVS commit: src/sys/net/npf

2017-12-09 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Dec 10 01:18:21 UTC 2017

Modified Files:
src/sys/net/npf: npf_ctl.c npf_impl.h npf_ruleset.c npf_worker.c

Log Message:
- npf_mk_rules: enforce unique names for the dynamic rulesets.
- npf_worker_unregister: merge fix for the standalone NPF.


To generate a diff of this commit:
cvs rdiff -u -r1.49 -r1.50 src/sys/net/npf/npf_ctl.c
cvs rdiff -u -r1.69 -r1.70 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.45 -r1.46 src/sys/net/npf/npf_ruleset.c
cvs rdiff -u -r1.3 -r1.4 src/sys/net/npf/npf_worker.c




CVS commit: src/sys/net/npf

2017-12-09 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Dec 10 00:07:36 UTC 2017

Modified Files:
src/sys/net/npf: npf_alg_icmp.c npf_bpf.c npf_conn.c npf_conn.h
npf_ext_normalize.c

Log Message:
- npf_cop_table: handle non-IP packets in the ether (fixes PR/52290).
- npfa_icmp_nat: do not recompute the checksum if no port translation.
- npf_normalize (MSS clamping): fix the checksum handling on PFIL_OUT.
- npflog: report the packet direction correctly.


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 src/sys/net/npf/npf_alg_icmp.c
cvs rdiff -u -r1.12 -r1.13 src/sys/net/npf/npf_bpf.c \
src/sys/net/npf/npf_conn.h
cvs rdiff -u -r1.23 -r1.24 src/sys/net/npf/npf_conn.c
cvs rdiff -u -r1.5 -r1.6 src/sys/net/npf/npf_ext_normalize.c




CVS commit: src/sys/net/npf

2017-10-29 Thread Ryota Ozaki
Module Name:src
Committed By:   ozaki-r
Date:   Mon Oct 30 03:02:35 UTC 2017

Modified Files:
src/sys/net/npf: npf_ctl.c

Log Message:
Fix npfctl reload on rump kernels

It fails because npfctl cannot get an errno when it calls ioctl to the (rump)
kernel; npfctl (libnpf) expects that an errno is returned via proplib,
however, the rump library of npf doesn't do so. It happens because of
mishandling of complicated npf kernel options.

PR kern/52643


To generate a diff of this commit:
cvs rdiff -u -r1.48 -r1.49 src/sys/net/npf/npf_ctl.c




CVS commit: src/sys/net/npf

2017-07-20 Thread Paul Goyette
Module Name:src
Committed By:   pgoyette
Date:   Thu Jul 20 23:37:56 UTC 2017

Modified Files:
src/sys/net/npf: npf_os.c

Log Message:
The npf module depends on some stuff from the bpf module, so set the
required modules list accordingly.


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/sys/net/npf/npf_os.c




CVS commit: src/sys/net/npf

2017-05-17 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed May 17 18:56:12 UTC 2017

Modified Files:
src/sys/net/npf: npf_ctl.c

Log Message:
Allow npf to be used "normally" from a rump kernel, not just from the
test harness (problem reported by Frank Kardel)


To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.48 src/sys/net/npf/npf_ctl.c




CVS commit: src/sys/net/npf

2017-03-09 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Fri Mar 10 02:21:37 UTC 2017

Modified Files:
src/sys/net/npf: npf_tableset.c

Log Message:
fix MIN/MAX confusion.


To generate a diff of this commit:
cvs rdiff -u -r1.26 -r1.27 src/sys/net/npf/npf_tableset.c




CVS commit: src/sys/net/npf

2017-02-19 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sun Feb 19 20:27:22 UTC 2017

Modified Files:
src/sys/net/npf: npf_handler.c npf_inet.c

Log Message:
Don't reassemble ipv6 fragments, instead treat the first fragment as a regular
packet (subject to filtering rules), and pass subsequent fragments in the
same group unconditionally.


To generate a diff of this commit:
cvs rdiff -u -r1.36 -r1.37 src/sys/net/npf/npf_handler.c \
src/sys/net/npf/npf_inet.c




CVS commit: src/sys/net/npf

2017-02-18 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sun Feb 19 02:11:19 UTC 2017

Modified Files:
src/sys/net/npf: npf_impl.h

Log Message:
forgot to commit this (new prototype)


To generate a diff of this commit:
cvs rdiff -u -r1.68 -r1.69 src/sys/net/npf/npf_impl.h




CVS commit: src/sys/net/npf

2017-02-18 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sat Feb 18 23:27:32 UTC 2017

Modified Files:
src/sys/net/npf: npf_ext_log.c npf_if.c

Log Message:
provide a copy function used for logging that does not lock, but can return
trash.


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 src/sys/net/npf/npf_ext_log.c
cvs rdiff -u -r1.7 -r1.8 src/sys/net/npf/npf_if.c




CVS commit: src/sys/net/npf

2017-02-18 Thread Michael van Elst
Module Name:src
Committed By:   mlelstv
Date:   Sat Feb 18 18:08:16 UTC 2017

Modified Files:
src/sys/net/npf: npf_ext_log.c

Log Message:
npf_ifmap_getname requires the config to be locked. For now, just prevent the
crash.


To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 src/sys/net/npf/npf_ext_log.c




CVS commit: src/sys/net/npf

2017-01-28 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sun Jan 29 00:15:54 UTC 2017

Modified Files:
src/sys/net/npf: if_npflog.c npf.h npf_conn.c npf_conn.h npf_ctl.c
npf_ext_log.c npf_ext_normalize.c npf_ext_rndblock.c npf_handler.c
npf_impl.h npf_rproc.c npf_ruleset.c
Added Files:
src/sys/net/npf: if_npflog.h

Log Message:
- Increase copyin buffer size to 4M
- Change log output format to be like OpenBSD's pf, including in
  the header the matching rule etc., and fill in the matching info.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/sys/net/npf/if_npflog.c \
src/sys/net/npf/npf_ext_normalize.c
cvs rdiff -u -r0 -r1.1 src/sys/net/npf/if_npflog.h
cvs rdiff -u -r1.53 -r1.54 src/sys/net/npf/npf.h
cvs rdiff -u -r1.22 -r1.23 src/sys/net/npf/npf_conn.c
cvs rdiff -u -r1.11 -r1.12 src/sys/net/npf/npf_conn.h
cvs rdiff -u -r1.46 -r1.47 src/sys/net/npf/npf_ctl.c
cvs rdiff -u -r1.10 -r1.11 src/sys/net/npf/npf_ext_log.c
cvs rdiff -u -r1.6 -r1.7 src/sys/net/npf/npf_ext_rndblock.c
cvs rdiff -u -r1.35 -r1.36 src/sys/net/npf/npf_handler.c
cvs rdiff -u -r1.67 -r1.68 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.15 -r1.16 src/sys/net/npf/npf_rproc.c
cvs rdiff -u -r1.44 -r1.45 src/sys/net/npf/npf_ruleset.c




CVS commit: src/sys/net/npf

2017-01-27 Thread Ryo Shimizu
Module Name:src
Committed By:   ryo
Date:   Fri Jan 27 17:25:34 UTC 2017

Modified Files:
src/sys/net/npf: npf_os.c

Log Message:
Don't hold softnet_lock if NET_MPSAFE.

Some functions lock softnet_lock while waiting in pserialize_perform() in 
pfil_add_hook().
(e.g. key_timehandler(), etc)


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/sys/net/npf/npf_os.c




CVS commit: src/sys/net/npf

2017-01-02 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Tue Jan  3 00:58:05 UTC 2017

Modified Files:
src/sys/net/npf: npf_conf.c npf_ifaddr.c npf_impl.h npf_os.c

Log Message:
NPF: fix the interface table initialisation on load.


To generate a diff of this commit:
cvs rdiff -u -r1.10 -r1.11 src/sys/net/npf/npf_conf.c
cvs rdiff -u -r1.1 -r1.2 src/sys/net/npf/npf_ifaddr.c
cvs rdiff -u -r1.66 -r1.67 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.4 -r1.5 src/sys/net/npf/npf_os.c




CVS commit: src/sys/net/npf

2017-01-02 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Mon Jan  2 23:02:04 UTC 2017

Modified Files:
src/sys/net/npf: npf_os.c

Log Message:
make this compile as a module.


To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 src/sys/net/npf/npf_os.c




CVS commit: src/sys/net/npf

2016-12-28 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Dec 28 21:55:04 UTC 2016

Modified Files:
src/sys/net/npf: npf_impl.h npf_rproc.c npf_ruleset.c

Log Message:
export rprocs too so we don't lose them.


To generate a diff of this commit:
cvs rdiff -u -r1.64 -r1.65 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.14 -r1.15 src/sys/net/npf/npf_rproc.c
cvs rdiff -u -r1.43 -r1.44 src/sys/net/npf/npf_ruleset.c




CVS commit: src/sys/net/npf

2016-12-26 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Mon Dec 26 23:59:48 UTC 2016

Modified Files:
src/sys/net/npf: npf_os.c

Log Message:
Convert NPF to the latest pfil(9) changes.


To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.2 src/sys/net/npf/npf_os.c




CVS commit: src/sys/net/npf

2016-12-26 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Mon Dec 26 23:39:18 UTC 2016

Modified Files:
src/sys/net/npf: npf.h

Log Message:
Bump NPF_VERSION to 19.


To generate a diff of this commit:
cvs rdiff -u -r1.52 -r1.53 src/sys/net/npf/npf.h




CVS commit: src/sys/net/npf

2016-12-26 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Mon Dec 26 23:10:46 UTC 2016

Modified Files:
src/sys/net/npf: npf_state_tcp.c

Log Message:
npf_tcp_fsm: fix for the NPF_TCPS_SYN_RECEIVED state.

SYN re-transmission after SYN-ACK was seen by NPF should not terminate
the connection.  Thanks to: Alexander Kiselev 


To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.18 src/sys/net/npf/npf_state_tcp.c




CVS commit: src/sys/net/npf

2016-12-26 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Mon Dec 26 21:16:06 UTC 2016

Modified Files:
src/sys/net/npf: lpm.c

Log Message:
Fix kmem_free() in hashmap_remove().


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 src/sys/net/npf/lpm.c




CVS commit: src/sys/net/npf

2016-12-26 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Mon Dec 26 12:44:10 UTC 2016

Modified Files:
src/sys/net/npf: lpm.c

Log Message:
Fix kmem_free() sizes in hashmap_rehash() and lpm_clear().


To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.2 src/sys/net/npf/lpm.c




CVS commit: src/sys/net/npf

2016-12-10 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sat Dec 10 22:09:50 UTC 2016

Modified Files:
src/sys/net/npf: npf_conn.c

Log Message:
revert dir hack.


To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.21 src/sys/net/npf/npf_conn.c




CVS commit: src/sys/net/npf

2016-12-10 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sat Dec 10 19:05:46 UTC 2016

Modified Files:
src/sys/net/npf: npf.h npf_conn.c npf_conn.h

Log Message:
Welcome to version 18:
- Connection state keys are not stored and loaded using the logical key
  contents.
- connection finder key is stored in a map that contains the key and the
  direction.


To generate a diff of this commit:
cvs rdiff -u -r1.50 -r1.51 src/sys/net/npf/npf.h
cvs rdiff -u -r1.19 -r1.20 src/sys/net/npf/npf_conn.c
cvs rdiff -u -r1.9 -r1.10 src/sys/net/npf/npf_conn.h




CVS commit: src/sys/net/npf

2016-12-10 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sat Dec 10 19:02:18 UTC 2016

Modified Files:
src/sys/net/npf: npf_rproc.c

Log Message:
Add missing extcalls array. This is currently a no-op, but this is what
userland does too. Allows npfctl save; npfctl load to work again.


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 src/sys/net/npf/npf_rproc.c




CVS commit: src/sys/net/npf

2016-12-10 Thread Robert Elz
Module Name:src
Committed By:   kre
Date:   Sat Dec 10 09:26:16 UTC 2016

Modified Files:
src/sys/net/npf: npf_conn.c

Log Message:
Remove what looks like remnant (partly removed already) debug code,
which could not possibly compile as it was.


To generate a diff of this commit:
cvs rdiff -u -r1.18 -r1.19 src/sys/net/npf/npf_conn.c




CVS commit: src/sys/net/npf

2016-12-09 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sat Dec 10 05:41:10 UTC 2016

Modified Files:
src/sys/net/npf: npf.c npf.h npf_conn.c npf_conn.h npf_ctl.c npf_impl.h

Log Message:
add functionality to lookup a nat entry from the connection list.


To generate a diff of this commit:
cvs rdiff -u -r1.31 -r1.32 src/sys/net/npf/npf.c
cvs rdiff -u -r1.49 -r1.50 src/sys/net/npf/npf.h
cvs rdiff -u -r1.17 -r1.18 src/sys/net/npf/npf_conn.c
cvs rdiff -u -r1.8 -r1.9 src/sys/net/npf/npf_conn.h
cvs rdiff -u -r1.43 -r1.44 src/sys/net/npf/npf_ctl.c
cvs rdiff -u -r1.62 -r1.63 src/sys/net/npf/npf_impl.h




CVS commit: src/sys/net/npf

2016-12-08 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Fri Dec  9 02:40:38 UTC 2016

Modified Files:
src/sys/net/npf: files.npf npf_impl.h npf_tableset.c
Added Files:
src/sys/net/npf: lpm.c lpm.h
Removed Files:
src/sys/net/npf: npf_tableset_ptree.c

Log Message:
This patch ditches the ptree(3) library, because it is broken (you
can get missing entries!).  Instead, as a temporary solution, we switch
to a simple linear scan of the hash tables for the longest-prefix-match
(lpm.c lpm.h) algorithm. In fact, with few unique prefixes in the set,
on modern hardware this simple algorithm is pretty fast anyway!


To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.18 src/sys/net/npf/files.npf
cvs rdiff -u -r0 -r1.1 src/sys/net/npf/lpm.c src/sys/net/npf/lpm.h
cvs rdiff -u -r1.61 -r1.62 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.23 -r1.24 src/sys/net/npf/npf_tableset.c
cvs rdiff -u -r1.1 -r0 src/sys/net/npf/npf_tableset_ptree.c




CVS commit: src/sys/net/npf

2016-12-08 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Fri Dec  9 02:26:36 UTC 2016

Modified Files:
src/sys/net/npf: npf.h

Log Message:
make this compile again


To generate a diff of this commit:
cvs rdiff -u -r1.48 -r1.49 src/sys/net/npf/npf.h




CVS commit: src/sys/net/npf

2016-12-08 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Thu Dec  8 23:07:12 UTC 2016

Modified Files:
src/sys/net/npf: npf.h npf_conn.c npf_handler.c npf_mbuf.c

Log Message:
NPF: adjust the 'stateful-ends' mechanism to tag the packets and thus
pass-through them on other interfaces.  Per discussion with christos@.


To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.48 src/sys/net/npf/npf.h
cvs rdiff -u -r1.16 -r1.17 src/sys/net/npf/npf_conn.c \
src/sys/net/npf/npf_mbuf.c
cvs rdiff -u -r1.33 -r1.34 src/sys/net/npf/npf_handler.c




CVS commit: src/sys/net/npf

2016-11-07 Thread John Nemeth
Module Name:src
Committed By:   jnemeth
Date:   Mon Nov  7 18:16:07 UTC 2016

Modified Files:
src/sys/net/npf: npf_inet.c

Log Message:
fixup misplaced #endif


To generate a diff of this commit:
cvs rdiff -u -r1.34 -r1.35 src/sys/net/npf/npf_inet.c




CVS commit: src/sys/net/npf

2016-04-20 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Apr 20 15:46:08 UTC 2016

Modified Files:
src/sys/net/npf: npf_tableset.c

Log Message:
/32 and /128 are valid netmasks.


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 src/sys/net/npf/npf_tableset.c




CVS commit: src/sys/net/npf

2016-03-19 Thread matthew green
Module Name:src
Committed By:   mrg
Date:   Fri Mar 18 10:09:46 UTC 2016

Modified Files:
src/sys/net/npf: npf_inet.c npf_mbuf.c npf_nat.c

Log Message:
minimal changes necessary to link into an INET6-less kernel.


To generate a diff of this commit:
cvs rdiff -u -r1.33 -r1.34 src/sys/net/npf/npf_inet.c
cvs rdiff -u -r1.15 -r1.16 src/sys/net/npf/npf_mbuf.c
cvs rdiff -u -r1.39 -r1.40 src/sys/net/npf/npf_nat.c




CVS commit: src/sys/net/npf

2015-12-17 Thread Michael van Elst
Module Name:src
Committed By:   mlelstv
Date:   Thu Dec 17 12:17:13 UTC 2015

Modified Files:
src/sys/net/npf: npf_inet.c

Log Message:
make DDB print ipv6 addresses too


To generate a diff of this commit:
cvs rdiff -u -r1.32 -r1.33 src/sys/net/npf/npf_inet.c




CVS commit: src/sys/net/npf

2015-12-17 Thread Michael van Elst
Module Name:src
Committed By:   mlelstv
Date:   Thu Dec 17 12:16:21 UTC 2015

Modified Files:
src/sys/net/npf: npf_mbuf.c

Log Message:
handle delayed cksums also for ipv6


To generate a diff of this commit:
cvs rdiff -u -r1.14 -r1.15 src/sys/net/npf/npf_mbuf.c




CVS commit: src/sys/net/npf

2015-10-29 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Thu Oct 29 15:19:43 UTC 2015

Modified Files:
src/sys/net/npf: npf.c

Log Message:
Simplify even further and fix non-modular kernels:
We cannot use the init at attach() trick, because other npf ext modules
will load before the attach function is called on non modular kernels.


To generate a diff of this commit:
cvs rdiff -u -r1.30 -r1.31 src/sys/net/npf/npf.c




CVS commit: src/sys/net/npf

2015-10-27 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Oct 28 01:54:10 UTC 2015

Modified Files:
src/sys/net/npf: npf_ctl.c

Log Message:
remove bogus KASSERT, there are error paths that don't satisfy this.
XXX: should improve error reporting to userland.


To generate a diff of this commit:
cvs rdiff -u -r1.42 -r1.43 src/sys/net/npf/npf_ctl.c




CVS commit: src/sys/net/npf

2015-10-27 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue Oct 27 19:58:09 UTC 2015

Modified Files:
src/sys/net/npf: npf.c

Log Message:
modules don't define MODULAR.


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.30 src/sys/net/npf/npf.c




CVS commit: src/sys/net/npf

2015-10-27 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue Oct 27 19:31:55 UTC 2015

Modified Files:
src/sys/net/npf: npf.c

Log Message:
simplify (and fix) logic.


To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.29 src/sys/net/npf/npf.c




CVS commit: src/sys/net/npf

2015-10-19 Thread Martin Husemann
Module Name:src
Committed By:   martin
Date:   Mon Oct 19 09:28:25 UTC 2015

Modified Files:
src/sys/net/npf: npf.c

Log Message:
Ifdef npf_init() the same way as all its callers are protected.


To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 src/sys/net/npf/npf.c




CVS commit: src/sys/net/npf

2015-10-18 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Mon Oct 19 00:29:57 UTC 2015

Modified Files:
src/sys/net/npf: npf.c

Log Message:
Fix the code so that it works in all 3 cases: non-modular, modular/builtin,
modular/filesystem. In the non-modular case we initialize through attach.
In the modular/builtin case we define the module to be class misc so it
attaches late (after percpu is initialized) since driver modules attach
too early.  In the modular/filesystem case we define it to be a driver
module since we autoload it via /dev/npf open.


To generate a diff of this commit:
cvs rdiff -u -r1.26 -r1.27 src/sys/net/npf/npf.c




CVS commit: src/sys/net/npf

2015-10-18 Thread Jared D. McNeill
Module Name:src
Committed By:   jmcneill
Date:   Sun Oct 18 20:39:53 UTC 2015

Modified Files:
src/sys/net/npf: npf.c

Log Message:
Defer initialization of built-in npf module until other pseudo-devices
are initialized. MODULE_CLASS_DRIVER modules are now initialized before
autoconfiguration starts, but npf_init has a dependency on percpu(9) which
doesn't work until CPUs have attached (at least on ARM).


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.26 src/sys/net/npf/npf.c




CVS commit: src/sys/net/npf

2015-10-18 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Sun Oct 18 18:48:01 UTC 2015

Modified Files:
src/sys/net/npf: npf.c

Log Message:
needs to be driver, otherwise it will not load!


To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 src/sys/net/npf/npf.c




CVS commit: src/sys/net/npf

2015-10-17 Thread Jared D. McNeill
Module Name:src
Committed By:   jmcneill
Date:   Sat Oct 17 13:53:40 UTC 2015

Modified Files:
src/sys/net/npf: npf.c

Log Message:
mark this MODULE_CLASS_MISC as npf_init cannot run when builtin driver modules 
are initialized


To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 src/sys/net/npf/npf.c




CVS commit: src/sys/net/npf

2015-07-12 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Jul 12 23:51:53 UTC 2015

Modified Files:
src/sys/net/npf: npf_if.c npf_mbuf.c

Log Message:
npfkern: eliminate INACTIVE_ID and use 0 for unregistered interfaces.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/sys/net/npf/npf_if.c
cvs rdiff -u -r1.13 -r1.14 src/sys/net/npf/npf_mbuf.c




CVS commit: src/sys/net/npf

2015-03-20 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Fri Mar 20 23:36:28 UTC 2015

Modified Files:
src/sys/net/npf: npf_ctl.c npf_ruleset.c

Log Message:
NPF: replace the TAILQ of the dynamic rules with a linked list and fix the
inheriting of the active dynamic rules during the reload; also, fix a bug
in the insert path by putting a memory barrier in the right place.


To generate a diff of this commit:
cvs rdiff -u -r1.40 -r1.41 src/sys/net/npf/npf_ctl.c
cvs rdiff -u -r1.41 -r1.42 src/sys/net/npf/npf_ruleset.c




CVS commit: src/sys/net/npf

2015-02-05 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Thu Feb  5 22:04:03 UTC 2015

Modified Files:
src/sys/net/npf: npf_conn.c

Log Message:
npf_conn_establish: fix the previous change - drop the reference on error.


To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.16 src/sys/net/npf/npf_conn.c




CVS commit: src/sys/net/npf

2015-02-01 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Feb  1 22:41:22 UTC 2015

Modified Files:
src/sys/net/npf: npf_conn.c

Log Message:
- npf_conn_establish: remove a rare race condition when we might destroy a
  connection when it is still referenced by another thread.
- npf_conn_destroy: remove the backwards entry using the saved key, PR/49488.
- Sprinkle some asserts.


To generate a diff of this commit:
cvs rdiff -u -r1.14 -r1.15 src/sys/net/npf/npf_conn.c




CVS commit: src/sys/net/npf

2014-12-30 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Tue Dec 30 19:11:44 UTC 2014

Modified Files:
src/sys/net/npf: npf_nat.c

Log Message:
Don't forget to destroy the mutex before freeing the nat struct on a failed
load.
XXX: pullup -7


To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.39 src/sys/net/npf/npf_nat.c




CVS commit: src/sys/net/npf

2014-12-20 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sat Dec 20 16:19:43 UTC 2014

Modified Files:
src/sys/net/npf: npf_conn.c npf_conn.h npf_nat.c

Log Message:
NPF: set the connection flags atomically in the post-creation logic and
fix a tiny race condition window.  Might fix PR/49488.


To generate a diff of this commit:
cvs rdiff -u -r1.13 -r1.14 src/sys/net/npf/npf_conn.c
cvs rdiff -u -r1.7 -r1.8 src/sys/net/npf/npf_conn.h
cvs rdiff -u -r1.37 -r1.38 src/sys/net/npf/npf_nat.c




CVS commit: src/sys/net/npf

2014-11-29 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Nov 30 01:37:53 UTC 2014

Modified Files:
src/sys/net/npf: npf_conf.c npf_impl.h npf_nat.c npf_ruleset.c

Log Message:
- npf_config_load: if loading the connections, do not perform any active
  NAT policy take over or portmap sharing - just replace them all.
- npf_config_fini: flush with the empty connection database.
- npf_nat_import: fix the stat counter.


To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 src/sys/net/npf/npf_conf.c
cvs rdiff -u -r1.59 -r1.60 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.36 -r1.37 src/sys/net/npf/npf_nat.c
cvs rdiff -u -r1.39 -r1.40 src/sys/net/npf/npf_ruleset.c




CVS commit: src/sys/net/npf

2014-11-29 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Nov 30 00:40:55 UTC 2014

Modified Files:
src/sys/net/npf: npf_conn.c npf_conn.h npf_nat.c npf_ruleset.c

Log Message:
NPF:
- npf_nat_import: take the port only if using the portmap.
- Sprinkle some comments and asserts.


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 src/sys/net/npf/npf_conn.c
cvs rdiff -u -r1.6 -r1.7 src/sys/net/npf/npf_conn.h
cvs rdiff -u -r1.35 -r1.36 src/sys/net/npf/npf_nat.c
cvs rdiff -u -r1.38 -r1.39 src/sys/net/npf/npf_ruleset.c




CVS commit: src/sys/net/npf

2014-11-26 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Wed Nov 26 21:25:35 UTC 2014

Modified Files:
src/sys/net/npf: npf_nat.c npf_ruleset.c

Log Message:
NPF: fix the reference counting and share the active NAT portmap correctly
when performing the reload.  Should fix PR/49412, reported by kardel@.


To generate a diff of this commit:
cvs rdiff -u -r1.34 -r1.35 src/sys/net/npf/npf_nat.c
cvs rdiff -u -r1.37 -r1.38 src/sys/net/npf/npf_ruleset.c




CVS commit: src/sys/net/npf

2014-08-24 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Aug 24 20:36:30 UTC 2014

Modified Files:
src/sys/net/npf: npf_conn.c npf_ctl.c npf_nat.c

Log Message:
- npf_conn_import: add a missing stat counter increment.
- npf_nat_import: add a missing reference and make a comment.


To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 src/sys/net/npf/npf_conn.c
cvs rdiff -u -r1.39 -r1.40 src/sys/net/npf/npf_ctl.c
cvs rdiff -u -r1.33 -r1.34 src/sys/net/npf/npf_nat.c




CVS commit: src/sys/net/npf

2014-08-10 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Mon Aug 11 01:54:13 UTC 2014

Modified Files:
src/sys/net/npf: npf_conf.c npf_ctl.c npf_impl.h npf_rproc.c
npf_ruleset.c npf_tableset.c

Log Message:
NPF: finish up the rework of npfctl_save() mechanism.


To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 src/sys/net/npf/npf_conf.c
cvs rdiff -u -r1.37 -r1.38 src/sys/net/npf/npf_ctl.c
cvs rdiff -u -r1.57 -r1.58 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.11 -r1.12 src/sys/net/npf/npf_rproc.c
cvs rdiff -u -r1.36 -r1.37 src/sys/net/npf/npf_ruleset.c
cvs rdiff -u -r1.21 -r1.22 src/sys/net/npf/npf_tableset.c




CVS commit: src/sys/net/npf

2014-07-26 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sat Jul 26 16:42:03 UTC 2014

Modified Files:
src/sys/net/npf: npf_conn.c

Log Message:
npf_conn_conkey: fix a comment.


To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 src/sys/net/npf/npf_conn.c




CVS commit: src/sys/net/npf

2014-07-25 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Fri Jul 25 23:21:46 UTC 2014

Modified Files:
src/sys/net/npf: npf_conn.c npf_conn.h

Log Message:
npf_conn_conkey: adjust to return the key length and add a comment
describing the key layout.


To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 src/sys/net/npf/npf_conn.c
cvs rdiff -u -r1.4 -r1.5 src/sys/net/npf/npf_conn.h




CVS commit: src/sys/net/npf

2014-07-25 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Fri Jul 25 23:07:21 UTC 2014

Modified Files:
src/sys/net/npf: npf_conn.c npf_conn.h npf_ctl.c

Log Message:
npf_mk_connlist: destroy the connections on error path.


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/sys/net/npf/npf_conn.c
cvs rdiff -u -r1.3 -r1.4 src/sys/net/npf/npf_conn.h
cvs rdiff -u -r1.35 -r1.36 src/sys/net/npf/npf_ctl.c




CVS commit: src/sys/net/npf

2014-07-25 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Fri Jul 25 20:07:32 UTC 2014

Modified Files:
src/sys/net/npf: npf_state_tcp.c

Log Message:
npf_tcp_inwindow: enable strict RST check by default.


To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.16 src/sys/net/npf/npf_state_tcp.c



