svn commit: r338106 - stable/10/sys/netpfil/pf

2018-08-20 Thread Kristof Provost
Author: kp Date: Mon Aug 20 15:43:08 2018 New Revision: 338106 URL: https://svnweb.freebsd.org/changeset/base/338106 Log: MFC r337969: pf: Limit the maximum number of fragments per packet Similar to the network stack issue fixed in r337782 pf did not limit the number of fragments

svn commit: r335252 - stable/10/sys/netpfil/pf

2018-06-16 Thread Kristof Provost
Author: kp Date: Sat Jun 16 11:42:27 2018 New Revision: 335252 URL: https://svnweb.freebsd.org/changeset/base/335252 Log: MFC r334876: pf: Fix deadlock with route-to If a locally generated packet is routed (with route-to/reply-to/dup-to) out of a different interface it's passed

svn commit: r333187 - stable/10/sbin/pfctl

2018-05-02 Thread Kristof Provost
Author: kp Date: Wed May 2 22:36:10 2018 New Revision: 333187 URL: https://svnweb.freebsd.org/changeset/base/333187 Log: MFC r333084: pfctl: Don't break connections on skipped interfaces on reload On reload we used to first flush everything, including the list of skipped

svn commit: r332497 - stable/10/sys/netpfil/pf

2018-04-13 Thread Kristof Provost
Author: kp Date: Sat Apr 14 00:20:47 2018 New Revision: 332497 URL: https://svnweb.freebsd.org/changeset/base/332497 Log: MFC r332142: pf: Improve ioctl validation Ensure that multiplications for memory allocations cannot overflow, and that we'll not try to allocate M_WAITOK for

svn commit: r332494 - in stable/10/sys: net netpfil/pf

2018-04-13 Thread Kristof Provost
Author: kp Date: Fri Apr 13 22:33:18 2018 New Revision: 332494 URL: https://svnweb.freebsd.org/changeset/base/332494 Log: MFC r332107: pf: Improve ioctl validation for DIOCRGETTABLES, DIOCRGETTSTATS, DIOCRCLRTSTATS and DIOCRSETTFLAGS These ioctls can process a number of items at a

svn commit: r332492 - stable/10/sys/netpfil/pf

2018-04-13 Thread Kristof Provost
Author: kp Date: Fri Apr 13 21:19:06 2018 New Revision: 332492 URL: https://svnweb.freebsd.org/changeset/base/332492 Log: MFC r332136: pf: Improve ioctl validation for DIOCIGETIFACES and DIOCXCOMMIT These ioctls can process a number of items at a time, which puts us at risk of

svn commit: r332487 - stable/10/sys/netpfil/pf

2018-04-13 Thread Kristof Provost
Author: kp Date: Fri Apr 13 19:23:06 2018 New Revision: 332487 URL: https://svnweb.freebsd.org/changeset/base/332487 Log: MFC r332101: pf: Improve ioctl validation for DIOCRADDTABLES and DIOCRDELTABLES The DIOCRADDTABLES and DIOCRDELTABLES ioctls can process a number of tables at a

svn commit: r332330 - stable/10/sys/netpfil/pf

2018-04-09 Thread Kristof Provost
Author: kp Date: Mon Apr 9 15:29:14 2018 New Revision: 332330 URL: https://svnweb.freebsd.org/changeset/base/332330 Log: MFC r331225: pf: Fix memory leak in DIOCRADDTABLES If a user attempts to add two tables with the same name the duplicate table will not be added, but we forgot

svn commit: r331289 - stable/10/etc/rc.d

2018-03-21 Thread Kristof Provost
Author: kp Date: Wed Mar 21 09:57:29 2018 New Revision: 331289 URL: https://svnweb.freebsd.org/changeset/base/331289 Log: MFC 330105: pf: Do not flush on reload pfctl only takes the last '-F' argument into account, so this never did what was intended. Moreover, there is no

svn commit: r331287 - stable/10/etc/rc.d

2018-03-21 Thread Kristof Provost
Author: kp Date: Wed Mar 21 09:55:49 2018 New Revision: 331287 URL: https://svnweb.freebsd.org/changeset/base/331287 Log: MFC r330108: pf: Apply $pf_flags when verifying the pf.conf file When checking the validity of the pf.conf file also include the user supplied pf_flags. These

svn commit: r331117 - in stable/10/sys: net netpfil/pf

2018-03-18 Thread Kristof Provost
Author: kp Date: Sun Mar 18 11:26:07 2018 New Revision: 331117 URL: https://svnweb.freebsd.org/changeset/base/331117 Log: MFC r329950: pf: Cope with overly large net.pf.states_hashsize If the user configures a states_hashsize or source_nodes_hashsize value we may not have enough

svn commit: r328277 - stable/10/sys/netpfil/pf

2018-01-23 Thread Kristof Provost
Author: kp Date: Tue Jan 23 05:03:26 2018 New Revision: 328277 URL: https://svnweb.freebsd.org/changeset/base/328277 Log: MFC r327675 pf: Avoid integer overflow issues by using mallocarray() iso. malloc() pfioctl() handles several ioctls that take variable-length input, these

svn commit: r328276 - in stable/10: share/man/man9 sys/kern sys/sys

2018-01-23 Thread Kristof Provost
Author: kp Date: Tue Jan 23 04:37:31 2018 New Revision: 328276 URL: https://svnweb.freebsd.org/changeset/base/328276 Log: MFC r327674, r327796 Introduce mallocarray() in the kernel Similar to calloc() the mallocarray() function checks for integer overflows before allocating memory.

svn commit: r326414 - stable/10/sbin/pfctl

2017-11-30 Thread Kristof Provost
Author: kp Date: Thu Nov 30 21:32:28 2017 New Revision: 326414 URL: https://svnweb.freebsd.org/changeset/base/326414 Log: MFC r325850: pfctl: teach route-to to deal with interfaces with multiple addresses The route_host parsing code set the interface name, but only for the first

svn commit: r324116 - stable/10/sys/net

2017-09-30 Thread Kristof Provost
Author: kp Date: Sat Sep 30 10:16:15 2017 New Revision: 324116 URL: https://svnweb.freebsd.org/changeset/base/324116 Log: MFC r323864 bridge: Set module version This ensures that the loader will not load the module if it's also built in to the kernel. PR: 220860

svn commit: r317335 - in stable/10/sys: netinet6 netpfil/pf

2017-04-23 Thread Kristof Provost
Author: kp Date: Sun Apr 23 08:59:57 2017 New Revision: 317335 URL: https://svnweb.freebsd.org/changeset/base/317335 Log: MFC r317186 pf: Fix possible incorrect IPv6 fragmentation When forwarding pf tracks the size of the largest fragment in a fragmented packet, and refragments

svn commit: r316641 - stable/10/sys/netpfil/pf

2017-04-08 Thread Kristof Provost
Author: kp Date: Sat Apr 8 09:49:21 2017 New Revision: 316641 URL: https://svnweb.freebsd.org/changeset/base/316641 Log: MFC r316355 pf: Fix leak of pf_state_keys If we hit the state limit we returned from pf_create_state() without cleaning up. PR: 217997 Submitted

svn commit: r316000 - stable/10/sys/netpfil/pf

2017-03-26 Thread Kristof Provost
Author: kp Date: Sun Mar 26 18:12:50 2017 New Revision: 316000 URL: https://svnweb.freebsd.org/changeset/base/316000 Log: MFC 315529 pf: Fix rule evaluation after inet6 route-to In pf_route6() we re-run the ruleset with PF_FWD if the packet goes out of a different interface.

svn commit: r314940 - stable/10/sys/netpfil/pf

2017-03-08 Thread Kristof Provost
Author: kp Date: Thu Mar 9 03:20:20 2017 New Revision: 314940 URL: https://svnweb.freebsd.org/changeset/base/314940 Log: MFC r314810: pf: Fix a crash in low-memory situations If the call to pf_state_key_clone() in pf_get_translation() fails (i.e. there's no more memory for it) it

svn commit: r313066 - stable/10/sys/net

2017-02-01 Thread Kristof Provost
Author: kp Date: Wed Feb 1 21:44:50 2017 New Revision: 313066 URL: https://svnweb.freebsd.org/changeset/base/313066 Log: MFC 312782 bridge: Release the bridge lock when calling bridge_set_ifcap() This calls ioctl() handlers for the different interfaces in the bridge. These handlers

svn commit: r310094 - stable/10/sys/netpfil/pf

2016-12-14 Thread Kristof Provost
Author: kp Date: Wed Dec 14 21:30:35 2016 New Revision: 310094 URL: https://svnweb.freebsd.org/changeset/base/310094 Log: MFC r309563: pflog: Correctly initialise subrulenr subrulenr is considered unset if it's set to -1, not if it's set to 1. See contrib/tcpdump/print-pflog.c

svn commit: r306594 - stable/10/sys/net

2016-10-02 Thread Kristof Provost
Author: kp Date: Sun Oct 2 21:11:25 2016 New Revision: 306594 URL: https://svnweb.freebsd.org/changeset/base/306594 Log: MFC r306289: bridge: Fix fragment handling and memory leak Fragmented UDP and ICMP packets were corrupted if a firewall with reassembling feature (like pf's scrub)

svn commit: r304463 - stable/10/sys/netpfil/pf

2016-08-19 Thread Kristof Provost
Author: kp Date: Fri Aug 19 11:36:00 2016 New Revision: 304463 URL: https://svnweb.freebsd.org/changeset/base/304463 Log: MFC r304152: pf: Add missing byte-order swap to pf_match_addr_range Without this, rules using address ranges (e.g. "10.1.1.1 - 10.1.1.5") did not match addresses

svn commit: r304293 - stable/10/sys/net

2016-08-17 Thread Kristof Provost
Author: kp Date: Wed Aug 17 15:14:21 2016 New Revision: 304293 URL: https://svnweb.freebsd.org/changeset/base/304293 Log: MFC r289932, r289940: PF_ANEQ() macro will in most situations returns TRUE comparing two identical IPv4 packets (when it should return FALSE). It happens because

svn commit: r304281 - stable/10/sbin/pfctl

2016-08-17 Thread Kristof Provost
Author: kp Date: Wed Aug 17 09:21:55 2016 New Revision: 304281 URL: https://svnweb.freebsd.org/changeset/base/304281 Log: MFC r303663: pfctl: Allow TOS bits to be cleared TOS value 0 is valid, so use 256 as an invalid value rather than zero. This allows users to enforce TOS == 0

svn commit: r303850 - stable/10/sys/netpfil/pf

2016-08-08 Thread Kristof Provost
Author: kp Date: Mon Aug 8 19:44:13 2016 New Revision: 303850 URL: https://svnweb.freebsd.org/changeset/base/303850 Log: MFC r290521: pf: Fix broken rule skip calculation r289932 accidentally broke the rule skip calculation. The address family argument to PF_ANEQ() is now

svn commit: r300979 - stable/10/sys/netpfil/pf

2016-05-29 Thread Kristof Provost
Author: kp Date: Mon May 30 01:21:44 2016 New Revision: 300979 URL: https://svnweb.freebsd.org/changeset/base/300979 Log: MFC 300501, 300508 pf: Fix ICMP translation Fix ICMP source address rewriting in rdr scenarios. pf: Fix more ICMP mistranslation In the default case fix

svn commit: r298799 - stable/10/sys/fs/msdosfs

2016-04-29 Thread Kristof Provost
Author: kp Date: Fri Apr 29 20:19:41 2016 New Revision: 298799 URL: https://svnweb.freebsd.org/changeset/base/298799 Log: MFC r298664 msdosfs: Prevent buffer overflow when expanding win95 names In win2unixfn() we expand Windows 95 style long names. In some cases that requires moving

svn commit: r297429 - stable/10/sys/netpfil/pf

2016-03-30 Thread Kristof Provost
Author: kp Date: Wed Mar 30 18:45:18 2016 New Revision: 297429 URL: https://svnweb.freebsd.org/changeset/base/297429 Log: MFC 296932: pf: Improve forwarding detection When we guess the nature of the outbound packet (output vs. forwarding) we need to take bridges into account. When

svn commit: r296425 - stable/10/sbin/ifconfig

2016-03-06 Thread Kristof Provost
Author: kp Date: Sun Mar 6 08:52:03 2016 New Revision: 296425 URL: https://svnweb.freebsd.org/changeset/base/296425 Log: MFC r295836: ifconfig(8): can't use 'name' or 'description' when creating interface with auto numbering If one does 'ifconfig tap create name blah', it will return

svn commit: r296340 - stable/10/sys/netpfil/pf

2016-03-02 Thread Kristof Provost
Author: kp Date: Thu Mar 3 07:16:35 2016 New Revision: 296340 URL: https://svnweb.freebsd.org/changeset/base/296340 Log: MFC: r296025: pf: Fix possible out-of-bounds write In the DIOCRSETADDRS ioctl() handler we allocate a table for struct pfr_addrs, which is processed in

svn commit: r292566 - stable/10/sys/netinet6

2015-12-21 Thread Kristof Provost
Author: kp Date: Mon Dec 21 20:29:55 2015 New Revision: 292566 URL: https://svnweb.freebsd.org/changeset/base/292566 Log: MFC r292219: inet6: Do not assume every interface has ip6 enabled. Certain interfaces (e.g. pfsync0) do not have ip6 addresses (in other words,

svn commit: r292288 - stable/10/sbin/pfctl

2015-12-15 Thread Kristof Provost
Author: kp Date: Tue Dec 15 21:02:53 2015 New Revision: 292288 URL: https://svnweb.freebsd.org/changeset/base/292288 Log: MFC r290236 pfctl: Fix uninitialised variable In pfctl_set_debug() we used 'level' without ever initialising it. We correctly parsed the option, but then failed

svn commit: r290669 - stable/10/sys/netpfil/pf

2015-11-11 Thread Kristof Provost
Author: kp Date: Wed Nov 11 12:36:42 2015 New Revision: 290669 URL: https://svnweb.freebsd.org/changeset/base/290669 Log: MFC r290161: pf: Fix IPv6 checksums with route-to. When using route-to (or reply-to) pf sends the packet directly to the output interface. If that interface

svn commit: r289703 - in stable/10/sys: net netpfil/pf

2015-10-21 Thread Kristof Provost
Author: kp Date: Wed Oct 21 15:32:21 2015 New Revision: 289703 URL: https://svnweb.freebsd.org/changeset/base/289703 Log: MFC r289316: pf: Fix TSO issues In certain configurations (mostly but not exclusively as a VM on Xen) pf produced packets with an invalid TCP checksum. The

svn commit: r287680 - stable/10/sys/netpfil/pf

2015-09-11 Thread Kristof Provost
Author: kp Date: Fri Sep 11 17:19:24 2015 New Revision: 287680 URL: https://svnweb.freebsd.org/changeset/base/287680 Log: MFC r287376 pf: Fix misdetection of forwarding when net.link.bridge.pfil_bridge is set If net.link.bridge.pfil_bridge is set we can end up thinking we're

svn commit: r284568 - stable/10/sys/netinet6

2015-06-18 Thread Kristof Provost
Author: kp Date: Thu Jun 18 20:21:02 2015 New Revision: 284568 URL: https://svnweb.freebsd.org/changeset/base/284568 Log: Merge r278828, r278832 - Factor out ip6_deletefraghdr() function, to be shared between IPv6 stack and pf(4). - Move ip6_deletefraghdr() to frag6.c. (Suggested by

svn commit: r284576 - stable/10/sys/netinet6

2015-06-18 Thread Kristof Provost
Author: kp Date: Thu Jun 18 20:57:21 2015 New Revision: 284576 URL: https://svnweb.freebsd.org/changeset/base/284576 Log: Merge r281234 Evaluate packet size after the firewall had its chance Defer the packet size check until after the firewall has had a look at it. This means that

svn commit: r284579 - in stable/10/sys: net netpfil/pf

2015-06-18 Thread Kristof Provost
Author: kp Date: Thu Jun 18 21:21:52 2015 New Revision: 284579 URL: https://svnweb.freebsd.org/changeset/base/284579 Log: Merge r278874, r278925, r278868 - Improve INET/INET6 scope. - style(9) declarations. - Make couple of local functions static. - Even more fixes to !INET and

svn commit: r284575 - stable/10/sys/netinet6

2015-06-18 Thread Kristof Provost
Author: kp Date: Thu Jun 18 20:45:37 2015 New Revision: 284575 URL: https://svnweb.freebsd.org/changeset/base/284575 Log: Merge r281165 Remove duplicate code We'll just fall into the same local delivery block under the 'if (m->m_flags & M_FASTFWD_OURS)'. Suggested by: ae

svn commit: r284580 - stable/10/sys/netpfil/pf

2015-06-18 Thread Kristof Provost
Author: kp Date: Thu Jun 18 21:23:41 2015 New Revision: 284580 URL: https://svnweb.freebsd.org/changeset/base/284580 Log: Merge r284222, r284260 pf: address family must be set when creating a pf_fragment Fix a panic when handling fragmented ip4 packets with 'drop-ovl' set. In that

svn commit: r284570 - stable/10/sys/netinet6

2015-06-18 Thread Kristof Provost
Author: kp Date: Thu Jun 18 20:32:53 2015 New Revision: 284570 URL: https://svnweb.freebsd.org/changeset/base/284570 Log: Merge r278842 Factor out ip6_fragment() function, to be used in IPv6 stack and pf(4). Differential Revision: https://reviews.freebsd.org/D2815 Reviewed

svn commit: r284572 - in stable/10/sys: netinet6 netpfil/pf

2015-06-18 Thread Kristof Provost
Author: kp Date: Thu Jun 18 20:40:36 2015 New Revision: 284572 URL: https://svnweb.freebsd.org/changeset/base/284572 Log: Merge r280955 Preserve IPv6 fragment IDs accross reassembly and refragmentation When forwarding fragmented IPv6 packets and filtering with PF we reassemble and

svn commit: r284574 - stable/10/sys/netpfil/pf

2015-06-18 Thread Kristof Provost
Author: kp Date: Thu Jun 18 20:43:16 2015 New Revision: 284574 URL: https://svnweb.freebsd.org/changeset/base/284574 Log: Merge r281164 pf: Skip firewall for refragmented ip6 packets In cases where we scrub (fragment reassemble) on both input and output we risk ending up in infinite

svn commit: r284577 - stable/10/sys/netpfil/pf

2015-06-18 Thread Kristof Provost
Author: kp Date: Thu Jun 18 20:59:48 2015 New Revision: 284577 URL: https://svnweb.freebsd.org/changeset/base/284577 Log: Merge r281536 pf: Fix forwarding detection If the direction is not PF_OUT we can never be forwarding. Some input packets have rcvif != ifp (looped back packets),

svn commit: r284581 - stable/10/sys/netpfil/pf

2015-06-18 Thread Kristof Provost
Author: kp Date: Thu Jun 18 21:25:07 2015 New Revision: 284581 URL: https://svnweb.freebsd.org/changeset/base/284581 Log: Merge r284280 pf: Remove frc_direction We don't use the direction of the fragments for anything. The frc_direction field is assigned, but never read. Just