History log of /dragonfly/sys/net/pf/if_pfsync.h (Results 1 – 10 of 10)
Revision tags: v6.2.1, v6.2.0, v6.3.0, v6.0.1, v6.0.0, v6.0.0rc1, v6.1.0, v5.8.3, v5.8.2, v5.8.1, v5.8.0, v5.9.0, v5.8.0rc1, v5.6.3, v5.6.2, v5.6.1, v5.6.0, v5.6.0rc1, v5.7.0, v5.4.3, v5.4.2, v5.4.1, v5.4.0, v5.5.0, v5.4.0rc1, v5.2.2, v5.2.1, v5.2.0, v5.3.0, v5.2.0rc, v5.0.2, v5.0.1, v5.0.0, v5.0.0rc2, v5.1.0, v5.0.0rc1, v4.8.1, v4.8.0, v4.6.2, v4.9.0, v4.8.0rc, v4.6.1, v4.6.0, v4.6.0rc2, v4.6.0rc, v4.7.0, v4.4.3, v4.4.2, v4.4.1, v4.4.0, v4.5.0, v4.4.0rc, v4.2.4, v4.3.1, v4.2.3, v4.2.1, v4.2.0, v4.0.6, v4.3.0, v4.2.0rc, v4.0.5, v4.0.4, v4.0.3, v4.0.2, v4.0.1, v4.0.0, v4.0.0rc3, v4.0.0rc2, v4.0.0rc, v4.1.0, v3.8.2
# 32772c96 29-Jun-2014 Matthew Dillon <dillon@apollo.backplane.com>

kernel - Fix pf-based NAT

* NAT may not always be able to select a translated addr/port that is
compatible with the source addr/port. In this situation return packets
from the translated target won't be able to find the state structure.

This occurs if static-port is used or if the port range is insufficient
for PF to be able to find a hash-compatible addr/port.

This also occurs for UDP because the toeplitz hash does not appear to
include a port (so there's nothing PF NAT can do to make it
hash-compatible).

* In situations where PF believes a translation is not hash-compatible,
the pf_state_key will be placed on a global RBTREE instead of the
cpu-localized RBTREE. This tree is checked and modified with a separate
lock (shared when doing lookups, exclusive when doing adjustments).

The nominal pf_find_state*() code will now check the global RBTREE if the
state cannot be found in the localized tree.

* Modifications to the pf_state structure are now exclusively locked to
handle the case where a state structure might be used by multiple cpu's
at the same time. This can only occur for translations such as NAT.

* The TCP code is not allowed to destroy state on connection reuse unless
the state is cpu-local. If it is not cpu-local the TCP code will mark
the state for an immediate purge (within the next second).

* Add a TSO flag check to pf_route(), which is called via NAT. Locally
originated packets may have been built with TSO. For PF NAT, we can
only assume that the target interface will be compatible and allow the
packet through (not try to fragment it, which won't work well anyway for
TCP packets).


# 3a0038bf 27-Jun-2014 Matthew Dillon <dillon@apollo.backplane.com>

pf - make the bulk of PF concurrent under normal operation

* state and ip fragment tables are now per-cpu.

* packet paths acquire pf_token shared instead of exclusive. Packet
processing runs concurrently.

* Any dynamic rules updates will run synchronously for now.

* State expiration from the pfpurge thread runs synchronously for now.
More work can be done here.

* ioctl (and also pfsync) paths acquire pf_token exclusively. That is,
primarily pfctl commands. This includes rules updates and state scans.
More work can be done here.


Revision tags: v3.8.1, v3.6.3, v3.8.0, v3.8.0rc2, v3.9.0, v3.8.0rc, v3.6.2, v3.6.1, v3.6.0, v3.7.1, v3.6.0rc, v3.7.0, v3.4.3, v3.4.2, v3.4.0, v3.4.1, v3.4.0rc, v3.5.0, v3.2.2, v3.2.1, v3.2.0, v3.3.0, v3.0.3, v3.0.2, v3.0.1, v3.1.0, v3.0.0
# 86d7f5d3 26-Nov-2011 John Marino <draco@marino.st>

Initial import of binutils 2.22 on the new vendor branch

Future versions of binutils will also reside on this branch rather
than continuing to create new binutils branches for each new version.


Revision tags: v2.12.0, v2.13.0, v2.10.1, v2.11.0, v2.10.0, v2.9.1, v2.8.2, v2.8.1, v2.8.0, v2.9.0, v2.6.3, v2.7.3, v2.6.2, v2.7.2, v2.7.1, v2.6.1, v2.7.0, v2.6.0, v2.5.1, v2.4.1, v2.5.0, v2.4.0, v2.3.2, v2.3.1, v2.2.1
# 99dd49c5 15-Apr-2009 Sascha Wildner <saw@online.de>

Fix the way <sys/ioccom.h> is included throughout our tree.

The original intention was to include it only in header files which
define ioctl codes and not in .c or .h files which include headers
that define ioctl codes.

Adjust the tree to follow this idea.

Pointed-out-by: Guy Harris <guy@alum.mit.edu>
Dragonfly-bug: <http://bugs.dragonflybsd.org/issue1334>


Revision tags: v2.2.0, v2.3.0, v2.1.1, v2.0.1
# f46342b6 20-Sep-2004 Matthew Dillon <dillon@dragonflybsd.org>

if_pfsync.h needs pfvar.h for struct pf_addr. The ioctl header collection
code for kdump collects the two header files in the wrong order. The easiest
solution for now is to hack if_pfsync.h to include pfvar.h.


# 02742ec6 19-Sep-2004 Joerg Sonnenberger <joerg@dragonflybsd.org>

Kernel part of PF

Ported-by:
- Max Layer (original patch set, FreeBSD PF maintainer)
- Devon O'Dell, Simon 'corecode' Schubert (integration and DragonFly specific
changes)

In contrast to FreeBSD and OpenBSD, use direct flags in pkthdr instead of
m_tags. This reduces allocation and processing overhead.

Keep the IP header in Host Byte Order like the rest of the tree assumes.

Module support has a memory leak for vm_zones when unloading pf.ko.


# ed1f0be2 11-Oct-2010 Jan Lentfer <Jan.Lentfer@web.de>

pf: Update packetfilter to OpenBSD 4.4

* As correct pf function depends directly on pfsync now
compile if_pfsyn.c into pf.ko. pflog is already part
of pf.ko.

* Activate pfsync function by default. It's not a kernel
option anymore, but pfsync is very unlikely to work.
Anyway our ifconfig is missing all pfsync related options.
I will try to make pfsync working again after upgrading to
pf from OpenBSD 4.5 as pfsync changes completely then
and is not compatible anymore with prior versions.

* Also make the module unloading sane in if_pflog.c

Thanks to Alex Hornung and Aggelos Economopoulos for debugging.


# 315a7da3 27-Aug-2010 Jan Lentfer <Jan.Lentfer@web.de>

pf: Update to OpenBSD 4.2

All sorts of information is now stored directly in
the mbuf header instead of a separate mbuf tag. This
brings in a 100% performance increase in comparison
to OpenBSD 4.1. For DragonFly this basically means
this is the same performance as in 2.6, but we are
equal again with OpenBSD's pf data structures.

Necessary additions:

sys/net: add more interface groups related functions

if_creategroup()
if_addgroup()
if_delgroup()
if_getgroup()
if_getgroupmembers()

Imported from OpenBSD

carp: add carp_group_demote_adj()

altq: re-add check of packet tagging

fairq & red support, UDP nat'ing, reassembly fixed by Matthew Dillon


# c3c8c553 09-Aug-2010 Jan Lentfer <Jan.Lentfer@web.de>

pf: Fix if_pfsync to compile

if_pfsync has to be enabled in the
kernel config file.
It passed the last update unattended.
This patch lets it compile, but function
is untested, also tdb functionality
has been removed.


# 70224baa 08-Aug-2010 Jan Lentfer <Jan.Lentfer@web.de>

pf: Update packet filter to the version that comes with OpenBSD 4.1

The original OpenBSD 4.1 defaults to "keep state flags S/SA" for
all pass rules. In contrast to that we default to "no state". As
in earlier versions of pf in DragonFly the default keep-state
policy can still be set with the keep-policy option (e.g. "set
keep-policy keep state (pickups)").

DragonFly additions to pf have been kept: fairq support,
pickups.

Detailed Info on changes/additions:
* ALTQ: Fix altq to work with pf_mtag
Patch by Matthew Dillon
* libkern: Revert commit e104539
strchr was added to libkern.h together with strrch
* net/if.h: add interface groups
Imported from FreeBSD.
* netinet6/in6.h: add macros
IN6_IS_ADDR_MC_INTFACELOCAL
IN6_IS_SCOPE_EMBED
PV6_ADDR_SCOPE_INTFACELOCAL
* sys/libkern.h: Add strchr and strrchr as inline functions
Brought in from FreeBSD
* sys/net/if_var.h: Import interface groups
Import interface groups and event handlers from FreeBSD
* sys/net/if_var.h: add if_pf_kif, if_groups to struct ifnet
obtained from: Open/FreeBSD
* net/if_types.h: add IFT_ENC to non-IATA-assignments
obtained from Open/FreeBSD
* net/bpf.c: add bpf_mtap_hdr from OpenBSD
Con up a minimal dummy header to pacify bpf. Allocate
(only) a struct m_hdr on the stack.
