#
6aa338e1 |
| 01-May-2022 |
Aaron LI <aly@aaronly.me> |
pf: Make ":0" (noalias) also ignore link-local IPv6 addresses
When users mark an interface to not use aliases they likely also don't want to use the link-local IPv6 address there.
For example, with
pf: Make ":0" (noalias) also ignore link-local IPv6 addresses
When users mark an interface to not use aliases they likely also don't want to use the link-local IPv6 address there.
For example, with the following rule to NAT IPv6:
nat on $ext_if inet6 from $int_if:network to !$int_if:network -> ($ext_if:0)
PF was selecting the link-local address (which comes the first) for the NAT'ed IPv6 address, which was wrong and broke the NAT setup.
This commit makes PF to ignore the link-local IPv6 addresses so that the above NAT setup would work.
Obtained-from: FreeBSD (revision 339835, review D17633) See also: https://lists.freebsd.org/pipermail/freebsd-pf/2014-September/007441.html
show more ...
|
#
1f464430 |
| 01-May-2022 |
Aaron LI <aly@aaronly.me> |
pf: Fix 'set skip on' for interface groups
Previously if an interface type (without number), e.g. "set skip on vlan" or "set skip on em" was used, it would have the *undocumented* behavior of matchi
pf: Fix 'set skip on' for interface groups
Previously if an interface type (without number), e.g. "set skip on vlan" or "set skip on em" was used, it would have the *undocumented* behavior of matching *any* interface of that type.
Now it will only match an interface which is a member of the named group. And thus it works with interface groups of arbitrary names, e.g., one can "set skip on home" with "home" being the group containing interfaces "em1" and "tun0".
This results in some changed behavior:
If you currently use "set skip" with a physical interface type (e.g. "set skip on ix") you will need to add the interface to a group of that name: 'ifconfig ix0 group ix' or add 'group ix' to hostname.ix0.
Interfaces cloned at runtime (e.g. lo, tap, tun, vlan) default to being in a group named after the interface type, so for these interfaces there will be no change in the behavior unless you have deliberately changed groups.
Obtained-from: FreeBSD (revision 337643) Obtained-from: OpenBSD (pf_if.c,v 1.62, 1.63)
show more ...
|
Revision tags: v6.2.1, v6.2.0, v6.3.0, v6.0.1, v6.0.0, v6.0.0rc1, v6.1.0, v5.8.3, v5.8.2, v5.8.1, v5.8.0, v5.9.0, v5.8.0rc1, v5.6.3, v5.6.2, v5.6.1, v5.6.0, v5.6.0rc1, v5.7.0, v5.4.3, v5.4.2, v5.4.1, v5.4.0, v5.5.0, v5.4.0rc1 |
|
#
d15093b9 |
| 09-Aug-2018 |
Aaron LI <aly@aaronly.me> |
Revert "pf: Allow disappearing or not yet existing interfaces for ALTQ"
This reverts commit 0a887f91f9633448c99b9a5b7c6116a0a22d25d6.
1. It's incorrect to change the ifnet_unlock(). The original p
Revert "pf: Allow disappearing or not yet existing interfaces for ALTQ"
This reverts commit 0a887f91f9633448c99b9a5b7c6116a0a22d25d6.
1. It's incorrect to change the ifnet_unlock(). The original protection range is used to make sure that the ifp does not get ripped out behind our back.
2. We don't suffer from the issue that that commit was intended to fix.
Thanks-to: sephe
show more ...
|
#
2949c680 |
| 21-Jun-2018 |
Aaron LI <aly@aaronly.me> |
net: Tweak some styles and comments
|
#
0a887f91 |
| 16-Jun-2018 |
Aaron LI <aly@aaronly.me> |
pf: Allow disappearing or not yet existing interfaces for ALTQ
Make ALTQ cope with disappearing interfaces (particularly common with net/mpd4 and netgraph in general). This also allows to add queue
pf: Allow disappearing or not yet existing interfaces for ALTQ
Make ALTQ cope with disappearing interfaces (particularly common with net/mpd4 and netgraph in general). This also allows to add queues for an interface that is not yet existing, however, you have to provide the bandwidth for the interface.
Meanwhile, simplify the ifnet_unlock() calls for ifunit() use.
Taken-from: FreeBSD (r177700)
show more ...
|
#
c686757e |
| 16-Jun-2018 |
Aaron LI <aly@aaronly.me> |
pf: Fix and improve interface group support
The old PF code has broken partial support of the interface group. Without this patch, loading the 'pf.ko' module will panic the system.
* Add event hand
pf: Fix and improve interface group support
The old PF code has broken partial support of the interface group. Without this patch, loading the 'pf.ko' module will panic the system.
* Add event handlers of pfi_{attach,detach,change}_group_event() to support the interface groups. Meanwhile, add event handler of pfi_ifaddr_event() that is called when an address is set up on an interface, and update pfi_{attach,detach}_event() handlers. (Based on FreeBSD)
* Remove function pfi_kifaddr_update() as it is merged into pfi_ifaddr_event() handler.
* Update pfi_initialize() and pfi_cleanup() functions (Based on FreeBSD).
* Split function pfi_kif_find() out of pfi_kif_get(). (Based on OpenBSD)
* The PF module will be properly initialized on module load, so remove extra pfi_initialize() calls.
* Rename malloc type 'PFI_MTYPE' to 'M_PFI', and merge with malloc type 'M_PFIADDRPL'.
* Staticize internal functions and variables.
* Some cleanups and style updates.
Thanks to sephe for the guidance.
show more ...
|
Revision tags: v5.2.2, v5.2.1, v5.2.0, v5.3.0, v5.2.0rc, v5.0.2, v5.0.1, v5.0.0, v5.0.0rc2, v5.1.0, v5.0.0rc1 |
|
#
5204e13c |
| 07-Aug-2017 |
Sepherosa Ziehau <sephe@dragonflybsd.org> |
netisr: Simplify assertion related bits
|
Revision tags: v4.8.1, v4.8.0, v4.6.2, v4.9.0, v4.8.0rc, v4.6.1, v4.6.0, v4.6.0rc2, v4.6.0rc, v4.7.0, v4.4.3, v4.4.2, v4.4.1, v4.4.0, v4.5.0, v4.4.0rc, v4.2.4, v4.3.1, v4.2.3, v4.2.1, v4.2.0, v4.0.6, v4.3.0, v4.2.0rc, v4.0.5, v4.0.4 |
|
#
9a74b592 |
| 18-Feb-2015 |
Sepherosa Ziehau <sephe@dragonflybsd.org> |
ifnet: Make blocking operation in if_addrheads iteration MPSAFE
Two methods are used: - Dispatch blocking operation in if_addrheads iteration to netisr0 to run for functions which do not copy data
ifnet: Make blocking operation in if_addrheads iteration MPSAFE
Two methods are used: - Dispatch blocking operation in if_addrheads iteration to netisr0 to run for functions which do not copy data into user space. - Use ifaddr marker to make sure that the ifaddr list is not broken if the ifaddr list is changed during the blocking operation. And reference the ifaddr being used so it will not be destroyed during the blocking operation.
show more ...
|
#
b4051e25 |
| 22-Jan-2015 |
Sepherosa Ziehau <sephe@dragonflybsd.org> |
ifnet: Make ifnet and ifindex2ifnet MPSAFE
- Accessing to these two global variables from non-netisr threads uses ifnet lock. This kind of accessing is from - Accessing to ifindex2ifnet from neti
ifnet: Make ifnet and ifindex2ifnet MPSAFE
- Accessing to these two global variables from non-netisr threads uses ifnet lock. This kind of accessing is from - Accessing to ifindex2ifnet from netisrs are lockless MPSAFE. - Netisrs no longer access ifnet, instead they access ifnet array as of this commit, which is lockless MPSAFE.
Rules for accessing ifnet and ifindex2ifnet is commented near the declaration of the related global variables/functions in net/if_var.h.
show more ...
|
Revision tags: v4.0.3, v4.0.2, v4.0.1, v4.0.0, v4.0.0rc3, v4.0.0rc2, v4.0.0rc, v4.1.0, v3.8.2, v3.8.1, v3.6.3, v3.8.0, v3.8.0rc2, v3.9.0, v3.8.0rc, v3.6.2 |
|
#
5dfbf41e |
| 07-Apr-2014 |
Antonio Huete Jimenez <tuxillo@quantumachine.net> |
network/pf - Avoid a possible bad pointer access.
- Make sure new pfi_kif structures are zeroed on allocation. - A panic was hit when pfi_instance_add() tried to access a bad ifp pointer (i.e. whe
network/pf - Avoid a possible bad pointer access.
- Make sure new pfi_kif structures are zeroed on allocation. - A panic was hit when pfi_instance_add() tried to access a bad ifp pointer (i.e. when using non-existing iface names in pf.conf)
show more ...
|
Revision tags: v3.6.1, v3.6.0, v3.7.1, v3.6.0rc, v3.7.0, v3.4.3, v3.4.2, v3.4.0, v3.4.1, v3.4.0rc, v3.5.0, v3.2.2, v3.2.1, v3.2.0, v3.3.0, v3.0.3, v3.0.2, v3.0.1, v3.1.0, v3.0.0 |
|
#
b6c57ceb |
| 05-Dec-2011 |
Sascha Wildner <saw@online.de> |
kernel: Remove some unneeded NULL checks after kmalloc() with M_WAITOK.
|
#
86d7f5d3 |
| 26-Nov-2011 |
John Marino <draco@marino.st> |
Initial import of binutils 2.22 on the new vendor branch
Future versions of binutils will also reside on this branch rather than continuing to create new binutils branches for each new version.
|
Revision tags: v2.12.0, v2.13.0, v2.10.1, v2.11.0, v2.10.0 |
|
#
1186cbc0 |
| 06-Jan-2011 |
Jan Lentfer <Jan.Lentfer@web.de> |
pf: convert to use kmalloc instead of zalloc
|
Revision tags: v2.9.1, v2.8.2, v2.8.1, v2.8.0, v2.9.0, v2.6.3, v2.7.3, v2.6.2, v2.7.2, v2.7.1, v2.6.1, v2.7.0, v2.6.0, v2.5.1, v2.4.1, v2.5.0, v2.4.0, v2.3.2, v2.3.1, v2.2.1, v2.2.0, v2.3.0 |
|
#
5bd4422e |
| 26-Dec-2008 |
Sepherosa Ziehau <sephe@dragonflybsd.org> |
Rework carp(4) IPv4 support.
Generic layer changes: - Pass more detailed information to ifaddr_event handler. o The ifaddr which triggers the event is passed in o The action (add/delete/change
Rework carp(4) IPv4 support.
Generic layer changes: - Pass more detailed information to ifaddr_event handler. o The ifaddr which triggers the event is passed in o The action (add/delete/change) performed upon the ifaddr is passed in - Add ifa_prflags field in ifaddr_container. This field should be used to hold protocol specific flags. For inet addresses, IA_PRF_RTEXISTOK is defined to ignore rtinit() EEXIST error in in_ifinit().
carp(4) changes: - Add virtual address struct, which holds corresponding carp(4) inet address and backing address of a "real" interface (backing interface). - The list holding virtual address struct is sorted. This is mainly used to fix the bug in following case: host1: ifconfig carp0 192.168.5.1 ifconfig carp0 alias 192.168.5.2 host2: ifconfig carp0 192.168.5.2 ifconfig carp0 alias 192.168.5.1 Before this change, the inet addresses sha1 calculated for these two host will be different, thus CARP fails. Based-on: OpenBSD - Allow inet addresses to be added to carp(4) interface, even if no backing interface could be found or the backing interface is not running. - Don't abuse IFF_UP, which is administrative flag; use IFF_RUNNING instead. - Factor out carp_stop(). - Handle ifaddr_event; most of the carp(4) inet address configuration happens in this event handler. In carp_ioctl(), we just mark the carp(4) interface IFF_UP|IFF_RUNNING and set IA_PRF_RTEXISTOK on the inet address. - Fix the ifdetach_event handler: o Don't sit on the branch while we are sawing it off. o We always need to leave the joined multicast group. - Free carp_if to the proper kmalloc pool. - Simplify the carp_if struct; except the TAILQ_HEAD, rest of the fields are not used; nuke them. - Use 'void *' as ifnet.if_carp's type. This could ease upcoming carp(4) MPSAFE work. - M_NOWAIT -> MB_DONTWAIT - Throw in assertions - Cleanup: o Nuke SC2IFP o Nuke carp_softc.sc_ifp compat shim o Constify function parameters o ...
show more ...
|
Revision tags: v2.1.1, v2.0.1 |
|
#
b2632176 |
| 07-Mar-2008 |
Sepherosa Ziehau <sephe@dragonflybsd.org> |
Parallelize ifnet.if_addrhead accessing by duplicating the list itself on each CPU, each list element points to ifaddr: - Add SI_SUB_PRE_DRIVERS before SI_SUB_DRIVERS, so action could be taken befo
Parallelize ifnet.if_addrhead accessing by duplicating the list itself on each CPU, each list element points to ifaddr: - Add SI_SUB_PRE_DRIVERS before SI_SUB_DRIVERS, so action could be taken before drivers' initialization (mainly before NIC driver's if_attach()) - Move netisr_init() to the FIRST of SI_SUB_PRE_DRIVERS, so that netmsg_service_port_init() could be called in earlier stage of system initialization. - Create one thread on each CPU to propagate changes to ifnet.if_addrhead. Their thread ports are registered with netmsg_service_port_init() for port syncing operation. - Change to ifnet.if_addrhead begins in netisr0, i.e. serial of changes to ifnet.if_addrhead are serialized by netisr0 - ifaddr's refcnt is moved to its list elements, i.e. per-CPU refcnt. They are initialized to 1 instead of 0. - A magic field is added to ifaddr list element to make sure that IFAREF and IFAFREE are called on valid ifaddr list element. This field is initialized to a magic value and is wiped out once the list element's refcnt drops to 0 - To close the gap between testing and freeing, once the ifaddr list element's refcnt drops to 0, ifa_portfn(0) (a thread's port on CPU0) is poked to check whether ifaddr is referenced on other CPUs, if not, then ifaddr is freed on ifa_portfn(0)
Reviewed-by: dillon@ (earlier version)
show more ...
|
#
e7b4468c |
| 05-Jan-2008 |
Sascha Wildner <swildner@dragonflybsd.org> |
For kmalloc(), MALLOC() and contigmalloc(), use M_ZERO instead of explicitly bzero()ing.
Reviewed-by: sephe
|
#
4b1cf444 |
| 22-Dec-2006 |
Sascha Wildner <swildner@dragonflybsd.org> |
Rename printf -> kprintf in sys/ and add some defines where necessary (files which are used in userland, too).
|
#
f8c7a42d |
| 20-Dec-2006 |
Matthew Dillon <dillon@dragonflybsd.org> |
Rename sprintf -> ksprintf Rename snprintf -> knsprintf
Make allowances for source files that are compiled for both userland and the kernel.
|
#
77652cad |
| 05-Sep-2006 |
Matthew Dillon <dillon@dragonflybsd.org> |
Rename malloc->kmalloc, free->kfree, and realloc->krealloc. Pass 2
|
#
efda3bd0 |
| 05-Sep-2006 |
Matthew Dillon <dillon@dragonflybsd.org> |
Rename malloc->kmalloc, free->kfree, and realloc->krealloc. Pass 1
|
#
cc6e5672 |
| 15-Jun-2005 |
Joerg Sonnenberger <joerg@dragonflybsd.org> |
Convert to critical sections.
|
#
519f2076 |
| 28-Sep-2004 |
Joerg Sonnenberger <joerg@dragonflybsd.org> |
EVENTHANDLER_REGISTER uses the name of the event as string and therefore the compiler couldn't detect the wrong event names. I used ifnet_attach_event and ifnet_detach_event instead of ifnet_arrival_
EVENTHANDLER_REGISTER uses the name of the event as string and therefore the compiler couldn't detect the wrong event names. I used ifnet_attach_event and ifnet_detach_event instead of ifnet_arrival_event and ifnet_departure_event. This seemed to work for PF as module because all existing interfaces are added by hand first.
Problem-reported-by: Aggelos Economopoulos <aoiko@cc.ece.ntua.gr>
show more ...
|
#
e4fc90e8 |
| 19-Sep-2004 |
Matthew Dillon <dillon@dragonflybsd.org> |
Add a missing #include and add a missing semicolon.
|
#
02742ec6 |
| 19-Sep-2004 |
Joerg Sonnenberger <joerg@dragonflybsd.org> |
Kernel part of PF
Ported-by: - Max Layer (original patch set, FreeBSD PF maintainer) - Devon O'Dell, Simon 'corecode' Schubert (integration and DragonFly specific changes)
In contrast to FreeBSD
Kernel part of PF
Ported-by: - Max Layer (original patch set, FreeBSD PF maintainer) - Devon O'Dell, Simon 'corecode' Schubert (integration and DragonFly specific changes)
In contrast to FreeBSD and OpenBSD, use direct flags in pkthdr instead of m_tags. This reduces allocation and processing overhead.
Keep the IP header in Host Byte Order like the rest of the tree assumes.
Module support has a memory leak for vm_zones when unloading pf.ko.
show more ...
|
#
ed1f0be2 |
| 11-Oct-2010 |
Jan Lentfer <Jan.Lentfer@web.de> |
pf: Update packetfilter to OpenBSD 4.4
* As correct pf function depends directly on pfsync now compile if_pfsyn.c into pf.ko. pflog is already part of pf.ko.
* A
pf: Update packetfilter to OpenBSD 4.4
* As correct pf function depends directly on pfsync now compile if_pfsyn.c into pf.ko. pflog is already part of pf.ko.
* Activate pfsync function by default. It's not a kernel option anymore, but pfsync is very unlikley to work. Anyway our ifconfig is missing all pfsync related options. I will try to make pfsync working again after upgrading to pf from OpenBSD 4.5 as pfsync changes completley then and is not compatible anymore with prior versions.
* Also make the module unloading sane in if_pflog.c
Thanks to Alex Hornung and Aggelos Economopoulos for debugging.
show more ...
|