e8d81675 | 10-May-2023 | sashan <sashan@openbsd.org>
nat-to may fail to insert state due to a conflict on the chosen source port number. This is typically indicated by a 'wire key attach failed on...' message when pf(4) debugging is enabled. The problem is caused by a glitch in pf_get_sport() which fails to discover the conflict in advance. In order to fix it we must also calculate the toeplitz hash in pf_get_sport() to initialize the lookup key properly.
the bug has been kindly reported by joosepm _von_ gmail _dot_ com
OK dlg@

e9311d0b | 04-Jan-2023 | dlg <dlg@openbsd.org>
move the pf_state_tree_id type from pfvar.h to pfvar_priv.h.
the pf_state_tree_id type is private to the kernel.
while here, move it from being an RB tree to an RBT tree. this saves about 12k in pf.o on amd64.
ok sashan@

56efcf3b | 31-Aug-2022 | benno <benno@openbsd.org>
make kernel build without INET6 again. ok sashan@

c2364f2a | 03-Aug-2022 | sashan <sashan@openbsd.org>
Bug was reported by Chriss Cappucio. It has turned out my earlier change to pf_lb.c was not complete. We must add a test to determine the number of addresses defined by the pool, so we don't treat pool definition 172.16.0.0/16 as a single IP address in the pool. If the pool is defined as 172.16.0.0/16, then we don't want to fall back to PF_POOL_NONE. Missing this measure in pf_map_addr() may cause pf_get_sport() to enter an infinite loop when source port translation becomes depleted for the first address found in the pool (like 172.16.0.1), because the bug prevents pf_map_addr() from moving to the next address in the pool (like 172.16.0.2).
While investigating the issue I've also noticed an oddity for small random pools such as 192.168.1.32/28. One would expect the addresses for nat to be randomly picked from the range .32 - .47 in this case. However, the random selection yields significantly more (like 20%) addresses ending in .32. In order to fix it we make the random pool use arc4random_uniform(~mask + 1) instead of the current arc4random().
feedback by claudio@ tested by hrvoje@

308aaa40 | 16-Feb-2022 | sashan <sashan@openbsd.org>
nat-to round-robin without a pool should fall back to POOL_NONE. Bug reported by giovanni@
OK giovanni@

38bfd041 | 16-Dec-2021 | sashan <sashan@openbsd.org>
fix zero division found by syzkaller. The sanity checks in pf(4) ioctls are not powerful enough to detect invalid port ranges (or even invalid rules). syzkaller does not use pfctl(8), it uses ioctl(2) to pass some random chunk of memory as a rule to pf(4). The fix adds an explicit check for a 0 divider to pf_get_transaddr(). It should make syzkaller happy without disturbing anyone else.
OK gnezdo@
Reported-by: syzbot+d1f00da48fa717e171f3@syzkaller.appspotmail.com

4bd0ce1d | 12-Dec-2020 | jan <jan@openbsd.org>
Correct wrong type of variable and remove useless casts.
OK bluhm@

511c53b1 | 29-Jul-2020 | yasuoka <yasuoka@openbsd.org>
Fix previous commit which referred to the wrong address and returned the wrong value.
ok sashan

26b62979 | 28-Jul-2020 | yasuoka <yasuoka@openbsd.org>
Use the table on root always if current table is not active.
ok sashan

4cb186b8 | 24-Jul-2020 | yasuoka <yasuoka@openbsd.org>
Increase the state counter for least-states when the address is selected by sticky-address. Also fix the problem that the interface specified by the selected table entry is not used properly.
ok jung sashan

b4470a7b | 02-Jul-2019 | yasuoka <yasuoka@openbsd.org>
When a source address tracking record is used for "route-to", the next hop interface configured with "route-to" was not used. Keep the interface within the pf_src_node and use it when the record is used.
OK sashan

492cf661 | 10-Dec-2018 | kn <kn@openbsd.org>
Remove useless macros
These are just unhelpful case conversions.
OK sashan henning

568ff528 | 06-Feb-2018 | henning <henning@openbsd.org>
some finger muscle workout: bzero -> memset and (very few) bcopy -> memcpy/memmove

425f1cf2 | 12-Jul-2017 | bluhm <bluhm@openbsd.org>
Use a 32 bit variable to detect integer overflow when searching for an unused nat port. Prevents a possible endless loop if high port is 65535 or low port is 0. report and analysis Jingmin Zhou; OK sashan@ visa@

c50ff513 | 23-Apr-2017 | sthen <sthen@openbsd.org>
Some of the LOG_NOTICE messages from PF were seen in normal operations with certain rulesets and excessively noisy; move them to LOG_INFO (which was previously unused). ok benno@

56a5bba3 | 08-Feb-2017 | jsg <jsg@openbsd.org>
Remove an unneeded NULL test which was after a deref. ok mpi@ henning@ sashan@

ab417b3a | 26-Oct-2016 | bluhm <bluhm@openbsd.org>
Put union pf_headers and struct pf_pdesc into a separate header file pfvar_priv.h. The pf_headers had to be defined in multiple .c files before. In pfvar.h it would have unknown storage size; this file is included in too many places. The idea is to have a private pf header that is only included in the pf part of the kernel. For now it contains pf_pdesc and pf_headers; it may be extended later. discussion, input and OK henning@ procter@ sashan@

342c264f | 27-Sep-2016 | dlg <dlg@openbsd.org>
roll back turning RB into RBT until i get better at this process.

367432d6 | 27-Sep-2016 | dlg <dlg@openbsd.org>
move pf from the RB macros to the RBT functions.

4f8cfed0 | 19-Jul-2016 | henning <henning@openbsd.org>
remove wrong and misleading comment, ok phessler

4af3c109 | 24-Jun-2016 | bluhm <bluhm@openbsd.org>
The function pf_get_sport() did work for out rules only. Make it aware of the direction of the packet. Now nat-to can be used by in rules and together with divert-to. Collisions with existing states are found and produce a "NAT proxy port allocation failed" message. OK henning@ mikeb@

367b0410 | 15-Jun-2016 | mikeb <mikeb@openbsd.org>
There's no need to convert values returned by arc4random to the network byte order. Spotted by Gleb Smirnoff (glebius@FreeBSD.org), thanks!
ok tedu

c8d41900 | 24-Nov-2015 | mpi <mpi@openbsd.org>
No need for <net/if_types.h>
As a bonus this removes a "#if NCARP > 0", say yeah!

6d03c693 | 15-Oct-2015 | bluhm <bluhm@openbsd.org>
When using a pf rule with both nat-to and rdr-to, it could happen that the nated source port was reused as destination port. Do not initialize nport at the beginning of the function, but where it is needed. OK sashan@

614a62ad | 13-Oct-2015 | sashan <sashan@openbsd.org>
- pf_insert_src_node(): global argument (arg6) is useless, function always gets pointer to rule.
- pf_remove_src_node(): function should always remove matching src node, regardless of sn->rule.ptr being NULL or a valid rule
- sn->rule.ptr is never NULL, spotted by mpi and Richard Procter _von_ gmail.com
OK mpi@, OK mikeb@