git: pf - clear M_HASH in a few more places, cleanups, structure size change!

Matthew Dillon dillon at crater.dragonflybsd.org
Mon Sep 1 13:38:17 PDT 2014


commit 5f2a38e8757a109e3c29d889a17cd802d61e7a8d
Author: Matthew Dillon <dillon at apollo.backplane.com>
Date:   Mon Sep 1 13:30:46 2014 -0700

    pf - clear M_HASH in a few more places, cleanups, structure size change!
    
    * Clear the M_HASH flag in a few more places where headers get rewritten.
    
    * bzero the key before populating it.  Shouldn't be necessary but add as a
      safety for possible future use cases.
    
    * Add more fields to struct pfsync_state.  This requires pfvar.h to be
      reinstalled, the pf module and the pfctl program to be rebuilt.
      (suggest buildworld + buildkernel).
    
      pickup_mode and cpuid added.  Also added reserved fields so future
      additions can be made without changing the structure size again.
    
    * Other minor cleanups.
    
    * WARNING ON RDR, PASS IN / PASS OUT combinations.  RDR rules create state
      on the input path.  Further packets on the input path match the RDR
      state on input, but the *return* packet path will match the RDR state on
      output.
    
      This means that if you have a PASS OUT rule that matches the RDR input path
      on the output side of the translation, it will also create state, and if
      you have a PASS IN rule that matches the RDR return packet path, it will
      also create state on the input path for that packet.
    
      PF users must be sure that if such rules exist, they are either specified
      to not create keep state, use the default keep state (which allows pickups
      and sloppy tcp tests), or explicitly specify keep state with sloppy tcp
      tests.  This is because these PASS rules will only see one side of the
      TCP connection because the RDR state will suck up the other side.

Summary of changes:
 sys/net/pf/if_pfsync.c          |  2 ++
 sys/net/pf/pf.c                 | 77 +++++++++++++++++++++++++++++++++++------
 sys/net/pf/pfvar.h              |  6 ++++
 usr.sbin/pfctl/pf_print_state.c | 23 ++++++++++--
 4 files changed, 95 insertions(+), 13 deletions(-)

http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/5f2a38e8757a109e3c29d889a17cd802d61e7a8d


-- 
DragonFly BSD source repository
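
A pf.conf fragment illustrating the RDR / PASS OUT / PASS IN rule shapes that the warning in the commit message describes, together with the three state options it says are acceptable. This is an added example, not part of the commit or of the DragonFly tree; the interface names and addresses are made up, and it assumes this pf accepts the `no state` and `keep state (sloppy)` rule options.

```pf
# Added illustration (not from the commit). Interface names and
# addresses are constructed; assumes this pf accepts "no state" and
# "keep state (sloppy)".
ext_if = "em0"
int_if = "em1"
web    = "10.0.0.10"

# The RDR rule creates state on the input path on $ext_if. Further
# client packets match that state on input; the server's return
# packets match it on output. Translation rules precede filter rules.
rdr on $ext_if proto tcp from any to $ext_if port 80 -> $web port 80

# TO AVOID: a PASS OUT that matches the redirected flow after translation
# and a PASS IN that matches the return packets each create their own
# state. Per the warning, those states see only one side of the TCP
# connection, so an explicit "keep state" with the normal strict TCP
# tests is the combination to avoid:
#   pass out on $int_if proto tcp from any to $web port 80 flags S/SA keep state
#   pass in  on $int_if proto tcp from $web port 80 to any flags S/SA keep state

# Option 1: do not create state for these rules at all.
pass out on $int_if proto tcp from any to $web port 80 no state
pass in  on $int_if proto tcp from $web port 80 to any no state

# Option 2: rely on the default state handling (pickups and sloppy TCP
# tests), i.e. give no explicit state option.
#   pass out on $int_if proto tcp from any to $web port 80
#   pass in  on $int_if proto tcp from $web port 80 to any

# Option 3: explicit keep state with sloppy TCP tracking.
#   pass out on $int_if proto tcp from any to $web port 80 keep state (sloppy)
#   pass in  on $int_if proto tcp from $web port 80 to any keep state (sloppy)
```

Only one of the three option blocks should be active for a given pair of rules; parse-check the file with `pfctl -nf` before loading it, and remember that, after this commit, pfctl has to be rebuilt against the reinstalled pfvar.h before it can read state entries from the new pf module.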