git: pf - clear M_HASH in a few more places, cleanups, structure size change!
dillon at crater.dragonflybsd.org
Mon Sep 1 13:38:17 PDT 2014
Author: Matthew Dillon <dillon at apollo.backplane.com>
Date: Mon Sep 1 13:30:46 2014 -0700
pf - clear M_HASH in a few more places, cleanups, structure size change!
* Clear the M_HASH flag in a few more places where headers get rewritten.
* bzero the key before populating it. Shouldn't be necessary but add as a
safety for possible future use cases.
* Add more fields to struct pfsync_state. This requires pfvar.h to be
reinstalled, the pf module and the pfctl program to be rebuilt.
(suggest buildworld + buildkernel).
pickup_mode and cpuid added. Also added reserved fields so future
additions can be made without changing the structure size again.
* Other minor cleanups.
* WARNING ON RDR, PASS IN / PASS OUT combinations. RDR rules create state
on the input path. Further packets on the input path match the RDR
state on input, but the *return* packet path will match the RDR state on
This means that if you have a PASS OUT rule that matches the RDR input path
on the output side of the translation, it will also create state, and if
you have a PASS IN rule that matches the RDR return packet path, it will
also create state on the input path for that packet.
PF users must be sure that if such rules exist, they are either specified
to not create keep state, use the default keep state (which allows pickups
and sloppy tcp tests), or explicitly specify keep state with sloppy tcp
tests. This is because these PASS rules will only see one side of the
TCP connection because the RDR state will suck up the other side.
Summary of changes:
sys/net/pf/if_pfsync.c | 2 ++
sys/net/pf/pf.c | 77 +++++++++++++++++++++++++++++++++++------
sys/net/pf/pfvar.h | 6 ++++
usr.sbin/pfctl/pf_print_state.c | 23 ++++++++++--
4 files changed, 95 insertions(+), 13 deletions(-)
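The RDR / PASS IN / PASS OUT interaction the commit warns about, as an added pf.conf illustration that is not part of the commit or the DragonFly tree; interface names, the server address and the ports are placeholders, and only standard pf rule syntax (rdr, keep state, keep state (sloppy), no state) is used.

```conf
# Added illustration, not from the commit. $ext_if/$int_if, the address
# and ports are constructed placeholders.
ext_if  = "em0"
int_if  = "em1"
web_srv = "192.0.2.10"     # constructed example address

# The rdr rule creates state on the input path of $ext_if. Further inbound
# packets match this RDR state on input; the return packets match it on
# the way back out, so the RDR state sees both directions of the TCP flow.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 8080

# A pass out rule that matches the translated packets on the output side
# of the RDR would create a second state that only ever sees one direction
# of the connection. Per the commit message, avoid strict TCP tracking
# here: either create no state at all ...
pass out on $int_if proto tcp from any to $web_srv port 8080 no state

# ... or, if a pass in rule covers the return packets of the RDR, keep
# state but with sloppy TCP tests, since this state will likewise see
# only the reply half of the connection. (On DragonFly a plain
# "keep state" with its default pickup/sloppy behaviour is also fine.)
pass in on $int_if proto tcp from $web_srv port 8080 to any keep state (sloppy)
```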
DragonFly BSD source repository