Updated to OpenBSD 3.7 pf:
* Support limiting TCP connections by establishment rate, automatically
adding flooding IP addresses to tables and flushing states
(max-src-conn-rate, overload <table>, flush global).
* Improved functionality of tags (tag and tagged for translation rules,
tagging of all packets matching state entries).
* Improved diagnostics (error messages and additional counters from pfctl -si).
* New keyword set skip on to skip filtering on arbitrary interfaces,
like loopback.
* Several bugfixes improving stability.
ALTQ is now also supported by using the option 'altq', see the homepage
for information about how to apply the kernel patch.
Approved by: Thomas Klausner <wiz@NetBSD.org>
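A pf.conf fragment, added here as an illustration and not part of the package or its commit log, that combines the 3.7 features named above: set skip on the loopback interface, and a stateful SSH rule whose max-src-conn-rate limit moves a flooding source into an overload table and tears down its states with flush global. The interface name fxp0 and the table name bruteforce are assumptions.

```pf
# Added example pf.conf fragment for the 3.7-based package, not from the package itself.
# $ext_if and the <bruteforce> table name are assumptions.
ext_if = "fxp0"

# Table that overload fills with offending source addresses;
# persist keeps it in the kernel even while no rule references it.
table <bruteforce> persist

# 3.7 'set skip' replaces per-rule exceptions for the loopback interface.
set skip on lo0

# Drop everything from sources that have already been flagged.
block in quick on $ext_if from <bruteforce>

# Stateful SSH rule (keep state is still explicit in 3.7 syntax).
# max-src-conn      : at most 10 simultaneous connections per source
# max-src-conn-rate : at most 5 new connections per 30 seconds per source
# overload          : on breach, add the source address to <bruteforce>
# flush global      : and kill all of that source's existing states,
#                     not only the ones created by this rule
pass in quick on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, \
     overload <bruteforce> flush global)
```

Flagged addresses can be listed with `pfctl -t bruteforce -T show` and released with `pfctl -t bruteforce -T delete <addr>`; the 3.7 counters mentioned above appear in `pfctl -si`.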
Changes:
* Updated the ALTQ patch, now works correctly on NetBSD 2.0 release.
Thanks to Miles Nordin for helping and testing.
* Write struct "pcap_sf_pkthdr" instead of "pcap_pkthdr". Fixes
an LP64 specific problem with reading the pflog with tcpdump(8).
* Applied patch to pf.c from OPENBSD_3_6 branch:
ICMP state entries use the ICMP ID as port for the unique state key. When
checking for a usable key, construct the key in the same way. Otherwise,
a colliding key might be missed or a state insertion might be refused even
though it could be inserted. The second case triggers the endless loop
fixed by 1.474, possibly allowing a NATed LAN client to lock up the kernel.
Report and test data by Srebrenko Sehic.
* Applied patch to pf_lkm.c from NetBSD HEAD:
pfil4_wrapper: clear M_CANFASTFWD which is not compatible with pf.
* Applied patch to pf_ioctl.c from OPENBSD_3_6 branch:
replace finer-grained spl locking in pfioctl() with a single broad lock
around the entire body. This resolves the (misleading) panics in
pf_tag_packet() during heavy ioctl operations (like when using authpf)
that occur because softclock can interrupt ioctl on i386 since SMP.
* Applied patch to pf.c from OPENBSD_3_6 branch:
IPv6 packets can contain headers (like options) before the TCP/UDP/ICMP6
header. pf finds the first TCP/UDP/ICMP6 header to filter by traversing
the header chain. In the case where headers are skipped, the protocol
checksum verification used the wrong length (included the skipped headers),
leading to incorrectly mismatching checksums. Such IPv6 packets with
headers were silently dropped. Reported by Bernhard Schmidt.
* Applied patch to pfctl_optimize.c from OPENBSD_3_6 branch:
&&/|| inversion would try to merge IP addresses with non-addresses into a
single table causing a ruleset load error and eventually a double-free.
* Applied patch to pf.c from OPENBSD_3_6 branch:
Initialise init_addr in pf_map_addr() in the PF_POOL_ROUNDROBIN,
prevents a possible endless loop in pf_get_sport() with 'static-port'.
* Fix to if_events.diff from Miles Nordin <carton at Ivy dot NET>:
Call free after removing the element from the list, not before.
Fixes panic with "unaligned access" on Alpha.
under share/examples/rc.d. The variable name already was named
RCD_SCRIPTS_EXAMPLEDIR.
This is from ideas from Greg Woods and others.
Also bumped PKGREVISION for all packages using RCD_SCRIPTS mechanism
(as requested by wiz).
* improved cleanup routines to make sure that no memory is leaking.
* applied patch to pf.c from OPENBSD_3_6 branch:
fix a bug that leads to a crash when binat rules of the form
'binat from ... to ... -> (if)' are used, where the interface is dynamic.
* added (unsigned char) casts to ctype functions.
* added experimental patch for ALTQ support.
* applied patch to pfctl_parser.c from OPENBSD_3_6 branch:
do not assume entries in pf_timeouts[] are ordered like PFTM_* in pfvar.h
* applied patch to pf.c from OPENBSD_3_6 branch:
The flag to re-filter pf-generated packets was set wrong by synproxy
for ACKs. It should filter the ACK replayed to the server, instead of
the one to the client.
* applied patch to pf.c from OPENBSD_3_6 branch:
For RST generated due to state mismatch during handshake, don't set
th_flags TH_ACK and leave th_ack 0, just like the RST generated by
the stack in this case. Fixes the Raptor workaround.
* applied patch to pf_lkm.c from NetBSD HEAD:
pfil4_wrapper, pfil6_wrapper:
ensure that mbufs are writable beforehand as pf assumes it.
* applied patch to pf.c from OPENBSD_3_6 branch:
reset anchor pointer to NULL when stepping back into the main ruleset,
fixes pflog attributing states wrongly to anchors and pfctl -vvsn/sr
showing wrong state counters for anchor rules.
Packet Filter (from here on referred to as PF) is OpenBSD's system for
filtering TCP/IP traffic and doing Network Address Translation. PF is also
capable of normalizing and conditioning TCP/IP traffic.
PF was originally developed by Daniel Hartmeier and is now maintained and
developed by Daniel and the rest of the OpenBSD team.
This package includes a complete port (LKM and userland utilities) from
OpenBSD 3.6 to NetBSD 2.0.