OpenBSD pf ported to FreeBSD 5.x
Known problems
PENDING version 2.03:
IPv6 normalization needs more real life testing!
ALTQ for FreeBSD 5.x is "work in progress", please check our mailing list for updates!
If you are testing it please share your experience!
FIXED in version 2.03:
Avoid writing to invalid memory after an mbuf has been modified.
Fixed ALTQ-related WITNESS messages ("malloc").
FIXED in version 2.02:
Byte order and locking issues with icmp_error(), which is used with "block-policy return" to report closed UDP ports, were resolved.
Note: Due to mbuf tag handling it is still necessary to allow these ICMP error messages explicitly.
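As an added example (not from the port's own documentation), a constructed pf.conf fragment that uses "block-policy return" and passes the ICMP port-unreachable messages it generates explicitly, as the note above requires; the interface name and the services are assumptions:

```pf
# Constructed example, not part of the port. The interface name is assumed.
ext_if = "fxp0"

# Blocked packets are answered (TCP RST / ICMP unreachable) instead of
# being dropped silently. For a closed UDP port pf calls icmp_error().
set block-policy return

# Default deny in both directions on the external interface.
block in log on $ext_if all
block out log on $ext_if all

# Service actually offered on this host (assumed: ssh).
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh keep state

# Traffic the host itself originates.
pass out on $ext_if inet proto { tcp, udp } from ($ext_if) to any keep state

# On this port the ICMP errors generated by "return" are not exempt from
# filtering (mbuf tag handling), so without this rule the "block out" above
# would swallow them and the closed UDP port would look filtered instead.
pass out on $ext_if inet proto icmp from ($ext_if) to any icmp-type unreach code port-unr
```

Load it with pfctl -f and verify with pfctl -sr that the explicit ICMP pass rule is present before relying on the return policy.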
FIXED in version 2.01:
With help from Joris Vandalon, we were finally able to track down the "route-to" problem and fix it.
tcpdump now supports the -w option for if_pfsync input.
FIXED in version 2.00-RC1 == 2.00:
One major problem related to byte order differences was reported by Mark Bojara.
We believe that it was fixed with this release, though Mark wasn't able to confirm it yet.
Two changes in FreeBSD-Current needed fixup:
- mbuf tags can now have a "persistent" bit set, which is not desired for pf.
- if_xname finally made its way into FreeBSD (after two years in NetBSD and OpenBSD).
Additionally, some superfluous locks were removed from pf_ioctl.
FIXED in version 1.67:
No real problems, but many minor issues were addressed:
- libpcap and tcpdump were updated to respect pf filters again (lost in 1.5x)
- the pftcpdump.1 manpage is installed now
- pfstat was added to the contrib tree
In addition, two bigger tasks were completed:
- Addressed the locking (for tables) once more to gain performance (pfctl -Tshow)
- Started a first round of code cleanup to reduce diffs against OpenBSD and remove unused code.
FIXED in version 1.66:
Fixed a problem which led to a dysfunctional pf after running pfctl -d (port)
Added a patch to build after __FreeBSD_version 501110
FIXED in version 1.65:
Fixed a possible memory leak on MOD_UNLOAD
Added an experimental patch to make dynamic address changes work (see patches)
New sync with OpenBSD-current brings:
- Only minor documentation improvements as OpenBSD is about to release 3.4
FIXED in version 1.64:
Fixed a possible race on MOD_UNLOAD
Fixed a possible double free of an mbuf in the bridge code
Added an experimental patch to bridge.c to make PFIL_HOOKS work (see patches)
New sync with OpenBSD-current brings:
- pfctl improvements for tables in anchor handling
- proper counting for the new "nat pass" rules
FIXED in version 1.63:
New sync with OpenBSD-current brings:
- Passive OS fingerprinting tweaks.
- Spelling corrections in various places.
- pfctl sync and minor changes
- FIXUP for a remote DoS with scrub rules!!!
(port)
Big mutex round (part two)
Reworked the way PFIL_HOOKS are used
rn_walktree fixup
Makefile glue
Fixes regarding route options
FIXED in version 1.62:
New sync with OpenBSD-current brings:
- Passive OS fingerprinting:
  block in from any os "Windows" to any port smtp
Big mutex round, in preparation for the time when Giant is no longer held by the thread executing pf_test().
FIXED in version 1.61:
New sync with OpenBSD-current brings:
- Tables in pools:
  nat from a to b -> <foo>
Fixed if_pflog and if_pfsync. These devices make no use of ALTQ, so IFQ_SET_READY is not used.
FIXED in version 1.60:
New sync with OpenBSD-current brings:
- Fix ftp-proxy (OpenBSD PR3378)
- Better skip steps => new regression tests!
- Better state handling
Fixed a critical mbuf handling bug in the byte order hack
FIXED in version 1.59:
New sync with OpenBSD-current brings:
- pf's ip_len/ip_off byte ordering changed to network byte order
- better parsing and -v support for tables
- allow for a "pass" modifier on translation rules:
  nat pass on $ext_if from $a to $b -> $ext_if
- Fix nat proxy port allocation
- Fix u_int16_t variable overflow (port)
- Fix 'truncated-ip' errors on the pflog0 interface
- Fix scrub reassembly after the ip_len/ip_off byte ordering changes
Enabled experimental ALTQ on FreeBSD 5.1R with Dennis Berger's patch.
FIXED in version 1.58:
Fixed a critical mbuf handling bug in normalization! (port)
New sync with OpenBSD-current brings:
- IPv6 normalization (not tested!)
- Cleanups in various places: authpf, pfctl ...
- Improved tagid assignment (Henning claims a +50% speedup)
FIXED in version 1.56:
Intermediate SF release ... changes are reflected in 1.58.
FIXED in version 1.56:
Replaced %llu / %lld by <inttypes.h> macros to build authpf on 64-bit platforms (port)
New sync with OpenBSD-current brings:
- MSS support for synproxy (testing required)
- pfctl/parser "eyecandy"
- per direction counters + reporting of those via pfsync (needed for pfflowd)
- fix for an early free() introduced in 1.53 (found and analysed by us, fixed by Cedric)
Added contrib, which holds testing ports for some supporting applications. If you know of anything in connection with pf let us know!
FIXED in version 1.55:
Fixed wrong ackskew correction in connection with SACK (port)
Fixed the quiet flag for pfctl with anchors.
Fixed state removal on MOD_UNLOAD
Added debug output to the shutdown procedure (pfctl -xm to activate)
Fixed conflicting mbuf TAG definitions (port)
Updated README files
FIXED in version 1.54:
Fixed masking bug (see pf77.in) from OpenBSD henning@
Fixed the altqsupport test in pfctl to avoid unsupported DIOCs on /dev/pf
Fixed a problem in print-pflog.c when building with NOINET6 turned on. (port)
Pulled in new versions of libpcap and tcpdump from 5.1-release and made them fit for 5.0 as well.
MLD6_xxx is now MLD_xxx from OpenBSD. FreeBSD had done the conversion pre 5.0.
FIXED in version 1.53:
Pyun identified a problem with netmasks on multicast hosts. A solution has been sent to the FreeBSD PR system: http://www.freebsd.org/cgi/query-pr.cgi?pr=53151
The workaround (from an earlier version in OpenBSD) has been reused. If FreeBSD gets a proper inet_net_pton() function you should edit pfctl/Makefile to reflect that.
Fixed missing variables in pf_commitaltqs(). Compiles with WITH_ALTQ=yes again.
New sync with OpenBSD-current brings:
- tables in anchors.
- better documentation.
- updated licences.
- Fix for "pfctl -vvss" output bug (/128 on IPv4)
FIXED in version 1.52:
Added some missing initialisations and fixed the WITH_RANDOM_ID=yes make flag
PENDING version 0.63: (continues in 1.5x)
Needs an optimized version of in4_cksum for architectures other than i386.
There might still be some bugs in ALTQ support. Send in your report!
FIXED in version 0.63:
Even more speed-up in the checksum calculation (with i386 assembler). We need people with other architectures to test and supply optimized versions of in4_cksum for their architecture.
Fixed a minor problem with the bge NIC's hardware checksum handling.
FIXED in version 0.62:
Reworked pf_check_proto_cksum() to avoid multiple checksum calculations. This should give a notable performance gain on older boxes. This needs testing! Especially with NICs that support hardware checksumming. We have not discovered any problems with it, but 0.61 is still the safer choice.
0.62a fixes a problem with IPv6 introduced with version 0.62
FIXED in version 0.61:
Fixed a ping fragment DoS attack. Please update!
Some changes in the Makefiles have been made to make port building easier.
FIXED in version 0.60:
Fixed pfsync unload problem.
We believe that this version is ready for production use (without ALTQ)
FIXED in version 0.56:
Added ALTQ support based on the work at http://www.rofug.ro/projects/freebsd-altq/
FIXED in version 0.55:
Daniel Hartmeier fixed an IPv6 problem.
FIXED in version 0.54:
Fixed missing locks for various structures. Great work by Pyun YongHyeon to support -current.
FIXED in version 0.53:
Some smaller changes to build with -current. Seems to work with -current, but needs testing!
FIXED in version 0.52:
Fixed cleanup code on module removal. (I messed up the package build, so this change was not in the tarball)
FIXED in version 0.51:
Daniel Hartmeier fixed a missing initialization of tables. Table support seems to work now. Please test!
FIXED in version 0.50:
None. Only resynced with the OpenBSD src tree. This resync, however, adds the following new features:
- Loading a new ruleset without a state flush.
- Nicer error messages on syntax errors.
- Some smaller/internal changes.
FIXED in version 0.45:
Changed Makefiles in order to be able to do a make install; please read the Installation and Test guide first!
Fixed checksums on fragments.
FIXED in version 0.44:
Changed the pfil_hook wrapper functions in order to create less overhead.
Fixed the check before freeing an mbuf in pf_check to avoid freeing a NULL pointer.
FIXED in version 0.43:
Daniel Hartmeier made us aware of a major problem with our port, causing various trouble. That problem should be fixed in version 0.43.
As a result of the problem, some skip steps were miscalculated (some rules were never evaluated) and some valid rules didn't work at all.
Please upgrade.
FIXED in version 0.42:
rdr messes up the TCP checksum when redirecting to a local source.
That is why currently ftp-proxy and the like won't work.
If you happen to be a genius in checksum arithmetic, take a look and send your patches ;)
The package is not yet widely tested, but works stably on my gateway, performing NAT and stateful filtering for my LAN. If you come across any problem or error, please do not wait to send in your report!