Commit graph

587 commits

Author SHA1 Message Date
Shawn Webb
33bc3d9fd9
HBSD: Enable SEGVGUARD by default
HardenedBSD still has SEGVGUARD in opt-in mode by default. OPNsense
needs to have this as opt-out by default.

Signed-off-by:	Shawn Webb <shawn@opnsense.org>
2018-11-04 18:35:44 -05:00
Franco Fichtner
4b21e5691f HBSD: on i386 RWX pages were RX only
Submitted by: @lattera
2018-11-01 07:52:00 +01:00
kp
ea449cda0d MFC r334375, r334379:
pf: Replace rwlock on PF_RULES_LOCK with rmlock

Given that PF_RULES_LOCK is a mostly read lock, replace the rwlock with rmlock.
This change improves packet processing rate in high pps environments.
Benchmarking by olivier@ shows a 65% improvement in pps.

While here, also eliminate all appearances of "sys/rwlock.h" includes since it
is not used anymore.

Submitted by:   farrokhi@
2018-10-21 19:12:25 +02:00
kp
4f962c3331 MFC r337969:
pf: Limit the maximum number of fragments per packet

Similar to the network stack issue fixed in r337782 pf did not limit the number
of fragments per packet, which could be exploited to generate high CPU loads
with a crafted series of packets.

Limit each packet to no more than 64 fragments. This should be sufficient on
typical networks to allow maximum-sized IP frames.

This addresses the issue for both IPv4 and IPv6.

Security:	CVE-2018-5391
Sponsored by:	Klara Systems
2018-10-21 19:11:41 +02:00
kp
6f1207f710 MFC r335816:
pfsync: Fix state sync during initial bulk update

States learned via pfsync from a peer with the same ruleset checksum were not
getting assigned to rules like they should because pfsync_in_upd() wasn't
passing the PFSYNC_SI_CKSUM flag along to pfsync_state_import.

PR:		229092
Submitted by:	Kajetan Staszkiewicz <vegeta tuxpowered.net>
Obtained from:	OpenBSD
Sponsored by:	InnoGames GmbH
2018-10-21 19:11:35 +02:00
eugen
4ab5484a83 MFC r336195: unbreak dhclient(8) option 26 processing
Make dhclient(8) verify if new MTU (option 26) differs from current one
  and skip unneeded MTU change. This check eliminates infinite loop
  of MTU change / link flap / lease verification / MTU change / link flap etc.
  in case of some NIC drivers like em(4) or igb(4).

PR:		229432
Approved by:	mav (mentor)
2018-10-21 17:59:42 +02:00
Franco Fichtner
700c1a0421 hn: do not discard UDP6 traffic
Taken from: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231797
2018-10-18 09:19:31 +02:00
ygy
f877f7754e Add description, parameters, options, sysctl and examples of using AQMs to ipfw man page. CoDel, PIE, FQ-CoDel and FQ-PIE AQM for Dummynet exist in FreeBSD 11 and 10.3.
Submitted by:	ralsaadi@swin.edu.au
Reviewed by:	AllanJude
Approved by:	re (gjb)
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D12507
2018-10-16 21:11:10 +02:00
Franco Fichtner
725649d96a pkg: better fix, keep vanilla file, but don't install
2018-10-11 10:34:02 +02:00
Franco Fichtner
2e287ab695 pkg: three is a crowd
When we have three repos, even if two are disabled, the pkg upgrade
output changes and breaks our backend scanning code...
2018-10-11 09:38:04 +02:00
Franco Fichtner
00ba3b2c52 i386: remove stale imgact_linux.c reference
2018-10-08 12:41:38 +02:00
Franco Fichtner
08c4bc7bbc Revert "dwatch: do not install"
This reverts commit a3d6a45820.
Magic undocumented characters in libarchive can fix this elsewhere.
2018-10-08 09:39:48 +02:00
Franco Fichtner
a3d6a45820 dwatch: do not install
PR: https://github.com/libarchive/libarchive/issues/1071
2018-10-08 08:04:47 +02:00
Franco Fichtner
8a0fbbb6a9 HBSD: missed this, prints on OPNsense boot
2018-10-08 00:24:32 +02:00
Franco Fichtner
8ba72fd134 apuled: import APU 1-3 LED kernel module
Taken from: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=189772
PR: https://github.com/opnsense/core/issues/2114
2018-10-07 20:23:44 +02:00
gordon
4a1c7d28db Fix small kernel memory disclosures. [EN-18:12.mem]
Reported by:	Thomas Barabosch, Fraunhofer FKIE
Approved by:	so
Security:	FreeBSD-EN-18:12.mem
Security:	CVE-2018-17155
2018-10-07 19:52:59 +02:00
gordon
f90dc93b2a Fix DoS in listen syscall over IPv6 socket. [EN-18:11.listen]
Reported by:	Jakub Jirasek, Secunia Research at Flexera
Approved by:	so
Security:	FreeBSD-EN-18:11.listen
Security:	CVE-2018-6925
2018-10-07 19:52:59 +02:00
gordon
59ae05f60d Fix NULL pointer dereference in freebsd4_getfsstat. [EN-18:10.syscall]
Reported by:	Thomas Barabosch, Fraunhofer FKIE
Approved by:	so
Security:	FreeBSD-EN-18:10.syscall
Security:	CVE-2018-17154
2018-10-07 19:52:59 +02:00
gordon
83e734ed29 Fix regression in IPv6 fragment reassembly. [EN-18:09.ip]
Approved by:	so
Security:	FreeBSD-EN-18:09.ip
2018-10-07 19:52:59 +02:00
gordon
2b2d381a57 Fix regression in Lazy FPU remediation. [EN-18:08.lazyfpu]
Approved by:	so
Security:	FreeBSD-EN-18:08.lazyfpu
2018-10-07 19:52:35 +02:00
gordon
178d83e5a0 Fix improper elf header parsing. [SA-18:12.elf]
Approved by:	so
Security:	FreeBSD-SA-18:12.elf
Security:	CVE-2018-6924
2018-10-07 19:52:35 +02:00
delphij
aad223b461 Revise manual pages. [SA-18:08.tcp]
Fix L1 Terminal Fault (L1TF) kernel information disclosure.
[SA-18:09.l1tf]

Fix resource exhaustion in IP fragment reassembly. [SA-18:10.ip]

Fix unauthenticated EAPOL-Key decryption vulnerability.
[SA-18:11.hostapd]

Approved by:	so
2018-10-07 19:52:35 +02:00
delphij
d039d53b5a Bump patch level and document them.
Approved by:	so
2018-10-07 19:52:35 +02:00
jtl
be4dd13c69 Address concerns about CPU usage while doing TCP reassembly.
Currently, the per-queue limit is a function of the receive buffer
size and the MSS.  In certain cases (such as connections with large
receive buffers), the per-queue segment limit can be quite large.
Because we process segments as a linked list, large queues may not
perform acceptably.

The better long-term solution is to make the queue more efficient.
But, in the short-term, we can provide a way for a system
administrator to set the maximum queue size.

We set the default queue limit to 100.  This is an effort to balance
performance with a sane resource limit.  Depending on their
environment, goals, etc., an administrator may choose to modify this
limit in either direction.

Approved by:	so
Security:	FreeBSD-SA-18:08.tcp
Security:	CVE-2018-6922
2018-10-07 19:52:35 +02:00
Franco Fichtner
e93c17aa0e vlan: do not protect PCP write with the sysctl
pf will unconditionally "set prio", so this will fail if the
sysctl is off.  The sysctl, however, introduces a side-effect
so we would rather keep the default behaviour.  The allocation
slowdown is already taking place, so this in the worst case
only adds a list traversal / lookup.

PR: https://forum.opnsense.org/index.php?topic=6714.0
2018-10-07 19:31:00 +02:00
Franco Fichtner
ed39d84826 pf/ipfw/netinet[6]: IP forwarding rework, fixes IPv4 in pf(4)
Based on feedback by countless users, this removes the if_output
calls in the pf code that escape pfil processing in IPv4 by going
the long way.

In our 11.1 iteration ip_tryforward() is easy to port and while
we are at it we shall also tackle IPv6.  :)

11.2 update adds all recent fixes into this single commit.

Many thanks to Andrey V. Elsukov (ae@) for giving this direction
and review.

Also see: https://reviews.freebsd.org/D8877
2018-10-07 19:24:22 +02:00
Shawn Webb
7e435c13fa HBSD: Bring in libarchive/libarchive@c246ec5d05
This fixes an out-of-bounds read vulnerability in libarchive.

Signed-off-by:	Shawn Webb <shawn.webb@hardenedbsd.org>
Sponsored-by:	SoldierX
MFC-to:		11-STABLE
2018-10-07 18:56:07 +02:00
Franco Fichtner
15acb2f544 stf: merge pfSense stf additions not in FreeBSD
Includes later fixes in OPNsense 18.7 while reworking it for 19.1.

Taken from: https://github.com/pfsense/FreeBSD-src/tree/RELENG_2_4
2018-10-07 18:56:07 +02:00
loos
c396d00980 After the in_control() changes in r257692, an existing address is
(intentionally) deleted first and then completely added again (so all the
events, announces and hooks are given a chance to run).

This causes an issue with CARP where the existing CARP data structure is
removed together with the last address for a given VHID, which will cause
a subsequent failure when the address is later re-added.

This change fixes this issue by adding a new flag to keep the CARP data
structure when an address is not being removed.

There was an additional issue with IPv6 CARP addresses, where the CARP data
structure would never be removed after a change and lead to VHIDs which
cannot be destroyed.

Reviewed by:	glebius
Obtained from:	pfSense
MFC after:	2 weeks
Sponsored by:	Rubicon Communications, LLC (Netgate)
2018-10-07 18:53:35 +02:00
Franco Fichtner
8601775556 dhclient: VLAN priority support
These changes are based on the dhclient used in pfSense 2.3, which
seems not to have made it into FreeBSD 11 as used in pfSense 2.4.

To be able to add a VLAN priority to a DHCP request the following
must be added to the config:

interface "em1_vlan123" {
    vlan-parent "em1";
    vlan-id 123;
    vlan-pcp 6;
}

Extensive (and annoying) care has been taken WRT keeping the BPF
write filter functional for security reasons.

Based on a submission by Martin Wasley <martin@queens-park.com>.
2018-10-07 18:53:14 +02:00
Franco Fichtner
affaa76ca1 re: update to vendor version 1.95
Taken from: http://www.realtek.com
2018-10-07 18:52:33 +02:00
Shawn Webb
914a40efa5 HBSD+OPNsense: Set hardening.pax.disallow_map32bit.status=1 by default
LuaJIT creates 32-bit memory maps in a 64-bit execution environment,
which is disabled by default in HardenedBSD. We never ported the
MAP_32BIT disallow logic over from HardenedBSD to OPNsense prior to
18.1. The merge of HardenedBSD's ASLR implementation for 18.1 also
brought in the new logic.

Instead of removing disallow_map32bit, simply set it to 1 by default.
This will allow those who don't use LuaJIT applications to set it to 2
in /boot/loader.conf.local.

Note that this commit is specific to OPNsense. OPNsense ships without
the PAX_SYSCTLS kernel option, thus it's impossible to toggle via
sysctl.conf(5) and must be set via loader.conf.local.

Signed-off-by:	Shawn Webb <shawn@opnsense.org>
github-issue:	opnsense/plugins#466
2018-10-07 17:50:23 +02:00
cem
b9ad047e72 dhclient(8): Enable numbered user class ID option
By adding it to the option priorities table.

PR:		184117
Submitted by:	Lowell Gilbert <freebsd-bugs-local at be-well.ilk.org>
Reported by:	Tomek CEDRO <cederom at tlen.pl>
Reviewed by:	jhb
Differential Revision:	https://reviews.freebsd.org/D7911
2018-10-07 17:49:53 +02:00
kp
3df82065cb pf: port extended DSCP support from OpenBSD
Ignore the ECN bits on 'tos' and 'set-tos' and allow the use of
DSCP names instead of having to embed their TOS equivalents
as plain numbers.

Obtained from:	OpenBSD
Sponsored by:	OPNsense
Differential Revision:	https://reviews.freebsd.org/D8165
2018-10-07 17:46:54 +02:00
Franco Fichtner
0595c8c3c1 rtsold: pass sending router address to other script as well
Partially based on an old pfSense modification that never made it
to FreeBSD upstream.

See: https://github.com/fichtner/pfsense-tools/commit/2a78e6483
2018-10-07 17:45:20 +02:00
Franco Fichtner
eb82903353 dhclient: support supersede statement for option 54
Submitted by: Fabian Kurtz <fabian.kurtz@udo.edu>
2018-10-07 17:43:23 +02:00
Franco Fichtner
c689ecc1ec run: add AE3000 and AE6000; closes #17
2018-10-07 17:43:08 +02:00
loos
9b7ed4d3ef The stf(4) interface name does not conform with the default naming
convention for interfaces, because only one stf(4) interface can exist
in the system.

This disallows the use of unit numbers other than 0; however, it is
possible to create the clone without specifying the unit number (wildcard).

In the wildcard case we must update the interface name before returning.

This fixes an infinite recursion in the pf code that keeps track of network
interfaces and groups:

1 - a group for the cloned type of the interface is added (stf in this
    case);
2 - the system will now try to add an interface named stf (instead of
    stf0) to stf group;
3 - when pfi_kif_attach() tries to search for an already existing 'stf'
    interface, the 'stf' group is returned and thus the group is added
    as an interface of itself;

This will now cause a crash at the first attempt to traverse the groups
to which the stf interface belongs (which loops over itself).

Obtained from:	pfSense
MFC after:	2 weeks
Sponsored by:	Rubicon Communications, LLC (Netgate)
2018-10-07 17:42:54 +02:00
sbruno
94f9f4e0ad Do not initialize the adapter on MTU change when adapter status is down.
This fixes long-standing problems when changing settings of the adapter.

Discussed in:
https://lists.freebsd.org/pipermail/freebsd-net/2016-June/045509.html

Submitted by:	arnaud.ysmal@stormshield.eu
Reviewed by:	erj@freebsd.org
Approved by:	re (gjb)
Differential Revision:	https://reviews.freebsd.org/D7030
2018-10-07 17:42:28 +02:00
Franco Fichtner
7514cc6706 dummynet: pfil skip for IPv4 and IPv6
Based on a patch originally found in m0n0wall, expanded
to IPv6 and aligned with FreeBSD's IP input path.
2018-10-07 17:41:46 +02:00
Franco Fichtner
cd1c670224 netmap: ring size limit not enough for multi-queue em(4)
Also mutes a spammy message.  Bravely going where no man
has gone before.  :)
2018-10-07 17:34:21 +02:00
Franco Fichtner
1766f20daf tmpfs: allow recurse as that does happen when using unionfs
2018-10-07 17:34:00 +02:00
Franco Fichtner
98ec75431e etc: OPNsense customisations
o use less(1) as the default pager (inspired by DragonFlyBSD)
o add more key bindings to .cshrc (contributed by Thomas Siegmund)
o add .vimrc to base installation
2018-10-07 17:33:32 +02:00
Franco Fichtner
0c0e584f24 HBSD: cleanups, smaller reverts and review
* Remove default HT disable hardening for now
* Remove default tempaddr IPv6 for now
* Whitespace changes vs. FreeBSD
2018-10-07 17:29:46 +02:00
Shawn Webb
0c60df5d32 HBSD: Remove changes that cause ABI breakage
In order to provide a smooth transition, remove support for shared
library load order randomization. This also removes the ABI breakage
(the ELF auxvec) to allow per-application opt-in of shlibrandom.

Signed-off-by:	Shawn Webb <shawn@opnsense.org>
2018-10-07 14:34:23 +02:00
Franco Fichtner
12706d45cb HBSD: sync up with hardened/11.2-releng/master branch
Commit: b8dead303184bcbd695cdb20407f5677f2424092
2018-10-07 14:26:34 +02:00
Franco Fichtner
0dc4b34cbd src: switch to release/11.2.0
Taken from: FreeBSD commit 62a489e1688b21b7cbdab9ffdb449a67bacc770c
2018-10-07 14:26:34 +02:00
gordon
9fa1d46a07 Fix small kernel memory disclosures. [EN-18:12.mem]
Reported by:	Thomas Barabosch, Fraunhofer FKIE
Approved by:	so
Security:	FreeBSD-EN-18:12.mem
Security:	CVE-2018-17155
2018-09-27 23:06:10 +02:00
gordon
91190ddeed Fix DoS in listen syscall over IPv6 socket. [EN-18:11.listen]
Reported by:	Jakub Jirasek, Secunia Research at Flexera
Approved by:	so
Security:	FreeBSD-EN-18:11.listen
Security:	CVE-2018-6925
2018-09-27 23:06:09 +02:00
gordon
8eaf017b4e Fix NULL pointer dereference in freebsd4_getfsstat. [EN-18:10.syscall]
Reported by:	Thomas Barabosch, Fraunhofer FKIE
Approved by:	so
Security:	FreeBSD-EN-18:10.syscall
Security:	CVE-2018-17154
2018-09-27 23:06:07 +02:00