pf: Fix 4 uses of PF_ANEQ

The uses were depending on the old broken behavior of always checking against IPv6 unless the family was specifically AF_INET. In 2 cases, the AF argument was 0, seeking a full comparison. Pass AF_INET6 instead for these two cases to restore the intended behavior of a full comparison. The other two cases appear to just be uncaught typos. They are inside of an AF_INET6 case, and there is no obvious reason why you would want an AF_INET comparison in this case.
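The failure mode this commit fixes is easy to reproduce in isolation. The C below is an added illustration, not DragonFly's or pf's own code: `demo_aneq_old` and `demo_aneq_fixed` are hypothetical reconstructions of the two PF_ANEQ behaviours as the commit message describes them (not the historical macro text), `struct demo_addr` stands in for pf's four-word address union, and the sample addresses are constructed values. It shows why a caller passing a family of 0 got a full comparison "for free" before, why the same call compares nothing after the fix, and why an AF_INET comparison inside an AF_INET6 path misses differences in the upper words.

```c
#include <stdint.h>
#include <sys/socket.h>   /* AF_INET, AF_INET6 */

/*
 * Stand-in for pf's 128-bit address union, addressable as four 32-bit
 * words. Hypothetical type for this example, not the project's own.
 */
struct demo_addr {
    uint32_t addr32[4];
};

/*
 * "Old" semantics as the commit message describes them: anything that is
 * not AF_INET falls through to the IPv6 (full 128-bit) comparison, so a
 * family argument of 0 happens to give a full comparison.
 * Reconstructed for illustration; not the historical macro text.
 */
int demo_aneq_old(const struct demo_addr *a, const struct demo_addr *b, int af)
{
    if (af == AF_INET)
        return a->addr32[0] != b->addr32[0];
    return a->addr32[0] != b->addr32[0] ||
           a->addr32[1] != b->addr32[1] ||
           a->addr32[2] != b->addr32[2] ||
           a->addr32[3] != b->addr32[3];
}

/*
 * "Fixed" semantics: each family is matched explicitly. An unknown family
 * (0) matches neither branch and the comparison reports "not unequal",
 * which is what broke the two callers that passed 0 expecting a full compare.
 */
int demo_aneq_fixed(const struct demo_addr *a, const struct demo_addr *b, int af)
{
    if (af == AF_INET)
        return a->addr32[0] != b->addr32[0];
    if (af == AF_INET6)
        return a->addr32[0] != b->addr32[0] ||
               a->addr32[1] != b->addr32[1] ||
               a->addr32[2] != b->addr32[2] ||
               a->addr32[3] != b->addr32[3];
    return 0;
}

/* Constructed sample addresses (arbitrary word values, not real hosts).
 * They differ in word 3 only, i.e. only a full IPv6 compare can tell them apart. */
const struct demo_addr demo_a = { { 0x20010db8, 0x00000001, 0x00000000, 0x00000001 } };
const struct demo_addr demo_b = { { 0x20010db8, 0x00000001, 0x00000000, 0x00000002 } };

/*
 * Returns a bitmask of which comparisons reported "unequal":
 *   bit 0: old semantics, af = 0        (full compare by accident)
 *   bit 1: fixed semantics, af = 0      (compares nothing: silently "equal")
 *   bit 2: fixed semantics, af = AF_INET6 (the intended replacement for 0)
 *   bit 3: fixed semantics, af = AF_INET  (the typo inside an AF_INET6 case)
 * Expected result is 5: only bits 0 and 2 see the difference.
 */
int demo_compare_cases(void)
{
    int m = 0;
    if (demo_aneq_old(&demo_a, &demo_b, 0))          m |= 1;
    if (demo_aneq_fixed(&demo_a, &demo_b, 0))        m |= 2;
    if (demo_aneq_fixed(&demo_a, &demo_b, AF_INET6)) m |= 4;
    if (demo_aneq_fixed(&demo_a, &demo_b, AF_INET))  m |= 8;
    return m;
}
```

The practical check when auditing callers of a family-dispatching comparator is the bit 1 case: after the macro is tightened, any call site that still passes 0 (or the wrong family) does not fail loudly, it simply stops distinguishing addresses, which is the worst failure mode for a filter.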
network - Remove ip_len header-length adjustment

* This should remove the last main code path modifications to packet mbuf contents. The IP header in the mbuf is now basically left alone whenever possible, bringing us in-line with FreeBSD and Linux and removing cache-line bounces between cpus and between a cpu and the related PCIe DMA.
* Do not adjust ip_len to remove the IP header length.
* Various protocol stacks do the subtraction themselves, when needed.
* Various bits of code that added the length back in to execute a function then removed it again cleaned up.
* IP reassembly (in ip_input.c and pf_norm.c) cleaned up.
pf - Fix a few edge cases when the state table gets big

* Currently when the state table gets big the state timeout can be reduced all the way to 0. This can totally mess up legitimate connections. Change the algorithm. First calculate a reduction in the timeout from 0% to 100%, then claw back up to 50% of the reduction based on the number of packets impacting the state. This gives the system the chance to reject bad state over good state or otherwise requires an attacker to DoS the state table based on packet rate, which is much harder to do.
* When sloppy state tracking is specified use a timeout of PFTM_TCP_FIRST_PACKET instead of PFTM_TCP_ESTABLISHED for any tcp state that has only received SYN or SYN+ACK packets. That is, do not use the full PFTM_TCP_ESTABLISHED timeout until some data actually flows. This reduces state bloat from redirect traffic where PF might see SYN or SYN+ACK and then never sees a packet again while in SLOPPY mode.
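To make the timeout-scaling change concrete, here is an added model of the two schemes described above. It is not pf's code: `demo_timeout_old` and `demo_timeout_new` are hypothetical functions that follow the commit message's description (linear reduction with table fill, then a claw-back of up to half of that reduction in proportion to packets seen), and the constants `DEMO_PKT_FULL_CREDIT`, `DEMO_TCP_FIRST_PACKET` and `DEMO_TCP_ESTABLISHED` are illustrative values, not pf's defaults. The sloppy-mode rule from the second bullet is reduced to `demo_sloppy_tcp_timeout`.

```c
#include <stdint.h>

/* Illustrative values only (seconds); these are not asserted to be pf's defaults. */
#define DEMO_TCP_FIRST_PACKET  120
#define DEMO_TCP_ESTABLISHED   86400
#define DEMO_PKT_FULL_CREDIT   100   /* packets at which the claw-back reaches its 50% cap */

/*
 * Old behaviour as described in the commit: the timeout shrinks linearly
 * with table fill and reaches 0 once the table is full, regardless of how
 * live the state is. A full table therefore kills good connections too.
 */
uint32_t demo_timeout_old(uint32_t base, uint32_t n_states, uint32_t limit)
{
    if (limit == 0)
        return base;
    if (n_states >= limit)
        return 0;
    return (uint32_t)((uint64_t)base * (limit - n_states) / limit);
}

/*
 * New behaviour as described: compute a 0..100% reduction from table fill,
 * then claw back up to half of that reduction in proportion to the packets
 * seen on the state. An idle state at a full table still drops to 0, while
 * a state carrying traffic keeps at least 50% of its timeout, so an attacker
 * has to sustain packet rate on every bogus state rather than just create it.
 */
uint32_t demo_timeout_new(uint32_t base, uint32_t n_states, uint32_t limit,
                          uint32_t pkts)
{
    if (limit == 0)
        return base;
    uint64_t reduction = (uint64_t)n_states * 100 / limit;   /* percent, 0..100 */
    if (reduction > 100)
        reduction = 100;
    uint64_t credit = pkts < DEMO_PKT_FULL_CREDIT ? pkts : DEMO_PKT_FULL_CREDIT;
    uint64_t clawback = reduction * credit / (2 * DEMO_PKT_FULL_CREDIT); /* <= reduction / 2 */
    uint64_t effective = reduction - clawback;
    return (uint32_t)((uint64_t)base * (100 - effective) / 100);
}

/*
 * Sloppy-mode rule: a TCP state that has only seen SYN or SYN+ACK gets the
 * short first-packet timeout until some data actually flows.
 */
uint32_t demo_sloppy_tcp_timeout(int data_seen)
{
    return data_seen ? DEMO_TCP_ESTABLISHED : DEMO_TCP_FIRST_PACKET;
}
```

With a 600 s base timeout and a 1000-entry limit: at 50% fill the old scheme gives 300 s for every state, the new one gives 300 s for an idle state but 450 s for one that has carried 100 packets; at 100% fill the old scheme gives 0 s for everything, the new one still gives 0 s to an idle state but 300 s to a busy one.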
pf - Improve SMP counter performance, static array MAXCPU -> kmalloc

* Change the global counters to pcpu counters. Counters are now incremented in a cache-friendly state and will be aggregated in the status ioctl.
* Change all static declarations of MAXCPU arrays into kmalloc()d arrays to reduce kernel bss size.
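The per-CPU counter pattern the commit moves to is shown below as an added userland illustration, not pf's or DragonFly's code. Every name here (`demo_counter`, `demo_pcpu_slot`, `demo_counter_add`, `demo_counter_read`) is hypothetical; `calloc` stands in for the kernel's kmalloc(), and the CPU id is passed as a parameter because a userland program has no "current CPU". The point it shows: the hot path writes only its own cache-line-padded slot, so CPUs never bounce a shared line, and the total is summed only when someone asks for it (the status ioctl in pf's case). Sizing the slot array from the CPU count at run time is the kmalloc() side of the change, instead of a MAXCPU-sized array sitting in .bss whether or not those CPUs exist.

```c
#include <stdint.h>
#include <stdlib.h>

#define DEMO_CACHE_LINE 64

/* One counter per CPU, padded to a full cache line so that increments on
 * two CPUs never touch the same line (no false sharing). The padding, not
 * the base alignment, is what keeps adjacent slots' values 64 bytes apart. */
struct demo_pcpu_slot {
    uint64_t value;
    char     pad[DEMO_CACHE_LINE - sizeof(uint64_t)];
};

struct demo_counter {
    unsigned               ncpus;
    struct demo_pcpu_slot *slots;   /* ncpus entries, allocated at run time */
};

/* Allocate slots for the CPUs actually present instead of a static
 * MAXCPU-sized array. calloc() stands in for the kernel's kmalloc(). */
int demo_counter_init(struct demo_counter *c, unsigned ncpus)
{
    if (ncpus == 0)
        return -1;
    c->slots = calloc(ncpus, sizeof(*c->slots));
    if (c->slots == NULL)
        return -1;
    c->ncpus = ncpus;
    return 0;
}

void demo_counter_free(struct demo_counter *c)
{
    free(c->slots);
    c->slots = NULL;
    c->ncpus = 0;
}

/* Hot path: touch only the calling CPU's slot. In the kernel this runs on
 * the current CPU without a shared lock; here the CPU id is a parameter. */
void demo_counter_add(struct demo_counter *c, unsigned cpu, uint64_t n)
{
    if (cpu < c->ncpus)
        c->slots[cpu].value += n;
}

/* Slow path (the status-ioctl side): aggregate the per-CPU slots on demand. */
uint64_t demo_counter_read(const struct demo_counter *c)
{
    uint64_t total = 0;
    for (unsigned i = 0; i < c->ncpus; i++)
        total += c->slots[i].value;
    return total;
}

/* Distance between two CPUs' counters; must be a whole cache line. */
size_t demo_slot_stride(void)
{
    return sizeof(struct demo_pcpu_slot);
}

/* Deterministic walk-through: 4 CPUs, 1000 increments round-robin plus a
 * burst of 5 on CPU 2 and one increment to a CPU id that does not exist
 * (ignored). Returns the aggregated total, which should be 1005. */
uint64_t demo_run(void)
{
    struct demo_counter c;
    if (demo_counter_init(&c, 4) != 0)
        return 0;
    for (unsigned i = 0; i < 1000; i++)
        demo_counter_add(&c, i % 4, 1);
    demo_counter_add(&c, 2, 5);
    demo_counter_add(&c, 9, 1);
    uint64_t total = demo_counter_read(&c);
    demo_counter_free(&c);
    return total;
}
```

The read side is deliberately not exact under concurrent updates: summing slots while other CPUs increment them yields a slightly stale total, which is acceptable for statistics counters and is the trade that buys the lock-free hot path.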