| Age | Commit message (Collapse) | Author |
|---|
|
ok henning@
|
|
ok henning
|
|
we are mostly documenting that fragment reassembly has nothing to do
with scrubbing anymore; there is room for a lot of improvements yet.
"commit it and we work on it in-tree. it is certainly well,
better than what there is now" henning@
|
|
input from and ok henning@
|
|
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.
|
|
ok jasper@
|
|
Fix prodded and checked by jmc@, thanks.
|
|
Pointed by jmc@.
|
|
|
|
That way, you can edit the new domain Makefile before using it,
in particular to change variables like DIR and UNSECURE.
from ajacoutot@ with message tweaks and documentation updates by myself
"I like this" otto@
|
|
ok jmc@
|
|
|
|
|
|
|
|
-ROUTE_SETFILTER(rtfilter, RTM_IFINFO);
-ROUTE_SETFILTER(rtfilter, RTM_IFANNOUNCE);
+rtfilter = ROUTE_FILTER(RTM_IFINFO) |
+ ROUTE_FILTER(RTM_IFANNOUNCE);
poked by claudio@
|
|
|
|
|
|
|
|
Reported by Kenji Aoyama
|
|
|
|
|
|
|
|
5862 Broadcom CryptoNetX IPSec/SSL Security Processors. The 5825 is a
faster version of the already supported 5823, and the even faster 586x
series is a bit different and needed some more changes. The RNG
engine on the 586x is not supported yet but I hope to fix it soon...
ubsec0 at pci4 dev 0 function 0 "Broadcom 5862" rev 0x01: 3DES MD5 SHA1 AES PK, apic 10 int 10 (irq 11)
tested by phessler@ and me
ok deraadt@
|
|
|
|
|
|
|
|
contains a matching entry, use that and refrain from accessing YP.
getpwnam/getpwuid: If YP is #defined and /etc/master.passwd(5) contains
a matching entry before the first YP entry, use that and stay away from YP.
Taken together, this allows a solution to the following problem pointed
out by deraadt@: When YP was configured but temporarily unavailable, even
root login would block, hindering you when trying to do repairs.
To avoid this, you can now provide a static entry for root in /etc/netid.
Using suggestions from miod@ otto@ blambert@ jmc@.
"commit" deraadt@, "cool" ajacoutot@, "looks fine" jmc@.
|
|
|
|
|
|
ok mglocker@
|
|
|
|
|
|
``just have the balls and commit it'' deraadt
|
|
Input from deraadt, grange, and kettenis.
|
|
|
|
ok jsg@, fgsch@
|
|
|
|
variants yet).
ok deraadt@ dlg@
|
|
|
|
ago.
ok blambert (who had a similar diff a few days ago)
|
|
i have absolutely no idea what this new firmware is supposed to fix.
actually, even the Intel people have no idea according to this thread:
http://marc.info/?l=linux-wireless&m=123791786426974&w=2
|
|
|
|
ok jmc@
|
|
spare drive with the first volume but the drives can be used for
rebuilding any degraded volume.
ok jmc@
|
|
|
|
more work is required but basic operations work.
requires a non-free firmware to operate.
partly based on source code released under the ISC by Atheros
Communications for Linux, although I had to rewrite almost everything
(actually I only used some .h files from the Atheros driver.)
there also exists a rewrite of the Atheros driver for Linux (ar9170)
but the guy decided to make the code less free by wrapping the GPL
around the ISC.
committed over a NETGEAR WNDA3100.
ok deraadt@
|
|
|
|
|
|
|
|
|
