| Age | Commit message (Collapse) | Author |
|---|
|
ok sashan@, visa@
|
|
of calling rtalloc() again.
OK mpi@
|
|
not valid. This did not work as the value of pkt_sk must be used
later to establish the link. So discard the packet statekey only
if it is invalid itself and use it to establish the reverse link.
From Christiano Haesbaert; OK sashan@
|
|
route-to by calling rtisvalid(). Make pf_route() and pf_route6()
similar and move the rtalloc() call to the same place.
OK mpi@
|
|
happy.
|
|
|
|
specific part of pf_test_state_icmp(). This worked by accident on LP64
archs as the struct is eight bytes long.
ok mikeb@ bluhm@ krw@ jca@
|
|
If an incoming packet is directly put into the output path, sending
the icmp error packet is never done. As this is basically forwarding,
calling ip_forward() for such packets does everything that is needed.
OK mikeb@
|
|
parser cannot handle that correctly and is is unclear wether the
kernel code would work. Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@
|
|
Prevent pf_socket_lookup() reading uninitialised header buffers on fragments.
OK blum@ sashan@
|
|
af-to. pf_route6() called ip6_output() to do the work while
pf_route() had some custom implementation for that. It is simpler
to call ip_output() or ip6_output() from pf_test() directly.
OK procter@ sashan@
|
|
after fragment headers. Add an extra check that the hop-by-hop
header is always the first extension header after the IPv6 header.
Found by Antonios Atlasis; OK sthen@ mpi@
|
|
just use pd->m. Then pf_test() can also operate on pd.m and set
the *m0 value in the caller just before it returns.
OK sashan@
|
|
each counter is identified by an enum value which correspond to the
original members of the ipstat struct.
ipstat_inc(ips_foo) replaces ipstat.ips_foo++ for the actual updates.
ipstat_inc is a thin wrapper around counters_inc.
counters are still returned to userland via the ipstat struct for now.
ok mpi@ mikeb@
|
|
(problem pointed out by Petr, fix proposed by Dilli) _at_ oracle
|
|
pf functions. That means less parameters, more consistency and
later we can call functions that need a pd from pf_route().
OK sashan@
|
|
pfvar_priv.h. The pf_headers had to be defined in multiple .c files
before. In pfvar.h it would have unknown storage size, this file
is included in too many places. The idea is to have a private pf
header that is only included in the pf part of the kernel. For now
it contains pf_pdesc and pf_headers, it may be extended later.
discussion, input and OK henning@ procter@ sashan@
|
|
state. Extra thanks goes to bluhm@ for careful testing and fixing patch I've
sent to tech@
O.K. henning@ bluhm@
|
|
sending, needed soon. ok sashan mikeb lteo
|
|
declare both with the correct sign in pf_change_icmp_af().
OK henning@
|
|
created from a ICMP6 "too big" packet. The function pf_change_icmp_af()
has code to adjust the pseudo-header checksum in the ICMP6 case,
but pf_test_state_icmp() changed the proto before the case was
entered.
So call pf_change_icmp_af() before the pd->proto is converted in
the TCP and UDP payload case like it was already done for ICMP and
ICMP6 payload.
Found by sys/net/pf_forward regress test; OK henning@
|
|
|
|
splsoftnet() if the function does a splsoftassert(IPL_SOFTNET)
anyway.
|
|
|
|
|
|
|
|
reference count.
rtable_iterate() frees the passed ``rt'' and returns the next one on the
multipath list or NULL if there's none.
ok dlg@
|
|
Thanks mikeb@ for idea to add expire time.
OK mpi@, OK mikeb@
|
|
optimise pf_patch_32(); simplify pf_match_addr()
OK mikeb@
|
|
OK mpi@ mikeb@
|
|
when fiddling with packets but without the mess that motivated Henning to
remove it. Affects only this one aspect of Henning's checksum work. Also tweak
the basic algorithm and supply a correctness argument.
OK dlg@ deraadt@ sthen@; no objection henning@
|
|
OK mpi@ sashan@
|
|
existing log in pf_state_key_attach() from the failed to the reuse
case.
OK mikeb@
|
|
has been moved to nd6_resolve().
ok visa@, millert@, florian@, sthen@
|
|
byte order. Spotted by Gleb Smirnoff (glebius@FreeBSD.org), thanks!
ok tedu
|
|
ok mglocker
|
|
ok sthen@, bluhm@
|
|
pf_test calls pf_refragment6 with dst=NULL, which is passed down to
rtable_match which attempts to dereference it.
|
|
ok bluhm@
|
|
This refactoring aims to reduce the number of places where a route entry is
inserted in the routing table.
ok bluhm@
|
|
Apparently nobody can hit this condition anymore or people do not
report bugs if their kernel do not panic.
ok dlg@, sashan@
|
|
note that this uses max_linkhdr as the adjustment arg. this follows
what the ip stack does when generating packets as it provides space
for link headers (like ethernet headers) to be prepended on the new
packet.
ok henning@
|
|
content and unlink the statekey.
This should allow us to find the reminding corner cases of packets
looped back in the stack.
ok dlg@
|
|
this is the second attempt to get it in, the first
attempt got backed out on Jan 31 2016
the change also contains fixes contributed by Stefan Kempf
in earlier iteration.
OK srhen@
|
|
We don't expect inbound packets to come to PF with statekey attached.
- I've also found missing call to pf_pkt_addr_changed() at various
places, which needs to get fixed to prevent KASSERT() from firing.
OK mpi@, sthen@
|
|
OK sthen@
|
|
OK mpi@ dlg@ sthen@
|
|
- yet another tiny step towards MP PF. This time we need to make sure
statekey attached to packet stays around, while accepted packet is
routed through IP stack.
this time I'm also bringing fix contributed by Stefan Kempf. Stefan's fix
makes sure we grab reference in m_dup_pkthdr()
OK bluhm@
|
|
----------------------------------------------------------------------
revision 1.961
date: 2015/12/22 13:33:26; author: sashan; state: Exp; lines: +153 -44;
commitid: oBRhtWcDV0ThviVT;
- yet another tiny step towards MP PF. This time we need to make sure
statekey attached to packet stays around, while accepted packet is
routed through IP stack.
OK mpi@, henning@
----------------------------------------------------------------------
there have been multiple reports of KASSERT(!pf_state_key_isvalid(sk)) being
triggered without much effort, so back this out for now.
|
|
statekey attached to packet stays around, while accepted packet is
routed through IP stack.
OK mpi@, henning@
|
