summaryrefslogtreecommitdiff
path: root/sys/net/pf.c
AgeCommit message (Expand)Author
2002-03-08Fix arc4random() usage; add more randomness to pf_get_sport().Mike Pechkin
2002-02-26Add optional pool memory hard limits, mainly as temporary solutionDaniel Hartmeier
2002-02-23Pools that are only used in the ioctls can use the nointr allocator.Artur Grabowski
2002-02-17Calculate IP checksum and copyback modified headers before logging aDaniel Hartmeier
2002-02-15pf only uses seconds for time measuring. There is no need to call microtimeArtur Grabowski
2002-02-14KNFTheo de Raadt
2002-02-14Add skip steps for rule action (pass/block vs. scrub) and directionDaniel Hartmeier
2002-02-11Remove unused function prototype, from Jason IshDaniel Hartmeier
2002-02-11Remove ancient comment regarding memcmp(), from Jason IshDaniel Hartmeier
2002-01-23Pool deals fairly well with physical memory shortage, but it doesn't dealArtur Grabowski
2002-01-12- Only apply fastroute and route-to if we are going in the samejasoni
2002-01-09Add labels to rules. These are arbitrary names (not to be confused withDaniel Hartmeier
2002-01-08Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.Daniel Hartmeier
2001-12-31only require write mode for modifying ioctls; dhartmei@, frantzen@, deraadt@ okMichael Shalayeff
2001-12-18Update rt_ifp in DIOCCHANGERULE.jasoni
2001-12-11- Log packet while mbuf is still valid.jasoni
2001-12-10Add an ioctl to add state entries (DIOCADDSTATE) for proxies.Daniel Hartmeier
2001-12-10Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based onDaniel Hartmeier
2001-12-03Don't reset pf_status.debug and .since on DIOCCLRSTATUS.Daniel Hartmeier
2001-12-01217 lines of diff for KNF, dhartmei, you are evilTheo de Raadt
2001-11-30only make a copy of the mbuf if the route rule is dup-tojasoni
2001-11-27typo - use correct mbufjasoni
2001-11-27do pf_route() before logging in case the logging created a bogus ruleMike Frantzen
2001-11-26add fastroute options similar to what is found in ipfjasoni
2001-11-21Use pf_pull_hdr() instead of manual mbuf traversal. Fixes potential crashesDaniel Hartmeier
2001-11-20don't allow CHANGEBINAT ioctl in securelevel > 1Mike Pechkin
2001-11-16yes, signed substraction does not work because of underflows, revert the prev...Michael Shalayeff
2001-11-14use substract when comparing keys, for ip addrs as well.Michael Shalayeff
2001-11-13fix pf from going off into the weeds on an ipv6 icmp packet with certain optionMike Frantzen
2001-11-06Use #defines for skip step values. From dgregor@net.ohio-state.edu.Daniel Hartmeier
2001-10-24Reset states counter when clearing states.Daniel Hartmeier
2001-10-15Add 'allow-opts' to rules. Packets with IP options will be blocked byDaniel Hartmeier
2001-10-13Patch from Ryan McBride, fixes IPv6 return-rst problem, found byDaniel Hartmeier
2001-10-02Convert ip_off of the inner IP header to host order in pf_test_state_icmp().Daniel Hartmeier
2001-09-30Tune TCP fsm (99.7% - 99.9% accuracy over 1e6 connections)Mike Frantzen
2001-09-27The skip steps array was one element short (since adding steps for af).Daniel Hartmeier
2001-09-27switch without break. This caused the 'ICMP too short' messages, sinceDaniel Hartmeier
2001-09-27Fix th_ack calculation in pf_send_reset(). return-rst didn't work sinceDaniel Hartmeier
2001-09-23Bump up the tcp half closed timeout (single FIN) to an hourMike Frantzen
2001-09-21Fix natlook (broke ftp-proxy) and a memory leak.Daniel Hartmeier
2001-09-19Patch from Ryan McBride. Compile without INET6, remove unnecessaryDaniel Hartmeier
2001-09-17icmpv6 nat fix, from Ryan McBrideDaniel Hartmeier
2001-09-15The inner protocol of IPv4 ICMP error messages was ignored, leading toDaniel Hartmeier
2001-09-15Don't use m_pkthdr.rcvif in pflog_packet(), it doesn't work for outgoingDaniel Hartmeier
2001-09-15IPv6 support from Ryan McBride (mcbride@countersiege.com)Mike Frantzen
2001-09-14binat non icmp/udp/tcp protocols as well; ok dhartmei@jasoni
2001-09-11Undo BINAT translation when blocking with return-rst/-icmp.Daniel Hartmeier
2001-09-061:1 bidrectional NAT (binat); ok dhartmei@ and frantzen@jasoni
2001-09-05Handle uh_sum == 0x0000 correctly. Before, UDP packet checksums wereDaniel Hartmeier
2001-09-05s/pf_natlook/pfioc_natlook (ioctl parameter struct)Daniel Hartmeier