path: root/sys/net/pf.c
| Age | Commit message | Author |
|---|---|---|
| 2004-12-10 | allow pf to filter on route labels | Henning Brauer |
| 2004-12-07 | KNF | Ryan Thomas McBride |
| 2004-12-07 | re-commit mcbride@'s 'flush global', this time without the breakage in | Daniel Hartmeier |
| 2004-12-07 | tree does not compile, spotted by dlg (not obvious how to fix) | Theo de Raadt |
| 2004-12-07 | Change the default for 'overload <table> flush' to flush only states from the | Ryan Thomas McBride |
| 2004-12-06 | support max-src-conn-rate with synproxy, ok mcbride@ | Daniel Hartmeier |
| 2004-12-05 | IPv6 packets can contain headers (like options) before the TCP/UDP/ICMP6 | Daniel Hartmeier |
| 2004-12-04 | Add kernel code to keep track of tcp connections which have completed | Ryan Thomas McBride |
| 2004-11-24 | fix a bug that leads to a crash when binat rules of the form | Daniel Hartmeier |
| 2004-11-19 | remove superfluous m_tag_copy/m_tag_prepend, already covered by m_copym2() | Daniel Hartmeier |
| 2004-11-12 | The flag to re-filter pf-generated packets was set wrong by synproxy | Daniel Hartmeier |
| 2004-11-07 | For RST generated due to state mismatch during handshake, don't set | Daniel Hartmeier |
| 2004-09-29 | reset anchor pointer to NULL when stepping back into the main ruleset, | Daniel Hartmeier |
| 2004-09-20 | pf_routable(), used for the no-route keyword, was a v4 only implementation, | Henning Brauer |
| 2004-09-17 | Clean up reference counting wrt state creation and destruction. Fixes | Ryan Thomas McBride |
| 2004-07-11 | backout IPv6 reass-on-scrub patch (more work needs to be done). | Jun-ichiro itojun Hagino |
| 2004-06-25 | correct "scrub in" behavior for IPv6. | Jun-ichiro itojun Hagino |
| 2004-06-25 | IPv6 reassembly on "scrub" directive. | Jun-ichiro itojun Hagino |
| 2004-06-22 | Pull the plug on source-based routing until remaining bugs are eradicated. | Cedric Berger |
| 2004-06-21 | First step towards more sane time handling in the kernel -- this changes | Thorsten Lockert |
| 2004-06-21 | Get rid of pf_test_eh() wrapper. | Ryan Thomas McBride |
| 2004-06-10 | rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved | Daniel Hartmeier |
| 2004-06-06 | extend routing table to be able to match and route packets based on | Cedric Berger |
| 2004-05-19 | Allow recursive anchors (anchors within anchors, up to 64 | Daniel Hartmeier |
| 2004-05-11 | pf_cksum_fixup() was called without last argument from normalization, | Daniel Hartmeier |
| 2004-05-11 | change pf_route() loop detection: introduce a counter (number of times | Daniel Hartmeier |
| 2004-05-05 | Use RFC1323 PAWS timestamps as a logical extension to the conventional TCP | Mike Frantzen |
| 2004-04-28 | make return-rst work on pure bridges. ok dhartmei@ henning@ mcbride@ | Cedric Berger |
| 2004-04-28 | Don't step into INET6 code, just because af != AF_INET | Philipp Buehler |
| 2004-04-27 | validate the sequence numbers on TCP resets are an exact match. check is only | Mike Frantzen |
| 2004-04-26 | Prevent biases in arc4random() from disclosing the byte order of the firewall. | Ryan Thomas McBride |
| 2004-04-26 | anchor refcounting. ok dhartmei@ mcbride@ | Cedric Berger |
| 2004-04-25 | prevent an endless loop with route-to lo0, fixes PR 3736, | Daniel Hartmeier |
| 2004-04-25 | get rid of a complete state tree walk at state expire while in splnet() | Philipp Buehler |
| 2004-04-25 | sync 'other' in test6, too. | Philipp Buehler |
| 2004-04-25 | don't add PF_GENERATED tag to synproxy generated packets for the second | Daniel Hartmeier |
| 2004-04-24 | Add "probability xxx" rule modifier. ok deraadt@ | Cedric Berger |
| 2004-04-17 | when the input queue congestion flag is set stop evaluating the ruleset | Henning Brauer |
| 2004-04-05 | make pftag ** (pass pointer by reference), otherwise it's never updated. | Daniel Hartmeier |
| 2004-03-26 | Properly m_copyback() modified TCP sequence number after demodulation | Daniel Hartmeier |
| 2004-03-25 | Fix icmp checksum when sequence number modulation is being used. | Ryan Thomas McBride |
| 2004-03-22 | Support for best effort bulk transfers of states when pfsync syncif is | Ryan Thomas McBride |
| 2004-03-11 | Don't call pf_src_tree_remove_state() on error in pf_insert_state(), | Ryan Thomas McBride |
| 2004-03-09 | KNF, ok cedric@ deraadt@ | Ryan Thomas McBride |
| 2004-02-24 | Remove redundant logging from pf_test_other(). | Ryan Thomas McBride |
| 2004-02-24 | KNF | Ryan Thomas McBride |
| 2004-02-20 | Make pfsync deal with clearing states bound to a group or interface (eg | Ryan Thomas McBride |
| 2004-02-19 | the 2nd round of the qid assignment change. | Kenjiro Cho |
| 2004-02-10 | KNF | Daniel Hartmeier |
| 2004-02-10 | plug mbuf leak (ip_fragment() always free mbuf on error). tested by cedric, | Jun-ichiro itojun Hagino |