summaryrefslogtreecommitdiff
path: root/sys/net/pf.c
AgeCommit message (Expand)Author
2007-06-24Save some bytes and make code more readable by removing junk union andRyan Thomas McBride
2007-06-21reimplement interface bound states in a non-retarded way.Henning Brauer
2007-06-20Allow "log" for nat rules without "pass".Marco Pfatschbacher
2007-06-15in pf_test_rule, before handling IPPROTO_ICMP / IPPROTO_ICMPV6, check thatHenning Brauer
2007-06-09fix wrong argument passing to m_copyback for the log caseHenning Brauer
2007-06-09sizeof(ptr) is no good if you want sizeof(*ptr). icmp/icmpv6.Henning Brauer
2007-06-02pf_set_rt_ifp accesses state key data, so must be called laterHenning Brauer
2007-06-01factor out duplicated code to allocate state key and cross-reference itHenning Brauer
2007-06-01fold pf_test_tcp(), pf_test_udp(), pf_test_icmp(), pf_test_other() intoHenning Brauer
2007-06-01apply the "skip ipsec if there are no flows" speedup diff to IPv6 too.Henning Brauer
2007-05-31Move the state id and creatorid (used mainly by pfsync) into struct pf_state.Ryan Thomas McBride
2007-05-31Unbreak pf.c compilation on gcc 2.95 architectures. Found by todd@Ryan Thomas McBride
2007-05-31First step of rearranging pf's state table internals...Ryan Thomas McBride
2007-05-29gain us another 10+% of performance.Henning Brauer
2007-05-28double pf performance.Henning Brauer
2007-05-27get rid of static.David Gwynne
2007-05-27clarify things by passing kif->pfik_ifp around in pf_test{,6} insteadPierre-Yves Ritschard
2007-05-26add comments indicating why we do m = *m0; again after pf_normalize, ryan okHenning Brauer
2007-05-08block ALL packets with rthdr0 in pf_test6(). We already do thisRyan Thomas McBride
2007-05-08Routing headers are dangerous. Deal with them the same way as IPv4 options:Ryan Thomas McBride
2007-02-22make urpf-failed work with multipath routes.Pierre-Yves Ritschard
2007-02-19add handling of skip steps for urpf-failed addresses.Pierre-Yves Ritschard
2007-02-14Consistently spell FALLTHROUGH to appease lint.Jonathan Gray
2007-02-08compute pseudo-header checksum based on flnal destination asJun-ichiro itojun Hagino
2006-12-22add special handling for "urpf-failed" with carp interfaces. theReyk Floeter
2006-12-21in pf_route(), initialize ro to NULL at the beginning. if left un-Daniel Hartmeier
2006-12-14in "BAD/loose state" messages, also print the packet's original sequenceDaniel Hartmeier
2006-12-13use IN6_IS_SCOPE_EMBED to check kernel-internal form addressesJun-ichiro itojun Hagino
2006-11-16conditional for appending the pf mbuf tag in pf_test/pf_test6 was wrong,Henning Brauer
2006-10-31make pfsync a clonable too, but prevent more than one instance fromHenning Brauer
2006-10-27Split ruleset manipulation functions out into pf_ruleset.c to allow them toRyan Thomas McBride
2006-10-11Allow the 'quick' keyword on an anchor. IFF there is a matching rule insideRyan Thomas McBride
2006-09-18allow RST from TCP client, even if client does not send data after SYN;Markus Friedl
2006-09-18fix tos (type-of-service) comparisons. for rules which use 'tos x', compareDaniel Hartmeier
2006-07-06allow rules to point to an alternate routing table, and tag packetsHenning Brauer
2006-05-17missing rtlabel support in pf_addr_wrap_neq()Henning Brauer
2006-03-14implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)Damien Miller
2006-02-07mention source of pf_modulate_sack() in comment, no code change,Daniel Hartmeier
2006-01-31the TCP SACK option needs sequence number modulationMike Frantzen
2005-11-14fix spelloChristopher Pascoe
2005-11-04crank pf_state and pf_src_node byte and packet counters to u_in64_t, sinceRyan Thomas McBride
2005-10-26Instead of using arc4random() to modulate the TCP isn, call tcp_rndiss_next()Ryan Thomas McBride
2005-10-25mtag in pf_route is now only used for IPSEC, so #ifdef itHenning Brauer
2005-10-17make pf use one mbuf tag instead of 6 distinct ones. use a little structHenning Brauer
2005-09-28Improve the safety of pf IOCTLs, taking into account that some paths can sleep.Christopher Pascoe
2005-08-22when nat'ing icmp 'connections', replace icmp id with proxy valuesDaniel Hartmeier
2005-08-22fix rdr to bitmask replacement address pool. patch from Max Laier,Daniel Hartmeier
2005-08-18Rearrange pf_state and pfi_kif so that the parts of the structure neededChristopher Pascoe
2005-08-11Only decrement the max-src-conn counter for tcp connections that reachedJoel Knight
2005-07-31Perform pf state/rule/table expiry in a kernel thread instead of runningChristopher Pascoe