path: root/sys/net/pf.c
| Age | Commit message | Author |
|---|---|---|
| 2002-05-05 | Instead of returning a useless kernel space pointer for the rule that | Daniel Hartmeier |
| 2002-04-24 | Add dynamic (in-kernel) interface name -> address translation. Instead of | Daniel Hartmeier |
| 2002-04-23 | Allow explicit filtering of fragments when they are not reassembled. | Daniel Hartmeier |
| 2002-04-20 | All calls to pool_get(9) should use PR_xx flags, not M_xx. | Federico G. Schwindt |
| 2002-04-08 | Credit DARPA/USAF appropriately. | Jason Wright |
| 2002-03-31 | Use ip_defttl as ttl for return-rst instead of an arbitrary hardcoded | Daniel Hartmeier |
| 2002-03-30 | Initialize sequence number high limit from 1 to the real value with the | Daniel Hartmeier |
| 2002-03-27 | implement a "no-route" keyword. | Michael Shalayeff |
| 2002-03-26 | Change default logging level from none to urgent. Should never print | Daniel Hartmeier |
| 2002-03-25 | Ignore 'keep state' for ICMP errors whose inner headers mismatch state | Daniel Hartmeier |
| 2002-03-25 | add ioctl DIOCKILLSTATES to shootdown a subset of the state table. allows | Mike Frantzen |
| 2002-03-08 | Fix arc4random() usage; add more randomness to pf_get_sport(). | Mike Pechkin |
| 2002-02-26 | Add optional pool memory hard limits, mainly as temporary solution | Daniel Hartmeier |
| 2002-02-23 | Pools that are only used in the ioctls can use the nointr allocator. | Artur Grabowski |
| 2002-02-17 | Calculate IP checksum and copyback modified headers before logging a | Daniel Hartmeier |
| 2002-02-15 | pf only uses seconds for time measuring. There is no need to call microtime | Artur Grabowski |
| 2002-02-14 | KNF | Theo de Raadt |
| 2002-02-14 | Add skip steps for rule action (pass/block vs. scrub) and direction | Daniel Hartmeier |
| 2002-02-11 | Remove unused function prototype, from Jason Ish | Daniel Hartmeier |
| 2002-02-11 | Remove ancient comment regarding memcmp(), from Jason Ish | Daniel Hartmeier |
| 2002-01-23 | Pool deals fairly well with physical memory shortage, but it doesn't deal | Artur Grabowski |
| 2002-01-12 | - Only apply fastroute and route-to if we are going in the same | jasoni |
| 2002-01-09 | Add labels to rules. These are arbitrary names (not to be confused with | Daniel Hartmeier |
| 2002-01-08 | Add "no nat/rdr/binat" to nat.conf. The first matching rule applies. | Daniel Hartmeier |
| 2001-12-31 | only require write mode for modifying ioctls; dhartmei@, frantzen@, deraadt@ ok | Michael Shalayeff |
| 2001-12-18 | Update rt_ifp in DIOCCHANGERULE. | jasoni |
| 2001-12-11 | - Log packet while mbuf is still valid. | jasoni |
| 2001-12-10 | Add an ioctl to add state entries (DIOCADDSTATE) for proxies. | Daniel Hartmeier |
| 2001-12-10 | Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on | Daniel Hartmeier |
| 2001-12-03 | Don't reset pf_status.debug and .since on DIOCCLRSTATUS. | Daniel Hartmeier |
| 2001-12-01 | 217 lines of diff for KNF, dhartmei, you are evil | Theo de Raadt |
| 2001-11-30 | only make a copy of the mbuf if the route rule is dup-to | jasoni |
| 2001-11-27 | typo - use correct mbuf | jasoni |
| 2001-11-27 | do pf_route() before logging in case the logging created a bogus rule | Mike Frantzen |
| 2001-11-26 | add fastroute options similar to what is found in ipf | jasoni |
| 2001-11-21 | Use pf_pull_hdr() instead of manual mbuf traversal. Fixes potential crashes | Daniel Hartmeier |
| 2001-11-20 | don't allow CHANGEBINAT ioctl in securelevel > 1 | Mike Pechkin |
| 2001-11-16 | yes, signed subtraction does not work because of underflows, revert the prev... | Michael Shalayeff |
| 2001-11-14 | use subtract when comparing keys, for ip addrs as well. | Michael Shalayeff |
| 2001-11-13 | fix pf from going off into the weeds on an ipv6 icmp packet with certain option | Mike Frantzen |
| 2001-11-06 | Use #defines for skip step values. From dgregor@net.ohio-state.edu. | Daniel Hartmeier |
| 2001-10-24 | Reset states counter when clearing states. | Daniel Hartmeier |
| 2001-10-15 | Add 'allow-opts' to rules. Packets with IP options will be blocked by | Daniel Hartmeier |
| 2001-10-13 | Patch from Ryan McBride, fixes IPv6 return-rst problem, found by | Daniel Hartmeier |
| 2001-10-02 | Convert ip_off of the inner IP header to host order in pf_test_state_icmp(). | Daniel Hartmeier |
| 2001-09-30 | Tune TCP fsm (99.7% - 99.9% accuracy over 1e6 connections) | Mike Frantzen |
| 2001-09-27 | The skip steps array was one element short (since adding steps for af). | Daniel Hartmeier |
| 2001-09-27 | switch without break. This caused the 'ICMP too short' messages, since | Daniel Hartmeier |
| 2001-09-27 | Fix th_ack calculation in pf_send_reset(). return-rst didn't work since | Daniel Hartmeier |
| 2001-09-23 | Bump up the tcp half closed timeout (single FIN) to an hour | Mike Frantzen |