| Age | Commit message (Collapse) | Author |
|---|
|
after fragment headers. Add an extra check that the hop-by-hop
header is always the first extension header after the IPv6 header.
Found by Antonios Atlasis; OK sthen@ mpi@
|
|
just use pd->m. Then pf_test() can also operate on pd.m and set
the *m0 value in the caller just before it returns.
OK sashan@
|
|
each counter is identified by an enum value which correspond to the
original members of the ipstat struct.
ipstat_inc(ips_foo) replaces ipstat.ips_foo++ for the actual updates.
ipstat_inc is a thin wrapper around counters_inc.
counters are still returned to userland via the ipstat struct for now.
ok mpi@ mikeb@
|
|
(problem pointed out by Petr, fix proposed by Dilli) _at_ oracle
|
|
pf functions. That means less parameters, more consistency and
later we can call functions that need a pd from pf_route().
OK sashan@
|
|
pfvar_priv.h. The pf_headers had to be defined in multiple .c files
before. In pfvar.h it would have unknown storage size, this file
is included in too many places. The idea is to have a private pf
header that is only included in the pf part of the kernel. For now
it contains pf_pdesc and pf_headers, it may be extended later.
discussion, input and OK henning@ procter@ sashan@
|
|
state. Extra thanks goes to bluhm@ for careful testing and fixing patch I've
sent to tech@
O.K. henning@ bluhm@
|
|
sending, needed soon. ok sashan mikeb lteo
|
|
declare both with the correct sign in pf_change_icmp_af().
OK henning@
|
|
created from a ICMP6 "too big" packet. The function pf_change_icmp_af()
has code to adjust the pseudo-header checksum in the ICMP6 case,
but pf_test_state_icmp() changed the proto before the case was
entered.
So call pf_change_icmp_af() before the pd->proto is converted in
the TCP and UDP payload case like it was already done for ICMP and
ICMP6 payload.
Found by sys/net/pf_forward regress test; OK henning@
|
|
|
|
splsoftnet() if the function does a splsoftassert(IPL_SOFTNET)
anyway.
|
|
|
|
|
|
|
|
reference count.
rtable_iterate() frees the passed ``rt'' and returns the next one on the
multipath list or NULL if there's none.
ok dlg@
|
|
Thanks mikeb@ for idea to add expire time.
OK mpi@, OK mikeb@
|
|
optimise pf_patch_32(); simplify pf_match_addr()
OK mikeb@
|
|
OK mpi@ mikeb@
|
|
when fiddling with packets but without the mess that motivated Henning to
remove it. Affects only this one aspect of Henning's checksum work. Also tweak
the basic algorithm and supply a correctness argument.
OK dlg@ deraadt@ sthen@; no objection henning@
|
|
OK mpi@ sashan@
|
|
existing log in pf_state_key_attach() from the failed to the reuse
case.
OK mikeb@
|
|
has been moved to nd6_resolve().
ok visa@, millert@, florian@, sthen@
|
|
byte order. Spotted by Gleb Smirnoff (glebius@FreeBSD.org), thanks!
ok tedu
|
|
ok mglocker
|
|
ok sthen@, bluhm@
|
|
pf_test calls pf_refragment6 with dst=NULL, which is passed down to
rtable_match which attempts to dereference it.
|
|
ok bluhm@
|
|
This refactoring aims to reduce the number of places where a route entry is
inserted in the routing table.
ok bluhm@
|
|
Apparently nobody can hit this condition anymore or people do not
report bugs if their kernel do not panic.
ok dlg@, sashan@
|
|
note that this uses max_linkhdr as the adjustment arg. this follows
what the ip stack does when generating packets as it provides space
for link headers (like ethernet headers) to be prepended on the new
packet.
ok henning@
|
|
content and unlink the statekey.
This should allow us to find the reminding corner cases of packets
looped back in the stack.
ok dlg@
|
|
this is the second attempt to get it in, the first
attempt got backed out on Jan 31 2016
the change also contains fixes contributed by Stefan Kempf
in earlier iteration.
OK srhen@
|
|
We don't expect inbound packets to come to PF with statekey attached.
- I've also found missing call to pf_pkt_addr_changed() at various
places, which needs to get fixed to prevent KASSERT() from firing.
OK mpi@, sthen@
|
|
OK sthen@
|
|
OK mpi@ dlg@ sthen@
|
|
- yet another tiny step towards MP PF. This time we need to make sure
statekey attached to packet stays around, while accepted packet is
routed through IP stack.
this time I'm also bringing fix contributed by Stefan Kempf. Stefan's fix
makes sure we grab reference in m_dup_pkthdr()
OK bluhm@
|
|
----------------------------------------------------------------------
revision 1.961
date: 2015/12/22 13:33:26; author: sashan; state: Exp; lines: +153 -44;
commitid: oBRhtWcDV0ThviVT;
- yet another tiny step towards MP PF. This time we need to make sure
statekey attached to packet stays around, while accepted packet is
routed through IP stack.
OK mpi@, henning@
----------------------------------------------------------------------
there have been multiple reports of KASSERT(!pf_state_key_isvalid(sk)) being
triggered without much effort, so back this out for now.
|
|
statekey attached to packet stays around, while accepted packet is
routed through IP stack.
OK mpi@, henning@
|
|
NULL. inspired by Richard Procter <richard.n.procter@gmail.com>'s mail on
tech from Aug 17, but redone. ok sashan vgross
|
|
both af and naf (af-to case) are in the pf_pdesc
some code shuffling to actually set these before calling pf_change_ap/_icmp
inspired by Richard Procter <richard.n.procter@gmail.com>'s mail on tech
from Aug 17, but redone
ok bluhm vgross
|
|
local one. While we always intended to keep the logging in pf_test_rule
and pf_test so seperate that we don't end up with a wrong reason, this
is just too fragile and I can't even convince myself that it still is
right. pointed out by markus, ok bluhm benno
|
|
this avoids current recursion to pf_test() function. the change also
switches icmp_error()/icmp6_error() to use ip_send()/ip6_send() so
they are safe for PF.
The idea comes from Markus Friedl. bluhm, mikeb and mpi helped me
a lot to get it into shape.
OK bluhm@, mpi@
|
|
pf_inp_...() lookup, link and unlink functions as an interface.
Locking can be added to them later. Remove the first linking at
the beginning of tcp_input() and udp_input() as it is not necessary.
It will be done later anyway. That code was a relict, from the
time before I had added the second linking.
Input from mikeb@ and sashan@; OK sashan@
|
|
collide with the statekey to inp unlinking.
OK sashan@ mpi@
|
|
OK mpi@, bluhm@
|
|
for failed route lookups. This is something that was maybe useful in the
90is but in this modern times it is just annoying and nothing expect it
anyway. OK mpi@, sthen@
|
|
requested by sashan@
|
|
While here keep carp(4) bits under NCARP.
Tested by and ok sthen@, ok visa@
|
|
ok dlg@
|
