Age | Commit message | Author

ok mpi@

ok mcbride@

ok mcbride@

there instead of pf_ioctl.c.
ok henning@

have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.
ok tedu@ deraadt@

code scanner. Changing return to break also fixes a failure to unlock.
Also fix a NULL check for that variable noticed by bluhm.
ok bluhm henning millert

i. e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan

before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy

long live the one true internet.
ok henning mikeb

ok deraadt@ tedu@

ok mikeb@, krw@, bluhm@, tedu@

to include that than rdnvar.h. ok deraadt dlg

anchors for "once" rules: "In case this is the only rule in the
anchor, the anchor will be destroyed automatically after the rule
is matched." Employ an additional pointer pair to keep track of
the parent ruleset containing the anchor that we want to remove.
OK henning

start with a ruleset pointer assigned to pf_main_ruleset so that
pf_purge_rule doesn't get called with a NULL.
Prompted by the discussion with Alexandr Nedvedicky <alexandr !
nedvedicky at oracle ! com>.
OK henning

after discussions with beck deraadt kettenis.

ok pelikan@, henning@

while there, get rid of the altq ioctls and associated now obsolete code

struct ucred; struct process then directly links to the ucred
Based on a discussion at c2k10 or so before noting that FreeBSD and
NetBSD did this too.
ok matthew@

ok henning, "looks fine" mikeb, input from guenther.

ok henning

ok benno

ok henning benno

ok henning pelikan

created a bunch of useless dependencies. Remove this implicit
inclusion and do an explicit #include <netinet6/in6_var.h> when it
is needed.
OK mpi@ henning@

uses hfsc behind the scenes; altq stays in parallel for a migration phase.
if.h even more messy for the transition, but eventually it should become
readable...
looked over & tested by many, ok phessler sthen

behaves like before and creates the mapping if needed. if 0, lookup only.
looked over by many, ok phessler sthen

wrong in each direction).
Report and fix from UMEZAWA Takeshi <umezawa@iij.ad.jp>

Reported by Wesley M.A. on misc@, ok deraadt

runtime while time_uptime is monotonic. Prevent underflows in
pfsync(4) and pflow(4) by using signed variables. pfsync(4) problem
pointed out by camield.
Diff originally by dlg, frag and pflow bits by me.
feedback dlg
man page tweak jmc
Various versions of the pflow bits tested by Hrvoje Popovski
(hrvoje AT srce DOT hr), thanks!
ok benno, henning, dlg

when dealing with lots of IP fragments.
This sets the default to 25% of the mbuf cluster maximum (hint
from beck). And the example in the manpage is sane now.
ok mikeb henning beck deraadt

"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb

mostly by dynamically allocating pflogifs instead of making that a static
array. ok claudio zinke

utterly clear this is not a filter criterion but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc

when you kill states by IP, it is not all that clear which IP we're talking
about - before or after rewriting?
the old semantics were to always look at the "original" IP, i. e. before
rewriting. ever since the NAT rewrite we were unconditionally looking
at the wire side state key, which is the original address for PF_IN states,
but not for PF_OUT. So look at the SK_STACK state key in the PF_OUT case.
should fix "authpf doesn't remove NAT states" seen on misc a while ago
ok & testing & half of the analysis bob (he sez beck)

moving the state export functionality from pfsync code into pf.
Based on the initial diff by guenther, ok henning.

OK deraadt@, guenther@

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.
positive review and comments from claudio, ok henning, sperreault

with every other thing that stores the state id (including other pfsync
messages).
includes improvements to the systat code to consider the creatorid as well
as the state id in its cache to avoid collisions between states created on
different hosts.
tested by me in production and on amd64 talking to sparc64.
ok henning@

pf_state_expires() handled it incorrectly.
discussed with mikeb@
ok henning@

skewed at runtime by things like date(1) and ntpd. time_uptime is
monotonic and therefore more useful to compare against.
ok deraadt@ mikeb@

"af-to" a generic IP version translator for pf(4).
Not everything perfect yet but let's fix these things in the tree.
Insane amount of work done by sperreault@, mikeb@ and reyk@.
Looked over by mcbride@ henning@ and myself at eurobsdcon.
OK mcbride@ and general put it in from deraadt@

unfortunately altq is one giant namespace violation. rename just those that
conflict with new stuff for now only to be found on my laptop. reduce pain,
the diff is huge already. ok ryan

ruleset after match. In case this is the only rule in the anchor,
the anchor will be destroyed automatically after the rule is matched.
This is an extremely handy technique for firewall proxies.
ok henning, mcbride

implementation. ok ryan mpf sthen and also testing pea and halex looked
at it and commented as well

a crash if max-src-* options are triggered both before and after a ruleset
reload, when the rules are overloading to a non-persistent table.
Discovered by and fix from Martin Pelikan.