Age | Commit message | Author |
|
only called from pppx_del_session); lets an amd64 pppx kernel build
(otherwise we hit excessive stack use warnings with -Werror).
if this ends up being called more frequently in future, then dlg
suggests making it static instead. ok claudio@
|
|
ok deraadt henning
|
|
uncommenting it is intentional.
ok deraadt@
|
|
ok from the m guild: mikeb@ miod@ mpf@
|
|
walking. make the function shorter, easier and faster with many addresses
while still being at least as fast as the old one with a common "on real IP"
setup. tested by many, ok claudio sthen dlg krw
|
|
ddb>, ok claudio dlg krw sthen
|
|
the latter is also the dest addr on P2P interfaces) for faster lookups in
the future. walking the linked list of all interfaces in the system to walk
the linked list of addresses on each of them isn't particularly fast,
especially with many interfaces and addresses.
written at n2k10 in australia in january, but had to be backed
out. the offenders have been fixed:
-ipvshit rtsol code calling these functions in interrupt context
(surprised this hasn't caused more havoc)
-various places in the stack added empty ifaddr structs, filling them in later
-sloppy recycling of ifaddrs in some places
finished at j2k10 in japan in september
tested by many, ok sthen krw dlg claudio
|
|
is new or an already existing one. for existing ones, call ifa_del first
tested by many as part of a larger diff, ok claudio dlg krw sthen
|
|
trivial for the moment, more needed soon
tested by many as part of a larger diff, ok sthen claudio dlg krw
|
|
to an interface any more, the kernel crashed with a null pointer
dereference. This situation could be created by a strange sequence
of route and ifconfig commands.
Now when a cloning route references a stale interface address and
rtrequest1(RTM_RESOLVE) has to create a cloned route, it does a
lookup for a valid interface address with the same ip address. The
new interface address and its interface are used for the new cloned
route and they replace the old ones at the cloning route.
ok claudio@, henning@
|
|
no change in .o
ok claudio
|
|
per the 802.1D-2004 spec. With lots of help and guidance (and some
nagging) from claudio. Tested with net/ladvd port on i386 and amd64.
'be a man' claudio@, ok mpf@
|
|
OK blambert, claudio.
|
|
practical value of aligning things to 64-bit and waste more space than
necessary on some architectures. ok deraadt@
|
|
interface is destroyed while in the bridge. Fixed by using
bridge_delete() which includes the missing bstp_delete() call: Less
code and more consistency. Also fix SIOCBRDGDEL to return an error
if an interface can not be found.
OK claudio, markus.
|
|
rejects because of bad encoding. Userland processes trust that the
messages on the rtsock are correctly encoded. Moved some checks up
to do the suser() check as soon as possible.
After discussion with deraadt@, OK deraadt@ and sthen@ (earlier version)
|
|
bstp_input() always consumes the packet so remove the mbuf handling
dance around it.
|
|
fixes a race-based kernel crash under rare circumstances
reported and fix tested by chefren att pi daht net
ok claudio@ henning@
|
|
ok henning
|
|
who decided to just do it on their own. henning, mcbride, jsing -- shame
on you -- if you had shown this diff to just 1 other network developer,
the astounding mistake in it would have been noticed. Start practicing
inclusionary development instead of going alone.
ok claudio
|
|
by mcbride@.
ok mcbride@ henning@
|
|
only get messages that are for the rtable the process is bound to.
Depending on the rtm_type the rdomain or rtable id are used for
comparison. It is possible to change the filter with a setsockopt(s,
AF_ROUTE, ROUTE_TABLEFILTER,...) and if set to RTABLE_ANY the filter
is deactivated. Additionally set the tableid in struct if_msghdr
to the rdomain id and use the process rtableid in the sysctl if no
table was specified.
OK henning@
|
|
There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.
The libc portion will be removed after the ports hackathon.
djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.
|
|
fingerprinting on little endian systems work. People using the osfp
feature need to update /etc/pf.os or -current will be blocked.
OK deraadt@, jsg@, jsing@, millert@, sthen@
|
|
ok dlg
|
|
GRE message. But when npppd sends an ack-only GRE message, the message
will be only 12 bytes, so the m_pullup() will fail. call m_pullup()
with proper length.
|
|
sure if all protocols work.
|
|
OK djm@ claudio@ dlg@
|
|
ok claudio@ guenther@
|
|
ok deraadt@
|
|
We can use IPv6 address as outer header of L2TP.
Kernel ABI is changed. You must update npppd.
OK @claudio, yasuoka@, dlg@
|
|
OK deraadt@, millert@
|
|
reason to question himself by adding an XXX
|
|
hardcoding 0.
roughly almost a bit equivalent to what pf_test_rule does. changing the
rdomain for not reassembled fragments is not going to work ever, so the
full dance pf_test_rule does doesn't make sense here.
speaking of sense, I don't see anything remotely resembling sense in
pf filtering on fragments without reassembling them first.
with/ok claudio
|
|
pf_test_rule will have done it already, as correctly XXX-comment noted by
claudio almost a year ago.
pf_test6 (which is scarily different there) didn't have that at all.
|
|
/* XXX This does NOT affect pass rules! */
SLIST_FOREACH(ri, &s->match_rules, entry) {
...
delete that comment, entirely superfluous
|
|
pf_compare_state_keys will stay, we play safe.
|
|
ok henning@
|
|
behaviour consistent between IPv4 and IPv6.
From martin.pelikan@gmail.com
|
|
ok claudio@
|
|
instead of letting hardware rings grow on every interrupt, restrict
it so it can only grow once per softclock tick. we can only punish
the rings on softclock ticks, so it makes sense to only grow on
softclock tick boundaries too.
the rings are now punished after >1 lost softclock tick rather than
>2. mclgeti is now more aggressive at detecting livelock.
the rings get punished by an 8th, rather than by half.
we now allow the rings to be punished again even if the system is
already considered in livelock.
without this diff a livelocked system will have its rx ring sizes
scale up and down very rapidly, while holding the rings low for too
long. this affected throughput significantly.
discussed and tested heavily at j2k10. there are still some games
with softnet we can play, but this is a good first step.
"put it in" and ok deraadt@
ok claudio@ krw@ henning@ mcbride@
if we find out that it sucks we can pull it out again later. till then
we'll run with it and see how it goes.
|
|
"yup" deraadt@
|
|
and pipex. pppx(4) creates an interface whenever a session is created
so that altq and pf can work on these.
Started by dlg@ debugged and made usable by myself
OK dlg@ yasuoka@ deraadt@
|
|
RFC 4106 and 4543.
Please note that although IKEv1 and IKEv2 identifiers are
different for ESP_NULL_AUTH_AES-GMAC (SADB_X_EALG_AESGMAC),
we use the IKEv2 one only (which is 21). ipsecctl(8) will
be taught to handle exported SA correctly.
|
|
forces logging on all subsequent matching rules
real ok theo assumed oks ryan and dlg bikeshedding everyone in the room
implementation time ~ 1 minute
|