Age | Commit message (Collapse) | Author |
|
an interface. Fixes a double free panic.
ok claudio@, looks fine henning@
|
|
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.
this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.
ok hshoexer@
|
|
ifp->if_link_state instead of calling the ifmedia ioctl. this is safe
in timeouts without process context and allows to use bridge stp with
usb ethernet devices now.
figured out and tested by Stuart Henderson, closes pr 5304.
|
|
diff from Berk D. Demir <bdd@mindcast.org>
ok henning dhartmei
|
|
we need to do so whenever we do have a (pf) tag != 0 on the state OR (that
part was missing) when rtableid on the rule is nonzero.
problem noticed by Andreas Lundin <lunde@dreamhosted.se> testing the
multiple routing tables enabling diff, ok mcbride
|
|
|
|
code factored out from if_addgroup(), previously a group always had to have
members. ok mpf mcbride
|
|
|
|
|
|
them being there.
diff & ok deraadt
|
|
from alexandre ratchov. ok claudio
|
|
|
|
|
|
without trying to free the (in that case nonexistant) tdb mbuf
found out the hard way by pedro
|
|
|
|
beeing created for now - much more work would be required to change that
input & ok ryan
|
|
it's "special" case in ether_input(). Based on similiar idea in FreeBSD.
ok brad
|
|
ok henning@ deraadt@ canacar@
|
|
be imported into pfctl. This is a precursor to separating ruleset parsing
from loading in pfctl, and tons of good things will come from it.
2 minor changes aside from cut-n-paste and #define portability magic:
- instead of defining the global pf_main_ruleset, define pf_main_anchor
(which contains the pf_main_ruleset)
- allow pf_find_or_create_ruleset() to return the pf_main_ruleset if it's
passed an empty anchor name.
ok henning dhartmei
|
|
|
|
logs go. ok mcbride
|
|
for now, only allow pflog0 to be created.
keep an array of ifps to the pflog interfaces with the unit # as index for
fast access.
if pflog0 does not exist, no logging is done (just like if it is down).
on machines without pf enabled, this makes the pflog0 interface go away,
on machines with pf, rc sets up pflog0 and starts pflogd, no change there.
idea old (pf2k4 or c2k5?), hacked at the hack.lu 2006 conference, ryan ok
|
|
success, not -1 on error. fix check in 2 cases. ok mpf mcbride
|
|
ok henning@ dhartmei@ deraadt@
|
|
the anchor, terminate ruleset evaluation when stepping out of the anchor.
This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.
ok dhartmei@ henning@ deraadt@
|
|
|
|
ok frantzen, dhartmei, henning
|
|
for equality (ip_tos == x). for priority queue assignment, compare AND-wise
(ip_tos & IPTOS_LOWDELAY). this matters mostly for cases where the reserved
bits in ip_tos are used (RFC791, 1349) and more than a single bit is set.
from Steve Welham, closes PR5226 and PR5227.
|
|
numbers, reported by Raja Subramanian; ok henning@
|
|
as the resulting demotion counter value is in range. previously, we only
allowed +/- 1. ok mpf mcbride deraadt
|
|
and drop such bad packets. Also remove some redundant mallocs.
This fixes possible heap overflows when forming replys to such bad
packets as discovered by Martin Husemann and Pavel Cahyna.
reported by NetBSD, initial diff from markus@,
additional comments by claudio@, ok markus@
|
|
|
|
but third-party tools). a rule must have a non-empty replacement address
list when it's a translation rule but not an anchor call (i.e. "nat ... ->"
needs a replacement address, but "nat-anchor ..." doesn't). the check
confused "rule is an anchor call" with "rule is defined within an anchor".
report from Michal Mertl, Max Laier.
|
|
code. however, it is still cluttering up the kernel namespace a bit. it is
better gone.
ok claudio@
|
|
|
|
Affects devices using the sppp layer (pppoe, art, san, lmc)
ok deraadt@
|
|
Also cleanup error message device name printing.
Based on diff from NetBSD via Andrey Matveev
Also, use log when printing error messages, and syslog will
handle any nonprintable characters, discussed with deraadt@
|
|
|
|
matching that rule so that the forwarding code later can use the
alternate routing table fo lookups (not implemented yet).
the tagging is "sticky", every matching rule modifies, just like the
regular "tag". ok claudio hshoexer, hacked at r2k6
|
|
dmesg printf everytime they came up, would that be a better world?
|
|
the "pppoe0: up" message is annoying when one is on console and the
system has been configured to recall the ISP every minute or so.
Moving the printf() to a log() fixes this and the "pppoe0: up"
message is still seen in logs and dmesg.
ok canacar@
|
|
|
|
|
|
of 1Gbps, until the size of the baudrate field has been increased.
|
|
routes did not carefully check if the route lookup succeded or not and so
rn_mpath_next(rn) blowed up because rn was NULL. Check if rnh_lookup succeded
before touching rn in anyway. OK norby@ initial diff by hshoexer@
|
|
|
|
To minimise path disruptions, this implements recommendations made in RFC2992 -
the hash-threshold mechanism to select paths based on source/destination IP
address pairs, and inserts multipath routes in the middle of the route table.
To enable multipath distribution, use:
sysctl net.inet.ip.multipath=1
and/or:
sysctl net.inet6.ip6.multipath=1
testing norby@
ok claudio@ henning@ hshoexer@
|
|
previous route that may not have been inserted with the -mpath flag.
Similarly, when removing a multipath route and leaving only one route,
clear the RTF_MPATH flag so this is clear.
ok claudio@
|
|
|
|
|