path: root/sys/net
Age         Author
            Commit message

2006-11-24  Can Erkin Acar
    Check the reference count for interface addresses when detaching an interface. Fixes a double free panic. ok claudio@, looks fine henning@

2006-11-24  Reyk Floeter
    add support to tag ipsec traffic belonging to specific IKE-initiated phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples. this is work in progress and still needs some testing and feedback, but it is safe to put it in now. ok hshoexer@

2006-11-24  Reyk Floeter
    never call an ioctl without process context! this diff checks the ifp->if_link_state instead of calling the ifmedia ioctl. this is safe in timeouts without process context and allows to use bridge stp with usb ethernet devices now. figured out and tested by Stuart Henderson, closes pr 5304.

2006-11-20  Ryan Thomas McBride
    ioctl to explicitly remove source tracking nodes, diff from Berk D. Demir <bdd@mindcast.org> ok henning dhartmei

2006-11-16  Henning Brauer
    conditional for appending the pf mbuf tag in pf_test/pf_test6 was wrong, we need to do so whenever we do have a (pf) tag != 0 on the state OR (that part was missing) when rtableid on the rule is nonzero. problem noticed by Andreas Lundin <lunde@dreamhosted.se> testing the multiple routing tables enabling diff, ok mcbride

2006-11-16  Henning Brauer
    no need to always attach pfsync0 any more. ok mpf mcbride

2006-11-16  Henning Brauer
    introduce if_creategroup() to create an empty interface group. code factored out from if_addgroup(), previously a group always had to have members. ok mpf mcbride

2006-11-16  Jun-ichiro itojun Hagino
    knf

2006-11-10  Claudio Jeker
    Fix an mbuf leak in an error path. OK brad@

2006-11-01  Ryan Thomas McBride
    Attach pfsync0 and pflog0 by default like they used to, /etc/rc depends on them being there. diff & ok deraadt

2006-11-01  Ted Unangst
    poll errors should be POLLERR, not some random E value. from alexandre ratchov. ok claudio

2006-11-01  Henning Brauer
    remove redundant null check, ok ryan

2006-10-31  Henning Brauer
    slightly improve consistency and readability, no functional change

2006-10-31  Henning Brauer
    in pfsync_update_tdb, when there is no pfsync interface, we must return without trying to free the (in that case nonexistent) tdb mbuf. found out the hard way by pedro

2006-10-31  Theo de Raadt
    hard to believe people still manage to commit non-compiling code once in a while

2006-10-31  Henning Brauer
    make pfsync a clonable too, but prevent more than one instance from being created for now - much more work would be required to change that. input & ok ryan

2006-10-31  Jason Wright
    ether_input_mbuf() isn't necessary, turn it into a macro and deal with its "special" case in ether_input(). Based on similar idea in FreeBSD. ok brad

2006-10-28  Otto Moerbeek
    Fix handling of errors wrt MINDEX. From NetBSD bpf_filter 1.32; ok henning@ deraadt@ canacar@

2006-10-27  Ryan Thomas McBride
    Split ruleset manipulation functions out into pf_ruleset.c to allow them to be imported into pfctl. This is a precursor to separating ruleset parsing from loading in pfctl, and tons of good things will come from it. 2 minor changes aside from cut-n-paste and #define portability magic: - instead of defining the global pf_main_ruleset, define pf_main_anchor (which contains the pf_main_ruleset) - allow pf_find_or_create_ruleset() to return the pf_main_ruleset if it's passed an empty anchor name. ok henning dhartmei

2006-10-25  Henning Brauer
    allow up to 16 pflog interfaces, ok mcbride

2006-10-25  Henning Brauer
    add a "u_int8_t logif" to struct pfrule to select to which pflog interface logs go. ok mcbride

2006-10-23  Henning Brauer
    make the pflog interface clonable. for now, only allow pflog0 to be created. keep an array of ifps to the pflog interfaces with the unit # as index for fast access. if pflog0 does not exist, no logging is done (just like if it is down). on machines without pf enabled, this makes the pflog0 interface go away, on machines with pf, rc sets up pflog0 and starts pflogd, no change there. idea old (pf2k4 or c2k5?), hacked at the hack.lu 2006 conference, ryan ok

2006-10-21  Henning Brauer
    the create and destroy functions for clonable interfaces return 0 on success, not -1 on error. fix check in 2 cases. ok mpf mcbride

2006-10-17  Reyk Floeter
    increase max pf tag name size from 16 to 64 characters. ok henning@ dhartmei@ deraadt@

2006-10-11  Ryan Thomas McBride
    Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside the anchor, terminate ruleset evaluation when stepping out of the anchor. This means that if you absolutely want the anchor to be terminal, you probably want to use a 'block all' or 'pass all' rule at the start of the anchor. ok dhartmei@ henning@ deraadt@

2006-09-26  Pedro Martelletto
    Fix compilation, okay henning@ mpf@

2006-09-18  Markus Friedl
    allow RST from TCP client, even if client does not send data after SYN; ok frantzen, dhartmei, henning

2006-09-18  Daniel Hartmeier
    fix tos (type-of-service) comparisons. for rules which use 'tos x', compare for equality (ip_tos == x). for priority queue assignment, compare AND-wise (ip_tos & IPTOS_LOWDELAY). this matters mostly for cases where the reserved bits in ip_tos are used (RFC791, 1349) and more than a single bit is set. from Steve Welham, closes PR5226 and PR5227.

2006-08-30  Damien Miller
    allow DIOCNATLOOK to look up NAT states for protocols without port numbers, reported by Raja Subramanian; ok henning@

2006-08-29  Henning Brauer
    allow the carp demotion counter to be changed by arbitrary values as long as the resulting demotion counter value is in range. previously, we only allowed +/- 1. ok mpf mcbride deraadt

2006-08-28  Can Erkin Acar
    Check for illegal option lengths when parsing LCP packets and drop such bad packets. Also remove some redundant mallocs. This fixes possible heap overflows when forming replies to such bad packets as discovered by Martin Husemann and Pavel Cahyna. reported by NetBSD, initial diff from markus@, additional comments by claudio@, ok markus@

2006-08-20  Kevin Steves
    if_tun.c also has this comment so remove duplicate; ok jmc@ krw@

2006-07-21  Daniel Hartmeier
    fix a bug in the input sanity check of DIOCCHANGERULE (not used by pfctl, but third-party tools). a rule must have a non-empty replacement address list when it's a translation rule but not an anchor call (i.e. "nat ... ->" needs a replacement address, but "nat-anchor ..." doesn't). the check confused "rule is an anchor call" with "rule is defined within an anchor". report from Michal Mertl, Max Laier.

2006-07-18  David Gwynne
    get rid of arc network support. we have no users of it so this is dead code. however, it is still cluttering up the kernel namespace a bit. it is better gone. ok claudio@

2006-07-18  Michael Shalayeff
    typo

2006-07-11  Can Erkin Acar
    Only print link state changes if interface is in debug mode. Affects devices using the sppp layer (pppoe, art, san, lmc) ok deraadt@

2006-07-11  Can Erkin Acar
    Error messages from remote may not be '\0' terminated. Also cleanup error message device name printing. Based on diff from NetBSD via Andrey Matveev. Also, use log when printing error messages, and syslog will handle any nonprintable characters, discussed with deraadt@

2006-07-06  Henning Brauer
    argh, again i forgot a file. sorry

2006-07-06  Henning Brauer
    allow rules to point to an alternate routing table, and tag packets matching that rule so that the forwarding code later can use the alternate routing table for lookups (not implemented yet). the tagging is "sticky", every matching rule modifies, just like the regular "tag". ok claudio hshoexer, hacked at r2k6

2006-07-04  Theo de Raadt
    logging should be in debug mode only. if every network driver did a dmesg printf every time they came up, would that be a better world?

2006-07-02  Reyk Floeter
    diff from peter phillip at freenet dot de: the "pppoe0: up" message is annoying when one is on console and the system has been configured to recall the ISP every minute or so. Moving the printf() to a log() fixes this and the "pppoe0: up" message is still seen in logs and dmesg. ok canacar@

2006-06-28  Claudio Jeker
    Another unused function bites the dust -- this time pflogrtrequest(). OK markus@

2006-06-28  Claudio Jeker
    Kill unused encrtrequest(). OK markus@

2006-06-21  Brad Smith
    add media types for 10Gb Ethernet, though only using a baudrate of 1Gbps, until the size of the baudrate field has been increased.

2006-06-19  Claudio Jeker
    Unbreak the tree. The code to set and unset the RTF_MPATH bit on all multipath routes did not carefully check if the route lookup succeeded or not and so rn_mpath_next(rn) blew up because rn was NULL. Check if rnh_lookup succeeded before touching rn in any way. OK norby@ initial diff by hshoexer@

2006-06-18  Christopher Pascoe
    Whitespace, oops.

2006-06-18  Christopher Pascoe
    Add support for equal-cost multipath IP. To minimise path disruptions, this implements recommendations made in RFC2992 - the hash-threshold mechanism to select paths based on source/destination IP address pairs, and inserts multipath routes in the middle of the route table. To enable multipath distribution, use: sysctl net.inet.ip.multipath=1 and/or: sysctl net.inet6.ip6.multipath=1 testing norby@ ok claudio@ henning@ hshoexer@

2006-06-17  Christopher Pascoe
    When multipath routes are inserted, ensure that RTF_MPATH is set for any previous route that may not have been inserted with the -mpath flag. Similarly, when removing a multipath route and leaving only one route, clear the RTF_MPATH flag so this is clear. ok claudio@

2006-06-17  Henning Brauer
    adopt to extended rtrequest / rtalloc1 api

2006-06-17  Henning Brauer
    unbreak; from theo