Age | Commit message | Author |
|
flag. It is now called IFXF_INET6_NOPRIVACY. So IPv6 privacy
addresses are on by default without resetting the flag during
ifconfig down/up.
OK stsp@, sperreault@ (who wrote the same diff)
|
|
to the 16 bit flags; reminded by claudio, ok henning
|
|
|
|
LEVAI Daniel, diagnosed by matthew@, original diff from RD Thrush, cleaned
up by me with feedback from mikeb@. OK mikeb dcoppa deraadt
|
|
L2TP packets.
ok markus henning
|
|
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage
|
|
|
|
:dlg: the xxx can go
...and this time commit to the real repo and not the one on my laptop
|
|
packet within the icmp error packet was wrong. Fix this by using
the pd2.tot_len of the inner packet and subtract the old header's
length.
OK mikeb@ henning@
|
|
exporting them to the outside world via radix.h.
ok claudio@ sthen@ henning@
|
|
and bound to break sooner or later.
|
|
load balancing case, this allows Weighted Least States (WLS).
Everything prepared on c2k11 with help from mcbride@.
This finally makes PF ready for the cloud.
ok henning@ mikeb@ pyr@
|
|
mostly by dynamically allocating pflogifs instead of making that a static
array. ok claudio zinke
|
|
utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc
|
|
when you kill states by IP, it is not all that clear which IP we're talking
about - before or after rewriting?
the old semantics were to always look at the "original" IP, i. e. before
rewriting. ever since the NAT rewrite we were unconditionally looking
at the wire side state key, which is the original address for PF_IN states,
but not for PF_OUT. So look at the SK_STACK state key in the PF_OUT case.
should fix "authpf doesn't remove NAT states" seen on misc a while ago
ok & testing & half of the analysis bob (he sez beck)
|
|
1) demote by 32 on the first bulk update to prevent failovers w/o having
a full state table;
2) don't do any demotion adjustments on the link up event and undemote
when bulk update finishes (or times out) preventing a race between
nodes getting a link state update asynchronously.
With phessler; tested by phessler and Kapetanakis Giannis. Thanks!
Looked through by henning and dlg. Now the correct version.
|
|
|
|
|
|
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.
Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.
Tested against OpenBSD, Linux (strongswan) and Windows.
No objection from the usual suspects.
|
|
1) demote by 32 on the first bulk update to prevent failovers w/o having
a full state table;
2) don't do any demotion adjustments on the link up event and undemote
when bulk update finishes (or times out) preventing a race between
nodes getting a link state update asynchronously.
With phessler; tested by phessler and Kapetanakis Giannis. Thanks!
Looked through by henning and dlg.
|
|
from david hill; ok henning
|
|
The lower 2 bits of the tos-header are used for ECN.
(http://tools.ietf.org/html/rfc2474#section-3)
OK henning@, haesbaert@
|
|
bpf_mtap() needs to be called without the etherip_header.
Idea to use a forward declaration for struct tdb by claudio.
OK claudio@
|
|
ok blambert@ sthen@ henning@ claudio@
|
|
diff from blambert
|
|
values in () for consistency.
diff from Michael W. Bombardieri.
ok sthen dlg mikeb
|
|
Byte order adjustment for bpf was hidden behind bpf_mtap_af() and
sizeof(u_int32_t) is used for length of the bpf header.
tested by sebastia and mxb at alumni.chalmers.se.
ok claudio
|
|
figured out by and ok guenther
|
|
compatibility with FreeBSD/NetBSD.
Also rename SIMPLEQ_REMOVE_NEXT to SIMPLEQ_REMOVE_AFTER.
ok mikeb@ guenther@
|
|
|
|
It could not use the destination address properly, so it failed to
find the pipex session. This bug caused LCP keepalive failures on some
clients.
found and tested by sebastia@ and mxb at alumni.chalmers.se.
ok sthen
|
|
moving the state export functionality from pfsync code into pf.
Based on the initial diff by guenther, ok henning.
|
|
|
|
OK deraadt@, guenther@
|
|
|
|
userland a chance to compare the value against getpid().
This unbreaks transmission for me. OK deraadt@, guenther@
|
|
generate such packets but it helps porting applications that assume that
these are available on any system.
Requested by dhill long time ago.
|
|
no objection from mcbride@ krw@ markus@ deraadt@
|
|
Following bluhm's advice this changes the way we setup state keys and
perform state lookups for ICMPv6 Neighbor Discovery packets:
- replace the NS-dst with ND target address;
- replace the NA-src with ND target address;
- replace the NA-dst with unspecified address if it is a multicast.
This allows pf to match Address Resolution, Neighbor Unreachability
Detection and Duplicate Address Detection packets to the corresponding
states without the need to create new ones or match unrelated ones.
As a side effect we're doing now one state table lookup for ND packets
instead of two.
Fixes a bug uncovered by one of the previous commits that virtually
breaks IPv6 connectivity after few minutes of use.
ok stsp henning, with and ok bluhm
|
|
pf to fix that.
- add #ifdef INET6 in obvious places
- af translation is only possible with both INET and INET6
- interleave #endif /* INET6 */ and closing brace correctly
- it is not necessary to #ifdef function prototypes
- do not compile af translate functions at all instead of empty stub,
then the linker will report inconsistencies
- pf_poolmask() actually takes an sa_family_t not an u_int8_t argument
No binary change for GENERIC compiled with -O2 and -UDIAGNOSTIC.
reported by Olivier Cochard-Labbe; ok mikeb@ henning@
|
|
large parts written by Florian Obser (florian -at- narrans -dot- de).
feedback from sperreault@ gollo@ sthen@
ok from gollo@ dlg@ henning@
|
|
|
|
pointed out / ok mikeb@
|
|
two consecutive host addresses won't generate the same value which
is used as a port number in state entries; ok bluhm, sperreault
|
|
ok bluhm, henning
|
|
You should use the proper queues via pf instead. ok phessler@ henning@
|
|
returned early. As a result tcpdump -i pflog0 printed uninitialized
kernel memory for short packets. Fix this by copying the mbuf data
we have if we cannot decode the packet.
ok mikeb@ henning@
|
|
- Let pf_normalize_ip() and pf_normalize_ip6() take the struct
pf_pdesc pd as argument.
- Always check whether the mbuf got NULL after normalization to make
the code more robust.
- Make the code structure of pf_normalize_ip6() more like
pf_normalize_ip() to make the differences obvious.
ok henning@
|
|
- Fragment offset is in network byte order.
- Check for legal short fragments before calling pf_pull_hdr() to
avoid bogus reason accounting.
- When checking whether the protocol header is within the fragment,
count the IPv6 payload length relative to the end of the IPv6 header.
ok henning@
|
|
to the initial value and do not use the counter;
reported by Sebastian Benoit and Daniel Krambrock,
tested by Sebastian Benoit, ok henning zinke
|