path: root/sys/net
Age         Author
    Commit message
2006-12-15  Otto Moerbeek
    make pflog(4) count; ok hennig@ deraadt@
2006-12-14  Daniel Hartmeier
    in "BAD/loose state" messages, also print the packet's original sequence number; it can differ from the sequence number being tested (for packets without payload), and both matter in explaining why a packet mismatched.
2006-12-13  Jun-ichiro itojun Hagino
    wrap ipv6 portion with #ifdef INET6. from cmetz
2006-12-13  Jun-ichiro itojun Hagino
    use IN6_IS_SCOPE_EMBED to check kernel-internal form addresses (s6_addr16[1] filled). ok dhartmei
2006-12-13  Jun-ichiro itojun Hagino
    IPv6 passive OS fingerprinting. reuses IPv4 signature file (assuming that TCP code is shared among IPv4/v6). mcbride ok.
2006-12-12  Reyk Floeter
    ansify the enc code. ok otto@
2006-12-11  Reyk Floeter
    refer to the RSTP point to point option as "PTP" instead of "P2P". P2P is commonly used in relation to peer to peer networks, PTP is used in various protocols for layer 2 point to point links (i.e., full duplex ethernet links). note that the newly added brconfig commands [-]p2p and [-]autop2p will change to [-]ptp and [-]autoptp. suggested by Andrew Thompson (thompsa@freebsd.org)
2006-12-07  Reyk Floeter
    use LINK_STATE_IS_UP(ifp0->if_link_state) instead of ifp0->if_link_state == LINK_STATE_UP to handle the new half/full duplex link states. i forgot to commit these snippets before. ok jsg@
2006-12-06  Bernd Ahlers
    Missing newline in printf. ok canacar@
2006-12-03  Reyk Floeter
    Add Rapid Spanning Tree Protocol support (802.1d-2004) based on work by Andrew Thompson (thompsa@freebsd.org). The local changes include adoption to our bridge code, reduced stack usage and many other bits. If stp is enabled, RSTP will now be used by default. Thanks for help from Andrew. This code has been in snaps for a while now, commit encouraged by deraadt@
2006-11-30  Henning Brauer
    no need for #if NPF > 0 inside #if NPF > 0. From: Genadijus Paleckis <lsd@nnt.lt>, but the really bad description of the diff made this way more complicated than needed. pls plz, when sending in diffs, describe properly what they do and why!
2006-11-28  Reyk Floeter
    add additional link states to report the half duplex / full duplex state, if known by the driver. this is required to check the full duplex state without depending on the ifmedia ioctl which can't be called in the kernel without process context. ok henning@, brad@
2006-11-24  Can Erkin Acar
    Check the reference count for interface addresses when detaching an interface. Fixes a double free panic. ok claudio@, looks fine henning@
2006-11-24  Reyk Floeter
    add support to tag ipsec traffic belonging to specific IKE-initiated phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples. this is work in progress and still needs some testing and feedback, but it is safe to put it in now. ok hshoexer@
2006-11-24  Reyk Floeter
    never call an ioctl without process context! this diff checks the ifp->if_link_state instead of calling the ifmedia ioctl. this is safe in timeouts without process context and allows using bridge stp with usb ethernet devices now. figured out and tested by Stuart Henderson, closes pr 5304.
2006-11-20  Ryan Thomas McBride
    ioctl to explicitly remove source tracking nodes, diff from Berk D. Demir <bdd@mindcast.org>. ok henning dhartmei
2006-11-16  Henning Brauer
    conditional for appending the pf mbuf tag in pf_test/pf_test6 was wrong, we need to do so whenever we do have a (pf) tag != 0 on the state OR (that part was missing) when rtableid on the rule is nonzero. problem noticed by Andreas Lundin <lunde@dreamhosted.se> testing the multiple routing tables enabling diff, ok mcbride
2006-11-16  Henning Brauer
    no need to always attach pfsync0 any more. ok mpf mcbride
2006-11-16  Henning Brauer
    introduce if_creategroup() to create an empty interface group. code factored out from if_addgroup(), previously a group always had to have members. ok mpf mcbride
2006-11-16  Jun-ichiro itojun Hagino
    knf
2006-11-10  Claudio Jeker
    Fix an mbuf leak in an error path. OK brad@
2006-11-01  Ryan Thomas McBride
    Attach pfsync0 and pflog0 by default like they used to, /etc/rc depends on them being there. diff & ok deraadt
2006-11-01  Ted Unangst
    poll errors should be POLLERR, not some random E value. from alexandre ratchov. ok claudio
2006-11-01  Henning Brauer
    remove redundant null check, ok ryan
2006-10-31  Henning Brauer
    slightly improve consistency and readability, no functional change
2006-10-31  Henning Brauer
    in pfsync_update_tdb, when there is no pfsync interface, we must return without trying to free the (in that case nonexistent) tdb mbuf. found out the hard way by pedro
2006-10-31  Theo de Raadt
    hard to believe people still manage to commit non-compiling code once in a while
2006-10-31  Henning Brauer
    make pfsync a clonable too, but prevent more than one instance from being created for now - much more work would be required to change that. input & ok ryan
2006-10-31  Jason Wright
    ether_input_mbuf() isn't necessary, turn it into a macro and deal with its "special" case in ether_input(). Based on similar idea in FreeBSD. ok brad
2006-10-28  Otto Moerbeek
    Fix handling of errors wrt MINDEX. From NetBSD bpf_filter 1.32; ok henning@ deraadt@ canacar@
2006-10-27  Ryan Thomas McBride
    Split ruleset manipulation functions out into pf_ruleset.c to allow them to be imported into pfctl. This is a precursor to separating ruleset parsing from loading in pfctl, and tons of good things will come from it. 2 minor changes aside from cut-n-paste and #define portability magic:
    - instead of defining the global pf_main_ruleset, define pf_main_anchor (which contains the pf_main_ruleset)
    - allow pf_find_or_create_ruleset() to return the pf_main_ruleset if it's passed an empty anchor name.
    ok henning dhartmei
2006-10-25  Henning Brauer
    allow up to 16 pflog interfaces, ok mcbride
2006-10-25  Henning Brauer
    add a "u_int8_t logif" to struct pfrule to select to which pflog interface logs go. ok mcbride
2006-10-23  Henning Brauer
    make the pflog interface clonable. for now, only allow pflog0 to be created. keep an array of ifps to the pflog interfaces with the unit # as index for fast access. if pflog0 does not exist, no logging is done (just like if it is down). on machines without pf enabled, this makes the pflog0 interface go away, on machines with pf, rc sets up pflog0 and starts pflogd, no change there. idea old (pf2k4 or c2k5?), hacked at the hack.lu 2006 conference, ryan ok
2006-10-21  Henning Brauer
    the create and destroy functions for clonable interfaces return 0 on success, not -1 on error. fix check in 2 cases. ok mpf mcbride
2006-10-17  Reyk Floeter
    increase max pf tag name size from 16 to 64 characters. ok henning@ dhartmei@ deraadt@
2006-10-11  Ryan Thomas McBride
    Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside the anchor, terminate ruleset evaluation when stepping out of the anchor. This means that if you absolutely want the anchor to be terminal, you probably want to use a 'block all' or 'pass all' rule at the start of the anchor. ok dhartmei@ henning@ deraadt@
2006-09-26  Pedro Martelletto
    Fix compilation, okay henning@ mpf@
2006-09-18  Markus Friedl
    allow RST from TCP client, even if client does not send data after SYN; ok frantzen, dhartmei, henning
2006-09-18  Daniel Hartmeier
    fix tos (type-of-service) comparisons. for rules which use 'tos x', compare for equality (ip_tos == x). for priority queue assignment, compare AND-wise (ip_tos & IPTOS_LOWDELAY). this matters mostly for cases where the reserved bits in ip_tos are used (RFC791, 1349) and more than a single bit is set. from Steve Welham, closes PR5226 and PR5227.
2006-08-30  Damien Miller
    allow DIOCNATLOOK to look up NAT states for protocols without port numbers, reported by Raja Subramanian; ok henning@
2006-08-29  Henning Brauer
    allow the carp demotion counter to be changed by arbitrary values as long as the resulting demotion counter value is in range. previously, we only allowed +/- 1. ok mpf mcbride deraadt
2006-08-28  Can Erkin Acar
    Check for illegal option lengths when parsing LCP packets and drop such bad packets. Also remove some redundant mallocs. This fixes possible heap overflows when forming replies to such bad packets as discovered by Martin Husemann and Pavel Cahyna. reported by NetBSD, initial diff from markus@, additional comments by claudio@, ok markus@
2006-08-20  Kevin Steves
    if_tun.c also has this comment so remove duplicate; ok jmc@ krw@
2006-07-21  Daniel Hartmeier
    fix a bug in the input sanity check of DIOCCHANGERULE (not used by pfctl, but third-party tools). a rule must have a non-empty replacement address list when it's a translation rule but not an anchor call (i.e. "nat ... ->" needs a replacement address, but "nat-anchor ..." doesn't). the check confused "rule is an anchor call" with "rule is defined within an anchor". report from Michal Mertl, Max Laier.
2006-07-18  David Gwynne
    get rid of arc network support. we have no users of it so this is dead code. however, it is still cluttering up the kernel namespace a bit. it is better gone. ok claudio@
2006-07-18  Michael Shalayeff
    typo
2006-07-11  Can Erkin Acar
    Only print link state changes if interface is in debug mode. Affects devices using the sppp layer (pppoe, art, san, lmc). ok deraadt@
2006-07-11  Can Erkin Acar
    Error messages from remote may not be '\0' terminated. Also cleanup error message device name printing. Based on diff from NetBSD via Andrey Matveev. Also, use log when printing error messages, and syslog will handle any nonprintable characters, discussed with deraadt@
2006-07-06  Henning Brauer
    argh, again i forgot a file. sorry