| Age | Commit message (Collapse) | Author |
|---|
|
this is a step toward better rfc6040 support
ok claudio@
|
|
ok claudio@
|
|
the network mask. This saves converting the prefixlen to a mask and back.
OK phessler@, benno@
|
|
that the mask is contiguous and not longer then the prefixlen is not
bigger then the maximum. Make the function behave a bit more like the
similar netmask handling code in the old patricia codebase.
Fixes a problem reyk@ reported regarding IPv6 masks and the fact that
sin6_scope_id is after sin6_addr.
OK mpi@
|
|
It was used by the original patricia tree.
OK mpi@
|
|
|
|
if you're using llprio and link0, you'll need to update your config.
ok claudio@
|
|
|
|
dir make debugging much easier than the if alone.
|
|
no functional change.
|
|
previously the gif code would patch the tos field and not recalc
the cksum, which would cause ip input code to drop the packet due
to a cksum failure. the ipip code patched ip_tos and unconditionally
recalculated the cksum, making it correct, but also wiping out any
errors that may have been present before the recalculation. updating
the cksum rather than replacing it lets cksum failures still fire.
ip_tos_patch() is provided in the ecn code since it's because of ecn
propagation that we need to update the tos field. internally it
works like pf_patch_8 and pf_cksum_fixup, but since pf is optional
it rolls its own code. procter may fix that in the future...
ok claudio@
|
|
Tested by Hrvoje Popovski, inputs and ok visa@
|
|
it works less well when you look before the adj
|
|
|
|
|
|
the mbuf prio will still be set according to the llprio value, but the
tos on the packet may be forced to a specific number by txprio
|
|
rfc1853 is about IP in IP Tunneling. rfc2003 about IP Encapsulation
within IP agrees.
|
|
|
|
for l3 interfaces (gre and mgre), allow txprio from the payload,
the mbuf, or a hardcoded value. for l2 interfaces (egre, ngre, and
eoip), get txprio from the mbuf or a hardcoded value.
ok claudio@
|
|
gif encaps l3, so it can get a prio from the payload, as well as
from the mbuf itself, or a hardcoded value.
ok claudio@
|
|
etherip puts the prio in the encapsulating ip header, and supports
using hardcoded prio values or the prio from the mbuf. it encapsulates
ethernet, which doesnt have a prio field unelss you parse the ether
payload, which is not worth it.
ok claudio@
|
|
ok claudio@
|
|
a tx header prio can set to a fixed value from 0 to 7, or magic
values to represent populating the prio field from the encapsulated
packet, or from the mbuf prio value.
ok claudio@
|
|
802.11 interface state changes (e.g. SSID) to interested parties.
Original diff from phessler@. Many suggestions and tweaks from
claudio@, stsp@, anton@.
ok claudio@ stsp@ anton@ phessler@
|
|
|
|
this prevents creation of tap and tun devices that you cannot open
from userland because of the limit on the number of dev_t minor
numbers.
the lack of limit was pointed out by Greg Steuck
ok deraadt@ guenther@
|
|
|
|
|
|
the llprio is already used to set the gre and eoip packet tos/tclass,
but it was queued at the default prio before this.
|
|
llprios are valued 0 to 7, while the ip tos/dscp/tclass is an 8 bit
value. fortunately the high 3 bits map nicely to the llprio values,
so we shift the llprio into place when generating the keepalive
frames. the llprio is defaulted to the value that cisco uses for
their gre keepalives.
|
|
m_leadingspace() and m_trailingspace(). Convert all callers to call
directly the functions and remove the defines.
OK krw@, mpi@
|
|
|
|
by making all handlers consistent.
ok bluhm@, visa@
|
|
the timeout gets configured instead of gre_up().
this avoids complex gre_ioctl() ordering rules and
enables the sc_ka_hold timeout before the first packet
is received.
from markus@
|
|
OK bluhm@ kn@
|
|
HFSC on a vlan(4) (or similar) interface caused all packets over
that interface to get marked with the highest packet priority, no
matter what the rest of the system said about it. Leaving
the prio alone lets the rest of the network still do something
useful, not matter whether the local system queues packets in a
particular way.
Reported by and fix tested by Adrian Close
ok claudio@ kn@ mikeb@
|
|
|
|
from markus@
|
|
|
|
check sc_tunnel.t_af for AF_UNSPEC, otherwise we panic in gre_encap()
from markus@
|
|
gre_keepalive_send() should re-schedule immediately, otherwise we
stop sending keepalive on temporary mbuf shortage or if the
configuration is incomplete.
from markus@
|
|
The packet processing done after the protocol detection effectively
gets thrown away by the keepalive handling, so this saves some time,
and avoids confusing tcpdump on the interface. Keepalives the driver
transmits aren't made available for bpf, so taking it away from the
receive side is consistent.
discussed with and tested by markus@
|
|
Regression has been introduced in version 1.1024 (a 6.2 time frame).
It's been discovered and reported by Fabian Mueller-Knapp. Fair amount
of credit goes to kn@, benno@ and henning@ for pointing me to releveant
section of pf.conf(5). Fabian and kn@ also did test the patch.
OK kn@, henning@
|
|
this gives ipv6 handling equivalent the tos stuff in ipv4.
ok visa@ benno@
|
|
Replace hardcoded 0 and implicit checks with enum as done in all other
use cases of `pfra_fback'. No object change.
OK sashan
|
|
When evaluating the anchor's ruleset, prevent clobbering it's very own
`quick' test result by blindly setting it.
This makes the following pf.conf work as intended (packets would be blocked
since `quick' had no effect):
anchor quick {
pass
}
block
Broken since after 6.1 release as reported by Fabian Mueller-Knapp, thanks!
OK henning sashan
|
|
When a pfsync interface is being deleted, all its timeout handlers and
pfsync_send_dispatch() have to stop accessing the software context
before the context is freed. Ensure sufficient synchronization by
acquiring NET_LOCK() and clearing `pfsyncif' inside the critical
section in pfsync_clone_destroy(). When a timeout handler has entered
the critical section, it has to check `pfsyncif' and bail out if the
value is NULL. pfsync_send_dispatch() already does this check.
Issue reported and fix tested by Hrvoje Popovski.
OK mpi@ bluhm@
|
|
OK bluhm@
|
|
This fixes certain operations such as `pfctl -t foo -T show' when the
system is in "Highly secure mode". `pfctl -t foo -T show -v' would already
work due to a different ioctl (DIOCRGETASTATS) being used.
Reported by Zbyszek ŻóÅkiewski, thanks!
OK sthen sashan
|
|
Wireless drivers call if_enqueue() out of the NET_LOCK() so it cannot
be used to serialize bridge(4) states.
Found by stsp@, ok visa@
|
