path: root/sys/net
Age | Commit message | Author
2006-01-06 | DIOCNATLOOK was forgotten in the second access control switch. it's a read-only operation (looking up one state entry), so allow it when /dev/pf is opened read-only (allows squid to work read-only). from Andrey Matveev. | Daniel Hartmeier
2006-01-06 | for DIOCCLRSTATUS (pfctl -Fi), reset 'Enabled for x' time, too. simplifies computations of change rates. unfortunately, I don't remember who suggested this. | Daniel Hartmeier
2006-01-05 | Make it possible to set a default vlan priority for vlan interfaces. ok claudio@ brad@ | Esben Norby
2006-01-05 | bzero buffers after malloc, or clear string buffer before strlcpy'ing into them, if you are gonna copy it out to userland some ok dhartmei, some ok tedu | Theo de Raadt
2006-01-05 | bzero after malloc; ok dhartmei | Theo de Raadt
2006-01-04 | Move bpf_mtap_hdr() after trunk_*_input() so that we hopefully see only one copy of the packet with bpf. From mcbride@ some testing by todd@, ok reyk@ | Brad Smith
2006-01-04 | Remove redundant calls to bpfdetach. ok brad@ | Can Erkin Acar
2005-12-22 | Do not check ifp->if_bpf before detaching from bpf. It is only a signal to the driver that there is a listener. Somehow I assumed that it was a handle, and was trying to figure out why it was becoming zero. Corrected by and ok claudio@ | Can Erkin Acar
2005-12-21 | knf | Reyk Floeter
2005-12-21 | fix possible NULL pointer, thanks to Marco Molteni | Reyk Floeter
2005-12-18 | Update my e-mail address in the copyright statement, no binary changes. | Reyk Floeter
2005-12-17 | revert last commit as it introduced system panics due to improper use of bpf_mtap(). | Brad Smith
2005-12-10 | m_pullup() the whole header, not the number of bytes in an int. Found by lint. ok deraadt@ | Kenneth R Westerback
2005-12-10 | C99 section 6.8.6.4 says "A return statement with an expression shall not appear in a function whose return type is void." Lint agrees. ok (and C99 spec info) cloder@ | Kenneth R Westerback
2005-12-08 | Avoid sign extend by casting to u_char *; from NetBSD via Guy Harris. Also change another cast, for the sake of consistency, as prompted by djm@ ok deraadt@ djm@ canacar@ | Otto Moerbeek
2005-12-06 | export ipip flows, too; ok hshoexer | Markus Friedl
2005-11-29 | something in the eurobsdcon route-a-thon broke my simple home network router so back out the routing stuff to pre-eurobsdcon where my machine doesn't crash immediately. i am happy to test diffs and report success/failures but i am not happy to have instantaneous crashes when i reboot with a new kernel that was compiled from pristine sources. if you are going to be an elitist asshole then you could at least make sure your code works. ok and "be crass towards them" deraadt@ | Jolan Luff
2005-11-28 | more breakage | Markus Friedl
2005-11-28 | unbreak route deletion (from revision 1.55; obviously too much eyebleeding) | Markus Friedl
2005-11-27 | repair builds. ramdisk kernels forgotten about again. | Theo de Raadt
2005-11-27 | don't let anything outside route.c access the routing table heads directly, but go through a provided wrapper. also provide rt_lookup() instead of doing the lookup manually in many places. ryan ok | Henning Brauer
2005-11-27 | Move bpf_mtap() after trunk_*_input() so that we hopefully see only one copy of the packet with bpf. ok reyk@ | Ryan Thomas McBride
2005-11-27 | Attempt to accept a packet only once when operating in failover mode. Makes trunk usable with hubs or switches which don't have actual trunk support. ok reyk@ | Ryan Thomas McBride
2005-11-27 | Fix dereference of uninitialised pointer in trunk_input() error path. ok reyk@ | Ryan Thomas McBride
2005-11-27 | Make the trunk interface link state depend on the link states of the trunkports (link is UP as long as at least one of the trunkports is up) ok reyk@ | Ryan Thomas McBride
2005-11-25 | move the code to delete routes having a specific interface as output when the interface is deleted to a function in route.c, and replace the copies of that code by calls to that function from basel almost-hackathon | Henning Brauer
2005-11-25 | KNF | Henning Brauer
2005-11-25 | reduce eyebleeding, since we only borrow the code from our children | Henning Brauer
2005-11-25 | How can we dance when our humppa is feeding How do we code while our eyes are bleeding | Henning Brauer
2005-11-21 | Move contents of sys/select.h to sys/selinfo.h in preparation for a userland-visible sys/select.h. Consistent with what Net and Free do. OK deraadt@, tested with full ports build by naddy@. | Todd C. Miller
2005-11-17 | tun devices get created (cloned) automagically when the device is opened. the code took a shortcut which results in the new device not being added to its interface class group as it should. call the regular if_clone_create() instead of taking shortcuts, and all is fine. ok markus, tested Mike Belopuhov <mkb@crypt.org.ru> | Henning Brauer
2005-11-16 | small doses of KNF | Henning Brauer
2005-11-14 | fix spello | Christopher Pascoe
2005-11-04 | crank pf_state and pf_src_node byte and packet counters to u_in64_t, since we're breaking pfsync compatibility this cycle anyways. Requested by djm@, ok henning@, 'wheee!' deraadt@ | Ryan Thomas McBride
2005-11-03 | re-implement the bpf "filter drop" option that it actually works. the bpf FILDROP interface exists for about one year but the required interface to the drivers was missing - so it was useless. this new approach based on a design by henning@ uses a new mbuf flag to mark filtered packets and to drop them in the generic network stack input routines (like ether_input). for example; after some additional testing, this could be used by dhclient to filter everything except DHCP packets (track tech@ for a corresponding dhclient diff). the "filter dropped" packets won't reach the network stack. so it's probably some kind of a very basic application layer packet filter ;). ok canacar@, discussed with henning@ and others | Reyk Floeter
2005-11-01 | Always sure that we have memory for the 'dst' scrub information, which may not have been allocated at the initial state synchronisation time. ok henning@ | Christopher Pascoe
2005-10-28 | s/rmatch/chksum_flag/ to clarify what's going on. Pointed out by dhartmei@ Oh. and a KNF nit. | Ryan Thomas McBride
2005-10-27 | Basic support for attaching states from pfsync to the correct rules. Applies only to rules in the main ruleset (not anchors) if the ruleset checksum matches. Necessary to fix the following for pfsync'd states: - per-rule limits on number of states - altq - rule-based settings such as timeouts More work to do re: nat rules, src-nodes, etc. NOTE: This modifies the pfsync header and version number. Tools which process pfsync packets must be recompiled, and firewalls with different versions will not sync. ok mpf@ henning@ dhartmei@ | Ryan Thomas McBride
2005-10-26 | Instead of using arc4random() to modulate the TCP isn, call tcp_rndiss_next() and calculate the modulator. This ensures that modulated initial sequence numbers have the same properties regarding separation and non-repetition as those generated by our TCP stack. ok markus@ frantzen@ | Ryan Thomas McBride
2005-10-25 | mtag in pf_route is now only used for IPSEC, so #ifdef it From: Mike Belopuhov <mkb@crypt.org.ru> | Henning Brauer
2005-10-23 | Rework of multicast deletion code for vlan(4) and trunk(4). The previous code could wrongly delete multicast groups on the parent interface. Now we forward only remembered delete requests. OK mcbride, mickey. | Marco Pfatschbacher
2005-10-17 | make pf use one mbuf tag instead of 6 distinct ones. use a little struct in the data part for the data from the previously distinct tags. look up the tag early and carry a pointer to it around. makes the code easier and saves some tag lookups and thus helps performance, as proven by tests run by Schöberle Dániel <Schoeberle.Daniel@aamtech.hu> Initially hacked up somewhere over the atlantic ocean in an A330 early testing reyk and moritz, "put it in" theo | Henning Brauer
2005-10-12 | no need to call mfree() since m is always NULL; from Andrey Matveev | Markus Friedl
2005-10-09 | if the wireless hostap interface belongs to a bridge, learn the node's address dynamically on this interface after successful association. this could speed wireless roaming to openbsd accesspoints. ok jason@, jsg@ can't see anything objectionable | Reyk Floeter
2005-10-09 | use label | Reyk Floeter
2005-10-08 | Prevent information leak by using a random hunique value instead of the address of the softc. Reported by Peter Phillip via PR-4501. | Can Erkin Acar
2005-10-07 | Report interface link state changes in sppp layer Help and ok claudio@, ok brad@ | Can Erkin Acar
2005-10-03 | add a simple active "failover" trunk mode. port priorities will be added later, currently the master port will always be the default (active) port and the next active port will be used as the failover port. ok brad@ | Reyk Floeter
2005-09-30 | remove old unused NRL IPv6 code. ok deraadt@ | Brad Smith
2005-09-28 | No part of the code defines UNALIGNED_ACCESS, use reverted tests for __STRICT_ALIGNMENT instead. Help pedro@ deraadt@, ok deraadt@ | Miod Vallat