Age | Commit message | Author |
|
ok ho@ markus@
|
|
Reported long time ago by Marc Huber and more recently by Steffen Schutz.
|
|
from pf's perspective.
ok pascoe@ dhartmei@ henning@
|
|
ok canacar@, fgsch@, tested by some other people
|
|
- instead of erroring on an attempt to set hostid to 0, just set it
with arc4random()
ok henning@ dhartmei@
|
|
and userland.
ok henning@ dhartmei@
|
|
ok deraadt@, henning@, krw@
|
|
ok mickey@ henning@, "looks good" markus@ jason@
|
|
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@
|
|
list than physical interfaces. This makes ifa_ifwith* prefer a physical
interface over a CARP one.
This addresses the problem where a CARP interface in BACKUP state is
selected after a route change, resulting in a loss of communications
despite there being another interface available which is perfectly usable.
ok mcbride@ mpf@
|
|
ok pascoe@ mpf@
|
|
checking for a usable key, construct the key in the same way. Otherwise,
a colliding key might be missed or a state insertion might be refused even
though it could be inserted. The second case triggers the endless loop
fixed by 1.474, possibly allowing a NATed LAN client to lock up the kernel.
Report and test data by Srebrenko Sehic.
|
|
consistent style in sys/net/bpf.c.
ok henning@, "looks fine" canacar@
|
|
matching in the bridge receive path to make CARP operate correctly
on physical interfaces that are participating in a bridge.
ok mcbride@ henning@ dlg@
|
|
ok pascoe@
|
|
|
|
prevents a possible endless loop in pf_get_sport() with 'static-port'
Reported by adm at celeritystorm dot com in FreeBSD PR74930, debugging
by dhartmei@
ok dhartmei@
|
|
from Max Laier.
|
|
more than a second old.
ok mcbride@ henning@
|
|
|
|
|
|
|
|
Proposed by mcbride.
ok henning@, mcbride@
|
|
|
|
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan
|
|
|
|
Notably, this fixes "(pppoe0)" in pf. ok markus@
|
|
|
|
ok markus@
|
|
dealing with a carp interface.
|
|
style as vlan(4). carp interfaces no longer require the physical interface
to be on the same subnet as the carp interface, or even that the physical
interface has an address at all, so CARP can now be used on /30 networks.
ok deraadt@ henning@
|
|
|
|
|
|
pfvar.h. builds kernel and userland.
|
|
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.
ok deraadt@ henning@ dhartmei@
|
|
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.
ok deraadt@ henning@ dhartmei@
|
|
|
|
ok mcbride@
|
|
Also purge states with an empty ifname.
ok mcbride@
|
|
header. pf finds the first TCP/UDP/ICMP6 header to filter by traversing
the header chain. In the case where headers are skipped, the protocol
checksum verification used the wrong length (included the skipped headers),
leading to incorrectly mismatching checksums. Such IPv6 packets with
headers were silently dropped. Reported by Bernhard Schmidt. ok mcbride@
|
|
table is not visible/accessible when the rule is the only reference
(you don't HAVE to reference the table elsewhere).
|
|
|
|
the 3-way handshake. Allow limits on both total connections and connection
rate, put offenders in a table which can be used in the ruleset, and optionally
kill existing states. Rate tracking code from dhartmei@.
Adds a second pool for table entries using the default allocator, which
allows entries to be added at splsoftnet().
ok deraadt@ dhartmei@
|
|
a struct timeout to struct ifqueue so that each one has its own - it
is a per-queue thing. from chris pascoe
|
|
around the entire body. this resolves the (misleading) panics in
pf_tag_packet() during heavy ioctl operations (like when using authpf)
that occur because softclock can interrupt ioctl on i386 since SMP.
patch from camield@. ok mcbride@, henning@ and (presumably ;) bob@
|
|
|
|
ok otto jsg henning pat markus deraadt fgs
|
|
ok canacar markus millert
|
|
as for the ports, i could only find one. if there are more, they will be
fixed in the tree as discussed with peter.
deraadt@ pvalchev@ ok.
|
|
|