summaryrefslogtreecommitdiff
path: root/sys/net
AgeCommit message (Collapse)Author
2001-08-19compile w/out INETJason Wright
2001-08-19Loosened TCP state code which should allow stupid stacks to shotgun theirMike Frantzen
SYNs and provide better handling for pre-existing connections.
2001-08-18Add new ioctl for adding/removing individual rules to/from the active rule set.Daniel Hartmeier
2001-08-18make pfctl -s state SCREAM; frantzen is now happyTheo de Raadt
2001-08-12now, that kernel compiles, i can go get an ash tray somewhereMichael Shalayeff
2001-08-11Add support for ICMP errors referring to ICMP queries/replies. FixesDaniel Hartmeier
'ICMP error message for bad proto' messages. Reported by Mark Grimes and Steve Rumble. Add debugging level with ioctl interface and pfctl switch. Default is 'None'.
2001-08-05Actually, move the check inside the switch.Angelos D. Keromytis
2001-08-05Only flush the policies if the message type is UNSPEC.Angelos D. Keromytis
2001-08-03Use IFCAP_VLAN_MTU and IFCAP_VLAN_HWTAGGING capabilities:Chris Cappuccio
LINK0 disappears; we now set IFCAP_VLAN_HWTAGGING at ifnet->if_capabilities in the Ethernet driver for cards/drivers which support hardware tagging. MTU ambiguity disppears; we now set IFCAP_VLAN_MTU in the Ethernet driver when we know the chip will not truncate/discard vlan-sized frames. Only allow the MTU to be changed within the scope of the parent interface's MTU. (Here we also take into account IFCAP_VLAN_MTU) Propagate hardware-assisted IP/TCP/UDP checksumming flags to the vlan interface if the card supports hardware tagging (from NetBSD)
2001-08-03simplify previous fix (0-length mbuf in mbuf chain). from freebsdJun-ichiro itojun Hagino
2001-08-02do not exit loop even if m_len == 0. it is legal to have an mbuf withJun-ichiro itojun Hagino
m_len == 0 in mbuf chain.
2001-08-02KNFTheo de Raadt
2001-08-01stateless tcp normalization along the lines of the normalization paper byNiels Provos
handley, paxon and kreibich; okay deraadt@
2001-07-30never before has a file so often deviated from KNFTheo de Raadt
2001-07-30use queue.h macrosJason Wright
2001-07-29Implement rule skipping. This is a transparent evaluation optimization,Daniel Hartmeier
which reduces evaluation cost for sorted rules of similar parameters. Preparation for rule duplication for parameter lists from pfctl.
2001-07-27PF_IN/PF_OUT aren't defined if NPF <= 0, deal with it.Jason Wright
2001-07-27variable name "gif" is way too generic - use "gif_softc". sync with kameJun-ichiro itojun Hagino
2001-07-25nat proxy port randomization by ben fleis.Daniel Hartmeier
2001-07-25Make sure pkthdr.rcvif is correct before calling pf_test()Jason Wright
2001-07-25- unconditionalize call to bridge_input() (fewer #ifdef's and NPF>0 is ↵Jason Wright
default case anyway). - add support for filtering on interface output (and call pf_test() appropriately) What all this means: nonstateful and stateful PF filtering now works with the bridge.
2001-07-25Initialization of arpcom * based on ifp was too soon: ifp can change asJason Wright
a result of a call to bridge_input().
2001-07-21print additional debugging information for 'insert invalid' messages. occurs ↵Daniel Hartmeier
for some people (never for me), and I need more information. will be removed after the issue is resolved. please report these, if you get them.
2001-07-21missing \n in a log() callJun-ichiro itojun Hagino
2001-07-21repair validation on RTAX_GENMASK insertion. has been broken since 44bsd.Jun-ichiro itojun Hagino
(freebsd3 has a fix since 1999, but has insufficient validation on sa_len)
2001-07-20use a variable, not it's default value from constantMichael Shalayeff
2001-07-20make equal() macro to check sa_len match, otherwise we will touchJun-ichiro itojun Hagino
the content of a2 beyond a2->sa_len mistakenly. sync with kame
2001-07-19Fix/complete the handling of the binary ops >< and <> to behaveKenneth R Westerback
like the ipf operators. The 'n >< m' construct (Include Range = PF_OP_IRG) should match ports greater than n and less than m, not greater than or equal to n and less than or equal to m. The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match all ports less than n OR greater than m, not be treated as an alias for ><. Thus PF_OP_GL, which was used for both <> and >< is replaced with PF_OP_IRG and PF_OP_XRG with the 'correct' semantics. OK dhartmei@
2001-07-18fix pf_get_rdr() for single port (dport2 == 0) rules. found by lebel@.Daniel Hartmeier
2001-07-17support min-ttl, okay dhartmei@Niels Provos
2001-07-17normalize ip_off, make IP_DF stripping optional, return rst is a flag now.Niels Provos
okay markus@
2001-07-17ip normalization codeNiels Provos
2001-07-17split ip normalization out into a separate file, okay dhartmei@Niels Provos
2001-07-15increase src->state to 1 when creating state from intermediate (non-SYN) ↵Daniel Hartmeier
packets. this fixes one class of BAD state messages (where seqlo=0, seqhi=1).
2001-07-14use int instead of signed char. doesn't use more memory (padding occurs) and ↵Daniel Hartmeier
is actually faster.
2001-07-13indent.Federico G. Schwindt
2001-07-13everytime i clean in here, i get a 250 line diff...Theo de Raadt
2001-07-11Simplify pf_pull_hdr(), don't use inner IP header's ip_len or ip_offDaniel Hartmeier
in case of pf_test_state_icmp(). This solves the "ICMP error message too short" problems. Reported by ycchang and heko.
2001-07-10Missing breaks.Marc Espie
Case labels must be integral values for deterministic behavior.
2001-07-10another lame OpenBSD tag.Federico G. Schwindt
2001-07-09do compare in host order. found by millert@.Daniel Hartmeier
2001-07-09More lame OpenBSD tags.Federico G. Schwindt
2001-07-09Extend nat/rdr syntax. Add source/destination selection. MakeDaniel Hartmeier
interface optional. Suggested by rdump@river.com. nat [on [!] <ifname>] from (any | [!] <addr>[/<mask>]) to (any | [!] <addr>[/<mask>]) -> <addr> [proto (tcp | udp | icmp)] rdr [on [!] <ifname>] from (any | [!] <addr>[/<mask>]) to (any | [!] <addr>[/<mask>]) port <a>[:<b>] -> <addr> port <c>[:*] [proto (tcp | udp | icmp)]
2001-07-07get rid of compiler warningMarco S Hyman
2001-07-06style change #2, avoid (a == b) == cDaniel Hartmeier
2001-07-06style change #1, avoid ternary operatorDaniel Hartmeier
2001-07-06theo requests less archaic styleChris Cappuccio
2001-07-06don't evaluate rules for packets that have state but mismatch seq range ↵Daniel Hartmeier
(could create duplicate state)
2001-07-06Allow negative match on interface name for nat and rdrChris Cappuccio
ok dhartmei@
2001-07-06some cleanup, okay dhartmei@Niels Provos