Age | Commit message | Author |
|
DIOCRINABEGIN, DIOCRINACOMMIT ioctls.
Use DIOCXBEGIN/DIOCXCOMMIT/DIOCXROLLBACK instead.
ok beck@ dhartmei@ henning@
|
table is destroyed in pfr_setflags_ktable.
Fix from Chris Pascoe
|
keyword in C++. ok henning@, cedric@
|
their *source* IP address in addition to their destination address.
routing table "destination" now contains a "struct sockaddr_rtin"
for IPv4 instead of a "struct sockaddr_in".
the routing socket has been extended in a backward-compatible way.
todo: PMTU enhancements, IPv6. ok deraadt@ mcbride@
|
pool allocator, _nointr. testing/ok beck@ cedric@
|
descriptions, configurable with ifconfig
help from various, ok deraadt@
|
Now to have more bpf devices just add device nodes in /dev,
no need to recompile kernel anymore.
Code from form@pdp-11.org.ru, some help from markus@.
ok markus@ canacar@ deraadt@
|
interface is detached, and wake up any polling processes when the
bpf descriptor is closed. ok henning@, tedu@
|
the parser now needs quotes around paths containing separators.
ok mcbride@
|
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@
|
add ETHER_MAX_LEN_JUMBO, ETHER_VLAN_ENCAP_LEN, ETHER_ALIGN, and
ETHERMTU_JUMBO constants.
if.h
add a few more interface capabilities flags.
Some from NetBSD, some from FreeBSD.
ok markus@
|
the ruleset and invalidate the pointer. ok cedric@
|
From NetBSD
ok deraadt@
|
RTM_CHANGE/LOCK only work on perfect matching routes. ppp and bgpd got
broken because of this. Most of the code in the "grotty" block is already
done by rn_lookup(); only host routes need some special treatment.
OK cedric@
|
also fixup checksum when random-id modifies ip_id. This would previously
lead to incorrect checksums for packets modified by scrub random-id.
From Pyun YongHyeon. ok cedric@
|
a packet is routed already) in the mbuf tag, allow at most four times.
Fixes some legitimate cases broken by the previous change. ok cedric@
|
Marc Huber. ok deraadt@
|
while asleep in read. ok deraadt@
|
This moves md5.c out of libkern and into sys/crypto where it belongs (as
requested by markus@). Note that md5.c is still mandatory (dev/rnd.c uses it).
Verified with IPsec + hmac-md5 and tcp md5sig. OK henning@ and hshoexer@
|
sequence numbers by taking advantage of the maximum 1KHz clock as an upper bound
on the timestamp. Typically gains 10 to 18 bits of additional security against
blind data insertion attacks. More if the TS Echo wasn't optional :-(
Enabled with: scrub on !lo0 all reassemble tcp
ok dhartmei@. documentation help from jmc@
|
table from these metrics. struct rt_msghdr used by the routing socket is not
affected and so most userland apps don't need to be changed.
some man page polishing by jmc@
OK henning@ markus@ theo@
|
Allows tagging of the incoming packets, and a single interface bridge to
be actually useful for MAC level filtering/tagging.
ok henning@
|
This matches our SLIST behaviour and NetBSD's SIMPLEQ as well.
ok millert krw deraadt
|
"if (error == 0)" should be "if (error != 0)".
|
Also comment #endif properly while being here
ok mcbride@
|
- convert counters to 64 bits
- add dedicated counters for sanity checks added right before release
- clean up netstat output
|
- If the physical interface goes down or the link goes down,
the carp interface goes down as well.
- We treat this like the preemption holdoff with pfsync.
So if one of the carp interfaces is known to be bad (because the
physical interface it's associated with is bad), all the other carp
interfaces back off: they won't preempt, and their advskew goes to 240.
ok cedric@
|
ok mcbride@
|
enabled when we're doing full frag reassembly and thus have full seq info
ok markus@
|
reload rules.
this fixes an altq problem that, if you reload pf rules not containing
queues while running altq, the interface shaper is not properly removed.
make pf_altq_running local to pf_ioctl.c since it is no longer used in
altq_subr.c.
ok henning@
|
manual page.
- more strict bpf code validation, preventing arbitrary kernel memory
reads and writes.
Some help from frantzen@ and canacar@; testing jmc@ markus@;
ok canacar@ henning@ frantzen@
|
to the mbuf and free the cluster when it contains a small packet.
ok deraadt@
|
ok deraadt@
|
this fixes corruption of the address pools with large rulesets.
This is a candidate for -stable.
Reported by Zbigniew Kossowski <zk@openbsd.com.pl>, hours of braintwisting
debugging by pb@
|
needed; these are slightly different so that we cannot use the new
IF_INPUT_ENQUEUE macro
deraadt ok
|