path: root/sys/net
Age  Commit message  [Author]
2002-12-18  KNF  [Henning Brauer]
2002-12-18  big KNF round  [Henning Brauer]
2002-12-18  Pass skip step values through ioctl interface, pfctl -vvsr shows them, main purpose is making them regress-testable.  [Daniel Hartmeier]
2002-12-18  KNF  [Henning Brauer]
2002-12-18  Match the rule protocol against the actual protocol of the packet, not just tcp. A silly copy/paste error by yours truly located by deraadt@  [Ryan Thomas McBride]
2002-12-17  Merge pf_nat/pf_binat/pf_rdr structs into pf_rule. Simplifies code, allows skip steps on translation rules. Also: - Require a ticket for DIOCCHANGERULE operations to prevent races. - Remove pf_compare_* functions from pf_ioctl.c. DIOCCHANGE* operations use a rule number, and comparisons happen in userland. Testing and fixes from dhartmei@ and frantzen@ ok dhartmei@ henning@  [Ryan Thomas McBride]
2002-12-16  add options for 2 more queueing disciplines, PRIQ and HFSC. ok henning@ dhartmei@  [Kenjiro Cho]
2002-12-13  add pqueue and pqid to pf_rule. this allows for a second queue on pf_rule. assign packets with tos 0x10 (lowdelay) to this one. if the second queue isn't specified set pqid = qid idea dhartmei@ ok dhartmei@ frantzen@ deraadt@  [Henning Brauer]
2002-12-12  Pastos in pf_compare_pool(); dhartmei@, mcbride@ ok.  [Aaron Campbell]
2002-12-12  minor KNF  [Henning Brauer]
2002-12-11  Use m_copym2 to copy the whole mbuf (cluster included) and not incrementing its reference. Fixes a m_zero panic reported by markus@ when pfdatatopacket returns a cluster. Tested by markus@, jason@ ok.  [Federico G. Schwindt]
2002-12-11  unpee  [Michael Shalayeff]
2002-12-10  renumber the get/set debug ioctls for they conflict w/ ppp, we do not keep the O versions since these are debugging only and should not affect normal functionality; deraadt@ ok  [Michael Shalayeff]
2002-12-10  check IFF_RUNNING early in bstp_transmit_tcn; from netbsd; ok jason@  [Markus Friedl]
2002-12-09  NPF, not NFP (prevented outgoing bridge_ipsec() packets from being filtered); Darren Reed <avalon@coombs.anu.edu.au>  [Jason Wright]
2002-12-09  knf  [Theo de Raadt]
2002-12-09  allow setting of ifcost with brconfig. enables selection of preferred port/path to root bridge among several LANs. unlike ifpriority, which allows you to select designated port if several interfaces belong to the same LAN; ok jason@  [Markus Friedl]
2002-12-06  Replace license with something that's actually free. Approved by original author. Julian.Onions@nexor.co.uk  [Nathan Binkert]
2002-12-06  Introduce anchors and named rule sets, allowing to load additional rule sets with pfctl and evaluate them from the main rule set using a new type of rule (which will support conditional evaluation soon). Makes maintenance of sub-rulesets simpler for pfctl and daemons. Idea and ok deraadt@  [Daniel Hartmeier]
2002-12-04  spanning tree: flush dynamic mac cache if interface goes to the blocking or disabled state. send packets only if interface is the forwarding state; comment from netbsd; with and ok jason@  [Markus Friedl]
2002-12-03  no need to mh_align (while it's wrong), cleaner mtu setting; dhartmei@ ok  [Michael Shalayeff]
2002-12-01  KNF  [Henning Brauer]
2002-12-01  - Clean up pf_ioctl mainly by adding new functions to handle cleaning and freeing rules. Fixes a number of potential memory leaks and other bugs. - Add new pool_ticket to insure that address pools don't get messed with by someone else while we add rules. - Add a second address pool buffer, so that DIOCCHANGE* operations which use pf_compare* will work correctly. Excellent bug report and analysis from DJ Gregor. ok dhartmei@ henning@  [Ryan Thomas McBride]
2002-12-01  pfsync currently causes kernel faults, so we don't want to call these functions ok dhartmei@  [Ryan Thomas McBride]
2002-11-29  minor KNF  [Henning Brauer]
2002-11-29  expose state table changes  [Michael Shalayeff]
2002-11-29  Get the address pool in DIOCCHANGEADDR for all operations, prevents PF_CHANGE_REMOVE from dereferencing a NULL pointer. Noticed by dhartmei@ ok dhartmei@  [Ryan Thomas McBride]
2002-11-28  - MD5 too slow, replace with pf_hash (based on hash from if_bridge.c) - Always fold the key in Many fixes & suggestions from camield@ ok mickey@ camield@ henning@  [Ryan Thomas McBride]
2002-11-26  Call the enable function, don't set the variable directly.  [Jason Wright]
2002-11-26  pass struct pfioc_changeaddr to DIOCCHANGEADDR rather than struct pfioc_pooladdr an obvious fix from dhartmei@  [Ryan Thomas McBride]
2002-11-26  1000baseTX -> 1000baseT - More technically correct - Matches FreeBSD and NetBSD - Preserved #define for 1000baseTX for backwards compatibility ok jason@  [Nathan Binkert]
2002-11-26  fix "pfctl -Fq". after altq gets flushed, altq forgot that it was enabled since altq is actually detached with an empty ruleset. so, add a variable, pfaltq_running, to remember the running state and re-enable altq when a new ruleset is loaded. noticed, tested, and oked by henning@  [Kenjiro Cho]
2002-11-24  move } outside #ifdef INET6 unbreaks compiling kernel without IPv6 support. how embarrassing, spotted by Chris Kuethe  [Ryan Thomas McBride]
2002-11-23  KNF  [Theo de Raadt]
2002-11-23  pass a pointer to the hash, not the first chunk of it  [Ryan Thomas McBride]
2002-11-23  kernel code to allow multiple redirection addresses to be specified for nat and rdr, as well as route-to, dup-to and reply-to. Addresses can be allocated in a number of ways: - masking out the network portion of the address and replacing it - randomly assigning an address in the block - hashing the source address and a key to determine the redirection address - iterating through the addresses sequentially (this is the only allocation scheme which works when a list of addresses is specified) ok dhartmei@ henning@  [Ryan Thomas McBride]
2002-11-22  on block rules, let queue apply to the RST packets in the return-rst case and the returned icmp packets in the return-icmp case ok dhartmei@  [Henning Brauer]
2002-11-20  KNF  [Theo de Raadt]
2002-11-12  Missing splx. dhartmei@ ok  [Mike Pechkin]
2002-11-07  Short-circuit evaluation can leave invalid pointers, closes PR2874.  [Daniel Hartmeier]
2002-11-02  Compare dynamic addresses correctly in pf_compare_*: check the interface name rather than the ip address if it exists. ok dhartmei@ henning@  [Ryan Thomas McBride]
2002-11-02  Make PF_ANEQ(), PF_ANEQ() and PF_AZERO() check the whole address if af is not set to AF_INET6 or AF_INET ok dhartmei@ henning@  [Ryan Thomas McBride]
2002-10-29  keep all pflog goodies in pflog sources, avoids code duplications; okski frantzen@ and dhartmei@  [Michael Shalayeff]
2002-10-25  Compare pf_rule->label in pf_compare_rules(), too. Found by DJ Gregor.  [Daniel Hartmeier]
2002-10-22  Convert "int af" and "u_int8_t af" declarations and function arguments to the more correct and descriptive "sa_family_t af" ok dhartmei@ henning@  [Ryan Thomas McBride]
2002-10-22  check the correct return value from ifunit() (returns ifp, not ifname) ok dhartmei@ ish@ camield@ henning@  [Ryan Thomas McBride]
2002-10-20  Move pf_compare_(rules|nats|binats|rdrs) to pf_ioctl.c. Simplifies and reduces cross-file dependencies. ok dhartmei@ ish@ henning@  [Ryan Thomas McBride]
2002-10-14  Allow one to specify a netblock in a binat rule: binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27 Both the network mask on the source and redirect addresses MUST be the same, and it works by essentially combining the network section of the redirect address with the host section of the source address. from ryan ok dhartmei@  [Henning Brauer]
2002-10-10  Missing m_pullup() and mbuf corruption. This potentially caused panic: m_copym0: m == 0 and not COPYALL and/or panic: m_copydata: null muf on bridges running pf with scrubbing enabled. Bug report, test vector and confirmation by Jon Morby. ok jason@, jasoni@  [Daniel Hartmeier]
2002-10-10  padd pf_state; dhartmei@ ok  [Michael Shalayeff]