summaryrefslogtreecommitdiff
path: root/sys/net
AgeCommit message (Collapse)Author
2004-02-07Use the offset provided to us by m_pulldown(), rather than using size ofRyan Thomas McBride
ip and pfsync headers. This makes us behave correctly if the packet is spread across multiple mbufs (which does not appear to happen in practice).
2004-02-06as seen in netbsd. crank bpf sizes to adapt to faster networks.Ted Unangst
max size goes to 2MB, default goes to 32k. ok canacar@ mcbride@
2004-02-04Fix a number of bugs with setting pool limits which I introduced withRyan Thomas McBride
source-tracking. Found by Pyun YongHyeon. Also add support to pfctl to set the src-nodes pool limit. "Luckily" some of the bugs cancel each other out; update kernel before pfctl. ok dhartmei@
2004-02-02missing #if NPF > 0. ok henning@Cedric Berger
2004-02-02Do not evaluate pfi_index2kif[ifp->if_index] if PF is disabled.Cedric Berger
Safer and faster since we know that ifp->if_index can potentially be garbage. ok dhartmei@
2004-01-27drop packet if kif == NULL; ok henning deraadtMarkus Friedl
2004-01-27don't convert tcpmd5 to ip-over-ip in SADB_X_GETSPROTO; from hshoexerMarkus Friedl
2004-01-26- use SIOC[GS]WAVELAN.Federico G. Schwindt
- fill ac_enaddr correctly. - put ic_myaddr back.
2004-01-22- Include the value of pf_state.timeout in pfsync messagesRyan Thomas McBride
- Fix the expiry time calculations, for real - Unbreak the collapsing of multiple updates into one And a little KNF for good measure.
2004-01-20the pfsync interface does not have a baudrate, so don't claim 100 MBit/sHenning Brauer
ok mcbride@
2004-01-20Ignore pfsync packets if pf is not running.Ryan Thomas McBride
2004-01-19Update comment; handling PFSYNC_ACT_UPD in pfsync_input() is no longerRyan Thomas McBride
optional.
2004-01-19Clean up creation and expiry timestamp calculations.Ryan Thomas McBride
2004-01-18Port is already stored in network byte order, no need to convert.Ryan Thomas McBride
2004-01-16Fix IPv6 stateful tcp scrubbing by not dereferencing a null pointer.Ryan Thomas McBride
ok dhartmei@ frantzen@
2004-01-15add a RTM_IFANNOUNCE message; from netbsd; ok itojun, henningMarkus Friedl
2004-01-12use klist_invalidate to permit destroy while kqueued. ok mpf@Ted Unangst
2004-01-09fix leak ether_deatch(): if if_free_sadl() is called before if_detach()Markus Friedl
then ifnet_addrs[ifp->if_index] leaks; if it's called after if_detach() then if_free_sadl() does nothing; ok itojun
2004-01-07PFI_MTYPE leak; ok cedric@Markus Friedl
2004-01-07ieee80211 framework from NetBSD; ok'd by several people some time ago.Federico G. Schwindt
more fixes comming.
2004-01-06Drop UDP packets with destination port 0, or zero or oversized payloadDaniel Hartmeier
length (same as udp_input() does, if pf is not enabled). Found by Pyun YongHyeon. ok cedric@, ho@, henning@ and markus@.
2004-01-05stop ifc_destroy() if there are still knotes registered.Marco Pfatschbacher
ok mcbride@ markus@
2004-01-050 -> (void *)NULL for last argument of icmp_error(), which is of typeDaniel Hartmeier
struct ifnet *, from Pyun YongHyeon
2004-01-05Repair my merging error, simplify DIOCCLRSTATUS code. ok dhartmei@Cedric Berger
2004-01-05Repair merge errors. Thanks Pyun YongHyeon, Sorry Henning :)Cedric Berger
2004-01-04oops... string.h ended up being included twice; pointed out by espiePeter Valchev
2004-01-04better macro name (IF_LOCKED -> BOUND_IFACE). from markus.Cedric Berger
2004-01-04include proper protos for userland; deraadtPeter Valchev
2004-01-03make sure userland sees memcmp and friends (gcc3)Marc Espie
okay frantzen@
2004-01-03put an mi wrapper around stdarg.h/varargs.h. gcc3 moved stdarg/varargs macrosMarc Espie
to built-ins, so eventually we will have one version of these files. Special adjustments for the kernel to cope: machine/stdarg.h -> sys/stdarg.h and machine/ansi.h needs to have a _BSD_VA_LIST_ for syslog* prototypes. okay millert@, drahn@, miod@.
2003-12-31spacing. note this, cedricTheo de Raadt
2003-12-31delay interfaces attach until "self" has been created; ok cedric@Markus Friedl
2003-12-31Many improvements to the handling of interfaces in PF.Cedric Berger
1) PF should do the right thing when unplugging/replugging or cloning/ destroying NICs. 2) Rules can be loaded in the kernel for not-yet-existing devices (USB, PCMCIA, Cardbus). For example, it is valid to write: "pass in on kue0" before kue USB is plugged in. 3) It is possible to write rules that apply to group of interfaces (drivers), like "pass in on ppp all" 4) There is a new ":peer" modifier that completes the ":broadcast" and ":network" modifiers. 5) There is a new ":0" modifier that will filter out interface aliases. Can also be applied to DNS names to restore original PF behaviour. 6) The dynamic interface syntax (foo) has been vastly improved, and now support multiple addresses, v4 and v6 addresses, and all userland modifiers, like "pass in from (fxp0:network)" 7) Scrub rules now support the !if syntax. 8) States can be bound to the specific interface that created them or to a group of interfaces for example: - pass all keep state (if-bound) - pass all keep state (group-bound) - pass all keep state (floating) 9) The default value when only keep state is given can be selected by using the "set state-policy" statement. 10) "pfctl -ss" will now print the interface scope of the state. This diff change the pf_state structure slighltly, so you should recompile your userland tools (pfctl, authpf, pflogd, tcpdump...) Tested on i386, sparc, sparc64 by Ryan Tested on macppc, sparc64 by Daniel ok deraadt@ mcbride@
2003-12-28Add a new PFSYNC_ACT_UREQ message type.Ryan Thomas McBride
A pfsync system which recieves a partial update for a state it cannot find can now request a full version of the update, and insert it. pfsync'd firewalls now converge more gracefully if one is missing some states (due to reset, lost insert packets, etc).
2003-12-22pasto in pf_status.src_nodes backup, from 'kirash'Daniel Hartmeier
2003-12-19more const-correctness, ok mcbride@Daniel Hartmeier
2003-12-19i wrote much of these, assert my copyrightHenning Brauer
2003-12-19rn_satsifies_leaf -> rn_satisfies_leafBrad Smith
from itojun@netbsd rev 1.15 ok deraadt@
2003-12-18Save pf_status.hostid and pf_status.stateid in the DIOCCLRSTATUSRyan Thomas McBride
ioctl. Pointed out by dhartmei@ ok dhartmei@
2003-12-18Unbreak compile with no pfsync(4) device.Ryan Thomas McBride
patch from Max Laier
2003-12-18TCP timestamp modulation (scrub reassemble tcp) fix from frantzen@Daniel Hartmeier
2003-12-18resolve compiler warnings, from Pyun YongHyeon, ok cedric@, mcbride@Daniel Hartmeier
2003-12-17start spanning tree on ifconfig up; from Marco Pfatschbacher; ok jason@Markus Friedl
2003-12-16when a bridge filter rule specifies both src and dst mac address, we do notHenning Brauer
want to compare both against the packet's source address. works much better when we compare the dst address to the packet's dst address. ok camield@ canacar@ markus@ jason@
2003-12-16return error in ifc_destroy; ok deraadt, itojun, cedric, hshoexerMarkus Friedl
2003-12-16Don't do all the heavy pfsync processing if there are no bpf listenersRyan Thomas McBride
and no network synchronization is happening.
2003-12-15sc_sp is a #define on some architectures, use a different nameTheo de Raadt
2003-12-15ryan left a few for me ;-)Henning Brauer
2003-12-15Fix whitespace screwups before henning wakes up.Ryan Thomas McBride
2003-12-15Add initial support for pf state synchronization over the network.Ryan Thomas McBride
Implemented as an in-kernel multicast IP protocol. Turn it on like this: # ifconfig pfsync0 up syncif fxp0 There is not yet any authentication on this protocol, so the syncif must be on a trusted network. ie, a crossover cable between the two firewalls. NOTABLE CHANGES: - A new index based on a unique (creatorid, stateid) tuple has been added to the state tree. - Updates now appear on the pfsync(4) interface; multiple updates may be compressed into a single update. - Applications which use bpf on pfsync(4) will need modification; packets on pfsync no longer contains regular pf_state structs, but pfsync_state structs which contain no pointers. Much more to come. ok deraadt@