Age | Commit message | Author |
|
it after the fact.
ok henning@, claudio@
|
|
intended.
ok claudio@, henning@
|
|
Address Autoconfiguration in IPv6". For those among us who are paranoid
about broadcasting their MAC address to the IPv6 internet.
Man page help from jmc, testing by weerd, arc4random API hints from djm.
ok deraadt, claudio
|
|
Makes IPv6 work with if_vether.
ok deraadt
|
|
Found out the hard way by Laurent ``bucky'' Lavaud and myself.
Input by claudio@, ok dlg@
|
|
OK michele@
|
|
looked up. can vether get any smaller?
ok deraadt@ claudio@
|
|
ok claudio@
|
|
get used at all. turns out this needs more work - after release.
|
|
balancing issue from wrong order of operations (change after insert is
illegal with RB). and apparently there are cases left. to be revisited
after release
|
|
also protect the flushing of the deferred packet queue in clone_destroy
with the right spls. noticed by claudio@
|
|
tracked down by Dan Harnett <daniel at harnett.name>
|
|
ok sthen@ henning@
|
|
rt_newaddrmsg(). Makes the routing daemons a bit less confused when
interfaces are reconfigured.
|
|
rt_if_linkstate_change() needs to be rerun for this route and the
resulting rt_flags need to be copied to the rtm_flags for userland.
Problem found and diagnosed by Doran Mori. OK henning@, jsing@
|
|
cables. OK jsg@, krw@, sthen@
|
|
Another thing found by Gleydson Soares.
|
|
nat rule. It should check to see if it's in-use (i.e. matches an existing
PF state), if it is, it cycles sequentially through other ports until
it finds a free one. However the check was being done with the state
keys the wrong way round so it was never actually finding the state
to be in-use.
- switch the keys to correct this, avoiding random state collisions
with nat. Fixes PR 6300 and problems reported by robert@ and viq.
- check pf_get_sport() return code in pf_test(); if port allocation
fails the packet should be dropped rather than sent out untranslated.
Help/ok claudio@.
|
|
ok otto
|
|
definition of DPFPRINTF(), and log priorities from syslog.h. Old debug
levels will still work for now, but will eventually be phased out.
discussed with henning, ok dlg
|
|
ok claudio
|
|
it if we have it.
Requested by dlg, ok henning.
|
|
incorrect error handling
|
|
happy and went to use after free instead. ryan and I think we found the
reason - just freeing the state keys in the error path is wrong as well,
since pf_state_key_setup could have found existing, identical state keys
and linked our state to these. if we now free them the other state that
hung off these state keys would point back to the freed state keys. so
instead of manually trying to free the state keys just call
pf_state_key_detach which has all the magic checks.
with and ok ryan
|
|
is not null, to be safe and to be able to call this with half setup
states. with and ok ryan
|
|
to nothing. this lets us see functions in ddb, while not hurting the
ability to share the code with other projects.
idea borrowed from the usb stack.
ok yasuoka@
|
|
is set whenever we are changing the rcvif. It is still not possible to pass traffic
between two vether but works now from outside.
OK deraadt@
|
|
the list of all interfaces and traversing the list of all addresses on each
interface.
if bugs show up with addressing this is the #1 backout candidate, something
i missed might fuck with ifaddrs behind our back, although i looked &
tested hard. 10x to naddy for inet6 testing.
ok theo ryan dlg
|
|
includes AF_LINK addresses (aka mac addresses in the ethernet case). for
inet this also includes the broadcast addresses.
depends on ifinit() called earlier so we have a chance to pool_init before
autoconf assigns the AF_LINK addresses, the v6 fix, and the ifa_add/del
abstraction i just committed.
this is a change in semantics, it is now illegal to change the actual
address in an ifaddr struct because then the RB tree becomes unbalanced.
nothing using this tree yet.
ok theo ryan dlg
|
|
many places create a proper API (ifa_add / ifa_del) and use it.
ok theo ryan dlg
|
|
which no longer exists. Makes gcc4 kernels compile again.
ok henning@
|
|
that it knows how big the messages are.
rework the message handlers to use the pfsync_subheader.len value to
iterate over the message regions.
deprecate the EOF subheader since trying to pulldown a 0 byte buffer is
fail.
ok mcbride@ sperreault@
|
|
this makes sure there is enough of the message to try and parse it, and
allows implementations to skip past regions prefixed by unknown subheaders.
based on discussion with mcbride@ deraadt@ and simon perreault
|
|
ok mcbride@
|
|
splx().
|
|
ok henning
|
|
is safe for both hardware devices and virtual devices
ok mpf, kettenis, moaning and groaning and slow acceptance from mcbride
XXX should loop checking for uniqueness after new henning diff goes in
|
|
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.
Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.
ok henning dlg claudio
|
|
bpfdetach() will be called in if_detach(). Diff by Gleydson Soares
|
|
ok mcbride@
|