| Age | Commit message (Collapse) | Author |
|---|
|
ok pascoe@ mpf@
|
|
checking for a usable key, construct the key in the same way. Otherwise,
a colliding key might be missed or a state insertion might be refused even
though it could be inserted. The second case triggers the endless loop
fixed by 1.474, possibly allowing a NATed LAN client to lock up the kernel.
Report and test data by Srebrenko Sehic.
|
|
consistent style in sys/net/bpf.c.
ok henning@, "looks fine" canacar@
|
|
matching in the bridge receive path to make CARP operate correctly
on physical interfaces that are participating in a bridge.
ok mcbride@ henning@ dlg@
|
|
ok pascoe@
|
|
|
|
prevents a possible endless loop in pf_get_sport() with 'static-port'
Reported by adm at celeritystorm dot com in FreeBSD PR74930, debugging
by dhartmei@
ok dhartmei@
|
|
from Max Laier.
|
|
more than a second old.
ok mcbride@ henning@
|
|
|
|
|
|
|
|
Proposed by mcbride.
ok henning@, mcbride@
|
|
|
|
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan
|
|
|
|
Notably, this fixes "(pppoe0)" in pf. ok markus@
|
|
|
|
ok markus@
|
|
dealing with a carp interface.
|
|
style as vlan(4). carp interfaces no longer require the physical interface
to be on the same subnet as the carp interface, or even that the physical
interface has an adress at all, so CARP can now be used on /30 networks.
ok deraadt@ henning@
|
|
|
|
|
|
pfvar.h. builds kernel and userland.
|
|
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.
ok deraadt@ henning@ dhartmei@
|
|
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.
ok deraadt@ henning@ dhartmei@
|
|
|
|
ok mcbride@
|
|
Also purge states with an empty ifname.
ok mcbride@
|
|
header. pf finds the first TCP/UDP/ICMP6 header to filter by traversing
the header chain. In the case where headers are skipped, the protocol
checksum verification used the wrong length (included the skipped headers),
leading to incorrectly mismatching checksums. Such IPv6 packets with
headers were silently dropped. Reported by Bernhard Schmidt. ok mcbride@
|
|
table is not visible/accessible when the rule is the only reference
(you don't HAVE to reference the table elsewhere).
|
|
|
|
the 3-way handshake. Allow limits on both total connections and connection
rate, put offenders in a table which can be used in the ruleset, and optionally
kill existing states. Rate tracking code from dhartmei@.
Adds a second pool for table entries using the default allocator, which
allows entries to be added at splsoftnet().
ok deraadt@ dhartmei@
|
|
a struct timeout to struct ifqueue so that each one has its own - it
is a per-queue thing. from chris pascoe
|
|
around the entire body. this resolves the (misleading) panics in
pf_tag_packet() during heavy ioctl operations (like when using authpf)
that occur because softclock can interrupt ioctl on i386 since SMP.
patch from camield@. ok mcbride@, henning@ and (presumably ;) bob@
|
|
|
|
ok otto jsg henning pat markus deraadt fgs
|
|
ok canacar markus millert
|
|
as for the ports, i could only find one. if there are more, they will be
fixed in the tree as discussed with peter.
deraadt@ pvalchev@ ok.
|
|
|
|
Initial porting from NetBSD by David Berghoff.
Modified/simplified to match our sppp implementation.
ok deraadt@
|
|
and use sysctl for 'ipsecadm show'; ok deraadt
|
|
'binat from ... to ... -> (if)' are used, where the interface
is dynamic. reported by kos(at)bastard(dot)net, analyzed by
Pyun YongHyeon
|
|
reported by Joerg Sonnenberger, ok henning@
|
|
ok myself markus@
|
|
|
|
- Add a new PFSTATE_STALE flag to uncompressed state updates sent as a result
of a stale state being detected, and prevent updates with this flag from
generating similar messages.
- For the specific case where the state->src in the recieved update is ok but
the state.dst is not, take the partial update, then "fail" to let the other
peers pick up the better data that we have. From Chris Pascoe.
ok dhartmei@
|
|
for ACKs. It should filter the ACK replayed to the server, instead of
of the one to the client. Thanks to Daniel Polak for testing.
|
|
ok henning, markus.
|
|
ok millert@
|
