summaryrefslogtreecommitdiff
path: root/sys/net
AgeCommit message (Collapse)Author
2005-10-03add a simple active "failover" trunk mode. port priorities will beReyk Floeter
added later, currently the master port will always be the default (active) port and the the next active port will be used as the failover port. ok brad@
2005-09-30remove old unused NRL IPv6 code.Brad Smith
ok deraadt@
2005-09-28No part of the code defines UNALIGNED_ACCESS, use reverted tests forMiod Vallat
__STRICT_ALIGNMENT instead. Help pedro@ deraadt@, ok deraadt@
2005-09-28Improve the safety of pf IOCTLs, taking into account that some paths can sleep.Christopher Pascoe
- Introduces a rw_lock in pfioctl so that we can have concurrent readers but only one process performing updates at a time; - Separates state expiry into "unlink" and "free" parts; anyone can unlink a state/src node from the RB trees at any time, but a state can only be freed whilst the write lock is held; - Converts state_updates into list state_list containing all states, regardless of whether they are "linked" or "unlinked"; - Introduces a new PFTM_UNLINKED state that is used on the "unlinked" states to signal that they can be freed; - Converts pf_purge_expired_state to an "unlink" state routine, which only unlinks the state from the RB trees. Freeing the state/src nodes is left to the purge thread, which runs whilst holding a write lock, such that all "next" references remain valid; - Converts pfsync_bulk_update and DIOCGETSTATES to walk state_list rather than the RB trees; - Converts the purge thread to use the new state_list and perform a partial purge every second, with the target rate a full state table walk every PFTM_INTERVAL seconds. seen by mcbride, henning, dhartmei pre-3.8, but too intrusive for then
2005-09-14correctly set IFF_RUNNING flag after device state changes.Reyk Floeter
ok brad@
2005-09-11when adding any IP addresses make sure to UP the interface.Brad Smith
ok reyk@
2005-09-10update the trunk(4) driverReyk Floeter
- add multicast support by passing multicast addresses to the ports. this is a requirement for carp(4) over trunk(4). - support the smallest common interface capabilities. ie., this adds support for VLAN MTUs if all attached ports have this capability. - add a port_destroy callback to the trunk protocol. this fixes a potential crash if the master port has been detached while running. discussed with deraadt@, brad@ and some others.
2005-09-05in DIOCCHANGERULE, properly initialize table, if used in NAT rule.Daniel Hartmeier
from Boris Polevoy <vapcom at mail dot ru>, ok mcbride@
2005-08-22when nat'ing icmp 'connections', replace icmp id with proxy valuesDaniel Hartmeier
(similar to proxy ports for tcp/udp). not all clients use per-invokation random ids, this allows multiple concurrent connections from such clients. thanks for testing to Rod Whitworth, "looks ok" markus@
2005-08-22fix rdr to bitmask replacement address pool. patch from Max Laier,Daniel Hartmeier
reported by Boris Polevoy, tested by Jean Debogue, ok henning@
2005-08-18Malloc temporary buffers in pfioctl rather than having several largeChristopher Pascoe
pf_state buffers on the stack. ok henning mcbride
2005-08-18Rearrange pf_state and pfi_kif so that the parts of the structure neededChristopher Pascoe
to search for a particular entry in the RB trees are at the start of the structure. This permits us to place a much smaller structure on the stack in the interrupt paths that match packets against state entries. ok mcbride
2005-08-16Only send the PFSS_TIMESTAMP timestamp bit across the wire, in case weChristopher Pascoe
want to map the remaining bits to something else later on.
2005-08-16Synchronise timestamp modulation and scrubbing min ttl information.Christopher Pascoe
ok henning mcbride, looks good frantzen
2005-08-14don't require a valid route when configuring the tunnel;Markus Friedl
from Stephen Marley; ok deraadt@
2005-08-13Partial backout of previous revision, reinstates the ability to propagateChristopher Pascoe
a kill message for a state that was generated on another firewall.
2005-08-12Use actual packet contents when sending protocol rejects. Fixes PR 4305.Can Erkin Acar
Different fix tested by the submitter, xiangbo3 at gmail com. ok claudio@
2005-08-12Fill out interface name and state creation time correctly inChristopher Pascoe
DIOCGETSTATE. ok dhartmei mcbride
2005-08-11Remove bogus debug printf().Ryan Thomas McBride
ok ho@
2005-08-11Only decrement the max-src-conn counter for tcp connections that reachedJoel Knight
"established" state. Requires recompiling pfctl, etc. ok dhartmei@
2005-08-10kill spaces OK deraadt@Claudio Jeker
2005-08-10Add an additional media subtype IFM_TDM_E1_G704_CRC4 for TDM interfaces.Claudio Jeker
This makes it possible to distinguish between E1 G.704 mode with and without CRC4 checksum. Also add an operating mode IFM_TDM_MASTER to specify that the card has to provide the clock source for the line. OK deraadt@ canacar@
2005-08-07Do not blindly reset the state count to zero after a clear, as we may notChristopher Pascoe
have purged all states in the case when an interface name was specified. pf_purge_expired_states should decrease the count as appropriate. ok dhartmei
2005-08-07verify ticket in DIOCADDADDR, from Boris Polevoy, ok deraadt@Daniel Hartmeier
2005-08-07Reset kif->pfik_ifp to NULL before calling pfi_kif_unref(), similar changeChristopher Pascoe
to that in rev 1.40 for interface groups. ok henning
2005-08-06correct some spellosChristopher Pascoe
2005-08-05make three functions non-static (namespace is no issue, they might getDaniel Hartmeier
inlined), ok art@
2005-08-04instead of static locals, malloc/free. the goal is to reduce stack usage,Daniel Hartmeier
but statics are dangerous in case of concurrency. ok deraadt@
2005-08-03prevent unaligned memory access when processing LCP echo packets,Can Erkin Acar
making pppoe(4) work on sparc64. Fixes PR-4311 Reported and fix tested by David Coppa < dcoppa at gmail com >
2005-08-03Do not send "deletion" messages for states created by other pfsync peers whenChristopher Pascoe
they timeout. Any other hosts that have also learnt these states will already know that they are due to time out. ok henning
2005-08-03Eliminate another case where pool routines are called without process context.Christopher Pascoe
Instead of purging immediately, let the state be purged at the purge interval. ok henning
2005-08-03use flag macro instead of constantChristopher Pascoe
2005-08-02pass the AF in network byte order to bpfMarkus Friedl
2005-08-02Instead of copying a table structure so we can mask off a bit beforeChristopher Pascoe
"validating" it, pass the bits to be ignored down to the validating function in its allowedflags argument. Saves a 1kB+ stack allocation. ok henning@
2005-08-01Minor whitespace cleanup.Christopher Pascoe
2005-08-01Use a string directly rather than making a copy, save on stack space.Christopher Pascoe
Use a static buffer for another large variable, pending further analysis. prodded deraadt
2005-07-31Perform pf state/rule/table expiry in a kernel thread instead of runningChristopher Pascoe
it out of a timeout handler. This means we will have process context, required when using the oldnointr pool allocator. Addresses pr4186, pr4273. ok dhartmei@ henning@ tedu@
2005-07-31Missed argument in previous commit, applied separately to ease merges.Christopher Pascoe
2005-07-31Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chainChristopher Pascoe
to bpf with either an address family or other header added. These helpers only allocate a much smaller struct m_hdr on the stack when needed, rather than leaving 256 byte struct mbufs on the stack in deep call paths. Also removes a fair bit of duplicated code. commit now, tune after deraadt@
2005-07-31Change the API for icmp_do_error so that it takes the mtu directly, ratherChristopher Pascoe
than a pointer to struct ifnet containing it. Saves a 448 byte stack allocation in ip_forward which previously faked up a struct ifnet just for this purpose. idea ok deraadt millert
2005-07-29Use one "struct pf_state key" declaration at top of pf_test_state_icmp,Christopher Pascoe
instead of allocating it as a temp var in six mutually exclusive code paths. Saves 784 bytes of kernel stack (on i386).
2005-07-28rev 1.18Brad Smith
when there are multiple matches for the requested media, select the first matching instance rather than the last one. From chs NetBSD
2005-07-26Add missing newline to error message.Christopher Pascoe
2005-07-21account ipv4 packets with wrong tcp/udp/icmp checksums and udpMarkus Friedl
packets with invalid uh_len; ok dhartmei
2005-07-20need to reset kif->pfik_group to NULL before calling pfi_kif_unref() so it canHenning Brauer
notice that this kif is not referenced and not attached to an interface or a group and actually deletes it. plugs a memleak, PR 4267 is caused by this.
2005-07-19Remove vlan_input_tag() since all four drivers that used it have beenCamiel Dobbelaar
reworked to not strip vlan tags in hardware anymore. ok brad henning jason
2005-07-18Use M_PREPEND to take advantage of any slack leading space in the mbuf.Camiel Dobbelaar
ok markus jason henning brad
2005-07-12default mtu to no more than ETHERMTU to avoid fragmentation; henning@ okMichael Shalayeff
2005-07-11add missing {} around TAILQ_FOREACH block, found by David HillDaniel Hartmeier
2005-07-09ANSI protosBrad Smith