| Age | Commit message (Collapse) | Author |
|---|
|
|
|
|
|
|
|
Also comment #endif properly while being here
ok mcbride@
|
|
|
|
- convert counters to 64 bits
- add dedicated counters for sanity checks added right before release
- clean up netstat output
|
|
- If the physical interface goes down or the link goes down,
the carp interface goes down as well.
- We treat this like the preemption holdoff with pfsync.
So if one of the carp interfaces is known to be bad (because the
physical interface it's associated with is bad), all the other carp
interfaces back off: they won't preempt, and their advskew goes to 240.
ok cedric@
|
|
ok mcbride@
|
|
enabled when we're doing full frag reassembly and thus have full seq info
ok markus@
|
|
reload rules.
this fixes an altq problem that, if you reload pf rules not containing
queues while running altq, the interface shaper is not properly removed.
make pf_altq_running local to pf_ioctl.c since it is no longer used in
altq_subr.c.
ok henning@
|
|
manual page.
- more strict bpf code validation, preventing arbitrary kernel memory
read and writes.
Some help from frantzen@ and canacar@; testing jmc@ markus@;
ok canacar@ henning@ franzen@
|
|
to the mbuf and free the cluster when it contains a small packet.
ok deraadt@
|
|
ok deraadt@
|
|
this fixes corruption of the address pools with large rulesets.
This is a candidate for -stable.
Reported by Zbigniew Kossowski <zk@openbsd.com.pl>, hours of braintwisting
debugging by pb@
|
|
|
|
|
|
needed; these are slightly different so that we cannot use the new
IF_INPUT_ENQUEUE macro
deraadt ok
|
|
ok pb@, henning@, markus@
|
|
ok mcbride@ henning@
|
|
pointed at by Joris Vink who was baffeled how this should work anyway
ok mcbride@ henning@
|
|
user visible changes:
- you can add multiple routes with same key (route add A B then route add A C)
- you have to specify gateway address if there are multiple entries on the table
(route delete A B, instead of route delete A)
kernel change:
- radix_node_head has an extra entry
- rnh_deladdr takes extra argument
TODO:
- actually take advantage of multipath (rtalloc -> rtalloc_mpath)
|
|
ok dhartmei@ mcbride@
|
|
ok itojun@
|
|
handshake, so they can match rules (and create state) on another interface.
ok cedric@
|
|
|
|
|
|
|
|
|
|
|
|
and block unconditionally.
when the inout queue is full, newly arriving packets are dropped anyway,
and while the input queue is full we obviously have a CPU laod problem.
with this change, we allow the machine to recover gracefully, dropping a few
packets fast instead of a lot slowly over a long time while processing rather
old stuff in the input queue, giving somebody a chance to log in on the
console and fix stuff instead of going completely unresponsive, and as a nice
side effect, let established connections alone.
ok kjc@ markus@ beck@
|
|
is full, along with a timer that unsets it again after 10ms.
The input queue beeing full is a reliable indicator for CPU overload, and
this flag allows other subsystems to cope with the situation.
hacked with beck
ok kjc@ markus@ beck@
|
|
larger kernel map
|
|
the parameter serves only as optimization to cache m_tag_get() results.
ok henning@
|
|
the local state.
Tricky state comparisons from frantzen@ ok cedric@ dhartmei@
Post-ok addition of code to broadcast an update with the better local version
when this happens. Torture tested by beck@
|
|
ok markus@
|
|
to arbitrary values. Invalid state->timeout can hit a KASSERT in pf, the other
ones should be ok but we check them just to make sure.
ok dhartmei@ deraadt@
|
|
|
|
ok mcbride@, henning@, cedric@, deraadt@
|
|
Also fix a daddr vs saddr cut-n-paste error in ICMP error handling.
From dhartmei@
ok deraadt@
|
|
until mono_time.tv_sec advances past the time the bulk transfer request
was recieved.
ok cedric@ deraadt@
|
|
configured. This this allows pfsync+carp clusters to come up gracefully
without killing active connections. pfsync now prevents carp from
preempting to become master until the state table has sync'd.
ABI change, any application which use struct pf_state must be recompiled.
Reminded about this by Christian Gut. Thanks to beck@ cedric@ and dhartmei@
for testing and comments.
ok deraadt@
|
|
|
|
|
|
|
|
missing break; in error case
from patrick latifi, cedric ok
|
|
it's also called in the function which calls pf_insert_state().
Pointed out by Patrick Latifi, ok cedric@ dhartmei@
|
|
|
|
ok henning, cedric, claudio, deraadt
|
|
from otto@
- Fix signedness issue with unit numbers. Bug report from Thorsten Glaser
ok millert@ otto@
|
|
ok canacar@ deraadt@ mcbride@
|
