summaryrefslogtreecommitdiff
path: root/sys/net
AgeCommit message (Collapse)Author
2004-02-13Do an explicit pf_update_anchor_rules() after an anchor gets removed.Marco Pfatschbacher
In some situations not all anchor rules got updated properly, so they still refered to already freed anchors. OK dhartmei@ mcbride@ cedric@ henning@
2004-02-12from camield:Henning Brauer
se hash instead of linked list to speed up tag to vlan interface mapping ok markus@ and myself
2004-02-10KNFDaniel Hartmeier
2004-02-10plug mbuf leak (ip_fragment() always free mbuf on error). tested by cedric,Jun-ichiro itojun Hagino
dhartmei ok
2004-02-10KNFHenning Brauer
2004-02-10Make pfsync work correctly with IP options on 64-bit alignmentRyan Thomas McBride
sensitive CPUs. Pointed out by deraadt@.
2004-02-09Repair "set loginterface". Don't flush stats on pfctl -e. pf_status.sinceCedric Berger
is the time of last "pf -e" or "pf -d". ok dhartmei@ henning@
2004-02-08if_detach_rtdelete(): abort and restart rn_walktree() if a cloning routeMarkus Friedl
gets deleted; fixes pr 3649; ok henning, deraadt, dhartmei
2004-02-08Fix kernel panic which occurs under very high load:Ryan Thomas McBride
- Make sure we calculate the correct maximum size for PFSYNC_ACT_UREQ. - Make pfsync_sendout() return immediately if there is nothing to send.
2004-02-07Use the offset provided to us by m_pulldown(), rather than using size ofRyan Thomas McBride
ip and pfsync headers. This makes us behave correctly if the packet is spread across multiple mbufs (which does not appear to happen in practice).
2004-02-06as seen in netbsd. crank bpf sizes to adapt to faster networks.Ted Unangst
max size goes to 2MB, default goes to 32k. ok canacar@ mcbride@
2004-02-04Fix a number of bugs with setting pool limits which I introduced withRyan Thomas McBride
source-tracking. Found by Pyun YongHyeon. Also add support to pfctl to set the src-nodes pool limit. "Luckily" some of the bugs cancel each other out; update kernel before pfctl. ok dhartmei@
2004-02-02missing #if NPF > 0. ok henning@Cedric Berger
2004-02-02Do not evaluate pfi_index2kif[ifp->if_index] if PF is disabled.Cedric Berger
Safer and faster since we know that ifp->if_index can potentially be garbage. ok dhartmei@
2004-01-27drop packet if kif == NULL; ok henning deraadtMarkus Friedl
2004-01-27don't convert tcpmd5 to ip-over-ip in SADB_X_GETSPROTO; from hshoexerMarkus Friedl
2004-01-26- use SIOC[GS]WAVELAN.Federico G. Schwindt
- fill ac_enaddr correctly. - put ic_myaddr back.
2004-01-22- Include the value of pf_state.timeout in pfsync messagesRyan Thomas McBride
- Fix the expiry time calculations, for real - Unbreak the collapsing of multiple updates into one And a little KNF for good measure.
2004-01-20the pfsync interface does not have a baudrate, so don't claim 100 MBit/sHenning Brauer
ok mcbride@
2004-01-20Ignore pfsync packets if pf is not running.Ryan Thomas McBride
2004-01-19Update comment; handling PFSYNC_ACT_UPD in pfsync_input() is no longerRyan Thomas McBride
optional.
2004-01-19Clean up creation and expiry timestamp calculations.Ryan Thomas McBride
2004-01-18Port is already stored in network byte order, no need to convert.Ryan Thomas McBride
2004-01-16Fix IPv6 stateful tcp scrubbing by not dereferencing a null pointer.Ryan Thomas McBride
ok dhartmei@ frantzen@
2004-01-15add a RTM_IFANNOUNCE message; from netbsd; ok itojun, henningMarkus Friedl
2004-01-12use klist_invalidate to permit destroy while kqueued. ok mpf@Ted Unangst
2004-01-09fix leak ether_deatch(): if if_free_sadl() is called before if_detach()Markus Friedl
then ifnet_addrs[ifp->if_index] leaks; if it's called after if_detach() then if_free_sadl() does nothing; ok itojun
2004-01-07PFI_MTYPE leak; ok cedric@Markus Friedl
2004-01-07ieee80211 framework from NetBSD; ok'd by several people some time ago.Federico G. Schwindt
more fixes comming.
2004-01-06Drop UDP packets with destination port 0, or zero or oversized payloadDaniel Hartmeier
length (same as udp_input() does, if pf is not enabled). Found by Pyun YongHyeon. ok cedric@, ho@, henning@ and markus@.
2004-01-05stop ifc_destroy() if there are still knotes registered.Marco Pfatschbacher
ok mcbride@ markus@
2004-01-050 -> (void *)NULL for last argument of icmp_error(), which is of typeDaniel Hartmeier
struct ifnet *, from Pyun YongHyeon
2004-01-05Repair my merging error, simplify DIOCCLRSTATUS code. ok dhartmei@Cedric Berger
2004-01-05Repair merge errors. Thanks Pyun YongHyeon, Sorry Henning :)Cedric Berger
2004-01-04oops... string.h ended up being included twice; pointed out by espiePeter Valchev
2004-01-04better macro name (IF_LOCKED -> BOUND_IFACE). from markus.Cedric Berger
2004-01-04include proper protos for userland; deraadtPeter Valchev
2004-01-03make sure userland sees memcmp and friends (gcc3)Marc Espie
okay frantzen@
2004-01-03put an mi wrapper around stdarg.h/varargs.h. gcc3 moved stdarg/varargs macrosMarc Espie
to built-ins, so eventually we will have one version of these files. Special adjustments for the kernel to cope: machine/stdarg.h -> sys/stdarg.h and machine/ansi.h needs to have a _BSD_VA_LIST_ for syslog* prototypes. okay millert@, drahn@, miod@.
2003-12-31spacing. note this, cedricTheo de Raadt
2003-12-31delay interfaces attach until "self" has been created; ok cedric@Markus Friedl
2003-12-31Many improvements to the handling of interfaces in PF.Cedric Berger
1) PF should do the right thing when unplugging/replugging or cloning/ destroying NICs. 2) Rules can be loaded in the kernel for not-yet-existing devices (USB, PCMCIA, Cardbus). For example, it is valid to write: "pass in on kue0" before kue USB is plugged in. 3) It is possible to write rules that apply to group of interfaces (drivers), like "pass in on ppp all" 4) There is a new ":peer" modifier that completes the ":broadcast" and ":network" modifiers. 5) There is a new ":0" modifier that will filter out interface aliases. Can also be applied to DNS names to restore original PF behaviour. 6) The dynamic interface syntax (foo) has been vastly improved, and now support multiple addresses, v4 and v6 addresses, and all userland modifiers, like "pass in from (fxp0:network)" 7) Scrub rules now support the !if syntax. 8) States can be bound to the specific interface that created them or to a group of interfaces for example: - pass all keep state (if-bound) - pass all keep state (group-bound) - pass all keep state (floating) 9) The default value when only keep state is given can be selected by using the "set state-policy" statement. 10) "pfctl -ss" will now print the interface scope of the state. This diff change the pf_state structure slighltly, so you should recompile your userland tools (pfctl, authpf, pflogd, tcpdump...) Tested on i386, sparc, sparc64 by Ryan Tested on macppc, sparc64 by Daniel ok deraadt@ mcbride@
2003-12-28Add a new PFSYNC_ACT_UREQ message type.Ryan Thomas McBride
A pfsync system which recieves a partial update for a state it cannot find can now request a full version of the update, and insert it. pfsync'd firewalls now converge more gracefully if one is missing some states (due to reset, lost insert packets, etc).
2003-12-22pasto in pf_status.src_nodes backup, from 'kirash'Daniel Hartmeier
2003-12-19more const-correctness, ok mcbride@Daniel Hartmeier
2003-12-19i wrote much of these, assert my copyrightHenning Brauer
2003-12-19rn_satsifies_leaf -> rn_satisfies_leafBrad Smith
from itojun@netbsd rev 1.15 ok deraadt@
2003-12-18Save pf_status.hostid and pf_status.stateid in the DIOCCLRSTATUSRyan Thomas McBride
ioctl. Pointed out by dhartmei@ ok dhartmei@
2003-12-18Unbreak compile with no pfsync(4) device.Ryan Thomas McBride
patch from Max Laier
2003-12-18TCP timestamp modulation (scrub reassemble tcp) fix from frantzen@Daniel Hartmeier