| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2005-09-11 | when adding any IP addresses make sure to UP the interface. | Brad Smith | |
| ok reyk@ | |||
| 2005-09-10 | update the trunk(4) driver | Reyk Floeter | |
| - add multicast support by passing multicast addresses to the ports. this is a requirement for carp(4) over trunk(4). - support the smallest common interface capabilities. ie., this adds support for VLAN MTUs if all attached ports have this capability. - add a port_destroy callback to the trunk protocol. this fixes a potential crash if the master port has been detached while running. discussed with deraadt@, brad@ and some others. | |||
| 2005-09-05 | in DIOCCHANGERULE, properly initialize table, if used in NAT rule. | Daniel Hartmeier | |
| from Boris Polevoy <vapcom at mail dot ru>, ok mcbride@ | |||
| 2005-08-22 | when nat'ing icmp 'connections', replace icmp id with proxy values | Daniel Hartmeier | |
| (similar to proxy ports for tcp/udp). not all clients use per-invokation random ids, this allows multiple concurrent connections from such clients. thanks for testing to Rod Whitworth, "looks ok" markus@ | |||
| 2005-08-22 | fix rdr to bitmask replacement address pool. patch from Max Laier, | Daniel Hartmeier | |
| reported by Boris Polevoy, tested by Jean Debogue, ok henning@ | |||
| 2005-08-18 | Malloc temporary buffers in pfioctl rather than having several large | Christopher Pascoe | |
| pf_state buffers on the stack. ok henning mcbride | |||
| 2005-08-18 | Rearrange pf_state and pfi_kif so that the parts of the structure needed | Christopher Pascoe | |
| to search for a particular entry in the RB trees are at the start of the structure. This permits us to place a much smaller structure on the stack in the interrupt paths that match packets against state entries. ok mcbride | |||
| 2005-08-16 | Only send the PFSS_TIMESTAMP timestamp bit across the wire, in case we | Christopher Pascoe | |
| want to map the remaining bits to something else later on. | |||
| 2005-08-16 | Synchronise timestamp modulation and scrubbing min ttl information. | Christopher Pascoe | |
| ok henning mcbride, looks good frantzen | |||
| 2005-08-14 | don't require a valid route when configuring the tunnel; | Markus Friedl | |
| from Stephen Marley; ok deraadt@ | |||
| 2005-08-13 | Partial backout of previous revision, reinstates the ability to propagate | Christopher Pascoe | |
| a kill message for a state that was generated on another firewall. | |||
| 2005-08-12 | Use actual packet contents when sending protocol rejects. Fixes PR 4305. | Can Erkin Acar | |
| Different fix tested by the submitter, xiangbo3 at gmail com. ok claudio@ | |||
| 2005-08-12 | Fill out interface name and state creation time correctly in | Christopher Pascoe | |
| DIOCGETSTATE. ok dhartmei mcbride | |||
| 2005-08-11 | Remove bogus debug printf(). | Ryan Thomas McBride | |
| ok ho@ | |||
| 2005-08-11 | Only decrement the max-src-conn counter for tcp connections that reached | Joel Knight | |
| "established" state. Requires recompiling pfctl, etc. ok dhartmei@ | |||
| 2005-08-10 | kill spaces OK deraadt@ | Claudio Jeker | |
| 2005-08-10 | Add an additional media subtype IFM_TDM_E1_G704_CRC4 for TDM interfaces. | Claudio Jeker | |
| This makes it possible to distinguish between E1 G.704 mode with and without CRC4 checksum. Also add an operating mode IFM_TDM_MASTER to specify that the card has to provide the clock source for the line. OK deraadt@ canacar@ | |||
| 2005-08-07 | Do not blindly reset the state count to zero after a clear, as we may not | Christopher Pascoe | |
| have purged all states in the case when an interface name was specified. pf_purge_expired_states should decrease the count as appropriate. ok dhartmei | |||
| 2005-08-07 | verify ticket in DIOCADDADDR, from Boris Polevoy, ok deraadt@ | Daniel Hartmeier | |
| 2005-08-07 | Reset kif->pfik_ifp to NULL before calling pfi_kif_unref(), similar change | Christopher Pascoe | |
| to that in rev 1.40 for interface groups. ok henning | |||
| 2005-08-06 | correct some spellos | Christopher Pascoe | |
| 2005-08-05 | make three functions non-static (namespace is no issue, they might get | Daniel Hartmeier | |
| inlined), ok art@ | |||
| 2005-08-04 | instead of static locals, malloc/free. the goal is to reduce stack usage, | Daniel Hartmeier | |
| but statics are dangerous in case of concurrency. ok deraadt@ | |||
| 2005-08-03 | prevent unaligned memory access when processing LCP echo packets, | Can Erkin Acar | |
| making pppoe(4) work on sparc64. Fixes PR-4311 Reported and fix tested by David Coppa < dcoppa at gmail com > | |||
| 2005-08-03 | Do not send "deletion" messages for states created by other pfsync peers when | Christopher Pascoe | |
| they timeout. Any other hosts that have also learnt these states will already know that they are due to time out. ok henning | |||
| 2005-08-03 | Eliminate another case where pool routines are called without process context. | Christopher Pascoe | |
| Instead of purging immediately, let the state be purged at the purge interval. ok henning | |||
| 2005-08-03 | use flag macro instead of constant | Christopher Pascoe | |
| 2005-08-02 | pass the AF in network byte order to bpf | Markus Friedl | |
| 2005-08-02 | Instead of copying a table structure so we can mask off a bit before | Christopher Pascoe | |
| "validating" it, pass the bits to be ignored down to the validating function in its allowedflags argument. Saves a 1kB+ stack allocation. ok henning@ | |||
| 2005-08-01 | Minor whitespace cleanup. | Christopher Pascoe | |
| 2005-08-01 | Use a string directly rather than making a copy, save on stack space. | Christopher Pascoe | |
| Use a static buffer for another large variable, pending further analysis. prodded deraadt | |||
| 2005-07-31 | Perform pf state/rule/table expiry in a kernel thread instead of running | Christopher Pascoe | |
| it out of a timeout handler. This means we will have process context, required when using the oldnointr pool allocator. Addresses pr4186, pr4273. ok dhartmei@ henning@ tedu@ | |||
| 2005-07-31 | Missed argument in previous commit, applied separately to ease merges. | Christopher Pascoe | |
| 2005-07-31 | Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain | Christopher Pascoe | |
| to bpf with either an address family or other header added. These helpers only allocate a much smaller struct m_hdr on the stack when needed, rather than leaving 256 byte struct mbufs on the stack in deep call paths. Also removes a fair bit of duplicated code. commit now, tune after deraadt@ | |||
| 2005-07-31 | Change the API for icmp_do_error so that it takes the mtu directly, rather | Christopher Pascoe | |
| than a pointer to struct ifnet containing it. Saves a 448 byte stack allocation in ip_forward which previously faked up a struct ifnet just for this purpose. idea ok deraadt millert | |||
| 2005-07-29 | Use one "struct pf_state key" declaration at top of pf_test_state_icmp, | Christopher Pascoe | |
| instead of allocating it as a temp var in six mutually exclusive code paths. Saves 784 bytes of kernel stack (on i386). | |||
| 2005-07-28 | rev 1.18 | Brad Smith | |
| when there are multiple matches for the requested media, select the first matching instance rather than the last one. From chs NetBSD | |||
| 2005-07-26 | Add missing newline to error message. | Christopher Pascoe | |
| 2005-07-21 | account ipv4 packets with wrong tcp/udp/icmp checksums and udp | Markus Friedl | |
| packets with invalid uh_len; ok dhartmei | |||
| 2005-07-20 | need to reset kif->pfik_group to NULL before calling pfi_kif_unref() so it can | Henning Brauer | |
| notice that this kif is not referenced and not attached to an interface or a group and actually deletes it. plugs a memleak, PR 4267 is caused by this. | |||
| 2005-07-19 | Remove vlan_input_tag() since all four drivers that used it have been | Camiel Dobbelaar | |
| reworked to not strip vlan tags in hardware anymore. ok brad henning jason | |||
| 2005-07-18 | Use M_PREPEND to take advantage of any slack leading space in the mbuf. | Camiel Dobbelaar | |
| ok markus jason henning brad | |||
| 2005-07-12 | default mtu to no more than ETHERMTU to avoid fragmentation; henning@ ok | Michael Shalayeff | |
| 2005-07-11 | add missing {} around TAILQ_FOREACH block, found by David Hill | Daniel Hartmeier | |
| 2005-07-09 | ANSI protos | Brad Smith | |
| 2005-07-05 | - prototype must not have variable name. | Brad Smith | |
| From itojun NetBSD - Fix signed/unsigned comparison warnings. - Make ifm_data unsigned. - Make media and mask unsigned. From thorpej NetBSD ok deraadt@ | |||
| 2005-07-04 | in if_group_routechange(), when checking wether a default route was changed | Henning Brauer | |
| to trigger an if_group_egress_build() call, stop looking at the mask in the v4 case, at least until I figured out why we sometimes see masks full of crap. | |||
| 2005-07-04 | restrict the tcp.finwait timeout (45s) to state combinations where we have | Markus Friedl | |
| seen a FIN from both sides (whether ACKed or not) and use tcp.closing (900s) for half closed connections. otherwise half closed connections will time out within 45s. ok dhartmei, henning. | |||
| 2005-07-03 | rev 1.13 | Brad Smith | |
| when changing to an unsupported media type, return EINVAL instead of ENXIO. From NetBSD | |||
| 2005-06-30 | in order for pfvar.h not to conflict with openssl's crypto.h, use | Nikolay Sturm | |
| PF_MD5_DIGEST_LENGTH instead of including crypto/md5.h ok markus@, henning@, mpf@ | |||
 |
index : src | |
| OpenBSD base system |
| summaryrefslogtreecommitdiff |