Age | Commit message | Author

on bridge rule load translate tagnames to pf tags using pf_tagname2tag etc
if packets match a bridge filter rule tag them using pf_tag_packet() with
the given tag
help dhartmei@
ok deraadt@ jason@ dhartmei@
from KOZUKA Masahiro <ma-kun@kozuka.jp> with a minor adjustment from itojun
ok itojun@ dhartmei@
without it "route change X" would change less-specific route by mistake.
reported by jinmei@kame, markus ok
This might just be a temporary fix, we're still looking for a better one.
ok dhartmei@
traffic reporting w/ pfsync; ok dhartmei@
Note: ABI change (new fields in struct pf_state), requires a rebuild of
pfctl and tcpdump.
the server's MSS is guessed based on the routing table and interface MTU.
Fine patch entirely from Krists Krilovs <pow@pow.za.net>, ok frantzen@
Note: ABI change (new field in struct pf_state), requires a pfctl rebuild
(and tcpdump for pfsync).
addresses. ok mcbride@, cedric@
to userland instead.
fixes PRs 2235, 2236 and 2640
from Otto Moerbeek <otto@drijf.net>
ok frantzen@, tedu@, deraadt@
comparing ackskew, otherwise legitimate low acks can get blocked. Was
triggered when asymmetric scale factors were used in combination with
SACK. Report and logs provided by Peter Galbavy. ok frantzen@, henning@
ifq_head, to make altq work. prevents programs from spinning in non-blocking
select()/read() loops in case of queues hitting their limits.
This makes queueing on tun interfaces work. while it is still advised to
assign packets to queues on tunX and queue on the physical interface in
generic, this doesn't work in the PPPoE case with the userland pppoe process,
there the mbuf tags with the queue IDs don't survive obviously.
based on diff from Trevor Talbot, tested successfully by a lot of people
on the pf@benzedrine.cx list.
ok pb@ kjc@
rules create state. Truly hard to spot. Unless you run the code, of course.
- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()
NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.
The following two pfctl functions work with an "-a" option:
- pfctl [-a foo[:bar]] -sT
- pfctl [-a foo[:bar]] -FT
ok dhartmei@
pf_tagname2tag, pf_tag2tagname, pf_tag_unref, pf_tag_packet
rescinded 22 July 1999. Proofed by myself and Theo.
o check timeout for negative values and overflow
ok tedu@ jason@
"tagged X" rule), and only get it when we really need it. simplifies code too.
ok dhartmei@ pb@
In the SYN proxy, generate ACKs with proper window sizes after the
handshakes.
the rule. Fixes rdr with address pools using bitmask and source-hash
address selection methods.
ok dhartmei@ henning@
ok dhartmei@ pb@
without causing EHOSTUNREACH to be delivered to local sockets, so it works
for outgoing connections originating on the same host. ok frantzen@
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive end-
point, preventing spoofed SYN floods from reaching the passive endpoint.
No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.
ok frantzen@
remote uptime determination
- scrub modifier "reassemble tcp" turns on stateful TCP normalizations
ok henning@ dhartmei@
idea from theo.
to speed that up the real mbuf tag is not written until we hit the last match
but an internal variable is used to track the tag.
this can be used to split classification and policy enforcement, for example.
and much much much more...
ok dhartmei@ frantzen@
With this change, the log header format also changes.
The new log format is extendible and allows logging
of the originating anchor and ruleset information.
ok henning@ dhartmei@ frantzen@
ok dhartmei@ frantzen@
deraadt ok
ok henning@
those tags later on.
ok dhartmei@ pb@ mcbride@ frantzen@
to some developers, but include files are not just used by the kernel.
there are applications that pull them in as well. this change broke
tcpdump, and who knows what else. i've been talking for 24 hours now
about tree breakage and let this be official: I am prepared to lock the
tree entirely if need be. YOU WILL GET OK PERMISSION FROM EVERYONE, NOT
JUST FROM ONE PERSON
(FDDI, ieee1394, ...). follows netbsd practice.
2 jasons, dhartmei, thierry ok
initial maximum window by the scaling factor. otherwise our view of the
allowable sequence window is too big. back out the scaling factor adjustment
from the max window if the other endpoint rejects window scaling
- window scale the forward ACK skew check
ok dhartmei@
first. The least significant portions of the IPv6 address are more
likely to differ than the more significant ones, since in most
situations half the addresses (either the source or the destination)
will be in the local subnet.
ok dhartmei@ henning@
ok henning@ frantzen@
number of state table entries grows, so entries time out faster before
the table fills up. Works both globally and per-rule. ok frantzen@
each side of the TCP connection and prevent it from being reduced
ok pb@ dhartmei@
8 bytes, but the former is more appropriate. ok frantzen@