Age | Commit message | Author |
|
we had to put this workaround in since /etc/rc used to use the exit code
of "ifconfig pflog0" to decide whether we run on a kernel with pflog support.
rc has been fixed to explicitly create pflog0 when pf and pflogd are
enabled in November 2006, so now is the time to remove this compat hack.
pplz who haven't updated rc since 2006/11/16 lose pflogd. ok ryan theo
|
|
This provides a similar functionality as ARP balancing,
but also works for traffic that comes across routers.
IPv6 is supported as well.
The configuration scheme will change as soon as we have sth better.
Also add support for changing the MAC address on carp(4)
interfaces. (code from mcbride)
Tested by pyr@ and reyk@
OK mcbride@
|
|
Previously the descriptor was locked only after
an interface is set, leading to a race condition.
Reported by Jon Steel < jon.steel at esentire com >
tested by otto@, looks correct deraadt@
|
|
need uvm/uvm_extern.h to get at uvmexp. oops.
|
|
to 200,000 instead of the conservative 100,000; ok dhartmei beck
tested by ckuethe
|
|
tunnels.
Additional testing by Marc Winiger. OK kjc@ mbalmer@
|
|
ok claudio@
|
|
Don't allow the userland to fiddle with flags reserved by the driver.
Noticed by Ingo Schwarze.
|
|
ok dharthmei@, henning@
|
|
via TUNSIFINFO. ppp(8) was happily clearing the RUNNING flag and so all
incoming packets were dropped. Issue reported by irix <at> ukr <dot> net.
While there check that the mtu is in a valid range -- stolen from SIOCSIFMTU
case.
|
|
From FreeBSD
|
|
ok kettenis@ cloder@ tom@ henning@
|
|
OK tedu@
|
|
|
|
and passed around but never used. OK mglocker@
|
|
this allows an atomic read and reset counters, instead of read, reset in a
later ioctl and lose everything in between.
use the previously unused of pr->action. When it is set to PF_GET_CLR_CNTR,
the ioctl requires write permissions and counters are reset after they have
been copied out to userland.
obsoletes DIOCCLRRULECTRS, which only works for the main ruleset, but not
within anchors (yeah, that's how it all started)
ok dhartmei, mcbride and theo agree as well
|
|
|
|
ip6_dst (i'm a bit skeptical about checksumming when the box is not the
final destination).
drop IPv6 jumbograms, as it could cause various funny symptoms due to
ip6_plen being 0 (yup, we should properly handle it instead).
ok by deraadt, naddy, hshoexer
|
|
- if the interface was auto-created by opening a /dev/tun* device it will
auto-destroy on close. This is comparable to ifconfig tun0 destroy and
will remove all routes and addresses associated with the interface.
- if the interface was created by ifconfig(8) or hostname.if(5) the interface
is persistent -- it is just marked as not running. Especially routes are no
longer removed when the interface is closed. This is useful for static
setups like the server side of a ssh vpn or static qemu session.
This behaviour is more logical than the half done cleanup that is currently done.
OK mpf@
|
|
with at least two ports are always handled as full duplex links. this
change will allow trunks as edge ports in a rstp bridge(4).
ok brad@ pyr@
|
|
these flags on close. OK mpf@
|
|
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo
|
|
|
|
this fixes PR 5056
discussed with camield@
OK camield@ claudio@ henning@
|
|
Requested by brad@
|
|
|
|
splnet/IF_DEQUEUE/splx; ok various people
|
|
ok brad@, deraadt@
|
|
unicast reverse path forwarding (URPF) check drops packets coming in
on an interface other than that which holds the route back to the
packet's source address. this caused problems with routes bound to a
carp interface instead of the underlying interface. this diff
validates the underlying carpdev if the route is bound to a carp
interface.
from Pierre-Yves Ritschard (pyr at spootnik.org)
ok henning@
|
|
initialized, it might equal &iproute by chance, causing a panic
when rtfree() is then mistakenly called.
|
|
|
|
number, it can differ from the sequence number being tested (for packets
without payload), and both matter in explaining why a packet mismatched.
|
|
|
|
(s6_addr16[1] filled)
ok dhartmei
|
|
reuses IPv4 signature file (assuming that TCP code is shared among IPv4/v6).
mcbride ok.
|
|
ok otto@
|
|
P2P is commonly used in relation to peer to peer networks, PTP is used
in various protocols for layer 2 point to point links (ie., full
duplex ethernet links).
note that the newly added brconfig commands [-]p2p and [-]autop2p will
change to [-]ptp and [-]autoptp.
suggested by Andrew Thompson (thompsa@freebsd.org)
|
|
ifp0->if_link_state == LINK_STATE_UP to handle the new half/full
duplex link states. i forgot to commit these snippets before.
ok jsg@
|
|
ok canacar@
|
|
by Andrew Thompson (thompsa@freebsd.org). The local changes include
adoption to our bridge code, reduced stack usage and many other bits.
If stp is enabled, RSTP will now be used by default.
Thanks for help from Andrew.
This code has been in snaps for a while now, commit encouraged by deraadt@
|
|
From: Genadijus Paleckis <lsd@nnt.lt>
but the really bad description of the diff made this way more complicated
than needed. pls plz, when sending in diffs, describe properly what they
do and why!
|
|
state, if known by the driver. this is required to check the full
duplex state without depending on the ifmedia ioctl which can't be
called in the kernel without process context.
ok henning@, brad@
|
|
an interface. Fixes a double free panic.
ok claudio@, looks fine henning@
|
|
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.
this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.
ok hshoexer@
|
|
ifp->if_link_state instead of calling the ifmedia ioctl. this is safe
in timeouts without process context and allows to use bridge stp with
usb ethernet devices now.
figured out and tested by Stuart Henderson, closes pr 5304.
|
|
diff from Berk D. Demir <bdd@mindcast.org>
ok henning dhartmei
|
|
we need to do so whenever we do have a (pf) tag != 0 on the state OR (that
part was missing) when rtableid on the rule is nonzero.
problem noticed by Andreas Lundin <lunde@dreamhosted.se> testing the
multiple routing tables enabling diff, ok mcbride
|
|
|
|
code factored out from if_addgroup(), previously a group always had to have
members. ok mpf mcbride
|
|
|