Age | Commit message | Author

them being there.
diff & ok deraadt

from alexandre ratchov. ok claudio

without trying to free the (in that case nonexistent) tdb mbuf
found out the hard way by pedro

being created for now - much more work would be required to change that
input & ok ryan

its "special" case in ether_input(). Based on similar idea in FreeBSD.
ok brad

ok henning@ deraadt@ canacar@

be imported into pfctl. This is a precursor to separating ruleset parsing
from loading in pfctl, and tons of good things will come from it.
2 minor changes aside from cut-n-paste and #define portability magic:
- instead of defining the global pf_main_ruleset, define pf_main_anchor
(which contains the pf_main_ruleset)
- allow pf_find_or_create_ruleset() to return the pf_main_ruleset if it's
passed an empty anchor name.
ok henning dhartmei

logs go. ok mcbride

for now, only allow pflog0 to be created.
keep an array of ifps to the pflog interfaces with the unit # as index for
fast access.
if pflog0 does not exist, no logging is done (just like if it is down).
on machines without pf enabled, this makes the pflog0 interface go away,
on machines with pf, rc sets up pflog0 and starts pflogd, no change there.
idea old (pf2k4 or c2k5?), hacked at the hack.lu 2006 conference, ryan ok

success, not -1 on error. fix check in 2 cases. ok mpf mcbride

ok henning@ dhartmei@ deraadt@

the anchor, terminate ruleset evaluation when stepping out of the anchor.
This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.
ok dhartmei@ henning@ deraadt@

ok frantzen, dhartmei, henning

for equality (ip_tos == x). for priority queue assignment, compare AND-wise
(ip_tos & IPTOS_LOWDELAY). this matters mostly for cases where the reserved
bits in ip_tos are used (RFC791, 1349) and more than a single bit is set.
from Steve Welham, closes PR5226 and PR5227.

numbers, reported by Raja Subramanian; ok henning@

as the resulting demotion counter value is in range. previously, we only
allowed +/- 1. ok mpf mcbride deraadt

and drop such bad packets. Also remove some redundant mallocs.
This fixes possible heap overflows when forming replies to such bad
packets as discovered by Martin Husemann and Pavel Cahyna.
reported by NetBSD, initial diff from markus@,
additional comments by claudio@, ok markus@

but third-party tools). a rule must have a non-empty replacement address
list when it's a translation rule but not an anchor call (i.e. "nat ... ->"
needs a replacement address, but "nat-anchor ..." doesn't). the check
confused "rule is an anchor call" with "rule is defined within an anchor".
report from Michal Mertl, Max Laier.

code. however, it is still cluttering up the kernel namespace a bit. it is
better gone.
ok claudio@

Affects devices using the sppp layer (pppoe, art, san, lmc)
ok deraadt@

Also cleanup error message device name printing.
Based on diff from NetBSD via Andrey Matveev
Also, use log when printing error messages, and syslog will
handle any nonprintable characters, discussed with deraadt@

matching that rule so that the forwarding code later can use the
alternate routing table for lookups (not implemented yet).
the tagging is "sticky", every matching rule modifies, just like the
regular "tag". ok claudio hshoexer, hacked at r2k6

dmesg printf every time they came up, would that be a better world?

the "pppoe0: up" message is annoying when one is on console and the
system has been configured to recall the ISP every minute or so.
Moving the printf() to a log() fixes this and the "pppoe0: up"
message is still seen in logs and dmesg.
ok canacar@

of 1Gbps, until the size of the baudrate field has been increased.

routes did not carefully check if the route lookup succeeded or not and so
rn_mpath_next(rn) blew up because rn was NULL. Check if rnh_lookup succeeded
before touching rn in any way. OK norby@ initial diff by hshoexer@

To minimise path disruptions, this implements recommendations made in RFC2992 -
the hash-threshold mechanism to select paths based on source/destination IP
address pairs, and inserts multipath routes in the middle of the route table.
To enable multipath distribution, use:
sysctl net.inet.ip.multipath=1
and/or:
sysctl net.inet6.ip6.multipath=1
testing norby@
ok claudio@ henning@ hshoexer@

previous route that may not have been inserted with the -mpath flag.
Similarly, when removing a multipath route and leaving only one route,
clear the RTF_MPATH flag so this is clear.
ok claudio@

(NET_RT_DUMP & friends) too. keep supporting the old form (and imply id 0)
of course. claudio ok

manipulate alternate tables from userland. new tables are created
implicitly when an RTM_ADD for that table is seen.
ok norby claudio hshoexer

parameter so they can work on alternate tables. table 0 hardcoded for
many callers yet, that will be adapted step by step.
input + ok claudio norby hshoexer

remove the ugly routed hacks. OK henning@, hshoexer@

problem before: with this, we are no longer using the address family as
array index directly, since only 3 of 31 address families actually attach
a table, but we're using an address family to array index translation (just
another array). there, 0 meant "does not attach a table", thus rt_gettable
has to return a null pointer. unfortunately we were using array index 0 for
whatever af attaches first, and since the list is backwards, that used to
be ipsec - except on ipsec-less ramdisks, where it was inet6, and since
route show blindly iterates over all address families, and all those
without a table pointed to index 0, we got 28 or 29 copies of the v6 table.
i had that right initially, and then i borked it later... re-spotted by
claudio.
ok norby hshoexer claudio

'route show' dump out repeated copies of the v6 routing table on ramdisks.
on some architectures it spins forever doing this, on others it just
goes for a long time printing the v6 routes over and over before terminating.
spotted by jmc and krw, backout diff tested by beck.

As a first user, move the global carp(4) demotion counter
into the interface group. Thus we have the possibility
to define which carp interfaces are demoted together.
Put the demotion counter into the reserved field of the carp header.
With this, we can have carp act smarter if multiple errors occur.
It now always takes over other carp peers, that are advertising
with a higher demote count. As a side effect, we can also have
group failovers without the need of running in preempt mode.
The protocol change does not break compatibility with older
implementations.
Collaborative work with mcbride@
OK mcbride@, henning@

.. fixes proto display for the non zero case
ok claudio@

we trade higher memory consumption if the user doesn't use continuous table
IDs, but in the worst case (table IDs 0 and 255, 64bit machine) that is 2KB
ok claudio ryan