we're breaking pfsync compatibility this cycle anyways.
Requested by djm@, ok henning@, 'wheee!' deraadt@

bpf FILDROP interface has existed for about one year but the required
interface to the drivers was missing - so it was useless. this new
approach based on a design by henning@ uses a new mbuf flag to mark
filtered packets and to drop them in the generic network stack input
routines (like ether_input).
for example, after some additional testing, this could be used by
dhclient to filter everything except DHCP packets (track tech@
for a corresponding dhclient diff). the "filter dropped" packets won't
reach the network stack. so it's probably some kind of a very basic
application layer packet filter ;).
ok canacar@, discussed with henning@ and others

not have been allocated at the initial state synchronisation time.
ok henning@

Oh. and a KNF nit.

Applies only to rules in the main ruleset (not anchors) if the ruleset
checksum matches. Necessary to fix the following for pfsync'd states:
- per-rule limits on number of states
- altq
- rule-based settings such as timeouts
More work to do re: nat rules, src-nodes, etc.
NOTE: This modifies the pfsync header and version number.
Tools which process pfsync packets must be recompiled, and firewalls with
different versions will not sync.
ok mpf@ henning@ dhartmei@

and calculate the modulator. This ensures that modulated initial sequence
numbers have the same properties regarding separation and non-repetition as
those generated by our TCP stack.
ok markus@ frantzen@

From: Mike Belopuhov <mkb@crypt.org.ru>

The previous code could wrongly delete multicast groups
on the parent interface. Now we forward only remembered
delete requests.
OK mcbride, mickey.

in the data part for the data from the previously distinct tags.
look up the tag early and carry a pointer to it around.
makes the code easier and saves some tag lookups and thus helps performance,
as proven by tests run by Schöberle Dániel <Schoeberle.Daniel@aamtech.hu>
Initially hacked up somewhere over the Atlantic Ocean in an A330
early testing reyk and moritz, "put it in" theo

address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd access points.
ok jason@, jsg@ can't see anything objectionable

the address of the softc. Reported by Peter Phillip via PR-4501.

Help and ok claudio@, ok brad@

added later, currently the master port will always be the default
(active) port and the next active port will be used as the
failover port.
ok brad@

ok deraadt@

__STRICT_ALIGNMENT instead.
Help pedro@ deraadt@, ok deraadt@

- Introduces a rw_lock in pfioctl so that we can have concurrent readers
but only one process performing updates at a time;
- Separates state expiry into "unlink" and "free" parts; anyone can unlink
a state/src node from the RB trees at any time, but a state can only be
freed whilst the write lock is held;
- Converts state_updates into list state_list containing all states,
regardless of whether they are "linked" or "unlinked";
- Introduces a new PFTM_UNLINKED state that is used on the "unlinked" states
to signal that they can be freed;
- Converts pf_purge_expired_state to an "unlink" state routine, which only
unlinks the state from the RB trees. Freeing the state/src nodes is left
to the purge thread, which runs whilst holding a write lock, such that all
"next" references remain valid;
- Converts pfsync_bulk_update and DIOCGETSTATES to walk state_list rather
than the RB trees;
- Converts the purge thread to use the new state_list and perform a partial
purge every second, with the target rate a full state table walk every
PFTM_INTERVAL seconds.
seen by mcbride, henning, dhartmei pre-3.8, but too intrusive for then

ok brad@

ok reyk@

- add multicast support by passing multicast addresses to the ports.
this is a requirement for carp(4) over trunk(4).
- support the smallest common interface capabilities. i.e., this adds
support for VLAN MTUs if all attached ports have this capability.
- add a port_destroy callback to the trunk protocol. this fixes a
potential crash if the master port has been detached while running.
discussed with deraadt@, brad@ and some others.

from Boris Polevoy <vapcom at mail dot ru>, ok mcbride@

(similar to proxy ports for tcp/udp). not all clients use per-invocation
random ids, this allows multiple concurrent connections from such clients.
thanks for testing to Rod Whitworth, "looks ok" markus@

reported by Boris Polevoy, tested by Jean Debogue, ok henning@

pf_state buffers on the stack.
ok henning mcbride

to search for a particular entry in the RB trees are at the start of the
structure.
This permits us to place a much smaller structure on the stack in the
interrupt paths that match packets against state entries.
ok mcbride

want to map the remaining bits to something else later on.

ok henning mcbride, looks good frantzen

from Stephen Marley; ok deraadt@

a kill message for a state that was generated on another firewall.

Different fix tested by the submitter, xiangbo3 at gmail com.
ok claudio@

DIOCGETSTATE.
ok dhartmei mcbride

ok ho@

"established" state. Requires recompiling pfctl, etc.
ok dhartmei@

This makes it possible to distinguish between E1 G.704 mode with and without
CRC4 checksum. Also add an operating mode IFM_TDM_MASTER to specify that
the card has to provide the clock source for the line.
OK deraadt@ canacar@

have purged all states in the case when an interface name was specified.
pf_purge_expired_states should decrease the count as appropriate.
ok dhartmei

to that in rev 1.40 for interface groups.
ok henning

inlined), ok art@

but statics are dangerous in case of concurrency. ok deraadt@

making pppoe(4) work on sparc64. Fixes PR-4311
Reported and fix tested by David Coppa < dcoppa at gmail com >

they time out. Any other hosts that have also learnt these states will already
know that they are due to time out.
ok henning

Instead of purging immediately, let the state be purged at the purge interval.
ok henning

"validating" it, pass the bits to be ignored down to the validating
function in its allowedflags argument. Saves a 1kB+ stack allocation.
ok henning@

Use a static buffer for another large variable, pending further analysis.
prodded deraadt