path: root/sys/net

Commit log (Age, Author, Commit message)
2005-11-04  Ryan Thomas McBride
crank pf_state and pf_src_node byte and packet counters to u_int64_t, since
we're breaking pfsync compatibility this cycle anyways. Requested by djm@, ok henning@, 'wheee!' deraadt@
2005-11-03  Reyk Floeter
re-implement the bpf "filter drop" option so that it actually works. the
bpf FILDROP interface exists for about one year but the required interface to the drivers was missing - so it was useless. this new approach based on a design by henning@ uses a new mbuf flag to mark filtered packets and to drop them in the generic network stack input routines (like ether_input). for example; after some additional testing, this could be used by dhclient to filter everything except DHCP packets (track tech@ for a corresponding dhclient diff). the "filter dropped" packets won't reach the network stack. so it's probably some kind of a very basic application layer packet filter ;). ok canacar@, discussed with henning@ and others
2005-11-01  Christopher Pascoe
Always ensure that we have memory for the 'dst' scrub information, which may
not have been allocated at the initial state synchronisation time. ok henning@
2005-10-28  Ryan Thomas McBride
s/rmatch/chksum_flag/ to clarify what's going on. Pointed out by dhartmei@
Oh. and a KNF nit.
2005-10-27  Ryan Thomas McBride
Basic support for attaching states from pfsync to the correct rules.
Applies only to rules in the main ruleset (not anchors) if the ruleset checksum matches. Necessary to fix the following for pfsync'd states:
- per-rule limits on number of states
- altq
- rule-based settings such as timeouts
More work to do re: nat rules, src-nodes, etc. NOTE: This modifies the pfsync header and version number. Tools which process pfsync packets must be recompiled, and firewalls with different versions will not sync. ok mpf@ henning@ dhartmei@
2005-10-26  Ryan Thomas McBride
Instead of using arc4random() to modulate the TCP isn, call tcp_rndiss_next()
and calculate the modulator. This ensures that modulated initial sequence numbers have the same properties regarding separation and non-repetition as those generated by our TCP stack. ok markus@ frantzen@
2005-10-25  Henning Brauer
mtag in pf_route is now only used for IPSEC, so #ifdef it
From: Mike Belopuhov <mkb@crypt.org.ru>
2005-10-23  Marco Pfatschbacher
Rework of multicast deletion code for vlan(4) and trunk(4).
The previous code could wrongly delete multicast groups on the parent interface. Now we forward only remembered delete requests. OK mcbride, mickey.
2005-10-17  Henning Brauer
make pf use one mbuf tag instead of 6 distinct ones. use a little struct
in the data part for the data from the previously distinct tags. look up the tag early and carry a pointer to it around. makes the code easier and saves some tag lookups and thus helps performance, as proven by tests run by Schöberle Dániel <Schoeberle.Daniel@aamtech.hu> Initially hacked up somewhere over the atlantic ocean in an A330 early testing reyk and moritz, "put it in" theo
2005-10-12  Markus Friedl
no need to call mfree() since m is always NULL; from Andrey Matveev
2005-10-09  Reyk Floeter
if the wireless hostap interface belongs to a bridge, learn the node's
address dynamically on this interface after successful association. this could speed wireless roaming to openbsd access points. ok jason@, jsg@ can't see anything objectionable
2005-10-09  Reyk Floeter
use label
2005-10-08  Can Erkin Acar
Prevent information leak by using a random hunique value instead of
the address of the softc. Reported by Peter Phillip via PR-4501.
2005-10-07  Can Erkin Acar
Report interface link state changes in sppp layer
Help and ok claudio@, ok brad@
2005-10-03  Reyk Floeter
add a simple active "failover" trunk mode. port priorities will be
added later, currently the master port will always be the default (active) port and the next active port will be used as the failover port. ok brad@
2005-09-30  Brad Smith
remove old unused NRL IPv6 code.
ok deraadt@
2005-09-28  Miod Vallat
No part of the code defines UNALIGNED_ACCESS, use reverted tests for
__STRICT_ALIGNMENT instead. Help pedro@ deraadt@, ok deraadt@
2005-09-28  Christopher Pascoe
Improve the safety of pf IOCTLs, taking into account that some paths can sleep.
- Introduces a rw_lock in pfioctl so that we can have concurrent readers but only one process performing updates at a time;
- Separates state expiry into "unlink" and "free" parts; anyone can unlink a state/src node from the RB trees at any time, but a state can only be freed whilst the write lock is held;
- Converts state_updates into list state_list containing all states, regardless of whether they are "linked" or "unlinked";
- Introduces a new PFTM_UNLINKED state that is used on the "unlinked" states to signal that they can be freed;
- Converts pf_purge_expired_state to an "unlink" state routine, which only unlinks the state from the RB trees. Freeing the state/src nodes is left to the purge thread, which runs whilst holding a write lock, such that all "next" references remain valid;
- Converts pfsync_bulk_update and DIOCGETSTATES to walk state_list rather than the RB trees;
- Converts the purge thread to use the new state_list and perform a partial purge every second, with the target rate a full state table walk every PFTM_INTERVAL seconds.
seen by mcbride, henning, dhartmei pre-3.8, but too intrusive for then
2005-09-14  Reyk Floeter
correctly set IFF_RUNNING flag after device state changes.
ok brad@
2005-09-11  Brad Smith
when adding any IP addresses make sure to UP the interface.
ok reyk@
2005-09-10  Reyk Floeter
update the trunk(4) driver
- add multicast support by passing multicast addresses to the ports. this is a requirement for carp(4) over trunk(4).
- support the smallest common interface capabilities. ie., this adds support for VLAN MTUs if all attached ports have this capability.
- add a port_destroy callback to the trunk protocol. this fixes a potential crash if the master port has been detached while running.
discussed with deraadt@, brad@ and some others.
2005-09-05  Daniel Hartmeier
in DIOCCHANGERULE, properly initialize table, if used in NAT rule.
from Boris Polevoy <vapcom at mail dot ru>, ok mcbride@
2005-08-22  Daniel Hartmeier
when nat'ing icmp 'connections', replace icmp id with proxy values
(similar to proxy ports for tcp/udp). not all clients use per-invocation random ids, this allows multiple concurrent connections from such clients. thanks for testing to Rod Whitworth, "looks ok" markus@
2005-08-22  Daniel Hartmeier
fix rdr to bitmask replacement address pool. patch from Max Laier,
reported by Boris Polevoy, tested by Jean Debogue, ok henning@
2005-08-18  Christopher Pascoe
Malloc temporary buffers in pfioctl rather than having several large
pf_state buffers on the stack. ok henning mcbride
2005-08-18  Christopher Pascoe
Rearrange pf_state and pfi_kif so that the parts of the structure needed
to search for a particular entry in the RB trees are at the start of the structure. This permits us to place a much smaller structure on the stack in the interrupt paths that match packets against state entries. ok mcbride
2005-08-16  Christopher Pascoe
Only send the PFSS_TIMESTAMP timestamp bit across the wire, in case we
want to map the remaining bits to something else later on.
2005-08-16  Christopher Pascoe
Synchronise timestamp modulation and scrubbing min ttl information.
ok henning mcbride, looks good frantzen
2005-08-14  Markus Friedl
don't require a valid route when configuring the tunnel;
from Stephen Marley; ok deraadt@
2005-08-13  Christopher Pascoe
Partial backout of previous revision, reinstates the ability to propagate
a kill message for a state that was generated on another firewall.
2005-08-12  Can Erkin Acar
Use actual packet contents when sending protocol rejects. Fixes PR 4305.
Different fix tested by the submitter, xiangbo3 at gmail com. ok claudio@
2005-08-12  Christopher Pascoe
Fill out interface name and state creation time correctly in
DIOCGETSTATE. ok dhartmei mcbride
2005-08-11  Ryan Thomas McBride
Remove bogus debug printf().
ok ho@
2005-08-11  Joel Knight
Only decrement the max-src-conn counter for tcp connections that reached
"established" state. Requires recompiling pfctl, etc. ok dhartmei@
2005-08-10  Claudio Jeker
kill spaces OK deraadt@
2005-08-10  Claudio Jeker
Add an additional media subtype IFM_TDM_E1_G704_CRC4 for TDM interfaces.
This makes it possible to distinguish between E1 G.704 mode with and without CRC4 checksum. Also add an operating mode IFM_TDM_MASTER to specify that the card has to provide the clock source for the line. OK deraadt@ canacar@
2005-08-07  Christopher Pascoe
Do not blindly reset the state count to zero after a clear, as we may not
have purged all states in the case when an interface name was specified. pf_purge_expired_states should decrease the count as appropriate. ok dhartmei
2005-08-07  Daniel Hartmeier
verify ticket in DIOCADDADDR, from Boris Polevoy, ok deraadt@
2005-08-07  Christopher Pascoe
Reset kif->pfik_ifp to NULL before calling pfi_kif_unref(), similar change
to that in rev 1.40 for interface groups. ok henning
2005-08-06  Christopher Pascoe
correct some spellos
2005-08-05  Daniel Hartmeier
make three functions non-static (namespace is no issue, they might get
inlined), ok art@
2005-08-04  Daniel Hartmeier
instead of static locals, malloc/free. the goal is to reduce stack usage,
but statics are dangerous in case of concurrency. ok deraadt@
2005-08-03  Can Erkin Acar
prevent unaligned memory access when processing LCP echo packets,
making pppoe(4) work on sparc64. Fixes PR-4311. Reported and fix tested by David Coppa < dcoppa at gmail com >
2005-08-03  Christopher Pascoe
Do not send "deletion" messages for states created by other pfsync peers when
they timeout. Any other hosts that have also learnt these states will already know that they are due to time out. ok henning
2005-08-03  Christopher Pascoe
Eliminate another case where pool routines are called without process context.
Instead of purging immediately, let the state be purged at the purge interval. ok henning
2005-08-03  Christopher Pascoe
use flag macro instead of constant
2005-08-02  Markus Friedl
pass the AF in network byte order to bpf
2005-08-02  Christopher Pascoe
Instead of copying a table structure so we can mask off a bit before
"validating" it, pass the bits to be ignored down to the validating function in its allowedflags argument. Saves a 1kB+ stack allocation. ok henning@
2005-08-01  Christopher Pascoe
Minor whitespace cleanup.
2005-08-01  Christopher Pascoe
Use a string directly rather than making a copy, save on stack space.
Use a static buffer for another large variable, pending further analysis. prodded deraadt