path: root/sys/net
Age  Author  Commit message

2006-10-23  Henning Brauer
make the pflog interface clonable. for now, only allow pflog0 to be created. keep an array of ifps to the pflog interfaces with the unit # as index for fast access. if pflog0 does not exist, no logging is done (just like if it is down). on machines without pf enabled, this makes the pflog0 interface go away, on machines with pf, rc sets up pflog0 and starts pflogd, no change there. idea old (pf2k4 or c2k5?), hacked at the hack.lu 2006 conference, ryan ok

2006-10-21  Henning Brauer
the create and destroy functions for clonable interfaces return 0 on success, not -1 on error. fix check in 2 cases. ok mpf mcbride

2006-10-17  Reyk Floeter
increase max pf tag name size from 16 to 64 characters. ok henning@ dhartmei@ deraadt@

2006-10-11  Ryan Thomas McBride
Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside the anchor, terminate ruleset evaluation when stepping out of the anchor. This means that if you absolutely want the anchor to be terminal, you probably want to use a 'block all' or 'pass all' rule at the start of the anchor. ok dhartmei@ henning@ deraadt@

2006-09-26  Pedro Martelletto
Fix compilation, okay henning@ mpf@

2006-09-18  Markus Friedl
allow RST from TCP client, even if client does not send data after SYN; ok frantzen, dhartmei, henning

2006-09-18  Daniel Hartmeier
fix tos (type-of-service) comparisons. for rules which use 'tos x', compare for equality (ip_tos == x). for priority queue assignment, compare AND-wise (ip_tos & IPTOS_LOWDELAY). this matters mostly for cases where the reserved bits in ip_tos are used (RFC791, 1349) and more than a single bit is set. from Steve Welham, closes PR5226 and PR5227.

2006-08-30  Damien Miller
allow DIOCNATLOOK to look up NAT states for protocols without port numbers, reported by Raja Subramanian; ok henning@

2006-08-29  Henning Brauer
allow the carp demotion counter to be changed by arbitrary values as long as the resulting demotion counter value is in range. previously, we only allowed +/- 1. ok mpf mcbride deraadt

2006-08-28  Can Erkin Acar
Check for illegal option lengths when parsing LCP packets and drop such bad packets. Also remove some redundant mallocs. This fixes possible heap overflows when forming replies to such bad packets as discovered by Martin Husemann and Pavel Cahyna. reported by NetBSD, initial diff from markus@, additional comments by claudio@, ok markus@

2006-08-20  Kevin Steves
if_tun.c also has this comment so remove duplicate; ok jmc@ krw@

2006-07-21  Daniel Hartmeier
fix a bug in the input sanity check of DIOCCHANGERULE (not used by pfctl, but third-party tools). a rule must have a non-empty replacement address list when it's a translation rule but not an anchor call (i.e. "nat ... ->" needs a replacement address, but "nat-anchor ..." doesn't). the check confused "rule is an anchor call" with "rule is defined within an anchor". report from Michal Mertl, Max Laier.

2006-07-18  David Gwynne
get rid of arc network support. we have no users of it so this is dead code. however, it is still cluttering up the kernel namespace a bit. it is better gone. ok claudio@

2006-07-18  Michael Shalayeff
typo

2006-07-11  Can Erkin Acar
Only print link state changes if interface is in debug mode. Affects devices using the sppp layer (pppoe, art, san, lmc) ok deraadt@

2006-07-11  Can Erkin Acar
Error messages from remote may not be '\0' terminated. Also cleanup error message device name printing. Based on diff from NetBSD via Andrey Matveev Also, use log when printing error messages, and syslog will handle any nonprintable characters, discussed with deraadt@

2006-07-06  Henning Brauer
argh, again i forgot a file. sorry

2006-07-06  Henning Brauer
allow rules to point to an alternate routing table, and tag packets matching that rule so that the forwarding code later can use the alternate routing table for lookups (not implemented yet). the tagging is "sticky", every matching rule modifies, just like the regular "tag". ok claudio hshoexer, hacked at r2k6

2006-07-04  Theo de Raadt
logging should be in debug mode only. if every network driver did a dmesg printf every time they came up, would that be a better world?

2006-07-02  Reyk Floeter
diff from peter phillip at freenet dot de: the "pppoe0: up" message is annoying when one is on console and the system has been configured to recall the ISP every minute or so. Moving the printf() to a log() fixes this and the "pppoe0: up" message is still seen in logs and dmesg. ok canacar@

2006-06-28  Claudio Jeker
Another unused function bites the dust -- this time pflogrtrequest(). OK markus@

2006-06-28  Claudio Jeker
Kill unused encrtrequest(). OK markus@

2006-06-21  Brad Smith
add media types for 10Gb Ethernet, though only using a baudrate of 1Gbps, until the size of the baudrate field has been increased.

2006-06-19  Claudio Jeker
Unbreak the tree. The code to set and unset the RTF_MPATH bit on all multipath routes did not carefully check if the route lookup succeeded or not and so rn_mpath_next(rn) blew up because rn was NULL. Check if rnh_lookup succeeded before touching rn in any way. OK norby@ initial diff by hshoexer@

2006-06-18  Christopher Pascoe
Whitespace, oops.

2006-06-18  Christopher Pascoe
Add support for equal-cost multipath IP. To minimise path disruptions, this implements recommendations made in RFC2992 - the hash-threshold mechanism to select paths based on source/destination IP address pairs, and inserts multipath routes in the middle of the route table. To enable multipath distribution, use:
    sysctl net.inet.ip.multipath=1
and/or:
    sysctl net.inet6.ip6.multipath=1
testing norby@ ok claudio@ henning@ hshoexer@

2006-06-17  Christopher Pascoe
When multipath routes are inserted, ensure that RTF_MPATH is set for any previous route that may not have been inserted with the -mpath flag. Similarly, when removing a multipath route and leaving only one route, clear the RTF_MPATH flag so this is clear. ok claudio@

2006-06-17  Henning Brauer
adopt to extended rtrequest / rtalloc1 api

2006-06-17  Henning Brauer
unbreak; from theo

2006-06-16  Henning Brauer
support passing the desired routing table ID via the sysctl interface (NET_RT_DUMP & friends) too. keep supporting the old form (and imply id 0) of course. claudio ok

2006-06-16  Henning Brauer
pass the routing table ID over the routing socket, so we can start to manipulate alternate tables from userland. new tables are created implicitly when an RTM_ADD for that table is seen. ok norby claudio hshoexer

2006-06-16  Henning Brauer
adjust functions dealing with the routing table to take a table ID as parameter so they can work on alternate tables. table 0 hardcoded for many callers yet, that will be adapted step by step. input + ok claudio norby hshoexer

2006-06-16  Claudio Jeker
Cleanup radix.c, remove unused stuff, use nicer prototype definitions and remove the ugly routed hacks. OK henning@, hshoexer@

2006-06-15  Henning Brauer
put the multiple routing tables support back in, fixed. problem before: with this, we are no longer using the address family as array index directly, since only 3 of 31 address families actually attach a table, but we're using an address family to array index translation (just another array). there, 0 meant "does not attach a table", thus rt_gettable has to return a null pointer. unfortunately we were using array index 0 for whatever af attaches first, and since the list is backwards, that used to be ipsec - except on ipsec-less ramdisks, where it was inet6, and since route show blindly iterates over all address families, and all those without a table pointed to index 0, we got 28 or 29 copies of the v6 table. i had that right initially, and then i borked it later... re-spotted by claudio. ok norby hshoexer claudio

2006-06-06  Theo de Raadt
back out multiple routing table diffs (3 of 'em) because this makes 'route show' dump out repeated copies of the v6 routing table on ramdisks. on some architectures it spins forever doing this, on others it just goes for a long time printing the v6 routes over and over before terminating. spotted by jmc and krw, backout diff tested by beck.

2006-06-02  Marco Pfatschbacher
Introduce attributes to interface groups. As a first user, move the global carp(4) demotion counter into the interface group. Thus we have the possibility to define which carp interfaces are demoted together. Put the demotion counter into the reserved field of the carp header. With this, we can have carp act smarter if multiple errors occur. It now always takes over other carp peers, that are advertising with a higher demote count. As a side effect, we can also have group failovers without the need of running in preempt mode. The protocol change does not break compatibility with older implementations. Collaborative work with mcbride@ OK mcbride@, henning@

2006-06-01  Todd T. Fries
observed by Naddy, found by claudio, strange constructs require strange defines .. fixes proto display for the non zero case ok claudio@

2006-06-01  Henning Brauer
use the table ID as array index directly, faster in the forwarding path we trade higher memory consumption if the user doesn't use continuous table IDs, but in the worst case (table IDs 0 and 255, 64bit machine) that is 2KB ok claudio ryan

2006-05-31  Henning Brauer
add comment indication that rtable_add must be called at splsoftnet

2006-05-31  Henning Brauer
move us to multiple routing table heads.
- instead of statically declaring the heads, allocate memory for them
- add second dimension to the routing table head array, table ID
- space saver: do not use the AF as array index directly, but have an AF->index translation array and only account for AFs actually attaching a routing table
note that while that allows for multiple routing table heads, nothing uses that yet. tested by many, ok claudio reyk norby mcbride

2006-05-30  Claudio Jeker
Export the route labels via sysctl interface not only via RTM_GET. OK henning@ norby@

2006-05-30  Todd T. Fries
with Naddy prodding, claudio's peril sensitive glasses turning black, and msf@'s assistance with hexdumping, this bug was found. do NOT access the wrong union member (sockaddr_in) when using v6 addresses this fixes output errors when displaying v6 encap routes for ipsecctl, route, and recently netstat ok hshoexer@ markus@ claudio@ naddy@

2006-05-28  Claudio Jeker
Fix multicast and broadcast over gre(4) tunnels. Clear the M_MCAST and M_BCAST mbuf flags so that the packet is sent out with a normal link local address instead of a multicast or broadcast address. OK brad@

2006-05-28  Ryan Thomas McBride
Enable adaptive timeouts by default, with adaptive.start of 60% of the state limit and adaptive.end of 120% of the state limit. Explicitly setting the adaptive timeouts will override the default, and it can be disabled by setting both adaptive.start and adaptive.end to 0. ok henning@

2006-05-28  Ryan Thomas McBride
Only preemptively increase the replay counter for outbound TDBs. Another ipsec failover fix from nathanael at polymorpheus dot com. ok hshoexer@

2006-05-28  Reyk Floeter
check if the interface is active and UP. some, but not all, network drivers report an active link state even if the interface is DOWN. this should fix trunk with various ethernet devices. ok brad@

2006-05-28  Henning Brauer
fix a whitespace error causing confusion

2006-05-27  Brad Smith
remove IFCAP_JUMBO_MTU interface capabilities flag and set if_hardmtu in a few more drivers. ok reyk@

2006-05-26  Theo de Raadt
rename jumbo mtu to if_hardmtu; ok brad reyk

2006-05-23  Reyk Floeter
knf and remove an unneeded debug message