pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan
|
Notably, this fixes "(pppoe0)" in pf. ok markus@
|
ok markus@
|
dealing with a carp interface.
|
style as vlan(4). carp interfaces no longer require the physical interface
to be on the same subnet as the carp interface, or even that the physical
interface has an address at all, so CARP can now be used on /30 networks.
ok deraadt@ henning@
|
pfvar.h. builds kernel and userland.
|
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.
ok deraadt@ henning@ dhartmei@
|
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.
ok deraadt@ henning@ dhartmei@
|
ok mcbride@
|
Also purge states with an empty ifname.
ok mcbride@
|
header. pf finds the first TCP/UDP/ICMP6 header to filter by traversing
the header chain. In the case where headers are skipped, the protocol
checksum verification used the wrong length (included the skipped headers),
leading to incorrectly mismatching checksums. Such IPv6 packets with
headers were silently dropped. Reported by Bernhard Schmidt. ok mcbride@
|
table is not visible/accessible when the rule is the only reference
(you don't HAVE to reference the table elsewhere).
|
the 3-way handshake. Allow limits on both total connections and connection
rate, put offenders in a table which can be used in the ruleset, and optionally
kill existing states. Rate tracking code from dhartmei@.
Adds a second pool for table entries using the default allocator, which
allows entries to be added at splsoftnet().
ok deraadt@ dhartmei@
|
a struct timeout to struct ifqueue so that each one has its own - it
is a per-queue thing. from chris pascoe
|
around the entire body. this resolves the (misleading) panics in
pf_tag_packet() during heavy ioctl operations (like when using authpf)
that occur because softclock can interrupt ioctl on i386 since SMP.
patch from camield@. ok mcbride@, henning@ and (presumably ;) bob@
|
ok otto jsg henning pat markus deraadt fgs
|
ok canacar markus millert
|
as for the ports, i could only find one. if there are more, they will be
fixed in the tree as discussed with peter.
deraadt@ pvalchev@ ok.
|
Initial porting from NetBSD by David Berghoff.
Modified/simplified to match our sppp implementation.
ok deraadt@
|
and use sysctl for 'ipsecadm show'; ok deraadt
|
'binat from ... to ... -> (if)' are used, where the interface
is dynamic. reported by kos(at)bastard(dot)net, analyzed by
Pyun YongHyeon
|
reported by Joerg Sonnenberger, ok henning@
|
ok myself markus@
|
- Add a new PFSTATE_STALE flag to uncompressed state updates sent as a result
of a stale state being detected, and prevent updates with this flag from
generating similar messages.
- For the specific case where the state->src in the received update is ok but
the state.dst is not, take the partial update, then "fail" to let the other
peers pick up the better data that we have. From Chris Pascoe.
ok dhartmei@
|
for ACKs. It should filter the ACK replayed to the server, instead of
the one to the client. Thanks to Daniel Polak for testing.
|
ok henning, markus.
|
ok millert@
|
from "Alexey E. Suslikov" <cruel@texnika.com.ua> with a little help from itojun
|
th_flags TH_ACK and leave th_ack 0, just like the RST generated by
the stack in this case. Fixes the Raptor workaround. ok beck@, markus@
|
mode (set mode for multi-mode interfaces) and chan (set the radio channel).
some additional output will be printed by "ifconfig -m".
ok deraadt@ millert@ damien@
|
of hiding under IFT_PROPVIRTUAL, ryan daniel ok
|
ok millert@ miod@
|
now they abide by the same rules as anchor names referred to by rules:
- initial slashes (/) are stripped
- anchor names with characters after the terminating NUL byte are
considered invalid
ok dhartmei (and previously) beck henning
|
there is now a TAILQ with all interface groups as members, and
in struct ofnet there is only a pointer to the group structure stored
and not its name.
mostly hacked at c2k4 and somewhere over the atlantic ocean
ok markus mcbride
|
ok mcbride@
|
master provides the clock -- this is normally the switch, but if you
are doing back-to-back NICs, you need to tell one side to be the master).
ok mcbride@
|
fixes pflog attributing states wrongly to anchors and pfctl -vvsn/sr
showing wrong state counters for anchor rules. found by camield@,
ok henning@, -stable candidate
|