Age | Commit message (Collapse) | Author |
|
1) at least one match rule matched the packet and
2) we do not create state
found by me while fixing the pool_get problem, ok dlg
|
|
introduced by yours truly (no idea how that could happen), problem
found by sthen the hard way, fix by me. ok dlg
|
|
ok claudio@
|
|
|
|
Change to void function.
Also, no need to have global tty stats pointer, so just return it
from clalloc, as the caller frees it immediately anyway.
ok miod@
|
|
Changes in those revisions limited the send queue to one slot.
This breaks NFS over vlan(4) as discovered by sthen@.
"just plain back it out." deraadt@
|
|
Encapsulated pppoe packets are moved into the rdomain of the physical interface
because it is possible that a pppoe(4) interface is in a different rdomain
than the physical interface.
OK reyk@
|
|
IFQ_SET_MAXLEN(&ifp->if_snd, ifqmaxlen).
the first was deprecated by the use of IFQ_SET_MAXLEN.
|
|
interfaces down to the queue on the physical interface immediately.
this avoids having the tx mitigation code wasting cpu time dicking around
with simply shuffling packets off virtual interface queues and lets it
do its job of amortising the cost of calling a real interface's start
routine.
it also prevents an artificial inflation of the physical interface's queue
length where packets could hide on the virtual interfaces' queues during
softnet before being dumped en masse onto the hardware. this will smooth
out the rate at which packets are submitted to the hardware.
kjc@ says this has no impact on altq. ya henning@
|
|
ok claudio@, henning@
|
|
protocols as it is currently in if_ethersubr.c. OK reyk@
|
|
routing message. We can then rely on that flag to spot out
MPLS routes coming from routing socket.
ok claudio@
|
|
ok henning, jsing
|
|
of code between cases, so stop pretending otherwise, and move the
if() dance to a switch, as is done in every other pr_usrreq I'm aware of.
ok claudio@ michele@
|
|
"reassemble tcp" state option failed to work correctly. Increasing this
to u_int16_t fixes kernel/6178. ok deraadt@ henning@
|
|
ok henning@
|
|
malloc()ing it and calling that macro.
No functional change, just tightening things up a bit.
ok claudio@ michele@
|
|
ICMPv6 messages.
ok henning@
|
|
Suggested by Max Laier.
ok henning@
|
|
spotted by naddy@
ok henning@
|
|
While here, fix whitespace (spaces -> tabs) issue spotted by michele@
ok michele@, claudio@
|
|
OK: sthen@, henning@
|
|
windows than our peer.
this resolves the last of the pfsync traffic storm issues I've been able to
produce, and therefore makes it possible to do usable active-active
stateful firewalls with pf.
lots of testing locally on the production firewalls, also tested by sthen@
|
|
sync peers are able to get the states before the replies. previously there
was a race where the reply could hit a partner firewall before it had the
state for it, which caused the reply to get processed by the ruleset which
probably would drop it.
this behaviour is off by default because it does delay packets, which is
only wanted in active-active firewalls or when an upstream router is slow
to learn that you've moved the active member of the pfsync cluster. it also
uses memory keeping the packets in the kernel.
use "ifconfig pfsync0 defer" to enable it, "ifconfig pfsync0 -defer" to
disable.
tested by sthen@ who loves it. he's got manpage changes coming up for me.
|
|
and the conditions on which pfsync will notify its peers on a stale update.
each side (i.e., the sending and receiving side) of the state update is
compared separately. any side that is further along than the local state
tree is merged. if any side is further along in the local state table, an
update is sent out telling the peers about it.
this has been flogged to death on my firewalls.
|
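The per-side merge rule described in the commit above, as an added example written for this page (not OpenBSD's pfsync code). The real pf_state_peer carries sequence windows and several other fields; here each side is reduced to a single hypothetical monotonic progress counter so the merge/notify decision can be run on its own.

```c
#include <stdio.h>

/* One side (sending or receiving) of a state, reduced to a single
 * monotonic progress counter. Real pf tracks sequence windows per side;
 * this scalar is a stand-in for "how far along" that side is. */
struct side { unsigned int progress; };

/* A state as seen by one pfsync peer: both directions of the flow. */
struct state { struct side src, dst; };

/* Merge a peer's update into the local state one side at a time.
 * A side where the peer is ahead is taken from the update; a side where
 * the local copy is ahead means the peer is stale, so the caller must
 * send an update back. Returns 1 if such an update is needed. */
static int
pfsync_merge_update(struct state *local, const struct state *update)
{
	struct side *ls[2] = { &local->src, &local->dst };
	const struct side *us[2] = { &update->src, &update->dst };
	int stale_peer = 0;
	int i;

	for (i = 0; i < 2; i++) {
		if (us[i]->progress > ls[i]->progress)
			ls[i]->progress = us[i]->progress;	/* peer ahead: merge */
		else if (us[i]->progress < ls[i]->progress)
			stale_peer = 1;				/* we are ahead: notify */
	}
	return stale_peer;
}

/* Constructed scenario: the peer saw more of the src side, we saw more of
 * the dst side. Both sides end up at their maximum and an update goes out,
 * because the peer is behind on dst. Copies the merged state to *out. */
static int
mixed_update_demo(struct state *out)
{
	struct state local = { { 5 }, { 3 } };
	struct state update = { { 7 }, { 2 } };
	int notify = pfsync_merge_update(&local, &update);

	if (out != NULL)
		*out = local;
	return notify;
}

/* Constructed scenario: identical states merge to nothing and stay quiet,
 * which is what stops two peers from echoing updates at each other. */
static int
equal_update_is_quiet(void)
{
	struct state local = { { 7 }, { 3 } };
	struct state update = { { 7 }, { 3 } };

	return pfsync_merge_update(&local, &update) == 0;
}

int
main(void)
{
	struct state merged;
	int notify = mixed_update_demo(&merged);

	printf("merged src=%u dst=%u, notify peers: %s\n",
	    merged.src.progress, merged.dst.progress, notify ? "yes" : "no");
	printf("equal update is quiet: %s\n", equal_update_is_quiet() ? "yes" : "no");
	return 0;
}
```

The important property is that the two sides are never compared as a unit: an update that is ahead on one side and behind on the other is partially merged and still answered, which is the case the commit says was previously mishandled.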
|
most obvious problem.
if the state table is empty, we'd deref a null pointer.
tested on my firewalls with big state tables, so existing use cases still
work.
|
|
but our local copy proto that we very carefully set beforehand. skw
being NULL is perfectly valid there.
|
|
found by sthen and fixed, all other callers of these macros checked by both
of us
|
|
steps found with the recent pfvar.h commit to check address families.
from & commit req by henning.
|
|
by backing out the macro fix. something must rely on the broken behaviour
|
|
was added in 2001. yes I got bitten by inet6 shit again.
in the ANEQ case, if af == AF_INET, (a)->addr32[0] != (b)->addr32[0]
is false when the addresses ARE equal. now it goes right in the
intended-for-v6 case and starts to compare the other addr32 fields -
in the v4 case I have garbage in them, so it reports all v4 as different
when they are in fact the same. fix by adding explicit af == INET6 test
before going on to compare the rest.
found the really hard way (many hours wasted, thought the bug was in my
new code) by me. ok sthen markus claudio
|
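The bug described in the commit above, reconstructed as an added example for this page. This is not the text of pfvar.h; the two functions have the shape the message describes (a family check only on word 0, then an unconditional comparison of words 1..3) and the fixed shape with an explicit family test in front of the v6-only words. `struct pfaddr`, `AF_INET_` and `AF_INET6_` are stand-ins, and the addresses are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the address-family constants. */
enum { AF_INET_ = 2, AF_INET6_ = 24 };

/* Four 32-bit words, like pf_addr's addr32[]. An IPv4 address only
 * populates word 0; words 1..3 hold whatever was in memory before. */
struct pfaddr { uint32_t addr32[4]; };

/* "Not equal" test with the shape the commit describes: for AF_INET the
 * first clause is false when word 0 matches, so evaluation falls through
 * into the comparison of words 1..3 that was only meant for v6. */
static int
aneq_buggy(const struct pfaddr *a, const struct pfaddr *b, int af)
{
	return (af == AF_INET_ && a->addr32[0] != b->addr32[0]) ||
	    a->addr32[1] != b->addr32[1] ||
	    a->addr32[2] != b->addr32[2] ||
	    a->addr32[3] != b->addr32[3];
}

/* Same test with an explicit family check in front of words 1..3. */
static int
aneq_fixed(const struct pfaddr *a, const struct pfaddr *b, int af)
{
	if (af == AF_INET_)
		return a->addr32[0] != b->addr32[0];
	if (af == AF_INET6_)
		return a->addr32[0] != b->addr32[0] ||
		    a->addr32[1] != b->addr32[1] ||
		    a->addr32[2] != b->addr32[2] ||
		    a->addr32[3] != b->addr32[3];
	return 1;	/* unknown family: treat as different */
}

/* Constructed input: the same IPv4 address (10.0.0.1) in two structs whose
 * unused words carry different leftover bytes. Returns 1 when the buggy
 * test reports them as different and the fixed test reports them equal. */
static int
v4_garbage_misreported(void)
{
	struct pfaddr a = { { 0x0a000001, 0xdeadbeef, 0x00000000, 0x00000000 } };
	struct pfaddr b = { { 0x0a000001, 0x00000000, 0xcafebabe, 0x00000000 } };

	return aneq_buggy(&a, &b, AF_INET_) != 0 &&
	    aneq_fixed(&a, &b, AF_INET_) == 0;
}

/* For IPv6 both versions must agree: a difference in the last word counts. */
static int
v6_still_detected(void)
{
	struct pfaddr a = { { 0x20010db8, 0, 0, 0x00000001 } };
	struct pfaddr b = { { 0x20010db8, 0, 0, 0x00000002 } };

	return aneq_buggy(&a, &b, AF_INET6_) != 0 &&
	    aneq_fixed(&a, &b, AF_INET6_) != 0;
}

int
main(void)
{
	printf("v4 with garbage misreported by buggy test: %s\n",
	    v4_garbage_misreported() ? "yes" : "no");
	printf("v6 difference detected by both: %s\n",
	    v6_still_detected() ? "yes" : "no");
	return 0;
}
```

The practical lesson is the one the commit draws the hard way: any comparison over a union of address families has to gate every clause on the family, because the unused words of a v4 address are not guaranteed to be zero.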
|
ok henning@
|
|
Makes non-IPv6 kernels build again
blame and ok henning@
|
|
alternate routing table and separate them from other interfaces in distinct
routing tables. The same network can now be used in any domain at the same
time without causing conflicts.
This diff is mostly mechanical and adds the necessary rdomain checks across
net and netinet. L2 and IPv4 are mostly covered; still missing pf and IPv6.
input and tested by jsg@, phessler@ and reyk@. "put it in" deraadt@
|
|
ifconfig em0 -inet6
deletes all v6 addresses including link-local and prevents new ones from
being added.
ifconfig em0 inet6 <addr>
re-enables v6, brings the link local back and adds optional <addr>
ok theo reyk
|
|
opened and goes down when the device fd is closed. Makes working with qemu
a bit nicer when routing to tun(4) interfaces.
dlg@ "diff reads good"
|
|
priority 0. while we are in here make sure we add wi interfaces to group "wlan"
in the same way the net80211 stuff already is.
this makes dhcp multiple default routes useful on laptops.
ok claudio@
|
|
tested by Manuel Rodriguez Morales <marodriguez at grupogdt.com>
|
|
No binary change.
|
|
to save some space in the kernel. Although there are deeper issues with
interface attachment, this diff was not meant to address those, just to
shave some space ;)
ok henning@, claudio@
|
|
transactional. sanity checked claudio, requested by theo for some time
|
|
not smart enough to handle it in a sensible way. Make sure the kernel
selected routing priority is actually exported to userland or to help
daemons like bgpd to correctly keep track of the routes. This should fix
some of the rather strange errors seen by people having multipath routes
on their bgpd boxes. While there make the interface priority inheritance
on static routes work again.
OK henning@
|
|
the rtfree panic seen by some people.
|
|
refcnt bump caused the panic to be triggered. While there also make the
priority so that the compare is working a bit better.
henning@ cries in agony (I already gave up)
|
|
ok claudio@
|
|
code. In pf rtableid == -1 means don't change the rtableid because
of this rule. So it has to be signed int there. Before the value
is passed from pf to route it is always checked to be >= 0. Change
the type to int in pf and to u_int in netinet and netinet6 to make
the checks work. Otherwise -1 may be used as an array index and
the kernel crashes.
ok henning@
|
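The signed/unsigned mismatch described in the commit above, as an added example written for this page (not OpenBSD's pf or netinet code). The selector functions, `PF_RTABLEID_KEEP` and the four-entry routing table are hypothetical; the point is that the "leave it alone" marker -1 only survives an `>= 0` check if the variable holding it is signed, and that the unsigned consumer still needs its own bounds check.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Constructed table of routing domains, indexed by rtableid. */
#define RT_NTABLES 4
static const char *rtable_name[RT_NTABLES] = { "rt0", "rt1", "rt2", "rt3" };

/* pf's "leave the packet's rtableid alone" marker, as in the commit. */
#define PF_RTABLEID_KEEP (-1)

/* Broken shape: the rule's rtableid is held unsigned, so the marker -1
 * is stored as UINT_MAX and "rtableid >= 0" accepts it. gcc -Wextra
 * (-Wtype-limits) reports this comparison as always true. */
static unsigned int
select_rtableid_buggy(unsigned int rule_rtableid, unsigned int pkt_rtableid)
{
	if (rule_rtableid >= 0)
		return rule_rtableid;
	return pkt_rtableid;
}

/* Fixed shape: pf keeps the value signed, so the marker is really negative
 * and is only handed across as unsigned once it has passed the check. */
static unsigned int
select_rtableid_fixed(int rule_rtableid, unsigned int pkt_rtableid)
{
	if (rule_rtableid >= 0)
		return (unsigned int)rule_rtableid;
	return pkt_rtableid;
}

/* netinet side: unsigned index, bounds-checked before use. Without this
 * check the buggy selector's UINT_MAX would be used as an array index,
 * which is the crash the commit describes. */
static const char *
rtable_lookup(unsigned int rtableid)
{
	if (rtableid >= RT_NTABLES)
		return NULL;
	return rtable_name[rtableid];
}

int
main(void)
{
	unsigned int pkt_rtableid = 2;
	unsigned int bad = select_rtableid_buggy((unsigned int)PF_RTABLEID_KEEP, pkt_rtableid);
	unsigned int good = select_rtableid_fixed(PF_RTABLEID_KEEP, pkt_rtableid);
	const char *bad_name = rtable_lookup(bad);

	printf("buggy: rtableid %u -> %s\n", bad, bad_name ? bad_name : "out of range");
	printf("fixed: rtableid %u -> %s\n", good, rtable_lookup(good));
	return 0;
}
```

Keeping the two types distinct on either side of the hand-off (int where -1 is meaningful, u_int where only real table indices are valid) is what makes the `>= 0` check and the `>= RT_NTABLES` check each do real work.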
|
the splnet calls and the extra splx(s)s necessary for it to be safe.
bug found by sthen@
|
|
all the other protocols is simply pushing the timeouts along which has a
resolution of 1 second, so it isn't going to be hurt by pfsync taking up
to a second to send it over.
keep track of updates on tcp still though, their windows need constant
attention.
tested by sthen@
|
|
us relying on where we are setting it. ok ryan dlg
|
|
turned up in pf_icmp_state_lookup.
ok sthen@
|