path: root/sys/net
Age | Commit message | Author
2007-02-19 | add handling of skip steps for urpf-failed addresses. ok dhartmei@, henning@ | Pierre-Yves Ritschard
2007-02-16 | Unbreak ppp(8) over tun(4) by restricting the flags that can be changed via TUNSIFINFO. ppp(8) was happily clearing the RUNNING flag and so all incoming packets were dropped. Issue reported by irix <at> ukr <dot> net. While there check that the mtu is in a valid range -- stolen from SIOCSIFMTU case. | Claudio Jeker
2007-02-15 | Set topology change propagation on all ports _except_ the caller. From FreeBSD | Reyk Floeter
2007-02-14 | Consistently spell FALLTHROUGH to appease lint. ok kettenis@ cloder@ tom@ henning@ | Jonathan Gray
2007-02-12 | Don't pass random flags to SIOIFFLAGS when changing the lladdr. OK tedu@ | Marco Pfatschbacher
2007-02-11 | Remove _KERNEL_OPT leftovers. | Miod Vallat
2007-02-10 | Cleanup, kill dead code and unused arguments. Mostly stuff that is computed and passed around but never used. OK mglocker@ | Claudio Jeker
2007-02-09 | allow counters to be reset with DIOCGETRULES. this allows an atomic read and reset counters, instead of read, reset in a later ioctl and lose everything in between. use the previously unused of pr->action. When it is set to PF_GET_CLR_CNTR, the ioctl requires write permissions and counters are reset after they have been copied out to userland. obsoletes DIOCCLRRULECTRS, which only works for the main ruleset, but not within anchors (yeah, that's how it all started) ok dhartmei, mcbride and theo agree as well | Henning Brauer
2007-02-09 | grammar fix from bret lambert; | Jason McIntyre
2007-02-08 | compute pseudo-header checksum based on final destination as ip6_dst (i'm bit skeptical about checksumming when the box is not the final destination). drop IPv6 jumbograms, as it could cause various funny symptoms due to ip6_plen being 0 (yup, we should properly handle it instead). ok by deraadt, naddy, hshoexer | Jun-ichiro itojun Hagino
2007-02-06 | Change the behaviour of tun(4) on close. - if the interface was auto-created by opening a /dev/tun* device it will auto-destroy on close. This is comparable to ifconfig tun0 destroy and will remove all routes and addresses associated with the interface. - if the interface was created by ifconfig(8) or hostname.if(5) the interface is persistent -- it is just marked as not running. Especially routes are no longer removed when the interface is closed. This is useful for static setups like the server side of a ssh vpn or static qemu session. This behaviour is more logical than the half done cleanup that is currently done. OK mpf@ | Claudio Jeker
2007-01-31 | handle the full duplex link state in trunk(4). load sharing trunks with at least two ports are always handled as full duplex links. this change will allow trunks as edge ports in a rstp bridge(4). ok brad@ pyr@ | Reyk Floeter
2007-01-26 | When switching mode inherit the TUN_NBIO and TUN_ASYNC flags and clear these flags on close. OK mpf@ | Claudio Jeker
2007-01-18 | allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to compile and work. need to register pfkey whenever tcp md5 or ipsec is defined, and the various ipsec encapsulations only if ipsec is defined. ok theo | Henning Brauer
2007-01-08 | add round brackets around return values | Michele Marchetto
2007-01-08 | discard packet and return if ifp is not a member of the bridge. this fixes PR 5056, discussed with camield@. OK camield@ claudio@ henning@ | Michele Marchetto
2006-12-29 | Add IFM_ETH_FMASK. From NetBSD. Requested by brad@ | Mark Kettenis
2006-12-28 | knf, from bred@ | Todd T. Fries
2006-12-28 | check if ifqueue has anything queued before doing the dance of splnet/IF_DEQUEUE/splx; ok various people | Theo de Raadt
2006-12-27 | Add IFM_ETH_RXPAUSE and IFM_ETH_TXPAUSE. From NetBSD. ok brad@, deraadt@ | Mark Kettenis
2006-12-22 | add special handling for "urpf-failed" with carp interfaces. the unicast reverse path forwarding (URPF) check drops packets coming in on an interface other than that which holds the route back to the packet's source address. this caused problems with routes bound to a carp interface instead of the underlying interface. this diff validates the underlying carpdev if the route is bound to a carp interface. from Pierre-Yves Ritschard (pyr at spootnik.org) ok henning@ | Reyk Floeter
2006-12-21 | in pf_route(), initialize ro to NULL at the beginning. if left uninitialized, it might equal &iproute by chance, causing a panic when rtfree() is then mistakenly called. | Daniel Hartmeier
2006-12-15 | make pflog(4) count; ok henning@ deraadt@ | Otto Moerbeek
2006-12-14 | in "BAD/loose state" messages, also print the packet's original sequence number, it can differ from the sequence number being tested (for packets without payload), and both matter in explaining why a packet mismatched. | Daniel Hartmeier
2006-12-13 | wrap ipv6 portion with #ifdef INET6. from cmetz | Jun-ichiro itojun Hagino
2006-12-13 | use IN6_IS_SCOPE_EMBED to check kernel-internal form addresses (s6_addr16[1] filled) ok dhartmei | Jun-ichiro itojun Hagino
2006-12-13 | IPv6 passive OS fingerprinting. reuses IPv4 signature file (assuming that TCP code is shared among IPv4/v6). mcbride ok. | Jun-ichiro itojun Hagino
2006-12-12 | ansify the enc code ok otto@ | Reyk Floeter
2006-12-11 | refer to the RSTP point to point option as "PTP" instead of "P2P". P2P is commonly used in relation to peer to peer networks, PTP is used in various protocols for layer 2 point to point links (ie., full duplex ethernet links). note that the newly added brconfig commands [-]p2p and [-]autop2p will change to [-]ptp and [-]autoptp. suggested by Andrew Thompson (thompsa@freebsd.org) | Reyk Floeter
2006-12-07 | use LINK_STATE_IS_UP(ifp0->if_link_state) instead of ifp0->if_link_state == LINK_STATE_UP to handle the new half/full duplex link states. i forgot to commit these snippets before. ok jsg@ | Reyk Floeter
2006-12-06 | Missing newline in printf. ok canacar@ | Bernd Ahlers
2006-12-03 | Add Rapid Spanning Tree Protocol support (802.1d-2004) based on work by Andrew Thompson (thompsa@freebsd.org). The local changes include adoption to our bridge code, reduced stack usage and many other bits. If stp is enabled, RSTP will now be used by default. Thanks for help from Andrew. This code has been in snaps for a while now, commit encouraged by deraadt@ | Reyk Floeter
2006-11-30 | no need for #if NPF > 0 inside #if NPF > 0 From: Genadijus Paleckis <lsd@nnt.lt> but the really bad description of the diff made this way more complicated than needed. pls plz, when sending in diffs, describe properly what they do and why! | Henning Brauer
2006-11-28 | add additional link states to report the half duplex / full duplex state, if known by the driver. this is required to check the full duplex state without depending on the ifmedia ioctl which can't be called in the kernel without process context. ok henning@, brad@ | Reyk Floeter
2006-11-24 | Check the reference count for interface addresses when detaching an interface. Fixes a double free panic. ok claudio@, looks fine henning@ | Can Erkin Acar
2006-11-24 | add support to tag ipsec traffic belonging to specific IKE-initiated phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples. this is work in progress and still needs some testing and feedback, but it is safe to put it in now. ok hshoexer@ | Reyk Floeter
2006-11-24 | never call an ioctl without process context! this diff checks the ifp->if_link_state instead of calling the ifmedia ioctl. this is safe in timeouts without process context and allows to use bridge stp with usb ethernet devices now. figured out and tested by Stuart Henderson, closes pr 5304. | Reyk Floeter
2006-11-20 | ioctl to explicitly remove source tracking nodes, diff from Berk D. Demir <bdd@mindcast.org> ok henning dhartmei | Ryan Thomas McBride
2006-11-16 | conditional for appending the pf mbuf tag in pf_test/pf_test6 was wrong, we need to do so whenever we do have a (pf) tag != 0 on the state OR (that part was missing) when rtableid on the rule is nonzero. problem noticed by Andreas Lundin <lunde@dreamhosted.se> testing the multiple routing tables enabling diff, ok mcbride | Henning Brauer
2006-11-16 | no need to always attach pfsync0 any more. ok mpf mcbride | Henning Brauer
2006-11-16 | introduce if_creategroup() to create an empty interface group. code factored out from if_addgroup(), previously a group always had to have members. ok mpf mcbride | Henning Brauer
2006-11-16 | knf | Jun-ichiro itojun Hagino
2006-11-10 | Fix an mbuf leak in an error path. OK brad@ | Claudio Jeker
2006-11-01 | Attach pfsync0 and pflog0 by default like they used to, /etc/rc depends on them being there. diff & ok deraadt | Ryan Thomas McBride
2006-11-01 | poll errors should be POLLERR, not some random E value from alexandre ratchov. ok claudio | Ted Unangst
2006-11-01 | remove redundant null check, ok ryan | Henning Brauer
2006-10-31 | slightly improve consistency and readability, no functional change | Henning Brauer
2006-10-31 | in pfsync_update_tdb, when there is no pfsync interface, we must return without trying to free the (in that case nonexistent) tdb mbuf. found out the hard way by pedro | Henning Brauer
2006-10-31 | hard to believe people still manage to commit non-compiling code once in a while | Theo de Raadt
2006-10-31 | make pfsync a clonable too, but prevent more than one instance from being created for now - much more work would be required to change that. input & ok ryan | Henning Brauer