| Age | Commit message (Collapse) | Author |
|---|
|
Bug report and testing from Otto Bretz.
ok henning@
|
|
|
|
- Mechanical change: Use arrays for state key pointers in pf_state, and
addr/port in pf_state_key, to allow the use of indexes.
- Fix NAT, pfsync, pfctl, and tcpdump to handle the new state structures.
In struct pfsync_state, both state keys are included even when identical.
- Also fix some bugs discovered in the existing code during testing.
(in particular, "block return" for TCP packets was not returning an RST)
ok henning beck deraadt
tested by otto dlg beck laurent
Special thanks to users Manuel Pata and Emilio Perea who did enough testing
to actually find some bugs.
|
|
complete the split off of the layer 3/4 adressing information from the extra
information in the actual state. a state key holds a list of states, and a
state points to two state keys - they're only different in the NAT case.
More specificially, it deprecates the (often difficult to understand)
concept of lan, ext, and gwy addresses, replacing them with WIRE and
STACK side address tuples. (af, proto, saddr, daddr, sport, dport).
Concept first brought up some years ago on a ferry ride in bc by ryan and
me, I spent some time over the last year getting closer, and finally
got it completed in japan with ryan. dlg also took part, helped a lot,
and saved us 8 bytes.
This commit removes support for any kind of NAT as well as pfsync.
It also paves the road for some code simplification and some very cool
future stuff.
ok ryan beck, tested by many
|
|
get hung in nfs_reconnect() because they do not have the proper
privilages to bind to a socket, by adding a struct proc * argument
to sobind() (and the *_usrreq() routines, and finally in{6}_pcbbind)
and do the sobind() with proc0 in nfs_connect.
OK markus@, blambert@.
"go ahead" deraadt@.
Fixes an issue reported by bernd@ (Tested by bernd@).
Fixes PR5135 too.
|
|
(timeout_add()) anyway.
ok brad claudio
|
|
unscheduled/already triggered timeouts.
ok brad claudio
|
|
|
|
Prevents hangs as reported and tested by James Stark, PR:5795, ok henning@
|
|
|
|
ok dlg@
|
|
From NetBSD
ok canacar@
|
|
they point to the same address, this is more readable. ok claudio@
|
|
|
|
OK henning@
|
|
Fix printing of the state id in pfctl -ss -vv.
Remove the psnk_af hack to return the number of killed states.
OK markus, beck. "I like it" henning, deraadt.
Manpage help from jmc.
|
|
mpls its own bit in netisr instead of accidentally sharing one with tx
mit.
"do it" claudio@
|
|
specific routes. OK henning@
|
|
claudio ok
|
|
makes transparent proxies much easier; ok beck@, feedback claudio@
|
|
No need to preload the arp table anymore. hai norby@
|
|
|
|
shows that 3 developers screwed this up. look carefully at this diff
and learn how to avoid wasting memory. on a 64 bit architecture, each
of these was using 40 bytes instead of 32.
ok henning
|
|
splnet.
The DLT_MPLS will not go away and will be used for display in tcpdump -y
mpls when the code is there, as suggested by reyk.
|
|
MPLS. Still a bit hackish but getting closer. hai norby@
|
|
ok claudio@
|
|
calls to ifp->if_start to if_start(). these are the obviously right cases
where we can do that, the less obvious ones may follow as theyre figured
out.
deraadt@ said to go for it
|
|
Makes it possible to do evil tricks locally.
ok claudio@
|
|
|
|
no consumers yet, they should come soon.
ok norby@
|
|
Make the mtu user definable.
ok claudio@
|
|
|
|
While there bump MTU to 1500 and set the receiving interface before
calling mpls_input. mpestart will eventually call mpls_output when it
exists.
``yaaaaayyy'' and ok claudio@ and norby@
|
|
|
|
|
|
Also move the sampling into ether_input() where it can happen
at the interrupt and not within splnet() processing, which might
be less random. Discussed with mickey.
OK markus@, mcbride@
|
|
and the one route with the lowest number wins. This will be used by the
routing daemons to resolve the synchronisations issue in case of conflicts.
The nasty bits of this are in the multipath code. If no priority is specified
the kernel will choose an appropriate priority.
Looked at by a few people at n2k8 code is much older
|
|
seen by krw. This is a prerequisite for upcomming routing priorities:
Always compare the nexthop if one is specified even if it is a non-multipath
route. This mostly affects "route delete" and it will not remove the last
route if previous delete is redone. OK henning@
|
|
route MTU to the interface MTU. By default if no route MTU is set it will
fall back to the interface MTU anyway. OK henning@
|
|
in progress and some bits need to be cleaned up but will be in-tree for
convenience.
ok claudio@, norby@
|
|
ok henning@
|
|
using M_PREPEND checks for NULL after the invocation. So check
here too and return ENOBUFS if NULL is detected.
ok henning@
|
|
It shows up in pfctl verbose mode and in the 7th field of the labels
output. Also remove the label printing for scrub rules, as they
do not support labels.
OK dhartmei@ (on an earlier version), henning@, mcbride@
|
|
ok kettenis@
|
|
|
|
before returning rt_tables[id][af2rtafidx[af]. when you created tables
and left a hole (0 and 2 exist, 1 does not) it is possible to hit that
case. issue found & ok claudio
|
|
when it is in fact only used to delete the state key when the number of
attached states (in a tailq) drops to zero, we can as well test for the
queue beeing empty.
this is a leftover from some early version that did things differently.
ok ryan
|
|
|
|
it by reading the queues head pointer. if that pointer is not null
then it takes splnet and dequeues a packet for handling. this is
bad because the ifqueue head is modified at splnet and the sofnet
handlers read it without holding splnet.
this removes that check of the head pointer and simply checks if
the dequeue gave us a packet or not before proceeding.
found while reading mpls code.
discussed with norby@ and henning@
ok mcbride@ henning@
|
|
MPLS support partly based on the (abandoned?) AYAME project.
Basic LSR (Label Switch Router) functionality is present, but not fully
functional yet.
It is currently possible to insert entries in the LIB (Label Information Base)
with route(8), but setting the operation type is not supported yet.
Imported to allow more people to work on this in the coming weeks.
ok claudio@ laurent@ dlg@
|
