Age | Commit message (Collapse) | Author |
|
ok henning
|
|
key1->reverse = key2; and key2->reverse = key1;
ok ryan
|
|
to not hurt performance while passing the 20 args (sigh)
ok theo ryan, ok + feedback jsing
|
|
impossible that m is NULL here since all callers dereference it
unconditionally beforehand, and finding state without an mbuf doesn't
make sense in the first place
|
|
in the header so it cannot get used again in case of somewhat weird
reflection + mbuf-reuse-without-pkthdr-clearing cases. it looks like
gif falls into the latter category.
discussed with and ok theo
|
|
1) only set the state key in the mbuf header in the inbound case
2) only use it in the outbound case
discussed with and ok theo
|
|
|
|
header inbound. on the outbound side, we take that and look for the key
that is the exact opposite, and store that mapping in the state key. on
subsequent packets we don't have to do the lookup on outbound any more.
almost unable to get real benchmarks going here, we know for sure this
gives a more than 5% increase in forwarding performance.
many thanks to ckuethe for stress- and performance-testing.
ok ryan theo
|
|
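The reverse-key cache described in the two commits above (the inbound path stashes the matched state key in the packet header, the outbound path resolves the exactly opposite tuple once and links the pair with key1->reverse = key2; key2->reverse = key1), as an added toy model in C. This is not OpenBSD's pf code: the pfk_* names, the hash table, the header field and the demo flow are all assumptions made here for illustration.

```c
/* Added example, not OpenBSD pf code: toy model of the inbound/outbound
 * state-key lookup cache described above. All pfk_* names are made up. */
#include <stdint.h>
#include <string.h>

#define NBUCKETS 64

struct pfk_key {             /* (af, proto, saddr, daddr, sport, dport) */
	uint8_t af, proto;
	uint32_t saddr, daddr;   /* IPv4 only in this toy */
	uint16_t sport, dport;
};

struct pfk_state_key {
	struct pfk_key k;
	struct pfk_state_key *reverse;   /* cached opposite-direction key */
	struct pfk_state_key *next;      /* hash chain */
};

struct pfk_pkthdr {
	struct pfk_state_key *statekey;  /* set inbound, consumed outbound */
};

static struct pfk_state_key *table[NBUCKETS];
static unsigned long nlookups;           /* hash lookups performed */

static unsigned
pfk_hash(const struct pfk_key *k)
{
	uint32_t h = (k->af * 31u + k->proto) * 31u + k->saddr;
	return (((h * 31u + k->daddr) * 31u + k->sport) * 31u + k->dport) % NBUCKETS;
}

static int
pfk_key_equal(const struct pfk_key *a, const struct pfk_key *b)
{
	return a->af == b->af && a->proto == b->proto && a->saddr == b->saddr &&
	    a->daddr == b->daddr && a->sport == b->sport && a->dport == b->dport;
}

static struct pfk_state_key *
pfk_lookup(const struct pfk_key *k)
{
	struct pfk_state_key *sk;
	nlookups++;
	for (sk = table[pfk_hash(k)]; sk != NULL; sk = sk->next)
		if (pfk_key_equal(&sk->k, k))
			return sk;
	return NULL;
}

static void
pfk_insert(struct pfk_state_key *sk)
{
	unsigned b = pfk_hash(&sk->k);
	sk->reverse = NULL;
	sk->next = table[b];
	table[b] = sk;
}

/* The exact opposite of k: addresses and ports swapped. */
static struct pfk_key
pfk_reverse_key(const struct pfk_key *k)
{
	struct pfk_key r = { k->af, k->proto, k->daddr, k->saddr, k->dport, k->sport };
	return r;
}

/* Inbound: one hash lookup, result stashed in the packet header. */
static struct pfk_state_key *
pfk_test_inbound(struct pfk_pkthdr *m, const struct pfk_key *k)
{
	return m->statekey = pfk_lookup(k);
}

/* Outbound: use the stashed key. First time, resolve the reversed tuple by
 * hashing and link both keys via ->reverse; later packets skip the lookup.
 * The header field is cleared so a reused mbuf cannot carry a stale key. */
static struct pfk_state_key *
pfk_test_outbound(struct pfk_pkthdr *m, const struct pfk_key *k)
{
	struct pfk_state_key *in = m->statekey, *out;
	m->statekey = NULL;
	if (in == NULL)
		return pfk_lookup(k);      /* e.g. locally generated packet */
	if (in->reverse == NULL) {
		struct pfk_key rk = pfk_reverse_key(&in->k);
		if ((out = pfk_lookup(&rk)) == NULL)
			return NULL;
		in->reverse = out;
		out->reverse = in;
	}
	out = in->reverse;
	return pfk_key_equal(&out->k, k) ? out : NULL;   /* sanity check */
}

/* Constructed demo flow: 10.0.0.1:40000 -> 192.0.2.10:80, TCP. */
static const struct pfk_key demo_in = { 4, 6, 0x0a000001u, 0xc000020au, 40000, 80 };
static struct pfk_state_key demo_wire, demo_stack;

/* Forward npkts packets inbound then outbound; return the hash lookups that
 * took: 2 for the first packet, then 1 per packet. (unsigned long)-1 on error. */
static unsigned long
pfk_demo(int npkts)
{
	struct pfk_key out_k = pfk_reverse_key(&demo_in);
	struct pfk_pkthdr m = { NULL };
	int i;
	memset(table, 0, sizeof(table));
	nlookups = 0;
	demo_wire.k = demo_in;
	demo_stack.k = out_k;
	pfk_insert(&demo_wire);
	pfk_insert(&demo_stack);
	for (i = 0; i < npkts; i++)
		if (pfk_test_inbound(&m, &demo_in) != &demo_wire ||
		    pfk_test_outbound(&m, &out_k) != &demo_stack || m.statekey != NULL)
			return (unsigned long)-1;
	return nlookups;
}
```

The count returned by pfk_demo shows the effect the commit measured: only the first packet of a flow pays for two hash lookups, every later one pays for the inbound lookup alone, and the outbound side also verifies the cached key against the packet before trusting it.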
bidirectional FIN/ACK+ACK handshake.
ok henning@
|
|
ok mpf henning
|
|
|
|
connection. If there is an ACK after the initial SYN without ever
seeing a packet from the destination, set the connection to
established.
ok henning@
|
|
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.
This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.
ok henning mpf deraadt
|
|
the tailq instead of the rb tree. pt out by kjell some time ago, ok ryan
|
|
place
|
|
into one 8 bit flags field.
shrinks the state structure by 4 bytes on 32bit archs
ryan ok
|
|
do not verify the sequence number against the state if the state is sloppy
and thus doesn't have that information.
independently pointed out by frantzen and ryan, ok ryan
|
|
numbers at all. scary consequences; only to be used in very specific
situations where you don't see all packets of a connection, e.g.
asymmetric routing. ok ryan reyk theo
|
|
ok deraadt@
|
|
ok mcbride
|
|
OK henning@
|
|
rtrequest1() everywhere now. OK henning@
|
|
full mbuf chain is being freed.
ok reyk@
|
|
almost nobody ran into that because it is ipv6 only
|
|
OK canacar@ some time ago
|
|
Bug report and testing from Otto Bretz.
ok henning@
|
|
|
|
- Mechanical change: Use arrays for state key pointers in pf_state, and
addr/port in pf_state_key, to allow the use of indexes.
- Fix NAT, pfsync, pfctl, and tcpdump to handle the new state structures.
In struct pfsync_state, both state keys are included even when identical.
- Also fix some bugs discovered in the existing code during testing.
(in particular, "block return" for TCP packets was not returning an RST)
ok henning beck deraadt
tested by otto dlg beck laurent
Special thanks to users Manuel Pata and Emilio Perea who did enough testing
to actually find some bugs.
|
|
complete the split off of the layer 3/4 addressing information from the extra
information in the actual state. a state key holds a list of states, and a
state points to two state keys - they're only different in the NAT case.
More specifically, it deprecates the (often difficult to understand)
concept of lan, ext, and gwy addresses, replacing them with WIRE and
STACK side address tuples. (af, proto, saddr, daddr, sport, dport).
Concept first brought up some years ago on a ferry ride in bc by ryan and
me, I spent some time over the last year getting closer, and finally
got it completed in japan with ryan. dlg also took part, helped a lot,
and saved us 8 bytes.
This commit removes support for any kind of NAT as well as pfsync.
It also paves the road for some code simplification and some very cool
future stuff.
ok ryan beck, tested by many
|
|
get hung in nfs_reconnect() because they do not have the proper
privileges to bind to a socket, by adding a struct proc * argument
to sobind() (and the *_usrreq() routines, and finally in{6}_pcbbind)
and do the sobind() with proc0 in nfs_connect.
OK markus@, blambert@.
"go ahead" deraadt@.
Fixes an issue reported by bernd@ (Tested by bernd@).
Fixes PR5135 too.
|
|
(timeout_add()) anyway.
ok brad claudio
|
|
unscheduled/already triggered timeouts.
ok brad claudio
|
|
|
|
Prevents hangs as reported and tested by James Stark, PR:5795, ok henning@
|
|
|
|
ok dlg@
|
|
From NetBSD
ok canacar@
|
|
they point to the same address, this is more readable. ok claudio@
|
|
|
|
OK henning@
|
|
Fix printing of the state id in pfctl -ss -vv.
Remove the psnk_af hack to return the number of killed states.
OK markus, beck. "I like it" henning, deraadt.
Manpage help from jmc.
|
|
mpls its own bit in netisr instead of accidentally sharing one with tx
mit.
"do it" claudio@
|
|
specific routes. OK henning@
|
|
claudio ok
|
|
makes transparent proxies much easier; ok beck@, feedback claudio@
|
|
No need to preload the arp table anymore. hai norby@
|
|
|
|
shows that 3 developers screwed this up. look carefully at this diff
and learn how to avoid wasting memory. on a 64 bit architecture, each
of these was using 40 bytes instead of 32.
ok henning
|
|
splnet.
The DLT_MPLS will not go away and will be used for display in tcpdump -y
mpls when the code is there, as suggested by reyk.
|
|
MPLS. Still a bit hackish but getting closer. hai norby@
|