| Age | Commit message (Collapse) | Author |
|---|
|
OK benno@
|
|
ok mikeb@, henning@
|
|
not getting assigned to rules like they should cos pfsync_in_upd() wasnt
passing the PFSYNC_SI_CKSUM flag along to pfsync_state_import.
found and fixed by pedro
|
|
|
|
of the IPL_NET. pf_test should be no longer called under IPL_NET as
well. The problem became evident after the related issue was brought
up by David Hill <dhill at mindcry ! org>.
With input from and OK mpi. Tested by David and me.
|
|
Start the expire counter when the queue is created by the first
fragment and drop it if the packet could not be reassembled within
60 seconds.
Reported by Antonios Atlasis; OK henning@ deraadt@
|
|
|
|
to only include what is really needed. In particular stop including
a "struct ifnet" and move kernel-only definition into the proper #if
dance.
While here remove the unused spppinfo() from ifconfig.
ok guenther@, sthen@, mikeb@
|
|
ok benno@
|
|
While here, fix pf table displays to fit within 80 chars.
Manpage input jmc@
ok henning@ reyk@
|
|
change for pf, but that's fine at this time. You'll need to rebuild
pf userland after updating your kernel.
change to 'since' member ok henning@
rest ok henning@ deraadt@
|
|
ok mpi@ deraadt@
|
|
an ABI change involved.
|
|
type**, so no ABI change.
ok henning@ deraadt@
** ...yet
|
|
under some circumstances repair broken checksums on the way.
ok ryan naddy mikeb
.
redo most of the protocol (tcp/udp/...) checksum handling
-assume we have hardware checksum offloading. stop mucking with the
checksum in most of the stack
-stop checksum mucking in pf, just set a "needs checksumming" flag if needed
-in all output pathes, very late, if we figure out the outbound interface
doesn't have hw cksum offloading, do the cksum in software. this especially
makes the bridge path behave like a regular output path
-little special casing for bridge still required until the broadcast path
loses its disgusting shortcut hacks, but at least it's in one place now
and not all over the stack
in6_proto_cksum_out mostly written by krw@
started at k2k11 in iceland more than 1.5 years ago - yes it took that
long, this stuff is everything but easy.
this happens to fix the infamous pf rdr bug that made us turn off proto
cksum offloading on almost all interface drivers.
|
|
Fixes an issue seen by reyk@
ok henning@ reyk@
|
|
stuff to userland, especially the "struct ifnet".
ok sthen@, henning@, uebayasi@
|
|
to the global list, until the issue with carp is addressed.
|
|
Reported by naddy@
|
|
structure rather than doing various M_WAITOK allocations during
the *attach() functions, we always rely on them anyway.
ok mikeb@, uebayasi@
|
|
succeed, and it's always called in sleepable context.
OK mikeb@ yasuoka@
|
|
IPv4 addresses consistently from the global list and tree, in.c r1.78
ok bluhm@, mikeb@
|
|
additional length check in pf_modulate_sack() and pf_normalize_mss().
Overflow cannot happen due to the restricted values in the length
calculation. As this is not obvious, be better safe than sorry.
OK henning@
|
|
assign with = and compare with == . This way the compiler will
check deeper wether the cast is correct. Alignment is fine,
tested on sparc64.
OK claudio@
|
|
No functional change. From David Hill; OK claudio@
|
|
ok otto
|
|
counters.
ok guenther, feedback jmc
|
|
No binary change. OK henning@
|
|
ok sha256
|
|
ok deraadt@
|
|
udp and the default case are 100% identical, tcp does a little more, but
that is easier to add w/ two "if tcp" blocks in the default case, so the
udp and tcp cases die. ok bluhm
|
|
the _icmp variant stays because it is completely different.
factor out the synproxy code into a new pf_synproxy() for readability.
pf_setup_pdesc sets us up with access to ports, cksum etc in a protocol
independent matter, so we don't need many protocol switches here.
tcp and udp were almost identical, the _other case changes significantly -
not too unlikely this fixes a subtle bug or two in that case.
ok ryan benno bluhm mikeb
|
|
it up in pf_setup_pdesc(). ok ryan benno mikeb bluhm
|
|
just return after being done with the address. ok bluhm ryan mikeb
|
|
was only done when a packet traveled up the stack from pf to
tcp_input(). Now also link the state and inpcb when the packet is
going down from tcp_output() to pf. As a consequence, divert-reply
states where the initial SYN does not get an answer, can be handled
more correctly.
This change is part of a larger diff that has been backed out in
2011. Bring the feature back in small steps to see when bad things
start to happen.
OK henning deraadt
|
|
regression introduced with pf.c 1.827 and allows us to create icmp
states again.
OK henning@
|
|
uses it. that is so incedibly wrong...
sorry for the breakage, folks. found by tedu, SMSing me out of my breakfast
bob
|
|
compiler that source and destination are not overlapping, allowing for more
aggressive optimization, leading to a significant performance improvement
on busy firewalls. Reworking of a diff by dlg@, who did the hard work of
benchmarking this.
ok deraadt@, mikeb@, henning@, mcbride@, tedu@, matthew@
|
|
we stepped into a child anchor.
simplify the logic, get rid of the match flag in the anchor stack, just
use the match variable we already had (and used in a boolean style) to track
the nest level we had a match at. when a child anchor had a match we also
have a match in the current anchor, so update the match level accordingly,
and thus correctly honour the quick flag.
reported by, along with the right idea on how to fix this, by Sean Gallagher
\sean at teletech.com.au/, who also helped testing the fix. ok ryan & benno
|
|
of late in pf_test_rule - need that for upcoming changes. ok ryan
|
|
these days, so:
-move the prototypes from pfvar.h to pf.c
-remove the now useless null point checks for *match, it is always provided
ok ryan
|
|
inspired by benno@'s previous diff for nat-to
tests/ok benno@
|
|
unconditionally for SIOCSIFADDR.
ok bluhm@, henning@
|
|
ok florian@ henning@
|
|
IFF_LINK0 flag has been added; from form, ok deraadt claudio
|
|
Discovered & fix tested by Peter J Philip.
ok claudio@ blambert@
|
|
Thanks to Brian Poole <pooleb @ gmail ! com> for noticing this.
|
|
jumbo/baby-jumbo frames. To avoid problems with mismatches between trunkports,
any additional ports must have the same MTU as already set on the trunk(4).
Based on changes made in FreeBSD. Tested by myself and jj@, ok reyk@
|
|
key we need to sync our state key pointers with whatever values
the function will pick. Not doing so will produce wrong results
if address translation must be applied afterwards and we happen
to have a state key collision. Then pf_translate will follow an
old pointer and punch in garbage addresses into the packet.
Noticed, initial patch and tests by Vitaly Sinilin <vs @ kp4 ! ru>
ok tedu, henning
|
|
Report that this is needed for some netflow collector and tests by
Chris Ivancic & Colin Ligertwood.
OK mikeb@, benno@
|
