src - OpenBSD base system

Age	Commit message (Collapse)	Author
2002-12-12	Pastos in pf_compare_pool(); dhartmei@, mcbride@ ok.	Aaron Campbell

2002-12-12	minor KNF	Henning Brauer

2002-12-11	Use m_copym2 to copy the whole mbuf (cluster included) and not	Federico G. Schwindt
	incrementing its reference. Fixes a m_zero panic reported by markus@ when pfdatatopacket returns a cluster. Tested by markus@, jason@ ok.
2002-12-11	unpee	Michael Shalayeff

2002-12-10	renumber the get/set debug ioctls for they conflict w/ ppp, we do not keep ↵	Michael Shalayeff
	the O versions since these are debugging only and should not affect normal functionality; deraadt@ ok
2002-12-10	check IFF_RUNNING early in bstp_transmit_tcn; from netbsd; ok jason@	Markus Friedl

2002-12-09	NPF, not NFP (prevented outgoing bridge_ipsec() packets from being ↵	Jason Wright
	filtered); Darren Reed <avalon@coombs.anu.edu.au>
2002-12-09	knf	Theo de Raadt

2002-12-09	allow setting of ifcost with brconfig. enables selection of preferred	Markus Friedl
	port/path to root bridge among several LANs. unlike ifpriority, which allows you to select designated port if serveral interfaces belong to the same LAN; ok jason@
2002-12-06	Replace license with something that's actually free.	Nathan Binkert
	Approved by original author. Julian.Onions@nexor.co.uk
2002-12-06	Introduce anchors and named rule sets, allowing to load additional rule	Daniel Hartmeier
	sets with pfctl and evaluate them from the main rule set using a new type of rule (which will support conditional evaluation soon). Makes maintenance of sub-rulesets simpler for pfctl and daemons. Idea and ok deraadt@
2002-12-04	spanning tree: flush dynamic mac cache if interface goes to the	Markus Friedl
	blocking or disabled state. send packets only if interface is the forwarding state; comment from netbsd; with and ok jason@
2002-12-03	no need to mh_align (while it's wrong), cleaner mtu setting; dhartmei@ ok	Michael Shalayeff

2002-12-01	KNF	Henning Brauer

2002-12-01	- Clean up pf_ioctl mainly by adding new functions to handle cleaning and	Ryan Thomas McBride
	freeing rules. Fixes a number of potential memory leaks and other bugs. - Add new pool_ticket to insure that address pools don't get messed with by someone else while we add rules. - Add a second address pool buffer, so that DIOCCHANGE* operations which use pf_compare* will work correctly. Excellent bug report and anaylsis from DJ Gregor. ok dhartmei@ henning@
2002-12-01	pfsync currently causes kernel faults, so we don't want to call these functions	Ryan Thomas McBride
	ok dhartmei@
2002-11-29	minor KNF	Henning Brauer

2002-11-29	expose state table changes	Michael Shalayeff

2002-11-29	Get the address pool in DIOCCHANGEADDR for all operations, prevents	Ryan Thomas McBride
	PF_CHANGE_REMOVE from dereferencing a NULL pointer. Noticed by dhartmei@ ok dhartmei@
2002-11-28	- MD5 too slow, replace with pf_hash (based on hash from if_bridge.c)	Ryan Thomas McBride
	- Always fold the key in Many fixes & suggestions from camield@ ok mickey@ camield@ henning@
2002-11-26	Call the enable function, don't set the variable directly.	Jason Wright

2002-11-26	pass struct pfioc_changeaddr to DIOCCHANGEADDR	Ryan Thomas McBride
	rather than struct pfioc_pooladdr an obvious fix from dhartmei@
2002-11-26	1000baseTX -> 1000baseT	Nathan Binkert
	- More technically correct - Matches FreeBSD and NetBSD - Preserved #define for 1000baseTX for backwards compatibility ok jason@
2002-11-26	fix "pfctl -Fq".	Kenjiro Cho
	after altq gets flushed, altq forgot that it was enabled since altq is actually detached with an empty ruleset. so, add a variable, pfaltq_running, to remember the running state and re-enable altq when a new ruleset is loaded. noticed, tested, and oked by henning@
2002-11-24	move } outside #ifdef INET6	Ryan Thomas McBride
	unbreaks compiling kernel without IPv6 support. how embarassing, spotted by Chris Kuethe
2002-11-23	KNF	Theo de Raadt

2002-11-23	pass a pointer to the hash, not the first chunk of it	Ryan Thomas McBride

2002-11-23	kernel code to allow multiple redirection addresses to be specified for nat	Ryan Thomas McBride
	and rdr, as well as route-to, dup-to and reply-to. Addresses can be allocated in a number of ways: - masking out the network portion of the address and replacing it - randomly assigning an address in the block - hashing the source address and a key to determine the redirection address - iterating through the addresses sequentially (this is the only allocation scheme which works when a list of addresses is specified) ok dhartmei@ henning@
2002-11-22	on block rules, let queue apply to the RST packets in the return-rst case	Henning Brauer
	and the returned icmp packets in the return-icmp case ok dhartmei@
2002-11-20	KNF	Theo de Raadt

2002-11-12	Missing splx.	Mike Pechkin
	dhartmei@ ok
2002-11-07	Short-circuit evaluation can leave invalid pointers, closes PR2874.	Daniel Hartmeier

2002-11-02	Compare dynamic addresses correctly in pf_compare_*: check the interface name	Ryan Thomas McBride
	rather than the ip address if it exists. ok dhartmei@ henning@
2002-11-02	Make PF_ANEQ(), PF_ANEQ() and PF_AZERO() check the whole address if af	Ryan Thomas McBride
	is not set to AF_INET6 or AF_INET ok dhartmei@ henning@
2002-10-29	keep all pflog goodies in pflog sources, avoids code duplications; okski ↵	Michael Shalayeff
	frantzen@ and dhartmei@
2002-10-25	Compare pf_rule->label in pf_compare_rules(), too.	Daniel Hartmeier
	Found by DJ Gregor.
2002-10-22	Convert "int af" and "u_int8_t af" declarations and function arguments	Ryan Thomas McBride
	to the more correct and descriptive "sa_family_t af" ok dhartmei@ henning@
2002-10-22	check the correct return value from ifunit()	Ryan Thomas McBride
	(returns ifp, not ifname) ok dhartmei@ ish@ camield@ henning@
2002-10-20	Move pf_compare_(rules\|nats\|binats\|rdrs) to pf_ioctl.c. Simplifies and	Ryan Thomas McBride
	reduces cross-file dependancies. ok dhartmei@ ish@ henning@
2002-10-14	Allow one to specify a netblock in a binat rule:	Henning Brauer
	binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27 Both the network mask on the source and redirect addresses MUST be the same, and it works by essentially combining the network section of the redirect address with the host section of the source address. from ryan ok dhartmei@
2002-10-10	Missing m_pullup() and mbuf corruption. This potentially caused	Daniel Hartmeier
	panic: m_copym0: m == 0 and not COPYALL and/or panic: m_copydata: null muf on bridges running pf with scrubbing enabled. Bug report, test vector and confirmation by Jon Morby. ok jason@, jasoni@
2002-10-10	padd pf_state; dhartmei@ ok	Michael Shalayeff

2002-10-08	the first step of pf/altq merge.	Kenjiro Cho
	this commit is to allow further development in both userland and kernel. the goal is to replace altq's classifier by pf(4). - make pf tag a queue id to mbuf and make altq read the queue id - merge altq config into pf.conf(5) ok dhartmei@, henning@
2002-10-07	-Wsign-compare clean	Daniel Hartmeier

2002-10-07	set block-policy [drop\|return]	Henning Brauer
	drop is default, same behaviour as before support block drop to override a return policy
2002-10-07	support a generic return	Henning Brauer
	block return in\|out ... acts like return-rst on tcp, like return-icmp on udp and like an ordinary block on anything else ok dhartmei@
2002-10-07	make return-icmp work for rules covering both v4 and v6	Henning Brauer
	-new field "return_icmp6" in pf_rule -parser accepts block return-icmp(ipv4-icmpcode, ipv6-icmpcode) ok and some input dhartmei@
2002-10-07	use a new rule_flag PFRULE_RETURNICMP to decide wether to return-icmp or not	Henning Brauer
	instead of just testing return_icmp > 0 ok dhartmei@
2002-10-07	Add 'reply-to' to filter rules, similar to route-to, but applying to	Daniel Hartmeier
	replies (packets that flow in the opposite direction of the packet that created state), used for symmetric routing enforcement. Document how route-to and reply-to work in context of stateful filtering.
2002-10-05	Allow filtering based on IP header's tos field.	Daniel Hartmeier