Age | Commit message (Collapse) | Author | |
---|---|---|---|
2001-09-14 | binat non icmp/udp/tcp protocols as well; ok dhartmei@ | jasoni | |
2001-09-11 | Undo BINAT translation when blocking with return-rst/-icmp. | Daniel Hartmeier | |
Translate at most once. From Ryan McBride. | |||
2001-09-08 | initialize variable and more careful bounts checking; okay frantzen@ | Niels Provos | |
2001-09-06 | Reflect skip step changes. Spotted by Ryan McBride. | Daniel Hartmeier | |
2001-09-06 | 1:1 bidrectional NAT (binat); ok dhartmei@ and frantzen@ | jasoni | |
2001-09-05 | Handle uh_sum == 0x0000 correctly. Before, UDP packet checksums were | Daniel Hartmeier | |
broken by NAT/RDR when unset by the sender. Fixes ntpdate behind NAT. | |||
2001-09-05 | s/pf_natlook/pfioc_natlook (ioctl parameter struct) | Daniel Hartmeier | |
2001-09-04 | Add skip steps for interface (ifp). | Daniel Hartmeier | |
2001-09-04 | #define empty PFLOG_PACKET correctly (no side effects). Closes PR2044. | Daniel Hartmeier | |
From Claus Assmann. | |||
2001-09-01 | Inherit baudrate from parent. Now MRTG will show vlan interfaces ;) | Chris Cappuccio | |
2001-08-31 | Forgot to commit frag expire tuning before | Mike Frantzen | |
Check for a short ip_hl. Could have caused proto headers to overlap IP header. | |||
2001-08-28 | Add new ioctls to securelevel check, from Can Erkin Acar | Daniel Hartmeier | |
<canacar@eee.metu.edu.tr> | |||
2001-08-28 | Bump state timeouts and allow tweaking them from pfctl. | Mike Frantzen | |
(The state timeouts need some _serious_ tuning) | |||
2001-08-26 | 2nd uninitialized variable that bit me today | Niklas Hallqvist | |
2001-08-25 | PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation. | Mike Frantzen | |
2001-08-22 | Correct the setup of the intial TCP state window and pre-validate th_ack | Mike Frantzen | |
on an FIN|ACK close if the client has never responded. | |||
2001-08-22 | Fix panic in pf (was my fault) caused by a bad key compare optimization | Mike Frantzen | |
Add debug output to track loose state matches | |||
2001-08-21 | KNF | Theo de Raadt | |
2001-08-21 | cut/pasto in rule flushing code (using wrong list); base on patch from Henk ↵ | Jason Wright | |
van Lingen <henk@vanlingen.net> | |||
2001-08-21 | Add support for SIOCADDMULTI & SIOCDELMULTI; NetBSD | brian | |
2001-08-21 | Pass closing TCP connections through looser state machine (handle Solaris' | Mike Frantzen | |
stupid spurious ACK|FINs after a close) | |||
2001-08-19 | Add new ioctls for adding/removing RDR and NAT rules to/from the active | Daniel Hartmeier | |
rule sets. | |||
2001-08-19 | Quick optimization of pf_tree_key_compare (should half the instruction count) | Mike Frantzen | |
2001-08-19 | Make more money for mickey (count entire IP packets for statistics, not just | Daniel Hartmeier | |
inner data). | |||
2001-08-19 | Yet another batch of improvements and un-fuckups to the TCP state code. | Mike Frantzen | |
Improved the state miss debug messages to cover the new checks. | |||
2001-08-19 | Add per-rule byte counter, so mickey can do accounting. We're counting the | Daniel Hartmeier | |
data part (without IP and TCP/UDP/ICMP headers), like the state counter does. | |||
2001-08-19 | Add per-rule statistics (number of evaluations and number of packets). | Daniel Hartmeier | |
Packets passed statefully will be counted using the rule that created the state. | |||
2001-08-19 | Unfuck some TCP state stuff that would drop the SYN|ACK. | Mike Frantzen | |
Enumerated the TCP states. Here's a mapping new->old tcp states if anyone gives a shit: TCPS_CLOSED 0 TCPS_SYN_SENT 1 TCPS_ESTABLISHED 2 TCPS_CLOSING 3 TCPS_FIN_WAIT_2 4 TCPS_TIME_WAIT 5 | |||
2001-08-19 | compile w/out INET | Jason Wright | |
2001-08-19 | Loosened TCP state code which should allow stupid stacks to shotgun their | Mike Frantzen | |
SYNs and provide better handling for pre-existing connections. | |||
2001-08-18 | Add new ioctl for adding/removing individual rules to/from the active rule set. | Daniel Hartmeier | |
2001-08-18 | make pfctl -s state SCREAM; frantzen is now happy | Theo de Raadt | |
2001-08-12 | now, that kernel compiles, i can go get an ash tray somewhere | Michael Shalayeff | |
2001-08-11 | Add support for ICMP errors referring to ICMP queries/replies. Fixes | Daniel Hartmeier | |
'ICMP error message for bad proto' messages. Reported by Mark Grimes and Steve Rumble. Add debugging level with ioctl interface and pfctl switch. Default is 'None'. | |||
2001-08-05 | Actually, move the check inside the switch. | Angelos D. Keromytis | |
2001-08-05 | Only flush the policies if the message type is UNSPEC. | Angelos D. Keromytis | |
2001-08-03 | Use IFCAP_VLAN_MTU and IFCAP_VLAN_HWTAGGING capabilities: | Chris Cappuccio | |
LINK0 disappears; we now set IFCAP_VLAN_HWTAGGING at ifnet->if_capabilities in the Ethernet driver for cards/drivers which support hardware tagging. MTU ambiguity disppears; we now set IFCAP_VLAN_MTU in the Ethernet driver when we know the chip will not truncate/discard vlan-sized frames. Only allow the MTU to be changed within the scope of the parent interface's MTU. (Here we also take into account IFCAP_VLAN_MTU) Propagate hardware-assisted IP/TCP/UDP checksumming flags to the vlan interface if the card supports hardware tagging (from NetBSD) | |||
2001-08-03 | simplify previous fix (0-length mbuf in mbuf chain). from freebsd | Jun-ichiro itojun Hagino | |
2001-08-02 | do not exit loop even if m_len == 0. it is legal to have an mbuf with | Jun-ichiro itojun Hagino | |
m_len == 0 in mbuf chain. | |||
2001-08-02 | KNF | Theo de Raadt | |
2001-08-01 | stateless tcp normalization along the lines of the normalization paper by | Niels Provos | |
handley, paxon and kreibich; okay deraadt@ | |||
2001-07-30 | never before has a file so often deviated from KNF | Theo de Raadt | |
2001-07-30 | use queue.h macros | Jason Wright | |
2001-07-29 | Implement rule skipping. This is a transparent evaluation optimization, | Daniel Hartmeier | |
which reduces evaluation cost for sorted rules of similar parameters. Preparation for rule duplication for parameter lists from pfctl. | |||
2001-07-27 | PF_IN/PF_OUT aren't defined if NPF <= 0, deal with it. | Jason Wright | |
2001-07-27 | variable name "gif" is way too generic - use "gif_softc". sync with kame | Jun-ichiro itojun Hagino | |
2001-07-25 | nat proxy port randomization by ben fleis. | Daniel Hartmeier | |
2001-07-25 | Make sure pkthdr.rcvif is correct before calling pf_test() | Jason Wright | |
2001-07-25 | - unconditionalize call to bridge_input() (fewer #ifdef's and NPF>0 is ↵ | Jason Wright | |
default case anyway). - add support for filtering on interface output (and call pf_test() appropriately) What all this means: nonstateful and stateful PF filtering now works with the bridge. | |||
2001-07-25 | Initialization of arpcom * based on ifp was too soon: ifp can change as | Jason Wright | |
a result of a call to bridge_input(). |