summaryrefslogtreecommitdiff
path: root/sys/net
AgeCommit message (Collapse)Author
2001-09-14binat non icmp/udp/tcp protocols as well; ok dhartmei@jasoni
2001-09-11Undo BINAT translation when blocking with return-rst/-icmp.Daniel Hartmeier
Translate at most once. From Ryan McBride.
2001-09-08initialize variable and more careful bounts checking; okay frantzen@Niels Provos
2001-09-06Reflect skip step changes. Spotted by Ryan McBride.Daniel Hartmeier
2001-09-061:1 bidrectional NAT (binat); ok dhartmei@ and frantzen@jasoni
2001-09-05Handle uh_sum == 0x0000 correctly. Before, UDP packet checksums wereDaniel Hartmeier
broken by NAT/RDR when unset by the sender. Fixes ntpdate behind NAT.
2001-09-05s/pf_natlook/pfioc_natlook (ioctl parameter struct)Daniel Hartmeier
2001-09-04Add skip steps for interface (ifp).Daniel Hartmeier
2001-09-04#define empty PFLOG_PACKET correctly (no side effects). Closes PR2044.Daniel Hartmeier
From Claus Assmann.
2001-09-01Inherit baudrate from parent. Now MRTG will show vlan interfaces ;)Chris Cappuccio
2001-08-31Forgot to commit frag expire tuning beforeMike Frantzen
Check for a short ip_hl. Could have caused proto headers to overlap IP header.
2001-08-28Add new ioctls to securelevel check, from Can Erkin AcarDaniel Hartmeier
<canacar@eee.metu.edu.tr>
2001-08-28Bump state timeouts and allow tweaking them from pfctl.Mike Frantzen
(The state timeouts need some _serious_ tuning)
2001-08-262nd uninitialized variable that bit me todayNiklas Hallqvist
2001-08-25PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation.Mike Frantzen
2001-08-22Correct the setup of the intial TCP state window and pre-validate th_ackMike Frantzen
on an FIN|ACK close if the client has never responded.
2001-08-22Fix panic in pf (was my fault) caused by a bad key compare optimizationMike Frantzen
Add debug output to track loose state matches
2001-08-21KNFTheo de Raadt
2001-08-21cut/pasto in rule flushing code (using wrong list); base on patch from Henk ↵Jason Wright
van Lingen <henk@vanlingen.net>
2001-08-21Add support for SIOCADDMULTI & SIOCDELMULTI; NetBSDbrian
2001-08-21Pass closing TCP connections through looser state machine (handle Solaris'Mike Frantzen
stupid spurious ACK|FINs after a close)
2001-08-19Add new ioctls for adding/removing RDR and NAT rules to/from the activeDaniel Hartmeier
rule sets.
2001-08-19Quick optimization of pf_tree_key_compare (should half the instruction count)Mike Frantzen
2001-08-19Make more money for mickey (count entire IP packets for statistics, not justDaniel Hartmeier
inner data).
2001-08-19Yet another batch of improvements and un-fuckups to the TCP state code.Mike Frantzen
Improved the state miss debug messages to cover the new checks.
2001-08-19Add per-rule byte counter, so mickey can do accounting. We're counting theDaniel Hartmeier
data part (without IP and TCP/UDP/ICMP headers), like the state counter does.
2001-08-19Add per-rule statistics (number of evaluations and number of packets).Daniel Hartmeier
Packets passed statefully will be counted using the rule that created the state.
2001-08-19Unfuck some TCP state stuff that would drop the SYN|ACK.Mike Frantzen
Enumerated the TCP states. Here's a mapping new->old tcp states if anyone gives a shit: TCPS_CLOSED 0 TCPS_SYN_SENT 1 TCPS_ESTABLISHED 2 TCPS_CLOSING 3 TCPS_FIN_WAIT_2 4 TCPS_TIME_WAIT 5
2001-08-19compile w/out INETJason Wright
2001-08-19Loosened TCP state code which should allow stupid stacks to shotgun theirMike Frantzen
SYNs and provide better handling for pre-existing connections.
2001-08-18Add new ioctl for adding/removing individual rules to/from the active rule set.Daniel Hartmeier
2001-08-18make pfctl -s state SCREAM; frantzen is now happyTheo de Raadt
2001-08-12now, that kernel compiles, i can go get an ash tray somewhereMichael Shalayeff
2001-08-11Add support for ICMP errors referring to ICMP queries/replies. FixesDaniel Hartmeier
'ICMP error message for bad proto' messages. Reported by Mark Grimes and Steve Rumble. Add debugging level with ioctl interface and pfctl switch. Default is 'None'.
2001-08-05Actually, move the check inside the switch.Angelos D. Keromytis
2001-08-05Only flush the policies if the message type is UNSPEC.Angelos D. Keromytis
2001-08-03Use IFCAP_VLAN_MTU and IFCAP_VLAN_HWTAGGING capabilities:Chris Cappuccio
LINK0 disappears; we now set IFCAP_VLAN_HWTAGGING at ifnet->if_capabilities in the Ethernet driver for cards/drivers which support hardware tagging. MTU ambiguity disppears; we now set IFCAP_VLAN_MTU in the Ethernet driver when we know the chip will not truncate/discard vlan-sized frames. Only allow the MTU to be changed within the scope of the parent interface's MTU. (Here we also take into account IFCAP_VLAN_MTU) Propagate hardware-assisted IP/TCP/UDP checksumming flags to the vlan interface if the card supports hardware tagging (from NetBSD)
2001-08-03simplify previous fix (0-length mbuf in mbuf chain). from freebsdJun-ichiro itojun Hagino
2001-08-02do not exit loop even if m_len == 0. it is legal to have an mbuf withJun-ichiro itojun Hagino
m_len == 0 in mbuf chain.
2001-08-02KNFTheo de Raadt
2001-08-01stateless tcp normalization along the lines of the normalization paper byNiels Provos
handley, paxon and kreibich; okay deraadt@
2001-07-30never before has a file so often deviated from KNFTheo de Raadt
2001-07-30use queue.h macrosJason Wright
2001-07-29Implement rule skipping. This is a transparent evaluation optimization,Daniel Hartmeier
which reduces evaluation cost for sorted rules of similar parameters. Preparation for rule duplication for parameter lists from pfctl.
2001-07-27PF_IN/PF_OUT aren't defined if NPF <= 0, deal with it.Jason Wright
2001-07-27variable name "gif" is way too generic - use "gif_softc". sync with kameJun-ichiro itojun Hagino
2001-07-25nat proxy port randomization by ben fleis.Daniel Hartmeier
2001-07-25Make sure pkthdr.rcvif is correct before calling pf_test()Jason Wright
2001-07-25- unconditionalize call to bridge_input() (fewer #ifdef's and NPF>0 is ↵Jason Wright
default case anyway). - add support for filtering on interface output (and call pf_test() appropriately) What all this means: nonstateful and stateful PF filtering now works with the bridge.
2001-07-25Initialization of arpcom * based on ifp was too soon: ifp can change asJason Wright
a result of a call to bridge_input().