path: root/sys/net
Age | Commit message | Author
2003-02-16 | KNF | Theo de Raadt
2003-02-16 | KNF | Jason Wright
2003-02-15 | skeleton support for LZS compression | Jason Wright
2003-02-15 | s/LSZ/LZS (consistent with linux and isakmpd *.cst) | Jason Wright
2003-02-12 | Address the NFS problems recently discussed in various threads. | Daniel Hartmeier
    Change semantics of scrub option 'no-df' slightly: if the option is used, it now also applies to _fragments_ with IP_DF set, not just to complete packets. Hence, adding 'no-df' to 'scrub in all fragment reassemble' allows clearing IP_DF from fragments, so they don't get dropped but reassembled. This affects several UDP protocols that used PMTU discovery, mostly Linux' NFS implementation. In short, if you have 'scrub in all' now, you probably want to change that to 'scrub in all no-df', unless you want to drop fragments with IP_DF set (some people have good reasons to do the latter, hence the non-default option). ok frantzen@, henning@, cedric@
2003-02-12 | Labels should be followed by statements (fix gcc3 warning). | Henric Jungheim
    ok cedric, jason, theo
2003-02-12 | Remove commons; inspired by netbsd. | Jason Wright
2003-02-12 | Make r.rpool.proxy_port[] a consistent byte order to match cleanup in | Ryan Thomas McBride
    pfctl. ok dhartmei@
2003-02-12 | Fix a bunch of pf_route() bugs: | Ryan Thomas McBride
    - pass back a pointer to state created in pf_test_{tcp|udp|icmp|other}() so that pf_route()/pf_route6() can peek at it.
    - put the PACKET_TAG_PF_ROUTED tag onto the packets _before_ we call pf_test()/pf_test6() again to prevent looping.
    - Call pf_test6() in pf_route6() instead of pf_test() for obvious reasons.
    ok dhartmei@
2003-02-09 | Slightly less noisy debug printf from pf_map_addr(), ok mcbride@ | Daniel Hartmeier
2003-02-08 | Add scrub option 'random-id', which replaces IP IDs with random values | Daniel Hartmeier
    for outgoing packets that are not fragmented (after reassembly), to compensate for predictable IDs generated by some hosts, and defeat fingerprinting and NAT detection as described in the Bellovin paper http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@
2003-02-05 | Remove the confusing and more-or-less unnecessary temporary | Ryan Thomas McBride
    struct pf_pooladdr *cur. It was being used incorrectly in the round-robin case, which meant that the previous address was being selected, rather than the real current one. ok dhartmei@
2003-02-01 | Make it build without INET6 again. | Daniel Hartmeier
2003-02-01 | from Chris Pascoe <c.pascoe@itee.uq.edu.au>: | Chris Cappuccio
    Fix multicast bug; internal multicast members' list was not initialized correctly. Also, begin to make vlan less ether specific - TR and FDDI could also be supported.
2003-01-31 | The fix introduced with 1.294 to solve issues with route-to in | Daniel Hartmeier
    combination with translations was too broad and broke some more complex setups (creating two states for one connection on two interfaces, using modulate state for each, and additionally using route-to/reply-to on one of them), so narrow it to the cases where it's needed. Reported by henric@.
2003-01-31 | Check protocol (TCP/UDP/ICMP/ICMP6) checksums of all incoming packets, | Daniel Hartmeier
    and drop packets with invalid checksums. Without such a check, pf would return RST/ICMP errors even for packets with invalid checksums, which could be used to detect the presence of the firewall, reported by "Ed White" in http://www.phrack.org/phrack/60/p60-0x0c.txt. To minimize the cost of checksum calculations, mbuf flags set by network interfaces capable of hardware checksumming are honoured, and set when pf performs the calculation, so the TCP/IP stack itself will not repeat the calculation for the same packet later on. ok mcbride@ and henning@
2003-01-31 | Send a RST when an invalid packet matches a TCP state during the | Daniel Hartmeier
    handshake. Solves the issues with the "ACK+1000000 cookie scheme", which depends on RFC 763 (p39, Reset Generation, 2. non-synchronized state, "reset is sent"). ok henning@, camield@ and (I guess ;) frantzen@
2003-01-25 | Fix the behaviour of rdr rules which redirect to a range of ports; | Ryan Thomas McBride
    Stop overloading PF_OP_RRG as a flag where it doesn't make sense, and makes the port mapping more flexible, allows mapping a destination port range of one size to another of a different size. Fixes and additional testing courtesy of dhartmei@ ok dhartmei@
2003-01-25 | Fix a bug that potentially caused fragments to be dropped when the | Daniel Hartmeier
    overlap calculation got negative. Found by Baruch Even. ok henning@
2003-01-24 | Sigh, pf_pull_hdr (aka pf_pull_hair) doesn't do an m_pullup, it merely | Daniel Hartmeier
    copies the data to the specified buffer. So, for TCP options, provide a sufficiently large buffer and copy to there.
2003-01-24 | Move the mbuf pullup for TCP options to the beginning of TCP handling, | Daniel Hartmeier
    doing it later can invalidate pointers to mbuf data. This fixes subtle breakage just introduced (with 1.306).
2003-01-24 | Fix wscale support, the first version didn't really work right. | Daniel Hartmeier
    Interestingly, our own stack uses wscale 1 quite regularly, and I now suspect that this is what caused most of the state failures I've seen. They were quite rare, but with working wscale support, they are reduced even more. ok henning@
2003-01-23 | Fix a bug where the kernel crashes when translating IPv6 ICMP packets. | Daniel Hartmeier
    This only happens when using nat/rdr/binat on IPv6 connections, which hasn't been used before, obviously. But it does work now. Reported and confirmed by evilted@efnet, ok mcbride@
2003-01-21 | Support for TCP window scaling (RFC 1323). ok frantzen@ | Daniel Hartmeier
2003-01-20 | It's difficult to create a table by changing its flags. | Cedric Berger
2003-01-20 | just for safety. from http://templeofhate.com/tglaser/pub/obsd.diff | Jun-ichiro itojun Hagino
2003-01-19 | format string fixes | Henning Brauer
    inspired by Thorsten Glaser via fries@ ok theo
2003-01-18 | Argh! KNF. | Ryan Thomas McBride
    pointed out in advance by dhartmei@
2003-01-18 | Make nat behave the way it used to by copying back the random source port | Ryan Thomas McBride
    correctly. Also remove some extra cruft in pf_get_sport related to the "static-port" behaviour. bug report from mpech@ and form@ testing cedric@ "looks sane to me" henning@ ok dhartmei@
2003-01-17 | typo: bandwith -> bandwidth | Camiel Dobbelaar
2003-01-15 | Fix another buglet with inactive sets. | Cedric Berger
    table <foo> { 1.2.3.4 1.2.3.4 1.2.3.4 }
    was causing the kernel to become noisy. Now duplicates are silently rejected.
2003-01-15 | Fix a buglet when one "creates" a table which is already in the | Cedric Berger
    referenced or inactive set. Flags were not updated correctly. Tested on i386, sparc64. More regression tests coming.
2003-01-15 | Cleanup NULL tests in and around pfr_destroy_ktable(). | Cedric Berger
    Makes code more readable.
2003-01-15 | Kill stupid leaks when using FLAG_DUMMY option. | Cedric Berger
    Removes "_" from pool names. Regression tests for memory allocation coming soon....
2003-01-13 | Improve robustness & error handling. More thorough checks of user data. | Cedric Berger
    - Reject invalid CIDR networks (1.2.3.4/16 & friends).
    - Only allow values 0 or 1 for the "neg" flag.
    - Require all unused data to be set to 0 in pfr_addr and pfr_table.
    - Always check the return value of pfr_route_entry().
    - Remove redundant kernel messages.
    Tested on i386, sparc64. Pass my (uncommitted) regression tests.
2003-01-10 | Fix adding and deleting addresses in a table when there is a conflict with | Cedric Berger
    the "negated" attribute of an address. The previous behaviour was incorrect in both cases (too strict for the add command and too permissive for the delete command). ok dhartmei@
2003-01-10 | Cosmetic change, makes code a bit easier to understand. | Cedric Berger
2003-01-09 | minor KNF | Henning Brauer
2003-01-09 | (whitespace) KNF, re-fold -w 80 | Daniel Hartmeier
2003-01-09 | Add support for active/inactive tablesets in the kernel. | Cedric Berger
    Add table definition/initialisation construct in pfctl parser. Add and fix documentation for pf.4 and pf.conf.5. Tested on i386 and sparc64 by myself, macppc by Daniel. ok dhartmei@
2003-01-07 | apply the discover rule to bridge_output() as well | Jason Wright
2003-01-07 | remove the altq classifier code which is replaced by pf and no longer used. | Kenjiro Cho
    ok henning@, deraadt@
2003-01-07 | Remove table name hashing (pass the name in each ioctl instead), and | Daniel Hartmeier
    introduce reference counting for tables, they are now automatically created and deleted through referencing rules. Diff partly from cedric@. ok mcbride@, henning@, cedric@
2003-01-06 | Move initialisation of radix table globals in pfr_initialize() | Cedric Berger
    ok dhartmei@
2003-01-06 | knf | Theo de Raadt
2003-01-05 | Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table | Daniel Hartmeier
    name. ok henning@, mcbride@, cedric@
2003-01-04 | spelling | Theo de Raadt
2003-01-04 | move noroute from flag in pf_rule_addr into type in pf_addr_wrap. | Daniel Hartmeier
    ok henning@, mcbride@
2003-01-04 | Honour noroute in skip step calculation, found by cedric@ | Daniel Hartmeier
2003-01-04 | Remove unused pf_add_addr(), ok mcbride@ | Daniel Hartmeier