Age | Commit message | Author |
|
From Abel Abraham Camarillo Ojeda, reminded by Brad.
|
|
calculations, and does _not_ denote the time when to expire. So
it should never be added to (set into the future).
Try to reconstruct it with an educated guess on state import and
just set it to the current time on state updates.
This fixes a problem on pfsync listeners where the expiry time
could be double the expected value and cause a lot more states
to linger.
Timeout code from mikeb.
Found and tested by Maxim Bourmistrov.
ok mikeb dlg
|
|
an icmp<->icmp6 state (nat64); ok henning, mcbride, dlg
|
|
device hardware features.
Tune ifconfig to show them with 'hwfeatures' argument.
While here, kill some old unused capabilities and respect 80 columns
in brconfig.h.
ok mcbride@, henning@, mpf@.
|
|
interface. Problem report and fix from Erik Lax, thanks!
|
|
than the syncdev MTU. Prompted by the discussion with and tested
by Maxim Bourmistrov; ok dlg, mpf
|
|
tr_linkstate() was not initialized in trunk_rr_attach(), and
tr_init() and tr_stop() were missing in trunk_lb_attach().
Fixes crash triggered by changing trunkproto, reported by Anders
Berggren on bugs@.
ok mpf henning
|
|
by pedro/gcc.
|
|
if_detach() handles this ok. carpdetach() can now lower the demote
count on the carp group correctly.
ok henning mpf
|
|
on mbuf chains of insufficient length; prevents crashes seen by
dhill. also bring in some chunks omitted in the nat64 commit and
are essential for correct packet interpretation.
tested by dhill and me, ok henning
|
|
|
|
mcbride agrees, ok mpf, dlg
|
|
reorder packets to pass to the upper layer without reorder. It
will improve performance (throughput or loss rate) for PPTP or
L2TP(/IPsec) on networks that latency is unstable such as mobile
network.
As our test environment (bandwidth: 6Mbps, latency: 50ms for 97% of
traffic and 52ms for rest of traffic), throughput has changed from
0.76MB to 2.17MB on file upload by PPTP connected Windows Vista
ftp.exe.
Developed by UMEZAWA Takeshi at IIJ.
ok jmatthew@
tested jmatthew@ and myself.
|
|
"af-to" a generic IP version translator for pf(4).
Not everything perfect yet but let's fix these things in the tree.
Insane amount of work done by sperreault@, mikeb@ and reyk@.
Looked over by mcbride@ henning@ and myself at eurobsdcon.
OK mcbride@ and general put it in from deraadt@
|
|
unfortunately altq is one giant namespace violation. rename just those that
conflict with new stuff for now only to be found on my laptop. reduce pain,
the diff is huge already. ok ryan
|
|
just one and the variable name is clear enough. ryan ok
|
|
|
|
Also sort pd to the beginning of the functions' parameter lists for
consistency.
ok henning
|
|
KNF, no binary change.
|
|
pf_setup_pdesc(). It is better to check and bail out early than
to rely on pf_pull_hdr() later.
ok henning mpf
|
|
AF_INET6. So remove useless af switch defaults here and there.
Always use "switch(af)" instead of "if (af) else" for af dependent
code. Always use AF_ defines instead of PF_ when checking af values.
ok claudio mpf henning
|
|
around. This is a mechanical change. Initialize pd2 and use it
where appropriate.
ok henning on an earlier version; ok mpf
|
|
and change their type from int to u_int32_t. Do not pass struct
tcphdr *th and sa_family_t af, it is in pd anyway. Do not use af
and pd->af intermixed, the latter makes clear where it comes from.
Do not calculate the packet length again if pd already has it. Use
pd2.off instead of off2.
go go go go don't stop henning@ mpf@
|
|
some IPv4 and IPv6 code. Make sure that both code paths set the
same fields in the same order.
ok mpf henning
|
|
variables being processed.
ok bluhm@ henning@
|
|
reassembled by normalization from pf_setup_pdesc() to pf_test().
This simplifies the parameter list of pf_setup_pdesc() as it can
concentrate on its job filling the pf_pdesc struct.
ok henning mpf
|
|
the one occurrence in pf_test_state_icmp() that uses pd2.ip_sum by
a local variable. Remove ip_sum and proto_sum from struct pf_pdesc.
ok claudio henning
|
|
pf_setup_pdesc. fixes logging of packets passed statefully. ok bluhm
|
|
been reassembled by normalization.
ok henning claudio
|
|
ruleset after match. In case this is the only rule in the anchor,
the anchor will be destroyed automatically after the rule is matched.
This is an extremely handy technique for firewall proxies.
ok henning, mcbride
|
|
inefficient but doesn't matter with reasonable numbers of interfaces.
ok dlg@
|
|
From Christiano F. Haesbaert.
|
|
It's already in pfvar.h
OK mcbride@
|
|
without growing it in pfsync_state too.
to keep the wire format compat this uses some of the pad bytes to send
all the state flags on the wire as well as maintaining the old state_flags
field. after 5.0 we'll deprecate the original field and only use the new
one.
discussed with mcbride and deraadt and based on a diff from deraadt.
tested against an "old" pfsync locally.
ok mcbride@ henning@ deraadt@
|
|
Reject states with pfsync_state->af == 0 in pfsync_state_import(), in
preparation for states which specify an address family in each state key
instead (change will take place post-5.0).
ok dlg henning mikeb
|
|
improved debugging for error cases inside the weighted round-robin loop.
original diff from claudio, ok henning
|
|
lo' must not match a group 'local'. diff from sthen who is not around for a
few days, ok me and mpf. I can't find the mail of the guy who initially
ran into this problem, sorry for that, thanks for reporting!
|
|
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt
|
|
former anymore. OK miod@.
|
|
now, put it in the IPPROTO_TCP case of the pf_test_rule() inner loop.
ok henning sthen
|
|
the common function pf_walk_header6(). For that, pf_walk_header6()
can now extract both the information whether it is a fragment and
the final protocol if it is the first fragment. This allows to
match the icmp6 too big packet of a first fragment to the reassembled
packet's state. This is necessary if a refragmented fragment is
too big for the Path-MTU.
Note that pd.proto contains the real protocol number for the first
fragment and IPPROTO_FRAGMENT for later fragments. pd.virtual_protocol
is set to PF_VPROTO_FRAGMENT for all fragments.
ok mcbride@
|
|
from Martin Pelikan
|
|
Rather than silently dropping ALL icmp packets, return icmp/icmp6 error
for 'informational' message types (but continue dropping ICMP errors
unconditionally).
ok markus sthen henning
|
|
|
|
with input and ok from bluhm and claudio
|
|
so it evaluates in the order we want.
ok claudio@
|
|
payload, we missed to drop them. While there, also add a reason
to the corresponding check in pf_test().
ok mcbride@ claudio@
|
|
|
|
|
|
ok claudio henning yasuoka
|