Age | Commit message | Author |
|
unbreaks RTM_GET. Problem reported by fkr@
|
|
By doing so we ensure that all the memory is initialised and we no longer
have to ensure that none of the structure elements is forgotten in
sysctl_iflist() and sysctl_dumpentry().
This solves the route flush issues seen by aanriot@
OK henning@
|
|
if.c.
|
|
been cached in pd->p_len.
ok henning@ markus@
|
|
to access uninitialised memory.
Set dst to 0 on error, the error path tries to access dst but dst is inited
later down the code. This fixes a kernel panic seen by aanriot@
OK henning@
|
|
will show input errors for packets received from any of the ports that
are part of a fail over interface but are not the "master" port at the
time. This fixes the problem by checking the error condition
correctly.
From brad at comstyle dot com
|
|
ok claudio@
|
|
Changes include 64bit counters instead of u_long, routing table id in the header
of most messages, reserved routing priority field, added a hdrlen field to skip
over the header so that binary compatibility becomes easier.
A minimal backward support for old binaries is included to ease upgrades but
don't expect anything more than ifconfig, route and dhclient to correctly work.
OK henning@ mglocker@
|
|
'badstate' everywhere.
ok henning@
|
|
MGET* macros were changed to function calls, there wasn't any
need for the pool declarations and the inclusion of pool.h
From: tbert <bret.lambert@gmail.com>
|
|
version for i386
more architectures and ctob() replacement is being worked on
prodded by and ok miod
|
|
ok henning@
|
|
there is a 1:1 mapping between direction and the tree the states get
attached to. there is no need to have anything outside the state insertion/
deletion/lookup routines know about these internals. so just pass the
direction to the lookup functions and let them pick the right tree.
ok dhartmei markus
|
|
criteria. ok mcbride@
|
|
if (r != NULL && r->rtableid >= 0)
- m->m_pkthdr.pf.rtableid = m->m_pkthdr.pf.rtableid;
+ m->m_pkthdr.pf.rtableid = r->rtableid;
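Review bot: on the removed line the left and right sides are the same expression, m->m_pkthdr.pf.rtableid, a self-assignment that is easy to miss in review. It is worth checking the other places that set m_pkthdr.pf.rtableid for the same copy-paste slip, and a one-line comment above the r->rtableid >= 0 guard saying that the rule's rtableid replaces the packet's would make the intent explicit.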
fortunately it is in pf_send_tcp and thus the effect is very limited, RSTs
sent due to "block return(-rst)" could be routed using the main routing
table instead of an alternate one specified on the block rule.
spotted by Janjaap van Velthooven <janjaap@stack.nl>
|
|
revert back to m_pullup2. Reported and tested by Enache Adrian
additional testing by naddy@ and claudio@
ok claudio@, deraadt@
|
|
messages, add 'dir=' part to 'loose state' message, ok henning@, markus@
|
|
header are required in the ICMP error). ok deraadt@, henning@
|
|
The earlier change was broken in sparc due to alignment problems.
reported and tested by naddy@, ok deraadt@ claudio@
|
|
This is a bandaid solution, a better solution will go
in post 4.2. Reported and tested by Joerg Zinke.
ok claudio@, deraadt@
|
|
When sending a protocol reject. Prevents reading
past the mbuf in case the mbuf does not cover the
whole packet. ok claudio@, henning@
|
|
ok miod@ jmc@
|
|
needs to be allowed to export that information too. Thus, adjust
sadb_exts_allowed_out[] accordingly.
This fixes isakmpd not being able to get the in-kernel last-used-counters
of SAs, which are needed for DPD.
ok ho@
|
|
bug in the code, but as soon as I try to fix it, it seems to trigger
some other bugs. Instead of trying to figure out what's going on
while everyone suffers, it's better to back out and figure out
the bugs outside the tree.
|
|
replace a dead link while i'm here.
ok canacar@ reyk@
|
|
OK markus@, mcbride@, "sounds reasonable" henning@
|
|
table/state tail queue design. corrects ftp-proxy errors "server lookup
failed (no rdr?)" okay henning@
|
|
Makes bluetooth build again. ok uwe@
|
|
before it is removed from the multicast group in_delmulti() will try to
access the no longer available ifp.
We invalidate the ifa_ifp back pointer in the ifa in if_detach() now and use
the ifa_ifp in in_delmulti() instead of the internal inm_ifp. By doing it
this way we know if the interface was removed.
This fixes a kernel panic triggered by ospfd and gif(4) tunnels.
looks good henning@ reyk@
|
|
Fixes ICMP packet payload corruption on rdr.
OK henning@, markus@
|
|
the end of the array of rule pointers when attaching a pfsync'd state
to a rule. Reported in PR5508 by mayer@netlab.nec.de.
ok henning@
|
|
rx rings any more. forwarding boxes with many fast interfaces can still use
some more, but this is a saner default.
ok deraadt markus henric
|
|
keys that can map to multiple states (last not least for ifbound) we don't
need state tables hanging off each struct kif representing an interface
any more. use two globals for the two tables. ok markus ryan
|
|
unused ifname (this information is in struct pf_state_sync now).
Also a bit of KNF on the pf_state struct.
ok mpf@ henning@
|
|
check the logif when changing a rule
from max laier, ok ryan
|
|
previously, we had a set of state tables attached to each interface. so for
every packet we had to do a lookup in the tables for the interface, and
afterwards in the global tables.
since we split state keys and states now, use only the global tables, and
put the actual states in a tail queue attached to the state key. sort the
list so that ifbound states come before global ones. on lookup, we only
have to compare the interface pointer on the actual states and use the
first one where either the interface matches or the state is not interface
bound. thus, if you don't actually use ifbound states, and there is only
one state per state key, the overhead is close to zero, where we had extra
lookups before. in addition to a much cleaner design (that'll allow for more
goodies later) this gives us ~12.5% more forwarding performance.
mostly hacked at c2k7, lots of help, testing and ok mcbride & markus
|
|
OK henning@, ``passt scho'' markus@
|
|
spotted by Mike Belopuhov <mkb@crypt.org.ru>
|
|
the packet is of the expected address family (AF_INET / AF_INET6).
crafted IPv4 packets with IPPROTO_ICMPV6 can make us crash otherwise.
misbehaviour provoked by Adrian Close <adrian@close.wattle.id.au> playing
with nmap; he also helped us big time debugging the problem. thanks!
ok ryan
|
|
which will be used for new interface routes. For example,
ifconfig em0 10.1.1.0 255.255.255.0 rtlabel RING_1
will set the new interface address and attach the route label RING_1 to
the corresponding route.
manpage bits from jmc@
ok claudio@ henning@
|
|
from mickey, ok me markus mickey
|
|
since we include the mbuf header parts for pf unconditionally, we should
be able to check them unconditionally as well. ok mcbride markus
|
|
(&ptr instead of ptr). should fix pflog breakage seen by bob
|
|
some I found afterwards, ok dlg
|