Age | Commit message | Author |
|
Since the ifp is not detached in the SIOCSIFRDOMAIN case remove the
clear there. With and OK deraadt@
|
|
which packets (as in direction) of the traffic will be diverted
through the divert socket.
ok claudio@, henning@
|
|
Resurrect the rather silly "unplug my network device while I am
doing nfs diskless revarp" safety code which was disabled due to
a missing "ether.h" include, found by jsg
ok jsg
|
|
return anything but 0 anyways
From: "Michael W. Bombardieri" <mb at ii dot net>, ok camield
|
|
the syncdev gets set. this also makes sure we no longer leak hooks on
repeated 'ifconfig syncdev' invocations.
ok mikeb@
|
|
is really needed, instead of an ethernet header and selector.
ok mikeb henning mpf
|
|
followed by ifconfig destroy; ok mikeb
|
|
include sys/mbuf.h in net/pfvar.h.
Flagged by and ok guenther@
|
|
|
|
routecache is full and the admin is making it smaller. It then does a
lame attempt at shrinking the routecache, something that a flush or flushall
can do better.
ok henning beck
|
|
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.
This way we can get rid of a lot of list walks, improving performance
and shortening the code.
ok henning stsp sthen reyk
|
|
|
|
that can be filled. OK dlg@, mikeb@
|
|
|
|
are cleared as well; from hshoexer@, feedback and ok bluhm@, ok claudio@
|
|
ok claudio@
|
|
it's cancelling the bulk update and can leave the machine in a
demoted state.
bug was noticed by benno, who was kind enough to verify that the
fix is working fine. ok mpf, benno
|
|
Even though this violates IEEE 802.1D, we'd rather avoid bridging loops
by not getting in the way of STP.
OK henning, camield, reyk
|
|
with the latter
no change in md5 checksum of generated files
ok claudio@ henning@
|
|
when dealing with lots of IP fragments.
This sets the default to 25% of the mbuf cluster maximum (hint
from beck). And the example in the manpage is sane now.
ok mikeb henning beck deraadt
|
|
ok deraadt@ miod@
|
|
no functional changes.
|
|
to a radix_node struct.
The radix tree pushdown continues.
ok claudio@
|
|
to replace the list of them.
this actually makes vlan inherit the IPv6 CSUM flags from its parent, that
had been commented out since this code was committed back in 2001.
ok benno mpf
|
|
ok camield mpf
|
|
returns radix_node pointers, inside a new rt_mpath_next, which accepts
and returns rtentry pointers, and start using that instead.
ok claudio@
|
|
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb
|
|
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@
|
|
as functions that modify routing information shouldn't be interruptible by
network traffic.
Also make sure that both of those functions assert that they are called
at softnet. I'm reasonably sure that there shouldn't be any, but if there
is any codepath that was missed, we're going to be here for another 4 days
to deal with any fallout.
While here, move the multitude of "int s" declarations inside ifioctl to
the beginning of the function.
okay claudio@
|
|
ok claudio@
|
|
missing on IPv6 path only.
From brad
|
|
From brad
|
|
Requested by jasper@, ok kettenis@
|
|
and harmful as we might see only half of the connection in
the asymmetric setups but ignore the state match. The bug
was reported and fix was verified by Insan Praja <insan ()
ims-solusi ! com>. Thanks! OK mcbride, henning
|
|
flag. It is now called IFXF_INET6_NOPRIVACY. So IPv6 privacy
addresses are on by default without resetting the flag during
ifconfig down/up.
OK stsp@, sperreault@ (who wrote the same diff)
|
|
to the 16 bit flags; reminded by claudio, ok henning
|
|
|
|
LEVAI Daniel, diagnosed by matthew@, original diff from RD Thrush, cleaned
up by me with feedback from mikeb@. OK mikeb dcoppa deraadt
|
|
L2TP packets.
ok markus henning
|
|
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage
|
|
|
|
:dlg: the xxx can go
...and this time commit to the real repo and not the one on my laptop
|
|
packet within the icmp error packet was wrong. Fix this by using
the pd2.tot_len of the inner packet and subtract the old header's
length.
OK mikeb@ henning@
|
|
exporting them to the outside world via radix.h.
ok claudio@ sthen@ henning@
|
|
and bound to break sooner or later.
|
|
load balancing case, this allows Weighted Least States (WLS).
Everything prepared on c2k11 with help from mcbride@.
This finally makes PF ready for the cloud.
ok henning@ mikeb@ pyr@
|
|
mostly by dynamically allocating pflogifs instead of making that a static
array. ok claudio zinke
|
|
utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc
|
|
when you kill states by IP, it is not all that clear which IP we're talking
about - before or after rewriting?
the old semantics were to always look at the "original" IP, i.e. before
rewriting. ever since the NAT rewrite we were unconditionally looking
at the wire side state key, which is the original address for PF_IN states,
but not for PF_OUT. So look at the SK_STACK state key in the PF_OUT case.
should fix "authpf doesn't remove NAT states" seen on misc a while ago
ok & testing & half of the analysis bob (he sez beck)
|
|
1) demote by 32 on the first bulk update to prevent failovers w/o having
a full state table;
2) don't do any demotion adjustments on the link up event and undemote
when bulk update finishes (or times out) preventing a race between
nodes getting a link state update asynchronously.
With phessler; tested by phessler and Kapetanakis Giannis. Thanks!
Looked through by henning and dlg. Now the correct version.
|