Age | Commit message | Author
|
- pull the route-to ifp from the current pf_pooladdr (not the last one)
with stateful rules
- remove unnecessary PF_ACPY and PF_AZERO
ok dhartmei@ on pf_route version, pf_route6 is the same.
|
redirection target address. Reported by Michael Lucas. ok mcbride@
|
Solves the crashes in pf_route() with -current.
Reports from Michael Lucas and Bjorn Runaker.
|
panics should occur. ok mcbride@
|
back in tcpdump, worked fine (; from bdd@ieee.org
|
we don't need the second list of addresses for DIOCCHANGE* operations)
Also get rid of a bug where DIOCBEGINADDRS clears pabuf[1] when pabuf[0]
is the one being used.
ok henning@ dhartmei@
|
referenced by number in DIOCCHANGEALTQ (like rule and pooladdress)
"go for it" henning@
|
print the port number in pf_print_host if it's 0 (like when
pf_print_host is called from pf_map_addr)
ok dhartmei@
|
ok dhartmei@
|
ok; fixes unaligned trap on alpha from pr3037
|
Unlike with filter rules, nat rules inside anchors might be pointed to.
|
Loading large rulesets consists of two phases. First, the rules are
parsed and added, one by one, to the inactive ruleset. The machine
remains responsive during that phase. Then, the new ruleset is
activated, and the skip steps are calculated. The machine locks up
during that phase. This second phase is greatly reduced with the new
algorithm. With the old one, calculation could take 30s for 12k rules,
with the new one, 100k rules take less than 1s. For small rulesets
(less than 1000 rules), the gain is insignificant.
ok mcbride@, henning@
|
Found by markus@
|
evaluation, packet, byte and state entry counters similar to -vsr. Helps
verify whether/how often translation rules are evaluated/matched.
ok frantzen@, henning@
|
(in the main set) number, not the number of the rule within the anchor.
Eventually, both will get logged. But as long as we only log one number,
this makes more sense.
|
main purpose is making them regress-testable.
|
tcp. A silly copy/paste error by yours truly located by deraadt@
|
skip steps on translation rules.
Also:
- Require a ticket for DIOCCHANGERULE operations to prevent races.
- Remove pf_compare_* functions from pf_ioctl.c. DIOCCHANGE* operations
use a rule number, and comparisons happen in userland.
Testing and fixes from dhartmei@ and frantzen@
ok dhartmei@ henning@
|
ok henning@ dhartmei@
|
this allows for a second queue on pf_rule.
assign packets with tos 0x10 (lowdelay) to this one.
if the second queue isn't specified set pqid = qid
idea dhartmei@
ok dhartmei@ frantzen@ deraadt@
|
incrementing its reference. Fixes a m_zero panic reported by markus@ when
pfdatatopacket returns a cluster.
Tested by markus@, jason@ ok.
|
the O versions since these are debugging only and should not affect normal functionality; deraadt@ ok
|
filtered); Darren Reed <avalon@coombs.anu.edu.au>
|
port/path to root bridge among several LANs. unlike ifpriority, which
allows you to select designated port if several interfaces belong
to the same LAN; ok jason@
|
Approved by original author. Julian.Onions@nexor.co.uk
|
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.
Idea and ok deraadt@
|
blocking or disabled state. send packets only if interface is the
forwarding state; comment from netbsd; with and ok jason@
|
freeing rules. Fixes a number of potential memory leaks and other bugs.
- Add new pool_ticket to insure that address pools don't get messed
with by someone else while we add rules.
- Add a second address pool buffer, so that DIOCCHANGE* operations which use
pf_compare* will work correctly.
Excellent bug report and analysis from DJ Gregor.
ok dhartmei@ henning@
|
ok dhartmei@
|
PF_CHANGE_REMOVE from dereferencing a NULL pointer.
Noticed by dhartmei@
ok dhartmei@
|
- Always fold the key in
Many fixes & suggestions from camield@
ok mickey@ camield@ henning@
|
rather than struct pfioc_pooladdr
an obvious fix from dhartmei@
|
- More technically correct
- Matches FreeBSD and NetBSD
- Preserved #define for 1000baseTX for backwards compatibility
ok jason@
|