Age | Commit message | Author

definition of DPFPRINTF(), and log priorities from syslog.h. Old debug
levels will still work for now, but will eventually be phased out.
discussed with henning, ok dlg

ok claudio

it if we have it.
Requested by dlg, ok henning.

incorrect error handling

happy and went to use after free instead. ryan and I think we found the
reason - just freeing those state keys in the error path is wrong as well,
since pf_state_key_setup could have found existing, identical state keys
and linked our state to these. if we now free them the other state that
hung off these state keys would point back to the freed state keys. so
instead of manually trying to free the state keys just call
pf_state_key_detach which has all the magic checks.
with and ok ryan

is not null, to be safe and to be able to call this with half setup
states. with and ok ryan

to nothing. this lets us see functions in ddb, while not hurting the
ability to share the code with other projects.
idea borrowed from the usb stack.
ok yasuoka@

is set whenever we change the rcvif. It is still not possible to pass traffic
between two vether but works now from outside.
OK deraadt@

the list of all interfaces and traversing the list of all addresses on each
interface.
if bugs show up with addressing this is the #1 backout candidate, something
i missed might fuck with ifaddrs behind our back, although i looked &
tested hard. 10x to naddy for inet6 testing.
ok theo ryan dlg

includes AF_LINK addresses (aka mac addresses in the ethernet case). for
inet this also includes the broadcast addresses.
depends on ifinit() called earlier so we have a chance to pool_init before
autoconf assigns the AF_LINK addresses, the v6 fix, and the ifa_add/del
abstraction i just committed.
this is a change in semantics, it is now illegal to change the actual
address in an ifaddr struct because then the RB tree becomes unbalanced.
nothing using this tree yet.
ok theo ryan dlg

many places create a proper API (ifa_add / ifa_del) and use it.
ok theo ryan dlg

which no longer exists. Makes gcc4 kernels compile again.
ok henning@

that it knows how big the messages are.
rework the message handlers to use the pfsync_subheader.len value to
iterate over the message regions.
deprecate the EOF subheader since trying to pulldown a 0 byte buffer is
fail.
ok mcbride@ sperreault@

this makes sure there is enough of the message to try and parse it, and
allows implementations to skip past regions prefixed by unknown subheaders.
based on discussion with mcbride@ deraadt@ and simon perreault

ok mcbride@

splx().

ok henning

is safe for both hardware devices and virtual devices
ok mpf, kettenis, moaning and groaning and slow acceptance from mcbride
XXX should loop checking for uniqueness after new henning diff goes in

actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.
Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.
ok henning dlg claudio

bpfdetach() will be called in if_detach(). Diff by Gleydson Soares

ok mcbride@

ok mcbride@

this prevents the ultimate length of the queue of the underlying interface
from being artificially inflated while the vlan/trunk queue is filled and
then dumped wholesale on the underlying interface, which will dump its
massive queue wholesale on the chip.
tx mitigation is only triggered on real interfaces now (which is where the
cost is)
ok beck@ original diff ok kjc@ henning@

the route messages so that people and compilers will not get
confused.
ok claudio

need two state keys (NAT case), and we succeed allocating the first one
but fail getting the second we'd leak the first one. obvious and thus ok'd
by dlg ryan and theo within seconds

over the last couple of weeks (ever since I found it): when we are out of
memory for the state keys we leak the state. oh the irony.
instead of just fixing that one case rework the error handling in the entire
function. verified painfully by yours truly by forcefully exercising each
and every error path in there. ryan ok

acceleration for PPP access concentrator.
ok mcbride@ dlg@ deraadt@ reyk@.

length of its message in dwords. multiply that by the count of the messages
to figure out how to skip to the next subheader.
"old" code still thinks the len field is a pad, which it doesn't look at, so
new messages with a filled in len are still parsed correctly by "old" code.
input and ok mcbride@
sounds good! Simon Perreault

if_detach() which is called right afterwards.
Found by Gleydson Soares (gleydson (at) trusted.com.br)

interface is marked down, and wrap interface detach/attach in splnet().
ok henning@ todd@, "I like the idea" deraadt@

rdomain 0 for now. OK michele@

on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which interface the packet had to be received on. eg:
pass out on em0 from $foo to $bar received-on fxp0
i've been running this in production for a week now. i find it particularly
useful with interface groups.
no objections, and a few "i like"s from henning, claudio, deraadt, mpf

the original approach using a source tracking node.
the reimplementation is more flexible than the original one, we now have an
slist of source tracking nodes per state. that is cheap because more than
one entry will be an absolute exception.
ok beck and jsg, also stress tested by Sebastian Benoit <benoit-lists at fb12.de>

ok claudio@

instead of MISC. "makes a little bit more sense" henning@

ok claudio@ dlg@

not having sks and sks set to NULL causes random memory to be pool_put().
ok deraadt@ jsing@

and thus had to get rid of them if we didn't create state. this is no
longer the case, kill dead code. ok claudio

to pf_test6 (where it is wrong in some edge cases, for match rules and
logs a packet twice in some cases). ok claudio

if action != PF_PASS. same was changed in pf_test_rule a while back
but the fragment case was forgotten. since everybody reassembles nobody
ran into this.

the NAT rewrite and ever since then only checked in a couple of places
but never set. same for nat_src_node on pf_state.
with this the NAT rewrite made pf over 1000 lines shorter.