Age | Commit message | Author |
|
- Fix anchor accounting for IPv4 TCP and all IPv6 protocols.
- Make stateful connections work for generic protocols on IPv6.
ok henning@ dhartmei@
|
|
of gcc extensions have more of a chance.
ok mcbride@, no objections from millert@, deraadt@
|
|
|
|
From Pyun YongHyeon. ok henning@, canacar@
|
|
created by this rule from appearing on the pfsync(4) interface. e.g.
pass in proto tcp to self flags S/SA keep state (no-sync)
ok cedric@ henning@ dhartmei@
|
|
(mvme68k/mvme88k) vs.c and (vax) if_le.c ok miod@
isakmpd ones ok ho@
|
|
allocation; tested on most archs
|
|
with either in(6)_pcbhashlookup() or in(6)_pcblookup_listen();
in_pcblookup is now only used by bind(2); speeds up pcb lookup for
listening sockets; from Claudio Jeker
|
|
good candidate for 3.X errata.
ok dhartmei@ henning@ mcbride@
|
|
ok henning@ dhartmei@
|
|
|
|
address) is used for source in the binat rule. closes PR 3535, reported
by Karl O.Pinc. ok henning@, cedric@
|
|
This saves more than 30% memory on state entries, and simplifies the state
insertion and removal code as well.
NOTE: This changes the pf API; userland tools must be updated to match.
ok henning@ dhartmei@
|
|
Fixes leakage of mbufs on error.
Pointed out by Max Laier.
|
|
problems with dhcp.
ok frantzen@ krw@ deraadt@
|
|
Locking prevents dangerous ioctls such as changing the
interface and sending signals to be executed by an
unprivileged process. A filter can also be applied
to packets injected through a bpf descriptor.
These features allow programs using bpf descriptors to
safely drop/separate privileges.
ok frantzen@ henning@ mcbride@
|
|
|
|
Allows non-ALTQ kernel compile.
Pointed out by tedu@
ok itojun@, "works here" tedu@
|
|
|
|
Allows multiple hosts to share an IP address, providing high availability
and load balancing.
Based on code by mickey@, with additional help from markus@
and Marco_Pfatschbacher@genua.de
ok deraadt@
|
|
by random values). ok mcbride@, cedric@, henning@
|
|
|
|
|
|
none of us can test this, but that does not mean it has to sit in the PR
database
|
|
(behavior change from 4.4bsd).
dhartmei ok
|
|
do not try to send incomplete fragments on ENOBUFS case
(behavior change from 4.4bsd).
dhartmei ok
|
|
which ends up in the pflog pcap file. From dhartmei@
ok dhartmei@, frantzen@, henning@
|
|
|
|
OK krw@, deraadt@
|
|
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:
- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.
WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.
The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):
- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE
They are replaced by the following ioctls (yes, pf(4) will follow)
which operate on a vector of rulesets:
- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK
Ok dhartmei@ mcbride@
|
|
pf_test_state_<proto>() to pf_test() and pf_test6(). Reduce
code redundancy, and fix the following bugs:
- ICMP packets were not being accounted for correctly (missing
statistics code in pf_test_state_icmp())
- Some packets were not being counted in the loginterface statistics
NOTE: Under some situations with route-to, packets may get counted
once on the original interface, and once on the pf-routed interface.
This can be dealt with by rules which specify each interface
explicitly.
ok cedric@, henning@
|
|
ok cedric@ frantzen@ henning@
|
|
now call the poll backend. With this change we implement greater
poll(2) functionality instead of emulating it via the select backend.
Adapted from NetBSD and including some changes from FreeBSD.
Tested by many, deraadt@ OK
|
|
ok markus deraadt
|
|
|
|
|
|
This is mostly to support the new "nat pass" rule.
ok dhartmei@ henning@
|
|
them could be used to panic pf with scrub rules remotely. Found by
Rob Pickering. ok frantzen@, henning
|
|
ok henning@
|
|
|
|
by setting it to whatever is suitable for the link type. so we try a guessed
1460 MTU and 1500 MSS if the primary check fails.
algorithm tweak from Michal Zalewski
name a few constants too while I'm in there
|
|
makes routing lookups slightly more expensive, and serves no useful
purpose.
ok itojun@ tedu@
|
|
|
|
disappears. deraadt ok
|
|
deraadt@ ok.
|
|
|
|
|
|
ok dhartmei@ jmc@
|
|
|
|
pf_osfp_fingerprint_hdr() which doesn't work on mbufs.
pointed out by Max Laier
|