Age | Commit message (Collapse) | Author |
|
who decided to just do it on their own. henning, mcbride, jsing -- shame
on you -- if you had shown this diff to just 1 other network developer,
the astounding mistake in it would have been noticed. Start practicing
inclusionary development instead of going alone.
ok claudio
|
|
by mcbride@.
ok mcbride@ henning@
|
|
only get messages that are for the rtable the process is bound to.
Depending on the rtm_type the rdomain or rtable id are used for
comparison. It is possible to change the filter with a setsockopt(s,
AF_ROUTE, ROUTE_TABLEFILTER,...) and if set to RTABLE_ANY the filter
is deactivated. Additionally set the tableid in struct if_msghdr
to the rdomain id and use the process rtableid in the sysctl if no
table was specified.
OK henning@
|
|
|
|
There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.
The libc portion will be removed after the ports hackathon.
djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.
|
|
fingerprinting on little endian systems work. People using the osfp
feature need to update /etc/pf.os or -current will be blocked.
OK deraadt@, jsg@, jsing@, millert@, sthen@
|
|
ok dlg
|
|
GRE message. But when npppd sends an ack-only GRE message, the message
will be only 12 bytes, so the m_pullup() will fail. Call m_pullup()
with the proper length.
|
|
sure if all protocols work.
|
|
OK djm@ claudio@ dlg@
|
|
ok claudio@ guenther@
|
|
|
|
|
|
|
|
ok deraadt@
|
|
We can use an IPv6 address as the outer header of L2TP.
Kernel ABI is changed. You must update npppd.
OK claudio@, yasuoka@, dlg@
|
|
OK deraadt@, millert@
|
|
reason to question himself by adding an XXX
|
|
hardcoding 0.
roughly almost a bit equivalent to what pf_test_rule does. changing the
rdomain for not reassembled fragments is not going to work ever, so the
full dance pf_test_rule does doesn't make sense here.
speaking of sense, I don't see anything remotely resembling sense in
pf filtering on fragments without reassembling them first.
with/ok claudio
|
|
pf_test_rule will have done it already, as the XXX comment by claudio
correctly noted almost a year ago.
pf_test6 (which is scarily different there) didn't have that at all.
|
|
/* XXX This does NOT affect pass rules! */
SLIST_FOREACH(ri, &s->match_rules, entry) {
...
delete that comment, entirely superfluous
|
|
pf_compare_state_keys will stay, we play safe.
|
|
|
|
ok henning@
|
|
behaviour consistent between IPv4 and IPv6.
From martin.pelikan@gmail.com
|
|
ok claudio@
|
|
instead of letting hardware rings grow on every interrupt, restrict
it so it can only grow once per softclock tick. we can only punish
the rings on softclock ticks, so it makes sense to only grow on
softclock tick boundaries too.
the rings are now punished after >1 lost softclock tick rather than
>2. mclgeti is now more aggressive at detecting livelock.
the rings get punished by an 8th, rather than by half.
we now allow the rings to be punished again even if the system is
already considered in livelock.
without this diff a livelocked system will have its rx ring sizes
scale up and down very rapidly, while holding the rings low for too
long. this affected throughput significantly.
discussed and tested heavily at j2k10. there are still some games
with softnet we can play, but this is a good first step.
"put it in" and ok deraadt@
ok claudio@ krw@ henning@ mcbride@
if we find out that it sucks we can pull it out again later. till then
we'll run with it and see how it goes.
|
|
"yup" deraadt@
|
|
and pipex. pppx(4) creates an interface whenever a session is created
so that altq and pf can work on these.
Started by dlg@ debugged and made usable by myself
OK dlg@ yasuoka@ deraadt@
|
|
RFC 4106 and 4543.
Please note that although IKEv1 and IKEv2 identifiers are
different for ESP_NULL_AUTH_AES-GMAC (SADB_X_EALG_AESGMAC),
we use the IKEv2 one only (which is 21). ipsecctl(8) will
be taught to handle exported SA correctly.
|
|
forces logging on all subsequent matching rules
real ok theo assumed oks ryan and dlg bikeshedding everyone in the room
implementation time ~ 1 minute
|
|
"Sure" deraadt@
|
|
else and an unneeded if (r)
|
|
From henning@, fixed pflog_bgpcopy crashes.
|
|
|
|
to struct pflog. ok gcc
|
|
address fields in the pflog header, same for ports, and add a "rewritten"
indicator. ok ryan dlg
|
|
pass or block rule, not the last matching rule. triggered by pr6401.
this means that, for example, a rdr-to on a pass rule can override an
rdr-to on a match rule that comes later in the ruleset. but that's the
semantics: for block and pass rules, the last matching one wins, aka
actions are applied after we're done with ruleset eval, and match rules'
actions are applied on the fly. discussion with dlg and claudio, ok dlg ryan
|
|
value is used in verbose "show rules" output as "states creations", but
match rules never create state. states_cur aka "States" is needed and
correct, match rules are being associated with states. ok ryan
|
|
- use rn_inithead0() instead of rn_inithead() to avoid failures on memory
shortage.
- delete a needless failure handling for malloc(,M_WAITOK) in
pipex_add_session().
pointed out by blambert@. ok hsuenaga@
|
|
as it is in the very same moment pf hits that match rule. really awesome
with multiple rdr-to and the like. ok dlg - ryan would ok it too if he was
here right now
|
|
protocols to EPFNOSUPPORT.
|
|
|
|
pflog was logging the "wrong" as in not yet rewritten (nat/rdr) addresses.
to address this without making an extra copy of the mbuf chain:
- introduce bpf_mtap_pflog, which is a 1:1 copy of bpf_mtap_hdr, except that
it supplies bpf_catchpacket with pflog_bpfcopy as copy function instead of
plain bcopy
- said new shiny pflog_bpfcopy knows what a pflog packet looks like, copies
everything into bpf's buffer, constructs a fake mbuf (which is allocated once
at attach time and reused over and over) which points to the bpf buffer
as data storage
- call pf_setup_pdesc on said fake mbuf
- then call pf_translate to rewrite the addresses as needed right in the
bpf buffer
this changes the pflog header as we have to pass the new addresses/ports
around. relies on canacar's awesome work in libpcap to work olrite with the
new, longer pflog header as well as with the old, shorter one.
almost completely written at c2k10 in canada, finished here at j2k10 in
japan. ok ryan dlg
|
|
and 0 if it didn't so we know whether we have to rewrite or not.
ok ryan dlg
and in just an hour from now on this might have reached cvs eventually
from njetwork challenged j2k10 in japan
|
|
information about the packet we're currently dealing with, into its own
function. ok ryan dlg and additional testing sthen
|
|
devices is a bad idea. The problem is that the default route per se works
but PMTU is unable to clone host routes because the gateway is unreachable.
Fix sppp(4) so that it walks the routing table and fixes the gateways.
This makes PMTU work again. Diff tested by weerd@ and markus@ (older version)
for a long time.
|
|
we can pass M_WAITOK to malloc(9) (which was already done a few lines
down, which set off my aesthetic alarm).
While here, include malloc.h, since we're calling malloc.
ok dlg@
|
|
information if the gateway changes, since real MPLS routes need to
change gateway and outgoing label on topology changes. So if there is
MPLS information and an outgoing label do a proper change but if the
gateway of a non-MPLS route is changed remove the MPLS path since it is
no longer valid.
OK michele@
|
|
ok claudio@
|