Age | Commit message | Author |
|
"tagged X" rule), and only get it when we really need it. simplifies code too.
ok dhartmei@ pb@
|
|
In the SYN proxy, generate ACKs with proper window sizes after the
handshakes.
|
|
|
|
the rule. Fixes rdr with address pools using bitmask and source-hash
address selection methods.
ok dhartmei@ henning@
|
|
ok dhartmei@ pb@
|
|
without causing EHOSTUNREACH to be delivered to local sockets, so it works
for outgoing connections originating on the same host. ok frantzen@
|
|
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive endpoint,
preventing spoofed SYN floods from reaching the passive endpoint.
No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.
ok frantzen@
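An added illustration of the synproxy flow this commit describes, not pf's own code: a minimal C model of one proxied TCP connection. The proxy completes the handshake with the client using an ISN the caller supplies (random in the real thing), sends the SYN to the server only after the client's ACK proves it saw the SYN/ACK, and from then on shifts sequence and acknowledgement numbers by the difference between its own ISN and the server's, which is what the existing sequence number modulators do. All names (struct synproxy, sp_run, ...) are assumptions for the example; the segments are constructed and carry only the header fields the logic needs.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The few TCP header fields the model needs (constructed, not a real header). */
struct tcp_seg {
	uint32_t seq, ack;
	bool syn, ackflag;
};

enum sp_state { SP_WAIT_CLIENT_SYN, SP_WAIT_CLIENT_ACK,
    SP_WAIT_SERVER_SYNACK, SP_ESTABLISHED };

struct synproxy {
	enum sp_state state;
	uint32_t client_isn, proxy_isn, server_isn;
	uint32_t seqdiff;	/* proxy_isn - server_isn (mod 2^32): the modulator */
};

/* Client SYN: answer with a SYN/ACK carrying the proxy's own ISN. The
 * server hears nothing yet, so a spoofed SYN costs it nothing. */
static bool
sp_client_syn(struct synproxy *sp, const struct tcp_seg *in,
    uint32_t proxy_isn, struct tcp_seg *out)
{
	if (sp->state != SP_WAIT_CLIENT_SYN || !in->syn || in->ackflag)
		return false;
	sp->client_isn = in->seq;
	sp->proxy_isn = proxy_isn;
	*out = (struct tcp_seg){ .seq = proxy_isn, .ack = in->seq + 1,
	    .syn = true, .ackflag = true };
	sp->state = SP_WAIT_CLIENT_ACK;
	return true;
}

/* Client ACK: only a peer that received the SYN/ACK knows proxy_isn + 1.
 * Once it checks out, send the server a SYN reusing the client's ISN, so
 * client->server sequence numbers never need rewriting. */
static bool
sp_client_ack(struct synproxy *sp, const struct tcp_seg *in, struct tcp_seg *out)
{
	if (sp->state != SP_WAIT_CLIENT_ACK || in->syn || !in->ackflag)
		return false;
	if (in->ack != sp->proxy_isn + 1)
		return false;	/* stale or spoofed: drop it, keep waiting */
	*out = (struct tcp_seg){ .seq = sp->client_isn, .syn = true };
	sp->state = SP_WAIT_SERVER_SYNACK;
	return true;
}

/* Server SYN/ACK: its ISN differs from the one the client was given, so
 * record the difference as the modulator, then finish the handshake. */
static bool
sp_server_synack(struct synproxy *sp, const struct tcp_seg *in, struct tcp_seg *out)
{
	if (sp->state != SP_WAIT_SERVER_SYNACK || !in->syn || !in->ackflag ||
	    in->ack != sp->client_isn + 1)
		return false;
	sp->server_isn = in->seq;
	sp->seqdiff = sp->proxy_isn - sp->server_isn;
	*out = (struct tcp_seg){ .seq = sp->client_isn + 1, .ack = in->seq + 1,
	    .ackflag = true };
	sp->state = SP_ESTABLISHED;
	return true;
}

/* Steady state: server->client seq shifted up, client->server ack shifted
 * down by the same modulator; unsigned arithmetic handles 32-bit wraparound. */
static void sp_to_client(const struct synproxy *sp, struct tcp_seg *s) { s->seq += sp->seqdiff; }
static void sp_to_server(const struct synproxy *sp, struct tcp_seg *s) { s->ack -= sp->seqdiff; }

struct sp_result { bool established; uint32_t seq_at_client, ack_at_server; };

/* Drive one connection through the proxy. The client's handshake ACK carries
 * `client_ack` (a real client sends proxy_isn + 1). Once established, the
 * server's first data segment (seq server_isn + 1) and the client's first
 * ACK (proxy_isn + 1) are run through the modulator. */
struct sp_result
sp_run(uint32_t client_isn, uint32_t proxy_isn, uint32_t server_isn, uint32_t client_ack)
{
	struct synproxy sp = { .state = SP_WAIT_CLIENT_SYN };
	struct sp_result r = { 0 };
	struct tcp_seg seg, out;

	seg = (struct tcp_seg){ .seq = client_isn, .syn = true };
	if (!sp_client_syn(&sp, &seg, proxy_isn, &out))
		return r;
	seg = (struct tcp_seg){ .seq = client_isn + 1, .ack = client_ack, .ackflag = true };
	if (!sp_client_ack(&sp, &seg, &out))
		return r;	/* spoofed source: server was never contacted */
	seg = (struct tcp_seg){ .seq = server_isn, .ack = out.seq + 1, .syn = true, .ackflag = true };
	if (!sp_server_synack(&sp, &seg, &out))
		return r;
	r.established = true;

	seg = (struct tcp_seg){ .seq = server_isn + 1, .ack = client_isn + 1, .ackflag = true };
	sp_to_client(&sp, &seg);
	r.seq_at_client = seg.seq;
	seg = (struct tcp_seg){ .seq = client_isn + 1, .ack = proxy_isn + 1, .ackflag = true };
	sp_to_server(&sp, &seg);
	r.ack_at_server = seg.ack;
	return r;
}

int
main(void)
{
	struct sp_result r = sp_run(1000, 5000, 9000, 5001);
	printf("established=%d seq_at_client=%u ack_at_server=%u\n",
	    r.established, r.seq_at_client, r.ack_at_server);
	return 0;
}
```

With constructed ISNs 1000 (client), 5000 (proxy) and 9000 (server), the server's first data byte at seq 9001 reaches the client as 5001, and the client's ACK of 5001 reaches the server as 9001; an ACK that does not match proxy_isn + 1 never causes a SYN to the server.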
|
|
remote uptime determination
- scrub modifier "reassemble tcp" turns on stateful TCP normalizations
ok henning@ dhartmei@
|
|
idea from theo.
to speed that up the real mbuf tag is not written until we hit the last match
but an internal variable is used to track the tag.
this can be used to split classification and policy enforcement, for example.
and much much much more...
ok dhartmei@ frantzen@
|
|
|
|
With this change, the log header format also changes.
The new log format is extensible and allows logging
of the originating anchor and ruleset information.
ok henning@ dhartmei@ frantzen@
|
|
ok dhartmei@ frantzen@
|
|
deraadt ok
|
|
ok henning@
|
|
those tags later on.
ok dhartmei@ pb@ mcbride@ frantzen@
|
|
to some developers, but include files are not just used by the kernel.
there are applications that pull them in as well. this change broke
tcpdump, and who knows what else. I've been talking for 24 hours now
about tree breakage and let this be official: I am prepared to lock the
tree entirely if need be. YOU WILL GET OK PERMISSION FROM EVERYONE, NOT
JUST FROM ONE PERSON
|
|
(FDDI, ieee1394, ...). follows netbsd practice.
2 jasons, dhartmei, thierry ok
|
|
|
|
|
|
initial maximum window by the scaling factor. otherwise our view of the
allowable sequence window is too big. back out the scaling factor adjustment
from the max window if the other endpoint rejects window scaling
- window scale the forward ACK skew check
ok dhartmei@
|
|
|
|
first. The least significant portions of the IPv6 address are more
likely to differ than the more significant ones, since in most
situations half the addresses (either the source or the destination)
will be in the local subnet.
ok dhartmei@ henning@
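An added example, not pf's code, of the comparison order this commit describes: two IPv6 addresses compared 32 bits at a time starting from the least significant word, with a counter showing how many words a comparison had to inspect before deciding. The ordering only has to be consistent (it keys a lookup structure), not numeric, so the network-order words are compared as they sit in memory. The sample addresses are constructed and the function names are assumptions.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* An IPv6 address as four 32-bit words in memory order; w[0] holds the
 * most significant bits (the prefix), w[3] the interface identifier tail. */
struct addr6w { uint32_t w[4]; };

static int
parse6(const char *s, struct addr6w *a)
{
	struct in6_addr in6;

	if (inet_pton(AF_INET6, s, &in6) != 1)
		return -1;
	memcpy(a->w, &in6, sizeof(a->w));
	return 0;
}

/* Compare word by word, starting at the least or most significant end.
 * Returns -1/0/1 and stores in *examined how many words were looked at. */
static int
cmp_words(const struct addr6w *a, const struct addr6w *b, int lsb_first,
    int *examined)
{
	int i, step = lsb_first ? -1 : 1, n = 0;

	for (i = lsb_first ? 3 : 0; i >= 0 && i < 4; i += step) {
		n++;
		if (a->w[i] != b->w[i]) {
			*examined = n;
			return a->w[i] < b->w[i] ? -1 : 1;
		}
	}
	*examined = n;
	return 0;
}

/* Textual front end: -1/0/1 as above, -2 if either address does not parse. */
int
addr6_cmp(const char *a, const char *b, int lsb_first)
{
	struct addr6w x, y;
	int n;

	if (parse6(a, &x) || parse6(b, &y))
		return -2;
	return cmp_words(&x, &y, lsb_first, &n);
}

/* How many 32-bit words the comparison had to inspect; -1 on parse error. */
int
addr6_words_examined(const char *a, const char *b, int lsb_first)
{
	struct addr6w x, y;
	int n;

	if (parse6(a, &x) || parse6(b, &y))
		return -1;
	(void)cmp_words(&x, &y, lsb_first, &n);
	return n;
}

int
main(void)
{
	/* constructed: two hosts in the same /64, the common case on a firewall */
	const char *a = "2001:db8:1:2::10", *b = "2001:db8:1:2::20";

	printf("lsb first: %d words, msb first: %d words\n",
	    addr6_words_examined(a, b, 1), addr6_words_examined(a, b, 0));
	return 0;
}
```

For two hosts on the same /64 the least-significant-first order decides after one word where the most-significant-first order needs all four; the cost only moves to the rare case of addresses that differ in their prefix.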
|
|
ok henning@ frantzen@
|
|
number of state table entries grows, so entries time out faster before
the table fills up. Works both globally and per-rule. ok frantzen@
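An added example, not pf's implementation, of the scaling this commit describes: a base timeout shrinks linearly once the number of states passes a start threshold and reaches zero at an end threshold, with a per-rule scope that, when configured, scales by the rule's own state count instead of the global one. All names are assumptions, and the 86400-second base with 6000/12000 thresholds is constructed sample input.

```c
#include <stdint.h>
#include <stdio.h>

/* Effective timeout for a state when its scope holds `states` entries.
 * Up to `start` the base timeout applies unchanged; between `start` and
 * `end` it shrinks linearly; at or above `end` it is zero, so states
 * expire immediately. end == 0 or start >= end disables scaling. */
uint32_t
scaled_timeout(uint32_t base, uint32_t states, uint32_t start, uint32_t end)
{
	if (end == 0 || start >= end || states <= start)
		return base;
	if (states >= end)
		return 0;
	/* 64-bit intermediate: base * remaining does not fit in 32 bits */
	return (uint32_t)((uint64_t)base * (end - states) / (end - start));
}

struct adaptive_scope {
	uint32_t states;	/* entries currently counted in this scope */
	uint32_t start, end;	/* thresholds; end == 0 means "not configured" */
};

/* A rule with its own adaptive settings is scaled by its own state
 * count; otherwise the global count and thresholds apply. */
uint32_t
effective_timeout(uint32_t base, const struct adaptive_scope *global,
    const struct adaptive_scope *rule)
{
	if (rule != NULL && rule->end != 0)
		return scaled_timeout(base, rule->states, rule->start, rule->end);
	return scaled_timeout(base, global->states, global->start, global->end);
}

/* Scalar front end for effective_timeout: pass rend == 0 to mean the
 * rule has no adaptive settings of its own. */
uint32_t
timeout_for(uint32_t base, uint32_t gstates, uint32_t gstart, uint32_t gend,
    uint32_t rstates, uint32_t rstart, uint32_t rend)
{
	struct adaptive_scope g = { gstates, gstart, gend };
	struct adaptive_scope r = { rstates, rstart, rend };

	return effective_timeout(base, &g, &r);
}

int
main(void)
{
	uint32_t states;

	/* constructed: 24h established timeout, scaling between 6000 and 12000 states */
	for (states = 0; states <= 14000; states += 2000)
		printf("%5u states -> %6u s\n", states,
		    scaled_timeout(86400, states, 6000, 12000));
	return 0;
}
```

With these constructed thresholds a 24-hour timeout is still 24 hours at 6000 states, 12 hours at 9000 and 4 hours at 11000; at 12000 and beyond the state is reaped on the next pass, which is what keeps a table from sitting full while an attacker keeps it topped up.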
|
|
|
|
|
|
each side of the TCP connection and prevent it from being reduced
ok pb@ dhartmei@
|
|
8 bytes, but the former is more appropriate. ok frantzen@
|
|
instead of just dropping them. ok frantzen@, henning@, pb@
|
|
stock OpenBSD stack returns 'protocol unreachable'.
ok frantzen@, henning@, pb@
|
|
ok frantzen@, henning@, pb@
|
|
other than TCP, UDP and ICMP (for instance GRE).
Reported by Gunnar Helliesen. ok henning@
|
|
|
|
|
|
dhartmei ok
|
|
|
|
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@
|
|
Prepare for anchors, improve robustness.
WARNING: need to sync kernel/userland.
ok dhartmei@
|
|
ports outside that range could be used with a probability inversely
proportional to the size of the specified range (occurred often with
very small, rarely with larger ranges).
Reported by Gopakumar Pillai, ok henning@
|
|
|
|
tun with ipv6 only to actually send/recv packets. itojun "looks ok to me"
(after helping correct several iterations =)
|
|
-DIOCCHANGERULE (just the affected rule)
-DIOCCOMMITRULES (all filter rules that get committed - one anchor or main rs)
-DIOCCOMMITALTQS (all filter rules, main set plus all anchors)
This fixes a whole bunch of issues.
previously, this was done in userland at load time. This worked fine for the
usual case, full ruleset load. It did not work inside anchors, as the queue
name <-> queue ID mapping is unknown there. Also, if the queue definitions
were changed without reloading the rules too (pfctl -A), the queue IDs on
the rules were not updated.
The three ioctls mentioned above are all entry points where the mapping is
touched.
Helpful discussion with dhartmei@ and cedric@ helped verify that my approach
for this fix was right.
ok dhartmei@ cedric@
|
|
|
|
so states created by rules in anchors correctly use rule options like
routing and (soon) queues...
Rule number bumped to 32 bit value.
USERLAND NEEDS TO BE RECOMPILED.
ok dhartmei@ henning@
|
|
|
|
implicit "pass all" first rule match and remove all "r == NULL"
tests which are now useless.
ok dhartmei@
|
|
field of a new pf_default_rule structure.
ok dhartmei@
|
|
ok dhartmei@
|
|
|
|
States can still be created without a rule for people who have only
NAT rules, for example.
|