path: root/sys/net
Age  Commit message  Author
2003-03-13  Plug slow memory leak (radix_mask structure).  [Cedric Berger]
    tested on i386 by me and Daniel on macppc. ok dhartmei@ henning@
2003-03-11  forward 8021Q packets with vlan header if the destination interface has  [Markus Friedl]
    IFCAP_VLAN_MTU capability. allows forwarding of vlan traffic over bridge(4) since these packets are larger than the mtu; ok jason@
2003-03-11  Missing break, unintentional fall-through. Found by Kimmo Mösö.  [Daniel Hartmeier]
2003-03-09  tighten the TCP state code in relation to a FIN before any server responses  [Mike Frantzen]
    ok dhartmei@ henning@
2003-03-09  use MGETHDR instead of MGET for the first mbuf.  [Kenjiro Cho]
    altq expects struct pkthdr in a mbuf chain. this fixes a panic caused by uninitialized m_pkthdr.tags when altq is enabled on ppp. also, initialize m_pkthdr.len and m_pkthdr.rcvif as a caller of MGETHDR is supposed to do. report and test by matthieu@ ok deraadt@, henning@, dhartmei@
2003-03-05  Small fixes after code review, mostly on error path.  [Cedric Berger]
    ok dhartmei@ henning@ pb@
2003-03-04  (really) support user/group rules with 'inet6'  [Philipp Buehler]
    pointed out by hugh ok dhartmei@, henning@
2003-03-03  Make "pfctl -ss" output easier to parse. NO TRAFFIC -> NO_TRAFFIC.  [Cedric Berger]
    ok dhartmei@ henning@
2003-03-02  Use priority queue for TCP ACKs that have no payload. Very useful on  [Daniel Hartmeier]
    asymmetric links. ok henning@, cedric@
2003-02-28  splsoftnet() around rn_lookup() which is not thread-safe.  [Cedric Berger]
    ok dhartmei@ henning@
2003-02-27  make packet classification for altq work in the IPv6 case  [Henning Brauer]
    ok dhartmei@ cedric@ + "looks good" mcbride@
2003-02-27  Repair IPv6 support for tables.  [Cedric Berger]
    ok dhartmei@ henning@
2003-02-25  - Handle src and dst comparisons correctly for binat so that it works  [Ryan Thomas McBride]
    properly in _both_ directions.
    - Handle skip steps properly with binat. (since we're swapping around src and dst comparisons, we can't use them in all cases)
    fix from dhartmei@ ok dhartmei@ henning@ cedric@
2003-02-24  SADB_X_CALG_MAX is supposed to be the highest numbered supported algorithm  [Jason Wright]
    (prevents a crash in the debugging code in pfkeyv2_parsemessage.c)
2003-02-23  typo in export_auth; ok ho@  [Markus Friedl]
2003-02-21  Plug two mbuf leak on error bugs, one from dhartmei one from me.  [Jason Wright]
2003-02-18  Enforce min-ttl and random-id on inbound scrub as well as outbound.  [Camiel Dobbelaar]
    ok dhartmei@
2003-02-17  enqueue the copy that was just made, not the original (probably fixes  [Jason Wright]
    kernel/3097, waiting to hear).
2003-02-16  KNF  [Theo de Raadt]
2003-02-16  KNF  [Jason Wright]
2003-02-15  skeleton support for LZS compression  [Jason Wright]
2003-02-15  s/LSZ/LZS (consistent with linux and isakmpd *.cst)  [Jason Wright]
2003-02-12  Address the NFS problems recently discussed in various threads.  [Daniel Hartmeier]
    Change semantics of scrub option 'no-df' slightly: if the option is used, it now also applies to _fragments_ with IP_DF set, not just to complete packets. Hence, adding 'no-df' to 'scrub in all fragment reassemble' allows clearing IP_DF from fragments, so they don't get dropped but reassembled. This affects several UDP protocols that used PMTU discovery, mostly Linux' NFS implementation. In short, if you have 'scrub in all' now, you probably want to change that to 'scrub in all no-df', unless you want to drop fragments with IP_DF set (some people have good reasons to do the latter, hence the non-default option). ok frantzen@, henning@, cedric@
2003-02-12  Labels should be followed by statements (fix gcc3 warning).  [Henric Jungheim]
    ok cedric, jason, theo
2003-02-12  Remove commons; inspired by netbsd.  [Jason Wright]
2003-02-12  Make r.rpool.proxy_port[] a consistent byte order to match cleanup in  [Ryan Thomas McBride]
    pfctl. ok dhartmei@
2003-02-12  Fix a bunch of pf_route() bugs:  [Ryan Thomas McBride]
    - pass back a pointer to state created in pf_test_{tcp|udp|icmp|other}() so that pf_route()/pf_route6() can peek at it.
    - put the PACKET_TAG_PF_ROUTED tag onto the packets _before_ we call pf_test()/pf_test6() again to prevent looping.
    - Call pf_test6() in pf_route6() instead of pf_test() for obvious reasons.
    ok dhartmei@
2003-02-09  Slightly less noisy debug printf from pf_map_addr(), ok mcbride@  [Daniel Hartmeier]
2003-02-08  Add scrub option 'random-id', which replaces IP IDs with random values  [Daniel Hartmeier]
    for outgoing packets that are not fragmented (after reassembly), to compensate for predictable IDs generated by some hosts, and defeat fingerprinting and NAT detection as described in the Bellovin paper http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@
2003-02-05  Remove the confusing and more-or-less unnecessary temporary  [Ryan Thomas McBride]
    struct pf_pooladdr *cur. It was being used incorrectly in the round-robin case, which meant that the previous address was being selected, rather than the real current one. ok dhartmei@
2003-02-01  Make it build without INET6 again.  [Daniel Hartmeier]
2003-02-01  from Chris Pascoe <c.pascoe@itee.uq.edu.au>:  [Chris Cappuccio]
    Fix multicast bug; internal multicast members' list was not initialized correctly. Also, begin to make vlan less ether specific - TR and FDDI could also be supported.
2003-01-31  The fix introduced with 1.294 to solve issues with route-to in  [Daniel Hartmeier]
    combination with translations was too broad and broke some more complex setups (creating two states for one connection on two interfaces, using modulate state for each, and additionally using route-to/reply-to on one of them), so narrow it to the cases where it's needed. Reported by henric@.
2003-01-31  Check protocol (TCP/UDP/ICMP/ICMP6) checksums of all incoming packets,  [Daniel Hartmeier]
    and drop packets with invalid checksums. Without such a check, pf would return RST/ICMP errors even for packets with invalid checksums, which could be used to detect the presence of the firewall, reported by "Ed White" in http://www.phrack.org/phrack/60/p60-0x0c.txt. To minimize the cost of checksum calculations, mbuf flags set by network interfaces capable of hardware checksumming are honoured, and set when pf performs the calculation, so the TCP/IP stack itself will not repeat the calculation for the same packet later on. ok mcbride@ and henning@
2003-01-31  Send a RST when an invalid packet matches a TCP state during the  [Daniel Hartmeier]
    handshake. Solves the issues with the "ACK+1000000 cookie scheme", which depends on RFC 763 (p39, Reset Generation, 2. non-synchronized state, "reset is sent"). ok henning@, camield@ and (I guess ;) frantzen@
2003-01-25  Fix the behaviour of rdr rules which redirect to a range of ports;  [Ryan Thomas McBride]
    Stop overloading PF_OP_RRG as a flag where it doesn't make sense, and make the port mapping more flexible, allowing mapping a destination port range of one size to another of a different size. Fixes and additional testing courtesy of dhartmei@ ok dhartmei@
2003-01-25  Fix a bug that potentially caused fragments to be dropped when the  [Daniel Hartmeier]
    overlap calculation got negative. Found by Baruch Even. ok henning@
2003-01-24  Sigh, pf_pull_hdr (aka pf_pull_hair) doesn't do an m_pullup, it merely  [Daniel Hartmeier]
    copies the data to the specified buffer. So, for TCP options, provide a sufficiently large buffer and copy to there.
2003-01-24  Move the mbuf pullup for TCP options to the beginning of TCP handling,  [Daniel Hartmeier]
    doing it later can invalidate pointers to mbuf data. This fixes subtle breakage just introduced (with 1.306).
2003-01-24  Fix wscale support, the first version didn't really work right.  [Daniel Hartmeier]
    Interestingly, our own stack uses wscale 1 quite regularly, and I now suspect that this is what caused most of the state failures I've seen. They were quite rare, but with working wscale support, they are reduced even more. ok henning@
2003-01-23  Fix a bug where the kernel crashes when translating IPv6 ICMP packets.  [Daniel Hartmeier]
    This only happens when using nat/rdr/binat on IPv6 connections, which hasn't been used before, obviously. But it does work now. Reported and confirmed by evilted@efnet, ok mcbride@
2003-01-21  Support for TCP window scaling (RFC 1323). ok frantzen@  [Daniel Hartmeier]
2003-01-20  It's difficult to create a table by changing its flags.  [Cedric Berger]
2003-01-20  just for safety. from http://templeofhate.com/tglaser/pub/obsd.diff  [Jun-ichiro itojun Hagino]
2003-01-19  format string fixes  [Henning Brauer]
    inspired by Thorsten Glaser via fries@ ok theo
2003-01-18  Argh! KNF.  [Ryan Thomas McBride]
    pointed out in advance by dhartmei@
2003-01-18  Make nat behave the way it used to by copying back the random source port  [Ryan Thomas McBride]
    correctly. Also remove some extra cruft in pf_get_sport related to the "static-port" behaviour. bug report from mpech@ and form@ testing cedric@ "looks sane to me" henning@ ok dhartmei@
2003-01-17  typo: bandwith -> bandwidth  [Camiel Dobbelaar]
2003-01-15  Fix another buglet with inactive sets.  [Cedric Berger]
    table <foo> { 1.2.3.4 1.2.3.4 1.2.3.4 } Was causing the kernel to become noisy. Now duplicates are silently rejected.
2003-01-15  Fix a buglet when one "creates" a table which is already in the  [Cedric Berger]
    referenced or inactive set. Flags were not updated correctly. Tested on i386, sparc64. More regression tests coming.