Age | Commit message (Collapse) | Author |
that allows us to get rid of the "tagid" global which stored the highest
tag ID in use.
when allocating a new ID scan the list for a free slot and only use
highest + 1 on failure instead of using highest + 1 from the beginning
scanning for a dup afterwards. this prevents ID space fragmentation better.
as a result this allows us to get rid of the pf_tag_purge() function
completely and let pf_tag_unref() remove an entry once the reference
counter reaches zero by itself.
after all it makes for easier code and is about 50% faster.
idea came up during a discussion on icb earlier today between cedric and
myself, which itself was particularly inspired by Darren Reed questioning the
need for pf_tag_purge on tech-net@netbsd.
ok dhartmei@ cedric@
from Jason Ackley, ok henning@, cedric@
cedric made me check
- length, jumbo payload option
- TTL ("hoplimit" in IPv6 terminology) rewrite
noticed by and ok cedric@
are still states for the given rule existent.
based on a very nice analysis from cedric@, that is so completely right that
I have nothing to add:
in pf_rm_rule(), the pf_tag_unref() calls are done *before*
the if (rule->states > 0 || rule->entries.tqe_prev != NULL) test.
That means that the two pf_tag_unref() calls could occur *twice*
for a given rule: first when the rule is removed from the ruleset
and (if the rule was kept around because of a state) a second
time when the state refcount drops to zero and the rule gets
really deleted. Unless I'm mistaken, that breaks the refcounting.
...and cedric was not mistaken.
and, as daniel pointed out:
The breakage this causes is so subtle, I doubt anyone noticed it before, if it
did occur.
consensus on this between cedric, dhartmei and myself
on bridge rule load translate tagnames to pf tags using pf_tagname2tag etc
if packets match a bridge filter rule tag them using pf_tag_packet() with
the given tag
help dhartmei@
ok deraadt@ jason@ dhartmei@
from KOZUKA Masahiro <ma-kun@kozuka.jp> with a minor adjustment from itojun
ok itojun@ dhartmei@
without it "route change X" would change less-specific route by mistake.
reported by jinmei@kame, markus ok
This might just be a temporary fix, we're still looking for a better one.
ok dhartmei@
traffic reporting w/ pfsync; ok dhartmei@
Note: ABI change (new fields in struct pf_state), requires a rebuild of
pfctl and tcpdump.
the server's MSS is guessed based on the routing table and interface MTU.
Fine patch entirely from Krists Krilovs <pow@pow.za.net>, ok frantzen@
Note: ABI change (new field in struct pf_state), requires a pfctl rebuild
(and tcpdump for pfsync).
addresses. ok mcbride@, cedric@
to userland instead.
fixes PRs 2235, 2236 and 2640
from Otto Moerbeek <otto@drijf.net>
ok frantzen@, tedu@, deraadt@
comparing ackskew, otherwise legitimate low acks can get blocked. Was
triggered when asymmetric scale factors were used in combination with
SACK. Report and logs provided by Peter Galbavy. ok frantzen@, henning@
ifq_head, to make altq work. prevents programs from spinning in non-blocking
select()/read() loops in case of queues hitting their limits.
This makes queueing on tun interfaces work. while it is still advised to
assign packets to queues on tunX and queue on the physical interface in
generic, this doesn't work in the PPPoE case with the userland pppoe process,
there the mbuf tags with the queue IDs don't survive obviously.
based on diff from Trevor Talbot, tested successfully by a lot of people
on the pf@benzedrine.cx list.
ok pb@ kjc@
rules create state. Truly hard to spot. Unless you run the code, of course.
- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()
NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.
The following two pfctl functions work with an "-a" option:
- pfctl [-a foo[:bar]] -sT
- pfctl [-a foo[:bar]] -FT
ok dhartmei@
pf_tagname2tag, pf_tag2tagname, pf_tag_unref, pf_tag_packet
rescinded 22 July 1999. Proofed by myself and Theo.
o check timeout for negative values and overflow
ok tedu@ jason@
"tagged X" rule), and only get it when we really need it. simplifies code too.
ok dhartmei@ pb@
In the SYN proxy, generate ACKs with proper window sizes after the
handshakes.
the rule. Fixes rdr with address pools using bitmask and source-hash
address selection methods.
ok dhartmei@ henning@
ok dhartmei@ pb@
without causing EHOSTUNREACH to be delivered to local sockets, so it works
for outgoing connections originating on the same host. ok frantzen@
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive endpoint,
preventing spoofed SYN floods from reaching the passive endpoint.
No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.
ok frantzen@
remote uptime determination
- scrub modifier "reassemble tcp" turns on stateful TCP normalizations
ok henning@ dhartmei@
idea from theo.
to speed that up the real mbuf tag is not written until we hit the last match
but an internal variable is used to track the tag.
this can be used to split classification and policy enforcement, for example.
and much much much more...
ok dhartmei@ frantzen@
With this change, the log header format also changes.
The new log format is extendible and allows logging
of the originating anchor and ruleset information.
ok henning@ dhartmei@ frantzen@
ok dhartmei@ frantzen@
deraadt ok
ok henning@
those tags later on.
ok dhartmei@ pb@ mcbride@ frantzen@