path: root/sys/net
Age         Commit message  (Author)

2003-12-15  sc_sp is a #define on some architectures, use a different name  (Theo de Raadt)

2003-12-15  ryan left a few for me ;-)  (Henning Brauer)

2003-12-15  Fix whitespace screwups before henning wakes up.  (Ryan Thomas McBride)

2003-12-15  Add initial support for pf state synchronization over the network.  (Ryan Thomas McBride)

    Implemented as an in-kernel multicast IP protocol. Turn it on like this:

        # ifconfig pfsync0 up syncif fxp0

    There is not yet any authentication on this protocol, so the syncif must be
    on a trusted network, i.e. a crossover cable between the two firewalls.

    NOTABLE CHANGES:
    - A new index based on a unique (creatorid, stateid) tuple has been added
      to the state tree.
    - Updates now appear on the pfsync(4) interface; multiple updates may be
      compressed into a single update.
    - Applications which use bpf on pfsync(4) will need modification; packets
      on pfsync no longer contain regular pf_state structs, but pfsync_state
      structs which contain no pointers.

    Much more to come.

    ok deraadt@

2003-12-15  Add support to track stateful connections by source IP.  (Ryan Thomas McBride)

    This allows us to:
    - Ensure that clients get a consistent IP mapping with load-balanced
      translation/routing rules
    - Limit the number of simultaneous connections a client can make
    - Limit the number of clients which can connect through a rule

    ok dhartmei@ deraadt@

2003-12-13  initial support ifconfig destroy; ok deraadt@  (Markus Friedl)

2003-12-12  Move PF interface code to new net/pf_if.c  (Cedric Berger)

    Expect improvements in this area soon.

    ok dhartmei@ mcbride@

2003-12-12  small compiler warning cleanup (#error instead of bailing out)  (Hans-Joerg Hoexer)

    ok henning@ grange@

2003-12-11  Fix PR3587 and other related problems with NAT and table stats.  (Cedric Berger)

    PPL that have that problem and cannot upgrade to -current could just
    comment out the assertion in pfr_update_stats().

    ok dhartmei@ henning@

2003-12-10  de-register. deraadt ok  (Jun-ichiro itojun Hagino)

2003-12-10  use if_indexlim (instead of if_index) and ifindex2ifnet[x] != NULL  (Jun-ichiro itojun Hagino)

    to check if interface exists, as (1) if_index will have different meaning
    (2) ifindex2ifnet could become NULL when interface gets destroyed, when we
    introduce dynamically-created interfaces.

    markus ok

2003-12-08  ip_output expects network byte order; report Bob Kitella; ok deraadt  (Markus Friedl)

2003-12-08  add IOCIFGCLONERS; ifconfig -C; from netbsd; ok henning, deraadt  (Markus Friedl)

2003-12-08  Mbuf tag tcp and udp packets which are translated to localhost, and  (Ryan Thomas McBride)

    use the presence of this tag to reverse the match order in
    in{6}_pcblookup_listen().

    Some daemons (such as portmap) do a double bind, binding to both * and
    localhost in order to differentiate local from non-local connections, and
    potentially granting more privilege to local ones. This change ensures
    that redirected connections to localhost do not appear local to such a
    daemon.

    Bulk of changes from dhartmei@, some changes markus@

    ok dhartmei@ deraadt@

2003-12-07  support ifconfig create; ok deraadt  (Markus Friedl)

2003-12-06  u_int8_t variable can't be > 255; pointed out by Mr. GCC3.  (Alexander Yurchenko)

    ok millert@

2003-12-06  support destroy; ok henning  (Markus Friedl)

2003-12-03  add support for ifconfig clone/destroy; ok henning deraadt  (Markus Friedl)

2003-12-03  add support for ifconfig clone/destroy; ok henning deraadt  (Markus Friedl)

2003-12-03  add support for ifconfig clone/destroy; ok henning deraadt  (Markus Friedl)

2003-12-03  support for network interface "cloning", e.g. gif(4) via ifconfig(8)  (Markus Friedl)

2003-12-03  protect against if_index wrap; similar to what netbsd does; ok henning deraadt  (Markus Friedl)

2003-12-02  UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)  (Markus Friedl)

    ok deraadt@

2003-12-02  add kq support from wayne@epipe.com.au and cmaxwell@themanor.net (now that regress test is there too)  (Michael Shalayeff)

2003-11-28  More pf stats fixups:  (Ryan Thomas McBride)

    - Don't double count icmp packets.
    - We only want to increment rule and state counters if we're passing the
      packet, unless it's a 'drop' rule.

    ok dhartmei@ henning@

2003-11-21  Remove redundant arguments to pf_sockaddr_lookup(); proto and af are already  (Ryan Thomas McBride)

    included in pd.

    ok dhartmei@ henning@

2003-11-21  Remove unused "ipoff" arguments.  (Ryan Thomas McBride)

    ok dhartmei@ henning@

2003-11-16  pf_test() and pf_test6() consistency:  (Ryan Thomas McBride)

    - Fix anchor accounting for IPv4 TCP and all IPv6 protocols.
    - Make stateful connections work for generic protocols on IPv6.

    ok henning@ dhartmei@

2003-11-16  convert __attribute__((__packed__)) to __packed so that parsers unaware  (Anil Madhavapeddy)

    of gcc extensions have more of a chance.

    ok mcbride@, no objections from millert@, deraadt@

2003-11-09  remove stale forward declaration  (Daniel Hartmeier)

2003-11-08  Return proper anchor rule number in correct byte order.  (Daniel Hartmeier)

    From Pyun YongHyeon.

    ok henning@, canacar@

2003-11-08  Add 'no-sync' state option to prevent state transition messages for states  (Ryan Thomas McBride)

    created by this rule from appearing on the pfsync(4) interface.

    e.g.

        pass in proto tcp to self flags S/SA keep state (no-sync)

    ok cedric@ henning@ dhartmei@

2003-11-07  adress -> address, and a few more; all from Jonathon Gray;  (Jason McIntyre)

    (mvme68k/mvme88k) vs.c and (vax) if_le.c ok miod@
    isakmpd ones ok ho@

2003-11-06  move netisr definition into md code to allow arch provide suitable allocation; tested on most archs  (Michael Shalayeff)

2003-11-04  add in(6)_pcblookup_listen() and replace all calls to in_pcblookup()  (Markus Friedl)

    with either in(6)_pcbhashlookup() or in(6)_pcblookup_listen();
    in_pcblookup is now only used by bind(2); speeds up pcb lookup for
    listening sockets; from Claudio Jeker

2003-11-03  pf_route() can change output NIC, so we need to check its capabilities.  (Cedric Berger)

    good candidate for 3.X errata.

    ok dhartmei@ henning@ mcbride@

2003-11-02  Don't zero the debug level when we enable pf.  (Ryan Thomas McBride)

    ok henning@ dhartmei@

2003-10-31  Remove remnants of pf_tree stuff that I missed.  (Ryan Thomas McBride)

2003-10-29  fix binat for incoming connections when a netblock (not just a single  (Daniel Hartmeier)

    address) is used for source in the binat rule. closes PR 3535, reported
    by Karl O.Pinc.

    ok henning@, cedric@

2003-10-25  Build state search indexes directly on pf_state instead of pf_tree_node.  (Ryan Thomas McBride)

    This saves more than 30% memory on state entries, and simplifies the
    state insertion and removal code as well.

    NOTE: This changes the pf API; userland tools must be updated to match.

    ok henning@ dhartmei@

2003-10-25  "goto bad" on error with carp_input, instead of simply returning.  (Ryan Thomas McBride)

    Fixes leakage of mbufs on error. Pointed out by Max Laier.

2003-10-24  Fix write filter blocking when no filter was set. Fixes  (Can Erkin Acar)

    problems with dhcp.

    ok frantzen@ krw@ deraadt@

2003-10-22  Add locking and write filtering to bpf descriptors.  (Can Erkin Acar)

    Locking prevents dangerous ioctls such as changing the interface and
    sending signals to be executed by an unprivileged process. A filter can
    also be applied to packets injected through a bpf descriptor. These
    features allow programs using bpf descriptors to safely drop/separate
    privileges.

    ok frantzen@ henning@ mcbride@

2003-10-20  tyop  (Jason Wright)

2003-10-19  Add missing "#ifdef ALTQ"'s in the ioctl transactions code.  (Ryan Thomas McBride)

    Allows non-ALTQ kernel compile. Pointed out by tedu@

    ok itojun@, "works here" tedu@

2003-10-19  more typos  (David Krause)

2003-10-17  Common Address Redundancy Protocol  (Ryan Thomas McBride)

    Allows multiple hosts to share an IP address, providing high availability
    and load balancing.

    Based on code by mickey@, with additional help from markus@ and
    Marco_Pfatschbacher@genua.de

    ok deraadt@

2003-10-10  make sure pd is initialized before use (or byte counters may increase  (Daniel Hartmeier)

    by random values).

    ok mcbride@, cedric@, henning@

2003-10-08  obviously i'm on drugs, revert  (Henning Brauer)

2003-10-08  missing DIOCX* in the securelevel > 1 case  (Henning Brauer)