Age | Commit message | Author

route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do. reuse some kernel bits for the upcoming nat64
stuff. "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.

instead of coming at it sideways to detect failure.
ok claudio@

we don't need 7 f***ing copies of the same code to do the protocol checksums
(or not, depending on hw capabilities). claudio ok

leads to corrupted memory; backout to await a better fix

of the gre(4) tunnel. Instead just use a RT_NOCLONING route lookup
and be done with it. Makes gre(4) work between systems in the same
LAN. This diff was long enough on tech@ and nobody complained.

decision here too, just like in ip_output, pointless.

in all output paths anyway.
even worse than in the rest of pf, here we ran circles to update the ip
cksum every time we flip a tiny bit in the header...
pretty sure dlg claudio ok'd it and it is damn obvious anyway

malloc/bcopy/free, the way He Who Must Not Be Named intended.
"yes please" claudio@

recalculated in all output paths anyway (why did it take us 10 years to
notice?). ok claudio definite ok dlg

checksum. turned out it always recalculates it as long as your kernel does
have pf compiled in, as in, always, since compilation of GENERIC without
pf explodes in about a hundred ways.
so rename bridge_filter -> bridge_ip and always compile it, pf or not,
just make the pf_test calls #if NPF, and sync the ip fuckery code with
ip_output. as a bonus this lets us use the checksum offloading to the NIC
if it is capable of that.
ok claudio dlg sthen

a desync to be appended when the socket buffer becomes full, rather than
continually retrying until space becomes available (which may be never).
ok claudio@

was done earlier for routing sockets.
ok claudio@

session id.
ok claudio@ yasuoka@ as part of a larger diff
code from jonathan matthew

it is immediately functional.
ok claudio@ yasuoka@ as part of a larger diff
code by jonathan matthew

to the kernel.
ok yasuoka@ claudio@ as part of a larger diff

ok claudio@

to establish cross rdomain proxy sessions.
OK henning@, mpf@

the packets with the same maximum size. This allows the sender to
determine the optimal fragment size by Path MTU Discovery.
testing sthen@ matthieu@
ok claudio@

reassembly code. This makes it possible to reuse them for IPv6.
ok claudio@

ok dlg@
tested by jono

patch from Gleydson Soares
ok dlg@

ok deraadt

to make it reusable by pf fragment reassembly. No functional change.
discussed with henning@, claudio@, deraadt@, kettenis@
ok guenther@

and make it void.
ok henning@, markus@, mcbride@

blindly assuming everything is v4 to be sent with ip_output.
problem originally reported by Marco Fretz.
fix verified locally.
ok henning@ mcbride@

the protocol.

problem was reported by babut at yandex dot ru in the pr 6564, tested by
the pr originator and me, ok henning mcbride. shaves off a bunch of XXXs.

move the configured multicast addresses and preserve the promisc mode
settings of the parent. this fixes an issue when carp stopped working on
a vlan after the vlandev was manually changed.
ok naddy@ phessler@

using address ranges (e.g. "10.1.1.1 - 10.1.1.5") did not match addresses
correctly on little-endian systems. ok henning@

Noticed by robert at openbsd pap st, thanks.

leak previous kernel stack contents through a malicious BPF filter.
Reported by Dan Rosenberg via Alistair Crooks. ok deraadt@, krw@,
claudio@

IPv4-ICMP6 and IPv6-ICMP packets are not rewritten in case they are
dropped and logged.
spotted by mikeb@; ok henning@

not do the same check in pf_test_rule() again.
ok henning

header length was uninitialized. This resulted in a panic in
m_clget(). Initialize hdrlen with 0 and call m_copyback() only if
necessary.
ok henning@

wrong. As an effect small valid fragmented packets got dropped and
some invalid fragmented packets were passed. plen is the payload
length of the ipv6 packet without the ipv6 header. off is relative
to the whole packet including the ipv6 header. Add sizeof(struct
ip6_hdr) in the calculation.
ok henning@ markus@

ok gollo@

broadcast mode.
ok blambert@ mikeb@

a possible memory leak with bpf's BIOCSFILDROP option which is currently
used by dhcpd and dhclient.
Found by gollo@

make sense, not just the family.
from jonathan matthew
ok yasuoka@

ok henning@ markus@

diff from form@ who's too busy drinking vodka with pelmeni to commit this;
ok claudio

pf_reassemble() to return PF_DROP or PF_PASS and *m0 is NULL or the
reassembled packet. In case of PF_DROP, the mbuf must be valid,
e.g. for logging, and will be freed later. In case the reassembled
packet is too big, use the reassembled mbuf for PF_DROP.
ok henning@ markus@

- PF_DROP, the packet is bad, the mbuf still exists and must be freed.
- PF_PASS and *m0 is NULL, the packet has been processed, not an error.
- PF_PASS and *m0 is not NULL, continue with packet processing.
This fixes a potential mbuf use after free.
ok henning@ markus@ mpf@

copied the pointer to the sockaddr instead of the content of
sockaddr_in. As the source of the data resides on the stack, the
pointer got invalid later and the kernel crashed. As only addresses
with fixed size are used, sa_len bytes of the sockaddr can be
copied.
ok krw@ markus@ mpf@ claudio@ henning@

passphrase or an RSA key) in the reply message. There's
nothing that justifies this behavior and PF_KEY RFC prefers
to exclude keys and other sensitive material from replies.
Discussed with reyk, no objections from deraadt.

explicit_bzero() where required
ok markus mikeb