inputs & ok visa@

Routing domain must always have an existing lo(4).
Problem reported and fix tested by multiplexd at gmx.com.

- MSS and WSCALE option candidates must now meet their min type length.
- 'max-mss' is now more tolerant of malformed option lists.
These changes were immaterial to the live traffic I've examined.
OK sashan@ mpi@

pppx_ifs earlier not to overlap the protected section for ifnet. Also
introduce a pxi_ready flag to protect pxi from being used before
initialization.
ok bluhm

ok claudio@

ok visa@, tb@

ok tb@

ok visa@, tb@

locking.
ok visa@, bluhm@

of calling sofree(), when its PCB is detached.
This is different from TCP which does not always detach `inpcb's from
sockets. In the pfkey & routing case calling sofree() there is a noop
whereas for TCP it's needed to free closed connections.
Having fewer sofree() makes it easier to understand the code and move
the locks down.
ok visa@

pf_state_insert(), so the state key has not been set. When inlining,
the compiler recognized the NULL pointer dereference in
s->key[PF_SK_STACK]->proto and optimized it away. But if pf.c was
compiled with -fno-inline, the system crashed during boot. Add a
NULL check in pf_set_protostate() to handle the situation when the
function is called.
OK sashan@ henning@

goto unlock when leaving this block.
OK sashan@ henning@

previously the ioctl code checked that prio was an int less than
UCHAR_MAX, but the rest of the kernel (and priq code in particular)
expects it to be between 0 and 7 inclusive.
ok krw@ tb@

From Jan Klemkow, ok mpi@ tb@, ok/bugfix bluhm@

it is sort of like egre(4), but different enough to warrant separate
handling. more specifically, eoip sits under gre 1, not 0, and has
its own protocol id (0x6400). the gre key field is mandatory (the
rest cannot be set) which is split into a 16 bit length field and
a 16 bit tunnel id. lastly, it has a keepalive mechanism where peers
send 0 length packets as hellos to each other periodically, which
has no equivalent in egre(4) and is different from the gre(4) keepalives.
ok sthen@

or kernel lock when accessing a socket. For pf key sockets it is
kernel lock, so add its protection in pfkey_sendup(). Fixes a
kernel lock assertion panic reported by Peter J. Philipp.
OK mpi@ visa@

&if_clone list and the if_cloners_count are currently protected by the
KERNEL_LOCK(). Introduce the ifclonerslk rwlock to serialize access to
these two globals as a small step towards removing the KERNEL_LOCK() from
the ioctl path. While there, separate the two codepaths in if_clone_list()
more clearly and replace a ternary operator with MIN().
guidance & ok mpi, ok visa

OK mikeb@

ok mpi

The tty layer still relies on it to serialize access to its data.
Fixes crashes reported & tested by form@ via mikeb@.
ok mikeb@

grab the KERNEL_LOCK() when delivering messages.
This is the same solution already used by routing sockets.
ok claudio@, visa@

Update ifconfig to display LACP State (Actor and Partner) on
each trunk port
Ok benno@, phessler@, and tb@

to the network. This is necessary for locally generated icmp packets
that would be dropped otherwise. Refine this check to modify only
the source address of packets that go to the external network. This
allows route-to tricks on loopback interface.
OK sashan@

socket receive buffer.
It is modelled after pfkey_sendup() as both will need the same MP
treatment.
ok tb@, bluhm@, visa@

this gets rid of the source annotation which doesn't really add
anything other than adding complexity. randomness is generally
good enough that the few extra bits that the source type would
add are not worth it.
ok mikeb@ deraadt@

might be shutting the session down

noticed by clang

Puts us in line with Free/NetBSD and Linux and will rid us of
pointless patches in the ports tree. ok guenther@ deraadt@

the rule created in pf_rule_copyin(). Plugs a potential kif memory
leak in pf(4) ioctl.
OK sashan@

For the PRU_CONTROL bit the NET_LOCK surrounds in[6]_control() and
on the ENOTSUPP case we guard the driver if_ioctl functions.
OK mpi@

Input bluhm
OK benno, kn, claudio

this is the same check that's done when adding normal members to
the bridge. it prevents things like gif(4) being added to the bridge,
which in turn prevents panics when shoving ethernet packets down a
layer 3 interface.
reported and tested by jasper@

pointer in the IP protocol loop. Reset the loop's mbuf when the
mbuf is freed. The latter is not necessary, but clearing a pointer
to freed data is safer.
OK dlg@

No objections from henning, OK visa

found by and diff from peter j philip
ok jca@

this is to suppress loops over the interface, and avoids a leak of
the tag on every packet.
found and fix tested by christian barthel
also tested by job snijders
ok bluhm@

So this macro does not make much sense, just call pflog_packet().
OK sashan@ henning@

Note: Remember to "make includes" and recompile the following programs together
with the kernel:
sbin/pfctl
usr.sbin/authpf
usr.sbin/ftp-proxy
usr.sbin/relayd
usr.sbin/tftp-proxy
Thanks to sthen@ for checking the ports tree.
ok bluhm@ sashan@ visa@

ok bluhm@ sashan@ visa@

some ISPs now provide services over vlans, but require vlan packets
going to the internet have their priority set to 1 (ie, 0 on the
wire) or they will be dropped. configuring this on openbsd requires
config in several places, eg, pf rules to set the prio on ip packets,
llprio on the pppoe interface for its management frames, and the
llprio on the vlan interface if you're using dhclient on it. this
has the side effect that you can no longer use priority queuing,
and can be error prone to get right.
using link0 to flatten the priority for isp transit is simple to
configure, and allows priority queuing.
a man page update is coming.
ok henning@

ok dlg@ mpi@

(tj found fix in FreeBSD repo for us)
OK @bluhm, @henning

Prevents a rwlock recursion found by stsp@.
ok stsp@, deraadt@, visa@

The check prevents incoming multicast packages from arriving at the gif
interface (eg. OSPF) when the traffic is protected by IPsec in transport
mode.
ok dlg@

if the mac address is not for the interface, it must be multicast
or broadcast. this is instead of if the packet is not
multicast/broadcast, it must be for the interface.
this allows ethernet interfaces to have multicast mac addresses
without having to special case it themselves. eg, carp load balancing
should become easier with this.
ok mpi@

ok jsg@