| Age | Commit message (Collapse) | Author |
|---|
|
on the parent interface. This is similar to what bridge(4), trunk(4)
or carp(4) are doing and allows us to get rid of the detachhook.
ok reyk@, mikeb@
|
|
checksum. Since no one seems to have a use case for sending flows from
INADDR_ANY disallow this.
Pointed out by Nathanael Rensen on tech@, thanks.
While there make the SIOCSIFFLAGS and SIOCSETPFLOW cases symmetric by
only sending templates if the interface is running.
OK benno@
|
|
depends on this feature, discussed with claudio@.
|
|
ok bluhm@
|
|
the possible races related to unscheduled task relying on an unique index.
I say "limit" here because a race can still occurs if you run out of
indexes and jump back to 1.
ok krw@, mikeb@
|
|
ok krw@, mikeb@
|
|
|
|
alternative to bcopy since noone uses it.
while there use memcpy instead of bcopy because we know the memory cannot
overlap.
ok henning@ matthew@ mikeb@ deraadt@
|
|
ok mikeb@, sthen@, tedu@ (implied), doc bits ok jmc@
|
|
flag to decide wether to abort ruleset eval instead of the last matching rule's
one. makes "match quick" abort ruleset evaluation with the current block/pass
state. from Maxim Khitrov <max at mxcrypt.com>, ok bluhm mikeb
|
|
This is another ABI break but no port rely on them as verified by naddy@.
ok claudio@, mikeb@, henning@
|
|
are two differents ioctls manipulating structures of a different
size.
In particular this prevents vlan(4) to handle pppoe(4)-specific
ioctls and vice versa, that could lead to smashing the stack of
the caller.
Issue originally found by David Hill when compiling ifconfig
with clang.
Note that this is an ABI break but we're riding a biger dragon
right now.
ok mikeb@, kettenis@, sthen@
|
|
time values for version 10.
While there mark places which will blow up in 2038.
OK benno@
|
|
OK benno@
|
|
ok mikeb@, henning@
|
|
not getting assigned to rules like they should cos pfsync_in_upd() wasnt
passing the PFSYNC_SI_CKSUM flag along to pfsync_state_import.
found and fixed by pedro
|
|
|
|
of the IPL_NET. pf_test should be no longer called under IPL_NET as
well. The problem became evident after the related issue was brought
up by David Hill <dhill at mindcry ! org>.
With input from and OK mpi. Tested by David and me.
|
|
Start the expire counter when the queue is created by the first
fragment and drop it if the packet could not be reassembled within
60 seconds.
Reported by Antonios Atlasis; OK henning@ deraadt@
|
|
|
|
to only include what is really needed. In particular stop including
a "struct ifnet" and move kernel-only definition into the proper #if
dance.
While here remove the unused spppinfo() from ifconfig.
ok guenther@, sthen@, mikeb@
|
|
ok benno@
|
|
While here, fix pf table displays to fit within 80 chars.
Manpage input jmc@
ok henning@ reyk@
|
|
change for pf, but that's fine at this time. You'll need to rebuild
pf userland after updating your kernel.
change to 'since' member ok henning@
rest ok henning@ deraadt@
|
|
ok mpi@ deraadt@
|
|
an ABI change involved.
|
|
type**, so no ABI change.
ok henning@ deraadt@
** ...yet
|
|
under some circumstances repair broken checksums on the way.
ok ryan naddy mikeb
.
redo most of the protocol (tcp/udp/...) checksum handling
-assume we have hardware checksum offloading. stop mucking with the
checksum in most of the stack
-stop checksum mucking in pf, just set a "needs checksumming" flag if needed
-in all output pathes, very late, if we figure out the outbound interface
doesn't have hw cksum offloading, do the cksum in software. this especially
makes the bridge path behave like a regular output path
-little special casing for bridge still required until the broadcast path
loses its disgusting shortcut hacks, but at least it's in one place now
and not all over the stack
in6_proto_cksum_out mostly written by krw@
started at k2k11 in iceland more than 1.5 years ago - yes it took that
long, this stuff is everything but easy.
this happens to fix the infamous pf rdr bug that made us turn off proto
cksum offloading on almost all interface drivers.
|
|
Fixes an issue seen by reyk@
ok henning@ reyk@
|
|
stuff to userland, especially the "struct ifnet".
ok sthen@, henning@, uebayasi@
|
|
to the global list, until the issue with carp is addressed.
|
|
Reported by naddy@
|
|
structure rather than doing various M_WAITOK allocations during
the *attach() functions, we always rely on them anyway.
ok mikeb@, uebayasi@
|
|
succeed, and it's always called in sleepable context.
OK mikeb@ yasuoka@
|
|
IPv4 addresses consistently from the global list and tree, in.c r1.78
ok bluhm@, mikeb@
|
|
additional length check in pf_modulate_sack() and pf_normalize_mss().
Overflow cannot happen due to the restricted values in the length
calculation. As this is not obvious, be better safe than sorry.
OK henning@
|
|
assign with = and compare with == . This way the compiler will
check deeper wether the cast is correct. Alignment is fine,
tested on sparc64.
OK claudio@
|
|
No functional change. From David Hill; OK claudio@
|
|
ok otto
|
|
counters.
ok guenther, feedback jmc
|
|
No binary change. OK henning@
|
|
ok sha256
|
|
ok deraadt@
|
|
udp and the default case are 100% identical, tcp does a little more, but
that is easier to add w/ two "if tcp" blocks in the default case, so the
udp and tcp cases die. ok bluhm
|
|
the _icmp variant stays because it is completely different.
factor out the synproxy code into a new pf_synproxy() for readability.
pf_setup_pdesc sets us up with access to ports, cksum etc in a protocol
independent matter, so we don't need many protocol switches here.
tcp and udp were almost identical, the _other case changes significantly -
not too unlikely this fixes a subtle bug or two in that case.
ok ryan benno bluhm mikeb
|
|
it up in pf_setup_pdesc(). ok ryan benno mikeb bluhm
|
|
just return after being done with the address. ok bluhm ryan mikeb
|
|
was only done when a packet traveled up the stack from pf to
tcp_input(). Now also link the state and inpcb when the packet is
going down from tcp_output() to pf. As a consequence, divert-reply
states where the initial SYN does not get an answer, can be handled
more correctly.
This change is part of a larger diff that has been backed out in
2011. Bring the feature back in small steps to see when bad things
start to happen.
OK henning deraadt
|
|
regression introduced with pf.c 1.827 and allows us to create icmp
states again.
OK henning@
|
|
uses it. that is so incedibly wrong...
sorry for the breakage, folks. found by tedu, SMSing me out of my breakfast
bob
|
