Age | Commit message | Author |
|
|
|
bgpd and ospfd use this information to track the availability of a route.
Discussed with dlg@, OK henning@
|
|
show a correct expire time in route(8). OK and idea mpf@ looks good henning@
|
|
ok dhartmei@ and beck@. help + testing from kpfaff AT palloys.com.pl
|
|
pass to (ifgroup)
style notation.
instead of walking the list of associated dynaddrs with a pf-abstracted
interface which might not be present when there is no reference
to them in the ruleset, and checking their pointer back to the interface
for group memberships, walk the groups an interface is member of
directly. even makes the code easier.
tests & ok bob ryan markus + tested moritz
|
|
but not 'fragment reassemble'), which can cause some fragments to get
inserted into the cache twice, thereby violating an invariant, and panicking
the system subsequently. ok deraadt@
|
|
m->m_data directly. This fixes the tun(4) / bridge(4) crash reported in
PR4963. OK djm@ mpf@ markus@
|
|
read-only operation (looking up one state entry), so allow it when /dev/pf
is opened read-only (allows squid to work read-only). from Andrey Matveev.
|
|
computations of change rates. unfortunately, I don't remember who suggested
this.
|
|
ok claudio@ brad@
|
|
into them, if you are gonna copy it out to userland
some ok dhartmei, some ok tedu
|
|
copy of the packet with bpf.
From mcbride@
some testing by todd@, ok reyk@
|
|
ok brad@
|
|
to the driver that there is a listener. Somehow I assumed that it was
a handle, and was trying to figure out why it was becoming zero.
Corrected by and ok claudio@
|
|
of bpf_mtap().
|
|
by lint.
ok deraadt@
|
|
not appear in a function whose return type is void." Lint agrees.
ok (and C99 spec info) cloder@
|
|
Also change another cast, for the sake of consistency, as prompted by djm@
ok deraadt@ djm@ canacar@
|
|
router so back out the routing stuff to pre-eurobsdcon where my machine
doesn't crash immediately.
i am happy to test diffs and report success/failures but i am not happy
to have instantaneous crashes when i reboot with a new kernel that was
compiled from pristine sources.
if you are going to be an elitist asshole then you could at least make
sure your code works.
ok and "be crass towards them" deraadt@
|
|
but go through a provided wrapper.
also provide rt_lookup() instead of doing the lookup manually in many places.
ryan ok
|
|
copy of the packet with bpf.
ok reyk@
|
|
Makes trunk usable with hubs or switches which don't have actual trunk support.
ok reyk@
|
|
ok reyk@
|
|
trunkports (link is UP as long as at least one of the trunkports is up)
ok reyk@
|
|
when the interface is deleted to a function in route.c, and replace
the copies of that code by calls to that function
from basel almost-hackathon
|
|
How do we code while our eyes are bleeding
|
|
userland-visible sys/select.h. Consistent with what Net and Free do.
OK deraadt@, tested with full ports build by naddy@.
|
|
the code took a shortcut which results in the new device not being added
to its interface class group as it should.
call the regular if_clone_create() instead of taking shortcuts, and all is
fine.
ok markus, tested Mike Belopuhov <mkb@crypt.org.ru>
|
|
we're breaking pfsync compatibility this cycle anyways.
Requested by djm@, ok henning@, 'wheee!' deraadt@
|
|
bpf FILDROP interface exists for about one year but the required
interface to the drivers was missing - so it was useless. this new
approach based on a design by henning@ uses a new mbuf flag to mark
filtered packets and to drop them in the generic network stack input
routines (like ether_input).
for example; after some additional testing, this could be used by
dhclient to filter everything except DHCP packets (track tech@
for a corresponding dhclient diff). the "filter dropped" packets won't
reach the network stack. so it's probably some kind of a very basic
application layer packet filter ;).
ok canacar@, discussed with henning@ and others
|
|
not have been allocated at the initial state synchronisation time.
ok henning@
|
|
Oh. and a KNF nit.
|
|
Applies only to rules in the main ruleset (not anchors) if the ruleset
checksum matches. Necessary to fix the following for pfsync'd states:
- per-rule limits on number of states
- altq
- rule-based settings such as timeouts
More work to do re: nat rules, src-nodes, etc.
NOTE: This modifies the pfsync header and version number.
Tools which process pfsync packets must be recompiled, and firewalls with
different versions will not sync.
ok mpf@ henning@ dhartmei@
|
|
and calculate the modulator. This ensures that modulated initial sequence
numbers have the same properties regarding separation and non-repetition as
those generated by our TCP stack.
ok markus@ frantzen@
|
|
From: Mike Belopuhov <mkb@crypt.org.ru>
|
|
The previous code could wrongly delete multicast groups
on the parent interface. Now we forward only remembered
delete requests.
OK mcbride, mickey.
|
|
in the data part for the data from the previously distinct tags.
look up the tag early and carry a pointer to it around.
makes the code easier and saves some tag lookups and thus helps performance,
as proven by tests run by Schöberle Dániel <Schoeberle.Daniel@aamtech.hu>
Initially hacked up somewhere over the atlantic ocean in an A330
early testing reyk and moritz, "put it in" theo
|