Age | Commit message | Author |
|
It's already in pfvar.h
OK mcbride@
|
|
without growing it in pfsync_state too.
to keep the wire format compat this uses some of the pad bytes to send
all the state flags on the wire as well as maintaining the old state_flags
field. after 5.0 we'll deprecate the original field and only use the new
one.
discussed with mcbride and deraadt and based on a diff from deraadt.
tested against an "old" pfsync locally.
ok mcbride@ henning@ deraadt@
|
|
Reject states with pfsync_state->af == 0 in pfsync_state_import(), in
preparation for states which specify an address family in each state key
instead (change will take place post-5.0).
ok dlg henning mikeb
|
|
improved debugging for error cases inside the weighted round-robin loop.
original diff from claudio, ok henning
|
|
lo' must not match a group 'local'. diff from sthen who is not around for a
few days, ok me and mpf. I can't find the mail of the guy who initially
ran into this problem, sorry for that, thanks for reporting!
|
|
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt
|
|
former anymore. OK miod@.
|
|
now, put it in the IPPROTO_TCP case of the pf_test_rule() inner loop.
ok henning sthen
|
|
the common function pf_walk_header6(). For that, pf_walk_header6()
can now extract both the information whether it is a fragment and
the final protocol if it is the first fragment. This allows to
match the icmp6 too big packet of a first fragment to the reassembled
packet's state. This is necessary if a refragmented fragment is
too big for the Path-MTU.
Note that pd.proto contains the real protocol number for the first
fragment and IPPROTO_FRAGMENT for later fragments. pd.virtual_protocol
is set to PF_VPROTO_FRAGMENT for all fragments.
ok mcbride@
|
|
from Martin Pelikan
|
|
Rather than silently dropping ALL icmp packets, return icmp/icmp6 error
for 'informational' message types (but continue dropping ICMP errors
unconditionally).
ok markus sthen henning
|
|
with input and ok from bluhm and claudio
|
|
so it evaluates in the order we want.
ok claudio@
|
|
payload, we missed to drop them. While there, also add a reason
to the corresponding check in pf_test().
ok mcbride@ claudio@
|
|
ok claudio henning yasuoka
|
|
an address pool. problem found and solution tested by claudio.
ok claudio, henning, "reads fine" to zinke
|
|
Integrate them into pipex_common_input().
ok hsuenaga@
|
|
implementation. ok ryan mpf sthen and also testing pea and halex looked
at it and commented as well
|
|
unconditional, always on. 8 priority levels, as every better switch, the
vlan header etc etc. ok ryan mpf sthen, pea tested as well
|
|
`net.pipex.enable' to enable PIPEX. By default, pipex is disabled
and it will not process packets from wire. Update man pages and
update HOWTO_PIPEX_NPPPD.txt for testers.
discussed with dlg@, ok deraadt@ mcbride@ claudio@
|
|
Additionally round the sizeof(struct sockaddr_dl) to a power of 2.
OK guenther@ deraadt@
|
|
(in this case it's unnecessary, bss is initialized to zero at boot)
ok henning
|
|
walking over the IPv6 header chain. Merge them into one loop,
adjust some length checks and fix IPv6 jumbo option handling. Also
allow strange but legal IPv6 packets with plen=0 passing through
pf. IPv6 jumbo packets still get dropped.
testing dhill@; ok mcbride@ henning@
|
|
with this nothing in the tree fiddles with ifqueue internals any more, of
course except if.c and if.h (and some altq)
|
|
code. Missing chunks of the API are imported from the libc version,
with a few #ifdef's to port it into the kernel environment.
The bootblocks already used the newer code, and should encounter no
surprises since there are so few changes to the existing files. In
the kernel, ipcomp and kernel ppp are changed to the new API.
ipcomp has been tested.
ok tedu the brave
|
|
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.
Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing
ok bluhm; various previous versions ok henning, claudio, mpf, markus
|
|
this in my monster diff and wondered that i hadn't put that in already...
claudio ryan ok
|
|
one tree less in my forest (for a few seconds)! ok claudio
|
|
the same, ok'd with IFQ_PURGE which happens to break on altq kernels by
claudio, ryan and bluhm
|
|
and not IFQ_IS_EMPTY, the former doesn't get overloaded with altq-specific
stuffz. original oks from claudio and ryan and bluhm, i take the liberty
to assume the oks for this fixed version
|
|
it was done for pf_headers in pf.c.
ok mcbride@ henning@
|
|
the header address in the mbuf.
ok henning@
|
|
isn't it awesome that 5 out of 6 cases of this crap were in the various ppp
implementations? ok claudio ryan
the 6th to be fixed when we return from MEC
|
|
make sppp_flush use IFQ_PURGE instead of handrolling the same making
assumptions about ifqueue internals. ok ryan claudio
|
|
ones that make assumptions about ifqueue internals... ok ryan claudio
|
|
why bother with APIs when you can muck with internals directly, it's obvious
there'll NEVER be changes, right. ok claudio ryan
|
|
adjusting it to the new world order in my tree... remove it, ok ryan claudio
|
|
OK dlg@ henning@
|
|
no change in binary
"Sure" claudio@
|