Commit message
router so back out the routing stuff to pre-eurobsdcon where my machine
doesn't crash immediately.
i am happy to test diffs and report success/failures but i am not happy
to have instantaneous crashes when i reboot with a new kernel that was
compiled from pristine sources.
if you are going to be an elitist asshole then you could at least make
sure your code works.
ok and "be crass towards them" deraadt@
|
but go through a provided wrapper.
also provide rt_lookup() instead of doing the lookup manually in many places.
ryan ok
|
copy of the packet with bpf.
ok reyk@
|
Makes trunk usable with hubs or switches which don't have actual trunk support.
ok reyk@
|
ok reyk@
|
trunkports (link is UP as long as at least one of the trunkports is up)
ok reyk@
|
when the interface is deleted to a function in route.c, and replace
the copies of that code by calls to that function
from basel almost-hackathon
|
How do we code while our eyes are bleeding
|
userland-visible sys/select.h. Consistent with what Net and Free do.
OK deraadt@, tested with full ports build by naddy@.
|
the code took a shortcut which results in the new device not being added
to its interface class group as it should.
call the regular if_clone_create() instead of taking shortcuts, and all is
fine.
ok markus, tested Mike Belopuhov <mkb@crypt.org.ru>
|
we're breaking pfsync compatibility this cycle anyways.
Requested by djm@, ok henning@, 'wheee!' deraadt@
|
bpf FILDROP interface has existed for about one year but the required
interface to the drivers was missing - so it was useless. this new
approach based on a design by henning@ uses a new mbuf flag to mark
filtered packets and to drop them in the generic network stack input
routines (like ether_input).
for example; after some additional testing, this could be used by
dhclient to filter everything except DHCP packets (track tech@
for a corresponding dhclient diff). the "filter dropped" packets won't
reach the network stack. so it's probably some kind of a very basic
application layer packet filter ;).
ok canacar@, discussed with henning@ and others
|
not have been allocated at the initial state synchronisation time.
ok henning@
|
Oh. and a KNF nit.
|
Applies only to rules in the main ruleset (not anchors) if the ruleset
checksum matches. Necessary to fix the following for pfsync'd states:
- per-rule limits on number of states
- altq
- rule-based settings such as timeouts
More work to do re: nat rules, src-nodes, etc.
NOTE: This modifies the pfsync header and version number.
Tools which process pfsync packets must be recompiled, and firewalls with
different versions will not sync.
ok mpf@ henning@ dhartmei@
|
and calculate the modulator. This ensures that modulated initial sequence
numbers have the same properties regarding separation and non-repetition as
those generated by our TCP stack.
ok markus@ frantzen@
|
From: Mike Belopuhov <mkb@crypt.org.ru>
|
The previous code could wrongly delete multicast groups
on the parent interface. Now we forward only remembered
delete requests.
OK mcbride, mickey.
|
in the data part for the data from the previously distinct tags.
look up the tag early and carry a pointer to it around.
makes the code easier and saves some tag lookups and thus helps performance,
as proven by tests run by Schöberle Dániel <Schoeberle.Daniel@aamtech.hu>
Initially hacked up somewhere over the Atlantic Ocean in an A330
early testing reyk and moritz, "put it in" theo
|
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd access points.
ok jason@, jsg@ can't see anything objectionable
|
the address of the softc. Reported by Peter Phillip via PR-4501.
|
Help and ok claudio@, ok brad@
|
added later, currently the master port will always be the default
(active) port and the next active port will be used as the
failover port.
ok brad@
|
ok deraadt@
|
__STRICT_ALIGNMENT instead.
Help pedro@ deraadt@, ok deraadt@
|
- Introduces a rw_lock in pfioctl so that we can have concurrent readers
but only one process performing updates at a time;
- Separates state expiry into "unlink" and "free" parts; anyone can unlink
a state/src node from the RB trees at any time, but a state can only be
freed whilst the write lock is held;
- Converts state_updates into list state_list containing all states,
regardless of whether they are "linked" or "unlinked";
- Introduces a new PFTM_UNLINKED state that is used on the "unlinked" states
to signal that they can be freed;
- Converts pf_purge_expired_state to an "unlink" state routine, which only
unlinks the state from the RB trees. Freeing the state/src nodes is left
to the purge thread, which runs whilst holding a write lock, such that all
"next" references remain valid;
- Converts pfsync_bulk_update and DIOCGETSTATES to walk state_list rather
than the RB trees;
- Converts the purge thread to use the new state_list and perform a partial
purge every second, with the target rate a full state table walk every
PFTM_INTERVAL seconds.
seen by mcbride, henning, dhartmei pre-3.8, but too intrusive for then
|
ok brad@
|
ok reyk@
|
- add multicast support by passing multicast addresses to the ports.
this is a requirement for carp(4) over trunk(4).
- support the smallest common interface capabilities. i.e., this adds
support for VLAN MTUs if all attached ports have this capability.
- add a port_destroy callback to the trunk protocol. this fixes a
potential crash if the master port has been detached while running.
discussed with deraadt@, brad@ and some others.
|
from Boris Polevoy <vapcom at mail dot ru>, ok mcbride@
|
(similar to proxy ports for tcp/udp). not all clients use per-invocation
random ids, this allows multiple concurrent connections from such clients.
thanks for testing to Rod Whitworth, "looks ok" markus@
|
reported by Boris Polevoy, tested by Jean Debogue, ok henning@
|
pf_state buffers on the stack.
ok henning mcbride
|
to search for a particular entry in the RB trees are at the start of the
structure.
This permits us to place a much smaller structure on the stack in the
interrupt paths that match packets against state entries.
ok mcbride
|
want to map the remaining bits to something else later on.
|
ok henning mcbride, looks good frantzen
|
from Stephen Marley; ok deraadt@
|
a kill message for a state that was generated on another firewall.
|
Different fix tested by the submitter, xiangbo3 at gmail com.
ok claudio@
|
DIOCGETSTATE.
ok dhartmei mcbride
|
ok ho@