Age | Commit message | Author |
|
for picking states to unlink as the tailq may contain unlinked states.
|
|
Fixes stateful filtering on enc0.
Problem report, testing, and ok david@
|
|
shielded twisted pair cables. this is an upcoming standard.
ok brad@
|
|
Problem report and testing by david@
|
|
state table reorg.
discussed with deraadt and henning, reminded by david
|
|
sk2 and reset sk2's link back to sk1
|
|
- we prefer u_int*_t over uint_*t.
- static is bad for debugging.
- header files should not contain functions.
|
|
Implementation from NetBSD. Ported via FreeBSD's version in trunk^Wlagg(4).
This is still work in progress. Tested with a HP ProCurve 3500.
OK reyk@
|
|
even the unicast address of the remote carp peer. this especially
helps when the multicast carp advertisements are causing problems in
the network (some crappy switches don't do well with multicast), there
are conflicts with VRRP, or the policy of the network does not allow
multicast (most Internet eXchange points didn't allow carped OpenBGP
routers because of the multicast advertisements).
discussed with many
ok mpf@
|
|
<net/bpf.h> header is not required here.
ok henning@
|
|
ok henning@
|
|
because it conflicted with the change he did in pf_if.c earlier.
He finally woke up to ok (well, ``yes'', really) this version now.
|
|
the allocations in uvm_km_thread, as long as they are PR_WAITOK and
all the memory hogs should be WAITOK in pf now.
"following your explanation, it's ok" henning@
|
|
PR_WAITOK | PR_LIMITFAIL. from discussion with art. ok ryan claudio thib
|
|
This makes it easier to add trunk protocols that consume some packets.
Add a special case for the failover protocol, to prevent shoving
duplicates to bpf. (Not beautiful, but it has to do for the moment).
OK reyk@, claudio@
|
|
from ether_input() into trunk_input() where it can be handled in a smarter way.
OK claudio@ and reyk@ on an earlier version.
|
|
can not supply the correct nexthop if the nexthop is changed. So if the
route we want to change is a non-multipath one allow the change to succeed.
This unbreaks RTM_CHANGE in most situations. Found by jsing@ Ok henning@
|
|
system for the bridge ID for stp. That works fine unless you have
two bridges in the system that talk to the same neighboring systems
(switches), because the two bridges on the openbsd system would have the
same ID.
fix by only looking at interfaces part of the bridge and using the lowest
mac address of these. works fine because stp can only be enabled on
IFT_ETHER interfaces so there is always at least one and we re-evaluate
every time an interface is added or deleted from the bridge.
diff was rotting in my tree for at least a year, I have no idea what
triggered it really.
ok reyk mk djm
|
|
This restores the old behaviour where we were checking for != LINK_STATE_DOWN.
Fixes the ethernet to wireless failover feature and also allows trunk(4)
to be used within qemu.
Tested by sturm@.
OK reyk@. "grumble, we should fix more drivers' link state handling" brad@
|
|
it once at start instead.
|
|
the factored out pf_create_state() could return PF_PASS, _DROP, and
_SYNPROXY_DROP. We were treating the latter the same as _PASS and thus
passing the original SYN which we of course don't want in the synproxy
case.
breakage reported by sakurai-san, headscratching with and ok ryan
|
|
loud, spilling out hundreds of lines on ruleset reloads is disturbing when
you're hacking over cereal console, ryan ok
|
|
network mask. For some reasons some parts set sa->sa_len to 0 to specify
a /0 netmask so check for that too. tested by david@ OK henning@
|
|
ok henning
|
|
key1->reverse = key2; and key2->reverse = key1;
ok ryan
|
|
to not hurt performance while passing the 20 args (sigh)
ok theo ryan, ok + feedback jsing
|
|
impossible that m is NULL here since all callers dereference it
unconditionally beforehand, and find state without an mbuf doesn't
make sense in the first place
|
|
in the header so it cannot get used again in case of somewhat weird
reflection + mbuf-reuse-without-pkthdr-clearing cases. it looks like
gif falls into the latter category.
discussed with and ok theo
|
|
1) only set the state key in the mbuf header in the inbound case
2) only use it in the outbound case
discussed with and ok theo
|
|
|
|
header inbound. on the outbound side, we take that and look for the key
that is the exact opposite, and store that mapping in the state key. on
subsequent packets we don't have to do the lookup on outbound any more.
almost unable to get real benchmarks going here, we know for sure this
gives a more than 5% increase in forwarding performance.
many thanks to ckuethe for stress- and performance-testing.
ok ryan theo
|
|
bidirectional FIN/ACK+ACK handshake.
ok henning@
|
|
ok mpf henning
|
|
|
|
connection. If there is an ACK after the initial SYN without ever
seeing a packet from the destination, set the connection to
established.
ok henning@
|
|
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.
This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.
ok henning mpf deraadt
|
|
the tailq instead of the rb tree. pt out by kjell some time ago, ok ryan
|
|
place
|
|
into one 8 bit flags field.
shrinks the state structure by 4 bytes on 32bit archs
ryan ok
|
|
do not verify the sequence number against the state if the state is sloppy
and thus doesn't have that information.
independently pointed out by frantzen and ryan, ok ryan
|
|
numbers at all. scary consequences; only to be used in very specific
situations where you don't see all packets of a connection, e.g.
asymmetric routing. ok ryan reyk theo
|
|
ok deraadt@
|
|
ok mcbride
|
|
OK henning@
|
|
rtrequest1() everywhere now. OK henning@
|
|
full mbuf chain is being free'd.
ok reyk@
|
|
almost nobody ran into that because it is ipv6 only
|
|
OK canacar@ some time ago
|
|
Bug report and testing from Otto Bretz.
ok henning@
|
|
|