summaryrefslogtreecommitdiff
path: root/sys/net
AgeCommit message (Collapse)Author
2003-12-28Add a new PFSYNC_ACT_UREQ message type.Ryan Thomas McBride
A pfsync system which recieves a partial update for a state it cannot find can now request a full version of the update, and insert it. pfsync'd firewalls now converge more gracefully if one is missing some states (due to reset, lost insert packets, etc).
2003-12-22pasto in pf_status.src_nodes backup, from 'kirash'Daniel Hartmeier
2003-12-19more const-correctness, ok mcbride@Daniel Hartmeier
2003-12-19i wrote much of these, assert my copyrightHenning Brauer
2003-12-19rn_satsifies_leaf -> rn_satisfies_leafBrad Smith
from itojun@netbsd rev 1.15 ok deraadt@
2003-12-18Save pf_status.hostid and pf_status.stateid in the DIOCCLRSTATUSRyan Thomas McBride
ioctl. Pointed out by dhartmei@ ok dhartmei@
2003-12-18Unbreak compile with no pfsync(4) device.Ryan Thomas McBride
patch from Max Laier
2003-12-18TCP timestamp modulation (scrub reassemble tcp) fix from frantzen@Daniel Hartmeier
2003-12-18resolve compiler warnings, from Pyun YongHyeon, ok cedric@, mcbride@Daniel Hartmeier
2003-12-17start spanning tree on ifconfig up; from Marco Pfatschbacher; ok jason@Markus Friedl
2003-12-16when a bridge filter rule specifies both src and dst mac address, we do notHenning Brauer
want to compare both against the packet's source address. works much better when we compare the dst address to the packet's dst address. ok camield@ canacar@ markus@ jason@
2003-12-16return error in ifc_destroy; ok deraadt, itojun, cedric, hshoexerMarkus Friedl
2003-12-16Don't do all the heavy pfsync processing if there are no bpf listenersRyan Thomas McBride
and no network synchronization is happening.
2003-12-15sc_sp is a #define on some architectures, use a different nameTheo de Raadt
2003-12-15ryan left a few for me ;-)Henning Brauer
2003-12-15Fix whitespace screwups before henning wakes up.Ryan Thomas McBride
2003-12-15Add initial support for pf state synchronization over the network.Ryan Thomas McBride
Implemented as an in-kernel multicast IP protocol. Turn it on like this: # ifconfig pfsync0 up syncif fxp0 There is not yet any authentication on this protocol, so the syncif must be on a trusted network. ie, a crossover cable between the two firewalls. NOTABLE CHANGES: - A new index based on a unique (creatorid, stateid) tuple has been added to the state tree. - Updates now appear on the pfsync(4) interface; multiple updates may be compressed into a single update. - Applications which use bpf on pfsync(4) will need modification; packets on pfsync no longer contains regular pf_state structs, but pfsync_state structs which contain no pointers. Much more to come. ok deraadt@
2003-12-15Add support to track stateful connections by source ip. This allows usRyan Thomas McBride
to: - Ensure that clients get a consistent IP mapping with load-balanced translation/routing rules - Limit the number of simultaneous connections a client can make - Limit the number of clients which can connect through a rule ok dhartmei@ deraadt@
2003-12-13initial support ifconfig destroy; ok deraadt@Markus Friedl
2003-12-12Move PF interface code to new net/pf_if.cCedric Berger
Expect improvements in this area soon. ok dhartmei@ mcbride@
2003-12-12small compiler warning cleanup (#error instead of bailing out)Hans-Joerg Hoexer
ok henning@ grange@
2003-12-11Fix PR3587 and other related problems with NAT and table stats.Cedric Berger
PPL that have that problem and cannot upgrade to -current could just comment out the assertion in pfr_update_stats(). ok dhartmei@ henning@
2003-12-10de-register. deraadt okJun-ichiro itojun Hagino
2003-12-10use if_indexlim (instead of if_index) and ifindex2ifnet[x] != NULLJun-ichiro itojun Hagino
to check if interface exists, as (1) if_index will have different meaning (2) ifindex2ifnet could become NULL when interface gets destroyed, when we introduce dynamically-created interfaces. markus ok
2003-12-08ip_output expects network byte order; report Bob Kitella; ok deraadtMarkus Friedl
2003-12-08add IOCIFGCLONERS; ifconfig -C; from netbsd; ok henning, deraadtMarkus Friedl
2003-12-08Mbuf tag tcp and udp packets which are translated to localhost, andRyan Thomas McBride
use the the presence of this tag to reverse the match order in in{6}_pcblookup_listen(). Some daemons (such as portmap) do a double bind, binding to both * and localhost in order to differentiate local from non-local connections, and potentially granting more privilege to local ones. This change ensures that redirected connections to localhost do not appear local to such a daemon. Bulk of changes from dhartmei@, some changes markus@ ok dhartmei@ deraadt@
2003-12-07support ifconfig create; ok deraadtMarkus Friedl
2003-12-06u_int8_t variable can't be > 255; pointed out by Mr. GCC3.Alexander Yurchenko
ok millert@
2003-12-06support destroy; ok henningMarkus Friedl
2003-12-03add support for ifconfig clone/destroy; ok henning deraadtMarkus Friedl
2003-12-03add support for ifconfig clone/destroy; ok henning deraadtMarkus Friedl
2003-12-03add support for ifconfig clone/destroy; ok henning deraadtMarkus Friedl
2003-12-03support for network interface "cloning", e.g. gif(4) via ifconfig(8)Markus Friedl
2003-12-03protect against if_index wrap; similar to what netbsd does; ok henning deraadtMarkus Friedl
2003-12-02UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)Markus Friedl
ok deraadt@
2003-12-02add kq support from wayne@epipe.com.au and cmaxwell@themanor.net (now that ↵Michael Shalayeff
regress test is there too)
2003-11-28More pf stats fixups:Ryan Thomas McBride
- Don't double count double count icmp packets. - We only want to increment rule and state counters if we're passing the packet, unless it's a 'drop' rule. ok dhartmei@ henning@
2003-11-21Remove redundant arguments to pf_sockaddr_lookup(); proto and af are alreadyRyan Thomas McBride
included in pd. ok dhartmei@ henning@
2003-11-21Remove unused "ipoff" arguments.Ryan Thomas McBride
ok dhartmei@ henning@
2003-11-16pf_test() and pf_test6() consistency:Ryan Thomas McBride
- Fix anchor anchor accounting for IPv4 TCP and all IPv6 protocols. - Make stateful connections work for generic protocols on IPv6. ok henning@ dhartmei@
2003-11-16convert __attribute__((__packed__)) to __packed so that parsers unawareAnil Madhavapeddy
of gcc extensions have more of a chance. ok mcbride@, no objections from millert@, deraadt@
2003-11-09remove stale forward declarationDaniel Hartmeier
2003-11-08Return proper anchor rule number in correct byte order.Daniel Hartmeier
From Pyun YongHyeon. ok henning@, canacar@
2003-11-08Add 'no-sync' state option to prevent state transition messages for statesRyan Thomas McBride
created by this rule from appearing on the pfsync(4) interface. e.g. pass in proto tcp to self flags S/SA keep state (no-sync) ok cedric@ henning@ dhartmei@
2003-11-07adress -> address, and a few more; all from Jonathon Gray;Jason McIntyre
(mvme68k/mvme88k) vs.c and (vax) if_le.c ok miod@ isakmpd ones ok ho@
2003-11-06move netisr definition into md code to allow arch provide suitable ↵Michael Shalayeff
allocation; tested on most archs
2003-11-04add in(6)_pcblookup_listen() and replace all calls to in_pcblookup()Markus Friedl
with either in(6)_pcbhashlookup() or in(6)_pcblookup_listen(); in_pcblookup is now only used by bind(2); speeds up pcb lookup for listening sockets; from Claudio Jeker
2003-11-03pf_route() can change output NIC, so we need to check its capabilities.Cedric Berger
good candidate for 3.X errata. ok dhartmei@ henning@ mcbride@
2003-11-02Don't zero the debug level when we enable pf.Ryan Thomas McBride
ok henning@ dhartmei@
generated by cgit v1.2.3 (git 2.25.1) at 2024-12-03 03:05:07 +0000