Age | Commit message | Author |
|
triggered for a reply-to rule. It turns out this case has been using
uninitialised memory as if it were a valid pf pool.
As the rest of the function assumes a valid pool for now just return.
Problem reported by RD Thrush.
ok jung@ mikeb@
|
|
directly. Also protect non mp-safe functions while at it.
ok mpi@.
|
|
pointed out by and OK bluhm@
|
|
reported by rpe@
|
|
ok mpi@
|
|
packets directly into the network stack with ip_output().
The locking is intentionally left as is and will be improved in
another commit.
Input / OK bluhm@, OK benno@
|
|
if_input() has been designed to be able to safely handle a batch of
packets from physical drivers to the network stack. Most of these
drivers have an interrupt routine executed at IPL_NET and the check
made sense during the conversion. However we also want to re-enqueue
packets with if_input() from the network stack currently running at
IPL_SOFTNET.
ok claudio@
|
|
ok mpi@, claudio@.
|
|
with MPLS packets.
ok mpi@, claudio@
|
|
path was taken. This both prevents warnings from clang and acts as a
sanity check.
ok mcbride@ henning@
|
|
to optimize for an INET-only kernel, as well as the fantasy unicorn
INET6-only kernel. (INET-only kernel still works)
prompted by deraadt
ok bluhm sashan
|
|
OK @mcbride
|
|
ok mcbride@
|
|
ok mcbride@
|
|
OK deraadt.
|
|
ok jsg@, ok mpi@
|
|
ok reyk@ mpi@
|
|
of a given rtable if none is specified. In this case do not return an
error if a table is missing for one of the ~30 funky AF defines we
have in <sys/socket.h>
Breakage found by and fix discussed with claudio@
|
|
- PF should always use unhandled_af()
- 0 is lame, AF_UNSPEC is profi
ok bluhm@
|
|
in the &ifnet list of interfaces.
carp(4) is slowly becoming less special. Should keep the carp interfaces
in the correct order in ifconfig output as reported by Johan Huldtgren.
ok florian@, claudio@, benno@
|
|
Code abusing the radix internals for the routing table should now
include <net/rtable.h> and only deal with "struct rtentry".
Code using a radix tree for another purpose can still include
<net/radix.h>.
Inputs from and ok claudio@, mikeb@
|
|
rt_mpath_next() to document the difference in behavior between the
multipath and non-multipath routing code.
Note that the same pattern is present in if_group_egress_build().
ok claudio@
|
|
it also adds af_unhandled(), where it is currently missing.
ok mcbride@
|
|
vlan(4) clears M_VLANTAG when a tag matches but if the tag is still there
it means that the vlan is not configured on the interface.
Found with mpi@ and rzalamena@ while discussing various vlan troubles.
|
|
look at the routes with a priority, or to display all routes that do not
have a specific priority (normally, don't show bgp).
OK mpi@ benno@
previous versions OK deraadt@ sthen@
|
|
in promiscuous mode.
The long story is that claudio@ had his ssh session reset multiple
times in the hackroom because czarkoff@'s machine was sending reset.
We figured out that the packet was reaching pf because of this missing
check. pf would then not find any state and sent a reset.
Analyzed with and ok phessler@, claudio@
|
|
ok claudio@, phessler@, mpi@
|
|
ok deraadt@, ok florian@
|
|
ok mikeb@ some time ago
|
|
reaching around through the routing table
original diff by myself, much improved by mikeb@ and mpi@
ok and testing mikeb@ mpi@
|
|
Problem found and fix provided by Ryota Ozaki, thanks!
ok deraadt@, yasuoka@
|
|
The way gif(4) and bridge(4) are plugged together is disgusting but at
least this makes the layer violation obvious.
Fix a regression introduced by the M_PROTO1 loop prevention cleaning
because gif(4) was abusing this flag to figure out if the packet was
coming from a bridge(4).
Thanks to goda@ for finding this!
ok goda@, claudio@
|
|
This pseudo-option is a hack to support return-rst on bridge(4). It
passes Ethernet information via a "struct route" through ip_output().
"struct route" is slowly dying...
ok claudio@, benno@
|
|
OK benno@
|
|
to never return the internal RNF_ROOT nodes. This removes the checks
in the callee to verify that not an RNF_ROOT node was returned.
OK mpi@
|
|
ok guenther@, henning@
|
|
Tweak and ok florian@
|
|
ok stsp mpi
|
|
involved. For outgoing packets the IPsec layer did not clear the
sending socket from the mbuf when the address changed. This resulted
in strange state match and create behavior in pf. So clear the pf
statekey and inp in the packet header for both directions when the
address changes.
Mark Patruck reported the bug, identified my problematic commit and
tested the fix.
OK mikeb@
|
|
Recent changes to support multiple interface routes broke the
assumption made by all our userland routing daemons concerning
interface routes. Historically such routes had a "gateway"
sockaddr of type AF_LINK. But to be able to support multiple
interface routes as any other multipath routes, they now have
a unique "gateway" sockaddr containing their corresponding IP
address.
This self-describing flag should avoid ambiguity when dealing
with interface routes.
Issue reported by <mxb AT alumni DOT chalmers DOT se> and benno@
ok claudio@, benno@
|
|
Note that current code is safe because an explicit check exists
in route_output().
Pointed out by claudio@ while reviewing another diff.
|
|
ok bluhm@, claudio@, dlg@
|
|
The limit between the radix layer and the route layer is somewhat
vague, if it exists at all. This change prevents rtrequest1(9) from
finding and deleting the root node (RNF_ROOT) when trying to delete a
non-existing default route:
# route delete 0.0.0.0
delete host 0.0.0.0
# route delete 0.0.0.0
route: writing to routing socket: No such process
delete host 0.0.0.0: not in table
Historically rn_delete() was a no-op when called with an internal
node as argument. But there's no reason to manipulate such a node.
In a better world rn_match() would contain such a check, but let's
change the perfect-match function for the moment as this fixes a
bug and many dragons are lurking in there.
Fix a regression introduced by the big refactoring of r1.40 and
reported by tobias@.
ok tobias@, claudio@, pelikan@
|
|
pipex and bridge. this puts KERNEL_LOCK/KERNEL_UNLOCK around the pipex
chunk till we can give it some mp love.
ok yasuoka@ mpi@
|