path: root/sys/net
Age         Author / Commit message

2003-08-25  Federico G. Schwindt
    if_init support, required by ieee80211.
    deraadt@ ok.

2003-08-25  Federico G. Schwindt
    add DLT_IEEE802_11; deraadt@ ok.

2003-08-24  Federico G. Schwindt
    defines and struct for the ieee80211 framework; deraadt@ ok.

2003-08-22  David Krause
    pf spelling police
    ok dhartmei@ jmc@

2003-08-22  Henning Brauer
    KNF

2003-08-22  Mike Frantzen
    don't expose pf_osfp_fingerprint() to ! _KERNEL. tcpdump et al use
    pf_osfp_fingerprint_hdr() which doesn't work on mbufs. pointed out by Max Laier

2003-08-21  Mike Frantzen
    Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
    Exposes the source IP's operating system to the filter language.
    Interesting policy decisions are now enforceable:
      . block proto tcp from any os SCO
      . block proto tcp from any os Windows to any port smtp
      . rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001

2003-08-18  Daniel Hartmeier
    prevent looutput() feedback of broadcast/multicast packets if they are
    pf routed. prevents a kernel lockup with some (non-sensical) route-to
    rules. report and debugging by mpech@. ok itojun@, henning@, mpech@.

2003-08-17  Daniel Hartmeier
    Missing break, change NULL -> 0 for int parameter (no functional
    changes), from Andrey Matveev

2003-08-15  Ted Unangst
    change arguments to suser. suser now takes the process, and a flags
    argument. old cred only calls user suser_ucred. this will allow future
    work to more flexibly implement the idea of a root process. looks like
    something i saw in freebsd, but a little different. use of suser_ucred
    vs suser in file system code should be looked at again, for the moment
    semantics remain unchanged. review and input from art@ testing and
    further review miod@

2003-08-14  Jason Wright
    m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.

2003-08-11  Daniel Hartmeier
    Fix DIOCCHANGEADDR, use the supplied ticket instead of 0.

2003-08-09  Cedric Berger
    This patch removes the restriction that tables cannot be used in routing or
    redirection rules... The advantage of using tables in redirection/routing
    rules is not efficiency, in fact it will run slower than straight address
    pools. However, this brings a lot of flexibility to PF, allowing simple
    scripts/daemons to add/remove addresses from redirection/routing pools
    easily. This implementation supports all table features, including cidr
    blocks and negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 }
    will correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.
    Tables can also be combined with simple addresses, so the following rule
    will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"
    ok henning@ mcbride@

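An added example, not pf's own code (pf keeps tables in a radix tree and walks that): the pool semantics the message above describes, on a constructed table. It models pf's most-specific-entry rule, so a negated /32 inside a /29 excludes that one host, and a round-robin cursor that only yields addresses the table contains. It also covers the "plain address plus table" case from the message. The names struct tentry, table_contains, table_bounds, pool_next and pool_sequence are hypothetical, IPv4 only is assumed, and the linear membership scan is an illustration that only suits small contiguous pools.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not pf code.  One table entry: a CIDR block, a plain
 * address (prefix 32), or a negated ("!") entry.  Addresses are IPv4 in
 * host byte order; 0.0.0.0 is not a valid pool member here because 0 is
 * used as the "nothing found" return value.
 */
struct tentry {
    uint32_t addr;
    int      prefix;   /* 0..32 */
    int      neg;      /* 1 for a "!" entry */
};

static uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) |
           ((uint32_t)c << 8)  | (uint32_t)d;
}

static uint32_t prefix_mask(int prefix)
{
    return prefix == 0 ? 0 : 0xffffffffu << (32 - prefix);
}

/* 1 if the most specific entry covering `a` is not negated, else 0. */
int table_contains(const struct tentry *tbl, int n, uint32_t a)
{
    int best = -1;
    for (int i = 0; i < n; i++) {
        uint32_t m = prefix_mask(tbl[i].prefix);
        if ((a & m) != (tbl[i].addr & m))
            continue;                       /* entry does not cover a */
        if (best < 0 || tbl[i].prefix > tbl[best].prefix)
            best = i;                       /* longer prefix wins */
    }
    return best >= 0 && !tbl[best].neg;
}

/* Lowest and highest address any non-negated entry can cover. */
void table_bounds(const struct tentry *tbl, int n, uint32_t *lo, uint32_t *hi)
{
    int first = 1;
    for (int i = 0; i < n; i++) {
        if (tbl[i].neg)
            continue;
        uint32_t m = prefix_mask(tbl[i].prefix);
        uint32_t l = tbl[i].addr & m, h = tbl[i].addr | ~m;
        if (first || l < *lo) *lo = l;
        if (first || h > *hi) *hi = h;
        first = 0;
    }
    if (first) { *lo = 1; *hi = 0; }        /* empty table: lo > hi */
}

/*
 * One round-robin step: advance *cur to the next address in [lo, hi]
 * that the table contains, wrapping from hi back to lo.  Start with
 * *cur == hi so the first pick is the lowest member.  Returns 0 when
 * the table contains nothing in range.
 */
uint32_t pool_next(const struct tentry *tbl, int n,
                   uint32_t lo, uint32_t hi, uint32_t *cur)
{
    if (lo > hi)
        return 0;
    uint64_t span = (uint64_t)hi - lo + 1;
    uint32_t a = *cur;
    for (uint64_t i = 0; i < span; i++) {
        a = (a < lo || a >= hi) ? lo : a + 1;
        if (table_contains(tbl, n, a)) {
            *cur = a;
            return a;
        }
    }
    return 0;
}

/* Fill out[] with up to k successive picks from a fresh cursor. */
int pool_sequence(const struct tentry *tbl, int n, uint32_t *out, int k)
{
    uint32_t lo, hi, cur;
    int got = 0;
    table_bounds(tbl, n, &lo, &hi);
    cur = hi;
    for (int i = 0; i < k; i++) {
        uint32_t a = pool_next(tbl, n, lo, hi, &cur);
        if (a == 0)
            break;
        out[got++] = a;
    }
    return got;
}

int main(void)
{
    /* Constructed table: { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } */
    struct tentry tbl[] = {
        { ip4(10, 0, 0, 0), 29, 0 },
        { ip4(10, 0, 0, 0), 32, 1 },
        { ip4(10, 0, 0, 7), 32, 1 },
    };
    uint32_t seq[8];
    int n = pool_sequence(tbl, 3, seq, 8);
    for (int i = 0; i < n; i++)             /* .1 .. .6, then .1 .2 again */
        printf("10.0.0.%u\n", (unsigned)(seq[i] & 255));
    return 0;
}
```

The negated /32 entries beat the /29 because the longest matching prefix decides membership, which is what turns an eight-address block into the six-address pool the message describes.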
2003-08-07  Henning Brauer
    make pf_match take u_int32_t instead of u_int16_t
    it's not only used to match on ports any more but uid/gid as well, and
    uid_t/gid_t are u_int32_t. found by aaron@ ok cedric@

2003-07-31  Cedric Berger
    Make table tickets per-ruleset instead of global.
    Make table tickets u_int32_t for consistency with other parts of PF.
    Ok dhartmei@ henning@

2003-07-29  Jun-ichiro itojun Hagino
    avoid stack smash on FDDI case. found by kernel propolice.
    markus ok. miod/paul confirmed

2003-07-29  Daniel Hartmeier
    Set pf_state->rt_ifp when creating the state entry, instead of doing it
    later on, when another packet matches the state. ok mcbride@

2003-07-29  Cedric Berger
    More aggressive and easier to understand skip steps for addresses.
    Help daniel@ mcbride@ Ok henning@ mcbride@

2003-07-28  Jun-ichiro itojun Hagino
    typo. from cedric

2003-07-25  Jun-ichiro itojun Hagino
    do not flip ip_len/ip_off. pechkin and henning ok

2003-07-25  Jason Wright
    %lu for u_long arg

2003-07-24  Jun-ichiro itojun Hagino
    conform to RFC2367 on SADB_xx naming (local name must be prefixed with
    SADB_X_xx)

2003-07-24  Jun-ichiro itojun Hagino
    hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok

2003-07-23  Jun-ichiro itojun Hagino
    remove packets in queues (like ipintrq) with m->m_pkthdr.rcvif pointing
    to detached if. deraadt ok

2003-07-19  Cedric Berger
    Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
    instead of indirectly through struct pf_rule_addr. Ryan McBride says:
    If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr
    as well. The code was changed to fix some of the bugs with port ranges,
    but it was too late in the release cycle to make kernel API changes, so
    the structure was left as is.
    Needless to say: KERNEL/USERLAND SYNC REQUIRED.
    ok henning@ mcbride@

2003-07-18  David Krause
    add missing includes
    ok tedu@

2003-07-17  Mike Frantzen
    fix scrub frag reassembly after the stack's ip_len/ip_off flip correction
    ok itojun@ and dhartmei@. heckling from henning@

2003-07-15  Daniel Hartmeier
    Adjust pflog after recent byte order changes, fixes the 'truncated-ip'
    errors on pflog0. Reported and tested by Ben Lovett. ok frantzen@, cedric@

2003-07-15  Jason Wright
    no named args in prototypes

2003-07-12  Daniel Hartmeier
    Remove two htons(), which were meant as ntohs(), and are wrong since
    ip_output() flipped byte order. From Pyun YongHyeon. ok itojun@

2003-07-12  Daniel Hartmeier
    Prevent u_int16_t variable from overflowing and get rid of the compiler
    warning. From Pyun YongHyeon. ok itojun@

2003-07-10  Jun-ichiro itojun Hagino
    correct another incorrect comparison in ip6 normalization.
    don't use m->m_pkthdr.len for checking, as it is not reliable

2003-07-10  Jun-ichiro itojun Hagino
    wrong comparison of IPv6 packetsize

2003-07-09  Jun-ichiro itojun Hagino
    check if m->m_pkthdr.len is too short

2003-07-09  Jun-ichiro itojun Hagino
    don't check exact ip6_plen and m->m_pkthdr.len match, as ip6_input()
    does the m_adj() only after filtering. reported by marc

2003-07-09  Jun-ichiro itojun Hagino
    do not flip ip_len/ip_off in netinet stack. deraadt ok.
    (please test, especially PF portion)

2003-07-09  Daniel Hartmeier
    KNF

2003-07-05  Jun-ichiro itojun Hagino
    backout 1.29; problem reported by Rukh w/ userland ppp.

2003-07-04  Markus Friedl
    cosmetic changes to keep the different code paths in sync; ok henning

2003-07-04  Henning Brauer
    -add a "natpass" field to pf_rule
    -if natpass is nonzero on nat/rdr/binat rules, do not evaluate the filter
     ruleset, but set the rulepointer to the default rule (which is a pass rule)
    in cooperation with daniel. ok dhartmei@ cedric@ markus@

2003-07-04  Markus Friedl
    bad redundant copy; ok daniel

2003-07-03  Jun-ichiro itojun Hagino
    unused global. dhartmei ok

2003-07-01  Jun-ichiro itojun Hagino
    wrap pf_normalize_ip6() by #ifdef INET6. pointed out by Wouter Clarie

2003-06-30  Henning Brauer
    change that queue ID allocator so it always has the queues sorted by ID.
    that allows us to get rid of the "tagid" global which stored the highest
    tag ID in use. when allocating a new ID scan the list for a free slot and
    only use highest + 1 on failure instead of using highest + 1 from the
    beginning scanning for a dup afterwards. this prevents ID space
    fragmentation better. as a result this allows us to get rid of the
    pf_tag_purge() function completely and let pf_tag_unref() remove an entry
    once the reference counter reaches zero by itself. after all it makes for
    easier code and is about 50% faster. idea came up during a discussion on
    icb earlier today between cedric and myself, which itself was particularly
    inspired by Darren Reed questioning the need for pf_tag_purge on
    tech-net@netbsd. ok dhartmei@ cedric@

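An added example, not the pf code the message above refers to: a sorted-list name-to-ID allocator with the properties it describes. The list is kept sorted by ID, so a hole is found by the first entry whose ID differs from a running counter; the lowest free ID is reused and highest+1 is taken only when there is no hole, and the unref path frees an entry the moment its reference count reaches zero, so no separate purge pass is needed. struct tag, tag_alloc, tag_unref and tag_count are hypothetical names, the 16-bit ID space is an assumption, and a plain singly linked list stands in for the kernel's queue macros.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not pf code. */
#define TAG_NAME_MAX 64
#define TAG_ID_MAX   0xffffu          /* assumed 16-bit ID space; 0 is never valid */

struct tag {
    struct tag *next;                 /* next entry, ascending by id */
    unsigned    id;
    int         refcnt;
    char        name[TAG_NAME_MAX];
};

static struct tag *tag_head;          /* list head, always sorted by id */

/*
 * Return the ID for `name`, adding a reference; create the entry if it
 * does not exist.  Walking the sorted list with a counter starting at 1,
 * the first entry whose id is not the counter value marks a hole, and
 * the new entry goes there.  Only when there is no hole does the counter
 * end up at highest + 1.  Returns 0 on failure.
 */
unsigned tag_alloc(const char *name)
{
    struct tag *t, *prev = NULL, *n;
    unsigned id = 1;

    if (strlen(name) >= TAG_NAME_MAX)
        return 0;                     /* reject rather than silently truncate */
    for (t = tag_head; t != NULL; t = t->next) {
        if (strcmp(t->name, name) == 0) {
            t->refcnt++;              /* existing tag: one more reference */
            return t->id;
        }
    }
    for (t = tag_head; t != NULL; prev = t, t = t->next) {
        if (t->id != id)
            break;                    /* hole before t: reuse `id` */
        id++;
    }
    if (id > TAG_ID_MAX)
        return 0;                     /* ID space exhausted */
    n = calloc(1, sizeof(*n));
    if (n == NULL)
        return 0;
    n->id = id;
    n->refcnt = 1;
    snprintf(n->name, sizeof(n->name), "%s", name);
    n->next = t;                      /* t is the first entry with a larger id, or NULL */
    if (prev == NULL)
        tag_head = n;
    else
        prev->next = n;
    return id;
}

/* Drop one reference to `id`; unlink and free the entry when it hits zero. */
void tag_unref(unsigned id)
{
    struct tag *t, *prev = NULL;

    for (t = tag_head; t != NULL; prev = t, t = t->next) {
        if (t->id > id)
            return;                   /* sorted list: id is not present */
        if (t->id == id) {
            if (--t->refcnt == 0) {
                if (prev == NULL)
                    tag_head = t->next;
                else
                    prev->next = t->next;
                free(t);
            }
            return;
        }
    }
}

/* Number of live entries, for checks. */
int tag_count(void)
{
    int n = 0;
    for (struct tag *t = tag_head; t != NULL; t = t->next)
        n++;
    return n;
}

int main(void)
{
    unsigned a = tag_alloc("dmz"), b = tag_alloc("lan"), c = tag_alloc("wan");
    tag_unref(b);                     /* "lan" had one reference: freed, id 2 is now a hole */
    printf("%u %u %u -> hole reused as %u, then %u\n",
           a, b, c, tag_alloc("vpn"), tag_alloc("guest"));
    return 0;
}
```

Because the list is sorted, both the lookup-by-id in tag_unref and the hole search in tag_alloc can stop early, which is where the reduced work the message mentions comes from; the purge pass disappears because no caller ever leaves a zero-refcount entry behind.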
2003-06-30  Daniel Hartmeier
    reset interface statistics when loginterface is changed, closes pr3332,
    from Jason Ackley, ok henning@, cedric@

2003-06-30  Henning Brauer
    missing pf_tag_purge()
    cedric made me check

2003-06-30  Henning Brauer
    move prototype for pf_tag_purge() to pfvar.h

2003-06-29  Jun-ichiro itojun Hagino
    normalize IPv6 packet (no reass, but it is a start). dhartmei & henning ok
    - length, jumbo payload option
    - TTL ("hoplimit" in IPv6 terminology) rewrite

2003-06-29  Jun-ichiro itojun Hagino
    unused global. dhartmei ok

2003-06-28  Jun-ichiro itojun Hagino
    redundant (pfvar.h already has it)