summaryrefslogtreecommitdiff
path: root/sys/net
AgeCommit message (Collapse)Author
2005-08-16Only send the PFSS_TIMESTAMP timestamp bit across the wire, in case weChristopher Pascoe
want to map the remaining bits to something else later on.
2005-08-16Synchronise timestamp modulation and scrubbing min ttl information.Christopher Pascoe
ok henning mcbride, looks good frantzen
2005-08-14don't require a valid route when configuring the tunnel;Markus Friedl
from Stephen Marley; ok deraadt@
2005-08-13Partial backout of previous revision, reinstates the ability to propagateChristopher Pascoe
a kill message for a state that was generated on another firewall.
2005-08-12Use actual packet contents when sending protocol rejects. Fixes PR 4305.Can Erkin Acar
Different fix tested by the submitter, xiangbo3 at gmail com. ok claudio@
2005-08-12Fill out interface name and state creation time correctly inChristopher Pascoe
DIOCGETSTATE. ok dhartmei mcbride
2005-08-11Remove bogus debug printf().Ryan Thomas McBride
ok ho@
2005-08-11Only decrement the max-src-conn counter for tcp connections that reachedJoel Knight
"established" state. Requires recompiling pfctl, etc. ok dhartmei@
2005-08-10kill spaces OK deraadt@Claudio Jeker
2005-08-10Add an additional media subtype IFM_TDM_E1_G704_CRC4 for TDM interfaces.Claudio Jeker
This makes it possible to distinguish between E1 G.704 mode with and without CRC4 checksum. Also add an operating mode IFM_TDM_MASTER to specify that the card has to provide the clock source for the line. OK deraadt@ canacar@
2005-08-07Do not blindly reset the state count to zero after a clear, as we may notChristopher Pascoe
have purged all states in the case when an interface name was specified. pf_purge_expired_states should decrease the count as appropriate. ok dhartmei
2005-08-07verify ticket in DIOCADDADDR, from Boris Polevoy, ok deraadt@Daniel Hartmeier
2005-08-07Reset kif->pfik_ifp to NULL before calling pfi_kif_unref(), similar changeChristopher Pascoe
to that in rev 1.40 for interface groups. ok henning
2005-08-06correct some spellosChristopher Pascoe
2005-08-05make three functions non-static (namespace is no issue, they might getDaniel Hartmeier
inlined), ok art@
2005-08-04instead of static locals, malloc/free. the goal is to reduce stack usage,Daniel Hartmeier
but statics are dangerous in case of concurrency. ok deraadt@
2005-08-03prevent unaligned memory access when processing LCP echo packets,Can Erkin Acar
making pppoe(4) work on sparc64. Fixes PR-4311 Reported and fix tested by David Coppa < dcoppa at gmail com >
2005-08-03Do not send "deletion" messages for states created by other pfsync peers whenChristopher Pascoe
they timeout. Any other hosts that have also learnt these states will already know that they are due to time out. ok henning
2005-08-03Eliminate another case where pool routines are called without process context.Christopher Pascoe
Instead of purging immediately, let the state be purged at the purge interval. ok henning
2005-08-03use flag macro instead of constantChristopher Pascoe
2005-08-02pass the AF in network byte order to bpfMarkus Friedl
2005-08-02Instead of copying a table structure so we can mask off a bit beforeChristopher Pascoe
"validating" it, pass the bits to be ignored down to the validating function in its allowedflags argument. Saves a 1kB+ stack allocation. ok henning@
2005-08-01Minor whitespace cleanup.Christopher Pascoe
2005-08-01Use a string directly rather than making a copy, save on stack space.Christopher Pascoe
Use a static buffer for another large variable, pending further analysis. prodded deraadt
2005-07-31Perform pf state/rule/table expiry in a kernel thread instead of runningChristopher Pascoe
it out of a timeout handler. This means we will have process context, required when using the oldnointr pool allocator. Addresses pr4186, pr4273. ok dhartmei@ henning@ tedu@
2005-07-31Missed argument in previous commit, applied separately to ease merges.Christopher Pascoe
2005-07-31Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chainChristopher Pascoe
to bpf with either an address family or other header added. These helpers only allocate a much smaller struct m_hdr on the stack when needed, rather than leaving 256 byte struct mbufs on the stack in deep call paths. Also removes a fair bit of duplicated code. commit now, tune after deraadt@
2005-07-31Change the API for icmp_do_error so that it takes the mtu directly, ratherChristopher Pascoe
than a pointer to struct ifnet containing it. Saves a 448 byte stack allocation in ip_forward which previously faked up a struct ifnet just for this purpose. idea ok deraadt millert
2005-07-29Use one "struct pf_state key" declaration at top of pf_test_state_icmp,Christopher Pascoe
instead of allocating it as a temp var in six mutually exclusive code paths. Saves 784 bytes of kernel stack (on i386).
2005-07-28rev 1.18Brad Smith
when there are multiple matches for the requested media, select the first matching instance rather than the last one. From chs NetBSD
2005-07-26Add missing newline to error message.Christopher Pascoe
2005-07-21account ipv4 packets with wrong tcp/udp/icmp checksums and udpMarkus Friedl
packets with invalid uh_len; ok dhartmei
2005-07-20need to reset kif->pfik_group to NULL before calling pfi_kif_unref() so it canHenning Brauer
notice that this kif is not referenced and not attached to an interface or a group and actually deletes it. plugs a memleak, PR 4267 is caused by this.
2005-07-19Remove vlan_input_tag() since all four drivers that used it have beenCamiel Dobbelaar
reworked to not strip vlan tags in hardware anymore. ok brad henning jason
2005-07-18Use M_PREPEND to take advantage of any slack leading space in the mbuf.Camiel Dobbelaar
ok markus jason henning brad
2005-07-12default mtu to no more than ETHERMTU to avoid fragmentation; henning@ okMichael Shalayeff
2005-07-11add missing {} around TAILQ_FOREACH block, found by David HillDaniel Hartmeier
2005-07-09ANSI protosBrad Smith
2005-07-05- prototype must not have variable name.Brad Smith
From itojun NetBSD - Fix signed/unsigned comparison warnings. - Make ifm_data unsigned. - Make media and mask unsigned. From thorpej NetBSD ok deraadt@
2005-07-04in if_group_routechange(), when checking wether a default route was changedHenning Brauer
to trigger an if_group_egress_build() call, stop looking at the mask in the v4 case, at least until I figured out why we sometimes see masks full of crap.
2005-07-04restrict the tcp.finwait timeout (45s) to state combinations where we haveMarkus Friedl
seen a FIN from both sides (whether ACKed or not) and use tcp.closing (900s) for half closed connections. otherwise half closed connections will time out within 45s. ok dhartmei, henning.
2005-07-03rev 1.13Brad Smith
when changing to an unsupported media type, return EINVAL instead of ENXIO. From NetBSD
2005-06-30in order for pfvar.h not to conflict with openssl's crypto.h, useNikolay Sturm
PF_MD5_DIGEST_LENGTH instead of including crypto/md5.h ok markus@, henning@, mpf@
2005-06-25hide name2id prototypes in #ifdef _KERNEL, claudio okHenning Brauer
2005-06-23update if_lastchange for evey IFF_UP change not only SIOCSIFFLAGS; henning@ okMichael Shalayeff
2005-06-16no need for NVLAN; ok jason, brad, camielMarkus Friedl
2005-06-14rename function and define to reflect the external -> egress name changeHenning Brauer
so it is clear what it is all about
2005-06-14use "egress" instead of "external" for the interface group containing theHenning Brauer
interfaces the default route(s) point to, proposed deraadt some days ago, ok djm deraadt
2005-06-13check wether mask is NULL in if_group_routechange before dereferencingHenning Brauer
2005-06-13spurious XXX comment left over from interface abstraction code whackingHenning Brauer