Age | Commit message | Author |
|
the code relevant for UDP from sosend() and soreceive() into somove().
That allows the kernel to directly transfer the UDP data from one
socket to another.
OK claudio@
|
|
the pointer to the statekey in the mbuf.
When a UDP socket is spliced, pf would use this key during ip_output()
although the packet went through two sockets in the meantime. Reset
the mbuf's statekey in tcp_input() and udp_input() to eliminate the
pointer to pf lingering in the socket buffers.
OK claudio@
|
|
ok claudio
|
|
pointer. Allows stricter type checking. No functional change.
OK claudio@
|
|
worked with them to define a specific format, ietf quietly changed their
mind and did something different.
First step of transitioning over two releases -- accept both types, but
continue sending old format.
pointed out by david.dahlberg@fkie.fraunhofer.de
ok claudio
|
|
a gruesome union, to block the compiler from placing the struct
incorrectly aligned on stack frames
ok guenther
|
|
inside the NPF block. Fixes checksum issues seen on ramdisk kernels.
Initial diff by naddy@, tested and OK by many
|
|
-assume we have hardware checksum offloading. stop mucking with the
checksum in most of the stack
-stop checksum mucking in pf, just set a "needs checksumming" flag if needed
-in all output paths, very late, if we figure out the outbound interface
doesn't have hw cksum offloading, do the cksum in software. this especially
makes the bridge path behave like a regular output path
-little special casing for bridge still required until the broadcast path
loses its disgusting shortcut hacks, but at least it's in one place now
and not all over the stack
in6_proto_cksum_out mostly written by krw@
started at k2k11 in iceland more than 1.5 years ago - yes it took that
long, this stuff is everything but easy.
this happens to fix the infamous pf rdr bug that made us turn off proto
cksum offloading on almost all interface drivers.
ok camield sthen claudio, testing by many, thanks!
|
|
which packets (as in direction) of the traffic will be diverted
through the divert socket.
ok claudio@, henning@
|
|
ok mikeb@
|
|
Resurrect the rather silly "unplug my network device while I am
doing nfs diskless revarp" safety code which was disabled due to
a missing "ether.h" include, found by jsg
ok jsg
|
|
An NSC HYPERchannel remnant from the CSRG times bites the dust.
ok deraadt, reyk
|
|
is really needed, instead of an ethernet header and selector.
ok mikeb henning mpf
|
|
include sys/mbuf.h in net/pfvar.h.
Flagged by and ok guenther@
|
|
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.
This way we can get rid of a lot of list walks, improving performance
and shortening the code.
ok henning stsp sthen reyk
|
|
ok yasuoka@
|
|
are cleared as well; from hshoexer@, feedback and ok bluhm@, ok claudio@
|
|
with the latter
no change in md5 checksum of generated files
ok claudio@ henning@
|
|
to a radix_node struct.
The radix tree pushdown continues.
ok claudio@
|
|
in my tree for a while and I forgot what exactly triggered it, but in one
way or another this comes from the netbsd camp
ok benno mpf
|
|
the spl call in the icmp case may be too aggressive, but better safe
than sorry
ok claudio@
|
|
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@
|
|
(= before divert) destination port of a UDP packet. The way to use
this option is the same as IP_RECVDSTPORT.
from UMEZAWA Takeshi
tweaks from jmc; ok henning bluhm
|
|
Much ports testing of various versions by naddy@ and jasper@
ok matthew@, miller@
|
|
instead of allocating a new mbuf. This is a third or fourth
attempt to incorporate a change like this meaning a handful of
people have lost their hair trying to make it work, namely dlg@,
henning@, deraadt@, and thib@. Unfortunately the fixed version
was never put back which is exceptionally unfortunate since the
impact on performance is huge: it nearly doubles the forwarding
performance on selected hardware in simple setups.
So after being beaten in test and production environments on
several architectures it's ready to be put back again. We're
doing it early in the release cycle so that it will receive a
good test exposure.
ok deraadt, henning
|
|
L2TP packets.
ok markus henning
|
|
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage
|
|
OK henning@
|
|
since it may already be gone. Fixes panic seen by stsp@ when unplugging
a used USB interface. Tested and OK stsp@
|
|
three things that it needed from there: INET_ADDRSTRLEN, INET6_ADDRSTRLEN,
and struct in_addr. Add protecting #ifndefs to netinet6?/in6?.h for those.
ok deraadt@
|
|
added in 1.40). This fixes a pathological case where in_scrubprefix would
do the wrong thing. Found and reported by glebius@FreeBSD
OK bluhm@
|
|
and ifatoia(). No binary diff.
OK blambert@ henning@ claudio@
|
|
advertisements, according to RFC 6106.
original diff from Stephane A. Sezer on tech@, many thanks!
OK phessler@, todd@
|
|
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.
Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.
Tested against OpenBSD, Linux (strongswan) and Windows.
No objection from the usual suspects.
|
|
all the symbols that POSIX says they must and fewer that they can't and,
most importantly, to not require a specific ordering of headers.
ports testing by naddy@
ok millert@ deraadt@
|
|
bpf_mtap() needs to be called without the etherip_header.
Idea to use a forward declaration for struct tdb by claudio.
OK claudio@
|
|
figured out by and ok guenther
|
|
While there change IP_RTABLE to SO_RTABLE. IP_RTABLE will die soon.
With and OK guenther@
|
|
It could not use the destination address properly, so it failed to
find the pipex session. This bug caused LCP keepalive failures on some
clients.
found and tested by sebastia@ and mxb at alumni.chalmers.se.
ok sthen
|
|
don't have a MTU to announce in the icmp need fragment packet.
this fixes PMTU-discovery for TCP over IPsec; ok mpf@, fries@
|
|
no objection from mcbride@ krw@ markus@ deraadt@
|
|
- ipip_input() recalculate the IP header checksum if the tos bits
are changed after decapsulation. Otherwise these packets are
dropped later in the stack.
- ip_ecn_egress(): do not drop packets for IPsec if the outer
packet of a Tunnel has the ECN-CE bit set (Congestion Experienced)
and the inner packet does not indicate support for ECN.
- remove unused ip6_ecn_ingress(), ip6_ecn_egress() code
ok mikeb@
|
|
draft-ietf-tcpm-initcwnd. net.inet.tcp.rfc3390 defaults to 2 now which
uses the 10*MSS, setting it back to 1 brings back the old default of 4*MSS.
OK sperreault@, henning@, sthen@, markus@
|
|
While there make sure we do the lookup in the correct routing table.
OK mikeb, henning and phessler
|
|
from Tobias Ulmer (tobiasu at tmux.org); ok jmc@, krw@
|