Age | Commit message | Author |
|
ok claudio@
|
|
to prevent state key mismatches.
ok henning@
|
|
spotted by markus@
ok henning@ mpf@
|
|
Found by LLVM/Clang Static Analyzer.
ok mpf@ looks good mk@ ok henning@
|
|
Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.
ok art@, krw@
|
|
key stuff.
|
|
TIME_WAIT socket recycling code to redo the pcb lookup w/out
resetting the inp pointer. Therefore we used the stale pcb,
which leads us to reply with a RST to SYNs received on TIME_WAIT
sockets. Also move the findpcb label below the pf pcb cache lookup,
to avoid using a stale pcb when the caching code gets activated.
OK markus@, henning@
|
|
pcb. the state key ptr in the pcb is the one that had to be used by pf
outbound. but by convention the state key pointer in the pkthdr is the one
used INbound, so pf follows its reverse pointer to find the sk to use,
and since a reverse doesn't exist for locally terminated connections the
reverse pointer is null and thus the whole game a noop.
note that this only affects packets FROM local udp/tcp sockets, for the
other direction everything works as expected.
|
|
gets bigger than 255. OK henning@
|
|
header of the matching address family is available. Especially do
not read ip->ip_off from an IPv6 packet header.
ok markus
|
|
leak kernel memory for every closed v6 descriptor with certain options set
ok otto jsing todd claudio
|
|
of expected semantics. thus, for return packets coming out of an ipsec
tunnel, we need to clear the pf state key pointer in the mbuf header
to prevent a state for encapsulated traffic from being linked to the
decapsulated traffic one.
problem noticed by Oleg Safiullin <form@pdp-11.org.ru>, took me some
time to understand what the hell was going on. ok ryan
|
|
ok hshoexer claudio mpf henning
|
|
ok markus, also tested david sthen
|
|
skipping bitmasks to cover the entire 65536 port space - previously
they covered 512-1024 only.
sysctl needs to be updated to cope with this change; please
"make includes" before rebuilding it.
feedback millert@ ok millert@ deraadt@ markus@
|
|
when we first do a pcb lookup and we have a pointer to a pf state key
in the mbuf header, store the state key pointer in the pcb and a pointer
to the pcb we just found in the state key. when either the state key
or the pcb is removed, clear the pointers.
on subsequent packets inbound we can skip the pcb lookup and just use the
pointer from the state key.
on subsequent packets outbound we can skip the state key lookup and use
the pointer from the pcb.
about 8% speedup with 100 concurrent tcp sessions, should help much more
with more tcp sessions.
ok markus ryan
|
|
Not sure what's more surprising: how long it took for NetBSD to
catch up to the rest of the BSDs (including UCB), or the amount of
code that NetBSD has claimed for itself without attributing to the
actual authors.
OK deraadt@
|
|
ok bluhm@
|
|
whilst we're here.
ok henning@ deraadt@
|
|
even the unicast address of the remote carp peer. this especially
helps when the multicast carp advertisements are causing problems in
the network (some crappy switches don't do well with multicast), there
are conflicts with VRRP, or the policy of the network does not allow
multicast (most Internet eXchange points didn't allow carped OpenBGP
routers because of the multicast advertisements).
discussed with many
ok mpf@
|
|
ok markus@
|
|
ok reyk@
|
|
Reduces the amount of dmesg noise.
Tested and OK mcbride@
|
|
ok markus@ henning@
|
|
ok markus@ mcbride@ henning@ deraadt@
|
|
According to millert@ this would have been promoted from a short to an int
anyway, since K&R C cannot pass variables that are smaller than an int.
ok deraadt@ millert@
|
|
as an aid to readability
ok and thinko-catching henning@
|
|
also fix the correction amount. This was only really visible on tcpdump,
as a "truncated-ip6 - 48 bytes missing" warning. The inner packet made
it into the stack just fine, minus a few sanity checks.
reported by and debugged together with and ok todd@
|
|
do not process v4 headers as v6, 255 TTL + icmp (0x01) = ff01:: suddenly, eww!
debugged with bluhm@, verified by grunk@, ok markus@
|
|
ok deraadt@
|
|
parent instead of using RTP_DEFAULT. OK henning@
|
|
malloc();
ok henning@ some time ago
|
|
just insert arp entries. the inserted routes will have the right
priority no matter what, most times cloned.
problem found by Joerg Goltermann <jg@osn.de>, fix by his colleague
Armin Wolgermann <aw@osn.de>, ok claudio
|
|
take a proc argument, there's no need for these, since
they are just wrappers.
OK claudio@
|
|
get hung in nfs_reconnect() because they do not have the proper
privileges to bind to a socket, by adding a struct proc * argument
to sobind() (and the *_usrreq() routines, and finally in{6}_pcbbind)
and do the sobind() with proc0 in nfs_connect.
OK markus@, blambert@.
"go ahead" deraadt@.
Fixes an issue reported by bernd@ (Tested by bernd@).
Fixes PR5135 too.
|
|
Theo on an alpha ramdisk. OK deraadt@
|
|
|
|
ln_hold or la_hold into temporary storage and null ln_hold or
la_hold before manually processing the mbuf chain. Discard the mbuf chain
if it is put back in the hold area.
ok claudio@ markus@
|
|
OK henning@
|
|
ok claudio theo
|
|
|
for pf(4) diverted packets; based on patch by Scot Loach; ok beck@
|
|
The option allows a socket to be bound to addresses which are not
local to the machine. In order to receive packets for these addresses
SO_BINDANY needs to be combined with matching outgoing pf(4) divert
rules, see pf.conf(5).
ok beck@
|
|
makes transparent proxies much easier; ok beck@, feedback claudio@
|
|
and the one route with the lowest number wins. This will be used by the
routing daemons to resolve the synchronisation issue in case of conflicts.
The nasty bits of this are in the multipath code. If no priority is specified
the kernel will choose an appropriate priority.
Looked at by a few people at n2k8; code is much older.
|