| Age | Commit message (Collapse) | Author |
|---|
|
ok claudio@ henning@ mikeb@
|
|
to connect to the carp address when the carpdev interface has
an ip address too in the non-default rdomain.
ok claudio
|
|
the advskew as the master down timeout.
OK henning.
|
|
1.175.
ok henning mpf
|
|
in the v6 input path. IP6_EXTHDR_GET() internally uses m_pulldown(),
which might return a pointer to a different mbuf in the chain.
In this case, carp_cksum() will be called with the wrong mbuf.
This fixes occasional checksum mismatches.
Problem found and initial fix by stsp@
OK stsp@
|
|
IPv6.
ok claudio@
|
|
"af-to" a generic IP version translator for pf(4).
Not everything perfect yet but lets fix these things in the tree.
Insane amount of work done by sperreault@, mikeb@ and reyk@.
Looked over by mcbride@ henning@ and myself at eurobsdcon.
OK mcbride@ and general put it in from deraadt@
|
|
variables being processed.
ok bluhm@ henning@
|
|
This lets carp delete IFF_PROMISC on its carpdev upon destroy.
Fix from Stefan Rinkes.
OK sthen, bluhm, deraadt.
|
|
|
|
mkay? ok ryan
|
|
`net.pipex.enable' to enable PIPEX. By default, pipex is disabled
and it will not process packets from wire. Update man pages and
update HOWTO_PIPEX_NPPPD.txt for testers.
discussed with dlg@, ok deraadt@ mcbride@ claudio@
|
|
code. Missing chunks of the API are imported from the libc version,
with a few #ifdef's to port it into the kernel environment.
The bootblocks already used the newer code, and should encounter no
surprises since there are so few changes to the existing files. In
the kernel, ipcomp and kernel ppp are changed to the new API.
ipcomp has been tested.
ok tedu the brave
|
|
behaves as if SO_KEEPALIVE was set on all TCP sockets, forcing keepalives
to be sent every net.inet.tcp.keepidle half-seconds.
In conjunction with a keepidle value greatly reduced from the default,
this can be useful for keeping sessions open if you are stuck on a network
with short NAT or firewall timeouts.
Feedback from various people, ok henning@ claudio@
|
|
|
|
the issue in our kernel was the broadcast address calculated on the /31
caused a ton of checks for use of broadcast addresses to kick in and
prevent one of the two addresses on the /31 from being used.
this diff basically detects if a /31 has been configured and doesnt
configure a broadcast address for it, which makes the ips usable
for normal traffic.
i wrote this so i could interoperate with "carrier" network gear
better, and sthen wants it so he can conserve address space use.
the further special casing of broadcast address handling was from claudio@
ok claudio@ markus@ sthen@ henning@
|
|
again makes assumptions of the ifqueue internals, ok ryan claudio
|
|
ok claudio@
|
|
fix two typos (protcol -> protocol)
|
|
1.54.
ok claudio@ sosososo henning@
|
|
The functions were 95% identical anyway. While there use struct pf_addr
in struct pf_divert instead of some union which is the same.
OK bluhm@ mcbride@ and most probably henning@ as well
|
|
that are not up. OK henning.
|
|
with advertisement intervals of less than a second.
This is needed in setups where takover times < 3s are needed.
Don't use this unless you really need it. Running with
too agressive timeouts might lead to false positive
takeovers.
OK mcbride, claudio.
|
|
OK claudio@
|
|
a special meaning and should only be set if the link state is not known
because it is considered as being up. Use LINK_STATE_INVALID instead.
OK mpf@ mcbride@ henning@
|
|
while reading.
ok henning@ jsing@ tedu@ marco@ bluhm@ krw@
|
|
ok henning@ deraadt@
|
|
Fixes a case in bridge_output() where ARP requests are not broadcast
on interfaces without the discovery flag.
ok claudio deraadt
|
|
ok deraadt@
|
|
level that allows one to retrieve the original routing domain
of UDP datagrams diverted by the pf via "divert-to" with a
recvmsg(2).
ok claudio
|
|
|
|
specify the outgoing interface with a multicast option up. Doing
this before the route lookup allows multicast traffic to work even
when the default 224/4 reject route is installed. Raw IP and IPv6
already had this behaviour.
Based on work by Christiano F. Haesbaert. OK sthen@
|
|
this is not allowed according to Stevens and RFCs 5735 and 1122.
Suggestion to use ENETUNREACH from claudio.
OK phessler@, claudio@
|
|
at least krw@, pirofti@ and todd@ have been seeing panics (todd and krw
with xxxterm not sure about pirofti) involving pool corruption while
using this commit.
krw and todd confirm that this backout fixes the problem.
ok blambert@ krw@, todd@ henning@ and kettenis@
Double link between pf states and sockets. Henning has
already implemented half of it. The additional part is: -
The pf state lookup for outgoing packets is optimized by
using mbuf->inp->state.
- For incomming tcp, udp, raw, raw6 packets the socket
lookup always is optimized by using mbuf->state->inp.
- All protocols establish the link for incomming packets.
- All protocols set the inp in the mbuf for outgoing packets.
This allows the linkage beginning with the first packet
for outgoing connections.
- In case of divert states, delete the state when the socket
closes. Otherwise new connections could match on old
states instead of being diverted to the listen socket.
ok henning@
|
|
may lead to a race.
ok markus@ mikeb@
|
|
essentially identical; the only difference being that m_pullup2 is
capable of handling mbuf clusters, but called m_pullup for shorter
lengths (!).
testing dlg@ ok claudio@
|
|
are dropped and when normal program flow occurs.
Change error return value of syn_cache_add() from 0 to -1 in order
to clearly communicate intent.
ok claudio@
|
|
discussed with and ok claudio
|
|
The address hook was only registered for v4 addresses.
We now call hook_establish at interface creation time.
The hook is now disestablished upon interface destroy,
which plugs a tiny memleak.
While there remove redundancy in carp_set_addr6 and sync
it with carp_set_addr.
Bug noticed by todd@. OK sthen, mikeb (on an earlier version)
OK and some hints by camield@
|
|
regardless of the rdomain the packet was received on. Explicitly
pass the rdomain to the tcp_respond() monstrosity to compensate
for said monstricism which led to this behavior.
ok claudio@
|
|
This fixes the problem of binding sockets to broadcast IPs in other
rdomains.
OK henning@
|
|
local network boradcast. While there kill some leftover AF_IMPLINK
checks.
OK henning@, sthen@
|
|
These sockets will only see broadcast sent to that particular address.
Some applications like samba use this feature.
Problem found and initial version by sthen@, OK sthen@, henning@
|
|
pass it to the correct raw ip input function if IPsec is disabled.
ok todd@ mpf@ mikeb@ blambert@ matthew@ deraadt@
|
|
implemented half of it. The additional part is:
- The pf state lookup for outgoing packets is optimized by using
mbuf->inp->state.
- For incomming tcp, udp, raw, raw6 packets the socket lookup always
is optimized by using mbuf->state->inp.
- All protocols establish the link for incomming packets.
- All protocols set the inp in the mbuf for outgoing packets.
This allows the linkage beginning with the first packet for
outgoing connections.
- In case of divert states, delete the state when the socket closes.
Otherwise new connections could match on old states instead of
being diverted to the listen socket.
ok henning@
|
|
confusing because both addresses and broadcast addresses are put
into the tree.
there are two types of local address lookup. the first is when the
socket layer wants a local address, the second is in ip_input when
the kernel is figuring out the packet is for it to process or
forward.
ip_input considers local addresses and broadcast addresses as local,
however, the handling of broadcast addresses is different depending
on whether ip_directedbcast is set. if if ip_directbcast is unset
then a packet coming in on any interface to any of the systems
broadcast addresses is considered local, otherwise the broadcast
packet must exist on the interface it was received on.
the code also needs to consider classful broadcast addresses so we
can continue some legacy applications (eg, netbooting old sparcs
that use rarp and bootparam requests to classful broadcast addresses
as per PR6382). this diff maintains that support, but restricts it
to packets that are broadcast on the link layer (eg, ethernet
broadcasted packets), and it only looks up addresses on the local
interface. we now only support classful broadcast addresses on local
interfaces to avoid weird side effects with packets routed to us.
the ip4 socket layer does lookups for local addresses with a wrapper
around the global address tree that rejects matches against broadcast
addresses. we now no longer support bind sockets to broadcast
addresses, no matter what the value of ip_directedbcast is.
ok henning@
testing (and possibly ok) claudio@
|
|
There is a massive issue with broadcast addrs because ifa_ifwithaddr()
handles them differently then in_iawithaddr().
|
|
|
|
of a connection originator. this allows one to query the source rdomain
with a SO_RTABLE socket option. figured out with reyk, ok claudio.
|
|
endless loops by IPcomp-quine attacks as discovered by Tavis Ormandy;
it also prevents nested IPcomp-IPIP-IPcomp attacks provied by matthew@;
feedback and ok matthew@, deraadt@, djm@, claudio@
|
