Age | Commit message | Author |
|
ok deraadt@ sthen@
|
|
cleaned up to be less gross after some suggestions from stsp.
ok stsp@
|
|
of the id payload, so using the existing id printer. ok dlg@
|
|
|
|
ok yasuoka@
* add many missing truncation checks and don't output control
characters to the terminal
ok sthen@
|
|
options are specified.
ok claudio@ sthen@ deraadt@ jmc@
|
|
|
|
calculation. Mostly from tcpdump.org; ok jsing@
|
|
syntax errors found by mandoc(1), also required to fix the mandoc build;
ok jmc@
|
|
- sync actions with PF changes (pass/block/match not just pass/block,
and remove some binat/nat/rdr entries)
- list all reason codes in tcpdump(8)
ok henning jmc
|
|
is run with -v. This behavior is analogous to ipv4.
ok mpf@ todd@
|
|
treat them the same as truncated packets
ok sthen
|
|
|
|
Found by parfait.
|
|
|
|
used to carry GPRS data over IP for GSM and UMTS networks. The decoder
understands GTPv0, GTPv0', GTPv1-C, GTPv1-U and GTPv1' traffic, however
at this stage not all TLV fields are fully decoded.
This work has been kindly sponsored by SystemNet AS (www.systemnet.no).
"commit" deraadt@
|
|
|
|
tables on top of a rdomain) but until now our code was a crazy mix so that
it was impossible to correctly use rtables in that case. Additionally pf(4)
only knows about rtables and not about rdomains. This is especially bad when
tracking (possibly conflicting) states in various domains.
This diff fixes all or most of these issues. It adds a lookup function to
get the rdomain id based on a rtable id. Makes pf understand rdomains and
allows pf to move packets between rdomains (it is similar to NAT).
Because pf states now track the rdomain id as well it is necessary to modify
the pfsync wire format. So old and new systems will not sync up.
A lot of help by dlg@, tested by sthen@, jsg@ and probably more
OK dlg@, mpf@, deraadt@
|
|
survived a full make build on i386;
"sure" deraadt@
|
|
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms
|
|
additional checks to make sure the known capabilities are correctly
encoded and not truncated. Help and OK sthen@
|
|
and handle 32-bit ASN. ok claudio@
|
|
of pcap_live and priv_pcap_live in rev 1.6 to differ from the implementations,
change the type back to what it was.
ok djm@
|
|
|
|
|
|
ICMP_UNREACH_PORT. from Peter J. Philipp, ok jsing@. Closes system/6149.
|
|
|
|
|
|
with deraadt@, mcbride@, and mpf@ it is obvious that a hmac doesn't make
sense for pfsync.
this also firms up some of the input parsing so it handles short frames a
bit better.
|
|
|
|
frame according to the pfsync header. don't try to parse an unsupported
version of the protocol.
|
|
ok hshoexer msf
|
|
WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC
this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsync's handling of pf states is
highly optimised now, along with packet parsing and construction.
huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.
ok beck@ mcbride@ "good." deraadt@
|
|
|
|
without knobs. ok djm, deraadt.
|
|
that new line restores the one-line -> one-packet semantics.
ok hshoexer@, henning@, markus@
|
|
OK canacar@
|
|
packet and thus modifying it use local variables instead. Otherwise,
hexdumping packets shows corrupted data.
ok markus@ some time ago
|
|
type number 0x88a8 specified by 802.1ad.
from reyk on misc@. "ok, go for it" dlg
|
|
the xauth vendor id is a hash of "draft-ietf-ipsra-isakmp-xauth-06.txt"
and defined in the document "draft-ietf-ipsec-isakmp-xauth-06.txt".
|
|
ok hshoexer@
|
|
ok henning@
|
|
Code from tcpdump.org with cleanup and shrinkage by me.
Help and ideas for extra sanity checks from canacar@
OK canacar@
|
|
provided by canacar@. I just modified it a bit to skip the data link proto
number as well. OK deraadt@
|
|
Don't increment a pointer *before* testing it for NULL.
OK canacar@
|
|
OK deraadt@ and millert@
|
|
forgotten in one of my trees
|
|
- Mechanical change: Use arrays for state key pointers in pf_state, and
addr/port in pf_state_key, to allow the use of indexes.
- Fix NAT, pfsync, pfctl, and tcpdump to handle the new state structures.
In struct pfsync_state, both state keys are included even when identical.
- Also fix some bugs discovered in the existing code during testing.
(in particular, "block return" for TCP packets was not returning an RST)
ok henning beck deraadt
tested by otto dlg beck laurent
Special thanks to users Manuel Pata and Emilio Perea who did enough testing
to actually find some bugs.
|
|
creation time. OK mcbride@, henning@.
|
|
from Alf Schlichting;
help/ok henning
|