Age | Commit message | Author

imsg into the buffer. since imsg_get by definition only returns one imsg we
missed the next imsg(s) until the next poll event on the socket in question,
building up a queue on that socket. didn't show up as a problem yet...
factor out imsg_read, which reads into the buffer. imsg_get now entirely
operates on the buffers and does not read(2) itself.
make all callers cope by calling imsg_read on poll events and calling
imsg_get in a loop until all imsgs are processed.

causes a conflict with upcoming changes

instead of aborting outright with loads of files unregistered...

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.
2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.
3) It is possible to write rules that apply to a group of interfaces
(drivers), like "pass in on ppp all"
4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.
5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.
6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"
7) Scrub rules now support the !if syntax.
8) States can be bound to the specific interface that created them or
to a group of interfaces, for example:
- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)
9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.
10) "pfctl -ss" will now print the interface scope of the state.
This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)
Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel
ok deraadt@ mcbride@

From: Patrick Latifi <pat@eyeo.org>

all three) after buf_open failure. as this does not happen normally (except
in out-of-memory cases) it wasn't noticed.

From: Patrick Latifi <pat@eyeo.org>

detected a closed connection which caused an fsm call which causes a
deallocation of said resources
(that was long for "missing return")

ok deraadt@

- sort options
- document "-out filename" for gendsa
- typos and grammar

originally from Alexander.Farber@t-online.de

Also remove unused hlen variable.

A pfsync system which receives a partial update for a state it cannot
find can now request a full version of the update, and insert it.
pfsync'd firewalls now converge more gracefully if one is missing some
states (due to reset, lost insert packets, etc).

From: Dries Schellekens <gwyllion@ace.ulyssis.org>

performance even further.
gets rid of struct imsg_readbuf; rename peer_read_buf to read_buf as that
is more appropriate now.

local-addr -> local-address

pfsync_state struct.

makes more sense this way

From: Dries Schellekens <gwyllion@ace.ulyssis.org>

changed.
if it is absent but was present before, call kroute_fib_couple
if it is present but was absent before, call kroute_fib_decouple

internal view to the kernel routing table respectively removing them all from
the kernel routing table
kroute_shutdown is now a simple wrapper to kroute_fib_decouple

whether there's another (bigger-prefix) non-bgp route suitable to reach the
prefix, and if that is the case change the references over to the new route.
if not, we need to invalidate the nexthop.
unfortunately, we cannot just call kroute_nexthop_insert (which does these
checks) again, as it does too much.
factor out the matching and reference adding code from kroute_nexthop_insert
to a new kroute_nexthop_checkmatch(), and make the surrounding stuff cope.
the kroute parts of "static route addition/deletion affects nexthop-validity"
work now.

that is flagged invalid yet and make it valid, notify RDE etc

zap aspath->state, which was a copy of aspath->nexthop->state, for a tiny
little bit faster access. tho, it happened what had to happen, they ran
out of sync.
it's just not worth it.
also add a missing LIST_INIT.

(in other words, make sure true_nexthop always has the right ip address
for nexthops in state reachable)

somehow...

the exit nexthop as the latter will only work if the two happen to be equal

The bgpd.conf program didn't first appear in OpenBSD 3.5, because,
well, a config file is not a program.

o do not send a kroute_add request when the only aspath for the given
  prefix has a nexthop which is not reachable (can be unreachable or
  unchecked - that's why the check for == unreachable is not enough)

and gcc should have complained... well.

make the callers cope.