Age | Commit message | Author
restore afterwards
help & ok theo
ok theo
ok and help theo
right now it only connects to bgpd and prints a list of neighbors and their
status; that will change.
only implemented type yet is IMSG_CTL_SHOW_NEIGHBOR which sends back
the struct peer for all neighbors.
will be used by bgpdctl
imsg into the buffer. since imsg_get by definition only returns one imsg we
missed the next imsg(s) until the next poll event on the socket in question,
building up a queue on that socket. didn't show up as a problem yet...
factor out imsg_read, which reads into the buffer. imsg_get now entirely
operates on the buffers and does not read(2) itself.
make all callers cope by calling imsg_read on poll events and calling
imsg_get in a loop until all imsgs are processed.
causes a conflict with upcoming changes
instead of aborting outright with loads of files unregistered...
1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.
2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.
3) It is possible to write rules that apply to a group of interfaces
(drivers), like "pass in on ppp all"
4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.
5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.
6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"
7) Scrub rules now support the !if syntax.
8) States can be bound to the specific interface that created them or
to a group of interfaces for example:
- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)
9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.
10) "pfctl -ss" will now print the interface scope of the state.
This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)
Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel
ok deraadt@ mcbride@
From: Patrick Latifi <pat@eyeo.org>
all three) after buf_open failure. as this does not happen normally (except
for in out of memory cases) it wasn't noticed.
From: Patrick Latifi <pat@eyeo.org>
detected a closed connection which caused an fsm call which causes a
deallocation of said resources
(that was long for "missing return")
ok deraadt@
- sort options
- document "-out filename" for gendsa
- typos and grammar
originally from Alexander.Farber@t-online.de
Also remove unused hlen variable.
A pfsync system which receives a partial update for a state it cannot
find can now request a full version of the update, and insert it.
pfsync'd firewalls now converge more gracefully if one is missing some
states (due to reset, lost insert packets, etc).
From: Dries Schellekens <gwyllion@ace.ulyssis.org>
performance even further.
gets rid of struct imsg_readbuf; rename peer_read_buf to read_buf as that
is more appropriate now.
local-addr -> local-address
pfsync_state struct.
makes more sense this way
From: Dries Schellekens <gwyllion@ace.ulyssis.org>
changed.
if it is absent but was present before, call kroute_fib_couple
if it is present but was absent before, call kroute_fib_decouple
internal view to the kernel routing table respectively removing them all from
the kernel routing table
kroute_shutdown is now a simple wrapper to kroute_fib_decouple