summaryrefslogtreecommitdiffstats
path: root/sys/contrib/pf/net/pf_norm.c
Commit message (Collapse)AuthorAgeFilesLines
* o Create directory sys/netpfil, where all packet filters shouldglebius2012-09-141-1999/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | reside, and move there ipfw(4) and pf(4). o Move most modified parts of pf out of contrib. Actual movements: sys/contrib/pf/net/*.c -> sys/netpfil/pf/ sys/contrib/pf/net/*.h -> sys/net/ contrib/pf/pfctl/*.c -> sbin/pfctl contrib/pf/pfctl/*.h -> sbin/pfctl contrib/pf/pfctl/pfctl.8 -> sbin/pfctl contrib/pf/pfctl/*.4 -> share/man/man4 contrib/pf/pfctl/*.5 -> share/man/man5 sys/netinet/ipfw -> sys/netpfil/ipfw The arguable movement is pf/net/*.h -> sys/net. There are future plans to refactor pf includes, so I decided not to break things twice. Not modified bits of pf left in contrib: authpf, ftp-proxy, tftp-proxy, pflogd. The ipfw(4) movement is planned to be merged to stable/9, to make head and stable match. Discussed with: bz, luigi
* Merge the projects/pf/head branch, that was worked on for last six months,glebius2012-09-081-570/+210
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | into head. The most significant achievements in the new code: o Fine grained locking, thus much better performance. o Fixes to many problems in pf, that were specific to FreeBSD port. New code doesn't have that many ifdefs and much less OpenBSDisms, thus is more attractive to our developers. Those interested in details, can browse through SVN log of the projects/pf/head branch. And for reference, here is exact list of revisions merged: r232043, r232044, r232062, r232148, r232149, r232150, r232298, r232330, r232332, r232340, r232386, r232390, r232391, r232605, r232655, r232656, r232661, r232662, r232663, r232664, r232673, r232691, r233309, r233782, r233829, r233830, r233834, r233835, r233836, r233865, r233866, r233868, r233873, r234056, r234096, r234100, r234108, r234175, r234187, r234223, r234271, r234272, r234282, r234307, r234309, r234382, r234384, r234456, r234486, r234606, r234640, r234641, r234642, r234644, r234651, r235505, r235506, r235535, r235605, r235606, r235826, r235991, r235993, r236168, r236173, r236179, r236180, r236181, r236186, r236223, r236227, r236230, r236252, r236254, r236298, r236299, r236300, r236301, r236397, r236398, r236399, r236499, r236512, r236513, r236525, r236526, r236545, r236548, r236553, r236554, r236556, r236557, r236561, r236570, r236630, r236672, r236673, r236679, r236706, r236710, r236718, r237154, r237155, r237169, r237314, r237363, r237364, r237368, r237369, r237376, r237440, r237442, r237751, r237783, r237784, r237785, r237788, r237791, r238421, r238522, r238523, r238524, r238525, r239173, r239186, r239644, r239652, r239661, r239773, r240125, r240130, r240131, r240136, r240186, r240196, r240212. I'd like to thank people who participated in early testing: Tested by: Florian Smeets <flo freebsd.org> Tested by: Chekaluk Vitaly <artemrts ukr.net> Tested by: Ben Wilber <ben desync.com> Tested by: Ian FREISLICH <ianf cloudseed.co.za>
* Merge multi-FIB IPv6 support from projects/multi-fibv6/head/:bz2012-02-171-6/+6
| | | | | | | | | | | | Extend the so far IPv4-only support for multiple routing tables (FIBs) introduced in r178888 to IPv6 providing feature parity. This includes an extended rtalloc(9) KPI for IPv6, the necessary adjustments to the network stack, and user land support as in netstat. Sponsored by: Cisco Systems, Inc. Reviewed by: melifaro (basically) MFC after: 10 days
* Update packet filter (pf) code to OpenBSD 4.5.bz2011-06-281-57/+354
| | | | | | | | You need to update userland (world and ports) tools to be in sync with the kernel. Submitted by: mlaier Submitted by: eri
* Remove some further INET related symbols from pf to allow the modulebz2011-05-311-0/+2
| | | | | | | | | | | to not only compile bu load as well for testing with IPv6-only kernels. For the moment we ignore the csum change in pf_ioctl.c given the pending update to pf45. Reported by: dru Sponsored by: The FreeBSD Foundation Sponsored by: iXsystems MFC after: 20 days
* Commit resolved import of OpenBSD 4.1 pf from perforce.mlaier2007-07-031-47/+75
| | | | Approved by: re (kensmith)
* Fix hardware checksum verification on fragments.mlaier2007-07-031-0/+9
| | | | | | | MFC after: 7 days Reported/tested by: Hugo Koji Kobayashi, Vadym Chepkov Reviewed/help by: yongari Approved by: re (kensmith)
* Loopback pf_norm.c rev. 1.106 from OpenBSD:mlaier2006-03-251-4/+22
| | | | | | | | fixup IP checksum when modifying IP header fields PR: kern/93849 Obtained from: OpenBSD MFC after: 3 days
* fix a bug in the fragment cache (used for 'scrub fragment crop/drop-ovl',dhartmei2006-01-191-1/+1
| | | | | | | | | but not 'fragment reassemble'), which can cause some fragments to get inserted into the cache twice, thereby violating an invariant, and panic- ing the system subsequently. Reviewed by: mlaier MFC after: 1 day
* Move m_adj after checking that m_dup succeeded.mlaier2006-01-141-3/+4
| | | | | Found with: Coverity Prevent(tm) MFC after: 3 days
* Fix build after timeval.tv_sec changed from long to time_t.mlaier2005-12-251-2/+5
|
* Fix -Wundef warnings found when compiling i386 LINT, GENERIC andru2005-12-051-0/+4
| | | | custom kernels.
* move RFC3542 related definitions into ip6.h.ume2005-07-201-42/+0
| | | | | | Submitted by: Keiichi SHIMA <keiichi__at__iijlab.net> Reviewed by: mlaier Obtained from: KAME
* Resolve conflicts created during the import of pf 3.7 Some features aremlaier2005-05-031-48/+359
| | | | | | | | missing and will be implemented in a second step. This is functional as is. Tested by: freebsd-pf, pfsense.org Obtained from: OpenBSD X-MFC after: never (breaks API/ABI)
* Get rid of the RANDOM_IP_ID option and make it a sysctl. NetBSDdwmalone2004-08-141-4/+0
| | | | | | | | | | | | | | | | | | | | | have already done this, so I have styled the patch on their work: 1) introduce a ip_newid() static inline function that checks the sysctl and then decides if it should return a sequential or random IP ID. 2) named the sysctl net.inet.ip.random_id 3) IPv6 flow IDs and fragment IDs are now always random. Flow IDs and frag IDs are significantly less common in the IPv6 world (ie. rarely generated per-packet), so there should be smaller performance concerns. The sysctl defaults to 0 (sequential IP IDs). Reviewed by: andre, silby, mlaier, ume Based on: NetBSD MFC after: 2 months
* Loopback fix from Daniel Hartmeier:mlaier2004-08-121-5/+9
| | | | | | | | | pf_cksum_fixup() was called without last argument from normalization, also fixup checksum when random-id modifies ip_id. This would previously lead to incorrect checksums for packets modified by scrub random-id. (Originally) Submitted by: yongari
* Initialize s variable early to shut up GCC warnings.kan2004-07-281-0/+5
| | | | | | | Do not declare inline functions without body as this is useless in general and generates a warning with GCC 3.4.x. Glanced over by: dhartmei
* Import two fixes from the OpenBSD stable branch:mlaier2004-06-171-5/+5
| | | | | | | | | - prevent an endless loop with route-to lo0, fixes PR 3736 (dhartmei@) - The rule_number parameter for pf_get_pool() needs to be 32 bits, not 8 - this fixes corruption of the address pools with large rulesets. (mcbride@, pb@) Reviewed-by: dhartmei
* Commit pf version 3.5 and link additional files to the kernel build.mlaier2004-06-161-28/+38
| | | | | | | | | | | | Version 3.5 brings: - Atomic commits of ruleset changes (reduce the chance of ending up in an inconsistent state). - A 30% reduction in the size of state table entries. - Source-tracking (limit number of clients and states per client). - Sticky-address (the flexibility of round-robin with the benefits of source-hash). - Significant improvements to interface handling. - and many more ...
* Commit three imported bugfixes from OpenBSD 3.4-stable:dhartmei2004-05-021-5/+5
| | | | | | | | | | | - change pf_get_pool() argument rule_number type from u_int32_t to u_int8_t, fixes corruption of address pools with large rulesets (mcbride@) - prevent endless loops with route-to (dhartmei@) - limit option length to 2 octets max (frantzen@) Obtained from: OpenBSD Approved by: mlaier(mentor), bms(mentor)
* Style(9) round for the pf kernel parts. Mostly #if defined() -> #ifdefmlaier2004-03-171-30/+28
| | | | | | | | Also set HOOK_HACK to true (remove the related #ifdef's) as we have the hooks in the kernel this was missed during the merge from the port. Noticed by: Amir S. (for the HOOK_HACK part) Approved by: bms(mentor)
* Remove __inline keyword from functions that can't be inlined according tomlaier2004-02-291-0/+4
| | | | | | | LINT. This fixes LINT compliation for now, but needs to be revised. Changes do not affect the objects. Approved by: bms(mentor)
* Bring diff from the security/pf port. This has code been tested as a portmlaier2004-02-261-2/+185
| | | | | | | | | | | | | for a long time and is run in production use. This is the code present in portversion 2.03 with some additional tweaks. The rather extensive diff accounts for: - locking (to enable pf to work with a giant-free netstack) - byte order difference between OpenBSD and FreeBSD for ip_len/ip_off - conversion from pool(9) to zone(9) - api differences etc. Approved by: bms(mentor) (in general)
* Vendor import of OpenBSD's packet filter (pf) as of OpenBSD 3.4mlaier2004-02-261-0/+1528
Approved by: bms(mentor), core (in general)
OpenPOWER on IntegriCloud