| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
found.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
have already done this, so I have styled the patch on their work:
1) introduce a ip_newid() static inline function that checks
the sysctl and then decides if it should return a sequential
or random IP ID.
2) named the sysctl net.inet.ip.random_id
3) IPv6 flow IDs and fragment IDs are now always random.
Flow IDs and frag IDs are significantly less common in the
IPv6 world (ie. rarely generated per-packet), so there should
be smaller performance concerns.
The sysctl defaults to 0 (sequential IP IDs).
Reviewed by: andre, silby, mlaier, ume
Based on: NetBSD
MFC after: 2 months
|
| |
|
|
|
| |
Add missing check for NULL in DIOCCHANGERULE. This prevents a crash
in certain rare cases.
|
| |
|
|
|
|
|
|
|
| |
pf_cksum_fixup() was called without last argument from
normalization, also fixup checksum when random-id modifies ip_id.
This would previously lead to incorrect checksums for packets
modified by scrub random-id.
(Originally) Submitted by: yongari
|
| |
|
|
|
|
|
| |
skip over interface addresses without IFA_ROUTE, fixes some issue
with pppd
PR: misc/69954
|
| |
|
|
|
|
|
| |
Do not declare inline functions without body as this is useless in
general and generates a warning with GCC 3.4.x.
Glanced over by: dhartmei
|
| |
|
|
|
|
|
| |
1st ifnet (ifnet) @/usr/src/sys/contrib/pf/net/pf_if.c:191
2nd pf task mtx (pf task mtx) @/usr/src/sys/contrib/pf/net/pf_if.c:197
Reported by: Pyun YongHyeon (a long time ago)
|
| |
|
|
|
|
|
|
| |
calls further down the stack. If we find the cksum to be okay we pretend
that the hardware did all the work and hence keep the upper layers from
checking again.
Submitted by: Pyun YongHyeon
|
| |
|
|
|
|
|
| |
This fixes checksum for some drivers with partial H/W ckcsum offloads.
Reported by: Simon 'corecode' Schubert, Devon H. O'Dell, hmp
Reviewed by: Pyun YongHyeon
|
| |
|
|
| |
Submitted by: rwatson
|
| |
|
|
|
|
|
|
|
|
|
| |
MFC:
Fix by dhartmei@
change pf_route() loop detection: introduce a counter (number of times
a packet is routed already) in the mbuf tag, allow at most four times.
Fixes some legitimate cases broken by the previous change.
Reviewed by: dhartmei
|
| |
|
|
|
|
|
|
| |
icmp_error() packets. While here retire PACKET_TAG_PF_GENERATED (which
served the same purpose) and use M_SKIP_FIREWALL in pf as well. This should
speed up things a bit as we get rid of the tag allocations.
Discussed with: juli
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Split the code out into if_clone.[ch].
- Locked struct if_clone. [1]
- Add a per-cloner match function rather then simply matching names of
the form <name><unit> and <name>.
- Use the match function to allow creation of <interface>.<tag>
vlan interfaces. The old way is preserved unchanged!
- Also the match function to allow creation of stf(4) interfaces named
stf0, stf, or 6to4. This is the only major user visible change in
that "ifconfig stf" creates the interface stf rather then stf0 and
does not print "stf0" to stdout.
- Allow destroy functions to fail so they can refuse to delete
interfaces. Currently, we forbid the deletion of interfaces which
were created in the init function, particularly lo0, pflog0, and
pfsync0. In the case of lo0 this was a panic implementation so it
does not count as a user visiable change. :-)
- Since most interfaces do not need the new functionality, an family of
wrapper functions, ifc_simple_*(), were created to wrap old style
cloner functions.
- The IF_CLONE_INITIALIZER macro is replaced with a new incompatible
IFC_CLONE_INITIALIZER and ifc_simple consumers use IFC_SIMPLE_DECLARE
instead.
Submitted by: Maurycy Pawlowski-Wieronski <maurycy at fouk.org> [1]
Reviewed by: andre, mlaier
Discussed on: net
|
| |
|
|
|
|
|
|
|
| |
- prevent an endless loop with route-to lo0, fixes PR 3736 (dhartmei@)
- The rule_number parameter for pf_get_pool() needs to be 32 bits, not 8 -
this fixes corruption of the address pools with large rulesets.
(mcbride@, pb@)
Reviewed-by: dhartmei
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Version 3.5 brings:
- Atomic commits of ruleset changes (reduce the chance of ending up in an
inconsistent state).
- A 30% reduction in the size of state table entries.
- Source-tracking (limit number of clients and states per client).
- Sticky-address (the flexibility of round-robin with the benefits of
source-hash).
- Significant improvements to interface handling.
- and many more ...
|
| |\
| |
| |
| | |
which included commits to RCS files with non-trunk default branches.
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fix by dhartmei@ and mcbride@
1.433
Properly m_copyback() modified TCP sequence number after demodulation
1.432
Fix icmp checksum when sequence number modlation is being used.
Also fix a daddr vs saddr cut-n-paste error in ICMP error handling.
Fixes PR 3724
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
- Fix binat for incoming connections when a netblock (not just a single
address) is used for source in the binat rule. closes PR 3535, reported by
Karl O.Pinc. ok henning@, cedric@
- Fix a problem related to empty anchor rulesets, which could cause a kernel
panic.
Approved by: bms(mentor)
|
| | |
| |
| |
| | |
Bump __FreeBSD_version accordingly.
|
| | |
| |
| |
| |
| |
| | |
kernels w/ pf, but w/o altq.
Reported-by: Xin LI
|
| | |
| |
| |
| |
| | |
- remove old pfaltq module linkage
- move pfaltq_running to pf_ioctl.c It is protected by PF_LOCK()
|
| | |
| |
| |
| |
| |
| |
| | |
better do no longer depend on it.
Requested-by: phk
Approved-by: bms(mentor)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
- change pf_get_pool() argument rule_number type from u_int32_t
to u_int8_t, fixes corruption of address pools with large
rulesets (mcbride@)
- prevent endless loops with route-to (dhartmei@)
- limit option length to 2 octets max (frantzen@)
Obtained from: OpenBSD
Approved by: mlaier(mentor), bms(mentor)
|
| | |
| |
| |
| | |
Reviewed by: mlaier
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fix by dhartmei@ and mcbride@
1.433
Properly m_copyback() modified TCP sequence number after demodulation
1.432
Fix icmp checksum when sequence number modlation is being used.
Also fix a daddr vs saddr cut-n-paste error in ICMP error handling.
Fixes PR 3724
Obtained from: OpenBSD
Reviewed by: dhartmei
Approved by: rwatson
|
| | |
| |
| |
| |
| |
| |
| |
| | |
#ifdefs in order to loop it back to OpenBSD after the next import. There are
a some implicit asserts involved which might be better spelled out
explicitly (af == AF_INET ...)
Approved by: bms(mentor)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
- Fix binat for incoming connections when a netblock (not just a single
address) is used for source in the binat rule. closes PR 3535, reported by
Karl O.Pinc. ok henning@, cedric@
- Fix a problem related to empty anchor rulesets, which could cause a kernel
panic.
Approved by: bms(mentor)
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Also set HOOK_HACK to true (remove the related #ifdef's) as we have the
hooks in the kernel this was missed during the merge from the port.
Noticed by: Amir S. (for the HOOK_HACK part)
Approved by: bms(mentor)
|
| | |
| |
| |
| |
| | |
Noticed by: Craig Rodrigues
Approved by: bms(mentor)
|
| | |
| |
| |
| |
| |
| |
| | |
LINT. This fixes LINT compliation for now, but needs to be revised.
Changes do not affect the objects.
Approved by: bms(mentor)
|
| | |
| |
| |
| |
| |
| |
| | |
pf/pflog/pfsync as modules. Do not list them in NOTES or modules/Makefile
(i.e. do not connect it to any (automatic) builds - yet).
Approved by: bms(mentor)
|
| |/
|
|
|
|
|
|
|
|
|
|
|
| |
for a long time and is run in production use. This is the code present in
portversion 2.03 with some additional tweaks.
The rather extensive diff accounts for:
- locking (to enable pf to work with a giant-free netstack)
- byte order difference between OpenBSD and FreeBSD for ip_len/ip_off
- conversion from pool(9) to zone(9)
- api differences etc.
Approved by: bms(mentor) (in general)
|
|
|
Approved by: bms(mentor), core (in general)
|
