path: root/sys/net/pf_table.c

Commit log (each entry: author, date, files changed, lines removed/added, then the commit message)

* mikeb, 2012-01-26, 1 file changed (-4/+4):
  when table content changes we need to reset index to the initial value and do not use the counter; reported by Sebastian Benoit and Daniel Krambrock, tested by Sebastian Benoit, ok henning zinke

* mcbride, 2011-07-27, 1 file changed (-37/+126):
  Add support for weighted round-robin in load balancing pools and tables. Diff from zinke@ with some minor cleanup. ok henning claudio deraadt

* mikeb, 2011-07-08, 1 file changed (-6/+12):
  ensure that we won't enter an endless loop while iterating over an address pool. problem found and solution tested by claudio. ok claudio, henning, "reads fine" to zinke

* zinke, 2011-07-03, 1 file changed (-17/+128):
  bring in least-states load balancing algorithm. ok mcbride@ henning@

* mcbride, 2011-06-14, 1 file changed (-5/+11):
  KNF (no change in .o files)

* mikeb, 2011-05-17, 1 file changed (-3/+9):
  exclude link local address from the dynamic interface address pool so that rules like "pass out on vr1 inet6 nat-to (vr1)" won't map to the non-routable ipv6 link local address; with suggestions and ok claudio, henning

* tedu, 2010-11-20, 1 file changed (-2/+20):
  throw some yields into the pf table code so it doesn't lock up the kernel. ok deraadt henning

* tedu, 2010-10-23, 1 file changed (-92/+30):
  remove PFR_FLAG_ATOMIC. not used, and doesn't work as advertised. ok henning

* mcbride, 2010-09-30, 1 file changed (-17/+26):
  Convert printf()'s to DPFDEBUG() macro. ok dlg

* krw, 2010-08-07, 1 file changed (-2/+2):
  No "\n" needed at the end of panic() strings. Bogus chunks pointed out by matthew@ and miod@. No cookies for marco@ and jasper@. ok deraadt@ miod@ matthew@ jasper@ macro@

* claudio, 2010-06-28, 1 file changed (-3/+3):
  Add the rtable id as an argument to rn_walktree(). Functions like rt_if_remove_rtdelete() need to know the table id to be able to correctly remove nodes. Problem found by Andrea Parazzini and analyzed by Martin Pelikán. OK henning@

* henning, 2010-02-24, 1 file changed (-1/+2):
  put back the line of code that copies the timestamp out for tables. tracked down by Dan Harnett <daniel at harnett.name>

* mcbride, 2010-01-18, 1 file changed (-1/+2):
  Convert pf debug logging to using log()/addlog(), a single standardised definition of DPFPRINTF(), and log priorities from syslog.h. Old debug levels will still work for now, but will eventually be phased out. discussed with henning, ok dlg

* mcbride, 2010-01-12, 1 file changed (-47/+81):
  First pass at removing the 'pf_pool' mechanism for translation and routing actions. Allow interfaces to be specified in special table entries for the routing actions. Lists of addresses can now only be done using tables, which pfctl will generate automatically from the existing syntax. Functionally, this deprecates the use of multiple tables or dynamic interfaces in a single nat or rdr rule. ok henning dlg claudio

* mikeb, 2008-11-24, 1 file changed (-14/+24):
  Fix splasserts seen in pr 5987 by propagating a flag that describes whether we're called from the interrupt context to the functions performing allocations. Looked at by mpf@ and henning@, tested by mpf@ and Antti Harri, the pr originator. ok tedu

* mcbride, 2008-10-08, 1 file changed (-10/+3):
  Get rid of the second table entry pool (pfr_kentry_pl2); we're already using the default interrupt handler for both, so there's no need to keep table entries created in interrupt context separate. ok henning art

* art, 2008-06-14, 1 file changed (-3/+3):
  There's no more reason to use oldnointr allocator here since we pace the allocations in uvm_km_thread, as long as they are PR_WAITOK and all the memory hogs should be WAITOK in pf now. "following your explanation, it's ok" henning@

* henning, 2008-06-14, 1 file changed (-3/+3):
  pool_get()s not in interrupt context should not be PR_NOWAIT, but PR_WAITOK | PR_LIMITFAIL. from discussion with art. ok ryan claudio thib

* mcbride, 2008-06-10, 1 file changed (-7/+5):
  Simplify code slightly; use PR_ZERO with pool_get() rather than bzero(). ok mpf henning

* mcbride, 2008-06-10, 1 file changed (-1/+3):
  Free the counters struct when we free the table entry.

* mcbride, 2008-06-10, 1 file changed (-10/+27):
  Make counters on table addresses optional and disabled by default. Use the 'counters' table option in pf.conf if you actually need them. If enabled, memory is not allocated until packets match an address. This saves about 40% memory if counters are not being used, and paves the way for some more significant cleanups coming soon. ok henning mpf deraadt

* claudio, 2008-05-07, 1 file changed (-3/+3):
  Implement routing priorities. Every route inserted has a priority assigned and the one route with the lowest number wins. This will be used by the routing daemons to resolve the synchronisation issue in case of conflicts. The nasty bits of this are in the multipath code. If no priority is specified the kernel will choose an appropriate priority. Looked at by a few people at n2k8; code is much older.

* reyk, 2007-12-20, 1 file changed (-2/+6):
  increment the match/nomatch table counters when using a table/pool in rdr rules. this helps to get some statistics about l3 redirections. ok henning@

* henning, 2007-09-01, 1 file changed (-1/+2):
  since the MGET* macros were changed to function calls, there wasn't any need for the pool declarations and the inclusion of pool.h. From: tbert <bret.lambert@gmail.com>

* markus, 2007-05-23, 1 file changed (-3/+5):
  use the intr pool when allocating from interrupt context; fixes pppoe f_addrhooks panics (e.g. pr 5454); ok canacar

* mickey, 2007-03-20, 1 file changed (-46/+53):
  do not use out of scope variable in macros -- only use the macro arguments passed; makes it less of nfs kind of code; henning@ ok

* dhartmei, 2006-05-02, 1 file changed (-2/+2):
  fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, create only bar under foo, not /bar as well. secondly, when using "load anchor from" from a sub-anchor, the loading point should be relative to the sub-anchor doing the load (unless absolute paths are used, of course). from Boris Polevoy. probably a -stable candidate.

* pascoe, 2005-08-02, 1 file changed (-3/+5):
  Instead of copying a table structure so we can mask off a bit before "validating" it, pass the bits to be ignored down to the validating function in its allowedflags argument. Saves a 1kB+ stack allocation. ok henning@

* dhartmei, 2005-06-06, 1 file changed (-7/+15):
  Backout 1.64, switch back to two-pool allocation scheme (with oldnointr allocator on one pool). Should fix PR 4231 and 4240, but reintroduces 4186. ok deraadt@

* henning, 2005-05-27, 1 file changed (-2/+3):
  add back ACCEPT_GLAGS and active flag check, pointed out by cedric

* dhartmei, 2005-05-23, 1 file changed (-15/+7):
  change pool allocation of table entries, no longer use the oldnointr allocator and two pools, but PR_WAITOK when called from non-interrupt context (ioctl). add configurable hard limits for tables and table entries (set limit tables/table-entries), defaulting to 1000/100000. ok aaron@, henning@, mcbride@, art@

* henning, 2005-05-23, 1 file changed (-3/+2):
  don't deny access to "special" tables in get_addrs; with this, when you know their name you can list their contents with pfctl. ok ryan

* mcbride, 2004-12-07, 1 file changed (-2/+2):
  KNF

* mcbride, 2004-12-04, 1 file changed (-8/+41):
  Add kernel code to keep track of tcp connections which have completed the 3-way handshake. Allow limits on both total connections and connection rate, put offenders in a table which can be used in the ruleset, and optionally kill existing states. Rate tracking code from dhartmei@. Adds a second pool for table entries using the default allocator, which allows entries to be added at splsoftnet(). ok deraadt@ dhartmei@

* jaredy, 2004-10-15, 1 file changed (-1/+39):
  correctly parse the anchor names to which tables refer. now they abide by the same rules as anchor names referred to by rules:
  - initial slashes (/) are stripped
  - anchor names with characters after the terminating NUL byte are considered invalid
  ok dhartmei (and previously) beck henning

* mcbride, 2004-07-08, 1 file changed (-3/+3):
  Make 0/0 table entries work; also fix a problem setting the network mask on v6 addresses. Reported by Ilya A. Kovalenko, fix from Cedric Berger.

* mcbride, 2004-06-23, 1 file changed (-3/+5):
  pfr_commit_ktable calls functions that can result in the current ktable being destroyed, which makes it unsafe in a SLIST_FOREACH. Fix from Chris Pascoe

* tholo, 2004-06-21, 1 file changed (-9/+9):
  First step towards more sane time handling in the kernel -- this changes things such that code that only needs a second-resolution uptime or wall time, and used to get that from time.tv_secs or mono_time.tv_secs, now gets this from separate time_t globals time_second and time_uptime. ok art@ niklas@ nordin@

* mcbride, 2004-06-11, 1 file changed (-3/+5):
  Eliminate a dereference after pool_put when an inactive/no-longer referenced table is destroyed in pfr_setflags_ktable. Fix from Chris Pascoe

* cedric, 2004-06-07, 1 file changed (-3/+30):
  Make deletion of a few addresses much faster on big tables. ok claudio@

* tedu, 2004-06-02, 1 file changed (-3/+3):
  tables like to allocate lots of memory at once. use the previous pool allocator, _nointr. testing/ok beck@ cedric@

* dhartmei, 2004-05-19, 1 file changed (-36/+11):
  Allow recursive anchors (anchors within anchors, up to 64 levels deep). More work required, but this is already functional. authpf users will need to adjust their anchor calls, but this will change again soon. ok beck@, cedric@, henning@, mcbride@

* pb, 2004-04-28, 1 file changed (-1/+2):
  gcc3 shut up (from naddy@)

* pb, 2004-04-28, 1 file changed (-2/+1):
  do not return here

* pb, 2004-04-28, 1 file changed (-13/+36):
  Don't step into INET6 code just because af != AF_INET. Also comment #endif properly while being here. ok mcbride@

* itojun, 2004-04-25, 1 file changed (-3/+3):
  radix tree with multipath support. from kame. deraadt ok
  user visible changes:
  - you can add multiple routes with same key (route add A B then route add A C)
  - you have to specify gateway address if there are multiple entries on the table (route delete A B, instead of route delete A)
  kernel change:
  - radix_node_head has an extra entry
  - rnh_deladdr takes extra argument
  TODO:
  - actually take advantage of multipath (rtalloc -> rtalloc_mpath)

* frantzen, 2004-04-09, 1 file changed (-3/+3):
  move some of the non-interrupt pools from the small kmem_map to the much larger kernel map

* mcbride, 2004-03-09, 1 file changed (-10/+12):
  KNF, ok cedric@ deraadt@

* dhartmei, 2004-02-10, 1 file changed (-4/+4):
  KNF

* henning, 2004-02-10, 1 file changed (-12/+12):
  KNF