path: root/sys/net
Commit message, followed by [Author, Age, Files, Lines]
...
* As requested by henning, move the mbuf pointer into struct pf_pdesc.
  Also sort pd to the beginning of the functions' parameter lists for consistency. ok henning
  [bluhm, 2011-09-28, 6 files, -261/+259]
* As I have touched half of pf lines anyway, fix whitespaces now.
  KNF, no binary change.
  [bluhm, 2011-09-22, 4 files, -46/+47]
* Check the protocol header length for tcp, udp, icmp, icmp6 in
  pf_setup_pdesc(). It is better to check and bail out early than to rely on pf_pull_hdr() later. ok henning mpf
  [bluhm, 2011-09-21, 3 files, -9/+21]
* pf_setup_pdesc() panics if address family is neither AF_INET nor
  AF_INET6. So remove useless af switch defaults here and there. Always use "switch(af)" instead of "if (af) else" for af dependent code. Always use AF_ defines instead of PF_ when checking af values. ok claudio mpf henning
  [bluhm, 2011-09-20, 2 files, -35/+32]
* Put kif and dir into pdesc and use this instead of passing the values
  around. This is a mechanical change. Initialize pd2 and use it where appropriate. ok henning on an earlier version; ok mpf
  [bluhm, 2011-09-20, 5 files, -153/+144]
* Consolidate pf function parameters. Move off and hdrlen into pdesc
  and change their type from int to u_int32_t. Do not pass struct tcphdr *th and sa_family_t af, it is in pd anyway. Do not use af and pd->af intermixed, the latter makes clear where it comes from. Do not calculate the packet length again if pd already has it. Use pd2.off instead of off2. go go go go don't stop henning@ mpf@
  [bluhm, 2011-09-19, 5 files, -197/+175]
* Move the pdesc initialization code into pf_setup_pdesc(). Unify
  some IPv4 and IPv6 code. Make sure that both code paths set the same fields in the same order. ok mpf henning
  [bluhm, 2011-09-18, 3 files, -33/+29]
* Fix various format string types to as a minimum match the width of the
  variables being processed. ok bluhm@ henning@
  [miod, 2011-09-18, 3 files, -8/+8]
* Move the call to pf_test_rule() for fragments that have not been
  reassembled by normalization from pf_setup_pdesc() to pf_test(). This simplifies the parameter list of pf_setup_pdesc() as it can concentrate on its job filling the pf_pdesc struct. ok henning mpf
  [bluhm, 2011-09-18, 3 files, -28/+21]
* The pd->ip_sum and pd->proto_sum fields are not needed. Replace
  the one occurrence in pf_test_state_icmp() that uses pd2.ip_sum by a local variable. Remove ip_sum and proto_sum from struct pf_pdesc. ok claudio henning
  [bluhm, 2011-09-17, 2 files, -21/+15]
* move initialisation of pd->nsaddr and pd->ndaddr from pf_test_rule to
  pf_setup_pdesc. fixes logging of packets passed statefully. ok bluhm
  [henning, 2011-09-17, 1 file, -15/+10]
* Deduplicate IPv4 and IPv6 code that handles fragments that have not
  been reassembled by normalization. ok henning claudio
  [bluhm, 2011-09-17, 1 file, -30/+19]
* Add support for one shot rules that remove themselves from an active
  ruleset after match. In case this is the only rule in the anchor, the anchor will be destroyed automatically after the rule is matched. This is an extremely handy technique for firewall proxies. ok henning, mcbride
  [mikeb, 2011-08-30, 3 files, -3/+27]
* Use the lowest available unit number for new pppx ifs. Somewhat
  inefficient but doesn't matter with reasonable numbers of interfaces. ok dlg@
  [jmatthew, 2011-08-21, 1 file, -5/+19]
* Fix packet accounting in error cases.
  From Christiano F. Haesbaert.
  [mcbride, 2011-08-20, 3 files, -7/+11]
* Remove redundant prototype for pf_socket_lookup().
  It's already in pfvar.h OK mcbride@
  [mpf, 2011-08-03, 1 file, -2/+1]
* someone (*cough*henning*cough*) made pf_state.state_flags a u_int16_t
  without growing it in pfsync_state too. to keep the wire format compat this uses some of the pad bytes to send all the state flags on the wire as well as maintaining the old state_flags field. after 5.0 we'll deprecate the original field and only use the new one. discussed with mcbride and deraadt and based on a diff from deraadt. tested against an "old" pfsync locally. ok mcbride@ henning@ deraadt@
  [dlg, 2011-08-03, 2 files, -5/+9]
* Replace one byte of padding with sa_family_t af in pfsync_state_key;
  Reject states with pfsync_state->af == 0 in pfsync_state_import(), in preparation for states which specify an address family in each state key instead (change will take place post-5.0). ok dlg henning mikeb
  [mcbride, 2011-08-02, 2 files, -3/+7]
* Make sure we use the right tbl/dyn pointer to check the pfrkt_refcntcost;
  improved debugging for error cases inside the weighted round-robin loop. original diff from claudio, ok henning
  [mcbride, 2011-07-29, 1 file, -7/+17]
* fix set skip group matching: don't match partial strings, i. e. 'set skip on
  lo' must not match a group 'local'. diff from sthen who is not around for a few days, ok me and mpf. I can't find the mail of the guy who initially ran into this problem, sorry for that, thanks for reporting!
  [henning, 2011-07-28, 1 file, -2/+2]
* Add support for weighted round-robin in load balancing pools and tables.
  Diff from zinke@ with some minor cleanup. ok henning claudio deraadt
  [mcbride, 2011-07-27, 4 files, -72/+202]
* __arm32__ -> __arm__, since our new compiler isn't defining the
  former anymore. OK miod@.
  [martynas, 2011-07-26, 1 file, -2/+2]
* OS fingerprinting can only be done on rules that explicitly specify TCP
  now, put it in the IPPROTO_TCP case of the pf_test_rule() inner loop. ok henning sthen
  [mcbride, 2011-07-24, 1 file, -6/+5]
* Replace the IPv6 header walking loop in pf_test_state_icmp() with
  the common function pf_walk_header6(). For that, pf_walk_header6() can now extract both the information whether it is a fragment and the final protocol if it is the first fragment. This allows matching the icmp6 too big packet of a first fragment to the reassembled packet's state. This is necessary if a refragmented fragment is too big for the Path-MTU. Note that pd.proto contains the real protocol number for the first fragment and IPPROTO_FRAGMENT for later fragments. pd.virtual_protocol is set to PF_VPROTO_FRAGMENT for all fragments. ok mcbride@
  [bluhm, 2011-07-23, 1 file, -61/+76]
* use ifmedia_delete_instance() when destroying a vether
  from Martin Pelikan
  [deraadt, 2011-07-22, 1 file, -1/+2]
* Sync 'block return' behaviour for ICMP packets with our IP stack:
  Rather than silently dropping ALL icmp packets, return icmp/icmp6 error for 'informational' message types (but continue dropping ICMP errors unconditionally). ok markus sthen henning
  [mcbride, 2011-07-22, 1 file, -3/+6]
* fix typos, martin pelikan
  [henning, 2011-07-22, 4 files, -10/+10]
* unbreak set-tos for ipv6; reported by babut at yandex dot ru,
  with input and ok from bluhm and claudio
  [mikeb, 2011-07-18, 1 file, -2/+2]
* break up a line of code that involved a decrement operator and macros
  so it evaluates in the order we want. ok claudio@
  [jsg, 2011-07-12, 1 file, -2/+3]
* If ipv4+icmp6 or ipv6+icmp packets were embedded into an icmp
  payload, we missed to drop them. While there, also add a reason to the corresponding check in pf_test(). ok mcbride@ claudio@
  [bluhm, 2011-07-09, 1 file, -3/+15]
* send BPDUs at prio 6, just like lacp and carp, ryan zinke mpf
  [henning, 2011-07-09, 1 file, -1/+5]
* mark the mgmt pkts for queueing prio 6, mpf ok
  [henning, 2011-07-09, 1 file, -1/+4]
* honor the net.inet.udp.checksum setting.
  ok claudio henning yasuoka
  [dhill, 2011-07-09, 2 files, -9/+21]
* remove more atalk bits
  [deraadt, 2011-07-09, 1 file, -2/+1]
* begone, fucking rotten appletalk shit. ok room
  [henning, 2011-07-09, 6 files, -161/+5]
* ensure that we won't enter an endless loop while iterating over
  an address pool. problem found and solution tested by claudio. ok claudio, henning, "reads fine" to zinke
  [mikeb, 2011-07-08, 1 file, -6/+12]
* Last part of pipex_{pppoe,l2tp,pptp}_input() are almost identical.
  Integrate them into pipex_common_input(). ok hsuenaga@
  [yasuoka, 2011-07-08, 2 files, -128/+84]
* surprisingly, we use pf as classifier for the new priority queueing
  implementation. ok ryan mpf sthen and also testing pea and halex looked at it and commented as well
  [henning, 2011-07-08, 3 files, -10/+42]
* new priority queueing implementation, extremely low overhead, thus fast.
  unconditional, always on. 8 priority levels, as every better switch, the vlan header etc etc. ok ryan mpf sthen, pea tested as well
  [henning, 2011-07-08, 2 files, -46/+68]
* Include PIPEX in kernel by default. And add new sysctl variable
  `net.pipex.enable' to enable PIPEX. By default, pipex is disabled and it will not process packets from wire. Update man pages and update HOWTO_PIPEX_NPPPD.txt for testers. discussed with dlg@, ok deraadt@ mcbride@ claudio@
  [yasuoka, 2011-07-08, 3 files, -9/+47]
* Increase sdl_data so that more than IFNAMSIZ bytes are available.
  Additionally round the sizeof(struct sockaddr_dl) to a power of 2. OK guenther@ deraadt@
  [claudio, 2011-07-08, 1 file, -4/+5]
* We should not have any direct initialization of ifq structures.
  (in this case it's unnecessary, bss is initialized to zero at boot) ok henning
  [mcbride, 2011-07-07, 1 file, -3/+3]
* There were two loops in pf_setup_pdesc() and pf_normalize_ip6()
  walking over the IPv6 header chain. Merge them into one loop, adjust some length checks and fix IPv6 jumbo option handling. Also allow strange but legal IPv6 packets with plen=0 passing through pf. IPv6 jumbo packets still get dropped. testing dhill@; ok mcbride@ henning@
  [bluhm, 2011-07-07, 3 files, -204/+200]
* use IF_LEN/IFQ_LEN to access an ifqueue's length field. ryan ok
  with this nothing in the tree fiddles with ifqueue internals any more, of course except if.c and if.h (and some altq)
  [henning, 2011-07-07, 3 files, -8/+8]
* provide IF_LEN and IFQ_LEN to access ifq_len on an ifqueue, ryan ok
  [henning, 2011-07-07, 1 file, -1/+3]
* Replace the cruddy old sys/net/zlib.[ch]. We now use the sys/lib/libz
  code. Missing chunks of the API are imported from the libc version, with a few #ifdef's to port it into the kernel environment. The bootblocks already used the newer code, and should encounter no surprises since there are so few changes to the existing files. In the kernel, ipcomp and kernel ppp are changed to the new API. ipcomp has been tested. ok tedu the brave
  [deraadt, 2011-07-07, 3 files, -5281/+16]
* Fold pf_test_fragment() into pf_test_rule(), reduce code and fixes
  a bunch of bugs with fragment handling not being in sync with the rest of the ruleset. Much feedback from mpf, bluhm & markus Thanks to Tony Sarendal for help with testing ok bluhm; various previous versions ok henning, claudio, mpf, markus
  [mcbride, 2011-07-07, 3 files, -220/+179]
* another case of "clever" fiddling with ifq internals, just stumbled over
  this in my monster diff and wondered that i hadn't put that in already... claudio ryan ok
  [henning, 2011-07-07, 1 file, -4/+6]
* ppp_ifstart unconditionally. depending on ALTQ for this is ridiculous.
  one tree less in my forest (for a few seconds)! ok claudio
  [henning, 2011-07-06, 1 file, -12/+1]
* and make sppp_qflush a wrapper around IF_PURGE instead of handrolling
  the same, ok'd with IFQ_PURGE which happens to break on altq kernels by claudio, ryan and bluhm
  [henning, 2011-07-06, 1 file, -11/+2]