path: root/sys/net
Commit message (with date, author, files changed and lines -removed/+added)
...
* 2012-01-23 yasuoka (2 files, -11/+13): The ingress filter of pipex and npppd become configurable and disabled
  by default. After this change we need to add ppp.ingress_filter: true to npppd.conf if it is needed. ok sthen
* 2012-01-20 bluhm (1 file, -50/+21): Ansify ppp... function definitions.
  from Michael W. Bombardieri
* 2012-01-19 sthen (2 files, -22/+73): Teach pppoe(4) about RFC 4638. This allows negotiating increased MTU with
  compatible equipment provided that the physical interface and other layer 2 devices involved support and are configured to use jumbo frames.
  Manpage to follow; typical use is to request 1500 MTU for pppoe, this requires 1508+ MTU on the physical interface, e.g. "ifconfig em0 mtu 1508; ifconfig pppoe0 mtu 1500".
  Known to be usable in the UK with some ISPs (e.g. aaisp) using BT FTTC backhaul.
  From Matt Dainty, originally based on support in NetBSD, changed to decouple pppoe from physical interface MTU.
  Tested with UK FTTC by Matt, no regressions on my standard UK ADSL setup or yasuoka@'s setup (in Japan, NTT uses 1452 byte MTU for PPPoE and 1500 byte MTU for IPv6 on the same network). ok yasuoka@
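The MTU negotiation the commit above relies on happens during PPPoE discovery: the access concentrator answers with a PADO carrying an RFC 4638 PPP-Max-Payload tag, and the advertised size is only usable if the physical interface already carries 8 more bytes of PPPoE/PPP framing, which is why "em0 mtu 1508" is required for "pppoe0 mtu 1500". The C program below is an added illustration for this page, not OpenBSD's pppoe(4) code; the PADO bytes, the AC name "example-ac" and the names pppoe_negotiated_mtu, build_pado and demo_mtu are constructed for the example. It walks the tag list with length checks, accepts the larger payload only when the carrier MTU allows it, and otherwise falls back to the RFC 2516 default of 1492.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PPPoE discovery framing (RFC 2516) plus the RFC 4638 PPP-Max-Payload tag. */
#define PPPOE_VERTYPE         0x11
#define PPPOE_CODE_PADO       0x07
#define PPPOE_HDRLEN          6      /* ver/type, code, session id, length */
#define PPPOE_OVERHEAD        8      /* 6-byte PPPoE header + 2-byte PPP protocol */
#define PPPOE_TAG_EOL         0x0000
#define PPPOE_TAG_MAX_PAYLOAD 0x0120
#define PPPOE_DEFAULT_MTU     1492   /* 1500 - PPPOE_OVERHEAD, the RFC 2516 default */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/*
 * Walk the tag list of a PADO and return the PPP MTU to configure: the peer's
 * PPP-Max-Payload if the carrier already fits it plus 8 bytes of framing,
 * else 1492. Returns -1 if the packet is malformed.
 */
int pppoe_negotiated_mtu(const uint8_t *pkt, size_t pktlen, int phys_mtu)
{
    const uint8_t *p, *end;
    size_t plen;
    int mtu = PPPOE_DEFAULT_MTU;

    if (pktlen < PPPOE_HDRLEN || pkt[0] != PPPOE_VERTYPE ||
        pkt[1] != PPPOE_CODE_PADO)
        return -1;
    plen = rd16(pkt + 4);
    if (plen > pktlen - PPPOE_HDRLEN)       /* declared length exceeds the frame */
        return -1;
    p = pkt + PPPOE_HDRLEN;
    end = p + plen;
    while (p < end) {
        uint16_t type, len;

        if ((size_t)(end - p) < 4)          /* truncated tag header */
            return -1;
        type = rd16(p);
        len = rd16(p + 2);
        p += 4;
        if ((size_t)(end - p) < len)        /* tag value runs past the payload */
            return -1;
        if (type == PPPOE_TAG_EOL)
            break;
        if (type == PPPOE_TAG_MAX_PAYLOAD) {
            int want;
            if (len != 2)
                return -1;
            want = rd16(p);
            /* Only raise the MTU, and only if the carrier is set for want + 8. */
            if (want > PPPOE_DEFAULT_MTU && want + PPPOE_OVERHEAD <= phys_mtu)
                mtu = want;
        }
        p += len;
    }
    return mtu;
}

/* Constructed PADO: AC-Name, PPP-Max-Payload, End-Of-List. Returns its length. */
static size_t build_pado(uint8_t *buf, uint16_t max_payload)
{
    static const char acname[] = "example-ac";  /* made-up access concentrator */
    size_t n = PPPOE_HDRLEN;

    buf[0] = PPPOE_VERTYPE;
    buf[1] = PPPOE_CODE_PADO;
    buf[2] = buf[3] = 0;                        /* session id is 0 during discovery */
    buf[n++] = 0x01; buf[n++] = 0x02;           /* AC-Name */
    buf[n++] = 0;    buf[n++] = sizeof(acname) - 1;
    memcpy(buf + n, acname, sizeof(acname) - 1);
    n += sizeof(acname) - 1;
    buf[n++] = 0x01; buf[n++] = 0x20;           /* PPP-Max-Payload */
    buf[n++] = 0;    buf[n++] = 2;
    buf[n++] = max_payload >> 8; buf[n++] = max_payload & 0xff;
    buf[n++] = 0; buf[n++] = 0; buf[n++] = 0; buf[n++] = 0;   /* End-Of-List */
    buf[4] = (n - PPPOE_HDRLEN) >> 8;           /* payload length covers tags only */
    buf[5] = (n - PPPOE_HDRLEN) & 0xff;
    return n;
}

/*
 * Peer offers 1500; the result depends on the carrier MTU. 'chop' removes
 * bytes from the end of the frame to simulate a truncated PADO (0 = intact).
 */
int demo_mtu(int phys_mtu, size_t chop)
{
    uint8_t pado[64];
    size_t n = build_pado(pado, 1500);
    return pppoe_negotiated_mtu(pado, n - chop, phys_mtu);
}

int main(void)
{
    printf("em0 mtu 1508 -> pppoe0 mtu %d\n", demo_mtu(1508, 0));
    printf("em0 mtu 1500 -> pppoe0 mtu %d\n", demo_mtu(1500, 0));
    printf("truncated PADO -> %d\n", demo_mtu(1508, 4));
    return 0;
}
```

With the carrier at 1508 the example settles on 1500; at 1500 it stays at 1492, matching the "1508+ MTU on the physical interface" requirement. A PADO whose length field claims more bytes than the frame holds is rejected rather than read past the buffer.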
* 2012-01-18 chl (1 file, -6/+2): Remove dead assignments and newly created unused variables.
  Found by LLVM/Clang Static Analyzer. ok henning@ markus@
* 2012-01-18 yasuoka (1 file, -8/+4): Fix a problem that causes LCP keepalive timeout. In case the ack number of
  a packet that is passed to the userland has not incremented, `pipex' passed the packet mistakenly with invalid ack number. Then `npppd' will drop these packets, so that caused the problem.
  tested jmatthew ok jmatthew
* 2012-01-17 bluhm (1 file, -2/+2): Fix trailing whitespace.
* 2012-01-16 bluhm (2 files, -64/+57): Pass struct pf_pdesc to pf_walk_option6() and pf_walk_header6() to
  make their argument list shorter. Also fix a bug where pf_walk_option6() used the outer header in the pd2 case. ok henning@ mikeb@
* 2012-01-16 mikeb (1 file, -1/+55): do carp demotion adjustments on syncdev link state change.
  this prevents the backup from failing over back to master immediately after getting link back on the carpdev interface if the underlying pfsync interface went down as well. instead pfsync will request a bulk update to get new states from the master.
  sthen and mpf like the idea, ok dlg
* 2012-01-16 guenther (1 file, -15/+20): bpf devices behave similar to raw sockets and never block on write,
  so always show as writable to poll()/select(). Behavior pointed out by Fernando Gont. ok deraadt@
* 2012-01-15 bluhm (4 files, -90/+73): Calling pf_normalize_ip() from pf_setup_pdesc() was bad as the
  latter is called from pf packet logging. This resulted in normalization and reassembly of bad packets to be logged. So rearrange the code and move the call to pf_test(). ok henning@
* 2012-01-13 bluhm (1 file, -8/+43): Drop IPv6 packets built from overlapping fragments in pf reassembly.
  The reassembly state will be dropped after timeout, all related fragments are dropped until then. This is conforming to RFC 5722.
  - Sort pf_fragment fields while there.
  - If the fr_queue is empty, we had overlapping fragments, don't add new ones.
  - If we detect overlapping IPv6 fragments, flush the fr_queue and drop all fragments immediately.
  - Rearrange debug output, to make clear what happens.
  - An IPv4 fragment that is totally overlapped does not increase the bad fragment counter.
  - Put a KASSERT into pf_isfull_fragment() to make sure that the fr_queue is never empty there.
  discussed with Fernando Gont; ok henning@
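To make the RFC 5722 behaviour above concrete: once two fragments of one IPv6 datagram overlap, the reassembly queue is flushed and every further fragment of that datagram is dropped until the reassembly state times out, so an attacker cannot use a late overlapping fragment to rewrite bytes a firewall has already inspected. The C below is an added example written for this page, not the pf(4) reassembly code; the struct names, the 60-second timeout and the scenario (a 1280-byte datagram whose third fragment rewrites part of the second) are constructed. The clock passed in is monotonic, in the spirit of time_uptime, so a wall-clock step cannot shorten or extend the timeout.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAG_MAX     16
#define FRAG_TIMEOUT 60     /* seconds a reassembly state (and its poison) lives */

struct frag { uint16_t off, len; };  /* byte offset in the datagram, payload bytes */

struct frag_state {
    struct frag q[FRAG_MAX];  /* the fr_queue: sorted by offset, never overlapping */
    int nq;
    bool poisoned;            /* overlap seen: queue flushed, everything dropped */
    uint16_t total;           /* datagram length once the M=0 fragment arrived */
    uint64_t expire;          /* monotonic uptime at which the state is freed */
};

enum verdict { V_QUEUED, V_COMPLETE, V_DROP };

/* True when the queue covers 0..total without holes. */
static bool frag_complete(const struct frag_state *st)
{
    uint16_t next = 0;
    int i;

    if (st->total == 0)
        return false;
    for (i = 0; i < st->nq; i++) {
        if (st->q[i].off != next)
            return false;
        next = st->q[i].off + st->q[i].len;
    }
    return next == st->total;
}

/* One fragment of the datagram tracked by st; 'now' is a monotonic clock. */
enum verdict frag6_input(struct frag_state *st, uint16_t off, uint16_t len,
    bool more, uint64_t now)
{
    int i;

    if (st->nq == 0 && !st->poisoned)        /* first fragment: start the timer */
        st->expire = now + FRAG_TIMEOUT;
    if (now >= st->expire) {                  /* timed out: forget everything */
        memset(st, 0, sizeof(*st));
        st->expire = now + FRAG_TIMEOUT;
    }
    if (st->poisoned)                         /* RFC 5722: drop until timeout */
        return V_DROP;
    if (len == 0 || (more && len % 8 != 0))   /* RFC 2460 fragment rules */
        return V_DROP;
    if (st->total != 0 && off + len > st->total)
        return V_DROP;                        /* beyond the known end */
    for (i = 0; i < st->nq && st->q[i].off < off; i++)
        ;
    /* Any byte already queued, including an exact duplicate, is an overlap. */
    if ((i > 0 && st->q[i - 1].off + st->q[i - 1].len > off) ||
        (i < st->nq && off + len > st->q[i].off)) {
        st->nq = 0;                           /* flush the fr_queue */
        st->poisoned = true;                  /* and refuse this datagram from now on */
        return V_DROP;
    }
    if (st->nq == FRAG_MAX)
        return V_DROP;
    memmove(&st->q[i + 1], &st->q[i], (st->nq - i) * sizeof(st->q[0]));
    st->q[i].off = off;
    st->q[i].len = len;
    st->nq++;
    if (!more)
        st->total = off + len;
    return frag_complete(st) ? V_COMPLETE : V_QUEUED;
}

/*
 * Constructed fragments of one 1280-byte datagram. Index 2 overlaps index 1.
 * Replays the chosen fragments at uptime 100, the last one at 'last_at',
 * and returns the verdict on the last one.
 */
static enum verdict replay(const int *idx, int n, uint64_t last_at)
{
    static const struct frag f[] = { {0, 400}, {400, 400}, {600, 680}, {800, 480} };
    static const bool more[] = { true, true, false, false };
    struct frag_state st;
    enum verdict v = V_DROP;
    int i;

    memset(&st, 0, sizeof(st));
    for (i = 0; i < n; i++)
        v = frag6_input(&st, f[idx[i]].off, f[idx[i]].len, more[idx[i]],
            i == n - 1 ? last_at : 100);
    return v;
}

enum verdict demo_clean(void) { static const int i[] = {0, 1, 3}; return replay(i, 3, 101); }
enum verdict demo_overlap(void) { static const int i[] = {0, 1, 2}; return replay(i, 3, 101); }
/* The well-formed last fragment arriving 'later' seconds after the overlap. */
enum verdict demo_after_overlap(uint64_t later)
{ static const int i[] = {0, 1, 2, 3}; return replay(i, 4, 101 + later); }

int main(void)
{
    printf("clean %d, overlap %d, 1s after %d, 60s after %d\n", demo_clean(),
        demo_overlap(), demo_after_overlap(1), demo_after_overlap(60));
    return 0;
}
```

The clean replay completes; the overlapping fragment is dropped and so is the legitimate fragment that follows one second later, because the state is poisoned. Sixty seconds on, the state has timed out and the same fragment starts a fresh queue, which is the "dropped until timeout" rule from the message.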
* 2012-01-11 bluhm (2 files, -23/+10): Ansify raw_... function definitions. No binary change.
  from Michael W. Bombardieri; ok henning@
* 2012-01-11 dhill (1 file, -47/+16): ansify and de'register some prototypes
  ok miod@
* 2012-01-03 bluhm (1 file, -4/+3): To access the ifaddr of an in_ifaddr or in6_ifaddr struct, it is
  cleaner to access the first member via ia_ifa instead of casting. No binary change. ok henning@ krw@
* 2012-01-03 bluhm (1 file, -24/+19): Instead of having two functions pf_free_fragment() and pf_remove_fragment()
  doing more or less the same, merge them into one. Just remove fragment entries from the queue in pf_join_fragment() before they are freed. Then pf_remove_fragment() is not needed anymore. ok henning@
* 2011-12-21 mpf (1 file, -32/+12): Just use pd->sidx and pd->didx to reverse the state key arguments
  in pf_test_state_*(). This needs less code and is more consistent. OK mikeb, markus, henning.
* 2011-12-21 mikeb (1 file, -3/+4): don't attempt to run pf_translate on fragments: it will fail miserably.
  also don't do af translation if pf_translate didn't succeed. ok henning
* 2011-12-19 mikeb (1 file, -4/+10): improve the icmp direction check to deal correctly with af-to states
  (there is only one state and its direction is always PF_IN) and don't exclude icmp echo replies from the test. ok mcbride, claudio on previous version, ok henning, "looks good" deraadt
* 2011-12-12 mikeb (3 files, -7/+7): fixup af-to regression with match rules
  pfctl should not infer the af-to behavior from the af/naf difference. instead, we should be clear that this is an af-to rule. essentially this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so that we don't rely on ambiguous checks (like r->af != r->naf) when setting things up.
  positive review and comments from claudio, ok henning, sperreault
* 2011-12-06 blambert (1 file, -6/+3): Remove needless temporary variable for greater clarity.
  testing sthen@ ok sthen@ henning@ dlg@
* 2011-12-06 blambert (1 file, -7/+2): don't duplicate rtfree actions taken by rtrequest1() in rtdeletemsg()
  testing sthen@ ok sthen@ henning@ dlg@
* 2011-12-06 blambert (1 file, -8/+9): simplify the somewhat-tangled conditional maze in rt_getifa()
  testing sthen@ ok sthen@ henning@ dlg@
* 2011-12-02 haesbaert (2 files, -7/+4): Kill unused IFCAP_IPSEC and IFCAP_IPCOMP.
  ok claudio@ henning@ mikeb@
* 2011-12-01 mcbride (1 file, -2/+2): Make sure we only enter pf_route() when undefering in the PF_ROUTETO case.
  ok dlg claudio
* 2011-11-29 dlg (3 files, -13/+13): use a u_int64_t for the state id in pfsync_state. this makes it consistent
  with every other thing that stores the state id (including other pfsync messages).
  includes improvements to the systat code to consider the creatorid as well as the state id in its cache to avoid collisions between states created on different hosts.
  tested by me in production and on amd64 talking to sparc64. ok henning@
* 2011-11-28 dlg (3 files, -9/+5): deprecate PFTM_UNTIL_PACKET. nothing in the tree uses it, and
  pf_state_expires() handled it incorrectly. discussed with mikeb@ ok henning@
* 2011-11-27 mikeb (1 file, -3/+3): Protect more operations in the pfsync_clone_destroy to prevent
  accidental race conditions. From Erik Lax, thanks! ok dlg
* 2011-11-27 haesbaert (1 file, -3/+2): Kill old comment, we already do 802.1p tagging.
* 2011-11-26 haesbaert (1 file, -28/+7): Tie the 802.1p (CoS) value in vlan(4) with the new prio scheme in pf.
  When transmitting through vlan(4), it will now use the prio value in the pf packet header. When receiving, we save the incoming CoS in the same place, this gives us the ability to preserve the CoS value across two different vlan interfaces.
  This kills the SIOC[GS]VLANPRIO ioctls and removes the corresponding buttons from ifconfig(8). ok henning@ claudio@ mcbride@
* 2011-11-26 mcbride (3 files, -14/+35): Apply route-to to deferred packet; without this the first packet of a
  connection does not observe the route-to option. ok dlg mikeb
* 2011-11-25 yasuoka (2 files, -3/+13): fix compile errors without INET6. no binary change.
  pointed out by Julien Crapovich on misc@ ok deraadt mikeb
* 2011-11-25 dlg (5 files, -12/+12): use time_uptime to set state creation values as time_second can be
  skewed at runtime by things like date(1) and ntpd. time_uptime is monotonic and therefore more useful to compare against. ok deraadt@ mikeb@
* 2011-11-16 mikeb (1 file, -3/+6): Improve flag setting ioctl so that bulk updates are requested
  only when we're going up, not when we set PROMISC or any other flag. Fixes spontaneous CARP failovers when running tcpdump on pfsync. ok henning, mcbride, camield
* 2011-11-12 claudio (1 file, -2/+2): Fix a comment
  From Abel Abraham Camarillo Ojeda, reminded by Brad.
* 2011-11-09 camield (1 file, -12/+11): State expire time is a baseline time ("last active") for expiry
  calculations, and does _not_ denote the time when to expire. So it should never be added to (set into the future). Try to reconstruct it with an educated guess on state import and just set it to the current time on state updates.
  This fixes a problem on pfsync listeners where the expiry time could be double the expected value and cause a lot more states to linger.
  Timeout code from mikeb. Found and tested by Maxim Bourmistrov. ok mikeb dlg
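The doubling described above is easy to reproduce once the two roles of the field are separated: the state stores the uptime at which it was last active, and the expiry check adds the idle timeout to that baseline. If a pfsync listener instead stores a deadline there, the timeout gets added a second time. The C below is an added example for this page, not pf(4) or pfsync(4) code; the struct, the 60-second timeout and the 30 seconds of remaining lifetime are constructed, and state_import_future stands for the pattern the commit warns against rather than for the exact previous code. As in the time_uptime commit below, the clock is a monotonic uptime, so the arithmetic cannot be thrown off by date(1) or ntpd stepping the wall clock.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * The expiry-relevant part of a pf state. 'expire' is the baseline: the
 * monotonic uptime (time_uptime) at which the state was last active, not
 * the moment it should die.
 */
struct pf_state_lite {
    uint32_t expire;   /* last-active timestamp, seconds of uptime */
    uint32_t timeout;  /* idle timeout for this state's protocol and stage */
};

/* Deadline = baseline + idle timeout (the pf_state_expires() calculation). */
uint32_t state_expires_at(const struct pf_state_lite *s)
{
    return s->expire + s->timeout;
}

/* Seconds left before the state dies; this is what a pfsync update carries. */
uint32_t state_seconds_left(const struct pf_state_lite *s, uint32_t now)
{
    uint32_t at = state_expires_at(s);
    return at > now ? at - now : 0;
}

/* Packet activity or a pfsync update: set the baseline to the current uptime. */
void state_touch(struct pf_state_lite *s, uint32_t now)
{
    s->expire = now;
}

/*
 * Listener import, the pattern to avoid: the remaining lifetime is turned
 * into a deadline and stored as the baseline. Every later expiry check adds
 * the timeout again, so the state lingers for 'left' + 'timeout' seconds.
 */
void state_import_future(struct pf_state_lite *s, uint32_t left,
    uint32_t timeout, uint32_t now)
{
    s->timeout = timeout;
    s->expire = now + left;
}

/*
 * Listener import, baseline way: reconstruct when the state was last active
 * from the time left. Clamp so a peer cannot advertise more than the timeout,
 * and do not wrap below uptime zero on a freshly booted box.
 */
void state_import_baseline(struct pf_state_lite *s, uint32_t left,
    uint32_t timeout, uint32_t now)
{
    uint32_t age;

    if (left > timeout)
        left = timeout;
    age = timeout - left;
    s->timeout = timeout;
    s->expire = now > age ? now - age : 0;
}

/* Seconds a listener keeps a state the master says has 30 s of a 60 s timeout left. */
uint32_t demo_linger(int future_import)
{
    struct pf_state_lite s;
    uint32_t now = 1000;   /* constructed uptime */

    if (future_import)
        state_import_future(&s, 30, 60, now);
    else
        state_import_baseline(&s, 30, 60, now);
    return state_seconds_left(&s, now);
}

/* After a state update at uptime 1010 the state is good for a full timeout again. */
uint32_t demo_after_touch(void)
{
    struct pf_state_lite s;

    state_import_baseline(&s, 30, 60, 1000);
    state_touch(&s, 1010);
    return state_seconds_left(&s, 1010);
}

int main(void)
{
    printf("future import lingers %u s, baseline import %u s, after touch %u s\n",
        demo_linger(1), demo_linger(0), demo_after_touch());
    return 0;
}
```

The future-style import keeps the state for 90 seconds where the master would keep it for 30; the baseline import yields the expected 30, and an update resets the full 60-second window.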
* 2011-11-04 mikeb (1 file, -2/+14): Select a correct protocol for a stack side state key when importing
  an icmp<->icmp6 state (nat64); ok henning, mcbride, dlg
* 2011-11-02 haesbaert (1 file, -4/+3): Expose if_capabilities to userland so that ifconfig can display the
  device hardware features. Tune ifconfig to show them with 'hwfeatures' argument. While here, kill some old unused capabilities and respect 80 columns in brconfig.h. ok mcbride@, henning@, mpf@.
* 2011-10-31 mikeb (1 file, -1/+2): Don't forget to cancel bulk update failure timeout when destroying an
  interface. Problem report and fix from Erik Lax, thanks!
* 2011-10-30 mikeb (1 file, -7/+6): Allow setting big MTU values on the pfsync interface but not larger
  than the syncdev MTU. Prompted by the discussion with and tested by Maxim Bourmistrov; ok dlg, mpf
* 2011-10-28 krw (1 file, -1/+4): Take more care to ensure all callbacks are initialized. In particular
  tr_linkstate() was not initialized in trunk_rr_attach(), and tr_init() and tr_stop() were missing in trunk_lb_attach(). Fixes crash triggered by changing trunkproto, reported by Anders Berggren on bugs@. ok mpf henning
* 2011-10-25 dlg (1 file, -3/+3): I didn't copy the tun code properly. fix a use of an uninitialised value found
  by pedro/gcc.
* 2011-10-24 camield (1 file, -8/+3): Don't detach interface from group in if_clone_destroy(),
  if_detach() handles this ok. carpdetach() can now lower the demote count on the carp group correctly. ok henning mpf
* 2011-10-21 mikeb (1 file, -9/+29): strengthen some checks to prevent m_copy* routines from operating
  on mbuf chains of insufficient length; prevents crashes seen by dhill. also bring in some chunks that were omitted in the nat64 commit and are essential for correct packet interpretation. tested by dhill and me, ok henning
* 2011-10-21 mikeb (1 file, -1/+5): add forgotten fixup for icmp6 id's when translating; ok henning
* 2011-10-20 mikeb (1 file, -22/+1): remove a bogus chunk accidentally introduced by mcbride in rev1.141;
  mcbride agrees, ok mpf, dlg
* 2011-10-15 yasuoka (4 files, -66/+172): Added "provision for rewound PPP frames" that allows receiving
  reordered packets and passing them to the upper layer without reordering. It will improve performance (throughput or loss rate) for PPTP or L2TP(/IPsec) on networks whose latency is unstable such as mobile networks.
  In our test environment (bandwidth: 6Mbps, latency: 50ms for 97% of traffic and 52ms for the rest of traffic), throughput changed from 0.76MB to 2.17MB on file upload by PPTP-connected Windows Vista ftp.exe.
  Developed by UMEZAWA Takeshi at IIJ. ok jmatthew@ tested jmatthew@ and myself.
* 2011-10-13 claudio (7 files, -173/+1173): Since the IPv6 madness is not enough introduce NAT64 -- which is actually
  "af-to" a generic IP version translator for pf(4). Not everything perfect yet but lets fix these things in the tree. Insane amount of work done by sperreault@, mikeb@ and reyk@. Looked over by mcbride@ henning@ and myself at eurobsdcon. OK mcbride@ and general put it in from deraadt@
* 2011-10-07 henning (3 files, -28/+28): rename some vars and functions
  unfortunately altq is one giant namespace violation. rename just those that conflict with new stuff for now only to be found on my laptop. reduce pain, the diff is huge already. ok ryan
* 2011-10-07 henning (1 file, -3/+1): remove inaccurate comment - we don't have state tableS any more, there is
  just one and the variable name is clear enough. ryan ok
* 2011-10-07 henning (1 file, -4/+1): pf_poolqueue is long dead, remove corpses. from eurobsdcon, ryan ok