Re: svn commit: r327675 - head/sys/netpfil/pf

2018-01-07 Thread Kristof Provost
On 7 Jan 2018, at 15:44, Konstantin Belousov wrote: On Sun, Jan 07, 2018 at 01:35:15PM +, Kristof Provost wrote: Author: kp Date: Sun Jan 7 13:35:15 2018 New Revision: 327675 URL: https://svnweb.freebsd.org/changeset/base/327675 Log: pf: Avoid integer overflow issues by using

svn commit: r327677 - head/sys/contrib/vchiq/interface/compat

2018-01-07 Thread Kristof Provost
Author: kp Date: Sun Jan 7 13:41:06 2018 New Revision: 327677 URL: https://svnweb.freebsd.org/changeset/base/327677 Log: vchiq: Use mallocarray() to provide kcalloc() This means we now also provide integer overflow protection, like the Linux kcalloc(). Modified:

svn commit: r327676 - head/sys/compat/linuxkpi/common/include/linux

2018-01-07 Thread Kristof Provost
Author: kp Date: Sun Jan 7 13:39:12 2018 New Revision: 327676 URL: https://svnweb.freebsd.org/changeset/base/327676 Log: linuxkpi: Implement kcalloc() based on mallocarray() This means we now get integer overflow protection, which Linux code might expect as it is also provided by

svn commit: r327675 - head/sys/netpfil/pf

2018-01-07 Thread Kristof Provost
Author: kp Date: Sun Jan 7 13:35:15 2018 New Revision: 327675 URL: https://svnweb.freebsd.org/changeset/base/327675 Log: pf: Avoid integer overflow issues by using mallocarray() iso. malloc() pfioctl() handles several ioctl that takes variable length input, these include: -

svn commit: r327674 - in head: share/man/man9 sys/kern sys/sys

2018-01-07 Thread Kristof Provost
Author: kp Date: Sun Jan 7 13:21:01 2018 New Revision: 327674 URL: https://svnweb.freebsd.org/changeset/base/327674 Log: Introduce mallocarray() in the kernel Similar to calloc() the mallocarray() function checks for integer overflows before allocating memory. It does not zero memory,

svn commit: r327434 - head/sys/netpfil/pf

2017-12-31 Thread Kristof Provost
Author: kp Date: Sun Dec 31 16:18:13 2017 New Revision: 327434 URL: https://svnweb.freebsd.org/changeset/base/327434 Log: pf: Allow the module to be unloaded pf can now be safely unloaded. Most of this code is exercised on vnet jail shutdown. Don't block unloading. Modified:

Re: svn commit: r327270 - head/sbin/pfctl

2017-12-31 Thread Kristof Provost
On 28 Dec 2017, at 5:33, Warner Losh wrote: > Author: imp > Date: Thu Dec 28 05:33:54 2017 > New Revision: 327270 > URL: https://svnweb.freebsd.org/changeset/base/327270 > > Log: > Free path before returning. > > CID: 977827 > Thanks! Kristof

svn commit: r327433 - in head/sys: net netpfil/pf

2017-12-31 Thread Kristof Provost
Author: kp Date: Sun Dec 31 10:01:31 2017 New Revision: 327433 URL: https://svnweb.freebsd.org/changeset/base/327433 Log: pf: Clean all fragments on shutdown When pf is unloaded, or a vnet jail using pf is stopped we need to ensure we clean up all fragments, not just the expired ones.

Re: svn commit: r326497 - in head: etc/mtree tests/sys tests/sys/netipsec tests/sys/netipsec/tunnel

2017-12-03 Thread Kristof Provost
On 3 Dec 2017, at 19:20, Alan Somers wrote: > On Sun, Dec 3, 2017 at 6:52 AM, Kristof Provost <k...@freebsd.org> wrote: > >> Author: kp >> Date: Sun Dec 3 13:52:35 2017 >> New Revision: 326497 >> URL: https://svnweb.freebsd.org/changeset/base/326497 >>

svn commit: r326500 - head/tests/sys/netipsec/tunnel

2017-12-03 Thread Kristof Provost
Author: kp Date: Sun Dec 3 18:35:07 2017 New Revision: 326500 URL: https://svnweb.freebsd.org/changeset/base/326500 Log: tests: ipsec: Don't load/unload aesni.ko in the test header We can't kldunload in the test head as Kyua interprets any output from them. This would lead to syntax

svn commit: r326497 - in head: etc/mtree tests/sys tests/sys/netipsec tests/sys/netipsec/tunnel

2017-12-03 Thread Kristof Provost
Author: kp Date: Sun Dec 3 13:52:35 2017 New Revision: 326497 URL: https://svnweb.freebsd.org/changeset/base/326497 Log: Add IPSec tests in tunnel mode Some IPSec in tunnel mode allowing to test multiple IPSec configurations. These tests are reusing the jail/vnet scripts from pf

svn commit: r326415 - stable/11/etc/rc.d

2017-11-30 Thread Kristof Provost
Author: kp Date: Thu Nov 30 21:38:09 2017 New Revision: 326415 URL: https://svnweb.freebsd.org/changeset/base/326415 Log: MFC r320696: Allow ipsec to run in vnet jails ipsec is usable in vnet jails, so allow it to run there. PR: 211364 Submitted by: Matthias Meyser

svn commit: r326414 - stable/10/sbin/pfctl

2017-11-30 Thread Kristof Provost
Author: kp Date: Thu Nov 30 21:32:28 2017 New Revision: 326414 URL: https://svnweb.freebsd.org/changeset/base/326414 Log: MFC r325850: pfctl: teach route-to to deal with interfaces with multiple addresses The route_host parsing code set the interface name, but only for the first

svn commit: r326413 - stable/11/sbin/pfctl

2017-11-30 Thread Kristof Provost
Author: kp Date: Thu Nov 30 21:21:22 2017 New Revision: 326413 URL: https://svnweb.freebsd.org/changeset/base/326413 Log: MFC r325850: pfctl: teach route-to to deal with interfaces with multiple addresses The route_host parsing code set the interface name, but only for the first

svn commit: r325850 - head/sbin/pfctl

2017-11-15 Thread Kristof Provost
Author: kp Date: Wed Nov 15 12:27:02 2017 New Revision: 325850 URL: https://svnweb.freebsd.org/changeset/base/325850 Log: pfctl: teach route-to to deal with interfaces with multiple addresses The route_host parsing code set the interface name, but only for the first node_host in the

Re: svn commit: r324657 - head/usr.sbin/wlandebug

2017-11-04 Thread Kristof Provost
On 16 Oct 2017, at 15:01, Andriy Voskoboinyk wrote: Author: avos Date: Mon Oct 16 07:01:27 2017 New Revision: 324657 URL: https://svnweb.freebsd.org/changeset/base/324657 Log: wlandebug(8): obtain original interface name via ifconfig_get_orig_name() Modified:

svn commit: r325283 - head/sys/net

2017-11-01 Thread Kristof Provost
Author: kp Date: Wed Nov 1 14:27:26 2017 New Revision: 325283 URL: https://svnweb.freebsd.org/changeset/base/325283 Log: epair: Fix panic on unload The VNET_SYSUNINIT() callback is executed after the MOD_UNLOAD. That means that netisr_unregister() has already been called when

svn commit: r325282 - stable/11/sys/netinet6

2017-11-01 Thread Kristof Provost
Author: kp Date: Wed Nov 1 13:54:16 2017 New Revision: 325282 URL: https://svnweb.freebsd.org/changeset/base/325282 Log: MFC r324996: Evaluate packet size after the firewall had its chance in the ip6 fast path Defer the packet size check until after the firewall has had a look at it.

svn commit: r325022 - head/tests/sys/netpfil/pf

2017-10-26 Thread Kristof Provost
Author: kp Date: Thu Oct 26 20:55:33 2017 New Revision: 325022 URL: https://svnweb.freebsd.org/changeset/base/325022 Log: pf tests: Remove temporary files Remove the created_jails.lst and created_interfaces.lst files in the cleanup code. Modified: head/tests/sys/netpfil/pf/utils.subr

svn commit: r325021 - head/tests/sys/netpfil/pf

2017-10-26 Thread Kristof Provost
Author: kp Date: Thu Oct 26 20:54:52 2017 New Revision: 325021 URL: https://svnweb.freebsd.org/changeset/base/325021 Log: pf tests: Fragmentation (v6) test Test fragmentation handling (i.e. scrub fragment reassemble) code for IPv6. Two simple tests: Ping a host (jail) and test

svn commit: r325020 - head/tests/sys/netpfil/pf

2017-10-26 Thread Kristof Provost
Author: kp Date: Thu Oct 26 20:53:56 2017 New Revision: 325020 URL: https://svnweb.freebsd.org/changeset/base/325020 Log: pf tests: destroy jails before destroying interfaces When cleaning up we must destroy the jails before we destroy the interfaces. Otherwise we might try to destroy

svn commit: r324996 - head/sys/netinet6

2017-10-25 Thread Kristof Provost
Author: kp Date: Wed Oct 25 19:21:48 2017 New Revision: 324996 URL: https://svnweb.freebsd.org/changeset/base/324996 Log: Evaluate packet size after the firewall had its chance in the ip6 fast path Defer the packet size check until after the firewall has had a look at it. This means

svn commit: r324664 - head/tests/sys/netpfil/pf

2017-10-16 Thread Kristof Provost
Author: kp Date: Mon Oct 16 15:05:32 2017 New Revision: 324664 URL: https://svnweb.freebsd.org/changeset/base/324664 Log: pf tests: Use pft_set_rules everywhere We now have a utility function to set pf rules in the jail. Use it whenever we need to set the pf rules in the test jail.

svn commit: r324663 - head/tests/sys/netpfil/pf

2017-10-16 Thread Kristof Provost
Author: kp Date: Mon Oct 16 15:03:45 2017 New Revision: 324663 URL: https://svnweb.freebsd.org/changeset/base/324663 Log: pf tests: Basic IPv6 forwarding tests Pass/block packets in the forwarding path with pf. Introduce the pft_set_rules() helper function, because we need to

svn commit: r324662 - head/tests/sys/netpfil/pf

2017-10-16 Thread Kristof Provost
Author: kp Date: Mon Oct 16 15:01:49 2017 New Revision: 324662 URL: https://svnweb.freebsd.org/changeset/base/324662 Log: pf: test set-tos Introduce tests for the set-tos feature of pf. Teach pft_ping.py to send and verify ToS flags. Added: head/tests/sys/netpfil/pf/set_tos.sh

svn commit: r324608 - head/etc/devd

2017-10-13 Thread Kristof Provost
Author: kp Date: Fri Oct 13 20:29:35 2017 New Revision: 324608 URL: https://svnweb.freebsd.org/changeset/base/324608 Log: Regenerate usb.conf Modified: head/etc/devd/usb.conf Modified: head/etc/devd/usb.conf == ---

svn commit: r324607 - in head/sys/dev/usb: . serial

2017-10-13 Thread Kristof Provost
Author: kp Date: Fri Oct 13 19:41:35 2017 New Revision: 324607 URL: https://svnweb.freebsd.org/changeset/base/324607 Log: Support the D-Link DWM-222 LTE Dongle Submitted by: Daniel Hänschke Modified: head/sys/dev/usb/serial/u3g.c head/sys/dev/usb/usbdevs

svn commit: r324376 - head/tests/sys/netpfil/pf

2017-10-06 Thread Kristof Provost
Author: kp Date: Fri Oct 6 20:51:32 2017 New Revision: 324376 URL: https://svnweb.freebsd.org/changeset/base/324376 Log: pf: Very basic forwarding test This test illustrates the use of scapy to test pf. Differential Revision: https://reviews.freebsd.org/D12581 Added:

svn commit: r324375 - in head: etc/mtree tests/sys tests/sys/netpfil tests/sys/netpfil/pf

2017-10-06 Thread Kristof Provost
Author: kp Date: Fri Oct 6 20:43:14 2017 New Revision: 324375 URL: https://svnweb.freebsd.org/changeset/base/324375 Log: pf: Basic automated test using VIMAGE If VIMAGE is present we can start jails with their own pf instance. This makes it fairly easy to run tests. For example, this

svn commit: r324116 - stable/10/sys/net

2017-09-30 Thread Kristof Provost
Author: kp Date: Sat Sep 30 10:16:15 2017 New Revision: 324116 URL: https://svnweb.freebsd.org/changeset/base/324116 Log: MFC r323864 bridge: Set module version This ensures that the loader will not load the module if it's also built in to the kernel. PR: 220860

svn commit: r324115 - stable/11/sys/net

2017-09-30 Thread Kristof Provost
Author: kp Date: Sat Sep 30 10:15:04 2017 New Revision: 324115 URL: https://svnweb.freebsd.org/changeset/base/324115 Log: MFC r323864 bridge: Set module version This ensures that the loader will not load the module if it's also built in to the kernel. PR: 220860

svn commit: r323864 - head/sys/net

2017-09-21 Thread Kristof Provost
Author: kp Date: Thu Sep 21 14:14:01 2017 New Revision: 323864 URL: https://svnweb.freebsd.org/changeset/base/323864 Log: bridge: Set module version This ensures that the loader will not load the module if it's also built in to the kernel. PR: 220860 Submitted by: Eugene

svn commit: r323034 - stable/11/sys/net

2017-08-30 Thread Kristof Provost
Author: kp Date: Wed Aug 30 21:18:56 2017 New Revision: 323034 URL: https://svnweb.freebsd.org/changeset/base/323034 Log: MFC r322590: bpf: Fix incorrect cleanup Cleaning up a bpf_if is a two stage process. We first move it to the bpf_freelist (in bpfdetach()) and only later do we

svn commit: r322591 - stable/11/sys/netpfil/pf

2017-08-16 Thread Kristof Provost
Author: kp Date: Wed Aug 16 19:52:31 2017 New Revision: 322591 URL: https://svnweb.freebsd.org/changeset/base/322591 Log: MFC r322280: pf_get_sport(): Prevent possible endless loop when searching for an unused nat port This is an import of Alexander Bluhm's OpenBSD commit r1.60, the

svn commit: r322590 - head/sys/net

2017-08-16 Thread Kristof Provost
Author: kp Date: Wed Aug 16 19:40:07 2017 New Revision: 322590 URL: https://svnweb.freebsd.org/changeset/base/322590 Log: bpf: Fix incorrect cleanup Cleaning up a bpf_if is a two stage process. We first move it to the bpf_freelist (in bpfdetach()) and only later do we actually free it

svn commit: r322280 - head/sys/netpfil/pf

2017-08-08 Thread Kristof Provost
Author: kp Date: Tue Aug 8 21:09:26 2017 New Revision: 322280 URL: https://svnweb.freebsd.org/changeset/base/322280 Log: pf_get_sport(): Prevent possible endless loop when searching for an unused nat port This is an import of Alexander Bluhm's OpenBSD commit r1.60, the first chunk had

svn commit: r321771 - head/usr.bin/calendar/calendars

2017-07-31 Thread Kristof Provost
/10 Jean-Yves Lefort <jylef...@freebsd.org> born in Charleroi, Belgium, 1980 01/12 Yen-Ming Lee <le...@freebsd.org> born in Taipei, Taiwan, Republic of China, 1977 01/12 Ying-Chieh Liao <ijl...@freebsd.org> born in Taipei, Taiwan, Republic of China, 1979 +01/12

svn commit: r321687 - stable/11/lib/libsysdecode

2017-07-29 Thread Kristof Provost
Author: kp Date: Sat Jul 29 17:30:25 2017 New Revision: 321687 URL: https://svnweb.freebsd.org/changeset/base/321687 Log: MFC r321370 Handle WITH/WITHOUT_PF in libsysdecode Only filter out the PF ioctls if we're building without pf support. Until now those were always filtered out,

Re: svn commit: r320802 - head/etc/rc.d

2017-07-29 Thread Kristof Provost
On 29 Jul 2017, at 17:20, Harry Schmalzbauer wrote: Regarding Kristof Provost's message of 08.07.2017 11:28 (localtime): Author: kp Date: Sat Jul 8 09:28:31 2017 New Revision: 320802 URL: https://svnweb.freebsd.org/changeset/base/320802 Log: Allow more services to run in vnet jails Do

svn commit: r321679 - head/sys/dev/virtio/network

2017-07-29 Thread Kristof Provost
Author: kp Date: Sat Jul 29 09:22:48 2017 New Revision: 321679 URL: https://svnweb.freebsd.org/changeset/base/321679 Log: vtnet: Support jumbo frames without TSO/GSO Currently in Virtio driver without TSO/GSO features enabled, the max scatter gather segments for the TX path can be 4,

Re: svn commit: r321370 - head/lib/libsysdecode

2017-07-23 Thread Kristof Provost
On 22 Jul 2017, at 17:42, Ngie Cooper (yaneurabeya) wrote: > On Jul 22, 2017, at 5:51 AM, Kristof Provost <k...@freebsd.org> wrote: Author: kp Date: Sat Jul 22 12:51:19 2017 New Revision: 321370 URL: https://svnweb.freebsd.org/changeset/base/321370 Log: Handle WITH/WITHOUT_PF in lib

svn commit: r321370 - head/lib/libsysdecode

2017-07-22 Thread Kristof Provost
Author: kp Date: Sat Jul 22 12:51:19 2017 New Revision: 321370 URL: https://svnweb.freebsd.org/changeset/base/321370 Log: Handle WITH/WITHOUT_PF in libsysdecode Only filter out the PF ioctls if we're building without pf support. Until now those were always filtered out, so truss did not

svn commit: r321296 - stable/11/sys/netpfil/pf

2017-07-20 Thread Kristof Provost
Author: kp Date: Thu Jul 20 17:15:18 2017 New Revision: 321296 URL: https://svnweb.freebsd.org/changeset/base/321296 Log: MFC r312943 Do not run the pf purge thread while the VNET variables are not initialized, this can cause a divide by zero (if the VNET initialization takes too long

svn commit: r321030 - in head: etc/mtree sbin/pfctl sbin/pfctl/tests sbin/pfctl/tests/files targets/pseudo/tests

2017-07-15 Thread Kristof Provost
Author: kp Date: Sat Jul 15 19:22:01 2017 New Revision: 321030 URL: https://svnweb.freebsd.org/changeset/base/321030 Log: pfctl parser tests Copy the most important test cases from OpenBSD's corresponding src/regress/sbin/pfctl, those that run pfctl on a test input file and check

svn commit: r320848 - head/sys/netpfil/pf

2017-07-09 Thread Kristof Provost
Author: kp Date: Sun Jul 9 17:56:39 2017 New Revision: 320848 URL: https://svnweb.freebsd.org/changeset/base/320848 Log: pf: Fix vnet purging pf_purge_thread() breaks up the work of iterating all states (in pf_purge_expired_states()) and tracks progress in the idx variable. If

svn commit: r320802 - head/etc/rc.d

2017-07-08 Thread Kristof Provost
Author: kp Date: Sat Jul 8 09:28:31 2017 New Revision: 320802 URL: https://svnweb.freebsd.org/changeset/base/320802 Log: Allow more services to run in vnet jails After some tests, here are the services that run into a vnet jail: - defaultroute - dhclient - ip6addrctl -

svn commit: r320696 - head/etc/rc.d

2017-07-05 Thread Kristof Provost
Author: kp Date: Wed Jul 5 20:00:58 2017 New Revision: 320696 URL: https://svnweb.freebsd.org/changeset/base/320696 Log: Allow ipsec to run in vnet jails ipsec is usable in vnet jails, so allow it to run there. PR: 211364 Submitted by: Matthias Meyser Modified:

svn commit: r320618 - head/etc/rc.d

2017-07-03 Thread Kristof Provost
Author: kp Date: Mon Jul 3 20:36:58 2017 New Revision: 320618 URL: https://svnweb.freebsd.org/changeset/base/320618 Log: Allow rtadvd and bsnmpd to run in vnet jails Both of these tools are usable in vnet jails, so allow them to run there. PR: 220431, 220432 Submitted by:

Re: svn commit: r318160 - in head: sbin/ifconfig sys/net sys/sys

2017-05-10 Thread Kristof Provost
On 11 May 2017, at 11:05, Kristof Provost wrote: On 11 May 2017, at 3:43, Ravi Pokala wrote: Author: rpokala Date: Wed May 10 22:13:47 2017 New Revision: 318160 URL: https://svnweb.freebsd.org/changeset/base/318160 Log: Persistently store NIC's hardware MAC address, and add a way to retrieve

Re: svn commit: r318160 - in head: sbin/ifconfig sys/net sys/sys

2017-05-10 Thread Kristof Provost
On 11 May 2017, at 3:43, Ravi Pokala wrote: Author: rpokala Date: Wed May 10 22:13:47 2017 New Revision: 318160 URL: https://svnweb.freebsd.org/changeset/base/318160 Log: Persistently store NIC's hardware MAC address, and add a way to retrieve it Modified: head/sys/net/if_ethersubr.c

svn commit: r317907 - head/sys/netpfil/pf

2017-05-07 Thread Kristof Provost
Author: kp Date: Sun May 7 14:33:58 2017 New Revision: 317907 URL: https://svnweb.freebsd.org/changeset/base/317907 Log: pf: Fix vnet initialisation When running the vnet init code (pf_load_vnet()) we used to iterate over all vnets, marking them as unhooked. This is incorrect and

svn commit: r317773 - head/sys/netpfil/pf

2017-05-03 Thread Kristof Provost
Author: kp Date: Wed May 3 20:56:54 2017 New Revision: 317773 URL: https://svnweb.freebsd.org/changeset/base/317773 Log: pf: Fix panic on unload vnet_pf_uninit() is called through vnet_deregister_sysuninit() and linker_file_unload() when the pf module is unloaded. This is executed

svn commit: r317333 - in stable/11/sys: netinet6 netpfil/pf

2017-04-23 Thread Kristof Provost
Author: kp Date: Sun Apr 23 08:58:50 2017 New Revision: 317333 URL: https://svnweb.freebsd.org/changeset/base/317333 Log: MFC r317186 pf: Fix possible incorrect IPv6 fragmentation When forwarding pf tracks the size of the largest fragment in a fragmented packet, and refragments

svn commit: r317335 - in stable/10/sys: netinet6 netpfil/pf

2017-04-23 Thread Kristof Provost
Author: kp Date: Sun Apr 23 08:59:57 2017 New Revision: 317335 URL: https://svnweb.freebsd.org/changeset/base/317335 Log: MFC r317186 pf: Fix possible incorrect IPv6 fragmentation When forwarding pf tracks the size of the largest fragment in a fragmented packet, and refragments

svn commit: r317282 - head/sys/netinet6

2017-04-22 Thread Kristof Provost
Author: kp Date: Sat Apr 22 13:04:36 2017 New Revision: 317282 URL: https://svnweb.freebsd.org/changeset/base/317282 Log: Rename variable for clarity Rename the mtu variable in ip6_fragment(), because mtu is misleading. The variable actually holds the fragment length. No functional

svn commit: r317186 - in head/sys: netinet6 netpfil/pf

2017-04-20 Thread Kristof Provost
Author: kp Date: Thu Apr 20 09:05:53 2017 New Revision: 317186 URL: https://svnweb.freebsd.org/changeset/base/317186 Log: pf: Fix possible incorrect IPv6 fragmentation When forwarding pf tracks the size of the largest fragment in a fragmented packet, and refragments based on this size.

svn commit: r317102 - head/sys/netpfil/pf

2017-04-18 Thread Kristof Provost
Author: kp Date: Tue Apr 18 20:07:21 2017 New Revision: 317102 URL: https://svnweb.freebsd.org/changeset/base/317102 Log: pf: Also clear limit counters The "pfctl -F info" command didn't clear the limit counters ( as shown in the "pfctl -vsi" output). Submitted by: Max

svn commit: r316641 - stable/10/sys/netpfil/pf

2017-04-08 Thread Kristof Provost
Author: kp Date: Sat Apr 8 09:49:21 2017 New Revision: 316641 URL: https://svnweb.freebsd.org/changeset/base/316641 Log: MFC r316355 pf: Fix leak of pf_state_keys If we hit the state limit we returned from pf_create_state() without cleaning up. PR: 217997 Submitted

svn commit: r316640 - stable/11/sys/netpfil/pf

2017-04-08 Thread Kristof Provost
Author: kp Date: Sat Apr 8 09:48:21 2017 New Revision: 316640 URL: https://svnweb.freebsd.org/changeset/base/316640 Log: MFC r316355 pf: Fix leak of pf_state_keys If we hit the state limit we returned from pf_create_state() without cleaning up. PR: 217997 Submitted

svn commit: r316355 - head/sys/netpfil/pf

2017-04-01 Thread Kristof Provost
Author: kp Date: Sat Apr 1 12:22:34 2017 New Revision: 316355 URL: https://svnweb.freebsd.org/changeset/base/316355 Log: pf: Fix leak of pf_state_keys If we hit the state limit we returned from pf_create_state() without cleaning up. PR: 217997 Submitted by: Max

svn commit: r316000 - stable/10/sys/netpfil/pf

2017-03-26 Thread Kristof Provost
Author: kp Date: Sun Mar 26 18:12:50 2017 New Revision: 316000 URL: https://svnweb.freebsd.org/changeset/base/316000 Log: MFC 315529 pf: Fix rule evaluation after inet6 route-to In pf_route6() we re-run the ruleset with PF_FWD if the packet goes out of a different interface.

svn commit: r315999 - stable/11/sys/netpfil/pf

2017-03-26 Thread Kristof Provost
Author: kp Date: Sun Mar 26 18:11:40 2017 New Revision: 315999 URL: https://svnweb.freebsd.org/changeset/base/315999 Log: MFC 315529 pf: Fix rule evaluation after inet6 route-to In pf_route6() we re-run the ruleset with PF_FWD if the packet goes out of a different interface.

svn commit: r315741 - in head/sys: net netpfil/pf

2017-03-22 Thread Kristof Provost
Author: kp Date: Wed Mar 22 21:18:18 2017 New Revision: 315741 URL: https://svnweb.freebsd.org/changeset/base/315741 Log: pf: Fix possible shutdown race Prevent possible races in the pf_unload() / pf_purge_thread() shutdown code. Lock the pf_purge_thread() with the new pf_end_lock to

svn commit: r315529 - head/sys/netpfil/pf

2017-03-18 Thread Kristof Provost
Author: kp Date: Sun Mar 19 03:06:09 2017 New Revision: 315529 URL: https://svnweb.freebsd.org/changeset/base/315529 Log: pf: Fix rule evaluation after inet6 route-to In pf_route6() we re-run the ruleset with PF_FWD if the packet goes out of a different interface. pf_test6() needs to

svn commit: r315469 - head/sys/netpfil/pf

2017-03-17 Thread Kristof Provost
Author: kp Date: Sat Mar 18 01:37:20 2017 New Revision: 315469 URL: https://svnweb.freebsd.org/changeset/base/315469 Log: pf: Fix memory leak on vnet shutdown or unload Rules are unlinked in shutdown_pf(), so we must call pf_unload_vnet_purge(), which frees unlinked rules, after that,

Re: svn commit: r315136 - head/sys/netpfil/pf

2017-03-15 Thread Kristof Provost
On 15 Mar 2017, at 15:45, John Baldwin wrote: You are ignoring interrupts and preemption. Suppose you get an interrupt after 'wakeup_one(pf_purge_thread)' and before 'tsleep(..., 0)' in pf_unload(). If the interrupt preempts and results in the purge thread running and issuing its wakeup

Re: svn commit: r315136 - head/sys/netpfil/pf

2017-03-14 Thread Kristof Provost
On 15 Mar 2017, at 6:57, Gleb Smirnoff wrote: On Sun, Mar 12, 2017 at 05:42:57AM +, Kristof Provost wrote: K> Log: K> pf: Fix incorrect rw_sleep() in pf_unload() K> K> When we unload we don't hold the pf_rules_lock, so we cannot call rw_sleep() K> with it, because i

svn commit: r315136 - head/sys/netpfil/pf

2017-03-11 Thread Kristof Provost
Author: kp Date: Sun Mar 12 05:42:57 2017 New Revision: 315136 URL: https://svnweb.freebsd.org/changeset/base/315136 Log: pf: Fix incorrect rw_sleep() in pf_unload() When we unload we don't hold the pf_rules_lock, so we cannot call rw_sleep() with it, because it would release a lock we

svn commit: r315131 - head/sys/netpfil/pf

2017-03-11 Thread Kristof Provost
Author: kp Date: Sun Mar 12 05:00:04 2017 New Revision: 315131 URL: https://svnweb.freebsd.org/changeset/base/315131 Log: pf: Do not lose the VNET lock when ending the purge thread When the pf_purge_thread() exits it must make sure to release the VNET_LIST_RLOCK it still holds.

svn commit: r314941 - stable/11

2017-03-08 Thread Kristof Provost
Author: kp Date: Thu Mar 9 03:21:41 2017 New Revision: 314941 URL: https://svnweb.freebsd.org/changeset/base/314941 Log: MFC r314810: pf: Fix a crash in low-memory situations (Merge-tracking only. This was mistakenly committed directly to stable/11 in r314702) Modified: Directory

svn commit: r314940 - stable/10/sys/netpfil/pf

2017-03-08 Thread Kristof Provost
Author: kp Date: Thu Mar 9 03:20:20 2017 New Revision: 314940 URL: https://svnweb.freebsd.org/changeset/base/314940 Log: MFC r314810: pf: Fix a crash in low-memory situations If the call to pf_state_key_clone() in pf_get_translation() fails (i.e. there's no more memory for it) it

Re: svn commit: r314702 - stable/11/sys/netpfil/pf

2017-03-06 Thread Kristof Provost
for the fix. Very likely this is my mistake back from 2012. On Sun, Mar 05, 2017 at 01:14:18PM +, Kristof Provost wrote: K> Author: kp K> Date: Sun Mar 5 13:14:18 2017 K> New Revision: 314702 K> URL: https://svnweb.freebsd.org/changeset/base/314702 K> K> Log: K> p

svn commit: r314810 - head/sys/netpfil/pf

2017-03-06 Thread Kristof Provost
Author: kp Date: Mon Mar 6 23:41:23 2017 New Revision: 314810 URL: https://svnweb.freebsd.org/changeset/base/314810 Log: pf: Fix a crash in low-memory situations If the call to pf_state_key_clone() in pf_get_translation() fails (i.e. there's no more memory for it) it frees skp. This is

svn commit: r314702 - stable/11/sys/netpfil/pf

2017-03-05 Thread Kristof Provost
Author: kp Date: Sun Mar 5 13:14:18 2017 New Revision: 314702 URL: https://svnweb.freebsd.org/changeset/base/314702 Log: pf: Fix a crash in low-memory situations If the call to pf_state_key_clone() in pf_get_translation() fails (i.e. there's no more memory for it) it frees skp. This is

svn commit: r313066 - stable/10/sys/net

2017-02-01 Thread Kristof Provost
Author: kp Date: Wed Feb 1 21:44:50 2017 New Revision: 313066 URL: https://svnweb.freebsd.org/changeset/base/313066 Log: MFC 312782 bridge: Release the bridge lock when calling bridge_set_ifcap() This calls ioctl() handlers for the different interfaces in the bridge. These handlers

svn commit: r313050 - stable/11/sys/net

2017-02-01 Thread Kristof Provost
Author: kp Date: Wed Feb 1 20:27:38 2017 New Revision: 313050 URL: https://svnweb.freebsd.org/changeset/base/313050 Log: MFC 312782 bridge: Release the bridge lock when calling bridge_set_ifcap() This calls ioctl() handlers for the different interfaces in the bridge. These handlers

svn commit: r312782 - head/sys/net

2017-01-25 Thread Kristof Provost
Author: kp Date: Wed Jan 25 21:25:26 2017 New Revision: 312782 URL: https://svnweb.freebsd.org/changeset/base/312782 Log: bridge: Release the bridge lock when calling bridge_set_ifcap() This calls ioctl() handlers for the different interfaces in the bridge. These handlers expect to get

svn commit: r312224 - head/sys/dev/etherswitch/arswitch

2017-01-15 Thread Kristof Provost
Author: kp Date: Sun Jan 15 10:21:25 2017 New Revision: 312224 URL: https://svnweb.freebsd.org/changeset/base/312224 Log: arswitch: Ensure the lock is always held when calling arswitch_modifyreg() arswitch_setled() and a number of _global_setup functions did not acquire the lock before

svn commit: r310094 - stable/10/sys/netpfil/pf

2016-12-14 Thread Kristof Provost
Author: kp Date: Wed Dec 14 21:30:35 2016 New Revision: 310094 URL: https://svnweb.freebsd.org/changeset/base/310094 Log: MFC r309563: pflog: Correctly initialise subrulenr subrulenr is considered unset if it's set to -1, not if it's set to 1. See contrib/tcpdump/print-pflog.c

svn commit: r310093 - stable/11/sys/netpfil/pf

2016-12-14 Thread Kristof Provost
Author: kp Date: Wed Dec 14 21:29:12 2016 New Revision: 310093 URL: https://svnweb.freebsd.org/changeset/base/310093 Log: MFC r309563: pflog: Correctly initialise subrulenr subrulenr is considered unset if it's set to -1, not if it's set to 1. See contrib/tcpdump/print-pflog.c

svn commit: r309563 - head/sys/netpfil/pf

2016-12-05 Thread Kristof Provost
Author: kp Date: Mon Dec 5 21:52:10 2016 New Revision: 309563 URL: https://svnweb.freebsd.org/changeset/base/309563 Log: pflog: Correctly initialise subrulenr subrulenr is considered unset if it's set to -1, not if it's set to 1. See contrib/tcpdump/print-pflog.c pflog_print() for a

svn commit: r308486 - head/sbin/pfctl

2016-11-10 Thread Kristof Provost
Author: kp Date: Thu Nov 10 18:41:43 2016 New Revision: 308486 URL: https://svnweb.freebsd.org/changeset/base/308486 Log: pfctl: fix nested inline anchors Import the OpenBSD fix for nested inline anchors. PR: 196314 Submitted by: kri...@cflinux.hu Obtained from:

Re: svn commit: r307235 - in head: sbin/pfctl share/man/man5 sys/netpfil/pf

2016-10-14 Thread Kristof Provost
This work was done by franco_opnsense.org I forgot to credit him in the commit message. Sorry Franco. Regards, Kristof On 13 Oct 2016, at 22:34, Kristof Provost wrote: Author: kp Date: Thu Oct 13 20:34:44 2016 New Revision: 307235 URL: https://svnweb.freebsd.org/changeset/base/307235 Log

svn commit: r307235 - in head: sbin/pfctl share/man/man5 sys/netpfil/pf

2016-10-13 Thread Kristof Provost
Author: kp Date: Thu Oct 13 20:34:44 2016 New Revision: 307235 URL: https://svnweb.freebsd.org/changeset/base/307235 Log: pf: port extended DSCP support from OpenBSD Ignore the ECN bits on 'tos' and 'set-tos' and allow to use DSCP names instead of having to embed their TOS equivalents

svn commit: r306684 - in head: sbin/pfctl share/man/man5 sys/netpfil/pf

2016-10-04 Thread Kristof Provost
Author: kp Date: Tue Oct 4 19:35:14 2016 New Revision: 306684 URL: https://svnweb.freebsd.org/changeset/base/306684 Log: pf: remove fastroute tag The tag fastroute came from ipf and was removed in OpenBSD in 2011. The code allows to skip the in pfil hooks and completely removes the out

svn commit: r306594 - stable/10/sys/net

2016-10-02 Thread Kristof Provost
Author: kp Date: Sun Oct 2 21:11:25 2016 New Revision: 306594 URL: https://svnweb.freebsd.org/changeset/base/306594 Log: MFC r306289: bridge: Fix fragment handling and memory leak Fragmented UDP and ICMP packets were corrupted if a firewall with reassembling feature (like pf'scrub)

svn commit: r306593 - stable/11/sys/net

2016-10-02 Thread Kristof Provost
Author: kp Date: Sun Oct 2 21:06:55 2016 New Revision: 306593 URL: https://svnweb.freebsd.org/changeset/base/306593 Log: MFC r306289: bridge: Fix fragment handling and memory leak Fragmented UDP and ICMP packets were corrupted if a firewall with reassembling feature (like pf'scrub)

Re: svn commit: r306289 - head/sys/net

2016-09-26 Thread Kristof Provost
On 26 Sep 2016, at 15:28, Renato Botelho wrote: > > On 24 Sep 2016, at 04:09, Kristof Provost <k...@freebsd.org> wrote: >> Author: kp >> Date: Sat Sep 24 07:09:43 2016 >> New Revision: 306289 >> URL: https://svnweb.freebsd.org/changeset/base/306289 >>

svn commit: r306289 - head/sys/net

2016-09-24 Thread Kristof Provost
Author: kp Date: Sat Sep 24 07:09:43 2016 New Revision: 306289 URL: https://svnweb.freebsd.org/changeset/base/306289 Log: bridge: Fix fragment handling and memory leak Fragmented UDP and ICMP packets were corrupted if a firewall with reassembling feature (like pf'scrub) is enabled on the

svn commit: r305395 - in head: lib/libifconfig share/examples/libifconfig

2016-09-04 Thread Kristof Provost
Author: kp Date: Sun Sep 4 20:55:27 2016 New Revision: 305395 URL: https://svnweb.freebsd.org/changeset/base/305395 Log: libifconfig: style(9) fixes Also switch from BSD 3-clause to 2-clause license where possible, and consolidate duplicate 3-clause license into one. Submitted by:

svn commit: r305290 - in head: lib lib/libifc lib/libifconfig share/examples/libifc share/examples/libifconfig share/mk

2016-09-02 Thread Kristof Provost
Author: kp Date: Fri Sep 2 18:33:08 2016 New Revision: 305290 URL: https://svnweb.freebsd.org/changeset/base/305290 Log: Renaming libifc to libifconfig in response to feedback on initial commit of this library. Sticking to 'libifconfig' (and 'ifconfig_' as function prefix) should reduce

Re: svn commit: r304815 - in head: lib lib/libifc share/examples/libifc share/mk

2016-08-25 Thread Kristof Provost
On 25 Aug 2016, at 22:14, John Baldwin wrote: On Thursday, August 25, 2016 07:40:25 PM Kristof Provost wrote: Author: kp Date: Thu Aug 25 19:40:25 2016 New Revision: 304815 URL: https://svnweb.freebsd.org/changeset/base/304815 Log: Add libifc, a library implementing core functionality

svn commit: r304815 - in head: lib lib/libifc share/examples/libifc share/mk

2016-08-25 Thread Kristof Provost
Author: kp Date: Thu Aug 25 19:40:25 2016 New Revision: 304815 URL: https://svnweb.freebsd.org/changeset/base/304815 Log: Add libifc, a library implementing core functionality that exists in ifconfig(8) today. libifc (pronounced lib-ifconfig) aims to be a light abstraction layer between

svn commit: r304466 - stable/9/sys/contrib/pf/net

2016-08-19 Thread Kristof Provost
Author: kp Date: Fri Aug 19 13:39:36 2016 New Revision: 304466 URL: https://svnweb.freebsd.org/changeset/base/304466 Log: MFC r304152: pf: Add missing byte-order swap to pf_match_addr_range Without this, rules using address ranges (e.g. "10.1.1.1 - 10.1.1.5") did not match addresses

svn commit: r304463 - stable/10/sys/netpfil/pf

2016-08-19 Thread Kristof Provost
Author: kp Date: Fri Aug 19 11:36:00 2016 New Revision: 304463 URL: https://svnweb.freebsd.org/changeset/base/304463 Log: MFC r304152: pf: Add missing byte-order swap to pf_match_addr_range Without this, rules using address ranges (e.g. "10.1.1.1 - 10.1.1.5") did not match addresses

svn commit: r304462 - stable/11/sys/netpfil/pf

2016-08-19 Thread Kristof Provost
Author: kp Date: Fri Aug 19 11:31:30 2016 New Revision: 304462 URL: https://svnweb.freebsd.org/changeset/base/304462 Log: MFC r304152: pf: Add missing byte-order swap to pf_match_addr_range Without this, rules using address ranges (e.g. "10.1.1.1 - 10.1.1.5") did not match addresses

svn commit: r304293 - stable/10/sys/net

2016-08-17 Thread Kristof Provost
Author: kp Date: Wed Aug 17 15:14:21 2016 New Revision: 304293 URL: https://svnweb.freebsd.org/changeset/base/304293 Log: MFC r289932, r289940: PF_ANEQ() macro will in most situations return TRUE comparing two identical IPv4 packets (when it should return FALSE). It happens because

svn commit: r304283 - stable/10/sys/netpfil/pf

2016-08-17 Thread Kristof Provost
Author: kp Date: Wed Aug 17 09:24:46 2016 New Revision: 304283 URL: https://svnweb.freebsd.org/changeset/base/304283 Log: MFC r302497: pf: Map hook returns onto the correct error values pf returns PF_PASS, PF_DROP, ... in the netpfil hooks, but the hook callers expect to get E error

svn commit: r304282 - stable/11/sys/netpfil/pf

2016-08-17 Thread Kristof Provost
Author: kp Date: Wed Aug 17 09:23:40 2016 New Revision: 304282 URL: https://svnweb.freebsd.org/changeset/base/304282 Log: MFC r302497: pf: Map hook returns onto the correct error values pf returns PF_PASS, PF_DROP, ... in the netpfil hooks, but the hook callers expect to get E error

svn commit: r304281 - stable/10/sbin/pfctl

2016-08-17 Thread Kristof Provost
Author: kp Date: Wed Aug 17 09:21:55 2016 New Revision: 304281 URL: https://svnweb.freebsd.org/changeset/base/304281 Log: MFC r303663: pfctl: Allow TOS bits to be cleared TOS value 0 is valid, so use 256 as an invalid value rather than zero. This allows users to enforce TOS == 0
