On 7 Jan 2018, at 15:44, Konstantin Belousov wrote:
On Sun, Jan 07, 2018 at 01:35:15PM +, Kristof Provost wrote:
Author: kp
Date: Sun Jan 7 13:35:15 2018
New Revision: 327675
URL: https://svnweb.freebsd.org/changeset/base/327675
Log:
pf: Avoid integer overflow issues by using
Author: kp
Date: Sun Jan 7 13:41:06 2018
New Revision: 327677
URL: https://svnweb.freebsd.org/changeset/base/327677
Log:
vchiq: Use mallocarray() to provide kcalloc()
This means we now also provide integer overflow protection, like the
Linux kcalloc().
Modified:
Author: kp
Date: Sun Jan 7 13:39:12 2018
New Revision: 327676
URL: https://svnweb.freebsd.org/changeset/base/327676
Log:
linuxkpi: Implement kcalloc() based on mallocarray()
This means we now get integer overflow protection, which Linux code
might expect as it is also provided by
Author: kp
Date: Sun Jan 7 13:35:15 2018
New Revision: 327675
URL: https://svnweb.freebsd.org/changeset/base/327675
Log:
pf: Avoid integer overflow issues by using mallocarray() iso. malloc()
pfioctl() handles several ioctls that take variable length input, these
include:
-
Author: kp
Date: Sun Jan 7 13:21:01 2018
New Revision: 327674
URL: https://svnweb.freebsd.org/changeset/base/327674
Log:
Introduce mallocarray() in the kernel
Similar to calloc() the mallocarray() function checks for integer
overflows before allocating memory.
It does not zero memory,
Author: kp
Date: Sun Dec 31 16:18:13 2017
New Revision: 327434
URL: https://svnweb.freebsd.org/changeset/base/327434
Log:
pf: Allow the module to be unloaded
pf can now be safely unloaded. Most of this code is exercised on vnet
jail shutdown.
Don't block unloading.
Modified:
On 28 Dec 2017, at 5:33, Warner Losh wrote:
> Author: imp
> Date: Thu Dec 28 05:33:54 2017
> New Revision: 327270
> URL: https://svnweb.freebsd.org/changeset/base/327270
>
> Log:
> Free path before returning.
>
> CID: 977827
>
Thanks!
Kristof
Author: kp
Date: Sun Dec 31 10:01:31 2017
New Revision: 327433
URL: https://svnweb.freebsd.org/changeset/base/327433
Log:
pf: Clean all fragments on shutdown
When pf is unloaded, or a vnet jail using pf is stopped we need to
ensure we clean up all fragments, not just the expired ones.
On 3 Dec 2017, at 19:20, Alan Somers wrote:
> On Sun, Dec 3, 2017 at 6:52 AM, Kristof Provost <k...@freebsd.org> wrote:
>
>> Author: kp
>> Date: Sun Dec 3 13:52:35 2017
>> New Revision: 326497
>> URL: https://svnweb.freebsd.org/changeset/base/326497
>>
Author: kp
Date: Sun Dec 3 18:35:07 2017
New Revision: 326500
URL: https://svnweb.freebsd.org/changeset/base/326500
Log:
tests: ipsec: Don't load/unload aesni.ko in the test header
We can't kldunload in the test head as Kyua interprets any output from
them. This would lead to syntax
Author: kp
Date: Sun Dec 3 13:52:35 2017
New Revision: 326497
URL: https://svnweb.freebsd.org/changeset/base/326497
Log:
Add IPSec tests in tunnel mode
Some IPSec in tunnel mode allowing to test multiple IPSec
configurations. These tests are reusing the jail/vnet scripts from pf
Author: kp
Date: Thu Nov 30 21:38:09 2017
New Revision: 326415
URL: https://svnweb.freebsd.org/changeset/base/326415
Log:
MFC r320696: Allow ipsec to run in vnet jails
ipsec is usable in vnet jails, so allow it to run there.
PR: 211364
Submitted by: Matthias Meyser
Author: kp
Date: Thu Nov 30 21:32:28 2017
New Revision: 326414
URL: https://svnweb.freebsd.org/changeset/base/326414
Log:
MFC r325850: pfctl: teach route-to to deal with interfaces with multiple
addresses
The route_host parsing code set the interface name, but only for the first
Author: kp
Date: Thu Nov 30 21:21:22 2017
New Revision: 326413
URL: https://svnweb.freebsd.org/changeset/base/326413
Log:
MFC r325850: pfctl: teach route-to to deal with interfaces with multiple
addresses
The route_host parsing code set the interface name, but only for the first
Author: kp
Date: Wed Nov 15 12:27:02 2017
New Revision: 325850
URL: https://svnweb.freebsd.org/changeset/base/325850
Log:
pfctl: teach route-to to deal with interfaces with multiple addresses
The route_host parsing code set the interface name, but only for the first
node_host in the
On 16 Oct 2017, at 15:01, Andriy Voskoboinyk wrote:
Author: avos
Date: Mon Oct 16 07:01:27 2017
New Revision: 324657
URL: https://svnweb.freebsd.org/changeset/base/324657
Log:
wlandebug(8): obtain original interface name via
ifconfig_get_orig_name()
Modified:
Author: kp
Date: Wed Nov 1 14:27:26 2017
New Revision: 325283
URL: https://svnweb.freebsd.org/changeset/base/325283
Log:
epair: Fix panic on unload
The VNET_SYSUNINIT() callback is executed after the MOD_UNLOAD. That means
that netisr_unregister() has already been called when
Author: kp
Date: Wed Nov 1 13:54:16 2017
New Revision: 325282
URL: https://svnweb.freebsd.org/changeset/base/325282
Log:
MFC r324996:
Evaluate packet size after the firewall had its chance in the ip6 fast path
Defer the packet size check until after the firewall has had a look at it.
Author: kp
Date: Thu Oct 26 20:55:33 2017
New Revision: 325022
URL: https://svnweb.freebsd.org/changeset/base/325022
Log:
pf tests: Remove temporary files
Remove the created_jails.lst and created_interfaces.lst files in the
cleanup code.
Modified:
head/tests/sys/netpfil/pf/utils.subr
Author: kp
Date: Thu Oct 26 20:54:52 2017
New Revision: 325021
URL: https://svnweb.freebsd.org/changeset/base/325021
Log:
pf tests: Fragmentation (v6) test
Test fragmentation handling (i.e. scrub fragment reassemble) code for
IPv6.
Two simple tests: Ping a host (jail) and test
Author: kp
Date: Thu Oct 26 20:53:56 2017
New Revision: 325020
URL: https://svnweb.freebsd.org/changeset/base/325020
Log:
pf tests: destroy jails before destroying interfaces
When cleaning up we must destroy the jails before we destroy the interfaces.
Otherwise we might try to destroy
Author: kp
Date: Wed Oct 25 19:21:48 2017
New Revision: 324996
URL: https://svnweb.freebsd.org/changeset/base/324996
Log:
Evaluate packet size after the firewall had its chance in the ip6 fast path
Defer the packet size check until after the firewall has had a look at it.
This means
Author: kp
Date: Mon Oct 16 15:05:32 2017
New Revision: 324664
URL: https://svnweb.freebsd.org/changeset/base/324664
Log:
pf tests: Use pft_set_rules everywhere
We now have a utility function to set pf rules in the jail. Use it
whenever we need to set the pf rules in the test jail.
Author: kp
Date: Mon Oct 16 15:03:45 2017
New Revision: 324663
URL: https://svnweb.freebsd.org/changeset/base/324663
Log:
pf tests: Basic IPv6 forwarding tests
Pass/block packets in the forwarding path with pf.
Introduce the pft_set_rules() helper function, because we need to
Author: kp
Date: Mon Oct 16 15:01:49 2017
New Revision: 324662
URL: https://svnweb.freebsd.org/changeset/base/324662
Log:
pf: test set-tos
Introduce tests for the set-tos feature of pf. Teach pft_ping.py to send
and verify ToS flags.
Added:
head/tests/sys/netpfil/pf/set_tos.sh
Author: kp
Date: Fri Oct 13 20:29:35 2017
New Revision: 324608
URL: https://svnweb.freebsd.org/changeset/base/324608
Log:
Regenerate usb.conf
Modified:
head/etc/devd/usb.conf
Modified: head/etc/devd/usb.conf
==
---
Author: kp
Date: Fri Oct 13 19:41:35 2017
New Revision: 324607
URL: https://svnweb.freebsd.org/changeset/base/324607
Log:
Support the D-Link DWM-222 LTE Dongle
Submitted by: Daniel Hänschke
Modified:
head/sys/dev/usb/serial/u3g.c
head/sys/dev/usb/usbdevs
Author: kp
Date: Fri Oct 6 20:51:32 2017
New Revision: 324376
URL: https://svnweb.freebsd.org/changeset/base/324376
Log:
pf: Very basic forwarding test
This test illustrates the use of scapy to test pf.
Differential Revision: https://reviews.freebsd.org/D12581
Added:
Author: kp
Date: Fri Oct 6 20:43:14 2017
New Revision: 324375
URL: https://svnweb.freebsd.org/changeset/base/324375
Log:
pf: Basic automated test using VIMAGE
If VIMAGE is present we can start jails with their own pf instance. This
makes it fairly easy to run tests.
For example, this
Author: kp
Date: Sat Sep 30 10:16:15 2017
New Revision: 324116
URL: https://svnweb.freebsd.org/changeset/base/324116
Log:
MFC r323864
bridge: Set module version
This ensures that the loader will not load the module if it's also built in to
the kernel.
PR: 220860
Author: kp
Date: Sat Sep 30 10:15:04 2017
New Revision: 324115
URL: https://svnweb.freebsd.org/changeset/base/324115
Log:
MFC r323864
bridge: Set module version
This ensures that the loader will not load the module if it's also built in to
the kernel.
PR: 220860
Author: kp
Date: Thu Sep 21 14:14:01 2017
New Revision: 323864
URL: https://svnweb.freebsd.org/changeset/base/323864
Log:
bridge: Set module version
This ensures that the loader will not load the module if it's also built in to
the kernel.
PR: 220860
Submitted by: Eugene
Author: kp
Date: Wed Aug 30 21:18:56 2017
New Revision: 323034
URL: https://svnweb.freebsd.org/changeset/base/323034
Log:
MFC r322590: bpf: Fix incorrect cleanup
Cleaning up a bpf_if is a two stage process. We first move it to the
bpf_freelist (in bpfdetach()) and only later do we
Author: kp
Date: Wed Aug 16 19:52:31 2017
New Revision: 322591
URL: https://svnweb.freebsd.org/changeset/base/322591
Log:
MFC r322280:
pf_get_sport(): Prevent possible endless loop when searching for an unused
nat port
This is an import of Alexander Bluhm's OpenBSD commit r1.60,
the
Author: kp
Date: Wed Aug 16 19:40:07 2017
New Revision: 322590
URL: https://svnweb.freebsd.org/changeset/base/322590
Log:
bpf: Fix incorrect cleanup
Cleaning up a bpf_if is a two stage process. We first move it to the
bpf_freelist (in bpfdetach()) and only later do we actually free it
Author: kp
Date: Tue Aug 8 21:09:26 2017
New Revision: 322280
URL: https://svnweb.freebsd.org/changeset/base/322280
Log:
pf_get_sport(): Prevent possible endless loop when searching for an unused
nat port
This is an import of Alexander Bluhm's OpenBSD commit r1.60,
the first chunk had
/10 Jean-Yves Lefort <jylef...@freebsd.org> born in Charleroi, Belgium, 1980
01/12 Yen-Ming Lee <le...@freebsd.org> born in Taipei, Taiwan, Republic of
China, 1977
01/12 Ying-Chieh Liao <ijl...@freebsd.org> born in Taipei, Taiwan, Republic
of China, 1979
+01/12
Author: kp
Date: Sat Jul 29 17:30:25 2017
New Revision: 321687
URL: https://svnweb.freebsd.org/changeset/base/321687
Log:
MFC r321370
Handle WITH/WITHOUT_PF in libsysdecode
Only filter out the PF ioctls if we're building without pf support.
Until now those were always filtered out,
On 29 Jul 2017, at 17:20, Harry Schmalzbauer wrote:
Regarding Kristof Provost's message of 08.07.2017 11:28 (localtime):
Author: kp
Date: Sat Jul 8 09:28:31 2017
New Revision: 320802
URL: https://svnweb.freebsd.org/changeset/base/320802
Log:
Allow more services to run in vnet jails
Do
Author: kp
Date: Sat Jul 29 09:22:48 2017
New Revision: 321679
URL: https://svnweb.freebsd.org/changeset/base/321679
Log:
vtnet: Support jumbo frames without TSO/GSO
Currently in Virtio driver without TSO/GSO features enabled, the max scatter
gather segments for the TX path can be 4,
On 22 Jul 2017, at 17:42, Ngie Cooper (yaneurabeya) wrote:
> On Jul 22, 2017, at 5:51 AM, Kristof Provost <k...@freebsd.org> wrote:
Author: kp
Date: Sat Jul 22 12:51:19 2017
New Revision: 321370
URL: https://svnweb.freebsd.org/changeset/base/321370
Log:
Handle WITH/WITHOUT_PF in lib
Author: kp
Date: Sat Jul 22 12:51:19 2017
New Revision: 321370
URL: https://svnweb.freebsd.org/changeset/base/321370
Log:
Handle WITH/WITHOUT_PF in libsysdecode
Only filter out the PF ioctls if we're building without pf support.
Until now those were always filtered out, so truss did not
Author: kp
Date: Thu Jul 20 17:15:18 2017
New Revision: 321296
URL: https://svnweb.freebsd.org/changeset/base/321296
Log:
MFC r312943
Do not run the pf purge thread while the VNET variables are not
initialized, this can cause a divide by zero (if the VNET initialization
takes too long
Author: kp
Date: Sat Jul 15 19:22:01 2017
New Revision: 321030
URL: https://svnweb.freebsd.org/changeset/base/321030
Log:
pfctl parser tests
Copy the most important test cases from OpenBSD's corresponding
src/regress/sbin/pfctl, those that run pfctl on a test input file and check
Author: kp
Date: Sun Jul 9 17:56:39 2017
New Revision: 320848
URL: https://svnweb.freebsd.org/changeset/base/320848
Log:
pf: Fix vnet purging
pf_purge_thread() breaks up the work of iterating all states (in
pf_purge_expired_states()) and tracks progress in the idx variable.
If
Author: kp
Date: Sat Jul 8 09:28:31 2017
New Revision: 320802
URL: https://svnweb.freebsd.org/changeset/base/320802
Log:
Allow more services to run in vnet jails
After some tests, here are the services that run into a vnet jail:
- defaultroute
- dhclient
- ip6addrctl
-
Author: kp
Date: Wed Jul 5 20:00:58 2017
New Revision: 320696
URL: https://svnweb.freebsd.org/changeset/base/320696
Log:
Allow ipsec to run in vnet jails
ipsec is usable in vnet jails, so allow it to run there.
PR: 211364
Submitted by: Matthias Meyser
Modified:
Author: kp
Date: Mon Jul 3 20:36:58 2017
New Revision: 320618
URL: https://svnweb.freebsd.org/changeset/base/320618
Log:
Allow rtadvd and bsnmpd to run in vnet jails
Both of these tools are usable in vnet jails, so allow them to run there.
PR: 220431, 220432
Submitted by:
On 11 May 2017, at 11:05, Kristof Provost wrote:
On 11 May 2017, at 3:43, Ravi Pokala wrote:
Author: rpokala
Date: Wed May 10 22:13:47 2017
New Revision: 318160
URL: https://svnweb.freebsd.org/changeset/base/318160
Log:
Persistently store NIC's hardware MAC address, and add a way to
retrieve
On 11 May 2017, at 3:43, Ravi Pokala wrote:
Author: rpokala
Date: Wed May 10 22:13:47 2017
New Revision: 318160
URL: https://svnweb.freebsd.org/changeset/base/318160
Log:
Persistently store NIC's hardware MAC address, and add a way to
retrieve it
Modified: head/sys/net/if_ethersubr.c
Author: kp
Date: Sun May 7 14:33:58 2017
New Revision: 317907
URL: https://svnweb.freebsd.org/changeset/base/317907
Log:
pf: Fix vnet initialisation
When running the vnet init code (pf_load_vnet()) we used to iterate over
all vnets, marking them as unhooked.
This is incorrect and
Author: kp
Date: Wed May 3 20:56:54 2017
New Revision: 317773
URL: https://svnweb.freebsd.org/changeset/base/317773
Log:
pf: Fix panic on unload
vnet_pf_uninit() is called through vnet_deregister_sysuninit() and
linker_file_unload() when the pf module is unloaded. This is executed
Author: kp
Date: Sun Apr 23 08:58:50 2017
New Revision: 317333
URL: https://svnweb.freebsd.org/changeset/base/317333
Log:
MFC r317186
pf: Fix possible incorrect IPv6 fragmentation
When forwarding pf tracks the size of the largest fragment in a fragmented
packet, and refragments
Author: kp
Date: Sun Apr 23 08:59:57 2017
New Revision: 317335
URL: https://svnweb.freebsd.org/changeset/base/317335
Log:
MFC r317186
pf: Fix possible incorrect IPv6 fragmentation
When forwarding pf tracks the size of the largest fragment in a fragmented
packet, and refragments
Author: kp
Date: Sat Apr 22 13:04:36 2017
New Revision: 317282
URL: https://svnweb.freebsd.org/changeset/base/317282
Log:
Rename variable for clarity
Rename the mtu variable in ip6_fragment(), because mtu is misleading. The
variable actually holds the fragment length.
No functional
Author: kp
Date: Thu Apr 20 09:05:53 2017
New Revision: 317186
URL: https://svnweb.freebsd.org/changeset/base/317186
Log:
pf: Fix possible incorrect IPv6 fragmentation
When forwarding pf tracks the size of the largest fragment in a fragmented
packet, and refragments based on this size.
Author: kp
Date: Tue Apr 18 20:07:21 2017
New Revision: 317102
URL: https://svnweb.freebsd.org/changeset/base/317102
Log:
pf: Also clear limit counters
The "pfctl -F info" command didn't clear the limit counters (as shown in the
"pfctl -vsi" output).
Submitted by: Max
Author: kp
Date: Sat Apr 8 09:49:21 2017
New Revision: 316641
URL: https://svnweb.freebsd.org/changeset/base/316641
Log:
MFC r316355
pf: Fix leak of pf_state_keys
If we hit the state limit we returned from pf_create_state() without cleaning
up.
PR: 217997
Submitted
Author: kp
Date: Sat Apr 8 09:48:21 2017
New Revision: 316640
URL: https://svnweb.freebsd.org/changeset/base/316640
Log:
MFC r316355
pf: Fix leak of pf_state_keys
If we hit the state limit we returned from pf_create_state() without cleaning
up.
PR: 217997
Submitted
Author: kp
Date: Sat Apr 1 12:22:34 2017
New Revision: 316355
URL: https://svnweb.freebsd.org/changeset/base/316355
Log:
pf: Fix leak of pf_state_keys
If we hit the state limit we returned from pf_create_state() without cleaning
up.
PR: 217997
Submitted by: Max
Author: kp
Date: Sun Mar 26 18:12:50 2017
New Revision: 316000
URL: https://svnweb.freebsd.org/changeset/base/316000
Log:
MFC 315529
pf: Fix rule evaluation after inet6 route-to
In pf_route6() we re-run the ruleset with PF_FWD if the packet goes out
of a different interface.
Author: kp
Date: Sun Mar 26 18:11:40 2017
New Revision: 315999
URL: https://svnweb.freebsd.org/changeset/base/315999
Log:
MFC 315529
pf: Fix rule evaluation after inet6 route-to
In pf_route6() we re-run the ruleset with PF_FWD if the packet goes out
of a different interface.
Author: kp
Date: Wed Mar 22 21:18:18 2017
New Revision: 315741
URL: https://svnweb.freebsd.org/changeset/base/315741
Log:
pf: Fix possible shutdown race
Prevent possible races in the pf_unload() / pf_purge_thread() shutdown
code. Lock the pf_purge_thread() with the new pf_end_lock to
Author: kp
Date: Sun Mar 19 03:06:09 2017
New Revision: 315529
URL: https://svnweb.freebsd.org/changeset/base/315529
Log:
pf: Fix rule evaluation after inet6 route-to
In pf_route6() we re-run the ruleset with PF_FWD if the packet goes out
of a different interface. pf_test6() needs to
Author: kp
Date: Sat Mar 18 01:37:20 2017
New Revision: 315469
URL: https://svnweb.freebsd.org/changeset/base/315469
Log:
pf: Fix memory leak on vnet shutdown or unload
Rules are unlinked in shutdown_pf(), so we must call
pf_unload_vnet_purge(), which frees unlinked rules, after that,
On 15 Mar 2017, at 15:45, John Baldwin wrote:
You are ignoring interrupts and preemption. Suppose you get an interrupt
after 'wakeup_one(pf_purge_thread)' and before 'tsleep(..., 0)' in
pf_unload(). If the interrupt preempts and results in the purge thread
running and issuing its wakeup
On 15 Mar 2017, at 6:57, Gleb Smirnoff wrote:
On Sun, Mar 12, 2017 at 05:42:57AM +, Kristof Provost wrote:
K> Log:
K> pf: Fix incorrect rw_sleep() in pf_unload()
K>
K> When we unload we don't hold the pf_rules_lock, so we cannot call rw_sleep()
K> with it, because i
Author: kp
Date: Sun Mar 12 05:42:57 2017
New Revision: 315136
URL: https://svnweb.freebsd.org/changeset/base/315136
Log:
pf: Fix incorrect rw_sleep() in pf_unload()
When we unload we don't hold the pf_rules_lock, so we cannot call rw_sleep()
with it, because it would release a lock we
Author: kp
Date: Sun Mar 12 05:00:04 2017
New Revision: 315131
URL: https://svnweb.freebsd.org/changeset/base/315131
Log:
pf: Do not lose the VNET lock when ending the purge thread
When the pf_purge_thread() exits it must make sure to release the
VNET_LIST_RLOCK it still holds.
Author: kp
Date: Thu Mar 9 03:21:41 2017
New Revision: 314941
URL: https://svnweb.freebsd.org/changeset/base/314941
Log:
MFC r314810:
pf: Fix a crash in low-memory situations
(Merge-tracking only. This was mistakenly committed directly to stable/11 in
r314702)
Modified:
Directory
Author: kp
Date: Thu Mar 9 03:20:20 2017
New Revision: 314940
URL: https://svnweb.freebsd.org/changeset/base/314940
Log:
MFC r314810:
pf: Fix a crash in low-memory situations
If the call to pf_state_key_clone() in pf_get_translation() fails (i.e. there's
no more memory for it) it
for the fix. Very likely this is my mistake back from
2012.
On Sun, Mar 05, 2017 at 01:14:18PM +, Kristof Provost wrote:
K> Author: kp
K> Date: Sun Mar 5 13:14:18 2017
K> New Revision: 314702
K> URL: https://svnweb.freebsd.org/changeset/base/314702
K>
K> Log:
K> p
Author: kp
Date: Mon Mar 6 23:41:23 2017
New Revision: 314810
URL: https://svnweb.freebsd.org/changeset/base/314810
Log:
pf: Fix a crash in low-memory situations
If the call to pf_state_key_clone() in pf_get_translation() fails (i.e. there's
no more memory for it) it frees skp. This is
Author: kp
Date: Sun Mar 5 13:14:18 2017
New Revision: 314702
URL: https://svnweb.freebsd.org/changeset/base/314702
Log:
pf: Fix a crash in low-memory situations
If the call to pf_state_key_clone() in pf_get_translation() fails (i.e. there's
no more memory for it) it frees skp. This is
Author: kp
Date: Wed Feb 1 21:44:50 2017
New Revision: 313066
URL: https://svnweb.freebsd.org/changeset/base/313066
Log:
MFC 312782
bridge: Release the bridge lock when calling bridge_set_ifcap()
This calls ioctl() handlers for the different interfaces in the bridge.
These handlers
Author: kp
Date: Wed Feb 1 20:27:38 2017
New Revision: 313050
URL: https://svnweb.freebsd.org/changeset/base/313050
Log:
MFC 312782
bridge: Release the bridge lock when calling bridge_set_ifcap()
This calls ioctl() handlers for the different interfaces in the bridge.
These handlers
Author: kp
Date: Wed Jan 25 21:25:26 2017
New Revision: 312782
URL: https://svnweb.freebsd.org/changeset/base/312782
Log:
bridge: Release the bridge lock when calling bridge_set_ifcap()
This calls ioctl() handlers for the different interfaces in the bridge.
These handlers expect to get
Author: kp
Date: Sun Jan 15 10:21:25 2017
New Revision: 312224
URL: https://svnweb.freebsd.org/changeset/base/312224
Log:
arswitch: Ensure the lock is always held when calling arswitch_modifyreg()
arswitch_setled() and a number of _global_setup functions did not acquire the
lock before
Author: kp
Date: Wed Dec 14 21:30:35 2016
New Revision: 310094
URL: https://svnweb.freebsd.org/changeset/base/310094
Log:
MFC r309563: pflog: Correctly initialise subrulenr
subrulenr is considered unset if it's set to -1, not if it's set to 1.
See contrib/tcpdump/print-pflog.c
Author: kp
Date: Wed Dec 14 21:29:12 2016
New Revision: 310093
URL: https://svnweb.freebsd.org/changeset/base/310093
Log:
MFC r309563: pflog: Correctly initialise subrulenr
subrulenr is considered unset if it's set to -1, not if it's set to 1.
See contrib/tcpdump/print-pflog.c
Author: kp
Date: Mon Dec 5 21:52:10 2016
New Revision: 309563
URL: https://svnweb.freebsd.org/changeset/base/309563
Log:
pflog: Correctly initialise subrulenr
subrulenr is considered unset if it's set to -1, not if it's set to 1.
See contrib/tcpdump/print-pflog.c pflog_print() for a
Author: kp
Date: Thu Nov 10 18:41:43 2016
New Revision: 308486
URL: https://svnweb.freebsd.org/changeset/base/308486
Log:
pfctl: fix nested inline anchors
Import the OpenBSD fix for nested inline anchors.
PR: 196314
Submitted by: kri...@cflinux.hu
Obtained from:
This work was done by franco_opnsense.org
I forgot to credit him in the commit message. Sorry Franco.
Regards,
Kristof
On 13 Oct 2016, at 22:34, Kristof Provost wrote:
Author: kp
Date: Thu Oct 13 20:34:44 2016
New Revision: 307235
URL: https://svnweb.freebsd.org/changeset/base/307235
Log
Author: kp
Date: Thu Oct 13 20:34:44 2016
New Revision: 307235
URL: https://svnweb.freebsd.org/changeset/base/307235
Log:
pf: port extended DSCP support from OpenBSD
Ignore the ECN bits on 'tos' and 'set-tos' and allow to use
DSCP names instead of having to embed their TOS equivalents
Author: kp
Date: Tue Oct 4 19:35:14 2016
New Revision: 306684
URL: https://svnweb.freebsd.org/changeset/base/306684
Log:
pf: remove fastroute tag
The tag fastroute came from ipf and was removed in OpenBSD in 2011. The code
allows to skip the in pfil hooks and completely removes the out
Author: kp
Date: Sun Oct 2 21:11:25 2016
New Revision: 306594
URL: https://svnweb.freebsd.org/changeset/base/306594
Log:
MFC r306289:
bridge: Fix fragment handling and memory leak
Fragmented UDP and ICMP packets were corrupted if a firewall with reassembling
feature (like pf'scrub)
Author: kp
Date: Sun Oct 2 21:06:55 2016
New Revision: 306593
URL: https://svnweb.freebsd.org/changeset/base/306593
Log:
MFC r306289:
bridge: Fix fragment handling and memory leak
Fragmented UDP and ICMP packets were corrupted if a firewall with reassembling
feature (like pf'scrub)
On 26 Sep 2016, at 15:28, Renato Botelho wrote:
> > On 24 Sep 2016, at 04:09, Kristof Provost <k...@freebsd.org> wrote:
>> Author: kp
>> Date: Sat Sep 24 07:09:43 2016
>> New Revision: 306289
>> URL: https://svnweb.freebsd.org/changeset/base/306289
>>
Author: kp
Date: Sat Sep 24 07:09:43 2016
New Revision: 306289
URL: https://svnweb.freebsd.org/changeset/base/306289
Log:
bridge: Fix fragment handling and memory leak
Fragmented UDP and ICMP packets were corrupted if a firewall with reassembling
feature (like pf'scrub) is enabled on the
Author: kp
Date: Sun Sep 4 20:55:27 2016
New Revision: 305395
URL: https://svnweb.freebsd.org/changeset/base/305395
Log:
libifconfig: style(9) fixes
Also switch from BSD 3-clause to 2-clause license where possible, and
consolidate duplicate 3-clause license into one.
Submitted by:
Author: kp
Date: Fri Sep 2 18:33:08 2016
New Revision: 305290
URL: https://svnweb.freebsd.org/changeset/base/305290
Log:
Renaming libifc to libifconfig in response to feedback on initial commit of
this library. Sticking to 'libifconfig' (and 'ifconfig_' as function prefix)
should reduce
On 25 Aug 2016, at 22:14, John Baldwin wrote:
On Thursday, August 25, 2016 07:40:25 PM Kristof Provost wrote:
Author: kp
Date: Thu Aug 25 19:40:25 2016
New Revision: 304815
URL: https://svnweb.freebsd.org/changeset/base/304815
Log:
Add libifc, a library implementing core functionality
Author: kp
Date: Thu Aug 25 19:40:25 2016
New Revision: 304815
URL: https://svnweb.freebsd.org/changeset/base/304815
Log:
Add libifc, a library implementing core functionality that exists in
ifconfig(8) today.
libifc (pronounced lib-ifconfig) aims to be a light abstraction layer between
Author: kp
Date: Fri Aug 19 13:39:36 2016
New Revision: 304466
URL: https://svnweb.freebsd.org/changeset/base/304466
Log:
MFC r304152:
pf: Add missing byte-order swap to pf_match_addr_range
Without this, rules using address ranges (e.g. "10.1.1.1 - 10.1.1.5") did not
match addresses
Author: kp
Date: Fri Aug 19 11:36:00 2016
New Revision: 304463
URL: https://svnweb.freebsd.org/changeset/base/304463
Log:
MFC r304152:
pf: Add missing byte-order swap to pf_match_addr_range
Without this, rules using address ranges (e.g. "10.1.1.1 - 10.1.1.5") did not
match addresses
Author: kp
Date: Fri Aug 19 11:31:30 2016
New Revision: 304462
URL: https://svnweb.freebsd.org/changeset/base/304462
Log:
MFC r304152:
pf: Add missing byte-order swap to pf_match_addr_range
Without this, rules using address ranges (e.g. "10.1.1.1 - 10.1.1.5") did not
match addresses
Author: kp
Date: Wed Aug 17 15:14:21 2016
New Revision: 304293
URL: https://svnweb.freebsd.org/changeset/base/304293
Log:
MFC r289932, r289940:
PF_ANEQ() macro will in most situations return TRUE comparing two identical
IPv4 packets (when it should return FALSE). It happens because
Author: kp
Date: Wed Aug 17 09:24:46 2016
New Revision: 304283
URL: https://svnweb.freebsd.org/changeset/base/304283
Log:
MFC r302497:
pf: Map hook returns onto the correct error values
pf returns PF_PASS, PF_DROP, ... in the netpfil hooks, but the hook callers
expect to get E error
Author: kp
Date: Wed Aug 17 09:23:40 2016
New Revision: 304282
URL: https://svnweb.freebsd.org/changeset/base/304282
Log:
MFC r302497:
pf: Map hook returns onto the correct error values
pf returns PF_PASS, PF_DROP, ... in the netpfil hooks, but the hook callers
expect to get E error
Author: kp
Date: Wed Aug 17 09:21:55 2016
New Revision: 304281
URL: https://svnweb.freebsd.org/changeset/base/304281
Log:
MFC r303663:
pfctl: Allow TOS bits to be cleared
TOS value 0 is valid, so use 256 as an invalid value rather than zero.
This allows users to enforce TOS == 0