- prevent an endless loop with route-to lo0, fixes PR 3736 (dhartmei@)
- The rule_number parameter for pf_get_pool() needs to be 32 bits, not 8 -
this fixes corruption of the address pools with large rulesets.
(mcbride@, pb@)
Reviewed-by: dhartmei
Version 3.5 brings:
- Atomic commits of ruleset changes (reduce the chance of ending up in an
inconsistent state).
- A 30% reduction in the size of state table entries.
- Source-tracking (limit number of clients and states per client).
- Sticky-address (the flexibility of round-robin with the benefits of
source-hash).
- Significant improvements to interface handling.
- and many more ...
- change pf_get_pool() argument rule_number type from u_int32_t
to u_int8_t, fixes corruption of address pools with large
rulesets (mcbride@)
- prevent endless loops with route-to (dhartmei@)
- limit option length to 2 octets max (frantzen@)
Obtained from: OpenBSD
Approved by: mlaier(mentor), bms(mentor)
Fix by dhartmei@ and mcbride@
1.433
Properly m_copyback() modified TCP sequence number after demodulation
1.432
Fix icmp checksum when sequence number modlation is being used.
Also fix a daddr vs saddr cut-n-paste error in ICMP error handling.
Fixes PR 3724
Obtained from: OpenBSD
Reviewed by: dhartmei
Approved by: rwatson
Fix by dhartmei@ and mcbride@
1.433
Properly m_copyback() modified TCP sequence number after demodulation
1.432
Fix icmp checksum when sequence number modlation is being used.
Also fix a daddr vs saddr cut-n-paste error in ICMP error handling.
Fixes PR 3724
#ifdefs in order to loop it back to OpenBSD after the next import. There are
a some implicit asserts involved which might be better spelled out
explicitly (af == AF_INET ...)
Approved by: bms(mentor)
- Fix binat for incoming connections when a netblock (not just a single
address) is used for source in the binat rule. closes PR 3535, reported by
Karl O.Pinc. ok henning@, cedric@
- Fix a problem related to empty anchor rulesets, which could cause a kernel
panic.
Approved by: bms(mentor)
- Fix binat for incoming connections when a netblock (not just a single
address) is used for source in the binat rule. closes PR 3535, reported by
Karl O.Pinc. ok henning@, cedric@
- Fix a problem related to empty anchor rulesets, which could cause a kernel
panic.
Approved by: bms(mentor)
Also set HOOK_HACK to true (remove the related #ifdef's) as we have the
hooks in the kernel this was missed during the merge from the port.
Noticed by: Amir S. (for the HOOK_HACK part)
Approved by: bms(mentor)
pf/pflog/pfsync as modules. Do not list them in NOTES or modules/Makefile
(i.e. do not connect it to any (automatic) builds - yet).
Approved by: bms(mentor)
for a long time and is run in production use. This is the code present in
portversion 2.03 with some additional tweaks.
The rather extensive diff accounts for:
- locking (to enable pf to work with a giant-free netstack)
- byte order difference between OpenBSD and FreeBSD for ip_len/ip_off
- conversion from pool(9) to zone(9)
- api differences etc.
Approved by: bms(mentor) (in general)
