Commit Graph

12 Commits

Author SHA1 Message Date
csjp
63e89c05d2 Introduce a new entry point, mac_create_mbuf_from_firewall. This entry point
exists to allow the mandatory access control policy to properly initialize
mbufs generated by the firewall. An example where this might happen is keep
alive packets, or ICMP error packets in response to other packets.

This takes care of kernel panics associated with un-initialize mbuf labels
when the firewall generates packets.

[1] I modified this patch from it's original version, the initial patch
    introduced a number of entry points which were programmatically
    equivalent. So I introduced only one. Instead, we should leverage
    mac_create_mbuf_netlayer() which is used for similar situations,
    an example being icmp_error()

    This will minimize the impact associated with the MFC

Submitted by:	mlaier [1]
MFC after:	1 week

This is a RELENG_6 candidate
2006-09-12 04:25:13 +00:00
ru
388e590f95 Reimplementation of world/kernel build options. For details, see:
http://lists.freebsd.org/pipermail/freebsd-current/2006-March/061725.html

The src.conf(5) manpage is to follow in a few days.

Brought to you by:	imp, jhb, kris, phk, ru (all bugs are mine)
2006-03-17 18:54:44 +00:00
yar
7260b91842 The pf' and pflog' sources do not depend on DEV_PF or DEV_PFLOG,
which is normal for own files of a device driver.

DEV_FOO should be used if an unrelated kernel file needs to know of
the `foo' driver's static presence.  Obviously, module source files
should never use DEV_*.
2006-03-09 15:48:45 +00:00
mlaier
0c9bbeed73 Make pflog a seperate module. As a result pflog_packet() becomes a function
pointer that is declared in pf_ioctl.c

Requested by:	yar (as part of the module build reorg)
MFC after:	1 week
X-MFC with:	yar's module reorg
2006-02-05 17:17:32 +00:00
yar
024c6e0e38 Let modules use the kernel's opt_*.h files if built along with
the kernel by wrapping all targets for fake opt_*.h files in
.if defined(KERNBUILDDIR).  Thus, such fake files won't be
created at all if modules are built with the kernel.

Some modules undergo cleanup like removing unused or unneeded
options or .h files, without which they wouldn't build this way
or the other.

Reviewed by:	ru
Tested by:	no binary changes in modules built alone
Tested on:	i386 sparc64 amd64
2005-10-14 23:30:17 +00:00
ru
fb4127d5cf Let kmod.mk create an empty .h file. 2005-06-05 05:30:37 +00:00
ru
5c04306fea NOINET6 -> NO_INET6 2004-12-21 10:49:29 +00:00
ru
52db62cfc9 Removed -Wall from CFLAGS. 2004-09-01 07:39:12 +00:00
dwmalone
5df13d37b2 Get rid of the RANDOM_IP_ID option and make it a sysctl. NetBSD
have already done this, so I have styled the patch on their work:

        1) introduce a ip_newid() static inline function that checks
        the sysctl and then decides if it should return a sequential
        or random IP ID.

        2) named the sysctl net.inet.ip.random_id

        3) IPv6 flow IDs and fragment IDs are now always random.
        Flow IDs and frag IDs are significantly less common in the
        IPv6 world (ie. rarely generated per-packet), so there should
        be smaller performance concerns.

The sysctl defaults to 0 (sequential IP IDs).

Reviewed by:	andre, silby, mlaier, ume
Based on:	NetBSD
MFC after:	2 months
2004-08-14 15:32:40 +00:00
mlaier
5eba798674 Commit pf version 3.5 and link additional files to the kernel build.
Version 3.5 brings:
 - Atomic commits of ruleset changes (reduce the chance of ending up in an
   inconsistent state).
 - A 30% reduction in the size of state table entries.
 - Source-tracking (limit number of clients and states per client).
 - Sticky-address (the flexibility of round-robin with the benefits of
   source-hash).
 - Significant improvements to interface handling.
 - and many more ...
2004-06-16 23:24:02 +00:00
mlaier
3c891e9b96 Make pf* modules respect NOINET6 from make.conf(5) in order to build them
for INET6-less kernel.

Requested by:	many
Approved by:	bms(mentor)
2004-04-06 15:12:50 +00:00
mlaier
428f1c9a0f Tweak existing header and other build infrastructure to be able to build
pf/pflog/pfsync as modules. Do not list them in NOTES or modules/Makefile
(i.e. do not connect it to any (automatic) builds - yet).

Approved by: bms(mentor)
2004-02-26 03:53:54 +00:00