#
1.58 |
|
28-Mar-2022 |
riastradh |
driver(9): devsw_detach never fails. Make it return void.
Prune a whole lotta dead branches as a result of this. (Some logic calling this is also wrong for other reasons; devsw_detach is final -- you should never have any reason to decide to roll it back. To be cleaned up in subsequent commits...)
XXX kernel ABI change to devsw_detach signature requires bump
|
Revision tags: thorpej-i2c-spi-conf2-base thorpej-futex2-base thorpej-cfargs2-base cjep_sun2x-base1 cjep_sun2x-base cjep_staticlib_x-base1 cjep_staticlib_x-base thorpej-i2c-spi-conf-base thorpej-cfargs-base thorpej-futex-base bouyer-xenpvh-base2 phil-wifi-20200421 bouyer-xenpvh-base1 phil-wifi-20200411 bouyer-xenpvh-base is-mlppp-base phil-wifi-20200406 ad-namecache-base3
|
#
1.57 |
|
21-Feb-2020 |
joerg |
Explicitly cast pointers to uintptr_t before casting to enums. They are not necessarily the same size. Don't cast pointers to bool, check for NULL instead.
|
Revision tags: netbsd-9-2-RELEASE netbsd-9-1-RELEASE netbsd-9-0-RELEASE netbsd-9-0-RC2 ad-namecache-base2 ad-namecache-base1 ad-namecache-base netbsd-9-0-RC1 phil-wifi-20191119 netbsd-9-base phil-wifi-20190609 isaki-audio2-base pgoyette-compat-20190127 pgoyette-compat-20190118 pgoyette-compat-1226 pgoyette-compat-1126 pgoyette-compat-1020 pgoyette-compat-0930 pgoyette-compat-0906
|
#
1.56 |
|
10-Aug-2018 |
maxv |
branches: 1.56.6; Fix compilation of PF/IPF...
|
#
1.55 |
|
10-Aug-2018 |
maxv |
Rename
ip6_undefer_csum -> in6_undefer_cksum
in6_delayed_cksum -> in6_undefer_cksum_tcpudp
The two previous names were inconsistent and misleading.
Put the two functions into in6_offload.c. Add comments to explain what we're doing.
Same as IPv4.
|
Revision tags: pgoyette-compat-0728
|
#
1.54 |
|
11-Jul-2018 |
kre |
Fix build. pf_ioctl.c needs netinet/in_offload.h (after previous change). Because this is in a module, apparently, that means that netinet_in_offload.h needs to get installed in /usr/include, so do that as well.
Feel free to fix this in a better way...
|
#
1.53 |
|
11-Jul-2018 |
maxv |
Rename
ip_undefer_csum -> in_undefer_cksum
in_delayed_cksum -> in_undefer_cksum_tcpudp
The two previous names were inconsistent and misleading.
Put the two functions into in_offload.c. Add comments to explain what we're doing.
The same could be done for IPv6.
|
Revision tags: phil-wifi-base pgoyette-compat-0625 pgoyette-compat-0521 pgoyette-compat-0502 pgoyette-compat-0422 pgoyette-compat-0415 pgoyette-compat-0407 pgoyette-compat-0330 pgoyette-compat-0322 pgoyette-compat-0315 pgoyette-compat-base tls-maxphys-base-20171202
|
#
1.52 |
|
15-Oct-2017 |
pgoyette |
branches: 1.52.2; 1.52.4; Defer initialization of pf_status.host_id
The call to cprng_fast32() requires that per-cpu data has been initialized by cprng_fast_init(), which doesn't get called until after the first part of auto-configuration is done, long after pfattach() calls cprng_fast32().
Fixed PR kern/52620
XXX This needs pull-up to the -8 branch.
|
Revision tags: nick-nhusb-base-20170825 perseant-stdc-iso10646-base netbsd-8-base prg-localcount2-base3 prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1 jdolecek-ncq-base pgoyette-localcount-20170320 nick-nhusb-base-20170204 bouyer-socketcan-base pgoyette-localcount-20170107 nick-nhusb-base-20161204 pgoyette-localcount-20161104 nick-nhusb-base-20161004 localcount-20160914 pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base nick-nhusb-base-20160907 nick-nhusb-base-20160529 nick-nhusb-base-20160422 nick-nhusb-base-20160319 nick-nhusb-base-20151226 nick-nhusb-base-20150921
|
#
1.51 |
|
20-Aug-2015 |
christos |
branches: 1.51.8; 1.51.10; include "ioconf.h" to get the 'void <driver>attach(int count);' prototype.
|
Revision tags: netbsd-7-2-RELEASE netbsd-7-1-2-RELEASE netbsd-7-1-1-RELEASE netbsd-7-1-RELEASE netbsd-7-1-RC2 netbsd-7-nhusb-base-20170116 netbsd-7-1-RC1 netbsd-7-0-2-RELEASE netbsd-7-nhusb-base netbsd-7-0-1-RELEASE netbsd-7-0-RELEASE netbsd-7-0-RC3 netbsd-7-0-RC2 netbsd-7-0-RC1 nick-nhusb-base-20150606 nick-nhusb-base-20150406 nick-nhusb-base netbsd-7-base tls-earlyentropy-base tls-maxphys-base
|
#
1.50 |
|
25-Jul-2014 |
dholland |
branches: 1.50.4; Add d_discard to all struct cdevsw instances I could find.
All have been set to "nodiscard"; some should get a real implementation.
|
Revision tags: yamt-pagecache-base9 riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 rmind-smpnet-nbase rmind-smpnet-base
|
#
1.49 |
|
16-Mar-2014 |
dholland |
branches: 1.49.2; Change (mostly mechanically) every cdevsw/bdevsw I can find to use designated initializers.
I have not built every extant kernel so I have probably broken at least one build; however I've also found and fixed some wrong cdevsw/bdevsw entries so even if so I think we come out ahead.
|
Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
|
#
1.48 |
|
01-Jul-2013 |
skrll |
PFIL_HOOKS is dead.
|
#
1.47 |
|
30-Jun-2013 |
rmind |
Update pf to pfil(9) changes. Missed in previous commit.
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 agc-symver-base netbsd-6-1-RC2 netbsd-6-1-RC1 yamt-pagecache-base8 netbsd-6-0-1-RELEASE yamt-pagecache-base7 matt-nb6-plus-nbase yamt-pagecache-base6 netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 jmcneill-usbmp-base10 yamt-pagecache-base5 jmcneill-usbmp-base9 yamt-pagecache-base4 jmcneill-usbmp-base8 jmcneill-usbmp-base7 jmcneill-usbmp-base6 jmcneill-usbmp-base5 jmcneill-usbmp-base4 jmcneill-usbmp-base3 jmcneill-usbmp-pre-base2 jmcneill-usbmp-base2 netbsd-6-base jmcneill-usbmp-base
|
#
1.46 |
|
28-Nov-2011 |
tls |
branches: 1.46.8; 1.46.12; Remove arc4random() and arc4randbytes() from the kernel API. Replace arc4random() hacks in rump with stubs that call the host arc4random() to get numbers that are hopefully actually random (arc4random() keyed with stack junk is not). This should fix some of the currently failing anita tests -- we should no longer generate duplicate "random" MAC addresses in the test environment.
|
Revision tags: jmcneill-audiomp3-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base
|
#
1.45 |
|
30-Aug-2011 |
jmcneill |
branches: 1.45.2; fix -Wshadow warnings when ALTQ is enabled
|
#
1.44 |
|
29-Aug-2011 |
jmcneill |
build pf module with WARNS=3, and remove the need for -Wno-shadow
|
Revision tags: rmind-uvmplock-nbase cherry-xenmp-base bouyer-quota2-nbase bouyer-quota2-base rmind-uvmplock-base
|
#
1.43 |
|
19-Jan-2011 |
drochner |
make sure the "overload_tbl" member of "struct pf_rule" copied in from userland is initialized (it is used by the kernel only)
fixes crash or data injection (CVE-2010-3830), usually by root user only
OpenBSD has rewritten the code to start with a zero'd struct and fills in needed parts only - to be considered in case a newer pf version is imported.
|
Revision tags: jruoho-x86intr-base matt-mips64-premerge-20101231 uebayasi-xip-base4 uebayasi-xip-base3 yamt-nfs-mp-base11 uebayasi-xip-base2 yamt-nfs-mp-base10
|
#
1.42 |
|
07-May-2010 |
degroote |
branches: 1.42.2; Add support for pfs(8)
pfs(8) is a tool similar to ipfs(8) but for pf(4). It allows the admin to dump internal configuration of pf, and restore at a later point, after a maintenance reboot for example, in a transparent way for user.
This work has been done mostly during my GSoC 2009
No objections on tech-net@
|
Revision tags: uebayasi-xip-base1
|
#
1.41 |
|
13-Apr-2010 |
ahoka |
Do not unload pf when enabled, not even manually.
|
#
1.40 |
|
13-Apr-2010 |
ahoka |
change module class to driver.
|
#
1.39 |
|
13-Apr-2010 |
ahoka |
Do not auto unload pf if it's enabled.
|
#
1.38 |
|
12-Apr-2010 |
ahoka |
- Make the pf and pflog driver able to detach.
- Add code for module support.
Original patch from Jared McNeill
|
Revision tags: yamt-nfs-mp-base9 uebayasi-xip-base matt-premerge-20091211 jym-xensuspend-nbase
|
#
1.37 |
|
03-Oct-2009 |
elad |
branches: 1.37.2; 1.37.4; Move firewall/NAT policy back to respective subsystems (pf, ipf).
Note: the ipf code contains a lot of ifdefs, some of them for NetBSD versions that are no longer maintained. It won't make the code more readable, but we should consider removing them.
|
Revision tags: yamt-nfs-mp-base8
|
#
1.36 |
|
14-Sep-2009 |
degroote |
Import pfsync support from OpenBSD 4.2
Pfsync interface exposes change in the pf(4) over a pseudo-interface, and can be used to synchronise different pf.
This work was part of my 2009 GSoC
No objection on tech-net@
|
Revision tags: yamt-nfs-mp-base7
|
#
1.35 |
|
28-Jul-2009 |
minskim |
Remove LKM code from pf.
|
Revision tags: netbsd-5-2-3-RELEASE netbsd-5-1-5-RELEASE netbsd-5-2-2-RELEASE netbsd-5-1-4-RELEASE netbsd-5-2-1-RELEASE netbsd-5-1-3-RELEASE netbsd-5-2-RELEASE netbsd-5-2-RC1 netbsd-5-1-2-RELEASE netbsd-5-1-1-RELEASE matt-nb5-mips64-premerge-20101231 matt-nb5-pq3-base netbsd-5-1-RELEASE netbsd-5-1-RC4 matt-nb5-mips64-k15 netbsd-5-1-RC3 netbsd-5-1-RC2 netbsd-5-1-RC1 netbsd-5-0-2-RELEASE matt-nb5-mips64-premerge-20091211 matt-nb5-mips64-u2-k2-k4-k7-k8-k9 matt-nb4-mips64-k7-u2a-k9b matt-nb5-mips64-u1-k1-k5 netbsd-5-0-1-RELEASE jymxensuspend-base yamt-nfs-mp-base6 yamt-nfs-mp-base5 yamt-nfs-mp-base4 yamt-nfs-mp-base3 nick-hppapmap-base4 nick-hppapmap-base3 netbsd-5-0-RELEASE netbsd-5-0-RC4 netbsd-5-0-RC3 nick-hppapmap-base2 netbsd-5-0-RC2 jym-xensuspend-base netbsd-5-0-RC1 haad-dm-base2 haad-nbase2 ad-audiomp2-base netbsd-5-base nick-hppapmap-base matt-mips64-base2 haad-dm-base1 wrstuden-revivesa-base-4 wrstuden-revivesa-base-3 wrstuden-revivesa-base-2 haad-dm-base wrstuden-revivesa-base-1 simonb-wapbl-nbase simonb-wapbl-base wrstuden-revivesa-base mjf-devfs2-base
|
#
1.34 |
|
22-Jun-2008 |
peter |
Wrap definition of pfil6_wrapper in #ifdef INET6.
From Scott Ellis in PR/39007.
|
#
1.33 |
|
18-Jun-2008 |
yamt |
merge yamt-pf42 branch. (import newer pf from OpenBSD 4.2)
ok'ed by peter@. requested by core@
|
Revision tags: yamt-pf42-base4 yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-baseX yamt-pf42-base2 yamt-nfs-mp-base2 yamt-nfs-mp-base yamt-pf42-base ad-socklock-base1 yamt-lazymbuf-base15 yamt-lazymbuf-base14 keiichi-mipv6-nbase nick-net80211-sync-base keiichi-mipv6-base vmlocking2-base3 bouyer-xeni386-nbase yamt-kmem-base3 cube-autoconf-base yamt-kmem-base2 bouyer-xeni386-base matt-armv6-nbase mjf-devfs-base matt-armv6-base hpcarm-cleanup-base
|
#
1.32 |
|
11-Dec-2007 |
lukem |
branches: 1.32.8; 1.32.10; 1.32.12; 1.32.14; 1.32.16; use __KERNEL_RCSID()
|
Revision tags: nick-csl-alignment-base5 matt-armv6-prevmlocking yamt-kmem-base vmlocking2-base2 reinoud-bufcleanup-nbase vmlocking2-base1 jmcneill-base bouyer-xenamd64-base2 vmlocking-nbase yamt-x86pmap-base4 bouyer-xenamd64-base yamt-x86pmap-base3 yamt-x86pmap-base2 yamt-x86pmap-base matt-mips64-base jmcneill-pm-base nick-csl-alignment-base reinoud-bufcleanup-base mjf-ufs-trans-base vmlocking-base
|
#
1.31 |
|
09-Jul-2007 |
ad |
branches: 1.31.8; 1.31.16; 1.31.18; 1.31.20; Merge some of the less invasive changes from the vmlocking branch:
- kthread, callout, devsw API changes
- select()/poll() improvements
- miscellaneous MT safety improvements
|
Revision tags: yamt-idlelwp-base8 thorpej-atomic-base
|
#
1.30 |
|
12-Mar-2007 |
ad |
branches: 1.30.2; Pass an ipl argument to pool_init/POOL_INIT to be used when initializing the pool's lock.
|
#
1.29 |
|
04-Mar-2007 |
christos |
branches: 1.29.2; Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.
|
Revision tags: netbsd-4-0-1-RELEASE wrstuden-fixsa-newbase wrstuden-fixsa-base-1 netbsd-4-0-RELEASE netbsd-4-0-RC5 matt-nb4-arm-base netbsd-4-0-RC4 netbsd-4-0-RC3 netbsd-4-0-RC2 netbsd-4-0-RC1 wrstuden-fixsa-base ad-audiomp-base post-newlock2-merge newlock2-nbase yamt-splraiseipl-base5 yamt-splraiseipl-base4 yamt-splraiseipl-base3 newlock2-base netbsd-4-base
|
#
1.28 |
|
16-Nov-2006 |
christos |
branches: 1.28.4; __unused removal on arguments; approved by core.
|
Revision tags: yamt-splraiseipl-base2
|
#
1.27 |
|
12-Oct-2006 |
peter |
Merge the peter-altq branch.
(sync with KAME & add support for using ALTQ with pf(4)).
|
#
1.26 |
|
12-Oct-2006 |
christos |
- sprinkle __unused on function decls.
- fix a couple of unused bugs
- no more -Wno-unused for i386
|
#
1.25 |
|
01-Oct-2006 |
pavel |
In pf, there are lots of #ifdef ALTQ, but our ALTQ is not what pf expects, and if ALTQ and pf are both enabled, it leads to compile errors. So, change all tests for ALTQ to ALTQ_NEW, which won't be defined.
This allows simultaneous compilation of pf and ALTQ and is a temporary measure before the peter-altq branch is merged.
Tested and approved by Peter Postma.
|
#
1.24 |
|
19-Sep-2006 |
elad |
Remove ugly (void *) casts from network scope authorization wrapper and calls to it.
While here, adapt code for system scope listeners to avoid some more casts (forgotten in previous run).
Update documentation.
|
Revision tags: yamt-splraiseipl-base yamt-pdpolicy-base9
|
#
1.23 |
|
08-Sep-2006 |
elad |
branches: 1.23.2; First take at security model abstraction.
- Add a few scopes to the kernel: system, network, and machdep.
- Add a few more actions/sub-actions (requests), and start using them as opposed to the KAUTH_GENERIC_ISSUSER place-holders.
- Introduce a basic set of listeners that implement our "traditional" security model, called "bsd44". This is the default (and only) model we have at the moment.
- Update all relevant documentation.
- Add some code and docs to help folks who want to actually use this stuff:
* There's a sample overlay model, sitting on-top of "bsd44", for fast experimenting with tweaking just a subset of an existing model.
This is pretty cool because it's *really* straightforward to do stuff you had to use ugly hacks for until now...
* And of course, documentation describing how to do the above for quick reference, including code samples.
All of these changes were tested for regressions using a Python-based testsuite that will be (I hope) available soon via pkgsrc. Information about the tests, and how to write new ones, can be found on:
http://kauth.linbsd.org/kauthwiki
NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the following:
- Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
- Checks 'securelevel' directly,
- Checks a uid/gid directly.
(or if you feel you have to, contact me first)
This is still work in progress; It's far from being done, but now it'll be a lot easier.
Relevant mailing list threads:
http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html
http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html
http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html
http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html
Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help stabilizing kauth(9).
Full credit for the regression tests, making sure these changes didn't break anything, goes to Matt Fleming and Jaime Fournier.
Happy birthday Randi! :)
|
Revision tags: yamt-pdpolicy-base8 rpaulo-netinet-merge-pcb-base
|
#
1.22 |
|
03-Sep-2006 |
christos |
branches: 1.22.2; add missing initializer
|
Revision tags: abandoned-netbsd-4-base yamt-pdpolicy-base7 yamt-pdpolicy-base6 chap-midi-nbase gdamore-uart-base simonb-timcounters-final yamt-pdpolicy-base5 chap-midi-base yamt-pdpolicy-base4 yamt-pdpolicy-base3 peter-altq-base yamt-pdpolicy-base2 elad-kernelauth-base yamt-pdpolicy-base yamt-uio_vmspace-base5 simonb-timecounters-base
|
#
1.21 |
|
11-Dec-2005 |
christos |
branches: 1.21.4; 1.21.8; 1.21.12; merge ktrace-lwp.
|
Revision tags: yamt-readahead-base3 yamt-readahead-base2 yamt-readahead-pervnode yamt-readahead-perfile yamt-readahead-base yamt-vop-base3 yamt-vop-base2 thorpej-vnode-attr-base yamt-vop-base ktrace-lwp-base
|
#
1.20 |
|
11-Aug-2005 |
yamt |
pfil6_wrapper: handle M_CSUM_TCPv6|M_CSUM_UDPv6.
|
#
1.19 |
|
06-Aug-2005 |
yamt |
wrap INET only code by #if defined(INET). (in __NetBSD__ part)
|
#
1.18 |
|
26-Jul-2005 |
peter |
pf_test() can set *mp to NULL, check for this before de-referencing it. From Akihiro Sagawa in PR/30835.
|
#
1.17 |
|
01-Jul-2005 |
peter |
branches: 1.17.2; Resolve conflicts (pf from OpenBSD 3.7, kernel part).
|
Revision tags: yamt-km-base4 yamt-km-base3 netbsd-3-base kent-audio2-base
|
#
1.16 |
|
15-Mar-2005 |
peter |
branches: 1.16.2; Fix a GCC warning when compiling on evbppc. From FUKAUMI Naoki in PR #29669.
|
#
1.15 |
|
14-Feb-2005 |
peter |
Merge in a fix from OPENBSD_3_6. ok yamt@
> MFC:
> Fix by dhartmei@
>
> replace finer-grained spl locking in pfioctl() with a single broad lock
> around the entire body. this resolves the (misleading) panics in
> pf_tag_packet() during heavy ioctl operations (like when using authpf)
> that occur because softclock can interrupt ioctl on i386 since SMP.
> patch from camield@.
|
Revision tags: yamt-km-base2 yamt-km-base kent-audio1-beforemerge
|
#
1.14 |
|
01-Jan-2005 |
yamt |
branches: 1.14.2; 1.14.4; pfil4_wrapper: clear M_CANFASTFWD which is not compatible with pf.
|
Revision tags: kent-audio1-base
|
#
1.13 |
|
04-Dec-2004 |
peter |
Improve the cleanup routines for detachment. Fixes PR 28132.
Reviewed by yamt.
|
#
1.12 |
|
14-Nov-2004 |
yamt |
resolve conflicts. (pf from OpenBSD 3.6, kernel part)
|
#
1.11 |
|
13-Nov-2004 |
yamt |
backout whitespace changes to make further import easier.
|
#
1.10 |
|
06-Sep-2004 |
yamt |
pfil4_wrapper, pfil6_wrapper: ensure that mbufs are writable beforehand as pf assumes it. PR/26433.
|
#
1.9 |
|
27-Jul-2004 |
yamt |
branches: 1.9.2;
- rename PFIL_NEWIF to PFIL_IFNET, and handle interface detach events as well.
- use it for pf(4).
mostly from Peter Postma. PR/26403.
|
#
1.8 |
|
26-Jul-2004 |
yamt |
fix dynaddr tracking.
from Peter Postma, PR/26369. ok'ed by itojun.
|
#
1.7 |
|
26-Jul-2004 |
yamt |
call PFIL_NEWIF hooks at a correct place. (on SIOCAIFADDR rather than SIOCGIFALIAS.)
from Peter Postma, PR/26402. ok'ed by itojun.
|
#
1.6 |
|
29-Jun-2004 |
itojun |
make PF lkm working. from Peter Postma and Joel Wilsson.
remove pf_ioctl_head/pf_newif_head, which was never used.
|
#
1.5 |
|
25-Jun-2004 |
itojun |
PR kern/26011: pf leaks mbufs on disallowed packets. Peter Postma
|
#
1.4 |
|
22-Jun-2004 |
martin |
Make it compile on non-IPv6 kernels.
|
#
1.3 |
|
22-Jun-2004 |
christos |
add a pfdetach() method to be used by lkm's
|
#
1.2 |
|
22-Jun-2004 |
itojun |
PF from openbsd 3.5. missing features:
- pfsync (due to protocol # assignment issues)
- carp (not really a PF portion, but thought important to mention)
- PF and ALTQ are mutually-exclusive. this will be sorted out when kjc@csl.sony.co.jp updates ALTQ and PF (and API inbetween)
reviewed by matt, christos, perry
torture-test is very welcomed.
|
#
1.1 |
|
22-Jun-2004 |
itojun |
branches: 1.1.1; Initial revision
|
#
1.57 |
|
21-Feb-2020 |
joerg |
Explicitly cast pointers to uintptr_t before casting to enums. They are not necessarily the same size. Don't cast pointers to bool, check for NULL instead.
|
Revision tags: netbsd-9-0-RELEASE netbsd-9-0-RC2 ad-namecache-base2 ad-namecache-base1 ad-namecache-base netbsd-9-0-RC1 phil-wifi-20191119 netbsd-9-base phil-wifi-20190609 isaki-audio2-base pgoyette-compat-20190127 pgoyette-compat-20190118 pgoyette-compat-1226 pgoyette-compat-1126 pgoyette-compat-1020 pgoyette-compat-0930 pgoyette-compat-0906
|
#
1.56 |
|
10-Aug-2018 |
maxv |
Fix compilation of PF/IPF...
|
#
1.55 |
|
10-Aug-2018 |
maxv |
Rename
ip6_undefer_csum -> in6_undefer_cksum in6_delayed_cksum -> in6_undefer_cksum_tcpudp
The two previous names were inconsistent and misleading.
Put the two functions into in6_offload.c. Add comments to explain what we're doing.
Same as IPv4.
|
Revision tags: pgoyette-compat-0728
|
#
1.54 |
|
11-Jul-2018 |
kre |
Fix build. pf_ioctl.c needs netinet/in_offload.h (after previous change). Because this is in a module, apparently, that means that netinet_in_offload.h needs to get installed in /usr/include, so do that as well.
Feel free to fix this in a better way...
|
#
1.53 |
|
11-Jul-2018 |
maxv |
Rename
ip_undefer_csum -> in_undefer_cksum in_delayed_cksum -> in_undefer_cksum_tcpudp
The two previous names were inconsistent and misleading.
Put the two functions into in_offload.c. Add comments to explain what we're doing.
The same could be done for IPv6.
|
Revision tags: phil-wifi-base pgoyette-compat-0625 pgoyette-compat-0521 pgoyette-compat-0502 pgoyette-compat-0422 pgoyette-compat-0415 pgoyette-compat-0407 pgoyette-compat-0330 pgoyette-compat-0322 pgoyette-compat-0315 pgoyette-compat-base tls-maxphys-base-20171202
|
#
1.52 |
|
15-Oct-2017 |
pgoyette |
branches: 1.52.2; 1.52.4; Defer initialization of pf_status.host_id
The call to cprng_fast32() requires that per-cpu data has been initialized by corng_fast_init(), which doesn't get called until after the first part of auto-configuration is done, long after pfattach() calls cprng_fast32().
Fixed PR kern/52620
XXX This needs pull-up to the -8 branch.
|
Revision tags: nick-nhusb-base-20170825 perseant-stdc-iso10646-base netbsd-8-base prg-localcount2-base3 prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1 jdolecek-ncq-base pgoyette-localcount-20170320 nick-nhusb-base-20170204 bouyer-socketcan-base pgoyette-localcount-20170107 nick-nhusb-base-20161204 pgoyette-localcount-20161104 nick-nhusb-base-20161004 localcount-20160914 pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base nick-nhusb-base-20160907 nick-nhusb-base-20160529 nick-nhusb-base-20160422 nick-nhusb-base-20160319 nick-nhusb-base-20151226 nick-nhusb-base-20150921
|
#
1.51 |
|
20-Aug-2015 |
christos |
branches: 1.51.8; 1.51.10; include "ioconf.h" to get the 'void <driver>attach(int count);' prototype.
|
Revision tags: netbsd-7-2-RELEASE netbsd-7-1-2-RELEASE netbsd-7-1-1-RELEASE netbsd-7-1-RELEASE netbsd-7-1-RC2 netbsd-7-nhusb-base-20170116 netbsd-7-1-RC1 netbsd-7-0-2-RELEASE netbsd-7-nhusb-base netbsd-7-0-1-RELEASE netbsd-7-0-RELEASE netbsd-7-0-RC3 netbsd-7-0-RC2 netbsd-7-0-RC1 nick-nhusb-base-20150606 nick-nhusb-base-20150406 nick-nhusb-base netbsd-7-base tls-earlyentropy-base tls-maxphys-base
|
#
1.50 |
|
25-Jul-2014 |
dholland |
branches: 1.50.4; Add d_discard to all struct cdevsw instances I could find.
All have been set to "nodiscard"; some should get a real implementation.
|
Revision tags: yamt-pagecache-base9 riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 rmind-smpnet-nbase rmind-smpnet-base
|
#
1.49 |
|
16-Mar-2014 |
dholland |
branches: 1.49.2; Change (mostly mechanically) every cdevsw/bdevsw I can find to use designated initializers.
I have not built every extant kernel so I have probably broken at least one build; however I've also found and fixed some wrong cdevsw/bdevsw entries so even if so I think we come out ahead.
|
Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
|
#
1.48 |
|
01-Jul-2013 |
skrll |
PFIL_HOOKS is dead.
|
#
1.47 |
|
30-Jun-2013 |
rmind |
Update pf to pfil(9) changes. Missed in previous commit.
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 agc-symver-base netbsd-6-1-RC2 netbsd-6-1-RC1 yamt-pagecache-base8 netbsd-6-0-1-RELEASE yamt-pagecache-base7 matt-nb6-plus-nbase yamt-pagecache-base6 netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 jmcneill-usbmp-base10 yamt-pagecache-base5 jmcneill-usbmp-base9 yamt-pagecache-base4 jmcneill-usbmp-base8 jmcneill-usbmp-base7 jmcneill-usbmp-base6 jmcneill-usbmp-base5 jmcneill-usbmp-base4 jmcneill-usbmp-base3 jmcneill-usbmp-pre-base2 jmcneill-usbmp-base2 netbsd-6-base jmcneill-usbmp-base
|
#
1.46 |
|
28-Nov-2011 |
tls |
branches: 1.46.8; 1.46.12; Remove arc4random() and arc4randbytes() from the kernel API. Replace arc4random() hacks in rump with stubs that call the host arc4random() to get numbers that are hopefully actually random (arc4random() keyed with stack junk is not). This should fix some of the currently failing anita tests -- we should no longer generate duplicate "random" MAC addresses in the test environment.
|
Revision tags: jmcneill-audiomp3-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base
|
#
1.45 |
|
30-Aug-2011 |
jmcneill |
branches: 1.45.2; fix -Wshadow warnings when ALTQ is enabled
|
#
1.44 |
|
29-Aug-2011 |
jmcneill |
build pf module with WARNS=3, and remove the need for -Wno-shadow
|
Revision tags: rmind-uvmplock-nbase cherry-xenmp-base bouyer-quota2-nbase bouyer-quota2-base rmind-uvmplock-base
|
#
1.43 |
|
19-Jan-2011 |
drochner |
make sure the "overload_tbl" member of "struct pf_rule" copied in from userland is initialized (it is used by the kernel only) fixes crash or data injection (CVE-2010-3830), usually by root user only OpenBSD has rewritten the code to start with a zero'd struct and fills in needed parts only - to be considered in case a newer pf version is imported.
|
Revision tags: jruoho-x86intr-base matt-mips64-premerge-20101231 uebayasi-xip-base4 uebayasi-xip-base3 yamt-nfs-mp-base11 uebayasi-xip-base2 yamt-nfs-mp-base10
|
#
1.42 |
|
07-May-2010 |
degroote |
branches: 1.42.2; Add support for pfs(8)
pfs(8) is a tool similar to ipfs(8) but for pf(4). It allows the admin to dump internal configuration of pf, and restore at a latter point, after a maintenance reboot for example, in a transparent way for user.
This work has been done mostly during my GSoC 2009
No objections on tech-net@
|
Revision tags: uebayasi-xip-base1
|
#
1.41 |
|
13-Apr-2010 |
ahoka |
Do not unload pf when enabled, not even manually.
|
#
1.40 |
|
13-Apr-2010 |
ahoka |
change module class to driver.
|
#
1.39 |
|
13-Apr-2010 |
ahoka |
Do not auto unload pf if it's enabled.
|
#
1.38 |
|
12-Apr-2010 |
ahoka |
- Make the pf and pflog driver able to detach. - Add code for module support.
Original patch from Jared McNeill
|
Revision tags: yamt-nfs-mp-base9 uebayasi-xip-base matt-premerge-20091211 jym-xensuspend-nbase
|
#
1.37 |
|
03-Oct-2009 |
elad |
branches: 1.37.2; 1.37.4; Move firewall/NAT policy back to respective subsystems (pf, ipf).
Note: the ipf code contains a lot of ifdefs, some of them for NetBSD versions that are no longer maintained. It won't make the code more readable, but we should consider removing them.
|
Revision tags: yamt-nfs-mp-base8
|
#
1.36 |
|
14-Sep-2009 |
degroote |
Import pfsync support from OpenBSD 4.2
Pfsync interface exposes change in the pf(4) over a pseudo-interface, and can be used to synchronise different pf.
This work was part of my 2009 GSoC
No objection on tech-net@
|
Revision tags: yamt-nfs-mp-base7
|
#
1.35 |
|
28-Jul-2009 |
minskim |
Remove LKM code from pf.
|
Revision tags: netbsd-5-2-3-RELEASE netbsd-5-1-5-RELEASE netbsd-5-2-2-RELEASE netbsd-5-1-4-RELEASE netbsd-5-2-1-RELEASE netbsd-5-1-3-RELEASE netbsd-5-2-RELEASE netbsd-5-2-RC1 netbsd-5-1-2-RELEASE netbsd-5-1-1-RELEASE matt-nb5-mips64-premerge-20101231 matt-nb5-pq3-base netbsd-5-1-RELEASE netbsd-5-1-RC4 matt-nb5-mips64-k15 netbsd-5-1-RC3 netbsd-5-1-RC2 netbsd-5-1-RC1 netbsd-5-0-2-RELEASE matt-nb5-mips64-premerge-20091211 matt-nb5-mips64-u2-k2-k4-k7-k8-k9 matt-nb4-mips64-k7-u2a-k9b matt-nb5-mips64-u1-k1-k5 netbsd-5-0-1-RELEASE jymxensuspend-base yamt-nfs-mp-base6 yamt-nfs-mp-base5 yamt-nfs-mp-base4 yamt-nfs-mp-base3 nick-hppapmap-base4 nick-hppapmap-base3 netbsd-5-0-RELEASE netbsd-5-0-RC4 netbsd-5-0-RC3 nick-hppapmap-base2 netbsd-5-0-RC2 jym-xensuspend-base netbsd-5-0-RC1 haad-dm-base2 haad-nbase2 ad-audiomp2-base netbsd-5-base nick-hppapmap-base matt-mips64-base2 haad-dm-base1 wrstuden-revivesa-base-4 wrstuden-revivesa-base-3 wrstuden-revivesa-base-2 haad-dm-base wrstuden-revivesa-base-1 simonb-wapbl-nbase simonb-wapbl-base wrstuden-revivesa-base mjf-devfs2-base
|
#
1.34 |
|
22-Jun-2008 |
peter |
Wrap definition of pfil6_wrapper in #ifdef INET6.
From Scott Ellis in PR/39007.
|
#
1.33 |
|
18-Jun-2008 |
yamt |
merge yamt-pf42 branch. (import newer pf from OpenBSD 4.2)
ok'ed by peter@. requested by core@
|
Revision tags: yamt-pf42-base4 yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-baseX yamt-pf42-base2 yamt-nfs-mp-base2 yamt-nfs-mp-base yamt-pf42-base ad-socklock-base1 yamt-lazymbuf-base15 yamt-lazymbuf-base14 keiichi-mipv6-nbase nick-net80211-sync-base keiichi-mipv6-base vmlocking2-base3 bouyer-xeni386-nbase yamt-kmem-base3 cube-autoconf-base yamt-kmem-base2 bouyer-xeni386-base matt-armv6-nbase mjf-devfs-base matt-armv6-base hpcarm-cleanup-base
|
#
1.32 |
|
11-Dec-2007 |
lukem |
branches: 1.32.8; 1.32.10; 1.32.12; 1.32.14; 1.32.16; use __KERNEL_RCSID()
|
Revision tags: nick-csl-alignment-base5 matt-armv6-prevmlocking yamt-kmem-base vmlocking2-base2 reinoud-bufcleanup-nbase vmlocking2-base1 jmcneill-base bouyer-xenamd64-base2 vmlocking-nbase yamt-x86pmap-base4 bouyer-xenamd64-base yamt-x86pmap-base3 yamt-x86pmap-base2 yamt-x86pmap-base matt-mips64-base jmcneill-pm-base nick-csl-alignment-base reinoud-bufcleanup-base mjf-ufs-trans-base vmlocking-base
|
#
1.31 |
|
09-Jul-2007 |
ad |
branches: 1.31.8; 1.31.16; 1.31.18; 1.31.20; Merge some of the less invasive changes from the vmlocking branch:
- kthread, callout, devsw API changes - select()/poll() improvements - miscellaneous MT safety improvements
|
Revision tags: yamt-idlelwp-base8 thorpej-atomic-base
|
#
1.30 |
|
12-Mar-2007 |
ad |
branches: 1.30.2; Pass an ipl argument to pool_init/POOL_INIT to be used when initializing the pool's lock.
|
#
1.29 |
|
04-Mar-2007 |
christos |
branches: 1.29.2; Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.
|
Revision tags: netbsd-4-0-1-RELEASE wrstuden-fixsa-newbase wrstuden-fixsa-base-1 netbsd-4-0-RELEASE netbsd-4-0-RC5 matt-nb4-arm-base netbsd-4-0-RC4 netbsd-4-0-RC3 netbsd-4-0-RC2 netbsd-4-0-RC1 wrstuden-fixsa-base ad-audiomp-base post-newlock2-merge newlock2-nbase yamt-splraiseipl-base5 yamt-splraiseipl-base4 yamt-splraiseipl-base3 newlock2-base netbsd-4-base
|
#
1.28 |
|
16-Nov-2006 |
christos |
branches: 1.28.4; __unused removal on arguments; approved by core.
|
Revision tags: yamt-splraiseipl-base2
|
#
1.27 |
|
12-Oct-2006 |
peter |
Merge the peter-altq branch.
(sync with KAME & add support for using ALTQ with pf(4)).
|
#
1.26 |
|
12-Oct-2006 |
christos |
- sprinkle __unused on function decls. - fix a couple of unused bugs - no more -Wno-unused for i386
|
#
1.25 |
|
01-Oct-2006 |
pavel |
In pf, there are lots of #ifdef ALTQ, but our ALTQ is not what pf expects, and if ALTQ and pf are both enabled, it leads to compile errors. So, change all tests for ALTQ to ALTQ_NEW, which won't be defined.
This allows simultaneous compilation of pf and ALTQ and is a temporary measure before the peter-altq brach is merged.
Tested and approved by Peter Postma.
|
#
1.24 |
|
19-Sep-2006 |
elad |
Remove ugly (void *) casts from network scope authorization wrapper and calls to it.
While here, adapt code for system scope listeners to avoid some more casts (forgotten in previous run).
Update documentation.
|
Revision tags: yamt-splraiseipl-base yamt-pdpolicy-base9
|
#
1.23 |
|
08-Sep-2006 |
elad |
branches: 1.23.2; First take at security model abstraction.
- Add a few scopes to the kernel: system, network, and machdep.
- Add a few more actions/sub-actions (requests), and start using them as opposed to the KAUTH_GENERIC_ISSUSER place-holders.
- Introduce a basic set of listeners that implement our "traditional" security model, called "bsd44". This is the default (and only) model we have at the moment.
- Update all relevant documentation.
- Add some code and docs to help folks who want to actually use this stuff:
* There's a sample overlay model, sitting on-top of "bsd44", for fast experimenting with tweaking just a subset of an existing model.
This is pretty cool because it's *really* straightforward to do stuff you had to use ugly hacks for until now...
* And of course, documentation describing how to do the above for quick reference, including code samples.
All of these changes were tested for regressions using a Python-based testsuite that will be (I hope) available soon via pkgsrc. Information about the tests, and how to write new ones, can be found on:
http://kauth.linbsd.org/kauthwiki
NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the following:
- Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
- Checks 'securelevel' directly,
- Checks a uid/gid directly.
(or if you feel you have to, contact me first)
This is still work in progress; It's far from being done, but now it'll be a lot easier.
Relevant mailing list threads:
http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html
http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html
http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html
http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html
Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help stabilizing kauth(9).
Full credit for the regression tests, making sure these changes didn't break anything, goes to Matt Fleming and Jaime Fournier.
Happy birthday Randi! :)
|
Revision tags: yamt-pdpolicy-base8 rpaulo-netinet-merge-pcb-base
|
#
1.22 |
|
03-Sep-2006 |
christos |
branches: 1.22.2; add missing initializer
|
Revision tags: abandoned-netbsd-4-base yamt-pdpolicy-base7 yamt-pdpolicy-base6 chap-midi-nbase gdamore-uart-base simonb-timcounters-final yamt-pdpolicy-base5 chap-midi-base yamt-pdpolicy-base4 yamt-pdpolicy-base3 peter-altq-base yamt-pdpolicy-base2 elad-kernelauth-base yamt-pdpolicy-base yamt-uio_vmspace-base5 simonb-timecounters-base
|
#
1.21 |
|
11-Dec-2005 |
christos |
branches: 1.21.4; 1.21.8; 1.21.12; merge ktrace-lwp.
|
Revision tags: yamt-readahead-base3 yamt-readahead-base2 yamt-readahead-pervnode yamt-readahead-perfile yamt-readahead-base yamt-vop-base3 yamt-vop-base2 thorpej-vnode-attr-base yamt-vop-base ktrace-lwp-base
|
#
1.20 |
|
11-Aug-2005 |
yamt |
pfil6_wrapper: handle M_CSUM_TCPv6|M_CSUM_UDPv6.
|
#
1.19 |
|
06-Aug-2005 |
yamt |
wrap INET only code by #if defined(INET). (in __NetBSD__ part)
|
#
1.18 |
|
26-Jul-2005 |
peter |
pf_test() can set *mp to NULL, check for this before de-referencing it. From Akihiro Sagawa in PR/30835.
|
#
1.17 |
|
01-Jul-2005 |
peter |
branches: 1.17.2; Resolve conflicts (pf from OpenBSD 3.7, kernel part).
|
Revision tags: yamt-km-base4 yamt-km-base3 netbsd-3-base kent-audio2-base
|
#
1.16 |
|
15-Mar-2005 |
peter |
branches: 1.16.2; Fix a GCC warning when compiling on evbppc. From FUKAUMI Naoki in PR #29669.
|
#
1.15 |
|
14-Feb-2005 |
peter |
Merge in a fix from OPENBSD_3_6. ok yamt@
> MFC:
> Fix by dhartmei@
>
> replace finer-grained spl locking in pfioctl() with a single broad lock
> around the entire body. this resolves the (misleading) panics in
> pf_tag_packet() during heavy ioctl operations (like when using authpf)
> that occur because softclock can interrupt ioctl on i386 since SMP.
> patch from camield@.
|
Revision tags: yamt-km-base2 yamt-km-base kent-audio1-beforemerge
|
#
1.14 |
|
01-Jan-2005 |
yamt |
branches: 1.14.2; 1.14.4; pfil4_wrapper: clear M_CANFASTFWD which is not compatible with pf.
|
Revision tags: kent-audio1-base
|
#
1.13 |
|
04-Dec-2004 |
peter |
Improve the cleanup routines for detachment. Fixes PR 28132.
Reviewed by yamt.
|
#
1.12 |
|
14-Nov-2004 |
yamt |
resolve conflicts. (pf from OpenBSD 3.6, kernel part)
|
#
1.11 |
|
13-Nov-2004 |
yamt |
backout whitespace changes to make further import easier.
|
#
1.10 |
|
06-Sep-2004 |
yamt |
pfil4_wrapper, pfil6_wrapper: ensure that mbufs are writable beforehand as pf assumes it. PR/26433.
|
#
1.9 |
|
27-Jul-2004 |
yamt |
branches: 1.9.2;
- rename PFIL_NEWIF to PFIL_IFNET, and handle interface detach events as well.
- use it for pf(4).
mostly from Peter Postma. PR/26403.
|
#
1.8 |
|
26-Jul-2004 |
yamt |
fix dynaddr tracking.
from Peter Postma, PR/26369. ok'ed by itojun.
|
#
1.7 |
|
26-Jul-2004 |
yamt |
call PFIL_NEWIF hooks at a correct place. (on SIOCAIFADDR rather than SIOCGIFALIAS.)
from Peter Postma, PR/26402. ok'ed by itojun.
|
#
1.6 |
|
29-Jun-2004 |
itojun |
make PF lkm working. from Peter Postma and Joel Wilsson.
remove pf_ioctl_head/pf_newif_head, which was never used.
|
#
1.5 |
|
25-Jun-2004 |
itojun |
PR kern/26011: pf leaks mbufs on disallowed packets. Peter Postma
|
#
1.4 |
|
22-Jun-2004 |
martin |
Make it compile on non-IPv6 kernels.
|
#
1.3 |
|
22-Jun-2004 |
christos |
add a pfdetach() method to be used by lkm's
|
#
1.2 |
|
22-Jun-2004 |
itojun |
PF from openbsd 3.5. missing features:
- pfsync (due to protocol # assignment issues)
- carp (not really a PF portion, but thought important to mention)
- PF and ALTQ are mutually-exclusive. this will be sorted out when kjc@csl.sony.co.jp updates ALTQ and PF (and API in between)
reviewed by matt, christos, perry
torture-test is very welcomed.
|
#
1.1 |
|
22-Jun-2004 |
itojun |
branches: 1.1.1; Initial revision
|
Revision tags: isaki-audio2-base pgoyette-compat-20190127 pgoyette-compat-20190118 pgoyette-compat-1226 pgoyette-compat-1126 pgoyette-compat-1020 pgoyette-compat-0930 pgoyette-compat-0906
|
#
1.56 |
|
10-Aug-2018 |
maxv |
Fix compilation of PF/IPF...
|
#
1.55 |
|
10-Aug-2018 |
maxv |
Rename
ip6_undefer_csum -> in6_undefer_cksum
in6_delayed_cksum -> in6_undefer_cksum_tcpudp
The two previous names were inconsistent and misleading.
Put the two functions into in6_offload.c. Add comments to explain what we're doing.
Same as IPv4.
|
Revision tags: pgoyette-compat-0728
|
#
1.54 |
|
11-Jul-2018 |
kre |
Fix build. pf_ioctl.c needs netinet/in_offload.h (after previous change). Because this is in a module, apparently, that means that netinet_in_offload.h needs to get installed in /usr/include, so do that as well.
Feel free to fix this in a better way...
|
#
1.53 |
|
11-Jul-2018 |
maxv |
Rename
ip_undefer_csum -> in_undefer_cksum
in_delayed_cksum -> in_undefer_cksum_tcpudp
The two previous names were inconsistent and misleading.
Put the two functions into in_offload.c. Add comments to explain what we're doing.
The same could be done for IPv6.
|
Revision tags: phil-wifi-base pgoyette-compat-0625 pgoyette-compat-0521 pgoyette-compat-0502 pgoyette-compat-0422 pgoyette-compat-0415 pgoyette-compat-0407 pgoyette-compat-0330 pgoyette-compat-0322 pgoyette-compat-0315 pgoyette-compat-base tls-maxphys-base-20171202
|
#
1.52 |
|
15-Oct-2017 |
pgoyette |
branches: 1.52.2; Defer initialization of pf_status.host_id
The call to cprng_fast32() requires that per-cpu data has been initialized by cprng_fast_init(), which doesn't get called until after the first part of auto-configuration is done, long after pfattach() calls cprng_fast32().
Fixed PR kern/52620
XXX This needs pull-up to the -8 branch.
|
Revision tags: nick-nhusb-base-20170825 perseant-stdc-iso10646-base netbsd-8-base prg-localcount2-base3 prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1 jdolecek-ncq-base pgoyette-localcount-20170320 nick-nhusb-base-20170204 bouyer-socketcan-base pgoyette-localcount-20170107 nick-nhusb-base-20161204 pgoyette-localcount-20161104 nick-nhusb-base-20161004 localcount-20160914 pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base nick-nhusb-base-20160907 nick-nhusb-base-20160529 nick-nhusb-base-20160422 nick-nhusb-base-20160319 nick-nhusb-base-20151226 nick-nhusb-base-20150921
|
#
1.51 |
|
20-Aug-2015 |
christos |
branches: 1.51.8; 1.51.10; include "ioconf.h" to get the 'void <driver>attach(int count);' prototype.
|
Revision tags: netbsd-7-2-RELEASE netbsd-7-1-2-RELEASE netbsd-7-1-1-RELEASE netbsd-7-1-RELEASE netbsd-7-1-RC2 netbsd-7-nhusb-base-20170116 netbsd-7-1-RC1 netbsd-7-0-2-RELEASE netbsd-7-nhusb-base netbsd-7-0-1-RELEASE netbsd-7-0-RELEASE netbsd-7-0-RC3 netbsd-7-0-RC2 netbsd-7-0-RC1 nick-nhusb-base-20150606 nick-nhusb-base-20150406 nick-nhusb-base netbsd-7-base tls-earlyentropy-base tls-maxphys-base
|
#
1.50 |
|
25-Jul-2014 |
dholland |
branches: 1.50.4; Add d_discard to all struct cdevsw instances I could find.
All have been set to "nodiscard"; some should get a real implementation.
|
Revision tags: yamt-pagecache-base9 riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 rmind-smpnet-nbase rmind-smpnet-base
|
#
1.49 |
|
16-Mar-2014 |
dholland |
branches: 1.49.2; Change (mostly mechanically) every cdevsw/bdevsw I can find to use designated initializers.
I have not built every extant kernel so I have probably broken at least one build; however I've also found and fixed some wrong cdevsw/bdevsw entries so even if so I think we come out ahead.
|
Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
|
#
1.48 |
|
01-Jul-2013 |
skrll |
PFIL_HOOKS is dead.
|
#
1.47 |
|
30-Jun-2013 |
rmind |
Update pf to pfil(9) changes. Missed in previous commit.
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 agc-symver-base netbsd-6-1-RC2 netbsd-6-1-RC1 yamt-pagecache-base8 netbsd-6-0-1-RELEASE yamt-pagecache-base7 matt-nb6-plus-nbase yamt-pagecache-base6 netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 jmcneill-usbmp-base10 yamt-pagecache-base5 jmcneill-usbmp-base9 yamt-pagecache-base4 jmcneill-usbmp-base8 jmcneill-usbmp-base7 jmcneill-usbmp-base6 jmcneill-usbmp-base5 jmcneill-usbmp-base4 jmcneill-usbmp-base3 jmcneill-usbmp-pre-base2 jmcneill-usbmp-base2 netbsd-6-base jmcneill-usbmp-base
|
#
1.46 |
|
28-Nov-2011 |
tls |
branches: 1.46.8; 1.46.12; Remove arc4random() and arc4randbytes() from the kernel API. Replace arc4random() hacks in rump with stubs that call the host arc4random() to get numbers that are hopefully actually random (arc4random() keyed with stack junk is not). This should fix some of the currently failing anita tests -- we should no longer generate duplicate "random" MAC addresses in the test environment.
|
Revision tags: jmcneill-audiomp3-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base
|
#
1.45 |
|
30-Aug-2011 |
jmcneill |
branches: 1.45.2; fix -Wshadow warnings when ALTQ is enabled
|
#
1.44 |
|
29-Aug-2011 |
jmcneill |
build pf module with WARNS=3, and remove the need for -Wno-shadow
|
Revision tags: rmind-uvmplock-nbase cherry-xenmp-base bouyer-quota2-nbase bouyer-quota2-base rmind-uvmplock-base
|
#
1.43 |
|
19-Jan-2011 |
drochner |
make sure the "overload_tbl" member of "struct pf_rule" copied in from userland is initialized (it is used by the kernel only)
fixes crash or data injection (CVE-2010-3830), usually by root user only
OpenBSD has rewritten the code to start with a zero'd struct and fills in needed parts only - to be considered in case a newer pf version is imported.
|
Revision tags: jruoho-x86intr-base matt-mips64-premerge-20101231 uebayasi-xip-base4 uebayasi-xip-base3 yamt-nfs-mp-base11 uebayasi-xip-base2 yamt-nfs-mp-base10
|
#
1.42 |
|
07-May-2010 |
degroote |
branches: 1.42.2; Add support for pfs(8)
pfs(8) is a tool similar to ipfs(8) but for pf(4). It allows the admin to dump internal configuration of pf, and restore at a later point, after a maintenance reboot for example, in a transparent way for user.
This work has been done mostly during my GSoC 2009
No objections on tech-net@
|
Revision tags: uebayasi-xip-base1
|
#
1.41 |
|
13-Apr-2010 |
ahoka |
Do not unload pf when enabled, not even manually.
|
#
1.40 |
|
13-Apr-2010 |
ahoka |
change module class to driver.
|
#
1.39 |
|
13-Apr-2010 |
ahoka |
Do not auto unload pf if it's enabled.
|
#
1.38 |
|
12-Apr-2010 |
ahoka |
- Make the pf and pflog driver able to detach. - Add code for module support.
Original patch from Jared McNeill
|
Revision tags: yamt-nfs-mp-base9 uebayasi-xip-base matt-premerge-20091211 jym-xensuspend-nbase
|
#
1.37 |
|
03-Oct-2009 |
elad |
branches: 1.37.2; 1.37.4; Move firewall/NAT policy back to respective subsystems (pf, ipf).
Note: the ipf code contains a lot of ifdefs, some of them for NetBSD versions that are no longer maintained. It won't make the code more readable, but we should consider removing them.
|
Revision tags: yamt-nfs-mp-base8
|
#
1.36 |
|
14-Sep-2009 |
degroote |
Import pfsync support from OpenBSD 4.2
Pfsync interface exposes change in the pf(4) over a pseudo-interface, and can be used to synchronise different pf.
This work was part of my 2009 GSoC
No objection on tech-net@
|
Revision tags: yamt-nfs-mp-base7
|
#
1.35 |
|
28-Jul-2009 |
minskim |
Remove LKM code from pf.
|
Revision tags: netbsd-5-2-3-RELEASE netbsd-5-1-5-RELEASE netbsd-5-2-2-RELEASE netbsd-5-1-4-RELEASE netbsd-5-2-1-RELEASE netbsd-5-1-3-RELEASE netbsd-5-2-RELEASE netbsd-5-2-RC1 netbsd-5-1-2-RELEASE netbsd-5-1-1-RELEASE matt-nb5-mips64-premerge-20101231 matt-nb5-pq3-base netbsd-5-1-RELEASE netbsd-5-1-RC4 matt-nb5-mips64-k15 netbsd-5-1-RC3 netbsd-5-1-RC2 netbsd-5-1-RC1 netbsd-5-0-2-RELEASE matt-nb5-mips64-premerge-20091211 matt-nb5-mips64-u2-k2-k4-k7-k8-k9 matt-nb4-mips64-k7-u2a-k9b matt-nb5-mips64-u1-k1-k5 netbsd-5-0-1-RELEASE jymxensuspend-base yamt-nfs-mp-base6 yamt-nfs-mp-base5 yamt-nfs-mp-base4 yamt-nfs-mp-base3 nick-hppapmap-base4 nick-hppapmap-base3 netbsd-5-0-RELEASE netbsd-5-0-RC4 netbsd-5-0-RC3 nick-hppapmap-base2 netbsd-5-0-RC2 jym-xensuspend-base netbsd-5-0-RC1 haad-dm-base2 haad-nbase2 ad-audiomp2-base netbsd-5-base nick-hppapmap-base matt-mips64-base2 haad-dm-base1 wrstuden-revivesa-base-4 wrstuden-revivesa-base-3 wrstuden-revivesa-base-2 haad-dm-base wrstuden-revivesa-base-1 simonb-wapbl-nbase simonb-wapbl-base wrstuden-revivesa-base mjf-devfs2-base
|
#
1.34 |
|
22-Jun-2008 |
peter |
Wrap definition of pfil6_wrapper in #ifdef INET6.
From Scott Ellis in PR/39007.
|
#
1.33 |
|
18-Jun-2008 |
yamt |
merge yamt-pf42 branch. (import newer pf from OpenBSD 4.2)
ok'ed by peter@. requested by core@
|
Revision tags: yamt-pf42-base4 yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-baseX yamt-pf42-base2 yamt-nfs-mp-base2 yamt-nfs-mp-base yamt-pf42-base ad-socklock-base1 yamt-lazymbuf-base15 yamt-lazymbuf-base14 keiichi-mipv6-nbase nick-net80211-sync-base keiichi-mipv6-base vmlocking2-base3 bouyer-xeni386-nbase yamt-kmem-base3 cube-autoconf-base yamt-kmem-base2 bouyer-xeni386-base matt-armv6-nbase mjf-devfs-base matt-armv6-base hpcarm-cleanup-base
|
#
1.32 |
|
11-Dec-2007 |
lukem |
branches: 1.32.8; 1.32.10; 1.32.12; 1.32.14; 1.32.16; use __KERNEL_RCSID()
|
Revision tags: nick-csl-alignment-base5 matt-armv6-prevmlocking yamt-kmem-base vmlocking2-base2 reinoud-bufcleanup-nbase vmlocking2-base1 jmcneill-base bouyer-xenamd64-base2 vmlocking-nbase yamt-x86pmap-base4 bouyer-xenamd64-base yamt-x86pmap-base3 yamt-x86pmap-base2 yamt-x86pmap-base matt-mips64-base jmcneill-pm-base nick-csl-alignment-base reinoud-bufcleanup-base mjf-ufs-trans-base vmlocking-base
|
#
1.31 |
|
09-Jul-2007 |
ad |
branches: 1.31.8; 1.31.16; 1.31.18; 1.31.20; Merge some of the less invasive changes from the vmlocking branch:
- kthread, callout, devsw API changes
- select()/poll() improvements
- miscellaneous MT safety improvements
|
Revision tags: yamt-idlelwp-base8 thorpej-atomic-base
|
#
1.30 |
|
12-Mar-2007 |
ad |
branches: 1.30.2; Pass an ipl argument to pool_init/POOL_INIT to be used when initializing the pool's lock.
|
#
1.29 |
|
04-Mar-2007 |
christos |
branches: 1.29.2; Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.
|
Revision tags: netbsd-4-0-1-RELEASE wrstuden-fixsa-newbase wrstuden-fixsa-base-1 netbsd-4-0-RELEASE netbsd-4-0-RC5 matt-nb4-arm-base netbsd-4-0-RC4 netbsd-4-0-RC3 netbsd-4-0-RC2 netbsd-4-0-RC1 wrstuden-fixsa-base ad-audiomp-base post-newlock2-merge newlock2-nbase yamt-splraiseipl-base5 yamt-splraiseipl-base4 yamt-splraiseipl-base3 newlock2-base netbsd-4-base
|
#
1.28 |
|
16-Nov-2006 |
christos |
branches: 1.28.4; __unused removal on arguments; approved by core.
|
Revision tags: yamt-splraiseipl-base2
|
#
1.27 |
|
12-Oct-2006 |
peter |
Merge the peter-altq branch.
(sync with KAME & add support for using ALTQ with pf(4)).
|
#
1.26 |
|
12-Oct-2006 |
christos |
- sprinkle __unused on function decls.
- fix a couple of unused bugs
- no more -Wno-unused for i386
|
#
1.25 |
|
01-Oct-2006 |
pavel |
In pf, there are lots of #ifdef ALTQ, but our ALTQ is not what pf expects, and if ALTQ and pf are both enabled, it leads to compile errors. So, change all tests for ALTQ to ALTQ_NEW, which won't be defined.
This allows simultaneous compilation of pf and ALTQ and is a temporary measure before the peter-altq branch is merged.
Tested and approved by Peter Postma.
|
#
1.24 |
|
19-Sep-2006 |
elad |
Remove ugly (void *) casts from network scope authorization wrapper and calls to it.
While here, adapt code for system scope listeners to avoid some more casts (forgotten in previous run).
Update documentation.
|
Revision tags: yamt-splraiseipl-base yamt-pdpolicy-base9
|
#
1.23 |
|
08-Sep-2006 |
elad |
branches: 1.23.2; First take at security model abstraction.
- Add a few scopes to the kernel: system, network, and machdep.
- Add a few more actions/sub-actions (requests), and start using them as opposed to the KAUTH_GENERIC_ISSUSER place-holders.
- Introduce a basic set of listeners that implement our "traditional" security model, called "bsd44". This is the default (and only) model we have at the moment.
- Update all relevant documentation.
- Add some code and docs to help folks who want to actually use this stuff:
* There's a sample overlay model, sitting on-top of "bsd44", for fast experimenting with tweaking just a subset of an existing model.
This is pretty cool because it's *really* straightforward to do stuff you had to use ugly hacks for until now...
* And of course, documentation describing how to do the above for quick reference, including code samples.
All of these changes were tested for regressions using a Python-based testsuite that will be (I hope) available soon via pkgsrc. Information about the tests, and how to write new ones, can be found on:
http://kauth.linbsd.org/kauthwiki
NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the following:
- Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
- Checks 'securelevel' directly,
- Checks a uid/gid directly.
(or if you feel you have to, contact me first)
This is still work in progress; It's far from being done, but now it'll be a lot easier.
Relevant mailing list threads:
http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html
http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html
http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html
http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html
Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help stabilizing kauth(9).
Full credit for the regression tests, making sure these changes didn't break anything, goes to Matt Fleming and Jaime Fournier.
Happy birthday Randi! :)
|
Revision tags: yamt-pdpolicy-base8 rpaulo-netinet-merge-pcb-base
|
#
1.22 |
|
03-Sep-2006 |
christos |
branches: 1.22.2; add missing initializer
|
Revision tags: abandoned-netbsd-4-base yamt-pdpolicy-base7 yamt-pdpolicy-base6 chap-midi-nbase gdamore-uart-base simonb-timcounters-final yamt-pdpolicy-base5 chap-midi-base yamt-pdpolicy-base4 yamt-pdpolicy-base3 peter-altq-base yamt-pdpolicy-base2 elad-kernelauth-base yamt-pdpolicy-base yamt-uio_vmspace-base5 simonb-timecounters-base
|
#
1.21 |
|
11-Dec-2005 |
christos |
branches: 1.21.4; 1.21.8; 1.21.12; merge ktrace-lwp.
|
Revision tags: yamt-readahead-base3 yamt-readahead-base2 yamt-readahead-pervnode yamt-readahead-perfile yamt-readahead-base yamt-vop-base3 yamt-vop-base2 thorpej-vnode-attr-base yamt-vop-base ktrace-lwp-base
|
#
1.20 |
|
11-Aug-2005 |
yamt |
pfil6_wrapper: handle M_CSUM_TCPv6|M_CSUM_UDPv6.
|
#
1.19 |
|
06-Aug-2005 |
yamt |
wrap INET only code by #if defined(INET). (in __NetBSD__ part)
|
#
1.18 |
|
26-Jul-2005 |
peter |
pf_test() can set *mp to NULL, check for this before de-referencing it. From Akihiro Sagawa in PR/30835.
|
#
1.17 |
|
01-Jul-2005 |
peter |
branches: 1.17.2; Resolve conflicts (pf from OpenBSD 3.7, kernel part).
|
Revision tags: yamt-km-base4 yamt-km-base3 netbsd-3-base kent-audio2-base
|
#
1.16 |
|
15-Mar-2005 |
peter |
branches: 1.16.2; Fix a GCC warning when compiling on evbppc. From FUKAUMI Naoki in PR #29669.
|
#
1.15 |
|
14-Feb-2005 |
peter |
Merge in a fix from OPENBSD_3_6. ok yamt@
> MFC:
> Fix by dhartmei@
>
> replace finer-grained spl locking in pfioctl() with a single broad lock
> around the entire body. this resolves the (misleading) panics in
> pf_tag_packet() during heavy ioctl operations (like when using authpf)
> that occur because softclock can interrupt ioctl on i386 since SMP.
> patch from camield@.
|
Revision tags: yamt-km-base2 yamt-km-base kent-audio1-beforemerge
|
#
1.14 |
|
01-Jan-2005 |
yamt |
branches: 1.14.2; 1.14.4; pfil4_wrapper: clear M_CANFASTFWD which is not compatible with pf.
|
Revision tags: kent-audio1-base
|
#
1.13 |
|
04-Dec-2004 |
peter |
Improve the cleanup routines for detachment. Fixes PR 28132.
Reviewed by yamt.
|
#
1.12 |
|
14-Nov-2004 |
yamt |
resolve conflicts. (pf from OpenBSD 3.6, kernel part)
|
#
1.11 |
|
13-Nov-2004 |
yamt |
backout whitespace changes to make further import easier.
|
#
1.10 |
|
06-Sep-2004 |
yamt |
pfil4_wrapper, pfil6_wrapper: ensure that mbufs are writable beforehand as pf assumes it. PR/26433.
|
#
1.9 |
|
27-Jul-2004 |
yamt |
branches: 1.9.2;
- rename PFIL_NEWIF to PFIL_IFNET, and handle interface detach events as well.
- use it for pf(4).
mostly from Peter Postma. PR/26403.
|
#
1.8 |
|
26-Jul-2004 |
yamt |
fix dynaddr tracking.
from Peter Postma, PR/26369. ok'ed by itojun.
|
#
1.7 |
|
26-Jul-2004 |
yamt |
call PFIL_NEWIF hooks at a correct place. (on SIOCAIFADDR rather than SIOCGIFALIAS.)
from Peter Postma, PR/26402. ok'ed by itojun.
|
#
1.6 |
|
29-Jun-2004 |
itojun |
make PF lkm working. from Peter Postma and Joel Wilsson.
remove pf_ioctl_head/pf_newif_head, which was never used.
|
#
1.5 |
|
25-Jun-2004 |
itojun |
PR kern/26011: pf leaks mbufs on disallowed packets. Peter Postma
|
#
1.4 |
|
22-Jun-2004 |
martin |
Make it compile on non-IPv6 kernels.
|
#
1.3 |
|
22-Jun-2004 |
christos |
add a pfdetach() method to be used by lkm's
|
#
1.2 |
|
22-Jun-2004 |
itojun |
PF from openbsd 3.5. missing features:
- pfsync (due to protocol # assignment issues)
- carp (not really a PF portion, but thought important to mention)
- PF and ALTQ are mutually-exclusive. this will be sorted out when kjc@csl.sony.co.jp updates ALTQ and PF (and API in between)
reviewed by matt, christos, perry
torture-test is very welcomed.
|
#
1.1 |
|
22-Jun-2004 |
itojun |
branches: 1.1.1; Initial revision
|
#
1.52 |
|
15-Oct-2017 |
pgoyette |
Defer initialization of pf_status.host_id
The call to cprng_fast32() requires that per-cpu data has been initialized by cprng_fast_init(), which doesn't get called until after the first part of auto-configuration is done, long after pfattach() calls cprng_fast32().
Fixed PR kern/52620
XXX This needs pull-up to the -8 branch.
|
Revision tags: nick-nhusb-base-20170825 perseant-stdc-iso10646-base netbsd-8-base prg-localcount2-base3 prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1 jdolecek-ncq-base pgoyette-localcount-20170320 nick-nhusb-base-20170204 bouyer-socketcan-base pgoyette-localcount-20170107 nick-nhusb-base-20161204 pgoyette-localcount-20161104 nick-nhusb-base-20161004 localcount-20160914 pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base nick-nhusb-base-20160907 nick-nhusb-base-20160529 nick-nhusb-base-20160422 nick-nhusb-base-20160319 nick-nhusb-base-20151226 nick-nhusb-base-20150921
|
#
1.51 |
|
20-Aug-2015 |
christos |
branches: 1.51.8; include "ioconf.h" to get the 'void <driver>attach(int count);' prototype.
|
Revision tags: netbsd-7-1-RELEASE netbsd-7-1-RC2 netbsd-7-nhusb-base-20170116 netbsd-7-1-RC1 netbsd-7-0-2-RELEASE netbsd-7-nhusb-base netbsd-7-0-1-RELEASE netbsd-7-0-RELEASE netbsd-7-0-RC3 netbsd-7-0-RC2 netbsd-7-0-RC1 nick-nhusb-base-20150606 nick-nhusb-base-20150406 nick-nhusb-base netbsd-7-base tls-earlyentropy-base tls-maxphys-base
|
#
1.50 |
|
25-Jul-2014 |
dholland |
branches: 1.50.4; Add d_discard to all struct cdevsw instances I could find.
All have been set to "nodiscard"; some should get a real implementation.
|
Revision tags: yamt-pagecache-base9 riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 rmind-smpnet-nbase rmind-smpnet-base
|
#
1.49 |
|
16-Mar-2014 |
dholland |
branches: 1.49.2; Change (mostly mechanically) every cdevsw/bdevsw I can find to use designated initializers.
I have not built every extant kernel so I have probably broken at least one build; however I've also found and fixed some wrong cdevsw/bdevsw entries so even if so I think we come out ahead.
|
Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
|
#
1.48 |
|
01-Jul-2013 |
skrll |
PFIL_HOOKS is dead.
|
#
1.47 |
|
30-Jun-2013 |
rmind |
Update pf to pfil(9) changes. Missed in previous commit.
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 agc-symver-base netbsd-6-1-RC2 netbsd-6-1-RC1 yamt-pagecache-base8 netbsd-6-0-1-RELEASE yamt-pagecache-base7 matt-nb6-plus-nbase yamt-pagecache-base6 netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 jmcneill-usbmp-base10 yamt-pagecache-base5 jmcneill-usbmp-base9 yamt-pagecache-base4 jmcneill-usbmp-base8 jmcneill-usbmp-base7 jmcneill-usbmp-base6 jmcneill-usbmp-base5 jmcneill-usbmp-base4 jmcneill-usbmp-base3 jmcneill-usbmp-pre-base2 jmcneill-usbmp-base2 netbsd-6-base jmcneill-usbmp-base
|
#
1.46 |
|
28-Nov-2011 |
tls |
branches: 1.46.8; 1.46.12; Remove arc4random() and arc4randbytes() from the kernel API. Replace arc4random() hacks in rump with stubs that call the host arc4random() to get numbers that are hopefully actually random (arc4random() keyed with stack junk is not). This should fix some of the currently failing anita tests -- we should no longer generate duplicate "random" MAC addresses in the test environment.
|
Revision tags: jmcneill-audiomp3-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base
|
#
1.45 |
|
30-Aug-2011 |
jmcneill |
branches: 1.45.2; fix -Wshadow warnings when ALTQ is enabled
|
#
1.44 |
|
29-Aug-2011 |
jmcneill |
build pf module with WARNS=3, and remove the need for -Wno-shadow
|
Revision tags: rmind-uvmplock-nbase cherry-xenmp-base bouyer-quota2-nbase bouyer-quota2-base rmind-uvmplock-base
|
#
1.43 |
|
19-Jan-2011 |
drochner |
make sure the "overload_tbl" member of "struct pf_rule" copied in from userland is initialized (it is used by the kernel only)
fixes crash or data injection (CVE-2010-3830), usually by root user only
OpenBSD has rewritten the code to start with a zero'd struct and fills in needed parts only - to be considered in case a newer pf version is imported.
|
Revision tags: jruoho-x86intr-base matt-mips64-premerge-20101231 uebayasi-xip-base4 uebayasi-xip-base3 yamt-nfs-mp-base11 uebayasi-xip-base2 yamt-nfs-mp-base10
|
#
1.42 |
|
07-May-2010 |
degroote |
branches: 1.42.2; Add support for pfs(8)
pfs(8) is a tool similar to ipfs(8) but for pf(4). It allows the admin to dump internal configuration of pf, and restore at a later point, after a maintenance reboot for example, in a transparent way for user.
This work has been done mostly during my GSoC 2009
No objections on tech-net@
|
Revision tags: uebayasi-xip-base1
|
#
1.41 |
|
13-Apr-2010 |
ahoka |
Do not unload pf when enabled, not even manually.
|
#
1.40 |
|
13-Apr-2010 |
ahoka |
change module class to driver.
|
#
1.39 |
|
13-Apr-2010 |
ahoka |
Do not auto unload pf if it's enabled.
|
#
1.38 |
|
12-Apr-2010 |
ahoka |
- Make the pf and pflog driver able to detach. - Add code for module support.
Original patch from Jared McNeill
|
Revision tags: yamt-nfs-mp-base9 uebayasi-xip-base matt-premerge-20091211 jym-xensuspend-nbase
|
#
1.37 |
|
03-Oct-2009 |
elad |
branches: 1.37.2; 1.37.4; Move firewall/NAT policy back to respective subsystems (pf, ipf).
Note: the ipf code contains a lot of ifdefs, some of them for NetBSD versions that are no longer maintained. It won't make the code more readable, but we should consider removing them.
|
Revision tags: yamt-nfs-mp-base8
|
#
1.36 |
|
14-Sep-2009 |
degroote |
Import pfsync support from OpenBSD 4.2
Pfsync interface exposes change in the pf(4) over a pseudo-interface, and can be used to synchronise different pf.
This work was part of my 2009 GSoC
No objection on tech-net@
|
Revision tags: yamt-nfs-mp-base7
|
#
1.35 |
|
28-Jul-2009 |
minskim |
Remove LKM code from pf.
|
Revision tags: netbsd-5-2-3-RELEASE netbsd-5-1-5-RELEASE netbsd-5-2-2-RELEASE netbsd-5-1-4-RELEASE netbsd-5-2-1-RELEASE netbsd-5-1-3-RELEASE netbsd-5-2-RELEASE netbsd-5-2-RC1 netbsd-5-1-2-RELEASE netbsd-5-1-1-RELEASE matt-nb5-mips64-premerge-20101231 matt-nb5-pq3-base netbsd-5-1-RELEASE netbsd-5-1-RC4 matt-nb5-mips64-k15 netbsd-5-1-RC3 netbsd-5-1-RC2 netbsd-5-1-RC1 netbsd-5-0-2-RELEASE matt-nb5-mips64-premerge-20091211 matt-nb5-mips64-u2-k2-k4-k7-k8-k9 matt-nb4-mips64-k7-u2a-k9b matt-nb5-mips64-u1-k1-k5 netbsd-5-0-1-RELEASE jymxensuspend-base yamt-nfs-mp-base6 yamt-nfs-mp-base5 yamt-nfs-mp-base4 yamt-nfs-mp-base3 nick-hppapmap-base4 nick-hppapmap-base3 netbsd-5-0-RELEASE netbsd-5-0-RC4 netbsd-5-0-RC3 nick-hppapmap-base2 netbsd-5-0-RC2 jym-xensuspend-base netbsd-5-0-RC1 haad-dm-base2 haad-nbase2 ad-audiomp2-base netbsd-5-base nick-hppapmap-base matt-mips64-base2 haad-dm-base1 wrstuden-revivesa-base-4 wrstuden-revivesa-base-3 wrstuden-revivesa-base-2 haad-dm-base wrstuden-revivesa-base-1 simonb-wapbl-nbase simonb-wapbl-base wrstuden-revivesa-base mjf-devfs2-base
|
#
1.34 |
|
22-Jun-2008 |
peter |
Wrap definition of pfil6_wrapper in #ifdef INET6.
From Scott Ellis in PR/39007.
|
#
1.33 |
|
18-Jun-2008 |
yamt |
merge yamt-pf42 branch. (import newer pf from OpenBSD 4.2)
ok'ed by peter@. requested by core@
|
Revision tags: yamt-pf42-base4 yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-baseX yamt-pf42-base2 yamt-nfs-mp-base2 yamt-nfs-mp-base yamt-pf42-base ad-socklock-base1 yamt-lazymbuf-base15 yamt-lazymbuf-base14 keiichi-mipv6-nbase nick-net80211-sync-base keiichi-mipv6-base vmlocking2-base3 bouyer-xeni386-nbase yamt-kmem-base3 cube-autoconf-base yamt-kmem-base2 bouyer-xeni386-base matt-armv6-nbase mjf-devfs-base matt-armv6-base hpcarm-cleanup-base
|
#
1.32 |
|
11-Dec-2007 |
lukem |
branches: 1.32.8; 1.32.10; 1.32.12; 1.32.14; 1.32.16; use __KERNEL_RCSID()
|
Revision tags: nick-csl-alignment-base5 matt-armv6-prevmlocking yamt-kmem-base vmlocking2-base2 reinoud-bufcleanup-nbase vmlocking2-base1 jmcneill-base bouyer-xenamd64-base2 vmlocking-nbase yamt-x86pmap-base4 bouyer-xenamd64-base yamt-x86pmap-base3 yamt-x86pmap-base2 yamt-x86pmap-base matt-mips64-base jmcneill-pm-base nick-csl-alignment-base reinoud-bufcleanup-base mjf-ufs-trans-base vmlocking-base
|
#
1.31 |
|
09-Jul-2007 |
ad |
branches: 1.31.8; 1.31.16; 1.31.18; 1.31.20; Merge some of the less invasive changes from the vmlocking branch:
- kthread, callout, devsw API changes
- select()/poll() improvements
- miscellaneous MT safety improvements
|
Revision tags: yamt-idlelwp-base8 thorpej-atomic-base
|
#
1.30 |
|
12-Mar-2007 |
ad |
branches: 1.30.2; Pass an ipl argument to pool_init/POOL_INIT to be used when initializing the pool's lock.
|
#
1.29 |
|
04-Mar-2007 |
christos |
branches: 1.29.2; Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.
|
Revision tags: netbsd-4-0-1-RELEASE wrstuden-fixsa-newbase wrstuden-fixsa-base-1 netbsd-4-0-RELEASE netbsd-4-0-RC5 matt-nb4-arm-base netbsd-4-0-RC4 netbsd-4-0-RC3 netbsd-4-0-RC2 netbsd-4-0-RC1 wrstuden-fixsa-base ad-audiomp-base post-newlock2-merge newlock2-nbase yamt-splraiseipl-base5 yamt-splraiseipl-base4 yamt-splraiseipl-base3 newlock2-base netbsd-4-base
|
#
1.28 |
|
16-Nov-2006 |
christos |
branches: 1.28.4; __unused removal on arguments; approved by core.
|
Revision tags: yamt-splraiseipl-base2
|
#
1.27 |
|
12-Oct-2006 |
peter |
Merge the peter-altq branch.
(sync with KAME & add support for using ALTQ with pf(4)).
|
#
1.26 |
|
12-Oct-2006 |
christos |
- sprinkle __unused on function decls.
- fix a couple of unused bugs
- no more -Wno-unused for i386
|
#
1.25 |
|
01-Oct-2006 |
pavel |
In pf, there are lots of #ifdef ALTQ, but our ALTQ is not what pf expects, and if ALTQ and pf are both enabled, it leads to compile errors. So, change all tests for ALTQ to ALTQ_NEW, which won't be defined.
This allows simultaneous compilation of pf and ALTQ and is a temporary measure before the peter-altq branch is merged.
Tested and approved by Peter Postma.
|
#
1.24 |
|
19-Sep-2006 |
elad |
Remove ugly (void *) casts from network scope authorization wrapper and calls to it.
While here, adapt code for system scope listeners to avoid some more casts (forgotten in previous run).
Update documentation.
|
Revision tags: yamt-splraiseipl-base yamt-pdpolicy-base9
|
#
1.23 |
|
08-Sep-2006 |
elad |
branches: 1.23.2; First take at security model abstraction.
- Add a few scopes to the kernel: system, network, and machdep.
- Add a few more actions/sub-actions (requests), and start using them as opposed to the KAUTH_GENERIC_ISSUSER place-holders.
- Introduce a basic set of listeners that implement our "traditional" security model, called "bsd44". This is the default (and only) model we have at the moment.
- Update all relevant documentation.
- Add some code and docs to help folks who want to actually use this stuff:
* There's a sample overlay model, sitting on-top of "bsd44", for fast experimenting with tweaking just a subset of an existing model.
This is pretty cool because it's *really* straightforward to do stuff you had to use ugly hacks for until now...
* And of course, documentation describing how to do the above for quick reference, including code samples.
All of these changes were tested for regressions using a Python-based testsuite that will be (I hope) available soon via pkgsrc. Information about the tests, and how to write new ones, can be found on:
http://kauth.linbsd.org/kauthwiki
NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the following:
- Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
- Checks 'securelevel' directly,
- Checks a uid/gid directly.
(or if you feel you have to, contact me first)
This is still work in progress; It's far from being done, but now it'll be a lot easier.
Relevant mailing list threads:
http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html
http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html
http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html
http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html
Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help stabilizing kauth(9).
Full credit for the regression tests, making sure these changes didn't break anything, goes to Matt Fleming and Jaime Fournier.
Happy birthday Randi! :)
|
Revision tags: yamt-pdpolicy-base8 rpaulo-netinet-merge-pcb-base
|
#
1.22 |
|
03-Sep-2006 |
christos |
branches: 1.22.2; add missing initializer
|
Revision tags: abandoned-netbsd-4-base yamt-pdpolicy-base7 yamt-pdpolicy-base6 chap-midi-nbase gdamore-uart-base simonb-timcounters-final yamt-pdpolicy-base5 chap-midi-base yamt-pdpolicy-base4 yamt-pdpolicy-base3 peter-altq-base yamt-pdpolicy-base2 elad-kernelauth-base yamt-pdpolicy-base yamt-uio_vmspace-base5 simonb-timecounters-base
|
#
1.21 |
|
11-Dec-2005 |
christos |
branches: 1.21.4; 1.21.8; 1.21.12; merge ktrace-lwp.
|
Revision tags: yamt-readahead-base3 yamt-readahead-base2 yamt-readahead-pervnode yamt-readahead-perfile yamt-readahead-base yamt-vop-base3 yamt-vop-base2 thorpej-vnode-attr-base yamt-vop-base ktrace-lwp-base
|
#
1.20 |
|
11-Aug-2005 |
yamt |
pfil6_wrapper: handle M_CSUM_TCPv6|M_CSUM_UDPv6.
|
#
1.19 |
|
06-Aug-2005 |
yamt |
wrap INET only code by #if defined(INET). (in __NetBSD__ part)
|
#
1.18 |
|
26-Jul-2005 |
peter |
pf_test() can set *mp to NULL, check for this before de-referencing it. From Akihiro Sagawa in PR/30835.
|
#
1.17 |
|
01-Jul-2005 |
peter |
branches: 1.17.2; Resolve conflicts (pf from OpenBSD 3.7, kernel part).
|
Revision tags: yamt-km-base4 yamt-km-base3 netbsd-3-base kent-audio2-base
|
#
1.16 |
|
15-Mar-2005 |
peter |
branches: 1.16.2; Fix a GCC warning when compiling on evbppc. From FUKAUMI Naoki in PR #29669.
|
#
1.15 |
|
14-Feb-2005 |
peter |
Merge in a fix from OPENBSD_3_6. ok yamt@
> MFC:
> Fix by dhartmei@
>
> replace finer-grained spl locking in pfioctl() with a single broad lock
> around the entire body. this resolves the (misleading) panics in
> pf_tag_packet() during heavy ioctl operations (like when using authpf)
> that occur because softclock can interrupt ioctl on i386 since SMP.
> patch from camield@.
|
Revision tags: yamt-km-base2 yamt-km-base kent-audio1-beforemerge
|
#
1.14 |
|
01-Jan-2005 |
yamt |
branches: 1.14.2; 1.14.4; pfil4_wrapper: clear M_CANFASTFWD which is not compatible with pf.
|
Revision tags: kent-audio1-base
|
#
1.13 |
|
04-Dec-2004 |
peter |
Improve the cleanup routines for detachment. Fixes PR 28132.
Reviewed by yamt.
|
#
1.12 |
|
14-Nov-2004 |
yamt |
resolve conflicts. (pf from OpenBSD 3.6, kernel part)
|
#
1.11 |
|
13-Nov-2004 |
yamt |
backout whitespace changes to make further import easier.
|
#
1.10 |
|
06-Sep-2004 |
yamt |
pfil4_wrapper, pfil6_wrapper: ensure that mbufs are writable beforehand as pf assumes it. PR/26433.
|
#
1.9 |
|
27-Jul-2004 |
yamt |
branches: 1.9.2;
- rename PFIL_NEWIF to PFIL_IFNET, and handle interface detach events as well.
- use it for pf(4).
mostly from Peter Postma. PR/26403.
|
#
1.8 |
|
26-Jul-2004 |
yamt |
fix dynaddr tracking.
from Peter Postma, PR/26369. ok'ed by itojun.
|
#
1.7 |
|
26-Jul-2004 |
yamt |
call PFIL_NEWIF hooks at a correct place. (on SIOCAIFADDR rather than SIOCGIFALIAS.)
from Peter Postma, PR/26402. ok'ed by itojun.
|
#
1.6 |
|
29-Jun-2004 |
itojun |
make PF lkm working. from Peter Postma and Joel Wilsson.
remove pf_ioctl_head/pf_newif_head, which was never used.
|
#
1.5 |
|
25-Jun-2004 |
itojun |
PR kern/26011: pf leaks mbufs on disallowed packets. Peter Postma
|
#
1.4 |
|
22-Jun-2004 |
martin |
Make it compile on non-IPv6 kernels.
|
#
1.3 |
|
22-Jun-2004 |
christos |
add a pfdetach() method to be used by lkm's
|
#
1.2 |
|
22-Jun-2004 |
itojun |
PF from openbsd 3.5. missing features:
- pfsync (due to protocol # assignment issues)
- carp (not really a PF portion, but thought important to mention)
- PF and ALTQ are mutually-exclusive. this will be sorted out when kjc@csl.sony.co.jp updates ALTQ and PF (and API inbetween)
reviewed by matt, christos, perry
torture-test is very welcomed.
|
#
1.1 |
|
22-Jun-2004 |
itojun |
branches: 1.1.1; Initial revision
|