#
1.16 |
|
30-May-2020 |
rmind |
Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction' settings. Users can now choose whether the connection state should be strictly per-interface or global at the configuration level. Keep NAT logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce more parameters. Remove npf_nvlist_{copyin,copyout}() functions and refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have a single entry point for operations. Introduce npf_flow_t and clean up some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list' more informative; misc usability improvements and more user-friendly error messages.
- Amend and improve the manual pages.
|
Revision tags: phil-wifi-20200421 phil-wifi-20200411 is-mlppp-base phil-wifi-20200406 phil-wifi-20191119
|
#
1.15 |
|
25-Aug-2019 |
rmind |
- npfctl_load_nvlist: simplify the config loading logic.
- Fix a small race condition in npf_nat_getaddr().
- Rework pserialize/EBR wrappers, make it easier to maintain.
|
#
1.14 |
|
08-Aug-2019 |
rmind |
NPF: fix BPF byte-code generation for a port-range used in a group. Resolved PR/52609 and PR/54169.
|
Revision tags: netbsd-9-base
|
#
1.13 |
|
23-Jul-2019 |
rmind |
branches: 1.13.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
|
Revision tags: phil-wifi-20190609
|
#
1.12 |
|
17-Apr-2019 |
tih |
Summary: Ensure default TCP flags are applied to rules like 'pass stateful all'
The documented default "flags S/SAFR" for stateful rules that affect TCP packets but don't specify any flags, doesn't actually get applied to a rule like "pass stateful out all". The big problem with this is that when you then do a "block return-rst" for an incoming packet, the generated RST packet will create state for the connection attempt it's blocking, so that a second attempt from the same source will pass.
This change makes the default flags actually apply to such simple rules. It also fixes a related bug in the code generation for the flag matching, where part of the action could erroneously be omitted.
Reviewed by <rmind>
Closes PR bin/54124
Pullup to NetBSD 8
|
Revision tags: pgoyette-compat-20190127 pgoyette-compat-20190118 pgoyette-compat-1226 pgoyette-compat-1126 pgoyette-compat-1020 pgoyette-compat-0930
|
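The failure mode described in the 1.12 commit message, as an added example that is not part of the NetBSD source or of the commit: a simplified C model of `flags S/SAFR` matching and state creation. The one-slot state table, the `RST|ACK` reply and the sample address are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* TCP header flag bits (standard values from the TCP header). */
#define F_FIN 0x01
#define F_SYN 0x02
#define F_RST 0x04
#define F_ACK 0x10

/* Model of a "pass stateful out all" rule; not NPF's own data structure. */
struct rule {
    bool    has_flags;   /* false models the pre-fix rule: no flag criteria */
    uint8_t flags, mask; /* "flags S/SAFR" => flags = S, mask = S|A|F|R */
};

/* Model firewall: one outbound rule and a one-slot state table (assumption). */
struct fw {
    struct rule out_rule;
    bool        have_state;
    uint32_t    peer;
};

/* "flags F/M" matches when the header flags, masked with M, equal F. */
static bool rule_matches(const struct rule *r, uint8_t tcp_flags)
{
    return !r->has_flags || (tcp_flags & r->mask) == r->flags;
}

/* Outbound path: a matching stateful rule creates state for the peer. */
static void fw_out(struct fw *fw, uint32_t dst, uint8_t tcp_flags)
{
    if (rule_matches(&fw->out_rule, tcp_flags)) {
        fw->have_state = true;
        fw->peer = dst;
    }
}

/*
 * Inbound path: a packet from a peer with existing state passes.
 * Otherwise it is blocked with return-rst, and the generated RST
 * (modelled as RST|ACK) leaves through the outbound path.
 * Returns true when the inbound packet is passed.
 */
static bool fw_in(struct fw *fw, uint32_t src)
{
    if (fw->have_state && fw->peer == src)
        return true;
    fw_out(fw, src, F_RST | F_ACK);
    return false;
}

/* Send two connection attempts from one source; count how many pass. */
static int attempts_passed(bool default_flags_applied)
{
    struct fw fw = {
        .out_rule = { default_flags_applied, F_SYN,
                      F_SYN | F_ACK | F_FIN | F_RST },
    };
    const uint32_t src = 0xC6336407u; /* 198.51.100.7, constructed sample */
    int passed = 0;

    passed += fw_in(&fw, src);
    passed += fw_in(&fw, src);
    return passed;
}

int main(void)
{
    printf("default flags not applied:    %d of 2 attempts pass\n",
        attempts_passed(false));
    printf("default flags S/SAFR applied: %d of 2 attempts pass\n",
        attempts_passed(true));
    return 0;
}
```

With the default flags applied, the outgoing RST no longer matches the stateful rule, so no state exists when the second attempt arrives.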
#
1.11 |
|
29-Sep-2018 |
rmind |
NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the previous versions. Also, different serialisation format means NPF connection/config saving and loading is not compatible with the previous versions either.
Thanks to christos@ for extra testing.
|
Revision tags: pgoyette-compat-0906 pgoyette-compat-0728 netbsd-8-0-RELEASE phil-wifi-base pgoyette-compat-0625 netbsd-8-0-RC2 pgoyette-compat-0521 pgoyette-compat-0502 pgoyette-compat-0422 netbsd-8-0-RC1 pgoyette-compat-0415 pgoyette-compat-0407 pgoyette-compat-0330 pgoyette-compat-0322 pgoyette-compat-0315 pgoyette-compat-base matt-nb8-mediatek-base perseant-stdc-iso10646-base netbsd-8-base prg-localcount2-base3 prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1 pgoyette-localcount-20170320 bouyer-socketcan-base pgoyette-localcount-20170107
|
#
1.10 |
|
27-Dec-2016 |
rmind |
branches: 1.10.6; 1.10.12; 1.10.14;
npf.conf: add support for logical NOT, e.g.: pass from ! 10.0.0.1 to any
|
#
1.9 |
|
26-Dec-2016 |
christos |
Sync NPF with the version on github: backport standalone NPF changes, which allow us to create and run separate NPF instances. Minor fixes. (from rmind@)
|
Revision tags: pgoyette-localcount-20161104 localcount-20160914 pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base
|
#
1.8 |
|
08-Jun-2015 |
rmind |
branches: 1.8.2;
- npfctl: fix the confusion in the parser (0/0 case with no other filter).
- Always populate the error dictionary, not only for DEBUG/DIAGNOSTIC.
|
Revision tags: tls-maxphys-base netbsd-7-base tls-earlyentropy-base
|
#
1.7 |
|
29-Jun-2014 |
rmind |
branches: 1.7.2; 1.7.4;
NPF:
- Populate the BPF external memory store with L3 information.
- Eliminate NPF_COP_L3 call and just use the data in the memstore.
- Bump NPF_VERSION.
|
#
1.6 |
|
31-May-2014 |
rmind |
npfctl_build_code: generate TCP/UDP check for ports case when other blocks do not imply L4 check; add an assert in npfctl_bpf_proto() and elsewhere.
|
#
1.5 |
|
15-May-2014 |
rmind |
branches: 1.5.2;
NPF: imply SYN-only check for the stateful rules by default (when inspecting TCP packets). Many users trip here. This behaviour can be overridden with the explicit "flags" keyword, but other configuration does not really make sense.
|
Revision tags: yamt-pagecache-base9 riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3
|
#
1.4 |
|
15-Mar-2014 |
rmind |
branches: 1.4.2;
npfctl_bpf_cidr: another bug fix in handling IPv6 masks (bug found on ARM).
|
#
1.3 |
|
13-Feb-2014 |
rmind |
npfctl_bpf_cidr: fix a bug in handling of smaller IPv6 masks.
|
#
1.2 |
|
05-Nov-2013 |
rmind |
npfctl: optimise fetch_l3() to avoid unnecessary call to NPF_COP_L3.
|
#
1.1 |
|
19-Sep-2013 |
rmind |
- Convert NPF to use BPF byte-code by default. Compile BPF byte-code in npfctl(8) and generate separate marks to describe the filter criteria.
- Rewrite 'npfctl show' functionality and fix some of the bugs.
- npftest: add a test for BPF COP.
- Bump NPF_VERSION.
|