|
Revision tags: release/14.0.0 |
|
| #
fa9896e0 |
| 16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
Remove $FreeBSD$: two-line nroff pattern
Remove /^\.\\"\n\.\\"\s*\$FreeBSD\$$\n/
|
|
Revision tags: release/13.2.0, release/12.4.0, release/13.1.0, release/12.3.0, release/13.0.0, release/12.2.0 |
|
| #
1f7a058f |
| 22-Oct-2020 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Fix typo
|
|
Revision tags: release/11.4.0, release/12.1.0, release/11.3.0 |
|
| #
c2c227a5 |
| 03-Feb-2019 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r343571 through r343711.
|
| #
b252313f |
| 01-Feb-2019 |
Gleb Smirnoff <glebius@FreeBSD.org> |
New pfil(9) KPI together with newborn pfil API and control utility.
The KPI have been reviewed and cleansed of features that were planned
back 20 years ago and never implemented. The pfil(9) intern
New pfil(9) KPI together with newborn pfil API and control utility.
The KPI have been reviewed and cleansed of features that were planned
back 20 years ago and never implemented. The pfil(9) internals have
been made opaque to protocols with only returned types and function
declarations exposed. The KPI is made more strict, but at the same time
more extensible, as kernel uses same command structures that userland
ioctl uses.
In nutshell [KA]PI is about declaring filtering points, declaring
filters and linking and unlinking them together.
New [KA]PI makes it possible to reconfigure pfil(9) configuration:
change order of hooks, rehook filter from one filtering point to a
different one, disconnect a hook on output leaving it on input only,
prepend/append a filter to existing list of filters.
Now it possible for a single packet filter to provide multiple rulesets
that may be linked to different points. Think of per-interface ACLs in
Cisco or Juniper. None of existing packet filters yet support that,
however limited usage is already possible, e.g. default ruleset can
be moved to single interface, as soon as interface would pride their
filtering points.
Another future feature is possiblity to create pfil heads, that provide
not an mbuf pointer but just a memory pointer with length. That would
allow filtering at very early stages of a packet lifecycle, e.g. when
packet has just been received by a NIC and no mbuf was yet allocated.
Differential Revision: https://reviews.freebsd.org/D18951
show more ...
|
|
Revision tags: release/12.0.0, release/11.2.0 |
|
| #
effaab88 |
| 23-Mar-2018 |
Kristof Provost <kp@FreeBSD.org> |
netpfil: Introduce PFIL_FWD flag
Forwarded packets passed through PFIL_OUT, which made it difficult for
firewalls to figure out if they were forwarding or producing packets. This in
turn is an issue
netpfil: Introduce PFIL_FWD flag
Forwarded packets passed through PFIL_OUT, which made it difficult for
firewalls to figure out if they were forwarding or producing packets. This in
turn is an issue for pf for IPv6 fragment handling: it needs to call
ip6_output() or ip6_forward() to handle the fragments. Figuring out which was
difficult (and until now, incorrect).
Having pfil distinguish the two removes an ugly piece of code from pf.
Introduce a new variant of the netpfil callbacks with a flags variable, which
has PFIL_FWD set for forwarded packets. This allows pf to reliably work out if
a packet is forwarded.
Reviewed by: ae, kevans
Differential Revision: https://reviews.freebsd.org/D13715
show more ...
|
|
Revision tags: release/10.4.0, release/11.1.0 |
|
| #
aceea44d |
| 27-Mar-2017 |
Sergey Kandaurov <pluknet@FreeBSD.org> |
Fix pfil_add_hook() and pfil_remove_hook() type.
|
|
Revision tags: release/11.0.1, release/11.0.0, release/10.3.0, release/10.2.0, release/10.1.0, release/9.3.0, release/10.0.0 |
|
| #
0bfd163f |
| 18-Oct-2013 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Merge head r233826 through r256722.
|
| #
1ccca3b5 |
| 10-Oct-2013 |
Alan Somers <asomers@FreeBSD.org> |
IFC @256277
Approved by: ken (mentor)
|
|
Revision tags: release/9.2.0 |
|
| #
ef90af83 |
| 20-Sep-2013 |
Peter Grehan <grehan@FreeBSD.org> |
IFC @ r255692
Comment out IA32_MISC_ENABLE MSR access - this doesn't exist on AMD.
Need to sort out how arch-specific MSRs will be handled.
|
| #
d1d01586 |
| 05-Sep-2013 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Merge from head
|
| #
46ed9e49 |
| 04-Sep-2013 |
Peter Grehan <grehan@FreeBSD.org> |
IFC @ r255209
|
| #
6871a82d |
| 25-Aug-2013 |
Mark Murray <markm@FreeBSD.org> |
MFC
|
| #
082dbcbf |
| 25-Aug-2013 |
Joel Dahl <joel@FreeBSD.org> |
mdoc fixes.
|
| #
6e3e14fe |
| 24-Aug-2013 |
Andre Oppermann <andre@FreeBSD.org> |
Fix BUGS section after botched modify in r254772.
Reported by: bjk
|
| #
b2e0423c |
| 24-Aug-2013 |
Mark Murray <markm@FreeBSD.org> |
MFC
|
| #
2c4e923d |
| 24-Aug-2013 |
Andre Oppermann <andre@FreeBSD.org> |
Adjust for the pfil_func_t typedef added in r254769.
|
| #
bacda5aa |
| 24-Aug-2013 |
Andre Oppermann <andre@FreeBSD.org> |
pfil_hook_get() has been internalized in r254771 and is no longer
part of the API. It wasn't safe for external use in any case.
|
| #
cfe30d02 |
| 19-Jun-2013 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Merge fresh head.
|
|
Revision tags: release/8.4.0 |
|
| #
d9a44755 |
| 08-Feb-2013 |
David E. O'Brien <obrien@FreeBSD.org> |
Sync with HEAD.
|
|
Revision tags: release/9.1.0 |
|
| #
300675f6 |
| 27-Nov-2012 |
Alexander Motin <mav@FreeBSD.org> |
MFC
|
| #
e477abf7 |
| 27-Nov-2012 |
Alexander Motin <mav@FreeBSD.org> |
MFC @ r241285
|
| #
32484645 |
| 17-Nov-2012 |
Neel Natu <neel@FreeBSD.org> |
IFC @ r243164
|
| #
fe6ba752 |
| 13-Nov-2012 |
Sergey Kandaurov <pluknet@FreeBSD.org> |
Correct rmlock(9) xref and add a missing comma.
|
| #
a10c6f55 |
| 11-Nov-2012 |
Neel Natu <neel@FreeBSD.org> |
IFC @ r242684
|
| #
23090366 |
| 04-Nov-2012 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Sync from head
|