#
352866 |
|
29-Sep-2019 |
cy |
MFC r352737:
ipf mistakenly regards UDP packets with a checksum of 0xffff as bad.
Obtained from: NetBSD fil.c r1.30, NetBSD PR/54443
|
#
351468 |
|
25-Aug-2019 |
cy |
MFC r351380:
Specifying array sizes for fully initialized tables at compile time is redundant.
|
#
349931 |
|
12-Jul-2019 |
cy |
MFC r349927, r349929:
r349927: Resolve IPv6 checksum errors with stateful inspection. According to PR/203585 this appears to have been broken by r235959, which predates the ipfilter 5.1.2 import into FreeBSD.
The IPv6 checksum calculation is incorrect. To resolve this we call in6_cksum() to do the the heavy lifting for us, through a new function ipf_pcksum6(). Should we need to revisit this area again, a DTrace probe is added to aid with future debugging.
Plus whitespace adjustments (r348989).
PR: 203275, 203585 Differential Revision: https://reviews.freebsd.org/D20583
r349929: Move the new ipf_pcksum6() function from ip_fil_freebsd.c to fil.c. The reason for this is that ipftest(8), which still works on FreeBSD-11, fails to link to it, breaking stable/11 builds.
ipftest(8) was broken (segfault) sometime during the FreeBSD-12 cycle. glebius@ suggested we disable building it until I can get around to fixing it. Hence this was not caught in -current.
The intention is to fix ipftest(8) as it is used by the netbsd-tests (imported by ngie@ many moons ago) for regression testing.
|
#
349927 |
|
12-Jul-2019 |
cy |
MFC r348987, r348989:
Resolve IPv6 checksum errors with stateful inspection. According to PR/203585 this appears to have been broken by r235959, which predates the ipfilter 5.1.2 import into FreeBSD.
The IPv6 checksum calculation is incorrect. To resolve this we call in6_cksum() to do the the heavy lifting for us, through a new function ipf_pcksum6(). Should we need to revisit this area again, a DTrace probe is added to aid with future debugging.
Plus whitespace adjustments (r348989).
PR: 203275, 203585 Differential Revision: https://reviews.freebsd.org/D20583
|
#
343691 |
|
03-Feb-2019 |
cy |
MFC r343600:
Document the instance context pointer.
|
#
342608 |
|
30-Dec-2018 |
cy |
MFC r342547:
Remove another empty #ifdef block. This empty block also exists in the upstream HEAD.
|
#
334202 |
|
25-May-2018 |
cy |
MFC r333392-r333393, r333427
r333392: Fix memory leak. (CID 1199373).
r333393: Document intentional fallthrough. (CID 976535)
r333427: Fix style error introduced in r333393.
Reported by: jhb, imp, phk
|
#
317434 |
|
26-Apr-2017 |
cy |
MFC r316810, r316814, r316816, r316991:
Keep state incorrectly assumes keep frags. This is counter to the ipfilter man pages. This also currently restricts keep frags to only when keep state is used, which is redundant because keep state currently assumes keep frags. This commit fixes this.
To the user this change means that to maintain the current behaviour one must add keep frags to any ipfilter keep state rule (as documented in the man pages).
This patch also allows the flexability to specify and use keep frags separate from keep state, as documented in an example in ipf.conf.5, instead of the currently broken behaviour.
MFC suggested by: rgrimes Relnotes: yes
|
#
275690 |
|
10-Dec-2014 |
cy |
MFC r275199.
Correctly define constants.
|
#
272995 |
|
12-Oct-2014 |
cy |
MFC r272552
ipfilter bug #554 Determining why a ipf rule matches is hard -- replace ipfilter rule compare with new ipf_rule_compare() function.
Obtained from: ipfilter CVS rep (r1.129)
|
#
272994 |
|
12-Oct-2014 |
cy |
MFC r272551
ipfiler bug #550 filter rule list corrupted with inserted rules
Obtained from: ipfilter CVS repo (r1.128); NetBSD CVS repo (r1.15)
|
#
275690 |
|
10-Dec-2014 |
cy |
MFC r275199.
Correctly define constants.
|
#
272995 |
|
12-Oct-2014 |
cy |
MFC r272552
ipfilter bug #554 Determining why a ipf rule matches is hard -- replace ipfilter rule compare with new ipf_rule_compare() function.
Obtained from: ipfilter CVS rep (r1.129)
|
#
272994 |
|
12-Oct-2014 |
cy |
MFC r272551
ipfiler bug #550 filter rule list corrupted with inserted rules
Obtained from: ipfilter CVS repo (r1.128); NetBSD CVS repo (r1.15)
|