with a percentage or modulo operation). This is a demo module, although it can
be used for packet loss simulation. Example of a procedure in npf.conf:
	procedure "somedrop" {
		# Drop 1.9% of the traffic
		rndblock: percentage 1.9
	}
data, fixing up only the RST to the initial SYN. This makes off-path attacks
more difficult. For reference, see "Reflection Scan: an Off-Path Attack
on TCP" by Jan Wrobel.
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module. Move normalisation and logging functionality into their own
extensions. More improvements to come.
negative after the timer expired until the entry is deleted.
make it signed, so that we don't get output like
"00:1b:78:12:50:46 wm0 18446744073709551349 flags=0<>"
1 before return when invoked from m_xword() and m_xhalf() functions.
The caller doesn't set it to 1 either. So, set *err to 1 before
invoking MINDEX().
- When handling contiguous buffer in _bpf_tap(), pass its real size
rather than 0 to avoid reading packet data as mbuf struct on
out-of-bounds loads.
- Correctly pass pktlen and buflen arguments from bpf_deliver() to
bpf_filter() to avoid reading mbuf struct as packet data.
JIT case is still broken.
Also, test pointers against NULL.
by npfctl debug functionality. Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
share between the entries and thus fix the handling of them. Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.
using radix / Patricia tree. Universal IPv4/IPv6 comparator for ptree(3)
was contributed by Matt Thomas.
- NPF tables: update regression tests, improve npfctl(8) error messages.
- Fix few bugs when using kernel modules and handle module autounloader.
- Few other fixes and misc cleanups.
- Bump the version.
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theoretical races in session handling module.
- Misc fixes, simplifications and some clean up.
- Rename some functions for consistency and de-inline them.
- Fix few invalid asserts (add regression test).
- Use pserialize(9) for ALG interface.
- Minor fixes, sprinkle many comments.
of different types and configurations of NAT.
- npfctl: improve disassemble and show-config command functionality.
- Fix custom ICMP code and type filtering.