| Age | Commit message (Collapse) | Author |
|---|
|
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@@ring0.de>, analysis & fix your's truly
|
|
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen
|
|
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance wise this change provides a speed up
factor of 20 with a 11k line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).
"wow!" henning, ok benno, florian
|
|
ok ryan
|
|
value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning
|
|
into the set block. so make pfctl accept, print and the manpage document
. match set queue foo
instead of
. match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc
|
|
route-to with any other scheduling algorithms than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, eg. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.
Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.
ok zinke@
|
|
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates wether the prio
should be set. ok benno claudio mikeb
|
|
family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6"
there.
OK henning@ mikeb@
|
|
brought up by ryan, discussed with him and theo and they convinced me
|
|
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler
|
|
the kernel has code to deal with set-tos and that crap. don't ask for
details. stuart ok
|
|
utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc
|
|
|
|
pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.
positive review and comments from claudio, ok henning, sperreault
|
|
void function instead.
ok dlg
|
|
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extraced
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@
|
|
|
|
ok henning, mcbride
|
|
ok henning
|
|
Diff from zinke@ with a some minor cleanup.
ok henning claudio deraadt
|
|
attributes (this is now required by pf_rule_test().
ok sthen henning
|
|
for the new priority queueing implementation. valid range is 0 to 7. the old
trick for priorizing empty ACKs etc remains thru the latter notation
ok ryan mpf sthen plus pea testing and halex and claudio reading
|
|
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.
Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing
ok bluhm; various previous versions ok henning, claudio, mpf, markus
|
|
i added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo
|
|
|
|
ok mcbride@ henning@
|
|
This allows to write rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@
|
|
route-to and friends were introduced making it obsolete. one even
has to look it up int the ipf manual to get and idea what it's
supposed to do. reuse some kernel bits for the upcoming nat64
stuff. "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.
|
|
no-df, random-id, set-tos for IPv6 rules. Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@
|
|
From: Thomas Pfaff <tpfaff@tp76.info>
|
|
ok henning@ mcbride@
|
|
both now can be used in both directions. the kernel allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given, a rule with rdr-to and/or nat-to
and no direction is pretty certainly an error (which it would work,
technically)
ok ryan claudio dlg
|
|
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually
|
|
written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!
ok henning@
|
|
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?
|
|
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.
tested by phessler
ok henning
|
|
the partial loading of a ruleset (leaving ancors aside) is wrong and
conflicts with the general idea of how pf works. last not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc
|
|
ok mcbride
|
|
tests for illegal conditions in translation/routing.
|
|
collapsing into tables, so that we can handle all possible address family
expansions.
|
|
like a dynamic one in the routespec.
|
|
Fix binat-to sanity checks.
|
|
- purge irrelevant addresses from the lists before collapsing
- ensure the lists are freed after they're collapsed
- more careful ifname copying, avoiding double-free / use-after-free traps
|
|
|
|
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.
Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.
ok henning dlg claudio
|
|
lookahead in the parser
ok henning otto
|
|
10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1. How long this bug has
been with us is unclear.
ok guenther mcbride
|
|
as neither arrayified not arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.
ok jmc@
|
|
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:
pass out on em0 from $foo to $bar received-on fxp0
ive been running this in production for a week now. i find it particularly
usefull with interface groups.
no objections, and a few "i like"s from henning, claudio, deraadt, mpf
|
