path: root/sbin/pfctl/pfctl.c
Age  Author
Commit message

2020-10-14  Christian Weisgerber
Accommodate a basename(3) that takes a non-const parameter and may in fact modify the string buffer. ok kn@ sashan@

2020-01-16  kn
Fail on missing anchor
There is no reason to continue on anchor specific paths if the given anchor does not exist. OK sashan

2020-01-15  kn
Do the actual pfr_strerror() to pf_strerror() rename
Missed in previous

2020-01-15  kn
Unify error message for nonexisting anchors
pf(4) returns EINVAL for DIOCGETRULE, DIOCGETRULES and DIOCGETRULESET if the specified anchor does not exist. Extend and rename {pfr -> pf}_strerror() to make error message more consistent. There are other occasions as well but those need additional tweaks; that's stuff for another diff. OK and rename from sashan

2020-01-15  kn
Print the main ruleset/anchor as "/" not "<root>" for consistency
OK sashan

2020-01-15  Alexandr Nedvedicky
Enable pfctl(8) to recursively flush rules and tables from PF driver. The recursive operation ("pfctl -a '*' ...") works for '-s' option already. This change enables the same thing for '-F' option, so "pfctl -a '*' -Fa" will flush everything from PF driver. The idea was discussed with many on tech@ in spring 2019. OK kn@

2019-11-27  kn
Fix function name in error message (zap trailing s)

2019-08-15  Alexandr Nedvedicky
pfctl_reset() must set syncookies settings back to default
(bug found and fix tested by Jesper Wallin) OK deraadt OK kn

2019-07-09  kn
Add parentheses for readability
Prompted by and OK deraadt

2019-06-28  Theo de Raadt
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.

2019-04-15  Alexandr Nedvedicky
introduce 'pfctl -FR' to reset settings to defaults
(discussed with many at tech@) OK deraadt@, kn@, sthen@, tedu@

2019-03-06  kn
Fix once rules
parse.y revision 1.682 from 16.07.2018 erroneously allowed `match once' and `anchor "a" once'. Fix both by checking for PF_DROP not PF_MATCH and creating anchors in the parser already such that they can be used to distinguish anchor rules in the same check as well. Found and fixed by Petr Hoffmann <petr.hoffmann at oracle dot com>, thanks! While here, remove an unneeded cast and make pfctl_add_rule() void as it always returned 0. OK sashan

2019-02-18  Alexander Bluhm
Change ps_len of struct pfioc_states and psn_len of struct pfioc_src_nodes to size_t. This avoids integer truncation by casts to unsigned. As the types of DIOCGETSTATES and DIOCGETSRCNODES ioctl(2) arguments change, pfctl(8) and systat(1) should be updated together with the kernel. Calculate number of pf(4) states as size_t in userland. OK sashan@ deraadt@

2019-02-10  kn
Anchor names must not be empty
The parser would allow bogus input and sometimes even produce invalid rules on empty anchor names, so error out immediately. OK sashan

2019-01-29  kn
Reuse copy_satopfaddr() when killing entries
Recently introduced in pfctl_parser.c r1.333, this helper nicely simplifies code when copying IPs based on their address family, so use it in five other places when killing state or source node entries. All addresses copied in these code paths result from either pfctl_parse_host() or pfctl_addrprefix() which guarantee the address family set to AF_INET or AF_INET6. Therefore, effectively relaxing the case of unhandled families from errx(3) in callers to warnx(3) in copy_satopfaddr() is safe since it's never reached. OK sashan

2019-01-29  kn
Make -N and -r mutually exclusive
Either disable DNS or enable additional reverse lookups, but not both. OK benno

2019-01-28  kn
Simplify lookups when killing entries
Killing source tracking or state entries by hostname or CIDR would pass given keys twice to getaddrinfo(3): once to resolve/parse and again to parse the numerical address in case a prefix was specified. Avoid this overhead by making pfctl_addrprefix() resolve, pass and mask in one go and return the list of IPs to the callers. This notably simplifies both logic and sanity checks around prefix length and address family. While here, also pass -N along such that -k and -K can be restricted to not use DNS. Discussed with procter sashan, OK sashan

2019-01-19  kn
Use mnemonic PFCTL_SHOW_* macros, terminate string with null character
Tweak spacing while here, no object change. Feedback and OK procter, OK sceloha

2019-01-11  kn
Defuse `-F all -i interface'
Flushing all filter parameters does not make sense on one specific interface only as already noted. However, the main ruleset as well as all tables were still cleared on such invalid usage. Furthermore, an empty interface name was treated like no interface at all, hence source tracking entries, statistics and interface flags were cleared also. Immediately error out if `-i' is given regardless of its argument before flushing anything. OK sashan

2019-01-11  kn
When creating tables inside anchors, pfctl warned about namespace collisions with global tables, but only in certain cases and with limited information sometimes leaving users clueless. Deferring the check to process_tabledefs() where tables are eventually created, both anchor and table name are known which allows for checking all existing anchors. With this, warn on all duplicates even in dry-runs (`-n') and print quoted names so they can be copied to fix configurations right away. No functional change in parsing or ruleset production. Discussed with and OK sashan

2019-01-10  kn
Zap unused iface function parameter from pfctl_kill_src_nodes()
Killing source tracking entries per interface does not make sense and `-i interface' along with `-K key' is completely ignored anyway. There since import in 2006, probably just copy/pasta. OK sashan

2019-01-02  kn
Error out on missing table command, zap internal wrapper function
Table name and table command require each other as reflected in the synopsis [-t table -T command [address ...]], so print usage and exit if only one of them is given. By moving the inter-dependence check right after option parsing is done, we can bail out even before opening pf(4) and drop the internal wrapper pfctl_command_tables() as unneeded indirection with now duplicate checks. OK sashan

2018-12-27  kn
Zap duplicate struct declaration
These are in <net/pfvar.h> already. OK sashan

2018-09-18  kn
fix table commands under anchors
With r1.358 I simplified anchor handling but also broke semantics with regard to tables:
    # pfctl -a aname -t tname -T show
    pfctl: anchors apply to -f, -F and -s only
Unbreak this by checking for table commands as well. OK bluhm

2018-09-08  kn
Allocate path only when needed, use __func__

2018-09-08  kn
Error out early on bad anchor usage
`pfctl -a foo' would do nothing with the non-existent anchor and exit 0. This implements behaviour as documented in pfctl(8):
    -a anchor   Apply flags -f, -F, and -s only to the rules in the specified anchor.
While here, hoist a duplicate "_" check by using the more mnemonic `mode'. OK henning sashan

2018-09-07  kn
Fix function name in error messages by using __func__

2018-07-20  kn
Stop checking table commands for `create'
Tiny left over from 2003 when it was removed. Twist the logic by checking for `show' and `test' to make it even simpler. OK sashan henning

2018-07-10  Henning Brauer
'set delay' for the generic packet delay mechanism, ok benno sashan

2018-02-08  Henning Brauer
make the watermarks/thresholds for entering and leaving syncookie mode when syncookies are set to adaptive tunable, ok claudio benno

2018-02-08  Henning Brauer
show current synflood detection watermarks in pfctl -vsi, for the lack of a more appropriate place. ok claudio benno procter

2018-02-06  Henning Brauer
allow control over syncookies: set syncookies never/always/adaptive

2017-11-25  Alexandr Nedvedicky
- pfctl fails to handle nested 'load anchor' properly
[ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ] OK bluhm@

2017-09-26  Alexandr Nedvedicky
- pfctl always prints warning when flushes ruleset
OK mikeb@

2017-09-05  Alexandr Nedvedicky
- split pf_find_or_create_ruleset() to smaller chunks.
tested by Hrvoje OK mpi@, OK bluhm@

2017-08-11  Sebastian Benoit
add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@ ok florian@ henning@

2017-07-19  Mike Belopuhov
Allow HFSC classes to use flow queues
The FQ-CoDel related configuration (flows, quantum) becomes available for the regular bandwidth queue. Internally the kernel will pick the FQ-CoDel for use as a queue manager for the specified class instead of the FIFO. Discussed with and OK henning@ at d2k17 as a part of a larger diff.

2017-07-19  Mike Belopuhov
Rework HFSC vs FQ-CoDel checks
The selection mechanism introduced in pf_ioctl.c -r1.316 suffers from being too ambiguous and lacks robustness. Instead of relying on composition of multiple flags in the queue specification, it's easier to identify the root class (if it exists) and derive all further checks from it.

2017-06-16  Adam Wolk
pfctl: merge identical if conditions and void functions discarding ret values
Transform the following functions (which never return anything other than 0, and whose return value is never used) to void:
* pfctl_clear_stats, pfctl_clear_interface_flags, pfctl_clear_rules, pfctl_clear_src_nodes, pfctl_clear_states
* pfctl_kill_src_nodes, pfctl_net_kill_states, pfctl_label_kill_states, pfctl_id_kill_states, pfctl_key_kill_states
inside main: merge two identical if conditions next to each other into one. Submitted by rain1 (thanks!) with additional credit to:
- mikeb@ for pointing out we can void all _clear_ functions
- ghostyy for pointing out all _kill_ functions can be voided
OK tb@, mikeb@

2017-05-30  Henning Brauer
fix a comment

2017-05-15  Mike Belopuhov
Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)
OK sthen, visa

2017-04-26  Mike Belopuhov
Perform H-FSC root queue allocation in the kernel
Since only leaf queues can have packets assigned to them, H-FSC requires the user specified root queue to have a parent. To simplify userland tools and the configuration interface, the kernel can be leveraged to set it up. ok henning

2017-04-23  Jason McIntyre
oops, this was meant to be committed with the pfctl.8 change:
sync usage() with SYNOPSIS;

2017-04-21  YASUOKA Masahiko
Add "key" modifier for -k so that pfctl can kill a state by specifying the key of the state. ok sasha

2017-03-27  Sebastian Benoit
rather than printing the wrong function name, don't print it at all.
found by Klemens Nanni

2017-01-26  Sebastian Benoit
Select the routing domain to be used for kill states by host or by label, by adding a -V <rdomain> option. written by Bertrand Provost, provost DOT bertrand AT gmail DOT com, thanks. ok florian@, with feedback from florian and jmc.

2016-09-03  Jeremie Courreges-Anglas
err->errx, errno info is not related to the failure mode
ok mikeb@

2016-09-03  Alexandr Nedvedicky
pfctl mixes up anchorname with anchorpath
OK mikeb@

2016-09-03  Alexandr Nedvedicky
Let the purge thread remove once rules, not packets.
Thanks mikeb@ for idea to add expire time. OK mpi@, OK mikeb@

2016-01-14  Henning Brauer
detect multiple root queues on a single interface and give a nice error message - beats "pfctl: DIOCXCOMMIT: Invalid argument". from Nathanael Rensen <nathanael at list.polymorpheus.com>, 10x! ok sthen phessler, commit reminder mikeb