Age | Commit message | Author |
|
by numeric ID in combination with the "-s rules" or "-s labels" options.
For example, this allows you to dump the statistics of a specified rule
only (pfctl -sr -v -R 0).
ok henning@
|
|
written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!
ok henning@
|
|
to recursively print anchors with wildcards when not
requested via the command line but in practice only
applied to automatically generated inline anchors
(which don't have wildcards) or when recursion
was requested.
Found by the clang static analyser and behaviour explained
by mcbride@
ok henning@ mcbride@
|
|
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.
tested by phessler
ok henning
|
|
ok mcbride
|
|
- 'make -Fi' reset ALL the interface statistics
can be restricted with -i ifname
- 'make -Fa -i ifname' fail (it's meaningless)
- get rid of a silly little struct that's only used for one thing
ok henning
|
|
it is violating the transactional model we have and made stronger in
pf, it is broken in some cases and since some options are passed to the
kernel while some are userland only and affect how the rules are
parsed it is complete bullshit anyway - obviously, changing options
that affect ruleset parsing without reloading and thus reparsing the
ruleset cannot work. so stop pretending it could and cut the crap.
ok dlg krw deraadt
|
|
ALTQ transactions when anchors are loaded.
Fixes pfctl when using 'load anchor ... from' as seen by beck@
and Toni Mueller, which stopped working after r1.295 removed loadopt
(which was overloaded to do this job as well as indicate command-
line flags).
ok henning@
|
|
the partial loading of a ruleset (leaving anchors aside) is wrong and
conflicts with the general idea of how pf works. last but not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc
|
|
definition of DPFPRINTF(), and log priorities from syslog.h. Old debug
levels will still work for now, but will eventually be phased out.
discussed with henning, ok dlg
|
|
ok mcbride@ henning@
|
|
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.
Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.
ok henning dlg claudio
|
|
|
|
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing
|
|
which unbreaks i.e. route-to after the recent pf changes.
With much help debugging and pointing out of missing bits from claudio@
ok claudio@ "looks good" henning@
|
|
|
|
inspired by the short reboot times on an rb600a provided by stephan
rickauer.
testing and bugfixing by sthen@
ok mcbride@ sthen@
|
|
|
|
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too
|
|
the ``do { ... } while (0)'' construct.
ok henning, from Frederic Culuot <frederic _at_ culot.org>
|
|
since all this stuff is transactional now we need to wrap that into
DIOCXBEGIN/COMMIT.
bad henning forgot to commit this chunk at c2k9
|
|
since the DIOCSETREASS ioctl is called on every ruleset load and was
overriding the initial setting in pfattach(). Fix setting of the global
no-df bitmask as well.
ok henning@
|
|
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i.e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i.e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.
|
|
looked at post-release -- out of time for these kinds of problems
david@ says: pfopt6 and f91.ok; pfopt6 change looks ok, but pf91 is
of concern.
|
|
|
|
|
|
From: Gleydson Soares <gsoares@gmail.com>, ryan ok
|
|
pf_ioctl.c r1.196.
|
|
Fix printing of the state id in pfctl -ss -vv.
Remove the psnk_af hack to return the number of killed states.
OK markus, beck. "I like it" henning, deraadt.
Manpage help from jmc.
|
|
It shows up in pfctl verbose mode and in the 7th field of the labels
output. Also remove the label printing for scrub rules, as they
do not support labels.
OK dhartmei@ (on an earlier version), henning@, mcbride@
|
|
ok henning@
|
|
sys/dev/pci/pciide.c from naddy@
|
|
yuck & ok henning@
|
|
|
|
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.
|
|
since only the first letter matters in the end and state still matches
states since we do strncmp this does not change existing behaviour and
just allows plural states to be used as well.
pt out by Tom Van Looy <tom@ctors.net>
|
|
ok henning@ toby@ pyr@
|
|
|
|
is invalid now, it doesn't serve any purpose any more anyway since that is
the default. ok mcbride
|
|
to reflect this;
whilst there i had to wrap -t in Xo/Xc to stop line split,
and i zapped some extra whitespace in usage();
fixes user/5441 from sthen
|
|
ok deraadt henning
|
|
|
|
to 200,000 instead of the conservative 100,000; ok dhartmei beck
tested by ckuethe
|
|
|
|
with -z instead of DIOCCLRRULECTRS. Unbreaks -z with anchors and makes the
read & reset operation atomic.
instrument pfctl_show_rules() to clear counters while reading rules and
add a new output format for it, showing nothing, if only resetting counters
without actually displaying them is requested. minor cleanups on the way.
ok dhartmei & agreement from theo and ryan
|
|
"pfctl -t tablename -T expire 3600" would expire all entries in the given
table that are older than 3600 seconds. ok dhartmei, manpage help & ok jmc
|
|
-k argument for killing states; From Berk D. Demir <bdd@mindcast.org>
ok dhartmei henning
|
|
|
|
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.
ok deraadt@
|
|
contains rules. Fixes DIOCXCOMMIT: Device busy when multiple anchors with
the same name are specified.
reported by ckuethe@ and mkb@crypt.org.ru
|