Age | Commit message | Author |
|
There is no reason to continue on anchor specific paths if the given
anchor does not exist.
OK sashan
|
|
Missed in previous
|
|
pf(4) returns EINVAL for DIOCGETRULE, DIOCGETRULES and DIOCGETRULESET if
the specified anchor does not exist.
Extend and rename {pfr -> pf}_strerror() to make error message more
consistent.
There are other occasions as well but those need additional tweaks;
that's stuff for another diff.
OK and rename from sashan
|
|
OK sashan
|
|
recursive operation ("pfctl -a '*' ...") works for '-s' option already. This
change enables the same thing for '-F' option, so "pfctl -a '*' -Fa" will flush
everything from PF driver.
The idea was discussed with many on tech@ in spring 2019.
OK kn@
|
|
|
|
(bug found and fix tested by Jesper Wallin)
OK deraadt OK kn
|
|
Prompted by and OK deraadt
|
|
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
|
|
(discussed with many at tech@)
OK deraadt@, kn@, sthen@, tedu@
|
|
parse.y revision 1.682 from 16.07.2018 erroneously allowed `match once' and
`anchor "a" once'.
Fix both by checking for PF_DROP not PF_MATCH and creating anchors in the
parser already such that they can be used to distinguish anchor rules in
the same check as well.
Found and fixed by Petr Hoffmann <petr.hoffmann at oracle dot com>, thanks!
While here, remove an unneeded cast and make pfctl_add_rule() void as it
always returned 0.
OK sashan
|
|
pfioc_src_nodes to size_t. This avoids integer truncation by casts
to unsigned. As the types of DIOCGETSTATES and DIOCGETSRCNODES
ioctl(2) arguments change, pfctl(8) and systat(1) should be updated
together with the kernel. Calculate number of pf(4) states as
size_t in userland.
OK sashan@ deraadt@
|
|
The parser would allow bogus input and sometimes even produce invalid rules
on empty anchor names, so error out immediately.
OK sashan
|
|
Recently introduced in pfctl_parser.c r1.333, this helper nicely
simplifies code when copying IPs based on their address family, so use
it in five other places when killing state or source node entries.
All addresses copied in these code paths result from either
pfctl_parse_host() or pfctl_addrprefix() which guarantee the address
family set to AF_INET or AF_INET6. Therefore, effectively relaxing the
case of unhandled families from errx(3) in callers to warnx(3) in
copy_satopfaddr() is safe since it's never reached.
OK sashan
|
|
Either disable DNS or enable additional reverse lookups, but not both.
OK benno
|
|
Killing source tracking or state entries by hostname or CIDR would pass
given keys twice to getaddrinfo(3): once to resolve/parse and again to
parse the numerical address in case a prefix was specified.
Avoid this overhead by making pfctl_addrprefix() resolve, pass and mask
in one go and return the list of IPs to the callers. This notably
simplifies both logic and sanity checks around prefix length and address
family.
While here, also pass -N along such that -k and -K can be restricted to
not use DNS.
Discussed with procter sashan, OK sashan
|
|
Tweak spacing while here, no object change.
Feedback and OK procter, OK scheloha
|
|
Flushing all filter parameters does not make sense on one specific
interface only as already noted. However, the main ruleset as well as
all tables were still cleared on such invalid usage.
Furthermore, an empty interface name was treated like no interface at
all, hence source tracking entries, statistics and interface flags were
cleared also.
Immediately error out if `-i' is given regardless of its argument before
flushing anything.
OK sashan
|
|
collisions with global tables, but only in certain cases and with
limited information sometimes leaving users clueless.
Deferring the check to process_tabledefs() where tables are eventually
created, both anchor and table name are known which allows for checking
all existing anchors.
With this, warn on all duplicates even in dry-runs (`-n') and print
quoted names so they can be copied to fix configurations right away.
No functional change in parsing or ruleset production.
Discussed with and OK sashan
|
|
Killing source tracking entries per interface does not make sense and
`-i interface' along with `-K key' is completely ignored anyway.
There since import in 2006, probably just copy/pasta.
OK sashan
|
|
Table name and table command require each other as reflected in the
synopsis [-t table -T command [address ...]], so print usage and exit if
only one of them is given.
By moving the inter-dependence check right after option parsing is done,
we can bail out even before opening pf(4) and drop the internal wrapper
pfctl_command_tables() as unneeded indirection with now duplicate checks.
OK sashan
|
|
These are in <net/pfvar.h> already.
OK sashan
|
|
With r1.358 I simplified anchor handling but also broke semantics with
regard to tables:
# pfctl -a aname -t tname -T show
pfctl: anchors apply to -f, -F and -s only
Unbreak this by checking for table commands as well.
OK bluhm
|
|
|
|
`pfctl -a foo' would do nothing with the non-existent anchor and exit 0.
This implements behaviour as documented in pfctl(8):
-a anchor
Apply flags -f, -F, and -s only to the rules in the specified
anchor.
While here, hoist a duplicate "_" check by using the more mnemonic `mode'.
OK henning sashan
|
|
|
|
Tiny left over from 2003 when it was removed. Twist the logic by checking
for `show' and `test' to make it even simpler.
OK sashan henning
|
|
|
|
syncookies are set to adaptive tunable, ok claudio benno
|
|
of a more appropriate place. ok claudio benno procter
|
|
|
|
[ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]
OK bluhm@
|
|
OK mikeb@
|
|
tested by Hrvoje
OK mpi@, OK bluhm@
|
|
manpage wording and reminder about usage() jmc@
ok florian@ henning@
|
|
The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue. Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.
Discussed with and OK henning@ at d2k17 as a part of a larger diff.
|
|
The selection mechanism introduced in pf_ioctl.c -r1.316 suffers
from being too ambiguous and lacks robustness. Instead of relying
on composition of multiple flags in the queue specification, it's
easier to identify the root class (if it exists) and derive all
further checks from it.
|
|
Transform the following functions (which never return anything other than 0, and
whose return value is never used) to void:
* pfctl_clear_stats, pfctl_clear_interface_flags, pfctl_clear_rules,
pfctl_clear_src_nodes, pfctl_clear_states
* pfctl_kill_src_nodes, pfctl_net_kill_states, pfctl_label_kill_states,
pfctl_id_kill_states, pfctl_key_kill_states
inside main: merge two identical if conditions next to each other into one.
Submitted by rain1 (thanks!) with additional credit to:
- mikeb@ for pointing out we can void all _clear_ functions
- ghostyy for pointing out all _kill_ functions can be voided
OK tb@, mikeb@
|
|
|
|
OK sthen, visa
|
|
Since only leaf queues can have packets assigned to them,
H-FSC requires the user specified root queue to have a
parent. To simplify userland tools and the configuration
interface, the kernel can be leveraged to set it up.
ok henning
|
|
sync usage() with SYNOPSIS;
|
|
the key of the state.
ok sasha
|
|
found by Klemens Nanni
|
|
label, by adding a -V <rdomain> option.
written by Bertrand Provost, provost DOT bertrand AT gmail DOT com, thanks.
ok florian@, with feedback from florian and jmc.
|
|
ok mikeb@
|
|
OK mikeb@
|
|
Thanks mikeb@ for idea to add expire time.
OK mpi@, OK mikeb@
|
|
message - beats "pfctl: DIOCXCOMMIT: Invalid argument".
from Nathanael Rensen <nathanael at list.polymorpheus.com>, 10x!
ok sthen phessler, commit reminder mikeb
|
|
pf.conf. Change this before upgrade or pf.conf won't load.
florian@ henning@ phessler@ jung@
|