| Age | Commit message (Collapse) | Author |
|---|
|
|
|
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@
|
|
|
|
ok dhartmei@ markus@ mcbride@
|
|
|
|
|
|
ok deraadt@ henning@
|
|
1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.
2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.
3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"
4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.
5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.
6) The dynamic interface syntax (foo) has been vastly improved, and
now support multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"
7) Scrub rules now support the !if syntax.
8) States can be bound to the specific interface that created them or
to a group of interfaces for example:
- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)
9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.
10) "pfctl -ss" will now print the interface scope of the state.
This diff change the pf_state structure slighltly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)
Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel
ok deraadt@ mcbride@
|
|
|
|
int is not the same as u_long
caused an integer overflow on our 64 bit archs and thus made pf not working
there
ok mcbride@ marc@ millert@ cedric@
|
|
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remain in the kernel). Basically, improvements are:
- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fail.
- Commit is now done in a single atomic IOCTL.
WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.
The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):
- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE
They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:
- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK
Ok dhartmei@ mcbride@
|
|
Add a warning on global/anchor name clashes to help prevent mistakes from our
users during the 3.3 -> 3.4 switch.
ok henning@
|
|
Make table tickets u_int32_t for consistency with other parts of PF.
Ok dhartmei@ henning@
|
|
|
|
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.
I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)
ok dhartmei@ henning@
|
|
ok dhartmei@
|
|
ok dhartmei@
|
|
The following two pfctl functions work with an "-a" option:
- pfctl [-a foo[:bar]] -sT
- pfctl [-a foo[:bar]] -FT
ok dhartmei@
|
|
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@
|
|
of dintinct bw_percent
|
|
outside pfctl_altq.c uses them any more, nor should.
|
|
qid_to_qname is not used anywhere. moreover, I cannot think of any
legitimate use; misuse is easy tho.
|
|
altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two }
queue one priority 1 priq(default)
queue two on $if0 priority 15
queue two on ! $if0 priority 0
ok dhartmei@
|
|
from David Hill <david at phobia.ms> a while ago
|
|
when looking up the queue IDs using qname_to_qid, we do not need to limit
the matching on the interface in question, as it is guaranteed that same
named queues on different interfaces habe the same queue id. moreover, we
must not limit the matches to the interface if we do not have an interface
given on the filter rule to match on ;-)
found after problems reported by Andre Nathan <andre at v2r dot com dot br>
ok dhartmei@ pb@ cedric@
|
|
print the bandwidth in percent instead of the calculated absolute value.
if a queue belongs to more than one interface and they have different
bandwidth the calculated absolute is of course different per interface.
previously the first calculated absolute value was shown; what of course is
incorrect on the second interface. note that only the print was wrong, the
correct values were passed to the kernel.
ok theo daniel
|
|
pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea
theo), very handy if your notebook has another NIC at some conference, as
well as for debugging etc.
idea rezine@mistrusted.net via pb@
hacked live at FOSDEM
ok pb@ dhartmei@ cedric@
|
|
cbq only for now.
|
|
|
|
ok dhartmei cedric henning
|
|
Shows the number of entries in the table or if the table is not active.
ok dhartmei@, no objections.
|
|
This commit is dedicated to the cute KLM girls who made part of this
possible with giving me a seat in the plane where you actually have enough
place to hack. Thanks, girls.
ok markus@ dhartmei@
|
|
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@
|
|
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@
|
|
|
|
from, but whoever thought of it is stupid.
|
