Age | Commit message | Author |
|
DIOCADDRULE EBUSY turns into an error message that pfctl -n catches.
DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported
to occur, possibly from hfsc.c: this should be fixed as well.
ok henning mikeb sthen
|
overlooked in the previous commit
|
This lets us do the checks only once and also make smarter decisions
about the rule's own address family. As a result af-to rules no longer
need to specify the address family after 'pass'.
ok henning
|
In particular, disallow specifications containing addresses of
different address families when the rule doesn't specify one, for
example "pass out nat-to { ::1 1.1.1.1 }" will now produce an
error instead of silently picking one of the addresses.
sthen and deraadt agree
|
is in a valid range.
OK henning@
|
ok deraadt millert
|
(i was convinced i committed that yesterday already, hrm)
|
ok henning@ mikeb@
|
wildcard path ("ftp-proxy/*"), but make sure to call it after we're
done with the ruleset for the current anchor. On one hand this
repairs printing content of such anchors and on the other it allows
using a wildcard on the command line for anchors that were not
initially specified with a wildcard. Makes pfctl regress happy
again. OK henning, deraadt
|
commits.
ok henning@
|
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
allows things like
block out on $someif received-on any
to prevent packets from being forwarded to $someif
|
found by millert@, ok deraadt@
|
Careful second audit by millert
|
tested by naddy, ok deraadt
|
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@@ring0.de>, analysis & fix yours truly
|
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen
|
the state file before returning.
ok henning
|
and instead rely on the one provided by the same function just
a few lines below.
ok lteo henning
|
print out anchor rules recursively; unbreaks pf1.loaded regress test.
ok lteo, henning
|
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance-wise this change provides a speed-up
factor of 20 with an 11k line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).
"wow!" henning, ok benno, florian
|
SYNOPSIS suggests no options are necessary, in fact a minimum of one
is required;
ok henning
|
ok henning
|
what happens when a broken pf config is encountered, both generally
and at system startup;
ok henning
|
While here, fix pf table displays to fit within 80 chars.
Manpage input jmc@
ok henning@ reyk@
|
ok ryan
|
ok sthen
|
value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning
|
into the set block. so make pfctl accept, print and the manpage document
. match set queue foo
instead of
. match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc
|
reorder rules incorrectly, i.e.:
pass rtable 2
pass from 10/16 rtable 0
pass from 10.1/16 rtable 1
so with this ruleset a packet from 10/16 will end up in rtable 0.
now let's see what pfctl makes out of it, with default optimization:
<brahe@tachi> pfctl $ pfctl -nvf t.conf
pass inet from 10.0.0.0/16 to any flags S/SA rtable 0
pass inet from 10.1.0.0/16 to any flags S/SA rtable 1
pass all flags S/SA rtable 2
OOPS! a packet from 10/16 will end up in rtable 2 now.
found by phessler, fix by yours truly, from EuroBSDcon
ok beck phessler benno mikeb sthen
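The mis-ordering above, as an added example that is not part of OpenBSD's pfctl or of the commit itself: a small C model of pf's last-match-wins evaluation with a toy reordering step, run once unguarded (reproducing the wrong rtable from the commit message) and once guarded so that rules differing in rtable are never swapped. The struct layout and the names rules_may_swap and reorder are hypothetical simplifications, and the sample packet address is constructed.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

/* Simplified, hypothetical stand-in for a pf rule: source prefix + rtable. */
struct rule {
	uint32_t net;    /* source network, host byte order; ignored when plen == 0 */
	int      plen;   /* prefix length; 0 means "from any" */
	int      rtable; /* rtable the packet is put in when this rule wins */
};

uint32_t ip4(int a, int b, int c, int d)
{
	return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Does the packet's source address fall inside the rule's prefix? */
static bool rule_matches(const struct rule *r, uint32_t src)
{
	if (r->plen == 0)
		return true;
	uint32_t mask = ~((1u << (32 - r->plen)) - 1u);
	return (src & mask) == (r->net & mask);
}

/* pf evaluates the whole ruleset; without "quick" the last matching rule wins. */
int last_match_rtable(const struct rule *rs, size_t n, uint32_t src)
{
	int rt = -1; /* -1: no rule matched */
	for (size_t i = 0; i < n; i++)
		if (rule_matches(&rs[i], src))
			rt = rs[i].rtable;
	return rt;
}

/* Hypothetical guard in the spirit of the fix: two neighbouring rules may only
 * be swapped if every action field that decides the packet's fate (here just
 * rtable) is identical, otherwise the swap changes which rule wins last. */
bool rules_may_swap(const struct rule *a, const struct rule *b)
{
	return a->rtable == b->rtable;
}

/* Toy reordering step: bubble more specific prefixes ahead of less specific
 * ones. guarded == false mimics the buggy behaviour from the commit message,
 * guarded == true refuses swaps that would change the result. */
void reorder(struct rule *rs, size_t n, bool guarded)
{
	for (size_t pass = 0; pass + 1 < n; pass++)
		for (size_t i = 0; i + 1 < n; i++) {
			if (rs[i].plen >= rs[i + 1].plen)
				continue;
			if (guarded && !rules_may_swap(&rs[i], &rs[i + 1]))
				continue;
			struct rule t = rs[i];
			rs[i] = rs[i + 1];
			rs[i + 1] = t;
		}
}

static void show(const char *label, const struct rule *rs, size_t n)
{
	uint32_t src = ip4(10, 0, 5, 5); /* constructed sample packet from 10/16 */
	printf("%-10s packet from 10.0.5.5 -> rtable %d\n", label,
	    last_match_rtable(rs, n, src));
}

int main(void)
{
	/* The ruleset from the commit message:
	 *   pass rtable 2 / pass from 10/16 rtable 0 / pass from 10.1/16 rtable 1 */
	struct rule orig[] = {
		{ 0,                 0, 2 },
		{ ip4(10, 0, 0, 0), 16, 0 },
		{ ip4(10, 1, 0, 0), 16, 1 },
	};
	size_t n = sizeof orig / sizeof orig[0];
	struct rule bad[3], good[3];
	memcpy(bad, orig, sizeof orig);
	memcpy(good, orig, sizeof orig);
	reorder(bad, n, false);  /* ends up: 10/16, 10.1/16, all -> rtable 2 */
	reorder(good, n, true);  /* order preserved -> rtable 0 */
	show("original", orig, n);
	show("unguarded", bad, n);
	show("guarded", good, n);
	return 0;
}
```

The practical check against the real tool is the one the commit message shows: load with `pfctl -nvf` and compare the printed rule order with the file, or load with `-o none` to disable the optimizer when the ordering of rules with differing rtable, route-to or similar actions must survive exactly.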
|
route-to with any other scheduling algorithms than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, e.g. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.
Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.
ok zinke@
|
ok jmc
|
ok mikeb henning beck
|
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb
|
From Hrvoje Popovski via Florian Obser, ok henning
|
whenever you see (flags >= ONE_OF_THE_FLAGS), run. that must break sooner
or later.
|
family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6"
there.
OK henning@ mikeb@
|
+ XXX comment as reminder to clean this up for good
|
brought up by ryan, discussed with him and theo and they convinced me
|