Age | Commit message | Author

and instead rely on the one provided by the same function just
a few lines below.
ok lteo henning

print out anchor rules recursively; unbreaks pf1.loaded regress test.
ok lteo, henning

that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance wise this change provides a speed up
factor of 20 with a 11k line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).
"wow!" henning, ok benno, florian

SYNOPSIS suggests no options are necessary, in fact a minimum of one
is required;
ok henning

ok henning

what happens when a broken pf config is encountered, both generally
and at system startup;
ok henning

While here, fix pf table displays to fit within 80 chars.
Manpage input jmc@
ok henning@ reyk@

ok ryan

ok sthen

value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning

into the set block. so make pfctl accept, print and the manpage document
. match set queue foo
instead of
. match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc

reorder rules incorrectly, i.e.:
pass rtable 2
pass from 10/16 rtable 0
pass from 10.1/16 rtable 1
so with this ruleset a packet from 10/16 will end up in rtable 0.
now let's see what pfctl makes out of it, with default optimization:
<brahe@tachi> pfctl $ pfctl -nvf t.conf
pass inet from 10.0.0.0/16 to any flags S/SA rtable 0
pass inet from 10.1.0.0/16 to any flags S/SA rtable 1
pass all flags S/SA rtable 2
OUPS! a packet from 10/16 will end up in rtable 2 now.
found by phessler, fix by your's truly, from EuroBSDcon
ok beck phessler benno mikeb sthen

route-to with any other scheduling algorithms than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, e.g. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.
Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.
ok zinke@

ok jmc

ok mikeb henning beck

"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb

From Hrvoje Popovski via Florian Obser, ok henning

whenever you see (flags >= ONE_OF_THE_FLAGS), run. that must break sooner
or later.

family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6"
there.
OK henning@ mikeb@

+ XXX comment as reminder to clean this up for good

brought up by ryan, discussed with him and theo and they convinced me

options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler

printed with port names if desired.
tcpdump's pf_print_state.c has diverged significantly from pfctl's, so
the change to tcpdump's pf_print_state.c is not exactly the same as
pfctl's.
ok henning sthen

the kernel has code to deal with set-tos and that crap. don't ask for
details. stuart ok

utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc

spotted by jmc@

names if desired.
ok henning

the interface in question to be there, breaking ruleset verification
From: Silamael <Silamael at coronamundi dot de>

ok mikeb henning

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.
positive review and comments from claudio, ok henning, sperreault

void function instead.
ok dlg

by bzero()ing the 'struct pfsync' properly.
ok dlg mpf

2/2 from Lawrence Teo <lteo at devio dot us>
ok sthen dlg and myself

1/2 from Lawrence Teo <lteo at devio dot us>
ok sthen dlg myself and gcc

The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@

ok henning, mcbride

ok henning