Age | Commit message | Author |
|
wildcard path ("ftp-proxy/*"), but make sure to call it after we're
done with the ruleset for the current anchor. On one hand this
repairs printing content of such anchors and on the other it allows
to use a wildcard on the command line for anchors that were not
initially specified with a wildcard. Makes pfctl regress happy
again. OK henning, deraadt
|
|
commits.
ok henning@
|
|
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
|
allows things like
block out on $someif received-on any
to prevent packets to get forwarded to $someif
|
|
|
|
|
|
found by millert@, ok deraadt@
|
|
Careful second audit by millert
|
|
tested by naddy, ok deraadt
|
|
|
|
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@@ring0.de>, analysis & fix yours truly
|
|
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen
|
|
the state file before returning.
ok henning
|
|
and instead rely on the one provided by the same function just
a few lines below.
ok lteo henning
|
|
print out anchor rules recursively; unbreaks pf1.loaded regress test.
ok lteo, henning
|
|
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance wise this change provides a speed up
factor of 20 with a 11k line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).
"wow!" henning, ok benno, florian
|
|
SYNOPSIS suggests no options are necessary, in fact a minimum of one
is required;
ok henning
|
|
ok henning
|
|
what happens when a broken pf config is encountered, both generally
and at system startup;
ok henning
|
|
|
|
|
|
While here, fix pf table displays to fit within 80 chars.
Manpage input jmc@
ok henning@ reyk@
|
|
ok ryan
|
|
|
|
ok sthen
|
|
|
|
|
|
value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning
|
|
into the set block. so make pfctl accept, print and the manpage document
. match set queue foo
instead of
. match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc
|
|
|
|
reorder rules incorrectly, i.e.:
pass rtable 2
pass from 10/16 rtable 0
pass from 10.1/16 rtable 1
so with this ruleset a packet from 10/16 will end up in rtable 0.
now let's see what pfctl makes out of it, with default optimization:
<brahe@tachi> pfctl $ pfctl -nvf t.conf
pass inet from 10.0.0.0/16 to any flags S/SA rtable 0
pass inet from 10.1.0.0/16 to any flags S/SA rtable 1
pass all flags S/SA rtable 2
OUPS! a packet from 10/16 will end up in rtable 2 now.
found by phessler, fix by yours truly, from EuroBSDcon
ok beck phessler benno mikeb sthen
|
|
route-to with any other scheduling algorithms than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, eg. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.
Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.
ok zinke@
|
|
ok jmc
|
|
ok mikeb henning beck
|
|
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb
|
|
From Hrvoje Popovski via Florian Obser, ok henning
|
|
|
|
whenever you see (flags >= ONE_OF_THE_FLAGS), run. that must break sooner
or later.
|
|
family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6"
there.
OK henning@ mikeb@
|
|
+ XXX comment as reminder to clean this up for good
|
|
brought up by ryan, discussed with him and theo and they convinced me
|
|
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler
|
|
printed with port names if desired.
tcpdump's pf_print_state.c has diverged significantly from pfctl's, so
the change to tcpdump's pf_print_state.c is not exactly the same as
pfctl's.
ok henning sthen
|
|
the kernel has code to deal with set-tos and that crap. don't ask for
details. stuart ok
|
|
utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc
|
|
spotted by jmc@
|
|
names if desired.
ok henning
|
|
|
|
|
|
the interface in question to be there, breaking ruleset verification
From: Silamael <Silamael at coronamundi dot de>
|