Age | Commit message | Author |
|
marking the function "static". Use OSFP_DEBUG, in a similar
fashion to OPT_DEBUG (pfctl_optimize.c).
OK bluhm@
|
|
This reduces the diff with usr.sbin/tcpdump/pfctl_osfp.c. The change
from tcpdump is newer, so change pfctl. No binary change.
OK deraadt@
|
|
Reported by Carl Mascott, thanks! OK sthen
|
|
|
|
OK sthen, visa
|
|
|
|
Since only leaf queues can have packets assigned to them,
H-FSC requires the user specified root queue to have a
parent. To simplify userland tools and the configuration
interface, the kernel can be leveraged to set it up.
ok henning
|
|
sync usage() with SYNOPSIS;
|
|
and do not try to do all the documenting in SYNOPSIS/usage();
ok deraadt
|
|
the key of the state.
ok sasha
|
|
|
|
found by Klemens Nanni
|
|
|
|
label, by adding a -V <rdomain> option.
written by Bertrand Provost, provost DOT bertrand AT gmail DOT com, thanks.
ok florian@, with feedback from florian and jmc.
|
|
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
|
parser cannot handle that correctly and it is unclear whether the
kernel code would work. Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@
|
|
as broadcast address. The kernel does not consider this a broadcast
address and ifconfig(8) has a check to exclude it. Use the same
check in pfctl(8).
Found by regress/sbin/pfctl pfi2; OK mikeb@
|
|
ok mikeb@
|
|
OK mikeb@
|
|
Thanks mikeb@ for idea to add expire time.
OK mpi@, OK mikeb@
|
|
ok deraadt@
|
|
Spotted by the Echelon team with AppChecker static analyzer.
ok sashan@
|
|
|
|
noticed since struct node_queue stayed. ok claudio benno gcc
|
|
condition in the if statement more readable while I'm there.
ok phessler@, benno@, florian@
|
|
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@
|
|
the pf.conf parser allows it, which leads to a non-working configuration
being loaded.
this changes the parser to make pass out .. af-to an error.
ok henning@ mikeb@
|
|
with this,
anchor foo {
include "/path/to/rules"
}
works and "load anchor" is obsolete, to be removed somewhen later after
release.
co-production with reyk at bsdcan, ok reyk mikeb benno sasha
|
|
message - beats "pfctl: DIOCXCOMMIT: Invalid argument".
from Nathanael Rensen <nathanael at list.polymorpheus.com>, 10x!
ok sthen phessler, commit reminder mikeb
|
|
pf.conf. Change this before upgrade or pf.conf won't load.
florian@ henning@ phessler@ jung@
|
|
|
|
pfctl(8) did for the old queues.
ok sashan@ sthen@
|
|
|
|
Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>
ok jung@, ok mikeb@
|
|
|
|
Tweak pfctl to respect the rule ID parameter (-R) specified
along with the show states (-s states) option to filter out
states that are not associated with a given rule from the
output.
ok sthen, benno
|
|
is non-portable. Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@
|
|
ok henning
|
|
|
|
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.
Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesn't like it he can change it when he recovers from jet-lag"
|
|
i.e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan
|
|
ok mikeb
|
|
ports is ready, <net/pfvar.h> will stop including a pile of baloney.
|
|
ok mikeb
|
|
|
|
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)
|
|
This finally allows using source-hash for dynamic loadbalancing, e.g.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.
An older pre-siphash version of this diff was tested by many people.
OK tedu@ benno@
|
|
limit and the requested value.
OK henning@
|
|
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
|
ok mikeb
|