| Age | Commit message (Collapse) | Author |
|---|
|
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?
|
|
|
|
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.
tested by phessler
ok henning
|
|
will be getting cleaned up soon.
ok henning
|
|
ok mcbride
|
|
ok henning@ krw@
|
|
- 'make -Fi' reset ALL the interface statistics
can be restricted with -i ifname
- 'make -Fa -i ifname' fail (it's meaningless)
- get rid of a silly little struct that's only used for one thing
ok henning
|
|
it is violating the transactional model we have and made stronger in
pf, it is broken in some cases and since some options are passed to the
kernel while some are userland only and affect how the rules are
parsed it is complete bullshit anyway - obviously, changing options
that affect ruleset parsing without reloading and thus reparsing the
ruleset cannot work. so stop pretending it could and cut the crap.
ok dlg krw deraadt
|
|
program does not free(3) it.
|
|
ALTQ transactions when anchors are loaded.
Fixes pfctl when using 'load anchor ... from' as seen by beck@
and Toni Mueller, which stopped working after r1.295 removed loadopt
(which was overloaded to do this job as well as indicate command-
line flags).
ok henning@
|
|
|
|
the partial loading of a ruleset (leaving ancors aside) is wrong and
conflicts with the general idea of how pf works. last not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc
|
|
need to free it with free(3).
from zinovik
|
|
Found by Marcus Muelbuesch. ok henning@
|
|
definition of DPFPRINTF(), and log priorities from syslog.h. Old debug
levels will still work for now, but will eventually be phased out.
discussed with henning, ok dlg
|
|
ok mcbride
|
|
|
|
ok mcbride@ henning@
|
|
address family is selected; don't print the v6 mask if it's a v4 address.
|
|
tests for illegal conditions in translation/routing.
|
|
collapsing into tables, so that we can handle all possible address family
expansions.
|
|
like a dynamic one in the routespec.
|
|
|
|
Fix binat-to sanity checks.
|
|
|
|
- purge irrelevant addresses from the lists before collapsing
- ensure the lists are freed after they're collapsed
- more careful ifname copying, avoiding double-free / use-after-free traps
|
|
|
|
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.
Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.
ok henning dlg claudio
|
|
lookahead in the parser
ok henning otto
|
|
10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1. How long this bug has
been with us is unclear.
ok guenther mcbride
|
|
as neither arrayified not arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.
ok jmc@
|
|
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:
pass out on em0 from $foo to $bar received-on fxp0
ive been running this in production for a week now. i find it particularly
usefull with interface groups.
no objections, and a few "i like"s from henning, claudio, deraadt, mpf
|
|
the original approach using a source tracking node.
the reimplementation i smore flexible than the original one, we now have an
slist of source tracking nodes per state. that is cheap because more than
one entry will be an absolute exception.
ok beck and jsg, also stress tested by Sebastian Benoit <benoit-lists at fb12.de>
|
|
|
|
|
|
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing
|
|
expanded version of a diff from Vadim Zhukov.
ok henning@ claudio@
|
|
tables on top of a rdomain) but until now our code was a crazy mix so that
it was impossible to correctly use rtables in that case. Additionally pf(4)
only knows about rtables and not about rdomains. This is especially bad when
tracking (possibly conflicting) states in various domains.
This diff fixes all or most of these issues. It adds a lookup function to
get the rdomain id based on a rtable id. Makes pf understand rdomains and
allows pf to move packets between rdomains (it is similar to NAT).
Because pf states now track the rdomain id as well it is necessary to modify
the pfsync wire format. So old and new systems will not sync up.
A lot of help by dlg@, tested by sthen@, jsg@ and probably more
OK dlg@, mpf@, deraadt@
|
|
which unbreaks ie route-to after the recent pf changes.
With much help debugging and pointing out of missing bits from claudio@
ok claudio@ "looks good" henning@
|
|
that the load balancing code does not freak out but because of this
check_netmask() is now complaining. So set the addr.type to PF_ADDR_DYNIFTL
so check_netmask() is fixing up the netmask for IPv4 and stops complaining.
This is a partial fix for the failing regress test 13.
found with jsg, looks good henning
|
|
|
|
- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.
The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).
The pf syntax is pretty simple, e.g.:
pass on em0 inet proto tcp from any to any port 80 divert-packet port 1
A lot of discussion have happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who spotted out which are the limitations of this approach.
OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.
discusses with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@
|
|
|
|
inspired by the short reboot times on an rb600a provided by stephan
rickauer.
testing and bugfixing by sthen@
ok mcbride@ sthen@
|
|
Sorry.
|
|
- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.
The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).
The pf syntax is pretty simple, e.g.:
pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000
test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.
|
|
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. this simplifies the migration from old
binat rules and is less error-prone.
feedback from many, manpage bits from jmc@
ok henning@
|
|
|
|
ok henning@ (sorry)
|
|
found by sthen@
ok henning@
|
