| Age | Commit message (Collapse) | Author |
|---|
|
In r1.39 I removed the `af' parameter from `unmask()' but accidently zapped
the macro's closing paranthese.
Since DEBUG() is needlessly under an OPT_DEBUG guard, this was not
effecting normal builds.
Add the missing ')' and remove the ifdef.
OK sashan
|
|
Table name and table command require each other as reflected in the
synopsis [-t table -T command [address ...]], so print usage and exit if
only one of them is given.
By moving the inter-dependence check right after option parsing is done,
we can bail out even before opening pf(4) and drop the internal wrapper
pfctl_command_tables() as unneeded indirection with now duplicate checks.
OK sashan
|
|
There since import and last used by ALTQ which henning removed in 2004.
OK sashan
|
|
pf.conf(5)'s TABLE section explains it, but lets be clear about it in the
table command descriptions, too.
"go for it" jmc
|
|
These are in <net/pfvar.h> already.
OK sashan
|
|
"driver" is a left-over from earlier implementations.
Nowadays each driver such as lo(4) has it's respective interface group of
the same name ("lo"), but additional driver-independent groups exist, too:
# ifconfig lo0 group foo
# pfctl -s I -i foo
foo
lo0
OK henning
|
|
ok deraadt@
|
|
Zap trailing semicolon introduced with miko's cmdline_symset() leading to
unconditional err(3). Zap trailing tab while here.
|
|
|
|
(and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
|
Replace hardcoded 0 and implicit checks with enum as done in all other
use cases of `pfra_fback'. No object change.
OK sashan
|
|
With r1.358 I simplified anchor handling but also broke semantics with
regard to tables:
# pfctl -a aname -t tname -T show
pfctl: anchors apply to -f, -F and -s only
Unbreak this by checking for table commands as well.
OK bluhm
|
|
that are used for netmask, broadcast, and destination address. In
pfctl(8) take the family of the interface address and write it to
the other addresses. This fixes some bugs when copy_satopfaddr()
copied only part of IPv6 addresses. Print a warning if the address
family is unknown.
OK kn@
|
|
do repeated lookups. OK tb@
|
|
OK bluhm
|
|
I introduced this error with r1.330 while removing the af parameter from
unmask().
`pass inet from (lo0)/24' would result in `pass inet from (lo0)', sorry.
|
|
Left-over from pre-host_ip() times. While here, use __func__.
OK henning benno
|
|
Except for networks such as "10/8" host_ip() now handles addresses in an
AF-agnostic way with more duplicate code removed/merged.
OK sashan (as for earlier copy_satopfaddr() diff) henning
|
|
Move the same dance around v4/v6 for copying IP addresses from sockaddr
into pf_addr to avoid duplicate code and improve readability.
Feedback and OK bluhm
|
|
|
|
`pfctl -a foo' would do nothing with the non-existent anchor and exit 0.
This implements behaviour as documented in pfctl(8):
-a anchor
Apply flags -f, -F, and -s only to the rules in the specified
anchor.
While here, hoist a duplicate "_" check by using the more mnemonic `mode'.
OK henning sashan
|
|
|
|
|
|
henning@ removed this functionality years ago, see the share/man/man4/lo.4
revision 1.27.
OK jca claudio
|
|
Reduce differences address families and replace strlcpy() with simpler
if/else logic as done in print_addr_str().
OK sashan
|
|
This has been unused for years.
While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.
OK sashan
|
|
Instead of masking the host address in two different ways, just fill it
no matter the address family. In case of AF_INET, setting the extra 96 bit
does not hurt.
While here, stop resetting `af' for no reason and move up the variable
declaration.
OK benno sashan
|
|
Instead of doing the same dance with every caller, check for user provided
mask or address familiy specific maximum inside the function itself.
Feedback and OK claudio
|
|
This brings it in line with host() and host_dns().
OK sashan miko
|
|
This avoids a duplicate strrchr() call and makes the function consistent
with host_v6() regarding mask handling.
While here, use the destination's size in memcpy instead of hardcoding its
type.
OK sashan
|
|
Simply defer checks whether a mask has been specified to where it's set in
host_*(); this is to reduce address family specific code.
OK sashan
|
|
Get rid of the `cont' flag, zap obvious comments, add error label.
OK benno sashan
|
|
This is simpler than checking three cases for `q' and gives nicer error
messages. While here, use `v6mask' as maximum netmask instead of hardcoding
it.
OK sashan
|
|
This simply puts the wiggle around inet_ntop() from four into one location.
OK benno
|
|
`error' is not used so drop it and jump to the end.
OK sashan
|
|
Tiny left over from 2003 when it was removed. Twist the logic by checking
for `show' and `test' to make it even simpler.
OK sashan henning
|
|
In filteropts_to_rule():
* Merge `once' handling from `anchorrule' and `pfrule'
* Remove/shorten duplicate code block
* Fix typo I introduced with r1.678 that frees the wrong buffer (twice)
OK sashan
|
|
I comitted the wrong diff in 1.680 which turned `queue cq parent pq ...'
into invalid syntax by changing `interface' to `ON if_item'.
Found by bket, thanks!
|
|
pf.conf(5) states that queues attach to actual interfaces only, yet the
following parses:
# echo queue eq on egress bandwidth 1G default | pfctl -f-
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor
# echo queue rq on rdomain 0 bandwidth 1G default | pfctl -vf-
queue rq bandwidth 1G default
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor
On rdomains, ifa_exists() returns NULL.
On interface groups, ifa_exists() returns non-NULL but af is never set
to AF_LINK.
OK henning sashan
|
|
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.
ok henning@
|
|
|
|
ok benno@
|
|
Some filter options were parsed but not set on anchor rules due to missing
copies of the respective struct members:
$ cat pf.conf
queue rq on trunk0 bandwidth 1G
queue dq parent rq bandwidth 1G default
anchor a set queue dq
$ pfctl -vnf pf.conf | fgrep queue
anchor "a" all
Fix this by moving common code from `anchorrule' and `pfrule' into a new
helper filteropts_to_rule().
Input from henning and benno
OK henning sashan jca
|
|
Commented since r1.465 (2004).
OK deraadt benno jca sashan
|
|
calloc or strdup), we just need to log that we ran out of memory in a
particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
|
running out of memory.
Next step, be correct *and* consistent.
ok dennis@ tb@ benno@ schwarze@
|
|
on gcc architectures. ok florian@
|
|
pfctl: DIOCADDRULE: Device busy
error when loading the ruleset, with no information which rule caused
the problem and no indication that the problem is the rdomain
<nonexisting>.
This diff makes pfctl check if the rdomain really exists when parsing
the config.
ok bluhm@
|
|
buffer per file; also use that buffer to expand macros.
ok sashan@ dennis@ krw@
|
|
ok benno@
|
