| Age | Commit message (Collapse) | Author |
|---|
|
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@
|
|
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Convert the pfctl(8) rule parser to divert types, kernel cleanup
will be the next step.
OK sashan@
|
|
[ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]
OK bluhm@
|
|
OK bluhm@
|
|
OK bluhm@
|
|
bug reported and fix tested by Leonardo Guardati
OK bluhm@
|
|
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb
|
|
OK mikeb@
|
|
tested by Hrvoje
OK mpi@, OK bluhm@
|
|
|
|
manpage wording and reminder about usage() jmc@
ok florian@ henning@
|
|
ICMP6_DST_UNREACH_NOTNEIGHBOR is ICMP6_DST_UNREACH_BEYONDSCOPE (RFC
1885 was obsoleted).
sthen grepped the ports sources to make sure nothing uses it.
OK millert, jca
|
|
|
|
The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue. Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.
Discussed with and OK henning@ at d2k17 as a part of a larger diff.
|
|
The selection mechanism introduced in pf_ioctl.c -r1.316 suffers
from being too ambiguous and lacks robustness. Instead of relying
on composition of multiple flags in the queue specification, it's
easier to identify the root class (if it exists) and derive all
further checks from it.
|
|
Changes:
voided:
- pfctl_clear_tables
- pfctl_show_tables
- pfctl_show_ifaces
Those functions now exit(3) in case of error instead
of passing it up to the callers (where it was ignored).
OK mikeb@, sashan@
|
|
Transform the following functions (which never return anything other than 0, and
whose return value is never used) to void:
* pfctl_clear_stats, pfctl_clear_interface_flags, pfctl_clear_rules,
pfctl_clear_src_nodes, pfctl_clear_states
* pfctl_kill_src_nodes, pfctl_net_kill_states, pfctl_label_kill_states,
pfctl_id_kill_states, pfctl_key_kill_states
inside main: merge two identical if conditions next to each other into one.
Submitted by rain1 (thanks!) with additional credit to:
- mikeb@ for pointing out we can void all _clear_ functions
- ghostyy for pointing out all _kill_ functions can be voided
OK tb@, mikeb@
|
|
time_second. Since time_second changes depending on the wall-
clock time, time_second is not a reliable source for the status.
We can even end up with a negative time delta. Thus, use the
monotonically growing time_uptime and export it to userland.
ok bluhm@ mikeb@
|
|
|
|
OK bluhm@
|
|
marking the function "static". Use OSFP_DEBUG, in a similar
fashion to OPT_DEBUG (pfctl_optimize.c).
OK bluhm@
|
|
This reduces the diff with usr.sbin/tcpdump/pfctl_osfp.c. The change
from tcpdump is newer, so change pfctl. No binary change.
OK deraadt@
|
|
Reported by Carl Mascott, thanks! OK sthen
|
|
|
|
OK sthen, visa
|
|
|
|
Since only leaf queues can have packets assigned to them,
H-FSC requires the user specified root queue to have a
parent. To simplify userland tools and the configuration
interface, the kernel can be leveraged to set it up.
ok henning
|
|
sync usage() with SYNOPSIS;
|
|
and do not try to do all the documenting in SYNOPSIS/usage();
ok deraadt
|
|
the key of the state.
ok sasha
|
|
|
|
found by Klemens Nanni
|
|
|
|
label, by adding a -V <rdomain> option.
written by Bertrand Provost, provost DOT bertrand AT gmail DOT com, thanks.
ok florian@, with feedback from florian and jmc.
|
|
with more modern TAILQ_FOREACH(). This what symget() was already
doing.
Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().
No intentional functional change.
ok bluhm@ otto@
|
|
parser cannot handle that correctly and is is unclear wether the
kernel code would work. Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@
|
|
as broadcast address. The kernel does not consider this a broadcast
address and ifconfig(8) has a check to exclude it. Use the same
check in pfctl(8).
Found by regress/sbin/pfctl pfi2; OK mikeb@
|
|
ok mikeb@
|
|
OK mikeb@
|
|
Thanks mikeb@ for idea to add expire time.
OK mpi@, OK mikeb@
|
|
ok deraadt@
|
|
Spotted by the Echelon team with AppChecker static analyzer.
ok sashan@
|
|
|
|
noticed since struct node_queue stayed. ok claudio benno gcc
|
|
condition in the if statement more readable while I'm there.
ok phessler@, benno@, florian@
|
|
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.
feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@
|
|
the pf.conf parser allows it, which leads a non working configuration
being loaded.
this changes the parser to make pass out .. af-to an error.
ok henning@ mikeb@
|
|
with this,
anchor foo {
include "/path/to/rules"
}
works and "load anchor" is obsolete, to be removed somewhen later after
release.
co-production with reky at bsdcan, ok reyk mikeb benno sasha
|
|
message - beats "pfctl: DIOCXCOMMIT: Invalid argument".
from Nathanael Rensen <nathanael at list.polymorpheus.com>, 10x!
ok sthen phessler, commit reminder mikeb
|
|
pf.conf. Change this before upgrade or pf.conf won't load.
florian@ henning@ phessler@ jung@
|
