Age | Commit message | Author |
|
OK kn@
|
|
recursive operation ("pfctl -a '*' ...") works for '-s' option already. This
change enables the same thing for '-F' option, so "pfctl -a '*' -Fa" will flush
everything from PF driver.
The idea was discussed with many on tech@ in spring 2019.
OK kn@
|
|
All optimizations work on actual rules; if there are none, return early.
While here, tell which ruleset/anchor is being optimized to make the debug
message actually useful.
OK mikeb
|
|
|
|
This is the userland portion. OK deraadt@ sashan@
|
|
The fix is the same as for other parse.y files in the tree (see bgpd(8) or
unwind(8))
ok bluhm@
|
|
(bug found and fix tested by Jesper Wallin)
OK deraadt OK kn
|
|
Prompted by and OK deraadt
|
|
for yyerror.
From Moritz Buhl
ok bluhm@ claudio@
|
|
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
|
|
(bug found and fixed by Petr Hoffmann _at_ oracle.com)
OK kn@
|
|
great input by Ingo, Jason and Klemens
OK schwarze@, OK kn@, OK jmc@
|
|
`-t table -T add|replace ...' would only check for duplicate tables in case
addresses were actually added to the table.
Instead of using a positive number of added addresses as proof of
successful table operations, rely on the fact that CREATE_TABLE() is
guaranteed to be called only if pf(4) can be accessed, that is
warn_duplicate_tables() will return.
This improves duplicate detection rate as warnings are now also emitted
even when table commands eventually leave tables unchanged.
OK benno sashan
|
|
revision 1.689 introduced warn_duplicate_tables() unconditionally, breaking
the parser on tables with insufficient permissions to open pf(4):
$ echo 'table <t>' | pfctl -nf-
pfctl: pfr_get_tables: Bad file descriptor
So simply check whether pfctl is able to get the table list first. If not,
instead of silently avoiding namespace collision checks, print a brief
notice iff `-v' is given to help finding duplicate definitions by hand:
$ echo 'table <t>' | ./obj/pfctl -vnf-
table <t>
stdin:1: skipping duplicate table checks for <t>
Reported by Rivo Nurges, thanks!
OK benno sashan
|
|
(discussed with many at tech@)
OK deraadt@, kn@, sthen@, tedu@
|
|
Fix a regression of revision 1.326 "Zap v4mask and v6mask in host()" which
allowed CIDR networks with more than one "/" to be loaded into tables.
I took care of this code path with regard to rules coming from the ruleset
parser, which aborts earlier on such invalid specifications, but missed
`-T add 1/2/3' and the like.
Analyzed and fixed by Petr Hoffmann <petr dot hoffmann at oracle dot com>,
thanks!
OK deraadt
|
|
Left behind in pfctl_parser.h revision 1.91
"First pass at removing the 'pf_pool' mechanism [...]"
These functions don't exist anymore, no object change.
OK procter
|
|
parse.y revision 1.682 from 16.07.2018 erroneously allowed `match once' and
`anchor "a" once'.
Fix both by checking for PF_DROP not PF_MATCH and creating anchors in the
parser already such that they can be used to distinguish anchor rules in
the same check as well.
Found and fixed by Petr Hoffmann <petr.hoffmann at oracle dot com>, thanks!
While here, remove an unneeded cast and make pfctl_add_rule() void as it
always returned 0.
OK sashan
|
|
pfioc_src_nodes to size_t. This avoids integer truncation by casts
to unsigned. As the types of DIOCGETSTATES and DIOCGETSRCNODES
ioctl(2) arguments change, pfctl(8) and systat(1) should be updated
together with the kernel. Calculate number of pf(4) states as
size_t in userland.
OK sashan@ deraadt@
|
|
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno
|
|
The parser would allow bogus input and sometimes even produce invalid rules
on empty anchor names, so error out immediately.
OK sashan
|
|
For anchor names, make `load anchor' use the same grammar as `anchor' and
merge unique checks from both places so that anchor names are validated
regardless of the specific rule at hand.
OK sashan
|
|
ok sthen
|
|
Contrary to other rules accepting a single port, this one only works with
numerical values. Fix it by simply using the proper grammar.
Port ranges are not accepted, but an error message on a range without start
was missing in general, so add it while here.
OK bluhm
|
|
Recently introduced in pfctl_parser.c r1.333, this helper nicely
simplifies code when copying IPs based on their address family, so use
it in five other places when killing state or source node entries.
All addresses copied in these code paths result from either
pfctl_parse_host() or pfctl_addrprefix() which guarantee the address
family set to AF_INET or AF_INET6. Therefore, effectively relaxing the
case of unhandled families from errx(3) in callers to warnx(3) in
copy_satopfaddr() is safe since it's never reached.
OK sashan
|
|
Either disable DNS or enable additional reverse lookups, but not both.
OK benno
|
|
Killing source tracking or state entries by hostname or CIDR would pass
given keys twice to getaddrinfo(3): once to resolve/parse and again to
parse the numerical address in case a prefix was specified.
Avoid this overhead by making pfctl_addrprefix() resolve, pass and mask
in one go and return the list of IPs to the callers. This notably
simplifies both logic and sanity checks around prefix length and address
family.
While here, also pass -N along such that -k and -K can be restricted to
not use DNS.
Discussed with procter sashan, OK sashan
|
|
OK benno
|
|
Tweak spacing while here, no object change.
Feedback and OK procter, OK sceloha
|
|
Flushing all filter parameters does not make sense on one specific
interface only as already noted. However, the main ruleset as well as
all tables were still cleared on such invalid usage.
Furthermore, an empty interface name was treated like no interface at
all, hence source tracking entries, statistics and interface flags were
cleared also.
Immediately error out if `-i' is given regardless of its argument before
flushing anything.
OK sashan
|
|
collisions with global tables, but only in certain cases and with
limited information sometimes leaving users clueless.
Deferring the check to process_tabledefs() where tables are eventually
created, both anchor and table name are known which allows for checking
all existing anchors.
With this, warn on all duplicates even in dry-runs (`-n') and print
quoted names so they can be copied to fix configurations right away.
No functional change in parsing or ruleset production.
Discussed with and OK sashan
|
|
Killing source tracking entries per interface does not make sense and
`-i interface' along with `-K key' is completely ignored anyway.
There since import in 2006, probably just copy/pasta.
OK sashan
|
|
In r1.39 I removed the `af' parameter from `unmask()' but accidentally zapped
the macro's closing parenthesis.
Since DEBUG() is needlessly under an OPT_DEBUG guard, this was not
affecting normal builds.
Add the missing ')' and remove the ifdef.
OK sashan
|
|
Table name and table command require each other as reflected in the
synopsis [-t table -T command [address ...]], so print usage and exit if
only one of them is given.
By moving the inter-dependence check right after option parsing is done,
we can bail out even before opening pf(4) and drop the internal wrapper
pfctl_command_tables() as unneeded indirection with now duplicate checks.
OK sashan
|
|
There since import and last used by ALTQ which henning removed in 2004.
OK sashan
|
|
pf.conf(5)'s TABLE section explains it, but let's be clear about it in the
table command descriptions, too.
"go for it" jmc
|
|
These are in <net/pfvar.h> already.
OK sashan
|
|
"driver" is a left-over from earlier implementations.
Nowadays each driver such as lo(4) has its respective interface group of
the same name ("lo"), but additional driver-independent groups exist, too:
# ifconfig lo0 group foo
# pfctl -s I -i foo
foo
lo0
OK henning
|
|
ok deraadt@
|
|
Zap trailing semicolon introduced with miko's cmdline_symset() leading to
unconditional err(3). Zap trailing tab while here.
|
|
|
|
(and other lexers too)
This commit rectifies an earlier change:
in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
|
Replace hardcoded 0 and implicit checks with enum as done in all other
use cases of `pfra_fback'. No object change.
OK sashan
|
|
With r1.358 I simplified anchor handling but also broke semantics with
regard to tables:
# pfctl -a aname -t tname -T show
pfctl: anchors apply to -f, -F and -s only
Unbreak this by checking for table commands as well.
OK bluhm
|
|
that are used for netmask, broadcast, and destination address. In
pfctl(8) take the family of the interface address and write it to
the other addresses. This fixes some bugs when copy_satopfaddr()
copied only part of IPv6 addresses. Print a warning if the address
family is unknown.
OK kn@
|
|
do repeated lookups. OK tb@
|
|
OK bluhm
|
|
I introduced this error with r1.330 while removing the af parameter from
unmask().
`pass inet from (lo0)/24' would result in `pass inet from (lo0)', sorry.
|
|
Left-over from pre-host_ip() times. While here, use __func__.
OK henning benno
|
|
Except for networks such as "10/8" host_ip() now handles addresses in an
AF-agnostic way with more duplicate code removed/merged.
OK sashan (as for earlier copy_satopfaddr() diff) henning
|