|
This finally allows using source-hash for dynamic load balancing, e.g.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.
An older pre-siphash version of this diff was tested by many people.
OK tedu@ benno@
|
|
limit and the requested value.
OK henning@
|
|
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
|
ok mikeb
|
|
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic. Reported by sthen@;
ok henning benno sthen
|
|
ok millert@
|
|
CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.
ok millert@
|
|
DIOCADDRULE EBUSY turns into an error message that pfctl -n catches.
DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported
to occur, possibly from hfsc.c: this should be fixed as well.
ok henning mikeb sthen
|
|
overlooked in the previous commit
|
|
This lets us do the checks only once and also make smarter decisions
about the rule's own address family. As a result af-to rules no longer
need to specify the address family after 'pass'.
ok henning
|
|
In particular, disallow specifications containing addresses of
different address families when the rule doesn't specify one, for
example "pass out nat-to { ::1 1.1.1.1 }" will now produce an
error instead of silently picking one of the addresses.
sthen and deraadt agree
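The consistency check that commit describes, modelled as an added example in Python (this is illustration code written for this page, not pfctl's parse.y). The only behaviour taken from the message is the error for a mixed-family pool on a rule with no address family; what happens with an explicit family (entries of the other family are skipped, and a pool with no usable entry is an error) is an assumption made for the example. Pool entries are plain addresses or prefixes; interfaces and tables are out of scope.

```python
"""Added example: address-family consistency check for a nat-to/rdr-to pool.
Toy model written for this page, not pfctl's own code."""
import ipaddress
from typing import Iterable, Optional


def pool_af(rule_af: Optional[str], pool: Iterable[str]) -> str:
    """Return the address family ('inet' or 'inet6') the pool resolves to.

    rule_af is the family given on the rule, or None when the rule does not
    specify one.  Raises ValueError where pfctl would report an error."""
    by_family = {}
    for entry in pool:
        fam = "inet" if ipaddress.ip_interface(entry).version == 4 else "inet6"
        by_family.setdefault(fam, []).append(entry)
    if not by_family:
        raise ValueError("empty address pool")
    if rule_af is None:
        # The check from the commit message: mixed families with no rule af
        # is an error instead of silently picking one of the addresses.
        if len(by_family) > 1:
            raise ValueError("address pool mixes address families: "
                             + ", ".join(sorted(by_family)))
        return next(iter(by_family))
    if rule_af not in ("inet", "inet6"):
        raise ValueError(f"unknown address family {rule_af!r}")
    # Assumption made for this example (not stated in the message): with an
    # explicit rule af, entries of the other family are skipped, and a pool
    # with no usable entry is an error.
    if rule_af not in by_family:
        raise ValueError(f"no {rule_af} address in pool")
    return rule_af


def check_rule(rule_af: Optional[str], pool: Iterable[str]) -> Optional[str]:
    """Return the error text a 'pfctl -n' style check would print, or None."""
    try:
        pool_af(rule_af, pool)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    # Constructed inputs: the example from the commit message, plus clean pools.
    for af, pool in ((None, ["::1", "1.1.1.1"]),
                     (None, ["10.0.0.0/8"]),
                     ("inet6", ["::1", "1.1.1.1"])):
        print(af, pool, "->", check_rule(af, pool) or "ok")
```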
|
|
is in a valid range.
OK henning@
|
|
ok deraadt millert
|
|
(i was convinced i committed that yesterday already, hrm)
|
|
ok henning@ mikeb@
|
|
wildcard path ("ftp-proxy/*"), but make sure to call it after we're
done with the ruleset for the current anchor. On one hand this
repairs printing content of such anchors and on the other it allows
using a wildcard on the command line for anchors that were not
initially specified with a wildcard. Makes pfctl regress happy
again. OK henning, deraadt
|
|
commits.
ok henning@
|
|
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian
|
|
allows things like
block out on $someif received-on any
to prevent packets from getting forwarded to $someif
|
|
|
found by millert@, ok deraadt@
|
|
Careful second audit by millert
|
|
tested by naddy, ok deraadt
|
|
|
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@@ring0.de>, analysis & fix yours truly
|
|
syntax worked out with many in Ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen
|
|
the state file before returning.
ok henning
|
|
and instead rely on the one provided by the same function just
a few lines below.
ok lteo henning
|
|
print out anchor rules recursively; unbreaks pf1.loaded regress test.
ok lteo, henning
|
|
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance-wise this change provides a speed-up
factor of 20 with an 11k-line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).
"wow!" henning, ok benno, florian
|
|
SYNOPSIS suggests no options are necessary, in fact a minimum of one
is required;
ok henning
|
|
ok henning
|
|
what happens when a broken pf config is encountered, both generally
and at system startup;
ok henning
|
|
|
While here, fix pf table displays to fit within 80 chars.
Manpage input jmc@
ok henning@ reyk@
|
|
ok ryan
|
|
|
ok sthen
|
|
|
value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning
|
|
into the set block. so make pfctl accept, print and the manpage document
. match set queue foo
instead of
. match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc
|
|
|
reorder rules incorrectly, i.e.:
pass rtable 2
pass from 10/16 rtable 0
pass from 10.1/16 rtable 1
so with this ruleset a packet from 10/16 will end up in rtable 0.
now let's see what pfctl makes out of it, with default optimization:
<brahe@tachi> pfctl $ pfctl -nvf t.conf
pass inet from 10.0.0.0/16 to any flags S/SA rtable 0
pass inet from 10.1.0.0/16 to any flags S/SA rtable 1
pass all flags S/SA rtable 2
OOPS! a packet from 10/16 will end up in rtable 2 now.
found by phessler, fix by yours truly, from EuroBSDcon
ok beck phessler benno mikeb sthen
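To make the failure mode concrete, here is an added Python model of last-match rule evaluation run over both orderings quoted in that message. It is illustration code written for this page, not pfctl's optimizer: it understands only the `pass [inet] [from NET] ... rtable N` subset used above, and the sample source addresses are constructed. `divergent()` generalizes the check to any two orderings, returning the sample packets for which they disagree, which is the property a semantics-preserving reorder must keep empty.

```python
"""Added example: why the reordering quoted above changes which rtable a
packet gets.  pf without 'quick' applies the *last* matching rule, so a
catch-all moved from first to last stops being overridden by the more
specific rules that follow it.  Toy model, not pfctl code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src: Optional[ipaddress.IPv4Network]  # None means "from any"
    rtable: int


def expand_short(cidr: str) -> str:
    """Expand pf.conf shorthand such as '10/16' or '10.1/16' to a dotted quad."""
    addr, _, plen = cidr.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ".".join(octets) + ("/" + plen if plen else "")


def parse_rule(line: str) -> Rule:
    """Parse the subset 'pass [inet] [from NET|any] [to any] [flags ...] rtable N'.
    Everything not recognised is skipped, which is enough for the lines above."""
    toks = line.split()
    src = None
    rtable = 0
    i = 0
    while i < len(toks):
        if toks[i] == "from" and toks[i + 1] != "any":
            src = ipaddress.ip_network(expand_short(toks[i + 1]), strict=False)
            i += 2
        elif toks[i] == "rtable":
            rtable = int(toks[i + 1])
            i += 2
        else:
            i += 1
    return Rule(src, rtable)


def lookup(rules: List[Rule], src_ip: str) -> Optional[int]:
    """pf semantics without 'quick': the last matching rule decides."""
    ip = ipaddress.ip_address(src_ip)
    winner = None
    for r in rules:
        if r.src is None or ip in r.src:
            winner = r
    return None if winner is None else winner.rtable


# The ruleset as written in t.conf.
ORIGINAL = [parse_rule(line) for line in (
    "pass rtable 2",
    "pass from 10/16 rtable 0",
    "pass from 10.1/16 rtable 1",
)]

# The ordering the optimizer produced, as quoted in the commit message.
REORDERED = [parse_rule(line) for line in (
    "pass inet from 10.0.0.0/16 to any flags S/SA rtable 0",
    "pass inet from 10.1.0.0/16 to any flags S/SA rtable 1",
    "pass all flags S/SA rtable 2",
)]


def divergent(a: List[Rule], b: List[Rule], samples: List[str]) -> List[str]:
    """Sample source addresses for which the two orderings pick different
    rtables.  An empty list means the reorder preserved semantics on them."""
    return [s for s in samples if lookup(a, s) != lookup(b, s)]


if __name__ == "__main__":
    # Constructed sample packets: one per prefix, plus one matching only the catch-all.
    for s in ("10.0.5.5", "10.1.5.5", "192.0.2.1"):
        print(s, "original ->", lookup(ORIGINAL, s), "reordered ->", lookup(REORDERED, s))
```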
|
|
route-to with any scheduling algorithm other than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, e.g. "rdr-to <table> source-hash", but these are not
supported by the kernel and were silently ignored in operation.
Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.
ok zinke@
|
|
ok jmc
|
|
ok mikeb henning beck
|