Commit message
with this,
anchor foo {
include "/path/to/rules"
}
works and "load anchor" is obsolete, to be removed somewhen later after
release.
co-production with reky at bsdcan, ok reyk mikeb benno sasha
message - beats "pfctl: DIOCXCOMMIT: Invalid argument".
from Nathanael Rensen <nathanael at list.polymorpheus.com>, 10x!
ok sthen phessler, commit reminder mikeb
pf.conf. Change this before upgrade or pf.conf won't load.
florian@ henning@ phessler@ jung@
pfctl(8) did for the old queues.
ok sashan@ sthen@
Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>
ok jung@, ok mikeb@
Tweak pfctl to respect the rule ID parameter (-R) specified
along with the show states (-s states) option to filter out
states that are not associated with a given rule from the
output.
ok sthen, benno
is non-portable. Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@
ok henning
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.
Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesn't like it he can change it when he recovers from jet-lag"

i.e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
I thought I had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan

ok mikeb
ports is ready, <net/pfvar.h> will stop including a pile of baloney.

ok mikeb
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)
This finally allows one to use source-hash for dynamic loadbalancing, e.g.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.
An older pre-siphash version of this diff was tested by many people.
OK tedu@ benno@

limit and the requested value.
OK henning@
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
ok mikeb
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic. Reported by sthen@;
ok henning benno sthen
ok millert@
CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.
ok millert@
DIOCADDRULE EBUSY turns into an error message that pfctl -n catches.
DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported
to occur, possibly from hfsc.c: this should be fixed as well.
ok henning mikeb sthen
overlooked in the previous commit
This lets us do the checks only once and also make smarter decisions
about the rule's own address family. As a result, af-to rules no longer
need to specify the address family after 'pass'.
ok henning

In particular, disallow specifications containing addresses of
different address families when the rule doesn't specify one; for
example, "pass out nat-to { ::1 1.1.1.1 }" will now produce an
error instead of silently picking one of the addresses.
sthen and deraadt agree

is in a valid range.
OK henning@
ok deraadt millert
(I was convinced I committed that yesterday already, hrm)

ok henning@ mikeb@
wildcard path ("ftp-proxy/*"), but make sure to call it after we're
done with the ruleset for the current anchor. On one hand this
repairs printing the content of such anchors, and on the other it allows
one to use a wildcard on the command line for anchors that were not
initially specified with a wildcard. Makes pfctl regress happy
again. OK henning, deraadt

commits.
ok henning@
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian
allows things like
block out on $someif received-on any
to prevent packets from being forwarded to $someif

found by millert@, ok deraadt@
Careful second audit by millert
tested by naddy, ok deraadt
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@@ring0.de>, analysis & fix yours truly

syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen
the state file before returning.
ok henning
and instead rely on the one provided by the same function just
a few lines below.
ok lteo henning
print out anchor rules recursively; unbreaks pf1.loaded regress test.
ok lteo, henning