path: root/sbin/pfctl
Age         Author
    Commit message

2018-02-08  Henning Brauer
    make the watermarks/thresholds for entering and leaving syncookie mode when
    syncookies are set to adaptive tunable, ok claudio benno

2018-02-08  Henning Brauer
    show current synflood detection watermarks in pfctl -vsi, for the lack
    of a more appropriate place. ok claudio benno procter

2018-02-06  Henning Brauer
    allow control over syncookies: set syncookies never/always/adaptive

2017-11-28  Alexander Bluhm
    The divert structure was using the port number to indicate that
    divert-to or divert-reply was active. If the address was also set, it
    meant divert-to. Divert packet used a separate structure. This is
    confusing and makes it hard to add new features. It is better to have a
    divert type that explicitly says what is configured. Adapt the pf rule
    struct in kernel and pfctl, no functional change. Note that kernel and
    pfctl have to be updated together. OK sashan@

2017-11-27  Alexander Bluhm
    The divert structure was using the port number to indicate that
    divert-to or divert-reply was active. If the address was also set, it
    meant divert-to. Divert packet used a separate structure. This is
    confusing and makes it hard to add new features. It is better to have a
    divert type that explicitly says what is configured. Convert the
    pfctl(8) rule parser to divert types, kernel cleanup will be the next
    step. OK sashan@

2017-11-25  Alexandr Nedvedicky
    - pfctl fails to handle nested 'load anchor' properly
      [ + yet another 'anchor name vs. path' mix up in load anchor (parse.y) ]
    OK bluhm@

2017-11-25  Alexandr Nedvedicky
    - patching use-after-free and innocent memory leak in pfctl_optimize.c
    OK bluhm@

2017-11-25  Alexandr Nedvedicky
    - pfctl rule optimizer: anchor name vs. anchor path mix up
    OK bluhm@

2017-11-14  Alexandr Nedvedicky
    - nested anchors vs. pfctl/parse.y
    bug reported and fix tested by Leonardo Guardati
    OK bluhm@

2017-11-13  Henning Brauer
    add a generic packet rate matching filter. allows things like
        pass in proto icmp max-pkt-rate 100/10
    all packets matching the rule in the direction the state was created
    are taken into consideration (typically: requests, but not replies).
    Just like with the other max-*, the rule stops matching if the maximum
    is reached, so in typical scenarios the default block rule would kick
    in then. with input from Holger Mikolon ok mikeb

2017-09-26  Alexandr Nedvedicky
    - pfctl always prints a warning when it flushes the ruleset
    OK mikeb@

2017-09-05  Alexandr Nedvedicky
    - split pf_find_or_create_ruleset() into smaller chunks.
    tested by Hrvoje OK mpi@, OK bluhm@

2017-08-14  Henning Brauer
    expose the half-open tcp states counter, ok bluhm

2017-08-11  Sebastian Benoit
    add option -N (no domain resolution)
    manpage wording and reminder about usage() jmc@ ok florian@ henning@

2017-08-03  Florian Obser
    For nearly 20 years the correct spelling of
    ICMP6_DST_UNREACH_NOTNEIGHBOR is ICMP6_DST_UNREACH_BEYONDSCOPE (RFC 1885
    was obsoleted). sthen grepped the ports sources to make sure nothing
    uses it. OK millert, jca

2017-07-20  Jason McIntyre
    "no-route" is also shown by -sinfo;

2017-07-19  Mike Belopuhov
    Allow HFSC classes to use flow queues
    The FQ-CoDel related configuration (flows, quantum) becomes available
    for the regular bandwidth queue. Internally the kernel will pick the
    FQ-CoDel for use as a queue manager for the specified class instead of
    the FIFO. Discussed with and OK henning@ at d2k17 as a part of a larger
    diff.

2017-07-19  Mike Belopuhov
    Rework HFSC vs FQ-CoDel checks
    The selection mechanism introduced in pf_ioctl.c -r1.316 suffers from
    being too ambiguous and lacks robustness. Instead of relying on
    composition of multiple flags in the queue specification, it's easier
    to identify the root class (if it exists) and derive all further checks
    from it.

2017-07-15  Adam Wolk
    sbin/pfctl: void functions and exit(3) on error
    Changes:
    voided:
    - pfctl_clear_tables
    - pfctl_show_tables
    - pfctl_show_ifaces
    Those functions now exit(3) in case of error instead of passing it up
    to the callers (where it was ignored). OK mikeb@, sashan@

2017-06-16  Adam Wolk
    pfctl: merge identical if conditions and void functions discarding ret
    values
    Transform the following functions (which never return anything other
    than 0, and whose return value is never used) to void:
    * pfctl_clear_stats, pfctl_clear_interface_flags, pfctl_clear_rules,
      pfctl_clear_src_nodes, pfctl_clear_states
    * pfctl_kill_src_nodes, pfctl_net_kill_states, pfctl_label_kill_states,
      pfctl_id_kill_states, pfctl_key_kill_states
    inside main: merge two identical if conditions next to each other into
    one.
    Submitted by rain1 (thanks!) with additional credit to:
    - mikeb@ for pointing out we can void all _clear_ functions
    - ghostyy for pointing out all _kill_ functions can be voided
    OK tb@, mikeb@

2017-06-01  Patrick Wildt
    Return time_uptime as value for when pf was enabled instead of
    time_second. Since time_second changes depending on the wall-clock
    time, time_second is not a reliable source for the status. We can even
    end up with a negative time delta. Thus, use the monotonically growing
    time_uptime and export it to userland. ok bluhm@ mikeb@

2017-05-30  Henning Brauer
    fix a comment

2017-05-28  Michal Mazurek
    Don't check np->port for NULL - it's an array, it's never NULL.
    OK bluhm@

2017-05-28  Michal Mazurek
    print_ioctl() is unused if not debugging. Found with clang, after
    marking the function "static". Use OSFP_DEBUG, in a similar fashion to
    OPT_DEBUG (pfctl_optimize.c). OK bluhm@

2017-05-27  Michal Mazurek
    Move includes.
    This reduces the diff with usr.sbin/tcpdump/pfctl_osfp.c. The change
    from tcpdump is newer, so change pfctl. No binary change. OK deraadt@

2017-05-15  Mike Belopuhov
    Fixup printing of queue bandwidth specifications
    Reported by Carl Mascott, thanks! OK sthen

2017-05-15  Mike Belopuhov
    Put the closing parenthesis in the right spot and fix std-dev
    calculation

2017-05-15  Mike Belopuhov
    Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)
    OK sthen, visa

2017-04-28  Mike Belopuhov
    Remove double assignments

2017-04-26  Mike Belopuhov
    Perform H-FSC root queue allocation in the kernel
    Since only leaf queues can have packets assigned to them, H-FSC
    requires the user specified root queue to have a parent. To simplify
    userland tools and the configuration interface, the kernel can be
    leveraged to set it up. ok henning

2017-04-23  Jason McIntyre
    oops, this was meant to be committed with the pfctl.8 change:
    sync usage() with SYNOPSIS;

2017-04-23  Jason McIntyre
    trim the documentation for -k: make it more consistent,
    and do not try to do all the documenting in SYNOPSIS/usage(); ok deraadt

2017-04-21  YASUOKA Masahiko
    Add "key" modifier for -k so that pfctl can kill a state by specifying
    the key of the state. ok sasha

2017-04-13  Jonathan Gray
    fix wrongly indented lines

2017-03-27  Sebastian Benoit
    rather than printing the wrong function name, don't print it at all.
    found by Klemens Nanni

2017-01-26  Jason McIntyre
    one more fix i requested for previous;

2017-01-26  Sebastian Benoit
    Select the routing domain to be used for kill states by host or by
    label, by adding a -V <rdomain> option. written by Bertrand Provost,
    provost DOT bertrand AT gmail DOT com, thanks. ok florian@, with
    feedback from florian and jmc.

2017-01-05  Kenneth R Westerback
    Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
    with more modern TAILQ_FOREACH(). This is what symget() was already
    doing. Add paranoia '{}' around body of symget()'s TAILQ_FOREACH(). No
    intentional functional change. ok bluhm@ otto@

2016-11-23  Alexander Bluhm
    Explicitly forbid to combine af-to with route-to in pfctl. The
    parser cannot handle that correctly and it is unclear whether the
    kernel code would work. Remove the feature until someone needs it and
    properly implements and tests it. OK mike@ sashan@ mpi@

2016-10-26  Alexander Bluhm
    When using a /32 IPv4 interface address, pfctl(8) reports a 0.0.0.0
    as broadcast address. The kernel does not consider this a broadcast
    address and ifconfig(8) has a check to exclude it. Use the same check
    in pfctl(8). Found by regress/sbin/pfctl pfi2; OK mikeb@

2016-09-03  Jeremie Courreges-Anglas
    err->errx, errno info is not related to the failure mode
    ok mikeb@

2016-09-03  Alexandr Nedvedicky
    pfctl mixes up anchorname with anchorpath
    OK mikeb@

2016-09-03  Alexandr Nedvedicky
    Let the purge thread remove once rules, not packets.
    Thanks mikeb@ for the idea to add expire time. OK mpi@, OK mikeb@

2016-08-26  Philip Guenther
    Add <time.h> for time(); sort <*.h> includes
    ok deraadt@

2016-08-03  Kenneth R Westerback
    A couple of "a->blah == a->blah" -> "a->blah == b->blah".
    Spotted by the Echelon team with AppChecker static analyzer. ok sashan@

2016-07-18  Henning Brauer
    no more cbq_opts - CBQ is gone, ok mpi phessler benno

2016-07-18  Henning Brauer
    g/c unused (global!) var: oqueues isn't used any more. ALTQ leftover;
    not noticed since struct node_queue stayed. ok claudio benno gcc

2016-06-22  Mark Kettenis
    Add curly braces that were missed in rev 1.651. Add parentheses to make
    the condition in the if statement more readable while I'm there. ok
    phessler@, benno@, florian@

2016-06-21  Sebastian Benoit
    do not allow whitespace in macro names, i.e. "this is" = "a variable".
    change this in all config parsers in our tree that support macros.
    problem reported by sven falempin. feedback from henning@, stsp@,
    deraadt@ ok florian@ mikeb@

2016-06-21  Sebastian Benoit
    the manpage documents that af-to does not work on pass out rules, but
    the pf.conf parser allows it, which leads to a non-working
    configuration being loaded. this changes the parser to make pass out ..
    af-to an error. ok henning@ mikeb@