Age | Commit message | Author |
|
- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.
The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).
The pf syntax is pretty simple, e.g.:
pass on em0 inet proto tcp from any to any port 80 divert-packet port 1
A lot of discussion has happened since my last commit, which resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion,
especially canacar@, who spotted the limitations of this approach.
OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more so with time.
discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@
|
is used as the srcid, however the srcid type is not specified. Rectify this
by explicitly setting the srcid type to FQDN after successfully retrieving the
hostname. This worked prior to the addition of IPV4_ADDR/IPV6_ADDR support
since get_id_type() returned ID_FQDN even when presented with a null pointer.
Issue reported by Mikolaj Kucharski.
|
inspired by the short reboot times on an rb600a provided by stephan
rickauer.
testing and bugfixing by sthen@
ok mcbride@ sthen@
|
is used. discussed and ok krw@
|
of the if_media dance. Simplifies the code nicely.
OK henning, sthen, michele, deraadt
|
Sorry.
|
- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.
The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).
The pf syntax is pretty simple, e.g.:
pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000
test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.
|
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. this simplifies the migration from old
binat rules and is less error-prone.
feedback from many, manpage bits from jmc@
ok henning@
|
ok henning@ (sorry)
|
found by sthen@
ok henning@
|
noticed by Wiktor Izdebski
OK henning@
|
end of a pf rule (nat-to, divert-to, rdr-to, ...). take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.
for example,
pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)
many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@
|
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too
|
the ``do { ... } while (0)'' construct.
ok henning, from Frederic Culuot <frederic _at_ culot.org>
|
vlan link0 was replaced with IFCAP_VLAN_HWTAGGING in 2001.
prompted by a mail from Insan Praja. ok deraadt@
|
ok krw otto
|
ok deraadt@, oga@
|
feedback/ok sobrado martynas
|
gets the declarations it uses. ok krw@
|
given as an IPv4 or IPv6 address, rather than treating the IP address as
a FQDN.
ok hshoexer@ markus@ todd@
|
device.
"Yeah!" marco@
|
ok marco cnst
|
Make it possible to use DiffServ Code Point in the TOS fields.
Requested by deraadt@
|
on block devices
ok marco@
|
af11, cs6 and ef will now be mapped to the corresponding TOS value.
OK henning@, sthen@, mcbride@
|
how -A and A will carve up your disk;
help/ok krw deraadt
|
specified. Most people want -n to avoid reverse DNS lookups, and
it's stupid not to print a useful interface name just for that.
YES PLEASE! Ok claudio@
|
LINK_STATE_UNKNOWN. In the other case use LINK_STATE_IS_UP() to
print either "up" or "down". OK henning@, sthen@
|
requested & diff tested by david@
ok miod@
|
making n flag work as expected for set. ok miod@
|
similar way that mixerctl does. so that info for setting things
like brightness makes sense (since we scale, like, 8 values to
per-cent). also, it consistifies get/put, shrinks code since we
don't need to do that in every single 'driver'. ok miod@
|
since all this stuff is transactional now we need to wrap that into
DIOCXBEGIN/COMMIT.
bad henning forgot to commit this chunk at c2k9
|
ok deraadt@
|
suggested by dlg@, ok claudio@, laurent@, blambert@
|
ourselves
ok krw
|
Tested and OK sthen@, OK henning@
|
from routing messages retrieved via routing socket or sysctl.
Tested and OK sthen@, OK henning@
|
input jmc@, ok claudio@
|