| Age | Commit message (Collapse) | Author |
|---|
|
use pkill(1) in /etc/newsyslog.conf instead
together with otto and suggestions from tedu
|
|
tables on top of a rdomain) but until now our code was a crazy mix so that
it was impossible to correctly use rtables in that case. Additionally pf(4)
only knows about rtables and not about rdomains. This is especially bad when
tracking (possibly conflicting) states in various domains.
This diff fixes all or most of these issues. It adds a lookup function to
get the rdomain id based on a rtable id. Makes pf understand rdomains and
allows pf to move packets between rdomains (it is similar to NAT).
Because pf states now track the rdomain id as well it is necessary to modify
the pfsync wire format. So old and new systems will not sync up.
A lot of help by dlg@, tested by sthen@, jsg@ and probably more
OK dlg@, mpf@, deraadt@
|
|
reminded by STeve Andre.
|
|
useful from time to time and it is easer then deciphering ktrace output.
While there kill the no longer needed msec macro.
OK henning
|
|
While there remove some very old compat code supporting a syntax that
no one still knows or uses. OK henning@, deraadt@
|
|
lines; this prevents poll(2) from saying the fd has data to be read, when
it only had a status line change. Prevents ldattach from exiting when
relaying data to gpsd while being driven by a gps with 1PPS.
ok deraadt
|
|
mplslabel label was added, fix.
|
|
which unbreaks ie route-to after the recent pf changes.
With much help debugging and pointing out of missing bits from claudio@
ok claudio@ "looks good" henning@
|
|
that the load balancing code does not freak out but because of this
check_netmask() is now complaining. So set the addr.type to PF_ADDR_DYNIFTL
so check_netmask() is fixing up the netmask for IPv4 and stops complaining.
This is a partial fix for the failing regress test 13.
found with jsg, looks good henning
|
|
|
|
ldattach exiting when relaying (nmea to gpsd, for example).
ok deraadt@
|
|
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms
|
|
volume could no longer be brought up.
Found by Pedro la Peu <pedro@am-gen.org>, thanks for the report.
|
|
|
|
ok jmc@
|
|
|
|
|
|
|
|
|
|
- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.
The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).
The pf syntax is pretty simple, e.g.:
pass on em0 inet proto tcp from any to any port 80 divert-packet port 1
A lot of discussion have happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who spotted out which are the limitations of this approach.
OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.
discusses with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@
|
|
is used as the srcid, however the srcid type is not specified. Rectify this
by explicitly setting the srcid type to FQDN after successfully retrieving the
hostname. This worked prior to the addition of IPV4_ADDR/IPV6_ADDR support
since get_id_type() returned ID_FQDN even when presented with a null pointer.
Issue reported by Mikolaj Kucharski.
|
|
|
|
|
|
inspired by the short reboot times on an rb600a provided by stephan
rickauer.
testing and bugfixing by sthen@
ok mcbride@ sthen@
|
|
|
|
|
|
is used. discussed and ok krw@
|
|
of the if_media dance. Simplifies the code nicely.
OK henning, sthen, michele, deraadt
|
|
Sorry.
|
|
- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.
The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).
The pf syntax is pretty simple, e.g.:
pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000
test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.
|
|
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. this simplifies the migration from old
binat rules and is less error-prone.
feedback from many, manpage bits from jmc@
ok henning@
|
|
|
|
ok henning@ (sorry)
|
|
found by sthen@
ok henning@
|
|
noticed by Wiktor Izdebski
OK henning@
|
|
end of a pf rule (nat-to, divert-to, rdr-to, ...). take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.
for example,
pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)
many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@
|
|
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, seperate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too
|
|
the ``do { ... } while (0)'' construct.
ok henning, from Frederic Culuot <frederic _at_ culot.org>
|
|
|
|
vlan link0 was replaced with IFCAP_VLAN_HWTAGGING in 2001.
prompted by a mail from Insan Praja. ok deraadt@
|
|
ok krw otto
|
|
ok deraadt@, oga@
|
|
feedback/ok sobrado martynas
|
|
|
|
|
|
gets the declarations it uses. ok krw@
|
|
given as an IPv4 or IPv6 address, rather than treating the IP address as
a FQDN.
ok hshoexer@ markus@ todd@
|
|
device.
"Yeah!" marco@
|
|
ok marco cnst
|
|
|
