Age | Commit message | Author |
|
noticed by Wiktor Izdebski
OK henning@
|
|
end of a pf rule (nat-to, divert-to, rdr-to, ...). take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.
for example,
pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)
many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@
|
|
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too
|
|
the ``do { ... } while (0)'' construct.
ok henning, from Frederic Culuot <frederic _at_ culot.org>
|
|
|
|
vlan link0 was replaced with IFCAP_VLAN_HWTAGGING in 2001.
prompted by a mail from Insan Praja. ok deraadt@
|
|
ok krw otto
|
|
ok deraadt@, oga@
|
|
feedback/ok sobrado martynas
|
|
|
|
|
|
gets the declarations it uses. ok krw@
|
|
given as an IPv4 or IPv6 address, rather than treating the IP address as
a FQDN.
ok hshoexer@ markus@ todd@
|
|
device.
"Yeah!" marco@
|
|
ok marco cnst
|
|
|
|
Make it possible to use DiffServ Code Point in the TOS fields.
Requested by deraadt@
|
|
|
|
on block devices
ok marco@
|
|
af11, cs6 and ef will now be mapped to the corresponding TOS value.
OK henning@, sthen@, mcbride@
|
|
how -A and A will carve up your disk;
help/ok krw deraadt
|
|
|
|
specified. Most people want -n to avoid reverse DNS lookups, and
it's stupid not to print a useful interface name just for that.
YES PLEASE! Ok claudio@
|
|
LINK_STATE_UNKNOWN. In the other case use LINK_STATE_IS_UP() to
print either "up" or "down". OK henning@, sthen@
|
|
requested & diff tested by david@
ok miod@
|
|
|
|
making n flag work as expected for set. ok miod@
|
|
similar way that mixerctl does. so that info for setting things
like brightness makes sense (since we scale, like, 8 values to
per-cent). also, it consistifies get/put, shrinks code since we
don't need to do that in every single 'driver'. ok miod@
|
|
since all this stuff is transactional now we need to wrap that into
DIOCXBEGIN/COMMIT.
bad henning forgot to commit this chunk at c2k9
|
|
ok deraadt@
|
|
suggested by dlg@, ok claudio@, laurent@, blambert@
|
|
ourselves
ok krw
|
|
Tested and OK sthen@, OK henning@
|
|
from routing messages retrieved via routing socket or sysctl.
Tested and OK sthen@, OK henning@
|
|
input jmc@, ok claudio@
|
|
|
|
|
|
so it can try /dev/ksyms. The first call to kvm_openfiles()
was already correct.
|
|
ifconfig <if> inet6 used to print all inet6 addresses, and last not least
the installer relies on that behaviour. so don't. to turn inet6 on again
you have to assign any inet6 address or run rtsol.
nobody happy about this asymmetry, but that is the best we could come up
with for now.
|
|
|
|
ok marco@
|
|
ok jordan
|
|
ok jordan
|
|
sync peers are able to get the states before the replies. previously there
was a race where the reply could hit a partner firewall before it had the
state for it, which caused the reply to get processed by the ruleset which
probably would drop it.
this behaviour is off by default because it does delay packets, which is
only wanted in active-active firewalls or when an upstream router is slow
to learn that you've moved the active member of the pfsync cluster. it also
uses memory keeping the packets in the kernel.
use "ifconfig pfsync0 defer" to enable it, "ifconfig pfsync0 -defer" to
disable.
tested by sthen@ who loves it. he's got manpage changes coming up for me.
|
|
for the different disciplines.
|
|
interface to each address and trying to ping the gateway. This will
trigger an RTM_NEWADDR message.
routehandler() only checks for the active and alias address in
RTM_NEWADDR messages, so we can exit when state_panic() and the
message address is on client->leases. routehandler() needs to also
check client->leases.
testing krw, 'I say commit' krw
|
|
ok claudio@
|
|
cleared in both cases. So just do it inside zero_partitions() since
we are looping over all the partitions there anyway.
Should fix an install corner case discovered by todd@.
|
|
along with vnode type-specific info to make it more useful for fstat(1).
OK deraadt@
|
|
|