| Age | Commit message (Collapse) | Author |
|---|
|
route-to with any other scheduling algorithms than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, eg. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.
Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.
ok zinke@
|
|
|
|
when dealing with lots of IP fragments.
This sets the default to 25% of the mbuf cluster maximum (hint
from beck). And the example in the manpage is sane now.
ok mikeb henning beck deraadt
|
|
and put them into the main filtering section, at least for now;
ok henning
|
|
|
|
|
|
load balancing case, this allows Weighted Least States (WLS).
Everything prepared on c2k11 with help from mcbride@.
This finally makes PF ready for the cloud.
ok henning@ mikeb@ pyr@
|
|
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler
|
|
ok henning
|
|
characters;
prompted by a diff from robert peichaer org
thanks gilles and henning for feedback
ok deraadt zinke
|
|
|
|
the patch was started by todd about a year ago and have been
finally finished by phessler and myself today; discussed with
and tweaks from jmc, ok sthen, henning
|
|
Issue reported by Felix Rust; ok jmc@
|
|
from Sebastian Benoit <benoit-lists at fb12.de>, ok/input jmc, reminder/input
deraadt and too much of a trail to mention all of it, thx everybody involved
|
|
ok jmc henning sthen claudio
|
|
ok henning, mcbride, jmc
|
|
From: william dunand <william.dunand at gmail.com>
|
|
When one of the state limits is reached, further packets that would
create state are dropped, until existing states time out. Discussed
with mcbride, ok henning, jmc
|
|
ok deraadt
|
|
ok henning
|
|
- zap trailing whitespace
|
|
Diff from zinke@ with a some minor cleanup.
ok henning claudio deraadt
|
|
|
|
ok henning
|
|
|
|
|
|
i added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo
|
|
ok mcbride@ henning@
|
|
the standard OpenBSD-style parse.y handle continuing lines with backslashes,
paying particular attention to how comments are handled (which can cause
nasty side-effects if you're not expecting it).
Most wording from jmc@, with suggestions from fgsch@, marc@, Richard Toohey,
patrick keshishian and Florian Obser, ok jmc@.
|
|
config load time. This may change in future but for now it's better to
document it.
|
|
ok henning
|
|
|
|
'you are not allowed to speak until you commit' mikeb@
|
|
ok jmc@
|
|
diff from patrick keshishian on misc for this
- document that packets passed by default, matching neither block nor
pass rules, are effectively created with "no state"; as discovered by tedu
...after much discussion on misc and with henning
|
|
with tweaks from jmc
|
|
the redirect; the sample rule used "match" for the general case which
negated the exemptions. From Harald Dunkel.
|
|
no-df, random-id, set-tos for IPv6 rules. Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@
|
|
ok henning
|
|
|
|
From: Thomas Pfaff <tpfaff@tp76.info>
|
|
ok henning
- while here, knock out a bad .Pp
|
|
actually look at the manpage when changing it. ok jmc
|
|
|
|
and mention the constraints for use in the "unnatural" direction
ok claudio ryan dlg
|
|
|
|
PR 6448 pjp at centroid dot eu
|
|
- include translation options
- include "scrub"
- don't include max-mss etc, which aren't used directly rather they
are written like 'match ... scrub (max-mss xxx)'
ok jmc@ henning@
|
|
part of filtering.
ok henning@
|
|
ok henning
|
