Age | Commit message | Author |
|
definition of DPFPRINTF(), and log priorities from syslog.h. Old debug
levels will still work for now, but will eventually be phased out.
discussed with henning, ok dlg
|
|
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.
Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.
ok henning dlg claudio
|
|
the resized buffer.
From Pawel Jakob Dawidek via Max Laier via Marc Balmer via tech@.
As was the previous commit where I didn't mention Pawel.
'should be olright' henning@
|
|
not the other way. At least partial fix for interfaces with >64
aliases. From Max Laier via Marc Balmer.
'seems right' sthen@ ok markus@
|
|
transactional, closing PRs 4941 and 5910. Minor flag day, requires rebuild
of userland tools that use struct pfi_kif.
ok henning deraadt
|
|
whether we're called from the interrupt context to the functions
performing allocations.
Looked at by mpf@ and henning@, tested by mpf@ and Antti Harri,
the pr originator.
ok tedu
|
|
because it conflicted with the change he did in pf_if.c earlier.
He finally woke up to ok (well, ``yes'', really) this version now.
|
|
PR_WAITOK | PR_LIMITFAIL. from discussion with art. ok ryan claudio thib
|
|
|
|
This prevents a null-deref when empty groups are used in set loginterface.
Fixes PR 5628 as reported by Andreas Bihlmaier.
Bad mpf :(
OK henning@
|
|
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.
OK henning@, markus@
|
|
-remove useless casts
-MALLOC/FREE -> malloc/free
-use M_ZERO where appropriate instead of separate bzero
feedback & ok krw, hshoexer
|
|
MGET* macros were changed to function calls, there wasn't any
need for the pool declarations and the inclusion of pool.h
From: tbert <bret.lambert@gmail.com>
|
|
|
|
(s6_addr16[1] filled)
ok dhartmei
|
|
pass to (ifgroup)
style notation.
instead of walking the list of associated dynaddrs with a pf-abstracted
interface which might not be present when there is no reference
to them in the ruleset, and checking their pointer back to the interface
for group memberships, walk the groups an interface is member of
directly. even makes the code easier.
tests & ok bob ryan markus + tested moritz
|
|
- Introduces a rw_lock in pfioctl so that we can have concurrent readers
but only one process performing updates at a time;
- Separates state expiry into "unlink" and "free" parts; anyone can unlink
a state/src node from the RB trees at any time, but a state can only be
freed whilst the write lock is held;
- Converts state_updates into list state_list containing all states,
regardless of whether they are "linked" or "unlinked";
- Introduces a new PFTM_UNLINKED state that is used on the "unlinked" states
to signal that they can be freed;
- Converts pf_purge_expired_state to an "unlink" state routine, which only
unlinks the state from the RB trees. Freeing the state/src nodes is left
to the purge thread, which runs whilst holding a write lock, such that all
"next" references remain valid;
- Converts pfsync_bulk_update and DIOCGETSTATES to walk state_list rather
than the RB trees;
- Converts the purge thread to use the new state_list and perform a partial
purge every second, with the target rate a full state table walk every
PFTM_INTERVAL seconds.
seen by mcbride, henning, dhartmei pre-3.8, but too intrusive for then
|
|
to search for a particular entry in the RB trees are at the start of the
structure.
This permits us to place a much smaller structure on the stack in the
interrupt paths that match packets against state entries.
ok mcbride
|
|
to that in rev 1.40 for interface groups.
ok henning
|
|
"validating" it, pass the bits to be ignored down to the validating
function in its allowedflags argument. Saves a 1kB+ stack allocation.
ok henning@
|
|
notice that this kif is not referenced and not attached to an interface
or a group and actually deletes it. plugs a memleak, PR 4267 is caused by
this.
|
|
|
|
|
|
|
|
|
|
a group, or there cannot be addresses associated with it. so we can get rid
of checking kifs in the 3rd case and just be done with it.
-we don't need to try to manually clear the table used for the (interface)
notation when both the ifp and the group pointers are NULL, the pfr_set_addrs
call will do the right thing with an empty set of addrs
suggested by cedric, ryan ok
|
|
|
|
|
|
update the internal tables used for (ifgroup) notation
|
|
all IPs on all interfaces in testgroup
|
|
pf's interface abstraction, just attach a linked list of the dynaddrs to
the respective kifs. makes things way easier and will be needed for the next
step, ryan jajajaja
|
|
the way it is done is completely retarded, needs fixing
with ryan
|
|
|
|
pass on mygroup ...
markus ok
|
|
|
|
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
Vancouver and yesterday here in Calgary. it hurt.
ok ryan theo
|
|
panicking at detach time.
ok dhartmei@ henning@
|
|
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@
|
|
from Max Laier.
|
|
ok mcbride@
|
|
side effects in IPv6 land, noticed by Johan Fredin <griffin@legonet.org>
|
|
from Max Laier <max@love2party.net>
|
|
create an interface entry with the same name. Prevents panics due to
subsequent invalid refcounting.
from Chris Pascoe
ok dhartmei@ henning@
|
|
ok henning@
|
|
which drivers are hotpluggable. since we removed the stupid check from pfctl
a few days ago nothing relies on this any more.
ok pb@ mcbride@
|
|
ok millert@
|
|
things such that code that only needs a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.
ok art@ niklas@ nordin@
|
|
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@
|
|
Also comment #endif properly while being here
ok mcbride@
|
|
|