Age | Commit message | Author |
|
ok henning@
|
those tags later on.
ok dhartmei@ pb@ mcbride@ frantzen@
|
ok henning@ frantzen@
|
number of state table entries grows, so entries time out faster before
the table fills up. Works both globally and per-rule. ok frantzen@
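As an added illustration of the adaptive timeout scaling the message above refers to (example code written for this page, not code from the commit or from pf itself): pf.conf(5) documents that once the state count exceeds adaptive.start, timeouts are scaled linearly by (adaptive.end - states) / (adaptive.end - adaptive.start), reaching zero at adaptive.end, and that a rule's own adaptive values take precedence over the global ones. The struct layout and function names below are this example's own assumptions.

```c
/* Added example: linear adaptive-timeout scaling as documented in pf.conf(5).
 * Stand-alone illustration; the struct layout and names are assumptions of
 * this example and are not pf's own code. */
#include <stdint.h>
#include <stdio.h>

struct adaptive {
    uint32_t start;   /* scaling begins above this many states (0 = unset) */
    uint32_t end;     /* timeouts reach zero at this many states */
};

struct limits {
    struct adaptive global;  /* "set timeout { adaptive.start, adaptive.end }" */
    uint32_t global_states;  /* current size of the whole state table */
};

struct rule {
    struct adaptive adaptive;  /* per-rule override, 0/0 if not set */
    uint32_t states;           /* states currently held by this rule */
};

/* Return the effective timeout in seconds for a state created by `r`.
 * Per-rule adaptive values win when the rule sets them; otherwise the
 * global values and the global state count apply. */
uint32_t adaptive_timeout(uint32_t timeout, const struct rule *r,
                          const struct limits *l)
{
    uint32_t start, end, states;

    if (r->adaptive.start != 0) {
        start = r->adaptive.start;
        end = r->adaptive.end;
        states = r->states;
    } else {
        start = l->global.start;
        end = l->global.end;
        states = l->global_states;
    }

    /* Scaling disabled, misconfigured (end <= start), or not yet reached. */
    if (end == 0 || start >= end || states <= start)
        return timeout;
    /* At or beyond adaptive.end every timeout collapses to zero. */
    if (states >= end)
        return 0;
    /* Linear interpolation: full timeout at start, zero at end.  A 64-bit
     * intermediate keeps tcp.established (86400 s) from overflowing. */
    return (uint32_t)((uint64_t)timeout * (end - states) / (end - start));
}

int main(void)
{
    struct limits l = { .global = { 6000, 12000 }, .global_states = 9000 };
    struct rule plain = { .adaptive = { 0, 0 }, .states = 0 };
    struct rule capped = { .adaptive = { 100, 200 }, .states = 150 };

    printf("tcp.established, 9000 of 12000 global states: %u s\n",
           adaptive_timeout(86400, &plain, &l));
    printf("per-rule 150 of 200 states, 60 s timeout: %u s\n",
           adaptive_timeout(60, &capped, &l));
    return 0;
}
```

With the table half way between start and end, every timeout is halved; a rule that carries its own adaptive values is scaled by its own state count even when the global table is nowhere near its limit.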
|
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@
|
Prepare for anchors, improve robustness.
WARNING: need to sync kernel/userland.
ok dhartmei@
|
-DIOCCHANGERULE (just the affected rule)
-DIOCCOMMITRULES (all filter rules that get committed - one anchor or main rs)
-DIOCCOMMITALTQS (all filter rules, main set plus all anchors)
This fixes a whole bunch of issues.
Previously, this was done in userland at load time. This worked fine for the
usual case, full ruleset load. It did not work inside anchors, as the queue
name <-> queue ID mapping is unknown there. Also, if the queue definitions
were changed without reloading the rules too (pfctl -A), the queue IDs on
the rules were not updated.
The three ioctls mentioned above are all entry points where the mapping is
touched.
Helpful discussion with dhartmei@ and cedric@ helped verify that my approach
for this fix was right.
ok dhartmei@ cedric@
|
so states created by rules in anchors correctly use rule options like
routing and (soon) queues...
Rule number bumped to 32 bit value.
USERLAND NEEDS TO BE RECOMPILED.
ok dhartmei@ henning@
|
implicit "pass all" first rule match and remove all "r == NULL"
tests which are now useless.
ok dhartmei@
|
field of a new pf_default_rule structure.
ok dhartmei@
|
States can still be created without a rule for people who have only
NAT rules, for example.
|
ok dhartmei@
|
Fix a bunch of issues.
Removal of unneeded (r != null) tests coming soon...
ok dhartmei@
|
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@
|
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@
|
ok dhartmei@
|
name. ok henning@, mcbride@, cedric@
|
2) add new PFR_FLAG_REPLACE for use by pfr_tst_addrs().
3) add new pfrio_nmatch alias to pfioc_table, set by pfr_tst_addrs().
Tested on i386, sparc64
|
ok dhartmei@ henning@
|
Precursor to removing rule.action from skip steps.
Also a couple of other small fixes:
- s/PF_RULESET_RULE/PF_RULESET_FILTER/
- replacement of 4 with PF_RULESET_MAX in pfvar.h struct ruleset {
- error handling in ioctl of an invalid value in rule.action
- counting evaluations and matching packets for scrub rules
ok henning@ dhartmei@
|
normal configurations, and sufficient for many. You can always increase
it, if you need more concurrent states and have enough memory (65000 for
64MB RAM, for instance). Suggested earlier by henning@. ok mcbride@
|
ok dhartmei@, mcbride@, henning@
|
- set rpool.cur in DIOCCHANGERULE
- check to make sure rpool.list is not empty if we're doing translation
or routing other than fastroute
ok dhartmei@ henning@
|
Solves the crashes in pf_route() with -current.
Reports from Michael Lucas and Bjorn Runaker.
|
we don't need the second list of addresses for DIOCCHANGE* operations)
Also get rid of a bug where DIOCBEGINADDRS clears pabuf[1] when pabuf[0]
is the one being used.
ok henning@ dhartmei@
|
Unlike with filter rules, nat rules inside anchors might be pointed to.
|
evaluation, packet, byte and state entry counters similar to -vsr. Helps
verify whether/how often translation rules are evaluated/matched.
ok frantzen@, henning@
|
main purpose is making them regress-testable.
|
skip steps on translation rules.
Also:
- Require a ticket for DIOCCHANGERULE operations to prevent races.
- Remove pf_compare_* functions from pf_ioctl.c. DIOCCHANGE* operations
use a rule number, and comparisons happen in userland.
Testing and fixes from dhartmei@ and frantzen@
ok dhartmei@ henning@
|
This allows for a second queue on pf_rule.
Assign packets with tos 0x10 (lowdelay) to this one.
If the second queue isn't specified, set pqid = qid.
idea dhartmei@
ok dhartmei@ frantzen@ deraadt@
|
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.
Idea and ok deraadt@
|
freeing rules. Fixes a number of potential memory leaks and other bugs.
- Add new pool_ticket to ensure that address pools don't get messed
with by someone else while we add rules.
- Add a second address pool buffer, so that DIOCCHANGE* operations which use
pf_compare* will work correctly.
Excellent bug report and analysis from DJ Gregor.
ok dhartmei@ henning@
|
PF_CHANGE_REMOVE from dereferencing a NULL pointer.
Noticed by dhartmei@
ok dhartmei@
|
After altq gets flushed, altq forgot that it was enabled, since
altq is actually detached with an empty ruleset.
So, add a variable, pfaltq_running, to remember the running state
and re-enable altq when a new ruleset is loaded.
noticed, tested, and oked by henning@
|
and rdr, as well as route-to, dup-to and reply-to.
Addresses can be allocated in a number of ways:
- masking out the network portion of the address and replacing it
- randomly assigning an address in the block
- hashing the source address and a key to determine the redirection address
- iterating through the addresses sequentially (this is the only allocation
scheme which works when a list of addresses is specified)
ok dhartmei@ henning@
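As an added illustration of the four allocation schemes listed above, for a single IPv4 translation block (example code written for this page, not code from the commit or from pf's pf_map_addr()): bitmask keeps the host bits of the original address and swaps in the pool's network bits; random fills the host bits from a random source; source-hash derives them from a keyed hash of the source address, so one client keeps a stable mapping; round-robin walks the pool sequentially and is the only scheme that also works over an explicit address list. The struct, the injectable random source and the FNV-1a hash keyed by XOR are this example's assumptions; pf's own keyed hash is not reproduced here.

```c
/* Added example: the four pool address allocation schemes named in the
 * commit message, for IPv4 addresses held in host byte order.  Stand-alone
 * illustration with its own struct and names; not pf's pf_map_addr(). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum pool_opt { POOL_BITMASK, POOL_RANDOM, POOL_SRCHASH, POOL_ROUNDROBIN };

struct pool {
    enum pool_opt opt;
    uint32_t net;            /* pool network, e.g. 10.0.0.0 */
    uint32_t mask;           /* pool netmask, e.g. 0xffffff00; never 0 here */
    uint32_t key;            /* source-hash key (assumed 32-bit) */
    const uint32_t *list;    /* explicit address list, round-robin only */
    size_t nlist;
    size_t cur;              /* round-robin cursor */
    uint32_t (*rnd)(void);   /* random source, injectable for testing */
};

/* FNV-1a over the four source-address bytes, keyed by XORing the key into
 * the offset basis.  A stand-in hash for this example, not the one pf uses. */
static uint32_t keyed_hash(uint32_t src, uint32_t key)
{
    uint32_t h = 2166136261u ^ key;
    for (int i = 0; i < 4; i++) {
        h ^= (src >> (8 * i)) & 0xffu;
        h *= 16777619u;
    }
    return h;
}

/* Pick the translation address for a packet whose original address is
 * `saddr`.  Returns 0 for an empty explicit list. */
uint32_t pool_map(struct pool *p, uint32_t saddr)
{
    uint32_t netbits = p->net & p->mask;
    uint32_t hostmask = ~p->mask;

    switch (p->opt) {
    case POOL_BITMASK:
        /* Replace only the network portion; host bits pass through. */
        return netbits | (saddr & hostmask);
    case POOL_RANDOM:
        return netbits | (p->rnd() & hostmask);
    case POOL_SRCHASH:
        /* Same source address and key always yield the same address. */
        return netbits | (keyed_hash(saddr, p->key) & hostmask);
    case POOL_ROUNDROBIN:
        if (p->list != NULL) {
            if (p->nlist == 0)
                return 0;
            uint32_t a = p->list[p->cur];
            p->cur = (p->cur + 1) % p->nlist;
            return a;
        }
        /* Single block: step through its host addresses and wrap.
         * hostmask + 1 is the number of addresses in the block. */
        {
            uint32_t a = netbits | ((uint32_t)p->cur & hostmask);
            p->cur = (p->cur + 1) % ((size_t)hostmask + 1);
            return a;
        }
    }
    return 0;
}

static uint32_t fixed_rnd(void) { return 0x12345678u; } /* demo "randomness" */

static void show(const char *name, uint32_t a)
{
    printf("%-12s %u.%u.%u.%u\n", name, a >> 24, (a >> 16) & 0xffu,
           (a >> 8) & 0xffu, a & 0xffu);
}

int main(void)
{
    uint32_t src = 0xc0a8014du;                        /* 192.168.1.77, constructed */
    struct pool bm = { POOL_BITMASK, 0x0a000000u, 0xffffff00u, 0, NULL, 0, 0, NULL };
    struct pool rn = { POOL_RANDOM, 0x0a000000u, 0xffffff00u, 0, NULL, 0, 0, fixed_rnd };
    struct pool sh = { POOL_SRCHASH, 0x0a000000u, 0xffffff00u, 0xdeadbeefu, NULL, 0, 0, NULL };
    static const uint32_t ext[] = { 0xc6336401u, 0xc6336402u }; /* 198.51.100.1-2 */
    struct pool rr = { POOL_ROUNDROBIN, 0, 0xffffffffu, 0, ext, 2, 0, NULL };

    show("bitmask", pool_map(&bm, src));
    show("random", pool_map(&rn, src));
    show("source-hash", pool_map(&sh, src));
    for (int i = 0; i < 3; i++)
        show("round-robin", pool_map(&rr, src));
    return 0;
}
```

The bitmask result for 192.168.1.77 against 10.0.0.0/24 is 10.0.0.77; the round-robin cursor is the per-pool state that DIOCCHANGERULE has to carry over (the later "set rpool.cur in DIOCCHANGERULE" entry above), since losing it restarts the walk from the first address.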
|
dhartmei@ ok
|