| Commit message (Collapse) | Author | Age | Files | Lines |
OK kn@, sashan@, florian@
Missed in previous
pf(4) returns EINVAL for DIOCGETRULE, DIOCGETRULES and DIOCGETRULESET if
the specified anchor does not exist.
Extend and rename {pfr -> pf}_strerror() to make error message more
consistent.
There are other occasions as well but those need additional tweaks;
that's stuff for another diff.
OK and rename from sashan
All optimizations work on actual rules; if there are none, return early.
While here, tell which ruleset/anchor is being optimized to make the debug
message actually useful.
OK mikeb
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
Left behind in pfctl_parser.h revision 1.91
"First pass at removing the 'pf_pool' mechanism [...]"
These functions don't exist anymore, no object change.
OK procter
In r1.39 I removed the `af' parameter from `unmask()' but accidentally zapped
the macro's closing parenthesis.
Since DEBUG() is needlessly under an OPT_DEBUG guard, this was not
affecting normal builds.
Add the missing ')' and remove the ifdef.
OK sashan
This has been unused for years.
While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.
OK sashan
OK bluhm@
OK bluhm@
Spotted by the Echelon team with AppChecker static analyzer.
ok sashan@
ports is ready, <net/pfvar.h> will stop including a pile of baloney.
CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.
ok millert@
Careful second audit by millert
reorder rules incorrectly, i.e.:
pass rtable 2
pass from 10/16 rtable 0
pass from 10.1/16 rtable 1
so with this ruleset a packet from 10/16 will end up in rtable 0.
now let's see what pfctl makes out of it, with default optimization:
<brahe@tachi> pfctl $ pfctl -nvf t.conf
pass inet from 10.0.0.0/16 to any flags S/SA rtable 0
pass inet from 10.1.0.0/16 to any flags S/SA rtable 1
pass all flags S/SA rtable 2
OUPS! a packet from 10/16 will end up in rtable 2 now.
found by phessler, fix by yours truly, from EuroBSDcon
ok beck phessler benno mikeb sthen
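The hazard this commit describes, as an added illustration that is not code from the OpenBSD tree: a small Python model of pf's evaluation order (last matching rule wins unless a matching rule is `quick`) run over the two rule orderings quoted above. The parser only understands the `pass [quick] [from PREFIX] rtable N` subset used here and skips the other tokens pfctl -nv prints; the address shorthand expansion (`10/16` to `10.0.0.0/16`) and the `order_sensitive()` check are assumptions of this example, not pfctl behaviour.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the pass/rtable subset of pf syntax quoted in the
# commit message; it is not pfctl's parser or the kernel's rule matcher.

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network   # source prefix; 0.0.0.0/0 means "any"
    rtable: int                  # routing table the rule selects
    quick: bool = False          # "quick": stop at the first match


def expand_prefix(text):
    """Expand pf's abbreviated address form, e.g. '10/16' -> 10.0.0.0/16."""
    if text == "any":
        return ANY
    addr, _, plen = text.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"))


def parse_rule(line):
    """Parse 'pass [quick] [inet] [from PREFIX] [to any] [flags X] rtable N'.

    Only the tokens needed for this illustration are interpreted; the rest
    of what pfctl -nv prints ('inet', 'all', 'to any', 'flags S/SA') is skipped.
    """
    toks = line.split()
    if not toks or toks[0] != "pass":
        raise ValueError("only 'pass' rules are modelled: %r" % line)
    src, rtable, quick = ANY, 0, "quick" in toks
    i = 1
    while i < len(toks):
        if toks[i] == "from":
            src = expand_prefix(toks[i + 1])
            i += 2
        elif toks[i] == "rtable":
            rtable = int(toks[i + 1])
            i += 2
        else:
            i += 1
    return Rule(src, rtable, quick)


def lookup_rtable(rules, src_ip, default=0):
    """pf evaluation order: the LAST matching rule wins, unless a matching
    rule carries 'quick', in which case evaluation stops at that rule."""
    ip = ipaddress.ip_address(src_ip)
    winner = None
    for rule in rules:
        if ip in rule.src:
            winner = rule
            if rule.quick:
                break
    return winner.rtable if winner else default


def order_sensitive(rules_a, rules_b, samples):
    """Return the sample addresses whose selected rtable differs between two
    orderings of the same rules: a cheap check that a reordering is unsafe."""
    return sorted(ip for ip in samples
                  if lookup_rtable(rules_a, ip) != lookup_rtable(rules_b, ip))


# The ruleset from the commit message, in the order the admin wrote it ...
ORIGINAL = [parse_rule(s) for s in (
    "pass rtable 2",
    "pass from 10/16 rtable 0",
    "pass from 10.1/16 rtable 1",
)]

# ... and in the order the optimizer emitted it before this fix.
REORDERED = [parse_rule(s) for s in (
    "pass inet from 10.0.0.0/16 to any flags S/SA rtable 0",
    "pass inet from 10.1.0.0/16 to any flags S/SA rtable 1",
    "pass all flags S/SA rtable 2",
)]

# Constructed sample source addresses: one per prefix plus one outside both.
SAMPLES = ["10.0.5.1", "10.1.2.3", "192.0.2.1"]

if __name__ == "__main__":
    for ip in SAMPLES:
        print(ip, "original ->", lookup_rtable(ORIGINAL, ip),
              "reordered ->", lookup_rtable(REORDERED, ip))
    print("rtable changed for:", order_sensitive(ORIGINAL, REORDERED, SAMPLES))
```

Running it reproduces the commit's observation: a packet from 10.0.5.1 selects rtable 0 under the original order and rtable 2 under the reordered one, and `order_sensitive()` flags both 10/16 addresses, which is the kind of check a ruleset optimizer needs before it moves rules that differ in anything other than their match criteria.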
2/2 from Lawrence Teo <lteo at devio dot us>
ok sthen dlg and myself
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.
Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing
ok bluhm; various previous versions ok henning, claudio, mpf, markus
ok mcbride@ henning@
This allows writing rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@
the partial loading of a ruleset (leaving anchors aside) is wrong and
conflicts with the general idea of how pf works. last but not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.
Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.
ok henning dlg claudio
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing
which unbreaks ie route-to after the recent pf changes.
With much help debugging and pointing out of missing bits from claudio@
ok claudio@ "looks good" henning@
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too
It shows up in pfctl verbose mode and in the 7th field of the labels
output. Also remove the label printing for scrub rules, as they
do not support labels.
OK dhartmei@ (on an earlier version), henning@, mcbride@
in the inline anchor. Fixes optimizer bug where automatic table creation in
inline anchors fails because rules are now loaded after optimization
and no transaction has been opened for the anchor.
bug reported by Henrik Johansen
ok henning dhartmei
sys/dev/pci/pciide.c from naddy@
"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]
You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.
cleanup and ok henning@
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").
anchor on fxp0 {
pass in proto tcp port 22
}
The anchor name is optional on inline loaded anchors.
testing ckuethe@
ok henning@ dhartmei@
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.
bugfix feedback claudio@; ok claudio@ and dhartmei@
matches the counters on states now. also fix the counting on scrub rules
where we previously did not handle the byte counters at all.
extend pfctl -sl output to include the new separate in/out counters
hacked on the ferry from Earls Cove to Saltery Bay
ok ryan
optimization barriers to prevent table merging or rule re-ordering
ok dhartmei@
them default to BREAKs. no functional change
an optimization block break
ok dhartmei@
merge its destination address. caught by an assertion. it's tempting to do
recursive reduction here to pick that low hanging fruit....
bug report from <gustavo AT hades DOT uint8t DOT org>
single table causing a ruleset load error and eventually a double-free.
bug report and testing from martin{AT}spamcop net
the table calls fails and the optimizer is gonna bomb out
- remove identical and subsetted rules
- when advantageous merge rules w/ similar addresses into a table and one rule
- re-order rules to improve skip step performance (can do better w/ kernel mods)
- 'pfctl -oo' will load the currently running ruleset and use it as a profile
to direct the optimization of quicked rules
ok henning@ mcbride@. man page help from jmc@