path: root/contrib/pf
Commit message | Author | Age | Files | Lines
* pf: convert DIOCRDELADDRS to netlink | Kristof Provost | 2025-08-05 | 1 | -1/+1
    Sponsored by: Rubicon Communications, LLC ("Netgate")
* pf: convert DIOCRADDADDRS to netlink | Kristof Provost | 2025-08-05 | 1 | -1/+1
    Add up to 64 addresses at once. We are limited by the netlink socket buffer, so we can only add a limited number at once.

    Sponsored by: Rubicon Communications, LLC ("Netgate")
* authpf: use libpfctl to add or remove addresses to/from a table | Kristof Provost | 2025-05-08 | 1 | -10/+11
    Sponsored by: Rubicon Communications, LLC ("Netgate")
* pfctl: follow rpool -> rdr rename | Kristof Provost | 2025-01-24 | 2 | -6/+6
    In e11dacbf8484adc7bbb61b20fee3ab8385745925 the redirect pool was renamed from rpool to rdr. It included backwards compatibility support for libpfctl users, but didn't fully implement the rename in our own code. Do so now.

    No functional change.

    Sponsored by: Rubicon Communications, LLC ("Netgate")
* pflogd: Move struct definitions out of header file | Joseph Mingrone | 2024-10-04 | 2 | -13/+11
    In libpcap 1.10.5, two structures that we relied on, pcap_timeval and pcap_sf_pkthdr, were made private. As a workaround, we initially defined the structures in pflogd.h. After further investigation, mostly by kp@, we concluded that it is reasonable to define these structures ourselves since they represent a file format and thus are unlikely to change from under us. We will stick with this solution but move the definitions out of the header file to prevent others from using pflogd.h to access them.

    Another solution that was considered was using libpcap's pcap_dump() function to write packets, but there are blockers. For example, pflogd writes to a memory buffer, and libpcap lacks support for this.

    Reviewed by: kp
    MFC after: 3 days
    Event: EuroBSDCon 2024
    Sponsored by: The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D46894
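    The commit message above gives the reasoning: pcap_timeval and pcap_sf_pkthdr describe the on-disk savefile record format, so a program that writes that format into a memory buffer (which pcap_dump() cannot target) can carry its own copies of the two structures. The block below is an added example of that approach, written for this page; it is not pflogd's or libpcap's code. It declares local copies of the two structures in the layout libpcap's savefile format uses (a 32-bit seconds/microseconds pair, then caplen and len), a writer that appends records to a caller-supplied buffer while keeping caplen equal to the bytes actually copied, and a reader that rejects any record whose caplen exceeds the snaplen or the bytes remaining, which is the check a consumer of such files needs before trusting caplen. The ex_ names, EX_SNAPLEN (160) and the sample packets are assumptions constructed for the example; a real file also begins with a 24-byte file header, which is left out here because it is not one of the structures the commit concerns.

```c
/*
 * Added example (not pflogd's or libpcap's code): pcap savefile packet records
 * written to a memory buffer via locally defined copies of the two on-disk
 * structures named in the commit message, laid out as in libpcap's savefile
 * format. The ex_ names, EX_SNAPLEN and the sample packets are constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EX_SNAPLEN 160 /* constructed snaplen; a real file carries it in the file header */

struct ex_pcap_timeval {   /* always two 32-bit fields, unlike struct timeval */
	int32_t tv_sec, tv_usec;
};
struct ex_pcap_sf_pkthdr { /* per-packet record header: 16 bytes on disk */
	struct ex_pcap_timeval ts;
	uint32_t caplen;       /* bytes stored after this header */
	uint32_t len;          /* original length on the wire */
};
/* The format is fixed: refuse to build if the ABI would add padding. */
_Static_assert(sizeof(struct ex_pcap_sf_pkthdr) == 16, "record header is 16 bytes");

/* Appends one record, cutting the payload at EX_SNAPLEN. caplen is the count
 * actually copied (len keeps the wire length), so a reader is never told to
 * consume bytes that are not there. Returns bytes appended, 0 if buf is full. */
size_t ex_write_record(uint8_t *buf, size_t cap, int32_t sec, int32_t usec,
    const uint8_t *pkt, uint32_t wirelen)
{
	uint32_t caplen = wirelen > EX_SNAPLEN ? EX_SNAPLEN : wirelen;
	struct ex_pcap_sf_pkthdr rh = { { sec, usec }, caplen, wirelen };

	if (cap < sizeof(rh) + caplen)
		return 0;
	memcpy(buf, &rh, sizeof(rh));
	memcpy(buf + sizeof(rh), pkt, caplen);
	return sizeof(rh) + caplen;
}

/* Counts the records in a buffer. A record whose caplen exceeds the snaplen or
 * the bytes left (the two ways a crafted file walks a naive reader past its
 * buffer) yields -1; so does a trailing partial header. */
int ex_count_records(const uint8_t *buf, size_t len, uint32_t snaplen)
{
	struct ex_pcap_sf_pkthdr rh;
	size_t off = 0;
	int n = 0;

	while (off < len) {
		if (len - off < sizeof(rh))
			return -1;
		memcpy(&rh, buf + off, sizeof(rh));
		off += sizeof(rh);
		if (rh.caplen > snaplen || rh.caplen > len - off)
			return -1;
		off += rh.caplen;
		n++;
	}
	return n;
}

/* Writes two constructed packets (the second is longer than EX_SNAPLEN and
 * gets truncated); returns total bytes, 0 if buf is too small. */
size_t ex_build_sample(uint8_t *buf, size_t cap)
{
	static const uint8_t pkt1[6] = { 0x45, 0x00, 0x00, 0x1c, 0xaa, 0xbb };
	uint8_t pkt2[300];
	size_t off, n;

	memset(pkt2, 0x41, sizeof(pkt2));
	if ((off = ex_write_record(buf, cap, 1700000000, 1, pkt1, 6)) == 0)
		return 0;
	if ((n = ex_write_record(buf + off, cap - off, 1700000000, 2, pkt2, 300)) == 0)
		return 0;
	return off + n; /* (16 + 6) + (16 + 160) = 198 */
}

/* Builds the sample and runs the reader. mode 0: intact (2 records); mode 1:
 * record 2's caplen overwritten with ~0 (-1); mode 2: buffer one byte short (-1). */
int ex_sample_verdict(int mode)
{
	uint8_t buf[256];
	size_t n = ex_build_sample(buf, sizeof(buf));

	if (n == 0)
		return -2;
	if (mode == 1)
		memset(buf + 22 + 8, 0xff, 4); /* past record 1 and record 2's timestamp */
	if (mode == 2)
		n--;
	return ex_count_records(buf, n, EX_SNAPLEN);
}

int main(void)
{
	printf("intact: %d, caplen forged: %d, truncated: %d\n",
	    ex_sample_verdict(0), ex_sample_verdict(1), ex_sample_verdict(2));
	return 0;
}
```

    The structures are written and read with memcpy rather than by casting the buffer, so the code stays correct on targets with strict alignment; a reader on a host of the opposite endianness from the writer would additionally have to byte-swap every field, which the magic number in the real file header is there to signal.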
* pflogd: Define structures removed in libpcap-1.10.5 | Joseph Mingrone | 2024-09-14 | 1 | -0/+13
    In libpcap-1.10.5, two structures that we rely on, pcap_timeval and pcap_sf_pkthdr, were made private.

    https://github.com/the-tcpdump-group/libpcap/commit/c2d8cbb977963be1f6cb07863e5bb59609e87fae

    Temporarily define them here to fix the build. kp and I will investigate a permanent solution at EuroBSDCon in Dublin.

    Reviewed by: kp
    Sponsored by: The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D46676
* pf: convert DIOCBEGINADDRS to netlink | Kristof Provost | 2024-06-08 | 2 | -2/+2
* pf: convert DIOCNATLOOK to netlink | Kristof Provost | 2024-06-04 | 2 | -59/+59
    Sponsored by: Rubicon Communications, LLC ("Netgate")
* man filesystems: fix xrefs after move to section 4 | Alexander Ziaee | 2024-05-16 | 1 | -2/+2
    Reviewed by: des, imp
    Pull Request: https://github.com/freebsd/freebsd-src/pull/1077
* pf: convert DIOCGETSTATUS to netlink | Kristof Provost | 2024-04-29 | 2 | -2/+2
    Introduce pfctl_get_status_h() because we need the pfctl_handle. In this variant use netlink to obtain the information.

    Sponsored by: Rubicon Communications, LLC ("Netgate")
* libpfctl: allow access to the fd | Kristof Provost | 2024-04-29 | 3 | -39/+29
    pfctl_open() opens both /dev/pf and a netlink socket. Allow access to the /dev/pf fd via pfctl_fd(). This means that libpfctl users no longer have to open /dev/pf themselves for any calls that are not yet available in libpfctl.

    Sponsored by: Rubicon Communications, LLC ("Netgate")
    MFC after: 2 weeks
* pf: convert kill/clear state to use netlink | Kristof Provost | 2024-02-28 | 1 | -3/+5
    Sponsored by: Rubicon Communications, LLC ("Netgate")
    Differential Revision: https://reviews.freebsd.org/D44090
* libpfctl: introduce a handle-enabled variant of pfctl_add_rule() | Kristof Provost | 2024-01-04 | 2 | -6/+16
    Introduce pfctl_add_rule_h(), which takes a pfctl_handle rather than a file descriptor (which it didn't use). This means that library users can open the handle while they're running as root, but later drop privileges and still add rules to pf.

    Sponsored by: Rubicon Communications, LLC ("Netgate")
* pf: Remove __FBSDID() macro use | Brooks Davis | 2023-11-21 | 4 | -12/+0
    These are local additions that no longer make sense with the transition to git.

    This partially reverts a10f530f936b7b2e3a19c406ae199b91a48f34d3.

    Reviewed by: kp, imp
    Differential Revision: https://reviews.freebsd.org/D42687
* pf (t)ftp-proxy: use libpfctl instead of DIOCGETSTATUS | Kristof Provost | 2023-08-31 | 2 | -6/+12
    Prefer libpfctl functions over direct access to the ioctl whenever possible. This will allow subsequent removal of DIOCGETSTATUS (in 15) as there already is an nvlist-based alternative.

    MFC after: 1 week
    Sponsored by: Rubicon Communications, LLC ("Netgate")
    Differential Revision: https://reviews.freebsd.org/D41647
* pf/libevent: Consistently pass evsignal to sigaction. | John Baldwin | 2023-06-20 | 1 | -1/+1
    This silences a set but unused warning from GCC.

    Reviewed by: kp
    Differential Revision: https://reviews.freebsd.org/D40649
* authpf: do not sprintf to a null pointer | Ed Maste | 2023-05-03 | 1 | -3/+2
    The fgetln loop will terminate with buf = NULL at EOF.

    Reported by: GCC
    Reviewed by: kp
    MFC after: 3 days
    Sponsored by: The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D39947
* pflogd: Do not access obsolete structure member pcap.tzoff | Joseph Mingrone | 2023-03-30 | 1 | -1/+1
    This change is in preparation for a libpcap update.

    See also: https://github.com/the-tcpdump-group/libpcap/commit/d4d65e7c4c0a6233784b346dcb0ebb7e23a3feaa
    Reviewed by: emaste
    Sponsored by: The FreeBSD Foundation
* ftp-proxy: Revert incorrect migration to libpfctl | Kristof Provost | 2021-07-01 | 1 | -4/+2
    libpfctl supports creating rules, but not (yet) adding addresses to a pool. Adding addresses certainly does not work through adding a rule.

    PR: 256917
    MFC after: 1 week
    Sponsored by: Rubicon Communications, LLC ("Netgate")
* authpf: Start using libpfctl | Kristof Provost | 2021-05-07 | 1 | -17/+18
    Use pfctl_kill_states() rather than the DIOCKILLSTATES ioctl directly.

    MFC after: 1 week
    Sponsored by: Rubicon Communications, LLC ("Netgate")
    Differential Revision: https://reviews.freebsd.org/D30057
* libpfctl: Switch to pfctl_rule | Kristof Provost | 2021-04-10 | 2 | -91/+99
    Stop using the kernel's struct pf_rule, switch to libpfctl's pfctl_rule. Now that we use nvlists to communicate with the kernel these structures can be fully decoupled.

    Reviewed by: glebius
    MFC after: 4 weeks
    Sponsored by: Rubicon Communications, LLC ("Netgate")
    Differential Revision: https://reviews.freebsd.org/D29644
* (t)ftp-proxy: use libpfctl | Kristof Provost | 2021-04-10 | 2 | -8/+18
    Reviewed by: glebius
    MFC after: 4 weeks
    Sponsored by: Rubicon Communications, LLC ("Netgate")
    Differential Revision: https://reviews.freebsd.org/D29641
* libevent1: fix layout of duplicated RB_ENTRY() definition | Kyle Evans | 2021-03-24 | 1 | -1/+0
    3a509754ded1 removed the color field from our definition, but libevent1 has a copy of it off to the side to prevent event.h consumers from *needing* to pull in sys/queue.h and sys/tree.h. Update the event.h definition so that we don't accidentally end up with two different views of struct event.

    This appears to have no functional effect on anything in tree, but this came up in a local patch to port if_switch(4) and related components from OpenBSD.

    MFC after: 1 week
* Fix escaping, otherwise Dx gets translated as the macro for DragonFly. | Sevan Janiyan | 2018-08-11 | 1 | -2/+2
    From 2018 Linuxhotel Hackathon & DevSummit

    Approved by: eadler
    Obtained from: OpenBSD r1.49
    Differential Revision: https://reviews.freebsd.org/D16616

    Notes: svn path=/head/; revision=337595
* Re-apply r190640. | Hans Petter Selasky | 2018-05-31 | 1 | -1/+0
    - Restore local change to include <net/bpf.h> inside pcap.h. This fixes ports build problems.
    - Update local copy of dlt.h with new DLT types.
    - Revert no longer needed <net/bpf.h> includes which were added as part of r334277.

    Suggested by: antoine@, delphij@, np@
    MFC after: 3 weeks
    Sponsored by: Mellanox Technologies

    Notes: svn path=/head/; revision=334418
* MFV r333789: libpcap 1.9.0 (pre-release) | Hans Petter Selasky | 2018-05-28 | 1 | -0/+1
    MFC after: 1 month
    Sponsored by: Mellanox Technologies

    Notes: svn path=/head/; revision=334277
* Rename getline with get_line to avoid collision with getline(3) | Baptiste Daroussin | 2016-05-10 | 1 | -4/+4
    When getline(3) was added in 2009, a _WITH_GETLINE guard was also added. This rename is made in preparation for the removal of this guard.

    Obtained from: OpenBSD

    Notes: svn path=/head/; revision=299354
* Fix a clang 3.8.0 warning in pflogd.c: | Dimitry Andric | 2015-12-31 | 1 | -1/+1
        contrib/pf/pflogd/pflogd.c:769:8: error: logical not is only applied to the left hand side of this comparison [-Werror,-Wlogical-not-parentheses]
                if (!if_exists(interface) == -1) {
                    ^                     ~~

    The if_exists() function does not return -1, and even if it did, it would not be the correct way to check. Just ditch the == -1 instead.

    Obtained from: OpenBSD's pflogd.c 1.49
    MFC after: 3 days

    Notes: svn path=/projects/clang380-import/; revision=293013
* Fix a couple of missing lines that obscured the -p description. | Warren Block | 2015-06-28 | 1 | -0/+2
    Submitted by: Jonathan de Boyne Pollard <J.deBoynePollard-newsgroups@NTLWorld.com>
    MFC after: 1 week

    Notes: svn path=/head/; revision=284914
* Update NetBSD Foundation copyrights to 2-clause BSD | Ed Maste | 2014-03-18 | 1 | -7/+0
    The NetBSD Foundation states "Third parties are encouraged to change the license on any files which have a 4-clause license contributed to the NetBSD Foundation to a 2-clause license."

    This change removes clauses 3 and 4 from copyright / license blocks that list The NetBSD Foundation as the only copyright holder.

    Sponsored by: The FreeBSD Foundation

    Notes: svn path=/head/; revision=263289
* Resurrect the local change documenting | Sergey Kandaurov | 2014-01-29 | 1 | -2/+7
    authpf's requirement for a mounted fdescfs(5).

    PR: docs/186250
    MFC after: 1 week

    Notes: svn path=/head/; revision=261271
* o Create directory sys/netpfil, where all packet filters should | Gleb Smirnoff | 2012-09-14 | 18 | -22161/+0
    reside, and move there ipfw(4) and pf(4).
    o Move most modified parts of pf out of contrib.

    Actual movements:
        sys/contrib/pf/net/*.c -> sys/netpfil/pf/
        sys/contrib/pf/net/*.h -> sys/net/
        contrib/pf/pfctl/*.c -> sbin/pfctl
        contrib/pf/pfctl/*.h -> sbin/pfctl
        contrib/pf/pfctl/pfctl.8 -> sbin/pfctl
        contrib/pf/pfctl/*.4 -> share/man/man4
        contrib/pf/pfctl/*.5 -> share/man/man5
        sys/netinet/ipfw -> sys/netpfil/ipfw

    The arguable movement is pf/net/*.h -> sys/net. There are future plans to refactor pf includes, so I decided not to break things twice.

    Not modified bits of pf left in contrib: authpf, ftp-proxy, tftp-proxy, pflogd.

    The ipfw(4) movement is planned to be merged to stable/9, to make head and stable match.

    Discussed with: bz, luigi

    Notes: svn path=/head/; revision=240494
* Merge the projects/pf/head branch, that was worked on for last six months, | Gleb Smirnoff | 2012-09-08 | 7 | -110/+28
    into head. The most significant achievements in the new code:
    o Fine grained locking, thus much better performance.
    o Fixes to many problems in pf, that were specific to the FreeBSD port.

    New code doesn't have that many ifdefs and much less OpenBSDisms, thus is more attractive to our developers.

    Those interested in details can browse through the SVN log of the projects/pf/head branch. And for reference, here is the exact list of revisions merged:

    r232043, r232044, r232062, r232148, r232149, r232150, r232298, r232330, r232332, r232340, r232386, r232390, r232391, r232605, r232655, r232656, r232661, r232662, r232663, r232664, r232673, r232691, r233309, r233782, r233829, r233830, r233834, r233835, r233836, r233865, r233866, r233868, r233873, r234056, r234096, r234100, r234108, r234175, r234187, r234223, r234271, r234272, r234282, r234307, r234309, r234382, r234384, r234456, r234486, r234606, r234640, r234641, r234642, r234644, r234651, r235505, r235506, r235535, r235605, r235606, r235826, r235991, r235993, r236168, r236173, r236179, r236180, r236181, r236186, r236223, r236227, r236230, r236252, r236254, r236298, r236299, r236300, r236301, r236397, r236398, r236399, r236499, r236512, r236513, r236525, r236526, r236545, r236548, r236553, r236554, r236556, r236557, r236561, r236570, r236630, r236672, r236673, r236679, r236706, r236710, r236718, r237154, r237155, r237169, r237314, r237363, r237364, r237368, r237369, r237376, r237440, r237442, r237751, r237783, r237784, r237785, r237788, r237791, r238421, r238522, r238523, r238524, r238525, r239173, r239186, r239644, r239652, r239661, r239773, r240125, r240130, r240131, r240136, r240186, r240196, r240212.

    I'd like to thank people who participated in early testing:

    Tested by: Florian Smeets <flo freebsd.org>
    Tested by: Chekaluk Vitaly <artemrts ukr.net>
    Tested by: Ben Wilber <ben desync.com>
    Tested by: Ian FREISLICH <ianf cloudseed.co.za>

    Notes: svn path=/head/; revision=240233
* Fix the upper limit bounds checking for the "rtables" keyword wrapping | Bjoern A. Zeeb | 2012-02-03 | 1 | -4/+28
    it in a function to dynamically query the currently supported number of FIBs by the kernel for FreeBSD.

    Sponsored by: Cisco Systems, Inc.

    Notes: svn path=/projects/multi-fibv6/head/; revision=230946
* Replace an OpenBSDism with a FreeBSDism in the pfctl(8) man page: we put | Robert Watson | 2012-01-05 | 1 | -1/+1
    configuration file man pages in section 5, and we prefer rc.conf to rc.conf.local.

    MFC after: 3 days

    Notes: svn path=/head/; revision=229669
* Restore a feature that was present in 5.x and 6.x, and was cleared in | Gleb Smirnoff | 2011-12-20 | 1 | -0/+17
    7.x, 8.x and 9.x with pf(4) imports: pfsync(4) should suppress CARP preemption, while it is running its bulk update.

    However, reimplement the feature in more elegant manner, that is partially inspired by newer OpenBSD:

    - Rename term "suppression" to "demotion", to match with OpenBSD.
    - Keep a global demotion factor, that can be raised by several conditions, for now these are:
      - interface goes down
      - carp(4) has problems with ip_output() or ip6_output()
      - pfsync performs bulk update
    - Unlike in OpenBSD the demotion factor isn't a counter, but is actual value added to advskew. The adjustment values for particular error conditions are also configurable, and their defaults are maximum advskew value, so a single failure bumps demotion to maximum. This is for POLA compatibility, and should satisfy most users.
    - Demotion factor is a writable sysctl, so user can do foot shooting, if he desires to.

    Notes: svn path=/head/; revision=228736
* - Fix examples to show new CARP style. | Gleb Smirnoff | 2011-12-20 | 1 | -12/+11
    - Remove OpenBSDisms, add FreeBSDisms.

    Notes: svn path=/head/; revision=228734
* Correct the description of struct pfioc_state_kill. | Bjoern A. Zeeb | 2011-07-17 | 1 | -2/+5
    PR: kern/158997
    Submitted by: ohauer

    Notes: svn path=/head/; revision=224141
* Note the PF version. | David E. O'Brien | 2011-07-07 | 1 | -2/+7
    Discussed with: bz

    Notes: svn path=/head/; revision=223849
* Update packet filter (pf) code to OpenBSD 4.5. | Bjoern A. Zeeb | 2011-06-28 | 29 | -1298/+2189
    You need to update userland (world and ports) tools to be in sync with the kernel.

    Submitted by: mlaier
    Submitted by: eri

    Notes: svn path=/head/; revision=223637
* Flatten out the pf userland vendor area | Max Laier | 2008-12-10 | 51 | -31319/+0
    Notes: svn path=/vendor/pf/dist/; revision=185872
* Add a new option -P to suppress getservbyport(3) calls when printing rules. | Bjoern A. Zeeb | 2011-06-13 | 5 | -19/+34
    This allows one to force consistent printing of numeric port numbers like we do with -n for other tools like netstat (just that -n was already taken) rather than the service names.

    -P is currently unused in OpenBSD so the change is eligible for upstreaming.

    PR: misc/151015
    Submitted by: Matt Koivisto (mkoivisto sandvine.com)
    Sponsored by: Sandvine Incorporated
    MFC after: 1 week

    Notes: svn path=/head/; revision=223057
* Enable closefrom(2) here, as we have supported it for some time now. | Christian S.J. Peron | 2010-08-05 | 1 | -4/+0
    Discussed with: mlaier
    MFC after: 2 weeks

    Notes: svn path=/head/; revision=210878
* Adapt OpenBSD pf's "sloppy" TCP state machine which is useful for Direct | Xin LI | 2009-12-24 | 4 | -4/+45
    Server Return mode, where not all packets would be visible to the load balancer or gateway.

    This commit should be reverted when we merge future pf versions. The benefit it would provide is that this version does not break any existing public interface and thus won't be a problem if we want to MFC it to earlier FreeBSD releases.

    Discussed with: mlaier
    Obtained from: OpenBSD
    Sponsored by: iXsystems, Inc.
    MFC after: 1 month

    Notes: svn path=/head/; revision=200930
* Max's changes got left out of the MRT commit. | Julian Elischer | 2008-05-09 | 1 | -15/+6
    Notes: svn path=/head/; revision=178894
* Make ALTQ cope with disappearing interfaces (particularly common with mpd | Max Laier | 2008-03-29 | 2 | -0/+38
    and netgraph in general). This also allows to add queues for an interface that is not yet existing (you have to provide the bandwidth for the interface, however).

    PR: kern/106400, kern/117827
    MFC after: 2 weeks

    Notes: svn path=/head/; revision=177700
* MFOpenBSD rev 1.393 pf.conf.5 | Remko Lodder | 2008-02-11 | 1 | -3/+3
    do not describe `/' as solidus; from Allen (freebsd pr120484);

    PR: 120484
    Submitted by: Allen <alandsidel at 1001islington dot com>
    MFC After: 3 days

    Notes: svn path=/head/; revision=176196
* Update for libpcap 0.9.8 | Max Laier | 2007-10-16 | 1 | -0/+3
    Notes: svn path=/head/; revision=172682
* Lost these during the import. Hand me the pointy hat. | Max Laier | 2007-07-03 | 2 | -0/+125
    Approved by: re (implicit)

    Notes: svn path=/head/; revision=171176
* Commit resolved import of OpenBSD 4.1 pf userland from perforce. | Max Laier | 2007-07-03 | 28 | -3423/+3641
    Approved by: re (kensmith)

    Notes: svn path=/head/; revision=171172