path: root/sbin/pfilctl
Commit message | Author | Age | Files | Lines
* pfilctl: improve formatting of "hooks" and "heads" command output. | Gleb Smirnoff | 2021-03-19 | 1 | -4/+4
  In "heads" output just improve the header to describe all of the columns. In "hooks" print filter name and hook name delimited with colon, so that it matches "heads" output and also can be copy-and-pasted straight into the command line for future "link" command.
* Do a sweep and remove most WARNS=6 settings | Kyle Evans | 2020-10-01 | 1 | -1/+0
  Repeating the default WARNS here makes it slightly more difficult to experiment with default WARNS changes, e.g. if we did something absolutely bananas and introduced a WARNS=7 and wanted to try lifting the default to that. Drop most of them; there is one in the blake2 kernel module, but I suspect it should be dropped -- the default WARNS in the rest of the build doesn't currently apply to kernel modules, and I haven't put too much thought into whether it makes sense to make it so.
  Notes: svn path=/head/; revision=366304
* Hopefully fix compilation by other compilers. | Gleb Smirnoff | 2019-02-01 | 1 | -2/+1
  Notes: svn path=/head/; revision=343636
* New pfil(9) KPI together with newborn pfil API and control utility. | Gleb Smirnoff | 2019-01-31 | 3 | -0/+356
  The KPI has been reviewed and cleansed of features that were planned back 20 years ago and never implemented. The pfil(9) internals have been made opaque to protocols with only returned types and function declarations exposed. The KPI is made more strict, but at the same time more extensible, as kernel uses same command structures that userland ioctl uses.

  In a nutshell [KA]PI is about declaring filtering points, declaring filters and linking and unlinking them together.

  New [KA]PI makes it possible to reconfigure pfil(9) configuration: change order of hooks, rehook filter from one filtering point to a different one, disconnect a hook on output leaving it on input only, prepend/append a filter to existing list of filters.

  Now it is possible for a single packet filter to provide multiple rulesets that may be linked to different points. Think of per-interface ACLs in Cisco or Juniper. None of existing packet filters yet support that, however limited usage is already possible, e.g. default ruleset can be moved to single interface, as soon as interface would provide their filtering points.

  Another future feature is possibility to create pfil heads, that provide not an mbuf pointer but just a memory pointer with length. That would allow filtering at very early stages of a packet lifecycle, e.g. when packet has just been received by a NIC and no mbuf was yet allocated.

  Differential Revision: https://reviews.freebsd.org/D18951
  Notes: svn path=/head/; revision=343631