333187 |
02-May-2018 |
kp |
MFC r333084:
pfctl: Don't break connections on skipped interfaces on reload
On reload we used to first flush everything, including the list of skipped interfaces. This can lead to termination of these connections if they send packets before the new configuration is applied.
Note that this doesn't currently happen on 12 or 11, because of special EACCES handling introduced in r315514. This special behaviour in tcp_output() may change, hence the fix in pfctl.
PR: 214613 Submitted by: Andreas Longwitz <longwitz at incore.de> |
328649 |
01-Feb-2018 |
pfg |
MFC r328497: pfctl(8): Fix two wrong conditions.
Caught by gcc80's -Wtautological-compare option.
MFC after: 5 days Reviewed by: kp Obtained from: DragonFlyBSD (git e3cdbf6c) |
326414 |
30-Nov-2017 |
kp |
MFC r325850: pfctl: teach route-to to deal with interfaces with multiple addresses
The route_host parsing code set the interface name, but only for the first node_host in the list. If that one happened to be the inet6 address and the rule wanted an inet address it'd get removed by remove_invalid_hosts() later on, and we'd have no interface name.
We must set the interface name for all node_host entries in the list, not just the first one.
PR: 223208 |
307409 |
16-Oct-2016 |
sevan |
MFC r306614: Note the version PF first appeared in FreeBSD & which version it was ported from. Address the contractions raised by igor.
PR: 212574 Approved by: bcr (mentor) Differential Revision: https://reviews.freebsd.org/D8105 |
304281 |
17-Aug-2016 |
kp |
MFC r303663:
pfctl: Allow TOS bits to be cleared
TOS value 0 is valid, so use 256 as an invalid value rather than zero. This allows users to enforce TOS == 0 with pf.
Reported by: Radek Krejča <radek.krejca@starnet.cz> |
303865 |
09-Aug-2016 |
loos |
MFC r303760:
Fix a regression in pf.conf while parsing the 'interval' keyword.
The bug was introduced by r287009.
PR: 210924 Submitted by: kp@ Sponsored by: Rubicon Communications (Netgate) |
300514 |
23-May-2016 |
loos |
MFC r297984:
Make pfctl(8) more flexible when parsing bandwidth values.
This is the current behaviour in OpenBSD and a similar patch exists in pfSense too.
Obtained from: OpenBSD (partly - rev. 1.625) Sponsored by: Rubicon Communications (Netgate) |
298133 |
16-Apr-2016 |
loos |
MFC r287009, r287120 and r298131:
Add ALTQ(9) support for the CoDel algorithm.
CoDel is a parameterless queue discipline that handles variable bandwidth and RTT.
It can be used as the single queue discipline on an interface or as a sub discipline of existing queue disciplines such as PRIQ, CBQ, HFSC, FAIRQ.
Obtained from: pfSense Sponsored by: Rubicon Communications (Netgate) |
298115 |
16-Apr-2016 |
loos |
Fix the build.
pointy hat to: loos Reported by: gjb, Herbert J. Skuhra |
298091 |
16-Apr-2016 |
loos |
MFC r284777, r284814, r284863 and r298088:
ALTQ FAIRQ discipline import from DragonFLY.
Differential Revision: https://reviews.freebsd.org/D2847 Obtained from: pfSense Sponsored by: Rubicon Communications (Netgate) |
296370 |
03-Mar-2016 |
gnn |
MFC 285730 Only report the lack of ALTQ support if pfctl is using verbose (-v) mode.
PR: 194935 Submitted by: Jim Thompson Approved by: re (gjb) |
292288 |
15-Dec-2015 |
kp |
MFC r290236
pfctl: Fix uninitialised variable
In pfctl_set_debug() we used 'level' without ever initialising it. We correctly parsed the option, but then failed to actually assign the parsed value to 'level' before performing the ioctl() to configure the debug level.
PR: 202996 Submitted by: Andrej Kolontai |
270047 |
16-Aug-2014 |
bz |
MFC r259916:
Use feature_present(3) to determine whether to open an INET or an INET6 socket when needed to allow pfctl to work on noinet and noinet6 kernels (and try to provide a fallback using AF_LINK as best effort). Adjust the Makefile to also respect relevant src.conf(5) options for compile time decisions on INET and INET6 support.
Reviewed by: glebius (no objections) |
263029 |
11-Mar-2014 |
glebius |
Merge r261882, r261898, r261937, r262760, r262799: Once pf became not covered by a single mutex, many counters in it became race prone. Some just gather statistics, but some are later used in different calculations.
A real problem was the race provoked underflow of the states_cur counter on a rule. Once it goes below zero, it wraps to UINT32_MAX. Later this value is used in pf_state_expires() and any state created by this rule is immediately expired.
Thus, make fields states_cur, states_tot and src_nodes of struct pf_rule be counter(9)s. |
256281 |
10-Oct-2013 |
gjb |
Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation
|
241052 |
29-Sep-2012 |
glebius |
- Get rid of #ifdef __FreeBSD__.
- Use correct format when printing uint64_t.
|
240497 |
14-Sep-2012 |
joel |
Minor mdoc fix.
|
240494 |
14-Sep-2012 |
glebius |
o Create directory sys/netpfil, where all packet filters should reside, and move there ipfw(4) and pf(4).
o Move most modified parts of pf out of contrib.
Actual movements:
sys/contrib/pf/net/*.c -> sys/netpfil/pf/
sys/contrib/pf/net/*.h -> sys/net/
contrib/pf/pfctl/*.c -> sbin/pfctl
contrib/pf/pfctl/*.h -> sbin/pfctl
contrib/pf/pfctl/pfctl.8 -> sbin/pfctl
contrib/pf/pfctl/*.4 -> share/man/man4
contrib/pf/pfctl/*.5 -> share/man/man5
sys/netinet/ipfw -> sys/netpfil/ipfw
The arguable movement is pf/net/*.h -> sys/net. There are future plans to refactor pf includes, so I decided not to break things twice.
Not modified bits of pf left in contrib: authpf, ftp-proxy, tftp-proxy, pflogd.
The ipfw(4) movement is planned to be merged to stable/9, to make head and stable match.
Discussed with: bz, luigi
|
198236 |
19-Oct-2009 |
ru |
Switch the default WARNS level for sbin/ to 6.
Submitted by: Ulrich Spörlein
|
171173 |
03-Jul-2007 |
mlaier |
Link pf 4.1 to the build:
- move ftp-proxy from libexec to usr.sbin
- add tftp-proxy
- new altq mtag link
Approved by: re (kensmith)
|
157721 |
13-Apr-2006 |
ru |
Add missing library dependencies.
|
145841 |
03-May-2005 |
mlaier |
Adapt Makefiles for pfctl(8) and authpf(8) to 3.7 sources.
|
136078 |
03-Oct-2004 |
mlaier |
Remove -I from CFLAGS. This slipped in with the 3.5 import (as I was building on a box with older pfvar.h installed). Didn't intend to commit it.
Requested by: ru (on a C&P to ipfw's Makefile)
|
131747 |
07-Jul-2004 |
ru |
Removed redundant and unsafe BINDIR redefinition.
|
130617 |
16-Jun-2004 |
mlaier |
Commit userland part of pf version 3.5 from OpenBSD (OPENBSD_3_5_BASE).
|
128073 |
09-Apr-2004 |
markm |
Remove advertising clause from University of California Regent's license, per letter dated July 22, 1999.
Approved by: core, imp
|
126385 |
28-Feb-2004 |
mlaier |
Add skeleton build dirs for pf userland:
libexec/ftp-proxy - ftp proxy for pf
sbin/pfctl - equivalent to sbin/ipf
sbin/pflogd - daemon logging packets via if_pflog in pcap format
usr.sbin/authpf - authentication shell to modify pf rulesets
Bring along some altq headers used to satisfy pfctl/authpf compile. This helps to keep the diff down and will make it easy to have an altq-patchset use the full powers of pf.
Also make sure that the pf headers are installed.
This does not link anything to the build. There will be a NO_PF switch for make.conf once pf userland is linked.
Approved by: bms(mentor)
|