#
948e8413 |
|
02-Jan-2024 |
Kristof Provost <kp@FreeBSD.org> |
pflog: pass the action to pflog directly

If a packet is malformed, it is dropped by pf(4). The rule referenced in pflog(4) is the default rule. As the default rule is a pass rule, tcpdump printed "pass" although the packet was actually dropped. Use the actual action, rather than the rule's action, or an attempt at guessing the correct action.

Inspired by OpenBSD's 'pflog(4) logs packet dropped by default rule with block.' commit.

Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
95ee2897 |
|
16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
sys: Remove $FreeBSD$: two-line .h pattern

Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/
|
#
f2064dd1 |
|
12-Jul-2023 |
Kajetan Staszkiewicz <vegeta@tuxpowered.net> |
pf: Fix duplicate storage of direction

The variable storing the direction of a processed packet is passed around to many functions. Most of those functions already have a pointer to struct pf_pdesc which also contains the direction. By using the one in struct pf_pdesc we can reduce the amount of arguments passed around.

Reviewed by: kp
Sponsored by: InnGames GmbH
Differential Revision: https://reviews.freebsd.org/D41008
|
#
4daa31c1 |
|
01-Feb-2022 |
Kristof Provost <kp@FreeBSD.org> |
pflog: align header to 4 bytes, not 8

6d4baa0d01 incorrectly rounded the length of the pflog header up to 8 bytes, rather than 4.

PR: 261566
Reported by: Guy Harris <gharris@sonic.net>
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
dc04fa80 |
|
15-Dec-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf: make if_pflog.h self-contained

Reviewed by: imp
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D33503
|
#
6d4baa0d |
|
02-Dec-2021 |
Kristof Provost <kp@FreeBSD.org> |
if_pflog: fix packet length

There were two issues with the new pflog packet length. The first is that the length is expected to be a multiple of sizeof(long), but we'd assumed it had to be a multiple of sizeof(uint32_t).

The second is that there's some broken software out there (such as Wireshark) that makes incorrect assumptions about the amount of padding. That is, Wireshark assumes there's always three bytes of padding, rather than however much is needed to get to a multiple of sizeof(long).

Fix this by adding extra padding, and a fake field to maintain Wireshark's assumption.

Reported by: Ozkan KIRIK <ozkan.kirik@gmail.com>
Tested by: Ozkan KIRIK <ozkan.kirik@gmail.com>
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D33236
|
#
76c5eecc |
|
29-Oct-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf: Introduce ridentifier

Allow users to set a number on rules which will be exposed as part of the pflog header. The intent behind this is to allow users to correlate rules across updates (remember that pf rules continue to exist and match existing states, even if they're removed from the active ruleset) and pflog.

Obtained from: pfSense
MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32750
|
#
fe267a55 |
|
27-Nov-2017 |
Pedro F. Giffuni <pfg@FreeBSD.org> |
sys: general adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I was using misidentified many licenses so this was mostly a manual - error prone - task.

The Software Package Data Exchange (SPDX) group provides a specification to make it easier for automated tools to detect and summarize well known opensource licenses. We are gradually adopting the specification, noting that the tags are considered only advisory and do not, in any way, supersede or replace the license texts.

No functional change intended.
|
#
3b3a8eb9 |
|
14-Sep-2012 |
Gleb Smirnoff <glebius@FreeBSD.org> |
o Create directory sys/netpfil, where all packet filters should reside, and move there ipfw(4) and pf(4).

o Move most modified parts of pf out of contrib.

Actual movements:

sys/contrib/pf/net/*.c -> sys/netpfil/pf/
sys/contrib/pf/net/*.h -> sys/net/
contrib/pf/pfctl/*.c -> sbin/pfctl
contrib/pf/pfctl/*.h -> sbin/pfctl
contrib/pf/pfctl/pfctl.8 -> sbin/pfctl
contrib/pf/pfctl/*.4 -> share/man/man4
contrib/pf/pfctl/*.5 -> share/man/man5
sys/netinet/ipfw -> sys/netpfil/ipfw

The arguable movement is pf/net/*.h -> sys/net. There are future plans to refactor pf includes, so I decided not to break things twice.

Not modified bits of pf left in contrib: authpf, ftp-proxy, tftp-proxy, pflogd.

The ipfw(4) movement is planned to be merged to stable/9, to make head and stable match.

Discussed with: bz, luigi
|