History log of /freebsd/sbin/pfctl/parse.y (Results 26 – 50 of 118)
Revision Date Author Comments
# 788f194f 16-Aug-2024 Kajetan Staszkiewicz <vegeta@tuxpowered.net>

pf: 'sticky-address' requires 'keep state'

When route_to() processes a packet without state, pf_map_addr() is called for
each packet. Pf_map_addr() will search for a source node and will find none
since those are created only in pf_create_state(). Thus sticky address,
even though requested in rule definition, will never work.

Raise an error when a stateless filter rule uses sticky address to avoid
confusion and to keep ruleset limitations in sync with what the pf code
really does.

Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D46310


# d9ab8999 07-Jun-2024 Kristof Provost <kp@FreeBSD.org>

pf: migrate DIOCGETLIMIT/DIOCSETLIMIT to netlink

Event: Kitchener-Waterloo Hackathon 202406


# 30bad751 05-Jun-2024 Kristof Provost <kp@FreeBSD.org>

pf: convert DIOCGETTIMEOUT/DIOCSETTIMEOUT to netlink


# dc3ee89c 05-Jun-2024 Kristof Provost <kp@FreeBSD.org>

pfctl: fix possible out-of-bounds read

Tags in $10 (filter_opts) are not guaranteed to be the maximum possible
tag length, so memcpy() can end up reading outside of the allocated
buffer.

Use strlcpy() instead.

Reported by: CheriBSD
Event: Kitchener-Waterloo Hackathon 202406


# c36c90a2 01-Jun-2024 Kristof Provost <kp@FreeBSD.org>

pf: convert DIOCSETDEBUG to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")


Revision tags: release/14.1.0, release/13.3.0
# fc6e5069 13-Dec-2023 Kristof Provost <kp@FreeBSD.org>

pflow: add RFC8158 NAT support

Extend pflow(4) to send NAT44 Session Create and Delete events.
This applies only to IPFIX (i.e. proto version 10), and requires no
user configuration.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D43114


# baf9b6d0 01-Dec-2023 Kristof Provost <kp@FreeBSD.org>

pf: allow pflow to be activated per rule

Only generate ipfix/netflow reports (through pflow) for the rules where
this is enabled. Reports can also be enabled globally through 'set
state-default pflow'.

Obtained from: OpenBSD
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D43108


Revision tags: release/14.0.0
# 7ce98cf2 06-Oct-2023 Kristof Provost <kp@FreeBSD.org>

pfctl: fix incorrect mask on dynamic address

A PF rule using an IPv4 address followed by an IPv6 address and then a
dynamic address, e.g. "pass from {192.0.2.1 2001:db8::1} to (pppoe0)",
will have an incorrect /32 mask applied to the dynamic address.

MFC after: 3 weeks
Obtained from: OpenBSD
See also: https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/007_pfctl.patch.sig
Sponsored by: Rubicon Communications, LLC ("Netgate")
Event: Oslo Hackathon at Modirum


# 1d386b48 16-Aug-2023 Warner Losh <imp@FreeBSD.org>

Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/


# 0bd4a683 26-Apr-2023 Kristof Provost <kp@FreeBSD.org>

pfctl: SCTP can have port numbers

MFC after: 3 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D40861


# 9ec48bc3 25-Apr-2023 Kristof Provost <kp@FreeBSD.org>

pfctl: match expand_label_addr() prototype to definition

Sponsored by: Rubicon Communications, LLC ("Netgate")


# ef661d4a 24-Apr-2023 Christian McDonald <cmcdonald@netgate.com>

pf: introduce ridentifier and labels to ether rules

Make Ethernet rules more similar to the usual layer 3 rules by also
allowing ridentifier and labels to be set on them.

Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")


# 39282ef3 13-Apr-2023 Kajetan Staszkiewicz <vegeta@tuxpowered.net>

pf: backport OpenBSD syntax of "scrub" option for "match" and "pass" rules

Introduce the OpenBSD syntax of "scrub" option for "match" and "pass"
rules and the "set reassemble" flag. The patch is backward-compatible;
pf.conf can still be written in FreeBSD style.

Obtained from: OpenBSD
MFC after: never
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D38025


Revision tags: release/13.2.0, release/12.4.0
# 88e858e5 22-Nov-2022 Kristof Provost <kp@FreeBSD.org>

pf: drop support for fragment crop|drop-ovl

We removed the code for these modes back in 2015, but converted such
configurations to 'scrub fragment reassemble'. It's been long enough,
drop the backwards compatibility glue too.

Reviewed by: mjg
MFC after: never
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D37460


# 57e047e5 22-Nov-2022 Kristof Provost <kp@FreeBSD.org>

pf: allow scrub rules without fragment reassemble

scrub rules have defaulted to handling fragments for a long time, but
since we removed "fragment crop" and "fragment drop-ovl" in 64b3b4d611
this has become less obvious and more expensive ("reassemble" being the
more expensive option, even if it's the one the vast majority of users
should be using).

Extend the 'scrub' syntax to allow fragment reassembly to be disabled,
while retaining the other scrub behaviour (e.g. TTL changes, random-id,
..) using 'scrub fragment no reassemble'.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D37459


# 8a8af942 22-Sep-2022 Kristof Provost <kp@FreeBSD.org>

pf: bridge-to

Allow pf (l2) to be used to redirect ethernet packets to a different
interface.

The intended use case is to send 802.1x challenges out to a side
interface, to enable AT&T links to function with pfSense as a gateway,
rather than the AT&T provided hardware.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D37193


# cfa1a130 01-Sep-2022 Kristof Provost <kp@FreeBSD.org>

pfctl: fix recursive printing of ethernet anchors

Similar to the preceding fix for layer three rules, ensure that we
recursively list wildcard anchors for ethernet rules.

MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D36417


# 585a5ed0 01-Sep-2022 Kristof Provost <kp@FreeBSD.org>

pfctl: fix recursive printing of anchors

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.

tested by phessler
ok henning

Also fix the relevant pfctl test case to reflect the new (and now
correct) behaviour.

MFC after: 3 weeks
Obtained from: OpenBSD (mcbride, f9a568a27c740528301ca3419316c85a9fc7f1de)
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D36416


# 1e73fbd8 06-Aug-2022 Franco Fichtner <franco@opnsense.org>

pfctl: fix FOM_ICMP/POM_STICKYADDRESS clash

pass inet proto icmp icmp-type {unreach}
pass route-to (if0 127.0.0.1/8) sticky-address inet

The wrong struct was being tested. The parser tries to prevent
"sticky-address sticky-address" syntax but was actually cross-rule
enforcing that ICMP filter cannot be before the use of "sticky-address"
in next rule.

MFC after: 2 weeks
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D36050


# 1f61367f 31-May-2022 Kristof Provost <kp@FreeBSD.org>

pf: support matching on tags for Ethernet rules

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D35362


Revision tags: release/13.1.0
# 812839e5 12-Apr-2022 Kristof Provost <kp@FreeBSD.org>

pf: allow the use of tables in ethernet rules

Allow tables to be used for the l3 source/destination matching.
This requires taking the PF_RULES read lock.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34917


# 2fa6223a 27-Mar-2022 Gordon Bergling <gbe@FreeBSD.org>

pfctl(8): Fix a typo in a comment

- s/steping/stepping/

MFC after: 3 days


# 3468cd95 25-Mar-2022 Kristof Provost <kp@FreeBSD.org>

pf: ether l3 rules can only use addresses

Disallow the use of tables in ethernet rules. Using tables requires
taking the PF_RULES lock. Moreover, the current table code isn't ready
to deal with ethernet rules.

Disallow their use for now.

Sponsored by: Rubicon Communications, LLC ("Netgate")


# 8a42005d 08-Mar-2022 Kristof Provost <kp@FreeBSD.org>

pf: support basic L3 filtering in the Ethernet rules

Allow filtering based on the source or destination IP/IPv6 address in
the Ethernet layer rules.

Reviewed by: pauamma_gundo.com (man), debdrup (man)
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34482


# c32cd180 21-Jan-2022 Kristof Provost <kp@FreeBSD.org>

pfctl: print ethernet rules when called with '-n'

Just as pfctl already does for other rules we print the ethernet rules
we would have loaded if '-n' is specified.

Sponsored by: Rubicon Communications, LLC ("Netgate")

