#
c6879c6c |
| 23-Oct-2018 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r339015 through r339669.
|
#
4a8e4793 |
| 22-Oct-2018 |
Kristof Provost <kp@FreeBSD.org> |
pfctl: Fix line numbers when \ is used inside ""
PR: 201520 Obtained from: OpenBSD MFC after: 2 weeks
|
#
a2a90d6e |
| 20-Oct-2018 |
Kristof Provost <kp@FreeBSD.org> |
pfctl: Dup strings
When we set the ifname we have to copy the string, rather than just keep the pointer.
PR: 231323 MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D17507
|
#
7847e041 |
| 24-Aug-2018 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r338026 through r338297, and resolve conflicts.
|
#
249cc75f |
| 22-Aug-2018 |
Patrick Kelsey <pkelsey@FreeBSD.org> |
Extended pf(4) ioctl interface and pfctl(8) to allow bandwidths of 2^32 bps or greater to be used. Prior to this, bandwidth parameters would simply wrap at the 2^32 boundary. The computations in th
Extended pf(4) ioctl interface and pfctl(8) to allow bandwidths of 2^32 bps or greater to be used. Prior to this, bandwidth parameters would simply wrap at the 2^32 boundary. The computations in the HFSC scheduler and token bucket regulator have been modified to operate correctly up to at least 100 Gbps. No other algorithms have been examined or modified for correct operation above 2^32 bps (some may have existing computation resolution or overflow issues at rates below that threshold). pfctl(8) will now limit non-HFSC bandwidth parameters to 2^32 - 1 before passing them to the kernel.
The extensions to the pf(4) ioctl interface have been made in a backwards-compatible way by versioning affected data structures, supporting all versions in the kernel, and implementing macros that will cause existing code that consumes that interface to use version 0 without source modifications. If version 0 consumers of the interface are used against a new kernel that has had bandwidth parameters of 2^32 or greater configured by updated tools, such bandwidth parameters will be reported as 2^32 - 1 bps by those old consumers.
All in-tree consumers of the pf(4) interface have been updated. To update out-of-tree consumers to the latest version of the interface, define PFIOC_USE_LATEST ahead of any includes and use the code of pfctl(8) as a guide for the ioctls of interest.
PR: 211730 Reviewed by: jmallett, kp, loos MFC after: 2 weeks Relnotes: yes Sponsored by: RG Nets Differential Revision: https://reviews.freebsd.org/D16782
show more ...
|
#
150182e3 |
| 22-Jun-2018 |
Kristof Provost <kp@FreeBSD.org> |
pf: Support "return" statements in passing rules when they fail.
Normally pf rules are expected to do one of two things: pass the traffic or block it. Blocking can be silent - "drop", or loud - "ret
pf: Support "return" statements in passing rules when they fail.
Normally pf rules are expected to do one of two things: pass the traffic or block it. Blocking can be silent - "drop", or loud - "return", "return-rst", "return-icmp". Yet there is a 3rd category of traffic passing through pf: Packets matching a "pass" rule but when applying the rule fails. This happens when redirection table is empty or when src node or state creation fails. Such rules always fail silently without notifying the sender.
Allow users to configure this behaviour too, so that pf returns an error packet in these cases.
PR: 226850 Submitted by: Kajetan Staszkiewicz <vegeta tuxpowered.net> MFC after: 1 week Sponsored by: InnoGames GmbH
show more ...
|
Revision tags: release/11.2.0 |
|
#
1de7b4b8 |
| 27-Nov-2017 |
Pedro F. Giffuni <pfg@FreeBSD.org> |
various: general adoption of SPDX licensing ID tags.
Mainly focus on files that use BSD 2-Clause license, however the tool I was using misidentified many licenses so this was mostly a manual - error
various: general adoption of SPDX licensing ID tags.
Mainly focus on files that use BSD 2-Clause license, however the tool I was using misidentified many licenses so this was mostly a manual - error prone - task.
The Software Package Data Exchange (SPDX) group provides a specification to make it easier for automated tools to detect and summarize well known opensource licenses. We are gradually adopting the specification, noting that the tags are considered only advisory and do not, in any way, superceed or replace the license texts.
No functional change intended.
show more ...
|
#
937d37fc |
| 19-Nov-2017 |
Hans Petter Selasky <hselasky@FreeBSD.org> |
Merge ^/head r325842 through r325998.
|
#
58c8430a |
| 15-Nov-2017 |
Kristof Provost <kp@FreeBSD.org> |
pfctl: teach route-to to deal with interfaces with multiple addresses
The route_host parsing code set the interface name, but only for the first node_host in the list. If that one happened to be the
pfctl: teach route-to to deal with interfaces with multiple addresses
The route_host parsing code set the interface name, but only for the first node_host in the list. If that one happened to be the inet6 address and the rule wanted an inet address it'd get removed by remove_invalid_hosts() later on, and we'd have no interface name.
We must set the interface name for all node_host entries in the list, not just the first one.
PR: 223208 MFC after: 2 weeks
show more ...
|
Revision tags: release/10.4.0, release/11.1.0 |
|
#
1e93588b |
| 28-Dec-2016 |
Luiz Otavio O Souza <loos@FreeBSD.org> |
Fix the parsing of NPt binat rules.
In this specific case the src address can be set to any, which was not accepted prior to this commit.
pfSense bug report: https://redmine.pfsense.org/issues/6985
Fix the parsing of NPt binat rules.
In this specific case the src address can be set to any, which was not accepted prior to this commit.
pfSense bug report: https://redmine.pfsense.org/issues/6985 Reviewed by: kp Obtained from: pfSense MFC after: 2 weeks Sponsored by: Rubicon Communications, LLC (Netgate)
show more ...
|
#
a0e610c4 |
| 16-Oct-2016 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r306906 through r307382.
|
#
1f495578 |
| 13-Oct-2016 |
Kristof Provost <kp@FreeBSD.org> |
pf: port extended DSCP support from OpenBSD
Ignore the ECN bits on 'tos' and 'set-tos' and allow to use DCSP names instead of having to embed their TOS equivalents as plain numbers.
Obtained from:
pf: port extended DSCP support from OpenBSD
Ignore the ECN bits on 'tos' and 'set-tos' and allow to use DCSP names instead of having to embed their TOS equivalents as plain numbers.
Obtained from: OpenBSD Sponsored by: OPNsense Differential Revision: https://reviews.freebsd.org/D8165
show more ...
|
#
242b2482 |
| 09-Oct-2016 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r306412 through r306905.
|
#
813196a1 |
| 04-Oct-2016 |
Kristof Provost <kp@FreeBSD.org> |
pf: remove fastroute tag
The tag fastroute came from ipf and was removed in OpenBSD in 2011. The code allows to skip the in pfil hooks and completely removes the out pfil invoke, albeit looking up a
pf: remove fastroute tag
The tag fastroute came from ipf and was removed in OpenBSD in 2011. The code allows to skip the in pfil hooks and completely removes the out pfil invoke, albeit looking up a route that the IP stack will likely find on its own. The code between IPv4 and IPv6 is also inconsistent and marked as "XXX" for years.
Submitted by: Franco Fichtner <franco@opnsense.org> Differential Revision: https://reviews.freebsd.org/D8058
show more ...
|
Revision tags: release/11.0.1, release/11.0.0 |
|
#
27067774 |
| 16-Aug-2016 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r303250 through r304235.
|
#
7f8af000 |
| 05-Aug-2016 |
Luiz Otavio O Souza <loos@FreeBSD.org> |
Fix a regression in pf.conf while parsing the 'interval' keyword.
The bug was introduced by r287009.
PR: 210924 Submitted by: kp@ Sponsored by: Rubicon Communications (Netgate) Pointy hat to: loos
|
#
13cfafab |
| 04-Aug-2016 |
Kristof Provost <kp@FreeBSD.org> |
pfctl: Make most global variables static.
This will make it easier to link as a library.
Submitted by: Christian Mauderer <christian.mauderer@embedded-brains.de>
|
#
0cd7a91a |
| 02-Aug-2016 |
Kristof Provost <kp@FreeBSD.org> |
pfctl: Allow TOS bits to be cleared
TOS value 0 is valid, so use 256 as an invalid value rather than zero. This allows users to enforce TOS == 0 with pf.
Reported by: Radek Krejča <radek.krejca@sta
pfctl: Allow TOS bits to be cleared
TOS value 0 is valid, so use 256 as an invalid value rather than zero. This allows users to enforce TOS == 0 with pf.
Reported by: Radek Krejča <radek.krejca@starnet.cz>
show more ...
|
#
3e248e0f |
| 17-Jun-2016 |
Kristof Provost <kp@FreeBSD.org> |
pf: Filter on and set vlan PCP values
Adopt the OpenBSD syntax for setting and filtering on VLAN PCP values. This introduces two new keywords: 'set prio' to set the PCP value, and 'prio' to filter o
pf: Filter on and set vlan PCP values
Adopt the OpenBSD syntax for setting and filtering on VLAN PCP values. This introduces two new keywords: 'set prio' to set the PCP value, and 'prio' to filter on it.
Reviewed by: allanjude, araujo Approved by: re (gjb) Obtained from: OpenBSD (mostly) Differential Revision: https://reviews.freebsd.org/D6786
show more ...
|
#
b68ac800 |
| 30-Apr-2016 |
Pedro F. Giffuni <pfg@FreeBSD.org> |
sbin: minor spelling fixes.
No functional change.
|
#
0edd2576 |
| 16-Apr-2016 |
Glen Barber <gjb@FreeBSD.org> |
MFH
Sponsored by: The FreeBSD Foundation
|
#
db1bbde6 |
| 14-Apr-2016 |
Luiz Otavio O Souza <loos@FreeBSD.org> |
Make pfctl(8) more flexible when parsing bandwidth values.
This is the current behaviour in OpenBSD and a similar patch exist in pfSense too.
Obtained from: OpenBSD (partly - rev. 1.625) MFC after:
Make pfctl(8) more flexible when parsing bandwidth values.
This is the current behaviour in OpenBSD and a similar patch exist in pfSense too.
Obtained from: OpenBSD (partly - rev. 1.625) MFC after: 2 weeks Sponsored by: Rubicon Communications (Netgate)
show more ...
|
Revision tags: release/10.3.0 |
|
#
11d38a57 |
| 28-Oct-2015 |
Baptiste Daroussin <bapt@FreeBSD.org> |
Merge from head
Sponsored by: Gandi.net
|
#
becbad1f |
| 13-Oct-2015 |
Baptiste Daroussin <bapt@FreeBSD.org> |
Merge from head
|
#
b5ff185e |
| 12-Sep-2015 |
Baptiste Daroussin <bapt@FreeBSD.org> |
Merge from head
|