pf: convert DIOCRDELADDRS to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

pf: convert DIOCRADDADDRS to netlink

Add up to 64 addresses at once. We are limited by the netlink socket buffer, so
we can only add a limited number at once.

Sponsored by: Rubicon Communications,

pf: convert DIOCRADDADDRS to netlink

Add up to 64 addresses at once. We are limited by the netlink socket buffer, so
we can only add a limited number at once.

Sponsored by: Rubicon Communications, LLC ("Netgate")

show more ...

pfctl: Unify error message for nonexisting anchors

pf(4) returns EINVAL for DIOCGETRULE, DIOCGETRULES and DIOCGETRULESET if
the specified anchor does not exist.

Extend and rename {pfr -> pf}_strerr

pfctl: Unify error message for nonexisting anchors

pf(4) returns EINVAL for DIOCGETRULE, DIOCGETRULES and DIOCGETRULESET if
the specified anchor does not exist.

Extend and rename {pfr -> pf}_strerror() to make error message more
consistent.

There are other occasions as well but those need additional tweaks;
that's stuff for another diff.

OK and rename from sashan

Obtained from: OpenBSD, kn <kn@openbsd.org>, e5c920154c
Sponsored by: Rubicon Communications, LLC ("Netgate")

show more ...

pfctl: Refine error message

While code in pf/pfctl confusingly uses either anchor or ruleset
depending on the context, pfctl(8) (both manual and user interface)
should be consistent.

For users ther

pfctl: Refine error message

While code in pf/pfctl confusingly uses either anchor or ruleset
depending on the context, pfctl(8) (both manual and user interface)
should be consistent.

For users there are basically anchors only, so do not imply any
difference between the two terminologies.

OK sashan

Obtained from: OpenBSD, kn <kn@openbsd.org>, 910e8feeb5
Sponsored by: Rubicon Communications, LLC ("Netgate")

show more ...

pfctl: add option -S (no domain resolution)

manpage wording and reminder about usage() jmc@
ok florian@ henning@

Reviewed by: ziaee (manpages)
Obtained from: OpenBSD, benno <benno@openbsd.org>, 7c8

pfctl: add option -S (no domain resolution)

manpage wording and reminder about usage() jmc@
ok florian@ henning@

Reviewed by: ziaee (manpages)
Obtained from: OpenBSD, benno <benno@openbsd.org>, 7c8726d43b
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D50724

show more ...

pf: convert DIOCRCLRADDRS to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

pfctl: Remove NULL-checks before free(). ok tb@

Obtained from: OpenBSD, mmcc <mmcc@openbsd.org>, 5ce950dec1
Sponsored by: Rubicon Communications, LLC ("Netgate")

pf: convert DIOCRCLRTSTATS to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

pf: convert DIOCRGETTSTATS to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

pfctl: consolidate some code by using reallocarray in all cases

ok deraadt millert

Obtained from: OpenBSD, tedu <tedu@openbsd.org>, 97d14fe110
Sponsored by: Rubicon Communications, LLC ("Netgate")

pf: convert DIOCRDELTABLES to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

pfctl: simplify pfr_del_tables() to pfr_del_table()

We only ever delete a single table at a time, so remove the size argument.
This will make subsequent conversion to netlink easier.

Sponsored by:

pfctl: simplify pfr_del_tables() to pfr_del_table()

We only ever delete a single table at a time, so remove the size argument.
This will make subsequent conversion to netlink easier.

Sponsored by: Rubicon Communications, LLC ("Netgate")

show more ...

pf: convert DIOCRADDTABLES to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

pfctl: simplify pfr_add_tables() to pfr_add_table()

We only ever add a single table at a time, so remove the size argument.
This will make subsequent conversion to netlink easier.

Sponsored by: Rub

pfctl: simplify pfr_add_tables() to pfr_add_table()

We only ever add a single table at a time, so remove the size argument.
This will make subsequent conversion to netlink easier.

Sponsored by: Rubicon Communications, LLC ("Netgate")

show more ...

pf: convert DIOCRCLRTABLES to netlink

Sponsored by: Rubicon Communications, LLC ("Netgate")

pfctl: add -T `reset` to touch pfras_tzero only for non-zero entries

This will make it easier for scripts to detect idle hosts in tables.

PR: 282984
Reviewed by: kp
MFC after: 2 weeks

pfctl: clear statistic for specified addresses

The ioctl DIOCRCLRASTATS provides the functionality of clearing stats
not only for the whole table for for addresses stored in that table. The
function

pfctl: clear statistic for specified addresses

The ioctl DIOCRCLRASTATS provides the functionality of clearing stats
not only for the whole table for for addresses stored in that table. The
functionality was missing from pfctl, though. Add it now.

PR: 282877
Obtained from: OpenBSD, kirill <kirill@openbsd.org>, e496dff3a7
MFC after: 3 weeks

show more ...

pfctl: Allow a semicolon (;) as a comment

To make parsing of, for example, Spamhaus' drop.txt and similar
files that contains semicolons as comments, allow them also
in file-based tables.

Reviewed

pfctl: Allow a semicolon (;) as a comment

To make parsing of, for example, Spamhaus' drop.txt and similar
files that contains semicolons as comments, allow them also
in file-based tables.

Reviewed by: kp
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D46088

show more ...

sbin: Automated cleanup of cdefs and other formatting

Apply the following automated changes to try to eliminate
no-longer-needed sys/cdefs.h includes as well as now-empty
blank lines in a row.

Remo

sbin: Automated cleanup of cdefs and other formatting

Apply the following automated changes to try to eliminate
no-longer-needed sys/cdefs.h includes as well as now-empty
blank lines in a row.

Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/
Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/
Remove /\n+#if.*\n#endif.*\n+/
Remove /^#if.*\n#endif.*\n/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/

Sponsored by: Netflix

show more ...

Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

pfctl: Fix mismatch in array bounds for pfr_next_token().

Reviewed by: kp, emaste
Differential Revision: https://reviews.freebsd.org/D36806

libpfctl: relocate implementations of pfr_add/get/set_addrs

Reviewed by: kp
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D34740

pfctl: Warn users when they run into kernel limits

Warn users when they try to add/delete/modify more items than the kernel will
allow.

Reviewed by: allanjude (previous version), Lutz Donnerhacke
D

pfctl: Warn users when they run into kernel limits

Warn users when they try to add/delete/modify more items than the kernel will
allow.

Reviewed by: allanjude (previous version), Lutz Donnerhacke
Differential Revision: https://reviews.freebsd.org/D22733

show more ...

various: general adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I
was using misidentified many licenses so this was mostly a manual - error

various: general adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I
was using misidentified many licenses so this was mostly a manual - error
prone - task.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.

No functional change intended.

show more ...

Merge ^/head r303250 through r304235.