#
339a1977 |
| 10-Sep-2024 |
Mark Johnston <markj@FreeBSD.org> |
pf: Add a sysctl to limit work done for rdr source port rewriting
It was pointed out that the current approach of exhaustively searching for a free source port might be very time consuming. Limit the amount of work that we might do before giving up.
Reviewed by: kp Reported by: Eirik Øverby <ltning-freebsd@anduin.net> MFC after: 3 months Sponsored by: Klara, Inc. Sponsored by: Modirum Differential Revision: https://reviews.freebsd.org/D46495
|
#
390dc369 |
| 06-Sep-2024 |
Tom Jones <thj@FreeBSD.org> |
pf: Add support for endpoint independent NAT bindings for UDP
With Endpoint Independent NAT bindings for UDP flows from a NATed source address are always mapped to the same ip:port pair on the NAT router. This allows a client to connect to multiple external servers while appearing as the same host and enables NAT traversal without requiring the client to use a middlebox traversal protocol such as STUN or TURN.
Introduce the 'endpoint-independent' option to NAT rules to allow configuration of endpoint independent without affecting existing deployments.
This change satisfies REQ 1 and 3 of RFC 4787 also known as 'full cone' NAT.
Using Endpoint Independent NAT changes NAT exhaustion behaviour; it does not introduce any additional security considerations compared to other forms of NAT.
PR: 219803 Co-authored-by: Damjan Jovanovic <damjan.jov@gmail.com> Co-authored-by: Naman Sood <mail@nsood.in> Reviewed-by: kp Sponsored-by: Tailscale Sponsored-by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D11137
|
#
a9ac25d6 |
| 02-Sep-2024 |
Kristof Provost <kp@FreeBSD.org> |
pf.4: document missing sysctls
Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D46510
|
Revision tags: release/14.1.0, release/13.3.0, release/14.0.0 |
|
#
6869f90b |
| 23-Oct-2023 |
Kristof Provost <kp@FreeBSD.org> |
pf: update pf(4) man page to list DIOCGETSTATESV2
The nvlist based state retrieval ioctl has been replaced by an old-style ioctl for performance reasons. Document that one.
Reported by: Michael Gmelin <grembo@freebsd.org> MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D42331
|
#
3e609fd4 |
| 27-Sep-2023 |
Ed Maste <emaste@FreeBSD.org> |
pf: add note about changes ported from OpenBSD after 4.5
The last comprehensive sync with OpenBSD's pf corresponds to OpenBSD 4.5, but many changes have been ported over since then.
Reviewed by: kp, gbe, Kajetan Staszkiewicz <vegeta@tuxpowered.net> Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D42002
|
#
1117b320 |
| 26-Sep-2023 |
Zhenlei Huang <zlei@FreeBSD.org> |
pf.4: Bump .Dd
Missed in c531c1d1462c (pf: Convert PF_DEFAULT_TO_DROP into a vnet loader tunable 'net.pf.default_to_drop').
MFC after: 10 days MFC with: c531c1d1462c
|
#
c531c1d1 |
| 22-Sep-2023 |
Zhenlei Huang <zlei@FreeBSD.org> |
pf: Convert PF_DEFAULT_TO_DROP into a vnet loader tunable 'net.pf.default_to_drop'
7f7ef494f11d introduced a compile time option PF_DEFAULT_TO_DROP to make the pf(4) default rule to drop. While this change exposes a vnet loader tunable 'net.pf.default_to_drop' so that users can change the default rule without re-compiling the pf(4) module.
This change is similar to that for IPFW [1].
1. 5f17ebf94db5 Convert IPFW_DEFAULT_TO_ACCEPT into a loader tunable 'net.inet.ip.fw.default_to_accept'
Reviewed by: #network, kp MFC after: 2 weeks Relnotes: yes Differential Revision: https://reviews.freebsd.org/D39866
|
#
2e8edbc2 |
| 28-Aug-2023 |
Kristof Provost <kp@FreeBSD.org> |
pf: Remove DIOCCLRSTATES and DIOCKILLSTATES
These now have nvlist based alternatives, so remove them.
Reviewed by: mjg, Pau Amma <pauamma@gundo.com> (man page) MFC after: never Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D30056
|
#
fa9896e0 |
| 16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
Remove $FreeBSD$: two-line nroff pattern
Remove /^\.\\"\n\.\\"\s*\$FreeBSD\$$\n/
|
#
df56c806 |
| 12-Jul-2023 |
Kristof Provost <kp@FreeBSD.org> |
pf: fix error descriptions in the man page
PR: 272459 Submitted by: alex@inferiorhumanorgans.com MFC after: 1 week
|
#
64b30b7a |
| 12-Jul-2023 |
Kristof Provost <kp@FreeBSD.org> |
pf: fix pfi_kif definition in the man page
PR: 272455 Submitted by: alex@inferiorhumanorgans.com MFC after: 1 week
|
Revision tags: release/13.2.0, release/12.4.0, release/13.1.0, release/12.3.0 |
|
#
0592a4c8 |
| 05-May-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf: Add DIOCGETSTATESNV
Add DIOCGETSTATESNV, an nvlist-based alternative to DIOCGETSTATES.
MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D30243
|
#
1732afaa |
| 05-May-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf: Add DIOCGETSTATENV
Add DIOCGETSTATENV, an nvlist-based alternative to DIOCGETSTATE.
MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D30242
|
#
abbcba9c |
| 30-Apr-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf: Allow states to be killed per 'gateway'
This allows us to kill states created from a rule with route-to/reply-to set. This is particularly useful in multi-wan setups, where one of the WAN links goes down.
Submitted by: Steven Brown Obtained from: https://github.com/pfsense/FreeBSD-src/pull/11/ MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D30058
|
Revision tags: release/13.0.0, release/12.2.0, release/11.4.0, release/12.1.0, release/11.3.0, release/12.0.0 |
|
#
14b841d4 |
| 11-Aug-2018 |
Kyle Evans <kevans@FreeBSD.org> |
MFH @ r337607, in preparation for boarding
|
#
f9c0a512 |
| 10-Aug-2018 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r337286 through r337585.
|
#
91e0f2d2 |
| 05-Aug-2018 |
Kristof Provost <kp@FreeBSD.org> |
pf: Increase default hash table size
Now that we (by default) limit the number of states to 100.000 it makes sense to also adjust the default size of the hash table.
Based on the benchmarking results in https://github.com/ocochard/netbenches/blob/master/Atom_C2758_8Cores-Chelsio_T540-CR/pf-states_hashsize/results/fbsd12-head.r332390/README.md 128K entries offers a good compromise between performance and memory use.
Users may still overrule this setting with the net.pf.states_hashsize and net.pf.source_nodes_hashsize loader(8) tunables.
|
#
cc535c95 |
| 04-Jul-2018 |
Will Andrews <will@FreeBSD.org> |
Revert r335833.
Several third-parties use at least some of these ioctls. While it would be better for regression testing if they were used in base (or at least in the test suite), it's currently not worth the trouble to push through removal.
Submitted by: antoine, markj
|
#
24e8c132 |
| 01-Jul-2018 |
Will Andrews <will@FreeBSD.org> |
pf(4): remove reference to non-existent pflow(4).
|
#
c1887e9f |
| 01-Jul-2018 |
Will Andrews <will@FreeBSD.org> |
pf: remove unused ioctls.
Several ioctls are unused in pf, in the sense that no base utility references them. Additionally, a cursory review of pf-based ports indicates they're not used elsewhere either. Some of them have been unused since the original import. As far as I can tell, they're also unused in OpenBSD. Finally, removing this code removes the need for future pf work to take them into account.
Reviewed by: kp Differential Revision: https://reviews.freebsd.org/D16076
|
Revision tags: release/11.2.0, release/10.4.0, release/11.1.0, release/11.0.1, release/11.0.0 |
|
#
646fa387 |
| 08-Jun-2016 |
Edward Tomasz Napierala <trasz@FreeBSD.org> |
Fix typos.
MFC after: 1 month
|
Revision tags: release/10.3.0, release/10.2.0, release/10.1.0, release/9.3.0 |
|
#
3b8f0845 |
| 28-Apr-2014 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Merge head
|
#
84e51a1b |
| 23-Apr-2014 |
Alan Somers <asomers@FreeBSD.org> |
IFC @264767
|
#
485ac45a |
| 04-Feb-2014 |
Peter Grehan <grehan@FreeBSD.org> |
MFC @ r259205 in preparation for some SVM updates. (for real this time)
|
Revision tags: release/10.0.0 |
|
#
654957c2 |
| 19-Nov-2013 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Merge head up to r258343.
|