Revision tags: release/14.0.0 |
|
#
d0b2dbfa |
| 16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
Remove $FreeBSD$: one-line sh pattern
Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
|
#
3a1f834b |
| 20-Jun-2023 |
Doug Rabson <dfr@FreeBSD.org> |
pf: Add code to enable filtering for locally delivered packets
This is disabled by default since it potentially changes the behavior of existing filter rule sets. To enable this extra filter for packets being delivered locally, use:
    sysctl net.pf.filter_local=1
    service pf restart
PR: 268717
Reviewed-by: kp
MFC-after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D40373
|
#
5ab15157 |
| 24-May-2023 |
Doug Rabson <dfr@FreeBSD.org> |
netinet*: Fix redirects for connections from localhost
Redirect rules use PFIL_IN and PFIL_OUT events to allow packet filter rules to change the destination address and port for a connection. Typically, the rule triggers on an input event when a packet is received by a router and the destination address and/or port is changed to implement the redirect. When a reply packet on this connection is output to the network, the rule triggers again, reversing the modification.
When the connection is initiated on the same host as the packet filter, it is initially output via lo0 which queues it for input processing. This causes an input event on the lo0 interface, allowing redirect processing to rewrite the destination and create state for the connection. However, when the reply is received, no corresponding output event is generated; instead, the packet is delivered to the higher level protocol (e.g. tcp or udp) without reversing the redirect, the reply is not matched to the connection and the packet is dropped (for tcp, a connection reset is also sent).
This commit fixes the problem by adding a second packet filter call in the input path. The second call happens right before the handoff to higher level processing and provides the missing output event to allow the redirect's reply processing to perform its rewrite. This extra processing is disabled by default and can be enabled using pfilctl:
    pfilctl link -o pf:default-out inet-local
    pfilctl link -o pf:default-out6 inet6-local
PR: 268717
Reviewed-by: kp, melifaro
MFC-after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D40256
|
#
4d846d26 |
| 10-May-2023 |
Warner Losh <imp@FreeBSD.org> |
spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD
The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch up to that fact and revert to their recommended match of BSD-2-Clause.
Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix
|
Revision tags: release/13.2.0, release/12.4.0, release/13.1.0 |
|
#
adbe6e64 |
| 04-May-2022 |
Ed Maste <emaste@FreeBSD.org> |
Reenable vnet tests in CI
After restoring the associated commits the tests can be enabled again.
This reverts commit 711524d961233cd017ee0fd17e4b87013720f1c8. This reverts commit c4585b938a04dfb157d7a10fa958be13415145be.
PR: 263767
|
#
711524d9 |
| 03-May-2022 |
Marko Zec <zec@FreeBSD.org> |
tests/dummynet: disable since mbuf pointer serialization KPI to be backed out
Obtained from: github.com/glebius/FreeBSD/commits/backout-ifindex
|
#
a95fcd81 |
| 27-Jan-2022 |
Kristof Provost <kp@FreeBSD.org> |
netpfil tests: re-enable dummynet tests
These had been disabled due to panics with queued packets keeping pointers (in m->m_pkthdr.rcvif) to removed interfaces. This issue has been resolved in 165746f4e4, so the tests can be run again.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
#
5fecc5a7 |
| 06-Dec-2021 |
Kristof Provost <kp@FreeBSD.org> |
dummynet tests: disable for now
Disable the dummynet tests when running the ci tests. This avoids running into the panic described in https://reviews.freebsd.org/D33064 (where an interface is removed but a dummynet queued packet still has a pointer to it).
These tests can be re-enabled when the work in https://reviews.freebsd.org/D33267 lands.
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
Revision tags: release/12.3.0 |
|
#
ab55fa11 |
| 06-Sep-2021 |
Kristof Provost <kp@FreeBSD.org> |
netpfil tests: extend dummynet tests to pf
Now that pf can also use dummynet we should extend the existing dummynet tests to also test it when used with pf.
Reviewed by: donner
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31905
|
#
ea3eca5c |
| 21-May-2021 |
Kristof Provost <kp@FreeBSD.org> |
netpfil tests: Basic dummynet pipe test
Test dummynet pipes (i.e. bandwidth limitation) with ipfw. This is put in the common tests because we hope to add dummynet support to pf in the near future.
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30380
|
Revision tags: release/13.0.0, release/12.2.0, release/11.4.0, release/12.1.0 |
|
#
0d9da68f |
| 17-Aug-2019 |
Tom Jones <thj@FreeBSD.org> |
Add basic NAT test for pf, ipf and ipfw
Add common firewall NAT tests for pf, ipf and ipfw (using both in-kernel and userspace NAT).
Submitted by: Ahsan Barkati
Sponsored by: Google, Inc. (GSoC 2019)
Reviewed by: kp
Approved by: bz (mentor)
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D21199
|
#
f97a8a36 |
| 05-Aug-2019 |
Tom Jones <thj@FreeBSD.org> |
Add common firewall test suite
Add a common test suite for the firewalls included in the base system. The test suite allows common test infrastructure to test pf, ipfw and ipf firewalls from test files containing the setup for all three firewalls.
Add the pass block test for pf, ipfw and ipf. The pass block test checks the allow/deny functionality of the firewalls tested.
Submitted by: Ahsan Barkati
Sponsored by: Google, Inc. (GSoC 2019)
Reviewed by: kp
Approved by: bz (co-mentor)
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D21065
|