src/sbin/pfctl, CVS revision history (default branch: MAIN)
Revision 1.49, Fri Jan 28 05:24:15 2022 UTC by guenther
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, OPENBSD_7_4_BASE, OPENBSD_7_4, OPENBSD_7_3_BASE, OPENBSD_7_3, OPENBSD_7_2_BASE, OPENBSD_7_2, OPENBSD_7_1_BASE, OPENBSD_7_1, HEAD
Changes since 1.48: +3 -3 lines
When it's the possessive of 'it', it's spelled "its", without the apostrophe.
Revision 1.48, Sun Jan 16 14:28:16 2022 UTC by naddy
Branch: MAIN
Changes since 1.47: +1 -4 lines
pfctl: fix -Wunused-but-set-variable warning
ok dlg@ guenther@
Revision 1.47, Tue Jul 21 14:10:51 2020 UTC by henning
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0, OPENBSD_6_9_BASE, OPENBSD_6_9, OPENBSD_6_8_BASE, OPENBSD_6_8
Changes since 1.46: +3 -3 lines
rename PF_OPT_TABLE_PREFIX to PF_OPTIMIZER_TABLE_PFX and move it to pfvar.h
OPT is misleading and usually refers to command line arguments to pfctl
ok sashan kn
Revision 1.46, Tue Jan 28 15:40:35 2020 UTC by bket
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.45: +4 -15 lines
sbin/pfctl: replace TAILQ concatenation loop with TAILQ_CONCAT
OK kn@, sashan@, florian@
Revision 1.45, Wed Jan 15 22:38:31 2020 UTC by kn
Branch: MAIN
Changes since 1.44: +3 -3 lines
Do the actual pfr_strerror() to pf_strerror() rename
Missed in previous
Revision 1.44, Wed Jan 15 22:31:51 2020 UTC by kn
Branch: MAIN
Changes since 1.43: +3 -3 lines
Unify error message for nonexisting anchors

pf(4) returns EINVAL for DIOCGETRULE, DIOCGETRULES and DIOCGETRULESET if the specified anchor does not exist. Extend and rename {pfr -> pf}_strerror() to make error message more consistent.

There are other occasions as well but those need additional tweaks; that's stuff for another diff.

OK and rename from sashan
Revision 1.43, Thu Dec 12 21:00:51 2019 UTC by kn
Branch: MAIN
Changes since 1.42: +5 -2 lines
Avoid optimizing empty rulesets

All optimizations work on actual rules; if there are none, return early.
While here, tell which ruleset/anchor is being optimized to make the debug message actually useful.

OK mikeb
Revision 1.42, Fri Jun 28 13:32:45 2019 UTC by deraadt
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.41: +3 -3 lines
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
Revision 1.41, Thu Mar 7 08:01:52 2019 UTC by kn
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5
Changes since 1.40: +1 -6 lines
Remove pfctl_*_pool() remnants

Left behind in pfctl_parser.h revision 1.91 "First pass at removing the 'pf_pool' mechanism [...]"

These functions don't exist anymore, no object change.

OK procter
Revision 1.40, Thu Jan 3 22:49:00 2019 UTC by kn
Branch: MAIN
Changes since 1.39: +2 -4 lines
Unbreak build under OPT_DEBUG

In r1.39 I removed the `af' parameter from `unmask()' but accidentally zapped the macro's closing parenthesis. Since DEBUG() is needlessly under an OPT_DEBUG guard, this was not affecting normal builds.

Add the missing ')' and remove the ifdef.

OK sashan
Revision 1.39, Thu Sep 6 15:07:33 2018 UTC by kn
Branch: MAIN
CVS Tags: OPENBSD_6_4_BASE, OPENBSD_6_4
Changes since 1.38: +6 -6 lines
Remove unused af argument from unmask()

This has been unused for years. While here, zap the duplicate function signature from pfctl.h (already present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan
Revision 1.38, Sat Nov 25 22:20:06 2017 UTC by sashan
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE, OPENBSD_6_3
Changes since 1.37: +38 -30 lines
- patching use-after-free and innocent memory leak in pfctl_optimize.c

OK bluhm@
Revision 1.37, Sat Nov 25 22:16:47 2017 UTC by sashan
Branch: MAIN
Changes since 1.36: +2 -2 lines
- pfctl rule optimizer: anchor name vs. anchor path mix up

OK bluhm@
Revision 1.36, Wed Aug 3 16:27:25 2016 UTC by krw
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2, OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.35: +3 -3 lines
A couple of "a->blah == a->blah" -> "a->blah == b->blah". Spotted by the Echelon team with AppChecker static analyzer.

ok sashan@
Revision 1.35, Wed Jan 21 21:50:33 2015 UTC by deraadt
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE, OPENBSD_6_0, OPENBSD_5_9_BASE, OPENBSD_5_9, OPENBSD_5_8_BASE, OPENBSD_5_8, OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.34: +3 -4 lines
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
Revision 1.34, Sat Sep 13 16:06:36 2014 UTC by doug
Branch: MAIN
Changes since 1.33: +2 -2 lines
Replace all queue *_END macro calls except CIRCLEQ_END with NULL.

CIRCLEQ_* is deprecated and not called in the tree. The other queue types have *_END macros which were added for symmetry with CIRCLEQ_END. They are defined as NULL. There's no reason to keep the other *_END macro calls.

ok millert@
Revision 1.33, Fri Nov 22 04:12:48 2013 UTC by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6, OPENBSD_5_5_BASE, OPENBSD_5_5
Changes since 1.32: +2 -2 lines
Whole bunch of (unsigned char) casts carefully added for ctype calls. Careful second audit by millert
Revision 1.32, Fri Oct 19 15:56:40 2012 UTC by henning
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4, OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.31: +1 -1 lines
rtableid must be BREAK instead of MERGE, otherwise the optimizer might reorder rules incorrectly, i. e.:

pass rtable 2
pass from 10/16 rtable 0
pass from 10.1/16 rtable 1

so with this ruleset a packet from 10/16 will end up in rtable 0. now let's see what pfctl makes out of it, with default optimization:

<brahe@tachi> pfctl $ pfctl -nvf t.conf
pass inet from 10.0.0.0/16 to any flags S/SA rtable 0
pass inet from 10.1.0.0/16 to any flags S/SA rtable 1
pass all flags S/SA rtable 2

OOPS! a packet from 10/16 will end up in rtable 2 now.

found by phessler, fix by yours truly, from EuroBSDcon
ok beck phessler benno mikeb sthen
Revision 1.31, Mon Dec 19 23:26:16 2011 UTC by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE, OPENBSD_5_2, OPENBSD_5_1_BASE, OPENBSD_5_1
Changes since 1.30: +2 -1 lines
unbreak rule optimizer; ok henning, looks
Revision 1.30, Wed Nov 23 10:24:37 2011 UTC by henning
Branch: MAIN
Changes since 1.29: +2 -2 lines
print ports as numbers by default; -P prints names instead
2/2 from Lawrence Teo <lteo at devio dot us>
ok sthen dlg and myself
Revision 1.29, Wed Jul 27 00:26:10 2011 UTC by mcbride
Branch: MAIN
CVS Tags: OPENBSD_5_0_BASE, OPENBSD_5_0
Changes since 1.28: +2 -1 lines
Add support for weighted round-robin in load balancing pools and tables.

Diff from zinke@ with some minor cleanup.

ok henning claudio deraadt
Revision 1.28, Thu Jul 7 00:47:19 2011 UTC by mcbride
Branch: MAIN
Changes since 1.27: +2 -2 lines
Fold pf_test_fragment() into pf_test_rule(), reducing code and fixing a bunch of bugs with fragment handling not being in sync with the rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus
Revision 1.27, Sun Jul 3 23:37:55 2011 UTC by zinke
Branch: MAIN
Changes since 1.26: +2 -2 lines
bring in least-states load balancing algorithm
ok mcbride@ henning@
Revision 1.26, Wed Apr 6 13:19:55 2011 UTC by claudio
Branch: MAIN
Changes since 1.25: +14 -1 lines
Userland bits to allow PF to filter on the rdomain a packet belongs to. This allows writing rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@
Revision 1.25, Tue Mar 23 13:31:29 2010 UTC by henning
Branch: MAIN
CVS Tags: OPENBSD_4_9_BASE, OPENBSD_4_9, OPENBSD_4_8_BASE, OPENBSD_4_8
Changes since 1.24: +1 -6 lines
remove -A, -O, -R and -T

the partial loading of a ruleset (leaving anchors aside) is wrong and conflicts with the general idea of how pf works. last but not least it breaks with the optimizer generating tables automagically.

ok deraadt sthen krw
manpage jmc
Revision 1.24, Tue Jan 12 03:20:51 2010 UTC by mcbride
Branch: MAIN
CVS Tags: OPENBSD_4_7_BASE, OPENBSD_4_7
Changes since 1.23: +8 -43 lines
First pass at removing the 'pf_pool' mechanism for translation and routing actions. Allow interfaces to be specified in special table entries for the routing actions. Lists of addresses can now only be done using tables, which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic interfaces in a single nat or rdr rule.

ok henning dlg claudio
Revision 1.23, Thu Dec 10 15:57:20 2009 UTC by deraadt
Branch: MAIN
Changes since 1.22: +2 -1 lines
plug some memory leaks; found by parfait, ok henning
Revision 1.22, Mon Nov 23 21:29:21 2009 UTC by henning
Branch: MAIN
Changes since 1.21: +2 -3 lines
since "nat/rdr pass" are history natpass can go
Revision 1.21, Sun Nov 22 22:34:50 2009 UTC by henning
Branch: MAIN
Changes since 1.20: +7 -13 lines
cleanup after the NAT changes. we used to have multiple rulesets (scrub, NAT, filter). now we only have one. no need for an array any more. simplifies the code quite a bit. in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the table code.
written at the filesystem hackathon in stockholm, committed from the hardware hackathon in portugal.
ok gcc and jsing
Revision 1.20, Wed Oct 28 20:11:01 2009 UTC by jsg
Branch: MAIN
Changes since 1.19: +13 -1 lines
Add a dedicated pf pool for route options as suggested by henning, which unbreaks i.e. route-to after the recent pf changes.
With much help debugging and pointing out of missing bits from claudio@
ok claudio@ "looks good" henning@
Revision 1.19, Tue Sep 1 13:42:00 2009 UTC by henning
Branch: MAIN
Changes since 1.18: +24 -12 lines
the diff theo calls me insanae for: rewrite of the NAT code, basically.
nat and rdr become actions on regular rules, separate nat/rdr/binat rules do not exist any more.

match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8

the code is capable of doing nat and rdr in any direction, but we prevent this in pfctl for now, there are implications that need to be documented better.
the address rewrite happens inline, subsequent rules will see the already changed addresses. nat / rdr can be applied multiple times as well.

match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8

help and ok dlg sthen claudio, reyk tested too
Revision 1.18, Wed May 7 06:23:30 2008 UTC by markus
Branch: MAIN
CVS Tags: OPENBSD_4_6_BASE, OPENBSD_4_6, OPENBSD_4_5_BASE, OPENBSD_4_5, OPENBSD_4_4_BASE, OPENBSD_4_4
Changes since 1.17: +2 -1 lines
allow setting TOS with scrub; ok mcbride, claudio
Revision 1.17, Tue May 6 03:45:21 2008 UTC by mpf
Branch: MAIN
Changes since 1.16: +3 -2 lines
Add a counter to record how many states have been created by a rule. It shows up in pfctl verbose mode and in the 7th field of the labels output.
Also remove the label printing for scrub rules, as they do not support labels.
OK dhartmei@ (on an earlier version), henning@, mcbride@
Revision 1.16, Sat Jan 26 13:16:36 2008 UTC by mcbride
Branch: MAIN
CVS Tags: OPENBSD_4_3_BASE, OPENBSD_4_3
Changes since 1.15: +4 -3 lines
Create the automatic tables at the base of the anchor stack rather than in the inline anchor. Fixes optimizer bug where automatic table creation in inline anchors fails because rules are now loaded after optimization and no transaction has been opened for the anchor.
bug reported by Henrik Johansen
ok henning dhartmei
Revision 1.15, Fri Jan 25 07:27:24 2008 UTC by mcbride
Branch: MAIN
Changes since 1.14: +2 -2 lines
Get rid of warning when compiling with OPT_DEBUG.
Revision 1.14, Tue Nov 27 16:22:13 2007 UTC by martynas
Branch: MAIN
Changes since 1.13: +3 -3 lines
typos; ok jmc@
sys/dev/pci/pciide.c from naddy@
Revision 1.13, Tue Oct 31 14:17:45 2006 UTC by mcbride
Branch: MAIN
CVS Tags: OPENBSD_4_2_BASE, OPENBSD_4_2, OPENBSD_4_1_BASE, OPENBSD_4_1
Changes since 1.12: +3 -3 lines
Allow pfctl ruleset optimizer to be controlled from the ruleset.

"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]

You can optionally control ruleset optimization with these keywords on the command line with the -o option; the command line setting will override the pf.conf setting. The existing -o/-oo flags continue to work as expected.

cleanup and ok henning@
Revision 1.12, Sat Oct 28 14:29:05 2006 UTC by mcbride
Branch: MAIN
Changes since 1.11: +56 -32 lines
Load all rules into memory before loading into the kernel, and add support for anchors loaded inline in pf.conf, enclosed in a brace-delimited block ("{" "}").

anchor on fxp0 {
	pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@
Revision 1.11, Wed Oct 25 14:50:21 2006 UTC by henning
Branch: MAIN
Changes since 1.10: +2 -1 lines
teach the optimizer about logif, with & ok frantzen
Revision 1.10, Tue Mar 14 11:09:44 2006 UTC by djm
Branch: MAIN
CVS Tags: OPENBSD_4_0_BASE, OPENBSD_4_0
Changes since 1.9: +3 -1 lines
implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4) which optionally verifies that a packet is received on the interface that holds the route back to the packet's source address. This makes it an automatic ingress filter, but only when routing is fully symmetric.
bugfix feedback claudio@; ok claudio@ and dhartmei@
Revision 1.9, Mon Jun 13 20:17:26 2005 UTC by henning
Branch: MAIN
CVS Tags: OPENBSD_3_9_BASE, OPENBSD_3_9, OPENBSD_3_8_BASE, OPENBSD_3_8
Changes since 1.8: +5 -3 lines
make the packet and byte counters on rules and src nodes per direction, matches the counters on states now. also fix the counting on scrub rules where we previously did not handle the byte counters at all. extend pfctl -sl output to include the new separate in/out counters
hacked on the ferry from Earls Cove to Saltery Bay
ok ryan
Revision 1.8, Thu May 26 02:21:29 2005 UTC by frantzen
Branch: MAIN
Changes since 1.7: +4 -3 lines
switch the max_src_{states,conn,conn_rate} from superblock breaks to superblock optimization barriers to prevent table merging or rule re-ordering
ok dhartmei@
Revision 1.7, Wed May 25 23:58:11 2005 UTC by frantzen
Branch: MAIN
Changes since 1.6: +13 -1 lines
make the remaining pf_rule fields named superblock BREAKs instead of just letting them default to BREAKs. no functional change
Revision 1.6, Wed May 25 22:28:38 2005 UTC by frantzen
Branch: MAIN
Changes since 1.5: +42 -2 lines
make the optimizer safe in the presence of interface groups. they must act as an optimization block break
ok dhartmei@
Revision 1.5, Mon Jan 3 15:18:10 2005 UTC by frantzen
Branch: MAIN
CVS Tags: OPENBSD_3_7_BASE, OPENBSD_3_7
Changes since 1.4: +3 -1 lines
don't merge a rule's source address into a table if we're already trying to merge its destination address. caught by an assertion. it's tempting to do recursive reduction here to pick that low hanging fruit....
bug report from <gustavo AT hades DOT uint8t DOT org>
Revision 1.2.2.1, Fri Dec 17 02:51:35 2004 UTC by brad
Branch: OPENBSD_3_6
Changes since 1.2: +2 -2 lines
MFC: Fix by frantzen@
&&/|| inversion would try to merge IP addresses with non-addresses into a single table causing a ruleset load error and eventually a double-free.
ok deraadt@ mcbride@ henning@ frantzen@ dhartmei@
Revision 1.4, Tue Dec 14 20:16:37 2004 UTC by frantzen
Branch: MAIN
Changes since 1.3: +2 -2 lines
&&/|| inversion would try to merge IP addresses with non-addresses into a single table causing a ruleset load error and eventually a double-free.
bug report and testing from martin{AT}spamcop net
Revision 1.3, Tue Dec 14 17:03:49 2004 UTC by frantzen
Branch: MAIN
Changes since 1.2: +7 -3 lines
add two warn() calls to make sure a warning message gets printed if one of the table calls fails and the optimizer is gonna bomb out
Revision 1.2, Sun Aug 8 19:04:25 2004 UTC by deraadt
Branch: MAIN
CVS Tags: OPENBSD_3_6_BASE
Branch point for: OPENBSD_3_6
Changes since 1.1: +8 -9 lines
spacing
Revision 1.1, Fri Jul 16 23:44:24 2004 UTC by frantzen
Branch: MAIN
'pfctl -o' ruleset optimizer that doesn't change the meaning of the final ruleset
- remove identical and subsetted rules
- when advantageous merge rules w/ similar addresses into a table and one rule
- re-order rules to improve skip step performance (can do better w/ kernel mods)
- 'pfctl -oo' will load the currently running ruleset and use it as a profile to direct the optimization of quicked rules
ok henning@ mcbride@. man page help from jmc@