OpenBSD CVS

CVS log for src/sys/net/pf_table.c




Default branch: MAIN


Revision 1.145, Thu Aug 10 16:44:04 2023 UTC, by sashan
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, OPENBSD_7_4_BASE, OPENBSD_7_4, HEAD
Changes since 1.144: +5 -3 lines

The table persistent flag (PFR_TFLAG_PERSIST) won't get set
by an ioctl(2) operation if the table exists already. The issue
has been noticed by Giannis Kapetanakis (_at_) edu.physics.uoc.gr.
Giannis noticed relayd(8) aborts unexpectedly when a 'relay host'
gets disabled by the 'relayctl host dis ...' command. To understand
what's going on we must look at the way relayd(8) manages
its firewall configuration. If relay host 'example' is enabled, relayd(8)
inserts a rule into anchor relayd/example. The rule looks somewhat
like this:
     pass in from ... to ... rdr-to <example>
When the rule gets inserted into pf(4) the table 'example' is
created with flags:
    lumpy# pfctl -a relayd/example -vg -sT
    ----r-- example relayd/example
The r-flag indicates the table is referred to by a rule only. In the next
step relayd(8) creates and populates table example. It asks
pf(4) to add a persistent flag (PFR_TFLAG_PERSIST), so the table
survives the flush operation of the relayd/example ruleset on behalf
of the 'relayctl host dis ...' command. relayd(8) exits via abort()
when the table is gone with the disable operation.

Giannis was patient enough so we could debug and fix the issue.
The committed change has been tested by Giannis too.

OK kn@, bluhm@

Revision 1.144, Thu Jan 5 10:06:58 2023 UTC, by sashan
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3
Changes since 1.143: +2 -2 lines

pfctl fails to add addresses to an undefined/inactive table

The pfr_add_tables() function must set the PFR_TFLAG_ACTIVE flag
on a table which is attached to a rule. This will then allow
pfr_add_addrs() to populate the table with addresses.

Without this, the pair of pfctl(8) commands fails as follows:
    # echo 'pass from <foo> to any' |pfctl -f -
    # pfctl -t foo -T add 192.168.1.0/24
    pfctl: Table does not exist


OK mbuhl@

Revision 1.143, Sun Jun 26 11:37:08 2022 UTC, by mbuhl
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE, OPENBSD_7_2
Changes since 1.142: +14 -16 lines

Allow waiting during ktable allocation in pf_ioctl.

OK bluhm

Reported-by: syzbot+50ea4f33ed5dd9264918@syzkaller.appspotmail.com
Reported-by: syzbot+df65f8b7ee8c0089e885@syzkaller.appspotmail.com

Revision 1.142, Thu Jun 16 20:47:26 2022 UTC, by sashan
Branch: MAIN
Changes since 1.141: +2 -2 lines

pfctl reports an existing table as being added. The glitch has
been spotted and reported by jmc@

OK kn@

Revision 1.141, Tue Jun 7 22:14:15 2022 UTC, by sashan
Branch: MAIN
Changes since 1.140: +2 -3 lines

Fixes a NULL pointer dereference panic triggered by relayd.
The same panic can be triggered when an address table is part
of an anchor loaded by a 'load anchor ... from ...' statement.
The pf_find_or_create_ruleset() function called by pfr_add_tables()
must receive a ruleset name which comes from the pre-allocated root
table.

OK claudio@ dlg@

Revision 1.140, Tue May 10 23:12:25 2022 UTC, by sashan
Branch: MAIN
Changes since 1.139: +160 -47 lines

Move memory allocations in pfr_add_tables() out of
NET_LOCK()/PF_LOCK() scope. bluhm@ helped a lot
to put this diff into shape.

OK bluhm@

Revision 1.139, Mon Nov 22 12:56:04 2021 UTC, by jsg
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.138: +6 -3 lines

Move the PFR_TFLAG_CONST test, missed in rev 1.138.
Prompted by an uninitialised var found by bluhm@ running regress on sparc64.
ok sashan@

Revision 1.138, Tue Nov 16 20:51:31 2021 UTC, by sashan
Branch: MAIN
Changes since 1.137: +233 -27 lines

Move memory allocations in pfr_add_addrs() outside of NET_LOCK()/PF_LOCK()
scope.

feedback by bluhm@

OK bluhm@

Revision 1.137, Thu Nov 11 12:35:01 2021 UTC, by sashan
Branch: MAIN
Changes since 1.136: +2 -2 lines

Allow pfi_kif_get() callers to pre-allocate a buffer for a new kif. If the kif
object exists already, then the caller must free the pre-allocated buffer.
If the caller does not pre-allocate a buffer, pfi_kif_get() will get
memory from the pool using the M_NOWAIT flag.

The commit also polishes pfi_initialize() a bit so it uses M_WAITOK
allocation for pfi_all.

There is no change in current behaviour.

feedback by bluhm@

OK bluhm@

Revision 1.136, Sun Oct 24 10:58:43 2021 UTC, by sashan
Branch: MAIN
Changes since 1.135: +12 -15 lines

Let pf_table.c use the standard way to work with lists

OK todd@, mvs@, kn@

Revision 1.135, Sat Oct 23 09:36:58 2021 UTC, by sashan
Branch: MAIN
Changes since 1.134: +21 -18 lines

YIELD() in pf_table.c should preempt for ioctl() callers only

OK @mpi

Revision 1.134, Tue Jul 28 16:47:41 2020 UTC, by yasuoka
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0, OPENBSD_6_9_BASE, OPENBSD_6_9, OPENBSD_6_8_BASE, OPENBSD_6_8
Changes since 1.133: +18 -10 lines

Always use the table on root if the current table is not active.

ok sashan

Revision 1.133, Wed Jun 24 22:03:43 2020 UTC, by cheloha
Branch: MAIN
Changes since 1.132: +10 -10 lines

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t.  However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel.  Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@

Revision 1.132, Thu Jun 4 04:27:51 2020 UTC, by yasuoka
Branch: MAIN
Changes since 1.131: +23 -41 lines

Fix pfr_kentry_byaddr() to be used for a rule in an anchor.  It
couldn't find an entry if its table is attached to a table on the root.
This fixes the problem that "route-to <TABLE> least-states" doesn't work.
The problem was found by IIJ.

OK sashan

Revision 1.131, Mon Jul 8 17:49:57 2019 UTC, by mpi
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE, OPENBSD_6_7, OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.130: +3 -3 lines

free(9) sizes for M_RTABLE.

ok kn@

Revision 1.130, Mon Dec 10 16:48:15 2018 UTC, by kn
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5
Changes since 1.129: +9 -9 lines

Remove useless macros

These are just unhelpful case conversions.

OK sashan henning

Revision 1.129, Mon Oct 15 21:15:35 2018 UTC, by kn
Branch: MAIN
Changes since 1.128: +2 -2 lines

use PFR_RB_NONE consistently

Replace hardcoded 0 and implicit checks with enum as done in all other
use cases of `pfra_fback'.  No object change.

OK sashan

Revision 1.128, Wed Mar 28 10:56:18 2018 UTC, by sashan
Branch: MAIN
CVS Tags: OPENBSD_6_4_BASE, OPENBSD_6_4
Changes since 1.127: +4 -2 lines

- a memory leak occurs when adding the same table twice.
  (tj found the fix in the FreeBSD repo for us)

OK @bluhm, @henning

Revision 1.127, Wed Aug 16 14:19:57 2017 UTC, by mikeb
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE, OPENBSD_6_3, OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.126: +6 -4 lines

Validate pfra_type after copyin before using it to index an array

Don't trust the value of pfra_type blindly since it's coming from
userland: sanitize it in pfr_validate_addr, which is called after
every copyin, and also perform the check in pfr_create_kentry before
we attempt to use the value, not after.

Coverity CID 1452909, 1453097, 1453384; Severity: Minor
It can be triggered only by root by default, or by anyone with write
access to /dev/pf if such access is provided.

ok visa, bcook, sashan, jsg

Revision 1.126, Mon May 8 20:24:03 2017 UTC, by patrick
Branch: MAIN
Changes since 1.125: +48 -28 lines

Replace the global variables pfr_{sin,sin6} with stack local variables
so that we can run these parts of pf in parallel.  Also replace a
single usage of pfr_mask with a stack local variable.

ok mpi@

Revision 1.125, Tue Feb 14 10:31:15 2017 UTC, by mpi
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.124: +2 -3 lines

Convert most of the manual checks for CPU hogging to sched_pause().

The distinction between preempt() and yield() stays as it is useful
to know if a thread decided to yield by itself or if the kernel told
it to go away.

ok tedu@, guenther@

Revision 1.124, Thu Feb 9 10:29:37 2017 UTC, by mpi
Branch: MAIN
Changes since 1.123: +4 -6 lines

Replace a custom loop calling yield() by the idiom to check if the
current process is hogging a CPU.

ok mikeb@, visa@, tedu@

Revision 1.123, Tue Jan 24 10:08:30 2017 UTC, by krw
Branch: MAIN
Changes since 1.122: +6 -6 lines

A space here, a space there. Soon we're talking real whitespace
rectification.

Revision 1.122, Mon Jan 23 09:08:24 2017 UTC, by mpi
Branch: MAIN
Changes since 1.121: +4 -28 lines

Kill unnecessary splsoftnet()/splx() dances; what's protecting radix
globals is the KERNEL_LOCK().

ok claudio@

Revision 1.121, Wed Oct 26 21:07:22 2016 UTC, by bluhm
Branch: MAIN
Changes since 1.120: +13 -1 lines

Put union pf_headers and struct pf_pdesc into separate header file
pfvar_priv.h.  The pf_headers had to be defined in multiple .c files
before.  In pfvar.h it would have unknown storage size, this file
is included in too many places.  The idea is to have a private pf
header that is only included in the pf part of the kernel.  For now
it contains pf_pdesc and pf_headers, it may be extended later.
discussion, input and OK henning@ procter@ sashan@

Revision 1.120, Tue Sep 27 04:57:17 2016 UTC, by dlg
Branch: MAIN
Changes since 1.119: +22 -22 lines

roll back turning RB into RBT until i get better at this process.

Revision 1.119, Tue Sep 27 02:51:12 2016 UTC, by dlg
Branch: MAIN
Changes since 1.118: +22 -22 lines

move pf from the RB macros to the RBT functions.

Revision 1.118, Thu Sep 15 02:00:18 2016 UTC, by dlg
Branch: MAIN
Changes since 1.117: +7 -13 lines

all pools have their ipl set via pool_setipl, so fold it into pool_init.

the ioff argument to pool_init() is unused and has been for many
years, so this replaces it with an ipl argument. because the ipl
will be set on init we no longer need pool_setipl.

most of these changes have been done with coccinelle using the spatch
below. cocci sucks at formatting code though, so i fixed that by hand.

the manpage and subr_pool.c bits i did myself.

ok tedu@ jmatthew@

@ipl@
expression pp;
expression ipl;
expression s, a, o, f, m, p;
@@
-pool_init(pp, s, a, o, f, m, p);
-pool_setipl(pp, ipl);
+pool_init(pp, s, a, ipl, f, m, p);

Revision 1.117, Fri Sep 2 10:19:49 2016 UTC, by dlg
Branch: MAIN
Changes since 1.116: +6 -1 lines

pool_setipl for pf bits

ok phessler@ henning@

Revision 1.116, Tue Nov 3 22:10:33 2015 UTC, by sashan
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE, OPENBSD_6_0, OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.115: +5 -5 lines

- fixes a potential use-after-free in pfr_set_addrs()

OK mikeb@, OK bluhm@

Revision 1.115, Wed Oct 7 11:57:44 2015 UTC, by mpi
Branch: MAIN
Changes since 1.114: +3 -3 lines

The rn_inithead() offset argument is now specified in bytes; missed in previous.

Revision 1.114, Fri Sep 4 08:43:39 2015 UTC, by mpi
Branch: MAIN
Changes since 1.113: +3 -1 lines

Make every subsystem using a radix tree call rn_init() and pass the
length of the key as argument.

This way every consumer of the radix tree has a chance to explicitly
initialize the shared data structures and no longer rely on another
subsystem to do the initialization.

As a bonus ``dom_maxrtkey'' is no longer used and dies.

ART kernels should now be fully usable because pf(4) and IPSEC properly
initialize the radix tree.

ok chris@, reyk@

Revision 1.113, Mon Jul 20 18:42:08 2015 UTC, by jsg
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8
Changes since 1.112: +3 -1 lines

Add some panics to default paths where code later assumes a non default
path was taken.  This both prevents warnings from clang and acts as a
sanity check.

ok mcbride@ henning@

Revision 1.112, Sat Jul 18 19:06:37 2015 UTC, by sashan
Branch: MAIN
Changes since 1.111: +10 -9 lines

Follow-up changes on unknown AF handling

- PF should always use unhandled_af()
- 0 is lame, AF_UNSPEC is profi

ok bluhm@

Revision 1.111, Sat Jul 18 15:19:44 2015 UTC, by sashan
Branch: MAIN
Changes since 1.110: +93 -16 lines

The INET/INET6 address family check should be unified in PF

It also adds af_unhandled() where it is currently missing.

ok mcbride@

Revision 1.110, Thu Jul 16 18:17:27 2015 UTC, by claudio
Branch: MAIN
Changes since 1.109: +1 -16 lines

Fix rn_match and therefore the exported lookup functions in radix.c
to never return the internal RNF_ROOT nodes. This removes the checks
in the callee to verify that an RNF_ROOT node was not returned.
OK mpi@

Revision 1.109, Sun Jun 7 12:02:28 2015 UTC, by jsg
Branch: MAIN
Changes since 1.108: +24 -7 lines

Introduce unhandled_af() for cases where code conditionally does
something based on an address family and later assumes one of the paths
was taken.  This was initially just calls to panic until guenther
suggested a function to reduce the amount of strings needed.

This reduces the amount of noise with static analysers and acts
as a sanity check.

ok guenther@ bluhm@

Revision 1.108, Thu Apr 9 12:04:14 2015 UTC, by mikeb
Branch: MAIN
Changes since 1.107: +4 -1 lines

Plug a memory leak in pfr_destroy_kentry

pfi_kif objects allocated for table entries created by route-to or
by specifying weight weren't garbage collected when the table entry
was destroyed.

Spotted by Alexandr Nedvedicky <alexandr ! nedvedicky at oracle ! com>,
thanks!  Ok henning, florian

Revision 1.107, Wed Apr 8 14:19:28 2015 UTC, by mikeb
Branch: MAIN
Changes since 1.106: +8 -8 lines

Table flags are not looked at when a table entry is created.

Spotted by Alexandr Nedvedicky <alexandr ! nedvedicky at oracle ! com>,
thanks!

Revision 1.106, Sat Mar 14 03:38:51 2015 UTC, by jsg
Branch: MAIN
Changes since 1.105: +1 -2 lines

Remove some includes that include-what-you-use claims don't
have any direct symbols used.  Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@

Revision 1.105, Tue Jan 20 17:25:35 2015 UTC, by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.104: +2 -1 lines

Prevent tables referenced by rules in anchors from getting disabled.
Analysis and patch by Richard Kojedzinszky, thanks!  ok henning

Revision 1.104, Fri Dec 19 17:14:40 2014 UTC, by tedu
Branch: MAIN
Changes since 1.103: +1 -11 lines

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb

Revision 1.103, Mon Sep 8 06:24:13 2014 UTC, by jsg
Branch: MAIN
Changes since 1.102: +1 -2 lines

remove unneeded route.h includes
ok miod@ mpi@

Revision 1.102, Sat Jul 12 18:44:22 2014 UTC, by tedu
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6
Changes since 1.101: +3 -3 lines

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.

Revision 1.101, Fri Jul 5 13:07:58 2013 UTC, by blambert
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE, OPENBSD_5_5, OPENBSD_5_4_BASE, OPENBSD_5_4
Changes since 1.100: +27 -10 lines

Collect and display 'match' counters for pf tables.

While here, fix pf table displays to fit within 80 chars.

Manpage input jmc@

ok henning@ reyk@

Revision 1.100, Thu Jul 4 00:19:00 2013 UTC, by guenther
Branch: MAIN
Changes since 1.99: +22 -21 lines

Re-commit: use time_t for storing time_t values.  This is an ABI
change for pf, but that's fine at this time.  You'll need to rebuild
pf userland after updating your kernel.

change to 'since' member ok henning@
rest ok henning@ deraadt@

Revision 1.99, Tue Jul 2 05:57:37 2013 UTC, by guenther
Branch: MAIN
Changes since 1.98: +21 -22 lines

Revert previous: sizeof(time_t) != sizeof(long) on LP64, so there was
an ABI change involved.

Revision 1.98, Tue Jul 2 01:42:01 2013 UTC, by guenther
Branch: MAIN
Changes since 1.97: +22 -21 lines

Use time_t for storing time_t values.  No change to the underlying
type**, so no ABI change.

ok henning@ deraadt@

** ...yet

Revision 1.97, Mon Feb 18 14:48:13 2013 UTC, by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.96: +2 -2 lines

The DIOCRCLRASTATS ioctl wasn't specifying a timestamp when it cleared
table statistics, so it appeared later on as the Epoch.  Noticed
by [the] Shining on bugs@.  Thanks!

ok sthen, waver from deraadt

Revision 1.96, Wed Jan 16 09:18:34 2013 UTC, by markus
Branch: MAIN
Changes since 1.95: +2 -2 lines

Unbreak the negation toggle code when re-loading pf tables. Otherwise
negating existing entries on re-load does not work (e.g. changing
192.168.6.0/24 to !192.168.6.0/24 in a table was ignored).
ok mikeb@, henning@, mpf@, bluhm@

Revision 1.95, Sat Dec 29 14:53:05 2012 UTC, by markus
Branch: MAIN
Changes since 1.94: +42 -26 lines

pass pf_pool directly to pfr_pool_get(); simplifies the API;
ok henning@, zinke@, mikeb@

Revision 1.94, Thu Jan 26 11:30:39 2012 UTC, by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE, OPENBSD_5_2, OPENBSD_5_1_BASE, OPENBSD_5_1
Changes since 1.93: +4 -4 lines

When table content changes we need to reset the index
to the initial value and not use the counter;
reported by Sebastian Benoit and Daniel Krambrock,
tested by Sebastian Benoit, ok henning zinke

Revision 1.93, Wed Jul 27 00:26:10 2011 UTC, by mcbride
Branch: MAIN
CVS Tags: OPENBSD_5_0_BASE, OPENBSD_5_0
Changes since 1.92: +126 -37 lines

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt

Revision 1.92, Fri Jul 8 22:11:17 2011 UTC, by mikeb
Branch: MAIN
Changes since 1.91: +12 -6 lines

ensure that we won't enter an endless loop while iterating over
an address pool.  problem found and solution tested by claudio.
ok claudio, henning, "reads fine" to zinke

Revision 1.91, Sun Jul 3 23:37:55 2011 UTC, by zinke
Branch: MAIN
Changes since 1.90: +128 -17 lines

bring in least-states load balancing algorithm

ok mcbride@ henning@

Revision 1.90, Tue Jun 14 10:14:01 2011 UTC, by mcbride
Branch: MAIN
Changes since 1.89: +11 -5 lines

KNF (no change in .o files)

Revision 1.89, Tue May 17 12:44:05 2011 UTC, by mikeb
Branch: MAIN
Changes since 1.88: +9 -3 lines

Exclude the link local address from the dynamic interface address pool
so that rules like "pass out on vr1 inet6 nat-to (vr1)" won't map
to the non-routable IPv6 link local address; with suggestions and
ok claudio, henning

Revision 1.88, Sat Nov 20 23:58:13 2010 UTC, by tedu
Branch: MAIN
CVS Tags: OPENBSD_4_9_BASE, OPENBSD_4_9
Changes since 1.87: +20 -2 lines

throw some yields into the pf table code so it doesn't lock up the kernel.
ok deraadt henning

Revision 1.87, Sat Oct 23 15:38:18 2010 UTC, by tedu
Branch: MAIN
Changes since 1.86: +30 -92 lines

remove PFR_FLAG_ATOMIC.  not used, and doesn't work as advertised.
ok henning

Revision 1.86, Thu Sep 30 07:14:02 2010 UTC, by mcbride
Branch: MAIN
Changes since 1.85: +26 -17 lines

Convert printf()'s to DPFDEBUG() macro.

ok dlg

Revision 1.85, Sat Aug 7 03:50:02 2010 UTC, by krw
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE, OPENBSD_4_8
Changes since 1.84: +2 -2 lines

No "\n" needed at the end of panic() strings.

Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.

ok deraadt@ miod@ matthew@ jasper@ macro@

Revision 1.84, Mon Jun 28 18:50:37 2010 UTC, by claudio
Branch: MAIN
Changes since 1.83: +3 -3 lines

Add the rtable id as an argument to rn_walktree(). Functions like
rt_if_remove_rtdelete() need to know the table id to be able to correctly
remove nodes.
Problem found by Andrea Parazzini and analyzed by Martin Pelikán.
OK henning@

Revision 1.83, Wed Feb 24 15:04:40 2010 UTC, by henning
Branch: MAIN
CVS Tags: OPENBSD_4_7_BASE, OPENBSD_4_7
Changes since 1.82: +2 -1 lines

Put back the line of code that copies the timestamp out for tables.
Tracked down by Dan Harnett <daniel at harnett.name>

Revision 1.82, Mon Jan 18 23:52:46 2010 UTC, by mcbride
Branch: MAIN
Changes since 1.81: +2 -1 lines

Convert pf debug logging to using log()/addlog(), a single standardised
definition of DPFPRINTF(), and log priorities from syslog.h. Old debug
levels will still work for now, but will eventually be phased out.

discussed with henning, ok dlg

Revision 1.81, Tue Jan 12 03:20:51 2010 UTC, by mcbride
Branch: MAIN
Changes since 1.80: +81 -47 lines

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio

Revision 1.80, Mon Nov 24 13:22:09 2008 UTC, by mikeb
Branch: MAIN
CVS Tags: OPENBSD_4_6_BASE, OPENBSD_4_6, OPENBSD_4_5_BASE, OPENBSD_4_5
Changes since 1.79: +24 -14 lines

Fix splasserts seen in pr 5987 by propagating a flag that describes
whether we're called from the interrupt context to the functions
performing allocations.

Looked at by mpf@ and henning@, tested by mpf@ and Antti Harri,
the pr originator.

ok tedu

Revision 1.79, Wed Oct 8 06:24:50 2008 UTC, by mcbride
Branch: MAIN
Changes since 1.78: +3 -10 lines

Get rid of the second table entry pool (pfr_kentry_pl2); we're already
using the default interrupt handler for both, so there's no need to keep
table entries created in interrupt context separate.

ok henning art

Revision 1.78, Sat Jun 14 03:50:14 2008 UTC, by art
Branch: MAIN
CVS Tags: OPENBSD_4_4_BASE, OPENBSD_4_4
Changes since 1.77: +3 -3 lines

There's no more reason to use the oldnointr allocator here since we pace
the allocations in uvm_km_thread, as long as they are PR_WAITOK, and
all the memory hogs should be WAITOK in pf now.

"following your explanation, it's ok" henning@

Revision 1.77, Sat Jun 14 02:22:13 2008 UTC, by henning
Branch: MAIN
Changes since 1.76: +3 -3 lines

pool_get()s not in interrupt context should not be PR_NOWAIT, but
PR_WAITOK | PR_LIMITFAIL. from discussion with art. ok ryan claudio thib

Revision 1.76, Tue Jun 10 22:39:31 2008 UTC, by mcbride
Branch: MAIN
Changes since 1.75: +5 -7 lines

Simplify code slightly; use PR_ZERO with pool_get() rather than bzero().

ok mpf henning

Revision 1.75, Tue Jun 10 21:25:29 2008 UTC, by mcbride
Branch: MAIN
Changes since 1.74: +3 -1 lines

Free the counters struct when we free the table entry.

Revision 1.74, Tue Jun 10 20:55:02 2008 UTC, by mcbride
Branch: MAIN
Changes since 1.73: +27 -10 lines

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt

Revision 1.73, Wed May 7 05:14:21 2008 UTC, by claudio
Branch: MAIN
Changes since 1.72: +3 -3 lines

Implement routing priorities. Every route inserted has a priority assigned
and the one route with the lowest number wins. This will be used by the
routing daemons to resolve the synchronisation issue in case of conflicts.
The nasty bits of this are in the multipath code. If no priority is specified
the kernel will choose an appropriate priority.

Looked at by a few people at n2k8; the code is much older.

Revision 1.72, Thu Dec 20 20:07:41 2007 UTC, by reyk
Branch: MAIN
CVS Tags: OPENBSD_4_3_BASE, OPENBSD_4_3
Changes since 1.71: +6 -2 lines

Increment the match/nomatch table counters when using a table/pool in
rdr rules. This helps to get some statistics about L3 redirections.

ok henning@

Revision 1.71, Sat Sep 1 18:49:27 2007 UTC, by henning
Branch: MAIN
Changes since 1.70: +2 -1 lines

Since the MGET* macros were changed to function calls, there wasn't any
need for the pool declarations and the inclusion of pool.h.
From: tbert <bret.lambert@gmail.com>

Revision 1.70 / (download) - annotate - [select for diffs], Wed May 23 11:53:45 2007 UTC (17 years ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_4_2_BASE, OPENBSD_4_2
Changes since 1.69: +5 -3 lines
Diff to previous 1.69 (colored)

use the intr pool when allocating from interrupt context;
fixes pppoe f_addrhooks panics (e.g. pr 5454); ok canacar

Revision 1.69 / (download) - annotate - [select for diffs], Tue Mar 20 10:37:29 2007 UTC (17 years, 2 months ago) by mickey
Branch: MAIN
Changes since 1.68: +53 -46 lines
Diff to previous 1.68 (colored)

do not use out of scope variable in macros -- only use the macro arguments passed; makes it less of nfs kind of code; henning@ ok

Revision 1.68 / (download) - annotate - [select for diffs], Tue May 2 10:08:45 2006 UTC (18 years, 1 month ago) by dhartmei
Branch: MAIN
CVS Tags: OPENBSD_4_1_BASE, OPENBSD_4_1, OPENBSD_4_0_BASE, OPENBSD_4_0
Changes since 1.67: +2 -2 lines
Diff to previous 1.67 (colored)

fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, create
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.

Revision 1.67 / (download) - annotate - [select for diffs], Tue Aug 2 12:40:42 2005 UTC (18 years, 10 months ago) by pascoe
Branch: MAIN
CVS Tags: OPENBSD_3_9_BASE, OPENBSD_3_9, OPENBSD_3_8_BASE, OPENBSD_3_8
Changes since 1.66: +5 -3 lines
Diff to previous 1.66 (colored)

Instead of copying a table structure so we can mask off a bit before
"validating" it, pass the bits to be ignored down to the validating
function in its allowedflags argument.  Saves a 1kB+ stack allocation.

ok henning@

Revision 1.66 / (download) - annotate - [select for diffs], Mon Jun 6 09:01:55 2005 UTC (19 years ago) by dhartmei
Branch: MAIN
Changes since 1.65: +15 -7 lines
Diff to previous 1.65 (colored)

Backout 1.64, switch back to two-pool allocation scheme (with oldnointr
allocator on one pool). Should fix PR 4231 and 4240, but reintroduces 4186.
ok deraadt@

Revision 1.65 / (download) - annotate - [select for diffs], Fri May 27 18:53:09 2005 UTC (19 years ago) by henning
Branch: MAIN
Changes since 1.64: +3 -2 lines
Diff to previous 1.64 (colored)

add back ACCEPT_FLAGS and active flag check, pointed out by cedric

Revision 1.64 / (download) - annotate - [select for diffs], Mon May 23 23:28:53 2005 UTC (19 years ago) by dhartmei
Branch: MAIN
Changes since 1.63: +7 -15 lines
Diff to previous 1.63 (colored)

change pool allocation of table entries, no longer use the oldnointr
allocator and two pools, but PR_WAITOK when called from non-interrupt
context (ioctl). add configurable hard limits for tables and table
entries (set limit tables/table-entries), defaulting to 1000/100000.
ok aaron@, henning@, mcbride@, art@

Revision 1.63 / (download) - annotate - [select for diffs], Mon May 23 20:47:02 2005 UTC (19 years ago) by henning
Branch: MAIN
Changes since 1.62: +2 -3 lines
Diff to previous 1.62 (colored)

don't deny access to "special" tables in get_addrs
with this, when you know their name you can list their contents with pfctl
ok ryan

Revision 1.62 / (download) - annotate - [select for diffs], Tue Dec 7 18:02:04 2004 UTC (19 years, 6 months ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_3_7_BASE, OPENBSD_3_7
Changes since 1.61: +2 -2 lines
Diff to previous 1.61 (colored)

KNF

Revision 1.61 / (download) - annotate - [select for diffs], Sat Dec 4 07:49:48 2004 UTC (19 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.60: +41 -8 lines
Diff to previous 1.60 (colored)

Add kernel code to keep track of tcp connections which have completed
the 3-way handshake. Allow limits on both total connections and connection
rate, put offenders in a table which can be used in the ruleset, and optionally
kill existing states. Rate tracking code from dhartmei@.

Adds a second pool for table entries using the default allocator, which
allows entries to be added at splsoftnet().

ok deraadt@ dhartmei@

Revision 1.60 / (download) - annotate - [select for diffs], Fri Oct 15 00:15:06 2004 UTC (19 years, 8 months ago) by jaredy
Branch: MAIN
Changes since 1.59: +39 -1 lines
Diff to previous 1.59 (colored)

correctly parse the anchor names to which tables refer.
now they abide by the same rules as anchor names referred to by rules:
- initial slashes (/) are stripped
- anchor names with characters after the terminating NUL byte are
  considered invalid

ok dhartmei (and previously) beck henning

Revision 1.59 / (download) - annotate - [select for diffs], Thu Jul 8 23:17:38 2004 UTC (19 years, 11 months ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_3_6_BASE, OPENBSD_3_6
Changes since 1.58: +3 -3 lines
Diff to previous 1.58 (colored)

Make 0/0 table entries work; also fix a problem setting the network mask
on v6 addresses.

Reported by Ilya A. Kovalenko, fix from Cedric Berger.

Revision 1.58 / (download) - annotate - [select for diffs], Wed Jun 23 04:34:17 2004 UTC (19 years, 11 months ago) by mcbride
Branch: MAIN
Changes since 1.57: +5 -3 lines
Diff to previous 1.57 (colored)

pfr_commit_ktable calls functions that can result in the current
ktable being destroyed, which makes it unsafe in a SLIST_FOREACH.

Fix from Chris Pascoe

Revision 1.57 / (download) - annotate - [select for diffs], Mon Jun 21 23:50:37 2004 UTC (19 years, 11 months ago) by tholo
Branch: MAIN
Changes since 1.56: +9 -9 lines
Diff to previous 1.56 (colored)

First step towards more sane time handling in the kernel -- this changes
things such that code that only needs a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@

Revision 1.31.4.6 / (download) - annotate - [select for diffs], Sun Jun 13 08:50:17 2004 UTC (20 years ago) by niklas
Branch: SMP
Changes since 1.31.4.5: +4 -2 lines
Diff to previous 1.31.4.5 (colored) to branchpoint 1.31 (colored) next main 1.32 (colored)

sync to HEAD

Revision 1.56 / (download) - annotate - [select for diffs], Fri Jun 11 05:21:20 2004 UTC (20 years ago) by mcbride
Branch: MAIN
CVS Tags: SMP_SYNC_A
Changes since 1.55: +5 -3 lines
Diff to previous 1.55 (colored)

Eliminate a dereference after pool_put when an inactive/no-longer referenced
table is destroyed in pfr_setflags_ktable.

Fix from Chris Pascoe

Revision 1.31.4.5 / (download) - annotate - [select for diffs], Mon Jun 7 20:41:37 2004 UTC (20 years ago) by niklas
Branch: SMP
Changes since 1.31.4.4: +29 -2 lines
Diff to previous 1.31.4.4 (colored) to branchpoint 1.31 (colored)

sync to head

Revision 1.55 / (download) - annotate - [select for diffs], Mon Jun 7 13:16:19 2004 UTC (20 years ago) by cedric
Branch: MAIN
CVS Tags: SMP_SYNC_B
Changes since 1.54: +30 -3 lines
Diff to previous 1.54 (colored)

Make deletion of a few addresses much faster on big tables. ok claudio@

Revision 1.31.4.4 / (download) - annotate - [select for diffs], Sat Jun 5 23:11:24 2004 UTC (20 years ago) by niklas
Branch: SMP
Changes since 1.31.4.3: +70 -70 lines
Diff to previous 1.31.4.3 (colored) to branchpoint 1.31 (colored)

Merge with the trunk

Revision 1.54 / (download) - annotate - [select for diffs], Wed Jun 2 22:18:25 2004 UTC (20 years ago) by tedu
Branch: MAIN
Changes since 1.53: +3 -3 lines
Diff to previous 1.53 (colored)

tables like to allocate lots of memory at once.  use the previous
pool allocator, _nointr.  testing/ok beck@ cedric@

Revision 1.53 / (download) - annotate - [select for diffs], Wed May 19 17:50:52 2004 UTC (20 years ago) by dhartmei
Branch: MAIN
Changes since 1.52: +11 -36 lines
Diff to previous 1.52 (colored)

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@

Revision 1.52 / (download) - annotate - [select for diffs], Wed Apr 28 15:12:20 2004 UTC (20 years, 1 month ago) by pb
Branch: MAIN
Changes since 1.51: +2 -1 lines
Diff to previous 1.51 (colored)

gcc3 shut up (from naddy@)

Revision 1.51 / (download) - annotate - [select for diffs], Wed Apr 28 03:31:33 2004 UTC (20 years, 1 month ago) by pb
Branch: MAIN
Changes since 1.50: +1 -2 lines
Diff to previous 1.50 (colored)

do not return here

Revision 1.50 / (download) - annotate - [select for diffs], Wed Apr 28 02:43:09 2004 UTC (20 years, 1 month ago) by pb
Branch: MAIN
Changes since 1.49: +36 -13 lines
Diff to previous 1.49 (colored)

Don't step into INET6 code, just because af != AF_INET
Also comment #endif properly while being here

ok mcbride@

Revision 1.49 / (download) - annotate - [select for diffs], Sun Apr 25 02:48:03 2004 UTC (20 years, 1 month ago) by itojun
Branch: MAIN
Changes since 1.48: +3 -3 lines
Diff to previous 1.48 (colored)

radix tree with multipath support.  from kame.  deraadt ok
user visible changes:
- you can add multiple routes with same key (route add A B then route add A C)
- you have to specify gateway address if there are multiple entries on the table
  (route delete A B, instead of route delete A)
kernel change:
- radix_node_head has an extra entry
- rnh_deladdr takes extra argument

TODO:
- actually take advantage of multipath (rtalloc -> rtalloc_mpath)

Revision 1.48 / (download) - annotate - [select for diffs], Fri Apr 9 19:30:41 2004 UTC (20 years, 2 months ago) by frantzen
Branch: MAIN
Changes since 1.47: +3 -3 lines
Diff to previous 1.47 (colored)

move some of the non-interrupt pools from the small kmem_map to the much
larger kernel map

Revision 1.47 / (download) - annotate - [select for diffs], Tue Mar 9 21:44:41 2004 UTC (20 years, 3 months ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_3_5_BASE, OPENBSD_3_5
Changes since 1.46: +12 -10 lines
Diff to previous 1.46 (colored)

KNF, ok cedric@ deraadt@

Revision 1.31.4.3 / (download) - annotate - [select for diffs], Thu Feb 19 10:57:22 2004 UTC (20 years, 3 months ago) by niklas
Branch: SMP
Changes since 1.31.4.2: +382 -81 lines
Diff to previous 1.31.4.2 (colored) to branchpoint 1.31 (colored)

Merge of current from two weeks ago into the SMP branch

Revision 1.46 / (download) - annotate - [select for diffs], Tue Feb 10 22:42:57 2004 UTC (20 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.45: +4 -4 lines
Diff to previous 1.45 (colored)

KNF

Revision 1.45 / (download) - annotate - [select for diffs], Tue Feb 10 18:49:10 2004 UTC (20 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.44: +12 -12 lines
Diff to previous 1.44 (colored)

KNF

Revision 1.44 / (download) - annotate - [select for diffs], Wed Dec 31 22:14:42 2003 UTC (20 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.43: +2 -2 lines
Diff to previous 1.43 (colored)

spacing.  note this, cedric

Revision 1.43 / (download) - annotate - [select for diffs], Wed Dec 31 11:18:25 2003 UTC (20 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.42: +107 -46 lines
Diff to previous 1.42 (colored)

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now support multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@

Revision 1.42 / (download) - annotate - [select for diffs], Fri Sep 26 21:44:09 2003 UTC (20 years, 8 months ago) by cedric
Branch: MAIN
Changes since 1.41: +32 -1 lines
Diff to previous 1.41 (colored)

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:

   - Anchors/Rulesets cannot disappear unexpectedly anymore.
   - No more leftover in the kernel if "pfctl -f" fails.
   - Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

   - DIOCBEGINRULES
   - DIOCCOMMITRULES
   - DIOCBEGINALTQS
   - DIOCCOMMITALTQS
   - DIOCRINABEGIN
   - DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

   - DIOCXBEGIN
   - DIOCXCOMMIT
   - DIOCXROLLBACK

Ok dhartmei@ mcbride@

Revision 1.41 / (download) - annotate - [select for diffs], Fri Aug 22 15:19:23 2003 UTC (20 years, 9 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_3_4_BASE, OPENBSD_3_4
Changes since 1.40: +6 -6 lines
Diff to previous 1.40 (colored)

KNF

Revision 1.40 / (download) - annotate - [select for diffs], Sat Aug 9 14:56:48 2003 UTC (20 years, 10 months ago) by cedric
Branch: MAIN
Changes since 1.39: +122 -2 lines
Diff to previous 1.39 (colored)

This patch removes the restriction that tables cannot be used in routing or
redirection rules...

The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.

This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.

Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"

ok henning@ mcbride@

Revision 1.39 / (download) - annotate - [select for diffs], Thu Jul 31 22:25:55 2003 UTC (20 years, 10 months ago) by cedric
Branch: MAIN
Changes since 1.38: +28 -16 lines
Diff to previous 1.38 (colored)

Make table tickets per-ruleset instead of global.
Make table tickets u_int32_t for consistency with other parts of PF.
Ok dhartmei@ henning@

Revision 1.38 / (download) - annotate - [select for diffs], Tue Jun 24 13:52:50 2003 UTC (20 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.37: +4 -4 lines
Diff to previous 1.37 (colored)

KNF

Revision 1.37 / (download) - annotate - [select for diffs], Sun Jun 8 10:32:35 2003 UTC (21 years ago) by cedric
Branch: MAIN
Changes since 1.36: +7 -7 lines
Diff to previous 1.36 (colored)

Returns the correct array size.

Revision 1.36 / (download) - annotate - [select for diffs], Sun Jun 8 09:41:08 2003 UTC (21 years ago) by cedric
Branch: MAIN
Changes since 1.35: +97 -20 lines
Diff to previous 1.35 (colored)

A table in an anchor creates a real anchor: pfctl -sA works.
The following two pfctl functions work with an "-a" option:
  - pfctl [-a foo[:bar]] -sT
  - pfctl [-a foo[:bar]] -FT
ok dhartmei@

Revision 1.31.4.2 / (download) - annotate - [select for diffs], Sat Jun 7 11:06:07 2003 UTC (21 years ago) by ho
Branch: SMP
Changes since 1.31.4.1: +2 -3 lines
Diff to previous 1.31.4.1 (colored) to branchpoint 1.31 (colored)

Sync SMP branch to -current

Revision 1.35 / (download) - annotate - [select for diffs], Sat May 24 14:22:03 2003 UTC (21 years ago) by cedric
Branch: MAIN
Changes since 1.34: +2 -3 lines
Diff to previous 1.34 (colored)

Unused variable.

Revision 1.31.4.1 / (download) - annotate - [select for diffs], Tue May 13 19:36:16 2003 UTC (21 years, 1 month ago) by ho
Branch: SMP
Changes since 1.31: +104 -16 lines
Diff to previous 1.31 (colored)

Sync the SMP branch to -current. This includes moving to ELF.

Revision 1.34 / (download) - annotate - [select for diffs], Wed Apr 30 12:30:27 2003 UTC (21 years, 1 month ago) by cedric
Branch: MAIN
CVS Tags: UBC_SYNC_A, UBC
Changes since 1.33: +99 -11 lines
Diff to previous 1.33 (colored)

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@

Revision 1.33 / (download) - annotate - [select for diffs], Sun Apr 27 16:02:08 2003 UTC (21 years, 1 month ago) by cedric
Branch: MAIN
Changes since 1.32: +5 -5 lines
Diff to previous 1.32 (colored)

Update the pfioc_table IOCTL structure.
Prepare for anchors, improve robustness.
WARNING: need to sync kernel/userland.
ok dhartmei@

Revision 1.32 / (download) - annotate - [select for diffs], Fri Apr 4 01:46:04 2003 UTC (21 years, 2 months ago) by deraadt
Branch: MAIN
Changes since 1.31: +2 -2 lines
Diff to previous 1.31 (colored)

KNF

Revision 1.31 / (download) - annotate - [select for diffs], Fri Mar 21 12:47:36 2003 UTC (21 years, 2 months ago) by cedric
Branch: MAIN
CVS Tags: OPENBSD_3_3_BASE, OPENBSD_3_3
Branch point for: SMP
Changes since 1.30: +15 -15 lines
Diff to previous 1.30 (colored)

- Add missing "\n" to some pf_table.c printf()
- Fix two problems with pfr_update_stats().

Filtering was done properly, only stats were wrong.
People should upgrade their kernel if:
  - They use bidirectional rules (without "in" or "out") with tables.
  - They use tables in negated statements, like "block from !<foo>"

Thanks to David Krause for discovering the problem.
Ok dhartmei@ henning@

Revision 1.30 / (download) - annotate - [select for diffs], Fri Mar 14 12:36:40 2003 UTC (21 years, 3 months ago) by cedric
Branch: MAIN
Changes since 1.29: +15 -1 lines
Diff to previous 1.29 (colored)

Correctly flag out radix_node entries with RNF_ROOT flag set: this is not
a match. Before that patch, an IP packet with source or dest address of
0.0.0.0 could corrupt the kernel. People filtering DHCP packets on their
firewall using tables should upgrade their kernel now.
Thanks to Chris Cappuccio for the good bug report.
Ok dhartmei@ henning@

Revision 1.29 / (download) - annotate - [select for diffs], Thu Mar 13 17:56:16 2003 UTC (21 years, 3 months ago) by cedric
Branch: MAIN
Changes since 1.28: +20 -1 lines
Diff to previous 1.28 (colored)

Plug slow memory leak (radix_mask structure).
tested on i386 by me and Daniel on macppc.
ok dhartmei@ henning@

Revision 1.28 / (download) - annotate - [select for diffs], Wed Mar 5 12:13:03 2003 UTC (21 years, 3 months ago) by cedric
Branch: MAIN
Changes since 1.27: +8 -12 lines
Diff to previous 1.27 (colored)

Small fixes after code review, mostly on error path.
ok dhartmei@ henning@ pb@

Revision 1.27 / (download) - annotate - [select for diffs], Fri Feb 28 11:04:05 2003 UTC (21 years, 3 months ago) by cedric
Branch: MAIN
Changes since 1.26: +4 -1 lines
Diff to previous 1.26 (colored)

splsoftnet() around rn_lookup() which is not thread-safe.
ok dhartmei@ henning@

Revision 1.26 / (download) - annotate - [select for diffs], Thu Feb 27 12:56:05 2003 UTC (21 years, 3 months ago) by cedric
Branch: MAIN
Changes since 1.25: +3 -3 lines
Diff to previous 1.25 (colored)

Repair IPv6 support for tables.
ok dhartmei@ henning@

Revision 1.25 / (download) - annotate - [select for diffs], Wed Feb 12 20:10:08 2003 UTC (21 years, 4 months ago) by henric
Branch: MAIN
Changes since 1.24: +4 -1 lines
Diff to previous 1.24 (colored)

Labels should be followed by statements (fix gcc3 warning).

ok cedric, jason, theo

Revision 1.24 / (download) - annotate - [select for diffs], Wed Jan 15 16:55:10 2003 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.23: +7 -4 lines
Diff to previous 1.23 (colored)

Fix another buglet with inactive sets.
table <foo> { 1.2.3.4 1.2.3.4 1.2.3.4 }
Was causing the kernel to become noisy.
Now duplicates are silently rejected.

Revision 1.23 / (download) - annotate - [select for diffs], Wed Jan 15 16:28:56 2003 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.22: +26 -24 lines
Diff to previous 1.22 (colored)

Fix a buglet when one "creates" a table which is already in the
referenced or inactive set. Flags were not updated correctly.
Tested on i386, sparc64. More regression tests coming.

Revision 1.22 / (download) - annotate - [select for diffs], Wed Jan 15 10:42:48 2003 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.21: +10 -14 lines
Diff to previous 1.21 (colored)

Cleanup NULL tests in and around pfr_destroy_ktable().
Makes code more readable.

Revision 1.21 / (download) - annotate - [select for diffs], Wed Jan 15 09:42:52 2003 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.20: +7 -5 lines
Diff to previous 1.20 (colored)

Kill stupid leaks when using FLAG_DUMMY option.
Removes "_" from pool names.
Regression tests for memory allocation coming soon....

Revision 1.20 / (download) - annotate - [select for diffs], Mon Jan 13 07:57:47 2003 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.19: +96 -35 lines
Diff to previous 1.19 (colored)

Improve robustness & error handling. More thorough checks of user data.
- Reject invalid CIDR networks (1.2.3.4/16 & friends).
- Only allow values 0 or 1 for the "neg" flag.
- Require all unused data to be set to 0 in pfr_addr and pfr_table.
- Always check the return value of pfr_route_entry().
- Remove redundant kernel messages.
Tested on i386, sparc64. Passes my (uncommitted) regression tests.

Revision 1.19 / (download) - annotate - [select for diffs], Fri Jan 10 16:09:19 2003 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.18: +19 -9 lines
Diff to previous 1.18 (colored)

Fix adding and deleting addresses in a table when there is a conflict with
the "negated" attribute of an address. The previous behaviour was incorrect
in both cases (too strict for the add command and too permissive for the
delete command).
ok dhartmei@

Revision 1.18 / (download) - annotate - [select for diffs], Fri Jan 10 13:21:35 2003 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.17: +8 -5 lines
Diff to previous 1.17 (colored)

Cosmetic change, makes code a bit easier to understand.

Revision 1.17 / (download) - annotate - [select for diffs], Thu Jan 9 15:58:35 2003 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.16: +5 -5 lines
Diff to previous 1.16 (colored)

(whitespace) KNF, re-fold -w 80

Revision 1.16 / (download) - annotate - [select for diffs], Thu Jan 9 10:40:44 2003 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.15: +458 -189 lines
Diff to previous 1.15 (colored)

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@

Revision 1.15 / (download) - annotate - [select for diffs], Tue Jan 7 00:21:07 2003 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.14: +78 -145 lines
Diff to previous 1.14 (colored)

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@

Revision 1.14 / (download) - annotate - [select for diffs], Mon Jan 6 14:19:40 2003 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.13: +17 -3 lines
Diff to previous 1.13 (colored)

Move initialisation of radix table globals in pfr_initialize()
ok dhartmei@

Revision 1.13 / (download) - annotate - [select for diffs], Mon Jan 6 10:08:36 2003 UTC (21 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.12: +19 -21 lines
Diff to previous 1.12 (colored)

knf

Revision 1.12 / (download) - annotate - [select for diffs], Sun Jan 5 22:14:23 2003 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.11: +8 -8 lines
Diff to previous 1.11 (colored)

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@

Revision 1.11 / (download) - annotate - [select for diffs], Fri Jan 3 19:31:43 2003 UTC (21 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.10: +13 -13 lines
Diff to previous 1.10 (colored)

KNF

Revision 1.10 / (download) - annotate - [select for diffs], Fri Jan 3 10:39:09 2003 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.9: +25 -28 lines
Diff to previous 1.9 (colored)

1) pfr_insert_kentries() cannot return ENOMEM anymore -> make it void.
2) add new PFR_FLAG_REPLACE for use by pfr_tst_addrs().
3) add new pfrio_nmatch alias to pfioc_table, set by pfr_tst_addrs().
Tested on i386, sparc64

Revision 1.9 / (download) - annotate - [select for diffs], Wed Jan 1 22:07:57 2003 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.8: +2 -1 lines
Diff to previous 1.8 (colored)

Repair my last commit - zero the 2 radix nodes before inserting into table.

Revision 1.8 / (download) - annotate - [select for diffs], Wed Jan 1 16:08:52 2003 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.7: +3 -3 lines
Diff to previous 1.7 (colored)

KNF

Revision 1.7 / (download) - annotate - [select for diffs], Wed Jan 1 15:26:17 2003 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.6: +3 -3 lines
Diff to previous 1.6 (colored)

disable the CLSTATS flag for now, since it violates the O_RDONLY check.

Revision 1.6 / (download) - annotate - [select for diffs], Wed Jan 1 14:16:56 2003 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.5: +56 -21 lines
Diff to previous 1.5 (colored)

Behaves correctly when duplicate addresses are given in the same ioctl.
(i.e. pfradix -a test 1.2.3.4 1.2.3.4). The ioctl can also report these
duplicates to the caller using the new PFR_FB_DUPLICATE feedback tag.

Revision 1.5 / (download) - annotate - [select for diffs], Wed Jan 1 13:23:17 2003 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.4: +35 -23 lines
Diff to previous 1.4 (colored)

Behaves properly when someone tries to insert/delete the same table name
multiple times in the same ioctl (i.e. pfradix -A/D test test test).
This is not a very efficient implementation, and I'll change it if someone
really adds/deletes more than a hundred tables in the same ioctl.

Revision 1.4 / (download) - annotate - [select for diffs], Mon Dec 30 15:39:18 2002 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.3: +2 -1 lines
Diff to previous 1.3 (colored)

Don't forget to copyout the time at which statistics got cleared.

Revision 1.3 / (download) - annotate - [select for diffs], Mon Dec 30 13:34:55 2002 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.2: +4 -2 lines
Diff to previous 1.2 (colored)

really count the number of deleted tables - obvious fix.

Revision 1.2 / (download) - annotate - [select for diffs], Mon Dec 30 02:37:27 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.1: +118 -117 lines
Diff to previous 1.1 (colored)

KNF

Revision 1.1 / (download) - annotate - [select for diffs], Sun Dec 29 20:07:34 2002 UTC (21 years, 5 months ago) by cedric
Branch: MAIN

Add support for radix tables for source and destination of PF rules.
ok dhartmei@, mcbride@, henning@
