Diffstat (limited to 'contrib/pf')
-rw-r--r-- | contrib/pf/man/pf.4 | 24 | ||||
-rw-r--r-- | contrib/pf/man/pf.conf.5 | 40 | ||||
-rw-r--r-- | contrib/pf/pfctl/parse.y | 43 | ||||
-rw-r--r-- | contrib/pf/pfctl/pf_print_state.c | 5 | ||||
-rw-r--r-- | contrib/pf/pfctl/pfctl.c | 17 | ||||
-rw-r--r-- | contrib/pf/pfctl/pfctl_parser.c | 6 | ||||
-rw-r--r-- | contrib/pf/pfctl/pfctl_table.c | 3 |
7 files changed, 28 insertions, 110 deletions
diff --git a/contrib/pf/man/pf.4 b/contrib/pf/man/pf.4 index 936a5a8..635078d 100644 --- a/contrib/pf/man/pf.4 +++ b/contrib/pf/man/pf.4 @@ -28,7 +28,7 @@ .\" .\" $FreeBSD$ .\" -.Dd July 17 2011 +.Dd June 29 2012 .Dt PF 4 .Os .Sh NAME @@ -75,6 +75,25 @@ separated by characters, similar to how file system hierarchies are laid out. The final component of the anchor path is the anchor under which operations will be performed. +.Sh SYSCTL VARIABLES AND LOADER TUNABLES +The following +.Xr loader 8 +tunables are available. +.Bl -tag -width indent +.It Va net.pf.states_hashsize +Size of hash tables that store states. +Should be power of 2. +Default value is 32768. +.It Va net.pf.source_nodes_hashsize +Size of hash table that store source nodes. +Should be power of 2. +Default value is 8192. +.El +.Pp +Read only +.Xr sysctl 8 +variables with matching names are provided to obtain current values +at runtime. .Sh IOCTL INTERFACE .Nm supports the following @@ -351,7 +370,6 @@ struct pf_status { u_int64_t scounters[SCNT_MAX]; u_int64_t pcounters[2][2][3]; u_int64_t bcounters[2][2]; - u_int64_t stateid; u_int32_t running; u_int32_t states; u_int32_t src_nodes; @@ -493,7 +511,7 @@ struct pfioc_limit { }; enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS, - PF_LIMIT_TABLES, PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX }; + PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX }; .Ed .It Dv DIOCGETLIMIT Fa "struct pfioc_limit *pl" Get the hard diff --git a/contrib/pf/man/pf.conf.5 b/contrib/pf/man/pf.conf.5 index dfec264..fc86111 100644 --- a/contrib/pf/man/pf.conf.5 +++ b/contrib/pf/man/pf.conf.5 @@ -28,7 +28,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd January 31 2009 +.Dd June 29 2012 .Dt PF.CONF 5 .Os .Sh NAME 
@@ -1421,7 +1421,7 @@ has the socket open where the packet is sourced from or destined to (depending on which socket is local). This is in addition to the normal information logged. .Pp -Due to the problems described in the BUGS section only the first packet +Only the first packet logged via .Ar log (all, user) will have the user credentials logged when using stateful matching. @@ -1479,13 +1479,6 @@ of the following keywords: .Bl -tag -width xxxxxxxxxxxxxx -compact .It Ar any Any address. -.It Ar route Aq Ar label -Any address whose associated route has label -.Aq Ar label . -See -.Xr route 4 -and -.Xr route 8 . .It Ar no-route Any address which is not currently routable. .It Ar urpf-failed @@ -1594,7 +1587,6 @@ pass in proto tcp from any to any port 25 pass in proto tcp from 10.0.0.0/8 port \*(Gt 1024 \e to ! 10.1.2.3 port != ssh pass in proto tcp from any os "OpenBSD" -pass in proto tcp from route "DTAG" .Ed .It Ar all This is equivalent to "from any to any". @@ -2949,9 +2941,9 @@ proto-list = ( proto-name | proto-number ) [ [ "," ] proto-list ] hosts = "all" | "from" ( "any" | "no-route" | "urpf-failed" | "self" | host | - "{" host-list "}" | "route" string ) [ port ] [ os ] + "{" host-list "}" ) [ port ] [ os ] "to" ( "any" | "no-route" | "self" | host | - "{" host-list "}" | "route" string ) [ port ] + "{" host-list "}" ) [ port ] ipspec = "any" | host | "{" host-list "}" host = [ "!" ] ( address [ "/" mask-bits ] | "\*(Lt" string "\*(Gt" ) 
@@ -3048,28 +3040,6 @@ Protocol name database. .It Pa /etc/services Service name database. .El -.Sh BUGS -Due to a lock order reversal (LOR) with the socket layer, the use of the -.Ar group -and -.Ar user -filter parameter in conjuction with a Giant-free netstack -can result in a deadlock. -A workaround is available under the -.Va debug.pfugidhack -sysctl which is automatically enabled when a -.Ar user -/ -.Ar group -rule is added or -.Ar log (user) -is specified. -.Pp -Route labels are not supported by the -.Fx -.Xr route 4 -system. -Rules with a route label do not match any traffic. .Sh SEE ALSO .Xr altq 4 , .Xr carp 4 , @@ -3080,7 +3050,6 @@ Rules with a route label do not match any traffic. .Xr pf 4 , .Xr pflow 4 , .Xr pfsync 4 , -.Xr route 4 , .Xr tcp 4 , .Xr udp 4 , .Xr hosts 5 , @@ -3090,7 +3059,6 @@ Rules with a route label do not match any traffic. .Xr ftp-proxy 8 , .Xr pfctl 8 , .Xr pflogd 8 , -.Xr route 8 .Sh HISTORY The .Nm diff --git a/contrib/pf/pfctl/parse.y b/contrib/pf/pfctl/parse.y index f798cac..99c26c0 100644 --- a/contrib/pf/pfctl/parse.y +++ b/contrib/pf/pfctl/parse.y @@ -159,8 +159,7 @@ enum { PF_STATE_OPT_MAX, PF_STATE_OPT_NOSYNC, PF_STATE_OPT_SRCTRACK, PF_STATE_OPT_MAX_SRC_STATES, PF_STATE_OPT_MAX_SRC_CONN, PF_STATE_OPT_MAX_SRC_CONN_RATE, PF_STATE_OPT_MAX_SRC_NODES, PF_STATE_OPT_OVERLOAD, PF_STATE_OPT_STATELOCK, - PF_STATE_OPT_TIMEOUT, PF_STATE_OPT_SLOPPY, - PF_STATE_OPT_PFLOW }; + PF_STATE_OPT_TIMEOUT, PF_STATE_OPT_SLOPPY, }; enum { PF_SRCTRACK_NONE, PF_SRCTRACK, PF_SRCTRACK_GLOBAL, PF_SRCTRACK_RULE }; 
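Review bot: The rewritten enumerator list in the parse.y hunk at `@@ -159,8 +159,7 @@` ends with a dangling comma, `PF_STATE_OPT_TIMEOUT, PF_STATE_OPT_SLOPPY, };`, which is legal C99 but reads as a leftover from deleting `PF_STATE_OPT_PFLOW` rather than a deliberate style. `PF_STATE_OPT_TIMEOUT, PF_STATE_OPT_SLOPPY };` would match how the neighbouring `PF_SRCTRACK_*` enum in the same hunk is closed. The enum's opening line precedes the hunk and is visible only as hunk-header context.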
@@ -451,7 +450,7 @@ int parseport(char *, struct range *r, int); %token QUEUE PRIORITY QLIMIT RTABLE %token LOAD RULESET_OPTIMIZATION %token STICKYADDRESS MAXSRCSTATES MAXSRCNODES SOURCETRACK GLOBAL RULE -%token MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY PFLOW +%token MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY %token TAGGED TAG IFBOUND FLOATING STATEPOLICY STATEDEFAULTS ROUTE SETTOS %token DIVERTTO DIVERTREPLY %token <v.string> STRING @@ -2081,15 +2080,6 @@ pfrule : action dir logquick interface route af proto fromto } r.rule_flag |= PFRULE_STATESLOPPY; break; - case PF_STATE_OPT_PFLOW: - if (r.rule_flag & PFRULE_PFLOW) { - yyerror("state pflow " - "option: multiple " - "definitions"); - YYERROR; - } - r.rule_flag |= PFRULE_PFLOW; - break; case PF_STATE_OPT_TIMEOUT: if (o->data.timeout.number == PFTM_ADAPTIVE_START || @@ -2909,26 +2899,6 @@ host : STRING { $$->next = NULL; $$->tail = $$; } - | ROUTE STRING { - $$ = calloc(1, sizeof(struct node_host)); - if ($$ == NULL) { - free($2); - err(1, "host: calloc"); - } - $$->addr.type = PF_ADDR_RTLABEL; - if (strlcpy($$->addr.v.rtlabelname, $2, - sizeof($$->addr.v.rtlabelname)) >= - sizeof($$->addr.v.rtlabelname)) { - yyerror("route label too long, max %u chars", - sizeof($$->addr.v.rtlabelname) - 1); - free($2); - free($$); - YYERROR; - } - $$->next = NULL; - $$->tail = $$; - free($2); - } ; number : NUMBER @@ -3597,14 +3567,6 @@ state_opt_item : MAXIMUM NUMBER { $$->next = NULL; $$->tail = $$; } - | PFLOW { - $$ = calloc(1, sizeof(struct node_state_opt)); - if ($$ == NULL) - err(1, "state_opt_item: calloc"); - $$->type = PF_STATE_OPT_PFLOW; - $$->next = NULL; - $$->tail = $$; - } | STRING NUMBER { int i; @@ -5320,7 +5282,6 @@ lookup(char *s) { "out", OUT}, { "overload", OVERLOAD}, { "pass", PASS}, - { "pflow", PFLOW}, { "port", PORT}, { "priority", PRIORITY}, { "priq", PRIQ}, diff --git a/contrib/pf/pfctl/pf_print_state.c b/contrib/pf/pfctl/pf_print_state.c index 0698516..d6637b4 100644 
--- a/contrib/pf/pfctl/pf_print_state.c +++ b/contrib/pf/pfctl/pf_print_state.c @@ -119,9 +119,6 @@ print_addr(struct pf_addr_wrap *addr, sa_family_t af, int verbose) case PF_ADDR_URPFFAILED: printf("urpf-failed"); return; - case PF_ADDR_RTLABEL: - printf("route \"%s\"", addr->v.rtlabelname); - return; default: printf("?"); return; @@ -339,8 +336,6 @@ print_state(struct pfsync_state *s, int opts) printf(", rule %u", ntohl(s->rule)); if (s->state_flags & PFSTATE_SLOPPY) printf(", sloppy"); - if (s->state_flags & PFSTATE_PFLOW) - printf(", pflow"); if (s->sync_flags & PFSYNC_FLAG_SRCNODE) printf(", source-track"); if (s->sync_flags & PFSYNC_FLAG_NATSRCNODE) diff --git a/contrib/pf/pfctl/pfctl.c b/contrib/pf/pfctl/pfctl.c index 8b07a2b..90a2bb5 100644 --- a/contrib/pf/pfctl/pfctl.c +++ b/contrib/pf/pfctl/pfctl.c @@ -144,7 +144,6 @@ static const struct { { "states", PF_LIMIT_STATES }, { "src-nodes", PF_LIMIT_SRC_NODES }, { "frags", PF_LIMIT_FRAGS }, - { "tables", PF_LIMIT_TABLES }, { "table-entries", PF_LIMIT_TABLE_ENTRIES }, { NULL, 0 } }; @@ -1553,9 +1552,6 @@ pfctl_fopen(const char *name, const char *mode) void pfctl_init_options(struct pfctl *pf) { - int64_t mem; - int mib[2]; - size_t size; pf->timeout[PFTM_TCP_FIRST_PACKET] = PFTM_TCP_FIRST_PACKET_VAL; pf->timeout[PFTM_TCP_OPENING] = PFTM_TCP_OPENING_VAL; @@ -1581,21 +1577,8 @@ pfctl_init_options(struct pfctl *pf) pf->limit[PF_LIMIT_STATES] = PFSTATE_HIWAT; pf->limit[PF_LIMIT_FRAGS] = PFFRAG_FRENT_HIWAT; pf->limit[PF_LIMIT_SRC_NODES] = PFSNODE_HIWAT; - pf->limit[PF_LIMIT_TABLES] = PFR_KTABLE_HIWAT; pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT; - mib[0] = CTL_HW; -#ifdef __FreeBSD__ - mib[1] = HW_PHYSMEM; -#else - mib[1] = HW_PHYSMEM64; -#endif - size = sizeof(mem); - if (sysctl(mib, 2, &mem, &size, NULL, 0) == -1) - err(1, "sysctl"); - if (mem <= 100*1024*1024) - pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT_SMALL; - pf->debug = PF_DEBUG_URGENT; } 
diff --git a/contrib/pf/pfctl/pfctl_parser.c b/contrib/pf/pfctl/pfctl_parser.c
index d45b9b7..f248995 100644
--- a/contrib/pf/pfctl/pfctl_parser.c
+++ b/contrib/pf/pfctl/pfctl_parser.c
@@ -955,12 +955,6 @@ print_rule(struct pf_rule *r, const char *anchor_call, int verbose, int numeric)
 printf("sloppy");
 opts = 0;
 }
-if (r->rule_flag & PFRULE_PFLOW) {
-if (!opts)
-printf(", ");
-printf("pflow");
-opts = 0;
-}
 for (i = 0; i < PFTM_MAX; ++i)
 if (r->timeout[i]) {
 int j;
diff --git a/contrib/pf/pfctl/pfctl_table.c b/contrib/pf/pfctl/pfctl_table.c
index 257c014..f3a1efd 100644
--- a/contrib/pf/pfctl/pfctl_table.c
+++ b/contrib/pf/pfctl/pfctl_table.c
@@ -621,8 +621,7 @@ print_iface(struct pfi_kif *p, int opts)
 if (!(opts & PF_OPT_VERBOSE2))
 return;
 printf("\tCleared: %s", ctime(&tzero));
-printf("\tReferences: [ States: %-18d Rules: %-18d ]\n",
-p->pfik_states, p->pfik_rules);
+printf("\tReferences: %-18d\n", p->pfik_rulerefs);
 for (i = 0; i < 8; i++) {
 af = (i>>2) & 1;
 dir = (i>>1) &1;
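Review bot: The new format string in print_iface, `"\tReferences: %-18d\n"`, left-justifies the count to 18 columns with nothing following it, so every line now ends in a run of trailing spaces; the `-18` width only made sense in the bracketed two-column layout that the removed lines used. `printf("\tReferences: %d\n", p->pfik_rulerefs);` prints the same value without the padding. The label has also become ambiguous now that only one counter is shown; the field name suggests it is rule references only, so a comment such as `/* rule references; per-state counts are no longer kept per interface */` on that line would tell the next reader why the states column disappeared. print_iface begins before this hunk, and pfik_rulerefs's type is not visible here, so `%d` assumes it is still an int as the old fields were.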