path: root/contrib/pf
Commit message [Author, Age, Files, Lines]
* MFC r293015: [dim, 2016-01-03, files: 1, lines: -1/+1]
| Merge r293013 from clang380-import branch:
| Fix a clang 3.8.0 warning in pflogd.c:
| contrib/pf/pflogd/pflogd.c:769:8: error: logical not is only applied to the left hand side of this comparison [-Werror,-Wlogical-not-parentheses]
|         if (!if_exists(interface) == -1) {
|             ^                     ~~
| The if_exists() function does not return -1, and even if it did, it would not be the correct way to check. Just ditch the == -1 instead.
| Obtained from: OpenBSD's pflogd.c 1.49
* MFC r284914: [wblock, 2015-07-05, files: 1, lines: -0/+2]
| Fix a couple of missing lines that obscured the -p description.
| Approved by: re
* MFC r261271: [pluknet, 2014-10-29, files: 1, lines: -2/+7]
| Resurrect the local change documenting authpf's requirement for a mounted fdescfs(5).
| PR: docs/186250
* MFC r263289: Update NetBSD Foundation copyrights to 2-clause BSD [emaste, 2014-03-24, files: 1, lines: -7/+0]
| The NetBSD Foundation states "Third parties are encouraged to change the license on any files which have a 4-clause license contributed to the NetBSD Foundation to a 2-clause license."
| This change removes clauses 3 and 4 from copyright / license blocks that list The NetBSD Foundation as the only copyright holder.
| Sponsored by: The FreeBSD Foundation
* o Create directory sys/netpfil, where all packet filters should [glebius, 2012-09-14, files: 18, lines: -22161/+0]
| reside, and move there ipfw(4) and pf(4).
| o Move most modified parts of pf out of contrib.
| Actual movements:
| sys/contrib/pf/net/*.c -> sys/netpfil/pf/
| sys/contrib/pf/net/*.h -> sys/net/
| contrib/pf/pfctl/*.c -> sbin/pfctl
| contrib/pf/pfctl/*.h -> sbin/pfctl
| contrib/pf/pfctl/pfctl.8 -> sbin/pfctl
| contrib/pf/pfctl/*.4 -> share/man/man4
| contrib/pf/pfctl/*.5 -> share/man/man5
| sys/netinet/ipfw -> sys/netpfil/ipfw
| The arguable movement is pf/net/*.h -> sys/net. There are future plans to refactor pf includes, so I decided not to break things twice.
| Not modified bits of pf left in contrib: authpf, ftp-proxy, tftp-proxy, pflogd.
| The ipfw(4) movement is planned to be merged to stable/9, to make head and stable match.
| Discussed with: bz, luigi
* Merge the projects/pf/head branch, that was worked on for last six months, [glebius, 2012-09-08, files: 7, lines: -110/+28]
| into head. The most significant achievements in the new code:
| o Fine grained locking, thus much better performance.
| o Fixes to many problems in pf, that were specific to FreeBSD port.
| New code doesn't have that many ifdefs and much less OpenBSDisms, thus is more attractive to our developers.
| Those interested in details, can browse through SVN log of the projects/pf/head branch. And for reference, here is exact list of revisions merged:
| r232043, r232044, r232062, r232148, r232149, r232150, r232298, r232330, r232332, r232340, r232386, r232390, r232391, r232605, r232655, r232656, r232661, r232662, r232663, r232664, r232673, r232691, r233309, r233782, r233829, r233830, r233834, r233835, r233836, r233865, r233866, r233868, r233873, r234056, r234096, r234100, r234108, r234175, r234187, r234223, r234271, r234272, r234282, r234307, r234309, r234382, r234384, r234456, r234486, r234606, r234640, r234641, r234642, r234644, r234651, r235505, r235506, r235535, r235605, r235606, r235826, r235991, r235993, r236168, r236173, r236179, r236180, r236181, r236186, r236223, r236227, r236230, r236252, r236254, r236298, r236299, r236300, r236301, r236397, r236398, r236399, r236499, r236512, r236513, r236525, r236526, r236545, r236548, r236553, r236554, r236556, r236557, r236561, r236570, r236630, r236672, r236673, r236679, r236706, r236710, r236718, r237154, r237155, r237169, r237314, r237363, r237364, r237368, r237369, r237376, r237440, r237442, r237751, r237783, r237784, r237785, r237788, r237791, r238421, r238522, r238523, r238524, r238525, r239173, r239186, r239644, r239652, r239661, r239773, r240125, r240130, r240131, r240136, r240186, r240196, r240212.
| I'd like to thank people who participated in early testing:
| Tested by: Florian Smeets <flo freebsd.org>
| Tested by: Chekaluk Vitaly <artemrts ukr.net>
| Tested by: Ben Wilber <ben desync.com>
| Tested by: Ian FREISLICH <ianf cloudseed.co.za>
* Merge multi-FIB IPv6 support from projects/multi-fibv6/head/: [bz, 2012-02-17, files: 1, lines: -4/+28]
| Extend the so far IPv4-only support for multiple routing tables (FIBs) introduced in r178888 to IPv6 providing feature parity.
| This includes an extended rtalloc(9) KPI for IPv6, the necessary adjustments to the network stack, and user land support as in netstat.
| Sponsored by: Cisco Systems, Inc.
| Reviewed by: melifaro (basically)
| MFC after: 10 days
* Replace an OpenBSDism with a FreeBSDism in the pfctl(8) man page: we put [rwatson, 2012-01-05, files: 1, lines: -1/+1]
| configuration file man pages in section 5, and we prefer rc.conf to rc.conf.local.
| MFC after: 3 days
* Restore a feature that was present in 5.x and 6.x, and was cleared in [glebius, 2011-12-20, files: 1, lines: -0/+17]
| 7.x, 8.x and 9.x with pf(4) imports: pfsync(4) should suppress CARP preemption, while it is running its bulk update.
| However, reimplement the feature in more elegant manner, that is partially inspired by newer OpenBSD:
| - Rename term "suppression" to "demotion", to match with OpenBSD.
| - Keep a global demotion factor, that can be raised by several conditions, for now these are:
|   - interface goes down
|   - carp(4) has problems with ip_output() or ip6_output()
|   - pfsync performs bulk update
| - Unlike in OpenBSD the demotion factor isn't a counter, but is actual value added to advskew. The adjustment values for particular error conditions are also configurable, and their defaults are maximum advskew value, so a single failure bumps demotion to maximum. This is for POLA compatibility, and should satisfy most users.
| - Demotion factor is a writable sysctl, so user can do foot shooting, if he desires to.
* - Fix examples to show new CARP style. [glebius, 2011-12-20, files: 1, lines: -12/+11]
| - Remove OpenBSDisms, add FreeBSDisms.
* Correct the description of struct pfioc_state_kill. [bz, 2011-07-17, files: 1, lines: -2/+5]
| PR: kern/158997
| Submitted by: ohauer
* Note the PF version. [obrien, 2011-07-07, files: 1, lines: -2/+7]
| Discussed with: bz
* Update packet filter (pf) code to OpenBSD 4.5. [bz, 2011-06-28, files: 29, lines: -1298/+2189]
| You need to update userland (world and ports) tools to be in sync with the kernel.
| Submitted by: mlaier
| Submitted by: eri
* Add a new option -P to suppress getservbyport(3) calls when printing rules. [bz, 2011-06-13, files: 5, lines: -19/+34]
| This allows one to force consistent printing of numeric port numbers like we do with -n for other tools like netstat (just that -n was already taken) rather than the service names.
| -P is currently unused in OpenBSD so the change is eligible for upstreaming.
| PR: misc/151015
| Submitted by: Matt Koivisto (mkoivisto sandvine.com)
| Sponsored by: Sandvine Incorporated
| MFC after: 1 week
* Enable closefrom(2) here, as we have supported it for some time now. [csjp, 2010-08-05, files: 1, lines: -4/+0]
| Discussed with: mlaier
| MFC after: 2 weeks
* Adapt OpenBSD pf's "sloppy" TCP state machine which is useful for Direct [delphij, 2009-12-24, files: 4, lines: -4/+45]
| Server Return mode, where not all packets would be visible to the load balancer or gateway.
| This commit should be reverted when we merge future pf versions. The benefit it would provide is that this version does not break any existing public interface and thus won't be a problem if we want to MFC it to earlier FreeBSD releases.
| Discussed with: mlaier
| Obtained from: OpenBSD
| Sponsored by: iXsystems, Inc.
| MFC after: 1 month
* Max's changes got left out of the MRT commit. [julian, 2008-05-09, files: 1, lines: -15/+6]
|
* Make ALTQ cope with disappearing interfaces (particularly common with mpd [mlaier, 2008-03-29, files: 2, lines: -0/+38]
| and netgraph in general). This also allows to add queues for an interface that is not yet existing (you have to provide the bandwidth for the interface, however).
| PR: kern/106400, kern/117827
| MFC after: 2 weeks
* MFOpenBSD rev 1.393 pf.conf.5 [remko, 2008-02-11, files: 1, lines: -3/+3]
| do not describe `/' as solidus; from Allen (freebsd pr120484);
| PR: 120484
| Submitted by: Allen <alandsidel at 1001islington dot com>
| MFC After: 3 days
* Update for libpcap 0.9.8 [mlaier, 2007-10-16, files: 1, lines: -0/+3]
|
* Lost these during the import. Hand me the pointy hat. [mlaier, 2007-07-03, files: 2, lines: -0/+125]
| Approved by: re (implicit)
* Commit resolved import of OpenBSD 4.1 pf userland from perforce. [mlaier, 2007-07-03, files: 28, lines: -3423/+3641]
| Approved by: re (kensmith)
* This commit was generated by cvs2svn to compensate for changes in r171169, [mlaier, 2007-07-03, files: 21, lines: -7/+5188]
|\
| | which included commits to RCS files with non-trunk default branches.
| * Import pf userland from OpenBSD 4.1 and (for ftp-proxy) libevent 1.3b as [mlaier, 2007-07-03, files: 43, lines: -2655/+8750]
| | a local lib.
* | Revert my previous change, add an MLINK from securelevel.7 to security.7 [remko, 2007-06-01, files: 1, lines: -2/+2]
| | Discussed with: brueffer
* | Change securelevel(7) to security(7). Yes I am aware [remko, 2007-06-01, files: 1, lines: -2/+2]
| | that this is within the contrib directory.
| | PR: docs/104402
| | Submitted by: Dr. Markus Waldeck <waldeck at gmx dot de>
| | Discussed with: mlaier
* | From OpenBSD, rev. 1.379 [dhartmei, 2007-05-21, files: 1, lines: -2/+3]
| | Document how 'allow-opts' applies to routing headers in IPv6.
| | MFC after: 1 week
| | Discussed with: mlaier
* | From OpenBSD, rev. 1.91: [mlaier, 2006-11-30, files: 1, lines: -2/+3]
| | fix servicecurve check; no point in checking the same sc three times, it was obviously intended to check all three. has been wrong since the beginning, 4 years... noticed by Earl Lapus <earl.lapus@gmail.com>, Vasil Dimov <vd@FreeBSD.org> mailed me then, ok mcbride
| | MFC after: 3 days
* | Mention that we do not support route labels in the BUGS section. [mlaier, 2006-10-30, files: 1, lines: -1/+7]
| | PR: docs/93590
| | Reported by: Niki Denev
* | - Note that the synchronisation interface needs to be up and have [glebius, 2006-06-06, files: 1, lines: -2/+5]
| |   an IP address assigned.
| | - Add "quick" keyword to pf.conf example.
| | PR: docs/85209
* | Document authpf's requirement for a mounted fdescfs(5). [mlaier, 2006-03-28, files: 1, lines: -2/+8]
| | PR: docs/89635
| | MFC after: 1 day
* | Constify errstr as it is in OpenBSD to unbreak the build. [mlaier, 2006-03-15, files: 1, lines: -1/+1]
| | Pointed out by: Suken Woo, Martin Wilke, Wesley Morgan
* | Use strtonum now that we have it in libc as well. [mlaier, 2006-03-15, files: 1, lines: -15/+0]
| |
* | Fix build after timeval.tv_sec changed from long to time_t. [mlaier, 2005-12-25, files: 1, lines: -0/+8]
| |
* | Add an rc.d script to start pfsync at the right moment of the [yar, 2005-10-02, files: 1, lines: -2/+21]
| | system boot, and hook it up in the system.
| | The separate script is needed because in the presence of various interface lists in rc.conf ($network_interfaces, $cloned_interfaces, $sppp_interfaces, $gif_interfaces, more to come) it is hard to start them orderly, so that pfsync is brought up after its syncdev, which is required for the proper startup of pfsync.
| | Discussed with: mlaier on -pf
| | MFC after: 5 days
* | Redirect bridge(4) to if_bridge(4). These should have pointed to if_bridge [mlaier, 2005-09-28, files: 2, lines: -3/+3]
| | from the beginning.
| | Reminded by: ru
* | FreeBSD now supports BIOCLOCK. So we can use it now. [csjp, 2005-08-23, files: 1, lines: -4/+0]
| | Reviewed by: mlaier
* | More tcpdump 8->1 cleanup. [brueffer, 2005-08-06, files: 3, lines: -12/+17]
| | Approved by: mlaier
| | MFC after: 3 days
* | - Remove MLINKS to nonexistent manpages [brueffer, 2005-07-14, files: 3, lines: -6/+8]
| | - Change some section numbers to match reality
| | - For MLINKS to manpages from ports, mention which port installs them
| | MFC after: 3 days
* | Resolve conflicts created during the import of pf 3.7. Some features are [mlaier, 2005-05-03, files: 18, lines: -1390/+2370]
| | missing and will be implemented in a second step. This is functional as is.
| | Tested by: freebsd-pf, pfsense.org
| | Obtained from: OpenBSD
* | This commit was generated by cvs2svn to compensate for changes in r145837, [mlaier, 2005-05-03, files: 12, lines: -181/+1839]
|\ \
| |/
| | which included commits to RCS files with non-trunk default branches.
| * Import pf userland from OpenBSD 3.7 (OPENBSD_3_7 as of today) [mlaier, 2005-05-03, files: 29, lines: -1565/+4187]
| |
| * Import pfctl_table.c#1.61 from OpenBSD into vendor branch. [mlaier, 2004-08-22, files: 1, lines: -1/+8]
| |
* | - remove OpenBSDisms, add FreeBSDisms [glebius, 2005-02-23, files: 1, lines: -54/+46]
| | - comment out feature, we do not have yet: tcpdumping on pfsync, add a BUGS section
| | - reference carp.4
| | - dereference bpf(4), tcpdump(7), hostname.if(5)
| | - sort references
| | - tell when pfsync appeared in FreeBSD
| | Reviewed by: mlaier
| | MFC after: 1 week
* | Fix sloppy use of "manpage", bump .Dd where applicable and rename RED to [mlaier, 2005-02-07, files: 2, lines: -4/+4]
| | Random Early Detection (not ... Drop) in order to be consistent with other documentation on ALTQ
| | Pointed out by: simon, ru, Brad Davis
* | Be more verbose about altq SYNOPSIS and add more linkage in the relating pf [mlaier, 2005-02-07, files: 2, lines: -0/+10]
| | documents.
| | Inspired by: scottl
| | Reviewed by: Brad Davis <so14kNOso14kSPAMcom>
| | MFC after: 3 days
* | Fix a reference from pool(9) -> zone(9), but keep on talking about "memory [mlaier, 2004-11-14, files: 1, lines: -1/+1]
| | pools" as that is what UMA provides.
| | Submitted by: Jay <jay NO meangrape SPAM com>
* | Rename the QUEUEING section to QUEUEING/ALTQ to make it easier to find the [mlaier, 2004-10-07, files: 1, lines: -2/+2]
| | appropriate section when redirected from ALTQ(4).
| | MFC after: 2 days
* | Make pflogd cope with module unload (and the sudden disappearing of pflog0). [mlaier, 2004-10-05, files: 1, lines: -1/+9]
| | Instead of eating all the available CPU we now shutdown gracefully.
| | Submitted by: yongari
| | MFC after: 3 days
* | Document a problem with user/group filtering. With debug.mpsafenet=1 this [mlaier, 2004-10-03, files: 1, lines: -1/+32]
| | might result in a deadlock. The fix involves critical changes in the PF locking strategy (which will happen after 5.3R). For now advise users to set debug.mpsafenet=0 if they use this kind of filtering. The same problem exists for IPFW.
| | mdoc help from: simon
| | MFC after: 2 days