| Commit message (Collapse) | Author | Age | Files | Lines |
|
configuration file man pages in section 5, and we prefer rc.conf to
rc.conf.local.
MFC after: 3 days
|
7.x, 8.x and 9.x with pf(4) imports: pfsync(4) should suppress CARP
preemption, while it is running its bulk update.
However, reimplement the feature in more elegant manner, that is
partially inspired by newer OpenBSD:
- Rename term "suppression" to "demotion", to match with OpenBSD.
- Keep a global demotion factor, that can be raised by several
conditions, for now these are:
- interface goes down
- carp(4) has problems with ip_output() or ip6_output()
- pfsync performs bulk update
- Unlike in OpenBSD the demotion factor isn't a counter, but
is actual value added to advskew. The adjustment values for
particular error conditions are also configurable, and their
defaults are maximum advskew value, so a single failure bumps
demotion to maximum. This is for POLA compatibility, and should
satisfy most users.
- Demotion factor is a writable sysctl, so user can do
foot shooting, if he desires to.
|
- Remove OpenBSDisms, add FreeBSDisms.
|
PR: kern/158997
Submitted by: ohauer
|
Discussed with: bz
|
You need to update userland (world and ports) tools
to be in sync with the kernel.
Submitted by: mlaier
Submitted by: eri
|
This allows one to force consistent printing of numeric port numbers like
we do with -n for other tools like netstat (just that -n was already taken)
rather than the service names.
-P is currently unused in OpenBSD so the change is eligible for upstreaming.
PR: misc/151015
Submitted by: Matt Koivisto (mkoivisto sandvine.com)
Sponsored by: Sandvine Incorporated
MFC after: 1 week
|
Discussed with: mlaier
MFC after: 2 weeks
|
Server Return mode, where not all packets would be visible to the load
balancer or gateway.
This commit should be reverted when we merge future pf versions. The
benefit it would provide is that this version does not break any existing
public interface and thus won't be a problem if we want to MFC it to
earlier FreeBSD releases.
Discussed with: mlaier
Obtained from: OpenBSD
Sponsored by: iXsystems, Inc.
MFC after: 1 month
|
and netgraph in general). This also allows to add queues for an interface
that is not yet existing (you have to provide the bandwidth for the
interface, however).
PR: kern/106400, kern/117827
MFC after: 2 weeks
|
do not describe `/' as solidus; from Allen (freebsd pr120484);
PR: 120484
Submitted by: Allen <alandsidel at 1001islington dot com>
MFC After: 3 days
|
Approved by: re (implicit)
|
Approved by: re (kensmith)
|
which included commits to RCS files with non-trunk default branches.
|
a local lib.
|
Discussed with: brueffer
|
that this is within the contrib directory.
PR: docs/104402
Submitted by: Dr. Markus Waldeck <waldeck at gmx dot de>
Discussed with: mlaier
|
Document how 'allow-opts' applies to routing headers in IPv6.
MFC after: 1 week
Discussed with: mlaier
|
fix servicecurve check; no point in checking the same sc three times, it
was obviously intended to check all three. has been wrong since the
beginning, 4 years... noticed by Earl Lapus <earl.lapus@gmail.com>, Vasil
Dimov <vd@FreeBSD.org> mailed me then, ok mcbride
MFC after: 3 days
|
PR: docs/93590
Reported by: Niki Denev
|
an IP address assigned.
- Add "quick" keyword to pf.conf example.
PR: docs/85209
|
PR: docs/89635
MFC after: 1 day
|
Pointed out by: Suken Woo, Martin Wilke, Wesley Morgan
|
system boot, and hook it up in the system.
The separate script is needed because in the presence of various
interface lists in rc.conf ($network_interfaces, $cloned_interfaces,
$sppp_interfaces, $gif_interfaces, more to come) it is hard to start
them orderly, so that pfsync is brought up after its syncdev, which
is required for the proper startup of pfsync.
Discussed with: mlaier on -pf
MFC after: 5 days
|
from the beginning.
Reminded by: ru
|
Reviewed by: mlaier
|
Approved by: mlaier
MFC after: 3 days
|
- Change some section numbers to match reality
- For MLINKS to manpages from ports, mention which port installs them
MFC after: 3 days
|
missing and will be implemented in a second step. This is functional as is.
Tested by: freebsd-pf, pfsense.org
Obtained from: OpenBSD
|
which included commits to RCS files with non-trunk default branches.
|
- comment out feature, we do not have yet: tcpdumping on pfsync,
add a BUGS section
- reference carp.4
- dereference bpf(4), tcpdump(7), hostname.if(5)
- sort references
- tell when pfsync appeared in FreeBSD
Reviewed by: mlaier
MFC after: 1 week
|
Random Early Detection (not ... Drop) in order to be consistent with other
documentation on ALTQ
Pointed out by: simon, ru, Brad Davis
|
documents.
Inspired by: scottl
Reviewed by: Brad Davis <so14kNOso14kSPAMcom>
MFC after: 3 days
|
pools" as that is what UMA provides.
Submitted by: Jay <jay NO meangrape SPAM com>
|
appropriate section when redirected from ALTQ(4).
MFC after: 2 days
|
Instead of eating all the available CPU we now shutdown gracefully.
Submitted by: yongari
MFC after: 3 days
|
might result in a deadlock. The fix involves critical changes in the PF
locking strategy (which will happen after 5.3R). For now advise users to set
debug.mpsafenet=0 if they use this kind of filtering.
The same problem exists for IPFW.
mdoc help from: simon
MFC after: 2 days
|
Submitted by: Anders Hanssen
MFC after: 1 day
|
- Add OpenBSD example rulesets as advertised in etc/pf.conf and pf.conf(5)
- Tweak the pointer to fit the FreeBSD default location share/examples/pf
- Account for the new directory in BSD.usr.dist (no hier(7) change required
as share/examples is an opaque item there).
Obtained from: OpenBSD
Reminded by: Thomas T. Veldhouse
PR: docs/71691
MFC after: 2 days
|
pcap_pkthdr. This makes /var/log/pflog standard compliant on 64bit archs.
OpenBSD has fixed this by changing the bpf timeval to 32bit in the kernel,
so no need to report this over (again).
PR: bin/71096 (w/ changes)
Submitted by: Ville-Pertti Keinonen
Tested by: amd64(submitter), sparc64(yongari), i386(myself)
MFC after: 3 days
|
Fix table add/replace commands with securelevel=2.
Reported by James J. Lippard.
Discussed with: yongari
MFC after: 5 days
|
Found-by: tinderbox(amd64)
|
which included commits to RCS files with non-trunk default branches.
|