| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
MFC after: 2 weeks.
|
| |\
| |
| |
| | |
Sponsored by: The FreeBSD Foundation
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
This is the current behaviour in OpenBSD and a similar patch exist in
pfSense too.
Obtained from: OpenBSD (partly - rev. 1.625)
MFC after: 2 weeks
Sponsored by: Rubicon Communications (Netgate)
|
| |\ \
| |/
| |
| | |
Sponsored by: The FreeBSD Foundation
|
| | |
| |
| |
| |
| |
| |
| |
| | |
These are no longer needed after the recent 'beforebuild: depend' changes
and hooking DIRDEPS_BUILD into a subset of FAST_DEPEND which supports
skipping 'make depend'.
Sponsored by: EMC / Isilon Storage Division
|
| |/
|
|
|
|
|
|
| |
iscsi, natd, nandfs, pf, quotacheck, and routed.
Add ping6 and rtsol to the runtime package.
Sponsored by: The FreeBSD Foundation
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
embedded structures out of a packed, unaligned struct into local copies
on the stack which are aligned.
The original patch to do this was submitted by Guy Yur <guyyur@gmail.com>,
and this is conceptually the same change, but restructured with the
#ifndef __NO_STRICT_ALIGNMENT wrapper, similar to how the same issue is
handled in the kernel pf code.
PR: 185617
PR: 206658
|
| |
|
|
|
|
|
|
|
| |
In pfctl_set_debug() we used 'level' without ever initialising it.
We correctly parsed the option, but them failed to actually assign the parsed
value to 'level' before performing to ioctl() to configure the debug level.
PR: 202996
Submitted by: Andrej Kolontai
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The crop/drop-ovl fragment scrub modes are not very useful and likely to confuse
users into making poor choices.
It's also a fairly large amount of complex code, so just remove the support
altogether.
Users who have 'scrub fragment crop|drop-ovl' in their pf configuration will be
implicitly converted to 'scrub fragment reassemble'.
Reviewed by: gnn, eri
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D3466
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
CoDel is a parameterless queue discipline that handles variable bandwidth
and RTT.
It can be used as the single queue discipline on an interface or as a sub
discipline of existing queue disciplines such as PRIQ, CBQ, HFSC, FAIRQ.
Differential Revision: https://reviews.freebsd.org/D3272
Reviewd by: rpaulo, gnn (previous version)
Obtained from: pfSense
Sponsored by: Rubicon Communications (Netgate)
|
| |
|
|
|
|
| |
PR: 194935
Submitted by: Jim Thompson
MFC after: 2 weeks
|
| |
|
|
|
|
|
|
| |
Differential Revision: https://reviews.freebsd.org/D2847
Reviewed by: glebius, wblock(manpage)
Approved by: gnn(mentor)
Obtained from: pfSense
Sponsored by: Netgate
|
| |\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Off by default, build behaves normally.
WITH_META_MODE we get auto objdir creation, the ability to
start build from anywhere in the tree.
Still need to add real targets under targets/ to build packages.
Differential Revision: D2796
Reviewed by: brooks imp
|
| | | |
|
| | |\
| |/
|/| |
|
| | |\ |
|
| | | | |
|
| | | | |
|
| | |\ \ |
|
| | |\ \ \ |
|
| | | | | | |
|
| | | | | | |
|
| | | | | | | |
| | | \ \ \ | |
| | |\ \ \ \ \ |
|
| | | |/ / / /
| |/| | | |
| | | | | |
| | | | | | |
Requested by: Simon Gerraty <sjg@juniper.net>
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
discontinued by its initial authors. In FreeBSD the code was already
slightly edited during the pf(4) SMP project. It is about to be edited
more in the projects/ifnet. Moving out of contrib also allows to remove
several hacks to the make glue.
Reviewed by: net@
|
| | |_|_|_|/
|/| | | |
| | | | |
| | | | | |
Reduce overlinking
|
| | |_|_|/
|/| | | |
|
| | |_|/
|/| |
| | |
| | | |
from the latter.
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
structure pf_rule, that are used when the structure is passed via
ioctl().
PR: 187074
|
| | | | |
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
race prone. Some just gather statistics, but some are later used in
different calculations.
A real problem was the race provoked underflow of the states_cur counter
on a rule. Once it goes below zero, it wraps to UINT32_MAX. Later this
value is used in pf_state_expires() and any state created by this rule
is immediately expired.
Thus, make fields states_cur, states_tot and src_nodes of struct
pf_rule be counter(9)s.
Thanks to Dennis for providing me shell access to problematic box and
his help with reproducing, debugging and investigating the problem.
Thanks to: Dennis Yusupoff <dyr smartspb.net>
Also reported by: dumbbell, pgj, Rambler
Sponsored by: Nginx, Inc.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
INET6 socket when needed to allow pfctl to work on noinet and noinet6
kernels (and try to provide a fallback using AF_LINK as best effort).
Adjust the Makefile to also respect relevant src.conf(5) options
for compile time decisions on INET and INET6 support.
Reviewed by: glebius (no objections)
MFC after: 1 week
|
| | | | |
|
| | | | |
|
| | |/
|/|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Original log:
pfctl -ss printed state levels for ICMPv6. Disable this the same
way it has already been done for ICMPv4.
Difference with OpenBSD:
- WITHOUT_INET6 safe
Obtained from: OpenBSD
|
| | |
| |
| |
| | |
- Use correct format when printing uint64_t.
|
| | | |
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
reside, and move there ipfw(4) and pf(4).
o Move most modified parts of pf out of contrib.
Actual movements:
sys/contrib/pf/net/*.c -> sys/netpfil/pf/
sys/contrib/pf/net/*.h -> sys/net/
contrib/pf/pfctl/*.c -> sbin/pfctl
contrib/pf/pfctl/*.h -> sbin/pfctl
contrib/pf/pfctl/pfctl.8 -> sbin/pfctl
contrib/pf/pfctl/*.4 -> share/man/man4
contrib/pf/pfctl/*.5 -> share/man/man5
sys/netinet/ipfw -> sys/netpfil/ipfw
The arguable movement is pf/net/*.h -> sys/net. There are
future plans to refactor pf includes, so I decided not to
break things twice.
Not modified bits of pf left in contrib: authpf, ftp-proxy,
tftp-proxy, pflogd.
The ipfw(4) movement is planned to be merged to stable/9,
to make head and stable match.
Discussed with: bz, luigi
|
| |
|
|
| |
Submitted by: Ulrich Spörlein
|
| |
|
|
|
|
|
|
| |
- move ftp-proxy from libexec to usr.sbin
- add tftp-proxy
- new altq mtag link
Approved by: re (kensmith)
|
| | |
|
| | |
|
| |
|
|
|
|
| |
building on a box with older pfvar.h installed). Didn't intend to commit it.
Requested by: ru (on a C&P to ipfw's Makefile)
|
| | |
|
| | |
|
| |
|
|
|
|
| |
per letter dated July 22, 1999.
Approved by: core, imp
|
|
|
libexec/ftp-proxy - ftp proxy for pf
sbin/pfctl - equivalent to sbin/ipf
sbin/pflogd - deamon logging packets via if_pflog in pcap format
usr.sbin/authpf - authentification shell to modify pf rulesets
Bring along some altq headers used to satisfy pfctl/authpf compile. This
helps to keep the diff down and will make it easy to have a altq-patchset
use the full powers of pf.
Also make sure that the pf headers are installed.
This does not link anything to the build. There will be a NO_PF switch for
make.conf once pf userland is linked.
Approved by: bms(mentor)
|
