History log of /openbsd-current/sbin/pfctl/parse.y
# 1.715 02-Nov-2023 sthen

Use pfctl_fopen (which checks to ensure the given file isn't a directory)
for pfctl -f /path/to/pf.conf. Otherwise, if you accidentally use a dir
instead of a file (e.g. if you have an /etc/pf directory and don't notice
the name when tab-completing), you successfully install an empty ruleset.
ok sashan@
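
An added illustration of the check r1.715 describes, written for this log and not taken from pfctl: open_config_regular() is a hypothetical stand-in for pfctl_fopen() that fstat()s the descriptor it actually opened and refuses directories, and rules_in() shows why the loader must treat that refusal as fatal rather than as "no rules". The fixture directory and file under /tmp and the sample rules are constructed for the demo.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Hypothetical stand-in for pfctl_fopen(): open the configuration file,
 * then refuse to hand it back if it is a directory. A plain fopen() on a
 * directory succeeds on most systems and the first read just hits end of
 * file, so a loader that trusts it parses zero rules and installs an empty
 * ruleset, silently failing open.
 */
FILE *
open_config_regular(const char *path)
{
	FILE *fp;
	struct stat st;

	if ((fp = fopen(path, "r")) == NULL)
		return NULL;
	/* fstat() the descriptor we opened, not the path, so the check
	 * cannot be raced by the path changing between stat() and open(). */
	if (fstat(fileno(fp), &st) == -1) {
		int saved = errno;
		fclose(fp);
		errno = saved;
		return NULL;
	}
	if (S_ISDIR(st.st_mode)) {
		fclose(fp);
		errno = EISDIR;
		return NULL;
	}
	return fp;
}

/* Count non-empty, non-comment lines; -1 means "could not open", which a
 * loader must not confuse with an empty ruleset. */
int
rules_in(const char *path)
{
	FILE *fp;
	char line[256];
	int n = 0;

	if ((fp = open_config_regular(path)) == NULL)
		return -1;
	while (fgets(line, sizeof(line), fp) != NULL)
		if (line[0] != '\n' && line[0] != '#')
			n++;
	fclose(fp);
	return n;
}

/* Create a throwaway directory and a file holding a constructed two-rule
 * config, so both outcomes can be compared. Paths are written to the buffers. */
int
make_fixture(char *dirpath, size_t dirlen, char *filepath, size_t filelen)
{
	static const char sample[] =
	    "# constructed sample ruleset\nblock all\npass in proto tcp to port 22\n";
	int fd;

	if (dirlen < 20 || filelen < 20)
		return -1;
	strcpy(dirpath, "/tmp/pfdemoXXXXXX");
	if (mkdtemp(dirpath) == NULL)
		return -1;
	strcpy(filepath, "/tmp/pfdemoXXXXXX");
	if ((fd = mkstemp(filepath)) == -1)
		return -1;
	if (write(fd, sample, sizeof(sample) - 1) != (ssize_t)(sizeof(sample) - 1)) {
		close(fd);
		return -1;
	}
	close(fd);
	return 0;
}

int
main(void)
{
	char d[32], f[32];
	int n;

	if (make_fixture(d, sizeof(d), f, sizeof(f)) == -1)
		return 1;
	printf("%s: %d rules\n", f, rules_in(f));
	n = rules_in(d);
	printf("%s: %s\n", d, n == -1 ? strerror(errno) : "loaded (would be an empty ruleset)");
	unlink(f);
	rmdir(d);
	return 0;
}
```

The security point is the -1: a firewall that loads "nothing" on a bad path is fail-open, so the open error has to stop the load, not produce a ruleset.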


# 1.714 26-Oct-2023 deraadt

whitespace cleanup my fingers couldn't avoid doing while i was re-reading
the parsing code


Revision tags: OPENBSD_7_3_BASE OPENBSD_7_4_BASE
# 1.713 07-Feb-2023 sashan

internal representation of icmp type/code in pfctl(8)/pf(4) does not
fit into u_int8_t. Issue has been noticed and kindly reported by
amalinin _at_ bh0.amt.ru via bugs@.

OK bluhm@


Revision tags: OPENBSD_7_2_BASE
# 1.712 23-Sep-2022 bluhm

Fix detection of duplicate sticky-address in pf.conf parser.
reported to FreeBSD by Franco Fichtner; from Kristof Provost


Revision tags: OPENBSD_7_1_BASE
# 1.711 25-Oct-2021 sashan

- pfctl $nr incorrect macro expansion

Issue reported by Kristof Provost from FreeBSD.
[ https://reviews.freebsd.org/D32488 ]

In order to fix the issue we must delay '$nr' macro
expansion after optimizer collapses ruleset.

OK kn@


# 1.710 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.709 01-Feb-2021 dlg

change route-to so it sends packets to IPs instead of interfaces.

this is a significant (and breaking) reworking of the policy based
routing that pf can do. the intention is to make it as easy as
nat/rdr to use, and more robust when it's operating.

the main reasons for this change are:

- route-to, reply-to, and dup-to do not work with pfsync

this is because the information about where to route-to is stored in
rules, and it is hard to have a ruleset synced between firewalls,
and impossible to have them synced 100% of the time.

- i can make my boxes panic in certain situations using route-to

yeah...

- the configuration and syntax for route-to rules are confusing.

the argument to route-to and co is an interface name with an optional
ip address. there are several problems with this. one is that people
tend to think about routing as sending packets to peers by their
address, not by the interface they're reachable on. another is that
we currently have no way to synchronise interface topology information
between firewalls, so using an interface to say where packets go
means we can't do failover of these states with pfsync. another
is that a change in routing topology means a host may become
reachable over a different interface. tying routing policy to
interfaces gets in the way of failover and load balancing.

this change does the following:

- stores the route info in the state instead of the pf rule

this allows route-to to keep working when the ruleset changes, and
allows route-to info to be sent over pfsync. there's enough spare bits
in pfsync messages that the protocol doesn't break.

the caveat is that route-to becomes tied to pass rules that create
state, like rdr-to and nat-to.

- the argument to route-to etc is a destination ip address

it's not limited to a next-hop address (though a next-hop can be a
destination address). this allows for the failover and load balancing
referred to above.

- deprecates the address@interface host syntax in pfctl

because routing is done entirely by IPs, the interface is derived from
the route lookup, not pf. any attempt to use the @interface syntax
will fail now in all contexts.

there's enthusiasm from proctor@ jmatthew@ and others
ok sashan@ bluhm@


# 1.708 12-Jan-2021 bluhm

Sometimes a user ID was logged in pflog(4) although the logopt of
the rule did not specify it. Check the option again for the log
rule in case another rule has triggered a socket lookup. Remove
logopt group, it is not documented and cannot work as struct pfloghdr
does not contain a gid. Rename PF_LOG_SOCKET_LOOKUP to PF_LOG_USER
to express what it does. The lookup involved is only an implementation
detail.
OK kn@ sashan@ mvs@


# 1.707 16-Dec-2020 kn

Fail to parse rules with invalid ranges

This makes pfctl(8) detect bogus ranges (with and without `-n') before
loading the ruleset and completes the previous commit.

OK sashan sthen


# 1.706 16-Dec-2020 kn

Reject rules with invalid port ranges

Ranges where the left boundary is bigger than the right one are always bogus
as they work like `port any' (`port 34<>12' means "all ports") or in a way
that inverts the rule's action (`pass ... port 34:12' means "pass no port at
all").

Add checks for all ranges and invalidate those that yield no or all ports.

For this to work on redirections, make pfctl(8) pass the range's type,
otherwise boundary including ranges are not detected as such; that is to
say, `struct pf_pool's `port_op' member was unused in the kernel so far.

`rdr-to' rules with invalid ranges could panic the kernel when hit.
Reported-by: syzbot+9c309db201f06e39a8ba@syzkaller.appspotmail.com

OK sashan
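
A worked version of the range check r1.706 describes, added here as example code rather than pfctl's own: the operator names, the brute-force classification and parse_port_range() are this example's, and the parser accepts only the three range forms (a:b, a><b, a<>b). Instead of reasoning about boundaries, check_range() counts how many of the 65536 ports a range matches and flags the two degenerate cases the commit rejects, empty (`34:12`, `5><6`) and everything (`34<>12`).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Range operators as written in pf.conf; these names are the example's own,
 * not pfctl's internal PF_OP_* constants. */
enum range_op {
	OP_INCL,	/* a:b   ports a through b, inclusive */
	OP_EXCL,	/* a><b  ports strictly between a and b */
	OP_EXCEPT	/* a<>b  every port except a through b */
};

enum range_verdict { RANGE_OK, RANGE_EMPTY, RANGE_ALL };

/* Does a single port fall inside the range as pf.conf(5) defines it? */
static int
port_matches(enum range_op op, unsigned lo, unsigned hi, unsigned p)
{
	switch (op) {
	case OP_INCL:   return p >= lo && p <= hi;
	case OP_EXCL:   return p > lo && p < hi;
	case OP_EXCEPT: return p < lo || p > hi;
	}
	return 0;
}

/*
 * Classify a range by brute force over all 65536 ports, so the verdict is
 * exactly the set semantics and no off-by-one in an analytic check can
 * sneak in. Matching nothing or everything is what r1.706 rejects.
 */
enum range_verdict
check_range(enum range_op op, unsigned lo, unsigned hi)
{
	unsigned p, n = 0;

	for (p = 0; p <= 65535; p++)
		n += port_matches(op, lo, hi, p);
	if (n == 0)
		return RANGE_EMPTY;
	if (n == 65536)
		return RANGE_ALL;
	return RANGE_OK;
}

/* Parse "34:12", "12><34" or "34<>12". Returns 0 on success, -1 on a
 * malformed spec (missing start, non-numeric, port above 65535). */
int
parse_port_range(const char *spec, enum range_op *op, unsigned *lo,
    unsigned *hi)
{
	char *end;
	unsigned long a, b;

	if (spec == NULL || *spec < '0' || *spec > '9')
		return -1;	/* range without a start */
	a = strtoul(spec, &end, 10);
	if (strncmp(end, "><", 2) == 0) { *op = OP_EXCL; end += 2; }
	else if (strncmp(end, "<>", 2) == 0) { *op = OP_EXCEPT; end += 2; }
	else if (*end == ':') { *op = OP_INCL; end += 1; }
	else return -1;
	if (*end < '0' || *end > '9')
		return -1;
	b = strtoul(end, &end, 10);
	if (*end != '\0' || a > 65535 || b > 65535)
		return -1;
	*lo = (unsigned)a;
	*hi = (unsigned)b;
	return 0;
}

/* Verdict for a textual spec as a plain int; -1 if it does not even parse. */
int
check_spec(const char *spec)
{
	enum range_op op;
	unsigned lo, hi;

	if (parse_port_range(spec, &op, &lo, &hi) == -1)
		return -1;
	return (int)check_range(op, lo, hi);
}

int
main(void)
{
	/* constructed specs, including the two from the commit message */
	const char *specs[] = { "34:12", "34<>12", "12:34", "12><34", "0:65535", "5><6", ":12" };
	const char *names[] = { "ok", "empty (matches no port)", "all (matches every port)" };
	size_t i;

	for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++) {
		int v = check_spec(specs[i]);
		printf("%-8s -> %s\n", specs[i], v < 0 ? "syntax error" : names[v]);
	}
	return 0;
}
```

Rejecting at parse time matters because of the second half of the commit: an invalid range that reaches the kernel as a rdr-to rule could panic it, so the cheapest fix is to never load one.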


# 1.705 07-Dec-2020 sashan

synproxy should be processing incoming SYN packets only.
issue noticed by sthen@. fix discussed with bluhm@ and procter@

OK bluhm@, kn@, procter@


# 1.704 01-Oct-2020 kn

rdomain IDs do not need to exist for "on rdomain N" to work

Unlike "... rtable N", pf.conf(5)'s "on rdomain N" does not alter packet
state and will always work no matter if rdomain N currently exists or not,
i.e. the rule "pass on rdomain 42" will simply match (and pass) packets if
rdomain 42 exists, and it will simply not match (neither pass nor block)
packets if 42 does not exist.

There's no need to reload the ruleset whenever routing domains are created
or deleted, which can already be observed now by creating an rdomain,
loading rules referencing it and deleting the same rdomain immediately
afterwards: pf will continue to work as expected.

Relax both pfctl(8)'s parser check as well as pf(4)'s copyin routine to
accept any valid routing domain ID without expecting it to exist at the time
of ruleset creation - this lifts the requirement to create rdomains before
referencing them in pf.conf while keeping pf behaviour unchanged.

Prompted by yasuoka's recent pfctl parse.y r1.702 commit requiring an rtable
to exist upon ruleset creation.

Discussed with claudio and bluhm at k2k20.

Feedback sashan
OK sashan yasuoka claudio


Revision tags: OPENBSD_6_8_BASE
# 1.703 17-Sep-2020 yasuoka

Fix the previous commit whose conditions were reversed.

ok kn


# 1.702 17-Sep-2020 yasuoka

Make pfctl(8) check if the rtable really exists when parsing the
config. work with and diff from kn

ok kn


Revision tags: OPENBSD_6_7_BASE
# 1.701 28-Jan-2020 bket

sbin/pfctl: replace TAILQ concatenation loop with TAILQ_CONCAT

OK kn@, sashan@, florian@


# 1.700 15-Jan-2020 kn

Do the actual pfr_strerror() to pf_strerror() rename

Missed in previous


# 1.699 17-Oct-2019 millert

Use -1 to indicate an invalid uid/gid, not UID_MAX and GID_MAX.
This is the userland portion. OK deraadt@ sashan@


Revision tags: OPENBSD_6_6_BASE
# 1.698 26-Aug-2019 tobhe

Fix file descriptor leak due to popfile() never closing the main config file.

The fix is the same as for other parse.y files in the tree (see bgpd(8) or
unwind(8))

ok bluhm@


# 1.697 05-Jul-2019 patrick

Fix integer sizes in format strings and enable formatting warnings
for yyerror.

From Moritz Buhl
ok bluhm@ claudio@


# 1.696 08-May-2019 sashan

pfctl should check pfctl.astack is not overrun
(bug found and fixed by Petr Hoffmann _at_ oracle.com)

OK kn@


# 1.695 18-Apr-2019 kn

Fix table definition parsing as unprivileged user

revision 1.689 introduced warn_duplicate_tables() unconditionally, breaking
the parser on tables with insufficient permissions to open pf(4):

$ echo 'table <t>' | pfctl -nf-
pfctl: pfr_get_tables: Bad file descriptor

So simply check whether pfctl is able to get the table list first. If not,
instead of silently avoiding namespace collision checks, print a brief
notice iff `-v' is given to help finding duplicate definitions by hand:

$ echo 'table <t>' | ./obj/pfctl -vnf-
table <t>
stdin:1: skipping duplicate table checks for <t>

Reported by Rivo Nurges, thanks!
OK benno sashan


Revision tags: OPENBSD_6_5_BASE
# 1.694 06-Mar-2019 kn

Fix once rules

parse.y revision 1.682 from 16.07.2018 erroneously allowed `match once' and
`anchor "a" once'.

Fix both by checking for PF_DROP not PF_MATCH and creating anchors in the
parser already such that they can be used to distinguish anchor rules in
the same check as well.

Found and fixed by Petr Hoffmann <petr.hoffmann at oracle dot com>, thanks!

While here, remove an unneeded cast and make pfctl_add_rule() void as it
always returned 0.

OK sashan


# 1.693 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.692 10-Feb-2019 kn

Anchor names must not be empty

The parser would allow bogus input and sometimes even produce invalid rules
on empty anchor names, so error out immediately.

OK sashan


# 1.691 10-Feb-2019 kn

Unify anchor name sanity checks

For anchor names, make `load anchor' use the same grammar as `anchor' and
merge unique checks from both places so that anchor names are validated
regardless of the specific rule at hand.

OK sashan


# 1.690 31-Jan-2019 kn

Make divert-packet port accept any port specification

Contrary to other rules accepting a single port, this one only works with
numerical values. Fix it by simply using the proper grammar.

Port ranges are not accepted, but an error message on a range without start
was missing in general, so add it while here.

OK bluhm


# 1.689 11-Jan-2019 kn

When creating tables inside anchors, pfctl warned about namespace
collisions with global tables, but only in certain cases and with
limited information sometimes leaving users clueless.

Deferring the check to process_tabledefs() where tables are eventually
created, both anchor and table name are known which allows for checking
all existing anchors.

With this, warn on all duplicates even in dry-runs (`-n') and print
quoted names so they can be copied to fix configurations right away.

No functional change in parsing or ruleset production.

Discussed with and OK sashan


# 1.688 15-Nov-2018 dlg

scrub opts don't set tos, so remove it from the scrub_opts struct

ok deraadt@


# 1.687 10-Nov-2018 kn

Unbreak `-D macro=value' (r1.686 regression)

Zap trailing semicolon introduced with miko's cmdline_symset() leading to
unconditional err(3). Zap trailing tab while here.


# 1.686 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.685 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.684 16-Sep-2018 millert

Use uid_from_user(3) and gid_from_group(3) in utilities that
do repeated lookups. OK tb@


# 1.683 06-Sep-2018 kn

Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan


# 1.682 16-Jul-2018 kn

reduce duplicate code, fix typo/free correct buffer

In filteropts_to_rule():

* Merge `once' handling from `anchorrule' and `pfrule'
* Remove/shorten duplicate code block
* Fix typo I introduced with r1.678 that frees the wrong buffer (twice)

OK sashan


# 1.681 13-Jul-2018 kn

Fix regression on child queue definitions

I committed the wrong diff in 1.680 which turned `queue cq parent pq ...'
into invalid syntax by changing `interface' to `ON if_item'.

Found by bket, thanks!


# 1.680 11-Jul-2018 kn

Prevent invalid interface specifiers on queue rules

pf.conf(5) states that queues attach to actual interfaces only, yet the
following parses:

# echo queue eq on egress bandwidth 1G default | pfctl -f-
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

# echo queue rq on rdomain 0 bandwidth 1G default | pfctl -vf-
queue rq bandwidth 1G default
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

On rdomains, ifa_exists() returns NULL.
On interface groups, ifa_exists() returns non-NULL but af is never set
to AF_LINK.

OK henning sashan


# 1.679 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.678 10-Jul-2018 henning

'set delay' for the generic packet delay mechanism, ok benno sashan


# 1.677 10-Jul-2018 kn

fix anchor rules with filter opts, introduce filteropts_to_rule()

Some filter options were parsed but not set on anchor rules due to missing
copies of the respective struct members:

$ cat pf.conf
queue rq on trunk0 bandwidth 1G
queue dq parent rq bandwidth 1G default
anchor a set queue dq
$ pfctl -vnf pf.conf | fgrep queue
anchor "a" all

Fix this by moving common code from `anchorrule' and `pfrule' into a new
helper filteropts_to_rule().

Input from henning and benno
OK henning sashan jca


# 1.676 09-Jul-2018 kn

Zap dead code

Commented since r1.465 (2004).

OK deraadt benno jca sashan


# 1.675 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.674 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.673 18-May-2018 benno

A pf rule with a "on rdomain n" with nonexisting rdomain n will cause an

pfctl: DIOCADDRULE: Device busy

error when loading the ruleset, with no information which rule caused
the problem and no indication that the problem is the rdomain
<nonexisting>.

This diff makes pfctl check if the rdomain really exists when parsing
the config.

ok bluhm@


# 1.672 09-May-2018 otto

Fix (include file ) line number counting by keeping track of the unget
buffer per file; also use that buffer to expand macros.
ok sashan@ dennis@ krw@


# 1.671 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.670 08-Feb-2018 henning

make the watermarks/thresholds for entering and leaving syncookie mode when
syncookies are set to adaptive tunable, ok claudio benno


# 1.669 06-Feb-2018 henning

allow control over syncookies: set syncookies never/always/adaptive


# 1.668 28-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@


# 1.667 27-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Convert the pfctl(8) rule parser to divert types, kernel cleanup
will be the next step.
OK sashan@


# 1.666 25-Nov-2017 sashan

- pfctl fails to handle nested 'load anchor' properly
[ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]

OK bluhm@


# 1.665 14-Nov-2017 sashan

- nested anchors vs. pfctl/parse.y
bug reported and fix tested by Leonardo Guardati

OK bluhm@


# 1.664 13-Nov-2017 henning

add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb


Revision tags: OPENBSD_6_2_BASE
# 1.663 11-Aug-2017 benno

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@


# 1.662 19-Jul-2017 mikeb

Allow HFSC classes to use flow queues

The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue. Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.

Discussed with and OK henning@ at d2k17 as a part of a larger diff.


# 1.661 19-Jul-2017 mikeb

Rework HFSC vs FQ-CoDel checks

The selection mechanism introduced in pf_ioctl.c -r1.316 suffers
from being too ambiguous and lacks robustness. Instead of relying
on composition of multiple flags in the queue specification, it's
easier to identify the root class (if it exists) and derive all
further checks from it.


# 1.660 28-May-2017 akfaew

Don't check np->port for NULL - it's an array, it's never NULL.

OK bluhm@


# 1.659 15-May-2017 mikeb

Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)

OK sthen, visa


# 1.658 28-Apr-2017 mikeb

Remove double assignments


Revision tags: OPENBSD_6_1_BASE
# 1.657 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.656 23-Nov-2016 bluhm

Explicitly forbid to combine af-to with route-to in pfctl. The
parser cannot handle that correctly and it is unclear whether the
kernel code would work. Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@


# 1.655 26-Aug-2016 guenther

Add <time.h> for time(); sort <*.h> includes

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.654 18-Jul-2016 henning

g/c unused (global!) var: oqueues isn't used any more. ALTQ leftover; not
noticed since struct node_queue stayed. ok claudio benno gcc


# 1.653 22-Jun-2016 kettenis

Add curly braces that were missed in rev 1.651. Add parenthesis to make the
condition in the if statement more readable while I'm there.

ok phessler@, benno@, florian@


# 1.652 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.651 21-Jun-2016 benno

the manpage documents that af-to does not work on pass out rules, but
the pf.conf parser allows it, which leads to a non-working configuration
being loaded.
this changes the parser to make pass out .. af-to an error.

ok henning@ mikeb@


# 1.650 16-Jun-2016 henning

allow include in inline anchors
with this,
anchor foo {
include "/path/to/rules"
}
works and "load anchor" is obsolete, to be removed somewhen later after
release.
co-production with reyk at bsdcan, ok reyk mikeb benno sasha


Revision tags: OPENBSD_5_9_BASE
# 1.649 01-Sep-2015 sashan

- route-to, dup-to, reply-to should not override the block action

Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>

ok jung@, ok mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.648 21-Apr-2015 mikeb

Improve divert-to specification parsing w.r.t. rule address family.
ok henning


Revision tags: OPENBSD_5_7_BASE
# 1.647 26-Feb-2015 sthen

%% not % in error message; ok millert@ henning@


# 1.646 14-Feb-2015 sthen

Rather than using 0xff as a placeholder for "don't check prio", use 0xff to
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.

Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesn't like it he can change it when he recovers from jet-lag"


# 1.645 10-Feb-2015 henning

since we inherit prio (as in, the queuing priority) from outside sources,
i. e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan


# 1.644 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.643 19-Dec-2014 reyk

Support source-hash and random with tables and dynifs; not just pools.
This finally allows to use source-hash for dynamic loadbalancing, eg.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.

An older pre-siphash version of this diff was tested by many people.

OK tedu@ benno@


# 1.642 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@
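
Example code added here, not from parse.y, covering two quoted-string rules stated above: the backslash handling r1.685 spells out (\ before space or tab yields that character, \ before newline is a line continuation) and the r1.642 point that an embedded NUL must be rejected rather than silently truncating the token. lex_quoted() is this example's own function; it takes an explicit byte length so the NUL is detectable, keeps a bare newline inside quotes (this example's choice), and the sample inputs in main() are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/*
 * Unescape one double-quoted string. `in` points at the opening quote and
 * `inlen` is the number of bytes available (an explicit length, so a NUL
 * byte inside the buffer is visible instead of ending the string early).
 * Rules applied:
 *   \<space> or \<tab>  -> the space or tab itself
 *   \<newline>          -> dropped (line continuation, still counted in *lines)
 *   \"                  -> a literal quote
 *   \x (anything else)  -> backslash kept, x then processed normally
 * Returns the result length, or -1 on an unterminated string, an embedded
 * NUL, or an output buffer too small for the result.
 */
ssize_t
lex_quoted(const char *in, size_t inlen, char *out, size_t outsz, int *lines)
{
	size_t i, o = 0;

	if (inlen == 0 || in[0] != '"')
		return -1;
	for (i = 1; i < inlen; i++) {
		char c = in[i];

		if (c == '\\') {
			char next;

			if (i + 1 >= inlen)
				return -1;	/* backslash at end of input */
			next = in[i + 1];
			if (next == '"' || next == ' ' || next == '\t') {
				c = next;
				i++;
			} else if (next == '\n') {
				(*lines)++;
				i++;
				continue;	/* continuation: emit nothing */
			}
			/* any other escape keeps the backslash literally */
		} else if (c == '"') {
			if (o >= outsz)
				return -1;
			out[o] = '\0';
			return (ssize_t)o;
		} else if (c == '\0') {
			return -1;	/* embedded NUL is never legitimate input */
		} else if (c == '\n') {
			(*lines)++;
		}
		if (o + 1 >= outsz)
			return -1;
		out[o++] = c;
	}
	return -1;	/* ran out of input before the closing quote */
}

int
main(void)
{
	/* constructed samples: the raw bytes a lexer would see */
	const char s1[] = "\"host\\ name\"";
	const char s2[] = "\"long\\\nline\"";
	const char s3[] = "\"bad\0name\"";	/* NUL in the middle of a name */
	char out[64];
	int lines = 0;
	ssize_t n;

	n = lex_quoted(s1, sizeof(s1) - 1, out, sizeof(out), &lines);
	printf("s1 -> %zd [%s]\n", n, n < 0 ? "error" : out);
	n = lex_quoted(s2, sizeof(s2) - 1, out, sizeof(out), &lines);
	printf("s2 -> %zd [%s], newlines consumed: %d\n", n, n < 0 ? "error" : out, lines);
	n = lex_quoted(s3, sizeof(s3) - 1, out, sizeof(out), &lines);
	printf("s3 -> %zd (embedded NUL rejected)\n", n);
	return 0;
}
```

The length-carrying interface is the point of the NUL check: once a token is copied with strlcpy-style string functions, everything after the NUL is gone and later code that trusts the original length reads past the end.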


# 1.641 27-Oct-2014 mikeb

Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic. Reported by sthen@;
ok henning benno sthen


# 1.640 25-Oct-2014 lteo

Remove unnecessary netinet/in_systm.h include.

ok millert@


# 1.639 13-Sep-2014 doug

Replace all queue *_END macro calls except CIRCLEQ_END with NULL.

CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.

ok millert@


# 1.638 23-Aug-2014 pelikan

when you specify queues in a rule, make sure they have been defined.

DIOCADDRULE EBUSY turns into an error message that pfctl -n catches.
DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported
to occur, possibly from hfsc.c: this should be fixed as well.

ok henning mikeb sthen


# 1.637 21-Aug-2014 mikeb

deny "once" flags for match rules; ok henning


Revision tags: OPENBSD_5_6_BASE
# 1.636 02-Jul-2014 mikeb

branches: 1.636.4;
condition above makes this part of the check useless;
overlooked in the previous commit


# 1.635 30-Jun-2014 mikeb

Merge two loops in collapse_redirspec into one

This lets us do the checks only once and also make smarter decisions
about the rule's own address family. As a result af-to rules no longer
need to specify the address family after 'pass'.

ok henning


# 1.634 25-Jun-2014 mikeb

Make stricter decisions when handling translation specifications.

In particular, disallow specifications containing addresses of
different address families when rule doesn't specify one, for
example "pass out nat-to { ::1 1.1.1.1 }" will now produce an
error instead of silently picking one of the addresses.

sthen and deraadt agree


# 1.633 17-May-2014 bluhm

When parsing a numerical value for the TOS bits, make sure that it
is in a valid range.
OK henning@


# 1.632 19-Apr-2014 henning

remove altq bits here, too
(i was convinced i committed that yesterday already, hrm)


Revision tags: OPENBSD_5_5_BASE
# 1.631 22-Jan-2014 henning

branches: 1.631.4;
relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.630 21-Jan-2014 henning

if_item can be "any" now.
allows things like
block out on $someif received-on any
to prevent packets to get forwarded to $someif


# 1.629 20-Jan-2014 henning

support "!received-on <interface>", ok dlg benno


# 1.628 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.627 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


# 1.626 17-Oct-2013 henning

cannot have queue definitions inside anchors.
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@@ring0.de>, analysis & fix yours truly


# 1.625 12-Oct-2013 henning

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen


# 1.624 01-Aug-2013 mikeb

Provide local implementations of if_nametoindex(3) and if_indextoname(3)
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance wise this change provides a speed up
factor of 20 with a 11k line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).

"wow!" henning, ok benno, florian


Revision tags: OPENBSD_5_4_BASE
# 1.623 01-Jun-2013 henning

branches: 1.623.2;
remove set-tos backwards compat, moved into the set {} block a year ago
ok ryan


# 1.622 02-Mar-2013 sthen

When a PF rule contains 'set tos' *followed by* a scrub option, the tos
value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning


Revision tags: OPENBSD_5_3_BASE
# 1.621 16-Jan-2013 henning

for consistency with prio etc, the queue assignment really belongs
into the set block. so make pfctl accept, print and the manpage document
. match set queue foo
instead of
. match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc


# 1.620 18-Oct-2012 reyk

Disallow tables and interface address pools for rdr-to, nat-to and
route-to with any other scheduling algorithms than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, eg. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.

Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.

ok zinke@


# 1.619 18-Sep-2012 henning

prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb


Revision tags: OPENBSD_5_2_BASE
# 1.618 10-Jul-2012 bluhm

Allow an implicit address family for af-to rules. If the address
family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6"
there.
OK henning@ mikeb@


# 1.617 10-Jul-2012 henning

set { ... } -> set ( ... )
brought up by ryan, discussed with him and theo and they convinced me


# 1.616 09-Jul-2012 henning

fix some of the confusion we have in pf regarding filter criteria vs
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler


# 1.615 07-Jul-2012 henning

remove incorrect check in pfctl preventing set-tos for ipvshit.
the kernel has code to deal with set-tos and that crap. don't ask for
details. stuart ok


# 1.614 07-Jul-2012 henning

rename prio in struct pf_rule and related structs to set_prio so it is
utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc


Revision tags: OPENBSD_5_1_BASE
# 1.613 19-Dec-2011 mikeb

unbreak rule optimizer; ok henning, looks


# 1.612 12-Dec-2011 mikeb

fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault


# 1.611 03-Dec-2011 mcbride

pfctl_set_hostid always returns 0; don't pretend otherwise and make it a
void function instead.

ok dlg


# 1.610 13-Oct-2011 claudio

pfctl change for af-to / NAT64 support.
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@


# 1.609 07-Sep-2011 haesbaert

Avoid possible SIGSEGV when wrong tos option.


# 1.608 30-Aug-2011 mikeb

One shot rules can be used in pf.conf by specifying a "once" filter option.

ok henning, mcbride


Revision tags: OPENBSD_5_0_BASE
# 1.607 29-Jul-2011 mcbride

Remove requirement to quote 'debug' loglevel for the 'debug' option.

ok henning


# 1.606 27-Jul-2011 mcbride

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt


# 1.605 13-Jul-2011 mcbride

Force user to specify protocol when filtering on user, gid, and os
attributes (this is now required by pf_rule_test()).

ok sthen henning


# 1.604 08-Jul-2011 henning

allow rules to specify "prio X" or "prio (X, Y)" to assign priority levels
for the new priority queueing implementation. valid range is 0 to 7. the old
trick for prioritizing empty ACKs etc remains thru the latter notation
ok ryan mpf sthen plus pea testing and halex and claudio reading


# 1.603 07-Jul-2011 mcbride

Fold pf_test_fragment() into pf_test_rule(), reduce code and fixes
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus


# 1.602 04-Jul-2011 henning

bye bye require-order.
i added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo


# 1.601 03-Jul-2011 henning

g/c RIO traces (aka clean up after tedu :))


# 1.600 03-Jul-2011 zinke

bring in least-states load balancing algorithm

ok mcbride@ henning@


# 1.599 06-Apr-2011 claudio

Userland bits to allow PF to filter on the rdomain a packet belongs to.
This allows to write rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@


# 1.598 05-Apr-2011 mikeb

ditch fastroute, an ipf feature that made its way into pf before
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do. reuse some kernel bits for the upcoming nat64
stuff. "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.


Revision tags: OPENBSD_4_9_BASE
# 1.597 31-Dec-2010 bluhm

According to pf_scrub_ip6() pf does not support the scrub options
no-df, random-id, set-tos for IPv6 rules. Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@


# 1.596 15-Dec-2010 henning

make the "invalid probability:" yyerror suck less
From: Thomas Pfaff <tpfaff@tp76.info>


# 1.595 01-Dec-2010 jsg

remove some unused tokens
ok henning@ mcbride@


# 1.594 24-Sep-2010 henning

remove the check that enforced rdr-to only inbound and nat-to only outbound.
both now can be used in both directions. the kernel allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given, a rule with rdr-to and/or nat-to
and no direction is pretty certainly an error (although it would work,
technically)
ok ryan claudio dlg


# 1.593 22-Sep-2010 henning

new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually


# 1.592 02-Sep-2010 sobrado

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@


Revision tags: OPENBSD_4_8_BASE
# 1.591 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.590 03-Jul-2010 mcbride

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.

tested by phessler
ok henning


# 1.589 23-Mar-2010 henning

remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving anchors aside) is wrong and
conflicts with the general idea of how pf works. last but not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc


Revision tags: OPENBSD_4_7_BASE
# 1.588 13-Jan-2010 deraadt

Move tokens before productions into more consistent places
ok mcbride


# 1.587 13-Jan-2010 mcbride

Allow /netmask notation in redir spec, fix the rest of the regress
tests for illegal conditions in translation/routing.


# 1.586 12-Jan-2010 mcbride

We actually have to keep the translate/route spec addresses around after
collapsing into tables, so that we can handle all possible address family
expansions.


# 1.585 12-Jan-2010 mcbride

Set roundrobin flag correctly, and don't treat a bare interface
like a dynamic one in the routespec.


# 1.584 12-Jan-2010 mcbride

Add restrictions to make @if illegal outside of routing specs;
Fix binat-to sanity checks.


# 1.583 12-Jan-2010 mcbride

Fix some issues in redir spec handling, discovered thanks to dlg testing
- purge irrelevant addresses from the lists before collapsing
- ensure the lists are freed after they're collapsed
- more careful ifname copying, avoiding double-free / use-after-free traps


# 1.582 12-Jan-2010 mcbride

Don't leak @if0 format routing host names, pointed out by claudio.


# 1.581 12-Jan-2010 mcbride

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio


# 1.580 10-Jan-2010 deraadt

lex <=, >=, and != into a single token for correctness and to reduce the
lookahead in the parser
ok henning otto


# 1.579 10-Jan-2010 deraadt

In the non-optimized case, an address list containing "any" (ie. { any 10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1. How long this bug has
been with us is unclear.
ok guenther mcbride


# 1.578 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


# 1.577 24-Dec-2009 dlg

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which interface the packet had to be received on. eg:

pass out on em0 from $foo to $bar received-on fxp0

i've been running this in production for a week now. i find it particularly
useful with interface groups.

no objections, and a few "i like"s from henning, claudio, deraadt, mpf


# 1.576 10-Dec-2009 deraadt

plug some memory leaks; found by parfait, ok henning


# 1.575 22-Nov-2009 henning

cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing


# 1.574 09-Nov-2009 jsg

A few more places to be updated for the route pool change.
expanded version of a diff from Vadim Zhukov.

ok henning@ claudio@


# 1.573 28-Oct-2009 jsg

Add a dedicated pf pool for route options as suggested by henning,
which unbreaks i.e. route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@


# 1.572 28-Oct-2009 claudio

route_host initializes the netmask to a /128 no matter what af is used, so
that the load balancing code does not freak out, but because of this
check_netmask() is now complaining. So set addr.type to PF_ADDR_DYNIFTL
so that check_netmask() fixes up the netmask for IPv4 and stops complaining.
This is a partial fix for the failing regress test 13.
found with jsg, looks good henning


# 1.571 28-Oct-2009 claudio

Correct function name in err and errx.


# 1.570 04-Oct-2009 michele

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who spotted the limitations of this approach.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@


# 1.569 08-Sep-2009 michele

I had not enough oks to commit this diff.
Sorry.


# 1.568 08-Sep-2009 michele

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.


# 1.567 07-Sep-2009 reyk

implement binat-to as a macro-like rule: a rule using the new binat-to
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. this simplifies the migration from old
binat rules and is less error-prone.

feedback from many, manpage bits from jmc@
ok henning@


# 1.566 03-Sep-2009 reyk

this time i commit the right diff that was
ok henning@ (sorry)


# 1.565 03-Sep-2009 reyk

fix two route-to vs. rdr-to conflicts.

found by sthen@
ok henning@


# 1.564 02-Sep-2009 reyk

all the new *-to options are part of the "filteropts" section at the
end of a pf rule (nat-to, divert-to, rdr-to, ...). take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.

for example,
pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)

many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@


# 1.563 01-Sep-2009 henning

the diff theo calls me insane for:
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too


# 1.562 28-Jul-2009 claudio

Bring back rev. 1.560:
Make it possible to use DiffServ Code Point in the TOS fields.
Requested by deraadt@


# 1.561 27-Jul-2009 deraadt

When will people learn to commit their .h file changes?


# 1.560 27-Jul-2009 claudio

Make it possible to use DiffServ Code Point in the TOS fields. Names like
af11, cs6 and ef will now be mapped to the corresponding TOS value.
OK henning@, sthen@, mcbride@


Revision tags: OPENBSD_4_6_BASE
# 1.559 14-May-2009 sthen

actually change the require-order default to No; I missed a part with
my last commit. ok deraadt@


# 1.558 26-Apr-2009 sthen

switch the require-order default to "no". regression tests still pass.
ok henning@ deraadt@


# 1.557 25-Apr-2009 henning

scrub_opts must not be empty, scrub on its own does nothing.
noticed due to a question from otto@, ok regress/sbin/pfctl/ ;)


# 1.556 06-Apr-2009 henning

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. as opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.


Revision tags: OPENBSD_4_5_BASE
# 1.555 19-Feb-2009 deraadt

spacing


# 1.554 17-Oct-2008 henning

in findeol(), do not skip the pushback buffer. fixes PR 5952 by sthen@ and
should make the pushback buffer really transparent.
diagnosis by me, fix with mpf, some input deraadt, ok mpf


# 1.553 02-Oct-2008 henning

implement "set state-defaults X", where X is a list of state options as
permitted keep state(X). applies to all rules which do not have keep state
explicitly. e. g. "set state-defaults pflow, no-sync"
ok phessler deraadt


# 1.552 10-Sep-2008 deraadt

do not try to print $$ when it has not been set


# 1.551 09-Sep-2008 henning

welcome pflow(4), a netflow v5 compatible flow export interface.
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo


# 1.550 07-Aug-2008 henning

correctly copy the log interface spec when expanding an antispoof rule that
covers loopback addresses. ok ryan
problem report from Harald Dunkel <harald.dunkel@aixigo.de>


Revision tags: OPENBSD_4_4_BASE
# 1.549 03-Jul-2008 deraadt

do not forget to initialize other members of $$ in qname; noted by mark shroyer
ok henning


# 1.548 10-Jun-2008 mcbride

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt


# 1.547 10-Jun-2008 henning

new state option "sloppy" to use the sloppy tcp state tracker instead
of the good one. ok theo ryan reyk


# 1.546 09-May-2008 deraadt

Replace a crockpot of semi-cloned productions for handling port
numbers with one, and fix a few other bugs along the way
ok mpf henning


# 1.545 09-May-2008 markus

convert port byte order in the production; add port keyword; ok deraadt@


# 1.544 09-May-2008 markus

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@


# 1.543 08-May-2008 deraadt

make "to any" optional in binat, or well, the implied default.
requested by reyk, ok reyk mpf


# 1.542 08-May-2008 deraadt

Loosen grammar to permit any number of newlines within most kinds of { }
blocks, as requested by reyk; ok reyk mpf henning


# 1.541 08-May-2008 deraadt

Bring back (in a more yacc friendly way) support for setting variables
to a sequence of strings and numbers, which get folded together into one
string (and later, when used, is re-lexed)
ok mpf


# 1.540 07-May-2008 deraadt

do not assume PF_INOUT is 0 in the enum; ok mcbride


# 1.539 07-May-2008 markus

scrub packets based on tags; ok henning


# 1.538 07-May-2008 markus

allow setting TOS with scrub; ok mcbride, claudio


# 1.537 21-Apr-2008 deraadt

optnl is a crutch for those who do not understand yacc. it
leads to a variety of errors; ok mcbride


Revision tags: OPENBSD_4_3_BASE
# 1.536 01-Feb-2008 mcbride

Enable the rest of the filter_opts to be used on anchors. These were accepted
by the parser but not passed to the kernel. This allows filtering based on
uid, gid, icmp options, tcp flags, os fingerprint, tos, tags, and probability;
It also allows the label to be set. State options and tagging are not
permitted.

ok henning mpf


# 1.535 13-Nov-2007 mpf

Bring back the number converter for 'set hostid'.
I forgot to think about hex numbers when I removed it.
OK deraadt@


# 1.534 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.533 25-Oct-2007 mpf

Fix probability rules w/ numbers (e.g. probability 0.4).
Add support for probabilities of 0% and 100%.
With and OK deraadt@


# 1.532 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.531 22-Oct-2007 deraadt

pfctl does not need file secrecy


# 1.530 16-Oct-2007 mpf

Allow unquoted numbers in variables.
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.

OK deraadt@


# 1.529 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.528 13-Oct-2007 deraadt

support an include directive; file of course must also be "secure" like
the main configuration file; ok henning


# 1.527 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.526 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.525 01-Oct-2007 mpf

Backout NUMBER to string conversion.
Requested by deraadt@


# 1.524 27-Sep-2007 mpf

Add loginterface support for groups.
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.

OK henning@, markus@


# 1.523 23-Sep-2007 mpf

Allow numbers to be used as unquoted strings again.
While there, also restrict the use of concatenated, unquoted
strings for variable assignments only.

Eyeballed by markus@, OK henning@


# 1.522 12-Sep-2007 deraadt

add a missing range check for rtable ids; ok cloder henning


# 1.521 12-Sep-2007 deraadt

Add support to the lex for parsing numbers out of the stream. handle
this in the parser. because the new numbers are int64_t, many new
range checks for < 0 are needed. re-check and improve all the
existing range checks while at it. thanks for help by cloder and
dhartmei


# 1.520 30-Aug-2007 dhartmei

add support for address ranges ("from 10.1.2.50 - 10.1.3.75") in from/to
criteria. ok mcbride@


Revision tags: OPENBSD_4_2_BASE
# 1.519 21-Jun-2007 henning

always initialize logif, from max laier, ok ryan


# 1.518 20-Jun-2007 mpf

Allow "log" for nat rules without "pass".
OK henning@, ``passt scho'' markus@


Revision tags: OPENBSD_4_1_BASE
# 1.517 03-Feb-2007 dhartmei

in decide_address_family(), only limit a rule to a specific address family
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@


# 1.516 07-Nov-2006 mcbride

Unbreak authpf by handling non-inline anchors separately from the { } anchors
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.

ok deraadt@


# 1.515 31-Oct-2006 mcbride

Allow pfctl ruleset optimizer to be controlled from the ruleset.

"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]

You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.

cleanup and ok henning@


# 1.514 31-Oct-2006 mcbride

- don't allow anchors with _* names to be cleared or loaded from the
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified

'looks sensible' deraadt@


# 1.513 28-Oct-2006 mcbride

Load all rules into memory before loading into the kernel, and add support
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").

anchor on fxp0 {
pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@


# 1.512 25-Oct-2006 henning

make absolutely sure logif is 0 unless set specifically, even if log is 0.
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...


# 1.511 25-Oct-2006 henning

and another nit, $$.log should be set to 0 explicitly on quick without log


# 1.510 25-Oct-2006 henning

urgs, $$.quick needs to be set to 0 explicitly on log (without quick)


# 1.509 25-Oct-2006 henning

allow the log interface to be selected like
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride


# 1.508 17-Oct-2006 mcbride

Don't automatically set 'flags S/SA' on stateless rules.

pointed out by david@

ok mpf@ dhartmei@


# 1.507 11-Oct-2006 deraadt

quotes around filename, pr 5253, sthen@zephyr.spacehopper.org


# 1.506 11-Oct-2006 mcbride

Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside
the anchor, terminate ruleset evaluation when stepping out of the anchor.

This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.

ok dhartmei@ henning@ deraadt@


# 1.505 06-Oct-2006 mcbride

Oops, flags S/SA doesn't work on fragments.


# 1.504 06-Oct-2006 mcbride

Make 'flags S/SA keep state' the implicit for filter rules, based on
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.

IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.

Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.

ok dhartmei@ deraadt@ henning@


Revision tags: OPENBSD_4_0_BASE
# 1.503 22-Aug-2006 dhartmei

back out -r1.497 (support for "tagged {}" lists), it broke "tagged" support
for nat rules. sorry, existing functionality trumps syntactic sugar. feel
free to resubmit a complete patch. closes PR 5207.


# 1.502 06-Jul-2006 henning

add "rtable" to select alternate routing tables.
with & ok claudio hshoexer


# 1.501 17-Jun-2006 henning

KNF


# 1.500 28-May-2006 mcbride

Make per-rule adaptive timeouts behave the same way as the global adaptive
timeouts.


# 1.499 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.498 02-May-2006 dhartmei

fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, create
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.


# 1.497 01-May-2006 dhartmei

add support for "tagged {}" lists, from Pierre-Yves Ritschard


# 1.496 06-Apr-2006 henning

allow lists inside lists for address specs, has been in my tree for
quite some time... theo likes


# 1.495 14-Mar-2006 djm

implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@


Revision tags: OPENBSD_3_9_BASE
# 1.494 17-Nov-2005 dhartmei

for pfctl -f rules, open the file before resetting options. when opening
the file fails, produce only the error message and leave options
unchanged. reported by Tamas TEVESZ, ok deraadt@


# 1.493 13-Oct-2005 henning

unused parameters


Revision tags: OPENBSD_3_8_BASE
# 1.492 14-Jun-2005 henning

no need to restrict tagging to stateful rules any more, dhartmei ok
From: "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.491 27-May-2005 dhartmei

get rid of 'log-all'. now that we have 'log (options)', make 'all' an
option to log. so, 'log-all' becomes 'log (all)'.


# 1.490 27-May-2005 dhartmei

get rid of shift/reduce conflicts, don't support empty logopts


# 1.489 27-May-2005 dhartmei

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v is used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.


# 1.488 27-May-2005 dhartmei

allow 'tagged' in 'anchor' rules (without complaining about missing
'keep state'), as a condition to branch into the anchor. suggested
by Bill Marquette.


# 1.487 26-May-2005 camield

The illegalness of "no nat log" is already enforced by the grammar.

ok dhartmei


# 1.486 26-May-2005 dhartmei

support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@


# 1.485 23-May-2005 camield

remove code that duplicates getservice()

ok dhartmei mcbride


# 1.484 21-May-2005 henning

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo


# 1.483 22-Apr-2005 camield

Catch bad flags, ie. flags that always evaluate to false. This happens
if there are flags on the lefthandside that are masked off by the
righthand side.

ok mcbride@ (long time ago) dhartmei@ henning@


Revision tags: OPENBSD_3_7_BASE
# 1.482 07-Mar-2005 henning

print unsigned long with %lu, not with %d and not with %ld.
From: Andrey Matveev <andrushock@korovino.net>


# 1.481 06-Mar-2005 henning

allow commas in the hfsc service curve spec, inconsistency pointed out in
PR4134 / geoff@collyer.net and a longer mail exchange with han boetes


# 1.480 06-Mar-2005 dhartmei

print "set skip on" with -v in such a way that the output is valid input
syntax, instead of the cryptic hex flags output.


# 1.479 27-Feb-2005 dhartmei

support 'tagged' in translation rules, non-delayed tag lookup
ok henning@, deraadt@


# 1.478 26-Feb-2005 henning

you sure get the impression the number of memory leaks in error paths
is infinite... Andrey Matveev <andrushock@korovino.net> spotted a few again!


# 1.477 07-Feb-2005 david

KNF; ok henning@


# 1.476 28-Jan-2005 dhartmei

add messages for syntax errors that caused silent failure before.
found by Peter Fraser, ok henning@


# 1.475 27-Jan-2005 dhartmei

dynamic interface names must start with a letter. catches the nonsensical
"(10.1.2.3)" that results from a simple typo like "$(ext_ip)" instead of
"$(ext_if)".


# 1.474 05-Jan-2005 mcbride

Modify pfctl behaviour so that 'set ...' options are no longer "sticky", ie.
they are reset to default values if omitted from a subsequent ruleset load.
Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set
without resetting the others, eg:
# echo "set loginterface fxp0" | pfctl -mf -

ok henning@ dhartmei@


# 1.473 29-Dec-2004 mcbride

Print 'set fingerprints' correctly when parsing verbosely.


# 1.472 23-Dec-2004 dhartmei

set rule_flag PFRULE_SRCTRACK when setting srctrack, found by camield@
using regress test pf84


# 1.471 22-Dec-2004 dhartmei

Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@


# 1.470 15-Dec-2004 henning

missing free()s; with pat


# 1.469 10-Dec-2004 henning

allow pf to filter on route labels
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan


# 1.468 08-Dec-2004 mcbride

Add "'overload' requires 'max-src-conn' or 'max-src-conn-rate'" sanity check,
fix some cut-n-paste mayhem in other related checks.


# 1.467 07-Dec-2004 dhartmei

re-commit mcbride@'s 'flush global', this time without the breakage in
pfvar.h. builds kernel and userland.


# 1.466 07-Dec-2004 deraadt

real backout


# 1.465 07-Dec-2004 deraadt

oops, incomplete backout


# 1.464 07-Dec-2004 deraadt

tree does not compile, spotted by dlg (not obvious how to fix)
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.463 07-Dec-2004 mcbride

Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.462 05-Dec-2004 dhartmei

initialize $$->tail and $$->next for MAXSRCCONNRATE


# 1.461 04-Dec-2004 mcbride

Userland support for limiting open tcp connections per source. eg:

keep state (max-src-conn 1000, max-src-conn-rate 100/10, overflow <bad> flush)

allow a maximum of 1000 open connections or 100 new connections in 10 seconds.
The addresses of offenders are added to the <bad> table which can be used in
the ruleset, and existing states from that host are flushed.

ok deraadt@ dhartmei@


# 1.460 21-Sep-2004 aaron

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok


Revision tags: OPENBSD_3_6_BASE
# 1.459 29-Jun-2004 henning

remove cedric's bogus interface name verification code.
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nice enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being bugged about it regularly.
help & ok mcbride@


# 1.458 29-Jun-2004 frantzen

convert a few memcpy()s to strlcpy() so we don't copy uninitialized junk into
an interface name's slack space past the \0. will be needed for the optimizer.
ok henning@


# 1.457 26-Jun-2004 david

add back PF_INOUT, fixes reassemble tcp
ok canacar@ mcbride@


# 1.456 25-Jun-2004 deraadt

repair tree nanobreak by the nanobum


# 1.455 10-Jun-2004 dhartmei

rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
keyword in C++. ok henning@, cedric@


# 1.454 21-May-2004 dhartmei

Use '/' instead of ':' as separator for anchor path components. Note that
the parser now needs quotes around paths containing separators.
ok mcbride@


# 1.453 19-May-2004 dhartmei

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@


# 1.452 24-Apr-2004 cedric

Add "probability xxx" rule modifier. ok deraadt@


# 1.451 22-Apr-2004 henning

typo, From: Jared Yanovich <jjy2+@pitt.edu>


# 1.450 14-Apr-2004 cedric

make antispoof work with dynamic addresses. ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_5_BASE
# 1.449 20-Mar-2004 david

spelling fix; ok dhartmei@ henning@ deraadt@


# 1.448 14-Mar-2004 dhartmei

#include fixes, from Max Laier, ok beck@ henning@


# 1.447 08-Mar-2004 henning

plug 124 memory leaks
ok mcbride@ pb@ dhartmei@


# 1.446 06-Mar-2004 henning

from bgpd:
plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. err(1, "yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@
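
The leak described above, as an added example (this is not pfctl's lexer or
bgpd's; the keyword table, lookup(), lex_token() and leaked_after_parsing()
are this example's own names). lex_token() is switchable between the leaky
behaviour (strdup() for every token) and the fix (strdup() only for STRING).
The driver frees copies exactly where the grammar would, i.e. only for
STRING, and counts every other copy as leaked; it then frees those too,
purely so the demo itself stays clean.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tokens of a deliberately tiny grammar; STRING is the only one whose
 * semantic value (yylval.v.string) the parser owns and frees. */
enum token { PASS = 1, BLOCK, IN, OUT, FROM, TO, STRING };

static const struct {
	const char	*k;
	enum token	 t;
} keywords[] = {
	{ "block", BLOCK }, { "from", FROM }, { "in", IN },
	{ "out", OUT }, { "pass", PASS }, { "to", TO },
};

/* Match a word against the keyword table; STRING if nothing matches. */
static enum token
lookup(const char *word)
{
	size_t i;

	for (i = 0; i < sizeof(keywords) / sizeof(keywords[0]); i++)
		if (strcmp(word, keywords[i].k) == 0)
			return keywords[i].t;
	return STRING;
}

/* Classify one word and hand back a heap copy in *strp when one is made.
 * fixed == 0 mimics the leaky lexer: strdup() for every token, although
 * only the STRING consumer ever frees the copy.  fixed != 0 is the 1.446
 * fix: copy only when the token really is STRING. */
static enum token
lex_token(const char *word, char **strp, int fixed)
{
	enum token t = lookup(word);

	*strp = NULL;
	if (!fixed || t == STRING) {
		if ((*strp = strdup(word)) == NULL) {
			perror("strdup");
			exit(1);
		}
	}
	return t;
}

/* Split a rule on whitespace, feed each word through lex_token() and
 * free copies exactly where the grammar would (STRING only).  Returns
 * how many copies were handed out that no grammar rule would ever free. */
static int
leaked_after_parsing(const char *rule, int fixed)
{
	const char *p = rule;
	char word[64], *copy;
	int leaked = 0;

	for (;;) {
		size_t n = 0;

		while (isspace((unsigned char)*p))
			p++;
		while (*p != '\0' && !isspace((unsigned char)*p) &&
		    n < sizeof(word) - 1)
			word[n++] = *p++;
		if (n == 0)
			break;
		word[n] = '\0';

		if (lex_token(word, &copy, fixed) == STRING) {
			free(copy);	/* the STRING rule owns this copy */
			copy = NULL;
		}
		if (copy != NULL) {
			leaked++;	/* a keyword token nobody would free */
			free(copy);	/* freed here only to keep the demo clean */
		}
	}
	return leaked;
}

int
main(void)
{
	const char *rule = "pass in from any to any";	/* constructed input */

	printf("leaky lexer: %d copies leaked\n", leaked_after_parsing(rule, 0));
	printf("fixed lexer: %d copies leaked\n", leaked_after_parsing(rule, 1));
	return 0;
}
```

With the sample rule the leaky variant loses one copy per keyword token
(pass, in, from, to); the fixed variant loses none, because the only copies
made are the ones the STRING rule takes ownership of.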


# 1.445 01-Mar-2004 dhartmei

support "tagged <name>" on anchor rules, suggested by vd@vmunix.lt,
ok henning@, cedric@


# 1.444 24-Feb-2004 mcbride

'max-src-nodes' requires 'source-track rule'. Set that automatically,
unless 'source-track global' is explicit, in which case error out. Lots of
help from cedric@.

ok cedric@ henning@


# 1.443 24-Feb-2004 cedric

fixup.


# 1.442 24-Feb-2004 mcbride

Check for 'source-track rule' with 'max-src-nodes'.

ok cedric@ henning@


# 1.441 11-Feb-2004 cedric

Fix interface clobbering for link-local addresses. Found by Pyun YongHyeon.
Fix "antispoof for foo" when foo has no addresses.
ok+help dhartmei@, ok mcbride@


# 1.440 10-Feb-2004 henning

KNF


# 1.439 10-Feb-2004 henning

fix at least the worst of Cedric "KNF is for everybody but me" Berger's fuckup


# 1.438 04-Feb-2004 mcbride

Handle rules like 'pass ... proto { tcp udp icmp } ... modulate state'

ok dhartmei@ henning@


# 1.437 03-Feb-2004 henning

fix PR 3664 / jared r r spiegel
we need to save the unexpanded tag/tagged strings before entering the
expansion loop, and at each loop, start with the unexpanded tag, so that
on subsequent loops the macros are replaced with current values and not
the values from previous loop persist
ryan theo ok
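
The expansion-loop bug fixed in 1.437, as an added example that is not
pfctl's code: expand_label_str(), expand_rule_tags() and expand_demo() are
this example's own names, only the $if macro is handled, and the
three-interface list is constructed input. expand_rule_tags() can run
either way: restarting from the unexpanded tag on every iteration (the fix)
or feeding each iteration the previous iteration's result (the bug), in
which case $if is gone after the first interface and every later rule
inherits the first interface's name.

```c
#include <stdio.h>
#include <string.h>

#define TAGSZ 64

/* Copy in to out, replacing every occurrence of var with value.
 * Returns 0, or -1 when the result would not fit in outlen bytes. */
static int
expand_label_str(const char *in, char *out, size_t outlen,
    const char *var, const char *value)
{
	size_t vlen = strlen(var), rlen = strlen(value), o = 0;
	const char *p = in;

	while (*p != '\0') {
		if (strncmp(p, var, vlen) == 0) {
			if (o + rlen >= outlen)
				return -1;
			memcpy(out + o, value, rlen);
			o += rlen;
			p += vlen;
		} else {
			if (o + 1 >= outlen)
				return -1;
			out[o++] = *p++;
		}
	}
	out[o] = '\0';
	return 0;
}

/* Expand one rule's tag once per interface of an "on { ... }" list.
 * from_template != 0 is the 1.437 fix: every iteration starts again from
 * the unexpanded tag.  from_template == 0 reproduces the bug: iteration i
 * expands whatever iteration i-1 produced, so once $if has been replaced
 * by the first interface name it is gone for all later rules. */
static int
expand_rule_tags(const char *tag, const char **ifaces, int n,
    char out[][TAGSZ], int from_template)
{
	char prev[TAGSZ];
	int i;

	if (strlen(tag) >= sizeof(prev))
		return -1;
	strcpy(prev, tag);
	for (i = 0; i < n; i++) {
		const char *src = from_template ? tag : prev;

		if (expand_label_str(src, out[i], TAGSZ, "$if", ifaces[i]) == -1)
			return -1;
		strcpy(prev, out[i]);
	}
	return n;
}

/* Constructed input: the tag "from_$if" on a rule for three interfaces.
 * Returns the tag the idx-th expanded rule ends up with, or NULL. */
static const char *
expand_demo(int from_template, int idx)
{
	static const char *ifaces[] = { "fxp0", "wi0", "em0" };
	static char out[2][3][TAGSZ];	/* one result set per mode */
	char (*o)[TAGSZ] = out[from_template ? 1 : 0];

	if (idx < 0 || idx >= 3 ||
	    expand_rule_tags("from_$if", ifaces, 3, o, from_template) != 3)
		return NULL;
	return o[idx];
}

int
main(void)
{
	int i;

	for (i = 0; i < 3; i++)
		printf("rule %d: buggy %-10s fixed %s\n", i,
		    expand_demo(0, i), expand_demo(1, i));
	return 0;
}
```

The same discipline applies to any other per-rule template that is expanded
inside a loop: expand from the saved original, never from the previous
result.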


# 1.436 05-Jan-2004 henning

few off by ones in strlcpy overflow check; Patrick Latifi


# 1.435 04-Jan-2004 cedric

don't ignore "!" on "binat on !foo". ok mcbride@


# 1.434 31-Dec-2003 deraadt

spacing. note this, cedric


# 1.433 31-Dec-2003 cedric

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now support multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@


# 1.432 30-Dec-2003 henning

fix TAILQ abuse.
TAILQ_REMOVE is a no-no within a TAILQ_FOREACH loop.
also free the symbol itself after removal.
all found while hacking bgpd which incorporates pfctl's sym code (macros).

ok cedric@


# 1.431 19-Dec-2003 henning

i wrote much of these, assert my copyright


# 1.430 19-Dec-2003 deraadt

assert copyright. i rewrite much of this


# 1.429 16-Dec-2003 mcbride

Check that max-src-states and max-src-nodes are not being set to 0.


# 1.428 15-Dec-2003 henning

KNF here too


# 1.427 15-Dec-2003 mcbride

Whitespace.


# 1.426 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contains regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


# 1.425 15-Dec-2003 mcbride

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@


# 1.424 29-Nov-2003 dhartmei

allow ':' (range including boundaries) to be used wherever '><' (range
excluding boundaries) is legal. already supported by kernel, requires only
removal of three error messages. ok henning@


# 1.423 22-Nov-2003 henning

daniel stumbled over a broken regress test, and it turned out that I forgot
to commit a diff from 11/6...
do not insert the "block in on ! interface" rule for antispoof statements when
the interface in question does not have any IP address, because that then
expands to
block in on ! interface all
which is obviously bad.
niklas@ found it, dhartmei@ ok, and I think some more ppl ok I don't remember


# 1.422 14-Nov-2003 henning

allow the debuglevel to be set from pf.conf (set debug)

ok cedric@


# 1.421 08-Nov-2003 mcbride

Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.

pass in proto tcp to self flags S/SA keep state (no-sync)

ok cedric@ henning@ dhartmei@


# 1.420 06-Nov-2003 henning

and fix two err() that should be errx() while beeing here


# 1.419 06-Nov-2003 henning

need calloc here


# 1.418 06-Nov-2003 henning

allow the label macros to be used in tags as well.
the idea is not mine and I'd love to give credit, but I cannot find the mail
any more :-((

ok canacar@ dhartmei@


# 1.417 21-Oct-2003 itojun

don't use NULL as (int)0. henning ok


# 1.416 26-Sep-2003 cedric

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remain in the kernel). Basically, improvements are:

- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK

Ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_4_BASE
# 1.415 01-Sep-2003 henning

KNF


# 1.414 28-Aug-2003 kjell

This change is busted. what's worse, REGRESSION TESTS WOULD HAVE CAUGHT IT!
You MUST test network stack changes on BOTH BYTE-ORDERS.
Someone can fix this later, but right now I need to get the damn
firewall up. Grr.


# 1.413 26-Aug-2003 dhartmei

catch port/user/group a <>/>< b with a >= b, from mpech@
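
The check introduced here, and the ':' versus '><' distinction that 1.424
later relies on, as an added example that is not pfctl's parser code. The
enum names, check_port_range(), port_match(), parse_port_range() and
range_matches() are this example's own, and the rule that 'a:b' requires
a <= b (so 'a:a' is a single port) is this example's choice, not something
the log states. Only ports are covered; the user/group variants of the
same check have no 16-bit limit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The three binary port operators of pf.conf. */
enum port_op {
	OP_RANGE,	/* a:b   matches a <= p <= b (boundaries included) */
	OP_XRG,		/* a><b  matches a <  p <  b (boundaries excluded) */
	OP_IRG		/* a<>b  matches p < a || p > b */
};

/* The 1.413 sanity check: for the exclusive operators the lower bound
 * must be strictly below the upper one, because "a >< b" with a >= b can
 * never match and "a <> b" with a >= b would match every port.  Both
 * bounds must also be valid port numbers.  Returns 0 if OK, -1 if not. */
static int
check_port_range(enum port_op op, long a, long b)
{
	if (a < 0 || a > 65535 || b < 0 || b > 65535)
		return -1;
	switch (op) {
	case OP_RANGE:
		return (a <= b) ? 0 : -1;	/* a:a is a single port */
	case OP_XRG:
	case OP_IRG:
		return (a < b) ? 0 : -1;
	}
	return -1;
}

/* Match a port the way each operator is defined. */
static int
port_match(enum port_op op, unsigned a, unsigned b, unsigned p)
{
	switch (op) {
	case OP_RANGE:
		return p >= a && p <= b;
	case OP_XRG:
		return p > a && p < b;
	case OP_IRG:
		return p < a || p > b;
	}
	return 0;
}

/* Parse "a:b", "a><b" or "a<>b" and validate it.  Returns 0 on success
 * (op, a and b filled in), -1 on a syntax or sanity-check error. */
static int
parse_port_range(const char *s, enum port_op *op, long *a, long *b)
{
	char *end;

	*a = strtol(s, &end, 10);
	if (end == s)
		return -1;
	if (strncmp(end, "><", 2) == 0) {
		*op = OP_XRG;
		end += 2;
	} else if (strncmp(end, "<>", 2) == 0) {
		*op = OP_IRG;
		end += 2;
	} else if (*end == ':') {
		*op = OP_RANGE;
		end += 1;
	} else
		return -1;
	s = end;
	*b = strtol(s, &end, 10);
	if (end == s || *end != '\0')
		return -1;
	return check_port_range(*op, *a, *b);
}

/* Does the range expression spec accept port p?
 * 1 = yes, 0 = no, -1 = spec is invalid. */
static int
range_matches(const char *spec, unsigned p)
{
	enum port_op op;
	long a, b;

	if (parse_port_range(spec, &op, &a, &b) == -1)
		return -1;
	return port_match(op, (unsigned)a, (unsigned)b, p);
}

int
main(void)
{
	const char *specs[] = { "1024><65535", "22<>80", "80:80", "80><80" };
	size_t i;

	for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++)
		printf("%-12s port 80: %d\n", specs[i], range_matches(specs[i], 80));
	return 0;
}
```

Note the practical difference between the two operators that look alike:
'1024><65535' does not match port 1024 or 65535, while '1024:65535' does.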


# 1.412 25-Aug-2003 dhartmei

catch return-rst ttl values > 255, from aaron@


# 1.411 24-Aug-2003 cedric

Tweaks:
- Make sure we allow only tables in round-robin pools for routing options,
same as what we do for translation rules.
- Don't reject rules like: "nat on sis0 -> <foo>" because
"no address family is given". This is perfectly valid.
ok henning@


# 1.410 22-Aug-2003 david

pf spelling police
ok dhartmei@ jmc@


# 1.409 21-Aug-2003 frantzen

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001


# 1.408 20-Aug-2003 henning

braindeadness police: catch queues which specify itself as child... 'nuff said


# 1.407 20-Aug-2003 henning

err out nicer on errors in queue def


# 1.406 18-Aug-2003 dhartmei

catch max-mss values > 65535, report by Gregory Steuck


# 1.405 09-Aug-2003 cedric

This patch removes the restriction that tables cannot be used in routing or
redirection rules...

The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.

This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.

Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"

ok henning@ mcbride@


# 1.404 29-Jul-2003 deraadt

indent


# 1.403 19-Jul-2003 cedric

Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
instead of indirectly through struct pf_rule_addr.

Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.

Needless to say: KERNEL/USERLAND SYNC REQUIRED.

ok henning@ mcbride@


# 1.402 18-Jul-2003 cedric

Simplify handling of flags (-R, -N...). Remove PFCTL_FLAG_ALL.
ok dhartmei@


# 1.401 15-Jul-2003 cedric

Repair memory management in table parsing code.
I need vacations.
Found and verified by Pyun YongHyeon.
ok dhartmei@


# 1.400 14-Jul-2003 dhartmei

tpo


# 1.399 11-Jul-2003 cedric

Better parsing and -v support for tables:

- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and bring table definition consistent with other
parsed rules.

ok dhartmei@


# 1.398 10-Jul-2003 cedric

Fix merging of host lists.
ok dhartmei@ henning@


# 1.397 04-Jul-2003 henning

KNF after cedric (grmpf)


# 1.396 04-Jul-2003 henning

allow for a "pass" modifier on translation rules:
nat pass on $ext_if from $a to $b -> $ext_if
when the pass modifier is given, the filter ruleset is _not_ evaluated but
the packets matching this translation rule are passed unconditionally.

ok dhartmei@ cedric@ markus@


# 1.395 03-Jul-2003 cedric

Bye bye atexit(), bye bye globals...
The pfctl.c part will probably need some further improvements.
ok henning@


# 1.394 03-Jul-2003 cedric

This patch finally cleanup pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@


# 1.393 19-Jun-2003 deraadt

knf


# 1.392 18-Jun-2003 henning

change expand_label_addr() to use a switch (h->addr.type) instead of
if .. else if .. else, and handle PF_ADDR_NOROUTE as well.
inspired by a comment from cedric.


# 1.391 18-Jun-2003 henning

when expanding the $srcaddr/$dstaddr label macros and the address is actually
a table reference, don't print nonsense but the table name.
found by claudio jeker, fix by me, agreement by cedric


# 1.390 09-Jun-2003 mcbride

Attempt to resolve byte order confusion in nat code once and for all.

- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()

NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.


# 1.389 25-May-2003 henning

must not run check_netmask() before remove_invalid_hosts() - binat case had it
wrong for the redirection target.
reported by jared r r spiegel <jrrs@ice-nine.org>


# 1.388 19-May-2003 henning

reject invalid netmasks like 10.0.0.0/68, and fix up the netmask for
dynaddr rules after we know the address family

ok dhartmei@, inspired by a session with bob
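
The netmask check from 1.388, as an added example that is not pfctl's
host() or set_ipmask() code: struct hostspec, set_ipmask(),
parse_hostspec(), prefix_of() and mask_byte() are this example's own names.
It handles literal addresses only (for a dynaddr rule like "(fxp0)/24" the
family is not known at parse time, which is the other half of that commit);
the point it shows is that the prefix length can only be validated, and the
mask only built, once inet_pton() has established the address family.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

struct hostspec {
	int		af;		/* AF_INET or AF_INET6 */
	int		prefix;		/* prefix length, in bits */
	unsigned char	addr[16];
	unsigned char	mask[16];
};

/* Build a netmask of `bits` leading one bits for the given family. */
static void
set_ipmask(unsigned char *mask, int bits, int af)
{
	int total = (af == AF_INET) ? 32 : 128, i;

	memset(mask, 0, 16);
	for (i = 0; i < bits && i < total; i++)
		mask[i / 8] |= (unsigned char)(0x80 >> (i % 8));
}

/* Parse "addr" or "addr/prefix".  The prefix is only checked, and the
 * mask only built, after inet_pton() has told us the address family:
 * 10.0.0.0/68 is rejected, 2001:db8::/68 is fine.  Returns 0 on success,
 * -1 on a malformed address, a malformed prefix or one that is too long. */
static int
parse_hostspec(const char *spec, struct hostspec *h)
{
	char buf[INET6_ADDRSTRLEN + 5], *slash, *end;
	long bits = -1;
	int maxbits;

	if (strlen(spec) >= sizeof(buf))
		return -1;
	strcpy(buf, spec);
	if ((slash = strchr(buf, '/')) != NULL) {
		*slash = '\0';
		bits = strtol(slash + 1, &end, 10);
		if (end == slash + 1 || *end != '\0' || bits < 0)
			return -1;
	}
	memset(h, 0, sizeof(*h));
	if (inet_pton(AF_INET, buf, h->addr) == 1) {
		h->af = AF_INET;
		maxbits = 32;
	} else if (inet_pton(AF_INET6, buf, h->addr) == 1) {
		h->af = AF_INET6;
		maxbits = 128;
	} else
		return -1;
	if (bits > maxbits)
		return -1;		/* the 10.0.0.0/68 case */
	h->prefix = (bits < 0) ? maxbits : (int)bits;
	set_ipmask(h->mask, h->prefix, h->af);
	return 0;
}

/* Result helpers: the accepted prefix length (-1 when the spec is
 * rejected) and the i-th mask byte (-1 when rejected or out of range). */
static int
prefix_of(const char *spec)
{
	struct hostspec h;

	return parse_hostspec(spec, &h) == 0 ? h.prefix : -1;
}

static int
mask_byte(const char *spec, int i)
{
	struct hostspec h;

	if (i < 0 || i > 15 || parse_hostspec(spec, &h) != 0)
		return -1;
	return h.mask[i];
}

int
main(void)
{
	const char *specs[] = { "10.0.0.0/8", "10.0.0.0/68", "2001:db8::/68",
	    "192.0.2.1", "2001:db8::/129" };	/* constructed inputs */
	size_t i;

	for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++)
		printf("%-16s -> %s (prefix %d)\n", specs[i],
		    prefix_of(specs[i]) < 0 ? "rejected" : "ok",
		    prefix_of(specs[i]));
	return 0;
}
```

A spec without a prefix gets the host mask for its family (/32 or /128),
which is what keeps a bare address from silently matching a whole block.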


# 1.387 19-May-2003 henning

all host() receivers have to test for NULL


# 1.386 19-May-2003 henning

if host() returns NULL, it is an error, so err the fuck out and don't
load bullshit


# 1.385 17-May-2003 henning

support inverse matching on tags like
block in ! tagged sometag

ok dhartmei@ pb@


# 1.384 16-May-2003 dhartmei

TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive end-
point, preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@


# 1.383 15-May-2003 henning

properly complain about too long tags


# 1.382 14-May-2003 frantzen

add scrub modifier "reassemble tcp" to turn on stateful TCP normalizations
ok henning@ dhartmei@


# 1.381 14-May-2003 henning

tagging on binat


# 1.380 14-May-2003 henning

enabled tagging on rdr rules


# 1.379 14-May-2003 henning

with tag/tagged given, only whine about missing keep state on pass rules


# 1.378 14-May-2003 frantzen

allow SCRUB rules to specify protocol again. broken sometime in the past.
okie dhartmei@, yay pb@


# 1.377 14-May-2003 henning

tags on nat rules:
nat on $ext_if all tag humppa -> $ext_if
pass out tagged humppa keep state


# 1.376 13-May-2003 henning

make sure tagging is only ever used with stateful filter rules


# 1.375 13-May-2003 henning

userland part for tagging.
it's now possible to tag packets with an arbitrary tag and filter based on
that tag later on other interfaces:
pass in quick on fxp0 keep state tag blah
pass out quick on wi0 keep state with tag blah
can be used to express trust between interfaces, to distinguish between
NATed connections and connections originating from the firewall itself
and much more

ok dhartmei@ frantzen@ pb@ mcbride@


# 1.374 11-May-2003 mcbride

Don't ntohs() the translation port for nat as it is already in host byte order.
Makes nat ... -> $ext_if port 500 rules work correctly again.

ok henning@ dhartmei@ frantzen@


# 1.373 10-May-2003 henning

support loading of anchors from within the main ruleset via
load anchor anchorname:rulesetname file /path/to/file

ok pb@ dhartmei@ cedric@


# 1.372 03-May-2003 henning

don't free() the char * carrying the rule label too early
noticed by Mathieu Sauve-Frankel <m.sauve at secureops.net> via silc


# 1.371 01-May-2003 henning

ease label handling

ok cedric@


# 1.370 01-May-2003 henning

allow label on antispoof; requested by Gregor Binder <gbinder at sysfive.com>

ok cedric@


# 1.369 30-Apr-2003 cedric

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@


# 1.368 25-Apr-2003 dhartmei

Properly copy the second part of nat proxy port range, when specified.
ok henning@


# 1.367 15-Apr-2003 henning

pass down the unparsed queue opts (struct node_queue_opt) to
print_altq/print_hfsc -> print_hfsc_opts and extract struct node_hfsc_sc
there for each service curve and pass those down to print_hfsc_sc. now
bandwidth specifications in the service curves are printed correctly in the
case of a queue belonging to more than one interface/parent queue, the
parent queues having different bandwidths and the bandwidth on the service
curve being specified in percent.


# 1.366 14-Apr-2003 henning

let print_altq and print_queue take a struct node_queue_bw parameter instead
of distinct bw_percent


# 1.365 13-Apr-2003 henning

KNF


# 1.364 13-Apr-2003 henning

prevent double service curve specification


# 1.363 13-Apr-2003 henning

add support for the HFSC linkshare, realtime, and upperlimit service curves
to be specified.


# 1.362 13-Apr-2003 dhartmei

unbreak (missing })


# 1.361 13-Apr-2003 henning

say bye bye to hfscflags_list and hfscflags_item
welcome hfscopts_list and hfscopts_item, returning a full struct
node_hfsc_opt instead of just an int for the flags. needed because of all
the opts hfsc knows


# 1.360 13-Apr-2003 henning

new struct node_hfsc_opts for, surprise, hfsc options. needed because they
contain bandwidth specifications and we need to carry the unprocessed bw
specs around for quite some time until we can break them down to absolute
values.


# 1.359 13-Apr-2003 henning

pass down the struct node_queue_opts from the altqif/queuespec yacc targets
to expand_altq/expand_queue -> eval_pfaltq/eval_pfqueue and
further down to the new eval_queue_opts() instead of evaluating them directly
in the yacc grammar.
this will be needed to process the hfsc options which can contain relative
bandwidth specifications, and we can't break them down to an absolute one
earlier.


# 1.358 13-Apr-2003 henning

move the structs node_queue_bw and node_queue_opt to pfctl_parser.h.
let eval_pfqueue() and eval_pfaltq() take a pointer to a struct
node_queue_bw instead of two distinct bw_absolute and bw_percent parameters.


# 1.357 13-Apr-2003 henning

move the bandwidth keyword from within the bandwidth target up to the
queue_opts target so the bandwidth parser can be used for other things too;
will be needed for hfsc's linkshare etc


# 1.356 12-Apr-2003 henning

initial support for the HFSC scheduler.
whoever uses that for more than toying around is on drugs. it's far from done.


# 1.355 11-Apr-2003 henning

KNF


# 1.354 11-Apr-2003 henning

don't set r->qid and r->pqid in expand_rule any more, queue name -> queue ID
mapping is done in kernel land now


# 1.353 07-Apr-2003 dhartmei

Catch and refuse invalid icmp codes (> 255). ok pb@, mpech@.


# 1.352 05-Apr-2003 henning

ease netmask handling a bit

input theo, ok dhartmei@


# 1.351 05-Apr-2003 henning

allow queue specs to be limited to certain interfaces.

altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two }
queue one priority 1 priq(default)
queue two on $if0 priority 15
queue two on ! $if0 priority 0

ok dhartmei@


# 1.350 05-Apr-2003 henning

whitespace KNF


# 1.349 04-Apr-2003 henning

clean up:
instead of letting the lexer interpret '<' '>' '=' '>=' '<=' and return them
as PF_OP_LT, PF_OP_GT etc etc etc in PORTUNARY, just let the lexer return
'<' '>' and '=' literally, and in the few cases where the old PORTUNARY was
really used like originally intended, replace that by a new unaryop yacc
target. in all other cases that gets rid of quite some checks whether PORTUNARY
is really < and nothing else etc etc etc.

ok cedric@ deraadt@


# 1.348 27-Mar-2003 henning

lotsa const char *
from David Hill <david at phobia.ms> a while ago


# 1.347 27-Mar-2003 henning

introduce a "yesno" target. eases code a bit and yes is not a keyword any more.


# 1.346 27-Mar-2003 henning

handle invalid priq/cbq flags better and give a nice error message


# 1.345 27-Mar-2003 henning

default, borrow, ecn, red and rio are not keywords any more. use STRING and
strcmp instead.


# 1.344 27-Mar-2003 henning

switch symset/symget to TAILQ instead of using hand baked lists

ok dhartmei@ cedric@


Revision tags: OPENBSD_3_3_BASE
# 1.343 19-Mar-2003 henning

branches: 1.343.2;
kill the address token and move the host() invocation up to the host token,
so that host() always gets the full address to be parsed including the
netmask instead of applying the netmask afterwards. this could break some
edge cases and was broken since the (interface)/24 fix.
new token dynaddr for, well, dynaddr, and apply a netmask, if one is given,
afterwards in the host token just in this case.

found after bug report From: Julien Bordet <zejames@greyhats.org> via dhartmei

ok daniel cedric


# 1.342 10-Mar-2003 henning

correctly cope with errors returned by eval_pfqueue and pfctl_add_altq

ok dhartmei@ pb@ (as part of... you know, monsterdiff)


# 1.341 10-Mar-2003 henning

when complaining about a queue without parent, include the queue name in
the error message

ok dhartmei@ pb@ (as part of a monsterdiff)


# 1.340 09-Mar-2003 henning

cope with LOOP_THROUGH modifying the list (queues).
in case of an error in the queue def in question the queues list remains
unmodified, but the LOOP_THROUGH caused a mod anyway, and the list can stay
empty. subsequent checks for NULL which check for an empty list fail then.
fix by adding an explicit check before looping.
fixes regress pfail31
error report by Kamil Andrusz via pb@, testcase from pb@
ok dhartmei@


# 1.339 09-Mar-2003 henning

cope with the fact that LOOP_THROUGH loops once even if the list is empty by
moving the addition of child queues a bit down after the successful
addition of the current queue and an explicit NULL check before looping.
fixes regress pf59
found by kjc@
ok kjc@ cedric@ dhartmei@


# 1.338 08-Mar-2003 henning

fix the obvious:
since we do not modify the struct pf_altq *a any more but our private copy,
we can of course not inherit the scheduler type from it, since it did not
inherit the scheduler type from the parent.
so just inherit the scheduler type from the parent directly...

ok dhartmei@ cedric@


# 1.337 08-Mar-2003 henning

in expand_queue, make a private copy of the struct pf_altq before modifying
it. modifying the original one had undesired side effects if a queue was
expanded to more than one because it belonged to more than one interface

ok pb@ cedric@ dhartmei@


# 1.336 06-Mar-2003 henning

fix queue assignment on filter rules which are not bound to an interface.
when looking up the queue IDs using qname_to_qid, we do not need to limit
the matching on the interface in question, as it is guaranteed that same
named queues on different interfaces have the same queue id. moreover, we
must not limit the matches to the interface if we do not have an interface
given on the filter rule to match on ;-)

found after problems reported by Andre Nathan <andre at v2r dot com dot br>

ok dhartmei@ pb@ cedric@


# 1.335 02-Mar-2003 henning

when printing queues at load time that have bandwidth specified in percent,
print the bandwidth in percent instead of the calculated absolute value.
if a queue belongs to more than one interface and they have different
bandwidth the calculated absolute is of course different per interface.
previously the first calculated absolute value was shown; what of course is
incorrect on the second interface. note that only the print was wrong, the
correct values were passed to the kernel.

ok theo daniel


# 1.334 02-Mar-2003 henning

remove the control keyword for cbq queues.
the control class was a legacy of the original CBQ design by LBL/Sun
to support RSVP.
the control class is not used in openbsd, in the sense that
we don't automatically set filters for ICMP/IGMP/RSVP for the control
class.

ok dhartmei@ kjc@ deraadt@


# 1.333 27-Feb-2003 david

modify error message to match the same 7 sections in pf.conf(5)
ok deraadt@ henning@


# 1.332 26-Feb-2003 henning

in expand_rule, correctly set r->pqid if a priority queue was defined, and
reuse the value of r->qid if not.

ok dhartmei@ mcbride@


# 1.331 25-Feb-2003 henning

some minor KNF my fingers just did...

ok dhartmei@ cedric@


# 1.330 25-Feb-2003 cedric

repair/simplify/flexify binat userland.
ok dhartmei@ henning@


# 1.329 24-Feb-2003 henning

when a macro is redefined, don't bother with reusing the existing entry in
symset() but just prepend a new sym entry to symhead like we always did. as
symget searches the list sequentially, the newest one is picked first.
prevents an endless loop introduced when trying to reuse the existing entry
by an invalid setting for the next pointer.
fixes regress test pf57.

found after conversation with Chris Linn, celinn at mtu dot edu

ok dhartmei@ cedric@


# 1.328 21-Feb-2003 henning

re-allow set loginterface none
ok cedric@ dhartmei@


# 1.327 21-Feb-2003 henning

better error message if set loginterface is called with nonexistent
interface, found by krause (who is doing EXCELLENT work. Thank you very
much!), fix by me, ok dhartmei@ and cedric@


# 1.326 20-Feb-2003 henning

reject nonexistent interfaces in the dynaddr case, noticed during discussion
with jasondixon at myrealbox dot com

ok dhartmei@


# 1.325 19-Feb-2003 dhartmei

Make 'from (kue0)/24' work again (dynamic interface name translation with
a /prefix), reported by Jason Dixon. ok henning@


# 1.324 19-Feb-2003 henning

better error message on icmp version / address family mismatch

ok markus@


# 1.323 18-Feb-2003 henning

fix load option handling (-A, -N, -R) for options.
due to a bug in the loadopt check options were always loaded no matter which
loadopts were specified.
while being there, move the prints for that to where they belong, into the
appropriate pfctl_set_* functions, and thus only print when the options are
actually loaded.
fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier.

ok dhartmei@


# 1.322 17-Feb-2003 henning

"optarg" was a bad pick for the variable name in pfctl_cmdline_symset, it
shadows a global. rename.


# 1.321 17-Feb-2003 mpech

-#include <sys/ioctl.h>

mcbride@, dhartmei@ ok


# 1.320 16-Feb-2003 henning

unneeded {}


# 1.319 16-Feb-2003 henning

throw a syntax error if the portunary operator in varset is not '='
extif>"whatever"
should not be the same as
extif="whatever"
but a syntax error.


# 1.318 14-Feb-2003 dhartmei

Allow route-to loopback interfaces again, since Ryan fixed the loops that
might have occurred before.


# 1.317 14-Feb-2003 cedric

Better and more consistent error message.
Ok dhartmei@


# 1.316 13-Feb-2003 henning

ease the yacc a bit by using a "not" rule instead of having two rules w/ and
without '!' everywhere

ok dhartmei@


# 1.315 12-Feb-2003 henning

KNF after ryan


# 1.314 12-Feb-2003 mcbride

Simplify the code and make the parser handle the different rule types
more consistently.

- Merge expand_nat and expand_rdr into expand_rule
- Merge rdrrule token into natrule

ok concept henning@
ok dhartmei@


# 1.313 11-Feb-2003 henning

allow macro definition on the command line:
pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea
theo), very handy if your notebook has another NIC at some conference, as
well as for debugging etc.
idea rezine@mistrusted.net via pb@
hacked live at FOSDEM

ok pb@ dhartmei@ cedric@
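
The macro table behaviour described in this entry and in 1.329 (a
redefinition is prepended and symget() walks from the head, so the newest
definition wins; a -D definition from the command line beats the file), as
an added example that is not pfctl's symset()/symget() code. The list is a
plain singly-linked one rather than the TAILQ pfctl uses, the `persist`
flag and the return value 1 for "ignored because a command-line definition
exists" are this example's own conventions, and cmdline_symset() is this
example's version of a name=value splitter.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct sym {
	struct sym	*next;
	char		*nam;
	char		*val;
	int		 persist;	/* 1: defined with -D, file cannot override */
};

static struct sym *symhead;	/* newest definition first */

/* Define (or redefine) a macro.  A new entry is always prepended; since
 * symget() walks from the head, the newest definition wins.  Returns 0
 * on success, 1 when a persistent (command-line) definition of the same
 * name exists and the new one is therefore ignored, -1 on ENOMEM. */
static int
symset(const char *nam, const char *val, int persist)
{
	struct sym *s;

	for (s = symhead; s != NULL; s = s->next)
		if (s->persist && strcmp(s->nam, nam) == 0)
			return 1;

	if ((s = calloc(1, sizeof(*s))) == NULL)
		return -1;
	s->nam = strdup(nam);
	s->val = strdup(val);
	if (s->nam == NULL || s->val == NULL) {
		free(s->nam);
		free(s->val);
		free(s);
		return -1;
	}
	s->persist = persist;
	s->next = symhead;
	symhead = s;
	return 0;
}

/* Look a macro up; the first hit is the most recent definition. */
static const char *
symget(const char *nam)
{
	struct sym *s;

	for (s = symhead; s != NULL; s = s->next)
		if (strcmp(s->nam, nam) == 0)
			return s->val;
	return NULL;
}

/* Handle one -D argument of the form name=value. */
static int
cmdline_symset(const char *arg)
{
	const char *eq = strchr(arg, '=');
	char nam[64];
	size_t n;

	if (eq == NULL || eq == arg)
		return -1;
	n = (size_t)(eq - arg);
	if (n >= sizeof(nam))
		return -1;
	memcpy(nam, arg, n);
	nam[n] = '\0';
	return symset(nam, eq + 1, 1);
}

/* Release the whole table; fetch next before freeing the entry. */
static void
symclear(void)
{
	struct sym *s, *next;

	for (s = symhead; s != NULL; s = next) {
		next = s->next;
		free(s->nam);
		free(s->val);
		free(s);
	}
	symhead = NULL;
}

int
main(int argc, char *argv[])
{
	int i;

	/* pfctl -Dext_if=wi0 ...: command-line macros are stored first. */
	for (i = 1; i < argc; i++)
		if (cmdline_symset(argv[i]) == -1)
			fprintf(stderr, "bad macro definition: %s\n", argv[i]);

	/* Then the definitions as pf.conf would make them. */
	symset("ext_if", "fxp0", 0);
	symset("ext_if", "em0", 0);
	printf("ext_if=%s\n", symget("ext_if"));	/* em0, or wi0 with ext_if=wi0 on the command line */
	symclear();
	return 0;
}
```

Run without arguments the program prints em0 (the file's last definition);
run with ext_if=wi0 as an argument it prints wi0, because the file's
definitions are refused once a persistent one exists.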


# 1.312 09-Feb-2003 henning

more live code from FOSDEM:
make
pass in proto tcp to port 80
work.
-allow to omit the "any" if you're specifying a port
-allow to omit the from or to part if you want "any" for the other

ok dhartmei@ pb@


# 1.311 09-Feb-2003 henning

KNF


# 1.310 09-Feb-2003 camield

Fix a few warnings and remove unnecessary check and cast.

ok dhartmei henning


# 1.309 08-Feb-2003 dhartmei

Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@


# 1.308 05-Feb-2003 cedric

Fix "pass out dup-to (tun0 1.1.1.1) inet6 all" error message
Allow "pass out dup-to tun0 all"
ok mcbride@ henning@


# 1.307 05-Feb-2003 mcbride

Set the network mask to all 1's if no address is specified for a
route-to/dup-to/reply-to rule. Keeps round-robin from incrementing through
the entire address space.

ok dhartmei@


# 1.306 03-Feb-2003 deraadt

pretty


# 1.305 03-Feb-2003 dhartmei

Don't allow loopback interfaces as route/reply/dup-to targets. ok henning@


# 1.304 03-Feb-2003 cedric

remove loadopt global definition and cleanup a bit.
ok henning@


# 1.303 03-Feb-2003 henning

fix a problem with queue definitions when load options (like -N etc) are
given; they used to check for their parent interface/queue even in this
case.

ok dhartmei@ cedric@


# 1.302 02-Feb-2003 henning

there is no need to pass opts to parse_rules explicitly; it's passed as
part of the struct pfctl.


# 1.301 27-Jan-2003 deraadt

KNF


# 1.300 25-Jan-2003 mcbride

Match changes for rdr port ranges made to pf.c:
- fixes behaviour of rdr on le0 from foo to bar port 1:20 -> (lo0) port 22
- makes calculated mapping more explicit for the -> (lo0) port 22:* case

testing from dhartmei@

ok dhartmei@


# 1.299 25-Jan-2003 cedric

Fix NOACTION with table statements.


# 1.298 25-Jan-2003 cedric

Permit initialisation of a table content from a file in pf.conf.
Cleaning up of the table options parsing, more flexible.
idea+cleanup deraadt@, ok dhartmei@, pass all regress tests.


# 1.297 25-Jan-2003 cedric

Correctly check illegal constructs with tables. Better error messages.
ok dhartmei@ pass all regress tests.


# 1.296 25-Jan-2003 henning

if a table name is too long, it's actually nice to tell so instead of just
aborting with a syntax error


# 1.295 20-Jan-2003 camield

Remove unused argument from print_name() and fix two other nits
found by lint.

ok henning


# 1.294 19-Jan-2003 camield

Spin off label string expansion into a separate function. Clarifies
and tightens all expand_label functions.

ok dhartmei henning


# 1.293 18-Jan-2003 henning

KNF after ryan...


# 1.292 18-Jan-2003 mcbride

Add missing token string and assignment to make static-port work for real.

Diff and report courtesy of mpech@ and form@

ok dhartmei@


# 1.291 17-Jan-2003 camield

bandwith -> bandwidth

YYERROR on failed parseicmpspec()

ok dhartmei mcbride henning


# 1.290 15-Jan-2003 mpech

Typo in yyerror().

henning@


# 1.289 14-Jan-2003 henning

unified IP parser:
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h]
-extend host() to handle /mask itself, plus minor adjustments
-use that in pfctl_table.c instead of coding the same shit again

discussed w/ cedric@
ok cedric@ dhartmei@


# 1.288 13-Jan-2003 camield

err() on all memory allocation failures

ok henning dhartmei


# 1.287 11-Jan-2003 mcbride

Whitespace KNF


# 1.286 09-Jan-2003 henning

no need for explicit numbering in enums

ok dhartmei@


# 1.285 09-Jan-2003 dhartmei

Check return values on the remaining strlcpy/strlcat. ok henning@


# 1.284 09-Jan-2003 henning

minor KNF


# 1.283 09-Jan-2003 cedric

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@


# 1.282 08-Jan-2003 deraadt

check more strlcpy; camield@


# 1.281 07-Jan-2003 dhartmei

Allow underscore at the beginning of strings, fixes
pass all user _spamd
which was refused as syntax error before. Reported by Joe Nall.
ok henning@


# 1.280 07-Jan-2003 dhartmei

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@


# 1.279 06-Jan-2003 mcbride

Fix some oversights with address pools for route-to/dup-to/reply-to
- copy key for src-hash
- copy pool type (pools were being set to round-robin in all cases)

+ some minor knf.

ok dhartmei@


# 1.278 05-Jan-2003 henning

err after calloc failure, not errx


# 1.277 05-Jan-2003 dhartmei

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@


# 1.276 04-Jan-2003 dhartmei

move noroute from flag in pf_rule_addr into type in pf_addr_wrap.
ok henning@, mcbride@


# 1.275 04-Jan-2003 deraadt

I do not know where this policy of "one .h file for every .c file" comes
from, but whoever thought of it is stupid.


# 1.274 03-Jan-2003 dhartmei

whitespace KNF (no, i don't touch the option inits)


# 1.273 03-Jan-2003 cedric

Bring in userland code for accessing PF radix tables.
ok dhartmei@ mcbride@


# 1.272 02-Jan-2003 mcbride

Require a direction to be specified for rules which do routing.

ok dhartmei@ henning@


# 1.271 30-Dec-2002 mcbride

Change ipv6-icmp-type to icmp6-type. pf.conf files will need to be adjusted
to reflect this.

ok dhartmei@ henning@


# 1.270 27-Dec-2002 mcbride

Since pf_norm.c looks at rule.log to see if it should log packets being
dropped due to scrub violations, this adds the ability to set this in
pf.conf.

ok henning@


# 1.269 21-Dec-2002 henning

always initialize rpool.key; diff from Frank Denis; KNF by me


# 1.268 21-Dec-2002 henning

KNF


# 1.267 20-Dec-2002 dhartmei

remove a redundant assignment.


# 1.266 19-Dec-2002 dhartmei

fix 'no rdr'.


# 1.265 18-Dec-2002 henning

more KNF


# 1.264 18-Dec-2002 dhartmei

proto list expansion is not supported in binat-anchor yet, print an error
when attempted.


# 1.263 18-Dec-2002 dhartmei

Support (single) destination port in rdr-anchor rules. Print an error
where parameters are not supported (in rdr-anchor and binat-anchor) yet.
If those are needed, we'll have to expand them properly.


# 1.262 18-Dec-2002 deraadt

fix some INCREDIBLE new bugs which were introduced


# 1.261 17-Dec-2002 henning

add support for the PRIQ scheduler

partially from kjc@

ok kjc@ dhartmei@


# 1.260 17-Dec-2002 mcbride

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule

ok dhartmei@ henning@


# 1.259 17-Dec-2002 henning

missing break in switch


# 1.258 17-Dec-2002 henning

beautify the %type block


# 1.257 17-Dec-2002 henning

PRIQ and HFSC support functions, not yet used.
mostly from kjc@ with adjustments by me.

ok theo ryan daniel


# 1.256 16-Dec-2002 henning

only create a root queue if scheduler = cbq


# 1.255 16-Dec-2002 henning

get full [scheduler]_opts struct instead of just .flags, and wrap it into a
switch (scheduler) statement in one case

inspired by kjc@


# 1.254 13-Dec-2002 henning

allow a second queue for higher prioritized (currently: tos=lowdelay) packets
to be specified per rule

queue (qname, priorized_qname)

idea dhartmei
ok dhartmei@ frantzen@ deraadt@


# 1.253 13-Dec-2002 henning

a bit KNF originally part of another diff soon to come; frantzen@ correctly
pointed out that it should be a separate commit.


# 1.252 13-Dec-2002 deraadt

permit re-ordering of some scrub parameters, and also clean up some other
grammar baloney; henning ok


# 1.251 12-Dec-2002 henning

KNF


# 1.250 12-Dec-2002 henning

we don't need to keep a private copy of the queue name in expand_rule,
r->qname is never modified

discussed with dhartmei@


# 1.249 11-Dec-2002 mcbride

Replace strncpy + ugly pointer math with sscanf for reading source-hash keys

ok dhartmei@ henning@


# 1.248 09-Dec-2002 dhartmei

(properly guarded) strcpy() -> strlcpy()


# 1.247 09-Dec-2002 deraadt

do not allow redefinitions in variable option blocks; henning ok


# 1.246 08-Dec-2002 henning

strncpy is evil.


# 1.245 08-Dec-2002 henning

allow flexible options order like Theo did for rules.

idea, lots of input, motivation and ok deraadt@

ATTENTION:
this changes the syntax. the "scheduler" keyword is gone now.
old: altq on $interface scheduler cbq ...
new: altq on $interface cbq ...


# 1.244 07-Dec-2002 dhartmei

Support parameters in anchor rules. Allows conditional evaluation, like:

anchor spews inet proto tcp from any to any port smtp

ok deraadt


# 1.243 07-Dec-2002 henning

more KNF


# 1.242 07-Dec-2002 henning

KNF


# 1.241 07-Dec-2002 henning

shadow cleanup

ok mcbride@ frantzen@


# 1.240 07-Dec-2002 henning

kill an unused param to lungetc


# 1.239 07-Dec-2002 mcbride

Convert the hash of a string key to network byte order. Makes regression
work on all platforms.

Bug found by dhartmei@

ok dhartmei@ henning@


# 1.238 06-Dec-2002 dhartmei

Remove negated address list check again, doesn't work right yet.


# 1.237 06-Dec-2002 dhartmei

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@


# 1.236 05-Dec-2002 henning

fix a small cosmetic problem. if ifa_lookup was called in LOOKUP_NET mode,
it would return things like 127.0.0.1/8. when 127.0.0.1/8 is passed through
the new selftests, it becomes 127.0.0.0/8.
fix: instead of just copying addr.mask in ifa_lookup, use set_ipmask, so it
is 127.0.0.0/8 from the beginning on.


# 1.235 05-Dec-2002 henning

-quote varset in -v output
-don't add 's' in set timeout -v output

makes the feedback regression tests succeed.

ok markus@ mcbride@


# 1.234 04-Dec-2002 henning

in host(), apply a given netmask to all members of the node_host list
returned by ifa_lookup().

reported by Alejandro G. Belluscio

ok dhartmei@


# 1.233 04-Dec-2002 deraadt

do not warn for unused variables except with -v -v; henning ok


# 1.232 02-Dec-2002 henning

KNF


# 1.231 02-Dec-2002 deraadt

permit more flexible pass/block lines. the options given at the end of
a line can now be placed in any order, and some merging of duplicate options
is also done. this is easier to use.


# 1.230 02-Dec-2002 henning

allow for "altq on $interface" without specifying a bandwidth. The
interface's bandwidth is taken then.
as a side-effect, "altq on $interface bandwidth xx%" is also possible now,
it's relative to the interface's bandwidth then.

ok theo


# 1.229 30-Nov-2002 mickey

move damn unmask() proto into place as well


# 1.228 29-Nov-2002 henning

coredumps are not nice.
deal with the fact that when we are merging the lists in host_list both can
be NULL.
found at EuroBSDCon 2002 while I was explaining the expansion process to
Paul de Weerd

ok dhartmei@


# 1.227 29-Nov-2002 henning

print queuespec only once in verbose mode, even if referenced more often


# 1.226 29-Nov-2002 henning

FREE_LIST nqueues later; can be used more than once


# 1.225 28-Nov-2002 henning

allow qlimit on altq spec


# 1.224 28-Nov-2002 mcbride

- Adjust to match replacement of md5 with pf_hash
- Allow keys to be specified in hex (must be 128 bits, mainly to make
pfctl -v output parseable by pfctl) or as a string. Randomly generate key
if one is not specified.

Suggestions and fixes from camield@

ok mickey@ camield@ henning@


# 1.223 27-Nov-2002 henning

handle the "no bandwidth specified" case earlier and easier.


# 1.222 27-Nov-2002 henning

-use a #define for default qlimit instead of hardcoding it
-print qlimit in print_queue if it is not the default one
-assign the default qlimit early in the parser instead of using 0


# 1.221 27-Nov-2002 henning

next round in print fixes:
-only print priority if it is not equal to the default one
-space handling overhaul


# 1.220 27-Nov-2002 henning

use a #define for default priority instead of hardcoding it


# 1.219 27-Nov-2002 henning

fix tbrsize spec


# 1.218 27-Nov-2002 henning

fix error message for altq ifspec without child queues


# 1.217 26-Nov-2002 henning

make bandwidth specification on queue truly optional


# 1.216 26-Nov-2002 henning

queue comes before NAT


# 1.215 25-Nov-2002 henning

repair decide_address_family
you cannot just take the first address family you meet as the rule's address
family... either all are equal, or the rule has no explicit AF.

found by danh@
ok theo


# 1.214 25-Nov-2002 mickey

for loN and link1 translate the iface into address properly; henning@ ok


# 1.213 25-Nov-2002 henning

1Kb = 1000b, not 1024; as discussed with kjc@ and theo


# 1.212 25-Nov-2002 henning

KNF


# 1.211 24-Nov-2002 pb

enforce that queue comes right before filtering
'options, normalization, translation, queue, filter' now

henning@ ok


# 1.210 24-Nov-2002 dhartmei

Cosmetics and removal of a redundant code block.


# 1.209 23-Nov-2002 deraadt

sigh


# 1.208 23-Nov-2002 henning

KNF


# 1.207 23-Nov-2002 henning

better error checking in expand_queue


# 1.206 23-Nov-2002 henning

easier


# 1.205 23-Nov-2002 mcbride

Daniel's diff to untangle my mess with ifa_pick_ips like so:

- add decide_address_family() which runs through the list to find hosts
with the af set
- replace ifa_pick_ips with remove_invalid_hosts() which removes hosts with
the wrong address family from the list

from/ok dhartmei@


# 1.204 23-Nov-2002 henning

better error checking, round 1
this time in expand_altq


# 1.203 23-Nov-2002 henning

KNF


# 1.202 23-Nov-2002 deraadt

KNF


# 1.201 23-Nov-2002 dhartmei

$$->ifname is NULL, leave it NULL, don't $$->ifname[0] = 0;


# 1.200 23-Nov-2002 mcbride

Fix brokenness in parse.y, clean up:
- remove requirement for ( ) in route-to ( if )
- calloc route_host
- initialise route_host->next
- globally convert malloc to calloc

ok dhartmei@


# 1.199 23-Nov-2002 mcbride

code to support loading of pf rules with multiple redirection addresses
(in nat, rdr, route-to, dup-to and reply-to)

Syntax looks like this, see pf.conf(5) for details:

nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
192.168.0.16/29 source-hash random

rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
{ 192.168.0.8/31, 192.168.0.15 } port 22 round-robin

ok dhartmei@ henning@


# 1.198 22-Nov-2002 henning

print altq and queue lines in the pfctl -v case including the child queue
assignment


# 1.197 19-Nov-2002 henning

only take cbq opts from schedtype if type=CBQ


# 1.196 19-Nov-2002 henning

repair queuespec syntax glitch, theo agrees


# 1.195 19-Nov-2002 henning

default priority is 1, not 0
found by pb@


# 1.194 19-Nov-2002 camield

- match 'Gb' case-sensitively
- match "%" unit only, not "%crap"

ok henning@


# 1.193 19-Nov-2002 wilfried

icmp-type was off by one, ok henning@


# 1.192 18-Nov-2002 deraadt

no; do not use };


# 1.191 18-Nov-2002 henning

more using strl* return values instead of strlen calls


# 1.190 18-Nov-2002 henning

easier "queue name too long" detection; from theo


# 1.189 18-Nov-2002 deraadt

KNF


# 1.188 18-Nov-2002 deraadt

KNF


# 1.187 18-Nov-2002 henning

altq and pf merged

this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documentation yet, but committing now
enables a few more people to work on.

print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.

"commit now" theo philipp daniel


# 1.186 13-Nov-2002 henning

as scrub rules end up in a struct pf_rule just call expand_rule instead of
handcrafting this.
has quite a few positive side effects:
-interface list expansion works (fries@ asked for that)
-can specify address family, very helpful with dynamic interface expansion
(pointed out by daniel)
-src/dst ip/port list expansion works
-fixes a long standing, scary, though never noticed bug:
scrub out on lo1 from any to 10.0.0.1
expanded to
scrub out on lo1 all
... this bug was there from day #1.

"sneaky diff of the month award" dhartmei@


# 1.185 13-Nov-2002 dhartmei

Add label macro $if, as we support {} list expansion for interfaces now.
From David Gwynne. ok henning@, camield@


# 1.184 13-Nov-2002 dhartmei

Initialize tail pointer to node, found by fries@


# 1.183 08-Nov-2002 henning

init buf to NULL just in case...
there isn't a single codepath where it can remain uninitialized, but this
might prevent a stupid bug if we change something later


# 1.182 07-Nov-2002 henning

move the ifa_exists block a bit up in host()
inspired by mpech@ pointing out a missing free(buf). so handle the
it-is-an-interface case where we don't need the buf before allocating memory.


# 1.181 04-Nov-2002 henning

welcome to CIDR world, pfctl!

use inet_net_pton to parse IP addresses.
stuff like
block in from 10/8 to any
works now.

some input camield@ and dhartmei@

ok dhartmei@, camield@, mcbride@


# 1.180 02-Nov-2002 dhartmei

%i -> %d, matches the style of existing code, from millert@


# 1.179 02-Nov-2002 dhartmei

printf int with %i, not %u. from pilot@monkey.org.


# 1.178 30-Oct-2002 henning

simplify


# 1.177 30-Oct-2002 henning

fix interface expansion. since the reversed list expansion code was
committed this was broken, only the first IP address was returned.

pointed out by danh@, who sent an excellent bug report.

ok dhartmei@


# 1.176 29-Oct-2002 henning

introduce
set require-order [yes|no]
default is yes.
with set to "no", it isn't required to have the rules in order (options,
scrub, nat, filter) any more, though of course NATing still happens before
filtering and so on, so one has to take care.

ok camield@ mcbride@ dhartmei@
idea discussed with a whole lotta more people and basically ok for everyone ;-)


# 1.175 27-Oct-2002 henning

remove the "flags X" syntax.
no one who wrote "flags S" meant that, but actually something like "flags
S/SA". with "flags S" changing its actual meaning as more flags got
supported, things got worse.

ok dhartmei@, pb@


# 1.174 22-Oct-2002 mpech

%ul -> %lu

dhartmei@ ok


# 1.173 22-Oct-2002 mcbride

More conversion of "int af" and "u_int8_t af" declarations and function
arguments to the more correct and descriptive "sa_family_t af"

ok dhartmei@ henning@


# 1.172 22-Oct-2002 camield

Rename ipmask to set_ipmask and add some functionality: the netmask
is applied immediately to the address.

This way, the parsed rules output shows exactly which bits of an
address are significant for a match and errors due to wrong netmasks
can be spotted more easily.

Example:
$ pfctl -nvf -
pass in on lo0 from 172.17.0.0/12 to any
@0 pass in on lo0 inet from 172.16.0.0/12 to any

idea refined by dhartmei@
ok frantzen@ henning@


# 1.171 17-Oct-2002 mcbride

These checks are also made in nat_consistent() and rdr_consistent().

ok dhartmei@ henning@


# 1.170 17-Oct-2002 camield

- accept all protocols that are specified by number if they are in
the valid range (also when they're not listed in /etc/protocols)
- explicitly disallow protocol number 0, because it has special meaning
to pf

ok dhartmei@ henning@


# 1.169 16-Oct-2002 mpech

Fix and improve binat mask comparison.

dhartmei@, henning@ ok


# 1.168 14-Oct-2002 henning

Allow one to specify a netblock in a binat rule:

binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27

Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.

from ryan

ok dhartmei@
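The two netmask behaviours described in 1.172 (the mask is applied as soon as the address is parsed, so 172.17.0.0/12 is reported as 172.16.0.0/12 and a mismatched mask becomes visible in pfctl -nv output) and in 1.168 (a binat netblock keeps the host part of the source address and swaps in the network part of the redirect block, and both prefix lengths must match), as an added C example. This is constructed illustration code, not pfctl's set_ipmask() or its binat code; the function names and the sample addresses are assumptions.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Netmask for an IPv4 prefix length, in network byte order. */
static uint32_t prefix_mask4(int prefix)
{
    if (prefix <= 0)
        return 0;
    if (prefix >= 32)
        return 0xffffffffU;
    return htonl(0xffffffffU << (32 - prefix));
}

/* Parse "a.b.c.d" or "a.b.c.d/len" (hypothetical helper). A missing
 * "/len" means /32. Returns 0 on success, -1 on a bad address or length. */
static int parse_cidr4(const char *spec, uint32_t *addr_be, int *prefix)
{
    char buf[32];
    char *slash, *end;
    struct in_addr in;
    long len = 32;

    if (strlen(spec) >= sizeof(buf))
        return -1;
    strcpy(buf, spec);
    slash = strchr(buf, '/');
    if (slash != NULL) {
        *slash = '\0';
        len = strtol(slash + 1, &end, 10);
        if (slash[1] == '\0' || *end != '\0' || len < 0 || len > 32)
            return -1;
    }
    if (inet_pton(AF_INET, buf, &in) != 1)
        return -1;
    *addr_be = in.s_addr;
    *prefix = (int)len;
    return 0;
}

/* 1.172 behaviour: apply the mask at parse time and report "net/len".
 * Returns 1 when host bits had to be cleared (address and mask disagreed),
 * 0 when the address already was a network address, -1 on a parse error. */
int canon_cidr4(const char *spec, char *out, size_t outlen)
{
    uint32_t addr, net;
    int prefix;
    struct in_addr in;
    char tmp[INET_ADDRSTRLEN];

    if (parse_cidr4(spec, &addr, &prefix) < 0)
        return -1;
    net = addr & prefix_mask4(prefix);
    in.s_addr = net;
    if (inet_ntop(AF_INET, &in, tmp, sizeof(tmp)) == NULL)
        return -1;
    snprintf(out, outlen, "%s/%d", tmp, prefix);
    return net != addr;
}

/* 1.168 binat mapping: network part of the redirect block, host part of
 * the source address. Returns 0 and writes the translated address; -1 if
 * the prefix lengths differ, host is outside the source block, or parsing fails. */
int binat_map4(const char *src_spec, const char *rdr_spec, const char *host,
    char *out, size_t outlen)
{
    uint32_t src, rdr, h, mask;
    int src_len, rdr_len, host_len;
    struct in_addr in;

    if (parse_cidr4(src_spec, &src, &src_len) < 0 ||
        parse_cidr4(rdr_spec, &rdr, &rdr_len) < 0 ||
        parse_cidr4(host, &h, &host_len) < 0)
        return -1;
    if (src_len != rdr_len || host_len != 32)
        return -1;
    mask = prefix_mask4(src_len);
    if ((h & mask) != (src & mask))
        return -1;                     /* host not in the source block */
    in.s_addr = (rdr & mask) | (h & ~mask);
    if (inet_ntop(AF_INET, &in, out, (socklen_t)outlen) == NULL)
        return -1;
    return 0;
}

int main(void)
{
    char buf[64];

    if (canon_cidr4("172.17.0.0/12", buf, sizeof(buf)) == 1)
        printf("172.17.0.0/12 is reported as %s\n", buf);
    if (binat_map4("192.168.0.32/27", "10.0.7.128/27", "192.168.0.40",
        buf, sizeof(buf)) == 0)
        printf("192.168.0.40 -> %s\n", buf);
    return 0;
}
```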


# 1.167 11-Oct-2002 camield

When a macro cannot be expanded because it is not defined, say so. Also warn
about unused macros.

ok dhartmei@ henning@


# 1.166 11-Oct-2002 camield

In lgetc(), compress strings of whitespace to a single space. This makes
macros come out right in verbose mode and is less functional overhead.

Also err on whitespace after a backslash. That type of error is hard to
find otherwise.

ok dhartmei@ henning@


# 1.165 08-Oct-2002 vincent

remove <0 checks on unsigned numbers.

ok henning@


# 1.164 07-Oct-2002 dhartmei

-Wsign-compare clean


# 1.163 07-Oct-2002 dhartmei

Two cases of const-correctness and make one global local.


# 1.162 07-Oct-2002 henning

set block-policy [drop|return]
drop is default, same behaviour as before

support
block drop
to override a return policy


# 1.161 07-Oct-2002 henning

support a generic return
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else

ok dhartmei@


# 1.160 07-Oct-2002 henning

make return-icmp work for rules covering both v4 and v6
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)

ok and some input dhartmei@


# 1.159 07-Oct-2002 henning

use a new rule_flag PFRULE_RETURNICMP to decide whether to return-icmp or not
instead of just testing return_icmp > 0

ok dhartmei@


# 1.158 07-Oct-2002 dhartmei

Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.


# 1.157 06-Oct-2002 dhartmei

Move CHECK_ROOT into LOOP_THROUGH, gets rid of one macro and saves
several lines, no functional difference. From Camiel Dobbelaar.


# 1.156 05-Oct-2002 dhartmei

Expand {} lists from left to right, so 'pass in from { a, b } to any'
becomes '@0 pass in from a to any @1 pass in from b to any' instead of
the other way around. Patch from Camiel Dobbelaar.


# 1.155 05-Oct-2002 dhartmei

Allow filtering based on IP header's tos field.


Revision tags: OPENBSD_3_2_BASE
# 1.154 22-Sep-2002 henning

little KNF: return(something) -> return (something)


# 1.153 22-Sep-2002 henning

fix linenumber counting in findeol, and simplify by ignoring the \ case,
that's already handled earlier.
fast-forward on erroneous lines

partially from camield@, parts result of a discussion with Mike

ok frantzen@ dhartmei@


# 1.152 22-Sep-2002 henning

antispoof, take 2.
also block incoming packets with our own IP as src.

discussion & help frantzen

ok ho@ dhartmei@ frantzen@


# 1.151 17-Sep-2002 henning

easier "self" implementation.
no functional changes

ok pb@


# 1.150 15-Sep-2002 henning

set a netmask in the dynaddr case
noticed by <han@mijncomputer.nl>

ok pb@


# 1.149 14-Sep-2002 henning

bit more clue in rdr/nat rules wrt address family examination
don't take the af from host_node structs based on interface lookups, most
interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will
at least have one IP address specified from which we take the af for the
whole rule. The rare exceptional cases require the user to specify the af.

ok frantzen@


# 1.148 12-Sep-2002 henning

check for calloc() failure; ho@


# 1.147 12-Sep-2002 henning

antispoof [log] [quick] for [interface|interface_list] [af]

e. g.

antispoof log quick for { dc0, dc1 } inet

docs & regress coming

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@
IPv6 help itojun@

finally, a long story finds its happy end here.


# 1.146 12-Sep-2002 henning

rework netmask handling:
-don't set netmask in host token handler
-clear netmask in ipmask() proper before setting it
-in ifa_load(), also store interface's netmask and broadcast address
-allow ifa_lookup() to return either the interface's IP address(es), network(s)
or broadcast address(es) - not used anywhere yet. This implies that
ifa_lookup() also returns the netmask now.
-host() returns netmasks, too

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@


# 1.145 08-Sep-2002 henning

be more clueful wrt address family in nat/rdr rules.
behaviour noticed by Paul de Weerd, thanks!

ok dhartmei@


# 1.144 02-Sep-2002 dhartmei

Fix parsing of port ranges in translation rules (port a:b -> port c:d).
ok henning@


# 1.143 02-Sep-2002 dhartmei

Make sure the interface specified with route-to/dup-to/fastroute exists
and null-terminate the interface name. Found by Michael Wallis.
ok henning@


# 1.142 20-Aug-2002 dhartmei

Increase lineno on newlines inside multi-line macro definitions, otherwise
errors on subsequent lines are reported with wrong line numbers.
From Paul B. Henson.


# 1.141 16-Aug-2002 henning

kill duplicated check for '(' and ')' in allowed_in_string


# 1.140 12-Aug-2002 dhartmei

Catch null pointer deref (segfault), from wilfried@


# 1.139 06-Aug-2002 henning

missing free(), mpech@
ok pb@


# 1.138 06-Aug-2002 henning

check for strdup() allocation errors

pointed out by mpech@
ok pb@


# 1.137 31-Jul-2002 henning

KNF, esp. missing prototypes


# 1.136 30-Jul-2002 henning

grmpf.
in some cases, on non-tcp rules flags weren't reset. cosmetic-only
problem. but, well, checking for r->flags and r->flagset if we could have
assigned them zero just one round ago is just stupid, and it's not needed to
check them at all.

ok pb@, dhartmei@


# 1.135 30-Jul-2002 henning

allow to specify flags on all rules that include tcp.

these are valid:

pass in from any to any flags S
pass in proto { tcp, udp, icmp } from any to any flags S
pass in proto tcp from any to any flags S

these are invalid:

pass in proto { udp, icmp } from any to any flags S
pass in proto udp from any to any flags S

ok "I've lost my slacker status for at least a week" frantzen@
ok pb@, dhartmei@, deraadt@


# 1.134 26-Jul-2002 henning

make the order of log and quick irrelevant. now both
block in log quick all
and
block in quick log all
work.

ok dhartmei@, deraadt@


# 1.133 23-Jul-2002 henning

timeout_list/_spec and limit_list/_spec don't return anything -> no %type.

ok theo


# 1.132 21-Jul-2002 deraadt

fix route-to also


# 1.131 21-Jul-2002 deraadt

make the , optional in many places. This makes string concat a lot more
useful. Now you can
in = ssh domain www
out = $in ftp finger
pass in proto tcp from any to any port { $in }
pass out proto tcp from any to any port { $out }
a poor example, but the idea is obvious


# 1.130 21-Jul-2002 deraadt

string concat, ie.
a=a b
c=$a $a


# 1.129 20-Jul-2002 deraadt

minor indent tweaks


# 1.128 20-Jul-2002 deraadt

properly split yacc and lex use


# 1.127 19-Jul-2002 deraadt

minor tweaks, sigh


# 1.126 19-Jul-2002 dhartmei

And back out the last change again.


# 1.125 19-Jul-2002 henning

rework the interface lookup routines internals.
less and easier code than before.
no functional changes.

ok frantzen@, dhartmei@


# 1.124 19-Jul-2002 dhartmei

Support # comments at the end of lines and inside (multi-line) string
literals, so you can do things like

macro="{ foo, # first entry
bar, # second entry
baz }" # last entry

or

pass in on $ext_if \ # external interface
proto tcp \ # TCP connections
from any to $ext_if \ # to the gateway itself
keep state

And sneaking in two minor fixes for KNF.


# 1.123 19-Jul-2002 henning

deal with the fact that the struct node_host ifa_pick_ip gets is not always
the result of an interface expansion. in this case ifa_pick_ip does an
address family check (that's actually a (wanted) side effect). Thus, we need
to spit out a meaningful error message in case of a mismatch.
also adjust all the other error messages, they were also assuming that nh is
the result of an interface expansion.
after a looooong discussion on icb (dhartmei@, pb@, me) we agreed on the term
"translation address" for that.

okay dhartmei@


# 1.122 17-Jul-2002 henning

support "self" as address. self expands to all IPv4 and IPv6 addresses of
the machine, on all interfaces. I wanted
block in log on ! lo0 from any to self
for years, and now it's possible.

ok "I may lose my slacking status if I OK it" frantzen@
ok dhartmei@

documentation in pf.conf.5 to come with pb@'s rewrite


# 1.121 16-Jul-2002 dhartmei

Add nat_consistent() and rdr_consistent() for checks that should occur
after rule expansion, similar to rule_consistent(). Fixes the
non-effective test for rdr rules for non-TCP/UDP protocols with ports,
found by mpech@, ok frantzen@


# 1.120 15-Jul-2002 henning

add support for
pass|block on ! $interface ...

ok dhartmei@

will be documented in pf.conf(5) by "I'm not slacking!" pb@ who's currently
reworking this manpage


# 1.119 15-Jul-2002 pb

cosmetics/consolidations to manpage in yyerror()s

ok henning@, dhartmei@


# 1.118 15-Jul-2002 henning

o complain about keep state on block rules
o complain about return-rst on rules which aren't limited to tcp

pointed out by not-slacking-but-testing pb@

ok pb@, dhartmei@


# 1.117 13-Jul-2002 henning

add list expansion for interface and proto in nat rules and for proto in rdr
rules (interface was already there). since the nat.conf/pf.conf merge the
parser accepted these but didn't expand them. ugh.

ok dhartmei@


# 1.116 09-Jul-2002 itojun

check sin6_scope_id field, just in case we change the routing socket API
for scoped address (unlikely due to the deployed codebase...).


# 1.115 09-Jul-2002 itojun

getifaddrs(3) grabs link-local addrs in kernel internal form, convert them
into proper sockaddr_in6.


# 1.114 09-Jul-2002 henning

rework the interface-to-IP routines.

you can use interface names instead of an IP in most places. However, until
now, it was only expanded to the interface's first IPv4 address if existant
(and address family unset or inet) and the first IPv6 address otherwise.

this diff changes that. the interface is properly expanded to all IPs, IPv4
_and_ IPv6, now.

it also cleans up the lookup procedures (well, in fact, they are replaced by
a new one), there's no need for different procedures for IPv4 and IPv6. we
now just have one list of interfaces (AF_LINK) and one list with IPs
(AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and
ifa_lookup.

nat, rdr & friends now use the new function ifa_pick_ip to get the IP in
rules like

nat on $interface from $whatever to any -> $interface

ifa_pick_ip tries to be smart.
if the interface has only one IP address and the nat rule doesn't specify an
address family (or it matches with this address), take this one.
If the address family is specified in the nat rule and there is only one IP
for the given address family, this one is used. if the address family is not
specified and there is more than one IP pfctl throws an error. The same
applies for multiple IPs per address family.

This causes regression tests 18 and 20 to fail because the address family
isn't specified there; diff for those coming.

also fix some prototypes while I'm here.

pb@ found another problem while testing that we must have introduced somewhat
after 3.1.

$cat t
nat on ne3 from any to any -> 213.128.133.5
$pfctl -nvf t
nat on ne3 all -> ?

it's only a representation bug as far as I've checked, nonetheless it should
be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just
steal its target's IP af and set the rule's af accordingly. then inet_ntop
does play nice.
binat rules already enforce having an address family set always and thus are
not affected.

ok dhartmei@, pb@, kjell@
"It looks good" frantzen@
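The ifa_pick_ip decision rules spelled out in the message above (one candidate of the rule's address family is taken, none is an error, several are an error unless the rule names an af), as an added C example that is not pfctl's own code; the struct, the function names and the sample interface address lists are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>

/* One address on an interface: a constructed stand-in for the node_host
 * entries that ifa_lookup() returns in pfctl. */
struct ifaddr_entry {
    int af;            /* AF_INET or AF_INET6 */
    const char *addr;  /* textual address, for reporting only */
};

enum pick_result {
    PICK_OK = 0,
    PICK_NONE,        /* interface has no address of the requested family */
    PICK_AMBIGUOUS    /* several candidates: the rule must name an af */
};

/* Hypothetical reimplementation of the ifa_pick_ip rules: rule_af is
 * AF_UNSPEC when the nat/rdr rule gives no address family. Exactly one
 * candidate of the requested family is accepted; zero is PICK_NONE and
 * two or more is PICK_AMBIGUOUS. On PICK_OK, *chosen (if non-NULL) points
 * at the selected entry. */
enum pick_result pick_translation_addr(const struct ifaddr_entry *list,
    size_t n, int rule_af, const struct ifaddr_entry **chosen)
{
    const struct ifaddr_entry *cand = NULL;
    size_t i, matches = 0;

    for (i = 0; i < n; i++) {
        if (rule_af != AF_UNSPEC && list[i].af != rule_af)
            continue;                 /* wrong family for this rule */
        if (matches++ > 0)
            return PICK_AMBIGUOUS;    /* second candidate: user must pick */
        cand = &list[i];
    }
    if (matches == 0)
        return PICK_NONE;
    if (chosen != NULL)
        *chosen = cand;
    return PICK_OK;
}

/* Convenience wrapper: the chosen address as text, or NULL when the rule
 * cannot be resolved to exactly one address. */
const char *pick_translation_name(const struct ifaddr_entry *list, size_t n,
    int rule_af)
{
    const struct ifaddr_entry *chosen;

    if (pick_translation_addr(list, n, rule_af, &chosen) != PICK_OK)
        return NULL;
    return chosen->addr;
}

/* Constructed sample interfaces (documentation addresses, not real hosts). */
const struct ifaddr_entry sample_dual[] = {
    { AF_INET,  "192.0.2.1" },
    { AF_INET6, "2001:db8::1" },
};
const struct ifaddr_entry sample_v4only[] = {
    { AF_INET, "192.0.2.2" },
};
const struct ifaddr_entry sample_two_v4[] = {
    { AF_INET, "192.0.2.3" },
    { AF_INET, "192.0.2.4" },
};

int main(void)
{
    /* "nat on $if ... -> $if" with no af on a dual-stack interface is
     * ambiguous; naming inet resolves it. */
    const char *a = pick_translation_name(sample_dual, 2, AF_INET);

    return a != NULL && strcmp(a, "192.0.2.1") == 0 ? 0 : 1;
}
```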


# 1.113 08-Jul-2002 dhartmei

Don't allow 'flags' option in non-TCP rules, found by mpech@


# 1.112 05-Jul-2002 henning

unbreak.


# 1.111 05-Jul-2002 henning

another small bug I found while installing a -current pf firewall.
we don't support

pass/block in on ! <interface>

(at least, not yet)
let the parser complain instead of ignoring the '!'

ok pb@, dhartmei@


# 1.110 01-Jul-2002 espie

streamline parse buffer handling (no need to copy value that is not
going to go away).

add explicit pushback buffer, to be able to push IPv6 failed parses back.

handle pushback + parse buffer interactions by using negative indices.

okay dhartmei@, deraadt@


# 1.109 01-Jul-2002 deraadt

KNF


# 1.108 28-Jun-2002 dhartmei

Don't check for address family conflicts in nat/rdr before expansion,
rules will expand to all valid combinations, and there's an error when
none is found. Makes "nat on tun0 from 10.0.0.0/8 to any -> (tun0)"
work (again).


# 1.107 25-Jun-2002 henning

move pfctl options -t, -m, -O and -l to pf.conf. These are set using the
"set" keyword. example rulefile:

set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all

fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@


# 1.106 24-Jun-2002 dhartmei

Use interface when specified in scrub rule. No support for ! or {} yet.


# 1.105 23-Jun-2002 deraadt

uid_t and gid_t are unsigned


# 1.104 20-Jun-2002 dhartmei

Copy address family from inet/inet6 keyword, if specified.


# 1.103 18-Jun-2002 frantzen

propagate a '!' when a host resolves to multiple IP addresses
ok dhartmei@


# 1.102 18-Jun-2002 frantzen

don't allow individual keep state rules to specify timeouts for 'interval' and
'frag' -- they aren't applied anyway
ok dhartmei@ and henning@


# 1.101 16-Jun-2002 aaron

Rules must in order -> Rules must be in order


# 1.100 15-Jun-2002 dhartmei

Reset rulestate in parse_rules(), so consecutive calls (like from authpf)
will not fail. Reported by Chris Kuethe.


# 1.99 13-Jun-2002 kjell

Fix the numbering of scrub rules. pointed out and oked by frantzen@


# 1.98 12-Jun-2002 kjell

Fix uninitialized access. Spotted by danh@ This is a good reason to
develop with "ln -s 'J' /etc/malloc.conf" enabled.
ok henning@


# 1.97 11-Jun-2002 frantzen

split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@. the rest are slacking


# 1.96 11-Jun-2002 frantzen

SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@


# 1.95 11-Jun-2002 dhartmei

Make NAT proxy port range configurable per rule, for instance privileged
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@


# 1.94 10-Jun-2002 kjell

Merge the NAT and rules files into a single rulefile. Rules must be
in this order, to remove any ambiguity about what order things happen in:

scrub rules
nat rules
filter rules

The -N and -R modifiers go away. Rulefiles are now loaded with the
more POSIXly-correct '-f'

ok frantzen@


# 1.93 10-Jun-2002 dhartmei

Allow ports to be specified in nat rules, useful later on for individual
proxy port ranges.


# 1.92 10-Jun-2002 dhartmei

Move enum out of struct (gcc 3.1 wasn't happy), from David Krause


# 1.91 10-Jun-2002 kjell

split scrub rule processing into its own yacc target,
for imminent config file merge. ok frantzen@


# 1.90 09-Jun-2002 dhartmei

Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it
includes ports and operator.


# 1.89 09-Jun-2002 deraadt

spaced out developers...


# 1.88 09-Jun-2002 kjell

Add list parsing in RDR rules: e.g.

rdr on $IFLIST proto tcp from $SRC_LIST to $DST_LIST port 21 \
-> 127.0.0.1 port 8021

ok dhartmei@


# 1.87 08-Jun-2002 henning

nuke unused parameter af to expand_label_port
ok dhartmei@, pb@


# 1.86 08-Jun-2002 dhartmei

Change remaining read-only lookup tables to const, suggestion drahn@


# 1.85 08-Jun-2002 itojun

comment on IPv6 link-local twists


# 1.84 08-Jun-2002 kjell

add list expansion to src/dest in NAT rules. i.e.

nat on fxp0 from { 10.0.0.0/24, 10.0.1.0/24 } to \
{ 172.6.1.1, 172.14.1.2/32 } -> fxp0

ok theo, dhartmei@


# 1.83 08-Jun-2002 henning

remove macro concatenation via += per Theo's advice


# 1.82 08-Jun-2002 henning

allow macro concatenation like
webservers = "{ 10.0.0.1, 10.0.0.7, 10.0.0.8, "
webservers += " 10.0.0.17, 10.0.0.25, 10.0.0.37 }"
ok frantzen@, dhartmei@


# 1.81 08-Jun-2002 dhartmei

Make state timeouts configurable per rule, like

pass in from any to any port www keep state (tcp.established 60)

ok frantzen@


# 1.80 08-Jun-2002 henning

expand $nr -> rule number in rule labels
okay dhartmei@, frantzen@


# 1.79 08-Jun-2002 henning

expand $proto in rule labels
okay frantzen@ dhartmei@


# 1.78 07-Jun-2002 dhartmei

Handle realloc() failure gracefully. Terminates with err() anyway in this
case, but we don't want to trigger "p = realloc(p," grepping causing false
alarms here.


# 1.77 07-Jun-2002 deraadt

henning, read this to see what i mean by KNF


# 1.76 07-Jun-2002 pb

add the possibility to configure a TTL while return-rst

ok dhartmei@, ipv6 part itojun@ ok


# 1.75 07-Jun-2002 dhartmei

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@


# 1.74 07-Jun-2002 henning

allow using $srcaddr, $srcport, $dstaddr and $dstport in rule labels,
evaluated at parse time.
ok dhartmei@


# 1.73 07-Jun-2002 itojun

make IPv6 scope identification work for dst (from any to fe80::1%lo0)


# 1.72 07-Jun-2002 itojun

support scoped IPv6 address in from/to portion.


# 1.71 01-Jun-2002 hugh

ECN flag support for pf. Committed in consultation with Daniel.


# 1.70 24-May-2002 dhartmei

Support mixed (IPv4/v6) address lists, expand to all possible and valid
combinations. 'pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }' will
expand to two rules, 'from 10.1.2.3 to 10.4.5.6' and 'from ::1 to ::2'.
Also applies to host name resolution (when multiple addresses are returned
for one name). ok frantzen@, itojun@


# 1.69 23-May-2002 deraadt

tiny KNF, some malloc checks, etc


# 1.68 23-May-2002 itojun

new_addr is not used from anywhere. daniel@benzedrine.cx ok


# 1.67 19-May-2002 deraadt

KNF


# 1.66 12-May-2002 dhartmei

Explain that user/group 'unknown' can only be used with operators = and !=
and refuse other constructs in the parser. Also note that 'user >= 0' does
not match forwarded packets with unknown user ID.


# 1.65 12-May-2002 dhartmei

Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.


# 1.64 10-May-2002 dhartmei

Handle host name resolution returning multiple addresses in the rule
parser (expand to every address). ok frantzen@


# 1.63 09-May-2002 jasoni

Add a max-mss option to the scrub rule which will enforce a maximum mss
by lowering it to the given value.
- ok dhartmei@, provos@


# 1.62 09-May-2002 dhartmei

Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.


# 1.61 24-Apr-2002 dhartmei

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).


# 1.60 23-Apr-2002 dhartmei

Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.


# 1.59 18-Apr-2002 deraadt

use strlcpy


# 1.58 17-Apr-2002 dhartmei

Reset lineno for each file, so pfctl -R ... -N ... reports the right
line number for non-first files. Reported by aaron@


Revision tags: OPENBSD_3_1_BASE
# 1.57 27-Mar-2002 mickey

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok


# 1.56 27-Feb-2002 dhartmei

Instead of printing useless @0 rule numbers from pfctl -vR, increase a
counter. Helps debugging rule sets that are not loaded. Suggested by
John Kerbawy.


# 1.55 11-Jan-2002 mickey

use bsearch() for keywords lookup, swap couple of entries to make the keywords array sorted and add a comment to keep it that way; dhartmei@ ok


# 1.54 10-Jan-2002 hugh

Let port 0 be specified as it's not special here.
Agreement with Daniel and others.


# 1.53 09-Jan-2002 mpech

Port must be >0 and <=65535. Idea while having fun with ssh.

dhartmei@ ok


# 1.52 09-Jan-2002 mpech

free() 'interface' in {nat,binat,rdr}rule

dhartmei@ ok


# 1.51 09-Jan-2002 dhartmei

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.


# 1.50 08-Jan-2002 dhartmei

Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.


# 1.49 07-Jan-2002 mpech

remove 3rd argument from ipmask(), not used.

dhartmei@ ok


# 1.48 23-Dec-2001 deraadt

find correct line number in lval, instead of val


# 1.47 10-Dec-2001 dhartmei

Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.


# 1.46 05-Dec-2001 dhartmei

Correctly parse hex numbers. Spotted by Claudio Jeker. Closes PR 2234.


# 1.45 03-Dec-2001 dhartmei

For nat, binat and rdr rules, don't allow different address families in
one rule. pf can't translate IPv4 <-> IPv6 packets. Such rules didn't work,
even if they were falsely accepted before.


# 1.44 26-Nov-2001 jasoni

add fastroute options similar to what is found in ipf
ok dhartmei@, frantzen@


# 1.43 05-Nov-2001 deraadt

noone responds.
this diff makes } and { not be part of symbols


# 1.42 24-Oct-2001 dhartmei

Check interface names using ifa0_lookup() and print error message for
non-existent interfaces (instead of the generic ioctl error returned by
the kernel in this case).


Revision tags: OPENBSD_3_0_BASE
# 1.41 15-Oct-2001 dhartmei

branches: 1.41.2;
Add 'allow-opts' to rules. Packets with IP options will be blocked by
default now, and can be allowed per rule. ok deraadt@


# 1.40 11-Oct-2001 frantzen

Don't htonl() past buffer bounds if ipmask == 128


# 1.39 07-Oct-2001 dhartmei

Add interface name to address translation to pfctl, document it and add
a regress test. Translation is done on rule set load-time only, so the
rule sets must be reloaded when an interface address changes.
parse.y patch from Cedric Berger. Similar patch from Jonathon Fletcher.
Thanks to both.


# 1.38 01-Oct-2001 markus

print variable assignments only if -v is given. ok dhartmei/deraadt


# 1.37 28-Sep-2001 dhartmei

Support underscores in macro names and document it in the man page.


# 1.36 20-Sep-2001 dhartmei

Fix uninitialized structure fields. Problem reported by Cedric Berger.


# 1.35 15-Sep-2001 wilfried

Implement return-icmp(number), return-icmp6(number)
Differentiate between return-icmp and return-icmp6,
icmp-type and ipv6-icmp-type. ok dhartmei@


# 1.34 15-Sep-2001 dhartmei

Fix 'binat ... to any ...' (binat.af wasn't set).


# 1.33 15-Sep-2001 dhartmei

Parse bug, found by wilfried@


# 1.32 15-Sep-2001 frantzen

IPv6 support from Ryan McBride (mcbride@countersiege.com)


# 1.31 12-Sep-2001 markus

check calloc() return value


# 1.30 06-Sep-2001 jasoni

- you can only binat between hosts
- add binat example and description


# 1.29 06-Sep-2001 jasoni

1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@


# 1.28 04-Sep-2001 dhartmei

Support parameter lists {} for interfaces in filter rules, like
pass in on { gm0, kue0 } from any to any


# 1.27 28-Aug-2001 markus

move '!' from host_list to host: "xhost : '!' host | host;"; ok dhartmei@


# 1.26 28-Aug-2001 markus

check for malloc/strdup == NULL


# 1.25 28-Aug-2001 dhartmei

Support ! operator in host parameter lists. Fixes PR system/2030. Reported
by Kamil Andrusz <wizz@mniam.net>.


# 1.24 26-Aug-2001 deraadt

sort keywords


# 1.23 25-Aug-2001 frantzen

PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation.


# 1.22 23-Aug-2001 millert

o for a port_item, initialize the "next" pointer to NULL
o for an address, use calloc() instead of malloc() so the struct is zeroed
Fixes a SEGV in pfctl due to uninitialized "next" pointers.


# 1.21 23-Aug-2001 deraadt

Support var="string". Expansion (at lex time) done using $var, for instance:
okproto="{ssh, smtp, domain, auth}"
pass in on key0 proto tcp from any to any port $okproto keep state
Can I ask someone else to document this in pf.conf(5)?


# 1.20 19-Aug-2001 dhartmei

Add parameter list support to parser. Handles lists for protocol, hosts
and ports in filter rules, like

block in from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
pass in proto tcp from any to any port { ssh, 1024 >< 2000, > 65000 }
block in proto { udp, igmp }

and does rule expansion (generate all needed rule combinations).
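
The expansion the 1.70 and 1.20 messages describe, as an added example in C that is not pfctl's own code: every combination of protocol, source and destination becomes a separate rule, and pairs that mix IPv4 with IPv6 are dropped unless one side is "any". The enum, struct and function names and the sample lists are this example's own.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example (not pfctl's code) of the list expansion described in
 * the 1.20 and 1.70 messages.  All names below are this example's own.
 */
enum fam { FAM_UNSPEC, FAM_INET, FAM_INET6 };

struct host {
	const char	*addr;	/* textual address; "any" for FAM_UNSPEC */
	enum fam	 af;
};

struct rule {
	const char	*proto;
	struct host	 from, to;
};

/* A pair is valid if either side is "any" or both share a family (1.70). */
static int
fam_compatible(const struct host *a, const struct host *b)
{
	return a->af == FAM_UNSPEC || b->af == FAM_UNSPEC || a->af == b->af;
}

/*
 * Expand protos x from x to into out[], skipping mixed-family pairs.
 * Returns the number of rules stored (never more than max).
 */
size_t
expand_rules(const char *const *protos, size_t np,
    const struct host *from, size_t nf, const struct host *to, size_t nt,
    struct rule *out, size_t max)
{
	size_t n = 0;

	for (size_t i = 0; i < np; i++)
		for (size_t j = 0; j < nf; j++)
			for (size_t k = 0; k < nt; k++) {
				if (!fam_compatible(&from[j], &to[k]) || n == max)
					continue;
				out[n].proto = protos[i];
				out[n].from = from[j];
				out[n].to = to[k];
				n++;
			}
	return n;
}

/* Render one expanded rule in pf.conf syntax. */
int
format_rule(const struct rule *r, char *buf, size_t len)
{
	return snprintf(buf, len, "pass in proto %s from %s to %s",
	    r->proto, r->from.addr, r->to.addr);
}

/* Constructed sample: proto { tcp, udp } from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 } */
static const char *const sample_protos[] = { "tcp", "udp" };
static const struct host sample_from[] = { { "10.1.2.3", FAM_INET }, { "::1", FAM_INET6 } };
static const struct host sample_to[]   = { { "10.4.5.6", FAM_INET }, { "::2", FAM_INET6 } };
static const struct host any_host[]    = { { "any", FAM_UNSPEC } };

static struct rule expanded[16];

/* Expand the sample; returns how many rules it produced (4, not 8). */
size_t
sample_expand(void)
{
	return expand_rules(sample_protos, 2, sample_from, 2, sample_to, 2,
	    expanded, 16);
}

/* Text of the i-th expanded sample rule (static buffer). */
const char *
sample_rule_text(size_t i)
{
	static char buf[128];

	sample_expand();
	format_rule(&expanded[i], buf, sizeof buf);
	return buf;
}

/* With "any" as the source, both destination families survive. */
size_t
any_source_count(void)
{
	struct rule tmp[16];

	return expand_rules(sample_protos, 1, any_host, 1, sample_to, 2, tmp, 16);
}

int
main(void)
{
	size_t n = sample_expand();

	for (size_t i = 0; i < n; i++)
		puts(sample_rule_text(i));
	return 0;
}
```

Running it prints the four surviving rules; the two cross-family pairs (10.1.2.3 to ::2, ::1 to 10.4.5.6) are never emitted, which is the behaviour 1.70 describes for mixed lists.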


# 1.19 16-Aug-2001 deraadt

track the line number per-token, so that we can report errors correctly


# 1.18 14-Aug-2001 mickey

optimize the flags parsing; markus@ ok


# 1.17 11-Aug-2001 deraadt

\+\n support, and spit out cc-style error messages. the parser's line
counting is lex dependent, and will need to be tweaked


# 1.16 31-Jul-2001 wilfried

allow to test that flags are unset, ok dhartmei@, mickey@


# 1.15 19-Jul-2001 krw

Fix/complete the handling of the binary ops >< and <> to behave
like the ipf operators.

The 'n >< m' construct (Include Range = PF_OP_IRG) should match
ports greater than n and less than m, not greater than or equal to
n and less than or equal to m.

The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match
all ports less than n OR greater than m, not be treated as an
alias for ><.

Thus PF_OP_GL, which was used for both <> and >< is replaced with
PF_OP_IRG and PF_OP_XRG with the 'correct' semantics.

OK dhartmei@


# 1.14 18-Jul-2001 markus

new ERROR token, errx() -> warnx() + ERROR; ok deraadt@


# 1.13 18-Jul-2001 markus

KNF for return


# 1.12 18-Jul-2001 mickey

check number range to fit in 32 bits


# 1.11 18-Jul-2001 mickey

put range checks on NUMBER, pointed out by deraadt


# 1.10 17-Jul-2001 mickey

spaces, parens, err instead of errx+strerror


# 1.9 17-Jul-2001 markus

warnx()/YYERROR instead of errx(); suggested by mickey@


# 1.8 17-Jul-2001 provos

markus doesn't like min-ttl =, begone


# 1.7 17-Jul-2001 provos

support min-ttl, okay dhartmei@


# 1.6 17-Jul-2001 provos

normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@


# 1.5 17-Jul-2001 marc

bitch about ! in pf rule; ok dhartmei@ and markus@


# 1.4 17-Jul-2001 millert

Only set default proto in the rdr case; markus@ OK


# 1.3 16-Jul-2001 markus

errx() if getservbyname() fails


# 1.2 16-Jul-2001 markus

better flags parsing; dhartmei


# 1.1 16-Jul-2001 markus

add a yacc parser for pf.conf and nat.conf, with help from mickey@,
plus: -n now turns off all operations, and just parses the conf files
ok deraadt@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.709 01-Feb-2021 dlg

change route-to so it sends packets to IPs instead of interfaces.

this is a significant (and breaking) reworking of the policy based
routing that pf can do. the intention is to make it as easy as
nat/rdr to use, and more robust when it's operating.

the main reasons for this change are:

- route-to, reply-to, and dup-to do not work with pfsync

this is because the information about where to route-to is stored in
rules, and it is hard to have a ruleset synced between firewalls,
and impossible to have them synced 100% of the time.

- i can make my boxes panic in certain situations using route-to

yeah...

- the configuration and syntax for route-to rules are confusing.

the argument to route-to and co is an interface name with an optional
ip address. there are several problems with this. one is that people
tend to think about routing as sending packets to peers by their
address, not by the interface they're reachable on. another is that
we currently have no way to synchronise interface topology information
between firewalls, so using an interface to say where packets go
means we can't do failover of these states with pfsync. another
is that a change in routing topology means a host may become
reachable over a different interface. tying routing policy to
interfaces gets in the way of failover and load balancing.

this change does the following:

- stores the route info in the state instead of the pf rule

this allows route-to to keep working when the ruleset changes, and
allows route-to info to be sent over pfsync. there's enough spare bits
in pfsync messages that the protocol doesn't break.

the caveat is that route-to becomes tied to pass rules that create
state, like rdr-to and nat-to.

- the argument to route-to etc is a destination ip address

it's not limited to a next-hop address (though a next-hop can be a
destination address). this allows for the failover and load balancing
referred to above.

- deprecates the address@interface host syntax in pfctl

because routing is done entirely by IPs, the interface is derived from
the route lookup, not pf. any attempt to use the @interface syntax
will fail now in all contexts.

there's enthusiasm from proctor@ jmatthew@ and others
ok sashan@ bluhm@


# 1.708 12-Jan-2021 bluhm

Sometimes a user ID was logged in pflog(4) although the logopt of
the rule did not specify it. Check the option again for the log
rule in case another rule has triggered a socket lookup. Remove
logopt group, it is not documented and cannot work as struct pfloghdr
does not contain a gid. Rename PF_LOG_SOCKET_LOOKUP to PF_LOG_USER
to express what it does. The lookup involved is only an implementation
detail.
OK kn@ sashan@ mvs@


# 1.707 16-Dec-2020 kn

Fail to parse rules with invalid ranges

This makes pfctl(8) detect bogus ranges (with and without `-n') before
loading the ruleset and completes the previous commit.

OK sashan sthen


# 1.706 16-Dec-2020 kn

Reject rules with invalid port ranges

Ranges where the left boundary is bigger than the right one are always bogus
as they work like `port any' (`port 34<>12' means "all ports") or in a way
that inverts the rule's action (`pass ... port 34:12' means "pass no port at
all").

Add checks for all ranges and invalidate those that yield no or all ports.

For this to work on redirections, make pfctl(8) pass the range's type,
otherwise boundary including ranges are not detected as such; that is to
say, `struct pf_pool's `port_op' member was unused in the kernel so far.

`rdr-to' rules with invalid ranges could panic the kernel when hit.
Reported-by: syzbot+9c309db201f06e39a8ba@syzkaller.appspotmail.com

OK sashan
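
The port operator semantics from the 1.15 message and the range check from 1.706, as an added example in C that is not pfctl's own code. The enum and function names are this example's own; the validity test is my reading of "ranges that yield no or all ports", so `n >< n+1` is rejected as well, which may be stricter than the exact test pfctl applies.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not pfctl's code): port operator semantics per 1.15
 * and the parse-time range check per 1.706.  Names are this example's own.
 */
enum port_op {
	OP_NONE,	/* no port clause: any port              */
	OP_EQ,		/* = n                                   */
	OP_NE,		/* != n                                  */
	OP_LT,		/* < n                                   */
	OP_LE,		/* <= n                                  */
	OP_GT,		/* > n                                   */
	OP_GE,		/* >= n                                  */
	OP_IRG,		/* n >< m: greater than n and less than m */
	OP_XRG,		/* n <> m: less than n or greater than m  */
	OP_RRG		/* n:m   : n through m, both inclusive    */
};

/* Does port p satisfy the clause?  hi is only used by the range ops. */
bool
port_match(enum port_op op, uint16_t lo, uint16_t hi, uint16_t p)
{
	switch (op) {
	case OP_NONE:	return true;
	case OP_EQ:	return p == lo;
	case OP_NE:	return p != lo;
	case OP_LT:	return p < lo;
	case OP_LE:	return p <= lo;
	case OP_GT:	return p > lo;
	case OP_GE:	return p >= lo;
	case OP_IRG:	return p > lo && p < hi;
	case OP_XRG:	return p < lo || p > hi;
	case OP_RRG:	return p >= lo && p <= hi;
	}
	return false;
}

/*
 * Brute-force the whole port space: 0 means the clause can never match
 * (a dead rule), 65536 means it silently degraded to "port any".
 */
unsigned
count_matching(enum port_op op, uint16_t lo, uint16_t hi)
{
	unsigned n = 0;

	for (unsigned p = 0; p <= 65535; p++)
		if (port_match(op, lo, hi, (uint16_t)p))
			n++;
	return n;
}

/*
 * Parse-time check in the spirit of 1.706: refuse a range that yields
 * no port or every port.  Unary operators cannot be bogus this way.
 */
bool
range_valid(enum port_op op, uint16_t lo, uint16_t hi)
{
	switch (op) {
	case OP_RRG:	return lo <= hi;	/* 34:12 matches nothing        */
	case OP_IRG:	return lo + 1 < hi;	/* 34><12 and 10><11: nothing  */
	case OP_XRG:	return lo <= hi;	/* 34<>12 matches every port    */
	default:	return true;
	}
}

int
main(void)
{
	/* Constructed cases: the two bogus ranges from 1.706 plus two sane ones. */
	static const struct { const char *text; enum port_op op; uint16_t lo, hi; } cases[] = {
		{ "port 34:12",      OP_RRG, 34, 12 },
		{ "port 34<>12",     OP_XRG, 34, 12 },
		{ "port 1024><2000", OP_IRG, 1024, 2000 },
		{ "port 1024<>2000", OP_XRG, 1024, 2000 },
	};

	for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
		printf("%-16s matches %5u ports: %s\n", cases[i].text,
		    count_matching(cases[i].op, cases[i].lo, cases[i].hi),
		    range_valid(cases[i].op, cases[i].lo, cases[i].hi) ?
		    "accepted" : "rejected");
	return 0;
}
```

The brute-force count is what makes the 1.706 claim visible: `34:12` matches 0 ports, `34<>12` matches all 65536, and on a `pass` rule the first silently passes nothing while on a `block` rule the second blocks everything, which is why rejecting them at parse time (with or without `-n`) is the right place.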


# 1.705 07-Dec-2020 sashan

synproxy should be processing incoming SYN packets only.
issue noticed by sthen@. fix discussed with bluhm@ and procter@

OK bluhm@, kn@, procter@


# 1.704 01-Oct-2020 kn

rdomain IDs do not need to exist for "on rdomain N" to work

Unlike "... rtable N", pf.conf(5)'s "on rdomain N" does not alter packet
state and will always work no matter if rdomain N currently exists or not,
i.e. the rule "pass on rdomain 42" will simply match (and pass) packets if
rdomain 42 exists, and it will simply not match (neither pass nor block)
packets if 42 does not exist.

There's no need to reload the ruleset whenever routing domains are created
or deleted, which can already be observed now by creating an rdomain,
loading rules referencing it and deleting the same rdomain immediately
afterwards: pf will continue to work as expected.

Relax both pfctl(8)'s parser check as well as pf(4)'s copyin routine to
accept any valid routing domain ID without expecting it to exist at the time
of ruleset creation - this lifts the requirement to create rdomains before
referencing them in pf.conf while keeping pf behaviour unchanged.

Prompted by yasuoka's recent pfctl parse.y r1.702 commit requiring an rtable
to exist upon ruleset creation.

Discussed with claudio and bluhm at k2k20.

Feedback sashan
OK sashan yasuoka claudio


Revision tags: OPENBSD_6_8_BASE
# 1.703 17-Sep-2020 yasuoka

Fix the previous commit whose conditions were reversed.

ok kn


# 1.702 17-Sep-2020 yasuoka

Make pfctl(8) check if the rtable really exists when parsing the
config. work with and diff from kn

ok kn


Revision tags: OPENBSD_6_7_BASE
# 1.701 28-Jan-2020 bket

sbin/pfctl: replace TAILQ concatenation loop with TAILQ_CONCAT

OK kn@, sashan@, florian@


# 1.700 15-Jan-2020 kn

Do the actual pfr_strerror() to pf_strerror() rename

Missed in previous


# 1.699 17-Oct-2019 millert

Use -1 to indicate an invalid uid/gid, not UID_MAX and GID_MAX.
This is the userland portion. OK deraadt@ sashan@


Revision tags: OPENBSD_6_6_BASE
# 1.698 26-Aug-2019 tobhe

Fix file descriptor leak due to popfile() never closing the main config file.

The fix is the same as for other parse.y files in the tree (see bgpd(8) or
unwind(8))

ok bluhm@


# 1.697 05-Jul-2019 patrick

Fix integer sizes in format strings and enable formatting warnings
for yyerror.

From Moritz Buhl
ok bluhm@ claudio@


# 1.696 08-May-2019 sashan

pfctl should check pfctl.astack is not overrun
(bug found and fixed by Petr Hoffmann _at_ oracle.com)

OK kn@


# 1.695 18-Apr-2019 kn

Fix table definition parsing as unprivileged user

revision 1.689 introduced warn_duplicate_tables() unconditionally, breaking
the parser on tables with insufficient permissions to open pf(4):

$ echo 'table <t>' | pfctl -nf-
pfctl: pfr_get_tables: Bad file descriptor

So simply check whether pfctl is able to get the table list first. If not,
instead of silently avoiding namespace collision checks, print a brief
notice iff `-v' is given to help finding duplicate definitions by hand:

$ echo 'table <t>' | ./obj/pfctl -vnf-
table <t>
stdin:1: skipping duplicate table checks for <t>

Reported by Rivo Nurges, thanks!
OK benno sashan


Revision tags: OPENBSD_6_5_BASE
# 1.694 06-Mar-2019 kn

Fix once rules

parse.y revision 1.682 from 16.07.2018 erroneously allowed `match once' and
`anchor "a" once'.

Fix both by checking for PF_DROP not PF_MATCH and creating anchors in the
parser already such that they can be used to distinguish anchor rules in
the same check as well.

Found and fixed by Petr Hoffmann <petr.hoffmann at oracle dot com>, thanks!

While here, remove an unneeded cast and make pfctl_add_rule() void as it
always returned 0.

OK sashan


# 1.693 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.692 10-Feb-2019 kn

Anchor names must not be empty

The parser would allow bogus input and sometimes even produce invalid rules
on empty anchor names, so error out immediately.

OK sashan


# 1.691 10-Feb-2019 kn

Unify anchor name sanity checks

For anchor names, make `load anchor' use the same grammar as `anchor' and
merge unique checks from both places so that anchor names are validated
regardless of the specific rule at hand.

OK sashan


# 1.690 31-Jan-2019 kn

Make divert-packet port accept any port specification

Contrary to other rules accepting a single port, this one only works with
numerical values. Fix it by simply using the proper grammar.

Port ranges are not accepted, but an error message on a range without start
was missing in general, so add it while here.

OK bluhm


# 1.689 11-Jan-2019 kn

When creating tables inside anchors, pfctl warned about namespace
collisions with global tables, but only in certain cases and with
limited information sometimes leaving users clueless.

Deferring the check to process_tabledefs() where tables are eventually
created, both anchor and table name are known which allows for checking
all existing anchors.

With this, warn on all duplicates even in dry-runs (`-n') and print
quoted names so they can be copied to fix configurations right away.

No functional change in parsing or ruleset production.

Discussed with and OK sashan


# 1.688 15-Nov-2018 dlg

scrub opts don't set tos, so remove it from the scrub_opts struct

ok deraadt@


# 1.687 10-Nov-2018 kn

Unbreak `-D macro=value' (r1.686 regression)

Zap trailing semicolon introduced with miko's cmdline_symset() leading to
unconditional err(3). Zap trailing tab while here.


# 1.686 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.685 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.684 16-Sep-2018 millert

Use uid_from_user(3) and gid_from_group(3) in utilities that
do repeated lookups. OK tb@


# 1.683 06-Sep-2018 kn

Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan


# 1.682 16-Jul-2018 kn

reduce duplicate code, fix typo/free correct buffer

In filteropts_to_rule():

* Merge `once' handling from `anchorrule' and `pfrule'
* Remove/shorten duplicate code block
* Fix typo I introduced with r1.678 that frees the wrong buffer (twice)

OK sashan


# 1.681 13-Jul-2018 kn

Fix regression on child queue definitions

I committed the wrong diff in 1.680 which turned `queue cq parent pq ...'
into invalid syntax by changing `interface' to `ON if_item'.

Found by bket, thanks!


# 1.680 11-Jul-2018 kn

Prevent invalid interface specifiers on queue rules

pf.conf(5) states that queues attach to actual interfaces only, yet the
following parses:

# echo queue eq on egress bandwidth 1G default | pfctl -f-
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

# echo queue rq on rdomain 0 bandwidth 1G default | pfctl -vf-
queue rq bandwidth 1G default
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

On rdomains, ifa_exists() returns NULL.
On interface groups, ifa_exists() returns non-NULL but af is never set
to AF_LINK.

OK henning sashan


# 1.679 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.678 10-Jul-2018 henning

'set delay' for the generic packet delay mechanism, ok benno sashan


# 1.677 10-Jul-2018 kn

fix anchor rules with filter opts, introduce filteropts_to_rule()

Some filter options were parsed but not set on anchor rules due to missing
copies of the respective struct members:

$ cat pf.conf
queue rq on trunk0 bandwidth 1G
queue dq parent rq bandwidth 1G default
anchor a set queue dq
$ pfctl -vnf pf.conf | fgrep queue
anchor "a" all

Fix this by moving common code from `anchorrule' and `pfrule' into a new
helper filteropts_to_rule().

Input from henning and benno
OK henning sashan jca


# 1.676 09-Jul-2018 kn

Zap dead code

Commented since r1.465 (2004).

OK deraadt benno jca sashan


# 1.675 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.674 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.673 18-May-2018 benno

A pf rule with a "on rdomain n" with nonexisting rdomain n will cause an

pfctl: DIOCADDRULE: Device busy

error when loading the ruleset, with no information which rule caused
the problem and no indication that the problem is the rdomain
<nonexisting>.

This diff makes pfctl check if the rdomain really exists when parsing
the config.

ok bluhm@


# 1.672 09-May-2018 otto

Fix (include file ) line number counting by keeping track of the unget
buffer per file; also use that buffer to expand macros.
ok sashan@ dennis@ krw@


# 1.671 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.670 08-Feb-2018 henning

make the watermarks/thresholds for entering and leaving syncookie mode when
syncookies are set to adaptive tunable, ok claudio benno


# 1.669 06-Feb-2018 henning

allow control over syncookies: set syncookies never/always/adaptive


# 1.668 28-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@


# 1.667 27-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Convert the pfctl(8) rule parser to divert types, kernel cleanup
will be the next step.
OK sashan@


# 1.666 25-Nov-2017 sashan

- pfctl fails to handle nested 'load anchor' properly
[ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]

OK bluhm@


# 1.665 14-Nov-2017 sashan

- nested anchors vs. pfctl/parse.y
bug reported and fix tested by Leonardo Guardati

OK bluhm@


# 1.664 13-Nov-2017 henning

add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb


Revision tags: OPENBSD_6_2_BASE
# 1.663 11-Aug-2017 benno

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@


# 1.662 19-Jul-2017 mikeb

Allow HFSC classes to use flow queues

The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue. Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.

Discussed with and OK henning@ at d2k17 as a part of a larger diff.


# 1.661 19-Jul-2017 mikeb

Rework HFSC vs FQ-CoDel checks

The selection mechanism introduced in pf_ioctl.c -r1.316 suffers
from being too ambiguous and lacks robustness. Instead of relying
on composition of multiple flags in the queue specification, it's
easier to identify the root class (if it exists) and derive all
further checks from it.


# 1.660 28-May-2017 akfaew

Don't check np->port for NULL - it's an array, it's never NULL.

OK bluhm@


# 1.659 15-May-2017 mikeb

Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)

OK sthen, visa


# 1.658 28-Apr-2017 mikeb

Remove double assignments


Revision tags: OPENBSD_6_1_BASE
# 1.657 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.656 23-Nov-2016 bluhm

Explicitly forbid to combine af-to with route-to in pfctl. The
parser cannot handle that correctly and it is unclear whether the
kernel code would work. Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@


# 1.655 26-Aug-2016 guenther

Add <time.h> for time(); sort <*.h> includes

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.654 18-Jul-2016 henning

g/c unused (global!) var: oqueues isn't used any more. ALTQ leftover; not
noticed since struct node_queue stayed. ok claudio benno gcc


# 1.653 22-Jun-2016 kettenis

Add curly braces that were missed in rev 1.651. Add parentheses to make the
condition in the if statement more readable while I'm there.

ok phessler@, benno@, florian@


# 1.652 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.651 21-Jun-2016 benno

the manpage documents that af-to does not work on pass out rules, but
the pf.conf parser allows it, which leads to a non-working configuration
being loaded.
this changes the parser to make pass out .. af-to an error.

ok henning@ mikeb@


# 1.650 16-Jun-2016 henning

allow include in inline anchors
with this,
anchor foo {
include "/path/to/rules"
}
works and "load anchor" is obsolete, to be removed somewhen later after
release.
co-production with reyk at bsdcan, ok reyk mikeb benno sasha


Revision tags: OPENBSD_5_9_BASE
# 1.649 01-Sep-2015 sashan

- route-to, dup-to, reply-to should not override the block action

Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>

ok jung@, ok mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.648 21-Apr-2015 mikeb

Improve divert-to specification parsing w.r.t. rule address family.
ok henning


Revision tags: OPENBSD_5_7_BASE
# 1.647 26-Feb-2015 sthen

%% not % in error message; ok millert@ henning@


# 1.646 14-Feb-2015 sthen

Rather than using 0xff as a placeholder for "don't check prio", use 0xff to
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.

Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesn't like it he can change it when he recovers from jet-lag"


# 1.645 10-Feb-2015 henning

since we inherit prio (as in, the queuing priority) from outside sources,
i. e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan


# 1.644 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.643 19-Dec-2014 reyk

Support source-hash and random with tables and dynifs; not just pools.
This finally allows using source-hash for dynamic load balancing, e.g.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.

An older pre-siphash version of this diff was tested by many people.

OK tedu@ benno@


# 1.642 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.641 27-Oct-2014 mikeb

Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic. Reported by sthen@;
ok henning benno sthen


# 1.640 25-Oct-2014 lteo

Remove unnecessary netinet/in_systm.h include.

ok millert@


# 1.639 13-Sep-2014 doug

Replace all queue *_END macro calls except CIRCLEQ_END with NULL.

CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.

ok millert@


# 1.638 23-Aug-2014 pelikan

when you specify queues in a rule, make sure they have been defined.

DIOCADDRULE EBUSY turns into an error message that pfctl -n catches.
DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported
to occur, possibly from hfsc.c: this should be fixed as well.

ok henning mikeb sthen


# 1.637 21-Aug-2014 mikeb

deny "once" flags for match rules; ok henning


Revision tags: OPENBSD_5_6_BASE
# 1.636 02-Jul-2014 mikeb

branches: 1.636.4;
condition above makes this part of the check useless;
overlooked in the previous commit


# 1.635 30-Jun-2014 mikeb

Merge two loops in collapse_redirspec into one

This lets us do the checks only once and also make smarter decisions
about the rule's own address family. As a result af-to rules no longer
need to specify the address family after 'pass'.

ok henning


# 1.634 25-Jun-2014 mikeb

Make stricter decisions when handling translation specifications.

In particular, disallow specifications containing addresses of
different address families when rule doesn't specify one, for
example "pass out nat-to { ::1 1.1.1.1 }" will now produce an
error instead of silently picking one of the addresses.

sthen and deraadt agree


# 1.633 17-May-2014 bluhm

When parsing a numerical value for the TOS bits, make sure that it
is in a valid range.
OK henning@


# 1.632 19-Apr-2014 henning

remove altq bits here, too
(i was convinced i committed that yesterday already, hrm)


Revision tags: OPENBSD_5_5_BASE
# 1.631 22-Jan-2014 henning

branches: 1.631.4;
relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.630 21-Jan-2014 henning

if_item can be "any" now.
allows things like
block out on $someif received-on any
to prevent packets to get forwarded to $someif


# 1.629 20-Jan-2014 henning

support "!received-on <interface>", ok dlg benno


# 1.628 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.627 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


# 1.626 17-Oct-2013 henning

cannot have queue definitions inside anchors.
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@ring0.de>, analysis & fix yours truly


# 1.625 12-Oct-2013 henning

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen


# 1.624 01-Aug-2013 mikeb

Provide local implementations of if_nametoindex(3) and if_indextoname(3)
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance wise this change provides a speed up
factor of 20 with an 11k line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).

"wow!" henning, ok benno, florian


Revision tags: OPENBSD_5_4_BASE
# 1.623 01-Jun-2013 henning

branches: 1.623.2;
remove set-tos backwards compat, moved into the set {} block a year ago
ok ryan


# 1.622 02-Mar-2013 sthen

When a PF rule contains 'set tos' *followed by* a scrub option, the tos
value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning


Revision tags: OPENBSD_5_3_BASE
# 1.621 16-Jan-2013 henning

for consistency with prio etc, the queue assignment really belongs
into the set block. so make pfctl accept, print and the manpage document
. match set queue foo
instead of
. match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc


# 1.620 18-Oct-2012 reyk

Disallow tables and interface address pools for rdr-to, nat-to and
route-to with any other scheduling algorithms than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, e.g. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.

Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.

ok zinke@


# 1.619 18-Sep-2012 henning

prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb


Revision tags: OPENBSD_5_2_BASE
# 1.618 10-Jul-2012 bluhm

Allow an implicit address family for af-to rules. If the address
family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6"
there.
OK henning@ mikeb@


# 1.617 10-Jul-2012 henning

set { ... } -> set ( ... )
brought up by ryan, discussed with him and theo and they convinced me


# 1.616 09-Jul-2012 henning

fix some of the confusion we have in pf regarding filter criteria vs
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler


# 1.615 07-Jul-2012 henning

remove incorrect check in pfctl preventing set-tos for ipvshit.
the kernel has code to deal with set-tos and that crap. don't ask for
details. stuart ok


# 1.614 07-Jul-2012 henning

rename prio in struct pf_rule and related structs to set_prio so it is
utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc


Revision tags: OPENBSD_5_1_BASE
# 1.613 19-Dec-2011 mikeb

unbreak rule optimizer; ok henning, looks


# 1.612 12-Dec-2011 mikeb

fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault


# 1.611 03-Dec-2011 mcbride

pfctl_set_hostid always returns 0; don't pretend otherwise and make it a
void function instead.

ok dlg


# 1.610 13-Oct-2011 claudio

pfctl change for af-to / NAT64 support.
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@


# 1.609 07-Sep-2011 haesbaert

Avoid possible SIGSEGV when wrong tos option.


# 1.608 30-Aug-2011 mikeb

One shot rules can be used in pf.conf by specifying a "once" filter option.

ok henning, mcbride


Revision tags: OPENBSD_5_0_BASE
# 1.607 29-Jul-2011 mcbride

Remove requirement to quote 'debug' loglevel for the 'debug' option.

ok henning


# 1.606 27-Jul-2011 mcbride

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt


# 1.605 13-Jul-2011 mcbride

Force user to specify protocol when filtering on user, gid, and os
attributes (this is now required by pf_rule_test()).

ok sthen henning


# 1.604 08-Jul-2011 henning

allow rules to specify "prio X" or "prio (X, Y)" to assign priority levels
for the new priority queueing implementation. valid range is 0 to 7. the old
trick for prioritizing empty ACKs etc remains thru the latter notation
ok ryan mpf sthen plus pea testing and halex and claudio reading


# 1.603 07-Jul-2011 mcbride

Fold pf_test_fragment() into pf_test_rule(), reduce code and fixes
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus


# 1.602 04-Jul-2011 henning

bye bye require-order.
i added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo


# 1.601 03-Jul-2011 henning

g/c RIO traces (aka clean up after tedu :))


# 1.600 03-Jul-2011 zinke

bring in least-states load balancing algorithm

ok mcbride@ henning@


# 1.599 06-Apr-2011 claudio

Userland bits to allow PF to filter on the rdomain a packet belongs to.
This allows writing rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@


# 1.598 05-Apr-2011 mikeb

ditch fastroute, an ipf feature that made its way into pf before
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do. reuse some kernel bits for the upcoming nat64
stuff. "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.


Revision tags: OPENBSD_4_9_BASE
# 1.597 31-Dec-2010 bluhm

According to pf_scrub_ip6() pf does not support the scrub options
no-df, random-id, set-tos for IPv6 rules. Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@


# 1.596 15-Dec-2010 henning

make the "invalid probability:" yyerror suck less
From: Thomas Pfaff <tpfaff@tp76.info>


# 1.595 01-Dec-2010 jsg

remove some unused tokens
ok henning@ mcbride@


# 1.594 24-Sep-2010 henning

remove the check that enforced rdr-to only inbound and nat-to only outbound.
both now can be used in both directions. the kernel allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given, a rule with rdr-to and/or nat-to
and no direction is pretty certainly an error (even though it would work,
technically)
ok ryan claudio dlg


# 1.593 22-Sep-2010 henning

new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually


# 1.592 02-Sep-2010 sobrado

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@


Revision tags: OPENBSD_4_8_BASE
# 1.591 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.590 03-Jul-2010 mcbride

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.

tested by phessler
ok henning


# 1.589 23-Mar-2010 henning

remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving anchors aside) is wrong and
conflicts with the general idea of how pf works. last but not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc


Revision tags: OPENBSD_4_7_BASE
# 1.588 13-Jan-2010 deraadt

Move tokens before productions into more consistent places
ok mcbride


# 1.587 13-Jan-2010 mcbride

Allow /netmask notation in redir spec, fix the rest of the regress
tests for illegal conditions in translation/routing.


# 1.586 12-Jan-2010 mcbride

We actually have to keep the translate/route spec addresses around after
collapsing into tables, so that we can handle all possible address family
expansions.


# 1.585 12-Jan-2010 mcbride

Set roundrobin flag correctly, and don't treat a bare interface
like a dynamic one in the routespec.


# 1.584 12-Jan-2010 mcbride

Add restrictions to make @if illegal outside of routing specs;
Fix binat-to sanity checks.


# 1.583 12-Jan-2010 mcbride

Fix some issues in redir spec handling, discovered thanks to dlg testing
- purge irrelevant addresses from the lists before collapsing
- ensure the lists are freed after they're collapsed
- more careful ifname copying, avoiding double-free / use-after-free traps


# 1.582 12-Jan-2010 mcbride

Don't leak @if0 format routing host names, pointed out by claudio.


# 1.581 12-Jan-2010 mcbride

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio


# 1.580 10-Jan-2010 deraadt

lex <=, >=, and != into a single token for correctness and to reduce the
lookahead in the parser
ok henning otto


# 1.579 10-Jan-2010 deraadt

In the non-optimized case, an address list containing "any" (i.e. { any 10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1. How long this bug has
been with us is unclear.
ok guenther mcbride


# 1.578 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


# 1.577 24-Dec-2009 dlg

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:

pass out on em0 from $foo to $bar received-on fxp0

ive been running this in production for a week now. i find it particularly
useful with interface groups.

no objections, and a few "i like"s from henning, claudio, deraadt, mpf


# 1.576 10-Dec-2009 deraadt

plug some memory leaks; found by parfait, ok henning


# 1.575 22-Nov-2009 henning

cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing


# 1.574 09-Nov-2009 jsg

A few more places to be updated for the route pool change.
expanded version of a diff from Vadim Zhukov.

ok henning@ claudio@


# 1.573 28-Oct-2009 jsg

Add a dedicated pf pool for route options as suggested by henning,
which unbreaks i.e. route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@


# 1.572 28-Oct-2009 claudio

route_host initializes the netmask to a /128 no matter what af is used so
that the load balancing code does not freak out but because of this
check_netmask() is now complaining. So set the addr.type to PF_ADDR_DYNIFTL
so check_netmask() is fixing up the netmask for IPv4 and stops complaining.
This is a partial fix for the failing regress test 13.
found with jsg, looks good henning


# 1.571 28-Oct-2009 claudio

Correct function name in err and errx.


# 1.570 04-Oct-2009 michele

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who pointed out the limitations of this approach.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@


# 1.569 08-Sep-2009 michele

I had not enough oks to commit this diff.
Sorry.


# 1.568 08-Sep-2009 michele

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.


# 1.567 07-Sep-2009 reyk

implement binat-to as a macro-like rule: a rule using the new binat-to
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. this simplifies the migration from old
binat rules and is less error-prone.

feedback from many, manpage bits from jmc@
ok henning@


# 1.566 03-Sep-2009 reyk

this time i commit the right diff that was
ok henning@ (sorry)


# 1.565 03-Sep-2009 reyk

fix two route-to vs. rdr-to conflicts.

found by sthen@
ok henning@


# 1.564 02-Sep-2009 reyk

all the new *-to options are part of the "filteropts" section at the
end of a pf rule (nat-to, divert-to, rdr-to, ...). take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.

for example,
pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)

many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@


# 1.563 01-Sep-2009 henning

the diff theo calls me insanae for:
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too


# 1.562 28-Jul-2009 claudio

Bring back rev. 1.560:
Make it possible to use DiffServ Code Point in the TOS fields.
Requested by deraadt@


# 1.561 27-Jul-2009 deraadt

When will people learn to commit their .h file changes?


# 1.560 27-Jul-2009 claudio

Make it possible to use DiffServ Code Point in the TOS fields. Names like
af11, cs6 and ef will now be mapped to the corresponding TOS value.
OK henning@, sthen@, mcbride@


Revision tags: OPENBSD_4_6_BASE
# 1.559 14-May-2009 sthen

actually change the require-order default to No; I missed a part with
my last commit. ok deraadt@


# 1.558 26-Apr-2009 sthen

switch the require-order default to "no". regression tests still pass.
ok henning@ deraadt@


# 1.557 25-Apr-2009 henning

scrub_opts must not be empty, scrub on its own does nothing.
noticed due to a question from otto@, ok regress/sbin/pfctl/ ;)


# 1.556 06-Apr-2009 henning

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.
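
As an added illustration (not part of this history log, and not pfctl or pf code), the following constructed Python evaluator models the rule-evaluation semantics described in the 1.556 message above: match rules never change the pass/block verdict, their queue and rtable settings are applied every time they match (the last rule that set one wins), they log every time they match, and the last matching pass or block rule decides the verdict and applies its own settings last. The Packet and Rule classes, the ruleset, the queue names and the addresses are constructed for the example; a default-pass verdict when no rule matches is assumed.

```python
"""Toy model of pf match-rule semantics (constructed example, not pf/pfctl code)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str


@dataclass
class Rule:
    action: str                  # "pass", "block" or "match"
    src: Optional[str] = None    # None means "any"
    dst: Optional[str] = None
    proto: Optional[str] = None
    queue: Optional[str] = None  # "set queue" style assignment
    rtable: Optional[int] = None
    log: bool = False

    def matches(self, pkt: Packet) -> bool:
        return all(want is None or want == have for want, have in
                   ((self.src, pkt.src), (self.dst, pkt.dst), (self.proto, pkt.proto)))


@dataclass
class Verdict:
    action: str = "pass"         # assumed default when no rule matches
    queue: Optional[str] = None
    rtable: Optional[int] = None
    logs: List[int] = field(default_factory=list)  # indices of rules that logged


def _apply_settings(rule: Rule, v: Verdict) -> None:
    # A later setter overrides an earlier one; unset options are left alone.
    if rule.queue is not None:
        v.queue = rule.queue
    if rule.rtable is not None:
        v.rtable = rule.rtable


def evaluate(rules: List[Rule], pkt: Packet) -> Verdict:
    v = Verdict()
    deciding = None
    for i, rule in enumerate(rules):
        if not rule.matches(pkt):
            continue
        if rule.action == "match":
            # Every time a match rule matches, its settings and logging take effect,
            # but the pass/block state of the packet is untouched.
            _apply_settings(rule, v)
            if rule.log:
                v.logs.append(i)
        else:
            deciding = i         # last matching pass/block rule wins
    if deciding is not None:
        rule = rules[deciding]
        v.action = rule.action
        _apply_settings(rule, v)  # the deciding rule's own settings override, if any
        if rule.log:
            v.logs.append(deciding)
    return v


def example_ruleset() -> List[Rule]:
    # Constructed ruleset; addresses are documentation ranges.
    return [
        Rule("match", src="10.0.0.5", queue="lowdelay", log=True),  # 0
        Rule("match", proto="icmp", rtable=1),                       # 1
        Rule("pass", src="10.0.0.5", proto="tcp"),                   # 2: no queue, so lowdelay stays
        Rule("block", proto="icmp"),                                 # 3
        Rule("match", proto="icmp", queue="bulk", log=True),         # 4: does not undo the block
        Rule("pass", proto="udp", queue="default"),                  # 5: deciding rule with its own queue
    ]


if __name__ == "__main__":
    rules = example_ruleset()
    for pkt in (Packet("10.0.0.5", "198.51.100.1", "tcp"),
                Packet("10.0.0.5", "198.51.100.1", "icmp"),
                Packet("10.0.0.5", "198.51.100.1", "udp"),
                Packet("192.0.2.9", "198.51.100.1", "gre")):
        print(pkt, "->", evaluate(rules, pkt))
```

Running it shows the cases the message spells out: the tcp packet is passed by rule 2 but keeps the queue set by the earlier match rule, the icmp packet stays blocked by rule 3 even though match rule 4 fires afterwards (and rule 4's queue still wins), the udp packet takes the queue of the deciding pass rule, and a packet matching nothing gets the default verdict with no settings.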


Revision tags: OPENBSD_4_5_BASE
# 1.555 19-Feb-2009 deraadt

spacing


# 1.554 17-Oct-2008 henning

in findeol(), do not skip the pushback buffer. fixes PR 5952 by sthen@ and
should make the pushback buffer really transparent.
diagnosis by me, fix with mpf, some input deraadt, ok mpf


# 1.553 02-Oct-2008 henning

implement "set state-defaults X", where X is a list of state options as
permitted keep state(X). applies to all rules which do not have keep state
explicitly. e. g. "set state-defaults pflow, no-sync"
ok phessler deraadt


# 1.552 10-Sep-2008 deraadt

do not try to print $$ when it has not been set


# 1.551 09-Sep-2008 henning

welcome pflow(4), a netflow v5 compatible flow export interface.
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo


# 1.550 07-Aug-2008 henning

correctly copy the log interface spec when expanding an antispoof rule that
covers loopback addresses. ok ryan
problem report from Harald Dunkel <harald.dunkel@aixigo.de>


Revision tags: OPENBSD_4_4_BASE
# 1.549 03-Jul-2008 deraadt

do not forget to initialize other members of $$ in qname; noted by mark shroyer
ok henning


# 1.548 10-Jun-2008 mcbride

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt


# 1.547 10-Jun-2008 henning

new state option "sloppy" to use the sloppy tcp state tracker instead
of the good one. ok theo ryan reyk


# 1.546 09-May-2008 deraadt

Replace a crockpot of semi-cloned productions for handling port
numbers with one, and fix a few other bugs along the way
ok mpf henning


# 1.545 09-May-2008 markus

convert port byte order in the production; add port keyword; ok deraadt@


# 1.544 09-May-2008 markus

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@


# 1.543 08-May-2008 deraadt

make "to any" optional in binat, or well, the implied default.
requested by reyk, ok reyk mpf


# 1.542 08-May-2008 deraadt

Loosen grammar to permit any number of newlines within most kinds of { }
blocks, as requested by reyk; ok reyk mpf henning


# 1.541 08-May-2008 deraadt

Bring back (in a more yacc friendly way) support for setting variables
to a sequence of strings and numbers, which get folded together into one
string (and later, when used, is re-lexed)
ok mpf


# 1.540 07-May-2008 deraadt

do not assume PF_INOUT is 0 in the enum; ok mcbride


# 1.539 07-May-2008 markus

scrub packets based on tags; ok henning


# 1.538 07-May-2008 markus

allow setting TOS with scrub; ok mcbride, claudio


# 1.537 21-Apr-2008 deraadt

optnl is a crutch for those who do not understand yacc. it
leads to a variety of errors; ok mcbride


Revision tags: OPENBSD_4_3_BASE
# 1.536 01-Feb-2008 mcbride

Enable the rest of the filter_opts to be used on anchors. These were accepted
by the parser but not passed to the kernel. This allows filtering based on
uid, gid, icmp options, tcp flags, os fingerprint, tos, tags, and probability;
It also allows the label to be set. State options and tagging are not
permitted.

ok henning mpf


# 1.535 13-Nov-2007 mpf

Bring back the number converter for 'set hostid'.
I forgot to think about hex numbers when I removed it.
OK deraadt@


# 1.534 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.533 25-Oct-2007 mpf

Fix probability rules w/ numbers (e.g. probability 0.4).
Add support for probabilities of 0% and 100%.
With and OK deraadt@


# 1.532 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.531 22-Oct-2007 deraadt

pfctl does not need file secrecy


# 1.530 16-Oct-2007 mpf

Allow unquoted numbers in variables.
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.

OK deraadt@


# 1.529 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.528 13-Oct-2007 deraadt

support an include directive; file of course must also be "secure" like
the main configuration file; ok henning


# 1.527 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.526 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.525 01-Oct-2007 mpf

Backout NUMBER to string conversion.
Requested by deraadt@


# 1.524 27-Sep-2007 mpf

Add loginterface support for groups.
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.

OK henning@, markus@


# 1.523 23-Sep-2007 mpf

Allow numbers to be used as unquoted strings again.
While there, also restrict the use of concatenated, unquoted
strings for variable assignments only.

Eyeballed by markus@, OK henning@


# 1.522 12-Sep-2007 deraadt

add a missing range check for rtable ids; ok cloder henning


# 1.521 12-Sep-2007 deraadt

Add support to the lex for parsing numbers out of the stream. handle
this in the parser. because the new numbers are int64_t, many new
range checks for < 0 are needed. re-check and improve all the
existing range checks while at it. thanks for help by cloder and
dhartmei


# 1.520 30-Aug-2007 dhartmei

add support for address ranges ("from 10.1.2.50 - 10.1.3.75") in from/to
criteria. ok mcbride@


Revision tags: OPENBSD_4_2_BASE
# 1.519 21-Jun-2007 henning

always initialize logif, from max laier, ok ryan


# 1.518 20-Jun-2007 mpf

Allow "log" for nat rules without "pass".
OK henning@, ``passt scho'' markus@


Revision tags: OPENBSD_4_1_BASE
# 1.517 03-Feb-2007 dhartmei

in decide_address_family(), only limit a rule to a specific address family
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@


# 1.516 07-Nov-2006 mcbride

Unbreak authpf by handling non-inline anchors separately from the { } anchors
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.

ok deraadt@


# 1.515 31-Oct-2006 mcbride

Allow pfctl ruleset optimizer to be controlled from the ruleset.

"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]

You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.

cleanup and ok henning@


# 1.514 31-Oct-2006 mcbride

- don't allow anchors with _* names to be cleared or loaded from the
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified

'looks sensible' deraadt@


# 1.513 28-Oct-2006 mcbride

Load all rules into memory before loading into the kernel, and add support
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").

anchor on fxp0 {
pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@


# 1.512 25-Oct-2006 henning

make absolutely sure logif is 0 unless set specifically, even if log is 0.
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...


# 1.511 25-Oct-2006 henning

and another nit, $$.log should be set to 0 explicitly on quick without log


# 1.510 25-Oct-2006 henning

urgs, $$.quick needs to be set to 0 explicitly on log (without quick)


# 1.509 25-Oct-2006 henning

allow the log interface to be selected like
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride


# 1.508 17-Oct-2006 mcbride

Don't automatically set 'flags S/SA' on stateless rules.

pointed out by david@

ok mpf@ dhartmei@


# 1.507 11-Oct-2006 deraadt

quotes around filename, pr 5253, sthen@zephyr.spacehopper.org


# 1.506 11-Oct-2006 mcbride

Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside
the anchor, terminate ruleset evaluation when stepping out of the anchor.

This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.

ok dhartmei@ henning@ deraadt@


# 1.505 06-Oct-2006 mcbride

Oops, flags S/SA doesn't work on fragments.


# 1.504 06-Oct-2006 mcbride

Make 'flags S/SA keep state' the implicit for filter rules, based on
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.

IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.

Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.

ok dhartmei@ deraadt@ henning@


Revision tags: OPENBSD_4_0_BASE
# 1.503 22-Aug-2006 dhartmei

back out -r1.497 (support for "tagged {}" lists), it broke "tagged" support
for nat rules. sorry, existing functionality trumps syntactic sugar. feel
free to resubmit a complete patch. closes PR 5207.


# 1.502 06-Jul-2006 henning

add "rtable" to select alternate routing tables.
with & ok claudio hshoexer


# 1.501 17-Jun-2006 henning

KNF


# 1.500 28-May-2006 mcbride

Make per-rule adaptive timeouts behave the same way as the global adaptive
timeouts.


# 1.499 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.498 02-May-2006 dhartmei

fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, create
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.


# 1.497 01-May-2006 dhartmei

add support for "tagged {}" lists, from Pierre-Yves Ritschard


# 1.496 06-Apr-2006 henning

allow lists inside lists for address specs, has been in my tree for
quite some time... theo likes


# 1.495 14-Mar-2006 djm

implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@


Revision tags: OPENBSD_3_9_BASE
# 1.494 17-Nov-2005 dhartmei

for pfctl -f rules, open the file before resetting options. when opening
the file fails, produce only the error message and leave options
unchanged. reported by Tamas TEVESZ, ok deraadt@


# 1.493 13-Oct-2005 henning

unused parameters


Revision tags: OPENBSD_3_8_BASE
# 1.492 14-Jun-2005 henning

no need to restrict tagging to stateful rules any more, dhartmei ok
From: "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.491 27-May-2005 dhartmei

get rid of 'log-all'. now that we have 'log (options)', make 'all' an
option to log. so, 'log-all' becomes 'log (all)'.


# 1.490 27-May-2005 dhartmei

get rid of shift/reduce conflicts, don't support empty logopts


# 1.489 27-May-2005 dhartmei

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v is used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.


# 1.488 27-May-2005 dhartmei

allow 'tagged' in 'anchor' rules (without complaining about missing
'keep state'), as a condition to branch into the anchor. suggested
by Bill Marquette.


# 1.487 26-May-2005 camield

The illegalness of "no nat log" is already enforced by the grammar.

ok dhartmei


# 1.486 26-May-2005 dhartmei

support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@


# 1.485 23-May-2005 camield

remove code that duplicates getservice()

ok dhartmei mcbride


# 1.484 21-May-2005 henning

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo


# 1.483 22-Apr-2005 camield

Catch bad flags, ie. flags that always evaluate to false. This happens
if there are flags on the lefthandside that are masked off by the
righthand side.

ok mcbride@ (long time ago) dhartmei@ henning@


Revision tags: OPENBSD_3_7_BASE
# 1.482 07-Mar-2005 henning

print unsigned long with %lu, not with %d and not with %ld.
From: Andrey Matveev <andrushock@korovino.net>


# 1.481 06-Mar-2005 henning

allow commas in the hfsc service curve spec, inconsistency pointed out in
PR4134 / geoff@collyer.net and a longer mail exchange with han boetes


# 1.480 06-Mar-2005 dhartmei

print "set skip on" with -v in such a way that the output is valid input
syntax, instead of the cryptic hex flags output.


# 1.479 27-Feb-2005 dhartmei

support 'tagged' in translation rules, non-delayed tag lookup
ok henning@, deraadt@


# 1.478 26-Feb-2005 henning

you sure get the impression the number of memory leaks in error paths
is infinite... Andrey Matveev <andrushock@korovino.net> spotted a few again!


# 1.477 07-Feb-2005 david

KNF; ok henning@


# 1.476 28-Jan-2005 dhartmei

add messages for syntax errors that caused silent failure before.
found by Peter Fraser, ok henning@


# 1.475 27-Jan-2005 dhartmei

dynamic interface names must start with a letter. catches the nonsensical
"(10.1.2.3)" that results from a simple typo like "$(ext_ip)" instead of
"$(ext_if)".


# 1.474 05-Jan-2005 mcbride

Modify pfctl behaviour so that 'set ...' options are no longer "sticky", ie.
they are reset to default values if omitted from a subsequent ruleset load.
Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set
without resetting the others, eg:
# echo "set loginterface fxp0" | pfctl -mf -

ok henning@ dhartmei@


# 1.473 29-Dec-2004 mcbride

Print 'set fingerprints' correctly when parsing verbosely.


# 1.472 23-Dec-2004 dhartmei

set rule_flag PFRULE_SRCTRACK when setting srctrack, found by camield@
using regress test pf84


# 1.471 22-Dec-2004 dhartmei

Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@


# 1.470 15-Dec-2004 henning

missing free()s; with pat


# 1.469 10-Dec-2004 henning

allow pf to filter on route labels
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan


# 1.468 08-Dec-2004 mcbride

Add "'overload' requires 'max-src-conn' or 'max-src-conn-rate'" sanity check,
fix some cut-n-paste mayhem in other related checks.


# 1.467 07-Dec-2004 dhartmei

re-commit mcbride@'s 'flush global', this time without the breakage in
pfvar.h. builds kernel and userland.


# 1.466 07-Dec-2004 deraadt

real backout


# 1.465 07-Dec-2004 deraadt

oops, incomplete backout


# 1.464 07-Dec-2004 deraadt

tree does not compile, spotted by dlg (not obvious how to fix)
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.463 07-Dec-2004 mcbride

Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.462 05-Dec-2004 dhartmei

initialize $$->tail and $$->next for MAXSRCCONNRATE


# 1.461 04-Dec-2004 mcbride

Userland support for limiting open tcp connections per source. eg:

keep state (max-src-conn 1000, max-src-conn-rate 100/10, overflow <bad> flush)

allow a maximum of 1000 open connections or 100 new connections in 10 seconds.
The addresses of offenders are added to the <bad> table which can be used in
the ruleset, and existing states from that host are flushed.

ok deraadt@ dhartmei@


# 1.460 21-Sep-2004 aaron

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok


Revision tags: OPENBSD_3_6_BASE
# 1.459 29-Jun-2004 henning

remove cedric's bogus interface name verification code.
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nice enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being bugged to regularly.
help & ok mcbride@


# 1.458 29-Jun-2004 frantzen

convert a few memcpy()s to strlcpy() so we don't copy uninitialized junk into
an interface name's slack space past the \0. will be needed for the optimizer.
ok henning@


# 1.457 26-Jun-2004 david

add back PF_INOUT, fixes reassemble tcp
ok canacar@ mcbride@


# 1.456 25-Jun-2004 deraadt

repair tree nanobreak by the nanobum


# 1.455 10-Jun-2004 dhartmei

rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
keyword in C++. ok henning@, cedric@


# 1.454 21-May-2004 dhartmei

Use '/' instead of ':' as separator for anchor path components. Note that
the parser now needs quotes around paths containing separators.
ok mcbride@


# 1.453 19-May-2004 dhartmei

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@


# 1.452 24-Apr-2004 cedric

Add "probability xxx" rule modifier. ok deraadt@


# 1.451 22-Apr-2004 henning

typo, From: Jared Yanovich <jjy2+@pitt.edu>


# 1.450 14-Apr-2004 cedric

make antispoof work with dynamic addresses. ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_5_BASE
# 1.449 20-Mar-2004 david

spelling fix; ok dhartmei@ henning@ deraadt@


# 1.448 14-Mar-2004 dhartmei

#include fixes, from Max Laier, ok beck@ henning@


# 1.447 08-Mar-2004 henning

plug 124 memory leaks
ok mcbride@ pb@ dhartmei@


# 1.446 06-Mar-2004 henning

from bgpd:
plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. err(1, "yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.445 01-Mar-2004 dhartmei

support "tagged <name>" on anchor rules, suggested by vd@vmunix.lt,
ok henning@, cedric@


# 1.444 24-Feb-2004 mcbride

'max-src-nodes' requires 'source-track rule'. Set that automatically,
unless 'source-track global' is explicit, in which case error out. Lots of
help from cedric@.

ok cedric@ henning@


# 1.443 24-Feb-2004 cedric

fixup.


# 1.442 24-Feb-2004 mcbride

Check for 'source-track rule' with 'max-src-nodes'.

ok cedric@ henning@


# 1.441 11-Feb-2004 cedric

Fix interface clobbering for link-local addresses. Found by Pyun YongHyeon.
Fix "antispoof for foo" when foo has no addresses.
ok+help dhartmei@, ok mcbride@


# 1.440 10-Feb-2004 henning

KNF


# 1.439 10-Feb-2004 henning

fix at least the worst of Cedric "KNF is for everybody but me" Berger's fuckup


# 1.438 04-Feb-2004 mcbride

Handle rules like 'pass ... proto { tcp udp icmp } ... modulate state'

ok dhartmei@ henning@


# 1.437 03-Feb-2004 henning

fix PR 3664 / jared r r spiegel
we need to save the unexpanded tag/tagged strings before entering the
expansion loop, and at each loop, start with the unexpanded tag, so that
on subsequent loops the macros are replaced with current values and not
the values from previous loop persist
ryan theo ok


# 1.436 05-Jan-2004 henning

few off by ones in strlcpy overflow check; Patrick Latifi


# 1.435 04-Jan-2004 cedric

don't ignore "!" on "binat on !foo". ok mcbride@


# 1.434 31-Dec-2003 deraadt

spacing. note this, cedric


# 1.433 31-Dec-2003 cedric

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now support multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@


# 1.432 30-Dec-2003 henning

fix TAILQ abuse.
TAILQ_REMOVE is a no-no within a TAILQ_FOREACH loop.
also free the symbol itself after removal.
all found while hacking bgpd which incorporates pfctl's sym code (macros).

ok cedric@


# 1.431 19-Dec-2003 henning

i wrote much of these, assert my copyright


# 1.430 19-Dec-2003 deraadt

assert copyright. i rewrite much of this


# 1.429 16-Dec-2003 mcbride

Check that max-src-states and max-src-nodes are not being set to 0.


# 1.428 15-Dec-2003 henning

KNF here too


# 1.427 15-Dec-2003 mcbride

Whitespace.


# 1.426 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contains regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


# 1.425 15-Dec-2003 mcbride

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@


# 1.424 29-Nov-2003 dhartmei

allow ':' (range including boundaries) to be used wherever '><' (range
excluding boundaries) is legal. already supported by kernel, requires only
removal of three error messages. ok henning@


# 1.423 22-Nov-2003 henning

daniel stumbled over a broken regress test, and it turned out that I forgot
to commit a diff from 11/6...
do not insert the "block in on ! interface" rule for antispoof statements when
the interface in question does not have any IP address, because that then
expands to
block in on ! interface all
which is obviously bad.
niklas@ found it, dhartmei@ ok, and I think some more ppl ok I don't remember


# 1.422 14-Nov-2003 henning

allow the debuglevel to be set from pf.conf (set debug)

ok cedric@


# 1.421 08-Nov-2003 mcbride

Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.

pass in proto tcp to self flags S/SA keep state (no-sync)

ok cedric@ henning@ dhartmei@


# 1.420 06-Nov-2003 henning

and fix two err() that should be errx() while being here


# 1.419 06-Nov-2003 henning

need calloc here


# 1.418 06-Nov-2003 henning

allow the label macros to be used in tags as well.
the idea is not mine and I'd love to get credit, but I cannot find the mail
any more :-((

ok canacar@ dhartmei@


# 1.417 21-Oct-2003 itojun

don't use NULL as (int)0. henning ok


# 1.416 26-Sep-2003 cedric

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:

- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK

Ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_4_BASE
# 1.415 01-Sep-2003 henning

KNF


# 1.414 28-Aug-2003 kjell

This change is busted. what's worse, REGRESSION TESTS WOULD HAVE CAUGHT IT!
You MUST test network stack changes on BOTH BYTE-ORDERS.
Someone can fix this later, but right now I need to get the damn
firewall up. Grr.


# 1.413 26-Aug-2003 dhartmei

catch port/user/group a <>/>< b with a >= b, from mpech@


# 1.412 25-Aug-2003 dhartmei

catch return-rst ttl values > 255, from aaron@


# 1.411 24-Aug-2003 cedric

Tweaks:
- Make sure we allow only tables in round-robin pools for routing options,
same as what we do for translation rules.
- Don't reject rules like: "nat on sis0 -> <foo>" because
"no address family is given". This is perfectly valid.
ok henning@


# 1.410 22-Aug-2003 david

pf spelling police
ok dhartmei@ jmc@


# 1.409 21-Aug-2003 frantzen

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001


# 1.408 20-Aug-2003 henning

braindeadness police: catch queues which specify themselves as child... 'nuff said


# 1.407 20-Aug-2003 henning

err out nicer on errors in queue def


# 1.406 18-Aug-2003 dhartmei

catch max-mss values > 65535, report by Gregory Steuck


# 1.405 09-Aug-2003 cedric

This patch removes the restriction that tables cannot be used in routing or
redirection rules...

The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.

This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.

Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"

ok henning@ mcbride@


# 1.404 29-Jul-2003 deraadt

indent


# 1.403 19-Jul-2003 cedric

Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
instead of indirectly through struct pf_rule_addr.

Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.

Needless to say: KERNEL/USERLAND SYNC REQUIRED.

ok henning@ mcbride@


# 1.402 18-Jul-2003 cedric

Simplify handling of flags (-R, -N...). Remove PFCTL_FLAG_ALL.
ok dhartmei@


# 1.401 15-Jul-2003 cedric

Repair memory management in table parsing code.
I need vacations.
Found and verified by Pyun YongHyeon.
ok dhartmei@


# 1.400 14-Jul-2003 dhartmei

tpo


# 1.399 11-Jul-2003 cedric

Better parsing and -v support for tables:

- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and bring table definition consistent with other
parsed rules.

ok dhartmei@


# 1.398 10-Jul-2003 cedric

Fix merging of host lists.
ok dhartmei@ henning@


# 1.397 04-Jul-2003 henning

KNF after cedric (grmpf)


# 1.396 04-Jul-2003 henning

allow for a "pass" modifier on translation rules:
nat pass on $ext_if from $a to $b -> $ext_if
when the pass modifier is given, the filter ruleset is _not_ evaluated but
the packets matching this translation rule are passed unconditionally.

ok dhartmei@ cedric@ markus@


# 1.395 03-Jul-2003 cedric

Bye bye atexit(), bye bye globals...
The pfctl.c part will probably need some further improvements.
ok henning@


# 1.394 03-Jul-2003 cedric

This patch finally cleans up pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@


# 1.393 19-Jun-2003 deraadt

knf


# 1.392 18-Jun-2003 henning

change expand_label_addr() to use a switch (h->addr.type) instead of
if .. else if .. else, and handle PF_ADDR_NOROUTE as well.
inspired by a comment from cedric.


# 1.391 18-Jun-2003 henning

when expanding the $srcaddr/$dstaddr label macros and the address is actually
a table reference, don't print nonsense but the table name.
found by claudio jeker, fix by me, agreement by cedric


# 1.390 09-Jun-2003 mcbride

Attempt to resolve byte order confusion in nat code once and for all.

- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()

NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.


# 1.389 25-May-2003 henning

must not run check_netmask() before remove_invalid_hosts() - binat case had it
wrong for the redirection target.
reported by jared r r spiegel <jrrs@ice-nine.org>


# 1.388 19-May-2003 henning

reject invalid netmasks like 10.0.0.0/68, and fix up the netmask for
dynaddr rules after we know the address family

ok dhartmei@, inspired by a session with bob


# 1.387 19-May-2003 henning

all host() receivers have to test for NULL


# 1.386 19-May-2003 henning

if host() returns NULL, it is an error, so err the fuck out and don't
load bullshit


# 1.385 17-May-2003 henning

support inverse matching on tags like
block in ! tagged sometag

ok dhartmei@ pb@


# 1.384 16-May-2003 dhartmei

TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive end-
point, preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@


# 1.383 15-May-2003 henning

properly complain about too long tags


# 1.382 14-May-2003 frantzen

add scrub modifier "reassemble tcp" to turn on stateful TCP normalizations
ok henning@ dhartmei@


# 1.381 14-May-2003 henning

tagging on binat


# 1.380 14-May-2003 henning

enabled tagging on rdr rules


# 1.379 14-May-2003 henning

with tag/tagged given, only whine about missing keep state on pass rules


# 1.378 14-May-2003 frantzen

allow SCRUB rules to specify protocol again. broken sometime in the past.
okie dhartmei@, yay pb@


# 1.377 14-May-2003 henning

tags on nat rules:
nat on $ext_if all tag humppa -> $ext_if
pass out tagged humppa keep state


# 1.376 13-May-2003 henning

make sure tagging is only ever used with stateful filter rules


# 1.375 13-May-2003 henning

userland part for tagging.
it's now possible to tag packets with an arbitrary tag and filter based on
that tag later on other interfaces:
pass in quick on fxp0 keep state tag blah
pass out quick on wi0 keep state with tag blah
can be used to express trust between interfaces, to distinguish between
NATed connections and connections originating from the firewall itself
and much more

ok dhartmei@ frantzen@ pb@ mcbride@


# 1.374 11-May-2003 mcbride

Don't ntohs() the translation port for nat as it is already in host byte order.
Makes nat ... -> $ext_if port 500 rules work correctly again.

ok henning@ dhartmei@ frantzen@


# 1.373 10-May-2003 henning

support loading of anchors from within the main ruleset via
load anchor anchorname:rulesetname file /path/to/file

ok pb@ dhartmei@ cedric@


# 1.372 03-May-2003 henning

don't free() the char * carrying the rule label too early
noticed by Mathieu Sauve-Frankel <m.sauve at secureops.net> via silc


# 1.371 01-May-2003 henning

ease label handling

ok cedric@


# 1.370 01-May-2003 henning

allow label on antispoof; requested by Gregor Binder <gbinder at sysfive.com>

ok cedric@


# 1.369 30-Apr-2003 cedric

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@


# 1.368 25-Apr-2003 dhartmei

Properly copy the second part of nat proxy port range, when specified.
ok henning@


# 1.367 15-Apr-2003 henning

pass down the unparsed queue opts (struct node_queue_opt) to
print_altq/print_hfsc -> print_hfsc_opts and extract struct node_hfsc_sc
there for each service curve and pass those down to print_hfsc_sc. now
bandwidth specifications in the service curves are printed correctly in the
case of a queue belonging to more than one interface/parent queue, the
parent queues having different bandwidths and the bandwidth on the service
curve being specified in percent.


# 1.366 14-Apr-2003 henning

let print_altq and print_queue take a struct node_queue_bw parameter instead
of distinct bw_percent


# 1.365 13-Apr-2003 henning

KNF


# 1.364 13-Apr-2003 henning

prevent double service curve specification


# 1.363 13-Apr-2003 henning

add support for the HFSC linkshare, realtime, and upperlimit service curves
to be specified.


# 1.362 13-Apr-2003 dhartmei

unbreak (missing })


# 1.361 13-Apr-2003 henning

say bye bye to hfscflags_list and hfscflags_item
welcome hfscopts_list and hfscopts_item, returning a full struct
node_hfsc_opt instead of just an int for the flags. needed because of all
the opts hfsc knows


# 1.360 13-Apr-2003 henning

new struct node_hfsc_opts for, surprise, hfsc options. needed because they
contain bandwidth specifications and we need to carry the unprocessed bw
specs around for quite some time until we can break them down to absolute
values.


# 1.359 13-Apr-2003 henning

pass down the struct node_queue_opts from the altqif/queuespec yacc targets
to expand_altq/expand_queue -> eval_pfaltq/eval_pfqueue and
further down to the new eval_queue_opts() instead of evaluating them directly
in the yacc grammar.
this will be needed to process the hfsc options which can contain relative
bandwidth specifications, and we can't break them down to an absolute one
earlier.


# 1.358 13-Apr-2003 henning

move the structs node_queue_bw and node_queue_opt to pfctl_parser.h.
let eval_pfqueue() and eval_pfaltq() take a pointer to a struct
node_queue_bw instead of two distinct bw_absolute and bw_percent parameters.


# 1.357 13-Apr-2003 henning

move the bandwidth keyword from within the bandwidth target up to the
queue_opts target so the bandwidth parser can be used for other things too;
will be needed for hfsc's linkshare etc


# 1.356 12-Apr-2003 henning

initial support for the HFSC scheduler.
whoever uses that for more than toying around is on drugs. it's far from done.


# 1.355 11-Apr-2003 henning

KNF


# 1.354 11-Apr-2003 henning

don't set r->qid and r->pqid in expand_rule any more, queue name -> queue ID
mapping is done in kernel land now


# 1.353 07-Apr-2003 dhartmei

Catch and refuse invalid icmp codes (> 255). ok pb@, mpech@.


# 1.352 05-Apr-2003 henning

ease netmask handling a bit

input theo, ok dhartmei@


# 1.351 05-Apr-2003 henning

allow queue specs to be limited to certain interfaces.

altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two }
queue one priority 1 priq(default)
queue two on $if0 priority 15
queue two on ! $if0 priority 0

ok dhartmei@


# 1.350 05-Apr-2003 henning

whitespace KNF


# 1.349 04-Apr-2003 henning

clean up:
instead of letting the lexer interpret '<' '>' '=' '>=' '<=' and return them
as PF_OP_LT, PF_OP_GT etc etc etc in PORTUNARY, just let the lexer return
'<' '>' and '=' literally, and in the few cases where the old PORTUNARY was
really used like originally intended, replace that by a new unaryop yacc
target. in all other cases that gets rid of quite some checks whether PORTUNARY
is really < and nothing else etc etc etc.

ok cedric@ deraadt@


# 1.348 27-Mar-2003 henning

lotsa const char *
from David Hill <david at phobia.ms> a while ago


# 1.347 27-Mar-2003 henning

introduce a "yesno" target. eases code a bit and yes is no keyword any more.


# 1.346 27-Mar-2003 henning

handle invalid priq/cbq flags better and give a nice error message


# 1.345 27-Mar-2003 henning

default, borrow, ecn, red and rio are no keywords any more. use STRING and
strcmp instead.


# 1.344 27-Mar-2003 henning

switch symset/symget to TAILQ instead of using hand baked lists

ok dhartmei@ cedric@


Revision tags: OPENBSD_3_3_BASE
# 1.343 19-Mar-2003 henning

branches: 1.343.2;
kill the address token and move the host() invocation up to the host token,
so that host() always gets the full address to be parsed including the
netmask instead of applying the netmask afterwards. this could break some
edge cases and was broken since the (interface)/24 fix.
new token dynaddr for, well, dynaddr, and apply an eventually given netmask
afterwards in the host token just in this case.

found after bug report From: Julien Bordet <zejames@greyhats.org> via dhartmei

ok daniel cedric


# 1.342 10-Mar-2003 henning

correctly cope with errors returned by eval_pfqueue and pfctl_add_altq

ok dhartmei@ pb@ (as part of... you know, monsterdiff)


# 1.341 10-Mar-2003 henning

when complaining about a queue without parent, include the queue name in
the error message

ok dhartmei@ pb@ (as part of a monsterdiff)


# 1.340 09-Mar-2003 henning

cope with LOOP_THROUGH modifying the list (queues).
in case of an error in the queue def in question the queues list remains
unmodified, but the LOOP_THROUGH caused a mod anyway, and the list can stay
empty. subsequent checks for NULL which check for an empty list fail then.
fix by adding an explicit check before looping.
fixes regress pfail31
error report by Kamil Andrusz via pb@, testcase from pb@
ok dhartmei@


# 1.339 09-Mar-2003 henning

cope with the fact that LOOP_THROUGH loops once even if the list is empty by
moving the addition of child queues a bit down after the successful
addition of the current queue and an explicit NULL check before looping.
fixes regress pf59
found by kjc@
ok kjc@ cedric@ dhartmei@


# 1.338 08-Mar-2003 henning

fix the obvious:
since we do not modify the struct pf_altq *a any more but our private copy,
we can of course not inherit the scheduler type from it, since it did not
inherit the scheduler type from the parent.
so just inherit the scheduler type from the parent directly...

ok dhartmei@ cedric@


# 1.337 08-Mar-2003 henning

in expand_queue, make a private copy of the struct pf_altq before modifying
it. modifying the original one had undesired side effects if a queue was
expanded to more than one because it belonged to more than one interface

ok pb@ cedric@ dhartmei@


# 1.336 06-Mar-2003 henning

fix queue assignment on filter rules which are not bound to an interface.
when looking up the queue IDs using qname_to_qid, we do not need to limit
the matching on the interface in question, as it is guaranteed that same
named queues on different interfaces have the same queue id. moreover, we
must not limit the matches to the interface if we do not have an interface
given on the filter rule to match on ;-)

found after problems reported by Andre Nathan <andre at v2r dot com dot br>

ok dhartmei@ pb@ cedric@


# 1.335 02-Mar-2003 henning

when printing queues at load time that have bandwidth specified in percent,
print the bandwidth in percent instead of the calculated absolute value.
if a queue belongs to more than one interface and they have different
bandwidth the calculated absolute is of course different per interface.
previously the first calculated absolute value was shown; which of course is
incorrect on the second interface. note that only the print was wrong, the
correct values were passed to the kernel.

ok theo daniel


# 1.334 02-Mar-2003 henning

remove the control keyword for cbq queues.
the control class was a legacy of the original CBQ design by LBL/Sun
to support RSVP.
the control class is not used in openbsd, in the sense that
we don't automatically set filters for ICMP/IGMP/RSVP for the control
class.

ok dhartmei@ kjc@ deraadt@


# 1.333 27-Feb-2003 david

modify error message to match the same 7 sections in pf.conf(5)
ok deraadt@ henning@


# 1.332 26-Feb-2003 henning

in expand_rule, correctly set r->pqid if a priority queue was defined, and
reuse the value of r->qid if not.

ok dhartmei@ mcbride@


# 1.331 25-Feb-2003 henning

some minor KNF my fingers just did...

ok dhartmei@ cedric@


# 1.330 25-Feb-2003 cedric

repair/simplify/flexify binat userland.
ok dhartmei@ henning@


# 1.329 24-Feb-2003 henning

when a macro is redefined, don't bother with reusing the existing entry in
symset() but just prepend a new sym entry to symhead like we always did. as
symget searches the list sequentially, the newest one is picked first.
prevents an endless loop introduced when trying to reuse the existing entry
by an invalid setting for the next pointer.
fixes regress test pf57.

found after conversation with Chris Linn, celinn at mtu dot edu

ok dhartmei@ cedric@


# 1.328 21-Feb-2003 henning

re-allow set loginterface none
ok cedric@ dhartmei@


# 1.327 21-Feb-2003 henning

better error message if set loginterface is called with nonexistent
interface, found by krause (who is doing EXCELLENT work. Thank you very
much!), fix by me, ok dhartmei@ and cedric@


# 1.326 20-Feb-2003 henning

reject nonexistent interfaces in the dynaddr case, noticed during discussion
with jasondixon at myrealbox dot com

ok dhartmei@


# 1.325 19-Feb-2003 dhartmei

Make 'from (kue0)/24' work again (dynamic interface name translation with
a /prefix), reported by Jason Dixon. ok henning@


# 1.324 19-Feb-2003 henning

better error message on icmp version / address family mismatch

ok markus@


# 1.323 18-Feb-2003 henning

fix load option handling (-A, -N, -R) for options.
due to a bug in the loadopt check options were always loaded no matter which
loadopts were specified.
while being there, move the prints for that to where they belong, into the
appropriate pfctl_set_* functions, and thus only print when the options are
actually loaded.
fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier.

ok dhartmei@


# 1.322 17-Feb-2003 henning

"optarg" was a bad pick for the variable name in pfctl_cmdline_symset, it
shadows a global. rename.


# 1.321 17-Feb-2003 mpech

-#include <sys/ioctl.h>

mcbride@, dhartmei@ ok


# 1.320 16-Feb-2003 henning

unneeded {}


# 1.319 16-Feb-2003 henning

throw a syntax error if the portunary operator in varset is no '='
extif>"whatever"
should not be the same as
extif="whatever"
but a syntax error.


# 1.318 14-Feb-2003 dhartmei

Allow route-to loopback interfaces again, since Ryan fixed the loops that
might have occurred before.


# 1.317 14-Feb-2003 cedric

Better and more consistent error message.
Ok dhartmei@


# 1.316 13-Feb-2003 henning

ease the yacc a bit by using a "not" rule instead of having two rules w/ and
without '!' everywhere

ok dhartmei@


# 1.315 12-Feb-2003 henning

KNF after ryan


# 1.314 12-Feb-2003 mcbride

Simplify the code and make the parser handle the different rule types
more consistently.

- Merge expand_nat and expand_rdr into expand_rule
- Merge rdrrule token into natrule

ok concept henning@
ok dhartmei@


# 1.313 11-Feb-2003 henning

allow macro definition on the command line:
pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea
theo), very handy if your notebook has another NIC at some conference, as
well as for debugging etc.
idea rezine@mistrusted.net via pb@
hacked live at FOSDEM

ok pb@ dhartmei@ cedric@


# 1.312 09-Feb-2003 henning

more live code from FOSDEM:
make
pass in proto tcp to port 80
work.
-allow to omit the "any" if you're specifying a port
-allow to omit the from or to part if you want "any" for the other

ok dhartmei@ pb@


# 1.311 09-Feb-2003 henning

KNF


# 1.310 09-Feb-2003 camield

Fix a few warnings and remove unnecessary check and cast.

ok dhartmei henning


# 1.309 08-Feb-2003 dhartmei

Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@


# 1.308 05-Feb-2003 cedric

Fix "pass out dup-to (tun0 1.1.1.1) inet6 all" error message
Allow "pass out dup-to tun0 all"
ok mcbride@ henning@


# 1.307 05-Feb-2003 mcbride

Set the network mask to all 1's if no address is specified for a
route-to/dup-to/reply-to rule. Keeps round-robin from incrementing through
the entire address space.

ok dhartmei@


# 1.306 03-Feb-2003 deraadt

pretty


# 1.305 03-Feb-2003 dhartmei

Don't allow loopback interfaces as route/reply/dup-to targets. ok henning@


# 1.304 03-Feb-2003 cedric

remove loadopt global definition and cleanup a bit.
ok henning@


# 1.303 03-Feb-2003 henning

fix a problem with queue definitions when load options (like -N etc) are
given; they used to check for their parent interface/queue even in this
case.

ok dhartmei@ cedric@


# 1.302 02-Feb-2003 henning

there is no need to pass opts to parse_rules explicitely; it's passed as
part of the struct pfctl.


# 1.301 27-Jan-2003 deraadt

KNF


# 1.300 25-Jan-2003 mcbride

Match changes for rdr port ranges made to pf.c:
- fixes behaviour of rdr on le0 from foo to bar port 1:20 -> (lo0) port 22
- makes calculated mapping more explicit for the -> (lo0) port 22:* case

testing from dhartmei@

ok dhartmei@


# 1.299 25-Jan-2003 cedric

Fix NOACTION with table statements.


# 1.298 25-Jan-2003 cedric

Permit initialisation of a table content from a file in pf.conf.
Cleaning up of the table options parsing, more flexible.
idea+cleanup deraadt@, ok dhartmei@, pass all regress tests.


# 1.297 25-Jan-2003 cedric

Correctly check illegal constructs with tables. Better error messages.
ok dhartmei@ pass all regress tests.


# 1.296 25-Jan-2003 henning

if a table name is too long, it's actually nice to tell so instead of just
aborting with a syntax error


# 1.295 20-Jan-2003 camield

Remove unused argument from print_name() and fix two other nits
found by lint.

ok henning


# 1.294 19-Jan-2003 camield

Spin off label string expansion into a separate function. Clarifies
and tightens all expand_label functions.

ok dhartmei henning


# 1.293 18-Jan-2003 henning

KNF after ryan...


# 1.292 18-Jan-2003 mcbride

Add missing token string and assignment to make static-port work for real.

Diff and report courtesy of mpech@ and form@

ok dhartmei@


# 1.291 17-Jan-2003 camield

bandwith -> bandwidth

YYERROR on failed parseicmpspec()

ok dhartmei mcbride henning


# 1.290 15-Jan-2003 mpech

Typo in yyerror().

henning@


# 1.289 14-Jan-2003 henning

unified IP parser:
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h]
-extend host() to handle /mask itself, plus minor adjustments
-use that in pfctl_table.c instead of coding the same shit again

discussed w/ cedric@
ok cedric@ dhartmei@


# 1.288 13-Jan-2003 camield

err() on all memory allocation failures

ok henning dhartmei


# 1.287 11-Jan-2003 mcbride

Whitespace KNF


# 1.286 09-Jan-2003 henning

no need for explicit numbering in enums

ok dhartmei@


# 1.285 09-Jan-2003 dhartmei

Check return values on the remaining strlcpy/strlcat. ok henning@


# 1.284 09-Jan-2003 henning

minor KNF


# 1.283 09-Jan-2003 cedric

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@


# 1.282 08-Jan-2003 deraadt

check more strlcpy; camield@


# 1.281 07-Jan-2003 dhartmei

Allow underscore at the beginning of strings, fixes
pass all user _spamd
which was refused as syntax error before. Reported by Joe Nall.
ok henning@


# 1.280 07-Jan-2003 dhartmei

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@


# 1.279 06-Jan-2003 mcbride

Fix some oversights with address pools for route-to/dup-to/reply-to
- copy key for src-hash
- copy pool type (pools were being set to round-robin in all cases)

+ some minor knf.

ok dhartmei@


# 1.278 05-Jan-2003 henning

err after calloc failure, not errx


# 1.277 05-Jan-2003 dhartmei

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@


# 1.276 04-Jan-2003 dhartmei

move noroute from flag in pf_rule_addr into type in pf_addr_wrap.
ok henning@, mcbride@


# 1.275 04-Jan-2003 deraadt

I do not know where this policy of "one .h file for every .c file" comes
from, but whoever thought of it is stupid.


# 1.274 03-Jan-2003 dhartmei

whitespace KNF (no, i don't touch the option inits)


# 1.273 03-Jan-2003 cedric

Bring in userland code for accessing PF radix tables.
ok dhartmei@ mcbride@


# 1.272 02-Jan-2003 mcbride

Require a direction to be specified for rules which do routing.

ok dhartmei@ henning@


# 1.271 30-Dec-2002 mcbride

Change ipv6-icmp-type to icmp6-type. pf.conf files will need to be adjusted
to reflect this.

ok dhartmei@ henning@


# 1.270 27-Dec-2002 mcbride

Since pf_norm.c looks at rule.log to see if it should log packets being
dropped due to scrub violations, this adds the ability to set this in
pf.conf.

ok henning@


# 1.269 21-Dec-2002 henning

always initialize rpool.key; diff from Frank Denis; KNF by me


# 1.268 21-Dec-2002 henning

KNF


# 1.267 20-Dec-2002 dhartmei

remove a redundant assignment.


# 1.266 19-Dec-2002 dhartmei

fix 'no rdr'.


# 1.265 18-Dec-2002 henning

more KNF


# 1.264 18-Dec-2002 dhartmei

proto list expansion is not supported in binat-anchor yet, print an error
when attempted.


# 1.263 18-Dec-2002 dhartmei

Support (single) destination port in rdr-anchor rules. Print an error
where parameters are not supported (in rdr-anchor and binat-anchor) yet.
If those are needed, we'll have to expand them properly.


# 1.262 18-Dec-2002 deraadt

fix some INCREDIBLE new bugs which were introduced


# 1.261 17-Dec-2002 henning

add support for the PRIQ scheduler

partially from kjc@

ok kjc@ dhartmei@


# 1.260 17-Dec-2002 mcbride

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule

ok dhartmei@ henning@


# 1.259 17-Dec-2002 henning

missing break in switch


# 1.258 17-Dec-2002 henning

beautify the %type block


# 1.257 17-Dec-2002 henning

PRIQ and HFSC support functions, not yet used.
mostly from kjc@ with adjustments by me.

ok theo ryan daniel


# 1.256 16-Dec-2002 henning

only create a root queue if scheduler = cbq


# 1.255 16-Dec-2002 henning

get full [scheduler]_opts struct instead of just .flags, and wrap it into a
switch (scheduler) statement in one case

inspired by kjc@


# 1.254 13-Dec-2002 henning

allow a second queue for higher prioritized (currently: tos=lowdelay) packets
to be specified per rule

queue (qname, priorized_qname)

idea dhartmei
ok dhartmei@ frantzen@ deraadt@


# 1.253 13-Dec-2002 henning

a bit KNF originally part of another diff soon to come; frantzen@ correctly
pointed out that should be a separate commit.


# 1.252 13-Dec-2002 deraadt

permit re-ordering of some scrub parameters, and also clean up some other
grammar baloney; henning ok


# 1.251 12-Dec-2002 henning

KNF


# 1.250 12-Dec-2002 henning

we don't need to keep a private copy of the queue name in expand_rule,
r->qname is never modified

discussed with dhartmei@


# 1.249 11-Dec-2002 mcbride

Replace strncpy + ugly pointer math with sscanf for reading source-hash keys

ok dhartmei@ henning@


# 1.248 09-Dec-2002 dhartmei

(properly guarded) strcpy() -> strlcpy()


# 1.247 09-Dec-2002 deraadt

do not allow redefinitions in variable option blocks; henning ok


# 1.246 08-Dec-2002 henning

strncpy is evil.


# 1.245 08-Dec-2002 henning

allow flexible options order like Theo did for rules.

idea, lots of input, motivation and ok deraadt@

ATTENTION:
this changes the syntax. the "scheduler" keyword is gone now.
old: altq on $interface scheduler cbq ...
new: altq on $interface cbq ...


# 1.244 07-Dec-2002 dhartmei

Support parameters in anchor rules. Allows conditional evaluation, like:

anchor spews inet proto tcp from any to any port smtp

ok deraadt


# 1.243 07-Dec-2002 henning

more KNF


# 1.242 07-Dec-2002 henning

KNF


# 1.241 07-Dec-2002 henning

shadow cleanup

ok mcbride@ frantzen@


# 1.240 07-Dec-2002 henning

kill an unused param to lungetc


# 1.239 07-Dec-2002 mcbride

Convert the hash of a string key to network byte order. Makes regression
work on all platforms.

Bug found by dhartmei@

ok dhartmei@ henning@


# 1.238 06-Dec-2002 dhartmei

Remove negated address list check again, doesn't work right yet.


# 1.237 06-Dec-2002 dhartmei

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@


# 1.236 05-Dec-2002 henning

fix a small cosmetic problem. if ifa_lookup was called in LOOKUP_NET mode,
it would return things like 127.0.0.1/8. when 127.0.0.1/8 is passed through
the new selftests, it becomes 127.0.0.0/8.
fix: instead of just copying addr.mask in ifa_lookup, use set_ipmask, so it
is 127.0.0.0/8 from the beginning on.


# 1.235 05-Dec-2002 henning

-quote varset in -v output
-don't add 's' in set timeout -v output

makes the feedback regression tests succeed.

ok markus@ mcbride@


# 1.234 04-Dec-2002 henning

in host(), apply a given netmask to all members of the node_host list
returned by ifa_lookup().

reported by Alejandro G. Belluscio

ok dhartmei@


# 1.233 04-Dec-2002 deraadt

do not warn for unused variables except with -v -v; henning ok


# 1.232 02-Dec-2002 henning

KNF


# 1.231 02-Dec-2002 deraadt

permit more flexible pass/block lines. the options given at the end of
a line can now be placed in any order, and some merging of duplicate options
is also done. this is easier to use.


# 1.230 02-Dec-2002 henning

allow for "altq on $interface" without specifying a bandwidth. The
interface's bandwidth is taken then.
as a side-effect, "altq on $interface bandwidth xx%" is also possible now,
it's relative to the interface's bandwidth then.

ok theo


# 1.229 30-Nov-2002 mickey

move damn unmask() proto into place as well


# 1.228 29-Nov-2002 henning

coredumps are not nice.
deal with the fact that when we are merging the lists in host_list both can
be NULL.
found at EuroBSDCon 2002 while I was explaining the expansion process to
Paul de Weerd

ok dhartmei@


# 1.227 29-Nov-2002 henning

print queuespec only once in verbose mode, even if referenced more often


# 1.226 29-Nov-2002 henning

FREE_LIST nqueues later; can be used more than once


# 1.225 28-Nov-2002 henning

allow qlimit on altq spec


# 1.224 28-Nov-2002 mcbride

- Adjust to match replacement of md5 with pf_hash
- Allow keys to be specified in hex (must be 128 bits, mainly to make
pfctl -v output parseable by pfctl) or as a string. Randomly generate key
if one is not specified.

Suggestions and fixes from camield@

ok mickey@ camield@ henning@


# 1.223 27-Nov-2002 henning

handle the "no bandwidth specified" case earlier and easier.


# 1.222 27-Nov-2002 henning

-use a #define for default qlimit instead of hardcoding it
-print qlimit in print_queue if it is not the default one
-assign the default qlimit early in the parser instead of using 0


# 1.221 27-Nov-2002 henning

next round in print fixes:
-only print priority if it is not equal to the default one
-space handling overhaul


# 1.220 27-Nov-2002 henning

use a #define for default priority instead of hardcoding it


# 1.219 27-Nov-2002 henning

fix tbrsize spec


# 1.218 27-Nov-2002 henning

fix error message for altq ifspec without child queues


# 1.217 26-Nov-2002 henning

make bandwidth specification on queue truly optional


# 1.216 26-Nov-2002 henning

queue comes before NAT


# 1.215 25-Nov-2002 henning

repair decide_address_family
you cannot just take the first address family you meet as rule's address
family... either all are equal, or the rule has no explicit AF.

found by danh@
ok theo


# 1.214 25-Nov-2002 mickey

for loN and link1 translate the iface into address properly; henning@ ok


# 1.213 25-Nov-2002 henning

1Kb = 1000b, not 1024; as discussed with kjc@ and theo


# 1.212 25-Nov-2002 henning

KNF


# 1.211 24-Nov-2002 pb

enforce that queue comes right before filtering
'options, normalization, translation, queue, filter' now

henning@ ok


# 1.210 24-Nov-2002 dhartmei

Cosmetics and removal of a redundant code block.


# 1.209 23-Nov-2002 deraadt

sigh


# 1.208 23-Nov-2002 henning

KNF


# 1.207 23-Nov-2002 henning

better error checking in expand_queue


# 1.206 23-Nov-2002 henning

easier


# 1.205 23-Nov-2002 mcbride

Daniel's diff to untangle my mess with ifa_pick_ips like so:

- add decide_address_family() which runs through the list to find hosts
with the af set
- replace ifa_pick_ips with remove_invalid_hosts() which removes hosts with
the wrong address family from the list

from/ok dhartmei@


# 1.204 23-Nov-2002 henning

better error checking, round 1
this time in expand_altq


# 1.203 23-Nov-2002 henning

KNF


# 1.202 23-Nov-2002 deraadt

KNF


# 1.201 23-Nov-2002 dhartmei

$$->ifname is NULL, leave it NULL, don't $$->ifname[0] = 0;


# 1.200 23-Nov-2002 mcbride

Fix brokenness in parse.y, clean up:
- remove requirement for ( ) in route-to ( if )
- calloc route_host
- initialise route_host->next
- globally convert malloc to calloc

ok dhartmei@


# 1.199 23-Nov-2002 mcbride

code to support loading of pf rules with multiple redirection addresses
(in nat, rdr, route-to, dup-to and reply-to)

Syntax looks like this, see pf.conf(5) for details:

nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
192.168.0.16/29 source-hash random

rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
{ 192.168.0.8/31, 192.168.0.15 } port 22 round-robin

ok dhartmei@ henning@


# 1.198 22-Nov-2002 henning

print altq and queue lines in the pfctl -v case including the child queue
assignment


# 1.197 19-Nov-2002 henning

only take cbq opts from schedtype if type=CBQ


# 1.196 19-Nov-2002 henning

repair queuespec syntax glitch, theo agrees


# 1.195 19-Nov-2002 henning

default priority is 1, not 0
found by pb@


# 1.194 19-Nov-2002 camield

- match 'Gb' case-sensitively
- match "%" unit only, not "%crap"

ok henning@


# 1.193 19-Nov-2002 wilfried

icmp-type was off by one, ok henning@


# 1.192 18-Nov-2002 deraadt

no; do not use };


# 1.191 18-Nov-2002 henning

more using strl* return values instead of strlen calls


# 1.190 18-Nov-2002 henning

easier "queue name too long" detection; from theo


# 1.189 18-Nov-2002 deraadt

KNF


# 1.188 18-Nov-2002 deraadt

KNF


# 1.187 18-Nov-2002 henning

altq and pf merged

this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documentation yet, but committing now
enables a few more people to work on.

print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.

"commit now" theo philipp daniel


# 1.186 13-Nov-2002 henning

as scrub rules end up in a struct pf_rule just call expand_rule instead of
handcrafting this.
has quite a few positive side effects:
-interface list expansion works (fries@ asked for that)
-can specify address family, very helpful with dynamic interface expansion
(pointed out by daniel)
-src/dst ip/port list expansion works
-fixes a long standing, scary, though never noticed bug:
scrub out on lo1 from any to 10.0.0.1
expanded to
scrub out on lo1 all
... this bug was there from day #1.

"sneaky diff of the month award" dhartmei@


# 1.185 13-Nov-2002 dhartmei

Add label macro $if, as we support {} list expansion for interfaces now.
From David Gwynne. ok henning@, camield@


# 1.184 13-Nov-2002 dhartmei

Initialize tail pointer to node, found by fries@


# 1.183 08-Nov-2002 henning

init buf to NULL just in case...
there isn't a single codepath where it can remain uninitialized, but this
might prevent a stupid bug if we change something later


# 1.182 07-Nov-2002 henning

move the ifa_exists block a bit up in host()
inspired by mpech@ pointing out a missing free(buf). so handle the
it-is-an-interface case where we don't need the buf before allocating memory.


# 1.181 04-Nov-2002 henning

welcome to CIDR world, pfctl!

use inet_net_pton to parse IP addresses.
stuff like
block in from 10/8 to any
works now.

some input camield@ and dhartmei@

ok dhartmei@, camield@, mcbride@


# 1.180 02-Nov-2002 dhartmei

%i -> %d, matches the style of existing code, from millert@


# 1.179 02-Nov-2002 dhartmei

printf int with %i, not %u. from pilot@monkey.org.


# 1.178 30-Oct-2002 henning

simplify


# 1.177 30-Oct-2002 henning

fix interface expansion. since the reversed list expansion code was
committed this was broken, only the first IP address was returned.

pointed out by danh@, who sent an excellent bug report.

ok dhartmei@


# 1.176 29-Oct-2002 henning

introduce
set require-order [yes|no]
default is yes.
with set to "no", it isn't required to have the rules in order (options,
scrub, nat, filter) any more, though of course NATing still happens before
filtering and so on, so one has to take care.

ok camield@ mcbride@ dhartmei@
idea discussed with a whole lotta more people and basically ok for everyone ;-)


# 1.175 27-Oct-2002 henning

remove the "flags X" syntax.
no one who wrote "flags S" meant that, but actually something like "flags
S/SA". with "flags S" changing its actual meaning as more flags got
supported, things got worse.

ok dhartmei@, pb@


# 1.174 22-Oct-2002 mpech

%ul -> %lu

dhartmei@ ok


# 1.173 22-Oct-2002 mcbride

More conversion of "int af" and "u_int8_t af" declarations and function
arguments to the more correct and descriptive "sa_family_t af"

ok dhartmei@ henning@


# 1.172 22-Oct-2002 camield

Rename ipmask to set_ipmask and add some functionality: the netmask
is applied immediately to the address.

This way, the parsed rules output shows exactly which bits of an
address are significant for a match and errors due to wrong netmasks
can be spotted more easily.

Example:
$ pfctl -nvf -
pass in on lo0 from 172.17.0.0/12 to any
@0 pass in on lo0 inet from 172.16.0.0/12 to any

idea refined by dhartmei@
ok frantzen@ henning@


# 1.171 17-Oct-2002 mcbride

These checks are also made in nat_consistent() and rdr_consistent().

ok dhartmei@ henning@


# 1.170 17-Oct-2002 camield

- accept all protocols that are specified by number if they are in
the valid range (also when they're not listed in /etc/protocols)
- explicitly disallow protocol number 0, because it has special meaning
to pf

ok dhartmei@ henning@


# 1.169 16-Oct-2002 mpech

Fix and improve binat mask comparison.

dhartmei@, henning@ ok


# 1.168 14-Oct-2002 henning

Allow one to specify a netblock in a binat rule:

binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27

Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.

from ryan

ok dhartmei@


# 1.167 11-Oct-2002 camield

When a macro cannot be expanded because it is not defined, say so. Also warn
about unused macros.

ok dhartmei@ henning@


# 1.166 11-Oct-2002 camield

In lgetc(), compress strings of whitespace to a single space. This makes
macros come out right in verbose mode and is less functional overhead.

Also err on whitespace after a backslash. That type of error is hard to
find otherwise.

ok dhartmei@ henning@


# 1.165 08-Oct-2002 vincent

remove <0 checks on unsigned numbers.

ok henning@


# 1.164 07-Oct-2002 dhartmei

-Wsign-compare clean


# 1.163 07-Oct-2002 dhartmei

Two cases of const-correctness and make one global local.


# 1.162 07-Oct-2002 henning

set block-policy [drop|return]
drop is default, same behaviour as before

support
block drop
to override a return policy


# 1.161 07-Oct-2002 henning

support a generic return
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else

ok dhartmei@


# 1.160 07-Oct-2002 henning

make return-icmp work for rules covering both v4 and v6
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)

ok and some input dhartmei@


# 1.159 07-Oct-2002 henning

use a new rule_flag PFRULE_RETURNICMP to decide whether to return-icmp or not
instead of just testing return_icmp > 0

ok dhartmei@


# 1.158 07-Oct-2002 dhartmei

Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.


# 1.157 06-Oct-2002 dhartmei

Move CHECK_ROOT into LOOP_THROUGH, gets rid of one macro and saves
several lines, no functional difference. From Camiel Dobbelaar.


# 1.156 05-Oct-2002 dhartmei

Expand {} lists from left to right, so 'pass in from { a, b } to any'
becomes '@0 pass in from a to any @1 pass in from b to any' instead of
the other way around. Patch from Camiel Dobbelaar.


# 1.155 05-Oct-2002 dhartmei

Allow filtering based on IP header's tos field.


Revision tags: OPENBSD_3_2_BASE
# 1.154 22-Sep-2002 henning

little KNF: return(something) -> return (something)


# 1.153 22-Sep-2002 henning

fix linenumber counting in findeol, and simplify by ignoring the \ case,
that's already handled earlier.
fast-forward on erroneous lines

partially from camield@, parts result of a discussion with Mike

ok frantzen@ dhartmei@


# 1.152 22-Sep-2002 henning

antispoof, take 2.
also block incoming packets with our own IP as src.

discussion & help frantzen

ok ho@ dhartmei@ frantzen@


# 1.151 17-Sep-2002 henning

easier "self" implementation.
no functional changes

ok pb@


# 1.150 15-Sep-2002 henning

set a netmask in the dynaddr case
noticed by <han@mijncomputer.nl>

ok pb@


# 1.149 14-Sep-2002 henning

bit more clue in rdr/nat rules wrt address family examination
don't take the af from host_node structs based on interface lookups, most
interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will
at least have one IP address specified from which we take the af for the
whole rule. The rare exceptional cases require the user to specify the af.

ok frantzen@


# 1.148 12-Sep-2002 henning

check for calloc() failure; ho@


# 1.147 12-Sep-2002 henning

antispoof [log] [quick] for [interface|interface_list] [af]

e.g.

antispoof log quick for { dc0, dc1 } inet

docs & regress coming

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@
IPv6 help itojun@

finally, a long story finds its happy end here.


# 1.146 12-Sep-2002 henning

rework netmask handling:
-don't set netmask in host token handler
-clear netmask in ipmask() proper before setting it
-in ifa_load(), also store interface's netmask and broadcast address
-allow ifa_lookup() to return either the interface's IP address(es), network(s)
or broadcast address(es) - not used anywhere yet. This implies that
ifa_lookup() also returns the netmask now.
-host() returns netmasks, too

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@


# 1.145 08-Sep-2002 henning

be more clueful wrt address family in nat/rdr rules.
behaviour noticed by Paul de Weerd, thanks!

ok dhartmei@


# 1.144 02-Sep-2002 dhartmei

Fix parsing of port ranges in translation rules (port a:b -> port c:d).
ok henning@


# 1.143 02-Sep-2002 dhartmei

Make sure the interface specified with route-to/dup-to/fastroute exists
and null-terminate the interface name. Found by Michael Wallis.
ok henning@


# 1.142 20-Aug-2002 dhartmei

Increase lineno on newlines inside multi-line macro definitions, otherwise
errors on subsequent lines are reported with wrong line numbers.
From Paul B. Henson.


# 1.141 16-Aug-2002 henning

kill duplicated check for '(' and ')' in allowed_in_string


# 1.140 12-Aug-2002 dhartmei

Catch null pointer deref (segfault), from wilfried@


# 1.139 06-Aug-2002 henning

missing free(), mpech@
ok pb@


# 1.138 06-Aug-2002 henning

check for strdup() allocation errors

pointed out by mpech@
ok pb@


# 1.137 31-Jul-2002 henning

KNF, esp. missing prototypes


# 1.136 30-Jul-2002 henning

grmpf.
in some cases, on non-tcp rules flags weren't reset. cosmetic-only
problem. but, well, checking for r->flags and r->flagset if we could have
assigned them zero just one round ago is just stupid, and it's not needed to
check them at all.

ok pb@, dhartmei@


# 1.135 30-Jul-2002 henning

allow to specify flags on all rules that include tcp.

these are valid:

pass in from any to any flags S
pass in proto { tcp, udp, icmp } from any to any flags S
pass in proto tcp from any to any flags S

these are invalid:

pass in proto { udp, icmp } from any to any flags S
pass in proto udp from any to any flags S

ok "I've lost my slacker status for at least a week" frantzen@
ok pb@, dhartmei@, deraadt@


# 1.134 26-Jul-2002 henning

make the order of log and quick irrelevant. now both
block in log quick all
and
block in quick log all
work.

ok dhartmei@, deraadt@


# 1.133 23-Jul-2002 henning

timeout_list/_spec and limit_list/_spec don't return anything -> no %type.

ok theo


# 1.132 21-Jul-2002 deraadt

fix route-to also


# 1.131 21-Jul-2002 deraadt

make the , optional in many places. This makes string concat a lot more
useful. Now you can
in = ssh domain www
out = $in ftp finger
pass in proto tcp from any to any port { $in }
pass out proto tcp from any to any port { $out }
a poor example, but the idea is obvious


# 1.130 21-Jul-2002 deraadt

string concat, ie.
a=a b
c=$a $a


# 1.129 20-Jul-2002 deraadt

minor indent tweaks


# 1.128 20-Jul-2002 deraadt

properly split yacc and lex use


# 1.127 19-Jul-2002 deraadt

minor tweaks, sigh


# 1.126 19-Jul-2002 dhartmei

And back out the last change again.


# 1.125 19-Jul-2002 henning

rework the interface lookup routines internals.
less and easier code than before.
no functional changes.

ok frantzen@, dhartmei@


# 1.124 19-Jul-2002 dhartmei

Support # comments at the end of lines and inside (multi-line) string
literals, so you can do things like

macro="{ foo, # first entry
bar, # second entry
baz }" # last entry

or

pass in on $ext_if \ # external interface
proto tcp \ # TCP connections
from any to $ext_if \ # to the gateway itself
keep state

And sneaking in two minor fixes for KNF.


# 1.123 19-Jul-2002 henning

deal with the fact that the struct node_host ifa_pick_ip gets is not always
the result of an interface expansion. in this case ifa_pick_ip does an
address family check (that's actually a (wanted) side effect). Thus, we need
to spit out a meaningful error message in case of a mismatch.
also adjust all the other error messages, they were also assuming that nh is
the result of an interface expansion.
after a looooong discussion on icb (dhartmei@, pb@, me) we agreed on the term
"translation address" for that.

okay dhartmei@


# 1.122 17-Jul-2002 henning

support "self" as address. self expands to all IPv4 and IPv6 addresses of
the machine, on all interfaces. I wanted
block in log on ! lo0 from any to self
for years, and now it's possible.

ok "I may lose my slacking status if I OK it" frantzen@
ok dhartmei@

documentation in pf.conf.5 to come with pb@'s rewrite


# 1.121 16-Jul-2002 dhartmei

Add nat_consistent() and rdr_consistent() for checks that should occur
after rule expansion, similar to rule_consistent(). Fixes the
non-effective test for rdr rules for non-TCP/UDP protocols with ports,
found by mpech@, ok frantzen@


# 1.120 15-Jul-2002 henning

add support for
pass|block on ! $interface ...

ok dhartmei@

will be documented in pf.conf(5) by "I'm not slacking!" pb@ who's currently
reworking this manpage


# 1.119 15-Jul-2002 pb

cosmetics/consolidations to manpage in yyerror()s

ok henning@, dhartmei@


# 1.118 15-Jul-2002 henning

o complain about keep state on block rules
o complain about return-rst on rules which aren't limited to tcp

pointed out by not-slacking-but-testing pb@

ok pb@, dhartmei@


# 1.117 13-Jul-2002 henning

add list expansion for interface and proto in nat rules and for proto in rdr
rules (interface was already there). since the nat.conf/pf.conf merge the
parser accepted these but didn't expand them. ugh.

ok dhartmei@


# 1.116 09-Jul-2002 itojun

check sin6_scope_id field, just in case we change the routing socket API
for scoped address (unlikely due to the deployed codebase...).


# 1.115 09-Jul-2002 itojun

getifaddrs(3) grabs link-local addrs in kernel internal form, convert them
into proper sockaddr_in6.


# 1.114 09-Jul-2002 henning

rework the interface-to-IP routines.

you can use interface names instead of an IP in most places. However, until
now, it was only expanded to the interface's first IPv4 address if existent
(and address family unset or inet) and the first IPv6 address otherwise.

this diff changes that. the interface is properly expanded to all IPs, IPv4
_and_ IPv6, now.

it also cleans up the lookup procedures (well, in fact, they are replaced by
a new one), there's no need for different procedures for IPv4 and IPv6. we
now just have one list of interfaces (AF_LINK) and one list with IPs
(AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and
ifa_lookup.

nat, rdr & friends now use the new function ifa_pick_ip to get the IP in
rules like

nat on $interface from $whatever to any -> $interface

ifa_pick_ip tries to be smart.
if the interface has only one IP address and the nat rule doesn't specify an
address family (or it matches with this address), take this one.
If the address family is specified in the nat rule and there is only one IP
for the given address family, this one is used. if the address family is not
specified and there is more than one IP pfctl throws an error. The same
applies for multiple IPs per address family.

This causes regression tests 18 and 20 to fail because the address family
isn't specified there; diff for those coming.

also fix some prototypes while I'm here.

pb@ found another problem while testing that we must have introduced somewhat
after 3.1.

$cat t
nat on ne3 from any to any -> 213.128.133.5
$pfctl -nvf t
nat on ne3 all -> ?

it's only a representation bug as far as I've checked, nonetheless it should
be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just
steal its target's IP af and set the rule's af accordingly. then inet_ntop
does play nice.
binat rules already enforce having an address family set always and thus are
not affected.

ok dhartmei@, pb@, kjell@
"It looks good" frantzen@


# 1.113 08-Jul-2002 dhartmei

Don't allow 'flags' option in non-TCP rules, found by mpech@


# 1.112 05-Jul-2002 henning

unbreak.


# 1.111 05-Jul-2002 henning

another small bug I found while installing a -current pf firewall.
we don't support

pass/block in on ! <interface>

(at least, not yet)
let the parser complain instead of ignoring the '!'

ok pb@, dhartmei@


# 1.110 01-Jul-2002 espie

streamline parse buffer handling (no need to copy value that is not
going to go away).

add explicit pushback buffer, to be able to push IPv6 failed parses back.

handle pushback + parse buffer interactions by using negative indices.

okay dhartmei@, deraadt@


# 1.109 01-Jul-2002 deraadt

KNF


# 1.108 28-Jun-2002 dhartmei

Don't check for address family conflicts in nat/rdr before expansion,
rules will expand to all valid combinations, and there's an error when
none is found. Makes "nat on tun0 from 10.0.0.0/8 to any -> (tun0)"
work (again).


# 1.107 25-Jun-2002 henning

move pfctl options -t, -m, -O and -l to pf.conf. These are set using the
"set" keyword. example rulefile:

set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all

fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@


# 1.106 24-Jun-2002 dhartmei

Use interface when specified in scrub rule. No support for ! or {} yet.


# 1.105 23-Jun-2002 deraadt

uid_t and gid_t are unsigned


# 1.104 20-Jun-2002 dhartmei

Copy address family from inet/inet6 keyword, if specified.


# 1.103 18-Jun-2002 frantzen

propagate a '!' when a host resolves to multiple IP addresses
ok dhartmei@


# 1.102 18-Jun-2002 frantzen

don't allow individual keep state rules to specify timeouts for 'interval' and
'frag' -- they aren't applied anyway
ok dhartmei@ and henning@


# 1.101 16-Jun-2002 aaron

Rules must in order -> Rules must be in order


# 1.100 15-Jun-2002 dhartmei

Reset rulestate in parse_rules(), so consecutive calls (like from authpf)
will not fail. Reported by Chris Kuethe.


# 1.99 13-Jun-2002 kjell

Fix the numbering of scrub rules. pointed out and oked by frantzen@


# 1.98 12-Jun-2002 kjell

Fix uninitialized access. Spotted by danh@ This is a good reason to
develop with "ln -s 'J' /etc/malloc.conf" enabled.
ok henning@


# 1.97 11-Jun-2002 frantzen

split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@. the rest are slacking


# 1.96 11-Jun-2002 frantzen

SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@


# 1.95 11-Jun-2002 dhartmei

Make NAT proxy port range configurable per rule, for instance privileged
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@


# 1.94 10-Jun-2002 kjell

Merge the NAT and rules files into a single rulefile. Rules must be
in this order, to remove any ambiguity about what order things happen in:

scrub rules
nat rules
filter rules

The -N and -R modifiers go away. Rulefiles are now loaded with the
more POSIXly-correct '-f'

ok frantzen@


# 1.93 10-Jun-2002 dhartmei

Allow ports to be specified in nat rules, useful later on for individual
proxy port ranges.


# 1.92 10-Jun-2002 dhartmei

Move enum out of struct (gcc 3.1 wasn't happy), from David Krause


# 1.91 10-Jun-2002 kjell

split scrub rule processing into its own yacc target,
for imminent config file merge. ok frantzen@


# 1.90 09-Jun-2002 dhartmei

Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it
includes ports and operator.


# 1.89 09-Jun-2002 deraadt

spaced out developers...


# 1.88 09-Jun-2002 kjell

Add list parsing in RDR rules: e.g.

rdr on $IFLIST proto tcp from $SRC_LIST to $DST_LIST port 21 \
-> 127.0.0.1 port 8021

ok dhartmei@


# 1.87 08-Jun-2002 henning

nuke unused parameter af to expand_label_port
ok dhartmei@, pb@


# 1.86 08-Jun-2002 dhartmei

Change remaining read-only lookup tables to const, suggestion drahn@


# 1.85 08-Jun-2002 itojun

comment on IPv6 link-local twists


# 1.84 08-Jun-2002 kjell

add list expansion to src/dest in NAT rules. i.e.

nat on fxp0 from { 10.0.0.0/24, 10.0.1.0/24 } to \
{ 172.6.1.1, 172.14.1.2/32 } -> fxp0

ok theo, dhartmei@


# 1.83 08-Jun-2002 henning

remove macro concatenation via += per Theo's advice


# 1.82 08-Jun-2002 henning

allow macro concatenation like
webservers = "{ 10.0.0.1, 10.0.0.7, 10.0.0.8, "
webservers += " 10.0.0.17, 10.0.0.25, 10.0.0.37 }"
ok frantzen@, dhartmei@


# 1.81 08-Jun-2002 dhartmei

Make state timeouts configurable per rule, like

pass in from any to any port www keep state (tcp.established 60)

ok frantzen@


# 1.80 08-Jun-2002 henning

expand $nr -> rule number in rule labels
okay dhartmei@, frantzen@


# 1.79 08-Jun-2002 henning

expand $proto in rule labels
okay frantzen@ dhartmei@


# 1.78 07-Jun-2002 dhartmei

Handle realloc() failure gracefully. Terminates with err() anyway in this
case, but we don't want to trigger "p = realloc(p," grepping causing false
alarms here.


# 1.77 07-Jun-2002 deraadt

henning, read this to see what i mean by KNF


# 1.76 07-Jun-2002 pb

add the possibility to configure a TTL while return-rst

ok dhartmei@, ipv6 part itojun@ ok


# 1.75 07-Jun-2002 dhartmei

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@


# 1.74 07-Jun-2002 henning

allow using $srcaddr, $srcport, $dstaddr and $dstport in rule labels,
evaluated at parse time.
ok dhartmei@


# 1.73 07-Jun-2002 itojun

make IPv6 scope identification work for dst (from any to fe80::1%lo0)


# 1.72 07-Jun-2002 itojun

support scoped IPv6 address in from/to portion.


# 1.71 01-Jun-2002 hugh

ECN flag support for pf. Committed in consultation with Daniel.


# 1.70 24-May-2002 dhartmei

Support mixed (IPv4/v6) address lists, expand to all possible and valid
combinations. 'pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }' will
expand to two rules, 'from 10.1.2.3 to 10.4.5.6' and 'from ::1 to ::2'.
Also applies to host name resolution (when multiple addresses are returned
for one name). ok frantzen@, itojun@


# 1.69 23-May-2002 deraadt

tiny KNF, some malloc checks, etc


# 1.68 23-May-2002 itojun

new_addr is not used from anywhere. daniel@benzedrine.cx ok


# 1.67 19-May-2002 deraadt

KNF


# 1.66 12-May-2002 dhartmei

Explain that user/group 'unknown' can only be used with operators = and !=
and refuse other constructs in the parser. Also note that 'user >= 0' does
not match forwarded packets with unknown user ID.


# 1.65 12-May-2002 dhartmei

Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.


# 1.64 10-May-2002 dhartmei

Handle host name resolution returning multiple addresses in the rule
parser (expand to every address). ok frantzen@


# 1.63 09-May-2002 jasoni

Add a max-mss option to the scrub rule which will enforce a maximum mss
by lowering it to the given value.
- ok dhartmei@, provos@


# 1.62 09-May-2002 dhartmei

Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.


# 1.61 24-Apr-2002 dhartmei

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).


# 1.60 23-Apr-2002 dhartmei

Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.


# 1.59 18-Apr-2002 deraadt

use strlcpy


# 1.58 17-Apr-2002 dhartmei

Reset lineno for each file, so pfctl -R ... -N ... reports the right
line number for non-first files. Reported by aaron@


Revision tags: OPENBSD_3_1_BASE
# 1.57 27-Mar-2002 mickey

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok


# 1.56 27-Feb-2002 dhartmei

Instead of printing useless @0 rule numbers from pfctl -vR, increase a
counter. Helps debugging rule sets that are not loaded. Suggested by
John Kerbawy.


# 1.55 11-Jan-2002 mickey

use bsearch() for keywords lookup, swap couple of entries to make the keywords array sorted and add a comment to keep it that way; dhartmei@ ok


# 1.54 10-Jan-2002 hugh

Let port 0 be specified as it's not special here.
Agreement with Daniel and others.


# 1.53 09-Jan-2002 mpech

Port must be >0 and <=65535. Idea while having fun with ssh.

dhartmei@ ok


# 1.52 09-Jan-2002 mpech

free() 'interface' in {nat,binat,rdr}rule

dhartmei@ ok


# 1.51 09-Jan-2002 dhartmei

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.


# 1.50 08-Jan-2002 dhartmei

Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.


# 1.49 07-Jan-2002 mpech

remove 3rd argument from ipmask(), not used.

dhartmei@ ok


# 1.48 23-Dec-2001 deraadt

find correct line number in lval, instead of val


# 1.47 10-Dec-2001 dhartmei

Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.


# 1.46 05-Dec-2001 dhartmei

Correctly parse hex numbers. Spotted by Claudio Jeker. Closes PR 2234.


# 1.45 03-Dec-2001 dhartmei

For nat, binat and rdr rules, don't allow different address families in
one rule. pf can't translate IPv4 <-> IPv6 packets. Such rules didn't work,
even if they were falsely accepted before.


# 1.44 26-Nov-2001 jasoni

add fastroute options similar to what is found in ipf
ok dhartmei@, frantzen@


# 1.43 05-Nov-2001 deraadt

noone responds.
this diff makes } and { not be part of symbols


# 1.42 24-Oct-2001 dhartmei

Check interface names using ifa0_lookup() and print error message for
non-existent interfaces (instead of the generic ioctl error returned by
the kernel in this case).


Revision tags: OPENBSD_3_0_BASE
# 1.41 15-Oct-2001 dhartmei

branches: 1.41.2;
Add 'allow-opts' to rules. Packets with IP options will be blocked by
default now, and can be allowed per rule. ok deraadt@


# 1.40 11-Oct-2001 frantzen

Don't htonl() past buffer bounds if ipmask == 128


# 1.39 07-Oct-2001 dhartmei

Add interface name to address translation to pfctl, document it and add
a regress test. Translation is done on rule set load-time only, so the
rule sets must be reloaded when an interface address changes.
parse.y patch from Cedric Berger. Similar patch from Jonathon Fletcher.
Thanks to both.


# 1.38 01-Oct-2001 markus

print variable assignments only if -v is given. ok dhartmei/deraadt


# 1.37 28-Sep-2001 dhartmei

Support underscores in macro names and document it in the man page.


# 1.36 20-Sep-2001 dhartmei

Fix uninitialized structure fields. Problem reported by Cedric Berger.


# 1.35 15-Sep-2001 wilfried

Implement return-icmp(number), return-icmp6(number)
Differentiate between return-icmp and return-icmp6,
icmp-type and ipv6-icmp-type. ok dhartmei@


# 1.34 15-Sep-2001 dhartmei

Fix 'binat ... to any ...' (binat.af wasn't set).


# 1.33 15-Sep-2001 dhartmei

Parse bug, found by wilfried@


# 1.32 15-Sep-2001 frantzen

IPv6 support from Ryan McBride (mcbride@countersiege.com)


# 1.31 12-Sep-2001 markus

check calloc() return value


# 1.30 06-Sep-2001 jasoni

- you can only binat between hosts
- add binat example and description


# 1.29 06-Sep-2001 jasoni

1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@


# 1.28 04-Sep-2001 dhartmei

Support parameter lists {} for interfaces in filter rules, like
pass in on { gm0, kue0 } from any to any


# 1.27 28-Aug-2001 markus

move '!' from host_list to host: "xhost : '!' host | host;"; ok dhartmei@


# 1.26 28-Aug-2001 markus

check for malloc/strdup == NULL


# 1.25 28-Aug-2001 dhartmei

Support ! operator in host parameter lists. Fixes PR system/2030. Reported
by Kamil Andrusz <wizz@mniam.net>.


# 1.24 26-Aug-2001 deraadt

sort keywords


# 1.23 25-Aug-2001 frantzen

PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation.


# 1.22 23-Aug-2001 millert

o for a port_item, initialize the "next" pointer to NULL
o for an address, use calloc() instead of malloc() so the struct is zeroed
Fixes a SEGV in pfctl due to uninitialized "next" pointers.


# 1.21 23-Aug-2001 deraadt

Support var="string". Expansion (at lex time) done using $var, for instance:
okproto="{ssh, smtp, domain, auth}"
pass in on key0 proto tcp from any to any port $okproto keep state
Can I ask someone else to document this in pf.conf(5)?


# 1.20 19-Aug-2001 dhartmei

Add parameter list support to parser. Handles lists for protocol, hosts
and ports in filter rules, like

block in from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
pass in proto tcp from any to any port { ssh, 1024 >< 2000, > 65000 }
block in proto { udp, igmp }

and does rule expansion (generate all needed rule combinations).


# 1.19 16-Aug-2001 deraadt

track the line number per-token, so that we can report errors correctly


# 1.18 14-Aug-2001 mickey

optimize the flags parsing; markus@ ok


# 1.17 11-Aug-2001 deraadt

\+\n support, and spit out cc-style error messages. the parser's line
counting is lex dependent, and will need to be tweaked


# 1.16 31-Jul-2001 wilfried

allow to test that flags are unset, ok dhartmei@, mickey@


# 1.15 19-Jul-2001 krw

Fix/complete the handling of the binary ops >< and <> to behave
like the ipf operators.

The 'n >< m' construct (Include Range = PF_OP_IRG) should match
ports greater than n and less than m, not greater than or equal to
n and less than or equal to m.

The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match
all ports less than n OR greater than m, not be treated as an
alias for ><.

Thus PF_OP_GL, which was used for both <> and >< is replaced with
PF_OP_IRG and PF_OP_XRG with the 'correct' semantics.

OK dhartmei@


# 1.14 18-Jul-2001 markus

new ERROR token, errx() -> warnx() + ERROR; ok deraadt@


# 1.13 18-Jul-2001 markus

KNF for return


# 1.12 18-Jul-2001 mickey

check number range to fit in 32 bits


# 1.11 18-Jul-2001 mickey

put range checks on NUMBER, pointed out by deraadt


# 1.10 17-Jul-2001 mickey

spaces, parens, err instead of errx+strerror


# 1.9 17-Jul-2001 markus

warnx()/YYERROR instead of errx(); suggested by mickey@


# 1.8 17-Jul-2001 provos

markus doesn't like min-ttl =, begone


# 1.7 17-Jul-2001 provos

support min-ttl, okay dhartmei@


# 1.6 17-Jul-2001 provos

normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@


# 1.5 17-Jul-2001 marc

bitch about ! in pf rule; ok dhartmei@ and markus@


# 1.4 17-Jul-2001 millert

Only set default proto in the rdr case; markus@ OK


# 1.3 16-Jul-2001 markus

errx() if getservbyname() fails


# 1.2 16-Jul-2001 markus

better flags parsing; dhartmei


# 1.1 16-Jul-2001 markus

add a yacc parser for pf.conf and nat.conf, with help from mickey@,
plus: -n now turns off all operations, and just parses the conf files
ok deraadt@


# 1.713 07-Feb-2023 sashan

internal representation of icmp type/code in pfctl(8)/pf(4) does not
fit into u_int8_t. Issue has been noticed and kindly reported by
amalinin _at_ bh0.amt.ru via bugs@.

OK bluhm@


Revision tags: OPENBSD_7_2_BASE
# 1.712 23-Sep-2022 bluhm

Fix detection of duplicate sticky-address in pf.conf parser.
reported to FreeBSD by Franco Fichtner; from Kristof Provost


Revision tags: OPENBSD_7_1_BASE
# 1.711 25-Oct-2021 sashan

- pfctl $nr incorrect macro expansion

Issue reported by Kristof Provost from FreeBSD.
[ https://reviews.freebsd.org/D32488 ]

In order to fix the issue we must delay '$nr' macro
expansion after optimizer collapses ruleset.

OK kn@


# 1.710 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.709 01-Feb-2021 dlg

change route-to so it sends packets to IPs instead of interfaces.

this is a significant (and breaking) reworking of the policy based
routing that pf can do. the intention is to make it as easy as
nat/rdr to use, and more robust when it's operating.

the main reasons for this change are:

- route-to, reply-to, and dup-to do not work with pfsync

this is because the information about where to route-to is stored in
rules, and it is hard to have a ruleset synced between firewalls,
and impossible to have them synced 100% of the time.

- i can make my boxes panic in certain situations using route-to

yeah...

- the configuration and syntax for route-to rules are confusing.

the argument to route-to and co is an interace name with an optional
ip address. there are several problems with this. one is that people
tend to think about routing as sending packets to peers by their
address, not by the interface they're reachable on. another is that
we currently have no way to synchronise interface topology information
between firewalls, so using an interface to say where packets go
means we can't do failover of these states with pfsync. another
is that a change in routing topology means a host may become
reachable over a different interface. tying routing policy to
interfaces gets in the way of failover and load balancing.

this change does the following:

- stores the route info in the state instead of the pf rule

this allows route-to to keep working when the ruleset changes, and
allows route-to info to be sent over pfsync. there's enough spare bits
in pfsync messages that the protocol doesn't break.

the caveat is that route-to becomes tied to pass rules that create
state, like rdr-to and nat-to.

- the argument to route-to etc is a destination ip address

it's not limited to a next-hop address (though a next-hop can be a
destination address). this allows for the failover and load balancing
referred to above.

- deprecates the address@interface host syntax in pfctl

because routing is done entirely by IPs, the interface is derived from
the route lookup, not pf. any attempt to use the @interface syntax
will fail now in all contexts.

there's enthusiasm from proctor@ jmatthew@ and others
ok sashan@ bluhm@


# 1.708 12-Jan-2021 bluhm

Sometimes a user ID was logged in pflog(4) although the logopt of
the rule did not specify it. Check the option again for the log
rule in case another rule has triggered a socket lookup. Remove
logopt group, it is not documented and cannot work as struct pfloghdr
does not contain a gid. Rename PF_LOG_SOCKET_LOOKUP to PF_LOG_USER
to express what it does. The lookup involved is only an implementation
detail.
OK kn@ sashan@ mvs@


# 1.707 16-Dec-2020 kn

Fail to parse rules with invalid ranges

This makes pfctl(8) detect bogus ranges (with and without `-n') before
loading the ruleset and completes the previous commit.

OK sashan sthen


# 1.706 16-Dec-2020 kn

Reject rules with invalid port ranges

Ranges where the left boundary is bigger than the right one are always bogus
as they work like `port any' (`port 34<>12' means "all ports") or in a way
that inverts the rule's action (`pass ... port 34:12' means "pass no port at
all").

Add checks for all ranges and invalidate those that yield no or all ports.

For this to work on redirections, make pfctl(8) pass the range's type,
otherwise boundary including ranges are not detected as such; that is to
say, `struct pf_pool's `port_op' member was unused in the kernel so far.

`rdr-to' rules with invalid ranges could panic the kernel when hit.
Reported-by: syzbot+9c309db201f06e39a8ba@syzkaller.appspotmail.com

OK sashan


# 1.705 07-Dec-2020 sashan

synproxy should be processing incoming SYN packets only.
issue noticed by sthen@. fix discussed with bluhm@ and procter@

OK bluhm@, kn@, procter@


# 1.704 01-Oct-2020 kn

rdomain IDs do not need to exist for "on rdomain N" to work

Unlike "... rtable N", pf.conf(5)'s "on rdomain N" does not alter packet
state and will always work no matter if rdomain N currently exists or not,
i.e. the rule "pass on rdomain 42" will simply match (and pass) packets if
rdomain 42 exists, and it will simply not match (neither pass nor block)
packets if 42 does not exist.

There's no need to reload the ruleset whenever routing domains are created
or deleted, which can already be observed now by creating an rdomain,
loading rules referencing it and deleting the same rdomain immediately
afterwards: pf will continue to work as expected.

Relax both pfctl(8)'s parser check as well as pf(4)'s copyin routine to
accept any valid routing domain ID without expecting it to exist at the time
of ruleset creation - this lifts the requirement to create rdomains before
referencing them in pf.conf while keeping pf behaviour unchanged.

Prompted by yasuoka's recent pfctl parse.y r1.702 commit requiring an rtable
to exist upon ruleset creation.

Discussed with claudio and bluhm at k2k20.

Feedback sashan
OK sashan yasuoka claudio


Revision tags: OPENBSD_6_8_BASE
# 1.703 17-Sep-2020 yasuoka

Fix the previous commit whose conditions were reversed.

ok kn


# 1.702 17-Sep-2020 yasuoka

Make pfctl(8) check if the rtable really exists when parsing the
config. work with and diff from kn

ok kn


Revision tags: OPENBSD_6_7_BASE
# 1.701 28-Jan-2020 bket

sbin/pfctl: replace TAILQ concatenation loop with TAILQ_CONCAT

OK kn@, sashan@, florian@


# 1.700 15-Jan-2020 kn

Do the actual pfr_strerror() to pf_strerror() rename

Missed in previous


# 1.699 17-Oct-2019 millert

Use -1 to indicate an invalid uid/gid, not UID_MAX and GID_MAX.
This is the userland portion. OK deraadt@ sashan@


Revision tags: OPENBSD_6_6_BASE
# 1.698 26-Aug-2019 tobhe

Fix file descriptor leak due to popfile() never closing the main config file.

The fix is the same as for other parse.y files in the tree (see bgpd(8) or
unwind(8))

ok bluhm@


# 1.697 05-Jul-2019 patrick

Fix integer sizes in format strings and enable formatting warnings
for yyerror.

From Moritz Buhl
ok bluhm@ claudio@


# 1.696 08-May-2019 sashan

pfctl should check pfctl.astack is not overrun
(bug found and fixed by Petr Hoffmann _at_ oracle.com)

OK kn@


# 1.695 18-Apr-2019 kn

Fix table definition parsing as unprivileged user

revision 1.689 introduced warn_duplicate_tables() unconditionally, breaking
the parser on tables with insufficient permissions to open pf(4):

$ echo 'table <t>' | pfctl -nf-
pfctl: pfr_get_tables: Bad file descriptor

So simply check whether pfctl is able to get the table list first. If not,
instead of silently avoiding namespace collision checks, print a brief
notice iff `-v' is given to help finding duplicate definitions by hand:

$ echo 'table <t>' | ./obj/pfctl -vnf-
table <t>
stdin:1: skipping duplicate table checks for <t>

Reported by Rivo Nurges, thanks!
OK benno sashan


Revision tags: OPENBSD_6_5_BASE
# 1.694 06-Mar-2019 kn

Fix once rules

parse.y revision 1.682 from 16.07.2018 erroneously allowed `match once' and
`anchor "a" once'.

Fix both by checking for PF_DROP not PF_MATCH and creating anchors in the
parser already such that they can be used to distinguish anchor rules in
the same check as well.

Found and fixed by Petr Hoffmann <petr.hoffmann at oracle dot com>, thanks!

While here, remove an unneeded cast and make pfctl_add_rule() void as it
always returned 0.

OK sashan


# 1.693 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.692 10-Feb-2019 kn

Anchor names must not be empty

The parser would allow bogus input and sometimes even produce invalid rules
on empty anchor names, so error out immediately.

OK sashan


# 1.691 10-Feb-2019 kn

Unify anchor name sanity checks

For anchor names, make `load anchor' use the same grammar as `anchor' and
merge unique checks from both places so that anchor names are validated
regardless of the specific rule at hand.

OK sashan


# 1.690 31-Jan-2019 kn

Make divert-packet port accept any port specification

Contrary to other rules accepting a single port, this one only works with
numerical values. Fix it by simply using the proper grammar.

Port ranges are not accepted, but an error message on a range without start
was missing in general, so add it while here.

OK bluhm


# 1.689 11-Jan-2019 kn

When creating tables inside anchors, pfctl warned about namespace
collisions with global tables, but only in certain cases and with
limited information sometimes leaving users clueless.

Deferring the check to process_tabledefs() where tables are eventually
created, both anchor and table name are known which allows for checking
all existing anchors.

With this, warn on all duplicates even in dry-runs (`-n') and print
quoted names so they can be copied to fix configurations right away.

No functional change in parsing or ruleset production.

Discussed with and OK sashan


# 1.688 15-Nov-2018 dlg

scrub opts don't set tos, so remove it from the scrub_opts struct

ok deraadt@


# 1.687 10-Nov-2018 kn

Unbreak `-D macro=value' (r1.686 regression)

Zap trailing semicolon introduced with miko's cmdline_symset() leading to
unconditional err(3). Zap trailing tab while here.


# 1.686 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.685 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.684 16-Sep-2018 millert

Use uid_from_user(3) and gid_from_group(3) in utilities that
do repeated lookups. OK tb@


# 1.683 06-Sep-2018 kn

Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan


# 1.682 16-Jul-2018 kn

reduce duplicate code, fix typo/free correct buffer

In filteropts_to_rule():

* Merge `once' handling from `anchorrule' and `pfrule'
* Remove/shorten duplicate code block
* Fix typo I introduced with r1.678 that frees the wrong buffer (twice)

OK sashan


# 1.681 13-Jul-2018 kn

Fix regression on child queue definitions

I committed the wrong diff in 1.680 which turned `queue cq parent pq ...'
into invalid syntax by changing `interface' to `ON if_item'.

Found by bket, thanks!


# 1.680 11-Jul-2018 kn

Prevent invalid interface specifiers on queue rules

pf.conf(5) states that queues attach to actual interfaces only, yet the
following parses:

# echo queue eq on egress bandwidth 1G default | pfctl -f-
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

# echo queue rq on rdomain 0 bandwidth 1G default | pfctl -vf-
queue rq bandwidth 1G default
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

On rdomains, ifa_exists() returns NULL.
On interface groups, ifa_exists() returns non-NULL but af is never set
to AF_LINK.

OK henning sashan


# 1.679 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.678 10-Jul-2018 henning

'set delay' for the generic packet delay mechanism, ok benno sashan


# 1.677 10-Jul-2018 kn

fix anchor rules with filter opts, introduce filteropts_to_rule()

Some filter options were parsed but not set on anchor rules due to missing
copies of the respective struct members:

$ cat pf.conf
queue rq on trunk0 bandwidth 1G
queue dq parent rq bandwidth 1G default
anchor a set queue dq
$ pfctl -vnf pf.conf | fgrep queue
anchor "a" all

Fix this by moving common code from `anchorrule' and `pfrule' into a new
helper filteropts_to_rule().

Input from henning and benno
OK henning sashan jca


# 1.676 09-Jul-2018 kn

Zap dead code

Commented since r1.465 (2004).

OK deraadt benno jca sashan


# 1.675 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.674 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.673 18-May-2018 benno

A pf rule with a "on rdomain n" with nonexisting rdomain n will cause an

pfctl: DIOCADDRULE: Device busy

error when loading the ruleset, with no information which rule caused
the problem and no indication that the problem is the rdomain
<nonexisting>.

This diff makes pfctl check if the rdomain really exists when parsing
the config.

ok bluhm@


# 1.672 09-May-2018 otto

Fix (include file) line number counting by keeping track of the unget
buffer per file; also use that buffer to expand macros.
ok sashan@ dennis@ krw@


# 1.671 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.670 08-Feb-2018 henning

make the watermarks/thresholds for entering and leaving syncookie mode when
syncookies are set to adaptive tunable, ok claudio benno


# 1.669 06-Feb-2018 henning

allow control over syncookies: set syncookies never/always/adaptive


# 1.668 28-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@


# 1.667 27-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Convert the pfctl(8) rule parser to divert types, kernel cleanup
will be the next step.
OK sashan@


# 1.666 25-Nov-2017 sashan

- pfctl fails to handle nested 'load anchor' properly
[ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]

OK bluhm@


# 1.665 14-Nov-2017 sashan

- nested anchors vs. pfctl/parse.y
bug reported and fix tested by Leonardo Guardati

OK bluhm@


# 1.664 13-Nov-2017 henning

add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb


Revision tags: OPENBSD_6_2_BASE
# 1.663 11-Aug-2017 benno

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@


# 1.662 19-Jul-2017 mikeb

Allow HFSC classes to use flow queues

The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue. Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.

Discussed with and OK henning@ at d2k17 as a part of a larger diff.


# 1.661 19-Jul-2017 mikeb

Rework HFSC vs FQ-CoDel checks

The selection mechanism introduced in pf_ioctl.c -r1.316 suffers
from being too ambiguous and lacks robustness. Instead of relying
on composition of multiple flags in the queue specification, it's
easier to identify the root class (if it exists) and derive all
further checks from it.


# 1.660 28-May-2017 akfaew

Don't check np->port for NULL - it's an array, it's never NULL.

OK bluhm@


# 1.659 15-May-2017 mikeb

Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)

OK sthen, visa


# 1.658 28-Apr-2017 mikeb

Remove double assignments


Revision tags: OPENBSD_6_1_BASE
# 1.657 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.656 23-Nov-2016 bluhm

Explicitly forbid to combine af-to with route-to in pfctl. The
parser cannot handle that correctly and it is unclear whether the
kernel code would work. Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@


# 1.655 26-Aug-2016 guenther

Add <time.h> for time(); sort <*.h> includes

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.654 18-Jul-2016 henning

g/c unused (global!) var: oqueues isn't used any more. ALTQ leftover; not
noticed since struct node_queue stayed. ok claudio benno gcc


# 1.653 22-Jun-2016 kettenis

Add curly braces that were missed in rev 1.651. Add parentheses to make the
condition in the if statement more readable while I'm there.

ok phessler@, benno@, florian@


# 1.652 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.651 21-Jun-2016 benno

the manpage documents that af-to does not work on pass out rules, but
the pf.conf parser allows it, which leads to a non-working configuration
being loaded.
this changes the parser to make pass out .. af-to an error.

ok henning@ mikeb@


# 1.650 16-Jun-2016 henning

allow include in inline anchors
with this,
anchor foo {
include "/path/to/rules"
}
works and "load anchor" is obsolete, to be removed somewhen later after
release.
co-production with reyk at bsdcan, ok reyk mikeb benno sasha


Revision tags: OPENBSD_5_9_BASE
# 1.649 01-Sep-2015 sashan

- route-to, dup-to, reply-to should not override the block action

Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>

ok jung@, ok mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.648 21-Apr-2015 mikeb

Improve divert-to specification parsing w.r.t. rule address family.
ok henning


Revision tags: OPENBSD_5_7_BASE
# 1.647 26-Feb-2015 sthen

%% not % in error message; ok millert@ henning@


# 1.646 14-Feb-2015 sthen

Rather than using 0xff as a placeholder for "don't check prio", use 0xff to
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.

Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesn't like it he can change it when he recovers from jet-lag"


# 1.645 10-Feb-2015 henning

since we inherit prio (as in, the queuing priority) from outside sources,
i.e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan


# 1.644 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.643 19-Dec-2014 reyk

Support source-hash and random with tables and dynifs; not just pools.
This finally allows to use source-hash for dynamic loadbalancing, eg.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.

An older pre-siphash version of this diff was tested by many people.

OK tedu@ benno@


# 1.642 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.641 27-Oct-2014 mikeb

Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic. Reported by sthen@;
ok henning benno sthen


# 1.640 25-Oct-2014 lteo

Remove unnecessary netinet/in_systm.h include.

ok millert@


# 1.639 13-Sep-2014 doug

Replace all queue *_END macro calls except CIRCLEQ_END with NULL.

CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.

ok millert@


# 1.638 23-Aug-2014 pelikan

when you specify queues in a rule, make sure they have been defined.

DIOCADDRULE EBUSY turns into an error message that pfctl -n catches.
DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported
to occur, possibly from hfsc.c: this should be fixed as well.

ok henning mikeb sthen


# 1.637 21-Aug-2014 mikeb

deny "once" flags for match rules; ok henning


Revision tags: OPENBSD_5_6_BASE
# 1.636 02-Jul-2014 mikeb

branches: 1.636.4;
condition above makes this part of the check useless;
overlooked in the previous commit


# 1.635 30-Jun-2014 mikeb

Merge two loops in collapse_redirspec into one

This lets us do the checks only once and also make smarter decisions
about the rule's own address family. As a result af-to rules no longer
need to specify the address family after 'pass'.

ok henning


# 1.634 25-Jun-2014 mikeb

Make stricter decisions when handling translation specifications.

In particular, disallow specifications containing addresses of
different address families when rule doesn't specify one, for
example "pass out nat-to { ::1 1.1.1.1 }" will now produce an
error instead of silently picking one of the addresses.

sthen and deraadt agree


# 1.633 17-May-2014 bluhm

When parsing a numerical value for the TOS bits, make sure that it
is in a valid range.
OK henning@


# 1.632 19-Apr-2014 henning

remove altq bits here, too
(i was convinced i committed that yesterday already, hrm)


Revision tags: OPENBSD_5_5_BASE
# 1.631 22-Jan-2014 henning

branches: 1.631.4;
relax the cfg file secrecy check slightly to allow group readability.
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.630 21-Jan-2014 henning

if_item can be "any" now.
allows things like
block out on $someif received-on any
to prevent packets to get forwarded to $someif


# 1.629 20-Jan-2014 henning

support "!received-on <interface>", ok dlg benno


# 1.628 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.627 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


# 1.626 17-Oct-2013 henning

cannot have queue definitions inside anchors.
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@@ring0.de>, analysis & fix yours truly


# 1.625 12-Oct-2013 henning

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen


# 1.624 01-Aug-2013 mikeb

Provide local implementations of if_nametoindex(3) and if_indextoname(3)
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance wise this change provides a speed up
factor of 20 with an 11k line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).

"wow!" henning, ok benno, florian


Revision tags: OPENBSD_5_4_BASE
# 1.623 01-Jun-2013 henning

branches: 1.623.2;
remove set-tos backwards compat, moved into the set {} block a year ago
ok ryan


# 1.622 02-Mar-2013 sthen

When a PF rule contains 'set tos' *followed by* a scrub option, the tos
value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning


Revision tags: OPENBSD_5_3_BASE
# 1.621 16-Jan-2013 henning

for consistency with prio etc, the queue assignment really belongs
into the set block. so make pfctl accept, print and the manpage document
. match set queue foo
instead of
. match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc


# 1.620 18-Oct-2012 reyk

Disallow tables and interface address pools for rdr-to, nat-to and
route-to with any other scheduling algorithms than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, eg. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.

Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.

ok zinke@


# 1.619 18-Sep-2012 henning

prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb


Revision tags: OPENBSD_5_2_BASE
# 1.618 10-Jul-2012 bluhm

Allow an implicit address family for af-to rules. If the address
family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6"
there.
OK henning@ mikeb@


# 1.617 10-Jul-2012 henning

set { ... } -> set ( ... )
brought up by ryan, discussed with him and theo and they convinced me


# 1.616 09-Jul-2012 henning

fix some of the confusion we have in pf regarding filter criteria vs
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler


# 1.615 07-Jul-2012 henning

remove incorrect check in pfctl preventing set-tos for ipvshit.
the kernel has code to deal with set-tos and that crap. don't ask for
details. stuart ok


# 1.614 07-Jul-2012 henning

rename prio in struct pf_rule and related structs to set_prio so it is
utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc


Revision tags: OPENBSD_5_1_BASE
# 1.613 19-Dec-2011 mikeb

unbreak rule optimizer; ok henning, looks


# 1.612 12-Dec-2011 mikeb

fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault


# 1.611 03-Dec-2011 mcbride

pfctl_set_hostid always returns 0; don't pretend otherwise and make it a
void function instead.

ok dlg


# 1.610 13-Oct-2011 claudio

pfctl change for af-to / NAT64 support.
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@


# 1.609 07-Sep-2011 haesbaert

Avoid possible SIGSEGV when wrong tos option.


# 1.608 30-Aug-2011 mikeb

One shot rules can be used in pf.conf by specifying a "once" filter option.

ok henning, mcbride


Revision tags: OPENBSD_5_0_BASE
# 1.607 29-Jul-2011 mcbride

Remove requirement to quote 'debug' loglevel for the 'debug' option.

ok henning


# 1.606 27-Jul-2011 mcbride

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with a some minor cleanup.
ok henning claudio deraadt


# 1.605 13-Jul-2011 mcbride

Force user to specify protocol when filtering on user, gid, and os
attributes (this is now required by pf_rule_test()).

ok sthen henning


# 1.604 08-Jul-2011 henning

allow rules to specify "prio X" or "prio (X, Y)" to assign priority levels
for the new priority queueing implementation. valid range is 0 to 7. the old
trick for prioritizing empty ACKs etc remains thru the latter notation
ok ryan mpf sthen plus pea testing and halex and claudio reading


# 1.603 07-Jul-2011 mcbride

Fold pf_test_fragment() into pf_test_rule(), reduce code and fixes
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus


# 1.602 04-Jul-2011 henning

bye bye require-order.
i added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo


# 1.601 03-Jul-2011 henning

g/c RIO traces (aka clean up after tedu :))


# 1.600 03-Jul-2011 zinke

bring in least-states load balancing algorithm

ok mcbride@ henning@


# 1.599 06-Apr-2011 claudio

Userland bits to allow PF to filter on the rdomain a packet belongs to.
This allows to write rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@


# 1.598 05-Apr-2011 mikeb

ditch fastroute, an ipf feature that made its way into pf before
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do. reuse some kernel bits for the upcoming nat64
stuff. "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.


Revision tags: OPENBSD_4_9_BASE
# 1.597 31-Dec-2010 bluhm

According to pf_scrub_ip6() pf does not support the scrub options
no-df, random-id, set-tos for IPv6 rules. Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@


# 1.596 15-Dec-2010 henning

make the "invalid probability:" yyerror suck less
From: Thomas Pfaff <tpfaff@tp76.info>


# 1.595 01-Dec-2010 jsg

remove some unused tokens
ok henning@ mcbride@


# 1.594 24-Sep-2010 henning

remove the check that enforced rdr-to only inbound and nat-to only outbound.
both now can be used in both directions. the kernel allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given, a rule with rdr-to and/or nat-to
and no direction is pretty certainly an error (which would work,
technically)
ok ryan claudio dlg


# 1.593 22-Sep-2010 henning

new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually


# 1.592 02-Sep-2010 sobrado

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@


Revision tags: OPENBSD_4_8_BASE
# 1.591 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.590 03-Jul-2010 mcbride

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.

tested by phessler
ok henning


# 1.589 23-Mar-2010 henning

remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving anchors aside) is wrong and
conflicts with the general idea of how pf works. last but not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc


Revision tags: OPENBSD_4_7_BASE
# 1.588 13-Jan-2010 deraadt

Move tokens before productions into more consistent places
ok mcbride


# 1.587 13-Jan-2010 mcbride

Allow /netmask notation in redir spec, fix the rest of the regress
tests for illegal conditions in translation/routing.


# 1.586 12-Jan-2010 mcbride

We actually have to keep the translate/route spec addresses around after
collapsing into tables, so that we can handle all possible address family
expansions.


# 1.585 12-Jan-2010 mcbride

Set roundrobin flag correctly, and don't treat a bare interface
like a dynamic one in the routespec.


# 1.584 12-Jan-2010 mcbride

Add restrictions to make @if illegal outside of routing specs;
Fix binat-to sanity checks.


# 1.583 12-Jan-2010 mcbride

Fix some issues in redir spec handling, discovered thanks to dlg testing
- purge irrelevant addresses from the lists before collapsing
- ensure the lists are freed after they're collapsed
- more careful ifname copying, avoiding double-free / use-after-free traps


# 1.582 12-Jan-2010 mcbride

Don't leak @if0 format routing host names, pointed out by claudio.


# 1.581 12-Jan-2010 mcbride

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio


# 1.580 10-Jan-2010 deraadt

lex <=, >=, and != into a single token for correctness and to reduce the
lookahead in the parser
ok henning otto


# 1.579 10-Jan-2010 deraadt

In the non-optimized case, an address list containing "any" (ie. { any 10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1. How long this bug has
been with us is unclear.
ok guenther mcbride


# 1.578 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


# 1.577 24-Dec-2009 dlg

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:

pass out on em0 from $foo to $bar received-on fxp0

ive been running this in production for a week now. i find it particularly
useful with interface groups.

no objections, and a few "i like"s from henning, claudio, deraadt, mpf


# 1.576 10-Dec-2009 deraadt

plug some memory leaks; found by parfait, ok henning


# 1.575 22-Nov-2009 henning

cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing


# 1.574 09-Nov-2009 jsg

A few more places to be updated for the route pool change.
expanded version of a diff from Vadim Zhukov.

ok henning@ claudio@


# 1.573 28-Oct-2009 jsg

Add a dedicated pf pool for route options as suggested by henning,
which unbreaks ie route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@


# 1.572 28-Oct-2009 claudio

route_host initializes the netmask to a /128 no matter what af is used, so
that the load balancing code does not freak out, but because of this
check_netmask() is now complaining. So set the addr.type to PF_ADDR_DYNIFTL
so check_netmask() fixes up the netmask for IPv4 and stops complaining.
This is a partial fix for the failing regress test 13.
found with jsg, looks good henning


# 1.571 28-Oct-2009 claudio

Correct function name in err and errx.


# 1.570 04-Oct-2009 michele

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@, who pointed out the limitations of this approach.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@


# 1.569 08-Sep-2009 michele

I did not have enough oks to commit this diff.
Sorry.


# 1.568 08-Sep-2009 michele

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.


# 1.567 07-Sep-2009 reyk

implement binat-to as a macro-like rule: a rule using the new binat-to
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. this simplifies the migration from old
binat rules and is less error-prone.

feedback from many, manpage bits from jmc@
ok henning@


# 1.566 03-Sep-2009 reyk

this time i commit the right diff that was
ok henning@ (sorry)


# 1.565 03-Sep-2009 reyk

fix two route-to vs. rdr-to conflicts.

found by sthen@
ok henning@


# 1.564 02-Sep-2009 reyk

all the new *-to options are part of the "filteropts" section at the
end of a pf rule (nat-to, divert-to, rdr-to, ...). take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.

for example,
pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)

many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@


# 1.563 01-Sep-2009 henning

the diff theo calls me insanae for:
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too


# 1.562 28-Jul-2009 claudio

Bring back rev. 1.560:
Make it possible to use DiffServ Code Point in the TOS fields.
Requested by deraadt@


# 1.561 27-Jul-2009 deraadt

When will people learn to commit their .h file changes?


# 1.560 27-Jul-2009 claudio

Make it possible to use DiffServ Code Point in the TOS fields. Names like
af11, cs6 and ef will now be mapped to the corresponding TOS value.
OK henning@, sthen@, mcbride@


Revision tags: OPENBSD_4_6_BASE
# 1.559 14-May-2009 sthen

actually change the require-order default to No; I missed a part with
my last commit. ok deraadt@


# 1.558 26-Apr-2009 sthen

switch the require-order default to "no". regression tests still pass.
ok henning@ deraadt@


# 1.557 25-Apr-2009 henning

scrub_opts must not be empty, scrub on its own does nothing.
noticed due to a question from otto@, ok regress/sbin/pfctl/ ;)


# 1.556 06-Apr-2009 henning

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.
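
The match-rule and scrub semantics described in this entry, shown as a small constructed ruleset. This is an added example, not code from the pfctl source tree; the interface name em0, the queue names and the address 192.0.2.0/24 are placeholders.

```conf
# Constructed example ruleset, not part of pfctl; em0, the queue names
# and 192.0.2.0/24 are placeholders.
ext_if = "em0"

# Fragments are always fully reassembled; no-df clears DF on fragments only.
set reassemble yes no-df

# ALTQ queues that the match rules below assign packets to.
altq on $ext_if cbq bandwidth 100Mb queue { std, http, http_prio }
queue std bandwidth 50% cbq(default)
queue http bandwidth 30%
queue http_prio bandwidth 20% priority 7

# match rules never pass or block; they set actions every time they match.
# Rule 1: all inbound web traffic goes to queue http and gets scrubbed.
match in on $ext_if proto tcp to port 80 \
    queue http scrub (no-df, min-ttl 64, max-mss 1400)
# Rule 2: web traffic from one subnet is re-queued and logged.
match in log on $ext_if proto tcp from 192.0.2.0/24 to port 80 queue http_prio

block in on $ext_if
pass in log on $ext_if proto tcp to port 80
```

For a SYN to port 80 from 192.0.2.10, rules 1, 2, the block rule and the pass rule all match: the verdict is pass (last matching pass/block rule), the queue is http_prio (last rule that set a queue, even though the final pass rule sets none), the scrub options from rule 1 still apply, and the packet is logged twice, once by rule 2 and once by the pass rule. The same SYN from any other source skips rule 2, so it stays in queue http and is logged once. Check the ruleset with `pfctl -nvf file` before loading it; -n parses without installing.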


Revision tags: OPENBSD_4_5_BASE
# 1.555 19-Feb-2009 deraadt

spacing


# 1.554 17-Oct-2008 henning

in findeol(), do not skip the pushback buffer. fixes PR 5952 by sthen@ and
should make the pushback buffer really transparent.
diagnosis by me, fix with mpf, some input deraadt, ok mpf


# 1.553 02-Oct-2008 henning

implement "set state-defaults X", where X is a list of state options as
permitted keep state(X). applies to all rules which do not have keep state
explicitly. e. g. "set state-defaults pflow, no-sync"
ok phessler deraadt


# 1.552 10-Sep-2008 deraadt

do not try to print $$ when it has not been set


# 1.551 09-Sep-2008 henning

welcome pflow(4), a netflow v5 compatible flow export interface.
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo


# 1.550 07-Aug-2008 henning

correctly copy the log interface spec when expanding an antispoof rule that
covers loopback addresses. ok ryan
problem report from Harald Dunkel <harald.dunkel@aixigo.de>


Revision tags: OPENBSD_4_4_BASE
# 1.549 03-Jul-2008 deraadt

do not forget to initialize other member of $$ in qname; noted by mark shroyer
ok henning


# 1.548 10-Jun-2008 mcbride

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt


# 1.547 10-Jun-2008 henning

new state option "sloppy" to use the sloppy tcp state tracker instead
of the good one. ok theo ryan reyk


# 1.546 09-May-2008 deraadt

Replace a crockpot of semi-cloned productions for handling port
numbers with one, and fix a few other bugs along the way
ok mpf henning


# 1.545 09-May-2008 markus

convert port byte order in the production; add port keyword; ok deraadt@


# 1.544 09-May-2008 markus

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@


# 1.543 08-May-2008 deraadt

make "to any" optional in binat, or well, the implied default.
requested by reyk, ok reyk mpf


# 1.542 08-May-2008 deraadt

Loosen grammar to permit any number of newlines within most kinds of { }
blocks, as requested by reyk; ok reyk mpf henning


# 1.541 08-May-2008 deraadt

Bring back (in a more yacc friendly way) support for setting variables
to a sequence of strings and numbers, which get folded together into one
string (and later, when used, is re-lexed)
ok mpf


# 1.540 07-May-2008 deraadt

do not assume PF_INOUT is 0 in the enum; ok mcbride


# 1.539 07-May-2008 markus

scrub packets based on tags; ok henning


# 1.538 07-May-2008 markus

allow setting TOS with scrub; ok mcbride, claudio


# 1.537 21-Apr-2008 deraadt

optnl is a crutch for those who do not understand yacc. it
leads to a variety of errors; ok mcbride


Revision tags: OPENBSD_4_3_BASE
# 1.536 01-Feb-2008 mcbride

Enable the rest of the filter_opts to be used on anchors. These were accepted
by the parser but not passed to the kernel. This allows filtering based on
uid, gid, icmp options, tcp flags, os fingerprint, tos, tags, and probability;
It also allows the label to be set. State options and tagging are not
permitted.

ok henning mpf


# 1.535 13-Nov-2007 mpf

Bring back the number converter for 'set hostid'.
I forgot to think about hex numbers when I removed it.
OK deraadt@


# 1.534 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.533 25-Oct-2007 mpf

Fix probability rules w/ numbers (e.g probability 0.4).
Add support for probabilities of 0% and 100%.
With and OK deraadt@


# 1.532 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.531 22-Oct-2007 deraadt

pfctl does not need file secrecy


# 1.530 16-Oct-2007 mpf

Allow unquoted numbers in variables.
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.

OK deraadt@


# 1.529 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.528 13-Oct-2007 deraadt

support an include directive; file of course must also be "secure" like
the main configuration file; ok henning


# 1.527 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.526 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.525 01-Oct-2007 mpf

Backout NUMBER to string conversion.
Requested by deraadt@


# 1.524 27-Sep-2007 mpf

Add loginterface support for groups.
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.

OK henning@, markus@


# 1.523 23-Sep-2007 mpf

Allow numbers to be used as unquoted strings again.
While there, also restrict the use of concatenated, unquoted
strings for variable assignments only.

Eyeballed by markus@, OK henning@


# 1.522 12-Sep-2007 deraadt

add a missing range check for rtable ids; ok cloder henning


# 1.521 12-Sep-2007 deraadt

Add support to the lex for parsing number out of the stream. handle
this in the parser. because the new numbers are int64_t, many new
range checks for < 0 are needed. re-check and improve all the
existing rangechecks while at it. thanks for help by cloder and
dhartmei


# 1.520 30-Aug-2007 dhartmei

add support for address ranges ("from 10.1.2.50 - 10.1.3.75") in from/to
criteria. ok mcbride@


Revision tags: OPENBSD_4_2_BASE
# 1.519 21-Jun-2007 henning

always initialize logif, from max laier, ok ryan


# 1.518 20-Jun-2007 mpf

Allow "log" for nat rules without "pass".
OK henning@, ``passt scho'' (Bavarian: "that's fine") markus@


Revision tags: OPENBSD_4_1_BASE
# 1.517 03-Feb-2007 dhartmei

in decide_address_family(), only limit a rule to a specific address family
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@


# 1.516 07-Nov-2006 mcbride

Unbreak authpf by handling non-inline anchors separately from the { } anchors
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.

ok deraadt@


# 1.515 31-Oct-2006 mcbride

Allow pfctl ruleset optimizer to be controlled from the ruleset.

"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]

You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.

cleanup and ok henning@


# 1.514 31-Oct-2006 mcbride

- don't allow anchors with _* names to be cleared or loaded from the
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified

'looks sensible' deraadt@


# 1.513 28-Oct-2006 mcbride

Load all rules into memory before loading into the kernel, and add support
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").

anchor on fxp0 {
pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@


# 1.512 25-Oct-2006 henning

make absolutely sure logif is 0 unless set specifically, even if log is 0.
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...


# 1.511 25-Oct-2006 henning

and another nit, $$.log should be set to 0 explicitly on quick without log


# 1.510 25-Oct-2006 henning

urgs, $$.quick needs to be set to 0 explicitly on log (without quick)


# 1.509 25-Oct-2006 henning

allow the log interface to be selected like
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride


# 1.508 17-Oct-2006 mcbride

Don't automatically set 'flags S/SA' on stateless rules.

pointed out by david@

ok mpf@ dhartmei@


# 1.507 11-Oct-2006 deraadt

quotes around filename, pr 5253, sthen@zephyr.spacehopper.org


# 1.506 11-Oct-2006 mcbride

Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside
the anchor, terminate ruleset evaluation when stepping out of the anchor.

This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.

ok dhartmei@ henning@ deraadt@
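
How 'quick' on an anchor behaves, as a constructed inline-anchor ruleset (using the brace syntax from the 1.513 entry above). This is an added example, not code from the pfctl tree; fxp0 and 192.0.2.0/24 are placeholders.

```conf
# Constructed example, not part of pfctl; fxp0 and 192.0.2.0/24 are placeholders.
ext_if = "fxp0"

# quick only terminates evaluation if some rule inside the anchor matched.
# The leading 'block in' guarantees a match for every packet that enters
# the anchor, which makes the anchor terminal; drop that line and ssh from
# outside 192.0.2.0/24 falls through to the pass rule below instead.
anchor "ssh" in quick on $ext_if proto tcp to port 22 {
    block in
    pass in from 192.0.2.0/24
}

# Reached by ssh packets only when nothing inside the anchor matched,
# which the 'block in' above prevents.
pass in on $ext_if proto tcp to port 22
```

The trap this guards against is the one the entry describes: without a catch-all first rule, an anchor marked quick is terminal only for sources that some rule inside it matched, and everything else is still evaluated against the rest of the main ruleset.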


# 1.505 06-Oct-2006 mcbride

Oops, flags S/SA doesn't work on fragments.


# 1.504 06-Oct-2006 mcbride

Make 'flags S/SA keep state' the implicit default for filter rules, based on
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.

IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.

Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.

ok dhartmei@ deraadt@ henning@


Revision tags: OPENBSD_4_0_BASE
# 1.503 22-Aug-2006 dhartmei

back out -r1.497 (support for "tagged {}" lists), it broke "tagged" support
for nat rules. sorry, existing functionality trumps syntactic sugar. feel
free to resubmit a complete patch. closes PR 5207.


# 1.502 06-Jul-2006 henning

add "rtable" to select alternate routing tables.
with & ok claudio hshoexer


# 1.501 17-Jun-2006 henning

KNF


# 1.500 28-May-2006 mcbride

Make per-rule adaptive timeouts behave the same way as the global adaptive
timeouts.


# 1.499 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.498 02-May-2006 dhartmei

fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, create
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.


# 1.497 01-May-2006 dhartmei

add support for "tagged {}" lists, from Pierre-Yves Ritschard


# 1.496 06-Apr-2006 henning

allow lists inside lists for address specs, has been in my tree for
quite some time... theo likes


# 1.495 14-Mar-2006 djm

implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@


Revision tags: OPENBSD_3_9_BASE
# 1.494 17-Nov-2005 dhartmei

for pfctl -f rules, open the file before resetting options. when opening
the file fails, produce only the error message and leave options
unchanged. reported by Tamas TEVESZ, ok deraadt@


# 1.493 13-Oct-2005 henning

unused parameters


Revision tags: OPENBSD_3_8_BASE
# 1.492 14-Jun-2005 henning

no need to restrict tagging to stateful rules any more, dhartmei ok
From: "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.491 27-May-2005 dhartmei

get rid of 'log-all'. now that we have 'log (options)', make 'all' an
option to log. so, 'log-all' becomes 'log (all)'.


# 1.490 27-May-2005 dhartmei

get rid of shift/reduce conflicts, don't support empty logopts


# 1.489 27-May-2005 dhartmei

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v is used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.


# 1.488 27-May-2005 dhartmei

allow 'tagged' in 'anchor' rules (without complaining about missing
'keep state'), as a condition to branch into the anchor. suggested
by Bill Marquette.


# 1.487 26-May-2005 camield

The illegalness of "no nat log" is already enforced by the grammar.

ok dhartmei


# 1.486 26-May-2005 dhartmei

support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@


# 1.485 23-May-2005 camield

remove code that duplicates getservice()

ok dhartmei mcbride


# 1.484 21-May-2005 henning

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo


# 1.483 22-Apr-2005 camield

Catch bad flags, ie. flags that always evaluate to false. This happens
if there are flags on the lefthandside that are masked off by the
righthand side.

ok mcbride@ (long time ago) dhartmei@ henning@


Revision tags: OPENBSD_3_7_BASE
# 1.482 07-Mar-2005 henning

print unsigned long with %lu, not with %d and not with %ld.
From: Andrey Matveev <andrushock@korovino.net>


# 1.481 06-Mar-2005 henning

allow commas in the hfsc service curve spec, inconsistency pointed out in
PR4134 / geoff@collyer.net and a longer mail exchange with han boetes


# 1.480 06-Mar-2005 dhartmei

print "set skip on" with -v in such a way that the output is valid input
syntax, instead of the cryptic hex flags output.


# 1.479 27-Feb-2005 dhartmei

support 'tagged' in translation rules, non-delayed tag lookup
ok henning@, deraadt@


# 1.478 26-Feb-2005 henning

you sure get the impression the number of memory leaks in error paths
is infinite... Andrey Matveev <andrushock@korovino.net> spotted a few again!


# 1.477 07-Feb-2005 david

KNF; ok henning@


# 1.476 28-Jan-2005 dhartmei

add messages for syntax errors that caused silent failure before.
found by Peter Fraser, ok henning@


# 1.475 27-Jan-2005 dhartmei

dynamic interface names must start with a letter. catches the nonsensical
"(10.1.2.3)" that results from a simple typo like "$(ext_ip)" instead of
"$(ext_if)".


# 1.474 05-Jan-2005 mcbride

Modify pfctl behaviour so that 'set ...' options are no longer "sticky", ie.
they are reset to default values if omitted from a subsequent ruleset load.
Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set
without resetting the others, eg:
# echo "set loginterface fxp0" | pfctl -mf -

ok henning@ dhartmei@


# 1.473 29-Dec-2004 mcbride

Print 'set fingerprints' correctly when parsing verbosely.


# 1.472 23-Dec-2004 dhartmei

set rule_flag PFRULE_SRCTRACK when setting srctrack, found by camield@
using regress test pf84


# 1.471 22-Dec-2004 dhartmei

Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@


# 1.470 15-Dec-2004 henning

missing free()s; with pat


# 1.469 10-Dec-2004 henning

allow pf to filter on route labels
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan


# 1.468 08-Dec-2004 mcbride

Add "'overload' requires 'max-src-conn' or 'max-src-conn-rate'" sanity check,
fix some cut-n-paste mayhem in other related checks.


# 1.467 07-Dec-2004 dhartmei

re-commit mcbride@'s 'flush global', this time without the breakage in
pfvar.h. builds kernel and userland.


# 1.466 07-Dec-2004 deraadt

real backout


# 1.465 07-Dec-2004 deraadt

oops, incomplete backout


# 1.464 07-Dec-2004 deraadt

tree does not compile, spotted by dlg (not obvious how to fix)
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.463 07-Dec-2004 mcbride

Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.462 05-Dec-2004 dhartmei

initialize $$->tail and $$->next for MAXSRCCONNRATE


# 1.461 04-Dec-2004 mcbride

Userland support for limiting open tcp connections per source. eg:

keep state (max-src-conn 1000, max-src-conn-rate 100/10, overflow <bad> flush)

allow a maximum of 1000 open connections or 100 new connections in 10 seconds.
The addresses of offenders are added to the <bad> table which can be used in
the ruleset, and existing states from that host are flushed.

ok deraadt@ dhartmei@
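
The connection-limit options from this entry, together with the 'flush global' form and the 'overload requires max-src-conn or max-src-conn-rate' check from the 1.463 and 1.468 entries above, as a constructed ruleset. This is an added example, not code from the pfctl tree, and it uses the keyword 'overload' as those two entries spell it; em0 and the table name are placeholders.

```conf
# Constructed example, not part of pfctl; em0 and the table name are placeholders.
ext_if = "em0"

# pf adds offenders here; 'persist' keeps the table even when no rule references it.
table <bruteforce> persist

# Drop anything from a source that has already tripped the limit.
block in quick on $ext_if from <bruteforce>

# At most 10 open connections, or 5 new connections per 30 seconds, per source.
# 'flush global' also kills every other state the offender holds, not only the
# states this rule created (plain 'flush' is the rule-only default).
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA \
    keep state (max-src-conn 10, max-src-conn-rate 5/30, \
    overload <bruteforce> flush global)
```

The table fills at runtime, so entries are never aged out by the ruleset itself; on current pfctl a periodic `pfctl -t bruteforce -T expire 86400` removes addresses older than a day. Keep the block rule above the pass rule and mark it quick, otherwise a listed source can still create new states until the pass rule's own limit trips again.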


# 1.460 21-Sep-2004 aaron

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok


Revision tags: OPENBSD_3_6_BASE
# 1.459 29-Jun-2004 henning

remove cedric's bogus interface name verification code.
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nice enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being bugged to regularly.
help & ok mcbride@


# 1.458 29-Jun-2004 frantzen

convert a few memcpy()s to strlcpy() so we don't copy uninitialized junk into
an interface name's slack space past the \0. will be needed for the optimizer.
ok henning@


# 1.457 26-Jun-2004 david

add back PF_INOUT, fixes reassemble tcp
ok canacar@ mcbride@


# 1.456 25-Jun-2004 deraadt

repair tree nanobreak by the nanobum


# 1.455 10-Jun-2004 dhartmei

rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
keyword in C++. ok henning@, cedric@


# 1.454 21-May-2004 dhartmei

Use '/' instead of ':' as separator for anchor path components. Note that
the parser now needs quotes around paths containing separators.
ok mcbride@


# 1.453 19-May-2004 dhartmei

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@


# 1.452 24-Apr-2004 cedric

Add "probability xxx" rule modifier. ok deraadt@


# 1.451 22-Apr-2004 henning

typo, From: Jared Yanovich <jjy2+@pitt.edu>


# 1.450 14-Apr-2004 cedric

make antispoof work with dynamic addresses. ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_5_BASE
# 1.449 20-Mar-2004 david

spelling fix; ok dhartmei@ henning@ deraadt@


# 1.448 14-Mar-2004 dhartmei

#include fixes, from Max Laier, ok beck@ henning@


# 1.447 08-Mar-2004 henning

plug 124 memory leaks
ok mcbride@ pb@ dhartmei@


# 1.446 06-Mar-2004 henning

from bgpd:
plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. err(1, "yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.445 01-Mar-2004 dhartmei

support "tagged <name>" on anchor rules, suggested by vd@vmunix.lt,
ok henning@, cedric@


# 1.444 24-Feb-2004 mcbride

'max-src-nodes' requires 'source-track rule'. Set that automatically,
unless 'source-track global' is explicit, in which case error out. Lots of
help from cedric@.

ok cedric@ henning@


# 1.443 24-Feb-2004 cedric

fixup.


# 1.442 24-Feb-2004 mcbride

Check for 'source-track rule' with 'max-src-nodes'.

ok cedric@ henning@


# 1.441 11-Feb-2004 cedric

Fix interface clobbering for link-local addresses. Found by Pyun YongHyeon.
Fix "antispoof for foo" when foo has no addresses.
ok+help dhartmei@, ok mcbride@


# 1.440 10-Feb-2004 henning

KNF


# 1.439 10-Feb-2004 henning

fix at least the worst of Cedric "KNF is for everybody but me" Berger's fuckup


# 1.438 04-Feb-2004 mcbride

Handle rules like 'pass ... proto { tcp udp icmp } ... modulate state'

ok dhartmei@ henning@


# 1.437 03-Feb-2004 henning

fix PR 3664 / jared r r spiegel
we need to save the unexpanded tag/tagged strings before entering the
expansion loop, and at each loop, start with the unexpanded tag, so that
on subsequent loops the macros are replaced with current values and not
the values from previous loop persist
ryan theo ok


# 1.436 05-Jan-2004 henning

few off by ones in strlcpy overflow check; Patrick Latifi


# 1.435 04-Jan-2004 cedric

don't ignore "!" on "binat on !foo". ok mcbride@


# 1.434 31-Dec-2003 deraadt

spacing. note this, cedric


# 1.433 31-Dec-2003 cedric

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to a group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@


# 1.432 30-Dec-2003 henning

fix TAILQ abuse.
TAILQ_REMOVE is a no-no within a TAILQ_FOREACH loop.
also free the symbol itself after removal.
all found while hacking bgpd which incorporates pfctl's sym code (macros).

ok cedric@


# 1.431 19-Dec-2003 henning

i wrote much of these, assert my copyright


# 1.430 19-Dec-2003 deraadt

assert copyright. i rewrite much of this


# 1.429 16-Dec-2003 mcbride

Check that max-src-states and max-src-nodes are not being set to 0.


# 1.428 15-Dec-2003 henning

KNF here too


# 1.427 15-Dec-2003 mcbride

Whitespace.


# 1.426 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


# 1.425 15-Dec-2003 mcbride

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@


# 1.424 29-Nov-2003 dhartmei

allow ':' (range including boundaries) to be used wherever '><' (range
excluding boundaries) is legal. already supported by kernel, requires only
removal of three error messages. ok henning@


# 1.423 22-Nov-2003 henning

daniel stumbled over a broken regress test, and it turned out that I forgot
to commit a diff from 11/6...
do not insert the "block in on ! interface" rule for antispoof statements when
the interface in question does not have any IP address, because that then
expands to
block in on ! interface all
which is obviously bad.
niklas@ found it, dhartmei@ ok, and I think some more ppl ok I don't remember


# 1.422 14-Nov-2003 henning

allow the debuglevel to be set from pf.conf (set debug)

ok cedric@


# 1.421 08-Nov-2003 mcbride

Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.

pass in proto tcp to self flags S/SA keep state (no-sync)

ok cedric@ henning@ dhartmei@


# 1.420 06-Nov-2003 henning

and fix two err() that should be errx() while being here


# 1.419 06-Nov-2003 henning

need calloc here


# 1.418 06-Nov-2003 henning

allow the label macros to be used in tags as well.
the idea is not mine and I'd love to get credit, but I cannot find the mail
any more :-((

ok canacar@ dhartmei@


# 1.417 21-Oct-2003 itojun

don't use NULL as (int)0. henning ok


# 1.416 26-Sep-2003 cedric

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:

- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK

Ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_4_BASE
# 1.415 01-Sep-2003 henning

KNF


# 1.414 28-Aug-2003 kjell

This change is busted. what's worse, REGRESSION TESTS WOULD HAVE CAUGHT IT!
You MUST test network stack changes on BOTH BYTE-ORDERS.
Someone can fix this later, but right now I need to get the damn
firewall up. Grr.


# 1.413 26-Aug-2003 dhartmei

catch port/user/group a <>/>< b with a >= b, from mpech@


# 1.412 25-Aug-2003 dhartmei

catch return-rst ttl values > 255, from aaron@


# 1.411 24-Aug-2003 cedric

Tweaks:
- Make sure we allow only tables in round-robin pools for routing options,
same as what we do for translation rules.
- Don't reject rules like: "nat on sis0 -> <foo>" because
"no address family is given". This is perfectly valid.
ok henning@


# 1.410 22-Aug-2003 david

pf spelling police
ok dhartmei@ jmc@


# 1.409 21-Aug-2003 frantzen

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
	block proto tcp from any os SCO
	block proto tcp from any os Windows to any port smtp
	rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001


# 1.408 20-Aug-2003 henning

braindeadness police: catch queues which specify itself as child... 'nuff said


# 1.407 20-Aug-2003 henning

err out nicer on errors in queue def


# 1.406 18-Aug-2003 dhartmei

catch max-mss values > 65535, report by Gregory Steuck


# 1.405 09-Aug-2003 cedric

This patch removes the restriction that tables cannot be used in routing or
redirection rules...

The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.

This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.

Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"

ok henning@ mcbride@
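The expansion this message describes, as an added example rather than pfctl's table code: a small C program that turns an initializer such as "{ 10.0.0.0/29 !10.0.0.0 !10.0.0.7 }" into the concrete member list and then cycles through it the way a round-robin pool would. It assumes IPv4 only, blocks no larger than a /24, and that a negated entry removes its addresses regardless of where it appears in the list; the parser, the fixed-size address set and the cursor-based round-robin are constructed for the demonstration.

```c
/* Added example, not pfctl's own code: expand a pf-style table initializer
 * into the IPv4 addresses a round-robin pool would cycle through.
 * Assumptions: IPv4 only, blocks no larger than /24, negated entries
 * remove addresses wherever they appear in the list. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define MAX_ADDRS 256	/* enough for one /24 */

struct addrset {
	uint32_t addr[MAX_ADDRS];	/* host byte order, insertion order */
	size_t n;
};

/* Parse "[!]a.b.c.d[/len]". Returns 0 on success, -1 on a malformed entry. */
static int parse_entry(const char *s, int *neg, uint32_t *net, uint32_t *mask)
{
	unsigned a, b, c, d, plen = 32;

	*neg = 0;
	if (*s == '!') { *neg = 1; s++; }
	if (sscanf(s, "%u.%u.%u.%u/%u", &a, &b, &c, &d, &plen) < 4)
		return -1;
	if (a > 255 || b > 255 || c > 255 || d > 255 || plen > 32 || plen < 24)
		return -1;	/* reject junk and blocks the set cannot hold */
	*mask = 0xffffffffu << (32 - plen);
	*net = ((a << 24) | (b << 16) | (c << 8) | d) & *mask;
	return 0;
}

static void addrset_add(struct addrset *set, uint32_t a)
{
	size_t i;
	for (i = 0; i < set->n; i++)
		if (set->addr[i] == a)
			return;		/* already a member */
	if (set->n < MAX_ADDRS)
		set->addr[set->n++] = a;
}

static void addrset_remove(struct addrset *set, uint32_t a)
{
	size_t i, j = 0;
	for (i = 0; i < set->n; i++)
		if (set->addr[i] != a)
			set->addr[j++] = set->addr[i];
	set->n = j;
}

/* Expand the initializer. Positive entries are applied first, negated ones
 * second, so "{ !10.0.0.7 10.0.0.0/29 }" means the same as the reverse order.
 * Returns the number of members, or -1 on a parse error. */
int table_expand(const char *spec, struct addrset *out)
{
	char copy[512];
	int pass, neg;
	uint32_t net, mask, a;

	out->n = 0;
	if (strlen(spec) >= sizeof copy)
		return -1;
	for (pass = 0; pass < 2; pass++) {
		strcpy(copy, spec);
		for (char *tok = strtok(copy, " \t{}"); tok != NULL;
		    tok = strtok(NULL, " \t{}")) {
			if (parse_entry(tok, &neg, &net, &mask) < 0)
				return -1;
			if (neg != pass)
				continue;
			for (a = net; (a & mask) == net; a++) {
				if (neg) addrset_remove(out, a); else addrset_add(out, a);
				if (a == 0xffffffffu)
					break;	/* no wrap past 255.255.255.255 */
			}
		}
	}
	return (int)out->n;
}

/* Hand out the next member and advance, wrapping like a round-robin pool.
 * The caller must make sure the set is not empty. */
uint32_t round_robin_next(const struct addrset *set, size_t *cursor)
{
	uint32_t a = set->addr[*cursor % set->n];
	*cursor = (*cursor + 1) % set->n;
	return a;
}

int main(void)
{
	struct addrset set;
	size_t cursor = 0;
	int i, n = table_expand("{ 10.0.0.0/29 !10.0.0.0 !10.0.0.7 }", &set);

	if (n <= 0) { fprintf(stderr, "bad table spec\n"); return 1; }
	for (i = 0; i < n + 2; i++) {	/* two extra picks show the wrap-around */
		uint32_t a = round_robin_next(&set, &cursor);
		printf("%u.%u.%u.%u\n", (unsigned)(a >> 24), (unsigned)(a >> 16) & 255,
		    (unsigned)(a >> 8) & 255, (unsigned)a & 255);
	}
	return 0;
}
```

For the initializer from the message the set ends up with exactly the six members .1 through .6, and the seventh pick wraps back to .1; a block larger than the /24 limit or an octet above 255 is rejected instead of silently truncated.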


# 1.404 29-Jul-2003 deraadt

indent


# 1.403 19-Jul-2003 cedric

Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
instead of indirectly through struct pf_rule_addr.

Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.

Needless to say: KERNEL/USERLAND SYNC REQUIRED.

ok henning@ mcbride@


# 1.402 18-Jul-2003 cedric

Simplify handling of flags (-R, -N...). Remove PFCTL_FLAG_ALL.
ok dhartmei@


# 1.401 15-Jul-2003 cedric

Repair memory management in table parsing code.
I need vacations.
Found and verified by Pyun YongHyeon.
ok dhartmei@


# 1.400 14-Jul-2003 dhartmei

tpo


# 1.399 11-Jul-2003 cedric

Better parsing and -v support for tables:

- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and bring table definition consistent with other
parsed rules.

ok dhartmei@


# 1.398 10-Jul-2003 cedric

Fix merging of host lists.
ok dhartmei@ henning@


# 1.397 04-Jul-2003 henning

KNF after cedric (grmpf)


# 1.396 04-Jul-2003 henning

allow for a "pass" modifier on translation rules:
nat pass on $ext_if from $a to $b -> $ext_if
when the pass modifier is given, the filter ruleset is _not_ evaluated but
the packets matching this translation rule are passed unconditionally.

ok dhartmei@ cedric@ markus@


# 1.395 03-Jul-2003 cedric

Bye bye atexit(), bye bye globals...
The pfctl.c part will probably need some further improvements.
ok henning@


# 1.394 03-Jul-2003 cedric

This patch finally cleans up pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@


# 1.393 19-Jun-2003 deraadt

knf


# 1.392 18-Jun-2003 henning

change expand_label_addr() to use a switch (h->addr.type) instead of
if .. else if .. else, and handle PF_ADDR_NOROUTE as well.
inspired by a comment from cedric.


# 1.391 18-Jun-2003 henning

when expanding the $srcaddr/$dstaddr label macros and the address is actually
a table reference, don't print nonsense but the table name.
found by claudio jeker, fix by me, agreement by cedric


# 1.390 09-Jun-2003 mcbride

Attempt to resolve byte order confusion in nat code once and for all.

- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()

NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.


# 1.389 25-May-2003 henning

must not run check_netmask() before remove_invalid_hosts() - binat case had it
wrong for the redirection target.
reported by jared r r spiegel <jrrs@ice-nine.org>


# 1.388 19-May-2003 henning

reject invalid netmasks like 10.0.0.0/68, and fix up the netmask for
dynaddr rules after we know the address family

ok dhartmei@, inspired by a session with bob


# 1.387 19-May-2003 henning

all host() receivers have to test for NULL


# 1.386 19-May-2003 henning

if host() returns NULL, it is an error, so err the fuck out and don't
load bullshit


# 1.385 17-May-2003 henning

support inverse matching on tags like
block in ! tagged sometag

ok dhartmei@ pb@


# 1.384 16-May-2003 dhartmei

TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive end-
point, preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@


# 1.383 15-May-2003 henning

properly complain about too long tags


# 1.382 14-May-2003 frantzen

add scrub modifier "reassemble tcp" to turn on stateful TCP normalizations
ok henning@ dhartmei@


# 1.381 14-May-2003 henning

tagging on binat


# 1.380 14-May-2003 henning

enabled tagging on rdr rules


# 1.379 14-May-2003 henning

with tag/tagged given, only whine about missing keep state on pass rules


# 1.378 14-May-2003 frantzen

allow SCRUB rules to specify protocol again. broken sometime in the past.
okie dhartmei@, yay pb@


# 1.377 14-May-2003 henning

tags on nat rules:
nat on $ext_if all tag humppa -> $ext_if
pass out tagged hummpa keep state


# 1.376 13-May-2003 henning

make sure tagging is only ever used with stateful filter rules


# 1.375 13-May-2003 henning

userland part for tagging.
it's now possible to tag packets with an arbitrary tag and filter based on
that tag later on other interfaces:
pass in quick on fxp0 keep state tag blah
pass out quick on wi0 keep state with tag blah
can be used to express trust between interfaces, to distinguish between
NATed connections and connections originating from the firewall itself
and much more

ok dhartmei@ frantzen@ pb@ mcbride@


# 1.374 11-May-2003 mcbride

Don't ntohs() the translation port for nat as it is already in host byte order.
Makes nat ... -> $ext_if port 500 rules work correctly again.

ok henning@ dhartmei@ frantzen@


# 1.373 10-May-2003 henning

support loading of anchors from within the main ruleset via
load anchor anchorname:rulesetname file /path/to/file

ok pb@ dhartmei@ cedric@


# 1.372 03-May-2003 henning

don't free() the char * carrying the rule label too early
noticed by Mathieu Sauve-Frankel <m.sauve at secureops.net> via silc


# 1.371 01-May-2003 henning

ease label handling

ok cedric@


# 1.370 01-May-2003 henning

allow label on antispoof; requested by Gregor Binder <gbinder at sysfive.com>

ok cedric@


# 1.369 30-Apr-2003 cedric

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@


# 1.368 25-Apr-2003 dhartmei

Properly copy the second part of nat proxy port range, when specified.
ok henning@


# 1.367 15-Apr-2003 henning

pass down the unparsed queue opts (struct node_queue_opt) to
print_altq/print_hfsc -> print_hfsc_opts and extract struct node_hfsc_sc
there for each service curve and pass those down to print_hfsc_sc. now
bandwidth specifications in the service curves are printed correctly in the
case of a queue belonging to more than one interface/parent queue, the
parent queues having different bandwidths and the bandwidth on the service
curve being specified in percent.


# 1.366 14-Apr-2003 henning

let print_altq and print_queue take a struct node_queue_bw parameter instead
of distinct bw_percent


# 1.365 13-Apr-2003 henning

KNF


# 1.364 13-Apr-2003 henning

prevent double service curve specification


# 1.363 13-Apr-2003 henning

add support for the HFSC linkshare, realtime, and upperlimit service curves
to be specified.


# 1.362 13-Apr-2003 dhartmei

unbreak (missing })


# 1.361 13-Apr-2003 henning

say bye bye to hfscflags_list and hfscflags_item
welcome hfscopts_list and hfscopts_item, returning a full struct
node_hfsc_opt instead of just an int for the flags. needed because of all
the opts hfsc knows


# 1.360 13-Apr-2003 henning

new struct node_hfsc_opts for, surprise, hfsc options. needed because they
contain bandwidth specifications and we need to carry the unprocessed bw
specs around for quite some time until we can break them down to absolute
values.


# 1.359 13-Apr-2003 henning

pass down the struct node_queue_opts from the altqif/queuespec yacc targets
to expand_altq/expand_queue -> eval_pfaltq/eval_pfqueue and
further down to the new eval_queue_opts() instead of evaluating them directly
in the yacc grammar.
this will be needed to process the hfsc options which can contain relative
bandwidth specifications, and we can't break them down to an absolute one
earlier.


# 1.358 13-Apr-2003 henning

move the structs node_queue_bw and node_queue_opt to pfctl_parser.h.
let eval_pfqueue() and eval_pfaltq() take a pointer to a struct
node_queue_bw instead of two distinct bw_absolute and bw_percent parameters.


# 1.357 13-Apr-2003 henning

move the bandwidth keyword from within the bandwidth target up to the
queue_opts target so the bandwidth parser can be used for other things too;
will be needed for hfsc's linkshare etc


# 1.356 12-Apr-2003 henning

initial support for the HFSC scheduler.
whoever uses that for more than toying around is on drugs. it's far from done.


# 1.355 11-Apr-2003 henning

KNF


# 1.354 11-Apr-2003 henning

don't set r->qid and r->pqid in expand_rule any more, queue name -> queue ID
mapping is done in kernel land now


# 1.353 07-Apr-2003 dhartmei

Catch and refuse invalid icmp codes (> 255). ok pb@, mpech@.


# 1.352 05-Apr-2003 henning

ease netmask handling a bit

input theo, ok dhartmei@


# 1.351 05-Apr-2003 henning

allow queue specs to be limited to certain interfaces.

altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two }
queue one priority 1 priq(default)
queue two on $if0 priority 15
queue two on ! $if0 priority 0

ok dhartmei@


# 1.350 05-Apr-2003 henning

whitespace KNF


# 1.349 04-Apr-2003 henning

clean up:
instead of letting the lexer interpret '<' '>' '=' '>=' '<=' and return them
as PF_OP_LT, PF_OP_GT etc etc etc in PORTUNARY, just let the lexer return
'<' '>' and '=' literally, and in the few cases where the old PORTUNARY was
really used like originally intended, replace that by a new unaryop yacc
target. in all other cases that gets rid of quite some checks whether PORTUNARY
is really < and nothing else etc etc etc.

ok cedric@ deraadt@


# 1.348 27-Mar-2003 henning

lotsa const char *
from David Hill <david at phobia.ms> a while ago


# 1.347 27-Mar-2003 henning

introduce a "yesno" target. eases code a bit and yes is no keyword any more.


# 1.346 27-Mar-2003 henning

handle invalid priq/cbq flags better and give a nice error message


# 1.345 27-Mar-2003 henning

default, borrow, ecn, red and rio are no keywords any more. use STRING and
strcmp instead.


# 1.344 27-Mar-2003 henning

switch symset/symget to TAILQ instead of using hand baked lists

ok dhartmei@ cedric@


Revision tags: OPENBSD_3_3_BASE
# 1.343 19-Mar-2003 henning

branches: 1.343.2;
kill the address token and move the host() invocation up to the host token,
so that host() always gets the full address to be parsed including the
netmask instead of applying the netmask afterwards. this could break some
edge cases and was broken since the (interface)/24 fix.
new token dynaddr for, well, dynaddr, and apply an eventually given netmask
afterwards in the host token just in this case.

found after bug report From: Julien Bordet <zejames@greyhats.org> via dhartmei

ok daniel cedric


# 1.342 10-Mar-2003 henning

correctly cope with errors returned by eval_pfqueue and pfctl_add_altq

ok dhartmei@ pb@ (as part of... you know, monsterdiff)


# 1.341 10-Mar-2003 henning

when complaining about a queue without parent, include the queue name in
the error message

ok dhartmei@ pb@ (as part of a monsterdiff)


# 1.340 09-Mar-2003 henning

cope with LOOP_THROUGH modifying the list (queues).
in case of an error in the queue def in question the queues list remains
unmodified, but the LOOP_THROUGH caused a mod anyway, and the list can stay
empty. subsequent checks for NULL which check for an empty list fail then.
fix by adding an explicit check before looping.
fixes regress pfail31
error report by Kamil Andrusz via pb@, testcase from pb@
ok dhartmei@


# 1.339 09-Mar-2003 henning

cope with the fact that LOOP_THROUGH loops once even if the list is empty by
moving the addition of child queues a bit down after the successful
addition of the current queue and an explicit NULL check before looping.
fixes regress pf59
found by kjc@
ok kjc@ cedric@ dhartmei@


# 1.338 08-Mar-2003 henning

fix the obvious:
since we do not modify the struct pf_altq *a any more but our private copy,
we can of course not inherit the scheduler type from it, since it did not
inherit the scheduler type from the parent.
so just inherit the scheduler type from the parent directly...

ok dhartmei@ cedric@


# 1.337 08-Mar-2003 henning

in expand_queue, make a private copy of the struct pf_altq before modifying
it. modifying the original one had undesired side effects if a queue was
expanded to more than one because it belonged to more than one interface

ok pb@ cedric@ dhartmei@


# 1.336 06-Mar-2003 henning

fix queue assignment on filter rules which are not bound to an interface.
when looking up the queue IDs using qname_to_qid, we do not need to limit
the matching on the interface in question, as it is guaranteed that same
named queues on different interfaces have the same queue id. moreover, we
must not limit the matches to the interface if we do not have an interface
given on the filter rule to match on ;-)

found after problems reported by Andre Nathan <andre at v2r dot com dot br>

ok dhartmei@ pb@ cedric@


# 1.335 02-Mar-2003 henning

when printing queues at load time that have bandwidth specified in percent,
print the bandwidth in percent instead of the calculated absolute value.
if a queue belongs to more than one interface and they have different
bandwidth the calculated absolute is of course different per interface.
previously the first calculated absolute value was shown; what of course is
incorrect on the second interface. note that only the print was wrong, the
correct values were passed to the kernel.

ok theo daniel


# 1.334 02-Mar-2003 henning

remove the control keyword for cbq queues.
the control class was a legacy of the original CBQ design by LBL/Sun
to support RSVP.
the control class is not used in openbsd, in the sense that
we don't automatically set filters for ICMP/IGMP/RSVP for the control
class.

ok dhartmei@ kjc@ deraadt@


# 1.333 27-Feb-2003 david

modify error message to match the same 7 sections in pf.conf(5)
ok deraadt@ henning@


# 1.332 26-Feb-2003 henning

in expand_rule, correctly set r->pqid if a priority queue was defined, and
reuse the value of r->qid if not.

ok dhartmei@ mcbride@


# 1.331 25-Feb-2003 henning

some minor KNF my fingers just did...

ok dhartmei@ cedric@


# 1.330 25-Feb-2003 cedric

repair/simplify/flexify binat userland.
ok dhartmei@ henning@


# 1.329 24-Feb-2003 henning

when a macro is redefined, don't bother with reusing the existing entry in
symset() but just prepend a new sym entry to symhead like we always did. as
symget searches the list sequentially, the newest one is picked first.
prevents an endless loop introduced when trying to reuse the existing entry
by an invalid setting for the next pointer.
fixes regress test pf57.

found after conversation with Chris Linn, celinn at mtu dot edu

ok dhartmei@ cedric@


# 1.328 21-Feb-2003 henning

re-allow set loginterface none
ok cedric@ dhartmei@


# 1.327 21-Feb-2003 henning

better error message if set loginterface is called with nonexistent
interface, found by krause (who is doing EXCELLENT work. Thank you very
much!), fix by me, ok dhartmei@ and cedric@


# 1.326 20-Feb-2003 henning

reject nonexistent interfaces in the dynaddr case, noticed during discussion
with jasondixon at myrealbox dot com

ok dhartmei@


# 1.325 19-Feb-2003 dhartmei

Make 'from (kue0)/24' work again (dynamic interface name translation with
a /prefix), reported by Jason Dixon. ok henning@


# 1.324 19-Feb-2003 henning

better error message on icmp version / address family mismatch

ok markus@


# 1.323 18-Feb-2003 henning

fix load option handling (-A, -N, -R) for options.
due to a bug in the loadopt check options were always loaded no matter which
loadopts were specified.
while being there, move the prints for that to where they belong, into the
appropriate pfctl_set_* functions, and thus only print when the options are
actually loaded.
fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier.

ok dhartmei@


# 1.322 17-Feb-2003 henning

"optarg" was a bad pick for the variable name in pfctl_cmdline_symset, it
shadows a global. rename.


# 1.321 17-Feb-2003 mpech

-#include <sys/ioctl.h>

mcbride@, dhartmei@ ok


# 1.320 16-Feb-2003 henning

unneeded {}


# 1.319 16-Feb-2003 henning

throw a syntax error if the portunary operator in varset is no '='
extif>"whatever"
should not be the same as
extif="whatever"
but a syntax error.


# 1.318 14-Feb-2003 dhartmei

Allow route-to loopback interfaces again, since Ryan fixed the loops that
might have occurred before.


# 1.317 14-Feb-2003 cedric

Better and more consistent error message.
Ok dhartmei@


# 1.316 13-Feb-2003 henning

ease the yacc a bit by using a "not" rule instead of having two rules w/ and
without '!' everywhere

ok dhartmei@


# 1.315 12-Feb-2003 henning

KNF after ryan


# 1.314 12-Feb-2003 mcbride

Simplify the code and make the parser handle the different rule types
more consistently.

- Merge expand_nat and expand_rdr into expand_rule
- Merge rdrrule token into natrule

ok concept henning@
ok dhartmei@


# 1.313 11-Feb-2003 henning

allow macro definition on the command line:
pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea
theo), very handy if your notebook has another NIC at some conference, as
well as for debugging etc.
idea rezine@mistrusted.net via pb@
hacked live at FOSDEM

ok pb@ dhartmei@ cedric@


# 1.312 09-Feb-2003 henning

more live code from FOSDEM:
make
pass in proto tcp to port 80
work.
-allow to omit the "any" if you're specifying a port
-allow to omit the from or to part if you want "any" for the other

ok dhartmei@ pb@


# 1.311 09-Feb-2003 henning

KNF


# 1.310 09-Feb-2003 camield

Fix a few warnings and remove unnecessary check and cast.

ok dhartmei henning


# 1.309 08-Feb-2003 dhartmei

Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@


# 1.308 05-Feb-2003 cedric

Fix "pass out dup-to (tun0 1.1.1.1) inet6 all" error message
Allow "pass out dup-to tun0 all"
ok mcbride@ henning@


# 1.307 05-Feb-2003 mcbride

Set the network mask to all 1's if no address is specified for a
route-to/dup-to/reply-to rule. Keeps round-robin from incrementing through
the entire address space.

ok dhartmei@


# 1.306 03-Feb-2003 deraadt

pretty


# 1.305 03-Feb-2003 dhartmei

Don't allow loopback interfaces as route/reply/dup-to targets. ok henning@


# 1.304 03-Feb-2003 cedric

remove loadopt global definition and cleanup a bit.
ok henning@


# 1.303 03-Feb-2003 henning

fix a problem with queue definitions when load options (like -N etc) are
given; they used to check for their parent interface/queue even in this
case.

ok dhartmei@ cedric@


# 1.302 02-Feb-2003 henning

there is no need to pass opts to parse_rules explicitly; it's passed as
part of the struct pfctl.


# 1.301 27-Jan-2003 deraadt

KNF


# 1.300 25-Jan-2003 mcbride

Match changes for rdr port ranges made to pf.c:
- fixes behaviour of rdr on le0 from foo to bar port 1:20 -> (lo0) port 22
- makes calculated mapping more explicit for the -> (lo0) port 22:* case

testing from dhartmei@

ok dhartmei@


# 1.299 25-Jan-2003 cedric

Fix NOACTION with table statements.


# 1.298 25-Jan-2003 cedric

Permit initialisation of a table content from a file in pf.conf.
Cleaning up of the table options parsing, more flexible.
idea+cleanup deraadt@, ok dhartmei@, pass all regress tests.


# 1.297 25-Jan-2003 cedric

Correctly check illegal constructs with tables. Better error messages.
ok dhartmei@ pass all regress tests.


# 1.296 25-Jan-2003 henning

if a table name is too long, it's actually nice to tell so instead of just
aborting with a syntax error


# 1.295 20-Jan-2003 camield

Remove unused argument from print_name() and fix two other nits
found by lint.

ok henning


# 1.294 19-Jan-2003 camield

Spin off label string expansion into a separate function. Clarifies
and tightens all expand_label functions.

ok dhartmei henning


# 1.293 18-Jan-2003 henning

KNF after ryan...


# 1.292 18-Jan-2003 mcbride

Add missing token string and assignment to make static-port work for real.

Diff and report courtesy of mpech@ and form@

ok dhartmei@


# 1.291 17-Jan-2003 camield

bandwith -> bandwidth

YYERROR on failed parseicmpspec()

ok dhartmei mcbride henning


# 1.290 15-Jan-2003 mpech

Typo in yyerror().

henning@


# 1.289 14-Jan-2003 henning

unified IP parser:
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h]
-extend host() to handle /mask itself, plus minor adjustments
-use that in pfctl_table.c instead of coding the same shit again

discussed w/ cedric@
ok cedric@ dhartmei@


# 1.288 13-Jan-2003 camield

err() on all memory allocation failures

ok henning dhartmei


# 1.287 11-Jan-2003 mcbride

Whitespace KNF


# 1.286 09-Jan-2003 henning

no need for explicit numbering in enums

ok dhartmei@


# 1.285 09-Jan-2003 dhartmei

Check return values on the remaining strlcpy/strlcat. ok henning@


# 1.284 09-Jan-2003 henning

minor KNF


# 1.283 09-Jan-2003 cedric

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@


# 1.282 08-Jan-2003 deraadt

check more strlcpy; camield@


# 1.281 07-Jan-2003 dhartmei

Allow underscore at the beginning of strings, fixes
pass all user _spamd
which was refused as syntax error before. Reported by Joe Nall.
ok henning@


# 1.280 07-Jan-2003 dhartmei

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@


# 1.279 06-Jan-2003 mcbride

Fix some oversights with address pools for route-to/dup-to/reply-to
- copy key for src-hash
- copy pool type (pools were being set to round-robin in all cases)

+ some minor knf.

ok dhartmei@


# 1.278 05-Jan-2003 henning

err after calloc failure, not errx


# 1.277 05-Jan-2003 dhartmei

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@


# 1.276 04-Jan-2003 dhartmei

move noroute from flag in pf_rule_addr into type in pf_addr_wrap.
ok henning@, mcbride@


# 1.275 04-Jan-2003 deraadt

I do not know where this policy of "one .h file for every .c file" comes
from, but whoever thought of it is stupid.


# 1.274 03-Jan-2003 dhartmei

whitespace KNF (no, i don't touch the option inits)


# 1.273 03-Jan-2003 cedric

Bring in userland code for accessing PF radix tables.
ok dhartmei@ mcbride@


# 1.272 02-Jan-2003 mcbride

Require a direction to be specified for rules which do routing.

ok dhartmei@ henning@


# 1.271 30-Dec-2002 mcbride

Change ipv6-icmp-type to icmp6-type. pf.conf files will need to be adjusted
to reflect this.

ok dhartmei@ henning@


# 1.270 27-Dec-2002 mcbride

Since pf_norm.c looks at rule.log to see if it should log packets being
dropped due to scrub violations, this adds the ability to set this in
pf.conf.

ok henning@


# 1.269 21-Dec-2002 henning

always initialize rpool.key; diff from Frank Denis; KNF by me


# 1.268 21-Dec-2002 henning

KNF


# 1.267 20-Dec-2002 dhartmei

remove a redundant assignment.


# 1.266 19-Dec-2002 dhartmei

fix 'no rdr'.


# 1.265 18-Dec-2002 henning

more KNF


# 1.264 18-Dec-2002 dhartmei

proto list expansion is not supported in binat-anchor yet, print an error
when attempted.


# 1.263 18-Dec-2002 dhartmei

Support (single) destination port in rdr-anchor rules. Print an error
where parameters are not supported (in rdr-anchor and binat-anchor) yet.
If those are needed, we'll have to expand them properly.


# 1.262 18-Dec-2002 deraadt

fix some INCREDIBLE new bugs which were introduced


# 1.261 17-Dec-2002 henning

add support for the PRIQ scheduler

partially from kjc@

ok kjc@ dhartmei@


# 1.260 17-Dec-2002 mcbride

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule

ok dhartmei@ henning@


# 1.259 17-Dec-2002 henning

missing break in switch


# 1.258 17-Dec-2002 henning

beautify the %type block


# 1.257 17-Dec-2002 henning

PRIQ and HFSC support functions, not yet used.
mostly from kjc@ with adjustments by me.

ok theo ryan daniel


# 1.256 16-Dec-2002 henning

only create a root queue if scheduler = cbq


# 1.255 16-Dec-2002 henning

get full [scheduler]_opts struct instead of just .flags, and wrap it into a
switch (scheduler) statement in one case

inspired by kjc@


# 1.254 13-Dec-2002 henning

allow a second queue for higher priorized (currently: tos=lowdelay) packets
to be specified per rule

queue (qname, priorized_qname)

idea dhartmei
ok dhartmei@ frantzen@ deraadt@


# 1.253 13-Dec-2002 henning

a bit KNF originally part of another diff soon to come; frantzen@ correctly
pointed out that should be a separate commit.


# 1.252 13-Dec-2002 deraadt

permit re-ordering of some scrub parameters, and also clean up some other
grammar baloney; henning ok


# 1.251 12-Dec-2002 henning

KNF


# 1.250 12-Dec-2002 henning

we don't need to keep a private copy of the queue name in expand_rule,
r->qname is never modified

discussed with dhartmei@


# 1.249 11-Dec-2002 mcbride

Replace strncpy + ugly pointer math with sscanf for reading source-hash keys

ok dhartmei@ henning@


# 1.248 09-Dec-2002 dhartmei

(properly guarded) strcpy() -> strlcpy()


# 1.247 09-Dec-2002 deraadt

do not allow redefinitions in variable option blocks; henning ok


# 1.246 08-Dec-2002 henning

strncpy is evil.


# 1.245 08-Dec-2002 henning

allow flexible options order like Theo did for rules.

idea, lots of input, motivation and ok deraadt@

ATTENTION:
this changes the syntax. the "scheduler" keyword is gone now.
old: altq on $interface scheduler cbq ...
new: altq on $interface cbq ...


# 1.244 07-Dec-2002 dhartmei

Support parameters in anchor rules. Allows conditional evaluation, like:

anchor spews inet proto tcp from any to any port smtp

ok deraadt


# 1.243 07-Dec-2002 henning

more KNF


# 1.242 07-Dec-2002 henning

KNF


# 1.241 07-Dec-2002 henning

shadow cleanup

ok mcbride@ frantzen@


# 1.240 07-Dec-2002 henning

kill an unused param to lungetc


# 1.239 07-Dec-2002 mcbride

Convert the hash of a string key to network byte order. Makes regression
work on all platforms.

Bug found by dhartmei@

ok dhartmei@ henning@


# 1.238 06-Dec-2002 dhartmei

Remove negated address list check again, doesn't work right yet.


# 1.237 06-Dec-2002 dhartmei

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@


# 1.236 05-Dec-2002 henning

fix a small cosmetic problem. if ifa_lookup was called in LOOKUP_NET mode,
it would return things like 127.0.0.1/8. when 127.0.0.1/8 is passed through
the new selftests, it becomes 127.0.0.0/8.
fix: instead of just copying addr.mask in ifa_lookup, use set_ipmask, so it
is 127.0.0.0/8 from the beginning on.


# 1.235 05-Dec-2002 henning

-quote varset in -v output
-don't add 's' in set timeout -v output

makes the feedback regression tests succeed.

ok markus@ mcbride@


# 1.234 04-Dec-2002 henning

in host(), apply a given netmask to all members of the node_host list
returned by ifa_lookup().

reported by Alejandro G. Belluscio

ok dhartmei@


# 1.233 04-Dec-2002 deraadt

do not warn for unused variables except with -v -v; henning ok


# 1.232 02-Dec-2002 henning

KNF


# 1.231 02-Dec-2002 deraadt

permit more flexible pass/block lines. the options given at the end of
a line can now be placed in any order, and some merging of duplicate options
is also done. this is easier to use.


# 1.230 02-Dec-2002 henning

allow for "altq on $interface" without specifying a bandwidth. The
interface's bandwidth is taken then.
as a side-effect, "altq on $interface bandwidth xx%" is also possible now,
it's relative to the interface's bandwidth then.

ok theo


# 1.229 30-Nov-2002 mickey

move damn unmask() proto into place as well


# 1.228 29-Nov-2002 henning

coredumps are not nice.
deal with the fact that when we are merging the lists in host_list both can
be NULL.
found at EuroBSDCon 2002 while I was explaining the expansion process to
Paul de Weerd

ok dhartmei@


# 1.227 29-Nov-2002 henning

print queuespec only once in verbose mode, even if referenced more often


# 1.226 29-Nov-2002 henning

FREE_LIST nqueues later; can be used more than once


# 1.225 28-Nov-2002 henning

allow qlimit on altq spec


# 1.224 28-Nov-2002 mcbride

- Adjust to match replacement of md5 with pf_hash
- Allow keys to be specified in hex (must be 128 bits, mainly to make
pfctl -v output parseable by pfctl) or as a string. Randomly generate key
if one is not specified.

Suggestions and fixes from camield@

ok mickey@ camield@ henning@


# 1.223 27-Nov-2002 henning

handle the "no bandwidth specified" case earlier and easier.


# 1.222 27-Nov-2002 henning

-use a #define for default qlimit instead of hardcoding it
-print qlimit in print_queue if it is not the default one
-assign the default qlimit early in the parser instead of using 0


# 1.221 27-Nov-2002 henning

next round in print fixes:
-only print priority if it is not equal to the default one
-space handling overhaul


# 1.220 27-Nov-2002 henning

use a #define for default priority instead of hardcoding it


# 1.219 27-Nov-2002 henning

fix tbrsize spec


# 1.218 27-Nov-2002 henning

fix error message for altq ifspec without child queues


# 1.217 26-Nov-2002 henning

make bandwidth specification on queue truly optional


# 1.216 26-Nov-2002 henning

queue comes before NAT


# 1.215 25-Nov-2002 henning

repair decide_address_family
you cannot just take the first address family you meet as rule's address
family... either all are equal, or the rule has no explicit AF.

found by danh@
ok theo


# 1.214 25-Nov-2002 mickey

for loN and link1 translate the iface into address properly; henning@ ok


# 1.213 25-Nov-2002 henning

1Kb = 1000b, not 1024; as discussed with kjc@ and theo


# 1.212 25-Nov-2002 henning

KNF


# 1.211 24-Nov-2002 pb

enforce that queue comes right before filtering
'options, normalization, translation, queue, filter' now

henning@ ok


# 1.210 24-Nov-2002 dhartmei

Cosmetics and removal of a redundant code block.


# 1.209 23-Nov-2002 deraadt

sigh


# 1.208 23-Nov-2002 henning

KNF


# 1.207 23-Nov-2002 henning

better error checking in expand_queue


# 1.206 23-Nov-2002 henning

easier


# 1.205 23-Nov-2002 mcbride

Daniel's diff to untangle my mess with ifa_pick_ips like so:

- add decide_address_family() which runs through the list to find hosts
with the af set
- replace ifa_pick_ips with remove_invalid_hosts() which removes hosts with
the wrong address family from the list

from/ok dhartmei@


# 1.204 23-Nov-2002 henning

better error checking, round 1
this time in expand_altq


# 1.203 23-Nov-2002 henning

KNF


# 1.202 23-Nov-2002 deraadt

KNF


# 1.201 23-Nov-2002 dhartmei

$$->ifname is NULL, leave it NULL, don't $$->ifname[0] = 0;


# 1.200 23-Nov-2002 mcbride

Fix brokenness in parse.y, clean up:
- remove requirement for ( ) in route-to ( if )
- calloc route_host
- initialise route_host->next
- globally convert malloc to calloc

ok dhartmei@


# 1.199 23-Nov-2002 mcbride

code to support loading of pf rules with multiple redirection addresses
(in nat, rdr, route-to, dup-to and reply-to)

Syntax looks like this, see pf.conf(5) for details:

nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
192.168.0.16/29 source-hash random

rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
{ 192.168.0.8/31, 192.168.0.15 } port 22 round-robin

ok dhartmei@ henning@


# 1.198 22-Nov-2002 henning

print altq and queue lines in the pfctl -v case including the child queue
assignment


# 1.197 19-Nov-2002 henning

only take cbq opts from schedtype if type=CBQ


# 1.196 19-Nov-2002 henning

repair queuespec syntax glitch, theo agrees


# 1.195 19-Nov-2002 henning

default priority is 1, not 0
found by pb@


# 1.194 19-Nov-2002 camield

- match 'Gb' case-sensitively
- match "%" unit only, not "%crap"

ok henning@


# 1.193 19-Nov-2002 wilfried

icmp-type was off by one, ok henning@


# 1.192 18-Nov-2002 deraadt

no; do not use };


# 1.191 18-Nov-2002 henning

more using strl* return values instead of strlen calls


# 1.190 18-Nov-2002 henning

easier "queue name too long" detection; from theo


# 1.189 18-Nov-2002 deraadt

KNF


# 1.188 18-Nov-2002 deraadt

KNF


# 1.187 18-Nov-2002 henning

altq and pf merged

this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documentation yet, but committing now
enables a few more people to work on.

print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.

"commit now" theo philipp daniel


# 1.186 13-Nov-2002 henning

as scrub rules end up in a struct pf_rule just call expand_rule instead of
handcrafting this.
has quite a few positive side effects:
-interface list expansion works (fries@ asked for that)
-can specify address family, very helpful with dynamic interface expansion
(pointed out by daniel)
-src/dst ip/port list expansion works
-fixes a long standing, scary, though never noticed bug:
scrub out on lo1 from any to 10.0.0.1
expanded to
scrub out on lo1 all
... this bug was there from day #1.

"sneaky diff of the month award" dhartmei@


# 1.185 13-Nov-2002 dhartmei

Add label macro $if, as we support {} list expansion for interfaces now.
From David Gwynne. ok henning@, camield@


# 1.184 13-Nov-2002 dhartmei

Initialize tail pointer to node, found by fries@


# 1.183 08-Nov-2002 henning

init buf to NULL just in case...
there isn't a single codepath where it can remain uninitialized, but this
might prevent a stupid bug if we change something later


# 1.182 07-Nov-2002 henning

move the ifa_exists block a bit up in host()
inspired by mpech@ pointing out a missing free(buf). so handle the
it-is-an-interface case where we don't need the buf before allocating memory.


# 1.181 04-Nov-2002 henning

welcome to CIDR world, pfctl!

use inet_net_pton to parse IP addresses.
stuff like
block in from 10/8 to any
works now.

some input camield@ and dhartmei@

ok dhartmei@, camield@, mcbride@


# 1.180 02-Nov-2002 dhartmei

%i -> %d, matches the style of existing code, from millert@


# 1.179 02-Nov-2002 dhartmei

printf int with %i, not %u. from pilot@monkey.org.


# 1.178 30-Oct-2002 henning

simplify


# 1.177 30-Oct-2002 henning

fix interface expansion. since the reversed list expansion code was
committed this was broken, only the first IP address was returned.

pointed out by danh@, who sent an excellent bug report.

ok dhartmei@


# 1.176 29-Oct-2002 henning

introduce
set require-order [yes|no]
default is yes.
with set to "no", it isn't required to have the rules in order (options,
scrub, nat, filter) any more, though of course NATing still happens before
filtering and so on, so one has to take care.

ok camield@ mcbride@ dhartmei@
idea discussed with a whole lotta more people and basically ok for everyone ;-)


# 1.175 27-Oct-2002 henning

remove the "flags X" syntax.
no one who wrote "flags S" meant that, but actually something like "flags
S/SA". with "flags S" changing its actual meaning as more flags got
supported, things got worse.

ok dhartmei@, pb@


# 1.174 22-Oct-2002 mpech

%ul -> %lu

dhartmei@ ok


# 1.173 22-Oct-2002 mcbride

More conversion of "int af" and "u_int8_t af" declarations and function
arguments to the more correct and descriptive "sa_family_t af"

ok dhartmei@ henning@


# 1.172 22-Oct-2002 camield

Rename ipmask to set_ipmask and add some functionality: the netmask
is applied immediately to the address.

This way, the parsed rules output shows exactly which bits of an
address are significant for a match and errors due to wrong netmasks
can be spotted more easily.

Example:
$ pfctl -nvf -
pass in on lo0 from 172.17.0.0/12 to any
@0 pass in on lo0 inet from 172.16.0.0/12 to any

idea refined by dhartmei@
ok frantzen@ henning@


# 1.171 17-Oct-2002 mcbride

These checks are also made in nat_consistent() and rdr_consistent().

ok dhartmei@ henning@


# 1.170 17-Oct-2002 camield

- accept all protocols that are specified by number if they are in
the valid range (also when they're not listed in /etc/protocols)
- explicitly disallow protocol number 0, because it has special meaning
to pf

ok dhartmei@ henning@


# 1.169 16-Oct-2002 mpech

Fix and improve binat mask comparison.

dhartmei@, henning@ ok


# 1.168 14-Oct-2002 henning

Allow one to specify a netblock in a binat rule:

binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27

Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.

from ryan

ok dhartmei@


# 1.167 11-Oct-2002 camield

When a macro cannot be expanded because it is not defined, say so. Also warn
about unused macros.

ok dhartmei@ henning@


# 1.166 11-Oct-2002 camield

In lgetc(), compress strings of whitespace to a single space. This makes
macros come out right in verbose mode and is less functional overhead.

Also err on whitespace after a backslash. That type of error is hard to
find otherwise.

ok dhartmei@ henning@


# 1.165 08-Oct-2002 vincent

remove <0 checks on unsigned numbers.

ok henning@


# 1.164 07-Oct-2002 dhartmei

-Wsign-compare clean


# 1.163 07-Oct-2002 dhartmei

Two cases of const-correctness and make one global local.


# 1.162 07-Oct-2002 henning

set block-policy [drop|return]
drop is default, same behaviour as before

support
block drop
to override a return policy


# 1.161 07-Oct-2002 henning

support a generic return
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else

ok dhartmei@


# 1.160 07-Oct-2002 henning

make return-icmp work for rules covering both v4 and v6
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)

ok and some input dhartmei@


# 1.159 07-Oct-2002 henning

use a new rule_flag PFRULE_RETURNICMP to decide whether to return-icmp or not
instead of just testing return_icmp > 0

ok dhartmei@


# 1.158 07-Oct-2002 dhartmei

Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.


# 1.157 06-Oct-2002 dhartmei

Move CHECK_ROOT into LOOP_THROUGH, gets rid of one macro and saves
several lines, no functional difference. From Camiel Dobbelaar.


# 1.156 05-Oct-2002 dhartmei

Expand {} lists from left to right, so 'pass in from { a, b } to any'
becomes '@0 pass in from a to any @1 pass in from b to any' instead of
the other way around. Patch from Camiel Dobbelaar.


# 1.155 05-Oct-2002 dhartmei

Allow filtering based on IP header's tos field.


Revision tags: OPENBSD_3_2_BASE
# 1.154 22-Sep-2002 henning

little KNF: return(something) -> return (something)


# 1.153 22-Sep-2002 henning

fix linenumber counting in findeol, and simplify by ignoring the \ case,
that's already handled earlier.
fast-forward on erroneous lines

partially from camield@, parts result of a discussion with Mike

ok frantzen@ dhartmei@


# 1.152 22-Sep-2002 henning

antispoof, take 2.
also block incoming packets with our own IP as src.

discussion & help frantzen

ok ho@ dhartmei@ frantzen@


# 1.151 17-Sep-2002 henning

easier "self" implementation.
no functional changes

ok pb@


# 1.150 15-Sep-2002 henning

set a netmask in the dynaddr case
noticed by <han@mijncomputer.nl>

ok pb@


# 1.149 14-Sep-2002 henning

bit more clue in rdr/nat rules wrt address family examination
don't take the af from host_node structs based on interface lookups, most
interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will
at least have one IP address specified from which we take the af for the
whole rule. The rare exceptional cases require the user to specify the af.

ok frantzen@


# 1.148 12-Sep-2002 henning

check for calloc() failure; ho@


# 1.147 12-Sep-2002 henning

antispoof [log] [quick] for [interface|interface_list] [af]

e. g.

antispoof log quick for { dc0, dc1 } inet

docs & regress coming

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@
IPv6 help itojun@

finally, a long story finds its happy end here.


# 1.146 12-Sep-2002 henning

rework netmask handling:
-don't set netmask in host token handler
-clear netmask in ipmask() proper before setting it
-in ifa_load(), also store interface's netmask and broadcast address
-allow ifa_lookup() to return either the interface's IP address(es), network(s)
or broadcast address(es) - not used anywhere yet. This implies that
ifa_lookup() also returns the netmask now.
-host() returns netmasks, too

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@


# 1.145 08-Sep-2002 henning

be more clueful wrt address family in nat/rdr rules.
behaviour noticed by Paul de Weerd, thanks!

ok dhartmei@


# 1.144 02-Sep-2002 dhartmei

Fix parsing of port ranges in translation rules (port a:b -> port c:d).
ok henning@


# 1.143 02-Sep-2002 dhartmei

Make sure the interface specified with route-to/dup-to/fastroute exists
and null-terminate the interface name. Found by Michael Wallis.
ok henning@


# 1.142 20-Aug-2002 dhartmei

Increase lineno on newlines inside multi-line macro definitions, otherwise
errors on subsequent lines are reported with wrong line numbers.
From Paul B. Henson.


# 1.141 16-Aug-2002 henning

kill duplicated check for '(' and ')' in allowed_in_string


# 1.140 12-Aug-2002 dhartmei

Catch null pointer deref (segfault), from wilfried@


# 1.139 06-Aug-2002 henning

missing free(), mpech@
ok pb@


# 1.138 06-Aug-2002 henning

check for strdup() allocation errors

pointed out by mpech@
ok pb@


# 1.137 31-Jul-2002 henning

KNF, esp. missing prototypes


# 1.136 30-Jul-2002 henning

grmpf.
in some cases, on non-tcp rules flags weren't reset. cosmetic-only
problem. but, well, checking for r->flags and r->flagset if we could have
assigned them zero just one round ago is just stupid, and it's not needed to
check them at all.

ok pb@, dhartmei@


# 1.135 30-Jul-2002 henning

allow to specify flags on all rules that include tcp.

these are valid:

pass in from any to any flags S
pass in proto { tcp, udp, icmp } from any to any flags S
pass in proto tcp from any to any flags S

these are invalid:

pass in proto { udp, icmp } from any to any flags S
pass in proto udp from any to any flags S

ok "I've lost my slacker status for at least a week" frantzen@
ok pb@, dhartmei@, deraadt@


# 1.134 26-Jul-2002 henning

make the order of log and quick irrelevant. now both
block in log quick all
and
block in quick log all
work.

ok dhartmei@, deraadt@


# 1.133 23-Jul-2002 henning

timeout_list/_spec and limit_list/_spec don't return anything -> no %type.

ok theo


# 1.132 21-Jul-2002 deraadt

fix route-to also


# 1.131 21-Jul-2002 deraadt

make the , optional in many places. This makes string concat a lot more
useful. Now you can
in = ssh domain www
out = $in ftp finger
pass in proto tcp from any to any port { $in }
pass out proto tcp from any to any port { $out }
a poor example, but the idea is obvious


# 1.130 21-Jul-2002 deraadt

string concat, ie.
a=a b
c=$a $a


# 1.129 20-Jul-2002 deraadt

minor indent tweaks


# 1.128 20-Jul-2002 deraadt

properly split yacc and lex use


# 1.127 19-Jul-2002 deraadt

minor tweaks, sigh


# 1.126 19-Jul-2002 dhartmei

And back out the last change again.


# 1.125 19-Jul-2002 henning

rework the interface lookup routines internals.
less and easier code than before.
no functional changes.

ok frantzen@, dhartmei@


# 1.124 19-Jul-2002 dhartmei

Support # comments at the end of lines and inside (multi-line) string
literals, so you can do things like

macro="{ foo, # first entry
bar, # second entry
baz }" # last entry

or

pass in on $ext_if \ # external interface
proto tcp \ # TCP connections
from any to $ext_if \ # to the gateway itself
keep state

And sneaking in two minor fixes for KNF.


# 1.123 19-Jul-2002 henning

deal with the fact that the struct node_host ifa_pick_ip gets is not always
the result of an interface expansion. in this case ifa_pick_ip does an
address family check (that's actually a (wanted) side effect). Thus, we need
to spit out a meaningful error message in case of a mismatch.
also adjust all the other error messages, they were also assuming that nh is
the result of an interface expansion.
after a looooong discussion on icb (dhartmei@, pb@, me) we agreed on the term
"translation address" for that.

okay dhartmei@


# 1.122 17-Jul-2002 henning

support "self" as address. self expands to all IPv4 and IPv6 addresses of
the machine, on all interfaces. I wanted
block in log on ! lo0 from any to self
for years, and now it's possible.

ok "I may lose my slacking status if I OK it" frantzen@
ok dhartmei@

documentation in pf.conf.5 to come with pb@'s rewrite


# 1.121 16-Jul-2002 dhartmei

Add nat_consistent() and rdr_consistent() for checks that should occur
after rule expansion, similar to rule_consistent(). Fixes the
non-effective test for rdr rules for non-TCP/UDP protocols with ports,
found by mpech@, ok frantzen@


# 1.120 15-Jul-2002 henning

add support for
pass|block on ! $interface ...

ok dhartmei@

will be documented in pf.conf(5) by "I'm not slacking!" pb@ who's currently
reworking this manpage


# 1.119 15-Jul-2002 pb

cosmetics/consolidations to manpage in yyerror()s

ok henning@, dhartmei@


# 1.118 15-Jul-2002 henning

o complain about keep state on block rules
o complain about return-rst on rules which aren't limited to tcp

pointed out by not-slacking-but-testing pb@

ok pb@, dhartmei@


# 1.117 13-Jul-2002 henning

add list expansion for interface and proto in nat rules and for proto in rdr
rules (interface was already there). since the nat.conf/pf.conf merge the
parser accepted these but didn't expand them. ugh.

ok dhartmei@


# 1.116 09-Jul-2002 itojun

check sin6_scope_id field, just in case we change the routing socket API
for scoped address (unlikely due to the deployed codebase...).


# 1.115 09-Jul-2002 itojun

getifaddrs(3) grabs link-local addrs in kernel internal form, convert them
into proper sockaddr_in6.


# 1.114 09-Jul-2002 henning

rework the interface-to-IP routines.

you can use interface names instead of an IP in most places. However, until
now, it was only expanded to the interface's first IPv4 address if existent
(and address family unset or inet) and the first IPv6 address otherwise.

this diff changes that. the interface is properly expanded to all IPs, IPv4
_and_ IPv6, now.

it also cleans up the lookup procedures (well, in fact, they are replaced by
a new one), there's no need for different procedures for IPv4 and IPv6. we
now just have one list of interfaces (AF_LINK) and one list with IPs
(AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and
ifa_lookup.

nat, rdr & friends now use the new function ifa_pick_ip to get the IP in
rules like

nat on $interface from $whatever to any -> $interface

ifa_pick_ip tries to be smart.
if the interface has only one IP address and the nat rule doesn't specify an
address family (or it matches with this address), take this one.
If the address family is specified in the nat rule and there is only one IP
for the given address family, this one is used. if the address family is not
specified and there is more than one IP pfctl throws an error. The same
applies for multiple IPs per address family.

This causes regression tests 18 and 20 to fail because the address family
isn't specified there; diff for those coming.

also fix some prototypes while I'm here.

pb@ found another problem while testing that we must have introduced somewhat
after 3.1.

$cat t
nat on ne3 from any to any -> 213.128.133.5
$pfctl -nvf t
nat on ne3 all -> ?

it's only a representation bug as far as I've checked, nonetheless it should
be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just
steal its target's IP af and set the rule's af accordingly. then inet_ntop
does play nice.
binat rules already enforce having an address family set always and thus are
not affected.

ok dhartmei@, pb@, kjell@
"It looks good" frantzen@


# 1.113 08-Jul-2002 dhartmei

Don't allow 'flags' option in non-TCP rules, found by mpech@


# 1.112 05-Jul-2002 henning

unbreak.


# 1.111 05-Jul-2002 henning

another small bug I found while installing a -current pf firewall.
we don't support

pass/block in on ! <interface>

(at least, not yet)
let the parser complain instead of ignoring the '!'

ok pb@, dhartmei@


# 1.110 01-Jul-2002 espie

streamline parse buffer handling (no need to copy value that is not
going to go away).

add explicit pushback buffer, to be able to push IPv6 failed parses back.

handle pushback + parse buffer interactions by using negative indices.

okay dhartmei@, deraadt@


# 1.109 01-Jul-2002 deraadt

KNF


# 1.108 28-Jun-2002 dhartmei

Don't check for address family conflicts in nat/rdr before expansion,
rules will expand to all valid combinations, and there's an error when
none is found. Makes "nat on tun0 from 10.0.0.0/8 to any -> (tun0)"
work (again).


# 1.107 25-Jun-2002 henning

move pfctl options -t, -m, -O and -l to pf.conf. These are set using the
"set" keyword. example rulefile:

set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all

fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@


# 1.106 24-Jun-2002 dhartmei

Use interface when specified in scrub rule. No support for ! or {} yet.


# 1.105 23-Jun-2002 deraadt

uid_t and gid_t are unsigned


# 1.104 20-Jun-2002 dhartmei

Copy address family from inet/inet6 keyword, if specified.


# 1.103 18-Jun-2002 frantzen

propagate a '!' when a host resolves to multiple IP addresses
ok dhartmei@


# 1.102 18-Jun-2002 frantzen

don't allow individual keep state rules to specify timeouts for 'interval' and
'frag' -- they aren't applied anyway
ok dhartmei@ and henning@


# 1.101 16-Jun-2002 aaron

Rules must in order -> Rules must be in order


# 1.100 15-Jun-2002 dhartmei

Reset rulestate in parse_rules(), so consecutive calls (like from authpf)
will not fail. Reported by Chris Kuethe.


# 1.99 13-Jun-2002 kjell

Fix the numbering of scrub rules. pointed out and oked by frantzen@


# 1.98 12-Jun-2002 kjell

Fix uninitialized access. Spotted by danh@ This is a good reason to
develop with "ln -s 'J' /etc/malloc.conf" enabled.
ok henning@


# 1.97 11-Jun-2002 frantzen

split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@. the rest are slacking


# 1.96 11-Jun-2002 frantzen

SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@


# 1.95 11-Jun-2002 dhartmei

Make NAT proxy port range configurable per rule, for instance privileged
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@


# 1.94 10-Jun-2002 kjell

Merge the NAT and rules files into a single rulefile. Rules must be
in this order, to remove any ambiguity about what order things happen in:

scrub rules
nat rules
filter rules

The -N and -R modifiers go away. Rulefiles are now loaded with the
more POSIXly-correct '-f'

ok frantzen@


# 1.93 10-Jun-2002 dhartmei

Allow ports to be specified in nat rules, useful later on for individual
proxy port ranges.


# 1.92 10-Jun-2002 dhartmei

Move enum out of struct (gcc 3.1 wasn't happy), from David Krause


# 1.91 10-Jun-2002 kjell

split scrub rule processing into its own yacc target,
for imminent config file merge. ok frantzen@


# 1.90 09-Jun-2002 dhartmei

Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it
includes ports and operator.


# 1.89 09-Jun-2002 deraadt

spaced out developers...


# 1.88 09-Jun-2002 kjell

Add list parsing in RDR rules: e.g.

rdr on $IFLIST proto tcp from $SRC_LIST to $DST_LIST port 21 \
-> 127.0.0.1 port 8021

ok dhartmei@


# 1.87 08-Jun-2002 henning

nuke unused parameter af to expand_label_port
ok dhartmei@, pb@


# 1.86 08-Jun-2002 dhartmei

Change remaining read-only lookup tables to const, suggestion drahn@


# 1.85 08-Jun-2002 itojun

comment on IPv6 link-local twists


# 1.84 08-Jun-2002 kjell

add list expansion to src/dest in NAT rules. i.e.

nat on fxp0 from { 10.0.0.0/24, 10.0.1.0/24 } to \
{ 172.6.1.1, 172.14.1.2/32 } -> fxp0

ok theo, dhartmei@


# 1.83 08-Jun-2002 henning

remove macro concatenation via += per Theo's advice


# 1.82 08-Jun-2002 henning

allow macro concatenation like
webservers = "{ 10.0.0.1, 10.0.0.7, 10.0.0.8, "
webservers += " 10.0.0.17, 10.0.0.25, 10.0.0.37 }"
ok frantzen@, dhartmei@


# 1.81 08-Jun-2002 dhartmei

Make state timeouts configurable per rule, like

pass in from any to any port www keep state (tcp.established 60)

ok frantzen@


# 1.80 08-Jun-2002 henning

expand $nr -> rule number in rule labels
okay dhartmei@, frantzen@


# 1.79 08-Jun-2002 henning

expand $proto in rule labels
okay frantzen@ dhartmei@


# 1.78 07-Jun-2002 dhartmei

Handle realloc() failure gracefully. Terminates with err() anyway in this
case, but we don't want to trigger "p = realloc(p," grepping causing false
alarms here.


# 1.77 07-Jun-2002 deraadt

henning, read this to see what i mean by KNF


# 1.76 07-Jun-2002 pb

add the possibility to configure a TTL while return-rst

ok dhartmei@, ipv6 part itojun@ ok


# 1.75 07-Jun-2002 dhartmei

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@


# 1.74 07-Jun-2002 henning

allow using $srcaddr, $srcport, $dstaddr and $dstport in rule labels,
evaluated at parse time.
ok dhartmei@


# 1.73 07-Jun-2002 itojun

make IPv6 scope identification work for dst (from any to fe80::1%lo0)


# 1.72 07-Jun-2002 itojun

support scoped IPv6 address in from/to portion.


# 1.71 01-Jun-2002 hugh

ECN flag support for pf. Committed in consultation with Daniel.


# 1.70 24-May-2002 dhartmei

Support mixed (IPv4/v6) address lists, expand to all possible and valid
combinations. 'pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }' will
expand to two rules, 'from 10.1.2.3 to 10.4.5.6' and 'from ::1 to ::2'.
Also applies to host name resolution (when multiple addresses are returned
for one name). ok frantzen@, itojun@


# 1.69 23-May-2002 deraadt

tiny KNF, some malloc checks, etc


# 1.68 23-May-2002 itojun

new_addr is not used from anywhere. daniel@benzedrine.cx ok


# 1.67 19-May-2002 deraadt

KNF


# 1.66 12-May-2002 dhartmei

Explain that user/group 'unknown' can only be used with operators = and !=
and refuse other constructs in the parser. Also note that 'user >= 0' does
not match forwarded packets with unknown user ID.


# 1.65 12-May-2002 dhartmei

Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.


# 1.64 10-May-2002 dhartmei

Handle host name resolution returning multiple addresses in the rule
parser (expand to every address). ok frantzen@


# 1.63 09-May-2002 jasoni

Add a max-mss option to the scrub rule which will enforce a maximum mss
by lowering it to the given value.
- ok dhartmei@, provos@


# 1.62 09-May-2002 dhartmei

Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.


# 1.61 24-Apr-2002 dhartmei

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).


# 1.60 23-Apr-2002 dhartmei

Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.


# 1.59 18-Apr-2002 deraadt

use strlcpy


# 1.58 17-Apr-2002 dhartmei

Reset lineno for each file, so pfctl -R ... -N ... reports the right
line number for non-first files. Reported by aaron@


Revision tags: OPENBSD_3_1_BASE
# 1.57 27-Mar-2002 mickey

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok


# 1.56 27-Feb-2002 dhartmei

Instead of printing useless @0 rule numbers from pfctl -vR, increase a
counter. Helps debugging rule sets that are not loaded. Suggested by
John Kerbawy.


# 1.55 11-Jan-2002 mickey

use bsearch() for keywords lookup, swap a couple of entries to make the keywords array sorted and add a comment to keep it that way; dhartmei@ ok


# 1.54 10-Jan-2002 hugh

Let port 0 be specified as it's not special here.
Agreement with Daniel and others.


# 1.53 09-Jan-2002 mpech

Port must be >0 and <=65535. Idea while having fun with ssh.

dhartmei@ ok


# 1.52 09-Jan-2002 mpech

free() 'interface' in {nat,binat,rdr}rule

dhartmei@ ok


# 1.51 09-Jan-2002 dhartmei

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.


# 1.50 08-Jan-2002 dhartmei

Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.


# 1.49 07-Jan-2002 mpech

remove 3rd argument from ipmask(), not used.

dhartmei@ ok


# 1.48 23-Dec-2001 deraadt

find correct line number in lval, instead of val


# 1.47 10-Dec-2001 dhartmei

Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.


# 1.46 05-Dec-2001 dhartmei

Correctly parse hex numbers. Spotted by Claudio Jeker. Closes PR 2234.


# 1.45 03-Dec-2001 dhartmei

For nat, binat and rdr rules, don't allow different address families in
one rule. pf can't translate IPv4 <-> IPv6 packets. Such rules didn't work,
even if they were falsely accepted before.


# 1.44 26-Nov-2001 jasoni

add fastroute options similar to what is found in ipf
ok dhartmei@, frantzen@


# 1.43 05-Nov-2001 deraadt

no one responds.
this diff makes } and { not be part of symbols


# 1.42 24-Oct-2001 dhartmei

Check interface names using ifa0_lookup() and print error message for
non-existent interfaces (instead of the generic ioctl error returned by
the kernel in this case).


Revision tags: OPENBSD_3_0_BASE
# 1.41 15-Oct-2001 dhartmei

branches: 1.41.2;
Add 'allow-opts' to rules. Packets with IP options will be blocked by
default now, and can be allowed per rule. ok deraadt@


# 1.40 11-Oct-2001 frantzen

Don't htonl() past buffer bounds if ipmask == 128


# 1.39 07-Oct-2001 dhartmei

Add interface name to address translation to pfctl, document it and add
a regress test. Translation is done on rule set load-time only, so the
rule sets must be reloaded when an interface address changes.
parse.y patch from Cedric Berger. Similar patch from Jonathon Fletcher.
Thanks to both.


# 1.38 01-Oct-2001 markus

print variable assignments only if -v is given. ok dhartmei/deraadt


# 1.37 28-Sep-2001 dhartmei

Support underscores in macro names and document it in the man page.


# 1.36 20-Sep-2001 dhartmei

Fix uninitialized structure fields. Problem reported by Cedric Berger.


# 1.35 15-Sep-2001 wilfried

Implement return-icmp(number), return-icmp6(number)
Differentiate between return-icmp and return-icmp6,
icmp-type and ipv6-icmp-type. ok dhartmei@


# 1.34 15-Sep-2001 dhartmei

Fix 'binat ... to any ...' (binat.af wasn't set).


# 1.33 15-Sep-2001 dhartmei

Parse bug, found by wilfried@


# 1.32 15-Sep-2001 frantzen

IPv6 support from Ryan McBride (mcbride@countersiege.com)


# 1.31 12-Sep-2001 markus

check calloc() return value


# 1.30 06-Sep-2001 jasoni

- you can only binat between hosts
- add binat example and description


# 1.29 06-Sep-2001 jasoni

1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@


# 1.28 04-Sep-2001 dhartmei

Support parameter lists {} for interfaces in filter rules, like
pass in on { gm0, kue0 } from any to any


# 1.27 28-Aug-2001 markus

move '!' from host_list to host: "xhost : '!' host | host;"; ok dhartmei@


# 1.26 28-Aug-2001 markus

check for malloc/strdup == NULL


# 1.25 28-Aug-2001 dhartmei

Support ! operator in host parameter lists. Fixes PR system/2030. Reported
by Kamil Andrusz <wizz@mniam.net>.


# 1.24 26-Aug-2001 deraadt

sort keywords


# 1.23 25-Aug-2001 frantzen

PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation.


# 1.22 23-Aug-2001 millert

o for a port_item, initialize the "next" pointer to NULL
o for an address, use calloc() instead of malloc() so the struct is zeroed
Fixes a SEGV in pfctl due to uninitialized "next" pointers.


# 1.21 23-Aug-2001 deraadt

Support var="string". Expansion (at lex time) done using $var, for instance:
okproto="{ssh, smtp, domain, auth}"
pass in on key0 proto tcp from any to any port $okproto keep state
Can I ask someone else to document this in pf.conf(5)?


# 1.20 19-Aug-2001 dhartmei

Add parameter list support to parser. Handles lists for protocol, hosts
and ports in filter rules, like

block in from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
pass in proto tcp from any to any port { ssh, 1024 >< 2000, > 65000 }
block in proto { udp, igmp }

and does rule expansion (generate all needed rule combinations).


# 1.19 16-Aug-2001 deraadt

track the line number per-token, so that we can report errors correctly


# 1.18 14-Aug-2001 mickey

optimize the flags parsing; markus@ ok


# 1.17 11-Aug-2001 deraadt

\+\n support, and spit out cc-style error messages. the parser's line
counting is lex dependent, and will need to be tweaked


# 1.16 31-Jul-2001 wilfried

allow to test that flags are unset, ok dhartmei@, mickey@


# 1.15 19-Jul-2001 krw

Fix/complete the handling of the binary ops >< and <> to behave
like the ipf operators.

The 'n >< m' construct (Include Range = PF_OP_IRG) should match
ports greater than n and less than m, not greater than or equal to
n and less than or equal to m.

The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match
all ports less than n OR greater than m, not be treated as an
alias for ><.

Thus PF_OP_GL, which was used for both <> and >< is replaced with
PF_OP_IRG and PF_OP_XRG with the 'correct' semantics.

OK dhartmei@


# 1.14 18-Jul-2001 markus

new ERROR token, errx() -> warnx() + ERROR; ok deraadt@


# 1.13 18-Jul-2001 markus

KNF for return


# 1.12 18-Jul-2001 mickey

check number range to fit in 32 bits


# 1.11 18-Jul-2001 mickey

put range checks on NUMBER, pointed out by deraadt


# 1.10 17-Jul-2001 mickey

spaces, parens, err instead of errx+strerror


# 1.9 17-Jul-2001 markus

warnx()/YYERROR instead of errx(); suggested by mickey@


# 1.8 17-Jul-2001 provos

markus doesn't like min-ttl =, begone


# 1.7 17-Jul-2001 provos

support min-ttl, okay dhartmei@


# 1.6 17-Jul-2001 provos

normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@


# 1.5 17-Jul-2001 marc

bitch about ! in pf rule; ok dhartmei@ and markus@


# 1.4 17-Jul-2001 millert

Only set default proto in the rdr case; markus@ OK


# 1.3 16-Jul-2001 markus

errx() if getservbyname() fails


# 1.2 16-Jul-2001 markus

better flags parsing; dhartmei


# 1.1 16-Jul-2001 markus

add a yacc parser for pf.conf and nat.conf, with help from mickey@,
plus: -n now turns off all operations, and just parses the conf files
ok deraadt@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.709 01-Feb-2021 dlg

change route-to so it sends packets to IPs instead of interfaces.

this is a significant (and breaking) reworking of the policy based
routing that pf can do. the intention is to make it as easy as
nat/rdr to use, and more robust when it's operating.

the main reasons for this change are:

- route-to, reply-to, and dup-to do not work with pfsync

this is because the information about where to route-to is stored in
rules, and it is hard to have a ruleset synced between firewalls,
and impossible to have them synced 100% of the time.

- i can make my boxes panic in certain situations using route-to

yeah...

- the configuration and syntax for route-to rules are confusing.

the argument to route-to and co is an interface name with an optional
ip address. there are several problems with this. one is that people
tend to think about routing as sending packets to peers by their
address, not by the interface they're reachable on. another is that
we currently have no way to synchronise interface topology information
between firewalls, so using an interface to say where packets go
means we can't do failover of these states with pfsync. another
is that a change in routing topology means a host may become
reachable over a different interface. tying routing policy to
interfaces gets in the way of failover and load balancing.

this change does the following:

- stores the route info in the state instead of the pf rule

this allows route-to to keep working when the ruleset changes, and
allows route-to info to be sent over pfsync. there's enough spare bits
in pfsync messages that the protocol doesn't break.

the caveat is that route-to becomes tied to pass rules that create
state, like rdr-to and nat-to.

- the argument to route-to etc is a destination ip address

it's not limited to a next-hop address (though a next-hop can be a
destination address). this allows for the failover and load balancing
referred to above.

- deprecates the address@interface host syntax in pfctl

because routing is done entirely by IPs, the interface is derived from
the route lookup, not pf. any attempt to use the @interface syntax
will fail now in all contexts.

there's enthusiasm from proctor@ jmatthew@ and others
ok sashan@ bluhm@


# 1.708 12-Jan-2021 bluhm

Sometimes a user ID was logged in pflog(4) although the logopt of
the rule did not specify it. Check the option again for the log
rule in case another rule has triggered a socket lookup. Remove
logopt group, it is not documented and cannot work as struct pfloghdr
does not contain a gid. Rename PF_LOG_SOCKET_LOOKUP to PF_LOG_USER
to express what it does. The lookup involved is only an implementation
detail.
OK kn@ sashan@ mvs@


# 1.707 16-Dec-2020 kn

Fail to parse rules with invalid ranges

This makes pfctl(8) detect bogus ranges (with and without `-n') before
loading the ruleset and completes the previous commit.

OK sashan sthen


# 1.706 16-Dec-2020 kn

Reject rules with invalid port ranges

Ranges where the left boundary is bigger than the right one are always bogus
as they work like `port any' (`port 34<>12' means "all ports") or in a way
that inverts the rule's action (`pass ... port 34:12' means "pass no port at
all").

Add checks for all ranges and invalidate those that yield no or all ports.

For this to work on redirections, make pfctl(8) pass the range's type,
otherwise boundary including ranges are not detected as such; that is to
say, `struct pf_pool's `port_op' member was unused in the kernel so far.

`rdr-to' rules with invalid ranges could panic the kernel when hit.
Reported-by: syzbot+9c309db201f06e39a8ba@syzkaller.appspotmail.com

OK sashan


# 1.705 07-Dec-2020 sashan

synproxy should be processing incoming SYN packets only.
issue noticed by sthen@. fix discussed with bluhm@ and procter@

OK bluhm@, kn@, procter@


# 1.704 01-Oct-2020 kn

rdomain IDs do not need to exist for "on rdomain N" to work

Unlike "... rtable N", pf.conf(5)'s "on rdomain N" does not alter packet
state and will always work no matter if rdomain N currently exists or not,
i.e. the rule "pass on rdomain 42" will simply match (and pass) packets if
rdomain 42 exists, and it will simply not match (neither pass nor block)
packets if 42 does not exist.

There's no need to reload the ruleset whenever routing domains are created
or deleted, which can already be observed now by creating an rdomain,
loading rules referencing it and deleting the same rdomain immediately
afterwards: pf will continue to work as expected.

Relax both pfctl(8)'s parser check as well as pf(4)'s copyin routine to
accept any valid routing domain ID without expecting it to exist at the time
of ruleset creation - this lifts the requirement to create rdomains before
referencing them in pf.conf while keeping pf behaviour unchanged.

Prompted by yasuoka's recent pfctl parse.y r1.702 commit requiring an rtable
to exist upon ruleset creation.

Discussed with claudio and bluhm at k2k20.

Feedback sashan
OK sashan yasuoka claudio


Revision tags: OPENBSD_6_8_BASE
# 1.703 17-Sep-2020 yasuoka

Fix the previous commit whose conditions were reversed.

ok kn


# 1.702 17-Sep-2020 yasuoka

Make pfctl(8) check if the rtable really exists when parsing the
config. work with and diff from kn

ok kn


Revision tags: OPENBSD_6_7_BASE
# 1.701 28-Jan-2020 bket

sbin/pfctl: replace TAILQ concatenation loop with TAILQ_CONCAT

OK kn@, sashan@, florian@


# 1.700 15-Jan-2020 kn

Do the actual pfr_strerror() to pf_strerror() rename

Missed in previous


# 1.699 17-Oct-2019 millert

Use -1 to indicate an invalid uid/gid, not UID_MAX and GID_MAX.
This is the userland portion. OK deraadt@ sashan@


Revision tags: OPENBSD_6_6_BASE
# 1.698 26-Aug-2019 tobhe

Fix file descriptor leak due to popfile() never closing the main config file.

The fix is the same as for other parse.y files in the tree (see bgpd(8) or
unwind(8))

ok bluhm@


# 1.697 05-Jul-2019 patrick

Fix integer sizes in format strings and enable formatting warnings
for yyerror.

From Moritz Buhl
ok bluhm@ claudio@


# 1.696 08-May-2019 sashan

pfctl should check pfctl.astack is not overrun
(bug found and fixed by Petr Hoffmann _at_ oracle.com)

OK kn@


# 1.695 18-Apr-2019 kn

Fix table definition parsing as unprivileged user

revision 1.689 introduced warn_duplicate_tables() unconditionally, breaking
the parser on tables with insufficient permissions to open pf(4):

$ echo 'table <t>' | pfctl -nf-
pfctl: pfr_get_tables: Bad file descriptor

So simply check whether pfctl is able to get the table list first. If not,
instead of silently avoiding namespace collision checks, print a brief
notice iff `-v' is given to help finding duplicate definitions by hand:

$ echo 'table <t>' | ./obj/pfctl -vnf-
table <t>
stdin:1: skipping duplicate table checks for <t>

Reported by Rivo Nurges, thanks!
OK benno sashan


Revision tags: OPENBSD_6_5_BASE
# 1.694 06-Mar-2019 kn

Fix once rules

parse.y revision 1.682 from 16.07.2018 erroneously allowed `match once' and
`anchor "a" once'.

Fix both by checking for PF_DROP not PF_MATCH and creating anchors in the
parser already such that they can be used to distinguish anchor rules in
the same check as well.

Found and fixed by Petr Hoffmann <petr.hoffmann at oracle dot com>, thanks!

While here, remove an unneeded cast and make pfctl_add_rule() void as it
always returned 0.

OK sashan


# 1.693 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.692 10-Feb-2019 kn

Anchor names must not be empty

The parser would allow bogus input and sometimes even produce invalid rules
on empty anchor names, so error out immediately.

OK sashan


# 1.691 10-Feb-2019 kn

Unify anchor name sanity checks

For anchor names, make `load anchor' use the same grammar as `anchor' and
merge unique checks from both places so that anchor names are validated
regardless of the specific rule at hand.

OK sashan


# 1.690 31-Jan-2019 kn

Make divert-packet port accept any port specification

Contrary to other rules accepting a single port, this one only works with
numerical values. Fix it by simply using the proper grammar.

Port ranges are not accepted, but an error message on a range without start
was missing in general, so add it while here.

OK bluhm


# 1.689 11-Jan-2019 kn

When creating tables inside anchors, pfctl warned about namespace
collisions with global tables, but only in certain cases and with
limited information sometimes leaving users clueless.

Deferring the check to process_tabledefs() where tables are eventually
created, both anchor and table name are known which allows for checking
all existing anchors.

With this, warn on all duplicates even in dry-runs (`-n') and print
quoted names so they can be copied to fix configurations right away.

No functional change in parsing or ruleset production.

Discussed with and OK sashan


# 1.688 15-Nov-2018 dlg

scrub opts don't set tos, so remove it from the scrub_opts struct

ok deraadt@


# 1.687 10-Nov-2018 kn

Unbreak `-D macro=value' (r1.686 regression)

Zap trailing semicolon introduced with miko's cmdline_symset() leading to
unconditional err(3). Zap trailing tab while here.


# 1.686 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.685 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.684 16-Sep-2018 millert

Use uid_from_user(3) and gid_from_group(3) in utilities that
do repeated lookups. OK tb@


# 1.683 06-Sep-2018 kn

Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan


# 1.682 16-Jul-2018 kn

reduce duplicate code, fix typo/free correct buffer

In filteropts_to_rule():

* Merge `once' handling from `anchorrule' and `pfrule'
* Remove/shorten duplicate code block
* Fix typo I introduced with r1.678 that frees the wrong buffer (twice)

OK sashan


# 1.681 13-Jul-2018 kn

Fix regression on child queue definitions

I committed the wrong diff in 1.680 which turned `queue cq parent pq ...'
into invalid syntax by changing `interface' to `ON if_item'.

Found by bket, thanks!


# 1.680 11-Jul-2018 kn

Prevent invalid interface specifiers on queue rules

pf.conf(5) states that queues attach to actual interfaces only, yet the
following parses:

# echo queue eq on egress bandwidth 1G default | pfctl -f-
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

# echo queue rq on rdomain 0 bandwidth 1G default | pfctl -vf-
queue rq bandwidth 1G default
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

On rdomains, ifa_exists() returns NULL.
On interface groups, ifa_exists() returns non-NULL but af is never set
to AF_LINK.

OK henning sashan


# 1.679 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.678 10-Jul-2018 henning

'set delay' for the generic packet delay mechanism, ok benno sashan


# 1.677 10-Jul-2018 kn

fix anchor rules with filter opts, introduce filteropts_to_rule()

Some filter options were parsed but not set on anchor rules due to missing
copies of the respective struct members:

$ cat pf.conf
queue rq on trunk0 bandwidth 1G
queue dq parent rq bandwidth 1G default
anchor a set queue dq
$ pfctl -vnf pf.conf | fgrep queue
anchor "a" all

Fix this by moving common code from `anchorrule' and `pfrule' into a new
helper filteropts_to_rule().

Input from henning and benno
OK henning sashan jca


# 1.676 09-Jul-2018 kn

Zap dead code

Commented since r1.465 (2004).

OK deraadt benno jca sashan


# 1.675 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.674 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.673 18-May-2018 benno

A pf rule with a "on rdomain n" with nonexisting rdomain n will cause an

pfctl: DIOCADDRULE: Device busy

error when loading the ruleset, with no information which rule caused
the problem and no indication that the problem is the rdomain
<nonexisting>.

This diff makes pfctl check if the rdomain really exists when parsing
the config.

ok bluhm@


# 1.672 09-May-2018 otto

Fix (include file ) line number counting by keeping track of the unget
buffer per file; also use that buffer to expand macros.
ok sashan@ dennis@ krw@


# 1.671 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.670 08-Feb-2018 henning

make the watermarks/thresholds for entering and leaving syncookie mode when
syncookies are set to adaptive tunable, ok claudio benno


# 1.669 06-Feb-2018 henning

allow control over syncookies: set syncookies never/always/adaptive


# 1.668 28-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@


# 1.667 27-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Convert the pfctl(8) rule parser to divert types, kernel cleanup
will be the next step.
OK sashan@


# 1.666 25-Nov-2017 sashan

- pfctl fails to handle nested 'load anchor' properly
[ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]

OK bluhm@


# 1.665 14-Nov-2017 sashan

- nested anchors vs. pfctl/parse.y
bug reported and fix tested by Leonardo Guardati

OK bluhm@


# 1.664 13-Nov-2017 henning

add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb


Revision tags: OPENBSD_6_2_BASE
# 1.663 11-Aug-2017 benno

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@


# 1.662 19-Jul-2017 mikeb

Allow HFSC classes to use flow queues

The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue. Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.

Discussed with and OK henning@ at d2k17 as a part of a larger diff.


# 1.661 19-Jul-2017 mikeb

Rework HFSC vs FQ-CoDel checks

The selection mechanism introduced in pf_ioctl.c -r1.316 suffers
from being too ambiguous and lacks robustness. Instead of relying
on composition of multiple flags in the queue specification, it's
easier to identify the root class (if it exists) and derive all
further checks from it.


# 1.660 28-May-2017 akfaew

Don't check np->port for NULL - it's an array, it's never NULL.

OK bluhm@


# 1.659 15-May-2017 mikeb

Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)

OK sthen, visa


# 1.658 28-Apr-2017 mikeb

Remove double assignments


Revision tags: OPENBSD_6_1_BASE
# 1.657 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.656 23-Nov-2016 bluhm

Explicitly forbid to combine af-to with route-to in pfctl. The
parser cannot handle that correctly and it is unclear whether the
kernel code would work. Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@


# 1.655 26-Aug-2016 guenther

Add <time.h> for time(); sort <*.h> includes

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.654 18-Jul-2016 henning

g/c unused (global!) var: oqueues isn't used any more. ALTQ leftover; not
noticed since struct node_queue stayed. ok claudio benno gcc


# 1.653 22-Jun-2016 kettenis

Add curly braces that were missed in rev 1.651. Add parenthesis to make the
condition in the if statement more readable while I'm there.

ok phessler@, benno@, florian@


# 1.652 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.651 21-Jun-2016 benno

the manpage documents that af-to does not work on pass out rules, but
the pf.conf parser allows it, which leads a non working configuration
being loaded.
this changes the parser to make pass out .. af-to an error.

ok henning@ mikeb@


# 1.650 16-Jun-2016 henning

allow include in inline anchors
with this,
anchor foo {
include "/path/to/rules"
}
works and "load anchor" is obsolete, to be removed somewhen later after
release.
co-production with reyk at bsdcan, ok reyk mikeb benno sasha


Revision tags: OPENBSD_5_9_BASE
# 1.649 01-Sep-2015 sashan

- route-to, dup-to, reply-to should not override the block action

Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>

ok jung@, ok mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.648 21-Apr-2015 mikeb

Improve divert-to specification parsing w.r.t. rule address family.
ok henning


Revision tags: OPENBSD_5_7_BASE
# 1.647 26-Feb-2015 sthen

%% not % in error message; ok millert@ henning@


# 1.646 14-Feb-2015 sthen

Rather than using 0xff as a placeholder for "don't check prio", use 0xff to
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.

Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesnt like it he can change it when he recovers from jet-lag"


# 1.645 10-Feb-2015 henning

since we inherit prio (as in, the queuing priority) from outside sources,
i. e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan


# 1.644 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.643 19-Dec-2014 reyk

Support source-hash and random with tables and dynifs; not just pools.
This finally allows using source-hash for dynamic loadbalancing, eg.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.

An older pre-siphash version of this diff was tested by many people.

OK tedu@ benno@


# 1.642 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.641 27-Oct-2014 mikeb

Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic. Reported by sthen@;
ok henning benno sthen
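
The 1.641 entry does not spell out which circumstances produced the wrong mask, so the example below, written for this page and not taken from pfctl, only shows the mechanics the fix concerns: turning an IPv6 prefix length into a 128-bit mask and testing membership, with a deliberately short prefix to show how an under-expanded mask admits addresses a rule never named. The helper names and the sample addresses (taken from the 2001:db8::/32 documentation range) are this example's own.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/*
 * Build the 128-bit netmask for an IPv6 prefix length.  Returns 0, or -1
 * when bits is outside 0..128; a caller must treat -1 as an error and never
 * fall back to a shorter (wider-matching) mask.
 */
int
in6_prefix_to_mask(int bits, struct in6_addr *mask)
{
	int i;

	if (bits < 0 || bits > 128)
		return -1;
	memset(mask, 0, sizeof *mask);
	for (i = 0; i < 16 && bits > 0; i++, bits -= 8)
		mask->s6_addr[i] = bits >= 8 ?
		    0xff : (unsigned char)(0xff << (8 - bits));
	return 0;
}

/* 1 if addr lies inside net/mask, 0 otherwise. */
int
in6_in_network(const struct in6_addr *addr, const struct in6_addr *net,
    const struct in6_addr *mask)
{
	int i;

	for (i = 0; i < 16; i++)
		if ((addr->s6_addr[i] & mask->s6_addr[i]) !=
		    (net->s6_addr[i] & mask->s6_addr[i]))
			return 0;
	return 1;
}

/*
 * Textual convenience wrapper: does `addr` fall inside `net`/`bits`?
 * Returns 1 or 0, or -1 when an address or the prefix length is invalid.
 */
int
in6_text_match(const char *addr, const char *net, int bits)
{
	struct in6_addr a, n, m;

	if (inet_pton(AF_INET6, addr, &a) != 1 ||
	    inet_pton(AF_INET6, net, &n) != 1 ||
	    in6_prefix_to_mask(bits, &m) == -1)
		return -1;
	return in6_in_network(&a, &n, &m);
}

int
main(void)
{
	/* Constructed sample: a /64 rule and what a collapsed /0 mask does to it. */
	printf("2001:db9::1 in 2001:db8::/64: %d\n",
	    in6_text_match("2001:db9::1", "2001:db8::", 64));
	printf("2001:db9::1 in 2001:db8::/0:  %d\n",
	    in6_text_match("2001:db9::1", "2001:db8::", 0));
	return 0;
}
```

The point of the /0 line is the failure mode behind the entry: when a mask is expanded to fewer bits than the rule specified, addresses outside the intended prefix match and a pass rule becomes broader than written.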


# 1.640 25-Oct-2014 lteo

Remove unnecessary netinet/in_systm.h include.

ok millert@


# 1.639 13-Sep-2014 doug

Replace all queue *_END macro calls except CIRCLEQ_END with NULL.

CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.

ok millert@


# 1.638 23-Aug-2014 pelikan

when you specify queues in a rule, make sure they have been defined.

DIOCADDRULE EBUSY turns into an error message that pfctl -n catches.
DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported
to occur, possibly from hfsc.c: this should be fixed as well.

ok henning mikeb sthen


# 1.637 21-Aug-2014 mikeb

deny "once" flags for match rules; ok henning


Revision tags: OPENBSD_5_6_BASE
# 1.636 02-Jul-2014 mikeb

branches: 1.636.4;
condition above makes this part of the check useless;
overlooked in the previous commit


# 1.635 30-Jun-2014 mikeb

Merge two loops in collapse_redirspec into one

This lets us do the checks only once and also make smarter decisions
about the rule's own address family. As a result af-to rules no longer
need to specify the address family after 'pass'.

ok henning


# 1.634 25-Jun-2014 mikeb

Make stricter decisions when handling translation specifications.

In particular, disallow specifications containing addresses of
different address families when the rule doesn't specify one, for
example "pass out nat-to { ::1 1.1.1.1 }" will now produce an
error instead of silently picking one of the addresses.

sthen and deraadt agree


# 1.633 17-May-2014 bluhm

When parsing a numerical value for the TOS bits, make sure that it
is in a valid range.
OK henning@


# 1.632 19-Apr-2014 henning

remove altq bits here, too
(i was convinced i committed that yesterday already, hrm)


Revision tags: OPENBSD_5_5_BASE
# 1.631 22-Jan-2014 henning

branches: 1.631.4;
relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.630 21-Jan-2014 henning

if_item can be "any" now.
allows things like
block out on $someif received-on any
to prevent packets to get forwarded to $someif


# 1.629 20-Jan-2014 henning

support "!received-on <interface>", ok dlg benno


# 1.628 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.627 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


# 1.626 17-Oct-2013 henning

cannot have queue definitions inside anchors.
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@ring0.de>, analysis & fix yours truly


# 1.625 12-Oct-2013 henning

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen


# 1.624 01-Aug-2013 mikeb

Provide local implementations of if_nametoindex(3) and if_indextoname(3)
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance wise this change provides a speed up
factor of 20 with an 11k line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).

"wow!" henning, ok benno, florian


Revision tags: OPENBSD_5_4_BASE
# 1.623 01-Jun-2013 henning

branches: 1.623.2;
remove set-tos backwards compat, moved into the set {} block a year ago
ok ryan


# 1.622 02-Mar-2013 sthen

When a PF rule contains 'set tos' *followed by* a scrub option, the tos
value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning


Revision tags: OPENBSD_5_3_BASE
# 1.621 16-Jan-2013 henning

for consistency with prio etc, the queue assignment really belongs
into the set block. so make pfctl accept, print and the manpage document
. match set queue foo
instead of
. match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc


# 1.620 18-Oct-2012 reyk

Disallow tables and interface address pools for rdr-to, nat-to and
route-to with any other scheduling algorithms than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, eg. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.

Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.

ok zinke@


# 1.619 18-Sep-2012 henning

prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb


Revision tags: OPENBSD_5_2_BASE
# 1.618 10-Jul-2012 bluhm

Allow an implicit address family for af-to rules. If the address
family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6"
there.
OK henning@ mikeb@


# 1.617 10-Jul-2012 henning

set { ... } -> set ( ... )
brought up by ryan, discussed with him and theo and they convinced me


# 1.616 09-Jul-2012 henning

fix some of the confusion we have in pf regarding filter criteria vs
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler


# 1.615 07-Jul-2012 henning

remove incorrect check in pfctl preventing set-tos for ipvshit.
the kernel has code to deal with set-tos and that crap. don't ask for
details. stuart ok


# 1.614 07-Jul-2012 henning

rename prio in struct pf_rule and related structs to set_prio so it is
utterly clear this is not a filter criterion but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc


Revision tags: OPENBSD_5_1_BASE
# 1.613 19-Dec-2011 mikeb

unbreak rule optimizer; ok henning, looks


# 1.612 12-Dec-2011 mikeb

fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault


# 1.611 03-Dec-2011 mcbride

pfctl_set_hostid always returns 0; don't pretend otherwise and make it a
void function instead.

ok dlg


# 1.610 13-Oct-2011 claudio

pfctl change for af-to / NAT64 support.
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@


# 1.609 07-Sep-2011 haesbaert

Avoid possible SIGSEGV when wrong tos option.


# 1.608 30-Aug-2011 mikeb

One shot rules can be used in pf.conf by specifying a "once" filter option.

ok henning, mcbride


Revision tags: OPENBSD_5_0_BASE
# 1.607 29-Jul-2011 mcbride

Remove requirement to quote 'debug' loglevel for the 'debug' option.

ok henning


# 1.606 27-Jul-2011 mcbride

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt


# 1.605 13-Jul-2011 mcbride

Force user to specify protocol when filtering on user, gid, and os
attributes (this is now required by pf_rule_test()).

ok sthen henning


# 1.604 08-Jul-2011 henning

allow rules to specify "prio X" or "prio (X, Y)" to assign priority levels
for the new priority queueing implementation. valid range is 0 to 7. the old
trick for prioritizing empty ACKs etc remains thru the latter notation
ok ryan mpf sthen plus pea testing and halex and claudio reading


# 1.603 07-Jul-2011 mcbride

Fold pf_test_fragment() into pf_test_rule(), reduce code and fixes
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus


# 1.602 04-Jul-2011 henning

bye bye require-order.
i added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo


# 1.601 03-Jul-2011 henning

g/c RIO traces (aka clean up after tedu :))


# 1.600 03-Jul-2011 zinke

bring in least-states load balancing algorithm

ok mcbride@ henning@


# 1.599 06-Apr-2011 claudio

Userland bits to allow PF to filter on the rdomain a packet belongs to.
This allows writing rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@


# 1.598 05-Apr-2011 mikeb

ditch fastroute, an ipf feature that made its way into pf before
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do. reuse some kernel bits for the upcoming nat64
stuff. "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.


Revision tags: OPENBSD_4_9_BASE
# 1.597 31-Dec-2010 bluhm

According to pf_scrub_ip6() pf does not support the scrub options
no-df, random-id, set-tos for IPv6 rules. Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@


# 1.596 15-Dec-2010 henning

make the "invalid probability:" yyerror suck less
From: Thomas Pfaff <tpfaff@tp76.info>


# 1.595 01-Dec-2010 jsg

remove some unused tokens
ok henning@ mcbride@


# 1.594 24-Sep-2010 henning

remove the check that enforced rdr-to only inbound and nat-to only outbound.
both now can be used in both directions. the kernel allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given, a rule with rdr-to and/or nat-to
and no direction is pretty certainly an error (although it would work,
technically)
ok ryan claudio dlg


# 1.593 22-Sep-2010 henning

new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually


# 1.592 02-Sep-2010 sobrado

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@


Revision tags: OPENBSD_4_8_BASE
# 1.591 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.590 03-Jul-2010 mcbride

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.

tested by phessler
ok henning


# 1.589 23-Mar-2010 henning

remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving anchors aside) is wrong and
conflicts with the general idea of how pf works. last not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc


Revision tags: OPENBSD_4_7_BASE
# 1.588 13-Jan-2010 deraadt

Move tokens before productions into more consistent places
ok mcbride


# 1.587 13-Jan-2010 mcbride

Allow /netmask notation in redir spec, fix the rest of the regress
tests for illegal conditions in translation/routing.


# 1.586 12-Jan-2010 mcbride

We actually have to keep the translate/route spec addresses around after
collapsing into tables, so that we can handle all possible address family
expansions.


# 1.585 12-Jan-2010 mcbride

Set roundrobin flag correctly, and don't treat a bare interface
like a dynamic one in the routespec.


# 1.584 12-Jan-2010 mcbride

Add restrictions to make @if illegal outside of routing specs;
Fix binat-to sanity checks.


# 1.583 12-Jan-2010 mcbride

Fix some issues in redir spec handling, discovered thanks to dlg testing
- purge irrelevant addresses from the lists before collapsing
- ensure the lists are freed after they're collapsed
- more careful ifname copying, avoiding double-free / use-after-free traps


# 1.582 12-Jan-2010 mcbride

Don't leak @if0 format routing host names, pointed out by claudio.


# 1.581 12-Jan-2010 mcbride

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio


# 1.580 10-Jan-2010 deraadt

lex <=, >=, and != into a single token for correctness and to reduce the
lookahead in the parser
ok henning otto


# 1.579 10-Jan-2010 deraadt

In the non-optimized case, an address list containing "any" (ie. { any 10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1. How long this bug has
been with us is unclear.
ok guenther mcbride


# 1.578 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


# 1.577 24-Dec-2009 dlg

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which interface the packet had to be received on. eg:

pass out on em0 from $foo to $bar received-on fxp0

ive been running this in production for a week now. i find it particularly
useful with interface groups.

no objections, and a few "i like"s from henning, claudio, deraadt, mpf


# 1.576 10-Dec-2009 deraadt

plug some memory leaks; found by parfait, ok henning


# 1.575 22-Nov-2009 henning

cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing


# 1.574 09-Nov-2009 jsg

A few more places to be updated for the route pool change.
expanded version of a diff from Vadim Zhukov.

ok henning@ claudio@


# 1.573 28-Oct-2009 jsg

Add a dedicated pf pool for route options as suggested by henning,
which unbreaks ie route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@


# 1.572 28-Oct-2009 claudio

route_host initializes the netmask to a /128 no matter what af is used so
that the load balancing code does not freak out but because of this
check_netmask() is now complaining. So set the addr.type to PF_ADDR_DYNIFTL
so check_netmask() is fixing up the netmask for IPv4 and stops complaining.
This is a partial fix for the failing regress test 13.
found with jsg, looks good henning


# 1.571 28-Oct-2009 claudio

Correct function name in err and errx.


# 1.570 04-Oct-2009 michele

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who spotted out which are the limitations of this approach.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@


# 1.569 08-Sep-2009 michele

I had not enough oks to commit this diff.
Sorry.


# 1.568 08-Sep-2009 michele

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.


# 1.567 07-Sep-2009 reyk

implement binat-to as a macro-like rule: a rule using the new binat-to
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. this simplifies the migration from old
binat rules and is less error-prone.

feedback from many, manpage bits from jmc@
ok henning@


# 1.566 03-Sep-2009 reyk

this time i commit the right diff that was
ok henning@ (sorry)


# 1.565 03-Sep-2009 reyk

fix two route-to vs. rdr-to conflicts.

found by sthen@
ok henning@


# 1.564 02-Sep-2009 reyk

all the new *-to options are part of the "filteropts" section at the
end of a pf rule (nat-to, divert-to, rdr-to, ...). take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.

for example,
pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)

many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@


# 1.563 01-Sep-2009 henning

the diff theo calls me insanae for:
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too


# 1.562 28-Jul-2009 claudio

Bring back rev. 1.560:
Make it possible to use DiffServ Code Point in the TOS fields.
Requested by deraadt@


# 1.561 27-Jul-2009 deraadt

When will people learn to commit their .h file changes?


# 1.560 27-Jul-2009 claudio

Make it possible to use DiffServ Code Point in the TOS fields. Names like
af11, cs6 and ef will now be mapped to the corresponding TOS value.
OK henning@, sthen@, mcbride@


Revision tags: OPENBSD_4_6_BASE
# 1.559 14-May-2009 sthen

actually change the require-order default to No; I missed a part with
my last commit. ok deraadt@


# 1.558 26-Apr-2009 sthen

switch the require-order default to "no". regression tests still pass.
ok henning@ deraadt@


# 1.557 25-Apr-2009 henning

scrub_opts must not be empty, scrub on its own does nothing.
noticed due to a question from otto@, ok regress/sbin/pfctl/ ;)


# 1.556 06-Apr-2009 henning

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. as opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.


Revision tags: OPENBSD_4_5_BASE
# 1.555 19-Feb-2009 deraadt

spacing


# 1.554 17-Oct-2008 henning

in findeol(), do not skip the pushback buffer. fixes PR 5952 by sthen@ and
should make the pushback buffer really transparent.
diagnosis by me, fix with mpf, some input deraadt, ok mpf


# 1.553 02-Oct-2008 henning

implement "set state-defaults X", where X is a list of state options as
permitted keep state(X). applies to all rules which do not have keep state
explicitly. e. g. "set state-defaults pflow, no-sync"
ok phessler deraadt


# 1.552 10-Sep-2008 deraadt

do not try to print $$ when it has not been set


# 1.551 09-Sep-2008 henning

welcome pflow(4), a netflow v5 compatible flow export interface.
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo


# 1.550 07-Aug-2008 henning

correctly copy the log interface spec when expanding an antispoof rule that
covers loopback addresses. ok ryan
problem report from Harald Dunkel <harald.dunkel@aixigo.de>


Revision tags: OPENBSD_4_4_BASE
# 1.549 03-Jul-2008 deraadt

do not forget to initialize the other members of $$ in qname; noted by mark shroyer
ok henning


# 1.548 10-Jun-2008 mcbride

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt


# 1.547 10-Jun-2008 henning

new state option "sloppy" to use the sloppy tcp state tracker instead
of the good one. ok theo ryan reyk


# 1.546 09-May-2008 deraadt

Replace a crockpot of semi-cloned productions for handling port
numbers with one, and fix a few other bugs along the way
ok mpf henning


# 1.545 09-May-2008 markus

convert port byte order in the production; add port keyword; ok deraadt@


# 1.544 09-May-2008 markus

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@


# 1.543 08-May-2008 deraadt

make "to any" optional in binat, or well, the implied default.
requested by reyk, ok reyk mpf


# 1.542 08-May-2008 deraadt

Loosen grammar to permit any number of newlines within most kinds of { }
blocks, as requested by reyk; ok reyk mpf henning


# 1.541 08-May-2008 deraadt

Bring back (in a more yacc friendly way) support for setting variables
to a sequence of strings and numbers, which get folded together into one
string (and later, when used, is re-lexed)
ok mpf


# 1.540 07-May-2008 deraadt

do not assume PF_INOUT is 0 in the enum; ok mcbride


# 1.539 07-May-2008 markus

scrub packets based on tags; ok henning


# 1.538 07-May-2008 markus

allow setting TOS with scrub; ok mcbride, claudio


# 1.537 21-Apr-2008 deraadt

optnl is a crutch for those who do not understand yacc. it
leads to a variety of errors; ok mcbride


Revision tags: OPENBSD_4_3_BASE
# 1.536 01-Feb-2008 mcbride

Enable the rest of the filter_opts to be used on anchors. These were accepted
by the parser but not passed to the kernel. This allows filtering based on
uid, gid, icmp options, tcp flags, os fingerprint, tos, tags, and probability;
It also allows the label to be set. State options and tagging are not
permitted.

ok henning mpf


# 1.535 13-Nov-2007 mpf

Bring back the number converter for 'set hostid'.
I forgot to think about hex numbers when I removed it.
OK deraadt@


# 1.534 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.533 25-Oct-2007 mpf

Fix probability rules w/ numbers (e.g probability 0.4).
Add support for probabilities of 0% and 100%.
With and OK deraadt@


# 1.532 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.531 22-Oct-2007 deraadt

pfctl does not need file secrecy


# 1.530 16-Oct-2007 mpf

Allow unquoted numbers in variables.
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.

OK deraadt@


# 1.529 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr
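
The 1.642 entry above (embedded NUL rejected after the afl finding) and this 1.529 entry (backslash handling inside quotes) describe two rules a quoted-string lexer has to implement. The following is an added example written for this page, not pfctl's yylex(): it lexes one double-quoted string from a length-delimited buffer, turns `\` followed by space, tab or quote into that character, drops `\` followed by newline as a line continuation, and rejects an embedded NUL before the grammar ever sees it. Keeping any other backslash literal and accepting raw newlines inside the quotes are assumptions of this example; the error codes and helper names are its own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Error codes returned by lex_quoted_string(); success is the byte count consumed. */
enum {
	LEX_ERR_NOQUOTE = -1,		/* input does not start with '"' */
	LEX_ERR_UNTERMINATED = -2,	/* input ended before the closing '"' */
	LEX_ERR_NUL = -3,		/* NUL byte inside the quoted string */
	LEX_ERR_TOOLONG = -4		/* output buffer too small */
};

/*
 * Lex one double-quoted string from in[0..inlen) into out (NUL terminated).
 * The input is length-delimited on purpose: a NUL in the middle of a quoted
 * string has to be detected here, because every strlen()-based consumer
 * downstream would silently see a shorter string than the lexer counted.
 * Returns the number of input bytes consumed (both quotes included) or a
 * negative LEX_ERR_* code.
 */
long
lex_quoted_string(const char *in, size_t inlen, char *out, size_t outlen)
{
	size_t i, o = 0;

	if (inlen == 0 || in[0] != '"')
		return LEX_ERR_NOQUOTE;
	for (i = 1; i < inlen; i++) {
		char c = in[i];

		if (c == '\0')
			return LEX_ERR_NUL;
		if (c == '"') {
			if (o >= outlen)
				return LEX_ERR_TOOLONG;
			out[o] = '\0';
			return (long)(i + 1);
		}
		if (c == '\\') {
			if (i + 1 >= inlen)
				return LEX_ERR_UNTERMINATED;
			if (in[i + 1] == '\n') {	/* line continuation: drop both */
				i++;
				continue;
			}
			if (in[i + 1] == ' ' || in[i + 1] == '\t' || in[i + 1] == '"')
				c = in[++i];		/* escaped whitespace or quote */
			/* any other "\x": keep the backslash, x is handled next round (assumption) */
		}
		if (o + 1 >= outlen)
			return LEX_ERR_TOOLONG;
		out[o++] = c;
	}
	return LEX_ERR_UNTERMINATED;
}

/* Helper: 1 if `in` lexes cleanly, consumes all of inlen and yields `want`. */
int
lex_ok(const char *in, size_t inlen, const char *want)
{
	char out[128];
	long n = lex_quoted_string(in, inlen, out, sizeof out);

	return n > 0 && (size_t)n == inlen && strcmp(out, want) == 0;
}

/* Helper: the LEX_ERR_* code for `in`, or 0 when it lexes. */
long
lex_status(const char *in, size_t inlen)
{
	char out[128];
	long n = lex_quoted_string(in, inlen, out, sizeof out);

	return n > 0 ? 0 : n;
}

int
main(void)
{
	/* Constructed inputs; the second carries an embedded NUL byte. */
	const char cont[] = "\"ab\\\ncd\"";
	const char nul[] = "\"ab\0cd\"";

	printf("line continuation ok: %d\n", lex_ok(cont, sizeof cont - 1, "abcd"));
	printf("embedded NUL status:  %ld\n", lex_status(nul, sizeof nul - 1));
	return 0;
}
```

Note that the NUL check comes before the backslash handling, so a `\` followed by NUL is rejected as well rather than being treated as an escape.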


# 1.528 13-Oct-2007 deraadt

support an include directive; file of course must also be "secure" like
the main configuration file; ok henning
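
Both this 1.528 entry (an included file must be as "secure" as the main configuration file) and 1.631 above (the secrecy check relaxed to permit group readability) refer to a permission check run on a configuration file before it is parsed. The following is an added example for this page, not pfctl's own code: it accepts a file only if it is owned by root or the invoking user and is neither group-writable nor accessible by others, so 0640 passes while 0644 and 0660 fail. Rejecting anything that is not a regular file is an addition of this example, the temp-file helpers exist only so the check can be exercised, and the function names are this example's own.

```c
#define _XOPEN_SOURCE 700
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Accept a configuration file only if it is a regular file, owned by root
 * or by the user running the parser, and neither group-writable nor
 * readable, writable or executable by others.  Group read access is
 * allowed.  Works on the already-open descriptor so the verdict applies to
 * the file that will actually be read.  Returns 0 (accept) or -1 (reject).
 */
int
check_file_secrecy(int fd, const char *fname)
{
	struct stat st;

	if (fstat(fd, &st) == -1) {
		fprintf(stderr, "%s: cannot stat\n", fname);
		return -1;
	}
	if (!S_ISREG(st.st_mode)) {	/* added here: a directory is never a config file */
		fprintf(stderr, "%s: not a regular file\n", fname);
		return -1;
	}
	if (st.st_uid != 0 && st.st_uid != getuid()) {
		fprintf(stderr, "%s: owner not root or current user\n", fname);
		return -1;
	}
	if (st.st_mode & (S_IWGRP | S_IRWXO)) {
		fprintf(stderr, "%s: group writable or world accessible\n", fname);
		return -1;
	}
	return 0;
}

/*
 * Helper: create a temporary regular file with `mode`, run the check on it
 * and clean up.  Returns the verdict, or -2 if the file could not be made.
 */
int
secrecy_of_mode(mode_t mode)
{
	char path[] = "/tmp/cfgcheck.XXXXXX";
	int fd, rv;

	if ((fd = mkstemp(path)) == -1)
		return -2;
	if (fchmod(fd, mode) == -1) {
		close(fd);
		unlink(path);
		return -2;
	}
	rv = check_file_secrecy(fd, path);
	close(fd);
	unlink(path);
	return rv;
}

/* Helper: a 0700 directory must still be rejected (it is not a regular file). */
int
secrecy_of_dir(void)
{
	char path[] = "/tmp/cfgdir.XXXXXX";
	int fd, rv;

	if (mkdtemp(path) == NULL)
		return -2;
	if ((fd = open(path, O_RDONLY)) == -1) {
		rmdir(path);
		return -2;
	}
	rv = check_file_secrecy(fd, path);
	close(fd);
	rmdir(path);
	return rv;
}

int
main(void)
{
	printf("mode 0640: %d\n", secrecy_of_mode(0640));	/* accepted */
	printf("mode 0644: %d\n", secrecy_of_mode(0644));	/* rejected */
	printf("directory: %d\n", secrecy_of_dir());		/* rejected */
	return 0;
}
```

Checking the open descriptor with fstat(2) rather than the path with stat(2) matters: a path-based check leaves a window in which the file can be replaced between the check and the read.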


# 1.527 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.526 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.525 01-Oct-2007 mpf

Backout NUMBER to string conversion.
Requested by deraadt@


# 1.524 27-Sep-2007 mpf

Add loginterface support for groups.
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.

OK henning@, markus@


# 1.523 23-Sep-2007 mpf

Allow numbers to be used as unquoted strings again.
While there, also restrict the use of concatenated, unquoted
strings for variable assignments only.

Eyeballed by markus@, OK henning@


# 1.522 12-Sep-2007 deraadt

add a missing range check for rtable ids; ok cloder henning


# 1.521 12-Sep-2007 deraadt

Add support to the lex for parsing numbers out of the stream. handle
this in the parser. because the new numbers are int64_t, many new
range checks for < 0 are needed. re-check and improve all the
existing rangechecks while at it. thanks for help by cloder and
dhartmei


# 1.520 30-Aug-2007 dhartmei

add support for address ranges ("from 10.1.2.50 - 10.1.3.75") in from/to
criteria. ok mcbride@


Revision tags: OPENBSD_4_2_BASE
# 1.519 21-Jun-2007 henning

always initialize logif, from max laier, ok ryan


# 1.518 20-Jun-2007 mpf

Allow "log" for nat rules without "pass".
OK henning@, ``passt scho'' markus@


Revision tags: OPENBSD_4_1_BASE
# 1.517 03-Feb-2007 dhartmei

in decide_address_family(), only limit a rule to a specific address family
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@


# 1.516 07-Nov-2006 mcbride

Unbreak authpf by handling non-inline anchors separately from the { } anchors
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.

ok deraadt@


# 1.515 31-Oct-2006 mcbride

Allow pfctl ruleset optimizer to be controlled from the ruleset.

"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]

You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.

cleanup and ok henning@


# 1.514 31-Oct-2006 mcbride

- don't allow anchors with _* names to be cleared or loaded from the
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified

'looks sensible' deraadt@


# 1.513 28-Oct-2006 mcbride

Load all rules into memory before loading into the kernel, and add support
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").

anchor on fxp0 {
pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@


# 1.512 25-Oct-2006 henning

make absolutely sure logif is 0 unless set specifically, even if log is 0.
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...


# 1.511 25-Oct-2006 henning

and another nit, $$.log should be set to 0 explicitly on quick without log


# 1.510 25-Oct-2006 henning

urgs, $$.quick needs to be set to 0 explicitly on log (without quick)


# 1.509 25-Oct-2006 henning

allow the log interface to be selected like
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride


# 1.508 17-Oct-2006 mcbride

Don't automatically set 'flags S/SA' on stateless rules.

pointed out by david@

ok mpf@ dhartmei@


# 1.507 11-Oct-2006 deraadt

quotes around filename, pr 5253, sthen@zephyr.spacehopper.org


# 1.506 11-Oct-2006 mcbride

Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside
the anchor, terminate ruleset evaluation when stepping out of the anchor.

This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.

ok dhartmei@ henning@ deraadt@


# 1.505 06-Oct-2006 mcbride

Oops, flags S/SA doesn't work on fragments.


# 1.504 06-Oct-2006 mcbride

Make 'flags S/SA keep state' the implicit for filter rules, based on
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.

IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.

Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.

ok dhartmei@ deraadt@ henning@


Revision tags: OPENBSD_4_0_BASE
# 1.503 22-Aug-2006 dhartmei

back out -r1.497 (support for "tagged {}" lists), it broke "tagged" support
for nat rules. sorry, existing functionality trumps syntactic sugar. feel
free to resubmit a complete patch. closes PR 5207.


# 1.502 06-Jul-2006 henning

add "rtable" to select alternate routing tables.
with & ok claudio hshoexer


# 1.501 17-Jun-2006 henning

KNF


# 1.500 28-May-2006 mcbride

Make per-rule adaptive timeouts behave the same way as the global adaptive
timeouts.


# 1.499 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.498 02-May-2006 dhartmei

fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, create
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.


# 1.497 01-May-2006 dhartmei

add support for "tagged {}" lists, from Pierre-Yves Ritschard


# 1.496 06-Apr-2006 henning

allow lists inside lists for address specs, has been in my tree for
quite some time... theo likes


# 1.495 14-Mar-2006 djm

implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@


Revision tags: OPENBSD_3_9_BASE
# 1.494 17-Nov-2005 dhartmei

for pfctl -f rules, open the file before resetting options. when opening
the file fails, produce only the error message and leave options
unchanged. reported by Tamas TEVESZ, ok deraadt@


# 1.493 13-Oct-2005 henning

unused parameters


Revision tags: OPENBSD_3_8_BASE
# 1.492 14-Jun-2005 henning

no need to restrict tagging to stateful rules any more, dhartmei ok
From: "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.491 27-May-2005 dhartmei

get rid of 'log-all'. now that we have 'log (options)', make 'all' an
option to log. so, 'log-all' becomes 'log (all)'.


# 1.490 27-May-2005 dhartmei

get rid of shift/reduce conflicts, don't support empty logopts


# 1.489 27-May-2005 dhartmei

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v is used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.


# 1.488 27-May-2005 dhartmei

allow 'tagged' in 'anchor' rules (without complaining about missing
'keep state'), as a condition to branch into the anchor. suggested
by Bill Marquette.


# 1.487 26-May-2005 camield

The illegalness of "no nat log" is already enforced by the grammar.

ok dhartmei


# 1.486 26-May-2005 dhartmei

support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@


# 1.485 23-May-2005 camield

remove code that duplicates getservice()

ok dhartmei mcbride


# 1.484 21-May-2005 henning

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo


# 1.483 22-Apr-2005 camield

Catch bad flags, ie. flags that always evaluate to false. This happens
if there are flags on the lefthandside that are masked off by the
righthand side.

ok mcbride@ (long time ago) dhartmei@ henning@
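The check described above, as an added example that is not pfctl's own code: flag letters and the helper names are constructed here, and the rule is that a "set" flag which the "mask" side masks off can never match.

```c
#include <string.h>

/*
 * TCP flag letters in the order pf.conf's "flags" keyword accepts them;
 * bit i corresponds to letter i. Table constructed for this example.
 */
static const char tcpflags[] = "FSRPAUEW";

/* Convert a run of flag letters to a bitmask; -1 on an unknown letter. */
static int
parse_flagset(const char *s, size_t len)
{
	int		 mask = 0;
	size_t		 i;
	const char	*p;

	for (i = 0; i < len; i++) {
		if (s[i] == '\0' || (p = strchr(tcpflags, s[i])) == NULL)
			return (-1);
		mask |= 1 << (p - tcpflags);
	}
	return (mask);
}

/*
 * Parse "set/mask" as written after the flags keyword. Returns 0 on
 * success, -1 on a malformed spec, and -2 when some flag in the set is
 * not in the mask: the packet's flags are AND'ed with the mask before
 * being compared to the set, so such a rule always evaluates to false.
 */
static int
check_flags(const char *spec, unsigned char *set, unsigned char *mask)
{
	const char	*slash = strchr(spec, '/');
	int		 s, m;

	if (slash == NULL)
		return (-1);
	if ((s = parse_flagset(spec, slash - spec)) < 0 ||
	    (m = parse_flagset(slash + 1, strlen(slash + 1))) < 0)
		return (-1);
	if (s & ~m)
		return (-2);	/* e.g. "S/A": S is never looked at */
	*set = s;
	*mask = m;
	return (0);
}
```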


Revision tags: OPENBSD_3_7_BASE
# 1.482 07-Mar-2005 henning

print unsigned long with %lu, not with %d and not with %ld.
From: Andrey Matveev <andrushock@korovino.net>


# 1.481 06-Mar-2005 henning

allow commas in the hfsc service curve spec, inconsistency pointed out in
PR4134 / geoff@collyer.net and a longer mail exchange with han boetes


# 1.480 06-Mar-2005 dhartmei

print "set skip on" with -v in such a way that the output is valid input
syntax, instead of the cryptic hex flags output.


# 1.479 27-Feb-2005 dhartmei

support 'tagged' in translation rules, non-delayed tag lookup
ok henning@, deraadt@


# 1.478 26-Feb-2005 henning

you sure get the impression the number of memory leaks in error paths
is infinite... Andrey Matveev <andrushock@korovino.net> spotted a few again!


# 1.477 07-Feb-2005 david

KNF; ok henning@


# 1.476 28-Jan-2005 dhartmei

add messages for syntax errors that caused silent failure before.
found by Peter Fraser, ok henning@


# 1.475 27-Jan-2005 dhartmei

dynamic interface names must start with a letter. catches the nonsensical
"(10.1.2.3)" that results from a simple typo like "$(ext_ip)" instead of
"$(ext_if)".


# 1.474 05-Jan-2005 mcbride

Modify pfctl behaviour so that 'set ...' options are no longer "sticky", ie.
they are reset to default values if omitted from a subsequent ruleset load.
Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set
without resetting the others, eg:
# echo "set loginterface fxp0" | pfctl -mf -

ok henning@ dhartmei@


# 1.473 29-Dec-2004 mcbride

Print 'set fingerprints' correctly when parsing verbosely.


# 1.472 23-Dec-2004 dhartmei

set rule_flag PFRULE_SRCTRACK when setting srctrack, found by camield@
using regress test pf84


# 1.471 22-Dec-2004 dhartmei

Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@


# 1.470 15-Dec-2004 henning

missing free()s; with pat


# 1.469 10-Dec-2004 henning

allow pf to filter on route labels
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan


# 1.468 08-Dec-2004 mcbride

Add "'overload' requires 'max-src-conn' or 'max-src-conn-rate'" sanity check,
fix some cut-n-paste mayhem in other related checks.


# 1.467 07-Dec-2004 dhartmei

re-commit mcbride@'s 'flush global', this time without the breakage in
pfvar.h. builds kernel and userland.


# 1.466 07-Dec-2004 deraadt

real backout


# 1.465 07-Dec-2004 deraadt

oops, incomplete backout


# 1.464 07-Dec-2004 deraadt

tree does not compile, spotted by dlg (not obvious how to fix)
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.463 07-Dec-2004 mcbride

Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.462 05-Dec-2004 dhartmei

initialize $$->tail and $$->next for MAXSRCCONNRATE


# 1.461 04-Dec-2004 mcbride

Userland support for limiting open tcp connections per source. eg:

keep state (max-src-conn 1000, max-src-conn-rate 100/10, overflow <bad> flush)

allow a maximum of 1000 open connections or 100 new connections in 10 seconds.
The addresses of offenders are added to the <bad> table which can be used in
the ruleset, and existing states from that host are flushed.

ok deraadt@ dhartmei@


# 1.460 21-Sep-2004 aaron

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok


Revision tags: OPENBSD_3_6_BASE
# 1.459 29-Jun-2004 henning

remove cedric's bogus interface name verification code.
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nice enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being bugged to regularly.
help & ok mcbride@


# 1.458 29-Jun-2004 frantzen

convert a few memcpy()s to strlcpy() so we don't copy uninitialized junk into
an interface name's slack space past the \0. will be needed for the optimizer.
ok henning@


# 1.457 26-Jun-2004 david

add back PF_INOUT, fixes reassemble tcp
ok canacar@ mcbride@


# 1.456 25-Jun-2004 deraadt

repair tree nanobreak by the nanobum


# 1.455 10-Jun-2004 dhartmei

rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
keyword in C++. ok henning@, cedric@


# 1.454 21-May-2004 dhartmei

Use '/' instead of ':' as separator for anchor path components. Note that
the parser now needs quotes around paths containing separators.
ok mcbride@


# 1.453 19-May-2004 dhartmei

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@


# 1.452 24-Apr-2004 cedric

Add "probability xxx" rule modifier. ok deraadt@


# 1.451 22-Apr-2004 henning

typo, From: Jared Yanovich <jjy2+@pitt.edu>


# 1.450 14-Apr-2004 cedric

make antispoof work with dynamic addresses. ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_5_BASE
# 1.449 20-Mar-2004 david

spelling fix; ok dhartmei@ henning@ deraadt@


# 1.448 14-Mar-2004 dhartmei

#include fixes, from Max Laier, ok beck@ henning@


# 1.447 08-Mar-2004 henning

plug 124 memory leaks
ok mcbride@ pb@ dhartmei@


# 1.446 06-Mar-2004 henning

from bgpd:
plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. err(1, "yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.445 01-Mar-2004 dhartmei

support "tagged <name>" on anchor rules, suggested by vd@vmunix.lt,
ok henning@, cedric@


# 1.444 24-Feb-2004 mcbride

'max-src-nodes' requires 'source-track rule'. Set that automatically,
unless 'source-track global' is explicit, in which case error out. Lots of
help from cedric@.

ok cedric@ henning@


# 1.443 24-Feb-2004 cedric

fixup.


# 1.442 24-Feb-2004 mcbride

Check for 'source-track rule' with 'max-src-nodes'.

ok cedric@ henning@


# 1.441 11-Feb-2004 cedric

Fix interface clobbering for link-local addresses. Found by Pyun YongHyeon.
Fix "antispoof for foo" when foo has no addresses.
ok+help dhartmei@, ok mcbride@


# 1.440 10-Feb-2004 henning

KNF


# 1.439 10-Feb-2004 henning

fix at least the worst of Cedric "KNF is for everybody but me" Berger's fuckup


# 1.438 04-Feb-2004 mcbride

Handle rules like 'pass ... proto { tcp udp icmp } ... modulate state'

ok dhartmei@ henning@


# 1.437 03-Feb-2004 henning

fix PR 3664 / jared r r spiegel
we need to save the unexpanded tag/tagged strings before entering the
expansion loop, and at each loop, start with the unexpanded tag, so that
on subsequent loops the macros are replaced with current values and not
the values from previous loop persist
ryan theo ok


# 1.436 05-Jan-2004 henning

few off by ones in strlcpy overflow check; Patrick Latifi


# 1.435 04-Jan-2004 cedric

don't ignore "!" on "binat on !foo". ok mcbride@


# 1.434 31-Dec-2003 deraadt

spacing. note this, cedric


# 1.433 31-Dec-2003 cedric

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now support multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@


# 1.432 30-Dec-2003 henning

fix TAILQ abuse.
TAILQ_REMOVE is a no-no within a TAILQ_FOREACH loop.
also free the symbol itself after removal.
all found while hacking bgpd which incorporates pfctl's sym code (macros).

ok cedric@


# 1.431 19-Dec-2003 henning

i wrote much of these, assert my copyright


# 1.430 19-Dec-2003 deraadt

assert copyright. i rewrite much of this


# 1.429 16-Dec-2003 mcbride

Check that max-src-states and max-src-nodes are not being set to 0.


# 1.428 15-Dec-2003 henning

KNF here too


# 1.427 15-Dec-2003 mcbride

Whitespace.


# 1.426 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


# 1.425 15-Dec-2003 mcbride

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@


# 1.424 29-Nov-2003 dhartmei

allow ':' (range including boundaries) to be used wherever '><' (range
excluding boundaries) is legal. already supported by kernel, requires only
removal of three error messages. ok henning@


# 1.423 22-Nov-2003 henning

daniel stumbled over a broken regress test, and it turned out that I forgot
to commit a diff from 11/6...
do not insert the "block in on ! interface" rule for antispoof statements when
the interface in question does not have any IP address, because that then
expands to
block in on ! interface all
which is obviously bad.
niklas@ found it, dhartmei@ ok, and I think some more ppl ok I don't remember


# 1.422 14-Nov-2003 henning

allow the debuglevel to be set from pf.conf (set debug)

ok cedric@


# 1.421 08-Nov-2003 mcbride

Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.

pass in proto tcp to self flags S/SA keep state (no-sync)

ok cedric@ henning@ dhartmei@


# 1.420 06-Nov-2003 henning

and fix two err() that should be errx() while being here


# 1.419 06-Nov-2003 henning

need calloc here


# 1.418 06-Nov-2003 henning

allow the label macros to be used in tags as well.
the idea is not mine and I'd love to get credit, but I cannot find the mail
any more :-((

ok canacar@ dhartmei@


# 1.417 21-Oct-2003 itojun

don't use NULL as (int)0. henning ok


# 1.416 26-Sep-2003 cedric

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:

- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK

Ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_4_BASE
# 1.415 01-Sep-2003 henning

KNF


# 1.414 28-Aug-2003 kjell

This change is busted. what's worse, REGRESSION TESTS WOULD HAVE CAUGHT IT!
You MUST test network stack changes on BOTH BYTE-ORDERS.
Someone can fix this later, but right now I need to get the damn
firewall up. Grr.


# 1.413 26-Aug-2003 dhartmei

catch port/user/group a <>/>< b with a >= b, from mpech@


# 1.412 25-Aug-2003 dhartmei

catch return-rst ttl values > 255, from aaron@


# 1.411 24-Aug-2003 cedric

Tweaks:
- Make sure we allow only tables in round-robin pools for routing options,
same as what we do for translation rules.
- Don't reject rules like: "nat on sis0 -> <foo>" because
"no address family is given". This is perfectly valid.
ok henning@


# 1.410 22-Aug-2003 david

pf spelling police
ok dhartmei@ jmc@


# 1.409 21-Aug-2003 frantzen

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001


# 1.408 20-Aug-2003 henning

braindeadness police: catch queues which specify itself as child... 'nuff said


# 1.407 20-Aug-2003 henning

err out nicer on errors in queue def


# 1.406 18-Aug-2003 dhartmei

catch max-mss values > 65535, report by Gregory Steuck


# 1.405 09-Aug-2003 cedric

This patch removes the restriction that tables cannot be used in routing or
redirection rules...

The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.

This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.

Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"

ok henning@ mcbride@


# 1.404 29-Jul-2003 deraadt

indent


# 1.403 19-Jul-2003 cedric

Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
instead of indirectly through struct pf_rule_addr.

Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.

Needless to say: KERNEL/USERLAND SYNC REQUIRED.

ok henning@ mcbride@


# 1.402 18-Jul-2003 cedric

Simplify handling of flags (-R, -N...). Remove PFCTL_FLAG_ALL.
ok dhartmei@


# 1.401 15-Jul-2003 cedric

Repair memory management in table parsing code.
I need vacations.
Found and verified by Pyun YongHyeon.
ok dhartmei@


# 1.400 14-Jul-2003 dhartmei

tpo


# 1.399 11-Jul-2003 cedric

Better parsing and -v support for tables:

- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and bring table definition consistent with other
parsed rules.

ok dhartmei@


# 1.398 10-Jul-2003 cedric

Fix merging of host lists.
ok dhartmei@ henning@


# 1.397 04-Jul-2003 henning

KNF after cedric (grmpf)


# 1.396 04-Jul-2003 henning

allow for a "pass" modifier on translation rules:
nat pass on $ext_if from $a to $b -> $ext_if
when the pass modifier is given, the filter ruleset is _not_ evaluated but
the packets matching this translation rule are passed unconditionally.

ok dhartmei@ cedric@ markus@


# 1.395 03-Jul-2003 cedric

Bye bye atexit(), bye bye globals...
The pfctl.c part will probably need some further improvements.
ok henning@


# 1.394 03-Jul-2003 cedric

This patch finally cleans up pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@


# 1.393 19-Jun-2003 deraadt

knf


# 1.392 18-Jun-2003 henning

change expand_label_addr() to use a switch (h->addr.type) instead of
if .. else if .. else, and handle PF_ADDR_NOROUTE as well.
inspired by a comment from cedric.


# 1.391 18-Jun-2003 henning

when expanding the $srcaddr/$dstaddr label macros and the address is actually
a table reference, don't print nonsense but the table name.
found by claudio jeker, fix by me, agreement by cedric


# 1.390 09-Jun-2003 mcbride

Attempt to resolve byte order confusion in nat code once and for all.

- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()

NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.


# 1.389 25-May-2003 henning

must not run check_netmask() before remove_invalid_hosts() - binat case had it
wrong for the redirection target.
reported by jared r r spiegel <jrrs@ice-nine.org>


# 1.388 19-May-2003 henning

reject invalid netmasks like 10.0.0.0/68, and fix up the netmask for
dynaddr rules after we know the address family

ok dhartmei@, inspired by a session with bob


# 1.387 19-May-2003 henning

all host() receivers have to test for NULL


# 1.386 19-May-2003 henning

if host() returns NULL, it is an error, so err the fuck out and don't
load bullshit


# 1.385 17-May-2003 henning

support inverse matching on tags like
block in ! tagged sometag

ok dhartmei@ pb@


# 1.384 16-May-2003 dhartmei

TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive end-
point, preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@


# 1.383 15-May-2003 henning

properly complain about too long tags


# 1.382 14-May-2003 frantzen

add scrub modifier "reassemble tcp" to turn on stateful TCP normalizations
ok henning@ dhartmei@


# 1.381 14-May-2003 henning

tagging on binat


# 1.380 14-May-2003 henning

enabled tagging on rdr rules


# 1.379 14-May-2003 henning

with tag/tagged given, only whine about missing keep state on pass rules


# 1.378 14-May-2003 frantzen

allow SCRUB rules to specify protocol again. broken sometime in the past.
okie dhartmei@, yay pb@


# 1.377 14-May-2003 henning

tags on nat rules:
nat on $ext_if all tag humppa -> $ext_if
pass out tagged humppa keep state


# 1.376 13-May-2003 henning

make sure tagging is only ever used with stateful filter rules


# 1.375 13-May-2003 henning

userland part for tagging.
it's now possible to tag packets with an arbitrary tag and filter based on
that tag later on other interfaces:
pass in quick on fxp0 keep state tag blah
pass out quick on wi0 keep state with tag blah
can be used to express trust between interfaces, to distinguish between
NATed connections and connections originating from the firewall itself
and much more

ok dhartmei@ frantzen@ pb@ mcbride@


# 1.374 11-May-2003 mcbride

Don't ntohs() the translation port for nat as it is already in host byte order.
Makes nat ... -> $ext_if port 500 rules work correctly again.

ok henning@ dhartmei@ frantzen@


# 1.373 10-May-2003 henning

support loading of anchors from within the main ruleset via
load anchor anchorname:rulesetname file /path/to/file

ok pb@ dhartmei@ cedric@


# 1.372 03-May-2003 henning

don't free() the char * carrying the rule label too early
noticed by Mathieu Sauve-Frankel <m.sauve at secureops.net> via silc


# 1.371 01-May-2003 henning

ease label handling

ok cedric@


# 1.370 01-May-2003 henning

allow label on antispoof; requested by Gregor Binder <gbinder at sysfive.com>

ok cedric@


# 1.369 30-Apr-2003 cedric

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@


# 1.368 25-Apr-2003 dhartmei

Properly copy the second part of nat proxy port range, when specified.
ok henning@


# 1.367 15-Apr-2003 henning

pass down the unparsed queue opts (struct node_queue_opt) to
print_altq/print_hfsc -> print_hfsc_opts and extract struct node_hfsc_sc
there for each service curve and pass those down to print_hfsc_sc. now
bandwidth specifications in the service curves are printed correct in the
case of a queue belonging to more than one interface/parent queue, the
parent queues having different bandwidths and the bandwith on teh service
curve beeing specified in percent.


# 1.366 14-Apr-2003 henning

let print_altq and print_queue take a struct node_queue_bw parameter instead
of distinct bw_percent


# 1.365 13-Apr-2003 henning

KNF


# 1.364 13-Apr-2003 henning

prevent double service curve specification


# 1.363 13-Apr-2003 henning

add support for the HFSC linkshare, realtime, and upperlimit service curves
to be specified.


# 1.362 13-Apr-2003 dhartmei

unbreak (missing })


# 1.361 13-Apr-2003 henning

say bye bye to hfscflags_list and hfscflags_item
welcome hfscopts_list and hfscopts_item, returning a full struct
node_hfsc_opt instead of just an int for the flags. needed because of all
the opts hfsc knows


# 1.360 13-Apr-2003 henning

new struct node_hfsc_opts for, surprise, hfsc options. needed because they
contain bandwidth specifications and we need to carry the unprocessed bw
specs around for quite some time until we can break them down to absolute
values.


# 1.359 13-Apr-2003 henning

pass down the struct node_queue_opts from the altqif/queuespec yacc targets
to expand_altq/expand_queue -> eval_pfaltq/eval_pfqueue and
further down to the new eval_queue_opts() instead of evaluating them directly
in the yacc grammar.
this will be needed to process the hfsc options which can contain relative
bandwidth specifications, and we can't break them down to an absolute one
earlier.


# 1.358 13-Apr-2003 henning

move the structs node_queue_bw and node_queue_opt to pfctl_parser.h.
let eval_pfqueue() and eval_pfaltq() take a pointer to a struct
node_queue_bw instead of two distinct bw_absolute and bw_percent parameters.


# 1.357 13-Apr-2003 henning

move the bandwidth keyword from within the bandwidth target up to the
queue_opts target so the bandwidth parser can be used for other things too;
will be needed for hfsc's linkshare etc


# 1.356 12-Apr-2003 henning

initial support for the HFSC scheduler.
whoever uses that for more than toying around is on drugs. it's far from done.


# 1.355 11-Apr-2003 henning

KNF


# 1.354 11-Apr-2003 henning

don't set r->qid and r->pqid in expand_rule any more, queue name -> queue ID
mapping is done in kernel land now


# 1.353 07-Apr-2003 dhartmei

Catch and refuse invalid icmp codes (> 255). ok pb@, mpech@.


# 1.352 05-Apr-2003 henning

ease netmask handling a bit

input theo, ok dhartmei@


# 1.351 05-Apr-2003 henning

allow queue specs to be limited to certain interfaces.

altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two }
queue one priority 1 priq(default)
queue two on $if0 priority 15
queue two on ! $if0 priority 0

ok dhartmei@


# 1.350 05-Apr-2003 henning

whitespace KNF


# 1.349 04-Apr-2003 henning

clean up:
instead of letting the lexer interpret '<' '>' '=' '>=' '<=' and return them
as PF_OP_LT, PF_OP_GT etc etc etc in PORTUNARY, just let the lexer return
'<' '>' and '=' literally, and in the few cases where the old PORTUNARY was
really used like originally intended, replace that by a new unaryop yacc
target. in all other cases that gets rid of quite some checks whether PORTUNARY
is really < and nothing else etc etc etc.

ok cedric@ deraadt@


# 1.348 27-Mar-2003 henning

lotsa const char *
from David Hill <david at phobia.ms> a while ago


# 1.347 27-Mar-2003 henning

introduce a "yesno" target. eases code a bit and yes is no keyword any more.


# 1.346 27-Mar-2003 henning

handle invalid priq/cbq flags better and give a nice error message


# 1.345 27-Mar-2003 henning

default, borrow, ecn, red and rio are no keywords any more. use STRING and
strcmp instead.


# 1.344 27-Mar-2003 henning

switch symset/symget to TAILQ instead of using hand baked lists

ok dhartmei@ cedric@


Revision tags: OPENBSD_3_3_BASE
# 1.343 19-Mar-2003 henning

branches: 1.343.2;
kill the address token and move the host() invocation up to the host token,
so that host() always gets the full address to be parsed including the
netmask instead of applying the netmask afterwards. this could break some
edge cases and was broken since the (interface)/24 fix.
new token dynaddr for, well, dynaddr, and apply an eventually given netmask
afterwards in the host token just in this case.

found after bug report From: Julien Bordet <zejames@greyhats.org> via dhartmei

ok daniel cedric


# 1.342 10-Mar-2003 henning

correctly cope with errors returned by eval_pfqueue and pfctl_add_altq

ok dhartmei@ pb@ (as part of... you know, monsterdiff)


# 1.341 10-Mar-2003 henning

when complaining about a queue without parent, include the queue name in
the error message

ok dhartmei@ pb@ (as part of a monsterdiff)


# 1.340 09-Mar-2003 henning

cope with LOOP_THROUGH modifying the list (queues).
in case of an error in the queue def in question the queues list remains
unmodified, but the LOOP_THROUGH caused a mod anyway, and the list can stay
empty. subsequent checks for NULL which check for an empty list fail then.
fix by adding an explicit check before looping.
fixes regress pfail31
error report by Kamil Andrusz via pb@, testcase from pb@
ok dhartmei@


# 1.339 09-Mar-2003 henning

cope with the fact that LOOP_THROUGH loops once even if the list is empty by
moving the addition of child queues a bit down after the successful
addition of the current queue and an explicit NULL check before looping.
fixes regress pf59
found by kjc@
ok kjc@ cedric@ dhartmei@


# 1.338 08-Mar-2003 henning

fix the obvious:
since we do not modify the struct pf_altq *a any more but our private copy,
we can of course not inherit the scheduler type from it, since it did not
inherit the scheduler type from the parent.
so just inherit the scheduler type from the parent directly...

ok dhartmei@ cedric@


# 1.337 08-Mar-2003 henning

in expand_queue, make a private copy of the struct pf_altq before modifying
it. modifying the original one had undesired side effects if a queue was
expanded to more than one because it belonged to more than one interface

ok pb@ cedric@ dhartmei@


# 1.336 06-Mar-2003 henning

fix queue assignment on filter rules which are not bound to an interface.
when looking up the queue IDs using qname_to_qid, we do not need to limit
the matching on the interface in question, as it is guaranteed that same
named queues on different interfaces have the same queue id. moreover, we
must not limit the matches to the interface if we do not have an interface
given on the filter rule to match on ;-)

found after problems reported by Andre Nathan <andre at v2r dot com dot br>

ok dhartmei@ pb@ cedric@


# 1.335 02-Mar-2003 henning

when printing queues at load time that have bandwidth specified in percent,
print the bandwidth in percent instead of the calculated absolute value.
if a queue belongs to more than one interface and they have different
bandwidth the calculated absolute is of course different per interface.
previously the first calculated absolute value was shown; what of course is
incorrect on the second interface. note that only the print was wrong, the
correct values were passed to the kernel.

ok theo daniel


# 1.334 02-Mar-2003 henning

remove the control keyword for cbq queues.
the control class was a legacy of the original CBQ design by LBL/Sun
to support RSVP.
the control class is not used in openbsd, in the sense that
we don't automatically set filters for ICMP/IGMP/RSVP for the control
class.

ok dhartmei@ kjc@ deraadt@


# 1.333 27-Feb-2003 david

modify error message to match the same 7 sections in pf.conf(5)
ok deraadt@ henning@


# 1.332 26-Feb-2003 henning

in expand_rule, correctly set r->pqid if a priority queue was defined, and
reuse the value of r->qid if not.

ok dhartmei@ mcbride@


# 1.331 25-Feb-2003 henning

some minor KNF my fingers just did...

ok dhartmei@ cedric@


# 1.330 25-Feb-2003 cedric

repair/simplify/flexify binat userland.
ok dhartmei@ henning@


# 1.329 24-Feb-2003 henning

when a macro is redefined, don't bother with reusing the existing entry in
symset() but just prepend a new sym entry to symhead like we always did. as
symget searches the list sequentially, the newest one is picked first.
prevents an endless loop introduced when trying to reuse the existing entry
by an invalid setting for the next pointer.
fixes regress test pf57.

found after conversation with Chris Linn, celinn at mtu dot edu

ok dhartmei@ cedric@


# 1.328 21-Feb-2003 henning

re-allow set loginterface none
ok cedric@ dhartmei@


# 1.327 21-Feb-2003 henning

better error message if set loginterface is called with nonexistent
interface, found by krause (who is doing EXCELLENT work. Thank you very
much!), fix by me, ok dhartmei@ and cedric@


# 1.326 20-Feb-2003 henning

reject nonexistent interfaces in the dynaddr case, noticed during discussion
with jasondixon at myrealbox dot com

ok dhartmei@


# 1.325 19-Feb-2003 dhartmei

Make 'from (kue0)/24' work again (dynamic interface name translation with
a /prefix), reported by Jason Dixon. ok henning@


# 1.324 19-Feb-2003 henning

better error message on icmp version / address family mismatch

ok markus@


# 1.323 18-Feb-2003 henning

fix load option handling (-A, -N, -R) for options.
due to a bug in the loadopt check options were always loaded no matter which
loadopts were specified.
while being there, move the prints for that to where they belong, into the
appropriate pfctl_set_* functions, and thus only print when the options are
actually loaded.
fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier.

ok dhartmei@


# 1.322 17-Feb-2003 henning

"optarg" was a bad pick for the variable name in pfctl_cmdline_symset, it
shadows a global. rename.


# 1.321 17-Feb-2003 mpech

-#include <sys/ioctl.h>

mcbride@, dhartmei@ ok


# 1.320 16-Feb-2003 henning

unneeded {}


# 1.319 16-Feb-2003 henning

throw a syntax error if the portunary operator in varset is no '='
extif>"whatever"
should not be the same as
extif="whatever"
but a syntax error.


# 1.318 14-Feb-2003 dhartmei

Allow route-to loopback interfaces again, since Ryan fixed the loops that
might have occurred before.


# 1.317 14-Feb-2003 cedric

Better and more consistent error message.
Ok dhartmei@


# 1.316 13-Feb-2003 henning

ease the yacc a bit by using a "not" rule instead of having two rules w/ and
without '!' everywhere

ok dhartmei@


# 1.315 12-Feb-2003 henning

KNF after ryan


# 1.314 12-Feb-2003 mcbride

Simplify the code and make the parser handle the different rule types
more consistently.

- Merge expand_nat and expand_rdr into expand_rule
- Merge rdrrule token into natrule

ok concept henning@
ok dhartmei@


# 1.313 11-Feb-2003 henning

allow macro definition on the command line:
pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea
theo), very handy if your notebook has another NIC at some conference, as
well as for debugging etc.
idea rezine@mistrusted.net via pb@
hacked live at FOSDEM

ok pb@ dhartmei@ cedric@


# 1.312 09-Feb-2003 henning

more live code from FOSDEM:
make
pass in proto tcp to port 80
work.
-allow to omit the "any" if you're specifying a port
-allow to omit the from or to part if you want "any" for the other

ok dhartmei@ pb@


# 1.311 09-Feb-2003 henning

KNF


# 1.310 09-Feb-2003 camield

Fix a few warnings and remove unnecessary check and cast.

ok dhartmei henning


# 1.309 08-Feb-2003 dhartmei

Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@


# 1.308 05-Feb-2003 cedric

Fix "pass out dup-to (tun0 1.1.1.1) inet6 all" error message
Allow "pass out dup-to tun0 all"
ok mcbride@ henning@


# 1.307 05-Feb-2003 mcbride

Set the network mask to all 1's if no address is specified for a
route-to/dup-to/reply-to rule. Keeps round-robin from incrementing through
the entire address space.

ok dhartmei@


# 1.306 03-Feb-2003 deraadt

pretty


# 1.305 03-Feb-2003 dhartmei

Don't allow loopback interfaces as route/reply/dup-to targets. ok henning@


# 1.304 03-Feb-2003 cedric

remove loadopt global definition and cleanup a bit.
ok henning@


# 1.303 03-Feb-2003 henning

fix a problem with queue definitions when load options (like -N etc) are
given; they used to check for their parent interface/queue even in this
case.

ok dhartmei@ cedric@


# 1.302 02-Feb-2003 henning

there is no need to pass opts to parse_rules explicitly; it's passed as
part of the struct pfctl.


# 1.301 27-Jan-2003 deraadt

KNF


# 1.300 25-Jan-2003 mcbride

Match changes for rdr port ranges made to pf.c:
- fixes behaviour of rdr on le0 from foo to bar port 1:20 -> (lo0) port 22
- makes calculated mapping more explicit for the -> (lo0) port 22:* case

testing from dhartmei@

ok dhartmei@


# 1.299 25-Jan-2003 cedric

Fix NOACTION with table statements.


# 1.298 25-Jan-2003 cedric

Permit initialisation of a table content from a file in pf.conf.
Cleaning up of the table options parsing, more flexible.
idea+cleanup deraadt@, ok dhartmei@, pass all regress tests.


# 1.297 25-Jan-2003 cedric

Correctly check illegal constructs with tables. Better error messages.
ok dhartmei@ pass all regress tests.


# 1.296 25-Jan-2003 henning

if a table name is too long, it's actually nice to tell so instead of just
aborting with a syntax error


# 1.295 20-Jan-2003 camield

Remove unused argument from print_name() and fix two other nits
found by lint.

ok henning


# 1.294 19-Jan-2003 camield

Spin off label string expansion into a separate function. Clarifies
and tightens all expand_label functions.

ok dhartmei henning


# 1.293 18-Jan-2003 henning

KNF after ryan...


# 1.292 18-Jan-2003 mcbride

Add missing token string and assignment to make static-port work for real.

Diff and report courtesy of mpech@ and form@

ok dhartmei@


# 1.291 17-Jan-2003 camield

bandwith -> bandwidth

YYERROR on failed parseicmpspec()

ok dhartmei mcbride henning


# 1.290 15-Jan-2003 mpech

Typo in yyerror().

henning@


# 1.289 14-Jan-2003 henning

unified IP parser:
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h]
-extend host() to handle /mask itself, plus minor adjustments
-use that in pfctl_table.c instead of coding the same shit again

discussed w/ cedric@
ok cedric@ dhartmei@


# 1.288 13-Jan-2003 camield

err() on all memory allocation failures

ok henning dhartmei


# 1.287 11-Jan-2003 mcbride

Whitespace KNF


# 1.286 09-Jan-2003 henning

no need for explicit numbering in enums

ok dhartmei@


# 1.285 09-Jan-2003 dhartmei

Check return values on the remaining strlcpy/strlcat. ok henning@


# 1.284 09-Jan-2003 henning

minor KNF


# 1.283 09-Jan-2003 cedric

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@


# 1.282 08-Jan-2003 deraadt

check more strlcpy; camield@


# 1.281 07-Jan-2003 dhartmei

Allow underscore at the beginning of strings, fixes
pass all user _spamd
which was refused as syntax error before. Reported by Joe Nall.
ok henning@


# 1.280 07-Jan-2003 dhartmei

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@


# 1.279 06-Jan-2003 mcbride

Fix some oversights with address pools for route-to/dup-to/reply-to
- copy key for src-hash
- copy pool type (pools were being set to round-robin in all cases)

+ some minor knf.

ok dhartmei@


# 1.278 05-Jan-2003 henning

err after calloc failure, not errx


# 1.277 05-Jan-2003 dhartmei

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@


# 1.276 04-Jan-2003 dhartmei

move noroute from flag in pf_rule_addr into type in pf_addr_wrap.
ok henning@, mcbride@


# 1.275 04-Jan-2003 deraadt

I do not know where this policy of "one .h file for every .c file" comes
from, but whoever thought of it is stupid.


# 1.274 03-Jan-2003 dhartmei

whitespace KNF (no, i don't touch the option inits)


# 1.273 03-Jan-2003 cedric

Bring in userland code for accessing PF radix tables.
ok dhartmei@ mcbride@


# 1.272 02-Jan-2003 mcbride

Require a direction to be specified for rules which do routing.

ok dhartmei@ henning@


# 1.271 30-Dec-2002 mcbride

Change ipv6-icmp-type to icmp6-type. pf.conf files will need to be adjusted
to reflect this.

ok dhartmei@ henning@


# 1.270 27-Dec-2002 mcbride

Since pf_norm.c looks at rule.log to see if it should log packets being
dropped due to scrub violations, this adds the ability to set this in
pf.conf.

ok henning@


# 1.269 21-Dec-2002 henning

always initialize rpool.key; diff from Frank Denis; KNF by me


# 1.268 21-Dec-2002 henning

KNF


# 1.267 20-Dec-2002 dhartmei

remove a redundant assignment.


# 1.266 19-Dec-2002 dhartmei

fix 'no rdr'.


# 1.265 18-Dec-2002 henning

more KNF


# 1.264 18-Dec-2002 dhartmei

proto list expansion is not supported in binat-anchor yet, print an error
when attempted.


# 1.263 18-Dec-2002 dhartmei

Support (single) destination port in rdr-anchor rules. Print an error
where parameters are not supported (in rdr-anchor and binat-anchor) yet.
If those are needed, we'll have to expand them properly.


# 1.262 18-Dec-2002 deraadt

fix some INCREDIBLE new bugs which were introduced


# 1.261 17-Dec-2002 henning

add support for the PRIQ scheduler

partially from kjc@

ok kjc@ dhartmei@


# 1.260 17-Dec-2002 mcbride

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule

ok dhartmei@ henning@


# 1.259 17-Dec-2002 henning

missing break in switch


# 1.258 17-Dec-2002 henning

beautify the %type block


# 1.257 17-Dec-2002 henning

PRIQ and HFSC support functions, not yet used.
mostly from kjc@ with adjustments by me.

ok theo ryan daniel


# 1.256 16-Dec-2002 henning

only create a root queue if scheduler = cbq


# 1.255 16-Dec-2002 henning

get full [scheduler]_opts struct instead of just .flags, and wrap in into a
switch (scheduler) statement in one case

inspired by kjc@


# 1.254 13-Dec-2002 henning

allow a second queue for higher prioritized (currently: tos=lowdelay) packets
to be specified per rule

queue (qname, priorized_qname)

idea dhartmei
ok dhartmei@ frantzen@ deraadt@


# 1.253 13-Dec-2002 henning

a bit KNF originally part of another diff soon to come; frantzen@ correctly
pointed out that this should be a separate commit.


# 1.252 13-Dec-2002 deraadt

permit re-ordering of some scrub parameters, and also clean up some other
grammar baloney; henning ok


# 1.251 12-Dec-2002 henning

KNF


# 1.250 12-Dec-2002 henning

we don't need to keep a private copy of the queue name in expand_rule,
r->qname is never modified

discussed with dhartmei@


# 1.249 11-Dec-2002 mcbride

Replace strncpy + ugly pointer math with sscanf for reading source-hash keys

ok dhartmei@ henning@


# 1.248 09-Dec-2002 dhartmei

(properly guarded) strcpy() -> strlcpy()


# 1.247 09-Dec-2002 deraadt

do not allow redefinitions in variable option blocks; henning ok


# 1.246 08-Dec-2002 henning

strncpy is evil.


# 1.245 08-Dec-2002 henning

allow flexible options order like Theo did for rules.

idea, lots of input, motivation and ok deraadt@

ATTENTION:
this changes the syntax. the "scheduler" keyword is gone now.
old: altq on $interface scheduler cbq ...
new: altq on $interface cbq ...


# 1.244 07-Dec-2002 dhartmei

Support parameters in anchor rules. Allows conditional evaluation, like:

anchor spews inet proto tcp from any to any port smtp

ok deraadt


# 1.243 07-Dec-2002 henning

more KNF


# 1.242 07-Dec-2002 henning

KNF


# 1.241 07-Dec-2002 henning

shadow cleanup

ok mcbride@ frantzen@


# 1.240 07-Dec-2002 henning

kill an unused param to lungetc


# 1.239 07-Dec-2002 mcbride

Convert the hash of a string key to network byte order. Makes regression
work on all platforms.

Bug found by dhartmei@

ok dhartmei@ henning@


# 1.238 06-Dec-2002 dhartmei

Remove negated address list check again, doesn't work right yet.


# 1.237 06-Dec-2002 dhartmei

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@


# 1.236 05-Dec-2002 henning

fix a small cosmetic problem. if ifa_lookup was called in LOOKUP_NET mode,
it would return things like 127.0.0.1/8. when 127.0.0.1/8 is passed through
the new selftests, it becomes 127.0.0.0/8.
fix: instead of just copying addr.mask in ifa_lookup, use set_ipmask, so it
is 127.0.0.0/8 from the beginning on.


# 1.235 05-Dec-2002 henning

-quote varset in -v output
-don't add 's' in set timeout -v output

makes the feedback regression tests succeed.

ok markus@ mcbride@


# 1.234 04-Dec-2002 henning

in host(), apply a given netmask to all members of the node_host list
returned by ifa_lookup().

reported by Alejandro G. Belluscio

ok dhartmei@


# 1.233 04-Dec-2002 deraadt

do not warn for unused variables except with -v -v; henning ok


# 1.232 02-Dec-2002 henning

KNF


# 1.231 02-Dec-2002 deraadt

permit more flexible pass/block lines. the options given at the end of
a line can now be placed in any order, and some merging of duplicate options
is also done. this is easier to use.


# 1.230 02-Dec-2002 henning

allow for "altq on $interface" without specifying a bandwidth. The
interface's bandwidth is taken then.
as a side-effect, "altq on $interface bandwidth xx%" is also possible now,
it's relative to the interface's bandwidth then.

ok theo


# 1.229 30-Nov-2002 mickey

move damn unmask() proto into place as well


# 1.228 29-Nov-2002 henning

coredumps are not nice.
deal with the fact that when we are merging the lists in host_list both can
be NULL.
found at EuroBSDCon 2002 while I was explaining the expansion process to
Paul de Weerd

ok dhartmei@


# 1.227 29-Nov-2002 henning

print queuespec only once in verbose mode, even if referenced more often


# 1.226 29-Nov-2002 henning

FREE_LIST nqueues later; can be used more than once


# 1.225 28-Nov-2002 henning

allow qlimit on altq spec


# 1.224 28-Nov-2002 mcbride

- Adjust to match replacement of md5 with pf_hash
- Allow keys to be specified in hex (must be 128 bits, mainly to make
pfctl -v output parseable by pfctl) or as a string. Randomly generate key
if one is not specified.

Suggestions and fixes from camield@

ok mickey@ camield@ henning@


# 1.223 27-Nov-2002 henning

handle the "no bandwidth specified" case earlier and easier.


# 1.222 27-Nov-2002 henning

-use a #define for default qlimit instead of hardcoding it
-print qlimit in print_queue if it is not the default one
-assign the default qlimit early in the parser instead of using 0


# 1.221 27-Nov-2002 henning

next round in print fixes:
-only print priority if it is not equal to the default one
-space handling overhaul


# 1.220 27-Nov-2002 henning

use a #define for default priority instead of hardcoding it


# 1.219 27-Nov-2002 henning

fix tbrsize spec


# 1.218 27-Nov-2002 henning

fix error message for altq ifspec without child queues


# 1.217 26-Nov-2002 henning

make bandwidth specification on queue truly optional


# 1.216 26-Nov-2002 henning

queue comes before NAT


# 1.215 25-Nov-2002 henning

repair decide_address_family
you cannot just take the first address family you meet as rule's address
family... either all are equal, or the rule has no explicit AF.

found by danh@
ok theo


# 1.214 25-Nov-2002 mickey

for loN and link1 translate the iface into address properly; henning@ ok


# 1.213 25-Nov-2002 henning

1Kb = 1000b, not 1024; as discussed with kjc@ and theo


# 1.212 25-Nov-2002 henning

KNF


# 1.211 24-Nov-2002 pb

enforce that queue comes right before filtering
'options, normalization, translation, queue, filter' now

henning@ ok


# 1.210 24-Nov-2002 dhartmei

Cosmetics and removal of a redundant code block.


# 1.209 23-Nov-2002 deraadt

sigh


# 1.208 23-Nov-2002 henning

KNF


# 1.207 23-Nov-2002 henning

better error checking in expand_queue


# 1.206 23-Nov-2002 henning

easier


# 1.205 23-Nov-2002 mcbride

Daniel's diff to untangle my mess with ifa_pick_ips like so:

- add decide_address_family() which runs through the list to find hosts
with the af set
- replace ifa_pick_ips with remove_invalid_hosts() which removes hosts with
the wrong address family from the list

from/ok dhartmei@


# 1.204 23-Nov-2002 henning

better error checking, round 1
this time in expand_altq


# 1.203 23-Nov-2002 henning

KNF


# 1.202 23-Nov-2002 deraadt

KNF


# 1.201 23-Nov-2002 dhartmei

$$->ifname is NULL, leave it NULL, don't $$->ifname[0] = 0;


# 1.200 23-Nov-2002 mcbride

Fix brokenness in parse.y, clean up:
- remove requirement for ( ) in route-to ( if )
- calloc route_host
- initialise route_host->next
- globally convert malloc to calloc

ok dhartmei@


# 1.199 23-Nov-2002 mcbride

code to support loading of pf rules with multiple redirection addresses
(in nat, rdr, route-to, dup-to and reply-to)

Syntax looks like this, see pf.conf(5) for details:

nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
192.168.0.16/29 source-hash random

rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
{ 192.168.0.8/31, 192.168.0.15 } port 22 round-robin

ok dhartmei@ henning@


# 1.198 22-Nov-2002 henning

print altq and queue lines in the pfctl -v case including the child queue
assignment


# 1.197 19-Nov-2002 henning

only take cbq opts from schedtype if type=CBQ


# 1.196 19-Nov-2002 henning

repair queuespec syntax glitch, theo agrees


# 1.195 19-Nov-2002 henning

default priority is 1, not 0
found by pb@


# 1.194 19-Nov-2002 camield

- match 'Gb' case-sensitively
- match "%" unit only, not "%crap"

ok henning@


# 1.193 19-Nov-2002 wilfried

icmp-type was off by one, ok henning@


# 1.192 18-Nov-2002 deraadt

no; do not use };


# 1.191 18-Nov-2002 henning

more using strl* return values instead of strlen calls


# 1.190 18-Nov-2002 henning

easier "queue name too long" detection; from theo


# 1.189 18-Nov-2002 deraadt

KNF


# 1.188 18-Nov-2002 deraadt

KNF


# 1.187 18-Nov-2002 henning

altq and pf merged

this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documentation yet, but committing now
enables a few more people to work on.

print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.

"commit now" theo philipp daniel


# 1.186 13-Nov-2002 henning

as scrub rules end up in a struct pf_rule just call expand_rule instead of
handcrafting this.
has quite a few positive side effects:
-interface list expansion works (fries@ asked for that)
-can specify address family, very helpful with dynamic interface expansion
(pointed out by daniel)
-src/dst ip/port list expansion works
-fixes a long standing, scary, though never noticed bug:
scrub out on lo1 from any to 10.0.0.1
expanded to
scrub out on lo1 all
... this bug was there from day #1.

"sneaky diff of the month award" dhartmei@


# 1.185 13-Nov-2002 dhartmei

Add label macro $if, as we support {} list expansion for interfaces now.
From David Gwynne. ok henning@, camield@


# 1.184 13-Nov-2002 dhartmei

Initialize tail pointer to node, found by fries@


# 1.183 08-Nov-2002 henning

init buf to NULL just in case...
there isn't a single codepath where it can remain uninitialized, but this
might prevent a stupid bug if we change something later


# 1.182 07-Nov-2002 henning

move the ifa_exists block a bit up in host()
inspired by mpech@ pointing out a missing free(buf). so handle the
it-is-an-interface case where we don't need the buf before allocating memory.


# 1.181 04-Nov-2002 henning

welcome to CIDR world, pfctl!

use inet_net_pton to parse IP addresses.
stuff like
block in from 10/8 to any
works now.

some input camield@ and dhartmei@

ok dhartmei@, camield@, mcbride@


# 1.180 02-Nov-2002 dhartmei

%i -> %d, matches the style of existing code, from millert@


# 1.179 02-Nov-2002 dhartmei

printf int with %i, not %u. from pilot@monkey.org.


# 1.178 30-Oct-2002 henning

simplify


# 1.177 30-Oct-2002 henning

fix interface expansion. since the reversed list expansion code was
committed this was broken, only the first IP address was returned.

pointed out by danh@, who sent an excellent bug report.

ok dhartmei@


# 1.176 29-Oct-2002 henning

introduce
set require-order [yes|no]
default is yes.
with set to "no", it isn't required to have the rules in order (options,
scrub, nat, filter) any more, though of course NATing still happens before
filtering and so on, so one has to take care.

ok camield@ mcbride@ dhartmei@
idea discussed with a whole lotta more people and basically ok for everyone ;-)


# 1.175 27-Oct-2002 henning

remove the "flags X" syntax.
no one who wrote "flags S" meant that, but actually something like "flags
S/SA". with "flags S" changing its actual meaning as more flags got
supported, things got worse.

ok dhartmei@, pb@


# 1.174 22-Oct-2002 mpech

%ul -> %lu

dhartmei@ ok


# 1.173 22-Oct-2002 mcbride

More conversion of "int af" and "u_int8_t af" declarations and function
arguments to the more correct and descriptive "sa_family_t af"

ok dhartmei@ henning@


# 1.172 22-Oct-2002 camield

Rename ipmask to set_ipmask and add some functionality: the netmask
is applied immediately to the address.

This way, the parsed rules output shows exactly which bits of an
address are significant for a match and errors due to wrong netmasks
can be spotted more easily.

Example:
$ pfctl -nvf -
pass in on lo0 from 172.17.0.0/12 to any
@0 pass in on lo0 inet from 172.16.0.0/12 to any

idea refined by dhartmei@
ok frantzen@ henning@


# 1.171 17-Oct-2002 mcbride

These checks are also made in nat_consistent() and rdr_consistent().

ok dhartmei@ henning@


# 1.170 17-Oct-2002 camield

- accept all protocols that are specified by number if they are in
the valid range (also when they're not listed in /etc/protocols)
- explicitly disallow protocol number 0, because it has special meaning
to pf

ok dhartmei@ henning@


# 1.169 16-Oct-2002 mpech

Fix and improve binat mask comparison.

dhartmei@, henning@ ok


# 1.168 14-Oct-2002 henning

Allow one to specify a netblock in a binat rule:

binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27

Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.

from ryan

ok dhartmei@


# 1.167 11-Oct-2002 camield

When a macro cannot be expanded because it is not defined, say so. Also warn
about unused macros.

ok dhartmei@ henning@


# 1.166 11-Oct-2002 camield

In lgetc(), compress strings of whitespace to a single space. This makes
macros come out right in verbose mode and is less functional overhead.

Also err on whitespace after a backslash. That type of error is hard to
find otherwise.

ok dhartmei@ henning@


# 1.165 08-Oct-2002 vincent

remove <0 checks on unsigned numbers.

ok henning@


# 1.164 07-Oct-2002 dhartmei

-Wsign-compare clean


# 1.163 07-Oct-2002 dhartmei

Two cases of const-correctness and make one global local.


# 1.162 07-Oct-2002 henning

set block-policy [drop|return]
drop is default, same behaviour as before

support
block drop
to override a return policy


# 1.161 07-Oct-2002 henning

support a generic return
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else

ok dhartmei@


# 1.160 07-Oct-2002 henning

make return-icmp work for rules covering both v4 and v6
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)

ok and some input dhartmei@


# 1.159 07-Oct-2002 henning

use a new rule_flag PFRULE_RETURNICMP to decide whether to return-icmp or not
instead of just testing return_icmp > 0

ok dhartmei@


# 1.158 07-Oct-2002 dhartmei

Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.


# 1.157 06-Oct-2002 dhartmei

Move CHECK_ROOT into LOOP_THROUGH, gets rid of one macro and saves
several lines, no functional difference. From Camiel Dobbelaar.


# 1.156 05-Oct-2002 dhartmei

Expand {} lists from left to right, so 'pass in from { a, b } to any'
becomes '@0 pass in from a to any @1 pass in from b to any' instead of
the other way around. Patch from Camiel Dobbelaar.


# 1.155 05-Oct-2002 dhartmei

Allow filtering based on IP header's tos field.


Revision tags: OPENBSD_3_2_BASE
# 1.154 22-Sep-2002 henning

little KNF: return(something) -> return (something)


# 1.153 22-Sep-2002 henning

fix linenumber counting in findeol, and simplify by ignoring the \ case,
that's already handled earlier.
fast-forward on erroneous lines

partially from camield@, parts result of a discussion with Mike

ok frantzen@ dhartmei@


# 1.152 22-Sep-2002 henning

antispoof, take 2.
also block incoming packets with our own IP as src.

discussion & help frantzen

ok ho@ dhartmei@ frantzen@


# 1.151 17-Sep-2002 henning

easier "self" implementation.
no functional changes

ok pb@


# 1.150 15-Sep-2002 henning

set a netmask in the dynaddr case
noticed by <han@mijncomputer.nl>

ok pb@


# 1.149 14-Sep-2002 henning

bit more clue in rdr/nat rules wrt address family examination
don't take the af from host_node structs based on interface lookups, most
interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will
at least have one IP address specified from which we take the af for the
whole rule. The rare exceptional cases require the user to specify the af.

ok frantzen@


# 1.148 12-Sep-2002 henning

check for calloc() failure; ho@


# 1.147 12-Sep-2002 henning

antispoof [log] [quick] for [interface|interface_list] [af]

e.g.

antispoof log quick for { dc0, dc1 } inet

docs & regress coming

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@
IPv6 help itojun@

finally, a long story finds its happy end here.


# 1.146 12-Sep-2002 henning

rework netmask handling:
-don't set netmask in host token handler
-clear netmask in ipmask() proper before setting it
-in ifa_load(), also store interface's netmask and broadcast address
-allow ifa_lookup() to return either the interface's IP address(es), network(s)
or broadcast address(es) - not used anywhere yet. This implies that
ifa_lookup() also returns the netmask now.
-host() returns netmasks, too

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@


# 1.145 08-Sep-2002 henning

be more clueful wrt address family in nat/rdr rules.
behaviour noticed by Paul de Weerd, thanks!

ok dhartmei@


# 1.144 02-Sep-2002 dhartmei

Fix parsing of port ranges in translation rules (port a:b -> port c:d).
ok henning@


# 1.143 02-Sep-2002 dhartmei

Make sure the interface specified with route-to/dup-to/fastroute exists
and null-terminate the interface name. Found by Michael Wallis.
ok henning@


# 1.142 20-Aug-2002 dhartmei

Increase lineno on newlines inside multi-line macro definitions, otherwise
errors on subsequent lines are reported with wrong line numbers.
From Paul B. Henson.


# 1.141 16-Aug-2002 henning

kill duplicated check for '(' and ')' in allowed_in_string


# 1.140 12-Aug-2002 dhartmei

Catch null pointer deref (segfault), from wilfried@


# 1.139 06-Aug-2002 henning

missing free(), mpech@
ok pb@


# 1.138 06-Aug-2002 henning

check for strdup() allocation errors

pointed out by mpech@
ok pb@


# 1.137 31-Jul-2002 henning

KNF, esp. missing prototypes


# 1.136 30-Jul-2002 henning

grmpf.
in some cases, on non-tcp rules flags weren't reset. cosmetic only
problem. but, well, checking for r->flags and r->flagset if we could have
assigned them zero just one round ago is just stupid, and it's not needed to
check them at all.

ok pb@, dhartmei@


# 1.135 30-Jul-2002 henning

allow to specify flags on all rules that include tcp.

these are valid:

pass in from any to any flags S
pass in proto { tcp, udp, icmp } from any to any flags S
pass in proto tcp from any to any flags S

these are invalid:

pass in proto { udp, icmp } from any to any flags S
pass in proto udp from any to any flags S

ok "I've lost my slacker status for at least a week" frantzen@
ok pb@, dhartmei@, deraadt@


# 1.134 26-Jul-2002 henning

make the order of log and quick irrelevant. now both
block in log quick all
and
block in quick log all
work.

ok dhartmei@, deraadt@


# 1.133 23-Jul-2002 henning

timeout_list/_spec and limit_list/_spec don't return anything -> no %type.

ok theo


# 1.132 21-Jul-2002 deraadt

fix route-to also


# 1.131 21-Jul-2002 deraadt

make the , optional in many places. This makes string concat a lot more
useful. Now you can
in = ssh domain www
out = $in ftp finger
pass in proto tcp from any to any port { $in }
pass out proto tcp from any to any port { $out }
a poor example, but the idea is obvious


# 1.130 21-Jul-2002 deraadt

string concat, ie.
a=a b
c=$a $a


# 1.129 20-Jul-2002 deraadt

minor indent tweaks


# 1.128 20-Jul-2002 deraadt

properly split yacc and lex use


# 1.127 19-Jul-2002 deraadt

minor tweaks, sigh


# 1.126 19-Jul-2002 dhartmei

And back out the last change again.


# 1.125 19-Jul-2002 henning

rework the interface lookup routines internals.
less and easier code than before.
no functional changes.

ok frantzen@, dhartmei@


# 1.124 19-Jul-2002 dhartmei

Support # comments at the end of lines and inside (multi-line) string
literals, so you can do things like

macro="{ foo, # first entry
bar, # second entry
baz }" # last entry

or

pass in on $ext_if \ # external interface
proto tcp \ # TCP connections
from any to $ext_if \ # to the gateway itself
keep state

And sneaking in two minor fixes for KNF.


# 1.123 19-Jul-2002 henning

deal with the fact that the struct node_host ifa_pick_ip gets is not always
the result of an interface expansion. in this case ifa_pick_ip does an
address family check (that's actually a (wanted) side effect). Thus, we need
to spit out a meaningful error message in case of a mismatch.
also adjust all the other error messages, they were also assuming that nh is
the result of an interface expansion.
after a looooong discussion on icb (dhartmei@, pb@, me) we agreed on the term
"translation address" for that.

okay dhartmei@


# 1.122 17-Jul-2002 henning

support "self" as address. self expands to all IPv4 and IPv6 addresses of
the machine, on all interfaces. I wanted
block in log on ! lo0 from any to self
for years, and now it's possible.

ok "I may lose my slacking status if I OK it" frantzen@
ok dhartmei@

documentation in pf.conf.5 to come with pb@'s rewrite


# 1.121 16-Jul-2002 dhartmei

Add nat_consistent() and rdr_consistent() for checks that should occur
after rule expansion, similar to rule_consistent(). Fixes the
non-effective test for rdr rules for non-TCP/UDP protocols with ports,
found by mpech@, ok frantzen@


# 1.120 15-Jul-2002 henning

add support for
pass|block on ! $interface ...

ok dhartmei@

will be documented in pf.conf(5) by "I'm not slacking!" pb@ who's currently
reworking this manpage


# 1.119 15-Jul-2002 pb

cosmetics/consolidations to manpage in yyerror()s

ok henning@, dhartmei@


# 1.118 15-Jul-2002 henning

o complain about keep state on block rules
o complain about return-rst on rules which aren't limited to tcp

pointed out by not-slacking-but-testing pb@

ok pb@, dhartmei@


# 1.117 13-Jul-2002 henning

add list expansion for interface and proto in nat rules and for proto in rdr
rules (interface was already there). since the nat.conf/pf.conf merge the
parser accepted these but didn't expand them. ugh.

ok dhartmei@


# 1.116 09-Jul-2002 itojun

check sin6_scope_id field, just in case we change the routing socket API
for scoped address (unlikely due to the deployed codebase...).


# 1.115 09-Jul-2002 itojun

getifaddrs(3) grabs link-local addrs in kernel internal form, convert them
into proper sockaddr_in6.


# 1.114 09-Jul-2002 henning

rework the interface-to-IP routines.

you can use interface names instead of an IP in most places. However, until
now, it was only expanded to the interface's first IPv4 address if existent
(and address family unset or inet) and the first IPv6 address otherwise.

this diff changes that. the interface is properly expanded to all IPs, IPv4
_and_ IPv6, now.

it also cleans up the lookup procedures (well, in fact, they are replaced by
a new one), there's no need for different procedures for IPv4 and IPv6. we
now just have one list of interfaces (AF_LINK) and one list with IPs
(AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and
ifa_lookup.

nat, rdr & friends now use the new function ifa_pick_ip to get the IP in
rules like

nat on $interface from $whatever to any -> $interface

ifa_pick_ip tries to be smart.
if the interface has only one IP address and the nat rule doesn't specify an
address family (or it matches with this address), take this one.
If the address family is specified in the nat rule and there is only one IP
for the given address family, this one is used. if the address family is not
specified and there is more than one IP pfctl throws an error. The same
applies for multiple IPs per address family.

This causes regression tests 18 and 20 to fail because the address family
isn't specified there; diff for those coming.

also fix some prototypes while I'm here.

pb@ found another problem while testing that we must have introduced somewhat
after 3.1.

$cat t
nat on ne3 from any to any -> 213.128.133.5
$pfctl -nvf t
nat on ne3 all -> ?

it's only a representation bug as far as I've checked, nonetheless it should
be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just
steal its target's IP af and set the rule's af accordingly. then inet_ntop
does play nice.
binat rules already enforce having an address family set always and thus are
not affected.

ok dhartmei@, pb@, kjell@
"It looks good" frantzen@


# 1.113 08-Jul-2002 dhartmei

Don't allow 'flags' option in non-TCP rules, found by mpech@


# 1.112 05-Jul-2002 henning

unbreak.


# 1.111 05-Jul-2002 henning

another small bug I found while installing a -current pf firewall.
we don't support

pass/block in on ! <interface>

(at least, not yet)
let the parser complain instead of ignoring the '!'

ok pb@, dhartmei@


# 1.110 01-Jul-2002 espie

streamline parse buffer handling (no need to copy value that is not
going to go away).

add explicit pushback buffer, to be able to push IPv6 failed parses back.

handle pushback + parse buffer interactions by using negative indices.

okay dhartmei@, deraadt@


# 1.109 01-Jul-2002 deraadt

KNF


# 1.108 28-Jun-2002 dhartmei

Don't check for address family conflicts in nat/rdr before expansion,
rules will expand to all valid combinations, and there's an error when
none is found. Makes "nat on tun0 from 10.0.0.0/8 to any -> (tun0)"
work (again).


# 1.107 25-Jun-2002 henning

move pfctl options -t, -m, -O and -l to pf.conf. These are set using the
"set" keyword. example rulefile:

set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all

fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@


# 1.106 24-Jun-2002 dhartmei

Use interface when specified in scrub rule. No support for ! or {} yet.


# 1.105 23-Jun-2002 deraadt

uid_t and gid_t are unsigned


# 1.104 20-Jun-2002 dhartmei

Copy address family from inet/inet6 keyword, if specified.


# 1.103 18-Jun-2002 frantzen

propagate a '!' when a host resolves to multiple IP addresses
ok dhartmei@


# 1.102 18-Jun-2002 frantzen

don't allow individual keep state rules to specify timeouts for 'interval' and
'frag' -- they aren't applied anyway
ok dhartmei@ and henning@


# 1.101 16-Jun-2002 aaron

Rules must in order -> Rules must be in order


# 1.100 15-Jun-2002 dhartmei

Reset rulestate in parse_rules(), so consecutive calls (like from authpf)
will not fail. Reported by Chris Kuethe.


# 1.99 13-Jun-2002 kjell

Fix the numbering of scrub rules. pointed out and oked by frantzen@


# 1.98 12-Jun-2002 kjell

Fix uninitialized access. Spotted by danh@. This is a good reason to
develop with "ln -s 'J' /etc/malloc.conf" enabled.
ok henning@


# 1.97 11-Jun-2002 frantzen

split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@. the rest are slacking


# 1.96 11-Jun-2002 frantzen

SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@


# 1.95 11-Jun-2002 dhartmei

Make NAT proxy port range configurable per rule, for instance privileged
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@


# 1.94 10-Jun-2002 kjell

Merge the NAT and rules files into a single rulefile. Rules must be
in this order, to remove any ambiguity about what order things happen in:

scrub rules
nat rules
filter rules

The -N and -R modifiers go away. Rulefiles are now loaded with the
more POSIXly-correct '-f'

ok frantzen@


# 1.93 10-Jun-2002 dhartmei

Allow ports to be specified in nat rules, useful later on for individual
proxy port ranges.


# 1.92 10-Jun-2002 dhartmei

Move enum out of struct (gcc 3.1 wasn't happy), from David Krause


# 1.91 10-Jun-2002 kjell

split scrub rule processing into its own yacc target,
for imminent config file merge. ok frantzen@


# 1.90 09-Jun-2002 dhartmei

Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it
includes ports and operator.


# 1.89 09-Jun-2002 deraadt

spaced out developers...


# 1.88 09-Jun-2002 kjell

Add list parsing in RDR rules: e.g.

rdr on $IFLIST proto tcp from $SRC_LIST to $DST_LIST port 21 \
-> 127.0.0.1 port 8021

ok dhartmei@


# 1.87 08-Jun-2002 henning

nuke unused parameter af to expand_label_port
ok dhartmei@, pb@


# 1.86 08-Jun-2002 dhartmei

Change remaining read-only lookup tables to const, suggestion drahn@


# 1.85 08-Jun-2002 itojun

comment on IPv6 link-local twists


# 1.84 08-Jun-2002 kjell

add list expansion to src/dest in NAT rules. i.e.

nat on fxp0 from { 10.0.0.0/24, 10.0.1.0/24 } to \
{ 172.6.1.1, 172.14.1.2/32 } -> fxp0

ok theo, dhartmei@


# 1.83 08-Jun-2002 henning

remove macro concatenation via += per Theo's advice


# 1.82 08-Jun-2002 henning

allow macro concatenation like
webservers = "{ 10.0.0.1, 10.0.0.7, 10.0.0.8, "
webservers += " 10.0.0.17, 10.0.0.25, 10.0.0.37 }"
ok frantzen@, dhartmei@


# 1.81 08-Jun-2002 dhartmei

Make state timeouts configurable per rule, like

pass in from any to any port www keep state (tcp.established 60)

ok frantzen@


# 1.80 08-Jun-2002 henning

expand $nr -> rule number in rule labels
okay dhartmei@, frantzen@


# 1.79 08-Jun-2002 henning

expand $proto in rule labels
okay frantzen@ dhartmei@


# 1.78 07-Jun-2002 dhartmei

Handle realloc() failure gracefully. Terminates with err() anyway in this
case, but we don't want to trigger "p = realloc(p," grepping causing false
alarms here.


# 1.77 07-Jun-2002 deraadt

henning, read this to see what i mean by KNF


# 1.76 07-Jun-2002 pb

add the possibility to configure a TTL while return-rst

ok dhartmei@, ipv6 part itojun@ ok


# 1.75 07-Jun-2002 dhartmei

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@


# 1.74 07-Jun-2002 henning

allow using $srcaddr, $srcport, $dstaddr and $dstport in rule labels,
evaluated at parse time.
ok dhartmei@


# 1.73 07-Jun-2002 itojun

make IPv6 scope identification work for dst (from any to fe80::1%lo0)


# 1.72 07-Jun-2002 itojun

support scoped IPv6 address in from/to portion.


# 1.71 01-Jun-2002 hugh

ECN flag support for pf. Committed in consultation with Daniel.


# 1.70 24-May-2002 dhartmei

Support mixed (IPv4/v6) address lists, expand to all possible and valid
combinations. 'pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }' will
expand to two rules, 'from 10.1.2.3 to 10.4.5.6' and 'from ::1 to ::2'.
Also applies to host name resolution (when multiple addresses are returned
for one name). ok frantzen@, itojun@
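The list expansion described in this entry, together with the left-to-right ordering from rev 1.156 and the "error only when no combination is valid" behaviour from rev 1.108, as an added Python example (not pfctl's own C code). The source-outer/destination-inner nesting order is an assumption of this example; the page only states the order within one list.

```python
"""Added example, not code from pfctl: expansion of {} address lists in a
filter rule, following the behaviour described in the log entries above.

Everything here is constructed for illustration; parse.y does this in C.
"""
import ipaddress
from itertools import product


def address_family(addr):
    """Return 4 or 6 for an address or CIDR network, None for 'any'."""
    if addr == "any":
        return None
    return ipaddress.ip_network(addr, strict=False).version


def families_compatible(src, dst):
    """'any' goes with either family; otherwise both sides must agree."""
    af_src, af_dst = address_family(src), address_family(dst)
    return af_src is None or af_dst is None or af_src == af_dst


def expand_rule(action, srcs, dsts):
    """Expand one rule with source and destination lists into concrete rules.

    - lists are walked left to right (rev 1.156); the source list is the
      outer loop, which is this example's assumption, not stated on the page
    - only combinations with a matching address family are kept (rev 1.70)
    - a rule with no valid combination is an error (rev 1.108)

    Returns the rules numbered the way 'pfctl -v' prints them ('@0 ...').
    """
    rules = []
    for src, dst in product(srcs, dsts):
        if not families_compatible(src, dst):
            continue  # mixed IPv4/IPv6 pair: silently dropped
        rules.append(f"@{len(rules)} {action} from {src} to {dst}")
    if not rules:
        raise ValueError(
            f"{action} from {{ {', '.join(srcs)} }} to {{ {', '.join(dsts)} }}: "
            "no valid address family combination")
    return rules


if __name__ == "__main__":
    # the example from rev 1.70: two rules survive, the mixed pairs are dropped
    for line in expand_rule("pass in", ["10.1.2.3", "::1"], ["10.4.5.6", "::2"]):
        print(line)
```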


# 1.69 23-May-2002 deraadt

tiny KNF, some malloc checks, etc


# 1.68 23-May-2002 itojun

new_addr is not used from anywhere. daniel@benzedrine.cx ok


# 1.67 19-May-2002 deraadt

KNF


# 1.66 12-May-2002 dhartmei

Explain that user/group 'unknown' can only be used with operators = and !=
and refuse other constructs in the parser. Also note that 'user >= 0' does
not match forwarded packets with unknown user ID.


# 1.65 12-May-2002 dhartmei

Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.


# 1.64 10-May-2002 dhartmei

Handle host name resolution returning multiple addresses in the rule
parser (expand to every address). ok frantzen@


# 1.63 09-May-2002 jasoni

Add a max-mss option to the scrub rule which will enforce a maximum mss
by lowering it to the given value.
- ok dhartmei@, provos@


# 1.62 09-May-2002 dhartmei

Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.


# 1.61 24-Apr-2002 dhartmei

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).


# 1.60 23-Apr-2002 dhartmei

Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.


# 1.59 18-Apr-2002 deraadt

use strlcpy


# 1.58 17-Apr-2002 dhartmei

Reset lineno for each file, so pfctl -R ... -N ... reports the right
line number for non-first files. Reported by aaron@


Revision tags: OPENBSD_3_1_BASE
# 1.57 27-Mar-2002 mickey

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok


# 1.56 27-Feb-2002 dhartmei

Instead of printing useless @0 rule numbers from pfctl -vR, increase a
counter. Helps debugging rule sets that are not loaded. Suggested by
John Kerbawy.


# 1.55 11-Jan-2002 mickey

use bsearch() for keywords lookup, swap couple of entries to make the keywords array sorted and add a comment to keep it that way; dhartmei@ ok


# 1.54 10-Jan-2002 hugh

Let port 0 be specified as it's not special here.
Agreement with Daniel and others.


# 1.53 09-Jan-2002 mpech

Port must be >0 and <=65535. Idea while having fun with ssh.

dhartmei@ ok


# 1.52 09-Jan-2002 mpech

free() 'interface' in {nat,binat,rdr}rule

dhartmei@ ok


# 1.51 09-Jan-2002 dhartmei

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.


# 1.50 08-Jan-2002 dhartmei

Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.


# 1.49 07-Jan-2002 mpech

remove 3rd argument from ipmask(), not used.

dhartmei@ ok


# 1.48 23-Dec-2001 deraadt

find correct line number in lval, instead of val


# 1.47 10-Dec-2001 dhartmei

Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.


# 1.46 05-Dec-2001 dhartmei

Correctly parse hex numbers. Spotted by Claudio Jeker. Closes PR 2234.


# 1.45 03-Dec-2001 dhartmei

For nat, binat and rdr rules, don't allow different address families in
one rule. pf can't translate IPv4 <-> IPv6 packets. Such rules didn't work,
even if they were falsely accepted before.


# 1.44 26-Nov-2001 jasoni

add fastroute options similar to what is found in ipf
ok dhartmei@, frantzen@


# 1.43 05-Nov-2001 deraadt

no one responds.
this diff makes } and { not be part of symbols


# 1.42 24-Oct-2001 dhartmei

Check interface names using ifa0_lookup() and print error message for
non-existent interfaces (instead of the generic ioctl error returned by
the kernel in this case).


Revision tags: OPENBSD_3_0_BASE
# 1.41 15-Oct-2001 dhartmei

branches: 1.41.2;
Add 'allow-opts' to rules. Packets with IP options will be blocked by
default now, and can be allowed per rule. ok deraadt@


# 1.40 11-Oct-2001 frantzen

Don't htonl() past buffer bounds if ipmask == 128


# 1.39 07-Oct-2001 dhartmei

Add interface name to address translation to pfctl, document it and add
a regress test. Translation is done on rule set load-time only, so the
rule sets must be reloaded when an interface address changes.
parse.y patch from Cedric Berger. Similar patch from Jonathon Fletcher.
Thanks to both.


# 1.38 01-Oct-2001 markus

print variable assignments only if -v is given. ok dhartmei/deraadt


# 1.37 28-Sep-2001 dhartmei

Support underscores in macro names and document it in the man page.


# 1.36 20-Sep-2001 dhartmei

Fix uninitialized structure fields. Problem reported by Cedric Berger.


# 1.35 15-Sep-2001 wilfried

Implement return-icmp(number), return-icmp6(number)
Differentiate between return-icmp and return-icmp6,
icmp-type and ipv6-icmp-type. ok dhartmei@


# 1.34 15-Sep-2001 dhartmei

Fix 'binat ... to any ...' (binat.af wasn't set).


# 1.33 15-Sep-2001 dhartmei

Parse bug, found by wilfried@


# 1.32 15-Sep-2001 frantzen

IPv6 support from Ryan McBride (mcbride@countersiege.com)


# 1.31 12-Sep-2001 markus

check calloc() return value


# 1.30 06-Sep-2001 jasoni

- you can only binat between hosts
- add binat example and description


# 1.29 06-Sep-2001 jasoni

1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@


# 1.28 04-Sep-2001 dhartmei

Support parameter lists {} for interfaces in filter rules, like
pass in on { gm0, kue0 } from any to any


# 1.27 28-Aug-2001 markus

move '!' from host_list to host: "xhost : '!' host | host;"; ok dhartmei@


# 1.26 28-Aug-2001 markus

check for malloc/strdup == NULL


# 1.25 28-Aug-2001 dhartmei

Support ! operator in host parameter lists. Fixes PR system/2030. Reported
by Kamil Andrusz <wizz@mniam.net>.


# 1.24 26-Aug-2001 deraadt

sort keywords


# 1.23 25-Aug-2001 frantzen

PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation.


# 1.22 23-Aug-2001 millert

o for a port_item, initialize the "next" pointer to NULL
o for an address, use calloc() instead of malloc() so the struct is zeroed
Fixes a SEGV in pfctl due to uninitialized "next" pointers.


# 1.21 23-Aug-2001 deraadt

Support var="string". Expansion (at lex time) done using $var, for instance:
okproto="{ssh, smtp, domain, auth}"
pass in on key0 proto tcp from any to any port $okproto keep state
Can I ask someone else to document this in pf.conf(5)?


# 1.20 19-Aug-2001 dhartmei

Add parameter list support to parser. Handles lists for protocol, hosts
and ports in filter rules, like

block in from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
pass in proto tcp from any to any port { ssh, 1024 >< 2000, > 65000 }
block in proto { udp, igmp }

and does rule expansion (generate all needed rule combinations).


# 1.19 16-Aug-2001 deraadt

track the line number per-token, so that we can report errors correctly


# 1.18 14-Aug-2001 mickey

optimize the flags parsing; markus@ ok


# 1.17 11-Aug-2001 deraadt

\+\n support, and spit out cc-style error messages. the parser's line
counting is lex dependent, and will need to be tweaked


# 1.16 31-Jul-2001 wilfried

allow to test that flags are unset, ok dhartmei@, mickey@


# 1.15 19-Jul-2001 krw

Fix/complete the handling of the binary ops >< and <> to behave
like the ipf operators.

The 'n >< m' construct (Include Range = PF_OP_IRG) should match
ports greater than n and less than m, not greater than or equal to
n and less than or equal to m.

The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match
all ports less than n OR greater than m, not be treated as an
alias for ><.

Thus PF_OP_GL, which was used for both <> and >< is replaced with
PF_OP_IRG and PF_OP_XRG with the 'correct' semantics.

OK dhartmei@


# 1.14 18-Jul-2001 markus

new ERROR token, errx() -> warnx() + ERROR; ok deraadt@


# 1.13 18-Jul-2001 markus

KNF for return


# 1.12 18-Jul-2001 mickey

check number range to fit in 32 bits


# 1.11 18-Jul-2001 mickey

put range checks on NUMBER, pointed out by deraadt


# 1.10 17-Jul-2001 mickey

spaces, parens, err instead of errx+strerror


# 1.9 17-Jul-2001 markus

warnx()/YYERROR instead of errx(); suggested by mickey@


# 1.8 17-Jul-2001 provos

markus doesn't like min-ttl =, begone


# 1.7 17-Jul-2001 provos

support min-ttl, okay dhartmei@


# 1.6 17-Jul-2001 provos

normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@


# 1.5 17-Jul-2001 marc

bitch about ! in pf rule; ok dhartmei@ and markus@


# 1.4 17-Jul-2001 millert

Only set default proto in the rdr case; markus@ OK


# 1.3 16-Jul-2001 markus

errx() if getservbyname() fails


# 1.2 16-Jul-2001 markus

better flags parsing; dhartmei


# 1.1 16-Jul-2001 markus

add a yacc parser for pf.conf and nat.conf, with help from mickey@,
plus: -n now turns off all operations, and just parses the conf files
ok deraadt@


# 1.708 12-Jan-2021 bluhm

Sometimes a user ID was logged in pflog(4) although the logopt of
the rule did not specify it. Check the option again for the log
rule in case another rule has triggered a socket lookup. Remove
logopt group, it is not documented and cannot work as struct pfloghdr
does not contain a gid. Rename PF_LOG_SOCKET_LOOKUP to PF_LOG_USER
to express what it does. The lookup involved is only an implementation
detail.
OK kn@ sashan@ mvs@


# 1.707 16-Dec-2020 kn

Fail to parse rules with invalid ranges

This makes pfctl(8) detect bogus ranges (with and without `-n') before
loading the ruleset and completes the previous commit.

OK sashan sthen


# 1.706 16-Dec-2020 kn

Reject rules with invalid port ranges

Ranges where the left boundary is bigger than the right one are always bogus
as they work like `port any' (`port 34<>12' means "all ports") or in way
that inverts the rule's action (`pass ... port 34:12' means "pass no port at
all").

Add checks for all ranges and invalidate those that yield no or all ports.

For this to work on redirections, make pfctl(8) pass the range's type,
otherwise boundary including ranges are not detected as such; that is to
say, `struct pf_pool's `port_op' member was unused in the kernel so far.

`rdr-to' rules with invalid ranges could panic the kernel when hit.
Reported-by: syzbot+9c309db201f06e39a8ba@syzkaller.appspotmail.com

OK sashan
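The port range operators defined in rev 1.15 (`><` and `<>` with their exclusive semantics) and the bogus-range rejection from this entry, as an added Python example that is not pfctl's own code. The PF_OP_* names are pf's own (pfvar.h); the concrete "no or all ports" tests in range_is_bogus() and the parse_port_spec() helper are this example's reading of the log, and the port bounds follow revs 1.53 and 1.54.

```python
"""Added example, not code from pfctl: the port range operators from
rev 1.15 and the bogus-range rejection from rev 1.706, written in Python.

The PF_OP_* names are pf's own (pfvar.h); the emptiness tests in
range_is_bogus() are this example's reading of 'yield no or all ports'.
"""
import re

PF_OP_RRG = ":"    # a:b   inclusive range, a <= port <= b
PF_OP_IRG = "><"   # a><b  include range,  a <  port <  b   (rev 1.15)
PF_OP_XRG = "<>"   # a<>b  exclude range,  port < a or port > b (rev 1.15)

_SPEC = re.compile(r"^\s*(\d+)\s*(:|><|<>)\s*(\d+)\s*$")


def port_matches(op, a, b, port):
    """Evaluate one range operator against a port number."""
    if op == PF_OP_RRG:
        return a <= port <= b
    if op == PF_OP_IRG:
        return a < port < b
    if op == PF_OP_XRG:
        return port < a or port > b
    raise ValueError(f"unknown operator {op!r}")


def range_is_bogus(op, a, b):
    """Return why a range is invalid (matches no or all ports), else None.

    From rev 1.706: 'port 34<>12' is every port, 'port 34:12' is no port
    at all. 'a><b' with b - a < 2 leaves no port strictly between a and b.
    """
    if op == PF_OP_RRG and a > b:
        return "matches no port"
    if op == PF_OP_IRG and b - a < 2:
        return "matches no port"
    if op == PF_OP_XRG and a > b:
        return "matches all ports"
    return None


def parse_port_spec(spec):
    """Parse 'a:b', 'a><b' or 'a<>b' the way a 'pfctl -n' check would,
    rejecting out-of-range ports and bogus ranges.

    Port 0 is allowed (rev 1.54); the upper bound is 65535 (rev 1.53).
    """
    m = _SPEC.match(spec)
    if not m:
        raise ValueError(f"syntax error in port spec {spec!r}")
    a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
    for p in (a, b):
        if not 0 <= p <= 65535:
            raise ValueError(f"port {p} out of range")
    reason = range_is_bogus(op, a, b)
    if reason:
        raise ValueError(f"invalid port range {spec!r}: {reason}")
    return op, a, b


if __name__ == "__main__":
    # constructed specs: the first two are the examples quoted in rev 1.706
    for spec in ("34<>12", "34:12", "1024 >< 2000", "12<>34"):
        try:
            print(spec, "->", parse_port_spec(spec))
        except ValueError as e:
            print(spec, "->", e)
```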


# 1.705 07-Dec-2020 sashan

synproxy should be processing incoming SYN packets only.
issue noticed by sthen@. fix discussed with bluhm@ and procter@

OK bluhm@, kn@, procter@


# 1.704 01-Oct-2020 kn

rdomain IDs do not need to exist for "on rdomain N" to work

Unlike "... rtable N", pf.conf(5)'s "on rdomain N" does not alter packet
state and will always work no matter if rdomain N currently exists or not,
i.e. the rule "pass on rdomain 42" will simply match (and pass) packets if
rdomain 42 exists, and it will simply not match (neither pass nor block)
packets if 42 does not exist.

There's no need to reload the ruleset whenever routing domains are created
or deleted, which can already be observed now by creating an rdomain,
loading rules referencing it and deleting the same rdomain immediately
afterwards: pf will continue to work as expected.

Relax both pfctl(8)'s parser check as well as pf(4)'s copyin routine to
accept any valid routing domain ID without expecting it to exist at the time
of ruleset creation - this lifts the requirement to create rdomains before
referencing them in pf.conf while keeping pf behaviour unchanged.

Prompted by yasuoka's recent pfctl parse.y r1.702 commit requiring an rtable
to exist upon ruleset creation.

Discussed with claudio and bluhm at k2k20.

Feedback sashan
OK sashan yasuoka claudio


Revision tags: OPENBSD_6_8_BASE
# 1.703 17-Sep-2020 yasuoka

Fix the previous commit whose conditions were reversed.

ok kn


# 1.702 17-Sep-2020 yasuoka

Make pfctl(8) check if the rtable really exists when parsing the
config. work with and diff from kn

ok kn


Revision tags: OPENBSD_6_7_BASE
# 1.701 28-Jan-2020 bket

sbin/pfctl: replace TAILQ concatenation loop with TAILQ_CONCAT

OK kn@, sashan@, florian@


# 1.700 15-Jan-2020 kn

Do the actual pfr_strerror() to pf_strerror() rename

Missed in previous


# 1.699 17-Oct-2019 millert

Use -1 to indicate an invalid uid/gid, not UID_MAX and GID_MAX.
This is the userland portion. OK deraadt@ sashan@


Revision tags: OPENBSD_6_6_BASE
# 1.698 26-Aug-2019 tobhe

Fix file descriptor leak due to popfile() never closing the main config file.

The fix is the same as for other parse.y files in the tree (see bgpd(8) or
unwind(8))

ok bluhm@


# 1.697 05-Jul-2019 patrick

Fix integer sizes in format strings and enable formatting warnings
for yyerror.

From Moritz Buhl
ok bluhm@ claudio@


# 1.696 08-May-2019 sashan

pfctl should check pfctl.astack is not overrun
(bug found and fixed by Petr Hoffmann _at_ oracle.com)

OK kn@


# 1.695 18-Apr-2019 kn

Fix table definition parsing as unprivileged user

revision 1.689 introduced warn_duplicate_tables() unconditionally, breaking
the parser on tables with insufficient permissions to open pf(4):

$ echo 'table <t>' | pfctl -nf-
pfctl: pfr_get_tables: Bad file descriptor

So simply check whether pfctl is able to get the table list first. If not,
instead of silently avoiding namespace collision checks, print a brief
notice iff `-v' is given to help finding duplicate definitions by hand:

$ echo 'table <t>' | ./obj/pfctl -vnf-
table <t>
stdin:1: skipping duplicate table checks for <t>

Reported by Rivo Nurges, thanks!
OK benno sashan


Revision tags: OPENBSD_6_5_BASE
# 1.694 06-Mar-2019 kn

Fix once rules

parse.y revision 1.682 from 16.07.2018 erroneously allowed `match once' and
`anchor "a" once'.

Fix both by checking for PF_DROP not PF_MATCH and creating anchors in the
parser already such that they can be used to distinguish anchor rules in
the same check as well.

Found and fixed by Petr Hoffmann <petr.hoffmann at oracle dot com>, thanks!

While here, remove an unneeded cast and make pfctl_add_rule() void as it
always returned 0.

OK sashan


# 1.693 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.692 10-Feb-2019 kn

Anchor names must not be empty

The parser would allow bogus input and sometimes even produce invalid rules
on empty anchor names, so error out immediately.

OK sashan


# 1.691 10-Feb-2019 kn

Unify anchor name sanity checks

For anchor names, make `load anchor' use the same grammar as `anchor' and
merge unique checks from both places so that anchor names are validated
regardless of the specific rule at hand.

OK sashan


# 1.690 31-Jan-2019 kn

Make divert-packet port accept any port specification

Contrary to other rules accepting a single port, this one only works with
numerical values. Fix it by simply using the proper grammar.

Port ranges are not accepted, but an error message on a range without start
was missing in general, so add it while here.

OK bluhm


# 1.689 11-Jan-2019 kn

When creating tables inside anchors, pfctl warned about namespace
collisions with global tables, but only in certain cases and with
limited information sometimes leaving users clueless.

Deferring the check to process_tabledefs() where tables are eventually
created, both anchor and table name are known which allows for checking
all existing anchors.

With this, warn on all duplicates even in dry-runs (`-n') and print
quoted names so they can be copied to fix configurations right away.

No functional change in parsing or ruleset production.

Discussed with and OK sashan


# 1.688 15-Nov-2018 dlg

scrub opts don't set tos, so remove it from the scrub_opts struct

ok deraadt@


# 1.687 10-Nov-2018 kn

Unbreak `-D macro=value' (r1.686 regression)

Zap trailing semicolon introduced with miko's cmdline_symset() leading to
unconditional err(3). Zap trailing tab while here.


# 1.686 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.685 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.684 16-Sep-2018 millert

Use uid_from_user(3) and gid_from_group(3) in utilities that
do repeated lookups. OK tb@


# 1.683 06-Sep-2018 kn

Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan


# 1.682 16-Jul-2018 kn

reduce duplicate code, fix typo/free correct buffer

In filteropts_to_rule():

* Merge `once' handling from `anchorrule' and `pfrule'
* Remove/shorten duplicate code block
* Fix typo I introduced with r1.678 that frees the wrong buffer (twice)

OK sashan


# 1.681 13-Jul-2018 kn

Fix regression on child queue definitions

I committed the wrong diff in 1.680 which turned `queue cq parent pq ...'
into invalid syntax by changing `interface' to `ON if_item'.

Found by bket, thanks!


# 1.680 11-Jul-2018 kn

Prevent invalid interface specifiers on queue rules

pf.conf(5) states that queues attach to actual interfaces only, yet the
following parses:

# echo queue eq on egress bandwidth 1G default | pfctl -f-
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

# echo queue rq on rdomain 0 bandwidth 1G default | pfctl -vf-
queue rq bandwidth 1G default
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

On rdomains, ifa_exists() returns NULL.
On interface groups, ifa_exists() returns non-NULL but af is never set
to AF_LINK.

OK henning sashan


# 1.679 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.678 10-Jul-2018 henning

'set delay' for the generic packet delay mechanism, ok benno sashan


# 1.677 10-Jul-2018 kn

fix anchor rules with filter opts, introduce filteropts_to_rule()

Some filter options were parsed but not set on anchor rules due to missing
copies of the respective struct members:

$ cat pf.conf
queue rq on trunk0 bandwidth 1G
queue dq parent rq bandwidth 1G default
anchor a set queue dq
$ pfctl -vnf pf.conf | fgrep queue
anchor "a" all

Fix this by moving common code from `anchorrule' and `pfrule' into a new
helper filteropts_to_rule().

Input from henning and benno
OK henning sashan jca


# 1.676 09-Jul-2018 kn

Zap dead code

Commented since r1.465 (2004).

OK deraadt benno jca sashan


# 1.675 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.674 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.673 18-May-2018 benno

A pf rule with a "on rdomain n" with nonexisting rdomain n will cause an

pfctl: DIOCADDRULE: Device busy

error when loading the ruleset, with no information which rule caused
the problem and no indication that the problem is the rdomain
<nonexisting>.

This diff makes pfctl check if the rdomain really exists when parsing
the config.

ok bluhm@


# 1.672 09-May-2018 otto

Fix (include file) line number counting by keeping track of the unget
buffer per file; also use that buffer to expand macros.
ok sashan@ dennis@ krw@


# 1.671 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.670 08-Feb-2018 henning

make the watermarks/thresholds for entering and leaving syncookie mode when
syncookies are set to adaptive tunable, ok claudio benno


# 1.669 06-Feb-2018 henning

allow control over syncookies: set syncookies never/always/adaptive


# 1.668 28-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@


# 1.667 27-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Convert the pfctl(8) rule parser to divert types, kernel cleanup
will be the next step.
OK sashan@


# 1.666 25-Nov-2017 sashan

- pfctl fails to handle nested 'load anchor' properly
[ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]

OK bluhm@


# 1.665 14-Nov-2017 sashan

- nested anchors vs. pfctl/parse.y
bug reported and fix tested by Leonardo Guardati

OK bluhm@


# 1.664 13-Nov-2017 henning

add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb


Revision tags: OPENBSD_6_2_BASE
# 1.663 11-Aug-2017 benno

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@


# 1.662 19-Jul-2017 mikeb

Allow HFSC classes to use flow queues

The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue. Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.

Discussed with and OK henning@ at d2k17 as a part of a larger diff.


# 1.661 19-Jul-2017 mikeb

Rework HFSC vs FQ-CoDel checks

The selection mechanism introduced in pf_ioctl.c -r1.316 suffers
from being too ambiguous and lacks robustness. Instead of relying
on composition of multiple flags in the queue specification, it's
easier to identify the root class (if it exists) and derive all
further checks from it.


# 1.660 28-May-2017 akfaew

Don't check np->port for NULL - it's an array, it's never NULL.

OK bluhm@


# 1.659 15-May-2017 mikeb

Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)

OK sthen, visa


# 1.658 28-Apr-2017 mikeb

Remove double assignments


Revision tags: OPENBSD_6_1_BASE
# 1.657 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.656 23-Nov-2016 bluhm

Explicitly forbid to combine af-to with route-to in pfctl. The
parser cannot handle that correctly and it is unclear whether the
kernel code would work. Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@


# 1.655 26-Aug-2016 guenther

Add <time.h> for time(); sort <*.h> includes

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.654 18-Jul-2016 henning

g/c unused (global!) var: oqueues isn't used any more. ALTQ leftover; not
noticed since struct node_queue stayed. ok claudio benno gcc


# 1.653 22-Jun-2016 kettenis

Add curly braces that were missed in rev 1.651. Add parenthesis to make the
condition in the if statement more readable while I'm there.

ok phessler@, benno@, florian@


# 1.652 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.651 21-Jun-2016 benno

the manpage documents that af-to does not work on pass out rules, but
the pf.conf parser allows it, which leads a non working configuration
being loaded.
this changes the parser to make pass out .. af-to an error.

ok henning@ mikeb@


# 1.650 16-Jun-2016 henning

allow include in inline anchors
with this,
anchor foo {
include "/path/to/rules"
}
works and "load anchor" is obsolete, to be removed somewhen later after
release.
co-production with reyk at bsdcan, ok reyk mikeb benno sasha


Revision tags: OPENBSD_5_9_BASE
# 1.649 01-Sep-2015 sashan

- route-to, dup-to, reply-to should not override the block action

Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>

ok jung@, ok mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.648 21-Apr-2015 mikeb

Improve divert-to specification parsing w.r.t. rule address family.
ok henning


Revision tags: OPENBSD_5_7_BASE
# 1.647 26-Feb-2015 sthen

%% not % in error message; ok millert@ henning@


# 1.646 14-Feb-2015 sthen

Rather than using 0xff as a placeholder for "don't check prio", use 0xff to
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.

Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesnt like it he can change it when he recovers from jet-lag"


# 1.645 10-Feb-2015 henning

since we inherit prio (as in, the queuing priority) from outside sources,
i. e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan


# 1.644 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.643 19-Dec-2014 reyk

Support source-hash and random with tables and dynifs; not just pools.
This finally allows to use source-hash for dynamic loadbalancing, eg.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.

An older pre-siphash version of this diff was tested by many people.

OK tedu@ benno@


# 1.642 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.641 27-Oct-2014 mikeb

Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic. Reported by sthen@;
ok henning benno sthen


# 1.640 25-Oct-2014 lteo

Remove unnecessary netinet/in_systm.h include.

ok millert@


# 1.639 13-Sep-2014 doug

Replace all queue *_END macro calls except CIRCLEQ_END with NULL.

CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.

ok millert@


# 1.638 23-Aug-2014 pelikan

when you specify queues in a rule, make sure they have been defined.

DIOCADDRULE EBUSY turns into an error message that pfctl -n catches.
DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported
to occur, possibly from hfsc.c: this should be fixed as well.

ok henning mikeb sthen


# 1.637 21-Aug-2014 mikeb

deny "once" flags for match rules; ok henning


Revision tags: OPENBSD_5_6_BASE
# 1.636 02-Jul-2014 mikeb

branches: 1.636.4;
condition above makes this part of the check useless;
overlooked in the previous commit


# 1.635 30-Jun-2014 mikeb

Merge two loops in collapse_redirspec into one

This lets us do the checks only once and also make smarter decisions
about the rule's own address family. As a result af-to rules no longer
need to specify the address family after 'pass'.

ok henning


# 1.634 25-Jun-2014 mikeb

Make stricter decisions when handling translation specifications.

In particular, disallow specifications containing addresses of
different address families when rule doesn't specify one, for
example "pass out nat-to { ::1 1.1.1.1 }" will now produce an
error instead of silently picking one of the addresses.

sthen and deraadt agree


# 1.633 17-May-2014 bluhm

When parsing a numerical value for the TOS bits, make sure that it
is in a valid range.
OK henning@


# 1.632 19-Apr-2014 henning

remove altq bits here, too
(i was convinced i committed that yesterday already, hrm)


Revision tags: OPENBSD_5_5_BASE
# 1.631 22-Jan-2014 henning

branches: 1.631.4;
relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.630 21-Jan-2014 henning

if_item can be "any" now.
allows things like
block out on $someif received-on any
to prevent packets to get forwarded to $someif


# 1.629 20-Jan-2014 henning

support "!received-on <interface>", ok dlg benno


# 1.628 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.627 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


# 1.626 17-Oct-2013 henning

cannot have queue definitions inside anchors.
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@@ring0.de>, analysis & fix yours truly


# 1.625 12-Oct-2013 henning

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen


# 1.624 01-Aug-2013 mikeb

Provide local implementations of if_nametoindex(3) and if_indextoname(3)
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance wise this change provides a speed up
factor of 20 with a 11k line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).

"wow!" henning, ok benno, florian


Revision tags: OPENBSD_5_4_BASE
# 1.623 01-Jun-2013 henning

branches: 1.623.2;
remove set-tos backwards compat, moved into the set {} block a year ago
ok ryan


# 1.622 02-Mar-2013 sthen

When a PF rule contains 'set tos' *followed by* a scrub option, the tos
value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning


Revision tags: OPENBSD_5_3_BASE
# 1.621 16-Jan-2013 henning

for consistency with prio etc, the queue assignment really belongs
into the set block. so make pfctl accept, print and the manpage document
. match set queue foo
instead of
. match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc


# 1.620 18-Oct-2012 reyk

Disallow tables and interface address pools for rdr-to, nat-to and
route-to with any other scheduling algorithms than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, eg. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.

Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.

ok zinke@


# 1.619 18-Sep-2012 henning

prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb


Revision tags: OPENBSD_5_2_BASE
# 1.618 10-Jul-2012 bluhm

Allow an implicit address family for af-to rules. If the address
family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6"
there.
OK henning@ mikeb@


# 1.617 10-Jul-2012 henning

set { ... } -> set ( ... )
brought up by ryan, discussed with him and theo and they convinced me


# 1.616 09-Jul-2012 henning

fix some of the confusion we have in pf regarding filter criteria vs
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler


# 1.615 07-Jul-2012 henning

remove incorrect check in pfctl preventing set-tos for ipvshit.
the kernel has code to deal with set-tos and that crap. don't ask for
details. stuart ok


# 1.614 07-Jul-2012 henning

rename prio in struct pf_rule and related structs to set_prio so it is
utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc


Revision tags: OPENBSD_5_1_BASE
# 1.613 19-Dec-2011 mikeb

unbreak rule optimizer; ok henning, looks


# 1.612 12-Dec-2011 mikeb

fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault


# 1.611 03-Dec-2011 mcbride

pfctl_set_hostid always returns 0; don't pretend otherwise and make it a
void function instead.

ok dlg


# 1.610 13-Oct-2011 claudio

pfctl change for af-to / NAT64 support.
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@


# 1.609 07-Sep-2011 haesbaert

Avoid possible SIGSEGV when wrong tos option.


# 1.608 30-Aug-2011 mikeb

One shot rules can be used in pf.conf by specifying a "once" filter option.

ok henning, mcbride


Revision tags: OPENBSD_5_0_BASE
# 1.607 29-Jul-2011 mcbride

Remove requirement to quote 'debug' loglevel for the 'debug' option.

ok henning


# 1.606 27-Jul-2011 mcbride

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with a some minor cleanup.
ok henning claudio deraadt


# 1.605 13-Jul-2011 mcbride

Force user to specify protocol when filtering on user, gid, and os
attributes (this is now required by pf_rule_test()).

ok sthen henning


# 1.604 08-Jul-2011 henning

allow rules to specify "prio X" or "prio (X, Y)" to assign priority levels
for the new priority queueing implementation. valid range is 0 to 7. the old
trick for prioritizing empty ACKs etc remains thru the latter notation
ok ryan mpf sthen plus pea testing and halex and claudio reading


# 1.603 07-Jul-2011 mcbride

Fold pf_test_fragment() into pf_test_rule(), reduce code and fixes
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus


# 1.602 04-Jul-2011 henning

bye bye require-order.
i added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo


# 1.601 03-Jul-2011 henning

g/c RIO traces (aka clean up after tedu :))


# 1.600 03-Jul-2011 zinke

bring in least-states load balancing algorithm

ok mcbride@ henning@


# 1.599 06-Apr-2011 claudio

Userland bits to allow PF to filter on the rdomain a packet belongs to.
This allows to write rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@


# 1.598 05-Apr-2011 mikeb

ditch fastroute, an ipf feature that made its way into pf before
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do. reuse some kernel bits for the upcoming nat64
stuff. "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.


Revision tags: OPENBSD_4_9_BASE
# 1.597 31-Dec-2010 bluhm

According to pf_scrub_ip6() pf does not support the scrub options
no-df, random-id, set-tos for IPv6 rules. Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@


# 1.596 15-Dec-2010 henning

make the "invalid probability:" yyerror suck less
From: Thomas Pfaff <tpfaff@tp76.info>


# 1.595 01-Dec-2010 jsg

remove some unused tokens
ok henning@ mcbride@


# 1.594 24-Sep-2010 henning

remove the check that enforced rdr-to only inbound and nat-to only outbound.
both now can be used in both directions. the kernel allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given, a rule with rdr-to and/or nat-to
and no direction is pretty certainly an error (which it would work,
technically)
ok ryan claudio dlg


# 1.593 22-Sep-2010 henning

new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually


# 1.592 02-Sep-2010 sobrado

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@


Revision tags: OPENBSD_4_8_BASE
# 1.591 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.590 03-Jul-2010 mcbride

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.

tested by phessler
ok henning


# 1.589 23-Mar-2010 henning

remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving anchors aside) is wrong and
conflicts with the general idea of how pf works. last not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc


Revision tags: OPENBSD_4_7_BASE
# 1.588 13-Jan-2010 deraadt

Move tokens before productions into more consistent places
ok mcbride


# 1.587 13-Jan-2010 mcbride

Allow /netmask notation in redir spec, fix the rest of the regress
tests for illegal conditions in translation/routing.


# 1.586 12-Jan-2010 mcbride

We actually have to keep the translate/route spec addresses around after
collapsing into tables, so that we can handle all possible address family
expansions.


# 1.585 12-Jan-2010 mcbride

Set roundrobin flag correctly, and don't treat a bare interface
like a dynamic one in the routespec.


# 1.584 12-Jan-2010 mcbride

Add restrictions to make @if illegal outside of routing specs;
Fix binat-to sanity checks.


# 1.583 12-Jan-2010 mcbride

Fix some issues in redir spec handling, discovered thanks to dlg testing
- purge irrelevant addresses from the lists before collapsing
- ensure the lists are freed after they're collapsed
- more careful ifname copying, avoiding double-free / use-after-free traps


# 1.582 12-Jan-2010 mcbride

Don't leak @if0 format routing host names, pointed out by claudio.


# 1.581 12-Jan-2010 mcbride

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio


# 1.580 10-Jan-2010 deraadt

lex <=, >=, and != into a single token for correctness and to reduce the
lookahead in the parser
ok henning otto


# 1.579 10-Jan-2010 deraadt

In the non-optimized case, an address list containing "any" (ie. { any 10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1. How long this bug has
been with us is unclear.
ok guenther mcbride


# 1.578 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified not arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


# 1.577 24-Dec-2009 dlg

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:

pass out on em0 from $foo to $bar received-on fxp0

ive been running this in production for a week now. i find it particularly
useful with interface groups.

no objections, and a few "i like"s from henning, claudio, deraadt, mpf


# 1.576 10-Dec-2009 deraadt

plug some memory leaks; found by parfait, ok henning


# 1.575 22-Nov-2009 henning

cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing


# 1.574 09-Nov-2009 jsg

A few more places to be updated for the route pool change.
expanded version of a diff from Vadim Zhukov.

ok henning@ claudio@


# 1.573 28-Oct-2009 jsg

Add a dedicated pf pool for route options as suggested by henning,
which unbreaks i.e. route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@


# 1.572 28-Oct-2009 claudio

route_host initializes the netmask to a /128 no matter what af is used so
that the load balancing code does not freak out but because of this
check_netmask() is now complaining. So set the addr.type to PF_ADDR_DYNIFTL
so check_netmask() is fixing up the netmask for IPv4 and stops complaining.
This is a partial fix for the failing regress test 13.
found with jsg, looks good henning


# 1.571 28-Oct-2009 claudio

Correct function name in err and errx.


# 1.570 04-Oct-2009 michele

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who pointed out the limitations of this approach.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@


# 1.569 08-Sep-2009 michele

I had not enough oks to commit this diff.
Sorry.


# 1.568 08-Sep-2009 michele

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.


# 1.567 07-Sep-2009 reyk

implement binat-to as a macro-like rule: a rule using the new binat-to
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. this simplifies the migration from old
binat rules and is less error-prone.

feedback from many, manpage bits from jmc@
ok henning@


# 1.566 03-Sep-2009 reyk

this time i commit the right diff that was
ok henning@ (sorry)


# 1.565 03-Sep-2009 reyk

fix two route-to vs. rdr-to conflicts.

found by sthen@
ok henning@


# 1.564 02-Sep-2009 reyk

all the new *-to options are part of the "filteropts" section at the
end of a pf rule (nat-to, divert-to, rdr-to, ...). take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.

for example,
pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)

many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@


# 1.563 01-Sep-2009 henning

the diff theo calls me insane for:
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too


# 1.562 28-Jul-2009 claudio

Bring back rev. 1.560:
Make it possible to use DiffServ Code Point in the TOS fields.
Requested by deraadt@


# 1.561 27-Jul-2009 deraadt

When will people learn to commit their .h file changes?


# 1.560 27-Jul-2009 claudio

Make it possible to use DiffServ Code Point in the TOS fields. Names like
af11, cs6 and ef will now be mapped to the corresponding TOS value.
OK henning@, sthen@, mcbride@


Revision tags: OPENBSD_4_6_BASE
# 1.559 14-May-2009 sthen

actually change the require-order default to No; I missed a part with
my last commit. ok deraadt@


# 1.558 26-Apr-2009 sthen

switch the require-order default to "no". regression tests still pass.
ok henning@ deraadt@


# 1.557 25-Apr-2009 henning

scrub_opts must not be empty, scrub on its own does nothing.
noticed due to a question from otto@, ok regress/sbin/pfctl/ ;)


# 1.556 06-Apr-2009 henning

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. as opposed to pass or block, they do NOT change the
pass/block state of a packet. i.e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i.e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.


Revision tags: OPENBSD_4_5_BASE
# 1.555 19-Feb-2009 deraadt

spacing


# 1.554 17-Oct-2008 henning

in findeol(), do not skip the pushback buffer. fixes PR 5952 by sthen@ and
should make the pushback buffer really transparent.
diagnosis by me, fix with mpf, some input deraadt, ok mpf


# 1.553 02-Oct-2008 henning

implement "set state-defaults X", where X is a list of state options as
permitted keep state(X). applies to all rules which do not have keep state
explicitly. e.g. "set state-defaults pflow, no-sync"
ok phessler deraadt


# 1.552 10-Sep-2008 deraadt

do not try to print $$ when it has not been set


# 1.551 09-Sep-2008 henning

welcome pflow(4), a netflow v5 compatible flow export interface.
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo


# 1.550 07-Aug-2008 henning

correctly copy the log interface spec when expanding an antispoof rule that
covers loopback addresses. ok ryan
problem report from Harald Dunkel <harald.dunkel@aixigo.de>


Revision tags: OPENBSD_4_4_BASE
# 1.549 03-Jul-2008 deraadt

do not forget to initialize the other members of $$ in qname; noted by mark shroyer
ok henning


# 1.548 10-Jun-2008 mcbride

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt


# 1.547 10-Jun-2008 henning

new state option "sloppy" to use the sloppy tcp state tracker instead
of the good one. ok theo ryan reyk


# 1.546 09-May-2008 deraadt

Replace a crockpot of semi-cloned productions for handling port
numbers with one, and fix a few other bugs along the way
ok mpf henning


# 1.545 09-May-2008 markus

convert port byte order in the production; add port keyword; ok deraadt@


# 1.544 09-May-2008 markus

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@


# 1.543 08-May-2008 deraadt

make "to any" optional in binat, or well, the implied default.
requested by reyk, ok reyk mpf


# 1.542 08-May-2008 deraadt

Loosen grammar to permit any number of newlines within most kinds of { }
blocks, as requested by reyk; ok reyk mpf henning


# 1.541 08-May-2008 deraadt

Bring back (in a more yacc friendly way) support for setting variables
to a sequence of strings and numbers, which get folded together into one
string (and later, when used, is re-lexed)
ok mpf


# 1.540 07-May-2008 deraadt

do not assume PF_INOUT is 0 in the enum; ok mcbride


# 1.539 07-May-2008 markus

scrub packets based on tags; ok henning


# 1.538 07-May-2008 markus

allow setting TOS with scrub; ok mcbride, claudio


# 1.537 21-Apr-2008 deraadt

optnl is a crutch for those who do not understand yacc. it
leads to a variety of errors; ok mcbride


Revision tags: OPENBSD_4_3_BASE
# 1.536 01-Feb-2008 mcbride

Enable the rest of the filter_opts to be used on anchors. These were accepted
by the parser but not passed to the kernel. This allows filtering based on
uid, gid, icmp options, tcp flags, os fingerprint, tos, tags, and probability;
It also allows the label to be set. State options and tagging are not
permitted.

ok henning mpf


# 1.535 13-Nov-2007 mpf

Bring back the number converter for 'set hostid'.
I forgot to think about hex numbers when I removed it.
OK deraadt@


# 1.534 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.533 25-Oct-2007 mpf

Fix probability rules w/ numbers (e.g. probability 0.4).
Add support for probabilities of 0% and 100%.
With and OK deraadt@


# 1.532 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.531 22-Oct-2007 deraadt

pfctl does not need file secrecy


# 1.530 16-Oct-2007 mpf

Allow unquoted numbers in variables.
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.

OK deraadt@


# 1.529 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.528 13-Oct-2007 deraadt

support an include directive; file of course must also be "secure" like
the main configuration file; ok henning


# 1.527 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.526 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.525 01-Oct-2007 mpf

Backout NUMBER to string conversion.
Requested by deraadt@


# 1.524 27-Sep-2007 mpf

Add loginterface support for groups.
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.

OK henning@, markus@


# 1.523 23-Sep-2007 mpf

Allow numbers to be used as unquoted strings again.
While there, also restrict the use of concatenated, unquoted
strings for variable assignments only.

Eyeballed by markus@, OK henning@


# 1.522 12-Sep-2007 deraadt

add a missing range check for rtable ids; ok cloder henning


# 1.521 12-Sep-2007 deraadt

Add support to the lex for parsing numbers out of the stream. handle
this in the parser. because the new numbers are int64_t, many new
range checks for < 0 are needed. re-check and improve all the
existing rangechecks while at it. thanks for help by cloder and
dhartmei


# 1.520 30-Aug-2007 dhartmei

add support for address ranges ("from 10.1.2.50 - 10.1.3.75") in from/to
criteria. ok mcbride@


Revision tags: OPENBSD_4_2_BASE
# 1.519 21-Jun-2007 henning

always initialize logif, from max laier, ok ryan


# 1.518 20-Jun-2007 mpf

Allow "log" for nat rules without "pass".
OK henning@, ``passt scho'' markus@


Revision tags: OPENBSD_4_1_BASE
# 1.517 03-Feb-2007 dhartmei

in decide_address_family(), only limit a rule to a specific address family
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@


# 1.516 07-Nov-2006 mcbride

Unbreak authpf by handling non-inline anchors separately from the { } anchors
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.

ok deraadt@


# 1.515 31-Oct-2006 mcbride

Allow pfctl ruleset optimizer to be controlled from the ruleset.

"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]

You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.

cleanup and ok henning@


# 1.514 31-Oct-2006 mcbride

- don't allow anchors with _* names to be cleared or loaded from the
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified

'looks sensible' deraadt@


# 1.513 28-Oct-2006 mcbride

Load all rules into memory before loading into the kernel, and add support
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").

anchor on fxp0 {
pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@


# 1.512 25-Oct-2006 henning

make absolutely sure logif is 0 unless set specifically, even if log is 0.
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...


# 1.511 25-Oct-2006 henning

and another nit, $$.log should be set to 0 explicitly on quick without log


# 1.510 25-Oct-2006 henning

urgs, $$.quick needs to be set to 0 explicitly on log (without quick)


# 1.509 25-Oct-2006 henning

allow the log interface to be selected like
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride


# 1.508 17-Oct-2006 mcbride

Don't automatically set 'flags S/SA' on stateless rules.

pointed out by david@

ok mpf@ dhartmei@


# 1.507 11-Oct-2006 deraadt

quotes around filename, pr 5253, sthen@zephyr.spacehopper.org


# 1.506 11-Oct-2006 mcbride

Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside
the anchor, terminate ruleset evaluation when stepping out of the anchor.

This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.

ok dhartmei@ henning@ deraadt@


# 1.505 06-Oct-2006 mcbride

Oops, flags S/SA doesn't work on fragments.


# 1.504 06-Oct-2006 mcbride

Make 'flags S/SA keep state' the implicit for filter rules, based on
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.

IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.

Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.

ok dhartmei@ deraadt@ henning@


Revision tags: OPENBSD_4_0_BASE
# 1.503 22-Aug-2006 dhartmei

back out -r1.497 (support for "tagged {}" lists), it broke "tagged" support
for nat rules. sorry, existing functionality trumps syntactic sugar. feel
free to resubmit a complete patch. closes PR 5207.


# 1.502 06-Jul-2006 henning

add "rtable" to select alternate routing tables.
with & ok claudio hshoexer


# 1.501 17-Jun-2006 henning

KNF


# 1.500 28-May-2006 mcbride

Make per-rule adaptive timeouts behave the same way as the global adaptive
timeouts.


# 1.499 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.498 02-May-2006 dhartmei

fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, create
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.


# 1.497 01-May-2006 dhartmei

add support for "tagged {}" lists, from Pierre-Yves Ritschard


# 1.496 06-Apr-2006 henning

allow lists inside lists for address specs, has been in my tree for
quite some time... theo likes


# 1.495 14-Mar-2006 djm

implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@


Revision tags: OPENBSD_3_9_BASE
# 1.494 17-Nov-2005 dhartmei

for pfctl -f rules, open the file before resetting options. when opening
the file fails, produce only the error message and leave options
unchanged. reported by Tamas TEVESZ, ok deraadt@


# 1.493 13-Oct-2005 henning

unused parameters


Revision tags: OPENBSD_3_8_BASE
# 1.492 14-Jun-2005 henning

no need to restrict tagging to stateful rules any more, dhartmei ok
From: "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.491 27-May-2005 dhartmei

get rid of 'log-all'. now that we have 'log (options)', make 'all' an
option to log. so, 'log-all' becomes 'log (all)'.


# 1.490 27-May-2005 dhartmei

get rid of shift/reduce conflicts, don't support empty logopts


# 1.489 27-May-2005 dhartmei

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v is used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.


# 1.488 27-May-2005 dhartmei

allow 'tagged' in 'anchor' rules (without complaining about missing
'keep state'), as a condition to branch into the anchor. suggested
by Bill Marquette.


# 1.487 26-May-2005 camield

The illegalness of "no nat log" is already enforced by the grammar.

ok dhartmei


# 1.486 26-May-2005 dhartmei

support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@


# 1.485 23-May-2005 camield

remove code that duplicates getservice()

ok dhartmei mcbride


# 1.484 21-May-2005 henning

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo


# 1.483 22-Apr-2005 camield

Catch bad flags, i.e. flags that always evaluate to false. This happens
if there are flags on the left-hand side that are masked off by the
right-hand side.

ok mcbride@ (long time ago) dhartmei@ henning@


Revision tags: OPENBSD_3_7_BASE
# 1.482 07-Mar-2005 henning

print unsigned long with %lu, not with %d and not with %ld.
From: Andrey Matveev <andrushock@korovino.net>


# 1.481 06-Mar-2005 henning

allow commas in the hfsc service curve spec, inconsistency pointed out in
PR4134 / geoff@collyer.net and a longer mail exchange with han boetes


# 1.480 06-Mar-2005 dhartmei

print "set skip on" with -v in such a way that the output is valid input
syntax, instead of the cryptic hex flags output.


# 1.479 27-Feb-2005 dhartmei

support 'tagged' in translation rules, non-delayed tag lookup
ok henning@, deraadt@


# 1.478 26-Feb-2005 henning

you sure get the impression the number of memory leaks in error paths
is infinite... Andrey Matveev <andrushock@korovino.net> spotted a few again!


# 1.477 07-Feb-2005 david

KNF; ok henning@


# 1.476 28-Jan-2005 dhartmei

add messages for syntax errors that caused silent failure before.
found by Peter Fraser, ok henning@


# 1.475 27-Jan-2005 dhartmei

dynamic interface names must start with a letter. catches the nonsensical
"(10.1.2.3)" that results from a simple typo like "$(ext_ip)" instead of
"$(ext_if)".


# 1.474 05-Jan-2005 mcbride

Modify pfctl behaviour so that 'set ...' options are no longer "sticky", i.e.
they are reset to default values if omitted from a subsequent ruleset load.
Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set
without resetting the others, eg:
# echo "set loginterface fxp0" | pfctl -mf -

ok henning@ dhartmei@


# 1.473 29-Dec-2004 mcbride

Print 'set fingerprints' correctly when parsing verbosely.


# 1.472 23-Dec-2004 dhartmei

set rule_flag PFRULE_SRCTRACK when setting srctrack, found by camield@
using regress test pf84


# 1.471 22-Dec-2004 dhartmei

Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@


# 1.470 15-Dec-2004 henning

missing free()s; with pat


# 1.469 10-Dec-2004 henning

allow pf to filter on route labels
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan


# 1.468 08-Dec-2004 mcbride

Add "'overload' requires 'max-src-conn' or 'max-src-conn-rate'" sanity check,
fix some cut-n-paste mayhem in other related checks.


# 1.467 07-Dec-2004 dhartmei

re-commit mcbride@'s 'flush global', this time without the breakage in
pfvar.h. builds kernel and userland.


# 1.466 07-Dec-2004 deraadt

real backout


# 1.465 07-Dec-2004 deraadt

oops, incomplete backout


# 1.464 07-Dec-2004 deraadt

tree does not compile, spotted by dlg (not obvious how to fix)
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.463 07-Dec-2004 mcbride

Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.462 05-Dec-2004 dhartmei

initialize $$->tail and $$->next for MAXSRCCONNRATE


# 1.461 04-Dec-2004 mcbride

Userland support for limiting open tcp connections per source. eg:

keep state (max-src-conn 1000, max-src-conn-rate 100/10, overflow <bad> flush)

allow a maximum of 1000 open connections or 100 new connections in 10 seconds.
The addresses of offenders are added to the <bad> table which can be used in
the ruleset, and existing states from that host are flushed.

ok deraadt@ dhartmei@


# 1.460 21-Sep-2004 aaron

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok


Revision tags: OPENBSD_3_6_BASE
# 1.459 29-Jun-2004 henning

remove cedric's bogus interface name verification code.
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nice enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being bugged to regularly.
help & ok mcbride@


# 1.458 29-Jun-2004 frantzen

convert a few memcpy()s to strlcpy() so we don't copy uninitialized junk into
an interface name's slack space past the \0. will be needed for the optimizer.
ok henning@


# 1.457 26-Jun-2004 david

add back PF_INOUT, fixes reassemble tcp
ok canacar@ mcbride@


# 1.456 25-Jun-2004 deraadt

repair tree nanobreak by the nanobum


# 1.455 10-Jun-2004 dhartmei

rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
keyword in C++. ok henning@, cedric@


# 1.454 21-May-2004 dhartmei

Use '/' instead of ':' as separator for anchor path components. Note that
the parser now needs quotes around paths containing separators.
ok mcbride@


# 1.453 19-May-2004 dhartmei

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@


# 1.452 24-Apr-2004 cedric

Add "probability xxx" rule modifier. ok deraadt@


# 1.451 22-Apr-2004 henning

typo, From: Jared Yanovich <jjy2+@pitt.edu>


# 1.450 14-Apr-2004 cedric

make antispoof work with dynamic addresses. ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_5_BASE
# 1.449 20-Mar-2004 david

spelling fix; ok dhartmei@ henning@ deraadt@


# 1.448 14-Mar-2004 dhartmei

#include fixes, from Max Laier, ok beck@ henning@


# 1.447 08-Mar-2004 henning

plug 124 memory leaks
ok mcbride@ pb@ dhartmei@


# 1.446 06-Mar-2004 henning

from bgpd:
plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. err(1, "yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.445 01-Mar-2004 dhartmei

support "tagged <name>" on anchor rules, suggested by vd@vmunix.lt,
ok henning@, cedric@


# 1.444 24-Feb-2004 mcbride

'max-src-nodes' requires 'source-track rule'. Set that automatically,
unless 'source-track global' is explicit, in which case error out. Lots of
help from cedric@.

ok cedric@ henning@


# 1.443 24-Feb-2004 cedric

fixup.


# 1.442 24-Feb-2004 mcbride

Check for 'source-track rule' with 'max-src-nodes'.

ok cedric@ henning@


# 1.441 11-Feb-2004 cedric

Fix interface clobbering for link-local addresses. Found by Pyun YongHyeon.
Fix "antispoof for foo" when foo has no addresses.
ok+help dhartmei@, ok mcbride@


# 1.440 10-Feb-2004 henning

KNF


# 1.439 10-Feb-2004 henning

fix at least the worst of Cedric "KNF is for everybody but me" Berger's fuckup


# 1.438 04-Feb-2004 mcbride

Handle rules like 'pass ... proto { tcp udp icmp } ... modulate state'

ok dhartmei@ henning@


# 1.437 03-Feb-2004 henning

fix PR 3664 / jared r r spiegel
we need to save the unexpanded tag/tagged strings before entering the
expansion loop, and at each loop, start with the unexpanded tag, so that
on subsequent loops the macros are replaced with current values and not
the values from previous loop persist
ryan theo ok


# 1.436 05-Jan-2004 henning

few off by ones in strlcpy overflow check; Patrick Latifi


# 1.435 04-Jan-2004 cedric

don't ignore "!" on "binat on !foo". ok mcbride@


# 1.434 31-Dec-2003 deraadt

spacing. note this, cedric


# 1.433 31-Dec-2003 cedric

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now support multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@


# 1.432 30-Dec-2003 henning

fix TAILQ abuse.
TAILQ_REMOVE is a no-no within a TAILQ_FOREACH loop.
also free the symbol itself after removal.
all found while hacking bgpd which incorporates pfctl's sym code (macros).

ok cedric@


# 1.431 19-Dec-2003 henning

i wrote much of these, assert my copyright


# 1.430 19-Dec-2003 deraadt

assert copyright. i rewrite much of this


# 1.429 16-Dec-2003 mcbride

Check that max-src-states and max-src-nodes are not being set to 0.


# 1.428 15-Dec-2003 henning

KNF here too


# 1.427 15-Dec-2003 mcbride

Whitespace.


# 1.426 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network, i.e., a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


# 1.425 15-Dec-2003 mcbride

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@


# 1.424 29-Nov-2003 dhartmei

allow ':' (range including boundaries) to be used wherever '><' (range
excluding boundaries) is legal. already supported by kernel, requires only
removal of three error messages. ok henning@


# 1.423 22-Nov-2003 henning

daniel stumbled over a broken regress test, and it turned out that I forgot
to commit a diff from 11/6...
do not insert the "block in on ! interface" rule for antispoof statements when
the interface in question does not have any IP address, because that then
expands to
block in on ! interface all
which is obviously bad.
niklas@ found it, dhartmei@ ok, and I think some more ppl ok I don't remember


# 1.422 14-Nov-2003 henning

allow the debuglevel to be set from pf.conf (set debug)

ok cedric@


# 1.421 08-Nov-2003 mcbride

Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.

pass in proto tcp to self flags S/SA keep state (no-sync)

ok cedric@ henning@ dhartmei@


# 1.420 06-Nov-2003 henning

and fix two err() that should be errx() while being here


# 1.419 06-Nov-2003 henning

need calloc here


# 1.418 06-Nov-2003 henning

allow the label macros to be used in tags as well.
the idea is not mine and I'd love to give credit, but I cannot find the mail
any more :-((

ok canacar@ dhartmei@


# 1.417 21-Oct-2003 itojun

don't use NULL as (int)0. henning ok


# 1.416 26-Sep-2003 cedric

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:

- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK

Ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_4_BASE
# 1.415 01-Sep-2003 henning

KNF


# 1.414 28-Aug-2003 kjell

This change is busted. what's worse, REGRESSION TESTS WOULD HAVE CAUGHT IT!
You MUST test network stack changes on BOTH BYTE-ORDERS.
Someone can fix this later, but right now I need to get the damn
firewall up. Grr.


# 1.413 26-Aug-2003 dhartmei

catch port/user/group a <>/>< b with a >= b, from mpech@


# 1.412 25-Aug-2003 dhartmei

catch return-rst ttl values > 255, from aaron@


# 1.411 24-Aug-2003 cedric

Tweaks:
- Make sure we allow only tables in round-robin pools for routing options,
same as what we do for translation rules.
- Don't reject rules like: "nat on sis0 -> <foo>" because
"no address family is given". This is perfectly valid.
ok henning@


# 1.410 22-Aug-2003 david

pf spelling police
ok dhartmei@ jmc@


# 1.409 21-Aug-2003 frantzen

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001


# 1.408 20-Aug-2003 henning

braindeadness police: catch queues which specify themselves as child... 'nuff said


# 1.407 20-Aug-2003 henning

err out nicer on errors in queue def


# 1.406 18-Aug-2003 dhartmei

catch max-mss values > 65535, report by Gregory Steuck


# 1.405 09-Aug-2003 cedric

This patch removes the restriction that tables cannot be used in routing or
redirection rules...

The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.

This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.

Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"

ok henning@ mcbride@


# 1.404 29-Jul-2003 deraadt

indent


# 1.403 19-Jul-2003 cedric

Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
instead of indirectly through struct pf_rule_addr.

Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.

Needless to say: KERNEL/USERLAND SYNC REQUIRED.

ok henning@ mcbride@


# 1.402 18-Jul-2003 cedric

Simplify handling of flags (-R, -N...). Remove PFCTL_FLAG_ALL.
ok dhartmei@


# 1.401 15-Jul-2003 cedric

Repair memory management in table parsing code.
I need vacations.
Found and verified by Pyun YongHyeon.
ok dhartmei@


# 1.400 14-Jul-2003 dhartmei

tpo


# 1.399 11-Jul-2003 cedric

Better parsing and -v support for tables:

- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and bring table definition consistent with other
parsed rules.

ok dhartmei@


# 1.398 10-Jul-2003 cedric

Fix merging of host lists.
ok dhartmei@ henning@


# 1.397 04-Jul-2003 henning

KNF after cedric (grmpf)


# 1.396 04-Jul-2003 henning

allow for a "pass" modifier on translation rules:
nat pass on $ext_if from $a to $b -> $ext_if
when the pass modifier is given, the filter ruleset is _not_ evaluated but
the packets matching this translation rule are passed unconditionally.

ok dhartmei@ cedric@ markus@


# 1.395 03-Jul-2003 cedric

Bye bye atexit(), bye bye globals...
The pfctl.c part will probably need some further improvements.
ok henning@


# 1.394 03-Jul-2003 cedric

This patch finally cleans up pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@


# 1.393 19-Jun-2003 deraadt

knf


# 1.392 18-Jun-2003 henning

change expand_label_addr() to use a switch (h->addr.type) instead of
if .. else if .. else, and handle PF_ADDR_NOROUTE as well.
inspired by a comment from cedric.


# 1.391 18-Jun-2003 henning

when expanding the $srcaddr/$dstaddr label macros and the address is actually
a table reference, don't print nonsense but the table name.
found by claudio jeker, fix by me, agreement by cedric


# 1.390 09-Jun-2003 mcbride

Attempt to resolve byte order confusion in nat code once and for all.

- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()

NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.


# 1.389 25-May-2003 henning

must not run check_netmask() before remove_invalid_hosts() - binat case had it
wrong for the redirection target.
reported by jared r r spiegel <jrrs@ice-nine.org>


# 1.388 19-May-2003 henning

reject invalid netmasks like 10.0.0.0/68, and fix up the netmask for
dynaddr rules after we know the address family

ok dhartmei@, inspired by a session with bob
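
A validation routine in the spirit of this commit, added here as an example and not pfctl's own host() code: it splits an `address/prefix` spec, determines the address family with inet_pton(3), and rejects a prefix length that is not a plain decimal number or exceeds the family's maximum (32 for IPv4, 128 for IPv6), so that something like 10.0.0.0/68 is refused. The function names and the return convention are assumptions.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/*
 * Parse "addr/prefix" (or a bare "addr") and return the prefix length to
 * use, or -1 if the address or the prefix is invalid.  A bare address gets
 * the host mask of its family (32 or 128).  *af receives AF_INET/AF_INET6.
 */
int
parse_prefix_len(const char *spec, int *af)
{
	char addr[INET6_ADDRSTRLEN];
	unsigned char buf[sizeof(struct in6_addr)];
	const char *slash;
	size_t alen;
	int maxbits;
	long bits;
	char *end;

	/* split off the "/prefix" part without modifying the input */
	slash = strchr(spec, '/');
	alen = slash != NULL ? (size_t)(slash - spec) : strlen(spec);
	if (alen == 0 || alen >= sizeof(addr))
		return -1;
	memcpy(addr, spec, alen);
	addr[alen] = '\0';

	/* the literal itself decides the family, and thus the maximum mask */
	if (inet_pton(AF_INET, addr, buf) == 1) {
		*af = AF_INET;
		maxbits = 32;
	} else if (inet_pton(AF_INET6, addr, buf) == 1) {
		*af = AF_INET6;
		maxbits = 128;
	} else
		return -1;	/* not a numeric address (e.g. an interface name) */

	if (slash == NULL)
		return maxbits;	/* no mask given: host address */

	/* prefix must be a plain non-negative decimal number within range */
	if (slash[1] < '0' || slash[1] > '9')
		return -1;	/* rejects "/", "/-1", "/abc" */
	errno = 0;
	bits = strtol(slash + 1, &end, 10);
	if (errno != 0 || *end != '\0' || bits > maxbits)
		return -1;	/* trailing junk or 10.0.0.0/68 style masks */
	return (int)bits;
}

/* Convenience wrapper that discards the family, for quick checks. */
int
prefix_len(const char *spec)
{
	int af;

	return parse_prefix_len(spec, &af);
}
```

The family is derived from the literal before the mask is range-checked, which is the ordering the commit describes for the dynaddr case as well: the maximum prefix is only known once the address family is.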


# 1.387 19-May-2003 henning

all host() receivers have to test for NULL


# 1.386 19-May-2003 henning

if host() returns NULL, it is an error, so err the fuck out and don't
load bullshit


# 1.385 17-May-2003 henning

support inverse matching on tags like
block in ! tagged sometag

ok dhartmei@ pb@


# 1.384 16-May-2003 dhartmei

TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive end-
point, preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@


# 1.383 15-May-2003 henning

properly complain about too long tags


# 1.382 14-May-2003 frantzen

add scrub modifier "reassemble tcp" to turn on stateful TCP normalizations
ok henning@ dhartmei@


# 1.381 14-May-2003 henning

tagging on binat


# 1.380 14-May-2003 henning

enabled tagging on rdr rules


# 1.379 14-May-2003 henning

with tag/tagged given, only whine about missing keep state on pass rules


# 1.378 14-May-2003 frantzen

allow SCRUB rules to specify protocol again. broken sometime in the past.
okie dhartmei@, yay pb@


# 1.377 14-May-2003 henning

tags on nat rules:
nat on $ext_if all tag humppa -> $ext_if
pass out tagged humppa keep state


# 1.376 13-May-2003 henning

make sure tagging is only ever used with stateful filter rules


# 1.375 13-May-2003 henning

userland part for tagging.
it's now possible to tag packets with an arbitrary tag and filter based on
that tag later on other interfaces:
pass in quick on fxp0 keep state tag blah
pass out quick on wi0 keep state with tag blah
can be used to express trust between interfaces, to distinguish between
NATed connections and connections originating from the firewall itself
and much more

ok dhartmei@ frantzen@ pb@ mcbride@


# 1.374 11-May-2003 mcbride

Don't ntohs() the translation port for nat as it is already in host byte order.
Makes nat ... -> $ext_if port 500 rules work correctly again.

ok henning@ dhartmei@ frantzen@


# 1.373 10-May-2003 henning

support loading of anchors from within the main ruleset via
load anchor anchorname:rulesetname file /path/to/file

ok pb@ dhartmei@ cedric@


# 1.372 03-May-2003 henning

don't free() the char * carrying the rule label too early
noticed by Mathieu Sauve-Frankel <m.sauve at secureops.net> via silc


# 1.371 01-May-2003 henning

ease label handling

ok cedric@


# 1.370 01-May-2003 henning

allow label on antispoof; requested by Gregor Binder <gbinder at sysfive.com>

ok cedric@


# 1.369 30-Apr-2003 cedric

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@


# 1.368 25-Apr-2003 dhartmei

Properly copy the second part of nat proxy port range, when specified.
ok henning@


# 1.367 15-Apr-2003 henning

pass down the unparsed queue opts (struct node_queue_opt) to
print_altq/print_hfsc -> print_hfsc_opts and extract struct node_hfsc_sc
there for each service curve and pass those down to print_hfsc_sc. now
bandwidth specifications in the service curves are printed correctly in the
case of a queue belonging to more than one interface/parent queue, the
parent queues having different bandwidths and the bandwidth on the service
curve being specified in percent.


# 1.366 14-Apr-2003 henning

let print_altq and print_queue take a struct node_queue_bw parameter instead
of distinct bw_percent


# 1.365 13-Apr-2003 henning

KNF


# 1.364 13-Apr-2003 henning

prevent double service curve specification


# 1.363 13-Apr-2003 henning

add support for the HFSC linkshare, realtime, and upperlimit service curves
to be specified.


# 1.362 13-Apr-2003 dhartmei

unbreak (missing })


# 1.361 13-Apr-2003 henning

say bye bye to hfscflags_list and hfscflags_item
welcome hfscopts_list and hfscopts_item, returning a full struct
node_hfsc_opt instead of just an int for the flags. needed because of all
the opts hfsc knows


# 1.360 13-Apr-2003 henning

new struct node_hfsc_opts for, surprise, hfsc options. needed because they
contain bandwidth specifications and we need to carry the unprocessed bw
specs around for quite some time until we can break them down to absolute
values.


# 1.359 13-Apr-2003 henning

pass down the struct node_queue_opts from the altqif/queuespec yacc targets
to expand_altq/expand_queue -> eval_pfaltq/eval_pfqueue and
further down to the new eval_queue_opts() instead of evaluating them directly
in the yacc grammar.
this will be needed to process the hfsc options which can contain relative
bandwidth specifications, and we can't break them down to an absolute one
earlier.


# 1.358 13-Apr-2003 henning

move the structs node_queue_bw and node_queue_opt to pfctl_parser.h.
let eval_pfqueue() and eval_pfaltq() take a pointer to a struct
node_queue_bw instead of two distinct bw_absolute and bw_percent parameters.


# 1.357 13-Apr-2003 henning

move the bandwidth keyword from within the bandwidth target up to the
queue_opts target so the bandwidth parser can be used for other things too;
will be needed for hfsc's linkshare etc


# 1.356 12-Apr-2003 henning

initial support for the HFSC scheduler.
whoever uses that for more than toying around is on drugs. it's far from done.


# 1.355 11-Apr-2003 henning

KNF


# 1.354 11-Apr-2003 henning

don't set r->qid and r->pqid in expand_rule any more, queue name -> queue ID
mapping is done in kernel land now


# 1.353 07-Apr-2003 dhartmei

Catch and refuse invalid icmp codes (> 255). ok pb@, mpech@.


# 1.352 05-Apr-2003 henning

ease netmask handling a bit

input theo, ok dhartmei@


# 1.351 05-Apr-2003 henning

allow queue specs to be limited to certain interfaces.

altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two }
queue one priority 1 priq(default)
queue two on $if0 priority 15
queue two on ! $if0 priority 0

ok dhartmei@


# 1.350 05-Apr-2003 henning

whitespace KNF


# 1.349 04-Apr-2003 henning

clean up:
instead of letting the lexer interpret '<' '>' '=' '>=' '<=' and return them
as PF_OP_LT, PF_OP_GT etc etc etc in PORTUNARY, just let the lexer return
'<' '>' and '=' literally, and in the few cases where the old PORTUNARY was
really used like originally intended, replace that by a new unaryop yacc
target. in all other cases that gets rid of quite some checks whether PORTUNARY
is really < and nothing else etc etc etc.

ok cedric@ deraadt@


# 1.348 27-Mar-2003 henning

lotsa const char *
from David Hill <david at phobia.ms> a while ago


# 1.347 27-Mar-2003 henning

introduce a "yesno" target. eases code a bit and yes is not a keyword any more.


# 1.346 27-Mar-2003 henning

handle invalid priq/cbq flags better and give a nice error message


# 1.345 27-Mar-2003 henning

default, borrow, ecn, red and rio are not keywords any more. use STRING and
strcmp instead.


# 1.344 27-Mar-2003 henning

switch symset/symget to TAILQ instead of using hand baked lists

ok dhartmei@ cedric@


Revision tags: OPENBSD_3_3_BASE
# 1.343 19-Mar-2003 henning

branches: 1.343.2;
kill the address token and move the host() invocation up to the host token,
so that host() always gets the full address to be parsed including the
netmask instead of applying the netmask afterwards. this could break some
edge cases and was broken since the (interface)/24 fix.
new token dynaddr for, well, dynaddr, and apply an eventually given netmask
afterwards in the host token just in this case.

found after bug report From: Julien Bordet <zejames@greyhats.org> via dhartmei

ok daniel cedric


# 1.342 10-Mar-2003 henning

correctly cope with errors returned by eval_pfqueue and pfctl_add_altq

ok dhartmei@ pb@ (as part of... you know, monsterdiff)


# 1.341 10-Mar-2003 henning

when complaining about a queue without parent, include the queue name in
the error message

ok dhartmei@ pb@ (as part of a monsterdiff)


# 1.340 09-Mar-2003 henning

cope with LOOP_THROUGH modifying the list (queues).
in case of an error in the queue def in question the queues list remains
unmodified, but the LOOP_THROUGH caused a mod anyway, and the list can stay
empty. subsequent checks for NULL which check for an empty list fail then.
fix by adding an explicit check before looping.
fixes regress pfail31
error report by Kamil Andrusz via pb@, testcase from pb@
ok dhartmei@


# 1.339 09-Mar-2003 henning

cope with the fact that LOOP_THROUGH loops once even if the list is empty by
moving the addition of child queues a bit down after the successful
addition of the current queue and an explicit NULL check before looping.
fixes regress pf59
found by kjc@
ok kjc@ cedric@ dhartmei@


# 1.338 08-Mar-2003 henning

fix the obvious:
since we do not modify the struct pf_altq *a any more but our private copy,
we can of course not inherit the scheduler type from it, since it did not
inherit the scheduler type from the parent.
so just inherit the scheduler type from the parent directly...

ok dhartmei@ cedric@


# 1.337 08-Mar-2003 henning

in expand_queue, make a private copy of the struct pf_altq before modifying
it. modifying the original one had undesired side effects if a queue was
expanded to more than one because it belonged to more than one interface

ok pb@ cedric@ dhartmei@


# 1.336 06-Mar-2003 henning

fix queue assignment on filter rules which are not bound to an interface.
when looking up the queue IDs using qname_to_qid, we do not need to limit
the matching on the interface in question, as it is guaranteed that same
named queues on different interfaces have the same queue id. moreover, we
must not limit the matches to the interface if we do not have an interface
given on the filter rule to match on ;-)

found after problems reported by Andre Nathan <andre at v2r dot com dot br>

ok dhartmei@ pb@ cedric@


# 1.335 02-Mar-2003 henning

when printing queues at load time that have bandwidth specified in percent,
print the bandwidth in percent instead of the calculated absolute value.
if a queue belongs to more than one interface and they have different
bandwidth the calculated absolute is of course different per interface.
previously the first calculated absolute value was shown; what of course is
incorrect on the second interface. note that only the print was wrong, the
correct values were passed to the kernel.

ok theo daniel


# 1.334 02-Mar-2003 henning

remove the control keyword for cbq queues.
the control class was a legacy of the original CBQ design by LBL/Sun
to support RSVP.
the control class is not used in openbsd, in the sense that
we don't automatically set filters for ICMP/IGMP/RSVP for the control
class.

ok dhartmei@ kjc@ deraadt@


# 1.333 27-Feb-2003 david

modify error message to match the same 7 sections in pf.conf(5)
ok deraadt@ henning@


# 1.332 26-Feb-2003 henning

in expand_rule, correctly set r->pqid if a priority queue was defined, and
reuse the value of r->qid if not.

ok dhartmei@ mcbride@


# 1.331 25-Feb-2003 henning

some minor KNF my fingers just did...

ok dhartmei@ cedric@


# 1.330 25-Feb-2003 cedric

repair/simplify/flexify binat userland.
ok dhartmei@ henning@


# 1.329 24-Feb-2003 henning

when a macro is redefined, don't bother with reusing the existing entry in
symset() but just prepend a new sym entry to symhead like we always did. as
symget searches the list sequentially, the newest one is picked first.
prevents an endless loop introduced when trying to reuse the existing entry
by an invalid setting for the next pointer.
fixes regress test pf57.

found after conversation with Chris Linn, celinn at mtu dot edu

ok dhartmei@ cedric@
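
The two list-handling points made in this commit and in 1.432 above (prepend a fresh entry on redefinition instead of rewiring the old one, and never TAILQ_REMOVE from inside TAILQ_FOREACH) shown together, as an added example modelled on pfctl's symbol table but not pfctl's own code. The function names symset/symget/symunset/symcount, the dupstr helper and the sample macro values are assumptions.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/queue.h>

/* A macro symbol table in the style of pfctl's symset()/symget(). */
struct sym {
	TAILQ_ENTRY(sym)	 entry;
	char			*nam;
	char			*val;
};
static TAILQ_HEAD(symhead, sym) symhead = TAILQ_HEAD_INITIALIZER(symhead);

/* malloc-based strdup, so the block does not depend on strdup's feature macros */
static char *
dupstr(const char *s)
{
	size_t len = strlen(s) + 1;
	char *p = malloc(len);

	if (p != NULL)
		memcpy(p, s, len);
	return p;
}

/*
 * Define or redefine a macro. A redefinition prepends a fresh entry rather
 * than reusing the existing one: symget() walks from the head, so the newest
 * definition is found first and no next pointer of a live node is touched.
 */
int
symset(const char *nam, const char *val)
{
	struct sym *sym;

	if ((sym = calloc(1, sizeof(*sym))) == NULL)
		return -1;
	sym->nam = dupstr(nam);
	sym->val = dupstr(val);
	if (sym->nam == NULL || sym->val == NULL) {
		free(sym->nam);
		free(sym->val);
		free(sym);
		return -1;
	}
	TAILQ_INSERT_HEAD(&symhead, sym, entry);
	return 0;
}

/* Look up a macro; the first (newest) match wins. */
const char *
symget(const char *nam)
{
	struct sym *sym;

	TAILQ_FOREACH(sym, &symhead, entry)
		if (strcmp(nam, sym->nam) == 0)
			return sym->val;
	return NULL;
}

/*
 * Remove every definition of nam. Calling TAILQ_REMOVE inside TAILQ_FOREACH
 * is the bug: the loop would read the next pointer out of a node that has
 * just been freed. Fetch the successor before removing, and free the symbol
 * itself, not only its strings. Returns the number of entries removed.
 */
int
symunset(const char *nam)
{
	struct sym *sym, *next;
	int n = 0;

	for (sym = TAILQ_FIRST(&symhead); sym != NULL; sym = next) {
		next = TAILQ_NEXT(sym, entry);
		if (strcmp(nam, sym->nam) != 0)
			continue;
		TAILQ_REMOVE(&symhead, sym, entry);
		free(sym->nam);
		free(sym->val);
		free(sym);
		n++;
	}
	return n;
}

/* Number of entries on the list; redefinitions count separately. */
int
symcount(void)
{
	struct sym *sym;
	int n = 0;

	TAILQ_FOREACH(sym, &symhead, entry)
		n++;
	return n;
}
```

Redefining `extif` twice leaves two entries on the list and the newer value visible; removing `extif` then drops both without ever following a pointer out of freed memory.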


# 1.328 21-Feb-2003 henning

re-allow set loginterface none
ok cedric@ dhartmei@


# 1.327 21-Feb-2003 henning

better error message if set loginterface is called with nonexistent
interface, found by krause (who is doing EXCELLENT work. Thank you very
much!), fix by me, ok dhartmei@ and cedric@


# 1.326 20-Feb-2003 henning

reject nonexistent interfaces in the dynaddr case, noticed during discussion
with jasondixon at myrealbox dot com

ok dhartmei@


# 1.325 19-Feb-2003 dhartmei

Make 'from (kue0)/24' work again (dynamic interface name translation with
a /prefix), reported by Jason Dixon. ok henning@


# 1.324 19-Feb-2003 henning

better error message on icmp version / address family mismatch

ok markus@


# 1.323 18-Feb-2003 henning

fix load option handling (-A, -N, -R) for options.
due to a bug in the loadopt check options were always loaded no matter which
loadopts were specified.
while being there, move the prints for that to where they belong, into the
appropriate pfctl_set_* functions, and thus only print when the options are
actually loaded.
fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier.

ok dhartmei@


# 1.322 17-Feb-2003 henning

"optarg" was a bad pick for the variable name in pfctl_cmdline_symset, it
shadows a global. rename.


# 1.321 17-Feb-2003 mpech

-#include <sys/ioctl.h>

mcbride@, dhartmei@ ok


# 1.320 16-Feb-2003 henning

unneeded {}


# 1.319 16-Feb-2003 henning

throw a syntax error if the portunary operator in varset is not '='
extif>"whatever"
should not be the same as
extif="whatever"
but a syntax error.


# 1.318 14-Feb-2003 dhartmei

Allow route-to loopback interfaces again, since Ryan fixed the loops that
might have occurred before.


# 1.317 14-Feb-2003 cedric

Better and more consistent error message.
Ok dhartmei@


# 1.316 13-Feb-2003 henning

ease the yacc a bit by using a "not" rule instead of having two rules w/ and
without '!' everywhere

ok dhartmei@


# 1.315 12-Feb-2003 henning

KNF after ryan


# 1.314 12-Feb-2003 mcbride

Simplify the code and make the parser handle the different rule types
more consistently.

- Merge expand_nat and expand_rdr into expand_rule
- Merge rdrrule token into natrule

ok concept henning@
ok dhartmei@


# 1.313 11-Feb-2003 henning

allow macro definition on the command line:
pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea
theo), very handy if your notebook has another NIC at some conference, as
well as for debugging etc.
idea rezine@mistrusted.net via pb@
hacked live at FOSDEM

ok pb@ dhartmei@ cedric@


# 1.312 09-Feb-2003 henning

more live code from FOSDEM:
make
pass in proto tcp to port 80
work.
-allow to omit the "any" if you're specifying a port
-allow to omit the from or to part if you want "any" for the other

ok dhartmei@ pb@


# 1.311 09-Feb-2003 henning

KNF


# 1.310 09-Feb-2003 camield

Fix a few warnings and remove unnecessary check and cast.

ok dhartmei henning


# 1.309 08-Feb-2003 dhartmei

Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@


# 1.308 05-Feb-2003 cedric

Fix "pass out dup-to (tun0 1.1.1.1) inet6 all" error message
Allow "pass out dup-to tun0 all"
ok mcbride@ henning@


# 1.307 05-Feb-2003 mcbride

Set the network mask to all 1's if no address is specified for a
route-to/dup-to/reply-to rule. Keeps round-robin from incrementing through
the entire address space.

ok dhartmei@


# 1.306 03-Feb-2003 deraadt

pretty


# 1.305 03-Feb-2003 dhartmei

Don't allow loopback interfaces as route/reply/dup-to targets. ok henning@


# 1.304 03-Feb-2003 cedric

remove loadopt global definition and cleanup a bit.
ok henning@


# 1.303 03-Feb-2003 henning

fix a problem with queue definitions when load options (like -N etc) are
given; they used to check for their parent interface/queue even in this
case.

ok dhartmei@ cedric@


# 1.302 02-Feb-2003 henning

there is no need to pass opts to parse_rules explicitly; it's passed as
part of the struct pfctl.


# 1.301 27-Jan-2003 deraadt

KNF


# 1.300 25-Jan-2003 mcbride

Match changes for rdr port ranges made to pf.c:
- fixes behaviour of rdr on le0 from foo to bar port 1:20 -> (lo0) port 22
- makes calculated mapping more explicit for the -> (lo0) port 22:* case

testing from dhartmei@

ok dhartmei@


# 1.299 25-Jan-2003 cedric

Fix NOACTION with table statements.


# 1.298 25-Jan-2003 cedric

Permit initialisation of a table content from a file in pf.conf.
Cleaning up of the table options parsing, more flexible.
idea+cleanup deraadt@, ok dhartmei@, passes all regress tests.


# 1.297 25-Jan-2003 cedric

Correctly check illegal constructs with tables. Better error messages.
ok dhartmei@ passes all regress tests.


# 1.296 25-Jan-2003 henning

if a table name is too long, it's actually nice to tell so instead of just
aborting with a syntax error


# 1.295 20-Jan-2003 camield

Remove unused argument from print_name() and fix two other nits
found by lint.

ok henning


# 1.294 19-Jan-2003 camield

Spin off label string expansion into a separate function. Clarifies
and tightens all expand_label functions.

ok dhartmei henning


# 1.293 18-Jan-2003 henning

KNF after ryan...


# 1.292 18-Jan-2003 mcbride

Add missing token string and assignment to make static-port work for real.

Diff and report courtesy of mpech@ and form@

ok dhartmei@


# 1.291 17-Jan-2003 camield

bandwith -> bandwidth

YYERROR on failed parseicmpspec()

ok dhartmei mcbride henning


# 1.290 15-Jan-2003 mpech

Typo in yyerror().

henning@


# 1.289 14-Jan-2003 henning

unified IP parser:
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h]
-extend host() to handle /mask itself, plus minor adjustments
-use that in pfctl_table.c instead of coding the same shit again

discussed w/ cedric@
ok cedric@ dhartmei@


# 1.288 13-Jan-2003 camield

err() on all memory allocation failures

ok henning dhartmei


# 1.287 11-Jan-2003 mcbride

Whitespace KNF


# 1.286 09-Jan-2003 henning

no need for explicit numbering in enums

ok dhartmei@


# 1.285 09-Jan-2003 dhartmei

Check return values on the remaining strlcpy/strlcat. ok henning@


# 1.284 09-Jan-2003 henning

minor KNF


# 1.283 09-Jan-2003 cedric

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@


# 1.282 08-Jan-2003 deraadt

check more strlcpy; camield@


# 1.281 07-Jan-2003 dhartmei

Allow underscore at the beginning of strings, fixes
pass all user _spamd
which was refused as syntax error before. Reported by Joe Nall.
ok henning@


# 1.280 07-Jan-2003 dhartmei

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@


# 1.279 06-Jan-2003 mcbride

Fix some oversights with address pools for route-to/dup-to/reply-to
- copy key for src-hash
- copy pool type (pools were being set to round-robin in all cases)

+ some minor knf.

ok dhartmei@


# 1.278 05-Jan-2003 henning

err after calloc failure, not errx


# 1.277 05-Jan-2003 dhartmei

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@


# 1.276 04-Jan-2003 dhartmei

move noroute from flag in pf_rule_addr into type in pf_addr_wrap.
ok henning@, mcbride@


# 1.275 04-Jan-2003 deraadt

I do not know where this policy of "one .h file for every .c file" comes
from, but whoever thought of it is stupid.


# 1.274 03-Jan-2003 dhartmei

whitespace KNF (no, i don't touch the option inits)


# 1.273 03-Jan-2003 cedric

Bring in userland code for accessing PF radix tables.
ok dhartmei@ mcbride@


# 1.272 02-Jan-2003 mcbride

Require a direction to be specified for rules which do routing.

ok dhartmei@ henning@


# 1.271 30-Dec-2002 mcbride

Change ipv6-icmp-type to icmp6-type. pf.conf files will need to be adjusted
to reflect this.

ok dhartmei@ henning@


# 1.270 27-Dec-2002 mcbride

Since pf_norm.c looks at rule.log to see if it should log packets being
dropped due to scrub violations, this adds the ability to set this in
pf.conf.

ok henning@


# 1.269 21-Dec-2002 henning

always initialize rpool.key; diff from Frank Denis; KNF by me


# 1.268 21-Dec-2002 henning

KNF


# 1.267 20-Dec-2002 dhartmei

remove a redundant assignment.


# 1.266 19-Dec-2002 dhartmei

fix 'no rdr'.


# 1.265 18-Dec-2002 henning

more KNF


# 1.264 18-Dec-2002 dhartmei

proto list expansion is not supported in binat-anchor yet, print an error
when attempted.


# 1.263 18-Dec-2002 dhartmei

Support (single) destination port in rdr-anchor rules. Print an error
where parameters are not supported (in rdr-anchor and binat-anchor) yet.
If those are needed, we'll have to expand them properly.


# 1.262 18-Dec-2002 deraadt

fix some INCREDIBLE new bugs which were introduced


# 1.261 17-Dec-2002 henning

add support for the PRIQ scheduler

partially from kjc@

ok kjc@ dhartmei@


# 1.260 17-Dec-2002 mcbride

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule

ok dhartmei@ henning@


# 1.259 17-Dec-2002 henning

missing break in switch


# 1.258 17-Dec-2002 henning

beautify the %type block


# 1.257 17-Dec-2002 henning

PRIQ and HFSC support functions, not yet used.
mostly from kjc@ with adjustments by me.

ok theo ryan daniel


# 1.256 16-Dec-2002 henning

only create a root queue if scheduler = cbq


# 1.255 16-Dec-2002 henning

get full [scheduler]_opts struct instead of just .flags, and wrap in into a
switch (scheduler) statement in one case

inspired by kjc@


# 1.254 13-Dec-2002 henning

allow a second queue for higher prioritized (currently: tos=lowdelay) packets
to be specified per rule

queue (qname, priorized_qname)

idea dhartmei
ok dhartmei@ frantzen@ deraadt@


# 1.253 13-Dec-2002 henning

a bit KNF originally part of another diff soon to come; frantzen@ correctly
pointed out that should be a separate commit.


# 1.252 13-Dec-2002 deraadt

permit re-ordering of some scrub parameters, and also clean up some other
grammar baloney; henning ok


# 1.251 12-Dec-2002 henning

KNF


# 1.250 12-Dec-2002 henning

we don't need to keep a private copy of the queue name in expand_rule,
r->qname is never modified

discussed with dhartmei@


# 1.249 11-Dec-2002 mcbride

Replace strncpy + ugly pointer math with sscanf for reading source-hash keys

ok dhartmei@ henning@


# 1.248 09-Dec-2002 dhartmei

(properly guarded) strcpy() -> strlcpy()


# 1.247 09-Dec-2002 deraadt

do not allow redefinitions in variable option blocks; henning ok


# 1.246 08-Dec-2002 henning

strncpy is evil.


# 1.245 08-Dec-2002 henning

allow flexible options order like Theo did for rules.

idea, lots of input, motivation and ok deraadt@

ATTENTION:
this changes the syntax. the "scheduler" keyword is gone now.
old: altq on $interface scheduler cbq ...
new: altq on $interface cbq ...


# 1.244 07-Dec-2002 dhartmei

Support parameters in anchor rules. Allows conditional evaluation, like:

anchor spews inet proto tcp from any to any port smtp

ok deraadt


# 1.243 07-Dec-2002 henning

more KNF


# 1.242 07-Dec-2002 henning

KNF


# 1.241 07-Dec-2002 henning

shadow cleanup

ok mcbride@ frantzen@


# 1.240 07-Dec-2002 henning

kill an unused param to lungetc


# 1.239 07-Dec-2002 mcbride

Convert the hash of a string key to network byte order. Makes regression
work on all platforms.

Bug found by dhartmei@

ok dhartmei@ henning@


# 1.238 06-Dec-2002 dhartmei

Remove negated address list check again, doesn't work right yet.


# 1.237 06-Dec-2002 dhartmei

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@


# 1.236 05-Dec-2002 henning

fix a small cosmetic problem. if ifa_lookup was called in LOOKUP_NET mode,
it would return things like 127.0.0.1/8. when 127.0.0.1/8 is passed through
the new selftests, it becomes 127.0.0.0/8.
fix: instead of just copying addr.mask in ifa_lookup, use set_ipmask, so it
is 127.0.0.0/8 from the beginning on.


# 1.235 05-Dec-2002 henning

-quote varset in -v output
-don't add 's' in set timeout -v output

makes the feedback regression tests succeed.

ok markus@ mcbride@


# 1.234 04-Dec-2002 henning

in host(), apply a given netmask to all members of the node_host list
returned by ifa_lookup().

reported by Alejandro G. Belluscio

ok dhartmei@


# 1.233 04-Dec-2002 deraadt

do not warn for unused variables except with -v -v; henning ok


# 1.232 02-Dec-2002 henning

KNF


# 1.231 02-Dec-2002 deraadt

permit more flexible pass/block lines. the options giving at the end of
a line can now be placed in any order, and some merging of duplicate options
is also done. this is easier to use.


# 1.230 02-Dec-2002 henning

allow for "altq on $interface" without specifying a bandwidth. The
interface's bandwidth is taken then.
as a side-effect, "altq on $interface bandwidth xx%" is also possible now,
it's relative to the interface's bandwidth then.

ok theo


# 1.229 30-Nov-2002 mickey

move damn unmask() proto into place as well


# 1.228 29-Nov-2002 henning

coredumps are not nice.
deal with the fact that when we are merging the lists in host_list both can
be NULL.
found at EuroBSDCon 2002 while I was explaining the expansion process to
Paul de Weerd

ok dhartmei@


# 1.227 29-Nov-2002 henning

print queuespec only once in verbose mode, even if referenced more often


# 1.226 29-Nov-2002 henning

FREE_LIST nqueues later; can be used more than once


# 1.225 28-Nov-2002 henning

allow qlimit on altq spec


# 1.224 28-Nov-2002 mcbride

- Adjust to match replacement of md5 with pf_hash
- Allow keys to be specified in hex (must be 128 bits, mainly to make
pfctl -v output parseable by pfctl) or as a string. Randomly generate key
if one is not specified.

Suggestions and fixes from camield@

ok mickey@ camield@ henning@


# 1.223 27-Nov-2002 henning

handle the "no bandwidth specified" case earlier and easier.


# 1.222 27-Nov-2002 henning

-use a #define for default qlimit instead of hardcoding it
-print qlimit in print_queue if it is not the default one
-assign the default qlimit early in the parser instead of using 0


# 1.221 27-Nov-2002 henning

next round in print fixes:
-only print priority if it is not equal to the default one
-space handling overhaul


# 1.220 27-Nov-2002 henning

use a #define for default priority instead of hardcoding it


# 1.219 27-Nov-2002 henning

fix tbrsize spec


# 1.218 27-Nov-2002 henning

fix error message for altq ifspec without child queues


# 1.217 26-Nov-2002 henning

make bandwidth specification on queue truly optional


# 1.216 26-Nov-2002 henning

queue comes before NAT


# 1.215 25-Nov-2002 henning

repair decide_address_family
you cannot just take the first address family you meet as rule's address
family... either all are equal, or the rule has no explicit AF.

found by danh@
ok theo


# 1.214 25-Nov-2002 mickey

for loN and link1 translate the iface into address properly; henning@ ok


# 1.213 25-Nov-2002 henning

1Kb = 1000b, not 1024; as discussed with kjc@ and theo


# 1.212 25-Nov-2002 henning

KNF


# 1.211 24-Nov-2002 pb

enforce that queue comes right before filtering
'options, normalization, translation, queue, filter' now

henning@ ok


# 1.210 24-Nov-2002 dhartmei

Cosmetics and removal of a redundant code block.


# 1.209 23-Nov-2002 deraadt

sigh


# 1.208 23-Nov-2002 henning

KNF


# 1.207 23-Nov-2002 henning

better error checking in expand_queue


# 1.206 23-Nov-2002 henning

easier


# 1.205 23-Nov-2002 mcbride

Daniel's diff to untangle my mess with ifa_pick_ips like so:

- add decide_address_family() which runs through the list to find hosts
with the af set
- replace ifa_pick_ips with remove_invalid_hosts() which removes hosts with
the wrong address family from the list

from/ok dhartmei@


# 1.204 23-Nov-2002 henning

better error checking, round 1
this time in expand_altq


# 1.203 23-Nov-2002 henning

KNF


# 1.202 23-Nov-2002 deraadt

KNF


# 1.201 23-Nov-2002 dhartmei

$$->ifname is NULL, leave it NULL, don't $$->ifname[0] = 0;


# 1.200 23-Nov-2002 mcbride

Fix brokenness in parse.y, clean up:
- remove requirement for ( ) in route-to ( if )
- calloc route_host
- initialise route_host->next
- globally convert malloc to calloc

ok dhartmei@


# 1.199 23-Nov-2002 mcbride

code to support loading of pf rules with multiple redirection addresses
(in nat, rdr, route-to, dup-to and reply-to)

Syntax looks like this, see pf.conf(5) for details:

nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
192.168.0.16/29 source-hash random

rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
{ 192.168.0.8/31, 192.168.0.15 } port 22 round-robin

ok dhartmei@ henning@


# 1.198 22-Nov-2002 henning

print altq and queue lines in the pfctl -v case including the child queue
assignment


# 1.197 19-Nov-2002 henning

only take cbq opts from schedtype if type=CBQ


# 1.196 19-Nov-2002 henning

repair queuespec syntax glitch, theo agrees


# 1.195 19-Nov-2002 henning

default priority is 1, not 0
found by pb@


# 1.194 19-Nov-2002 camield

- match 'Gb' case-sensitively
- match "%" unit only, not "%crap"

ok henning@


# 1.193 19-Nov-2002 wilfried

icmp-type was off by one, ok henning@


# 1.192 18-Nov-2002 deraadt

no; do not use };


# 1.191 18-Nov-2002 henning

more using strl* return values instead of strlen calls


# 1.190 18-Nov-2002 henning

easier "queue name too long" detection; from theo


# 1.189 18-Nov-2002 deraadt

KNF


# 1.188 18-Nov-2002 deraadt

KNF


# 1.187 18-Nov-2002 henning

altq and pf merged

this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documentation yet, but committing now
enables a few more people to work on.

print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.

"commit now" theo philipp daniel


# 1.186 13-Nov-2002 henning

as scrub rules end up in a struct pf_rule just call expand_rule instead of
handcrafting this.
has quite a few positive side effects:
-interface list expansion works (fries@ asked for that)
-can specify address family, very helpful with dynamic interface expansion
(pointed out by daniel)
-src/dst ip/port list expansion works
-fixes a long standing, scary, though never noticed bug:
scrub out on lo1 from any to 10.0.0.1
expanded to
scrub out on lo1 all
... this bug was there from day #1.

"sneaky diff of the month award" dhartmei@


# 1.185 13-Nov-2002 dhartmei

Add label macro $if, as we support {} list expansion for interfaces now.
From David Gwynne. ok henning@, camield@


# 1.184 13-Nov-2002 dhartmei

Initialize tail pointer to node, found by fries@


# 1.183 08-Nov-2002 henning

init buf to NULL just in case...
there isn't a single codepath where it can remain uninitialized, but this
might prevent a stupid bug if we change something later


# 1.182 07-Nov-2002 henning

move the ifa_exists block a bit up in host()
inspired by mpech@ pointing out a missing free(buf). so handle the
it-is-an-interface case where we don't need the buf before allocating memory.


# 1.181 04-Nov-2002 henning

welcome to CIDR world, pfctl!

use inet_net_pton to parse IP addresses.
stuff like
block in from 10/8 to any
works now.

some input camield@ and dhartmei@

ok dhartmei@, camield@, mcbride@


# 1.180 02-Nov-2002 dhartmei

%i -> %d, matches the style of existing code, from millert@


# 1.179 02-Nov-2002 dhartmei

printf int with %i, not %u. from pilot@monkey.org.


# 1.178 30-Oct-2002 henning

simplify


# 1.177 30-Oct-2002 henning

fix interface expansion. since the reversed list expansion code was
committed this was broken, only the first IP address was returned.

pointed out by danh@, who sent an excellent bug report.

ok dhartmei@


# 1.176 29-Oct-2002 henning

introduce
set require-order [yes|no]
default is yes.
with set to "no", it isn't required to have the rules in order (options,
scrub, nat, filter) any more, though of course NATing still happens before
filtering and so on, so one has to take care.

ok camield@ mcbride@ dhartmei@
idea discussed with a whole lotta more people and basically ok for everyone ;-)


# 1.175 27-Oct-2002 henning

remove the "flags X" syntax.
no one who wrote "flags S" meant that, but actually something like "flags
S/SA". with "flags S" changing its actual meaning as more flags got
supported, things got worse.

ok dhartmei@, pb@


# 1.174 22-Oct-2002 mpech

%ul -> %lu

dhartmei@ ok


# 1.173 22-Oct-2002 mcbride

More conversion of "int af" and "u_int8_t af" declarations and function
arguments to the more correct and descriptive "sa_family_t af"

ok dhartmei@ henning@


# 1.172 22-Oct-2002 camield

Rename ipmask to set_ipmask and add some functionality: the netmask
is applied immediately to the address.

This way, the parsed rules output shows exactly which bits of an
address are significant for a match and errors due to wrong netmasks
can be spotted more easily.

Example:
$ pfctl -nvf -
pass in on lo0 from 172.17.0.0/12 to any
@0 pass in on lo0 inet from 172.16.0.0/12 to any

idea refined by dhartmei@
ok frantzen@ henning@
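The netmask-at-parse-time behaviour described in this entry (and the 127.0.0.1/8 -> 127.0.0.0/8 case of the 1.236 ifa_lookup fix above), as an added example that is not pfctl's own code: the function, wrappers and sample inputs are constructed here, and, unlike pfctl after 1.181, it does not accept the bare "10/8" form.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not pfctl's code: mimics for IPv4 what set_ipmask() (rev 1.172)
 * and the ifa_lookup() fix (rev 1.236) do, i.e. apply the prefix length to the
 * address as soon as it is parsed, so "172.17.0.0/12" is stored and printed as
 * "172.16.0.0/12" and a mistyped netmask shows up in pfctl -nvf output.
 *
 * Returns 1 if the input had host bits set (address was not the network base),
 * 0 if it already was canonical, -1 on a parse error.
 * On success, out receives the canonical "net/bits" text.
 */
int canon_net4(const char *spec, char *out, size_t outlen)
{
    char buf[32];
    char *slash, *end;
    long bits = 32;                 /* no "/bits" means a single host */
    struct in_addr in;
    uint32_t mask, host;

    if (snprintf(buf, sizeof(buf), "%s", spec) >= (int)sizeof(buf))
        return -1;
    slash = strchr(buf, '/');
    if (slash != NULL) {
        *slash = '\0';
        if (slash[1] == '\0')
            return -1;
        bits = strtol(slash + 1, &end, 10);
        if (*end != '\0' || bits < 0 || bits > 32)
            return -1;
    }
    if (inet_pton(AF_INET, buf, &in) != 1)      /* dotted quad only */
        return -1;

    /* network-order mask; a 32-bit shift by 32 is undefined, so /0 is special-cased */
    mask = bits == 0 ? 0 : htonl((uint32_t)(0xffffffffUL << (32 - bits)));
    host = in.s_addr & ~mask;       /* the bits the netmask throws away */
    in.s_addr &= mask;

    if (inet_ntop(AF_INET, &in, buf, sizeof(buf)) == NULL)
        return -1;
    snprintf(out, outlen, "%s/%ld", buf, bits);
    return host != 0;
}

/* Convenience wrappers for quick checks; canon_net4_str() returns "" on error. */
const char *canon_net4_str(const char *spec)
{
    static char out[64];

    if (canon_net4(spec, out, sizeof(out)) < 0)
        return "";
    return out;
}

int canon_net4_hostbits(const char *spec)
{
    char out[64];

    return canon_net4(spec, out, sizeof(out));
}

int main(void)
{
    /* constructed sample inputs, including the one from the 1.172 log entry */
    const char *samples[] = { "172.17.0.0/12", "127.0.0.1/8", "10.0.0.0/8",
                              "192.168.1.77", "300.1.1.1/8" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int r = canon_net4_hostbits(samples[i]);

        if (r < 0)
            printf("%-16s parse error\n", samples[i]);
        else
            printf("%-16s -> %-16s%s\n", samples[i], canon_net4_str(samples[i]),
                   r ? "  (host bits were set)" : "");
    }
    return 0;
}
```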


# 1.171 17-Oct-2002 mcbride

These checks are also made in nat_consistent() and rdr_consistent().

ok dhartmei@ henning@


# 1.170 17-Oct-2002 camield

- accept all protocols that are specified by number if they are in
the valid range (also when they're not listed in /etc/protocols)
- explicitly disallow protocol number 0, because it has special meaning
to pf

ok dhartmei@ henning@


# 1.169 16-Oct-2002 mpech

Fix and improve binat mask comparison.

dhartmei@, henning@ ok


# 1.168 14-Oct-2002 henning

Allow one to specify a netblock in a binat rule:

binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27

Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.

from ryan

ok dhartmei@


# 1.167 11-Oct-2002 camield

When a macro cannot be expanded because it is not defined, say so. Also warn
about unused macros.

ok dhartmei@ henning@


# 1.166 11-Oct-2002 camield

In lgetc(), compress strings of whitespace to a single space. This makes
macros come out right in verbose mode and is less functional overhead.

Also err on whitespace after a backslash. That type of error is hard to
find otherwise.

ok dhartmei@ henning@


# 1.165 08-Oct-2002 vincent

remove <0 checks on unsigned numbers.

ok henning@


# 1.164 07-Oct-2002 dhartmei

-Wsign-compare clean


# 1.163 07-Oct-2002 dhartmei

Two cases of const-correctness and make one global local.


# 1.162 07-Oct-2002 henning

set block-policy [drop|return]
drop is default, same behaviour as before

support
block drop
to override a return policy


# 1.161 07-Oct-2002 henning

support a generic return
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else

ok dhartmei@


# 1.160 07-Oct-2002 henning

make return-icmp work for rules covering both v4 and v6
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)

ok and some input dhartmei@


# 1.159 07-Oct-2002 henning

use a new rule_flag PFRULE_RETURNICMP to decide whether to return-icmp or not
instead of just testing return_icmp > 0

ok dhartmei@


# 1.158 07-Oct-2002 dhartmei

Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.


# 1.157 06-Oct-2002 dhartmei

Move CHECK_ROOT into LOOP_THROUGH, gets rid of one macro and saves
several lines, no functional difference. From Camiel Dobbelaar.


# 1.156 05-Oct-2002 dhartmei

Expand {} lists from left to right, so 'pass in from { a, b } to any'
becomes '@0 pass in from a to any @1 pass in from b to any' instead of
the other way around. Patch from Camiel Dobbelaar.


# 1.155 05-Oct-2002 dhartmei

Allow filtering based on IP header's tos field.


Revision tags: OPENBSD_3_2_BASE
# 1.154 22-Sep-2002 henning

little KNF: return(something) -> return (something)


# 1.153 22-Sep-2002 henning

fix linenumber counting in findeol, and simplify by ignoring the \ case,
that's already handled earlier.
fast-forward on erroneous lines

partially from camield@, parts result of a discussion with Mike

ok frantzen@ dhartmei@


# 1.152 22-Sep-2002 henning

antispoof, take 2.
also block incoming packets with our own IP as src.

discussion & help frantzen

ok ho@ dhartmei@ frantzen@


# 1.151 17-Sep-2002 henning

easier "self" implementation.
no functional changes

ok pb@


# 1.150 15-Sep-2002 henning

set a netmask in the dynaddr case
noticed by <han@mijncomputer.nl>

ok pb@


# 1.149 14-Sep-2002 henning

bit more clue in rdr/nat rules wrt address family examination
don't take the af from host_node structs based on interface lookups, most
interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will
at least have one IP address specified from which we take the af for the
whole rule. The rare exceptional cases require the user to specify the af.

ok frantzen@


# 1.148 12-Sep-2002 henning

check for calloc() failure; ho@


# 1.147 12-Sep-2002 henning

antispoof [log] [quick] for [interface|interface_list] [af]

e. g.

antispoof log quick for { dc0, dc1 } inet

docs & regress coming

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@
IPv6 help itojun@

finally, a long story finds its happy end here.


# 1.146 12-Sep-2002 henning

rework netmask handling:
-don't set netmask in host token handler
-clear netmask in ipmask() proper before setting it
-in ifa_load(), also store interface's netmask and broadcast address
-allow ifa_lookup() to return either the interface's IP address(es), network(s)
or broadcast address(es) - not used anywhere yet. This implies that
ifa_lookup() also returns the netmask now.
-host() returns netmasks, too

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@


# 1.145 08-Sep-2002 henning

be more clueful wrt address family in nat/rdr rules.
behaviour noticed by Paul de Weerd, thanks!

ok dhartmei@


# 1.144 02-Sep-2002 dhartmei

Fix parsing of port ranges in translation rules (port a:b -> port c:d).
ok henning@


# 1.143 02-Sep-2002 dhartmei

Make sure the interface specified with route-to/dup-to/fastroute exists
and null-terminate the interface name. Found by Michael Wallis.
ok henning@


# 1.142 20-Aug-2002 dhartmei

Increase lineno on newlines inside multi-line macro definitions, otherwise
errors on subsequent lines are reported with wrong line numbers.
From Paul B. Henson.


# 1.141 16-Aug-2002 henning

kill duplicated check for '(' and ')' in allowed_in_string


# 1.140 12-Aug-2002 dhartmei

Catch null pointer deref (segfault), from wilfried@


# 1.139 06-Aug-2002 henning

missing free(), mpech@
ok pb@


# 1.138 06-Aug-2002 henning

check for strdup() allocation errors

pointed out by mpech@
ok pb@


# 1.137 31-Jul-2002 henning

KNF, esp. missing prototypes


# 1.136 30-Jul-2002 henning

grmpf.
in some cases, on non-tcp rules flags weren't reset. cosmetic-only
problem. but, well, checking for r->flags and r->flagset if we could have
assigned them zero just one round ago is just stupid, and it's not needed to
check them at all.

ok pb@, dhartmei@


# 1.135 30-Jul-2002 henning

allow to specify flags on all rules that include tcp.

these are valid:

pass in from any to any flags S
pass in proto { tcp, udp, icmp } from any to any flags S
pass in proto tcp from any to any flags S

these are invalid:

pass in proto { udp, icmp } from any to any flags S
pass in proto udp from any to any flags S

ok "I've lost my slacker status for at least a week" frantzen@
ok pb@, dhartmei@, deraadt@


# 1.134 26-Jul-2002 henning

make the order of log and quick irrelevant. now both
block in log quick all
and
block in quick log all
work.

ok dhartmei@, deraadt@


# 1.133 23-Jul-2002 henning

timeout_list/_spec and limit_list/_spec don't return anything -> no %type.

ok theo


# 1.132 21-Jul-2002 deraadt

fix route-to also


# 1.131 21-Jul-2002 deraadt

make the , optional in many places. This makes string concat a lot more
useful. Now you can
in = ssh domain www
out = $in ftp finger
pass in proto tcp from any to any port { $in }
pass out proto tcp from any to any port { $out }
a poor example, but the idea is obvious


# 1.130 21-Jul-2002 deraadt

string concat, ie.
a=a b
c=$a $a


# 1.129 20-Jul-2002 deraadt

minor indent tweaks


# 1.128 20-Jul-2002 deraadt

properly split yacc and lex use


# 1.127 19-Jul-2002 deraadt

minor tweaks, sigh


# 1.126 19-Jul-2002 dhartmei

And back out the last change again.


# 1.125 19-Jul-2002 henning

rework the interface lookup routines internals.
less and easier code than before.
no functional changes.

ok frantzen@, dhartmei@


# 1.124 19-Jul-2002 dhartmei

Support # comments at the end of lines and inside (multi-line) string
literals, so you can do things like

macro="{ foo, # first entry
bar, # second entry
baz }" # last entry

or

pass in on $ext_if \ # external interface
proto tcp \ # TCP connections
from any to $ext_if \ # to the gateway itself
keep state

And sneaking in two minor fixes for KNF.


# 1.123 19-Jul-2002 henning

deal with the fact that the struct node_host ifa_pick_ip gets is not always
the result of an interface expansion. in this case ifa_pick_ip does an
address family check (that's actually a (wanted) side effect). Thus, we need
to spit out a meaningful error message in case of a mismatch.
also adjust all the other error messages, they were also assuming that nh is
the result of an interface expansion.
after a looooong discussion on icb (dhartmei@, pb@, me) we agreed on the term
"translation address" for that.

okay dhartmei@


# 1.122 17-Jul-2002 henning

support "self" as address. self expands to all IPv4 and IPv6 addresses of
the machine, on all interfaces. I wanted
block in log on ! lo0 from any to self
for years, and now it's possible.

ok "I may lose my slacking status if I OK it" frantzen@
ok dhartmei@

documentation in pf.conf.5 to come with pb@'s rewrite


# 1.121 16-Jul-2002 dhartmei

Add nat_consistent() and rdr_consistent() for checks that should occur
after rule expansion, similar to rule_consistent(). Fixes the
non-effective test for rdr rules for non-TCP/UDP protocols with ports,
found by mpech@, ok frantzen@


# 1.120 15-Jul-2002 henning

add support for
pass|block on ! $interface ...

ok dhartmei@

will be documented in pf.conf(5) by "I'm not slacking!" pb@ who's currently
reworking this manpage


# 1.119 15-Jul-2002 pb

cosmetics/consolidations to manpage in yyerror()s

ok henning@, dhartmei@


# 1.118 15-Jul-2002 henning

o complain about keep state on block rules
o complain about return-rst on rules which aren't limited to tcp

pointed out by not-slacking-but-testing pb@

ok pb@, dhartmei@


# 1.117 13-Jul-2002 henning

add list expansion for interface and proto in nat rules and for proto in rdr
rules (interface was already there). since the nat.conf/pf.conf merge the
parser accepted these but didn't expand them. ugh.

ok dhartmei@


# 1.116 09-Jul-2002 itojun

check sin6_scope_id field, just in case we change the routing socket API
for scoped address (unlikely due to the deployed codebase...).


# 1.115 09-Jul-2002 itojun

getifaddrs(3) grabs link-local addrs in kernel internal form, convert them
into proper sockaddr_in6.


# 1.114 09-Jul-2002 henning

rework the interface-to-IP routines.

you can use interface names instead of an IP in most places. However, until
now, it was only expanded to the interface's first IPv4 address if existent
(and address family unset or inet) and the first IPv6 address otherwise.

this diff changes that. the interface is properly expanded to all IPs, IPv4
_and_ IPv6, now.

it also cleans up the lookup procedures (well, in fact, they are replaced by
a new one), there's no need for different procedures for IPv4 and IPv6. we
now just have one list of interfaces (AF_LINK) and one list with IPs
(AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and
ifa_lookup.

nat, rdr & friends now use the new function ifa_pick_ip to get the IP in
rules like

nat on $interface from $whatever to any -> $interface

ifa_pick_ip tries to be smart.
if the interface has only one IP address and the nat rule doesn't specify an
address family (or it matches with this address), take this one.
If the address family is specified in the nat rule and there is only one IP
for the given address family, this one is used. if the address family is not
specified and there is more than one IP pfctl throws an error. The same
applies for multiple IPs per address family.

This causes regression tests 18 and 20 to fail because the address family
isn't specified there; diff for those coming.

also fix some prototypes while I'm here.

pb@ found another problem while testing that we must have introduced somewhat
after 3.1.

$cat t
nat on ne3 from any to any -> 213.128.133.5
$pfctl -nvf t
nat on ne3 all -> ?

it's only a representation bug as far as I've checked, nonetheless it should
be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just
steal its target's IP af and set the rule's af accordingly. then inet_ntop
does play nice.
binat rules already enforce having an address family set always and thus are
not affected.

ok dhartmei@, pb@, kjell@
"It looks good" frantzen@


# 1.113 08-Jul-2002 dhartmei

Don't allow 'flags' option in non-TCP rules, found by mpech@


# 1.112 05-Jul-2002 henning

unbreak.


# 1.111 05-Jul-2002 henning

another small bug I found while installing a -current pf firewall.
we don't support

pass/block in on ! <interface>

(at least, not yet)
let the parser complain instead of ignoring the '!'

ok pb@, dhartmei@


# 1.110 01-Jul-2002 espie

streamline parse buffer handling (no need to copy value that is not
going to go away).

add explicit pushback buffer, to be able to push IPv6 failed parses back.

handle pushback + parse buffer interactions by using negative indices.

okay dhartmei@, deraadt@


# 1.109 01-Jul-2002 deraadt

KNF


# 1.108 28-Jun-2002 dhartmei

Don't check for address family conflicts in nat/rdr before expansion,
rules will expand to all valid combinations, and there's an error when
none is found. Makes "nat on tun0 from 10.0.0.0/8 to any -> (tun0)"
work (again).


# 1.107 25-Jun-2002 henning

move pfctl options -t, -m, -O and -l to pf.conf. These are set using the
"set" keyword. example rulefile:

set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all

fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@


# 1.106 24-Jun-2002 dhartmei

Use interface when specified in scrub rule. No support for ! or {} yet.


# 1.105 23-Jun-2002 deraadt

uid_t and gid_t are unsigned


# 1.104 20-Jun-2002 dhartmei

Copy address family from inet/inet6 keyword, if specified.


# 1.103 18-Jun-2002 frantzen

propagate a '!' when a host resolves to multiple IP addresses
ok dhartmei@


# 1.102 18-Jun-2002 frantzen

don't allow individual keep state rules to specify timeouts for 'interval' and
'frag' -- they aren't applied anyway
ok dhartmei@ and henning@


# 1.101 16-Jun-2002 aaron

Rules must in order -> Rules must be in order


# 1.100 15-Jun-2002 dhartmei

Reset rulestate in parse_rules(), so consecutive calls (like from authpf)
will not fail. Reported by Chris Kuethe.


# 1.99 13-Jun-2002 kjell

Fix the numbering of scrub rules. pointed out and oked by frantzen@


# 1.98 12-Jun-2002 kjell

Fix uninitialized access. Spotted by danh@. This is a good reason to
develop with "ln -s 'J' /etc/malloc.conf" enabled.
ok henning@


# 1.97 11-Jun-2002 frantzen

split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@. the rest are slacking


# 1.96 11-Jun-2002 frantzen

SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@


# 1.95 11-Jun-2002 dhartmei

Make NAT proxy port range configurable per rule, for instance privileged
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@


# 1.94 10-Jun-2002 kjell

Merge the NAT and rules files into a single rulefile. Rules must be
in this order, to remove any ambiguity about what order things happen in:

scrub rules
nat rules
filter rules

The -N and -R modifiers go away. Rulefiles are now loaded with the
more POSIXly-correct '-f'

ok frantzen@


# 1.93 10-Jun-2002 dhartmei

Allow ports to be specified in nat rules, useful later on for individual
proxy port ranges.


# 1.92 10-Jun-2002 dhartmei

Move enum out of struct (gcc 3.1 wasn't happy), from David Krause


# 1.91 10-Jun-2002 kjell

split scrub rule processing into its own yacc target,
for imminent config file merge. ok frantzen@


# 1.90 09-Jun-2002 dhartmei

Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it
includes ports and operator.


# 1.89 09-Jun-2002 deraadt

spaced out developers...


# 1.88 09-Jun-2002 kjell

Add list parsing in RDR rules: e.g.

rdr on $IFLIST proto tcp from $SRC_LIST to $DST_LIST port 21 \
-> 127.0.0.1 port 8021

ok dhartmei@


# 1.87 08-Jun-2002 henning

nuke unused parameter af to expand_label_port
ok dhartmei@, pb@


# 1.86 08-Jun-2002 dhartmei

Change remaining read-only lookup tables to const, suggestion drahn@


# 1.85 08-Jun-2002 itojun

comment on IPv6 link-local twists


# 1.84 08-Jun-2002 kjell

add list expansion to src/dest in NAT rules. i.e.

nat on fxp0 from { 10.0.0.0/24, 10.0.1.0/24 } to \
{ 172.6.1.1, 172.14.1.2/32 } -> fxp0

ok theo, dhartmei@


# 1.83 08-Jun-2002 henning

remove macro concatenation via += per Theo's advice


# 1.82 08-Jun-2002 henning

allow macro concatenation like
webservers = "{ 10.0.0.1, 10.0.0.7, 10.0.0.8, "
webservers += " 10.0.0.17, 10.0.0.25, 10.0.0.37 }"
ok frantzen@, dhartmei@


# 1.81 08-Jun-2002 dhartmei

Make state timeouts configurable per rule, like

pass in from any to any port www keep state (tcp.established 60)

ok frantzen@


# 1.80 08-Jun-2002 henning

expand $nr -> rule number in rule labels
okay dhartmei@, frantzen@


# 1.79 08-Jun-2002 henning

expand $proto in rule labels
okay frantzen@ dhartmei@


# 1.78 07-Jun-2002 dhartmei

Handle realloc() failure gracefully. Terminates with err() anyway in this
case, but we don't want to trigger "p = realloc(p," grepping causing false
alarms here.


# 1.77 07-Jun-2002 deraadt

henning, read this to see what i mean by KNF


# 1.76 07-Jun-2002 pb

add the possibility to configure a TTL while return-rst

ok dhartmei@, ipv6 part itojun@ ok


# 1.75 07-Jun-2002 dhartmei

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@


# 1.74 07-Jun-2002 henning

allow using $srcaddr, $srcport, $dstaddr and $dstport in rule labels,
evaluated at parse time.
ok dhartmei@


# 1.73 07-Jun-2002 itojun

make IPv6 scope identification work for dst (from any to fe80::1%lo0)


# 1.72 07-Jun-2002 itojun

support scoped IPv6 address in from/to portion.


# 1.71 01-Jun-2002 hugh

ECN flag support for pf. Committed in consultation with Daniel.


# 1.70 24-May-2002 dhartmei

Support mixed (IPv4/v6) address lists, expand to all possible and valid
combinations. 'pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }' will
expand to two rules, 'from 10.1.2.3 to 10.4.5.6' and 'from ::1 to ::2'.
Also applies to host name resolution (when multiple addresses are returned
for one name). ok frantzen@, itojun@


# 1.69 23-May-2002 deraadt

tiny KNF, some malloc checks, etc


# 1.68 23-May-2002 itojun

new_addr is not used from anywhere. daniel@benzedrine.cx ok


# 1.67 19-May-2002 deraadt

KNF


# 1.66 12-May-2002 dhartmei

Explain that user/group 'unknown' can only be used with operators = and !=
and refuse other constructs in the parser. Also note that 'user >= 0' does
not match forwarded packets with unknown user ID.


# 1.65 12-May-2002 dhartmei

Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.


# 1.64 10-May-2002 dhartmei

Handle host name resolution returning multiple addresses in the rule
parser (expand to every address). ok frantzen@


# 1.63 09-May-2002 jasoni

Add a max-mss option to the scrub rule which will enforce a maximum mss
by lowering it to the given value.
- ok dhartmei@, provos@


# 1.62 09-May-2002 dhartmei

Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.


# 1.61 24-Apr-2002 dhartmei

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).


# 1.60 23-Apr-2002 dhartmei

Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.


# 1.59 18-Apr-2002 deraadt

use strlcpy


# 1.58 17-Apr-2002 dhartmei

Reset lineno for each file, so pfctl -R ... -N ... reports the right
line number for non-first files. Reported by aaron@


Revision tags: OPENBSD_3_1_BASE
# 1.57 27-Mar-2002 mickey

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok


# 1.56 27-Feb-2002 dhartmei

Instead of printing useless @0 rule numbers from pfctl -vR, increase a
counter. Helps debugging rule sets that are not loaded. Suggested by
John Kerbawy.


# 1.55 11-Jan-2002 mickey

use bsearch() for keywords lookup, swap couple of entries to make the keywords array sorted and add a comment to keep it that way; dhartmei@ ok


# 1.54 10-Jan-2002 hugh

Let port 0 be specified as it's not special here.
Agreement with Daniel and others.


# 1.53 09-Jan-2002 mpech

Port must be >0 and <=65535. Idea while having fun with ssh.

dhartmei@ ok


# 1.52 09-Jan-2002 mpech

free() 'interface' in {nat,binat,rdr}rule

dhartmei@ ok


# 1.51 09-Jan-2002 dhartmei

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.


# 1.50 08-Jan-2002 dhartmei

Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.


# 1.49 07-Jan-2002 mpech

remove 3rd argument from ipmask(), not used.

dhartmei@ ok


# 1.48 23-Dec-2001 deraadt

find correct line number in lval, instead of val


# 1.47 10-Dec-2001 dhartmei

Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.


# 1.46 05-Dec-2001 dhartmei

Correctly parse hex numbers. Spotted by Claudio Jeker. Closes PR 2234.


# 1.45 03-Dec-2001 dhartmei

For nat, binat and rdr rules, don't allow different address families in
one rule. pf can't translate IPv4 <-> IPv6 packets. Such rules didn't work,
even if they were falsely accepted before.


# 1.44 26-Nov-2001 jasoni

add fastroute options similar to what is found in ipf
ok dhartmei@, frantzen@


# 1.43 05-Nov-2001 deraadt

no one responds.
this diff makes } and { not be part of symbols


# 1.42 24-Oct-2001 dhartmei

Check interface names using ifa0_lookup() and print error message for
non-existent interfaces (instead of the generic ioctl error returned by
the kernel in this case).


Revision tags: OPENBSD_3_0_BASE
# 1.41 15-Oct-2001 dhartmei

branches: 1.41.2;
Add 'allow-opts' to rules. Packets with IP options will be blocked by
default now, and can be allowed per rule. ok deraadt@


# 1.40 11-Oct-2001 frantzen

Don't htonl() past buffer bounds if ipmask == 128


# 1.39 07-Oct-2001 dhartmei

Add interface name to address translation to pfctl, document it and add
a regress test. Translation is done on rule set load-time only, so the
rule sets must be reloaded when an interface address changes.
parse.y patch from Cedric Berger. Similar patch from Jonathon Fletcher.
Thanks to both.


# 1.38 01-Oct-2001 markus

print variable assignments only if -v is given. ok dhartmei/deraadt


# 1.37 28-Sep-2001 dhartmei

Support underscores in macro names and document it in the man page.


# 1.36 20-Sep-2001 dhartmei

Fix uninitialized structure fields. Problem reported by Cedric Berger.


# 1.35 15-Sep-2001 wilfried

Implement return-icmp(number), return-icmp6(number)
Differentiate between return-icmp and return-icmp6,
icmp-type and ipv6-icmp-type. ok dhartmei@


# 1.34 15-Sep-2001 dhartmei

Fix 'binat ... to any ...' (binat.af wasn't set).


# 1.33 15-Sep-2001 dhartmei

Parse bug, found by wilfried@


# 1.32 15-Sep-2001 frantzen

IPv6 support from Ryan McBride (mcbride@countersiege.com)


# 1.31 12-Sep-2001 markus

check calloc() return value


# 1.30 06-Sep-2001 jasoni

- you can only binat between hosts
- add binat example and description


# 1.29 06-Sep-2001 jasoni

1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@


# 1.28 04-Sep-2001 dhartmei

Support parameter lists {} for interfaces in filter rules, like
pass in on { gm0, kue0 } from any to any


# 1.27 28-Aug-2001 markus

move '!' from host_list to host: "xhost : '!' host | host;"; ok dhartmei@


# 1.26 28-Aug-2001 markus

check for malloc/strdup == NULL


# 1.25 28-Aug-2001 dhartmei

Support ! operator in host parameter lists. Fixes PR system/2030. Reported
by Kamil Andrusz <wizz@mniam.net>.


# 1.24 26-Aug-2001 deraadt

sort keywords


# 1.23 25-Aug-2001 frantzen

PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation.


# 1.22 23-Aug-2001 millert

o for a port_item, initialize the "next" pointer to NULL
o for an address, use calloc() instead of malloc() so the struct is zeroed
Fixes a SEGV in pfctl due to uninitialized "next" pointers.


# 1.21 23-Aug-2001 deraadt

Support var="string". Expansion (at lex time) done using $var, for instance:
okproto="{ssh, smtp, domain, auth}"
pass in on key0 proto tcp from any to any port $okproto keep state
Can I ask someone else to document this in pf.conf(5)?


# 1.20 19-Aug-2001 dhartmei

Add parameter list support to parser. Handles lists for protocol, hosts
and ports in filter rules, like

block in from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
pass in proto tcp from any to any port { ssh, 1024 >< 2000, > 65000 }
block in proto { udp, igmp }

and does rule expansion (generate all needed rule combinations).

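Added example (not pfctl's own code): the list expansion described in the 1.20 entry above, combined with the address-family rule from the 1.70 entry ('pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }' expands to two rules, not four). The struct names, the colon-based family guess and the sample host lists are this example's assumptions; the real parser works on resolved addresses.

```c
#include <stdio.h>
#include <string.h>

/* Address families as this example's own constants. */
enum af { AF_V4 = 4, AF_V6 = 6 };

struct host {
	const char *addr;   /* textual address or network, e.g. "10.0.0.0/8" */
	enum af     af;
};

/* One expanded rule: a single from/to pair of the same family. */
struct rule {
	const char *from;
	const char *to;
	enum af     af;
};

/* Guess the family from the text: IPv6 literals contain a colon.
 * (Assumption for this example; pfctl has the resolved sockaddr.) */
enum af host_af(const char *addr)
{
	return strchr(addr, ':') != NULL ? AF_V6 : AF_V4;
}

struct host mkhost(const char *addr)
{
	struct host h = { addr, host_af(addr) };
	return h;
}

/* Expand 'from { ... } to { ... }' into every from/to combination whose two
 * sides share an address family. Cross-family pairs (v4 -> v6) are dropped
 * rather than emitted as rules that could never match a packet.
 * Returns the number of rules written to out, or -1 if out is too small. */
int expand_hosts(const struct host *from, int nfrom,
    const struct host *to, int nto, struct rule *out, int maxout)
{
	int i, j, n = 0;

	for (i = 0; i < nfrom; i++)
		for (j = 0; j < nto; j++) {
			if (from[i].af != to[j].af)
				continue;
			if (n >= maxout)
				return -1;
			out[n].from = from[i].addr;
			out[n].to   = to[j].addr;
			out[n].af   = from[i].af;
			n++;
		}
	return n;
}

/* The log's mixed example (constructed input):
 *   pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }
 * Returns the number of rules produced. */
int example_mixed_lists(void)
{
	struct host from[2] = { mkhost("10.1.2.3"), mkhost("::1") };
	struct host to[2]   = { mkhost("10.4.5.6"), mkhost("::2") };
	struct rule rules[8];
	int n = expand_hosts(from, 2, to, 2, rules, 8);
	int i;

	for (i = 0; i < n; i++)
		printf("pass in inet%s from %s to %s\n",
		    rules[i].af == AF_V6 ? "6" : "", rules[i].from, rules[i].to);
	return n;
}

/* A single-family list, as in the 1.20 entry: three networks to one host. */
int example_v4_list(void)
{
	struct host from[3] = { mkhost("10.0.0.0/8"), mkhost("172.16.0.0/12"),
	    mkhost("192.168.0.0/16") };
	struct host to[1]   = { mkhost("203.0.113.1") };
	struct rule rules[8];
	return expand_hosts(from, 3, to, 1, rules, 8);
}

int main(void)
{
	printf("%d rule(s) from the mixed lists\n", example_mixed_lists());
	printf("%d rule(s) from the v4 list\n", example_v4_list());
	return 0;
}
```

Running it prints the two same-family rules for the mixed lists and reports three rules for the v4-only list; the v4-to-v6 and v6-to-v4 pairs never appear.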

# 1.19 16-Aug-2001 deraadt

track the line number per-token, so that we can report errors correctly


# 1.18 14-Aug-2001 mickey

optimize the flags parsing; markus@ ok


# 1.17 11-Aug-2001 deraadt

\+\n support, and spit out cc-style error messages. the parser's line
counting is lex dependent, and will need to be tweaked


# 1.16 31-Jul-2001 wilfried

allow to test that flags are unset, ok dhartmei@, mickey@


# 1.15 19-Jul-2001 krw

Fix/complete the handling of the binary ops >< and <> to behave
like the ipf operators.

The 'n >< m' construct (Include Range = PF_OP_IRG) should match
ports greater than n and less than m, not greater than or equal to
n and less than or equal to m.

The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match
all ports less than n OR greater than m, not be treated as an
alias for ><.

Thus PF_OP_GL, which was used for both <> and >< is replaced with
PF_OP_IRG and PF_OP_XRG with the 'correct' semantics.

OK dhartmei@


# 1.14 18-Jul-2001 markus

new ERROR token, errx() -> warnx() + ERROR; ok deraadt@


# 1.13 18-Jul-2001 markus

KNF for return


# 1.12 18-Jul-2001 mickey

check number range to fit in 32 bits


# 1.11 18-Jul-2001 mickey

put range checks on NUMBER, pointed out by deraadt


# 1.10 17-Jul-2001 mickey

spaces, parens, err instead of errx+strerror


# 1.9 17-Jul-2001 markus

warnx()/YYERROR instead of errx(); suggested by mickey@


# 1.8 17-Jul-2001 provos

markus doesn't like min-ttl =, begone


# 1.7 17-Jul-2001 provos

support min-ttl, okay dhartmei@


# 1.6 17-Jul-2001 provos

normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@


# 1.5 17-Jul-2001 marc

bitch about ! in pf rule; ok dhartmei@ and markus@


# 1.4 17-Jul-2001 millert

Only set default proto in the rdr case; markus@ OK


# 1.3 16-Jul-2001 markus

errx() if getservbyname() fails


# 1.2 16-Jul-2001 markus

better flags parsing; dhartmei


# 1.1 16-Jul-2001 markus

add a yacc parser for pf.conf and nat.conf, with help from mickey@,
plus: -n now turns off all operations, and just parses the conf files
ok deraadt@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.709 01-Feb-2021 dlg

change route-to so it sends packets to IPs instead of interfaces.

this is a significant (and breaking) reworking of the policy based
routing that pf can do. the intention is to make it as easy as
nat/rdr to use, and more robust when it's operating.

the main reasons for this change are:

- route-to, reply-to, and dup-to do not work with pfsync

this is because the information about where to route-to is stored in
rules, and it is hard to have a ruleset synced between firewalls,
and impossible to have them synced 100% of the time.

- i can make my boxes panic in certain situations using route-to

yeah...

- the configuration and syntax for route-to rules are confusing.

the argument to route-to and co is an interface name with an optional
ip address. there are several problems with this. one is that people
tend to think about routing as sending packets to peers by their
address, not by the interface they're reachable on. another is that
we currently have no way to synchronise interface topology information
between firewalls, so using an interface to say where packets go
means we can't do failover of these states with pfsync. another
is that a change in routing topology means a host may become
reachable over a different interface. tying routing policy to
interfaces gets in the way of failover and load balancing.

this change does the following:

- stores the route info in the state instead of the pf rule

this allows route-to to keep working when the ruleset changes, and
allows route-to info to be sent over pfsync. there's enough spare bits
in pfsync messages that the protocol doesn't break.

the caveat is that route-to becomes tied to pass rules that create
state, like rdr-to and nat-to.

- the argument to route-to etc is a destination ip address

it's not limited to a next-hop address (though a next-hop can be a
destination address). this allows for the failover and load balancing
referred to above.

- deprecates the address@interface host syntax in pfctl

because routing is done entirely by IPs, the interface is derived from
the route lookup, not pf. any attempt to use the @interface syntax
will fail now in all contexts.

there's enthusiasm from proctor@ jmatthew@ and others
ok sashan@ bluhm@


# 1.708 12-Jan-2021 bluhm

Sometimes a user ID was logged in pflog(4) although the logopt of
the rule did not specify it. Check the option again for the log
rule in case another rule has triggered a socket lookup. Remove
logopt group, it is not documented and cannot work as struct pfloghdr
does not contain a gid. Rename PF_LOG_SOCKET_LOOKUP to PF_LOG_USER
to express what it does. The lookup involved is only an implementation
detail.
OK kn@ sashan@ mvs@


# 1.707 16-Dec-2020 kn

Fail to parse rules with invalid ranges

This makes pfctl(8) detect bogus ranges (with and without `-n') before
loading the ruleset and completes the previous commit.

OK sashan sthen


# 1.706 16-Dec-2020 kn

Reject rules with invalid port ranges

Ranges where the left boundary is bigger than the right one are always bogus
as they work like `port any' (`port 34<>12' means "all ports") or in a way
that inverts the rule's action (`pass ... port 34:12' means "pass no port at
all").

Add checks for all ranges and invalidate those that yield no or all ports.

For this to work on redirections, make pfctl(8) pass the range's type,
otherwise boundary including ranges are not detected as such; that is to
say, `struct pf_pool's `port_op' member was unused in the kernel so far.

`rdr-to' rules with invalid ranges could panic the kernel when hit.
Reported-by: syzbot+9c309db201f06e39a8ba@syzkaller.appspotmail.com

OK sashan

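Added example (not pfctl's own code) covering two entries on this page: the range operators fixed in 1.15 (`n >< m' is exclusive, `n <> m' is its complement) and the degenerate ranges that 1.706/1.707 reject (`port 34<>12' matches every port, `pass ... port 34:12' matches none). The enum values, the brute-force counter and the boundary arithmetic in range_check() are this example's own reading of the log; the operator names only echo pf's PF_OP_* constants.

```c
#include <stdbool.h>
#include <stdio.h>

/* Port operators, named after pf's PF_OP_* constants; values are this
 * example's own. */
enum port_op {
	OP_NONE,  /* no port restriction */
	OP_EQ,    /* port = a   */
	OP_NE,    /* port != a  */
	OP_LT,    /* port < a   */
	OP_LE,    /* port <= a  */
	OP_GT,    /* port > a   */
	OP_GE,    /* port >= a  */
	OP_RRG,   /* port a:b    inclusive range,   a <= p <= b */
	OP_IRG,   /* port a >< b "include range",   a < p < b  */
	OP_XRG    /* port a <> b "exclude range",   p < a || p > b */
};

/* Does port p satisfy operator op with bounds a and b? */
bool port_match(enum port_op op, unsigned a, unsigned b, unsigned p)
{
	switch (op) {
	case OP_NONE: return true;
	case OP_EQ:   return p == a;
	case OP_NE:   return p != a;
	case OP_LT:   return p < a;
	case OP_LE:   return p <= a;
	case OP_GT:   return p > a;
	case OP_GE:   return p >= a;
	case OP_RRG:  return p >= a && p <= b;
	case OP_IRG:  return p > a && p < b;
	case OP_XRG:  return p < a || p > b;
	}
	return false;
}

/* Brute-force oracle: how many of the 65536 ports match. Makes the
 * degenerate cases visible without reasoning about boundaries. */
unsigned count_matching(enum port_op op, unsigned a, unsigned b)
{
	unsigned p, n = 0;

	for (p = 0; p <= 65535; p++)
		n += port_match(op, a, b, p);
	return n;
}

/* Range sanity check in the spirit of r1.706: returns 0 for a usable
 * range, -1 for one that can match no port (the rule silently never
 * fires), +1 for one that matches every port (the rule silently becomes
 * 'port any'). Derived from the operator definitions above. */
int range_check(enum port_op op, unsigned a, unsigned b)
{
	switch (op) {
	case OP_RRG:
		if (a > b) return -1;                 /* port 34:12      */
		if (a == 0 && b == 65535) return 1;   /* port 0:65535    */
		return 0;
	case OP_IRG:
		if (b <= a + 1) return -1;            /* 34 >< 12, 10 >< 11 */
		return 0;
	case OP_XRG:
		if (a > b) return 1;                  /* port 34 <> 12   */
		if (a == 0 && b == 65535) return -1;  /* port 0 <> 65535 */
		return 0;
	default:
		return 0;
	}
}

int main(void)
{
	static const struct { const char *txt; enum port_op op; unsigned a, b; }
	cases[] = {
		{ "1024 >< 2000", OP_IRG, 1024, 2000 },
		{ "1024:2000",    OP_RRG, 1024, 2000 },
		{ "34 <> 12",     OP_XRG, 34, 12 },     /* all ports */
		{ "34:12",        OP_RRG, 34, 12 },     /* no port   */
	};
	unsigned i;

	for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
		printf("port %-12s matches %5u ports, check=%d\n", cases[i].txt,
		    count_matching(cases[i].op, cases[i].a, cases[i].b),
		    range_check(cases[i].op, cases[i].a, cases[i].b));
	return 0;
}
```

The counter confirms the two commit messages: `34 <> 12' hits all 65536 ports and `34:12' hits none, which is exactly why a `block ... port 34<>12' widens to a blanket rule and a `pass ... port 34:12' passes nothing. Note that `1024 >< 2000' excludes both 1024 and 2000 (975 ports), while `1024:2000' includes them (977).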

# 1.705 07-Dec-2020 sashan

synproxy should be processing incoming SYN packets only.
issue noticed by sthen@. fix discussed with bluhm@ and procter@

OK bluhm@, kn@, procter@


# 1.704 01-Oct-2020 kn

rdomain IDs do not need to exist for "on rdomain N" to work

Unlike "... rtable N", pf.conf(5)'s "on rdomain N" does not alter packet
state and will always work no matter if rdomain N currently exists or not,
i.e. the rule "pass on rdomain 42" will simply match (and pass) packets if
rdomain 42 exists, and it will simply not match (neither pass nor block)
packets if 42 does not exist.

There's no need to reload the ruleset whenever routing domains are created
or deleted, which can already be observed now by creating an rdomain,
loading rules referencing it and deleting the same rdomain immediately
afterwards: pf will continue to work as expected.

Relax both pfctl(8)'s parser check as well as pf(4)'s copyin routine to
accept any valid routing domain ID without expecting it to exist at the time
of ruleset creation - this lifts the requirement to create rdomains before
referencing them in pf.conf while keeping pf behaviour unchanged.

Prompted by yasuoka's recent pfctl parse.y r1.702 commit requiring an rtable
to exist upon ruleset creation.

Discussed with claudio and bluhm at k2k20.

Feedback sashan
OK sashan yasuoka claudio


Revision tags: OPENBSD_6_8_BASE
# 1.703 17-Sep-2020 yasuoka

Fix the previous commit whose conditions were reversed.

ok kn


# 1.702 17-Sep-2020 yasuoka

Make pfctl(8) check if the rtable really exists when parsing the
config. work with and diff from kn

ok kn


Revision tags: OPENBSD_6_7_BASE
# 1.701 28-Jan-2020 bket

sbin/pfctl: replace TAILQ concatenation loop with TAILQ_CONCAT

OK kn@, sashan@, florian@


# 1.700 15-Jan-2020 kn

Do the actual pfr_strerror() to pf_strerror() rename

Missed in previous


# 1.699 17-Oct-2019 millert

Use -1 to indicate an invalid uid/gid, not UID_MAX and GID_MAX.
This is the userland portion. OK deraadt@ sashan@


Revision tags: OPENBSD_6_6_BASE
# 1.698 26-Aug-2019 tobhe

Fix file descriptor leak due to popfile() never closing the main config file.

The fix is the same as for other parse.y files in the tree (see bgpd(8) or
unwind(8))

ok bluhm@


# 1.697 05-Jul-2019 patrick

Fix integer sizes in format strings and enable formatting warnings
for yyerror.

From Moritz Buhl
ok bluhm@ claudio@


# 1.696 08-May-2019 sashan

pfctl should check pfctl.astack is not overrun
(bug found and fixed by Petr Hoffmann _at_ oracle.com)

OK kn@


# 1.695 18-Apr-2019 kn

Fix table definition parsing as unprivileged user

revision 1.689 introduced warn_duplicate_tables() unconditionally, breaking
the parser on tables with insufficient permissions to open pf(4):

$ echo 'table <t>' | pfctl -nf-
pfctl: pfr_get_tables: Bad file descriptor

So simply check whether pfctl is able to get the table list first. If not,
instead of silently avoiding namespace collision checks, print a brief
notice iff `-v' is given to help finding duplicate definitions by hand:

$ echo 'table <t>' | ./obj/pfctl -vnf-
table <t>
stdin:1: skipping duplicate table checks for <t>

Reported by Rivo Nurges, thanks!
OK benno sashan


Revision tags: OPENBSD_6_5_BASE
# 1.694 06-Mar-2019 kn

Fix once rules

parse.y revision 1.682 from 16.07.2018 erroneously allowed `match once' and
`anchor "a" once'.

Fix both by checking for PF_DROP not PF_MATCH and creating anchors in the
parser already such that they can be used to distinguish anchor rules in
the same check as well.

Found and fixed by Petr Hoffmann <petr.hoffmann at oracle dot com>, thanks!

While here, remove an unneeded cast and make pfctl_add_rule() void as it
always returned 0.

OK sashan


# 1.693 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.692 10-Feb-2019 kn

Anchor names must not be empty

The parser would allow bogus input and sometimes even produce invalid rules
on empty anchor names, so error out immediately.

OK sashan


# 1.691 10-Feb-2019 kn

Unify anchor name sanity checks

For anchor names, make `load anchor' use the same grammar as `anchor' and
merge unique checks from both places so that anchor names are validated
regardless of the specific rule at hand.

OK sashan


# 1.690 31-Jan-2019 kn

Make divert-packet port accept any port specification

Contrary to other rules accepting a single port, this one only works with
numerical values. Fix it by simply using the proper grammar.

Port ranges are not accepted, but an error message on a range without start
was missing in general, so add it while here.

OK bluhm


# 1.689 11-Jan-2019 kn

When creating tables inside anchors, pfctl warned about namespace
collisions with global tables, but only in certain cases and with
limited information sometimes leaving users clueless.

Deferring the check to process_tabledefs() where tables are eventually
created, both anchor and table name are known which allows for checking
all existing anchors.

With this, warn on all duplicates even in dry-runs (`-n') and print
quoted names so they can be copied to fix configurations right away.

No functional change in parsing or ruleset production.

Discussed with and OK sashan


# 1.688 15-Nov-2018 dlg

scrub opts dont set tos, so remove it from the scrub_opts struct

ok deraadt@


# 1.687 10-Nov-2018 kn

Unbreak `-D macro=value' (r1.686 regression)

Zap trailing semicolon introduced with miko's cmdline_symset() leading to
unconditional err(3). Zap trailing tab while here.


# 1.686 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.685 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.684 16-Sep-2018 millert

Use uid_from_user(3) and gid_from_group(3) in utilities that
do repeated lookups. OK tb@


# 1.683 06-Sep-2018 kn

Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan


# 1.682 16-Jul-2018 kn

reduce duplicate code, fix typo/free correct buffer

In filteropts_to_rule():

* Merge `once' handling from `anchorrule' and `pfrule'
* Remove/shorten duplicate code block
* Fix typo I introduced with r1.678 that frees the wrong buffer (twice)

OK sashan


# 1.681 13-Jul-2018 kn

Fix regression on child queue definitions

I committed the wrong diff in 1.680 which turned `queue cq parent pq ...'
into invalid syntax by changing `interface' to `ON if_item'.

Found by bket, thanks!


# 1.680 11-Jul-2018 kn

Prevent invalid interface specifiers on queue rules

pf.conf(5) states that queues attach to actual interfaces only, yet the
following parses:

# echo queue eq on egress bandwidth 1G default | pfctl -f-
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

# echo queue rq on rdomain 0 bandwidth 1G default | pfctl -vf-
queue rq bandwidth 1G default
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

On rdomains, ifa_exists() returns NULL.
On interface groups, ifa_exists() returns non-NULL but af is never set
to AF_LINK.

OK henning sashan


# 1.679 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.678 10-Jul-2018 henning

'set delay' for the generic packet delay mechanism, ok benno sashan


# 1.677 10-Jul-2018 kn

fix anchor rules with filter opts, introduce filteropts_to_rule()

Some filter options were parsed but not set on anchor rules due to missing
copies of the respective struct members:

$ cat pf.conf
queue rq on trunk0 bandwidth 1G
queue dq parent rq bandwidth 1G default
anchor a set queue dq
$ pfctl -vnf pf.conf | fgrep queue
anchor "a" all

Fix this by moving common code from `anchorrule' and `pfrule' into a new
helper filteropts_to_rule().

Input from henning and benno
OK henning sashan jca


# 1.676 09-Jul-2018 kn

Zap dead code

Commented since r1.465 (2004).

OK deraadt benno jca sashan


# 1.675 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.674 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.673 18-May-2018 benno

A pf rule with a "on rdomain n" with nonexisting rdomain n will cause an

pfctl: DIOCADDRULE: Device busy

error when loading the ruleset, with no information which rule caused
the problem and no indication that the problem is the rdomain
<nonexisting>.

This diff makes pfctl check if the rdomain really exists when parsing
the config.

ok bluhm@


# 1.672 09-May-2018 otto

Fix (include file ) line number counting by keeping track of the unget
buffer per file; also use that buffer to expand macros.
ok sashan@ dennis@ krw@


# 1.671 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.670 08-Feb-2018 henning

make the watermarks/thresholds for entering and leaving syncookie mode when
syncookies are set to adaptive tunable, ok claudio benno


# 1.669 06-Feb-2018 henning

allow control over syncookies: set syncookies never/always/adaptive


# 1.668 28-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@


# 1.667 27-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Convert the pfctl(8) rule parser to divert types, kernel cleanup
will be the next step.
OK sashan@


# 1.666 25-Nov-2017 sashan

- pfctl fails to handle nested 'load anchor' properly
[ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]

OK bluhm@


# 1.665 14-Nov-2017 sashan

- nested anchors vs. pfctl/parse.y
bug reported and fix tested by Leonardo Guardati

OK bluhm@


# 1.664 13-Nov-2017 henning

add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb


Revision tags: OPENBSD_6_2_BASE
# 1.663 11-Aug-2017 benno

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@


# 1.662 19-Jul-2017 mikeb

Allow HFSC classes to use flow queues

The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue. Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.

Discussed with and OK henning@ at d2k17 as a part of a larger diff.


# 1.661 19-Jul-2017 mikeb

Rework HFSC vs FQ-CoDel checks

The selection mechanism introduced in pf_ioctl.c -r1.316 suffers
from being too ambiguous and lacks robustness. Instead of relying
on composition of multiple flags in the queue specification, it's
easier to identify the root class (if it exists) and derive all
further checks from it.


# 1.660 28-May-2017 akfaew

Don't check np->port for NULL - it's an array, it's never NULL.

OK bluhm@


# 1.659 15-May-2017 mikeb

Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)

OK sthen, visa


# 1.658 28-Apr-2017 mikeb

Remove double assignments


Revision tags: OPENBSD_6_1_BASE
# 1.657 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.656 23-Nov-2016 bluhm

Explicitly forbid to combine af-to with route-to in pfctl. The
parser cannot handle that correctly and it is unclear whether the
kernel code would work. Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@


# 1.655 26-Aug-2016 guenther

Add <time.h> for time(); sort <*.h> includes

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.654 18-Jul-2016 henning

g/c unused (global!) var: oqueues isn't used any more. ALTQ leftover; not
noticed since struct node_queue stayed. ok claudio benno gcc


# 1.653 22-Jun-2016 kettenis

Add curly braces that were missed in rev 1.651. Add parenthesis to make the
condition in the if statement more readable while I'm there.

ok phessler@, benno@, florian@


# 1.652 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.651 21-Jun-2016 benno

the manpage documents that af-to does not work on pass out rules, but
the pf.conf parser allows it, which leads a non working configuration
being loaded.
this changes the parser to make pass out .. af-to an error.

ok henning@ mikeb@


# 1.650 16-Jun-2016 henning

allow include in inline anchors
with this,
anchor foo {
include "/path/to/rules"
}
works and "load anchor" is obsolete, to be removed somewhen later after
release.
co-production with reyk at bsdcan, ok reyk mikeb benno sasha


Revision tags: OPENBSD_5_9_BASE
# 1.649 01-Sep-2015 sashan

- route-to, dup-to, reply-to should not override the block action

Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>

ok jung@, ok mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.648 21-Apr-2015 mikeb

Improve divert-to specification parsing w.r.t. rule address family.
ok henning


Revision tags: OPENBSD_5_7_BASE
# 1.647 26-Feb-2015 sthen

%% not % in error message; ok millert@ henning@


# 1.646 14-Feb-2015 sthen

Rather than using 0xff as a placeholder for "don't check prio", use 0xff to
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.

Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesn't like it he can change it when he recovers from jet-lag"


# 1.645 10-Feb-2015 henning

since we inherit prio (as in, the queuing priority) from outside sources,
i. e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan


# 1.644 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.643 19-Dec-2014 reyk

Support source-hash and random with tables and dynifs; not just pools.
This finally allows to use source-hash for dynamic loadbalancing, eg.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.

An older pre-siphash version of this diff was tested by many people.

OK tedu@ benno@


# 1.642 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@

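Added example (not pfctl's lexer) for two of the string-handling entries above: the quoted-string rules restated in 1.685 (inside quotes, a backslash before space or tab yields that character, a backslash before newline is a line continuation) and the embedded-NUL rejection from 1.642. It scans with an explicit length, because a C string would hide the NUL that the afl-found crash depended on. Treating any other backslash as a literal character is this example's assumption, and the helper names are its own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Scan a double-quoted literal at buf[0] == '"' from a length-delimited
 * buffer. Returns the number of bytes consumed (closing quote included)
 * and writes the unquoted value to out; returns 0 on a bad literal:
 * unterminated, longer than outlen, or containing an embedded NUL. */
size_t scan_quoted(const char *buf, size_t len, char *out, size_t outlen)
{
	size_t i, o = 0;

	if (len == 0 || buf[0] != '"')
		return 0;
	for (i = 1; i < len; i++) {
		unsigned char c = (unsigned char)buf[i];

		if (c == '\0')
			return 0;          /* embedded NUL: reject the token */
		if (c == '"') {
			if (o >= outlen)
				return 0;
			out[o] = '\0';
			return i + 1;
		}
		if (c == '\\' && i + 1 < len) {
			unsigned char n = (unsigned char)buf[i + 1];

			if (n == '\n') {   /* line continuation: drop both */
				i++;
				continue;
			}
			if (n == ' ' || n == '\t') {  /* escaped blank */
				c = n;
				i++;
			}
			/* any other backslash is kept literally (assumption) */
		}
		if (o + 1 >= outlen)
			return 0;
		out[o++] = (char)c;
	}
	return 0;                          /* no closing quote */
}

/* Check helper: bytes consumed if the literal scans and equals expect,
 * otherwise 0. */
size_t scan_expect(const char *buf, size_t len, const char *expect)
{
	char out[256];
	size_t n = scan_quoted(buf, len, out, sizeof out);

	if (n == 0 || strcmp(out, expect) != 0)
		return 0;
	return n;
}

int main(void)
{
	/* Constructed inputs; the third carries an embedded NUL byte. */
	static const char plain[]  = "\"abc\" rest";
	static const char blank[]  = "\"a\\ b\"";
	static const char cont[]   = "\"a\\\nb\"";
	static const char nul[]    = "\"a\000b\"";
	static const char open[]   = "\"abc";

	printf("plain: %zu\n", scan_expect(plain, sizeof plain - 1, "abc"));
	printf("blank: %zu\n", scan_expect(blank, sizeof blank - 1, "a b"));
	printf("cont:  %zu\n", scan_expect(cont, sizeof cont - 1, "ab"));
	printf("nul:   %zu (0 = rejected)\n", scan_expect(nul, 5, "a"));
	printf("open:  %zu (0 = rejected)\n", scan_expect(open, 4, "abc"));
	return 0;
}
```

The important detail is `sizeof nul - 1` versus `strlen(nul)`: the latter stops at the embedded NUL and would hand the scanner a literal that looks complete, which is the class of bug the fuzzer hit.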

# 1.641 27-Oct-2014 mikeb

Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic. Reported by sthen@;
ok henning benno sthen


# 1.640 25-Oct-2014 lteo

Remove unnecessary netinet/in_systm.h include.

ok millert@


# 1.639 13-Sep-2014 doug

Replace all queue *_END macro calls except CIRCLEQ_END with NULL.

CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.

ok millert@


# 1.638 23-Aug-2014 pelikan

when you specify queues in a rule, make sure they have been defined.

DIOCADDRULE EBUSY turns into an error message that pfctl -n catches.
DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported
to occur, possibly from hfsc.c: this should be fixed as well.

ok henning mikeb sthen


# 1.637 21-Aug-2014 mikeb

deny "once" flags for match rules; ok henning


Revision tags: OPENBSD_5_6_BASE
# 1.636 02-Jul-2014 mikeb

branches: 1.636.4;
condition above makes this part of the check useless;
overlooked in the previous commit


# 1.635 30-Jun-2014 mikeb

Merge two loops in collapse_redirspec into one

This lets us do the checks only once and also make smarter decisions
about the rule's own address family. As a result af-to rules no longer
need to specify the address family after 'pass'.

ok henning


# 1.634 25-Jun-2014 mikeb

Make stricter decisions when handling translation specifications.

In particular, disallow specifications containing addresses of
different address families when rule doesn't specify one, for
example "pass out nat-to { ::1 1.1.1.1 }" will now produce an
error instead of silently picking one of the addresses.

sthen and deraadt agree


# 1.633 17-May-2014 bluhm

When parsing a numerical value for the TOS bits, make sure that it
is in a valid range.
OK henning@


# 1.632 19-Apr-2014 henning

remove altq bits here, too
(i was convinced i committed that yesterday already, hrm)


Revision tags: OPENBSD_5_5_BASE
# 1.631 22-Jan-2014 henning

branches: 1.631.4;
relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.630 21-Jan-2014 henning

if_item can be "any" now.
allows things like
block out on $someif received-on any
to prevent packets from getting forwarded to $someif


# 1.629 20-Jan-2014 henning

support "!received-on <interface>", ok dlg benno


# 1.628 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.627 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


# 1.626 17-Oct-2013 henning

cannot have queue definitions inside anchors.
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@@ring0.de>, analysis & fix yours truly


# 1.625 12-Oct-2013 henning

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen


# 1.624 01-Aug-2013 mikeb

Provide local implementations of if_nametoindex(3) and if_indextoname(3)
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance wise this change provides a speed up
factor of 20 with an 11k line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).

"wow!" henning, ok benno, florian


Revision tags: OPENBSD_5_4_BASE
# 1.623 01-Jun-2013 henning

branches: 1.623.2;
remove set-tos backwards compat, moved into the set {} block a year ago
ok ryan


# 1.622 02-Mar-2013 sthen

When a PF rule contains 'set tos' *followed by* a scrub option, the tos
value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning


Revision tags: OPENBSD_5_3_BASE
# 1.621 16-Jan-2013 henning

for consistency with prio etc, the queue assignment really belongs
into the set block. so make pfctl accept, print and the manpage document
. match set queue foo
instead of
. match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc


# 1.620 18-Oct-2012 reyk

Disallow tables and interface address pools for rdr-to, nat-to and
route-to with any other scheduling algorithms than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, e.g. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.

Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.

ok zinke@


# 1.619 18-Sep-2012 henning

prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb


Revision tags: OPENBSD_5_2_BASE
# 1.618 10-Jul-2012 bluhm

Allow an implicit address family for af-to rules. If the address
family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6"
there.
OK henning@ mikeb@


# 1.617 10-Jul-2012 henning

set { ... } -> set ( ... )
brought up by ryan, discussed with him and theo and they convinced me


# 1.616 09-Jul-2012 henning

fix some of the confusion we have in pf regarding filter criteria vs
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler


# 1.615 07-Jul-2012 henning

remove incorrect check in pfctl preventing set-tos for ipvshit.
the kernel has code to deal with set-tos and that crap. don't ask for
details. stuart ok


# 1.614 07-Jul-2012 henning

rename prio in struct pf_rule and related structs to set_prio so it is
utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc


Revision tags: OPENBSD_5_1_BASE
# 1.613 19-Dec-2011 mikeb

unbreak rule optimizer; ok henning, looks


# 1.612 12-Dec-2011 mikeb

fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault


# 1.611 03-Dec-2011 mcbride

pfctl_set_hostid always returns 0; don't pretend otherwise and make it a
void function instead.

ok dlg


# 1.610 13-Oct-2011 claudio

pfctl change for af-to / NAT64 support.
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@


# 1.609 07-Sep-2011 haesbaert

Avoid possible SIGSEGV when wrong tos option.


# 1.608 30-Aug-2011 mikeb

One shot rules can be used in pf.conf by specifying a "once" filter option.

ok henning, mcbride


Revision tags: OPENBSD_5_0_BASE
# 1.607 29-Jul-2011 mcbride

Remove requirement to quote 'debug' loglevel for the 'debug' option.

ok henning


# 1.606 27-Jul-2011 mcbride

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt


# 1.605 13-Jul-2011 mcbride

Force user to specify protocol when filtering on user, gid, and os
attributes (this is now required by pf_rule_test()).

ok sthen henning


# 1.604 08-Jul-2011 henning

allow rules to specify "prio X" or "prio (X, Y)" to assign priority levels
for the new priority queueing implementation. valid range is 0 to 7. the old
trick for prioritizing empty ACKs etc remains thru the latter notation
ok ryan mpf sthen plus pea testing and halex and claudio reading


# 1.603 07-Jul-2011 mcbride

Fold pf_test_fragment() into pf_test_rule(), reduces code and fixes
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus


# 1.602 04-Jul-2011 henning

bye bye require-order.
i added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo


# 1.601 03-Jul-2011 henning

g/c RIO traces (aka clean up after tedu :))


# 1.600 03-Jul-2011 zinke

bring in least-states load balancing algorithm

ok mcbride@ henning@


# 1.599 06-Apr-2011 claudio

Userland bits to allow PF to filter on the rdomain a packet belongs to.
This allows to write rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@


# 1.598 05-Apr-2011 mikeb

ditch fastroute, an ipf feature that made its way into pf before
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do. reuse some kernel bits for the upcoming nat64
stuff. "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.


Revision tags: OPENBSD_4_9_BASE
# 1.597 31-Dec-2010 bluhm

According to pf_scrub_ip6() pf does not support the scrub options
no-df, random-id, set-tos for IPv6 rules. Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@


# 1.596 15-Dec-2010 henning

make the "invalid probability:" yyerror suck less
From: Thomas Pfaff <tpfaff@tp76.info>


# 1.595 01-Dec-2010 jsg

remove some unused tokens
ok henning@ mcbride@


# 1.594 24-Sep-2010 henning

remove the check that enforced rdr-to only inbound and nat-to only outbound.
both now can be used in both directions. the kernel allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given, a rule with rdr-to and/or nat-to
and no direction is pretty certainly an error (even though it would work,
technically)
ok ryan claudio dlg


# 1.593 22-Sep-2010 henning

new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually


# 1.592 02-Sep-2010 sobrado

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@


Revision tags: OPENBSD_4_8_BASE
# 1.591 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.590 03-Jul-2010 mcbride

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.

tested by phessler
ok henning


# 1.589 23-Mar-2010 henning

remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving anchors aside) is wrong and
conflicts with the general idea of how pf works. last but not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc


Revision tags: OPENBSD_4_7_BASE
# 1.588 13-Jan-2010 deraadt

Move tokens before productions into more consistent places
ok mcbride


# 1.587 13-Jan-2010 mcbride

Allow /netmask notation in redir spec, fix the rest of the regress
tests for illegal conditions in translation/routing.


# 1.586 12-Jan-2010 mcbride

We actually have to keep the translate/route spec addresses around after
collapsing into tables, so that we can handle all possible address family
expansions.


# 1.585 12-Jan-2010 mcbride

Set roundrobin flag correctly, and don't treat a bare interface
like a dynamic one in the routespec.


# 1.584 12-Jan-2010 mcbride

Add restrictions to make @if illegal outside of routing specs;
Fix binat-to sanity checks.


# 1.583 12-Jan-2010 mcbride

Fix some issues in redir spec handling, discovered thanks to dlg testing
- purge irrelevant addresses from the lists before collapsing
- ensure the lists are freed after they're collapsed
- more careful ifname copying, avoiding double-free / use-after-free traps


# 1.582 12-Jan-2010 mcbride

Don't leak @if0 format routing host names, pointed out by claudio.


# 1.581 12-Jan-2010 mcbride

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio


# 1.580 10-Jan-2010 deraadt

lex <=, >=, and != into a single token for correctness and to reduce the
lookahead in the parser
ok henning otto


# 1.579 10-Jan-2010 deraadt

In the non-optimized case, an address list containing "any" (i.e. { any 10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1. How long this bug has
been with us is unclear.
ok guenther mcbride


# 1.578 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


# 1.577 24-Dec-2009 dlg

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:

pass out on em0 from $foo to $bar received-on fxp0

ive been running this in production for a week now. i find it particularly
useful with interface groups.

no objections, and a few "i like"s from henning, claudio, deraadt, mpf


# 1.576 10-Dec-2009 deraadt

plug some memory leaks; found by parfait, ok henning


# 1.575 22-Nov-2009 henning

cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing


# 1.574 09-Nov-2009 jsg

A few more places to be updated for the route pool change.
expanded version of a diff from Vadim Zhukov.

ok henning@ claudio@


# 1.573 28-Oct-2009 jsg

Add a dedicated pf pool for route options as suggested by henning,
which unbreaks i.e. route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@


# 1.572 28-Oct-2009 claudio

route_host initializes the netmask to a /128 no matter what af is used so
that the load balancing code does not freak out but because of this
check_netmask() is now complaining. So set the addr.type to PF_ADDR_DYNIFTL
so check_netmask() is fixing up the netmask for IPv4 and stops complaining.
This is a partial fix for the failing regress test 13.
found with jsg, looks good henning


# 1.571 28-Oct-2009 claudio

Correct function name in err and errx.


# 1.570 04-Oct-2009 michele

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who spotted the limitations of this approach.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@


# 1.569 08-Sep-2009 michele

I had not enough oks to commit this diff.
Sorry.


# 1.568 08-Sep-2009 michele

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.


# 1.567 07-Sep-2009 reyk

implement binat-to as a macro-like rule: a rule using the new binat-to
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. this simplifies the migration from old
binat rules and is less error-prone.

feedback from many, manpage bits from jmc@
ok henning@


# 1.566 03-Sep-2009 reyk

this time i commit the right diff that was
ok henning@ (sorry)


# 1.565 03-Sep-2009 reyk

fix two route-to vs. rdr-to conflicts.

found by sthen@
ok henning@


# 1.564 02-Sep-2009 reyk

all the new *-to options are part of the "filteropts" section at the
end of a pf rule (nat-to, divert-to, rdr-to, ...). take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.

for example,
pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)

many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@


# 1.563 01-Sep-2009 henning

the diff theo calls me insanae for:
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too


# 1.562 28-Jul-2009 claudio

Bring back rev. 1.560:
Make it possible to use DiffServ Code Point in the TOS fields.
Requested by deraadt@


# 1.561 27-Jul-2009 deraadt

When will people learn to commit their .h file changes?


# 1.560 27-Jul-2009 claudio

Make it possible to use DiffServ Code Point in the TOS fields. Names like
af11, cs6 and ef will now be mapped to the corresponding TOS value.
OK henning@, sthen@, mcbride@


Revision tags: OPENBSD_4_6_BASE
# 1.559 14-May-2009 sthen

actually change the require-order default to No; I missed a part with
my last commit. ok deraadt@


# 1.558 26-Apr-2009 sthen

switch the require-order default to "no". regression tests still pass.
ok henning@ deraadt@


# 1.557 25-Apr-2009 henning

scrub_opts must not be empty, scrub on its own does nothing.
noticed due to a question from otto@, ok regress/sbin/pfctl/ ;)


# 1.556 06-Apr-2009 henning

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i.e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i.e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.


Revision tags: OPENBSD_4_5_BASE
# 1.555 19-Feb-2009 deraadt

spacing


# 1.554 17-Oct-2008 henning

in findeol(), do not skip the pushback buffer. fixes PR 5952 by sthen@ and
should make the pushback buffer really transparent.
diagnosis by me, fix with mpf, some input deraadt, ok mpf


# 1.553 02-Oct-2008 henning

implement "set state-defaults X", where X is a list of state options as
permitted keep state(X). applies to all rules which do not have keep state
explicitly. e.g. "set state-defaults pflow, no-sync"
ok phessler deraadt


# 1.552 10-Sep-2008 deraadt

do not try to print $$ when it has not been set


# 1.551 09-Sep-2008 henning

welcome pflow(4), a netflow v5 compatible flow export interface.
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo


# 1.550 07-Aug-2008 henning

correctly copy the log interface spec when expanding an antispoof rule that
covers loopback addresses. ok ryan
problem report from Harald Dunkel <harald.dunkel@aixigo.de>


Revision tags: OPENBSD_4_4_BASE
# 1.549 03-Jul-2008 deraadt

do not forget to initialize other member of $$ in qname; noted by mark shroyer
ok henning


# 1.548 10-Jun-2008 mcbride

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt


# 1.547 10-Jun-2008 henning

new state option "sloppy" to use the sloppy tcp state tracker instead
of the good one. ok theo ryan reyk


# 1.546 09-May-2008 deraadt

Replace a crockpot of semi-cloned productions for handling port
numbers with one, and fix a few other bugs along the way
ok mpf henning


# 1.545 09-May-2008 markus

convert port byte order in the production; add port keyword; ok deraadt@


# 1.544 09-May-2008 markus

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@


# 1.543 08-May-2008 deraadt

make "to any" optional in binat, or well, the implied default.
requested by reyk, ok reyk mpf


# 1.542 08-May-2008 deraadt

Loosen grammar to permit any number of newlines within most kinds of { }
blocks, as requested by reyk; ok reyk mpf henning


# 1.541 08-May-2008 deraadt

Bring back (in a more yacc friendly way) support for setting variables
to a sequence of strings and numbers, which get folded together into one
string (and later, when used, is re-lexed)
ok mpf


# 1.540 07-May-2008 deraadt

do not assume PF_INOUT is 0 in the enum; ok mcbride


# 1.539 07-May-2008 markus

scrub packets based on tags; ok henning


# 1.538 07-May-2008 markus

allow setting TOS with scrub; ok mcbride, claudio


# 1.537 21-Apr-2008 deraadt

optnl is a crutch for those who do not understand yacc. it
leads to a variety of errors; ok mcbride


Revision tags: OPENBSD_4_3_BASE
# 1.536 01-Feb-2008 mcbride

Enable the rest of the filter_opts to be used on anchors. These were accepted
by the parser but not passed to the kernel. This allows filtering based on
uid, gid, icmp options, tcp flags, os fingerprint, tos, tags, and probability;
It also allows the label to be set. State options and tagging are not
permitted.

ok henning mpf


# 1.535 13-Nov-2007 mpf

Bring back the number converter for 'set hostid'.
I forgot to think about hex numbers when I removed it.
OK deraadt@


# 1.534 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.533 25-Oct-2007 mpf

Fix probability rules w/ numbers (e.g probability 0.4).
Add support for probabilities of 0% and 100%.
With and OK deraadt@


# 1.532 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.531 22-Oct-2007 deraadt

pfctl does not need file secrecy


# 1.530 16-Oct-2007 mpf

Allow unquoted numbers in variables.
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.

OK deraadt@


# 1.529 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.528 13-Oct-2007 deraadt

support an include directive; file of course must also be "secure" like
the main configuration file; ok henning


# 1.527 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.526 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.525 01-Oct-2007 mpf

Backout NUMBER to string conversion.
Requested by deraadt@


# 1.524 27-Sep-2007 mpf

Add loginterface support for groups.
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.

OK henning@, markus@


# 1.523 23-Sep-2007 mpf

Allow numbers to be used as unquoted strings again.
While there, also restrict the use of concatenated, unquoted
strings for variable assignments only.

Eyeballed by markus@, OK henning@


# 1.522 12-Sep-2007 deraadt

add a missing range check for rtable ids; ok cloder henning


# 1.521 12-Sep-2007 deraadt

Add support to the lex for parsing numbers out of the stream. handle
this in the parser. because the new numbers are int64_t, many new
range checks for < 0 are needed. re-check and improve all the
existing rangechecks while at it. thanks for help by cloder and
dhartmei


# 1.520 30-Aug-2007 dhartmei

add support for address ranges ("from 10.1.2.50 - 10.1.3.75") in from/to
criteria. ok mcbride@


Revision tags: OPENBSD_4_2_BASE
# 1.519 21-Jun-2007 henning

always initialize logif, from max laier, ok ryan


# 1.518 20-Jun-2007 mpf

Allow "log" for nat rules without "pass".
OK henning@, ``passt scho'' markus@


Revision tags: OPENBSD_4_1_BASE
# 1.517 03-Feb-2007 dhartmei

in decide_address_family(), only limit a rule to a specific address family
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@


# 1.516 07-Nov-2006 mcbride

Unbreak authpf by handling non-inline anchors separately from the { } anchors
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.

ok deraadt@


# 1.515 31-Oct-2006 mcbride

Allow pfctl ruleset optimizer to be controlled from the ruleset.

"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]

You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.

cleanup and ok henning@


# 1.514 31-Oct-2006 mcbride

- don't allow anchors with _* names to be cleared or loaded from the
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified

'looks sensible' deraadt@


# 1.513 28-Oct-2006 mcbride

Load all rules into memory before loading into the kernel, and add support
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").

anchor on fxp0 {
pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@


# 1.512 25-Oct-2006 henning

make absolutely sure logif is 0 unless set specifically, even if log is 0.
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...


# 1.511 25-Oct-2006 henning

and another nit, $$.log should be set to 0 explicitly on quick without log


# 1.510 25-Oct-2006 henning

urgs, $$.quick needs to be set to 0 explicitly on log (without quick)


# 1.509 25-Oct-2006 henning

allow the log interface to be selected like
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride


# 1.508 17-Oct-2006 mcbride

Don't automatically set 'flags S/SA' on stateless rules.

pointed out by david@

ok mpf@ dhartmei@


# 1.507 11-Oct-2006 deraadt

quotes around filename, pr 5253, sthen@zephyr.spacehopper.org


# 1.506 11-Oct-2006 mcbride

Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside
the anchor, terminate ruleset evaluation when stepping out of the anchor.

This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.

ok dhartmei@ henning@ deraadt@


# 1.505 06-Oct-2006 mcbride

Oops, flags S/SA doesn't work on fragments.


# 1.504 06-Oct-2006 mcbride

Make 'flags S/SA keep state' the implicit default for filter rules, based on
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.

IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.

Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.

ok dhartmei@ deraadt@ henning@


Revision tags: OPENBSD_4_0_BASE
# 1.503 22-Aug-2006 dhartmei

back out -r1.497 (support for "tagged {}" lists), it broke "tagged" support
for nat rules. sorry, existing functionality trumps syntactic sugar. feel
free to resubmit a complete patch. closes PR 5207.


# 1.502 06-Jul-2006 henning

add "rtable" to select alternate routing tables.
with & ok claudio hshoexer


# 1.501 17-Jun-2006 henning

KNF


# 1.500 28-May-2006 mcbride

Make per-rule adaptive timeouts behave the same way as the global adaptive
timeouts.


# 1.499 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.498 02-May-2006 dhartmei

fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, create
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.


# 1.497 01-May-2006 dhartmei

add support for "tagged {}" lists, from Pierre-Yves Ritschard


# 1.496 06-Apr-2006 henning

allow lists inside lists for address specs, has been in my tree for
quite some time... theo likes


# 1.495 14-Mar-2006 djm

implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@


Revision tags: OPENBSD_3_9_BASE
# 1.494 17-Nov-2005 dhartmei

for pfctl -f rules, open the file before resetting options. when opening
the file fails, produce only the error message and leave options
unchanged. reported by Tamas TEVESZ, ok deraadt@


# 1.493 13-Oct-2005 henning

unused parameters


Revision tags: OPENBSD_3_8_BASE
# 1.492 14-Jun-2005 henning

no need to restrict tagging to stateful rules any more, dhartmei ok
From: "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.491 27-May-2005 dhartmei

get rid of 'log-all'. now that we have 'log (options)', make 'all' an
option to log. so, 'log-all' becomes 'log (all)'.


# 1.490 27-May-2005 dhartmei

get rid of shift/reduce conflicts, don't support empty logopts


# 1.489 27-May-2005 dhartmei

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v are used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.


# 1.488 27-May-2005 dhartmei

allow 'tagged' in 'anchor' rules (without complaining about missing
'keep state'), as a condition to branch into the anchor. suggested
by Bill Marquette.


# 1.487 26-May-2005 camield

The illegalness of "no nat log" is already enforced by the grammar.

ok dhartmei


# 1.486 26-May-2005 dhartmei

support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@


# 1.485 23-May-2005 camield

remove code that duplicates getservice()

ok dhartmei mcbride


# 1.484 21-May-2005 henning

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo


# 1.483 22-Apr-2005 camield

Catch bad flags, ie. flags that always evaluate to false. This happens
if there are flags on the left-hand side that are masked off by the
right-hand side.

ok mcbride@ (long time ago) dhartmei@ henning@

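Worked example of the check described in this entry (and of the 'flags S/SA' matching that 1.504 later makes the default), added here by the editor and not code from pfctl: a small parser for the a/b flag syntax that refuses a spec whose required bits are masked off, beside the match test the kernel applies. The flag letters and the (th_flags & flagset) == flags semantics follow pf.conf(5); the function names and the a/b-only syntax (no 'any', no bare 'flags S') are this example's own assumptions.

```c
#include <stdint.h>
#include <string.h>

/* TCP header flag bits, as in <netinet/tcp.h>. */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_ECE  0x40
#define TH_CWR  0x80

/* pf.conf flag letters: F S R P A U E W. Returns -1 for anything else. */
static int
flag_bit(int c)
{
	switch (c) {
	case 'F': return TH_FIN;
	case 'S': return TH_SYN;
	case 'R': return TH_RST;
	case 'P': return TH_PUSH;
	case 'A': return TH_ACK;
	case 'U': return TH_URG;
	case 'E': return TH_ECE;
	case 'W': return TH_CWR;
	default:  return -1;
	}
}

/* Parse a letter string such as "SA" into a bitmask; -1 on an unknown letter. */
static int
parse_flagstr(const char *s, uint8_t *out)
{
	uint8_t m = 0;

	for (; *s != '\0'; s++) {
		int b = flag_bit(*s);
		if (b < 0)
			return -1;
		m |= (uint8_t)b;
	}
	*out = m;
	return 0;
}

/*
 * Parse "flags/flagset" (e.g. "S/SA") and validate it (example parser, not pfctl's).
 * Returns 0 on success, -1 on a syntax error, -2 for a spec that can never match.
 */
int
parse_flags(const char *spec, uint8_t *flags, uint8_t *flagset)
{
	char buf[32], *slash;

	if (strlen(spec) >= sizeof(buf))
		return -1;
	strcpy(buf, spec);
	slash = strchr(buf, '/');
	if (slash == NULL)
		return -1;
	*slash = '\0';
	if (parse_flagstr(buf, flags) < 0 || parse_flagstr(slash + 1, flagset) < 0)
		return -1;
	/* A bit required by 'flags' but masked off by 'flagset' is never visible:
	 * the rule would silently match nothing. This is the 1.483 check. */
	if ((*flags & ~*flagset) != 0)
		return -2;
	return 0;
}

/* The kernel-side test: of the bits in flagset, exactly those in flags are set. */
int
flags_match(uint8_t th_flags, uint8_t flags, uint8_t flagset)
{
	return (th_flags & flagset) == flags;
}
```

With "S/SA" the initial SYN matches, a SYN+ACK does not, and a mid-stream ACK+PSH does not, which is why only the first packet of a handshake creates state under that default; "SA/S" is the kind of spec the parser refuses because A is masked off.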

Revision tags: OPENBSD_3_7_BASE
# 1.482 07-Mar-2005 henning

print unsigned long with %lu, not with %d and not with %ld.
From: Andrey Matveev <andrushock@korovino.net>


# 1.481 06-Mar-2005 henning

allow commas in the hfsc service curve spec, inconsistency pointed out in
PR4134 / geoff@collyer.net and a longer mail exchange with han boetes


# 1.480 06-Mar-2005 dhartmei

print "set skip on" with -v in such a way that the output is valid input
syntax, instead of the cryptic hex flags output.


# 1.479 27-Feb-2005 dhartmei

support 'tagged' in translation rules, non-delayed tag lookup
ok henning@, deraadt@


# 1.478 26-Feb-2005 henning

you sure get the impression the number of memory leaks in error paths
is infinite... Andrey Matveev <andrushock@korovino.net> spotted a few again!


# 1.477 07-Feb-2005 david

KNF; ok henning@


# 1.476 28-Jan-2005 dhartmei

add messages for syntax errors that caused silent failure before.
found by Peter Fraser, ok henning@


# 1.475 27-Jan-2005 dhartmei

dynamic interface names must start with a letter. catches the nonsensical
"(10.1.2.3)" that results from a simple typo like "$(ext_ip)" instead of
"$(ext_if)".


# 1.474 05-Jan-2005 mcbride

Modify pfctl behaviour so that 'set ...' options are no longer "sticky", ie.
they are reset to default values if omitted from a subsequent ruleset load.
Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set
without resetting the others, eg:
# echo "set loginterface fxp0" | pfctl -mf -

ok henning@ dhartmei@


# 1.473 29-Dec-2004 mcbride

Print 'set fingerprints' correctly when parsing verbosely.


# 1.472 23-Dec-2004 dhartmei

set rule_flag PFRULE_SRCTRACK when setting srctrack, found by camield@
using regress test pf84


# 1.471 22-Dec-2004 dhartmei

Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@


# 1.470 15-Dec-2004 henning

missing free()s; with pat


# 1.469 10-Dec-2004 henning

allow pf to filter on route labels
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan


# 1.468 08-Dec-2004 mcbride

Add "'overload' requires 'max-src-conn' or 'max-src-conn-rate'" sanity check,
fix some cut-n-paste mayhem in other related checks.


# 1.467 07-Dec-2004 dhartmei

re-commit mcbride@'s 'flush global', this time without the breakage in
pfvar.h. builds kernel and userland.


# 1.466 07-Dec-2004 deraadt

real backout


# 1.465 07-Dec-2004 deraadt

oops, incomplete backout


# 1.464 07-Dec-2004 deraadt

tree does not compile, spotted by dlg (not obvious how to fix)
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.463 07-Dec-2004 mcbride

Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.462 05-Dec-2004 dhartmei

initialize $$->tail and $$->next for MAXSRCCONNRATE


# 1.461 04-Dec-2004 mcbride

Userland support for limiting open tcp connections per source. eg:

keep state (max-src-conn 1000, max-src-conn-rate 100/10, overflow <bad> flush)

allow a maximum of 1000 open connections or 100 new connections in 10 seconds.
The addresses of offenders are added to the <bad> table which can be used in
the ruleset, and existing states from that host are flushed.

ok deraadt@ dhartmei@

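Editor's illustration of the limits described above, not pf's implementation: a per-source tracker that enforces max-src-conn and max-src-conn-rate N/S and moves an offender into an overload table, dropping its open connections as 'overload <bad> flush' does. The fixed-window rate counter, the fixed-size tables, the use of address 0 as a free-slot marker and all names are assumptions of this example; pf's own counter and data structures differ.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_SOURCES   64
#define OVERLOAD_MAX  64

/* Per-source bookkeeping, roughly what 'source-track' keeps per address. */
struct src_node {
	uint32_t addr;        /* IPv4 address (host order); 0 marks a free slot */
	uint32_t conn;        /* open connections, checked against max-src-conn */
	uint32_t rate_count;  /* new connections seen in the current window */
	uint32_t rate_start;  /* start of that window, in seconds */
};

struct limiter {
	uint32_t max_conn;      /* max-src-conn N (0 = unlimited) */
	uint32_t rate_limit;    /* max-src-conn-rate N/S: N (0 = unlimited) */
	uint32_t rate_seconds;  /* max-src-conn-rate N/S: S */
	struct src_node nodes[MAX_SOURCES];
	uint32_t overload[OVERLOAD_MAX];   /* stands in for the <bad> table */
	size_t n_overload;
};

void
limiter_init(struct limiter *l, uint32_t max_conn, uint32_t rate_limit,
    uint32_t rate_seconds)
{
	size_t i;

	l->max_conn = max_conn;
	l->rate_limit = rate_limit;
	l->rate_seconds = rate_seconds;
	l->n_overload = 0;
	for (i = 0; i < MAX_SOURCES; i++)
		l->nodes[i].addr = 0;
}

int
overload_contains(const struct limiter *l, uint32_t addr)
{
	size_t i;

	for (i = 0; i < l->n_overload; i++)
		if (l->overload[i] == addr)
			return 1;
	return 0;
}

static void
overload_add(struct limiter *l, uint32_t addr)
{
	if (!overload_contains(l, addr) && l->n_overload < OVERLOAD_MAX)
		l->overload[l->n_overload++] = addr;
}

/* Find or create the node for addr; NULL when the table is full. */
static struct src_node *
find_node(struct limiter *l, uint32_t addr, uint32_t now)
{
	struct src_node *free_slot = NULL;
	size_t i;

	for (i = 0; i < MAX_SOURCES; i++) {
		if (l->nodes[i].addr == addr)
			return &l->nodes[i];
		if (l->nodes[i].addr == 0 && free_slot == NULL)
			free_slot = &l->nodes[i];
	}
	if (free_slot == NULL)
		return NULL;
	free_slot->addr = addr;
	free_slot->conn = 0;
	free_slot->rate_count = 0;
	free_slot->rate_start = now;
	return free_slot;
}

/*
 * A new connection from addr at time now. Returns 1 if it may create state,
 * 0 if the source is over one of its limits: the address then goes into the
 * overload table and its open connections are dropped (the 'flush' part).
 * The window is a plain fixed window, an assumption of this example.
 */
int
new_conn(struct limiter *l, uint32_t addr, uint32_t now)
{
	struct src_node *n = find_node(l, addr, now);

	if (n == NULL)
		return 0;            /* no room to track it: refuse the connection */
	if (now - n->rate_start >= l->rate_seconds) {
		n->rate_start = now;
		n->rate_count = 0;
	}
	n->rate_count++;
	if ((l->max_conn != 0 && n->conn >= l->max_conn) ||
	    (l->rate_limit != 0 && n->rate_count > l->rate_limit)) {
		overload_add(l, addr);
		n->conn = 0;
		return 0;
	}
	n->conn++;
	return 1;
}

/* A state for addr closed, so max-src-conn counts only open connections. */
void
conn_closed(struct limiter *l, uint32_t addr)
{
	struct src_node *n = find_node(l, addr, 0);

	if (n != NULL && n->conn > 0)
		n->conn--;
}
```

The usage matching the entry's example, "max-src-conn 1000, max-src-conn-rate 100/10", is limiter_init(&l, 1000, 100, 10): the 101st connection from one source inside ten seconds is refused and the source lands in the overload table, while a second source is unaffected.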

# 1.460 21-Sep-2004 aaron

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok


Revision tags: OPENBSD_3_6_BASE
# 1.459 29-Jun-2004 henning

remove cedric's bogus interface name verification code.
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nice enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being bugged regularly.
help & ok mcbride@


# 1.458 29-Jun-2004 frantzen

convert a few memcpy()s to strlcpy() so we don't copy uninitialized junk into
an interface name's slack space past the \0. will be needed for the optimizer.
ok henning@


# 1.457 26-Jun-2004 david

add back PF_INOUT, fixes reassemble tcp
ok canacar@ mcbride@


# 1.456 25-Jun-2004 deraadt

repair tree nanobreak by the nanobum


# 1.455 10-Jun-2004 dhartmei

rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
keyword in C++. ok henning@, cedric@


# 1.454 21-May-2004 dhartmei

Use '/' instead of ':' as separator for anchor path components. Note that
the parser now needs quotes around paths containing separators.
ok mcbride@


# 1.453 19-May-2004 dhartmei

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@


# 1.452 24-Apr-2004 cedric

Add "probability xxx" rule modifier. ok deraadt@


# 1.451 22-Apr-2004 henning

typo, From: Jared Yanovich <jjy2+@pitt.edu>


# 1.450 14-Apr-2004 cedric

make antispoof work with dynamic addresses. ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_5_BASE
# 1.449 20-Mar-2004 david

spelling fix; ok dhartmei@ henning@ deraadt@


# 1.448 14-Mar-2004 dhartmei

#include fixes, from Max Laier, ok beck@ henning@


# 1.447 08-Mar-2004 henning

plug 124 memory leaks
ok mcbride@ pb@ dhartmei@


# 1.446 06-Mar-2004 henning

from bgpd:
plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. err(1, "yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.445 01-Mar-2004 dhartmei

support "tagged <name>" on anchor rules, suggested by vd@vmunix.lt,
ok henning@, cedric@


# 1.444 24-Feb-2004 mcbride

'max-src-nodes' requires 'source-track rule'. Set that automatically,
unless 'source-track global' is explicit, in which case error out. Lots of
help from cedric@.

ok cedric@ henning@


# 1.443 24-Feb-2004 cedric

fixup.


# 1.442 24-Feb-2004 mcbride

Check for 'source-track rule' with 'max-src-nodes'.

ok cedric@ henning@


# 1.441 11-Feb-2004 cedric

Fix interface clobbering for link-local addresses. Found by Pyun YongHyeon.
Fix "antispoof for foo" when foo has no addresses.
ok+help dhartmei@, ok mcbride@


# 1.440 10-Feb-2004 henning

KNF


# 1.439 10-Feb-2004 henning

fix at least the worst of Cedric "KNF is for everybody but me" Berger's fuckup


# 1.438 04-Feb-2004 mcbride

Handle rules like 'pass ... proto { tcp udp icmp } ... modulate state'

ok dhartmei@ henning@


# 1.437 03-Feb-2004 henning

fix PR 3664 / jared r r spiegel
we need to save the unexpanded tag/tagged strings before entering the
expansion loop, and at each loop, start with the unexpanded tag, so that
on subsequent loops the macros are replaced with current values and the
values from the previous loop do not persist
ryan theo ok


# 1.436 05-Jan-2004 henning

few off by ones in strlcpy overflow check; Patrick Latifi

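Editor's example, not the pfctl change itself, of the two points made in this entry and in 1.458 above: copying an interface name with memcpy() drags the uninitialized bytes after the NUL along, strlcpy() does not, and the truncation test on strlcpy()'s return value is '>= sizeof', the off-by-one these entries fixed. my_strlcpy() is a local reimplementation so the example builds where libc lacks strlcpy(); the struct and function names are assumed.

```c
#include <stddef.h>
#include <string.h>

#define IFNAMSIZ 16

/*
 * Local strlcpy(): copies at most size-1 bytes, always NUL-terminates,
 * returns strlen(src) so the caller can detect truncation.
 */
size_t
my_strlcpy(char *dst, const char *src, size_t size)
{
	size_t n = strlen(src);

	if (size > 0) {
		size_t c = n < size - 1 ? n : size - 1;
		memcpy(dst, src, c);
		dst[c] = '\0';
	}
	return n;
}

struct rule {
	char ifname[IFNAMSIZ];
};

/* Before: copies the whole source buffer, slack bytes after the NUL included. */
void
set_ifname_memcpy(struct rule *r, const char src[IFNAMSIZ])
{
	memcpy(r->ifname, src, IFNAMSIZ);
}

/*
 * After: copy only the string. Returns -1 if the name was truncated; the
 * test is ">= sizeof", because a return value equal to the buffer size
 * means the NUL did not fit (the off-by-one from 1.436).
 */
int
set_ifname_strlcpy(struct rule *r, const char *src)
{
	if (my_strlcpy(r->ifname, src, sizeof(r->ifname)) >= sizeof(r->ifname))
		return -1;
	return 0;
}

/* Non-zero bytes after the terminating NUL: what a byte-wise comparison
 * of two rules, or a copy into the kernel, would see. */
size_t
slack_bytes(const struct rule *r)
{
	size_t i = 0, n = 0;

	while (i < IFNAMSIZ && r->ifname[i] != '\0')
		i++;
	for (; i < IFNAMSIZ; i++)
		if (r->ifname[i] != '\0')
			n++;
	return n;
}
```

Feeding both setters a buffer that holds "fxp0" followed by stale bytes (constructed below by filling it with 0xAA first) shows the memcpy() version carrying eleven bytes of junk and the strlcpy() version carrying none; a 15-character name fits, a 16-character one is reported as truncated.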

# 1.435 04-Jan-2004 cedric

don't ignore "!" on "binat on !foo". ok mcbride@


# 1.434 31-Dec-2003 deraadt

spacing. note this, cedric


# 1.433 31-Dec-2003 cedric

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@


# 1.432 30-Dec-2003 henning

fix TAILQ abuse.
TAILQ_REMOVE is a no-no within a TAILQ_FOREACH loop.
also free the symbol itself after removal.
all found while hacking bgpd which incorporates pfctl's sym code (macros).

ok cedric@


# 1.431 19-Dec-2003 henning

i wrote much of these, assert my copyright


# 1.430 19-Dec-2003 deraadt

assert copyright. i rewrite much of this


# 1.429 16-Dec-2003 mcbride

Check that max-src-states and max-src-nodes are not being set to 0.


# 1.428 15-Dec-2003 henning

KNF here too


# 1.427 15-Dec-2003 mcbride

Whitespace.


# 1.426 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


# 1.425 15-Dec-2003 mcbride

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@


# 1.424 29-Nov-2003 dhartmei

allow ':' (range including boundaries) to be used wherever '><' (range
excluding boundaries) is legal. already supported by kernel, requires only
removal of three error messages. ok henning@


# 1.423 22-Nov-2003 henning

daniel stumbled over a broken regress test, and it turned out that I forgot
to commit a diff from 11/6...
do not insert the "block in on ! interface" rule for antispoof statements when
the interface in question does not have any IP address, because that then
expands to
block in on ! interface all
which is obviously bad.
niklas@ found it, dhartmei@ ok, and I think some more ppl ok I don't remember


# 1.422 14-Nov-2003 henning

allow the debuglevel to be set from pf.conf (set debug)

ok cedric@


# 1.421 08-Nov-2003 mcbride

Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.

pass in proto tcp to self flags S/SA keep state (no-sync)

ok cedric@ henning@ dhartmei@


# 1.420 06-Nov-2003 henning

and fix two err() that should be errx() while being here


# 1.419 06-Nov-2003 henning

need calloc here


# 1.418 06-Nov-2003 henning

allow the label macros to be used in tags as well.
the idea is not mine and I'd love to get credit, but I cannot find the mail
any more :-((

ok canacar@ dhartmei@


# 1.417 21-Oct-2003 itojun

don't use NULL as (int)0. henning ok


# 1.416 26-Sep-2003 cedric

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remain in the kernel). Basically, improvements are:

- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK

Ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_4_BASE
# 1.415 01-Sep-2003 henning

KNF


# 1.414 28-Aug-2003 kjell

This change is busted. what's worse, REGRESSION TESTS WOULD HAVE CAUGHT IT!
You MUST test network stack changes on BOTH BYTE-ORDERS.
Someone can fix this later, but right now I need to get the damn
firewall up. Grr.


# 1.413 26-Aug-2003 dhartmei

catch port/user/group a <>/>< b with a >= b, from mpech@

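Added example (editor's code, not pfctl's) for the port operators discussed in 1.424 and in this entry: the parser-side validity check that rejects a >< b and a <> b when a >= b, beside the match function the kernel applies. Operator semantics follow pf.conf(5) (':' includes both boundaries, '><' excludes them, '<>' matches outside the range); the enum names echo pf's PF_OP_* constants, and refusing a > b for ':' is this example's own choice.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Port comparison operators, named after pf's PF_OP_* constants. */
enum port_op {
	PF_OP_NONE, PF_OP_IRG, PF_OP_EQ, PF_OP_NE, PF_OP_LT, PF_OP_LE,
	PF_OP_GT, PF_OP_GE, PF_OP_XRG, PF_OP_RRG
};

/* Map a pf.conf operator token to the enum; -1 for an unknown token. */
int
port_op_from_str(const char *s)
{
	static const struct { const char *tok; enum port_op op; } tab[] = {
		{ "=",  PF_OP_EQ },  { "!=", PF_OP_NE },  { "<",  PF_OP_LT },
		{ "<=", PF_OP_LE },  { ">",  PF_OP_GT },  { ">=", PF_OP_GE },
		{ ":",  PF_OP_IRG }, { "><", PF_OP_RRG }, { "<>", PF_OP_XRG },
	};
	size_t i;

	for (i = 0; i < sizeof(tab) / sizeof(tab[0]); i++)
		if (strcmp(s, tab[i].tok) == 0)
			return tab[i].op;
	return -1;
}

/*
 * Parser-side sanity check (the 1.413 point): a binary range whose
 * operands are reversed either matches nothing or matches everything,
 * and neither is what the rule author meant.
 */
int
port_range_valid(enum port_op op, uint16_t a, uint16_t b)
{
	switch (op) {
	case PF_OP_RRG:  /* a >< b is empty when a >= b */
	case PF_OP_XRG:  /* a <> b matches every port when a >= b */
		return a < b;
	case PF_OP_IRG:  /* a:b; refusing a > b is this example's choice */
		return a <= b;
	default:
		return 1;
	}
}

/* Kernel-side match for a packet port p against the rule's a, b. */
int
port_match(enum port_op op, uint16_t a, uint16_t b, uint16_t p)
{
	switch (op) {
	case PF_OP_NONE: return 1;
	case PF_OP_IRG:  return p >= a && p <= b;   /* a:b  */
	case PF_OP_XRG:  return p < a || p > b;     /* a <> b */
	case PF_OP_RRG:  return p > a && p < b;     /* a >< b */
	case PF_OP_EQ:   return p == a;
	case PF_OP_NE:   return p != a;
	case PF_OP_LT:   return p < a;
	case PF_OP_LE:   return p <= a;
	case PF_OP_GT:   return p > a;
	case PF_OP_GE:   return p >= a;
	}
	return 0;
}
```

For "port 2000:2004" the boundaries match, for "port 2000 >< 2004" they do not, and "port 2004 >< 2000" is refused at load time instead of producing a rule that silently never fires.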

# 1.412 25-Aug-2003 dhartmei

catch return-rst ttl values > 255, from aaron@


# 1.411 24-Aug-2003 cedric

Tweaks:
- Make sure we allow only tables in round-robin pools for routing options,
same as what we do for translation rules.
- Don't reject rules like: "nat on sis0 -> <foo>" because
"no address family is given". This is perfectly valid.
ok henning@


# 1.410 22-Aug-2003 david

pf spelling police
ok dhartmei@ jmc@


# 1.409 21-Aug-2003 frantzen

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001


# 1.408 20-Aug-2003 henning

braindeadness police: catch queues which specify themselves as child... 'nuff said


# 1.407 20-Aug-2003 henning

err out nicer on errors in queue def


# 1.406 18-Aug-2003 dhartmei

catch max-mss values > 65535, report by Gregory Steuck


# 1.405 09-Aug-2003 cedric

This patch removes the restriction that tables cannot be used in routing or
redirection rules...

The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.

This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.

Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"

ok henning@ mcbride@


# 1.404 29-Jul-2003 deraadt

indent


# 1.403 19-Jul-2003 cedric

Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
instead of indirectly through struct pf_rule_addr.

Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.

Needless to say: KERNEL/USERLAND SYNC REQUIRED.

ok henning@ mcbride@


# 1.402 18-Jul-2003 cedric

Simplify handling of flags (-R, -N...). Remove PFCTL_FLAG_ALL.
ok dhartmei@


# 1.401 15-Jul-2003 cedric

Repair memory management in table parsing code.
I need vacations.
Found and verified by Pyun YongHyeon.
ok dhartmei@


# 1.400 14-Jul-2003 dhartmei

tpo


# 1.399 11-Jul-2003 cedric

Better parsing and -v support for tables:

- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and bring table definition consistent with other
parsed rules.

ok dhartmei@


# 1.398 10-Jul-2003 cedric

Fix merging of host lists.
ok dhartmei@ henning@


# 1.397 04-Jul-2003 henning

KNF after cedric (grmpf)


# 1.396 04-Jul-2003 henning

allow for a "pass" modifier on translation rules:
nat pass on $ext_if from $a to $b -> $ext_if
when the pass modifier is given, the filter ruleset is _not_ evaluated but
the packets matching this translation rule are passed unconditionally.

ok dhartmei@ cedric@ markus@


# 1.395 03-Jul-2003 cedric

Bye bye atexit(), bye bye globals...
The pfctl.c part will probably need some further improvements.
ok henning@


# 1.394 03-Jul-2003 cedric

This patch finally cleans up pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@


# 1.393 19-Jun-2003 deraadt

knf


# 1.392 18-Jun-2003 henning

change expand_label_addr() to use a switch (h->addr.type) instead of
if .. else if .. else, and handle PF_ADDR_NOROUTE as well.
inspired by a comment from cedric.


# 1.391 18-Jun-2003 henning

when expanding the $srcaddr/$dstaddr label macros and the address is actually
a table reference, don't print nonsense but the table name.
found by claudio jeker, fix by me, agreement by cedric


# 1.390 09-Jun-2003 mcbride

Attempt to resolve byte order confusion in nat code once and for all.

- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()

NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.


# 1.389 25-May-2003 henning

must not run check_netmask() before remove_invalid_hosts() - binat case had it
wrong for the redirection target.
reported by jared r r spiegel <jrrs@ice-nine.org>


# 1.388 19-May-2003 henning

reject invalid netmasks like 10.0.0.0/68, and fix up the netmask for
dynaddr rules after we know the address family

ok dhartmei@, inspired by a session with bob

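Editor's example of the netmask check (not pfctl's code): parse addr/len, determine the address family first with inet_pton(), then reject prefix lengths the family cannot carry, so 10.0.0.0/68 is refused while 2001:db8::/68 is accepted. The function names and the bare-address default (a host mask) are this example's assumptions.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* 0 if bits is a legal prefix length for the family, -1 otherwise. */
int
prefix_len_valid(int af, long bits)
{
	if (bits < 0)
		return -1;
	switch (af) {
	case AF_INET:  return bits <= 32 ? 0 : -1;
	case AF_INET6: return bits <= 128 ? 0 : -1;
	default:       return -1;
	}
}

/*
 * Parse "addr/len" or a bare "addr". The family comes from the address
 * itself, so the prefix length is only checked once it is known (the same
 * ordering the entry needs for dynaddr rules). Returns 0 and fills af/len,
 * or -1 on any error.
 */
int
parse_cidr(const char *spec, int *af, int *len)
{
	char buf[INET6_ADDRSTRLEN + 5], *slash, *end;
	unsigned char addr[16];
	long bits;

	if (strlen(spec) >= sizeof(buf))
		return -1;
	strcpy(buf, spec);
	slash = strchr(buf, '/');
	if (slash != NULL)
		*slash = '\0';

	if (inet_pton(AF_INET, buf, addr) == 1)
		*af = AF_INET;
	else if (inet_pton(AF_INET6, buf, addr) == 1)
		*af = AF_INET6;
	else
		return -1;

	if (slash == NULL) {
		*len = *af == AF_INET ? 32 : 128;   /* host mask by default */
		return 0;
	}
	if (slash[1] == '\0')
		return -1;                          /* "10.0.0.0/" */
	bits = strtol(slash + 1, &end, 10);
	if (*end != '\0')
		return -1;                          /* "10.0.0.0/24x" */
	if (prefix_len_valid(*af, bits) < 0)
		return -1;                          /* "10.0.0.0/68" */
	*len = (int)bits;
	return 0;
}
```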

# 1.387 19-May-2003 henning

all host() receivers have to test for NULL


# 1.386 19-May-2003 henning

if host() returns NULL, it is an error, so err the fuck out and don't
load bullshit


# 1.385 17-May-2003 henning

support inverse matching on tags like
block in ! tagged sometag

ok dhartmei@ pb@


# 1.384 16-May-2003 dhartmei

TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive end-
point, preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@


# 1.383 15-May-2003 henning

properly complain about too long tags


# 1.382 14-May-2003 frantzen

add scrub modifier "reassemble tcp" to turn on stateful TCP normalizations
ok henning@ dhartmei@


# 1.381 14-May-2003 henning

tagging on binat


# 1.380 14-May-2003 henning

enabled tagging on rdr rules


# 1.379 14-May-2003 henning

with tag/tagged given, only whine about missing keep state on pass rules


# 1.378 14-May-2003 frantzen

allow SCRUB rules to specify protocol again. broken sometime in the past.
okie dhartmei@, yay pb@


# 1.377 14-May-2003 henning

tags on nat rules:
nat on $ext_if all tag humppa -> $ext_if
pass out tagged humppa keep state


# 1.376 13-May-2003 henning

make sure tagging is only ever used with stateful filter rules


# 1.375 13-May-2003 henning

userland part for tagging.
it's now possible to tag packets with an arbitrary tag and filter based on
that tag later on other interfaces:
pass in quick on fxp0 keep state tag blah
pass out quick on wi0 keep state with tag blah
can be used to express trust between interfaces, to distinguish between
NATed connections and connections originating from the firewall itself
and much more

ok dhartmei@ frantzen@ pb@ mcbride@


# 1.374 11-May-2003 mcbride

Don't ntohs() the translation port for nat as it is already in host byte order.
Makes nat ... -> $ext_if port 500 rules work correctly again.

ok henning@ dhartemi@ frantzen@


# 1.373 10-May-2003 henning

support loading of anchors from within the main ruleset via
load anchor anchorname:rulesetname file /path/to/file

ok pb@ dhartmei@ cedric@


# 1.372 03-May-2003 henning

don't free() the char * carrying the rule label too early
noticed by Mathieu Sauve-Frankel <m.sauve at secureops.net> via silc


# 1.371 01-May-2003 henning

ease label handling

ok cedric@


# 1.370 01-May-2003 henning

allow label on antispoof; requested by Gregor Binder <gbinder at sysfive.com>

ok cedric@


# 1.369 30-Apr-2003 cedric

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@


# 1.368 25-Apr-2003 dhartmei

Properly copy the second part of nat proxy port range, when specified.
ok henning@


# 1.367 15-Apr-2003 henning

pass down the unparsed queue opts (struct node_queue_opt) to
print_altq/print_hfsc -> print_hfsc_opts and extract struct node_hfsc_sc
there for each service curve and pass those down to print_hfsc_sc. now
bandwidth specifications in the service curves are printed correctly in the
case of a queue belonging to more than one interface/parent queue, the
parent queues having different bandwidths and the bandwidth on the service
curve being specified in percent.


# 1.366 14-Apr-2003 henning

let print_altq and print_queue take a struct node_queue_bw parameter instead
of distinct bw_percent


# 1.365 13-Apr-2003 henning

KNF


# 1.364 13-Apr-2003 henning

prevent double service curve specification


# 1.363 13-Apr-2003 henning

add support for the HFSC linkshare, realtime, and upperlimit service curves
to be specified.


# 1.362 13-Apr-2003 dhartmei

unbreak (missing })


# 1.361 13-Apr-2003 henning

say bye bye to hfscflags_list and hfscflags_item
welcome hfscopts_list and hfscopts_item, returning a full struct
node_hfsc_opt instead of just an int for the flags. needed because of all
the opts hfsc knows


# 1.360 13-Apr-2003 henning

new struct node_hfsc_opts for, surprise, hfsc options. needed because they
contain bandwidth specifications and we need to carry the unprocessed bw
specs around for quite some time until we can break them down to absolute
values.


# 1.359 13-Apr-2003 henning

pass down the struct node_queue_opts from the altqif/queuespec yacc targets
to expand_altq/expand_queue -> eval_pfaltq/eval_pfqueue and
further down to the new eval_queue_opts() instead of evaluating them directly
in the yacc grammar.
this will be needed to process the hfsc options which can contain relative
bandwidth specifications, and we can't break them down to an absolute one
earlier.


# 1.358 13-Apr-2003 henning

move the structs node_queue_bw and node_queue_opt to pfctl_parser.h.
let eval_pfqueue() and eval_pfaltq() take a pointer to a struct
node_queue_bw instead of two distinct bw_absolute and bw_percent parameters.


# 1.357 13-Apr-2003 henning

move the bandwidth keyword from within the bandwidth target up to the
queue_opts target so the bandwidth parser can be used for other things too;
will be needed for hfsc's linkshare etc


# 1.356 12-Apr-2003 henning

initial support for the HFSC scheduler.
whoever uses that for more than toying around is on drugs. it's far from done.


# 1.355 11-Apr-2003 henning

KNF


# 1.354 11-Apr-2003 henning

don't set r->qid and r->pqid in expand_rule any more, queue name -> queue ID
mapping is done in kernel land now


# 1.353 07-Apr-2003 dhartmei

Catch and refuse invalid icmp codes (> 255). ok pb@, mpech@.


# 1.352 05-Apr-2003 henning

ease netmask handling a bit

input theo, ok dhartmei@


# 1.351 05-Apr-2003 henning

allow queue specs to be limited to certain interfaces.

altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two }
queue one priority 1 priq(default)
queue two on $if0 priority 15
queue two on ! $if0 priority 0

ok dhartmei@


# 1.350 05-Apr-2003 henning

whitespace KNF


# 1.349 04-Apr-2003 henning

clean up:
instead of letting the lexer interpret '<' '>' '=' '>=' '<=' and return them
as PF_OP_LT, PF_OP_GT etc etc etc in PORTUNARY, just let the lexer return
'<' '>' and '=' literally, and in the few cases where the old PORTUNARY was
really used like originally intended, replace that by a new unaryop yacc
target. in all other cases that gets rid of quite some checks whether PORTUNARY
is really < and nothing else etc etc etc.

ok cedric@ deraadt@


# 1.348 27-Mar-2003 henning

lotsa const char *
from David Hill <david at phobia.ms> a while ago


# 1.347 27-Mar-2003 henning

introduce a "yesno" target. eases code a bit and yes is no keyword any more.


# 1.346 27-Mar-2003 henning

handle invalid priq/cbq flags better and give a nice error message


# 1.345 27-Mar-2003 henning

default, borrow, ecn, red and rio are no keywords any more. use STRING and
strcmp instead.


# 1.344 27-Mar-2003 henning

switch symset/symget to TAILQ instead of using hand baked lists

ok dhartmei@ cedric@


Revision tags: OPENBSD_3_3_BASE
# 1.343 19-Mar-2003 henning

branches: 1.343.2;
kill the address token and move the host() invocation up to the host token,
so that host() always gets the full address to be parsed including the
netmask instead of applying the netmask afterwards. this could break some
edge cases and was broken since the (interface)/24 fix.
new token dynaddr for, well, dynaddr, and apply an eventually given netmask
afterwards in the host token just in this case.

found after bug report From: Julien Bordet <zejames@greyhats.org> via dhartmei

ok daniel cedric


# 1.342 10-Mar-2003 henning

correctly cope with errors returned by eval_pfqueue and pfctl_add_altq

ok dhartmei@ pb@ (as part of... you know, monsterdiff)


# 1.341 10-Mar-2003 henning

when complaining about a queue without parent, include the queue name in
the error message

ok dhartmei@ pb@ (as part of a monsterdiff)


# 1.340 09-Mar-2003 henning

cope with LOOP_THROUGH modifying the list (queues).
in case of an error in the queue def in question the queues list remains
unmodified, but the LOOP_THROUGH caused a mod anyway, and the list can stay
empty. subsequent checks for NULL which check for a empty list fail then.
fix by adding an explicit check before looping.
fixes regress pfail31
error report by Kamil Andrusz via pb@, testcase from pb@
ok dhartmei@


# 1.339 09-Mar-2003 henning

cope with the fact that LOOP_THROUGH loops once even if the list is empty by
moving the addition of child queues a bit down after the successful
addition of the current queue and an explicit NULL check before looping.
fixes regress pf59
found by kjc@
ok kjc@ cedric@ dhartmei@


# 1.338 08-Mar-2003 henning

fix the obvious:
since we do not modify the struct pf_altq *a any more but our private copy,
we can of course not inherit the scheduler type from it, since it did not
inherit the scheduler type from the parent.
so just inherit the scheduler type from the parent directly...

ok dhartmei@ cedric@


# 1.337 08-Mar-2003 henning

in expand_queue, make a private copy of the struct pf_altq before modifying
it. modifying the original one had undesired side effects if a queue was
expanded to more than one because it belonged to more than one interface

ok pb@ cedric@ dhartmei@


# 1.336 06-Mar-2003 henning

fix queue assignment on filter rules which are not bound to an interface.
when looking up the queue IDs using qname_to_qid, we do not need to limit
the matching on the interface in question, as it is guaranteed that same
named queues on different interfaces have the same queue id. moreover, we
must not limit the matches to the interface if we do not have an interface
given on the filter rule to match on ;-)

found after problems reported by Andre Nathan <andre at v2r dot com dot br>

ok dhartmei@ pb@ cedric@


# 1.335 02-Mar-2003 henning

when printing queues at load time that have bandwidth specified in percent,
print the bandwidth in percent instead of the calculated absolute value.
if a queue belongs to more than one interface and they have different
bandwidth the calculated absolute is of course different per interface.
previously the first calculated absolute value was shown; what of course is
incorrect on the second interface. note that only the print was wrong, the
correct values were passed to the kernel.

ok theo daniel


# 1.334 02-Mar-2003 henning

remove the control keyword for cbq queues.
the control class was a legacy of the original CBQ design by LBL/Sun
to support RSVP.
the control class is not used in openbsd, in the sense that
we don't automatically set filters for ICMP/IGMP/RSVP for the control
class.

ok dhartmei@ kjc@ deraadt@


# 1.333 27-Feb-2003 david

modify error message to match the same 7 sections in pf.conf(5)
ok deraadt@ henning@


# 1.332 26-Feb-2003 henning

in expand_rule, correctly set r->pqid if a priority queue was defined, and
reuse the value of r->qid if not.

ok dhartmei@ mcbride@


# 1.331 25-Feb-2003 henning

some minor KNF my fingers just did...

ok dhartmei@ cedric@


# 1.330 25-Feb-2003 cedric

repair/simplify/flexify binat userland.
ok dhartmei@ henning@


# 1.329 24-Feb-2003 henning

when a macro is redefined, don't bother with reusing the existing entry in
symset() but just prepend a new sym entry to symhead like we always did. as
symget searches the list sequentially, the newest one is picked first.
prevents an endless loop introduced when trying to reuse the existing entry
by an invalid setting for the next pointer.
fixes regress test pf57.

found after conversation with Chris Linn, celinn at mtu dot edu

ok dhartmei@ cedric@


# 1.328 21-Feb-2003 henning

re-allow set loginterface none
ok cedric@ dhartmei@


# 1.327 21-Feb-2003 henning

better error message if set loginterface is called with nonexistent
interface, found by krause (who is doing EXCELLENT work. Thank you very
much!), fix by me, ok dhartmei@ and cedric@


# 1.326 20-Feb-2003 henning

reject nonexistent interfaces in the dynaddr case, noticed during discussion
with jasondixon at myrealbox dot com

ok dhartmei@


# 1.325 19-Feb-2003 dhartmei

Make 'from (kue0)/24' work again (dynamic interface name translation with
a /prefix), reported by Jason Dixon. ok henning@


# 1.324 19-Feb-2003 henning

better error message on icmp version / address family mismatch

ok markus@


# 1.323 18-Feb-2003 henning

fix load option handling (-A, -N, -R) for options.
due to a bug in the loadopt check options were always loaded no matter which
loadopts were specified.
while being there, move the prints for that to where they belong, into the
appropriate pfctl_set_* functions, and thus only print when the options are
actually loaded.
fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier.

ok dhartmei@


# 1.322 17-Feb-2003 henning

"optarg" was a bad pick for the variable name in pfctl_cmdline_symset, it
shadows a global. rename.


# 1.321 17-Feb-2003 mpech

-#include <sys/ioctl.h>

mcbride@, dhartmei@ ok


# 1.320 16-Feb-2003 henning

unneeded {}


# 1.319 16-Feb-2003 henning

throw a syntax error if the portunary operator in varset is not '='
extif>"whatever"
should not be the same as
extif="whatever"
but a syntax error.


# 1.318 14-Feb-2003 dhartmei

Allow route-to loopback interfaces again, since Ryan fixed the loops that
might have occured before.


# 1.317 14-Feb-2003 cedric

Better and more consistent error message.
Ok dhartmei@


# 1.316 13-Feb-2003 henning

ease the yacc a bit by using a "not" rule instead of having two rules w/ and
without '!' everywhere

ok dhartmei@


# 1.315 12-Feb-2003 henning

KNF after ryan


# 1.314 12-Feb-2003 mcbride

Simplify the code and make the parser handle the different rule types
more consistently.

- Merge expand_nat and expand_rdr into expand_rule
- Merge rdrrule token into natrule

ok concept henning@
ok dhartmei@


# 1.313 11-Feb-2003 henning

allow macro definition on the command line:
pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea
theo), very handy if your notebook has another NIC at some conference, as
well as for debugging etc.
idea rezine@mistrusted.net via pb@
hacked live at FOSDEM

ok pb@ dhartmei@ cedric@


# 1.312 09-Feb-2003 henning

more live code from FOSDEM:
make
pass in proto tcp to port 80
work.
-allow to omit the "any" if you're specifying a port
-allow to omit the from or to part if you want "any" for the other

ok dhartmei@ pb@


# 1.311 09-Feb-2003 henning

KNF


# 1.310 09-Feb-2003 camield

Fix a few warnings and remove unnecessary check and cast.

ok dhartmei henning


# 1.309 08-Feb-2003 dhartmei

Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@


# 1.308 05-Feb-2003 cedric

Fix "pass out dup-to (tun0 1.1.1.1) inet6 all" error message
Allow "pass out dup-to tun0 all"
ok mcbride@ henning@


# 1.307 05-Feb-2003 mcbride

Set the network mask to all 1's if no address is specified for a
route-to/dup-to/reply-to rule. Keeps round-robin from incrementing through
the entire address space.

ok dhartmei@


# 1.306 03-Feb-2003 deraadt

pretty


# 1.305 03-Feb-2003 dhartmei

Don't allow loopback interfaces as route/reply/dup-to targets. ok henning@


# 1.304 03-Feb-2003 cedric

remove loadopt global definition and cleanup a bit.
ok henning@


# 1.303 03-Feb-2003 henning

fix a problem with queue definitions when load options (like -N etc) are
given; they used to check for their parent interface/queue even in this
case.

ok dhartmei@ cedric@


# 1.302 02-Feb-2003 henning

there is no need to pass opts to parse_rules explicitely; it's passed as
part of the struct pfctl.


# 1.301 27-Jan-2003 deraadt

KNF


# 1.300 25-Jan-2003 mcbride

Match changes for rdr port ranges made to pf.c:
- fixes behaviour of rdr on le0 from foo to bar port 1:20 -> (lo0) port 22
- makes calculated mapping more explicit for the -> (lo0) port 22:* case

testing from dhartmei@

ok dhartmei@


# 1.299 25-Jan-2003 cedric

Fix NOACTION with table statements.


# 1.298 25-Jan-2003 cedric

Permit initialisation of a table content from a file in pf.conf.
Cleaning up of the table options parsing, more flexible.
idea+cleanup deraadt@, ok dhartmei@, pass all regress tests.


# 1.297 25-Jan-2003 cedric

Correctly check illegal constructs with tables. Better error messages.
ok dhartmei@ pass all regress tests.


# 1.296 25-Jan-2003 henning

if a table name is too long, it's actually nice to tell so instead of just
aborting with a syntax error


# 1.295 20-Jan-2003 camield

Remove unused argument from print_name() and fix two other nits
found by lint.

ok henning


# 1.294 19-Jan-2003 camield

Spin off label string expansion into a separate function. Clarifies
and tightens all expand_label functions.

ok dhartmei henning


# 1.293 18-Jan-2003 henning

KNF after ryan...


# 1.292 18-Jan-2003 mcbride

Add missing token string and assignment to make static-port work for real.

Diff and report courtesy of mpech@ and form@

ok dhartmei@


# 1.291 17-Jan-2003 camield

bandwith -> bandwidth

YYERROR on failed parseicmpspec()

ok dhartmei mcbride henning


# 1.290 15-Jan-2003 mpech

Typo in yyerror().

henning@


# 1.289 14-Jan-2003 henning

unified IP parser:
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h]
-extend host() to handle /mask itself, plus minor adjustments
-use that in pfctl_table.c instead of coding the same shit again

discussed w/ cedric@
ok cedric@ dhartmei@


# 1.288 13-Jan-2003 camield

err() on all memory allocation failures

ok henning dhartmei


# 1.287 11-Jan-2003 mcbride

Whitespace KNF


# 1.286 09-Jan-2003 henning

no need for explicit numbering in enums

ok dhartmei@


# 1.285 09-Jan-2003 dhartmei

Check return values on the remaining strlcpy/strlcat. ok henning@


# 1.284 09-Jan-2003 henning

minor KNF


# 1.283 09-Jan-2003 cedric

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@


# 1.282 08-Jan-2003 deraadt

check more strlcpy; camield@


# 1.281 07-Jan-2003 dhartmei

Allow underscore at the beginning of strings, fixes
pass all user _spamd
which was refused as syntax error before. Reported by Joe Nall.
ok henning@


# 1.280 07-Jan-2003 dhartmei

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@


# 1.279 06-Jan-2003 mcbride

Fix some oversights with address pools for route-to/dup-to/reply-to
- copy key for src-hash
- copy pool type (pools were being set to round-robin in all cases)

+ some minor knf.

ok dhartmei@


# 1.278 05-Jan-2003 henning

err after calloc failure, not errx


# 1.277 05-Jan-2003 dhartmei

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@


# 1.276 04-Jan-2003 dhartmei

move noroute from flag in pf_rule_addr into type in pf_addr_wrap.
ok henning@, mcbride@


# 1.275 04-Jan-2003 deraadt

I do not know where this policy of "one .h file for every .c file" comes
from, but whoever thought of it is stupid.


# 1.274 03-Jan-2003 dhartmei

whitespace KNF (no, i don't touch the option inits)


# 1.273 03-Jan-2003 cedric

Bring in userland code for accessing PF radix tables.
ok dhartmei@ mcbride@


# 1.272 02-Jan-2003 mcbride

Require a direction to be specified for rules which do routing.

ok dhartmei@ henning@


# 1.271 30-Dec-2002 mcbride

Change ipv6-icmp-type to icmp6-type. pf.conf files will need to be adjusted
to reflect this.

ok dhartmei@ henning@


# 1.270 27-Dec-2002 mcbride

Since pf_norm.c looks at rule.log to see if it should log packets being
dropped due to scrub violations, this adds the ability to set this in
pf.conf.

ok henning@


# 1.269 21-Dec-2002 henning

always initialize rpool.key; diff from Frank Denis; KNF by me


# 1.268 21-Dec-2002 henning

KNF


# 1.267 20-Dec-2002 dhartmei

remove a redundant assignment.


# 1.266 19-Dec-2002 dhartmei

fix 'no rdr'.


# 1.265 18-Dec-2002 henning

more KNF


# 1.264 18-Dec-2002 dhartmei

proto list expansion is not supported in binat-anchor yet, print an error
when attempted.


# 1.263 18-Dec-2002 dhartmei

Support (single) destination port in rdr-anchor rules. Print an error
where parameters are not supported (in rdr-anchor and binat-anchor) yet.
If those are needed, we'll have to expand them properly.


# 1.262 18-Dec-2002 deraadt

fix some INCREDIBLE new bugs which were introduced


# 1.261 17-Dec-2002 henning

add support for the PRIQ scheduler

partially from kjc@

ok kjc@ dhartmei@


# 1.260 17-Dec-2002 mcbride

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule

ok dhartmei@ henning@


# 1.259 17-Dec-2002 henning

missing break in switch


# 1.258 17-Dec-2002 henning

beautify the %type block


# 1.257 17-Dec-2002 henning

PRIQ and HFSC support functions, not yet used.
mostly from kjc@ with adjustments by me.

ok theo ryan daniel


# 1.256 16-Dec-2002 henning

only create a root queue if scheduler = cbq


# 1.255 16-Dec-2002 henning

get full [scheduler]_opts struct instead of just .flags, and wrap in into a
switch (scheduler) statement in one case

inspired by kjc@


# 1.254 13-Dec-2002 henning

allow a second queue for higher prioritized (currently: tos=lowdelay) packets
to be specified per rule

queue (qname, priorized_qname)

idea dhartmei
ok dhartmei@ frantzen@ deraadt@


# 1.253 13-Dec-2002 henning

a bit of KNF originally part of another diff soon to come; frantzen@ correctly
pointed out that should be a separate commit.


# 1.252 13-Dec-2002 deraadt

permit re-ordering of some scrub parameters, and also clean up some other
grammar baloney; henning ok


# 1.251 12-Dec-2002 henning

KNF


# 1.250 12-Dec-2002 henning

we don't need to keep a private copy of the queue name in expand_rule,
r->qname is never modified

discussed with dhartmei@


# 1.249 11-Dec-2002 mcbride

Replace strncpy + ugly pointer math with sscanf for reading source-hash keys

ok dhartmei@ henning@


# 1.248 09-Dec-2002 dhartmei

(properly guarded) strcpy() -> strlcpy()


# 1.247 09-Dec-2002 deraadt

do not allow redefinitions in variable option blocks; henning ok


# 1.246 08-Dec-2002 henning

strncpy is evil.


# 1.245 08-Dec-2002 henning

allow flexible options order like Theo did for rules.

idea, lots of input, motivation and ok deraadt@

ATTENTION:
this changes the syntax. the "scheduler" keyword is gone now.
old: altq on $interface scheduler cbq ...
new: altq on $interface cbq ...


# 1.244 07-Dec-2002 dhartmei

Support parameters in anchor rules. Allows conditional evaluation, like:

anchor spews inet proto tcp from any to any port smtp

ok deraadt


# 1.243 07-Dec-2002 henning

more KNF


# 1.242 07-Dec-2002 henning

KNF


# 1.241 07-Dec-2002 henning

shadow cleanup

ok mcbride@ frantzen@


# 1.240 07-Dec-2002 henning

kill an unused param to lungetc


# 1.239 07-Dec-2002 mcbride

Convert the hash of a string key to network byte order. Makes regression
work on all platforms.

Bug found by dhartmei@

ok dhartmei@ henning@


# 1.238 06-Dec-2002 dhartmei

Remove negated address list check again, doesn't work right yet.


# 1.237 06-Dec-2002 dhartmei

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@


# 1.236 05-Dec-2002 henning

fix a small cosmetic problem. if ifa_lookup was called in LOOKUP_NET mode,
it would return things like 127.0.0.1/8. when 127.0.0.1/8 is passed through
the new selftests, it becomes 127.0.0.0/8.
fix: instead of just copying addr.mask in ifa_lookup, use set_ipmask, so it
is 127.0.0.0/8 from the beginning on.


# 1.235 05-Dec-2002 henning

-quote varset in -v output
-don't add 's' in set timeout -v output

makes the feedback regression tests succeed.

ok markus@ mcbride@


# 1.234 04-Dec-2002 henning

in host(), apply a given netmask to all members of the node_host list
returned by ifa_lookup().

reported by Alejandro G. Belluscio

ok dhartmei@


# 1.233 04-Dec-2002 deraadt

do not warn for unused variables except with -v -v; henning ok


# 1.232 02-Dec-2002 henning

KNF


# 1.231 02-Dec-2002 deraadt

permit more flexible pass/block lines. the options giving at the end of
a line can now be placed in any order, and some merging of duplicate options
is also done. this is easier to use.


# 1.230 02-Dec-2002 henning

allow for "altq on $interface" without specifying a bandwidth. The
interface's bandwidth is taken then.
as a side-effect, "altq on $interface bandwidth xx%" is also possible now,
it's relative to the interface's bandwidth then.

ok theo


# 1.229 30-Nov-2002 mickey

move damn unmask() proto into place as well


# 1.228 29-Nov-2002 henning

coredumps are not nice.
deal with the fact that when we are merging the lists in host_list both can
be NULL.
found at EuroBSDCon 2002 while I was explaining the expansion process to
Paul de Weerd

ok dhartmei@


# 1.227 29-Nov-2002 henning

print queuespec only once in verbose mode, even if referenced more often


# 1.226 29-Nov-2002 henning

FREE_LIST nqueues later; can be used more than once


# 1.225 28-Nov-2002 henning

allow qlimit on altq spec


# 1.224 28-Nov-2002 mcbride

- Adjust to match replacement of md5 with pf_hash
- Allow keys to be specified in hex (must be 128 bits, mainly to make
pfctl -v output parseable by pfctl) or as a string. Randomly generate key
if one is not specified.

Suggestions and fixes from camield@

ok mickey@ camield@ henning@


# 1.223 27-Nov-2002 henning

handle the "no bandwidth specified" case earlier and easier.


# 1.222 27-Nov-2002 henning

-use a #define for default qlimit instead of hardcoding it
-print qlimit in print_queue if it is not the default one
-assign the default qlimit early in the parser instead of using 0


# 1.221 27-Nov-2002 henning

next round in print fixes:
-only print priority if it is not equal to the default one
-space handling overhaul


# 1.220 27-Nov-2002 henning

use a #define for default priority instead of hardcoding it


# 1.219 27-Nov-2002 henning

fix tbrsize spec


# 1.218 27-Nov-2002 henning

fix error message for altq ifspec without child queues


# 1.217 26-Nov-2002 henning

make bandwidth specification on queue truly optional


# 1.216 26-Nov-2002 henning

queue comes before NAT


# 1.215 25-Nov-2002 henning

repair decide_address_family
you cannot just take the first address family you meet as rule's address
family... either all are equal, or the rule has no explicit AF.

found by danh@
ok theo


# 1.214 25-Nov-2002 mickey

for loN and link1 translate the iface into address properly; henning@ ok


# 1.213 25-Nov-2002 henning

1Kb = 1000b, not 1024; as discussed with kjc@ and theo


# 1.212 25-Nov-2002 henning

KNF


# 1.211 24-Nov-2002 pb

enforce that queue comes right before filtering
'options, normalization, translation, queue, filter' now

henning@ ok


# 1.210 24-Nov-2002 dhartmei

Cosmetics and removal of a redundant code block.


# 1.209 23-Nov-2002 deraadt

sigh


# 1.208 23-Nov-2002 henning

KNF


# 1.207 23-Nov-2002 henning

better error checking in expand_queue


# 1.206 23-Nov-2002 henning

easier


# 1.205 23-Nov-2002 mcbride

Daniel's diff to untangle my mess with ifa_pick_ips like so:

- add decide_address_family() which runs through the list to find hosts
with the af set
- replace ifa_pick_ips with remove_invalid_hosts() which removes hosts with
the wrong address family from the list

from/ok dhartmei@


# 1.204 23-Nov-2002 henning

better error checking, round 1
this time in expand_altq


# 1.203 23-Nov-2002 henning

KNF


# 1.202 23-Nov-2002 deraadt

KNF


# 1.201 23-Nov-2002 dhartmei

$$->ifname is NULL, leave it NULL, don't $$->ifname[0] = 0;


# 1.200 23-Nov-2002 mcbride

Fix brokenness in parse.y, clean up:
- remove requirement for ( ) in route-to ( if )
- calloc route_host
- initialise route_host->next
- globally convert malloc to calloc

ok dhartmei@


# 1.199 23-Nov-2002 mcbride

code to support loading of pf rules with multiple redirection addresses
(in nat, rdr, route-to, dup-to and reply-to)

Syntax looks like this, see pf.conf(5) for details:

nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
192.168.0.16/29 source-hash random

rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
{ 192.168.0.8/31, 192.168.0.15 } port 22 round-robin

ok dhartmei@ henning@


# 1.198 22-Nov-2002 henning

print altq and queue lines in the pfctl -v case including the child queue
assignment


# 1.197 19-Nov-2002 henning

only take cbq opts from schedtype if type=CBQ


# 1.196 19-Nov-2002 henning

repair queuespec syntax glitch, theo agrees


# 1.195 19-Nov-2002 henning

default priority is 1, not 0
found by pb@


# 1.194 19-Nov-2002 camield

- match 'Gb' case-sensitively
- match "%" unit only, not "%crap"

ok henning@

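Entries 1.213 (1Kb = 1000b), 1.194 (Gb matched case-sensitively, "%" only as an exact unit) and 1.230 (a percentage is relative to the interface's bandwidth, so the same queue resolves differently per interface) together pin down the bandwidth spec grammar. The parser below is an added example written for this page, not pfctl's code; struct bandwidth, parse_bandwidth() and bw_resolve() are this example's own names, and the upper bound on the absolute rate is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parsed bandwidth spec (example layout, not pfctl's struct). */
struct bandwidth {
	int	 is_percent;	/* spec used "%": resolve against the interface */
	double	 percent;	/* 0..100 when is_percent is set */
	uint64_t bps;		/* absolute bits per second otherwise */
};

/*
 * Parse "64b", "512Kb", "10Mb", "1.5Gb" or "50%".  Units are compared
 * case-sensitively and must match exactly: "gb", "GB", "%crap" and a
 * missing unit are all rejected.  1Kb is 1000 bits, not 1024.
 * Returns 0 on success, -1 on error.
 */
int
parse_bandwidth(const char *spec, struct bandwidth *out)
{
	double val, bits;
	char *unit;
	uint64_t mult;

	if (spec == NULL || *spec == '\0')
		return -1;
	val = strtod(spec, &unit);
	if (unit == spec || !(val >= 0))	/* no digits, negative, or NaN */
		return -1;

	if (strcmp(unit, "%") == 0) {		/* exactly "%", so "%crap" fails */
		if (val > 100)
			return -1;
		out->is_percent = 1;
		out->percent = val;
		out->bps = 0;
		return 0;
	}
	if (strcmp(unit, "b") == 0)
		mult = 1;
	else if (strcmp(unit, "Kb") == 0)
		mult = UINT64_C(1000);
	else if (strcmp(unit, "Mb") == 0)
		mult = UINT64_C(1000) * 1000;
	else if (strcmp(unit, "Gb") == 0)
		mult = UINT64_C(1000) * 1000 * 1000;
	else
		return -1;	/* unknown, mis-cased or missing unit */

	bits = val * (double)mult;
	if (bits > 1e18)	/* assumed sanity bound; also rejects "inf" */
		return -1;
	out->is_percent = 0;
	out->percent = 0;
	out->bps = (uint64_t)bits;
	return 0;
}

/* Resolve a spec to bits per second for an interface of bandwidth ifbw. */
uint64_t
bw_resolve(const struct bandwidth *bw, uint64_t ifbw)
{
	if (bw->is_percent)
		return (uint64_t)((double)ifbw * bw->percent / 100.0);
	return bw->bps;
}

int
main(void)
{
	struct bandwidth bw;
	const char *spec = "50%";	/* constructed: queue on two interfaces */

	if (parse_bandwidth(spec, &bw) == -1) {
		fprintf(stderr, "bad bandwidth spec: %s\n", spec);
		return 1;
	}
	/* The same queue definition yields a different absolute rate per interface. */
	printf("%s of 100Mb = %llub/s\n", spec,
	    (unsigned long long)bw_resolve(&bw, UINT64_C(100000000)));
	printf("%s of 10Mb  = %llub/s\n", spec,
	    (unsigned long long)bw_resolve(&bw, UINT64_C(10000000)));
	return 0;
}
```

Keeping the percentage in the parsed form, and resolving only when the interface is known, is also what lets the verbose printout show "50%" rather than one interface's absolute number.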

# 1.193 19-Nov-2002 wilfried

icmp-type was off by one, ok henning@


# 1.192 18-Nov-2002 deraadt

no; do not use };


# 1.191 18-Nov-2002 henning

more using strl* return values instead of strlen calls


# 1.190 18-Nov-2002 henning

easier "queue name too long" detection; from theo


# 1.189 18-Nov-2002 deraadt

KNF


# 1.188 18-Nov-2002 deraadt

KNF


# 1.187 18-Nov-2002 henning

altq and pf merged

this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documentation yet, but committing now
enables a few more people to work on.

print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.

"commit now" theo philipp daniel


# 1.186 13-Nov-2002 henning

as scrub rules end up in a struct pf_rule just call expand_rule instead of
handcrufting this.
has quite a few positive side effects:
-interface list expansion works (fries@ asked for that)
-can specify address family, very helpful with dynamic interface expansion
(pointed out by daniel)
-src/dst ip/port list expansion works
-fixes a long standing, scary, though never noticed bug:
scrub out on lo1 from any to 10.0.0.1
expanded to
scrub out on lo1 all
... this bug was there from day #1.

"sneaky diff of the month award" dhartmei@


# 1.185 13-Nov-2002 dhartmei

Add label macro $if, as we support {} list expansion for interfaces now.
From David Gwynne. ok henning@, camield@


# 1.184 13-Nov-2002 dhartmei

Initialize tail pointer to node, found by fries@


# 1.183 08-Nov-2002 henning

init buf to NULL just in case...
there isn't a single codepath where it can remain uninitialized, but this
might prevent a stupid bug if we change something later


# 1.182 07-Nov-2002 henning

move the ifa_exists block a bit up in host()
inspired by mpech@ pointing out a missing free(buf). so handle the
it-is-an-interface case where we don't need the buf before allocating memory.


# 1.181 04-Nov-2002 henning

welcome to CIDR world, pfctl!

use inet_net_pton to parse IP addresses.
stuff like
block in from 10/8 to any
works now.

some input camield@ and dhartmei@

ok dhartmei@, camield@, mcbride@


# 1.180 02-Nov-2002 dhartmei

%i -> %d, matches the style of existing code, from millert@


# 1.179 02-Nov-2002 dhartmei

printf int with %i, not %u. from pilot@monkey.org.


# 1.178 30-Oct-2002 henning

simplify


# 1.177 30-Oct-2002 henning

fix interface expansion. since the reversed list expansion code was
committed this was broken, only the first IP address was returned.

pointed out by danh@, who sent an excellent bug report.

ok dhartmei@


# 1.176 29-Oct-2002 henning

introduce
set require-order [yes|no]
default is yes.
with set to "no", it isn't required to have the rules in order (options,
scrub, nat, filter) any more, though of course NATing still happens before
filtering and so on, so one has to take care.

ok camield@ mcbride@ dhartmei@
idea discussed with a whole lotta more people and basically ok for everyone ;-)


# 1.175 27-Oct-2002 henning

remove the "flags X" syntax.
no one who wrote "flags S" meant that, but actually something like "flags
S/SA". with "flags S" changing its actual meaning as more flags got
supported, things got worse.

ok dhartmei@, pb@


# 1.174 22-Oct-2002 mpech

%ul -> %lu

dhartmei@ ok


# 1.173 22-Oct-2002 mcbride

More conversion of "int af" and "u_int8_t af" declarations and function
arguments to the more correct and descriptive "sa_family_t af"

ok dhartmei@ henning@


# 1.172 22-Oct-2002 camield

Rename ipmask to set_ipmask and add some functionality: the netmask
is applied immediately to the address.

This way, the parsed rules output shows exactly which bits of an
address are significant for a match and errors due to wrong netmasks
can be spotted more easily.

Example:
$ pfctl -nvf -
pass in on lo0 from 172.17.0.0/12 to any
@0 pass in on lo0 inet from 172.16.0.0/12 to any

idea refined by dhartmei@
ok frantzen@ henning@

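Entries 1.236 (127.0.0.1/8 becoming 127.0.0.0/8), 1.181 (CIDR input such as 10/8) and 1.172 above (the mask applied immediately so the printed rule shows exactly which bits match) all concern the same normalisation step. The function below is an added example, not pfctl's set_ipmask() or host(): it parses an IPv4 CIDR spec, clears the host bits, and reports that it did so, which is how a misconfigured mask like 172.17.0.0/12 becomes visible. The function name, the return codes and the use of inet_pton() with manual octet padding instead of inet_net_pton() are this example's assumptions.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return codes (example's own, not pfctl's). */
enum { CIDR_OK = 0, CIDR_OK_HOSTBITS_CLEARED = 1, CIDR_ERR = -1 };

/*
 * Parse "a.b.c.d/len" (also the short "10/8" form; no "/len" means /32),
 * apply the mask immediately and write the normalised network back as
 * text.  Host bits set in the input are cleared, and the caller is told
 * so via CIDR_OK_HOSTBITS_CLEARED.  Returns CIDR_ERR on malformed input.
 */
int
normalize_cidr4(const char *spec, char *out, size_t outlen)
{
	char buf[INET_ADDRSTRLEN + 4];	/* "255.255.255.255/32" plus NUL */
	char *slash, *end;
	struct in_addr in;
	uint32_t addr, mask, hostbits;
	long plen = 32;
	int dots = 0;
	size_t i, n;

	if (spec == NULL || strlen(spec) >= sizeof(buf))
		return CIDR_ERR;
	strcpy(buf, spec);

	if ((slash = strchr(buf, '/')) != NULL) {
		*slash = '\0';
		errno = 0;
		plen = strtol(slash + 1, &end, 10);
		if (errno != 0 || end == slash + 1 || *end != '\0' ||
		    plen < 0 || plen > 32)
			return CIDR_ERR;
	}
	if (buf[0] == '\0')
		return CIDR_ERR;

	/* Pad the "10/8" shorthand out to "10.0.0.0" for inet_pton(). */
	for (i = 0; buf[i] != '\0'; i++)
		if (buf[i] == '.')
			dots++;
	while (dots < 3) {
		if (strlen(buf) + 2 >= sizeof(buf))
			return CIDR_ERR;
		strcat(buf, ".0");
		dots++;
	}
	if (inet_pton(AF_INET, buf, &in) != 1)
		return CIDR_ERR;

	addr = ntohl(in.s_addr);
	mask = plen == 0 ? 0 : 0xffffffffU << (32 - plen);
	hostbits = addr & ~mask;	/* non-zero means the input was sloppy */

	in.s_addr = htonl(addr & mask);
	if (inet_ntop(AF_INET, &in, out, (socklen_t)outlen) == NULL)
		return CIDR_ERR;
	n = strlen(out);
	if (snprintf(out + n, outlen - n, "/%ld", plen) >= (int)(outlen - n))
		return CIDR_ERR;
	return hostbits != 0 ? CIDR_OK_HOSTBITS_CLEARED : CIDR_OK;
}

int
main(void)
{
	const char *rule_addr = "172.17.0.0/12";	/* the commit's example */
	char out[INET_ADDRSTRLEN + 4];
	int rc = normalize_cidr4(rule_addr, out, sizeof(out));

	if (rc == CIDR_ERR) {
		fprintf(stderr, "bad address: %s\n", rule_addr);
		return 1;
	}
	printf("@0 pass in on lo0 inet from %s to any\n", out);
	if (rc == CIDR_OK_HOSTBITS_CLEARED)
		printf("note: %s has host bits set; they do not affect matching\n",
		    rule_addr);
	return 0;
}
```

Printing the masked form is what turns a silent over-broad or mis-targeted rule into something a reviewer can see in the -nv output; a loader could also refuse CIDR_OK_HOSTBITS_CLEARED outright under a strict mode.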

# 1.171 17-Oct-2002 mcbride

These checks are also made in nat_consistent() and rdr_consistent().

ok dhartmei@ henning@


# 1.170 17-Oct-2002 camield

- accept all protocols that are specified by number if they are in
the valid range (also when they're not listed in /etc/protocols)
- explicitly disallow protocol number 0, because it has special meaning
to pf

ok dhartmei@ henning@


# 1.169 16-Oct-2002 mpech

Fix and improve binat mask comparison.

dhartmei@, henning@ ok


# 1.168 14-Oct-2002 henning

Allow one to specify a netblock in a binat rule:

binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27

Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.

from ryan

ok dhartmei@


# 1.167 11-Oct-2002 camield

When a macro cannot be expanded because it is not defined, say so. Also warn
about unused macros.

ok dhartmei@ henning@


# 1.166 11-Oct-2002 camield

In lgetc(), compress strings of whitespace to a single space. This makes
macros come out right in verbose mode and is less functional overhead.

Also err on whitespace after a backslash. That type of error is hard to
find otherwise.

ok dhartmei@ henning@


# 1.165 08-Oct-2002 vincent

remove <0 checks on unsigned numbers.

ok henning@


# 1.164 07-Oct-2002 dhartmei

-Wsign-compare clean


# 1.163 07-Oct-2002 dhartmei

Two cases of const-correctness and make one global local.


# 1.162 07-Oct-2002 henning

set block-policy [drop|return]
drop is default, same behaviour as before

support
block drop
to override a return policy


# 1.161 07-Oct-2002 henning

support a generic return
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else

ok dhartmei@


# 1.160 07-Oct-2002 henning

make return-icmp work for rules covering both v4 and v6
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)

ok and some input dhartmei@


# 1.159 07-Oct-2002 henning

use a new rule_flag PFRULE_RETURNICMP to decide whether to return-icmp or not
instead of just testing return_icmp > 0

ok dhartmei@


# 1.158 07-Oct-2002 dhartmei

Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.


# 1.157 06-Oct-2002 dhartmei

Move CHECK_ROOT into LOOP_THROUGH, gets rid of one macro and saves
several lines, no functional difference. From Camiel Dobbelaar.


# 1.156 05-Oct-2002 dhartmei

Expand {} lists from left to right, so 'pass in from { a, b } to any'
becomes '@0 pass in from a to any @1 pass in from b to any' instead of
the other way around. Patch from Camiel Dobbelaar.


# 1.155 05-Oct-2002 dhartmei

Allow filtering based on IP header's tos field.


Revision tags: OPENBSD_3_2_BASE
# 1.154 22-Sep-2002 henning

little KNF: return(something) -> return (something)


# 1.153 22-Sep-2002 henning

fix linenumber counting in findeol, and simplify by ignoring the \ case,
that's already handled earlier.
fast-forward on erroneous lines

partially from camield@, parts result of a discussion with Mike

ok frantzen@ dhartmei@


# 1.152 22-Sep-2002 henning

antispoof, take 2.
also block incoming packets with our own IP as src.

discussion & help frantzen

ok ho@ dhartmei@ frantzen@


# 1.151 17-Sep-2002 henning

easier "self" implementation.
no functional changes

ok pb@


# 1.150 15-Sep-2002 henning

set a netmask in the dynaddr case
noticed by <han@mijncomputer.nl>

ok pb@


# 1.149 14-Sep-2002 henning

bit more clue in rdr/nat rules wrt address family examination
don't take the af from host_node structs based on interface lookups, most
interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will
at least have one IP address specified from which we take the af for the
whole rule. The rare exceptional cases require the user to specify the af.

ok frantzen@


# 1.148 12-Sep-2002 henning

check for calloc() failure; ho@


# 1.147 12-Sep-2002 henning

antispoof [log] [quick] for [interface|interface_list] [af]

e. g.

antispoof log quick for { dc0, dc1 } inet

docs & regress coming

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@
IPv6 help itojun@

finally, a long story finds its happy end here.


# 1.146 12-Sep-2002 henning

rework netmask handling:
-don't set netmask in host token handler
-clear netmask in ipmask() proper before setting it
-in ifa_load(), also store interface's netmask and broadcast address
-allow ifa_lookup() to return either the interface's IP address(es), network(s)
or broadcast address(es) - not used anywhere yet. This implies that
ifa_lookup() also returns the netmask now.
-host() returns netmasks, too

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@


# 1.145 08-Sep-2002 henning

be more clueful wrt address family in nat/rdr rules.
behaviour noticed by Paul de Weerd, thanks!

ok dhartmei@


# 1.144 02-Sep-2002 dhartmei

Fix parsing of port ranges in translation rules (port a:b -> port c:d).
ok henning@


# 1.143 02-Sep-2002 dhartmei

Make sure the interface specified with route-to/dup-to/fastroute exists
and null-terminate the interface name. Found by Michael Wallis.
ok henning@


# 1.142 20-Aug-2002 dhartmei

Increase lineno on newlines inside multi-line macro definitions, otherwise
errors on subsequent lines are reported with wrong line numbers.
From Paul B. Henson.


# 1.141 16-Aug-2002 henning

kill duplicated check for '(' and ')' in allowed_in_string


# 1.140 12-Aug-2002 dhartmei

Catch null pointer deref (segfault), from wilfried@


# 1.139 06-Aug-2002 henning

missing free(), mpech@
ok pb@


# 1.138 06-Aug-2002 henning

check for strdup() allocation errors

pointed out by mpech@
ok pb@


# 1.137 31-Jul-2002 henning

KNF, esp. missing prototypes


# 1.136 30-Jul-2002 henning

grmpf.
in some cases, on non-tcp rules flags weren't reset. cosmetic-only
problem. but, well, checking for r->flags and r->flagset if we could have
assigned them zero just one round ago is just stupid, and it's not needed to
check them at all.

ok pb@, dhartmei@


# 1.135 30-Jul-2002 henning

allow to specify flags on all rules that include tcp.

these are valid:

pass in from any to any flags S
pass in proto { tcp, udp, icmp } from any to any flags S
pass in proto tcp from any to any flags S

these are invalid:

pass in proto { udp, icmp } from any to any flags S
pass in proto udp from any to any flags S

ok "I've lost my slacker status for at least a week" frantzen@
ok pb@, dhartmei@, deraadt@


# 1.134 26-Jul-2002 henning

make the order of log and quick irrelevant. now both
block in log quick all
and
block in quick log all
work.

ok dhartmei@, deraadt@


# 1.133 23-Jul-2002 henning

timeout_list/_spec and limit_list/_spec don't return anything -> no %type.

ok theo


# 1.132 21-Jul-2002 deraadt

fix route-to also


# 1.131 21-Jul-2002 deraadt

make the , optional in many places. This makes string concat a lot more
useful. Now you can
in = ssh domain www
out = $in ftp finger
pass in proto tcp from any to any port { $in }
pass out proto tcp from any to any port { $out }
a poor example, but the idea is obvious


# 1.130 21-Jul-2002 deraadt

string concat, i.e.
a=a b
c=$a $a


# 1.129 20-Jul-2002 deraadt

minor indent tweaks


# 1.128 20-Jul-2002 deraadt

properly split yacc and lex use


# 1.127 19-Jul-2002 deraadt

minor tweaks, sigh


# 1.126 19-Jul-2002 dhartmei

And back out the last change again.


# 1.125 19-Jul-2002 henning

rework the interface lookup routines internals.
less and easier code than before.
no functional changes.

ok frantzen@, dhartmei@


# 1.124 19-Jul-2002 dhartmei

Support # comments at the end of lines and inside (multi-line) string
literals, so you can do things like

macro="{ foo, # first entry
bar, # second entry
baz }" # last entry

or

pass in on $ext_if \ # external interface
proto tcp \ # TCP connections
from any to $ext_if \ # to the gateway itself
keep state

And sneaking in two minor fixes for KNF.


# 1.123 19-Jul-2002 henning

deal with the fact that the struct node_host ifa_pick_ip gets is not always
the result of an interface expansion. in this case ifa_pick_ip does an
address family check (that's actually a (wanted) side effect). Thus, we need
to spit out a meaningful error message in case of a mismatch.
also adjust all the other error messages, they were also assuming that nh is
the result of an interface expansion.
after a looooong discussion on icb (dhartmei@, pb@, me) we agreed on the term
"translation address" for that.

okay dhartmei@


# 1.122 17-Jul-2002 henning

support "self" as address. self expands to all IPv4 and IPv6 addresses of
the machine, on all interfaces. I wanted
block in log on ! lo0 from any to self
for years, and now it's possible.

ok "I may lose my slacking status if I OK it" frantzen@
ok dhartmei@

documentation in pf.conf.5 to come with pb@'s rewrite


# 1.121 16-Jul-2002 dhartmei

Add nat_consistent() and rdr_consistent() for checks that should occur
after rule expansion, similar to rule_consistent(). Fixes the
non-effective test for rdr rules for non-TCP/UDP protocols with ports,
found by mpech@, ok frantzen@


# 1.120 15-Jul-2002 henning

add support for
pass|block on ! $interface ...

ok dhartmei@

will be documented in pf.conf(5) by "I'm not slacking!" pb@ who's currently
reworking this manpage


# 1.119 15-Jul-2002 pb

cosmetics/consolidations to manpage in yyerror()s

ok henning@, dhartmei@


# 1.118 15-Jul-2002 henning

o complain about keep state on block rules
o complain about return-rst on rules which aren't limited to tcp

pointed out by not-slacking-but-testing pb@

ok pb@, dhartmei@


# 1.117 13-Jul-2002 henning

add list expansion for interface and proto in nat rules and for proto in rdr
rules (interface was already there). since the nat.conf/pf.conf merge the
parser accepted these but didn't expand them. ugh.

ok dhartmei@


# 1.116 09-Jul-2002 itojun

check sin6_scope_id field, just in case we change the routing socket API
for scoped address (unlikely due to the deployed codebase...).


# 1.115 09-Jul-2002 itojun

getifaddrs(3) grabs link-local addrs in kernel internal form, convert them
into proper sockaddr_in6.


# 1.114 09-Jul-2002 henning

rework the interface-to-IP routines.

you can use interface names instead of an IP in most places. However, until
now, it was only expanded to the interface's first IPv4 address if existent
(and address family unset or inet) and the first IPv6 address otherwise.

this diff changes that. the interface is properly expanded to all IPs, IPv4
_and_ IPv6, now.

it also cleans up the lookup procedures (well, in fact, they are replaced by
a new one), there's no need for different procedures for IPv4 and IPv6. we
now just have one list of interfaces (AF_LINK) and one list with IPs
(AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and
ifa_lookup.

nat, rdr & friends now use the new function ifa_pick_ip to get the IP in
rules like

nat on $interface from $whatever to any -> $interface

ifa_pick_ip tries to be smart.
if the interface has only one IP address and the nat rule doesn't specify an
address family (or it matches with this address), take this one.
If the address family is specified in the nat rule and there is only one IP
for the given address family, this one is used. if the address family is not
specified and there is more than one IP pfctl throws an error. The same
applies for multiple IPs per address family.

This causes regression tests 18 and 20 to fail because the address family
isn't specified there; diff for those coming.

also fix some prototypes while I'm here.

pb@ found another problem while testing that we must have introduced sometime
after 3.1.

$cat t
nat on ne3 from any to any -> 213.128.133.5
$pfctl -nvf t
nat on ne3 all -> ?

it's only a representation bug as far as I've checked, nonetheless it should
be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just
steal its target's IP af and set the rule's af accordingly. then inet_ntop
does play nice.
binat rules already enforce having an address family set always and thus are
not affected.

ok dhartmei@, pb@, kjell@
"It looks good" frantzen@


# 1.113 08-Jul-2002 dhartmei

Don't allow 'flags' option in non-TCP rules, found by mpech@


# 1.112 05-Jul-2002 henning

unbreak.


# 1.111 05-Jul-2002 henning

another small bug I found while installing a -current pf firewall.
we don't support

pass/block in on ! <interface>

(at least, not yet)
let the parser complain instead of ignoring the '!'

ok pb@, dhartmei@


# 1.110 01-Jul-2002 espie

streamline parse buffer handling (no need to copy value that is not
going to go away).

add explicit pushback buffer, to be able to push IPv6 failed parses back.

handle pushback + parse buffer interactions by using negative indices.

okay dhartmei@, deraadt@


# 1.109 01-Jul-2002 deraadt

KNF


# 1.108 28-Jun-2002 dhartmei

Don't check for address family conflicts in nat/rdr before expansion,
rules will expand to all valid combinations, and there's an error when
none is found. Makes "nat on tun0 from 10.0.0.0/8 to any -> (tun0)"
work (again).


# 1.107 25-Jun-2002 henning

move pfctl options -t, -m, -O and -l to pf.conf. These are set using the
"set" keyword. example rulefile:

set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all

fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@


# 1.106 24-Jun-2002 dhartmei

Use interface when specified in scrub rule. No support for ! or {} yet.


# 1.105 23-Jun-2002 deraadt

uid_t and gid_t are unsigned


# 1.104 20-Jun-2002 dhartmei

Copy address family from inet/inet6 keyword, if specified.


# 1.103 18-Jun-2002 frantzen

propagate a '!' when a host resolves to multiple IP addresses
ok dhartmei@


# 1.102 18-Jun-2002 frantzen

don't allow individual keep state rules to specify timeouts for 'interval' and
'frag' -- they aren't applied anyway
ok dhartmei@ and henning@


# 1.101 16-Jun-2002 aaron

Rules must in order -> Rules must be in order


# 1.100 15-Jun-2002 dhartmei

Reset rulestate in parse_rules(), so consecutive calls (like from authpf)
will not fail. Reported by Chris Kuethe.


# 1.99 13-Jun-2002 kjell

Fix the numbering of scrub rules. pointed out and oked by frantzen@


# 1.98 12-Jun-2002 kjell

Fix uninitialized access. Spotted by danh@ This is a good reason to
develop with "ln -s 'J' /etc/malloc.conf" enabled.
ok henning@


# 1.97 11-Jun-2002 frantzen

split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@. the rest are slacking


# 1.96 11-Jun-2002 frantzen

SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@


# 1.95 11-Jun-2002 dhartmei

Make NAT proxy port range configurable per rule, for instance privileged
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@


# 1.94 10-Jun-2002 kjell

Merge the NAT and rules files into a single rulefile. Rules must be
in this order, to remove any ambiguity about what order things happen in:

scrub rules
nat rules
filter rules

The -N and -R modifiers go away. Rulefiles are now loaded with the
more POSIXly-correct '-f'

ok frantzen@


# 1.93 10-Jun-2002 dhartmei

Allow ports to be specified in nat rules, useful later on for individual
proxy port ranges.


# 1.92 10-Jun-2002 dhartmei

Move enum out of struct (gcc 3.1 wasn't happy), from David Krause


# 1.91 10-Jun-2002 kjell

split scrub rule processing into its own yacc target,
for imminent config file merge. ok frantzen@


# 1.90 09-Jun-2002 dhartmei

Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it
includes ports and operator.


# 1.89 09-Jun-2002 deraadt

spaced out developers...


# 1.88 09-Jun-2002 kjell

Add list parsing in RDR rules: e.g.

rdr on $IFLIST proto tcp from $SRC_LIST to $DST_LIST port 21 \
-> 127.0.0.1 port 8021

ok dhartmei@


# 1.87 08-Jun-2002 henning

nuke unused parameter af to expand_label_port
ok dhartmei@, pb@


# 1.86 08-Jun-2002 dhartmei

Change remaining read-only lookup tables to const, suggestion drahn@


# 1.85 08-Jun-2002 itojun

comment on IPv6 link-local twists


# 1.84 08-Jun-2002 kjell

add list expansion to src/dest in NAT rules. i.e.

nat on fxp0 from { 10.0.0.0/24, 10.0.1.0/24 } to \
{ 172.6.1.1, 172.14.1.2/32 } -> fxp0

ok theo, dhartmei@


# 1.83 08-Jun-2002 henning

remove macro concatenation via += per Theo's advice


# 1.82 08-Jun-2002 henning

allow macro concatenation like
webservers = "{ 10.0.0.1, 10.0.0.7, 10.0.0.8, "
webservers += " 10.0.0.17, 10.0.0.25, 10.0.0.37 }"
ok frantzen@, dhartmei@


# 1.81 08-Jun-2002 dhartmei

Make state timeouts configurable per rule, like

pass in from any to any port www keep state (tcp.established 60)

ok frantzen@


# 1.80 08-Jun-2002 henning

expand $nr -> rule number in rule labels
okay dhartmei@, frantzen@


# 1.79 08-Jun-2002 henning

expand $proto in rule labels
okay frantzen@ dhartmei@


# 1.78 07-Jun-2002 dhartmei

Handle realloc() failure gracefully. Terminates with err() anyway in this
case, but we don't want to trigger "p = realloc(p," grepping causing false
alarms here.


# 1.77 07-Jun-2002 deraadt

henning, read this to see what i mean by KNF


# 1.76 07-Jun-2002 pb

add the possibility to configure a TTL while return-rst

ok dhartmei@, ipv6 part itojun@ ok


# 1.75 07-Jun-2002 dhartmei

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@


# 1.74 07-Jun-2002 henning

allow using $srcaddr, $srcport, $dstaddr and $dstport in rule labels,
evaluated at parse time.
ok dhartmei@


# 1.73 07-Jun-2002 itojun

make IPv6 scope identification work for dst (from any to fe80::1%lo0)


# 1.72 07-Jun-2002 itojun

support scoped IPv6 address in from/to portion.


# 1.71 01-Jun-2002 hugh

ECN flag support for pf. Committed in consultation with Daniel.


# 1.70 24-May-2002 dhartmei

Support mixed (IPv4/v6) address lists, expand to all possible and valid
combinations. 'pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }' will
expand to two rules, 'from 10.1.2.3 to 10.4.5.6' and 'from ::1 to ::2'.
Also applies to host name resolution (when multiple addresses are returned
for one name). ok frantzen@, itojun@


# 1.69 23-May-2002 deraadt

tiny KNF, some malloc checks, etc


# 1.68 23-May-2002 itojun

new_addr is not used from anywhere. daniel@benzedrine.cx ok


# 1.67 19-May-2002 deraadt

KNF


# 1.66 12-May-2002 dhartmei

Explain that user/group 'unknown' can only be used with operators = and !=
and refuse other constructs in the parser. Also note that 'user >= 0' does
not match forwarded packets with unknown user ID.


# 1.65 12-May-2002 dhartmei

Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.


# 1.64 10-May-2002 dhartmei

Handle host name resolution returning multiple addresses in the rule
parser (expand to every address). ok frantzen@


# 1.63 09-May-2002 jasoni

Add a max-mss option to the scrub rule which will enforce a maximum mss
by lowering it to the given value.
- ok dhartmei@, provos@


# 1.62 09-May-2002 dhartmei

Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.


# 1.61 24-Apr-2002 dhartmei

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).


# 1.60 23-Apr-2002 dhartmei

Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.


# 1.59 18-Apr-2002 deraadt

use strlcpy


# 1.58 17-Apr-2002 dhartmei

Reset lineno for each file, so pfctl -R ... -N ... reports the right
line number for non-first files. Reported by aaron@


Revision tags: OPENBSD_3_1_BASE
# 1.57 27-Mar-2002 mickey

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok


# 1.56 27-Feb-2002 dhartmei

Instead of printing useless @0 rule numbers from pfctl -vR, increase a
counter. Helps debugging rule sets that are not loaded. Suggested by
John Kerbawy.


# 1.55 11-Jan-2002 mickey

use bsearch() for keywords lookup, swap couple of entries to make the keywords array sorted and add a comment to keep it that way; dhartmei@ ok


# 1.54 10-Jan-2002 hugh

Let port 0 be specified as it's not special here.
Agreement with Daniel and others.


# 1.53 09-Jan-2002 mpech

Port must be >0 and <=65535. Idea while having fun with ssh.

dhartmei@ ok


# 1.52 09-Jan-2002 mpech

free() 'interface' in {nat,binat,rdr}rule

dhartmei@ ok


# 1.51 09-Jan-2002 dhartmei

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.


# 1.50 08-Jan-2002 dhartmei

Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.


# 1.49 07-Jan-2002 mpech

remove 3rd argument from ipmask(), not used.

dhartmei@ ok


# 1.48 23-Dec-2001 deraadt

find correct line number in lval, instead of val


# 1.47 10-Dec-2001 dhartmei

Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.


# 1.46 05-Dec-2001 dhartmei

Correctly parse hex numbers. Spotted by Claudio Jeker. Closes PR 2234.


# 1.45 03-Dec-2001 dhartmei

For nat, binat and rdr rules, don't allow different address families in
one rule. pf can't translate IPv4 <-> IPv6 packets. Such rules didn't work,
even if they were falsely accepted before.


# 1.44 26-Nov-2001 jasoni

add fastroute options similar to what is found in ipf
ok dhartmei@, frantzen@


# 1.43 05-Nov-2001 deraadt

no one responds.
this diff makes } and { not be part of symbols


# 1.42 24-Oct-2001 dhartmei

Check interface names using ifa0_lookup() and print error message for
non-existent interfaces (instead of the generic ioctl error returned by
the kernel in this case).


Revision tags: OPENBSD_3_0_BASE
# 1.41 15-Oct-2001 dhartmei

branches: 1.41.2;
Add 'allow-opts' to rules. Packets with IP options will be blocked by
default now, and can be allowed per rule. ok deraadt@


# 1.40 11-Oct-2001 frantzen

Don't htonl() past buffer bounds if ipmask == 128


# 1.39 07-Oct-2001 dhartmei

Add interface name to address translation to pfctl, document it and add
a regress test. Translation is done on rule set load-time only, so the
rule sets must be reloaded when an interface address changes.
parse.y patch from Cedric Berger. Similar patch from Jonathon Fletcher.
Thanks to both.


# 1.38 01-Oct-2001 markus

print variable assignments only if -v is given. ok dhartmei/deraadt


# 1.37 28-Sep-2001 dhartmei

Support underscores in macro names and document it in the man page.


# 1.36 20-Sep-2001 dhartmei

Fix uninitialized structure fields. Problem reported by Cedric Berger.


# 1.35 15-Sep-2001 wilfried

Implement return-icmp(number), return-icmp6(number)
Differentiate between return-icmp and return-icmp6,
icmp-type and ipv6-icmp-type. ok dhartmei@


# 1.34 15-Sep-2001 dhartmei

Fix 'binat ... to any ...' (binat.af wasn't set).


# 1.33 15-Sep-2001 dhartmei

Parse bug, found by wilfried@


# 1.32 15-Sep-2001 frantzen

IPv6 support from Ryan McBride (mcbride@countersiege.com)


# 1.31 12-Sep-2001 markus

check calloc() return value


# 1.30 06-Sep-2001 jasoni

- you can only binat between hosts
- add binat example and description


# 1.29 06-Sep-2001 jasoni

1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@


# 1.28 04-Sep-2001 dhartmei

Support parameter lists {} for interfaces in filter rules, like
pass in on { gm0, kue0 } from any to any


# 1.27 28-Aug-2001 markus

move '!' from host_list to host: "xhost : '!' host | host;"; ok dhartmei@


# 1.26 28-Aug-2001 markus

check for malloc/strdup == NULL


# 1.25 28-Aug-2001 dhartmei

Support ! operator in host parameter lists. Fixes PR system/2030. Reported
by Kamil Andrusz <wizz@mniam.net>.


# 1.24 26-Aug-2001 deraadt

sort keywords


# 1.23 25-Aug-2001 frantzen

PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation.


# 1.22 23-Aug-2001 millert

o for a port_item, initialize the "next" pointer to NULL
o for an address, use calloc() instead of malloc() so the struct is zeroed
Fixes a SEGV in pfctl due to uninitialized "next" pointers.


# 1.21 23-Aug-2001 deraadt

Support var="string". Expansion (at lex time) done using $var, for instance:
okproto="{ssh, smtp, domain, auth}"
pass in on key0 proto tcp from any to any port $okproto keep state
Can I ask someone else to document this in pf.conf(5)?


# 1.20 19-Aug-2001 dhartmei

Add parameter list support to parser. Handles lists for protocol, hosts
and ports in filter rules, like

block in from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
pass in proto tcp from any to any port { ssh, 1024 >< 2000, > 65000 }
block in proto { udp, igmp }

and does rule expansion (generate all needed rule combinations).


# 1.19 16-Aug-2001 deraadt

track the line number per-token, so that we can report errors correctly


# 1.18 14-Aug-2001 mickey

optimize the flags parsing; markus@ ok


# 1.17 11-Aug-2001 deraadt

\+\n support, and spit out cc-style error messages. the parser's line
counting is lex dependent, and will need to be tweaked


# 1.16 31-Jul-2001 wilfried

allow to test that flags are unset, ok dhartmei@, mickey@


# 1.15 19-Jul-2001 krw

Fix/complete the handling of the binary ops >< and <> to behave
like the ipf operators.

The 'n >< m' construct (Include Range = PF_OP_IRG) should match
ports greater than n and less than m, not greater than or equal to
n and less than or equal to m.

The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match
all ports less than n OR greater than m, not be treated as an
alias for ><.

Thus PF_OP_GL, which was used for both <> and >< is replaced with
PF_OP_IRG and PF_OP_XRG with the 'correct' semantics.

OK dhartmei@


# 1.14 18-Jul-2001 markus

new ERROR token, errx() -> warnx() + ERROR; ok deraadt@


# 1.13 18-Jul-2001 markus

KNF for return


# 1.12 18-Jul-2001 mickey

check number range to fit in 32 bits


# 1.11 18-Jul-2001 mickey

put range checks on NUMBER, pointed out by deraadt


# 1.10 17-Jul-2001 mickey

spaces, parens, err instead of errx+strerror


# 1.9 17-Jul-2001 markus

warnx()/YYERROR instead of errx(); suggested by mickey@


# 1.8 17-Jul-2001 provos

markus doesn't like min-ttl =, begone


# 1.7 17-Jul-2001 provos

support min-ttl, okay dhartmei@


# 1.6 17-Jul-2001 provos

normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@


# 1.5 17-Jul-2001 marc

bitch about ! in pf rule; ok dhartmei@ and markus@


# 1.4 17-Jul-2001 millert

Only set default proto in the rdr case; markus@ OK


# 1.3 16-Jul-2001 markus

errx() if getservbyname() fails


# 1.2 16-Jul-2001 markus

better flags parsing; dhartmei


# 1.1 16-Jul-2001 markus

add a yacc parser for pf.conf and nat.conf, with help from mickey@,
plus: -n now turns off all operations, and just parses the conf files
ok deraadt@


# 1.709 01-Feb-2021 dlg

change route-to so it sends packets to IPs instead of interfaces.

this is a significant (and breaking) reworking of the policy based
routing that pf can do. the intention is to make it as easy as
nat/rdr to use, and more robust when it's operating.

the main reasons for this change are:

- route-to, reply-to, and dup-to do not work with pfsync

this is because the information about where to route-to is stored in
rules, and it is hard to have a ruleset synced between firewalls,
and impossible to have them synced 100% of the time.

- i can make my boxes panic in certain situations using route-to

yeah...

- the configuration and syntax for route-to rules are confusing.

the argument to route-to and co is an interace name with an optional
ip address. there are several problems with this. one is that people
tend to think about routing as sending packets to peers by their
address, not by the interface they're reachable on. another is that
we currently have no way to synchronise interface topology information
between firewalls, so using an interface to say where packets go
means we can't do failover of these states with pfsync. another
is that a change in routing topology means a host may become
reachable over a different interface. tying routing policy to
interfaces gets in the way of failover and load balancing.

this change does the following:

- stores the route info in the state instead of the pf rule

this allows route-to to keep working when the ruleset changes, and
allows route-to info to be sent over pfsync. there's enough spare bits
in pfsync messages that the protocol doesnt break.

the caveat is that route-to becomes tied to pass rules that create
state, like rdr-to and nat-to.

- the argument to route-to etc is a destination ip address

it's not limited to a next-hop address (thought a next-hop can be a
destination address). this allows for the failover and load balancing
referred to above.

- deprecates the address@interface host syntax in pfctl

because routing is done entirely by IPs, the interface is derived from
the route lookup, not pf. any attempt to use the @interface syntax
will fail now in all contexts.

there's enthusiasm from proctor@ jmatthew@ and others
ok sashan@ bluhm@


# 1.708 12-Jan-2021 bluhm

Sometimes a user ID was logged in pflog(4) although the logopt of
the rule did not specify it. Check the option again for the log
rule in case another rule has triggered a socket lookup. Remove
logopt group, it is not documented and cannot work as struct pfloghdr
does not contain a gid. Rename PF_LOG_SOCKET_LOOKUP to PF_LOG_USER
to express what it does. The lookup involved is only an implemntation
detail.
OK kn@ sashan@ mvs@


# 1.707 16-Dec-2020 kn

Fail to parse rules with invalid ranges

This makes pfctl(8) detect bogus ranges (with and without `-n') before
loading the ruleset and completes the previous commit.

OK sashan sthen


# 1.706 16-Dec-2020 kn

Reject rules with invalid port ranges

Ranges where the left boundary is bigger than the right one are always bogus
as they work like `port any' (`port 34<>12' means "all ports") or in way
that inverts the rule's action (`pass ... port 34:12' means "pass no port at
all").

Add checks for all ranges and invalidate those that yield no or all ports.

For this to work on redirections, make pfctl(8) pass the range's type,
otherwise boundary including ranges are not detected as such; that is to
say, `struct pf_pool's `port_op' member was unused in the kernel so far.

`rdr-to' rules with invalid ranges could panic the kernel when hit.
Reported-by: syzbot+9c309db201f06e39a8ba@syzkaller.appspotmail.com

OK sashan


# 1.705 07-Dec-2020 sashan

synproxy should be processing incoming SYN packets only.
issue noticed by sthen@. fix discussed with bluhm@ and procter@

OK bluhm@, kn@, procter@


# 1.704 01-Oct-2020 kn

rdomain IDs do not need to exist for "on rdomain N" to work

Unlike "... rtable N", pf.conf(5)'s "on rdomain N" does not alter packet
state and will always work no matter if rdomain N currently exists or not,
i.e. the rule "pass on rdomain 42" will simply match (and pass) packets if
rdomain 42 exists, and it will simply not match (neither pass nor block)
packets if 42 does not exist.

There's no need to reload the ruleset whenever routing domains are created
or deleted, which can already be observed now by creating an rdomain,
loading rules referencing it and deleting the same rdomain immediately
afterwards: pf will continue to work as expected.

Relax both pfctl(8)'s parser check as well as pf(4)'s copyin routine to
accept any valid routing domain ID without expecting it to exist at the time
of ruleset creation - this lifts the requirement to create rdomains before
referencing them in pf.conf while keeping pf behaviour unchanged.

Prompted by yasuoka's recent pfctl parse.y r1.702 commit requiring an rtable
to exist upon ruleset creation.

Discussed with claudio and bluhm at k2k20.

Feedback sashan
OK sashan yasouka claudio


Revision tags: OPENBSD_6_8_BASE
# 1.703 17-Sep-2020 yasuoka

Fix the previous commit whose conditions were reversed.

ok kn


# 1.702 17-Sep-2020 yasuoka

Make pfctl(8) check if the rtable really exists when parsing the
config. work with and diff from kn

ok kn


Revision tags: OPENBSD_6_7_BASE
# 1.701 28-Jan-2020 bket

sbin/pfctl: replace TAILQ concatenation loop with TAILQ_CONCAT

OK kn@, sashan@, florian@


# 1.700 15-Jan-2020 kn

Do the actual pfr_strerror() to pf_strerror() rename

Missed in previous


# 1.699 17-Oct-2019 millert

Use -1 to indicate an invalid uid/gid, not UID_MAX and GID_MAX.
This is the userland portion. OK deraadt@ sashan@


Revision tags: OPENBSD_6_6_BASE
# 1.698 26-Aug-2019 tobhe

Fix file descriptor leak due to popfile() never closing the main config file.

The fix is the same as for other parse.y files in the tree (see bgpd(8) or
unwind(8))

ok bluhm@


# 1.697 05-Jul-2019 patrick

Fix integer sizes in format strings and enable formatting warnings
for yyerror.

From Moritz Buhl
ok bluhm@ claudio@


# 1.696 08-May-2019 sashan

pfctl should check pfctl.astack is not overrun
(bug found and fixed by Petr Hoffmann _at_ oracle.com)

OK kn@


# 1.695 18-Apr-2019 kn

Fix table definition parsing as unprivileged user

revision 1.689 introduced warn_duplicate_tables() unconditionally, breaking
the parser on tables withs insufficient permissions to open pf(4):

$ echo 'table <t>' | pfctl -nf-
pfctl: pfr_get_tables: Bad file descriptor

So simply check whether pfctl is able to get the table list first. If not,
instead of silently avoiding namespace collision checks, print a brief
notice iff `-v' is given to help finding duplicate definitions by hand:

$ echo 'table <t>' | ./obj/pfctl -vnf-
table <t>
stdin:1: skipping duplicate table checks for <t>

Reported by Rivo Nurges, thanks!
OK benno sashan


Revision tags: OPENBSD_6_5_BASE
# 1.694 06-Mar-2019 kn

Fix once rules

parse.y revision 1.682 from 16.07.2018 errornously allowed `match once' and
`anchor "a" once'.

Fix both by checking for PF_DROP not PF_MATCH and creating anchors in the
parser already such that they can be used to distinguish anchor rules in
the same check as well.

Found and fixed by Petr Hoffmann <petr.hoffmann at oracle dot com>, thanks!

While here, remove an unneeded cast and make pfctl_add_rule() void as it
always returned 0.

OK sashan


# 1.693 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.692 10-Feb-2019 kn

Anchor names must not be empty

The parser would allow bogus input and sometimes even produce invalid rules
on empty anchor names, so error out immediately.

OK sashan


# 1.691 10-Feb-2019 kn

Unify anchor name sanity checks

For anchor names, make `load anchor' use the same grammar as `anchor' and
merge unique checks from both places so that anchor names are validated
regardless of the specific rule at hand.

OK sashan


# 1.690 31-Jan-2019 kn

Make divert-packet port accept any port specification

Contrary to other rules accepting a single port, this one only works with
numerical values. Fix it by simply using the proper grammar.

Port ranges are not accepted, but an error message on a range without start
was missing in general, so add it while here.

OK bluhm


# 1.689 11-Jan-2019 kn

When creating tables inside anchors, pfctl warned about namespace
collisions with global tables, but only in certain cases and with
limited information sometimes leaving users clueless.

Deferring the check to process_tabledefs() where tables are eventually
created, both anchor and table name are known which allows for checking
all existing anchors.

With this, warn on all duplicates even in dry-runs (`-n') and print
quoted names so they can be copied to fix configurations right away.

No functional change in parsing or ruleset production.

Discussed with and OK sashan


# 1.688 15-Nov-2018 dlg

scrub opts dont set tos, so remove it from the scrub_opts struct

ok deraadt@


# 1.687 10-Nov-2018 kn

Unbreak `-D macro=value' (r1.686 regression)

Zap trailing semicolon introduced with miko's cmdline_symset() leading to
unconditional err(3). Zap trailing tab while here.


# 1.686 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.685 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.684 16-Sep-2018 millert

Use uid_from_user(3) and gid_from_group(3) in utilities that
do repeated lookups. OK tb@


# 1.683 06-Sep-2018 kn

Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan


# 1.682 16-Jul-2018 kn

reduce duplicate code, fix typo/free correct buffer

In filteropts_to_rule():

* Merge `once' handling from `anchorrule' and `pfrule'
* Remove/shorten duplicate code block
* Fix typo I introduced with r1.678 that frees the wrong buffer (twice)

OK sashan


# 1.681 13-Jul-2018 kn

Fix regression on child queue definitions

I committed the wrong diff in 1.680 which turned `queue cq parent pq ...'
into invalid syntax by changing `interface' to `ON if_item'.

Found by bket, thanks!


# 1.680 11-Jul-2018 kn

Prevent invalid interface specifiers on queue rules

pf.conf(5) states that queues attach to actual interfaces only, yet the
following parses:

# echo queue eq on egress bandwidth 1G default | pfctl -f-
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

# echo queue rq on rdomain 0 bandwidth 1G default | pfctl -vf-
queue rq bandwidth 1G default
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

On rdomains, ifa_exists() returns NULL.
On interface groups, ifa_exists() returns non-NULL but af is never set
to AF_LINK.

OK henning sashan


# 1.679 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.678 10-Jul-2018 henning

'set delay' for the generic packet delay mechanism, ok benno sashan


# 1.677 10-Jul-2018 kn

fix anchor rules with filter opts, introduce filteropts_to_rule()

Some filter options were parsed but not set on anchor rules due to missing
copies of the respective struct members:

$ cat pf.conf
queue rq on trunk0 bandwidth 1G
queue dq parent rq bandwidth 1G default
anchor a set queue dq
$ pfctl -vnf pf.conf | fgrep queue
anchor "a" all

Fix this by moving common code from `anchorrule' and `pfrule' into a new
helper filteropts_to_rule().

Input from henning and benno
OK henning sashan jca


# 1.676 09-Jul-2018 kn

Zap dead code

Commented since r1.465 (2004).

OK deraadt benno jca sashan


# 1.675 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.674 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.673 18-May-2018 benno

A pf rule with a "on rdomain n" with nonexisting rdomain n will cause an

pfctl: DIOCADDRULE: Device busy

error when loading the ruleset, with no information which rule caused
the problem and no indication that the problem is the rdomain
<nonexisting>.

This diff makes pfctl check if the rdomain really exists when parsing
the config.

ok bluhm@


# 1.672 09-May-2018 otto

Fix (include file ) line number counting by keeping track of the unget
buffer per file; also use that buffer to expand macros.
ok sashan@ dennis@ krw@


# 1.671 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.670 08-Feb-2018 henning

make the watermarks/thresholds for entering and leaving syncookie mode when
syncookies are set to adaptive tunable, ok claudio benno


# 1.669 06-Feb-2018 henning

allow control over syncookies: set syncookies never/always/adaptive


# 1.668 28-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@


# 1.667 27-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Convert the pfctl(8) rule parser to divert types, kernel cleanup
will be the next step.
OK sashan@


# 1.666 25-Nov-2017 sashan

- pfctl fails to handle nested 'load anchor' properly
[ + yet another 'anchor name vs. path mix up' in load anchor (parse.y) ]

OK bluhm@


# 1.665 14-Nov-2017 sashan

- nested anchors vs. pfctl/parse.y
bug reported and fix tested by Leonardo Guardati

OK bluhm@


# 1.664 13-Nov-2017 henning

add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb


Revision tags: OPENBSD_6_2_BASE
# 1.663 11-Aug-2017 benno

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@


# 1.662 19-Jul-2017 mikeb

Allow HFSC classes to use flow queues

The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue. Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.

Discussed with and OK henning@ at d2k17 as a part of a larger diff.


# 1.661 19-Jul-2017 mikeb

Rework HFSC vs FQ-CoDel checks

The selection mechanism introduced in pf_ioctl.c -r1.316 suffers
from being too ambiguous and lacks robustness. Instead of relying
on composition of multiple flags in the queue specification, it's
easier to identify the root class (if it exists) and derive all
further checks from it.


# 1.660 28-May-2017 akfaew

Don't check np->port for NULL - it's an array, it's never NULL.

OK bluhm@


# 1.659 15-May-2017 mikeb

Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)

OK sthen, visa


# 1.658 28-Apr-2017 mikeb

Remove double assignments


Revision tags: OPENBSD_6_1_BASE
# 1.657 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.656 23-Nov-2016 bluhm

Explicitly forbid to combine af-to with route-to in pfctl. The
parser cannot handle that correctly and it is unclear whether the
kernel code would work. Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@


# 1.655 26-Aug-2016 guenther

Add <time.h> for time(); sort <*.h> includes

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.654 18-Jul-2016 henning

g/c unused (global!) var: oqueues isn't used any more. ALTQ leftover; not
noticed since struct node_queue stayed. ok claudio benno gcc


# 1.653 22-Jun-2016 kettenis

Add curly braces that were missed in rev 1.651. Add parentheses to make the
condition in the if statement more readable while I'm there.

ok phessler@, benno@, florian@


# 1.652 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.651 21-Jun-2016 benno

the manpage documents that af-to does not work on pass out rules, but
the pf.conf parser allows it, which leads to a non-working configuration
being loaded.
this changes the parser to make pass out .. af-to an error.

ok henning@ mikeb@


# 1.650 16-Jun-2016 henning

allow include in inline anchors
with this,
anchor foo {
include "/path/to/rules"
}
works and "load anchor" is obsolete, to be removed somewhen later after
release.
co-production with reyk at bsdcan, ok reyk mikeb benno sasha


Revision tags: OPENBSD_5_9_BASE
# 1.649 01-Sep-2015 sashan

- route-to, dup-to, reply-to should not override the block action

Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>

ok jung@, ok mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.648 21-Apr-2015 mikeb

Improve divert-to specification parsing w.r.t. rule address family.
ok henning


Revision tags: OPENBSD_5_7_BASE
# 1.647 26-Feb-2015 sthen

%% not % in error message; ok millert@ henning@


# 1.646 14-Feb-2015 sthen

Rather than using 0xff as a placeholder for "don't check prio", use 0xff to
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.

Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesn't like it he can change it when he recovers from jet-lag"


# 1.645 10-Feb-2015 henning

since we inherit prio (as in, the queuing priority) from outside sources,
i. e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan


# 1.644 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.643 19-Dec-2014 reyk

Support source-hash and random with tables and dynifs; not just pools.
This finally allows using source-hash for dynamic loadbalancing, eg.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.

An older pre-siphash version of this diff was tested by many people.

OK tedu@ benno@


# 1.642 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.641 27-Oct-2014 mikeb

Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic. Reported by sthen@;
ok henning benno sthen


# 1.640 25-Oct-2014 lteo

Remove unnecessary netinet/in_systm.h include.

ok millert@


# 1.639 13-Sep-2014 doug

Replace all queue *_END macro calls except CIRCLEQ_END with NULL.

CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.

ok millert@


# 1.638 23-Aug-2014 pelikan

when you specify queues in a rule, make sure they have been defined.

DIOCADDRULE EBUSY turns into an error message that pfctl -n catches.
DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported
to occur, possibly from hfsc.c: this should be fixed as well.

ok henning mikeb sthen


# 1.637 21-Aug-2014 mikeb

deny "once" flags for match rules; ok henning


Revision tags: OPENBSD_5_6_BASE
# 1.636 02-Jul-2014 mikeb

branches: 1.636.4;
condition above makes this part of the check useless;
overlooked in the previous commit


# 1.635 30-Jun-2014 mikeb

Merge two loops in collapse_redirspec into one

This lets us do the checks only once and also make smarter decisions
about the rule's own address family. As a result af-to rules no longer
need to specify the address family after 'pass'.

ok henning


# 1.634 25-Jun-2014 mikeb

Make stricter decisions when handling translation specifications.

In particular, disallow specifications containing addresses of
different address families when the rule doesn't specify one, for
example "pass out nat-to { ::1 1.1.1.1 }" will now produce an
error instead of silently picking one of the addresses.

sthen and deraadt agree


# 1.633 17-May-2014 bluhm

When parsing a numerical value for the TOS bits, make sure that it
is in a valid range.
OK henning@


# 1.632 19-Apr-2014 henning

remove altq bits here, too
(i was convinced i committed that yesterday already, hrm)


Revision tags: OPENBSD_5_5_BASE
# 1.631 22-Jan-2014 henning

branches: 1.631.4;
relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.630 21-Jan-2014 henning

if_item can be "any" now.
allows things like
block out on $someif received-on any
to prevent packets from getting forwarded to $someif


# 1.629 20-Jan-2014 henning

support "!received-on <interface>", ok dlg benno


# 1.628 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.627 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert
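
An added example (not code from parse.y or OpenBSD) that puts the three lexer fixes recorded above into one small C lexer: the unsigned char casts before ctype(3) calls from r1.627/r1.628, the rejection of embedded NUL bytes from r1.642, and the `\ `, `\<tab>` and `\<newline>` handling inside quotes from r1.685. The names lex_quoted, lex_word and enum lex_result and the exact escape set are assumptions of this example.

```c
/*
 * Added example, not code from OpenBSD's parse.y: a minimal pf.conf-style
 * string lexer that applies three fixes recorded in this log.
 *   r1.627/r1.628: bytes reach ctype(3) as unsigned char, never as a
 *                  possibly negative plain char (undefined behaviour).
 *   r1.642:        an embedded NUL inside a quoted string is an error,
 *                  not a silently truncated name.
 *   r1.685:        inside quotes "\ " and "\<tab>" yield the space or tab
 *                  and "\<newline>" is a line continuation.
 * The names lex_quoted, lex_word and enum lex_result are invented here.
 */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

enum lex_result {
	LEX_OK = 0,
	LEX_ERR_NUL,		/* embedded NUL byte inside the string */
	LEX_ERR_UNTERMINATED,	/* input ended before the closing quote */
	LEX_ERR_TOOLONG		/* decoded string does not fit in out */
};

/*
 * Lex a double-quoted string from in[0..inlen); in[0] must be the opening
 * quote. On LEX_OK the decoded, NUL-terminated string is in out, *consumed
 * holds the number of input bytes used (including both quotes) and *lineno
 * has been advanced once per newline seen.
 */
enum lex_result
lex_quoted(const unsigned char *in, size_t inlen, char *out, size_t outsz,
    size_t *consumed, int *lineno)
{
	size_t i = 1, o = 0;

	if (inlen == 0 || in[0] != '"' || outsz == 0)
		return (LEX_ERR_UNTERMINATED);
	while (i < inlen) {
		unsigned char c = in[i++];

		if (c == '\\') {
			unsigned char next;

			if (i >= inlen)
				return (LEX_ERR_UNTERMINATED);
			next = in[i];
			if (next == '\n') {		/* line continuation */
				i++;
				(*lineno)++;
				continue;
			}
			if (next == '"' || next == '\\' || next == ' ' ||
			    next == '\t') {		/* escaped character */
				c = next;
				i++;
			}
			/* any other sequence keeps the literal backslash */
		} else if (c == '"') {
			out[o] = '\0';
			*consumed = i;
			return (LEX_OK);
		} else if (c == '\0') {
			/*
			 * A NUL here would end the C string early, so the
			 * name validated later and the name actually stored
			 * would differ; rejecting it is what r1.642 did.
			 */
			return (LEX_ERR_NUL);
		} else if (c == '\n') {
			(*lineno)++;
		}
		if (o + 1 >= outsz)
			return (LEX_ERR_TOOLONG);
		out[o++] = (char)c;
	}
	return (LEX_ERR_UNTERMINATED);
}

/*
 * Lex an unquoted word: a run of alphanumerics plus '_', '-' and '.'.
 * isalnum() gets an unsigned char, so a high-bit byte such as 0xe9 is
 * simply classified as "not a word character" (in the C locale) instead
 * of being passed as a negative int. Returns the word length.
 */
size_t
lex_word(const unsigned char *in, size_t inlen, char *out, size_t outsz)
{
	size_t n = 0;

	while (n < inlen && n + 1 < outsz) {
		unsigned char c = in[n];

		if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
			break;
		out[n++] = (char)c;
	}
	out[n] = '\0';
	return (n);
}
```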


# 1.626 17-Oct-2013 henning

cannot have queue definitions inside anchors.
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@@ring0.de>, analysis & fix yours truly


# 1.625 12-Oct-2013 henning

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen


# 1.624 01-Aug-2013 mikeb

Provide local implementations of if_nametoindex(3) and if_indextoname(3)
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance wise this change provides a speed up
factor of 20 with an 11k line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).

"wow!" henning, ok benno, florian


Revision tags: OPENBSD_5_4_BASE
# 1.623 01-Jun-2013 henning

branches: 1.623.2;
remove set-tos backwards compat, moved into the set {} block a year ago
ok ryan


# 1.622 02-Mar-2013 sthen

When a PF rule contains 'set tos' *followed by* a scrub option, the tos
value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning


Revision tags: OPENBSD_5_3_BASE
# 1.621 16-Jan-2013 henning

for consistency with prio etc, the queue assignment really belongs
into the set block. so make pfctl accept, print and the manpage document
. match set queue foo
instead of
. match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc


# 1.620 18-Oct-2012 reyk

Disallow tables and interface address pools for rdr-to, nat-to and
route-to with any other scheduling algorithms than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, eg. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.

Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.

ok zinke@


# 1.619 18-Sep-2012 henning

prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb


Revision tags: OPENBSD_5_2_BASE
# 1.618 10-Jul-2012 bluhm

Allow an implicit address family for af-to rules. If the address
family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6"
there.
OK henning@ mikeb@


# 1.617 10-Jul-2012 henning

set { ... } -> set ( ... )
brought up by ryan, discussed with him and theo and they convinced me


# 1.616 09-Jul-2012 henning

fix some of the confusion we have in pf regarding filter criteria vs
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler


# 1.615 07-Jul-2012 henning

remove incorrect check in pfctl preventing set-tos for ipvshit.
the kernel has code to deal with set-tos and that crap. don't ask for
details. stuart ok


# 1.614 07-Jul-2012 henning

rename prio in struct pf_rule and related structs to set_prio so it is
utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc


Revision tags: OPENBSD_5_1_BASE
# 1.613 19-Dec-2011 mikeb

unbreak rule optimizer; ok henning, looks


# 1.612 12-Dec-2011 mikeb

fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault


# 1.611 03-Dec-2011 mcbride

pfctl_set_hostid always returns 0; don't pretend otherwise and make it a
void function instead.

ok dlg


# 1.610 13-Oct-2011 claudio

pfctl change for af-to / NAT64 support.
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@


# 1.609 07-Sep-2011 haesbaert

Avoid possible SIGSEGV when wrong tos option.


# 1.608 30-Aug-2011 mikeb

One shot rules can be used in pf.conf by specifying a "once" filter option.

ok henning, mcbride


Revision tags: OPENBSD_5_0_BASE
# 1.607 29-Jul-2011 mcbride

Remove requirement to quote 'debug' loglevel for the 'debug' option.

ok henning


# 1.606 27-Jul-2011 mcbride

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt


# 1.605 13-Jul-2011 mcbride

Force user to specify protocol when filtering on user, gid, and os
attributes (this is now required by pf_rule_test()).

ok sthen henning


# 1.604 08-Jul-2011 henning

allow rules to specify "prio X" or "prio (X, Y)" to assign priority levels
for the new priority queueing implementation. valid range is 0 to 7. the old
trick for prioritizing empty ACKs etc remains thru the latter notation
ok ryan mpf sthen plus pea testing and halex and claudio reading


# 1.603 07-Jul-2011 mcbride

Fold pf_test_fragment() into pf_test_rule(), reduce code and fixes
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus


# 1.602 04-Jul-2011 henning

bye bye require-order.
i added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo


# 1.601 03-Jul-2011 henning

g/c RIO traces (aka clean up after tedu :))


# 1.600 03-Jul-2011 zinke

bring in least-states load balancing algorithm

ok mcbride@ henning@


# 1.599 06-Apr-2011 claudio

Userland bits to allow PF to filter on the rdomain a packet belongs to.
This allows writing rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@


# 1.598 05-Apr-2011 mikeb

ditch fastroute, an ipf feature that made its way into pf before
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do. reuse some kernel bits for the upcoming nat64
stuff. "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.


Revision tags: OPENBSD_4_9_BASE
# 1.597 31-Dec-2010 bluhm

According to pf_scrub_ip6() pf does not support the scrub options
no-df, random-id, set-tos for IPv6 rules. Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@


# 1.596 15-Dec-2010 henning

make the "invalid probability:" yyerror suck less
From: Thomas Pfaff <tpfaff@tp76.info>


# 1.595 01-Dec-2010 jsg

remove some unused tokens
ok henning@ mcbride@


# 1.594 24-Sep-2010 henning

remove the check that enforced rdr-to only inbound and nat-to only outbound.
both now can be used in both directions. the kernel allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given, a rule with rdr-to and/or nat-to
and no direction is pretty certainly an error (even though it would work,
technically)
ok ryan claudio dlg


# 1.593 22-Sep-2010 henning

new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually


# 1.592 02-Sep-2010 sobrado

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@


Revision tags: OPENBSD_4_8_BASE
# 1.591 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.590 03-Jul-2010 mcbride

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.

tested by phessler
ok henning


# 1.589 23-Mar-2010 henning

remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving anchors aside) is wrong and
conflicts with the general idea of how pf works. last but not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc


Revision tags: OPENBSD_4_7_BASE
# 1.588 13-Jan-2010 deraadt

Move tokens before productions into more consistent places
ok mcbride


# 1.587 13-Jan-2010 mcbride

Allow /netmask notation in redir spec, fix the rest of the regress
tests for illegal conditions in translation/routing.


# 1.586 12-Jan-2010 mcbride

We actually have to keep the translate/route spec addresses around after
collapsing into tables, so that we can handle all possible address family
expansions.


# 1.585 12-Jan-2010 mcbride

Set roundrobin flag correctly, and don't treat a bare interface
like a dynamic one in the routespec.


# 1.584 12-Jan-2010 mcbride

Add restrictions to make @if illegal outside of routing specs;
Fix binat-to sanity checks.


# 1.583 12-Jan-2010 mcbride

Fix some issues in redir spec handling, discovered thanks to dlg testing
- purge irrelevant addresses from the lists before collapsing
- ensure the lists are freed after they're collapsed
- more careful ifname copying, avoiding double-free / use-after-free traps


# 1.582 12-Jan-2010 mcbride

Don't leak @if0 format routing host names, pointed out by claudio.


# 1.581 12-Jan-2010 mcbride

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio


# 1.580 10-Jan-2010 deraadt

lex <=, >=, and != into a single token for correctness and to reduce the
lookahead in the parser
ok henning otto


# 1.579 10-Jan-2010 deraadt

In the non-optimized case, an address list containing "any" (ie. { any 10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1. How long this bug has
been with us is unclear.
ok guenther mcbride


# 1.578 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


# 1.577 24-Dec-2009 dlg

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:

pass out on em0 from $foo to $bar received-on fxp0

i've been running this in production for a week now. i find it particularly
useful with interface groups.

no objections, and a few "i like"s from henning, claudio, deraadt, mpf


# 1.576 10-Dec-2009 deraadt

plug some memory leaks; found by parfait, ok henning


# 1.575 22-Nov-2009 henning

cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing


# 1.574 09-Nov-2009 jsg

A few more places to be updated for the route pool change.
expanded version of a diff from Vadim Zhukov.

ok henning@ claudio@


# 1.573 28-Oct-2009 jsg

Add a dedicated pf pool for route options as suggested by henning,
which unbreaks ie route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@


# 1.572 28-Oct-2009 claudio

route_host initializes the netmask to a /128 no matter what af is used so
that the load balancing code does not freak out but because of this
check_netmask() is now complaining. So set the addr.type to PF_ADDR_DYNIFTL
so check_netmask() is fixing up the netmask for IPv4 and stops complaining.
This is a partial fix for the failing regress test 13.
found with jsg, looks good henning


# 1.571 28-Oct-2009 claudio

Correct function name in err and errx.


# 1.570 04-Oct-2009 michele

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who spotted the limitations of this approach.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@


# 1.569 08-Sep-2009 michele

I had not enough oks to commit this diff.
Sorry.


# 1.568 08-Sep-2009 michele

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.


# 1.567 07-Sep-2009 reyk

implement binat-to as a macro-like rule: a rule using the new binat-to
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. this simplifies the migration from old
binat rules and is less error-prone.

feedback from many, manpage bits from jmc@
ok henning@


# 1.566 03-Sep-2009 reyk

this time i commit the right diff that was
ok henning@ (sorry)


# 1.565 03-Sep-2009 reyk

fix two route-to vs. rdr-to conflicts.

found by sthen@
ok henning@


# 1.564 02-Sep-2009 reyk

all the new *-to options are part of the "filteropts" section at the
end of a pf rule (nat-to, divert-to, rdr-to, ...). take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.

for example,
pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)

many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@


# 1.563 01-Sep-2009 henning

the diff theo calls me insanae for:
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too


# 1.562 28-Jul-2009 claudio

Bring back rev. 1.560:
Make it possible to use DiffServ Code Point in the TOS fields.
Requested by deraadt@


# 1.561 27-Jul-2009 deraadt

When will people learn to commit their .h file changes?


# 1.560 27-Jul-2009 claudio

Make it possible to use DiffServ Code Point in the TOS fields. Names like
af11, cs6 and ef will now be mapped to the corresponding TOS value.
OK henning@, sthen@, mcbride@


Revision tags: OPENBSD_4_6_BASE
# 1.559 14-May-2009 sthen

actually change the require-order default to No; I missed a part with
my last commit. ok deraadt@


# 1.558 26-Apr-2009 sthen

switch the require-order default to "no". regression tests still pass.
ok henning@ deraadt@


# 1.557 25-Apr-2009 henning

scrub_opts must not be empty, scrub on its own does nothing.
noticed due to a question from otto@, ok regress/sbin/pfctl/ ;)


# 1.556 06-Apr-2009 henning

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.


Revision tags: OPENBSD_4_5_BASE
# 1.555 19-Feb-2009 deraadt

spacing


# 1.554 17-Oct-2008 henning

in findeol(), do not skip the pushback buffer. fixes PR 5952 by sthen@ and
should make the pushback buffer really transparent.
diagnosis by me, fix with mpf, some input deraadt, ok mpf


# 1.553 02-Oct-2008 henning

implement "set state-defaults X", where X is a list of state options as
permitted keep state(X). applies to all rules which do not have keep state
explicitly. e. g. "set state-defaults pflow, no-sync"
ok phessler deraadt


# 1.552 10-Sep-2008 deraadt

do not try to print $$ when it has not been set


# 1.551 09-Sep-2008 henning

welcome pflow(4), a netflow v5 compatible flow export interface.
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo


# 1.550 07-Aug-2008 henning

correctly copy the log interface spec when expanding an antispoof rule that
covers loopback addresses. ok ryan
problem report from Harald Dunkel <harald.dunkel@aixigo.de>


Revision tags: OPENBSD_4_4_BASE
# 1.549 03-Jul-2008 deraadt

do not forget to initialize other member of $$ in qname; noted by mark shroyer
ok henning


# 1.548 10-Jun-2008 mcbride

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt


# 1.547 10-Jun-2008 henning

new state option "sloppy" to use the sloppy tcp state tracker instead
of the good one. ok theo ryan reyk


# 1.546 09-May-2008 deraadt

Replace a crockpot of semi-cloned productions for handling port
numbers with one, and fix a few other bugs along the way
ok mpf henning


# 1.545 09-May-2008 markus

convert port byte order in the production; add port keyword; ok deraadt@


# 1.544 09-May-2008 markus

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@


# 1.543 08-May-2008 deraadt

make "to any" optional in binat, or well, the implied default.
requested by reyk, ok reyk mpf


# 1.542 08-May-2008 deraadt

Loosen grammar to permit any number of newlines within most kinds of { }
blocks, as requested by reyk; ok reyk mpf henning


# 1.541 08-May-2008 deraadt

Bring back (in a more yacc friendly way) support for setting variables
to a sequence of strings and numbers, which get folded together into one
string (and later, when used, is re-lexed)
ok mpf


# 1.540 07-May-2008 deraadt

do not assume PF_INOUT is 0 in the enum; ok mcbride


# 1.539 07-May-2008 markus

scrub packets based on tags; ok henning


# 1.538 07-May-2008 markus

allow setting TOS with scrub; ok mcbride, claudio


# 1.537 21-Apr-2008 deraadt

optnl is a crutch for those who do not understand yacc. it
leads to a variety of errors; ok mcbride


Revision tags: OPENBSD_4_3_BASE
# 1.536 01-Feb-2008 mcbride

Enable the rest of the filter_opts to be used on anchors. These were accepted
by the parser but not passed to the kernel. This allows filtering based on
uid, gid, icmp options, tcp flags, os fingerprint, tos, tags, and probability;
It also allows the label to be set. State options and tagging are not
permitted.

ok henning mpf


# 1.535 13-Nov-2007 mpf

Bring back the number converter for 'set hostid'.
I forgot to think about hex numbers when I removed it.
OK deraadt@


# 1.534 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.533 25-Oct-2007 mpf

Fix probability rules w/ numbers (e.g. probability 0.4).
Add support for probabilities of 0% and 100%.
With and OK deraadt@


# 1.532 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.531 22-Oct-2007 deraadt

pfctl does not need file secrecy


# 1.530 16-Oct-2007 mpf

Allow unquoted numbers in variables.
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.

OK deraadt@


# 1.529 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.528 13-Oct-2007 deraadt

support an include directive; file of course must also be "secure" like
the main configuration file; ok henning


# 1.527 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.526 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.525 01-Oct-2007 mpf

Backout NUMBER to string conversion.
Requested by deraadt@


# 1.524 27-Sep-2007 mpf

Add loginterface support for groups.
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.

OK henning@, markus@


# 1.523 23-Sep-2007 mpf

Allow numbers to be used as unquoted strings again.
While there, also restrict the use of concatenated, unquoted
strings for variable assignments only.

Eyeballed by markus@, OK henning@


# 1.522 12-Sep-2007 deraadt

add a missing range check for rtable ids; ok cloder henning


# 1.521 12-Sep-2007 deraadt

Add support to the lex for parsing number out of the stream. handle
this in the parser. because the new numbers are int64_t, many new
range checks for < 0 are needed. re-check and improve all the
existing rangechecks while at it. thanks for help by cloder and
dhartmei


# 1.520 30-Aug-2007 dhartmei

add support for address ranges ("from 10.1.2.50 - 10.1.3.75") in from/to
criteria. ok mcbride@


Revision tags: OPENBSD_4_2_BASE
# 1.519 21-Jun-2007 henning

always initialize logif, from max laier, ok ryan


# 1.518 20-Jun-2007 mpf

Allow "log" for nat rules without "pass".
OK henning@, ``passt scho'' markus@


Revision tags: OPENBSD_4_1_BASE
# 1.517 03-Feb-2007 dhartmei

in decide_address_family(), only limit a rule to a specific address family
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@


# 1.516 07-Nov-2006 mcbride

Unbreak authpf by handling non-inline anchors separately from the { } anchors
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.

ok deraadt@


# 1.515 31-Oct-2006 mcbride

Allow pfctl ruleset optimizer to be controlled from the ruleset.

"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]

You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.

cleanup and ok henning@


# 1.514 31-Oct-2006 mcbride

- don't allow anchors with _* names to be cleared or loaded from the
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified

'looks sensible' deraadt@


# 1.513 28-Oct-2006 mcbride

Load all rules into memory before loading into the kernel, and add support
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").

anchor on fxp0 {
pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@


# 1.512 25-Oct-2006 henning

make absolutely sure logif is 0 unless set specifically, even if log is 0.
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...


# 1.511 25-Oct-2006 henning

and another nit, $$.log should be set to 0 explicitly on quick without log


# 1.510 25-Oct-2006 henning

urgs, $$.quick needs to be set to 0 explicitly on log (without quick)


# 1.509 25-Oct-2006 henning

allow the log interface to be selected like
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride


# 1.508 17-Oct-2006 mcbride

Don't automatically set 'flags S/SA' on stateless rules.

pointed out by david@

ok mpf@ dhartmei@


# 1.507 11-Oct-2006 deraadt

quotes around filename, pr 5253, sthen@zephyr.spacehopper.org


# 1.506 11-Oct-2006 mcbride

Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside
the anchor, terminate ruleset evaluation when stepping out of the anchor.

This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.

ok dhartmei@ henning@ deraadt@


# 1.505 06-Oct-2006 mcbride

Oops, flags S/SA doesn't work on fragments.


# 1.504 06-Oct-2006 mcbride

Make 'flags S/SA keep state' the implicit for filter rules, based on
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.

IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.

Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.

ok dhartmei@ deraadt@ henning@


Revision tags: OPENBSD_4_0_BASE
# 1.503 22-Aug-2006 dhartmei

back out -r1.497 (support for "tagged {}" lists), it broke "tagged" support
for nat rules. sorry, existing functionality trumps syntactic sugar. feel
free to resubmit a complete patch. closes PR 5207.


# 1.502 06-Jul-2006 henning

add "rtable" to select alternate routing tables.
with & ok claudio hshoexer


# 1.501 17-Jun-2006 henning

KNF


# 1.500 28-May-2006 mcbride

Make per-rule adaptive timeouts behave the same way as the global adaptive
timeouts.


# 1.499 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.498 02-May-2006 dhartmei

fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, create
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.


# 1.497 01-May-2006 dhartmei

add support for "tagged {}" lists, from Pierre-Yves Ritschard


# 1.496 06-Apr-2006 henning

allow lists inside lists for address specs, has been in my tree for
quite some time... theo likes


# 1.495 14-Mar-2006 djm

implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@


Revision tags: OPENBSD_3_9_BASE
# 1.494 17-Nov-2005 dhartmei

for pfctl -f rules, open the file before resetting options. when opening
the file fails, produce only the error message and leave options
unchanged. reported by Tamas TEVESZ, ok deraadt@


# 1.493 13-Oct-2005 henning

unused parameters


Revision tags: OPENBSD_3_8_BASE
# 1.492 14-Jun-2005 henning

no need to restrict tagging to stateful rules any more, dhartmei ok
From: "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.491 27-May-2005 dhartmei

get rid of 'log-all'. now that we have 'log (options)', make 'all' an
option to log. so, 'log-all' becomes 'log (all)'.


# 1.490 27-May-2005 dhartmei

get rid of shift/reduce conflicts, don't support empty logopts


# 1.489 27-May-2005 dhartmei

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v is used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.


# 1.488 27-May-2005 dhartmei

allow 'tagged' in 'anchor' rules (without complaining about missing
'keep state'), as a condition to branch into the anchor. suggested
by Bill Marquette.


# 1.487 26-May-2005 camield

The illegalness of "no nat log" is already enforced by the grammar.

ok dhartmei


# 1.486 26-May-2005 dhartmei

support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@


# 1.485 23-May-2005 camield

remove code that duplicates getservice()

ok dhartmei mcbride


# 1.484 21-May-2005 henning

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo


# 1.483 22-Apr-2005 camield

Catch bad flags, ie. flags that always evaluate to false. This happens
if there are flags on the lefthandside that are masked off by the
righthand side.

ok mcbride@ (long time ago) dhartmei@ henning@
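An added illustration of the check this commit describes (example code, not pfctl's own parser): a "flags a/b" spec is parsed into the bits that must be set and the bits that are examined, and a spec whose left-hand bits are not covered by the right-hand mask is reported as one that can never match. The flag letters and bit values are the standard TCP ones; the function names, the result codes and the "/b" handling are assumptions made for this example, and the plain "flags a" form is not handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP header flag bits (the values from netinet/tcp.h), in the letter
 * order pf uses: F S R P A U E W. */
#define TH_FIN	0x01
#define TH_SYN	0x02
#define TH_RST	0x04
#define TH_PUSH	0x08
#define TH_ACK	0x10
#define TH_URG	0x20
#define TH_ECE	0x40
#define TH_CWR	0x80

static const char flagletters[] = "FSRPAUEW";

/* Result codes of check_flags() (constructed for this example). */
enum {
	FLAGS_OK = 0,
	FLAGS_SYNTAX = -1,	/* unknown letter or malformed spec */
	FLAGS_NEVER = -2	/* a bit required by a is masked off by b */
};

/* Convert len flag letters into a bitmask; -1 on an unknown letter. */
static int
parse_flagset(const char *s, size_t len)
{
	int bits = 0;
	size_t i;

	for (i = 0; i < len; i++) {
		const char *p = strchr(flagletters, s[i]);

		if (s[i] == '\0' || p == NULL)
			return (-1);
		bits |= 1 << (p - flagletters);
	}
	return (bits);
}

/* Parse "a/b" (or "/b": none of the bits in b set) into the bits that must
 * be set (flags) and the bits that are examined (mask). Returns FLAGS_OK,
 * FLAGS_SYNTAX, or FLAGS_NEVER when no packet could ever satisfy the spec. */
static int
check_flags(const char *spec, uint8_t *flags, uint8_t *mask)
{
	const char *slash = strchr(spec, '/');
	int a, b;

	if (slash == NULL)
		return (FLAGS_SYNTAX);
	a = parse_flagset(spec, slash - spec);
	b = parse_flagset(slash + 1, strlen(slash + 1));
	if (a < 0 || b < 0 || b == 0)
		return (FLAGS_SYNTAX);
	/* The kernel compares (th_flags & b) == a. A bit set in a but not in
	 * b is never observed on the left, so the comparison is always false. */
	if ((a & ~b) != 0)
		return (FLAGS_NEVER);
	*flags = (uint8_t)a;
	*mask = (uint8_t)b;
	return (FLAGS_OK);
}

/* Convenience wrappers: the verdict alone, and (mask << 8 | flags) or -1. */
static int
flags_verdict(const char *spec)
{
	uint8_t f, m;

	return (check_flags(spec, &f, &m));
}

static int
flags_packed(const char *spec)
{
	uint8_t f, m;

	if (check_flags(spec, &f, &m) != FLAGS_OK)
		return (-1);
	return ((m << 8) | f);
}

int
main(void)
{
	/* Constructed specs: two valid ones, one that can never match, one typo. */
	const char *specs[] = { "S/SA", "/SA", "SA/S", "S/SX" };
	size_t i;

	for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++) {
		int r = flags_verdict(specs[i]);

		printf("flags %-5s -> %s\n", specs[i], r == FLAGS_OK ? "ok" :
		    r == FLAGS_NEVER ? "never matches" : "syntax error");
	}
	return (0);
}
```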


Revision tags: OPENBSD_3_7_BASE
# 1.482 07-Mar-2005 henning

print unsigned long with %lu, not with %d and not with %ld.
From: Andrey Matveev <andrushock@korovino.net>


# 1.481 06-Mar-2005 henning

allow commas in the hfsc service curve spec, inconsistency pointed out in
PR4134 / geoff@collyer.net and a longer mail exchange with han boetes


# 1.480 06-Mar-2005 dhartmei

print "set skip on" with -v in such a way that the output is valid input
syntax, instead of the cryptic hex flags output.


# 1.479 27-Feb-2005 dhartmei

support 'tagged' in translation rules, non-delayed tag lookup
ok henning@, deraadt@


# 1.478 26-Feb-2005 henning

you sure get the impression the number of memory leaks in error paths
is infinite... Andrey Matveev <andrushock@korovino.net> spotted a few again!


# 1.477 07-Feb-2005 david

KNF; ok henning@


# 1.476 28-Jan-2005 dhartmei

add messages for syntax errors that caused silent failure before.
found by Peter Fraser, ok henning@


# 1.475 27-Jan-2005 dhartmei

dynamic interface names must start with a letter. catches the nonsensical
"(10.1.2.3)" that results from a simple typo like "$(ext_ip)" instead of
"$(ext_if)".


# 1.474 05-Jan-2005 mcbride

Modify pfctl behaviour so that 'set ...' options are no longer "sticky", ie.
they are reset to default values if omitted from a subsequent ruleset load.
Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set
without resetting the others, eg:
# echo "set loginterface fxp0" | pfctl -mf -

ok henning@ dhartmei@


# 1.473 29-Dec-2004 mcbride

Print 'set fingerprints' correctly when parsing verbosely.


# 1.472 23-Dec-2004 dhartmei

set rule_flag PFRULE_SRCTRACK when setting srctrack, found by camield@
using regress test pf84


# 1.471 22-Dec-2004 dhartmei

Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@


# 1.470 15-Dec-2004 henning

missing free()s; with pat


# 1.469 10-Dec-2004 henning

allow pf to filter on route labels
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan


# 1.468 08-Dec-2004 mcbride

Add "'overload' requires 'max-src-conn' or 'max-src-conn-rate'" sanity check,
fix some cut-n-paste mayhem in other related checks.


# 1.467 07-Dec-2004 dhartmei

re-commit mcbride@'s 'flush global', this time without the breakage in
pfvar.h. builds kernel and userland.


# 1.466 07-Dec-2004 deraadt

real backout


# 1.465 07-Dec-2004 deraadt

oops, incomplete backout


# 1.464 07-Dec-2004 deraadt

tree does not compile, spotted by dlg (not obvious how to fix)
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.463 07-Dec-2004 mcbride

Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.462 05-Dec-2004 dhartmei

initialize $$->tail and $$->next for MAXSRCCONNRATE


# 1.461 04-Dec-2004 mcbride

Userland support for limiting open tcp connections per source. eg:

keep state (max-src-conn 1000, max-src-conn-rate 100/10, overflow <bad> flush)

allow a maximum of 1000 open connections or 100 new connections in 10 seconds.
The addresses of offenders are added to the <bad> table which can be used in
the ruleset, and existing states from that host are flushed.

ok deraadt@ dhartmei@


# 1.460 21-Sep-2004 aaron

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok


Revision tags: OPENBSD_3_6_BASE
# 1.459 29-Jun-2004 henning

remove cedric's bogus interface name verification code.
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nice enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being bugged to regularly.
help & ok mcbride@


# 1.458 29-Jun-2004 frantzen

convert a few memcpy()s to strlcpy() so we don't copy uninitialized junk into
an interface name's slack space past the \0. will be needed for the optimizer.
ok henning@


# 1.457 26-Jun-2004 david

add back PF_INOUT, fixes reassemble tcp
ok canacar@ mcbride@


# 1.456 25-Jun-2004 deraadt

repair tree nanobreak by the nanobum


# 1.455 10-Jun-2004 dhartmei

rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
keyword in C++. ok henning@, cedric@


# 1.454 21-May-2004 dhartmei

Use '/' instead of ':' as separator for anchor path components. Note that
the parser now needs quotes around paths containing separators.
ok mcbride@


# 1.453 19-May-2004 dhartmei

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@


# 1.452 24-Apr-2004 cedric

Add "probability xxx" rule modifier. ok deraadt@


# 1.451 22-Apr-2004 henning

typo, From: Jared Yanovich <jjy2+@pitt.edu>


# 1.450 14-Apr-2004 cedric

make antispoof work with dynamic addresses. ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_5_BASE
# 1.449 20-Mar-2004 david

spelling fix; ok dhartmei@ henning@ deraadt@


# 1.448 14-Mar-2004 dhartmei

#include fixes, from Max Laier, ok beck@ henning@


# 1.447 08-Mar-2004 henning

plug 124 memory leaks
ok mcbride@ pb@ dhartmei@


# 1.446 06-Mar-2004 henning

from bgpd:
plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. err(1, "yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.445 01-Mar-2004 dhartmei

support "tagged <name>" on anchor rules, suggested by vd@vmunix.lt,
ok henning@, cedric@


# 1.444 24-Feb-2004 mcbride

'max-src-nodes' requires 'source-track rule'. Set that automatically,
unless 'source-track global' is explicit, in which case error out. Lots of
help from cedric@.

ok cedric@ henning@


# 1.443 24-Feb-2004 cedric

fixup.


# 1.442 24-Feb-2004 mcbride

Check for 'source-track rule' with 'max-src-nodes'.

ok cedric@ henning@


# 1.441 11-Feb-2004 cedric

Fix interface clobbering for link-local addresses. Found by Pyun YongHyeon.
Fix "antispoof for foo" when foo has no addresses.
ok+help dhartmei@, ok mcbride@


# 1.440 10-Feb-2004 henning

KNF


# 1.439 10-Feb-2004 henning

fix at least the worst of Cedric "KNF is for everybody but me" Berger's fuckup


# 1.438 04-Feb-2004 mcbride

Handle rules like 'pass ... proto { tcp udp icmp } ... modulate state'

ok dhartmei@ henning@


# 1.437 03-Feb-2004 henning

fix PR 3664 / jared r r spiegel
we need to save the unexpanded tag/tagged strings before entering the
expansion loop, and at each loop, start with the unexpanded tag, so that
on subsequent loops the macros are replaced with current values and not
the values from previous loop persist
ryan theo ok


# 1.436 05-Jan-2004 henning

few off by ones in strlcpy overflow check; Patrick Latifi


# 1.435 04-Jan-2004 cedric

don't ignore "!" on "binat on !foo". ok mcbride@


# 1.434 31-Dec-2003 deraadt

spacing. note this, cedric


# 1.433 31-Dec-2003 cedric

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@


# 1.432 30-Dec-2003 henning

fix TAILQ abuse.
TAILQ_REMOVE is a no-no within a TAILQ_FOREACH loop.
also free the symbol itself after removal.
all found while hacking bgpd which incorporates pfctl's sym code (macros).

ok cedric@


# 1.431 19-Dec-2003 henning

i wrote much of these, assert my copyright


# 1.430 19-Dec-2003 deraadt

assert copyright. i rewrite much of this


# 1.429 16-Dec-2003 mcbride

Check that max-src-states and max-src-nodes are not being set to 0.


# 1.428 15-Dec-2003 henning

KNF here too


# 1.427 15-Dec-2003 mcbride

Whitespace.


# 1.426 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


# 1.425 15-Dec-2003 mcbride

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@


# 1.424 29-Nov-2003 dhartmei

allow ':' (range including boundaries) to be used wherever '><' (range
excluding boundaries) is legal. already supported by kernel, requires only
removal of three error messages. ok henning@


# 1.423 22-Nov-2003 henning

daniel stumbled over a broken regress test, and it turned out that I forgot
to commit a diff from 11/6...
do not insert the "block in on ! interface" rule for antispoof statements when
the interface in question does not have any IP address, because that then
expands to
block in on ! interface all
which is obviously bad.
niklas@ found it, dhartmei@ ok, and I think some more ppl ok I don't remember


# 1.422 14-Nov-2003 henning

allow the debuglevel to be set from pf.conf (set debug)

ok cedric@


# 1.421 08-Nov-2003 mcbride

Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.

pass in proto tcp to self flags S/SA keep state (no-sync)

ok cedric@ henning@ dhartmei@


# 1.420 06-Nov-2003 henning

and fix two err() that should be errx() while being here


# 1.419 06-Nov-2003 henning

need calloc here


# 1.418 06-Nov-2003 henning

allow the label macros to be used in tags as well.
the idea is not mine and I'd love to get credit, but I cannot find the mail
any more :-((

ok canacar@ dhartmei@


# 1.417 21-Oct-2003 itojun

don't use NULL as (int)0. henning ok


# 1.416 26-Sep-2003 cedric

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remain in the kernel). Basically, improvements are:

- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fail.
- Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK

Ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_4_BASE
# 1.415 01-Sep-2003 henning

KNF


# 1.414 28-Aug-2003 kjell

This change is busted. what's worse, REGRESSION TESTS WOULD HAVE CAUGHT IT!
You MUST test network stack changes on BOTH BYTE-ORDERS.
Someone can fix this later, but right now I need to get the damn
firewall up. Grr.


# 1.413 26-Aug-2003 dhartmei

catch port/user/group a <>/>< b with a >= b, from mpech@


# 1.412 25-Aug-2003 dhartmei

catch return-rst ttl values > 255, from aaron@


# 1.411 24-Aug-2003 cedric

Tweaks:
- Make sure we allow only tables in round-robin pools for routing options,
same as what we do for translation rules.
- Don't reject rules like: "nat on sis0 -> <foo>" because
"no address family is given". This is perfectly valid.
ok henning@


# 1.410 22-Aug-2003 david

pf spelling police
ok dhartmei@ jmc@


# 1.409 21-Aug-2003 frantzen

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001


# 1.408 20-Aug-2003 henning

braindeadness police: catch queues which specify itself as child... 'nuff said


# 1.407 20-Aug-2003 henning

err out nicer on errors in queue def


# 1.406 18-Aug-2003 dhartmei

catch max-mss values > 65535, report by Gregory Steuck


# 1.405 09-Aug-2003 cedric

This patch removes the restriction that tables cannot be used in routing or
redirection rules...

The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.

This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.

Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"

ok henning@ mcbride@


# 1.404 29-Jul-2003 deraadt

indent


# 1.403 19-Jul-2003 cedric

Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
instead of indirectly through struct pf_rule_addr.

Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.

Needless to say: KERNEL/USERLAND SYNC REQUIRED.

ok henning@ mcbride@


# 1.402 18-Jul-2003 cedric

Simplify handling of flags (-R, -N...). Remove PFCTL_FLAG_ALL.
ok dhartmei@


# 1.401 15-Jul-2003 cedric

Repair memory management in table parsing code.
I need vacations.
Found and verified by Pyun YongHyeon.
ok dhartmei@


# 1.400 14-Jul-2003 dhartmei

typo


# 1.399 11-Jul-2003 cedric

Better parsing and -v support for tables:

- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and brings table definitions consistent with other
parsed rules.

ok dhartmei@


# 1.398 10-Jul-2003 cedric

Fix merging of host lists.
ok dhartmei@ henning@


# 1.397 04-Jul-2003 henning

KNF after cedric (grmpf)


# 1.396 04-Jul-2003 henning

allow for a "pass" modifier on translation rules:
nat pass on $ext_if from $a to $b -> $ext_if
when the pass modifier is given, the filter ruleset is _not_ evaluated but
the packets matching this translation rule are passed unconditionally.

ok dhartmei@ cedric@ markus@


# 1.395 03-Jul-2003 cedric

Bye bye atexit(), bye bye globals...
The pfctl.c part will probably need some further improvements.
ok henning@


# 1.394 03-Jul-2003 cedric

This patch finally cleans up pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@


# 1.393 19-Jun-2003 deraadt

knf


# 1.392 18-Jun-2003 henning

change expand_label_addr() to use a switch (h->addr.type) instead of
if .. else if .. else, and handle PF_ADDR_NOROUTE as well.
inspired by a comment from cedric.


# 1.391 18-Jun-2003 henning

when expanding the $srcaddr/$dstaddr label macros and the address is actually
a table reference, don't print nonsense but the table name.
found by claudio jeker, fix by me, agreement by cedric


# 1.390 09-Jun-2003 mcbride

Attempt to resolve byte order confusion in nat code once and for all.

- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pf_get_sport()

NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.


# 1.389 25-May-2003 henning

must not run check_netmask() before remove_invalid_hosts() - binat case had it
wrong for the redirection target.
reported by jared r r spiegel <jrrs@ice-nine.org>


# 1.388 19-May-2003 henning

reject invalid netmasks like 10.0.0.0/68, and fix up the netmask for
dynaddr rules after we know the address family

ok dhartmei@, inspired by a session with bob


# 1.387 19-May-2003 henning

all host() receivers have to test for NULL


# 1.386 19-May-2003 henning

if host() returns NULL, it is an error, so err the fuck out and don't
load bullshit


# 1.385 17-May-2003 henning

support inverse matching on tags like
block in ! tagged sometag

ok dhartmei@ pb@


# 1.384 16-May-2003 dhartmei

TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive end-
point, preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@


# 1.383 15-May-2003 henning

properly complain about too long tags


# 1.382 14-May-2003 frantzen

add scrub modifier "reassemble tcp" to turn on stateful TCP normalizations
ok henning@ dhartmei@


# 1.381 14-May-2003 henning

tagging on binat


# 1.380 14-May-2003 henning

enabled tagging on rdr rules


# 1.379 14-May-2003 henning

with tag/tagged given, only whine about missing keep state on pass rules


# 1.378 14-May-2003 frantzen

allow SCRUB rules to specify protocol again. broken sometime in the past.
okie dhartmei@, yay pb@


# 1.377 14-May-2003 henning

tags on nat rules:
nat on $ext_if all tag humppa -> $ext_if
pass out tagged humppa keep state


# 1.376 13-May-2003 henning

make sure tagging is only ever used with stateful filter rules


# 1.375 13-May-2003 henning

userland part for tagging.
it's now possible to tag packets with an arbitrary tag and filter based on
that tag later on other interfaces:
pass in quick on fxp0 keep state tag blah
pass out quick on wi0 keep state with tag blah
can be used to express trust between interfaces, to distinguish between
NATed connections and connections originating from the firewall itself
and much more

ok dhartmei@ frantzen@ pb@ mcbride@


# 1.374 11-May-2003 mcbride

Don't ntohs() the translation port for nat as it is already in host byte order.
Makes nat ... -> $ext_if port 500 rules work correctly again.

ok henning@ dhartmei@ frantzen@


# 1.373 10-May-2003 henning

support loading of anchors from within the main ruleset via
load anchor anchorname:rulesetname file /path/to/file

ok pb@ dhartmei@ cedric@


# 1.372 03-May-2003 henning

don't free() the char * carrying the rule label too early
noticed by Mathieu Sauve-Frankel <m.sauve at secureops.net> via silc


# 1.371 01-May-2003 henning

ease label handling

ok cedric@


# 1.370 01-May-2003 henning

allow label on antispoof; requested by Gregor Binder <gbinder at sysfive.com>

ok cedric@


# 1.369 30-Apr-2003 cedric

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@


# 1.368 25-Apr-2003 dhartmei

Properly copy the second part of nat proxy port range, when specified.
ok henning@


# 1.367 15-Apr-2003 henning

pass down the unparsed queue opts (struct node_queue_opt) to
print_altq/print_hfsc -> print_hfsc_opts and extract struct node_hfsc_sc
there for each service curve and pass those down to print_hfsc_sc. now
bandwidth specifications in the service curves are printed correctly in the
case of a queue belonging to more than one interface/parent queue, the
parent queues having different bandwidths and the bandwidth on the service
curve being specified in percent.


# 1.366 14-Apr-2003 henning

let print_altq and print_queue take a struct node_queue_bw parameter instead
of distinct bw_percent


# 1.365 13-Apr-2003 henning

KNF


# 1.364 13-Apr-2003 henning

prevent double service curve specification


# 1.363 13-Apr-2003 henning

add support for the HFSC linkshare, realtime, and upperlimit service curves
to be specified.


# 1.362 13-Apr-2003 dhartmei

unbreak (missing })


# 1.361 13-Apr-2003 henning

say bye bye to hfscflags_list and hfscflags_item
welcome hfscopts_list and hfscopts_item, returning a full struct
node_hfsc_opt instead of just an int for the flags. needed because of all
the opts hfsc knows


# 1.360 13-Apr-2003 henning

new struct node_hfsc_opts for, surprise, hfsc options. needed because they
contain bandwidth specifications and we need to carry the unprocessed bw
specs around for quite some time until we can break them down to absolute
values.


# 1.359 13-Apr-2003 henning

pass down the struct node_queue_opts from the altqif/queuespec yacc targets
to expand_altq/expand_queue -> eval_pfaltq/eval_pfqueue and
further down to the new eval_queue_opts() instead of evaluating them directly
in the yacc grammar.
this will be needed to process the hfsc options which can contain relative
bandwidth specifications, and we can't break them down to an absolute one
earlier.


# 1.358 13-Apr-2003 henning

move the structs node_queue_bw and node_queue_opt to pfctl_parser.h.
let eval_pfqueue() and eval_pfaltq() take a pointer to a struct
node_queue_bw instead of two distinct bw_absolute and bw_percent parameters.


# 1.357 13-Apr-2003 henning

move the bandwidth keyword from within the bandwidth target up to the
queue_opts target so the bandwidth parser can be used for other things too;
will be needed for hfsc's linkshare etc


# 1.356 12-Apr-2003 henning

initial support for the HFSC scheduler.
whoever uses that for more than toying around is on drugs. it's far from done.


# 1.355 11-Apr-2003 henning

KNF


# 1.354 11-Apr-2003 henning

don't set r->qid and r->pqid in expand_rule any more, queue name -> queue ID
mapping is done in kernel land now


# 1.353 07-Apr-2003 dhartmei

Catch and refuse invalid icmp codes (> 255). ok pb@, mpech@.


# 1.352 05-Apr-2003 henning

ease netmask handling a bit

input theo, ok dhartmei@


# 1.351 05-Apr-2003 henning

allow queue specs to be limited to certain interfaces.

altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two }
queue one priority 1 priq(default)
queue two on $if0 priority 15
queue two on ! $if0 priority 0

ok dhartmei@


# 1.350 05-Apr-2003 henning

whitespace KNF


# 1.349 04-Apr-2003 henning

clean up:
instead of letting the lexer interpret '<' '>' '=' '>=' '<=' and return them
as PF_OP_LT, PF_OP_GT etc etc etc in PORTUNARY, just let the lexer return
'<' '>' and '=' literally, and in the few cases where the old PORTUNARY was
really used like originally intended, replace that by a new unaryop yacc
target. in all other cases that gets rid of quite some checks whether PORTUNARY
is really < and nothing else etc etc etc.

ok cedric@ deraadt@


# 1.348 27-Mar-2003 henning

lotsa const char *
from David Hill <david at phobia.ms> a while ago


# 1.347 27-Mar-2003 henning

introduce a "yesno" target. eases code a bit and yes is no keyword any more.


# 1.346 27-Mar-2003 henning

handle invalid priq/cbq flags better and give a nice error message


# 1.345 27-Mar-2003 henning

default, borrow, ecn, red and rio are no keywords any more. use STRING and
strcmp instead.


# 1.344 27-Mar-2003 henning

switch symset/symget to TAILQ instead of using hand baked lists

ok dhartmei@ cedric@


Revision tags: OPENBSD_3_3_BASE
# 1.343 19-Mar-2003 henning

branches: 1.343.2;
kill the address token and move the host() invocation up to the host token,
so that host() always gets the full address to be parsed including the
netmask instead of applying the netmask afterwards. this could break some
edge cases and was broken since the (interface)/24 fix.
new token dynaddr for, well, dynaddr, and apply an eventually given netmask
afterwards in the host token just in this case.

found after bug report From: Julien Bordet <zejames@greyhats.org> via dhartmei

ok daniel cedric


# 1.342 10-Mar-2003 henning

correctly cope with errors returned by eval_pfqueue and pfctl_add_altq

ok dhartmei@ pb@ (as part of... you know, monsterdiff)


# 1.341 10-Mar-2003 henning

when complaining about a queue without parent, include the queue name in
the error message

ok dhartmei@ pb@ (as part of a monsterdiff)


# 1.340 09-Mar-2003 henning

cope with LOOP_THROUGH modifying the list (queues).
in case of an error in the queue def in question the queues list remains
unmodified, but the LOOP_THROUGH caused a mod anyway, and the list can stay
empty. subsequent checks for NULL which check for an empty list fail then.
fix by adding an explicit check before looping.
fixes regress pfail31
error report by Kamil Andrusz via pb@, testcase from pb@
ok dhartmei@


# 1.339 09-Mar-2003 henning

cope with the fact that LOOP_THROUGH loops once even if the list is empty by
moving the addition of child queues a bit down after the successful
addition of the current queue and an explicit NULL check before looping.
fixes regress pf59
found by kjc@
ok kjc@ cedric@ dhartmei@


# 1.338 08-Mar-2003 henning

fix the obvious:
since we do not modify the struct pf_altq *a any more but our private copy,
we can of course not inherit the scheduler type from it, since it did not
inherit the scheduler type from the parent.
so just inherit the scheduler type from the parent directly...

ok dhartmei@ cedric@


# 1.337 08-Mar-2003 henning

in expand_queue, make a private copy of the struct pf_altq before modifying
it. modifying the original one had undesired side effects if a queue was
expanded to more than one because it belonged to more than one interface

ok pb@ cedric@ dhartmei@


# 1.336 06-Mar-2003 henning

fix queue assignment on filter rules which are not bound to an interface.
when looking up the queue IDs using qname_to_qid, we do not need to limit
the matching on the interface in question, as it is guaranteed that same
named queues on different interfaces have the same queue id. moreover, we
must not limit the matches to the interface if we do not have an interface
given on the filter rule to match on ;-)

found after problems reported by Andre Nathan <andre at v2r dot com dot br>

ok dhartmei@ pb@ cedric@


# 1.335 02-Mar-2003 henning

when printing queues at load time that have bandwidth specified in percent,
print the bandwidth in percent instead of the calculated absolute value.
if a queue belongs to more than one interface and they have different
bandwidth the calculated absolute is of course different per interface.
previously the first calculated absolute value was shown; which of course is
incorrect on the second interface. note that only the print was wrong, the
correct values were passed to the kernel.

ok theo daniel


# 1.334 02-Mar-2003 henning

remove the control keyword for cbq queues.
the control class was a legacy of the original CBQ design by LBL/Sun
to support RSVP.
the control class is not used in openbsd, in the sense that
we don't automatically set filters for ICMP/IGMP/RSVP for the control
class.

ok dhartmei@ kjc@ deraadt@


# 1.333 27-Feb-2003 david

modify error message to match the same 7 sections in pf.conf(5)
ok deraadt@ henning@


# 1.332 26-Feb-2003 henning

in expand_rule, correctly set r->pqid if a priority queue was defined, and
reuse the value of r->qid if not.

ok dhartmei@ mcbride@


# 1.331 25-Feb-2003 henning

some minor KNF my fingers just did...

ok dhartmei@ cedric@


# 1.330 25-Feb-2003 cedric

repair/simplify/flexify binat userland.
ok dhartmei@ henning@


# 1.329 24-Feb-2003 henning

when a macro is redefined, don't bother with reusing the existing entry in
symset() but just prepend a new sym entry to symhead like we always did. as
symget searches the list sequentially, the newest one is picked first.
prevents an endless loop introduced when trying to reuse the existing entry
by an invalid setting for the next pointer.
fixes regress test pf57.

found after conversation with Chris Linn, celinn at mtu dot edu

ok dhartmei@ cedric@


# 1.328 21-Feb-2003 henning

re-allow set loginterface none
ok cedric@ dhartmei@


# 1.327 21-Feb-2003 henning

better error message if set loginterface is called with nonexistent
interface, found by krause (who is doing EXCELLENT work. Thank you very
much!), fix by me, ok dhartmei@ and cedric@


# 1.326 20-Feb-2003 henning

reject nonexistent interfaces in the dynaddr case, noticed during discussion
with jasondixon at myrealbox dot com

ok dhartmei@


# 1.325 19-Feb-2003 dhartmei

Make 'from (kue0)/24' work again (dynamic interface name translation with
a /prefix), reported by Jason Dixon. ok henning@


# 1.324 19-Feb-2003 henning

better error message on icmp version / address family mismatch

ok markus@


# 1.323 18-Feb-2003 henning

fix load option handling (-A, -N, -R) for options.
due to a bug in the loadopt check options were always loaded no matter which
loadopts were specified.
while being there, move the prints for that to where they belong, into the
appropriate pfctl_set_* functions, and thus only print when the options are
actually loaded.
fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier.

ok dhartmei@


# 1.322 17-Feb-2003 henning

"optarg" was a bad pick for the variable name in pfctl_cmdline_symset, it
shadows a global. rename.


# 1.321 17-Feb-2003 mpech

-#include <sys/ioctl.h>

mcbride@, dhartmei@ ok


# 1.320 16-Feb-2003 henning

unneeded {}


# 1.319 16-Feb-2003 henning

throw a syntax error if the portunary operator in varset is no '='
extif>"whatever"
should not be the same as
extif="whatever"
but a syntax error.


# 1.318 14-Feb-2003 dhartmei

Allow route-to loopback interfaces again, since Ryan fixed the loops that
might have occurred before.


# 1.317 14-Feb-2003 cedric

Better and more consistent error message.
Ok dhartmei@


# 1.316 13-Feb-2003 henning

ease the yacc a bit by using a "not" rule instead of having two rules w/ and
without '!' everywhere

ok dhartmei@


# 1.315 12-Feb-2003 henning

KNF after ryan


# 1.314 12-Feb-2003 mcbride

Simplify the code and make the parser handle the different rule types
more consistently.

- Merge expand_nat and expand_rdr into expand_rule
- Merge rdrrule token into natrule

ok concept henning@
ok dhartmei@


# 1.313 11-Feb-2003 henning

allow macro definition on the command line:
pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea
theo), very handy if your notebook has another NIC at some conference, as
well as for debugging etc.
idea rezine@mistrusted.net via pb@
hacked live at FOSDEM

ok pb@ dhartmei@ cedric@


# 1.312 09-Feb-2003 henning

more live code from FOSDEM:
make
pass in proto tcp to port 80
work.
-allow to omit the "any" if you're specifying a port
-allow to omit the from or to part if you want "any" for the other

ok dhartmei@ pb@


# 1.311 09-Feb-2003 henning

KNF


# 1.310 09-Feb-2003 camield

Fix a few warnings and remove unnecessary check and cast.

ok dhartmei henning


# 1.309 08-Feb-2003 dhartmei

Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@


# 1.308 05-Feb-2003 cedric

Fix "pass out dup-to (tun0 1.1.1.1) inet6 all" error message
Allow "pass out dup-to tun0 all"
ok mcbride@ henning@


# 1.307 05-Feb-2003 mcbride

Set the network mask to all 1's if no address is specified for a
route-to/dup-to/reply-to rule. Keeps round-robin from incrementing through
the entire address space.

ok dhartmei@


# 1.306 03-Feb-2003 deraadt

pretty


# 1.305 03-Feb-2003 dhartmei

Don't allow loopback interfaces as route/reply/dup-to targets. ok henning@


# 1.304 03-Feb-2003 cedric

remove loadopt global definition and cleanup a bit.
ok henning@


# 1.303 03-Feb-2003 henning

fix a problem with queue definitions when load options (like -N etc) are
given; they used to check for their parent interface/queue even in this
case.

ok dhartmei@ cedric@


# 1.302 02-Feb-2003 henning

there is no need to pass opts to parse_rules explicitly; it's passed as
part of the struct pfctl.


# 1.301 27-Jan-2003 deraadt

KNF


# 1.300 25-Jan-2003 mcbride

Match changes for rdr port ranges made to pf.c:
- fixes behaviour of rdr on le0 from foo to bar port 1:20 -> (lo0) port 22
- makes calculated mapping more explicit for the -> (lo0) port 22:* case

testing from dhartmei@

ok dhartmei@


# 1.299 25-Jan-2003 cedric

Fix NOACTION with table statements.


# 1.298 25-Jan-2003 cedric

Permit initialisation of a table content from a file in pf.conf.
Cleaning up of the table options parsing, more flexible.
idea+cleanup deraadt@, ok dhartmei@, pass all regress tests.


# 1.297 25-Jan-2003 cedric

Correctly check illegal constructs with tables. Better error messages.
ok dhartmei@ pass all regress tests.


# 1.296 25-Jan-2003 henning

if a table name is too long, it's actually nice to tell so instead of just
aborting with a syntax error


# 1.295 20-Jan-2003 camield

Remove unused argument from print_name() and fix two other nits
found by lint.

ok henning


# 1.294 19-Jan-2003 camield

Spin off label string expansion into a separate function. Clarifies
and tightens all expand_label functions.

ok dhartmei henning


# 1.293 18-Jan-2003 henning

KNF after ryan...


# 1.292 18-Jan-2003 mcbride

Add missing token string and assignment to make static-port work for real.

Diff and report courtesy of mpech@ and form@

ok dhartmei@


# 1.291 17-Jan-2003 camield

bandwith -> bandwidth

YYERROR on failed parseicmpspec()

ok dhartmei mcbride henning


# 1.290 15-Jan-2003 mpech

Typo in yyerror().

henning@


# 1.289 14-Jan-2003 henning

unified IP parser:
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h]
-extend host() to handle /mask itself, plus minor adjustments
-use that in pfctl_table.c instead of coding the same shit again

discussed w/ cedric@
ok cedric@ dhartmei@


# 1.288 13-Jan-2003 camield

err() on all memory allocation failures

ok henning dhartmei


# 1.287 11-Jan-2003 mcbride

Whitespace KNF


# 1.286 09-Jan-2003 henning

no need for explicit numbering in enums

ok dhartmei@


# 1.285 09-Jan-2003 dhartmei

Check return values on the remaining strlcpy/strlcat. ok henning@


# 1.284 09-Jan-2003 henning

minor KNF


# 1.283 09-Jan-2003 cedric

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@


# 1.282 08-Jan-2003 deraadt

check more strlcpy; camield@


# 1.281 07-Jan-2003 dhartmei

Allow underscore at the beginning of strings, fixes
pass all user _spamd
which was refused as syntax error before. Reported by Joe Nall.
ok henning@


# 1.280 07-Jan-2003 dhartmei

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@


# 1.279 06-Jan-2003 mcbride

Fix some oversights with address pools for route-to/dup-to/reply-to
- copy key for src-hash
- copy pool type (pools were being set to round-robin in all cases)

+ some minor knf.

ok dhartmei@


# 1.278 05-Jan-2003 henning

err after calloc failure, not errx


# 1.277 05-Jan-2003 dhartmei

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@


# 1.276 04-Jan-2003 dhartmei

move noroute from flag in pf_rule_addr into type in pf_addr_wrap.
ok henning@, mcbride@


# 1.275 04-Jan-2003 deraadt

I do not know where this policy of "one .h file for every .c file" comes
from, but whoever thought of it is stupid.


# 1.274 03-Jan-2003 dhartmei

whitespace KNF (no, i don't touch the option inits)


# 1.273 03-Jan-2003 cedric

Bring in userland code for accessing PF radix tables.
ok dhartmei@ mcbride@


# 1.272 02-Jan-2003 mcbride

Require a direction to be specified for rules which do routing.

ok dhartmei@ henning@


# 1.271 30-Dec-2002 mcbride

Change ipv6-icmp-type to icmp6-type. pf.conf files will need to be adjusted
to reflect this.

ok dhartmei@ henning@


# 1.270 27-Dec-2002 mcbride

Since pf_norm.c looks at rule.log to see if it should log packets being
dropped due to scrub violations, this adds the ability to set this in
pf.conf.

ok henning@


# 1.269 21-Dec-2002 henning

always initialize rpool.key; diff from Frank Denis; KNF by me


# 1.268 21-Dec-2002 henning

KNF


# 1.267 20-Dec-2002 dhartmei

remove a redundant assignment.


# 1.266 19-Dec-2002 dhartmei

fix 'no rdr'.


# 1.265 18-Dec-2002 henning

more KNF


# 1.264 18-Dec-2002 dhartmei

proto list expansion is not supported in binat-anchor yet, print an error
when attempted.


# 1.263 18-Dec-2002 dhartmei

Support (single) destination port in rdr-anchor rules. Print an error
where parameters are not supported (in rdr-anchor and binat-anchor) yet.
If those are needed, we'll have to expand them properly.


# 1.262 18-Dec-2002 deraadt

fix some INCREDIBLE new bugs which were introduced


# 1.261 17-Dec-2002 henning

add support for the PRIQ scheduler

partially from kjc@

ok kjc@ dhartmei@


# 1.260 17-Dec-2002 mcbride

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule

ok dhartmei@ henning@


# 1.259 17-Dec-2002 henning

missing break in switch


# 1.258 17-Dec-2002 henning

beautify the %type block


# 1.257 17-Dec-2002 henning

PRIQ and HFSC support functions, not yet used.
mostly from kjc@ with adjustments by me.

ok theo ryan daniel


# 1.256 16-Dec-2002 henning

only create a root queue if scheduler = cbq


# 1.255 16-Dec-2002 henning

get full [scheduler]_opts struct instead of just .flags, and wrap it into a
switch (scheduler) statement in one case

inspired by kjc@


# 1.254 13-Dec-2002 henning

allow a second queue for higher priorized (currently: tos=lowdelay) packets
to be specified per rule

queue (qname, priorized_qname)

idea dhartmei
ok dhartmei@ frantzen@ deraadt@


# 1.253 13-Dec-2002 henning

a bit KNF originally part of another diff soon to come; frantzen@ correctly
pointed out that should be a separate commit.


# 1.252 13-Dec-2002 deraadt

permit re-ordering of some scrub parameters, and also clean up some other
grammar baloney; henning ok


# 1.251 12-Dec-2002 henning

KNF


# 1.250 12-Dec-2002 henning

we don't need to keep a private copy of the queue name in expand_rule,
r->qname is never modified

discussed with dhartmei@


# 1.249 11-Dec-2002 mcbride

Replace strncpy + ugly pointer math with sscanf for reading source-hash keys

ok dhartmei@ henning@


# 1.248 09-Dec-2002 dhartmei

(properly guarded) strcpy() -> strlcpy()


# 1.247 09-Dec-2002 deraadt

do not allow redefinitions in variable option blocks; henning ok


# 1.246 08-Dec-2002 henning

strncpy is evil.


# 1.245 08-Dec-2002 henning

allow flexible options order like Theo did for rules.

idea, lots of input, motivation and ok deraadt@

ATTENTION:
this changes the syntax. the "scheduler" keyword is gone now.
old: altq on $interface scheduler cbq ...
new: altq on $interface cbq ...


# 1.244 07-Dec-2002 dhartmei

Support parameters in anchor rules. Allows conditional evaluation, like:

anchor spews inet proto tcp from any to any port smtp

ok deraadt


# 1.243 07-Dec-2002 henning

more KNF


# 1.242 07-Dec-2002 henning

KNF


# 1.241 07-Dec-2002 henning

shadow cleanup

ok mcbride@ frantzen@


# 1.240 07-Dec-2002 henning

kill an unused param to lungetc


# 1.239 07-Dec-2002 mcbride

Convert the hash of a string key to network byte order. Makes regression
work on all platforms.

Bug found by dhartmei@

ok dhartmei@ henning@


# 1.238 06-Dec-2002 dhartmei

Remove negated address list check again, doesn't work right yet.


# 1.237 06-Dec-2002 dhartmei

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@


# 1.236 05-Dec-2002 henning

fix a small cosmetic problem. if ifa_lookup was called in LOOKUP_NET mode,
it would return things like 127.0.0.1/8. when 127.0.0.1/8 is passed through
the new selftests, it becomes 127.0.0.0/8.
fix: instead of just copying addr.mask in ifa_lookup, use set_ipmask, so it
is 127.0.0.0/8 from the beginning on.


# 1.235 05-Dec-2002 henning

-quote varset in -v output
-don't add 's' in set timeout -v output

makes the feedback regression tests succeed.

ok markus@ mcbride@


# 1.234 04-Dec-2002 henning

in host(), apply a given netmask to all members of the node_host list
returned by ifa_lookup().

reported by Alejandro G. Belluscio

ok dhartmei@


# 1.233 04-Dec-2002 deraadt

do not warn for unused variables except with -v -v; henning ok


# 1.232 02-Dec-2002 henning

KNF


# 1.231 02-Dec-2002 deraadt

permit more flexible pass/block lines. the options given at the end of
a line can now be placed in any order, and some merging of duplicate options
is also done. this is easier to use.


# 1.230 02-Dec-2002 henning

allow for "altq on $interface" without specifying a bandwidth. The
interface's bandwidth is taken then.
as a side-effect, "altq on $interface bandwidth xx%" is also possible now,
it's relative to the interface's bandwidth then.

ok theo


# 1.229 30-Nov-2002 mickey

move damn unmask() proto into place as well


# 1.228 29-Nov-2002 henning

coredumps are not nice.
deal with the fact that when we are merging the lists in host_list both can
be NULL.
found at EuroBSDCon 2002 while I was explaining the expansion process to
Paul de Weerd

ok dhartmei@


# 1.227 29-Nov-2002 henning

print queuespec only once in verbose mode, even if referenced more often


# 1.226 29-Nov-2002 henning

FREE_LIST nqueues later; can be used more than once


# 1.225 28-Nov-2002 henning

allow qlimit on altq spec


# 1.224 28-Nov-2002 mcbride

- Adjust to match replacement of md5 with pf_hash
- Allow keys to be specified in hex (must be 128 bits, mainly to make
pfctl -v output parseable by pfctl) or as a string. Randomly generate key
if one is not specified.

Suggestions and fixes from camield@

ok mickey@ camield@ henning@


# 1.223 27-Nov-2002 henning

handle the "no bandwidth specified" case earlier and easier.


# 1.222 27-Nov-2002 henning

-use a #define for default qlimit instead of hardcoding it
-print qlimit in print_queue if it is not the default one
-assign the default qlimit early in the parser instead of using 0


# 1.221 27-Nov-2002 henning

next round in print fixes:
-only print priority if it is not equal to the default one
-space handling overhaul


# 1.220 27-Nov-2002 henning

use a #define for default priority instead of hardcoding it


# 1.219 27-Nov-2002 henning

fix tbrsize spec


# 1.218 27-Nov-2002 henning

fix error message for altq ifspec without child queues


# 1.217 26-Nov-2002 henning

make bandwidth specification on queue truly optional


# 1.216 26-Nov-2002 henning

queue comes before NAT


# 1.215 25-Nov-2002 henning

repair decide_address_family
you cannot just take the first address family you meet as rule's address
family... either all are equal, or the rule has no explicit AF.

found by danh@
ok theo


# 1.214 25-Nov-2002 mickey

for loN and link1 translate the iface into address properly; henning@ ok


# 1.213 25-Nov-2002 henning

1Kb = 1000b, not 1024; as discussed with kjc@ and theo


# 1.212 25-Nov-2002 henning

KNF


# 1.211 24-Nov-2002 pb

enforce that queue comes right before filtering
'options, normalization, translation, queue, filter' now

henning@ ok


# 1.210 24-Nov-2002 dhartmei

Cosmetics and removal of a redundant code block.


# 1.209 23-Nov-2002 deraadt

sigh


# 1.208 23-Nov-2002 henning

KNF


# 1.207 23-Nov-2002 henning

better error checking in expand_queue


# 1.206 23-Nov-2002 henning

easier


# 1.205 23-Nov-2002 mcbride

Daniel's diff to untangle my mess with ifa_pick_ips like so:

- add decide_address_family() which runs through the list to find hosts
with the af set
- replace ifa_pick_ips with remove_invalid_hosts() which removes hosts with
the wrong address family from the list

from/ok dhartmei@


# 1.204 23-Nov-2002 henning

better error checking, round 1
this time in expand_altq


# 1.203 23-Nov-2002 henning

KNF


# 1.202 23-Nov-2002 deraadt

KNF


# 1.201 23-Nov-2002 dhartmei

$$->ifname is NULL, leave it NULL, don't $$->ifname[0] = 0;


# 1.200 23-Nov-2002 mcbride

Fix brokenness in parse.y, clean up:
- remove requirement for ( ) in route-to ( if )
- calloc route_host
- initialise route_host->next
- globally convert malloc to calloc

ok dhartmei@


# 1.199 23-Nov-2002 mcbride

code to support loading of pf rules with multiple redirection addresses
(in nat, rdr, route-to, dup-to and reply-to)

Syntax looks like this, see pf.conf(5) for details:

nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
192.168.0.16/29 source-hash random

rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
{ 192.168.0.8/31, 192.168.0.15 } port 22 round-robin

ok dhartmei@ henning@


# 1.198 22-Nov-2002 henning

print altq and queue lines in the pfctl -v case including the child queue
assignment


# 1.197 19-Nov-2002 henning

only take cbq opts from schedtype if type=CBQ


# 1.196 19-Nov-2002 henning

repair queuespec syntax glitch, theo agrees


# 1.195 19-Nov-2002 henning

default priority is 1, not 0
found by pb@


# 1.194 19-Nov-2002 camield

- match 'Gb' case-sensitively
- match "%" unit only, not "%crap"

ok henning@


# 1.193 19-Nov-2002 wilfried

icmp-type was off by one, ok henning@


# 1.192 18-Nov-2002 deraadt

no; do not use };


# 1.191 18-Nov-2002 henning

more using strl* return values instead of strlen calls


# 1.190 18-Nov-2002 henning

easier "queue name too long" detection; from theo


# 1.189 18-Nov-2002 deraadt

KNF


# 1.188 18-Nov-2002 deraadt

KNF


# 1.187 18-Nov-2002 henning

altq and pf merged

this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documentation yet, but committing now
enables a few more people to work on.

print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.

"commit now" theo philipp daniel


# 1.186 13-Nov-2002 henning

as scrub rules end up in a struct pf_rule just call expand_rule instead of
handcrufting this.
has quite a few positive side effects:
-interface list expansion works (fries@ asked for that)
-can specify address family, very helpful with dynamic interface expansion
(pointed out by daniel)
-src/dst ip/port list expansion works
-fixes a long standing, scary, though never noticed bug:
scrub out on lo1 from any to 10.0.0.1
expanded to
scrub out on lo1 all
... this bug was there from day #1.

"sneaky diff of the month award" dhartmei@


# 1.185 13-Nov-2002 dhartmei

Add label macro $if, as we support {} list expansion for interfaces now.
From David Gwynne. ok henning@, camield@


# 1.184 13-Nov-2002 dhartmei

Initialize tail pointer to node, found by fries@


# 1.183 08-Nov-2002 henning

init buf to NULL just in case...
there isn't a single codepath where it can remain uninitialized, but this
might prevent a stupid bug if we change something later


# 1.182 07-Nov-2002 henning

move the ifa_exists block a bit up in host()
inspired by mpech@ pointing out a missing free(buf). so handle the
it-is-an-interface case where we don't need the buf before allocating memory.


# 1.181 04-Nov-2002 henning

welcome to CIDR world, pfctl!

use inet_net_pton to parse IP addresses.
stuff like
block in from 10/8 to any
works now.

some input camield@ and dhartmei@

ok dhartmei@, camield@, mcbride@


# 1.180 02-Nov-2002 dhartmei

%i -> %d, matches the style of existing code, from millert@


# 1.179 02-Nov-2002 dhartmei

printf int with %i, not %u. from pilot@monkey.org.


# 1.178 30-Oct-2002 henning

simplify


# 1.177 30-Oct-2002 henning

fix interface expansion. since the reversed list expansion code was
committed this was broken, only the first IP address was returned.

pointed out by danh@, who sent an excellent bug report.

ok dhartmei@


# 1.176 29-Oct-2002 henning

introduce
set require-order [yes|no]
default is yes.
with set to "no", it isn't required to have the rules in order (options,
scrub, nat, filter) any more, though of course NATing still happens before
filtering and so on, so one has to take care.

ok camield@ mcbride@ dhartmei@
idea discussed with a whole lotta more people and basically ok for everyone ;-)


# 1.175 27-Oct-2002 henning

remove the "flags X" syntax.
no one who wrote "flags S" meant that, but actually something like "flags
S/SA". with "flags S" changing its actual meaning as more flags got
supported, things got worse.

ok dhartmei@, pb@


# 1.174 22-Oct-2002 mpech

%ul -> %lu

dhartmei@ ok


# 1.173 22-Oct-2002 mcbride

More conversion of "int af" and "u_int8_t af" declarations and function
arguments to the more correct and descriptive "sa_family_t af"

ok dhartmei@ henning@


# 1.172 22-Oct-2002 camield

Rename ipmask to set_ipmask and add some functionality: the netmask
is applied immediately to the address.

This way, the parsed rules output shows exactly which bits of an
address are significant for a match and errors due to wrong netmasks
can be spotted more easily.

Example:
$ pfctl -nvf -
pass in on lo0 from 172.17.0.0/12 to any
@0 pass in on lo0 inet from 172.16.0.0/12 to any

idea refined by dhartmei@
ok frantzen@ henning@


# 1.171 17-Oct-2002 mcbride

These checks are also made in nat_consistent() and rdr_consistent().

ok dhartmei@ henning@


# 1.170 17-Oct-2002 camield

- accept all protocols that are specified by number if they are in
the valid range (also when they're not listed in /etc/protocols)
- explicitly disallow protocol number 0, because it has special meaning
to pf

ok dhartmei@ henning@


# 1.169 16-Oct-2002 mpech

Fix and improve binat mask comparison.

dhartmei@, henning@ ok


# 1.168 14-Oct-2002 henning

Allow one to specify a netblock in a binat rule:

binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27

Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.

from ryan

ok dhartmei@
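As an added example (not pfctl's own code) tying together the parse-time netmask application from revision 1.172 above and the netblock binat mapping from revision 1.168, the IPv4-only helpers prefix_to_mask, apply_netmask and binat_map below are hypothetical names:

```c
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers (added example, not pfctl's own code) illustrating
 * two ideas from the log: applying a netmask to an address at parse time
 * (rev 1.172) and the netblock binat mapping (rev 1.168). IPv4 only. */

/* Build a host-order netmask from a prefix length 0..32. */
static uint32_t
prefix_to_mask(int prefix)
{
	if (prefix <= 0)
		return 0;
	if (prefix >= 32)
		return 0xffffffffU;
	return 0xffffffffU << (32 - prefix);
}

/* Like the log's set_ipmask: clear the host bits of addr immediately, so
 * "172.17.0.0/12" is stored (and printed) as 172.16.0.0/12. Returns 1 if
 * the given address had host bits set (a likely typo worth warning about),
 * 0 if it was already a network address, -1 on a parse error. */
int
apply_netmask(const char *addr, int prefix, char *out, size_t outlen)
{
	struct in_addr in;
	uint32_t a, m;
	int hostbits;

	if (inet_pton(AF_INET, addr, &in) != 1)
		return -1;
	a = ntohl(in.s_addr);
	m = prefix_to_mask(prefix);
	hostbits = (a & ~m) != 0;
	in.s_addr = htonl(a & m);
	if (inet_ntop(AF_INET, &in, out, outlen) == NULL)
		return -1;
	return hostbits;
}

/* Netblock binat: both masks must be equal; the translated address is the
 * redirect block's network part combined with the packet's host part.
 * Returns 1 and fills out on a translation, 0 if pkt is outside the source
 * block (rule does not apply), -1 on mismatched masks or parse errors. */
int
binat_map(const char *src, int src_prefix, const char *rdr, int rdr_prefix,
    const char *pkt, char *out, size_t outlen)
{
	struct in_addr s, r, p;
	uint32_t m;

	if (src_prefix != rdr_prefix)
		return -1;	/* masks MUST be the same */
	if (inet_pton(AF_INET, src, &s) != 1 ||
	    inet_pton(AF_INET, rdr, &r) != 1 ||
	    inet_pton(AF_INET, pkt, &p) != 1)
		return -1;
	m = prefix_to_mask(src_prefix);
	/* the packet must come from the source block for the rule to apply */
	if ((ntohl(p.s_addr) & m) != (ntohl(s.s_addr) & m))
		return 0;
	p.s_addr = htonl((ntohl(r.s_addr) & m) | (ntohl(p.s_addr) & ~m));
	if (inet_ntop(AF_INET, &p, out, outlen) == NULL)
		return -1;
	return 1;
}

int
main(void)
{
	char buf[INET_ADDRSTRLEN];

	/* constructed inputs taken from the two log entries */
	if (apply_netmask("172.17.0.0", 12, buf, sizeof(buf)) == 1)
		printf("warning: host bits set, using %s/12\n", buf);
	if (binat_map("192.168.0.32", 27, "10.0.7.128", 27,
	    "192.168.0.40", buf, sizeof(buf)) == 1)
		printf("192.168.0.40 -> %s\n", buf);
	return 0;
}
```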


# 1.167 11-Oct-2002 camield

When a macro cannot be expanded because it is not defined, say so. Also warn
about unused macros.

ok dhartmei@ henning@


# 1.166 11-Oct-2002 camield

In lgetc(), compress strings of whitespace to a single space. This makes
macros come out right in verbose mode and is less functional overhead.

Also err on whitespace after a backslash. That type of error is hard to
find otherwise.

ok dhartmei@ henning@


# 1.165 08-Oct-2002 vincent

remove <0 checks on unsigned numbers.

ok henning@


# 1.164 07-Oct-2002 dhartmei

-Wsign-compare clean


# 1.163 07-Oct-2002 dhartmei

Two cases of const-correctness and make one global local.


# 1.162 07-Oct-2002 henning

set block-policy [drop|return]
drop is default, same behaviour as before

support
block drop
to override a return policy


# 1.161 07-Oct-2002 henning

support a generic return
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else

ok dhartmei@


# 1.160 07-Oct-2002 henning

make return-icmp work for rules covering both v4 and v6
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)

ok and some input dhartmei@


# 1.159 07-Oct-2002 henning

use a new rule_flag PFRULE_RETURNICMP to decide whether to return-icmp or not
instead of just testing return_icmp > 0

ok dhartmei@


# 1.158 07-Oct-2002 dhartmei

Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.


# 1.157 06-Oct-2002 dhartmei

Move CHECK_ROOT into LOOP_THROUGH, gets rid of one macro and saves
several lines, no functional difference. From Camiel Dobbelaar.


# 1.156 05-Oct-2002 dhartmei

Expand {} lists from left to right, so 'pass in from { a, b } to any'
becomes '@0 pass in from a to any @1 pass in from b to any' instead of
the other way around. Patch from Camiel Dobbelaar.


# 1.155 05-Oct-2002 dhartmei

Allow filtering based on IP header's tos field.


Revision tags: OPENBSD_3_2_BASE
# 1.154 22-Sep-2002 henning

little KNF: return(something) -> return (something)


# 1.153 22-Sep-2002 henning

fix linenumber counting in findeol, and simplify by ignoring the \ case,
that's already handled earlier.
fast-forward on erroneous lines

partially from camield@, parts result of a discussion with Mike

ok frantzen@ dhartmei@


# 1.152 22-Sep-2002 henning

antispoof, take 2.
also block incoming packets with our own IP as src.

discussion & help frantzen

ok ho@ dhartmei@ frantzen@


# 1.151 17-Sep-2002 henning

easier "self" implementation.
no functional changes

ok pb@


# 1.150 15-Sep-2002 henning

set a netmask in the dynaddr case
noticed by <han@mijncomputer.nl>

ok pb@


# 1.149 14-Sep-2002 henning

bit more clue in rdr/nat rules wrt address family examination
don't take the af from host_node structs based on interface lookups, most
interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will
at least have one IP address specified from which we take the af for the
whole rule. The rare exceptional cases require the user to specify the af.

ok frantzen@


# 1.148 12-Sep-2002 henning

check for calloc() failure; ho@


# 1.147 12-Sep-2002 henning

antispoof [log] [quick] for [interface|interface_list] [af]

e. g.

antispoof log quick for { dc0, dc1 } inet

docs & regress coming

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@
IPv6 help itojun@

finally, a long story finds its happy end here.


# 1.146 12-Sep-2002 henning

rework netmask handling:
-don't set netmask in host token handler
-clear netmask in ipmask() proper before setting it
-in ifa_load(), also store interface's netmask and broadcast address
-allow ifa_lookup() to return either the interface's IP address(es), network(s)
or broadcast address(es) - not used anywhere yet. This implies that
ifa_lookup() also returns the netmask now.
-host() returns netmasks, too

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@


# 1.145 08-Sep-2002 henning

be more clueful wrt address family in nat/rdr rules.
behaviour noticed by Paul de Weerd, thanks!

ok dhartmei@


# 1.144 02-Sep-2002 dhartmei

Fix parsing of port ranges in translation rules (port a:b -> port c:d).
ok henning@


# 1.143 02-Sep-2002 dhartmei

Make sure the interface specified with route-to/dup-to/fastroute exists
and null-terminate the interface name. Found by Michael Wallis.
ok henning@


# 1.142 20-Aug-2002 dhartmei

Increase lineno on newlines inside multi-line macro definitions, otherwise
errors on subsequent lines are reported with wrong line numbers.
From Paul B. Henson.


# 1.141 16-Aug-2002 henning

kill duplicated check for '(' and ')' in allowed_in_string


# 1.140 12-Aug-2002 dhartmei

Catch null pointer deref (segfault), from wilfried@


# 1.139 06-Aug-2002 henning

missing free(), mpech@
ok pb@


# 1.138 06-Aug-2002 henning

check for strdup() allocation errors

pointed out by mpech@
ok pb@


# 1.137 31-Jul-2002 henning

KNF, esp. missing prototypes


# 1.136 30-Jul-2002 henning

grmpf.
in some cases, on non-tcp rules flags weren't reset. cosmetic-only
problem. but, well, checking for r->flags and r->flagset if we could have
assigned them zero just one round ago is just stupid, and it's not needed to
check them at all.

ok pb@, dhartmei@


# 1.135 30-Jul-2002 henning

allow to specify flags on all rules that include tcp.

these are valid:

pass in from any to any flags S
pass in proto { tcp, udp, icmp } from any to any flags S
pass in proto tcp from any to any flags S

these are invalid:

pass in proto { udp, icmp } from any to any flags S
pass in proto udp from any to any flags S

ok "I've lost my slacker status for at least a week" frantzen@
ok pb@, dhartmei@, deraadt@


# 1.134 26-Jul-2002 henning

make the order of log and quick irrelevant. now both
block in log quick all
and
block in quick log all
work.

ok dhartmei@, deraadt@


# 1.133 23-Jul-2002 henning

timeout_list/_spec and limit_list/_spec don't return anything -> no %type.

ok theo


# 1.132 21-Jul-2002 deraadt

fix route-to also


# 1.131 21-Jul-2002 deraadt

make the , optional in many places. This makes string concat a lot more
useful. Now you can
in = ssh domain www
out = $in ftp finger
pass in proto tcp from any to any port { $in }
pass out proto tcp from any to any port { $out }
a poor example, but the idea is obvious


# 1.130 21-Jul-2002 deraadt

string concat, ie.
a=a b
c=$a $a


# 1.129 20-Jul-2002 deraadt

minor indent tweaks


# 1.128 20-Jul-2002 deraadt

properly split yacc and lex use


# 1.127 19-Jul-2002 deraadt

minor tweaks, sigh


# 1.126 19-Jul-2002 dhartmei

And back out the last change again.


# 1.125 19-Jul-2002 henning

rework the interface lookup routines internals.
less and easier code than before.
no functional changes.

ok frantzen@, dhartmei@


# 1.124 19-Jul-2002 dhartmei

Support # comments at the end of lines and inside (multi-line) string
literals, so you can do things like

macro="{ foo, # first entry
bar, # second entry
baz }" # last entry

or

pass in on $ext_if \ # external interface
proto tcp \ # TCP connections
from any to $ext_if \ # to the gateway itself
keep state

And sneaking in two minor fixes for KNF.


# 1.123 19-Jul-2002 henning

deal with the fact that the struct node_host ifa_pick_ip gets is not always
the result of an interface expansion. in this case ifa_pick_ip does an
address family check (that's actually a (wanted) side effect). Thus, we need
to spit out a meaningful error message in case of a mismatch.
also adjust all the other error messages, they were also assuming that nh is
the result of an interface expansion.
after a looooong discussion on icb (dhartmei@, pb@, me) we agreed on the term
"translation address" for that.

okay dhartmei@


# 1.122 17-Jul-2002 henning

support "self" as address. self expands to all IPv4 and IPv6 addresses of
the machine, on all interfaces. I wanted
block in log on ! lo0 from any to self
for years, and now it's possible.

ok "I may lose my slacking status if I OK it" frantzen@
ok dhartmei@

documentation in pf.conf.5 to come with pb@'s rewrite


# 1.121 16-Jul-2002 dhartmei

Add nat_consistent() and rdr_consistent() for checks that should occur
after rule expansion, similar to rule_consistent(). Fixes the
non-effective test for rdr rules for non-TCP/UDP protocols with ports,
found by mpech@, ok frantzen@


# 1.120 15-Jul-2002 henning

add support for
pass|block on ! $interface ...

ok dhartmei@

will be documented in pf.conf(5) by "I'm not slacking!" pb@ who's currently
reworking this manpage


# 1.119 15-Jul-2002 pb

cosmetics/consolidations to manpage in yyerror()s

ok henning@, dhartmei@


# 1.118 15-Jul-2002 henning

o complain about keep state on block rules
o complain about return-rst on rules which aren't limited to tcp

pointed out by not-slacking-but-testing pb@

ok pb@, dhartmei@


# 1.117 13-Jul-2002 henning

add list expansion for interface and proto in nat rules and for proto in rdr
rules (interface was already there). since the nat.conf/pf.conf merge the
parser accepted these but didn't expand them. ugh.

ok dhartmei@


# 1.116 09-Jul-2002 itojun

check sin6_scope_id field, just in case we change the routing socket API
for scoped address (unlikely due to the deployed codebase...).


# 1.115 09-Jul-2002 itojun

getifaddrs(3) grabs link-local addrs in kernel internal form, convert them
into proper sockaddr_in6.


# 1.114 09-Jul-2002 henning

rework the interface-to-IP routines.

you can use interface names instead of an IP in most places. However, until
now, it was only expanded to the interface's first IPv4 address if existent
(and address family unset or inet) and the first IPv6 address otherwise.

this diff changes that. the interface is properly expanded to all IPs, IPv4
_and_ IPv6, now.

it also cleans up the lookup procedures (well, in fact, they are replaced by
a new one), there's no need for different procedures for IPv4 and IPv6. we
now just have one list of interfaces (AF_LINK) and one list with IPs
(AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and
ifa_lookup.

nat, rdr & friends now use the new function ifa_pick_ip to get the IP in
rules like

nat on $interface from $whatever to any -> $interface

ifa_pick_ip tries to be smart.
if the interface has only one IP address and the nat rule doesn't specify an
address family (or it matches with this address), take this one.
If the address family is specified in the nat rule and there is only one IP
for the given address family, this one is used. if the address family is not
specified and there is more than one IP pfctl throws an error. The same
applies for multiple IPs per address family.

This causes regression tests 18 and 20 to fail because the address family
isn't specified there; diff for those coming.

also fix some prototypes while I'm here.

pb@ found another problem while testing that we must have introduced somewhat
after 3.1.

$cat t
nat on ne3 from any to any -> 213.128.133.5
$pfctl -nvf t
nat on ne3 all -> ?

it's only a representation bug as far as I've checked, nonetheless it should
be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just
steal its target's IP af and set the rule's af accordingly. then inet_ntop
does play nice.
binat rules already enforce having an address family set always and thus are
not affected.

ok dhartmei@, pb@, kjell@
"It looks good" frantzen@


# 1.113 08-Jul-2002 dhartmei

Don't allow 'flags' option in non-TCP rules, found by mpech@


# 1.112 05-Jul-2002 henning

unbreak.


# 1.111 05-Jul-2002 henning

another small bug I found while installing a -current pf firewall.
we don't support

pass/block in on ! <interface>

(at least, not yet)
let the parser complain instead of ignoring the '!'

ok pb@, dhartmei@


# 1.110 01-Jul-2002 espie

streamline parse buffer handling (no need to copy value that is not
going to go away).

add explicit pushback buffer, to be able to push IPv6 failed parses back.

handle pushback + parse buffer interactions by using negative indices.

okay dhartmei@, deraadt@


# 1.109 01-Jul-2002 deraadt

KNF


# 1.108 28-Jun-2002 dhartmei

Don't check for address family conflicts in nat/rdr before expansion,
rules will expand to all valid combinations, and there's an error when
none is found. Makes "nat on tun0 from 10.0.0.0/8 to any -> (tun0)"
work (again).


# 1.107 25-Jun-2002 henning

move pfctl options -t, -m, -O and -l to pf.conf. These are set using the
"set" keyword. example rulefile:

set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all

fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@


# 1.106 24-Jun-2002 dhartmei

Use interface when specified in scrub rule. No support for ! or {} yet.


# 1.105 23-Jun-2002 deraadt

uid_t and gid_t are unsigned


# 1.104 20-Jun-2002 dhartmei

Copy address family from inet/inet6 keyword, if specified.


# 1.103 18-Jun-2002 frantzen

propagate a '!' when a host resolves to multiple IP addresses
ok dhartmei@


# 1.102 18-Jun-2002 frantzen

don't allow individual keep state rules to specify timeouts for 'interval' and
'frag' -- they aren't applied anyway
ok dhartmei@ and henning@


# 1.101 16-Jun-2002 aaron

Rules must in order -> Rules must be in order


# 1.100 15-Jun-2002 dhartmei

Reset rulestate in parse_rules(), so consecutive calls (like from authpf)
will not fail. Reported by Chris Kuethe.


# 1.99 13-Jun-2002 kjell

Fix the numbering of scrub rules. pointed out and oked by frantzen@


# 1.98 12-Jun-2002 kjell

Fix uninitialized access. Spotted by danh@ This is a good reason to
develop with "ln -s 'J' /etc/malloc.conf" enabled.
ok henning@


# 1.97 11-Jun-2002 frantzen

split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@. the rest are slacking


# 1.96 11-Jun-2002 frantzen

SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@


# 1.95 11-Jun-2002 dhartmei

Make NAT proxy port range configurable per rule, for instance privileged
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@


# 1.94 10-Jun-2002 kjell

Merge the NAT and rules files into a single rulefile. Rules must be
in this order, to remove any ambiguity about what order things happen in:

scrub rules
nat rules
filter rules

The -N and -R modifiers go away. Rulefiles are now loaded with the
more POSIXly-correct '-f'

ok frantzen@


# 1.93 10-Jun-2002 dhartmei

Allow ports to be specified in nat rules, useful later on for individual
proxy port ranges.


# 1.92 10-Jun-2002 dhartmei

Move enum out of struct (gcc 3.1 wasn't happy), from David Krause


# 1.91 10-Jun-2002 kjell

split scrub rule processing into its own yacc target,
for imminent config file merge. ok frantzen@


# 1.90 09-Jun-2002 dhartmei

Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it
includes ports and operator.


# 1.89 09-Jun-2002 deraadt

spaced out developers...


# 1.88 09-Jun-2002 kjell

Add list parsing in RDR rules: e.g.

rdr on $IFLIST proto tcp from $SRC_LIST to $DST_LIST port 21 \
-> 127.0.0.1 port 8021

ok dhartmei@


# 1.87 08-Jun-2002 henning

nuke unused parameter af to expand_label_port
ok dhartmei@, pb@


# 1.86 08-Jun-2002 dhartmei

Change remaining read-only lookup tables to const, suggestion drahn@


# 1.85 08-Jun-2002 itojun

comment on IPv6 link-local twists


# 1.84 08-Jun-2002 kjell

add list expansion to src/dest in NAT rules. i.e.

nat on fxp0 from { 10.0.0.0/24, 10.0.1.0/24 } to \
{ 172.6.1.1, 172.14.1.2/32 } -> fxp0

ok theo, dhartmei@


# 1.83 08-Jun-2002 henning

remove macro concatenation via += per Theo's advice


# 1.82 08-Jun-2002 henning

allow macro concatenation like
webservers = "{ 10.0.0.1, 10.0.0.7, 10.0.0.8, "
webservers += " 10.0.0.17, 10.0.0.25, 10.0.0.37 }"
ok frantzen@, dhartmei@


# 1.81 08-Jun-2002 dhartmei

Make state timeouts configurable per rule, like

pass in from any to any port www keep state (tcp.established 60)

ok frantzen@


# 1.80 08-Jun-2002 henning

expand $nr -> rule number in rule labels
okay dhartmei@, frantzen@


# 1.79 08-Jun-2002 henning

expand $proto in rule labels
okay frantzen@ dhartmei@


# 1.78 07-Jun-2002 dhartmei

Handle realloc() failure gracefully. Terminates with err() anyway in this
case, but we don't want to trigger "p = realloc(p," grepping causing false
alarms here.


# 1.77 07-Jun-2002 deraadt

henning, read this to see what i mean by KNF


# 1.76 07-Jun-2002 pb

add the possibility to configure a TTL while return-rst

ok dhartmei@, ipv6 part itojun@ ok


# 1.75 07-Jun-2002 dhartmei

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@


# 1.74 07-Jun-2002 henning

allow using $srcaddr, $srcport, $dstaddr and $dstport in rule labels,
evaluated at parse time.
ok dhartmei@


# 1.73 07-Jun-2002 itojun

make IPv6 scope identification work for dst (from any to fe80::1%lo0)


# 1.72 07-Jun-2002 itojun

support scoped IPv6 address in from/to portion.


# 1.71 01-Jun-2002 hugh

ECN flag support for pf. Committed in consultation with Daniel.


# 1.70 24-May-2002 dhartmei

Support mixed (IPv4/v6) address lists, expand to all possible and valid
combinations. 'pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }' will
expand to two rules, 'from 10.1.2.3 to 10.4.5.6' and 'from ::1 to ::2'.
Also applies to host name resolution (when multiple addresses are returned
for one name). ok frantzen@, itojun@


# 1.69 23-May-2002 deraadt

tiny KNF, some malloc checks, etc


# 1.68 23-May-2002 itojun

new_addr is not used from anywhere. daniel@benzedrine.cx ok


# 1.67 19-May-2002 deraadt

KNF


# 1.66 12-May-2002 dhartmei

Explain that user/group 'unknown' can only be used with operators = and !=
and refuse other constructs in the parser. Also note that 'user >= 0' does
not match forwarded packets with unknown user ID.


# 1.65 12-May-2002 dhartmei

Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.


# 1.64 10-May-2002 dhartmei

Handle host name resolution returning multiple addresses in the rule
parser (expand to every address). ok frantzen@


# 1.63 09-May-2002 jasoni

Add a max-mss option to the scrub rule which will enforce a maximum mss
by lowering it to the given value.
- ok dhartmei@, provos@


# 1.62 09-May-2002 dhartmei

Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.


# 1.61 24-Apr-2002 dhartmei

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).


# 1.60 23-Apr-2002 dhartmei

Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.


# 1.59 18-Apr-2002 deraadt

use strlcpy


# 1.58 17-Apr-2002 dhartmei

Reset lineno for each file, so pfctl -R ... -N ... reports the right
line number for non-first files. Reported by aaron@


Revision tags: OPENBSD_3_1_BASE
# 1.57 27-Mar-2002 mickey

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok


# 1.56 27-Feb-2002 dhartmei

Instead of printing useless @0 rule numbers from pfctl -vR, increase a
counter. Helps debugging rule sets that are not loaded. Suggested by
John Kerbawy.


# 1.55 11-Jan-2002 mickey

use bsearch() for keywords lookup, swap couple of entries to make the keywords array sorted and add a comment to keep it that way; dhartmei@ ok


# 1.54 10-Jan-2002 hugh

Let port 0 be specified as it's not special here.
Agreement with Daniel and others.


# 1.53 09-Jan-2002 mpech

Port must be >0 and <=65535. Idea while have fun with ssh.

dhartmei@ ok


# 1.52 09-Jan-2002 mpech

free() 'interface' in {nat,binat,rdr}rule

dhartmei@ ok


# 1.51 09-Jan-2002 dhartmei

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.


# 1.50 08-Jan-2002 dhartmei

Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.


# 1.49 07-Jan-2002 mpech

remove 3rd argument from ipmask(), not used.

dhartmei@ ok


# 1.48 23-Dec-2001 deraadt

find correct line number in lval, instead of val


# 1.47 10-Dec-2001 dhartmei

Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.


# 1.46 05-Dec-2001 dhartmei

Correctly parse hex numbers. Spotted by Claudio Jeker. Closes PR 2234.


# 1.45 03-Dec-2001 dhartmei

For nat, binat and rdr rules, don't allow different address families in
one rule. pf can't translate IPv4 <-> IPv6 packets. Such rules didn't work,
even if they were falsely accepted before.


# 1.44 26-Nov-2001 jasoni

add fastroute options similar to what is found in ipf
ok dhartmei@, frantzen@


# 1.43 05-Nov-2001 deraadt

no one responds.
this diff makes } and { not be part of symbols


# 1.42 24-Oct-2001 dhartmei

Check interface names using ifa0_lookup() and print error message for
non-existent interfaces (instead of the generic ioctl error returned by
the kernel in this case).


Revision tags: OPENBSD_3_0_BASE
# 1.41 15-Oct-2001 dhartmei

branches: 1.41.2;
Add 'allow-opts' to rules. Packets with IP options will be blocked by
default now, and can be allowed per rule. ok deraadt@


# 1.40 11-Oct-2001 frantzen

Don't htonl() past buffer bounds if ipmask == 128


# 1.39 07-Oct-2001 dhartmei

Add interface name to address translation to pfctl, document it and add
a regress test. Translation is done on rule set load-time only, so the
rule sets must be reloaded when an interface address changes.
parse.y patch from Cedric Berger. Similar patch from Jonathon Fletcher.
Thanks to both.


# 1.38 01-Oct-2001 markus

print variable assignments only if -v is given. ok dhartmei/deraadt


# 1.37 28-Sep-2001 dhartmei

Support underscores in macro names and document it in the man page.


# 1.36 20-Sep-2001 dhartmei

Fix uninitialized structure fields. Problem reported by Cedric Berger.


# 1.35 15-Sep-2001 wilfried

Implement return-icmp(number), return-icmp6(number)
Differentiate between return-icmp and return-icmp6,
icmp-type and ipv6-icmp-type. ok dhartmei@


# 1.34 15-Sep-2001 dhartmei

Fix 'binat ... to any ...' (binat.af wasn't set).


# 1.33 15-Sep-2001 dhartmei

Parse bug, found by wilfried@


# 1.32 15-Sep-2001 frantzen

IPv6 support from Ryan McBride (mcbride@countersiege.com)


# 1.31 12-Sep-2001 markus

check calloc() return value


# 1.30 06-Sep-2001 jasoni

- you can only binat between hosts
- add binat example and description


# 1.29 06-Sep-2001 jasoni

1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@


# 1.28 04-Sep-2001 dhartmei

Support parameter lists {} for interfaces in filter rules, like
pass in on { gm0, kue0 } from any to any


# 1.27 28-Aug-2001 markus

move '!' from host_list to host: "xhost : '!' host | host;"; ok dhartmei@


# 1.26 28-Aug-2001 markus

check for malloc/strdup == NULL


# 1.25 28-Aug-2001 dhartmei

Support ! operator in host parameter lists. Fixes PR system/2030. Reported
by Kamil Andrusz <wizz@mniam.net>.


# 1.24 26-Aug-2001 deraadt

sort keywords


# 1.23 25-Aug-2001 frantzen

PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation.


# 1.22 23-Aug-2001 millert

o for a port_item, initialize the "next" pointer to NULL
o for an address, use calloc() instead of malloc() so the struct is zeroed
Fixes a SEGV in pfctl due to uninitialized "next" pointers.


# 1.21 23-Aug-2001 deraadt

Support var="string". Expansion (at lex time) done using $var, for instance:
okproto="{ssh, smtp, domain, auth}"
pass in on key0 proto tcp from any to any port $okproto keep state
Can I ask someone else to document this in pf.conf(5)?


# 1.20 19-Aug-2001 dhartmei

Add parameter list support to parser. Handles lists for protocol, hosts
and ports in filter rules, like

block in from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
pass in proto tcp from any to any port { ssh, 1024 >< 2000, > 65000 }
block in proto { udp, igmp }

and does rule expansion (generate all needed rule combinations).
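
As an added illustration of the rule expansion described in 1.20 and the per-element `!` from 1.25/1.27 (example code, not pfctl's), the following Python model expands list parameters into the cartesian product of single rules and evaluates a constructed packet against them with pf's default of the last matching rule deciding. It also shows a consequence of expansion worth knowing: `from { !10.1.2.3, !10.2.3.4 }` becomes two rules, and a packet from 10.1.2.3 still matches the second one, so a negated list does not mean "neither of these" (pf.conf(5) documents this caveat; a negated table matches the set as a whole). The `Item`/`Rule` classes, the packet dictionaries and the omission of `quick` are this example's own simplifications.

```python
"""Rule expansion for pf.conf-style lists (added example, not pfctl's code)."""
import ipaddress
import itertools
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Item:
    """One list element; `negated` records a leading '!' (r1.25/r1.27)."""
    value: str
    negated: bool = False

    def __str__(self) -> str:
        return ("!" if self.negated else "") + self.value


@dataclass(frozen=True)
class Rule:
    action: str      # "pass" or "block"
    direction: str   # "in" or "out"
    proto: Item
    src: Item
    dst: Item

    def __str__(self) -> str:
        return f"{self.action} {self.direction} proto {self.proto} from {self.src} to {self.dst}"


def parse_list(text: str) -> List[Item]:
    """'{ 10.0.0.0/8, !10.1.2.3 }' -> two Items; a bare word -> one Item."""
    text = text.strip()
    parts = [text]
    if text.startswith("{") and text.endswith("}"):
        parts = [p.strip() for p in text[1:-1].split(",") if p.strip()]
    return [Item(p[1:].strip(), True) if p.startswith("!") else Item(p) for p in parts]


def expand_rule(action: str, direction: str, proto: str, src: str, dst: str) -> List[Rule]:
    """Generate every combination of the list elements: what r1.20 calls rule expansion."""
    return [Rule(action, direction, p, s, d)
            for p, s, d in itertools.product(parse_list(proto), parse_list(src), parse_list(dst))]


def _addr_match(item: Item, addr: str) -> bool:
    if item.value == "any":
        hit = True
    else:
        hit = ipaddress.ip_address(addr) in ipaddress.ip_network(item.value, strict=False)
    return hit != item.negated  # '!' inverts the match of this one element only


def _proto_match(item: Item, proto: str) -> bool:
    hit = item.value == "any" or item.value == proto
    return hit != item.negated


def rule_matches(rule: Rule, pkt: Dict[str, str]) -> bool:
    return (_proto_match(rule.proto, pkt["proto"])
            and _addr_match(rule.src, pkt["src"])
            and _addr_match(rule.dst, pkt["dst"]))


def evaluate(rules: List[Rule], pkt: Dict[str, str], default: str = "pass") -> str:
    """pf's default evaluation: the last matching rule decides ('quick' is not modelled)."""
    decision = default
    for rule in rules:
        if rule_matches(rule, pkt):
            decision = rule.action
    return decision


if __name__ == "__main__":
    # Constructed packet for demonstration; addresses are documentation ranges.
    inside = {"proto": "tcp", "src": "10.1.2.3", "dst": "192.0.2.1"}
    rules = expand_rule("block", "in", "any", "{ !10.1.2.3, !10.2.3.4 }", "any")
    for r in rules:
        print(r)
    print(evaluate(rules, inside))  # "block": the second expanded rule (from !10.2.3.4) matches
```

Run it to see the two expanded rules printed; the final line shows why a list of negated hosts cannot express "block everything except these two".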


# 1.19 16-Aug-2001 deraadt

track the line number per-token, so that we can report errors correctly


# 1.18 14-Aug-2001 mickey

optimize the flags parsing; markus@ ok


# 1.17 11-Aug-2001 deraadt

\+\n support, and spit out cc-style error messages. the parser's line
counting is lex dependent, and will need to be tweaked


# 1.16 31-Jul-2001 wilfried

allow to test that flags are unset, ok dhartmei@, mickey@


# 1.15 19-Jul-2001 krw

Fix/complete the handling of the binary ops >< and <> to behave
like the ipf operators.

The 'n >< m' construct (Include Range = PF_OP_IRG) should match
ports greater than n and less than m, not greater than or equal to
n and less than or equal to m.

The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match
all ports less than n OR greater than m, not be treated as an
alias for ><.

Thus PF_OP_GL, which was used for both <> and ><, is replaced with
PF_OP_IRG and PF_OP_XRG with the 'correct' semantics.

OK dhartmei@


# 1.14 18-Jul-2001 markus

new ERROR token, errx() -> warnx() + ERROR; ok deraadt@


# 1.13 18-Jul-2001 markus

KNF for return


# 1.12 18-Jul-2001 mickey

check number range to fit in 32 bits


# 1.11 18-Jul-2001 mickey

put range checks on NUMBER, pointed out by deraadt


# 1.10 17-Jul-2001 mickey

spaces, parens, err instead of errx+strerror


# 1.9 17-Jul-2001 markus

warnx()/YYERROR instead of errx(); suggested by mickey@


# 1.8 17-Jul-2001 provos

markus doesn't like min-ttl =, begone


# 1.7 17-Jul-2001 provos

support min-ttl, okay dhartmei@


# 1.6 17-Jul-2001 provos

normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@


# 1.5 17-Jul-2001 marc

bitch about ! in pf rule; ok dhartmei@ and markus@


# 1.4 17-Jul-2001 millert

Only set default proto in the rdr case; markus@ OK


# 1.3 16-Jul-2001 markus

errx() if getservbyname() fails


# 1.2 16-Jul-2001 markus

better flags parsing; dhartmei


# 1.1 16-Jul-2001 markus

add a yacc parser for pf.conf and nat.conf, with help from mickey@,
plus: -n now turns off all operations, and just parses the conf files
ok deraadt@


# 1.708 12-Jan-2021 bluhm

Sometimes a user ID was logged in pflog(4) although the logopt of
the rule did not specify it. Check the option again for the log
rule in case another rule has triggered a socket lookup. Remove
logopt group, it is not documented and cannot work as struct pfloghdr
does not contain a gid. Rename PF_LOG_SOCKET_LOOKUP to PF_LOG_USER
to express what it does. The lookup involved is only an implementation
detail.
OK kn@ sashan@ mvs@


# 1.707 16-Dec-2020 kn

Fail to parse rules with invalid ranges

This makes pfctl(8) detect bogus ranges (with and without `-n') before
loading the ruleset and completes the previous commit.

OK sashan sthen


# 1.706 16-Dec-2020 kn

Reject rules with invalid port ranges

Ranges where the left boundary is bigger than the right one are always bogus
as they work like `port any' (`port 34<>12' means "all ports") or in a way
that inverts the rule's action (`pass ... port 34:12' means "pass no port at
all").

Add checks for all ranges and invalidate those that yield no or all ports.

For this to work on redirections, make pfctl(8) pass the range's type,
otherwise boundary including ranges are not detected as such; that is to
say, `struct pf_pool's `port_op' member was unused in the kernel so far.

`rdr-to' rules with invalid ranges could panic the kernel when hit.
Reported-by: syzbot+9c309db201f06e39a8ba@syzkaller.appspotmail.com

OK sashan
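
The operator semantics fixed in 1.15 and the range-validity check added in 1.706 (both above) are easy to get wrong, so here is an added Python model of both; it is not pfctl code, and pfctl implements the same comparisons in C. It parses a port specification as written in pf.conf, evaluates it the way pf compares a packet's port (the PF_OP_* names from 1.15 are given in comments), and rejects any specification that selects no port or every port, which is why `port 34:12` (no ports: the rule can never apply) and `port 34<>12` (all ports: the same as `port any`) are refused. The regular expression, the brute-force count over all 65536 ports and the `is_valid_port_spec` wrapper are this example's own choices, not pfctl's implementation.

```python
"""Model of pf.conf port operators and the range-validity check (added example, not pfctl code)."""
import re
from typing import Optional, Tuple

PORT_MAX = 65535

# Binary operators and the pf_rule op names r1.15 introduced for them:
#   n:m   PF_OP_RRG  inclusive range  n <= p <= m
#   n><m  PF_OP_IRG  exclusive range  n <  p <  m
#   n<>m  PF_OP_XRG  outside range    p <  n or p > m
_SPEC = re.compile(r"^\s*(?:(\d+)\s*(><|<>|:)\s*(\d+)|(!=|<=|>=|<|>|=)?\s*(\d+))\s*$")


def parse_port_spec(text: str) -> Tuple[str, int, Optional[int]]:
    """'1024 >< 2000' -> ('><', 1024, 2000); '> 65000' -> ('>', 65000, None); '22' -> ('=', 22, None)."""
    m = _SPEC.match(text)
    if not m:
        raise ValueError(f"cannot parse port spec {text!r}")
    if m.group(2):
        return m.group(2), int(m.group(1)), int(m.group(3))
    return m.group(4) or "=", int(m.group(5)), None


def port_match(op: str, lo: int, hi: Optional[int], port: int) -> bool:
    """True if `port` satisfies the operator, following pf's comparison semantics."""
    if op == "=":
        return port == lo
    if op == "!=":
        return port != lo
    if op == "<":
        return port < lo
    if op == "<=":
        return port <= lo
    if op == ">":
        return port > lo
    if op == ">=":
        return port >= lo
    if hi is None:
        raise ValueError(f"operator {op!r} needs two ports")
    if op == ":":
        return lo <= port <= hi        # PF_OP_RRG
    if op == "><":
        return lo < port < hi          # PF_OP_IRG: both boundaries excluded
    if op == "<>":
        return port < lo or port > hi  # PF_OP_XRG: everything outside [lo, hi]
    raise ValueError(f"unknown port operator {op!r}")


def matched_ports(op: str, lo: int, hi: Optional[int] = None) -> int:
    """How many of the 65536 ports the spec selects (brute force; pfctl checks the boundaries directly)."""
    return sum(1 for p in range(PORT_MAX + 1) if port_match(op, lo, hi, p))


def validate_port_spec(op: str, lo: int, hi: Optional[int] = None) -> None:
    """Reject specs that select no port or every port, the two cases r1.706 calls invalid."""
    for p in (lo, hi):
        if p is not None and not 0 <= p <= PORT_MAX:
            raise ValueError(f"port {p} out of range")
    n = matched_ports(op, lo, hi)
    shown = f"{lo}{op}{hi}" if hi is not None else f"{op}{lo}"
    if n == 0:
        raise ValueError(f"port {shown} matches no ports: the rule can never apply")
    if n == PORT_MAX + 1:
        raise ValueError(f"port {shown} matches all ports: same as 'port any'")


def is_valid_port_spec(text: str) -> bool:
    """Parse and validate; False on any error (what `pfctl -n` rejecting the rule corresponds to)."""
    try:
        validate_port_spec(*parse_port_spec(text))
    except ValueError:
        return False
    return True
```

Note that the check also catches unary operators that degenerate the same way, such as `port > 65535` (nothing) or `port <= 65535` (everything).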


# 1.705 07-Dec-2020 sashan

synproxy should be processing incoming SYN packets only.
issue noticed by sthen@. fix discussed with bluhm@ and procter@

OK bluhm@, kn@, procter@


# 1.704 01-Oct-2020 kn

rdomain IDs do not need to exist for "on rdomain N" to work

Unlike "... rtable N", pf.conf(5)'s "on rdomain N" does not alter packet
state and will always work no matter if rdomain N currently exists or not,
i.e. the rule "pass on rdomain 42" will simply match (and pass) packets if
rdomain 42 exists, and it will simply not match (neither pass nor block)
packets if 42 does not exist.

There's no need to reload the ruleset whenever routing domains are created
or deleted, which can already be observed now by creating an rdomain,
loading rules referencing it and deleting the same rdomain immediately
afterwards: pf will continue to work as expected.

Relax both pfctl(8)'s parser check as well as pf(4)'s copyin routine to
accept any valid routing domain ID without expecting it to exist at the time
of ruleset creation - this lifts the requirement to create rdomains before
referencing them in pf.conf while keeping pf behaviour unchanged.

Prompted by yasuoka's recent pfctl parse.y r1.702 commit requiring an rtable
to exist upon ruleset creation.

Discussed with claudio and bluhm at k2k20.

Feedback sashan
OK sashan yasuoka claudio


Revision tags: OPENBSD_6_8_BASE
# 1.703 17-Sep-2020 yasuoka

Fix the previous commit whose conditions were reversed.

ok kn


# 1.702 17-Sep-2020 yasuoka

Make pfctl(8) check if the rtable really exists when parsing the
config. work with and diff from kn

ok kn


Revision tags: OPENBSD_6_7_BASE
# 1.701 28-Jan-2020 bket

sbin/pfctl: replace TAILQ concatenation loop with TAILQ_CONCAT

OK kn@, sashan@, florian@


# 1.700 15-Jan-2020 kn

Do the actual pfr_strerror() to pf_strerror() rename

Missed in previous


# 1.699 17-Oct-2019 millert

Use -1 to indicate an invalid uid/gid, not UID_MAX and GID_MAX.
This is the userland portion. OK deraadt@ sashan@


Revision tags: OPENBSD_6_6_BASE
# 1.698 26-Aug-2019 tobhe

Fix file descriptor leak due to popfile() never closing the main config file.

The fix is the same as for other parse.y files in the tree (see bgpd(8) or
unwind(8))

ok bluhm@


# 1.697 05-Jul-2019 patrick

Fix integer sizes in format strings and enable formatting warnings
for yyerror.

From Moritz Buhl
ok bluhm@ claudio@


# 1.696 08-May-2019 sashan

pfctl should check pfctl.astack is not overrun
(bug found and fixed by Petr Hoffmann _at_ oracle.com)

OK kn@


# 1.695 18-Apr-2019 kn

Fix table definition parsing as unprivileged user

revision 1.689 introduced warn_duplicate_tables() unconditionally, breaking
the parser on tables with insufficient permissions to open pf(4):

$ echo 'table <t>' | pfctl -nf-
pfctl: pfr_get_tables: Bad file descriptor

So simply check whether pfctl is able to get the table list first. If not,
instead of silently avoiding namespace collision checks, print a brief
notice iff `-v' is given to help finding duplicate definitions by hand:

$ echo 'table <t>' | ./obj/pfctl -vnf-
table <t>
stdin:1: skipping duplicate table checks for <t>

Reported by Rivo Nurges, thanks!
OK benno sashan


Revision tags: OPENBSD_6_5_BASE
# 1.694 06-Mar-2019 kn

Fix once rules

parse.y revision 1.682 from 16.07.2018 erroneously allowed `match once' and
`anchor "a" once'.

Fix both by checking for PF_DROP not PF_MATCH and creating anchors in the
parser already such that they can be used to distinguish anchor rules in
the same check as well.

Found and fixed by Petr Hoffmann <petr.hoffmann at oracle dot com>, thanks!

While here, remove an unneeded cast and make pfctl_add_rule() void as it
always returned 0.

OK sashan


# 1.693 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.692 10-Feb-2019 kn

Anchor names must not be empty

The parser would allow bogus input and sometimes even produce invalid rules
on empty anchor names, so error out immediately.

OK sashan


# 1.691 10-Feb-2019 kn

Unify anchor name sanity checks

For anchor names, make `load anchor' use the same grammar as `anchor' and
merge unique checks from both places so that anchor names are validated
regardless of the specific rule at hand.

OK sashan


# 1.690 31-Jan-2019 kn

Make divert-packet port accept any port specification

Contrary to other rules accepting a single port, this one only works with
numerical values. Fix it by simply using the proper grammar.

Port ranges are not accepted, but an error message on a range without start
was missing in general, so add it while here.

OK bluhm


# 1.689 11-Jan-2019 kn

When creating tables inside anchors, pfctl warned about namespace
collisions with global tables, but only in certain cases and with
limited information sometimes leaving users clueless.

Deferring the check to process_tabledefs() where tables are eventually
created, both anchor and table name are known which allows for checking
all existing anchors.

With this, warn on all duplicates even in dry-runs (`-n') and print
quoted names so they can be copied to fix configurations right away.

No functional change in parsing or ruleset production.

Discussed with and OK sashan


# 1.688 15-Nov-2018 dlg

scrub opts don't set tos, so remove it from the scrub_opts struct

ok deraadt@


# 1.687 10-Nov-2018 kn

Unbreak `-D macro=value' (r1.686 regression)

Zap trailing semicolon introduced with miko's cmdline_symset() leading to
unconditional err(3). Zap trailing tab while here.


# 1.686 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.685 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.684 16-Sep-2018 millert

Use uid_from_user(3) and gid_from_group(3) in utilities that
do repeated lookups. OK tb@


# 1.683 06-Sep-2018 kn

Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan


# 1.682 16-Jul-2018 kn

reduce duplicate code, fix typo/free correct buffer

In filteropts_to_rule():

* Merge `once' handling from `anchorrule' and `pfrule'
* Remove/shorten duplicate code block
* Fix typo I introduced with r1.678 that frees the wrong buffer (twice)

OK sashan


# 1.681 13-Jul-2018 kn

Fix regression on child queue definitions

I committed the wrong diff in 1.680 which turned `queue cq parent pq ...'
into invalid syntax by changing `interface' to `ON if_item'.

Found by bket, thanks!


# 1.680 11-Jul-2018 kn

Prevent invalid interface specifiers on queue rules

pf.conf(5) states that queues attach to actual interfaces only, yet the
following parses:

# echo queue eq on egress bandwidth 1G default | pfctl -f-
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

# echo queue rq on rdomain 0 bandwidth 1G default | pfctl -vf-
queue rq bandwidth 1G default
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

On rdomains, ifa_exists() returns NULL.
On interface groups, ifa_exists() returns non-NULL but af is never set
to AF_LINK.

OK henning sashan


# 1.679 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.678 10-Jul-2018 henning

'set delay' for the generic packet delay mechanism, ok benno sashan


# 1.677 10-Jul-2018 kn

fix anchor rules with filter opts, introduce filteropts_to_rule()

Some filter options were parsed but not set on anchor rules due to missing
copies of the respective struct members:

$ cat pf.conf
queue rq on trunk0 bandwidth 1G
queue dq parent rq bandwidth 1G default
anchor a set queue dq
$ pfctl -vnf pf.conf | fgrep queue
anchor "a" all

Fix this by moving common code from `anchorrule' and `pfrule' into a new
helper filteropts_to_rule().

Input from henning and benno
OK henning sashan jca


# 1.676 09-Jul-2018 kn

Zap dead code

Commented since r1.465 (2004).

OK deraadt benno jca sashan


# 1.675 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.674 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.673 18-May-2018 benno

A pf rule with a "on rdomain n" with nonexisting rdomain n will cause an

pfctl: DIOCADDRULE: Device busy

error when loading the ruleset, with no information which rule caused
the problem and no indication that the problem is the rdomain
<nonexisting>.

This diff makes pfctl check if the rdomain really exists when parsing
the config.

ok bluhm@


# 1.672 09-May-2018 otto

Fix (include file) line number counting by keeping track of the unget
buffer per file; also use that buffer to expand macros.
ok sashan@ dennis@ krw@


# 1.671 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.670 08-Feb-2018 henning

make the watermarks/thresholds for entering and leaving syncookie mode when
syncookies are set to adaptive tunable, ok claudio benno


# 1.669 06-Feb-2018 henning

allow control over syncookies: set syncookies never/always/adaptive


# 1.668 28-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@


# 1.667 27-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Convert the pfctl(8) rule parser to divert types, kernel cleanup
will be the next step.
OK sashan@


# 1.666 25-Nov-2017 sashan

- pfctl fails to handle nested 'load anchor' properly
[ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]

OK bluhm@


# 1.665 14-Nov-2017 sashan

- nested anchors vs. pfctl/parse.y
bug reported and fix tested by Leonardo Guardati

OK bluhm@


# 1.664 13-Nov-2017 henning

add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb


Revision tags: OPENBSD_6_2_BASE
# 1.663 11-Aug-2017 benno

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@


# 1.662 19-Jul-2017 mikeb

Allow HFSC classes to use flow queues

The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue. Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.

Discussed with and OK henning@ at d2k17 as a part of a larger diff.


# 1.661 19-Jul-2017 mikeb

Rework HFSC vs FQ-CoDel checks

The selection mechanism introduced in pf_ioctl.c -r1.316 suffers
from being too ambiguous and lacks robustness. Instead of relying
on composition of multiple flags in the queue specification, it's
easier to identify the root class (if it exists) and derive all
further checks from it.


# 1.660 28-May-2017 akfaew

Don't check np->port for NULL - it's an array, it's never NULL.

OK bluhm@


# 1.659 15-May-2017 mikeb

Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)

OK sthen, visa


# 1.658 28-Apr-2017 mikeb

Remove double assignments


Revision tags: OPENBSD_6_1_BASE
# 1.657 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.656 23-Nov-2016 bluhm

Explicitly forbid combining af-to with route-to in pfctl. The
parser cannot handle that correctly and it is unclear whether the
kernel code would work. Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@


# 1.655 26-Aug-2016 guenther

Add <time.h> for time(); sort <*.h> includes

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.654 18-Jul-2016 henning

g/c unused (global!) var: oqueues isn't used any more. ALTQ leftover; not
noticed since struct node_queue stayed. ok claudio benno gcc


# 1.653 22-Jun-2016 kettenis

Add curly braces that were missed in rev 1.651. Add parenthesis to make the
condition in the if statement more readable while I'm there.

ok phessler@, benno@, florian@


# 1.652 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.651 21-Jun-2016 benno

the manpage documents that af-to does not work on pass out rules, but
the pf.conf parser allows it, which leads to a non-working configuration
being loaded.
this changes the parser to make pass out .. af-to an error.

ok henning@ mikeb@


# 1.650 16-Jun-2016 henning

allow include in inline anchors
with this,
anchor foo {
include "/path/to/rules"
}
works and "load anchor" is obsolete, to be removed sometime later after
release.
co-production with reyk at bsdcan, ok reyk mikeb benno sasha


Revision tags: OPENBSD_5_9_BASE
# 1.649 01-Sep-2015 sashan

- route-to, dup-to, reply-to should not override the block action

Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>

ok jung@, ok mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.648 21-Apr-2015 mikeb

Improve divert-to specification parsing w.r.t. rule address family.
ok henning


Revision tags: OPENBSD_5_7_BASE
# 1.647 26-Feb-2015 sthen

%% not % in error message; ok millert@ henning@


# 1.646 14-Feb-2015 sthen

Rather than using 0xff as a placeholder for "don't check prio", use 0xff to
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.

Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesnt like it he can change it when he recovers from jet-lag"


# 1.645 10-Feb-2015 henning

since we inherit prio (as in, the queuing priority) from outside sources,
i. e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan


# 1.644 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.643 19-Dec-2014 reyk

Support source-hash and random with tables and dynifs; not just pools.
This finally allows using source-hash for dynamic loadbalancing, eg.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.

An older pre-siphash version of this diff was tested by many people.

OK tedu@ benno@


# 1.642 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@
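
Several entries above touch the lexer: `$var` macro expansion at lex time (1.21), underscores in macro names (1.37), braces as separate tokens (1.43), the ban on whitespace in macro names (1.652), backslash handling inside quoted strings (1.685) and, in 1.642 just above, the rejection of embedded nul characters that the afl-found crash led to. The following Python lexer is an added example that models those behaviours together; it is not pfctl's yylex(). The expansion cap, the statement-splitting driver, the absence of `#` comment handling, keeping raw newlines inside quotes and the small set of separator characters are assumptions of this model, not pfctl behaviour described on this page.

```python
"""Lexer for a pf.conf-like language: macros, quoting, nul rejection (added example, not pfctl's code)."""
import re
from collections import deque
from typing import Dict, Iterator, List, Tuple

MACRO_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # underscores ok (r1.37), no whitespace (r1.652)
SPECIALS = "{},="  # always their own token (r1.43)
MAX_EXPANSIONS = 1000  # assumption: guard against self-referential macros, not a documented pfctl limit


class PfLexer:
    def __init__(self, text: str) -> None:
        if "\0" in text:  # r1.642: an embedded nul is never part of a valid string
            raise ValueError("embedded nul character in input")
        self.buf = deque(text)  # unread input; expanded macro text is pushed back to its front
        self.macros: Dict[str, str] = {}
        self.expansions = 0

    def _getc(self) -> str: return self.buf.popleft() if self.buf else ""
    def _ungetc(self, c: str) -> None: self.buf.extendleft(c)  # c is one char or "" (no-op)

    def symset(self, name: str, value: str) -> None:
        if not MACRO_NAME.match(name):
            raise ValueError(f"invalid macro name {name!r}")
        self.macros[name] = value

    def _expand(self) -> None:  # '$name' (r1.21): push the macro text back to be lexed as ordinary input
        name, c = "", self._getc()
        while c and (c.isalnum() or c == "_"):
            name, c = name + c, self._getc()
        self._ungetc(c)
        if name not in self.macros:
            raise ValueError(f"macro '{name}' not defined")
        self.expansions += 1
        if self.expansions > MAX_EXPANSIONS:
            raise ValueError("too many macro expansions (self-referential macro?)")
        self.buf.extendleft(reversed(self.macros[name]))

    def _quoted(self) -> str:
        out = ""
        while True:
            c = self._getc()
            if not c:
                raise ValueError("unterminated quoted string")
            if c == "\\":
                nxt = self._getc()
                if nxt in (" ", "\t"):  # r1.685: '\ ' and '\<tab>' keep the whitespace
                    c = nxt
                elif nxt == "\n":  # r1.685: backslash-newline is a line continuation
                    continue
                else:  # anything else keeps the backslash literally
                    self._ungetc(nxt)
            elif c == '"':
                return out
            out += c

    def tokens(self) -> Iterator[Tuple[str, str]]:  # (kind, text); kind is STRING, SPECIAL or NEWLINE
        while True:
            c = self._getc()
            if not c:
                return
            if c in " \t":
                continue
            if c == "\n":
                yield ("NEWLINE", c)
            elif c == "$":  # macros are expanded only at the start of a token
                self._expand()
            elif c in SPECIALS:
                yield ("SPECIAL", c)
            elif c == '"':
                yield ("STRING", self._quoted())
            else:
                word, c = c, self._getc()
                while c and not c.isspace() and c not in SPECIALS and c != '"':
                    word, c = word + c, self._getc()
                self._ungetc(c)
                yield ("STRING", word)


def load_statements(text: str) -> Tuple[List[List[str]], Dict[str, str]]:
    """Split input into statements; a line `name = "value"` is a macro assignment (varset), not a rule."""
    lx, stmts, cur = PfLexer(text), [], []

    def finish() -> None:
        if [k for k, _ in cur] == ["STRING", "SPECIAL", "STRING"] and cur[1][1] == "=":
            lx.symset(cur[0][1], cur[2][1])  # applied before the next line is lexed, so later '$' sees it
        elif cur:
            stmts.append([v for _, v in cur])
        cur.clear()

    for tok in lx.tokens():
        if tok[0] == "NEWLINE":
            finish()
        else:
            cur.append(tok)
    finish()
    return stmts, dict(lx.macros)


def lex_error(text: str) -> str:
    """The lexer's error message for `text`, or '' if it is accepted."""
    try:
        load_statements(text)
    except ValueError as err:
        return str(err)
    return ""
```

Feeding it the two-line example from 1.21 yields one statement in which `$okproto` has been replaced by the tokens `{ ssh , smtp , domain , auth }`, while `"this is" = "a variable"` (the 1.652 case) and an anchor name containing a nul (the 1.642 case) are rejected before any rule is produced.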


# 1.641 27-Oct-2014 mikeb

Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic. Reported by sthen@;
ok henning benno sthen


# 1.640 25-Oct-2014 lteo

Remove unnecessary netinet/in_systm.h include.

ok millert@


# 1.639 13-Sep-2014 doug

Replace all queue *_END macro calls except CIRCLEQ_END with NULL.

CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.

ok millert@


# 1.638 23-Aug-2014 pelikan

when you specify queues in a rule, make sure they have been defined.

DIOCADDRULE EBUSY turns into an error message that pfctl -n catches.
DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported
to occur, possibly from hfsc.c: this should be fixed as well.

ok henning mikeb sthen


# 1.637 21-Aug-2014 mikeb

deny "once" flags for match rules; ok henning


Revision tags: OPENBSD_5_6_BASE
# 1.636 02-Jul-2014 mikeb

branches: 1.636.4;
condition above makes this part of the check useless;
overlooked in the previous commit


# 1.635 30-Jun-2014 mikeb

Merge two loops in collapse_redirspec into one

This lets us do the checks only once and also make smarter decisions
about the rule's own address family. As a result af-to rules no longer
need to specify the address family after 'pass'.

ok henning


# 1.634 25-Jun-2014 mikeb

Make stricter decisions when handling translation specifications.

In particular, disallow specifications containing addresses of
different address families when the rule doesn't specify one, for
example "pass out nat-to { ::1 1.1.1.1 }" will now produce an
error instead of silently picking one of the addresses.

sthen and deraadt agree


# 1.633 17-May-2014 bluhm

When parsing a numerical value for the TOS bits, make sure that it
is in a valid range.
OK henning@


# 1.632 19-Apr-2014 henning

remove altq bits here, too
(i was convinced i committed that yesterday already, hrm)


Revision tags: OPENBSD_5_5_BASE
# 1.631 22-Jan-2014 henning

branches: 1.631.4;
relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.630 21-Jan-2014 henning

if_item can be "any" now.
allows things like
block out on $someif received-on any
to prevent packets to get forwarded to $someif


# 1.629 20-Jan-2014 henning

support "!received-on <interface>", ok dlg benno


# 1.628 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.627 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


# 1.626 17-Oct-2013 henning

cannot have queue definitions inside anchors.
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@@ring0.de>, analysis & fix yours truly


# 1.625 12-Oct-2013 henning

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen


# 1.624 01-Aug-2013 mikeb

Provide local implementations of if_nametoindex(3) and if_indextoname(3)
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance wise this change provides a speed up
factor of 20 with an 11k-line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).

"wow!" henning, ok benno, florian


Revision tags: OPENBSD_5_4_BASE
# 1.623 01-Jun-2013 henning

branches: 1.623.2;
remove set-tos backwards compat, moved into the set {} block a year ago
ok ryan


# 1.622 02-Mar-2013 sthen

When a PF rule contains 'set tos' *followed by* a scrub option, the tos
value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning


Revision tags: OPENBSD_5_3_BASE
# 1.621 16-Jan-2013 henning

for consistency with prio etc, the queue assignment really belongs
into the set block. so make pfctl accept, print and the manpage document
. match set queue foo
instead of
. match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc


# 1.620 18-Oct-2012 reyk

Disallow tables and interface address pools for rdr-to, nat-to and
route-to with any other scheduling algorithms than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, eg. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.

Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.

ok zinke@


# 1.619 18-Sep-2012 henning

prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb


Revision tags: OPENBSD_5_2_BASE
# 1.618 10-Jul-2012 bluhm

Allow an implicit address family for af-to rules. If the address
family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6"
there.
OK henning@ mikeb@


# 1.617 10-Jul-2012 henning

set { ... } -> set ( ... )
brought up by ryan, discussed with him and theo and they convinced me


# 1.616 09-Jul-2012 henning

fix some of the confusion we have in pf regarding filter criteria vs
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler


# 1.615 07-Jul-2012 henning

remove incorrect check in pfctl preventing set-tos for ipvshit.
the kernel has code to deal with set-tos and that crap. don't ask for
details. stuart ok


# 1.614 07-Jul-2012 henning

rename prio in struct pf_rule and related structs to set_prio so it is
utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc


Revision tags: OPENBSD_5_1_BASE
# 1.613 19-Dec-2011 mikeb

unbreak rule optimizer; ok henning, looks


# 1.612 12-Dec-2011 mikeb

fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault


# 1.611 03-Dec-2011 mcbride

pfctl_set_hostid always returns 0; don't pretend otherwise and make it a
void function instead.

ok dlg


# 1.610 13-Oct-2011 claudio

pfctl change for af-to / NAT64 support.
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@


# 1.609 07-Sep-2011 haesbaert

Avoid possible SIGSEGV when wrong tos option.


# 1.608 30-Aug-2011 mikeb

One shot rules can be used in pf.conf by specifying a "once" filter option.

ok henning, mcbride


Revision tags: OPENBSD_5_0_BASE
# 1.607 29-Jul-2011 mcbride

Remove requirement to quote 'debug' loglevel for the 'debug' option.

ok henning


# 1.606 27-Jul-2011 mcbride

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with a some minor cleanup.
ok henning claudio deraadt


# 1.605 13-Jul-2011 mcbride

Force user to specify protocol when filtering on user, gid, and os
attributes (this is now required by pf_rule_test()).

ok sthen henning


# 1.604 08-Jul-2011 henning

allow rules to specify "prio X" or "prio (X, Y)" to assign priority levels
for the new priority queueing implementation. valid range is 0 to 7. the old
trick for prioritizing empty ACKs etc remains thru the latter notation
ok ryan mpf sthen plus pea testing and halex and claudio reading


# 1.603 07-Jul-2011 mcbride

Fold pf_test_fragment() into pf_test_rule(), reduce code and fixes
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus


# 1.602 04-Jul-2011 henning

bye bye require-order.
i added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo


# 1.601 03-Jul-2011 henning

g/c RIO traces (aka clean up after tedu :))


# 1.600 03-Jul-2011 zinke

bring in least-states load balancing algorithm

ok mcbride@ henning@


# 1.599 06-Apr-2011 claudio

Userland bits to allow PF to filter on the rdomain a packet belongs to.
This allows to write rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@


# 1.598 05-Apr-2011 mikeb

ditch fastroute, an ipf feature that made its way into pf before
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do. reuse some kernel bits for the upcoming nat64
stuff. "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.


Revision tags: OPENBSD_4_9_BASE
# 1.597 31-Dec-2010 bluhm

According to pf_scrub_ip6() pf does not support the scrub options
no-df, random-id, set-tos for IPv6 rules. Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@


# 1.596 15-Dec-2010 henning

make the "invalid probability:" yyerror suck less
From: Thomas Pfaff <tpfaff@tp76.info>


# 1.595 01-Dec-2010 jsg

remove some unused tokens
ok henning@ mcbride@


# 1.594 24-Sep-2010 henning

remove the check that enforced rdr-to only inbound and nat-to only outbound.
both now can be used in both directions. the kernel allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given, a rule with rdr-to and/or nat-to
and no direction is pretty certainly an error (although it would work,
technically)
ok ryan claudio dlg


# 1.593 22-Sep-2010 henning

new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually


# 1.592 02-Sep-2010 sobrado

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@


Revision tags: OPENBSD_4_8_BASE
# 1.591 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.590 03-Jul-2010 mcbride

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.

tested by phessler
ok henning


# 1.589 23-Mar-2010 henning

remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving anchors aside) is wrong and
conflicts with the general idea of how pf works. last but not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc


Revision tags: OPENBSD_4_7_BASE
# 1.588 13-Jan-2010 deraadt

Move tokens before productions into more consistent places
ok mcbride


# 1.587 13-Jan-2010 mcbride

Allow /netmask notation in redir spec, fix the rest of the regress
tests for illegal conditions in translation/routing.


# 1.586 12-Jan-2010 mcbride

We actually have to keep the translate/route spec addresses around after
collapsing into tables, so that we can handle all possible address family
expansions.


# 1.585 12-Jan-2010 mcbride

Set roundrobin flag correctly, and don't treat a bare interface
like a dynamic one in the routespec.


# 1.584 12-Jan-2010 mcbride

Add restrictions to make @if illegal outside of routing specs;
Fix binat-to sanity checks.


# 1.583 12-Jan-2010 mcbride

Fix some issues in redir spec handling, discovered thanks to dlg testing
- purge irrelevant addresses from the lists before collapsing
- ensure the lists are freed after they're collapsed
- more careful ifname copying, avoiding double-free / use-after-free traps


# 1.582 12-Jan-2010 mcbride

Don't leak @if0 format routing host names, pointed out by claudio.


# 1.581 12-Jan-2010 mcbride

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio


# 1.580 10-Jan-2010 deraadt

lex <=, >=, and != into a single token for correctness and to reduce the
lookahead in the parser
ok henning otto


# 1.579 10-Jan-2010 deraadt

In the non-optimized case, an address list containing "any" (ie. { any 10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1. How long this bug has
been with us is unclear.
ok guenther mcbride


# 1.578 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


# 1.577 24-Dec-2009 dlg

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:

pass out on em0 from $foo to $bar received-on fxp0

i've been running this in production for a week now. i find it particularly
useful with interface groups.

no objections, and a few "i like"s from henning, claudio, deraadt, mpf


# 1.576 10-Dec-2009 deraadt

plug some memory leaks; found by parfait, ok henning


# 1.575 22-Nov-2009 henning

cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing


# 1.574 09-Nov-2009 jsg

A few more places to be updated for the route pool change.
expanded version of a diff from Vadim Zhukov.

ok henning@ claudio@


# 1.573 28-Oct-2009 jsg

Add a dedicated pf pool for route options as suggested by henning,
which unbreaks i.e. route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@


# 1.572 28-Oct-2009 claudio

route_host initializes the netmask to a /128 no matter what af is used, so
that the load balancing code does not freak out, but because of this
check_netmask() is now complaining. So set the addr.type to PF_ADDR_DYNIFTL
so check_netmask() fixes up the netmask for IPv4 and stops complaining.
This is a partial fix for the failing regress test 13.
found with jsg, looks good henning


# 1.571 28-Oct-2009 claudio

Correct function name in err and errx.


# 1.570 04-Oct-2009 michele

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who pointed out the limitations of this approach.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@


# 1.569 08-Sep-2009 michele

I had not enough oks to commit this diff.
Sorry.


# 1.568 08-Sep-2009 michele

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.


# 1.567 07-Sep-2009 reyk

implement binat-to as a macro-like rule: a rule using the new binat-to
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. this simplifies the migration from old
binat rules and is less error-prone.

feedback from many, manpage bits from jmc@
ok henning@


# 1.566 03-Sep-2009 reyk

this time i commit the right diff that was
ok henning@ (sorry)


# 1.565 03-Sep-2009 reyk

fix two route-to vs. rdr-to conflicts.

found by sthen@
ok henning@


# 1.564 02-Sep-2009 reyk

all the new *-to options are part of the "filteropts" section at the
end of a pf rule (nat-to, divert-to, rdr-to, ...). take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.

for example,
pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)

many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@


# 1.563 01-Sep-2009 henning

the diff theo calls me insane for:
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too


# 1.562 28-Jul-2009 claudio

Bring back rev. 1.560:
Make it possible to use DiffServ Code Point in the TOS fields.
Requested by deraadt@


# 1.561 27-Jul-2009 deraadt

When will people learn to commit their .h file changes?


# 1.560 27-Jul-2009 claudio

Make it possible to use DiffServ Code Point in the TOS fields. Names like
af11, cs6 and ef will now be mapped to the corresponding TOS value.
OK henning@, sthen@, mcbride@


Revision tags: OPENBSD_4_6_BASE
# 1.559 14-May-2009 sthen

actually change the require-order default to No; I missed a part with
my last commit. ok deraadt@


# 1.558 26-Apr-2009 sthen

switch the require-order default to "no". regression tests still pass.
ok henning@ deraadt@


# 1.557 25-Apr-2009 henning

scrub_opts must not be empty, scrub on its own does nothing.
noticed due to a question from otto@, ok regress/sbin/pfctl/ ;)


# 1.556 06-Apr-2009 henning

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. as opposed to pass or block, they do NOT change the
pass/block state of a packet. i.e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i.e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.
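A toy model of the evaluation semantics this entry describes (match rules apply their queue, rtable, scrub and log settings every time they match but never change the pass/block state; the last matching pass/block rule wins). This is an added example, not pf(4) or pfctl code; the Rule and Packet fields, the "quick" handling and the constructed ruleset are assumptions for illustration.

```python
"""Toy model of the match/pass/block evaluation semantics described above.
Constructed example, not pf(4) or pfctl code."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    src: str
    proto: str
    dport: int


@dataclass
class Rule:
    action: str                       # "pass", "block" or "match"
    src: str = "any"
    proto: Optional[str] = None
    dport: Optional[int] = None
    queue: Optional[str] = None       # "queue X"
    rtable: Optional[int] = None      # "rtable N"
    scrub: dict = field(default_factory=dict)   # e.g. {"max-mss": 1400}
    log: bool = False
    quick: bool = False               # assumed: terminates evaluation

    def matches(self, p: Packet) -> bool:
        return ((self.src == "any" or self.src == p.src)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


@dataclass
class Verdict:
    action: str = "pass"              # pf passes when no rule matches
    queue: Optional[str] = None
    rtable: Optional[int] = None
    scrub: dict = field(default_factory=dict)
    logged_by: list = field(default_factory=list)   # indices of rules that logged


def evaluate(ruleset, pkt):
    """Walk the ruleset top to bottom the way the entry describes:
    every matching rule applies its queue/rtable/scrub/log settings
    (last setter wins), but only pass/block change the verdict, and
    only the last matching one of those counts unless it is 'quick'."""
    v = Verdict()
    for idx, r in enumerate(ruleset):
        if not r.matches(pkt):
            continue
        if r.queue is not None:
            v.queue = r.queue
        if r.rtable is not None:
            v.rtable = r.rtable
        v.scrub.update(r.scrub)
        if r.log:
            v.logged_by.append(idx)        # one log entry per matching rule
        if r.action == "match":
            continue                       # never touches pass/block state
        v.action = r.action
        if r.quick:
            break
    return v


# Constructed ruleset illustrating the queue subtlety from the entry:
# the last matching rule (the final "pass") has no queue, the second to
# last matching rule is a match rule with a queue, so that queue is used.
RULESET = [
    Rule("match", scrub={"no-df": True, "max-mss": 1400}, log=True),
    Rule("block"),                                   # block all by default
    Rule("match", proto="tcp", dport=22, queue="ssh", rtable=1, log=True),
    Rule("pass", proto="tcp", dport=22),             # no queue here
    Rule("pass", proto="tcp", dport=80, queue="web"),
]


def verdict_for_ssh():
    return evaluate(RULESET, Packet("10.0.0.1", "tcp", 22))


def verdict_for_smtp():
    return evaluate(RULESET, Packet("10.0.0.1", "tcp", 25))


if __name__ == "__main__":
    for name, fn in (("ssh", verdict_for_ssh), ("smtp", verdict_for_smtp)):
        print(name, fn())
```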


Revision tags: OPENBSD_4_5_BASE
# 1.555 19-Feb-2009 deraadt

spacing


# 1.554 17-Oct-2008 henning

in findeol(), do not skip the pushback buffer. fixes PR 5952 by sthen@ and
should make the pushback buffer really transparent.
diagnosis by me, fix with mpf, some input deraadt, ok mpf


# 1.553 02-Oct-2008 henning

implement "set state-defaults X", where X is a list of state options as
permitted in keep state(X). applies to all rules which do not have keep state
explicitly. e. g. "set state-defaults pflow, no-sync"
ok phessler deraadt


# 1.552 10-Sep-2008 deraadt

do not try to print $$ when it has not been set


# 1.551 09-Sep-2008 henning

welcome pflow(4), a netflow v5 compatible flow export interface.
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo


# 1.550 07-Aug-2008 henning

correctly copy the log interface spec when expanding an antispoof rule that
covers loopback addresses. ok ryan
problem report from Harald Dunkel <harald.dunkel@aixigo.de>


Revision tags: OPENBSD_4_4_BASE
# 1.549 03-Jul-2008 deraadt

do not forget to initialize other members of $$ in qname; noted by mark shroyer
ok henning


# 1.548 10-Jun-2008 mcbride

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt


# 1.547 10-Jun-2008 henning

new state option "sloppy" to use the sloppy tcp state tracker instead
of the good one. ok theo ryan reyk


# 1.546 09-May-2008 deraadt

Replace a crockpot of semi-cloned productions for handling port
numbers with one, and fix a few other bugs along the way
ok mpf henning


# 1.545 09-May-2008 markus

convert port byte order in the production; add port keyword; ok deraadt@


# 1.544 09-May-2008 markus

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@


# 1.543 08-May-2008 deraadt

make "to any" optional in binat, or well, the implied default.
requested by reyk, ok reyk mpf


# 1.542 08-May-2008 deraadt

Loosen grammar to permit any number of newlines within most kinds of { }
blocks, as requested by reyk; ok reyk mpf henning


# 1.541 08-May-2008 deraadt

Bring back (in a more yacc friendly way) support for setting variables
to a sequence of strings and numbers, which get folded together into one
string (and later, when used, is re-lexed)
ok mpf


# 1.540 07-May-2008 deraadt

do not assume PF_INOUT is 0 in the enum; ok mcbride


# 1.539 07-May-2008 markus

scrub packets based on tags; ok henning


# 1.538 07-May-2008 markus

allow setting TOS with scrub; ok mcbride, claudio


# 1.537 21-Apr-2008 deraadt

optnl is a crutch for those who do not understand yacc. it
leads to a variety of errors; ok mcbride


Revision tags: OPENBSD_4_3_BASE
# 1.536 01-Feb-2008 mcbride

Enable the rest of the filter_opts to be used on anchors. These were accepted
by the parser but not passed to the kernel. This allows filtering based on
uid, gid, icmp options, tcp flags, os fingerprint, tos, tags, and probability;
It also allows the label to be set. State options and tagging are not
permitted.

ok henning mpf


# 1.535 13-Nov-2007 mpf

Bring back the number converter for 'set hostid'.
I forgot to think about hex numbers when I removed it.
OK deraadt@


# 1.534 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.533 25-Oct-2007 mpf

Fix probability rules w/ numbers (e.g. probability 0.4).
Add support for probabilities of 0% and 100%.
With and OK deraadt@


# 1.532 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.531 22-Oct-2007 deraadt

pfctl does not need file secrecy


# 1.530 16-Oct-2007 mpf

Allow unquoted numbers in variables.
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.

OK deraadt@


# 1.529 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.528 13-Oct-2007 deraadt

support an include directive; file of course must also be "secure" like
the main configuration file; ok henning


# 1.527 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.526 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.525 01-Oct-2007 mpf

Backout NUMBER to string conversion.
Requested by deraadt@


# 1.524 27-Sep-2007 mpf

Add loginterface support for groups.
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.

OK henning@, markus@


# 1.523 23-Sep-2007 mpf

Allow numbers to be used as unquoted strings again.
While there, also restrict the use of concatenated, unquoted
strings for variable assignments only.

Eyeballed by markus@, OK henning@


# 1.522 12-Sep-2007 deraadt

add a missing range check for rtable ids; ok cloder henning


# 1.521 12-Sep-2007 deraadt

Add support to the lex for parsing numbers out of the stream. handle
this in the parser. because the new numbers are int64_t, many new
range checks for < 0 are needed. re-check and improve all the
existing range checks while at it. thanks for help by cloder and
dhartmei


# 1.520 30-Aug-2007 dhartmei

add support for address ranges ("from 10.1.2.50 - 10.1.3.75") in from/to
criteria. ok mcbride@


Revision tags: OPENBSD_4_2_BASE
# 1.519 21-Jun-2007 henning

always initialize logif, from max laier, ok ryan


# 1.518 20-Jun-2007 mpf

Allow "log" for nat rules without "pass".
OK henning@, ``passt scho'' markus@


Revision tags: OPENBSD_4_1_BASE
# 1.517 03-Feb-2007 dhartmei

in decide_address_family(), only limit a rule to a specific address family
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@


# 1.516 07-Nov-2006 mcbride

Unbreak authpf by handling non-inline anchors separately from the { } anchors
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.

ok deraadt@


# 1.515 31-Oct-2006 mcbride

Allow pfctl ruleset optimizer to be controlled from the ruleset.

"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]

You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.

cleanup and ok henning@


# 1.514 31-Oct-2006 mcbride

- don't allow anchors with _* names to be cleared or loaded from the
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified

'looks sensible' deraadt@


# 1.513 28-Oct-2006 mcbride

Load all rules into memory before loading into the kernel, and add support
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").

anchor on fxp0 {
pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@


# 1.512 25-Oct-2006 henning

make absolutely sure logif is 0 unless set specifically, even if log is 0.
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...


# 1.511 25-Oct-2006 henning

and another nit, $$.log should be set to 0 explicitly on quick without log


# 1.510 25-Oct-2006 henning

urgs, $$.quick needs to be set to 0 explicitly on log (without quick)


# 1.509 25-Oct-2006 henning

allow the log interface to be selected like
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride


# 1.508 17-Oct-2006 mcbride

Don't automatically set 'flags S/SA' on stateless rules.

pointed out by david@

ok mpf@ dhartmei@


# 1.507 11-Oct-2006 deraadt

quotes around filename, pr 5253, sthen@zephyr.spacehopper.org


# 1.506 11-Oct-2006 mcbride

Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside
the anchor, terminate ruleset evaluation when stepping out of the anchor.

This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.

ok dhartmei@ henning@ deraadt@


# 1.505 06-Oct-2006 mcbride

Oops, flags S/SA doesn't work on fragments.


# 1.504 06-Oct-2006 mcbride

Make 'flags S/SA keep state' the implicit default for filter rules, based on
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.

IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.

Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.

ok dhartmei@ deraadt@ henning@


Revision tags: OPENBSD_4_0_BASE
# 1.503 22-Aug-2006 dhartmei

back out -r1.497 (support for "tagged {}" lists), it broke "tagged" support
for nat rules. sorry, existing functionality trumps syntactic sugar. feel
free to resubmit a complete patch. closes PR 5207.


# 1.502 06-Jul-2006 henning

add "rtable" to select alternate routing tables.
with & ok claudio hshoexer


# 1.501 17-Jun-2006 henning

KNF


# 1.500 28-May-2006 mcbride

Make per-rule adaptive timeouts behave the same way as the global adaptive
timeouts.


# 1.499 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.498 02-May-2006 dhartmei

fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, create
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.


# 1.497 01-May-2006 dhartmei

add support for "tagged {}" lists, from Pierre-Yves Ritschard


# 1.496 06-Apr-2006 henning

allow lists inside lists for address specs, has been in my tree for
quite some time... theo likes


# 1.495 14-Mar-2006 djm

implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@


Revision tags: OPENBSD_3_9_BASE
# 1.494 17-Nov-2005 dhartmei

for pfctl -f rules, open the file before resetting options. when opening
the file fails, produce only the error message and leave options
unchanged. reported by Tamas TEVESZ, ok deraadt@


# 1.493 13-Oct-2005 henning

unused parameters


Revision tags: OPENBSD_3_8_BASE
# 1.492 14-Jun-2005 henning

no need to restrict tagging to stateful rules any more, dhartmei ok
From: "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.491 27-May-2005 dhartmei

get rid of 'log-all'. now that we have 'log (options)', make 'all' an
option to log. so, 'log-all' becomes 'log (all)'.


# 1.490 27-May-2005 dhartmei

get rid of shift/reduce conflicts, don't support empty logopts


# 1.489 27-May-2005 dhartmei

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v is used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.


# 1.488 27-May-2005 dhartmei

allow 'tagged' in 'anchor' rules (without complaining about missing
'keep state'), as a condition to branch into the anchor. suggested
by Bill Marquette.


# 1.487 26-May-2005 camield

The illegalness of "no nat log" is already enforced by the grammar.

ok dhartmei


# 1.486 26-May-2005 dhartmei

support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@


# 1.485 23-May-2005 camield

remove code that duplicates getservice()

ok dhartmei mcbride


# 1.484 21-May-2005 henning

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo


# 1.483 22-Apr-2005 camield

Catch bad flags, ie. flags that always evaluate to false. This happens
if there are flags on the left-hand side that are masked off by the
right-hand side.

ok mcbride@ (long time ago) dhartmei@ henning@


Revision tags: OPENBSD_3_7_BASE
# 1.482 07-Mar-2005 henning

print unsigned long with %lu, not with %d and not with %ld.
From: Andrey Matveev <andrushock@korovino.net>


# 1.481 06-Mar-2005 henning

allow commas in the hfsc service curve spec, inconsistency pointed out in
PR4134 / geoff@collyer.net and a longer mail exchange with han boetes


# 1.480 06-Mar-2005 dhartmei

print "set skip on" with -v in such a way that the output is valid input
syntax, instead of the cryptic hex flags output.


# 1.479 27-Feb-2005 dhartmei

support 'tagged' in translation rules, non-delayed tag lookup
ok henning@, deraadt@


# 1.478 26-Feb-2005 henning

you sure get the impression the number of memory leaks in error paths
is infinite... Andrey Matveev <andrushock@korovino.net> spotted a few again!


# 1.477 07-Feb-2005 david

KNF; ok henning@


# 1.476 28-Jan-2005 dhartmei

add messages for syntax errors that caused silent failure before.
found by Peter Fraser, ok henning@


# 1.475 27-Jan-2005 dhartmei

dynamic interface names must start with a letter. catches the nonsensical
"(10.1.2.3)" that results from a simple typo like "$(ext_ip)" instead of
"$(ext_if)".


# 1.474 05-Jan-2005 mcbride

Modify pfctl behaviour so that 'set ...' options are no longer "sticky", ie.
they are reset to default values if omitted from a subsequent ruleset load.
Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set
without resetting the others, eg:
# echo "set loginterface fxp0" | pfctl -mf -

ok henning@ dhartmei@


# 1.473 29-Dec-2004 mcbride

Print 'set fingerprints' correctly when parsing verbosely.


# 1.472 23-Dec-2004 dhartmei

set rule_flag PFRULE_SRCTRACK when setting srctrack, found by camield@
using regress test pf84


# 1.471 22-Dec-2004 dhartmei

Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@


# 1.470 15-Dec-2004 henning

missing free()s; with pat


# 1.469 10-Dec-2004 henning

allow pf to filter on route labels
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan


# 1.468 08-Dec-2004 mcbride

Add "'overload' requires 'max-src-conn' or 'max-src-conn-rate'" sanity check,
fix some cut-n-paste mayhem in other related checks.


# 1.467 07-Dec-2004 dhartmei

re-commit mcbride@'s 'flush global', this time without the breakage in
pfvar.h. builds kernel and userland.


# 1.466 07-Dec-2004 deraadt

real backout


# 1.465 07-Dec-2004 deraadt

oops, incomplete backout


# 1.464 07-Dec-2004 deraadt

tree does not compile, spotted by dlg (not obvious how to fix)
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.463 07-Dec-2004 mcbride

Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.462 05-Dec-2004 dhartmei

initialize $$->tail and $$->next for MAXSRCCONNRATE


# 1.461 04-Dec-2004 mcbride

Userland support for limiting open tcp connections per source. eg:

keep state (max-src-conn 1000, max-src-conn-rate 100/10, overflow <bad> flush)

allow a maximum of 1000 open connections or 100 new connections in 10 seconds.
The addresses of offenders are added to the <bad> table which can be used in
the ruleset, and existing states from that host are flushed.

ok deraadt@ dhartmei@
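
An added example (not pfctl's or pf(4)'s own code) of the per-source accounting these options imply, with limits scaled down to max-src-conn 2 and max-src-conn-rate 3/10 for a constructed event log; the src_* and demo_step names are assumptions, and the rate check is a fixed window rather than pf's own counter.

```c
#include <stdint.h>
#include <string.h>
#include <time.h>

/* Per-rule limits, the keep state options 1.461 introduces; 0 = unlimited. */
struct src_limits {
	unsigned	max_src_conn;
	unsigned	rate_limit;	/* max-src-conn-rate N/S: N ... */
	unsigned	rate_seconds;	/* ... and S */
};

/* One tracked source address (assumed layout, not pf's source node). */
struct src_node {
	uint32_t	addr;		/* IPv4, host order */
	unsigned	conn;		/* currently open connections */
	unsigned	window_count;	/* new connections in this window */
	time_t		window_start;
};

#define MAXSRC	16
struct src_table { struct src_node nodes[MAXSRC]; int n; };

static struct src_node *
src_lookup(struct src_table *t, uint32_t addr, time_t now)
{
	int i;
	for (i = 0; i < t->n; i++)
		if (t->nodes[i].addr == addr)
			return (&t->nodes[i]);
	if (t->n == MAXSRC) return (NULL);
	memset(&t->nodes[t->n], 0, sizeof(t->nodes[t->n]));
	t->nodes[t->n].addr = addr;
	t->nodes[t->n].window_start = now;
	return (&t->nodes[t->n++]);
}

/*
 * New connection from addr at time now. Returns 1 when a state may be created,
 * 0 when the source just crossed a limit: it is the offender that would go into
 * the <bad> table, and "flush" drops its existing states. -1 when the table is
 * full. The rate check is a fixed window, a simplification of pf's counter.
 */
int
src_new_conn(struct src_table *t, const struct src_limits *l, uint32_t addr,
    time_t now)
{
	struct src_node *s = src_lookup(t, addr, now);
	int rate_hit = 0;

	if (s == NULL) return (-1);
	if (l->rate_limit != 0) {
		if ((unsigned)(now - s->window_start) >= l->rate_seconds) {
			s->window_start = now;
			s->window_count = 0;
		}
		rate_hit = ++s->window_count > l->rate_limit;
	}
	if (rate_hit || (l->max_src_conn != 0 && s->conn >= l->max_src_conn)) {
		s->conn = 0;	/* flush: existing states from this host are gone */
		return (0);
	}
	s->conn++;
	return (1);
}

/* A state from addr closed: free one max-src-conn slot. */
void
src_close_conn(struct src_table *t, uint32_t addr, time_t now)
{
	struct src_node *s = src_lookup(t, addr, now);
	if (s != NULL && s->conn > 0) s->conn--;
}

/* Constructed demo: one source, limits scaled down to max-src-conn 2 and
 * max-src-conn-rate 3/10; events are (second, 1 = new connection / 0 = close). */
static const struct { time_t t; int open; } demo_events[] = {
	{ 0, 1 }, { 1, 1 }, { 2, 0 }, { 3, 1 }, { 4, 1 }, { 12, 1 }, { 13, 1 }, { 14, 1 },
};

/* Replay the demo up to and including step; returns src_new_conn's result
 * for a connection attempt, or 2 for a close event. */
int
demo_step(int step)
{
	static const struct src_limits lim = { 2, 3, 10 };
	struct src_table t;
	uint32_t src = 0xc000020aU;	/* 192.0.2.10, a documentation address */
	int i, r = -1, nev = sizeof(demo_events) / sizeof(demo_events[0]);

	memset(&t, 0, sizeof(t));
	for (i = 0; i <= step && i < nev; i++)
		r = demo_events[i].open ?
		    src_new_conn(&t, &lim, src, demo_events[i].t) :
		    (src_close_conn(&t, src, demo_events[i].t), 2);
	return (r);
}
```

Step 4 trips the rate limit (fourth new connection inside the 10-second window) and step 7 trips max-src-conn after the window has been reset.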


# 1.460 21-Sep-2004 aaron

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok


Revision tags: OPENBSD_3_6_BASE
# 1.459 29-Jun-2004 henning

remove cedric's bogus interface name verification code.
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nice enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being regularly bugged to.
help & ok mcbride@


# 1.458 29-Jun-2004 frantzen

convert a few memcpy()s to strlcpy() so we don't copy uninitialized junk into
an interface name's slack space past the \0. will be needed for the optimizer.
ok henning@


# 1.457 26-Jun-2004 david

add back PF_INOUT, fixes reassemble tcp
ok canacar@ mcbride@


# 1.456 25-Jun-2004 deraadt

repair tree nanobreak by the nanobum


# 1.455 10-Jun-2004 dhartmei

rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
keyword in C++. ok henning@, cedric@


# 1.454 21-May-2004 dhartmei

Use '/' instead of ':' as separator for anchor path components. Note that
the parser now needs quotes around paths containing separators.
ok mcbride@


# 1.453 19-May-2004 dhartmei

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@


# 1.452 24-Apr-2004 cedric

Add "probability xxx" rule modifier. ok deraadt@


# 1.451 22-Apr-2004 henning

typo, From: Jared Yanovich <jjy2+@pitt.edu>


# 1.450 14-Apr-2004 cedric

make antispoof work with dynamic addresses. ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_5_BASE
# 1.449 20-Mar-2004 david

spelling fix; ok dhartmei@ henning@ deraadt@


# 1.448 14-Mar-2004 dhartmei

#include fixes, from Max Laier, ok beck@ henning@


# 1.447 08-Mar-2004 henning

plug 124 memory leaks
ok mcbride@ pb@ dhartmei@


# 1.446 06-Mar-2004 henning

from bgpd:
plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. err(1, "yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.445 01-Mar-2004 dhartmei

support "tagged <name>" on anchor rules, suggested by vd@vmunix.lt,
ok henning@, cedric@


# 1.444 24-Feb-2004 mcbride

'max-src-nodes' requires 'source-track rule'. Set that automatically,
unless 'source-track global' is explicit, in which case error out. Lots of
help from cedric@.

ok cedric@ henning@


# 1.443 24-Feb-2004 cedric

fixup.


# 1.442 24-Feb-2004 mcbride

Check for 'source-track rule' with 'max-src-nodes'.

ok cedric@ henning@


# 1.441 11-Feb-2004 cedric

Fix interface clobbering for link-local addresses. Found by Pyun YongHyeon.
Fix "antispoof for foo" when foo has no addresses.
ok+help dhartmei@, ok mcbride@


# 1.440 10-Feb-2004 henning

KNF


# 1.439 10-Feb-2004 henning

fix at least the worst of Cedric "KNF is for everybody but me" Berger's fuckup


# 1.438 04-Feb-2004 mcbride

Handle rules like 'pass ... proto { tcp udp icmp } ... modulate state'

ok dhartmei@ henning@


# 1.437 03-Feb-2004 henning

fix PR 3664 / jared r r spiegel
we need to save the unexpanded tag/tagged strings before entering the
expansion loop, and at each loop, start with the unexpanded tag, so that
on subsequent loops the macros are replaced with the current values and
the values from the previous loop do not persist
ryan theo ok


# 1.436 05-Jan-2004 henning

a few off-by-ones in the strlcpy overflow check; Patrick Latifi


# 1.435 04-Jan-2004 cedric

don't ignore "!" on "binat on !foo". ok mcbride@


# 1.434 31-Dec-2003 deraadt

spacing. note this, cedric


# 1.433 31-Dec-2003 cedric

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to a group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@


# 1.432 30-Dec-2003 henning

fix TAILQ abuse.
TAILQ_REMOVE is a no-no within a TAILQ_FOREACH loop.
also free the symbol itself after removal.
all found while hacking bgpd which incorporates pfctl's sym code (macros).

ok cedric@


# 1.431 19-Dec-2003 henning

i wrote much of these, assert my copyright


# 1.430 19-Dec-2003 deraadt

assert copyright. i rewrite much of this


# 1.429 16-Dec-2003 mcbride

Check that max-src-states and max-src-nodes are not being set to 0.


# 1.428 15-Dec-2003 henning

KNF here too


# 1.427 15-Dec-2003 mcbride

Whitespace.


# 1.426 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. i.e., a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


# 1.425 15-Dec-2003 mcbride

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@


# 1.424 29-Nov-2003 dhartmei

allow ':' (range including boundaries) to be used wherever '><' (range
excluding boundaries) is legal. already supported by kernel, requires only
removal of three error messages. ok henning@


# 1.423 22-Nov-2003 henning

daniel stumbled over a broken regress test, and it turned out that I forgot
to commit a diff from 11/6...
do not insert the "block in on ! interface" rule for antispoof statements when
the interface in question does not have any IP address, because that then
expands to
block in on ! interface all
which is obviously bad.
niklas@ found it, dhartmei@ ok, and I think some more ppl ok I don't remember


# 1.422 14-Nov-2003 henning

allow the debuglevel to be set from pf.conf (set debug)

ok cedric@


# 1.421 08-Nov-2003 mcbride

Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.

pass in proto tcp to self flags S/SA keep state (no-sync)

ok cedric@ henning@ dhartmei@


# 1.420 06-Nov-2003 henning

and fix two err() that should be errx() while being here


# 1.419 06-Nov-2003 henning

need calloc here


# 1.418 06-Nov-2003 henning

allow the label macros to be used in tags as well.
the idea is not mine and I'd love to give credit, but I cannot find the mail
any more :-((

ok canacar@ dhartmei@


# 1.417 21-Oct-2003 itojun

don't use NULL as (int)0. henning ok


# 1.416 26-Sep-2003 cedric

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:

- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK

Ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_4_BASE
# 1.415 01-Sep-2003 henning

KNF


# 1.414 28-Aug-2003 kjell

This change is busted. what's worse, REGRESSION TESTS WOULD HAVE CAUGHT IT!
You MUST test network stack changes on BOTH BYTE-ORDERS.
Someone can fix this later, but right now I need to get the damn
firewall up. Grr.


# 1.413 26-Aug-2003 dhartmei

catch port/user/group a <>/>< b with a >= b, from mpech@


# 1.412 25-Aug-2003 dhartmei

catch return-rst ttl values > 255, from aaron@


# 1.411 24-Aug-2003 cedric

Tweaks:
- Make sure we allow only tables in round-robin pools for routing options,
same as what we do for translation rules.
- Don't reject rules like: "nat on sis0 -> <foo>" because
"no address family is given". This is perfectly valid.
ok henning@


# 1.410 22-Aug-2003 david

pf spelling police
ok dhartmei@ jmc@


# 1.409 21-Aug-2003 frantzen

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001


# 1.408 20-Aug-2003 henning

braindeadness police: catch queues which specify itself as child... 'nuff said


# 1.407 20-Aug-2003 henning

err out nicer on errors in queue def


# 1.406 18-Aug-2003 dhartmei

catch max-mss values > 65535, report by Gregory Steuck


# 1.405 09-Aug-2003 cedric

This patch removes the restriction that tables cannot be used in routing or
redirection rules...

The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.

This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.

Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"

ok henning@ mcbride@
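
An added example, not pfctl's own code, that models the table semantics described in 1.405: a table initialiser list with negated entries is expanded to its usable addresses and served round-robin. pf itself walks the table's radix tree rather than an expanded list; the pool_*/demo_* names and the POOL_MAX cap are assumptions.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POOL_MAX	64	/* cap for this model: at most a /26 expanded */

struct pool {
	uint32_t	addr[POOL_MAX];	/* host-order IPv4 addresses */
	int		n;
	int		rr;		/* round-robin cursor */
};

/* Parse "a.b.c.d" or "a.b.c.d/len" into a host-order network and mask. */
static int
parse_cidr(const char *s, uint32_t *net, uint32_t *mask)
{
	char		 buf[32], *slash;
	struct in_addr	 in;
	int		 len = 32;
	snprintf(buf, sizeof(buf), "%s", s);
	if ((slash = strchr(buf, '/')) != NULL) {
		*slash = '\0';
		len = atoi(slash + 1);
		if (len < 0 || len > 32)
			return (-1);
	}
	if (inet_pton(AF_INET, buf, &in) != 1)
		return (-1);
	*mask = len == 0 ? 0 : 0xffffffffU << (32 - len);
	*net = ntohl(in.s_addr) & *mask;
	return (0);
}

/* Build the pool from table initialisers. Plain blocks are expanded first,
 * then "!"-prefixed blocks are removed, so entry order does not matter: a
 * negated entry simply means "not in the table". */
int
pool_build(struct pool *p, const char *const *ent, int nent)
{
	uint32_t	net, mask, count, i;
	int		e, j, k;
	memset(p, 0, sizeof(*p));
	for (e = 0; e < nent; e++) {
		if (ent[e][0] == '!') continue;
		if (parse_cidr(ent[e], &net, &mask) == -1)
			return (-1);
		count = ~mask + 1;	/* block size; wraps to 0 for a /0 */
		if (count == 0 || count > POOL_MAX - (uint32_t)p->n)
			return (-1);
		for (i = 0; i < count; i++)
			p->addr[p->n++] = net + i;
	}
	for (e = 0; e < nent; e++) {
		if (ent[e][0] != '!') continue;
		if (parse_cidr(ent[e] + 1, &net, &mask) == -1)
			return (-1);
		for (j = k = 0; j < p->n; j++)	/* keep what lies outside the block */
			if ((p->addr[j] & mask) != net)
				p->addr[k++] = p->addr[j];
		p->n = k;
	}
	return (p->n > 0 ? 0 : -1);
}

/* Next address in round-robin order, the pool behaviour 1.405 describes. */
uint32_t
pool_next(struct pool *p)
{
	uint32_t a = p->addr[p->rr];
	p->rr = (p->rr + 1) % p->n;
	return (a);
}

/* Constructed demo using the commit message's own table. */
static const char *const demo_table[] = { "10.0.0.0/29", "!10.0.0.0", "!10.0.0.7" };

/* Number of usable addresses in the demo table, or -1 on error. */
int
demo_size(void)
{
	struct pool p;
	return (pool_build(&p, demo_table, 3) == 0 ? p.n : -1);
}

/* The k-th round-robin pick from the demo table (host order), 0 on error. */
uint32_t
demo_pick(int k)
{
	struct pool p; uint32_t a = 0;
	if (pool_build(&p, demo_table, 3) == -1)
		return (0);
	do
		a = pool_next(&p);
	while (k-- > 0);
	return (a);
}
```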


# 1.404 29-Jul-2003 deraadt

indent


# 1.403 19-Jul-2003 cedric

Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
instead of indirectly through struct pf_rule_addr.

Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.

Needless to say: KERNEL/USERLAND SYNC REQUIRED.

ok henning@ mcbride@


# 1.402 18-Jul-2003 cedric

Simplify handling of flags (-R, -N...). Remove PFCTL_FLAG_ALL.
ok dhartmei@


# 1.401 15-Jul-2003 cedric

Repair memory management in table parsing code.
I need vacations.
Found and verified by Pyun YongHyeon.
ok dhartmei@


# 1.400 14-Jul-2003 dhartmei

typo


# 1.399 11-Jul-2003 cedric

Better parsing and -v support for tables:

- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and makes table definitions consistent with other
parsed rules.

ok dhartmei@


# 1.398 10-Jul-2003 cedric

Fix merging of host lists.
ok dhartmei@ henning@


# 1.397 04-Jul-2003 henning

KNF after cedric (grmpf)


# 1.396 04-Jul-2003 henning

allow for a "pass" modifier on translation rules:
nat pass on $ext_if from $a to $b -> $ext_if
when the pass modifier is given, the filter ruleset is _not_ evaluated but
the packets matching this translation rule are passed unconditionally.

ok dhartmei@ cedric@ markus@


# 1.395 03-Jul-2003 cedric

Bye bye atexit(), bye bye globals...
The pfctl.c part will probably need some further improvements.
ok henning@


# 1.394 03-Jul-2003 cedric

This patch finally cleans up pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@


# 1.393 19-Jun-2003 deraadt

knf


# 1.392 18-Jun-2003 henning

change expand_label_addr() to use a switch (h->addr.type) instead of
if .. else if .. else, and handle PF_ADDR_NOROUTE as well.
inspired by a comment from cedric.


# 1.391 18-Jun-2003 henning

when expanding the $srcaddr/$dstaddr label macros and the address is actually
a table reference, don't print nonsense but the table name.
found by claudio jeker, fix by me, agreement by cedric


# 1.390 09-Jun-2003 mcbride

Attempt to resolve byte order confusion in nat code once and for all.

- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()

NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.


# 1.389 25-May-2003 henning

must not run check_netmask() before remove_invalid_hosts() - binat case had it
wrong for the redirection target.
reported by jared r r spiegel <jrrs@ice-nine.org>


# 1.388 19-May-2003 henning

reject invalid netmasks like 10.0.0.0/68, and fix up the netmask for
dynaddr rules after we know the address family

ok dhartmei@, inspired by a session with bob


# 1.387 19-May-2003 henning

all host() receivers have to test for NULL


# 1.386 19-May-2003 henning

if host() returns NULL, it is an error, so err the fuck out and don't
load bullshit


# 1.385 17-May-2003 henning

support inverse matching on tags like
block in ! tagged sometag

ok dhartmei@ pb@


# 1.384 16-May-2003 dhartmei

TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive end-
point, preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@


# 1.383 15-May-2003 henning

properly complain about too long tags


# 1.382 14-May-2003 frantzen

add scrub modifier "reassemble tcp" to turn on stateful TCP normalizations
ok henning@ dhartmei@


# 1.381 14-May-2003 henning

tagging on binat


# 1.380 14-May-2003 henning

enabled tagging on rdr rules


# 1.379 14-May-2003 henning

with tag/tagged given, only whine about missing keep state on pass rules


# 1.378 14-May-2003 frantzen

allow SCRUB rules to specify protocol again. broken sometime in the past.
okie dhartmei@, yay pb@


# 1.377 14-May-2003 henning

tags on nat rules:
nat on $ext_if all tag humppa -> $ext_if
pass out tagged humppa keep state


# 1.376 13-May-2003 henning

make sure tagging is only ever used with stateful filter rules


# 1.375 13-May-2003 henning

userland part for tagging.
it's now possible to tag packets with an arbitrary tag and filter based on
that tag later on other interfaces:
pass in quick on fxp0 keep state tag blah
pass out quick on wi0 keep state with tag blah
can be used to express trust between interfaces, to distinguish between
NATed connections and connections originating from the firewall itself
and much more

ok dhartmei@ frantzen@ pb@ mcbride@


# 1.374 11-May-2003 mcbride

Don't ntohs() the translation port for nat as it is already in host byte order.
Makes nat ... -> $ext_if port 500 rules work correctly again.

ok henning@ dhartmei@ frantzen@


# 1.373 10-May-2003 henning

support loading of anchors from within the main ruleset via
load anchor anchorname:rulesetname file /path/to/file

ok pb@ dhartmei@ cedric@


# 1.372 03-May-2003 henning

don't free() the char * carrying the rule label too early
noticed by Mathieu Sauve-Frankel <m.sauve at secureops.net> via silc


# 1.371 01-May-2003 henning

ease label handling

ok cedric@


# 1.370 01-May-2003 henning

allow label on antispoof; requested by Gregor Binder <gbinder at sysfive.com>

ok cedric@


# 1.369 30-Apr-2003 cedric

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@


# 1.368 25-Apr-2003 dhartmei

Properly copy the second part of nat proxy port range, when specified.
ok henning@


# 1.367 15-Apr-2003 henning

pass down the unparsed queue opts (struct node_queue_opt) to
print_altq/print_hfsc -> print_hfsc_opts and extract struct node_hfsc_sc
there for each service curve and pass those down to print_hfsc_sc. now
bandwidth specifications in the service curves are printed correctly in the
case of a queue belonging to more than one interface/parent queue, the
parent queues having different bandwidths and the bandwidth on the service
curve being specified in percent.


# 1.366 14-Apr-2003 henning

let print_altq and print_queue take a struct node_queue_bw parameter instead
of distinct bw_percent


# 1.365 13-Apr-2003 henning

KNF


# 1.364 13-Apr-2003 henning

prevent double service curve specification


# 1.363 13-Apr-2003 henning

add support for the HFSC linkshare, realtime, and upperlimit service curves
to be specified.


# 1.362 13-Apr-2003 dhartmei

unbreak (missing })


# 1.361 13-Apr-2003 henning

say bye bye to hfscflags_list and hfscflags_item
welcome hfscopts_list and hfscopts_item, returning a full struct
node_hfsc_opt instead of just an int for the flags. needed because of all
the opts hfsc knows


# 1.360 13-Apr-2003 henning

new struct node_hfsc_opts for, surprise, hfsc options. needed because they
contain bandwidth specifications and we need to carry the unprocessed bw
specs around for quite some time until we can break them down to absolute
values.


# 1.359 13-Apr-2003 henning

pass down the struct node_queue_opts from the altqif/queuespec yacc targets
to expand_altq/expand_queue -> eval_pfaltq/eval_pfqueue and
further down to the new eval_queue_opts() instead of evaluating them directly
in the yacc grammar.
this will be needed to process the hfsc options which can contain relative
bandwidth specifications, and we can't break them down to an absolute one
earlier.


# 1.358 13-Apr-2003 henning

move the structs node_queue_bw and node_queue_opt to pfctl_parser.h.
let eval_pfqueue() and eval_pfaltq() take a pointer to a struct
node_queue_bw instead of two distinct bw_absolute and bw_percent parameters.


# 1.357 13-Apr-2003 henning

move the bandwidth keyword from within the bandwidth target up to the
queue_opts target so the bandwidth parser can be used for other things too;
will be needed for hfsc's linkshare etc


# 1.356 12-Apr-2003 henning

initial support for the HFSC scheduler.
whoever uses that for more than toying around is on drugs. it's far from done.


# 1.355 11-Apr-2003 henning

KNF


# 1.354 11-Apr-2003 henning

don't set r->qid and r->pqid in expand_rule any more, queue name -> queue ID
mapping is done in kernel land now


# 1.353 07-Apr-2003 dhartmei

Catch and refuse invalid icmp codes (> 255). ok pb@, mpech@.


# 1.352 05-Apr-2003 henning

ease netmask handling a bit

input theo, ok dhartmei@


# 1.351 05-Apr-2003 henning

allow queue specs to be limited to certain interfaces.

altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two }
queue one priority 1 priq(default)
queue two on $if0 priority 15
queue two on ! $if0 priority 0

ok dhartmei@


# 1.350 05-Apr-2003 henning

whitespace KNF


# 1.349 04-Apr-2003 henning

clean up:
instead of letting the lexer interpret '<' '>' '=' '>=' '<=' and return them
as PF_OP_LT, PF_OP_GT etc etc etc in PORTUNARY, just let the lexer return
'<' '>' and '=' literally, and in the few cases where the old PORTUNARY was
really used like originally intended, replace that by a new unaryop yacc
target. in all other cases that gets rid of quite some checks whether PORTUNARY
is really < and nothing else etc etc etc.

ok cedric@ deraadt@


# 1.348 27-Mar-2003 henning

lotsa const char *
from David Hill <david at phobia.ms> a while ago


# 1.347 27-Mar-2003 henning

introduce a "yesno" target. eases code a bit and yes is no keyword any more.


# 1.346 27-Mar-2003 henning

handle invalid priq/cbq flags better and give a nice error message


# 1.345 27-Mar-2003 henning

default, borrow, ecn, red and rio are no keywords any more. use STRING and
strcmp instead.


# 1.344 27-Mar-2003 henning

switch symset/symget to TAILQ instead of using hand baked lists

ok dhartmei@ cedric@


Revision tags: OPENBSD_3_3_BASE
# 1.343 19-Mar-2003 henning

branches: 1.343.2;
kill the address token and move the host() invocation up to the host token,
so that host() always gets the full address to be parsed including the
netmask instead of applying the netmask afterwards. this could break some
edge cases and was broken since the (interface)/24 fix.
new token dynaddr for, well, dynaddr, and apply an eventually given netmask
afterwards in the host token just in this case.

found after bug report From: Julien Bordet <zejames@greyhats.org> via dhartmei

ok daniel cedric


# 1.342 10-Mar-2003 henning

correctly cope with errors returned by eval_pfqueue and pfctl_add_altq

ok dhartmei@ pb@ (as part of... you know, monsterdiff)


# 1.341 10-Mar-2003 henning

when complaining about a queue without parent, include the queue name in
the error message

ok dhartmei@ pb@ (as part of a monsterdiff)


# 1.340 09-Mar-2003 henning

cope with LOOP_THROUGH modifying the list (queues).
in case of an error in the queue def in question the queues list remains
unmodified, but the LOOP_THROUGH caused a mod anyway, and the list can stay
empty. subsequent checks for NULL which check for an empty list fail then.
fix by adding an explicit check before looping.
fixes regress pfail31
error report by Kamil Andrusz via pb@, testcase from pb@
ok dhartmei@


# 1.339 09-Mar-2003 henning

cope with the fact that LOOP_THROUGH loops once even if the list is empty by
moving the addition of child queues a bit down after the successful
addition of the current queue and an explicit NULL check before looping.
fixes regress pf59
found by kjc@
ok kjc@ cedric@ dhartmei@


# 1.338 08-Mar-2003 henning

fix the obvious:
since we do not modify the struct pf_altq *a any more but our private copy,
we can of course not inherit the scheduler type from it, since it did not
inherit the scheduler type from the parent.
so just inherit the scheduler type from the parent directly...

ok dhartmei@ cedric@


# 1.337 08-Mar-2003 henning

in expand_queue, make a private copy of the struct pf_altq before modifying
it. modifying the original one had undesired side effects if a queue was
expanded to more than one because it belonged to more than one interface

ok pb@ cedric@ dhartmei@


# 1.336 06-Mar-2003 henning

fix queue assignment on filter rules which are not bound to an interface.
when looking up the queue IDs using qname_to_qid, we do not need to limit
the matching on the interface in question, as it is guaranteed that same
named queues on different interfaces have the same queue id. moreover, we
must not limit the matches to the interface if we do not have an interface
given on the filter rule to match on ;-)

found after problems reported by Andre Nathan <andre at v2r dot com dot br>

ok dhartmei@ pb@ cedric@


# 1.335 02-Mar-2003 henning

when printing queues at load time that have bandwidth specified in percent,
print the bandwidth in percent instead of the calculated absolute value.
if a queue belongs to more than one interface and they have different
bandwidth the calculated absolute is of course different per interface.
previously the first calculated absolute value was shown; what of course is
incorrect on the second interface. note that only the print was wrong, the
correct values were passed to the kernel.

ok theo daniel


# 1.334 02-Mar-2003 henning

remove the control keyword for cbq queues.
the control class was a legacy of the original CBQ design by LBL/Sun
to support RSVP.
the control class is not used in openbsd, in the sense that
we don't automatically set filters for ICMP/IGMP/RSVP for the control
class.

ok dhartmei@ kjc@ deraadt@


# 1.333 27-Feb-2003 david

modify error message to match the same 7 sections in pf.conf(5)
ok deraadt@ henning@


# 1.332 26-Feb-2003 henning

in expand_rule, correctly set r->pqid if a priority queue was defined, and
reuse the value of r->qid if not.

ok dhartmei@ mcbride@


# 1.331 25-Feb-2003 henning

some minor KNF my fingers just did...

ok dhartmei@ cedric@


# 1.330 25-Feb-2003 cedric

repair/simplify/flexify binat userland.
ok dhartmei@ henning@


# 1.329 24-Feb-2003 henning

when a macro is redefined, don't bother with reusing the existing entry in
symset() but just prepend a new sym entry to symhead like we always did. as
symget searches the list sequentially, the newest one is picked first.
prevents an endless loop introduced when trying to reuse the existing entry
by an invalid setting for the next pointer.
fixes regress test pf57.

found after conversation with Chris Linn, celinn at mtu dot edu

ok dhartmei@ cedric@


# 1.328 21-Feb-2003 henning

re-allow set loginterface none
ok cedric@ dhartmei@


# 1.327 21-Feb-2003 henning

better error message if set loginterface is called with nonexistent
interface, found by krause (who is doing EXCELLENT work. Thank you very
much!), fix by me, ok dhartmei@ and cedric@


# 1.326 20-Feb-2003 henning

reject nonexistent interfaces in the dynaddr case, noticed during discussion
with jasondixon at myrealbox dot com

ok dhartmei@


# 1.325 19-Feb-2003 dhartmei

Make 'from (kue0)/24' work again (dynamic interface name translation with
a /prefix), reported by Jason Dixon. ok henning@


# 1.324 19-Feb-2003 henning

better error message on icmp version / address family mismatch

ok markus@


# 1.323 18-Feb-2003 henning

fix load option handling (-A, -N, -R) for options.
due to a bug in the loadopt check options were always loaded no matter which
loadopts were specified.
while being there, move the prints for that to where they belong, into the
appropriate pfctl_set_* functions, and thus only print when the options are
actually loaded.
fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier.

ok dhartmei@


# 1.322 17-Feb-2003 henning

"optarg" was a bad pick for the variable name in pfctl_cmdline_symset, it
shadows a global. rename.


# 1.321 17-Feb-2003 mpech

-#include <sys/ioctl.h>

mcbride@, dhartmei@ ok


# 1.320 16-Feb-2003 henning

unneeded {}


# 1.319 16-Feb-2003 henning

throw a syntax error if the portunary operator in varset is no '='
extif>"whatever"
should not be the same as
extif="whatever"
but a syntax error.


# 1.318 14-Feb-2003 dhartmei

Allow route-to loopback interfaces again, since Ryan fixed the loops that
might have occurred before.


# 1.317 14-Feb-2003 cedric

Better and more consistent error message.
Ok dhartmei@


# 1.316 13-Feb-2003 henning

ease the yacc a bit by using a "not" rule instead of having two rules w/ and
without '!' everywhere

ok dhartmei@


# 1.315 12-Feb-2003 henning

KNF after ryan


# 1.314 12-Feb-2003 mcbride

Simplify the code and make the parser handle the different rule types
more consistently.

- Merge expand_nat and expand_rdr into expand_rule
- Merge rdrrule token into natrule

ok concept henning@
ok dhartmei@


# 1.313 11-Feb-2003 henning

allow macro definition on the command line:
pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea
theo), very handy if your notebook has another NIC at some conference, as
well as for debugging etc.
idea rezine@mistrusted.net via pb@
hacked live at FOSDEM

ok pb@ dhartmei@ cedric@


# 1.312 09-Feb-2003 henning

more live code from FOSDEM:
make
pass in proto tcp to port 80
work.
-allow to omit the "any" if you're specifying a port
-allow to omit the from or to part if you want "any" for the other

ok dhartmei@ pb@


# 1.311 09-Feb-2003 henning

KNF


# 1.310 09-Feb-2003 camield

Fix a few warnings and remove unnecessary check and cast.

ok dhartmei henning


# 1.309 08-Feb-2003 dhartmei

Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@


# 1.308 05-Feb-2003 cedric

Fix "pass out dup-to (tun0 1.1.1.1) inet6 all" error message
Allow "pass out dup-to tun0 all"
ok mcbride@ henning@


# 1.307 05-Feb-2003 mcbride

Set the network mask to all 1's if no address is specified for a
route-to/dup-to/reply-to rule. Keeps round-robin from incrementing through
the entire address space.

ok dhartmei@


# 1.306 03-Feb-2003 deraadt

pretty


# 1.305 03-Feb-2003 dhartmei

Don't allow loopback interfaces as route/reply/dup-to targets. ok henning@


# 1.304 03-Feb-2003 cedric

remove loadopt global definition and cleanup a bit.
ok henning@


# 1.303 03-Feb-2003 henning

fix a problem with queue definitions when load options (like -N etc) are
given; they used to check for their parent interface/queue even in this
case.

ok dhartmei@ cedric@


# 1.302 02-Feb-2003 henning

there is no need to pass opts to parse_rules explicitly; it's passed as
part of the struct pfctl.


# 1.301 27-Jan-2003 deraadt

KNF


# 1.300 25-Jan-2003 mcbride

Match changes for rdr port ranges made to pf.c:
- fixes behaviour of rdr on le0 from foo to bar port 1:20 -> (lo0) port 22
- makes calculated mapping more explicit for the -> (lo0) port 22:* case

testing from dhartmei@

ok dhartmei@


# 1.299 25-Jan-2003 cedric

Fix NOACTION with table statements.


# 1.298 25-Jan-2003 cedric

Permit initialisation of a table content from a file in pf.conf.
Cleaning up of the table options parsing, more flexible.
idea+cleanup deraadt@, ok dhartmei@, pass all regress tests.


# 1.297 25-Jan-2003 cedric

Correctly check illegal constructs with tables. Better error messages.
ok dhartmei@ pass all regress tests.


# 1.296 25-Jan-2003 henning

if a table name is too long, it's actually nice to tell so instead of just
aborting with a syntax error


# 1.295 20-Jan-2003 camield

Remove unused argument from print_name() and fix two other nits
found by lint.

ok henning


# 1.294 19-Jan-2003 camield

Spin off label string expansion into a separate function. Clarifies
and tightens all expand_label functions.

ok dhartmei henning


# 1.293 18-Jan-2003 henning

KNF after ryan...


# 1.292 18-Jan-2003 mcbride

Add missing token string and assignment to make static-port work for real.

Diff and report courtesy of mpech@ and form@

ok dhartmei@


# 1.291 17-Jan-2003 camield

bandwith -> bandwidth

YYERROR on failed parseicmpspec()

ok dhartmei mcbride henning


# 1.290 15-Jan-2003 mpech

Typo in yyerror().

henning@


# 1.289 14-Jan-2003 henning

unified IP parser:
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h]
-extend host() to handle /mask itself, plus minor adjustments
-use that in pfctl_table.c instead of coding the same shit again

discussed w/ cedric@
ok cedric@ dhartmei@


# 1.288 13-Jan-2003 camield

err() on all memory allocation failures

ok henning dhartmei


# 1.287 11-Jan-2003 mcbride

Whitespace KNF


# 1.286 09-Jan-2003 henning

no need for explicit numbering in enums

ok dhartmei@


# 1.285 09-Jan-2003 dhartmei

Check return values on the remaining strlcpy/strlcat. ok henning@


# 1.284 09-Jan-2003 henning

minor KNF


# 1.283 09-Jan-2003 cedric

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@


# 1.282 08-Jan-2003 deraadt

check more strlcpy; camield@


# 1.281 07-Jan-2003 dhartmei

Allow underscore at the beginning of strings, fixes
pass all user _spamd
which was refused as syntax error before. Reported by Joe Nall.
ok henning@


# 1.280 07-Jan-2003 dhartmei

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@


# 1.279 06-Jan-2003 mcbride

Fix some oversights with address pools for route-to/dup-to/reply-to
- copy key for src-hash
- copy pool type (pools were being set to round-robin in all cases)

+ some minor knf.

ok dhartmei@


# 1.278 05-Jan-2003 henning

err after calloc failure, not errx


# 1.277 05-Jan-2003 dhartmei

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@


# 1.276 04-Jan-2003 dhartmei

move noroute from flag in pf_rule_addr into type in pf_addr_wrap.
ok henning@, mcbride@


# 1.275 04-Jan-2003 deraadt

I do not know where this policy of "one .h file for every .c file" comes
from, but whoever thought of it is stupid.


# 1.274 03-Jan-2003 dhartmei

whitespace KNF (no, i don't touch the option inits)


# 1.273 03-Jan-2003 cedric

Bring in userland code for accessing PF radix tables.
ok dhartmei@ mcbride@


# 1.272 02-Jan-2003 mcbride

Require a direction to be specified for rules which do routing.

ok dhartmei@ henning@


# 1.271 30-Dec-2002 mcbride

Change ipv6-icmp-type to icmp6-type. pf.conf files will need to be adjusted
to reflect this.

ok dhartmei@ henning@


# 1.270 27-Dec-2002 mcbride

Since pf_norm.c looks at rule.log to see if it should log packets being
dropped due to scrub violations, this adds the ability to set this in
pf.conf.

ok henning@


# 1.269 21-Dec-2002 henning

always initialize rpool.key; diff from Frank Denis; KNF by me


# 1.268 21-Dec-2002 henning

KNF


# 1.267 20-Dec-2002 dhartmei

remove a redundant assignment.


# 1.266 19-Dec-2002 dhartmei

fix 'no rdr'.


# 1.265 18-Dec-2002 henning

more KNF


# 1.264 18-Dec-2002 dhartmei

proto list expansion is not supported in binat-anchor yet, print an error
when attempted.


# 1.263 18-Dec-2002 dhartmei

Support (single) destination port in rdr-anchor rules. Print an error
where parameters are not supported (in rdr-anchor and binat-anchor) yet.
If those are needed, we'll have to expand them properly.


# 1.262 18-Dec-2002 deraadt

fix some INCREDIBLE new bugs which were introduced


# 1.261 17-Dec-2002 henning

add support for the PRIQ scheduler

partially from kjc@

ok kjc@ dhartmei@


# 1.260 17-Dec-2002 mcbride

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule

ok dhartmei@ henning@


# 1.259 17-Dec-2002 henning

missing break in switch


# 1.258 17-Dec-2002 henning

beautify the %type block


# 1.257 17-Dec-2002 henning

PRIQ and HFSC support functions, not yet used.
mostly from kjc@ with adjustments by me.

ok theo ryan daniel


# 1.256 16-Dec-2002 henning

only create a root queue if scheduler = cbq


# 1.255 16-Dec-2002 henning

get full [scheduler]_opts struct instead of just .flags, and wrap it into a
switch (scheduler) statement in one case

inspired by kjc@


# 1.254 13-Dec-2002 henning

allow a second queue for higher-prioritized (currently: tos=lowdelay) packets
to be specified per rule

queue (qname, priorized_qname)

idea dhartmei
ok dhartmei@ frantzen@ deraadt@


# 1.253 13-Dec-2002 henning

a bit KNF originally part of another diff soon to come; frantzen@ correctly
pointed out that it should be a separate commit.


# 1.252 13-Dec-2002 deraadt

permit re-ordering of some scrub parameters, and also clean up some other
grammar baloney; henning ok


# 1.251 12-Dec-2002 henning

KNF


# 1.250 12-Dec-2002 henning

we don't need to keep a private copy of the queue name in expand_rule,
r->qname is never modified

discussed with dhartmei@


# 1.249 11-Dec-2002 mcbride

Replace strncpy + ugly pointer math with sscanf for reading source-hash keys

ok dhartmei@ henning@


# 1.248 09-Dec-2002 dhartmei

(properly guarded) strcpy() -> strlcpy()


# 1.247 09-Dec-2002 deraadt

do not allow redefinitions in variable option blocks; henning ok


# 1.246 08-Dec-2002 henning

strncpy is evil.


# 1.245 08-Dec-2002 henning

allow flexible options order like Theo did for rules.

idea, lots of input, motivation and ok deraadt@

ATTENTION:
this changes the syntax. the "scheduler" keyword is gone now.
old: altq on $interface scheduler cbq ...
new: altq on $interface cbq ...


# 1.244 07-Dec-2002 dhartmei

Support parameters in anchor rules. Allows conditional evaluation, like:

anchor spews inet proto tcp from any to any port smtp

ok deraadt


# 1.243 07-Dec-2002 henning

more KNF


# 1.242 07-Dec-2002 henning

KNF


# 1.241 07-Dec-2002 henning

shadow cleanup

ok mcbride@ frantzen@


# 1.240 07-Dec-2002 henning

kill an unused param to lungetc


# 1.239 07-Dec-2002 mcbride

Convert the hash of a string key to network byte order. Makes regression
work on all platforms.

Bug found by dhartmei@

ok dhartmei@ henning@


# 1.238 06-Dec-2002 dhartmei

Remove negated address list check again, doesn't work right yet.


# 1.237 06-Dec-2002 dhartmei

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@


# 1.236 05-Dec-2002 henning

fix a small cosmetic problem. if ifa_lookup was called in LOOKUP_NET mode,
it would return things like 127.0.0.1/8. when 127.0.0.1/8 is passed through
the new selftests, it becomes 127.0.0.0/8.
fix: instead of just copying addr.mask in ifa_lookup, use set_ipmask, so it
is 127.0.0.0/8 from the beginning on.


# 1.235 05-Dec-2002 henning

-quote varset in -v output
-don't add 's' in set timeout -v output

makes the feedback regression tests succeed.

ok markus@ mcbride@


# 1.234 04-Dec-2002 henning

in host(), apply a given netmask to all members of the node_host list
returned by ifa_lookup().

reported by Alejandro G. Belluscio

ok dhartmei@


# 1.233 04-Dec-2002 deraadt

do not warn for unused variables except with -v -v; henning ok


# 1.232 02-Dec-2002 henning

KNF


# 1.231 02-Dec-2002 deraadt

permit more flexible pass/block lines. the options given at the end of
a line can now be placed in any order, and some merging of duplicate options
is also done. this is easier to use.


# 1.230 02-Dec-2002 henning

allow for "altq on $interface" without specifying a bandwidth. The
interface's bandwidth is taken then.
as a side-effect, "altq on $interface bandwidth xx%" is also possible now,
it's relative to the interface's bandwidth then.

ok theo


# 1.229 30-Nov-2002 mickey

move damn unmask() proto into place as well


# 1.228 29-Nov-2002 henning

coredumps are not nice.
deal with the fact that when we are merging the lists in host_list both can
be NULL.
found at EuroBSDCon 2002 while I was explaining the expansion process to
Paul de Weerd

ok dhartmei@


# 1.227 29-Nov-2002 henning

print queuespec only once in verbose mode, even if referenced more often


# 1.226 29-Nov-2002 henning

FREE_LIST nqueues later; can be used more than once


# 1.225 28-Nov-2002 henning

allow qlimit on altq spec


# 1.224 28-Nov-2002 mcbride

- Adjust to match replacement of md5 with pf_hash
- Allow keys to be specified in hex (must be 128 bits, mainly to make
pfctl -v output parseable by pfctl) or as a string. Randomly generate key
if one is not specified.

Suggestions and fixes from camield@

ok mickey@ camield@ henning@


# 1.223 27-Nov-2002 henning

handle the "no bandwidth specified" case earlier and easier.


# 1.222 27-Nov-2002 henning

-use a #define for default qlimit instead of hardcoding it
-print qlimit in print_queue if it is not the default one
-assign the default qlimit early in the parser instead of using 0


# 1.221 27-Nov-2002 henning

next round in print fixes:
-only print priority if it is not equal to the default one
-space handling overhaul


# 1.220 27-Nov-2002 henning

use a #define for default priority instead of hardcoding it


# 1.219 27-Nov-2002 henning

fix tbrsize spec


# 1.218 27-Nov-2002 henning

fix error message for altq ifspec without child queues


# 1.217 26-Nov-2002 henning

make bandwidth specification on queue truly optional


# 1.216 26-Nov-2002 henning

queue comes before NAT


# 1.215 25-Nov-2002 henning

repair decide_address_family
you cannot just take the first address family you meet as rule's address
family... either all are equal, or the rule has no explicit AF.

found by danh@
ok theo


# 1.214 25-Nov-2002 mickey

for loN and link1 translate the iface into address properly; henning@ ok


# 1.213 25-Nov-2002 henning

1Kb = 1000b, not 1024; as discussed with kjc@ and theo


# 1.212 25-Nov-2002 henning

KNF


# 1.211 24-Nov-2002 pb

enforce that queue comes right before filtering
'options, normalization, translation, queue, filter' now

henning@ ok


# 1.210 24-Nov-2002 dhartmei

Cosmetics and removal of a redundant code block.


# 1.209 23-Nov-2002 deraadt

sigh


# 1.208 23-Nov-2002 henning

KNF


# 1.207 23-Nov-2002 henning

better error checking in expand_queue


# 1.206 23-Nov-2002 henning

easier


# 1.205 23-Nov-2002 mcbride

Daniel's diff to untangle my mess with ifa_pick_ips like so:

- add decide_address_family() which runs through the list to find hosts
with the af set
- replace ifa_pick_ips with remove_invalid_hosts() which removes hosts with
the wrong address family from the list

from/ok dhartmei@


# 1.204 23-Nov-2002 henning

better error checking, round 1
this time in expand_altq


# 1.203 23-Nov-2002 henning

KNF


# 1.202 23-Nov-2002 deraadt

KNF


# 1.201 23-Nov-2002 dhartmei

$$->ifname is NULL, leave it NULL, don't $$->ifname[0] = 0;


# 1.200 23-Nov-2002 mcbride

Fix brokenness in parse.y, clean up:
- remove requirement for ( ) in route-to ( if )
- calloc route_host
- initialise route_host->next
- globally convert malloc to calloc

ok dhartmei@


# 1.199 23-Nov-2002 mcbride

code to support loading of pf rules with multiple redirection addresses
(in nat, rdr, route-to, dup-to and reply-to)

Syntax looks like this, see pf.conf(5) for details:

nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
192.168.0.16/29 source-hash random

rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
{ 192.168.0.8/31, 192.168.0.15 } port 22 round-robin

ok dhartmei@ henning@


# 1.198 22-Nov-2002 henning

print altq and queue lines in the pfctl -v case including the child queue
assignment


# 1.197 19-Nov-2002 henning

only take cbq opts from schedtype if type=CBQ


# 1.196 19-Nov-2002 henning

repair queuespec syntax glitch, theo agrees


# 1.195 19-Nov-2002 henning

default priority is 1, not 0
found by pb@


# 1.194 19-Nov-2002 camield

- match 'Gb' case-sensitively
- match "%" unit only, not "%crap"

ok henning@
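The unit rules in 1.213 (1Kb = 1000b, not 1024), 1.194 ('Gb' matched case-sensitively, "%" accepted only as a complete unit, not "%crap") and 1.230 (a percentage is relative to the interface's bandwidth) describe the bandwidth spec's lexical contract. The parser below is an added example written for this page, not code from pfctl's parse.y; the struct and function names are this example's own, and treating a bare number as bits per second is its assumption.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Parsed bandwidth: an absolute rate in bits per second (1Kb = 1000b, not
 * 1024) or a percentage of the interface's bandwidth. Example-only type. */
struct bwspec {
	uint64_t	bw_absolute;
	uint16_t	bw_percent;
	int		bw_relative;	/* 1 when the spec was a percentage */
};

/*
 * Parse "<number>[b|Kb|Mb|Gb|%]". Units are matched case-sensitively and
 * must end the string, so "2gb" and "50%crap" are rejected rather than
 * silently taken as something else. A bare number is taken as bits per
 * second (this example's assumption). Returns 0 on success, -1 on error.
 */
int
parse_bandwidth(const char *s, struct bwspec *bw)
{
	char		*end;
	unsigned long	 n;

	memset(bw, 0, sizeof(*bw));
	if (s == NULL || !isdigit((unsigned char)*s))
		return (-1);
	n = strtoul(s, &end, 10);
	if (*end == '\0' || strcmp(end, "b") == 0)
		bw->bw_absolute = n;
	else if (strcmp(end, "Kb") == 0)
		bw->bw_absolute = (uint64_t)n * 1000;
	else if (strcmp(end, "Mb") == 0)
		bw->bw_absolute = (uint64_t)n * 1000 * 1000;
	else if (strcmp(end, "Gb") == 0)
		bw->bw_absolute = (uint64_t)n * 1000 * 1000 * 1000;
	else if (strcmp(end, "%") == 0) {
		if (n > 100)	/* more than the whole interface makes no sense */
			return (-1);
		bw->bw_percent = (uint16_t)n;
		bw->bw_relative = 1;
	} else
		return (-1);
	return (0);
}

/* Absolute rate in bits per second; 0 when the spec is invalid or relative. */
uint64_t
bandwidth_bits(const char *s)
{
	struct bwspec bw;

	if (parse_bandwidth(s, &bw) == -1 || bw.bw_relative)
		return (0);
	return (bw.bw_absolute);
}

/* Percentage of interface bandwidth; -1 when invalid or not a percentage. */
int
bandwidth_percent(const char *s)
{
	struct bwspec bw;

	if (parse_bandwidth(s, &bw) == -1 || !bw.bw_relative)
		return (-1);
	return (bw.bw_percent);
}
```

The strict suffix match is the point: a tolerant `strncmp` on the unit would accept "50%crap" or "2gb", and a ruleset author would get a queue sized very differently from what they wrote without any error.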


# 1.193 19-Nov-2002 wilfried

icmp-type was off by one, ok henning@


# 1.192 18-Nov-2002 deraadt

no; do not use };


# 1.191 18-Nov-2002 henning

more using strl* return values instead of strlen calls


# 1.190 18-Nov-2002 henning

easier "queue name too long" detection; from theo


# 1.189 18-Nov-2002 deraadt

KNF


# 1.188 18-Nov-2002 deraadt

KNF


# 1.187 18-Nov-2002 henning

altq and pf merged

this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documentation yet, but committing now
enables a few more people to work on.

print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.

"commit now" theo philipp daniel


# 1.186 13-Nov-2002 henning

as scrub rules end up in a struct pf_rule just call expand_rule instead of
handcrafting this.
has quite a few positive side effects:
-interface list expansion works (fries@ asked for that)
-can specify address family, very helpful with dynamic interface expansion
(pointed out by daniel)
-src/dst ip/port list expansion works
-fixes a long standing, scary, though never noticed bug:
scrub out on lo1 from any to 10.0.0.1
expanded to
scrub out on lo1 all
... this bug was there from day #1.

"sneaky diff of the month award" dhartmei@


# 1.185 13-Nov-2002 dhartmei

Add label macro $if, as we support {} list expansion for interfaces now.
From David Gwynne. ok henning@, camield@


# 1.184 13-Nov-2002 dhartmei

Initialize tail pointer to node, found by fries@


# 1.183 08-Nov-2002 henning

init buf to NULL just in case...
there isn't a single codepath where it can remain uninitialized, but this
might prevent a stupid bug if we change something later


# 1.182 07-Nov-2002 henning

move the ifa_exists block a bit up in host()
inspired by mpech@ pointing out a missing free(buf). so handle the
it-is-an-interface case where we don't need the buf before allocating memory.


# 1.181 04-Nov-2002 henning

welcome to CIDR world, pfctl!

use inet_net_pton to parse IP addresses.
stuff like
block in from 10/8 to any
works now.

some input camield@ and dhartmei@

ok dhartmei@, camield@, mcbride@


# 1.180 02-Nov-2002 dhartmei

%i -> %d, matches the style of existing code, from millert@


# 1.179 02-Nov-2002 dhartmei

printf int with %i, not %u. from pilot@monkey.org.


# 1.178 30-Oct-2002 henning

simplify


# 1.177 30-Oct-2002 henning

fix interface expansion. since the reversed list expansion code was
committed this was broken, only the first IP address was returned.

pointed out by danh@, who sent an excellent bug report.

ok dhartmei@


# 1.176 29-Oct-2002 henning

introduce
set require-order [yes|no]
default is yes.
with set to "no", it isn't required to have the rules in order (options,
scrub, nat, filter) any more, though of course NATing still happens before
filtering and so on, so one has to take care.

ok camield@ mcbride@ dhartmei@
idea discussed with a whole lotta more people and basically ok for everyone ;-)


# 1.175 27-Oct-2002 henning

remove the "flags X" syntax.
no one who wrote "flags S" meant that, but actually something like "flags
S/SA". with "flags S" changing its actual meaning as more flags got
supported, things got worse.

ok dhartmei@, pb@


# 1.174 22-Oct-2002 mpech

%ul -> %lu

dhartmei@ ok


# 1.173 22-Oct-2002 mcbride

More conversion of "int af" and "u_int8_t af" declarations and function
arguments to the more correct and descriptive "sa_family_t af"

ok dhartmei@ henning@


# 1.172 22-Oct-2002 camield

Rename ipmask to set_ipmask and add some functionality: the netmask
is applied immediately to the address.

This way, the parsed rules output shows exactly which bits of an
address are significant for a match and errors due to wrong netmasks
can be spotted more easily.

Example:
$ pfctl -nvf -
pass in on lo0 from 172.17.0.0/12 to any
@0 pass in on lo0 inet from 172.16.0.0/12 to any

idea refined by dhartmei@
ok frantzen@ henning@


# 1.171 17-Oct-2002 mcbride

These checks are also made in nat_consistent() and rdr_consistent().

ok dhartmei@ henning@


# 1.170 17-Oct-2002 camield

- accept all protocols that are specified by number if they are in
the valid range (also when they're not listed in /etc/protocols)
- explicitly disallow protocol number 0, because it has special meaning
to pf

ok dhartmei@ henning@


# 1.169 16-Oct-2002 mpech

Fix and improve binat mask comparison.

dhartmei@, henning@ ok


# 1.168 14-Oct-2002 henning

Allow one to specify a netblock in a binat rule:

binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27

Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.

from ryan

ok dhartmei@
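Two of the netmask behaviours described above, 1.172 (set_ipmask applies the mask immediately, so a wrongly written 172.17.0.0/12 is shown as 172.16.0.0/12) and 1.168 (binat netblocks with equal masks combine the redirect block's network part with the source host's host part), as an added example in plain C. It is not pfctl's own code; the function names, the ADDR_INVALID sentinel and the IPv4-only scope are this example's assumptions.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>

/* Sentinel for "no valid result": 255.255.255.255 is never a usable target. */
#define ADDR_INVALID 0xffffffffU

/* IPv4 netmask in host byte order for a prefix length of 0..32. */
static uint32_t
prefix_mask(int bits)
{
	if (bits <= 0)
		return (0);
	if (bits >= 32)
		return (0xffffffffU);
	return (0xffffffffU << (32 - bits));
}

/* Dotted quad -> host byte order, or ADDR_INVALID if it does not parse. */
static uint32_t
parse_v4(const char *s)
{
	struct in_addr ia;

	if (s == NULL || inet_pton(AF_INET, s, &ia) != 1)
		return (ADDR_INVALID);
	return (ntohl(ia.s_addr));
}

/*
 * set_ipmask behaviour: apply the mask to the address right away, so the
 * parsed rule shows exactly which bits take part in a match.
 * Returns the masked address, or ADDR_INVALID on bad input.
 */
uint32_t
masked_addr(const char *addr, int bits)
{
	uint32_t a = parse_v4(addr);

	if (a == ADDR_INVALID || bits < 0 || bits > 32)
		return (ADDR_INVALID);
	return (a & prefix_mask(bits));
}

/* 1 if the mask drops host bits (the netmask mistake 1.172 makes visible),
 * 0 if the address already is a network address, -1 on bad input. */
int
mask_drops_bits(const char *addr, int bits)
{
	uint32_t a = parse_v4(addr), m = masked_addr(addr, bits);

	if (a == ADDR_INVALID || m == ADDR_INVALID)
		return (-1);
	return (a != m);
}

/*
 * binat netblock mapping: both masks must be equal, and a host inside the
 * source block maps to the redirect block's network part combined with the
 * host's own host part. Returns ADDR_INVALID when the masks differ, the
 * host lies outside the source block, or any input is malformed.
 */
uint32_t
binat_map(const char *src_net, int src_bits, const char *rdr_net,
    int rdr_bits, const char *host)
{
	uint32_t s = parse_v4(src_net), r = parse_v4(rdr_net);
	uint32_t h = parse_v4(host), m;

	if (src_bits != rdr_bits || src_bits < 0 || src_bits > 32)
		return (ADDR_INVALID);
	if (s == ADDR_INVALID || r == ADDR_INVALID || h == ADDR_INVALID)
		return (ADDR_INVALID);
	m = prefix_mask(src_bits);
	if ((h & m) != (s & m))
		return (ADDR_INVALID);
	return ((r & m) | (h & ~m));
}

/* Print an address held in host byte order as a dotted quad. */
static void
print_addr(const char *label, uint32_t a)
{
	struct in_addr	ia;
	char		buf[INET_ADDRSTRLEN];

	ia.s_addr = htonl(a);
	printf("%s %s\n", label, inet_ntop(AF_INET, &ia, buf, sizeof(buf)));
}

int
main(void)
{
	/* The 1.172 example: 172.17.0.0/12 is really 172.16.0.0/12. */
	print_addr("172.17.0.0/12 ->", masked_addr("172.17.0.0", 12));
	/* binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27 */
	print_addr("192.168.0.40 ->",
	    binat_map("192.168.0.32", 27, "10.0.7.128", 27, "192.168.0.40"));
	return (0);
}
```

Running it prints 172.16.0.0 for the first line and 10.0.7.136 for the second: host bits 8 of 192.168.0.40 are carried over into the 10.0.7.128/27 block.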


# 1.167 11-Oct-2002 camield

When a macro cannot be expanded because it is not defined, say so. Also warn
about unused macros.

ok dhartmei@ henning@


# 1.166 11-Oct-2002 camield

In lgetc(), compress strings of whitespace to a single space. This makes
macros come out right in verbose mode and is less functional overhead.

Also err on whitespace after a backslash. That type of error is hard to
find otherwise.

ok dhartmei@ henning@


# 1.165 08-Oct-2002 vincent

remove <0 checks on unsigned numbers.

ok henning@


# 1.164 07-Oct-2002 dhartmei

-Wsign-compare clean


# 1.163 07-Oct-2002 dhartmei

Two cases of const-correctness and make one global local.


# 1.162 07-Oct-2002 henning

set block-policy [drop|return]
drop is default, same behaviour as before

support
block drop
to override a return policy


# 1.161 07-Oct-2002 henning

support a generic return
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else

ok dhartmei@


# 1.160 07-Oct-2002 henning

make return-icmp work for rules covering both v4 and v6
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)

ok and some input dhartmei@


# 1.159 07-Oct-2002 henning

use a new rule_flag PFRULE_RETURNICMP to decide whether to return-icmp or not
instead of just testing return_icmp > 0

ok dhartmei@


# 1.158 07-Oct-2002 dhartmei

Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.


# 1.157 06-Oct-2002 dhartmei

Move CHECK_ROOT into LOOP_THROUGH, gets rid of one macro and saves
several lines, no functional difference. From Camiel Dobbelaar.


# 1.156 05-Oct-2002 dhartmei

Expand {} lists from left to right, so 'pass in from { a, b } to any'
becomes '@0 pass in from a to any @1 pass in from b to any' instead of
the other way around. Patch from Camiel Dobbelaar.


# 1.155 05-Oct-2002 dhartmei

Allow filtering based on IP header's tos field.


Revision tags: OPENBSD_3_2_BASE
# 1.154 22-Sep-2002 henning

little KNF: return(something) -> return (something)


# 1.153 22-Sep-2002 henning

fix linenumber counting in findeol, and simplify by ignoring the \ case,
that's already handled earlier.
fast-forward on erroneous lines

partially from camield@, parts result of a discussion with Mike

ok frantzen@ dhartmei@


# 1.152 22-Sep-2002 henning

antispoof, take 2.
also block incoming packets with our own IP as src.

discussion & help frantzen

ok ho@ dhartmei@ frantzen@


# 1.151 17-Sep-2002 henning

easier "self" implementation.
no functional changes

ok pb@


# 1.150 15-Sep-2002 henning

set a netmask in the dynaddr case
noticed by <han@mijncomputer.nl>

ok pb@


# 1.149 14-Sep-2002 henning

bit more clue in rdr/nat rules wrt address family examination
don't take the af from host_node structs based on interface lookups, most
interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will
at least have one IP address specified from which we take the af for the
whole rule. The rare exceptional cases require the user to specify the af.

ok frantzen@


# 1.148 12-Sep-2002 henning

check for calloc() failure; ho@


# 1.147 12-Sep-2002 henning

antispoof [log] [quick] for [interface|interface_list] [af]

e. g.

antispoof log quick for { dc0, dc1 } inet

docs & regress coming

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@
IPv6 help itojun@

finally, a long story finds its happy end here.


# 1.146 12-Sep-2002 henning

rework netmask handling:
-don't set netmask in host token handler
-clear netmask in ipmask() proper before setting it
-in ifa_load(), also store interface's netmask and broadcast address
-allow ifa_lookup() to return either the interface's IP address(es), network(s)
or broadcast address(es) - not used anywhere yet. This implies that
ifa_lookup() also returns the netmask now.
-host() returns netmasks, too

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@


# 1.145 08-Sep-2002 henning

be more clueful wrt address family in nat/rdr rules.
behaviour noticed by Paul de Weerd, thanks!

ok dhartmei@


# 1.144 02-Sep-2002 dhartmei

Fix parsing of port ranges in translation rules (port a:b -> port c:d).
ok henning@


# 1.143 02-Sep-2002 dhartmei

Make sure the interface specified with route-to/dup-to/fastroute exists
and null-terminate the interface name. Found by Michael Wallis.
ok henning@


# 1.142 20-Aug-2002 dhartmei

Increase lineno on newlines inside multi-line macro definitions, otherwise
errors on subsequent lines are reported with wrong line numbers.
From Paul B. Henson.


# 1.141 16-Aug-2002 henning

kill duplicated check for '(' and ')' in allowed_in_string


# 1.140 12-Aug-2002 dhartmei

Catch null pointer deref (segfault), from wilfried@


# 1.139 06-Aug-2002 henning

missing free(), mpech@
ok pb@


# 1.138 06-Aug-2002 henning

check for strdup() allocation errors

pointed out by mpech@
ok pb@


# 1.137 31-Jul-2002 henning

KNF, esp. missing prototypes


# 1.136 30-Jul-2002 henning

grmpf.
in some cases, on non-tcp rules flags weren't reset. cosmetic-only
problem. but, well, checking for r->flags and r->flagset if we could have
assigned them zero just one round ago is just stupid, and it's not needed to
check them at all.

ok pb@, dhartmei@


# 1.135 30-Jul-2002 henning

allow to specify flags on all rules that include tcp.

these are valid:

pass in from any to any flags S
pass in proto { tcp, udp, icmp } from any to any flags S
pass in proto tcp from any to any flags S

these are invalid:

pass in proto { udp, icmp } from any to any flags S
pass in proto udp from any to any flags S

ok "I've lost my slacker status for at least a week" frantzen@
ok pb@, dhartmei@, deraadt@


# 1.134 26-Jul-2002 henning

make the order of log and quick irrelevant. now both
block in log quick all
and
block in quick log all
work.

ok dhartmei@, deraadt@


# 1.133 23-Jul-2002 henning

timeout_list/_spec and limit_list/_spec don't return anything -> no %type.

ok theo


# 1.132 21-Jul-2002 deraadt

fix route-to also


# 1.131 21-Jul-2002 deraadt

make the , optional in many places. This makes string concat a lot more
useful. Now you can
in = ssh domain www
out = $in ftp finger
pass in proto tcp from any to any port { $in }
pass out proto tcp from any to any port { $out }
a poor example, but the idea is obvious


# 1.130 21-Jul-2002 deraadt

string concat, ie.
a=a b
c=$a $a


# 1.129 20-Jul-2002 deraadt

minor indent tweaks


# 1.128 20-Jul-2002 deraadt

properly split yacc and lex use


# 1.127 19-Jul-2002 deraadt

minor tweaks, sigh


# 1.126 19-Jul-2002 dhartmei

And back out the last change again.


# 1.125 19-Jul-2002 henning

rework the interface lookup routines internals.
less and easier code than before.
no functional changes.

ok frantzen@, dhartmei@


# 1.124 19-Jul-2002 dhartmei

Support # comments at the end of lines and inside (multi-line) string
literals, so you can do things like

macro="{ foo, # first entry
bar, # second entry
baz }" # last entry

or

pass in on $ext_if \ # external interface
proto tcp \ # TCP connections
from any to $ext_if \ # to the gateway itself
keep state

And sneaking in two minor fixes for KNF.


# 1.123 19-Jul-2002 henning

deal with the fact that the struct node_host ifa_pick_ip gets is not always
the result of an interface expansion. in this case ifa_pick_ip does an
address family check (that's actually a (wanted) side effect). Thus, we need
to spit out a meaningful error message in case of a mismatch.
also adjust all the other error messages, they were also assuming that nh is
the result of an interface expansion.
after a looooong discussion on icb (dhartmei@, pb@, me) we agreed on the term
"translation address" for that.

okay dhartmei@


# 1.122 17-Jul-2002 henning

support "self" as address. self expands to all IPv4 and IPv6 addresses of
the machine, on all interfaces. I wanted
block in log on ! lo0 from any to self
for years, and now it's possible.

ok "I may lose my slacking status if I OK it" frantzen@
ok dhartmei@

documentation in pf.conf.5 to come with pb@'s rewrite


# 1.121 16-Jul-2002 dhartmei

Add nat_consistent() and rdr_consistent() for checks that should occur
after rule expansion, similar to rule_consistent(). Fixes the
non-effective test for rdr rules for non-TCP/UDP protocols with ports,
found by mpech@, ok frantzen@


# 1.120 15-Jul-2002 henning

add support for
pass|block on ! $interface ...

ok dhartmei@

will be documented in pf.conf(5) by "I'm not slacking!" pb@ who's currently
reworking this manpage


# 1.119 15-Jul-2002 pb

cosmetics/consolidations to manpage in yyerror()s

ok henning@, dhartmei@


# 1.118 15-Jul-2002 henning

o complain about keep state on block rules
o complain about return-rst on rules which aren't limited to tcp

pointed out by not-slacking-but-testing pb@

ok pb@, dhartmei@


# 1.117 13-Jul-2002 henning

add list expansion for interface and proto in nat rules and for proto in rdr
rules (interface was already there). since the nat.conf/pf.conf merge the
parser accepted these but didn't expand them. ugh.

ok dhartmei@


# 1.116 09-Jul-2002 itojun

check sin6_scope_id field, just in case we change the routing socket API
for scoped address (unlikely due to the deployed codebase...).


# 1.115 09-Jul-2002 itojun

getifaddrs(3) grabs link-local addrs in kernel internal form, convert them
into proper sockaddr_in6.


# 1.114 09-Jul-2002 henning

rework the interface-to-IP routines.

you can use interface names instead of an IP in most places. However, until
now, it was only expanded to the interface's first IPv4 address if existent
(and address family unset or inet) and the first IPv6 address otherwise.

this diff changes that. the interface is properly expanded to all IPs, IPv4
_and_ IPv6, now.

it also cleans up the lookup procedures (well, in fact, they are replaced by
a new one), there's no need for different procedures for IPv4 and IPv6. we
now just have one list of interfaces (AF_LINK) and one list with IPs
(AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and
ifa_lookup.

nat, rdr & friends now use the new function ifa_pick_ip to get the IP in
rules like

nat on $interface from $whatever to any -> $interface

ifa_pick_ip tries to be smart.
if the interface has only one IP address and the nat rule doesn't specify an
address family (or it matches with this address), take this one.
If the address family is specified in the nat rule and there is only one IP
for the given address family, this one is used. if the address family is not
specified and there is more than one IP pfctl throws an error. The same
applies for multiple IPs per address family.

This causes regression tests 18 and 20 to fail because the address family
isn't specified there; diff for those coming.

also fix some prototypes while I'm here.

pb@ found another problem while testing that we must have introduced somewhat
after 3.1.

$cat t
nat on ne3 from any to any -> 213.128.133.5
$pfctl -nvf t
nat on ne3 all -> ?

it's only a representation bug as far as I've checked, nonetheless it should
be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just
steal its target's IP af and set the rule's af accordingly. then inet_ntop
does play nice.
binat rules already enforce having an address family set always and thus are
not affected.

ok dhartmei@, pb@, kjell@
"It looks good" frantzen@
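The selection rule spelled out in 1.114 for ifa_pick_ip (one address and no rule af: take it; a rule af and exactly one address of that family: take it; more than one candidate without a family to disambiguate: refuse the rule) as an added example. This is not pfctl's code: the struct is a cut-down stand-in for pfctl's struct node_host, the sample interface expansions are constructed data, and the error strings are this example's own.

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>

/* Cut-down stand-in for pfctl's struct node_host: one address that an
 * interface name expanded to, tagged with its address family. */
struct node_host {
	int			 af;	/* AF_INET or AF_INET6 */
	const char		*addr;	/* textual address is enough here */
	struct node_host	*next;
};

/*
 * Pick the single address a translation target may use. With no address
 * family on the rule (rule_af == 0) the expansion must yield exactly one
 * address; with a family, exactly one address of that family. Otherwise
 * NULL is returned and *err says why the rule has to be refused instead
 * of silently picking one of several candidates.
 */
const struct node_host *
ifa_pick_ip(const struct node_host *list, int rule_af, const char **err)
{
	const struct node_host	*n, *found = NULL;
	int			 count = 0;

	for (n = list; n != NULL; n = n->next) {
		if (rule_af != 0 && n->af != rule_af)
			continue;	/* wrong family for this rule */
		found = n;
		count++;
	}
	if (count == 0) {
		*err = "translation address has no address of the rule's family";
		return (NULL);
	}
	if (count > 1) {
		*err = rule_af == 0 ?
		    "translation address expands to more than one address; "
		    "specify an address family" :
		    "translation address has more than one address for this "
		    "address family";
		return (NULL);
	}
	*err = NULL;
	return (found);
}

/* Constructed sample expansions (not real interface data): a dual-stack
 * interface and a single-address one. */
static struct node_host dual_v6 = { AF_INET6, "2001:db8::1", NULL };
static struct node_host dual_v4 = { AF_INET, "192.0.2.1", &dual_v6 };
static struct node_host single_v4 = { AF_INET, "198.51.100.1", NULL };

/* Convenience wrapper: the chosen address text, or NULL when refused. */
const char *
pick_addr(const struct node_host *list, int rule_af)
{
	const char		*err;
	const struct node_host	*n = ifa_pick_ip(list, rule_af, &err);

	return (n == NULL ? NULL : n->addr);
}
```

With the dual-stack list, `pick_addr(&dual_v4, 0)` returns NULL because the rule gives no family to choose by, while `AF_INET` or `AF_INET6` each select their one address; the single-address list is accepted with no family but refused for `AF_INET6`. That is the behaviour which made the two regression tests without a family fail, as the message notes.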


# 1.113 08-Jul-2002 dhartmei

Don't allow 'flags' option in non-TCP rules, found by mpech@


# 1.112 05-Jul-2002 henning

unbreak.


# 1.111 05-Jul-2002 henning

another small bug I found while installing a -current pf firewall.
we don't support

pass/block in on ! <interface>

(at least, not yet)
let the parser complain instead of ignoring the '!'

ok pb@, dhartmei@


# 1.110 01-Jul-2002 espie

streamline parse buffer handling (no need to copy value that is not
going to go away).

add explicit pushback buffer, to be able to push IPv6 failed parses back.

handle pushback + parse buffer interactions by using negative indices.

okay dhartmei@, deraadt@


# 1.109 01-Jul-2002 deraadt

KNF


# 1.108 28-Jun-2002 dhartmei

Don't check for address family conflicts in nat/rdr before expansion,
rules will expand to all valid combinations, and there's an error when
none is found. Makes "nat on tun0 from 10.0.0.0/8 to any -> (tun0)"
work (again).


# 1.107 25-Jun-2002 henning

move pfctl options -t, -m, -O and -l to pf.conf. These are set using the
"set" keyword. example rulefile:

set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all

fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@


# 1.106 24-Jun-2002 dhartmei

Use interface when specified in scrub rule. No support for ! or {} yet.


# 1.105 23-Jun-2002 deraadt

uid_t and gid_t are unsigned


# 1.104 20-Jun-2002 dhartmei

Copy address family from inet/inet6 keyword, if specified.


# 1.103 18-Jun-2002 frantzen

propagate a '!' when a host resolves to multiple IP addresses
ok dhartmei@


# 1.102 18-Jun-2002 frantzen

don't allow individual keep state rules to specify timeouts for 'interval' and
'frag' -- they aren't applied anyway
ok dhartmei@ and henning@


# 1.101 16-Jun-2002 aaron

Rules must in order -> Rules must be in order


# 1.100 15-Jun-2002 dhartmei

Reset rulestate in parse_rules(), so consecutive calls (like from authpf)
will not fail. Reported by Chris Kuethe.


# 1.99 13-Jun-2002 kjell

Fix the numbering of scrub rules. pointed out and oked by frantzen@


# 1.98 12-Jun-2002 kjell

Fix uninitialized access. Spotted by danh@ This is a good reason to
develop with "ln -s 'J' /etc/malloc.conf" enabled.
ok henning@


# 1.97 11-Jun-2002 frantzen

split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@. the rest are slacking


# 1.96 11-Jun-2002 frantzen

SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@


# 1.95 11-Jun-2002 dhartmei

Make NAT proxy port range configurable per rule, for instance privileged
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@


# 1.94 10-Jun-2002 kjell

Merge the NAT and rules files into a single rulefile. Rules must be
in this order, to remove any ambiguity about what order things happen in:

scrub rules
nat rules
filter rules

The -N and -R modifiers go away. Rulefiles are now loaded with the
more POSIXly-correct '-f'

ok frantzen@


# 1.93 10-Jun-2002 dhartmei

Allow ports to be specified in nat rules, useful later on for individual
proxy port ranges.


# 1.92 10-Jun-2002 dhartmei

Move enum out of struct (gcc 3.1 wasn't happy), from David Krause


# 1.91 10-Jun-2002 kjell

split scrub rule processing into its own yacc target,
for imminent config file merge. ok frantzen@


# 1.90 09-Jun-2002 dhartmei

Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it
includes ports and operator.


# 1.89 09-Jun-2002 deraadt

spaced out developers...


# 1.88 09-Jun-2002 kjell

Add list parsing in RDR rules: e.g.

rdr on $IFLIST proto tcp from $SRC_LIST to $DST_LIST port 21 \
-> 127.0.0.1 port 8021

ok dhartmei@


# 1.87 08-Jun-2002 henning

nuke unused parameter af to expand_label_port
ok dhartmei@, pb@


# 1.86 08-Jun-2002 dhartmei

Change remaining read-only lookup tables to const, suggestion drahn@


# 1.85 08-Jun-2002 itojun

comment on IPv6 link-local twists


# 1.84 08-Jun-2002 kjell

add list expansion to src/dest in NAT rules. i.e.

nat on fxp0 from { 10.0.0.0/24, 10.0.1.0/24 } to \
{ 172.6.1.1, 172.14.1.2/32 } -> fxp0

ok theo, dhartmei@


# 1.83 08-Jun-2002 henning

remove macro concatenation via += per Theo's advice


# 1.82 08-Jun-2002 henning

allow macro concatenation like
webservers = "{ 10.0.0.1, 10.0.0.7, 10.0.0.8, "
webservers += " 10.0.0.17, 10.0.0.25, 10.0.0.37 }"
ok frantzen@, dhartmei@


# 1.81 08-Jun-2002 dhartmei

Make state timeouts configurable per rule, like

pass in from any to any port www keep state (tcp.established 60)

ok frantzen@


# 1.80 08-Jun-2002 henning

expand $nr -> rule number in rule labels
okay dhartmei@, frantzen@


# 1.79 08-Jun-2002 henning

expand $proto in rule labels
okay frantzen@ dhartmei@


# 1.78 07-Jun-2002 dhartmei

Handle realloc() failure gracefully. Terminates with err() anyway in this
case, but we don't want to trigger "p = realloc(p," grepping causing false
alarms here.


# 1.77 07-Jun-2002 deraadt

henning, read this to see what i mean by KNF


# 1.76 07-Jun-2002 pb

add the possibility to configure a TTL while return-rst

ok dhartmei@, ipv6 part itojun@ ok


# 1.75 07-Jun-2002 dhartmei

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@


# 1.74 07-Jun-2002 henning

allow using $srcaddr, $srcport, $dstaddr and $dstport in rule labels,
evaluated at parse time.
ok dhartmei@


# 1.73 07-Jun-2002 itojun

make IPv6 scope identification work for dst (from any to fe80::1%lo0)


# 1.72 07-Jun-2002 itojun

support scoped IPv6 address in from/to portion.


# 1.71 01-Jun-2002 hugh

ECN flag support for pf. Committed in consultation with Daniel.


# 1.70 24-May-2002 dhartmei

Support mixed (IPv4/v6) address lists, expand to all possible and valid
combinations. 'pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }' will
expand to two rules, 'from 10.1.2.3 to 10.4.5.6' and 'from ::1 to ::2'.
Also applies to host name resolution (when multiple addresses are returned
for one name). ok frantzen@, itojun@


# 1.69 23-May-2002 deraadt

tiny KNF, some malloc checks, etc


# 1.68 23-May-2002 itojun

new_addr is not used from anywhere. daniel@benzedrine.cx ok


# 1.67 19-May-2002 deraadt

KNF


# 1.66 12-May-2002 dhartmei

Explain that user/group 'unknown' can only be used with operators = and !=
and refuse other constructs in the parser. Also note that 'user >= 0' does
not match forwarded packets with unknown user ID.


# 1.65 12-May-2002 dhartmei

Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.


# 1.64 10-May-2002 dhartmei

Handle host name resolution returning multiple addresses in the rule
parser (expand to every address). ok frantzen@


# 1.63 09-May-2002 jasoni

Add a max-mss option to the scrub rule which will enforce a maximum mss
by lowering it to the given value.
- ok dhartmei@, provos@


# 1.62 09-May-2002 dhartmei

Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.


# 1.61 24-Apr-2002 dhartmei

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).


# 1.60 23-Apr-2002 dhartmei

Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.


# 1.59 18-Apr-2002 deraadt

use strlcpy


# 1.58 17-Apr-2002 dhartmei

Reset lineno for each file, so pfctl -R ... -N ... reports the right
line number for non-first files. Reported by aaron@


Revision tags: OPENBSD_3_1_BASE
# 1.57 27-Mar-2002 mickey

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok


# 1.56 27-Feb-2002 dhartmei

Instead of printing useless @0 rule numbers from pfctl -vR, increase a
counter. Helps debugging rule sets that are not loaded. Suggested by
John Kerbawy.


# 1.55 11-Jan-2002 mickey

use bsearch() for keywords lookup, swap couple of entries to make the keywords array sorted and add a comment to keep it that way; dhartmei@ ok


# 1.54 10-Jan-2002 hugh

Let port 0 be specified as it's not special here.
Agreement with Daniel and others.


# 1.53 09-Jan-2002 mpech

Port must be >0 and <=65535. Idea while having fun with ssh.

dhartmei@ ok


# 1.52 09-Jan-2002 mpech

free() 'interface' in {nat,binat,rdr}rule

dhartmei@ ok


# 1.51 09-Jan-2002 dhartmei

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.


# 1.50 08-Jan-2002 dhartmei

Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.


# 1.49 07-Jan-2002 mpech

remove 3rd argument from ipmask(), not used.

dhartmei@ ok


# 1.48 23-Dec-2001 deraadt

find correct line number in lval, instead of val


# 1.47 10-Dec-2001 dhartmei

Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.


# 1.46 05-Dec-2001 dhartmei

Correctly parse hex numbers. Spotted by Claudio Jeker. Closes PR 2234.


# 1.45 03-Dec-2001 dhartmei

For nat, binat and rdr rules, don't allow different address families in
one rule. pf can't translate IPv4 <-> IPv6 packets. Such rules didn't work,
even if they were falsely accepted before.


# 1.44 26-Nov-2001 jasoni

add fastroute options similar to what is found in ipf
ok dhartmei@, frantzen@


# 1.43 05-Nov-2001 deraadt

no one responds.
this diff makes } and { not be part of symbols


# 1.42 24-Oct-2001 dhartmei

Check interface names using ifa0_lookup() and print error message for
non-existent interfaces (instead of the generic ioctl error returned by
the kernel in this case).


Revision tags: OPENBSD_3_0_BASE
# 1.41 15-Oct-2001 dhartmei

branches: 1.41.2;
Add 'allow-opts' to rules. Packets with IP options will be blocked by
default now, and can be allowed per rule. ok deraadt@


# 1.40 11-Oct-2001 frantzen

Don't htonl() past buffer bounds if ipmask == 128


# 1.39 07-Oct-2001 dhartmei

Add interface name to address translation to pfctl, document it and add
a regress test. Translation is done on rule set load-time only, so the
rule sets must be reloaded when an interface address changes.
parse.y patch from Cedric Berger. Similar patch from Jonathon Fletcher.
Thanks to both.


# 1.38 01-Oct-2001 markus

print variable assignments only if -v is given. ok dhartmei/deraadt


# 1.37 28-Sep-2001 dhartmei

Support underscores in macro names and document it in the man page.


# 1.36 20-Sep-2001 dhartmei

Fix uninitialized structure fields. Problem reported by Cedric Berger.


# 1.35 15-Sep-2001 wilfried

Implement return-icmp(number), return-icmp6(number)
Differentiate between return-icmp and return-icmp6,
icmp-type and ipv6-icmp-type. ok dhartmei@


# 1.34 15-Sep-2001 dhartmei

Fix 'binat ... to any ...' (binat.af wasn't set).


# 1.33 15-Sep-2001 dhartmei

Parse bug, found by wilfried@


# 1.32 15-Sep-2001 frantzen

IPv6 support from Ryan McBride (mcbride@countersiege.com)


# 1.31 12-Sep-2001 markus

check calloc() return value


# 1.30 06-Sep-2001 jasoni

- you can only binat between hosts
- add binat example and description


# 1.29 06-Sep-2001 jasoni

1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@


# 1.28 04-Sep-2001 dhartmei

Support parameter lists {} for interfaces in filter rules, like
pass in on { gm0, kue0 } from any to any


# 1.27 28-Aug-2001 markus

move '!' from host_list to host: "xhost : '!' host | host;"; ok dhartmei@


# 1.26 28-Aug-2001 markus

check for malloc/strdup == NULL


# 1.25 28-Aug-2001 dhartmei

Support ! operator in host parameter lists. Fixes PR system/2030. Reported
by Kamil Andrusz <wizz@mniam.net>.


# 1.24 26-Aug-2001 deraadt

sort keywords


# 1.23 25-Aug-2001 frantzen

PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation.


# 1.22 23-Aug-2001 millert

o for a port_item, initialize the "next" pointer to NULL
o for an address, use calloc() instead of malloc() so the struct is zeroed
Fixes a SEGV in pfctl due to uninitialized "next" pointers.


# 1.21 23-Aug-2001 deraadt

Support var="string". Expansion (at lex time) done using $var, for instance:
okproto="{ssh, smtp, domain, auth}"
pass in on key0 proto tcp from any to any port $okproto keep state
Can I ask someone else to document this in pf.conf(5)?


# 1.20 19-Aug-2001 dhartmei

Add parameter list support to parser. Handles lists for protocol, hosts
and ports in filter rules, like

block in from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
pass in proto tcp from any to any port { ssh, 1024 >< 2000, > 65000 }
block in proto { udp, igmp }

and does rule expansion (generate all needed rule combinations).


# 1.19 16-Aug-2001 deraadt

track the line number per-token, so that we can report errors correctly


# 1.18 14-Aug-2001 mickey

optimize the flags parsing; markus@ ok


# 1.17 11-Aug-2001 deraadt

\+\n support, and spit out cc-style error messages. the parser's line
counting is lex dependent, and will need to be tweaked


# 1.16 31-Jul-2001 wilfried

allow to test that flags are unset, ok dhartmei@, mickey@


# 1.15 19-Jul-2001 krw

Fix/complete the handling of the binary ops >< and <> to behave
like the ipf operators.

The 'n >< m' construct (Include Range = PF_OP_IRG) should match
ports greater than n and less than m, not greater than or equal to
n and less than or equal to m.

The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match
all ports less than n OR greater than m, not be treated as an
alias for ><.

Thus PF_OP_GL, which was used for both <> and >< is replaced with
PF_OP_IRG and PF_OP_XRG with the 'correct' semantics.

OK dhartmei@


# 1.14 18-Jul-2001 markus

new ERROR token, errx() -> warnx() + ERROR; ok deraadt@


# 1.13 18-Jul-2001 markus

KNF for return


# 1.12 18-Jul-2001 mickey

check number range to fit in 32 bits


# 1.11 18-Jul-2001 mickey

put range checks on NUMBER, pointed out by deraadt


# 1.10 17-Jul-2001 mickey

spaces, parens, err instead of errx+strerror


# 1.9 17-Jul-2001 markus

warnx()/YYERROR instead of errx(); suggested by mickey@


# 1.8 17-Jul-2001 provos

markus doesn't like min-ttl =, begone


# 1.7 17-Jul-2001 provos

support min-ttl, okay dhartmei@


# 1.6 17-Jul-2001 provos

normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@


# 1.5 17-Jul-2001 marc

bitch about ! in pf rule; ok dhartmei@ and markus@


# 1.4 17-Jul-2001 millert

Only set default proto in the rdr case; markus@ OK


# 1.3 16-Jul-2001 markus

errx() if getservbyname() fails


# 1.2 16-Jul-2001 markus

better flags parsing; dhartmei


# 1.1 16-Jul-2001 markus

add a yacc parser for pf.conf and nat.conf, with help from mickey@,
plus: -n now turns off all operations, and just parses the conf files
ok deraadt@


# 1.707 16-Dec-2020 kn

Fail to parse rules with invalid ranges

This makes pfctl(8) detect bogus ranges (with and without `-n') before
loading the ruleset and completes the previous commit.

OK sashan sthen


# 1.706 16-Dec-2020 kn

Reject rules with invalid port ranges

Ranges where the left boundary is bigger than the right one are always bogus
as they work like `port any' (`port 34<>12' means "all ports") or in a way
that inverts the rule's action (`pass ... port 34:12' means "pass no port at
all").

Add checks for all ranges and invalidate those that yield no or all ports.

For this to work on redirections, make pfctl(8) pass the range's type,
otherwise boundary including ranges are not detected as such; that is to
say, `struct pf_pool's `port_op' member was unused in the kernel so far.

`rdr-to' rules with invalid ranges could panic the kernel when hit.
Reported-by: syzbot+9c309db201f06e39a8ba@syzkaller.appspotmail.com

OK sashan
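
The range semantics that the r1.15 (`><` and `<>`) and r1.706 (ranges that yield no or all ports) messages describe, as an added example in C that is not pfctl's own code. The `port_op` enum and both functions are local to this file and only mirror the PF_OP_IRG/PF_OP_XRG naming; `range_check()` classifies a range by brute force over all 65536 ports, which is deliberately simple so the result is obviously right for the two bogus ranges quoted above.

```c
/*
 * Added example, not pfctl's own code: pf.conf port-operator semantics as
 * the r1.15 and r1.706 commit messages describe them.  The enum names
 * mirror pf's PF_OP_* constants but are local to this file.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum port_op {
	OP_RRG,		/* n:m   inclusive range, n <= p <= m */
	OP_IRG,		/* n><m  include range: p > n and p < m (r1.15) */
	OP_XRG		/* n<>m  exclude range: p < n or p > m (r1.15) */
};

/* Does port p satisfy 'a OP b'? */
bool
port_match(enum port_op op, uint16_t a, uint16_t b, uint16_t p)
{
	switch (op) {
	case OP_RRG:
		return p >= a && p <= b;
	case OP_IRG:
		return p > a && p < b;
	case OP_XRG:
		return p < a || p > b;
	}
	return false;
}

/*
 * Classify a range the way r1.706 asks the parser to: 0 is a sane range,
 * -1 a range that can never match (behaves like "no port at all"), and
 * +1 a range that matches every port (behaves like "port any").  Both
 * degenerate cases are the ones the parser should now reject.
 */
int
range_check(enum port_op op, uint16_t a, uint16_t b)
{
	unsigned long hits = 0;
	unsigned int p;

	for (p = 0; p <= 65535; p++)
		if (port_match(op, a, b, (uint16_t)p))
			hits++;
	if (hits == 0)
		return -1;
	if (hits == 65536)
		return 1;
	return 0;
}

int
main(void)
{
	/* The two bogus ranges quoted in the r1.706 message. */
	printf("port 34<>12 -> %d (1: matches all ports)\n",
	    range_check(OP_XRG, 34, 12));
	printf("port 34:12  -> %d (-1: matches no port)\n",
	    range_check(OP_RRG, 34, 12));
	/* A sane range for comparison. */
	printf("port 1024><2000 -> %d (0: sane)\n",
	    range_check(OP_IRG, 1024, 2000));
	return 0;
}
```

Note that `12 >< 13` is also rejected: the include range has no interior, so it matches nothing even though the left boundary is the smaller one. That is why the check is phrased in terms of what the range yields rather than just comparing the boundaries.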


# 1.705 07-Dec-2020 sashan

synproxy should be processing incoming SYN packets only.
issue noticed by sthen@. fix discussed with bluhm@ and procter@

OK bluhm@, kn@, procter@


# 1.704 01-Oct-2020 kn

rdomain IDs do not need to exist for "on rdomain N" to work

Unlike "... rtable N", pf.conf(5)'s "on rdomain N" does not alter packet
state and will always work no matter if rdomain N currently exists or not,
i.e. the rule "pass on rdomain 42" will simply match (and pass) packets if
rdomain 42 exists, and it will simply not match (neither pass nor block)
packets if 42 does not exist.

There's no need to reload the ruleset whenever routing domains are created
or deleted, which can already be observed now by creating an rdomain,
loading rules referencing it and deleting the same rdomain immediately
afterwards: pf will continue to work as expected.

Relax both pfctl(8)'s parser check as well as pf(4)'s copyin routine to
accept any valid routing domain ID without expecting it to exist at the time
of ruleset creation - this lifts the requirement to create rdomains before
referencing them in pf.conf while keeping pf behaviour unchanged.

Prompted by yasuoka's recent pfctl parse.y r1.702 commit requiring an rtable
to exist upon ruleset creation.

Discussed with claudio and bluhm at k2k20.

Feedback sashan
OK sashan yasuoka claudio


Revision tags: OPENBSD_6_8_BASE
# 1.703 17-Sep-2020 yasuoka

Fix the previous commit whose conditions were reversed.

ok kn


# 1.702 17-Sep-2020 yasuoka

Make pfctl(8) check if the rtable really exists when parsing the
config. work with and diff from kn

ok kn


Revision tags: OPENBSD_6_7_BASE
# 1.701 28-Jan-2020 bket

sbin/pfctl: replace TAILQ concatenation loop with TAILQ_CONCAT

OK kn@, sashan@, florian@


# 1.700 15-Jan-2020 kn

Do the actual pfr_strerror() to pf_strerror() rename

Missed in previous


# 1.699 17-Oct-2019 millert

Use -1 to indicate an invalid uid/gid, not UID_MAX and GID_MAX.
This is the userland portion. OK deraadt@ sashan@


Revision tags: OPENBSD_6_6_BASE
# 1.698 26-Aug-2019 tobhe

Fix file descriptor leak due to popfile() never closing the main config file.

The fix is the same as for other parse.y files in the tree (see bgpd(8) or
unwind(8))

ok bluhm@


# 1.697 05-Jul-2019 patrick

Fix integer sizes in format strings and enable formatting warnings
for yyerror.

From Moritz Buhl
ok bluhm@ claudio@


# 1.696 08-May-2019 sashan

pfctl should check pfctl.astack is not overrun
(bug found and fixed by Petr Hoffmann _at_ oracle.com)

OK kn@


# 1.695 18-Apr-2019 kn

Fix table definition parsing as unprivileged user

revision 1.689 introduced warn_duplicate_tables() unconditionally, breaking
the parser on tables with insufficient permissions to open pf(4):

$ echo 'table <t>' | pfctl -nf-
pfctl: pfr_get_tables: Bad file descriptor

So simply check whether pfctl is able to get the table list first. If not,
instead of silently avoiding namespace collision checks, print a brief
notice iff `-v' is given to help finding duplicate definitions by hand:

$ echo 'table <t>' | ./obj/pfctl -vnf-
table <t>
stdin:1: skipping duplicate table checks for <t>

Reported by Rivo Nurges, thanks!
OK benno sashan


Revision tags: OPENBSD_6_5_BASE
# 1.694 06-Mar-2019 kn

Fix once rules

parse.y revision 1.682 from 16.07.2018 erroneously allowed `match once' and
`anchor "a" once'.

Fix both by checking for PF_DROP not PF_MATCH and creating anchors in the
parser already such that they can be used to distinguish anchor rules in
the same check as well.

Found and fixed by Petr Hoffmann <petr.hoffmann at oracle dot com>, thanks!

While here, remove an unneeded cast and make pfctl_add_rule() void as it
always returned 0.

OK sashan


# 1.693 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.692 10-Feb-2019 kn

Anchor names must not be empty

The parser would allow bogus input and sometimes even produce invalid rules
on empty anchor names, so error out immediately.

OK sashan


# 1.691 10-Feb-2019 kn

Unify anchor name sanity checks

For anchor names, make `load anchor' use the same grammar as `anchor' and
merge unique checks from both places so that anchor names are validated
regardless of the specific rule at hand.

OK sashan


# 1.690 31-Jan-2019 kn

Make divert-packet port accept any port specification

Contrary to other rules accepting a single port, this one only works with
numerical values. Fix it by simply using the proper grammar.

Port ranges are not accepted, but an error message on a range without start
was missing in general, so add it while here.

OK bluhm


# 1.689 11-Jan-2019 kn

When creating tables inside anchors, pfctl warned about namespace
collisions with global tables, but only in certain cases and with
limited information sometimes leaving users clueless.

Deferring the check to process_tabledefs() where tables are eventually
created, both anchor and table name are known which allows for checking
all existing anchors.

With this, warn on all duplicates even in dry-runs (`-n') and print
quoted names so they can be copied to fix configurations right away.

No functional change in parsing or ruleset production.

Discussed with and OK sashan


# 1.688 15-Nov-2018 dlg

scrub opts don't set tos, so remove it from the scrub_opts struct

ok deraadt@


# 1.687 10-Nov-2018 kn

Unbreak `-D macro=value' (r1.686 regression)

Zap trailing semicolon introduced with miko's cmdline_symset() leading to
unconditional err(3). Zap trailing tab while here.


# 1.686 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.685 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.684 16-Sep-2018 millert

Use uid_from_user(3) and gid_from_group(3) in utilities that
do repeated lookups. OK tb@


# 1.683 06-Sep-2018 kn

Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan


# 1.682 16-Jul-2018 kn

reduce duplicate code, fix typo/free correct buffer

In filteropts_to_rule():

* Merge `once' handling from `anchorrule' and `pfrule'
* Remove/shorten duplicate code block
* Fix typo I introduced with r1.678 that frees the wrong buffer (twice)

OK sashan


# 1.681 13-Jul-2018 kn

Fix regression on child queue definitions

I committed the wrong diff in 1.680 which turned `queue cq parent pq ...'
into invalid syntax by changing `interface' to `ON if_item'.

Found by bket, thanks!


# 1.680 11-Jul-2018 kn

Prevent invalid interface specifiers on queue rules

pf.conf(5) states that queues attach to actual interfaces only, yet the
following parses:

# echo queue eq on egress bandwidth 1G default | pfctl -f-
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

# echo queue rq on rdomain 0 bandwidth 1G default | pfctl -vf-
queue rq bandwidth 1G default
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

On rdomains, ifa_exists() returns NULL.
On interface groups, ifa_exists() returns non-NULL but af is never set
to AF_LINK.

OK henning sashan


# 1.679 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.678 10-Jul-2018 henning

'set delay' for the generic packet delay mechanism, ok benno sashan


# 1.677 10-Jul-2018 kn

fix anchor rules with filter opts, introduce filteropts_to_rule()

Some filter options were parsed but not set on anchor rules due to missing
copies of the respective struct members:

$ cat pf.conf
queue rq on trunk0 bandwidth 1G
queue dq parent rq bandwidth 1G default
anchor a set queue dq
$ pfctl -vnf pf.conf | fgrep queue
anchor "a" all

Fix this by moving common code from `anchorrule' and `pfrule' into a new
helper filteropts_to_rule().

Input from henning and benno
OK henning sashan jca


# 1.676 09-Jul-2018 kn

Zap dead code

Commented since r1.465 (2004).

OK deraadt benno jca sashan


# 1.675 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.674 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.673 18-May-2018 benno

A pf rule with a "on rdomain n" with nonexisting rdomain n will cause an

pfctl: DIOCADDRULE: Device busy

error when loading the ruleset, with no information which rule caused
the problem and no indication that the problem is the rdomain
<nonexisting>.

This diff makes pfctl check if the rdomain really exists when parsing
the config.

ok bluhm@


# 1.672 09-May-2018 otto

Fix (include file) line number counting by keeping track of the unget
buffer per file; also use that buffer to expand macros.
ok sashan@ dennis@ krw@


# 1.671 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.670 08-Feb-2018 henning

make the watermarks/thresholds for entering and leaving syncookie mode when
syncookies are set to adaptive tunable, ok claudio benno


# 1.669 06-Feb-2018 henning

allow control over syncookies: set syncookies never/always/adaptive


# 1.668 28-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@


# 1.667 27-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Convert the pfctl(8) rule parser to divert types, kernel cleanup
will be the next step.
OK sashan@


# 1.666 25-Nov-2017 sashan

- pfctl fails to handle nested 'load anchor' properly
[ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]

OK bluhm@


# 1.665 14-Nov-2017 sashan

- nested anchors vs. pfctl/parse.y
bug reported and fix tested by Leonardo Guardati

OK bluhm@


# 1.664 13-Nov-2017 henning

add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb


Revision tags: OPENBSD_6_2_BASE
# 1.663 11-Aug-2017 benno

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@


# 1.662 19-Jul-2017 mikeb

Allow HFSC classes to use flow queues

The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue. Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.

Discussed with and OK henning@ at d2k17 as a part of a larger diff.


# 1.661 19-Jul-2017 mikeb

Rework HFSC vs FQ-CoDel checks

The selection mechanism introduced in pf_ioctl.c -r1.316 suffers
from being too ambiguous and lacks robustness. Instead of relying
on composition of multiple flags in the queue specification, it's
easier to identify the root class (if it exists) and derive all
further checks from it.


# 1.660 28-May-2017 akfaew

Don't check np->port for NULL - it's an array, it's never NULL.

OK bluhm@


# 1.659 15-May-2017 mikeb

Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)

OK sthen, visa


# 1.658 28-Apr-2017 mikeb

Remove double assignments


Revision tags: OPENBSD_6_1_BASE
# 1.657 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.656 23-Nov-2016 bluhm

Explicitly forbid to combine af-to with route-to in pfctl. The
parser cannot handle that correctly and it is unclear whether the
kernel code would work. Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@


# 1.655 26-Aug-2016 guenther

Add <time.h> for time(); sort <*.h> includes

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.654 18-Jul-2016 henning

g/c unused (global!) var: oqueues isn't used any more. ALTQ leftover; not
noticed since struct node_queue stayed. ok claudio benno gcc


# 1.653 22-Jun-2016 kettenis

Add curly braces that were missed in rev 1.651. Add parentheses to make the
condition in the if statement more readable while I'm there.

ok phessler@, benno@, florian@


# 1.652 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.651 21-Jun-2016 benno

the manpage documents that af-to does not work on pass out rules, but
the pf.conf parser allows it, which leads to a non-working configuration
being loaded.
this changes the parser to make pass out .. af-to an error.

ok henning@ mikeb@


# 1.650 16-Jun-2016 henning

allow include in inline anchors
with this,
anchor foo {
include "/path/to/rules"
}
works and "load anchor" is obsolete, to be removed somewhen later after
release.
co-production with reyk at bsdcan, ok reyk mikeb benno sasha


Revision tags: OPENBSD_5_9_BASE
# 1.649 01-Sep-2015 sashan

- route-to, dup-to, reply-to should not override the block action

Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>

ok jung@, ok mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.648 21-Apr-2015 mikeb

Improve divert-to specification parsing w.r.t. rule address family.
ok henning


Revision tags: OPENBSD_5_7_BASE
# 1.647 26-Feb-2015 sthen

%% not % in error message; ok millert@ henning@


# 1.646 14-Feb-2015 sthen

Rather than using 0xff as a placeholder for "don't check prio", use 0xff to
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.

Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesn't like it he can change it when he recovers from jet-lag"


# 1.645 10-Feb-2015 henning

since we inherit prio (as in, the queuing priority) from outside sources,
i. e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan


# 1.644 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.643 19-Dec-2014 reyk

Support source-hash and random with tables and dynifs; not just pools.
This finally allows using source-hash for dynamic loadbalancing, eg.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.

An older pre-siphash version of this diff was tested by many people.

OK tedu@ benno@


# 1.642 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.641 27-Oct-2014 mikeb

Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic. Reported by sthen@;
ok henning benno sthen


# 1.640 25-Oct-2014 lteo

Remove unnecessary netinet/in_systm.h include.

ok millert@


# 1.639 13-Sep-2014 doug

Replace all queue *_END macro calls except CIRCLEQ_END with NULL.

CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.

ok millert@


# 1.638 23-Aug-2014 pelikan

when you specify queues in a rule, make sure they have been defined.

DIOCADDRULE EBUSY turns into an error message that pfctl -n catches.
DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported
to occur, possibly from hfsc.c: this should be fixed as well.

ok henning mikeb sthen


# 1.637 21-Aug-2014 mikeb

deny "once" flags for match rules; ok henning


Revision tags: OPENBSD_5_6_BASE
# 1.636 02-Jul-2014 mikeb

branches: 1.636.4;
condition above makes this part of the check useless;
overlooked in the previous commit


# 1.635 30-Jun-2014 mikeb

Merge two loops in collapse_redirspec into one

This lets us do the checks only once and also make smarter decisions
about the rule's own address family. As a result af-to rules no longer
need to specify the address family after 'pass'.

ok henning


# 1.634 25-Jun-2014 mikeb

Make stricter decisions when handling translation specifications.

In particular, disallow specifications containing addresses of
different address families when the rule doesn't specify one, for
example "pass out nat-to { ::1 1.1.1.1 }" will now produce an
error instead of silently picking one of the addresses.

sthen and deraadt agree


# 1.633 17-May-2014 bluhm

When parsing a numerical value for the TOS bits, make sure that it
is in a valid range.
OK henning@


# 1.632 19-Apr-2014 henning

remove altq bits here, too
(i was convinced i committed that yesterday already, hrm)


Revision tags: OPENBSD_5_5_BASE
# 1.631 22-Jan-2014 henning

branches: 1.631.4;
relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.630 21-Jan-2014 henning

if_item can be "any" now.
allows things like
block out on $someif received-on any
to prevent packets to get forwarded to $someif


# 1.629 20-Jan-2014 henning

support "!received-on <interface>", ok dlg benno


# 1.628 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.627 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


# 1.626 17-Oct-2013 henning

cannot have queue definitions inside anchors.
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@@ring0.de>, analysis & fix yours truly


# 1.625 12-Oct-2013 henning

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen


# 1.624 01-Aug-2013 mikeb

Provide local implementations of if_nametoindex(3) and if_indextoname(3)
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance-wise this change provides a speed-up
factor of 20 with an 11k line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).

"wow!" henning, ok benno, florian


Revision tags: OPENBSD_5_4_BASE
# 1.623 01-Jun-2013 henning

branches: 1.623.2;
remove set-tos backwards compat, moved into the set {} block a year ago
ok ryan


# 1.622 02-Mar-2013 sthen

When a PF rule contains 'set tos' *followed by* a scrub option, the tos
value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning


Revision tags: OPENBSD_5_3_BASE
# 1.621 16-Jan-2013 henning

for consistency with prio etc, the queue assignment really belongs
into the set block. so make pfctl accept, print and the manpage document
. match set queue foo
instead of
. match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc


# 1.620 18-Oct-2012 reyk

Disallow tables and interface address pools for rdr-to, nat-to and
route-to with any other scheduling algorithms than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, eg. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.

Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.

ok zinke@


# 1.619 18-Sep-2012 henning

prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb


Revision tags: OPENBSD_5_2_BASE
# 1.618 10-Jul-2012 bluhm

Allow an implicit address family for af-to rules. If the address
family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6"
there.
OK henning@ mikeb@


# 1.617 10-Jul-2012 henning

set { ... } -> set ( ... )
brought up by ryan, discussed with him and theo and they convinced me


# 1.616 09-Jul-2012 henning

fix some of the confusion we have in pf regarding filter criteria vs
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler


# 1.615 07-Jul-2012 henning

remove incorrect check in pfctl preventing set-tos for ipvshit.
the kernel has code to deal with set-tos and that crap. don't ask for
details. stuart ok


# 1.614 07-Jul-2012 henning

rename prio in struct pf_rule and related structs to set_prio so it is
utterly clear this is not a filter criterion but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc


Revision tags: OPENBSD_5_1_BASE
# 1.613 19-Dec-2011 mikeb

unbreak rule optimizer; ok henning, looks


# 1.612 12-Dec-2011 mikeb

fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault


# 1.611 03-Dec-2011 mcbride

pfctl_set_hostid always returns 0; don't pretend otherwise and make it a
void function instead.

ok dlg


# 1.610 13-Oct-2011 claudio

pfctl change for af-to / NAT64 support.
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@


# 1.609 07-Sep-2011 haesbaert

Avoid possible SIGSEGV when a wrong tos option is given.


# 1.608 30-Aug-2011 mikeb

One shot rules can be used in pf.conf by specifying a "once" filter option.

ok henning, mcbride


Revision tags: OPENBSD_5_0_BASE
# 1.607 29-Jul-2011 mcbride

Remove requirement to quote 'debug' loglevel for the 'debug' option.

ok henning


# 1.606 27-Jul-2011 mcbride

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt


# 1.605 13-Jul-2011 mcbride

Force user to specify protocol when filtering on user, gid, and os
attributes (this is now required by pf_rule_test()).

ok sthen henning


# 1.604 08-Jul-2011 henning

allow rules to specify "prio X" or "prio (X, Y)" to assign priority levels
for the new priority queueing implementation. valid range is 0 to 7. the old
trick for prioritizing empty ACKs etc remains thru the latter notation
ok ryan mpf sthen plus pea testing and halex and claudio reading


# 1.603 07-Jul-2011 mcbride

Fold pf_test_fragment() into pf_test_rule(), reduces code and fixes
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus


# 1.602 04-Jul-2011 henning

bye bye require-order.
i added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo


# 1.601 03-Jul-2011 henning

g/c RIO traces (aka clean up after tedu :))


# 1.600 03-Jul-2011 zinke

bring in least-states load balancing algorithm

ok mcbride@ henning@


# 1.599 06-Apr-2011 claudio

Userland bits to allow PF to filter on the rdomain a packet belongs to.
This allows writing rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@


# 1.598 05-Apr-2011 mikeb

ditch fastroute, an ipf feature that made its way into pf before
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do. reuse some kernel bits for the upcoming nat64
stuff. "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.


Revision tags: OPENBSD_4_9_BASE
# 1.597 31-Dec-2010 bluhm

According to pf_scrub_ip6() pf does not support the scrub options
no-df, random-id, set-tos for IPv6 rules. Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@


# 1.596 15-Dec-2010 henning

make the "invalid probability:" yyerror suck less
From: Thomas Pfaff <tpfaff@tp76.info>


# 1.595 01-Dec-2010 jsg

remove some unused tokens
ok henning@ mcbride@


# 1.594 24-Sep-2010 henning

remove the check that enforced rdr-to only inbound and nat-to only outbound.
both now can be used in both directions. the kernel allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given, a rule with rdr-to and/or nat-to
and no direction is pretty certainly an error (even though it would work,
technically)
ok ryan claudio dlg


# 1.593 22-Sep-2010 henning

new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually


# 1.592 02-Sep-2010 sobrado

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@


Revision tags: OPENBSD_4_8_BASE
# 1.591 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.590 03-Jul-2010 mcbride

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.

tested by phessler
ok henning


# 1.589 23-Mar-2010 henning

remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving anchors aside) is wrong and
conflicts with the general idea of how pf works. last not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc


Revision tags: OPENBSD_4_7_BASE
# 1.588 13-Jan-2010 deraadt

Move tokens before productions into more consistent places
ok mcbride


# 1.587 13-Jan-2010 mcbride

Allow /netmask notation in redir spec, fix the rest of the regress
tests for illegal conditions in translation/routing.


# 1.586 12-Jan-2010 mcbride

We actually have to keep the translate/route spec addresses around after
collapsing into tables, so that we can handle all possible address family
expansions.


# 1.585 12-Jan-2010 mcbride

Set roundrobin flag correctly, and don't treat a bare interface
like a dynamic one in the routespec.


# 1.584 12-Jan-2010 mcbride

Add restrictions to make @if illegal in outside of routing specs;
Fix binat-to sanity checks.


# 1.583 12-Jan-2010 mcbride

Fix some issues in redir spec handling, discovered thanks to dlg testing
- purge irrelevant addresses from the lists before collapsing
- ensure the lists are freed after they're collapsed
- more careful ifname copying, avoiding double-free / use-after-free traps


# 1.582 12-Jan-2010 mcbride

Don't leak @if0 format routing host names, pointed out by claudio.


# 1.581 12-Jan-2010 mcbride

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio


# 1.580 10-Jan-2010 deraadt

lex <=, >=, and != into a single token for correctness and to reduce the
lookahead in the parser
ok henning otto


# 1.579 10-Jan-2010 deraadt

In the non-optimized case, an address list containing "any" (ie. { any 10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1. How long this bug has
been with us is unclear.
ok guenther mcbride


# 1.578 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


# 1.577 24-Dec-2009 dlg

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:

pass out on em0 from $foo to $bar received-on fxp0

ive been running this in production for a week now. i find it particularly
useful with interface groups.

no objections, and a few "i like"s from henning, claudio, deraadt, mpf


# 1.576 10-Dec-2009 deraadt

plug some memory leaks; found by parfait, ok henning


# 1.575 22-Nov-2009 henning

cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing


# 1.574 09-Nov-2009 jsg

A few more places to be updated for the route pool change.
expanded version of a diff from Vadim Zhukov.

ok henning@ claudio@


# 1.573 28-Oct-2009 jsg

Add a dedicated pf pool for route options as suggested by henning,
which unbreaks ie route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@


# 1.572 28-Oct-2009 claudio

route_host initializes the netmask to a /128 no matter what af is used so
that the load balancing code does not freak out but because of this
check_netmask() is now complaining. So set the addr.type to PF_ADDR_DYNIFTL
so check_netmask() is fixing up the netmask for IPv4 and stops complaining.
This is a partial fix for the failing regress test 13.
found with jsg, looks good henning


# 1.571 28-Oct-2009 claudio

Correct function name in err and errx.


# 1.570 04-Oct-2009 michele

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who spotted what the limitations of this approach are.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@


# 1.569 08-Sep-2009 michele

I had not enough oks to commit this diff.
Sorry.


# 1.568 08-Sep-2009 michele

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.


# 1.567 07-Sep-2009 reyk

implement binat-to as a macro-like rule: a rule using the new binat-to
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. this simplifies the migration from old
binat rules and is less error-prone.

feedback from many, manpage bits from jmc@
ok henning@


# 1.566 03-Sep-2009 reyk

this time i commit the right diff that was
ok henning@ (sorry)


# 1.565 03-Sep-2009 reyk

fix two route-to vs. rdr-to conflicts.

found by sthen@
ok henning@


# 1.564 02-Sep-2009 reyk

all the new *-to options are part of the "filteropts" section at the
end of a pf rule (nat-to, divert-to, rdr-to, ...). take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.

for example,
pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)

many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@


# 1.563 01-Sep-2009 henning

the diff theo calls me insane for:
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too


# 1.562 28-Jul-2009 claudio

Bring back rev. 1.560:
Make it possible to use DiffServ Code Point in the TOS fields.
Requested by deraadt@


# 1.561 27-Jul-2009 deraadt

When will people learn to commit their .h file changes?


# 1.560 27-Jul-2009 claudio

Make it possible to use DiffServ Code Point in the TOS fields. Names like
af11, cs6 and ef will now be mapped to the corresponding TOS value.
OK henning@, sthen@, mcbride@


Revision tags: OPENBSD_4_6_BASE
# 1.559 14-May-2009 sthen

actually change the require-order default to No; I missed a part with
my last commit. ok deraadt@


# 1.558 26-Apr-2009 sthen

switch the require-order default to "no". regression tests still pass.
ok henning@ deraadt@


# 1.557 25-Apr-2009 henning

scrub_opts must not be empty, scrub on its own does nothing.
noticed due to a question from otto@, ok regress/sbin/pfctl/ ;)


# 1.556 06-Apr-2009 henning

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.


Revision tags: OPENBSD_4_5_BASE
# 1.555 19-Feb-2009 deraadt

spacing


# 1.554 17-Oct-2008 henning

in findeol(), do not skip the pushback buffer. fixes PR 5952 by sthen@ and
should make the pushback buffer really transparent.
diagnosis by me, fix with mpf, some input deraadt, ok mpf


# 1.553 02-Oct-2008 henning

implement "set state-defaults X", where X is a list of state options as
permitted keep state(X). applies to all rules which do not have keep state
explicitly. e. g. "set state-defaults pflow, no-sync"
ok phessler deraadt


# 1.552 10-Sep-2008 deraadt

do not try to print $$ when it has not been set


# 1.551 09-Sep-2008 henning

welcome pflow(4), a netflow v5 compatible flow export interface.
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo


# 1.550 07-Aug-2008 henning

correctly copy the log interface spec when expanding an antispoof rule that
covers loopback addresses. ok ryan
problem report from Harald Dunkel <harald.dunkel@aixigo.de>


Revision tags: OPENBSD_4_4_BASE
# 1.549 03-Jul-2008 deraadt

do not forget to initialize other member of $$ in qname; noted by mark shroyer
ok henning


# 1.548 10-Jun-2008 mcbride

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt


# 1.547 10-Jun-2008 henning

new state option "sloppy" to use the sloppy tcp state tracker instead
of the good one. ok theo ryan reyk


# 1.546 09-May-2008 deraadt

Replace a crockpot of semi-cloned productions for handling port
numbers with one, and fix a few other bugs along the way
ok mpf henning


# 1.545 09-May-2008 markus

convert port byte order in the production; add port keyword; ok deraadt@


# 1.544 09-May-2008 markus

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@


# 1.543 08-May-2008 deraadt

make "to any" optional in binat, or well, the implied default.
requested by reyk, ok reyk mpf


# 1.542 08-May-2008 deraadt

Loosen grammar to permit any number of newlines within most kinds of { }
blocks, as requested by reyk; ok reyk mpf henning


# 1.541 08-May-2008 deraadt

Bring back (in a more yacc friendly way) support for setting variables
to a sequence of strings and numbers, which get folded together into one
string (and later, when used, is re-lexed)
ok mpf


# 1.540 07-May-2008 deraadt

do not assume PF_INOUT is 0 in the enum; ok mcbride


# 1.539 07-May-2008 markus

scrub packets based on tags; ok henning


# 1.538 07-May-2008 markus

allow setting TOS with scrub; ok mcbride, claudio


# 1.537 21-Apr-2008 deraadt

optnl is a crutch for those who do not understand yacc. it
leads to a variety of errors; ok mcbride


Revision tags: OPENBSD_4_3_BASE
# 1.536 01-Feb-2008 mcbride

Enable the rest of the filter_opts to be used on anchors. These were accepted
by the parser but not passed to the kernel. This allows filtering based on
uid, gid, icmp options, tcp flags, os fingerprint, tos, tags, and probability;
It also allows the label to be set. State options and tagging are not
permitted.

ok henning mpf


# 1.535 13-Nov-2007 mpf

Bring back the number converter for 'set hostid'.
I forgot to think about hex numbers when I removed it.
OK deraadt@


# 1.534 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.533 25-Oct-2007 mpf

Fix probability rules w/ numbers (e.g probability 0.4).
Add support for probabilities of 0% and 100%.
With and OK deraadt@


# 1.532 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.531 22-Oct-2007 deraadt

pfctl does not need file secrecy


# 1.530 16-Oct-2007 mpf

Allow unquoted numbers in variables.
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.

OK deraadt@


# 1.529 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.528 13-Oct-2007 deraadt

support an include directive; file of course must also be "secure" like
the main configuration file; ok henning


# 1.527 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.526 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.525 01-Oct-2007 mpf

Backout NUMBER to string conversion.
Requested by deraadt@


# 1.524 27-Sep-2007 mpf

Add loginterface support for groups.
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.

OK henning@, markus@


# 1.523 23-Sep-2007 mpf

Allow numbers to be used as unquoted strings again.
While there, also restrict the use of concatenated, unquoted
strings for variable assignments only.

Eyeballed by markus@, OK henning@


# 1.522 12-Sep-2007 deraadt

add a missing range check for rtable ids; ok cloder henning


# 1.521 12-Sep-2007 deraadt

Add support to the lex for parsing numbers out of the stream. handle
this in the parser. because the new numbers are int64_t, many new
range checks for < 0 are needed. re-check and improve all the
existing rangechecks while at it. thanks for help by cloder and
dhartmei


# 1.520 30-Aug-2007 dhartmei

add support for address ranges ("from 10.1.2.50 - 10.1.3.75") in from/to
criteria. ok mcbride@


Revision tags: OPENBSD_4_2_BASE
# 1.519 21-Jun-2007 henning

always initialize logif, from max laier, ok ryan


# 1.518 20-Jun-2007 mpf

Allow "log" for nat rules without "pass".
OK henning@, ``passt scho'' markus@


Revision tags: OPENBSD_4_1_BASE
# 1.517 03-Feb-2007 dhartmei

in decide_address_family(), only limit a rule to a specific address family
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@


# 1.516 07-Nov-2006 mcbride

Unbreak authpf by handling non-inline anchors separately from the { } anchors
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.

ok deraadt@


# 1.515 31-Oct-2006 mcbride

Allow pfctl ruleset optimizer to be controlled from the ruleset.

"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]

You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.

cleanup and ok henning@


# 1.514 31-Oct-2006 mcbride

- don't allow anchors with _* names to be cleared or loaded from the
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified

'looks sensible' deraadt@


# 1.513 28-Oct-2006 mcbride

Load all rules into memory before loading into the kernel, and add support
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").

anchor on fxp0 {
pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@


# 1.512 25-Oct-2006 henning

make absolutely sure logif is 0 unless set specifically, even if log is 0.
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...


# 1.511 25-Oct-2006 henning

and another nit, $$.log should be set to 0 explicitly on quick without log


# 1.510 25-Oct-2006 henning

urgs, $$.quick needs to be set to 0 explicitly on log (without quick)


# 1.509 25-Oct-2006 henning

allow the log interface to be selected like
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride


# 1.508 17-Oct-2006 mcbride

Don't automatically set 'flags S/SA' on stateless rules.

pointed out by david@

ok mpf@ dhartmei@


# 1.507 11-Oct-2006 deraadt

quotes around filename, pr 5253, sthen@zephyr.spacehopper.org


# 1.506 11-Oct-2006 mcbride

Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside
the anchor, terminate ruleset evaluation when stepping out of the anchor.

This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.

ok dhartmei@ henning@ deraadt@


# 1.505 06-Oct-2006 mcbride

Oops, flags S/SA doesn't work on fragments.


# 1.504 06-Oct-2006 mcbride

Make 'flags S/SA keep state' the implicit for filter rules, based on
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.

IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.

Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.

ok dhartmei@ deraadt@ henning@


Revision tags: OPENBSD_4_0_BASE
# 1.503 22-Aug-2006 dhartmei

back out -r1.497 (support for "tagged {}" lists), it broke "tagged" support
for nat rules. sorry, existing functionality trumps syntactic sugar. feel
free to resubmit a complete patch. closes PR 5207.


# 1.502 06-Jul-2006 henning

add "rtable" to select alternate routing tables.
with & ok claudio hshoexer


# 1.501 17-Jun-2006 henning

KNF


# 1.500 28-May-2006 mcbride

Make per-rule adaptive timeouts behave the same way as the global adaptive
timeouts.


# 1.499 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.498 02-May-2006 dhartmei

fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, create
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.


# 1.497 01-May-2006 dhartmei

add support for "tagged {}" lists, from Pierre-Yves Ritschard


# 1.496 06-Apr-2006 henning

allow lists inside lists for address specs, has been in my tree for
quite some time... theo likes


# 1.495 14-Mar-2006 djm

implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@


Revision tags: OPENBSD_3_9_BASE
# 1.494 17-Nov-2005 dhartmei

for pfctl -f rules, open the file before resetting options. when opening
the file fails, produce only the error message and leave options
unchanged. reported by Tamas TEVESZ, ok deraadt@


# 1.493 13-Oct-2005 henning

unused parameters


Revision tags: OPENBSD_3_8_BASE
# 1.492 14-Jun-2005 henning

no need to restrict tagging to stateful rules any more, dhartmei ok
From: "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.491 27-May-2005 dhartmei

get rid of 'log-all'. now that we have 'log (options)', make 'all' an
option to log. so, 'log-all' becomes 'log (all)'.


# 1.490 27-May-2005 dhartmei

get rid of shift/reduce conflicts, don't support empty logopts


# 1.489 27-May-2005 dhartmei

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v are used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.


# 1.488 27-May-2005 dhartmei

allow 'tagged' in 'anchor' rules (without complaining about missing
'keep state'), as a condition to branch into the anchor. suggested
by Bill Marquette.


# 1.487 26-May-2005 camield

The illegalness of "no nat log" is already enforced by the grammar.

ok dhartmei


# 1.486 26-May-2005 dhartmei

support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@


# 1.485 23-May-2005 camield

remove code that duplicates getservice()

ok dhartmei mcbride


# 1.484 21-May-2005 henning

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo


# 1.483 22-Apr-2005 camield

Catch bad flags, i.e. flags that always evaluate to false. This happens
if there are flags on the left-hand side that are masked off by the
right-hand side.

ok mcbride@ (long time ago) dhartmei@ henning@


Revision tags: OPENBSD_3_7_BASE
# 1.482 07-Mar-2005 henning

print unsigned long with %lu, not with %d and not with %ld.
From: Andrey Matveev <andrushock@korovino.net>


# 1.481 06-Mar-2005 henning

allow commas in the hfsc service curve spec, inconsistency pointed out in
PR4134 / geoff@collyer.net and a longer mail exchange with han boetes


# 1.480 06-Mar-2005 dhartmei

print "set skip on" with -v in such a way that the output is valid input
syntax, instead of the cryptic hex flags output.


# 1.479 27-Feb-2005 dhartmei

support 'tagged' in translation rules, non-delayed tag lookup
ok henning@, deraadt@


# 1.478 26-Feb-2005 henning

you sure get the impression the number of memory leaks in error paths
is infinite... Andrey Matveev <andrushock@korovino.net> spotted a few again!


# 1.477 07-Feb-2005 david

KNF; ok henning@


# 1.476 28-Jan-2005 dhartmei

add messages for syntax errors that caused silent failure before.
found by Peter Fraser, ok henning@


# 1.475 27-Jan-2005 dhartmei

dynamic interface names must start with a letter. catches the nonsensical
"(10.1.2.3)" that results from a simple typo like "$(ext_ip)" instead of
"$(ext_if)".


# 1.474 05-Jan-2005 mcbride

Modify pfctl behaviour so that 'set ...' options are no longer "sticky", ie.
they are reset to default values if omitted from a subsequent ruleset load.
Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set
without resetting the others, eg:
# echo "set loginterface fxp0" | pfctl -mf -

ok henning@ dhartmei@


# 1.473 29-Dec-2004 mcbride

Print 'set fingerprints' correctly when parsing verbosely.


# 1.472 23-Dec-2004 dhartmei

set rule_flag PFRULE_SRCTRACK when setting srctrack, found by camield@
using regress test pf84


# 1.471 22-Dec-2004 dhartmei

Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@


# 1.470 15-Dec-2004 henning

missing free()s; with pat


# 1.469 10-Dec-2004 henning

allow pf to filter on route labels
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan


# 1.468 08-Dec-2004 mcbride

Add "'overload' requires 'max-src-conn' or 'max-src-conn-rate'" sanity check,
fix some cut-n-paste mayhem in other related checks.


# 1.467 07-Dec-2004 dhartmei

re-commit mcbride@'s 'flush global', this time without the breakage in
pfvar.h. builds kernel and userland.


# 1.466 07-Dec-2004 deraadt

real backout


# 1.465 07-Dec-2004 deraadt

oops, incomplete backout


# 1.464 07-Dec-2004 deraadt

tree does not compile, spotted by dlg (not obvious how to fix)
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.463 07-Dec-2004 mcbride

Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.462 05-Dec-2004 dhartmei

initialize $$->tail and $$->next for MAXSRCCONNRATE


# 1.461 04-Dec-2004 mcbride

Userland support for limiting open tcp connections per source. eg:

keep state (max-src-conn 1000, max-src-conn-rate 100/10, overload <bad> flush)

allow a maximum of 1000 open connections or 100 new connections in 10 seconds.
The addresses of offenders are added to the <bad> table which can be used in
the ruleset, and existing states from that host are flushed.

ok deraadt@ dhartmei@


# 1.460 21-Sep-2004 aaron

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok


Revision tags: OPENBSD_3_6_BASE
# 1.459 29-Jun-2004 henning

remove cedric's bogus interface name verification code.
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nice enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being bugged regularly.
help & ok mcbride@


# 1.458 29-Jun-2004 frantzen

convert a few memcpy()s to strlcpy() so we don't copy uninitialized junk into
an interface name's slack space past the \0. will be needed for the optimizer.
ok henning@


# 1.457 26-Jun-2004 david

add back PF_INOUT, fixes reassemble tcp
ok canacar@ mcbride@


# 1.456 25-Jun-2004 deraadt

repair tree nanobreak by the nanobum


# 1.455 10-Jun-2004 dhartmei

rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
keyword in C++. ok henning@, cedric@


# 1.454 21-May-2004 dhartmei

Use '/' instead of ':' as separator for anchor path components. Note that
the parser now needs quotes around paths containing separators.
ok mcbride@


# 1.453 19-May-2004 dhartmei

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@


# 1.452 24-Apr-2004 cedric

Add "probability xxx" rule modifier. ok deraadt@


# 1.451 22-Apr-2004 henning

typo, From: Jared Yanovich <jjy2+@pitt.edu>


# 1.450 14-Apr-2004 cedric

make antispoof work with dynamic addresses. ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_5_BASE
# 1.449 20-Mar-2004 david

spelling fix; ok dhartmei@ henning@ deraadt@


# 1.448 14-Mar-2004 dhartmei

#include fixes, from Max Laier, ok beck@ henning@


# 1.447 08-Mar-2004 henning

plug 124 memory leaks
ok mcbride@ pb@ dhartmei@


# 1.446 06-Mar-2004 henning

from bgpd:
plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. err(1, "yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.445 01-Mar-2004 dhartmei

support "tagged <name>" on anchor rules, suggested by vd@vmunix.lt,
ok henning@, cedric@


# 1.444 24-Feb-2004 mcbride

'max-src-nodes' requires 'source-track rule'. Set that automatically,
unless 'source-track global' is explicit, in which case error out. Lots of
help from cedric@.

ok cedric@ henning@


# 1.443 24-Feb-2004 cedric

fixup.


# 1.442 24-Feb-2004 mcbride

Check for 'source-track rule' with 'max-src-nodes'.

ok cedric@ henning@


# 1.441 11-Feb-2004 cedric

Fix interface clobbering for link-local addresses. Found by Pyun YongHyeon.
Fix "antispoof for foo" when foo has no addresses.
ok+help dhartmei@, ok mcbride@


# 1.440 10-Feb-2004 henning

KNF


# 1.439 10-Feb-2004 henning

fix at least the worst of Cedric "KNF is for everybody but me" Berger's fuckup


# 1.438 04-Feb-2004 mcbride

Handle rules like 'pass ... proto { tcp udp icmp } ... modulate state'

ok dhartmei@ henning@


# 1.437 03-Feb-2004 henning

fix PR 3664 / jared r r spiegel
we need to save the unexpanded tag/tagged strings before entering the
expansion loop, and at each loop, start with the unexpanded tag, so that
on subsequent loops the macros are replaced with current values and not
the values from previous loop persist
ryan theo ok


# 1.436 05-Jan-2004 henning

few off by ones in strlcpy overflow check; Patrick Latifi


# 1.435 04-Jan-2004 cedric

don't ignore "!" on "binat on !foo". ok mcbride@


# 1.434 31-Dec-2003 deraadt

spacing. note this, cedric


# 1.433 31-Dec-2003 cedric

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to a group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@


# 1.432 30-Dec-2003 henning

fix TAILQ abuse.
TAILQ_REMOVE is a no-no within a TAILQ_FOREACH loop.
also free the symbol itself after removal.
all found while hacking bgpd which incorporates pfctl's sym code (macros).

ok cedric@


# 1.431 19-Dec-2003 henning

i wrote much of these, assert my copyright


# 1.430 19-Dec-2003 deraadt

assert copyright. i rewrote much of this


# 1.429 16-Dec-2003 mcbride

Check that max-src-states and max-src-nodes are not being set to 0.


# 1.428 15-Dec-2003 henning

KNF here too


# 1.427 15-Dec-2003 mcbride

Whitespace.


# 1.426 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


# 1.425 15-Dec-2003 mcbride

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@


# 1.424 29-Nov-2003 dhartmei

allow ':' (range including boundaries) to be used wherever '><' (range
excluding boundaries) is legal. already supported by kernel, requires only
removal of three error messages. ok henning@


# 1.423 22-Nov-2003 henning

daniel stumbled over a broken regress test, and it turned out that I forgot
to commit a diff from 11/6...
do not insert the "block in on ! interface" rule for antispoof statements when
the interface in question does not have any IP address, because that then
expands to
block in on ! interface all
which is obviously bad.
niklas@ found it, dhartmei@ ok, and I think some more ppl ok I don't remember


# 1.422 14-Nov-2003 henning

allow the debuglevel to be set from pf.conf (set debug)

ok cedric@


# 1.421 08-Nov-2003 mcbride

Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.

pass in proto tcp to self flags S/SA keep state (no-sync)

ok cedric@ henning@ dhartmei@


# 1.420 06-Nov-2003 henning

and fix two err() that should be errx() while being here


# 1.419 06-Nov-2003 henning

need calloc here


# 1.418 06-Nov-2003 henning

allow the label macros to be used in tags as well.
the idea is not mine and I'd love to get credit, but I cannot find the mail
any more :-((

ok canacar@ dhartmei@


# 1.417 21-Oct-2003 itojun

don't use NULL as (int)0. henning ok


# 1.416 26-Sep-2003 cedric

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:

- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK

Ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_4_BASE
# 1.415 01-Sep-2003 henning

KNF


# 1.414 28-Aug-2003 kjell

This change is busted. what's worse, REGRESSION TESTS WOULD HAVE CAUGHT IT!
You MUST test network stack changes on BOTH BYTE-ORDERS.
Someone can fix this later, but right now I need to get the damn
firewall up. Grr.


# 1.413 26-Aug-2003 dhartmei

catch port/user/group a <>/>< b with a >= b, from mpech@


# 1.412 25-Aug-2003 dhartmei

catch return-rst ttl values > 255, from aaron@


# 1.411 24-Aug-2003 cedric

Tweaks:
- Make sure we allow only tables in round-robin pools for routing options,
same as what we do for translation rules.
- Don't reject rules like: "nat on sis0 -> <foo>" because
"no address family is given". This is perfectly valid.
ok henning@


# 1.410 22-Aug-2003 david

pf spelling police
ok dhartmei@ jmc@


# 1.409 21-Aug-2003 frantzen

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001


# 1.408 20-Aug-2003 henning

braindeadness police: catch queues which specify themselves as child... 'nuff said


# 1.407 20-Aug-2003 henning

err out nicer on errors in queue def


# 1.406 18-Aug-2003 dhartmei

catch max-mss values > 65535, report by Gregory Steuck


# 1.405 09-Aug-2003 cedric

This patch removes the restriction that tables cannot be used in routing or
redirection rules...

The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.

This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.

Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"

ok henning@ mcbride@


# 1.404 29-Jul-2003 deraadt

indent


# 1.403 19-Jul-2003 cedric

Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
instead of indirectly through struct pf_rule_addr.

Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.

Needless to say: KERNEL/USERLAND SYNC REQUIRED.

ok henning@ mcbride@


# 1.402 18-Jul-2003 cedric

Simplify handling of flags (-R, -N...). Remove PFCTL_FLAG_ALL.
ok dhartmei@


# 1.401 15-Jul-2003 cedric

Repair memory management in table parsing code.
I need vacations.
Found and verified by Pyun YongHyeon.
ok dhartmei@


# 1.400 14-Jul-2003 dhartmei

tpo


# 1.399 11-Jul-2003 cedric

Better parsing and -v support for tables:

- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and bring table definition consistent with other
parsed rules.

ok dhartmei@


# 1.398 10-Jul-2003 cedric

Fix merging of host lists.
ok dhartmei@ henning@


# 1.397 04-Jul-2003 henning

KNF after cedric (grmpf)


# 1.396 04-Jul-2003 henning

allow for a "pass" modifier on translation rules:
nat pass on $ext_if from $a to $b -> $ext_if
when the pass modifier is given, the filter ruleset is _not_ evaluated but
the packets matching this translation rule are passed unconditionally.

ok dhartmei@ cedric@ markus@


# 1.395 03-Jul-2003 cedric

Bye bye atexit(), bye bye globals...
The pfctl.c part will probably need some further improvements.
ok henning@


# 1.394 03-Jul-2003 cedric

This patch finally cleans up pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@


# 1.393 19-Jun-2003 deraadt

knf


# 1.392 18-Jun-2003 henning

change expand_label_addr() to use a switch (h->addr.type) instead of
if .. else if .. else, and handle PF_ADDR_NOROUTE as well.
inspired by a comment from cedric.


# 1.391 18-Jun-2003 henning

when expanding the $srcaddr/$dstaddr label macros and the address is actually
a table reference, don't print nonsense but the table name.
found by claudio jeker, fix by me, agreement by cedric


# 1.390 09-Jun-2003 mcbride

Attempt to resolve byte order confusion in nat code once and for all.

- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()

NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.


# 1.389 25-May-2003 henning

must not run check_netmask() before remove_invalid_hosts() - binat case had it
wrong for the redirection target.
reported by jared r r spiegel <jrrs@ice-nine.org>


# 1.388 19-May-2003 henning

reject invalid netmasks like 10.0.0.0/68, and fix up the netmask for
dynaddr rules after we know the address family

ok dhartmei@, inspired by a session with bob


# 1.387 19-May-2003 henning

all host() receivers have to test for NULL


# 1.386 19-May-2003 henning

if host() returns NULL, it is an error, so err the fuck out and don't
load bullshit


# 1.385 17-May-2003 henning

support inverse matching on tags like
block in ! tagged sometag

ok dhartmei@ pb@


# 1.384 16-May-2003 dhartmei

TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive end-
point, preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@


# 1.383 15-May-2003 henning

properly complain about too long tags


# 1.382 14-May-2003 frantzen

add scrub modifier "reassemble tcp" to turn on stateful TCP normalizations
ok henning@ dhartmei@


# 1.381 14-May-2003 henning

tagging on binat


# 1.380 14-May-2003 henning

enabled tagging on rdr rules


# 1.379 14-May-2003 henning

with tag/tagged given, only whine about missing keep state on pass rules


# 1.378 14-May-2003 frantzen

allow SCRUB rules to specify protocol again. broken sometime in the past.
okie dhartmei@, yay pb@


# 1.377 14-May-2003 henning

tags on nat rules:
nat on $ext_if all tag humppa -> $ext_if
pass out tagged humppa keep state


# 1.376 13-May-2003 henning

make sure tagging is only ever used with stateful filter rules


# 1.375 13-May-2003 henning

userland part for tagging.
it's now possible to tag packets with an arbitrary tag and filter based on
that tag later on other interfaces:
pass in quick on fxp0 keep state tag blah
pass out quick on wi0 keep state with tag blah
can be used to express trust between interfaces, to distinguish between
NATed connections and connections originating from the firewall itself
and much more

ok dhartmei@ frantzen@ pb@ mcbride@


# 1.374 11-May-2003 mcbride

Don't ntohs() the translation port for nat as it is already in host byte order.
Makes nat ... -> $ext_if port 500 rules work correctly again.

ok henning@ dhartmei@ frantzen@


# 1.373 10-May-2003 henning

support loading of anchors from within the main ruleset via
load anchor anchorname:rulesetname file /path/to/file

ok pb@ dhartmei@ cedric@


# 1.372 03-May-2003 henning

don't free() the char * carrying the rule label too early
noticed by Mathieu Sauve-Frankel <m.sauve at secureops.net> via silc


# 1.371 01-May-2003 henning

ease label handling

ok cedric@


# 1.370 01-May-2003 henning

allow label on antispoof; requested by Gregor Binder <gbinder at sysfive.com>

ok cedric@


# 1.369 30-Apr-2003 cedric

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@


# 1.368 25-Apr-2003 dhartmei

Properly copy the second part of nat proxy port range, when specified.
ok henning@


# 1.367 15-Apr-2003 henning

pass down the unparsed queue opts (struct node_queue_opt) to
print_altq/print_hfsc -> print_hfsc_opts and extract struct node_hfsc_sc
there for each service curve and pass those down to print_hfsc_sc. now
bandwidth specifications in the service curves are printed correct in the
case of a queue belonging to more than one interface/parent queue, the
parent queues having different bandwidths and the bandwith on teh service
curve beeing specified in percent.


# 1.366 14-Apr-2003 henning

let print_altq and print_queue take a struct node_queue_bw parameter instead
of distinct bw_percent


# 1.365 13-Apr-2003 henning

KNF


# 1.364 13-Apr-2003 henning

prevent double service curve specification


# 1.363 13-Apr-2003 henning

add support for the HFSC linkshare, realtime, and upperlimit service curves
to be specified.


# 1.362 13-Apr-2003 dhartmei

unbreak (missing })


# 1.361 13-Apr-2003 henning

say bye bye to hfscflags_list and hfscflags_item
welcome hfscopts_list and hfscopts_item, returning a full struct
node_hfsc_opt instead of just an int for the flags. needed because of all
the opts hfsc knows


# 1.360 13-Apr-2003 henning

new struct node_hfsc_opts for, surprise, hfsc options. needed because they
contain bandwidth specifications and we need to carry the unprocessed bw
specs around for quite some time until we can break them down to absolute
values.


# 1.359 13-Apr-2003 henning

pass down the struct node_queue_opts from the altqif/queuespec yacc targets
to expand_altq/expand_queue -> eval_pfaltq/eval_pfqueue and
further down to the new eval_queue_opts() instead of evaluating them directly
in the yacc grammar.
this will be needed to process the hfsc options which can contain relative
bandwidth specifications, and we can't break them down to an absolute one
earlier.


# 1.358 13-Apr-2003 henning

move the structs node_queue_bw and node_queue_opt to pfctl_parser.h.
let eval_pfqueue() and eval_pfaltq() take a pointer to a struct
node_queue_bw instead of two distinct bw_absolute and bw_percent parameters.


# 1.357 13-Apr-2003 henning

move the bandwidth keyword from within the bandwidth target up to the
queue_opts target so the bandwidth parser can be used for other things too;
will be needed for hfsc's linkshare etc


# 1.356 12-Apr-2003 henning

initial support for the HFSC scheduler.
whoever uses that for more than toying around is on drugs. it's far from done.


# 1.355 11-Apr-2003 henning

KNF


# 1.354 11-Apr-2003 henning

don't set r->qid and r->pqid in expand_rule any more, queue name -> queue ID
mapping is done in kernel land now


# 1.353 07-Apr-2003 dhartmei

Catch and refuse invalid icmp codes (> 255). ok pb@, mpech@.


# 1.352 05-Apr-2003 henning

ease netmask handling a bit

input theo, ok dhartmei@


# 1.351 05-Apr-2003 henning

allow queue specs to be limited to certain interfaces.

altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two }
queue one priority 1 priq(default)
queue two on $if0 priority 15
queue two on ! $if0 priority 0

ok dhartmei@


# 1.350 05-Apr-2003 henning

whitespace KNF


# 1.349 04-Apr-2003 henning

clean up:
instead of letting the lexer interpret '<' '>' '=' '>=' '<=' and return them
as PF_OP_LT, PF_OP_GT etc etc etc in PORTUNARY, just let the lexer return
'<' '>' and '=' literally, and in the few cases where the old PORTUNARY was
really used like originally intended, replace that by a new unaryop yacc
target. in all other cases that gets rid of quite some checks whether PORTUNARY
is really < and nothing else etc etc etc.

ok cedric@ deraadt@


# 1.348 27-Mar-2003 henning

lotsa const char *
from David Hill <david at phobia.ms> a while ago


# 1.347 27-Mar-2003 henning

introduce a "yesno" target. eases code a bit and yes is no keyword any more.


# 1.346 27-Mar-2003 henning

handle invalid priq/cbq flags better and give a nice error message


# 1.345 27-Mar-2003 henning

default, borrow, ecn, red and rio are no keywords any more. use STRING and
strcmp instead.


# 1.344 27-Mar-2003 henning

switch symset/symget to TAILQ instead of using hand baked lists

ok dhartmei@ cedric@


Revision tags: OPENBSD_3_3_BASE
# 1.343 19-Mar-2003 henning

branches: 1.343.2;
kill the address token and move the host() invocation up to the host token,
so that host() always gets the full address to be parsed including the
netmask instead of applying the netmask afterwards. this could break some
edge cases and was broken since the (interface)/24 fix.
new token dynaddr for, well, dynaddr, and apply an eventually given netmask
afterwards in the host token just in this case.

found after bug report From: Julien Bordet <zejames@greyhats.org> via dhartmei

ok daniel cedric


# 1.342 10-Mar-2003 henning

correctly cope with errors returned by eval_pfqueue and pfctl_add_altq

ok dhartmei@ pb@ (as part of... you know, monsterdiff)


# 1.341 10-Mar-2003 henning

when complaining about a queue without parent, include the queue name in
the error message

ok dhartmei@ pb@ (as part of a monsterdiff)


# 1.340 09-Mar-2003 henning

cope with LOOP_THROUGH modifying the list (queues).
in case of an error in the queue def in question the queues list remains
unmodified, but the LOOP_THROUGH caused a mod anyway, and the list can stay
empty. subsequent checks for NULL which check for an empty list fail then.
fix by adding an explicit check before looping.
fixes regress pfail31
error report by Kamil Andrusz via pb@, testcase from pb@
ok dhartmei@


# 1.339 09-Mar-2003 henning

cope with the fact that LOOP_THROUGH loops once even if the list is empty by
moving the addition of child queues a bit down after the successful
addition of the current queue and an explicit NULL check before looping.
fixes regress pf59
found by kjc@
ok kjc@ cedric@ dhartmei@


# 1.338 08-Mar-2003 henning

fix the obvious:
since we do not modify the struct pf_altq *a any more but our private copy,
we can of course not inherit the scheduler type from it, since it did not
inherit the scheduler type from the parent.
so just inherit the scheduler type from the parent directly...

ok dhartmei@ cedric@


# 1.337 08-Mar-2003 henning

in expand_queue, make a private copy of the struct pf_altq before modifying
it. modifying the original one had undesired side effects if a queue was
expanded to more than one because it belonged to more than one interface

ok pb@ cedric@ dhartmei@


# 1.336 06-Mar-2003 henning

fix queue assignment on filter rules which are not bound to an interface.
when looking up the queue IDs using qname_to_qid, we do not need to limit
the matching on the interface in question, as it is guaranteed that same
named queues on different interfaces have the same queue id. moreover, we
must not limit the matches to the interface if we do not have an interface
given on the filter rule to match on ;-)

found after problems reported by Andre Nathan <andre at v2r dot com dot br>

ok dhartmei@ pb@ cedric@


# 1.335 02-Mar-2003 henning

when printing queues at load time that have bandwidth specified in percent,
print the bandwidth in percent instead of the calculated absolute value.
if a queue belongs to more than one interface and they have different
bandwidth the calculated absolute is of course different per interface.
previously the first calculated absolute value was shown; what of course is
incorrect on the second interface. note that only the print was wrong, the
correct values were passed to the kernel.

ok theo daniel


# 1.334 02-Mar-2003 henning

remove the control keyword for cbq queues.
the control class was a legacy of the original CBQ design by LBL/Sun
to support RSVP.
the control class is not used in openbsd, in the sense that
we don't automatically set filters for ICMP/IGMP/RSVP for the control
class.

ok dhartmei@ kjc@ deraadt@


# 1.333 27-Feb-2003 david

modify error message to match the same 7 sections in pf.conf(5)
ok deraadt@ henning@


# 1.332 26-Feb-2003 henning

in expand_rule, correctly set r->pqid if a priority queue was defined, and
reuse the value of r->qid if not.

ok dhartmei@ mcbride@


# 1.331 25-Feb-2003 henning

some minor KNF my fingers just did...

ok dhartmei@ cedric@


# 1.330 25-Feb-2003 cedric

repair/simplify/flexify binat userland.
ok dhartmei@ henning@


# 1.329 24-Feb-2003 henning

when a macro is redefined, don't bother with reusing the existing entry in
symset() but just prepend a new sym entry to symhead like we always did. as
symget searches the list sequentially, the newest one is picked first.
prevents an endless loop introduced when trying to reuse the existing entry
by an invalid setting for the next pointer.
fixes regress test pf57.

found after conversation with Chris Linn, celinn at mtu dot edu

ok dhartmei@ cedric@


# 1.328 21-Feb-2003 henning

re-allow set loginterface none
ok cedric@ dhartmei@


# 1.327 21-Feb-2003 henning

better error message if set loginterface is called with nonexistent
interface, found by krause (who is doing EXCELLENT work. Thank you very
much!), fix by me, ok dhartmei@ and cedric@


# 1.326 20-Feb-2003 henning

reject nonexistent interfaces in the dynaddr case, noticed during discussion
with jasondixon at myrealbox dot com

ok dhartmei@


# 1.325 19-Feb-2003 dhartmei

Make 'from (kue0)/24' work again (dynamic interface name translation with
a /prefix), reported by Jason Dixon. ok henning@


# 1.324 19-Feb-2003 henning

better error message on icmp version / address family mismatch

ok markus@


# 1.323 18-Feb-2003 henning

fix load option handling (-A, -N, -R) for options.
due to a bug in the loadopt check options were always loaded no matter which
loadopts were specified.
while being there, move the prints for that to where they belong, into the
appropriate pfctl_set_* functions, and thus only print when the options are
actually loaded.
fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier.

ok dhartmei@


# 1.322 17-Feb-2003 henning

"optarg" was a bad pick for the variable name in pfctl_cmdline_symset, it
shadows a global. rename.


# 1.321 17-Feb-2003 mpech

-#include <sys/ioctl.h>

mcbride@, dhartmei@ ok


# 1.320 16-Feb-2003 henning

unneeded {}


# 1.319 16-Feb-2003 henning

throw a syntax error if the portunary operator in varset is no '='
extif>"whatever"
should not be the same as
extif="whatever"
but a syntax error.


# 1.318 14-Feb-2003 dhartmei

Allow route-to loopback interfaces again, since Ryan fixed the loops that
might have occurred before.


# 1.317 14-Feb-2003 cedric

Better and more consistent error message.
Ok dhartmei@


# 1.316 13-Feb-2003 henning

ease the yacc a bit by using a "not" rule instead of having two rules w/ and
without '!' everywhere

ok dhartmei@


# 1.315 12-Feb-2003 henning

KNF after ryan


# 1.314 12-Feb-2003 mcbride

Simplify the code and make the parser handle the different rule types
more consistently.

- Merge expand_nat and expand_rdr into expand_rule
- Merge rdrrule token into natrule

ok concept henning@
ok dhartmei@


# 1.313 11-Feb-2003 henning

allow macro definition on the command line:
pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea
theo), very handy if your notebook has another NIC at some conference, as
well as for debugging etc.
idea rezine@mistrusted.net via pb@
hacked live at FOSDEM

ok pb@ dhartmei@ cedric@


# 1.312 09-Feb-2003 henning

more live code from FOSDEM:
make
pass in proto tcp to port 80
work.
-allow to omit the "any" if you're specifying a port
-allow to omit the from or to part if you want "any" for the other

ok dhartmei@ pb@


# 1.311 09-Feb-2003 henning

KNF


# 1.310 09-Feb-2003 camield

Fix a few warnings and remove unnecessary check and cast.

ok dhartmei henning


# 1.309 08-Feb-2003 dhartmei

Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@


# 1.308 05-Feb-2003 cedric

Fix "pass out dup-to (tun0 1.1.1.1) inet6 all" error message
Allow "pass out dup-to tun0 all"
ok mcbride@ henning@


# 1.307 05-Feb-2003 mcbride

Set the network mask to all 1's if no address is specified for a
route-to/dup-to/reply-to rule. Keeps round-robin from incrementing through
the entire address space.

ok dhartmei@


# 1.306 03-Feb-2003 deraadt

pretty


# 1.305 03-Feb-2003 dhartmei

Don't allow loopback interfaces as route/reply/dup-to targets. ok henning@


# 1.304 03-Feb-2003 cedric

remove loadopt global definition and cleanup a bit.
ok henning@


# 1.303 03-Feb-2003 henning

fix a problem with queue definitions when load options (like -N etc) are
given; they used to check for their parent interface/queue even in this
case.

ok dhartmei@ cedric@


# 1.302 02-Feb-2003 henning

there is no need to pass opts to parse_rules explicitly; it's passed as
part of the struct pfctl.


# 1.301 27-Jan-2003 deraadt

KNF


# 1.300 25-Jan-2003 mcbride

Match changes for rdr port ranges made to pf.c:
- fixes behaviour of rdr on le0 from foo to bar port 1:20 -> (lo0) port 22
- makes calculated mapping more explicit for the -> (lo0) port 22:* case

testing from dhartmei@

ok dhartmei@


# 1.299 25-Jan-2003 cedric

Fix NOACTION with table statements.


# 1.298 25-Jan-2003 cedric

Permit initialisation of a table content from a file in pf.conf.
Cleaning up of the table options parsing, more flexible.
idea+cleanup deraadt@, ok dhartmei@, pass all regress tests.


# 1.297 25-Jan-2003 cedric

Correctly check illegal constructs with tables. Better error messages.
ok dhartmei@ pass all regress tests.


# 1.296 25-Jan-2003 henning

if a table name is too long, it's actually nice to tell so instead of just
aborting with a syntax error


# 1.295 20-Jan-2003 camield

Remove unused argument from print_name() and fix two other nits
found by lint.

ok henning


# 1.294 19-Jan-2003 camield

Spin off label string expansion into a separate function. Clarifies
and tightens all expand_label functions.

ok dhartmei henning


# 1.293 18-Jan-2003 henning

KNF after ryan...


# 1.292 18-Jan-2003 mcbride

Add missing token string and assignment to make static-port work for real.

Diff and report courtesy of mpech@ and form@

ok dhartmei@


# 1.291 17-Jan-2003 camield

bandwith -> bandwidth

YYERROR on failed parseicmpspec()

ok dhartmei mcbride henning


# 1.290 15-Jan-2003 mpech

Typo in yyerror().

henning@


# 1.289 14-Jan-2003 henning

unified IP parser:
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h]
-extend host() to handle /mask itself, plus minor adjustments
-use that in pfctl_table.c instead of coding the same shit again

discussed w/ cedric@
ok cedric@ dhartmei@


# 1.288 13-Jan-2003 camield

err() on all memory allocation failures

ok henning dhartmei


# 1.287 11-Jan-2003 mcbride

Whitespace KNF


# 1.286 09-Jan-2003 henning

no need for explicit numbering in enums

ok dhartmei@


# 1.285 09-Jan-2003 dhartmei

Check return values on the remaining strlcpy/strlcat. ok henning@


# 1.284 09-Jan-2003 henning

minor KNF


# 1.283 09-Jan-2003 cedric

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@


# 1.282 08-Jan-2003 deraadt

check more strlcpy; camield@


# 1.281 07-Jan-2003 dhartmei

Allow underscore at the beginning of strings, fixes
pass all user _spamd
which was refused as syntax error before. Reported by Joe Nall.
ok henning@


# 1.280 07-Jan-2003 dhartmei

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@


# 1.279 06-Jan-2003 mcbride

Fix some oversights with address pools for route-to/dup-to/reply-to
- copy key for src-hash
- copy pool type (pools were being set to round-robin in all cases)

+ some minor knf.

ok dhartmei@


# 1.278 05-Jan-2003 henning

err after calloc failure, not errx


# 1.277 05-Jan-2003 dhartmei

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@


# 1.276 04-Jan-2003 dhartmei

move noroute from flag in pf_rule_addr into type in pf_addr_wrap.
ok henning@, mcbride@


# 1.275 04-Jan-2003 deraadt

I do not know where this policy of "one .h file for every .c file" comes
from, but whoever thought of it is stupid.


# 1.274 03-Jan-2003 dhartmei

whitespace KNF (no, i don't touch the option inits)


# 1.273 03-Jan-2003 cedric

Bring in userland code for accessing PF radix tables.
ok dhartmei@ mcbride@


# 1.272 02-Jan-2003 mcbride

Require a direction to be specified for rules which do routing.

ok dhartmei@ henning@


# 1.271 30-Dec-2002 mcbride

Change ipv6-icmp-type to icmp6-type. pf.conf files will need to be adjusted
to reflect this.

ok dhartmei@ henning@


# 1.270 27-Dec-2002 mcbride

Since pf_norm.c looks at rule.log to see if it should log packets being
dropped due to scrub violations, this adds the ability to set this in
pf.conf.

ok henning@


# 1.269 21-Dec-2002 henning

always initialize rpool.key; diff from Frank Denis; KNF by me


# 1.268 21-Dec-2002 henning

KNF


# 1.267 20-Dec-2002 dhartmei

remove a redundant assignment.


# 1.266 19-Dec-2002 dhartmei

fix 'no rdr'.


# 1.265 18-Dec-2002 henning

more KNF


# 1.264 18-Dec-2002 dhartmei

proto list expansion is not supported in binat-anchor yet, print an error
when attempted.


# 1.263 18-Dec-2002 dhartmei

Support (single) destination port in rdr-anchor rules. Print an error
where parameters are not supported (in rdr-anchor and binat-anchor) yet.
If those are needed, we'll have to expand them properly.


# 1.262 18-Dec-2002 deraadt

fix some INCREDIBLE new bugs which were introduced


# 1.261 17-Dec-2002 henning

add support for the PRIQ scheduler

partially from kjc@

ok kjc@ dhartmei@


# 1.260 17-Dec-2002 mcbride

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule

ok dhartmei@ henning@


# 1.259 17-Dec-2002 henning

missing break in switch


# 1.258 17-Dec-2002 henning

beautify the %type block


# 1.257 17-Dec-2002 henning

PRIQ and HFSC support functions, not yet used.
mostly from kjc@ with adjustments by me.

ok theo ryan daniel


# 1.256 16-Dec-2002 henning

only create a root queue if scheduler = cbq


# 1.255 16-Dec-2002 henning

get full [scheduler]_opts struct instead of just .flags, and wrap in into a
switch (scheduler) statement in one case

inspired by kjc@


# 1.254 13-Dec-2002 henning

allow a second queue for higher prioritized (currently: tos=lowdelay) packets
to be specified per rule

queue (qname, priorized_qname)

idea dhartmei
ok dhartmei@ frantzen@ deraadt@


# 1.253 13-Dec-2002 henning

a bit KNF originally part of another diff soon to come; frantzen@ correctly
pointed out that should be a separate commit.


# 1.252 13-Dec-2002 deraadt

permit re-ordering of some scrub parameters, and also clean up some other
grammar baloney; henning ok


# 1.251 12-Dec-2002 henning

KNF


# 1.250 12-Dec-2002 henning

we don't need to keep a private copy of the queue name in expand_rule,
r->qname is never modified

discussed with dhartmei@


# 1.249 11-Dec-2002 mcbride

Replace strncpy + ugly pointer math with sscanf for reading source-hash keys

ok dhartmei@ henning@


# 1.248 09-Dec-2002 dhartmei

(properly guarded) strcpy() -> strlcpy()


# 1.247 09-Dec-2002 deraadt

do not allow redefinitions in variable option blocks; henning ok


# 1.246 08-Dec-2002 henning

strncpy is evil.


# 1.245 08-Dec-2002 henning

allow flexible options order like Theo did for rules.

idea, lots of input, motivation and ok deraadt@

ATTENTION:
this changes the syntax. the "scheduler" keyword is gone now.
old: altq on $interface scheduler cbq ...
new: altq on $interface cbq ...


# 1.244 07-Dec-2002 dhartmei

Support parameters in anchor rules. Allows conditional evaluation, like:

anchor spews inet proto tcp from any to any port smtp

ok deraadt


# 1.243 07-Dec-2002 henning

more KNF


# 1.242 07-Dec-2002 henning

KNF


# 1.241 07-Dec-2002 henning

shadow cleanup

ok mcbride@ frantzen@


# 1.240 07-Dec-2002 henning

kill an unused param to lungetc


# 1.239 07-Dec-2002 mcbride

Convert the hash of a string key to network byte order. Makes regression
work on all platforms.

Bug found by dhartmei@

ok dhartmei@ henning@


# 1.238 06-Dec-2002 dhartmei

Remove negated address list check again, doesn't work right yet.


# 1.237 06-Dec-2002 dhartmei

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@


# 1.236 05-Dec-2002 henning

fix a small cosmetic problem. if ifa_lookup was called in LOOKUP_NET mode,
it would return things like 127.0.0.1/8. when 127.0.0.1/8 is passed through
the new selftests, it becomes 127.0.0.0/8.
fix: instead of just copying addr.mask in ifa_lookup, use set_ipmask, so it
is 127.0.0.0/8 from the beginning on.


# 1.235 05-Dec-2002 henning

-quote varset in -v output
-don't add 's' in set timeout -v output

makes the feedback regression tests succeed.

ok markus@ mcbride@


# 1.234 04-Dec-2002 henning

in host(), apply a given netmask to all members of the node_host list
returned by ifa_lookup().

reported by Alejandro G. Belluscio

ok dhartmei@


# 1.233 04-Dec-2002 deraadt

do not warn for unused variables except with -v -v; henning ok


# 1.232 02-Dec-2002 henning

KNF


# 1.231 02-Dec-2002 deraadt

permit more flexible pass/block lines. the options given at the end of
a line can now be placed in any order, and some merging of duplicate options
is also done. this is easier to use.


# 1.230 02-Dec-2002 henning

allow for "altq on $interface" without specifying a bandwidth. The
interface's bandwidth is taken then.
as a side-effect, "altq on $interface bandwidth xx%" is also possible now,
it's relative to the interface's bandwidth then.

ok theo


# 1.229 30-Nov-2002 mickey

move damn unmask() proto into place as well


# 1.228 29-Nov-2002 henning

coredumps are not nice.
deal with the fact that when we are merging the lists in host_list both can
be NULL.
found at EuroBSDCon 2002 while I was explaining the expansion process to
Paul de Weerd

ok dhartmei@


# 1.227 29-Nov-2002 henning

print queuespec only once in verbose mode, even if referenced more often


# 1.226 29-Nov-2002 henning

FREE_LIST nqueues later; can be used more than once


# 1.225 28-Nov-2002 henning

allow qlimit on altq spec


# 1.224 28-Nov-2002 mcbride

- Adjust to match replacement of md5 with pf_hash
- Allow keys to be specified in hex (must be 128 bits, mainly to make
pfctl -v output parseable by pfctl) or as a string. Randomly generate key
if one is not specified.

Suggestions and fixes from camield@

ok mickey@ camield@ henning@


# 1.223 27-Nov-2002 henning

handle the "no bandwidth specified" case earlier and easier.


# 1.222 27-Nov-2002 henning

-use a #define for default qlimit instead of hardcoding it
-print qlimit in print_queue if it is not the default one
-assign the default qlimit early in the parser instead of using 0


# 1.221 27-Nov-2002 henning

next round in print fixes:
-only print priority if it is not equal to the default one
-space handling overhaul


# 1.220 27-Nov-2002 henning

use a #define for default priority instead of hardcoding it


# 1.219 27-Nov-2002 henning

fix tbrsize spec


# 1.218 27-Nov-2002 henning

fix error message for altq ifspec without child queues


# 1.217 26-Nov-2002 henning

make bandwidth specification on queue truly optional


# 1.216 26-Nov-2002 henning

queue comes before NAT


# 1.215 25-Nov-2002 henning

repair decide_address_family
you cannot just take the first address family you meet as rule's address
family... either all are equal, or the rule has no explicit AF.

found by danh@
ok theo


# 1.214 25-Nov-2002 mickey

for loN and link1 translate the iface into address properly; henning@ ok


# 1.213 25-Nov-2002 henning

1Kb = 1000b, not 1024; as discussed with kjc@ and theo


# 1.212 25-Nov-2002 henning

KNF


# 1.211 24-Nov-2002 pb

enforce that queue comes right before filtering
'options, normalization, translation, queue, filter' now

henning@ ok


# 1.210 24-Nov-2002 dhartmei

Cosmetics and removal of a redundant code block.


# 1.209 23-Nov-2002 deraadt

sigh


# 1.208 23-Nov-2002 henning

KNF


# 1.207 23-Nov-2002 henning

better error checking in expand_queue


# 1.206 23-Nov-2002 henning

easier


# 1.205 23-Nov-2002 mcbride

Daniel's diff to untangle my mess with ifa_pick_ips like so:

- add decide_address_family() which runs through the list to find hosts
with the af set
- replace ifa_pick_ips with remove_invalid_hosts() which removes hosts with
the wrong address family from the list

from/ok dhartmei@


# 1.204 23-Nov-2002 henning

better error checking, round 1
this time in expand_altq


# 1.203 23-Nov-2002 henning

KNF


# 1.202 23-Nov-2002 deraadt

KNF


# 1.201 23-Nov-2002 dhartmei

$$->ifname is NULL, leave it NULL, don't $$->ifname[0] = 0;


# 1.200 23-Nov-2002 mcbride

Fix brokenness in parse.y, clean up:
- remove requirement for ( ) in route-to ( if )
- calloc route_host
- initialise route_host->next
- globally convert malloc to calloc

ok dhartmei@


# 1.199 23-Nov-2002 mcbride

code to support loading of pf rules with multiple redirection addresses
(in nat, rdr, route-to, dup-to and reply-to)

Syntax looks like this, see pf.conf(5) for details:

nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
192.168.0.16/29 source-hash random

rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
{ 192.168.0.8/31, 192.168.0.15 } port 22 round-robin

ok dhartmei@ henning@


# 1.198 22-Nov-2002 henning

print altq and queue lines in the pfctl -v case including the child queue
assignment


# 1.197 19-Nov-2002 henning

only take cbq opts from schedtype if type=CBQ


# 1.196 19-Nov-2002 henning

repair queuespec syntax glitch, theo agrees


# 1.195 19-Nov-2002 henning

default priority is 1, not 0
found by pb@


# 1.194 19-Nov-2002 camield

- match 'Gb' case-sensitively
- match "%" unit only, not "%crap"

ok henning@


# 1.193 19-Nov-2002 wilfried

icmp-type was off by one, ok henning@


# 1.192 18-Nov-2002 deraadt

no; do not use };


# 1.191 18-Nov-2002 henning

more using strl* return values instead of strlen calls


# 1.190 18-Nov-2002 henning

easier "queue name too long" detection; from theo


# 1.189 18-Nov-2002 deraadt

KNF


# 1.188 18-Nov-2002 deraadt

KNF


# 1.187 18-Nov-2002 henning

altq and pf merged

this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documentation yet, but committing now
enables a few more people to work on.

print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.

"commit now" theo philipp daniel


# 1.186 13-Nov-2002 henning

as scrub rules end up in a struct pf_rule just call expand_rule instead of
handcrafting this.
has quite a few positive side effects:
-interface list expansion works (fries@ asked for that)
-can specify address family, very helpful with dynamic interface expansion
(pointed out by daniel)
-src/dst ip/port list expansion works
-fixes a long standing, scary, though never noticed bug:
scrub out on lo1 from any to 10.0.0.1
expanded to
scrub out on lo1 all
... this bug was there from day #1.

"sneaky diff of the month award" dhartmei@


# 1.185 13-Nov-2002 dhartmei

Add label macro $if, as we support {} list expansion for interfaces now.
From David Gwynne. ok henning@, camield@


# 1.184 13-Nov-2002 dhartmei

Initialize tail pointer to node, found by fries@


# 1.183 08-Nov-2002 henning

init buf to NULL just in case...
there isn't a single codepath where it can remain uninitialized, but this
might prevent a stupid bug if we change something later


# 1.182 07-Nov-2002 henning

move the ifa_exists block a bit up in host()
inspired by mpech@ pointing out a missing free(buf). so handle the
it-is-an-interface case where we don't need the buf before allocating memory.


# 1.181 04-Nov-2002 henning

welcome to CIDR world, pfctl!

use inet_net_pton to parse IP addresses.
stuff like
block in from 10/8 to any
works now.

some input camield@ and dhartmei@

ok dhartmei@, camield@, mcbride@


# 1.180 02-Nov-2002 dhartmei

%i -> %d, matches the style of existing code, from millert@


# 1.179 02-Nov-2002 dhartmei

printf int with %i, not %u. from pilot@monkey.org.


# 1.178 30-Oct-2002 henning

simplify


# 1.177 30-Oct-2002 henning

fix interface expansion. since the reversed list expansion code was
committed this was broken, only the first IP address was returned.

pointed out by danh@, who sent an excellent bug report.

ok dhartmei@


# 1.176 29-Oct-2002 henning

introduce
set require-order [yes|no]
default is yes.
with set to "no", it isn't required to have the rules in order (options,
scrub, nat, filter) any more, though of course NATing still happens before
filtering and so on, so one has to take care.

ok camield@ mcbride@ dhartmei@
idea discussed with a whole lotta more people and basically ok for everyone ;-)


# 1.175 27-Oct-2002 henning

remove the "flags X" syntax.
no one who wrote "flags S" meant that, but actually something like "flags
S/SA". with "flags S" changing its actual meaning as more flags got
supported, things got worse.

ok dhartmei@, pb@


# 1.174 22-Oct-2002 mpech

%ul -> %lu

dhartmei@ ok


# 1.173 22-Oct-2002 mcbride

More conversion of "int af" and "u_int8_t af" declarations and function
arguments to the more correct and descriptive "sa_family_t af"

ok dhartmei@ henning@


# 1.172 22-Oct-2002 camield

Rename ipmask to set_ipmask and add some functionality: the netmask
is applied immediately to the address.

This way, the parsed rules output shows exactly which bits of an
address are significant for a match and errors due to wrong netmasks
can be spotted more easily.

Example:
$ pfctl -nvf -
pass in on lo0 from 172.17.0.0/12 to any
@0 pass in on lo0 inet from 172.16.0.0/12 to any

idea refined by dhartmei@
ok frantzen@ henning@


# 1.171 17-Oct-2002 mcbride

These checks are also made in nat_consistent() and rdr_consistent().

ok dhartmei@ henning@


# 1.170 17-Oct-2002 camield

- accept all protocols that are specified by number if they are in
the valid range (also when they're not listed in /etc/protocols)
- explicitly disallow protocol number 0, because it has special meaning
to pf

ok dhartmei@ henning@


# 1.169 16-Oct-2002 mpech

Fix and improve binat mask comparison.

dhartmei@, henning@ ok


# 1.168 14-Oct-2002 henning

Allow one to specify a netblock in a binat rule:

binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27

Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.

from ryan

ok dhartmei@


# 1.167 11-Oct-2002 camield

When a macro cannot be expanded because it is not defined, say so. Also warn
about unused macros.

ok dhartmei@ henning@


# 1.166 11-Oct-2002 camield

In lgetc(), compress strings of whitespace to a single space. This makes
macros come out right in verbose mode and is less functional overhead.

Also err on whitespace after a backslash. That type of error is hard to
find otherwise.

ok dhartmei@ henning@


# 1.165 08-Oct-2002 vincent

remove <0 checks on unsigned numbers.

ok henning@


# 1.164 07-Oct-2002 dhartmei

-Wsign-compare clean


# 1.163 07-Oct-2002 dhartmei

Two cases of const-correctness and make one global local.


# 1.162 07-Oct-2002 henning

set block-policy [drop|return]
drop is default, same behaviour as before

support
block drop
to override a return policy


# 1.161 07-Oct-2002 henning

support a generic return
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else

ok dhartmei@


# 1.160 07-Oct-2002 henning

make return-icmp work for rules covering both v4 and v6
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)

ok and some input dhartmei@


# 1.159 07-Oct-2002 henning

use a new rule_flag PFRULE_RETURNICMP to decide whether to return-icmp or not
instead of just testing return_icmp > 0

ok dhartmei@


# 1.158 07-Oct-2002 dhartmei

Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.


# 1.157 06-Oct-2002 dhartmei

Move CHECK_ROOT into LOOP_THROUGH, gets rid of one macro and saves
several lines, no functional difference. From Camiel Dobbelaar.


# 1.156 05-Oct-2002 dhartmei

Expand {} lists from left to right, so 'pass in from { a, b } to any'
becomes '@0 pass in from a to any @1 pass in from b to any' instead of
the other way around. Patch from Camiel Dobbelaar.


# 1.155 05-Oct-2002 dhartmei

Allow filtering based on IP header's tos field.


Revision tags: OPENBSD_3_2_BASE
# 1.154 22-Sep-2002 henning

little KNF: return(something) -> return (something)


# 1.153 22-Sep-2002 henning

fix linenumber counting in findeol, and simplify by ignoring the \ case,
that's already handled earlier.
fast-forward on erroneous lines

partially from camield@, parts result of a discussion with Mike

ok frantzen@ dhartmei@


# 1.152 22-Sep-2002 henning

antispoof, take 2.
also block incoming packets with our own IP as src.

discussion & help frantzen

ok ho@ dhartmei@ frantzen@


# 1.151 17-Sep-2002 henning

easier "self" implementation.
no functional changes

ok pb@


# 1.150 15-Sep-2002 henning

set a netmask in the dynaddr case
noticed by <han@mijncomputer.nl>

ok pb@


# 1.149 14-Sep-2002 henning

bit more clue in rdr/nat rules wrt address family examination
don't take the af from host_node structs based on interface lookups, most
interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will
at least have one IP address specified from which we take the af for the
whole rule. The rare exceptional cases require the user to specify the af.

ok frantzen@


# 1.148 12-Sep-2002 henning

check for calloc() failure; ho@


# 1.147 12-Sep-2002 henning

antispoof [log] [quick] for [interface|interface_list] [af]

e.g.

antispoof log quick for { dc0, dc1 } inet

docs & regress coming

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@
IPv6 help itojun@

finally, a long story finds its happy end here.


# 1.146 12-Sep-2002 henning

rework netmask handling:
-don't set netmask in host token handler
-clear netmask in ipmask() proper before setting it
-in ifa_load(), also store interface's netmask and broadcast address
-allow ifa_lookup() to return either the interface's IP address(es), network(s)
or broadcast address(es) - not used anywhere yet. This implies that
ifa_lookup() also returns the netmask now.
-host() returns netmasks, too

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@


# 1.145 08-Sep-2002 henning

be more clueful wrt address family in nat/rdr rules.
behaviour noticed by Paul de Weerd, thanks!

ok dhartmei@


# 1.144 02-Sep-2002 dhartmei

Fix parsing of port ranges in translation rules (port a:b -> port c:d).
ok henning@


# 1.143 02-Sep-2002 dhartmei

Make sure the interface specified with route-to/dup-to/fastroute exists
and null-terminate the interface name. Found by Michael Wallis.
ok henning@


# 1.142 20-Aug-2002 dhartmei

Increase lineno on newlines inside multi-line macro definitions, otherwise
errors on subsequent lines are reported with wrong line numbers.
From Paul B. Henson.


# 1.141 16-Aug-2002 henning

kill duplicated check for '(' and ')' in allowed_in_string


# 1.140 12-Aug-2002 dhartmei

Catch null pointer deref (segfault), from wilfried@


# 1.139 06-Aug-2002 henning

missing free(), mpech@
ok pb@


# 1.138 06-Aug-2002 henning

check for strdup() allocation errors

pointed out by mpech@
ok pb@


# 1.137 31-Jul-2002 henning

KNF, esp. missing prototypes


# 1.136 30-Jul-2002 henning

grmpf.
in some cases, on non-tcp rules flags weren't reset. cosmetic-only
problem. but, well, checking for r->flags and r->flagset if we could have
assigned them zero just one round ago is just stupid, and it's not needed to
check them at all.

ok pb@, dhartmei@


# 1.135 30-Jul-2002 henning

allow to specify flags on all rules that include tcp.

these are valid:

pass in from any to any flags S
pass in proto { tcp, udp, icmp } from any to any flags S
pass in proto tcp from any to any flags S

these are invalid:

pass in proto { udp, icmp } from any to any flags S
pass in proto udp from any to any flags S

ok "I've lost my slacker status for at least a week" frantzen@
ok pb@, dhartmei@, deraadt@


# 1.134 26-Jul-2002 henning

make the order of log and quick irrelevant. now both
block in log quick all
and
block in quick log all
work.

ok dhartmei@, deraadt@


# 1.133 23-Jul-2002 henning

timeout_list/_spec and limit_list/_spec don't return anything -> no %type.

ok theo


# 1.132 21-Jul-2002 deraadt

fix route-to also


# 1.131 21-Jul-2002 deraadt

make the , optional in many places. This makes string concat a lot more
useful. Now you can
in = ssh domain www
out = $in ftp finger
pass in proto tcp from any to any port { $in }
pass out proto tcp from any to any port { $out }
a poor example, but the idea is obvious


# 1.130 21-Jul-2002 deraadt

string concat, ie.
a=a b
c=$a $a


# 1.129 20-Jul-2002 deraadt

minor indent tweaks


# 1.128 20-Jul-2002 deraadt

properly split yacc and lex use


# 1.127 19-Jul-2002 deraadt

minor tweaks, sigh


# 1.126 19-Jul-2002 dhartmei

And back out the last change again.


# 1.125 19-Jul-2002 henning

rework the interface lookup routines internals.
less and easier code than before.
no functional changes.

ok frantzen@, dhartmei@


# 1.124 19-Jul-2002 dhartmei

Support # comments at the end of lines and inside (multi-line) string
literals, so you can do things like

macro="{ foo, # first entry
bar, # second entry
baz }" # last entry

or

pass in on $ext_if \ # external interface
proto tcp \ # TCP connections
from any to $ext_if \ # to the gateway itself
keep state

And sneaking in two minor fixes for KNF.


# 1.123 19-Jul-2002 henning

deal with the fact that the struct node_host ifa_pick_ip gets is not always
the result of an interface expansion. in this case ifa_pick_ip does an
address family check (that's actually a (wanted) side effect). Thus, we need
to spit out a meaningful error message in case of a mismatch.
also adjust all the other error messages, they were also assuming that nh is
the result of an interface expansion.
after a looooong discussion on icb (dhartmei@, pb@, me) we agreed on the term
"translation address" for that.

okay dhartmei@


# 1.122 17-Jul-2002 henning

support "self" as address. self expands to all IPv4 and IPv6 addresses of
the machine, on all interfaces. I wanted
block in log on ! lo0 from any to self
for years, and now it's possible.

ok "I may lose my slacking status if I OK it" frantzen@
ok dhartmei@

documentation in pf.conf.5 to come with pb@'s rewrite


# 1.121 16-Jul-2002 dhartmei

Add nat_consistent() and rdr_consistent() for checks that should occur
after rule expansion, similar to rule_consistent(). Fixes the
non-effective test for rdr rules for non-TCP/UDP protocols with ports,
found by mpech@, ok frantzen@


# 1.120 15-Jul-2002 henning

add support for
pass|block on ! $interface ...

ok dhartmei@

will be documented in pf.conf(5) by "I'm not slacking!" pb@ who's currently
reworking this manpage


# 1.119 15-Jul-2002 pb

cosmetics/consolidations to manpage in yyerror()s

ok henning@, dhartmei@


# 1.118 15-Jul-2002 henning

o complain about keep state on block rules
o complain about return-rst on rules which aren't limited to tcp

pointed out by not-slacking-but-testing pb@

ok pb@, dhartmei@


# 1.117 13-Jul-2002 henning

add list expansion for interface and proto in nat rules and for proto in rdr
rules (interface was already there). since the nat.conf/pf.conf merge the
parser accepted these but didn't expand them. ugh.

ok dhartmei@


# 1.116 09-Jul-2002 itojun

check sin6_scope_id field, just in case we change the routing socket API
for scoped address (unlikely due to the deployed codebase...).


# 1.115 09-Jul-2002 itojun

getifaddrs(3) grabs link-local addrs in kernel internal form, convert them
into proper sockaddr_in6.


# 1.114 09-Jul-2002 henning

rework the interface-to-IP routines.

you can use interface names instead of an IP in most places. However, until
now, it was only expanded to the interface's first IPv4 address if existent
(and address family unset or inet) and the first IPv6 address otherwise.

this diff changes that. the interface is properly expanded to all IPs, IPv4
_and_ IPv6, now.

it also cleans up the lookup procedures (well, in fact, they are replaced by
a new one), there's no need for different procedures for IPv4 and IPv6. we
now just have one list of interfaces (AF_LINK) and one list with IPs
(AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and
ifa_lookup.

nat, rdr & friends now use the new function ifa_pick_ip to get the IP in
rules like

nat on $interface from $whatever to any -> $interface

ifa_pick_ip tries to be smart.
if the interface has only one IP address and the nat rule doesn't specify an
address family (or it matches with this address), take this one.
If the address family is specified in the nat rule and there is only one IP
for the given address family, this one is used. if the address family is not
specified and there is more than one IP pfctl throws an error. The same
applies for multiple IPs per address family.

This causes regression tests 18 and 20 to fail because the address family
isn't specified there; diff for those coming.

also fix some prototypes while I'm here.

pb@ found another problem while testing that we must have introduced somewhat
after 3.1.

$cat t
nat on ne3 from any to any -> 213.128.133.5
$pfctl -nvf t
nat on ne3 all -> ?

it's only a representation bug as far as I've checked, nonetheless it should
be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just
steal its target's IP af and set the rule's af accordingly. then inet_ntop
does play nice.
binat rules already enforce having an address family set always and thus are
not affected.

ok dhartmei@, pb@, kjell@
"It looks good" frantzen@
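
The selection rule ifa_pick_ip is described as following (one address, or one address for the requested family, is accepted; anything more is an error), as an added example in C. This is not pfctl's ifa_pick_ip; the struct, function and return codes are assumptions for illustration, and the interface addresses in the sample are constructed.

```c
#include <stddef.h>
#include <sys/socket.h>		/* AF_UNSPEC, AF_INET, AF_INET6 */

/* One address found on an interface (constructed type, not pfctl's). */
struct ifaddr {
	int		 af;	/* AF_INET or AF_INET6 */
	const char	*addr;
};

/* Outcomes besides a valid index into the address array. */
#define PICK_NONE	(-2)	/* no address of the requested family */
#define PICK_AMBIGUOUS	(-1)	/* more than one candidate: pfctl errors out */

/*
 * Pick the single address a translation rule may use. want_af is AF_UNSPEC
 * when the rule names no family. Exactly one candidate is accepted: if the
 * rule gives no family, every address is a candidate, so two addresses of
 * any family are already ambiguous; if it gives one, only that family's
 * addresses count, and two of them are ambiguous as well.
 */
int
pick_ip(const struct ifaddr *addrs, size_t n, int want_af)
{
	int found = PICK_NONE;
	size_t i;

	for (i = 0; i < n; i++) {
		if (want_af != AF_UNSPEC && addrs[i].af != want_af)
			continue;
		if (found != PICK_NONE)
			return PICK_AMBIGUOUS;
		found = (int)i;
	}
	return found;
}

/* Constructed sample: a dual-stack interface with one address per family. */
int
example_dual_stack(int want_af)
{
	const struct ifaddr addrs[] = {
		{ AF_INET,  "192.0.2.1" },
		{ AF_INET6, "2001:db8::1" },
	};

	return pick_ip(addrs, 2, want_af);
}
```

With the sample above, a rule without an address family is rejected as ambiguous, while "inet" or "inet6" selects the matching address; an interface carrying two addresses of the requested family is rejected as well.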


# 1.113 08-Jul-2002 dhartmei

Don't allow 'flags' option in non-TCP rules, found by mpech@


# 1.112 05-Jul-2002 henning

unbreak.


# 1.111 05-Jul-2002 henning

another small bug I found while installing a -current pf firewall.
we don't support

pass/block in on ! <interface>

(at least, not yet)
let the parser complain instead of ignoring the '!'

ok pb@, dhartmei@


# 1.110 01-Jul-2002 espie

streamline parse buffer handling (no need to copy value that is not
going to go away).

add explicit pushback buffer, to be able to push IPv6 failed parses back.

handle pushback + parse buffer interactions by using negative indices.

okay dhartmei@, deraadt@


# 1.109 01-Jul-2002 deraadt

KNF


# 1.108 28-Jun-2002 dhartmei

Don't check for address family conflicts in nat/rdr before expansion,
rules will expand to all valid combinations, and there's an error when
none is found. Makes "nat on tun0 from 10.0.0.0/8 to any -> (tun0)"
work (again).


# 1.107 25-Jun-2002 henning

move pfctl options -t, -m, -O and -l to pf.conf. These are set using the
"set" keyword. example rulefile:

set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all

fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@


# 1.106 24-Jun-2002 dhartmei

Use interface when specified in scrub rule. No support for ! or {} yet.


# 1.105 23-Jun-2002 deraadt

uid_t and gid_t are unsigned


# 1.104 20-Jun-2002 dhartmei

Copy address family from inet/inet6 keyword, if specified.


# 1.103 18-Jun-2002 frantzen

propagate a '!' when a host resolves to multiple IP addresses
ok dhartmei@


# 1.102 18-Jun-2002 frantzen

don't allow individual keep state rules to specify timeouts for 'interval' and
'frag' -- they aren't applied anyway
ok dhartmei@ and henning@


# 1.101 16-Jun-2002 aaron

Rules must in order -> Rules must be in order


# 1.100 15-Jun-2002 dhartmei

Reset rulestate in parse_rules(), so consecutive calls (like from authpf)
will not fail. Reported by Chris Kuethe.


# 1.99 13-Jun-2002 kjell

Fix the numbering of scrub rules. pointed out and oked by frantzen@


# 1.98 12-Jun-2002 kjell

Fix uninitialized access. Spotted by danh@ This is a good reason to
develop with "ln -s 'J' /etc/malloc.conf" enabled.
ok henning@


# 1.97 11-Jun-2002 frantzen

split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@. the rest are slacking


# 1.96 11-Jun-2002 frantzen

SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@


# 1.95 11-Jun-2002 dhartmei

Make NAT proxy port range configurable per rule, for instance privileged
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@


# 1.94 10-Jun-2002 kjell

Merge the NAT and rules files into a single rulefile. Rules must be
in this order, to remove any ambiguity about what order things happen in:

scrub rules
nat rules
filter rules

The -N and -R modifiers go away. Rulefiles are now loaded with the
more POSIXly-correct '-f'

ok frantzen@


# 1.93 10-Jun-2002 dhartmei

Allow ports to be specified in nat rules, useful later on for individual
proxy port ranges.


# 1.92 10-Jun-2002 dhartmei

Move enum out of struct (gcc 3.1 wasn't happy), from David Krause


# 1.91 10-Jun-2002 kjell

split scrub rule processing into its own yacc target,
for imminent config file merge. ok frantzen@


# 1.90 09-Jun-2002 dhartmei

Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it
includes ports and operator.


# 1.89 09-Jun-2002 deraadt

spaced out developers...


# 1.88 09-Jun-2002 kjell

Add list parsing in RDR rules: e.g.

rdr on $IFLIST proto tcp from $SRC_LIST to $DST_LIST port 21 \
-> 127.0.0.1 port 8021

ok dhartmei@


# 1.87 08-Jun-2002 henning

nuke unused parameter af to expand_label_port
ok dhartmei@, pb@


# 1.86 08-Jun-2002 dhartmei

Change remaining read-only lookup tables to const, suggestion drahn@


# 1.85 08-Jun-2002 itojun

comment on IPv6 link-local twists


# 1.84 08-Jun-2002 kjell

add list expansion to src/dest in NAT rules. i.e.

nat on fxp0 from { 10.0.0.0/24, 10.0.1.0/24 } to \
{ 172.6.1.1, 172.14.1.2/32 } -> fxp0

ok theo, dhartmei@


# 1.83 08-Jun-2002 henning

remove macro concatenation via += per Theo's advice


# 1.82 08-Jun-2002 henning

allow macro concatenation like
webservers = "{ 10.0.0.1, 10.0.0.7, 10.0.0.8, "
webservers += " 10.0.0.17, 10.0.0.25, 10.0.0.37 }"
ok frantzen@, dhartmei@


# 1.81 08-Jun-2002 dhartmei

Make state timeouts configurable per rule, like

pass in from any to any port www keep state (tcp.established 60)

ok frantzen@


# 1.80 08-Jun-2002 henning

expand $nr -> rule number in rule labels
okay dhartmei@, frantzen@


# 1.79 08-Jun-2002 henning

expand $proto in rule labels
okay frantzen@ dhartmei@


# 1.78 07-Jun-2002 dhartmei

Handle realloc() failure gracefully. Terminates with err() anyway in this
case, but we don't want to trigger "p = realloc(p," grepping causing false
alarms here.


# 1.77 07-Jun-2002 deraadt

henning, read this to see what i mean by KNF


# 1.76 07-Jun-2002 pb

add the possibility to configure a TTL while return-rst

ok dhartmei@, ipv6 part itojun@ ok


# 1.75 07-Jun-2002 dhartmei

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@


# 1.74 07-Jun-2002 henning

allow using $srcaddr, $srcport, $dstaddr and $dstport in rule labels,
evaluated at parse time.
ok dhartmei@


# 1.73 07-Jun-2002 itojun

make IPv6 scope identification work for dst (from any to fe80::1%lo0)


# 1.72 07-Jun-2002 itojun

support scoped IPv6 address in from/to portion.


# 1.71 01-Jun-2002 hugh

ECN flag support for pf. Committed in consultation with Daniel.


# 1.70 24-May-2002 dhartmei

Support mixed (IPv4/v6) address lists, expand to all possible and valid
combinations. 'pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }' will
expand to two rules, 'from 10.1.2.3 to 10.4.5.6' and 'from ::1 to ::2'.
Also applies to host name resolution (when multiple addresses are returned
for one name). ok frantzen@, itojun@


# 1.69 23-May-2002 deraadt

tiny KNF, some malloc checks, etc


# 1.68 23-May-2002 itojun

new_addr is not used from anywhere. daniel@benzedrine.cx ok


# 1.67 19-May-2002 deraadt

KNF


# 1.66 12-May-2002 dhartmei

Explain that user/group 'unknown' can only be used with operators = and !=
and refuse other constructs in the parser. Also note that 'user >= 0' does
not match forwarded packets with unknown user ID.


# 1.65 12-May-2002 dhartmei

Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.


# 1.64 10-May-2002 dhartmei

Handle host name resolution returning multiple addresses in the rule
parser (expand to every address). ok frantzen@


# 1.63 09-May-2002 jasoni

Add a max-mss option to the scrub rule which will enforce a maximum mss
by lowering it to the given value.
- ok dhartmei@, provos@


# 1.62 09-May-2002 dhartmei

Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.


# 1.61 24-Apr-2002 dhartmei

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).


# 1.60 23-Apr-2002 dhartmei

Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.


# 1.59 18-Apr-2002 deraadt

use strlcpy


# 1.58 17-Apr-2002 dhartmei

Reset lineno for each file, so pfctl -R ... -N ... reports the right
line number for non-first files. Reported by aaron@


Revision tags: OPENBSD_3_1_BASE
# 1.57 27-Mar-2002 mickey

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok


# 1.56 27-Feb-2002 dhartmei

Instead of printing useless @0 rule numbers from pfctl -vR, increase a
counter. Helps debugging rule sets that are not loaded. Suggested by
John Kerbawy.


# 1.55 11-Jan-2002 mickey

use bsearch() for keywords lookup, swap couple of entries to make the keywords array sorted and add a comment to keep it that way; dhartmei@ ok


# 1.54 10-Jan-2002 hugh

Let port 0 be specified as it's not special here.
Agreement with Daniel and others.


# 1.53 09-Jan-2002 mpech

Port must be >0 and <=65535. Idea while having fun with ssh.

dhartmei@ ok


# 1.52 09-Jan-2002 mpech

free() 'interface' in {nat,binat,rdr}rule

dhartmei@ ok


# 1.51 09-Jan-2002 dhartmei

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.


# 1.50 08-Jan-2002 dhartmei

Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.


# 1.49 07-Jan-2002 mpech

remove 3rd argument from ipmask(), not used.

dhartmei@ ok


# 1.48 23-Dec-2001 deraadt

find correct line number in lval, instead of val


# 1.47 10-Dec-2001 dhartmei

Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.


# 1.46 05-Dec-2001 dhartmei

Correctly parse hex numbers. Spotted by Claudio Jeker. Closes PR 2234.


# 1.45 03-Dec-2001 dhartmei

For nat, binat and rdr rules, don't allow different address families in
one rule. pf can't translate IPv4 <-> IPv6 packets. Such rules didn't work,
even if they were falsely accepted before.


# 1.44 26-Nov-2001 jasoni

add fastroute options similar to what is found in ipf
ok dhartmei@, frantzen@


# 1.43 05-Nov-2001 deraadt

no one responds.
this diff makes } and { not be part of symbols


# 1.42 24-Oct-2001 dhartmei

Check interface names using ifa0_lookup() and print error message for
non-existent interfaces (instead of the generic ioctl error returned by
the kernel in this case).


Revision tags: OPENBSD_3_0_BASE
# 1.41 15-Oct-2001 dhartmei

branches: 1.41.2;
Add 'allow-opts' to rules. Packets with IP options will be blocked by
default now, and can be allowed per rule. ok deraadt@


# 1.40 11-Oct-2001 frantzen

Don't htonl() past buffer bounds if ipmask == 128


# 1.39 07-Oct-2001 dhartmei

Add interface name to address translation to pfctl, document it and add
a regress test. Translation is done on rule set load-time only, so the
rule sets must be reloaded when an interface address changes.
parse.y patch from Cedric Berger. Similar patch from Jonathon Fletcher.
Thanks to both.


# 1.38 01-Oct-2001 markus

print variable assignments only if -v is given. ok dhartmei/deraadt


# 1.37 28-Sep-2001 dhartmei

Support underscores in macro names and document it in the man page.


# 1.36 20-Sep-2001 dhartmei

Fix uninitialized structure fields. Problem reported by Cedric Berger.


# 1.35 15-Sep-2001 wilfried

Implement return-icmp(number), return-icmp6(number)
Differentiate between return-icmp and return-icmp6,
icmp-type and ipv6-icmp-type. ok dhartmei@


# 1.34 15-Sep-2001 dhartmei

Fix 'binat ... to any ...' (binat.af wasn't set).


# 1.33 15-Sep-2001 dhartmei

Parse bug, found by wilfried@


# 1.32 15-Sep-2001 frantzen

IPv6 support from Ryan McBride (mcbride@countersiege.com)


# 1.31 12-Sep-2001 markus

check calloc() return value


# 1.30 06-Sep-2001 jasoni

- you can only binat between hosts
- add binat example and description


# 1.29 06-Sep-2001 jasoni

1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@


# 1.28 04-Sep-2001 dhartmei

Support parameter lists {} for interfaces in filter rules, like
pass in on { gm0, kue0 } from any to any


# 1.27 28-Aug-2001 markus

move '!' from host_list to host: "xhost : '!' host | host;"; ok dhartmei@


# 1.26 28-Aug-2001 markus

check for malloc/strdup == NULL


# 1.25 28-Aug-2001 dhartmei

Support ! operator in host parameter lists. Fixes PR system/2030. Reported
by Kamil Andrusz <wizz@mniam.net>.


# 1.24 26-Aug-2001 deraadt

sort keywords


# 1.23 25-Aug-2001 frantzen

PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation.


# 1.22 23-Aug-2001 millert

o for a port_item, initialize the "next" pointer to NULL
o for an address, use calloc() instead of malloc() so the struct is zeroed
Fixes a SEGV in pfctl due to uninitialized "next" pointers.


# 1.21 23-Aug-2001 deraadt

Support var="string". Expansion (at lex time) done using $var, for instance:
okproto="{ssh, smtp, domain, auth}"
pass in on key0 proto tcp from any to any port $okproto keep state
Can I ask someone else to document this in pf.conf(5)?


# 1.20 19-Aug-2001 dhartmei

Add parameter list support to parser. Handles lists for protocol, hosts
and ports in filter rules, like

block in from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
pass in proto tcp from any to any port { ssh, 1024 >< 2000, > 65000 }
block in proto { udp, igmp }

and does rule expansion (generate all needed rule combinations).
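
Rule expansion as these entries describe it, as an added example in C that is not pfctl's code: revision 1.20 introduces the combination generation, 1.70 says mixed IPv4/IPv6 lists expand only to the family-consistent pairs, 1.156 fixes the order to left to right, and 1.108 notes that an error is raised only when no valid combination remains. The struct names, the function and the return codes are assumptions, and the sample lists are constructed from the 1.70 entry.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>		/* AF_UNSPEC, AF_INET, AF_INET6 */

/* One list item: an address with its family; AF_UNSPEC stands for "any". */
struct host {
	int		 af;
	const char	*addr;
};

/* One expanded rule: a single (source, destination) pair. */
struct rule {
	struct host	 src;
	struct host	 dst;
};

#define EXPAND_EMPTY	(-1)	/* no valid combination: pfctl reports an error */
#define EXPAND_OVERFLOW	(-2)	/* caller's output buffer is too small */

/* Two hosts fit in one rule if either is "any" or their families agree. */
static int
af_compatible(const struct host *a, const struct host *b)
{
	return a->af == AF_UNSPEC || b->af == AF_UNSPEC || a->af == b->af;
}

/*
 * Expand "from { src list } to { dst list }" into one rule per valid pair.
 * The outer loop walks the source list and the inner loop the destination
 * list, so rules come out left to right ('@0 ... from a', '@1 ... from b').
 * Family mismatches are skipped; only when nothing survives is it an error.
 */
int
expand_rules(const struct host *src, size_t nsrc,
    const struct host *dst, size_t ndst,
    struct rule *out, size_t maxout)
{
	size_t i, j, n = 0;

	for (i = 0; i < nsrc; i++)
		for (j = 0; j < ndst; j++) {
			if (!af_compatible(&src[i], &dst[j]))
				continue;
			if (n == maxout)
				return EXPAND_OVERFLOW;
			out[n].src = src[i];
			out[n].dst = dst[j];
			n++;
		}
	return n == 0 ? EXPAND_EMPTY : (int)n;
}

/*
 * Constructed from the 1.70 example:
 *   pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }
 * The four raw combinations shrink to the two family-consistent rules.
 */
int
example_mixed_lists(struct rule *out, size_t maxout)
{
	const struct host src[] = {
		{ AF_INET, "10.1.2.3" }, { AF_INET6, "::1" },
	};
	const struct host dst[] = {
		{ AF_INET, "10.4.5.6" }, { AF_INET6, "::2" },
	};

	return expand_rules(src, 2, dst, 2, out, maxout);
}

int
main(void)
{
	struct rule rules[8];
	int n, i;

	n = example_mixed_lists(rules, 8);
	for (i = 0; i < n; i++)
		printf("@%d pass in from %s to %s\n", i,
		    rules[i].src.addr, rules[i].dst.addr);
	return n > 0 ? 0 : 1;
}
```

Run stand-alone, the program prints the two rules 'from 10.1.2.3 to 10.4.5.6' and 'from ::1 to ::2' in that order; a v4-only source against a v6-only destination list yields EXPAND_EMPTY, which is the case pfctl reports as an error.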


# 1.19 16-Aug-2001 deraadt

track the line number per-token, so that we can report errors correctly


# 1.18 14-Aug-2001 mickey

optimize the flags parsing; markus@ ok


# 1.17 11-Aug-2001 deraadt

\+\n support, and spit out cc-style error messages. the parser's line
counting is lex dependent, and will need to be tweaked


# 1.16 31-Jul-2001 wilfried

allow to test that flags are unset, ok dhartmei@, mickey@


# 1.15 19-Jul-2001 krw

Fix/complete the handling of the binary ops >< and <> to behave
like the ipf operators.

The 'n >< m' construct (Include Range = PF_OP_IRG) should match
ports greater than n and less than m, not greater than or equal to
n and less than or equal to m.

The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match
all ports less than n OR greater than m, not be treated as an
alias for ><.

Thus PF_OP_GL, which was used for both <> and >< is replaced with
PF_OP_IRG and PF_OP_XRG with the 'correct' semantics.

OK dhartmei@
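
The operator semantics this entry settles (n >< m strictly between the endpoints, n <> m strictly outside the closed interval), as an added example in C that is not pfctl's code. The enum names, parse_port_op and port_match are assumptions for illustration, not pf's PF_OP_* definitions; the port list at the end is the one quoted in revision 1.20, with ssh taken as port 22.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Port operators as written in pf.conf (constructed enum, not pf's own). */
enum port_op {
	OP_NONE,	/* no port clause: matches every port */
	OP_EQ,		/* = n, or a bare port number */
	OP_NE,		/* != n */
	OP_LT,		/* < n */
	OP_LE,		/* <= n */
	OP_GT,		/* > n */
	OP_GE,		/* >= n */
	OP_IRG,		/* n >< m: greater than n and less than m */
	OP_XRG,		/* n <> m: less than n or greater than m */
	OP_INVALID
};

/* Map an operator token to its enum value; "" stands for a bare number. */
enum port_op
parse_port_op(const char *tok)
{
	static const struct { const char *tok; enum port_op op; } tab[] = {
		{ "",   OP_EQ }, { "=",  OP_EQ }, { "!=", OP_NE },
		{ "<",  OP_LT }, { "<=", OP_LE }, { ">",  OP_GT },
		{ ">=", OP_GE }, { "><", OP_IRG }, { "<>", OP_XRG },
	};
	size_t i;

	for (i = 0; i < sizeof(tab) / sizeof(tab[0]); i++)
		if (strcmp(tok, tab[i].tok) == 0)
			return tab[i].op;
	return OP_INVALID;
}

/*
 * Does packet port p satisfy "a1 op a2"? a2 is used by the two range
 * operators only. The two range cases carry the distinction the commit
 * draws: >< excludes both endpoints, <> excludes everything in [a1, a2].
 */
bool
port_match(enum port_op op, uint16_t a1, uint16_t a2, uint16_t p)
{
	switch (op) {
	case OP_NONE:	return true;
	case OP_EQ:	return p == a1;
	case OP_NE:	return p != a1;
	case OP_LT:	return p < a1;
	case OP_LE:	return p <= a1;
	case OP_GT:	return p > a1;
	case OP_GE:	return p >= a1;
	case OP_IRG:	return p > a1 && p < a2;
	case OP_XRG:	return p < a1 || p > a2;
	default:	return false;
	}
}

/*
 * A port list is the union of its items: "port { ssh, 1024 >< 2000, > 65000 }"
 * from revision 1.20 matches when any one item matches.
 */
bool
example_list_match(uint16_t p)
{
	return port_match(OP_EQ, 22, 0, p) ||
	    port_match(OP_IRG, 1024, 2000, p) ||
	    port_match(OP_GT, 65000, 0, p);
}
```

Note that the endpoints 1024 and 2000 fall outside "1024 >< 2000" and also outside "1024 <> 2000", so no port is matched by both forms of the same range.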


# 1.14 18-Jul-2001 markus

new ERROR token, errx() -> warnx() + ERROR; ok deraadt@


# 1.13 18-Jul-2001 markus

KNF for return


# 1.12 18-Jul-2001 mickey

check number range to fit in 32 bits


# 1.11 18-Jul-2001 mickey

put range checks on NUMBER, pointed out by deraadt


# 1.10 17-Jul-2001 mickey

spaces, parens, err instead of errx+strerror


# 1.9 17-Jul-2001 markus

warnx()/YYERROR instead of errx(); suggested by mickey@


# 1.8 17-Jul-2001 provos

markus doesn't like min-ttl =, begone


# 1.7 17-Jul-2001 provos

support min-ttl, okay dhartmei@


# 1.6 17-Jul-2001 provos

normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@


# 1.5 17-Jul-2001 marc

bitch about ! in pf rule; ok dhartmei@ and markus@


# 1.4 17-Jul-2001 millert

Only set default proto in the rdr case; markus@ OK


# 1.3 16-Jul-2001 markus

errx() if getservbyname() fails


# 1.2 16-Jul-2001 markus

better flags parsing; dhartmei


# 1.1 16-Jul-2001 markus

add a yacc parser for pf.conf and nat.conf, with help from mickey@,
plus: -n now turns off all operations, and just parses the conf files
ok deraadt@


# 1.705 07-Dec-2020 sashan

synproxy should be processing incoming SYN packets only.
issue noticed by sthen@. fix discussed with bluhm@ and procter@

OK bluhm@, kn@, procter@


# 1.704 01-Oct-2020 kn

rdomain IDs do not need to exist for "on rdomain N" to work

Unlike "... rtable N", pf.conf(5)'s "on rdomain N" does not alter packet
state and will always work no matter if rdomain N currently exists or not,
i.e. the rule "pass on rdomain 42" will simply match (and pass) packets if
rdomain 42 exists, and it will simply not match (neither pass nor block)
packets if 42 does not exist.

There's no need to reload the ruleset whenever routing domains are created
or deleted, which can already be observed now by creating an rdomain,
loading rules referencing it and deleting the same rdomain immediately
afterwards: pf will continue to work as expected.

Relax both pfctl(8)'s parser check as well as pf(4)'s copyin routine to
accept any valid routing domain ID without expecting it to exist at the time
of ruleset creation - this lifts the requirement to create rdomains before
referencing them in pf.conf while keeping pf behaviour unchanged.

Prompted by yasuoka's recent pfctl parse.y r1.702 commit requiring an rtable
to exist upon ruleset creation.

Discussed with claudio and bluhm at k2k20.

Feedback sashan
OK sashan yasuoka claudio


Revision tags: OPENBSD_6_8_BASE
# 1.703 17-Sep-2020 yasuoka

Fix the previous commit whose conditions were reversed.

ok kn


# 1.702 17-Sep-2020 yasuoka

Make pfctl(8) check if the rtable really exists when parsing the
config. work with and diff from kn

ok kn


Revision tags: OPENBSD_6_7_BASE
# 1.701 28-Jan-2020 bket

sbin/pfctl: replace TAILQ concatenation loop with TAILQ_CONCAT

OK kn@, sashan@, florian@


# 1.700 15-Jan-2020 kn

Do the actual pfr_strerror() to pf_strerror() rename

Missed in previous


# 1.699 17-Oct-2019 millert

Use -1 to indicate an invalid uid/gid, not UID_MAX and GID_MAX.
This is the userland portion. OK deraadt@ sashan@


Revision tags: OPENBSD_6_6_BASE
# 1.698 26-Aug-2019 tobhe

Fix file descriptor leak due to popfile() never closing the main config file.

The fix is the same as for other parse.y files in the tree (see bgpd(8) or
unwind(8))

ok bluhm@


# 1.697 05-Jul-2019 patrick

Fix integer sizes in format strings and enable formatting warnings
for yyerror.

From Moritz Buhl
ok bluhm@ claudio@


# 1.696 08-May-2019 sashan

pfctl should check pfctl.astack is not overrun
(bug found and fixed by Petr Hoffmann _at_ oracle.com)

OK kn@


# 1.695 18-Apr-2019 kn

Fix table definition parsing as unprivileged user

revision 1.689 introduced warn_duplicate_tables() unconditionally, breaking
the parser on tables with insufficient permissions to open pf(4):

$ echo 'table <t>' | pfctl -nf-
pfctl: pfr_get_tables: Bad file descriptor

So simply check whether pfctl is able to get the table list first. If not,
instead of silently avoiding namespace collision checks, print a brief
notice iff `-v' is given to help finding duplicate definitions by hand:

$ echo 'table <t>' | ./obj/pfctl -vnf-
table <t>
stdin:1: skipping duplicate table checks for <t>

Reported by Rivo Nurges, thanks!
OK benno sashan


Revision tags: OPENBSD_6_5_BASE
# 1.694 06-Mar-2019 kn

Fix once rules

parse.y revision 1.682 from 16.07.2018 erroneously allowed `match once' and
`anchor "a" once'.

Fix both by checking for PF_DROP not PF_MATCH and creating anchors in the
parser already such that they can be used to distinguish anchor rules in
the same check as well.

Found and fixed by Petr Hoffmann <petr.hoffmann at oracle dot com>, thanks!

While here, remove an unneeded cast and make pfctl_add_rule() void as it
always returned 0.

OK sashan


# 1.693 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.692 10-Feb-2019 kn

Anchor names must not be empty

The parser would allow bogus input and sometimes even produce invalid rules
on empty anchor names, so error out immediately.

OK sashan


# 1.691 10-Feb-2019 kn

Unify anchor name sanity checks

For anchor names, make `load anchor' use the same grammar as `anchor' and
merge unique checks from both places so that anchor names are validated
regardless of the specific rule at hand.

OK sashan


# 1.690 31-Jan-2019 kn

Make divert-packet port accept any port specification

Contrary to other rules accepting a single port, this one only works with
numerical values. Fix it by simply using the proper grammar.

Port ranges are not accepted, but an error message on a range without start
was missing in general, so add it while here.

OK bluhm


# 1.689 11-Jan-2019 kn

When creating tables inside anchors, pfctl warned about namespace
collisions with global tables, but only in certain cases and with
limited information sometimes leaving users clueless.

Deferring the check to process_tabledefs() where tables are eventually
created, both anchor and table name are known which allows for checking
all existing anchors.

With this, warn on all duplicates even in dry-runs (`-n') and print
quoted names so they can be copied to fix configurations right away.

No functional change in parsing or ruleset production.

Discussed with and OK sashan


# 1.688 15-Nov-2018 dlg

scrub opts don't set tos, so remove it from the scrub_opts struct

ok deraadt@


# 1.687 10-Nov-2018 kn

Unbreak `-D macro=value' (r1.686 regression)

Zap trailing semicolon introduced with miko's cmdline_symset() leading to
unconditional err(3). Zap trailing tab while here.


# 1.686 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.685 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.684 16-Sep-2018 millert

Use uid_from_user(3) and gid_from_group(3) in utilities that
do repeated lookups. OK tb@


# 1.683 06-Sep-2018 kn

Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan


# 1.682 16-Jul-2018 kn

reduce duplicate code, fix typo/free correct buffer

In filteropts_to_rule():

* Merge `once' handling from `anchorrule' and `pfrule'
* Remove/shorten duplicate code block
* Fix typo I introduced with r1.678 that frees the wrong buffer (twice)

OK sashan


# 1.681 13-Jul-2018 kn

Fix regression on child queue definitions

I committed the wrong diff in 1.680 which turned `queue cq parent pq ...'
into invalid syntax by changing `interface' to `ON if_item'.

Found by bket, thanks!


# 1.680 11-Jul-2018 kn

Prevent invalid interface specifiers on queue rules

pf.conf(5) states that queues attach to actual interfaces only, yet the
following parses:

# echo queue eq on egress bandwidth 1G default | pfctl -f-
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

# echo queue rq on rdomain 0 bandwidth 1G default | pfctl -vf-
queue rq bandwidth 1G default
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

On rdomains, ifa_exists() returns NULL.
On interface groups, ifa_exists() returns non-NULL but af is never set
to AF_LINK.

OK henning sashan


# 1.679 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.678 10-Jul-2018 henning

'set delay' for the generic packet delay mechanism, ok benno sashan


# 1.677 10-Jul-2018 kn

fix anchor rules with filter opts, introduce filteropts_to_rule()

Some filter options were parsed but not set on anchor rules due to missing
copies of the respective struct members:

$ cat pf.conf
queue rq on trunk0 bandwidth 1G
queue dq parent rq bandwidth 1G default
anchor a set queue dq
$ pfctl -vnf pf.conf | fgrep queue
anchor "a" all

Fix this by moving common code from `anchorrule' and `pfrule' into a new
helper filteropts_to_rule().

Input from henning and benno
OK henning sashan jca


# 1.676 09-Jul-2018 kn

Zap dead code

Commented since r1.465 (2004).

OK deraadt benno jca sashan


# 1.675 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.674 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.673 18-May-2018 benno

A pf rule with a "on rdomain n" with nonexisting rdomain n will cause an

pfctl: DIOCADDRULE: Device busy

error when loading the ruleset, with no information which rule caused
the problem and no indication that the problem is the rdomain
<nonexisting>.

This diff makes pfctl check if the rdomain really exists when parsing
the config.

ok bluhm@


# 1.672 09-May-2018 otto

Fix (include file) line number counting by keeping track of the unget
buffer per file; also use that buffer to expand macros.
ok sashan@ dennis@ krw@


# 1.671 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.670 08-Feb-2018 henning

make the watermarks/thresholds for entering and leaving syncookie mode when
syncookies are set to adaptive tunable, ok claudio benno


# 1.669 06-Feb-2018 henning

allow control over syncookies: set syncookies never/always/adaptive


# 1.668 28-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@


# 1.667 27-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Convert the pfctl(8) rule parser to divert types, kernel cleanup
will be the next step.
OK sashan@


# 1.666 25-Nov-2017 sashan

- pfctl fails to handle nested 'load anchor' properly
[ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]

OK bluhm@


# 1.665 14-Nov-2017 sashan

- nested anchors vs. pfctl/parse.y
bug reported and fix tested by Leonardo Guardati

OK bluhm@


# 1.664 13-Nov-2017 henning

add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb


Revision tags: OPENBSD_6_2_BASE
# 1.663 11-Aug-2017 benno

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@


# 1.662 19-Jul-2017 mikeb

Allow HFSC classes to use flow queues

The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue. Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.

Discussed with and OK henning@ at d2k17 as a part of a larger diff.


# 1.661 19-Jul-2017 mikeb

Rework HFSC vs FQ-CoDel checks

The selection mechanism introduced in pf_ioctl.c -r1.316 suffers
from being too ambiguous and lacks robustness. Instead of relying
on composition of multiple flags in the queue specification, it's
easier to identify the root class (if it exists) and derive all
further checks from it.


# 1.660 28-May-2017 akfaew

Don't check np->port for NULL - it's an array, it's never NULL.

OK bluhm@


# 1.659 15-May-2017 mikeb

Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)

OK sthen, visa


# 1.658 28-Apr-2017 mikeb

Remove double assignments


Revision tags: OPENBSD_6_1_BASE
# 1.657 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.656 23-Nov-2016 bluhm

Explicitly forbid to combine af-to with route-to in pfctl. The
parser cannot handle that correctly and it is unclear whether the
kernel code would work. Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@


# 1.655 26-Aug-2016 guenther

Add <time.h> for time(); sort <*.h> includes

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.654 18-Jul-2016 henning

g/c unused (global!) var: oqueues isn't used any more. ALTQ leftover; not
noticed since struct node_queue stayed. ok claudio benno gcc


# 1.653 22-Jun-2016 kettenis

Add curly braces that were missed in rev 1.651. Add parenthesis to make the
condition in the if statement more readable while I'm there.

ok phessler@, benno@, florian@


# 1.652 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.651 21-Jun-2016 benno

the manpage documents that af-to does not work on pass out rules, but
the pf.conf parser allows it, which leads to a non-working configuration
being loaded.
this changes the parser to make pass out .. af-to an error.

ok henning@ mikeb@


# 1.650 16-Jun-2016 henning

allow include in inline anchors
with this,
anchor foo {
include "/path/to/rules"
}
works and "load anchor" is obsolete, to be removed somewhen later after
release.
co-production with reyk at bsdcan, ok reyk mikeb benno sasha


Revision tags: OPENBSD_5_9_BASE
# 1.649 01-Sep-2015 sashan

- route-to, dup-to, reply-to should not override the block action

Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>

ok jung@, ok mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.648 21-Apr-2015 mikeb

Improve divert-to specification parsing w.r.t. rule address family.
ok henning


Revision tags: OPENBSD_5_7_BASE
# 1.647 26-Feb-2015 sthen

%% not % in error message; ok millert@ henning@


# 1.646 14-Feb-2015 sthen

Rather than using 0xff as a placeholder for "don't check prio", use 0xff to
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.

Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesn't like it he can change it when he recovers from jet-lag"


# 1.645 10-Feb-2015 henning

since we inherit prio (as in, the queuing priority) from outside sources,
i. e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan


# 1.644 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.643 19-Dec-2014 reyk

Support source-hash and random with tables and dynifs; not just pools.
This finally allows using source-hash for dynamic loadbalancing, e.g.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.

An older pre-siphash version of this diff was tested by many people.

OK tedu@ benno@


# 1.642 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.641 27-Oct-2014 mikeb

Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic. Reported by sthen@;
ok henning benno sthen


# 1.640 25-Oct-2014 lteo

Remove unnecessary netinet/in_systm.h include.

ok millert@


# 1.639 13-Sep-2014 doug

Replace all queue *_END macro calls except CIRCLEQ_END with NULL.

CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.

ok millert@


# 1.638 23-Aug-2014 pelikan

when you specify queues in a rule, make sure they have been defined.

DIOCADDRULE EBUSY turns into an error message that pfctl -n catches.
DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported
to occur, possibly from hfsc.c: this should be fixed as well.

ok henning mikeb sthen


# 1.637 21-Aug-2014 mikeb

deny "once" flags for match rules; ok henning


Revision tags: OPENBSD_5_6_BASE
# 1.636 02-Jul-2014 mikeb

branches: 1.636.4;
condition above makes this part of the check useless;
overlooked in the previous commit


# 1.635 30-Jun-2014 mikeb

Merge two loops in collapse_redirspec into one

This lets us do the checks only once and also make smarter decisions
about the rule's own address family. As a result af-to rules no longer
need to specify the address family after 'pass'.

ok henning


# 1.634 25-Jun-2014 mikeb

Make stricter decisions when handling translation specifications.

In particular, disallow specifications containing addresses of
different address families when rule doesn't specify one, for
example "pass out nat-to { ::1 1.1.1.1 }" will now produce an
error instead of silently picking one of the addresses.

sthen and deraadt agree


# 1.633 17-May-2014 bluhm

When parsing a numerical value for the TOS bits, make sure that it
is in a valid range.
OK henning@


# 1.632 19-Apr-2014 henning

remove altq bits here, too
(i was convinced i committed that yesterday already, hrm)


Revision tags: OPENBSD_5_5_BASE
# 1.631 22-Jan-2014 henning

branches: 1.631.4;
relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.630 21-Jan-2014 henning

if_item can be "any" now.
allows things like
block out on $someif received-on any
to prevent packets to get forwarded to $someif


# 1.629 20-Jan-2014 henning

support "!received-on <interface>", ok dlg benno


# 1.628 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.627 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


# 1.626 17-Oct-2013 henning

cannot have queue definitions inside anchors.
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@ring0.de>, analysis & fix yours truly


# 1.625 12-Oct-2013 henning

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen


# 1.624 01-Aug-2013 mikeb

Provide local implementations of if_nametoindex(3) and if_indextoname(3)
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance wise this change provides a speed up
factor of 20 with an 11k line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).

"wow!" henning, ok benno, florian


Revision tags: OPENBSD_5_4_BASE
# 1.623 01-Jun-2013 henning

branches: 1.623.2;
remove set-tos backwards compat, moved into the set {} block a year ago
ok ryan


# 1.622 02-Mar-2013 sthen

When a PF rule contains 'set tos' *followed by* a scrub option, the tos
value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning


Revision tags: OPENBSD_5_3_BASE
# 1.621 16-Jan-2013 henning

for consistency with prio etc, the queue assignment really belongs
into the set block. so make pfctl accept, print and the manpage document
. match set queue foo
instead of
. match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc


# 1.620 18-Oct-2012 reyk

Disallow tables and interface address pools for rdr-to, nat-to and
route-to with any other scheduling algorithms than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, eg. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.

Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.

ok zinke@


# 1.619 18-Sep-2012 henning

prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb


Revision tags: OPENBSD_5_2_BASE
# 1.618 10-Jul-2012 bluhm

Allow an implicit address family for af-to rules. If the address
family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6"
there.
OK henning@ mikeb@


# 1.617 10-Jul-2012 henning

set { ... } -> set ( ... )
brought up by ryan, discussed with him and theo and they convinced me


# 1.616 09-Jul-2012 henning

fix some of the confusion we have in pf regarding filter criteria vs
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler


# 1.615 07-Jul-2012 henning

remove incorrect check in pfctl preventing set-tos for ipvshit.
the kernel has code to deal with set-tos and that crap. don't ask for
details. stuart ok


# 1.614 07-Jul-2012 henning

rename prio in struct pf_rule and related structs to set_prio so it is
utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc


Revision tags: OPENBSD_5_1_BASE
# 1.613 19-Dec-2011 mikeb

unbreak rule optimizer; ok henning, looks


# 1.612 12-Dec-2011 mikeb

fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault


# 1.611 03-Dec-2011 mcbride

pfctl_set_hostid always returns 0; don't pretend otherwise and make it a
void function instead.

ok dlg


# 1.610 13-Oct-2011 claudio

pfctl change for af-to / NAT64 support.
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@


# 1.609 07-Sep-2011 haesbaert

Avoid possible SIGSEGV when wrong tos option.


# 1.608 30-Aug-2011 mikeb

One shot rules can be used in pf.conf by specifying a "once" filter option.

ok henning, mcbride


Revision tags: OPENBSD_5_0_BASE
# 1.607 29-Jul-2011 mcbride

Remove requirement to quote 'debug' loglevel for the 'debug' option.

ok henning


# 1.606 27-Jul-2011 mcbride

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt


# 1.605 13-Jul-2011 mcbride

Force user to specify protocol when filtering on user, gid, and os
attributes (this is now required by pf_rule_test()).

ok sthen henning


# 1.604 08-Jul-2011 henning

allow rules to specify "prio X" or "prio (X, Y)" to assign priority levels
for the new priority queueing implementation. valid range is 0 to 7. the old
trick for prioritizing empty ACKs etc remains thru the latter notation
ok ryan mpf sthen plus pea testing and halex and claudio reading


# 1.603 07-Jul-2011 mcbride

Fold pf_test_fragment() into pf_test_rule(), reduces code and fixes
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus


# 1.602 04-Jul-2011 henning

bye bye require-order.
i added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo


# 1.601 03-Jul-2011 henning

g/c RIO traces (aka clean up after tedu :))


# 1.600 03-Jul-2011 zinke

bring in least-states load balancing algorithm

ok mcbride@ henning@


# 1.599 06-Apr-2011 claudio

Userland bits to allow PF to filter on the rdomain a packet belongs to.
This allows to write rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@


# 1.598 05-Apr-2011 mikeb

ditch fastroute, an ipf feature that made its way into pf before
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do. reuse some kernel bits for the upcoming nat64
stuff. "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.


Revision tags: OPENBSD_4_9_BASE
# 1.597 31-Dec-2010 bluhm

According to pf_scrub_ip6() pf does not support the scrub options
no-df, random-id, set-tos for IPv6 rules. Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@


# 1.596 15-Dec-2010 henning

make the "invalid probability:" yyerror suck less
From: Thomas Pfaff <tpfaff@tp76.info>


# 1.595 01-Dec-2010 jsg

remove some unused tokens
ok henning@ mcbride@


# 1.594 24-Sep-2010 henning

remove the check that enforced rdr-to only inbound and nat-to only outbound.
both now can be used in both directions. the kernel allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given, a rule with rdr-to and/or nat-to
and no direction is pretty certainly an error (even though it would work,
technically)
ok ryan claudio dlg


# 1.593 22-Sep-2010 henning

new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually


# 1.592 02-Sep-2010 sobrado

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@


Revision tags: OPENBSD_4_8_BASE
# 1.591 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.590 03-Jul-2010 mcbride

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.

tested by phessler
ok henning


# 1.589 23-Mar-2010 henning

remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving anchors aside) is wrong and
conflicts with the general idea of how pf works. last but not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc


Revision tags: OPENBSD_4_7_BASE
# 1.588 13-Jan-2010 deraadt

Move tokens before productions into more consistent places
ok mcbride


# 1.587 13-Jan-2010 mcbride

Allow /netmask notation in redir spec, fix the rest of the regress
tests for illegal conditions in translation/routing.


# 1.586 12-Jan-2010 mcbride

We actually have to keep the translate/route spec addresses around after
collapsing into tables, so that we can handle all possible address family
expansions.


# 1.585 12-Jan-2010 mcbride

Set roundrobin flag correctly, and don't treat a bare interface
like a dynamic one in the routespec.


# 1.584 12-Jan-2010 mcbride

Add restrictions to make @if illegal outside of routing specs;
Fix binat-to sanity checks.


# 1.583 12-Jan-2010 mcbride

Fix some issues in redir spec handling, discovered thanks to dlg testing
- purge irrelevant addresses from the lists before collapsing
- ensure the lists are freed after they're collapsed
- more careful ifname copying, avoiding double-free / use-after-free traps


# 1.582 12-Jan-2010 mcbride

Don't leak @if0 format routing host names, pointed out by claudio.


# 1.581 12-Jan-2010 mcbride

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio


# 1.580 10-Jan-2010 deraadt

lex <=, >=, and != into a single token for correctness and to reduce the
lookahead in the parser
ok henning otto


# 1.579 10-Jan-2010 deraadt

In the non-optimized case, an address list containing "any" (ie. { any 10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1. How long this bug has
been with us is unclear.
ok guenther mcbride


# 1.578 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


# 1.577 24-Dec-2009 dlg

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:

pass out on em0 from $foo to $bar received-on fxp0

ive been running this in production for a week now. i find it particularly
useful with interface groups.

no objections, and a few "i like"s from henning, claudio, deraadt, mpf


# 1.576 10-Dec-2009 deraadt

plug some memory leaks; found by parfait, ok henning


# 1.575 22-Nov-2009 henning

cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing


# 1.574 09-Nov-2009 jsg

A few more places to be updated for the route pool change.
expanded version of a diff from Vadim Zhukov.

ok henning@ claudio@


# 1.573 28-Oct-2009 jsg

Add a dedicated pf pool for route options as suggested by henning,
which unbreaks i.e. route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@


# 1.572 28-Oct-2009 claudio

route_host initializes the netmask to a /128 no matter what af is used so
that the load balancing code does not freak out but because of this
check_netmask() is now complaining. So set the addr.type to PF_ADDR_DYNIFTL
so check_netmask() is fixing up the netmask for IPv4 and stops complaining.
This is a partial fix for the failing regress test 13.
found with jsg, looks good henning


# 1.571 28-Oct-2009 claudio

Correct function name in err and errx.


# 1.570 04-Oct-2009 michele

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who pointed out the limitations of this approach.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@


# 1.569 08-Sep-2009 michele

I had not enough oks to commit this diff.
Sorry.


# 1.568 08-Sep-2009 michele

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.


# 1.567 07-Sep-2009 reyk

implement binat-to as a macro-like rule: a rule using the new binat-to
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. this simplifies the migration from old
binat rules and is less error-prone.

feedback from many, manpage bits from jmc@
ok henning@


# 1.566 03-Sep-2009 reyk

this time i commit the right diff that was
ok henning@ (sorry)


# 1.565 03-Sep-2009 reyk

fix two route-to vs. rdr-to conflicts.

found by sthen@
ok henning@


# 1.564 02-Sep-2009 reyk

all the new *-to options are part of the "filteropts" section at the
end of a pf rule (nat-to, divert-to, rdr-to, ...). take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.

for example,
pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)

many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@


# 1.563 01-Sep-2009 henning

the diff theo calls me insanae for:
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too


# 1.562 28-Jul-2009 claudio

Bring back rev. 1.560:
Make it possible to use DiffServ Code Point in the TOS fields.
Requested by deraadt@


# 1.561 27-Jul-2009 deraadt

When will people learn to commit their .h file changes?


# 1.560 27-Jul-2009 claudio

Make it possible to use DiffServ Code Point in the TOS fields. Names like
af11, cs6 and ef will now be mapped to the corresponding TOS value.
OK henning@, sthen@, mcbride@


Revision tags: OPENBSD_4_6_BASE
# 1.559 14-May-2009 sthen

actually change the require-order default to No; I missed a part with
my last commit. ok deraadt@


# 1.558 26-Apr-2009 sthen

switch the require-order default to "no". regression tests still pass.
ok henning@ deraadt@


# 1.557 25-Apr-2009 henning

scrub_opts must not be empty, scrub on its own does nothing.
noticed due to a question from otto@, ok regress/sbin/pfctl/ ;)


# 1.556 06-Apr-2009 henning

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.


Revision tags: OPENBSD_4_5_BASE
# 1.555 19-Feb-2009 deraadt

spacing


# 1.554 17-Oct-2008 henning

in findeol(), do not skip the pushback buffer. fixes PR 5952 by sthen@ and
should make the pushback buffer really transparent.
diagnosis by me, fix with mpf, some input deraadt, ok mpf


# 1.553 02-Oct-2008 henning

implement "set state-defaults X", where X is a list of state options as
permitted keep state(X). applies to all rules which do not have keep state
explicitly. e. g. "set state-defaults pflow, no-sync"
ok phessler deraadt


# 1.552 10-Sep-2008 deraadt

do not try to print $$ when it has not been set


# 1.551 09-Sep-2008 henning

welcome pflow(4), a netflow v5 compatible flow export interface.
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo


# 1.550 07-Aug-2008 henning

correctly copy the log interface spec when expanding an antispoof rule that
covers loopback addresses. ok ryan
problem report from Harald Dunkel <harald.dunkel@aixigo.de>


Revision tags: OPENBSD_4_4_BASE
# 1.549 03-Jul-2008 deraadt

do not forget to initialize other member of $$ in qname; noted by mark shroyer
ok henning


# 1.548 10-Jun-2008 mcbride

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt


# 1.547 10-Jun-2008 henning

new state option "sloppy" to use the sloppy tcp state tracker instead
of the good one. ok theo ryan reyk


# 1.546 09-May-2008 deraadt

Replace a crockpot of semi-cloned productions for handling port
numbers with one, and fix a few other bugs along the way
ok mpf henning


# 1.545 09-May-2008 markus

convert port byte order in the production; add port keyword; ok deraadt@


# 1.544 09-May-2008 markus

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@


# 1.543 08-May-2008 deraadt

make "to any" optional in binat, or well, the implied default.
requested by reyk, ok reyk mpf


# 1.542 08-May-2008 deraadt

Loosen grammar to permit any number of newlines within most kinds of { }
blocks, as requested by reyk; ok reyk mpf henning


# 1.541 08-May-2008 deraadt

Bring back (in a more yacc friendly way) support for setting variables
to a sequence of strings and numbers, which get folded together into one
string (and later, when used, is re-lexed)
ok mpf


# 1.540 07-May-2008 deraadt

do not assume PF_INOUT is 0 in the enum; ok mcbride


# 1.539 07-May-2008 markus

scrub packets based on tags; ok henning


# 1.538 07-May-2008 markus

allow setting TOS with scrub; ok mcbride, claudio


# 1.537 21-Apr-2008 deraadt

optnl is a crutch for those who do not understand yacc. it
leads to a variety of errors; ok mcbride


Revision tags: OPENBSD_4_3_BASE
# 1.536 01-Feb-2008 mcbride

Enable the rest of the filter_opts to be used on anchors. These were accepted
by the parser but not passed to the kernel. This allows filtering based on
uid, gid, icmp options, tcp flags, os fingerprint, tos, tags, and probability;
It also allows the label to be set. State options and tagging are not
permitted.

ok henning mpf


# 1.535 13-Nov-2007 mpf

Bring back the number converter for 'set hostid'.
I forgot to think about hex numbers when I removed it.
OK deraadt@


# 1.534 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.533 25-Oct-2007 mpf

Fix probability rules w/ numbers (e.g. probability 0.4).
Add support for probabilities of 0% and 100%.
With and OK deraadt@


# 1.532 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.531 22-Oct-2007 deraadt

pfctl does not need file secrecy


# 1.530 16-Oct-2007 mpf

Allow unquoted numbers in variables.
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.

OK deraadt@


# 1.529 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.528 13-Oct-2007 deraadt

support an include directive; file of course must also be "secure" like
the main configuration file; ok henning


# 1.527 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.526 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.525 01-Oct-2007 mpf

Backout NUMBER to string conversion.
Requested by deraadt@


# 1.524 27-Sep-2007 mpf

Add loginterface support for groups.
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.

OK henning@, markus@


# 1.523 23-Sep-2007 mpf

Allow numbers to be used as unquoted strings again.
While there, also restrict the use of concatenated, unquoted
strings for variable assignments only.

Eyeballed by markus@, OK henning@


# 1.522 12-Sep-2007 deraadt

add a missing range check for rtable ids; ok cloder henning


# 1.521 12-Sep-2007 deraadt

Add support to the lex for parsing numbers out of the stream. handle
this in the parser. because the new numbers are int64_t, many new
range checks for < 0 are needed. re-check and improve all the
existing range checks while at it. thanks for help by cloder and
dhartmei


# 1.520 30-Aug-2007 dhartmei

add support for address ranges ("from 10.1.2.50 - 10.1.3.75") in from/to
criteria. ok mcbride@


Revision tags: OPENBSD_4_2_BASE
# 1.519 21-Jun-2007 henning

always initialize logif, from max laier, ok ryan


# 1.518 20-Jun-2007 mpf

Allow "log" for nat rules without "pass".
OK henning@, ``passt scho'' markus@


Revision tags: OPENBSD_4_1_BASE
# 1.517 03-Feb-2007 dhartmei

in decide_address_family(), only limit a rule to a specific address family
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@


# 1.516 07-Nov-2006 mcbride

Unbreak authpf by handling non-inline anchors separately from the { } anchors
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.

ok deraadt@


# 1.515 31-Oct-2006 mcbride

Allow pfctl ruleset optimizer to be controlled from the ruleset.

"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]

You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.

cleanup and ok henning@


# 1.514 31-Oct-2006 mcbride

- don't allow anchors with _* names to be cleared or loaded from the
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified

'looks sensible' deraadt@


# 1.513 28-Oct-2006 mcbride

Load all rules into memory before loading into the kernel, and add support
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").

anchor on fxp0 {
pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@


# 1.512 25-Oct-2006 henning

make absolutely sure logif is 0 unless set specifically, even if log is 0.
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...


# 1.511 25-Oct-2006 henning

and another nit, $$.log should be set to 0 explicitly on quick without log


# 1.510 25-Oct-2006 henning

urgs, $$.quick needs to be set to 0 explicitly on log (without quick)


# 1.509 25-Oct-2006 henning

allow the log interface to be selected like
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride


# 1.508 17-Oct-2006 mcbride

Don't automatically set 'flags S/SA' on stateless rules.

pointed out by david@

ok mpf@ dhartmei@


# 1.507 11-Oct-2006 deraadt

quotes around filename, pr 5253, sthen@zephyr.spacehopper.org


# 1.506 11-Oct-2006 mcbride

Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside
the anchor, terminate ruleset evaluation when stepping out of the anchor.

This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.

ok dhartmei@ henning@ deraadt@


# 1.505 06-Oct-2006 mcbride

Oops, flags S/SA doesn't work on fragments.


# 1.504 06-Oct-2006 mcbride

Make 'flags S/SA keep state' the implicit for filter rules, based on
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.

IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.

Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.

ok dhartmei@ deraadt@ henning@


Revision tags: OPENBSD_4_0_BASE
# 1.503 22-Aug-2006 dhartmei

back out -r1.497 (support for "tagged {}" lists), it broke "tagged" support
for nat rules. sorry, existing functionality trumps syntactic sugar. feel
free to resubmit a complete patch. closes PR 5207.


# 1.502 06-Jul-2006 henning

add "rtable" to select alternate routing tables.
with & ok claudio hshoexer


# 1.501 17-Jun-2006 henning

KNF


# 1.500 28-May-2006 mcbride

Make per-rule adaptive timeouts behave the same way as the global adaptive
timeouts.


# 1.499 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.498 02-May-2006 dhartmei

fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, create
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.


# 1.497 01-May-2006 dhartmei

add support for "tagged {}" lists, from Pierre-Yves Ritschard


# 1.496 06-Apr-2006 henning

allow lists inside lists for address specs, has been in my tree for
quite some time... theo likes


# 1.495 14-Mar-2006 djm

implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@


Revision tags: OPENBSD_3_9_BASE
# 1.494 17-Nov-2005 dhartmei

for pfctl -f rules, open the file before resetting options. when opening
the file fails, produce only the error message and leave options
unchanged. reported by Tamas TEVESZ, ok deraadt@


# 1.493 13-Oct-2005 henning

unused parameters


Revision tags: OPENBSD_3_8_BASE
# 1.492 14-Jun-2005 henning

no need to restrict tagging to stateful rules any more, dhartmei ok
From: "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.491 27-May-2005 dhartmei

get rid of 'log-all'. now that we have 'log (options)', make 'all' an
option to log. so, 'log-all' becomes 'log (all)'.


# 1.490 27-May-2005 dhartmei

get rid of shift/reduce conflicts, don't support empty logopts


# 1.489 27-May-2005 dhartmei

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v is used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.


# 1.488 27-May-2005 dhartmei

allow 'tagged' in 'anchor' rules (without complaining about missing
'keep state'), as a condition to branch into the anchor. suggested
by Bill Marquette.


# 1.487 26-May-2005 camield

The illegalness of "no nat log" is already enforced by the grammar.

ok dhartmei


# 1.486 26-May-2005 dhartmei

support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@


# 1.485 23-May-2005 camield

remove code that duplicates getservice()

ok dhartmei mcbride


# 1.484 21-May-2005 henning

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo


# 1.483 22-Apr-2005 camield

Catch bad flags, ie. flags that always evaluate to false. This happens
if there are flags on the left-hand side that are masked off by the
right-hand side.

ok mcbride@ (long time ago) dhartmei@ henning@


Revision tags: OPENBSD_3_7_BASE
# 1.482 07-Mar-2005 henning

print unsigned long with %lu, not with %d and not with %ld.
From: Andrey Matveev <andrushock@korovino.net>


# 1.481 06-Mar-2005 henning

allow commas in the hfsc service curve spec, inconsistency pointed out in
PR4134 / geoff@collyer.net and a longer mail exchange with han boetes


# 1.480 06-Mar-2005 dhartmei

print "set skip on" with -v in such a way that the output is valid input
syntax, instead of the cryptic hex flags output.


# 1.479 27-Feb-2005 dhartmei

support 'tagged' in translation rules, non-delayed tag lookup
ok henning@, deraadt@


# 1.478 26-Feb-2005 henning

you sure get the impression the number of memory leaks in error paths
is infinite... Andrey Matveev <andrushock@korovino.net> spotted a few again!


# 1.477 07-Feb-2005 david

KNF; ok henning@


# 1.476 28-Jan-2005 dhartmei

add messages for syntax errors that caused silent failure before.
found by Peter Fraser, ok henning@


# 1.475 27-Jan-2005 dhartmei

dynamic interface names must start with a letter. catches the nonsensical
"(10.1.2.3)" that results from a simple typo like "$(ext_ip)" instead of
"$(ext_if)".


# 1.474 05-Jan-2005 mcbride

Modify pfctl behaviour so that 'set ...' options are no longer "sticky", ie.
they are reset to default values if omitted from a subsequent ruleset load.
Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set
without resetting the others, eg:
# echo "set loginterface fxp0" | pfctl -mf -

ok henning@ dhartmei@


# 1.473 29-Dec-2004 mcbride

Print 'set fingerprints' correctly when parsing verbosely.


# 1.472 23-Dec-2004 dhartmei

set rule_flag PFRULE_SRCTRACK when setting srctrack, found by camield@
using regress test pf84


# 1.471 22-Dec-2004 dhartmei

Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@


# 1.470 15-Dec-2004 henning

missing free()s; with pat


# 1.469 10-Dec-2004 henning

allow pf to filter on route labels
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan


# 1.468 08-Dec-2004 mcbride

Add "'overload' requires 'max-src-conn' or 'max-src-conn-rate'" sanity check,
fix some cut-n-paste mayhem in other related checks.


# 1.467 07-Dec-2004 dhartmei

re-commit mcbride@'s 'flush global', this time without the breakage in
pfvar.h. builds kernel and userland.


# 1.466 07-Dec-2004 deraadt

real backout


# 1.465 07-Dec-2004 deraadt

oops, incomplete backout


# 1.464 07-Dec-2004 deraadt

tree does not compile, spotted by dlg (not obvious how to fix)
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.463 07-Dec-2004 mcbride

Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.462 05-Dec-2004 dhartmei

initialize $$->tail and $$->next for MAXSRCCONNRATE


# 1.461 04-Dec-2004 mcbride

Userland support for limiting open tcp connections per source. eg:

keep state (max-src-conn 1000, max-src-conn-rate 100/10, overflow <bad> flush)

allow a maximum of 1000 open connections or 100 new connections in 10 seconds.
The addresses of offenders are added to the <bad> table which can be used in
the ruleset, and existing states from that host are flushed.

ok deraadt@ dhartmei@


# 1.460 21-Sep-2004 aaron

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok


Revision tags: OPENBSD_3_6_BASE
# 1.459 29-Jun-2004 henning

remove cedric's bogus interface name verification code.
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nice enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being bugged to regularly.
help & ok mcbride@


# 1.458 29-Jun-2004 frantzen

convert a few memcpy()s to strlcpy() so we don't copy uninitialized junk into
an interface name's slack space past the \0. will be needed for the optimizer.
ok henning@


# 1.457 26-Jun-2004 david

add back PF_INOUT, fixes reassemble tcp
ok canacar@ mcbride@


# 1.456 25-Jun-2004 deraadt

repair tree nanobreak by the nanobum


# 1.455 10-Jun-2004 dhartmei

rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
keyword in C++. ok henning@, cedric@


# 1.454 21-May-2004 dhartmei

Use '/' instead of ':' as separator for anchor path components. Note that
the parser now needs quotes around paths containing separators.
ok mcbride@


# 1.453 19-May-2004 dhartmei

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@


# 1.452 24-Apr-2004 cedric

Add "probability xxx" rule modifier. ok deraadt@


# 1.451 22-Apr-2004 henning

typo, From: Jared Yanovich <jjy2+@pitt.edu>


# 1.450 14-Apr-2004 cedric

make antispoof work with dynamic addresses. ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_5_BASE
# 1.449 20-Mar-2004 david

spelling fix; ok dhartmei@ henning@ deraadt@


# 1.448 14-Mar-2004 dhartmei

#include fixes, from Max Laier, ok beck@ henning@


# 1.447 08-Mar-2004 henning

plug 124 memory leaks
ok mcbride@ pb@ dhartmei@


# 1.446 06-Mar-2004 henning

from bgpd:
plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. err(1, "yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.445 01-Mar-2004 dhartmei

support "tagged <name>" on anchor rules, suggested by vd@vmunix.lt,
ok henning@, cedric@


# 1.444 24-Feb-2004 mcbride

'max-src-nodes' requires 'source-track rule'. Set that automatically,
unless 'source-track global' is explicit, in which case error out. Lots of
help from cedric@.

ok cedric@ henning@


# 1.443 24-Feb-2004 cedric

fixup.


# 1.442 24-Feb-2004 mcbride

Check for 'source-track rule' with 'max-src-nodes'.

ok cedric@ henning@


# 1.441 11-Feb-2004 cedric

Fix interface clobbering for link-local addresses. Found by Pyun YongHyeon.
Fix "antispoof for foo" when foo has no addresses.
ok+help dhartmei@, ok mcbride@


# 1.440 10-Feb-2004 henning

KNF


# 1.439 10-Feb-2004 henning

fix at least the worst of Cedric "KNF is for everybody but me" Berger's fuckup


# 1.438 04-Feb-2004 mcbride

Handle rules like 'pass ... proto { tcp udp icmp } ... modulate state'

ok dhartmei@ henning@


# 1.437 03-Feb-2004 henning

fix PR 3664 / jared r r spiegel
we need to save the unexpanded tag/tagged strings before entering the
expansion loop, and at each loop, start with the unexpanded tag, so that
on subsequent loops the macros are replaced with current values and not
the values from previous loop persist
ryan theo ok


# 1.436 05-Jan-2004 henning

few off by ones in strlcpy overflow check; Patrick Latifi


# 1.435 04-Jan-2004 cedric

don't ignore "!" on "binat on !foo". ok mcbride@


# 1.434 31-Dec-2003 deraadt

spacing. note this, cedric


# 1.433 31-Dec-2003 cedric

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@


# 1.432 30-Dec-2003 henning

fix TAILQ abuse.
TAILQ_REMOVE is a no-no within a TAILQ_FOREACH loop.
also free the symbol itself after removal.
all found while hacking bgpd which incorporates pfctl's sym code (macros).

ok cedric@


# 1.431 19-Dec-2003 henning

i wrote much of these, assert my copyright


# 1.430 19-Dec-2003 deraadt

assert copyright. i rewrite much of this


# 1.429 16-Dec-2003 mcbride

Check that max-src-states and max-src-nodes are not being set to 0.


# 1.428 15-Dec-2003 henning

KNF here too


# 1.427 15-Dec-2003 mcbride

Whitespace.


# 1.426 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


# 1.425 15-Dec-2003 mcbride

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@


# 1.424 29-Nov-2003 dhartmei

allow ':' (range including boundaries) to be used wherever '><' (range
excluding boundaries) is legal. already supported by kernel, requires only
removal of three error messages. ok henning@


# 1.423 22-Nov-2003 henning

daniel stumbled over a broken regress test, and it turned out that I forgot
to commit a diff from 11/6...
do not insert the "block in on ! interface" rule for antispoof statements when
the interface in question does not have any IP address, because that then
expands to
block in on ! interface all
which is obviously bad.
niklas@ found it, dhartmei@ ok, and I think some more ppl ok I don't remember


# 1.422 14-Nov-2003 henning

allow the debuglevel to be set from pf.conf (set debug)

ok cedric@


# 1.421 08-Nov-2003 mcbride

Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.

pass in proto tcp to self flags S/SA keep state (no-sync)

ok cedric@ henning@ dhartmei@


# 1.420 06-Nov-2003 henning

and fix two err() that should be errx() while being here


# 1.419 06-Nov-2003 henning

need calloc here


# 1.418 06-Nov-2003 henning

allow the label macros to be used in tags as well.
the idea is not mine and I'd love to get credit, but I cannot find the mail
any more :-((

ok canacar@ dhartmei@


# 1.417 21-Oct-2003 itojun

don't use NULL as (int)0. henning ok


# 1.416 26-Sep-2003 cedric

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:

- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK

Ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_4_BASE
# 1.415 01-Sep-2003 henning

KNF


# 1.414 28-Aug-2003 kjell

This change is busted. what's worse, REGRESSION TESTS WOULD HAVE CAUGHT IT!
You MUST test network stack changes on BOTH BYTE-ORDERS.
Someone can fix this later, but right now I need to get the damn
firewall up. Grr.


# 1.413 26-Aug-2003 dhartmei

catch port/user/group a <>/>< b with a >= b, from mpech@


# 1.412 25-Aug-2003 dhartmei

catch return-rst ttl values > 255, from aaron@


# 1.411 24-Aug-2003 cedric

Tweaks:
- Make sure we allow only tables in round-robin pools for routing options,
same as what we do for translation rules.
- Don't reject rules like: "nat on sis0 -> <foo>" because
"no address family is given". This is perfectly valid.
ok henning@


# 1.410 22-Aug-2003 david

pf spelling police
ok dhartmei@ jmc@


# 1.409 21-Aug-2003 frantzen

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001


# 1.408 20-Aug-2003 henning

braindeadness police: catch queues which specify themselves as child... 'nuff said


# 1.407 20-Aug-2003 henning

err out nicer on errors in queue def


# 1.406 18-Aug-2003 dhartmei

catch max-mss values > 65535, report by Gregory Steuck


# 1.405 09-Aug-2003 cedric

This patch removes the restriction that tables cannot be used in routing or
redirection rules...

The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.

This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.

Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"

ok henning@ mcbride@


# 1.404 29-Jul-2003 deraadt

indent


# 1.403 19-Jul-2003 cedric

Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
instead of indirectly through struct pf_rule_addr.

Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.

Needless to say: KERNEL/USERLAND SYNC REQUIRED.

ok henning@ mcbride@


# 1.402 18-Jul-2003 cedric

Simplify handling of flags (-R, -N...). Remove PFCTL_FLAG_ALL.
ok dhartmei@


# 1.401 15-Jul-2003 cedric

Repair memory management in table parsing code.
I need vacations.
Found and verified by Pyun YongHyeon.
ok dhartmei@


# 1.400 14-Jul-2003 dhartmei

tpo


# 1.399 11-Jul-2003 cedric

Better parsing and -v support for tables:

- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and bring table definition consistent with other
parsed rules.

ok dhartmei@


# 1.398 10-Jul-2003 cedric

Fix merging of host lists.
ok dhartmei@ henning@


# 1.397 04-Jul-2003 henning

KNF after cedric (grmpf)


# 1.396 04-Jul-2003 henning

allow for a "pass" modifier on translation rules:
nat pass on $ext_if from $a to $b -> $ext_if
when the pass modifier is given, the filter ruleset is _not_ evaluated but
the packets matching this translation rule are passed unconditionally.

ok dhartmei@ cedric@ markus@


# 1.395 03-Jul-2003 cedric

Bye bye atexit(), bye bye globals...
The pfctl.c part will probably need some further improvements.
ok henning@


# 1.394 03-Jul-2003 cedric

This patch finally cleans up pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@


# 1.393 19-Jun-2003 deraadt

knf


# 1.392 18-Jun-2003 henning

change expand_label_addr() to use a switch (h->addr.type) instead of
if .. else if .. else, and handle PF_ADDR_NOROUTE as well.
inspired by a comment from cedric.


# 1.391 18-Jun-2003 henning

when expanding the $srcaddr/$dstaddr label macros and the address is actually
a table reference, don't print nonsense but the table name.
found by claudio jeker, fix by me, agreement by cedric


# 1.390 09-Jun-2003 mcbride

Attempt to resolve byte order confusion in nat code once and for all.

- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()

NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.


# 1.389 25-May-2003 henning

must not run check_netmask() before remove_invalid_hosts() - binat case had it
wrong for the redirection target.
reported by jared r r spiegel <jrrs@ice-nine.org>


# 1.388 19-May-2003 henning

reject invalid netmasks like 10.0.0.0/68, and fix up the netmask for
dynaddr rules after we know the address family

ok dhartmei@, inspired by a session with bob


# 1.387 19-May-2003 henning

all host() receivers have to test for NULL


# 1.386 19-May-2003 henning

if host() returns NULL, it is an error, so err the fuck out and don't
load bullshit


# 1.385 17-May-2003 henning

support inverse matching on tags like
block in ! tagged sometag

ok dhartmei@ pb@


# 1.384 16-May-2003 dhartmei

TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive end-
point, preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@
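The handshake this commit describes, as an added model that is not pf's kernel code: the firewall answers the client's SYN itself with its own random ISN, opens the connection to the passive endpoint only after the client's ACK proves the source address was real, and from then on translates sequence numbers by the difference between the two ISNs. The class name SynProxy, the stage names, the dict-based packets and the decision to replay the client's ISN toward the server are simplifications chosen for this example, not a description of pf's state structure.

```python
import os
import struct

SEQ_MOD = 1 << 32


def random_isn():
    """Unpredictable 32-bit initial sequence number (pf uses random ISNs)."""
    return struct.unpack(">I", os.urandom(4))[0]


class SynProxy:
    """One TCP state entry.  Stages: SYN_RCVD (handshake with the active
    endpoint in progress), PROXY_SYN (handshake with the passive endpoint in
    progress), ESTABLISHED (packets flow, sequence numbers are translated).
    No cookie is needed: the state entry itself remembers proxy_isn."""

    def __init__(self, client_isn, isn_source=random_isn):
        self.client_isn = client_isn % SEQ_MOD
        self.proxy_isn = isn_source() % SEQ_MOD   # ISN we offer the client
        self.server_isn = None
        self.delta = 0                             # server_isn - proxy_isn once known
        self.stage = "SYN_RCVD"

    def on_client_syn(self):
        """Answer the SYN ourselves; the passive endpoint sees nothing yet."""
        return {"flags": "SA", "seq": self.proxy_isn,
                "ack": (self.client_isn + 1) % SEQ_MOD}

    def on_client_ack(self, ack):
        """Third packet of the client handshake.  Only an ACK matching our ISN
        proves the client received the SYN/ACK, i.e. its source address was
        not spoofed; only then open the real connection to the passive
        endpoint (replaying the client's ISN, an assumption of this model)."""
        if self.stage != "SYN_RCVD" or ack != (self.proxy_isn + 1) % SEQ_MOD:
            return None   # drop; a spoofed SYN never gets past this point
        self.stage = "PROXY_SYN"
        return {"flags": "S", "seq": self.client_isn, "ack": 0}

    def on_server_synack(self, seq, ack):
        """SYN/ACK from the passive endpoint; learn its ISN, finish handshake."""
        if self.stage != "PROXY_SYN" or ack != (self.client_isn + 1) % SEQ_MOD:
            return None
        self.server_isn = seq % SEQ_MOD
        self.delta = (self.server_isn - self.proxy_isn) % SEQ_MOD
        self.stage = "ESTABLISHED"
        return {"flags": "A", "seq": (self.client_isn + 1) % SEQ_MOD,
                "ack": (self.server_isn + 1) % SEQ_MOD}

    def translate(self, pkt, direction):
        """Sequence number modulation after both handshakes: the client
        acknowledges proxy_isn-based numbers, the server sends server_isn-based
        ones, so ACKs going to the server get +delta and sequence numbers
        coming from it get -delta.  Client sequence numbers are unchanged."""
        if self.stage != "ESTABLISHED":
            return None
        out = dict(pkt)
        if direction == "client->server":
            out["ack"] = (pkt["ack"] + self.delta) % SEQ_MOD
        elif direction == "server->client":
            out["seq"] = (pkt["seq"] - self.delta) % SEQ_MOD
        else:
            raise ValueError("unknown direction %r" % direction)
        return out


if __name__ == "__main__":
    st = SynProxy(client_isn=1000, isn_source=lambda: 5000)   # fixed ISN for the demo
    print(st.on_client_syn())                                  # SYN/ACK to client
    print(st.on_client_ack(5001))                              # SYN to server
    print(st.on_server_synack(seq=9000, ack=1001))             # ACK to server
    print(st.translate({"seq": 1001, "ack": 5001}, "client->server"))
```

Note what the spoofed-SYN case looks like here: a SYN whose ACK never arrives leaves the entry in SYN_RCVD, so on_client_ack and translate both return None and the passive endpoint is never contacted.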


# 1.383 15-May-2003 henning

properly complain about too long tags


# 1.382 14-May-2003 frantzen

add scrub modifier "reassemble tcp" to turn on stateful TCP normalizations
ok henning@ dhartmei@


# 1.381 14-May-2003 henning

tagging on binat


# 1.380 14-May-2003 henning

enabled tagging on rdr rules


# 1.379 14-May-2003 henning

with tag/tagged given, only whine about missing keep state on pass rules


# 1.378 14-May-2003 frantzen

allow SCRUB rules to specify protocol again. broken sometime in the past.
okie dhartmei@, yay pb@


# 1.377 14-May-2003 henning

tags on nat rules:
nat on $ext_if all tag humppa -> $ext_if
pass out tagged humppa keep state


# 1.376 13-May-2003 henning

make sure tagging is only ever used with stateful filter rules


# 1.375 13-May-2003 henning

userland part for tagging.
it's now possible to tag packets with an arbitrary tag and filter based on
that tag later on other interfaces:
pass in quick on fxp0 keep state tag blah
pass out quick on wi0 keep state with tag blah
can be used to express trust between interfaces, to distinguish between
NATed connections and connection originating from the firewall itself
and much more

ok dhartmei@ frantzen@ pb@ mcbride@


# 1.374 11-May-2003 mcbride

Don't ntohs() the translation port for nat as it is already in host byte order.
Makes nat ... -> $ext_if port 500 rules work correctly again.

ok henning@ dhartmei@ frantzen@


# 1.373 10-May-2003 henning

support loading of anchors from within the main ruleset via
load anchor anchorname:rulesetname file /path/to/file

ok pb@ dhartmei@ cedric@


# 1.372 03-May-2003 henning

don't free() the char * carrying the rule label too early
noticed by Mathieu Sauve-Frankel <m.sauve at secureops.net> via silc


# 1.371 01-May-2003 henning

ease label handling

ok cedric@


# 1.370 01-May-2003 henning

allow label on antispoof; requested by Gregor Binder <gbinder at sysfive.com>

ok cedric@


# 1.369 30-Apr-2003 cedric

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@


# 1.368 25-Apr-2003 dhartmei

Properly copy the second part of nat proxy port range, when specified.
ok henning@


# 1.367 15-Apr-2003 henning

pass down the unparsed queue opts (struct node_queue_opt) to
print_altq/print_hfsc -> print_hfsc_opts and extract struct node_hfsc_sc
there for each service curve and pass those down to print_hfsc_sc. now
bandwidth specifications in the service curves are printed correct in the
case of a queue belonging to more than one interface/parent queue, the
parent queues having different bandwidths and the bandwidth on the service
curve being specified in percent.


# 1.366 14-Apr-2003 henning

let print_altq and print_queue take a struct node_queue_bw parameter instead
of distinct bw_percent


# 1.365 13-Apr-2003 henning

KNF


# 1.364 13-Apr-2003 henning

prevent double service curve specification


# 1.363 13-Apr-2003 henning

add support for the HFSC linkshare, realtime, and upperlimit service curves
to be specified.


# 1.362 13-Apr-2003 dhartmei

unbreak (missing })


# 1.361 13-Apr-2003 henning

say bye bye to hfscflags_list and hfscflags_item
welcome hfscopts_list and hfscopts_item, returning a full struct
node_hfsc_opt instead of just an int for the flags. needed because of all
the opts hfsc knows


# 1.360 13-Apr-2003 henning

new struct node_hfsc_opts for, surprise, hfsc options. needed because they
contain bandwidth specifications and we need to carry the unprocessed bw
specs around for quite some time until we can break them down to absolute
values.


# 1.359 13-Apr-2003 henning

pass down the struct node_queue_opts from the altqif/queuespec yacc targets
to expand_altq/expand_queue -> eval_pfaltq/eval_pfqueue and
further down to the new eval_queue_opts() instead of evaluating them directly
in the yacc grammar.
this will be needed to process the hfsc options which can contain relative
bandwidth specifications, and we can't break them down to an absolute one
earlier.


# 1.358 13-Apr-2003 henning

move the structs node_queue_bw and node_queue_opt to pfctl_parser.h.
let eval_pfqueue() and eval_pfaltq() take a pointer to a struct
node_queue_bw instead of two distinct bw_absolute and bw_percent parameters.


# 1.357 13-Apr-2003 henning

move the bandwidth keyword from within the bandwidth target up to the
queue_opts target so the bandwidth parser can be used for other things too;
will be needed for hfsc's linkshare etc


# 1.356 12-Apr-2003 henning

initial support for the HFSC scheduler.
whoever uses that for more than toying around is on drugs. it's far from done.


# 1.355 11-Apr-2003 henning

KNF


# 1.354 11-Apr-2003 henning

don't set r->qid and r->pqid in expand_rule any more, queue name -> queue ID
mapping is done in kernel land now


# 1.353 07-Apr-2003 dhartmei

Catch and refuse invalid icmp codes (> 255). ok pb@, mpech@.


# 1.352 05-Apr-2003 henning

ease netmask handling a bit

input theo, ok dhartmei@


# 1.351 05-Apr-2003 henning

allow queue specs to be limited to certain interfaces.

altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two }
queue one priority 1 priq(default)
queue two on $if0 priority 15
queue two on ! $if0 priority 0

ok dhartmei@


# 1.350 05-Apr-2003 henning

whitespace KNF


# 1.349 04-Apr-2003 henning

clean up:
instead of letting the lexer interpret '<' '>' '=' '>=' '<=' and return them
as PF_OP_LT, PF_OP_GT etc etc etc in PORTUNARY, just let the lexer return
'<' '>' and '=' literally, and in the few cases where the old PORTUNARY was
really used like originally intended, replace that by a new unaryop yacc
target. in all other cases that gets rid of quite some checks whether PORTUNARY
is really < and nothing else etc etc etc.

ok cedric@ deraadt@


# 1.348 27-Mar-2003 henning

lotsa const char *
from David Hill <david at phobia.ms> a while ago


# 1.347 27-Mar-2003 henning

introduce a "yesno" target. eases code a bit and yes is no longer a keyword.


# 1.346 27-Mar-2003 henning

handle invalid priq/cbq flags better and give a nice error message


# 1.345 27-Mar-2003 henning

default, borrow, ecn, red and rio are no longer keywords. use STRING and
strcmp instead.


# 1.344 27-Mar-2003 henning

switch symset/symget to TAILQ instead of using hand baked lists

ok dhartmei@ cedric@


Revision tags: OPENBSD_3_3_BASE
# 1.343 19-Mar-2003 henning

branches: 1.343.2;
kill the address token and move the host() invocation up to the host token,
so that host() always gets the full address to be parsed including the
netmask instead of applying the netmask afterwards. this could break some
edge cases and was broken since the (interface)/24 fix.
new token dynaddr for, well, dynaddr, and apply an eventually given netmask
afterwards in the host token just in this case.

found after bug report From: Julien Bordet <zejames@greyhats.org> via dhartmei

ok daniel cedric


# 1.342 10-Mar-2003 henning

correctly cope with errors returned by eval_pfqueue and pfctl_add_altq

ok dhartmei@ pb@ (as part of... you know, monsterdiff)


# 1.341 10-Mar-2003 henning

when complaining about a queue without parent, include the queue name in
the error message

ok dhartmei@ pb@ (as part of a monsterdiff)


# 1.340 09-Mar-2003 henning

cope with LOOP_THROUGH modifying the list (queues).
in case of an error in the queue def in question the queues list remains
unmodified, but the LOOP_THROUGH caused a mod anyway, and the list can stay
empty. subsequent checks for NULL which check for a empty list fail then.
fix by adding an explicit check before looping.
fixes regress pfail31
error report by Kamil Andrusz via pb@, testcase from pb@
ok dhartmei@


# 1.339 09-Mar-2003 henning

cope with the fact that LOOP_THROUGH loops once even if the list is empty by
moving the addition of child queues a bit down after the successful
addition of the current queue and an explicit NULL check before looping.
fixes regress pf59
found by kjc@
ok kjc@ cedric@ dhartmei@


# 1.338 08-Mar-2003 henning

fix the obvious:
since we do not modify the struct pf_altq *a any more but our private copy,
we can of course not inherit the scheduler type from it, since it did not
inherit the scheduler type from the parent.
so just inherit the scheduler type from the parent directly...

ok dhartmei@ cedric@


# 1.337 08-Mar-2003 henning

in expand_queue, make a private copy of the struct pf_altq before modifying
it. modifying the original one had undesired side effects if a queue was
expanded to more than one because it belonged to more than one interface

ok pb@ cedric@ dhartmei@


# 1.336 06-Mar-2003 henning

fix queue assignment on filter rules which are not bound to an interface.
when looking up the queue IDs using qname_to_qid, we do not need to limit
the matching on the interface in question, as it is guaranteed that same
named queues on different interfaces have the same queue id. moreover, we
must not limit the matches to the interface if we do not have an interface
given on the filter rule to match on ;-)

found after problems reported by Andre Nathan <andre at v2r dot com dot br>

ok dhartmei@ pb@ cedric@


# 1.335 02-Mar-2003 henning

when printing queues at load time that have bandwidth specified in percent,
print the bandwidth in percent instead of the calculated absolute value.
if a queue belongs to more than one interface and they have different
bandwidth the calculated absolute is of course different per interface.
previously the first calculated absolute value was shown; what of course is
incorrect on the second interface. note that only the print was wrong, the
correct values were passed to the kernel.

ok theo daniel


# 1.334 02-Mar-2003 henning

remove the control keyword for cbq queues.
the control class was a legacy of the original CBQ design by LBL/Sun
to support RSVP.
the control class is not used in openbsd, in the sense that
we don't automatically set filters for ICMP/IGMP/RSVP for the control
class.

ok dhartmei@ kjc@ deraadt@


# 1.333 27-Feb-2003 david

modify error message to match the same 7 sections in pf.conf(5)
ok deraadt@ henning@


# 1.332 26-Feb-2003 henning

in expand_rule, correctly set r->pqid if a priority queue was defined, and
reuse the value of r->qid if not.

ok dhartmei@ mcbride@


# 1.331 25-Feb-2003 henning

some minor KNF my fingers just did...

ok dhartmei@ cedric@


# 1.330 25-Feb-2003 cedric

repair/simplify/flexify binat userland.
ok dhartmei@ henning@


# 1.329 24-Feb-2003 henning

when a macro is redefined, don't bother with reusing the existing entry in
symset() but just prepend a new sym entry to symhead like we always did. as
symget searches the list sequentially, the newest one is picked first.
prevents an endless loop introduced when trying to reuse the existing entry
by an invalid setting for the next pointer.
fixes regress test pf57.

found after conversation with Chris Linn, celinn at mtu dot edu

ok dhartmei@ cedric@


# 1.328 21-Feb-2003 henning

re-allow set loginterface none
ok cedric@ dhartmei@


# 1.327 21-Feb-2003 henning

better error message if set loginterface is called with nonexistent
interface, found by krause (who is doing EXCELLENT work. Thank you very
much!), fix by me, ok dhartmei@ and cedric@


# 1.326 20-Feb-2003 henning

reject nonexistent interfaces in the dynaddr case, noticed during discussion
with jasondixon at myrealbox dot com

ok dhartmei@


# 1.325 19-Feb-2003 dhartmei

Make 'from (kue0)/24' work again (dynamic interface name translation with
a /prefix), reported by Jason Dixon. ok henning@


# 1.324 19-Feb-2003 henning

better error message on icmp version / address family mismatch

ok markus@


# 1.323 18-Feb-2003 henning

fix load option handling (-A, -N, -R) for options.
due to a bug in the loadopt check options were always loaded no matter which
loadopts were specified.
while being there, move the prints for that to where they belong, into the
appropriate pfctl_set_* functions, and thus only print when the options are
actually loaded.
fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier.

ok dhartmei@


# 1.322 17-Feb-2003 henning

"optarg" was a bad pick for the variable name in pfctl_cmdline_symset, it
shadows a global. rename.


# 1.321 17-Feb-2003 mpech

-#include <sys/ioctl.h>

mcbride@, dhartmei@ ok


# 1.320 16-Feb-2003 henning

unneeded {}


# 1.319 16-Feb-2003 henning

throw a syntax error if the portunary operator in varset is not '='
extif>"whatever"
should not be the same as
extif="whatever"
but a syntax error.


# 1.318 14-Feb-2003 dhartmei

Allow route-to loopback interfaces again, since Ryan fixed the loops that
might have occurred before.


# 1.317 14-Feb-2003 cedric

Better and more consistent error message.
Ok dhartmei@


# 1.316 13-Feb-2003 henning

ease the yacc a bit by using a "not" rule instead of having two rules w/ and
without '!' everywhere

ok dhartmei@


# 1.315 12-Feb-2003 henning

KNF after ryan


# 1.314 12-Feb-2003 mcbride

Simplify the code and make the parser handle the different rule types
more consistently.

- Merge expand_nat and expand_rdr into expand_rule
- Merge rdrrule token into natrule

ok concept henning@
ok dhartmei@


# 1.313 11-Feb-2003 henning

allow macro definition on the command line:
pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea
theo), very handy if your notebook has another NIC at some conference, as
well as for debugging etc.
idea rezine@mistrusted.net via pb@
hacked live at FOSDEM

ok pb@ dhartmei@ cedric@


# 1.312 09-Feb-2003 henning

more live code from FOSDEM:
make
pass in proto tcp to port 80
work.
-allow to omit the "any" if you're specifying a port
-allow to omit the from or to part if you want "any" for the other

ok dhartmei@ pb@


# 1.311 09-Feb-2003 henning

KNF


# 1.310 09-Feb-2003 camield

Fix a few warnings and remove unnecessary check and cast.

ok dhartmei henning


# 1.309 08-Feb-2003 dhartmei

Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@
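To show why predictable IP IDs matter, here is an added example (not pf's pf_norm.c and not code from the paper) with two parts: a model of the random-id scrub rule that rewrites the ID of non-fragmented packets only, and a simplified form of the IP-ID chaining technique from the Bellovin paper that counts hosts behind a NAT by grouping observed IDs into slowly increasing sequences. The packet dicts, the SAMPLE stream, the max_gap of 20 and the function names are constructed for this example.

```python
import random

ID_SPACE = 1 << 16
_sysrand = random.SystemRandom()


def scrub_random_id(pkt, rand16=None):
    """Model of 'scrub random-id': rewrite the IP ID of an outgoing packet
    unless it is a fragment (MF set or nonzero fragment offset), because the
    ID is what lets the receiver reassemble the fragments of one datagram.
    pf applies this after reassembly; here we only look at the header bits.
    rand16 is injectable so tests can be deterministic."""
    if rand16 is None:
        rand16 = lambda: _sysrand.randrange(ID_SPACE)
    out = dict(pkt)
    if pkt.get("mf") or pkt.get("frag_off", 0):
        return out
    out["id"] = rand16() % ID_SPACE
    return out


def count_id_chains(ids, max_gap=20):
    """Simplified version of the counting technique in Bellovin's paper:
    walk the observed IDs in arrival order and attach each one to the chain
    whose last ID it most closely follows (within max_gap, modulo 2^16),
    otherwise start a new chain.  Each chain looks like one host with a
    sequential ID counter.  Returns the chains."""
    chains = []
    for pid in ids:
        best = None
        for chain in chains:
            d = (pid - chain[-1]) % ID_SPACE
            if 0 < d <= max_gap and (best is None or d < (pid - best[-1]) % ID_SPACE):
                best = chain
        if best is None:
            chains.append([pid])
        else:
            best.append(pid)
    return chains


def estimate_hosts(packets):
    """Number of distinct ID chains seen, i.e. the observer's host estimate."""
    return len(count_id_chains([p["id"] for p in packets]))


# Constructed sample: three hosts behind one NAT, each incrementing its own
# IP ID counter, with their packets interleaved on the wire.
SAMPLE = [{"id": i, "mf": False, "frag_off": 0}
          for i in (100, 5000, 40000, 101, 5001, 102, 40001, 5002, 103)]


if __name__ == "__main__":
    print("hosts inferred from raw IDs:", estimate_hosts(SAMPLE))        # 3
    scrubbed = [scrub_random_id(p) for p in SAMPLE]
    print("hosts inferred after random-id:", estimate_hosts(scrubbed))   # chains no longer line up
```

After scrubbing, the chaining heuristic degrades to roughly one chain per packet, so the observer learns nothing about how many hosts share the address; the fragment check is what keeps the rule from breaking reassembly of datagrams that pf forwards fragmented.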


# 1.308 05-Feb-2003 cedric

Fix "pass out dup-to (tun0 1.1.1.1) inet6 all" error message
Allow "pass out dup-to tun0 all"
ok mcbride@ henning@


# 1.307 05-Feb-2003 mcbride

Set the network mask to all 1's if no address is specified for a
route-to/dup-to/reply-to rule. Keeps round-robin from incrementing through
the entire address space.

ok dhartmei@


# 1.306 03-Feb-2003 deraadt

pretty


# 1.305 03-Feb-2003 dhartmei

Don't allow loopback interfaces as route/reply/dup-to targets. ok henning@


# 1.304 03-Feb-2003 cedric

remove loadopt global definition and cleanup a bit.
ok henning@


# 1.303 03-Feb-2003 henning

fix a problem with queue definitions when load options (like -N etc) are
given; they used to check for their parent interface/queue even in this
case.

ok dhartmei@ cedric@


# 1.302 02-Feb-2003 henning

there is no need to pass opts to parse_rules explicitly; it's passed as
part of the struct pfctl.


# 1.301 27-Jan-2003 deraadt

KNF


# 1.300 25-Jan-2003 mcbride

Match changes for rdr port ranges made to pf.c:
- fixes behaviour of rdr on le0 from foo to bar port 1:20 -> (lo0) port 22
- makes calculated mapping more explicit for the -> (lo0) port 22:* case

testing from dhartmei@

ok dhartmei@


# 1.299 25-Jan-2003 cedric

Fix NOACTION with table statements.


# 1.298 25-Jan-2003 cedric

Permit initialisation of a table content from a file in pf.conf.
Cleaning up of the table options parsing, more flexible.
idea+cleanup deraadt@, ok dhartmei@, pass all regress tests.


# 1.297 25-Jan-2003 cedric

Correctly check illegal constructs with tables. Better error messages.
ok dhartmei@ pass all regress tests.


# 1.296 25-Jan-2003 henning

if a table name is too long, it's actually nice to tell so instead of just
aborting with a syntax error


# 1.295 20-Jan-2003 camield

Remove unused argument from print_name() and fix two other nits
found by lint.

ok henning


# 1.294 19-Jan-2003 camield

Spin off label string expansion into a separate function. Clarifies
and tightens all expand_label functions.

ok dhartmei henning


# 1.293 18-Jan-2003 henning

KNF after ryan...


# 1.292 18-Jan-2003 mcbride

Add missing token string and assignment to make static-port work for real.

Diff and report courtesy of mpech@ and form@

ok dhartmei@


# 1.291 17-Jan-2003 camield

bandwith -> bandwidth

YYERROR on failed parseicmpspec()

ok dhartmei mcbride henning


# 1.290 15-Jan-2003 mpech

Typo in yyerror().

henning@


# 1.289 14-Jan-2003 henning

unified IP parser:
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h]
-extend host() to handle /mask itself, plus minor adjustments
-use that in pfctl_table.c instead of coding the same shit again

discussed w/ cedric@
ok cedric@ dhartmei@


# 1.288 13-Jan-2003 camield

err() on all memory allocation failures

ok henning dhartmei


# 1.287 11-Jan-2003 mcbride

Whitespace KNF


# 1.286 09-Jan-2003 henning

no need for explicit numbering in enums

ok dhartmei@


# 1.285 09-Jan-2003 dhartmei

Check return values on the remaining strlcpy/strlcat. ok henning@


# 1.284 09-Jan-2003 henning

minor KNF


# 1.283 09-Jan-2003 cedric

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@


# 1.282 08-Jan-2003 deraadt

check more strlcpy; camield@


# 1.281 07-Jan-2003 dhartmei

Allow underscore at the beginning of strings, fixes
pass all user _spamd
which was refused as syntax error before. Reported by Joe Nall.
ok henning@


# 1.280 07-Jan-2003 dhartmei

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@


# 1.279 06-Jan-2003 mcbride

Fix some oversights with address pools for route-to/dup-to/reply-to
- copy key for src-hash
- copy pool type (pools were being set to round-robin in all cases)

+ some minor knf.

ok dhartmei@


# 1.278 05-Jan-2003 henning

err after calloc failure, not errx


# 1.277 05-Jan-2003 dhartmei

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@


# 1.276 04-Jan-2003 dhartmei

move noroute from flag in pf_rule_addr into type in pf_addr_wrap.
ok henning@, mcbride@


# 1.275 04-Jan-2003 deraadt

I do not know where this policy of "one .h file for every .c file" comes
from, but whoever thought of it is stupid.


# 1.274 03-Jan-2003 dhartmei

whitespace KNF (no, i don't touch the option inits)


# 1.273 03-Jan-2003 cedric

Bring in userland code for accessing PF radix tables.
ok dhartmei@ mcbride@


# 1.272 02-Jan-2003 mcbride

Require a direction to be specified for rules which do routing.

ok dhartmei@ henning@


# 1.271 30-Dec-2002 mcbride

Change ipv6-icmp-type to icmp6-type. pf.conf files will need to be adjusted
to reflect this.

ok dhartmei@ henning@


# 1.270 27-Dec-2002 mcbride

Since pf_norm.c looks at rule.log to see if it should log packets being
dropped due to scrub violations, this adds the ability to set this in
pf.conf.

ok henning@


# 1.269 21-Dec-2002 henning

always initialize rpool.key; diff from Frank Denis; KNF by me


# 1.268 21-Dec-2002 henning

KNF


# 1.267 20-Dec-2002 dhartmei

remove a redundant assignment.


# 1.266 19-Dec-2002 dhartmei

fix 'no rdr'.


# 1.265 18-Dec-2002 henning

more KNF


# 1.264 18-Dec-2002 dhartmei

proto list expansion is not supported in binat-anchor yet, print an error
when attempted.


# 1.263 18-Dec-2002 dhartmei

Support (single) destination port in rdr-anchor rules. Print an error
where parameters are not supported (in rdr-anchor and binat-anchor) yet.
If those are needed, we'll have to expand them properly.


# 1.262 18-Dec-2002 deraadt

fix some INCREDIBLE new bugs which were introduced


# 1.261 17-Dec-2002 henning

add support for the PRIQ scheduler

partially from kjc@

ok kjc@ dhartmei@


# 1.260 17-Dec-2002 mcbride

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule

ok dhartmei@ henning@


# 1.259 17-Dec-2002 henning

missing break in switch


# 1.258 17-Dec-2002 henning

beautify the %type block


# 1.257 17-Dec-2002 henning

PRIQ and HFSC support functions, not yet used.
mostly from kjc@ with adjustments by me.

ok theo ryan daniel


# 1.256 16-Dec-2002 henning

only create a root queue if scheduler = cbq


# 1.255 16-Dec-2002 henning

get full [scheduler]_opts struct instead of just .flags, and wrap in into a
switch (scheduler) statement in one case

inspired by kjc@


# 1.254 13-Dec-2002 henning

allow a second queue for higher prioritized (currently: tos=lowdelay) packets
to be specified per rule

queue (qname, priorized_qname)

idea dhartmei
ok dhartmei@ frantzen@ deraadt@


# 1.253 13-Dec-2002 henning

a bit KNF originally part of another diff soon to come; frantzen@ correctly
pointed out that should be a separate commit.


# 1.252 13-Dec-2002 deraadt

permit re-ordering of some scrub parameters, and also clean up some other
grammar baloney; henning ok


# 1.251 12-Dec-2002 henning

KNF


# 1.250 12-Dec-2002 henning

we don't need to keep a private copy of the queue name in expand_rule,
r->qname is never modified

discussed with dhartmei@


# 1.249 11-Dec-2002 mcbride

Replace strncpy + ugly pointer math with sscanf for reading source-hash keys

ok dhartmei@ henning@


# 1.248 09-Dec-2002 dhartmei

(properly guarded) strcpy() -> strlcpy()


# 1.247 09-Dec-2002 deraadt

do not allow redefinitions in variable option blocks; henning ok


# 1.246 08-Dec-2002 henning

strncpy is evil.


# 1.245 08-Dec-2002 henning

allow flexible options order like Theo did for rules.

idea, lots of input, motivation and ok deraadt@

ATTENTION:
this changes the syntax. the "scheduler" keyword is gone now.
old: altq on $interface scheduler cbq ...
new: altq on $interface cbq ...


# 1.244 07-Dec-2002 dhartmei

Support parameters in anchor rules. Allows conditional evaluation, like:

anchor spews inet proto tcp from any to any port smtp

ok deraadt


# 1.243 07-Dec-2002 henning

more KNF


# 1.242 07-Dec-2002 henning

KNF


# 1.241 07-Dec-2002 henning

shadow cleanup

ok mcbride@ frantzen@


# 1.240 07-Dec-2002 henning

kill an unused param to lungetc


# 1.239 07-Dec-2002 mcbride

Convert the hash of a string key to network byte order. Makes regression
work on all platforms.

Bug found by dhartmei@

ok dhartmei@ henning@


# 1.238 06-Dec-2002 dhartmei

Remove negated address list check again, doesn't work right yet.


# 1.237 06-Dec-2002 dhartmei

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@


# 1.236 05-Dec-2002 henning

fix a small cosmetic problem. if ifa_lookup was called in LOOKUP_NET mode,
it would return things like 127.0.0.1/8. when 127.0.0.1/8 is passed through
the new selftests, it becomes 127.0.0.0/8.
fix: instead of just copying addr.mask in ifa_lookup, use set_ipmask, so it
is 127.0.0.0/8 from the beginning on.


# 1.235 05-Dec-2002 henning

-quote varset in -v output
-don't add 's' in set timeout -v output

makes the feedback regression tests succeed.

ok markus@ mcbride@


# 1.234 04-Dec-2002 henning

in host(), apply a given netmask to all members of the node_host list
returned by ifa_lookup().

reported by Alejandro G. Belluscio

ok dhartmei@


# 1.233 04-Dec-2002 deraadt

do not warn for unused variables except with -v -v; henning ok


# 1.232 02-Dec-2002 henning

KNF


# 1.231 02-Dec-2002 deraadt

permit more flexible pass/block lines. the options given at the end of
a line can now be placed in any order, and some merging of duplicate options
is also done. this is easier to use.


# 1.230 02-Dec-2002 henning

allow for "altq on $interface" without specifying a bandwidth. The
interface's bandwidth is taken then.
as a side-effect, "altq on $interface bandwidth xx%" is also possible now,
it's relative to the interface's bandwidth then.

ok theo


# 1.229 30-Nov-2002 mickey

move damn unmask() proto into place as well


# 1.228 29-Nov-2002 henning

coredumps are not nice.
deal with the fact that when we are merging the lists in host_list both can
be NULL.
found at EuroBSDCon 2002 while I was explaining the expansion process to
Paul de Weerd

ok dhartmei@


# 1.227 29-Nov-2002 henning

print queuespec only once in verbose mode, even if referenced more often


# 1.226 29-Nov-2002 henning

FREE_LIST nqueues later; can be used more than once


# 1.225 28-Nov-2002 henning

allow qlimit on altq spec


# 1.224 28-Nov-2002 mcbride

- Adjust to match replacement of md5 with pf_hash
- Allow keys to be specified in hex (must be 128 bits, mainly to make
pfctl -v output parseable by pfctl) or as a string. Randomly generate key
if one is not specified.

Suggestions and fixes from camield@

ok mickey@ camield@ henning@
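An added example of the key handling this commit (and 1.239 above, which hashes string keys) describes; it is not pfctl's parser or pf's pf_hash. parse_source_hash_key accepts no key (random), a 128-bit hex key, or a string; the "0x" prefix convention for hex, the choice of MD5 to reduce a string key to 128 bits, and HMAC-SHA256 as a stand-in for pf_hash when picking a pool member are assumptions of this example. The byte-order conversion from 1.239 is not modelled.

```python
import hashlib
import hmac
import ipaddress
import os

KEY_LEN = 16   # source-hash keys are 128 bits


def parse_source_hash_key(text=None):
    """Turn the optional 'source-hash' argument into 16 key bytes.

    - no argument: a random key, as pfctl generates when none is given
    - "0x" followed by 32 hex digits: the key itself, so a key printed by
      'pfctl -v' can be fed back in unchanged; any other length after "0x"
      is rejected as not being 128 bits
    - any other string: hashed down to 128 bits (MD5 is this example's
      assumption; the commits only say the string key is hashed)
    """
    if text is None:
        return os.urandom(KEY_LEN)
    if text.startswith("0x"):
        hexdigits = text[2:]
        if len(hexdigits) != 2 * KEY_LEN:
            raise ValueError("source-hash key must be 128 bits (32 hex digits)")
        try:
            return bytes.fromhex(hexdigits)
        except ValueError:
            raise ValueError("source-hash key is not valid hex")
    return hashlib.md5(text.encode("utf-8")).digest()


def pick_source_hash(key, src_addr, pool):
    """Choose the pool member for a source address: a keyed hash of the
    packed address, reduced modulo the pool size.  The same key and source
    always map to the same member, which is what makes the mapping sticky
    across connections and across ruleset reloads, provided the same key is
    loaded again (hence printing it in 'pfctl -v' output).
    Stand-in for pf_hash: HMAC-SHA256 truncated to 32 bits."""
    if not pool:
        raise ValueError("empty pool")
    if len(key) != KEY_LEN:
        raise ValueError("key must be %d bytes" % KEY_LEN)
    packed = ipaddress.ip_address(src_addr).packed   # 4 or 16 bytes
    digest = hmac.new(key, packed, hashlib.sha256).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


if __name__ == "__main__":
    # Constructed pool, matching the 192.168.0.16/29 style example in the log
    pool = ["192.168.0.%d" % i for i in range(16, 24)]
    key = parse_source_hash_key("0x000102030405060708090a0b0c0d0e0f")
    for src in ("203.0.113.7", "203.0.113.8", "2001:db8::1"):
        print(src, "->", pick_source_hash(key, src, pool))
```

A key given as a passphrase is convenient, but only the hex form round-trips through pfctl -v; if a ruleset is reloaded with no key at all, a fresh random key is generated and every source is potentially mapped to a different pool member.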


# 1.223 27-Nov-2002 henning

handle the "no bandwidth specified" case earlier and easier.


# 1.222 27-Nov-2002 henning

-use a #define for default qlimit instead of hardcoding it
-print qlimit in print_queue if it is not the default one
-assign the default qlimit early in the parser instead of using 0


# 1.221 27-Nov-2002 henning

next round in print fixes:
-only print priority if it is not equal to the default one
-space handling overhaul


# 1.220 27-Nov-2002 henning

use a #define for default priority instead of hardcoding it


# 1.219 27-Nov-2002 henning

fix tbrsize spec


# 1.218 27-Nov-2002 henning

fix error message for altq ifspec without child queues


# 1.217 26-Nov-2002 henning

make bandwidth specification on queue truly optional


# 1.216 26-Nov-2002 henning

queue comes before NAT


# 1.215 25-Nov-2002 henning

repair decide_address_family
you cannot just take the first address family you meet as rule's address
family... either all are equal, or the rule has no explicit AF.

found by danh@
ok theo


# 1.214 25-Nov-2002 mickey

for loN and link1 translate the iface into address properly; henning@ ok


# 1.213 25-Nov-2002 henning

1Kb = 1000b, not 1024; as discussed with kjc@ and theo


# 1.212 25-Nov-2002 henning

KNF


# 1.211 24-Nov-2002 pb

enforce that queue comes right before filtering
'options, normalization, translation, queue, filter' now

henning@ ok


# 1.210 24-Nov-2002 dhartmei

Cosmetics and removal of a redundant code block.


# 1.209 23-Nov-2002 deraadt

sigh


# 1.208 23-Nov-2002 henning

KNF


# 1.207 23-Nov-2002 henning

better error checking in expand_queue


# 1.206 23-Nov-2002 henning

easier


# 1.205 23-Nov-2002 mcbride

Daniel's diff to untangle my mess with ifa_pick_ips like so:

- add decide_address_family() which runs through the list to find hosts
with the af set
- replace ifa_pick_ips with remove_invalid_hosts() which removes hosts with
the wrong address family from the list

from/ok dhartmei@


# 1.204 23-Nov-2002 henning

better error checking, round 1
this time in expand_altq


# 1.203 23-Nov-2002 henning

KNF


# 1.202 23-Nov-2002 deraadt

KNF


# 1.201 23-Nov-2002 dhartmei

$$->ifname is NULL, leave it NULL, don't $$->ifname[0] = 0;


# 1.200 23-Nov-2002 mcbride

Fix brokenness in parse.y, clean up:
- remove requirement for ( ) in route-to ( if )
- calloc route_host
- initialise route_host->next
- globally convert malloc to calloc

ok dhartmei@


# 1.199 23-Nov-2002 mcbride

code to support loading of pf rules with multiple redirection addresses
(in nat, rdr, route-to, dup-to and reply-to)

Syntax looks like this, see pf.conf(5) for details:

nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
192.168.0.16/29 source-hash random

rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
{ 192.168.0.8/31, 192.168.0.15 } port 22 round-robin

ok dhartmei@ henning@


# 1.198 22-Nov-2002 henning

print altq and queue lines in the pfctl -v case including the child queue
assignment


# 1.197 19-Nov-2002 henning

only take cbq opts from schedtype if type=CBQ


# 1.196 19-Nov-2002 henning

repair queuespec syntax glitch, theo agrees


# 1.195 19-Nov-2002 henning

default priority is 1, not 0
found by pb@


# 1.194 19-Nov-2002 camield

- match 'Gb' case-sensitively
- match "%" unit only, not "%crap"

ok henning@


# 1.193 19-Nov-2002 wilfried

icmp-type was off by one, ok henning@


# 1.192 18-Nov-2002 deraadt

no; do not use };


# 1.191 18-Nov-2002 henning

more using strl* return values instead of strlen calls


# 1.190 18-Nov-2002 henning

easier "queue name too long" detection; from theo


# 1.189 18-Nov-2002 deraadt

KNF


# 1.188 18-Nov-2002 deraadt

KNF


# 1.187 18-Nov-2002 henning

altq and pf merged

this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documentation yet, but committing now
enables a few more people to work on.

print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.

"commit now" theo philipp daniel


# 1.186 13-Nov-2002 henning

as scrub rules end up in a struct pf_rule just call expand_rule instead of
handcrufting this.
has quite a few positive side effects:
-interface list expansion works (fries@ asked for that)
-can specify address family, very helpful with dynamic interface expansion
(pointed out by daniel)
-src/dst ip/port list expansion works
-fixes a long standing, scary, though never noticed bug:
scrub out on lo1 from any to 10.0.0.1
expanded to
scrub out on lo1 all
... this bug was there from day #1.

"sneaky diff of the month award" dhartmei@


# 1.185 13-Nov-2002 dhartmei

Add label macro $if, as we support {} list expansion for interfaces now.
From David Gwynne. ok henning@, camield@


# 1.184 13-Nov-2002 dhartmei

Initialize tail pointer to node, found by fries@


# 1.183 08-Nov-2002 henning

init buf to NULL just in case...
there isn't a single codepath where it can remain uninitialized, but this
might prevent a stupid bug if we change something later


# 1.182 07-Nov-2002 henning

move the ifa_exists block a bit up in host()
inspired by mpech@ pointing out a missing free(buf). so handle the
it-is-an-interface case where we don't need the buf before allocating memory.


# 1.181 04-Nov-2002 henning

welcome to CIDR world, pfctl!

use inet_net_pton to parse IP addresses.
stuff like
block in from 10/8 to any
works now.

some input camield@ and dhartmei@

ok dhartmei@, camield@, mcbride@


# 1.180 02-Nov-2002 dhartmei

%i -> %d, matches the style of existing code, from millert@


# 1.179 02-Nov-2002 dhartmei

printf int with %i, not %u. from pilot@monkey.org.


# 1.178 30-Oct-2002 henning

simplify


# 1.177 30-Oct-2002 henning

fix interface expansion. since the reversed list expansion code was
committed this was broken, only the first IP address was returned.

pointed out by danh@, who sent an excellent bug report.

ok dhartmei@


# 1.176 29-Oct-2002 henning

introduce
set require-order [yes|no]
default is yes.
with set to "no", it isn't required to have the rules in order (options,
scrub, nat, filter) any more, though of course NATing still happens before
filtering and so on, so one has to take care.

ok camield@ mcbride@ dhartmei@
idea discussed with a whole lotta more people and basically ok for everyone ;-)


# 1.175 27-Oct-2002 henning

remove the "flags X" syntax.
no one who wrote "flags S" meant that, but actually something like "flags
S/SA". with "flags S" changing its actual meaning as more flags got
supported, things got worse.

ok dhartmei@, pb@


# 1.174 22-Oct-2002 mpech

%ul -> %lu

dhartmei@ ok


# 1.173 22-Oct-2002 mcbride

More conversion of "int af" and "u_int8_t af" declarations and function
arguments to the more correct and descriptive "sa_family_t af"

ok dhartmei@ henning@


# 1.172 22-Oct-2002 camield

Rename ipmask to set_ipmask and add some functionality: the netmask
is applied immediately to the address.

This way, the parsed rules output shows exactly which bits of an
address are significant for a match and errors due to wrong netmasks
can be spotted more easily.

Example:
$ pfctl -nvf -
pass in on lo0 from 172.17.0.0/12 to any
@0 pass in on lo0 inet from 172.16.0.0/12 to any

idea refined by dhartmei@
ok frantzen@ henning@


# 1.171 17-Oct-2002 mcbride

These checks are also made in nat_consistent() and rdr_consistent().

ok dhartmei@ henning@


# 1.170 17-Oct-2002 camield

- accept all protocols that are specified by number if they are in
the valid range (also when they're not listed in /etc/protocols)
- explicitly disallow protocol number 0, because it has special meaning
to pf

ok dhartmei@ henning@


# 1.169 16-Oct-2002 mpech

Fix and improve binat mask comparison.

dhartmei@, henning@ ok


# 1.168 14-Oct-2002 henning

Allow one to specify a netblock in a binat rule:

binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27

Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.

from ryan

ok dhartmei@


# 1.167 11-Oct-2002 camield

When a macro cannot be expanded because it is not defined, say so. Also warn
about unused macros.

ok dhartmei@ henning@


# 1.166 11-Oct-2002 camield

In lgetc(), compress strings of whitespace to a single space. This makes
macros come out right in verbose mode and is less functional overhead.

Also err on whitespace after a backslash. That type of error is hard to
find otherwise.

ok dhartmei@ henning@


# 1.165 08-Oct-2002 vincent

remove <0 checks on unsigned numbers.

ok henning@


# 1.164 07-Oct-2002 dhartmei

-Wsign-compare clean


# 1.163 07-Oct-2002 dhartmei

Two cases of const-correctness and make one global local.


# 1.162 07-Oct-2002 henning

set block-policy [drop|return]
drop is default, same behaviour as before

support
block drop
to override a return policy


# 1.161 07-Oct-2002 henning

support a generic return
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else

ok dhartmei@


# 1.160 07-Oct-2002 henning

make return-icmp work for rules covering both v4 and v6
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)

ok and some input dhartmei@


# 1.159 07-Oct-2002 henning

use a new rule_flag PFRULE_RETURNICMP to decide whether to return-icmp or not
instead of just testing return_icmp > 0

ok dhartmei@


# 1.158 07-Oct-2002 dhartmei

Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.


# 1.157 06-Oct-2002 dhartmei

Move CHECK_ROOT into LOOP_THROUGH, gets rid of one macro and saves
several lines, no functional difference. From Camiel Dobbelaar.


# 1.156 05-Oct-2002 dhartmei

Expand {} lists from left to right, so 'pass in from { a, b } to any'
becomes '@0 pass in from a to any @1 pass in from b to any' instead of
the other way around. Patch from Camiel Dobbelaar.


# 1.155 05-Oct-2002 dhartmei

Allow filtering based on IP header's tos field.


Revision tags: OPENBSD_3_2_BASE
# 1.154 22-Sep-2002 henning

little KNF: return(something) -> return (something)


# 1.153 22-Sep-2002 henning

fix linenumber counting in findeol, and simplify by ignoring the \ case,
that's already handled earlier.
fast-forward on erroneous lines

partially from camield@, parts result of a discussion with Mike

ok frantzen@ dhartmei@


# 1.152 22-Sep-2002 henning

antispoof, take 2.
also block incoming packets with our own IP as src.

discussion & help frantzen

ok ho@ dhartmei@ frantzen@


# 1.151 17-Sep-2002 henning

easier "self" implementation.
no functional changes

ok pb@


# 1.150 15-Sep-2002 henning

set a netmask in the dynaddr case
noticed by <han@mijncomputer.nl>

ok pb@


# 1.149 14-Sep-2002 henning

bit more clue in rdr/nat rules wrt address family examination
don't take the af from host_node structs based on interface lookups, most
interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will
at least have one IP address specified from which we take the af for the
whole rule. The rare exceptional cases require the user to specify the af.

ok frantzen@


# 1.148 12-Sep-2002 henning

check for calloc() failure; ho@


# 1.147 12-Sep-2002 henning

antispoof [log] [quick] for [interface|interface_list] [af]

e.g.

antispoof log quick for { dc0, dc1 } inet

docs & regress coming

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@
IPv6 help itojun@

finally, a long story finds its happy end here.


# 1.146 12-Sep-2002 henning

rework netmask handling:
-don't set netmask in host token handler
-clear netmask in ipmask() proper before setting it
-in ifa_load(), also store interface's netmask and broadcast address
-allow ifa_lookup() to return either the interface's IP address(es), network(s)
or broadcast address(es) - not used anywhere yet. This implies that
ifa_lookup() also returns the netmask now.
-host() returns netmasks, too

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@


# 1.145 08-Sep-2002 henning

be more clueful wrt address family in nat/rdr rules.
behaviour noticed by Paul de Weerd, thanks!

ok dhartmei@


# 1.144 02-Sep-2002 dhartmei

Fix parsing of port ranges in translation rules (port a:b -> port c:d).
ok henning@


# 1.143 02-Sep-2002 dhartmei

Make sure the interface specified with route-to/dup-to/fastroute exists
and null-terminate the interface name. Found by Michael Wallis.
ok henning@


# 1.142 20-Aug-2002 dhartmei

Increase lineno on newlines inside multi-line macro definitions, otherwise
errors on subsequent lines are reported with wrong line numbers.
From Paul B. Henson.


# 1.141 16-Aug-2002 henning

kill duplicated check for '(' and ')' in allowed_in_string


# 1.140 12-Aug-2002 dhartmei

Catch null pointer deref (segfault), from wilfried@


# 1.139 06-Aug-2002 henning

missing free(), mpech@
ok pb@


# 1.138 06-Aug-2002 henning

check for strdup() allocation errors

pointed out by mpech@
ok pb@


# 1.137 31-Jul-2002 henning

KNF, esp. missing prototypes


# 1.136 30-Jul-2002 henning

grmpf.
in some cases, on non-tcp rules flags weren't reset. cosmetic only
problem. but, well, checking for r->flags and r->flagset if we could have
assigned them zero just one round ago is just stupid, and it's not needed to
check them at all.

ok pb@, dhartmei@


# 1.135 30-Jul-2002 henning

allow to specify flags on all rules that include tcp.

these are valid:

pass in from any to any flags S
pass in proto { tcp, udp, icmp } from any to any flags S
pass in proto tcp from any to any flags S

these are invalid:

pass in proto { udp, icmp } from any to any flags S
pass in proto udp from any to any flags S

ok "I've lost my slacker status for at least a week" frantzen@
ok pb@, dhartmei@, deraadt@


# 1.134 26-Jul-2002 henning

make the order of log and quick irrelevant. now both
block in log quick all
and
block in quick log all
work.

ok dhartmei@, deraadt@


# 1.133 23-Jul-2002 henning

timeout_list/_spec and limit_list/_spec don't return anything -> no %type.

ok theo


# 1.132 21-Jul-2002 deraadt

fix route-to also


# 1.131 21-Jul-2002 deraadt

make the , optional in many places. This makes string concat a lot more
useful. Now you can
in = ssh domain www
out = $in ftp finger
pass in proto tcp from any to any port { $in }
pass out proto tcp from any to any port { $out }
a poor example, but the idea is obvious


# 1.130 21-Jul-2002 deraadt

string concat, ie.
a=a b
c=$a $a


# 1.129 20-Jul-2002 deraadt

minor indent tweaks


# 1.128 20-Jul-2002 deraadt

properly split yacc and lex use


# 1.127 19-Jul-2002 deraadt

minor tweaks, sigh


# 1.126 19-Jul-2002 dhartmei

And back out the last change again.


# 1.125 19-Jul-2002 henning

rework the interface lookup routines internals.
less and easier code than before.
no functional changes.

ok frantzen@, dhartmei@


# 1.124 19-Jul-2002 dhartmei

Support # comments at the end of lines and inside (multi-line) string
literals, so you can do things like

macro="{ foo, # first entry
bar, # second entry
baz }" # last entry

or

pass in on $ext_if \ # external interface
proto tcp \ # TCP connections
from any to $ext_if \ # to the gateway itself
keep state

And sneaking in two minor fixes for KNF.


# 1.123 19-Jul-2002 henning

deal with the fact that the struct node_host ifa_pick_ip gets is not always
the result of an interface expansion. in this case ifa_pick_ip does an
address family check (that's actually a (wanted) side effect). Thus, we need
to spit out a meaningful error message in case of a mismatch.
also adjust all the other error messages, they were also assuming that nh is
the result of an interface expansion.
after a looooong discussion on icb (dhartmei@, pb@, me) we agreed on the term
"translation address" for that.

okay dhartmei@


# 1.122 17-Jul-2002 henning

support "self" as address. self expands to all IPv4 and IPv6 addresses of
the machine, on all interfaces. I wanted
block in log on ! lo0 from any to self
for years, and now it's possible.

ok "I may lose my slacking status if I OK it" frantzen@
ok dhartmei@

documentation in pf.conf.5 to come with pb@'s rewrite


# 1.121 16-Jul-2002 dhartmei

Add nat_consistent() and rdr_consistent() for checks that should occur
after rule expansion, similar to rule_consistent(). Fixes the
non-effective test for rdr rules for non-TCP/UDP protocols with ports,
found by mpech@, ok frantzen@


# 1.120 15-Jul-2002 henning

add support for
pass|block on ! $interface ...

ok dhartmei@

will be documented in pf.conf(5) by "I'm not slacking!" pb@ who's currently
reworking this manpage


# 1.119 15-Jul-2002 pb

cosmetics/consolidations to manpage in yyerror()s

ok henning@, dhartmei@


# 1.118 15-Jul-2002 henning

o complain about keep state on block rules
o complain about return-rst on rules which aren't limited to tcp

pointed out by not-slacking-but-testing pb@

ok pb@, dhartmei@


# 1.117 13-Jul-2002 henning

add list expansion for interface and proto in nat rules and for proto in rdr
rules (interface was already there). since the nat.conf/pf.conf merge the
parser accepted these but didn't expand them. ugh.

ok dhartmei@


# 1.116 09-Jul-2002 itojun

check sin6_scope_id field, just in case we change the routing socket API
for scoped address (unlikely due to the deployed codebase...).


# 1.115 09-Jul-2002 itojun

getifaddrs(3) grabs link-local addrs in kernel internal form, convert them
into proper sockaddr_in6.


# 1.114 09-Jul-2002 henning

rework the interface-to-IP routines.

you can use interface names instead of an IP in most places. However, until
now, it was only expanded to the interface's first IPv4 address if existent
(and address family unset or inet) and the first IPv6 address otherwise.

this diff changes that. the interface is properly expanded to all IPs, IPv4
_and_ IPv6, now.

it also cleans up the lookup procedures (well, in fact, they are replaced by
a new one), there's no need for different procedures for IPv4 and IPv6. we
now just have one list of interfaces (AF_LINK) and one list with IPs
(AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and
ifa_lookup.

nat, rdr & friends now use the new function ifa_pick_ip to get the IP in
rules like

nat on $interface from $whatever to any -> $interface

ifa_pick_ip tries to be smart.
if the interface has only one IP address and the nat rule doesn't specify an
address family (or it matches with this address), take this one.
If the address family is specified in the nat rule and there is only one IP
for the given address family, this one is used. if the address family is not
specified and there is more than one IP pfctl throws an error. The same
applies for multiple IPs per address family.

This causes regression tests 18 and 20 to fail because the address family
isn't specified there; diff for those coming.

also fix some prototypes while I'm here.

pb@ found another problem while testing that we must have introduced somewhat
after 3.1.

$cat t
nat on ne3 from any to any -> 213.128.133.5
$pfctl -nvf t
nat on ne3 all -> ?

it's only a representation bug as far as I've checked, nonetheless it should
be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just
steal its target's IP af and set the rule's af accordingly. then inet_ntop
does play nice.
binat rules already enforce having an address family set always and thus are
not affected.

ok dhartmei@, pb@, kjell@
"It looks good" frantzen@


# 1.113 08-Jul-2002 dhartmei

Don't allow 'flags' option in non-TCP rules, found by mpech@


# 1.112 05-Jul-2002 henning

unbreak.


# 1.111 05-Jul-2002 henning

another small bug I found while installing a -current pf firewall.
we don't support

pass/block in on ! <interface>

(at least, not yet)
let the parser complain instead of ignoring the '!'

ok pb@, dhartmei@


# 1.110 01-Jul-2002 espie

streamline parse buffer handling (no need to copy value that is not
going to go away).

add explicit pushback buffer, to be able to push IPv6 failed parses back.

handle pushback + parse buffer interactions by using negative indices.

okay dhartmei@, deraadt@


# 1.109 01-Jul-2002 deraadt

KNF


# 1.108 28-Jun-2002 dhartmei

Don't check for address family conflicts in nat/rdr before expansion,
rules will expand to all valid combinations, and there's an error when
none is found. Makes "nat on tun0 from 10.0.0.0/8 to any -> (tun0)"
work (again).


# 1.107 25-Jun-2002 henning

move pfctl options -t, -m, -O and -l to pf.conf. These are set using the
"set" keyword. example rulefile:

set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all

fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@


# 1.106 24-Jun-2002 dhartmei

Use interface when specified in scrub rule. No support for ! or {} yet.


# 1.105 23-Jun-2002 deraadt

uid_t and gid_t are unsigned


# 1.104 20-Jun-2002 dhartmei

Copy address family from inet/inet6 keyword, if specified.


# 1.103 18-Jun-2002 frantzen

propagate a '!' when a host resolves to multiple IP addresses
ok dhartmei@


# 1.102 18-Jun-2002 frantzen

don't allow individual keep state rules to specify timeouts for 'interval' and
'frag' -- they aren't applied anyway
ok dhartmei@ and henning@


# 1.101 16-Jun-2002 aaron

Rules must in order -> Rules must be in order


# 1.100 15-Jun-2002 dhartmei

Reset rulestate in parse_rules(), so consecutive calls (like from authpf)
will not fail. Reported by Chris Kuethe.


# 1.99 13-Jun-2002 kjell

Fix the numbering of scrub rules. pointed out and oked by frantzen@


# 1.98 12-Jun-2002 kjell

Fix uninitialized access. Spotted by danh@ This is a good reason to
develop with "ln -s 'J' /etc/malloc.conf" enabled.
ok henning@


# 1.97 11-Jun-2002 frantzen

split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@. the rest are slacking


# 1.96 11-Jun-2002 frantzen

SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@


# 1.95 11-Jun-2002 dhartmei

Make NAT proxy port range configurable per rule, for instance privileged
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@


# 1.94 10-Jun-2002 kjell

Merge the NAT and rules files into a single rulefile. Rules must be
in this order, to remove any ambiguity about what order things happen in:

scrub rules
nat rules
filter rules

The -N and -R modifiers go away. Rulefiles are now loaded with the
more POSIXly-correct '-f'

ok frantzen@


# 1.93 10-Jun-2002 dhartmei

Allow ports to be specified in nat rules, useful later on for individual
proxy port ranges.


# 1.92 10-Jun-2002 dhartmei

Move enum out of struct (gcc 3.1 wasn't happy), from David Krause


# 1.91 10-Jun-2002 kjell

split scrub rule processing into its own yacc target,
for imminent config file merge. ok frantzen@


# 1.90 09-Jun-2002 dhartmei

Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it
includes ports and operator.


# 1.89 09-Jun-2002 deraadt

spaced out developers...


# 1.88 09-Jun-2002 kjell

Add list parsing in RDR rules: e.g.

rdr on $IFLIST proto tcp from $SRC_LIST to $DST_LIST port 21 \
-> 127.0.0.1 port 8021

ok dhartmei@


# 1.87 08-Jun-2002 henning

nuke unused parameter af to expand_label_port
ok dhartmei@, pb@


# 1.86 08-Jun-2002 dhartmei

Change remaining read-only lookup tables to const, suggestion drahn@


# 1.85 08-Jun-2002 itojun

comment on IPv6 link-local twists


# 1.84 08-Jun-2002 kjell

add list expansion to src/dest in NAT rules. i.e.

nat on fxp0 from { 10.0.0.0/24, 10.0.1.0/24 } to \
{ 172.6.1.1, 172.14.1.2/32 } -> fxp0

ok theo, dhartmei@


# 1.83 08-Jun-2002 henning

remove macro concatenation via += per Theo's advice


# 1.82 08-Jun-2002 henning

allow macro concatenation like
webservers = "{ 10.0.0.1, 10.0.0.7, 10.0.0.8, "
webservers += " 10.0.0.17, 10.0.0.25, 10.0.0.37 }"
ok frantzen@, dhartmei@


# 1.81 08-Jun-2002 dhartmei

Make state timeouts configurable per rule, like

pass in from any to any port www keep state (tcp.established 60)

ok frantzen@


# 1.80 08-Jun-2002 henning

expand $nr -> rule number in rule labels
okay dhartmei@, frantzen@


# 1.79 08-Jun-2002 henning

expand $proto in rule labels
okay frantzen@ dhartmei@


# 1.78 07-Jun-2002 dhartmei

Handle realloc() failure gracefully. Terminates with err() anyway in this
case, but we don't want to trigger "p = realloc(p," grepping causing false
alarms here.


# 1.77 07-Jun-2002 deraadt

henning, read this to see what i mean by KNF


# 1.76 07-Jun-2002 pb

add the possibility to configure a TTL while return-rst

ok dhartmei@, ipv6 part itojun@ ok


# 1.75 07-Jun-2002 dhartmei

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@


# 1.74 07-Jun-2002 henning

allow using $srcaddr, $srcport, $dstaddr and $dstport in rule labels,
evaluated at parse time.
ok dhartmei@


# 1.73 07-Jun-2002 itojun

make IPv6 scope identification work for dst (from any to fe80::1%lo0)


# 1.72 07-Jun-2002 itojun

support scoped IPv6 address in from/to portion.


# 1.71 01-Jun-2002 hugh

ECN flag support for pf. Committed in consultation with Daniel.


# 1.70 24-May-2002 dhartmei

Support mixed (IPv4/v6) address lists, expand to all possible and valid
combinations. 'pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }' will
expand to two rules, 'from 10.1.2.3 to 10.4.5.6' and 'from ::1 to ::2'.
Also applies to host name resolution (when multiple addresses are returned
for one name). ok frantzen@, itojun@


# 1.69 23-May-2002 deraadt

tiny KNF, some malloc checks, etc


# 1.68 23-May-2002 itojun

new_addr is not used from anywhere. daniel@benzedrine.cx ok


# 1.67 19-May-2002 deraadt

KNF


# 1.66 12-May-2002 dhartmei

Explain that user/group 'unknown' can only be used with operators = and !=
and refuse other constructs in the parser. Also note that 'user >= 0' does
not match forwarded packets with unknown user ID.


# 1.65 12-May-2002 dhartmei

Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.


# 1.64 10-May-2002 dhartmei

Handle host name resolution returning multiple addresses in the rule
parser (expand to every address). ok frantzen@


# 1.63 09-May-2002 jasoni

Add a max-mss option to the scrub rule which will enforce a maximum mss
by lowering it to the given value.
- ok dhartmei@, provos@


# 1.62 09-May-2002 dhartmei

Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.


# 1.61 24-Apr-2002 dhartmei

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).


# 1.60 23-Apr-2002 dhartmei

Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.


# 1.59 18-Apr-2002 deraadt

use strlcpy


# 1.58 17-Apr-2002 dhartmei

Reset lineno for each file, so pfctl -R ... -N ... reports the right
line number for non-first files. Reported by aaron@


Revision tags: OPENBSD_3_1_BASE
# 1.57 27-Mar-2002 mickey

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok


# 1.56 27-Feb-2002 dhartmei

Instead of printing useless @0 rule numbers from pfctl -vR, increase a
counter. Helps debugging rule sets that are not loaded. Suggested by
John Kerbawy.


# 1.55 11-Jan-2002 mickey

use bsearch() for keywords lookup, swap couple of entries to make the keywords array sorted and add a comment to keep it that way; dhartmei@ ok


# 1.54 10-Jan-2002 hugh

Let port 0 be specified as it's not special here.
Agreement with Daniel and others.


# 1.53 09-Jan-2002 mpech

Port must be >0 and <=65535. Idea while have fun with ssh.

dhartmei@ ok


# 1.52 09-Jan-2002 mpech

free() 'interface' in {nat,binat,rdr}rule

dhartmei@ ok


# 1.51 09-Jan-2002 dhartmei

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.


# 1.50 08-Jan-2002 dhartmei

Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.


# 1.49 07-Jan-2002 mpech

remove 3rd argument from ipmask(), not used.

dhartmei@ ok


# 1.48 23-Dec-2001 deraadt

find correct line number in lval, instead of val


# 1.47 10-Dec-2001 dhartmei

Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.


# 1.46 05-Dec-2001 dhartmei

Correctly parse hex numbers. Spotted by Claudio Jeker. Closes PR 2234.


# 1.45 03-Dec-2001 dhartmei

For nat, binat and rdr rules, don't allow different address families in
one rule. pf can't translate IPv4 <-> IPv6 packets. Such rules didn't work,
even if they were falsely accepted before.


# 1.44 26-Nov-2001 jasoni

add fastroute options similar to what is found in ipf
ok dhartmei@, frantzen@


# 1.43 05-Nov-2001 deraadt

no one responds.
this diff makes } and { not be part of symbols


# 1.42 24-Oct-2001 dhartmei

Check interface names using ifa0_lookup() and print error message for
non-existent interfaces (instead of the generic ioctl error returned by
the kernel in this case).


Revision tags: OPENBSD_3_0_BASE
# 1.41 15-Oct-2001 dhartmei

branches: 1.41.2;
Add 'allow-opts' to rules. Packets with IP options will be blocked by
default now, and can be allowed per rule. ok deraadt@


# 1.40 11-Oct-2001 frantzen

Don't htonl() past buffer bounds if ipmask == 128


# 1.39 07-Oct-2001 dhartmei

Add interface name to address translation to pfctl, document it and add
a regress test. Translation is done on rule set load-time only, so the
rule sets must be reloaded when an interface address changes.
parse.y patch from Cedric Berger. Similar patch from Jonathon Fletcher.
Thanks to both.


# 1.38 01-Oct-2001 markus

print variable assignments only if -v is given. ok dhartmei/deraadt


# 1.37 28-Sep-2001 dhartmei

Support underscores in macro names and document it in the man page.


# 1.36 20-Sep-2001 dhartmei

Fix uninitialized structure fields. Problem reported by Cedric Berger.


# 1.35 15-Sep-2001 wilfried

Implement return-icmp(number), return-icmp6(number)
Differentiate between return-icmp and return-icmp6,
icmp-type and ipv6-icmp-type. ok dhartmei@


# 1.34 15-Sep-2001 dhartmei

Fix 'binat ... to any ...' (binat.af wasn't set).


# 1.33 15-Sep-2001 dhartmei

Parse bug, found by wilfried@


# 1.32 15-Sep-2001 frantzen

IPv6 support from Ryan McBride (mcbride@countersiege.com)


# 1.31 12-Sep-2001 markus

check calloc() return value


# 1.30 06-Sep-2001 jasoni

- you can only binat between hosts
- add binat example and description


# 1.29 06-Sep-2001 jasoni

1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@


# 1.28 04-Sep-2001 dhartmei

Support parameter lists {} for interfaces in filter rules, like
pass in on { gm0, kue0 } from any to any


# 1.27 28-Aug-2001 markus

move '!' from host_list to host: "xhost : '!' host | host;"; ok dhartmei@


# 1.26 28-Aug-2001 markus

check for malloc/strdup == NULL


# 1.25 28-Aug-2001 dhartmei

Support ! operator in host parameter lists. Fixes PR system/2030. Reported
by Kamil Andrusz <wizz@mniam.net>.


# 1.24 26-Aug-2001 deraadt

sort keywords


# 1.23 25-Aug-2001 frantzen

PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation.


# 1.22 23-Aug-2001 millert

o for a port_item, initialize the "next" pointer to NULL
o for an address, use calloc() instead of malloc() so the struct is zeroed
Fixes a SEGV in pfctl due to uninitialized "next" pointers.


# 1.21 23-Aug-2001 deraadt

Support var="string". Expansion (at lex time) done using $var, for instance:
okproto="{ssh, smtp, domain, auth}"
pass in on key0 proto tcp from any to any port $okproto keep state
Can I ask someone else to document this in pf.conf(5)?


# 1.20 19-Aug-2001 dhartmei

Add parameter list support to parser. Handles lists for protocol, hosts
and ports in filter rules, like

block in from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
pass in proto tcp from any to any port { ssh, 1024 >< 2000, > 65000 }
block in proto { udp, igmp }

and does rule expansion (generate all needed rule combinations).


# 1.19 16-Aug-2001 deraadt

track the line number per-token, so that we can report errors correctly


# 1.18 14-Aug-2001 mickey

optimize the flags parsing; markus@ ok


# 1.17 11-Aug-2001 deraadt

\+\n support, and spit out cc-style error messages. the parser's line
counting is lex dependent, and will need to be tweaked


# 1.16 31-Jul-2001 wilfried

allow to test that flags are unset, ok dhartmei@, mickey@


# 1.15 19-Jul-2001 krw

Fix/complete the handling of the binary ops >< and <> to behave
like the ipf operators.

The 'n >< m' construct (Include Range = PF_OP_IRG) should match
ports greater than n and less than m, not greater than or equal to
n and less than or equal to m.

The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match
all ports less than n OR greater than m, not be treated as an
alias for ><.

Thus PF_OP_GL, which was used for both <> and >< is replaced with
PF_OP_IRG and PF_OP_XRG with the 'correct' semantics.

OK dhartmei@


# 1.14 18-Jul-2001 markus

new ERROR token, errx() -> warnx() + ERROR; ok deraadt@


# 1.13 18-Jul-2001 markus

KNF for return


# 1.12 18-Jul-2001 mickey

check number range to fit in 32 bits


# 1.11 18-Jul-2001 mickey

put range checks on NUMBER, pointed out by deraadt


# 1.10 17-Jul-2001 mickey

spaces, parens, err instead of errx+strerror


# 1.9 17-Jul-2001 markus

warnx()/YYERROR instead of errx(); suggested by mickey@


# 1.8 17-Jul-2001 provos

markus doesn't like min-ttl =, begone


# 1.7 17-Jul-2001 provos

support min-ttl, okay dhartmei@


# 1.6 17-Jul-2001 provos

normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@


# 1.5 17-Jul-2001 marc

bitch about ! in pf rule; ok dhartmei@ and markus@


# 1.4 17-Jul-2001 millert

Only set default proto in the rdr case; markus@ OK


# 1.3 16-Jul-2001 markus

errx() if getservbyname() fails


# 1.2 16-Jul-2001 markus

better flags parsing; dhartmei


# 1.1 16-Jul-2001 markus

add a yacc parser for pf.conf and nat.conf, with help from mickey@,
plus: -n now turns off all operations, and just parses the conf files
ok deraadt@


# 1.704 01-Oct-2020 kn

rdomain IDs do not need to exist for "on rdomain N" to work

Unlike "... rtable N", pf.conf(5)'s "on rdomain N" does not alter packet
state and will always work no matter if rdomain N currently exists or not,
i.e. the rule "pass on rdomain 42" will simply match (and pass) packets if
rdomain 42 exists, and it will simply not match (neither pass nor block)
packets if 42 does not exist.

There's no need to reload the ruleset whenever routing domains are created
or deleted, which can already be observed now by creating an rdomain,
loading rules referencing it and deleting the same rdomain immediately
afterwards: pf will continue to work as expected.

Relax both pfctl(8)'s parser check as well as pf(4)'s copyin routine to
accept any valid routing domain ID without expecting it to exist at the time
of ruleset creation - this lifts the requirement to create rdomains before
referencing them in pf.conf while keeping pf behaviour unchanged.

Prompted by yasuoka's recent pfctl parse.y r1.702 commit requiring an rtable
to exist upon ruleset creation.

Discussed with claudio and bluhm at k2k20.

Feedback sashan
OK sashan yasuoka claudio


Revision tags: OPENBSD_6_8_BASE
# 1.703 17-Sep-2020 yasuoka

Fix the previous commit whose conditions were reversed.

ok kn


# 1.702 17-Sep-2020 yasuoka

Make pfctl(8) check if the rtable really exists when parsing the
config. work with and diff from kn

ok kn


Revision tags: OPENBSD_6_7_BASE
# 1.701 28-Jan-2020 bket

sbin/pfctl: replace TAILQ concatenation loop with TAILQ_CONCAT

OK kn@, sashan@, florian@


# 1.700 15-Jan-2020 kn

Do the actual pfr_strerror() to pf_strerror() rename

Missed in previous


# 1.699 17-Oct-2019 millert

Use -1 to indicate an invalid uid/gid, not UID_MAX and GID_MAX.
This is the userland portion. OK deraadt@ sashan@


Revision tags: OPENBSD_6_6_BASE
# 1.698 26-Aug-2019 tobhe

Fix file descriptor leak due to popfile() never closing the main config file.

The fix is the same as for other parse.y files in the tree (see bgpd(8) or
unwind(8))

ok bluhm@


# 1.697 05-Jul-2019 patrick

Fix integer sizes in format strings and enable formatting warnings
for yyerror.

From Moritz Buhl
ok bluhm@ claudio@


# 1.696 08-May-2019 sashan

pfctl should check pfctl.astack is not overrun
(bug found and fixed by Petr Hoffmann _at_ oracle.com)

OK kn@


# 1.695 18-Apr-2019 kn

Fix table definition parsing as unprivileged user

revision 1.689 introduced warn_duplicate_tables() unconditionally, breaking
the parser on tables with insufficient permissions to open pf(4):

$ echo 'table <t>' | pfctl -nf-
pfctl: pfr_get_tables: Bad file descriptor

So simply check whether pfctl is able to get the table list first. If not,
instead of silently avoiding namespace collision checks, print a brief
notice iff `-v' is given to help finding duplicate definitions by hand:

$ echo 'table <t>' | ./obj/pfctl -vnf-
table <t>
stdin:1: skipping duplicate table checks for <t>

Reported by Rivo Nurges, thanks!
OK benno sashan


Revision tags: OPENBSD_6_5_BASE
# 1.694 06-Mar-2019 kn

Fix once rules

parse.y revision 1.682 from 16.07.2018 erroneously allowed `match once' and
`anchor "a" once'.

Fix both by checking for PF_DROP not PF_MATCH and creating anchors in the
parser already such that they can be used to distinguish anchor rules in
the same check as well.

Found and fixed by Petr Hoffmann <petr.hoffmann at oracle dot com>, thanks!

While here, remove an unneeded cast and make pfctl_add_rule() void as it
always returned 0.

OK sashan


# 1.693 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.692 10-Feb-2019 kn

Anchor names must not be empty

The parser would allow bogus input and sometimes even produce invalid rules
on empty anchor names, so error out immediately.

OK sashan


# 1.691 10-Feb-2019 kn

Unify anchor name sanity checks

For anchor names, make `load anchor' use the same grammar as `anchor' and
merge unique checks from both places so that anchor names are validated
regardless of the specific rule at hand.

OK sashan


# 1.690 31-Jan-2019 kn

Make divert-packet port accept any port specification

Contrary to other rules accepting a single port, this one only works with
numerical values. Fix it by simply using the proper grammar.

Port ranges are not accepted, but an error message on a range without start
was missing in general, so add it while here.

OK bluhm


# 1.689 11-Jan-2019 kn

When creating tables inside anchors, pfctl warned about namespace
collisions with global tables, but only in certain cases and with
limited information sometimes leaving users clueless.

Deferring the check to process_tabledefs() where tables are eventually
created, both anchor and table name are known which allows for checking
all existing anchors.

With this, warn on all duplicates even in dry-runs (`-n') and print
quoted names so they can be copied to fix configurations right away.

No functional change in parsing or ruleset production.

Discussed with and OK sashan


# 1.688 15-Nov-2018 dlg

scrub opts don't set tos, so remove it from the scrub_opts struct

ok deraadt@


# 1.687 10-Nov-2018 kn

Unbreak `-D macro=value' (r1.686 regression)

Zap trailing semicolon introduced with miko's cmdline_symset() leading to
unconditional err(3). Zap trailing tab while here.


# 1.686 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.685 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.684 16-Sep-2018 millert

Use uid_from_user(3) and gid_from_group(3) in utilities that
do repeated lookups. OK tb@


# 1.683 06-Sep-2018 kn

Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan


# 1.682 16-Jul-2018 kn

reduce duplicate code, fix typo/free correct buffer

In filteropts_to_rule():

* Merge `once' handling from `anchorrule' and `pfrule'
* Remove/shorten duplicate code block
* Fix typo I introduced with r1.678 that frees the wrong buffer (twice)

OK sashan


# 1.681 13-Jul-2018 kn

Fix regression on child queue definitions

I committed the wrong diff in 1.680 which turned `queue cq parent pq ...'
into invalid syntax by changing `interface' to `ON if_item'.

Found by bket, thanks!


# 1.680 11-Jul-2018 kn

Prevent invalid interface specifiers on queue rules

pf.conf(5) states that queues attach to actual interfaces only, yet the
following parses:

# echo queue eq on egress bandwidth 1G default | pfctl -f-
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

# echo queue rq on rdomain 0 bandwidth 1G default | pfctl -vf-
queue rq bandwidth 1G default
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

On rdomains, ifa_exists() returns NULL.
On interface groups, ifa_exists() returns non-NULL but af is never set
to AF_LINK.

OK henning sashan


# 1.679 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.678 10-Jul-2018 henning

'set delay' for the generic packet delay mechanism, ok benno sashan


# 1.677 10-Jul-2018 kn

fix anchor rules with filter opts, introduce filteropts_to_rule()

Some filter options were parsed but not set on anchor rules due to missing
copies of the respective struct members:

$ cat pf.conf
queue rq on trunk0 bandwidth 1G
queue dq parent rq bandwidth 1G default
anchor a set queue dq
$ pfctl -vnf pf.conf | fgrep queue
anchor "a" all

Fix this by moving common code from `anchorrule' and `pfrule' into a new
helper filteropts_to_rule().

Input from henning and benno
OK henning sashan jca


# 1.676 09-Jul-2018 kn

Zap dead code

Commented since r1.465 (2004).

OK deraadt benno jca sashan


# 1.675 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.674 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.673 18-May-2018 benno

A pf rule with a "on rdomain n" with nonexisting rdomain n will cause an

pfctl: DIOCADDRULE: Device busy

error when loading the ruleset, with no information which rule caused
the problem and no indication that the problem is the rdomain
<nonexisting>.

This diff makes pfctl check if the rdomain really exists when parsing
the config.

ok bluhm@


# 1.672 09-May-2018 otto

Fix (include file) line number counting by keeping track of the unget
buffer per file; also use that buffer to expand macros.
ok sashan@ dennis@ krw@


# 1.671 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.670 08-Feb-2018 henning

make the watermarks/thresholds for entering and leaving syncookie mode when
syncookies are set to adaptive tunable, ok claudio benno


# 1.669 06-Feb-2018 henning

allow control over syncookies: set syncookies never/always/adaptive


# 1.668 28-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@


# 1.667 27-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Convert the pfctl(8) rule parser to divert types, kernel cleanup
will be the next step.
OK sashan@


# 1.666 25-Nov-2017 sashan

- pfctl fails to handle nested 'load anchor' properly
[ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]

OK bluhm@


# 1.665 14-Nov-2017 sashan

- nested anchors vs. pfctl/parse.y
bug reported and fix tested by Leonardo Guardati

OK bluhm@


# 1.664 13-Nov-2017 henning

add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb


Revision tags: OPENBSD_6_2_BASE
# 1.663 11-Aug-2017 benno

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@


# 1.662 19-Jul-2017 mikeb

Allow HFSC classes to use flow queues

The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue. Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.

Discussed with and OK henning@ at d2k17 as a part of a larger diff.


# 1.661 19-Jul-2017 mikeb

Rework HFSC vs FQ-CoDel checks

The selection mechanism introduced in pf_ioctl.c -r1.316 suffers
from being too ambiguous and lacks robustness. Instead of relying
on composition of multiple flags in the queue specification, it's
easier to identify the root class (if it exists) and derive all
further checks from it.


# 1.660 28-May-2017 akfaew

Don't check np->port for NULL - it's an array, it's never NULL.

OK bluhm@


# 1.659 15-May-2017 mikeb

Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)

OK sthen, visa


# 1.658 28-Apr-2017 mikeb

Remove double assignments


Revision tags: OPENBSD_6_1_BASE
# 1.657 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.656 23-Nov-2016 bluhm

Explicitly forbid to combine af-to with route-to in pfctl. The
parser cannot handle that correctly and it is unclear whether the
kernel code would work. Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@


# 1.655 26-Aug-2016 guenther

Add <time.h> for time(); sort <*.h> includes

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.654 18-Jul-2016 henning

g/c unused (global!) var: oqueues isn't used any more. ALTQ leftover; not
noticed since struct node_queue stayed. ok claudio benno gcc


# 1.653 22-Jun-2016 kettenis

Add curly braces that were missed in rev 1.651. Add parenthesis to make the
condition in the if statement more readable while I'm there.

ok phessler@, benno@, florian@


# 1.652 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.651 21-Jun-2016 benno

the manpage documents that af-to does not work on pass out rules, but
the pf.conf parser allows it, which leads to a non-working configuration
being loaded.
this changes the parser to make pass out .. af-to an error.

ok henning@ mikeb@


# 1.650 16-Jun-2016 henning

allow include in inline anchors
with this,
anchor foo {
include "/path/to/rules"
}
works and "load anchor" is obsolete, to be removed somewhen later after
release.
co-production with reyk at bsdcan, ok reyk mikeb benno sasha


Revision tags: OPENBSD_5_9_BASE
# 1.649 01-Sep-2015 sashan

- route-to, dup-to, reply-to should not override the block action

Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>

ok jung@, ok mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.648 21-Apr-2015 mikeb

Improve divert-to specification parsing w.r.t. rule address family.
ok henning


Revision tags: OPENBSD_5_7_BASE
# 1.647 26-Feb-2015 sthen

%% not % in error message; ok millert@ henning@


# 1.646 14-Feb-2015 sthen

Rather than using 0xff as a placeholder for "don't check prio", use 0xff to
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.

Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesn't like it he can change it when he recovers from jet-lag"


# 1.645 10-Feb-2015 henning

since we inherit prio (as in, the queuing priority) from outside sources,
i. e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan


# 1.644 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.643 19-Dec-2014 reyk

Support source-hash and random with tables and dynifs; not just pools.
This finally allows using source-hash for dynamic loadbalancing, eg.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.

An older pre-siphash version of this diff was tested by many people.

OK tedu@ benno@


# 1.642 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.641 27-Oct-2014 mikeb

Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic. Reported by sthen@;
ok henning benno sthen


# 1.640 25-Oct-2014 lteo

Remove unnecessary netinet/in_systm.h include.

ok millert@


# 1.639 13-Sep-2014 doug

Replace all queue *_END macro calls except CIRCLEQ_END with NULL.

CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.

ok millert@


# 1.638 23-Aug-2014 pelikan

when you specify queues in a rule, make sure they have been defined.

DIOCADDRULE EBUSY turns into an error message that pfctl -n catches.
DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported
to occur, possibly from hfsc.c: this should be fixed as well.

ok henning mikeb sthen


# 1.637 21-Aug-2014 mikeb

deny "once" flags for match rules; ok henning


Revision tags: OPENBSD_5_6_BASE
# 1.636 02-Jul-2014 mikeb

branches: 1.636.4;
condition above makes this part of the check useless;
overlooked in the previous commit


# 1.635 30-Jun-2014 mikeb

Merge two loops in collapse_redirspec into one

This lets us do the checks only once and also make smarter decisions
about the rule's own address family. As a result af-to rules no longer
need to specify the address family after 'pass'.

ok henning


# 1.634 25-Jun-2014 mikeb

Make stricter decisions when handling translation specifications.

In particular, disallow specifications containing addresses of
different address families when the rule doesn't specify one, for
example "pass out nat-to { ::1 1.1.1.1 }" will now produce an
error instead of silently picking one of the addresses.

sthen and deraadt agree


# 1.633 17-May-2014 bluhm

When parsing a numerical value for the TOS bits, make sure that it
is in a valid range.
OK henning@


# 1.632 19-Apr-2014 henning

remove altq bits here, too
(i was convinced i committed that yesterday already, hrm)


Revision tags: OPENBSD_5_5_BASE
# 1.631 22-Jan-2014 henning

branches: 1.631.4;
relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.630 21-Jan-2014 henning

if_item can be "any" now.
allows things like
block out on $someif received-on any
to prevent packets from getting forwarded to $someif


# 1.629 20-Jan-2014 henning

support "!received-on <interface>", ok dlg benno


# 1.628 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.627 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


# 1.626 17-Oct-2013 henning

cannot have queue definitions inside anchors.
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@@ring0.de>, analysis & fix yours truly


# 1.625 12-Oct-2013 henning

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen


# 1.624 01-Aug-2013 mikeb

Provide local implementations of if_nametoindex(3) and if_indextoname(3)
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance wise this change provides a speed up
factor of 20 with an 11k line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).

"wow!" henning, ok benno, florian


Revision tags: OPENBSD_5_4_BASE
# 1.623 01-Jun-2013 henning

branches: 1.623.2;
remove set-tos backwards compat, moved into the set {} block a year ago
ok ryan


# 1.622 02-Mar-2013 sthen

When a PF rule contains 'set tos' *followed by* a scrub option, the tos
value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning


Revision tags: OPENBSD_5_3_BASE
# 1.621 16-Jan-2013 henning

for consistency with prio etc, the queue assignment really belongs
into the set block. so make pfctl accept, print and the manpage document
. match set queue foo
instead of
. match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc


# 1.620 18-Oct-2012 reyk

Disallow tables and interface address pools for rdr-to, nat-to and
route-to with any other scheduling algorithms than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, eg. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.

Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.

ok zinke@


# 1.619 18-Sep-2012 henning

prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb


Revision tags: OPENBSD_5_2_BASE
# 1.618 10-Jul-2012 bluhm

Allow an implicit address family for af-to rules. If the address
family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6"
there.
OK henning@ mikeb@


# 1.617 10-Jul-2012 henning

set { ... } -> set ( ... )
brought up by ryan, discussed with him and theo and they convinced me


# 1.616 09-Jul-2012 henning

fix some of the confusion we have in pf regarding filter criteria vs
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler


# 1.615 07-Jul-2012 henning

remove incorrect check in pfctl preventing set-tos for ipvshit.
the kernel has code to deal with set-tos and that crap. don't ask for
details. stuart ok


# 1.614 07-Jul-2012 henning

rename prio in struct pf_rule and related structs to set_prio so it is
utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc


Revision tags: OPENBSD_5_1_BASE
# 1.613 19-Dec-2011 mikeb

unbreak rule optimizer; ok henning, looks


# 1.612 12-Dec-2011 mikeb

fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault


# 1.611 03-Dec-2011 mcbride

pfctl_set_hostid always returns 0; don't pretend otherwise and make it a
void function instead.

ok dlg


# 1.610 13-Oct-2011 claudio

pfctl change for af-to / NAT64 support.
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@


# 1.609 07-Sep-2011 haesbaert

Avoid possible SIGSEGV when wrong tos option.


# 1.608 30-Aug-2011 mikeb

One shot rules can be used in pf.conf by specifying a "once" filter option.

ok henning, mcbride


Revision tags: OPENBSD_5_0_BASE
# 1.607 29-Jul-2011 mcbride

Remove requirement to quote 'debug' loglevel for the 'debug' option.

ok henning


# 1.606 27-Jul-2011 mcbride

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt


# 1.605 13-Jul-2011 mcbride

Force user to specify protocol when filtering on user, gid, and os
attributes (this is now required by pf_rule_test()).

ok sthen henning


# 1.604 08-Jul-2011 henning

allow rules to specify "prio X" or "prio (X, Y)" to assign priority levels
for the new priority queueing implementation. valid range is 0 to 7. the old
trick for prioritizing empty ACKs etc remains thru the latter notation
ok ryan mpf sthen plus pea testing and halex and claudio reading


# 1.603 07-Jul-2011 mcbride

Fold pf_test_fragment() into pf_test_rule(), reduces code and fixes
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus


# 1.602 04-Jul-2011 henning

bye bye require-order.
i added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo


# 1.601 03-Jul-2011 henning

g/c RIO traces (aka clean up after tedu :))


# 1.600 03-Jul-2011 zinke

bring in least-states load balancing algorithm

ok mcbride@ henning@


# 1.599 06-Apr-2011 claudio

Userland bits to allow PF to filter on the rdomain a packet belongs to.
This allows writing rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@


# 1.598 05-Apr-2011 mikeb

ditch fastroute, an ipf feature that made its way into pf before
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do. reuse some kernel bits for the upcoming nat64
stuff. "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.


Revision tags: OPENBSD_4_9_BASE
# 1.597 31-Dec-2010 bluhm

According to pf_scrub_ip6() pf does not support the scrub options
no-df, random-id, set-tos for IPv6 rules. Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@


# 1.596 15-Dec-2010 henning

make the "invalid probability:" yyerror suck less
From: Thomas Pfaff <tpfaff@tp76.info>


# 1.595 01-Dec-2010 jsg

remove some unused tokens
ok henning@ mcbride@


# 1.594 24-Sep-2010 henning

remove the check that enforced rdr-to only inbound and nat-to only outbound.
both now can be used in both directions. the kernel allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given, a rule with rdr-to and/or nat-to
and no direction is pretty certainly an error (which it would work,
technically)
ok ryan claudio dlg


# 1.593 22-Sep-2010 henning

new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually


# 1.592 02-Sep-2010 sobrado

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@


Revision tags: OPENBSD_4_8_BASE
# 1.591 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.590 03-Jul-2010 mcbride

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.

tested by phessler
ok henning


# 1.589 23-Mar-2010 henning

remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving anchors aside) is wrong and
conflicts with the general idea of how pf works. last not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc


Revision tags: OPENBSD_4_7_BASE
# 1.588 13-Jan-2010 deraadt

Move tokens before productions into more consistent places
ok mcbride


# 1.587 13-Jan-2010 mcbride

Allow /netmask notation in redir spec, fix the rest of the regress
tests for illegal conditions in translation/routing.


# 1.586 12-Jan-2010 mcbride

We actually have to keep the translate/route spec addresses around after
collapsing into tables, so that we can handle all possible address family
expansions.


# 1.585 12-Jan-2010 mcbride

Set roundrobin flag correctly, and don't treat a bare interface
like a dynamic one in the routespec.


# 1.584 12-Jan-2010 mcbride

Add restrictions to make @if illegal outside of routing specs;
Fix binat-to sanity checks.


# 1.583 12-Jan-2010 mcbride

Fix some issues in redir spec handling, discovered thanks to dlg testing
- purge irrelevant addresses from the lists before collapsing
- ensure the lists are freed after they're collapsed
- more careful ifname copying, avoiding double-free / use-after-free traps


# 1.582 12-Jan-2010 mcbride

Don't leak @if0 format routing host names, pointed out by claudio.


# 1.581 12-Jan-2010 mcbride

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio


# 1.580 10-Jan-2010 deraadt

lex <=, >=, and != into a single token for correctness and to reduce the
lookahead in the parser
ok henning otto


# 1.579 10-Jan-2010 deraadt

In the non-optimized case, an address list containing "any" (ie. { any 10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1. How long this bug has
been with us is unclear.
ok guenther mcbride


# 1.578 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


# 1.577 24-Dec-2009 dlg

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:

pass out on em0 from $foo to $bar received-on fxp0

i've been running this in production for a week now. i find it particularly
useful with interface groups.

no objections, and a few "i like"s from henning, claudio, deraadt, mpf


# 1.576 10-Dec-2009 deraadt

plug some memory leaks; found by parfait, ok henning


# 1.575 22-Nov-2009 henning

cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing


# 1.574 09-Nov-2009 jsg

A few more places to be updated for the route pool change.
expanded version of a diff from Vadim Zhukov.

ok henning@ claudio@


# 1.573 28-Oct-2009 jsg

Add a dedicated pf pool for route options as suggested by henning,
which unbreaks ie route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@


# 1.572 28-Oct-2009 claudio

route_host initializes the netmask to a /128 no matter what af is used so
that the load balancing code does not freak out but because of this
check_netmask() is now complaining. So set the addr.type to PF_ADDR_DYNIFTL
so check_netmask() is fixing up the netmask for IPv4 and stops complaining.
This is a partial fix for the failing regress test 13.
found with jsg, looks good henning


# 1.571 28-Oct-2009 claudio

Correct function name in err and errx.


# 1.570 04-Oct-2009 michele

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who spotted out which are the limitations of this approach.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@


# 1.569 08-Sep-2009 michele

I had not enough oks to commit this diff.
Sorry.


# 1.568 08-Sep-2009 michele

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.


# 1.567 07-Sep-2009 reyk

implement binat-to as a macro-like rule: a rule using the new binat-to
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. this simplifies the migration from old
binat rules and is less error-prone.

feedback from many, manpage bits from jmc@
ok henning@


# 1.566 03-Sep-2009 reyk

this time i commit the right diff that was
ok henning@ (sorry)


# 1.565 03-Sep-2009 reyk

fix two route-to vs. rdr-to conflicts.

found by sthen@
ok henning@


# 1.564 02-Sep-2009 reyk

all the new *-to options are part of the "filteropts" section at the
end of a pf rule (nat-to, divert-to, rdr-to, ...). take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.

for example,
pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)

many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@


# 1.563 01-Sep-2009 henning

the diff theo calls me insanae for:
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too


# 1.562 28-Jul-2009 claudio

Bring back rev. 1.560:
Make it possible to use DiffServ Code Point in the TOS fields.
Requested by deraadt@


# 1.561 27-Jul-2009 deraadt

When will people learn to commit their .h file changes?


# 1.560 27-Jul-2009 claudio

Make it possible to use DiffServ Code Point in the TOS fields. Names like
af11, cs6 and ef will now be mapped to the corresponding TOS value.
OK henning@, sthen@, mcbride@


Revision tags: OPENBSD_4_6_BASE
# 1.559 14-May-2009 sthen

actually change the require-order default to No; I missed a part with
my last commit. ok deraadt@


# 1.558 26-Apr-2009 sthen

switch the require-order default to "no". regression tests still pass.
ok henning@ deraadt@


# 1.557 25-Apr-2009 henning

scrub_opts must not be empty, scrub on its own does nothing.
noticed due to a question from otto@, ok regress/sbin/pfctl/ ;)


# 1.556 06-Apr-2009 henning

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.
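The queue, logging and pass/block semantics described in this message, as an added example that is not pfctl or pf(4) code: a constructed model that walks a ruleset in order and applies only what the message states (no quick, no state, no real packet matching; each rule carries a constructed "matches" flag instead).

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of the evaluation semantics described above; it is not
 * pf(4) code and ignores quick, state and anything the message does not
 * describe. */
enum action { PASS, BLOCK, MATCH };

struct rule {
	enum action act;
	const char *queue;	/* NULL: this rule assigns no queue */
	int log;		/* 1: this rule logs */
	int matches;		/* constructed: whether the rule matches the packet */
};

struct verdict {
	enum action act;	/* PASS or BLOCK: set only by pass/block rules */
	const char *queue;	/* last queue assigned by any matching rule */
	int log_count;		/* number of times the packet gets logged */
};

/* Walk the ruleset in order. Every matching rule, match rules included,
 * applies its queue assignment and logging; only pass/block rules change
 * the pass/block state, and the last one to match wins. */
struct verdict
evaluate(const struct rule *rules, size_t n)
{
	struct verdict v = { PASS, NULL, 0 };	/* default when nothing matches */
	size_t i;

	for (i = 0; i < n; i++) {
		if (!rules[i].matches)
			continue;
		if (rules[i].queue != NULL)
			v.queue = rules[i].queue;
		if (rules[i].log)
			v.log_count++;
		if (rules[i].act != MATCH)
			v.act = rules[i].act;
	}
	return (v);
}

/* Scenario 1 from the message: "pass" after "match" passes the packet, and
 * the match rule's queue survives because the pass rule sets none. */
struct verdict
scenario_match_then_pass(void)
{
	const struct rule rs[] = {
		{ MATCH, "reallyslow", 1, 1 },
		{ PASS,  NULL,         0, 1 },
	};
	return (evaluate(rs, 2));
}

/* Scenario 2: "block" followed by "match" still blocks; the match rule
 * neither passes nor blocks the packet, it only logs it. */
struct verdict
scenario_block_then_match(void)
{
	const struct rule rs[] = {
		{ BLOCK, NULL, 0, 1 },
		{ MATCH, NULL, 1, 1 },
	};
	return (evaluate(rs, 2));
}

/* Scenario 3: a later matching rule that sets a queue overrides the earlier
 * assignment, a non-matching rule contributes nothing, and the packet is
 * logged once per matching rule that logs. */
struct verdict
scenario_queue_override(void)
{
	const struct rule rs[] = {
		{ MATCH, "reallyslow", 1, 1 },
		{ MATCH, "bulk",       1, 0 },	/* does not match this packet */
		{ PASS,  "fast",       1, 1 },
	};
	return (evaluate(rs, 3));
}
```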


Revision tags: OPENBSD_4_5_BASE
# 1.555 19-Feb-2009 deraadt

spacing


# 1.554 17-Oct-2008 henning

in findeol(), do not skip the pushback buffer. fixes PR 5952 by sthen@ and
should make the pushback buffer really transparent.
diagnosis by me, fix with mpf, some input deraadt, ok mpf


# 1.553 02-Oct-2008 henning

implement "set state-defaults X", where X is a list of state options as
permitted keep state(X). applies to all rules which do not have keep state
explicitly. e. g. "set state-defaults pflow, no-sync"
ok phessler deraadt


# 1.552 10-Sep-2008 deraadt

do not try to print $$ when it has not been set


# 1.551 09-Sep-2008 henning

welcome pflow(4), a netflow v5 compatible flow export interface.
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo


# 1.550 07-Aug-2008 henning

correctly copy the log interface spec when expanding an antispoof rule that
covers loopback addresses. ok ryan
problem report from Harald Dunkel <harald.dunkel@aixigo.de>


Revision tags: OPENBSD_4_4_BASE
# 1.549 03-Jul-2008 deraadt

do not forget to initialize other member of $$ in qname; noted by mark shroyer
ok henning


# 1.548 10-Jun-2008 mcbride

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt


# 1.547 10-Jun-2008 henning

new state option "sloppy" to use the sloppy tcp state tracker instead
of the good one. ok theo ryan reyk


# 1.546 09-May-2008 deraadt

Replace a crockpot of semi-cloned productions for handling port
numbers with one, and fix a few other bugs along the way
ok mpf henning


# 1.545 09-May-2008 markus

convert port byte order in the production; add port keyword; ok deraadt@


# 1.544 09-May-2008 markus

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@


# 1.543 08-May-2008 deraadt

make "to any" optional in binat, or well, the implied default.
requested by reyk, ok reyk mpf


# 1.542 08-May-2008 deraadt

Loosen grammar to permit any number of newlines within most kinds of { }
blocks, as requested by reyk; ok reyk mpf henning


# 1.541 08-May-2008 deraadt

Bring back (in a more yacc friendly way) support for setting variables
to a sequence of strings and numbers, which get folded together into one
string (and later, when used, is re-lexed)
ok mpf


# 1.540 07-May-2008 deraadt

do not assume PF_INOUT is 0 in the enum; ok mcbride


# 1.539 07-May-2008 markus

scrub packets based on tags; ok henning


# 1.538 07-May-2008 markus

allow setting TOS with scrub; ok mcbride, claudio


# 1.537 21-Apr-2008 deraadt

optnl is a crutch for those who do not understand yacc. it
leads to a variety of errors; ok mcbride


Revision tags: OPENBSD_4_3_BASE
# 1.536 01-Feb-2008 mcbride

Enable the rest of the filter_opts to be used on anchors. These were accepted
by the parser but not passed to the kernel. This allows filtering based on
uid, gid, icmp options, tcp flags, os fingerprint, tos, tags, and probability;
It also allows the label to be set. State options and tagging are not
permitted.

ok henning mpf


# 1.535 13-Nov-2007 mpf

Bring back the number converter for 'set hostid'.
I forgot to think about hex numbers when I removed it.
OK deraadt@


# 1.534 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.533 25-Oct-2007 mpf

Fix probability rules w/ numbers (e.g probability 0.4).
Add support for probabilities of 0% and 100%.
With and OK deraadt@


# 1.532 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.531 22-Oct-2007 deraadt

pfctl does not need file secrecy


# 1.530 16-Oct-2007 mpf

Allow unquoted numbers in variables.
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.

OK deraadt@


# 1.529 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.528 13-Oct-2007 deraadt

support an include directive; file of course must also be "secure" like
the main configuration file; ok henning


# 1.527 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.526 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.525 01-Oct-2007 mpf

Backout NUMBER to string conversion.
Requested by deraadt@


# 1.524 27-Sep-2007 mpf

Add loginterface support for groups.
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.

OK henning@, markus@


# 1.523 23-Sep-2007 mpf

Allow numbers to be used as unquoted strings again.
While there, also restrict the use of concatenated, unquoted
strings for variable assignments only.

Eyeballed by markus@, OK henning@


# 1.522 12-Sep-2007 deraadt

add a missing range check for rtable ids; ok cloder henning


# 1.521 12-Sep-2007 deraadt

Add support to the lex for parsing number out of the stream. handle
this in the parser. because the new numbers are int64_t, many new
range checks for < 0 are needed. re-check and improve all the
existing rangechecks while at it. thanks for help by cloder and
dhartmei


# 1.520 30-Aug-2007 dhartmei

add support for address ranges ("from 10.1.2.50 - 10.1.3.75") in from/to
criteria. ok mcbride@


Revision tags: OPENBSD_4_2_BASE
# 1.519 21-Jun-2007 henning

always initialize logif, from max laier, ok ryan


# 1.518 20-Jun-2007 mpf

Allow "log" for nat rules without "pass".
OK henning@, ``passt scho'' markus@


Revision tags: OPENBSD_4_1_BASE
# 1.517 03-Feb-2007 dhartmei

in decide_address_family(), only limit a rule to a specific address family
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@


# 1.516 07-Nov-2006 mcbride

Unbreak authpf by handling non-inline anchors separately from the { } anchors
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.

ok deraadt@


# 1.515 31-Oct-2006 mcbride

Allow pfctl ruleset optimizer to be controlled from the ruleset.

"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]

You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.

cleanup and ok henning@


# 1.514 31-Oct-2006 mcbride

- don't allow anchors with _* names to be cleared or loaded from the
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified

'looks sensible' deraadt@


# 1.513 28-Oct-2006 mcbride

Load all rules into memory before loading into the kernel, and add support
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").

anchor on fxp0 {
pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@


# 1.512 25-Oct-2006 henning

make absolutely sure logif is 0 unless set specifically, even if log is 0.
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...


# 1.511 25-Oct-2006 henning

and another nit, $$.log should be set to 0 explicitly on quick without log


# 1.510 25-Oct-2006 henning

urgs, $$.quick needs to be set to 0 explicitly on log (without quick)


# 1.509 25-Oct-2006 henning

allow the log interface to be selected like
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride


# 1.508 17-Oct-2006 mcbride

Don't automatically set 'flags S/SA' on stateless rules.

pointed out by david@

ok mpf@ dhartmei@


# 1.507 11-Oct-2006 deraadt

quotes around filename, pr 5253, sthen@zephyr.spacehopper.org


# 1.506 11-Oct-2006 mcbride

Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside
the anchor, terminate ruleset evaluation when stepping out of the anchor.

This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.

ok dhartmei@ henning@ deraadt@


# 1.505 06-Oct-2006 mcbride

Oops, flags S/SA doesn't work on fragments.


# 1.504 06-Oct-2006 mcbride

Make 'flags S/SA keep state' the implicit for filter rules, based on
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.

IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.

Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.

ok dhartmei@ deraadt@ henning@


Revision tags: OPENBSD_4_0_BASE
# 1.503 22-Aug-2006 dhartmei

back out -r1.497 (support for "tagged {}" lists), it broke "tagged" support
for nat rules. sorry, existing functionality trumps syntactic sugar. feel
free to resubmit a complete patch. closes PR 5207.


# 1.502 06-Jul-2006 henning

add "rtable" to select alternate routing tables.
with & ok claudio hshoexer


# 1.501 17-Jun-2006 henning

KNF


# 1.500 28-May-2006 mcbride

Make per-rule adaptive timeouts behave the same way as the global adaptive
timeouts.


# 1.499 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.498 02-May-2006 dhartmei

fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, create
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.


# 1.497 01-May-2006 dhartmei

add support for "tagged {}" lists, from Pierre-Yves Ritschard


# 1.496 06-Apr-2006 henning

allow lists inside lists for address specs, has been in my tree for
quite some time... theo likes


# 1.495 14-Mar-2006 djm

implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@


Revision tags: OPENBSD_3_9_BASE
# 1.494 17-Nov-2005 dhartmei

for pfctl -f rules, open the file before resetting options. when opening
the file fails, produce only the error message and leave options
unchanged. reported by Tamas TEVESZ, ok deraadt@


# 1.493 13-Oct-2005 henning

unused parameters


Revision tags: OPENBSD_3_8_BASE
# 1.492 14-Jun-2005 henning

no need to restrict tagging to stateful rules any more, dhartmei ok
From: "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.491 27-May-2005 dhartmei

get rid of 'log-all'. now that we have 'log (options)', make 'all' an
option to log. so, 'log-all' becomes 'log (all)'.


# 1.490 27-May-2005 dhartmei

get rid of shift/reduce conflicts, don't support empty logopts


# 1.489 27-May-2005 dhartmei

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v is used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.


# 1.488 27-May-2005 dhartmei

allow 'tagged' in 'anchor' rules (without complaining about missing
'keep state'), as a condition to branch into the anchor. suggested
by Bill Marquette.


# 1.487 26-May-2005 camield

The illegalness of "no nat log" is already enforced by the grammar.

ok dhartmei


# 1.486 26-May-2005 dhartmei

support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@


# 1.485 23-May-2005 camield

remove code that duplicates getservice()

ok dhartmei mcbride


# 1.484 21-May-2005 henning

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo


# 1.483 22-Apr-2005 camield

Catch bad flags, ie. flags that always evaluate to false. This happens
if there are flags on the lefthandside that are masked off by the
righthand side.

ok mcbride@ (long time ago) dhartmei@ henning@


Revision tags: OPENBSD_3_7_BASE
# 1.482 07-Mar-2005 henning

print unsigned long with %lu, not with %d and not with %ld.
From: Andrey Matveev <andrushock@korovino.net>


# 1.481 06-Mar-2005 henning

allow commas in the hfsc service curve spec, inconsistency pointed out in
PR4134 / geoff@collyer.net and a longer mail exchange with han boetes


# 1.480 06-Mar-2005 dhartmei

print "set skip on" with -v in such a way that the output is valid input
syntax, instead of the cryptic hex flags output.


# 1.479 27-Feb-2005 dhartmei

support 'tagged' in translation rules, non-delayed tag lookup
ok henning@, deraadt@


# 1.478 26-Feb-2005 henning

you sure get the impression the number of memory leaks in error paths
is infinite... Andrey Matveev <andrushock@korovino.net> spotted a few again!


# 1.477 07-Feb-2005 david

KNF; ok henning@


# 1.476 28-Jan-2005 dhartmei

add messages for syntax errors that caused silent failure before.
found by Peter Fraser, ok henning@


# 1.475 27-Jan-2005 dhartmei

dynamic interface names must start with a letter. catches the nonsensical
"(10.1.2.3)" that results from a simple typo like "$(ext_ip)" instead of
"$(ext_if)".


# 1.474 05-Jan-2005 mcbride

Modify pfctl behaviour so that 'set ...' options are no longer "sticky", ie.
they are reset to default values if omitted from a subsequent ruleset load.
Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set
without resetting the others, eg:
# echo "set loginterface fxp0" | pfctl -mf -

ok henning@ dhartmei@


# 1.473 29-Dec-2004 mcbride

Print 'set fingerprints' correctly when parsing verbosely.


# 1.472 23-Dec-2004 dhartmei

set rule_flag PFRULE_SRCTRACK when setting srctrack, found by camield@
using regress test pf84


# 1.471 22-Dec-2004 dhartmei

Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@


# 1.470 15-Dec-2004 henning

missing free()s; with pat


# 1.469 10-Dec-2004 henning

allow pf to filter on route labels
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan


# 1.468 08-Dec-2004 mcbride

Add "'overload' requires 'max-src-conn' or 'max-src-conn-rate'" sanity check,
fix some cut-n-paste mayhem in other related checks.


# 1.467 07-Dec-2004 dhartmei

re-commit mcbride@'s 'flush global', this time without the breakage in
pfvar.h. builds kernel and userland.


# 1.466 07-Dec-2004 deraadt

real backout


# 1.465 07-Dec-2004 deraadt

oops, incomplete backout


# 1.464 07-Dec-2004 deraadt

tree does not compile, spotted by dlg (not obvious how to fix)
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.463 07-Dec-2004 mcbride

Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.462 05-Dec-2004 dhartmei

initialize $$->tail and $$->next for MAXSRCCONNRATE


# 1.461 04-Dec-2004 mcbride

Userland support for limiting open tcp connections per source. eg:

keep state (max-src-conn 1000, max-src-conn-rate 100/10, overflow <bad> flush)

allow a maximum of 1000 open connections or 100 new connections in 10 seconds.
The addresses of offenders are added to the <bad> table which can be used in
the ruleset, and existing states from that host are flushed.

ok deraadt@ dhartmei@


# 1.460 21-Sep-2004 aaron

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok


Revision tags: OPENBSD_3_6_BASE
# 1.459 29-Jun-2004 henning

remove cedric's bogus interface name verification code.
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nice enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being bugged to regularly.
help & ok mcbride@


# 1.458 29-Jun-2004 frantzen

convert a few memcpy()s to strlcpy() so we don't copy uninitialized junk into
an interface name's slack space past the \0. will be needed for the optimizer.
ok henning@


# 1.457 26-Jun-2004 david

add back PF_INOUT, fixes reassemble tcp
ok canacar@ mcbride@


# 1.456 25-Jun-2004 deraadt

repair tree nanobreak by the nanobum


# 1.455 10-Jun-2004 dhartmei

rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
keyword in C++. ok henning@, cedric@


# 1.454 21-May-2004 dhartmei

Use '/' instead of ':' as separator for anchor path components. Note that
the parser now needs quotes around paths containing separators.
ok mcbride@


# 1.453 19-May-2004 dhartmei

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@


# 1.452 24-Apr-2004 cedric

Add "probability xxx" rule modifier. ok deraadt@


# 1.451 22-Apr-2004 henning

typo, From: Jared Yanovich <jjy2+@pitt.edu>


# 1.450 14-Apr-2004 cedric

make antispoof work with dynamic addresses. ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_5_BASE
# 1.449 20-Mar-2004 david

spelling fix; ok dhartmei@ henning@ deraadt@


# 1.448 14-Mar-2004 dhartmei

#include fixes, from Max Laier, ok beck@ henning@


# 1.447 08-Mar-2004 henning

plug 124 memory leaks
ok mcbride@ pb@ dhartmei@


# 1.446 06-Mar-2004 henning

from bgpd:
plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. err(1, "yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.445 01-Mar-2004 dhartmei

support "tagged <name>" on anchor rules, suggested by vd@vmunix.lt,
ok henning@, cedric@


# 1.444 24-Feb-2004 mcbride

'max-src-nodes' requires 'source-track rule'. Set that automatically,
unless 'source-track global' is explicit, in which case error out. Lots of
help from cedric@.

ok cedric@ henning@


# 1.443 24-Feb-2004 cedric

fixup.


# 1.442 24-Feb-2004 mcbride

Check for 'source-track rule' with 'max-src-nodes'.

ok cedric@ henning@


# 1.441 11-Feb-2004 cedric

Fix interface clobbering for link-local addresses. Found by Pyun YongHyeon.
Fix "antispoof for foo" when foo has no addresses.
ok+help dhartmei@, ok mcbride@


# 1.440 10-Feb-2004 henning

KNF


# 1.439 10-Feb-2004 henning

fix at least the worst of Cedric "KNF is for everybody but me" Berger's fuckup


# 1.438 04-Feb-2004 mcbride

Handle rules like 'pass ... proto { tcp udp icmp } ... modulate state'

ok dhartmei@ henning@


# 1.437 03-Feb-2004 henning

fix PR 3664 / jared r r spiegel
we need to save the unexpanded tag/tagged strings before entering the
expansion loop, and at each loop, start with the unexpanded tag, so that
on subsequent loops the macros are replaced with current values and not
the values from previous loop persist
ryan theo ok


# 1.436 05-Jan-2004 henning

few off by ones in strlcpy overflow check; Patrick Latifi


# 1.435 04-Jan-2004 cedric

don't ignore "!" on "binat on !foo". ok mcbride@


# 1.434 31-Dec-2003 deraadt

spacing. note this, cedric


# 1.433 31-Dec-2003 cedric

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now support multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@


# 1.432 30-Dec-2003 henning

fix TAILQ abuse.
TAILQ_REMOVE is a no-no within a TAILQ_FOREACH loop.
also free the symbol itself after removal.
all found while hacking bgpd which incorporates pfctl's sym code (macros).

ok cedric@


# 1.431 19-Dec-2003 henning

i wrote much of these, assert my copyright


# 1.430 19-Dec-2003 deraadt

assert copyright. i rewrite much of this


# 1.429 16-Dec-2003 mcbride

Check that max-src-states and max-src-nodes are not being set to 0.


# 1.428 15-Dec-2003 henning

KNF here too


# 1.427 15-Dec-2003 mcbride

Whitespace.


# 1.426 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contains regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


# 1.425 15-Dec-2003 mcbride

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@


# 1.424 29-Nov-2003 dhartmei

allow ':' (range including boundaries) to be used wherever '><' (range
excluding boundaries) is legal. already supported by kernel, requires only
removal of three error messages. ok henning@


# 1.423 22-Nov-2003 henning

daniel stumbled over a broken regress test, and it turned out that I forgot
to commit a diff from 11/6...
do not insert the "block in on ! interface" rule for antispoof statements when
the interface in question does not have any IP address, because that then
expands to
block in on ! interface all
which is obviously bad.
niklas@ found it, dhartmei@ ok, and I think some more ppl ok I don't remember


# 1.422 14-Nov-2003 henning

allow the debuglevel to be set from pf.conf (set debug)

ok cedric@


# 1.421 08-Nov-2003 mcbride

Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.

pass in proto tcp to self flags S/SA keep state (no-sync)

ok cedric@ henning@ dhartmei@


# 1.420 06-Nov-2003 henning

and fix two err() that should be errx() while being here


# 1.419 06-Nov-2003 henning

need calloc here


# 1.418 06-Nov-2003 henning

allow the label macros to be used in tags as well.
the idea is not mine and I'd love to give credit, but I cannot find the mail
any more :-((

ok canacar@ dhartmei@


# 1.417 21-Oct-2003 itojun

don't use NULL as (int)0. henning ok


# 1.416 26-Sep-2003 cedric

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:

- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK

Ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_4_BASE
# 1.415 01-Sep-2003 henning

KNF


# 1.414 28-Aug-2003 kjell

This change is busted. what's worse, REGRESSION TESTS WOULD HAVE CAUGHT IT!
You MUST test network stack changes on BOTH BYTE-ORDERS.
Someone can fix this later, but right now I need to get the damn
firewall up. Grr.


# 1.413 26-Aug-2003 dhartmei

catch port/user/group a <>/>< b with a >= b, from mpech@


# 1.412 25-Aug-2003 dhartmei

catch return-rst ttl values > 255, from aaron@


# 1.411 24-Aug-2003 cedric

Tweaks:
- Make sure we allow only tables in round-robin pools for routing options,
same as what we do for translation rules.
- Don't reject rules like: "nat on sis0 -> <foo>" because
"no address family is given". This is perfectly valid.
ok henning@


# 1.410 22-Aug-2003 david

pf spelling police
ok dhartmei@ jmc@


# 1.409 21-Aug-2003 frantzen

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001


# 1.408 20-Aug-2003 henning

braindeadness police: catch queues which specify itself as child... 'nuff said


# 1.407 20-Aug-2003 henning

err out nicer on errors in queue def


# 1.406 18-Aug-2003 dhartmei

catch max-mss values > 65535, report by Gregory Steuck


# 1.405 09-Aug-2003 cedric

This patch removes the restriction that tables cannot be used in routing or
redirection rules...

The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.

This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.

Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"

ok henning@ mcbride@


# 1.404 29-Jul-2003 deraadt

indent


# 1.403 19-Jul-2003 cedric

Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
instead of indirectly through struct pf_rule_addr.

Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.

Needless to say: KERNEL/USERLAND SYNC REQUIRED.

ok henning@ mcbride@


# 1.402 18-Jul-2003 cedric

Simplify handling of flags (-R, -N...). Remove PFCTL_FLAG_ALL.
ok dhartmei@


# 1.401 15-Jul-2003 cedric

Repair memory management in table parsing code.
I need vacations.
Found and verified by Pyun YongHyeon.
ok dhartmei@


# 1.400 14-Jul-2003 dhartmei

tpo


# 1.399 11-Jul-2003 cedric

Better parsing and -v support for tables:

- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and bring table definition consistent with other
parsed rules.

ok dhartmei@


# 1.398 10-Jul-2003 cedric

Fix merging of host lists.
ok dhartmei@ henning@


# 1.397 04-Jul-2003 henning

KNF after cedric (grmpf)


# 1.396 04-Jul-2003 henning

allow for a "pass" modifier on translation rules:
nat pass on $ext_if from $a to $b -> $ext_if
when the pass modifier is given, the filter ruleset is _not_ evaluated but
the packets matching this translation rule are passed unconditionally.

ok dhartmei@ cedric@ markus@


# 1.395 03-Jul-2003 cedric

Bye bye atexit(), bye bye globals...
The pfctl.c part will probably need some further improvements.
ok henning@


# 1.394 03-Jul-2003 cedric

This patch finally cleans up pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@


# 1.393 19-Jun-2003 deraadt

knf


# 1.392 18-Jun-2003 henning

change expand_label_addr() to use a switch (h->addr.type) instead of
if .. else if .. else, and handle PF_ADDR_NOROUTE as well.
inspired by a comment from cedric.


# 1.391 18-Jun-2003 henning

when expanding the $srcaddr/$dstaddr label macros and the address is actually
a table reference, don't print nonsense but the table name.
found by claudio jeker, fix by me, agreement by cedric


# 1.390 09-Jun-2003 mcbride

Attempt to resolve byte order confusion in nat code once and for all.

- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()

NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.


# 1.389 25-May-2003 henning

must not run check_netmask() before remove_invalid_hosts() - binat case had it
wrong for the redirection target.
reported by jared r r spiegel <jrrs@ice-nine.org>


# 1.388 19-May-2003 henning

reject invalid netmasks like 10.0.0.0/68, and fix up the netmask for
dynaddr rules after we know the address family

ok dhartmei@, inspired by a session with bob


# 1.387 19-May-2003 henning

all host() receivers have to test for NULL


# 1.386 19-May-2003 henning

if host() returns NULL, it is an error, so err the fuck out and don't
load bullshit


# 1.385 17-May-2003 henning

support inverse matching on tags like
block in ! tagged sometag

ok dhartmei@ pb@


# 1.384 16-May-2003 dhartmei

TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive end-
point, preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@


# 1.383 15-May-2003 henning

properly complain about too long tags


# 1.382 14-May-2003 frantzen

add scrub modifier "reassemble tcp" to turn on stateful TCP normalizations
ok henning@ dhartmei@


# 1.381 14-May-2003 henning

tagging on binat


# 1.380 14-May-2003 henning

enabled tagging on rdr rules


# 1.379 14-May-2003 henning

with tag/tagged given, only whine about missing keep state on pass rules


# 1.378 14-May-2003 frantzen

allow SCRUB rules to specify protocol again. broken sometime in the past.
okie dhartmei@, yay pb@


# 1.377 14-May-2003 henning

tags on nat rules:
nat on $ext_if all tag humppa -> $ext_if
pass out tagged humppa keep state


# 1.376 13-May-2003 henning

make sure tagging is only ever used with stateful filter rules


# 1.375 13-May-2003 henning

userland part for tagging.
it's now possible to tag packets with an arbitrary tag and filter based on
that tag later on other interfaces:
pass in quick on fxp0 keep state tag blah
pass out quick on wi0 keep state with tag blah
can be used to express trust between interfaces, to distinguish between
NATed connections and connection originating from the firewall itself
and much more

ok dhartmei@ frantzen@ pb@ mcbride@


# 1.374 11-May-2003 mcbride

Don't ntohs() the translation port for nat as it is already in host byte order.
Makes nat ... -> $ext_if port 500 rules work correctly again.

ok henning@ dhartmei@ frantzen@


# 1.373 10-May-2003 henning

support loading of anchors from within the main ruleset via
load anchor anchorname:rulesetname file /path/to/file

ok pb@ dhartmei@ cedric@


# 1.372 03-May-2003 henning

don't free() the char * carrying the rule label too early
noticed by Mathieu Sauve-Frankel <m.sauve at secureops.net> via silc


# 1.371 01-May-2003 henning

ease label handling

ok cedric@


# 1.370 01-May-2003 henning

allow label on antispoof; requested by Gregor Binder <gbinder at sysfive.com>

ok cedric@


# 1.369 30-Apr-2003 cedric

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@


# 1.368 25-Apr-2003 dhartmei

Properly copy the second part of nat proxy port range, when specified.
ok henning@


# 1.367 15-Apr-2003 henning

pass down the unparsed queue opts (struct node_queue_opt) to
print_altq/print_hfsc -> print_hfsc_opts and extract struct node_hfsc_sc
there for each service curve and pass those down to print_hfsc_sc. now
bandwidth specifications in the service curves are printed correct in the
case of a queue belonging to more than one interface/parent queue, the
parent queues having different bandwidths and the bandwith on teh service
curve beeing specified in percent.


# 1.366 14-Apr-2003 henning

let print_altq and print_queue take a struct node_queue_bw parameter instead
of distinct bw_percent


# 1.365 13-Apr-2003 henning

KNF


# 1.364 13-Apr-2003 henning

prevent double service curve specification


# 1.363 13-Apr-2003 henning

add support for the HFSC linkshare, realtime, and upperlimit service curves
to be specified.


# 1.362 13-Apr-2003 dhartmei

unbreak (missing })


# 1.361 13-Apr-2003 henning

say bye bye to hfscflags_list and hfscflags_item
welcome hfscopts_list and hfscopts_item, returning a full struct
node_hfsc_opt instead of just an int for the flags. needed because of all
the opts hfsc knows


# 1.360 13-Apr-2003 henning

new struct node_hfsc_opts for, surprise, hfsc options. needed because they
contain bandwidth specifications and we need to carry the unprocessed bw
specs around for quite some time until we can break them down to absolute
values.


# 1.359 13-Apr-2003 henning

pass down the struct node_queue_opts from the altqif/queuespec yacc targets
to expand_altq/expand_queue -> eval_pfaltq/eval_pfqueue and
further down to the new eval_queue_opts() instead of evaluating them directly
in the yacc grammar.
this will be needed to process the hfsc options which can contain relative
bandwidth specifications, and we can't break them down to an absolute one
earlier.


# 1.358 13-Apr-2003 henning

move the structs node_queue_bw and node_queue_opt to pfctl_parser.h.
let eval_pfqueue() and eval_pfaltq() take a pointer to a struct
node_queue_bw instead of two distinct bw_absolute and bw_percent parameters.


# 1.357 13-Apr-2003 henning

move the bandwidth keyword from within the bandwidth target up to the
queue_opts target so the bandwidth parser can be used for other things too;
will be needed for hfsc's linkshare etc


# 1.356 12-Apr-2003 henning

initial support for the HFSC scheduler.
whoever uses that for more than toying around is on drugs. it's far from done.


# 1.355 11-Apr-2003 henning

KNF


# 1.354 11-Apr-2003 henning

don't set r->qid and r->pqid in expand_rule any more, queue name -> queue ID
mapping is done in kernel land now


# 1.353 07-Apr-2003 dhartmei

Catch and refuse invalid icmp codes (> 255). ok pb@, mpech@.


# 1.352 05-Apr-2003 henning

ease netmask handling a bit

input theo, ok dhartmei@


# 1.351 05-Apr-2003 henning

allow queue specs to be limited to certain interfaces.

altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two }
queue one priority 1 priq(default)
queue two on $if0 priority 15
queue two on ! $if0 priority 0

ok dhartmei@


# 1.350 05-Apr-2003 henning

whitespace KNF


# 1.349 04-Apr-2003 henning

clean up:
instead of letting the lexer interpret '<' '>' '=' '>=' '<=' and return them
as PF_OP_LT, PF_OP_GT etc etc etc in PORTUNARY, just let the lexer return
'<' '>' and '=' literally, and in the few cases where the old PORTUNARY was
really used like originally intended, replace that by a new unaryop yacc
target. in all other cases that gets rid of quite some checks whether PORTUNARY
is really < and nothing else etc etc etc.

ok cedric@ deraadt@


# 1.348 27-Mar-2003 henning

lotsa const char *
from David Hill <david at phobia.ms> a while ago


# 1.347 27-Mar-2003 henning

introduce a "yesno" target. eases code a bit and yes is no keyword any more.


# 1.346 27-Mar-2003 henning

handle invalid priq/cbq flags better and give a nice error message


# 1.345 27-Mar-2003 henning

default, borrow, ecn, red and rio are no keywords any more. use STRING and
strcmp instead.


# 1.344 27-Mar-2003 henning

switch symset/symget to TAILQ instead of using hand baked lists

ok dhartmei@ cedric@


Revision tags: OPENBSD_3_3_BASE
# 1.343 19-Mar-2003 henning

branches: 1.343.2;
kill the address token and move the host() invocation up to the host token,
so that host() always gets the full address to be parsed including the
netmask instead of applying the netmask afterwards. this could break some
edge cases and was broken since the (interface)/24 fix.
new token dynaddr for, well, dynaddr, and apply an eventually given netmask
afterwards in the host token just in this case.

found after bug report From: Julien Bordet <zejames@greyhats.org> via dhartmei

ok daniel cedric


# 1.342 10-Mar-2003 henning

correctly cope with errors returned by eval_pfqueue and pfctl_add_altq

ok dhartmei@ pb@ (as part of... you know, monsterdiff)


# 1.341 10-Mar-2003 henning

when complaining about a queue without parent, include the queue name in
the error message

ok dhartmei@ pb@ (as part of a monsterdiff)


# 1.340 09-Mar-2003 henning

cope with LOOP_THROUGH modifying the list (queues).
in case of an error in the queue def in question the queues list remains
unmodified, but the LOOP_THROUGH caused a mod anyway, and the list can stay
empty. subsequent checks for NULL which check for an empty list fail then.
fix by adding an explicit check before looping.
fixes regress pfail31
error report by Kamil Andrusz via pb@, testcase from pb@
ok dhartmei@


# 1.339 09-Mar-2003 henning

cope with the fact that LOOP_THROUGH loops once even if the list is empty by
moving the addition of child queues a bit down after the successful
addition of the current queue and an explicit NULL check before looping.
fixes regress pf59
found by kjc@
ok kjc@ cedric@ dhartmei@


# 1.338 08-Mar-2003 henning

fix the obvious:
since we do not modify the struct pf_altq *a any more but our private copy,
we can of course not inherit the scheduler type from it, since it did not
inherit the scheduler type from the parent.
so just inherit the scheduler type from the parent directly...

ok dhartmei@ cedric@


# 1.337 08-Mar-2003 henning

in expand_queue, make a private copy of the struct pf_altq before modifying
it. modifying the original one had undesired side effects if a queue was
expanded to more than one because it belonged to more than one interface

ok pb@ cedric@ dhartmei@


# 1.336 06-Mar-2003 henning

fix queue assignment on filter rules which are not bound to an interface.
when looking up the queue IDs using qname_to_qid, we do not need to limit
the matching on the interface in question, as it is guaranteed that same
named queues on different interfaces have the same queue id. moreover, we
must not limit the matches to the interface if we do not have an interface
given on the filter rule to match on ;-)

found after problems reported by Andre Nathan <andre at v2r dot com dot br>

ok dhartmei@ pb@ cedric@


# 1.335 02-Mar-2003 henning

when printing queues at load time that have bandwidth specified in percent,
print the bandwidth in percent instead of the calculated absolute value.
if a queue belongs to more than one interface and they have different
bandwidth the calculated absolute is of course different per interface.
previously the first calculated absolute value was shown; what of course is
incorrect on the second interface. note that only the print was wrong, the
correct values were passed to the kernel.

ok theo daniel


# 1.334 02-Mar-2003 henning

remove the control keyword for cbq queues.
the control class was a legacy of the original CBQ design by LBL/Sun
to support RSVP.
the control class is not used in openbsd, in the sense that
we don't automatically set filters for ICMP/IGMP/RSVP for the control
class.

ok dhartmei@ kjc@ deraadt@


# 1.333 27-Feb-2003 david

modify error message to match the same 7 sections in pf.conf(5)
ok deraadt@ henning@


# 1.332 26-Feb-2003 henning

in expand_rule, correctly set r->pqid if a priority queue was defined, and
reuse the value of r->qid if not.

ok dhartmei@ mcbride@


# 1.331 25-Feb-2003 henning

some minor KNF my fingers just did...

ok dhartmei@ cedric@


# 1.330 25-Feb-2003 cedric

repair/simplify/flexify binat userland.
ok dhartmei@ henning@


# 1.329 24-Feb-2003 henning

when a macro is redefined, don't bother with reusing the existing entry in
symset() but just prepend a new sym entry to symhead like we always did. as
symget searches the list sequentially, the newest one is picked first.
prevents an endless loop introduced when trying to reuse the existing entry
by an invalid setting for the next pointer.
fixes regress test pf57.

found after conversation with Chris Linn, celinn at mtu dot edu

ok dhartmei@ cedric@


# 1.328 21-Feb-2003 henning

re-allow set loginterface none
ok cedric@ dhartmei@


# 1.327 21-Feb-2003 henning

better error message if set loginterface is called with nonexistent
interface, found by krause (who is doing EXCELLENT work. Thank you very
much!), fix by me, ok dhartmei@ and cedric@


# 1.326 20-Feb-2003 henning

reject nonexistent interfaces in the dynaddr case, noticed during discussion
with jasondixon at myrealbox dot com

ok dhartmei@


# 1.325 19-Feb-2003 dhartmei

Make 'from (kue0)/24' work again (dynamic interface name translation with
a /prefix), reported by Jason Dixon. ok henning@


# 1.324 19-Feb-2003 henning

better error message on icmp version / address family mismatch

ok markus@


# 1.323 18-Feb-2003 henning

fix load option handling (-A, -N, -R) for options.
due to a bug in the loadopt check options were always loaded no matter which
loadopts where specified.
while being there, move the prints for that to where they belong, into the
appropriate pfctl_set_* functions, and thus only print when the options are
actually loaded.
fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier.

ok dhartmei@


# 1.322 17-Feb-2003 henning

"optarg" was a bad pick for the variable name in pfctl_cmdline_symset, it
shadows a global. rename.


# 1.321 17-Feb-2003 mpech

-#include <sys/ioctl.h>

mcbride@, dhartmei@ ok


# 1.320 16-Feb-2003 henning

unneeded {}


# 1.319 16-Feb-2003 henning

throw a syntax error if the portunary operator in varset is not '='
extif>"whatever"
should not be the same as
extif="whatever"
but a syntax error.


# 1.318 14-Feb-2003 dhartmei

Allow route-to loopback interfaces again, since Ryan fixed the loops that
might have occurred before.


# 1.317 14-Feb-2003 cedric

Better and more consistent error message.
Ok dhartmei@


# 1.316 13-Feb-2003 henning

ease the yacc a bit by using a "not" rule instead of having two rules w/ and
without '!' everywhere

ok dhartmei@


# 1.315 12-Feb-2003 henning

KNF after ryan


# 1.314 12-Feb-2003 mcbride

Simplify the code and make the parser handle the different rule types
more consistently.

- Merge expand_nat and expand_rdr into expand_rule
- Merge rdrrule token into natrule

ok concept henning@
ok dhartmei@


# 1.313 11-Feb-2003 henning

allow macro definition on the command line:
pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea
theo), very handy if your notebook has another NIC at some conference, as
well as for debugging etc.
idea rezine@mistrusted.net via pb@
hacked live at FOSDEM

ok pb@ dhartmei@ cedric@


# 1.312 09-Feb-2003 henning

more live code from FOSDEM:
make
pass in proto tcp to port 80
work.
-allow to omit the "any" if you're specifying a port
-allow to omit the from or to part if you want "any" for the other

ok dhartmei@ pb@


# 1.311 09-Feb-2003 henning

KNF


# 1.310 09-Feb-2003 camield

Fix a few warnings and remove unnecessary check and cast.

ok dhartmei henning


# 1.309 08-Feb-2003 dhartmei

Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@


# 1.308 05-Feb-2003 cedric

Fix "pass out dup-to (tun0 1.1.1.1) inet6 all" error message
Allow "pass out dup-to tun0 all"
ok mcbride@ henning@


# 1.307 05-Feb-2003 mcbride

Set the network mask to all 1's if no address is specified for a
route-to/dup-to/reply-to rule. Keeps round-robin from incrementing through
the entire address space.

ok dhartmei@


# 1.306 03-Feb-2003 deraadt

pretty


# 1.305 03-Feb-2003 dhartmei

Don't allow loopback interfaces as route/reply/dup-to targets. ok henning@


# 1.304 03-Feb-2003 cedric

remove loadopt global definition and cleanup a bit.
ok henning@


# 1.303 03-Feb-2003 henning

fix a problem with queue definitions when load options (like -N etc) are
given; they used to check for their parent interface/queue even in this
case.

ok dhartmei@ cedric@


# 1.302 02-Feb-2003 henning

there is no need to pass opts to parse_rules explicitly; it's passed as
part of the struct pfctl.


# 1.301 27-Jan-2003 deraadt

KNF


# 1.300 25-Jan-2003 mcbride

Match changes for rdr port ranges made to pf.c:
- fixes behaviour of rdr on le0 from foo to bar port 1:20 -> (lo0) port 22
- makes calculated mapping more explicit for the -> (lo0) port 22:* case

testing from dhartmei@

ok dhartmei@


# 1.299 25-Jan-2003 cedric

Fix NOACTION with table statements.


# 1.298 25-Jan-2003 cedric

Permit initialisation of a table content from a file in pf.conf.
Cleaning up of the table options parsing, more flexible.
idea+cleanup deraadt@, ok dhartmei@, pass all regress tests.


# 1.297 25-Jan-2003 cedric

Correctly check illegal constructs with tables. Better error messages.
ok dhartmei@ pass all regress tests.


# 1.296 25-Jan-2003 henning

if a table name is too long, it's actually nice to tell so instead of just
aborting with a syntax error


# 1.295 20-Jan-2003 camield

Remove unused argument from print_name() and fix two other nits
found by lint.

ok henning


# 1.294 19-Jan-2003 camield

Spin off label string expansion into a separate function. Clarifies
and tightens all expand_label functions.

ok dhartmei henning


# 1.293 18-Jan-2003 henning

KNF after ryan...


# 1.292 18-Jan-2003 mcbride

Add missing token string and assignment to make static-port work for real.

Diff and report courtesy of mpech@ and form@

ok dhartmei@


# 1.291 17-Jan-2003 camield

bandwith -> bandwidth

YYERROR on failed parseicmpspec()

ok dhartmei mcbride henning


# 1.290 15-Jan-2003 mpech

Typo in yyerror().

henning@


# 1.289 14-Jan-2003 henning

unified IP parser:
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h]
-extend host() to handle /mask itself, plus minor adjustments
-use that in pfctl_table.c instead of coding the same shit again

discussed w/ cedric@
ok cedric@ dhartmei@


# 1.288 13-Jan-2003 camield

err() on all memory allocation failures

ok henning dhartmei


# 1.287 11-Jan-2003 mcbride

Whitespace KNF


# 1.286 09-Jan-2003 henning

no need for explicit numbering in enums

ok dhartmei@


# 1.285 09-Jan-2003 dhartmei

Check return values on the remaining strlcpy/strlcat. ok henning@


# 1.284 09-Jan-2003 henning

minor KNF


# 1.283 09-Jan-2003 cedric

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@


# 1.282 08-Jan-2003 deraadt

check more strlcpy; camield@


# 1.281 07-Jan-2003 dhartmei

Allow underscore at the beginning of strings, fixes
pass all user _spamd
which was refused as syntax error before. Reported by Joe Nall.
ok henning@


# 1.280 07-Jan-2003 dhartmei

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@


# 1.279 06-Jan-2003 mcbride

Fix some oversights with address pools for route-to/dup-to/reply-to
- copy key for src-hash
- copy pool type (pools were being set to round-robin in all cases)

+ some minor knf.

ok dhartmei@


# 1.278 05-Jan-2003 henning

err after calloc failure, not errx


# 1.277 05-Jan-2003 dhartmei

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@


# 1.276 04-Jan-2003 dhartmei

move noroute from flag in pf_rule_addr into type in pf_addr_wrap.
ok henning@, mcbride@


# 1.275 04-Jan-2003 deraadt

I do not know where this policy of "one .h file for every .c file" comes
from, but whoever thought of it is stupid.


# 1.274 03-Jan-2003 dhartmei

whitespace KNF (no, i don't touch the option inits)


# 1.273 03-Jan-2003 cedric

Bring in userland code for accessing PF radix tables.
ok dhartmei@ mcbride@


# 1.272 02-Jan-2003 mcbride

Require a direction to be specified for rules which do routing.

ok dhartmei@ henning@


# 1.271 30-Dec-2002 mcbride

Change ipv6-icmp-type to icmp6-type. pf.conf files will need to be adjusted
to reflect this.

ok dhartmei@ henning@


# 1.270 27-Dec-2002 mcbride

Since pf_norm.c looks at rule.log to see if it should log packets being
dropped due to scrub violations, this adds the ability to set this in
pf.conf.

ok henning@


# 1.269 21-Dec-2002 henning

always initialize rpool.key; diff from Frank Denis; KNF by me


# 1.268 21-Dec-2002 henning

KNF


# 1.267 20-Dec-2002 dhartmei

remove a redundant assignment.


# 1.266 19-Dec-2002 dhartmei

fix 'no rdr'.


# 1.265 18-Dec-2002 henning

more KNF


# 1.264 18-Dec-2002 dhartmei

proto list expansion is not supported in binat-anchor yet, print an error
when attempted.


# 1.263 18-Dec-2002 dhartmei

Support (single) destination port in rdr-anchor rules. Print an error
where parameters are not supported (in rdr-anchor and binat-anchor) yet.
If those are needed, we'll have to expand them properly.


# 1.262 18-Dec-2002 deraadt

fix some INCREDIBLE new bugs which were introduced


# 1.261 17-Dec-2002 henning

add support for the PRIQ scheduler

partially from kjc@

ok kjc@ dhartmei@


# 1.260 17-Dec-2002 mcbride

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule

ok dhartmei@ henning@


# 1.259 17-Dec-2002 henning

missing break in switch


# 1.258 17-Dec-2002 henning

beautify the %type block


# 1.257 17-Dec-2002 henning

PRIQ and HFSC support functions, not yet used.
mostly from kjc@ with adjustments by me.

ok theo ryan daniel


# 1.256 16-Dec-2002 henning

only create a root queue if scheduler = cbq


# 1.255 16-Dec-2002 henning

get full [scheduler]_opts struct instead of just .flags, and wrap in into a
switch (scheduler) statement in one case

inspired by kjc@


# 1.254 13-Dec-2002 henning

allow a second queue for higher prioritized (currently: tos=lowdelay) packets
to be specified per rule

queue (qname, priorized_qname)

idea dhartmei
ok dhartmei@ frantzen@ deraadt@


# 1.253 13-Dec-2002 henning

a bit KNF originally part of another diff soon to come; frantzen@ correctly
pointed out that it should be a separate commit.


# 1.252 13-Dec-2002 deraadt

permit re-ordering of some scrub parameters, and also clean up some other
grammar baloney; henning ok


# 1.251 12-Dec-2002 henning

KNF


# 1.250 12-Dec-2002 henning

we don't need to keep a private copy of the queue name in expand_rule,
r->qname is never modified

discussed with dhartmei@


# 1.249 11-Dec-2002 mcbride

Replace strncpy + ugly pointer math with sscanf for reading source-hash keys

ok dhartmei@ henning@


# 1.248 09-Dec-2002 dhartmei

(properly guarded) strcpy() -> strlcpy()


# 1.247 09-Dec-2002 deraadt

do not allow redefinitions in variable option blocks; henning ok


# 1.246 08-Dec-2002 henning

strncpy is evil.


# 1.245 08-Dec-2002 henning

allow flexible options order like Theo did for rules.

idea, lots of input, motivation and ok deraadt@

ATTENTION:
this changes the syntax. the "scheduler" keyword is gone now.
old: altq on $interface scheduler cbq ...
new: altq on $interface cbq ...


# 1.244 07-Dec-2002 dhartmei

Support parameters in anchor rules. Allows conditional evaluation, like:

anchor spews inet proto tcp from any to any port smtp

ok deraadt


# 1.243 07-Dec-2002 henning

more KNF


# 1.242 07-Dec-2002 henning

KNF


# 1.241 07-Dec-2002 henning

shadow cleanup

ok mcbride@ frantzen@


# 1.240 07-Dec-2002 henning

kill an unused param to lungetc


# 1.239 07-Dec-2002 mcbride

Convert the hash of a string key to network byte order. Makes regression
work on all platforms.

Bug found by dhartmei@

ok dhartmei@ henning@


# 1.238 06-Dec-2002 dhartmei

Remove negated address list check again, doesn't work right yet.


# 1.237 06-Dec-2002 dhartmei

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@


# 1.236 05-Dec-2002 henning

fix a small cosmetic problem. if ifa_lookup was called in LOOKUP_NET mode,
it would return things like 127.0.0.1/8. when 127.0.0.1/8 is passed through
the new selftests, it becomes 127.0.0.0/8.
fix: instead of just copying addr.mask in ifa_lookup, use set_ipmask, so it
is 127.0.0.0/8 from the beginning on.


# 1.235 05-Dec-2002 henning

-quote varset in -v output
-don't add 's' in set timeout -v output

makes the feedback regression tests succeed.

ok markus@ mcbride@


# 1.234 04-Dec-2002 henning

in host(), apply a given netmask to all members of the node_host list
returned by ifa_lookup().

reported by Alejandro G. Belluscio

ok dhartmei@


# 1.233 04-Dec-2002 deraadt

do not warn for unused variables except with -v -v; henning ok


# 1.232 02-Dec-2002 henning

KNF


# 1.231 02-Dec-2002 deraadt

permit more flexible pass/block lines. the options given at the end of
a line can now be placed in any order, and some merging of duplicate options
is also done. this is easier to use.


# 1.230 02-Dec-2002 henning

allow for "altq on $interface" without specifying a bandwidth. The
interface's bandwidth is taken then.
as a side-effect, "altq on $interface bandwidth xx%" is also possible now,
it's relative to the interface's bandwidth then.

ok theo


# 1.229 30-Nov-2002 mickey

move damn unmask() proto into place as well


# 1.228 29-Nov-2002 henning

coredumps are not nice.
deal with the fact that when we are merging the lists in host_list both can
be NULL.
found at EuroBSDCon 2002 while I was explaining the expansion process to
Paul de Weerd

ok dhartmei@


# 1.227 29-Nov-2002 henning

print queuespec only once in verbose mode, even if referenced more often


# 1.226 29-Nov-2002 henning

FREE_LIST nqueues later; can be used more than once


# 1.225 28-Nov-2002 henning

allow qlimit on altq spec


# 1.224 28-Nov-2002 mcbride

- Adjust to match replacement of md5 with pf_hash
- Allow keys to be specified in hex (must be 128 bits, mainly to make
pfctl -v output parsable by pfctl) or as a string. Randomly generate key
if one is not specified.

Suggestions and fixes from camield@

ok mickey@ camield@ henning@


# 1.223 27-Nov-2002 henning

handle the "no bandwidth specified" case earlier and easier.


# 1.222 27-Nov-2002 henning

-use a #define for default qlimit instead of hardcoding it
-print qlimit in print_queue if it is not the default one
-assign the default qlimit early in the parser instead of using 0


# 1.221 27-Nov-2002 henning

next round in print fixes:
-only print priority if it is not equal to the default one
-space handling overhaul


# 1.220 27-Nov-2002 henning

use a #define for default priority instead of hardcoding it


# 1.219 27-Nov-2002 henning

fix tbrsize spec


# 1.218 27-Nov-2002 henning

fix error message for altq ifspec without child queues


# 1.217 26-Nov-2002 henning

make bandwidth specification on queue truly optional


# 1.216 26-Nov-2002 henning

queue comes before NAT


# 1.215 25-Nov-2002 henning

repair decide_address_family
you cannot just take the first address family you meet as the rule's address
family... either all are equal, or the rule has no explicit AF.

found by danh@
ok theo


# 1.214 25-Nov-2002 mickey

for loN and link1 translate the iface into address properly; henning@ ok


# 1.213 25-Nov-2002 henning

1Kb = 1000b, not 1024; as discussed with kjc@ and theo


# 1.212 25-Nov-2002 henning

KNF


# 1.211 24-Nov-2002 pb

enforce that queue comes right before filtering
'options, normalization, translation, queue, filter' now

henning@ ok


# 1.210 24-Nov-2002 dhartmei

Cosmetics and removal of a redundant code block.


# 1.209 23-Nov-2002 deraadt

sigh


# 1.208 23-Nov-2002 henning

KNF


# 1.207 23-Nov-2002 henning

better error checking in expand_queue


# 1.206 23-Nov-2002 henning

easier


# 1.205 23-Nov-2002 mcbride

Daniel's diff to untangle my mess with ifa_pick_ips like so:

- add decide_address_family() which runs through the list to find hosts
with the af set
- replace ifa_pick_ips with remove_invalid_hosts() which removes hosts with
the wrong address family from the list

from/ok dhartmei@


# 1.204 23-Nov-2002 henning

better error checking, round 1
this time in expand_altq


# 1.203 23-Nov-2002 henning

KNF


# 1.202 23-Nov-2002 deraadt

KNF


# 1.201 23-Nov-2002 dhartmei

$$->ifname is NULL, leave it NULL, don't $$->ifname[0] = 0;


# 1.200 23-Nov-2002 mcbride

Fix brokenness in parse.y, clean up:
- remove requirement for ( ) in route-to ( if )
- calloc route_host
- initialise route_host->next
- globally convert malloc to calloc

ok dhartmei@


# 1.199 23-Nov-2002 mcbride

code to support loading of pf rules with multiple redirection addresses
(in nat, rdr, route-to, dup-to and reply-to)

Syntax looks like this, see pf.conf(5) for details:

nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
192.168.0.16/29 source-hash random

rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
{ 192.168.0.8/31, 192.168.0.15 } port 22 round-robin

ok dhartmei@ henning@


# 1.198 22-Nov-2002 henning

print altq and queue lines in the pfctl -v case including the child queue
assignment


# 1.197 19-Nov-2002 henning

only take cbq opts from schedtype if type=CBQ


# 1.196 19-Nov-2002 henning

repair queuespec syntax glitch, theo agrees


# 1.195 19-Nov-2002 henning

default priority is 1, not 0
found by pb@


# 1.194 19-Nov-2002 camield

- match 'Gb' case-sensitively
- match "%" unit only, not "%crap"

ok henning@


# 1.193 19-Nov-2002 wilfried

icmp-type was off by one, ok henning@


# 1.192 18-Nov-2002 deraadt

no; do not use };


# 1.191 18-Nov-2002 henning

more using strl* return values instead of strlen calls


# 1.190 18-Nov-2002 henning

easier "queue name too long" detection; from theo


# 1.189 18-Nov-2002 deraadt

KNF


# 1.188 18-Nov-2002 deraadt

KNF


# 1.187 18-Nov-2002 henning

altq and pf merged

this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documentation yet, but committing now
enables a few more people to work on.

print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.

"commit now" theo philipp daniel


# 1.186 13-Nov-2002 henning

as scrub rules end up in a struct pf_rule just call expand_rule instead of
handcrufting this.
has quite a few positive side effects:
-interface list expansion works (fries@ asked for that)
-can specify address family, very helpful with dynamic interface expansion
(pointed out by daniel)
-src/dst ip/port list expansion works
-fixes a long standing, scary, though never noticed bug:
scrub out on lo1 from any to 10.0.0.1
expanded to
scrub out on lo1 all
... this bug was there from day #1.

"sneaky diff of the month award" dhartmei@


# 1.185 13-Nov-2002 dhartmei

Add label macro $if, as we support {} list expansion for interfaces now.
From David Gwynne. ok henning@, camield@


# 1.184 13-Nov-2002 dhartmei

Initialize tail pointer to node, found by fries@


# 1.183 08-Nov-2002 henning

init buf to NULL just in case...
there isn't a single codepath where it can remain uninitialized, but this
might prevent a stupid bug if we change something later


# 1.182 07-Nov-2002 henning

move the ifa_exists block a bit up in host()
inspired by mpech@ pointing out a missing free(buf). so handle the
it-is-an-interface case where we don't need the buf before allocating memory.


# 1.181 04-Nov-2002 henning

welcome to CIDR world, pfctl!

use inet_net_pton to parse IP addresses.
stuff like
block in from 10/8 to any
works now.

some input camield@ and dhartmei@

ok dhartmei@, camield@, mcbride@


# 1.180 02-Nov-2002 dhartmei

%i -> %d, matches the style of existing code, from millert@


# 1.179 02-Nov-2002 dhartmei

printf int with %i, not %u. from pilot@monkey.org.


# 1.178 30-Oct-2002 henning

simplify


# 1.177 30-Oct-2002 henning

fix interface expansion. since the reversed list expansion code was
committed this was broken, only the first IP address was returned.

pointed out by danh@, who sent an excellent bug report.

ok dhartmei@


# 1.176 29-Oct-2002 henning

introduce
set require-order [yes|no]
default is yes.
when set to "no", it isn't required to have the rules in order (options,
scrub, nat, filter) any more, though of course NATing still happens before
filtering and so on, so one has to take care.

ok camield@ mcbride@ dhartmei@
idea discussed with a whole lotta more people and basically ok for everyone ;-)


# 1.175 27-Oct-2002 henning

remove the "flags X" syntax.
no one who wrote "flags S" meant that, but actually something like "flags
S/SA". with "flags S" changing its actual meaning as more flags got
supported, things got worse.

ok dhartmei@, pb@


# 1.174 22-Oct-2002 mpech

%ul -> %lu

dhartmei@ ok


# 1.173 22-Oct-2002 mcbride

More conversion of "int af" and "u_int8_t af" declarations and function
arguments to the more correct and descriptive "sa_family_t af"

ok dhartmei@ henning@


# 1.172 22-Oct-2002 camield

Rename ipmask to set_ipmask and add some functionality: the netmask
is applied immediately to the address.

This way, the parsed rules output shows exactly which bits of an
address are significant for a match and errors due to wrong netmasks
can be spotted more easily.

Example:
$ pfctl -nvf -
pass in on lo0 from 172.17.0.0/12 to any
@0 pass in on lo0 inet from 172.16.0.0/12 to any

idea refined by dhartmei@
ok frantzen@ henning@


# 1.171 17-Oct-2002 mcbride

These checks are also made in nat_consistent() and rdr_consistent().

ok dhartmei@ henning@


# 1.170 17-Oct-2002 camield

- accept all protocols that are specified by number if they are in
the valid range (also when they're not listed in /etc/protocols)
- explicitly disallow protocol number 0, because it has special meaning
to pf

ok dhartmei@ henning@


# 1.169 16-Oct-2002 mpech

Fix and improve binat mask comparison.

dhartmei@, henning@ ok


# 1.168 14-Oct-2002 henning

Allow one to specify a netblock in a binat rule:

binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27

Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.

from ryan

ok dhartmei@


# 1.167 11-Oct-2002 camield

When a macro cannot be expanded because it is not defined, say so. Also warn
about unused macros.

ok dhartmei@ henning@


# 1.166 11-Oct-2002 camield

In lgetc(), compress strings of whitespace to a single space. This makes
macros come out right in verbose mode and is less functional overhead.

Also err on whitespace after a backslash. That type of error is hard to
find otherwise.

ok dhartmei@ henning@


# 1.165 08-Oct-2002 vincent

remove <0 checks on unsigned numbers.

ok henning@


# 1.164 07-Oct-2002 dhartmei

-Wsign-compare clean


# 1.163 07-Oct-2002 dhartmei

Two cases of const-correctness and make one global local.


# 1.162 07-Oct-2002 henning

set block-policy [drop|return]
drop is default, same behaviour as before

support
block drop
to override a return policy


# 1.161 07-Oct-2002 henning

support a generic return
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else

ok dhartmei@


# 1.160 07-Oct-2002 henning

make return-icmp work for rules covering both v4 and v6
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)

ok and some input dhartmei@


# 1.159 07-Oct-2002 henning

use a new rule_flag PFRULE_RETURNICMP to decide whether to return-icmp or not
instead of just testing return_icmp > 0

ok dhartmei@


# 1.158 07-Oct-2002 dhartmei

Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.


# 1.157 06-Oct-2002 dhartmei

Move CHECK_ROOT into LOOP_THROUGH, gets rid of one macro and saves
several lines, no functional difference. From Camiel Dobbelaar.


# 1.156 05-Oct-2002 dhartmei

Expand {} lists from left to right, so 'pass in from { a, b } to any'
becomes '@0 pass in from a to any @1 pass in from b to any' instead of
the other way around. Patch from Camiel Dobbelaar.


# 1.155 05-Oct-2002 dhartmei

Allow filtering based on IP header's tos field.


Revision tags: OPENBSD_3_2_BASE
# 1.154 22-Sep-2002 henning

little KNF: return(something) -> return (something)


# 1.153 22-Sep-2002 henning

fix linenumber counting in findeol, and simplify by ignoring the \ case,
that's already handled earlier.
fast-forward on erroneous lines

partially from camield@, parts result of a discussion with Mike

ok frantzen@ dhartmei@


# 1.152 22-Sep-2002 henning

antispoof, take 2.
also block incoming packets with our own IP as src.

discussion & help frantzen

ok ho@ dhartmei@ frantzen@


# 1.151 17-Sep-2002 henning

easier "self" implementation.
no functional changes

ok pb@


# 1.150 15-Sep-2002 henning

set a netmask in the dynaddr case
noticed by <han@mijncomputer.nl>

ok pb@


# 1.149 14-Sep-2002 henning

bit more clue in rdr/nat rules wrt address family examination
don't take the af from host_node structs based on interface lookups, most
interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will
at least have one IP address specified from which we take the af for the
whole rule. The rare exceptional cases require the user to specify the af.

ok frantzen@


# 1.148 12-Sep-2002 henning

check for calloc() failure; ho@


# 1.147 12-Sep-2002 henning

antispoof [log] [quick] for [interface|interface_list] [af]

e. g.

antispoof log quick for { dc0, dc1 } inet

docs & regress coming

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@
IPv6 help itojun@

finally, a long story finds its happy end here.


# 1.146 12-Sep-2002 henning

rework netmask handling:
-don't set netmask in host token handler
-clear netmask in ipmask() proper before setting it
-in ifa_load(), also store interface's netmask and broadcast address
-allow ifa_lookup() to return either the interface's IP address(es), network(s)
or broadcast address(es) - not used anywhere yet. This implies that
ifa_lookup() also returns the netmask now.
-host() returns netmasks, too

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@


# 1.145 08-Sep-2002 henning

be more clueful wrt address family in nat/rdr rules.
behaviour noticed by Paul de Weerd, thanks!

ok dhartmei@


# 1.144 02-Sep-2002 dhartmei

Fix parsing of port ranges in translation rules (port a:b -> port c:d).
ok henning@


# 1.143 02-Sep-2002 dhartmei

Make sure the interface specified with route-to/dup-to/fastroute exists
and null-terminate the interface name. Found by Michael Wallis.
ok henning@


# 1.142 20-Aug-2002 dhartmei

Increase lineno on newlines inside multi-line macro definitions, otherwise
errors on subsequent lines are reported with wrong line numbers.
From Paul B. Henson.


# 1.141 16-Aug-2002 henning

kill duplicated check for '(' and ')' in allowed_in_string


# 1.140 12-Aug-2002 dhartmei

Catch null pointer deref (segfault), from wilfried@


# 1.139 06-Aug-2002 henning

missing free(), mpech@
ok pb@


# 1.138 06-Aug-2002 henning

check for strdup() allocation errors

pointed out by mpech@
ok pb@


# 1.137 31-Jul-2002 henning

KNF, esp. missing prototypes


# 1.136 30-Jul-2002 henning

grmpf.
in some cases, on non-tcp rules flags weren't reset. cosmetic-only
problem. but, well, checking for r->flags and r->flagset if we could have
assigned them zero just one round ago is just stupid, and it's not needed to
check them at all.

ok pb@, dhartmei@


# 1.135 30-Jul-2002 henning

allow to specify flags on all rules that include tcp.

these are valid:

pass in from any to any flags S
pass in proto { tcp, udp, icmp } from any to any flags S
pass in proto tcp from any to any flags S

these are invalid:

pass in proto { udp, icmp } from any to any flags S
pass in proto udp from any to any flags S

ok "I've lost my slacker status for at least a week" frantzen@
ok pb@, dhartmei@, deraadt@


# 1.134 26-Jul-2002 henning

make the order of log and quick irrelevant. now both
block in log quick all
and
block in quick log all
work.

ok dhartmei@, deraadt@


# 1.133 23-Jul-2002 henning

timeout_list/_spec and limit_list/_spec don't return anything -> no %type.

ok theo


# 1.132 21-Jul-2002 deraadt

fix route-to also


# 1.131 21-Jul-2002 deraadt

make the , optional in many places. This makes string concat a lot more
useful. Now you can
in = ssh domain www
out = $in ftp finger
pass in proto tcp from any to any port { $in }
pass out proto tcp from any to any port { $out }
a poor example, but the idea is obvious


# 1.130 21-Jul-2002 deraadt

string concat, ie.
a=a b
c=$a $a


# 1.129 20-Jul-2002 deraadt

minor indent tweaks


# 1.128 20-Jul-2002 deraadt

properly split yacc and lex use


# 1.127 19-Jul-2002 deraadt

minor tweaks, sigh


# 1.126 19-Jul-2002 dhartmei

And back out the last change again.


# 1.125 19-Jul-2002 henning

rework the interface lookup routines internals.
less and easier code than before.
no functional changes.

ok frantzen@, dhartmei@


# 1.124 19-Jul-2002 dhartmei

Support # comments at the end of lines and inside (multi-line) string
literals, so you can do things like

macro="{ foo, # first entry
bar, # second entry
baz }" # last entry

or

pass in on $ext_if \ # external interface
proto tcp \ # TCP connections
from any to $ext_if \ # to the gateway itself
keep state

And sneaking in two minor fixes for KNF.


# 1.123 19-Jul-2002 henning

deal with the fact that the struct node_host ifa_pick_ip gets is not always
the result of an interface expansion. in this case ifa_pick_ip does an
address family check (that's actually a (wanted) side effect). Thus, we need
to spit out a meaningful error message in case of a mismatch.
also adjust all the other error messages, they were also assuming that nh is
the result of an interface expansion.
after a looooong discussion on icb (dhartmei@, pb@, me) we agreed on the term
"translation address" for that.

okay dhartmei@


# 1.122 17-Jul-2002 henning

support "self" as address. self expands to all IPv4 and IPv6 addresses of
the machine, on all interfaces. I wanted
block in log on ! lo0 from any to self
for years, and now it's possible.

ok "I may lose my slacking status if I OK it" frantzen@
ok dhartmei@

documentation in pf.conf.5 to come with pb@'s rewrite


# 1.121 16-Jul-2002 dhartmei

Add nat_consistent() and rdr_consistent() for checks that should occur
after rule expansion, similar to rule_consistent(). Fixes the
non-effective test for rdr rules for non-TCP/UDP protocols with ports,
found by mpech@, ok frantzen@


# 1.120 15-Jul-2002 henning

add support for
pass|block on ! $interface ...

ok dhartmei@

will be documented in pf.conf(5) by "I'm not slacking!" pb@ who's currently
reworking this manpage


# 1.119 15-Jul-2002 pb

cosmetics/consolidations to manpage in yyerror()s

ok henning@, dhartmei@


# 1.118 15-Jul-2002 henning

o complain about keep state on block rules
o complain about return-rst on rules which aren't limited to tcp

pointed out by not-slacking-but-testing pb@

ok pb@, dhartmei@


# 1.117 13-Jul-2002 henning

add list expansion for interface and proto in nat rules and for proto in rdr
rules (interface was already there). since the nat.conf/pf.conf merge the
parser accepted these but didn't expand them. ugh.

ok dhartmei@


# 1.116 09-Jul-2002 itojun

check sin6_scope_id field, just in case we change the routing socket API
for scoped address (unlikely due to the deployed codebase...).


# 1.115 09-Jul-2002 itojun

getifaddrs(3) grabs link-local addrs in kernel internal form, convert them
into proper sockaddr_in6.


# 1.114 09-Jul-2002 henning

rework the interface-to-IP routines.

you can use interface names instead of an IP in most places. However, until
now, it was only expanded to the interface's first IPv4 address if existent
(and address family unset or inet) and the first IPv6 address otherwise.

this diff changes that. the interface is properly expanded to all IPs, IPv4
_and_ IPv6, now.

it also cleans up the lookup procedures (well, in fact, they are replaced by
a new one), there's no need for different procedures for IPv4 and IPv6. we
now just have one list of interfaces (AF_LINK) and one list with IPs
(AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and
ifa_lookup.

nat, rdr & friends now use the new function ifa_pick_ip to get the IP in
rules like

nat on $interface from $whatever to any -> $interface

ifa_pick_ip tries to be smart.
if the interface has only one IP address and the nat rule doesn't specify an
address family (or it matches with this address), take this one.
If the address family is specified in the nat rule and there is only one IP
for the given address family, this one is used. if the address family is not
specified and there is more than one IP pfctl throws an error. The same
applies for multiple IPs per address family.

This causes regression tests 18 and 20 to fail because the address family
isn't specified there; diff for those coming.

also fix some prototypes while I'm here.

pb@ found another problem while testing that we must have introduced somewhat
after 3.1.

$cat t
nat on ne3 from any to any -> 213.128.133.5
$pfctl -nvf t
nat on ne3 all -> ?

it's only a representation bug as far as I've checked, nonetheless it should
be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just
steal its target's IP af and set the rule's af accordingly. then inet_ntop
does play nice.
binat rules already enforce having an address family set always and thus are
not affected.

ok dhartmei@, pb@, kjell@
"It looks good" frantzen@


# 1.113 08-Jul-2002 dhartmei

Don't allow 'flags' option in non-TCP rules, found by mpech@


# 1.112 05-Jul-2002 henning

unbreak.


# 1.111 05-Jul-2002 henning

another small bug I found while installing a -current pf firewall.
we don't support

pass/block in on ! <interface>

(at least, not yet)
let the parser complain instead of ignoring the '!'

ok pb@, dhartmei@


# 1.110 01-Jul-2002 espie

streamline parse buffer handling (no need to copy value that is not
going to go away).

add explicit pushback buffer, to be able to push IPv6 failed parses back.

handle pushback + parse buffer interactions by using negative indices.

okay dhartmei@, deraadt@


# 1.109 01-Jul-2002 deraadt

KNF


# 1.108 28-Jun-2002 dhartmei

Don't check for address family conflicts in nat/rdr before expansion,
rules will expand to all valid combinations, and there's an error when
none is found. Makes "nat on tun0 from 10.0.0.0/8 to any -> (tun0)"
work (again).


# 1.107 25-Jun-2002 henning

move pfctl options -t, -m, -O and -l to pf.conf. These are set using the
"set" keyword. example rulefile:

set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all

fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@


# 1.106 24-Jun-2002 dhartmei

Use interface when specified in scrub rule. No support for ! or {} yet.


# 1.105 23-Jun-2002 deraadt

uid_t and gid_t are unsigned


# 1.104 20-Jun-2002 dhartmei

Copy address family from inet/inet6 keyword, if specified.


# 1.103 18-Jun-2002 frantzen

propagate a '!' when a host resolves to multiple IP addresses
ok dhartmei@


# 1.102 18-Jun-2002 frantzen

don't allow individual keep state rules to specify timeouts for 'interval' and
'frag' -- they aren't applied anyway
ok dhartmei@ and henning@


# 1.101 16-Jun-2002 aaron

Rules must in order -> Rules must be in order


# 1.100 15-Jun-2002 dhartmei

Reset rulestate in parse_rules(), so consecutive calls (like from authpf)
will not fail. Reported by Chris Kuethe.


# 1.99 13-Jun-2002 kjell

Fix the numbering of scrub rules. pointed out and oked by frantzen@


# 1.98 12-Jun-2002 kjell

Fix uninitialized access. Spotted by danh@ This is a good reason to
develop with "ln -s 'J' /etc/malloc.conf" enabled.
ok henning@


# 1.97 11-Jun-2002 frantzen

split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@. the rest are slacking


# 1.96 11-Jun-2002 frantzen

SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@


# 1.95 11-Jun-2002 dhartmei

Make NAT proxy port range configurable per rule, for instance privileged
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@


# 1.94 10-Jun-2002 kjell

Merge the NAT and rules files into a single rulefile. Rules must be
in this order, to remove any ambiguity about what order things happen in:

scrub rules
nat rules
filter rules

The -N and -R modifiers go away. Rulefiles are now loaded with the
more POSIXly-correct '-f'

ok frantzen@


# 1.93 10-Jun-2002 dhartmei

Allow ports to be specified in nat rules, useful later on for individual
proxy port ranges.


# 1.92 10-Jun-2002 dhartmei

Move enum out of struct (gcc 3.1 wasn't happy), from David Krause


# 1.91 10-Jun-2002 kjell

split scrub rule processing into its own yacc target,
for imminent config file merge. ok frantzen@


# 1.90 09-Jun-2002 dhartmei

Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it
includes ports and operator.


# 1.89 09-Jun-2002 deraadt

spaced out developers...


# 1.88 09-Jun-2002 kjell

Add list parsing in RDR rules: e.g.

rdr on $IFLIST proto tcp from $SRC_LIST to $DST_LIST port 21 \
-> 127.0.0.1 port 8021

ok dhartmei@


# 1.87 08-Jun-2002 henning

nuke unused parameter af to expand_label_port
ok dhartmei@, pb@


# 1.86 08-Jun-2002 dhartmei

Change remaining read-only lookup tables to const, suggestion drahn@


# 1.85 08-Jun-2002 itojun

comment on IPv6 link-local twists


# 1.84 08-Jun-2002 kjell

add list expansion to src/dest in NAT rules. i.e.

nat on fxp0 from { 10.0.0.0/24, 10.0.1.0/24 } to \
{ 172.6.1.1, 172.14.1.2/32 } -> fxp0

ok theo, dhartmei@


# 1.83 08-Jun-2002 henning

remove macro concatenation via += per Theo's advice


# 1.82 08-Jun-2002 henning

allow macro concatenation like
webservers = "{ 10.0.0.1, 10.0.0.7, 10.0.0.8, "
webservers += " 10.0.0.17, 10.0.0.25, 10.0.0.37 }"
ok frantzen@, dhartmei@


# 1.81 08-Jun-2002 dhartmei

Make state timeouts configurable per rule, like

pass in from any to any port www keep state (tcp.established 60)

ok frantzen@


# 1.80 08-Jun-2002 henning

expand $nr -> rule number in rule labels
okay dhartmei@, frantzen@


# 1.79 08-Jun-2002 henning

expand $proto in rule labels
okay frantzen@ dhartmei@


# 1.78 07-Jun-2002 dhartmei

Handle realloc() failure gracefully. Terminates with err() anyway in this
case, but we don't want to trigger "p = realloc(p," grepping causing false
alarms here.


# 1.77 07-Jun-2002 deraadt

henning, read this to see what i mean by KNF


# 1.76 07-Jun-2002 pb

add the possibility to configure a TTL while return-rst

ok dhartmei@, ipv6 part itojun@ ok


# 1.75 07-Jun-2002 dhartmei

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@


# 1.74 07-Jun-2002 henning

allow using $srcaddr, $srcport, $dstaddr and $dstport in rule labels,
evaluated at parse time.
ok dhartmei@


# 1.73 07-Jun-2002 itojun

make IPv6 scope identification work for dst (from any to fe80::1%lo0)


# 1.72 07-Jun-2002 itojun

support scoped IPv6 address in from/to portion.


# 1.71 01-Jun-2002 hugh

ECN flag support for pf. Committed in consultation with Daniel.


# 1.70 24-May-2002 dhartmei

Support mixed (IPv4/v6) address lists, expand to all possible and valid
combinations. 'pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }' will
expand to two rules, 'from 10.1.2.3 to 10.4.5.6' and 'from ::1 to ::2'.
Also applies to host name resolution (when multiple addresses are returned
for one name). ok frantzen@, itojun@


# 1.69 23-May-2002 deraadt

tiny KNF, some malloc checks, etc


# 1.68 23-May-2002 itojun

new_addr is not used from anywhere. daniel@benzedrine.cx ok


# 1.67 19-May-2002 deraadt

KNF


# 1.66 12-May-2002 dhartmei

Explain that user/group 'unknown' can only be used with operators = and !=
and refuse other constructs in the parser. Also note that 'user >= 0' does
not match forwarded packets with unknown user ID.


# 1.65 12-May-2002 dhartmei

Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.


# 1.64 10-May-2002 dhartmei

Handle host name resolution returning multiple addresses in the rule
parser (expand to every address). ok frantzen@


# 1.63 09-May-2002 jasoni

Add a max-mss option to the scrub rule which will enforce a maximum mss
by lowering it to the given value.
- ok dhartmei@, provos@


# 1.62 09-May-2002 dhartmei

Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.


# 1.61 24-Apr-2002 dhartmei

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).


# 1.60 23-Apr-2002 dhartmei

Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.


# 1.59 18-Apr-2002 deraadt

use strlcpy


# 1.58 17-Apr-2002 dhartmei

Reset lineno for each file, so pfctl -R ... -N ... reports the right
line number for non-first files. Reported by aaron@


Revision tags: OPENBSD_3_1_BASE
# 1.57 27-Mar-2002 mickey

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok


# 1.56 27-Feb-2002 dhartmei

Instead of printing useless @0 rule numbers from pfctl -vR, increase a
counter. Helps debugging rule sets that are not loaded. Suggested by
John Kerbawy.


# 1.55 11-Jan-2002 mickey

use bsearch() for keywords lookup, swap couple of entries to make the keywords array sorted and add a comment to keep it that way; dhartmei@ ok


# 1.54 10-Jan-2002 hugh

Let port 0 be specified as it's not special here.
Agreement with Daniel and others.


# 1.53 09-Jan-2002 mpech

Port must be >0 and <=65535. Idea while having fun with ssh.

dhartmei@ ok


# 1.52 09-Jan-2002 mpech

free() 'interface' in {nat,binat,rdr}rule

dhartmei@ ok


# 1.51 09-Jan-2002 dhartmei

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.


# 1.50 08-Jan-2002 dhartmei

Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.


# 1.49 07-Jan-2002 mpech

remove 3rd argument from ipmask(), not used.

dhartmei@ ok


# 1.48 23-Dec-2001 deraadt

find correct line number in lval, instead of val


# 1.47 10-Dec-2001 dhartmei

Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.


# 1.46 05-Dec-2001 dhartmei

Correctly parse hex numbers. Spotted by Claudio Jeker. Closes PR 2234.


# 1.45 03-Dec-2001 dhartmei

For nat, binat and rdr rules, don't allow different address families in
one rule. pf can't translate IPv4 <-> IPv6 packets. Such rules didn't work,
even if they were falsely accepted before.


# 1.44 26-Nov-2001 jasoni

add fastroute options similar to what is found in ipf
ok dhartmei@, frantzen@


# 1.43 05-Nov-2001 deraadt

no one responds.
this diff makes } and { not be part of symbols


# 1.42 24-Oct-2001 dhartmei

Check interface names using ifa0_lookup() and print error message for
non-existent interfaces (instead of the generic ioctl error returned by
the kernel in this case).


Revision tags: OPENBSD_3_0_BASE
# 1.41 15-Oct-2001 dhartmei

branches: 1.41.2;
Add 'allow-opts' to rules. Packets with IP options will be blocked by
default now, and can be allowed per rule. ok deraadt@


# 1.40 11-Oct-2001 frantzen

Don't htonl() past buffer bounds if ipmask == 128


# 1.39 07-Oct-2001 dhartmei

Add interface name to address translation to pfctl, document it and add
a regress test. Translation is done on rule set load-time only, so the
rule sets must be reloaded when an interface address changes.
parse.y patch from Cedric Berger. Similar patch from Jonathon Fletcher.
Thanks to both.


# 1.38 01-Oct-2001 markus

print variable assignments only if -v is given. ok dhartmei/deraadt


# 1.37 28-Sep-2001 dhartmei

Support underscores in macro names and document it in the man page.


# 1.36 20-Sep-2001 dhartmei

Fix uninitialized structure fields. Problem reported by Cedric Berger.


# 1.35 15-Sep-2001 wilfried

Implement return-icmp(number), return-icmp6(number)
Differentiate between return-icmp and return-icmp6,
icmp-type and ipv6-icmp-type. ok dhartmei@


# 1.34 15-Sep-2001 dhartmei

Fix 'binat ... to any ...' (binat.af wasn't set).


# 1.33 15-Sep-2001 dhartmei

Parse bug, found by wilfried@


# 1.32 15-Sep-2001 frantzen

IPv6 support from Ryan McBride (mcbride@countersiege.com)


# 1.31 12-Sep-2001 markus

check calloc() return value


# 1.30 06-Sep-2001 jasoni

- you can only binat between hosts
- add binat example and description


# 1.29 06-Sep-2001 jasoni

1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@


# 1.28 04-Sep-2001 dhartmei

Support parameter lists {} for interfaces in filter rules, like
pass in on { gm0, kue0 } from any to any


# 1.27 28-Aug-2001 markus

move '!' from host_list to host: "xhost : '!' host | host;"; ok dhartmei@


# 1.26 28-Aug-2001 markus

check for malloc/strdup == NULL


# 1.25 28-Aug-2001 dhartmei

Support ! operator in host parameter lists. Fixes PR system/2030. Reported
by Kamil Andrusz <wizz@mniam.net>.


# 1.24 26-Aug-2001 deraadt

sort keywords


# 1.23 25-Aug-2001 frantzen

PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation.


# 1.22 23-Aug-2001 millert

o for a port_item, initialize the "next" pointer to NULL
o for an address, use calloc() instead of malloc() so the struct is zeroed
Fixes a SEGV in pfctl due to uninitialized "next" pointers.


# 1.21 23-Aug-2001 deraadt

Support var="string". Expansion (at lex time) done using $var, for instance:
okproto="{ssh, smtp, domain, auth}"
pass in on key0 proto tcp from any to any port $okproto keep state
Can I ask someone else to document this in pf.conf(5)?


# 1.20 19-Aug-2001 dhartmei

Add parameter list support to parser. Handles lists for protocol, hosts
and ports in filter rules, like

block in from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
pass in proto tcp from any to any port { ssh, 1024 >< 2000, > 65000 }
block in proto { udp, igmp }

and does rule expansion (generate all needed rule combinations).


# 1.19 16-Aug-2001 deraadt

track the line number per-token, so that we can report errors correctly


# 1.18 14-Aug-2001 mickey

optimize the flags parsing; markus@ ok


# 1.17 11-Aug-2001 deraadt

\+\n support, and spit out cc-style error messages. the parser's line
counting is lex dependent, and will need to be tweaked


# 1.16 31-Jul-2001 wilfried

allow to test that flags are unset, ok dhartmei@, mickey@


# 1.15 19-Jul-2001 krw

Fix/complete the handling of the binary ops >< and <> to behave
like the ipf operators.

The 'n >< m' construct (Include Range = PF_OP_IRG) should match
ports greater than n and less than m, not greater than or equal to
n and less than or equal to m.

The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match
all ports less than n OR greater than m, not be treated as an
alias for ><.

Thus PF_OP_GL, which was used for both <> and >< is replaced with
PF_OP_IRG and PF_OP_XRG with the 'correct' semantics.

OK dhartmei@


# 1.14 18-Jul-2001 markus

new ERROR token, errx() -> warnx() + ERROR; ok deraadt@


# 1.13 18-Jul-2001 markus

KNF for return


# 1.12 18-Jul-2001 mickey

check number range to fit in 32 bits


# 1.11 18-Jul-2001 mickey

put range checks on NUMBER, pointed out by deraadt


# 1.10 17-Jul-2001 mickey

spaces, parens, err instead of errx+strerror


# 1.9 17-Jul-2001 markus

warnx()/YYERROR instead of errx(); suggested by mickey@


# 1.8 17-Jul-2001 provos

markus doesn't like min-ttl =, begone


# 1.7 17-Jul-2001 provos

support min-ttl, okay dhartmei@


# 1.6 17-Jul-2001 provos

normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@


# 1.5 17-Jul-2001 marc

bitch about ! in pf rule; ok dhartmei@ and markus@


# 1.4 17-Jul-2001 millert

Only set default proto in the rdr case; markus@ OK


# 1.3 16-Jul-2001 markus

errx() if getservbyname() fails


# 1.2 16-Jul-2001 markus

better flags parsing; dhartmei


# 1.1 16-Jul-2001 markus

add a yacc parser for pf.conf and nat.conf, with help from mickey@,
plus: -n now turns off all operations, and just parses the conf files
ok deraadt@


# 1.703 17-Sep-2020 yasuoka

Fix the previous commit whose conditions were reversed.

ok kn


# 1.702 17-Sep-2020 yasuoka

Make pfctl(8) check if the rtable really exists when parsing the
config. work with and diff from kn

ok kn


Revision tags: OPENBSD_6_7_BASE
# 1.701 28-Jan-2020 bket

sbin/pfctl: replace TAILQ concatenation loop with TAILQ_CONCAT

OK kn@, sashan@, florian@


# 1.700 15-Jan-2020 kn

Do the actual pfr_strerror() to pf_strerror() rename

Missed in previous


# 1.699 17-Oct-2019 millert

Use -1 to indicate an invalid uid/gid, not UID_MAX and GID_MAX.
This is the userland portion. OK deraadt@ sashan@


Revision tags: OPENBSD_6_6_BASE
# 1.698 26-Aug-2019 tobhe

Fix file descriptor leak due to popfile() never closing the main config file.

The fix is the same as for other parse.y files in the tree (see bgpd(8) or
unwind(8))

ok bluhm@


# 1.697 05-Jul-2019 patrick

Fix integer sizes in format strings and enable formatting warnings
for yyerror.

From Moritz Buhl
ok bluhm@ claudio@


# 1.696 08-May-2019 sashan

pfctl should check pfctl.astack is not overrun
(bug found and fixed by Petr Hoffmann _at_ oracle.com)

OK kn@


# 1.695 18-Apr-2019 kn

Fix table definition parsing as unprivileged user

revision 1.689 introduced warn_duplicate_tables() unconditionally, breaking
the parser on tables with insufficient permissions to open pf(4):

$ echo 'table <t>' | pfctl -nf-
pfctl: pfr_get_tables: Bad file descriptor

So simply check whether pfctl is able to get the table list first. If not,
instead of silently avoiding namespace collision checks, print a brief
notice iff `-v' is given to help finding duplicate definitions by hand:

$ echo 'table <t>' | ./obj/pfctl -vnf-
table <t>
stdin:1: skipping duplicate table checks for <t>

Reported by Rivo Nurges, thanks!
OK benno sashan


Revision tags: OPENBSD_6_5_BASE
# 1.694 06-Mar-2019 kn

Fix once rules

parse.y revision 1.682 from 16.07.2018 erroneously allowed `match once' and
`anchor "a" once'.

Fix both by checking for PF_DROP not PF_MATCH and creating anchors in the
parser already such that they can be used to distinguish anchor rules in
the same check as well.

Found and fixed by Petr Hoffmann <petr.hoffmann at oracle dot com>, thanks!

While here, remove an unneeded cast and make pfctl_add_rule() void as it
always returned 0.

OK sashan


# 1.693 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.692 10-Feb-2019 kn

Anchor names must not be empty

The parser would allow bogus input and sometimes even produce invalid rules
on empty anchor names, so error out immediately.

OK sashan


# 1.691 10-Feb-2019 kn

Unify anchor name sanity checks

For anchor names, make `load anchor' use the same grammar as `anchor' and
merge unique checks from both places so that anchor names are validated
regardless of the specific rule at hand.

OK sashan


# 1.690 31-Jan-2019 kn

Make divert-packet port accept any port specification

Contrary to other rules accepting a single port, this one only works with
numerical values. Fix it by simply using the proper grammar.

Port ranges are not accepted, but an error message on a range without start
was missing in general, so add it while here.

OK bluhm


# 1.689 11-Jan-2019 kn

When creating tables inside anchors, pfctl warned about namespace
collisions with global tables, but only in certain cases and with
limited information sometimes leaving users clueless.

Deferring the check to process_tabledefs() where tables are eventually
created, both anchor and table name are known which allows for checking
all existing anchors.

With this, warn on all duplicates even in dry-runs (`-n') and print
quoted names so they can be copied to fix configurations right away.

No functional change in parsing or ruleset production.

Discussed with and OK sashan


# 1.688 15-Nov-2018 dlg

scrub opts don't set tos, so remove it from the scrub_opts struct

ok deraadt@


# 1.687 10-Nov-2018 kn

Unbreak `-D macro=value' (r1.686 regression)

Zap trailing semicolon introduced with miko's cmdline_symset() leading to
unconditional err(3). Zap trailing tab while here.


# 1.686 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.685 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.684 16-Sep-2018 millert

Use uid_from_user(3) and gid_from_group(3) in utilities that
do repeated lookups. OK tb@


# 1.683 06-Sep-2018 kn

Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan


# 1.682 16-Jul-2018 kn

reduce duplicate code, fix typo/free correct buffer

In filteropts_to_rule():

* Merge `once' handling from `anchorrule' and `pfrule'
* Remove/shorten duplicate code block
* Fix typo I introduced with r1.678 that frees the wrong buffer (twice)

OK sashan


# 1.681 13-Jul-2018 kn

Fix regression on child queue definitions

I committed the wrong diff in 1.680 which turned `queue cq parent pq ...'
into invalid syntax by changing `interface' to `ON if_item'.

Found by bket, thanks!


# 1.680 11-Jul-2018 kn

Prevent invalid interface specifiers on queue rules

pf.conf(5) states that queues attach to actual interfaces only, yet the
following parses:

# echo queue eq on egress bandwidth 1G default | pfctl -f-
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

# echo queue rq on rdomain 0 bandwidth 1G default | pfctl -vf-
queue rq bandwidth 1G default
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

On rdomains, ifa_exists() returns NULL.
On interface groups, ifa_exists() returns non-NULL but af is never set
to AF_LINK.

OK henning sashan


# 1.679 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.678 10-Jul-2018 henning

'set delay' for the generic packet delay mechanism, ok benno sashan


# 1.677 10-Jul-2018 kn

fix anchor rules with filter opts, introduce filteropts_to_rule()

Some filter options were parsed but not set on anchor rules due to missing
copies of the respective struct members:

$ cat pf.conf
queue rq on trunk0 bandwidth 1G
queue dq parent rq bandwidth 1G default
anchor a set queue dq
$ pfctl -vnf pf.conf | fgrep queue
anchor "a" all

Fix this by moving common code from `anchorrule' and `pfrule' into a new
helper filteropts_to_rule().

Input from henning and benno
OK henning sashan jca


# 1.676 09-Jul-2018 kn

Zap dead code

Commented since r1.465 (2004).

OK deraadt benno jca sashan


# 1.675 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.674 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.673 18-May-2018 benno

A pf rule with a "on rdomain n" with nonexisting rdomain n will cause an

pfctl: DIOCADDRULE: Device busy

error when loading the ruleset, with no information which rule caused
the problem and no indication that the problem is the rdomain
<nonexisting>.

This diff makes pfctl check if the rdomain really exists when parsing
the config.

ok bluhm@


# 1.672 09-May-2018 otto

Fix (include file ) line number counting by keeping track of the unget
buffer per file; also use that buffer to expand macros.
ok sashan@ dennis@ krw@


# 1.671 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.670 08-Feb-2018 henning

make the watermarks/thresholds for entering and leaving syncookie mode when
syncookies are set to adaptive tunable, ok claudio benno


# 1.669 06-Feb-2018 henning

allow control over syncookies: set syncookies never/always/adaptive


# 1.668 28-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@


# 1.667 27-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Convert the pfctl(8) rule parser to divert types, kernel cleanup
will be the next step.
OK sashan@


# 1.666 25-Nov-2017 sashan

- pfctl fails to handle nested 'load anchor' properly
[ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]

OK bluhm@


# 1.665 14-Nov-2017 sashan

- nested anchors vs. pfctl/parse.y
bug reported and fix tested by Leonardo Guardati

OK bluhm@


# 1.664 13-Nov-2017 henning

add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb


Revision tags: OPENBSD_6_2_BASE
# 1.663 11-Aug-2017 benno

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@


# 1.662 19-Jul-2017 mikeb

Allow HFSC classes to use flow queues

The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue. Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.

Discussed with and OK henning@ at d2k17 as a part of a larger diff.


# 1.661 19-Jul-2017 mikeb

Rework HFSC vs FQ-CoDel checks

The selection mechanism introduced in pf_ioctl.c -r1.316 suffers
from being too ambiguous and lacks robustness. Instead of relying
on composition of multiple flags in the queue specification, it's
easier to identify the root class (if it exists) and derive all
further checks from it.


# 1.660 28-May-2017 akfaew

Don't check np->port for NULL - it's an array, it's never NULL.

OK bluhm@


# 1.659 15-May-2017 mikeb

Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)

OK sthen, visa


# 1.658 28-Apr-2017 mikeb

Remove double assignments


Revision tags: OPENBSD_6_1_BASE
# 1.657 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.656 23-Nov-2016 bluhm

Explicitly forbid to combine af-to with route-to in pfctl. The
parser cannot handle that correctly and it is unclear whether the
kernel code would work. Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@


# 1.655 26-Aug-2016 guenther

Add <time.h> for time(); sort <*.h> includes

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.654 18-Jul-2016 henning

g/c unused (global!) var: oqueues isn't used any more. ALTQ leftover; not
noticed since struct node_queue stayed. ok claudio benno gcc


# 1.653 22-Jun-2016 kettenis

Add curly braces that were missed in rev 1.651. Add parenthesis to make the
condition in the if statement more readable while I'm there.

ok phessler@, benno@, florian@


# 1.652 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.651 21-Jun-2016 benno

the manpage documents that af-to does not work on pass out rules, but
the pf.conf parser allows it, which leads to a non-working configuration
being loaded.
this changes the parser to make pass out .. af-to an error.

ok henning@ mikeb@


# 1.650 16-Jun-2016 henning

allow include in inline anchors
with this,
anchor foo {
include "/path/to/rules"
}
works and "load anchor" is obsolete, to be removed somewhen later after
release.
co-production with reyk at bsdcan, ok reyk mikeb benno sasha


Revision tags: OPENBSD_5_9_BASE
# 1.649 01-Sep-2015 sashan

- route-to, dup-to, reply-to should not override the block action

Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>

ok jung@, ok mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.648 21-Apr-2015 mikeb

Improve divert-to specification parsing w.r.t. rule address family.
ok henning


Revision tags: OPENBSD_5_7_BASE
# 1.647 26-Feb-2015 sthen

%% not % in error message; ok millert@ henning@


# 1.646 14-Feb-2015 sthen

Rather than using 0xff as a placeholder for "don't check prio", use 0xff to
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.

Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesn't like it he can change it when he recovers from jet-lag"


# 1.645 10-Feb-2015 henning

since we inherit prio (as in, the queuing priority) from outside sources,
i.e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan


# 1.644 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.643 19-Dec-2014 reyk

Support source-hash and random with tables and dynifs; not just pools.
This finally allows using source-hash for dynamic loadbalancing, eg.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.

An older pre-siphash version of this diff was tested by many people.

OK tedu@ benno@


# 1.642 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.641 27-Oct-2014 mikeb

Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic. Reported by sthen@;
ok henning benno sthen


# 1.640 25-Oct-2014 lteo

Remove unnecessary netinet/in_systm.h include.

ok millert@


# 1.639 13-Sep-2014 doug

Replace all queue *_END macro calls except CIRCLEQ_END with NULL.

CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.

ok millert@


# 1.638 23-Aug-2014 pelikan

when you specify queues in a rule, make sure they have been defined.

DIOCADDRULE EBUSY turns into an error message that pfctl -n catches.
DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported
to occur, possibly from hfsc.c: this should be fixed as well.

ok henning mikeb sthen


# 1.637 21-Aug-2014 mikeb

deny "once" flags for match rules; ok henning


Revision tags: OPENBSD_5_6_BASE
# 1.636 02-Jul-2014 mikeb

branches: 1.636.4;
condition above makes this part of the check useless;
overlooked in the previous commit


# 1.635 30-Jun-2014 mikeb

Merge two loops in collapse_redirspec into one

This lets us do the checks only once and also make smarter decisions
about the rule's own address family. As a result af-to rules no longer
need to specify the address family after 'pass'.

ok henning


# 1.634 25-Jun-2014 mikeb

Make stricter decisions when handling translation specifications.

In particular, disallow specifications containing addresses of
different address families when rule doesn't specify one, for
example "pass out nat-to { ::1 1.1.1.1 }" will now produce an
error instead of silently picking one of the addresses.

sthen and deraadt agree


# 1.633 17-May-2014 bluhm

When parsing a numerical value for the TOS bits, make sure that it
is in a valid range.
OK henning@


# 1.632 19-Apr-2014 henning

remove altq bits here, too
(i was convinced i committed that yesterday already, hrm)


Revision tags: OPENBSD_5_5_BASE
# 1.631 22-Jan-2014 henning

branches: 1.631.4;
relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.630 21-Jan-2014 henning

if_item can be "any" now.
allows things like
block out on $someif received-on any
to prevent packets to get forwarded to $someif


# 1.629 20-Jan-2014 henning

support "!received-on <interface>", ok dlg benno


# 1.628 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.627 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


# 1.626 17-Oct-2013 henning

cannot have queue definitions inside anchors.
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@@ring0.de>, analysis & fix yours truly


# 1.625 12-Oct-2013 henning

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen


# 1.624 01-Aug-2013 mikeb

Provide local implementations of if_nametoindex(3) and if_indextoname(3)
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance-wise this change provides a speed up
factor of 20 with an 11k line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).

"wow!" henning, ok benno, florian


Revision tags: OPENBSD_5_4_BASE
# 1.623 01-Jun-2013 henning

branches: 1.623.2;
remove set-tos backwards compat, moved into the set {} block a year ago
ok ryan


# 1.622 02-Mar-2013 sthen

When a PF rule contains 'set tos' *followed by* a scrub option, the tos
value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning


Revision tags: OPENBSD_5_3_BASE
# 1.621 16-Jan-2013 henning

for consistency with prio etc, the queue assignment really belongs
into the set block. so make pfctl accept, print and the manpage document
. match set queue foo
instead of
. match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc


# 1.620 18-Oct-2012 reyk

Disallow tables and interface address pools for rdr-to, nat-to and
route-to with any other scheduling algorithms than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, eg. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.

Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.

ok zinke@


# 1.619 18-Sep-2012 henning

prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb


Revision tags: OPENBSD_5_2_BASE
# 1.618 10-Jul-2012 bluhm

Allow an implicit address family for af-to rules. If the address
family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6"
there.
OK henning@ mikeb@


# 1.617 10-Jul-2012 henning

set { ... } -> set ( ... )
brought up by ryan, discussed with him and theo and they convinced me


# 1.616 09-Jul-2012 henning

fix some of the confusion we have in pf regarding filter criteria vs
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler


# 1.615 07-Jul-2012 henning

remove incorrect check in pfctl preventing set-tos for ipvshit.
the kernel has code to deal with set-tos and that crap. don't ask for
details. stuart ok


# 1.614 07-Jul-2012 henning

rename prio in struct pf_rule and related structs to set_prio so it is
utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc


Revision tags: OPENBSD_5_1_BASE
# 1.613 19-Dec-2011 mikeb

unbreak rule optimizer; ok henning, looks


# 1.612 12-Dec-2011 mikeb

fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault


# 1.611 03-Dec-2011 mcbride

pfctl_set_hostid always returns 0; don't pretend otherwise and make it a
void function instead.

ok dlg


# 1.610 13-Oct-2011 claudio

pfctl change for af-to / NAT64 support.
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@


# 1.609 07-Sep-2011 haesbaert

Avoid possible SIGSEGV when wrong tos option.


# 1.608 30-Aug-2011 mikeb

One shot rules can be used in pf.conf by specifying a "once" filter option.

ok henning, mcbride


Revision tags: OPENBSD_5_0_BASE
# 1.607 29-Jul-2011 mcbride

Remove requirement to quote 'debug' loglevel for the 'debug' option.

ok henning


# 1.606 27-Jul-2011 mcbride

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt


# 1.605 13-Jul-2011 mcbride

Force user to specify protocol when filtering on user, gid, and os
attributes (this is now required by pf_rule_test()).

ok sthen henning


# 1.604 08-Jul-2011 henning

allow rules to specify "prio X" or "prio (X, Y)" to assign priority levels
for the new priority queueing implementation. valid range is 0 to 7. the old
trick for prioritizing empty ACKs etc remains thru the latter notation
ok ryan mpf sthen plus pea testing and halex and claudio reading


# 1.603 07-Jul-2011 mcbride

Fold pf_test_fragment() into pf_test_rule(), reduce code and fixes
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus


# 1.602 04-Jul-2011 henning

bye bye require-order.
i added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo


# 1.601 03-Jul-2011 henning

g/c RIO traces (aka clean up after tedu :))


# 1.600 03-Jul-2011 zinke

bring in least-states load balancing algorithm

ok mcbride@ henning@


# 1.599 06-Apr-2011 claudio

Userland bits to allow PF to filter on the rdomain a packet belongs to.
This allows to write rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@


# 1.598 05-Apr-2011 mikeb

ditch fastroute, an ipf feature that made its way into pf before
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do. reuse some kernel bits for the upcoming nat64
stuff. "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.


Revision tags: OPENBSD_4_9_BASE
# 1.597 31-Dec-2010 bluhm

According to pf_scrub_ip6() pf does not support the scrub options
no-df, random-id, set-tos for IPv6 rules. Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@


# 1.596 15-Dec-2010 henning

make the "invalid probability:" yyerror suck less
From: Thomas Pfaff <tpfaff@tp76.info>


# 1.595 01-Dec-2010 jsg

remove some unused tokens
ok henning@ mcbride@


# 1.594 24-Sep-2010 henning

remove the check that enforced rdr-to only inbound and nat-to only outbound.
both now can be used in both directions. the kernel allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given, a rule with rdr-to and/or nat-to
and no direction is pretty certainly an error (which it would work,
technically)
ok ryan claudio dlg


# 1.593 22-Sep-2010 henning

new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually


# 1.592 02-Sep-2010 sobrado

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@


Revision tags: OPENBSD_4_8_BASE
# 1.591 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.590 03-Jul-2010 mcbride

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.

tested by phessler
ok henning


# 1.589 23-Mar-2010 henning

remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving anchors aside) is wrong and
conflicts with the general idea of how pf works. last but not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc


Revision tags: OPENBSD_4_7_BASE
# 1.588 13-Jan-2010 deraadt

Move tokens before productions into more consistent places
ok mcbride


# 1.587 13-Jan-2010 mcbride

Allow /netmask notation in redir spec, fix the rest of the regress
tests for illegal conditions in translation/routing.


# 1.586 12-Jan-2010 mcbride

We actually have to keep the translate/route spec addresses around after
collapsing into tables, so that we can handle all possible address family
expansions.


# 1.585 12-Jan-2010 mcbride

Set roundrobin flag correctly, and don't treat a bare interface
like a dynamic one in the routespec.


# 1.584 12-Jan-2010 mcbride

Add restrictions to make @if illegal outside of routing specs;
Fix binat-to sanity checks.


# 1.583 12-Jan-2010 mcbride

Fix some issues in redir spec handling, discovered thanks to dlg testing
- purge irrelevant addresses from the lists before collapsing
- ensure the lists are freed after they're collapsed
- more careful ifname copying, avoiding double-free / use-after-free traps


# 1.582 12-Jan-2010 mcbride

Don't leak @if0 format routing host names, pointed out by claudio.


# 1.581 12-Jan-2010 mcbride

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio


# 1.580 10-Jan-2010 deraadt

lex <=, >=, and != into a single token for correctness and to reduce the
lookahead in the parser
ok henning otto


# 1.579 10-Jan-2010 deraadt

In the non-optimized case, an address list containing "any" (ie. { any 10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1. How long this bug has
been with us is unclear.
ok guenther mcbride


# 1.578 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


# 1.577 24-Dec-2009 dlg

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:

pass out on em0 from $foo to $bar received-on fxp0

ive been running this in production for a week now. i find it particularly
useful with interface groups.

no objections, and a few "i like"s from henning, claudio, deraadt, mpf


# 1.576 10-Dec-2009 deraadt

plug some memory leaks; found by parfait, ok henning


# 1.575 22-Nov-2009 henning

cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing


# 1.574 09-Nov-2009 jsg

A few more places to be updated for the route pool change.
expanded version of a diff from Vadim Zhukov.

ok henning@ claudio@


# 1.573 28-Oct-2009 jsg

Add a dedicated pf pool for route options as suggested by henning,
which unbreaks ie route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@


# 1.572 28-Oct-2009 claudio

route_host initializes the netmask to a /128 no matter what af is used so
that the load balancing code does not freak out but because of this
check_netmask() is now complaining. So set the addr.type to PF_ADDR_DYNIFTL
so check_netmask() is fixing up the netmask for IPv4 and stops complaining.
This is a partial fix for the failing regress test 13.
found with jsg, looks good henning


# 1.571 28-Oct-2009 claudio

Correct function name in err and errx.


# 1.570 04-Oct-2009 michele

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who spotted out which are the limitations of this approach.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@


# 1.569 08-Sep-2009 michele

I had not enough oks to commit this diff.
Sorry.


# 1.568 08-Sep-2009 michele

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.


# 1.567 07-Sep-2009 reyk

implement binat-to as a macro-like rule: a rule using the new binat-to
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. this simplifies the migration from old
binat rules and is less error-prone.

feedback from many, manpage bits from jmc@
ok henning@


# 1.566 03-Sep-2009 reyk

this time i commit the right diff that was
ok henning@ (sorry)


# 1.565 03-Sep-2009 reyk

fix two route-to vs. rdr-to conflicts.

found by sthen@
ok henning@


# 1.564 02-Sep-2009 reyk

all the new *-to options are part of the "filteropts" section at the
end of a pf rule (nat-to, divert-to, rdr-to, ...). take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.

for example,
pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)

many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@


# 1.563 01-Sep-2009 henning

the diff theo calls me insanae for:
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too


# 1.562 28-Jul-2009 claudio

Bring back rev. 1.560:
Make it possible to use DiffServ Code Point in the TOS fields.
Requested by deraadt@


# 1.561 27-Jul-2009 deraadt

When will people learn to commit their .h file changes?


# 1.560 27-Jul-2009 claudio

Make it possible to use DiffServ Code Point in the TOS fields. Names like
af11, cs6 and ef will now be mapped to the corresponding TOS value.
OK henning@, sthen@, mcbride@


Revision tags: OPENBSD_4_6_BASE
# 1.559 14-May-2009 sthen

actually change the require-order default to No; I missed a part with
my last commit. ok deraadt@


# 1.558 26-Apr-2009 sthen

switch the require-order default to "no". regression tests still pass.
ok henning@ deraadt@


# 1.557 25-Apr-2009 henning

scrub_opts must not be empty, scrub on its own does nothing.
noticed due to a question from otto@, ok regress/sbin/pfctl/ ;)


# 1.556 06-Apr-2009 henning

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.


Revision tags: OPENBSD_4_5_BASE
# 1.555 19-Feb-2009 deraadt

spacing


# 1.554 17-Oct-2008 henning

in findeol(), do not skip the pushback buffer. fixes PR 5952 by sthen@ and
should make the pushback buffer really transparent.
diagnosis by me, fix with mpf, some input deraadt, ok mpf


# 1.553 02-Oct-2008 henning

implement "set state-defaults X", where X is a list of state options as
permitted keep state(X). applies to all rules which do not have keep state
explicitly. e. g. "set state-defaults pflow, no-sync"
ok phessler deraadt


# 1.552 10-Sep-2008 deraadt

do not try to print $$ when it has not been set


# 1.551 09-Sep-2008 henning

welcome pflow(4), a netflow v5 compatible flow export interface.
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo


# 1.550 07-Aug-2008 henning

correctly copy the log interface spec when expanding an antispoof rule that
covers loopback addresses. ok ryan
problem report from Harald Dunkel <harald.dunkel@aixigo.de>


Revision tags: OPENBSD_4_4_BASE
# 1.549 03-Jul-2008 deraadt

do not forget to initialize other member of $$ in qname; noted by mark shroyer
ok henning


# 1.548 10-Jun-2008 mcbride

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt


# 1.547 10-Jun-2008 henning

new state option "sloppy" to use the sloppy tcp state tracker instead
of the good one. ok theo ryan reyk


# 1.546 09-May-2008 deraadt

Replace a crockpot of semi-cloned productions for handling port
numbers with one, and fix a few other bugs along the way
ok mpf henning


# 1.545 09-May-2008 markus

convert port byte order in the production; add port keyword; ok deraadt@


# 1.544 09-May-2008 markus

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@


# 1.543 08-May-2008 deraadt

make "to any" optional in binat, or well, the implied default.
requested by reyk, ok reyk mpf


# 1.542 08-May-2008 deraadt

Loosen grammar to permit any number of newlines within most kinds of { }
blocks, as requested by reyk; ok reyk mpf henning


# 1.541 08-May-2008 deraadt

Bring back (in a more yacc friendly way) support for setting variables
to a sequence of strings and numbers, which get folded together into one
string (and later, when used, is re-lexed)
ok mpf


# 1.540 07-May-2008 deraadt

do not assume PF_INOUT is 0 in the enum; ok mcbride


# 1.539 07-May-2008 markus

scrub packets based on tags; ok henning


# 1.538 07-May-2008 markus

allow setting TOS with scrub; ok mcbride, claudio


# 1.537 21-Apr-2008 deraadt

optnl is a crutch for those who do not understand yacc. it
leads to a variety of errors; ok mcbride


Revision tags: OPENBSD_4_3_BASE
# 1.536 01-Feb-2008 mcbride

Enable the rest of the filter_opts to be used on anchors. These were accepted
by the parser but not passed to the kernel. This allows filtering based on
uid, gid, icmp options, tcp flags, os fingerprint, tos, tags, and probability;
It also allows the label to be set. State options and tagging are not
permitted.

ok henning mpf


# 1.535 13-Nov-2007 mpf

Bring back the number converter for 'set hostid'.
I forgot to think about hex numbers when I removed it.
OK deraadt@


# 1.534 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.533 25-Oct-2007 mpf

Fix probability rules w/ numbers (e.g probability 0.4).
Add support for probabilities of 0% and 100%.
With and OK deraadt@


# 1.532 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.531 22-Oct-2007 deraadt

pfctl does not need file secrecy


# 1.530 16-Oct-2007 mpf

Allow unquoted numbers in variables.
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.

OK deraadt@


# 1.529 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.528 13-Oct-2007 deraadt

support an include directive; file of course must also be "secure" like
the main configuration file; ok henning


# 1.527 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.526 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.525 01-Oct-2007 mpf

Backout NUMBER to string conversion.
Requested by deraadt@


# 1.524 27-Sep-2007 mpf

Add loginterface support for groups.
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.

OK henning@, markus@


# 1.523 23-Sep-2007 mpf

Allow numbers to be used as unquoted strings again.
While there, also restrict the use of concatenated, unquoted
strings for variable assignments only.

Eyeballed by markus@, OK henning@


# 1.522 12-Sep-2007 deraadt

add a missing range check for rtable ids; ok cloder henning


# 1.521 12-Sep-2007 deraadt

Add support to the lex for parsing number out of the stream. handle
this in the parser. because the new numbers are int64_t, many new
range checks for < 0 are needed. re-check and improve all the
existing rangechecks while at it. thanks for help by cloder and
dhartmei


# 1.520 30-Aug-2007 dhartmei

add support for address ranges ("from 10.1.2.50 - 10.1.3.75") in from/to
criteria. ok mcbride@


Revision tags: OPENBSD_4_2_BASE
# 1.519 21-Jun-2007 henning

always initialize logif, from max laier, ok ryan


# 1.518 20-Jun-2007 mpf

Allow "log" for nat rules without "pass".
OK henning@, ``passt scho'' markus@


Revision tags: OPENBSD_4_1_BASE
# 1.517 03-Feb-2007 dhartmei

in decide_address_family(), only limit a rule to a specific address family
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@


# 1.516 07-Nov-2006 mcbride

Unbreak authpf by handling non-inline anchors separately from the { } anchors
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.

ok deraadt@


# 1.515 31-Oct-2006 mcbride

Allow pfctl ruleset optimizer to be controlled from the ruleset.

"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]

You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.

cleanup and ok henning@


# 1.514 31-Oct-2006 mcbride

- don't allow anchors with _* names to be cleared or loaded from the
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified

'looks sensible' deraadt@


# 1.513 28-Oct-2006 mcbride

Load all rules into memory before loading into the kernel, and add support
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").

anchor on fxp0 {
pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@


# 1.512 25-Oct-2006 henning

make absolutely sure logif is 0 unless set specifically, even if log is 0.
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...


# 1.511 25-Oct-2006 henning

and another nit, $$.log should be set to 0 explicitly on quick without log


# 1.510 25-Oct-2006 henning

urgs, $$.quick needs to be set to 0 explicitly on log (without quick)


# 1.509 25-Oct-2006 henning

allow the log interface to be selected like
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride


# 1.508 17-Oct-2006 mcbride

Don't automatically set 'flags S/SA' on stateless rules.

pointed out by david@

ok mpf@ dhartmei@


# 1.507 11-Oct-2006 deraadt

quotes around filename, pr 5253, sthen@zephyr.spacehopper.org


# 1.506 11-Oct-2006 mcbride

Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside
the anchor, terminate ruleset evaluation when stepping out of the anchor.

This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.

ok dhartmei@ henning@ deraadt@


# 1.505 06-Oct-2006 mcbride

Oops, flags S/SA doesn't work on fragments.


# 1.504 06-Oct-2006 mcbride

Make 'flags S/SA keep state' the implicit for filter rules, based on
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.

IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.

Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.

ok dhartmei@ deraadt@ henning@


Revision tags: OPENBSD_4_0_BASE
# 1.503 22-Aug-2006 dhartmei

back out -r1.497 (support for "tagged {}" lists), it broke "tagged" support
for nat rules. sorry, existing functionality trumps syntactic sugar. feel
free to resubmit a complete patch. closes PR 5207.


# 1.502 06-Jul-2006 henning

add "rtable" to select alternate routing tables.
with & ok claudio hshoexer


# 1.501 17-Jun-2006 henning

KNF


# 1.500 28-May-2006 mcbride

Make per-rule adaptive timeouts behave the same way as the global adaptive
timeouts.


# 1.499 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.498 02-May-2006 dhartmei

fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, create
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.


# 1.497 01-May-2006 dhartmei

add support for "tagged {}" lists, from Pierre-Yves Ritschard


# 1.496 06-Apr-2006 henning

allow lists inside lists for address specs, has been in my tree for
quite some time... theo likes


# 1.495 14-Mar-2006 djm

implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@


Revision tags: OPENBSD_3_9_BASE
# 1.494 17-Nov-2005 dhartmei

for pfctl -f rules, open the file before resetting options. when opening
the file fails, produce only the error message and leave options
unchanged. reported by Tamas TEVESZ, ok deraadt@


# 1.493 13-Oct-2005 henning

unused parameters


Revision tags: OPENBSD_3_8_BASE
# 1.492 14-Jun-2005 henning

no need to restrict tagging to stateful rules any more, dhartmei ok
From: "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.491 27-May-2005 dhartmei

get rid of 'log-all'. now that we have 'log (options)', make 'all' an
option to log. so, 'log-all' becomes 'log (all)'.


# 1.490 27-May-2005 dhartmei

get rid of shift/reduce conflicts, don't support empty logopts


# 1.489 27-May-2005 dhartmei

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v are used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.


# 1.488 27-May-2005 dhartmei

allow 'tagged' in 'anchor' rules (without complaining about missing
'keep state'), as a condition to branch into the anchor. suggested
by Bill Marquette.


# 1.487 26-May-2005 camield

The illegalness of "no nat log" is already enforced by the grammar.

ok dhartmei


# 1.486 26-May-2005 dhartmei

support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@


# 1.485 23-May-2005 camield

remove code that duplicates getservice()

ok dhartmei mcbride


# 1.484 21-May-2005 henning

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo


# 1.483 22-Apr-2005 camield

Catch bad flags, i.e. flags that always evaluate to false. This happens
if there are flags on the left-hand side that are masked off by the
right-hand side.

ok mcbride@ (long time ago) dhartmei@ henning@


Revision tags: OPENBSD_3_7_BASE
# 1.482 07-Mar-2005 henning

print unsigned long with %lu, not with %d and not with %ld.
From: Andrey Matveev <andrushock@korovino.net>


# 1.481 06-Mar-2005 henning

allow commas in the hfsc service curve spec, inconsistency pointed out in
PR4134 / geoff@collyer.net and a longer mail exchange with han boetes


# 1.480 06-Mar-2005 dhartmei

print "set skip on" with -v in such a way that the output is valid input
syntax, instead of the cryptic hex flags output.


# 1.479 27-Feb-2005 dhartmei

support 'tagged' in translation rules, non-delayed tag lookup
ok henning@, deraadt@


# 1.478 26-Feb-2005 henning

you sure get the impression the number of memory leaks in error paths
is infinite... Andrey Matveev <andrushock@korovino.net> spotted a few again!


# 1.477 07-Feb-2005 david

KNF; ok henning@


# 1.476 28-Jan-2005 dhartmei

add messages for syntax errors that caused silent failure before.
found by Peter Fraser, ok henning@


# 1.475 27-Jan-2005 dhartmei

dynamic interface names must start with a letter. catches the nonsensical
"(10.1.2.3)" that results from a simple typo like "$(ext_ip)" instead of
"$(ext_if)".


# 1.474 05-Jan-2005 mcbride

Modify pfctl behaviour so that 'set ...' options are no longer "sticky", i.e.
they are reset to default values if omitted from a subsequent ruleset load.
Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set
without resetting the others, e.g.:
# echo "set loginterface fxp0" | pfctl -mf -

ok henning@ dhartmei@


# 1.473 29-Dec-2004 mcbride

Print 'set fingerprints' correctly when parsing verbosely.


# 1.472 23-Dec-2004 dhartmei

set rule_flag PFRULE_SRCTRACK when setting srctrack, found by camield@
using regress test pf84


# 1.471 22-Dec-2004 dhartmei

Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@


# 1.470 15-Dec-2004 henning

missing free()s; with pat


# 1.469 10-Dec-2004 henning

allow pf to filter on route labels
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan


# 1.468 08-Dec-2004 mcbride

Add "'overload' requires 'max-src-conn' or 'max-src-conn-rate'" sanity check,
fix some cut-n-paste mayhem in other related checks.


# 1.467 07-Dec-2004 dhartmei

re-commit mcbride@'s 'flush global', this time without the breakage in
pfvar.h. builds kernel and userland.


# 1.466 07-Dec-2004 deraadt

real backout


# 1.465 07-Dec-2004 deraadt

oops, incomplete backout


# 1.464 07-Dec-2004 deraadt

tree does not compile, spotted by dlg (not obvious how to fix)
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.463 07-Dec-2004 mcbride

Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.462 05-Dec-2004 dhartmei

initialize $$->tail and $$->next for MAXSRCCONNRATE


# 1.461 04-Dec-2004 mcbride

Userland support for limiting open tcp connections per source. e.g.:

keep state (max-src-conn 1000, max-src-conn-rate 100/10, overload <bad> flush)

allow a maximum of 1000 open connections or 100 new connections in 10 seconds.
The addresses of offenders are added to the <bad> table which can be used in
the ruleset, and existing states from that host are flushed.

ok deraadt@ dhartmei@


# 1.460 21-Sep-2004 aaron

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok


Revision tags: OPENBSD_3_6_BASE
# 1.459 29-Jun-2004 henning

remove cedric's bogus interface name verification code.
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nice enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being bugged to regularly.
help & ok mcbride@


# 1.458 29-Jun-2004 frantzen

convert a few memcpy()s to strlcpy() so we don't copy uninitialized junk into
an interface name's slack space past the \0. will be needed for the optimizer.
ok henning@


# 1.457 26-Jun-2004 david

add back PF_INOUT, fixes reassemble tcp
ok canacar@ mcbride@


# 1.456 25-Jun-2004 deraadt

repair tree nanobreak by the nanobum


# 1.455 10-Jun-2004 dhartmei

rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
keyword in C++. ok henning@, cedric@


# 1.454 21-May-2004 dhartmei

Use '/' instead of ':' as separator for anchor path components. Note that
the parser now needs quotes around paths containing separators.
ok mcbride@


# 1.453 19-May-2004 dhartmei

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@


# 1.452 24-Apr-2004 cedric

Add "probability xxx" rule modifier. ok deraadt@


# 1.451 22-Apr-2004 henning

typo, From: Jared Yanovich <jjy2+@pitt.edu>


# 1.450 14-Apr-2004 cedric

make antispoof work with dynamic addresses. ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_5_BASE
# 1.449 20-Mar-2004 david

spelling fix; ok dhartmei@ henning@ deraadt@


# 1.448 14-Mar-2004 dhartmei

#include fixes, from Max Laier, ok beck@ henning@


# 1.447 08-Mar-2004 henning

plug 124 memory leaks
ok mcbride@ pb@ dhartmei@


# 1.446 06-Mar-2004 henning

from bgpd:
plug a memory leak in the lexer.
the issue is this code fragment from yylex():
    token = lookup(buf);
    yylval.v.string = strdup(buf);
    if (yylval.v.string == NULL)
        err(1, "yylex: strdup");
    return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.445 01-Mar-2004 dhartmei

support "tagged <name>" on anchor rules, suggested by vd@vmunix.lt,
ok henning@, cedric@


# 1.444 24-Feb-2004 mcbride

'max-src-nodes' requires 'source-track rule'. Set that automatically,
unless 'source-track global' is explicit, in which case error out. Lots of
help from cedric@.

ok cedric@ henning@


# 1.443 24-Feb-2004 cedric

fixup.


# 1.442 24-Feb-2004 mcbride

Check for 'source-track rule' with 'max-src-nodes'.

ok cedric@ henning@


# 1.441 11-Feb-2004 cedric

Fix interface clobbering for link-local addresses. Found by Pyun YongHyeon.
Fix "antispoof for foo" when foo has no addresses.
ok+help dhartmei@, ok mcbride@


# 1.440 10-Feb-2004 henning

KNF


# 1.439 10-Feb-2004 henning

fix at least the worst of Cedric "KNF is for everybody but me" Berger's fuckup


# 1.438 04-Feb-2004 mcbride

Handle rules like 'pass ... proto { tcp udp icmp } ... modulate state'

ok dhartmei@ henning@


# 1.437 03-Feb-2004 henning

fix PR 3664 / jared r r spiegel
we need to save the unexpanded tag/tagged strings before entering the
expansion loop, and at each loop, start with the unexpanded tag, so that
on subsequent loops the macros are replaced with current values and not
the values from previous loop persist
ryan theo ok


# 1.436 05-Jan-2004 henning

few off by ones in strlcpy overflow check; Patrick Latifi


# 1.435 04-Jan-2004 cedric

don't ignore "!" on "binat on !foo". ok mcbride@


# 1.434 31-Dec-2003 deraadt

spacing. note this, cedric


# 1.433 31-Dec-2003 cedric

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to a group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@


# 1.432 30-Dec-2003 henning

fix TAILQ abuse.
TAILQ_REMOVE is a no-no within a TAILQ_FOREACH loop.
also free the symbol itself after removal.
all found while hacking bgpd which incorporates pfctl's sym code (macros).

ok cedric@


# 1.431 19-Dec-2003 henning

i wrote much of these, assert my copyright


# 1.430 19-Dec-2003 deraadt

assert copyright. i rewrote much of this


# 1.429 16-Dec-2003 mcbride

Check that max-src-states and max-src-nodes are not being set to 0.


# 1.428 15-Dec-2003 henning

KNF here too


# 1.427 15-Dec-2003 mcbride

Whitespace.


# 1.426 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. i.e., a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


# 1.425 15-Dec-2003 mcbride

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@


# 1.424 29-Nov-2003 dhartmei

allow ':' (range including boundaries) to be used wherever '><' (range
excluding boundaries) is legal. already supported by kernel, requires only
removal of three error messages. ok henning@


# 1.423 22-Nov-2003 henning

daniel stumbled over a broken regress test, and it turned out that I forgot
to commit a diff from 11/6...
do not insert the "block in on ! interface" rule for antispoof statements when
the interface in question does not have any IP address, because that then
expands to
block in on ! interface all
which is obviously bad.
niklas@ found it, dhartmei@ ok, and I think some more ppl ok I don't remember


# 1.422 14-Nov-2003 henning

allow the debuglevel to be set from pf.conf (set debug)

ok cedric@


# 1.421 08-Nov-2003 mcbride

Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.

pass in proto tcp to self flags S/SA keep state (no-sync)

ok cedric@ henning@ dhartmei@


# 1.420 06-Nov-2003 henning

and fix two err() that should be errx() while being here


# 1.419 06-Nov-2003 henning

need calloc here


# 1.418 06-Nov-2003 henning

allow the label macros to be used in tags as well.
the idea is not mine and I'd love to get credit, but I cannot find the mail
any more :-((

ok canacar@ dhartmei@


# 1.417 21-Oct-2003 itojun

don't use NULL as (int)0. henning ok


# 1.416 26-Sep-2003 cedric

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:

- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK

Ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_4_BASE
# 1.415 01-Sep-2003 henning

KNF


# 1.414 28-Aug-2003 kjell

This change is busted. what's worse, REGRESSION TESTS WOULD HAVE CAUGHT IT!
You MUST test network stack changes on BOTH BYTE-ORDERS.
Someone can fix this later, but right now I need to get the damn
firewall up. Grr.


# 1.413 26-Aug-2003 dhartmei

catch port/user/group a <>/>< b with a >= b, from mpech@


# 1.412 25-Aug-2003 dhartmei

catch return-rst ttl values > 255, from aaron@


# 1.411 24-Aug-2003 cedric

Tweaks:
- Make sure we allow only tables in round-robin pools for routing options,
same as what we do for translation rules.
- Don't reject rules like: "nat on sis0 -> <foo>" because
"no address family is given". This is perfectly valid.
ok henning@


# 1.410 22-Aug-2003 david

pf spelling police
ok dhartmei@ jmc@


# 1.409 21-Aug-2003 frantzen

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
    block proto tcp from any os SCO
    block proto tcp from any os Windows to any port smtp
    rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001


# 1.408 20-Aug-2003 henning

braindeadness police: catch queues which specify itself as child... 'nuff said


# 1.407 20-Aug-2003 henning

err out nicer on errors in queue def


# 1.406 18-Aug-2003 dhartmei

catch max-mss values > 65535, report by Gregory Steuck


# 1.405 09-Aug-2003 cedric

This patch removes the restriction that tables cannot be used in routing or
redirection rules...

The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.

This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.

Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"

ok henning@ mcbride@


# 1.404 29-Jul-2003 deraadt

indent


# 1.403 19-Jul-2003 cedric

Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
instead of indirectly through struct pf_rule_addr.

Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.

Needless to say: KERNEL/USERLAND SYNC REQUIRED.

ok henning@ mcbride@


# 1.402 18-Jul-2003 cedric

Simplify handling of flags (-R, -N...). Remove PFCTL_FLAG_ALL.
ok dhartmei@


# 1.401 15-Jul-2003 cedric

Repair memory management in table parsing code.
I need vacations.
Found and verified by Pyun YongHyeon.
ok dhartmei@


# 1.400 14-Jul-2003 dhartmei

typo


# 1.399 11-Jul-2003 cedric

Better parsing and -v support for tables:

- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and brings table definition consistent with other
parsed rules.

ok dhartmei@


# 1.398 10-Jul-2003 cedric

Fix merging of host lists.
ok dhartmei@ henning@


# 1.397 04-Jul-2003 henning

KNF after cedric (grmpf)


# 1.396 04-Jul-2003 henning

allow for a "pass" modifier on translation rules:
nat pass on $ext_if from $a to $b -> $ext_if
when the pass modifier is given, the filter ruleset is _not_ evaluated but
the packets matching this translation rule are passed unconditionally.

ok dhartmei@ cedric@ markus@


# 1.395 03-Jul-2003 cedric

Bye bye atexit(), bye bye globals...
The pfctl.c part will probably need some further improvements.
ok henning@


# 1.394 03-Jul-2003 cedric

This patch finally cleans up pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@


# 1.393 19-Jun-2003 deraadt

knf


# 1.392 18-Jun-2003 henning

change expand_label_addr() to use a switch (h->addr.type) instead of
if .. else if .. else, and handle PF_ADDR_NOROUTE as well.
inspired by a comment from cedric.


# 1.391 18-Jun-2003 henning

when expanding the $srcaddr/$dstaddr label macros and the address is actually
a table reference, don't print nonsense but the table name.
found by claudio jeker, fix by me, agreement by cedric


# 1.390 09-Jun-2003 mcbride

Attempt to resolve byte order confusion in nat code once and for all.

- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()

NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.


# 1.389 25-May-2003 henning

must not run check_netmask() before remove_invalid_hosts() - binat case had it
wrong for the redirection target.
reported by jared r r spiegel <jrrs@ice-nine.org>


# 1.388 19-May-2003 henning

reject invalid netmasks like 10.0.0.0/68, and fix up the netmask for
dynaddr rules after we know the address family

ok dhartmei@, inspired by a session with bob


# 1.387 19-May-2003 henning

all host() receivers have to test for NULL


# 1.386 19-May-2003 henning

if host() returns NULL, it is an error, so err the fuck out and don't
load bullshit


# 1.385 17-May-2003 henning

support inverse matching on tags like
block in ! tagged sometag

ok dhartmei@ pb@


# 1.384 16-May-2003 dhartmei

TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive end-
point, preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@


# 1.383 15-May-2003 henning

properly complain about too long tags


# 1.382 14-May-2003 frantzen

add scrub modifier "reassemble tcp" to turn on stateful TCP normalizations
ok henning@ dhartmei@


# 1.381 14-May-2003 henning

tagging on binat


# 1.380 14-May-2003 henning

enabled tagging on rdr rules


# 1.379 14-May-2003 henning

with tag/tagged given, only whine about missing keep state on pass rules


# 1.378 14-May-2003 frantzen

allow SCRUB rules to specify protocol again. broken sometime in the past.
okie dhartmei@, yay pb@


# 1.377 14-May-2003 henning

tags on nat rules:
nat on $ext_if all tag humppa -> $ext_if
pass out tagged humppa keep state


# 1.376 13-May-2003 henning

make sure tagging is only ever used with stateful filter rules


# 1.375 13-May-2003 henning

userland part for tagging.
it's now possible to tag packets with an arbitrary tag and filter based on
that tag later on other interfaces:
pass in quick on fxp0 keep state tag blah
pass out quick on wi0 keep state with tag blah
can be used to express trust between interfaces, to distinguish between
NATed connections and connections originating from the firewall itself
and much more

ok dhartmei@ frantzen@ pb@ mcbride@


# 1.374 11-May-2003 mcbride

Don't ntohs() the translation port for nat as it is already in host byte order.
Makes nat ... -> $ext_if port 500 rules work correctly again.

ok henning@ dhartmei@ frantzen@


# 1.373 10-May-2003 henning

support loading of anchors from within the main ruleset via
load anchor anchorname:rulesetname file /path/to/file

ok pb@ dhartmei@ cedric@


# 1.372 03-May-2003 henning

don't free() the char * carrying the rule label too early
noticed by Mathieu Sauve-Frankel <m.sauve at secureops.net> via silc


# 1.371 01-May-2003 henning

ease label handling

ok cedric@


# 1.370 01-May-2003 henning

allow label on antispoof; requested by Gregor Binder <gbinder at sysfive.com>

ok cedric@


# 1.369 30-Apr-2003 cedric

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@


# 1.368 25-Apr-2003 dhartmei

Properly copy the second part of nat proxy port range, when specified.
ok henning@


# 1.367 15-Apr-2003 henning

pass down the unparsed queue opts (struct node_queue_opt) to
print_altq/print_hfsc -> print_hfsc_opts and extract struct node_hfsc_sc
there for each service curve and pass those down to print_hfsc_sc. now
bandwidth specifications in the service curves are printed correctly in the
case of a queue belonging to more than one interface/parent queue, the
parent queues having different bandwidths and the bandwidth on the service
curve being specified in percent.


# 1.366 14-Apr-2003 henning

let print_altq and print_queue take a struct node_queue_bw parameter instead
of distinct bw_percent


# 1.365 13-Apr-2003 henning

KNF


# 1.364 13-Apr-2003 henning

prevent double service curve specification


# 1.363 13-Apr-2003 henning

add support for the HFSC linkshare, realtime, and upperlimit service curves
to be specified.


# 1.362 13-Apr-2003 dhartmei

unbreak (missing })


# 1.361 13-Apr-2003 henning

say bye bye to hfscflags_list and hfscflags_item
welcome hfscopts_list and hfscopts_item, returning a full struct
node_hfsc_opt instead of just an int for the flags. needed because of all
the opts hfsc knows


# 1.360 13-Apr-2003 henning

new struct node_hfsc_opts for, surprise, hfsc options. needed because they
contain bandwidth specifications and we need to carry the unprocessed bw
specs around for quite some time until we can break them down to absolute
values.


# 1.359 13-Apr-2003 henning

pass down the struct node_queue_opts from the altqif/queuespec yacc targets
to expand_altq/expand_queue -> eval_pfaltq/eval_pfqueue and
further down to the new eval_queue_opts() instead of evaluating them directly
in the yacc grammar.
this will be needed to process the hfsc options which can contain relative
bandwidth specifications, and we can't break them down to an absolute one
earlier.


# 1.358 13-Apr-2003 henning

move the structs node_queue_bw and node_queue_opt to pfctl_parser.h.
let eval_pfqueue() and eval_pfaltq() take a pointer to a struct
node_queue_bw instead of two distinct bw_absolute and bw_percent parameters.


# 1.357 13-Apr-2003 henning

move the bandwidth keyword from within the bandwidth target up to the
queue_opts target so the bandwidth parser can be used for other things too;
will be needed for hfsc's linkshare etc


# 1.356 12-Apr-2003 henning

initial support for the HFSC scheduler.
whoever uses that for more than toying around is on drugs. it's far from done.


# 1.355 11-Apr-2003 henning

KNF


# 1.354 11-Apr-2003 henning

don't set r->qid and r->pqid in expand_rule any more, queue name -> queue ID
mapping is done in kernel land now


# 1.353 07-Apr-2003 dhartmei

Catch and refuse invalid icmp codes (> 255). ok pb@, mpech@.


# 1.352 05-Apr-2003 henning

ease netmask handling a bit

input theo, ok dhartmei@


# 1.351 05-Apr-2003 henning

allow queue specs to be limited to certain interfaces.

altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two }
queue one priority 1 priq(default)
queue two on $if0 priority 15
queue two on ! $if0 priority 0

ok dhartmei@


# 1.350 05-Apr-2003 henning

whitespace KNF


# 1.349 04-Apr-2003 henning

clean up:
instead of letting the lexer interpret '<' '>' '=' '>=' '<=' and return them
as PF_OP_LT, PF_OP_GT etc etc etc in PORTUNARY, just let the lexer return
'<' '>' and '=' literally, and in the few cases where the old PORTUNARY was
really used like originally intended, replace that by a new unaryop yacc
target. in all other cases that gets rid of quite some checks whether PORTUNARY
is really < and nothing else etc etc etc.

ok cedric@ deraadt@


# 1.348 27-Mar-2003 henning

lotsa const char *
from David Hill <david at phobia.ms> a while ago


# 1.347 27-Mar-2003 henning

introduce a "yesno" target. eases code a bit and yes is no keyword any more.


# 1.346 27-Mar-2003 henning

handle invalid priq/cbq flags better and give a nice error message


# 1.345 27-Mar-2003 henning

default, borrow, ecn, red and rio are no keywords any more. use STRING and
strcmp instead.


# 1.344 27-Mar-2003 henning

switch symset/symget to TAILQ instead of using hand baked lists

ok dhartmei@ cedric@


Revision tags: OPENBSD_3_3_BASE
# 1.343 19-Mar-2003 henning

branches: 1.343.2;
kill the address token and move the host() invocation up to the host token,
so that host() always gets the full address to be parsed including the
netmask instead of applying the netmask afterwards. this could break some
edge cases and was broken since the (interface)/24 fix.
new token dynaddr for, well, dynaddr, and apply an eventually given netmask
afterwards in the host token just in this case.

found after bug report From: Julien Bordet <zejames@greyhats.org> via dhartmei

ok daniel cedric


# 1.342 10-Mar-2003 henning

correctly cope with errors returned by eval_pfqueue and pfctl_add_altq

ok dhartmei@ pb@ (as part of... you know, monsterdiff)


# 1.341 10-Mar-2003 henning

when complaining about a queue without parent, include the queue name in
the error message

ok dhartmei@ pb@ (as part of a monsterdiff)


# 1.340 09-Mar-2003 henning

cope with LOOP_THROUGH modifying the list (queues).
in case of an error in the queue def in question the queues list remains
unmodified, but the LOOP_THROUGH caused a mod anyway, and the list can stay
empty. subsequent checks for NULL which check for an empty list fail then.
fix by adding an explicit check before looping.
fixes regress pfail31
error report by Kamil Andrusz via pb@, testcase from pb@
ok dhartmei@


# 1.339 09-Mar-2003 henning

cope with the fact that LOOP_THROUGH loops once even if the list is empty by
moving the addition of child queues a bit down after the successful
addition of the current queue and an explicit NULL check before looping.
fixes regress pf59
found by kjc@
ok kjc@ cedric@ dhartmei@


# 1.338 08-Mar-2003 henning

fix the obvious:
since we do not modify the struct pf_altq *a any more but our private copy,
we can of course not inherit the scheduler type from it, since it did not
inherit the scheduler type from the parent.
so just inherit the scheduler type from the parent directly...

ok dhartmei@ cedric@


# 1.337 08-Mar-2003 henning

in expand_queue, make a private copy of the struct pf_altq before modifying
it. modifying the original one had undesired side effects if a queue was
expanded to more than one because it belonged to more than one interface

ok pb@ cedric@ dhartmei@


# 1.336 06-Mar-2003 henning

fix queue assignment on filter rules which are not bound to an interface.
when looking up the queue IDs using qname_to_qid, we do not need to limit
the matching on the interface in question, as it is guaranteed that same
named queues on different interfaces have the same queue id. moreover, we
must not limit the matches to the interface if we do not have an interface
given on the filter rule to match on ;-)

found after problems reported by Andre Nathan <andre at v2r dot com dot br>

ok dhartmei@ pb@ cedric@


# 1.335 02-Mar-2003 henning

when printing queues at load time that have bandwidth specified in percent,
print the bandwidth in percent instead of the calculated absolute value.
if a queue belongs to more than one interface and they have different
bandwidth the calculated absolute is of course different per interface.
previously the first calculated absolute value was shown; which of course is
incorrect on the second interface. note that only the print was wrong, the
correct values were passed to the kernel.

ok theo daniel


# 1.334 02-Mar-2003 henning

remove the control keyword for cbq queues.
the control class was a legacy of the original CBQ design by LBL/Sun
to support RSVP.
the control class is not used in openbsd, in the sense that
we don't automatically set filters for ICMP/IGMP/RSVP for the control
class.

ok dhartmei@ kjc@ deraadt@


# 1.333 27-Feb-2003 david

modify error message to match the same 7 sections in pf.conf(5)
ok deraadt@ henning@


# 1.332 26-Feb-2003 henning

in expand_rule, correctly set r->pqid if a priority queue was defined, and
reuse the value of r->qid if not.

ok dhartmei@ mcbride@


# 1.331 25-Feb-2003 henning

some minor KNF my fingers just did...

ok dhartmei@ cedric@


# 1.330 25-Feb-2003 cedric

repair/simplify/flexify binat userland.
ok dhartmei@ henning@


# 1.329 24-Feb-2003 henning

when a macro is redefined, don't bother with reusing the existing entry in
symset() but just prepend a new sym entry to symhead like we always did. as
symget searches the list sequentially, the newest one is picked first.
prevents an endless loop introduced when trying to reuse the existing entry
by an invalid setting for the next pointer.
fixes regress test pf57.

found after conversation with Chris Linn, celinn at mtu dot edu

ok dhartmei@ cedric@


# 1.328 21-Feb-2003 henning

re-allow set loginterface none
ok cedric@ dhartmei@


# 1.327 21-Feb-2003 henning

better error message if set loginterface is called with nonexistent
interface, found by krause (who is doing EXCELLENT work. Thank you very
much!), fix by me, ok dhartmei@ and cedric@


# 1.326 20-Feb-2003 henning

reject nonexistent interfaces in the dynaddr case, noticed during discussion
with jasondixon at myrealbox dot com

ok dhartmei@


# 1.325 19-Feb-2003 dhartmei

Make 'from (kue0)/24' work again (dynamic interface name translation with
a /prefix), reported by Jason Dixon. ok henning@


# 1.324 19-Feb-2003 henning

better error message on icmp version / address family mismatch

ok markus@


# 1.323 18-Feb-2003 henning

fix load option handling (-A, -N, -R) for options.
due to a bug in the loadopt check options were always loaded no matter which
loadopts were specified.
while being there, move the prints for that to where they belong, into the
appropriate pfctl_set_* functions, and thus only print when the options are
actually loaded.
fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier.

ok dhartmei@


# 1.322 17-Feb-2003 henning

"optarg" was a bad pick for the variable name in pfctl_cmdline_symset, it
shadows a global. rename.


# 1.321 17-Feb-2003 mpech

-#include <sys/ioctl.h>

mcbride@, dhartmei@ ok


# 1.320 16-Feb-2003 henning

unneeded {}


# 1.319 16-Feb-2003 henning

throw a syntax error if the portunary operator in varset is no '='
extif>"whatever"
should not be the same as
extif="whatever"
but a syntax error.


# 1.318 14-Feb-2003 dhartmei

Allow route-to loopback interfaces again, since Ryan fixed the loops that
might have occurred before.


# 1.317 14-Feb-2003 cedric

Better and more consistent error message.
Ok dhartmei@


# 1.316 13-Feb-2003 henning

ease the yacc a bit by using a "not" rule instead of having two rules w/ and
without '!' everywhere

ok dhartmei@


# 1.315 12-Feb-2003 henning

KNF after ryan


# 1.314 12-Feb-2003 mcbride

Simplify the code and make the parser handle the different rule types
more consistently.

- Merge expand_nat and expand_rdr into expand_rule
- Merge rdrrule token into natrule

ok concept henning@
ok dhartmei@


# 1.313 11-Feb-2003 henning

allow macro definition on the command line:
pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea
theo), very handy if your notebook has another NIC at some conference, as
well as for debugging etc.
idea rezine@mistrusted.net via pb@
hacked live at FOSDEM

ok pb@ dhartmei@ cedric@


# 1.312 09-Feb-2003 henning

more live code from FOSDEM:
make
pass in proto tcp to port 80
work.
-allow omitting the "any" if you're specifying a port
-allow omitting the from or to part if you want "any" for the other

ok dhartmei@ pb@


# 1.311 09-Feb-2003 henning

KNF


# 1.310 09-Feb-2003 camield

Fix a few warnings and remove unnecessary check and cast.

ok dhartmei henning


# 1.309 08-Feb-2003 dhartmei

Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@


# 1.308 05-Feb-2003 cedric

Fix "pass out dup-to (tun0 1.1.1.1) inet6 all" error message
Allow "pass out dup-to tun0 all"
ok mcbride@ henning@


# 1.307 05-Feb-2003 mcbride

Set the network mask to all 1's if no address is specified for a
route-to/dup-to/reply-to rule. Keeps round-robin from incrementing through
the entire address space.

ok dhartmei@


# 1.306 03-Feb-2003 deraadt

pretty


# 1.305 03-Feb-2003 dhartmei

Don't allow loopback interfaces as route/reply/dup-to targets. ok henning@


# 1.304 03-Feb-2003 cedric

remove loadopt global definition and cleanup a bit.
ok henning@


# 1.303 03-Feb-2003 henning

fix a problem with queue definitions when load options (like -N etc) are
given; they used to check for their parent interface/queue even in this
case.

ok dhartmei@ cedric@


# 1.302 02-Feb-2003 henning

there is no need to pass opts to parse_rules explicitly; it's passed as
part of the struct pfctl.


# 1.301 27-Jan-2003 deraadt

KNF


# 1.300 25-Jan-2003 mcbride

Match changes for rdr port ranges made to pf.c:
- fixes behaviour of rdr on le0 from foo to bar port 1:20 -> (lo0) port 22
- makes calculated mapping more explicit for the -> (lo0) port 22:* case

testing from dhartmei@

ok dhartmei@


# 1.299 25-Jan-2003 cedric

Fix NOACTION with table statements.


# 1.298 25-Jan-2003 cedric

Permit initialisation of a table content from a file in pf.conf.
Cleaning up of the table options parsing, more flexible.
idea+cleanup deraadt@, ok dhartmei@, pass all regress tests.


# 1.297 25-Jan-2003 cedric

Correctly check illegal constructs with tables. Better error messages.
ok dhartmei@ pass all regress tests.


# 1.296 25-Jan-2003 henning

if a table name is too long, it's actually nice to tell so instead of just
aborting with a syntax error


# 1.295 20-Jan-2003 camield

Remove unused argument from print_name() and fix two other nits
found by lint.

ok henning


# 1.294 19-Jan-2003 camield

Spin off label string expansion into a separate function. Clarifies
and tightens all expand_label functions.

ok dhartmei henning


# 1.293 18-Jan-2003 henning

KNF after ryan...


# 1.292 18-Jan-2003 mcbride

Add missing token string and assignment to make static-port work for real.

Diff and report courtesy of mpech@ and form@

ok dhartmei@


# 1.291 17-Jan-2003 camield

bandwith -> bandwidth

YYERROR on failed parseicmpspec()

ok dhartmei mcbride henning


# 1.290 15-Jan-2003 mpech

Typo in yyerror().

henning@


# 1.289 14-Jan-2003 henning

unified IP parser:
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h]
-extend host() to handle /mask itself, plus minor adjustments
-use that in pfctl_table.c instead of coding the same shit again

discussed w/ cedric@
ok cedric@ dhartmei@


# 1.288 13-Jan-2003 camield

err() on all memory allocation failures

ok henning dhartmei


# 1.287 11-Jan-2003 mcbride

Whitespace KNF


# 1.286 09-Jan-2003 henning

no need for explicit numbering in enums

ok dhartmei@


# 1.285 09-Jan-2003 dhartmei

Check return values on the remaining strlcpy/strlcat. ok henning@


# 1.284 09-Jan-2003 henning

minor KNF


# 1.283 09-Jan-2003 cedric

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@


# 1.282 08-Jan-2003 deraadt

check more strlcpy; camield@


# 1.281 07-Jan-2003 dhartmei

Allow underscore at the beginning of strings, fixes
pass all user _spamd
which was refused as syntax error before. Reported by Joe Nall.
ok henning@


# 1.280 07-Jan-2003 dhartmei

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@


# 1.279 06-Jan-2003 mcbride

Fix some oversights with address pools for route-to/dup-to/reply-to
- copy key for src-hash
- copy pool type (pools were being set to round-robin in all cases)

+ some minor knf.

ok dhartmei@


# 1.278 05-Jan-2003 henning

err after calloc failure, not errx


# 1.277 05-Jan-2003 dhartmei

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@


# 1.276 04-Jan-2003 dhartmei

move noroute from flag in pf_rule_addr into type in pf_addr_wrap.
ok henning@, mcbride@


# 1.275 04-Jan-2003 deraadt

I do not know where this policy of "one .h file for every .c file" comes
from, but whoever thought of it is stupid.


# 1.274 03-Jan-2003 dhartmei

whitespace KNF (no, i don't touch the option inits)


# 1.273 03-Jan-2003 cedric

Bring in userland code for accessing PF radix tables.
ok dhartmei@ mcbride@


# 1.272 02-Jan-2003 mcbride

Require a direction to be specified for rules which do routing.

ok dhartmei@ henning@


# 1.271 30-Dec-2002 mcbride

Change ipv6-icmp-type to icmp6-type. pf.conf files will need to be adjusted
to reflect this.

ok dhartmei@ henning@


# 1.270 27-Dec-2002 mcbride

Since pf_norm.c looks at rule.log to see if it should log packets being
dropped due to scrub violations, this adds the ability to set this in
pf.conf.

ok henning@


# 1.269 21-Dec-2002 henning

always initialize rpool.key; diff from Frank Denis; KNF by me


# 1.268 21-Dec-2002 henning

KNF


# 1.267 20-Dec-2002 dhartmei

remove a redundant assignment.


# 1.266 19-Dec-2002 dhartmei

fix 'no rdr'.


# 1.265 18-Dec-2002 henning

more KNF


# 1.264 18-Dec-2002 dhartmei

proto list expansion is not supported in binat-anchor yet, print an error
when attempted.


# 1.263 18-Dec-2002 dhartmei

Support (single) destination port in rdr-anchor rules. Print an error
where parameters are not supported (in rdr-anchor and binat-anchor) yet.
If those are needed, we'll have to expand them properly.


# 1.262 18-Dec-2002 deraadt

fix some INCREDIBLE new bugs which were introduced


# 1.261 17-Dec-2002 henning

add support for the PRIQ scheduler

partially from kjc@

ok kjc@ dhartmei@


# 1.260 17-Dec-2002 mcbride

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule

ok dhartmei@ henning@


# 1.259 17-Dec-2002 henning

missing break in switch


# 1.258 17-Dec-2002 henning

beautify the %type block


# 1.257 17-Dec-2002 henning

PRIQ and HFSC support functions, not yet used.
mostly from kjc@ with adjustments by me.

ok theo ryan daniel


# 1.256 16-Dec-2002 henning

only create a root queue if scheduler = cbq


# 1.255 16-Dec-2002 henning

get full [scheduler]_opts struct instead of just .flags, and wrap it into a
switch (scheduler) statement in one case

inspired by kjc@


# 1.254 13-Dec-2002 henning

allow a second queue for higher prioritized (currently: tos=lowdelay) packets
to be specified per rule

queue (qname, priorized_qname)

idea dhartmei
ok dhartmei@ frantzen@ deraadt@


# 1.253 13-Dec-2002 henning

a bit KNF originally part of another diff soon to come; frantzen@ correctly
pointed out that should be a separate commit.


# 1.252 13-Dec-2002 deraadt

permit re-ordering of some scrub parameters, and also clean up some other
grammar baloney; henning ok


# 1.251 12-Dec-2002 henning

KNF


# 1.250 12-Dec-2002 henning

we don't need to keep a private copy of the queue name in expand_rule,
r->qname is never modified

discussed with dhartmei@


# 1.249 11-Dec-2002 mcbride

Replace strncpy + ugly pointer math with sscanf for reading source-hash keys

ok dhartmei@ henning@


# 1.248 09-Dec-2002 dhartmei

(properly guarded) strcpy() -> strlcpy()


# 1.247 09-Dec-2002 deraadt

do not allow redefinitions in variable option blocks; henning ok


# 1.246 08-Dec-2002 henning

strncpy is evil.


# 1.245 08-Dec-2002 henning

allow flexible options order like Theo did for rules.

idea, lots of input, motivation and ok deraadt@

ATTENTION:
this changes the syntax. the "scheduler" keyword is gone now.
old: altq on $interface scheduler cbq ...
new: altq on $interface cbq ...


# 1.244 07-Dec-2002 dhartmei

Support parameters in anchor rules. Allows conditional evaluation, like:

anchor spews inet proto tcp from any to any port smtp

ok deraadt


# 1.243 07-Dec-2002 henning

more KNF


# 1.242 07-Dec-2002 henning

KNF


# 1.241 07-Dec-2002 henning

shadow cleanup

ok mcbride@ frantzen@


# 1.240 07-Dec-2002 henning

kill an unused param to lungetc


# 1.239 07-Dec-2002 mcbride

Convert the hash of a string key to network byte order. Makes regression
work on all platforms.

Bug found by dhartmei@

ok dhartmei@ henning@


# 1.238 06-Dec-2002 dhartmei

Remove negated address list check again, doesn't work right yet.


# 1.237 06-Dec-2002 dhartmei

Introduce anchors and named rule sets, allowing loading of additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@


# 1.236 05-Dec-2002 henning

fix a small cosmetic problem. if ifa_lookup was called in LOOKUP_NET mode,
it would return things like 127.0.0.1/8. when 127.0.0.1/8 is passed through
the new selftests, it becomes 127.0.0.0/8.
fix: instead of just copying addr.mask in ifa_lookup, use set_ipmask, so it
is 127.0.0.0/8 from the beginning on.


# 1.235 05-Dec-2002 henning

-quote varset in -v output
-don't add 's' in set timeout -v output

makes the feedback regression tests succeed.

ok markus@ mcbride@


# 1.234 04-Dec-2002 henning

in host(), apply a given netmask to all members of the node_host list
returned by ifa_lookup().

reported by Alejandro G. Belluscio

ok dhartmei@


# 1.233 04-Dec-2002 deraadt

do not warn for unused variables except with -v -v; henning ok


# 1.232 02-Dec-2002 henning

KNF


# 1.231 02-Dec-2002 deraadt

permit more flexible pass/block lines. the options given at the end of
a line can now be placed in any order, and some merging of duplicate options
is also done. this is easier to use.


# 1.230 02-Dec-2002 henning

allow for "altq on $interface" without specifying a bandwidth. The
interface's bandwidth is taken then.
as a side-effect, "altq on $interface bandwidth xx%" is also possible now,
it's relative to the interface's bandwidth then.

ok theo


# 1.229 30-Nov-2002 mickey

move damn unmask() proto into place as well


# 1.228 29-Nov-2002 henning

coredumps are not nice.
deal with the fact that when we are merging the lists in host_list both can
be NULL.
found at EuroBSDCon 2002 while I was explaining the expansion process to
Paul de Weerd

ok dhartmei@


# 1.227 29-Nov-2002 henning

print queuespec only once in verbose mode, even if referenced more often


# 1.226 29-Nov-2002 henning

FREE_LIST nqueues later; can be used more than once


# 1.225 28-Nov-2002 henning

allow qlimit on altq spec


# 1.224 28-Nov-2002 mcbride

- Adjust to match replacement of md5 with pf_hash
- Allow keys to be specified in hex (must be 128 bits, mainly to make
pfctl -v output parseable by pfctl) or as a string. Randomly generate key
if one is not specified.

Suggestions and fixes from camield@

ok mickey@ camield@ henning@


# 1.223 27-Nov-2002 henning

handle the "no bandwidth specified" case earlier and easier.


# 1.222 27-Nov-2002 henning

-use a #define for default qlimit instead of hardcoding it
-print qlimit in print_queue if it is not the default one
-assign the default qlimit early in the parser instead of using 0


# 1.221 27-Nov-2002 henning

next round in print fixes:
-only print priority if it is not equal to the default one
-space handling overhaul


# 1.220 27-Nov-2002 henning

use a #define for default priority instead of hardcoding it


# 1.219 27-Nov-2002 henning

fix tbrsize spec


# 1.218 27-Nov-2002 henning

fix error message for altq ifspec without child queues


# 1.217 26-Nov-2002 henning

make bandwidth specification on queue truly optional


# 1.216 26-Nov-2002 henning

queue comes before NAT


# 1.215 25-Nov-2002 henning

repair decide_address_family
you cannot just take the first address family you meet as rule's address
family... either all are equal, or the rule has no explicit AF.

found by danh@
ok theo


# 1.214 25-Nov-2002 mickey

for loN and link1 translate the iface into address properly; henning@ ok


# 1.213 25-Nov-2002 henning

1Kb = 1000b, not 1024; as discussed with kjc@ and theo


# 1.212 25-Nov-2002 henning

KNF


# 1.211 24-Nov-2002 pb

enforce that queue comes right before filtering
'options, normalization, translation, queue, filter' now

henning@ ok


# 1.210 24-Nov-2002 dhartmei

Cosmetics and removal of a redundant code block.


# 1.209 23-Nov-2002 deraadt

sigh


# 1.208 23-Nov-2002 henning

KNF


# 1.207 23-Nov-2002 henning

better error checking in expand_queue


# 1.206 23-Nov-2002 henning

easier


# 1.205 23-Nov-2002 mcbride

Daniel's diff to untangle my mess with ifa_pick_ips like so:

- add decide_address_family() which runs through the list to find hosts
with the af set
- replace ifa_pick_ips with remove_invalid_hosts() which removes hosts with
the wrong address family from the list

from/ok dhartmei@


# 1.204 23-Nov-2002 henning

better error checking, round 1
this time in expand_altq


# 1.203 23-Nov-2002 henning

KNF


# 1.202 23-Nov-2002 deraadt

KNF


# 1.201 23-Nov-2002 dhartmei

$$->ifname is NULL, leave it NULL, don't $$->ifname[0] = 0;


# 1.200 23-Nov-2002 mcbride

Fix brokenness in parse.y, clean up:
- remove requirement for ( ) in route-to ( if )
- calloc route_host
- initialise route_host->next
- globally convert malloc to calloc

ok dhartmei@


# 1.199 23-Nov-2002 mcbride

code to support loading of pf rules with multiple redirection addresses
(in nat, rdr, route-to, dup-to and reply-to)

Syntax looks like this, see pf.conf(5) for details:

nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
192.168.0.16/29 source-hash random

rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
{ 192.168.0.8/31, 192.168.0.15 } port 22 round-robin

ok dhartmei@ henning@


# 1.198 22-Nov-2002 henning

print altq and queue lines in the pfctl -v case including the child queue
assignment


# 1.197 19-Nov-2002 henning

only take cbq opts from schedtype if type=CBQ


# 1.196 19-Nov-2002 henning

repair queuespec syntax glitch, theo agrees


# 1.195 19-Nov-2002 henning

default priority is 1, not 0
found by pb@


# 1.194 19-Nov-2002 camield

- match 'Gb' case-sensitively
- match "%" unit only, not "%crap"

ok henning@


# 1.193 19-Nov-2002 wilfried

icmp-type was off by one, ok henning@


# 1.192 18-Nov-2002 deraadt

no; do not use };


# 1.191 18-Nov-2002 henning

more using strl* return values instead of strlen calls


# 1.190 18-Nov-2002 henning

easier "queue name too long" detection; from theo


# 1.189 18-Nov-2002 deraadt

KNF


# 1.188 18-Nov-2002 deraadt

KNF


# 1.187 18-Nov-2002 henning

altq and pf merged

this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documentation yet, but committing now
enables a few more people to work on.

print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.

"commit now" theo philipp daniel


# 1.186 13-Nov-2002 henning

as scrub rules end up in a struct pf_rule just call expand_rule instead of
handcrafting this.
has quite a few positive side effects:
-interface list expansion works (fries@ asked for that)
-can specify address family, very helpful with dynamic interface expansion
(pointed out by daniel)
-src/dst ip/port list expansion works
-fixes a long standing, scary, though never noticed bug:
scrub out on lo1 from any to 10.0.0.1
expanded to
scrub out on lo1 all
... this bug was there from day #1.

"sneaky diff of the month award" dhartmei@


# 1.185 13-Nov-2002 dhartmei

Add label macro $if, as we support {} list expansion for interfaces now.
From David Gwynne. ok henning@, camield@


# 1.184 13-Nov-2002 dhartmei

Initialize tail pointer to node, found by fries@


# 1.183 08-Nov-2002 henning

init buf to NULL just in case...
there isn't a single codepath where it can remain uninitialized, but this
might prevent a stupid bug if we change something later


# 1.182 07-Nov-2002 henning

move the ifa_exists block a bit up in host()
inspired by mpech@ pointing out a missing free(buf). so handle the
it-is-an-interface case where we don't need the buf before allocating memory.


# 1.181 04-Nov-2002 henning

welcome to CIDR world, pfctl!

use inet_net_pton to parse IP addresses.
stuff like
block in from 10/8 to any
works now.

some input camield@ and dhartmei@

ok dhartmei@, camield@, mcbride@


# 1.180 02-Nov-2002 dhartmei

%i -> %d, matches the style of existing code, from millert@


# 1.179 02-Nov-2002 dhartmei

printf int with %i, not %u. from pilot@monkey.org.


# 1.178 30-Oct-2002 henning

simplify


# 1.177 30-Oct-2002 henning

fix interface expansion. since the reversed list expansion code was
committed this was broken, only the first IP address was returned.

pointed out by danh@, who sent an excellent bug report.

ok dhartmei@


# 1.176 29-Oct-2002 henning

introduce
set require-order [yes|no]
default is yes.
when set to "no", it isn't required to have the rules in order (options,
scrub, nat, filter) any more, though of course NATing still happens before
filtering and so on, so one has to take care.

ok camield@ mcbride@ dhartmei@
idea discussed with a whole lotta more people and basically ok for everyone ;-)


# 1.175 27-Oct-2002 henning

remove the "flags X" syntax.
noone who wrote "flags S" meant that, but actually something like "flags
S/SA". with "flags S" changing its actual meaning as more flags got
supported, things got worse.

ok dhartmei@, pb@


# 1.174 22-Oct-2002 mpech

%ul -> %lu

dhartmei@ ok


# 1.173 22-Oct-2002 mcbride

More conversion of "int af" and "u_int8_t af" declarations and function
arguments to the more correct and descriptive "sa_family_t af"

ok dhartmei@ henning@


# 1.172 22-Oct-2002 camield

Rename ipmask to set_ipmask and add some functionality: the netmask
is applied immediately to the address.

This way, the parsed rules output shows exactly which bits of an
address are significant for a match and errors due to wrong netmasks
can be spotted more easily.

Example:
$ pfctl -nvf -
pass in on lo0 from 172.17.0.0/12 to any
@0 pass in on lo0 inet from 172.16.0.0/12 to any

idea refined by dhartmei@
ok frantzen@ henning@


# 1.171 17-Oct-2002 mcbride

These checks are also made in nat_consistent() and rdr_consistent().

ok dhartmei@ henning@


# 1.170 17-Oct-2002 camield

- accept all protocols that are specified by number if they are in
the valid range (also when they're not listed in /etc/protocols)
- explicitly disallow protocol number 0, because it has special meaning
to pf

ok dhartmei@ henning@


# 1.169 16-Oct-2002 mpech

Fix and improve binat mask comparison.

dhartmei@, henning@ ok


# 1.168 14-Oct-2002 henning

Allow one to specify a netblock in a binat rule:

binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27

Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.

from ryan

ok dhartmei@


# 1.167 11-Oct-2002 camield

When a macro cannot be expanded because it is not defined, say so. Also warn
about unused macros.

ok dhartmei@ henning@


# 1.166 11-Oct-2002 camield

In lgetc(), compress strings of whitespace to a single space. This makes
macros come out right in verbose mode and is less functional overhead.

Also err on whitespace after a backslash. That type of error is hard to
find otherwise.

ok dhartmei@ henning@


# 1.165 08-Oct-2002 vincent

remove <0 checks on unsigned numbers.

ok henning@


# 1.164 07-Oct-2002 dhartmei

-Wsign-compare clean


# 1.163 07-Oct-2002 dhartmei

Two cases of const-correctness and make one global local.


# 1.162 07-Oct-2002 henning

set block-policy [drop|return]
drop is default, same behaviour as before

support
block drop
to override a return policy


# 1.161 07-Oct-2002 henning

support a generic return
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else

ok dhartmei@


# 1.160 07-Oct-2002 henning

make return-icmp work for rules covering both v4 and v6
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)

ok and some input dhartmei@


# 1.159 07-Oct-2002 henning

use a new rule_flag PFRULE_RETURNICMP to decide whether to return-icmp or not
instead of just testing return_icmp > 0

ok dhartmei@


# 1.158 07-Oct-2002 dhartmei

Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.


# 1.157 06-Oct-2002 dhartmei

Move CHECK_ROOT into LOOP_THROUGH, gets rid of one macro and saves
several lines, no functional difference. From Camiel Dobbelaar.


# 1.156 05-Oct-2002 dhartmei

Expand {} lists from left to right, so 'pass in from { a, b } to any'
becomes '@0 pass in from a to any @1 pass in from b to any' instead of
the other way around. Patch from Camiel Dobbelaar.


# 1.155 05-Oct-2002 dhartmei

Allow filtering based on IP header's tos field.


Revision tags: OPENBSD_3_2_BASE
# 1.154 22-Sep-2002 henning

little KNF: return(something) -> return (something)


# 1.153 22-Sep-2002 henning

fix line number counting in findeol, and simplify by ignoring the \ case,
that's already handled earlier.
fast-forward on erroneous lines

partially from camield@, parts result of a discussion with Mike

ok frantzen@ dhartmei@


# 1.152 22-Sep-2002 henning

antispoof, take 2.
also block incoming packets with our own IP as src.

discussion & help frantzen

ok ho@ dhartmei@ frantzen@


# 1.151 17-Sep-2002 henning

easier "self" implementation.
no functional changes

ok pb@


# 1.150 15-Sep-2002 henning

set a netmask in the dynaddr case
noticed by <han@mijncomputer.nl>

ok pb@


# 1.149 14-Sep-2002 henning

bit more clue in rdr/nat rules wrt address family examination
don't take the af from host_node structs based on interface lookups, most
interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will
at least have one IP address specified from which we take the af for the
whole rule. The rare exceptional cases require the user to specify the af.

ok frantzen@


# 1.148 12-Sep-2002 henning

check for calloc() failure; ho@


# 1.147 12-Sep-2002 henning

antispoof [log] [quick] for [interface|interface_list] [af]

e. g.

antispoof log quick for { dc0, dc1 } inet

docs & regress coming

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@
IPv6 help itojun@

finally, a long story finds its happy end here.


# 1.146 12-Sep-2002 henning

rework netmask handling:
-don't set netmask in host token handler
-clear netmask in ipmask() proper before setting it
-in ifa_load(), also store interface's netmask and broadcast address
-allow ifa_lookup() to return either the interface's IP address(es), network(s)
or broadcast address(es) - not used anywhere yet. This implies that
ifa_lookup() also returns the netmask now.
-host() returns netmasks, too

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@


# 1.145 08-Sep-2002 henning

be more clueful wrt address family in nat/rdr rules.
behaviour noticed by Paul de Weerd, thanks!

ok dhartmei@


# 1.144 02-Sep-2002 dhartmei

Fix parsing of port ranges in translation rules (port a:b -> port c:d).
ok henning@


# 1.143 02-Sep-2002 dhartmei

Make sure the interface specified with route-to/dup-to/fastroute exists
and null-terminate the interface name. Found by Michael Wallis.
ok henning@


# 1.142 20-Aug-2002 dhartmei

Increase lineno on newlines inside multi-line macro definitions, otherwise
errors on subsequent lines are reported with wrong line numbers.
From Paul B. Henson.


# 1.141 16-Aug-2002 henning

kill duplicated check for '(' and ')' in allowed_in_string


# 1.140 12-Aug-2002 dhartmei

Catch null pointer deref (segfault), from wilfried@


# 1.139 06-Aug-2002 henning

missing free(), mpech@
ok pb@


# 1.138 06-Aug-2002 henning

check for strdup() allocation errors

pointed out by mpech@
ok pb@


# 1.137 31-Jul-2002 henning

KNF, esp. missing prototypes


# 1.136 30-Jul-2002 henning

grmpf.
in some cases, on non-tcp rules flags weren't reset. cosmetic-only
problem. but, well, checking for r->flags and r->flagset if we could have
assigned them zero just one round ago is just stupid, and it's not needed to
check them at all.

ok pb@, dhartmei@


# 1.135 30-Jul-2002 henning

allow specifying flags on all rules that include tcp.

these are valid:

pass in from any to any flags S
pass in proto { tcp, udp, icmp } from any to any flags S
pass in proto tcp from any to any flags S

these are invalid:

pass in proto { udp, icmp } from any to any flags S
pass in proto udp from any to any flags S

ok "I've lost my slacker status for at least a week" frantzen@
ok pb@, dhartmei@, deraadt@


# 1.134 26-Jul-2002 henning

make the order of log and quick irrelevant. now both
block in log quick all
and
block in quick log all
work.

ok dhartmei@, deraadt@


# 1.133 23-Jul-2002 henning

timeout_list/_spec and limit_list/_spec don't return anything -> no %type.

ok theo


# 1.132 21-Jul-2002 deraadt

fix route-to also


# 1.131 21-Jul-2002 deraadt

make the , optional in many places. This makes string concat a lot more
useful. Now you can
in = ssh domain www
out = $in ftp finger
pass in proto tcp from any to any port { $in }
pass out proto tcp from any to any port { $out }
a poor example, but the idea is obvious


# 1.130 21-Jul-2002 deraadt

string concat, ie.
a=a b
c=$a $a


# 1.129 20-Jul-2002 deraadt

minor indent tweaks


# 1.128 20-Jul-2002 deraadt

properly split yacc and lex use


# 1.127 19-Jul-2002 deraadt

minor tweaks, sigh


# 1.126 19-Jul-2002 dhartmei

And back out the last change again.


# 1.125 19-Jul-2002 henning

rework the interface lookup routines internals.
less and easier code than before.
no functional changes.

ok frantzen@, dhartmei@


# 1.124 19-Jul-2002 dhartmei

Support # comments at the end of lines and inside (multi-line) string
literals, so you can do things like

macro="{ foo, # first entry
bar, # second entry
baz }" # last entry

or

pass in on $ext_if \ # external interface
proto tcp \ # TCP connections
from any to $ext_if \ # to the gateway itself
keep state

And sneaking in two minor fixes for KNF.


# 1.123 19-Jul-2002 henning

deal with the fact that the struct node_host ifa_pick_ip gets is not always
the result of an interface expansion. in this case ifa_pick_ip does an
address family check (that's actually a (wanted) side effect). Thus, we need
to spit out a meaningful error message in case of a mismatch.
also adjust all the other error messages, they were also assuming that nh is
the result of an interface expansion.
after a looooong discussion on icb (dhartmei@, pb@, me) we agreed on the term
"translation address" for that.

okay dhartmei@


# 1.122 17-Jul-2002 henning

support "self" as address. self expands to all IPv4 and IPv6 addresses of
the machine, on all interfaces. I wanted
block in log on ! lo0 from any to self
for years, and now it's possible.

ok "I may lose my slacking status if I OK it" frantzen@
ok dhartmei@

documentation in pf.conf.5 to come with pb@'s rewrite


# 1.121 16-Jul-2002 dhartmei

Add nat_consistent() and rdr_consistent() for checks that should occur
after rule expansion, similar to rule_consistent(). Fixes the
non-effective test for rdr rules for non-TCP/UDP protocols with ports,
found by mpech@, ok frantzen@


# 1.120 15-Jul-2002 henning

add support for
pass|block on ! $interface ...

ok dhartmei@

will be documented in pf.conf(5) by "I'm not slacking!" pb@ who's currently
reworking this manpage


# 1.119 15-Jul-2002 pb

cosmetics/consolidations to manpage in yyerror()s

ok henning@, dhartmei@


# 1.118 15-Jul-2002 henning

o complain about keep state on block rules
o complain about return-rst on rules which aren't limited to tcp

pointed out by not-slacking-but-testing pb@

ok pb@, dhartmei@


# 1.117 13-Jul-2002 henning

add list expansion for interface and proto in nat rules and for proto in rdr
rules (interface was already there). since the nat.conf/pf.conf merge the
parser accepted these but didn't expand them. ugh.

ok dhartmei@


# 1.116 09-Jul-2002 itojun

check sin6_scope_id field, just in case we change the routing socket API
for scoped address (unlikely due to the deployed codebase...).


# 1.115 09-Jul-2002 itojun

getifaddrs(3) grabs link-local addrs in kernel internal form, convert them
into proper sockaddr_in6.


# 1.114 09-Jul-2002 henning

rework the interface-to-IP routines.

you can use interface names instead of an IP in most places. However, until
now, it was only expanded to the interface's first IPv4 address if existent
(and address family unset or inet) and the first IPv6 address otherwise.

this diff changes that. the interface is properly expanded to all IPs, IPv4
_and_ IPv6, now.

it also cleans up the lookup procedures (well, in fact, they are replaced by
a new one), there's no need for different procedures for IPv4 and IPv6. we
now just have one list of interfaces (AF_LINK) and one list with IPs
(AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and
ifa_lookup.

nat, rdr & friends now use the new function ifa_pick_ip to get the IP in
rules like

nat on $interface from $whatever to any -> $interface

ifa_pick_ip tries to be smart.
if the interface has only one IP address and the nat rule doesn't specify an
address family (or it matches with this address), take this one.
If the address family is specified in the nat rule and there is only one IP
for the given address family, this one is used. if the address family is not
specified and there is more than one IP pfctl throws an error. The same
applies for multiple IPs per address family.

This causes regression tests 18 and 20 to fail because the address family
isn't specified there; diff for those coming.

also fix some prototypes while I'm here.

pb@ found another problem while testing that we must have introduced somewhat
after 3.1.

$cat t
nat on ne3 from any to any -> 213.128.133.5
$pfctl -nvf t
nat on ne3 all -> ?

it's only a representation bug as far as I've checked, nonetheless it should
be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just
steal its target's IP af and set the rule's af accordingly. then inet_ntop
does play nice.
binat rules already enforce having an address family set always and thus are
not affected.

ok dhartmei@, pb@, kjell@
"It looks good" frantzen@


# 1.113 08-Jul-2002 dhartmei

Don't allow 'flags' option in non-TCP rules, found by mpech@


# 1.112 05-Jul-2002 henning

unbreak.


# 1.111 05-Jul-2002 henning

another small bug I found while installing a -current pf firewall.
we don't support

pass/block in on ! <interface>

(at least, not yet)
let the parser complain instead of ignoring the '!'

ok pb@, dhartmei@


# 1.110 01-Jul-2002 espie

streamline parse buffer handling (no need to copy value that is not
going to go away).

add explicit pushback buffer, to be able to push IPv6 failed parses back.

handle pushback + parse buffer interactions by using negative indices.

okay dhartmei@, deraadt@


# 1.109 01-Jul-2002 deraadt

KNF


# 1.108 28-Jun-2002 dhartmei

Don't check for address family conflicts in nat/rdr before expansion,
rules will expand to all valid combinations, and there's an error when
none is found. Makes "nat on tun0 from 10.0.0.0/8 to any -> (tun0)"
work (again).


# 1.107 25-Jun-2002 henning

move pfctl options -t, -m, -O and -l to pf.conf. These are set using the
"set" keyword. example rulefile:

set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all

fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@


# 1.106 24-Jun-2002 dhartmei

Use interface when specified in scrub rule. No support for ! or {} yet.


# 1.105 23-Jun-2002 deraadt

uid_t and gid_t are unsigned


# 1.104 20-Jun-2002 dhartmei

Copy address family from inet/inet6 keyword, if specified.


# 1.103 18-Jun-2002 frantzen

propagate a '!' when a host resolves to multiple IP addresses
ok dhartmei@


# 1.102 18-Jun-2002 frantzen

don't allow individual keep state rules to specify timeouts for 'interval' and
'frag' -- they aren't applied anyway
ok dhartmei@ and henning@


# 1.101 16-Jun-2002 aaron

Rules must in order -> Rules must be in order


# 1.100 15-Jun-2002 dhartmei

Reset rulestate in parse_rules(), so consecutive calls (like from authpf)
will not fail. Reported by Chris Kuethe.


# 1.99 13-Jun-2002 kjell

Fix the numbering of scrub rules. pointed out and oked by frantzen@


# 1.98 12-Jun-2002 kjell

Fix uninitialized access. Spotted by danh@ This is a good reason to
develop with "ln -s 'J' /etc/malloc.conf" enabled.
ok henning@


# 1.97 11-Jun-2002 frantzen

split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@. the rest are slacking


# 1.96 11-Jun-2002 frantzen

SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@


# 1.95 11-Jun-2002 dhartmei

Make NAT proxy port range configurable per rule, for instance privileged
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@


# 1.94 10-Jun-2002 kjell

Merge the NAT and rules files into a single rulefile. Rules must be
in this order, to remove any ambiguity about what order things happen in:

scrub rules
nat rules
filter rules

The -N and -R modifiers go away. Rulefiles are now loaded with the
more POSIXly-correct '-f'

ok frantzen@


# 1.93 10-Jun-2002 dhartmei

Allow ports to be specified in nat rules, useful later on for individual
proxy port ranges.


# 1.92 10-Jun-2002 dhartmei

Move enum out of struct (gcc 3.1 wasn't happy), from David Krause


# 1.91 10-Jun-2002 kjell

split scrub rule processing into its own yacc target,
for imminent config file merge. ok frantzen@


# 1.90 09-Jun-2002 dhartmei

Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it
includes ports and operator.


# 1.89 09-Jun-2002 deraadt

spaced out developers...


# 1.88 09-Jun-2002 kjell

Add list parsing in RDR rules: e.g.

rdr on $IFLIST proto tcp from $SRC_LIST to $DST_LIST port 21 \
-> 127.0.0.1 port 8021

ok dhartmei@


# 1.87 08-Jun-2002 henning

nuke unused parameter af to expand_label_port
ok dhartmei@, pb@


# 1.86 08-Jun-2002 dhartmei

Change remaining read-only lookup tables to const, suggestion drahn@


# 1.85 08-Jun-2002 itojun

comment on IPv6 link-local twists


# 1.84 08-Jun-2002 kjell

add list expansion to src/dest in NAT rules. i.e.

nat on fxp0 from { 10.0.0.0/24, 10.0.1.0/24 } to \
{ 172.6.1.1, 172.14.1.2/32 } -> fxp0

ok theo, dhartmei@


# 1.83 08-Jun-2002 henning

remove macro concatenation via += per Theo's advice


# 1.82 08-Jun-2002 henning

allow macro concatenation like
webservers = "{ 10.0.0.1, 10.0.0.7, 10.0.0.8, "
webservers += " 10.0.0.17, 10.0.0.25, 10.0.0.37 }"
ok frantzen@, dhartmei@


# 1.81 08-Jun-2002 dhartmei

Make state timeouts configurable per rule, like

pass in from any to any port www keep state (tcp.established 60)

ok frantzen@


# 1.80 08-Jun-2002 henning

expand $nr -> rule number in rule labels
okay dhartmei@, frantzen@


# 1.79 08-Jun-2002 henning

expand $proto in rule labels
okay frantzen@ dhartmei@


# 1.78 07-Jun-2002 dhartmei

Handle realloc() failure gracefully. Terminates with err() anyway in this
case, but we don't want to trigger "p = realloc(p," grepping causing false
alarms here.


# 1.77 07-Jun-2002 deraadt

henning, read this to see what i mean by KNF


# 1.76 07-Jun-2002 pb

add the possibility to configure a TTL while return-rst

ok dhartmei@, ipv6 part itojun@ ok


# 1.75 07-Jun-2002 dhartmei

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@


# 1.74 07-Jun-2002 henning

allow using $srcaddr, $srcport, $dstaddr and $dstport in rule labels,
evaluated at parse time.
ok dhartmei@


# 1.73 07-Jun-2002 itojun

make IPv6 scope identification work for dst (from any to fe80::1%lo0)


# 1.72 07-Jun-2002 itojun

support scoped IPv6 address in from/to portion.


# 1.71 01-Jun-2002 hugh

ECN flag support for pf. Committed in consultation with Daniel.


# 1.70 24-May-2002 dhartmei

Support mixed (IPv4/v6) address lists, expand to all possible and valid
combinations. 'pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }' will
expand to two rules, 'from 10.1.2.3 to 10.4.5.6' and 'from ::1 to ::2'.
Also applies to host name resolution (when multiple addresses are returned
for one name). ok frantzen@, itojun@


# 1.69 23-May-2002 deraadt

tiny KNF, some malloc checks, etc


# 1.68 23-May-2002 itojun

new_addr is not used from anywhere. daniel@benzedrine.cx ok


# 1.67 19-May-2002 deraadt

KNF


# 1.66 12-May-2002 dhartmei

Explain that user/group 'unknown' can only be used with operators = and !=
and refuse other constructs in the parser. Also note that 'user >= 0' does
not match forwarded packets with unknown user ID.


# 1.65 12-May-2002 dhartmei

Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.


# 1.64 10-May-2002 dhartmei

Handle host name resolution returning multiple addresses in the rule
parser (expand to every address). ok frantzen@


# 1.63 09-May-2002 jasoni

Add a max-mss option to the scrub rule which will enforce a maximum mss
by lowering it to the given value.
- ok dhartmei@, provos@


# 1.62 09-May-2002 dhartmei

Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.


# 1.61 24-Apr-2002 dhartmei

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).


# 1.60 23-Apr-2002 dhartmei

Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.


# 1.59 18-Apr-2002 deraadt

use strlcpy


# 1.58 17-Apr-2002 dhartmei

Reset lineno for each file, so pfctl -R ... -N ... reports the right
line number for non-first files. Reported by aaron@


Revision tags: OPENBSD_3_1_BASE
# 1.57 27-Mar-2002 mickey

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok


# 1.56 27-Feb-2002 dhartmei

Instead of printing useless @0 rule numbers from pfctl -vR, increase a
counter. Helps debugging rule sets that are not loaded. Suggested by
John Kerbawy.


# 1.55 11-Jan-2002 mickey

use bsearch() for keywords lookup, swap couple of entries to make the keywords array sorted and add a comment to keep it that way; dhartmei@ ok


# 1.54 10-Jan-2002 hugh

Let port 0 be specified as it's not special here.
Agreement with Daniel and others.


# 1.53 09-Jan-2002 mpech

Port must be >0 and <=65535. Idea while have fun with ssh.

dhartmei@ ok


# 1.52 09-Jan-2002 mpech

free() 'interface' in {nat,binat,rdr}rule

dhartmei@ ok


# 1.51 09-Jan-2002 dhartmei

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.


# 1.50 08-Jan-2002 dhartmei

Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.


# 1.49 07-Jan-2002 mpech

remove 3rd argument from ipmask(), not used.

dhartmei@ ok


# 1.48 23-Dec-2001 deraadt

find correct line number in lval, instead of val


# 1.47 10-Dec-2001 dhartmei

Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.


# 1.46 05-Dec-2001 dhartmei

Correctly parse hex numbers. Spotted by Claudio Jeker. Closes PR 2234.


# 1.45 03-Dec-2001 dhartmei

For nat, binat and rdr rules, don't allow different address families in
one rule. pf can't translate IPv4 <-> IPv6 packets. Such rules didn't work,
even if they were falsely accepted before.


# 1.44 26-Nov-2001 jasoni

add fastroute options similar to what is found in ipf
ok dhartmei@, frantzen@


# 1.43 05-Nov-2001 deraadt

no one responds.
this diff makes } and { not be part of symbols


# 1.42 24-Oct-2001 dhartmei

Check interface names using ifa0_lookup() and print error message for
non-existent interfaces (instead of the generic ioctl error returned by
the kernel in this case).


Revision tags: OPENBSD_3_0_BASE
# 1.41 15-Oct-2001 dhartmei

branches: 1.41.2;
Add 'allow-opts' to rules. Packets with IP options will be blocked by
default now, and can be allowed per rule. ok deraadt@


# 1.40 11-Oct-2001 frantzen

Don't htonl() past buffer bounds if ipmask == 128


# 1.39 07-Oct-2001 dhartmei

Add interface name to address translation to pfctl, document it and add
a regress test. Translation is done on rule set load-time only, so the
rule sets must be reloaded when an interface address changes.
parse.y patch from Cedric Berger. Similar patch from Jonathon Fletcher.
Thanks to both.


# 1.38 01-Oct-2001 markus

print variable assignments only if -v is given. ok dhartmei/deraadt


# 1.37 28-Sep-2001 dhartmei

Support underscores in macro names and document it in the man page.


# 1.36 20-Sep-2001 dhartmei

Fix uninitialized structure fields. Problem reported by Cedric Berger.


# 1.35 15-Sep-2001 wilfried

Implement return-icmp(number), return-icmp6(number)
Differentiate between return-icmp and return-icmp6,
icmp-type and ipv6-icmp-type. ok dhartmei@


# 1.34 15-Sep-2001 dhartmei

Fix 'binat ... to any ...' (binat.af wasn't set).


# 1.33 15-Sep-2001 dhartmei

Parse bug, found by wilfried@


# 1.32 15-Sep-2001 frantzen

IPv6 support from Ryan McBride (mcbride@countersiege.com)


# 1.31 12-Sep-2001 markus

check calloc() return value


# 1.30 06-Sep-2001 jasoni

- you can only binat between hosts
- add binat example and description


# 1.29 06-Sep-2001 jasoni

1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@


# 1.28 04-Sep-2001 dhartmei

Support parameter lists {} for interfaces in filter rules, like
pass in on { gm0, kue0 } from any to any


# 1.27 28-Aug-2001 markus

move '!' from host_list to host: "xhost : '!' host | host;"; ok dhartmei@


# 1.26 28-Aug-2001 markus

check for malloc/strdup == NULL


# 1.25 28-Aug-2001 dhartmei

Support ! operator in host parameter lists. Fixes PR system/2030. Reported
by Kamil Andrusz <wizz@mniam.net>.


# 1.24 26-Aug-2001 deraadt

sort keywords


# 1.23 25-Aug-2001 frantzen

PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation.


# 1.22 23-Aug-2001 millert

o for a port_item, initialize the "next" pointer to NULL
o for an address, use calloc() instead of malloc() so the struct is zeroed
Fixes a SEGV in pfctl due to uninitialized "next" pointers.


# 1.21 23-Aug-2001 deraadt

Support var="string". Expansion (at lex time) done using $var, for instance:
okproto="{ssh, smtp, domain, auth}"
pass in on key0 proto tcp from any to any port $okproto keep state
Can I ask someone else to document this in pf.conf(5)?


# 1.20 19-Aug-2001 dhartmei

Add parameter list support to parser. Handles lists for protocol, hosts
and ports in filter rules, like

block in from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
pass in proto tcp from any to any port { ssh, 1024 >< 2000, > 65000 }
block in proto { udp, igmp }

and does rule expansion (generate all needed rule combinations).


# 1.19 16-Aug-2001 deraadt

track the line number per-token, so that we can report errors correctly


# 1.18 14-Aug-2001 mickey

optimize the flags parsing; markus@ ok


# 1.17 11-Aug-2001 deraadt

\+\n support, and spit out cc-style error messages. the parser's line
counting is lex dependent, and will need to be tweaked


# 1.16 31-Jul-2001 wilfried

allow to test that flags are unset, ok dhartmei@, mickey@


# 1.15 19-Jul-2001 krw

Fix/complete the handling of the binary ops >< and <> to behave
like the ipf operators.

The 'n >< m' construct (Include Range = PF_OP_IRG) should match
ports greater than n and less than m, not greater than or equal to
n and less than or equal to m.

The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match
all ports less than n OR greater than m, not be treated as an
alias for ><.

Thus PF_OP_GL, which was used for both <> and >< is replaced with
PF_OP_IRG and PF_OP_XRG with the 'correct' semantics.

OK dhartmei@
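
As an added illustration (not code from parse.y), this C snippet parses a pf.conf-style port expression with numeric bounds and evaluates it with the exclusive-range semantics described above. The enum, struct and function names are the example's own, not pf's; service names are not resolved.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Port operators; the IRG/XRG names echo the PF_OP_IRG and PF_OP_XRG
 * constants named in the log, but this enum is the example's own. */
enum port_op {
	OP_EQ, OP_NE, OP_LT, OP_LE, OP_GT, OP_GE,
	OP_IRG,	/* n >< m: strictly inside the range */
	OP_XRG	/* n <> m: strictly outside the range */
};

struct port_spec {
	enum port_op op;
	uint16_t a, b;	/* b is only meaningful for IRG and XRG */
};

/* Map an operator token to its enum value; returns -1 for unknown tokens. */
static int
lookup_op(const char *tok)
{
	static const struct { const char *s; enum port_op op; } tab[] = {
		{ "=", OP_EQ }, { "!=", OP_NE }, { "<", OP_LT }, { "<=", OP_LE },
		{ ">", OP_GT }, { ">=", OP_GE }, { "><", OP_IRG }, { "<>", OP_XRG },
	};
	for (size_t i = 0; i < sizeof(tab) / sizeof(tab[0]); i++)
		if (strcmp(tab[i].s, tok) == 0)
			return tab[i].op;
	return -1;
}

/* Parse "22", "> 65000", "1024 >< 2000" or "100 <> 200" (numeric ports
 * only). Returns 0 on success, -1 on a syntax or range error; bounds
 * outside 0..65535 are rejected. */
int
parse_port_spec(const char *s, struct port_spec *out)
{
	char tok[3] = "";
	unsigned long a, b = 0;
	int op;

	if (sscanf(s, "%lu %2[<>=!] %lu", &a, tok, &b) == 3) {
		op = lookup_op(tok);
		if (op != OP_IRG && op != OP_XRG)
			return -1;	/* binary form needs a range operator */
	} else if (sscanf(s, "%2[<>=!] %lu", tok, &a) == 2) {
		op = lookup_op(tok);
		if (op < 0 || op == OP_IRG || op == OP_XRG)
			return -1;	/* unary form cannot take a range operator */
	} else if (sscanf(s, "%lu", &a) == 1) {
		op = OP_EQ;
	} else
		return -1;

	if (a > 65535 || b > 65535)
		return -1;
	out->op = op;
	out->a = (uint16_t)a;
	out->b = (uint16_t)b;
	return 0;
}

/* Does port p satisfy the spec? IRG and XRG exclude both endpoints. */
bool
port_match(const struct port_spec *ps, uint16_t p)
{
	switch (ps->op) {
	case OP_EQ:  return p == ps->a;
	case OP_NE:  return p != ps->a;
	case OP_LT:  return p < ps->a;
	case OP_LE:  return p <= ps->a;
	case OP_GT:  return p > ps->a;
	case OP_GE:  return p >= ps->a;
	case OP_IRG: return p > ps->a && p < ps->b;
	case OP_XRG: return p < ps->a || p > ps->b;
	}
	return false;
}
```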


# 1.14 18-Jul-2001 markus

new ERROR token, errx() -> warnx() + ERROR; ok deraadt@


# 1.13 18-Jul-2001 markus

KNF for return


# 1.12 18-Jul-2001 mickey

check number range to fit in 32 bits


# 1.11 18-Jul-2001 mickey

put range checks on NUMBER, pointed out by deraadt


# 1.10 17-Jul-2001 mickey

spaces, parens, err instead of errx+strerror


# 1.9 17-Jul-2001 markus

warnx()/YYERROR instead of errx(); suggested by mickey@


# 1.8 17-Jul-2001 provos

markus doesn't like min-ttl =, begone


# 1.7 17-Jul-2001 provos

support min-ttl, okay dhartmei@


# 1.6 17-Jul-2001 provos

normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@


# 1.5 17-Jul-2001 marc

bitch about ! in pf rule; ok dhartmei@ and markus@


# 1.4 17-Jul-2001 millert

Only set default proto in the rdr case; markus@ OK


# 1.3 16-Jul-2001 markus

errx() if getservbyname() fails


# 1.2 16-Jul-2001 markus

better flags parsing; dhartmei


# 1.1 16-Jul-2001 markus

add a yacc parser for pf.conf and nat.conf, with help from mickey@,
plus: -n now turns off all operations, and just parses the conf files
ok deraadt@


# 1.701 28-Jan-2020 bket

sbin/pfctl: replace TAILQ concatenation loop with TAILQ_CONCAT

OK kn@, sashan@, florian@


# 1.700 15-Jan-2020 kn

Do the actual pfr_strerror() to pf_strerror() rename

Missed in previous


# 1.699 17-Oct-2019 millert

Use -1 to indicate an invalid uid/gid, not UID_MAX and GID_MAX.
This is the userland portion. OK deraadt@ sashan@


Revision tags: OPENBSD_6_6_BASE
# 1.698 26-Aug-2019 tobhe

Fix file descriptor leak due to popfile() never closing the main config file.

The fix is the same as for other parse.y files in the tree (see bgpd(8) or
unwind(8))

ok bluhm@


# 1.697 05-Jul-2019 patrick

Fix integer sizes in format strings and enable formatting warnings
for yyerror.

From Moritz Buhl
ok bluhm@ claudio@


# 1.696 08-May-2019 sashan

pfctl should check pfctl.astack is not overrun
(bug found and fixed by Petr Hoffmann _at_ oracle.com)

OK kn@


# 1.695 18-Apr-2019 kn

Fix table definition parsing as unprivileged user

revision 1.689 introduced warn_duplicate_tables() unconditionally, breaking
the parser on tables with insufficient permissions to open pf(4):

$ echo 'table <t>' | pfctl -nf-
pfctl: pfr_get_tables: Bad file descriptor

So simply check whether pfctl is able to get the table list first. If not,
instead of silently avoiding namespace collision checks, print a brief
notice iff `-v' is given to help finding duplicate definitions by hand:

$ echo 'table <t>' | ./obj/pfctl -vnf-
table <t>
stdin:1: skipping duplicate table checks for <t>

Reported by Rivo Nurges, thanks!
OK benno sashan


Revision tags: OPENBSD_6_5_BASE
# 1.694 06-Mar-2019 kn

Fix once rules

parse.y revision 1.682 from 16.07.2018 erroneously allowed `match once' and
`anchor "a" once'.

Fix both by checking for PF_DROP not PF_MATCH and creating anchors in the
parser already such that they can be used to distinguish anchor rules in
the same check as well.

Found and fixed by Petr Hoffmann <petr.hoffmann at oracle dot com>, thanks!

While here, remove an unneeded cast and make pfctl_add_rule() void as it
always returned 0.

OK sashan


# 1.693 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.692 10-Feb-2019 kn

Anchor names must not be empty

The parser would allow bogus input and sometimes even produce invalid rules
on empty anchor names, so error out immediately.

OK sashan


# 1.691 10-Feb-2019 kn

Unify anchor name sanity checks

For anchor names, make `load anchor' use the same grammar as `anchor' and
merge unique checks from both places so that anchor names are validated
regardless of the specific rule at hand.

OK sashan


# 1.690 31-Jan-2019 kn

Make divert-packet port accept any port specification

Contrary to other rules accepting a single port, this one only works with
numerical values. Fix it by simply using the proper grammar.

Port ranges are not accepted, but an error message on a range without start
was missing in general, so add it while here.

OK bluhm


# 1.689 11-Jan-2019 kn

When creating tables inside anchors, pfctl warned about namespace
collisions with global tables, but only in certain cases and with
limited information sometimes leaving users clueless.

Deferring the check to process_tabledefs() where tables are eventually
created, both anchor and table name are known which allows for checking
all existing anchors.

With this, warn on all duplicates even in dry-runs (`-n') and print
quoted names so they can be copied to fix configurations right away.

No functional change in parsing or ruleset production.

Discussed with and OK sashan


# 1.688 15-Nov-2018 dlg

scrub opts don't set tos, so remove it from the scrub_opts struct

ok deraadt@


# 1.687 10-Nov-2018 kn

Unbreak `-D macro=value' (r1.686 regression)

Zap trailing semicolon introduced with miko's cmdline_symset() leading to
unconditional err(3). Zap trailing tab while here.


# 1.686 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.685 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.684 16-Sep-2018 millert

Use uid_from_user(3) and gid_from_group(3) in utilities that
do repeated lookups. OK tb@


# 1.683 06-Sep-2018 kn

Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan


# 1.682 16-Jul-2018 kn

reduce duplicate code, fix typo/free correct buffer

In filteropts_to_rule():

* Merge `once' handling from `anchorrule' and `pfrule'
* Remove/shorten duplicate code block
* Fix typo I introduced with r1.678 that frees the wrong buffer (twice)

OK sashan


# 1.681 13-Jul-2018 kn

Fix regression on child queue definitions

I committed the wrong diff in 1.680 which turned `queue cq parent pq ...'
into invalid syntax by changing `interface' to `ON if_item'.

Found by bket, thanks!


# 1.680 11-Jul-2018 kn

Prevent invalid interface specifiers on queue rules

pf.conf(5) states that queues attach to actual interfaces only, yet the
following parses:

# echo queue eq on egress bandwidth 1G default | pfctl -f-
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

# echo queue rq on rdomain 0 bandwidth 1G default | pfctl -vf-
queue rq bandwidth 1G default
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

On rdomains, ifa_exists() returns NULL.
On interface groups, ifa_exists() returns non-NULL but af is never set
to AF_LINK.

OK henning sashan


# 1.679 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.678 10-Jul-2018 henning

'set delay' for the generic packet delay mechanism, ok benno sashan


# 1.677 10-Jul-2018 kn

fix anchor rules with filter opts, introduce filteropts_to_rule()

Some filter options were parsed but not set on anchor rules due to missing
copies of the respective struct members:

$ cat pf.conf
queue rq on trunk0 bandwidth 1G
queue dq parent rq bandwidth 1G default
anchor a set queue dq
$ pfctl -vnf pf.conf | fgrep queue
anchor "a" all

Fix this by moving common code from `anchorrule' and `pfrule' into a new
helper filteropts_to_rule().

Input from henning and benno
OK henning sashan jca


# 1.676 09-Jul-2018 kn

Zap dead code

Commented since r1.465 (2004).

OK deraadt benno jca sashan


# 1.675 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.674 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.673 18-May-2018 benno

A pf rule with a "on rdomain n" with nonexisting rdomain n will cause an

pfctl: DIOCADDRULE: Device busy

error when loading the ruleset, with no information which rule caused
the problem and no indication that the problem is the rdomain
<nonexisting>.

This diff makes pfctl check if the rdomain really exists when parsing
the config.

ok bluhm@


# 1.672 09-May-2018 otto

Fix (include file ) line number counting by keeping track of the unget
buffer per file; also use that buffer to expand macros.
ok sashan@ dennis@ krw@


# 1.671 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.670 08-Feb-2018 henning

make the watermarks/thresholds for entering and leaving syncookie mode when
syncookies are set to adaptive tunable, ok claudio benno


# 1.669 06-Feb-2018 henning

allow control over syncookies: set syncookies never/always/adaptive


# 1.668 28-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@


# 1.667 27-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Convert the pfctl(8) rule parser to divert types, kernel cleanup
will be the next step.
OK sashan@


# 1.666 25-Nov-2017 sashan

- pfctl fails to handle nested 'load anchor' properly
[ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]

OK bluhm@


# 1.665 14-Nov-2017 sashan

- nested anchors vs. pfctl/parse.y
bug reported and fix tested by Leonardo Guardati

OK bluhm@


# 1.664 13-Nov-2017 henning

add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb


Revision tags: OPENBSD_6_2_BASE
# 1.663 11-Aug-2017 benno

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@


# 1.662 19-Jul-2017 mikeb

Allow HFSC classes to use flow queues

The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue. Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.

Discussed with and OK henning@ at d2k17 as a part of a larger diff.


# 1.661 19-Jul-2017 mikeb

Rework HFSC vs FQ-CoDel checks

The selection mechanism introduced in pf_ioctl.c -r1.316 suffers
from being too ambiguous and lacks robustness. Instead of relying
on composition of multiple flags in the queue specification, it's
easier to identify the root class (if it exists) and derive all
further checks from it.


# 1.660 28-May-2017 akfaew

Don't check np->port for NULL - it's an array, it's never NULL.

OK bluhm@


# 1.659 15-May-2017 mikeb

Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)

OK sthen, visa


# 1.658 28-Apr-2017 mikeb

Remove double assignments


Revision tags: OPENBSD_6_1_BASE
# 1.657 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.656 23-Nov-2016 bluhm

Explicitly forbid to combine af-to with route-to in pfctl. The
parser cannot handle that correctly and it is unclear whether the
kernel code would work. Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@


# 1.655 26-Aug-2016 guenther

Add <time.h> for time(); sort <*.h> includes

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.654 18-Jul-2016 henning

g/c unused (global!) var: oqueues isn't used any more. ALTQ leftover; not
noticed since struct node_queue stayed. ok claudio benno gcc


# 1.653 22-Jun-2016 kettenis

Add curly braces that were missed in rev 1.651. Add parentheses to make the
condition in the if statement more readable while I'm there.

ok phessler@, benno@, florian@


# 1.652 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.651 21-Jun-2016 benno

the manpage documents that af-to does not work on pass out rules, but
the pf.conf parser allows it, which leads to a non-working configuration
being loaded.
this changes the parser to make pass out .. af-to an error.

ok henning@ mikeb@


# 1.650 16-Jun-2016 henning

allow include in inline anchors
with this,
anchor foo {
include "/path/to/rules"
}
works and "load anchor" is obsolete, to be removed somewhen later after
release.
co-production with reyk at bsdcan, ok reyk mikeb benno sasha


Revision tags: OPENBSD_5_9_BASE
# 1.649 01-Sep-2015 sashan

- route-to, dup-to, reply-to should not override the block action

Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>

ok jung@, ok mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.648 21-Apr-2015 mikeb

Improve divert-to specification parsing w.r.t. rule address family.
ok henning


Revision tags: OPENBSD_5_7_BASE
# 1.647 26-Feb-2015 sthen

%% not % in error message; ok millert@ henning@


# 1.646 14-Feb-2015 sthen

Rather than using 0xff as a placeholder for "don't check prio", use 0xff to
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.

Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesnt like it he can change it when he recovers from jet-lag"


# 1.645 10-Feb-2015 henning

since we inherit prio (as in, the queuing priority) from outside sources,
i. e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan


# 1.644 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.643 19-Dec-2014 reyk

Support source-hash and random with tables and dynifs; not just pools.
This finally allows to use source-hash for dynamic loadbalancing, eg.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.

An older pre-siphash version of this diff was tested by many people.

OK tedu@ benno@


# 1.642 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.641 27-Oct-2014 mikeb

Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic. Reported by sthen@;
ok henning benno sthen


# 1.640 25-Oct-2014 lteo

Remove unnecessary netinet/in_systm.h include.

ok millert@


# 1.639 13-Sep-2014 doug

Replace all queue *_END macro calls except CIRCLEQ_END with NULL.

CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.

ok millert@


# 1.638 23-Aug-2014 pelikan

when you specify queues in a rule, make sure they have been defined.

DIOCADDRULE EBUSY turns into an error message that pfctl -n catches.
DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported
to occur, possibly from hfsc.c: this should be fixed as well.

ok henning mikeb sthen


# 1.637 21-Aug-2014 mikeb

deny "once" flags for match rules; ok henning


Revision tags: OPENBSD_5_6_BASE
# 1.636 02-Jul-2014 mikeb

branches: 1.636.4;
condition above makes this part of the check useless;
overlooked in the previous commit


# 1.635 30-Jun-2014 mikeb

Merge two loops in collapse_redirspec into one

This lets us do the checks only once and also make smarter decisions
about the rule's own address family. As a result af-to rules no longer
need to specify the address family after 'pass'.

ok henning


# 1.634 25-Jun-2014 mikeb

Make stricter decisions when handling translation specifications.

In particular, disallow specifications containing addresses of
different address families when rule doesn't specify one, for
example "pass out nat-to { ::1 1.1.1.1 }" will now produce an
error instead of silently picking one of the addresses.

sthen and deraadt agree


# 1.633 17-May-2014 bluhm

When parsing a numerical value for the TOS bits, make sure that it
is in a valid range.
OK henning@


# 1.632 19-Apr-2014 henning

remove altq bits here, too
(i was convinced i committed that yesterday already, hrm)


Revision tags: OPENBSD_5_5_BASE
# 1.631 22-Jan-2014 henning

branches: 1.631.4;
relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.630 21-Jan-2014 henning

if_item can be "any" now.
allows things like
block out on $someif received-on any
to prevent packets to get forwarded to $someif


# 1.629 20-Jan-2014 henning

support "!received-on <interface>", ok dlg benno


# 1.628 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.627 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


# 1.626 17-Oct-2013 henning

cannot have queue definitions inside anchors.
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@ring0.de>, analysis & fix yours truly


# 1.625 12-Oct-2013 henning

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen


# 1.624 01-Aug-2013 mikeb

Provide local implementations of if_nametoindex(3) and if_indextoname(3)
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance wise this change provides a speed up
factor of 20 with a 11k line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).

"wow!" henning, ok benno, florian


Revision tags: OPENBSD_5_4_BASE
# 1.623 01-Jun-2013 henning

branches: 1.623.2;
remove set-tos backwards compat, moved into the set {} block a year ago
ok ryan


# 1.622 02-Mar-2013 sthen

When a PF rule contains 'set tos' *followed by* a scrub option, the tos
value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning


Revision tags: OPENBSD_5_3_BASE
# 1.621 16-Jan-2013 henning

for consistency with prio etc, the queue assignment really belongs
into the set block. so make pfctl accept, print and the manpage document
. match set queue foo
instead of
. match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc


# 1.620 18-Oct-2012 reyk

Disallow tables and interface address pools for rdr-to, nat-to and
route-to with any other scheduling algorithms than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, eg. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.

Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.

ok zinke@


# 1.619 18-Sep-2012 henning

prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb


Revision tags: OPENBSD_5_2_BASE
# 1.618 10-Jul-2012 bluhm

Allow an implicit address family for af-to rules. If the address
family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6"
there.
OK henning@ mikeb@


# 1.617 10-Jul-2012 henning

set { ... } -> set ( ... )
brought up by ryan, discussed with him and theo and they convinced me


# 1.616 09-Jul-2012 henning

fix some of the confusion we have in pf regarding filter criteria vs
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler


# 1.615 07-Jul-2012 henning

remove incorrect check in pfctl preventing set-tos for ipvshit.
the kernel has code to deal with set-tos and that crap. don't ask for
details. stuart ok


# 1.614 07-Jul-2012 henning

rename prio in struct pf_rule and related structs to set_prio so it is
utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc


Revision tags: OPENBSD_5_1_BASE
# 1.613 19-Dec-2011 mikeb

unbreak rule optimizer; ok henning, looks


# 1.612 12-Dec-2011 mikeb

fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault


# 1.611 03-Dec-2011 mcbride

pfctl_set_hostid always returns 0; don't pretend otherwise and make it a
void function instead.

ok dlg


# 1.610 13-Oct-2011 claudio

pfctl change for af-to / NAT64 support.
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@


# 1.609 07-Sep-2011 haesbaert

Avoid possible SIGSEGV when wrong tos option.


# 1.608 30-Aug-2011 mikeb

One shot rules can be used in pf.conf by specifying a "once" filter option.

ok henning, mcbride


Revision tags: OPENBSD_5_0_BASE
# 1.607 29-Jul-2011 mcbride

Remove requirement to quote 'debug' loglevel for the 'debug' option.

ok henning


# 1.606 27-Jul-2011 mcbride

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt


# 1.605 13-Jul-2011 mcbride

Force user to specify protocol when filtering on user, gid, and os
attributes (this is now required by pf_rule_test()).

ok sthen henning


# 1.604 08-Jul-2011 henning

allow rules to specify "prio X" or "prio (X, Y)" to assign priority levels
for the new priority queueing implementation. valid range is 0 to 7. the old
trick for prioritizing empty ACKs etc remains thru the latter notation
ok ryan mpf sthen plus pea testing and halex and claudio reading


# 1.603 07-Jul-2011 mcbride

Fold pf_test_fragment() into pf_test_rule(), reduce code and fixes
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus


# 1.602 04-Jul-2011 henning

bye bye require-order.
i added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo


# 1.601 03-Jul-2011 henning

g/c RIO traces (aka clean up after tedu :))


# 1.600 03-Jul-2011 zinke

bring in least-states load balancing algorithm

ok mcbride@ henning@


# 1.599 06-Apr-2011 claudio

Userland bits to allow PF to filter on the rdomain a packet belongs to.
This allows to write rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@


# 1.598 05-Apr-2011 mikeb

ditch fastroute, an ipf feature that made its way into pf before
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do. reuse some kernel bits for the upcoming nat64
stuff. "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.


Revision tags: OPENBSD_4_9_BASE
# 1.597 31-Dec-2010 bluhm

According to pf_scrub_ip6() pf does not support the scrub options
no-df, random-id, set-tos for IPv6 rules. Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@


# 1.596 15-Dec-2010 henning

make the "invalid probability:" yyerror suck less
From: Thomas Pfaff <tpfaff@tp76.info>


# 1.595 01-Dec-2010 jsg

remove some unused tokens
ok henning@ mcbride@


# 1.594 24-Sep-2010 henning

remove the check that enforced rdr-to only inbound and nat-to only outbound.
both now can be used in both directions. the kernel allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given, a rule with rdr-to and/or nat-to
and no direction is pretty certainly an error (which it would work,
technically)
ok ryan claudio dlg


# 1.593 22-Sep-2010 henning

new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually


# 1.592 02-Sep-2010 sobrado

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@


Revision tags: OPENBSD_4_8_BASE
# 1.591 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.590 03-Jul-2010 mcbride

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.

tested by phessler
ok henning


# 1.589 23-Mar-2010 henning

remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving anchors aside) is wrong and
conflicts with the general idea of how pf works. last not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc


Revision tags: OPENBSD_4_7_BASE
# 1.588 13-Jan-2010 deraadt

Move tokens before productions into more consistent places
ok mcbride


# 1.587 13-Jan-2010 mcbride

Allow /netmask notation in redir spec, fix the rest of the regress
tests for illegal conditions in translation/routing.


# 1.586 12-Jan-2010 mcbride

We actually have to keep the translate/route spec addresses around after
collapsing into tables, so that we can handle all possible address family
expansions.


# 1.585 12-Jan-2010 mcbride

Set roundrobin flag correctly, and don't treat a bare interface
like a dynamic one in the routespec.


# 1.584 12-Jan-2010 mcbride

Add restrictions to make @if illegal outside of routing specs;
Fix binat-to sanity checks.


# 1.583 12-Jan-2010 mcbride

Fix some issues in redir spec handling, discovered thanks to dlg testing
- purge irrelevant addresses from the lists before collapsing
- ensure the lists are freed after they're collapsed
- more careful ifname copying, avoiding double-free / use-after-free traps


# 1.582 12-Jan-2010 mcbride

Don't leak @if0 format routing host names, pointed out by claudio.


# 1.581 12-Jan-2010 mcbride

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio


# 1.580 10-Jan-2010 deraadt

lex <=, >=, and != into a single token for correctness and to reduce the
lookahead in the parser
ok henning otto


# 1.579 10-Jan-2010 deraadt

In the non-optimized case, an address list containing "any" (ie. { any 10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1. How long this bug has
been with us is unclear.
ok guenther mcbride


# 1.578 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


# 1.577 24-Dec-2009 dlg

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:

pass out on em0 from $foo to $bar received-on fxp0

ive been running this in production for a week now. i find it particularly
useful with interface groups.

no objections, and a few "i like"s from henning, claudio, deraadt, mpf


# 1.576 10-Dec-2009 deraadt

plug some memory leaks; found by parfait, ok henning


# 1.575 22-Nov-2009 henning

cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing


# 1.574 09-Nov-2009 jsg

A few more places to be updated for the route pool change.
expanded version of a diff from Vadim Zhukov.

ok henning@ claudio@


# 1.573 28-Oct-2009 jsg

Add a dedicated pf pool for route options as suggested by henning,
which unbreaks i.e. route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@


# 1.572 28-Oct-2009 claudio

route_host initializes the netmask to a /128 no matter what af is used so
that the load balancing code does not freak out but because of this
check_netmask() is now complaining. So set the addr.type to PF_ADDR_DYNIFTL
so check_netmask() is fixing up the netmask for IPv4 and stops complaining.
This is a partial fix for the failing regress test 13.
found with jsg, looks good henning


# 1.571 28-Oct-2009 claudio

Correct function name in err and errx.


# 1.570 04-Oct-2009 michele

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who spotted out which are the limitations of this approach.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@


# 1.569 08-Sep-2009 michele

I had not enough oks to commit this diff.
Sorry.


# 1.568 08-Sep-2009 michele

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.


# 1.567 07-Sep-2009 reyk

implement binat-to as a macro-like rule: a rule using the new binat-to
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. this simplifies the migration from old
binat rules and is less error-prone.

feedback from many, manpage bits from jmc@
ok henning@


# 1.566 03-Sep-2009 reyk

this time i commit the right diff that was
ok henning@ (sorry)


# 1.565 03-Sep-2009 reyk

fix two route-to vs. rdr-to conflicts.

found by sthen@
ok henning@


# 1.564 02-Sep-2009 reyk

all the new *-to options are part of the "filteropts" section at the
end of a pf rule (nat-to, divert-to, rdr-to, ...). take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.

for example,
pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)

many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@


# 1.563 01-Sep-2009 henning

the diff theo calls me insanae for:
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too


# 1.562 28-Jul-2009 claudio

Bring back rev. 1.560:
Make it possible to use DiffServ Code Point in the TOS fields.
Requested by deraadt@


# 1.561 27-Jul-2009 deraadt

When will people learn to commit their .h file changes?


# 1.560 27-Jul-2009 claudio

Make it possible to use DiffServ Code Point in the TOS fields. Names like
af11, cs6 and ef will now be mapped to the corresponding TOS value.
OK henning@, sthen@, mcbride@


Revision tags: OPENBSD_4_6_BASE
# 1.559 14-May-2009 sthen

actually change the require-order default to No; I missed a part with
my last commit. ok deraadt@


# 1.558 26-Apr-2009 sthen

switch the require-order default to "no". regression tests still pass.
ok henning@ deraadt@


# 1.557 25-Apr-2009 henning

scrub_opts must not be empty, scrub on its own does nothing.
noticed due to a question from otto@, ok regress/sbin/pfctl/ ;)


# 1.556 06-Apr-2009 henning

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.


Revision tags: OPENBSD_4_5_BASE
# 1.555 19-Feb-2009 deraadt

spacing


# 1.554 17-Oct-2008 henning

in findeol(), do not skip the pushback buffer. fixes PR 5952 by sthen@ and
should make the pushback buffer really transparent.
diagnosis by me, fix with mpf, some input deraadt, ok mpf


# 1.553 02-Oct-2008 henning

implement "set state-defaults X", where X is a list of state options as
permitted keep state(X). applies to all rules which do not have keep state
explicitly. e. g. "set state-defaults pflow, no-sync"
ok phessler deraadt


# 1.552 10-Sep-2008 deraadt

do not try to print $$ when it has not been set


# 1.551 09-Sep-2008 henning

welcome pflow(4), a netflow v5 compatible flow export interface.
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo


# 1.550 07-Aug-2008 henning

correctly copy the log interface spec when expanding an antispoof rule that
covers loopback addresses. ok ryan
problem report from Harald Dunkel <harald.dunkel@aixigo.de>


Revision tags: OPENBSD_4_4_BASE
# 1.549 03-Jul-2008 deraadt

do not forget to initialize other member of $$ in qname; noted by mark shroyer
ok henning


# 1.548 10-Jun-2008 mcbride

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt


# 1.547 10-Jun-2008 henning

new state option "sloppy" to use the sloppy tcp state tracker instead
of the good one. ok theo ryan reyk


# 1.546 09-May-2008 deraadt

Replace a crockpot of semi-cloned productions for handling port
numbers with one, and fix a few other bugs along the way
ok mpf henning


# 1.545 09-May-2008 markus

convert port byte order in the production; add port keyword; ok deraadt@


# 1.544 09-May-2008 markus

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@


# 1.543 08-May-2008 deraadt

make "to any" optional in binat, or well, the implied default.
requested by reyk, ok reyk mpf


# 1.542 08-May-2008 deraadt

Loosen grammar to permit any number of newlines within most kinds of { }
blocks, as requested by reyk; ok reyk mpf henning


# 1.541 08-May-2008 deraadt

Bring back (in a more yacc friendly way) support for setting variables
to a sequence of strings and numbers, which get folded together into one
string (and later, when used, is re-lexed)
ok mpf


# 1.540 07-May-2008 deraadt

do not assume PF_INOUT is 0 in the enum; ok mcbride


# 1.539 07-May-2008 markus

scrub packets based on tags; ok henning


# 1.538 07-May-2008 markus

allow setting TOS with scrub; ok mcbride, claudio


# 1.537 21-Apr-2008 deraadt

optnl is a crutch for those who do not understand yacc. it
leads to a variety of errors; ok mcbride


Revision tags: OPENBSD_4_3_BASE
# 1.536 01-Feb-2008 mcbride

Enable the rest of the filter_opts to be used on anchors. These were accepted
by the parser but not passed to the kernel. This allows filtering based on
uid, gid, icmp options, tcp flags, os fingerprint, tos, tags, and probability;
It also allows the label to be set. State options and tagging are not
permitted.

ok henning mpf


# 1.535 13-Nov-2007 mpf

Bring back the number converter for 'set hostid'.
I forgot to think about hex numbers when I removed it.
OK deraadt@


# 1.534 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.533 25-Oct-2007 mpf

Fix probability rules w/ numbers (e.g probability 0.4).
Add support for probabilities of 0% and 100%.
With and OK deraadt@


# 1.532 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.531 22-Oct-2007 deraadt

pfctl does not need file secrecy


# 1.530 16-Oct-2007 mpf

Allow unquoted numbers in variables.
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.

OK deraadt@


# 1.529 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.528 13-Oct-2007 deraadt

support an include directive; file of course must also be "secure" like
the main configuration file; ok henning


# 1.527 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.526 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.525 01-Oct-2007 mpf

Backout NUMBER to string conversion.
Requested by deraadt@


# 1.524 27-Sep-2007 mpf

Add loginterface support for groups.
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.

OK henning@, markus@


# 1.523 23-Sep-2007 mpf

Allow numbers to be used as unquoted strings again.
While there, also restrict the use of concatenated, unquoted
strings for variable assignments only.

Eyeballed by markus@, OK henning@


# 1.522 12-Sep-2007 deraadt

add a missing range check for rtable ids; ok cloder henning


# 1.521 12-Sep-2007 deraadt

Add support to the lex for parsing number out of the stream. handle
this in the parser. because the new numbers are int64_t, many new
range checks for < 0 are needed. re-check and improve all the
existing rangechecks while at it. thanks for help by cloder and
dhartmei


# 1.520 30-Aug-2007 dhartmei

add support for address ranges ("from 10.1.2.50 - 10.1.3.75") in from/to
criteria. ok mcbride@


Revision tags: OPENBSD_4_2_BASE
# 1.519 21-Jun-2007 henning

always initialize logif, from max laier, ok ryan


# 1.518 20-Jun-2007 mpf

Allow "log" for nat rules without "pass".
OK henning@, ``passt scho'' (``that'll do'') markus@


Revision tags: OPENBSD_4_1_BASE
# 1.517 03-Feb-2007 dhartmei

in decide_address_family(), only limit a rule to a specific address family
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@


# 1.516 07-Nov-2006 mcbride

Unbreak authpf by handling non-inline anchors separately from the { } anchors
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.

ok deraadt@


# 1.515 31-Oct-2006 mcbride

Allow pfctl ruleset optimizer to be controlled from the ruleset.

"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]

You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.

cleanup and ok henning@


# 1.514 31-Oct-2006 mcbride

- don't allow anchors with _* names to be cleared or loaded from the
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified

'looks sensible' deraadt@


# 1.513 28-Oct-2006 mcbride

Load all rules into memory before loading into the kernel, and add support
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").

anchor on fxp0 {
pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@


# 1.512 25-Oct-2006 henning

make absolutely sure logif is 0 unless set specifically, even if log is 0.
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...


# 1.511 25-Oct-2006 henning

and another nit, $$.log should be set to 0 explicitely on quick without log


# 1.510 25-Oct-2006 henning

urgs, $$.quick needs to be set to 0 explicitely on log (without quick)


# 1.509 25-Oct-2006 henning

allow the log interface to be selected like
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride


# 1.508 17-Oct-2006 mcbride

Don't automatically set 'flags S/SA' on stateless rules.

pointed out by david@

ok mpf@ dhartmei@


# 1.507 11-Oct-2006 deraadt

quotes around filename, pr 5253, sthen@zephyr.spacehopper.org


# 1.506 11-Oct-2006 mcbride

Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside
the anchor, terminate ruleset evaluation when stepping out of the anchor.

This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.

ok dhartmei@ henning@ deraadt@


# 1.505 06-Oct-2006 mcbride

Oops, flags S/SA doesn't work on fragments.


# 1.504 06-Oct-2006 mcbride

Make 'flags S/SA keep state' the implicit for filter rules, based on
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.

IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.

Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.

ok dhartmei@ deraadt@ henning@


Revision tags: OPENBSD_4_0_BASE
# 1.503 22-Aug-2006 dhartmei

back out -r1.497 (support for "tagged {}" lists), it broke "tagged" support
for nat rules. sorry, existing functionality trumps syntactic sugar. feel
free to resubmit a complete patch. closes PR 5207.


# 1.502 06-Jul-2006 henning

add "rtable" to select alternate routing tables.
with & ok claudio hshoexer


# 1.501 17-Jun-2006 henning

KNF


# 1.500 28-May-2006 mcbride

Make per-rule adaptive timeouts behave the same way as the global adaptive
timeouts.


# 1.499 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning
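
The two lexer commits above (rev 1.529 and rev 1.499) describe the same backslash rule for quoted strings: any escaped character stands for itself, and an escaped newline disappears so a string can be continued on the next line. The following C is an added example written for this page, not the pfctl lexer; it applies that rule to the body of a double-quoted string and reports unterminated input, a trailing backslash and an undersized output buffer as errors. The function names and buffer sizes are this example's own.

```c
/* Added example, not the pfctl lexer: the backslash rules the two commits
 * above describe, applied to the body of a double-quoted string.  The
 * function names and buffer sizes are this example's own. */
#include <stddef.h>
#include <string.h>

/* Copy the body of a quoted string (everything up to the closing quote)
 * into out, applying:
 *   \<newline>  dropped entirely (line continuation)
 *   \<c>        becomes <c>, which covers \" \\ \<space> and \<tab>
 * Returns the number of bytes written, or -1 for an unterminated string,
 * a trailing backslash, or an out buffer too small for the result. */
int
unquote(const char *in, char *out, size_t outlen)
{
	const char *p;
	size_t n = 0;

	for (p = in; *p != '\0' && *p != '"'; p++) {
		char c = *p;

		if (c == '\\') {
			p++;
			if (*p == '\0')
				return -1;	/* backslash at end of input */
			if (*p == '\n')
				continue;	/* join with the next line */
			c = *p;		/* literal next character */
		}
		if (n + 1 >= outlen)
			return -1;	/* keep room for the NUL */
		out[n++] = c;
	}
	if (*p != '"')
		return -1;		/* missing closing quote */
	out[n] = '\0';
	return (int)n;
}

/* Demo helper: 1 when unquote(in) succeeds and yields exactly want. */
int
unquote_yields(const char *in, const char *want)
{
	char buf[128];

	return unquote(in, buf, sizeof(buf)) >= 0 && strcmp(buf, want) == 0;
}

/* Demo helper: 1 when unquote(in) fails into an out buffer of outlen bytes. */
int
unquote_fails(const char *in, size_t outlen)
{
	char buf[128];

	if (outlen > sizeof(buf))
		outlen = sizeof(buf);
	return unquote(in, buf, outlen) == -1;
}
```

The caller passes the text after the opening quote; the closing quote terminates the scan, so an escaped quote inside the string is copied rather than ending it.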


# 1.498 02-May-2006 dhartmei

fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, create
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.


# 1.497 01-May-2006 dhartmei

add support for "tagged {}" lists, from Pierre-Yves Ritschard


# 1.496 06-Apr-2006 henning

allow lists inside lists for address specs, has been in my tree for
quite some time... theo likes


# 1.495 14-Mar-2006 djm

implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@
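
The check described above is easy to model in user space: resolve the route back to the packet's source with a longest-prefix match and compare the egress interface of that route with the interface the packet arrived on. The C below is an added example for this page, not pf(4) code; the routing table, interface names and sample packets are constructed for the demo. It also shows the caveat from the commit message: a packet from an internal network arriving on the external interface is dropped, which is the spoofing case the check is for, but the same logic would drop legitimate traffic wherever routing is asymmetric.

```c
/* Added example, not pf(4) code: a strict uRPF check over a small static
 * IPv4 routing table, illustrating the commit above.  The table, the
 * interface names and the sample packets are constructed for the demo. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct route {
	const char	*prefix;	/* dotted-quad network address */
	int		 plen;		/* prefix length, 0..32 */
	const char	*ifname;	/* interface this route goes out on */
};

/* Constructed table: default route via em0, two internal nets via em1/em2. */
static const struct route rtable[] = {
	{ "0.0.0.0",   0, "em0" },
	{ "10.0.0.0",  8, "em1" },
	{ "10.1.0.0", 16, "em2" },
};

/* Dotted quad to host-order address; -1 if it does not parse. */
static int
ip4(const char *s, uint32_t *out)
{
	struct in_addr a;

	if (inet_pton(AF_INET, s, &a) != 1)
		return -1;
	*out = ntohl(a.s_addr);
	return 0;
}

static uint32_t
mask4(int plen)
{
	return plen == 0 ? 0 : 0xffffffffU << (32 - plen);
}

/* Longest-prefix match: the interface the kernel would use to reach dst,
 * or NULL when dst is unparseable or no route covers it. */
const char *
route_lookup(const char *dst)
{
	const struct route *best = NULL;
	uint32_t d, n;
	size_t i;

	if (ip4(dst, &d) == -1)
		return NULL;
	for (i = 0; i < sizeof(rtable) / sizeof(rtable[0]); i++) {
		const struct route *r = &rtable[i];

		if (ip4(r->prefix, &n) == 0 &&
		    (d & mask4(r->plen)) == (n & mask4(r->plen)) &&
		    (best == NULL || r->plen > best->plen))
			best = r;
	}
	return best != NULL ? best->ifname : NULL;
}

/* Strict uRPF: pass only if the route back to the source leaves through
 * the interface the packet arrived on.  With asymmetric routing this drops
 * legitimate traffic, which is the caveat the commit message makes. */
int
urpf_pass(const char *src, const char *rcvif)
{
	const char *back = route_lookup(src);

	return back != NULL && strcmp(back, rcvif) == 0;
}

int
main(void)
{
	/* Constructed packets: source address and receiving interface. */
	static const char *const pkts[][2] = {
		{ "10.1.2.3", "em2" },	/* internal host on its own segment */
		{ "10.1.2.3", "em0" },	/* internal source arriving from outside */
		{ "8.8.8.8",  "em0" },	/* external source via the default route */
	};
	size_t i;

	for (i = 0; i < sizeof(pkts) / sizeof(pkts[0]); i++)
		printf("%s on %s: %s\n", pkts[i][0], pkts[i][1],
		    urpf_pass(pkts[i][0], pkts[i][1]) ? "pass" : "drop");
	return 0;
}
```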


Revision tags: OPENBSD_3_9_BASE
# 1.494 17-Nov-2005 dhartmei

for pfctl -f rules, open the file before resetting options. when opening
the file fails, produce only the error message and leave options
unchanged. reported by Tamas TEVESZ, ok deraadt@


# 1.493 13-Oct-2005 henning

unused parameters


Revision tags: OPENBSD_3_8_BASE
# 1.492 14-Jun-2005 henning

no need to restrict tagging to stateful rules any more, dhartmei ok
From: "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.491 27-May-2005 dhartmei

get rid of 'log-all'. now that we have 'log (options)', make 'all' an
option to log. so, 'log-all' becomes 'log (all)'.


# 1.490 27-May-2005 dhartmei

get rid of shift/reduce conflicts, don't support empty logopts


# 1.489 27-May-2005 dhartmei

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v is used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.


# 1.488 27-May-2005 dhartmei

allow 'tagged' in 'anchor' rules (without complaining about missing
'keep state'), as a condition to branch into the anchor. suggested
by Bill Marquette.


# 1.487 26-May-2005 camield

The illegality of "no nat log" is already enforced by the grammar.

ok dhartmei


# 1.486 26-May-2005 dhartmei

support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@


# 1.485 23-May-2005 camield

remove code that duplicates getservice()

ok dhartmei mcbride


# 1.484 21-May-2005 henning

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo


# 1.483 22-Apr-2005 camield

Catch bad flags, ie. flags that always evaluate to false. This happens
if there are flags on the lefthandside that are masked off by the
righthand side.

ok mcbride@ (long time ago) dhartmei@ henning@
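
A "flags a/b" spec matches when (th_flags & b) == a, so any bit that is set in a but absent from b can never be satisfied; that is the condition the commit above rejects at load time instead of silently installing a dead rule. The C below is an added example written for this page, not pfctl's own parser: it parses the a/b and /b forms into a (flags, mask) pair, reports the unsatisfiable case, and evaluates a spec against a packet's flags byte. The error codes and function names are this example's own, and the "flags any" keyword is not handled here.

```c
/* Added example, not pfctl code: parse a pf-style "flags a/b" or "flags /b"
 * spec into (flags, mask) and reject specs that can never match, the check
 * rev 1.483 adds.  The letters follow the TCP header bits; the error codes
 * and function names are this example's own. */
#include <stdint.h>
#include <string.h>

#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_ECE  0x40
#define TH_CWR  0x80

enum flags_err {
	FLAGS_OK = 0,
	FLAGS_BAD_SYNTAX,	/* no '/' separator */
	FLAGS_BAD_CHAR,		/* letter outside "FSRPAUEW" */
	FLAGS_NEVER_MATCH	/* a set flag is masked off by the right side */
};

/* One flag letter to its TCP bit; 0 for an unknown letter. */
static uint8_t
flag_bit(char c)
{
	switch (c) {
	case 'F': return TH_FIN;
	case 'S': return TH_SYN;
	case 'R': return TH_RST;
	case 'P': return TH_PUSH;
	case 'A': return TH_ACK;
	case 'U': return TH_URG;
	case 'E': return TH_ECE;
	case 'W': return TH_CWR;
	default:  return 0;
	}
}

/* OR together the bits for the n letters at s; -1 on an unknown letter. */
static int
parse_set(const char *s, size_t n, uint8_t *out)
{
	size_t i;

	*out = 0;
	for (i = 0; i < n; i++) {
		uint8_t b = flag_bit(s[i]);

		if (b == 0)
			return -1;
		*out |= b;
	}
	return 0;
}

/* Parse "S/SA" into *flags and *mask.  A packet matches when
 * (th_flags & mask) == flags, so a bit set in flags but clear in mask makes
 * the rule unsatisfiable; that is the case the commit above rejects. */
enum flags_err
parse_flags(const char *spec, uint8_t *flags, uint8_t *mask)
{
	const char *slash = strchr(spec, '/');

	if (slash == NULL)
		return FLAGS_BAD_SYNTAX;
	if (parse_set(spec, (size_t)(slash - spec), flags) == -1 ||
	    parse_set(slash + 1, strlen(slash + 1), mask) == -1)
		return FLAGS_BAD_CHAR;
	if ((*flags & ~*mask) != 0)
		return FLAGS_NEVER_MATCH;
	return FLAGS_OK;
}

/* Validation verdict for a spec, as an int for callers that want only that. */
int
check_flags_spec(const char *spec)
{
	uint8_t flags, mask;

	return (int)parse_flags(spec, &flags, &mask);
}

/* Evaluate a spec against a packet's TCP flags byte: 1 match, 0 no match,
 * -1 when the spec itself is invalid. */
int
flags_spec_matches(const char *spec, uint8_t th_flags)
{
	uint8_t flags, mask;

	if (parse_flags(spec, &flags, &mask) != FLAGS_OK)
		return -1;
	return (th_flags & mask) == flags;
}
```

Note that "S/SA" accepts a SYN with PSH set, because PSH is outside the mask; that is the intended semantics, and it is why "SA/S" rather than "S/S" is the kind of spec that should be refused.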


Revision tags: OPENBSD_3_7_BASE
# 1.482 07-Mar-2005 henning

print unsigned long with %lu, not with %d and not with %ld.
From: Andrey Matveev <andrushock@korovino.net>


# 1.481 06-Mar-2005 henning

allow commas in the hfsc service curve spec, inconsistency pointed out in
PR4134 / geoff@collyer.net and a longer mail exchange with han boetes


# 1.480 06-Mar-2005 dhartmei

print "set skip on" with -v in such a way that the output is valid input
syntax, instead of the cryptic hex flags output.


# 1.479 27-Feb-2005 dhartmei

support 'tagged' in translation rules, non-delayed tag lookup
ok henning@, deraadt@


# 1.478 26-Feb-2005 henning

you sure get the impression the number of memory leaks in error paths
is infinite... Andrey Matveev <andrushock@korovino.net> spotted a few again!


# 1.477 07-Feb-2005 david

KNF; ok henning@


# 1.476 28-Jan-2005 dhartmei

add messages for syntax errors that caused silent failure before.
found by Peter Fraser, ok henning@


# 1.475 27-Jan-2005 dhartmei

dynamic interface names must start with a letter. catches the nonsensical
"(10.1.2.3)" that results from a simple typo like "$(ext_ip)" instead of
"$(ext_if)".


# 1.474 05-Jan-2005 mcbride

Modify pfctl behaviour so that 'set ...' options are no longer "sticky", ie.
they are reset to default values if omitted from a subsequent ruleset load.
Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set
without resetting the others, eg:
# echo "set loginterface fxp0" | pfctl -mf -

ok henning@ dhartmei@


# 1.473 29-Dec-2004 mcbride

Print 'set fingerprints' correctly when parsing verbosely.


# 1.472 23-Dec-2004 dhartmei

set rule_flag PFRULE_SRCTRACK when setting srctrack, found by camield@
using regress test pf84


# 1.471 22-Dec-2004 dhartmei

Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@


# 1.470 15-Dec-2004 henning

missing free()s; with pat


# 1.469 10-Dec-2004 henning

allow pf to filter on route labels
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan


# 1.468 08-Dec-2004 mcbride

Add "'overload' requires 'max-src-conn' or 'max-src-conn-rate'" sanity check,
fix some cut-n-paste mayhem in other related checks.


# 1.467 07-Dec-2004 dhartmei

re-commit mcbride@'s 'flush global', this time without the breakage in
pfvar.h. builds kernel and userland.


# 1.466 07-Dec-2004 deraadt

real backout


# 1.465 07-Dec-2004 deraadt

oops, incomplete backout


# 1.464 07-Dec-2004 deraadt

tree does not compile, spotted by dlg (not obvious how to fix)
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.463 07-Dec-2004 mcbride

Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.462 05-Dec-2004 dhartmei

initialize $$->tail and $$->next for MAXSRCCONNRATE


# 1.461 04-Dec-2004 mcbride

Userland support for limiting open tcp connections per source. eg:

keep state (max-src-conn 1000, max-src-conn-rate 100/10, overflow <bad> flush)

allow a maximum of 1000 open connections or 100 new connections in 10 seconds.
The addresses of offenders are added to the <bad> table which can be used in
the ruleset, and existing states from that host are flushed.

ok deraadt@ dhartmei@


# 1.460 21-Sep-2004 aaron

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok


Revision tags: OPENBSD_3_6_BASE
# 1.459 29-Jun-2004 henning

remove cedric's bogus interface name verification code.
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nice enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being bugged about it regularly.
help & ok mcbride@


# 1.458 29-Jun-2004 frantzen

convert a few memcpy()s to strlcpy() so we don't copy uninitialized junk into
an interface name's slack space past the \0. will be needed for the optimizer.
ok henning@


# 1.457 26-Jun-2004 david

add back PF_INOUT, fixes reassemble tcp
ok canacar@ mcbride@


# 1.456 25-Jun-2004 deraadt

repair tree nanobreak by the nanobum


# 1.455 10-Jun-2004 dhartmei

rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
keyword in C++. ok henning@, cedric@


# 1.454 21-May-2004 dhartmei

Use '/' instead of ':' as separator for anchor path components. Note that
the parser now needs quotes around paths containing separators.
ok mcbride@


# 1.453 19-May-2004 dhartmei

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@


# 1.452 24-Apr-2004 cedric

Add "probability xxx" rule modifier. ok deraadt@


# 1.451 22-Apr-2004 henning

typo, From: Jared Yanovich <jjy2+@pitt.edu>


# 1.450 14-Apr-2004 cedric

make antispoof work with dynamic addresses. ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_5_BASE
# 1.449 20-Mar-2004 david

spelling fix; ok dhartmei@ henning@ deraadt@


# 1.448 14-Mar-2004 dhartmei

#include fixes, from Max Laier, ok beck@ henning@


# 1.447 08-Mar-2004 henning

plug 124 memory leaks
ok mcbride@ pb@ dhartmei@


# 1.446 06-Mar-2004 henning

from bgpd:
plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. err(1, "yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.445 01-Mar-2004 dhartmei

support "tagged <name>" on anchor rules, suggested by vd@vmunix.lt,
ok henning@, cedric@


# 1.444 24-Feb-2004 mcbride

'max-src-nodes' requires 'source-track rule'. Set that automatically,
unless 'source-track global' is explicit, in which case error out. Lots of
help from cedric@.

ok cedric@ henning@


# 1.443 24-Feb-2004 cedric

fixup.


# 1.442 24-Feb-2004 mcbride

Check for 'source-track rule' with 'max-src-nodes'.

ok cedric@ henning@


# 1.441 11-Feb-2004 cedric

Fix interface clobbering for link-local addresses. Found by Pyun YongHyeon.
Fix "antispoof for foo" when foo has no addresses.
ok+help dhartmei@, ok mcbride@


# 1.440 10-Feb-2004 henning

KNF


# 1.439 10-Feb-2004 henning

fix at least the worst of Cedric "KNF is for everybody but me" Berger's fuckup


# 1.438 04-Feb-2004 mcbride

Handle rules like 'pass ... proto { tcp udp icmp } ... modulate state'

ok dhartmei@ henning@


# 1.437 03-Feb-2004 henning

fix PR 3664 / jared r r spiegel
we need to save the unexpanded tag/tagged strings before entering the
expansion loop, and at each loop, start with the unexpanded tag, so that
on subsequent loops the macros are replaced with current values and not
the values from previous loop persist
ryan theo ok


# 1.436 05-Jan-2004 henning

few off by ones in strlcpy overflow check; Patrick Latifi


# 1.435 04-Jan-2004 cedric

don't ignore "!" on "binat on !foo". ok mcbride@


# 1.434 31-Dec-2003 deraadt

spacing. note this, cedric


# 1.433 31-Dec-2003 cedric

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@


# 1.432 30-Dec-2003 henning

fix TAILQ abuse.
TAILQ_REMOVE is a no-no within a TAILQ_FOREACH loop.
also free the symbol itself after removal.
all found while hacking bgpd which incorporates pfctl's sym code (macros).

ok cedric@


# 1.431 19-Dec-2003 henning

i wrote much of these, assert my copyright


# 1.430 19-Dec-2003 deraadt

assert copyright. i rewrite much of this


# 1.429 16-Dec-2003 mcbride

Check that max-src-states and max-src-nodes are not being set to 0.


# 1.428 15-Dec-2003 henning

KNF here too


# 1.427 15-Dec-2003 mcbride

Whitespace.


# 1.426 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contains regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


# 1.425 15-Dec-2003 mcbride

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@


# 1.424 29-Nov-2003 dhartmei

allow ':' (range including boundaries) to be used whereever '><' (range
excluding boundaries) is legal. already supported by kernel, requires only
removal of three error messages. ok henning@


# 1.423 22-Nov-2003 henning

daniel stumbled over a broken regress test, and it turned out that I forgot
to commit a diff from 11/6...
do not insert the "block in on ! interface" rule for antispoof statements when
the interface in question does not have any IP address, because that then
expands to
block in on ! interface all
which is obviously bad.
niklas@ found it, dhartmei@ ok, and I think some more ppl ok I don't remember


# 1.422 14-Nov-2003 henning

allow the debuglevel to be set from pf.conf (set debug)

ok cedric@


# 1.421 08-Nov-2003 mcbride

Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.

pass in proto tcp to self flags S/SA keep state (no-sync)

ok cedric@ henning@ dhartmei@


# 1.420 06-Nov-2003 henning

and fix two err() that should be errx() while being here


# 1.419 06-Nov-2003 henning

need calloc here


# 1.418 06-Nov-2003 henning

allow the label macros to be used in tags as well.
the idea is not mine and I'd love to give credit, but I cannot find the mail
any more :-((

ok canacar@ dhartmei@


# 1.417 21-Oct-2003 itojun

don't use NULL as (int)0. henning ok


# 1.416 26-Sep-2003 cedric

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:

- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK

Ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_4_BASE
# 1.415 01-Sep-2003 henning

KNF


# 1.414 28-Aug-2003 kjell

This change is busted. what's worse, REGRESSION TESTS WOULD HAVE CAUGHT IT!
You MUST test network stack changes on BOTH BYTE-ORDERS.
Someone can fix this later, but right now I need to get the damn
firewall up. Grr.


# 1.413 26-Aug-2003 dhartmei

catch port/user/group a <>/>< b with a >= b, from mpech@


# 1.412 25-Aug-2003 dhartmei

catch return-rst ttl values > 255, from aaron@


# 1.411 24-Aug-2003 cedric

Tweaks:
- Make sure we allow only tables in round-robin pools for routing options,
same as what we do for translation rules.
- Don't reject rules like: "nat on sis0 -> <foo>" because
"no address family is given". This is perfectly valid.
ok henning@


# 1.410 22-Aug-2003 david

pf spelling police
ok dhartmei@ jmc@


# 1.409 21-Aug-2003 frantzen

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001


# 1.408 20-Aug-2003 henning

braindeadness police: catch queues which specify themselves as child... 'nuff said


# 1.407 20-Aug-2003 henning

err out nicer on errors in queue def


# 1.406 18-Aug-2003 dhartmei

catch max-mss values > 65535, report by Gregory Steuck


# 1.405 09-Aug-2003 cedric

This patch removes the restriction that tables cannot be used in routing or
redirection rules...

The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.

This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.

Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"

ok henning@ mcbride@


# 1.404 29-Jul-2003 deraadt

indent


# 1.403 19-Jul-2003 cedric

Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
instead of indirectly through struct pf_rule_addr.

Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.

Needless to say: KERNEL/USERLAND SYNC REQUIRED.

ok henning@ mcbride@


# 1.402 18-Jul-2003 cedric

Simplify handling of flags (-R, -N...). Remove PFCTL_FLAG_ALL.
ok dhartmei@


# 1.401 15-Jul-2003 cedric

Repair memory management in table parsing code.
I need vacations.
Found and verified by Pyun YongHyeon.
ok dhartmei@


# 1.400 14-Jul-2003 dhartmei

typo


# 1.399 11-Jul-2003 cedric

Better parsing and -v support for tables:

- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and bring table definition consistent with other
parsed rules.

ok dhartmei@


# 1.398 10-Jul-2003 cedric

Fix merging of host lists.
ok dhartmei@ henning@


# 1.397 04-Jul-2003 henning

KNF after cedric (grmpf)


# 1.396 04-Jul-2003 henning

allow for a "pass" modifier on translation rules:
nat pass on $ext_if from $a to $b -> $ext_if
when the pass modifier is given, the filter ruleset is _not_ evaluated but
the packets matching this translation rule are passed unconditionally.

ok dhartmei@ cedric@ markus@


# 1.395 03-Jul-2003 cedric

Bye bye atexit(), bye bye globals...
The pfctl.c part will probably need some further improvements.
ok henning@


# 1.394 03-Jul-2003 cedric

This patch finally cleans up pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@


# 1.393 19-Jun-2003 deraadt

knf


# 1.392 18-Jun-2003 henning

change expand_label_addr() to use a switch (h->addr.type) instead of
if .. else if .. else, and handle PF_ADDR_NOROUTE as well.
inspired by a comment from cedric.


# 1.391 18-Jun-2003 henning

when expanding the $srcaddr/$dstaddr label macros and the address is actually
a table reference, don't print nonsense but the table name.
found by claudio jeker, fix by me, agreement by cedric


# 1.390 09-Jun-2003 mcbride

Attempt to resolve byte order confusion in nat code once and for all.

- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()

NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.


# 1.389 25-May-2003 henning

must not run check_netmask() before remove_invalid_hosts() - binat case had it
wrong for the redirection target.
reported by jared r r spiegel <jrrs@ice-nine.org>


# 1.388 19-May-2003 henning

reject invalid netmasks like 10.0.0.0/68, and fix up the netmask for
dynaddr rules after we know the address family

ok dhartmei@, inspired by a session with bob
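
Two of the table-handling commits above lend themselves to one worked example: rev 1.388 rejects prefix lengths the address family cannot carry (10.0.0.0/68 for IPv4), and rev 1.405 expands a table such as { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } into the six hosts .1 through .6 and round-robins over them. The C below is an added example for this page, not pfctl or pf(4) code; pf's real pools walk the kernel's table radix tree, whereas this toy expands the block into a bounded array. The pool bound, helper names and sample table are this example's own.

```c
/* Added example, not pfctl code: parse IPv4 "addr/len" entries, rejecting
 * prefix lengths the family cannot carry (rev 1.388), then expand a table
 * with negated entries and hand the survivors out round-robin (rev 1.405).
 * Names, the pool bound and the sample table are this example's own. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse "a.b.c.d[/len]" into a host-order network address and prefix
 * length; -1 for a malformed address or a length outside 0..32. */
int
parse_cidr4(const char *spec, uint32_t *net, int *plen)
{
	char buf[INET_ADDRSTRLEN + 4], *slash, *end;
	struct in_addr a;
	long len = 32;

	if (snprintf(buf, sizeof(buf), "%s", spec) >= (int)sizeof(buf))
		return -1;
	if ((slash = strchr(buf, '/')) != NULL) {
		*slash = '\0';
		len = strtol(slash + 1, &end, 10);
		if (end == slash + 1 || *end != '\0' || len < 0 || len > 32)
			return -1;	/* catches 10.0.0.0/68 */
	}
	if (inet_pton(AF_INET, buf, &a) != 1)
		return -1;
	*net = ntohl(a.s_addr) & (len == 0 ? 0 : 0xffffffffU << (32 - len));
	*plen = (int)len;
	return 0;
}

int
cidr_valid(const char *spec)
{
	uint32_t net;
	int plen;
	return parse_cidr4(spec, &net, &plen) == 0;
}

struct pool {
	uint32_t addr[64];	/* 64 hosts bounds the demo's expansion */
	int	 n, next;	/* host count and round-robin cursor */
};

/* Expand entries in order: a plain entry adds every host in its block, a
 * "!entry" removes the hosts it covers.  Returns the host count or -1. */
int
pool_build(struct pool *p, const char *const *entries, int count)
{
	uint32_t net, m, j, k;
	int i, plen;

	memset(p, 0, sizeof(*p));
	for (i = 0; i < count; i++) {
		int neg = (entries[i][0] == '!');

		if (parse_cidr4(entries[i] + neg, &net, &plen) == -1)
			return -1;
		m = plen == 0 ? 0 : 0xffffffffU << (32 - plen);
		if (neg) {	/* keep only hosts outside the negated block */
			for (j = k = 0; j < (uint32_t)p->n; j++)
				if ((p->addr[j] & m) != net)
					p->addr[k++] = p->addr[j];
			p->n = (int)k;
			continue;
		}
		if (32 - plen > 6 || p->n + (1 << (32 - plen)) > 64)
			return -1;	/* block too large for the demo pool */
		for (k = 0; k < (1U << (32 - plen)); k++)
			p->addr[p->n++] = net + k;
	}
	return p->n;
}

/* Next address in rotation (host order); 0 when the pool is empty. */
uint32_t
pool_next(struct pool *p)
{
	uint32_t a = p->n ? p->addr[p->next] : 0;

	if (p->n)
		p->next = (p->next + 1) % p->n;
	return a;
}

/* The table from the commit message, constructed for the demo. */
static const char *const demo_table[] = { "10.0.0.0/29", "!10.0.0.0", "!10.0.0.7" };

/* Last octet produced by the i-th (0-based) pool_next() call, or -1. */
int
demo_pick(int i)
{
	struct pool p;
	uint32_t a = 0;
	int k;

	if (pool_build(&p, demo_table, 3) == -1)
		return -1;
	for (k = 0; k <= i; k++)
		a = pool_next(&p);
	return (int)(a & 0xff);
}
```

Negated entries are applied in the order they appear, so a "!" entry only removes hosts that an earlier positive entry already contributed; the rotation then wraps from .6 back to .1, which is the behaviour the commit message describes.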


# 1.387 19-May-2003 henning

all host() receivers have to test for NULL


# 1.386 19-May-2003 henning

if host() returns NULL, it is an error, so err the fuck out and don't
load bullshit


# 1.385 17-May-2003 henning

support inverse matching on tags like
block in ! tagged sometag

ok dhartmei@ pb@


# 1.384 16-May-2003 dhartmei

TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive end-
point, preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@


# 1.383 15-May-2003 henning

properly complain about too long tags


# 1.382 14-May-2003 frantzen

add scrub modifier "reassemble tcp" to turn on stateful TCP normalizations
ok henning@ dhartmei@


# 1.381 14-May-2003 henning

tagging on binat


# 1.380 14-May-2003 henning

enabled tagging on rdr rules


# 1.379 14-May-2003 henning

with tag/tagged given, only whine about missing keep state on pass rules


# 1.378 14-May-2003 frantzen

allow SCRUB rules to specify protocol again. broken sometime in the past.
okie dhartmei@, yay pb@


# 1.377 14-May-2003 henning

tags on nat rules:
nat on $ext_if all tag humppa -> $ext_if
pass out tagged humppa keep state


# 1.376 13-May-2003 henning

make sure tagging is only ever used with stateful filter rules


# 1.375 13-May-2003 henning

userland part for tagging.
it's now possible to tag packets with an arbitrary tag and filter based on
that tag later on other interfaces:
pass in quick on fxp0 keep state tag blah
pass out quick on wi0 keep state with tag blah
can be used to express trust between interfaces, to distinguish between
NATed connections and connections originating from the firewall itself
and much more

ok dhartmei@ frantzen@ pb@ mcbride@


# 1.374 11-May-2003 mcbride

Don't ntohs() the translation port for nat as it is already in host byte order.
Makes nat ... -> $ext_if port 500 rules work correctly again.

ok henning@ dhartmei@ frantzen@


# 1.373 10-May-2003 henning

support loading of anchors from within the main ruleset via
load anchor anchorname:rulesetname file /path/to/file

ok pb@ dhartmei@ cedric@


# 1.372 03-May-2003 henning

don't free() the char * carrying the rule label too early
noticed by Mathieu Sauve-Frankel <m.sauve at secureops.net> via silc


# 1.371 01-May-2003 henning

ease label handling

ok cedric@


# 1.370 01-May-2003 henning

allow label on antispoof; requested by Gregor Binder <gbinder at sysfive.com>

ok cedric@


# 1.369 30-Apr-2003 cedric

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@


# 1.368 25-Apr-2003 dhartmei

Properly copy the second part of nat proxy port range, when specified.
ok henning@


# 1.367 15-Apr-2003 henning

pass down the unparsed queue opts (struct node_queue_opt) to
print_altq/print_hfsc -> print_hfsc_opts and extract struct node_hfsc_sc
there for each service curve and pass those down to print_hfsc_sc. now
bandwidth specifications in the service curves are printed correct in the
case of a queue belonging to more than one interface/parent queue, the
parent queues having different bandwidths and the bandwith on teh service
curve beeing specified in percent.


# 1.366 14-Apr-2003 henning

let print_altq and print_queue take a struct node_queue_bw parameter instead
of distinct bw_percent


# 1.365 13-Apr-2003 henning

KNF


# 1.364 13-Apr-2003 henning

prevent double service curve specification


# 1.363 13-Apr-2003 henning

add support for the HFSC linkshare, realtime, and upperlimit service curves
to be specified.


# 1.362 13-Apr-2003 dhartmei

unbreak (missing })


# 1.361 13-Apr-2003 henning

say bye bye to hfscflags_list and hfscflags_item
welcome hfscopts_list and hfscopts_item, returning a full struct
node_hfsc_opt instead of just an int for the flags. needed because of all
the opts hfsc knows


# 1.360 13-Apr-2003 henning

new struct node_hfsc_opts for, surprise, hfsc options. needed because they
contain bandwidth specifications and we need to carry the unprocessed bw
specs around for quite some time until we can break them down to absolute
values.


# 1.359 13-Apr-2003 henning

pass down the struct node_queue_opts from the altqif/queuespec yacc targets
to expand_altq/expand_queue -> eval_pfaltq/eval_pfqueue and
further down to the new eval_queue_opts() instead of evaluating them directly
in the yacc grammar.
this will be needed to process the hfsc options which can contain relative
bandwidth specifications, and we can't break them down to an absolute one
earlier.


# 1.358 13-Apr-2003 henning

move the structs node_queue_bw and node_queue_opt to pfctl_parser.h.
let eval_pfqueue() and eval_pfaltq() take a pointer to a struct
node_queue_bw instead of two distinct bw_absolute and bw_percent parameters.


# 1.357 13-Apr-2003 henning

move the bandwidth keyword from within the bandwidth target up to the
queue_opts target so the bandwidth parser can be used for other things too;
will be needed for hfsc's linkshare etc


# 1.356 12-Apr-2003 henning

initial support for the HFSC scheduler.
whoever uses that for more than toying around is on drugs. it's far from done.


# 1.355 11-Apr-2003 henning

KNF


# 1.354 11-Apr-2003 henning

don't set r->qid and r->pqid in expand_rule any more, queue name -> queue ID
mapping is done in kernel land now


# 1.353 07-Apr-2003 dhartmei

Catch and refuse invalid icmp codes (> 255). ok pb@, mpech@.


# 1.352 05-Apr-2003 henning

ease netmask handling a bit

input theo, ok dhartmei@


# 1.351 05-Apr-2003 henning

allow queue specs to be limited to certain interfaces.

altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two }
queue one priority 1 priq(default)
queue two on $if0 priority 15
queue two on ! $if0 priority 0

ok dhartmei@


# 1.350 05-Apr-2003 henning

whitespace KNF


# 1.349 04-Apr-2003 henning

clean up:
instead of letting the lexer interpret '<' '>' '=' '>=' '<=' and return them
as PF_OP_LT, PF_OP_GT etc etc etc in PORTUNARY, just let the lexer return
'<' '>' and '=' literally, and in the few cases where the old PORTUNARY was
really used like originally intended, replace that by a new unaryop yacc
target. in all other cases that gets rid of quite some checks whether PORTUNARY
is really < and nothing else etc etc etc.

ok cedric@ deraadt@


# 1.348 27-Mar-2003 henning

lotsa const char *
from David Hill <david at phobia.ms> a while ago


# 1.347 27-Mar-2003 henning

introduce a "yesno" target. eases code a bit and yes is no longer a keyword.


# 1.346 27-Mar-2003 henning

handle invalid priq/cbq flags better and give a nice error message


# 1.345 27-Mar-2003 henning

default, borrow, ecn, red and rio are no longer keywords. use STRING and
strcmp instead.


# 1.344 27-Mar-2003 henning

switch symset/symget to TAILQ instead of using hand baked lists

ok dhartmei@ cedric@


Revision tags: OPENBSD_3_3_BASE
# 1.343 19-Mar-2003 henning

branches: 1.343.2;
kill the address token and move the host() invocation up to the host token,
so that host() always gets the full address to be parsed including the
netmask instead of applying the netmask afterwards. this could break some
edge cases and was broken since the (interface)/24 fix.
new token dynaddr for, well, dynaddr, and apply an eventually given netmask
afterwards in the host token just in this case.

found after bug report From: Julien Bordet <zejames@greyhats.org> via dhartmei

ok daniel cedric


# 1.342 10-Mar-2003 henning

correctly cope with errors returned by eval_pfqueue and pfctl_add_altq

ok dhartmei@ pb@ (as part of... you know, monsterdiff)


# 1.341 10-Mar-2003 henning

when complaining about a queue without parent, include the queue name in
the error message

ok dhartmei@ pb@ (as part of a monsterdiff)


# 1.340 09-Mar-2003 henning

cope with LOOP_THROUGH modifying the list (queues).
in case of an error in the queue def in question the queues list remains
unmodified, but the LOOP_THROUGH caused a mod anyway, and the list can stay
empty. subsequent checks for NULL which check for an empty list fail then.
fix by adding an explicit check before looping.
fixes regress pfail31
error report by Kamil Andrusz via pb@, testcase from pb@
ok dhartmei@


# 1.339 09-Mar-2003 henning

cope with the fact that LOOP_THROUGH loops once even if the list is empty by
moving the addition of child queues a bit down after the successful
addition of the current queue and an explicit NULL check before looping.
fixes regress pf59
found by kjc@
ok kjc@ cedric@ dhartmei@


# 1.338 08-Mar-2003 henning

fix the obvious:
since we do not modify the struct pf_altq *a any more but our private copy,
we can of course not inherit the scheduler type from it, since it did not
inherit the scheduler type from the parent.
so just inherit the scheduler type from the parent directly...

ok dhartmei@ cedric@


# 1.337 08-Mar-2003 henning

in expand_queue, make a private copy of the struct pf_altq before modifying
it. modifying the original one had undesired side effects if a queue was
expanded to more than one because it belonged to more than one interface

ok pb@ cedric@ dhartmei@


# 1.336 06-Mar-2003 henning

fix queue assignment on filter rules which are not bound to an interface.
when looking up the queue IDs using qname_to_qid, we do not need to limit
the matching on the interface in question, as it is guaranteed that same
named queues on different interfaces have the same queue id. moreover, we
must not limit the matches to the interface if we do not have an interface
given on the filter rule to match on ;-)

found after problems reported by Andre Nathan <andre at v2r dot com dot br>

ok dhartmei@ pb@ cedric@


# 1.335 02-Mar-2003 henning

when printing queues at load time that have bandwidth specified in percent,
print the bandwidth in percent instead of the calculated absolute value.
if a queue belongs to more than one interface and they have different
bandwidth the calculated absolute is of course different per interface.
previously the first calculated absolute value was shown, which of course is
incorrect on the second interface. note that only the print was wrong, the
correct values were passed to the kernel.

ok theo daniel


# 1.334 02-Mar-2003 henning

remove the control keyword for cbq queues.
the control class was a legacy of the original CBQ design by LBL/Sun
to support RSVP.
the control class is not used in openbsd, in the sense that
we don't automatically set filters for ICMP/IGMP/RSVP for the control
class.

ok dhartmei@ kjc@ deraadt@


# 1.333 27-Feb-2003 david

modify error message to match the same 7 sections in pf.conf(5)
ok deraadt@ henning@


# 1.332 26-Feb-2003 henning

in expand_rule, correctly set r->pqid if a priority queue was defined, and
reuse the value of r->qid if not.

ok dhartmei@ mcbride@


# 1.331 25-Feb-2003 henning

some minor KNF my fingers just did...

ok dhartmei@ cedric@


# 1.330 25-Feb-2003 cedric

repair/simplify/flexify binat userland.
ok dhartmei@ henning@


# 1.329 24-Feb-2003 henning

when a macro is redefined, don't bother with reusing the existing entry in
symset() but just prepend a new sym entry to symhead like we always did. as
symget searches the list sequentially, the newest one is picked first.
prevents an endless loop introduced when trying to reuse the existing entry
by an invalid setting for the next pointer.
fixes regress test pf57.

found after conversation with Chris Linn, celinn at mtu dot edu

ok dhartmei@ cedric@


# 1.328 21-Feb-2003 henning

re-allow set loginterface none
ok cedric@ dhartmei@


# 1.327 21-Feb-2003 henning

better error message if set loginterface is called with nonexistent
interface, found by krause (who is doing EXCELLENT work. Thank you very
much!), fix by me, ok dhartmei@ and cedric@


# 1.326 20-Feb-2003 henning

reject nonexistent interfaces in the dynaddr case, noticed during discussion
with jasondixon at myrealbox dot com

ok dhartmei@


# 1.325 19-Feb-2003 dhartmei

Make 'from (kue0)/24' work again (dynamic interface name translation with
a /prefix), reported by Jason Dixon. ok henning@


# 1.324 19-Feb-2003 henning

better error message on icmp version / address family mismatch

ok markus@


# 1.323 18-Feb-2003 henning

fix load option handling (-A, -N, -R) for options.
due to a bug in the loadopt check options were always loaded no matter which
loadopts were specified.
while being there, move the prints for that to where they belong, into the
appropriate pfctl_set_* functions, and thus only print when the options are
actually loaded.
fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier.

ok dhartmei@


# 1.322 17-Feb-2003 henning

"optarg" was a bad pick for the variable name in pfctl_cmdline_symset, it
shadows a global. rename.


# 1.321 17-Feb-2003 mpech

-#include <sys/ioctl.h>

mcbride@, dhartmei@ ok


# 1.320 16-Feb-2003 henning

unneeded {}


# 1.319 16-Feb-2003 henning

throw a syntax error if the portunary operator in varset is not '='
extif>"whatever"
should not be the same as
extif="whatever"
but a syntax error.


# 1.318 14-Feb-2003 dhartmei

Allow route-to loopback interfaces again, since Ryan fixed the loops that
might have occurred before.


# 1.317 14-Feb-2003 cedric

Better and more consistent error message.
Ok dhartmei@


# 1.316 13-Feb-2003 henning

ease the yacc a bit by using a "not" rule instead of having two rules w/ and
without '!' everywhere

ok dhartmei@


# 1.315 12-Feb-2003 henning

KNF after ryan


# 1.314 12-Feb-2003 mcbride

Simplify the code and make the parser handle the different rule types
more consistently.

- Merge expand_nat and expand_rdr into expand_rule
- Merge rdrrule token into natrule

ok concept henning@
ok dhartmei@


# 1.313 11-Feb-2003 henning

allow macro definition on the command line:
pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea
theo), very handy if your notebook has another NIC at some conference, as
well as for debugging etc.
idea rezine@mistrusted.net via pb@
hacked live at FOSDEM

ok pb@ dhartmei@ cedric@


# 1.312 09-Feb-2003 henning

more live code from FOSDEM:
make
pass in proto tcp to port 80
work.
-allow to omit the "any" if you're specifying a port
-allow to omit the from or to part if you want "any" for the other

ok dhartmei@ pb@


# 1.311 09-Feb-2003 henning

KNF


# 1.310 09-Feb-2003 camield

Fix a few warnings and remove unnecessary check and cast.

ok dhartmei henning


# 1.309 08-Feb-2003 dhartmei

Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@


# 1.308 05-Feb-2003 cedric

Fix "pass out dup-to (tun0 1.1.1.1) inet6 all" error message
Allow "pass out dup-to tun0 all"
ok mcbride@ henning@


# 1.307 05-Feb-2003 mcbride

Set the network mask to all 1's if no address is specified for a
route-to/dup-to/reply-to rule. Keeps round-robin from incrementing through
the entire address space.

ok dhartmei@


# 1.306 03-Feb-2003 deraadt

pretty


# 1.305 03-Feb-2003 dhartmei

Don't allow loopback interfaces as route/reply/dup-to targets. ok henning@


# 1.304 03-Feb-2003 cedric

remove loadopt global definition and cleanup a bit.
ok henning@


# 1.303 03-Feb-2003 henning

fix a problem with queue definitions when load options (like -N etc) are
given; they used to check for their parent interface/queue even in this
case.

ok dhartmei@ cedric@


# 1.302 02-Feb-2003 henning

there is no need to pass opts to parse_rules explicitly; it's passed as
part of the struct pfctl.


# 1.301 27-Jan-2003 deraadt

KNF


# 1.300 25-Jan-2003 mcbride

Match changes for rdr port ranges made to pf.c:
- fixes behaviour of rdr on le0 from foo to bar port 1:20 -> (lo0) port 22
- makes calculated mapping more explicit for the -> (lo0) port 22:* case

testing from dhartmei@

ok dhartmei@


# 1.299 25-Jan-2003 cedric

Fix NOACTION with table statements.


# 1.298 25-Jan-2003 cedric

Permit initialisation of a table content from a file in pf.conf.
Cleaning up of the table options parsing, more flexible.
idea+cleanup deraadt@, ok dhartmei@, pass all regress tests.


# 1.297 25-Jan-2003 cedric

Correctly check illegal constructs with tables. Better error messages.
ok dhartmei@ pass all regress tests.


# 1.296 25-Jan-2003 henning

if a table name is too long, it's actually nice to tell so instead of just
aborting with a syntax error


# 1.295 20-Jan-2003 camield

Remove unused argument from print_name() and fix two other nits
found by lint.

ok henning


# 1.294 19-Jan-2003 camield

Spin off label string expansion into a separate function. Clarifies
and tightens all expand_label functions.

ok dhartmei henning


# 1.293 18-Jan-2003 henning

KNF after ryan...


# 1.292 18-Jan-2003 mcbride

Add missing token string and assignment to make static-port work for real.

Diff and report courtesy of mpech@ and form@

ok dhartmei@


# 1.291 17-Jan-2003 camield

bandwith -> bandwidth

YYERROR on failed parseicmpspec()

ok dhartmei mcbride henning


# 1.290 15-Jan-2003 mpech

Typo in yyerror().

henning@


# 1.289 14-Jan-2003 henning

unified IP parser:
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h]
-extend host() to handle /mask itself, plus minor adjustments
-use that in pfctl_table.c instead of coding the same shit again

discussed w/ cedric@
ok cedric@ dhartmei@


# 1.288 13-Jan-2003 camield

err() on all memory allocation failures

ok henning dhartmei


# 1.287 11-Jan-2003 mcbride

Whitespace KNF


# 1.286 09-Jan-2003 henning

no need for explicit numbering in enums

ok dhartmei@


# 1.285 09-Jan-2003 dhartmei

Check return values on the remaining strlcpy/strlcat. ok henning@


# 1.284 09-Jan-2003 henning

minor KNF


# 1.283 09-Jan-2003 cedric

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@


# 1.282 08-Jan-2003 deraadt

check more strlcpy; camield@


# 1.281 07-Jan-2003 dhartmei

Allow underscore at the beginning of strings, fixes
pass all user _spamd
which was refused as syntax error before. Reported by Joe Nall.
ok henning@


# 1.280 07-Jan-2003 dhartmei

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@


# 1.279 06-Jan-2003 mcbride

Fix some oversights with address pools for route-to/dup-to/reply-to
- copy key for src-hash
- copy pool type (pools were being set to round-robin in all cases)

+ some minor knf.

ok dhartmei@


# 1.278 05-Jan-2003 henning

err after calloc failure, not errx


# 1.277 05-Jan-2003 dhartmei

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@


# 1.276 04-Jan-2003 dhartmei

move noroute from flag in pf_rule_addr into type in pf_addr_wrap.
ok henning@, mcbride@


# 1.275 04-Jan-2003 deraadt

I do not know where this policy of "one .h file for every .c file" comes
from, but whoever thought of it is stupid.


# 1.274 03-Jan-2003 dhartmei

whitespace KNF (no, i don't touch the option inits)


# 1.273 03-Jan-2003 cedric

Bring in userland code for accessing PF radix tables.
ok dhartmei@ mcbride@


# 1.272 02-Jan-2003 mcbride

Require a direction to be specified for rules which do routing.

ok dhartmei@ henning@


# 1.271 30-Dec-2002 mcbride

Change ipv6-icmp-type to icmp6-type. pf.conf files will need to be adjusted
to reflect this.

ok dhartmei@ henning@


# 1.270 27-Dec-2002 mcbride

Since pf_norm.c looks at rule.log to see if it should log packets being
dropped due to scrub violations, this adds the ability to set this in
pf.conf.

ok henning@


# 1.269 21-Dec-2002 henning

always initialize rpool.key; diff from Frank Denis; KNF by me


# 1.268 21-Dec-2002 henning

KNF


# 1.267 20-Dec-2002 dhartmei

remove a redundant assignment.


# 1.266 19-Dec-2002 dhartmei

fix 'no rdr'.


# 1.265 18-Dec-2002 henning

more KNF


# 1.264 18-Dec-2002 dhartmei

proto list expansion is not supported in binat-anchor yet, print an error
when attempted.


# 1.263 18-Dec-2002 dhartmei

Support (single) destination port in rdr-anchor rules. Print an error
where parameters are not supported (in rdr-anchor and binat-anchor) yet.
If those are needed, we'll have to expand them properly.


# 1.262 18-Dec-2002 deraadt

fix some INCREDIBLE new bugs which were introduced


# 1.261 17-Dec-2002 henning

add support for the PRIQ scheduler

partially from kjc@

ok kjc@ dhartmei@


# 1.260 17-Dec-2002 mcbride

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule

ok dhartmei@ henning@


# 1.259 17-Dec-2002 henning

missing break in switch


# 1.258 17-Dec-2002 henning

beautify the %type block


# 1.257 17-Dec-2002 henning

PRIQ and HFSC support functions, not yet used.
mostly from kjc@ with adjustments by me.

ok theo ryan daniel


# 1.256 16-Dec-2002 henning

only create a root queue if scheduler = cbq


# 1.255 16-Dec-2002 henning

get full [scheduler]_opts struct instead of just .flags, and wrap it into a
switch (scheduler) statement in one case

inspired by kjc@


# 1.254 13-Dec-2002 henning

allow a second queue for higher prioritized (currently: tos=lowdelay) packets
to be specified per rule

queue (qname, priorized_qname)

idea dhartmei
ok dhartmei@ frantzen@ deraadt@


# 1.253 13-Dec-2002 henning

a bit KNF originally part of another diff soon to come; frantzen@ correctly
pointed out that should be a separate commit.


# 1.252 13-Dec-2002 deraadt

permit re-ordering of some scrub parameters, and also clean up some other
grammar baloney; henning ok


# 1.251 12-Dec-2002 henning

KNF


# 1.250 12-Dec-2002 henning

we don't need to keep a private copy of the queue name in expand_rule,
r->qname is never modified

discussed with dhartmei@


# 1.249 11-Dec-2002 mcbride

Replace strncpy + ugly pointer math with sscanf for reading source-hash keys

ok dhartmei@ henning@


# 1.248 09-Dec-2002 dhartmei

(properly guarded) strcpy() -> strlcpy()


# 1.247 09-Dec-2002 deraadt

do not allow redefinitions in variable option blocks; henning ok


# 1.246 08-Dec-2002 henning

strncpy is evil.


# 1.245 08-Dec-2002 henning

allow flexible options order like Theo did for rules.

idea, lots of input, motivation and ok deraadt@

ATTENTION:
this changes the syntax. the "scheduler" keyword is gone now.
old: altq on $interface scheduler cbq ...
new: altq on $interface cbq ...


# 1.244 07-Dec-2002 dhartmei

Support parameters in anchor rules. Allows conditional evaluation, like:

anchor spews inet proto tcp from any to any port smtp

ok deraadt


# 1.243 07-Dec-2002 henning

more KNF


# 1.242 07-Dec-2002 henning

KNF


# 1.241 07-Dec-2002 henning

shadow cleanup

ok mcbride@ frantzen@


# 1.240 07-Dec-2002 henning

kill an unused param to lungetc


# 1.239 07-Dec-2002 mcbride

Convert the hash of a string key to network byte order. Makes regression
work on all platforms.

Bug found by dhartmei@

ok dhartmei@ henning@


# 1.238 06-Dec-2002 dhartmei

Remove negated address list check again, doesn't work right yet.


# 1.237 06-Dec-2002 dhartmei

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@


# 1.236 05-Dec-2002 henning

fix a small cosmetic problem. if ifa_lookup was called in LOOKUP_NET mode,
it would return things like 127.0.0.1/8. when 127.0.0.1/8 is passed through
the new selftests, it becomes 127.0.0.0/8.
fix: instead of just copying addr.mask in ifa_lookup, use set_ipmask, so it
is 127.0.0.0/8 from the beginning on.


# 1.235 05-Dec-2002 henning

-quote varset in -v output
-don't add 's' in set timeout -v output

makes the feedback regression tests succeed.

ok markus@ mcbride@


# 1.234 04-Dec-2002 henning

in host(), apply a given netmask to all members of the node_host list
returned by ifa_lookup().

reported by Alejandro G. Belluscio

ok dhartmei@


# 1.233 04-Dec-2002 deraadt

do not warn for unused variables except with -v -v; henning ok


# 1.232 02-Dec-2002 henning

KNF


# 1.231 02-Dec-2002 deraadt

permit more flexible pass/block lines. the options given at the end of
a line can now be placed in any order, and some merging of duplicate options
is also done. this is easier to use.


# 1.230 02-Dec-2002 henning

allow for "altq on $interface" without specifying a bandwidth. The
interface's bandwidth is taken then.
as a side-effect, "altq on $interface bandwidth xx%" is also possible now,
it's relative to the interface's bandwidth then.

ok theo


# 1.229 30-Nov-2002 mickey

move damn unmask() proto into place as well


# 1.228 29-Nov-2002 henning

coredumps are not nice.
deal with the fact that when we are merging the lists in host_list both can
be NULL.
found at EuroBSDCon 2002 while I was explaining the expansion process to
Paul de Weerd

ok dhartmei@


# 1.227 29-Nov-2002 henning

print queuespec only once in verbose mode, even if referenced more often


# 1.226 29-Nov-2002 henning

FREE_LIST nqueues later; can be used more than once


# 1.225 28-Nov-2002 henning

allow qlimit on altq spec


# 1.224 28-Nov-2002 mcbride

- Adjust to match replacement of md5 with pf_hash
- Allow keys to be specified in hex (must be 128 bits, mainly to make
pfctl -v output parseable by pfctl) or as a string. Randomly generate key
if one is not specified.

Suggestions and fixes from camield@

ok mickey@ camield@ henning@


# 1.223 27-Nov-2002 henning

handle the "no bandwidth specified" case earlier and easier.


# 1.222 27-Nov-2002 henning

-use a #define for default qlimit instead of hardcoding it
-print qlimit in print_queue if it is not the default one
-assign the default qlimit early in the parser instead of using 0


# 1.221 27-Nov-2002 henning

next round in print fixes:
-only print priority if it is not equal to the default one
-space handling overhaul


# 1.220 27-Nov-2002 henning

use a #define for default priority instead of hardcoding it


# 1.219 27-Nov-2002 henning

fix tbrsize spec


# 1.218 27-Nov-2002 henning

fix error message for altq ifspec without child queues


# 1.217 26-Nov-2002 henning

make bandwidth specification on queue truly optional


# 1.216 26-Nov-2002 henning

queue comes before NAT


# 1.215 25-Nov-2002 henning

repair decide_address_family
you cannot just take the first address family you meet as rule's address
family... either all are equal, or the rule has no explicit AF.

found by danh@
ok theo


# 1.214 25-Nov-2002 mickey

for loN and link1 translate the iface into address properly; henning@ ok


# 1.213 25-Nov-2002 henning

1Kb = 1000b, not 1024; as discussed with kjc@ and theo


# 1.212 25-Nov-2002 henning

KNF


# 1.211 24-Nov-2002 pb

enforce that queue comes right before filtering
'options, normalization, translation, queue, filter' now

henning@ ok


# 1.210 24-Nov-2002 dhartmei

Cosmetics and removal of a redundant code block.


# 1.209 23-Nov-2002 deraadt

sigh


# 1.208 23-Nov-2002 henning

KNF


# 1.207 23-Nov-2002 henning

better error checking in expand_queue


# 1.206 23-Nov-2002 henning

easier


# 1.205 23-Nov-2002 mcbride

Daniel's diff to untangle my mess with ifa_pick_ips like so:

- add decide_address_family() which runs through the list to find hosts
with the af set
- replace ifa_pick_ips with remove_invalid_hosts() which removes hosts with
the wrong address family from the list

from/ok dhartmei@


# 1.204 23-Nov-2002 henning

better error checking, round 1
this time in expand_altq


# 1.203 23-Nov-2002 henning

KNF


# 1.202 23-Nov-2002 deraadt

KNF


# 1.201 23-Nov-2002 dhartmei

$$->ifname is NULL, leave it NULL, don't $$->ifname[0] = 0;


# 1.200 23-Nov-2002 mcbride

Fix brokenness in parse.y, clean up:
- remove requirement for ( ) in route-to ( if )
- calloc route_host
- initialise route_host->next
- globally convert malloc to calloc

ok dhartmei@


# 1.199 23-Nov-2002 mcbride

code to support loading of pf rules with multiple redirection addresses
(in nat, rdr, route-to, dup-to and reply-to)

Syntax looks like this, see pf.conf(5) for details:

nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
192.168.0.16/29 source-hash random

rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
{ 192.168.0.8/31, 192.168.0.15 } port 22 round-robin

ok dhartmei@ henning@


# 1.198 22-Nov-2002 henning

print altq and queue lines in the pfctl -v case including the child queue
assignment


# 1.197 19-Nov-2002 henning

only take cbq opts from schedtype if type=CBQ


# 1.196 19-Nov-2002 henning

repair queuespec syntax glitch, theo agrees


# 1.195 19-Nov-2002 henning

default priority is 1, not 0
found by pb@


# 1.194 19-Nov-2002 camield

- match 'Gb' case-sensitively
- match "%" unit only, not "%crap"

ok henning@


# 1.193 19-Nov-2002 wilfried

icmp-type was off by one, ok henning@


# 1.192 18-Nov-2002 deraadt

no; do not use };


# 1.191 18-Nov-2002 henning

more using strl* return values instead of strlen calls


# 1.190 18-Nov-2002 henning

easier "queue name too long" detection; from theo


# 1.189 18-Nov-2002 deraadt

KNF


# 1.188 18-Nov-2002 deraadt

KNF


# 1.187 18-Nov-2002 henning

altq and pf merged

this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documentation yet, but committing now
enables a few more people to work on.

print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.

"commit now" theo philipp daniel


# 1.186 13-Nov-2002 henning

as scrub rules end up in a struct pf_rule just call expand_rule instead of
handcrafting this.
has quite a few positive side effects:
-interface list expansion works (fries@ asked for that)
-can specify address family, very helpful with dynamic interface expansion
(pointed out by daniel)
-src/dst ip/port list expansion works
-fixes a long standing, scary, though never noticed bug:
scrub out on lo1 from any to 10.0.0.1
expanded to
scrub out on lo1 all
... this bug was there from day #1.

"sneaky diff of the month award" dhartmei@


# 1.185 13-Nov-2002 dhartmei

Add label macro $if, as we support {} list expansion for interfaces now.
From David Gwynne. ok henning@, camield@


# 1.184 13-Nov-2002 dhartmei

Initialize tail pointer to node, found by fries@


# 1.183 08-Nov-2002 henning

init buf to NULL just in case...
there isn't a single codepath where it can remain uninitialized, but this
might prevent a stupid bug if we change something later


# 1.182 07-Nov-2002 henning

move the ifa_exists block a bit up in host()
inspired by mpech@ pointing out a missing free(buf). so handle the
it-is-an-interface case where we don't need the buf before allocating memory.


# 1.181 04-Nov-2002 henning

welcome to CIDR world, pfctl!

use inet_net_pton to parse IP addresses.
stuff like
block in from 10/8 to any
works now.

some input camield@ and dhartmei@

ok dhartmei@, camield@, mcbride@


# 1.180 02-Nov-2002 dhartmei

%i -> %d, matches the style of existing code, from millert@


# 1.179 02-Nov-2002 dhartmei

printf int with %i, not %u. from pilot@monkey.org.


# 1.178 30-Oct-2002 henning

simplify


# 1.177 30-Oct-2002 henning

fix interface expansion. since the reversed list expansion code was
committed this was broken, only the first IP address was returned.

pointed out by danh@, who sent an excellent bug report.

ok dhartmei@


# 1.176 29-Oct-2002 henning

introduce
set require-order [yes|no]
default is yes.
with set to "no", it isn't required to have the rules in order (options,
scrub, nat, filter) any more, though of course NATing still happens before
filtering and so on, so one has to take care.

ok camield@ mcbride@ dhartmei@
idea discussed with a whole lotta more people and basically ok for everyone ;-)


# 1.175 27-Oct-2002 henning

remove the "flags X" syntax.
no one who wrote "flags S" meant that, but actually something like "flags
S/SA". with "flags S" changing its actual meaning as more flags got
supported, things got worse.

ok dhartmei@, pb@


# 1.174 22-Oct-2002 mpech

%ul -> %lu

dhartmei@ ok


# 1.173 22-Oct-2002 mcbride

More conversion of "int af" and "u_int8_t af" declarations and function
arguments to the more correct and descriptive "sa_family_t af"

ok dhartmei@ henning@


# 1.172 22-Oct-2002 camield

Rename ipmask to set_ipmask and add some functionality: the netmask
is applied immediately to the address.

This way, the parsed rules output shows exactly which bits of an
address are significant for a match and errors due to wrong netmasks
can be spotted more easily.

Example:
$ pfctl -nvf -
pass in on lo0 from 172.17.0.0/12 to any
@0 pass in on lo0 inet from 172.16.0.0/12 to any

idea refined by dhartmei@
ok frantzen@ henning@


# 1.171 17-Oct-2002 mcbride

These checks are also made in nat_consistent() and rdr_consistent().

ok dhartmei@ henning@


# 1.170 17-Oct-2002 camield

- accept all protocols that are specified by number if they are in
the valid range (also when they're not listed in /etc/protocols)
- explicitly disallow protocol number 0, because it has special meaning
to pf

ok dhartmei@ henning@


# 1.169 16-Oct-2002 mpech

Fix and improve binat mask comparison.

dhartmei@, henning@ ok


# 1.168 14-Oct-2002 henning

Allow one to specify a netblock in a binat rule:

binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27

Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.

from ryan

ok dhartmei@
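
As an added illustration of the combining rule described in this message (example code, not pfctl's own implementation): the translated address keeps the host bits of the source and takes the network bits from the redirect address, and a rule whose two masks differ is rejected. The function names, the uint32_t mask helper and the extra sample addresses are mine; the rule itself is the one quoted above.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Host-order IPv4 netmask for a prefix length; never shifts by 32. */
static uint32_t
v4_mask(int prefix)
{
	if (prefix <= 0)
		return 0;
	if (prefix >= 32)
		return 0xffffffffU;
	return 0xffffffffU << (32 - prefix);
}

/*
 * Translate src according to "binat ... from src_net/prefix ... ->
 * rdr_net/prefix": keep the host part of src, take the network part
 * from rdr_net. Both prefixes must be equal (the rule is rejected
 * otherwise) and src must lie inside src_net. Returns 0 on success,
 * -1 on a bad rule or an address the rule does not cover.
 */
static int
binat_translate(const char *src, const char *src_net, int src_prefix,
    const char *rdr_net, int rdr_prefix, char *out, size_t outlen)
{
	struct in_addr s, sn, rn, res;
	uint32_t mask, hs;

	if (src_prefix != rdr_prefix || src_prefix < 0 || src_prefix > 32)
		return -1;
	if (inet_pton(AF_INET, src, &s) != 1 ||
	    inet_pton(AF_INET, src_net, &sn) != 1 ||
	    inet_pton(AF_INET, rdr_net, &rn) != 1)
		return -1;
	mask = v4_mask(src_prefix);
	hs = ntohl(s.s_addr);
	if ((hs & mask) != (ntohl(sn.s_addr) & mask))
		return -1;	/* src is not in the binat source network */
	res.s_addr = htonl((ntohl(rn.s_addr) & mask) | (hs & ~mask));
	if (inet_ntop(AF_INET, &res, out, outlen) == NULL)
		return -1;
	return 0;
}

/* Convenience check: does src translate to want under this rule? */
static int
binat_equals(const char *src, const char *src_net, int src_prefix,
    const char *rdr_net, int rdr_prefix, const char *want)
{
	char buf[INET_ADDRSTRLEN];

	if (binat_translate(src, src_net, src_prefix, rdr_net, rdr_prefix,
	    buf, sizeof(buf)) != 0)
		return 0;
	return strcmp(buf, want) == 0;
}

int
main(void)
{
	char buf[INET_ADDRSTRLEN];

	/* constructed input: the rule from the commit message */
	if (binat_translate("192.168.0.37", "192.168.0.32", 27,
	    "10.0.7.128", 27, buf, sizeof(buf)) == 0)
		printf("192.168.0.37 -> %s\n", buf);
	return 0;
}
```

With the /27 rule above, 192.168.0.37 (host bits 5) becomes 10.0.7.133, and a rule written with /27 on one side and /24 on the other is refused before any address is touched.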


# 1.167 11-Oct-2002 camield

When a macro cannot be expanded because it is not defined, say so. Also warn
about unused macros.

ok dhartmei@ henning@


# 1.166 11-Oct-2002 camield

In lgetc(), compress strings of whitespace to a single space. This makes
macros come out right in verbose mode and is less functional overhead.

Also err on whitespace after a backslash. That type of error is hard to
find otherwise.

ok dhartmei@ henning@


# 1.165 08-Oct-2002 vincent

remove <0 checks on unsigned numbers.

ok henning@


# 1.164 07-Oct-2002 dhartmei

-Wsign-compare clean


# 1.163 07-Oct-2002 dhartmei

Two cases of const-correctness and make one global local.


# 1.162 07-Oct-2002 henning

set block-policy [drop|return]
drop is default, same behaviour as before

support
block drop
to override a return policy


# 1.161 07-Oct-2002 henning

support a generic return
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else

ok dhartmei@


# 1.160 07-Oct-2002 henning

make return-icmp work for rules covering both v4 and v6
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)

ok and some input dhartmei@


# 1.159 07-Oct-2002 henning

use a new rule_flag PFRULE_RETURNICMP to decide whether to return-icmp or not
instead of just testing return_icmp > 0

ok dhartmei@


# 1.158 07-Oct-2002 dhartmei

Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.


# 1.157 06-Oct-2002 dhartmei

Move CHECK_ROOT into LOOP_THROUGH, gets rid of one macro and saves
several lines, no functional difference. From Camiel Dobbelaar.


# 1.156 05-Oct-2002 dhartmei

Expand {} lists from left to right, so 'pass in from { a, b } to any'
becomes '@0 pass in from a to any @1 pass in from b to any' instead of
the other way around. Patch from Camiel Dobbelaar.


# 1.155 05-Oct-2002 dhartmei

Allow filtering based on IP header's tos field.


Revision tags: OPENBSD_3_2_BASE
# 1.154 22-Sep-2002 henning

little KNF: return(something) -> return (something)


# 1.153 22-Sep-2002 henning

fix linenumber counting in findeol, and simplify by ignoring the \ case,
that's already handled earlier.
fast-forward on erroneous lines

partially from camield@, parts result of a discussion with Mike

ok frantzen@ dhartmei@


# 1.152 22-Sep-2002 henning

antispoof, take 2.
also block incoming packets with our own IP as src.

discussion & help frantzen

ok ho@ dhartmei@ frantzen@


# 1.151 17-Sep-2002 henning

easier "self" implementation.
no functional changes

ok pb@


# 1.150 15-Sep-2002 henning

set a netmask in the dynaddr case
noticed by <han@mijncomputer.nl>

ok pb@


# 1.149 14-Sep-2002 henning

bit more clue in rdr/nat rules wrt address family examination
don't take the af from host_node structs based on interface lookups, most
interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will
at least have one IP address specified from which we take the af for the
whole rule. The rare exceptional cases require the user to specify the af.

ok frantzen@


# 1.148 12-Sep-2002 henning

check for calloc() failure; ho@


# 1.147 12-Sep-2002 henning

antispoof [log] [quick] for [interface|interface_list] [af]

e.g.

antispoof log quick for { dc0, dc1 } inet

docs & regress coming

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@
IPv6 help itojun@

finally, a long story finds its happy end here.


# 1.146 12-Sep-2002 henning

rework netmask handling:
-don't set netmask in host token handler
-clear netmask in ipmask() proper before setting it
-in ifa_load(), also store interface's netmask and broadcast address
-allow ifa_lookup() to return either the interface's IP address(es), network(s)
or broadcast address(es) - not used anywhere yet. This implies that
ifa_lookup() also returns the netmask now.
-host() returns netmasks, too

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@


# 1.145 08-Sep-2002 henning

be more clueful wrt address family in nat/rdr rules.
behaviour noticed by Paul de Weerd, thanks!

ok dhartmei@


# 1.144 02-Sep-2002 dhartmei

Fix parsing of port ranges in translation rules (port a:b -> port c:d).
ok henning@


# 1.143 02-Sep-2002 dhartmei

Make sure the interface specified with route-to/dup-to/fastroute exists
and null-terminate the interface name. Found by Michael Wallis.
ok henning@


# 1.142 20-Aug-2002 dhartmei

Increase lineno on newlines inside multi-line macro definitions, otherwise
errors on subsequent lines are reported with wrong line numbers.
From Paul B. Henson.


# 1.141 16-Aug-2002 henning

kill duplicated check for '(' and ')' in allowed_in_string


# 1.140 12-Aug-2002 dhartmei

Catch null pointer deref (segfault), from wilfried@


# 1.139 06-Aug-2002 henning

missing free(), mpech@
ok pb@


# 1.138 06-Aug-2002 henning

check for strdup() allocation errors

pointed out by mpech@
ok pb@


# 1.137 31-Jul-2002 henning

KNF, esp. missing prototypes


# 1.136 30-Jul-2002 henning

grmpf.
in some cases, on non-tcp rules flags weren't reset. cosmetic-only
problem. but, well, checking for r->flags and r->flagset if we could have
assigned them zero just one round ago is just stupid, and it's not needed to
check them at all.

ok pb@, dhartmei@


# 1.135 30-Jul-2002 henning

allow to specify flags on all rules that include tcp.

these are valid:

pass in from any to any flags S
pass in proto { tcp, udp, icmp } from any to any flags S
pass in proto tcp from any to any flags S

these are invalid:

pass in proto { udp, icmp } from any to any flags S
pass in proto udp from any to any flags S

ok "I've lost my slacker status for at least a week" frantzen@
ok pb@, dhartmei@, deraadt@


# 1.134 26-Jul-2002 henning

make the order of log and quick irrelevant. now both
block in log quick all
and
block in quick log all
work.

ok dhartmei@, deraadt@


# 1.133 23-Jul-2002 henning

timeout_list/_spec and limit_list/_spec don't return anything -> no %type.

ok theo


# 1.132 21-Jul-2002 deraadt

fix route-to also


# 1.131 21-Jul-2002 deraadt

make the , optional in many places. This makes string concat a lot more
useful. Now you can
in = ssh domain www
out = $in ftp finger
pass in proto tcp from any to any port { $in }
pass out proto tcp from any to any port { $out }
a poor example, but the idea is obvious


# 1.130 21-Jul-2002 deraadt

string concat, ie.
a=a b
c=$a $a


# 1.129 20-Jul-2002 deraadt

minor indent tweaks


# 1.128 20-Jul-2002 deraadt

properly split yacc and lex use


# 1.127 19-Jul-2002 deraadt

minor tweaks, sigh


# 1.126 19-Jul-2002 dhartmei

And back out the last change again.


# 1.125 19-Jul-2002 henning

rework the interface lookup routines internals.
less and easier code than before.
no functional changes.

ok frantzen@, dhartmei@


# 1.124 19-Jul-2002 dhartmei

Support # comments at the end of lines and inside (multi-line) string
literals, so you can do things like

macro="{ foo, # first entry
bar, # second entry
baz }" # last entry

or

pass in on $ext_if \ # external interface
proto tcp \ # TCP connections
from any to $ext_if \ # to the gateway itself
keep state

And sneaking in two minor fixes for KNF.


# 1.123 19-Jul-2002 henning

deal with the fact that the struct node_host ifa_pick_ip gets is not always
the result of an interface expansion. in this case ifa_pick_ip does an
address family check (that's actually a (wanted) side effect). Thus, we need
to spit out a meaningful error message in case of a mismatch.
also adjust all the other error messages, they were also assuming that nh is
the result of an interface expansion.
after a looooong discussion on icb (dhartmei@, pb@, me) we agreed on the term
"translation address" for that.

okay dhartmei@


# 1.122 17-Jul-2002 henning

support "self" as address. self expands to all IPv4 and IPv6 addresses of
the machine, on all interfaces. I wanted
block in log on ! lo0 from any to self
for years, and now it's possible.

ok "I may lose my slacking status if I OK it" frantzen@
ok dhartmei@

documentation in pf.conf.5 to come with pb@'s rewrite


# 1.121 16-Jul-2002 dhartmei

Add nat_consistent() and rdr_consistent() for checks that should occur
after rule expansion, similar to rule_consistent(). Fixes the
non-effective test for rdr rules for non-TCP/UDP protocols with ports,
found by mpech@, ok frantzen@


# 1.120 15-Jul-2002 henning

add support for
pass|block on ! $interface ...

ok dhartmei@

will be documented in pf.conf(5) by "I'm not slacking!" pb@ who's currently
reworking this manpage


# 1.119 15-Jul-2002 pb

cosmetics/consolidations to manpage in yyerror()s

ok henning@, dhartmei@


# 1.118 15-Jul-2002 henning

o complain about keep state on block rules
o complain about return-rst on rules which aren't limited to tcp

pointed out by not-slacking-but-testing pb@

ok pb@, dhartmei@


# 1.117 13-Jul-2002 henning

add list expansion for interface and proto in nat rules and for proto in rdr
rules (interface was already there). since the nat.conf/pf.conf merge the
parser accepted these but didn't expand them. ugh.

ok dhartmei@


# 1.116 09-Jul-2002 itojun

check sin6_scope_id field, just in case we change the routing socket API
for scoped address (unlikely due to the deployed codebase...).


# 1.115 09-Jul-2002 itojun

getifaddrs(3) grabs link-local addrs in kernel internal form, convert them
into proper sockaddr_in6.


# 1.114 09-Jul-2002 henning

rework the interface-to-IP routines.

you can use interface names instead of an IP in most places. However, until
now, it was only expanded to the interface's first IPv4 address if existent
(and address family unset or inet) and the first IPv6 address otherwise.

this diff changes that. the interface is properly expanded to all IPs, IPv4
_and_ IPv6, now.

it also cleans up the lookup procedures (well, in fact, they are replaced by
a new one), there's no need for different procedures for IPv4 and IPv6. we
now just have one list of interfaces (AF_LINK) and one list with IPs
(AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and
ifa_lookup.

nat, rdr & friends now use the new function ifa_pick_ip to get the IP in
rules like

nat on $interface from $whatever to any -> $interface

ifa_pick_ip tries to be smart.
if the interface has only one IP address and the nat rule doesn't specify an
address family (or it matches with this address), take this one.
If the address family is specified in the nat rule and there is only one IP
for the given address family, this one is used. if the address family is not
specified and there is more than one IP pfctl throws an error. The same
applies for multiple IPs per address family.

This causes regression tests 18 and 20 to fail because the address family
isn't specified there; diff for those coming.

also fix some prototypes while I'm here.

pb@ found another problem while testing that we must have introduced somewhat
after 3.1.

$cat t
nat on ne3 from any to any -> 213.128.133.5
$pfctl -nvf t
nat on ne3 all -> ?

it's only a representation bug as far as I've checked, nonetheless it should
be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just
steal its target's IP af and set the rule's af accordingly. then inet_ntop
does play nice.
binat rules already enforce having an address family set always and thus are
not affected.

ok dhartmei@, pb@, kjell@
"It looks good" frantzen@


# 1.113 08-Jul-2002 dhartmei

Don't allow 'flags' option in non-TCP rules, found by mpech@


# 1.112 05-Jul-2002 henning

unbreak.


# 1.111 05-Jul-2002 henning

another small bug I found while installing a -current pf firewall.
we don't support

pass/block in on ! <interface>

(at least, not yet)
let the parser complain instead of ignoring the '!'

ok pb@, dhartmei@


# 1.110 01-Jul-2002 espie

streamline parse buffer handling (no need to copy value that is not
going to go away).

add explicit pushback buffer, to be able to push IPv6 failed parses back.

handle pushback + parse buffer interactions by using negative indices.

okay dhartmei@, deraadt@


# 1.109 01-Jul-2002 deraadt

KNF


# 1.108 28-Jun-2002 dhartmei

Don't check for address family conflicts in nat/rdr before expansion,
rules will expand to all valid combinations, and there's an error when
none is found. Makes "nat on tun0 from 10.0.0.0/8 to any -> (tun0)"
work (again).


# 1.107 25-Jun-2002 henning

move pfctl options -t, -m, -O and -l to pf.conf. These are set using the
"set" keyword. example rulefile:

set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all

fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@


# 1.106 24-Jun-2002 dhartmei

Use interface when specified in scrub rule. No support for ! or {} yet.


# 1.105 23-Jun-2002 deraadt

uid_t and gid_t are unsigned


# 1.104 20-Jun-2002 dhartmei

Copy address family from inet/inet6 keyword, if specified.


# 1.103 18-Jun-2002 frantzen

propagate a '!' when a host resolves to multiple IP addresses
ok dhartmei@


# 1.102 18-Jun-2002 frantzen

don't allow individual keep state rules to specify timeouts for 'interval' and
'frag' -- they aren't applied anyway
ok dhartmei@ and henning@


# 1.101 16-Jun-2002 aaron

Rules must in order -> Rules must be in order


# 1.100 15-Jun-2002 dhartmei

Reset rulestate in parse_rules(), so consecutive calls (like from authpf)
will not fail. Reported by Chris Kuethe.


# 1.99 13-Jun-2002 kjell

Fix the numbering of scrub rules. pointed out and oked by frantzen@


# 1.98 12-Jun-2002 kjell

Fix uninitialized access. Spotted by danh@ This is a good reason to
develop with "ln -s 'J' /etc/malloc.conf" enabled.
ok henning@


# 1.97 11-Jun-2002 frantzen

split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@. the rest are slacking


# 1.96 11-Jun-2002 frantzen

SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@


# 1.95 11-Jun-2002 dhartmei

Make NAT proxy port range configurable per rule, for instance privileged
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@


# 1.94 10-Jun-2002 kjell

Merge the NAT and rules files into a single rulefile. Rules must be
in this order, to remove any ambiguity about what order things happen in:

scrub rules
nat rules
filter rules

The -N and -R modifiers go away. Rulefiles are now loaded with the
more POSIXly-correct '-f'

ok frantzen@


# 1.93 10-Jun-2002 dhartmei

Allow ports to be specified in nat rules, useful later on for individual
proxy port ranges.


# 1.92 10-Jun-2002 dhartmei

Move enum out of struct (gcc 3.1 wasn't happy), from David Krause


# 1.91 10-Jun-2002 kjell

split scrub rule processing into its own yacc target,
for imminent config file merge. ok frantzen@


# 1.90 09-Jun-2002 dhartmei

Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it
includes ports and operator.


# 1.89 09-Jun-2002 deraadt

spaced out developers...


# 1.88 09-Jun-2002 kjell

Add list parsing in RDR rules: e.g.

rdr on $IFLIST proto tcp from $SRC_LIST to $DST_LIST port 21 \
-> 127.0.0.1 port 8021

ok dhartmei@


# 1.87 08-Jun-2002 henning

nuke unused parameter af to expand_label_port
ok dhartmei@, pb@


# 1.86 08-Jun-2002 dhartmei

Change remaining read-only lookup tables to const, suggestion drahn@


# 1.85 08-Jun-2002 itojun

comment on IPv6 link-local twists


# 1.84 08-Jun-2002 kjell

add list expansion to src/dest in NAT rules. i.e.

nat on fxp0 from { 10.0.0.0/24, 10.0.1.0/24 } to \
{ 172.6.1.1, 172.14.1.2/32 } -> fxp0

ok theo, dhartmei@


# 1.83 08-Jun-2002 henning

remove macro concatenation via += per Theo's advice


# 1.82 08-Jun-2002 henning

allow macro concatenation like
webservers = "{ 10.0.0.1, 10.0.0.7, 10.0.0.8, "
webservers += " 10.0.0.17, 10.0.0.25, 10.0.0.37 }"
ok frantzen@, dhartmei@


# 1.81 08-Jun-2002 dhartmei

Make state timeouts configurable per rule, like

pass in from any to any port www keep state (tcp.established 60)

ok frantzen@


# 1.80 08-Jun-2002 henning

expand $nr -> rule number in rule labels
okay dhartmei@, frantzen@


# 1.79 08-Jun-2002 henning

expand $proto in rule labels
okay frantzen@ dhartmei@


# 1.78 07-Jun-2002 dhartmei

Handle realloc() failure gracefully. Terminates with err() anyway in this
case, but we don't want to trigger "p = realloc(p," grepping causing false
alarms here.


# 1.77 07-Jun-2002 deraadt

henning, read this to see what i mean by KNF


# 1.76 07-Jun-2002 pb

add the possibility to configure a TTL while return-rst

ok dhartmei@, ipv6 part itojun@ ok


# 1.75 07-Jun-2002 dhartmei

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@


# 1.74 07-Jun-2002 henning

allow using $srcaddr, $srcport, $dstaddr and $dstport in rule labels,
evaluated at parse time.
ok dhartmei@


# 1.73 07-Jun-2002 itojun

make IPv6 scope identification work for dst (from any to fe80::1%lo0)


# 1.72 07-Jun-2002 itojun

support scoped IPv6 address in from/to portion.


# 1.71 01-Jun-2002 hugh

ECN flag support for pf. Committed in consultation with Daniel.


# 1.70 24-May-2002 dhartmei

Support mixed (IPv4/v6) address lists, expand to all possible and valid
combinations. 'pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }' will
expand to two rules, 'from 10.1.2.3 to 10.4.5.6' and 'from ::1 to ::2'.
Also applies to host name resolution (when multiple addresses are returned
for one name). ok frantzen@, itojun@
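
The expansion this message describes, together with the left-to-right ordering that revision 1.156 later settled on, as an added example (my own C, not pfctl's expand_rule()): every (source, destination) pair is generated in list order and pairs whose address families conflict are dropped, so the mixed list above yields exactly the two rules named. The struct layouts, addr_af() and the helper names are mine; the addresses are the ones from the commit message.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* One element of a { ... } list after resolution: family plus text. */
struct node_host {
	int		 af;	/* AF_INET, AF_INET6, or 0 when unset */
	const char	*addr;
};

struct rule {
	int		 af;
	const char	*src;
	const char	*dst;
};

/* Classify a literal address; 0 if it is neither IPv4 nor IPv6. */
static int
addr_af(const char *s)
{
	unsigned char buf[16];

	if (inet_pton(AF_INET, s, buf) == 1)
		return AF_INET;
	if (inet_pton(AF_INET6, s, buf) == 1)
		return AF_INET6;
	return 0;
}

/*
 * Expand "from { src list } to { dst list }" into one rule per valid
 * (src, dst) pair, left to right (first src with every dst, then the
 * next src), skipping pairs whose address families conflict.
 * Returns the number of rules written, or -1 if out is too small.
 */
static int
expand_rules(const struct node_host *src, int nsrc,
    const struct node_host *dst, int ndst, struct rule *out, int maxout)
{
	int i, j, n = 0;

	for (i = 0; i < nsrc; i++)
		for (j = 0; j < ndst; j++) {
			if (src[i].af && dst[j].af && src[i].af != dst[j].af)
				continue;	/* pf cannot match v4 <-> v6 */
			if (n == maxout)
				return -1;
			out[n].af = src[i].af ? src[i].af : dst[j].af;
			out[n].src = src[i].addr;
			out[n].dst = dst[j].addr;
			n++;
		}
	return n;	/* 0 means no valid combination: a rule error */
}

/* Constructed input: 'pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }'. */
static int
expand_example(struct rule *out, int maxout)
{
	static const char *s[] = { "10.1.2.3", "::1" };
	static const char *d[] = { "10.4.5.6", "::2" };
	struct node_host src[2], dst[2];
	int i;

	for (i = 0; i < 2; i++) {
		src[i].af = addr_af(s[i]); src[i].addr = s[i];
		dst[i].af = addr_af(d[i]); dst[i].addr = d[i];
	}
	return expand_rules(src, 2, dst, 2, out, maxout);
}

/* Number of rules the example expands to with room for maxout (<= 4). */
static int
example_count(int maxout)
{
	struct rule r[4];

	return expand_example(r, maxout > 4 ? 4 : maxout);
}

/* Does rule i of the expanded example match the expected triple? */
static int
example_rule_is(int i, const char *src, const char *dst, int af)
{
	struct rule r[4];
	int n = expand_example(r, 4);

	if (i < 0 || i >= n)
		return 0;
	return r[i].af == af && strcmp(r[i].src, src) == 0 &&
	    strcmp(r[i].dst, dst) == 0;
}
```

Rule 0 is 'inet from 10.1.2.3 to 10.4.5.6' and rule 1 is 'inet6 from ::1 to ::2'; the two cross-family pairs never reach the output.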


# 1.69 23-May-2002 deraadt

tiny KNF, some malloc checks, etc


# 1.68 23-May-2002 itojun

new_addr is not used from anywhere. daniel@benzedrine.cx ok


# 1.67 19-May-2002 deraadt

KNF


# 1.66 12-May-2002 dhartmei

Explain that user/group 'unknown' can only be used with operators = and !=
and refuse other constructs in the parser. Also note that 'user >= 0' does
not match forwarded packets with unknown user ID.


# 1.65 12-May-2002 dhartmei

Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.


# 1.64 10-May-2002 dhartmei

Handle host name resolution returning multiple addresses in the rule
parser (expand to every address). ok frantzen@


# 1.63 09-May-2002 jasoni

Add a max-mss option to the scrub rule which will enforce a maximum mss
by lowering it to the given value.
- ok dhartmei@, provos@


# 1.62 09-May-2002 dhartmei

Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.


# 1.61 24-Apr-2002 dhartmei

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).


# 1.60 23-Apr-2002 dhartmei

Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.


# 1.59 18-Apr-2002 deraadt

use strlcpy


# 1.58 17-Apr-2002 dhartmei

Reset lineno for each file, so pfctl -R ... -N ... reports the right
line number for non-first files. Reported by aaron@


Revision tags: OPENBSD_3_1_BASE
# 1.57 27-Mar-2002 mickey

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok


# 1.56 27-Feb-2002 dhartmei

Instead of printing useless @0 rule numbers from pfctl -vR, increase a
counter. Helps debugging rule sets that are not loaded. Suggested by
John Kerbawy.


# 1.55 11-Jan-2002 mickey

use bsearch() for keywords lookup, swap couple of entries to make the keywords array sorted and add a comment to keep it that way; dhartmei@ ok


# 1.54 10-Jan-2002 hugh

Let port 0 be specified as it's not special here.
Agreement with Daniel and others.


# 1.53 09-Jan-2002 mpech

Port must be >0 and <=65535. Idea while having fun with ssh.

dhartmei@ ok


# 1.52 09-Jan-2002 mpech

free() 'interface' in {nat,binat,rdr}rule

dhartmei@ ok


# 1.51 09-Jan-2002 dhartmei

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.


# 1.50 08-Jan-2002 dhartmei

Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.


# 1.49 07-Jan-2002 mpech

remove 3rd argument from ipmask(), not used.

dhartmei@ ok


# 1.48 23-Dec-2001 deraadt

find correct line number in lval, instead of val


# 1.47 10-Dec-2001 dhartmei

Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.


# 1.46 05-Dec-2001 dhartmei

Correctly parse hex numbers. Spotted by Claudio Jeker. Closes PR 2234.


# 1.45 03-Dec-2001 dhartmei

For nat, binat and rdr rules, don't allow different address families in
one rule. pf can't translate IPv4 <-> IPv6 packets. Such rules didn't work,
even if they were falsely accepted before.


# 1.44 26-Nov-2001 jasoni

add fastroute options similar to what is found in ipf
ok dhartmei@, frantzen@


# 1.43 05-Nov-2001 deraadt

no one responds.
this diff makes } and { not be part of symbols


# 1.42 24-Oct-2001 dhartmei

Check interface names using ifa0_lookup() and print error message for
non-existent interfaces (instead of the generic ioctl error returned by
the kernel in this case).


Revision tags: OPENBSD_3_0_BASE
# 1.41 15-Oct-2001 dhartmei

branches: 1.41.2;
Add 'allow-opts' to rules. Packets with IP options will be blocked by
default now, and can be allowed per rule. ok deraadt@


# 1.40 11-Oct-2001 frantzen

Don't htonl() past buffer bounds if ipmask == 128
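
The bounds problem this message fixes, and the parse-time masking that revision 1.172 (set_ipmask applying the netmask to the address immediately) describes, as one added example in my own C rather than pfctl's code: the mask is built word by word, and the partial word is only written when bits remain, so a /128 (or /32) prefix never stores past the end of the address. The struct layout, set_ipmask() reimplementation, masked_addr() and masked_equals() are mine; 172.17.0.0/12 printing as 172.16.0.0 is the case from the 1.172 message.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Four 32-bit words in network byte order, laid out like pf_addr.addr32. */
struct addr {
	uint32_t w[4];
};

/*
 * Build the netmask for af/prefix. Full words are set in a loop and a
 * partial word is only written when bits remain, so /32 and /128 never
 * touch a word beyond the address. Returns -1 for a prefix outside the
 * family's range.
 */
static int
set_ipmask(int af, int prefix, struct addr *mask)
{
	int bits = (af == AF_INET) ? 32 : 128;
	int i, full, rest;

	if ((af != AF_INET && af != AF_INET6) || prefix < 0 || prefix > bits)
		return -1;
	memset(mask, 0, sizeof(*mask));
	full = prefix / 32;
	rest = prefix % 32;
	for (i = 0; i < full; i++)
		mask->w[i] = 0xffffffffU;
	if (rest > 0)	/* full < 4 here, so this index is in bounds */
		mask->w[full] = htonl(0xffffffffU << (32 - rest));
	return 0;
}

/*
 * Apply the mask to the address at parse time and render the result,
 * so the printed rule shows only the bits that take part in a match.
 */
static int
masked_addr(int af, const char *addr, int prefix, char *out, size_t outlen)
{
	struct addr a, m;
	int i, words = (af == AF_INET) ? 1 : 4;

	memset(&a, 0, sizeof(a));
	if (inet_pton(af, addr, &a) != 1 || set_ipmask(af, prefix, &m) != 0)
		return -1;
	for (i = 0; i < words; i++)
		a.w[i] &= m.w[i];
	return inet_ntop(af, &a, out, outlen) == NULL ? -1 : 0;
}

/* Does addr/prefix print as want after masking? */
static int
masked_equals(int af, const char *addr, int prefix, const char *want)
{
	char buf[INET6_ADDRSTRLEN];

	if (masked_addr(af, addr, prefix, buf, sizeof(buf)) != 0)
		return 0;
	return strcmp(buf, want) == 0;
}

int
main(void)
{
	char buf[INET6_ADDRSTRLEN];

	/* constructed input: the example from the 1.172 commit message */
	if (masked_addr(AF_INET, "172.17.0.0", 12, buf, sizeof(buf)) == 0)
		printf("172.17.0.0/12 -> %s/12\n", buf);
	return 0;
}
```

A prefix of 128 gives full == 4 and rest == 0, so the guarded store is skipped; the same guard also keeps the shift amount in 1..31, avoiding the undefined 32-bit shift.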


# 1.39 07-Oct-2001 dhartmei

Add interface name to address translation to pfctl, document it and add
a regress test. Translation is done on rule set load-time only, so the
rule sets must be reloaded when an interface address changes.
parse.y patch from Cedric Berger. Similar patch from Jonathon Fletcher.
Thanks to both.


# 1.38 01-Oct-2001 markus

print variable assignments only if -v is given. ok dhartmei/deraadt


# 1.37 28-Sep-2001 dhartmei

Support underscores in macro names and document it in the man page.


# 1.36 20-Sep-2001 dhartmei

Fix uninitialized structure fields. Problem reported by Cedric Berger.


# 1.35 15-Sep-2001 wilfried

Implement return-icmp(number), return-icmp6(number)
Differentiate between return-icmp and return-icmp6,
icmp-type and ipv6-icmp-type. ok dhartmei@


# 1.34 15-Sep-2001 dhartmei

Fix 'binat ... to any ...' (binat.af wasn't set).


# 1.33 15-Sep-2001 dhartmei

Parse bug, found by wilfried@


# 1.32 15-Sep-2001 frantzen

IPv6 support from Ryan McBride (mcbride@countersiege.com)


# 1.31 12-Sep-2001 markus

check calloc() return value


# 1.30 06-Sep-2001 jasoni

- you can only binat between hosts
- add binat example and description


# 1.29 06-Sep-2001 jasoni

1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@


# 1.28 04-Sep-2001 dhartmei

Support parameter lists {} for interfaces in filter rules, like
pass in on { gm0, kue0 } from any to any


# 1.27 28-Aug-2001 markus

move '!' from host_list to host: "xhost : '!' host | host;"; ok dhartmei@


# 1.26 28-Aug-2001 markus

check for malloc/strdup == NULL


# 1.25 28-Aug-2001 dhartmei

Support ! operator in host parameter lists. Fixes PR system/2030. Reported
by Kamil Andrusz <wizz@mniam.net>.


# 1.24 26-Aug-2001 deraadt

sort keywords


# 1.23 25-Aug-2001 frantzen

PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation.


# 1.22 23-Aug-2001 millert

o for a port_item, initialize the "next" pointer to NULL
o for an address, use calloc() instead of malloc() so the struct is zeroed
Fixes a SEGV in pfctl due to uninitialized "next" pointers.


# 1.21 23-Aug-2001 deraadt

Support var="string". Expansion (at lex time) done using $var, for instance:
okproto="{ssh, smtp, domain, auth}"
pass in on key0 proto tcp from any to any port $okproto keep state
Can I ask someone else to document this in pf.conf(5)?


# 1.20 19-Aug-2001 dhartmei

Add parameter list support to parser. Handles lists for protocol, hosts
and ports in filter rules, like

block in from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
pass in proto tcp from any to any port { ssh, 1024 >< 2000, > 65000 }
block in proto { udp, igmp }

and does rule expansion (generate all needed rule combinations).


# 1.19 16-Aug-2001 deraadt

track the line number per-token, so that we can report errors correctly


# 1.18 14-Aug-2001 mickey

optimize the flags parsing; markus@ ok


# 1.17 11-Aug-2001 deraadt

\+\n support, and spit out cc-style error messages. the parser's line
counting is lex dependent, and will need to be tweaked


# 1.16 31-Jul-2001 wilfried

allow to test that flags are unset, ok dhartmei@, mickey@


# 1.15 19-Jul-2001 krw

Fix/complete the handling of the binary ops >< and <> to behave
like the ipf operators.

The 'n >< m' construct (Include Range = PF_OP_IRG) should match
ports greater than n and less than m, not greater than or equal to
n and less than or equal to m.

The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match
all ports less than n OR greater than m, not be treated as an
alias for ><.

Thus PF_OP_GL, which was used for both <> and >< is replaced with
PF_OP_IRG and PF_OP_XRG with the 'correct' semantics.

OK dhartmei@
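
The operator semantics fixed here, as an added example in C (my own code, not pf's pf_match_port()): '><' (PF_OP_IRG) matches only ports strictly between its two operands and '<>' (PF_OP_XRG) only ports strictly outside them, so the endpoints never match either. The operator names come from this message; the enum layout, parse_op() and port_match_str() are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Operator codes named in the commit; the numeric layout is ours. */
enum pf_op {
	PF_OP_NONE, PF_OP_EQ, PF_OP_NE, PF_OP_LT, PF_OP_LE,
	PF_OP_GT, PF_OP_GE, PF_OP_IRG, PF_OP_XRG
};

/* Map the textual operator from pf.conf to a code; -1 if unknown. */
static int
parse_op(const char *s)
{
	static const struct { const char *txt; enum pf_op op; } tab[] = {
		{ "=", PF_OP_EQ }, { "!=", PF_OP_NE }, { "<", PF_OP_LT },
		{ "<=", PF_OP_LE }, { ">", PF_OP_GT }, { ">=", PF_OP_GE },
		{ "><", PF_OP_IRG }, { "<>", PF_OP_XRG },
	};
	size_t i;

	for (i = 0; i < sizeof(tab) / sizeof(tab[0]); i++)
		if (strcmp(tab[i].txt, s) == 0)
			return tab[i].op;
	return -1;
}

/* Does port p satisfy "a1 op a2"? a2 is ignored for unary operators. */
static int
port_match(enum pf_op op, uint16_t a1, uint16_t a2, uint16_t p)
{
	switch (op) {
	case PF_OP_NONE: return 1;
	case PF_OP_EQ:   return p == a1;
	case PF_OP_NE:   return p != a1;
	case PF_OP_LT:   return p < a1;
	case PF_OP_LE:   return p <= a1;
	case PF_OP_GT:   return p > a1;
	case PF_OP_GE:   return p >= a1;
	case PF_OP_IRG:  return a1 < p && p < a2;	/* strictly between */
	case PF_OP_XRG:  return p < a1 || a2 < p;	/* strictly outside */
	}
	return 0;
}

/* "a1 op a2" with the operator as text; -1 for an unknown operator. */
static int
port_match_str(uint16_t a1, const char *op, uint16_t a2, uint16_t p)
{
	int code = parse_op(op);

	if (code < 0)
		return -1;
	return port_match((enum pf_op)code, a1, a2, p);
}

int
main(void)
{
	uint16_t probes[] = { 1023, 1024, 1025, 1999, 2000, 2001 };
	size_t i;

	/* constructed probes around the range 1024 .. 2000 */
	for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		printf("%5u  ><: %d  <>: %d\n", probes[i],
		    port_match_str(1024, "><", 2000, probes[i]),
		    port_match_str(1024, "<>", 2000, probes[i]));
	return 0;
}
```

For 1024 and 2000 themselves both operators return 0; every other port matches exactly one of the two, which is the complementary behaviour the message asks for.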


# 1.14 18-Jul-2001 markus

new ERROR token, errx() -> warnx() + ERROR; ok deraadt@


# 1.13 18-Jul-2001 markus

KNF for return


# 1.12 18-Jul-2001 mickey

check number range to fit in 32 bits


# 1.11 18-Jul-2001 mickey

put range checks on NUMBER, pointed out by deraadt


# 1.10 17-Jul-2001 mickey

spaces, parens, err instead of errx+strerror


# 1.9 17-Jul-2001 markus

warnx()/YYERROR instead of errx(); suggested by mickey@


# 1.8 17-Jul-2001 provos

markus doesn't like min-ttl =, begone


# 1.7 17-Jul-2001 provos

support min-ttl, okay dhartmei@


# 1.6 17-Jul-2001 provos

normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@


# 1.5 17-Jul-2001 marc

bitch about ! in pf rule; ok dhartmei@ and markus@


# 1.4 17-Jul-2001 millert

Only set default proto in the rdr case; markus@ OK


# 1.3 16-Jul-2001 markus

errx() if getservbyname() fails


# 1.2 16-Jul-2001 markus

better flags parsing; dhartmei


# 1.1 16-Jul-2001 markus

add a yacc parser for pf.conf and nat.conf, with help from mickey@,
plus: -n now turns off all operations, and just parses the conf files
ok deraadt@


# 1.700 15-Jan-2020 kn

Do the actual pfr_strerror() to pf_strerror() rename

Missed in previous


# 1.699 17-Oct-2019 millert

Use -1 to indicate an invalid uid/gid, not UID_MAX and GID_MAX.
This is the userland portion. OK deraadt@ sashan@


Revision tags: OPENBSD_6_6_BASE
# 1.698 26-Aug-2019 tobhe

Fix file descriptor leak due to popfile() never closing the main config file.

The fix is the same as for other parse.y files in the tree (see bgpd(8) or
unwind(8))

ok bluhm@


# 1.697 05-Jul-2019 patrick

Fix integer sizes in format strings and enable formatting warnings
for yyerror.

From Moritz Buhl
ok bluhm@ claudio@


# 1.696 08-May-2019 sashan

pfctl should check pfctl.astack is not overrun
(bug found and fixed by Petr Hoffmann _at_ oracle.com)

OK kn@


# 1.695 18-Apr-2019 kn

Fix table definition parsing as unprivileged user

revision 1.689 introduced warn_duplicate_tables() unconditionally, breaking
the parser on tables with insufficient permissions to open pf(4):

$ echo 'table <t>' | pfctl -nf-
pfctl: pfr_get_tables: Bad file descriptor

So simply check whether pfctl is able to get the table list first. If not,
instead of silently avoiding namespace collision checks, print a brief
notice iff `-v' is given to help finding duplicate definitions by hand:

$ echo 'table <t>' | ./obj/pfctl -vnf-
table <t>
stdin:1: skipping duplicate table checks for <t>

Reported by Rivo Nurges, thanks!
OK benno sashan


Revision tags: OPENBSD_6_5_BASE
# 1.694 06-Mar-2019 kn

Fix once rules

parse.y revision 1.682 from 16.07.2018 erroneously allowed `match once' and
`anchor "a" once'.

Fix both by checking for PF_DROP not PF_MATCH and creating anchors in the
parser already such that they can be used to distinguish anchor rules in
the same check as well.

Found and fixed by Petr Hoffmann <petr.hoffmann at oracle dot com>, thanks!

While here, remove an unneeded cast and make pfctl_add_rule() void as it
always returned 0.

OK sashan


# 1.693 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.692 10-Feb-2019 kn

Anchor names must not be empty

The parser would allow bogus input and sometimes even produce invalid rules
on empty anchor names, so error out immediately.

OK sashan


# 1.691 10-Feb-2019 kn

Unify anchor name sanity checks

For anchor names, make `load anchor' use the same grammar as `anchor' and
merge unique checks from both places so that anchor names are validated
regardless of the specific rule at hand.

OK sashan


# 1.690 31-Jan-2019 kn

Make divert-packet port accept any port specification

Contrary to other rules accepting a single port, this one only works with
numerical values. Fix it by simply using the proper grammar.

Port ranges are not accepted, but an error message on a range without start
was missing in general, so add it while here.

OK bluhm


# 1.689 11-Jan-2019 kn

When creating tables inside anchors, pfctl warned about namespace
collisions with global tables, but only in certain cases and with
limited information sometimes leaving users clueless.

Deferring the check to process_tabledefs() where tables are eventually
created, both anchor and table name are known which allows for checking
all existing anchors.

With this, warn on all duplicates even in dry-runs (`-n') and print
quoted names so they can be copied to fix configurations right away.

No functional change in parsing or ruleset production.

Discussed with and OK sashan


# 1.688 15-Nov-2018 dlg

scrub opts don't set tos, so remove it from the scrub_opts struct

ok deraadt@


# 1.687 10-Nov-2018 kn

Unbreak `-D macro=value' (r1.686 regression)

Zap trailing semicolon introduced with miko's cmdline_symset() leading to
unconditional err(3). Zap trailing tab while here.


# 1.686 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.685 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.684 16-Sep-2018 millert

Use uid_from_user(3) and gid_from_group(3) in utilities that
do repeated lookups. OK tb@


# 1.683 06-Sep-2018 kn

Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan


# 1.682 16-Jul-2018 kn

reduce duplicate code, fix typo/free correct buffer

In filteropts_to_rule():

* Merge `once' handling from `anchorrule' and `pfrule'
* Remove/shorten duplicate code block
* Fix typo I introduced with r1.678 that frees the wrong buffer (twice)

OK sashan


# 1.681 13-Jul-2018 kn

Fix regression on child queue definitions

I committed the wrong diff in 1.680 which turned `queue cq parent pq ...'
into invalid syntax by changing `interface' to `ON if_item'.

Found by bket, thanks!


# 1.680 11-Jul-2018 kn

Prevent invalid interface specifiers on queue rules

pf.conf(5) states that queues attach to actual interfaces only, yet the
following parses:

# echo queue eq on egress bandwidth 1G default | pfctl -f-
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

# echo queue rq on rdomain 0 bandwidth 1G default | pfctl -vf-
queue rq bandwidth 1G default
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

On rdomains, ifa_exists() returns NULL.
On interface groups, ifa_exists() returns non-NULL but af is never set
to AF_LINK.

OK henning sashan


# 1.679 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.678 10-Jul-2018 henning

'set delay' for the generic packet delay mechanism, ok benno sashan


# 1.677 10-Jul-2018 kn

fix anchor rules with filter opts, introduce filteropts_to_rule()

Some filter options were parsed but not set on anchor rules due to missing
copies of the respective struct members:

$ cat pf.conf
queue rq on trunk0 bandwidth 1G
queue dq parent rq bandwidth 1G default
anchor a set queue dq
$ pfctl -vnf pf.conf | fgrep queue
anchor "a" all

Fix this by moving common code from `anchorrule' and `pfrule' into a new
helper filteropts_to_rule().

Input from henning and benno
OK henning sashan jca


# 1.676 09-Jul-2018 kn

Zap dead code

Commented since r1.465 (2004).

OK deraadt benno jca sashan


# 1.675 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.674 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.673 18-May-2018 benno

A pf rule with a "on rdomain n" with nonexisting rdomain n will cause an

pfctl: DIOCADDRULE: Device busy

error when loading the ruleset, with no information which rule caused
the problem and no indication that the problem is the rdomain
<nonexisting>.

This diff makes pfctl check if the rdomain really exists when parsing
the config.

ok bluhm@


# 1.672 09-May-2018 otto

Fix (include file ) line number counting by keeping track of the unget
buffer per file; also use that buffer to expand macros.
ok sashan@ dennis@ krw@


# 1.671 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.670 08-Feb-2018 henning

make the watermarks/thresholds for entering and leaving syncookie mode when
syncookies are set to adaptive tunable, ok claudio benno


# 1.669 06-Feb-2018 henning

allow control over syncookies: set syncookies never/always/adaptive


# 1.668 28-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@


# 1.667 27-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Convert the pfctl(8) rule parser to divert types, kernel cleanup
will be the next step.
OK sashan@


# 1.666 25-Nov-2017 sashan

- pfctl fails to handle nested 'load anchor' properly
[ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]

OK bluhm@


# 1.665 14-Nov-2017 sashan

- nested anchors vs. pfctl/parse.y
bug reported and fix tested by Leonardo Guardati

OK bluhm@


# 1.664 13-Nov-2017 henning

add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb


Revision tags: OPENBSD_6_2_BASE
# 1.663 11-Aug-2017 benno

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@


# 1.662 19-Jul-2017 mikeb

Allow HFSC classes to use flow queues

The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue. Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.

Discussed with and OK henning@ at d2k17 as a part of a larger diff.


# 1.661 19-Jul-2017 mikeb

Rework HFSC vs FQ-CoDel checks

The selection mechanism introduced in pf_ioctl.c -r1.316 suffers
from being too ambiguous and lacks robustness. Instead of relying
on composition of multiple flags in the queue specification, it's
easier to identify the root class (if it exists) and derive all
further checks from it.


# 1.660 28-May-2017 akfaew

Don't check np->port for NULL - it's an array, it's never NULL.

OK bluhm@


# 1.659 15-May-2017 mikeb

Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)

OK sthen, visa


# 1.658 28-Apr-2017 mikeb

Remove double assignments


Revision tags: OPENBSD_6_1_BASE
# 1.657 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.656 23-Nov-2016 bluhm

Explicitly forbid to combine af-to with route-to in pfctl. The
parser cannot handle that correctly and it is unclear whether the
kernel code would work. Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@


# 1.655 26-Aug-2016 guenther

Add <time.h> for time(); sort <*.h> includes

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.654 18-Jul-2016 henning

g/c unused (global!) var: oqueues isn't used any more. ALTQ leftover; not
noticed since struct node_queue stayed. ok claudio benno gcc


# 1.653 22-Jun-2016 kettenis

Add curly braces that were missed in rev 1.651. Add parenthesis to make the
condition in the if statement more readable while I'm there.

ok phessler@, benno@, florian@


# 1.652 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.651 21-Jun-2016 benno

the manpage documents that af-to does not work on pass out rules, but
the pf.conf parser allows it, which leads a non working configuration
being loaded.
this changes the parser to make pass out .. af-to an error.

ok henning@ mikeb@


# 1.650 16-Jun-2016 henning

allow include in inline anchors
with this,
anchor foo {
include "/path/to/rules"
}
works and "load anchor" is obsolete, to be removed somewhen later after
release.
co-production with reyk at bsdcan, ok reyk mikeb benno sasha


Revision tags: OPENBSD_5_9_BASE
# 1.649 01-Sep-2015 sashan

- route-to, dup-to, reply-to should not override the block action

Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>

ok jung@, ok mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.648 21-Apr-2015 mikeb

Improve divert-to specification parsing w.r.t. rule address family.
ok henning


Revision tags: OPENBSD_5_7_BASE
# 1.647 26-Feb-2015 sthen

%% not % in error message; ok millert@ henning@


# 1.646 14-Feb-2015 sthen

Rather than using 0xff as a placeholder for "don't check prio", use 0xff to
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.

Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesn't like it he can change it when he recovers from jet-lag"


# 1.645 10-Feb-2015 henning

since we inherit prio (as in, the queuing priority) from outside sources,
i. e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan


# 1.644 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.643 19-Dec-2014 reyk

Support source-hash and random with tables and dynifs; not just pools.
This finally allows to use source-hash for dynamic loadbalancing, eg.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.

An older pre-siphash version of this diff was tested by many people.

OK tedu@ benno@


# 1.642 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@
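As an added illustration (not pfctl's own yylex and not the committed patch), the following C helper reads a quoted string from a buffer with an explicit length, so an embedded NUL byte such as the one afl found in an anchor name is detected and rejected rather than silently truncating the string. It also applies the quoting rules described in the 1.685 entry above: a backslash followed by space or tab expands to that whitespace character, and a backslash followed by newline is a line continuation. The function name read_quoted, its return convention and the constructed inputs in the comments are assumptions for this example.

```c
#include <stddef.h>
#include <string.h>

/*
 * Illustrative quoted-string reader (not pfctl's lexer). The input is a
 * buffer with an explicit length so that an embedded NUL byte is visible
 * to the scanner instead of acting as a terminator. in[0] must be the
 * opening quote character. Returns the number of bytes stored in out
 * (NUL-terminated), or -1 on embedded NUL, unterminated string, or an
 * output buffer that is too small.
 */
long
read_quoted(const char *in, size_t inlen, char *out, size_t outsz)
{
	size_t i, n = 0;
	char q;

	if (inlen == 0 || outsz == 0 || (in[0] != '"' && in[0] != '\''))
		return -1;
	q = in[0];

	for (i = 1; i < inlen; i++) {
		char c = in[i];

		if (c == '\0')
			return -1;	/* embedded NUL: reject, never truncate */
		if (c == q) {
			out[n] = '\0';	/* closing quote: done */
			return (long)n;
		}
		if (c == '\\' && i + 1 < inlen) {
			char next = in[i + 1];

			if (next == '\n') {	/* line continuation */
				i++;
				continue;
			}
			if (next == ' ' || next == '\t') {	/* \<sp> -> <sp> */
				c = next;
				i++;
			}
			/* any other backslash sequence is kept literally */
		}
		if (n + 1 >= outsz)
			return -1;	/* no room for byte plus terminator */
		out[n++] = c;
	}
	return -1;			/* ran off the end: unterminated */
}

/* Constructed inputs showing the cases handled above. */
int
read_quoted_selftest(void)
{
	char buf[32];

	/* "a\ b" -> a b  (backslash-space expands to a space) */
	if (read_quoted("\"a\\ b\"", 6, buf, sizeof buf) != 3 ||
	    strcmp(buf, "a b") != 0)
		return 0;
	/* "a\<newline>b" -> ab  (line continuation dropped) */
	if (read_quoted("\"a\\\nb\"", 6, buf, sizeof buf) != 2 ||
	    strcmp(buf, "ab") != 0)
		return 0;
	/* "a<NUL>b" -> rejected instead of truncated to "a" */
	if (read_quoted("\"a\0b\"", 5, buf, sizeof buf) != -1)
		return 0;
	/* "abc with no closing quote -> rejected */
	if (read_quoted("\"abc", 4, buf, sizeof buf) != -1)
		return 0;
	return 1;
}
```

The lengths are passed explicitly rather than computed with strlen(3) because strlen would stop at the embedded NUL and hide exactly the byte the check is meant to catch.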


# 1.641 27-Oct-2014 mikeb

Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic. Reported by sthen@;
ok henning benno sthen


# 1.640 25-Oct-2014 lteo

Remove unnecessary netinet/in_systm.h include.

ok millert@


# 1.639 13-Sep-2014 doug

Replace all queue *_END macro calls except CIRCLEQ_END with NULL.

CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.

ok millert@


# 1.638 23-Aug-2014 pelikan

when you specify queues in a rule, make sure they have been defined.

DIOCADDRULE EBUSY turns into an error message that pfctl -n catches.
DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported
to occur, possibly from hfsc.c: this should be fixed as well.

ok henning mikeb sthen


# 1.637 21-Aug-2014 mikeb

deny "once" flags for match rules; ok henning


Revision tags: OPENBSD_5_6_BASE
# 1.636 02-Jul-2014 mikeb

branches: 1.636.4;
condition above makes this part of the check useless;
overlooked in the previous commit


# 1.635 30-Jun-2014 mikeb

Merge two loops in collapse_redirspec into one

This lets us do the checks only once and also make smarter decisions
about the rule's own address family. As a result af-to rules no longer
need to specify the address family after 'pass'.

ok henning


# 1.634 25-Jun-2014 mikeb

Make stricter decisions when handling translation specifications.

In particular, disallow specifications containing addresses of
different address families when rule doesn't specify one, for
example "pass out nat-to { ::1 1.1.1.1 }" will now produce an
error instead of silently picking one of the addresses.

sthen and deraadt agree


# 1.633 17-May-2014 bluhm

When parsing a numerical value for the TOS bits, make sure that it
is in a valid range.
OK henning@


# 1.632 19-Apr-2014 henning

remove altq bits here, too
(i was convinced i committed that yesterday already, hrm)


Revision tags: OPENBSD_5_5_BASE
# 1.631 22-Jan-2014 henning

branches: 1.631.4;
relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.630 21-Jan-2014 henning

if_item can be "any" now.
allows things like
block out on $someif received-on any
to prevent packets to get forwarded to $someif


# 1.629 20-Jan-2014 henning

support "!received-on <interface>", ok dlg benno


# 1.628 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.627 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


# 1.626 17-Oct-2013 henning

cannot have queue definitions inside anchors.
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@@ring0.de>, analysis & fix yours truly


# 1.625 12-Oct-2013 henning

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen


# 1.624 01-Aug-2013 mikeb

Provide local implementations of if_nametoindex(3) and if_indextoname(3)
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance wise this change provides a speed up
factor of 20 with a 11k line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).

"wow!" henning, ok benno, florian


Revision tags: OPENBSD_5_4_BASE
# 1.623 01-Jun-2013 henning

branches: 1.623.2;
remove set-tos backwards compat, moved into the set {} block a year ago
ok ryan


# 1.622 02-Mar-2013 sthen

When a PF rule contains 'set tos' *followed by* a scrub option, the tos
value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning


Revision tags: OPENBSD_5_3_BASE
# 1.621 16-Jan-2013 henning

for consistency with prio etc, the queue assignment really belongs
into the set block. so make pfctl accept, print and the manpage document
. match set queue foo
instead of
. match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc


# 1.620 18-Oct-2012 reyk

Disallow tables and interface address pools for rdr-to, nat-to and
route-to with any other scheduling algorithms than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, eg. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.

Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.

ok zinke@


# 1.619 18-Sep-2012 henning

prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb


Revision tags: OPENBSD_5_2_BASE
# 1.618 10-Jul-2012 bluhm

Allow an implicit address family for af-to rules. If the address
family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6"
there.
OK henning@ mikeb@


# 1.617 10-Jul-2012 henning

set { ... } -> set ( ... )
brought up by ryan, discussed with him and theo and they convinced me


# 1.616 09-Jul-2012 henning

fix some of the confusion we have in pf regarding filter criteria vs
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler


# 1.615 07-Jul-2012 henning

remove incorrect check in pfctl preventing set-tos for ipvshit.
the kernel has code to deal with set-tos and that crap. don't ask for
details. stuart ok


# 1.614 07-Jul-2012 henning

rename prio in struct pf_rule and related structs to set_prio so it is
utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc


Revision tags: OPENBSD_5_1_BASE
# 1.613 19-Dec-2011 mikeb

unbreak rule optimizer; ok henning, looks


# 1.612 12-Dec-2011 mikeb

fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault


# 1.611 03-Dec-2011 mcbride

pfctl_set_hostid always returns 0; don't pretend otherwise and make it a
void function instead.

ok dlg


# 1.610 13-Oct-2011 claudio

pfctl change for af-to / NAT64 support.
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@


# 1.609 07-Sep-2011 haesbaert

Avoid possible SIGSEGV when wrong tos option.


# 1.608 30-Aug-2011 mikeb

One shot rules can be used in pf.conf by specifying a "once" filter option.

ok henning, mcbride


Revision tags: OPENBSD_5_0_BASE
# 1.607 29-Jul-2011 mcbride

Remove requirement to quote 'debug' loglevel for the 'debug' option.

ok henning


# 1.606 27-Jul-2011 mcbride

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt


# 1.605 13-Jul-2011 mcbride

Force user to specify protocol when filtering on user, gid, and os
attributes (this is now required by pf_rule_test()).

ok sthen henning


# 1.604 08-Jul-2011 henning

allow rules to specify "prio X" or "prio (X, Y)" to assign priority levels
for the new priority queueing implementation. valid range is 0 to 7. the old
trick for prioritizing empty ACKs etc remains thru the latter notation
ok ryan mpf sthen plus pea testing and halex and claudio reading


# 1.603 07-Jul-2011 mcbride

Fold pf_test_fragment() into pf_test_rule(), reduce code and fixes
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus


# 1.602 04-Jul-2011 henning

bye bye require-order.
i added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo


# 1.601 03-Jul-2011 henning

g/c RIO traces (aka clean up after tedu :))


# 1.600 03-Jul-2011 zinke

bring in least-states load balancing algorithm

ok mcbride@ henning@


# 1.599 06-Apr-2011 claudio

Userland bits to allow PF to filter on the rdomain a packet belongs to.
This allows to write rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@


# 1.598 05-Apr-2011 mikeb

ditch fastroute, an ipf feature that made its way into pf before
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do. reuse some kernel bits for the upcoming nat64
stuff. "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.


Revision tags: OPENBSD_4_9_BASE
# 1.597 31-Dec-2010 bluhm

According to pf_scrub_ip6() pf does not support the scrub options
no-df, random-id, set-tos for IPv6 rules. Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@


# 1.596 15-Dec-2010 henning

make the "invalid probability:" yyerror suck less
From: Thomas Pfaff <tpfaff@tp76.info>


# 1.595 01-Dec-2010 jsg

remove some unused tokens
ok henning@ mcbride@


# 1.594 24-Sep-2010 henning

remove the check that enforced rdr-to only inbound and nat-to only outbound.
both now can be used in both directions. the kernel allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given, a rule with rdr-to and/or nat-to
and no direction is pretty certainly an error (which it would work,
technically)
ok ryan claudio dlg


# 1.593 22-Sep-2010 henning

new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually


# 1.592 02-Sep-2010 sobrado

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@


Revision tags: OPENBSD_4_8_BASE
# 1.591 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.590 03-Jul-2010 mcbride

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.

tested by phessler
ok henning


# 1.589 23-Mar-2010 henning

remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving anchors aside) is wrong and
conflicts with the general idea of how pf works. last not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc


Revision tags: OPENBSD_4_7_BASE
# 1.588 13-Jan-2010 deraadt

Move tokens before productions into more consistent places
ok mcbride


# 1.587 13-Jan-2010 mcbride

Allow /netmask notation in redir spec, fix the rest of the regress
tests for illegal conditions in translation/routing.


# 1.586 12-Jan-2010 mcbride

We actually have to keep the translate/route spec addresses around after
collapsing into tables, so that we can handle all possible address family
expansions.


# 1.585 12-Jan-2010 mcbride

Set roundrobin flag correctly, and don't treat a bare interface
like a dynamic one in the routespec.


# 1.584 12-Jan-2010 mcbride

Add restrictions to make @if illegal outside of routing specs;
Fix binat-to sanity checks.


# 1.583 12-Jan-2010 mcbride

Fix some issues in redir spec handling, discovered thanks to dlg testing
- purge irrelevant addresses from the lists before collapsing
- ensure the lists are freed after they're collapsed
- more careful ifname copying, avoiding double-free / use-after-free traps


# 1.582 12-Jan-2010 mcbride

Don't leak @if0 format routing host names, pointed out by claudio.


# 1.581 12-Jan-2010 mcbride

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio


# 1.580 10-Jan-2010 deraadt

lex <=, >=, and != into a single token for correctness and to reduce the
lookahead in the parser
ok henning otto


# 1.579 10-Jan-2010 deraadt

In the non-optimized case, an address list containing "any" (ie. { any 10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1. How long this bug has
been with us is unclear.
ok guenther mcbride


# 1.578 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


# 1.577 24-Dec-2009 dlg

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:

pass out on em0 from $foo to $bar received-on fxp0

ive been running this in production for a week now. i find it particularly
useful with interface groups.

no objections, and a few "i like"s from henning, claudio, deraadt, mpf


# 1.576 10-Dec-2009 deraadt

plug some memory leaks; found by parfait, ok henning


# 1.575 22-Nov-2009 henning

cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing


# 1.574 09-Nov-2009 jsg

A few more places to be updated for the route pool change.
expanded version of a diff from Vadim Zhukov.

ok henning@ claudio@


# 1.573 28-Oct-2009 jsg

Add a dedicated pf pool for route options as suggested by henning,
which unbreaks ie route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@


# 1.572 28-Oct-2009 claudio

route_host initializes the netmask to a /128 no matter what af is used so
that the load balancing code does not freak out but because of this
check_netmask() is now complaining. So set the addr.type to PF_ADDR_DYNIFTL
so check_netmask() is fixing up the netmask for IPv4 and stops complaining.
This is a partial fix for the failing regress test 13.
found with jsg, looks good henning


# 1.571 28-Oct-2009 claudio

Correct function name in err and errx.


# 1.570 04-Oct-2009 michele

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who spotted out which are the limitations of this approach.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@


# 1.569 08-Sep-2009 michele

I had not enough oks to commit this diff.
Sorry.


# 1.568 08-Sep-2009 michele

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.


# 1.567 07-Sep-2009 reyk

implement binat-to as a macro-like rule: a rule using the new binat-to
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. this simplifies the migration from old
binat rules and is less error-prone.

feedback from many, manpage bits from jmc@
ok henning@


# 1.566 03-Sep-2009 reyk

this time i commit the right diff that was
ok henning@ (sorry)


# 1.565 03-Sep-2009 reyk

fix two route-to vs. rdr-to conflicts.

found by sthen@
ok henning@


# 1.564 02-Sep-2009 reyk

all the new *-to options are part of the "filteropts" section at the
end of a pf rule (nat-to, divert-to, rdr-to, ...). take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.

for example,
pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)

many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@


# 1.563 01-Sep-2009 henning

the diff theo calls me insanae for:
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too


# 1.562 28-Jul-2009 claudio

Bring back rev. 1.560:
Make it possible to use DiffServ Code Point in the TOS fields.
Requested by deraadt@


# 1.561 27-Jul-2009 deraadt

When will people learn to commit their .h file changes?


# 1.560 27-Jul-2009 claudio

Make it possible to use DiffServ Code Point in the TOS fields. Names like
af11, cs6 and ef will now be mapped to the corresponding TOS value.
OK henning@, sthen@, mcbride@


Revision tags: OPENBSD_4_6_BASE
# 1.559 14-May-2009 sthen

actually change the require-order default to No; I missed a part with
my last commit. ok deraadt@


# 1.558 26-Apr-2009 sthen

switch the require-order default to "no". regression tests still pass.
ok henning@ deraadt@


# 1.557 25-Apr-2009 henning

scrub_opts must not be empty, scrub on its own does nothing.
noticed due to a question from otto@, ok regress/sbin/pfctl/ ;)


# 1.556 06-Apr-2009 henning

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.
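A simplified model of the match-rule semantics described in this entry (pass/block decided by the last matching rule, match-rule settings applied every time they match, the last queue or rtable setter wins, each logging rule logs). This is an added example, not pfctl or pf(4) code; it assumes plain-dict packets and criteria, and that a packet matching no pass/block rule is passed.

```python
"""Simplified model of pf rule evaluation with the 'match' action.

Added example; not pfctl's or pf(4)'s code. Assumptions not taken from the
log entry: packets and rule criteria are plain dicts, and a packet that
matches no pass/block rule is passed (pf's default policy).
"""

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    action: str                                   # "pass", "block" or "match"
    criteria: dict = field(default_factory=dict)  # packet fields to match
    quick: bool = False
    queue: Optional[str] = None
    rtable: Optional[int] = None
    log: bool = False


@dataclass
class Verdict:
    action: str = "pass"
    queue: Optional[str] = None
    rtable: Optional[int] = None
    logged_by: list = field(default_factory=list)  # rule indexes, may repeat


def matches(rule: Rule, packet: dict) -> bool:
    """A rule matches when every criterion equals the packet's field."""
    return all(packet.get(k) == v for k, v in rule.criteria.items())


def evaluate(rules: list, packet: dict) -> Verdict:
    """Walk the ruleset once and return the resulting verdict."""
    verdict = Verdict()
    last = None  # index of the last matching pass/block rule
    for i, rule in enumerate(rules):
        if not matches(rule, packet):
            continue
        if rule.action == "match":
            # Every time a match rule matches, its settings are applied
            # immediately; a later rule may overwrite queue/rtable, and
            # a logging match rule logs the packet each time.
            if rule.queue is not None:
                verdict.queue = rule.queue
            if rule.rtable is not None:
                verdict.rtable = rule.rtable
            if rule.log:
                verdict.logged_by.append(i)
            continue
        last = i
        if rule.quick:
            break
    if last is not None:
        rule = rules[last]
        verdict.action = rule.action
        # Only the last matching pass/block rule decides; if it sets no
        # queue/rtable, the values set by earlier match rules remain.
        if rule.queue is not None:
            verdict.queue = rule.queue
        if rule.rtable is not None:
            verdict.rtable = rule.rtable
        if rule.log:
            verdict.logged_by.append(last)
    return verdict


def example_ruleset() -> list:
    """Constructed sample ruleset mirroring the entry's ". block / . match" case."""
    return [
        Rule("block", log=True),                      # block everything ...
        Rule("match", {"dport": 80}, queue="web", log=True),  # ... tag web
        Rule("pass", {"proto": "tcp"}),               # pass tcp, no queue set
    ]


if __name__ == "__main__":
    print(evaluate(example_ruleset(), {"proto": "tcp", "dport": 80}))
    print(evaluate(example_ruleset(), {"proto": "udp", "dport": 80}))
```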


Revision tags: OPENBSD_4_5_BASE
# 1.555 19-Feb-2009 deraadt

spacing


# 1.554 17-Oct-2008 henning

in findeol(), do not skip the pushback buffer. fixes PR 5952 by sthen@ and
should make the pushback buffer really transparent.
diagnosis by me, fix with mpf, some input deraadt, ok mpf


# 1.553 02-Oct-2008 henning

implement "set state-defaults X", where X is a list of state options as
permitted keep state(X). applies to all rules which do not have keep state
explicitly. e. g. "set state-defaults pflow, no-sync"
ok phessler deraadt


# 1.552 10-Sep-2008 deraadt

do not try to print $$ when it has not been set


# 1.551 09-Sep-2008 henning

welcome pflow(4), a netflow v5 compatible flow export interface.
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo


# 1.550 07-Aug-2008 henning

correctly copy the log interface spec when expanding an antispoof rule that
covers loopback addresses. ok ryan
problem report from Harald Dunkel <harald.dunkel@aixigo.de>


Revision tags: OPENBSD_4_4_BASE
# 1.549 03-Jul-2008 deraadt

do not forget to initialize other member of $$ in qname; noted by mark shroyer
ok henning


# 1.548 10-Jun-2008 mcbride

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt


# 1.547 10-Jun-2008 henning

new state option "sloppy" to use the sloppy tcp state tracker instead
of the good one. ok theo ryan reyk


# 1.546 09-May-2008 deraadt

Replace a crockpot of semi-cloned productions for handling port
numbers with one, and fix a few other bugs along the way
ok mpf henning


# 1.545 09-May-2008 markus

convert port byte order in the production; add port keyword; ok deraadt@


# 1.544 09-May-2008 markus

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@


# 1.543 08-May-2008 deraadt

make "to any" optional in binat, or well, the implied default.
requested by reyk, ok reyk mpf


# 1.542 08-May-2008 deraadt

Loosen grammar to permit any number of newlines within most kinds of { }
blocks, as requested by reyk; ok reyk mpf henning


# 1.541 08-May-2008 deraadt

Bring back (in a more yacc friendly way) support for setting variables
to a sequence of strings and numbers, which get folded together into one
string (and later, when used, is re-lexed)
ok mpf


# 1.540 07-May-2008 deraadt

do not assume PF_INOUT is 0 in the enum; ok mcbride


# 1.539 07-May-2008 markus

scrub packets based on tags; ok henning


# 1.538 07-May-2008 markus

allow setting TOS with scrub; ok mcbride, claudio


# 1.537 21-Apr-2008 deraadt

optnl is a crutch for those who do not understand yacc. it
leads to a variety of errors; ok mcbride


Revision tags: OPENBSD_4_3_BASE
# 1.536 01-Feb-2008 mcbride

Enable the rest of the filter_opts to be used on anchors. These were accepted
by the parser but not passed to the kernel. This allows filtering based on
uid, gid, icmp options, tcp flags, os fingerprint, tos, tags, and probability;
It also allows the label to be set. State options and tagging are not
permitted.

ok henning mpf


# 1.535 13-Nov-2007 mpf

Bring back the number converter for 'set hostid'.
I forgot to think about hex numbers when I removed it.
OK deraadt@


# 1.534 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.533 25-Oct-2007 mpf

Fix probability rules w/ numbers (e.g. probability 0.4).
Add support for probabilities of 0% and 100%.
With and OK deraadt@


# 1.532 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.531 22-Oct-2007 deraadt

pfctl does not need file secrecy


# 1.530 16-Oct-2007 mpf

Allow unquoted numbers in variables.
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.

OK deraadt@


# 1.529 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.528 13-Oct-2007 deraadt

support an include directive; file of course must also be "secure" like
the main configuration file; ok henning


# 1.527 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.526 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.525 01-Oct-2007 mpf

Backout NUMBER to string conversion.
Requested by deraadt@


# 1.524 27-Sep-2007 mpf

Add loginterface support for groups.
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.

OK henning@, markus@


# 1.523 23-Sep-2007 mpf

Allow numbers to be used as unquoted strings again.
While there, also restrict the use of concatenated, unquoted
strings for variable assignments only.

Eyeballed by markus@, OK henning@


# 1.522 12-Sep-2007 deraadt

add a missing range check for rtable ids; ok cloder henning


# 1.521 12-Sep-2007 deraadt

Add support to the lex for parsing number out of the stream. handle
this in the parser. because the new numbers are int64_t, many new
range checks for < 0 are needed. re-check and improve all the
existing rangechecks while at it. thanks for help by cloder and
dhartmei


# 1.520 30-Aug-2007 dhartmei

add support for address ranges ("from 10.1.2.50 - 10.1.3.75") in from/to
criteria. ok mcbride@


Revision tags: OPENBSD_4_2_BASE
# 1.519 21-Jun-2007 henning

always initialize logif, from max laier, ok ryan


# 1.518 20-Jun-2007 mpf

Allow "log" for nat rules without "pass".
OK henning@, ``passt scho'' markus@


Revision tags: OPENBSD_4_1_BASE
# 1.517 03-Feb-2007 dhartmei

in decide_address_family(), only limit a rule to a specific address family
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@


# 1.516 07-Nov-2006 mcbride

Unbreak authpf by handling non-inline anchors separately from the { } anchors
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.

ok deraadt@


# 1.515 31-Oct-2006 mcbride

Allow pfctl ruleset optimizer to be controlled from the ruleset.

"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]

You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.

cleanup and ok henning@


# 1.514 31-Oct-2006 mcbride

- don't allow anchors with _* names to be cleared or loaded from the
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified

'looks sensible' deraadt@


# 1.513 28-Oct-2006 mcbride

Load all rules into memory before loading into the kernel, and add support
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").

anchor on fxp0 {
pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@


# 1.512 25-Oct-2006 henning

make absolutely sure logif is 0 unless set specifically, even if log is 0.
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...


# 1.511 25-Oct-2006 henning

and another nit, $$.log should be set to 0 explicitly on quick without log


# 1.510 25-Oct-2006 henning

urgs, $$.quick needs to be set to 0 explicitly on log (without quick)


# 1.509 25-Oct-2006 henning

allow the log interface to be selected like
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride


# 1.508 17-Oct-2006 mcbride

Don't automatically set 'flags S/SA' on stateless rules.

pointed out by david@

ok mpf@ dhartmei@


# 1.507 11-Oct-2006 deraadt

quotes around filename, pr 5253, sthen@zephyr.spacehopper.org


# 1.506 11-Oct-2006 mcbride

Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside
the anchor, terminate ruleset evaluation when stepping out of the anchor.

This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.

ok dhartmei@ henning@ deraadt@


# 1.505 06-Oct-2006 mcbride

Oops, flags S/SA doesn't work on fragments.


# 1.504 06-Oct-2006 mcbride

Make 'flags S/SA keep state' the implicit for filter rules, based on
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.

IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.

Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.

ok dhartmei@ deraadt@ henning@


Revision tags: OPENBSD_4_0_BASE
# 1.503 22-Aug-2006 dhartmei

back out -r1.497 (support for "tagged {}" lists), it broke "tagged" support
for nat rules. sorry, existing functionality trumps syntactic sugar. feel
free to resubmit a complete patch. closes PR 5207.


# 1.502 06-Jul-2006 henning

add "rtable" to select alternate routing tables.
with & ok claudio hshoexer


# 1.501 17-Jun-2006 henning

KNF


# 1.500 28-May-2006 mcbride

Make per-rule adaptive timeouts behave the same way as the global adaptive
timeouts.


# 1.499 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.498 02-May-2006 dhartmei

fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, create
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.


# 1.497 01-May-2006 dhartmei

add support for "tagged {}" lists, from Pierre-Yves Ritschard


# 1.496 06-Apr-2006 henning

allow lists inside lists for address specs, has been in my tree for
quite some time... theo likes


# 1.495 14-Mar-2006 djm

implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@


Revision tags: OPENBSD_3_9_BASE
# 1.494 17-Nov-2005 dhartmei

for pfctl -f rules, open the file before resetting options. when opening
the file fails, produce only the error message and leave options
unchanged. reported by Tamas TEVESZ, ok deraadt@


# 1.493 13-Oct-2005 henning

unused parameters


Revision tags: OPENBSD_3_8_BASE
# 1.492 14-Jun-2005 henning

no need to restrict tagging to stateful rules any more, dhartmei ok
From: "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.491 27-May-2005 dhartmei

get rid of 'log-all'. now that we have 'log (options)', make 'all' an
option to log. so, 'log-all' becomes 'log (all)'.


# 1.490 27-May-2005 dhartmei

get rid of shift/reduce conflicts, don't support empty logopts


# 1.489 27-May-2005 dhartmei

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v is used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.


# 1.488 27-May-2005 dhartmei

allow 'tagged' in 'anchor' rules (without complaining about missing
'keep state'), as a condition to branch into the anchor. suggested
by Bill Marquette.


# 1.487 26-May-2005 camield

The illegalness of "no nat log" is already enforced by the grammar.

ok dhartmei


# 1.486 26-May-2005 dhartmei

support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@


# 1.485 23-May-2005 camield

remove code that duplicates getservice()

ok dhartmei mcbride


# 1.484 21-May-2005 henning

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo


# 1.483 22-Apr-2005 camield

Catch bad flags, ie. flags that always evaluate to false. This happens
if there are flags on the lefthandside that are masked off by the
righthand side.

ok mcbride@ (long time ago) dhartmei@ henning@


Revision tags: OPENBSD_3_7_BASE
# 1.482 07-Mar-2005 henning

print unsigned long with %lu, not with %d and not with %ld.
From: Andrey Matveev <andrushock@korovino.net>


# 1.481 06-Mar-2005 henning

allow commas in the hfsc service curve spec, inconsistency pointed out in
PR4134 / geoff@collyer.net and a longer mail exchange with han boetes


# 1.480 06-Mar-2005 dhartmei

print "set skip on" with -v in such a way that the output is valid input
syntax, instead of the cryptic hex flags output.


# 1.479 27-Feb-2005 dhartmei

support 'tagged' in translation rules, non-delayed tag lookup
ok henning@, deraadt@


# 1.478 26-Feb-2005 henning

you sure get the impression the number of memory leaks in error paths
is infinite... Andrey Matveev <andrushock@korovino.net> spotted a few again!


# 1.477 07-Feb-2005 david

KNF; ok henning@


# 1.476 28-Jan-2005 dhartmei

add messages for syntax errors that caused silent failure before.
found by Peter Fraser, ok henning@


# 1.475 27-Jan-2005 dhartmei

dynamic interface names must start with a letter. catches the nonsensical
"(10.1.2.3)" that results from a simple typo like "$(ext_ip)" instead of
"$(ext_if)".


# 1.474 05-Jan-2005 mcbride

Modify pfctl behaviour so that 'set ...' options are no longer "sticky", ie.
they are reset to default values if omitted from a subsequent ruleset load.
Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set
without reseting the others, eg:
# echo "set loginterface fxp0" | pfctl -mf -

ok henning@ dhartmei@


# 1.473 29-Dec-2004 mcbride

Print 'set fingerprints' correctly when parsing verbosely.


# 1.472 23-Dec-2004 dhartmei

set rule_flag PFRULE_SRCTRACK when setting srctrack, found by camield@
using regress test pf84


# 1.471 22-Dec-2004 dhartmei

Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@


# 1.470 15-Dec-2004 henning

missing free()s; with pat


# 1.469 10-Dec-2004 henning

allow pf to filter on route labels
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan


# 1.468 08-Dec-2004 mcbride

Add "'overload' requires 'max-src-conn' or 'max-src-conn-rate'" sanity check,
fix some cut-n-paste mayhem in other related checks.


# 1.467 07-Dec-2004 dhartmei

re-commit mcbride@'s 'flush global', this time without the breakage in
pfvar.h. builds kernel and userland.


# 1.466 07-Dec-2004 deraadt

real backout


# 1.465 07-Dec-2004 deraadt

oops, incomplete backout


# 1.464 07-Dec-2004 deraadt

tree does not compile, spotted by dlg (not obvious how to fix)
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.463 07-Dec-2004 mcbride

Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.462 05-Dec-2004 dhartmei

initialize $$->tail and $$->next for MAXSRCCONNRATE


# 1.461 04-Dec-2004 mcbride

Userland support for limiting open tcp connections per source. eg:

keep state (max-src-conn 1000, max-src-conn-rate 100/10, overflow <bad> flush)

allow a maximum of 1000 open connections or 100 new connections in 10 seconds.
The addresses of offenders are added to the <bad> table which can be used in
the ruleset, and existing states from that host are flushed.

ok deraadt@ dhartmei@


# 1.460 21-Sep-2004 aaron

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok


Revision tags: OPENBSD_3_6_BASE
# 1.459 29-Jun-2004 henning

remove cedric's bogus interface name verification code.
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nice enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being bugged about it regularly.
help & ok mcbride@


# 1.458 29-Jun-2004 frantzen

convert a few memcpy()s to strlcpy() so we don't copy uninitialized junk into
an interface name's slack space past the \0. will be needed for the optimizer.
ok henning@


# 1.457 26-Jun-2004 david

add back PF_INOUT, fixes reassemble tcp
ok canacar@ mcbride@


# 1.456 25-Jun-2004 deraadt

repair tree nanobreak by the nanobum


# 1.455 10-Jun-2004 dhartmei

rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
keyword in C++. ok henning@, cedric@


# 1.454 21-May-2004 dhartmei

Use '/' instead of ':' as separator for anchor path components. Note that
the parser now needs quotes around paths containing separators.
ok mcbride@


# 1.453 19-May-2004 dhartmei

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@


# 1.452 24-Apr-2004 cedric

Add "probability xxx" rule modifier. ok deraadt@


# 1.451 22-Apr-2004 henning

typo, From: Jared Yanovich <jjy2+@pitt.edu>


# 1.450 14-Apr-2004 cedric

make antispoof work with dynamic addresses. ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_5_BASE
# 1.449 20-Mar-2004 david

spelling fix; ok dhartmei@ henning@ deraadt@


# 1.448 14-Mar-2004 dhartmei

#include fixes, from Max Laier, ok beck@ henning@


# 1.447 08-Mar-2004 henning

plug 124 memory leaks
ok mcbride@ pb@ dhartmei@


# 1.446 06-Mar-2004 henning

from bgpd:
plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. err(1, "yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.445 01-Mar-2004 dhartmei

support "tagged <name>" on anchor rules, suggested by vd@vmunix.lt,
ok henning@, cedric@


# 1.444 24-Feb-2004 mcbride

'max-src-nodes' requires 'source-track rule'. Set that automatically,
unless 'source-track global' is explicit, in which case error out. Lots of
help from cedric@.

ok cedric@ henning@


# 1.443 24-Feb-2004 cedric

fixup.


# 1.442 24-Feb-2004 mcbride

Check for 'source-track rule' with 'max-src-nodes'.

ok cedric@ henning@


# 1.441 11-Feb-2004 cedric

Fix interface clobbering for link-local addresses. Found by Pyun YongHyeon.
Fix "antispoof for foo" when foo has no addresses.
ok+help dhartmei@, ok mcbride@


# 1.440 10-Feb-2004 henning

KNF


# 1.439 10-Feb-2004 henning

fix at leats the worst of Cedric "KNF is for everybody but me" Berger's fuckup


# 1.438 04-Feb-2004 mcbride

Handle rules like 'pass ... proto { tcp udp icmp } ... modulate state'

ok dhartmei@ henning@


# 1.437 03-Feb-2004 henning

fix PR 3664 / jared r r spiegel
we need to save the unexpanded tag/tagged strings before entering the
expansion loop, and at each loop, start with the unexpanded tag, so that
on subsequent loops the macros are replaced with current values and not
the values from previous loop persist
ryan theo ok


# 1.436 05-Jan-2004 henning

few off by ones in strlcpy overflow check; Patrick Latifi


# 1.435 04-Jan-2004 cedric

don't ignore "!" on "binat on !foo". ok mcbride@


# 1.434 31-Dec-2003 deraadt

spacing. note this, cedric


# 1.433 31-Dec-2003 cedric

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@


# 1.432 30-Dec-2003 henning

fix TAILQ abuse.
TAILQ_REMOVE is a no-no within a TAILQ_FOREACH loop.
also free the symbol itself after removal.
all found while hacking bgpd which incorporates pfctl's sym code (macros).

ok cedric@


# 1.431 19-Dec-2003 henning

i wrote much of these, assert my copyright


# 1.430 19-Dec-2003 deraadt

assert copyright. i rewrite much of this


# 1.429 16-Dec-2003 mcbride

Check that max-src-states and max-src-nodes are not being set to 0.


# 1.428 15-Dec-2003 henning

KNF here too


# 1.427 15-Dec-2003 mcbride

Whitespace.


# 1.426 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


# 1.425 15-Dec-2003 mcbride

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@


# 1.424 29-Nov-2003 dhartmei

allow ':' (range including boundaries) to be used wherever '><' (range
excluding boundaries) is legal. already supported by kernel, requires only
removal of three error messages. ok henning@


# 1.423 22-Nov-2003 henning

daniel stumbled over a broken regress test, and it turned out that I forgot
to commit a diff from 11/6...
do not insert the "block in on ! interface" rule for antispoof statements when
the interface in question does not have any IP address, because that then
expands to
block in on ! interface all
which is obviously bad.
niklas@ found it, dhartmei@ ok, and I think some more ppl ok I don't remember


# 1.422 14-Nov-2003 henning

allow the debuglevel to be set from pf.conf (set debug)

ok cedric@


# 1.421 08-Nov-2003 mcbride

Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.

pass in proto tcp to self flags S/SA keep state (no-sync)

ok cedric@ henning@ dhartmei@


# 1.420 06-Nov-2003 henning

and fix two err() that should be errx() while being here


# 1.419 06-Nov-2003 henning

need calloc here


# 1.418 06-Nov-2003 henning

allow the label macros to be used in tags as well.
the idea is not mine and I'd love to give credit, but I cannot find the mail
any more :-((

ok canacar@ dhartmei@


# 1.417 21-Oct-2003 itojun

don't use NULL as (int)0. henning ok


# 1.416 26-Sep-2003 cedric

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:

- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK

Ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_4_BASE
# 1.415 01-Sep-2003 henning

KNF


# 1.414 28-Aug-2003 kjell

This change is busted. what's worse, REGRESSION TESTS WOULD HAVE CAUGHT IT!
You MUST test network stack changes on BOTH BYTE-ORDERS.
Someone can fix this later, but right now I need to get the damn
firewall up. Grr.


# 1.413 26-Aug-2003 dhartmei

catch port/user/group a <>/>< b with a >= b, from mpech@


# 1.412 25-Aug-2003 dhartmei

catch return-rst ttl values > 255, from aaron@


# 1.411 24-Aug-2003 cedric

Tweaks:
- Make sure we allow only tables in round-robin pools for routing options,
same as what we do for translation rules.
- Don't reject rules like: "nat on sis0 -> <foo>" because
"no address family is given". This is perfectly valid.
ok henning@


# 1.410 22-Aug-2003 david

pf spelling police
ok dhartmei@ jmc@


# 1.409 21-Aug-2003 frantzen

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001


# 1.408 20-Aug-2003 henning

braindeadness police: catch queues which specify itself as child... 'nuff said


# 1.407 20-Aug-2003 henning

err out nicer on errors in queue def


# 1.406 18-Aug-2003 dhartmei

catch max-mss values > 65535, report by Gregory Steuck


# 1.405 09-Aug-2003 cedric

This patch removes the restriction that tables cannot be used in routing or
redirection rules...

The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.

This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.

Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"

ok henning@ mcbride@


# 1.404 29-Jul-2003 deraadt

indent


# 1.403 19-Jul-2003 cedric

Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
instead of indirectly through struct pf_rule_addr.

Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.

Needless to say: KERNEL/USERLAND SYNC REQUIRED.

ok henning@ mcbride@


# 1.402 18-Jul-2003 cedric

Simplify handling of flags (-R, -N...). Remove PFCTL_FLAG_ALL.
ok dhartmei@


# 1.401 15-Jul-2003 cedric

Repair memory management in table parsing code.
I need vacations.
Found and verified by Pyun YongHyeon.
ok dhartmei@


# 1.400 14-Jul-2003 dhartmei

tpo


# 1.399 11-Jul-2003 cedric

Better parsing and -v support for tables:

- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and bring table definition consistent with other
parsed rules.

ok dhartmei@


# 1.398 10-Jul-2003 cedric

Fix merging of host lists.
ok dhartmei@ henning@


# 1.397 04-Jul-2003 henning

KNF after cedric (grmpf)


# 1.396 04-Jul-2003 henning

allow for a "pass" modifier on translation rules:
nat pass on $ext_if from $a to $b -> $ext_if
when the pass modifier is given, the filter ruleset is _not_ evaluated but
the packets matching this translation rule are passed unconditionally.

ok dhartmei@ cedric@ markus@


# 1.395 03-Jul-2003 cedric

Bye bye atexit(), bye bye globals...
The pfctl.c part will probably need some further improvements.
ok henning@


# 1.394 03-Jul-2003 cedric

This patch finally cleans up pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@


# 1.393 19-Jun-2003 deraadt

knf


# 1.392 18-Jun-2003 henning

change expand_label_addr() to use a switch (h->addr.type) instead of
if .. else if .. else, and handle PF_ADDR_NOROUTE as well.
inspired by a comment from cedric.


# 1.391 18-Jun-2003 henning

when expanding the $srcaddr/$dstaddr label macros and the address is actually
a table reference, don't print nonsense but the table name.
found by claudio jeker, fix by me, agreement by cedric


# 1.390 09-Jun-2003 mcbride

Attempt to resolve byte order confusion in nat code once and for all.

- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()

NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.


# 1.389 25-May-2003 henning

must not run check_netmask() before remove_invalid_hosts() - binat case had it
wrong for the redirection target.
reported by jared r r spiegel <jrrs@ice-nine.org>


# 1.388 19-May-2003 henning

reject invalid netmasks like 10.0.0.0/68, and fix up the netmask for
dynaddr rules after we know the address family

ok dhartmei@, inspired by a session with bob


# 1.387 19-May-2003 henning

all host() receivers have to test for NULL


# 1.386 19-May-2003 henning

if host() returns NULL, it is an error, so err the fuck out and don't
load bullshit


# 1.385 17-May-2003 henning

support inverse matching on tags like
block in ! tagged sometag

ok dhartmei@ pb@


# 1.384 16-May-2003 dhartmei

TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive end-
point, preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@


# 1.383 15-May-2003 henning

properly complain about too long tags


# 1.382 14-May-2003 frantzen

add scrub modifier "reassemble tcp" to turn on stateful TCP normalizations
ok henning@ dhartmei@


# 1.381 14-May-2003 henning

tagging on binat


# 1.380 14-May-2003 henning

enabled tagging on rdr rules


# 1.379 14-May-2003 henning

with tag/tagged given, only whine about missing keep state on pass rules


# 1.378 14-May-2003 frantzen

allow SCRUB rules to specify protocol again. broken sometime in the past.
okie dhartmei@, yay pb@


# 1.377 14-May-2003 henning

tags on nat rules:
nat on $ext_if all tag humppa -> $ext_if
pass out tagged humppa keep state


# 1.376 13-May-2003 henning

make sure tagging is only ever used with stateful filter rules


# 1.375 13-May-2003 henning

userland part for tagging.
it's now possible to tag packets with an arbitrary tag and filter based on
that tag later on other interfaces:
pass in quick on fxp0 keep state tag blah
pass out quick on wi0 keep state with tag blah
can be used to express trust between interfaces, to distinguish between
NATed connections and connections originating from the firewall itself
and much more

ok dhartmei@ frantzen@ pb@ mcbride@


# 1.374 11-May-2003 mcbride

Don't ntohs() the translation port for nat as it is already in host byte order.
Makes nat ... -> $ext_if port 500 rules work correctly again.

ok henning@ dhartmei@ frantzen@


# 1.373 10-May-2003 henning

support loading of anchors from within the main ruleset via
load anchor anchorname:rulesetname file /path/to/file

ok pb@ dhartmei@ cedric@


# 1.372 03-May-2003 henning

don't free() the char * carrying the rule label too early
noticed by Mathieu Sauve-Frankel <m.sauve at secureops.net> via silc


# 1.371 01-May-2003 henning

ease label handling

ok cedric@


# 1.370 01-May-2003 henning

allow label on antispoof; requested by Gregor Binder <gbinder at sysfive.com>

ok cedric@


# 1.369 30-Apr-2003 cedric

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@


# 1.368 25-Apr-2003 dhartmei

Properly copy the second part of nat proxy port range, when specified.
ok henning@


# 1.367 15-Apr-2003 henning

pass down the unparsed queue opts (struct node_queue_opt) to
print_altq/print_hfsc -> print_hfsc_opts and extract struct node_hfsc_sc
there for each service curve and pass those down to print_hfsc_sc. now
bandwidth specifications in the service curves are printed correctly in the
case of a queue belonging to more than one interface/parent queue, the
parent queues having different bandwidths and the bandwidth on the service
curve being specified in percent.


# 1.366 14-Apr-2003 henning

let print_altq and print_queue take a struct node_queue_bw parameter instead
of distinct bw_percent


# 1.365 13-Apr-2003 henning

KNF


# 1.364 13-Apr-2003 henning

prevent double service curve specification


# 1.363 13-Apr-2003 henning

add support for the HFSC linkshare, realtime, and upperlimit service curves
to be specified.


# 1.362 13-Apr-2003 dhartmei

unbreak (missing })


# 1.361 13-Apr-2003 henning

say bye bye to hfscflags_list and hfscflags_item
welcome hfscopts_list and hfscopts_item, returning a full struct
node_hfsc_opt instead of just an int for the flags. needed because of all
the opts hfsc knows


# 1.360 13-Apr-2003 henning

new struct node_hfsc_opts for, surprise, hfsc options. needed because they
contain bandwidth specifications and we need to carry the unprocessed bw
specs around for quite some time until we can break them down to absolute
values.


# 1.359 13-Apr-2003 henning

pass down the struct node_queue_opts from the altqif/queuespec yacc targets
to expand_altq/expand_queue -> eval_pfaltq/eval_pfqueue and
further down to the new eval_queue_opts() instead of evaluating them directly
in the yacc grammar.
this will be needed to process the hfsc options which can contain relative
bandwidth specifications, and we can't break them down to an absolute one
earlier.


# 1.358 13-Apr-2003 henning

move the structs node_queue_bw and node_queue_opt to pfctl_parser.h.
let eval_pfqueue() and eval_pfaltq() take a pointer to a struct
node_queue_bw instead of two distinct bw_absolute and bw_percent parameters.


# 1.357 13-Apr-2003 henning

move the bandwidth keyword from within the bandwidth target up to the
queue_opts target so the bandwidth parser can be used for other things too;
will be needed for hfsc's linkshare etc


# 1.356 12-Apr-2003 henning

initial support for the HFSC scheduler.
whoever uses that for more than toying around is on drugs. it's far from done.


# 1.355 11-Apr-2003 henning

KNF


# 1.354 11-Apr-2003 henning

don't set r->qid and r->pqid in expand_rule any more, queue name -> queue ID
mapping is done in kernel land now


# 1.353 07-Apr-2003 dhartmei

Catch and refuse invalid icmp codes (> 255). ok pb@, mpech@.


# 1.352 05-Apr-2003 henning

ease netmask handling a bit

input theo, ok dhartmei@


# 1.351 05-Apr-2003 henning

allow queue specs to be limited to certain interfaces.

altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two }
queue one priority 1 priq(default)
queue two on $if0 priority 15
queue two on ! $if0 priority 0

ok dhartmei@


# 1.350 05-Apr-2003 henning

whitespace KNF


# 1.349 04-Apr-2003 henning

clean up:
instead of letting the lexer interpret '<' '>' '=' '>=' '<=' and return them
as PF_OP_LT, PF_OP_GT etc etc etc in PORTUNARY, just let the lexer return
'<' '>' and '=' literally, and in the few cases where the old PORTUNARY was
really used like originally intended, replace that by a new unaryop yacc
target. in all other cases that gets rid of quite some checks whether PORTUNARY
is really < and nothing else etc etc etc.

ok cedric@ deraadt@


# 1.348 27-Mar-2003 henning

lotsa const char *
from David Hill <david at phobia.ms> a while ago


# 1.347 27-Mar-2003 henning

introduce a "yesno" target. eases code a bit and yes is not a keyword any more.


# 1.346 27-Mar-2003 henning

handle invalid priq/cbq flags better and give a nice error message


# 1.345 27-Mar-2003 henning

default, borrow, ecn, red and rio are not keywords any more. use STRING and
strcmp instead.


# 1.344 27-Mar-2003 henning

switch symset/symget to TAILQ instead of using hand baked lists

ok dhartmei@ cedric@


Revision tags: OPENBSD_3_3_BASE
# 1.343 19-Mar-2003 henning

branches: 1.343.2;
kill the address token and move the host() invocation up to the host token,
so that host() always gets the full address to be parsed including the
netmask instead of applying the netmask afterwards. this could break some
edge cases and was broken since the (interface)/24 fix.
new token dynaddr for, well, dynaddr, and apply an eventually given netmask
afterwards in the host token just in this case.

found after bug report From: Julien Bordet <zejames@greyhats.org> via dhartmei

ok daniel cedric


# 1.342 10-Mar-2003 henning

correctly cope with errors returned by eval_pfqueue and pfctl_add_altq

ok dhartmei@ pb@ (as part of... you know, monsterdiff)


# 1.341 10-Mar-2003 henning

when complaining about a queue without parent, include the queue name in
the error message

ok dhartmei@ pb@ (as part of a monsterdiff)


# 1.340 09-Mar-2003 henning

cope with LOOP_THROUGH modifying the list (queues).
in case of an error in the queue def in question the queues list remains
unmodified, but the LOOP_THROUGH caused a mod anyway, and the list can stay
empty. subsequent checks for NULL which check for an empty list fail then.
fix by adding an explicit check before looping.
fixes regress pfail31
error report by Kamil Andrusz via pb@, testcase from pb@
ok dhartmei@


# 1.339 09-Mar-2003 henning

cope with the fact that LOOP_THROUGH loops once even if the list is empty by
moving the addition of child queues a bit down after the successful
addition of the current queue and an explicit NULL check before looping.
fixes regress pf59
found by kjc@
ok kjc@ cedric@ dhartmei@


# 1.338 08-Mar-2003 henning

fix the obvious:
since we do not modify the struct pf_altq *a any more but our private copy,
we can of course not inherit the scheduler type from it, since it did not
inherit the scheduler type from the parent.
so just inherit the scheduler type from the parent directly...

ok dhartmei@ cedric@


# 1.337 08-Mar-2003 henning

in expand_queue, make a private copy of the struct pf_altq before modifying
it. modifying the original one had undesired side effects if a queue was
expanded to more than one because it belonged to more than one interface

ok pb@ cedric@ dhartmei@


# 1.336 06-Mar-2003 henning

fix queue assignment on filter rules which are not bound to an interface.
when looking up the queue IDs using qname_to_qid, we do not need to limit
the matching on the interface in question, as it is guaranteed that same
named queues on different interfaces have the same queue id. moreover, we
must not limit the matches to the interface if we do not have an interface
given on the filter rule to match on ;-)

found after problems reported by Andre Nathan <andre at v2r dot com dot br>

ok dhartmei@ pb@ cedric@


# 1.335 02-Mar-2003 henning

when printing queues at load time that have bandwidth specified in percent,
print the bandwidth in percent instead of the calculated absolute value.
if a queue belongs to more than one interface and they have different
bandwidth the calculated absolute is of course different per interface.
previously the first calculated absolute value was shown; what of course is
incorrect on the second interface. note that only the print was wrong, the
correct values were passed to the kernel.

ok theo daniel


# 1.334 02-Mar-2003 henning

remove the control keyword for cbq queues.
the control class was a legacy of the original CBQ design by LBL/Sun
to support RSVP.
the control class is not used in openbsd, in the sense that
we don't automatically set filters for ICMP/IGMP/RSVP for the control
class.

ok dhartmei@ kjc@ deraadt@


# 1.333 27-Feb-2003 david

modify error message to match the same 7 sections in pf.conf(5)
ok deraadt@ henning@


# 1.332 26-Feb-2003 henning

in expand_rule, correctly set r->pqid if a priority queue was defined, and
reuse the value of r->qid if not.

ok dhartmei@ mcbride@


# 1.331 25-Feb-2003 henning

some minor KNF my fingers just did...

ok dhartmei@ cedric@


# 1.330 25-Feb-2003 cedric

repair/simplify/flexify binat userland.
ok dhartmei@ henning@


# 1.329 24-Feb-2003 henning

when a macro is redefined, don't bother with reusing the existing entry in
symset() but just prepend a new sym entry to symhead like we always did. as
symget searches the list sequentially, the newest one is picked first.
prevents an endless loop introduced when trying to reuse the existing entry
by an invalid setting for the next pointer.
fixes regress test pf57.

found after conversation with Chris Linn, celinn at mtu dot edu

ok dhartmei@ cedric@


# 1.328 21-Feb-2003 henning

re-allow set loginterface none
ok cedric@ dhartmei@


# 1.327 21-Feb-2003 henning

better error message if set loginterface is called with nonexistent
interface, found by krause (who is doing EXCELLENT work. Thank you very
much!), fix by me, ok dhartmei@ and cedric@


# 1.326 20-Feb-2003 henning

reject nonexistent interfaces in the dynaddr case, noticed during discussion
with jasondixon at myrealbox dot com

ok dhartmei@


# 1.325 19-Feb-2003 dhartmei

Make 'from (kue0)/24' work again (dynamic interface name translation with
a /prefix), reported by Jason Dixon. ok henning@


# 1.324 19-Feb-2003 henning

better error message on icmp version / address family mismatch

ok markus@


# 1.323 18-Feb-2003 henning

fix load option handling (-A, -N, -R) for options.
due to a bug in the loadopt check options were always loaded no matter which
loadopts were specified.
while being there, move the prints for that to where they belong, into the
appropriate pfctl_set_* functions, and thus only print when the options are
actually loaded.
fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier.

ok dhartmei@


# 1.322 17-Feb-2003 henning

"optarg" was a bad pick for the variable name in pfctl_cmdline_symset, it
shadows a global. rename.


# 1.321 17-Feb-2003 mpech

-#include <sys/ioctl.h>

mcbride@, dhartmei@ ok


# 1.320 16-Feb-2003 henning

unneeded {}


# 1.319 16-Feb-2003 henning

throw a syntax error if the portunary operator in varset is no '='
extif>"whatever"
should not be the same as
extif="whatever"
but a syntax error.


# 1.318 14-Feb-2003 dhartmei

Allow route-to loopback interfaces again, since Ryan fixed the loops that
might have occurred before.


# 1.317 14-Feb-2003 cedric

Better and more consistent error message.
Ok dhartmei@


# 1.316 13-Feb-2003 henning

ease the yacc a bit by using a "not" rule instead of having two rules w/ and
without '!' everywhere

ok dhartmei@


# 1.315 12-Feb-2003 henning

KNF after ryan


# 1.314 12-Feb-2003 mcbride

Simplify the code and make the parser handle the different rule types
more consistently.

- Merge expand_nat and expand_rdr into expand_rule
- Merge rdrrule token into natrule

ok concept henning@
ok dhartmei@


# 1.313 11-Feb-2003 henning

allow macro definition on the command line:
pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea
theo), very handy if your notebook has another NIC at some conference, as
well as for debugging etc.
idea rezine@mistrusted.net via pb@
hacked live at FOSDEM

ok pb@ dhartmei@ cedric@


# 1.312 09-Feb-2003 henning

more live code from FOSDEM:
make
pass in proto tcp to port 80
work.
-allow to omit the "any" if you're specifying a port
-allow to omit the from or to part if you want "any" for the other

ok dhartmei@ pb@


# 1.311 09-Feb-2003 henning

KNF


# 1.310 09-Feb-2003 camield

Fix a few warnings and remove unnecessary check and cast.

ok dhartmei henning


# 1.309 08-Feb-2003 dhartmei

Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@


# 1.308 05-Feb-2003 cedric

Fix "pass out dup-to (tun0 1.1.1.1) inet6 all" error message
Allow "pass out dup-to tun0 all"
ok mcbride@ henning@


# 1.307 05-Feb-2003 mcbride

Set the network mask to all 1's if no address is specified for a
route-to/dup-to/reply-to rule. Keeps round-robin from incrementing through
the entire address space.

ok dhartmei@


# 1.306 03-Feb-2003 deraadt

pretty


# 1.305 03-Feb-2003 dhartmei

Don't allow loopback interfaces as route/reply/dup-to targets. ok henning@


# 1.304 03-Feb-2003 cedric

remove loadopt global definition and cleanup a bit.
ok henning@


# 1.303 03-Feb-2003 henning

fix a problem with queue definitions when load options (like -N etc) are
given; they used to check for their parent interface/queue even in this
case.

ok dhartmei@ cedric@


# 1.302 02-Feb-2003 henning

there is no need to pass opts to parse_rules explicitly; it's passed as
part of the struct pfctl.


# 1.301 27-Jan-2003 deraadt

KNF


# 1.300 25-Jan-2003 mcbride

Match changes for rdr port ranges made to pf.c:
- fixes behaviour of rdr on le0 from foo to bar port 1:20 -> (lo0) port 22
- makes calculated mapping more explicit for the -> (lo0) port 22:* case

testing from dhartmei@

ok dhartmei@


# 1.299 25-Jan-2003 cedric

Fix NOACTION with table statements.


# 1.298 25-Jan-2003 cedric

Permit initialisation of a table content from a file in pf.conf.
Cleaning up of the table options parsing, more flexible.
idea+cleanup deraadt@, ok dhartmei@, pass all regress tests.


# 1.297 25-Jan-2003 cedric

Correctly check illegal constructs with tables. Better error messages.
ok dhartmei@ pass all regress tests.


# 1.296 25-Jan-2003 henning

if a table name is too long, it's actually nice to tell so instead of just
aborting with a syntax error


# 1.295 20-Jan-2003 camield

Remove unused argument from print_name() and fix two other nits
found by lint.

ok henning


# 1.294 19-Jan-2003 camield

Spin off label string expansion into a separate function. Clarifies
and tightens all expand_label functions.

ok dhartmei henning


# 1.293 18-Jan-2003 henning

KNF after ryan...


# 1.292 18-Jan-2003 mcbride

Add missing token string and assignment to make static-port work for real.

Diff and report courtesy of mpech@ and form@

ok dhartmei@


# 1.291 17-Jan-2003 camield

bandwith -> bandwidth

YYERROR on failed parseicmpspec()

ok dhartmei mcbride henning


# 1.290 15-Jan-2003 mpech

Typo in yyerror().

henning@


# 1.289 14-Jan-2003 henning

unified IP parser:
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h]
-extend host() to handle /mask itself, plus minor adjustments
-use that in pfctl_table.c instead of coding the same shit again

discussed w/ cedric@
ok cedric@ dhartmei@


# 1.288 13-Jan-2003 camield

err() on all memory allocation failures

ok henning dhartmei


# 1.287 11-Jan-2003 mcbride

Whitespace KNF


# 1.286 09-Jan-2003 henning

no need for explicit numbering in enums

ok dhartmei@


# 1.285 09-Jan-2003 dhartmei

Check return values on the remaining strlcpy/strlcat. ok henning@


# 1.284 09-Jan-2003 henning

minor KNF


# 1.283 09-Jan-2003 cedric

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@


# 1.282 08-Jan-2003 deraadt

check more strlcpy; camield@


# 1.281 07-Jan-2003 dhartmei

Allow underscore at the beginning of strings, fixes
pass all user _spamd
which was refused as syntax error before. Reported by Joe Nall.
ok henning@


# 1.280 07-Jan-2003 dhartmei

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@


# 1.279 06-Jan-2003 mcbride

Fix some oversights with address pools for route-to/dup-to/reply-to
- copy key for src-hash
- copy pool type (pools were being set to round-robin in all cases)

+ some minor knf.

ok dhartmei@


# 1.278 05-Jan-2003 henning

err after calloc failure, not errx


# 1.277 05-Jan-2003 dhartmei

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@


# 1.276 04-Jan-2003 dhartmei

move noroute from flag in pf_rule_addr into type in pf_addr_wrap.
ok henning@, mcbride@


# 1.275 04-Jan-2003 deraadt

I do not know where this policy of "one .h file for every .c file" comes
from, but whoever thought of it is stupid.


# 1.274 03-Jan-2003 dhartmei

whitespace KNF (no, i don't touch the option inits)


# 1.273 03-Jan-2003 cedric

Bring in userland code for accessing PF radix tables.
ok dhartmei@ mcbride@


# 1.272 02-Jan-2003 mcbride

Require a direction to be specified for rules which do routing.

ok dhartmei@ henning@


# 1.271 30-Dec-2002 mcbride

Change ipv6-icmp-type to icmp6-type. pf.conf files will need to be adjusted
to reflect this.

ok dhartmei@ henning@


# 1.270 27-Dec-2002 mcbride

Since pf_norm.c looks at rule.log to see if it should log packets being
dropped due to scrub violations, this adds the ability to set this in
pf.conf.

ok henning@


# 1.269 21-Dec-2002 henning

always initialize rpool.key; diff from Frank Denis; KNF by me


# 1.268 21-Dec-2002 henning

KNF


# 1.267 20-Dec-2002 dhartmei

remove a redundant assignment.


# 1.266 19-Dec-2002 dhartmei

fix 'no rdr'.


# 1.265 18-Dec-2002 henning

more KNF


# 1.264 18-Dec-2002 dhartmei

proto list expansion is not supported in binat-anchor yet, print an error
when attempted.


# 1.263 18-Dec-2002 dhartmei

Support (single) destination port in rdr-anchor rules. Print an error
where parameters are not supported (in rdr-anchor and binat-anchor) yet.
If those are needed, we'll have to expand them properly.


# 1.262 18-Dec-2002 deraadt

fix some INCREDIBLE new bugs which were introduced


# 1.261 17-Dec-2002 henning

add support for the PRIQ scheduler

partially from kjc@

ok kjc@ dhartmei@


# 1.260 17-Dec-2002 mcbride

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule

ok dhartmei@ henning@


# 1.259 17-Dec-2002 henning

missing break in switch


# 1.258 17-Dec-2002 henning

beautify the %type block


# 1.257 17-Dec-2002 henning

PRIQ and HFSC support functions, not yet used.
mostly from kjc@ with adjustments by me.

ok theo ryan daniel


# 1.256 16-Dec-2002 henning

only create a root queue if scheduler = cbq


# 1.255 16-Dec-2002 henning

get full [scheduler]_opts struct instead of just .flags, and wrap it into a
switch (scheduler) statement in one case

inspired by kjc@


# 1.254 13-Dec-2002 henning

allow a second queue for higher-prioritized (currently: tos=lowdelay) packets
to be specified per rule

queue (qname, priorized_qname)

idea dhartmei
ok dhartmei@ frantzen@ deraadt@


# 1.253 13-Dec-2002 henning

a bit KNF originally part of another diff soon to come; frantzen@ correctly
pointed out that should be a separate commit.


# 1.252 13-Dec-2002 deraadt

permit re-ordering of some scrub parameters, and also clean up some other
grammar baloney; henning ok


# 1.251 12-Dec-2002 henning

KNF


# 1.250 12-Dec-2002 henning

we don't need to keep a private copy of the queue name in expand_rule,
r->qname is never modified

discussed with dhartmei@


# 1.249 11-Dec-2002 mcbride

Replace strncpy + ugly pointer math with sscanf for reading source-hash keys

ok dhartmei@ henning@


# 1.248 09-Dec-2002 dhartmei

(properly guarded) strcpy() -> strlcpy()


# 1.247 09-Dec-2002 deraadt

do not allow redefinitions in variable option blocks; henning ok


# 1.246 08-Dec-2002 henning

strncpy is evil.


# 1.245 08-Dec-2002 henning

allow flexible options order like Theo did for rules.

idea, lots of input, motivation and ok deraadt@

ATTENTION:
this changes the syntax. the "scheduler" keyword is gone now.
old: altq on $interface scheduler cbq ...
new: altq on $interface cbq ...


# 1.244 07-Dec-2002 dhartmei

Support parameters in anchor rules. Allows conditional evaluation, like:

anchor spews inet proto tcp from any to any port smtp

ok deraadt


# 1.243 07-Dec-2002 henning

more KNF


# 1.242 07-Dec-2002 henning

KNF


# 1.241 07-Dec-2002 henning

shadow cleanup

ok mcbride@ frantzen@


# 1.240 07-Dec-2002 henning

kill an unused param to lungetc


# 1.239 07-Dec-2002 mcbride

Convert the hash of a string key to network byte order. Makes regression
work on all platforms.

Bug found by dhartmei@

ok dhartmei@ henning@


# 1.238 06-Dec-2002 dhartmei

Remove negated address list check again, doesn't work right yet.


# 1.237 06-Dec-2002 dhartmei

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@


# 1.236 05-Dec-2002 henning

fix a small cosmetic problem. if ifa_lookup was called in LOOKUP_NET mode,
it would return things like 127.0.0.1/8. when 127.0.0.1/8 is passed through
the new selftests, it becomes 127.0.0.0/8.
fix: instead of just copying addr.mask in ifa_lookup, use set_ipmask, so it
is 127.0.0.0/8 from the beginning on.


# 1.235 05-Dec-2002 henning

-quote varset in -v output
-don't add 's' in set timeout -v output

makes the feedback regression tests succeed.

ok markus@ mcbride@


# 1.234 04-Dec-2002 henning

in host(), apply a given netmask to all members of the node_host list
returned by ifa_lookup().

reported by Alejandro G. Belluscio

ok dhartmei@


# 1.233 04-Dec-2002 deraadt

do not warn for unused variables except with -v -v; henning ok


# 1.232 02-Dec-2002 henning

KNF


# 1.231 02-Dec-2002 deraadt

permit more flexible pass/block lines. the options given at the end of
a line can now be placed in any order, and some merging of duplicate options
is also done. this is easier to use.


# 1.230 02-Dec-2002 henning

allow for "altq on $interface" without specifying a bandwidth. The
interface's bandwidth is taken then.
as a side-effect, "altq on $interface bandwidth xx%" is also possible now,
it's relative to the interface's bandwidth then.

ok theo


# 1.229 30-Nov-2002 mickey

move damn unmask() proto into place as well


# 1.228 29-Nov-2002 henning

coredumps are not nice.
deal with the fact that when we are merging the lists in host_list both can
be NULL.
found at EuroBSDCon 2002 while I was explaining the expansion process to
Paul de Weerd

ok dhartmei@


# 1.227 29-Nov-2002 henning

print queuespec only once in verbose mode, even if referenced more often


# 1.226 29-Nov-2002 henning

FREE_LIST nqueues later; can be used more than once


# 1.225 28-Nov-2002 henning

allow qlimit on altq spec


# 1.224 28-Nov-2002 mcbride

- Adjust to match replacement of md5 with pf_hash
- Allow keys to be specified in hex (must be 128 bits, mainly to make
pfctl -v output parseable by pfctl) or as a string. Randomly generate a key
if one is not specified.

Suggestions and fixes from camield@

ok mickey@ camield@ henning@


# 1.223 27-Nov-2002 henning

handle the "no bandwidth specified" case earlier and easier.


# 1.222 27-Nov-2002 henning

-use a #define for default qlimit instead of hardcoding it
-print qlimit in print_queue if it is not the default one
-assign the default qlimit early in the parser instead of using 0


# 1.221 27-Nov-2002 henning

next round in print fixes:
-only print priority if it is not equal to the default one
-space handling overhaul


# 1.220 27-Nov-2002 henning

use a #define for default priority instead of hardcoding it


# 1.219 27-Nov-2002 henning

fix tbrsize spec


# 1.218 27-Nov-2002 henning

fix error message for altq ifspec without child queues


# 1.217 26-Nov-2002 henning

make bandwidth specification on queue truly optional


# 1.216 26-Nov-2002 henning

queue comes before NAT


# 1.215 25-Nov-2002 henning

repair decide_address_family
you cannot just take the first address family you meet as the rule's address
family... either all are equal, or the rule has no explicit AF.

found by danh@
ok theo


# 1.214 25-Nov-2002 mickey

for loN and link1 translate the iface into address properly; henning@ ok


# 1.213 25-Nov-2002 henning

1Kb = 1000b, not 1024; as discussed with kjc@ and theo


# 1.212 25-Nov-2002 henning

KNF


# 1.211 24-Nov-2002 pb

enforce that queue comes right before filtering
'options, normalization, translation, queue, filter' now

henning@ ok


# 1.210 24-Nov-2002 dhartmei

Cosmetics and removal of a redundant code block.


# 1.209 23-Nov-2002 deraadt

sigh


# 1.208 23-Nov-2002 henning

KNF


# 1.207 23-Nov-2002 henning

better error checking in expand_queue


# 1.206 23-Nov-2002 henning

easier


# 1.205 23-Nov-2002 mcbride

Daniel's diff to untangle my mess with ifa_pick_ips like so:

- add decide_address_family() which runs through the list to find hosts
with the af set
- replace ifa_pick_ips with remove_invalid_hosts() which removes hosts with
the wrong address family from the list

from/ok dhartmei@


# 1.204 23-Nov-2002 henning

better error checking, round 1
this time in expand_altq


# 1.203 23-Nov-2002 henning

KNF


# 1.202 23-Nov-2002 deraadt

KNF


# 1.201 23-Nov-2002 dhartmei

$$->ifname is NULL, leave it NULL, don't $$->ifname[0] = 0;


# 1.200 23-Nov-2002 mcbride

Fix brokenness in parse.y, clean up:
- remove requirement for ( ) in route-to ( if )
- calloc route_host
- initialise route_host->next
- globally convert malloc to calloc

ok dhartmei@


# 1.199 23-Nov-2002 mcbride

code to support loading of pf rules with multiple redirection addresses
(in nat, rdr, route-to, dup-to and reply-to)

Syntax looks like this, see pf.conf(5) for details:

nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
192.168.0.16/29 source-hash random

rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
{ 192.168.0.8/31, 192.168.0.15 } port 22 round-robin

ok dhartmei@ henning@


# 1.198 22-Nov-2002 henning

print altq and queue lines in the pfctl -v case including the child queue
assignment


# 1.197 19-Nov-2002 henning

only take cbq opts from schedtype if type=CBQ


# 1.196 19-Nov-2002 henning

repair queuespec syntax glitch, theo agrees


# 1.195 19-Nov-2002 henning

default priority is 1, not 0
found by pb@


# 1.194 19-Nov-2002 camield

- match 'Gb' case-sensitively
- match "%" unit only, not "%crap"

ok henning@


# 1.193 19-Nov-2002 wilfried

icmp-type was off by one, ok henning@


# 1.192 18-Nov-2002 deraadt

no; do not use };


# 1.191 18-Nov-2002 henning

more using strl* return values instead of strlen calls


# 1.190 18-Nov-2002 henning

easier "queue name too long" detection; from theo


# 1.189 18-Nov-2002 deraadt

KNF


# 1.188 18-Nov-2002 deraadt

KNF


# 1.187 18-Nov-2002 henning

altq and pf merged

this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documentation yet, but committing now
enables a few more people to work on it.

print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.

"commit now" theo philipp daniel


# 1.186 13-Nov-2002 henning

as scrub rules end up in a struct pf_rule just call expand_rule instead of
handcrafting this.
has quite a few positive side effects:
-interface list expansion works (fries@ asked for that)
-can specify address family, very helpful with dynamic interface expansion
(pointed out by daniel)
-src/dst ip/port list expansion works
-fixes a long standing, scary, though never noticed bug:
scrub out on lo1 from any to 10.0.0.1
expanded to
scrub out on lo1 all
... this bug was there from day #1.

"sneaky diff of the month award" dhartmei@


# 1.185 13-Nov-2002 dhartmei

Add label macro $if, as we support {} list expansion for interfaces now.
From David Gwynne. ok henning@, camield@


# 1.184 13-Nov-2002 dhartmei

Initialize tail pointer to node, found by fries@


# 1.183 08-Nov-2002 henning

init buf to NULL just in case...
there isn't a single codepath where it can remain uninitialized, but this
might prevent a stupid bug if we change something later


# 1.182 07-Nov-2002 henning

move the ifa_exists block a bit up in host()
inspired by mpech@ pointing out a missing free(buf). so handle the
it-is-an-interface case where we don't need the buf before allocating memory.


# 1.181 04-Nov-2002 henning

welcome to CIDR world, pfctl!

use inet_net_pton to parse IP addresses.
stuff like
block in from 10/8 to any
works now.

some input camield@ and dhartmei@

ok dhartmei@, camield@, mcbride@


# 1.180 02-Nov-2002 dhartmei

%i -> %d, matches the style of existing code, from millert@


# 1.179 02-Nov-2002 dhartmei

printf int with %i, not %u. from pilot@monkey.org.


# 1.178 30-Oct-2002 henning

simplify


# 1.177 30-Oct-2002 henning

fix interface expansion. since the reversed list expansion code was
committed this was broken, only the first IP address was returned.

pointed out by danh@, who sent an excellent bug report.

ok dhartmei@


# 1.176 29-Oct-2002 henning

introduce
set require-order [yes|no]
default is yes.
when set to "no", it isn't required to have the rules in order (options,
scrub, nat, filter) any more, though of course NATing still happens before
filtering and so on, so one has to take care.

ok camield@ mcbride@ dhartmei@
idea discussed with a whole lotta more people and basically ok for everyone ;-)


# 1.175 27-Oct-2002 henning

remove the "flags X" syntax.
no one who wrote "flags S" meant that, but actually something like "flags
S/SA". with "flags S" changing its actual meaning as more flags got
supported, things got worse.

ok dhartmei@, pb@


# 1.174 22-Oct-2002 mpech

%ul -> %lu

dhartmei@ ok


# 1.173 22-Oct-2002 mcbride

More conversion of "int af" and "u_int8_t af" declarations and function
arguments to the more correct and descriptive "sa_family_t af"

ok dhartmei@ henning@


# 1.172 22-Oct-2002 camield

Rename ipmask to set_ipmask and add some functionality: the netmask
is applied immediately to the address.

This way, the parsed rules output shows exactly which bits of an
address are significant for a match and errors due to wrong netmasks
can be spotted more easily.

Example:
$ pfctl -nvf -
pass in on lo0 from 172.17.0.0/12 to any
@0 pass in on lo0 inet from 172.16.0.0/12 to any

idea refined by dhartmei@
ok frantzen@ henning@


# 1.171 17-Oct-2002 mcbride

These checks are also made in nat_consistent() and rdr_consistent().

ok dhartmei@ henning@


# 1.170 17-Oct-2002 camield

- accept all protocols that are specified by number if they are in
the valid range (also when they're not listed in /etc/protocols)
- explicitly disallow protocol number 0, because it has special meaning
to pf

ok dhartmei@ henning@


# 1.169 16-Oct-2002 mpech

Fix and improve binat mask comparison.

dhartmei@, henning@ ok


# 1.168 14-Oct-2002 henning

Allow one to specify a netblock in a binat rule:

binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27

Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.

from ryan

ok dhartmei@
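
The netblock binat rule described in 1.168 above combines the network part of the redirect block with the host part of the original address, and requires both prefix lengths to be equal. The following is an added example (not pfctl's code) that implements that mapping for IPv4 in both directions, rejects rules whose masks differ and hosts that fall outside the source block; the rule and host addresses are taken from the commit message, the helper names are this example's own.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Parse "a.b.c.d/len" into a host-order network number and prefix length. */
static int
parse_v4_prefix(const char *spec, uint32_t *net, int *bits)
{
	char buf[32], *slash, *end;
	struct in_addr a;
	long v;

	if (strlen(spec) >= sizeof(buf))
		return -1;
	memcpy(buf, spec, strlen(spec) + 1);
	if ((slash = strchr(buf, '/')) == NULL)
		return -1;
	*slash = '\0';
	v = strtol(slash + 1, &end, 10);
	if (slash[1] == '\0' || *end != '\0' || v < 0 || v > 32)
		return -1;
	if (inet_pton(AF_INET, buf, &a) != 1)
		return -1;
	*net = ntohl(a.s_addr);
	*bits = (int)v;
	return 0;
}

/* Host-order mask for a prefix length; bits == 0 avoids a 32-bit shift. */
static uint32_t
v4_mask(int bits)
{
	return bits == 0 ? 0 : 0xffffffffu << (32 - bits);
}

/*
 * Map `host` from the block in from_spec into the block in to_spec:
 * network bits come from the target block, host bits from the original
 * address.  Fails when the prefix lengths differ (pfctl rejects such
 * rules) or when host is not inside the source block.  Because only
 * the host bits survive, the same function maps replies back.
 */
static int
binat_map(const char *from_spec, const char *to_spec, const char *host,
    char *out, size_t outlen)
{
	uint32_t fnet, tnet, h, mask;
	int fbits, tbits;
	struct in_addr a;

	if (parse_v4_prefix(from_spec, &fnet, &fbits) == -1 ||
	    parse_v4_prefix(to_spec, &tnet, &tbits) == -1)
		return -1;
	if (fbits != tbits)
		return -1;	/* both masks MUST be the same */
	mask = v4_mask(fbits);
	if (inet_pton(AF_INET, host, &a) != 1)
		return -1;
	h = ntohl(a.s_addr);
	if ((h & mask) != (fnet & mask))
		return -1;	/* host not covered by the source block */
	a.s_addr = htonl((tnet & mask) | (h & ~mask));
	return inet_ntop(AF_INET, &a, out, outlen) == NULL ? -1 : 0;
}

/* 1 if host maps to want under the given rule, else 0. */
static int
binat_maps_to(const char *from_spec, const char *to_spec, const char *host,
    const char *want)
{
	char out[INET_ADDRSTRLEN];

	return binat_map(from_spec, to_spec, host, out, sizeof(out)) == 0 &&
	    strcmp(out, want) == 0;
}

/* 1 if the rule/host combination is rejected. */
static int
binat_rejects(const char *from_spec, const char *to_spec, const char *host)
{
	char out[INET_ADDRSTRLEN];

	return binat_map(from_spec, to_spec, host, out, sizeof(out)) == -1;
}

int
main(void)
{
	/* Constructed input: the rule from the commit message plus three hosts. */
	const char *rule_from = "192.168.0.32/27", *rule_to = "10.0.7.128/27";
	const char *hosts[] = { "192.168.0.33", "192.168.0.40", "192.168.0.70" };
	char out[INET_ADDRSTRLEN];
	size_t i;

	for (i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++) {
		if (binat_map(rule_from, rule_to, hosts[i], out, sizeof(out)) == 0)
			printf("%s -> %s\n", hosts[i], out);
		else
			printf("%s -> not covered by this binat rule\n", hosts[i]);
	}
	return 0;
}
```

With the rule from the commit message, 192.168.0.40 maps to 10.0.7.136 (host bits 8 carried over), 192.168.0.70 lies outside the /27 and is refused, and a rule pairing a /27 with a /28 is refused before any address is looked at.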


# 1.167 11-Oct-2002 camield

When a macro cannot be expanded because it is not defined, say so. Also warn
about unused macros.

ok dhartmei@ henning@


# 1.166 11-Oct-2002 camield

In lgetc(), compress strings of whitespace to a single space. This makes
macros come out right in verbose mode and is less functional overhead.

Also err on whitespace after a backslash. That type of error is hard to
find otherwise.

ok dhartmei@ henning@


# 1.165 08-Oct-2002 vincent

remove <0 checks on unsigned numbers.

ok henning@


# 1.164 07-Oct-2002 dhartmei

-Wsign-compare clean


# 1.163 07-Oct-2002 dhartmei

Two cases of const-correctness and make one global local.


# 1.162 07-Oct-2002 henning

set block-policy [drop|return]
drop is default, same behaviour as before

support
block drop
to override a return policy


# 1.161 07-Oct-2002 henning

support a generic return
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else

ok dhartmei@


# 1.160 07-Oct-2002 henning

make return-icmp work for rules covering both v4 and v6
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)

ok and some input dhartmei@


# 1.159 07-Oct-2002 henning

use a new rule_flag PFRULE_RETURNICMP to decide whether to return-icmp or not
instead of just testing return_icmp > 0

ok dhartmei@


# 1.158 07-Oct-2002 dhartmei

Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.


# 1.157 06-Oct-2002 dhartmei

Move CHECK_ROOT into LOOP_THROUGH, gets rid of one macro and saves
several lines, no functional difference. From Camiel Dobbelaar.


# 1.156 05-Oct-2002 dhartmei

Expand {} lists from left to right, so 'pass in from { a, b } to any'
becomes '@0 pass in from a to any @1 pass in from b to any' instead of
the other way around. Patch from Camiel Dobbelaar.


# 1.155 05-Oct-2002 dhartmei

Allow filtering based on IP header's tos field.


Revision tags: OPENBSD_3_2_BASE
# 1.154 22-Sep-2002 henning

little KNF: return(something) -> return (something)


# 1.153 22-Sep-2002 henning

fix line number counting in findeol, and simplify by ignoring the \ case,
that's already handled earlier.
fast-forward on erroneous lines

partially from camield@, parts result of a discussion with Mike

ok frantzen@ dhartmei@


# 1.152 22-Sep-2002 henning

antispoof, take 2.
also block incoming packets with our own IP as src.

discussion & help frantzen

ok ho@ dhartmei@ frantzen@


# 1.151 17-Sep-2002 henning

easier "self" implementation.
no functional changes

ok pb@


# 1.150 15-Sep-2002 henning

set a netmask in the dynaddr case
noticed by <han@mijncomputer.nl>

ok pb@


# 1.149 14-Sep-2002 henning

bit more clue in rdr/nat rules wrt address family examination
don't take the af from host_node structs based on interface lookups, most
interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will
at least have one IP address specified from which we take the af for the
whole rule. The rare exceptional cases require the user to specify the af.

ok frantzen@


# 1.148 12-Sep-2002 henning

check for calloc() failure; ho@


# 1.147 12-Sep-2002 henning

antispoof [log] [quick] for [interface|interface_list] [af]

e. g.

antispoof log quick for { dc0, dc1 } inet

docs & regress coming

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@
IPv6 help itojun@

finally, a long story finds its happy end here.


# 1.146 12-Sep-2002 henning

rework netmask handling:
-don't set netmask in host token handler
-clear netmask in ipmask() proper before setting it
-in ifa_load(), also store interface's netmask and broadcast address
-allow ifa_lookup() to return either the interface's IP address(es), network(s)
or broadcast address(es) - not used anywhere yet. This implies that
ifa_lookup() also returns the netmask now.
-host() returns netmasks, too

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@


# 1.145 08-Sep-2002 henning

be more clueful wrt address family in nat/rdr rules.
behaviour noticed by Paul de Weerd, thanks!

ok dhartmei@


# 1.144 02-Sep-2002 dhartmei

Fix parsing of port ranges in translation rules (port a:b -> port c:d).
ok henning@


# 1.143 02-Sep-2002 dhartmei

Make sure the interface specified with route-to/dup-to/fastroute exists
and null-terminate the interface name. Found by Michael Wallis.
ok henning@


# 1.142 20-Aug-2002 dhartmei

Increase lineno on newlines inside multi-line macro definitions, otherwise
errors on subsequent lines are reported with wrong line numbers.
From Paul B. Henson.


# 1.141 16-Aug-2002 henning

kill duplicated check for '(' and ')' in allowed_in_string


# 1.140 12-Aug-2002 dhartmei

Catch null pointer deref (segfault), from wilfried@


# 1.139 06-Aug-2002 henning

missing free(), mpech@
ok pb@


# 1.138 06-Aug-2002 henning

check for strdup() allocation errors

pointed out by mpech@
ok pb@


# 1.137 31-Jul-2002 henning

KNF, esp. missing prototypes


# 1.136 30-Jul-2002 henning

grmpf.
in some cases, on non-tcp rules flags weren't reset. cosmetic-only
problem. but, well, checking for r->flags and r->flagset if we could have
assigned them zero just one round ago is just stupid, and it's not needed to
check them at all.

ok pb@, dhartmei@


# 1.135 30-Jul-2002 henning

allow to specify flags on all rules that include tcp.

these are valid:

pass in from any to any flags S
pass in proto { tcp, udp, icmp } from any to any flags S
pass in proto tcp from any to any flags S

these are invalid:

pass in proto { udp, icmp } from any to any flags S
pass in proto udp from any to any flags S

ok "I've lost my slacker status for at least a week" frantzen@
ok pb@, dhartmei@, deraadt@


# 1.134 26-Jul-2002 henning

make the order of log and quick irrelevant. now both
block in log quick all
and
block in quick log all
work.

ok dhartmei@, deraadt@


# 1.133 23-Jul-2002 henning

timeout_list/_spec and limit_list/_spec don't return anything -> no %type.

ok theo


# 1.132 21-Jul-2002 deraadt

fix route-to also


# 1.131 21-Jul-2002 deraadt

make the , optional in many places. This makes string concat a lot more
useful. Now you can
in = ssh domain www
out = $in ftp finger
pass in proto tcp from any to any port { $in }
pass out proto tcp from any to any port { $out }
a poor example, but the idea is obvious


# 1.130 21-Jul-2002 deraadt

string concat, ie.
a=a b
c=$a $a


# 1.129 20-Jul-2002 deraadt

minor indent tweaks


# 1.128 20-Jul-2002 deraadt

properly split yacc and lex use


# 1.127 19-Jul-2002 deraadt

minor tweaks, sigh


# 1.126 19-Jul-2002 dhartmei

And back out the last change again.


# 1.125 19-Jul-2002 henning

rework the interface lookup routines internals.
less and easier code than before.
no functional changes.

ok frantzen@, dhartmei@


# 1.124 19-Jul-2002 dhartmei

Support # comments at the end of lines and inside (multi-line) string
literals, so you can do things like

macro="{ foo, # first entry
bar, # second entry
baz }" # last entry

or

pass in on $ext_if \ # external interface
proto tcp \ # TCP connections
from any to $ext_if \ # to the gateway itself
keep state

And sneaking in two minor fixes for KNF.


# 1.123 19-Jul-2002 henning

deal with the fact that the struct node_host ifa_pick_ip gets is not always
the result of an interface expansion. in this case ifa_pick_ip does an
address family check (that's actually a (wanted) side effect). Thus, we need
to spit out a meaningful error message in case of a mismatch.
also adjust all the other error messages, they were also assuming that nh is
the result of an interface expansion.
after a looooong discussion on icb (dhartmei@, pb@, me) we agreed on the term
"translation address" for that.

okay dhartmei@


# 1.122 17-Jul-2002 henning

support "self" as address. self expands to all IPv4 and IPv6 addresses of
the machine, on all interfaces. I wanted
block in log on ! lo0 from any to self
for years, and now it's possible.

ok "I may lose my slacking status if I OK it" frantzen@
ok dhartmei@

documentation in pf.conf.5 to come with pb@'s rewrite


# 1.121 16-Jul-2002 dhartmei

Add nat_consistent() and rdr_consistent() for checks that should occur
after rule expansion, similar to rule_consistent(). Fixes the
non-effective test for rdr rules for non-TCP/UDP protocols with ports,
found by mpech@, ok frantzen@


# 1.120 15-Jul-2002 henning

add support for
pass|block on ! $interface ...

ok dhartmei@

will be documented in pf.conf(5) by "I'm not slacking!" pb@ who's currently
reworking this manpage


# 1.119 15-Jul-2002 pb

cosmetics/consolidations to manpage in yyerror()s

ok henning@, dhartmei@


# 1.118 15-Jul-2002 henning

o complain about keep state on block rules
o complain about return-rst on rules which aren't limited to tcp

pointed out by not-slacking-but-testing pb@

ok pb@, dhartmei@


# 1.117 13-Jul-2002 henning

add list expansion for interface and proto in nat rules and for proto in rdr
rules (interface was already there). since the nat.conf/pf.conf merge the
parser accepted these but didn't expand them. ugh.

ok dhartmei@


# 1.116 09-Jul-2002 itojun

check sin6_scope_id field, just in case we change the routing socket API
for scoped address (unlikely due to the deployed codebase...).


# 1.115 09-Jul-2002 itojun

getifaddrs(3) grabs link-local addrs in kernel internal form, convert them
into proper sockaddr_in6.


# 1.114 09-Jul-2002 henning

rework the interface-to-IP routines.

you can use interface names instead of an IP in most places. However, until
now, it was only expanded to the interface's first IPv4 address if existent
(and address family unset or inet) and the first IPv6 address otherwise.

this diff changes that. the interface is properly expanded to all IPs, IPv4
_and_ IPv6, now.

it also cleans up the lookup procedures (well, in fact, they are replaced by
a new one), there's no need for different procedures for IPv4 and IPv6. we
now just have one list of interfaces (AF_LINK) and one list with IPs
(AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and
ifa_lookup.

nat, rdr & friends now use the new function ifa_pick_ip to get the IP in
rules like

nat on $interface from $whatever to any -> $interface

ifa_pick_ip tries to be smart.
if the interface has only one IP address and the nat rule doesn't specify an
address family (or it matches with this address), take this one.
If the address family is specified in the nat rule and there is only one IP
for the given address family, this one is used. if the address family is not
specified and there is more than one IP pfctl throws an error. The same
applies for multiple IPs per address family.

This causes regression tests 18 and 20 to fail because the address family
isn't specified there; diff for those coming.

also fix some prototypes while I'm here.

pb@ found another problem while testing that we must have introduced somewhat
after 3.1.

$cat t
nat on ne3 from any to any -> 213.128.133.5
$pfctl -nvf t
nat on ne3 all -> ?

it's only a representation bug as far as I've checked, nonetheless it should
be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just
steal its target's IP af and set the rule's af accordingly. then inet_ntop
does play nice.
binat rules already enforce having an address family set always and thus are
not affected.

ok dhartmei@, pb@, kjell@
"It looks good" frantzen@


# 1.113 08-Jul-2002 dhartmei

Don't allow 'flags' option in non-TCP rules, found by mpech@


# 1.112 05-Jul-2002 henning

unbreak.


# 1.111 05-Jul-2002 henning

another small bug I found while installing a -current pf firewall.
we don't support

pass/block in on ! <interface>

(at least, not yet)
let the parser complain instead of ignoring the '!'

ok pb@, dhartmei@


# 1.110 01-Jul-2002 espie

streamline parse buffer handling (no need to copy value that is not
going to go away).

add explicit pushback buffer, to be able to push IPv6 failed parses back.

handle pushback + parse buffer interactions by using negative indices.

okay dhartmei@, deraadt@


# 1.109 01-Jul-2002 deraadt

KNF


# 1.108 28-Jun-2002 dhartmei

Don't check for address family conflicts in nat/rdr before expansion,
rules will expand to all valid combinations, and there's an error when
none is found. Makes "nat on tun0 from 10.0.0.0/8 to any -> (tun0)"
work (again).


# 1.107 25-Jun-2002 henning

move pfctl options -t, -m, -O and -l to pf.conf. These are set using the
"set" keyword. example rulefile:

set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all

fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@


# 1.106 24-Jun-2002 dhartmei

Use interface when specified in scrub rule. No support for ! or {} yet.


# 1.105 23-Jun-2002 deraadt

uid_t and gid_t are unsigned


# 1.104 20-Jun-2002 dhartmei

Copy address family from inet/inet6 keyword, if specified.


# 1.103 18-Jun-2002 frantzen

propagate a '!' when a host resolves to multiple IP addresses
ok dhartmei@


# 1.102 18-Jun-2002 frantzen

don't allow individual keep state rules to specify timeouts for 'interval' and
'frag' -- they aren't applied anyway
ok dhartmei@ and henning@


# 1.101 16-Jun-2002 aaron

Rules must in order -> Rules must be in order


# 1.100 15-Jun-2002 dhartmei

Reset rulestate in parse_rules(), so consecutive calls (like from authpf)
will not fail. Reported by Chris Kuethe.


# 1.99 13-Jun-2002 kjell

Fix the numbering of scrub rules. pointed out and oked by frantzen@


# 1.98 12-Jun-2002 kjell

Fix uninitialized access. Spotted by danh@ This is a good reason to
develop with "ln -s 'J' /etc/malloc.conf" enabled.
ok henning@


# 1.97 11-Jun-2002 frantzen

split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@. the rest are slacking


# 1.96 11-Jun-2002 frantzen

SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@


# 1.95 11-Jun-2002 dhartmei

Make NAT proxy port range configurable per rule, for instance privileged
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@


# 1.94 10-Jun-2002 kjell

Merge the NAT and rules files into a single rulefile. Rules must be
in this order, to remove any ambiguity about what order things happen in:

scrub rules
nat rules
filter rules

The -N and -R modifiers go away. Rulefiles are now loaded with the
more POSIXly-correct '-f'

ok frantzen@


# 1.93 10-Jun-2002 dhartmei

Allow ports to be specified in nat rules, useful later on for individual
proxy port ranges.


# 1.92 10-Jun-2002 dhartmei

Move enum out of struct (gcc 3.1 wasn't happy), from David Krause


# 1.91 10-Jun-2002 kjell

split scrub rule processing into its own yacc target,
for imminent config file merge. ok frantzen@


# 1.90 09-Jun-2002 dhartmei

Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it
includes ports and operator.


# 1.89 09-Jun-2002 deraadt

spaced out developers...


# 1.88 09-Jun-2002 kjell

Add list parsing in RDR rules: e.g.

rdr on $IFLIST proto tcp from $SRC_LIST to $DST_LIST port 21 \
-> 127.0.0.1 port 8021

ok dhartmei@


# 1.87 08-Jun-2002 henning

nuke unused parameter af to expand_label_port
ok dhartmei@, pb@


# 1.86 08-Jun-2002 dhartmei

Change remaining read-only lookup tables to const, suggestion drahn@


# 1.85 08-Jun-2002 itojun

comment on IPv6 link-local twists


# 1.84 08-Jun-2002 kjell

add list expansion to src/dest in NAT rules. i.e.

nat on fxp0 from { 10.0.0.0/24, 10.0.1.0/24 } to \
{ 172.6.1.1, 172.14.1.2/32 } -> fxp0

ok theo, dhartmei@


# 1.83 08-Jun-2002 henning

remove macro concatenation via += per Theo's advice


# 1.82 08-Jun-2002 henning

allow macro concatenation like
webservers = "{ 10.0.0.1, 10.0.0.7, 10.0.0.8, "
webservers += " 10.0.0.17, 10.0.0.25, 10.0.0.37 }"
ok frantzen@, dhartmei@


# 1.81 08-Jun-2002 dhartmei

Make state timeouts configurable per rule, like

pass in from any to any port www keep state (tcp.established 60)

ok frantzen@


# 1.80 08-Jun-2002 henning

expand $nr -> rule number in rule labels
okay dhartmei@, frantzen@


# 1.79 08-Jun-2002 henning

expand $proto in rule labels
okay frantzen@ dhartmei@


# 1.78 07-Jun-2002 dhartmei

Handle realloc() failure gracefully. Terminates with err() anyway in this
case, but we don't want to trigger "p = realloc(p," grepping causing false
alarms here.


# 1.77 07-Jun-2002 deraadt

henning, read this to see what i mean by KNF


# 1.76 07-Jun-2002 pb

add the possibility to configure a TTL while return-rst

ok dhartmei@, ipv6 part itojun@ ok


# 1.75 07-Jun-2002 dhartmei

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@


# 1.74 07-Jun-2002 henning

allow using $srcaddr, $srcport, $dstaddr and $dstport in rule labels,
evaluated at parse time.
ok dhartmei@


# 1.73 07-Jun-2002 itojun

make IPv6 scope identification work for dst (from any to fe80::1%lo0)


# 1.72 07-Jun-2002 itojun

support scoped IPv6 address in from/to portion.


# 1.71 01-Jun-2002 hugh

ECN flag support for pf. Committed in consultation with Daniel.


# 1.70 24-May-2002 dhartmei

Support mixed (IPv4/v6) address lists, expand to all possible and valid
combinations. 'pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }' will
expand to two rules, 'from 10.1.2.3 to 10.4.5.6' and 'from ::1 to ::2'.
Also applies to host name resolution (when multiple addresses are returned
for one name). ok frantzen@, itojun@
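
Revisions 1.156 (expand {} lists left to right) and 1.70 (mixed IPv4/IPv6 lists expand only to combinations where both sides share an address family) describe the same expansion step. The following is an added example, not pfctl's expand_rule(): it walks the source list outermost and the destination list innermost so the resulting rules come out in the order the commit describes, drops combinations whose families disagree, and reports an empty result so the caller can error out as pfctl does. Only literal addresses are handled; host name resolution is left out, and the demo_* helpers and their constructed lists are this example's own.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

struct rule {
	const char *src;
	const char *dst;
	int af;
};

/* Address family of a literal address; AF_UNSPEC if it is neither. */
static int
host_af(const char *s)
{
	unsigned char buf[16];

	if (inet_pton(AF_INET, s, buf) == 1)
		return AF_INET;
	if (inet_pton(AF_INET6, s, buf) == 1)
		return AF_INET6;
	return AF_UNSPEC;
}

/*
 * Expand a rule with source and destination lists into concrete rules,
 * left to right (first source with every destination, then the second
 * source, ...), keeping only combinations whose address families agree.
 * Returns the number of rules written, 0 if no valid combination exists
 * (pfctl reports an error then), or -1 if `out` is too small.
 */
static int
expand_rule(const char **srcs, int nsrc, const char **dsts, int ndst,
    struct rule *out, int max)
{
	int i, j, n = 0;

	for (i = 0; i < nsrc; i++) {
		int saf = host_af(srcs[i]);

		for (j = 0; j < ndst; j++) {
			int daf = host_af(dsts[j]);

			if (saf == AF_UNSPEC || daf == AF_UNSPEC || saf != daf)
				continue;
			if (n == max)
				return -1;
			out[n].src = srcs[i];
			out[n].dst = dsts[j];
			out[n].af = saf;
			n++;
		}
	}
	return n;
}

/* Constructed input taken from the commit message: mixed v4/v6 lists. */
static const char *demo_srcs[] = { "10.1.2.3", "::1" };
static const char *demo_dsts[] = { "10.4.5.6", "::2" };

static int
demo_expand(struct rule *out, int max)
{
	return expand_rule(demo_srcs, 2, demo_dsts, 2, out, max);
}

/* Number of rules the demo lists expand to. */
static int
demo_count(void)
{
	struct rule r[8];

	return demo_expand(r, 8);
}

/* 1 if rule idx of the demo expansion is exactly src/dst/af. */
static int
demo_rule_is(int idx, const char *src, const char *dst, int af)
{
	struct rule r[8];
	int n = demo_expand(r, 8);

	return idx >= 0 && idx < n && strcmp(r[idx].src, src) == 0 &&
	    strcmp(r[idx].dst, dst) == 0 && r[idx].af == af;
}

/* Lists with no family in common: nothing can be generated. */
static int
demo_no_match(void)
{
	const char *s[] = { "10.0.0.1" };
	const char *d[] = { "::1" };
	struct rule r[4];

	return expand_rule(s, 1, d, 1, r, 4);
}

int
main(void)
{
	struct rule r[8];
	int i, n = demo_expand(r, 8);

	for (i = 0; i < n; i++)
		printf("@%d pass in %s from %s to %s\n", i,
		    r[i].af == AF_INET ? "inet" : "inet6", r[i].src, r[i].dst);
	if (n <= 0)
		printf("no valid combination\n");
	return 0;
}
```

For 'pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }' this yields @0 from 10.1.2.3 to 10.4.5.6 and @1 from ::1 to ::2, the two rules the commit message names, in that order.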


# 1.69 23-May-2002 deraadt

tiny KNF, some malloc checks, etc


# 1.68 23-May-2002 itojun

new_addr is not used from anywhere. daniel@benzedrine.cx ok


# 1.67 19-May-2002 deraadt

KNF


# 1.66 12-May-2002 dhartmei

Explain that user/group 'unknown' can only be used with operators = and !=
and refuse other constructs in the parser. Also note that 'user >= 0' does
not match forwarded packets with unknown user ID.


# 1.65 12-May-2002 dhartmei

Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.


# 1.64 10-May-2002 dhartmei

Handle host name resolution returning multiple addresses in the rule
parser (expand to every address). ok frantzen@


# 1.63 09-May-2002 jasoni

Add a max-mss option to the scrub rule which will enforce a maximum mss
by lowering it to the given value.
- ok dhartmei@, provos@


# 1.62 09-May-2002 dhartmei

Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.


# 1.61 24-Apr-2002 dhartmei

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).


# 1.60 23-Apr-2002 dhartmei

Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.


# 1.59 18-Apr-2002 deraadt

use strlcpy


# 1.58 17-Apr-2002 dhartmei

Reset lineno for each file, so pfctl -R ... -N ... reports the right
line number for non-first files. Reported by aaron@


Revision tags: OPENBSD_3_1_BASE
# 1.57 27-Mar-2002 mickey

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok


# 1.56 27-Feb-2002 dhartmei

Instead of printing useless @0 rule numbers from pfctl -vR, increase a
counter. Helps debugging rule sets that are not loaded. Suggested by
John Kerbawy.


# 1.55 11-Jan-2002 mickey

use bsearch() for keywords lookup, swap couple of entries to make the keywords array sorted and add a comment to keep it that way; dhartmei@ ok


# 1.54 10-Jan-2002 hugh

Let port 0 be specified as it's not special here.
Agreement with Daniel and others.


# 1.53 09-Jan-2002 mpech

Port must be >0 and <=65535. Idea while having fun with ssh.

dhartmei@ ok


# 1.52 09-Jan-2002 mpech

free() 'interface' in {nat,binat,rdr}rule

dhartmei@ ok


# 1.51 09-Jan-2002 dhartmei

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.


# 1.50 08-Jan-2002 dhartmei

Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.


# 1.49 07-Jan-2002 mpech

remove 3rd argument from ipmask(), not used.

dhartmei@ ok


# 1.48 23-Dec-2001 deraadt

find correct line number in lval, instead of val


# 1.47 10-Dec-2001 dhartmei

Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.


# 1.46 05-Dec-2001 dhartmei

Correctly parse hex numbers. Spotted by Claudio Jeker. Closes PR 2234.


# 1.45 03-Dec-2001 dhartmei

For nat, binat and rdr rules, don't allow different address families in
one rule. pf can't translate IPv4 <-> IPv6 packets. Such rules didn't work,
even if they were falsely accepted before.


# 1.44 26-Nov-2001 jasoni

add fastroute options similar to what is found in ipf
ok dhartmei@, frantzen@


# 1.43 05-Nov-2001 deraadt

no one responds.
this diff makes } and { not be part of symbols


# 1.42 24-Oct-2001 dhartmei

Check interface names using ifa0_lookup() and print error message for
non-existent interfaces (instead of the generic ioctl error returned by
the kernel in this case).


Revision tags: OPENBSD_3_0_BASE
# 1.41 15-Oct-2001 dhartmei

branches: 1.41.2;
Add 'allow-opts' to rules. Packets with IP options will be blocked by
default now, and can be allowed per rule. ok deraadt@


# 1.40 11-Oct-2001 frantzen

Don't htonl() past buffer bounds if ipmask == 128


# 1.39 07-Oct-2001 dhartmei

Add interface name to address translation to pfctl, document it and add
a regress test. Translation is done on rule set load-time only, so the
rule sets must be reloaded when an interface address changes.
parse.y patch from Cedric Berger. Similar patch from Jonathon Fletcher.
Thanks to both.


# 1.38 01-Oct-2001 markus

print variable assignments only if -v is given. ok dhartmei/deraadt


# 1.37 28-Sep-2001 dhartmei

Support underscores in macro names and document it in the man page.


# 1.36 20-Sep-2001 dhartmei

Fix uninitialized structure fields. Problem reported by Cedric Berger.


# 1.35 15-Sep-2001 wilfried

Implement return-icmp(number), return-icmp6(number)
Differentiate between return-icmp and return-icmp6,
icmp-type and ipv6-icmp-type. ok dhartmei@


# 1.34 15-Sep-2001 dhartmei

Fix 'binat ... to any ...' (binat.af wasn't set).


# 1.33 15-Sep-2001 dhartmei

Parse bug, found by wilfried@


# 1.32 15-Sep-2001 frantzen

IPv6 support from Ryan McBride (mcbride@countersiege.com)


# 1.31 12-Sep-2001 markus

check calloc() return value


# 1.30 06-Sep-2001 jasoni

- you can only binat between hosts
- add binat example and description


# 1.29 06-Sep-2001 jasoni

1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@


# 1.28 04-Sep-2001 dhartmei

Support parameter lists {} for interfaces in filter rules, like
pass in on { gm0, kue0 } from any to any


# 1.27 28-Aug-2001 markus

move '!' from host_list to host: "xhost : '!' host | host;"; ok dhartmei@


# 1.26 28-Aug-2001 markus

check for malloc/strdup == NULL


# 1.25 28-Aug-2001 dhartmei

Support ! operator in host parameter lists. Fixes PR system/2030. Reported
by Kamil Andrusz <wizz@mniam.net>.


# 1.24 26-Aug-2001 deraadt

sort keywords


# 1.23 25-Aug-2001 frantzen

PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation.


# 1.22 23-Aug-2001 millert

o for a port_item, initialize the "next" pointer to NULL
o for an address, use calloc() instead of malloc() so the struct is zeroed
Fixes a SEGV in pfctl due to uninitialized "next" pointers.


# 1.21 23-Aug-2001 deraadt

Support var="string". Expansion (at lex time) done using $var, for instance:
okproto="{ssh, smtp, domain, auth}"
pass in on key0 proto tcp from any to any port $okproto keep state
Can I ask someone else to document this in pf.conf(5)?


# 1.20 19-Aug-2001 dhartmei

Add parameter list support to parser. Handles lists for protocol, hosts
and ports in filter rules, like

block in from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
pass in proto tcp from any to any port { ssh, 1024 >< 2000, > 65000 }
block in proto { udp, igmp }

and does rule expansion (generate all needed rule combinations).


# 1.19 16-Aug-2001 deraadt

track the line number per-token, so that we can report errors correctly


# 1.18 14-Aug-2001 mickey

optimize the flags parsing; markus@ ok


# 1.17 11-Aug-2001 deraadt

\+\n support, and spit out cc-style error messages. the parser's line
counting is lex dependent, and will need to be tweaked


# 1.16 31-Jul-2001 wilfried

allow to test that flags are unset, ok dhartmei@, mickey@


# 1.15 19-Jul-2001 krw

Fix/complete the handling of the binary ops >< and <> to behave
like the ipf operators.

The 'n >< m' construct (Include Range = PF_OP_IRG) should match
ports greater than n and less than m, not greater than or equal to
n and less than or equal to m.

The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match
all ports less than n OR greater than m, not be treated as an
alias for ><.

Thus PF_OP_GL, which was used for both <> and >< is replaced with
PF_OP_IRG and PF_OP_XRG with the 'correct' semantics.

OK dhartmei@
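
The >< and <> semantics spelled out above (together with the "port must be >0 and <=65535" check from the 1.53 message), as an added C illustration that is not pfctl's own code; the enum and function names are constructed for this example, and only OP_IRG/OP_XRG echo pf's PF_OP_IRG/PF_OP_XRG:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed for this illustration (not pfctl code).  Only the IRG/XRG
 * names mirror pf's PF_OP_IRG / PF_OP_XRG; everything else is made up here.
 */
enum port_op {
	OP_NONE,	/* no port criterion: matches every port */
	OP_EQ,		/* port == a1 */
	OP_NE,		/* port != a1 */
	OP_LT,		/* port <  a1 */
	OP_LE,		/* port <= a1 */
	OP_GT,		/* port >  a1 */
	OP_GE,		/* port >= a1 */
	OP_RANGE,	/* "a1:a2"    inclusive: a1 <= port <= a2 */
	OP_IRG,		/* "a1 >< a2" exclusive: a1 <  port <  a2 */
	OP_XRG		/* "a1 <> a2" outside:   port < a1 || port > a2 */
};

/* 1.53: a port number must be > 0 and <= 65535 */
bool
port_valid(long v)
{
	return v > 0 && v <= 65535;
}

/*
 * Does port p satisfy the criterion (op, a1, a2)?  Follows the 1.15
 * wording: >< excludes both endpoints, <> matches only outside them.
 */
bool
port_match(enum port_op op, uint16_t a1, uint16_t a2, uint16_t p)
{
	switch (op) {
	case OP_NONE:	return true;
	case OP_EQ:	return p == a1;
	case OP_NE:	return p != a1;
	case OP_LT:	return p < a1;
	case OP_LE:	return p <= a1;
	case OP_GT:	return p > a1;
	case OP_GE:	return p >= a1;
	case OP_RANGE:	return p >= a1 && p <= a2;
	case OP_IRG:	return p > a1 && p < a2;
	case OP_XRG:	return p < a1 || p > a2;
	}
	return false;
}

/*
 * Parser-side sanity check: endpoints of a binary range must be in order,
 * and an exclusive range needs at least one port strictly between them
 * ("1024 >< 1025" can never match).  Returns true when the range is usable.
 */
bool
range_valid(enum port_op op, uint16_t a1, uint16_t a2)
{
	switch (op) {
	case OP_RANGE:	return a1 <= a2;
	case OP_IRG:	return a1 + 1 < a2;
	case OP_XRG:	return a1 <= a2;
	default:	return true;
	}
}

int
main(void)
{
	/* constructed sample ports around the 1024/2000 endpoints */
	uint16_t ports[] = { 1023, 1024, 1025, 1999, 2000, 2001 };
	size_t i;

	for (i = 0; i < sizeof(ports) / sizeof(ports[0]); i++)
		printf("%5u  1024 >< 2000: %d   1024 <> 2000: %d\n", ports[i],
		    port_match(OP_IRG, 1024, 2000, ports[i]),
		    port_match(OP_XRG, 1024, 2000, ports[i]));
	return 0;
}
```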


# 1.14 18-Jul-2001 markus

new ERROR token, errx() -> warnx() + ERROR; ok deraadt@


# 1.13 18-Jul-2001 markus

KNF for return


# 1.12 18-Jul-2001 mickey

check number range to fit in 32 bits


# 1.11 18-Jul-2001 mickey

put range checks on NUMBER, pointed out by deraadt


# 1.10 17-Jul-2001 mickey

spaces, parens, err instead of errx+strerror


# 1.9 17-Jul-2001 markus

warnx()/YYERROR instead of errx(); suggested by mickey@


# 1.8 17-Jul-2001 provos

markus doesn't like min-ttl =, begone


# 1.7 17-Jul-2001 provos

support min-ttl, okay dhartmei@


# 1.6 17-Jul-2001 provos

normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@


# 1.5 17-Jul-2001 marc

bitch about ! in pf rule; ok dhartmei@ and markus@


# 1.4 17-Jul-2001 millert

Only set default proto in the rdr case; markus@ OK


# 1.3 16-Jul-2001 markus

errx() if getservbyname() fails


# 1.2 16-Jul-2001 markus

better flags parsing; dhartmei


# 1.1 16-Jul-2001 markus

add a yacc parser for pf.conf and nat.conf, with help from mickey@,
plus: -n now turns off all operations, and just parses the conf files
ok deraadt@


# 1.699 17-Oct-2019 millert

Use -1 to indicate an invalid uid/gid, not UID_MAX and GID_MAX.
This is the userland portion. OK deraadt@ sashan@


Revision tags: OPENBSD_6_6_BASE
# 1.698 26-Aug-2019 tobhe

Fix file descriptor leak due to popfile() never closing the main config file.

The fix is the same as for other parse.y files in the tree (see bgpd(8) or
unwind(8))

ok bluhm@


# 1.697 05-Jul-2019 patrick

Fix integer sizes in format strings and enable formatting warnings
for yyerror.

From Moritz Buhl
ok bluhm@ claudio@


# 1.696 08-May-2019 sashan

pfctl should check pfctl.astack is not overrun
(bug found and fixed by Petr Hoffmann _at_ oracle.com)

OK kn@


# 1.695 18-Apr-2019 kn

Fix table definition parsing as unprivileged user

revision 1.689 introduced warn_duplicate_tables() unconditionally, breaking
the parser on tables with insufficient permissions to open pf(4):

$ echo 'table <t>' | pfctl -nf-
pfctl: pfr_get_tables: Bad file descriptor

So simply check whether pfctl is able to get the table list first. If not,
instead of silently avoiding namespace collision checks, print a brief
notice iff `-v' is given to help finding duplicate definitions by hand:

$ echo 'table <t>' | ./obj/pfctl -vnf-
table <t>
stdin:1: skipping duplicate table checks for <t>

Reported by Rivo Nurges, thanks!
OK benno sashan


Revision tags: OPENBSD_6_5_BASE
# 1.694 06-Mar-2019 kn

Fix once rules

parse.y revision 1.682 from 16.07.2018 erroneously allowed `match once' and
`anchor "a" once'.

Fix both by checking for PF_DROP not PF_MATCH and creating anchors in the
parser already such that they can be used to distinguish anchor rules in
the same check as well.

Found and fixed by Petr Hoffmann <petr.hoffmann at oracle dot com>, thanks!

While here, remove an unneeded cast and make pfctl_add_rule() void as it
always returned 0.

OK sashan


# 1.693 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.692 10-Feb-2019 kn

Anchor names must not be empty

The parser would allow bogus input and sometimes even produce invalid rules
on empty anchor names, so error out immediately.

OK sashan


# 1.691 10-Feb-2019 kn

Unify anchor name sanity checks

For anchor names, make `load anchor' use the same grammar as `anchor' and
merge unique checks from both places so that anchor names are validated
regardless of the specific rule at hand.

OK sashan


# 1.690 31-Jan-2019 kn

Make divert-packet port accept any port specification

Contrary to other rules accepting a single port, this one only works with
numerical values. Fix it by simply using the proper grammar.

Port ranges are not accepted, but an error message on a range without start
was missing in general, so add it while here.

OK bluhm


# 1.689 11-Jan-2019 kn

When creating tables inside anchors, pfctl warned about namespace
collisions with global tables, but only in certain cases and with
limited information sometimes leaving users clueless.

Deferring the check to process_tabledefs() where tables are eventually
created, both anchor and table name are known which allows for checking
all existing anchors.

With this, warn on all duplicates even in dry-runs (`-n') and print
quoted names so they can be copied to fix configurations right away.

No functional change in parsing or ruleset production.

Discussed with and OK sashan


# 1.688 15-Nov-2018 dlg

scrub opts don't set tos, so remove it from the scrub_opts struct

ok deraadt@


# 1.687 10-Nov-2018 kn

Unbreak `-D macro=value' (r1.686 regression)

Zap trailing semicolon introduced with miko's cmdline_symset() leading to
unconditional err(3). Zap trailing tab while here.


# 1.686 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.685 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.684 16-Sep-2018 millert

Use uid_from_user(3) and gid_from_group(3) in utilities that
do repeated lookups. OK tb@


# 1.683 06-Sep-2018 kn

Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan


# 1.682 16-Jul-2018 kn

reduce duplicate code, fix typo/free correct buffer

In filteropts_to_rule():

* Merge `once' handling from `anchorrule' and `pfrule'
* Remove/shorten duplicate code block
* Fix typo I introduced with r1.678 that frees the wrong buffer (twice)

OK sashan


# 1.681 13-Jul-2018 kn

Fix regression on child queue definitions

I committed the wrong diff in 1.680 which turned `queue cq parent pq ...'
into invalid syntax by changing `interface' to `ON if_item'.

Found by bket, thanks!


# 1.680 11-Jul-2018 kn

Prevent invalid interface specifiers on queue rules

pf.conf(5) states that queues attach to actual interfaces only, yet the
following parses:

# echo queue eq on egress bandwidth 1G default | pfctl -f-
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

# echo queue rq on rdomain 0 bandwidth 1G default | pfctl -vf-
queue rq bandwidth 1G default
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

On rdomains, ifa_exists() returns NULL.
On interface groups, ifa_exists() returns non-NULL but af is never set
to AF_LINK.

OK henning sashan


# 1.679 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.678 10-Jul-2018 henning

'set delay' for the generic packet delay mechanism, ok benno sashan


# 1.677 10-Jul-2018 kn

fix anchor rules with filter opts, introduce filteropts_to_rule()

Some filter options were parsed but not set on anchor rules due to missing
copies of the respective struct members:

$ cat pf.conf
queue rq on trunk0 bandwidth 1G
queue dq parent rq bandwidth 1G default
anchor a set queue dq
$ pfctl -vnf pf.conf | fgrep queue
anchor "a" all

Fix this by moving common code from `anchorrule' and `pfrule' into a new
helper filteropts_to_rule().

Input from henning and benno
OK henning sashan jca


# 1.676 09-Jul-2018 kn

Zap dead code

Commented since r1.465 (2004).

OK deraadt benno jca sashan


# 1.675 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.674 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.673 18-May-2018 benno

A pf rule with a "on rdomain n" with nonexisting rdomain n will cause an

pfctl: DIOCADDRULE: Device busy

error when loading the ruleset, with no information which rule caused
the problem and no indication that the problem is the rdomain
<nonexisting>.

This diff makes pfctl check if the rdomain really exists when parsing
the config.

ok bluhm@


# 1.672 09-May-2018 otto

Fix (include file ) line number counting by keeping track of the unget
buffer per file; also use that buffer to expand macros.
ok sashan@ dennis@ krw@


# 1.671 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.670 08-Feb-2018 henning

make the watermarks/thresholds for entering and leaving syncookie mode when
syncookies are set to adaptive tunable, ok claudio benno


# 1.669 06-Feb-2018 henning

allow control over syncookies: set syncookies never/always/adaptive


# 1.668 28-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@


# 1.667 27-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Convert the pfctl(8) rule parser to divert types, kernel cleanup
will be the next step.
OK sashan@


# 1.666 25-Nov-2017 sashan

- pfctl fails to handle nested 'load anchor' properly
[ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]

OK bluhm@


# 1.665 14-Nov-2017 sashan

- nested anchors vs. pfctl/parse.y
bug reported and fix tested by Leonardo Guardati

OK bluhm@


# 1.664 13-Nov-2017 henning

add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb


Revision tags: OPENBSD_6_2_BASE
# 1.663 11-Aug-2017 benno

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@


# 1.662 19-Jul-2017 mikeb

Allow HFSC classes to use flow queues

The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue. Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.

Discussed with and OK henning@ at d2k17 as a part of a larger diff.


# 1.661 19-Jul-2017 mikeb

Rework HFSC vs FQ-CoDel checks

The selection mechanism introduced in pf_ioctl.c -r1.316 suffers
from being too ambiguous and lacks robustness. Instead of relying
on composition of multiple flags in the queue specification, it's
easier to identify the root class (if it exists) and derive all
further checks from it.


# 1.660 28-May-2017 akfaew

Don't check np->port for NULL - it's an array, it's never NULL.

OK bluhm@


# 1.659 15-May-2017 mikeb

Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)

OK sthen, visa


# 1.658 28-Apr-2017 mikeb

Remove double assignments


Revision tags: OPENBSD_6_1_BASE
# 1.657 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.656 23-Nov-2016 bluhm

Explicitly forbid to combine af-to with route-to in pfctl. The
parser cannot handle that correctly and it is unclear whether the
kernel code would work. Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@


# 1.655 26-Aug-2016 guenther

Add <time.h> for time(); sort <*.h> includes

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.654 18-Jul-2016 henning

g/c unused (global!) var: oqueues isn't used any more. ALTQ leftover; not
noticed since struct node_queue stayed. ok claudio benno gcc


# 1.653 22-Jun-2016 kettenis

Add curly braces that were missed in rev 1.651. Add parenthesis to make the
condition in the if statement more readable while I'm there.

ok phessler@, benno@, florian@


# 1.652 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.651 21-Jun-2016 benno

the manpage documents that af-to does not work on pass out rules, but
the pf.conf parser allows it, which leads to a non-working configuration
being loaded.
this changes the parser to make pass out .. af-to an error.

ok henning@ mikeb@


# 1.650 16-Jun-2016 henning

allow include in inline anchors
with this,
anchor foo {
include "/path/to/rules"
}
works and "load anchor" is obsolete, to be removed somewhen later after
release.
co-production with reyk at bsdcan, ok reyk mikeb benno sasha


Revision tags: OPENBSD_5_9_BASE
# 1.649 01-Sep-2015 sashan

- route-to, dup-to, reply-to should not override the block action

Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>

ok jung@, ok mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.648 21-Apr-2015 mikeb

Improve divert-to specification parsing w.r.t. rule address family.
ok henning


Revision tags: OPENBSD_5_7_BASE
# 1.647 26-Feb-2015 sthen

%% not % in error message; ok millert@ henning@


# 1.646 14-Feb-2015 sthen

Rather than using 0xff as a placeholder for "don't check prio", use 0xff to
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.

Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesn't like it he can change it when he recovers from jet-lag"


# 1.645 10-Feb-2015 henning

since we inherit prio (as in, the queuing priority) from outside sources,
i. e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan


# 1.644 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.643 19-Dec-2014 reyk

Support source-hash and random with tables and dynifs; not just pools.
This finally allows to use source-hash for dynamic loadbalancing, eg.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.

An older pre-siphash version of this diff was tested by many people.

OK tedu@ benno@


# 1.642 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.641 27-Oct-2014 mikeb

Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic. Reported by sthen@;
ok henning benno sthen


# 1.640 25-Oct-2014 lteo

Remove unnecessary netinet/in_systm.h include.

ok millert@


# 1.639 13-Sep-2014 doug

Replace all queue *_END macro calls except CIRCLEQ_END with NULL.

CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.

ok millert@


# 1.638 23-Aug-2014 pelikan

when you specify queues in a rule, make sure they have been defined.

DIOCADDRULE EBUSY turns into an error message that pfctl -n catches.
DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported
to occur, possibly from hfsc.c: this should be fixed as well.

ok henning mikeb sthen


# 1.637 21-Aug-2014 mikeb

deny "once" flags for match rules; ok henning


Revision tags: OPENBSD_5_6_BASE
# 1.636 02-Jul-2014 mikeb

branches: 1.636.4;
condition above makes this part of the check useless;
overlooked in the previous commit


# 1.635 30-Jun-2014 mikeb

Merge two loops in collapse_redirspec into one

This lets us do the checks only once and also make smarter decisions
about the rule's own address family. As a result af-to rules no longer
need to specify the address family after 'pass'.

ok henning


# 1.634 25-Jun-2014 mikeb

Make stricter decisions when handling translation specifications.

In particular, disallow specifications containing addresses of
different address families when rule doesn't specify one, for
example "pass out nat-to { ::1 1.1.1.1 }" will now produce an
error instead of silently picking one of the addresses.

sthen and deraadt agree


# 1.633 17-May-2014 bluhm

When parsing a numerical value for the TOS bits, make sure that it
is in a valid range.
OK henning@


# 1.632 19-Apr-2014 henning

remove altq bits here, too
(i was convinced i committed that yesterday already, hrm)


Revision tags: OPENBSD_5_5_BASE
# 1.631 22-Jan-2014 henning

branches: 1.631.4;
relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.630 21-Jan-2014 henning

if_item can be "any" now.
allows things like
block out on $someif received-on any
to prevent packets from getting forwarded to $someif


# 1.629 20-Jan-2014 henning

support "!received-on <interface>", ok dlg benno


# 1.628 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.627 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


# 1.626 17-Oct-2013 henning

cannot have queue definitions inside anchors.
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@@ring0.de>, analysis & fix yours truly


# 1.625 12-Oct-2013 henning

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen


# 1.624 01-Aug-2013 mikeb

Provide local implementations of if_nametoindex(3) and if_indextoname(3)
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance wise this change provides a speed up
factor of 20 with an 11k line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).

"wow!" henning, ok benno, florian


Revision tags: OPENBSD_5_4_BASE
# 1.623 01-Jun-2013 henning

branches: 1.623.2;
remove set-tos backwards compat, moved into the set {} block a year ago
ok ryan


# 1.622 02-Mar-2013 sthen

When a PF rule contains 'set tos' *followed by* a scrub option, the tos
value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning


Revision tags: OPENBSD_5_3_BASE
# 1.621 16-Jan-2013 henning

for consistency with prio etc, the queue assignment really belongs
into the set block. so make pfctl accept, print and the manpage document
. match set queue foo
instead of
. match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc


# 1.620 18-Oct-2012 reyk

Disallow tables and interface address pools for rdr-to, nat-to and
route-to with any other scheduling algorithms than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, eg. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.

Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.

ok zinke@


# 1.619 18-Sep-2012 henning

prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb


Revision tags: OPENBSD_5_2_BASE
# 1.618 10-Jul-2012 bluhm

Allow an implicit address family for af-to rules. If the address
family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6"
there.
OK henning@ mikeb@


# 1.617 10-Jul-2012 henning

set { ... } -> set ( ... )
brought up by ryan, discussed with him and theo and they convinced me


# 1.616 09-Jul-2012 henning

fix some of the confusion we have in pf regarding filter criteria vs
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler


# 1.615 07-Jul-2012 henning

remove incorrect check in pfctl preventing set-tos for ipvshit.
the kernel has code to deal with set-tos and that crap. don't ask for
details. stuart ok


# 1.614 07-Jul-2012 henning

rename prio in struct pf_rule and related structs to set_prio so it is
utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc


Revision tags: OPENBSD_5_1_BASE
# 1.613 19-Dec-2011 mikeb

unbreak rule optimizer; ok henning, looks


# 1.612 12-Dec-2011 mikeb

fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault


# 1.611 03-Dec-2011 mcbride

pfctl_set_hostid always returns 0; don't pretend otherwise and make it a
void function instead.

ok dlg


# 1.610 13-Oct-2011 claudio

pfctl change for af-to / NAT64 support.
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@


# 1.609 07-Sep-2011 haesbaert

Avoid possible SIGSEGV when wrong tos option.


# 1.608 30-Aug-2011 mikeb

One shot rules can be used in pf.conf by specifying a "once" filter option.

ok henning, mcbride


Revision tags: OPENBSD_5_0_BASE
# 1.607 29-Jul-2011 mcbride

Remove requirement to quote 'debug' loglevel for the 'debug' option.

ok henning


# 1.606 27-Jul-2011 mcbride

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt


# 1.605 13-Jul-2011 mcbride

Force user to specify protocol when filtering on user, gid, and os
attributes (this is now required by pf_rule_test()).

ok sthen henning


# 1.604 08-Jul-2011 henning

allow rules to specify "prio X" or "prio (X, Y)" to assign priority levels
for the new priority queueing implementation. valid range is 0 to 7. the old
trick for prioritizing empty ACKs etc remains thru the latter notation
ok ryan mpf sthen plus pea testing and halex and claudio reading


# 1.603 07-Jul-2011 mcbride

Fold pf_test_fragment() into pf_test_rule(), reduce code and fixes
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus


# 1.602 04-Jul-2011 henning

bye bye require-order.
i added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo


# 1.601 03-Jul-2011 henning

g/c RIO traces (aka clean up after tedu :))


# 1.600 03-Jul-2011 zinke

bring in least-states load balancing algorithm

ok mcbride@ henning@


# 1.599 06-Apr-2011 claudio

Userland bits to allow PF to filter on the rdomain a packet belongs to.
This allows to write rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@


# 1.598 05-Apr-2011 mikeb

ditch fastroute, an ipf feature that made its way into pf before
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do. reuse some kernel bits for the upcoming nat64
stuff. "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.


Revision tags: OPENBSD_4_9_BASE
# 1.597 31-Dec-2010 bluhm

According to pf_scrub_ip6() pf does not support the scrub options
no-df, random-id, set-tos for IPv6 rules. Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@


# 1.596 15-Dec-2010 henning

make the "invalid probability:" yyerror suck less
From: Thomas Pfaff <tpfaff@tp76.info>


# 1.595 01-Dec-2010 jsg

remove some unused tokens
ok henning@ mcbride@


# 1.594 24-Sep-2010 henning

remove the check that enforced rdr-to only inbound and nat-to only outbound.
both now can be used in both directions. the kernel allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given, a rule with rdr-to and/or nat-to
and no direction is pretty certainly an error (even though it would work,
technically)
ok ryan claudio dlg


# 1.593 22-Sep-2010 henning

new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually


# 1.592 02-Sep-2010 sobrado

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@


Revision tags: OPENBSD_4_8_BASE
# 1.591 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.590 03-Jul-2010 mcbride

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.

tested by phessler
ok henning


# 1.589 23-Mar-2010 henning

remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving anchors aside) is wrong and
conflicts with the general idea of how pf works. last but not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc


Revision tags: OPENBSD_4_7_BASE
# 1.588 13-Jan-2010 deraadt

Move tokens before productions into more consistent places
ok mcbride


# 1.587 13-Jan-2010 mcbride

Allow /netmask notation in redir spec, fix the rest of the regress
tests for illegal conditions in translation/routing.


# 1.586 12-Jan-2010 mcbride

We actually have to keep the translate/route spec addresses around after
collapsing into tables, so that we can handle all possible address family
expansions.


# 1.585 12-Jan-2010 mcbride

Set roundrobin flag correctly, and don't treat a bare interface
like a dynamic one in the routespec.


# 1.584 12-Jan-2010 mcbride

Add restrictions to make @if illegal in outside of routing specs;
Fix binat-to sanity checks.


# 1.583 12-Jan-2010 mcbride

Fix some issues in redir spec handling, discovered thanks to dlg testing
- purge irrelevant addresses from the lists before collapsing
- ensure the lists are freed after they're collapsed
- more careful ifname copying, avoiding double-free / use-after-free traps


# 1.582 12-Jan-2010 mcbride

Don't leak @if0 format routing host names, pointed out by claudio.


# 1.581 12-Jan-2010 mcbride

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio


# 1.580 10-Jan-2010 deraadt

lex <=, >=, and != into a single token for correctness and to reduce the
lookahead in the parser
ok henning otto


# 1.579 10-Jan-2010 deraadt

In the non-optimized case, an address list containing "any" (ie. { any 10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1. How long this bug has
been with us is unclear.
ok guenther mcbride


# 1.578 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


# 1.577 24-Dec-2009 dlg

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:

pass out on em0 from $foo to $bar received-on fxp0

i've been running this in production for a week now. i find it particularly
useful with interface groups.

no objections, and a few "i like"s from henning, claudio, deraadt, mpf


# 1.576 10-Dec-2009 deraadt

plug some memory leaks; found by parfait, ok henning


# 1.575 22-Nov-2009 henning

cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing


# 1.574 09-Nov-2009 jsg

A few more places to be updated for the route pool change.
expanded version of a diff from Vadim Zhukov.

ok henning@ claudio@


# 1.573 28-Oct-2009 jsg

Add a dedicated pf pool for route options as suggested by henning,
which unbreaks ie route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@


# 1.572 28-Oct-2009 claudio

route_host initializes the netmask to a /128 no matter what af is used so
that the load balancing code does not freak out but because of this
check_netmask() is now complaining. So set the addr.type to PF_ADDR_DYNIFTL
so check_netmask() is fixing up the netmask for IPv4 and stops complaining.
This is a partial fix for the failing regress test 13.
found with jsg, looks good henning


# 1.571 28-Oct-2009 claudio

Correct function name in err and errx.


# 1.570 04-Oct-2009 michele

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who spotted the limitations of this approach.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@


# 1.569 08-Sep-2009 michele

I had not enough oks to commit this diff.
Sorry.


# 1.568 08-Sep-2009 michele

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.


# 1.567 07-Sep-2009 reyk

implement binat-to as a macro-like rule: a rule using the new binat-to
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. this simplifies the migration from old
binat rules and is less error-prone.

feedback from many, manpage bits from jmc@
ok henning@


# 1.566 03-Sep-2009 reyk

this time i commit the right diff that was
ok henning@ (sorry)


# 1.565 03-Sep-2009 reyk

fix two route-to vs. rdr-to conflicts.

found by sthen@
ok henning@


# 1.564 02-Sep-2009 reyk

all the new *-to options are part of the "filteropts" section at the
end of a pf rule (nat-to, divert-to, rdr-to, ...). take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.

for example,
pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)

many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@


# 1.563 01-Sep-2009 henning

the diff theo calls me insanae for:
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too


# 1.562 28-Jul-2009 claudio

Bring back rev. 1.560:
Make it possible to use DiffServ Code Point in the TOS fields.
Requested by deraadt@


# 1.561 27-Jul-2009 deraadt

When will people learn to commit their .h file changes?


# 1.560 27-Jul-2009 claudio

Make it possible to use DiffServ Code Point in the TOS fields. Names like
af11, cs6 and ef will now be mapped to the corresponding TOS value.
OK henning@, sthen@, mcbride@


Revision tags: OPENBSD_4_6_BASE
# 1.559 14-May-2009 sthen

actually change the require-order default to No; I missed a part with
my last commit. ok deraadt@


# 1.558 26-Apr-2009 sthen

switch the require-order default to "no". regression tests still pass.
ok henning@ deraadt@


# 1.557 25-Apr-2009 henning

scrub_opts must not be empty, scrub on its own does nothing.
noticed due to a question from otto@, ok regress/sbin/pfctl/ ;)


# 1.556 06-Apr-2009 henning

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.
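
The match-rule semantics above (match rules apply their options every time they match, pass/block only as the last matching rule, the last rule that set a queue wins), as an added toy model in C. This is not pfctl or pf(4) code; it models only a source address, a queue, log and quick per rule, and the scenario rulesets and the 10.0.0.1 packet are constructed for the example.

```c
/*
 * Added example (not pfctl code): a toy model of pf rule evaluation with
 * "match" rules. A match rule applies its options (queue, log) immediately,
 * every time it matches, and never changes the pass/block decision. The
 * decision and the options of the final rule come from the last matching
 * pass/block rule; "quick" stops evaluation there.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum action { ACT_PASS, ACT_BLOCK, ACT_MATCH };

struct rule {
	enum action	 act;
	const char	*src;	/* "any" or one address literal */
	const char	*queue;	/* NULL if the rule assigns no queue */
	bool		 log;
	bool		 quick;
};

struct verdict {
	enum action	 act;	/* final pass or block */
	const char	*queue;	/* NULL if no rule assigned a queue */
	int		 logged;	/* how many times the packet was logged */
};

static bool
rule_matches(const struct rule *r, const char *src)
{
	return (strcmp(r->src, "any") == 0 || strcmp(r->src, src) == 0);
}

/* Evaluate a packet with source address src against a ruleset of n rules. */
struct verdict
evaluate(const struct rule *rules, size_t n, const char *src)
{
	struct verdict		 v = { ACT_PASS, NULL, 0 };	/* no rule: pass */
	const struct rule	*last = NULL;
	size_t			 i;

	for (i = 0; i < n; i++) {
		const struct rule *r = &rules[i];

		if (!rule_matches(r, src))
			continue;
		if (r->act == ACT_MATCH) {
			/* applied right away, each time the match rule matches */
			if (r->queue != NULL)
				v.queue = r->queue;	/* last queue set wins */
			if (r->log)
				v.logged++;
			continue;
		}
		last = r;		/* pass/block: only the last one counts */
		if (r->quick)
			break;
	}
	if (last != NULL) {
		v.act = last->act;
		if (last->queue != NULL)	/* final rule's queue, if it has one */
			v.queue = last->queue;
		if (last->log)
			v.logged++;
	}
	return (v);
}

/* "pass" followed by "match": the packet still passes. */
struct verdict
scenario_pass_then_match(void)
{
	const struct rule rs[] = {
		{ ACT_PASS,  "any", NULL, false, false },
		{ ACT_MATCH, "any", NULL, false, false },
	};
	return (evaluate(rs, 2, "10.0.0.1"));
}

/* "block" followed by "match": the packet is still blocked. */
struct verdict
scenario_block_then_match(void)
{
	const struct rule rs[] = {
		{ ACT_BLOCK, "any", NULL, false, false },
		{ ACT_MATCH, "any", NULL, false, false },
	};
	return (evaluate(rs, 2, "10.0.0.1"));
}

/*
 * The last matching rule (pass) sets no queue, so the queue assigned by the
 * earlier match rule is taken; both rules log, so the packet is logged twice.
 */
struct verdict
scenario_queue_from_match(void)
{
	const struct rule rs[] = {
		{ ACT_MATCH, "10.0.0.1", "slow", true, false },
		{ ACT_PASS,  "any",      NULL,   true, false },
	};
	return (evaluate(rs, 2, "10.0.0.1"));
}

/* "pass quick" stops evaluation, so the later "block" is never reached. */
struct verdict
scenario_quick(void)
{
	const struct rule rs[] = {
		{ ACT_PASS,  "any", NULL, false, true },
		{ ACT_BLOCK, "any", NULL, false, false },
	};
	return (evaluate(rs, 2, "10.0.0.1"));
}

int
main(void)
{
	struct verdict v = scenario_queue_from_match();

	printf("%s queue=%s logged=%d\n", v.act == ACT_PASS ? "pass" : "block",
	    v.queue != NULL ? v.queue : "-", v.logged);
	return (0);
}
```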


Revision tags: OPENBSD_4_5_BASE
# 1.555 19-Feb-2009 deraadt

spacing


# 1.554 17-Oct-2008 henning

in findeol(), do not skip the pushback buffer. fixes PR 5952 by sthen@ and
should make the pushback buffer really transparent.
diagnosis by me, fix with mpf, some input deraadt, ok mpf


# 1.553 02-Oct-2008 henning

implement "set state-defaults X", where X is a list of state options as
permitted keep state(X). applies to all rules which do not have keep state
explicitly. e. g. "set state-defaults pflow, no-sync"
ok phessler deraadt


# 1.552 10-Sep-2008 deraadt

do not try to print $$ when it has not been set


# 1.551 09-Sep-2008 henning

welcome pflow(4), a netflow v5 compatible flow export interface.
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo


# 1.550 07-Aug-2008 henning

correctly copy the log interface spec when expanding an antispoof rule that
covers loopback addresses. ok ryan
problem report from Harald Dunkel <harald.dunkel@aixigo.de>


Revision tags: OPENBSD_4_4_BASE
# 1.549 03-Jul-2008 deraadt

do not forget to initialize other member of $$ in qname; noted by mark shroyer
ok henning


# 1.548 10-Jun-2008 mcbride

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt


# 1.547 10-Jun-2008 henning

new state option "sloppy" to use the sloppy tcp state tracker instead
of the good one. ok theo ryan reyk


# 1.546 09-May-2008 deraadt

Replace a crockpot of semi-cloned productions for handling port
numbers with one, and fix a few other bugs along the way
ok mpf henning


# 1.545 09-May-2008 markus

convert port byte order in the production; add port keyword; ok deraadt@


# 1.544 09-May-2008 markus

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@


# 1.543 08-May-2008 deraadt

make "to any" optional in binat, or well, the implied default.
requested by reyk, ok reyk mpf


# 1.542 08-May-2008 deraadt

Loosen grammar to permit any number of newlines within most kinds of { }
blocks, as requested by reyk; ok reyk mpf henning


# 1.541 08-May-2008 deraadt

Bring back (in a more yacc friendly way) support for setting variables
to a sequence of strings and numbers, which get folded together into one
string (and later, when used, is re-lexed)
ok mpf


# 1.540 07-May-2008 deraadt

do not assume PF_INOUT is 0 in the enum; ok mcbride


# 1.539 07-May-2008 markus

scrub packets based on tags; ok henning


# 1.538 07-May-2008 markus

allow setting TOS with scrub; ok mcbride, claudio


# 1.537 21-Apr-2008 deraadt

optnl is a crutch for those who do not understand yacc. it
leads to a variety of errors; ok mcbride


Revision tags: OPENBSD_4_3_BASE
# 1.536 01-Feb-2008 mcbride

Enable the rest of the filter_opts to be used on anchors. These were accepted
by the parser but not passed to the kernel. This allows filtering based on
uid, gid, icmp options, tcp flags, os fingerprint, tos, tags, and probability;
It also allows the label to be set. State options and tagging are not
permitted.

ok henning mpf


# 1.535 13-Nov-2007 mpf

Bring back the number converter for 'set hostid'.
I forgot to think about hex numbers when I removed it.
OK deraadt@


# 1.534 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.533 25-Oct-2007 mpf

Fix probability rules w/ numbers (e.g probability 0.4).
Add support for probabilities of 0% and 100%.
With and OK deraadt@


# 1.532 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.531 22-Oct-2007 deraadt

pfctl does not need file secrecy


# 1.530 16-Oct-2007 mpf

Allow unquoted numbers in variables.
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.

OK deraadt@


# 1.529 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.528 13-Oct-2007 deraadt

support an include directive; file of course must also be "secure" like
the main configuration file; ok henning


# 1.527 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.526 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.525 01-Oct-2007 mpf

Backout NUMBER to string conversion.
Requested by deraadt@


# 1.524 27-Sep-2007 mpf

Add loginterface support for groups.
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.

OK henning@, markus@


# 1.523 23-Sep-2007 mpf

Allow numbers to be used as unquoted strings again.
While there, also restrict the use of concatenated, unquoted
strings for variable assignments only.

Eyeballed by markus@, OK henning@


# 1.522 12-Sep-2007 deraadt

add a missing range check for rtable ids; ok cloder henning


# 1.521 12-Sep-2007 deraadt

Add support to the lex for parsing number out of the stream. handle
this in the parser. because the new numbers are int64_t, many new
range checks for < 0 are needed. re-check and improve all the
existing rangechecks while at it. thanks for help by cloder and
dhartmei


# 1.520 30-Aug-2007 dhartmei

add support for address ranges ("from 10.1.2.50 - 10.1.3.75") in from/to
criteria. ok mcbride@


Revision tags: OPENBSD_4_2_BASE
# 1.519 21-Jun-2007 henning

always initialize logif, from max laier, ok ryan


# 1.518 20-Jun-2007 mpf

Allow "log" for nat rules without "pass".
OK henning@, ``passt scho'' markus@


Revision tags: OPENBSD_4_1_BASE
# 1.517 03-Feb-2007 dhartmei

in decide_address_family(), only limit a rule to a specific address family
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@


# 1.516 07-Nov-2006 mcbride

Unbreak authpf by handling non-inline anchors separately from the { } anchors
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.

ok deraadt@


# 1.515 31-Oct-2006 mcbride

Allow pfctl ruleset optimizer to be controlled from the ruleset.

"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]

You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.

cleanup and ok henning@


# 1.514 31-Oct-2006 mcbride

- don't allow anchors with _* names to be cleared or loaded from the
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified

'looks sensible' deraadt@


# 1.513 28-Oct-2006 mcbride

Load all rules into memory before loading into the kernel, and add support
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").

anchor on fxp0 {
pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@


# 1.512 25-Oct-2006 henning

make absolutely sure logif is 0 unless set specifically, even if log is 0.
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...


# 1.511 25-Oct-2006 henning

and another nit, $$.log should be set to 0 explicitly on quick without log


# 1.510 25-Oct-2006 henning

urgs, $$.quick needs to be set to 0 explicitly on log (without quick)


# 1.509 25-Oct-2006 henning

allow the log interface to be selected like
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride


# 1.508 17-Oct-2006 mcbride

Don't automatically set 'flags S/SA' on stateless rules.

pointed out by david@

ok mpf@ dhartmei@


# 1.507 11-Oct-2006 deraadt

quotes around filename, pr 5253, sthen@zephyr.spacehopper.org


# 1.506 11-Oct-2006 mcbride

Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside
the anchor, terminate ruleset evaluation when stepping out of the anchor.

This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.

ok dhartmei@ henning@ deraadt@


# 1.505 06-Oct-2006 mcbride

Oops, flags S/SA doesn't work on fragments.


# 1.504 06-Oct-2006 mcbride

Make 'flags S/SA keep state' the implicit for filter rules, based on
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.

IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.

Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.

ok dhartmei@ deraadt@ henning@


Revision tags: OPENBSD_4_0_BASE
# 1.503 22-Aug-2006 dhartmei

back out -r1.497 (support for "tagged {}" lists), it broke "tagged" support
for nat rules. sorry, existing functionality trumps syntactic sugar. feel
free to resubmit a complete patch. closes PR 5207.


# 1.502 06-Jul-2006 henning

add "rtable" to select alternate routing tables.
with & ok claudio hshoexer


# 1.501 17-Jun-2006 henning

KNF


# 1.500 28-May-2006 mcbride

Make per-rule adaptive timeouts behave the same way as the global adaptive
timeouts.


# 1.499 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.498 02-May-2006 dhartmei

fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, create
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.


# 1.497 01-May-2006 dhartmei

add support for "tagged {}" lists, from Pierre-Yves Ritschard


# 1.496 06-Apr-2006 henning

allow lists inside lists for address specs, has been in my tree for
quite some time... theo likes


# 1.495 14-Mar-2006 djm

implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@


Revision tags: OPENBSD_3_9_BASE
# 1.494 17-Nov-2005 dhartmei

for pfctl -f rules, open the file before resetting options. when opening
the file fails, produce only the error message and leave options
unchanged. reported by Tamas TEVESZ, ok deraadt@


# 1.493 13-Oct-2005 henning

unused parameters


Revision tags: OPENBSD_3_8_BASE
# 1.492 14-Jun-2005 henning

no need to restrict tagging to stateful rules any more, dhartmei ok
From: "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.491 27-May-2005 dhartmei

get rid of 'log-all'. now that we have 'log (options)', make 'all' an
option to log. so, 'log-all' becomes 'log (all)'.


# 1.490 27-May-2005 dhartmei

get rid of shift/reduce conflicts, don't support empty logopts


# 1.489 27-May-2005 dhartmei

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v is used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.


# 1.488 27-May-2005 dhartmei

allow 'tagged' in 'anchor' rules (without complaining about missing
'keep state'), as a condition to branch into the anchor. suggested
by Bill Marquette.


# 1.487 26-May-2005 camield

The illegalness of "no nat log" is already enforced by the grammar.

ok dhartmei


# 1.486 26-May-2005 dhartmei

support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@


# 1.485 23-May-2005 camield

remove code that duplicates getservice()

ok dhartmei mcbride


# 1.484 21-May-2005 henning

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo


# 1.483 22-Apr-2005 camield

Catch bad flags, ie. flags that always evaluate to false. This happens
if there are flags on the lefthandside that are masked off by the
righthand side.

ok mcbride@ (long time ago) dhartmei@ henning@


Revision tags: OPENBSD_3_7_BASE
# 1.482 07-Mar-2005 henning

print unsigned long with %lu, not with %d and not with %ld.
From: Andrey Matveev <andrushock@korovino.net>


# 1.481 06-Mar-2005 henning

allow commas in the hfsc service curve spec, inconsistency pointed out in
PR4134 / geoff@collyer.net and a longer mail exchange with han boetes


# 1.480 06-Mar-2005 dhartmei

print "set skip on" with -v in such a way that the output is valid input
syntax, instead of the cryptic hex flags output.


# 1.479 27-Feb-2005 dhartmei

support 'tagged' in translation rules, non-delayed tag lookup
ok henning@, deraadt@


# 1.478 26-Feb-2005 henning

you sure get the impression the number of memory leaks in error paths
is infinite... Andrey Matveev <andrushock@korovino.net> spotted a few again!


# 1.477 07-Feb-2005 david

KNF; ok henning@


# 1.476 28-Jan-2005 dhartmei

add messages for syntax errors that caused silent failure before.
found by Peter Fraser, ok henning@


# 1.475 27-Jan-2005 dhartmei

dynamic interface names must start with a letter. catches the nonsensical
"(10.1.2.3)" that results from a simple typo like "$(ext_ip)" instead of
"$(ext_if)".


# 1.474 05-Jan-2005 mcbride

Modify pfctl behaviour so that 'set ...' options are no longer "sticky", ie.
they are reset to default values if omitted from a subsequent ruleset load.
Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set
without resetting the others, eg:
# echo "set loginterface fxp0" | pfctl -mf -

ok henning@ dhartmei@


# 1.473 29-Dec-2004 mcbride

Print 'set fingerprints' correctly when parsing verbosely.


# 1.472 23-Dec-2004 dhartmei

set rule_flag PFRULE_SRCTRACK when setting srctrack, found by camield@
using regress test pf84


# 1.471 22-Dec-2004 dhartmei

Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@


# 1.470 15-Dec-2004 henning

missing free()s; with pat


# 1.469 10-Dec-2004 henning

allow pf to filter on route labels
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan


# 1.468 08-Dec-2004 mcbride

Add "'overload' requires 'max-src-conn' or 'max-src-conn-rate'" sanity check,
fix some cut-n-paste mayhem in other related checks.


# 1.467 07-Dec-2004 dhartmei

re-commit mcbride@'s 'flush global', this time without the breakage in
pfvar.h. builds kernel and userland.


# 1.466 07-Dec-2004 deraadt

real backout


# 1.465 07-Dec-2004 deraadt

oops, incomplete backout


# 1.464 07-Dec-2004 deraadt

tree does not compile, spotted by dlg (not obvious how to fix)
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.463 07-Dec-2004 mcbride

Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.462 05-Dec-2004 dhartmei

initialize $$->tail and $$->next for MAXSRCCONNRATE


# 1.461 04-Dec-2004 mcbride

Userland support for limiting open tcp connections per source. eg:

keep state (max-src-conn 1000, max-src-conn-rate 100/10, overflow <bad> flush)

allow a maximum of 1000 open connections or 100 new connections in 10 seconds.
The addresses of offenders are added to the <bad> table which can be used in
the ruleset, and existing states from that host are flushed.

ok deraadt@ dhartmei@


# 1.460 21-Sep-2004 aaron

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok


Revision tags: OPENBSD_3_6_BASE
# 1.459 29-Jun-2004 henning

remove cedric's bogus interface name verification code.
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nice enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being bugged to regularly.
help & ok mcbride@


# 1.458 29-Jun-2004 frantzen

convert a few memcpy()s to strlcpy() so we don't copy uninitialized junk into
an interface name's slack space past the \0. will be needed for the optimizer.
ok henning@


# 1.457 26-Jun-2004 david

add back PF_INOUT, fixes reassemble tcp
ok canacar@ mcbride@


# 1.456 25-Jun-2004 deraadt

repair tree nanobreak by the nanobum


# 1.455 10-Jun-2004 dhartmei

rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
keyword in C++. ok henning@, cedric@


# 1.454 21-May-2004 dhartmei

Use '/' instead of ':' as separator for anchor path components. Note that
the parser now needs quotes around paths containing separators.
ok mcbride@


# 1.453 19-May-2004 dhartmei

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@


# 1.452 24-Apr-2004 cedric

Add "probability xxx" rule modifier. ok deraadt@


# 1.451 22-Apr-2004 henning

typo, From: Jared Yanovich <jjy2+@pitt.edu>


# 1.450 14-Apr-2004 cedric

make antispoof work with dynamic addresses. ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_5_BASE
# 1.449 20-Mar-2004 david

spelling fix; ok dhartmei@ henning@ deraadt@


# 1.448 14-Mar-2004 dhartmei

#include fixes, from Max Laier, ok beck@ henning@


# 1.447 08-Mar-2004 henning

plug 124 memory leaks
ok mcbride@ pb@ dhartmei@


# 1.446 06-Mar-2004 henning

from bgpd:
plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. err(1, "yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@
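
Added example, not pfctl's own code: a minimal C tokenizer that reproduces the leak quoted above and its fix. lookup(), the token values, yylval_string and the live-allocation counter are stand-ins for the yacc token numbers and the parser's yylval.v.string; leak_after_lexing() runs either lexer over a rule, frees the string only where a STRING production would, and reports how many strdup()ed buffers survive, which is the number of non-STRING tokens for the leaky version and zero for the fixed one.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* token values; pfctl gets these from the yacc-generated header */
enum { STRING = 258, PASS, IN, ON, FROM, TO, ANY };

/* hypothetical stand-in for the parser's yylval.v.string */
static char *yylval_string;

/* strdup()ed buffers not yet freed, so the leak can be observed */
static size_t live_allocs;

static char *
xstrdup(const char *s)
{
	size_t n = strlen(s) + 1;
	char *p = malloc(n);

	if (p == NULL) {
		perror("malloc");
		exit(1);
	}
	return (memcpy(p, s, n));
}

static char *
tracked_strdup(const char *s)
{
	live_allocs++;
	return (xstrdup(s));
}

static void
tracked_free(char *p)
{
	free(p);
	live_allocs--;
}

/* keyword table; anything else is a STRING */
static int
lookup(const char *s)
{
	static const struct { const char *k; int t; } keywords[] = {
		{ "any", ANY }, { "from", FROM }, { "in", IN },
		{ "on", ON }, { "pass", PASS }, { "to", TO },
	};
	size_t i;

	for (i = 0; i < sizeof(keywords) / sizeof(keywords[0]); i++)
		if (strcmp(s, keywords[i].k) == 0)
			return (keywords[i].t);
	return (STRING);
}

/* the quoted pattern: allocate for every token, classify afterwards */
int
yylex_leaky(const char *buf)
{
	int token = lookup(buf);

	yylval_string = tracked_strdup(buf);	/* only ever freed when token == STRING */
	return (token);
}

/* the fix: only STRING needs, and later frees, yylval.v.string */
int
yylex_fixed(const char *buf)
{
	int token = lookup(buf);

	yylval_string = NULL;
	if (token == STRING)
		yylval_string = tracked_strdup(buf);
	return (token);
}

/*
 * Run one lexer over a whitespace-separated rule, freeing the string only
 * where the grammar would (in STRING productions).  Returns how many
 * strdup()ed buffers are still live afterwards; anything above zero leaked.
 */
size_t
leak_after_lexing(int (*lex)(const char *), const char *rule)
{
	char *copy = xstrdup(rule), *tok;

	live_allocs = 0;
	for (tok = strtok(copy, " "); tok != NULL; tok = strtok(NULL, " "))
		if (lex(tok) == STRING)
			tracked_free(yylval_string);
	free(copy);
	return (live_allocs);
}

int
main(void)
{
	const char *rule = "pass in on fxp0 from any to any";

	printf("leaky lexer: %zu live buffers after \"%s\"\n",
	    leak_after_lexing(yylex_leaky, rule), rule);
	printf("fixed lexer: %zu live buffers\n", leak_after_lexing(yylex_fixed, rule));
	return (0);
}
```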


# 1.445 01-Mar-2004 dhartmei

support "tagged <name>" on anchor rules, suggested by vd@vmunix.lt,
ok henning@, cedric@


# 1.444 24-Feb-2004 mcbride

'max-src-nodes' requires 'source-track rule'. Set that automatically,
unless 'source-track global' is explicit, in which case error out. Lots of
help from cedric@.

ok cedric@ henning@


# 1.443 24-Feb-2004 cedric

fixup.


# 1.442 24-Feb-2004 mcbride

Check for 'source-track rule' with 'max-src-nodes'.

ok cedric@ henning@


# 1.441 11-Feb-2004 cedric

Fix interface clobbering for link-local addresses. Found by Pyun YongHyeon.
Fix "antispoof for foo" when foo has no addresses.
ok+help dhartmei@, ok mcbride@


# 1.440 10-Feb-2004 henning

KNF


# 1.439 10-Feb-2004 henning

fix at least the worst of Cedric "KNF is for everybody but me" Berger's fuckup


# 1.438 04-Feb-2004 mcbride

Handle rules like 'pass ... proto { tcp udp icmp } ... modulate state'

ok dhartmei@ henning@


# 1.437 03-Feb-2004 henning

fix PR 3664 / jared r r spiegel
we need to save the unexpanded tag/tagged strings before entering the
expansion loop, and at each loop, start with the unexpanded tag, so that
on subsequent loops the macros are replaced with current values and not
the values from previous loop persist
ryan theo ok


# 1.436 05-Jan-2004 henning

few off by ones in strlcpy overflow check; Patrick Latifi


# 1.435 04-Jan-2004 cedric

don't ignore "!" on "binat on !foo". ok mcbride@


# 1.434 31-Dec-2003 deraadt

spacing. note this, cedric


# 1.433 31-Dec-2003 cedric

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to a group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@


# 1.432 30-Dec-2003 henning

fix TAILQ abuse.
TAILQ_REMOVE is a no-no within a TAILQ_FOREACH loop.
also free the symbol itself after removal.
all found while hacking bgpd which incorporates pfctl's sym code (macros).

ok cedric@


# 1.431 19-Dec-2003 henning

i wrote much of these, assert my copyright


# 1.430 19-Dec-2003 deraadt

assert copyright. i rewrite much of this


# 1.429 16-Dec-2003 mcbride

Check that max-src-states and max-src-nodes are not being set to 0.


# 1.428 15-Dec-2003 henning

KNF here too


# 1.427 15-Dec-2003 mcbride

Whitespace.


# 1.426 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


# 1.425 15-Dec-2003 mcbride

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@


# 1.424 29-Nov-2003 dhartmei

allow ':' (range including boundaries) to be used wherever '><' (range
excluding boundaries) is legal. already supported by kernel, requires only
removal of three error messages. ok henning@


# 1.423 22-Nov-2003 henning

daniel stumbled over a broken regress test, and it turned out that I forgot
to commit a diff from 11/6...
do not insert the "block in on ! interface" rule for antispoof statements when
the interface in question does not have any IP address, because that then
expands to
block in on ! interface all
which is obviously bad.
niklas@ found it, dhartmei@ ok, and I think some more ppl ok I don't remember


# 1.422 14-Nov-2003 henning

allow the debuglevel to be set from pf.conf (set debug)

ok cedric@


# 1.421 08-Nov-2003 mcbride

Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.

pass in proto tcp to self flags S/SA keep state (no-sync)

ok cedric@ henning@ dhartmei@


# 1.420 06-Nov-2003 henning

and fix two err() that should be errx() while being here


# 1.419 06-Nov-2003 henning

need calloc here


# 1.418 06-Nov-2003 henning

allow the label macros to be used in tags as well.
the idea is not mine and I'd love to get credit, but I cannot find the mail
any more :-((

ok canacar@ dhartmei@


# 1.417 21-Oct-2003 itojun

don't use NULL as (int)0. henning ok


# 1.416 26-Sep-2003 cedric

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:

- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK

Ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_4_BASE
# 1.415 01-Sep-2003 henning

KNF


# 1.414 28-Aug-2003 kjell

This change is busted. what's worse, REGRESSION TESTS WOULD HAVE CAUGHT IT!
You MUST test network stack changes on BOTH BYTE-ORDERS.
Someone can fix this later, but right now I need to get the damn
firewall up. Grr.


# 1.413 26-Aug-2003 dhartmei

catch port/user/group a <>/>< b with a >= b, from mpech@


# 1.412 25-Aug-2003 dhartmei

catch return-rst ttl values > 255, from aaron@


# 1.411 24-Aug-2003 cedric

Tweaks:
- Make sure we allow only tables in round-robin pools for routing options,
same as what we do for translation rules.
- Don't reject rules like: "nat on sis0 -> <foo>" because
"no address family is given". This is perfectly valid.
ok henning@


# 1.410 22-Aug-2003 david

pf spelling police
ok dhartmei@ jmc@


# 1.409 21-Aug-2003 frantzen

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001


# 1.408 20-Aug-2003 henning

braindeadness police: catch queues which specify itself as child... 'nuff said


# 1.407 20-Aug-2003 henning

err out nicer on errors in queue def


# 1.406 18-Aug-2003 dhartmei

catch max-mss values > 65535, report by Gregory Steuck


# 1.405 09-Aug-2003 cedric

This patch removes the restriction that tables cannot be used in routing or
redirection rules...

The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.

This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.

Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"

ok henning@ mcbride@
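
Added example, not pfctl's or pf's code: how { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } expands to the six addresses .1 to .6 and how a round-robin pool then cycles through them. table_member() applies the most-specific-prefix-wins rule pf tables use, so a negated /32 inside a positive /29 excludes only that host; table_expand() enumerates the members and refuses entries wider than /24 so a stray 0/0 cannot blow the address buffer; pool_next() is a plain counter standing in for the kernel's round-robin state. IPv4 only, host byte order; struct tentry and the function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

struct tentry {
	uint32_t	addr;	/* network address, host byte order */
	int		plen;	/* prefix length, 0..32 */
	int		neg;	/* '!' entry: matching addresses are excluded */
};

static uint32_t
prefix_mask(int plen)
{
	return (plen <= 0 ? 0 : (uint32_t)0xffffffffu << (32 - plen));
}

/* a.b.c.d as a host-order integer, for building entries and checking results */
uint32_t
ip4(int a, int b, int c, int d)
{
	return ((uint32_t)a << 24 | (uint32_t)b << 16 | (uint32_t)c << 8 | (uint32_t)d);
}

/* 1 if a is in the table: the most specific matching entry decides, negated entries exclude */
int
table_member(const struct tentry *t, int n, uint32_t a)
{
	int i, best = -1;

	for (i = 0; i < n; i++) {
		uint32_t m = prefix_mask(t[i].plen);

		if ((a & m) == (t[i].addr & m) && (best < 0 || t[i].plen > t[best].plen))
			best = i;
	}
	return (best >= 0 && !t[best].neg);
}

static int
already_listed(const uint32_t *out, int count, uint32_t a)
{
	int j;

	for (j = 0; j < count; j++)
		if (out[j] == a)
			return (1);
	return (0);
}

/*
 * Enumerate the member addresses into out (at most max of them), walking the
 * range of every positive entry.  Entries wider than /24 are refused, and so
 * is overflowing out (both return -1); otherwise the member count is returned.
 */
int
table_expand(const struct tentry *t, int n, uint32_t *out, int max)
{
	int i, count = 0;
	uint32_t a, last, m;

	for (i = 0; i < n; i++) {
		if (t[i].neg)
			continue;
		if (t[i].plen < 24)
			return (-1);
		m = prefix_mask(t[i].plen);
		last = (t[i].addr & m) | ~m;
		for (a = t[i].addr & m;; a++) {	/* comparing against last avoids wrapping past 255.255.255.255 */
			if (table_member(t, n, a) && !already_listed(out, count, a)) {
				if (count == max)
					return (-1);
				out[count++] = a;
			}
			if (a == last)
				break;
		}
	}
	return (count);
}

/* round-robin pick: each call hands out the next address of the expanded pool */
uint32_t
pool_next(const uint32_t *pool, int n, unsigned *counter)
{
	return (pool[(*counter)++ % (unsigned)n]);
}

int
main(void)
{
	struct tentry tbl[3];	/* { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } */
	uint32_t pool[16], a;
	unsigned rr = 0;
	int n, i;

	tbl[0].addr = ip4(10, 0, 0, 0); tbl[0].plen = 29; tbl[0].neg = 0;
	tbl[1].addr = ip4(10, 0, 0, 0); tbl[1].plen = 32; tbl[1].neg = 1;
	tbl[2].addr = ip4(10, 0, 0, 7); tbl[2].plen = 32; tbl[2].neg = 1;
	n = table_expand(tbl, 3, pool, 16);
	for (i = 0; i < 2 * n; i++) {	/* two full rounds */
		a = pool_next(pool, n, &rr);
		printf("%u.%u.%u.%u\n", a >> 24, (a >> 16) & 255, (a >> 8) & 255, a & 255);
	}
	return (0);
}
```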


# 1.404 29-Jul-2003 deraadt

indent


# 1.403 19-Jul-2003 cedric

Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
instead of indirectly through struct pf_rule_addr.

Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.

Needless to say: KERNEL/USERLAND SYNC REQUIRED.

ok henning@ mcbride@


# 1.402 18-Jul-2003 cedric

Simplify handling of flags (-R, -N...). Remove PFCTL_FLAG_ALL.
ok dhartmei@


# 1.401 15-Jul-2003 cedric

Repair memory management in table parsing code.
I need vacations.
Found and verified by Pyun YongHyeon.
ok dhartmei@


# 1.400 14-Jul-2003 dhartmei

tpo


# 1.399 11-Jul-2003 cedric

Better parsing and -v support for tables:

- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and bring table definition consistent with other
parsed rules.

ok dhartmei@


# 1.398 10-Jul-2003 cedric

Fix merging of host lists.
ok dhartmei@ henning@


# 1.397 04-Jul-2003 henning

KNF after cedric (grmpf)


# 1.396 04-Jul-2003 henning

allow for a "pass" modifier on translation rules:
nat pass on $ext_if from $a to $b -> $ext_if
when the pass modifier is given, the filter ruleset is _not_ evaluated but
the packets matching this translation rule are passed unconditionally.

ok dhartmei@ cedric@ markus@


# 1.395 03-Jul-2003 cedric

Bye bye atexit(), bye bye globals...
The pfctl.c part will probably need some further improvements.
ok henning@


# 1.394 03-Jul-2003 cedric

This patch finally cleans up pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@


# 1.393 19-Jun-2003 deraadt

knf


# 1.392 18-Jun-2003 henning

change expand_label_addr() to use a switch (h->addr.type) instead of
if .. else if .. else, and handle PF_ADDR_NOROUTE as well.
inspired by a comment from cedric.


# 1.391 18-Jun-2003 henning

when expanding the $srcaddr/$dstaddr label macros and the address is actually
a table reference, don't print nonsense but the table name.
found by claudio jeker, fix by me, agreement by cedric


# 1.390 09-Jun-2003 mcbride

Attempt to resolve byte order confusion in nat code once and for all.

- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()

NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.


# 1.389 25-May-2003 henning

must not run check_netmask() before remove_invalid_hosts() - binat case had it
wrong for the redirection target.
reported by jared r r spiegel <jrrs@ice-nine.org>


# 1.388 19-May-2003 henning

reject invalid netmasks like 10.0.0.0/68, and fix up the netmask for
dynaddr rules after we know the address family

ok dhartmei@, inspired by a session with bob


# 1.387 19-May-2003 henning

all host() receivers have to test for NULL


# 1.386 19-May-2003 henning

if host() returns NULL, it is an error, so err the fuck out and don't
load bullshit


# 1.385 17-May-2003 henning

support inverse matching on tags like
block in ! tagged sometag

ok dhartmei@ pb@


# 1.384 16-May-2003 dhartmei

TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive end-
point, preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@


# 1.383 15-May-2003 henning

properly complain about too long tags


# 1.382 14-May-2003 frantzen

add scrub modifier "reassemble tcp" to turn on stateful TCP normalizations
ok henning@ dhartmei@


# 1.381 14-May-2003 henning

tagging on binat


# 1.380 14-May-2003 henning

enabled tagging on rdr rules


# 1.379 14-May-2003 henning

with tag/tagged given, only whine about missing keep state on pass rules


# 1.378 14-May-2003 frantzen

allow SCRUB rules to specify protocol again. broken sometime in the past.
okie dhartmei@, yay pb@


# 1.377 14-May-2003 henning

tags on nat rules:
nat on $ext_if all tag humppa -> $ext_if
pass out tagged humppa keep state


# 1.376 13-May-2003 henning

make sure tagging is only ever used with stateful filter rules


# 1.375 13-May-2003 henning

userland part for tagging.
it's now possible to tag packets with an arbitrary tag and filter based on
that tag later on other interfaces:
pass in quick on fxp0 keep state tag blah
pass out quick on wi0 keep state with tag blah
can be used to express trust between interfaces, to distinguish between
NATed connections and connection originating from the firewall itself
and much more

ok dhartmei@ frantzen@ pb@ mcbride@


# 1.374 11-May-2003 mcbride

Don't ntohs() the translation port for nat as it is already in host byte order.
Makes nat ... -> $ext_if port 500 rules work correctly again.

ok henning@ dhartemi@ frantzen@


# 1.373 10-May-2003 henning

support loading of anchors from within the main ruleset via
load anchor anchorname:rulesetname file /path/to/file

ok pb@ dhartmei@ cedric@


# 1.372 03-May-2003 henning

don't free() the char * carrying the rule label too early
noticed by Mathieu Sauve-Frankel <m.sauve at secureops.net> via silc


# 1.371 01-May-2003 henning

ease label handling

ok cedric@


# 1.370 01-May-2003 henning

allow label on antispoof; requested by Gregor Binder <gbinder at sysfive.com>

ok cedric@


# 1.369 30-Apr-2003 cedric

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@


# 1.368 25-Apr-2003 dhartmei

Properly copy the second part of nat proxy port range, when specified.
ok henning@


# 1.367 15-Apr-2003 henning

pass down the unparsed queue opts (struct node_queue_opt) to
print_altq/print_hfsc -> print_hfsc_opts and extract struct node_hfsc_sc
there for each service curve and pass those down to print_hfsc_sc. now
bandwidth specifications in the service curves are printed correctly in the
case of a queue belonging to more than one interface/parent queue, the
parent queues having different bandwidths and the bandwidth on the service
curve being specified in percent.


# 1.366 14-Apr-2003 henning

let print_altq and print_queue take a struct node_queue_bw parameter instead
of distinct bw_percent


# 1.365 13-Apr-2003 henning

KNF


# 1.364 13-Apr-2003 henning

prevent double service curve specification


# 1.363 13-Apr-2003 henning

add support for the HFSC linkshare, realtime, and upperlimit service curves
to be specified.


# 1.362 13-Apr-2003 dhartmei

unbreak (missing })


# 1.361 13-Apr-2003 henning

say bye bye to hfscflags_list and hfscflags_item
welcome hfscopts_list and hfscopts_item, returning a full struct
node_hfsc_opt instead of just an int for the flags. needed because of all
the opts hfsc knows


# 1.360 13-Apr-2003 henning

new struct node_hfsc_opts for, surprise, hfsc options. needed because they
contain bandwidth specifications and we need to carry the unprocessed bw
specs around for quite some time until we can break them down to absolute
values.


# 1.359 13-Apr-2003 henning

pass down the struct node_queue_opts from the altqif/queuespec yacc targets
to expand_altq/expand_queue -> eval_pfaltq/eval_pfqueue and
further down to the new eval_queue_opts() instead of evaluating them directly
in the yacc grammar.
this will be needed to process the hfsc options which can contain relative
bandwidth specifications, and we can't break them down to an absolute one
earlier.


# 1.358 13-Apr-2003 henning

move the structs node_queue_bw and node_queue_opt to pfctl_parser.h.
let eval_pfqueue() and eval_pfaltq() take a pointer to a struct
node_queue_bw instead of two distinct bw_absolute and bw_percent parameters.


# 1.357 13-Apr-2003 henning

move the bandwidth keyword from within the bandwidth target up to the
queue_opts target so the bandwidth parser can be used for other things too;
will be needed for hfsc's linkshare etc


# 1.356 12-Apr-2003 henning

initial support for the HFSC scheduler.
whoever uses that for more than toying around is on drugs. it's far from done.


# 1.355 11-Apr-2003 henning

KNF


# 1.354 11-Apr-2003 henning

don't set r->qid and r->pqid in expand_rule any more, queue name -> queue ID
mapping is done in kernel land now


# 1.353 07-Apr-2003 dhartmei

Catch and refuse invalid icmp codes (> 255). ok pb@, mpech@.


# 1.352 05-Apr-2003 henning

ease netmask handling a bit

input theo, ok dhartmei@


# 1.351 05-Apr-2003 henning

allow queue specs to be limited to certain interfaces.

altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two }
queue one priority 1 priq(default)
queue two on $if0 priority 15
queue two on ! $if0 priority 0

ok dhartmei@


# 1.350 05-Apr-2003 henning

whitespace KNF


# 1.349 04-Apr-2003 henning

clean up:
instead of letting the lexer interpret '<' '>' '=' '>=' '<=' and return them
as PF_OP_LT, PF_OP_GT etc etc etc in PORTUNARY, just let the lexer return
'<' '>' and '=' literally, and in the few cases where the old PORTUNARY was
really used like originally intended, replace that by a new unaryop yacc
target. in all other cases that gets rid of quite some checks whether PORTUNARY
is really < and nothing else etc etc etc.

ok cedric@ deraadt@


# 1.348 27-Mar-2003 henning

lotsa const char *
from David Hill <david at phobia.ms> a while ago


# 1.347 27-Mar-2003 henning

introduce a "yesno" target. eases code a bit and yes is no keyword any more.


# 1.346 27-Mar-2003 henning

handle invalid priq/cbq flags better and give a nice error message


# 1.345 27-Mar-2003 henning

default, borrow, ecn, red and rio are no keywords any more. use STRING and
strcmp instead.


# 1.344 27-Mar-2003 henning

switch symset/symget to TAILQ instead of using hand baked lists

ok dhartmei@ cedric@


Revision tags: OPENBSD_3_3_BASE
# 1.343 19-Mar-2003 henning

branches: 1.343.2;
kill the address token and move the host() invocation up to the host token,
so that host() always gets the full address to be parsed including the
netmask instead of applying the netmask afterwards. this could break some
edge cases and was broken since the (interface)/24 fix.
new token dynaddr for, well, dynaddr, and apply an eventually given netmask
afterwards in the host token just in this case.

found after bug report From: Julien Bordet <zejames@greyhats.org> via dhartmei

ok daniel cedric


# 1.342 10-Mar-2003 henning

correctly cope with errors returned by eval_pfqueue and pfctl_add_altq

ok dhartmei@ pb@ (as part of... you know, monsterdiff)


# 1.341 10-Mar-2003 henning

when complaining about a queue without parent, include the queue name in
the error message

ok dhartmei@ pb@ (as part of a monsterdiff)


# 1.340 09-Mar-2003 henning

cope with LOOP_THROUGH modifying the list (queues).
in case of an error in the queue def in question the queues list remains
unmodified, but the LOOP_THROUGH caused a mod anyway, and the list can stay
empty. subsequent checks for NULL which check for a empty list fail then.
fix by adding an explicit check before looping.
fixes regress pfail31
error report by Kamil Andrusz via pb@, testcase from pb@
ok dhartmei@


# 1.339 09-Mar-2003 henning

cope with the fact that LOOP_THROUGH loops once even if the list is empty by
moving the addition of child queues a bit down after the successful
addition of the current queue and an explicit NULL check before looping.
fixes regress pf59
found by kjc@
ok kjc@ cedric@ dhartmei@


# 1.338 08-Mar-2003 henning

fix the obvious:
since we do not modify the struct pf_altq *a any more but our private copy,
we can of course not inherit the scheduler type from it, since it did not
inherit the scheduler type from the parent.
so just inherit the scheduler type from the parent directly...

ok dhartmei@ cedric@


# 1.337 08-Mar-2003 henning

in expand_queue, make a private copy of the struct pf_altq before modifying
it. modifying the original one had undesired side effects if a queue was
expanded to more than one because it belonged to more than one interface

ok pb@ cedric@ dhartmei@


# 1.336 06-Mar-2003 henning

fix queue assignment on filter rules which are not bound to an interface.
when looking up the queue IDs using qname_to_qid, we do not need to limit
the matching on the interface in question, as it is guaranteed that same
named queues on different interfaces have the same queue id. moreover, we
must not limit the matches to the interface if we do not have an interface
given on the filter rule to match on ;-)

found after problems reported by Andre Nathan <andre at v2r dot com dot br>

ok dhartmei@ pb@ cedric@


# 1.335 02-Mar-2003 henning

when printing queues at load time that have bandwidth specified in percent,
print the bandwidth in percent instead of the calculated absolute value.
if a queue belongs to more than one interface and they have different
bandwidth the calculated absolute is of course different per interface.
previously the first calculated absolute value was shown; what of course is
incorrect on the second interface. note that only the print was wrong, the
correct values were passed to the kernel.

ok theo daniel


# 1.334 02-Mar-2003 henning

remove the control keyword for cbq queues.
the control class was a legacy of the original CBQ design by LBL/Sun
to support RSVP.
the control class is not used in openbsd, in the sense that
we don't automatically set filters for ICMP/IGMP/RSVP for the control
class.

ok dhartmei@ kjc@ deraadt@


# 1.333 27-Feb-2003 david

modify error message to match the same 7 sections in pf.conf(5)
ok deraadt@ henning@


# 1.332 26-Feb-2003 henning

in expand_rule, correctly set r->pqid if a priority queue was defined, and
reuse the value of r->qid if not.

ok dhartmei@ mcbride@


# 1.331 25-Feb-2003 henning

some minor KNF my fingers just did...

ok dhartmei@ cedric@


# 1.330 25-Feb-2003 cedric

repair/simplify/flexify binat userland.
ok dhartmei@ henning@


# 1.329 24-Feb-2003 henning

when a macro is redefined, don't bother with reusing the existing entry in
symset() but just prepend a new sym entry to symhead like we always did. as
symget searches the list sequentially, the newest one is picked first.
prevents an endless loop introduced when trying to reuse the existing entry
by an invalid setting for the next pointer.
fixes regress test pf57.

found after conversation with Chris Linn, celinn at mtu dot edu

ok dhartmei@ cedric@


# 1.328 21-Feb-2003 henning

re-allow set loginterface none
ok cedric@ dhartmei@


# 1.327 21-Feb-2003 henning

better error message if set loginterface is called with nonexistent
interface, found by krause (who is doing EXCELLENT work. Thank you very
much!), fix by me, ok dhartmei@ and cedric@


# 1.326 20-Feb-2003 henning

reject nonexistent interfaces in the dynaddr case, noticed during discussion
with jasondixon at myrealbox dot com

ok dhartmei@


# 1.325 19-Feb-2003 dhartmei

Make 'from (kue0)/24' work again (dynamic interface name translation with
a /prefix), reported by Jason Dixon. ok henning@


# 1.324 19-Feb-2003 henning

better error message on icmp version / address family mismatch

ok markus@


# 1.323 18-Feb-2003 henning

fix load option handling (-A, -N, -R) for options.
due to a bug in the loadopt check options were always loaded no matter which
loadopts were specified.
while being there, move the prints for that to where they belong, into the
appropriate pfctl_set_* functions, and thus only print when the options are
actually loaded.
fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier.

ok dhartmei@


# 1.322 17-Feb-2003 henning

"optarg" was a bad pick for the variable name in pfctl_cmdline_symset, it
shadows a global. rename.


# 1.321 17-Feb-2003 mpech

-#include <sys/ioctl.h>

mcbride@, dhartmei@ ok


# 1.320 16-Feb-2003 henning

unneeded {}


# 1.319 16-Feb-2003 henning

throw a syntax error if the portunary operator in varset is not '='
extif>"whatever"
should not be the same as
extif="whatever"
but a syntax error.


# 1.318 14-Feb-2003 dhartmei

Allow route-to loopback interfaces again, since Ryan fixed the loops that
might have occurred before.


# 1.317 14-Feb-2003 cedric

Better and more consistent error message.
Ok dhartmei@


# 1.316 13-Feb-2003 henning

ease the yacc a bit by using a "not" rule instead of having two rules w/ and
without '!' everywhere

ok dhartmei@


# 1.315 12-Feb-2003 henning

KNF after ryan


# 1.314 12-Feb-2003 mcbride

Simplify the code and make the parser handle the different rule types
more consistently.

- Merge expand_nat and expand_rdr into expand_rule
- Merge rdrrule token into natrule

ok concept henning@
ok dhartmei@


# 1.313 11-Feb-2003 henning

allow macro definition on the command line:
pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea
theo), very handy if your notebook has another NIC at some conference, as
well as for debugging etc.
idea rezine@mistrusted.net via pb@
hacked live at FOSDEM

ok pb@ dhartmei@ cedric@
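
Added example, not pfctl's own code: a macro symbol table with the behaviour this commit and 1.329 above describe, plus the list-removal point from 1.432. symset() always prepends, so symget()'s sequential search returns the newest definition of a redefined macro; symset_cmdline() parses a -Dname=value definition and marks it persistent, so a later definition of the same name from the file is refused and the command line wins; sym_purge() removes entries while walking the list by reading the next pointer before freeing the node, the thing TAILQ_REMOVE inside TAILQ_FOREACH gets wrong. It uses a hand-rolled singly-linked list rather than <sys/queue.h>, and the persist flag and the return conventions are this example's assumptions, not pfctl's interface.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct sym {
	struct sym	*next;
	int		 persist;	/* defined on the command line: file definitions lose */
	char		*nam;
	char		*val;
};

static struct sym *symhead;	/* newest definition first */

static char *
xstrdup(const char *s)
{
	size_t n = strlen(s) + 1;
	char *p = malloc(n);

	if (p == NULL) {
		perror("malloc");
		exit(1);
	}
	return (memcpy(p, s, n));
}

/* define or redefine nam; 0 on success, -1 when a persistent definition blocks it */
int
symset(const char *nam, const char *val, int persist)
{
	struct sym *sym;

	for (sym = symhead; sym != NULL; sym = sym->next)
		if (strcmp(nam, sym->nam) == 0 && sym->persist)
			return (-1);

	if ((sym = calloc(1, sizeof(*sym))) == NULL) {
		perror("calloc");
		exit(1);
	}
	sym->nam = xstrdup(nam);
	sym->val = xstrdup(val);
	sym->persist = persist;
	sym->next = symhead;	/* prepend, never reuse the old entry */
	symhead = sym;
	return (0);
}

/* sequential search, so the most recently set value is found first; NULL if undefined */
const char *
symget(const char *nam)
{
	struct sym *sym;

	for (sym = symhead; sym != NULL; sym = sym->next)
		if (strcmp(nam, sym->nam) == 0)
			return (sym->val);
	return (NULL);
}

/* a -Dname=value definition; -1 if there is no '=' or the name is empty */
int
symset_cmdline(const char *def)
{
	const char *eq = strchr(def, '=');
	char *nam;
	int ret;

	if (eq == NULL || eq == def)
		return (-1);
	nam = xstrdup(def);
	nam[eq - def] = '\0';
	ret = symset(nam, eq + 1, 1);
	free(nam);
	return (ret);
}

/*
 * Drop every non-persistent entry, e.g. before loading another file.  The
 * next pointer is read before the node is freed; reading it afterwards is
 * the use-after-free that TAILQ_REMOVE inside TAILQ_FOREACH produces.
 * Returns the number of entries freed.
 */
int
sym_purge(void)
{
	struct sym **pp = &symhead, *sym, *next;
	int n = 0;

	for (sym = symhead; sym != NULL; sym = next) {
		next = sym->next;
		if (sym->persist) {
			pp = &sym->next;
			continue;
		}
		*pp = next;
		free(sym->nam);
		free(sym->val);
		free(sym);
		n++;
	}
	return (n);
}

int
main(void)
{
	symset_cmdline("ext_if=wi0");	/* pfctl -Dext_if=wi0 */
	symset("ext_if", "fxp0", 0);	/* ext_if="fxp0" in the file: refused */
	symset("int_if", "em0", 0);
	symset("int_if", "em1", 0);	/* redefinition: the newest wins */
	printf("ext_if=%s int_if=%s\n", symget("ext_if"), symget("int_if"));
	printf("purged %d file macros\n", sym_purge());
	return (0);
}
```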


# 1.312 09-Feb-2003 henning

more live code from FOSDEM:
make
pass in proto tcp to port 80
work.
-allow to omit the "any" if you're specifying a port
-allow to omit the from or to part if you want "any" for the other

ok dhartmei@ pb@


# 1.311 09-Feb-2003 henning

KNF


# 1.310 09-Feb-2003 camield

Fix a few warnings and remove unnecessary check and cast.

ok dhartmei henning


# 1.309 08-Feb-2003 dhartmei

Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@


# 1.308 05-Feb-2003 cedric

Fix "pass out dup-to (tun0 1.1.1.1) inet6 all" error message
Allow "pass out dup-to tun0 all"
ok mcbride@ henning@


# 1.307 05-Feb-2003 mcbride

Set the network mask to all 1's if no address is specified for a
route-to/dup-to/reply-to rule. Keeps round-robin from incrementing through
the entire address space.

ok dhartmei@


# 1.306 03-Feb-2003 deraadt

pretty


# 1.305 03-Feb-2003 dhartmei

Don't allow loopback interfaces as route/reply/dup-to targets. ok henning@


# 1.304 03-Feb-2003 cedric

remove loadopt global definition and cleanup a bit.
ok henning@


# 1.303 03-Feb-2003 henning

fix a problem with queue definitions when load options (like -N etc) are
given; they used to check for their parent interface/queue even in this
case.

ok dhartmei@ cedric@


# 1.302 02-Feb-2003 henning

there is no need to pass opts to parse_rules explicitely; it's passed as
part of the struct pfctl.


# 1.301 27-Jan-2003 deraadt

KNF


# 1.300 25-Jan-2003 mcbride

Match changes for rdr port ranges made to pf.c:
- fixes behaviour of rdr on le0 from foo to bar port 1:20 -> (lo0) port 22
- makes calculated mapping more explicit for the -> (lo0) port 22:* case

testing from dhartmei@

ok dhartmei@


# 1.299 25-Jan-2003 cedric

Fix NOACTION with table statements.


# 1.298 25-Jan-2003 cedric

Permit initialisation of a table content from a file in pf.conf.
Cleaning up of the table options parsing, more flexible.
idea+cleanup deraadt@, ok dhartmei@, pass all regress tests.


# 1.297 25-Jan-2003 cedric

Correctly check illegal constructs with tables. Better error messages.
ok dhartmei@ pass all regress tests.


# 1.296 25-Jan-2003 henning

if a table name is too long, it's actually nice to tell so instead of just
aborting with a syntax error


# 1.295 20-Jan-2003 camield

Remove unused argument from print_name() and fix two other nits
found by lint.

ok henning


# 1.294 19-Jan-2003 camield

Spin off label string expansion into a separate function. Clarifies
and tightens all expand_label functions.

ok dhartmei henning


# 1.293 18-Jan-2003 henning

KNF after ryan...


# 1.292 18-Jan-2003 mcbride

Add missing token string and assignment to make static-port work for real.

Diff and report courtesy of mpech@ and form@

ok dhartmei@


# 1.291 17-Jan-2003 camield

bandwith -> bandwidth

YYERROR on failed parseicmpspec()

ok dhartmei mcbride henning


# 1.290 15-Jan-2003 mpech

Typo in yyerror().

henning@


# 1.289 14-Jan-2003 henning

unified IP parser:
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h]
-extend host() to handle /mask itself, plus minor adjustments
-use that in pfctl_table.c instead of coding the same shit again

discussed w/ cedric@
ok cedric@ dhartmei@


# 1.288 13-Jan-2003 camield

err() on all memory allocation failures

ok henning dhartmei


# 1.287 11-Jan-2003 mcbride

Whitespace KNF


# 1.286 09-Jan-2003 henning

no need for explicit numbering in enums

ok dhartmei@


# 1.285 09-Jan-2003 dhartmei

Check return values on the remaining strlcpy/strlcat. ok henning@


# 1.284 09-Jan-2003 henning

minor KNF


# 1.283 09-Jan-2003 cedric

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@


# 1.282 08-Jan-2003 deraadt

check more strlcpy; camield@


# 1.281 07-Jan-2003 dhartmei

Allow underscore at the beginning of strings, fixes
pass all user _spamd
which was refused as syntax error before. Reported by Joe Nall.
ok henning@


# 1.280 07-Jan-2003 dhartmei

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@


# 1.279 06-Jan-2003 mcbride

Fix some oversights with address pools for route-to/dup-to/reply-to
- copy key for src-hash
- copy pool type (pools were being set to round-robin in all cases)

+ some minor knf.

ok dhartmei@


# 1.278 05-Jan-2003 henning

err after calloc failure, not errx


# 1.277 05-Jan-2003 dhartmei

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@


# 1.276 04-Jan-2003 dhartmei

move noroute from flag in pf_rule_addr into type in pf_addr_wrap.
ok henning@, mcbride@


# 1.275 04-Jan-2003 deraadt

I do not know where this policy of "one .h file for every .c file" comes
from, but whoever thought of it is stupid.


# 1.274 03-Jan-2003 dhartmei

whitespace KNF (no, i don't touch the option inits)


# 1.273 03-Jan-2003 cedric

Bring in userland code for accessing PF radix tables.
ok dhartmei@ mcbride@


# 1.272 02-Jan-2003 mcbride

Require a direction to be specified for rules which do routing.

ok dhartmei@ henning@


# 1.271 30-Dec-2002 mcbride

Change ipv6-icmp-type to icmp6-type. pf.conf files will need to be adjusted
to reflect this.

ok dhartmei@ henning@


# 1.270 27-Dec-2002 mcbride

Since pf_norm.c looks at rule.log to see if it should log packets being
dropped due to scrub violations, this adds the ability to set this in
pf.conf.

ok henning@


# 1.269 21-Dec-2002 henning

always initialize rpool.key; diff from Frank Denis; KNF by me


# 1.268 21-Dec-2002 henning

KNF


# 1.267 20-Dec-2002 dhartmei

remove a redundant assignment.


# 1.266 19-Dec-2002 dhartmei

fix 'no rdr'.


# 1.265 18-Dec-2002 henning

more KNF


# 1.264 18-Dec-2002 dhartmei

proto list expansion is not supported in binat-anchor yet, print an error
when attempted.


# 1.263 18-Dec-2002 dhartmei

Support (single) destination port in rdr-anchor rules. Print an error
where parameters are not supported (in rdr-anchor and binat-anchor) yet.
If those are needed, we'll have to expand them properly.


# 1.262 18-Dec-2002 deraadt

fix some INCREDIBLE new bugs which were introduced


# 1.261 17-Dec-2002 henning

add support for the PRIQ scheduler

partially from kjc@

ok kjc@ dhartmei@


# 1.260 17-Dec-2002 mcbride

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule

ok dhartmei@ henning@


# 1.259 17-Dec-2002 henning

missing break in switch


# 1.258 17-Dec-2002 henning

beautify the %type block


# 1.257 17-Dec-2002 henning

PRIQ and HFSC support functions, not yet used.
mostly from kjc@ with adjustments by me.

ok theo ryan daniel


# 1.256 16-Dec-2002 henning

only create a root queue if scheduler = cbq


# 1.255 16-Dec-2002 henning

get full [scheduler]_opts struct instead of just .flags, and wrap it into a
switch (scheduler) statement in one case

inspired by kjc@


# 1.254 13-Dec-2002 henning

allow a second queue for higher prioritized (currently: tos=lowdelay) packets
to be specified per rule

queue (qname, priorized_qname)

idea dhartmei
ok dhartmei@ frantzen@ deraadt@


# 1.253 13-Dec-2002 henning

a bit of KNF, originally part of another diff soon to come; frantzen@ correctly
pointed out that it should be a separate commit.


# 1.252 13-Dec-2002 deraadt

permit re-ordering of some scrub parameters, and also clean up some other
grammar baloney; henning ok


# 1.251 12-Dec-2002 henning

KNF


# 1.250 12-Dec-2002 henning

we don't need to keep a private copy of the queue name in expand_rule,
r->qname is never modified

discussed with dhartmei@


# 1.249 11-Dec-2002 mcbride

Replace strncpy + ugly pointer math with sscanf for reading source-hash keys

ok dhartmei@ henning@


# 1.248 09-Dec-2002 dhartmei

(properly guarded) strcpy() -> strlcpy()


# 1.247 09-Dec-2002 deraadt

do not allow redefinitions in variable option blocks; henning ok


# 1.246 08-Dec-2002 henning

strncpy is evil.


# 1.245 08-Dec-2002 henning

allow flexible options order like Theo did for rules.

idea, lots of input, motivation and ok deraadt@

ATTENTION:
this changes the syntax. the "scheduler" keyword is gone now.
old: altq on $interface scheduler cbq ...
new: altq on $interface cbq ...


# 1.244 07-Dec-2002 dhartmei

Support parameters in anchor rules. Allows conditional evaluation, like:

anchor spews inet proto tcp from any to any port smtp

ok deraadt


# 1.243 07-Dec-2002 henning

more KNF


# 1.242 07-Dec-2002 henning

KNF


# 1.241 07-Dec-2002 henning

shadow cleanup

ok mcbride@ frantzen@


# 1.240 07-Dec-2002 henning

kill an unused param to lungetc


# 1.239 07-Dec-2002 mcbride

Convert the hash of a string key to network byte order. Makes regression
work on all platforms.

Bug found by dhartmei@

ok dhartmei@ henning@


# 1.238 06-Dec-2002 dhartmei

Remove negated address list check again, doesn't work right yet.


# 1.237 06-Dec-2002 dhartmei

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@


# 1.236 05-Dec-2002 henning

fix a small cosmetic problem. if ifa_lookup was called in LOOKUP_NET mode,
it would return things like 127.0.0.1/8. when 127.0.0.1/8 is passed through
the new selftests, it becomes 127.0.0.0/8.
fix: instead of just copying addr.mask in ifa_lookup, use set_ipmask, so it
is 127.0.0.0/8 from the beginning on.


# 1.235 05-Dec-2002 henning

-quote varset in -v output
-don't add 's' in set timeout -v output

makes the feedback regression tests succeed.

ok markus@ mcbride@


# 1.234 04-Dec-2002 henning

in host(), apply a given netmask to all members of the node_host list
returned by ifa_lookup().

reported by Alejandro G. Belluscio

ok dhartmei@


# 1.233 04-Dec-2002 deraadt

do not warn for unused variables except with -v -v; henning ok


# 1.232 02-Dec-2002 henning

KNF


# 1.231 02-Dec-2002 deraadt

permit more flexible pass/block lines. the options given at the end of
a line can now be placed in any order, and some merging of duplicate options
is also done. this is easier to use.


# 1.230 02-Dec-2002 henning

allow for "altq on $interface" without specifying a bandwidth. The
interface's bandwidth is taken then.
as a side-effect, "altq on $interface bandwidth xx%" is also possible now,
it's relative to the interface's bandwidth then.

ok theo


# 1.229 30-Nov-2002 mickey

move damn unmask() proto into place as well


# 1.228 29-Nov-2002 henning

coredumps are not nice.
deal with the fact that when we are merging the lists in host_list both can
be NULL.
found at EuroBSDCon 2002 while I was explaining the expansion process to
Paul de Weerd

ok dhartmei@


# 1.227 29-Nov-2002 henning

print queuespec only once in verbose mode, even if referenced more often


# 1.226 29-Nov-2002 henning

FREE_LIST nqueues later; can be used more than once


# 1.225 28-Nov-2002 henning

allow qlimit on altq spec


# 1.224 28-Nov-2002 mcbride

- Adjust to match replacement of md5 with pf_hash
- Allow keys to be specified in hex (must be 128 bits, mainly to make
pfctl -v output parseable by pfctl) or as a string. Randomly generate key
if one is not specified.

Suggestions and fixes from camield@

ok mickey@ camield@ henning@


# 1.223 27-Nov-2002 henning

handle the "no bandwidth specified" case earlier and easier.


# 1.222 27-Nov-2002 henning

-use a #define for default qlimit instead of hardcoding it
-print qlimit in print_queue if it is not the default one
-assign the default qlimit early in the parser instead of using 0


# 1.221 27-Nov-2002 henning

next round in print fixes:
-only print priority if it is not equal to the default one
-space handling overhaul


# 1.220 27-Nov-2002 henning

use a #define for default priority instead of hardcoding it


# 1.219 27-Nov-2002 henning

fix tbrsize spec


# 1.218 27-Nov-2002 henning

fix error message for altq ifspec without child queues


# 1.217 26-Nov-2002 henning

make bandwidth specification on queue truly optional


# 1.216 26-Nov-2002 henning

queue comes before NAT


# 1.215 25-Nov-2002 henning

repair decide_address_family
you cannot just take the first address family you meet as the rule's address
family... either all are equal, or the rule has no explicit AF.

found by danh@
ok theo


# 1.214 25-Nov-2002 mickey

for loN and link1 translate the iface into address properly; henning@ ok


# 1.213 25-Nov-2002 henning

1Kb = 1000b, not 1024; as discussed with kjc@ and theo


# 1.212 25-Nov-2002 henning

KNF


# 1.211 24-Nov-2002 pb

enforce that queue comes right before filtering
'options, normalization, translation, queue, filter' now

henning@ ok


# 1.210 24-Nov-2002 dhartmei

Cosmetics and removal of a redundant code block.


# 1.209 23-Nov-2002 deraadt

sigh


# 1.208 23-Nov-2002 henning

KNF


# 1.207 23-Nov-2002 henning

better error checking in expand_queue


# 1.206 23-Nov-2002 henning

easier


# 1.205 23-Nov-2002 mcbride

Daniel's diff to untangle my mess with ifa_pick_ips like so:

- add decide_address_family() which runs through the list to find hosts
with the af set
- replace ifa_pick_ips with remove_invalid_hosts() which removes hosts with
the wrong address family from the list

from/ok dhartmei@


# 1.204 23-Nov-2002 henning

better error checking, round 1
this time in expand_altq


# 1.203 23-Nov-2002 henning

KNF


# 1.202 23-Nov-2002 deraadt

KNF


# 1.201 23-Nov-2002 dhartmei

$$->ifname is NULL, leave it NULL, don't $$->ifname[0] = 0;


# 1.200 23-Nov-2002 mcbride

Fix brokenness in parse.y, clean up:
- remove requirement for ( ) in route-to ( if )
- calloc route_host
- initialise route_host->next
- globally convert malloc to calloc

ok dhartmei@


# 1.199 23-Nov-2002 mcbride

code to support loading of pf rules with multiple redirection addresses
(in nat, rdr, route-to, dup-to and reply-to)

Syntax looks like this, see pf.conf(5) for details:

nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
192.168.0.16/29 source-hash random

rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
{ 192.168.0.8/31, 192.168.0.15 } port 22 round-robin

ok dhartmei@ henning@


# 1.198 22-Nov-2002 henning

print altq and queue lines in the pfctl -v case including the child queue
assignment


# 1.197 19-Nov-2002 henning

only take cbq opts from schedtype if type=CBQ


# 1.196 19-Nov-2002 henning

repair queuespec syntax glitch, theo agrees


# 1.195 19-Nov-2002 henning

default priority is 1, not 0
found by pb@


# 1.194 19-Nov-2002 camield

- match 'Gb' case-sensitively
- match "%" unit only, not "%crap"

ok henning@


# 1.193 19-Nov-2002 wilfried

icmp-type was off by one, ok henning@


# 1.192 18-Nov-2002 deraadt

no; do not use };


# 1.191 18-Nov-2002 henning

more using strl* return values instead of strlen calls


# 1.190 18-Nov-2002 henning

easier "queue name too long" detection; from theo


# 1.189 18-Nov-2002 deraadt

KNF


# 1.188 18-Nov-2002 deraadt

KNF


# 1.187 18-Nov-2002 henning

altq and pf merged

this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documentation yet, but committing now
enables a few more people to work on.

print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.

"commit now" theo philipp daniel


# 1.186 13-Nov-2002 henning

as scrub rules end up in a struct pf_rule just call expand_rule instead of
handcrufting this.
has quite a few positive side effects:
-interface list expansion works (fries@ asked for that)
-can specify address family, very helpful with dynamic interface expansion
(pointed out by daniel)
-src/dst ip/port list expansion works
-fixes a long standing, scary, though never noticed bug:
scrub out on lo1 from any to 10.0.0.1
expanded to
scrub out on lo1 all
... this bug was there from day #1.

"sneaky diff of the month award" dhartmei@


# 1.185 13-Nov-2002 dhartmei

Add label macro $if, as we support {} list expansion for interfaces now.
From David Gwynne. ok henning@, camield@


# 1.184 13-Nov-2002 dhartmei

Initialize tail pointer to node, found by fries@


# 1.183 08-Nov-2002 henning

init buf to NULL just in case...
there isn't a single codepath where it can remain uninitialized, but this
might prevent a stupid bug if we change something later


# 1.182 07-Nov-2002 henning

move the ifa_exists block a bit up in host()
inspired by mpech@ pointing out a missing free(buf). so handle the
it-is-an-interface case where we don't need the buf before allocating memory.


# 1.181 04-Nov-2002 henning

welcome to CIDR world, pfctl!

use inet_net_pton to parse IP addresses.
stuff like
block in from 10/8 to any
works now.

some input camield@ and dhartmei@

ok dhartmei@, camield@, mcbride@


# 1.180 02-Nov-2002 dhartmei

%i -> %d, matches the style of existing code, from millert@


# 1.179 02-Nov-2002 dhartmei

printf int with %i, not %u. from pilot@monkey.org.


# 1.178 30-Oct-2002 henning

simplify


# 1.177 30-Oct-2002 henning

fix interface expansion. since the reversed list expansion code was
committed this was broken, only the first IP address was returned.

pointed out by danh@, who sent an excellent bug report.

ok dhartmei@


# 1.176 29-Oct-2002 henning

introduce
set require-order [yes|no]
default is yes.
with set to "no", it isn't required to have the rules in order (options,
scrub, nat, filter) any more, though of course NATing still happens before
filtering and so on, so one has to take care.

ok camield@ mcbride@ dhartmei@
idea discussed with a whole lotta more people and basically ok for everyone ;-)


# 1.175 27-Oct-2002 henning

remove the "flags X" syntax.
noone who wrote "flags S" meant that, but actually something like "flags
S/SA". with "flags S" changing its actual meaning as more flags got
supported, things got worse.

ok dhartmei@, pb@


# 1.174 22-Oct-2002 mpech

%ul -> %lu

dhartmei@ ok


# 1.173 22-Oct-2002 mcbride

More conversion of "int af" and "u_int8_t af" declarations and function
arguments to the more correct and descriptive "sa_family_t af"

ok dhartmei@ henning@


# 1.172 22-Oct-2002 camield

Rename ipmask to set_ipmask and add some functionality: the netmask
is applied immediately to the address.

This way, the parsed rules output shows exactly which bits of an
address are significant for a match and errors due to wrong netmasks
can be spotted more easily.

Example:
$ pfctl -nvf -
pass in on lo0 from 172.17.0.0/12 to any
@0 pass in on lo0 inet from 172.16.0.0/12 to any

idea refined by dhartmei@
ok frantzen@ henning@


# 1.171 17-Oct-2002 mcbride

These checks are also made in nat_consistent() and rdr_consistent().

ok dhartmei@ henning@


# 1.170 17-Oct-2002 camield

- accept all protocols that are specified by number if they are in
the valid range (also when they're not listed in /etc/protocols)
- explicitly disallow protocol number 0, because it has special meaning
to pf

ok dhartmei@ henning@


# 1.169 16-Oct-2002 mpech

Fix and improve binat mask comparison.

dhartmei@, henning@ ok


# 1.168 14-Oct-2002 henning

Allow one to specify a netblock in a binat rule:

binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27

Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.

from ryan

ok dhartmei@

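The set_ipmask behaviour described in 1.172 and 1.236 (the mask is applied to the address immediately, so 172.17.0.0/12 prints as 172.16.0.0/12 and 127.0.0.1/8 as 127.0.0.0/8) and the binat netblock mapping described in 1.168 (redirect network bits combined with source host bits, both sides sharing one prefix length) both reduce to prefix-mask arithmetic. The following is an added example written for this page, not pfctl's own code; the function names apply_ipmask, binat_map, ipmask_equals and binat_equals are constructed for the example.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Build a prefix mask of `bits` leading one-bits into `len` bytes. */
static void
build_mask(uint8_t *mask, size_t len, unsigned bits)
{
	size_t i;

	for (i = 0; i < len; i++, bits -= bits < 8 ? bits : 8)
		mask[i] = bits >= 8 ? 0xff : (uint8_t)(0xff << (8 - bits));
}

/*
 * set_ipmask-style normalisation: apply a prefix length to a textual IPv4
 * or IPv6 address and write the network part back in presentation form,
 * so "172.17.0.0" with 12 bits comes out as "172.16.0.0".  Returns 0 on
 * success, -1 on a bad address or prefix.  `out` needs INET6_ADDRSTRLEN.
 */
int
apply_ipmask(const char *addr, unsigned bits, char *out, size_t outlen)
{
	uint8_t buf[16], mask[16];
	size_t i, len;
	int af;

	if (inet_pton(AF_INET, addr, buf) == 1) {
		af = AF_INET;
		len = 4;
	} else if (inet_pton(AF_INET6, addr, buf) == 1) {
		af = AF_INET6;
		len = 16;
	} else
		return (-1);
	if (bits > len * 8)
		return (-1);
	build_mask(mask, len, bits);
	for (i = 0; i < len; i++)
		buf[i] &= mask[i];
	return (inet_ntop(af, buf, out, outlen) == NULL ? -1 : 0);
}

/*
 * binat netblock mapping for "binat ... from src_net/bits -> rdr_net/bits":
 * the redirect network's prefix bits combined with the host bits of the
 * address being translated (both sides share one prefix length).
 * Returns -1 if `src` is outside src_net/bits or any address is invalid.
 */
int
binat_map(const char *src, const char *src_net, const char *rdr_net,
    unsigned bits, char *out, size_t outlen)
{
	uint8_t s[4], n[4], r[4], mask[4];
	size_t i;

	if (bits > 32 || inet_pton(AF_INET, src, s) != 1 ||
	    inet_pton(AF_INET, src_net, n) != 1 ||
	    inet_pton(AF_INET, rdr_net, r) != 1)
		return (-1);
	build_mask(mask, 4, bits);
	for (i = 0; i < 4; i++)
		if ((s[i] & mask[i]) != (n[i] & mask[i]))
			return (-1);	/* not in the source netblock */
	for (i = 0; i < 4; i++)
		s[i] = (uint8_t)((r[i] & mask[i]) | (s[i] & ~mask[i]));
	return (inet_ntop(AF_INET, s, out, outlen) == NULL ? -1 : 0);
}

/* Checks returning 1 when the computed address equals `expect`. */
int
ipmask_equals(const char *addr, unsigned bits, const char *expect)
{
	char out[INET6_ADDRSTRLEN];

	return (apply_ipmask(addr, bits, out, sizeof(out)) == 0 &&
	    strcmp(out, expect) == 0);
}

int
binat_equals(const char *src, const char *src_net, const char *rdr_net,
    unsigned bits, const char *expect)
{
	char out[INET6_ADDRSTRLEN];

	return (binat_map(src, src_net, rdr_net, bits, out, sizeof(out)) == 0 &&
	    strcmp(out, expect) == 0);
}
```

With the addresses from the commit messages, apply_ipmask("172.17.0.0", 12, ...) yields "172.16.0.0", and binat_map("192.168.0.45", "192.168.0.32", "10.0.7.128", 27, ...) yields "10.0.7.141", while an address outside 192.168.0.32/27 is rejected.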

# 1.167 11-Oct-2002 camield

When a macro cannot be expanded because it is not defined, say so. Also warn
about unused macros.

ok dhartmei@ henning@


# 1.166 11-Oct-2002 camield

In lgetc(), compress strings of whitespace to a single space. This makes
macros come out right in verbose mode and is less functional overhead.

Also err on whitespace after a backslash. That type of error is hard to
find otherwise.

ok dhartmei@ henning@


# 1.165 08-Oct-2002 vincent

remove <0 checks on unsigned numbers.

ok henning@


# 1.164 07-Oct-2002 dhartmei

-Wsign-compare clean


# 1.163 07-Oct-2002 dhartmei

Two cases of const-correctness and make one global local.


# 1.162 07-Oct-2002 henning

set block-policy [drop|return]
drop is default, same behaviour as before

support
block drop
to override a return policy


# 1.161 07-Oct-2002 henning

support a generic return
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else

ok dhartmei@


# 1.160 07-Oct-2002 henning

make return-icmp work for rules covering both v4 and v6
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)

ok and some input dhartmei@


# 1.159 07-Oct-2002 henning

use a new rule_flag PFRULE_RETURNICMP to decide whether to return-icmp or not
instead of just testing return_icmp > 0

ok dhartmei@


# 1.158 07-Oct-2002 dhartmei

Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.


# 1.157 06-Oct-2002 dhartmei

Move CHECK_ROOT into LOOP_THROUGH, gets rid of one macro and saves
several lines, no functional difference. From Camiel Dobbelaar.


# 1.156 05-Oct-2002 dhartmei

Expand {} lists from left to right, so 'pass in from { a, b } to any'
becomes '@0 pass in from a to any @1 pass in from b to any' instead of
the other way around. Patch from Camiel Dobbelaar.


# 1.155 05-Oct-2002 dhartmei

Allow filtering based on IP header's tos field.


Revision tags: OPENBSD_3_2_BASE
# 1.154 22-Sep-2002 henning

little KNF: return(something) -> return (something)


# 1.153 22-Sep-2002 henning

fix linenumber counting in findeol, and simplify by ignoring the \ case,
that's already handled earlier.
fast-forward on erroneous lines

partially from camield@, parts result of a discussion with Mike

ok frantzen@ dhartmei@


# 1.152 22-Sep-2002 henning

antispoof, take 2.
also block incoming packets with our own IP as src.

discussion & help frantzen

ok ho@ dhartmei@ frantzen@


# 1.151 17-Sep-2002 henning

easier "self" implementation.
no functional changes

ok pb@


# 1.150 15-Sep-2002 henning

set a netmask in the dynaddr case
noticed by <han@mijncomputer.nl>

ok pb@


# 1.149 14-Sep-2002 henning

bit more clue in rdr/nat rules wrt address family examination
don't take the af from host_node structs based on interface lookups, most
interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will
at least have one IP address specified from which we take the af for the
whole rule. The rare exceptional cases require the user to specify the af.

ok frantzen@


# 1.148 12-Sep-2002 henning

check for calloc() failure; ho@


# 1.147 12-Sep-2002 henning

antispoof [log] [quick] for [interface|interface_list] [af]

e. g.

antispoof log quick for { dc0, dc1 } inet

docs & regress coming

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@
IPv6 help itojun@

finally, a long story finds its happy end here.


# 1.146 12-Sep-2002 henning

rework netmask handling:
-don't set netmask in host token handler
-clear netmask in ipmask() proper before setting it
-in ifa_load(), also store interface's netmask and broadcast address
-allow ifa_lookup() to return either the interface's IP address(es), network(s)
or broadcast address(es) - not used anywhere yet. This implies that
ifa_lookup() also returns the netmask now.
-host() returns netmasks, too

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@


# 1.145 08-Sep-2002 henning

be more clueful wrt address family in nat/rdr rules.
behaviour noticed by Paul de Weerd, thanks!

ok dhartmei@


# 1.144 02-Sep-2002 dhartmei

Fix parsing of port ranges in translation rules (port a:b -> port c:d).
ok henning@


# 1.143 02-Sep-2002 dhartmei

Make sure the interface specified with route-to/dup-to/fastroute exists
and null-terminate the interface name. Found by Michael Wallis.
ok henning@


# 1.142 20-Aug-2002 dhartmei

Increase lineno on newlines inside multi-line macro definitions, otherwise
errors on subsequent lines are reported with wrong line numbers.
From Paul B. Henson.


# 1.141 16-Aug-2002 henning

kill duplicated check for '(' and ')' in allowed_in_string


# 1.140 12-Aug-2002 dhartmei

Catch null pointer deref (segfault), from wilfried@


# 1.139 06-Aug-2002 henning

missing free(), mpech@
ok pb@


# 1.138 06-Aug-2002 henning

check for strdup() allocation errors

pointed out by mpech@
ok pb@


# 1.137 31-Jul-2002 henning

KNF, esp. missing prototypes


# 1.136 30-Jul-2002 henning

grmpf.
in some cases, on non-tcp rules flags weren't reset. cosmetic-only
problem. but, well, checking for r->flags and r->flagset if we could have
assigned them zero just one round ago is just stupid, and it's not needed to
check them at all.

ok pb@, dhartmei@


# 1.135 30-Jul-2002 henning

allow to specify flags on all rules that include tcp.

these are valid:

pass in from any to any flags S
pass in proto { tcp, udp, icmp } from any to any flags S
pass in proto tcp from any to any flags S

these are invalid:

pass in proto { udp, icmp } from any to any flags S
pass in proto udp from any to any flags S

ok "I've lost my slacker status for at least a week" frantzen@
ok pb@, dhartmei@, deraadt@


# 1.134 26-Jul-2002 henning

make the order of log and quick irrelevant. now both
block in log quick all
and
block in quick log all
work.

ok dhartmei@, deraadt@


# 1.133 23-Jul-2002 henning

timeout_list/_spec and limit_list/_spec don't return anything -> no %type.

ok theo


# 1.132 21-Jul-2002 deraadt

fix route-to also


# 1.131 21-Jul-2002 deraadt

make the , optional in many places. This makes string concat a lot more
useful. Now you can
in = ssh domain www
out = $in ftp finger
pass in proto tcp from any to any port { $in }
pass out proto tcp from any to any port { $out }
a poor example, but the idea is obvious


# 1.130 21-Jul-2002 deraadt

string concat, ie.
a=a b
c=$a $a


# 1.129 20-Jul-2002 deraadt

minor indent tweaks


# 1.128 20-Jul-2002 deraadt

properly split yacc and lex use


# 1.127 19-Jul-2002 deraadt

minor tweaks, sigh


# 1.126 19-Jul-2002 dhartmei

And back out the last change again.


# 1.125 19-Jul-2002 henning

rework the interface lookup routines internals.
less and easier code than before.
no functional changes.

ok frantzen@, dhartmei@


# 1.124 19-Jul-2002 dhartmei

Support # comments at the end of lines and inside (multi-line) string
literals, so you can do things like

macro="{ foo, # first entry
bar, # second entry
baz }" # last entry

or

pass in on $ext_if \ # external interface
proto tcp \ # TCP connections
from any to $ext_if \ # to the gateway itself
keep state

And sneaking in two minor fixes for KNF.


# 1.123 19-Jul-2002 henning

deal with the fact that the struct node_host ifa_pick_ip gets is not always
the result of an interface expansion. in this case ifa_pick_ip does an
address family check (that's actually a (wanted) side effect). Thus, we need
to spit out a meaningful error message in case of a mismatch.
also adjust all the other error messages, they were also assuming that nh is
the result of an interface expansion.
after a looooong discussion on icb (dhartmei@, pb@, me) we agreed on the term
"translation address" for that.

okay dhartmei@


# 1.122 17-Jul-2002 henning

support "self" as address. self expands to all IPv4 and IPv6 addresses of
the machine, on all interfaces. I wanted
block in log on ! lo0 from any to self
for years, and now it's possible.

ok "I may lose my slacking status if I OK it" frantzen@
ok dhartmei@

documentation in pf.conf.5 to come with pb@'s rewrite


# 1.121 16-Jul-2002 dhartmei

Add nat_consistent() and rdr_consistent() for checks that should occur
after rule expansion, similar to rule_consistent(). Fixes the
non-effective test for rdr rules for non-TCP/UDP protocols with ports,
found by mpech@, ok frantzen@


# 1.120 15-Jul-2002 henning

add support for
pass|block on ! $interface ...

ok dhartmei@

will be documented in pf.conf(5) by "I'm not slacking!" pb@ who's currently
reworking this manpage


# 1.119 15-Jul-2002 pb

cosmetics/consolidations to manpage in yyerror()s

ok henning@, dhartmei@


# 1.118 15-Jul-2002 henning

o complain about keep state on block rules
o complain about return-rst on rules which aren't limited to tcp

pointed out by not-slacking-but-testing pb@

ok pb@, dhartmei@


# 1.117 13-Jul-2002 henning

add list expansion for interface and proto in nat rules and for proto in rdr
rules (interface was already there). since the nat.conf/pf.conf merge the
parser accepted these but didn't expand them. ugh.

ok dhartmei@


# 1.116 09-Jul-2002 itojun

check sin6_scope_id field, just in case we change the routing socket API
for scoped address (unlikely due to the deployed codebase...).


# 1.115 09-Jul-2002 itojun

getifaddrs(3) grabs link-local addrs in kernel internal form, convert them
into proper sockaddr_in6.


# 1.114 09-Jul-2002 henning

rework the interface-to-IP routines.

you can use interface names instead of an IP in most places. However, until
now, it was only expanded to the interface's first IPv4 address if existent
(and address family unset or inet) and the first IPv6 address otherwise.

this diff changes that. the interface is properly expanded to all IPs, IPv4
_and_ IPv6, now.

it also cleans up the lookup procedures (well, in fact, they are replaced by
a new one), there's no need for different procedures for IPv4 and IPv6. we
now just have one list of interfaces (AF_LINK) and one list with IPs
(AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and
ifa_lookup.

nat, rdr & friends now use the new function ifa_pick_ip to get the IP in
rules like

nat on $interface from $whatever to any -> $interface

ifa_pick_ip tries to be smart.
if the interface has only one IP address and the nat rule doesn't specify an
address family (or it matches with this address), take this one.
If the address family is specified in the nat rule and there is only one IP
for the given address family, this one is used. if the address family is not
specified and there is more than one IP pfctl throws an error. The same
applies for multiple IPs per address family.

This causes regression tests 18 and 20 to fail because the address family
isn't specified there; diff for those coming.

also fix some prototypes while I'm here.

pb@ found another problem while testing that we must have introduced somewhat
after 3.1.

$cat t
nat on ne3 from any to any -> 213.128.133.5
$pfctl -nvf t
nat on ne3 all -> ?

it's only a representation bug as far as I've checked, nonetheless it should
be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just
steal its target's IP af and set the rule's af accordingly. then inet_ntop
does play nice.
binat rules already enforce having an address family set always and thus are
not affected.

ok dhartmei@, pb@, kjell@
"It looks good" frantzen@

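The selection rule this message spells out for ifa_pick_ip (one address: usable unless the rule's address family contradicts it; several addresses and no family given: ambiguous; a family given: usable only if exactly one address of that family exists) as an added example, not pfctl's code. The struct ifaddr_ex, the function pick_ip_ex and the two interface address lists are constructed for this example.

```c
#include <stddef.h>
#include <sys/socket.h>

/* Constructed stand-in for the node_host entries ifa_lookup() returns. */
struct ifaddr_ex {
	const char	*addr;
	int		 af;	/* AF_INET or AF_INET6 */
};

/*
 * Pick the translation address for a rule like
 *   nat on $interface from $whatever to any -> $interface
 * from the interface's address list.  rule_af is AF_UNSPEC when the rule
 * names no address family.  Returns the index of the chosen address, or -1
 * where pfctl has to throw an error (ambiguous choice, or no address of
 * the requested family on the interface).
 */
int
pick_ip_ex(const struct ifaddr_ex *list, size_t n, int rule_af)
{
	size_t i, nmatch = 0;
	int found = -1;

	if (n == 1)	/* one address: fine unless the rule's af contradicts it */
		return (rule_af == AF_UNSPEC || rule_af == list[0].af) ? 0 : -1;
	if (rule_af == AF_UNSPEC)	/* several addresses, no af: ambiguous */
		return (-1);
	for (i = 0; i < n; i++)
		if (list[i].af == rule_af) {
			found = (int)i;
			nmatch++;
		}
	return (nmatch == 1 ? found : -1);	/* several of that af: ambiguous */
}

/* constructed dual-stack interface: one IPv4 and one IPv6 address */
const struct ifaddr_ex dualstack[] = {
	{ "192.0.2.1",   AF_INET },
	{ "2001:db8::1", AF_INET6 },
};
const size_t dualstack_n = sizeof(dualstack) / sizeof(dualstack[0]);

/* constructed interface with an IPv4 alias, so two IPv4 addresses */
const struct ifaddr_ex aliased[] = {
	{ "192.0.2.1",   AF_INET },
	{ "192.0.2.2",   AF_INET },
	{ "2001:db8::1", AF_INET6 },
};
const size_t aliased_n = sizeof(aliased) / sizeof(aliased[0]);
```

On the dual-stack list, a rule without inet/inet6 is rejected (-1) while "inet" selects index 0 and "inet6" index 1; on the aliased list even "inet" is ambiguous, which is the case the message says regression tests 18 and 20 ran into.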

# 1.113 08-Jul-2002 dhartmei

Don't allow 'flags' option in non-TCP rules, found by mpech@


# 1.112 05-Jul-2002 henning

unbreak.


# 1.111 05-Jul-2002 henning

another small bug I found while installing a -current pf firewall.
we don't support

pass/block in on ! <interface>

(at least, not yet)
let the parser complain instead of ignoring the '!'

ok pb@, dhartmei@


# 1.110 01-Jul-2002 espie

streamline parse buffer handling (no need to copy value that is not
going to go away).

add explicit pushback buffer, to be able to push IPv6 failed parses back.

handle pushback + parse buffer interactions by using negative indices.

okay dhartmei@, deraadt@


# 1.109 01-Jul-2002 deraadt

KNF


# 1.108 28-Jun-2002 dhartmei

Don't check for address family conflicts in nat/rdr before expansion,
rules will expand to all valid combinations, and there's an error when
none is found. Makes "nat on tun0 from 10.0.0.0/8 to any -> (tun0)"
work (again).


# 1.107 25-Jun-2002 henning

move pfctl options -t, -m, -O and -l to pf.conf. These are set using the
"set" keyword. example rulefile:

set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all

fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@


# 1.106 24-Jun-2002 dhartmei

Use interface when specified in scrub rule. No support for ! or {} yet.


# 1.105 23-Jun-2002 deraadt

uid_t and gid_t are unsigned


# 1.104 20-Jun-2002 dhartmei

Copy address family from inet/inet6 keyword, if specified.


# 1.103 18-Jun-2002 frantzen

propagate a '!' when a host resolves to multiple IP addresses
ok dhartmei@


# 1.102 18-Jun-2002 frantzen

don't allow individual keep state rules to specify timeouts for 'interval' and
'frag' -- they aren't applied anyway
ok dhartmei@ and henning@


# 1.101 16-Jun-2002 aaron

Rules must in order -> Rules must be in order


# 1.100 15-Jun-2002 dhartmei

Reset rulestate in parse_rules(), so consecutive calls (like from authpf)
will not fail. Reported by Chris Kuethe.


# 1.99 13-Jun-2002 kjell

Fix the numbering of scrub rules. pointed out and oked by frantzen@


# 1.98 12-Jun-2002 kjell

Fix uninitialized access. Spotted by danh@. This is a good reason to
develop with "ln -s 'J' /etc/malloc.conf" enabled.
ok henning@


# 1.97 11-Jun-2002 frantzen

split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@. the rest are slacking


# 1.96 11-Jun-2002 frantzen

SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@


# 1.95 11-Jun-2002 dhartmei

Make NAT proxy port range configurable per rule, for instance privileged
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@


# 1.94 10-Jun-2002 kjell

Merge the NAT and rules files into a single rulefile. Rules must be
in this order, to remove any ambiguity about what order things happen in:

scrub rules
nat rules
filter rules

The -N and -R modifiers go away. Rulefiles are now loaded with the
more POSIXly-correct '-f'

ok frantzen@


# 1.93 10-Jun-2002 dhartmei

Allow ports to be specified in nat rules, useful later on for individual
proxy port ranges.


# 1.92 10-Jun-2002 dhartmei

Move enum out of struct (gcc 3.1 wasn't happy), from David Krause


# 1.91 10-Jun-2002 kjell

split scrub rule processing into its own yacc target,
for imminent config file merge. ok frantzen@


# 1.90 09-Jun-2002 dhartmei

Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it
includes ports and operator.


# 1.89 09-Jun-2002 deraadt

spaced out developers...


# 1.88 09-Jun-2002 kjell

Add list parsing in RDR rules: e.g.

rdr on $IFLIST proto tcp from $SRC_LIST to $DST_LIST port 21 \
-> 127.0.0.1 port 8021

ok dhartmei@


# 1.87 08-Jun-2002 henning

nuke unused parameter af to expand_label_port
ok dhartmei@, pb@


# 1.86 08-Jun-2002 dhartmei

Change remaining read-only lookup tables to const, suggestion drahn@


# 1.85 08-Jun-2002 itojun

comment on IPv6 link-local twists


# 1.84 08-Jun-2002 kjell

add list expansion to src/dest in NAT rules. i.e.

nat on fxp0 from { 10.0.0.0/24, 10.0.1.0/24 } to \
{ 172.6.1.1, 172.14.1.2/32 } -> fxp0

ok theo, dhartmei@


# 1.83 08-Jun-2002 henning

remove macro concatenation via += per Theo's advice


# 1.82 08-Jun-2002 henning

allow macro concatenation like
webservers = "{ 10.0.0.1, 10.0.0.7, 10.0.0.8, "
webservers += " 10.0.0.17, 10.0.0.25, 10.0.0.37 }"
ok frantzen@, dhartmei@


# 1.81 08-Jun-2002 dhartmei

Make state timeouts configurable per rule, like

pass in from any to any port www keep state (tcp.established 60)

ok frantzen@


# 1.80 08-Jun-2002 henning

expand $nr -> rule number in rule labels
okay dhartmei@, frantzen@


# 1.79 08-Jun-2002 henning

expand $proto in rule labels
okay frantzen@ dhartmei@


# 1.78 07-Jun-2002 dhartmei

Handle realloc() failure gracefully. Terminates with err() anyway in this
case, but we don't want to trigger "p = realloc(p," grepping causing false
alarms here.


# 1.77 07-Jun-2002 deraadt

henning, read this to see what i mean by KNF


# 1.76 07-Jun-2002 pb

add the possibility to configure a TTL while return-rst

ok dhartmei@, ipv6 part itojun@ ok


# 1.75 07-Jun-2002 dhartmei

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@


# 1.74 07-Jun-2002 henning

allow using $srcaddr, $srcport, $dstaddr and $dstport in rule labels,
evaluated at parse time.
ok dhartmei@


# 1.73 07-Jun-2002 itojun

make IPv6 scope identification work for dst (from any to fe80::1%lo0)


# 1.72 07-Jun-2002 itojun

support scoped IPv6 address in from/to portion.


# 1.71 01-Jun-2002 hugh

ECN flag support for pf. Committed in consultation with Daniel.


# 1.70 24-May-2002 dhartmei

Support mixed (IPv4/v6) address lists, expand to all possible and valid
combinations. 'pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }' will
expand to two rules, 'from 10.1.2.3 to 10.4.5.6' and 'from ::1 to ::2'.
Also applies to host name resolution (when multiple addresses are returned
for one name). ok frantzen@, itojun@


# 1.69 23-May-2002 deraadt

tiny KNF, some malloc checks, etc


# 1.68 23-May-2002 itojun

new_addr is not used from anywhere. daniel@benzedrine.cx ok


# 1.67 19-May-2002 deraadt

KNF


# 1.66 12-May-2002 dhartmei

Explain that user/group 'unknown' can only be used with operators = and !=
and refuse other constructs in the parser. Also note that 'user >= 0' does
not match forwarded packets with unknown user ID.


# 1.65 12-May-2002 dhartmei

Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.


# 1.64 10-May-2002 dhartmei

Handle host name resolution returning multiple addresses in the rule
parser (expand to every address). ok frantzen@


# 1.63 09-May-2002 jasoni

Add a max-mss option to the scrub rule which will enforce a maximum mss
by lowering it to the given value.
- ok dhartmei@, provos@


# 1.62 09-May-2002 dhartmei

Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.


# 1.61 24-Apr-2002 dhartmei

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).


# 1.60 23-Apr-2002 dhartmei

Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.


# 1.59 18-Apr-2002 deraadt

use strlcpy


# 1.58 17-Apr-2002 dhartmei

Reset lineno for each file, so pfctl -R ... -N ... reports the right
line number for non-first files. Reported by aaron@


Revision tags: OPENBSD_3_1_BASE
# 1.57 27-Mar-2002 mickey

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok


# 1.56 27-Feb-2002 dhartmei

Instead of printing useless @0 rule numbers from pfctl -vR, increase a
counter. Helps debugging rule sets that are not loaded. Suggested by
John Kerbawy.


# 1.55 11-Jan-2002 mickey

use bsearch() for keywords lookup, swap couple of entries to make the keywords array sorted and add a comment to keep it that way; dhartmei@ ok


# 1.54 10-Jan-2002 hugh

Let port 0 be specified as it's not special here.
Agreement with Daniel and others.


# 1.53 09-Jan-2002 mpech

Port must be >0 and <=65535. Idea while having fun with ssh.

dhartmei@ ok


# 1.52 09-Jan-2002 mpech

free() 'interface' in {nat,binat,rdr}rule

dhartmei@ ok


# 1.51 09-Jan-2002 dhartmei

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.


# 1.50 08-Jan-2002 dhartmei

Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.


# 1.49 07-Jan-2002 mpech

remove 3rd argument from ipmask(), not used.

dhartmei@ ok


# 1.48 23-Dec-2001 deraadt

find correct line number in lval, instead of val


# 1.47 10-Dec-2001 dhartmei

Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.


# 1.46 05-Dec-2001 dhartmei

Correctly parse hex numbers. Spotted by Claudio Jeker. Closes PR 2234.


# 1.45 03-Dec-2001 dhartmei

For nat, binat and rdr rules, don't allow different address families in
one rule. pf can't translate IPv4 <-> IPv6 packets. Such rules didn't work,
even if they were falsely accepted before.


# 1.44 26-Nov-2001 jasoni

add fastroute options similar to what is found in ipf
ok dhartmei@, frantzen@


# 1.43 05-Nov-2001 deraadt

no one responds.
this diff makes } and { not be part of symbols


# 1.42 24-Oct-2001 dhartmei

Check interface names using ifa0_lookup() and print error message for
non-existent interfaces (instead of the generic ioctl error returned by
the kernel in this case).


Revision tags: OPENBSD_3_0_BASE
# 1.41 15-Oct-2001 dhartmei

branches: 1.41.2;
Add 'allow-opts' to rules. Packets with IP options will be blocked by
default now, and can be allowed per rule. ok deraadt@


# 1.40 11-Oct-2001 frantzen

Don't htonl() past buffer bounds if ipmask == 128


# 1.39 07-Oct-2001 dhartmei

Add interface name to address translation to pfctl, document it and add
a regress test. Translation is done on rule set load-time only, so the
rule sets must be reloaded when an interface address changes.
parse.y patch from Cedric Berger. Similar patch from Jonathon Fletcher.
Thanks to both.


# 1.38 01-Oct-2001 markus

print variable assignments only if -v is given. ok dhartmei/deraadt


# 1.37 28-Sep-2001 dhartmei

Support underscores in macro names and document it in the man page.


# 1.36 20-Sep-2001 dhartmei

Fix uninitialized structure fields. Problem reported by Cedric Berger.


# 1.35 15-Sep-2001 wilfried

Implement return-icmp(number), return-icmp6(number)
Differentiate between return-icmp and return-icmp6,
icmp-type and ipv6-icmp-type. ok dhartmei@


# 1.34 15-Sep-2001 dhartmei

Fix 'binat ... to any ...' (binat.af wasn't set).


# 1.33 15-Sep-2001 dhartmei

Parse bug, found by wilfried@


# 1.32 15-Sep-2001 frantzen

IPv6 support from Ryan McBride (mcbride@countersiege.com)


# 1.31 12-Sep-2001 markus

check calloc() return value


# 1.30 06-Sep-2001 jasoni

- you can only binat between hosts
- add binat example and description


# 1.29 06-Sep-2001 jasoni

1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@


# 1.28 04-Sep-2001 dhartmei

Support parameter lists {} for interfaces in filter rules, like
pass in on { gm0, kue0 } from any to any


# 1.27 28-Aug-2001 markus

move '!' from host_list to host: "xhost : '!' host | host;"; ok dhartmei@


# 1.26 28-Aug-2001 markus

check for malloc/strdup == NULL


# 1.25 28-Aug-2001 dhartmei

Support ! operator in host parameter lists. Fixes PR system/2030. Reported
by Kamil Andrusz <wizz@mniam.net>.


# 1.24 26-Aug-2001 deraadt

sort keywords


# 1.23 25-Aug-2001 frantzen

PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation.


# 1.22 23-Aug-2001 millert

o for a port_item, initialize the "next" pointer to NULL
o for an address, use calloc() instead of malloc() so the struct is zeroed
Fixes a SEGV in pfctl due to uninitialized "next" pointers.


# 1.21 23-Aug-2001 deraadt

Support var="string". Expansion (at lex time) done using $var, for instance:
okproto="{ssh, smtp, domain, auth}"
pass in on key0 proto tcp from any to any port $okproto keep state
Can I ask someone else to document this in pf.conf(5)?


# 1.20 19-Aug-2001 dhartmei

Add parameter list support to parser. Handles lists for protocol, hosts
and ports in filter rules, like

block in from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
pass in proto tcp from any to any port { ssh, 1024 >< 2000, > 65000 }
block in proto { udp, igmp }

and does rule expansion (generate all needed rule combinations).


# 1.19 16-Aug-2001 deraadt

track the line number per-token, so that we can report errors correctly


# 1.18 14-Aug-2001 mickey

optimize the flags parsing; markus@ ok


# 1.17 11-Aug-2001 deraadt

\+\n support, and spit out cc-style error messages. the parser's line
counting is lex dependent, and will need to be tweaked


# 1.16 31-Jul-2001 wilfried

allow to test that flags are unset, ok dhartmei@, mickey@


# 1.15 19-Jul-2001 krw

Fix/complete the handling of the binary ops >< and <> to behave
like the ipf operators.

The 'n >< m' construct (Include Range = PF_OP_IRG) should match
ports greater than n and less than m, not greater than or equal to
n and less than or equal to m.

The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match
all ports less than n OR greater than m, not be treated as an
alias for ><.

Thus PF_OP_GL, which was used for both <> and >< is replaced with
PF_OP_IRG and PF_OP_XRG with the 'correct' semantics.

OK dhartmei@


# 1.14 18-Jul-2001 markus

new ERROR token, errx() -> warnx() + ERROR; ok deraadt@


# 1.13 18-Jul-2001 markus

KNF for return


# 1.12 18-Jul-2001 mickey

check number range to fit in 32 bits


# 1.11 18-Jul-2001 mickey

put range checks on NUMBER, pointed out by deraadt


# 1.10 17-Jul-2001 mickey

spaces, parens, err instead of errx+strerror


# 1.9 17-Jul-2001 markus

warnx()/YYERROR instead of errx(); suggested by mickey@


# 1.8 17-Jul-2001 provos

markus doesn't like min-ttl =, begone


# 1.7 17-Jul-2001 provos

support min-ttl, okay dhartmei@


# 1.6 17-Jul-2001 provos

normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@


# 1.5 17-Jul-2001 marc

bitch about ! in pf rule; ok dhartmei@ and markus@


# 1.4 17-Jul-2001 millert

Only set default proto in the rdr case; markus@ OK


# 1.3 16-Jul-2001 markus

errx() if getservbyname() fails


# 1.2 16-Jul-2001 markus

better flags parsing; dhartmei


# 1.1 16-Jul-2001 markus

add a yacc parser for pf.conf and nat.conf, with help from mickey@,
plus: -n now turns off all operations, and just parses the conf files
ok deraadt@


# 1.698 26-Aug-2019 tobhe

Fix file descriptor leak due to popfile() never closing the main config file.

The fix is the same as for other parse.y files in the tree (see bgpd(8) or
unwind(8))

ok bluhm@


# 1.697 05-Jul-2019 patrick

Fix integer sizes in format strings and enable formatting warnings
for yyerror.

From Moritz Buhl
ok bluhm@ claudio@


# 1.696 08-May-2019 sashan

pfctl should check pfctl.astack is not overrun
(bug found and fixed by Petr Hoffmann _at_ oracle.com)

OK kn@


# 1.695 18-Apr-2019 kn

Fix table definition parsing as unprivileged user

revision 1.689 introduced warn_duplicate_tables() unconditionally, breaking
the parser on tables with insufficient permissions to open pf(4):

$ echo 'table <t>' | pfctl -nf-
pfctl: pfr_get_tables: Bad file descriptor

So simply check whether pfctl is able to get the table list first. If not,
instead of silently avoiding namespace collision checks, print a brief
notice iff `-v' is given to help finding duplicate definitions by hand:

$ echo 'table <t>' | ./obj/pfctl -vnf-
table <t>
stdin:1: skipping duplicate table checks for <t>

Reported by Rivo Nurges, thanks!
OK benno sashan


Revision tags: OPENBSD_6_5_BASE
# 1.694 06-Mar-2019 kn

Fix once rules

parse.y revision 1.682 from 16.07.2018 erroneously allowed `match once' and
`anchor "a" once'.

Fix both by checking for PF_DROP not PF_MATCH and creating anchors in the
parser already such that they can be used to distinguish anchor rules in
the same check as well.

Found and fixed by Petr Hoffmann <petr.hoffmann at oracle dot com>, thanks!

While here, remove an unneeded cast and make pfctl_add_rule() void as it
always returned 0.

OK sashan


# 1.693 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.692 10-Feb-2019 kn

Anchor names must not be empty

The parser would allow bogus input and sometimes even produce invalid rules
on empty anchor names, so error out immediately.

OK sashan


# 1.691 10-Feb-2019 kn

Unify anchor name sanity checks

For anchor names, make `load anchor' use the same grammar as `anchor' and
merge unique checks from both places so that anchor names are validated
regardless of the specific rule at hand.

OK sashan


# 1.690 31-Jan-2019 kn

Make divert-packet port accept any port specification

Contrary to other rules accepting a single port, this one only works with
numerical values. Fix it by simply using the proper grammar.

Port ranges are not accepted, but an error message on a range without start
was missing in general, so add it while here.

OK bluhm


# 1.689 11-Jan-2019 kn

When creating tables inside anchors, pfctl warned about namespace
collisions with global tables, but only in certain cases and with
limited information sometimes leaving users clueless.

Deferring the check to process_tabledefs() where tables are eventually
created, both anchor and table name are known which allows for checking
all existing anchors.

With this, warn on all duplicates even in dry-runs (`-n') and print
quoted names so they can be copied to fix configurations right away.

No functional change in parsing or ruleset production.

Discussed with and OK sashan


# 1.688 15-Nov-2018 dlg

scrub opts don't set tos, so remove it from the scrub_opts struct

ok deraadt@


# 1.687 10-Nov-2018 kn

Unbreak `-D macro=value' (r1.686 regression)

Zap trailing semicolon introduced with miko's cmdline_symset() leading to
unconditional err(3). Zap trailing tab while here.


# 1.686 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.685 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.684 16-Sep-2018 millert

Use uid_from_user(3) and gid_from_group(3) in utilities that
do repeated lookups. OK tb@


# 1.683 06-Sep-2018 kn

Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan


# 1.682 16-Jul-2018 kn

reduce duplicate code, fix typo/free correct buffer

In filteropts_to_rule():

* Merge `once' handling from `anchorrule' and `pfrule'
* Remove/shorten duplicate code block
* Fix typo I introduced with r1.678 that frees the wrong buffer (twice)

OK sashan


# 1.681 13-Jul-2018 kn

Fix regression on child queue definitions

I committed the wrong diff in 1.680 which turned `queue cq parent pq ...'
into invalid syntax by changing `interface' to `ON if_item'.

Found by bket, thanks!


# 1.680 11-Jul-2018 kn

Prevent invalid interface specifiers on queue rules

pf.conf(5) states that queues attach to actual interfaces only, yet the
following parses:

# echo queue eq on egress bandwidth 1G default | pfctl -f-
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

# echo queue rq on rdomain 0 bandwidth 1G default | pfctl -vf-
queue rq bandwidth 1G default
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

On rdomains, ifa_exists() returns NULL.
On interface groups, ifa_exists() returns non-NULL but af is never set
to AF_LINK.

OK henning sashan


# 1.679 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.678 10-Jul-2018 henning

'set delay' for the generic packet delay mechanism, ok benno sashan


# 1.677 10-Jul-2018 kn

fix anchor rules with filter opts, introduce filteropts_to_rule()

Some filter options were parsed but not set on anchor rules due to missing
copies of the respective struct members:

$ cat pf.conf
queue rq on trunk0 bandwidth 1G
queue dq parent rq bandwidth 1G default
anchor a set queue dq
$ pfctl -vnf pf.conf | fgrep queue
anchor "a" all

Fix this by moving common code from `anchorrule' and `pfrule' into a new
helper filteropts_to_rule().

Input from henning and benno
OK henning sashan jca


# 1.676 09-Jul-2018 kn

Zap dead code

Commented since r1.465 (2004).

OK deraadt benno jca sashan


# 1.675 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.674 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.673 18-May-2018 benno

A pf rule with a "on rdomain n" with nonexisting rdomain n will cause an

pfctl: DIOCADDRULE: Device busy

error when loading the ruleset, with no information which rule caused
the problem and no indication that the problem is the rdomain
<nonexisting>.

This diff makes pfctl check if the rdomain really exists when parsing
the config.

ok bluhm@


# 1.672 09-May-2018 otto

Fix (include file ) line number counting by keeping track of the unget
buffer per file; also use that buffer to expand macros.
ok sashan@ dennis@ krw@


# 1.671 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.670 08-Feb-2018 henning

make the watermarks/thresholds for entering and leaving syncookie mode when
syncookies are set to adaptive tunable, ok claudio benno


# 1.669 06-Feb-2018 henning

allow control over syncookies: set syncookies never/always/adaptive


# 1.668 28-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@


# 1.667 27-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Convert the pfctl(8) rule parser to divert types, kernel cleanup
will be the next step.
OK sashan@


# 1.666 25-Nov-2017 sashan

- pfctl fails to handle nested 'load anchor' properly
[ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]

OK bluhm@


# 1.665 14-Nov-2017 sashan

- nested anchors vs. pfctl/parse.y
bug reported and fix tested by Leonardo Guardati

OK bluhm@


# 1.664 13-Nov-2017 henning

add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb


Revision tags: OPENBSD_6_2_BASE
# 1.663 11-Aug-2017 benno

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@


# 1.662 19-Jul-2017 mikeb

Allow HFSC classes to use flow queues

The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue. Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.

Discussed with and OK henning@ at d2k17 as a part of a larger diff.


# 1.661 19-Jul-2017 mikeb

Rework HFSC vs FQ-CoDel checks

The selection mechanism introduced in pf_ioctl.c -r1.316 suffers
from being too ambiguous and lacks robustness. Instead of relying
on composition of multiple flags in the queue specification, it's
easier to identify the root class (if it exists) and derive all
further checks from it.


# 1.660 28-May-2017 akfaew

Don't check np->port for NULL - it's an array, it's never NULL.

OK bluhm@


# 1.659 15-May-2017 mikeb

Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)

OK sthen, visa


# 1.658 28-Apr-2017 mikeb

Remove double assignments


Revision tags: OPENBSD_6_1_BASE
# 1.657 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.656 23-Nov-2016 bluhm

Explicitly forbid to combine af-to with route-to in pfctl. The
parser cannot handle that correctly and it is unclear whether the
kernel code would work. Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@


# 1.655 26-Aug-2016 guenther

Add <time.h> for time(); sort <*.h> includes

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.654 18-Jul-2016 henning

g/c unused (global!) var: oqueues isn't used any more. ALTQ leftover; not
noticed since struct node_queue stayed. ok claudio benno gcc


# 1.653 22-Jun-2016 kettenis

Add curly braces that were missed in rev 1.651. Add parentheses to make the
condition in the if statement more readable while I'm there.

ok phessler@, benno@, florian@


# 1.652 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.651 21-Jun-2016 benno

the manpage documents that af-to does not work on pass out rules, but
the pf.conf parser allows it, which leads to a non-working configuration
being loaded.
this changes the parser to make pass out .. af-to an error.

ok henning@ mikeb@


# 1.650 16-Jun-2016 henning

allow include in inline anchors
with this,
anchor foo {
include "/path/to/rules"
}
works and "load anchor" is obsolete, to be removed somewhen later after
release.
co-production with reyk at bsdcan, ok reyk mikeb benno sasha


Revision tags: OPENBSD_5_9_BASE
# 1.649 01-Sep-2015 sashan

- route-to, dup-to, reply-to should not override the block action

Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>

ok jung@, ok mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.648 21-Apr-2015 mikeb

Improve divert-to specification parsing w.r.t. rule address family.
ok henning


Revision tags: OPENBSD_5_7_BASE
# 1.647 26-Feb-2015 sthen

%% not % in error message; ok millert@ henning@


# 1.646 14-Feb-2015 sthen

Rather than using 0xff as a placeholder for "don't check prio", use 0xff to
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.

Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesn't like it he can change it when he recovers from jet-lag"


# 1.645 10-Feb-2015 henning

since we inherit prio (as in, the queuing priority) from outside sources,
i. e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan


# 1.644 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.643 19-Dec-2014 reyk

Support source-hash and random with tables and dynifs; not just pools.
This finally allows to use source-hash for dynamic load balancing, e.g.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.

An older pre-siphash version of this diff was tested by many people.

OK tedu@ benno@


# 1.642 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.641 27-Oct-2014 mikeb

Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic. Reported by sthen@;
ok henning benno sthen


# 1.640 25-Oct-2014 lteo

Remove unnecessary netinet/in_systm.h include.

ok millert@


# 1.639 13-Sep-2014 doug

Replace all queue *_END macro calls except CIRCLEQ_END with NULL.

CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.

ok millert@


# 1.638 23-Aug-2014 pelikan

when you specify queues in a rule, make sure they have been defined.

DIOCADDRULE EBUSY turns into an error message that pfctl -n catches.
DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported
to occur, possibly from hfsc.c: this should be fixed as well.

ok henning mikeb sthen


# 1.637 21-Aug-2014 mikeb

deny "once" flags for match rules; ok henning


Revision tags: OPENBSD_5_6_BASE
# 1.636 02-Jul-2014 mikeb

branches: 1.636.4;
condition above makes this part of the check useless;
overlooked in the previous commit


# 1.635 30-Jun-2014 mikeb

Merge two loops in collapse_redirspec into one

This lets us do the checks only once and also make smarter decisions
about the rule's own address family. As a result af-to rules no longer
need to specify the address family after 'pass'.

ok henning


# 1.634 25-Jun-2014 mikeb

Make stricter decisions when handling translation specifications.

In particular, disallow specifications containing addresses of
different address families when the rule doesn't specify one, for
example "pass out nat-to { ::1 1.1.1.1 }" will now produce an
error instead of silently picking one of the addresses.

sthen and deraadt agree


# 1.633 17-May-2014 bluhm

When parsing a numerical value for the TOS bits, make sure that it
is in a valid range.
OK henning@


# 1.632 19-Apr-2014 henning

remove altq bits here, too
(i was convinced i committed that yesterday already, hrm)


Revision tags: OPENBSD_5_5_BASE
# 1.631 22-Jan-2014 henning

branches: 1.631.4;
relax the cfg file secrecy check slightly to allow group readability;
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.630 21-Jan-2014 henning

if_item can be "any" now.
allows things like
block out on $someif received-on any
to prevent packets from getting forwarded to $someif


# 1.629 20-Jan-2014 henning

support "!received-on <interface>", ok dlg benno


# 1.628 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.627 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


# 1.626 17-Oct-2013 henning

cannot have queue definitions inside anchors.
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@ring0.de>, analysis & fix yours truly


# 1.625 12-Oct-2013 henning

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen


# 1.624 01-Aug-2013 mikeb

Provide local implementations of if_nametoindex(3) and if_indextoname(3)
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance wise this change provides a speed up
factor of 20 with an 11k line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).

"wow!" henning, ok benno, florian


Revision tags: OPENBSD_5_4_BASE
# 1.623 01-Jun-2013 henning

branches: 1.623.2;
remove set-tos backwards compat, moved into the set {} block a year ago
ok ryan


# 1.622 02-Mar-2013 sthen

When a PF rule contains 'set tos' *followed by* a scrub option, the tos
value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning


Revision tags: OPENBSD_5_3_BASE
# 1.621 16-Jan-2013 henning

for consistency with prio etc, the queue assignment really belongs
into the set block. so make pfctl accept, print and the manpage document
. match set queue foo
instead of
. match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc


# 1.620 18-Oct-2012 reyk

Disallow tables and interface address pools for rdr-to, nat-to and
route-to with any other scheduling algorithms than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, eg. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.

Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.

ok zinke@


# 1.619 18-Sep-2012 henning

prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb


Revision tags: OPENBSD_5_2_BASE
# 1.618 10-Jul-2012 bluhm

Allow an implicit address family for af-to rules. If the address
family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6"
there.
OK henning@ mikeb@


# 1.617 10-Jul-2012 henning

set { ... } -> set ( ... )
brought up by ryan, discussed with him and theo and they convinced me


# 1.616 09-Jul-2012 henning

fix some of the confusion we have in pf regarding filter criteria vs
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler


# 1.615 07-Jul-2012 henning

remove incorrect check in pfctl preventing set-tos for ipvshit.
the kernel has code to deal with set-tos and that crap. don't ask for
details. stuart ok


# 1.614 07-Jul-2012 henning

rename prio in struct pf_rule and related structs to set_prio so it is
utterly clear this is not a filter criterion but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc


Revision tags: OPENBSD_5_1_BASE
# 1.613 19-Dec-2011 mikeb

unbreak rule optimizer; ok henning, looks


# 1.612 12-Dec-2011 mikeb

fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault


# 1.611 03-Dec-2011 mcbride

pfctl_set_hostid always returns 0; don't pretend otherwise and make it a
void function instead.

ok dlg


# 1.610 13-Oct-2011 claudio

pfctl change for af-to / NAT64 support.
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@


# 1.609 07-Sep-2011 haesbaert

Avoid possible SIGSEGV when a wrong tos option is given.


# 1.608 30-Aug-2011 mikeb

One shot rules can be used in pf.conf by specifying a "once" filter option.

ok henning, mcbride


Revision tags: OPENBSD_5_0_BASE
# 1.607 29-Jul-2011 mcbride

Remove requirement to quote 'debug' loglevel for the 'debug' option.

ok henning


# 1.606 27-Jul-2011 mcbride

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt


# 1.605 13-Jul-2011 mcbride

Force user to specify protocol when filtering on user, gid, and os
attributes (this is now required by pf_rule_test()).

ok sthen henning


# 1.604 08-Jul-2011 henning

allow rules to specify "prio X" or "prio (X, Y)" to assign priority levels
for the new priority queueing implementation. valid range is 0 to 7. the old
trick for prioritizing empty ACKs etc remains thru the latter notation
ok ryan mpf sthen plus pea testing and halex and claudio reading


# 1.603 07-Jul-2011 mcbride

Fold pf_test_fragment() into pf_test_rule(), reduces code and fixes
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus


# 1.602 04-Jul-2011 henning

bye bye require-order.
i added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo


# 1.601 03-Jul-2011 henning

g/c RIO traces (aka clean up after tedu :))


# 1.600 03-Jul-2011 zinke

bring in least-states load balancing algorithm

ok mcbride@ henning@


# 1.599 06-Apr-2011 claudio

Userland bits to allow PF to filter on the rdomain a packet belongs to.
This allows writing rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@


# 1.598 05-Apr-2011 mikeb

ditch fastroute, an ipf feature that made its way into pf before
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do. reuse some kernel bits for the upcoming nat64
stuff. "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.


Revision tags: OPENBSD_4_9_BASE
# 1.597 31-Dec-2010 bluhm

According to pf_scrub_ip6() pf does not support the scrub options
no-df, random-id, set-tos for IPv6 rules. Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@


# 1.596 15-Dec-2010 henning

make the "invalid probability:" yyerror suck less
From: Thomas Pfaff <tpfaff@tp76.info>


# 1.595 01-Dec-2010 jsg

remove some unused tokens
ok henning@ mcbride@


# 1.594 24-Sep-2010 henning

remove the check that enforced rdr-to only inbound and nat-to only outbound.
both now can be used in both directions. the kernel allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given, a rule with rdr-to and/or nat-to
and no direction is pretty certainly an error (although it would work,
technically)
ok ryan claudio dlg


# 1.593 22-Sep-2010 henning

new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually


# 1.592 02-Sep-2010 sobrado

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@


Revision tags: OPENBSD_4_8_BASE
# 1.591 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.590 03-Jul-2010 mcbride

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.

tested by phessler
ok henning


# 1.589 23-Mar-2010 henning

remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving anchors aside) is wrong and
conflicts with the general idea of how pf works. last but not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc


Revision tags: OPENBSD_4_7_BASE
# 1.588 13-Jan-2010 deraadt

Move tokens before productions into more consistent places
ok mcbride


# 1.587 13-Jan-2010 mcbride

Allow /netmask notation in redir spec, fix the rest of the regress
tests for illegal conditions in translation/routing.


# 1.586 12-Jan-2010 mcbride

We actually have to keep the translate/route spec addresses around after
collapsing into tables, so that we can handle all possible address family
expansions.


# 1.585 12-Jan-2010 mcbride

Set roundrobin flag correctly, and don't treat a bare interface
like a dynamic one in the routespec.


# 1.584 12-Jan-2010 mcbride

Add restrictions to make @if illegal outside of routing specs;
Fix binat-to sanity checks.


# 1.583 12-Jan-2010 mcbride

Fix some issues in redir spec handling, discovered thanks to dlg testing
- purge irrelevant addresses from the lists before collapsing
- ensure the lists are freed after they're collapsed
- more careful ifname copying, avoiding double-free / use-after-free traps


# 1.582 12-Jan-2010 mcbride

Don't leak @if0 format routing host names, pointed out by claudio.


# 1.581 12-Jan-2010 mcbride

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio


# 1.580 10-Jan-2010 deraadt

lex <=, >=, and != into a single token for correctness and to reduce the
lookahead in the parser
ok henning otto


# 1.579 10-Jan-2010 deraadt

In the non-optimized case, an address list containing "any" (ie. { any 10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1. How long this bug has
been with us is unclear.
ok guenther mcbride


# 1.578 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


# 1.577 24-Dec-2009 dlg

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:

pass out on em0 from $foo to $bar received-on fxp0

i've been running this in production for a week now. i find it particularly
useful with interface groups.

no objections, and a few "i like"s from henning, claudio, deraadt, mpf


# 1.576 10-Dec-2009 deraadt

plug some memory leaks; found by parfait, ok henning


# 1.575 22-Nov-2009 henning

cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing


# 1.574 09-Nov-2009 jsg

A few more places to be updated for the route pool change.
expanded version of a diff from Vadim Zhukov.

ok henning@ claudio@


# 1.573 28-Oct-2009 jsg

Add a dedicated pf pool for route options as suggested by henning,
which unbreaks ie route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@


# 1.572 28-Oct-2009 claudio

route_host initializes the netmask to a /128 no matter what af is used so
that the load balancing code does not freak out but because of this
check_netmask() is now complaining. So set the addr.type to PF_ADDR_DYNIFTL
so check_netmask() is fixing up the netmask for IPv4 and stops complaining.
This is a partial fix for the failing regress test 13.
found with jsg, looks good henning


# 1.571 28-Oct-2009 claudio

Correct function name in err and errx.


# 1.570 04-Oct-2009 michele

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who spotted the limitations of this approach.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@


# 1.569 08-Sep-2009 michele

I did not have enough oks to commit this diff.
Sorry.


# 1.568 08-Sep-2009 michele

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.


# 1.567 07-Sep-2009 reyk

implement binat-to as a macro-like rule: a rule using the new binat-to
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. this simplifies the migration from old
binat rules and is less error-prone.

feedback from many, manpage bits from jmc@
ok henning@


# 1.566 03-Sep-2009 reyk

this time i commit the right diff that was
ok henning@ (sorry)


# 1.565 03-Sep-2009 reyk

fix two route-to vs. rdr-to conflicts.

found by sthen@
ok henning@


# 1.564 02-Sep-2009 reyk

all the new *-to options are part of the "filteropts" section at the
end of a pf rule (nat-to, divert-to, rdr-to, ...). take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.

for example,
pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)

many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@


# 1.563 01-Sep-2009 henning

the diff theo calls me insanae for:
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too


# 1.562 28-Jul-2009 claudio

Bring back rev. 1.560:
Make it possible to use DiffServ Code Point in the TOS fields.
Requested by deraadt@


# 1.561 27-Jul-2009 deraadt

When will people learn to commit their .h file changes?


# 1.560 27-Jul-2009 claudio

Make it possible to use DiffServ Code Point in the TOS fields. Names like
af11, cs6 and ef will now be mapped to the corresponding TOS value.
OK henning@, sthen@, mcbride@


Revision tags: OPENBSD_4_6_BASE
# 1.559 14-May-2009 sthen

actually change the require-order default to No; I missed a part with
my last commit. ok deraadt@


# 1.558 26-Apr-2009 sthen

switch the require-order default to "no". regression tests still pass.
ok henning@ deraadt@


# 1.557 25-Apr-2009 henning

scrub_opts must not be empty, scrub on its own does nothing.
noticed due to a question from otto@, ok regress/sbin/pfctl/ ;)


# 1.556 06-Apr-2009 henning

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.
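The pass/block, queue and logging semantics of match rules spelled out above (and the "which subsequent rules match" view that the later log(matches) option gives) are easier to see in a toy evaluator. The following is an added example written for this page, not pfctl or pf code; the Rule/Verdict types, the dict-based criteria and the sample rulesets are constructed for illustration.

```python
"""Toy model of the 'match' rule semantics described in the commit
message above (constructed for illustration; not pfctl's or pf's code).

A ruleset is a list of Rule objects evaluated in order against a packet.
The last matching pass/block rule decides the verdict, a 'match' rule
never changes the verdict, and packet-modifying options (queue, rtable)
are applied every time a rule matches, so the last matching rule that
actually *set* one wins.  Every matching rule with 'log' logs once.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Rule:
    action: str                                   # "pass", "block" or "match"
    criteria: Dict[str, str] = field(default_factory=dict)  # e.g. {"proto": "tcp"}
    quick: bool = False
    log: bool = False
    queue: Optional[str] = None
    rtable: Optional[int] = None


@dataclass
class Verdict:
    action: str = "pass"                          # pf passes when nothing matches
    queue: Optional[str] = None
    rtable: Optional[int] = None
    log_count: int = 0                            # times the packet was logged
    matched: List[int] = field(default_factory=list)  # indices of matching rules


def rule_matches(rule: Rule, packet: Dict[str, str]) -> bool:
    """A rule matches when every criterion equals the packet's field.
    An empty criteria dict matches everything (like a bare 'pass')."""
    return all(packet.get(k) == v for k, v in rule.criteria.items())


def evaluate(ruleset: List[Rule], packet: Dict[str, str]) -> Verdict:
    v = Verdict()
    for i, rule in enumerate(ruleset):
        if not rule_matches(rule, packet):
            continue
        v.matched.append(i)
        # Every matching rule, match or pass/block, applies its options and logs.
        if rule.queue is not None:
            v.queue = rule.queue
        if rule.rtable is not None:
            v.rtable = rule.rtable
        if rule.log:
            v.log_count += 1
        if rule.action == "match":
            continue                              # never touches pass/block state
        v.action = rule.action                    # last matching pass/block wins ...
        if rule.quick:
            break                                 # ... unless it is 'quick'
    return v


if __name__ == "__main__":
    # Constructed ruleset: a match rule assigns a queue, the final pass does not.
    rules = [
        Rule("match", {"proto": "tcp"}, queue="bulk", log=True),
        Rule("pass", {"proto": "tcp"}, log=True),
    ]
    print(evaluate(rules, {"proto": "tcp"}))      # queue stays "bulk", logged twice
```

The point the evaluator makes explicit: the queue comes from the match rule even though the last matching rule is the pass rule without a queue, and a packet that hits two logging rules is logged twice.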


Revision tags: OPENBSD_4_5_BASE
# 1.555 19-Feb-2009 deraadt

spacing


# 1.554 17-Oct-2008 henning

in findeol(), do not skip the pushback buffer. fixes PR 5952 by sthen@ and
should make the pushback buffer really transparent.
diagnosis by me, fix with mpf, some input deraadt, ok mpf


# 1.553 02-Oct-2008 henning

implement "set state-defaults X", where X is a list of state options as
permitted keep state(X). applies to all rules which do not have keep state
explicitly. e. g. "set state-defaults pflow, no-sync"
ok phessler deraadt


# 1.552 10-Sep-2008 deraadt

do not try to print $$ when it has not been set


# 1.551 09-Sep-2008 henning

welcome pflow(4), a netflow v5 compatible flow export interface.
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo


# 1.550 07-Aug-2008 henning

correctly copy the log interface spec when expanding an antispoof rule that
covers loopback addresses. ok ryan
problem report from Harald Dunkel <harald.dunkel@aixigo.de>


Revision tags: OPENBSD_4_4_BASE
# 1.549 03-Jul-2008 deraadt

do not forget to initialize other member of $$ in qname; noted by mark shroyer
ok henning


# 1.548 10-Jun-2008 mcbride

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt


# 1.547 10-Jun-2008 henning

new state option "sloppy" to use the sloppy tcp state tracker instead
of the good one. ok theo ryan reyk


# 1.546 09-May-2008 deraadt

Replace a crockpot of semi-cloned productions for handling port
numbers with one, and fix a few other bugs along the way
ok mpf henning


# 1.545 09-May-2008 markus

convert port byte order in the production; add port keyword; ok deraadt@


# 1.544 09-May-2008 markus

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@


# 1.543 08-May-2008 deraadt

make "to any" optional in binat, or well, the implied default.
requested by reyk, ok reyk mpf


# 1.542 08-May-2008 deraadt

Loosen grammar to permit any number of newlines within most kinds of { }
blocks, as requested by reyk; ok reyk mpf henning


# 1.541 08-May-2008 deraadt

Bring back (in a more yacc friendly way) support for setting variables
to a sequence of strings and numbers, which get folded together into one
string (and later, when used, is re-lexed)
ok mpf


# 1.540 07-May-2008 deraadt

do not assume PF_INOUT is 0 in the enum; ok mcbride


# 1.539 07-May-2008 markus

scrub packets based on tags; ok henning


# 1.538 07-May-2008 markus

allow setting TOS with scrub; ok mcbride, claudio


# 1.537 21-Apr-2008 deraadt

optnl is a crutch for those who do not understand yacc. it
leads to a variety of errors; ok mcbride


Revision tags: OPENBSD_4_3_BASE
# 1.536 01-Feb-2008 mcbride

Enable the rest of the filter_opts to be used on anchors. These were accepted
by the parser but not passed to the kernel. This allows filtering based on
uid, gid, icmp options, tcp flags, os fingerprint, tos, tags, and probability;
It also allows the label to be set. State options and tagging are not
permitted.

ok henning mpf


# 1.535 13-Nov-2007 mpf

Bring back the number converter for 'set hostid'.
I forgot to think about hex numbers when I removed it.
OK deraadt@


# 1.534 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.533 25-Oct-2007 mpf

Fix probability rules w/ numbers (e.g. probability 0.4).
Add support for probabilities of 0% and 100%.
With and OK deraadt@


# 1.532 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.531 22-Oct-2007 deraadt

pfctl does not need file secrecy


# 1.530 16-Oct-2007 mpf

Allow unquoted numbers in variables.
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.

OK deraadt@


# 1.529 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.528 13-Oct-2007 deraadt

support an include directive; file of course must also be "secure" like
the main configuration file; ok henning


# 1.527 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.526 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.525 01-Oct-2007 mpf

Backout NUMBER to string conversion.
Requested by deraadt@


# 1.524 27-Sep-2007 mpf

Add loginterface support for groups.
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.

OK henning@, markus@


# 1.523 23-Sep-2007 mpf

Allow numbers to be used as unquoted strings again.
While there, also restrict the use of concatenated, unquoted
strings for variable assignments only.

Eyeballed by markus@, OK henning@


# 1.522 12-Sep-2007 deraadt

add a missing range check for rtable ids; ok cloder henning


# 1.521 12-Sep-2007 deraadt

Add support to the lex for parsing numbers out of the stream. handle
this in the parser. because the new numbers are int64_t, many new
range checks for < 0 are needed. re-check and improve all the
existing rangechecks while at it. thanks for help by cloder and
dhartmei


# 1.520 30-Aug-2007 dhartmei

add support for address ranges ("from 10.1.2.50 - 10.1.3.75") in from/to
criteria. ok mcbride@


Revision tags: OPENBSD_4_2_BASE
# 1.519 21-Jun-2007 henning

always initialize logif, from max laier, ok ryan


# 1.518 20-Jun-2007 mpf

Allow "log" for nat rules without "pass".
OK henning@, ``passt scho'' markus@


Revision tags: OPENBSD_4_1_BASE
# 1.517 03-Feb-2007 dhartmei

in decide_address_family(), only limit a rule to a specific address family
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@


# 1.516 07-Nov-2006 mcbride

Unbreak authpf by handling non-inline anchors separately from the { } anchors
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.

ok deraadt@


# 1.515 31-Oct-2006 mcbride

Allow pfctl ruleset optimizer to be controlled from the ruleset.

"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]

You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.

cleanup and ok henning@


# 1.514 31-Oct-2006 mcbride

- don't allow anchors with _* names to be cleared or loaded from the
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified

'looks sensible' deraadt@


# 1.513 28-Oct-2006 mcbride

Load all rules into memory before loading into the kernel, and add support
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").

anchor on fxp0 {
pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@


# 1.512 25-Oct-2006 henning

make absolutely sure logif is 0 unless set specifically, even if log is 0.
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...


# 1.511 25-Oct-2006 henning

and another nit, $$.log should be set to 0 explicitly on quick without log


# 1.510 25-Oct-2006 henning

urgs, $$.quick needs to be set to 0 explicitly on log (without quick)


# 1.509 25-Oct-2006 henning

allow the log interface to be selected like
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride


# 1.508 17-Oct-2006 mcbride

Don't automatically set 'flags S/SA' on stateless rules.

pointed out by david@

ok mpf@ dhartmei@


# 1.507 11-Oct-2006 deraadt

quotes around filename, pr 5253, sthen@zephyr.spacehopper.org


# 1.506 11-Oct-2006 mcbride

Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside
the anchor, terminate ruleset evaluation when stepping out of the anchor.

This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.

ok dhartmei@ henning@ deraadt@


# 1.505 06-Oct-2006 mcbride

Oops, flags S/SA doesn't work on fragments.


# 1.504 06-Oct-2006 mcbride

Make 'flags S/SA keep state' the implicit for filter rules, based on
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.

IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.

Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.

ok dhartmei@ deraadt@ henning@


Revision tags: OPENBSD_4_0_BASE
# 1.503 22-Aug-2006 dhartmei

back out -r1.497 (support for "tagged {}" lists), it broke "tagged" support
for nat rules. sorry, existing functionality trumps syntactic sugar. feel
free to resubmit a complete patch. closes PR 5207.


# 1.502 06-Jul-2006 henning

add "rtable" to select alternate routing tables.
with & ok claudio hshoexer


# 1.501 17-Jun-2006 henning

KNF


# 1.500 28-May-2006 mcbride

Make per-rule adaptive timeouts behave the same way as the global adaptive
timeouts.


# 1.499 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.498 02-May-2006 dhartmei

fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, create
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.


# 1.497 01-May-2006 dhartmei

add support for "tagged {}" lists, from Pierre-Yves Ritschard


# 1.496 06-Apr-2006 henning

allow lists inside lists for address specs, has been in my tree for
quite some time... theo likes


# 1.495 14-Mar-2006 djm

implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@
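To show why the uRPF check above is an ingress filter only under symmetric routing, here is an added example written for this page (not pf's kernel code): a longest-prefix-match lookup over a constructed routing table, and the check that the interface holding the route back to a packet's source is the interface the packet came in on. The table contents, interface names and sample packets are all made up for the illustration.

```python
"""Toy model of the Unicast Reverse Path Forwarding check described above
(constructed for illustration; not pf's kernel code).

A packet passes the check only if the route back to its source address
leaves through the interface the packet arrived on.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed routing table: (destination prefix, outgoing interface).
ROUTES: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "em0"),           # default route towards the Internet
    ("192.168.1.0/24", "em1"),      # internal LAN
    ("10.0.0.0/8", "em2"),          # internal VPN range
]


def route_lookup(table: List[Tuple[str, str]], addr: str) -> Optional[str]:
    """Longest-prefix match; returns the outgoing interface or None."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Tuple[int, str]] = None
    for prefix, ifname in table:
        net = ipaddress.ip_network(prefix)
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, ifname)
    return best[1] if best else None


def urpf_ok(table: List[Tuple[str, str]], src: str, ingress_if: str) -> bool:
    """True when the route back to src leaves via the ingress interface."""
    return route_lookup(table, src) == ingress_if


def urpf_filter(table: List[Tuple[str, str]], packets: List[Tuple[str, str]]):
    """Return the (src, ingress interface) packets the check would drop."""
    return [(src, ifname) for src, ifname in packets if not urpf_ok(table, src, ifname)]


if __name__ == "__main__":
    # Constructed packets: a LAN address arriving from the Internet side fails.
    sample = [("192.168.1.5", "em1"), ("192.168.1.5", "em0"), ("8.8.8.8", "em0")]
    print(urpf_filter(ROUTES, sample))   # only ("192.168.1.5", "em0") is dropped
```

The second packet shows the intended effect: a source claiming to be on the internal LAN but arriving on the Internet-facing interface is rejected. The same logic also shows the caveat from the commit message: if a legitimate peer is reached through em0 but its traffic arrives on em2 (asymmetric routing), the lookup still points at em0 and the packet is dropped, so the check only fits symmetric topologies.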


Revision tags: OPENBSD_3_9_BASE
# 1.494 17-Nov-2005 dhartmei

for pfctl -f rules, open the file before resetting options. when opening
the file fails, produce only the error message and leave options
unchanged. reported by Tamas TEVESZ, ok deraadt@


# 1.493 13-Oct-2005 henning

unused parameters


Revision tags: OPENBSD_3_8_BASE
# 1.492 14-Jun-2005 henning

no need to restrict tagging to stateful rules any more, dhartmei ok
From: "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.491 27-May-2005 dhartmei

get rid of 'log-all'. now that we have 'log (options)', make 'all' an
option to log. so, 'log-all' becomes 'log (all)'.


# 1.490 27-May-2005 dhartmei

get rid of shift/reduce conflicts, don't support empty logopts


# 1.489 27-May-2005 dhartmei

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v are used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.


# 1.488 27-May-2005 dhartmei

allow 'tagged' in 'anchor' rules (without complaining about missing
'keep state'), as a condition to branch into the anchor. suggested
by Bill Marquette.


# 1.487 26-May-2005 camield

The illegalness of "no nat log" is already enforced by the grammar.

ok dhartmei


# 1.486 26-May-2005 dhartmei

support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@


# 1.485 23-May-2005 camield

remove code that duplicates getservice()

ok dhartmei mcbride


# 1.484 21-May-2005 henning

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo


# 1.483 22-Apr-2005 camield

Catch bad flags, ie. flags that always evaluate to false. This happens
if there are flags on the left-hand side that are masked off by the
right-hand side.

ok mcbride@ (long time ago) dhartmei@ henning@
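Added example for the check described in this entry; it is not pfctl's code and not the author's. It assumes only the pf.conf "a/b" and "/b" flag spellings (a bare "flags S" form is not modelled), and parse_flags(), check_flagspec(), tcp_flags_match() and the two wrappers are the example's own names:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP flag letters in header bit order: letter i is bit (1 << i) */
static const char tcpflags[] = "FSRPAUEW";

/*
 * parse_flags(): turn the flag letters in [s, end) (or up to NUL when
 * end is NULL) into a bitmask.  Returns -1 on an unknown letter.
 */
static int
parse_flags(const char *s, const char *end)
{
	const char *p;
	int bits = 0;

	for (; *s != '\0' && s != end; s++) {
		if ((p = strchr(tcpflags, *s)) == NULL)
			return (-1);
		bits |= 1 << (p - tcpflags);
	}
	return (bits);
}

/*
 * check_flagspec(): parse "a/b" or "/b" into flags/mask.  Returns 0 for
 * a usable spec, -1 for a syntax error, and 1 when the spec can never
 * match: a flag required set in 'a' but absent from the mask 'b' is
 * masked off before the comparison, so the rule is dead.
 */
int
check_flagspec(const char *spec, uint8_t *flags, uint8_t *mask)
{
	const char *slash;
	int f, m;

	/* only the a/b and /b spellings are modelled in this example */
	if ((slash = strchr(spec, '/')) == NULL)
		return (-1);
	if ((f = parse_flags(spec, slash)) < 0 ||
	    (m = parse_flags(slash + 1, NULL)) < 0)
		return (-1);
	*flags = (uint8_t)f;
	*mask = (uint8_t)m;
	return ((f & ~m) != 0 ? 1 : 0);
}

/* tcp_flags_match(): the comparison made against a packet's th_flags */
int
tcp_flags_match(uint8_t th_flags, uint8_t flags, uint8_t mask)
{
	return ((th_flags & mask) == flags);
}

/* wrappers that return a single value: status, or (flags << 8) | mask */
int
flagspec_status(const char *spec)
{
	uint8_t f, m;

	return (check_flagspec(spec, &f, &m));
}

int
flagspec_bits(const char *spec)
{
	uint8_t f, m;

	if (check_flagspec(spec, &f, &m) < 0)
		return (-1);
	return ((f << 8) | m);
}

int
main(void)
{
	/* constructed specs: usable, usable, dead, and a syntax error */
	const char *specs[] = { "S/SA", "/SA", "SA/S", "S/SX" };
	size_t i;

	for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++) {
		switch (flagspec_status(specs[i])) {
		case 0:
			printf("%-5s ok, flags/mask 0x%04x\n", specs[i],
			    flagspec_bits(specs[i]));
			break;
		case 1:
			printf("%-5s can never match\n", specs[i]);
			break;
		default:
			printf("%-5s syntax error\n", specs[i]);
		}
	}
	return (0);
}
```

"SA/S" is the dead case: the A bit is required set but the mask drops it before the comparison, so tcp_flags_match() is false for every packet, which is what a parser should reject at load time rather than silently install.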


Revision tags: OPENBSD_3_7_BASE
# 1.482 07-Mar-2005 henning

print unsigned long with %lu, not with %d and not with %ld.
From: Andrey Matveev <andrushock@korovino.net>


# 1.481 06-Mar-2005 henning

allow commas in the hfsc service curve spec, inconsistency pointed out in
PR4134 / geoff@collyer.net and a longer mail exchange with han boetes


# 1.480 06-Mar-2005 dhartmei

print "set skip on" with -v in such a way that the output is valid input
syntax, instead of the cryptic hex flags output.


# 1.479 27-Feb-2005 dhartmei

support 'tagged' in translation rules, non-delayed tag lookup
ok henning@, deraadt@


# 1.478 26-Feb-2005 henning

you sure get the impression the number of memory leaks in error paths
is infinite... Andrey Matveev <andrushock@korovino.net> spotted a few again!


# 1.477 07-Feb-2005 david

KNF; ok henning@


# 1.476 28-Jan-2005 dhartmei

add messages for syntax errors that caused silent failure before.
found by Peter Fraser, ok henning@


# 1.475 27-Jan-2005 dhartmei

dynamic interface names must start with a letter. catches the nonsensical
"(10.1.2.3)" that results from a simple typo like "$(ext_ip)" instead of
"$(ext_if)".


# 1.474 05-Jan-2005 mcbride

Modify pfctl behaviour so that 'set ...' options are no longer "sticky", ie.
they are reset to default values if omitted from a subsequent ruleset load.
Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set
without resetting the others, eg:
# echo "set loginterface fxp0" | pfctl -mf -

ok henning@ dhartmei@


# 1.473 29-Dec-2004 mcbride

Print 'set fingerprints' correctly when parsing verbosely.


# 1.472 23-Dec-2004 dhartmei

set rule_flag PFRULE_SRCTRACK when setting srctrack, found by camield@
using regress test pf84


# 1.471 22-Dec-2004 dhartmei

Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@


# 1.470 15-Dec-2004 henning

missing free()s; with pat


# 1.469 10-Dec-2004 henning

allow pf to filter on route labels
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan


# 1.468 08-Dec-2004 mcbride

Add "'overload' requires 'max-src-conn' or 'max-src-conn-rate'" sanity check,
fix some cut-n-paste mayhem in other related checks.


# 1.467 07-Dec-2004 dhartmei

re-commit mcbride@'s 'flush global', this time without the breakage in
pfvar.h. builds kernel and userland.


# 1.466 07-Dec-2004 deraadt

real backout


# 1.465 07-Dec-2004 deraadt

oops, incomplete backout


# 1.464 07-Dec-2004 deraadt

tree does not compile, spotted by dlg (not obvious how to fix)
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.463 07-Dec-2004 mcbride

Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.462 05-Dec-2004 dhartmei

initialize $$->tail and $$->next for MAXSRCCONNRATE


# 1.461 04-Dec-2004 mcbride

Userland support for limiting open tcp connections per source. eg:

keep state (max-src-conn 1000, max-src-conn-rate 100/10, overflow <bad> flush)

allow a maximum of 1000 open connections or 100 new connections in 10 seconds.
The addresses of offenders are added to the <bad> table which can be used in
the ruleset, and existing states from that host are flushed.

ok deraadt@ dhartmei@


# 1.460 21-Sep-2004 aaron

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok


Revision tags: OPENBSD_3_6_BASE
# 1.459 29-Jun-2004 henning

remove cedric's bogus interface name verification code.
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nice enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being bugged to regularly.
help & ok mcbride@


# 1.458 29-Jun-2004 frantzen

convert a few memcpy()s to strlcpy() so we don't copy uninitialized junk into
an interface name's slack space past the \0. will be needed for the optimizer.
ok henning@


# 1.457 26-Jun-2004 david

add back PF_INOUT, fixes reassemble tcp
ok canacar@ mcbride@


# 1.456 25-Jun-2004 deraadt

repair tree nanobreak by the nanobum


# 1.455 10-Jun-2004 dhartmei

rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
keyword in C++. ok henning@, cedric@


# 1.454 21-May-2004 dhartmei

Use '/' instead of ':' as separator for anchor path components. Note that
the parser now needs quotes around paths containing separators.
ok mcbride@


# 1.453 19-May-2004 dhartmei

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@


# 1.452 24-Apr-2004 cedric

Add "probability xxx" rule modifier. ok deraadt@


# 1.451 22-Apr-2004 henning

typo, From: Jared Yanovich <jjy2+@pitt.edu>


# 1.450 14-Apr-2004 cedric

make antispoof work with dynamic addresses. ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_5_BASE
# 1.449 20-Mar-2004 david

spelling fix; ok dhartmei@ henning@ deraadt@


# 1.448 14-Mar-2004 dhartmei

#include fixes, from Max Laier, ok beck@ henning@


# 1.447 08-Mar-2004 henning

plug 124 memory leaks
ok mcbride@ pb@ dhartmei@


# 1.446 06-Mar-2004 henning

from bgpd:
plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		err(1, "yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.445 01-Mar-2004 dhartmei

support "tagged <name>" on anchor rules, suggested by vd@vmunix.lt,
ok henning@, cedric@


# 1.444 24-Feb-2004 mcbride

'max-src-nodes' requires 'source-track rule'. Set that automatically,
unless 'source-track global' is explicit, in which case error out. Lots of
help from cedric@.

ok cedric@ henning@


# 1.443 24-Feb-2004 cedric

fixup.


# 1.442 24-Feb-2004 mcbride

Check for 'source-track rule' with 'max-src-nodes'.

ok cedric@ henning@


# 1.441 11-Feb-2004 cedric

Fix interface clobbering for link-local addresses. Found by Pyun YongHyeon.
Fix "antispoof for foo" when foo has no addresses.
ok+help dhartmei@, ok mcbride@


# 1.440 10-Feb-2004 henning

KNF


# 1.439 10-Feb-2004 henning

fix at least the worst of Cedric "KNF is for everybody but me" Berger's fuckup


# 1.438 04-Feb-2004 mcbride

Handle rules like 'pass ... proto { tcp udp icmp } ... modulate state'

ok dhartmei@ henning@


# 1.437 03-Feb-2004 henning

fix PR 3664 / jared r r spiegel
we need to save the unexpanded tag/tagged strings before entering the
expansion loop, and at each loop, start with the unexpanded tag, so that
on subsequent loops the macros are replaced with current values and not
the values from previous loop persist
ryan theo ok


# 1.436 05-Jan-2004 henning

few off by ones in strlcpy overflow check; Patrick Latifi


# 1.435 04-Jan-2004 cedric

don't ignore "!" on "binat on !foo". ok mcbride@


# 1.434 31-Dec-2003 deraadt

spacing. note this, cedric


# 1.433 31-Dec-2003 cedric

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to groups of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@


# 1.432 30-Dec-2003 henning

fix TAILQ abuse.
TAILQ_REMOVE is a no-no within a TAILQ_FOREACH loop.
also free the symbol itself after removal.
all found while hacking bgpd which incorporates pfctl's sym code (macros).

ok cedric@


# 1.431 19-Dec-2003 henning

i wrote much of these, assert my copyright


# 1.430 19-Dec-2003 deraadt

assert copyright. i rewrite much of this


# 1.429 16-Dec-2003 mcbride

Check that max-src-states and max-src-nodes are not being set to 0.


# 1.428 15-Dec-2003 henning

KNF here too


# 1.427 15-Dec-2003 mcbride

Whitespace.


# 1.426 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


# 1.425 15-Dec-2003 mcbride

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@


# 1.424 29-Nov-2003 dhartmei

allow ':' (range including boundaries) to be used wherever '><' (range
excluding boundaries) is legal. already supported by kernel, requires only
removal of three error messages. ok henning@


# 1.423 22-Nov-2003 henning

daniel stumbled over a broken regress test, and it turned out that I forgot
to commit a diff from 11/6...
do not insert the "block in on ! interface" rule for antispoof statements when
the interface in question does not have any IP address, because that then
expands to
block in on ! interface all
which is obviously bad.
niklas@ found it, dhartmei@ ok, and I think some more ppl ok I don't remember


# 1.422 14-Nov-2003 henning

allow the debuglevel to be set from pf.conf (set debug)

ok cedric@


# 1.421 08-Nov-2003 mcbride

Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.

pass in proto tcp to self flags S/SA keep state (no-sync)

ok cedric@ henning@ dhartmei@


# 1.420 06-Nov-2003 henning

and fix two err() that should be errx() while being here


# 1.419 06-Nov-2003 henning

need calloc here


# 1.418 06-Nov-2003 henning

allow the label macros to be used in tags as well.
the idea is not mine and I'd love to get credit, but I cannot find the mail
any more :-((

ok canacar@ dhartmei@


# 1.417 21-Oct-2003 itojun

don't use NULL as (int)0. henning ok


# 1.416 26-Sep-2003 cedric

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:

- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK

Ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_4_BASE
# 1.415 01-Sep-2003 henning

KNF


# 1.414 28-Aug-2003 kjell

This change is busted. what's worse, REGRESSION TESTS WOULD HAVE CAUGHT IT!
You MUST test network stack changes on BOTH BYTE-ORDERS.
Someone can fix this later, but right now I need to get the damn
firewall up. Grr.


# 1.413 26-Aug-2003 dhartmei

catch port/user/group a <>/>< b with a >= b, from mpech@


# 1.412 25-Aug-2003 dhartmei

catch return-rst ttl values > 255, from aaron@


# 1.411 24-Aug-2003 cedric

Tweaks:
- Make sure we allow only tables in round-robin pools for routing options,
same as what we do for translation rules.
- Don't reject rules like: "nat on sis0 -> <foo>" because
"no address family is given". This is perfectly valid.
ok henning@


# 1.410 22-Aug-2003 david

pf spelling police
ok dhartmei@ jmc@


# 1.409 21-Aug-2003 frantzen

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
	block proto tcp from any os SCO
	block proto tcp from any os Windows to any port smtp
	rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001


# 1.408 20-Aug-2003 henning

braindeadness police: catch queues which specify itself as child... 'nuff said


# 1.407 20-Aug-2003 henning

err out nicer on errors in queue def


# 1.406 18-Aug-2003 dhartmei

catch max-mss values > 65535, report by Gregory Steuck


# 1.405 09-Aug-2003 cedric

This patch removes the restriction that tables cannot be used in routing or
redirection rules...

The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.

This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.

Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"

ok henning@ mcbride@


# 1.404 29-Jul-2003 deraadt

indent


# 1.403 19-Jul-2003 cedric

Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
instead of indirectly through struct pf_rule_addr.

Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.

Needless to say: KERNEL/USERLAND SYNC REQUIRED.

ok henning@ mcbride@


# 1.402 18-Jul-2003 cedric

Simplify handling of flags (-R, -N...). Remove PFCTL_FLAG_ALL.
ok dhartmei@


# 1.401 15-Jul-2003 cedric

Repair memory management in table parsing code.
I need vacations.
Found and verified by Pyun YongHyeon.
ok dhartmei@


# 1.400 14-Jul-2003 dhartmei

tpo


# 1.399 11-Jul-2003 cedric

Better parsing and -v support for tables:

- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and bring table definition consistent with other
parsed rules.

ok dhartmei@


# 1.398 10-Jul-2003 cedric

Fix merging of host lists.
ok dhartmei@ henning@


# 1.397 04-Jul-2003 henning

KNF after cedric (grmpf)


# 1.396 04-Jul-2003 henning

allow for a "pass" modifier on translation rules:
nat pass on $ext_if from $a to $b -> $ext_if
when the pass modifier is given, the filter ruleset is _not_ evaluated but
the packets matching this translation rule are passed unconditionally.

ok dhartmei@ cedric@ markus@


# 1.395 03-Jul-2003 cedric

Bye bye atexit(), bye bye globals...
The pfctl.c part will probably need some further improvements.
ok henning@


# 1.394 03-Jul-2003 cedric

This patch finally cleans up pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@


# 1.393 19-Jun-2003 deraadt

knf


# 1.392 18-Jun-2003 henning

change expand_label_addr() to use a switch (h->addr.type) instead of
if .. else if .. else, and handle PF_ADDR_NOROUTE as well.
inspired by a comment from cedric.


# 1.391 18-Jun-2003 henning

when expanding the $srcaddr/$dstaddr label macros and the address is actually
a table reference, don't print nonsense but the table name.
found by claudio jeker, fix by me, agreement by cedric


# 1.390 09-Jun-2003 mcbride

Attempt to resolve byte order confusion in nat code once and for all.

- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()

NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.


# 1.389 25-May-2003 henning

must not run check_netmask() before remove_invalid_hosts() - binat case had it
wrong for the redirection target.
reported by jared r r spiegel <jrrs@ice-nine.org>


# 1.388 19-May-2003 henning

reject invalid netmasks like 10.0.0.0/68, and fix up the netmask for
dynaddr rules after we know the address family

ok dhartmei@, inspired by a session with bob


# 1.387 19-May-2003 henning

all host() receivers have to test for NULL


# 1.386 19-May-2003 henning

if host() returns NULL, it is an error, so err the fuck out and don't
load bullshit


# 1.385 17-May-2003 henning

support inverse matching on tags like
block in ! tagged sometag

ok dhartmei@ pb@


# 1.384 16-May-2003 dhartmei

TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive end-
point, preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@


# 1.383 15-May-2003 henning

properly complain about too long tags


# 1.382 14-May-2003 frantzen

add scrub modifier "reassemble tcp" to turn on stateful TCP normalizations
ok henning@ dhartmei@


# 1.381 14-May-2003 henning

tagging on binat


# 1.380 14-May-2003 henning

enabled tagging on rdr rules


# 1.379 14-May-2003 henning

with tag/tagged given, only whine about missing keep state on pass rules


# 1.378 14-May-2003 frantzen

allow SCRUB rules to specify protocol again. broken sometime in the past.
okie dhartmei@, yay pb@


# 1.377 14-May-2003 henning

tags on nat rules:
nat on $ext_if all tag humppa -> $ext_if
pass out tagged hummpa keep state


# 1.376 13-May-2003 henning

make sure tagging is only ever used with stateful filter rules


# 1.375 13-May-2003 henning

userland part for tagging.
it's now possible to tag packets with an arbitrary tag and filter based on
that tag later on other interfaces:
pass in quick on fxp0 keep state tag blah
pass out quick on wi0 keep state with tag blah
can be used to express trust between interfaces, to distinguish between
NATed connections and connections originating from the firewall itself
and much more

ok dhartmei@ frantzen@ pb@ mcbride@


# 1.374 11-May-2003 mcbride

Don't ntohs() the translation port for nat as it is already in host byte order.
Makes nat ... -> $ext_if port 500 rules work correctly again.

ok henning@ dhartmei@ frantzen@


# 1.373 10-May-2003 henning

support loading of anchors from within the main ruleset via
load anchor anchorname:rulesetname file /path/to/file

ok pb@ dhartmei@ cedric@


# 1.372 03-May-2003 henning

don't free() the char * carrying the rule label too early
noticed by Mathieu Sauve-Frankel <m.sauve at secureops.net> via silc


# 1.371 01-May-2003 henning

ease label handling

ok cedric@


# 1.370 01-May-2003 henning

allow label on antispoof; requested by Gregor Binder <gbinder at sysfive.com>

ok cedric@


# 1.369 30-Apr-2003 cedric

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@


# 1.368 25-Apr-2003 dhartmei

Properly copy the second part of nat proxy port range, when specified.
ok henning@


# 1.367 15-Apr-2003 henning

pass down the unparsed queue opts (struct node_queue_opt) to
print_altq/print_hfsc -> print_hfsc_opts and extract struct node_hfsc_sc
there for each service curve and pass those down to print_hfsc_sc. now
bandwidth specifications in the service curves are printed correctly in the
case of a queue belonging to more than one interface/parent queue, the
parent queues having different bandwidths and the bandwidth on the service
curve being specified in percent.


# 1.366 14-Apr-2003 henning

let print_altq and print_queue take a struct node_queue_bw parameter instead
of distinct bw_percent


# 1.365 13-Apr-2003 henning

KNF


# 1.364 13-Apr-2003 henning

prevent double service curve specification


# 1.363 13-Apr-2003 henning

add support for the HFSC linkshare, realtime, and upperlimit service curves
to be specified.


# 1.362 13-Apr-2003 dhartmei

unbreak (missing })


# 1.361 13-Apr-2003 henning

say bye bye to hfscflags_list and hfscflags_item
welcome hfscopts_list and hfscopts_item, returning a full struct
node_hfsc_opt instead of just an int for the flags. needed because of all
the opts hfsc knows


# 1.360 13-Apr-2003 henning

new struct node_hfsc_opts for, surprise, hfsc options. needed because they
contain bandwidth specifications and we need to carry the unprocessed bw
specs around for quite some time until we can break them down to absolute
values.


# 1.359 13-Apr-2003 henning

pass down the struct node_queue_opts from the altqif/queuespec yacc targets
to expand_altq/expand_queue -> eval_pfaltq/eval_pfqueue and
further down to the new eval_queue_opts() instead of evaluating them directly
in the yacc grammar.
this will be needed to process the hfsc options which can contain relative
bandwidth specifications, and we can't break them down to an absolute one
earlier.


# 1.358 13-Apr-2003 henning

move the structs node_queue_bw and node_queue_opt to pfctl_parser.h.
let eval_pfqueue() and eval_pfaltq() take a pointer to a struct
node_queue_bw instead of two distinct bw_absolute and bw_percent parameters.


# 1.357 13-Apr-2003 henning

move the bandwidth keyword from within the bandwidth target up to the
queue_opts target so the bandwidth parser can be used for other things too;
will be needed for hfsc's linkshare etc


# 1.356 12-Apr-2003 henning

initial support for the HFSC scheduler.
whoever uses that for more than toying around is on drugs. it's far from done.


# 1.355 11-Apr-2003 henning

KNF


# 1.354 11-Apr-2003 henning

don't set r->qid and r->pqid in expand_rule any more, queue name -> queue ID
mapping is done in kernel land now


# 1.353 07-Apr-2003 dhartmei

Catch and refuse invalid icmp codes (> 255). ok pb@, mpech@.


# 1.352 05-Apr-2003 henning

ease netmask handling a bit

input theo, ok dhartmei@


# 1.351 05-Apr-2003 henning

allow queue specs to be limited to certain interfaces.

altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two }
queue one priority 1 priq(default)
queue two on $if0 priority 15
queue two on ! $if0 priority 0

ok dhartmei@


# 1.350 05-Apr-2003 henning

whitespace KNF


# 1.349 04-Apr-2003 henning

clean up:
instead of letting the lexer interpret '<' '>' '=' '>=' '<=' and return them
as PF_OP_LT, PF_OP_GT etc etc etc in PORTUNARY, just let the lexer return
'<' '>' and '=' literally, and in the few cases where the old PORTUNARY was
really used like originally intended, replace that by a new unaryop yacc
target. in all other cases that gets rid of quite some checks whether PORTUNARY
is really < and nothing else etc etc etc.

ok cedric@ deraadt@


# 1.348 27-Mar-2003 henning

lotsa const char *
from David Hill <david at phobia.ms> a while ago


# 1.347 27-Mar-2003 henning

introduce a "yesno" target. eases code a bit and yes is no longer a keyword.


# 1.346 27-Mar-2003 henning

handle invalid priq/cbq flags better and give a nice error message


# 1.345 27-Mar-2003 henning

default, borrow, ecn, red and rio are no longer keywords. use STRING and
strcmp instead.


# 1.344 27-Mar-2003 henning

switch symset/symget to TAILQ instead of using hand baked lists

ok dhartmei@ cedric@


Revision tags: OPENBSD_3_3_BASE
# 1.343 19-Mar-2003 henning

branches: 1.343.2;
kill the address token and move the host() invocation up to the host token,
so that host() always gets the full address to be parsed including the
netmask instead of applying the netmask afterwards. this could break some
edge cases and was broken since the (interface)/24 fix.
new token dynaddr for, well, dynaddr, and apply an eventually given netmask
afterwards in the host token just in this case.

found after bug report From: Julien Bordet <zejames@greyhats.org> via dhartmei

ok daniel cedric


# 1.342 10-Mar-2003 henning

correctly cope with errors returned by eval_pfqueue and pfctl_add_altq

ok dhartmei@ pb@ (as part of... you know, monsterdiff)


# 1.341 10-Mar-2003 henning

when complaining about a queue without parent, include the queue name in
the error message

ok dhartmei@ pb@ (as part of a monsterdiff)


# 1.340 09-Mar-2003 henning

cope with LOOP_THROUGH modifying the list (queues).
in case of an error in the queue def in question the queues list remains
unmodified, but the LOOP_THROUGH caused a mod anyway, and the list can stay
empty. subsequent checks for NULL which check for an empty list fail then.
fix by adding an explicit check before looping.
fixes regress pfail31
error report by Kamil Andrusz via pb@, testcase from pb@
ok dhartmei@


# 1.339 09-Mar-2003 henning

cope with the fact that LOOP_THROUGH loops once even if the list is empty by
moving the addition of child queues a bit down after the successful
addition of the current queue and an explicit NULL check before looping.
fixes regress pf59
found by kjc@
ok kjc@ cedric@ dhartmei@


# 1.338 08-Mar-2003 henning

fix the obvious:
since we do not modify the struct pf_altq *a any more but our private copy,
we can of course not inherit the scheduler type from it, since it did not
inherit the scheduler type from the parent.
so just inherit the scheduler type from the parent directly...

ok dhartmei@ cedric@


# 1.337 08-Mar-2003 henning

in expand_queue, make a private copy of the struct pf_altq before modifying
it. modifying the original one had undesired side effects if a queue was
expanded to more than one because it belonged to more than one interface

ok pb@ cedric@ dhartmei@


# 1.336 06-Mar-2003 henning

fix queue assignment on filter rules which are not bound to an interface.
when looking up the queue IDs using qname_to_qid, we do not need to limit
the matching on the interface in question, as it is guaranteed that same
named queues on different interfaces have the same queue id. moreover, we
must not limit the matches to the interface if we do not have an interface
given on the filter rule to match on ;-)

found after problems reported by Andre Nathan <andre at v2r dot com dot br>

ok dhartmei@ pb@ cedric@


# 1.335 02-Mar-2003 henning

when printing queues at load time that have bandwidth specified in percent,
print the bandwidth in percent instead of the calculated absolute value.
if a queue belongs to more than one interface and they have different
bandwidth the calculated absolute is of course different per interface.
previously the first calculated absolute value was shown; what of course is
incorrect on the second interface. note that only the print was wrong, the
correct values were passed to the kernel.

ok theo daniel


# 1.334 02-Mar-2003 henning

remove the control keyword for cbq queues.
the control class was a legacy of the original CBQ design by LBL/Sun
to support RSVP.
the control class is not used in openbsd, in the sense that
we don't automatically set filters for ICMP/IGMP/RSVP for the control
class.

ok dhartmei@ kjc@ deraadt@


# 1.333 27-Feb-2003 david

modify error message to match the same 7 sections in pf.conf(5)
ok deraadt@ henning@


# 1.332 26-Feb-2003 henning

in expand_rule, correctly set r->pqid if a priority queue was defined, and
reuse the value of r->qid if not.

ok dhartmei@ mcbride@


# 1.331 25-Feb-2003 henning

some minor KNF my fingers just did...

ok dhartmei@ cedric@


# 1.330 25-Feb-2003 cedric

repair/simplify/flexify binat userland.
ok dhartmei@ henning@


# 1.329 24-Feb-2003 henning

when a macro is redefined, don't bother with reusing the existing entry in
symset() but just prepend a new sym entry to symhead like we always did. as
symget searches the list sequentially, the newest one is picked first.
prevents an endless loop introduced when trying to reuse the existing entry
by an invalid setting for the next pointer.
fixes regress test pf57.

found after conversation with Chris Linn, celinn at mtu dot edu

ok dhartmei@ cedric@


# 1.328 21-Feb-2003 henning

re-allow set loginterface none
ok cedric@ dhartmei@


# 1.327 21-Feb-2003 henning

better error message if set loginterface is called with nonexistent
interface, found by krause (who is doing EXCELLENT work. Thank you very
much!), fix by me, ok dhartmei@ and cedric@


# 1.326 20-Feb-2003 henning

reject nonexistent interfaces in the dynaddr case, noticed during discussion
with jasondixon at myrealbox dot com

ok dhartmei@


# 1.325 19-Feb-2003 dhartmei

Make 'from (kue0)/24' work again (dynamic interface name translation with
a /prefix), reported by Jason Dixon. ok henning@


# 1.324 19-Feb-2003 henning

better error message on icmp version / address family mismatch

ok markus@


# 1.323 18-Feb-2003 henning

fix load option handling (-A, -N, -R) for options.
due to a bug in the loadopt check options were always loaded no matter which
loadopts were specified.
while being there, move the prints for that to where they belong, into the
appropriate pfctl_set_* functions, and thus only print when the options are
actually loaded.
fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier.

ok dhartmei@


# 1.322 17-Feb-2003 henning

"optarg" was a bad pick for the variable name in pfctl_cmdline_symset, it
shadows a global. rename.


# 1.321 17-Feb-2003 mpech

-#include <sys/ioctl.h>

mcbride@, dhartmei@ ok


# 1.320 16-Feb-2003 henning

unneeded {}


# 1.319 16-Feb-2003 henning

throw a syntax error if the portunary operator in varset is no '='
extif>"whatever"
should not be the same as
extif="whatever"
but a syntax error.


# 1.318 14-Feb-2003 dhartmei

Allow route-to loopback interfaces again, since Ryan fixed the loops that
might have occurred before.


# 1.317 14-Feb-2003 cedric

Better and more consistent error message.
Ok dhartmei@


# 1.316 13-Feb-2003 henning

ease the yacc a bit by using a "not" rule instead of having two rules w/ and
without '!' everywhere

ok dhartmei@


# 1.315 12-Feb-2003 henning

KNF after ryan


# 1.314 12-Feb-2003 mcbride

Simplify the code and make the parser handle the different rule types
more consistently.

- Merge expand_nat and expand_rdr into expand_rule
- Merge rdrrule token into natrule

ok concept henning@
ok dhartmei@


# 1.313 11-Feb-2003 henning

allow macro definition on the command line:
pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea
theo), very handy if your notebook has another NIC at some conference, as
well as for debugging etc.
idea rezine@mistrusted.net via pb@
hacked live at FOSDEM

ok pb@ dhartmei@ cedric@


# 1.312 09-Feb-2003 henning

more live code from FOSDEM:
make
pass in proto tcp to port 80
work.
-allow to omit the "any" if you're specifying a port
-allow to omit the from or to part if you want "any" for the other

ok dhartmei@ pb@


# 1.311 09-Feb-2003 henning

KNF


# 1.310 09-Feb-2003 camield

Fix a few warnings and remove unnecessary check and cast.

ok dhartmei henning


# 1.309 08-Feb-2003 dhartmei

Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@


# 1.308 05-Feb-2003 cedric

Fix "pass out dup-to (tun0 1.1.1.1) inet6 all" error message
Allow "pass out dup-to tun0 all"
ok mcbride@ henning@


# 1.307 05-Feb-2003 mcbride

Set the network mask to all 1's if no address is specified for a
route-to/dup-to/reply-to rule. Keeps round-robin from incrementing through
the entire address space.

ok dhartmei@


# 1.306 03-Feb-2003 deraadt

pretty


# 1.305 03-Feb-2003 dhartmei

Don't allow loopback interfaces as route/reply/dup-to targets. ok henning@


# 1.304 03-Feb-2003 cedric

remove loadopt global definition and cleanup a bit.
ok henning@


# 1.303 03-Feb-2003 henning

fix a problem with queue definitions when load options (like -N etc) are
given; they used to check for their parent interface/queue even in this
case.

ok dhartmei@ cedric@


# 1.302 02-Feb-2003 henning

there is no need to pass opts to parse_rules explicitly; it's passed as
part of the struct pfctl.


# 1.301 27-Jan-2003 deraadt

KNF


# 1.300 25-Jan-2003 mcbride

Match changes for rdr port ranges made to pf.c:
- fixes behaviour of rdr on le0 from foo to bar port 1:20 -> (lo0) port 22
- makes calculated mapping more explicit for the -> (lo0) port 22:* case

testing from dhartmei@

ok dhartmei@


# 1.299 25-Jan-2003 cedric

Fix NOACTION with table statements.


# 1.298 25-Jan-2003 cedric

Permit initialisation of a table content from a file in pf.conf.
Cleaning up of the table options parsing, more flexible.
idea+cleanup deraadt@, ok dhartmei@, pass all regress tests.


# 1.297 25-Jan-2003 cedric

Correctly check illegal constructs with tables. Better error messages.
ok dhartmei@ pass all regress tests.


# 1.296 25-Jan-2003 henning

if a table name is too long, it's actually nice to tell so instead of just
aborting with a syntax error


# 1.295 20-Jan-2003 camield

Remove unused argument from print_name() and fix two other nits
found by lint.

ok henning


# 1.294 19-Jan-2003 camield

Spin off label string expansion into a separate function. Clarifies
and tightens all expand_label functions.

ok dhartmei henning


# 1.293 18-Jan-2003 henning

KNF after ryan...


# 1.292 18-Jan-2003 mcbride

Add missing token string and assignment to make static-port work for real.

Diff and report courtesy of mpech@ and form@

ok dhartmei@


# 1.291 17-Jan-2003 camield

bandwith -> bandwidth

YYERROR on failed parseicmpspec()

ok dhartmei mcbride henning


# 1.290 15-Jan-2003 mpech

Typo in yyerror().

henning@


# 1.289 14-Jan-2003 henning

unified IP parser:
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h]
-extend host() to handle /mask itself, plus minor adjustments
-use that in pfctl_table.c instead of coding the same shit again

discussed w/ cedric@
ok cedric@ dhartmei@


# 1.288 13-Jan-2003 camield

err() on all memory allocation failures

ok henning dhartmei


# 1.287 11-Jan-2003 mcbride

Whitespace KNF


# 1.286 09-Jan-2003 henning

no need for explicit numbering in enums

ok dhartmei@


# 1.285 09-Jan-2003 dhartmei

Check return values on the remaining strlcpy/strlcat. ok henning@


# 1.284 09-Jan-2003 henning

minor KNF


# 1.283 09-Jan-2003 cedric

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@


# 1.282 08-Jan-2003 deraadt

check more strlcpy; camield@


# 1.281 07-Jan-2003 dhartmei

Allow underscore at the beginning of strings, fixes
pass all user _spamd
which was refused as syntax error before. Reported by Joe Nall.
ok henning@


# 1.280 07-Jan-2003 dhartmei

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@


# 1.279 06-Jan-2003 mcbride

Fix some oversights with address pools for route-to/dup-to/reply-to
- copy key for src-hash
- copy pool type (pools were being set to round-robin in all cases)

+ some minor knf.

ok dhartmei@


# 1.278 05-Jan-2003 henning

err after calloc failure, not errx


# 1.277 05-Jan-2003 dhartmei

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@


# 1.276 04-Jan-2003 dhartmei

move noroute from flag in pf_rule_addr into type in pf_addr_wrap.
ok henning@, mcbride@


# 1.275 04-Jan-2003 deraadt

I do not know where this policy of "one .h file for every .c file" comes
from, but whoever thought of it is stupid.


# 1.274 03-Jan-2003 dhartmei

whitespace KNF (no, i don't touch the option inits)


# 1.273 03-Jan-2003 cedric

Bring in userland code for accessing PF radix tables.
ok dhartmei@ mcbride@


# 1.272 02-Jan-2003 mcbride

Require a direction to be specified for rules which do routing.

ok dhartmei@ henning@


# 1.271 30-Dec-2002 mcbride

Change ipv6-icmp-type to icmp6-type. pf.conf files will need to be adjusted
to reflect this.

ok dhartmei@ henning@


# 1.270 27-Dec-2002 mcbride

Since pf_norm.c looks at rule.log to see if it should log packets being
dropped due to scrub violations, this adds the ability to set this in
pf.conf.

ok henning@


# 1.269 21-Dec-2002 henning

always initialize rpool.key; diff from Frank Denis; KNF by me


# 1.268 21-Dec-2002 henning

KNF


# 1.267 20-Dec-2002 dhartmei

remove a redundant assignment.


# 1.266 19-Dec-2002 dhartmei

fix 'no rdr'.


# 1.265 18-Dec-2002 henning

more KNF


# 1.264 18-Dec-2002 dhartmei

proto list expansion is not supported in binat-anchor yet, print an error
when attempted.


# 1.263 18-Dec-2002 dhartmei

Support (single) destination port in rdr-anchor rules. Print an error
where parameters are not supported (in rdr-anchor and binat-anchor) yet.
If those are needed, we'll have to expand them properly.


# 1.262 18-Dec-2002 deraadt

fix some INCREDIBLE new bugs which were introduced


# 1.261 17-Dec-2002 henning

add support for the PRIQ scheduler

partially from kjc@

ok kjc@ dhartmei@


# 1.260 17-Dec-2002 mcbride

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule

ok dhartmei@ henning@


# 1.259 17-Dec-2002 henning

missing break in switch


# 1.258 17-Dec-2002 henning

beautify the %type block


# 1.257 17-Dec-2002 henning

PRIQ and HFSC support functions, not yet used.
mostly from kjc@ with adjustments by me.

ok theo ryan daniel


# 1.256 16-Dec-2002 henning

only create a root queue if scheduler = cbq


# 1.255 16-Dec-2002 henning

get full [scheduler]_opts struct instead of just .flags, and wrap in into a
switch (scheduler) statement in one case

inspired by kjc@


# 1.254 13-Dec-2002 henning

allow a second queue for higher prioritized (currently: tos=lowdelay) packets
to be specified per rule

queue (qname, priorized_qname)

idea dhartmei
ok dhartmei@ frantzen@ deraadt@


# 1.253 13-Dec-2002 henning

a bit KNF originally part of another diff soon to come; frantzen@ correctly
pointed out that it should be a separate commit.


# 1.252 13-Dec-2002 deraadt

permit re-ordering of some scrub parameters, and also clean up some other
grammar baloney; henning ok


# 1.251 12-Dec-2002 henning

KNF


# 1.250 12-Dec-2002 henning

we don't need to keep a private copy of the queue name in expand_rule,
r->qname is never modified

discussed with dhartmei@


# 1.249 11-Dec-2002 mcbride

Replace strncpy + ugly pointer math with sscanf for reading source-hash keys

ok dhartmei@ henning@


# 1.248 09-Dec-2002 dhartmei

(properly guarded) strcpy() -> strlcpy()


# 1.247 09-Dec-2002 deraadt

do not allow redefinitions in variable option blocks; henning ok


# 1.246 08-Dec-2002 henning

strncpy is evil.


# 1.245 08-Dec-2002 henning

allow flexible options order like Theo did for rules.

idea, lots of input, motivation and ok deraadt@

ATTENTION:
this changes the syntax. the "scheduler" keyword is gone now.
old: altq on $interface scheduler cbq ...
new: altq on $interface cbq ...


# 1.244 07-Dec-2002 dhartmei

Support parameters in anchor rules. Allows conditional evaluation, like:

anchor spews inet proto tcp from any to any port smtp

ok deraadt


# 1.243 07-Dec-2002 henning

more KNF


# 1.242 07-Dec-2002 henning

KNF


# 1.241 07-Dec-2002 henning

shadow cleanup

ok mcbride@ frantzen@


# 1.240 07-Dec-2002 henning

kill an unused param to lungetc


# 1.239 07-Dec-2002 mcbride

Convert the hash of a string key to network byte order. Makes regression
work on all platforms.

Bug found by dhartmei@

ok dhartmei@ henning@


# 1.238 06-Dec-2002 dhartmei

Remove negated address list check again, doesn't work right yet.


# 1.237 06-Dec-2002 dhartmei

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@


# 1.236 05-Dec-2002 henning

fix a small cosmetic problem. if ifa_lookup was called in LOOKUP_NET mode,
it would return things like 127.0.0.1/8. when 127.0.0.1/8 is passed through
the new selftests, it becomes 127.0.0.0/8.
fix: instead of just copying addr.mask in ifa_lookup, use set_ipmask, so it
is 127.0.0.0/8 from the beginning on.


# 1.235 05-Dec-2002 henning

-quote varset in -v output
-don't add 's' in set timeout -v output

makes the feedback regression tests succeed.

ok markus@ mcbride@


# 1.234 04-Dec-2002 henning

in host(), apply a given netmask to all members of the node_host list
returned by ifa_lookup().

reported by Alejandro G. Belluscio

ok dhartmei@


# 1.233 04-Dec-2002 deraadt

do not warn for unused variables except with -v -v; henning ok


# 1.232 02-Dec-2002 henning

KNF


# 1.231 02-Dec-2002 deraadt

permit more flexible pass/block lines. the options given at the end of
a line can now be placed in any order, and some merging of duplicate options
is also done. this is easier to use.


# 1.230 02-Dec-2002 henning

allow for "altq on $interface" without specifying a bandwidth. The
interface's bandwidth is taken then.
as a side-effect, "altq on $interface bandwidth xx%" is also possible now,
it's relative to the interface's bandwidth then.

ok theo


# 1.229 30-Nov-2002 mickey

move damn unmask() proto into place as well


# 1.228 29-Nov-2002 henning

coredumps are not nice.
deal with the fact that when we are merging the lists in host_list both can
be NULL.
found at EuroBSDCon 2002 while I was explaining the expansion process to
Paul de Weerd

ok dhartmei@


# 1.227 29-Nov-2002 henning

print queuespec only once in verbose mode, even if referenced more often


# 1.226 29-Nov-2002 henning

FREE_LIST nqueues later; can be used more than once


# 1.225 28-Nov-2002 henning

allow qlimit on altq spec


# 1.224 28-Nov-2002 mcbride

- Adjust to match replacement of md5 with pf_hash
- Allow keys to be specified in hex (must be 128 bits, mainly to make
pfctl -v output parseable by pfctl) or as a string. Randomly generate key
if one is not specified.

Suggestions and fixes from camield@

ok mickey@ camield@ henning@


# 1.223 27-Nov-2002 henning

handle the "no bandwidth specified" case earlier and easier.


# 1.222 27-Nov-2002 henning

-use a #define for default qlimit instead of hardcoding it
-print qlimit in print_queue if it is not the default one
-assign the default qlimit early in the parser instead of using 0


# 1.221 27-Nov-2002 henning

next round in print fixes:
-only print priority if it is not equal to the default one
-space handling overhaul


# 1.220 27-Nov-2002 henning

use a #define for default priority instead of hardcoding it


# 1.219 27-Nov-2002 henning

fix tbrsize spec


# 1.218 27-Nov-2002 henning

fix error message for altq ifspec without child queues


# 1.217 26-Nov-2002 henning

make bandwidth specification on queue truly optional


# 1.216 26-Nov-2002 henning

queue comes before NAT


# 1.215 25-Nov-2002 henning

repair decide_address_family
you cannot just take the first address family you meet as rule's address
family... either all are equal, or the rule has no explicit AF.

found by danh@
ok theo


# 1.214 25-Nov-2002 mickey

for loN and link1 translate the iface into address properly; henning@ ok


# 1.213 25-Nov-2002 henning

1Kb = 1000b, not 1024; as discussed with kjc@ and theo


# 1.212 25-Nov-2002 henning

KNF


# 1.211 24-Nov-2002 pb

enforce that queue comes right before filtering
'options, normalization, translation, queue, filter' now

henning@ ok


# 1.210 24-Nov-2002 dhartmei

Cosmetics and removal of a redundant code block.


# 1.209 23-Nov-2002 deraadt

sigh


# 1.208 23-Nov-2002 henning

KNF


# 1.207 23-Nov-2002 henning

better error checking in expand_queue


# 1.206 23-Nov-2002 henning

easier


# 1.205 23-Nov-2002 mcbride

Daniel's diff to untangle my mess with ifa_pick_ips like so:

- add decide_address_family() which runs through the list to find hosts
with the af set
- replace ifa_pick_ips with remove_invalid_hosts() which removes hosts with
the wrong address family from the list

from/ok dhartmei@


# 1.204 23-Nov-2002 henning

better error checking, round 1
this time in expand_altq


# 1.203 23-Nov-2002 henning

KNF


# 1.202 23-Nov-2002 deraadt

KNF


# 1.201 23-Nov-2002 dhartmei

$$->ifname is NULL, leave it NULL, don't $$->ifname[0] = 0;


# 1.200 23-Nov-2002 mcbride

Fix brokenness in parse.y, clean up:
- remove requirement for ( ) in route-to ( if )
- calloc route_host
- initialise route_host->next
- globally convert malloc to calloc

ok dhartmei@


# 1.199 23-Nov-2002 mcbride

code to support loading of pf rules with multiple redirection addresses
(in nat, rdr, route-to, dup-to and reply-to)

Syntax looks like this, see pf.conf(5) for details:

nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
192.168.0.16/29 source-hash random

rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
{ 192.168.0.8/31, 192.168.0.15 } port 22 round-robin

ok dhartmei@ henning@


# 1.198 22-Nov-2002 henning

print altq and queue lines in the pfctl -v case including the child queue
assignment


# 1.197 19-Nov-2002 henning

only take cbq opts from schedtype if type=CBQ


# 1.196 19-Nov-2002 henning

repair queuespec syntax glitch, theo agrees


# 1.195 19-Nov-2002 henning

default priority is 1, not 0
found by pb@


# 1.194 19-Nov-2002 camield

- match 'Gb' case-sensitively
- match "%" unit only, not "%crap"

ok henning@


# 1.193 19-Nov-2002 wilfried

icmp-type was off by one, ok henning@


# 1.192 18-Nov-2002 deraadt

no; do not use };


# 1.191 18-Nov-2002 henning

more using strl* return values instead of strlen calls


# 1.190 18-Nov-2002 henning

easier "queue name too long" detection; from theo


# 1.189 18-Nov-2002 deraadt

KNF


# 1.188 18-Nov-2002 deraadt

KNF


# 1.187 18-Nov-2002 henning

altq and pf merged

this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documentation yet, but committing now
enables a few more people to work on.

print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.

"commit now" theo philipp daniel


# 1.186 13-Nov-2002 henning

as scrub rules end up in a struct pf_rule just call expand_rule instead of
handcrufting this.
has quite a few positive side effects:
-interface list expansion works (fries@ asked for that)
-can specify address family, very helpful with dynamic interface expansion
(pointed out by daniel)
-src/dst ip/port list expansion works
-fixes a long standing, scary, though never noticed bug:
scrub out on lo1 from any to 10.0.0.1
expanded to
scrub out on lo1 all
... this bug was there from day #1.

"sneaky diff of the month award" dhartmei@


# 1.185 13-Nov-2002 dhartmei

Add label macro $if, as we support {} list expansion for interfaces now.
From David Gwynne. ok henning@, camield@


# 1.184 13-Nov-2002 dhartmei

Initialize tail pointer to node, found by fries@


# 1.183 08-Nov-2002 henning

init buf to NULL just in case...
there isn't a single codepath where it can remain uninitialized, but this
might prevent a stupid bug if we change something later


# 1.182 07-Nov-2002 henning

move the ifa_exists block a bit up in host()
inspired by mpech@ pointing out a missing free(buf). so handle the
it-is-an-interface case where we don't need the buf before allocating memory.


# 1.181 04-Nov-2002 henning

welcome to CIDR world, pfctl!

use inet_net_pton to parse IP addresses.
stuff like
block in from 10/8 to any
works now.

some input camield@ and dhartmei@

ok dhartmei@, camield@, mcbride@


# 1.180 02-Nov-2002 dhartmei

%i -> %d, matches the style of existing code, from millert@


# 1.179 02-Nov-2002 dhartmei

printf int with %i, not %u. from pilot@monkey.org.


# 1.178 30-Oct-2002 henning

simplify


# 1.177 30-Oct-2002 henning

fix interface expansion. since the reversed list expansion code was
committed this was broken, only the first IP address was returned.

pointed out by danh@, who sent an excellent bug report.

ok dhartmei@


# 1.176 29-Oct-2002 henning

introduce
set require-order [yes|no]
default is yes.
with set to "no", it isn't required to have the rules in order (options,
scrub, nat, filter) any more, though of course NATing still happens before
filtering and so on, so one has to take care.

ok camield@ mcbride@ dhartmei@
idea discussed with a whole lotta more people and basically ok for everyone ;-)


# 1.175 27-Oct-2002 henning

remove the "flags X" syntax.
noone who wrote "flags S" meant that, but actually something like "flags
S/SA". with "flags S" changing its actual meaning as more flags got
supported, things got worse.

ok dhartmei@, pb@


# 1.174 22-Oct-2002 mpech

%ul -> %lu

dhartmei@ ok


# 1.173 22-Oct-2002 mcbride

More conversion of "int af" and "u_int8_t af" declarations and function
arguments to the more correct and descriptive "sa_family_t af"

ok dhartmei@ henning@


# 1.172 22-Oct-2002 camield

Rename ipmask to set_ipmask and add some functionality: the netmask
is applied immediately to the address.

This way, the parsed rules output shows exactly which bits of an
address are significant for a match and errors due to wrong netmasks
can be spotted more easily.

Example:
$ pfctl -nvf -
pass in on lo0 from 172.17.0.0/12 to any
@0 pass in on lo0 inet from 172.16.0.0/12 to any

idea refined by dhartmei@
ok frantzen@ henning@


# 1.171 17-Oct-2002 mcbride

These checks are also made in nat_consistent() and rdr_consistent().

ok dhartmei@ henning@


# 1.170 17-Oct-2002 camield

- accept all protocols that are specified by number if they are in
the valid range (also when they're not listed in /etc/protocols)
- explicitly disallow protocol number 0, because it has special meaning
to pf

ok dhartmei@ henning@


# 1.169 16-Oct-2002 mpech

Fix and improve binat mask comparison.

dhartmei@, henning@ ok


# 1.168 14-Oct-2002 henning

Allow one to specify a netblock in a binat rule:

binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27

Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.

from ryan

ok dhartmei@
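
The netmask handling described in 1.172 (set_ipmask applying the mask to the
address immediately) and the binat netblock mapping from 1.168, as an added
example that is not pfctl's own code: prefix_to_mask, parse_cidr, set_ipmask
and binat_map are hypothetical IPv4-only helpers written here, and the
addresses are the ones quoted in the two commit messages.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

/* Added example, not pfctl's own code. Hypothetical IPv4-only helpers:
 * set_ipmask() zeroes the host bits as soon as the netmask is known;
 * binat_map() joins the redirect network part to the source host part. */

/* Network-order IPv4 mask for a prefix length 0..32. */
static uint32_t
prefix_to_mask(int prefix)
{
	if (prefix <= 0)
		return (0);
	if (prefix >= 32)
		return (htonl(0xffffffffU));
	return (htonl(0xffffffffU << (32 - prefix)));
}

/* Parse "a.b.c.d/n"; a bare address is taken as /32. 0 on success. */
static int
parse_cidr(const char *s, uint32_t *addr, int *prefix)
{
	char buf[32], *slash, *end;
	struct in_addr in;
	long n = 32;

	if (strlen(s) >= sizeof(buf))
		return (-1);
	strcpy(buf, s);
	if ((slash = strchr(buf, '/')) != NULL) {
		*slash = '\0';
		n = strtol(slash + 1, &end, 10);
		if (*end != '\0' || n < 0 || n > 32)
			return (-1);
	}
	if (inet_pton(AF_INET, buf, &in) != 1)
		return (-1);
	*addr = in.s_addr;
	*prefix = (int)n;
	return (0);
}

/* Keep only the bits significant for a match: a mistyped 172.17.0.0/12
 * is printed back as 172.16.0.0/12, so the wrong netmask can be spotted. */
int
set_ipmask(const char *cidr, char *out, size_t outlen)
{
	uint32_t addr;
	int prefix;
	struct in_addr in;
	char tmp[INET_ADDRSTRLEN];

	if (parse_cidr(cidr, &addr, &prefix) == -1)
		return (-1);
	in.s_addr = addr & prefix_to_mask(prefix);
	if (inet_ntop(AF_INET, &in, tmp, sizeof(tmp)) == NULL)
		return (-1);
	snprintf(out, outlen, "%s/%d", tmp, prefix);
	return (0);
}

/* "binat on fxp0 from src_net to any -> rdr_net": translate one host of
 * src_net. Both prefixes must be equal and the host must lie inside
 * src_net, otherwise -1 is returned. */
int
binat_map(const char *src_net, const char *rdr_net, const char *host,
    char *out, size_t outlen)
{
	uint32_t src, rdr, h, mask;
	int sp, rp, hp;
	struct in_addr in;

	if (parse_cidr(src_net, &src, &sp) == -1 ||
	    parse_cidr(rdr_net, &rdr, &rp) == -1 ||
	    parse_cidr(host, &h, &hp) == -1)
		return (-1);
	if (sp != rp)
		return (-1);	/* netmasks MUST be the same */
	mask = prefix_to_mask(sp);
	if ((h & mask) != (src & mask))
		return (-1);	/* host is not in the source netblock */
	in.s_addr = (rdr & mask) | (h & ~mask);
	return (inet_ntop(AF_INET, &in, out, outlen) == NULL ? -1 : 0);
}

int
main(void)
{
	char buf[64];
	if (set_ipmask("172.17.0.0/12", buf, sizeof(buf)) == 0)
		printf("@0 pass in on lo0 inet from %s to any\n", buf);
	if (binat_map("192.168.0.32/27", "10.0.7.128/27", "192.168.0.40",
	    buf, sizeof(buf)) == 0)
		printf("192.168.0.40 -> %s\n", buf);
	return (0);
}
```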


# 1.167 11-Oct-2002 camield

When a macro cannot be expanded because it is not defined, say so. Also warn
about unused macros.

ok dhartmei@ henning@


# 1.166 11-Oct-2002 camield

In lgetc(), compress strings of whitespace to a single space. This makes
macros come out right in verbose mode and is less functional overhead.

Also err on whitespace after a backslash. That type of error is hard to
find otherwise.

ok dhartmei@ henning@


# 1.165 08-Oct-2002 vincent

remove <0 checks on unsigned numbers.

ok henning@


# 1.164 07-Oct-2002 dhartmei

-Wsign-compare clean


# 1.163 07-Oct-2002 dhartmei

Two cases of const-correctness and make one global local.


# 1.162 07-Oct-2002 henning

set block-policy [drop|return]
drop is default, same behaviour as before

support
block drop
to override a return policy


# 1.161 07-Oct-2002 henning

support a generic return
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else

ok dhartmei@


# 1.160 07-Oct-2002 henning

make return-icmp work for rules covering both v4 and v6
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)

ok and some input dhartmei@


# 1.159 07-Oct-2002 henning

use a new rule_flag PFRULE_RETURNICMP to decide whether to return-icmp or not
instead of just testing return_icmp > 0

ok dhartmei@


# 1.158 07-Oct-2002 dhartmei

Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.


# 1.157 06-Oct-2002 dhartmei

Move CHECK_ROOT into LOOP_THROUGH, gets rid of one macro and saves
several lines, no functional difference. From Camiel Dobbelaar.


# 1.156 05-Oct-2002 dhartmei

Expand {} lists from left to right, so 'pass in from { a, b } to any'
becomes '@0 pass in from a to any @1 pass in from b to any' instead of
the other way around. Patch from Camiel Dobbelaar.


# 1.155 05-Oct-2002 dhartmei

Allow filtering based on IP header's tos field.


Revision tags: OPENBSD_3_2_BASE
# 1.154 22-Sep-2002 henning

little KNF: return(something) -> return (something)


# 1.153 22-Sep-2002 henning

fix linenumber counting in findeol, and simplify by ignoring the \ case,
that's already handled earlier.
fast-forward on erroneous lines

partially from camield@, parts result of a discussion with Mike

ok frantzen@ dhartmei@


# 1.152 22-Sep-2002 henning

antispoof, take 2.
also block incoming packets with our own IP as src.

discussion & help frantzen

ok ho@ dhartmei@ frantzen@


# 1.151 17-Sep-2002 henning

easier "self" implementation.
no functional changes

ok pb@


# 1.150 15-Sep-2002 henning

set a netmask in the dynaddr case
noticed by <han@mijncomputer.nl>

ok pb@


# 1.149 14-Sep-2002 henning

bit more clue in rdr/nat rules wrt address family examination
don't take the af from host_node structs based on interface lookups, most
interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will
at least have one IP address specified from which we take the af for the
whole rule. The rare exceptional cases require the user to specify the af.

ok frantzen@


# 1.148 12-Sep-2002 henning

check for calloc() failure; ho@


# 1.147 12-Sep-2002 henning

antispoof [log] [quick] for [interface|interface_list] [af]

e. g.

antispoof log quick for { dc0, dc1 } inet

docs & regress coming

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@
IPv6 help itojun@

finally, a long story finds its happy end here.


# 1.146 12-Sep-2002 henning

rework netmask handling:
-don't set netmask in host token handler
-clear netmask in ipmask() proper before setting it
-in ifa_load(), also store interface's netmask and broadcast address
-allow ifa_lookup() to return either the interface's IP address(es), network(s)
or broadcast address(es) - not used anywhere yet. This implies that
ifa_lookup() also returns the netmask now.
-host() returns netmasks, too

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@


# 1.145 08-Sep-2002 henning

be more clueful wrt address family in nat/rdr rules.
behaviour noticed by Paul de Weerd, thanks!

ok dhartmei@


# 1.144 02-Sep-2002 dhartmei

Fix parsing of port ranges in translation rules (port a:b -> port c:d).
ok henning@


# 1.143 02-Sep-2002 dhartmei

Make sure the interface specified with route-to/dup-to/fastroute exists
and null-terminate the interface name. Found by Michael Wallis.
ok henning@


# 1.142 20-Aug-2002 dhartmei

Increase lineno on newlines inside multi-line macro definitions, otherwise
errors on subsequent lines are reported with wrong line numbers.
From Paul B. Henson.


# 1.141 16-Aug-2002 henning

kill duplicated check for '(' and ')' in allowed_in_string


# 1.140 12-Aug-2002 dhartmei

Catch null pointer deref (segfault), from wilfried@


# 1.139 06-Aug-2002 henning

missing free(), mpech@
ok pb@


# 1.138 06-Aug-2002 henning

check for strdup() allocation errors

pointed out by mpech@
ok pb@


# 1.137 31-Jul-2002 henning

KNF, esp. missing prototypes


# 1.136 30-Jul-2002 henning

grmpf.
in some cases, on non-tcp rules flags weren't reset. cosmetic-only
problem. but, well, checking for r->flags and r->flagset if we could have
assigned them zero just one round ago is just stupid, and it's not needed to
check them at all.

ok pb@, dhartmei@


# 1.135 30-Jul-2002 henning

allow to specify flags on all rules that include tcp.

these are valid:

pass in from any to any flags S
pass in proto { tcp, udp, icmp } from any to any flags S
pass in proto tcp from any to any flags S

these are invalid:

pass in proto { udp, icmp } from any to any flags S
pass in proto udp from any to any flags S

ok "I've lost my slacker status for at least a week" frantzen@
ok pb@, dhartmei@, deraadt@


# 1.134 26-Jul-2002 henning

make the order of log and quick irrelevant. now both
block in log quick all
and
block in quick log all
work.

ok dhartmei@, deraadt@


# 1.133 23-Jul-2002 henning

timeout_list/_spec and limit_list/_spec don't return anything -> no %type.

ok theo


# 1.132 21-Jul-2002 deraadt

fix route-to also


# 1.131 21-Jul-2002 deraadt

make the , optional in many places. This makes string concat a lot more
useful. Now you can
in = ssh domain www
out = $in ftp finger
pass in proto tcp from any to any port { $in }
pass out proto tcp from any to any port { $out }
a poor example, but the idea is obvious


# 1.130 21-Jul-2002 deraadt

string concat, ie.
a=a b
c=$a $a


# 1.129 20-Jul-2002 deraadt

minor indent tweaks


# 1.128 20-Jul-2002 deraadt

properly split yacc and lex use


# 1.127 19-Jul-2002 deraadt

minor tweaks, sigh


# 1.126 19-Jul-2002 dhartmei

And back out the last change again.


# 1.125 19-Jul-2002 henning

rework the interface lookup routines internals.
less and easier code than before.
no functional changes.

ok frantzen@, dhartmei@


# 1.124 19-Jul-2002 dhartmei

Support # comments at the end of lines and inside (multi-line) string
literals, so you can do things like

macro="{ foo, # first entry
bar, # second entry
baz }" # last entry

or

pass in on $ext_if \ # external interface
proto tcp \ # TCP connections
from any to $ext_if \ # to the gateway itself
keep state

And sneaking in two minor fixes for KNF.


# 1.123 19-Jul-2002 henning

deal with the fact that the struct node_host ifa_pick_ip gets is not always
the result of an interface expansion. in this case ifa_pick_ip does an
address family check (that's actually a (wanted) side effect). Thus, we need
to spit out a meaningful error message in case of a mismatch.
also adjust all the other error messages, they were also assuming that nh is
the result of an interface expansion.
after a looooong discussion on icb (dhartmei@, pb@, me) we agreed on the term
"translation address" for that.

okay dhartmei@


# 1.122 17-Jul-2002 henning

support "self" as address. self expands to all IPv4 and IPv6 addresses of
the machine, on all interfaces. I wanted
block in log on ! lo0 from any to self
for years, and now it's possible.

ok "I may lose my slacking status if I OK it" frantzen@
ok dhartmei@

documentation in pf.conf.5 to come with pb@'s rewrite


# 1.121 16-Jul-2002 dhartmei

Add nat_consistent() and rdr_consistent() for checks that should occur
after rule expansion, similar to rule_consistent(). Fixes the
non-effective test for rdr rules for non-TCP/UDP protocols with ports,
found by mpech@, ok frantzen@


# 1.120 15-Jul-2002 henning

add support for
pass|block on ! $interface ...

ok dhartmei@

will be documented in pf.conf(5) by "I'm not slacking!" pb@ who's currently
reworking this manpage


# 1.119 15-Jul-2002 pb

cosmetics/consolidations to manpage in yyerror()s

ok henning@, dhartmei@


# 1.118 15-Jul-2002 henning

o complain about keep state on block rules
o complain about return-rst on rules which aren't limited to tcp

pointed out by not-slacking-but-testing pb@

ok pb@, dhartmei@


# 1.117 13-Jul-2002 henning

add list expansion for interface and proto in nat rules and for proto in rdr
rules (interface was already there). since the nat.conf/pf.conf merge the
parser accepted these but didn't expand them. ugh.

ok dhartmei@


# 1.116 09-Jul-2002 itojun

check sin6_scope_id field, just in case we change the routing socket API
for scoped address (unlikely due to the deployed codebase...).


# 1.115 09-Jul-2002 itojun

getifaddrs(3) grabs link-local addrs in kernel internal form, convert them
into proper sockaddr_in6.


# 1.114 09-Jul-2002 henning

rework the interface-to-IP routines.

you can use interface names instead of an IP in most places. However, until
now, it was only expanded to the interface's first IPv4 address if existent
(and address family unset or inet) and the first IPv6 address otherwise.

this diff changes that. the interface is properly expanded to all IPs, IPv4
_and_ IPv6, now.

it also cleans up the lookup procedures (well, in fact, they are replaced by
a new one), there's no need for different procedures for IPv4 and IPv6. we
now just have one list of interfaces (AF_LINK) and one list with IPs
(AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and
ifa_lookup.

nat, rdr & friends now use the new function ifa_pick_ip to get the IP in
rules like

nat on $interface from $whatever to any -> $interface

ifa_pick_ip tries to be smart.
if the interface has only one IP address and the nat rule doesn't specify an
address family (or it matches with this address), take this one.
If the address family is specified in the nat rule and there is only one IP
for the given address family, this one is used. if the address family is not
specified and there is more than one IP pfctl throws an error. The same
applies for multiple IPs per address family.

This causes regression tests 18 and 20 to fail because the address family
isn't specified there; diff for those coming.

also fix some prototypes while I'm here.

pb@ found another problem while testing that we must have introduced somewhat
after 3.1.

$cat t
nat on ne3 from any to any -> 213.128.133.5
$pfctl -nvf t
nat on ne3 all -> ?

it's only a representation bug as far as I've checked, nonetheless it should
be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just
steal its target's IP af and set the rule's af accordingly. then inet_ntop
does play nice.
binat rules already enforce having an address family set always and thus are
not affected.

ok dhartmei@, pb@, kjell@
"It looks good" frantzen@

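To make the ifa_pick_ip selection rules and the af-copy fix described in the 1.114 message concrete, here is an added stand-alone sketch. It is my code, not pfctl's: the struct and function names (ifaddr, nat_target, pick_ip, render_target, nat_target_set, sample_iface) are invented and the sample addresses are constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>

/* One interface address; a constructed stand-in for pfctl's node_host. */
struct ifaddr {
	int af;					/* AF_INET or AF_INET6 */
	union {
		struct in_addr	v4;
		struct in6_addr	v6;
	} u;
};

/* The translation target of a nat/rdr rule, with the rule's own af. */
struct nat_target {
	int		af;	/* AF_UNSPEC until set from the address */
	struct ifaddr	addr;
};

enum pick_result { PICK_OK, PICK_NONE, PICK_AMBIGUOUS };

/* Parse a textual address into an ifaddr; returns 1 on success. */
int
ifaddr_set(struct ifaddr *ia, int af, const char *txt)
{
	memset(ia, 0, sizeof(*ia));
	ia->af = af;
	return inet_pton(af, txt, &ia->u) == 1;
}

/*
 * Selection rules from the 1.114 message, applied to the addresses of one
 * interface: with the rule af unset every address is a candidate, with it
 * set only addresses of that family are. Exactly one candidate is taken;
 * none is an error, more than one is ambiguous and also an error.
 */
enum pick_result
pick_ip(const struct ifaddr *list, size_t n, int rule_af,
    const struct ifaddr **out)
{
	const struct ifaddr *cand = NULL;
	size_t i, ncand = 0;

	for (i = 0; i < n; i++) {
		if (rule_af != AF_UNSPEC && list[i].af != rule_af)
			continue;
		cand = &list[i];
		ncand++;
	}
	if (ncand == 0)
		return PICK_NONE;
	if (ncand > 1)
		return PICK_AMBIGUOUS;
	*out = cand;
	return PICK_OK;
}

/*
 * Render the target the way "pfctl -nv" prints it. When the rule's af was
 * never set, inet_ntop() has no family to work with, which is the "-> ?"
 * output quoted in the message.
 */
const char *
render_target(const struct nat_target *t, char *buf, size_t len)
{
	if ((t->af != AF_INET && t->af != AF_INET6) ||
	    inet_ntop(t->af, &t->addr.u, buf, len) == NULL)
		return "?";
	return buf;
}

/* The fix: a nat/rdr target is one address, so the rule inherits its af. */
void
nat_target_set(struct nat_target *t, const struct ifaddr *ia)
{
	t->addr = *ia;
	t->af = ia->af;
}

/* Constructed sample interface: one IPv4 and two IPv6 addresses. */
size_t
sample_iface(struct ifaddr *list, size_t max)
{
	size_t n = 0;

	if (n < max && ifaddr_set(&list[n], AF_INET, "192.0.2.1"))
		n++;
	if (n < max && ifaddr_set(&list[n], AF_INET6, "2001:db8::1"))
		n++;
	if (n < max && ifaddr_set(&list[n], AF_INET6, "2001:db8::2"))
		n++;
	return n;
}
```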

# 1.113 08-Jul-2002 dhartmei

Don't allow 'flags' option in non-TCP rules, found by mpech@


# 1.112 05-Jul-2002 henning

unbreak.


# 1.111 05-Jul-2002 henning

another small bug I found while installing a -current pf firewall.
we don't support

pass/block in on ! <interface>

(at least, not yet)
let the parser complain instead of ignoring the '!'

ok pb@, dhartmei@


# 1.110 01-Jul-2002 espie

streamline parse buffer handling (no need to copy value that is not
going to go away).

add explicit pushback buffer, to be able to push IPv6 failed parses back.

handle pushback + parse buffer interactions by using negative indices.

okay dhartmei@, deraadt@


# 1.109 01-Jul-2002 deraadt

KNF


# 1.108 28-Jun-2002 dhartmei

Don't check for address family conflicts in nat/rdr before expansion,
rules will expand to all valid combinations, and there's an error when
none is found. Makes "nat on tun0 from 10.0.0.0/8 to any -> (tun0)"
work (again).


# 1.107 25-Jun-2002 henning

move pfctl options -t, -m, -O and -l to pf.conf. These are set using the
"set" keyword. example rulefile:

set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all

fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@


# 1.106 24-Jun-2002 dhartmei

Use interface when specified in scrub rule. No support for ! or {} yet.


# 1.105 23-Jun-2002 deraadt

uid_t and gid_t are unsigned


# 1.104 20-Jun-2002 dhartmei

Copy address family from inet/inet6 keyword, if specified.


# 1.103 18-Jun-2002 frantzen

propagate a '!' when a host resolves to multiple IP addresses
ok dhartmei@


# 1.102 18-Jun-2002 frantzen

don't allow individual keep state rules to specify timeouts for 'interval' and
'frag' -- they aren't applied anyway
ok dhartmei@ and henning@


# 1.101 16-Jun-2002 aaron

Rules must in order -> Rules must be in order


# 1.100 15-Jun-2002 dhartmei

Reset rulestate in parse_rules(), so consecutive calls (like from authpf)
will not fail. Reported by Chris Kuethe.


# 1.99 13-Jun-2002 kjell

Fix the numbering of scrub rules. pointed out and oked by frantzen@


# 1.98 12-Jun-2002 kjell

Fix uninitialized access. Spotted by danh@ This is a good reason to
develop with "ln -s 'J' /etc/malloc.conf" enabled.
ok henning@


# 1.97 11-Jun-2002 frantzen

split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@. the rest are slacking


# 1.96 11-Jun-2002 frantzen

SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@


# 1.95 11-Jun-2002 dhartmei

Make NAT proxy port range configurable per rule, for instance privileged
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@


# 1.94 10-Jun-2002 kjell

Merge the NAT and rules files into a single rulefile. Rules must be
in this order, to remove any ambiguity about what order things happen in:

scrub rules
nat rules
filter rules

The -N and -R modifiers go away. Rulefiles are now loaded with the
more POSIXly-correct '-f'

ok frantzen@


# 1.93 10-Jun-2002 dhartmei

Allow ports to be specified in nat rules, useful later on for individual
proxy port ranges.


# 1.92 10-Jun-2002 dhartmei

Move enum out of struct (gcc 3.1 wasn't happy), from David Krause


# 1.91 10-Jun-2002 kjell

split scrub rule processing into its own yacc target,
for imminent config file merge. ok frantzen@


# 1.90 09-Jun-2002 dhartmei

Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it
includes ports and operator.


# 1.89 09-Jun-2002 deraadt

spaced out developers...


# 1.88 09-Jun-2002 kjell

Add list parsing in RDR rules: e.g.

rdr on $IFLIST proto tcp from $SRC_LIST to $DST_LIST port 21 \
-> 127.0.0.1 port 8021

ok dhartmei@


# 1.87 08-Jun-2002 henning

nuke unused parameter af to expand_label_port
ok dhartmei@, pb@


# 1.86 08-Jun-2002 dhartmei

Change remaining read-only lookup tables to const, suggestion drahn@


# 1.85 08-Jun-2002 itojun

comment on IPv6 link-local twists


# 1.84 08-Jun-2002 kjell

add list expansion to src/dest in NAT rules. i.e.

nat on fxp0 from { 10.0.0.0/24, 10.0.1.0/24 } to \
{ 172.6.1.1, 172.14.1.2/32 } -> fxp0

ok theo, dhartmei@


# 1.83 08-Jun-2002 henning

remove macro concatenation via += per Theo's advice


# 1.82 08-Jun-2002 henning

allow macro concatenation like
webservers = "{ 10.0.0.1, 10.0.0.7, 10.0.0.8, "
webservers += " 10.0.0.17, 10.0.0.25, 10.0.0.37 }"
ok frantzen@, dhartmei@


# 1.81 08-Jun-2002 dhartmei

Make state timeouts configurable per rule, like

pass in from any to any port www keep state (tcp.established 60)

ok frantzen@


# 1.80 08-Jun-2002 henning

expand $nr -> rule number in rule labels
okay dhartmei@, frantzen@


# 1.79 08-Jun-2002 henning

expand $proto in rule labels
okay frantzen@ dhartmei@


# 1.78 07-Jun-2002 dhartmei

Handle realloc() failure gracefully. Terminates with err() anyway in this
case, but we don't want to trigger "p = realloc(p," grepping causing false
alarms here.


# 1.77 07-Jun-2002 deraadt

henning, read this to see what i mean by KNF


# 1.76 07-Jun-2002 pb

add the possibility to configure a TTL while return-rst

ok dhartmei@, ipv6 part itojun@ ok


# 1.75 07-Jun-2002 dhartmei

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@


# 1.74 07-Jun-2002 henning

allow using $srcaddr, $srcport, $dstaddr and $dstport in rule labels,
evaluated at parse time.
ok dhartmei@


# 1.73 07-Jun-2002 itojun

make IPv6 scope identification work for dst (from any to fe80::1%lo0)


# 1.72 07-Jun-2002 itojun

support scoped IPv6 address in from/to portion.


# 1.71 01-Jun-2002 hugh

ECN flag support for pf. Committed in consultation with Daniel.


# 1.70 24-May-2002 dhartmei

Support mixed (IPv4/v6) address lists, expand to all possible and valid
combinations. 'pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }' will
expand to two rules, 'from 10.1.2.3 to 10.4.5.6' and 'from ::1 to ::2'.
Also applies to host name resolution (when multiple addresses are returned
for one name). ok frantzen@, itojun@


# 1.69 23-May-2002 deraadt

tiny KNF, some malloc checks, etc


# 1.68 23-May-2002 itojun

new_addr is not used from anywhere. daniel@benzedrine.cx ok


# 1.67 19-May-2002 deraadt

KNF


# 1.66 12-May-2002 dhartmei

Explain that user/group 'unknown' can only be used with operators = and !=
and refuse other constructs in the parser. Also note that 'user >= 0' does
not match forwarded packets with unknown user ID.


# 1.65 12-May-2002 dhartmei

Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.


# 1.64 10-May-2002 dhartmei

Handle host name resolution returning multiple addresses in the rule
parser (expand to every address). ok frantzen@


# 1.63 09-May-2002 jasoni

Add a max-mss option to the scrub rule which will enforce a maximum mss
by lowering it to the given value.
- ok dhartmei@, provos@


# 1.62 09-May-2002 dhartmei

Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.


# 1.61 24-Apr-2002 dhartmei

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).


# 1.60 23-Apr-2002 dhartmei

Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.


# 1.59 18-Apr-2002 deraadt

use strlcpy


# 1.58 17-Apr-2002 dhartmei

Reset lineno for each file, so pfctl -R ... -N ... reports the right
line number for non-first files. Reported by aaron@


Revision tags: OPENBSD_3_1_BASE
# 1.57 27-Mar-2002 mickey

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok


# 1.56 27-Feb-2002 dhartmei

Instead of printing useless @0 rule numbers from pfctl -vR, increase a
counter. Helps debugging rule sets that are not loaded. Suggested by
John Kerbawy.


# 1.55 11-Jan-2002 mickey

use bsearch() for keywords lookup, swap couple of entries to make the keywords array sorted and add a comment to keep it that way; dhartmei@ ok


# 1.54 10-Jan-2002 hugh

Let port 0 be specified as it's not special here.
Agreement with Daniel and others.


# 1.53 09-Jan-2002 mpech

Port must be >0 and <=65535. Idea while having fun with ssh.

dhartmei@ ok


# 1.52 09-Jan-2002 mpech

free() 'interface' in {nat,binat,rdr}rule

dhartmei@ ok


# 1.51 09-Jan-2002 dhartmei

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.


# 1.50 08-Jan-2002 dhartmei

Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.


# 1.49 07-Jan-2002 mpech

remove 3rd argument from ipmask(), not used.

dhartmei@ ok


# 1.48 23-Dec-2001 deraadt

find correct line number in lval, instead of val


# 1.47 10-Dec-2001 dhartmei

Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.


# 1.46 05-Dec-2001 dhartmei

Correctly parse hex numbers. Spotted by Claudio Jeker. Closes PR 2234.


# 1.45 03-Dec-2001 dhartmei

For nat, binat and rdr rules, don't allow different address families in
one rule. pf can't translate IPv4 <-> IPv6 packets. Such rules didn't work,
even if they were falsely accepted before.


# 1.44 26-Nov-2001 jasoni

add fastroute options similar to what is found in ipf
ok dhartmei@, frantzen@


# 1.43 05-Nov-2001 deraadt

no one responds.
this diff makes } and { not be part of symbols


# 1.42 24-Oct-2001 dhartmei

Check interface names using ifa0_lookup() and print error message for
non-existent interfaces (instead of the generic ioctl error returned by
the kernel in this case).


Revision tags: OPENBSD_3_0_BASE
# 1.41 15-Oct-2001 dhartmei

branches: 1.41.2;
Add 'allow-opts' to rules. Packets with IP options will be blocked by
default now, and can be allowed per rule. ok deraadt@


# 1.40 11-Oct-2001 frantzen

Don't htonl() past buffer bounds if ipmask == 128


# 1.39 07-Oct-2001 dhartmei

Add interface name to address translation to pfctl, document it and add
a regress test. Translation is done on rule set load-time only, so the
rule sets must be reloaded when an interface address changes.
parse.y patch from Cedric Berger. Similar patch from Jonathon Fletcher.
Thanks to both.


# 1.38 01-Oct-2001 markus

print variable assignments only if -v is given. ok dhartmei/deraadt


# 1.37 28-Sep-2001 dhartmei

Support underscores in macro names and document it in the man page.


# 1.36 20-Sep-2001 dhartmei

Fix uninitialized structure fields. Problem reported by Cedric Berger.


# 1.35 15-Sep-2001 wilfried

Implement return-icmp(number), return-icmp6(number)
Differentiate between return-icmp and return-icmp6,
icmp-type and ipv6-icmp-type. ok dhartmei@


# 1.34 15-Sep-2001 dhartmei

Fix 'binat ... to any ...' (binat.af wasn't set).


# 1.33 15-Sep-2001 dhartmei

Parse bug, found by wilfried@


# 1.32 15-Sep-2001 frantzen

IPv6 support from Ryan McBride (mcbride@countersiege.com)


# 1.31 12-Sep-2001 markus

check calloc() return value


# 1.30 06-Sep-2001 jasoni

- you can only binat between hosts
- add binat example and description


# 1.29 06-Sep-2001 jasoni

1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@


# 1.28 04-Sep-2001 dhartmei

Support parameter lists {} for interfaces in filter rules, like
pass in on { gm0, kue0 } from any to any


# 1.27 28-Aug-2001 markus

move '!' from host_list to host: "xhost : '!' host | host;"; ok dhartmei@


# 1.26 28-Aug-2001 markus

check for malloc/strdup == NULL


# 1.25 28-Aug-2001 dhartmei

Support ! operator in host parameter lists. Fixes PR system/2030. Reported
by Kamil Andrusz <wizz@mniam.net>.


# 1.24 26-Aug-2001 deraadt

sort keywords


# 1.23 25-Aug-2001 frantzen

PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation.


# 1.22 23-Aug-2001 millert

o for a port_item, initialize the "next" pointer to NULL
o for an address, use calloc() instead of malloc() so the struct is zeroed
Fixes a SEGV in pfctl due to uninitialized "next" pointers.


# 1.21 23-Aug-2001 deraadt

Support var="string". Expansion (at lex time) done using $var, for instance:
okproto="{ssh, smtp, domain, auth}"
pass in on key0 proto tcp from any to any port $okproto keep state
Can I ask someone else to document this in pf.conf(5)?


# 1.20 19-Aug-2001 dhartmei

Add parameter list support to parser. Handles lists for protocol, hosts
and ports in filter rules, like

block in from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
pass in proto tcp from any to any port { ssh, 1024 >< 2000, > 65000 }
block in proto { udp, igmp }

and does rule expansion (generate all needed rule combinations).


# 1.19 16-Aug-2001 deraadt

track the line number per-token, so that we can report errors correctly


# 1.18 14-Aug-2001 mickey

optimize the flags parsing; markus@ ok


# 1.17 11-Aug-2001 deraadt

\+\n support, and spit out cc-style error messages. the parser's line
counting is lex dependent, and will need to be tweaked


# 1.16 31-Jul-2001 wilfried

allow to test that flags are unset, ok dhartmei@, mickey@


# 1.15 19-Jul-2001 krw

Fix/complete the handling of the binary ops >< and <> to behave
like the ipf operators.

The 'n >< m' construct (Include Range = PF_OP_IRG) should match
ports greater than n and less than m, not greater than or equal to
n and less than or equal to m.

The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match
all ports less than n OR greater than m, not be treated as an
alias for ><.

Thus PF_OP_GL, which was used for both <> and >< is replaced with
PF_OP_IRG and PF_OP_XRG with the 'correct' semantics.

OK dhartmei@

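As an added illustration of the two range operators described in the 1.15 message (and of the port list form from 1.20), here is a minimal port matcher with the corrected `><` and `<>` semantics beside the old inclusive-only behaviour. This is my code, not pfctl's; the enum and function names are invented stand-ins, not the PF_OP_* values from pfvar.h.

```c
#include <stdint.h>

/*
 * Port operators. Names follow the commit message (IRG = include range,
 * XRG = exclude range) but the enum itself is an illustrative stand-in.
 */
enum port_op {
	OP_NONE = 0,	/* no port given: every port matches */
	OP_EQ,		/* = n */
	OP_NE,		/* != n */
	OP_LT,		/* < n */
	OP_LE,		/* <= n */
	OP_GT,		/* > n */
	OP_GE,		/* >= n */
	OP_IRG,		/* n >< m: strictly between n and m */
	OP_XRG		/* n <> m: strictly below n or strictly above m */
};

struct port_spec {
	enum port_op	op;
	uint16_t	n;	/* first operand */
	uint16_t	m;	/* second operand, used by IRG and XRG only */
};

/* Return 1 if port satisfies the spec, 0 otherwise (post-1.15 semantics). */
int
port_match(const struct port_spec *ps, uint16_t port)
{
	switch (ps->op) {
	case OP_NONE:	return 1;
	case OP_EQ:	return port == ps->n;
	case OP_NE:	return port != ps->n;
	case OP_LT:	return port < ps->n;
	case OP_LE:	return port <= ps->n;
	case OP_GT:	return port > ps->n;
	case OP_GE:	return port >= ps->n;
	case OP_IRG:	return port > ps->n && port < ps->m;
	case OP_XRG:	return port < ps->n || port > ps->m;
	}
	return 0;
}

/*
 * The pre-1.15 behaviour the message corrects: a single PF_OP_GL treated
 * both >< and <> as an inclusive range. Kept only for comparison.
 */
int
port_match_old_gl(uint16_t n, uint16_t m, uint16_t port)
{
	return port >= n && port <= m;
}

/*
 * A port list such as "{ ssh, 1024 >< 2000, > 65000 }" expands into one
 * rule per item, so a packet matches the set if any expanded rule does.
 * This ORs the items the same way.
 */
int
port_list_match(const struct port_spec *specs, int nspecs, uint16_t port)
{
	int i;

	for (i = 0; i < nspecs; i++)
		if (port_match(&specs[i], port))
			return 1;
	return 0;
}
```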

# 1.14 18-Jul-2001 markus

new ERROR token, errx() -> warnx() + ERROR; ok deraadt@


# 1.13 18-Jul-2001 markus

KNF for return


# 1.12 18-Jul-2001 mickey

check number range to fit in 32 bits


# 1.11 18-Jul-2001 mickey

put range checks on NUMBER, pointed out by deraadt


# 1.10 17-Jul-2001 mickey

spaces, parens, err instead of errx+strerror


# 1.9 17-Jul-2001 markus

warnx()/YYERROR instead of errx(); suggested by mickey@


# 1.8 17-Jul-2001 provos

markus doesn't like min-ttl =, begone


# 1.7 17-Jul-2001 provos

support min-ttl, okay dhartmei@


# 1.6 17-Jul-2001 provos

normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@


# 1.5 17-Jul-2001 marc

bitch about ! in pf rule; ok dhartmei@ and markus@


# 1.4 17-Jul-2001 millert

Only set default proto in the rdr case; markus@ OK


# 1.3 16-Jul-2001 markus

errx() if getservbyname() fails


# 1.2 16-Jul-2001 markus

better flags parsing; dhartmei


# 1.1 16-Jul-2001 markus

add a yacc parser for pf.conf and nat.conf, with help from mickey@,
plus: -n now turns off all operations, and just parses the conf files
ok deraadt@


# 1.697 05-Jul-2019 patrick

Fix integer sizes in format strings and enable formatting warnings
for yyerror.

From Moritz Buhl
ok bluhm@ claudio@


# 1.696 08-May-2019 sashan

pfctl should check pfctl.astack is not overrun
(bug found and fixed by Petr Hoffmann _at_ oracle.com)

OK kn@


# 1.695 18-Apr-2019 kn

Fix table definition parsing as unprivileged user

revision 1.689 introduced warn_duplicate_tables() unconditionally, breaking
the parser on tables with insufficient permissions to open pf(4):

$ echo 'table <t>' | pfctl -nf-
pfctl: pfr_get_tables: Bad file descriptor

So simply check whether pfctl is able to get the table list first. If not,
instead of silently avoiding namespace collision checks, print a brief
notice iff `-v' is given to help finding duplicate definitions by hand:

$ echo 'table <t>' | ./obj/pfctl -vnf-
table <t>
stdin:1: skipping duplicate table checks for <t>

Reported by Rivo Nurges, thanks!
OK benno sashan


Revision tags: OPENBSD_6_5_BASE
# 1.694 06-Mar-2019 kn

Fix once rules

parse.y revision 1.682 from 16.07.2018 erroneously allowed `match once' and
`anchor "a" once'.

Fix both by checking for PF_DROP not PF_MATCH and creating anchors in the
parser already such that they can be used to distinguish anchor rules in
the same check as well.

Found and fixed by Petr Hoffmann <petr.hoffmann at oracle dot com>, thanks!

While here, remove an unneeded cast and make pfctl_add_rule() void as it
always returned 0.

OK sashan


# 1.693 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.692 10-Feb-2019 kn

Anchor names must not be empty

The parser would allow bogus input and sometimes even produce invalid rules
on empty anchor names, so error out immediately.

OK sashan


# 1.691 10-Feb-2019 kn

Unify anchor name sanity checks

For anchor names, make `load anchor' use the same grammar as `anchor' and
merge unique checks from both places so that anchor names are validated
regardless of the specific rule at hand.

OK sashan


# 1.690 31-Jan-2019 kn

Make divert-packet port accept any port specification

Contrary to other rules accepting a single port, this one only works with
numerical values. Fix it by simply using the proper grammar.

Port ranges are not accepted, but an error message on a range without start
was missing in general, so add it while here.

OK bluhm


# 1.689 11-Jan-2019 kn

When creating tables inside anchors, pfctl warned about namespace
collisions with global tables, but only in certain cases and with
limited information sometimes leaving users clueless.

Deferring the check to process_tabledefs() where tables are eventually
created, both anchor and table name are known which allows for checking
all existing anchors.

With this, warn on all duplicates even in dry-runs (`-n') and print
quoted names so they can be copied to fix configurations right away.

No functional change in parsing or ruleset production.

Discussed with and OK sashan


# 1.688 15-Nov-2018 dlg

scrub opts don't set tos, so remove it from the scrub_opts struct

ok deraadt@


# 1.687 10-Nov-2018 kn

Unbreak `-D macro=value' (r1.686 regression)

Zap trailing semicolon introduced with miko's cmdline_symset() leading to
unconditional err(3). Zap trailing tab while here.


# 1.686 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.685 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.684 16-Sep-2018 millert

Use uid_from_user(3) and gid_from_group(3) in utilities that
do repeated lookups. OK tb@


# 1.683 06-Sep-2018 kn

Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan


# 1.682 16-Jul-2018 kn

reduce duplicate code, fix typo/free correct buffer

In filteropts_to_rule():

* Merge `once' handling from `anchorrule' and `pfrule'
* Remove/shorten duplicate code block
* Fix typo I introduced with r1.678 that frees the wrong buffer (twice)

OK sashan


# 1.681 13-Jul-2018 kn

Fix regression on child queue definitions

I committed the wrong diff in 1.680 which turned `queue cq parent pq ...'
into invalid syntax by changing `interface' to `ON if_item'.

Found by bket, thanks!


# 1.680 11-Jul-2018 kn

Prevent invalid interface specifiers on queue rules

pf.conf(5) states that queues attach to actual interfaces only, yet the
following parses:

# echo queue eq on egress bandwidth 1G default | pfctl -f-
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

# echo queue rq on rdomain 0 bandwidth 1G default | pfctl -vf-
queue rq bandwidth 1G default
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

On rdomains, ifa_exists() returns NULL.
On interface groups, ifa_exists() returns non-NULL but af is never set
to AF_LINK.

OK henning sashan


# 1.679 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.678 10-Jul-2018 henning

'set delay' for the generic packet delay mechanism, ok benno sashan


# 1.677 10-Jul-2018 kn

fix anchor rules with filter opts, introduce filteropts_to_rule()

Some filter options were parsed but not set on anchor rules due to missing
copies of the respective struct members:

$ cat pf.conf
queue rq on trunk0 bandwidth 1G
queue dq parent rq bandwidth 1G default
anchor a set queue dq
$ pfctl -vnf pf.conf | fgrep queue
anchor "a" all

Fix this by moving common code from `anchorrule' and `pfrule' into a new
helper filteropts_to_rule().

Input from henning and benno
OK henning sashan jca


# 1.676 09-Jul-2018 kn

Zap dead code

Commented since r1.465 (2004).

OK deraadt benno jca sashan


# 1.675 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.674 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.673 18-May-2018 benno

A pf rule with a "on rdomain n" with nonexisting rdomain n will cause an

pfctl: DIOCADDRULE: Device busy

error when loading the ruleset, with no information which rule caused
the problem and no indication that the problem is the rdomain
<nonexisting>.

This diff makes pfctl check if the rdomain really exists when parsing
the config.

ok bluhm@


# 1.672 09-May-2018 otto

Fix (include file ) line number counting by keeping track of the unget
buffer per file; also use that buffer to expand macros.
ok sashan@ dennis@ krw@


# 1.671 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.670 08-Feb-2018 henning

make the watermarks/thresholds for entering and leaving syncookie mode when
syncookies are set to adaptive tunable, ok claudio benno


# 1.669 06-Feb-2018 henning

allow control over syncookies: set syncookies never/always/adaptive


# 1.668 28-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@


# 1.667 27-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Convert the pfctl(8) rule parser to divert types, kernel cleanup
will be the next step.
OK sashan@


# 1.666 25-Nov-2017 sashan

- pfctl fails to handle nested 'load anchor' properly
[ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]

OK bluhm@


# 1.665 14-Nov-2017 sashan

- nested anchors vs. pfctl/parse.y
bug reported and fix tested by Leonardo Guardati

OK bluhm@


# 1.664 13-Nov-2017 henning

add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb


Revision tags: OPENBSD_6_2_BASE
# 1.663 11-Aug-2017 benno

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@


# 1.662 19-Jul-2017 mikeb

Allow HFSC classes to use flow queues

The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue. Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.

Discussed with and OK henning@ at d2k17 as a part of a larger diff.


# 1.661 19-Jul-2017 mikeb

Rework HFSC vs FQ-CoDel checks

The selection mechanism introduced in pf_ioctl.c -r1.316 suffers
from being too ambiguous and lacks robustness. Instead of relying
on composition of multiple flags in the queue specification, it's
easier to identify the root class (if it exists) and derive all
further checks from it.


# 1.660 28-May-2017 akfaew

Don't check np->port for NULL - it's an array, it's never NULL.

OK bluhm@


# 1.659 15-May-2017 mikeb

Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)

OK sthen, visa


# 1.658 28-Apr-2017 mikeb

Remove double assignments


Revision tags: OPENBSD_6_1_BASE
# 1.657 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.656 23-Nov-2016 bluhm

Explicitly forbid to combine af-to with route-to in pfctl. The
parser cannot handle that correctly and it is unclear whether the
kernel code would work. Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@


# 1.655 26-Aug-2016 guenther

Add <time.h> for time(); sort <*.h> includes

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.654 18-Jul-2016 henning

g/c unused (global!) var: oqueues isn't used any more. ALTQ leftover; not
noticed since struct node_queue stayed. ok claudio benno gcc


# 1.653 22-Jun-2016 kettenis

Add curly braces that were missed in rev 1.651. Add parentheses to make the
condition in the if statement more readable while I'm there.

ok phessler@, benno@, florian@


# 1.652 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.651 21-Jun-2016 benno

the manpage documents that af-to does not work on pass out rules, but
the pf.conf parser allows it, which leads to a non-working configuration
being loaded.
this changes the parser to make pass out .. af-to an error.

ok henning@ mikeb@


# 1.650 16-Jun-2016 henning

allow include in inline anchors
with this,
anchor foo {
include "/path/to/rules"
}
works and "load anchor" is obsolete, to be removed somewhen later after
release.
co-production with reyk at bsdcan, ok reyk mikeb benno sasha


Revision tags: OPENBSD_5_9_BASE
# 1.649 01-Sep-2015 sashan

- route-to, dup-to, reply-to should not override the block action

Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>

ok jung@, ok mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.648 21-Apr-2015 mikeb

Improve divert-to specification parsing w.r.t. rule address family.
ok henning


Revision tags: OPENBSD_5_7_BASE
# 1.647 26-Feb-2015 sthen

%% not % in error message; ok millert@ henning@


# 1.646 14-Feb-2015 sthen

Rather than using 0xff as a placeholder for "don't check prio", use 0xff to
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.

Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesnt like it he can change it when he recovers from jet-lag"


# 1.645 10-Feb-2015 henning

since we inherit prio (as in, the queuing priority) from outside sources,
i. e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan


# 1.644 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.643 19-Dec-2014 reyk

Support source-hash and random with tables and dynifs; not just pools.
This finally allows using source-hash for dynamic load balancing, eg.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.

An older pre-siphash version of this diff was tested by many people.

OK tedu@ benno@


# 1.642 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.641 27-Oct-2014 mikeb

Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic. Reported by sthen@;
ok henning benno sthen


# 1.640 25-Oct-2014 lteo

Remove unnecessary netinet/in_systm.h include.

ok millert@


# 1.639 13-Sep-2014 doug

Replace all queue *_END macro calls except CIRCLEQ_END with NULL.

CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.

ok millert@


# 1.638 23-Aug-2014 pelikan

when you specify queues in a rule, make sure they have been defined.

DIOCADDRULE EBUSY turns into an error message that pfctl -n catches.
DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported
to occur, possibly from hfsc.c: this should be fixed as well.

ok henning mikeb sthen


# 1.637 21-Aug-2014 mikeb

deny "once" flags for match rules; ok henning


Revision tags: OPENBSD_5_6_BASE
# 1.636 02-Jul-2014 mikeb

branches: 1.636.4;
condition above makes this part of the check useless;
overlooked in the previous commit


# 1.635 30-Jun-2014 mikeb

Merge two loops in collapse_redirspec into one

This lets us do the checks only once and also make smarter decisions
about the rule's own address family. As a result af-to rules no longer
need to specify the address family after 'pass'.

ok henning


# 1.634 25-Jun-2014 mikeb

Make stricter decisions when handling translation specifications.

In particular, disallow specifications containing addresses of
different address families when the rule doesn't specify one, for
example "pass out nat-to { ::1 1.1.1.1 }" will now produce an
error instead of silently picking one of the addresses.

sthen and deraadt agree


# 1.633 17-May-2014 bluhm

When parsing a numerical value for the TOS bits, make sure that it
is in a valid range.
OK henning@


# 1.632 19-Apr-2014 henning

remove altq bits here, too
(i was convinced i committed that yesterday already, hrm)


Revision tags: OPENBSD_5_5_BASE
# 1.631 22-Jan-2014 henning

branches: 1.631.4;
relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.630 21-Jan-2014 henning

if_item can be "any" now.
allows things like
block out on $someif received-on any
to prevent packets to get forwarded to $someif


# 1.629 20-Jan-2014 henning

support "!received-on <interface>", ok dlg benno


# 1.628 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.627 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


# 1.626 17-Oct-2013 henning

cannot have queue definitions inside anchors.
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@@ring0.de>, analysis & fix yours truly


# 1.625 12-Oct-2013 henning

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen


# 1.624 01-Aug-2013 mikeb

Provide local implementations of if_nametoindex(3) and if_indextoname(3)
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance wise this change provides a speed up
factor of 20 with an 11k line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).

"wow!" henning, ok benno, florian


Revision tags: OPENBSD_5_4_BASE
# 1.623 01-Jun-2013 henning

branches: 1.623.2;
remove set-tos backwards compat, moved into the set {} block a year ago
ok ryan


# 1.622 02-Mar-2013 sthen

When a PF rule contains 'set tos' *followed by* a scrub option, the tos
value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning


Revision tags: OPENBSD_5_3_BASE
# 1.621 16-Jan-2013 henning

for consistency with prio etc, the queue assignment really belongs
into the set block. so make pfctl accept, print and the manpage document
. match set queue foo
instead of
. match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc


# 1.620 18-Oct-2012 reyk

Disallow tables and interface address pools for rdr-to, nat-to and
route-to with any other scheduling algorithms than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, eg. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.

Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.

ok zinke@


# 1.619 18-Sep-2012 henning

prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb


Revision tags: OPENBSD_5_2_BASE
# 1.618 10-Jul-2012 bluhm

Allow an implicit address family for af-to rules. If the address
family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6"
there.
OK henning@ mikeb@


# 1.617 10-Jul-2012 henning

set { ... } -> set ( ... )
brought up by ryan, discussed with him and theo and they convinced me


# 1.616 09-Jul-2012 henning

fix some of the confusion we have in pf regarding filter criteria vs
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler


# 1.615 07-Jul-2012 henning

remove incorrect check in pfctl preventing set-tos for ipvshit.
the kernel has code to deal with set-tos and that crap. don't ask for
details. stuart ok


# 1.614 07-Jul-2012 henning

rename prio in struct pf_rule and related structs to set_prio so it is
utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc


Revision tags: OPENBSD_5_1_BASE
# 1.613 19-Dec-2011 mikeb

unbreak rule optimizer; ok henning, looks


# 1.612 12-Dec-2011 mikeb

fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault


# 1.611 03-Dec-2011 mcbride

pfctl_set_hostid always returns 0; don't pretend otherwise and make it a
void function instead.

ok dlg


# 1.610 13-Oct-2011 claudio

pfctl change for af-to / NAT64 support.
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@


# 1.609 07-Sep-2011 haesbaert

Avoid possible SIGSEGV when wrong tos option.


# 1.608 30-Aug-2011 mikeb

One shot rules can be used in pf.conf by specifying a "once" filter option.

ok henning, mcbride


Revision tags: OPENBSD_5_0_BASE
# 1.607 29-Jul-2011 mcbride

Remove requirement to quote 'debug' loglevel for the 'debug' option.

ok henning


# 1.606 27-Jul-2011 mcbride

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt


# 1.605 13-Jul-2011 mcbride

Force user to specify protocol when filtering on user, gid, and os
attributes (this is now required by pf_rule_test()).

ok sthen henning


# 1.604 08-Jul-2011 henning

allow rules to specify "prio X" or "prio (X, Y)" to assign priority levels
for the new priority queueing implementation. valid range is 0 to 7. the old
trick for prioritizing empty ACKs etc remains thru the latter notation
ok ryan mpf sthen plus pea testing and halex and claudio reading


# 1.603 07-Jul-2011 mcbride

Fold pf_test_fragment() into pf_test_rule(), reduce code and fixes
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus


# 1.602 04-Jul-2011 henning

bye bye require-order.
i added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo


# 1.601 03-Jul-2011 henning

g/c RIO traces (aka clean up after tedu :))


# 1.600 03-Jul-2011 zinke

bring in least-states load balancing algorithm

ok mcbride@ henning@


# 1.599 06-Apr-2011 claudio

Userland bits to allow PF to filter on the rdomain a packet belongs to.
This allows to write rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@


# 1.598 05-Apr-2011 mikeb

ditch fastroute, an ipf feature that made its way into pf before
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do. reuse some kernel bits for the upcoming nat64
stuff. "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.


Revision tags: OPENBSD_4_9_BASE
# 1.597 31-Dec-2010 bluhm

According to pf_scrub_ip6() pf does not support the scrub options
no-df, random-id, set-tos for IPv6 rules. Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@


# 1.596 15-Dec-2010 henning

make the "invalid probability:" yyerror suck less
From: Thomas Pfaff <tpfaff@tp76.info>


# 1.595 01-Dec-2010 jsg

remove some unused tokens
ok henning@ mcbride@


# 1.594 24-Sep-2010 henning

remove the check that enforced rdr-to only inbound and nat-to only outbound.
both now can be used in both directions. the kernel allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given, a rule with rdr-to and/or nat-to
and no direction is pretty certainly an error (though it would work,
technically)
ok ryan claudio dlg


# 1.593 22-Sep-2010 henning

new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually


# 1.592 02-Sep-2010 sobrado

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@


Revision tags: OPENBSD_4_8_BASE
# 1.591 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.590 03-Jul-2010 mcbride

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.

tested by phessler
ok henning


# 1.589 23-Mar-2010 henning

remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving anchors aside) is wrong and
conflicts with the general idea of how pf works. last but not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc


Revision tags: OPENBSD_4_7_BASE
# 1.588 13-Jan-2010 deraadt

Move tokens before productions into more consistent places
ok mcbride


# 1.587 13-Jan-2010 mcbride

Allow /netmask notation in redir spec, fix the rest of the regress
tests for illegal conditions in translation/routing.


# 1.586 12-Jan-2010 mcbride

We actually have to keep the translate/route spec addresses around after
collapsing into tables, so that we can handle all possible address family
expansions.


# 1.585 12-Jan-2010 mcbride

Set roundrobin flag correctly, and don't treat a bare interface
like a dynamic one in the routespec.


# 1.584 12-Jan-2010 mcbride

Add restrictions to make @if illegal outside of routing specs;
Fix binat-to sanity checks.


# 1.583 12-Jan-2010 mcbride

Fix some issues in redir spec handling, discovered thanks to dlg testing
- purge irrelevant addresses from the lists before collapsing
- ensure the lists are freed after they're collapsed
- more careful ifname copying, avoiding double-free / use-after-free traps


# 1.582 12-Jan-2010 mcbride

Don't leak @if0 format routing host names, pointed out by claudio.


# 1.581 12-Jan-2010 mcbride

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio


# 1.580 10-Jan-2010 deraadt

lex <=, >=, and != into a single token for correctness and to reduce the
lookahead in the parser
ok henning otto


# 1.579 10-Jan-2010 deraadt

In the non-optimized case, an address list containing "any" (ie. { any 10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1. How long this bug has
been with us is unclear.
ok guenther mcbride


# 1.578 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


# 1.577 24-Dec-2009 dlg

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:

pass out on em0 from $foo to $bar received-on fxp0

I've been running this in production for a week now. i find it particularly
useful with interface groups.

no objections, and a few "i like"s from henning, claudio, deraadt, mpf


# 1.576 10-Dec-2009 deraadt

plug some memory leaks; found by parfait, ok henning


# 1.575 22-Nov-2009 henning

cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing


# 1.574 09-Nov-2009 jsg

A few more places to be updated for the route pool change.
expanded version of a diff from Vadim Zhukov.

ok henning@ claudio@


# 1.573 28-Oct-2009 jsg

Add a dedicated pf pool for route options as suggested by henning,
which unbreaks ie route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@


# 1.572 28-Oct-2009 claudio

route_host initializes the netmask to a /128 no matter what af is used so
that the load balancing code does not freak out, but because of this
check_netmask() is now complaining. So set the addr.type to PF_ADDR_DYNIFTL
so check_netmask() is fixing up the netmask for IPv4 and stops complaining.
This is a partial fix for the failing regress test 13.
found with jsg, looks good henning


# 1.571 28-Oct-2009 claudio

Correct function name in err and errx.


# 1.570 04-Oct-2009 michele

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@, who spotted the limitations of this approach.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@


# 1.569 08-Sep-2009 michele

I had not enough oks to commit this diff.
Sorry.


# 1.568 08-Sep-2009 michele

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.


# 1.567 07-Sep-2009 reyk

implement binat-to as a macro-like rule: a rule using the new binat-to
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. this simplifies the migration from old
binat rules and is less error-prone.

feedback from many, manpage bits from jmc@
ok henning@


# 1.566 03-Sep-2009 reyk

this time i commit the right diff that was
ok henning@ (sorry)


# 1.565 03-Sep-2009 reyk

fix two route-to vs. rdr-to conflicts.

found by sthen@
ok henning@


# 1.564 02-Sep-2009 reyk

all the new *-to options are part of the "filteropts" section at the
end of a pf rule (nat-to, divert-to, rdr-to, ...). take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.

for example,
pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)

many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@


# 1.563 01-Sep-2009 henning

the diff theo calls me insanae for:
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too


# 1.562 28-Jul-2009 claudio

Bring back rev. 1.560:
Make it possible to use DiffServ Code Point in the TOS fields.
Requested by deraadt@


# 1.561 27-Jul-2009 deraadt

When will people learn to commit their .h file changes?


# 1.560 27-Jul-2009 claudio

Make it possible to use DiffServ Code Point in the TOS fields. Names like
af11, cs6 and ef will now be mapped to the corresponding TOS value.
OK henning@, sthen@, mcbride@


Revision tags: OPENBSD_4_6_BASE
# 1.559 14-May-2009 sthen

actually change the require-order default to No; I missed a part with
my last commit. ok deraadt@


# 1.558 26-Apr-2009 sthen

switch the require-order default to "no". regression tests still pass.
ok henning@ deraadt@


# 1.557 25-Apr-2009 henning

scrub_opts must not be empty, scrub on its own does nothing.
noticed due to a question from otto@, ok regress/sbin/pfctl/ ;)


# 1.556 06-Apr-2009 henning

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given, fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. as opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.
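The semantics spelled out in the 1.556 entry above (match rules never change the pass/block verdict, their "set" actions apply each time they match with the last setter winning, every matching rule can log) together with the log(matches) option from 1.593 are easy to get wrong when reading a ruleset. The following is an added example, not code from pfctl or from pf(4): a small Python model that replays a constructed ruleset against a few packets so the rule-interaction described in the log can be checked by hand. It is a simulation of what the commit messages state, not of pf_test_rule(); the default verdict for a packet no rule matches, and the point at which a deciding pass/block rule's own queue is applied, are assumptions of the model.

```python
# Added example: a simplified model of pf's match/pass/block rule
# interaction as described in the parse.y history (1.556, 1.593, 1.621).
# This is NOT the kernel's pf_test_rule(); rule matching is reduced to
# source/destination address equality and only queue/rtable/log actions
# are modelled.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str


@dataclass
class Rule:
    action: str                       # "pass", "block" or "match"
    src: Optional[str] = None         # None means "from any"
    dst: Optional[str] = None         # None means "to any"
    queue: Optional[str] = None       # "set queue <name>"
    rtable: Optional[int] = None      # "set rtable <n>"
    log: bool = False                 # "log"
    log_matches: bool = False         # "log (matches)"; implies log

    def __post_init__(self) -> None:
        if self.action not in ("pass", "block", "match"):
            raise ValueError("bad action %r" % self.action)
        if self.log_matches:
            self.log = True

    def matches(self, pkt: Packet) -> bool:
        return self.src in (None, pkt.src) and self.dst in (None, pkt.dst)

    def apply_set_actions(self, verdict: Verdict) -> None:
        # "the last rule that set a queue wins" (rtable works the same way)
        if self.queue is not None:
            verdict.queue = self.queue
        if self.rtable is not None:
            verdict.rtable = self.rtable


@dataclass
class Verdict:
    action: str = "pass"              # assumption: nothing matched -> pass
    queue: Optional[str] = None
    rtable: Optional[int] = None
    logged: list[int] = field(default_factory=list)  # rules that logged it


def evaluate(rules: list[Rule], pkt: Packet) -> Verdict:
    v = Verdict()
    final: Optional[tuple[int, Rule]] = None
    trace = False                     # set once a log(matches) rule matched
    for idx, r in enumerate(rules):
        if not r.matches(pkt):
            continue
        if trace and idx not in v.logged:
            v.logged.append(idx)      # 1.593: every later matching rule shows up
        if r.action == "match":
            if r.log and idx not in v.logged:
                v.logged.append(idx)  # match rules log each time they match
            if r.log_matches:
                trace = True
            r.apply_set_actions(v)    # applied now, not only if it ends up last
        else:
            final = (idx, r)          # pass/block: last matching one decides
    if final is not None:
        idx, r = final
        v.action = r.action
        r.apply_set_actions(v)        # assumption: deciding rule's own set actions
        if r.log and idx not in v.logged:
            v.logged.append(idx)
    return v


# Constructed ruleset (not from any real pf.conf), in pf.conf terms:
#   0: match log (matches) from 10.0.0.5
#   1: match set queue bulk
#   2: block
#   3: match set rtable 1
#   4: pass to 192.0.2.1
#   5: pass from 10.0.0.5 to 192.0.2.2 set queue fast
RULES = [
    Rule("match", src="10.0.0.5", log_matches=True),
    Rule("match", queue="bulk"),
    Rule("block"),
    Rule("match", rtable=1),
    Rule("pass", dst="192.0.2.1"),
    Rule("pass", src="10.0.0.5", dst="192.0.2.2", queue="fast"),
]

if __name__ == "__main__":
    for pkt in (Packet("10.0.0.5", "192.0.2.1"),
                Packet("203.0.113.9", "192.0.2.1"),
                Packet("203.0.113.9", "198.51.100.7"),
                Packet("10.0.0.5", "192.0.2.2")):
        print(pkt, "->", evaluate(RULES, pkt))
```

Running it shows the two points the log makes: a packet to 198.51.100.7 is blocked by rule 2 even though rules 1 and 3 match afterwards, yet it still carries queue "bulk" and rtable 1 from those match rules; and a packet from 10.0.0.5 gets every later matching rule recorded in `logged` because rule 0 used log(matches).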


Revision tags: OPENBSD_4_5_BASE
# 1.555 19-Feb-2009 deraadt

spacing


# 1.554 17-Oct-2008 henning

in findeol(), do not skip the pushback buffer. fixes PR 5952 by sthen@ and
should make the pushback buffer really transparent.
diagnosis by me, fix with mpf, some input deraadt, ok mpf


# 1.553 02-Oct-2008 henning

implement "set state-defaults X", where X is a list of state options as
permitted keep state(X). applies to all rules which do not have keep state
explicitly. e. g. "set state-defaults pflow, no-sync"
ok phessler deraadt


# 1.552 10-Sep-2008 deraadt

do not try to print $$ when it has not been set


# 1.551 09-Sep-2008 henning

welcome pflow(4), a netflow v5 compatible flow export interface.
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo


# 1.550 07-Aug-2008 henning

correctly copy the log interface spec when expanding an antispoof rule that
covers loopback addresses. ok ryan
problem report from Harald Dunkel <harald.dunkel@aixigo.de>


Revision tags: OPENBSD_4_4_BASE
# 1.549 03-Jul-2008 deraadt

do not forget to initialize other member of $$ in qname; noted by mark shroyer
ok henning


# 1.548 10-Jun-2008 mcbride

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt


# 1.547 10-Jun-2008 henning

new state option "sloppy" to use the sloppy tcp state tracker instead
of the good one. ok theo ryan reyk


# 1.546 09-May-2008 deraadt

Replace a crockpot of semi-cloned productions for handling port
numbers with one, and fix a few other bugs along the way
ok mpf henning


# 1.545 09-May-2008 markus

convert port byte order in the production; add port keyword; ok deraadt@


# 1.544 09-May-2008 markus

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@


# 1.543 08-May-2008 deraadt

make "to any" optional in binat, or well, the implied default.
requested by reyk, ok reyk mpf


# 1.542 08-May-2008 deraadt

Loosen grammar to permit any number of newlines within most kinds of { }
blocks, as requested by reyk; ok reyk mpf henning


# 1.541 08-May-2008 deraadt

Bring back (in a more yacc friendly way) support for setting variables
to a sequence of strings and numbers, which get folded together into one
string (and later, when used, is re-lexed)
ok mpf


# 1.540 07-May-2008 deraadt

do not assume PF_INOUT is 0 in the enum; ok mcbride


# 1.539 07-May-2008 markus

scrub packets based on tags; ok henning


# 1.538 07-May-2008 markus

allow setting TOS with scrub; ok mcbride, claudio


# 1.537 21-Apr-2008 deraadt

optnl is a crutch for those who do not understand yacc. it
leads to a variety of errors; ok mcbride


Revision tags: OPENBSD_4_3_BASE
# 1.536 01-Feb-2008 mcbride

Enable the rest of the filter_opts to be used on anchors. These were accepted
by the parser but not passed to the kernel. This allows filtering based on
uid, gid, icmp options, tcp flags, os fingerprint, tos, tags, and probability;
It also allows the label to be set. State options and tagging are not
permitted.

ok henning mpf


# 1.535 13-Nov-2007 mpf

Bring back the number converter for 'set hostid'.
I forgot to think about hex numbers when I removed it.
OK deraadt@


# 1.534 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.533 25-Oct-2007 mpf

Fix probability rules w/ numbers (e.g probability 0.4).
Add support for probabilities of 0% and 100%.
With and OK deraadt@


# 1.532 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.531 22-Oct-2007 deraadt

pfctl does not need file secrecy


# 1.530 16-Oct-2007 mpf

Allow unquoted numbers in variables.
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.

OK deraadt@


# 1.529 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.528 13-Oct-2007 deraadt

support an include directive; file of course must also be "secure" like
the main configuration file; ok henning


# 1.527 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.526 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.525 01-Oct-2007 mpf

Backout NUMBER to string conversion.
Requested by deraadt@


# 1.524 27-Sep-2007 mpf

Add loginterface support for groups.
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.

OK henning@, markus@


# 1.523 23-Sep-2007 mpf

Allow numbers to be used as unquoted strings again.
While there, also restrict the use of concatenated, unquoted
strings for variable assignments only.

Eyeballed by markus@, OK henning@


# 1.522 12-Sep-2007 deraadt

add a missing range check for rtable ids; ok cloder henning


# 1.521 12-Sep-2007 deraadt

Add support to the lex for parsing numbers out of the stream. handle
this in the parser. because the new numbers are int64_t, many new
range checks for < 0 are needed. re-check and improve all the
existing range checks while at it. thanks for help by cloder and
dhartmei


# 1.520 30-Aug-2007 dhartmei

add support for address ranges ("from 10.1.2.50 - 10.1.3.75") in from/to
criteria. ok mcbride@


Revision tags: OPENBSD_4_2_BASE
# 1.519 21-Jun-2007 henning

always initialize logif, from max laier, ok ryan


# 1.518 20-Jun-2007 mpf

Allow "log" for nat rules without "pass".
OK henning@, ``passt scho'' markus@


Revision tags: OPENBSD_4_1_BASE
# 1.517 03-Feb-2007 dhartmei

in decide_address_family(), only limit a rule to a specific address family
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@


# 1.516 07-Nov-2006 mcbride

Unbreak authpf by handling non-inline anchors separately from the { } anchors
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.

ok deraadt@


# 1.515 31-Oct-2006 mcbride

Allow pfctl ruleset optimizer to be controlled from the ruleset.

"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]

You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.

cleanup and ok henning@


# 1.514 31-Oct-2006 mcbride

- don't allow anchors with _* names to be cleared or loaded from the
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified

'looks sensible' deraadt@


# 1.513 28-Oct-2006 mcbride

Load all rules into memory before loading into the kernel, and add support
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").

anchor on fxp0 {
pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@


# 1.512 25-Oct-2006 henning

make absolutely sure logif is 0 unless set specifically, even if log is 0.
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...


# 1.511 25-Oct-2006 henning

and another nit, $$.log should be set to 0 explicitly on quick without log


# 1.510 25-Oct-2006 henning

urgs, $$.quick needs to be set to 0 explicitly on log (without quick)


# 1.509 25-Oct-2006 henning

allow the log interface to be selected like
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride


# 1.508 17-Oct-2006 mcbride

Don't automatically set 'flags S/SA' on stateless rules.

pointed out by david@

ok mpf@ dhartmei@


# 1.507 11-Oct-2006 deraadt

quotes around filename, pr 5253, sthen@zephyr.spacehopper.org


# 1.506 11-Oct-2006 mcbride

Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside
the anchor, terminate ruleset evaluation when stepping out of the anchor.

This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.

ok dhartmei@ henning@ deraadt@


# 1.505 06-Oct-2006 mcbride

Oops, flags S/SA doesn't work on fragments.


# 1.504 06-Oct-2006 mcbride

Make 'flags S/SA keep state' the implicit for filter rules, based on
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.

IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.

Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.

ok dhartmei@ deraadt@ henning@


Revision tags: OPENBSD_4_0_BASE
# 1.503 22-Aug-2006 dhartmei

back out -r1.497 (support for "tagged {}" lists), it broke "tagged" support
for nat rules. sorry, existing functionality trumps syntactic sugar. feel
free to resubmit a complete patch. closes PR 5207.


# 1.502 06-Jul-2006 henning

add "rtable" to select alternate routing tables.
with & ok claudio hshoexer


# 1.501 17-Jun-2006 henning

KNF


# 1.500 28-May-2006 mcbride

Make per-rule adaptive timeouts behave the same way as the global adaptive
timeouts.


# 1.499 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.498 02-May-2006 dhartmei

fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, create
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.


# 1.497 01-May-2006 dhartmei

add support for "tagged {}" lists, from Pierre-Yves Ritschard


# 1.496 06-Apr-2006 henning

allow lists inside lists for address specs, has been in my tree for
quite some time... theo likes


# 1.495 14-Mar-2006 djm

implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@


Revision tags: OPENBSD_3_9_BASE
# 1.494 17-Nov-2005 dhartmei

for pfctl -f rules, open the file before resetting options. when opening
the file fails, produce only the error message and leave options
unchanged. reported by Tamas TEVESZ, ok deraadt@


# 1.493 13-Oct-2005 henning

unused parameters


Revision tags: OPENBSD_3_8_BASE
# 1.492 14-Jun-2005 henning

no need to restrict tagging to stateful rules any more, dhartmei ok
From: "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.491 27-May-2005 dhartmei

get rid of 'log-all'. now that we have 'log (options)', make 'all' an
option to log. so, 'log-all' becomes 'log (all)'.


# 1.490 27-May-2005 dhartmei

get rid of shift/reduce conflicts, don't support empty logopts


# 1.489 27-May-2005 dhartmei

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v is used. note: this changes the pflog header struct, rebuild all
dependancies. ok bob@, henning@.


# 1.488 27-May-2005 dhartmei

allow 'tagged' in 'anchor' rules (without complaining about missing
'keep state'), as a condition to branch into the anchor. suggested
by Bill Marquette.


# 1.487 26-May-2005 camield

The illegalness of "no nat log" is already enforced by the grammar.

ok dhartmei


# 1.486 26-May-2005 dhartmei

support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@


# 1.485 23-May-2005 camield

remove code that duplicates getservice()

ok dhartmei mcbride


# 1.484 21-May-2005 henning

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo


# 1.483 22-Apr-2005 camield

Catch bad flags, i.e. flags that always evaluate to false. This happens
if there are flags on the left-hand side that are masked off by the
right-hand side.

ok mcbride@ (long time ago) dhartmei@ henning@


Revision tags: OPENBSD_3_7_BASE
# 1.482 07-Mar-2005 henning

print unsigned long with %lu, not with %d and not with %ld.
From: Andrey Matveev <andrushock@korovino.net>


# 1.481 06-Mar-2005 henning

allow commas in the hfsc service curve spec, inconsistency pointed out in
PR4134 / geoff@collyer.net and a longer mail exchange with han boetes


# 1.480 06-Mar-2005 dhartmei

print "set skip on" with -v in such a way that the output is valid input
syntax, instead of the cryptic hex flags output.


# 1.479 27-Feb-2005 dhartmei

support 'tagged' in translation rules, non-delayed tag lookup
ok henning@, deraadt@


# 1.478 26-Feb-2005 henning

you sure get the impression the number of memory leaks in error paths
is infinite... Andrey Matveev <andrushock@korovino.net> spotted a few again!


# 1.477 07-Feb-2005 david

KNF; ok henning@


# 1.476 28-Jan-2005 dhartmei

add messages for syntax errors that caused silent failure before.
found by Peter Fraser, ok henning@


# 1.475 27-Jan-2005 dhartmei

dynamic interface names must start with a letter. catches the nonsensical
"(10.1.2.3)" that results from a simple typo like "$(ext_ip)" instead of
"$(ext_if)".


# 1.474 05-Jan-2005 mcbride

Modify pfctl behaviour so that 'set ...' options are no longer "sticky", ie.
they are reset to default values if omitted from a subsequent ruleset load.
Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set
without resetting the others, eg:
# echo "set loginterface fxp0" | pfctl -mf -

ok henning@ dhartmei@


# 1.473 29-Dec-2004 mcbride

Print 'set fingerprints' correctly when parsing verbosely.


# 1.472 23-Dec-2004 dhartmei

set rule_flag PFRULE_SRCTRACK when setting srctrack, found by camield@
using regress test pf84


# 1.471 22-Dec-2004 dhartmei

Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@


# 1.470 15-Dec-2004 henning

missing free()s; with pat


# 1.469 10-Dec-2004 henning

allow pf to filter on route labels
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan


# 1.468 08-Dec-2004 mcbride

Add "'overload' requires 'max-src-conn' or 'max-src-conn-rate'" sanity check,
fix some cut-n-paste mayhem in other related checks.


# 1.467 07-Dec-2004 dhartmei

re-commit mcbride@'s 'flush global', this time without the breakage in
pfvar.h. builds kernel and userland.


# 1.466 07-Dec-2004 deraadt

real backout


# 1.465 07-Dec-2004 deraadt

oops, incomplete backout


# 1.464 07-Dec-2004 deraadt

tree does not compile, spotted by dlg (not obvious how to fix)
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.463 07-Dec-2004 mcbride

Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.462 05-Dec-2004 dhartmei

initialize $$->tail and $$->next for MAXSRCCONNRATE


# 1.461 04-Dec-2004 mcbride

Userland support for limiting open tcp connections per source. eg:

keep state (max-src-conn 1000, max-src-conn-rate 100/10, overload <bad> flush)

allow a maximum of 1000 open connections or 100 new connections in 10 seconds.
The addresses of offenders are added to the <bad> table which can be used in
the ruleset, and existing states from that host are flushed.

ok deraadt@ dhartmei@


# 1.460 21-Sep-2004 aaron

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok


Revision tags: OPENBSD_3_6_BASE
# 1.459 29-Jun-2004 henning

remove cedric's bogus interface name verification code.
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nice enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being bugged to regularly.
help & ok mcbride@


# 1.458 29-Jun-2004 frantzen

convert a few memcpy()s to strlcpy() so we don't copy uninitialized junk into
an interface name's slack space past the \0. will be needed for the optimizer.
ok henning@


# 1.457 26-Jun-2004 david

add back PF_INOUT, fixes reassemble tcp
ok canacar@ mcbride@


# 1.456 25-Jun-2004 deraadt

repair tree nanobreak by the nanobum


# 1.455 10-Jun-2004 dhartmei

rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
keyword in C++. ok henning@, cedric@


# 1.454 21-May-2004 dhartmei

Use '/' instead of ':' as separator for anchor path components. Note that
the parser now needs quotes around paths containing separators.
ok mcbride@


# 1.453 19-May-2004 dhartmei

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@


# 1.452 24-Apr-2004 cedric

Add "probability xxx" rule modifier. ok deraadt@


# 1.451 22-Apr-2004 henning

typo, From: Jared Yanovich <jjy2+@pitt.edu>


# 1.450 14-Apr-2004 cedric

make antispoof work with dynamic addresses. ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_5_BASE
# 1.449 20-Mar-2004 david

spelling fix; ok dhartmei@ henning@ deraadt@


# 1.448 14-Mar-2004 dhartmei

#include fixes, from Max Laier, ok beck@ henning@


# 1.447 08-Mar-2004 henning

plug 124 memory leaks
ok mcbride@ pb@ dhartmei@


# 1.446 06-Mar-2004 henning

from bgpd:
plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. err(1, "yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.445 01-Mar-2004 dhartmei

support "tagged <name>" on anchor rules, suggested by vd@vmunix.lt,
ok henning@, cedric@


# 1.444 24-Feb-2004 mcbride

'max-src-nodes' requires 'source-track rule'. Set that automatically,
unless 'source-track global' is explicit, in which case error out. Lots of
help from cedric@.

ok cedric@ henning@


# 1.443 24-Feb-2004 cedric

fixup.


# 1.442 24-Feb-2004 mcbride

Check for 'source-track rule' with 'max-src-nodes'.

ok cedric@ henning@


# 1.441 11-Feb-2004 cedric

Fix interface clobbering for link-local addresses. Found by Pyun YongHyeon.
Fix "antispoof for foo" when foo has no addresses.
ok+help dhartmei@, ok mcbride@


# 1.440 10-Feb-2004 henning

KNF


# 1.439 10-Feb-2004 henning

fix at least the worst of Cedric "KNF is for everybody but me" Berger's fuckup


# 1.438 04-Feb-2004 mcbride

Handle rules like 'pass ... proto { tcp udp icmp } ... modulate state'

ok dhartmei@ henning@


# 1.437 03-Feb-2004 henning

fix PR 3664 / jared r r spiegel
we need to save the unexpanded tag/tagged strings before entering the
expansion loop, and at each loop, start with the unexpanded tag, so that
on subsequent loops the macros are replaced with current values and not
the values from previous loop persist
ryan theo ok


# 1.436 05-Jan-2004 henning

few off by ones in strlcpy overflow check; Patrick Latifi


# 1.435 04-Jan-2004 cedric

don't ignore "!" on "binat on !foo". ok mcbride@


# 1.434 31-Dec-2003 deraadt

spacing. note this, cedric


# 1.433 31-Dec-2003 cedric

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to a group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@


# 1.432 30-Dec-2003 henning

fix TAILQ abuse.
TAILQ_REMOVE is a no-no within a TAILQ_FOREACH loop.
also free the symbol itself after removal.
all found while hacking bgpd which incorporates pfctl's sym code (macros).

ok cedric@


# 1.431 19-Dec-2003 henning

i wrote much of these, assert my copyright


# 1.430 19-Dec-2003 deraadt

assert copyright. i rewrite much of this


# 1.429 16-Dec-2003 mcbride

Check that max-src-states and max-src-nodes are not being set to 0.


# 1.428 15-Dec-2003 henning

KNF here too


# 1.427 15-Dec-2003 mcbride

Whitespace.


# 1.426 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


# 1.425 15-Dec-2003 mcbride

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@


# 1.424 29-Nov-2003 dhartmei

allow ':' (range including boundaries) to be used wherever '><' (range
excluding boundaries) is legal. already supported by kernel, requires only
removal of three error messages. ok henning@


# 1.423 22-Nov-2003 henning

daniel stumbled over a broken regress test, and it turned out that I forgot
to commit a diff from 11/6...
do not insert the "block in on ! interface" rule for antispoof statements when
the interface in question does not have any IP address, because that then
expands to
block in on ! interface all
which is obviously bad.
niklas@ found it, dhartmei@ ok, and I think some more ppl ok I don't remember


# 1.422 14-Nov-2003 henning

allow the debuglevel to be set from pf.conf (set debug)

ok cedric@


# 1.421 08-Nov-2003 mcbride

Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.

pass in proto tcp to self flags S/SA keep state (no-sync)

ok cedric@ henning@ dhartmei@


# 1.420 06-Nov-2003 henning

and fix two err() that should be errx() while being here


# 1.419 06-Nov-2003 henning

need calloc here


# 1.418 06-Nov-2003 henning

allow the label macros to be used in tags as well.
the idea is not mine and I'd love to get credit, but I cannot find the mail
any more :-((

ok canacar@ dhartmei@


# 1.417 21-Oct-2003 itojun

don't use NULL as (int)0. henning ok


# 1.416 26-Sep-2003 cedric

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:

- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK

Ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_4_BASE
# 1.415 01-Sep-2003 henning

KNF


# 1.414 28-Aug-2003 kjell

This change is busted. what's worse, REGRESSION TESTS WOULD HAVE CAUGHT IT!
You MUST test network stack changes on BOTH BYTE-ORDERS.
Someone can fix this later, but right now I need to get the damn
firewall up. Grr.


# 1.413 26-Aug-2003 dhartmei

catch port/user/group a <>/>< b with a >= b, from mpech@


# 1.412 25-Aug-2003 dhartmei

catch return-rst ttl values > 255, from aaron@


# 1.411 24-Aug-2003 cedric

Tweaks:
- Make sure we allow only tables in round-robin pools for routing options,
same as what we do for translation rules.
- Don't reject rules like: "nat on sis0 -> <foo>" because
"no address family is given". This is perfectly valid.
ok henning@


# 1.410 22-Aug-2003 david

pf spelling police
ok dhartmei@ jmc@


# 1.409 21-Aug-2003 frantzen

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001


# 1.408 20-Aug-2003 henning

braindeadness police: catch queues which specify itself as child... 'nuff said


# 1.407 20-Aug-2003 henning

err out nicer on errors in queue def


# 1.406 18-Aug-2003 dhartmei

catch max-mss values > 65535, report by Gregory Steuck


# 1.405 09-Aug-2003 cedric

This patch removes the restriction that tables cannot be used in routing or
redirection rules...

The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.

This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.

Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"

ok henning@ mcbride@


# 1.404 29-Jul-2003 deraadt

indent


# 1.403 19-Jul-2003 cedric

Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
instead of indirectly through struct pf_rule_addr.

Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.

Needless to say: KERNEL/USERLAND SYNC REQUIRED.

ok henning@ mcbride@


# 1.402 18-Jul-2003 cedric

Simplify handling of flags (-R, -N...). Remove PFCTL_FLAG_ALL.
ok dhartmei@


# 1.401 15-Jul-2003 cedric

Repair memory management in table parsing code.
I need vacations.
Found and verified by Pyun YongHyeon.
ok dhartmei@


# 1.400 14-Jul-2003 dhartmei

tpo


# 1.399 11-Jul-2003 cedric

Better parsing and -v support for tables:

- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and brings table definition consistent with other
parsed rules.

ok dhartmei@


# 1.398 10-Jul-2003 cedric

Fix merging of host lists.
ok dhartmei@ henning@


# 1.397 04-Jul-2003 henning

KNF after cedric (grmpf)


# 1.396 04-Jul-2003 henning

allow for a "pass" modifier on translation rules:
nat pass on $ext_if from $a to $b -> $ext_if
when the pass modifier is given, the filter ruleset is _not_ evaluated but
the packets matching this translation rule are passed unconditionally.

ok dhartmei@ cedric@ markus@


# 1.395 03-Jul-2003 cedric

Bye bye atexit(), bye bye globals...
The pfctl.c part will probably need some further improvements.
ok henning@


# 1.394 03-Jul-2003 cedric

This patch finally cleans up pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@


# 1.393 19-Jun-2003 deraadt

knf


# 1.392 18-Jun-2003 henning

change expand_label_addr() to use a switch (h->addr.type) instead of
if .. else if .. else, and handle PF_ADDR_NOROUTE as well.
inspired by a comment from cedric.


# 1.391 18-Jun-2003 henning

when expanding the $srcaddr/$dstaddr label macros and the address is actually
a table reference, don't print nonsense but the table name.
found by claudio jeker, fix by me, agreement by cedric


# 1.390 09-Jun-2003 mcbride

Attempt to resolve byte order confusion in nat code once and for all.

- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()

NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.


# 1.389 25-May-2003 henning

must not run check_netmask() before remove_invalid_hosts() - binat case had it
wrong for the redirection target.
reported by jared r r spiegel <jrrs@ice-nine.org>


# 1.388 19-May-2003 henning

reject invalid netmasks like 10.0.0.0/68, and fix up the netmask for
dynaddr rules after we know the address family

ok dhartmei@, inspired by a session with bob


# 1.387 19-May-2003 henning

all host() receivers have to test for NULL


# 1.386 19-May-2003 henning

if host() returns NULL, it is an error, so err the fuck out and don't
load bullshit


# 1.385 17-May-2003 henning

support inverse matching on tags like
block in ! tagged sometag

ok dhartmei@ pb@


# 1.384 16-May-2003 dhartmei

TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive end-
point, preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@


# 1.383 15-May-2003 henning

properly complain about too long tags


# 1.382 14-May-2003 frantzen

add scrub modifier "reassemble tcp" to turn on stateful TCP normalizations
ok henning@ dhartmei@


# 1.381 14-May-2003 henning

tagging on binat


# 1.380 14-May-2003 henning

enabled tagging on rdr rules


# 1.379 14-May-2003 henning

with tag/tagged given, only whine about missing keep state on pass rules


# 1.378 14-May-2003 frantzen

allow SCRUB rules to specify protocol again. broken sometime in the past.
okie dhartmei@, yay pb@


# 1.377 14-May-2003 henning

tags on nat rules:
nat on $ext_if all tag humppa -> $ext_if
pass out tagged humppa keep state


# 1.376 13-May-2003 henning

make sure tagging is only ever used with stateful filter rules


# 1.375 13-May-2003 henning

userland part for tagging.
it's now possible to tag packets with an arbitrary tag and filter based on
that tag later on other interfaces:
pass in quick on fxp0 keep state tag blah
pass out quick on wi0 keep state with tag blah
can be used to express trust between interfaces, to distinguish between
NATed connections and connections originating from the firewall itself
and much more

ok dhartmei@ frantzen@ pb@ mcbride@


# 1.374 11-May-2003 mcbride

Don't ntohs() the translation port for nat as it is already in host byte order.
Makes nat ... -> $ext_if port 500 rules work correctly again.

ok henning@ dhartmei@ frantzen@


# 1.373 10-May-2003 henning

support loading of anchors from within the main ruleset via
load anchor anchorname:rulesetname file /path/to/file

ok pb@ dhartmei@ cedric@


# 1.372 03-May-2003 henning

don't free() the char * carrying the rule label too early
noticed by Mathieu Sauve-Frankel <m.sauve at secureops.net> via silc


# 1.371 01-May-2003 henning

ease label handling

ok cedric@


# 1.370 01-May-2003 henning

allow label on antispoof; requested by Gregor Binder <gbinder at sysfive.com>

ok cedric@


# 1.369 30-Apr-2003 cedric

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@


# 1.368 25-Apr-2003 dhartmei

Properly copy the second part of nat proxy port range, when specified.
ok henning@


# 1.367 15-Apr-2003 henning

pass down the unparsed queue opts (struct node_queue_opt) to
print_altq/print_hfsc -> print_hfsc_opts and extract struct node_hfsc_sc
there for each service curve and pass those down to print_hfsc_sc. now
bandwidth specifications in the service curves are printed correctly in the
case of a queue belonging to more than one interface/parent queue, the
parent queues having different bandwidths and the bandwidth on the service
curve being specified in percent.


# 1.366 14-Apr-2003 henning

let print_altq and print_queue take a struct node_queue_bw parameter instead
of distinct bw_percent


# 1.365 13-Apr-2003 henning

KNF


# 1.364 13-Apr-2003 henning

prevent double service curve specification


# 1.363 13-Apr-2003 henning

add support for the HFSC linkshare, realtime, and upperlimit service curves
to be specified.


# 1.362 13-Apr-2003 dhartmei

unbreak (missing })


# 1.361 13-Apr-2003 henning

say bye bye to hfscflags_list and hfscflags_item
welcome hfscopts_list and hfscopts_item, returning a full struct
node_hfsc_opt instead of just an int for the flags. needed because of all
the opts hfsc knows


# 1.360 13-Apr-2003 henning

new struct node_hfsc_opts for, surprise, hfsc options. needed because they
contain bandwidth specifications and we need to carry the unprocessed bw
specs around for quite some time until we can break them down to absolute
values.


# 1.359 13-Apr-2003 henning

pass down the struct node_queue_opts from the altqif/queuespec yacc targets
to expand_altq/expand_queue -> eval_pfaltq/eval_pfqueue and
further down to the new eval_queue_opts() instead of evaluating them directly
in the yacc grammar.
this will be needed to process the hfsc options which can contain relative
bandwidth specifications, and we can't break them down to an absolute one
earlier.


# 1.358 13-Apr-2003 henning

move the structs node_queue_bw and node_queue_opt to pfctl_parser.h.
let eval_pfqueue() and eval_pfaltq() take a pointer to a struct
node_queue_bw instead of two distinct bw_absolute and bw_percent parameters.


# 1.357 13-Apr-2003 henning

move the bandwidth keyword from within the bandwidth target up to the
queue_opts target so the bandwidth parser can be used for other things too;
will be needed for hfsc's linkshare etc


# 1.356 12-Apr-2003 henning

initial support for the HFSC scheduler.
whoever uses that for more than toying around is on drugs. it's far from done.


# 1.355 11-Apr-2003 henning

KNF


# 1.354 11-Apr-2003 henning

don't set r->qid and r->pqid in expand_rule any more, queue name -> queue ID
mapping is done in kernel land now


# 1.353 07-Apr-2003 dhartmei

Catch and refuse invalid icmp codes (> 255). ok pb@, mpech@.


# 1.352 05-Apr-2003 henning

ease netmask handling a bit

input theo, ok dhartmei@


# 1.351 05-Apr-2003 henning

allow queue specs to be limited to certain interfaces.

altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two }
queue one priority 1 priq(default)
queue two on $if0 priority 15
queue two on ! $if0 priority 0

ok dhartmei@


# 1.350 05-Apr-2003 henning

whitespace KNF


# 1.349 04-Apr-2003 henning

clean up:
instead of letting the lexer interpret '<' '>' '=' '>=' '<=' and return them
as PF_OP_LT, PF_OP_GT etc etc etc in PORTUNARY, just let the lexer return
'<' '>' and '=' literally, and in the few cases where the old PORTUNARY was
really used like originally intended, replace that by a new unaryop yacc
target. in all other cases that gets rid of quite some checks whether PORTUNARY
is really < and nothing else etc etc etc.

ok cedric@ deraadt@


# 1.348 27-Mar-2003 henning

lotsa const char *
from David Hill <david at phobia.ms> a while ago


# 1.347 27-Mar-2003 henning

introduce a "yesno" target. eases code a bit and yes is no keyword any more.


# 1.346 27-Mar-2003 henning

handle invalid priq/cbq flags better and give a nice error message


# 1.345 27-Mar-2003 henning

default, borrow, ecn, red and rio are no keywords any more. use STRING and
strcmp instead.


# 1.344 27-Mar-2003 henning

switch symset/symget to TAILQ instead of using hand baked lists

ok dhartmei@ cedric@


Revision tags: OPENBSD_3_3_BASE
# 1.343 19-Mar-2003 henning

branches: 1.343.2;
kill the address token and move the host() invocation up to the host token,
so that host() always gets the full address to be parsed including the
netmask instead of applying the netmask afterwards. this could break some
edge cases and was broken since the (interface)/24 fix.
new token dynaddr for, well, dynaddr, and apply an eventually given netmask
afterwards in the host token just in this case.

found after bug report From: Julien Bordet <zejames@greyhats.org> via dhartmei

ok daniel cedric


# 1.342 10-Mar-2003 henning

correctly cope with errors returned by eval_pfqueue and pfctl_add_altq

ok dhartmei@ pb@ (as part of... you know, monsterdiff)


# 1.341 10-Mar-2003 henning

when complaining about a queue without parent, include the queue name in
the error message

ok dhartmei@ pb@ (as part of a monsterdiff)


# 1.340 09-Mar-2003 henning

cope with LOOP_THROUGH modifying the list (queues).
in case of an error in the queue def in question the queues list remains
unmodified, but the LOOP_THROUGH caused a mod anyway, and the list can stay
empty. subsequent checks for NULL which check for an empty list fail then.
fix by adding an explicit check before looping.
fixes regress pfail31
error report by Kamil Andrusz via pb@, testcase from pb@
ok dhartmei@


# 1.339 09-Mar-2003 henning

cope with the fact that LOOP_THROUGH loops once even if the list is empty by
moving the addition of child queues a bit down after the successful
addition of the current queue and an explicit NULL check before looping.
fixes regress pf59
found by kjc@
ok kjc@ cedric@ dhartmei@


# 1.338 08-Mar-2003 henning

fix the obvious:
since we do not modify the struct pf_altq *a any more but our private copy,
we can of course not inherit the scheduler type from it, since it did not
inherit the scheduler type from the parent.
so just inherit the scheduler type from the parent directly...

ok dhartmei@ cedric@


# 1.337 08-Mar-2003 henning

in expand_queue, make a private copy of the struct pf_altq before modifying
it. modifying the original one had undesired side effects if a queue was
expanded to more than one because it belonged to more than one interface

ok pb@ cedric@ dhartmei@


# 1.336 06-Mar-2003 henning

fix queue assignment on filter rules which are not bound to an interface.
when looking up the queue IDs using qname_to_qid, we do not need to limit
the matching on the interface in question, as it is guaranteed that same
named queues on different interfaces have the same queue id. moreover, we
must not limit the matches to the interface if we do not have an interface
given on the filter rule to match on ;-)

found after problems reported by Andre Nathan <andre at v2r dot com dot br>

ok dhartmei@ pb@ cedric@


# 1.335 02-Mar-2003 henning

when printing queues at load time that have bandwidth specified in percent,
print the bandwidth in percent instead of the calculated absolute value.
if a queue belongs to more than one interface and they have different
bandwidth the calculated absolute is of course different per interface.
previously the first calculated absolute value was shown; what of course is
incorrect on the second interface. note that only the print was wrong, the
correct values were passed to the kernel.

ok theo daniel


# 1.334 02-Mar-2003 henning

remove the control keyword for cbq queues.
the control class was a legacy of the original CBQ design by LBL/Sun
to support RSVP.
the control class is not used in openbsd, in the sense that
we don't automatically set filters for ICMP/IGMP/RSVP for the control
class.

ok dhartmei@ kjc@ deraadt@


# 1.333 27-Feb-2003 david

modify error message to match the same 7 sections in pf.conf(5)
ok deraadt@ henning@


# 1.332 26-Feb-2003 henning

in expand_rule, correctly set r->pqid if a priority queue was defined, and
reuse the value of r->qid if not.

ok dhartmei@ mcbride@


# 1.331 25-Feb-2003 henning

some minor KNF my fingers just did...

ok dhartmei@ cedric@


# 1.330 25-Feb-2003 cedric

repair/simplify/flexify binat userland.
ok dhartmei@ henning@


# 1.329 24-Feb-2003 henning

when a macro is redefined, don't bother with reusing the existing entry in
symset() but just prepend a new sym entry to symhead like we always did. as
symget searches the list sequentially, the newest one is picked first.
prevents an endless loop introduced when trying to reuse the existing entry
by an invalid setting for the next pointer.
fixes regress test pf57.

found after conversation with Chris Linn, celinn at mtu dot edu

ok dhartmei@ cedric@


# 1.328 21-Feb-2003 henning

re-allow set loginterface none
ok cedric@ dhartmei@


# 1.327 21-Feb-2003 henning

better error message if set loginterface is called with nonexistent
interface, found by krause (who is doing EXCELLENT work. Thank you very
much!), fix by me, ok dhartmei@ and cedric@


# 1.326 20-Feb-2003 henning

reject nonexistent interfaces in the dynaddr case, noticed during discussion
with jasondixon at myrealbox dot com

ok dhartmei@


# 1.325 19-Feb-2003 dhartmei

Make 'from (kue0)/24' work again (dynamic interface name translation with
a /prefix), reported by Jason Dixon. ok henning@


# 1.324 19-Feb-2003 henning

better error message on icmp version / address family mismatch

ok markus@


# 1.323 18-Feb-2003 henning

fix load option handling (-A, -N, -R) for options.
due to a bug in the loadopt check options were always loaded no matter which
loadopts were specified.
while being there, move the prints for that to where they belong, into the
appropriate pfctl_set_* functions, and thus only print when the options are
actually loaded.
fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier.

ok dhartmei@


# 1.322 17-Feb-2003 henning

"optarg" was a bad pick for the variable name in pfctl_cmdline_symset, it
shadows a global. rename.


# 1.321 17-Feb-2003 mpech

-#include <sys/ioctl.h>

mcbride@, dhartmei@ ok


# 1.320 16-Feb-2003 henning

unneeded {}


# 1.319 16-Feb-2003 henning

throw a syntax error if the portunary operator in varset is no '='
extif>"whatever"
should not be the same as
extif="whatever"
but a syntax error.


# 1.318 14-Feb-2003 dhartmei

Allow route-to loopback interfaces again, since Ryan fixed the loops that
might have occurred before.


# 1.317 14-Feb-2003 cedric

Better and more consistent error message.
Ok dhartmei@


# 1.316 13-Feb-2003 henning

ease the yacc a bit by using a "not" rule instead of having two rules w/ and
without '!' everywhere

ok dhartmei@


# 1.315 12-Feb-2003 henning

KNF after ryan


# 1.314 12-Feb-2003 mcbride

Simplify the code and make the parser handle the different rule types
more consistently.

- Merge expand_nat and expand_rdr into expand_rule
- Merge rdrrule token into natrule

ok concept henning@
ok dhartmei@


# 1.313 11-Feb-2003 henning

allow macro definition on the command line:
pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea
theo), very handy if your notebook has another NIC at some conference, as
well as for debugging etc.
idea rezine@mistrusted.net via pb@
hacked live at FOSDEM

ok pb@ dhartmei@ cedric@


# 1.312 09-Feb-2003 henning

more live code from FOSDEM:
make
pass in proto tcp to port 80
work.
-allow to omit the "any" if you're specifying a port
-allow to omit the from or to part if you want "any" for the other

ok dhartmei@ pb@


# 1.311 09-Feb-2003 henning

KNF


# 1.310 09-Feb-2003 camield

Fix a few warnings and remove unnecessary check and cast.

ok dhartmei henning


# 1.309 08-Feb-2003 dhartmei

Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@


# 1.308 05-Feb-2003 cedric

Fix "pass out dup-to (tun0 1.1.1.1) inet6 all" error message
Allow "pass out dup-to tun0 all"
ok mcbride@ henning@


# 1.307 05-Feb-2003 mcbride

Set the network mask to all 1's if no address is specified for a
route-to/dup-to/reply-to rule. Keeps round-robin from incrementing through
the entire address space.

ok dhartmei@


# 1.306 03-Feb-2003 deraadt

pretty


# 1.305 03-Feb-2003 dhartmei

Don't allow loopback interfaces as route/reply/dup-to targets. ok henning@


# 1.304 03-Feb-2003 cedric

remove loadopt global definition and cleanup a bit.
ok henning@


# 1.303 03-Feb-2003 henning

fix a problem with queue definitions when load options (like -N etc) are
given; they used to check for their parent interface/queue even in this
case.

ok dhartmei@ cedric@


# 1.302 02-Feb-2003 henning

there is no need to pass opts to parse_rules explicitly; it's passed as
part of the struct pfctl.


# 1.301 27-Jan-2003 deraadt

KNF


# 1.300 25-Jan-2003 mcbride

Match changes for rdr port ranges made to pf.c:
- fixes behaviour of rdr on le0 from foo to bar port 1:20 -> (lo0) port 22
- makes calculated mapping more explicit for the -> (lo0) port 22:* case

testing from dhartmei@

ok dhartmei@


# 1.299 25-Jan-2003 cedric

Fix NOACTION with table statements.


# 1.298 25-Jan-2003 cedric

Permit initialisation of a table content from a file in pf.conf.
Cleaning up of the table options parsing, more flexible.
idea+cleanup deraadt@, ok dhartmei@, pass all regress tests.


# 1.297 25-Jan-2003 cedric

Correctly check illegal constructs with tables. Better error messages.
ok dhartmei@ pass all regress tests.


# 1.296 25-Jan-2003 henning

if a table name is too long, it's actually nice to tell so instead of just
aborting with a syntax error


# 1.295 20-Jan-2003 camield

Remove unused argument from print_name() and fix two other nits
found by lint.

ok henning


# 1.294 19-Jan-2003 camield

Spin off label string expansion into a separate function. Clarifies
and tightens all expand_label functions.

ok dhartmei henning


# 1.293 18-Jan-2003 henning

KNF after ryan...


# 1.292 18-Jan-2003 mcbride

Add missing token string and assignment to make static-port work for real.

Diff and report courtesy of mpech@ and form@

ok dhartmei@


# 1.291 17-Jan-2003 camield

bandwith -> bandwidth

YYERROR on failed parseicmpspec()

ok dhartmei mcbride henning


# 1.290 15-Jan-2003 mpech

Typo in yyerror().

henning@


# 1.289 14-Jan-2003 henning

unified IP parser:
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h]
-extend host() to handle /mask itself, plus minor adjustments
-use that in pfctl_table.c instead of coding the same shit again

discussed w/ cedric@
ok cedric@ dhartmei@


# 1.288 13-Jan-2003 camield

err() on all memory allocation failures

ok henning dhartmei


# 1.287 11-Jan-2003 mcbride

Whitespace KNF


# 1.286 09-Jan-2003 henning

no need for explicit numbering in enums

ok dhartmei@


# 1.285 09-Jan-2003 dhartmei

Check return values on the remaining strlcpy/strlcat. ok henning@


# 1.284 09-Jan-2003 henning

minor KNF


# 1.283 09-Jan-2003 cedric

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@


# 1.282 08-Jan-2003 deraadt

check more strlcpy; camield@


# 1.281 07-Jan-2003 dhartmei

Allow underscore at the beginning of strings, fixes
pass all user _spamd
which was refused as syntax error before. Reported by Joe Nall.
ok henning@


# 1.280 07-Jan-2003 dhartmei

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@


# 1.279 06-Jan-2003 mcbride

Fix some oversights with address pools for route-to/dup-to/reply-to
- copy key for src-hash
- copy pool type (pools were being set to round-robin in all cases)

+ some minor knf.

ok dhartmei@


# 1.278 05-Jan-2003 henning

err after calloc failure, not errx


# 1.277 05-Jan-2003 dhartmei

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@


# 1.276 04-Jan-2003 dhartmei

move noroute from flag in pf_rule_addr into type in pf_addr_wrap.
ok henning@, mcbride@


# 1.275 04-Jan-2003 deraadt

I do not know where this policy of "one .h file for every .c file" comes
from, but whoever thought of it is stupid.


# 1.274 03-Jan-2003 dhartmei

whitespace KNF (no, i don't touch the option inits)


# 1.273 03-Jan-2003 cedric

Bring in userland code for accessing PF radix tables.
ok dhartmei@ mcbride@


# 1.272 02-Jan-2003 mcbride

Require a direction to be specified for rules which do routing.

ok dhartmei@ henning@


# 1.271 30-Dec-2002 mcbride

Change ipv6-icmp-type to icmp6-type. pf.conf files will need to be adjusted
to reflect this.

ok dhartmei@ henning@


# 1.270 27-Dec-2002 mcbride

Since pf_norm.c looks at rule.log to see if it should log packets being
dropped due to scrub violations, this adds the ability to set this in
pf.conf.

ok henning@


# 1.269 21-Dec-2002 henning

always initialize rpool.key; diff from Frank Denis; KNF by me


# 1.268 21-Dec-2002 henning

KNF


# 1.267 20-Dec-2002 dhartmei

remove a redundant assignment.


# 1.266 19-Dec-2002 dhartmei

fix 'no rdr'.


# 1.265 18-Dec-2002 henning

more KNF


# 1.264 18-Dec-2002 dhartmei

proto list expansion is not supported in binat-anchor yet, print an error
when attempted.


# 1.263 18-Dec-2002 dhartmei

Support (single) destination port in rdr-anchor rules. Print an error
where parameters are not supported (in rdr-anchor and binat-anchor) yet.
If those are needed, we'll have to expand them properly.


# 1.262 18-Dec-2002 deraadt

fix some INCREDIBLE new bugs which were introduced


# 1.261 17-Dec-2002 henning

add support for the PRIQ scheduler

partially from kjc@

ok kjc@ dhartmei@


# 1.260 17-Dec-2002 mcbride

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule

ok dhartmei@ henning@


# 1.259 17-Dec-2002 henning

missing break in switch


# 1.258 17-Dec-2002 henning

beautify the %type block


# 1.257 17-Dec-2002 henning

PRIQ and HFSC support functions, not yet used.
mostly from kjc@ with adjustments by me.

ok theo ryan daniel


# 1.256 16-Dec-2002 henning

only create a root queue if scheduler = cbq


# 1.255 16-Dec-2002 henning

get full [scheduler]_opts struct instead of just .flags, and wrap in into a
switch (scheduler) statement in one case

inspired by kjc@


# 1.254 13-Dec-2002 henning

allow a second queue for higher prioritized (currently: tos=lowdelay) packets
to be specified per rule

queue (qname, priorized_qname)

idea dhartmei
ok dhartmei@ frantzen@ deraadt@


# 1.253 13-Dec-2002 henning

a bit KNF originally part of another diff soon to come; frantzen@ correctly
pointed out that should be a separate commit.


# 1.252 13-Dec-2002 deraadt

permit re-ordering of some scrub parameters, and also clean up some other
grammar baloney; henning ok


# 1.251 12-Dec-2002 henning

KNF


# 1.250 12-Dec-2002 henning

we don't need to keep a private copy of the queue name in expand_rule,
r->qname is never modified

discussed with dhartmei@


# 1.249 11-Dec-2002 mcbride

Replace strncpy + ugly pointer math with sscanf for reading source-hash keys

ok dhartmei@ henning@


# 1.248 09-Dec-2002 dhartmei

(properly guarded) strcpy() -> strlcpy()


# 1.247 09-Dec-2002 deraadt

do not allow redefinitions in variable option blocks; henning ok


# 1.246 08-Dec-2002 henning

strncpy is evil.


# 1.245 08-Dec-2002 henning

allow flexible options order like Theo did for rules.

idea, lots of input, motivation and ok deraadt@

ATTENTION:
this changes the syntax. the "scheduler" keyword is gone now.
old: altq on $interface scheduler cbq ...
new: altq on $interface cbq ...


# 1.244 07-Dec-2002 dhartmei

Support parameters in anchor rules. Allows conditional evaluation, like:

anchor spews inet proto tcp from any to any port smtp

ok deraadt


# 1.243 07-Dec-2002 henning

more KNF


# 1.242 07-Dec-2002 henning

KNF


# 1.241 07-Dec-2002 henning

shadow cleanup

ok mcbride@ frantzen@


# 1.240 07-Dec-2002 henning

kill an unused param to lungetc


# 1.239 07-Dec-2002 mcbride

Convert the hash of a string key to network byte order. Makes regression
work on all platforms.

Bug found by dhartmei@

ok dhartmei@ henning@


# 1.238 06-Dec-2002 dhartmei

Remove negated address list check again, doesn't work right yet.


# 1.237 06-Dec-2002 dhartmei

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@


# 1.236 05-Dec-2002 henning

fix a small cosmetic problem. if ifa_lookup was called in LOOKUP_NET mode,
it would return things like 127.0.0.1/8. when 127.0.0.1/8 is passed through
the new selftests, it becomes 127.0.0.0/8.
fix: instead of just copying addr.mask in ifa_lookup, use set_ipmask, so it
is 127.0.0.0/8 from the beginning on.


# 1.235 05-Dec-2002 henning

-quote varset in -v output
-don't add 's' in set timeout -v output

makes the feedback regression tests succeed.

ok markus@ mcbride@


# 1.234 04-Dec-2002 henning

in host(), apply a given netmask to all members of the node_host list
returned by ifa_lookup().

reported by Alejandro G. Belluscio

ok dhartmei@


# 1.233 04-Dec-2002 deraadt

do not warn for unused variables except with -v -v; henning ok


# 1.232 02-Dec-2002 henning

KNF


# 1.231 02-Dec-2002 deraadt

permit more flexible pass/block lines. the options given at the end of
a line can now be placed in any order, and some merging of duplicate options
is also done. this is easier to use.


# 1.230 02-Dec-2002 henning

allow for "altq on $interface" without specifying a bandwidth. The
interface's bandwidth is taken then.
as a side-effect, "altq on $interface bandwidth xx%" is also possible now,
it's relative to the interface's bandwidth then.

ok theo


# 1.229 30-Nov-2002 mickey

move damn unmask() proto into place as well


# 1.228 29-Nov-2002 henning

coredumps are not nice.
deal with the fact that when we are merging the lists in host_list both can
be NULL.
found at EuroBSDCon 2002 while I was explaining the expansion process to
Paul de Weerd

ok dhartmei@


# 1.227 29-Nov-2002 henning

print queuespec only once in verbose mode, even if referenced more often


# 1.226 29-Nov-2002 henning

FREE_LIST nqueues later; can be used more than once


# 1.225 28-Nov-2002 henning

allow qlimit on altq spec


# 1.224 28-Nov-2002 mcbride

- Adjust to match replacement of md5 with pf_hash
- Allow keys to be specified in hex (must be 128 bits, mainly to make
pfctl -v output parseable by pfctl) or as a string. Randomly generate key
if one is not specified.

Suggestions and fixes from camield@

ok mickey@ camield@ henning@


# 1.223 27-Nov-2002 henning

handle the "no bandwidth specified" case earlier and easier.


# 1.222 27-Nov-2002 henning

-use a #define for default qlimit instead of hardcoding it
-print qlimit in print_queue if it is not the default one
-assign the default qlimit early in the parser instead of using 0


# 1.221 27-Nov-2002 henning

next round in print fixes:
-only print priority if it is not equal to the default one
-space handling overhaul


# 1.220 27-Nov-2002 henning

use a #define for default priority instead of hardcoding it


# 1.219 27-Nov-2002 henning

fix tbrsize spec


# 1.218 27-Nov-2002 henning

fix error message for altq ifspec without child queues


# 1.217 26-Nov-2002 henning

make bandwidth specification on queue truly optional


# 1.216 26-Nov-2002 henning

queue comes before NAT


# 1.215 25-Nov-2002 henning

repair decide_address_family
you cannot just take the first address family you meet as the rule's address
family... either all are equal, or the rule has no explicit AF.

found by danh@
ok theo


# 1.214 25-Nov-2002 mickey

for loN and link1 translate the iface into address properly; henning@ ok


# 1.213 25-Nov-2002 henning

1Kb = 1000b, not 1024; as discussed with kjc@ and theo


# 1.212 25-Nov-2002 henning

KNF


# 1.211 24-Nov-2002 pb

enforce that queue comes right before filtering
'options, normalization, translation, queue, filter' now

henning@ ok


# 1.210 24-Nov-2002 dhartmei

Cosmetics and removal of a redundant code block.


# 1.209 23-Nov-2002 deraadt

sigh


# 1.208 23-Nov-2002 henning

KNF


# 1.207 23-Nov-2002 henning

better error checking in expand_queue


# 1.206 23-Nov-2002 henning

easier


# 1.205 23-Nov-2002 mcbride

Daniel's diff to untangle my mess with ifa_pick_ips like so:

- add decide_address_family() which runs through the list to find hosts
with the af set
- replace ifa_pick_ips with remove_invalid_hosts() which removes hosts with
the wrong address family from the list

from/ok dhartmei@
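
The two entries above (1.215 and 1.205) describe how the parser settles a rule's address family: either every host in the expanded lists agrees, or the rule has no implicit family, and hosts of the wrong family are then removed before expansion. The following is an added Python model of that logic, not pfctl's own code; the function names follow the log, the triple format returned by expand_rule() and the rule that a v4 source is never paired with a v6 destination are assumptions made for the example.

```python
import ipaddress

# Added example, not pfctl's own code: a model of decide_address_family()
# and remove_invalid_hosts() as the two log entries describe them, applied
# to the expansion of a rule whose source and destination are {} lists.
# A rule's explicit "inet"/"inet6" is passed as explicit_af (4, 6 or None).

def expand_hosts(addrs):
    """Expand an address list into network objects; the mask is applied
    here (strict=False) so a list such as { 10.0.0.0/8, 2001:db8::/32 }
    works."""
    return [ipaddress.ip_network(a, strict=False) for a in addrs]


def decide_address_family(hosts, explicit_af=None):
    """Return 4, 6 or None for the rule.

    Per 1.215 the first family encountered is not simply taken: either all
    hosts agree, or the rule has no single implicit address family (None).
    """
    if explicit_af is not None:
        return explicit_af
    families = {h.version for h in hosts}
    return families.pop() if len(families) == 1 else None


def remove_invalid_hosts(hosts, af):
    """Per 1.205, drop hosts whose family does not match the rule's af;
    with af None nothing can be wrong and the list is returned unchanged."""
    if af is None:
        return list(hosts)
    return [h for h in hosts if h.version == af]


def expand_rule(src, dst, explicit_af=None):
    """Expand one rule into (af, src, dst) triples, one per address pair.

    Assumption: a source and a destination of different families never
    form a rule; such pairs are skipped rather than reported.
    """
    srcs, dsts = expand_hosts(src), expand_hosts(dst)
    af = decide_address_family(srcs + dsts, explicit_af)
    srcs, dsts = remove_invalid_hosts(srcs, af), remove_invalid_hosts(dsts, af)
    return [(s.version, str(s), str(d))
            for s in srcs for d in dsts if s.version == d.version]


if __name__ == "__main__":
    # Constructed sample: mixed v4/v6 lists without an explicit family.
    for r in expand_rule(["10.0.0.1", "2001:db8::1"],
                         ["192.0.2.0/24", "2001:db8:1::/64"]):
        print(r)
```

With no explicit family the mixed sample yields one inet and one inet6 rule; with explicit_af=4 the v6 hosts are stripped first and only the inet rule remains. Taking the first family seen, the behaviour 1.215 repaired, would instead have produced an inet rule and silently lost the v6 pair.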


# 1.204 23-Nov-2002 henning

better error checking, round 1
this time in expand_altq


# 1.203 23-Nov-2002 henning

KNF


# 1.202 23-Nov-2002 deraadt

KNF


# 1.201 23-Nov-2002 dhartmei

$$->ifname is NULL, leave it NULL, don't $$->ifname[0] = 0;


# 1.200 23-Nov-2002 mcbride

Fix brokenness in parse.y, clean up:
- remove requirement for ( ) in route-to ( if )
- calloc route_host
- initialise route_host->next
- globally convert malloc to calloc

ok dhartmei@


# 1.199 23-Nov-2002 mcbride

code to support loading of pf rules with multiple redirection addresses
(in nat, rdr, route-to, dup-to and reply-to)

Syntax looks like this, see pf.conf(5) for details:

nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
192.168.0.16/29 source-hash random

rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
{ 192.168.0.8/31, 192.168.0.15 } port 22 round-robin

ok dhartmei@ henning@


# 1.198 22-Nov-2002 henning

print altq and queue lines in the pfctl -v case including the child queue
assignment


# 1.197 19-Nov-2002 henning

only take cbq opts from schedtype if type=CBQ


# 1.196 19-Nov-2002 henning

repair queuespec syntax glitch, theo agrees


# 1.195 19-Nov-2002 henning

default priority is 1, not 0
found by pb@


# 1.194 19-Nov-2002 camield

- match 'Gb' case-sensitively
- match "%" unit only, not "%crap"

ok henning@
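
Several entries in this stretch of the log pin down how a bandwidth specification is read: 1.213 (1Kb = 1000b, not 1024), 1.194 (the 'Gb' unit is matched case-sensitively and "%" only as the whole unit, so "%crap" is rejected) and 1.230 (a percentage is relative to the interface's bandwidth). The parser below is an added Python example, not pfctl's code, that implements exactly those rules; the acceptance of a decimal value such as "1.5Mb", and the oversubscription check in resolve_child_queues(), are assumptions made for the example rather than behaviour taken from the log.

```python
import re

# Added example, not pfctl's own code: a parser for the bandwidth
# specifications the altq/queue grammar accepts, modelling the rules the
# log entries describe: 1Kb = 1000b (not 1024), the unit suffixes b, Kb,
# Mb, Gb are matched case-sensitively, "%" is only accepted as the whole
# unit (so "50%crap" is rejected), and a percentage is resolved against
# the parent's or interface's absolute bandwidth.
# Assumption: a decimal value such as "1.5Mb" is allowed.

_BW_RE = re.compile(r'^(\d+(?:\.\d+)?)(b|Kb|Mb|Gb|%)?$')
_SCALE = {'b': 1, 'Kb': 1000, 'Mb': 1000 ** 2, 'Gb': 1000 ** 3}


def parse_bandwidth(spec, reference_bw=None):
    """Return the absolute bandwidth in bits per second for spec.

    reference_bw is the absolute bandwidth (bits/s) of the interface or
    parent queue and is only needed to resolve a percentage.
    Raises ValueError for malformed specs ("10GB", "50%crap", "120%").
    """
    m = _BW_RE.match(spec.strip())
    if m is None:
        raise ValueError("bad bandwidth spec: %r" % spec)
    value, unit = float(m.group(1)), m.group(2) or 'b'
    if unit == '%':
        if reference_bw is None:
            raise ValueError("percentage %r needs a reference bandwidth" % spec)
        if not 0 < value <= 100:
            raise ValueError("percentage out of range: %r" % spec)
        return int(reference_bw * value / 100)
    return int(value * _SCALE[unit])


def is_valid_bandwidth(spec, reference_bw=None):
    """Convenience predicate: True if parse_bandwidth() accepts spec."""
    try:
        parse_bandwidth(spec, reference_bw)
    except ValueError:
        return False
    return True


def resolve_child_queues(parent_bw, children):
    """Resolve child queue specs against parent_bw and refuse a set of
    children that together exceed the parent, so a percent-based queue that
    silently oversubscribes the link is caught at load time.
    (Assumption: pfctl performs its own version of this check in
    eval_pfqueue; the exact behaviour is not taken from the log.)
    """
    absolute = {name: parse_bandwidth(spec, parent_bw)
                for name, spec in children.items()}
    total = sum(absolute.values())
    if total > parent_bw:
        raise ValueError("child queues need %d b/s, parent has %d b/s"
                         % (total, parent_bw))
    return absolute


if __name__ == "__main__":
    # Constructed sample: a 10Mb interface with two child queues.
    print(resolve_child_queues(parse_bandwidth("10Mb"),
                               {"one": "50%", "two": "4Mb"}))
```

The regular expression is anchored at both ends, which is what makes "50%crap" and the lowercase "10gb" fail instead of being read as 50% or 10 bits; the units dictionary is the single place where the decimal (1000) scaling from 1.213 lives.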


# 1.193 19-Nov-2002 wilfried

icmp-type was off by one, ok henning@


# 1.192 18-Nov-2002 deraadt

no; do not use };


# 1.191 18-Nov-2002 henning

more using strl* return values instead of strlen calls


# 1.190 18-Nov-2002 henning

easier "queue name too long" detection; from theo


# 1.189 18-Nov-2002 deraadt

KNF


# 1.188 18-Nov-2002 deraadt

KNF


# 1.187 18-Nov-2002 henning

altq and pf merged

this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documentation yet, but committing now
enables a few more people to work on.

print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.

"commit now" theo philipp daniel


# 1.186 13-Nov-2002 henning

as scrub rules end up in a struct pf_rule just call expand_rule instead of
handcrufting this.
has quite a few positive side effects:
-interface list expansion works (fries@ asked for that)
-can specify address family, very helpful with dynamic interface expansion
(pointed out by daniel)
-src/dst ip/port list expansion works
-fixes a long standing, scary, though never noticed bug:
scrub out on lo1 from any to 10.0.0.1
expanded to
scrub out on lo1 all
... this bug was there from day #1.

"sneaky diff of the month award" dhartmei@


# 1.185 13-Nov-2002 dhartmei

Add label macro $if, as we support {} list expansion for interfaces now.
From David Gwynne. ok henning@, camield@


# 1.184 13-Nov-2002 dhartmei

Initialize tail pointer to node, found by fries@


# 1.183 08-Nov-2002 henning

init buf to NULL just in case...
there isn't a single codepath where it can remain uninitialized, but this
might prevent a stupid bug if we change something later


# 1.182 07-Nov-2002 henning

move the ifa_exists block a bit up in host()
inspired by mpech@ pointing out a missing free(buf). so handle the
it-is-an-interface case where we don't need the buf before allocating memory.


# 1.181 04-Nov-2002 henning

welcome to CIDR world, pfctl!

use inet_net_pton to parse IP addresses.
stuff like
block in from 10/8 to any
works now.

some input camield@ and dhartmei@

ok dhartmei@, camield@, mcbride@


# 1.180 02-Nov-2002 dhartmei

%i -> %d, matches the style of existing code, from millert@


# 1.179 02-Nov-2002 dhartmei

printf int with %i, not %u. from pilot@monkey.org.


# 1.178 30-Oct-2002 henning

simplify


# 1.177 30-Oct-2002 henning

fix interface expansion. since the reversed list expansion code was
committed this was broken, only the first IP address was returned.

pointed out by danh@, who sent an excellent bug report.

ok dhartmei@


# 1.176 29-Oct-2002 henning

introduce
set require-order [yes|no]
default is yes.
with set to "no", it isn't required to have the rules in order (options,
scrub, nat, filter) any more, though of course NATing still happens before
filtering and so on, so one has to take care.

ok camield@ mcbride@ dhartmei@
idea discussed with a whole lotta more people and basically ok for everyone ;-)


# 1.175 27-Oct-2002 henning

remove the "flags X" syntax.
no one who wrote "flags S" meant that, but actually something like "flags
S/SA". with "flags S" changing its actual meaning as more flags got
supported, things got worse.

ok dhartmei@, pb@


# 1.174 22-Oct-2002 mpech

%ul -> %lu

dhartmei@ ok


# 1.173 22-Oct-2002 mcbride

More conversion of "int af" and "u_int8_t af" declarations and function
arguments to the more correct and descriptive "sa_family_t af"

ok dhartmei@ henning@


# 1.172 22-Oct-2002 camield

Rename ipmask to set_ipmask and add some functionality: the netmask
is applied immediately to the address.

This way, the parsed rules output shows exactly which bits of an
address are significant for a match and errors due to wrong netmasks
can be spotted more easily.

Example:
$ pfctl -nvf -
pass in on lo0 from 172.17.0.0/12 to any
@0 pass in on lo0 inet from 172.16.0.0/12 to any

idea refined by dhartmei@
ok frantzen@ henning@
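
Entries 1.236, 1.181 and 1.172 together describe how an address in a rule is read: short CIDR forms such as 10/8 are accepted via inet_net_pton, and the netmask is applied to the address immediately, so the parsed rule (and 'pfctl -nvf -' output) shows exactly which bits are significant and a wrong mask, like the 172.17.0.0/12 in the example above, becomes visible. The block below is an added Python reconstruction of that behaviour, not pfctl's code; host_bits_dropped() and print_rule() are names chosen for the example, and the treatment of missing octets as zero is an assumption.

```python
import ipaddress

# Added example, not pfctl's own code: the address-parsing behaviour the
# log entries describe. parse_host() accepts the short CIDR forms
# inet_net_pton(3) understands for IPv4 ("10/8", "10.0/16") and applies the
# netmask to the address immediately, as set_ipmask() does, so the rule as
# printed shows only the significant bits. host_bits_dropped() is the check
# that makes a wrong netmask visible.
# Assumptions: missing octets in a short form are zero, and a bare address
# gets a host mask (/32 or /128).

def _complete_ipv4(addr):
    """Pad an abbreviated dotted quad ("10", "10.0") with zero octets."""
    octets = addr.split('.')
    if not 1 <= len(octets) <= 4 or not all(
            o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("bad IPv4 address %r" % addr)
    return '.'.join(octets + ['0'] * (4 - len(octets)))


def parse_host(spec):
    """Return an ipaddress network for spec with the mask already applied."""
    if '/' in spec:
        addr, plen_s = spec.split('/', 1)
        if not plen_s.isdigit():
            raise ValueError("bad prefix length in %r" % spec)
        plen = int(plen_s)
    else:
        addr, plen = spec, None

    if ':' in addr:                      # IPv6: no short forms
        plen = 128 if plen is None else plen
    else:                                # IPv4, possibly abbreviated
        addr = _complete_ipv4(addr)
        plen = 32 if plen is None else plen

    # strict=False masks the host bits instead of raising on them
    return ipaddress.ip_network("%s/%d" % (addr, plen), strict=False)


def host_bits_dropped(spec):
    """True if spec named host bits that the mask discards, e.g.
    172.17.0.0/12 (which really matches 172.16.0.0/12) or 127.0.0.1/8."""
    net = parse_host(spec)
    addr = spec.split('/', 1)[0]
    if ':' not in addr:
        addr = _complete_ipv4(addr)
    return ipaddress.ip_address(addr) != net.network_address


def print_rule(spec):
    """The parsed form of 'pass in on lo0 from SPEC to any', in the shape
    the verbose output in the log uses (rule number prefix, explicit af)."""
    net = parse_host(spec)
    af = "inet" if net.version == 4 else "inet6"
    return "@0 pass in on lo0 %s from %s to any" % (af, net)


if __name__ == "__main__":
    # Constructed samples, including the two wrong-mask cases from the log.
    for s in ("172.17.0.0/12", "10/8", "127.0.0.1/8", "10.0.0.1"):
        print(s, "->", print_rule(s),
              "| host bits dropped:", host_bits_dropped(s))
```

Applying the mask at parse time rather than at match time is what turns a silently over-broad rule into something an administrator can see in the -v output: 172.17.0.0/12 is printed back as 172.16.0.0/12, which is the network the rule actually matches.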


# 1.171 17-Oct-2002 mcbride

These checks are also made in nat_consistent() and rdr_consistent().

ok dhartmei@ henning@


# 1.170 17-Oct-2002 camield

- accept all protocols that are specified by number if they are in
the valid range (also when they're not listed in /etc/protocols)
- explicitly disallow protocol number 0, because it has special meaning
to pf

ok dhartmei@ henning@


# 1.169 16-Oct-2002 mpech

Fix and improve binat mask comparison.

dhartmei@, henning@ ok


# 1.168 14-Oct-2002 henning

Allow one to specify a netblock in a binat rule:

binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27

Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.

from ryan

ok dhartmei@


# 1.167 11-Oct-2002 camield

When a macro cannot be expanded because it is not defined, say so. Also warn
about unused macros.

ok dhartmei@ henning@


# 1.166 11-Oct-2002 camield

In lgetc(), compress strings of whitespace to a single space. This makes
macros come out right in verbose mode and is less functional overhead.

Also err on whitespace after a backslash. That type of error is hard to
find otherwise.

ok dhartmei@ henning@


# 1.165 08-Oct-2002 vincent

remove <0 checks on unsigned numbers.

ok henning@


# 1.164 07-Oct-2002 dhartmei

-Wsign-compare clean


# 1.163 07-Oct-2002 dhartmei

Two cases of const-correctness and make one global local.


# 1.162 07-Oct-2002 henning

set block-policy [drop|return]
drop is default, same behaviour as before

support
block drop
to override a return policy


# 1.161 07-Oct-2002 henning

support a generic return
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else

ok dhartmei@


# 1.160 07-Oct-2002 henning

make return-icmp work for rules covering both v4 and v6
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)

ok and some input dhartmei@


# 1.159 07-Oct-2002 henning

use a new rule_flag PFRULE_RETURNICMP to decide whether to return-icmp or not
instead of just testing return_icmp > 0

ok dhartmei@


# 1.158 07-Oct-2002 dhartmei

Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.


# 1.157 06-Oct-2002 dhartmei

Move CHECK_ROOT into LOOP_THROUGH, gets rid of one macro and saves
several lines, no functional difference. From Camiel Dobbelaar.


# 1.156 05-Oct-2002 dhartmei

Expand {} lists from left to right, so 'pass in from { a, b } to any'
becomes '@0 pass in from a to any @1 pass in from b to any' instead of
the other way around. Patch from Camiel Dobbelaar.


# 1.155 05-Oct-2002 dhartmei

Allow filtering based on IP header's tos field.


Revision tags: OPENBSD_3_2_BASE
# 1.154 22-Sep-2002 henning

little KNF: return(something) -> return (something)


# 1.153 22-Sep-2002 henning

fix line number counting in findeol, and simplify by ignoring the \ case,
that's already handled earlier.
fast-forward on erroneous lines

partially from camield@, parts result of a discussion with Mike

ok frantzen@ dhartmei@


# 1.152 22-Sep-2002 henning

antispoof, take 2.
also block incoming packets with our own IP as src.

discussion & help frantzen

ok ho@ dhartmei@ frantzen@


# 1.151 17-Sep-2002 henning

easier "self" implementation.
no functional changes

ok pb@


# 1.150 15-Sep-2002 henning

set a netmask in the dynaddr case
noticed by <han@mijncomputer.nl>

ok pb@


# 1.149 14-Sep-2002 henning

bit more clue in rdr/nat rules wrt address family examination
don't take the af from host_node structs based on interface lookups, most
interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will
at least have one IP address specified from which we take the af for the
whole rule. The rare exceptional cases require the user to specify the af.

ok frantzen@


# 1.148 12-Sep-2002 henning

check for calloc() failure; ho@


# 1.147 12-Sep-2002 henning

antispoof [log] [quick] for [interface|interface_list] [af]

e.g.

antispoof log quick for { dc0, dc1 } inet

docs & regress coming

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@
IPv6 help itojun@

finally, a long story finds its happy end here.


# 1.146 12-Sep-2002 henning

rework netmask handling:
-don't set netmask in host token handler
-clear netmask in ipmask() proper before setting it
-in ifa_load(), also store interface's netmask and broadcast address
-allow ifa_lookup() to return either the interface's IP address(es), network(s)
or broadcast address(es) - not used anywhere yet. This implies that
ifa_lookup() also returns the netmask now.
-host() returns netmasks, too

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@


# 1.145 08-Sep-2002 henning

be more clueful wrt address family in nat/rdr rules.
behaviour noticed by Paul de Weerd, thanks!

ok dhartmei@


# 1.144 02-Sep-2002 dhartmei

Fix parsing of port ranges in translation rules (port a:b -> port c:d).
ok henning@


# 1.143 02-Sep-2002 dhartmei

Make sure the interface specified with route-to/dup-to/fastroute exists
and null-terminate the interface name. Found by Michael Wallis.
ok henning@


# 1.142 20-Aug-2002 dhartmei

Increase lineno on newlines inside multi-line macro definitions, otherwise
errors on subsequent lines are reported with wrong line numbers.
From Paul B. Henson.


# 1.141 16-Aug-2002 henning

kill duplicated check for '(' and ')' in allowed_in_string


# 1.140 12-Aug-2002 dhartmei

Catch null pointer deref (segfault), from wilfried@


# 1.139 06-Aug-2002 henning

missing free(), mpech@
ok pb@


# 1.138 06-Aug-2002 henning

check for strdup() allocation errors

pointed out by mpech@
ok pb@


# 1.137 31-Jul-2002 henning

KNF, esp. missing prototypes


# 1.136 30-Jul-2002 henning

grmpf.
in some cases, on non-tcp rules flags weren't reset. cosmetic only
problem. but, well, checking for r->flags and r->flagset if we could have
assigned them zero just one round ago is just stupid, and it's not needed to
check them at all.

ok pb@, dhartmei@


# 1.135 30-Jul-2002 henning

allow to specify flags on all rules that include tcp.

these are valid:

pass in from any to any flags S
pass in proto { tcp, udp, icmp } from any to any flags S
pass in proto tcp from any to any flags S

these are invalid:

pass in proto { udp, icmp } from any to any flags S
pass in proto udp from any to any flags S

ok "I've lost my slacker status for at least a week" frantzen@
ok pb@, dhartmei@, deraadt@


# 1.134 26-Jul-2002 henning

make the order of log and quick irrelevant. now both
block in log quick all
and
block in quick log all
work.

ok dhartmei@, deraadt@


# 1.133 23-Jul-2002 henning

timeout_list/_spec and limit_list/_spec don't return anything -> no %type.

ok theo


# 1.132 21-Jul-2002 deraadt

fix route-to also


# 1.131 21-Jul-2002 deraadt

make the , optional in many places. This makes string concat a lot more
useful. Now you can
in = ssh domain www
out = $in ftp finger
pass in proto tcp from any to any port { $in }
pass out proto tcp from any to any port { $out }
a poor example, but the idea is obvious


# 1.130 21-Jul-2002 deraadt

string concat, ie.
a=a b
c=$a $a


# 1.129 20-Jul-2002 deraadt

minor indent tweaks


# 1.128 20-Jul-2002 deraadt

properly split yacc and lex use


# 1.127 19-Jul-2002 deraadt

minor tweaks, sigh


# 1.126 19-Jul-2002 dhartmei

And back out the last change again.


# 1.125 19-Jul-2002 henning

rework the interface lookup routines internals.
less and easier code than before.
no functional changes.

ok frantzen@, dhartmei@


# 1.124 19-Jul-2002 dhartmei

Support # comments at the end of lines and inside (multi-line) string
literals, so you can do things like

macro="{ foo, # first entry
bar, # second entry
baz }" # last entry

or

pass in on $ext_if \ # external interface
proto tcp \ # TCP connections
from any to $ext_if \ # to the gateway itself
keep state

And sneaking in two minor fixes for KNF.


# 1.123 19-Jul-2002 henning

deal with the fact that the struct node_host ifa_pick_ip gets is not always
the result of an interface expansion. in this case ifa_pick_ip does an
address family check (that's actually a (wanted) side effect). Thus, we need
to spit out a meaningful error message in case of a mismatch.
also adjust all the other error messages, they were also assuming that nh is
the result of an interface expansion.
after a looooong discussion on icb (dhartmei@, pb@, me) we agreed on the term
"translation address" for that.

okay dhartmei@


# 1.122 17-Jul-2002 henning

support "self" as address. self expands to all IPv4 and IPv6 addresses of
the machine, on all interfaces. I wanted
block in log on ! lo0 from any to self
for years, and now it's possible.

ok "I may lose my slacking status if I OK it" frantzen@
ok dhartmei@

documentation in pf.conf.5 to come with pb@'s rewrite


# 1.121 16-Jul-2002 dhartmei

Add nat_consistent() and rdr_consistent() for checks that should occur
after rule expansion, similar to rule_consistent(). Fixes the
non-effective test for rdr rules for non-TCP/UDP protocols with ports,
found by mpech@, ok frantzen@


# 1.120 15-Jul-2002 henning

add support for
pass|block on ! $interface ...

ok dhartmei@

will be documented in pf.conf(5) by "I'm not slacking!" pb@ who's currently
reworking this manpage


# 1.119 15-Jul-2002 pb

cosmetics/consolidations to manpage in yyerror()s

ok henning@, dhartmei@


# 1.118 15-Jul-2002 henning

o complain about keep state on block rules
o complain about return-rst on rules which aren't limited to tcp

pointed out by not-slacking-but-testing pb@

ok pb@, dhartmei@


# 1.117 13-Jul-2002 henning

add list expansion for interface and proto in nat rules and for proto in rdr
rules (interface was already there). since the nat.conf/pf.conf merge the
parser accepted these but didn't expand them. ugh.

ok dhartmei@


# 1.116 09-Jul-2002 itojun

check sin6_scope_id field, just in case we change the routing socket API
for scoped address (unlikely due to the deployed codebase...).


# 1.115 09-Jul-2002 itojun

getifaddrs(3) grabs link-local addrs in kernel internal form, convert them
into proper sockaddr_in6.


# 1.114 09-Jul-2002 henning

rework the interface-to-IP routines.

you can use interface names instead of an IP in most places. However, until
now, it was only expanded to the interface's first IPv4 address if existent
(and address family unset or inet) and the first IPv6 address otherwise.

this diff changes that. the interface is properly expanded to all IPs, IPv4
_and_ IPv6, now.

it also cleans up the lookup procedures (well, in fact, they are replaced by
a new one), there's no need for different procedures for IPv4 and IPv6. we
now just have one list of interfaces (AF_LINK) and one list with IPs
(AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and
ifa_lookup.

nat, rdr & friends now use the new function ifa_pick_ip to get the IP in
rules like

nat on $interface from $whatever to any -> $interface

ifa_pick_ip tries to be smart.
if the interface has only one IP address and the nat rule doesn't specify an
address family (or it matches with this address), take this one.
If the address family is specified in the nat rule and there is only one IP
for the given address family, this one is used. if the address family is not
specified and there is more than one IP pfctl throws an error. The same
applies for multiple IPs per address family.

This causes regression tests 18 and 20 to fail because the address family
isn't specified there; diff for those coming.

also fix some prototypes while I'm here.

pb@ found another problem while testing that we must have introduced somewhat
after 3.1.

$cat t
nat on ne3 from any to any -> 213.128.133.5
$pfctl -nvf t
nat on ne3 all -> ?

it's only a representation bug as far as I've checked, nonetheless it should
be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just
steal its target's IP af and set the rule's af accordingly. then inet_ntop
does play nice.
binat rules already enforce having an address family set always and thus are
not affected.

ok dhartmei@, pb@, kjell@
"It looks good" frantzen@


# 1.113 08-Jul-2002 dhartmei

Don't allow 'flags' option in non-TCP rules, found by mpech@


# 1.112 05-Jul-2002 henning

unbreak.


# 1.111 05-Jul-2002 henning

another small bug I found while installing a -current pf firewall.
we don't support

pass/block in on ! <interface>

(at least, not yet)
let the parser complain instead of ignoring the '!'

ok pb@, dhartmei@


# 1.110 01-Jul-2002 espie

streamline parse buffer handling (no need to copy value that is not
going to go away).

add explicit pushback buffer, to be able to push IPv6 failed parses back.

handle pushback + parse buffer interactions by using negative indices.

okay dhartmei@, deraadt@


# 1.109 01-Jul-2002 deraadt

KNF


# 1.108 28-Jun-2002 dhartmei

Don't check for address family conflicts in nat/rdr before expansion,
rules will expand to all valid combinations, and there's an error when
none is found. Makes "nat on tun0 from 10.0.0.0/8 to any -> (tun0)"
work (again).


# 1.107 25-Jun-2002 henning

move pfctl options -t, -m, -O and -l to pf.conf. These are set using the
"set" keyword. example rulefile:

set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all

fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@


# 1.106 24-Jun-2002 dhartmei

Use interface when specified in scrub rule. No support for ! or {} yet.


# 1.105 23-Jun-2002 deraadt

uid_t and gid_t are unsigned


# 1.104 20-Jun-2002 dhartmei

Copy address family from inet/inet6 keyword, if specified.


# 1.103 18-Jun-2002 frantzen

propagate a '!' when a host resolves to multiple IP addresses
ok dhartmei@


# 1.102 18-Jun-2002 frantzen

don't allow individual keep state rules to specify timeouts for 'interval' and
'frag' -- they aren't applied anyway
ok dhartmei@ and henning@


# 1.101 16-Jun-2002 aaron

Rules must in order -> Rules must be in order


# 1.100 15-Jun-2002 dhartmei

Reset rulestate in parse_rules(), so consecutive calls (like from authpf)
will not fail. Reported by Chris Kuethe.


# 1.99 13-Jun-2002 kjell

Fix the numbering of scrub rules. pointed out and oked by frantzen@


# 1.98 12-Jun-2002 kjell

Fix uninitialized access. Spotted by danh@ This is a good reason to
develop with "ln -s 'J' /etc/malloc.conf" enabled.
ok henning@


# 1.97 11-Jun-2002 frantzen

split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@. the rest are slacking


# 1.96 11-Jun-2002 frantzen

SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@


# 1.95 11-Jun-2002 dhartmei

Make NAT proxy port range configurable per rule, for instance privileged
source ports can mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@


# 1.94 10-Jun-2002 kjell

Merge the NAT and rules files into a single rulefile. Rules must be
in this order, to remove any ambiguity about what order things happen in:

scrub rules
nat rules
filter rules

The -N and -R modifiers go away. Rulefiles are now loaded with the
more POSIXly-correct '-f'

ok frantzen@


# 1.93 10-Jun-2002 dhartmei

Allow ports to be specified in nat rules, useful later on for individual
proxy port ranges.


# 1.92 10-Jun-2002 dhartmei

Move enum out of struct (gcc 3.1 wasn't happy), from David Krause


# 1.91 10-Jun-2002 kjell

split scrub rule processing into its own yacc target,
for imminent config file merge. ok frantzen@


# 1.90 09-Jun-2002 dhartmei

Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it
includes ports and operator.


# 1.89 09-Jun-2002 deraadt

spaced out developers...


# 1.88 09-Jun-2002 kjell

Add list parsing in RDR rules: e.g.

rdr on $IFLIST proto tcp from $SRC_LIST to $DST_LIST port 21 \
-> 127.0.0.1 port 8021

ok dhartmei@


# 1.87 08-Jun-2002 henning

nuke unused parameter af to expand_label_port
ok dhartmei@, pb@


# 1.86 08-Jun-2002 dhartmei

Change remaining read-only lookup tables to const, suggestion drahn@


# 1.85 08-Jun-2002 itojun

comment on IPv6 link-local twists


# 1.84 08-Jun-2002 kjell

add list expansion to src/dest in NAT rules. i.e.

nat on fxp0 from { 10.0.0.0/24, 10.0.1.0/24 } to \
{ 172.6.1.1, 172.14.1.2/32 } -> fxp0

ok theo, dhartmei@


# 1.83 08-Jun-2002 henning

remove macro concatenation via += per Theo's advice


# 1.82 08-Jun-2002 henning

allow macro concatenation like
webservers = "{ 10.0.0.1, 10.0.0.7, 10.0.0.8, "
webservers += " 10.0.0.17, 10.0.0.25, 10.0.0.37 }"
ok frantzen@, dhartmei@


# 1.81 08-Jun-2002 dhartmei

Make state timeouts configurable per rule, like

pass in from any to any port www keep state (tcp.established 60)

ok frantzen@


# 1.80 08-Jun-2002 henning

expand $nr -> rule number in rule labels
okay dhartmei@, frantzen@


# 1.79 08-Jun-2002 henning

expand $proto in rule labels
okay frantzen@ dhartmei@


# 1.78 07-Jun-2002 dhartmei

Handle realloc() failure gracefully. Terminates with err() anyway in this
case, but we don't want to trigger "p = realloc(p," grepping causing false
alarms here.


# 1.77 07-Jun-2002 deraadt

henning, read this to see what i mean by KNF


# 1.76 07-Jun-2002 pb

add the possibility to configure a TTL while return-rst

ok dhartmei@, ipv6 part itojun@ ok


# 1.75 07-Jun-2002 dhartmei

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@


# 1.74 07-Jun-2002 henning

allow using $srcaddr, $srcport, $dstaddr and $dstport in rule labels,
evaluated at parse time.
ok dhartmei@
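
Several entries in this log (the "set" example with label "$nr:$srcaddr:$srcport:$dstaddr:$dstport", the $nr and $proto expansions, and the $srcaddr/$srcport/$dstaddr/$dstport expansion above) describe parse-time substitution of variables inside rule labels. The following is an added example written for this page, not pfctl's own expansion code: it substitutes the six variables named in the log into a label and refuses results that do not fit a fixed label buffer. The LABEL_SIZE of 64, the decision to copy unknown "$..." text through unchanged, and the sample rule values are assumptions of this example, not facts taken from the log.

```c
#include <stdio.h>
#include <string.h>

/* Label size assumed for this example; pf bounds rule labels, but the
 * exact constant is not stated in the log. */
#define LABEL_SIZE 64

struct label_ctx {
    unsigned nr;                  /* rule number, known once rules are numbered */
    const char *proto;            /* protocol name of this expanded rule */
    const char *srcaddr, *srcport, *dstaddr, *dstport;
};

/* Expand $nr, $proto, $srcaddr, $srcport, $dstaddr and $dstport in a label.
 * Unknown "$..." text is copied through unchanged (this example's choice).
 * Returns the expanded length, or -1 if the result does not fit in outlen. */
static int expand_label(const char *in, const struct label_ctx *ctx,
    char *out, size_t outlen)
{
    static const char *const names[] = {
        "nr", "proto", "srcaddr", "srcport", "dstaddr", "dstport"
    };
    char nrbuf[16];
    size_t o = 0;

    while (*in != '\0') {
        const char *rep = NULL;
        size_t skip = 1, i;

        if (*in == '$') {
            for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
                size_t n = strlen(names[i]);
                if (strncmp(in + 1, names[i], n) == 0) {
                    skip = n + 1;
                    break;
                }
            }
            switch (i) {
            case 0: snprintf(nrbuf, sizeof(nrbuf), "%u", ctx->nr); rep = nrbuf; break;
            case 1: rep = ctx->proto; break;
            case 2: rep = ctx->srcaddr; break;
            case 3: rep = ctx->srcport; break;
            case 4: rep = ctx->dstaddr; break;
            case 5: rep = ctx->dstport; break;
            default: break;   /* not a label variable: copy the '$' literally */
            }
        }
        if (rep == NULL) {
            if (o + 1 >= outlen)
                return -1;
            out[o++] = *in++;
        } else {
            size_t n = strlen(rep);
            if (o + n >= outlen)
                return -1;
            memcpy(out + o, rep, n);
            o += n;
            in += skip;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Wrapper with a static LABEL_SIZE buffer; NULL when the label overflows. */
static const char *expand_label_s(const char *in, unsigned nr, const char *proto,
    const char *sa, const char *sp, const char *da, const char *dp)
{
    static char buf[LABEL_SIZE];
    struct label_ctx ctx = { nr, proto, sa, sp, da, dp };

    return expand_label(in, &ctx, buf, sizeof(buf)) < 0 ? NULL : buf;
}

int main(void)
{
    /* Constructed sample: the label from the "set" example in this log,
     * for rule 0 of a tcp rule from 10.0.0.1 (any port) to 10.0.0.2 port 22. */
    const char *s = expand_label_s("$nr:$srcaddr:$srcport:$dstaddr:$dstport",
        0, "tcp", "10.0.0.1", "any", "10.0.0.2", "22");

    printf("%s\n", s != NULL ? s : "(label too long)");
    return 0;
}
```

Because the variables are substituted once per expanded rule, a label on a rule that expands over a list (several protocols or addresses) yields a distinct label per resulting rule; the overflow check matters there, since a short template can expand past the label buffer once long addresses are substituted in.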


# 1.73 07-Jun-2002 itojun

make IPv6 scope identification work for dst (from any to fe80::1%lo0)


# 1.72 07-Jun-2002 itojun

support scoped IPv6 address in from/to portion.


# 1.71 01-Jun-2002 hugh

ECN flag support for pf. Committed in consultation with Daniel.


# 1.70 24-May-2002 dhartmei

Support mixed (IPv4/v6) address lists, expand to all possible and valid
combinations. 'pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }' will
expand to two rules, 'from 10.1.2.3 to 10.4.5.6' and 'from ::1 to ::2'.
Also applies to host name resolution (when multiple addresses are returned
for one name). ok frantzen@, itojun@


# 1.69 23-May-2002 deraadt

tiny KNF, some malloc checks, etc


# 1.68 23-May-2002 itojun

new_addr is not used from anywhere. daniel@benzedrine.cx ok


# 1.67 19-May-2002 deraadt

KNF


# 1.66 12-May-2002 dhartmei

Explain that user/group 'unknown' can only be used with operators = and !=
and refuse other constructs in the parser. Also note that 'user >= 0' does
not match forwarded packets with unknown user ID.


# 1.65 12-May-2002 dhartmei

Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.


# 1.64 10-May-2002 dhartmei

Handle host name resolution returning multiple addresses in the rule
parser (expand to every address). ok frantzen@


# 1.63 09-May-2002 jasoni

Add a max-mss option to the scrub rule which will enforce a maximum mss
by lowering it to the given value.
- ok dhartmei@, provos@


# 1.62 09-May-2002 dhartmei

Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.


# 1.61 24-Apr-2002 dhartmei

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).


# 1.60 23-Apr-2002 dhartmei

Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.


# 1.59 18-Apr-2002 deraadt

use strlcpy


# 1.58 17-Apr-2002 dhartmei

Reset lineno for each file, so pfctl -R ... -N ... reports the right
line number for non-first files. Reported by aaron@


Revision tags: OPENBSD_3_1_BASE
# 1.57 27-Mar-2002 mickey

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok


# 1.56 27-Feb-2002 dhartmei

Instead of printing useless @0 rule numbers from pfctl -vR, increase a
counter. Helps debugging rule sets that are not loaded. Suggested by
John Kerbawy.


# 1.55 11-Jan-2002 mickey

use bsearch() for keywords lookup, swap couple of entries to make the keywords array sorted and add a comment to keep it that way; dhartmei@ ok


# 1.54 10-Jan-2002 hugh

Let port 0 be specified as it's not special here.
Agreement with Daniel and others.


# 1.53 09-Jan-2002 mpech

Port must be >0 and <=65535. Idea while having fun with ssh.

dhartmei@ ok


# 1.52 09-Jan-2002 mpech

free() 'interface' in {nat,binat,rdr}rule

dhartmei@ ok


# 1.51 09-Jan-2002 dhartmei

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.


# 1.50 08-Jan-2002 dhartmei

Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.


# 1.49 07-Jan-2002 mpech

remove 3rd argument from ipmask(), not used.

dhartmei@ ok


# 1.48 23-Dec-2001 deraadt

find correct line number in lval, instead of val


# 1.47 10-Dec-2001 dhartmei

Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.


# 1.46 05-Dec-2001 dhartmei

Correctly parse hex numbers. Spotted by Claudio Jeker. Closes PR 2234.


# 1.45 03-Dec-2001 dhartmei

For nat, binat and rdr rules, don't allow different address families in
one rule. pf can't translate IPv4 <-> IPv6 packets. Such rules didn't work,
even if they were falsely accepted before.


# 1.44 26-Nov-2001 jasoni

add fastroute options similar to what is found in ipf
ok dhartmei@, frantzen@


# 1.43 05-Nov-2001 deraadt

no one responds.
this diff makes } and { not be part of symbols


# 1.42 24-Oct-2001 dhartmei

Check interface names using ifa0_lookup() and print error message for
non-existent interfaces (instead of the generic ioctl error returned by
the kernel in this case).


Revision tags: OPENBSD_3_0_BASE
# 1.41 15-Oct-2001 dhartmei

branches: 1.41.2;
Add 'allow-opts' to rules. Packets with IP options will be blocked by
default now, and can be allowed per rule. ok deraadt@


# 1.40 11-Oct-2001 frantzen

Don't htonl() past buffer bounds if ipmask == 128


# 1.39 07-Oct-2001 dhartmei

Add interface name to address translation to pfctl, document it and add
a regress test. Translation is done on rule set load-time only, so the
rule sets must be reloaded when an interface address changes.
parse.y patch from Cedric Berger. Similar patch from Jonathon Fletcher.
Thanks to both.


# 1.38 01-Oct-2001 markus

print variable assignments only if -v is given. ok dhartmei/deraadt


# 1.37 28-Sep-2001 dhartmei

Support underscores in macro names and document it in the man page.


# 1.36 20-Sep-2001 dhartmei

Fix uninitialized structure fields. Problem reported by Cedric Berger.


# 1.35 15-Sep-2001 wilfried

Implement return-icmp(number), return-icmp6(number)
Differentiate between return-icmp and return-icmp6,
icmp-type and ipv6-icmp-type. ok dhartmei@


# 1.34 15-Sep-2001 dhartmei

Fix 'binat ... to any ...' (binat.af wasn't set).


# 1.33 15-Sep-2001 dhartmei

Parse bug, found by wilfried@


# 1.32 15-Sep-2001 frantzen

IPv6 support from Ryan McBride (mcbride@countersiege.com)


# 1.31 12-Sep-2001 markus

check calloc() return value


# 1.30 06-Sep-2001 jasoni

- you can only binat between hosts
- add binat example and description


# 1.29 06-Sep-2001 jasoni

1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@


# 1.28 04-Sep-2001 dhartmei

Support parameter lists {} for interfaces in filter rules, like
pass in on { gm0, kue0 } from any to any


# 1.27 28-Aug-2001 markus

move '!' from host_list to host: "xhost : '!' host | host;"; ok dhartmei@


# 1.26 28-Aug-2001 markus

check for malloc/strdup == NULL


# 1.25 28-Aug-2001 dhartmei

Support ! operator in host parameter lists. Fixes PR system/2030. Reported
by Kamil Andrusz <wizz@mniam.net>.


# 1.24 26-Aug-2001 deraadt

sort keywords


# 1.23 25-Aug-2001 frantzen

PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation.


# 1.22 23-Aug-2001 millert

o for a port_item, initialize the "next" pointer to NULL
o for an address, use calloc() instead of malloc() so the struct is zeroed
Fixes a SEGV in pfctl due to uninitialized "next" pointers.


# 1.21 23-Aug-2001 deraadt

Support var="string". Expansion (at lex time) done using $var, for instance:
okproto="{ssh, smtp, domain, auth}"
pass in on key0 proto tcp from any to any port $okproto keep state
Can I ask someone else to document this in pf.conf(5)?


# 1.20 19-Aug-2001 dhartmei

Add parameter list support to parser. Handles lists for protocol, hosts
and ports in filter rules, like

block in from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
pass in proto tcp from any to any port { ssh, 1024 >< 2000, > 65000 }
block in proto { udp, igmp }

and does rule expansion (generate all needed rule combinations).


# 1.19 16-Aug-2001 deraadt

track the line number per-token, so that we can report errors correctly


# 1.18 14-Aug-2001 mickey

optimize the flags parsing; markus@ ok


# 1.17 11-Aug-2001 deraadt

\+\n support, and spit out cc-style error messages. the parser's line
counting is lex dependent, and will need to be tweaked


# 1.16 31-Jul-2001 wilfried

allow to test that flags are unset, ok dhartmei@, mickey@


# 1.15 19-Jul-2001 krw

Fix/complete the handling of the binary ops >< and <> to behave
like the ipf operators.

The 'n >< m' construct (Include Range = PF_OP_IRG) should match
ports greater than n and less than m, not greater than or equal to
n and less than or equal to m.

The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match
all ports less than n OR greater than m, not be treated as an
alias for ><.

Thus PF_OP_GL, which was used for both <> and >< is replaced with
PF_OP_IRG and PF_OP_XRG with the 'correct' semantics.

OK dhartmei@
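
The entry above fixes the semantics of the two range operators, and the earlier parameter-list entry shows them in use ('port { ssh, 1024 >< 2000, > 65000 }'). The following is an added example written for this page, not pfctl's own grammar code: it parses the pf.conf-style port expressions named in this log (a bare port, the unary comparisons, a:b, a >< b and a <> b) and evaluates them with the PF_OP_IRG/PF_OP_XRG semantics stated above (exclusive inside-range, outside-range). Rejecting inverted ranges such as "2000 >< 1024" and treating a bare number as equality are this example's choices; the enum and function names are its own and not pf's identifiers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Port operators as pf.conf spells them. IRG and XRG follow the semantics
 * fixed in the log entry above: exclusive inside and outside range. */
enum port_op { OP_NONE, OP_EQ, OP_NE, OP_LT, OP_LE, OP_GT, OP_GE, OP_RRG, OP_IRG, OP_XRG };

struct port_rule {
    enum port_op op;
    uint16_t n, m;   /* m is only used by the range operators */
};

static int port_match(const struct port_rule *r, uint16_t p)
{
    switch (r->op) {
    case OP_NONE: return 1;                        /* no port constraint */
    case OP_EQ:   return p == r->n;
    case OP_NE:   return p != r->n;
    case OP_LT:   return p < r->n;
    case OP_LE:   return p <= r->n;
    case OP_GT:   return p > r->n;
    case OP_GE:   return p >= r->n;
    case OP_RRG:  return p >= r->n && p <= r->m;   /* n:m, inclusive */
    case OP_IRG:  return p > r->n && p < r->m;     /* n >< m, PF_OP_IRG */
    case OP_XRG:  return p < r->n || p > r->m;     /* n <> m, PF_OP_XRG */
    }
    return 0;
}

/* Map operator text to the enum; binary selects the two-operand forms. */
static enum port_op op_from_str(const char *s, int binary)
{
    if (binary) {
        if (strcmp(s, ":") == 0)  return OP_RRG;
        if (strcmp(s, "><") == 0) return OP_IRG;
        if (strcmp(s, "<>") == 0) return OP_XRG;
        return OP_NONE;
    }
    if (strcmp(s, "=") == 0)  return OP_EQ;
    if (strcmp(s, "!=") == 0) return OP_NE;
    if (strcmp(s, "<") == 0)  return OP_LT;
    if (strcmp(s, "<=") == 0) return OP_LE;
    if (strcmp(s, ">") == 0)  return OP_GT;
    if (strcmp(s, ">=") == 0) return OP_GE;
    return OP_NONE;
}

/* Parse "22", "!= 22", "> 65000", "1024:2000", "1024 >< 2000", "1024 <> 2000".
 * Returns -1 on a syntax error, trailing garbage, a port above 65535, or a
 * range with n > m (rejecting inverted ranges is this example's choice). */
static int parse_port_expr(const char *expr, struct port_rule *r)
{
    unsigned a, b;
    char op[3];
    int len = -1;

    if (sscanf(expr, "%u %2[<>=!:] %u %n", &a, op, &b, &len) == 3 &&
        len >= 0 && expr[len] == '\0') {
        if (a > 65535 || b > 65535 || a > b)
            return -1;
        r->op = op_from_str(op, 1);
        r->n = (uint16_t)a;
        r->m = (uint16_t)b;
        return r->op == OP_NONE ? -1 : 0;
    }
    len = -1;
    if (sscanf(expr, "%2[<>=!] %u %n", op, &a, &len) == 2 &&
        len >= 0 && expr[len] == '\0') {
        if (a > 65535)
            return -1;
        r->op = op_from_str(op, 0);
        r->n = (uint16_t)a;
        r->m = 0;
        return r->op == OP_NONE ? -1 : 0;
    }
    len = -1;
    if (sscanf(expr, "%u %n", &a, &len) == 1 && len >= 0 && expr[len] == '\0') {
        if (a > 65535)
            return -1;
        r->op = OP_EQ;
        r->n = (uint16_t)a;
        r->m = 0;
        return 0;
    }
    return -1;
}

/* Convenience: 1 if port p matches expr, 0 if not, -1 if expr is invalid. */
static int port_expr_matches(const char *expr, unsigned p)
{
    struct port_rule r;

    if (p > 65535 || parse_port_expr(expr, &r) != 0)
        return -1;
    return port_match(&r, (uint16_t)p);
}

int main(void)
{
    /* Constructed sample: the list from the parameter-list entry in this
     * log, '{ ssh, 1024 >< 2000, > 65000 }', with ssh written as 22. */
    const char *exprs[] = { "22", "1024 >< 2000", "> 65000" };
    unsigned ports[] = { 22, 1024, 1025, 2000, 65000, 65001 };

    for (size_t i = 0; i < sizeof(ports) / sizeof(ports[0]); i++)
        for (size_t j = 0; j < sizeof(exprs) / sizeof(exprs[0]); j++)
            printf("port %5u  %-14s -> %s\n", ports[i], exprs[j],
                port_expr_matches(exprs[j], ports[i]) == 1 ? "match" : "no match");
    return 0;
}
```

The boundary values in main() show the point of the fix: 1024 and 2000 do not match "1024 >< 2000", while "1024:2000" would include both, and "1024 <> 2000" matches exactly the ports that "1024:2000" rejects.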


# 1.14 18-Jul-2001 markus

new ERROR token, errx() -> warnx() + ERROR; ok deraadt@


# 1.13 18-Jul-2001 markus

KNF for return


# 1.12 18-Jul-2001 mickey

check number range to fit in 32 bits


# 1.11 18-Jul-2001 mickey

put range checks on NUMBER, pointed out by deraadt


# 1.10 17-Jul-2001 mickey

spaces, parens, err instead of errx+strerror


# 1.9 17-Jul-2001 markus

warnx()/YYERROR instead of errx(); suggested by mickey@


# 1.8 17-Jul-2001 provos

markus doesn't like min-ttl =, begone


# 1.7 17-Jul-2001 provos

support min-ttl, okay dhartmei@


# 1.6 17-Jul-2001 provos

normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@


# 1.5 17-Jul-2001 marc

bitch about ! in pf rule; ok dhartmei@ and markus@


# 1.4 17-Jul-2001 millert

Only set default proto in the rdr case; markus@ OK


# 1.3 16-Jul-2001 markus

errx() if getservbyname() fails


# 1.2 16-Jul-2001 markus

better flags parsing; dhartmei


# 1.1 16-Jul-2001 markus

add a yacc parser for pf.conf and nat.conf, with help from mickey@,
plus: -n now turns off all operations, and just parses the conf files
ok deraadt@


# 1.696 08-May-2019 sashan

pfctl should check pfctl.astack is not overrun
(bug found and fixed by Petr Hoffmann _at_ oracle.com)

OK kn@


# 1.695 18-Apr-2019 kn

Fix table definition parsing as unprivileged user

revision 1.689 introduced warn_duplicate_tables() unconditionally, breaking
the parser on tables with insufficient permissions to open pf(4):

$ echo 'table <t>' | pfctl -nf-
pfctl: pfr_get_tables: Bad file descriptor

So simply check whether pfctl is able to get the table list first. If not,
instead of silently avoiding namespace collision checks, print a brief
notice iff `-v' is given to help finding duplicate definitions by hand:

$ echo 'table <t>' | ./obj/pfctl -vnf-
table <t>
stdin:1: skipping duplicate table checks for <t>

Reported by Rivo Nurges, thanks!
OK benno sashan


Revision tags: OPENBSD_6_5_BASE
# 1.694 06-Mar-2019 kn

Fix once rules

parse.y revision 1.682 from 16.07.2018 erroneously allowed `match once' and
`anchor "a" once'.

Fix both by checking for PF_DROP not PF_MATCH and creating anchors in the
parser already such that they can be used to distinguish anchor rules in
the same check as well.

Found and fixed by Petr Hoffmann <petr.hoffmann at oracle dot com>, thanks!

While here, remove an unneeded cast and make pfctl_add_rule() void as it
always returned 0.

OK sashan


# 1.693 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.692 10-Feb-2019 kn

Anchor names must not be empty

The parser would allow bogus input and sometimes even produce invalid rules
on empty anchor names, so error out immediately.

OK sashan


# 1.691 10-Feb-2019 kn

Unify anchor name sanity checks

For anchor names, make `load anchor' use the same grammar as `anchor' and
merge unique checks from both places so that anchor names are validated
regardless of the specific rule at hand.

OK sashan


# 1.690 31-Jan-2019 kn

Make divert-packet port accept any port specification

Contrary to other rules accepting a single port, this one only works with
numerical values. Fix it by simply using the proper grammar.

Port ranges are not accepted, but an error message on a range without start
was missing in general, so add it while here.

OK bluhm


# 1.689 11-Jan-2019 kn

When creating tables inside anchors, pfctl warned about namespace
collisions with global tables, but only in certain cases and with
limited information sometimes leaving users clueless.

Deferring the check to process_tabledefs() where tables are eventually
created, both anchor and table name are known which allows for checking
all existing anchors.

With this, warn on all duplicates even in dry-runs (`-n') and print
quoted names so they can be copied to fix configurations right away.

No functional change in parsing or ruleset production.

Discussed with and OK sashan


# 1.688 15-Nov-2018 dlg

scrub opts don't set tos, so remove it from the scrub_opts struct

ok deraadt@


# 1.687 10-Nov-2018 kn

Unbreak `-D macro=value' (r1.686 regression)

Zap trailing semicolon introduced with miko's cmdline_symset() leading to
unconditional err(3). Zap trailing tab while here.


# 1.686 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.685 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.684 16-Sep-2018 millert

Use uid_from_user(3) and gid_from_group(3) in utilities that
do repeated lookups. OK tb@


# 1.683 06-Sep-2018 kn

Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan


# 1.682 16-Jul-2018 kn

reduce duplicate code, fix typo/free correct buffer

In filteropts_to_rule():

* Merge `once' handling from `anchorrule' and `pfrule'
* Remove/shorten duplicate code block
* Fix typo I introduced with r1.678 that frees the wrong buffer (twice)

OK sashan


# 1.681 13-Jul-2018 kn

Fix regression on child queue definitions

I committed the wrong diff in 1.680 which turned `queue cq parent pq ...'
into invalid syntax by changing `interface' to `ON if_item'.

Found by bket, thanks!


# 1.680 11-Jul-2018 kn

Prevent invalid interface specifiers on queue rules

pf.conf(5) states that queues attach to actual interfaces only, yet the
following parses:

# echo queue eq on egress bandwidth 1G default | pfctl -f-
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

# echo queue rq on rdomain 0 bandwidth 1G default | pfctl -vf-
queue rq bandwidth 1G default
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

On rdomains, ifa_exists() returns NULL.
On interface groups, ifa_exists() returns non-NULL but af is never set
to AF_LINK.

OK henning sashan


# 1.679 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.678 10-Jul-2018 henning

'set delay' for the generic packet delay mechanism, ok benno sashan


# 1.677 10-Jul-2018 kn

fix anchor rules with filter opts, introduce filteropts_to_rule()

Some filter options were parsed but not set on anchor rules due to missing
copies of the respective struct members:

$ cat pf.conf
queue rq on trunk0 bandwidth 1G
queue dq parent rq bandwidth 1G default
anchor a set queue dq
$ pfctl -vnf pf.conf | fgrep queue
anchor "a" all

Fix this by moving common code from `anchorrule' and `pfrule' into a new
helper filteropts_to_rule().

Input from henning and benno
OK henning sashan jca


# 1.676 09-Jul-2018 kn

Zap dead code

Commented since r1.465 (2004).

OK deraadt benno jca sashan


# 1.675 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.674 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.673 18-May-2018 benno

A pf rule with a "on rdomain n" with nonexisting rdomain n will cause an

pfctl: DIOCADDRULE: Device busy

error when loading the ruleset, with no information which rule caused
the problem and no indication that the problem is the rdomain
<nonexisting>.

This diff makes pfctl check if the rdomain really exists when parsing
the config.

ok bluhm@


# 1.672 09-May-2018 otto

Fix (include file) line number counting by keeping track of the unget
buffer per file; also use that buffer to expand macros.
ok sashan@ dennis@ krw@


# 1.671 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.670 08-Feb-2018 henning

make the watermarks/thresholds for entering and leaving syncookie mode when
syncookies are set to adaptive tunable, ok claudio benno


# 1.669 06-Feb-2018 henning

allow control over syncookies: set syncookies never/always/adaptive


# 1.668 28-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@


# 1.667 27-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Convert the pfctl(8) rule parser to divert types, kernel cleanup
will be the next step.
OK sashan@


# 1.666 25-Nov-2017 sashan

- pfctl fails to handle nested 'load anchor' properly
[ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]

OK bluhm@


# 1.665 14-Nov-2017 sashan

- nested anchors vs. pfctl/parse.y
bug reported and fix tested by Leonardo Guardati

OK bluhm@


# 1.664 13-Nov-2017 henning

add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb


Revision tags: OPENBSD_6_2_BASE
# 1.663 11-Aug-2017 benno

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@


# 1.662 19-Jul-2017 mikeb

Allow HFSC classes to use flow queues

The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue. Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.

Discussed with and OK henning@ at d2k17 as a part of a larger diff.


# 1.661 19-Jul-2017 mikeb

Rework HFSC vs FQ-CoDel checks

The selection mechanism introduced in pf_ioctl.c -r1.316 suffers
from being too ambiguous and lacks robustness. Instead of relying
on composition of multiple flags in the queue specification, it's
easier to identify the root class (if it exists) and derive all
further checks from it.


# 1.660 28-May-2017 akfaew

Don't check np->port for NULL - it's an array, it's never NULL.

OK bluhm@


# 1.659 15-May-2017 mikeb

Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)

OK sthen, visa


# 1.658 28-Apr-2017 mikeb

Remove double assignments


Revision tags: OPENBSD_6_1_BASE
# 1.657 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.656 23-Nov-2016 bluhm

Explicitly forbid to combine af-to with route-to in pfctl. The
parser cannot handle that correctly and it is unclear whether the
kernel code would work. Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@


# 1.655 26-Aug-2016 guenther

Add <time.h> for time(); sort <*.h> includes

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.654 18-Jul-2016 henning

g/c unused (global!) var: oqueues isn't used any more. ALTQ leftover; not
noticed since struct node_queue stayed. ok claudio benno gcc


# 1.653 22-Jun-2016 kettenis

Add curly braces that were missed in rev 1.651. Add parenthesis to make the
condition in the if statement more readable while I'm there.

ok phessler@, benno@, florian@


# 1.652 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.651 21-Jun-2016 benno

the manpage documents that af-to does not work on pass out rules, but
the pf.conf parser allows it, which leads to a non-working configuration
being loaded.
this changes the parser to make pass out .. af-to an error.

ok henning@ mikeb@


# 1.650 16-Jun-2016 henning

allow include in inline anchors
with this,
anchor foo {
include "/path/to/rules"
}
works and "load anchor" is obsolete, to be removed somewhen later after
release.
co-production with reyk at bsdcan, ok reyk mikeb benno sasha


Revision tags: OPENBSD_5_9_BASE
# 1.649 01-Sep-2015 sashan

- route-to, dup-to, reply-to should not override the block action

Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>

ok jung@, ok mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.648 21-Apr-2015 mikeb

Improve divert-to specification parsing w.r.t. rule address family.
ok henning


Revision tags: OPENBSD_5_7_BASE
# 1.647 26-Feb-2015 sthen

%% not % in error message; ok millert@ henning@


# 1.646 14-Feb-2015 sthen

Rather than using 0xff as a placeholder for "don't check prio", use 0xff to
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.

Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesn't like it he can change it when he recovers from jet-lag"


# 1.645 10-Feb-2015 henning

since we inherit prio (as in, the queuing priority) from outside sources,
i. e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan


# 1.644 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.643 19-Dec-2014 reyk

Support source-hash and random with tables and dynifs; not just pools.
This finally allows to use source-hash for dynamic loadbalancing, eg.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.

An older pre-siphash version of this diff was tested by many people.

OK tedu@ benno@


# 1.642 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@
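
The two lexer rules that rev 1.685 (above) restates and the embedded-NUL rejection from rev 1.642, modelled together in Python. This is an added example, not pfctl's parse.y code: it implements only the backslash cases the log messages name (space, tab and newline inside a quoted string), rejects a NUL character inside a string as rev 1.642 does, and, as an assumption of the model, keeps any other backslash literally. The pf.conf fragment it runs on is constructed.

```python
"""Model of two pf.conf lexer rules named in this log (added example, not
pfctl's parse.y): backslash handling inside quoted strings (rev 1.685) and
rejection of embedded NUL characters in strings (rev 1.642)."""

from typing import List, Optional, Tuple


class LexError(ValueError):
    """Raised where pfctl's yyerror() would report the problem."""


def lex_quoted_string(text: str, pos: int) -> Tuple[str, int]:
    """Lex the double-quoted string starting at text[pos].

    Returns (value, index just past the closing quote). Rules modelled:
      backslash + space or tab  -> that space or tab (rev 1.685)
      backslash + newline       -> dropped, a line continuation (rev 1.685)
      NUL anywhere in string    -> LexError (rev 1.642)
      end of input before the closing quote -> LexError
    Any other backslash is kept literally; that is an assumption of this
    model, the log only specifies the three cases above.
    """
    if pos >= len(text) or text[pos] != '"':
        raise LexError("expected opening quote")
    out: List[str] = []
    i, n = pos + 1, len(text)
    while i < n:
        c = text[i]
        if c == "\\" and i + 1 < n:
            nxt = text[i + 1]
            if nxt == "\n":              # line continuation
                i += 2
                continue
            if nxt in (" ", "\t"):       # escaped blank stands for itself
                out.append(nxt)
                i += 2
                continue
            # assumption: other backslashes pass through unchanged
        if c == "\0":
            # a C lexer that strdup()s this buffer would silently truncate it;
            # rev 1.642 rejects the string instead of crashing later
            raise LexError("syntax error: embedded NUL in string")
        if c == '"':
            return "".join(out), i + 1
        out.append(c)
        i += 1
    raise LexError("unterminated string")


def quoted_strings(text: str) -> List[str]:
    """Return the value of every double-quoted string in text, in order.
    Text outside quotes is skipped; comments are not modelled."""
    values: List[str] = []
    i = 0
    while i < len(text):
        if text[i] == '"':
            value, i = lex_quoted_string(text, i)
            values.append(value)
        else:
            i += 1
    return values


def string_error(text: str) -> Optional[str]:
    """Return the lexer error message for text, or None if it lexes cleanly."""
    try:
        quoted_strings(text)
    except LexError as e:
        return str(e)
    return None


# constructed pf.conf fragment: an escaped blank in a quoted path and a
# backslash-newline continuation inside another quoted path
SAMPLE_CONF = (
    'table <blocked> persist file "/etc/pf/blocked\\ hosts"\n'
    'load anchor "ftp" from "/etc/pf.anchors/\\\n'
    'ftp"\n'
)

if __name__ == "__main__":
    print(quoted_strings(SAMPLE_CONF))
    # -> ['/etc/pf/blocked hosts', 'ftp', '/etc/pf.anchors/ftp']
    print(string_error('anchor "bad\0name"'))
```

The NUL case is the one the afl run in rev 1.642 hit: a string the lexer accepted but that a later C string copy would cut short, so the error is raised in the lexer rather than letting the two lengths disagree downstream.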


# 1.641 27-Oct-2014 mikeb

Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic. Reported by sthen@;
ok henning benno sthen


# 1.640 25-Oct-2014 lteo

Remove unnecessary netinet/in_systm.h include.

ok millert@


# 1.639 13-Sep-2014 doug

Replace all queue *_END macro calls except CIRCLEQ_END with NULL.

CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.

ok millert@


# 1.638 23-Aug-2014 pelikan

when you specify queues in a rule, make sure they have been defined.

DIOCADDRULE EBUSY turns into an error message that pfctl -n catches.
DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported
to occur, possibly from hfsc.c: this should be fixed as well.

ok henning mikeb sthen


# 1.637 21-Aug-2014 mikeb

deny "once" flags for match rules; ok henning


Revision tags: OPENBSD_5_6_BASE
# 1.636 02-Jul-2014 mikeb

branches: 1.636.4;
condition above makes this part of the check useless;
overlooked in the previous commit


# 1.635 30-Jun-2014 mikeb

Merge two loops in collapse_redirspec into one

This lets us do the checks only once and also make smarter decisions
about the rule's own address family. As a result af-to rules no longer
need to specify the address family after 'pass'.

ok henning


# 1.634 25-Jun-2014 mikeb

Make stricter decisions when handling translation specifications.

In particular, disallow specifications containing addresses of
different address families when rule doesn't specify one, for
example "pass out nat-to { ::1 1.1.1.1 }" will now produce an
error instead of silently picking one of the addresses.

sthen and deraadt agree


# 1.633 17-May-2014 bluhm

When parsing a numerical value for the TOS bits, make sure that it
is in a valid range.
OK henning@


# 1.632 19-Apr-2014 henning

remove altq bits here, too
(i was convinced i committed that yesterday already, hrm)


Revision tags: OPENBSD_5_5_BASE
# 1.631 22-Jan-2014 henning

branches: 1.631.4;
relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.630 21-Jan-2014 henning

if_item can be "any" now.
allows things like
block out on $someif received-on any
to prevent packets to get forwarded to $someif


# 1.629 20-Jan-2014 henning

support "!received-on <interface>", ok dlg benno


# 1.628 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.627 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


# 1.626 17-Oct-2013 henning

cannot have queue definitions inside anchors.
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@ring0.de>, analysis & fix yours truly


# 1.625 12-Oct-2013 henning

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen


# 1.624 01-Aug-2013 mikeb

Provide local implementations of if_nametoindex(3) and if_indextoname(3)
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance wise this change provides a speed up
factor of 20 with an 11k line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).

"wow!" henning, ok benno, florian


Revision tags: OPENBSD_5_4_BASE
# 1.623 01-Jun-2013 henning

branches: 1.623.2;
remove set-tos backwards compat, moved into the set {} block a year ago
ok ryan


# 1.622 02-Mar-2013 sthen

When a PF rule contains 'set tos' *followed by* a scrub option, the tos
value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning


Revision tags: OPENBSD_5_3_BASE
# 1.621 16-Jan-2013 henning

for consistency with prio etc, the queue assignment really belongs
into the set block. so make pfctl accept, print and the manpage document
. match set queue foo
instead of
. match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc


# 1.620 18-Oct-2012 reyk

Disallow tables and interface address pools for rdr-to, nat-to and
route-to with any other scheduling algorithms than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, eg. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.

Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.

ok zinke@


# 1.619 18-Sep-2012 henning

prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb


Revision tags: OPENBSD_5_2_BASE
# 1.618 10-Jul-2012 bluhm

Allow an implicit address family for af-to rules. If the address
family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6"
there.
OK henning@ mikeb@


# 1.617 10-Jul-2012 henning

set { ... } -> set ( ... )
brought up by ryan, discussed with him and theo and they convinced me


# 1.616 09-Jul-2012 henning

fix some of the confusion we have in pf regarding filter criteria vs
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler


# 1.615 07-Jul-2012 henning

remove incorrect check in pfctl preventing set-tos for ipvshit.
the kernel has code to deal with set-tos and that crap. don't ask for
details. stuart ok


# 1.614 07-Jul-2012 henning

rename prio in struct pf_rule and related structs to set_prio so it is
utterly clear this is not a filter criterion but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc


Revision tags: OPENBSD_5_1_BASE
# 1.613 19-Dec-2011 mikeb

unbreak rule optimizer; ok henning, looks


# 1.612 12-Dec-2011 mikeb

fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault


# 1.611 03-Dec-2011 mcbride

pfctl_set_hostid always returns 0; don't pretend otherwise and make it a
void function instead.

ok dlg


# 1.610 13-Oct-2011 claudio

pfctl change for af-to / NAT64 support.
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@


# 1.609 07-Sep-2011 haesbaert

Avoid possible SIGSEGV on a wrong tos option.


# 1.608 30-Aug-2011 mikeb

One shot rules can be used in pf.conf by specifying a "once" filter option.

ok henning, mcbride


Revision tags: OPENBSD_5_0_BASE
# 1.607 29-Jul-2011 mcbride

Remove requirement to quote 'debug' loglevel for the 'debug' option.

ok henning


# 1.606 27-Jul-2011 mcbride

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with a some minor cleanup.
ok henning claudio deraadt


# 1.605 13-Jul-2011 mcbride

Force user to specify protocol when filtering on user, gid, and os
attributes (this is now required by pf_rule_test()).

ok sthen henning


# 1.604 08-Jul-2011 henning

allow rules to specify "prio X" or "prio (X, Y)" to assign priority levels
for the new priority queueing implementation. valid range is 0 to 7. the old
trick for prioritizing empty ACKs etc remains thru the latter notation
ok ryan mpf sthen plus pea testing and halex and claudio reading


# 1.603 07-Jul-2011 mcbride

Fold pf_test_fragment() into pf_test_rule(), reduce code and fixes
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus


# 1.602 04-Jul-2011 henning

bye bye require-order.
i added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo


# 1.601 03-Jul-2011 henning

g/c RIO traces (aka clean up after tedu :))


# 1.600 03-Jul-2011 zinke

bring in least-states load balancing algorithm

ok mcbride@ henning@


# 1.599 06-Apr-2011 claudio

Userland bits to allow PF to filter on the rdomain a packet belongs to.
This allows to write rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@


# 1.598 05-Apr-2011 mikeb

ditch fastroute, an ipf feature that made its way into pf before
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do. reuse some kernel bits for the upcoming nat64
stuff. "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.


Revision tags: OPENBSD_4_9_BASE
# 1.597 31-Dec-2010 bluhm

According to pf_scrub_ip6() pf does not support the scrub options
no-df, random-id, set-tos for IPv6 rules. Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@


# 1.596 15-Dec-2010 henning

make the "invalid probability:" yyerror suck less
From: Thomas Pfaff <tpfaff@tp76.info>


# 1.595 01-Dec-2010 jsg

remove some unused tokens
ok henning@ mcbride@


# 1.594 24-Sep-2010 henning

remove the check that enforced rdr-to only inbound and nat-to only outbound.
both now can be used in both directions. the kernel allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given, a rule with rdr-to and/or nat-to
and no direction is pretty certainly an error (though it would work,
technically)
ok ryan claudio dlg


# 1.593 22-Sep-2010 henning

new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually


# 1.592 02-Sep-2010 sobrado

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@


Revision tags: OPENBSD_4_8_BASE
# 1.591 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.590 03-Jul-2010 mcbride

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.

tested by phessler
ok henning


# 1.589 23-Mar-2010 henning

remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving anchors aside) is wrong and
conflicts with the general idea of how pf works. last but not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc


Revision tags: OPENBSD_4_7_BASE
# 1.588 13-Jan-2010 deraadt

Move tokens before productions into more consistent places
ok mcbride


# 1.587 13-Jan-2010 mcbride

Allow /netmask notation in redir spec, fix the rest of the regress
tests for illegal conditions in translation/routing.


# 1.586 12-Jan-2010 mcbride

We actually have to keep the translate/route spec addresses around after
collapsing into tables, so that we can handle all possible address family
expansions.


# 1.585 12-Jan-2010 mcbride

Set roundrobin flag correctly, and don't treat a bare interface
like a dynamic one in the routespec.


# 1.584 12-Jan-2010 mcbride

Add restrictions to make @if illegal outside of routing specs;
Fix binat-to sanity checks.


# 1.583 12-Jan-2010 mcbride

Fix some issues in redir spec handling, discovered thanks to dlg testing
- purge irrelevant addresses from the lists before collapsing
- ensure the lists are freed after they're collapsed
- more careful ifname copying, avoiding double-free / use-after-free traps


# 1.582 12-Jan-2010 mcbride

Don't leak @if0 format routing host names, pointed out by claudio.


# 1.581 12-Jan-2010 mcbride

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio


# 1.580 10-Jan-2010 deraadt

lex <=, >=, and != into a single token for correctness and to reduce the
lookahead in the parser
ok henning otto


# 1.579 10-Jan-2010 deraadt

In the non-optimized case, an address list containing "any" (ie. { any 10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1. How long this bug has
been with us is unclear.
ok guenther mcbride


# 1.578 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


# 1.577 24-Dec-2009 dlg

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:

pass out on em0 from $foo to $bar received-on fxp0

i've been running this in production for a week now. i find it particularly
useful with interface groups.

no objections, and a few "i like"s from henning, claudio, deraadt, mpf


# 1.576 10-Dec-2009 deraadt

plug some memory leaks; found by parfait, ok henning


# 1.575 22-Nov-2009 henning

cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing


# 1.574 09-Nov-2009 jsg

A few more places to be updated for the route pool change.
expanded version of a diff from Vadim Zhukov.

ok henning@ claudio@


# 1.573 28-Oct-2009 jsg

Add a dedicated pf pool for route options as suggested by henning,
which unbreaks i.e. route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@


# 1.572 28-Oct-2009 claudio

route_host initializes the netmask to a /128 no matter what af is used so
that the load balancing code does not freak out but because of this
check_netmask() is now complaining. So set the addr.type to PF_ADDR_DYNIFTL
so check_netmask() is fixing up the netmask for IPv4 and stops complaining.
This is a partial fix for the failing regress test 13.
found with jsg, looks good henning


# 1.571 28-Oct-2009 claudio

Correct function name in err and errx.


# 1.570 04-Oct-2009 michele

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who pointed out the limitations of this approach.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@


# 1.569 08-Sep-2009 michele

I had not enough oks to commit this diff.
Sorry.


# 1.568 08-Sep-2009 michele

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.


# 1.567 07-Sep-2009 reyk

implement binat-to as a macro-like rule: a rule using the new binat-to
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. this simplifies the migration from old
binat rules and is less error-prone.

feedback from many, manpage bits from jmc@
ok henning@


# 1.566 03-Sep-2009 reyk

this time i commit the right diff that was
ok henning@ (sorry)


# 1.565 03-Sep-2009 reyk

fix two route-to vs. rdr-to conflicts.

found by sthen@
ok henning@


# 1.564 02-Sep-2009 reyk

all the new *-to options are part of the "filteropts" section at the
end of a pf rule (nat-to, divert-to, rdr-to, ...). take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.

for example,
pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)

many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@


# 1.563 01-Sep-2009 henning

the diff theo calls me insane for:
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too


# 1.562 28-Jul-2009 claudio

Bring back rev. 1.560:
Make it possible to use DiffServ Code Point in the TOS fields.
Requested by deraadt@


# 1.561 27-Jul-2009 deraadt

When will people learn to commit their .h file changes?


# 1.560 27-Jul-2009 claudio

Make it possible to use DiffServ Code Point in the TOS fields. Names like
af11, cs6 and ef will now be mapped to the corresponding TOS value.
OK henning@, sthen@, mcbride@


Revision tags: OPENBSD_4_6_BASE
# 1.559 14-May-2009 sthen

actually change the require-order default to No; I missed a part with
my last commit. ok deraadt@


# 1.558 26-Apr-2009 sthen

switch the require-order default to "no". regression tests still pass.
ok henning@ deraadt@


# 1.557 25-Apr-2009 henning

scrub_opts must not be empty, scrub on its own does nothing.
noticed due to a question from otto@, ok regress/sbin/pfctl/ ;)


# 1.556 06-Apr-2009 henning

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.


Revision tags: OPENBSD_4_5_BASE
# 1.555 19-Feb-2009 deraadt

spacing


# 1.554 17-Oct-2008 henning

in findeol(), do not skip the pushback buffer. fixes PR 5952 by sthen@ and
should make the pushback buffer really transparent.
diagnosis by me, fix with mpf, some input deraadt, ok mpf


# 1.553 02-Oct-2008 henning

implement "set state-defaults X", where X is a list of state options as
permitted keep state(X). applies to all rules which do not have keep state
explicitly. e. g. "set state-defaults pflow, no-sync"
ok phessler deraadt


# 1.552 10-Sep-2008 deraadt

do not try to print $$ when it has not been set


# 1.551 09-Sep-2008 henning

welcome pflow(4), a netflow v5 compatible flow export interface.
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo


# 1.550 07-Aug-2008 henning

correctly copy the log interface spec when expanding an antispoof rule that
covers loopback addresses. ok ryan
problem report from Harald Dunkel <harald.dunkel@aixigo.de>


Revision tags: OPENBSD_4_4_BASE
# 1.549 03-Jul-2008 deraadt

do not forget to initialize other member of $$ in qname; noted by mark shroyer
ok henning


# 1.548 10-Jun-2008 mcbride

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt


# 1.547 10-Jun-2008 henning

new state option "sloppy" to use the sloppy tcp state tracker instead
of the good one. ok theo ryan reyk


# 1.546 09-May-2008 deraadt

Replace a crockpot of semi-cloned productions for handling port
numbers with one, and fix a few other bugs along the way
ok mpf henning


# 1.545 09-May-2008 markus

convert port byte order in the production; add port keyword; ok deraadt@


# 1.544 09-May-2008 markus

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@


# 1.543 08-May-2008 deraadt

make "to any" optional in binat, or well, the implied default.
requested by reyk, ok reyk mpf


# 1.542 08-May-2008 deraadt

Loosen grammar to permit any number of newlines within most kinds of { }
blocks, as requested by reyk; ok reyk mpf henning


# 1.541 08-May-2008 deraadt

Bring back (in a more yacc friendly way) support for setting variables
to a sequence of strings and numbers, which get folded together into one
string (and later, when used, is re-lexed)
ok mpf


# 1.540 07-May-2008 deraadt

do not assume PF_INOUT is 0 in the enum; ok mcbride


# 1.539 07-May-2008 markus

scrub packets based on tags; ok henning


# 1.538 07-May-2008 markus

allow setting TOS with scrub; ok mcbride, claudio


# 1.537 21-Apr-2008 deraadt

optnl is a crutch for those who do not understand yacc. it
leads to a variety of errors; ok mcbride


Revision tags: OPENBSD_4_3_BASE
# 1.536 01-Feb-2008 mcbride

Enable the rest of the filter_opts to be used on anchors. These were accepted
by the parser but not passed to the kernel. This allows filtering based on
uid, gid, icmp options, tcp flags, os fingerprint, tos, tags, and probability;
It also allows the label to be set. State options and tagging are not
permitted.

ok henning mpf


# 1.535 13-Nov-2007 mpf

Bring back the number converter for 'set hostid'.
I forgot to think about hex numbers when I removed it.
OK deraadt@


# 1.534 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.533 25-Oct-2007 mpf

Fix probability rules w/ numbers (e.g probability 0.4).
Add support for probabilities of 0% and 100%.
With and OK deraadt@


# 1.532 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.531 22-Oct-2007 deraadt

pfctl does not need file secrecy


# 1.530 16-Oct-2007 mpf

Allow unquoted numbers in variables.
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.

OK deraadt@


# 1.529 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.528 13-Oct-2007 deraadt

support an include directive; file of course must also be "secure" like
the main configuration file; ok henning


# 1.527 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.526 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.525 01-Oct-2007 mpf

Backout NUMBER to string conversion.
Requested by deraadt@


# 1.524 27-Sep-2007 mpf

Add loginterface support for groups.
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.

OK henning@, markus@


# 1.523 23-Sep-2007 mpf

Allow numbers to be used as unquoted strings again.
While there, also restrict the use of concatenated, unquoted
strings for variable assignments only.

Eyeballed by markus@, OK henning@


# 1.522 12-Sep-2007 deraadt

add a missing range check for rtable ids; ok cloder henning


# 1.521 12-Sep-2007 deraadt

Add support to the lex for parsing numbers out of the stream. handle
this in the parser. because the new numbers are int64_t, many new
range checks for < 0 are needed. re-check and improve all the
existing rangechecks while at it. thanks for help by cloder and
dhartmei


# 1.520 30-Aug-2007 dhartmei

add support for address ranges ("from 10.1.2.50 - 10.1.3.75") in from/to
criteria. ok mcbride@


Revision tags: OPENBSD_4_2_BASE
# 1.519 21-Jun-2007 henning

always initialize logif, from max laier, ok ryan


# 1.518 20-Jun-2007 mpf

Allow "log" for nat rules without "pass".
OK henning@, ``passt scho'' markus@


Revision tags: OPENBSD_4_1_BASE
# 1.517 03-Feb-2007 dhartmei

in decide_address_family(), only limit a rule to a specific address family
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@


# 1.516 07-Nov-2006 mcbride

Unbreak authpf by handling non-inline anchors separately from the { } anchors
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.

ok deraadt@


# 1.515 31-Oct-2006 mcbride

Allow pfctl ruleset optimizer to be controlled from the ruleset.

"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]

You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.

cleanup and ok henning@


# 1.514 31-Oct-2006 mcbride

- don't allow anchors with _* names to be cleared or loaded from the
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified

'looks sensible' deraadt@


# 1.513 28-Oct-2006 mcbride

Load all rules into memory before loading into the kernel, and add support
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").

anchor on fxp0 {
pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@


# 1.512 25-Oct-2006 henning

make absolutely sure logif is 0 unless set specifically, even if log is 0.
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...


# 1.511 25-Oct-2006 henning

and another nit, $$.log should be set to 0 explicitly on quick without log


# 1.510 25-Oct-2006 henning

urgs, $$.quick needs to be set to 0 explicitly on log (without quick)


# 1.509 25-Oct-2006 henning

allow the log interface to be selected like
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride


# 1.508 17-Oct-2006 mcbride

Don't automatically set 'flags S/SA' on stateless rules.

pointed out by david@

ok mpf@ dhartmei@


# 1.507 11-Oct-2006 deraadt

quotes around filename, pr 5253, sthen@zephyr.spacehopper.org


# 1.506 11-Oct-2006 mcbride

Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside
the anchor, terminate ruleset evaluation when stepping out of the anchor.

This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.

ok dhartmei@ henning@ deraadt@


# 1.505 06-Oct-2006 mcbride

Oops, flags S/SA doesn't work on fragments.


# 1.504 06-Oct-2006 mcbride

Make 'flags S/SA keep state' the implicit for filter rules, based on
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.

IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.

Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.

ok dhartmei@ deraadt@ henning@


Revision tags: OPENBSD_4_0_BASE
# 1.503 22-Aug-2006 dhartmei

back out -r1.497 (support for "tagged {}" lists), it broke "tagged" support
for nat rules. sorry, existing functionality trumps syntactic sugar. feel
free to resubmit a complete patch. closes PR 5207.


# 1.502 06-Jul-2006 henning

add "rtable" to select alternate routing tables.
with & ok claudio hshoexer


# 1.501 17-Jun-2006 henning

KNF


# 1.500 28-May-2006 mcbride

Make per-rule adaptive timeouts behave the same way as the global adaptive
timeouts.


# 1.499 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.498 02-May-2006 dhartmei

fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, create
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.


# 1.497 01-May-2006 dhartmei

add support for "tagged {}" lists, from Pierre-Yves Ritschard


# 1.496 06-Apr-2006 henning

allow lists inside lists for address specs, has been in my tree for
quite some time... theo likes


# 1.495 14-Mar-2006 djm

implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@


Revision tags: OPENBSD_3_9_BASE
# 1.494 17-Nov-2005 dhartmei

for pfctl -f rules, open the file before resetting options. when opening
the file fails, produce only the error message and leave options
unchanged. reported by Tamas TEVESZ, ok deraadt@


# 1.493 13-Oct-2005 henning

unused parameters


Revision tags: OPENBSD_3_8_BASE
# 1.492 14-Jun-2005 henning

no need to restrict tagging to stateful rules any more, dhartmei ok
From: "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.491 27-May-2005 dhartmei

get rid of 'log-all'. now that we have 'log (options)', make 'all' an
option to log. so, 'log-all' becomes 'log (all)'.


# 1.490 27-May-2005 dhartmei

get rid of shift/reduce conflicts, don't support empty logopts


# 1.489 27-May-2005 dhartmei

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v is used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.


# 1.488 27-May-2005 dhartmei

allow 'tagged' in 'anchor' rules (without complaining about missing
'keep state'), as a condition to branch into the anchor. suggested
by Bill Marquette.


# 1.487 26-May-2005 camield

The illegalness of "no nat log" is already enforced by the grammar.

ok dhartmei


# 1.486 26-May-2005 dhartmei

support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@


# 1.485 23-May-2005 camield

remove code that duplicates getservice()

ok dhartmei mcbride


# 1.484 21-May-2005 henning

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo


# 1.483 22-Apr-2005 camield

Catch bad flags, ie. flags that always evaluate to false. This happens
if there are flags on the lefthandside that are masked off by the
righthand side.

ok mcbride@ (long time ago) dhartmei@ henning@
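The "bad flags" condition above is a rule that can never match: pf tests `(tcp_flags & flagset) == flags`, so any bit required on the left of the slash but absent from the right is unsatisfiable. This is an added example, not pfctl's parse.y code; it assumes pf's letter order FSRPAUEW maps onto the TCP header bits 0x01..0x80 and that the spec forms are `a/b`, `/b` and `any`.

```c
#include <string.h>

/* pf's flag letters, in the order of the TCP header bits 0x01..0x80. */
static const char tcpflags[] = "FSRPAUEW";

enum flags_result {
	FLAGS_OK = 0,
	FLAGS_SYNTAX = -1,	/* unknown letter or malformed spec */
	FLAGS_NEVER = -2	/* bits in a/ that b/ masks off: never matches */
};

/* Turn a run of flag letters into a bitmask; -1 on an unknown letter. */
static int
parse_flagset(const char *s, size_t len)
{
	int mask = 0;
	size_t i;

	for (i = 0; i < len; i++) {
		const char *p = strchr(tcpflags, s[i]);

		if (s[i] == '\0' || p == NULL)
			return (-1);
		mask |= 1 << (p - tcpflags);
	}
	return (mask);
}

/*
 * Parse a pf.conf "flags" argument ("a/b", "/b" or "any").  On success
 * *flags holds the bits that must be set and *flagset the bits examined.
 * Rejects specs whose left side can never be satisfied by the right side,
 * which is the check the commit above describes (constructed here).
 */
int
parse_flags(const char *spec, int *flags, int *flagset)
{
	const char *slash;
	int a, b;

	if (strcmp(spec, "any") == 0) {
		*flags = *flagset = 0;	/* no flag matching at all */
		return (FLAGS_OK);
	}
	if ((slash = strchr(spec, '/')) == NULL)
		return (FLAGS_SYNTAX);
	a = parse_flagset(spec, (size_t)(slash - spec));
	b = parse_flagset(slash + 1, strlen(slash + 1));
	if (a < 0 || b < 0)
		return (FLAGS_SYNTAX);
	/* A required flag that is masked off makes the rule dead. */
	if (a & ~b)
		return (FLAGS_NEVER);
	*flags = a;
	*flagset = b;
	return (FLAGS_OK);
}
```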


Revision tags: OPENBSD_3_7_BASE
# 1.482 07-Mar-2005 henning

print unsigned long with %lu, not with %d and not with %ld.
From: Andrey Matveev <andrushock@korovino.net>


# 1.481 06-Mar-2005 henning

allow commas in the hfsc service curve spec, inconsistency pointed out in
PR4134 / geoff@collyer.net and a longer mail exchange with han boetes


# 1.480 06-Mar-2005 dhartmei

print "set skip on" with -v in such a way that the output is valid input
syntax, instead of the cryptic hex flags output.


# 1.479 27-Feb-2005 dhartmei

support 'tagged' in translation rules, non-delayed tag lookup
ok henning@, deraadt@


# 1.478 26-Feb-2005 henning

you sure get the impression the number of memory leaks in error paths
is infinite... Andrey Matveev <andrushock@korovino.net> spotted a few again!


# 1.477 07-Feb-2005 david

KNF; ok henning@


# 1.476 28-Jan-2005 dhartmei

add messages for syntax errors that caused silent failure before.
found by Peter Fraser, ok henning@


# 1.475 27-Jan-2005 dhartmei

dynamic interface names must start with a letter. catches the nonsensical
"(10.1.2.3)" that results from a simple typo like "$(ext_ip)" instead of
"$(ext_if)".


# 1.474 05-Jan-2005 mcbride

Modify pfctl behaviour so that 'set ...' options are no longer "sticky", ie.
they are reset to default values if omitted from a subsequent ruleset load.
Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set
without resetting the others, eg:
# echo "set loginterface fxp0" | pfctl -mf -

ok henning@ dhartmei@


# 1.473 29-Dec-2004 mcbride

Print 'set fingerprints' correctly when parsing verbosely.


# 1.472 23-Dec-2004 dhartmei

set rule_flag PFRULE_SRCTRACK when setting srctrack, found by camield@
using regress test pf84


# 1.471 22-Dec-2004 dhartmei

Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@


# 1.470 15-Dec-2004 henning

missing free()s; with pat


# 1.469 10-Dec-2004 henning

allow pf to filter on route labels
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan


# 1.468 08-Dec-2004 mcbride

Add "'overload' requires 'max-src-conn' or 'max-src-conn-rate'" sanity check,
fix some cut-n-paste mayhem in other related checks.


# 1.467 07-Dec-2004 dhartmei

re-commit mcbride@'s 'flush global', this time without the breakage in
pfvar.h. builds kernel and userland.


# 1.466 07-Dec-2004 deraadt

real backout


# 1.465 07-Dec-2004 deraadt

oops, incomplete backout


# 1.464 07-Dec-2004 deraadt

tree does not compile, spotted by dlg (not obvious how to fix)
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.463 07-Dec-2004 mcbride

Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.462 05-Dec-2004 dhartmei

initialize $$->tail and $$->next for MAXSRCCONNRATE


# 1.461 04-Dec-2004 mcbride

Userland support for limiting open tcp connections per source. eg:

keep state (max-src-conn 1000, max-src-conn-rate 100/10, overflow <bad> flush)

allow a maximum of 1000 open connections or 100 new connections in 10 seconds.
The addresses of offenders are added to the <bad> table which can be used in
the ruleset, and existing states from that host are flushed.

ok deraadt@ dhartmei@


# 1.460 21-Sep-2004 aaron

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok


Revision tags: OPENBSD_3_6_BASE
# 1.459 29-Jun-2004 henning

remove cedric's bogus interface name verification code.
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nice enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being bugged to regularly.
help & ok mcbride@


# 1.458 29-Jun-2004 frantzen

convert a few memcpy()s to strlcpy() so we don't copy uninitialized junk into
an interface name's slack space past the \0. will be needed for the optimizer.
ok henning@


# 1.457 26-Jun-2004 david

add back PF_INOUT, fixes reassemble tcp
ok canacar@ mcbride@


# 1.456 25-Jun-2004 deraadt

repair tree nanobreak by the nanobum


# 1.455 10-Jun-2004 dhartmei

rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
keyword in C++. ok henning@, cedric@


# 1.454 21-May-2004 dhartmei

Use '/' instead of ':' as separator for anchor path components. Note that
the parser now needs quotes around paths containing separators.
ok mcbride@


# 1.453 19-May-2004 dhartmei

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@


# 1.452 24-Apr-2004 cedric

Add "probability xxx" rule modifier. ok deraadt@


# 1.451 22-Apr-2004 henning

typo, From: Jared Yanovich <jjy2+@pitt.edu>


# 1.450 14-Apr-2004 cedric

make antispoof work with dynamic addresses. ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_5_BASE
# 1.449 20-Mar-2004 david

spelling fix; ok dhartmei@ henning@ deraadt@


# 1.448 14-Mar-2004 dhartmei

#include fixes, from Max Laier, ok beck@ henning@


# 1.447 08-Mar-2004 henning

plug 124 memory leaks
ok mcbride@ pb@ dhartmei@


# 1.446 06-Mar-2004 henning

from bgpd:
plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. err(1, "yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@
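The fixed shape of that yylex() tail, as an added example rather than pfctl's own lexer: the keyword table, token numbers and line tokenizer are constructed for illustration, and a counter records how many strdup() calls the lexer makes so the effect of allocating only for STRING is visible.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Token codes, constructed for this example (not pfctl's yacc values). */
enum token { STRING = 258, PASS, BLOCK, MATCH, IN, ON, FROM, TO };

struct keyword {
	const char	*k_name;
	int		 k_token;
};

/* Must stay sorted by name: lookup() uses bsearch() like pfctl does. */
static const struct keyword keywords[] = {
	{ "block",	BLOCK },
	{ "from",	FROM },
	{ "in",		IN },
	{ "match",	MATCH },
	{ "on",		ON },
	{ "pass",	PASS },
	{ "to",		TO },
};

static int
kw_cmp(const void *k, const void *e)
{
	return (strcmp(k, ((const struct keyword *)e)->k_name));
}

/* Keyword token for buf, or STRING when buf is not a keyword. */
int
lookup(const char *buf)
{
	const struct keyword *p;

	p = bsearch(buf, keywords, sizeof(keywords) / sizeof(keywords[0]),
	    sizeof(keywords[0]), kw_cmp);
	return (p ? p->k_token : STRING);
}

/* Semantic value of the current token; only STRING owns heap memory. */
static char *yylval_string;
/* Number of strdup() calls made for token values (for the test). */
static int nstring_allocs;

/*
 * Corrected tail of yylex(): duplicate buf only when lookup() says
 * STRING.  The pre-fix code called strdup() for every token, and since
 * only the STRING action ever free()s yylval.v.string, each keyword
 * leaked one copy of its text.
 */
static int
lex_token(const char *buf)
{
	int token = lookup(buf);

	yylval_string = NULL;
	if (token == STRING) {
		if ((yylval_string = strdup(buf)) == NULL)
			abort();	/* pfctl: err(1, "yylex: strdup") */
		nstring_allocs++;
	}
	return (token);
}

struct tok {
	int	 token;
	char	*string;	/* owned; non-NULL only for STRING */
};

/* Split one whitespace-separated line into tokens; returns the count. */
size_t
tokenize(const char *line, struct tok *out, size_t max)
{
	char *copy, *p, *save = NULL;
	size_t n = 0;

	if ((copy = strdup(line)) == NULL)
		abort();
	for (p = strtok_r(copy, " \t\n", &save); p != NULL && n < max;
	    p = strtok_r(NULL, " \t\n", &save)) {
		out[n].token = lex_token(p);
		out[n].string = yylval_string;
		n++;
	}
	free(copy);
	return (n);
}

/* Release the STRING values; free(NULL) for keywords is a no-op. */
void
free_tokens(struct tok *t, size_t n)
{
	while (n-- > 0)
		free(t[n].string);
}

int
string_alloc_count(void)
{
	return (nstring_allocs);
}
```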


# 1.445 01-Mar-2004 dhartmei

support "tagged <name>" on anchor rules, suggested by vd@vmunix.lt,
ok henning@, cedric@


# 1.444 24-Feb-2004 mcbride

'max-src-nodes' requires 'source-track rule'. Set that automatically,
unless 'source-track global' is explicit, in which case error out. Lots of
help from cedric@.

ok cedric@ henning@


# 1.443 24-Feb-2004 cedric

fixup.


# 1.442 24-Feb-2004 mcbride

Check for 'source-track rule' with 'max-src-nodes'.

ok cedric@ henning@


# 1.441 11-Feb-2004 cedric

Fix interface clobbering for link-local addresses. Found by Pyun YongHyeon.
Fix "antispoof for foo" when foo has no addresses.
ok+help dhartmei@, ok mcbride@


# 1.440 10-Feb-2004 henning

KNF


# 1.439 10-Feb-2004 henning

fix at least the worst of Cedric "KNF is for everybody but me" Berger's fuckup


# 1.438 04-Feb-2004 mcbride

Handle rules like 'pass ... proto { tcp udp icmp } ... modulate state'

ok dhartmei@ henning@


# 1.437 03-Feb-2004 henning

fix PR 3664 / jared r r spiegel
we need to save the unexpanded tag/tagged strings before entering the
expansion loop, and at each loop, start with the unexpanded tag, so that
on subsequent loops the macros are replaced with current values and not
the values from previous loop persist
ryan theo ok


# 1.436 05-Jan-2004 henning

few off by ones in strlcpy overflow check; Patrick Latifi


# 1.435 04-Jan-2004 cedric

don't ignore "!" on "binat on !foo". ok mcbride@


# 1.434 31-Dec-2003 deraadt

spacing. note this, cedric


# 1.433 31-Dec-2003 cedric

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@


# 1.432 30-Dec-2003 henning

fix TAILQ abuse.
TAILQ_REMOVE is a no-no within a TAILQ_FOREACH loop.
also free the symbol itself after removal.
all found while hacking bgpd which incorporates pfctl's sym code (macros).

ok cedric@


# 1.431 19-Dec-2003 henning

i wrote much of these, assert my copyright


# 1.430 19-Dec-2003 deraadt

assert copyright. i rewrite much of this


# 1.429 16-Dec-2003 mcbride

Check that max-src-states and max-src-nodes are not being set to 0.


# 1.428 15-Dec-2003 henning

KNF here too


# 1.427 15-Dec-2003 mcbride

Whitespace.


# 1.426 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


# 1.425 15-Dec-2003 mcbride

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@


# 1.424 29-Nov-2003 dhartmei

allow ':' (range including boundaries) to be used wherever '><' (range
excluding boundaries) is legal. already supported by kernel, requires only
removal of three error messages. ok henning@


# 1.423 22-Nov-2003 henning

daniel stumbled over a broken regress test, and it turned out that I forgot
to commit a diff from 11/6...
do not insert the "block in on ! interface" rule for antispoof statements when
the interface in question does not have any IP address, because that then
expands to
block in on ! interface all
which is obviously bad.
niklas@ found it, dhartmei@ ok, and I think some more ppl ok I don't remember


# 1.422 14-Nov-2003 henning

allow the debuglevel to be set from pf.conf (set debug)

ok cedric@


# 1.421 08-Nov-2003 mcbride

Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.

pass in proto tcp to self flags S/SA keep state (no-sync)

ok cedric@ henning@ dhartmei@


# 1.420 06-Nov-2003 henning

and fix two err() that should be errx() while being here


# 1.419 06-Nov-2003 henning

need calloc here


# 1.418 06-Nov-2003 henning

allow the label macros to be used in tags as well.
the idea is not mine and I'd love to give credit, but I cannot find the mail
any more :-((

ok canacar@ dhartmei@


# 1.417 21-Oct-2003 itojun

don't use NULL as (int)0. henning ok


# 1.416 26-Sep-2003 cedric

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remain in the kernel). Basically, improvements are:

- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fail.
- Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK

Ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_4_BASE
# 1.415 01-Sep-2003 henning

KNF


# 1.414 28-Aug-2003 kjell

This change is busted. what's worse, REGRESSION TESTS WOULD HAVE CAUGHT IT!
You MUST test network stack changes on BOTH BYTE-ORDERS.
Someone can fix this later, but right now I need to get the damn
firewall up. Grr.


# 1.413 26-Aug-2003 dhartmei

catch port/user/group a <>/>< b with a >= b, from mpech@


# 1.412 25-Aug-2003 dhartmei

catch return-rst ttl values > 255, from aaron@


# 1.411 24-Aug-2003 cedric

Tweaks:
- Make sure we allow only tables in round-robin pools for routing options,
same as what we do for translation rules.
- Don't reject rules like: "nat on sis0 -> <foo>" because
"no address family is given". This is perfectly valid.
ok henning@


# 1.410 22-Aug-2003 david

pf spelling police
ok dhartmei@ jmc@


# 1.409 21-Aug-2003 frantzen

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001


# 1.408 20-Aug-2003 henning

braindeadness police: catch queues which specify itself as child... 'nuff said


# 1.407 20-Aug-2003 henning

err out nicer on errors in queue def


# 1.406 18-Aug-2003 dhartmei

catch max-mss values > 65535, report by Gregory Steuck


# 1.405 09-Aug-2003 cedric

This patch removes the restriction that tables cannot be used in routing or
redirection rules...

The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.

This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.

Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"

ok henning@ mcbride@
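
The table semantics described in this entry, as an added example that is not part of the original log or of pfctl: a pure-Python expansion of a table initializer with negated entries and of a pool that mixes plain addresses with a <table> reference, followed by the round-robin selection over the result. The kernel keeps tables in a radix tree and uses longest-prefix matching; this script only reproduces the observable result for the case the entry describes. Function names and the sample specs are this example's own.

```python
# Added example, not code from pfctl or the OpenBSD tree: expands a pf-style
# table initializer and a mixed address/table pool, then walks the pool
# round-robin. Function names and sample specs are this example's own.
import ipaddress
from itertools import cycle


def expand_table(spec):
    """Return the sorted host addresses covered by a table initializer.

    spec is a list of strings such as ["10.0.0.0/29", "!10.0.0.0", "!10.0.0.7"].
    A leading '!' marks a negated entry: it removes its addresses from what
    the positive entries cover. Entry order does not matter.
    """
    included = set()
    excluded = set()
    for entry in spec:
        negated = entry.startswith("!")
        # A bare address becomes a /32 (or /128) network; strict=False
        # accepts host bits set in a block such as 10.0.0.1/29.
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        (excluded if negated else included).update(net)  # every address in the block
    return sorted(included - excluded)


def expand_pool(pool_spec, tables):
    """Expand a redirection/routing pool that mixes plain addresses with
    <table> references, e.g. the target of "nat on foo0 -> { 1.1.1.1 <bar> }".

    tables maps a table name to its initializer list.
    """
    addrs = []
    for entry in pool_spec:
        if entry.startswith("<") and entry.endswith(">"):
            addrs.extend(expand_table(tables[entry[1:-1]]))
        else:
            addrs.append(ipaddress.ip_address(entry))
    return addrs


def round_robin(addresses, count):
    """Return the first `count` pool selections, cycling through addresses in order."""
    if not addresses:
        raise ValueError("empty pool: every address was negated")
    return [str(addr) for addr, _ in zip(cycle(addresses), range(count))]


if __name__ == "__main__":
    # Constructed sample: the initializer quoted in the log entry above.
    foo = ["10.0.0.0/29", "!10.0.0.0", "!10.0.0.7"]
    print([str(a) for a in expand_table(foo)])
    print(round_robin(expand_table(foo), 8))
    print([str(a) for a in expand_pool(["1.1.1.1", "<bar>"], {"bar": foo})])
```

Running the script prints the six addresses .1 to .6, then eight round-robin selections that wrap back to .1 after .6, then the seven-address pool with 1.1.1.1 in front of the table's hosts. A negated entry narrower than a positive block removes those hosts, which is why 10.0.0.0 and 10.0.0.7 never appear in the pool; if every address is negated the pool is empty and round_robin() refuses to cycle over nothing.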


# 1.404 29-Jul-2003 deraadt

indent


# 1.403 19-Jul-2003 cedric

Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
instead of indirectly through struct pf_rule_addr.

Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.

Needless to say: KERNEL/USERLAND SYNC REQUIRED.

ok henning@ mcbride@


# 1.402 18-Jul-2003 cedric

Simplify handling of flags (-R, -N...). Remove PFCTL_FLAG_ALL.
ok dhartmei@


# 1.401 15-Jul-2003 cedric

Repair memory management in table parsing code.
I need vacations.
Found and verified by Pyun YongHyeon.
ok dhartmei@


# 1.400 14-Jul-2003 dhartmei

typo


# 1.399 11-Jul-2003 cedric

Better parsing and -v support for tables:

- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and bring table definition consistent with other
parsed rules.

ok dhartmei@


# 1.398 10-Jul-2003 cedric

Fix merging of host lists.
ok dhartmei@ henning@


# 1.397 04-Jul-2003 henning

KNF after cedric (grmpf)


# 1.396 04-Jul-2003 henning

allow for a "pass" modifier on translation rules:
nat pass on $ext_if from $a to $b -> $ext_if
when the pass modifier is given, the filter ruleset is _not_ evaluated but
the packets matching this translation rule are passed unconditionally.

ok dhartmei@ cedric@ markus@


# 1.395 03-Jul-2003 cedric

Bye bye atexit(), bye bye globals...
The pfctl.c part will probably need some further improvements.
ok henning@


# 1.394 03-Jul-2003 cedric

This patch finally cleans up pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@


# 1.393 19-Jun-2003 deraadt

knf


# 1.392 18-Jun-2003 henning

change expand_label_addr() to use a switch (h->addr.type) instead of
if .. else if .. else, and handle PF_ADDR_NOROUTE as well.
inspired by a comment from cedric.


# 1.391 18-Jun-2003 henning

when expanding the $srcaddr/$dstaddr label macros and the address is actually
a table reference, don't print nonsense but the table name.
found by claudio jeker, fix by me, agreement by cedric


# 1.390 09-Jun-2003 mcbride

Attempt to resolve byte order confusion in nat code once and for all.

- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pf_get_sport()

NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.


# 1.389 25-May-2003 henning

must not run check_netmask() before remove_invalid_hosts() - binat case had it
wrong for the redirection target.
reported by jared r r spiegel <jrrs@ice-nine.org>


# 1.388 19-May-2003 henning

reject invalid netmasks like 10.0.0.0/68, and fix up the netmask for
dynaddr rules after we know the address family

ok dhartmei@, inspired by a session with bob


# 1.387 19-May-2003 henning

all host() receivers have to test for NULL


# 1.386 19-May-2003 henning

if host() returns NULL, it is an error, so err the fuck out and don't
load bullshit


# 1.385 17-May-2003 henning

support inverse matching on tags like
block in ! tagged sometag

ok dhartmei@ pb@


# 1.384 16-May-2003 dhartmei

TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive end-
point, preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@


# 1.383 15-May-2003 henning

properly complain about too long tags


# 1.382 14-May-2003 frantzen

add scrub modifier "reassemble tcp" to turn on stateful TCP normalizations
ok henning@ dhartmei@


# 1.381 14-May-2003 henning

tagging on binat


# 1.380 14-May-2003 henning

enabled tagging on rdr rules


# 1.379 14-May-2003 henning

with tag/tagged given, only whine about missing keep state on pass rules


# 1.378 14-May-2003 frantzen

allow SCRUB rules to specify protocol again. broken sometime in the past.
okie dhartmei@, yay pb@


# 1.377 14-May-2003 henning

tags on nat rules:
nat on $ext_if all tag humppa -> $ext_if
pass out tagged humppa keep state


# 1.376 13-May-2003 henning

make sure tagging is only ever used with stateful filter rules


# 1.375 13-May-2003 henning

userland part for tagging.
it's now possible to tag packets with an arbitrary tag and filter based on
that tag later on other interfaces:
pass in quick on fxp0 keep state tag blah
pass out quick on wi0 keep state with tag blah
can be used to express trust between interfaces, to distinguish between
NATed connections and connections originating from the firewall itself
and much more

ok dhartmei@ frantzen@ pb@ mcbride@


# 1.374 11-May-2003 mcbride

Don't ntohs() the translation port for nat as it is already in host byte order.
Makes nat ... -> $ext_if port 500 rules work correctly again.

ok henning@ dhartemi@ frantzen@


# 1.373 10-May-2003 henning

support loading of anchors from within the main ruleset via
load anchor anchorname:rulesetname file /path/to/file

ok pb@ dhartmei@ cedric@


# 1.372 03-May-2003 henning

don't free() the char * carrying the rule label too early
noticed by Mathieu Sauve-Frankel <m.sauve at secureops.net> via silc


# 1.371 01-May-2003 henning

ease label handling

ok cedric@


# 1.370 01-May-2003 henning

allow label on antispoof; requested by Gregor Binder <gbinder at sysfive.com>

ok cedric@


# 1.369 30-Apr-2003 cedric

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@


# 1.368 25-Apr-2003 dhartmei

Properly copy the second part of nat proxy port range, when specified.
ok henning@


# 1.367 15-Apr-2003 henning

pass down the unparsed queue opts (struct node_queue_opt) to
print_altq/print_hfsc -> print_hfsc_opts and extract struct node_hfsc_sc
there for each service curve and pass those down to print_hfsc_sc. now
bandwidth specifications in the service curves are printed correctly in the
case of a queue belonging to more than one interface/parent queue, the
parent queues having different bandwidths and the bandwidth on the service
curve being specified in percent.


# 1.366 14-Apr-2003 henning

let print_altq and print_queue take a struct node_queue_bw parameter instead
of distinct bw_percent


# 1.365 13-Apr-2003 henning

KNF


# 1.364 13-Apr-2003 henning

prevent double service curve specification


# 1.363 13-Apr-2003 henning

add support for the HFSC linkshare, realtime, and upperlimit service curves
to be specified.


# 1.362 13-Apr-2003 dhartmei

unbreak (missing })


# 1.361 13-Apr-2003 henning

say bye bye to hfscflags_list and hfscflags_item
welcome hfscopts_list and hfscopts_item, returning a full struct
node_hfsc_opt instead of just an int for the flags. needed because of all
the opts hfsc knows


# 1.360 13-Apr-2003 henning

new struct node_hfsc_opts for, surprise, hfsc options. needed because they
contain bandwidth specifications and we need to carry the unprocessed bw
specs around for quite some time until we can break them down to absolute
values.


# 1.359 13-Apr-2003 henning

pass down the struct node_queue_opts from the altqif/queuespec yacc targets
to expand_altq/expand_queue -> eval_pfaltq/eval_pfqueue and
further down to the new eval_queue_opts() instead of evaluating them directly
in the yacc grammar.
this will be needed to process the hfsc options which can contain relative
bandwidth specifications, and we can't break them down to an absolute one
earlier.


# 1.358 13-Apr-2003 henning

move the structs node_queue_bw and node_queue_opt to pfctl_parser.h.
let eval_pfqueue() and eval_pfaltq() take a pointer to a struct
node_queue_bw instead of two distinct bw_absolute and bw_percent parameters.


# 1.357 13-Apr-2003 henning

move the bandwidth keyword from within the bandwidth target up to the
queue_opts target so the bandwidth parser can be used for other things too;
will be needed for hfsc's linkshare etc


# 1.356 12-Apr-2003 henning

initial support for the HFSC scheduler.
whoever uses that for more than toying around is on drugs. it's far from done.


# 1.355 11-Apr-2003 henning

KNF


# 1.354 11-Apr-2003 henning

don't set r->qid and r->pqid in expand_rule any more, queue name -> queue ID
mapping is done in kernel land now


# 1.353 07-Apr-2003 dhartmei

Catch and refuse invalid icmp codes (> 255). ok pb@, mpech@.


# 1.352 05-Apr-2003 henning

ease netmask handling a bit

input theo, ok dhartmei@


# 1.351 05-Apr-2003 henning

allow queue specs to be limited to certain interfaces.

altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two }
queue one priority 1 priq(default)
queue two on $if0 priority 15
queue two on ! $if0 priority 0

ok dhartmei@


# 1.350 05-Apr-2003 henning

whitespace KNF


# 1.349 04-Apr-2003 henning

clean up:
instead of letting the lexer interpret '<' '>' '=' '>=' '<=' and return them
as PF_OP_LT, PF_OP_GT etc etc etc in PORTUNARY, just let the lexer return
'<' '>' and '=' literally, and in the few cases where the old PORTUNARY was
really used like originally intended, replace that by a new unaryop yacc
target. in all other cases that gets rid of quite some checks whether PORTUNARY
is really < and nothing else etc etc etc.

ok cedric@ deraadt@


# 1.348 27-Mar-2003 henning

lotsa const char *
from David Hill <david at phobia.ms> a while ago


# 1.347 27-Mar-2003 henning

introduce a "yesno" target. eases code a bit and yes is no keyword any more.


# 1.346 27-Mar-2003 henning

handle invalid priq/cbq flags better and give a nice error message


# 1.345 27-Mar-2003 henning

default, borrow, ecn, red and rio are no keywords any more. use STRING and
strcmp instead.


# 1.344 27-Mar-2003 henning

switch symset/symget to TAILQ instead of using hand baked lists

ok dhartmei@ cedric@


Revision tags: OPENBSD_3_3_BASE
# 1.343 19-Mar-2003 henning

branches: 1.343.2;
kill the address token and move the host() invocation up to the host token,
so that host() always gets the full address to be parsed including the
netmask instead of applying the netmask afterwards. this could break some
edge cases and was broken since the (interface)/24 fix.
new token dynaddr for, well, dynaddr, and apply an eventually given netmask
afterwards in the host token just in this case.

found after bug report From: Julien Bordet <zejames@greyhats.org> via dhartmei

ok daniel cedric


# 1.342 10-Mar-2003 henning

correctly cope with errors returned by eval_pfqueue and pfctl_add_altq

ok dhartmei@ pb@ (as part of... you know, monsterdiff)


# 1.341 10-Mar-2003 henning

when complaining about a queue without parent, include the queue name in
the error message

ok dhartmei@ pb@ (as part of a monsterdiff)


# 1.340 09-Mar-2003 henning

cope with LOOP_THROUGH modifying the list (queues).
in case of an error in the queue def in question the queues list remains
unmodified, but the LOOP_THROUGH caused a mod anyway, and the list can stay
empty. subsequent checks for NULL which check for an empty list fail then.
fix by adding an explicit check before looping.
fixes regress pfail31
error report by Kamil Andrusz via pb@, testcase from pb@
ok dhartmei@


# 1.339 09-Mar-2003 henning

cope with the fact that LOOP_THROUGH loops once even if the list is empty by
moving the addition of child queues a bit down after the successful
addition of the current queue and an explicit NULL check before looping.
fixes regress pf59
found by kjc@
ok kjc@ cedric@ dhartmei@


# 1.338 08-Mar-2003 henning

fix the obvious:
since we do not modify the struct pf_altq *a any more but our private copy,
we can of course not inherit the scheduler type from it, since it did not
inherit the scheduler type from the parent.
so just inherit the scheduler type from the parent directly...

ok dhartmei@ cedric@


# 1.337 08-Mar-2003 henning

in expand_queue, make a private copy of the struct pf_altq before modifying
it. modifying the original one had undesired side effects if a queue was
expanded to more than one because it belonged to more than one interface

ok pb@ cedric@ dhartmei@


# 1.336 06-Mar-2003 henning

fix queue assignment on filter rules which are not bound to an interface.
when looking up the queue IDs using qname_to_qid, we do not need to limit
the matching on the interface in question, as it is guaranteed that same
named queues on different interfaces have the same queue id. moreover, we
must not limit the matches to the interface if we do not have an interface
given on the filter rule to match on ;-)

found after problems reported by Andre Nathan <andre at v2r dot com dot br>

ok dhartmei@ pb@ cedric@


# 1.335 02-Mar-2003 henning

when printing queues at load time that have bandwidth specified in percent,
print the bandwidth in percent instead of the calculated absolute value.
if a queue belongs to more than one interface and they have different
bandwidth the calculated absolute is of course different per interface.
previously the first calculated absolute value was shown; what of course is
incorrect on the second interface. note that only the print was wrong, the
correct values were passed to the kernel.

ok theo daniel


# 1.334 02-Mar-2003 henning

remove the control keyword for cbq queues.
the control class was a legacy of the original CBQ design by LBL/Sun
to support RSVP.
the control class is not used in openbsd, in the sense that
we don't automatically set filters for ICMP/IGMP/RSVP for the control
class.

ok dhartmei@ kjc@ deraadt@


# 1.333 27-Feb-2003 david

modify error message to match the same 7 sections in pf.conf(5)
ok deraadt@ henning@


# 1.332 26-Feb-2003 henning

in expand_rule, correctly set r->pqid if a priority queue was defined, and
reuse the value of r->qid if not.

ok dhartmei@ mcbride@


# 1.331 25-Feb-2003 henning

some minor KNF my fingers just did...

ok dhartmei@ cedric@


# 1.330 25-Feb-2003 cedric

repair/simplify/flexify binat userland.
ok dhartmei@ henning@


# 1.329 24-Feb-2003 henning

when a macro is redefined, don't bother with reusing the existing entry in
symset() but just prepend a new sym entry to symhead like we always did. as
symget searches the list sequentially, the newest one is picked first.
prevents an endless loop introduced when trying to reuse the existing entry
by an invalid setting for the next pointer.
fixes regress test pf57.

found after conversation with Chris Linn, celinn at mtu dot edu

ok dhartmei@ cedric@


# 1.328 21-Feb-2003 henning

re-allow set loginterface none
ok cedric@ dhartmei@


# 1.327 21-Feb-2003 henning

better error message if set loginterface is called with nonexistent
interface, found by krause (who is doing EXCELLENT work. Thank you very
much!), fix by me, ok dhartmei@ and cedric@


# 1.326 20-Feb-2003 henning

reject nonexistent interfaces in the dynaddr case, noticed during discussion
with jasondixon at myrealbox dot com

ok dhartmei@


# 1.325 19-Feb-2003 dhartmei

Make 'from (kue0)/24' work again (dynamic interface name translation with
a /prefix), reported by Jason Dixon. ok henning@


# 1.324 19-Feb-2003 henning

better error message on icmp version / address family mismatch

ok markus@


# 1.323 18-Feb-2003 henning

fix load option handling (-A, -N, -R) for options.
due to a bug in the loadopt check options were always loaded no matter which
loadopts were specified.
while being there, move the prints for that to where they belong, into the
appropriate pfctl_set_* functions, and thus only print when the options are
actually loaded.
fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier.

ok dhartmei@


# 1.322 17-Feb-2003 henning

"optarg" was a bad pick for the variable name in pfctl_cmdline_symset, it
shadows a global. rename.


# 1.321 17-Feb-2003 mpech

-#include <sys/ioctl.h>

mcbride@, dhartmei@ ok


# 1.320 16-Feb-2003 henning

unneeded {}


# 1.319 16-Feb-2003 henning

throw a syntax error if the portunary operator in varset is not '='
extif>"whatever"
should not be the same as
extif="whatever"
but a syntax error.


# 1.318 14-Feb-2003 dhartmei

Allow route-to loopback interfaces again, since Ryan fixed the loops that
might have occurred before.


# 1.317 14-Feb-2003 cedric

Better and more consistent error message.
Ok dhartmei@


# 1.316 13-Feb-2003 henning

ease the yacc a bit by using a "not" rule instead of having two rules w/ and
without '!' everywhere

ok dhartmei@


# 1.315 12-Feb-2003 henning

KNF after ryan


# 1.314 12-Feb-2003 mcbride

Simplify the code and make the parser handle the different rule types
more consistently.

- Merge expand_nat and expand_rdr into expand_rule
- Merge rdrrule token into natrule

ok concept henning@
ok dhartmei@


# 1.313 11-Feb-2003 henning

allow macro definition on the command line:
pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea
theo), very handy if your notebook has another NIC at some conference, as
well as for debugging etc.
idea rezine@mistrusted.net via pb@
hacked live at FOSDEM

ok pb@ dhartmei@ cedric@
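
The macro precedence described here and in the 1.329 entry above (a redefinition is prepended to symhead and symget scans the list from the head, so the newest definition wins), as an added example that is not pfctl's own code: a Python symbol table with the same lookup order, plus a flag that lets a command-line -D definition survive a later definition of the same name in the file. The class and method names, the persist flag and the sample definitions are this example's own.

```python
# Added example, not code from pfctl: macro table with newest-first lookup
# and command-line definitions that a file definition cannot override.
# Names, the `persist` flag and the sample definitions are this example's own.


class MacroTable:
    def __init__(self):
        # Newest definition first, like prepending a new sym to symhead.
        self._syms = []

    def symset(self, name, value, persist=False):
        """Define name=value. A new definition is prepended rather than
        edited in place, so lookup naturally finds the newest one.
        Returns False when an existing persistent (command-line)
        definition blocks the new one, True otherwise."""
        for sym in self._syms:
            if sym["name"] == name:
                if sym["persist"]:
                    return False
                break
        self._syms.insert(0, {"name": name, "value": value,
                              "persist": persist, "used": False})
        return True

    def symget(self, name):
        """Sequential scan from the head: the first hit is the newest."""
        for sym in self._syms:
            if sym["name"] == name:
                sym["used"] = True
                return sym["value"]
        return None

    def define_from_cmdline(self, arg):
        """Handle one pfctl -D argument of the form name=value."""
        name, sep, value = arg.partition("=")
        if not sep or not name:
            raise ValueError("expected name=value, got %r" % arg)
        return self.symset(name, value, persist=True)

    def unused(self):
        """Names that were defined but never expanded (what -v -v warns about)."""
        used = {s["name"] for s in self._syms if s["used"]}
        return sorted({s["name"] for s in self._syms} - used)


def load_example():
    """Constructed scenario: -Dextif=wi0 on the command line, then a pf.conf
    that defines extif and redefines lan. Returns the effective values."""
    t = MacroTable()
    t.define_from_cmdline("extif=wi0")   # pfctl -Dextif=wi0 -f /etc/pf.conf
    t.symset("extif", "fxp0")            # from the file: ignored, -D wins
    t.symset("lan", "sis0")
    t.symset("lan", "sis1")              # redefinition: newest wins
    t.symset("dmz", "sis2")              # defined but never referenced
    return {"extif": t.symget("extif"), "lan": t.symget("lan"),
            "unused": t.unused()}


if __name__ == "__main__":
    print(load_example())
```

Because the table is only ever scanned from the head and a redefinition never rewrites an existing entry's links, the endless-loop case the 1.329 entry mentions cannot arise; the shadowed older "lan" entry simply stays unreachable behind the newer one.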


# 1.312 09-Feb-2003 henning

more live code from FOSDEM:
make
pass in proto tcp to port 80
work.
-allow to omit the "any" if you're specifying a port
-allow to omit the from or to part if you want "any" for the other

ok dhartmei@ pb@


# 1.311 09-Feb-2003 henning

KNF


# 1.310 09-Feb-2003 camield

Fix a few warnings and remove unnecessary check and cast.

ok dhartmei henning


# 1.309 08-Feb-2003 dhartmei

Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@


# 1.308 05-Feb-2003 cedric

Fix "pass out dup-to (tun0 1.1.1.1) inet6 all" error message
Allow "pass out dup-to tun0 all"
ok mcbride@ henning@


# 1.307 05-Feb-2003 mcbride

Set the network mask to all 1's if no address is specified for a
route-to/dup-to/reply-to rule. Keeps round-robin from incrementing through
the entire address space.

ok dhartmei@


# 1.306 03-Feb-2003 deraadt

pretty


# 1.305 03-Feb-2003 dhartmei

Don't allow loopback interfaces as route/reply/dup-to targets. ok henning@


# 1.304 03-Feb-2003 cedric

remove loadopt global definition and cleanup a bit.
ok henning@


# 1.303 03-Feb-2003 henning

fix a problem with queue definitions when load options (like -N etc) are
given; they used to check for their parent interface/queue even in this
case.

ok dhartmei@ cedric@


# 1.302 02-Feb-2003 henning

there is no need to pass opts to parse_rules explicitely; it's passed as
part of the struct pfctl.


# 1.301 27-Jan-2003 deraadt

KNF


# 1.300 25-Jan-2003 mcbride

Match changes for rdr port ranges made to pf.c:
- fixes behaviour of rdr on le0 from foo to bar port 1:20 -> (lo0) port 22
- makes calculated mapping more explicit for the -> (lo0) port 22:* case

testing from dhartmei@

ok dhartmei@


# 1.299 25-Jan-2003 cedric

Fix NOACTION with table statements.


# 1.298 25-Jan-2003 cedric

Permit initialisation of a table content from a file in pf.conf.
Cleaning up of the table options parsing, more flexible.
idea+cleanup deraadt@, ok dhartmei@, pass all regress tests.


# 1.297 25-Jan-2003 cedric

Correctly check illegal constructs with tables. Better error messages.
ok dhartmei@ pass all regress tests.


# 1.296 25-Jan-2003 henning

if a table name is too long, it's actually nice to tell so instead of just
aborting with a syntax error


# 1.295 20-Jan-2003 camield

Remove unused argument from print_name() and fix two other nits
found by lint.

ok henning


# 1.294 19-Jan-2003 camield

Spin off label string expansion into a separate function. Clarifies
and tightens all expand_label functions.

ok dhartmei henning


# 1.293 18-Jan-2003 henning

KNF after ryan...


# 1.292 18-Jan-2003 mcbride

Add missing token string and assignment to make static-port work for real.

Diff and report courtesy of mpech@ and form@

ok dhartmei@


# 1.291 17-Jan-2003 camield

bandwith -> bandwidth

YYERROR on failed parseicmpspec()

ok dhartmei mcbride henning


# 1.290 15-Jan-2003 mpech

Typo in yyerror().

henning@


# 1.289 14-Jan-2003 henning

unified IP parser:
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h]
-extend host() to handle /mask itself, plus minor adjustments
-use that in pfctl_table.c instead of coding the same shit again

discussed w/ cedric@
ok cedric@ dhartmei@


# 1.288 13-Jan-2003 camield

err() on all memory allocation failures

ok henning dhartmei


# 1.287 11-Jan-2003 mcbride

Whitespace KNF


# 1.286 09-Jan-2003 henning

no need for explicit numbering in enums

ok dhartmei@


# 1.285 09-Jan-2003 dhartmei

Check return values on the remaining strlcpy/strlcat. ok henning@


# 1.284 09-Jan-2003 henning

minor KNF


# 1.283 09-Jan-2003 cedric

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@


# 1.282 08-Jan-2003 deraadt

check more strlcpy; camield@


# 1.281 07-Jan-2003 dhartmei

Allow underscore at the beginning of strings, fixes
pass all user _spamd
which was refused as syntax error before. Reported by Joe Nall.
ok henning@


# 1.280 07-Jan-2003 dhartmei

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@


# 1.279 06-Jan-2003 mcbride

Fix some oversights with address pools for route-to/dup-to/reply-to
- copy key for src-hash
- copy pool type (pools were being set to round-robin in all cases)

+ some minor knf.

ok dhartmei@


# 1.278 05-Jan-2003 henning

err after calloc failure, not errx


# 1.277 05-Jan-2003 dhartmei

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@


# 1.276 04-Jan-2003 dhartmei

move noroute from flag in pf_rule_addr into type in pf_addr_wrap.
ok henning@, mcbride@


# 1.275 04-Jan-2003 deraadt

I do not know where this policy of "one .h file for every .c file" comes
from, but whoever thought of it is stupid.


# 1.274 03-Jan-2003 dhartmei

whitespace KNF (no, i don't touch the option inits)


# 1.273 03-Jan-2003 cedric

Bring in userland code for accessing PF radix tables.
ok dhartmei@ mcbride@


# 1.272 02-Jan-2003 mcbride

Require a direction to be specified for rules which do routing.

ok dhartmei@ henning@


# 1.271 30-Dec-2002 mcbride

Change ipv6-icmp-type to icmp6-type. pf.conf files will need to be adjusted
to reflect this.

ok dhartmei@ henning@


# 1.270 27-Dec-2002 mcbride

Since pf_norm.c looks at rule.log to see if it should log packets being
dropped due to scrub violations, this adds the ability to set this in
pf.conf.

ok henning@


# 1.269 21-Dec-2002 henning

always initialize rpool.key; diff from Frank Denis; KNF by me


# 1.268 21-Dec-2002 henning

KNF


# 1.267 20-Dec-2002 dhartmei

remove a redundant assignment.


# 1.266 19-Dec-2002 dhartmei

fix 'no rdr'.


# 1.265 18-Dec-2002 henning

more KNF


# 1.264 18-Dec-2002 dhartmei

proto list expansion is not supported in binat-anchor yet, print an error
when attempted.


# 1.263 18-Dec-2002 dhartmei

Support (single) destination port in rdr-anchor rules. Print an error
where parameters are not supported (in rdr-anchor and binat-anchor) yet.
If those are needed, we'll have to expand them properly.


# 1.262 18-Dec-2002 deraadt

fix some INCREDIBLE new bugs which were introduced


# 1.261 17-Dec-2002 henning

add support for the PRIQ scheduler

partially from kjc@

ok kjc@ dhartmei@


# 1.260 17-Dec-2002 mcbride

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule

ok dhartmei@ henning@


# 1.259 17-Dec-2002 henning

missing break in switch


# 1.258 17-Dec-2002 henning

beautify the %type block


# 1.257 17-Dec-2002 henning

PRIQ and HFSC support functions, not yet used.
mostly from kjc@ with adjustments by me.

ok theo ryan daniel


# 1.256 16-Dec-2002 henning

only create a root queue if scheduler = cbq


# 1.255 16-Dec-2002 henning

get full [scheduler]_opts struct instead of just .flags, and wrap in into a
switch (scheduler) statement in one case

inspired by kjc@


# 1.254 13-Dec-2002 henning

allow a second queue for higher prioritized (currently: tos=lowdelay) packets
to be specified per rule

queue (qname, priorized_qname)

idea dhartmei
ok dhartmei@ frantzen@ deraadt@


# 1.253 13-Dec-2002 henning

a bit KNF originally part of another diff soon to come; frantzen@ correctly
pointed out that should be a separate commit.


# 1.252 13-Dec-2002 deraadt

permit re-ordering of some scrub parameters, and also clean up some other
grammar baloney; henning ok


# 1.251 12-Dec-2002 henning

KNF


# 1.250 12-Dec-2002 henning

we don't need to keep a private copy of the queue name in expand_rule,
r->qname is never modified

discussed with dhartmei@


# 1.249 11-Dec-2002 mcbride

Replace strncpy + ugly pointer math with sscanf for reading source-hash keys

ok dhartmei@ henning@


# 1.248 09-Dec-2002 dhartmei

(properly guarded) strcpy() -> strlcpy()


# 1.247 09-Dec-2002 deraadt

do not allow redefinitions in variable option blocks; henning ok


# 1.246 08-Dec-2002 henning

strncpy is evil.


# 1.245 08-Dec-2002 henning

allow flexible options order like Theo did for rules.

idea, lots of input, motivation and ok deraadt@

ATTENTION:
this changes the syntax. the "scheduler" keyword is gone now.
old: altq on $interface scheduler cbq ...
new: altq on $interface cbq ...


# 1.244 07-Dec-2002 dhartmei

Support parameters in anchor rules. Allows conditional evaluation, like:

anchor spews inet proto tcp from any to any port smtp

ok deraadt


# 1.243 07-Dec-2002 henning

more KNF


# 1.242 07-Dec-2002 henning

KNF


# 1.241 07-Dec-2002 henning

shadow cleanup

ok mcbride@ frantzen@


# 1.240 07-Dec-2002 henning

kill an unused param to lungetc


# 1.239 07-Dec-2002 mcbride

Convert the hash of a string key to network byte order. Makes regression
work on all platforms.

Bug found by dhartmei@

ok dhartmei@ henning@


# 1.238 06-Dec-2002 dhartmei

Remove negated address list check again, doesn't work right yet.


# 1.237 06-Dec-2002 dhartmei

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@


# 1.236 05-Dec-2002 henning

fix a small cosmetic problem. if ifa_lookup was called in LOOKUP_NET mode,
it would return things like 127.0.0.1/8. when 127.0.0.1/8 is passed through
the new selftests, it becomes 127.0.0.0/8.
fix: instead of just copying addr.mask in ifa_lookup, use set_ipmask, so it
is 127.0.0.0/8 from the beginning on.


# 1.235 05-Dec-2002 henning

-quote varset in -v output
-don't add 's' in set timeout -v output

makes the feedback regression tests succeed.

ok markus@ mcbride@


# 1.234 04-Dec-2002 henning

in host(), apply a given netmask to all members of the node_host list
returned by ifa_lookup().

reported by Alejandro G. Belluscio

ok dhartmei@


# 1.233 04-Dec-2002 deraadt

do not warn for unused variables except with -v -v; henning ok


# 1.232 02-Dec-2002 henning

KNF


# 1.231 02-Dec-2002 deraadt

permit more flexible pass/block lines. the options given at the end of
a line can now be placed in any order, and some merging of duplicate options
is also done. this is easier to use.


# 1.230 02-Dec-2002 henning

allow for "altq on $interface" without specifying a bandwidth. The
interface's bandwidth is taken then.
as a side-effect, "altq on $interface bandwidth xx%" is also possible now,
it's relative to the interface's bandwidth then.

ok theo


# 1.229 30-Nov-2002 mickey

move damn unmask() proto into place as well


# 1.228 29-Nov-2002 henning

coredumps are not nice.
deal with the fact that when we are merging the lists in host_list both can
be NULL.
found at EuroBSDCon 2002 while I was explaining the expansion process to
Paul de Weerd

ok dhartmei@


# 1.227 29-Nov-2002 henning

print queuespec only once in verbose mode, even if referenced more often


# 1.226 29-Nov-2002 henning

FREE_LIST nqueues later; can be used more than once


# 1.225 28-Nov-2002 henning

allow qlimit on altq spec


# 1.224 28-Nov-2002 mcbride

- Adjust to match replacement of md5 with pf_hash
- Allow keys to be specified in hex (must be 128 bits, mainly to make
pfctl -v output parseable by pfctl) or as a string. Randomly generate key
if one is not specified.

Suggestions and fixes from camield@

ok mickey@ camield@ henning@


# 1.223 27-Nov-2002 henning

handle the "no bandwidth specified" case earlier and easier.


# 1.222 27-Nov-2002 henning

-use a #define for default qlimit instead of hardcoding it
-print qlimit in print_queue if it is not the default one
-assign the default qlimit early in the parser instead of using 0


# 1.221 27-Nov-2002 henning

next round in print fixes:
-only print priority if it is not equal to the default one
-space handling overhaul


# 1.220 27-Nov-2002 henning

use a #define for default priority instead of hardcoding it


# 1.219 27-Nov-2002 henning

fix tbrsize spec


# 1.218 27-Nov-2002 henning

fix error message for altq ifspec without child queues


# 1.217 26-Nov-2002 henning

make bandwidth specification on queue truly optional


# 1.216 26-Nov-2002 henning

queue comes before NAT


# 1.215 25-Nov-2002 henning

repair decide_address_family
you cannot just take the first address family you meet as rule's address
family... either all are equal, or the rule has no explicit AF.

found by danh@
ok theo


# 1.214 25-Nov-2002 mickey

for loN and link1 translate the iface into address properly; henning@ ok


# 1.213 25-Nov-2002 henning

1Kb = 1000b, not 1024; as discussed with kjc@ and theo


# 1.212 25-Nov-2002 henning

KNF


# 1.211 24-Nov-2002 pb

enforce that queue comes right before filtering
'options, normalization, translation, queue, filter' now

henning@ ok


# 1.210 24-Nov-2002 dhartmei

Cosmetics and removal of a redundant code block.


# 1.209 23-Nov-2002 deraadt

sigh


# 1.208 23-Nov-2002 henning

KNF


# 1.207 23-Nov-2002 henning

better error checking in expand_queue


# 1.206 23-Nov-2002 henning

easier


# 1.205 23-Nov-2002 mcbride

Daniel's diff to untangle my mess with ifa_pick_ips like so:

- add decide_address_family() which runs through the list to find hosts
with the af set
- replace ifa_pick_ips with remove_invalid_hosts() which removes hosts with
the wrong address family from the list

from/ok dhartmei@


# 1.204 23-Nov-2002 henning

better error checking, round 1
this time in expand_altq


# 1.203 23-Nov-2002 henning

KNF


# 1.202 23-Nov-2002 deraadt

KNF


# 1.201 23-Nov-2002 dhartmei

$$->ifname is NULL, leave it NULL, don't $$->ifname[0] = 0;


# 1.200 23-Nov-2002 mcbride

Fix brokenness in parse.y, clean up:
- remove requirement for ( ) in route-to ( if )
- calloc route_host
- initialise route_host->next
- globally convert malloc to calloc

ok dhartmei@


# 1.199 23-Nov-2002 mcbride

code to support loading of pf rules with multiple redirection addresses
(in nat, rdr, route-to, dup-to and reply-to)

Syntax looks like this, see pf.conf(5) for details:

nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
192.168.0.16/29 source-hash random

rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
{ 192.168.0.8/31, 192.168.0.15 } port 22 round-robin

ok dhartmei@ henning@


# 1.198 22-Nov-2002 henning

print altq and queue lines in the pfctl -v case including the child queue
assignment


# 1.197 19-Nov-2002 henning

only take cbq opts from schedtype if type=CBQ


# 1.196 19-Nov-2002 henning

repair queuespec syntax glitch, theo agrees


# 1.195 19-Nov-2002 henning

default priority is 1, not 0
found by pb@


# 1.194 19-Nov-2002 camield

- match 'Gb' case-sensitively
- match "%" unit only, not "%crap"

ok henning@


# 1.193 19-Nov-2002 wilfried

icmp-type was off by one, ok henning@


# 1.192 18-Nov-2002 deraadt

no; do not use };


# 1.191 18-Nov-2002 henning

more using strl* return values instead of strlen calls


# 1.190 18-Nov-2002 henning

easier "queue name too long" detection; from theo


# 1.189 18-Nov-2002 deraadt

KNF


# 1.188 18-Nov-2002 deraadt

KNF


# 1.187 18-Nov-2002 henning

altq and pf merged

this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documentation yet, but committing now
enables a few more people to work on.

print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.

"commit now" theo philipp daniel


# 1.186 13-Nov-2002 henning

as scrub rules end up in a struct pf_rule just call expand_rule instead of
handcrufting this.
has quite a few positive side effects:
-interface list expansion works (fries@ asked for that)
-can specify address family, very helpful with dynamic interface expansion
(pointed out by daniel)
-src/dst ip/port list expansion works
-fixes a long standing, scary, though never noticed bug:
scrub out on lo1 from any to 10.0.0.1
expanded to
scrub out on lo1 all
... this bug was there from day #1.

"sneaky diff of the month award" dhartmei@


# 1.185 13-Nov-2002 dhartmei

Add label macro $if, as we support {} list expansion for interfaces now.
From David Gwynne. ok henning@, camield@


# 1.184 13-Nov-2002 dhartmei

Initialize tail pointer to node, found by fries@


# 1.183 08-Nov-2002 henning

init buf to NULL just in case...
there isn't a single codepath where it can remain uninitialized, but this
might prevent a stupid bug if we change something later


# 1.182 07-Nov-2002 henning

move the ifa_exists block a bit up in host()
inspired by mpech@ pointing out a missing free(buf). so handle the
it-is-an-interface case where we don't need the buf before allocating memory.


# 1.181 04-Nov-2002 henning

welcome to CIDR world, pfctl!

use inet_net_pton to parse IP addresses.
stuff like
block in from 10/8 to any
works now.

some input camield@ and dhartmei@

ok dhartmei@, camield@, mcbride@


# 1.180 02-Nov-2002 dhartmei

%i -> %d, matches the style of existing code, from millert@


# 1.179 02-Nov-2002 dhartmei

printf int with %i, not %u. from pilot@monkey.org.


# 1.178 30-Oct-2002 henning

simplify


# 1.177 30-Oct-2002 henning

fix interface expansion. since the reversed list expansion code was
committed this was broken, only the first IP address was returned.

pointed out by danh@, who sent an excellent bug report.

ok dhartmei@


# 1.176 29-Oct-2002 henning

introduce
set require-order [yes|no]
default is yes.
with set to "no", it isn't required to have the rules in order (options,
scrub, nat, filter) any more, though of course NATing still happens before
filtering and so on, so one has to take care.

ok camield@ mcbride@ dhartmei@
idea discussed with a whole lotta more people and basically ok for everyone ;-)


# 1.175 27-Oct-2002 henning

remove the "flags X" syntax.
noone who wrote "flags S" meant that, but actually something like "flags
S/SA". with "flags S" changing its actual meaning as more flags got
supported, things got worse.

ok dhartmei@, pb@


# 1.174 22-Oct-2002 mpech

%ul -> %lu

dhartmei@ ok


# 1.173 22-Oct-2002 mcbride

More conversion of "int af" and "u_int8_t af" declarations and function
arguments to the more correct and descriptive "sa_family_t af"

ok dhartmei@ henning@


# 1.172 22-Oct-2002 camield

Rename ipmask to set_ipmask and add some functionality: the netmask
is applied immediately to the address.

This way, the parsed rules output shows exactly which bits of an
address are significant for a match and errors due to wrong netmasks
can be spotted more easily.

Example:
$ pfctl -nvf -
pass in on lo0 from 172.17.0.0/12 to any
@0 pass in on lo0 inet from 172.16.0.0/12 to any

idea refined by dhartmei@
ok frantzen@ henning@


# 1.171 17-Oct-2002 mcbride

These checks are also made in nat_consistent() and rdr_consistent().

ok dhartmei@ henning@


# 1.170 17-Oct-2002 camield

- accept all protocols that are specified by number if they are in
the valid range (also when they're not listed in /etc/protocols)
- explicitly disallow protocol number 0, because it has special meaning
to pf

ok dhartmei@ henning@


# 1.169 16-Oct-2002 mpech

Fix and improve binat mask comparison.

dhartmei@, henning@ ok


# 1.168 14-Oct-2002 henning

Allow one to specify a netblock in a binat rule:

binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27

Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.

from ryan

ok dhartmei@

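An added example, not pfctl's own code, of the netmask handling the 1.172 and 1.168 messages above describe: masking the address at parse time the way set_ipmask does (so a wrong netmask such as 172.17.0.0/12 becomes visible), and netblock binat, which combines the network part of the redirect block with the host part of the source address. IPv4 only; the function names and the host-order uint32_t representation are my choices.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative helpers (not pfctl's own code); IPv4 in host byte order. */

/* Mask for a /bits prefix; shifting a 32-bit value by 32 is undefined, so /0 is special-cased. */
static uint32_t
prefix_mask(int bits)
{
	return bits == 0 ? 0 : (uint32_t)(0xffffffffu << (32 - bits));
}

static int
parse_v4(const char *s, uint32_t *addr)
{
	struct in_addr in;

	if (inet_pton(AF_INET, s, &in) != 1)
		return -1;
	*addr = ntohl(in.s_addr);
	return 0;
}

static void
format_v4(uint32_t addr, char *out, size_t outlen)
{
	struct in_addr in;

	in.s_addr = htonl(addr);
	inet_ntop(AF_INET, &in, out, outlen);
}

/*
 * set_ipmask-style (1.172): apply the netmask to the address right away and
 * write the result to out.  Returns 1 if host bits had to be cleared (the
 * netmask is probably wrong, as with 172.17.0.0/12), 0 if the address already
 * was a network address, -1 on bad input.
 */
int
apply_netmask(const char *addr_str, int bits, char *out, size_t outlen)
{
	uint32_t addr, mask;

	if (bits < 0 || bits > 32 || parse_v4(addr_str, &addr) == -1)
		return -1;
	mask = prefix_mask(bits);
	format_v4(addr & mask, out, outlen);
	return (addr & ~mask) != 0;
}

/*
 * Netblock binat (1.168): both sides share one prefix length, and the
 * translated address is the network part of the redirect block combined with
 * the host part of the packet's source address.  Returns 0 and writes the
 * translated address, 1 if the packet source lies outside the source
 * netblock (rule does not apply), -1 on bad input.
 */
int
binat_translate(const char *src_net, const char *rdr_net, int bits,
    const char *pkt_src, char *out, size_t outlen)
{
	uint32_t s, r, p, mask;

	if (bits < 0 || bits > 32)
		return -1;
	if (parse_v4(src_net, &s) == -1 || parse_v4(rdr_net, &r) == -1 ||
	    parse_v4(pkt_src, &p) == -1)
		return -1;
	mask = prefix_mask(bits);
	if ((p & mask) != (s & mask))
		return 1;
	format_v4((r & mask) | (p & ~mask), out, outlen);
	return 0;
}

int
main(void)
{
	char buf[INET_ADDRSTRLEN];
	int rv;

	/* the 1.172 example: 172.17.0.0/12 really is 172.16.0.0/12 */
	rv = apply_netmask("172.17.0.0", 12, buf, sizeof(buf));
	printf("172.17.0.0/12 -> %s/12%s\n", buf,
	    rv == 1 ? " (host bits dropped)" : "");

	/* the 1.168 binat rule, applied to one host inside the block */
	if (binat_translate("192.168.0.32", "10.0.7.128", 27, "192.168.0.40",
	    buf, sizeof(buf)) == 0)
		printf("192.168.0.40 -> %s\n", buf);
	return 0;
}
```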

# 1.167 11-Oct-2002 camield

When a macro cannot be expanded because it is not defined, say so. Also warn
about unused macros.

ok dhartmei@ henning@


# 1.166 11-Oct-2002 camield

In lgetc(), compress strings of whitespace to a single space. This makes
macros come out right in verbose mode and is less functional overhead.

Also err on whitespace after a backslash. That type of error is hard to
find otherwise.

ok dhartmei@ henning@


# 1.165 08-Oct-2002 vincent

remove <0 checks on unsigned numbers.

ok henning@


# 1.164 07-Oct-2002 dhartmei

-Wsign-compare clean


# 1.163 07-Oct-2002 dhartmei

Two cases of const-correctness and make one global local.


# 1.162 07-Oct-2002 henning

set block-policy [drop|return]
drop is default, same behaviour as before

support
block drop
to override a return policy


# 1.161 07-Oct-2002 henning

support a generic return
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else

ok dhartmei@


# 1.160 07-Oct-2002 henning

make return-icmp work for rules covering both v4 and v6
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)

ok and some input dhartmei@


# 1.159 07-Oct-2002 henning

use a new rule_flag PFRULE_RETURNICMP to decide whether to return-icmp or not
instead of just testing return_icmp > 0

ok dhartmei@


# 1.158 07-Oct-2002 dhartmei

Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.


# 1.157 06-Oct-2002 dhartmei

Move CHECK_ROOT into LOOP_THROUGH, gets rid of one macro and saves
several lines, no functional difference. From Camiel Dobbelaar.


# 1.156 05-Oct-2002 dhartmei

Expand {} lists from left to right, so 'pass in from { a, b } to any'
becomes '@0 pass in from a to any @1 pass in from b to any' instead of
the other way around. Patch from Camiel Dobbelaar.


# 1.155 05-Oct-2002 dhartmei

Allow filtering based on IP header's tos field.


Revision tags: OPENBSD_3_2_BASE
# 1.154 22-Sep-2002 henning

little KNF: return(something) -> return (something)


# 1.153 22-Sep-2002 henning

fix linenumber counting in findeol, and simplify by ignoring the \ case,
that's already handled earlier.
fast-forward on erroneous lines

partially from camield@, parts result of a discussion with Mike

ok frantzen@ dhartmei@


# 1.152 22-Sep-2002 henning

antispoof, take 2.
also block incoming packets with our own IP as src.

discussion & help frantzen

ok ho@ dhartmei@ frantzen@


# 1.151 17-Sep-2002 henning

easier "self" implementation.
no functional changes

ok pb@


# 1.150 15-Sep-2002 henning

set a netmask in the dynaddr case
noticed by <han@mijncomputer.nl>

ok pb@


# 1.149 14-Sep-2002 henning

bit more clue in rdr/nat rules wrt address family examination
don't take the af from host_node structs based on interface lookups, most
interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will
at least have one IP address specified from which we take the af for the
whole rule. The rare exceptional cases require the user to specify the af.

ok frantzen@


# 1.148 12-Sep-2002 henning

check for calloc() failure; ho@


# 1.147 12-Sep-2002 henning

antispoof [log] [quick] for [interface|interface_list] [af]

e. g.

antispoof log quick for { dc0, dc1 } inet

docs & regress coming

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@
IPv6 help itojun@

finally, a long story finds its happy end here.


# 1.146 12-Sep-2002 henning

rework netmask handling:
-don't set netmask in host token handler
-clear netmask in ipmask() proper before setting it
-in ifa_load(), also store interface's netmask and broadcast address
-allow ifa_lookup() to return either the interface's IP address(es), network(s)
or broadcast address(es) - not used anywhere yet. This implies that
ifa_lookup() also returns the netmask now.
-host() returns netmasks, too

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@


# 1.145 08-Sep-2002 henning

be more clueful wrt address family in nat/rdr rules.
behaviour noticed by Paul de Weerd, thanks!

ok dhartmei@


# 1.144 02-Sep-2002 dhartmei

Fix parsing of port ranges in translation rules (port a:b -> port c:d).
ok henning@


# 1.143 02-Sep-2002 dhartmei

Make sure the interface specified with route-to/dup-to/fastroute exists
and null-terminate the interface name. Found by Michael Wallis.
ok henning@


# 1.142 20-Aug-2002 dhartmei

Increase lineno on newlines inside multi-line macro definitions, otherwise
errors on subsequent lines are reported with wrong line numbers.
From Paul B. Henson.


# 1.141 16-Aug-2002 henning

kill duplicated check for '(' and ')' in allowed_in_string


# 1.140 12-Aug-2002 dhartmei

Catch null pointer deref (segfault), from wilfried@


# 1.139 06-Aug-2002 henning

missing free(), mpech@
ok pb@


# 1.138 06-Aug-2002 henning

check for strdup() allocation errors

pointed out by mpech@
ok pb@


# 1.137 31-Jul-2002 henning

KNF, esp. missing prototypes


# 1.136 30-Jul-2002 henning

grmpf.
in some cases, on non-tcp rules flags weren't reset. cosmetic-only
problem. but, well, checking for r->flags and r->flagset if we could have
assigned them zero just one round ago is just stupid, and it's not needed to
check them at all.

ok pb@, dhartmei@


# 1.135 30-Jul-2002 henning

allow to specify flags on all rules that include tcp.

these are valid:

pass in from any to any flags S
pass in proto { tcp, udp, icmp } from any to any flags S
pass in proto tcp from any to any flags S

these are invalid:

pass in proto { udp, icmp } from any to any flags S
pass in proto udp from any to any flags S

ok "I've lost my slacker status for at least a week" frantzen@
ok pb@, dhartmei@, deraadt@


# 1.134 26-Jul-2002 henning

make the order of log and quick irrelevant. now both
block in log quick all
and
block in quick log all
work.

ok dhartmei@, deraadt@


# 1.133 23-Jul-2002 henning

timeout_list/_spec and limit_list/_spec don't return anything -> no %type.

ok theo


# 1.132 21-Jul-2002 deraadt

fix route-to also


# 1.131 21-Jul-2002 deraadt

make the , optional in many places. This makes string concat a lot more
useful. Now you can
in = ssh domain www
out = $in ftp finger
pass in proto tcp from any to any port { $in }
pass out proto tcp from any to any port { $out }
a poor example, but the idea is obvious


# 1.130 21-Jul-2002 deraadt

string concat, ie.
a=a b
c=$a $a


# 1.129 20-Jul-2002 deraadt

minor indent tweaks


# 1.128 20-Jul-2002 deraadt

properly split yacc and lex use


# 1.127 19-Jul-2002 deraadt

minor tweaks, sigh


# 1.126 19-Jul-2002 dhartmei

And back out the last change again.


# 1.125 19-Jul-2002 henning

rework the interface lookup routines internals.
less and easier code than before.
no functional changes.

ok frantzen@, dhartmei@


# 1.124 19-Jul-2002 dhartmei

Support # comments at the end of lines and inside (multi-line) string
literals, so you can do things like

macro="{ foo, # first entry
bar, # second entry
baz }" # last entry

or

pass in on $ext_if \ # external interface
proto tcp \ # TCP connections
from any to $ext_if \ # to the gateway itself
keep state

And sneaking in two minor fixes for KNF.


# 1.123 19-Jul-2002 henning

deal with the fact that the struct node_host ifa_pick_ip gets is not always
the result of an interface expansion. in this case ifa_pick_ip does an
address family check (that's actually a (wanted) side effect). Thus, we need
to spit out a meaningful error message in case of a mismatch.
also adjust all the other error messages, they were also assuming that nh is
the result of an interface expansion.
after a looooong discussion on icb (dhartmei@, pb@, me) we agreed on the term
"translation address" for that.

okay dhartmei@


# 1.122 17-Jul-2002 henning

support "self" as address. self expands to all IPv4 and IPv6 addresses of
the machine, on all interfaces. I wanted
block in log on ! lo0 from any to self
for years, and now it's possible.

ok "I may lose my slacking status if I OK it" frantzen@
ok dhartmei@

documentation in pf.conf.5 to come with pb@'s rewrite


# 1.121 16-Jul-2002 dhartmei

Add nat_consistent() and rdr_consistent() for checks that should occur
after rule expansion, similar to rule_consistent(). Fixes the
non-effective test for rdr rules for non-TCP/UDP protocols with ports,
found by mpech@, ok frantzen@


# 1.120 15-Jul-2002 henning

add support for
pass|block on ! $interface ...

ok dhartmei@

will be documented in pf.conf(5) by "I'm not slacking!" pb@ who's currently
reworking this manpage


# 1.119 15-Jul-2002 pb

cosmetics/consolidations to manpage in yyerror()s

ok henning@, dhartmei@


# 1.118 15-Jul-2002 henning

o complain about keep state on block rules
o complain about return-rst on rules which aren't limited to tcp

pointed out by not-slacking-but-testing pb@

ok pb@, dhartmei@


# 1.117 13-Jul-2002 henning

add list expansion for interface and proto in nat rules and for proto in rdr
rules (interface was already there). since the nat.conf/pf.conf merge the
parser accepted these but didn't expand them. ugh.

ok dhartmei@


# 1.116 09-Jul-2002 itojun

check sin6_scope_id field, just in case we change the routing socket API
for scoped address (unlikely due to the deployed codebase...).


# 1.115 09-Jul-2002 itojun

getifaddrs(3) grabs link-local addrs in kernel internal form, convert them
into proper sockaddr_in6.


# 1.114 09-Jul-2002 henning

rework the interface-to-IP routines.

you can use interface names instead of an IP in most places. However, until
now, it was only expanded to the interface's first IPv4 address if existent
(and address family unset or inet) and the first IPv6 address otherwise.

this diff changes that. the interface is properly expanded to all IPs, IPv4
_and_ IPv6, now.

it also cleans up the lookup procedures (well, in fact, they are replaced by
a new one), there's no need for different procedures for IPv4 and IPv6. we
now just have one list of interfaces (AF_LINK) and one list with IPs
(AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and
ifa_lookup.

nat, rdr & friends now use the new function ifa_pick_ip to get the IP in
rules like

nat on $interface from $whatever to any -> $interface

ifa_pick_ip tries to be smart.
if the interface has only one IP address and the nat rule doesn't specify an
address family (or it matches with this address), take this one.
If the address family is specified in the nat rule and there is only one IP
for the given address family, this one is used. if the address family is not
specified and there is more than one IP pfctl throws an error. The same
applies for multiple IPs per address family.

This causes regression tests 18 and 20 to fail because the address family
isn't specified there; diff for those coming.

also fix some prototypes while I'm here.

pb@ found another problem while testing that we must have introduced somewhat
after 3.1.

$cat t
nat on ne3 from any to any -> 213.128.133.5
$pfctl -nvf t
nat on ne3 all -> ?

it's only a representation bug as far as I've checked, nonetheless it should
be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just
steal its target's IP af and set the rule's af accordingly. then inet_ntop
does play nice.
binat rules already enforce having an address family set always and thus are
not affected.

ok dhartmei@, pb@, kjell@
"It looks good" frantzen@

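An added example, not pfctl's own code, of the ifa_pick_ip decision procedure the 1.114 message above describes, including setting the rule's address family from the chosen address; the struct, enum and sample address list are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Illustrative stand-ins, not pfctl's own structures: one entry per address
 * that an interface lookup would return. */
struct ifaddr_entry {
	int		 af;	/* AF_INET or AF_INET6 */
	const char	*addr;	/* printable form, for the example only */
};

enum pick_result {
	PICK_OK = 0,
	PICK_NO_ADDRESS,	/* no address of the requested family */
	PICK_AMBIGUOUS		/* several candidates: pfctl refuses the rule */
};

/*
 * Decision procedure from the 1.114 message.  *rule_af is the rule's address
 * family, 0 when the rule names none ("inet"/"inet6" absent).  With af 0
 * every address is a candidate, otherwise only those of that family; exactly
 * one candidate must remain.  On success *chosen is set and *rule_af takes
 * the chosen address's family, which is what lets inet_ntop print the target
 * instead of "?" (the representation bug in the same message).
 */
enum pick_result
ifa_pick_ip(const struct ifaddr_entry *list, size_t n, int *rule_af,
    const struct ifaddr_entry **chosen)
{
	const struct ifaddr_entry *found = NULL;
	size_t i, candidates = 0;

	*chosen = NULL;
	for (i = 0; i < n; i++) {
		if (*rule_af != 0 && list[i].af != *rule_af)
			continue;
		candidates++;
		found = &list[i];
	}
	if (candidates == 0)
		return PICK_NO_ADDRESS;
	if (candidates > 1)
		return PICK_AMBIGUOUS;
	*chosen = found;
	*rule_af = found->af;
	return PICK_OK;
}

/* Constructed sample interface with one IPv4 and one IPv6 address. */
const struct ifaddr_entry dual_stack[] = {
	{ AF_INET,  "213.128.133.5" },
	{ AF_INET6, "2001:db8::5" },
};
const size_t dual_stack_n = sizeof(dual_stack) / sizeof(dual_stack[0]);

int
main(void)
{
	const struct ifaddr_entry *e;
	int af;

	/* "nat on ne3 from any to any -> ne3" without a family: two candidates */
	af = 0;
	if (ifa_pick_ip(dual_stack, dual_stack_n, &af, &e) == PICK_AMBIGUOUS)
		printf("translation address is ambiguous, specify inet or inet6\n");

	/* the same rule with "inet": exactly one candidate, af fixed to AF_INET */
	af = AF_INET;
	if (ifa_pick_ip(dual_stack, dual_stack_n, &af, &e) == PICK_OK)
		printf("-> %s (af %d)\n", e->addr, af);
	return 0;
}
```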

# 1.113 08-Jul-2002 dhartmei

Don't allow 'flags' option in non-TCP rules, found by mpech@


# 1.112 05-Jul-2002 henning

unbreak.


# 1.111 05-Jul-2002 henning

another small bug I found while installing a -current pf firewall.
we don't support

pass/block in on ! <interface>

(at least, not yet)
let the parser complain instead of ignoring the '!'

ok pb@, dhartmei@


# 1.110 01-Jul-2002 espie

streamline parse buffer handling (no need to copy value that is not
going to go away).

add explicit pushback buffer, to be able to push IPv6 failed parses back.

handle pushback + parse buffer interactions by using negative indices.

okay dhartmei@, deraadt@


# 1.109 01-Jul-2002 deraadt

KNF


# 1.108 28-Jun-2002 dhartmei

Don't check for address family conflicts in nat/rdr before expansion,
rules will expand to all valid combinations, and there's an error when
none is found. Makes "nat on tun0 from 10.0.0.0/8 to any -> (tun0)"
work (again).


# 1.107 25-Jun-2002 henning

move pfctl options -t, -m, -O and -l to pf.conf. These are set using the
"set" keyword. example rulefile:

set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all

fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@


# 1.106 24-Jun-2002 dhartmei

Use interface when specified in scrub rule. No support for ! or {} yet.


# 1.105 23-Jun-2002 deraadt

uid_t and gid_t are unsigned


# 1.104 20-Jun-2002 dhartmei

Copy address family from inet/inet6 keyword, if specified.


# 1.103 18-Jun-2002 frantzen

propagate a '!' when a host resolves to multiple IP addresses
ok dhartmei@


# 1.102 18-Jun-2002 frantzen

don't allow individual keep state rules to specify timeouts for 'interval' and
'frag' -- they aren't applied anyway
ok dhartmei@ and henning@


# 1.101 16-Jun-2002 aaron

Rules must in order -> Rules must be in order


# 1.100 15-Jun-2002 dhartmei

Reset rulestate in parse_rules(), so consecutive calls (like from authpf)
will not fail. Reported by Chris Kuethe.


# 1.99 13-Jun-2002 kjell

Fix the numbering of scrub rules. pointed out and oked by frantzen@


# 1.98 12-Jun-2002 kjell

Fix uninitialized access. Spotted by danh@ This is a good reason to
develop with "ln -s 'J' /etc/malloc.conf" enabled.
ok henning@


# 1.97 11-Jun-2002 frantzen

split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@. the rest are slacking


# 1.96 11-Jun-2002 frantzen

SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@


# 1.95 11-Jun-2002 dhartmei

Make NAT proxy port range configurable per rule, for instance privileged
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@


# 1.94 10-Jun-2002 kjell

Merge the NAT and rules files into a single rulefile. Rules must be
in this order, to remove any ambiguity about what order things happen in:

scrub rules
nat rules
filter rules

The -N and -R modifiers go away. Rulefiles are now loaded with the
more POSIXly-correct '-f'

ok frantzen@


# 1.93 10-Jun-2002 dhartmei

Allow ports to be specified in nat rules, useful later on for individual
proxy port ranges.


# 1.92 10-Jun-2002 dhartmei

Move enum out of struct (gcc 3.1 wasn't happy), from David Krause


# 1.91 10-Jun-2002 kjell

split scrub rule processing into its own yacc target,
for imminent config file merge. ok frantzen@


# 1.90 09-Jun-2002 dhartmei

Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it
includes ports and operator.


# 1.89 09-Jun-2002 deraadt

spaced out developers...


# 1.88 09-Jun-2002 kjell

Add list parsing in RDR rules: e.g.

rdr on $IFLIST proto tcp from $SRC_LIST to $DST_LIST port 21 \
-> 127.0.0.1 port 8021

ok dhartmei@


# 1.87 08-Jun-2002 henning

nuke unused parameter af to expand_label_port
ok dhartmei@, pb@


# 1.86 08-Jun-2002 dhartmei

Change remaining read-only lookup tables to const, suggestion drahn@


# 1.85 08-Jun-2002 itojun

comment on IPv6 link-local twists


# 1.84 08-Jun-2002 kjell

add list expansion to src/dest in NAT rules. i.e.

nat on fxp0 from { 10.0.0.0/24, 10.0.1.0/24 } to \
{ 172.6.1.1, 172.14.1.2/32 } -> fxp0

ok theo, dhartmei@


# 1.83 08-Jun-2002 henning

remove macro concatenation via += per Theo's advice


# 1.82 08-Jun-2002 henning

allow macro concatenation like
webservers = "{ 10.0.0.1, 10.0.0.7, 10.0.0.8, "
webservers += " 10.0.0.17, 10.0.0.25, 10.0.0.37 }"
ok frantzen@, dhartmei@


# 1.81 08-Jun-2002 dhartmei

Make state timeouts configurable per rule, like

pass in from any to any port www keep state (tcp.established 60)

ok frantzen@


# 1.80 08-Jun-2002 henning

expand $nr -> rule number in rule labels
okay dhartmei@, frantzen@


# 1.79 08-Jun-2002 henning

expand $proto in rule labels
okay frantzen@ dhartmei@


# 1.78 07-Jun-2002 dhartmei

Handle realloc() failure gracefully. Terminates with err() anyway in this
case, but we don't want to trigger "p = realloc(p," grepping causing false
alarms here.


# 1.77 07-Jun-2002 deraadt

henning, read this to see what i mean by KNF


# 1.76 07-Jun-2002 pb

add the possibility to configure a TTL while return-rst

ok dhartmei@, ipv6 part itojun@ ok


# 1.75 07-Jun-2002 dhartmei

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@


# 1.74 07-Jun-2002 henning

allow using $srcaddr, $srcport, $dstaddr and $dstport in rule labels,
evaluated at parse time.
ok dhartmei@


# 1.73 07-Jun-2002 itojun

make IPv6 scope identification work for dst (from any to fe80::1%lo0)


# 1.72 07-Jun-2002 itojun

support scoped IPv6 address in from/to portion.


# 1.71 01-Jun-2002 hugh

ECN flag support for pf. Committed in consultation with Daniel.


# 1.70 24-May-2002 dhartmei

Support mixed (IPv4/v6) address lists, expand to all possible and valid
combinations. 'pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }' will
expand to two rules, 'from 10.1.2.3 to 10.4.5.6' and 'from ::1 to ::2'.
Also applies to host name resolution (when multiple addresses are returned
for one name). ok frantzen@, itojun@


# 1.69 23-May-2002 deraadt

tiny KNF, some malloc checks, etc


# 1.68 23-May-2002 itojun

new_addr is not used from anywhere. daniel@benzedrine.cx ok


# 1.67 19-May-2002 deraadt

KNF


# 1.66 12-May-2002 dhartmei

Explain that user/group 'unknown' can only be used with operators = and !=
and refuse other constructs in the parser. Also note that 'user >= 0' does
not match forwarded packets with unknown user ID.


# 1.65 12-May-2002 dhartmei

Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.


# 1.64 10-May-2002 dhartmei

Handle host name resolution returning multiple addresses in the rule
parser (expand to every address). ok frantzen@


# 1.63 09-May-2002 jasoni

Add a max-mss option to the scrub rule which will enforce a maximum mss
by lowering it to the given value.
- ok dhartmei@, provos@


# 1.62 09-May-2002 dhartmei

Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.


# 1.61 24-Apr-2002 dhartmei

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).


# 1.60 23-Apr-2002 dhartmei

Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.


# 1.59 18-Apr-2002 deraadt

use strlcpy


# 1.58 17-Apr-2002 dhartmei

Reset lineno for each file, so pfctl -R ... -N ... reports the right
line number for non-first files. Reported by aaron@


Revision tags: OPENBSD_3_1_BASE
# 1.57 27-Mar-2002 mickey

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok


# 1.56 27-Feb-2002 dhartmei

Instead of printing useless @0 rule numbers from pfctl -vR, increase a
counter. Helps debugging rule sets that are not loaded. Suggested by
John Kerbawy.


# 1.55 11-Jan-2002 mickey

use bsearch() for keywords lookup, swap couple of entries to make the keywords array sorted and add a comment to keep it that way; dhartmei@ ok


# 1.54 10-Jan-2002 hugh

Let port 0 be specified as it's not special here.
Agreement with Daniel and others.


# 1.53 09-Jan-2002 mpech

Port must be >0 and <=65535. Idea while have fun with ssh.

dhartmei@ ok


# 1.52 09-Jan-2002 mpech

free() 'interface' in {nat,binat,rdr}rule

dhartmei@ ok


# 1.51 09-Jan-2002 dhartmei

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.


# 1.50 08-Jan-2002 dhartmei

Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.


# 1.49 07-Jan-2002 mpech

remove 3rd argument from ipmask(), not used.

dhartmei@ ok


# 1.48 23-Dec-2001 deraadt

find correct line number in lval, instead of val


# 1.47 10-Dec-2001 dhartmei

Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.


# 1.46 05-Dec-2001 dhartmei

Correctly parse hex numbers. Spotted by Claudio Jeker. Closes PR 2234.


# 1.45 03-Dec-2001 dhartmei

For nat, binat and rdr rules, don't allow different address families in
one rule. pf can't translate IPv4 <-> IPv6 packets. Such rules didn't work,
even if they were falsely accepted before.


# 1.44 26-Nov-2001 jasoni

add fastroute options similar to what is found in ipf
ok dhartmei@, frantzen@


# 1.43 05-Nov-2001 deraadt

noone responds.
this diff makes } and { not be part of symbols


# 1.42 24-Oct-2001 dhartmei

Check interface names using ifa0_lookup() and print error message for
non-existent interfaces (instead of the generic ioctl error returned by
the kernel in this case).


Revision tags: OPENBSD_3_0_BASE
# 1.41 15-Oct-2001 dhartmei

branches: 1.41.2;
Add 'allow-opts' to rules. Packets with IP options will be blocked by
default now, and can be allowed per rule. ok deraadt@


# 1.40 11-Oct-2001 frantzen

Don't htonl() past buffer bounds if ipmask == 128


# 1.39 07-Oct-2001 dhartmei

Add interface name to address translation to pfctl, document it and add
a regress test. Translation is done on rule set load-time only, so the
rule sets must be reloaded when an interface address changes.
parse.y patch from Cedric Berger. Similar patch from Jonathon Fletcher.
Thanks to both.


# 1.38 01-Oct-2001 markus

print variable assignments only if -v is given. ok dhartmei/deraadt


# 1.37 28-Sep-2001 dhartmei

Support underscores in macro names and document it in the man page.


# 1.36 20-Sep-2001 dhartmei

Fix uninitialized structure fields. Problem reported by Cedric Berger.


# 1.35 15-Sep-2001 wilfried

Implement return-icmp(number), return-icmp6(number)
Differentiate between return-icmp and return-icmp6,
icmp-type and ipv6-icmp-type. ok dhartmei@


# 1.34 15-Sep-2001 dhartmei

Fix 'binat ... to any ...' (binat.af wasn't set).


# 1.33 15-Sep-2001 dhartmei

Parse bug, found by wilfried@


# 1.32 15-Sep-2001 frantzen

IPv6 support from Ryan McBride (mcbride@countersiege.com)


# 1.31 12-Sep-2001 markus

check calloc() return value


# 1.30 06-Sep-2001 jasoni

- you can only binat between hosts
- add binat example and description


# 1.29 06-Sep-2001 jasoni

1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@


# 1.28 04-Sep-2001 dhartmei

Support parameter lists {} for interfaces in filter rules, like
pass in on { gm0, kue0 } from any to any


# 1.27 28-Aug-2001 markus

move '!' from host_list to host: "xhost : '!' host | host;"; ok dhartmei@


# 1.26 28-Aug-2001 markus

check for malloc/strdup == NULL


# 1.25 28-Aug-2001 dhartmei

Support ! operator in host parameter lists. Fixes PR system/2030. Reported
by Kamil Andrusz <wizz@mniam.net>.


# 1.24 26-Aug-2001 deraadt

sort keywords


# 1.23 25-Aug-2001 frantzen

PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation.


# 1.22 23-Aug-2001 millert

o for a port_item, initialize the "next" pointer to NULL
o for an address, use calloc() instead of malloc() so the struct is zeroed
Fixes a SEGV in pfctl due to uninitialized "next" pointers.


# 1.21 23-Aug-2001 deraadt

Support var="string". Expansion (at lex time) done using $var, for instance:
okproto="{ssh, smtp, domain, auth}"
pass in on key0 proto tcp from any to any port $okproto keep state
Can I ask someone else to document this in pf.conf(5)?


# 1.20 19-Aug-2001 dhartmei

Add parameter list support to parser. Handles lists for protocol, hosts
and ports in filter rules, like

block in from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
pass in proto tcp from any to any port { ssh, 1024 >< 2000, > 65000 }
block in proto { udp, igmp }

and does rule expansion (generate all needed rule combinations).


# 1.19 16-Aug-2001 deraadt

track the line number per-token, so that we can report errors correctly


# 1.18 14-Aug-2001 mickey

optimize the flags parsing; markus@ ok


# 1.17 11-Aug-2001 deraadt

\+\n support, and spit out cc-style error messages. the parser's line
counting is lex dependent, and will need to be tweaked


# 1.16 31-Jul-2001 wilfried

allow to test that flags are unset, ok dhartmei@, mickey@


# 1.15 19-Jul-2001 krw

Fix/complete the handling of the binary ops >< and <> to behave
like the ipf operators.

The 'n >< m' construct (Include Range = PF_OP_IRG) should match
ports greater than n and less than m, not greater than or equal to
n and less than or equal to m.

The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match
all ports less than n OR greater than m, not be treated as an
alias for ><.

Thus PF_OP_GL, which was used for both <> and >< is replaced with
PF_OP_IRG and PF_OP_XRG with the 'correct' semantics.

OK dhartmei@
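The range semantics spelled out in this commit message, as an added example (not pfctl's own matcher code): a small C port matcher with constructed sample ports. The operator names mirror PF_OP_IRG and PF_OP_XRG from the message; the enum, struct and function names are hypothetical helpers written for this illustration.

```c
/*
 * Added illustration, not pfctl source. Implements the port operators as
 * described above: 'n >< m' matches strictly between n and m, 'n <> m'
 * matches strictly below n or strictly above m.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum port_op {
	OP_NONE,	/* no port restriction */
	OP_EQ,		/* port == n */
	OP_IRG,		/* n >< m : inside the range, n < port < m */
	OP_XRG,		/* n <> m : outside the range, port < n || port > m */
	OP_RRG		/* n:m    : inclusive range, n <= port <= m */
};

struct port_match {
	enum port_op	op;
	uint16_t	lo;	/* n */
	uint16_t	hi;	/* m */
};

/* Return true when 'port' satisfies the match 'pm'. */
static bool
port_matches(const struct port_match *pm, uint16_t port)
{
	switch (pm->op) {
	case OP_NONE:
		return true;
	case OP_EQ:
		return port == pm->lo;
	case OP_IRG:
		/* "Include range": greater than n AND less than m; both bounds excluded. */
		return port > pm->lo && port < pm->hi;
	case OP_XRG:
		/* "Exclude range": less than n OR greater than m; both bounds excluded. */
		return port < pm->lo || port > pm->hi;
	case OP_RRG:
		return port >= pm->lo && port <= pm->hi;
	}
	return false;
}

/* Convenience wrappers for 'n >< m' and 'n <> m'. */
static bool
irg_matches(uint16_t n, uint16_t m, uint16_t port)
{
	struct port_match pm = { OP_IRG, n, m };
	return port_matches(&pm, port);
}

static bool
xrg_matches(uint16_t n, uint16_t m, uint16_t port)
{
	struct port_match pm = { OP_XRG, n, m };
	return port_matches(&pm, port);
}

int
main(void)
{
	/* Constructed sample ports: the two bounds and points on either side. */
	const uint16_t samples[] = { 1023, 1024, 1500, 2000, 2001 };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("port %5u: 1024 >< 2000 -> %d, 1024 <> 2000 -> %d\n",
		    samples[i], irg_matches(1024, 2000, samples[i]),
		    xrg_matches(1024, 2000, samples[i]));
	return 0;
}
```

One consequence worth checking when auditing a ruleset that pairs both operators: with these semantics the bounds n and m themselves match neither 'n >< m' nor 'n <> m', so a pass rule on one and a block rule on the other leaves ports n and m to whatever rule follows.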


# 1.14 18-Jul-2001 markus

new ERROR token, errx() -> warnx() + ERROR; ok deraadt@


# 1.13 18-Jul-2001 markus

KNF for return


# 1.12 18-Jul-2001 mickey

check number range to fit in 32 bits


# 1.11 18-Jul-2001 mickey

put range checks on NUMBER, pointed out by deraadt


# 1.10 17-Jul-2001 mickey

spaces, parens, err instead of errx+strerror


# 1.9 17-Jul-2001 markus

warnx()/YYERROR instead of errx(); suggested by mickey@


# 1.8 17-Jul-2001 provos

markus doesn't like min-ttl =, begone


# 1.7 17-Jul-2001 provos

support min-ttl, okay dhartmei@


# 1.6 17-Jul-2001 provos

normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@


# 1.5 17-Jul-2001 marc

bitch about ! in pf rule; ok dhartmei@ and markus@


# 1.4 17-Jul-2001 millert

Only set default proto in the rdr case; markus@ OK


# 1.3 16-Jul-2001 markus

errx() if getservbyname() fails


# 1.2 16-Jul-2001 markus

better flags parsing; dhartmei


# 1.1 16-Jul-2001 markus

add a yacc parser for pf.conf and nat.conf, with help from mickey@,
plus: -n now turns off all operations, and just parses the conf files
ok deraadt@


# 1.695 18-Apr-2019 kn

Fix table definition parsing as unprivileged user

revision 1.689 introduced warn_duplicate_tables() unconditionally, breaking
the parser on tables with insufficient permissions to open pf(4):

$ echo 'table <t>' | pfctl -nf-
pfctl: pfr_get_tables: Bad file descriptor

So simply check whether pfctl is able to get the table list first. If not,
instead of silently avoiding namespace collision checks, print a brief
notice iff `-v' is given to help finding duplicate definitions by hand:

$ echo 'table <t>' | ./obj/pfctl -vnf-
table <t>
stdin:1: skipping duplicate table checks for <t>

Reported by Rivo Nurges, thanks!
OK benno sashan


Revision tags: OPENBSD_6_5_BASE
# 1.694 06-Mar-2019 kn

Fix once rules

parse.y revision 1.682 from 16.07.2018 erroneously allowed `match once' and
`anchor "a" once'.

Fix both by checking for PF_DROP not PF_MATCH and creating anchors in the
parser already such that they can be used to distinguish anchor rules in
the same check as well.

Found and fixed by Petr Hoffmann <petr.hoffmann at oracle dot com>, thanks!

While here, remove an unneeded cast and make pfctl_add_rule() void as it
always returned 0.

OK sashan


# 1.693 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.692 10-Feb-2019 kn

Anchor names must not be empty

The parser would allow bogus input and sometimes even produce invalid rules
on empty anchor names, so error out immediately.

OK sashan


# 1.691 10-Feb-2019 kn

Unify anchor name sanity checks

For anchor names, make `load anchor' use the same grammar as `anchor' and
merge unique checks from both places so that anchor names are validated
regardless of the specific rule at hand.

OK sashan


# 1.690 31-Jan-2019 kn

Make divert-packet port accept any port specification

Contrary to other rules accepting a single port, this one only works with
numerical values. Fix it by simply using the proper grammar.

Port ranges are not accepted, but an error message on a range without start
was missing in general, so add it while here.

OK bluhm


# 1.689 11-Jan-2019 kn

When creating tables inside anchors, pfctl warned about namespace
collisions with global tables, but only in certain cases and with
limited information sometimes leaving users clueless.

Deferring the check to process_tabledefs() where tables are eventually
created, both anchor and table name are known which allows for checking
all existing anchors.

With this, warn on all duplicates even in dry-runs (`-n') and print
quoted names so they can be copied to fix configurations right away.

No functional change in parsing or ruleset production.

Discussed with and OK sashan


# 1.688 15-Nov-2018 dlg

scrub opts don't set tos, so remove it from the scrub_opts struct

ok deraadt@


# 1.687 10-Nov-2018 kn

Unbreak `-D macro=value' (r1.686 regression)

Zap trailing semicolon introduced with miko's cmdline_symset() leading to
unconditional err(3). Zap trailing tab while here.


# 1.686 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.685 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@
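The quoted-string escape rules this commit describes, as an added example (not pfctl's yylex): a minimal C reader for a double-quoted string. Inside the quotes a backslash followed by a space or tab yields that space or tab, and a backslash followed by a newline is dropped as a line continuation. Treating `\"` as a literal quote and keeping any other backslash sequence verbatim are assumptions of this illustration, as are the function names and interface.

```c
/*
 * Added illustration, not pfctl source. read_quoted() applies the escape
 * rules from the commit message above to a NUL-terminated source buffer.
 */
#include <stdio.h>
#include <string.h>

/*
 * Parse the quoted string starting at src (which must point at the opening
 * quote). Writes the unescaped contents into out (at most outsz-1 bytes
 * plus a NUL) and returns the number of source bytes consumed, or -1 on a
 * missing closing quote or an overlong string.
 */
static int
read_quoted(const char *src, char *out, size_t outsz)
{
	size_t i = 1, o = 0;	/* i skips the opening quote */

	if (src[0] != '"')
		return -1;
	for (;;) {
		char c = src[i];

		if (c == '\0')
			return -1;	/* unterminated string */
		i++;
		if (c == '"')
			break;
		if (c == '\\') {
			char next = src[i];

			if (next == '\0')
				return -1;
			if (next == '\n') {
				i++;		/* line continuation: emit nothing */
				continue;
			}
			if (next == ' ' || next == '\t' || next == '"') {
				c = next;	/* escaped blank (or quote) is literal */
				i++;
			}
			/* otherwise keep the backslash; 'next' is read normally */
		}
		if (o + 1 >= outsz)
			return -1;
		out[o++] = c;
	}
	out[o] = '\0';
	return (int)i;
}

/* Check helper: does src unescape to exactly 'expect'? */
static int
unquotes_to(const char *src, const char *expect)
{
	char buf[128];

	return read_quoted(src, buf, sizeof buf) > 0 && strcmp(buf, expect) == 0;
}

/* Number of source bytes the quoted string occupies, or -1 if malformed. */
static int
quoted_span(const char *src)
{
	char buf[128];

	return read_quoted(src, buf, sizeof buf);
}

int
main(void)
{
	/* Constructed inputs covering each rule from the commit message. */
	const char *inputs[] = {
		"\"a\\ b\"",		/* backslash-space -> space */
		"\"a\\\tb\"",		/* backslash-tab -> tab */
		"\"foo\\\nbar\"",	/* backslash-newline -> continuation */
		"\"x\\y\"",		/* other escape kept verbatim */
		"\"unterminated"	/* error case */
	};
	size_t n;

	for (n = 0; n < sizeof(inputs) / sizeof(inputs[0]); n++) {
		char buf[128];
		int used = read_quoted(inputs[n], buf, sizeof buf);

		if (used < 0)
			printf("input %zu: malformed\n", n);
		else
			printf("input %zu: [%s] (%d bytes consumed)\n", n, buf, used);
	}
	return 0;
}
```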


Revision tags: OPENBSD_6_4_BASE
# 1.684 16-Sep-2018 millert

Use uid_from_user(3) and gid_from_group(3) in utilities that
do repeated lookups. OK tb@


# 1.683 06-Sep-2018 kn

Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan


# 1.682 16-Jul-2018 kn

reduce duplicate code, fix typo/free correct buffer

In filteropts_to_rule():

* Merge `once' handling from `anchorrule' and `pfrule'
* Remove/shorten duplicate code block
* Fix typo I introduced with r1.678 that frees the wrong buffer (twice)

OK sashan


# 1.681 13-Jul-2018 kn

Fix regression on child queue definitions

I committed the wrong diff in 1.680 which turned `queue cq parent pq ...'
into invalid syntax by changing `interface' to `ON if_item'.

Found by bket, thanks!


# 1.680 11-Jul-2018 kn

Prevent invalid interface specifiers on queue rules

pf.conf(5) states that queues attach to actual interfaces only, yet the
following parses:

# echo queue eq on egress bandwidth 1G default | pfctl -f-
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

# echo queue rq on rdomain 0 bandwidth 1G default | pfctl -vf-
queue rq bandwidth 1G default
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

On rdomains, ifa_exists() returns NULL.
On interface groups, ifa_exists() returns non-NULL but af is never set
to AF_LINK.

OK henning sashan


# 1.679 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.678 10-Jul-2018 henning

'set delay' for the generic packet delay mechanism, ok benno sashan


# 1.677 10-Jul-2018 kn

fix anchor rules with filter opts, introduce filteropts_to_rule()

Some filter options were parsed but not set on anchor rules due to missing
copies of the respective struct members:

$ cat pf.conf
queue rq on trunk0 bandwidth 1G
queue dq parent rq bandwidth 1G default
anchor a set queue dq
$ pfctl -vnf pf.conf | fgrep queue
anchor "a" all

Fix this by moving common code from `anchorrule' and `pfrule' into a new
helper filteropts_to_rule().

Input from henning and benno
OK henning sashan jca


# 1.676 09-Jul-2018 kn

Zap dead code

Commented since r1.465 (2004).

OK deraadt benno jca sashan


# 1.675 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.674 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.673 18-May-2018 benno

A pf rule with a "on rdomain n" with nonexisting rdomain n will cause an

pfctl: DIOCADDRULE: Device busy

error when loading the ruleset, with no information which rule caused
the problem and no indication that the problem is the rdomain
<nonexisting>.

This diff makes pfctl check if the rdomain really exists when parsing
the config.

ok bluhm@


# 1.672 09-May-2018 otto

Fix (include file) line number counting by keeping track of the unget
buffer per file; also use that buffer to expand macros.
ok sashan@ dennis@ krw@


# 1.671 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.670 08-Feb-2018 henning

make the watermarks/thresholds for entering and leaving syncookie mode when
syncookies are set to adaptive tunable, ok claudio benno


# 1.669 06-Feb-2018 henning

allow control over syncookies: set syncookies never/always/adaptive


# 1.668 28-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@


# 1.667 27-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Convert the pfctl(8) rule parser to divert types, kernel cleanup
will be the next step.
OK sashan@


# 1.666 25-Nov-2017 sashan

- pfctl fails to handle nested 'load anchor' properly
[ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]

OK bluhm@


# 1.665 14-Nov-2017 sashan

- nested anchors vs. pfctl/parse.y
bug reported and fix tested by Leonardo Guardati

OK bluhm@


# 1.664 13-Nov-2017 henning

add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb


Revision tags: OPENBSD_6_2_BASE
# 1.663 11-Aug-2017 benno

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@


# 1.662 19-Jul-2017 mikeb

Allow HFSC classes to use flow queues

The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue. Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.

Discussed with and OK henning@ at d2k17 as a part of a larger diff.


# 1.661 19-Jul-2017 mikeb

Rework HFSC vs FQ-CoDel checks

The selection mechanism introduced in pf_ioctl.c -r1.316 suffers
from being too ambiguous and lacks robustness. Instead of relying
on composition of multiple flags in the queue specification, it's
easier to identify the root class (if it exists) and derive all
further checks from it.


# 1.660 28-May-2017 akfaew

Don't check np->port for NULL - it's an array, it's never NULL.

OK bluhm@


# 1.659 15-May-2017 mikeb

Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)

OK sthen, visa


# 1.658 28-Apr-2017 mikeb

Remove double assignments


Revision tags: OPENBSD_6_1_BASE
# 1.657 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.656 23-Nov-2016 bluhm

Explicitly forbid to combine af-to with route-to in pfctl. The
parser cannot handle that correctly and it is unclear whether the
kernel code would work. Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@


# 1.655 26-Aug-2016 guenther

Add <time.h> for time(); sort <*.h> includes

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.654 18-Jul-2016 henning

g/c unused (global!) var: oqueues isn't used any more. ALTQ leftover; not
noticed since struct node_queue stayed. ok claudio benno gcc


# 1.653 22-Jun-2016 kettenis

Add curly braces that were missed in rev 1.651. Add parentheses to make the
condition in the if statement more readable while I'm there.

ok phessler@, benno@, florian@


# 1.652 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.651 21-Jun-2016 benno

the manpage documents that af-to does not work on pass out rules, but
the pf.conf parser allows it, which leads a non working configuration
being loaded.
this changes the parser to make pass out .. af-to an error.

ok henning@ mikeb@


# 1.650 16-Jun-2016 henning

allow include in inline anchors
with this,
anchor foo {
include "/path/to/rules"
}
works and "load anchor" is obsolete, to be removed somewhen later after
release.
co-production with reyk at bsdcan, ok reyk mikeb benno sasha


Revision tags: OPENBSD_5_9_BASE
# 1.649 01-Sep-2015 sashan

- route-to, dup-to, reply-to should not override the block action

Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>

ok jung@, ok mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.648 21-Apr-2015 mikeb

Improve divert-to specification parsing w.r.t. rule address family.
ok henning


Revision tags: OPENBSD_5_7_BASE
# 1.647 26-Feb-2015 sthen

%% not % in error message; ok millert@ henning@


# 1.646 14-Feb-2015 sthen

Rather than using 0xff as a placeholder for "don't check prio", use 0xff to
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.

Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesn't like it he can change it when he recovers from jet-lag"


# 1.645 10-Feb-2015 henning

since we inherit prio (as in, the queuing priority) from outside sources,
i. e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan


# 1.644 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.643 19-Dec-2014 reyk

Support source-hash and random with tables and dynifs; not just pools.
This finally allows to use source-hash for dynamic loadbalancing, eg.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.

An older pre-siphash version of this diff was tested by many people.

OK tedu@ benno@


# 1.642 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.641 27-Oct-2014 mikeb

Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic. Reported by sthen@;
ok henning benno sthen


# 1.640 25-Oct-2014 lteo

Remove unnecessary netinet/in_systm.h include.

ok millert@


# 1.639 13-Sep-2014 doug

Replace all queue *_END macro calls except CIRCLEQ_END with NULL.

CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.

ok millert@


# 1.638 23-Aug-2014 pelikan

when you specify queues in a rule, make sure they have been defined.

DIOCADDRULE EBUSY turns into an error message that pfctl -n catches.
DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported
to occur, possibly from hfsc.c: this should be fixed as well.

ok henning mikeb sthen


# 1.637 21-Aug-2014 mikeb

deny "once" flags for match rules; ok henning


Revision tags: OPENBSD_5_6_BASE
# 1.636 02-Jul-2014 mikeb

branches: 1.636.4;
condition above makes this part of the check useless;
overlooked in the previous commit


# 1.635 30-Jun-2014 mikeb

Merge two loops in collapse_redirspec into one

This lets us do the checks only once and also make smarter decisions
about the rule's own address family. As a result af-to rules no longer
need to specify the address family after 'pass'.

ok henning


# 1.634 25-Jun-2014 mikeb

Make stricter decisions when handling translation specifications.

In particular, disallow specifications containing addresses of
different address families when rule doesn't specify one, for
example "pass out nat-to { ::1 1.1.1.1 }" will now produce an
error instead of silently picking one of the addresses.

sthen and deraadt agree


# 1.633 17-May-2014 bluhm

When parsing a numerical value for the TOS bits, make sure that it
is in a valid range.
OK henning@


# 1.632 19-Apr-2014 henning

remove altq bits here, too
(i was convinced i committed that yesterday already, hrm)


Revision tags: OPENBSD_5_5_BASE
# 1.631 22-Jan-2014 henning

branches: 1.631.4;
relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.630 21-Jan-2014 henning

if_item can be "any" now.
allows things like
block out on $someif received-on any
to prevent packets to get forwarded to $someif


# 1.629 20-Jan-2014 henning

support "!received-on <interface>", ok dlg benno


# 1.628 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.627 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


# 1.626 17-Oct-2013 henning

cannot have queue definitions inside anchors.
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@@ring0.de>, analysis & fix yours truly


# 1.625 12-Oct-2013 henning

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen


# 1.624 01-Aug-2013 mikeb

Provide local implementations of if_nametoindex(3) and if_indextoname(3)
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance wise this change provides a speed up
factor of 20 with an 11k line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).

"wow!" henning, ok benno, florian


Revision tags: OPENBSD_5_4_BASE
# 1.623 01-Jun-2013 henning

branches: 1.623.2;
remove set-tos backwards compat, moved into the set {} block a year ago
ok ryan


# 1.622 02-Mar-2013 sthen

When a PF rule contains 'set tos' *followed by* a scrub option, the tos
value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning


Revision tags: OPENBSD_5_3_BASE
# 1.621 16-Jan-2013 henning

for consistency with prio etc, the queue assignment really belongs
into the set block. so make pfctl accept, print and the manpage document
. match set queue foo
instead of
. match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc


# 1.620 18-Oct-2012 reyk

Disallow tables and interface address pools for rdr-to, nat-to and
route-to with any other scheduling algorithms than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, eg. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.

Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.

ok zinke@


# 1.619 18-Sep-2012 henning

prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb


Revision tags: OPENBSD_5_2_BASE
# 1.618 10-Jul-2012 bluhm

Allow an implicit address family for af-to rules. If the address
family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6"
there.
OK henning@ mikeb@


# 1.617 10-Jul-2012 henning

set { ... } -> set ( ... )
brought up by ryan, discussed with him and theo and they convinced me


# 1.616 09-Jul-2012 henning

fix some of the confusion we have in pf regarding filter criteria vs
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler


# 1.615 07-Jul-2012 henning

remove incorrect check in pfctl preventing set-tos for ipvshit.
the kernel has code to deal with set-tos and that crap. don't ask for
details. stuart ok


# 1.614 07-Jul-2012 henning

rename prio in struct pf_rule and related structs to set_prio so it is
utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc


Revision tags: OPENBSD_5_1_BASE
# 1.613 19-Dec-2011 mikeb

unbreak rule optimizer; ok henning, looks


# 1.612 12-Dec-2011 mikeb

fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault


# 1.611 03-Dec-2011 mcbride

pfctl_set_hostid always returns 0; don't pretend otherwise and make it a
void function instead.

ok dlg


# 1.610 13-Oct-2011 claudio

pfctl change for af-to / NAT64 support.
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@


# 1.609 07-Sep-2011 haesbaert

Avoid possible SIGSEGV when wrong tos option.


# 1.608 30-Aug-2011 mikeb

One shot rules can be used in pf.conf by specifying a "once" filter option.

ok henning, mcbride


Revision tags: OPENBSD_5_0_BASE
# 1.607 29-Jul-2011 mcbride

Remove requirement to quote 'debug' loglevel for the 'debug' option.

ok henning


# 1.606 27-Jul-2011 mcbride

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt


# 1.605 13-Jul-2011 mcbride

Force user to specify protocol when filtering on user, gid, and os
attributes (this is now required by pf_rule_test()).

ok sthen henning


# 1.604 08-Jul-2011 henning

allow rules to specify "prio X" or "prio (X, Y)" to assign priority levels
for the new priority queueing implementation. valid range is 0 to 7. the old
trick for prioritizing empty ACKs etc remains thru the latter notation
ok ryan mpf sthen plus pea testing and halex and claudio reading


# 1.603 07-Jul-2011 mcbride

Fold pf_test_fragment() into pf_test_rule(), reduce code and fixes
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus


# 1.602 04-Jul-2011 henning

bye bye require-order.
i added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo


# 1.601 03-Jul-2011 henning

g/c RIO traces (aka clean up after tedu :))


# 1.600 03-Jul-2011 zinke

bring in least-states load balancing algorithm

ok mcbride@ henning@


# 1.599 06-Apr-2011 claudio

Userland bits to allow PF to filter on the rdomain a packet belongs to.
This allows to write rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@


# 1.598 05-Apr-2011 mikeb

ditch fastroute, an ipf feature that made its way into pf before
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do. reuse some kernel bits for the upcoming nat64
stuff. "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.


Revision tags: OPENBSD_4_9_BASE
# 1.597 31-Dec-2010 bluhm

According to pf_scrub_ip6() pf does not support the scrub options
no-df, random-id, set-tos for IPv6 rules. Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@


# 1.596 15-Dec-2010 henning

make the "invalid probability:" yyerror suck less
From: Thomas Pfaff <tpfaff@tp76.info>


# 1.595 01-Dec-2010 jsg

remove some unused tokens
ok henning@ mcbride@


# 1.594 24-Sep-2010 henning

remove the check that enforced rdr-to only inbound and nat-to only outbound.
both now can be used in both directions. the kernel allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given, a rule with rdr-to and/or nat-to
and no direction is pretty certainly an error (which it would work,
technically)
ok ryan claudio dlg


# 1.593 22-Sep-2010 henning

new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually


# 1.592 02-Sep-2010 sobrado

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@


Revision tags: OPENBSD_4_8_BASE
# 1.591 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.590 03-Jul-2010 mcbride

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.

tested by phessler
ok henning


# 1.589 23-Mar-2010 henning

remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving anchors aside) is wrong and
conflicts with the general idea of how pf works. last not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc


Revision tags: OPENBSD_4_7_BASE
# 1.588 13-Jan-2010 deraadt

Move tokens before productions into more consistent places
ok mcbride


# 1.587 13-Jan-2010 mcbride

Allow /netmask notation in redir spec, fix the rest of the regress
tests for illegal conditions in translation/routing.


# 1.586 12-Jan-2010 mcbride

We actually have to keep the translate/route spec addresses around after
collapsing into tables, so that we can handle all possible address family
expansions.


# 1.585 12-Jan-2010 mcbride

Set roundrobin flag correctly, and don't treat a bare interface
like a dynamic one in the routespec.


# 1.584 12-Jan-2010 mcbride

Add restrictions to make @if illegal outside of routing specs;
Fix binat-to sanity checks.


# 1.583 12-Jan-2010 mcbride

Fix some issues in redir spec handling, discovered thanks to dlg testing
- purge irrelevant addresses from the lists before collapsing
- ensure the lists are freed after they're collapsed
- more careful ifname copying, avoiding double-free / use-after-free traps


# 1.582 12-Jan-2010 mcbride

Don't leak @if0 format routing host names, pointed out by claudio.


# 1.581 12-Jan-2010 mcbride

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio


# 1.580 10-Jan-2010 deraadt

lex <=, >=, and != into a single token for correctness and to reduce the
lookahead in the parser
ok henning otto


# 1.579 10-Jan-2010 deraadt

In the non-optimized case, an address list containing "any" (ie. { any 10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1. How long this bug has
been with us is unclear.
ok guenther mcbride


# 1.578 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


# 1.577 24-Dec-2009 dlg

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:

pass out on em0 from $foo to $bar received-on fxp0

I've been running this in production for a week now. I find it particularly
useful with interface groups.

no objections, and a few "i like"s from henning, claudio, deraadt, mpf


# 1.576 10-Dec-2009 deraadt

plug some memory leaks; found by parfait, ok henning


# 1.575 22-Nov-2009 henning

cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing


# 1.574 09-Nov-2009 jsg

A few more places to be updated for the route pool change.
expanded version of a diff from Vadim Zhukov.

ok henning@ claudio@


# 1.573 28-Oct-2009 jsg

Add a dedicated pf pool for route options as suggested by henning,
which unbreaks ie route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@


# 1.572 28-Oct-2009 claudio

route_host initializes the netmask to a /128 no matter what af is used so
that the load balancing code does not freak out but because of this
check_netmask() is now complaining. So set the addr.type to PF_ADDR_DYNIFTL
so check_netmask() is fixing up the netmask for IPv4 and stops complaining.
This is a partial fix for the failing regress test 13.
found with jsg, looks good henning


# 1.571 28-Oct-2009 claudio

Correct function name in err and errx.


# 1.570 04-Oct-2009 michele

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who pointed out the limitations of this approach.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@


# 1.569 08-Sep-2009 michele

I had not enough oks to commit this diff.
Sorry.


# 1.568 08-Sep-2009 michele

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.


# 1.567 07-Sep-2009 reyk

implement binat-to as a macro-like rule: a rule using the new binat-to
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. this simplifies the migration from old
binat rules and is less error-prone.

feedback from many, manpage bits from jmc@
ok henning@


# 1.566 03-Sep-2009 reyk

this time i commit the right diff that was
ok henning@ (sorry)


# 1.565 03-Sep-2009 reyk

fix two route-to vs. rdr-to conflicts.

found by sthen@
ok henning@


# 1.564 02-Sep-2009 reyk

all the new *-to options are part of the "filteropts" section at the
end of a pf rule (nat-to, divert-to, rdr-to, ...). take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.

for example,
pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)

many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@


# 1.563 01-Sep-2009 henning

the diff theo calls me insanae for:
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too


# 1.562 28-Jul-2009 claudio

Bring back rev. 1.560:
Make it possible to use DiffServ Code Point in the TOS fields.
Requested by deraadt@


# 1.561 27-Jul-2009 deraadt

When will people learn to commit their .h file changes?


# 1.560 27-Jul-2009 claudio

Make it possible to use DiffServ Code Point in the TOS fields. Names like
af11, cs6 and ef will now be mapped to the corresponding TOS value.
OK henning@, sthen@, mcbride@


Revision tags: OPENBSD_4_6_BASE
# 1.559 14-May-2009 sthen

actually change the require-order default to No; I missed a part with
my last commit. ok deraadt@


# 1.558 26-Apr-2009 sthen

switch the require-order default to "no". regression tests still pass.
ok henning@ deraadt@


# 1.557 25-Apr-2009 henning

scrub_opts must not be empty, scrub on its own does nothing.
noticed due to a question from otto@, ok regress/sbin/pfctl/ ;)


# 1.556 06-Apr-2009 henning

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. as opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.
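
The match-rule semantics described in this commit message (options applied every time a match rule matches, the last matching pass/block rule deciding the verdict and applying its own options last, a quick rule ending evaluation) can be illustrated with a toy evaluator. The code below is an added example, not pf(4)'s or pfctl's code: whether a rule matches the packet is supplied as a per-rule flag instead of being derived from packet headers, and the rules, queue names and rtable numbers are constructed for the demo.

```c
/*
 * Added example (not pf's code): a toy evaluator for the rule semantics
 * described above. Whether a rule matches the packet is given as a flag
 * per rule, so no packet parsing happens here; rules, queue names and
 * rtable numbers are constructed for the demo.
 */
#include <stdio.h>
#include <string.h>

enum action { PF_MATCH, PF_PASS, PF_BLOCK };

struct rule {
	enum action	 action;
	int		 matches;	/* constructed: does the packet hit this rule? */
	int		 quick;		/* pass/block only; match rules cannot be quick */
	int		 log;
	const char	*queue;		/* NULL: no queue assignment */
	int		 rtable;	/* -1: no rtable assignment */
};

struct verdict {
	enum action	 action;	/* PF_PASS or PF_BLOCK */
	const char	*queue;
	int		 rtable;
	int		 logs;		/* how many times this packet gets logged */
};

/* Apply one rule's options: a later setter overrides an earlier one. */
static void
apply_options(const struct rule *r, struct verdict *v)
{
	if (r->queue != NULL)
		v->queue = r->queue;
	if (r->rtable >= 0)
		v->rtable = r->rtable;
	if (r->log)
		v->logs++;
}

struct verdict
evaluate(const struct rule *rules, size_t n)
{
	struct verdict v = { PF_PASS, NULL, -1, 0 };	/* pf's default is pass */
	const struct rule *last = NULL;
	size_t i;

	for (i = 0; i < n; i++) {
		if (!rules[i].matches)
			continue;
		if (rules[i].action == PF_MATCH) {
			apply_options(&rules[i], &v);	/* every time it matches */
			continue;
		}
		last = &rules[i];			/* last matching pass/block wins */
		if (last->quick)
			break;
	}
	if (last != NULL) {
		v.action = last->action;
		apply_options(last, &v);		/* only the winner's options count */
	}
	return (v);
}

/* A match rule sets a queue; the final pass rule has none, so the queue survives. */
struct verdict
scenario_match_queue_survives(void)
{
	const struct rule rules[] = {
		{ PF_MATCH, 1, 0, 1, "bulk", -1 },	/* match in log queue bulk */
		{ PF_PASS,  1, 0, 0, "ssh",  -1 },	/* pass in ... port 22 queue ssh */
		{ PF_PASS,  1, 0, 0, NULL,    1 },	/* pass in ... rtable 1 */
		{ PF_BLOCK, 0, 1, 1, NULL,   -1 },	/* block in quick from <bad>: no hit */
	};
	return (evaluate(rules, sizeof(rules) / sizeof(rules[0])));
}

/* A quick block in the middle: the later pass is never reached, both logs fire. */
struct verdict
scenario_quick_block(void)
{
	const struct rule rules[] = {
		{ PF_MATCH, 1, 0, 1, "bulk", -1 },
		{ PF_BLOCK, 1, 1, 1, NULL,   -1 },	/* block in quick log */
		{ PF_PASS,  1, 0, 0, "ssh",  -1 },	/* would match, but quick stopped evaluation */
	};
	return (evaluate(rules, sizeof(rules) / sizeof(rules[0])));
}

int
main(void)
{
	struct verdict v = scenario_match_queue_survives();

	printf("%s queue=%s rtable=%d logged %d time(s)\n",
	    v.action == PF_PASS ? "pass" : "block",
	    v.queue ? v.queue : "-", v.rtable, v.logs);
	return (0);
}
```

The first scenario is the case the commit message calls out: the last matching rule (the pass with rtable 1) carries no queue, so the queue set by the earlier match rule is what the packet ends up with, while the queue of the pass rule in between is discarded because it was not the last matching pass/block rule.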


Revision tags: OPENBSD_4_5_BASE
# 1.555 19-Feb-2009 deraadt

spacing


# 1.554 17-Oct-2008 henning

in findeol(), do not skip the pushback buffer. fixes PR 5952 by sthen@ and
should make the pushback buffer really transparent.
diagnosis by me, fix with mpf, some input deraadt, ok mpf


# 1.553 02-Oct-2008 henning

implement "set state-defaults X", where X is a list of state options as
permitted keep state(X). applies to all rules which do not have keep state
explicitly. e. g. "set state-defaults pflow, no-sync"
ok phessler deraadt


# 1.552 10-Sep-2008 deraadt

do not try to print $$ when it has not been set


# 1.551 09-Sep-2008 henning

welcome pflow(4), a netflow v5 compatible flow export interface.
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo


# 1.550 07-Aug-2008 henning

correctly copy the log interface spec when expanding an antispoof rule that
covers loopback addresses. ok ryan
problem report from Harald Dunkel <harald.dunkel@aixigo.de>


Revision tags: OPENBSD_4_4_BASE
# 1.549 03-Jul-2008 deraadt

do not forget to initialize other member of $$ in qname; noted by mark shroyer
ok henning


# 1.548 10-Jun-2008 mcbride

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt


# 1.547 10-Jun-2008 henning

new state option "sloppy" to use the sloppy tcp state tracker instead
of the good one. ok theo ryan reyk


# 1.546 09-May-2008 deraadt

Replace a crockpot of semi-cloned productions for handling port
numbers with one, and fix a few other bugs along the way
ok mpf henning


# 1.545 09-May-2008 markus

convert port byte order in the production; add port keyword; ok deraadt@


# 1.544 09-May-2008 markus

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@


# 1.543 08-May-2008 deraadt

make "to any" optional in binat, or well, the implied default.
requested by reyk, ok reyk mpf


# 1.542 08-May-2008 deraadt

Loosen grammar to permit any number of newlines within most kinds of { }
blocks, as requested by reyk; ok reyk mpf henning


# 1.541 08-May-2008 deraadt

Bring back (in a more yacc friendly way) support for setting variables
to a sequence of strings and numbers, which get folded together into one
string (and later, when used, is re-lexed)
ok mpf


# 1.540 07-May-2008 deraadt

do not assume PF_INOUT is 0 in the enum; ok mcbride


# 1.539 07-May-2008 markus

scrub packets based on tags; ok henning


# 1.538 07-May-2008 markus

allow setting TOS with scrub; ok mcbride, claudio


# 1.537 21-Apr-2008 deraadt

optnl is a crutch for those who do not understand yacc. it
leads to a variety of errors; ok mcbride


Revision tags: OPENBSD_4_3_BASE
# 1.536 01-Feb-2008 mcbride

Enable the rest of the filter_opts to be used on anchors. These were accepted
by the parser but not passed to the kernel. This allows filtering based on
uid, gid, icmp options, tcp flags, os fingerprint, tos, tags, and probability;
It also allows the label to be set. State options and tagging are not
permitted.

ok henning mpf


# 1.535 13-Nov-2007 mpf

Bring back the number converter for 'set hostid'.
I forgot to think about hex numbers when I removed it.
OK deraadt@


# 1.534 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.533 25-Oct-2007 mpf

Fix probability rules w/ numbers (e.g probability 0.4).
Add support for probabilities of 0% and 100%.
With and OK deraadt@


# 1.532 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.531 22-Oct-2007 deraadt

pfctl does not need file secrecy


# 1.530 16-Oct-2007 mpf

Allow unquoted numbers in variables.
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.

OK deraadt@


# 1.529 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.528 13-Oct-2007 deraadt

support an include directive; file of course must also be "secure" like
the main configuration file; ok henning


# 1.527 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.526 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.525 01-Oct-2007 mpf

Backout NUMBER to string conversion.
Requested by deraadt@


# 1.524 27-Sep-2007 mpf

Add loginterface support for groups.
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.

OK henning@, markus@


# 1.523 23-Sep-2007 mpf

Allow numbers to be used as unquoted strings again.
While there, also restrict the use of concatenated, unquoted
strings for variable assignments only.

Eyeballed by markus@, OK henning@


# 1.522 12-Sep-2007 deraadt

add a missing range check for rtable ids; ok cloder henning


# 1.521 12-Sep-2007 deraadt

Add support to the lex for parsing number out of the stream. handle
this in the parser. because the new numbers are int64_t, many new
range checks for < 0 are needed. re-check and improve all the
existing rangechecks while at it. thanks for help by cloder and
dhartmei


# 1.520 30-Aug-2007 dhartmei

add support for address ranges ("from 10.1.2.50 - 10.1.3.75") in from/to
criteria. ok mcbride@


Revision tags: OPENBSD_4_2_BASE
# 1.519 21-Jun-2007 henning

always initialize logif, from max laier, ok ryan


# 1.518 20-Jun-2007 mpf

Allow "log" for nat rules without "pass".
OK henning@, ``passt scho'' markus@


Revision tags: OPENBSD_4_1_BASE
# 1.517 03-Feb-2007 dhartmei

in decide_address_family(), only limit a rule to a specific address family
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@


# 1.516 07-Nov-2006 mcbride

Unbreak authpf by handling non-inline anchors separately from the { } anchors
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.

ok deraadt@


# 1.515 31-Oct-2006 mcbride

Allow pfctl ruleset optimizer to be controlled from the ruleset.

"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]

You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.

cleanup and ok henning@


# 1.514 31-Oct-2006 mcbride

- don't allow anchors with _* names to be cleared or loaded from the
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified

'looks sensible' deraadt@


# 1.513 28-Oct-2006 mcbride

Load all rules into memory before loading into the kernel, and add support
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").

anchor on fxp0 {
pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@


# 1.512 25-Oct-2006 henning

make absolutely sure logif is 0 unless set specifically, even if log is 0.
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...


# 1.511 25-Oct-2006 henning

and another nit, $$.log should be set to 0 explicitly on quick without log


# 1.510 25-Oct-2006 henning

urgs, $$.quick needs to be set to 0 explicitly on log (without quick)


# 1.509 25-Oct-2006 henning

allow the log interface to be selected like
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride


# 1.508 17-Oct-2006 mcbride

Don't automatically set 'flags S/SA' on stateless rules.

pointed out by david@

ok mpf@ dhartmei@


# 1.507 11-Oct-2006 deraadt

quotes around filename, pr 5253, sthen@zephyr.spacehopper.org


# 1.506 11-Oct-2006 mcbride

Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside
the anchor, terminate ruleset evaluation when stepping out of the anchor.

This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.

ok dhartmei@ henning@ deraadt@


# 1.505 06-Oct-2006 mcbride

Oops, flags S/SA doesn't work on fragments.


# 1.504 06-Oct-2006 mcbride

Make 'flags S/SA keep state' the implicit for filter rules, based on
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.

IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.

Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.

ok dhartmei@ deraadt@ henning@


Revision tags: OPENBSD_4_0_BASE
# 1.503 22-Aug-2006 dhartmei

back out -r1.497 (support for "tagged {}" lists), it broke "tagged" support
for nat rules. sorry, existing functionality trumps syntactic sugar. feel
free to resubmit a complete patch. closes PR 5207.


# 1.502 06-Jul-2006 henning

add "rtable" to select alternate routing tables.
with & ok claudio hshoexer


# 1.501 17-Jun-2006 henning

KNF


# 1.500 28-May-2006 mcbride

Make per-rule adaptive timeouts behave the same way as the global adaptive
timeouts.


# 1.499 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.498 02-May-2006 dhartmei

fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, create
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.


# 1.497 01-May-2006 dhartmei

add support for "tagged {}" lists, from Pierre-Yves Ritschard


# 1.496 06-Apr-2006 henning

allow lists inside lists for address specs, has been in my tree for
quite some time... theo likes


# 1.495 14-Mar-2006 djm

implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@


Revision tags: OPENBSD_3_9_BASE
# 1.494 17-Nov-2005 dhartmei

for pfctl -f rules, open the file before resetting options. when opening
the file fails, produce only the error message and leave options
unchanged. reported by Tamas TEVESZ, ok deraadt@


# 1.493 13-Oct-2005 henning

unused parameters


Revision tags: OPENBSD_3_8_BASE
# 1.492 14-Jun-2005 henning

no need to restrict tagging to stateful rules any more, dhartmei ok
From: "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.491 27-May-2005 dhartmei

get rid of 'log-all'. now that we have 'log (options)', make 'all' an
option to log. so, 'log-all' becomes 'log (all)'.


# 1.490 27-May-2005 dhartmei

get rid of shift/reduce conflicts, don't support empty logopts


# 1.489 27-May-2005 dhartmei

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v is used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.


# 1.488 27-May-2005 dhartmei

allow 'tagged' in 'anchor' rules (without complaining about missing
'keep state'), as a condition to branch into the anchor. suggested
by Bill Marquette.


# 1.487 26-May-2005 camield

The illegalness of "no nat log" is already enforced by the grammar.

ok dhartmei


# 1.486 26-May-2005 dhartmei

support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@


# 1.485 23-May-2005 camield

remove code that duplicates getservice()

ok dhartmei mcbride


# 1.484 21-May-2005 henning

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo


# 1.483 22-Apr-2005 camield

Catch bad flags, ie. flags that always evaluate to false. This happens
if there are flags on the lefthandside that are masked off by the
righthand side.

ok mcbride@ (long time ago) dhartmei@ henning@
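
The check this commit describes (a flag required on the left-hand side but masked off on the right, so the rule can never match) and the "flags S/SA" default from revision 1.504 above both come down to parsing a pf.conf flags spec into a set/mask pair and comparing the two. The code below is an added example, not pfctl's parser: the three accepted spellings a/b, /b and "any" follow pf.conf(5), while the status codes and helper names are this demo's own. Because pf(4) tests (th_flags & b) == a, any bit of a that lies outside b makes the comparison false for every packet, which is exactly what "flags S/A" does.

```c
/*
 * Added example (not pfctl's code): parse a pf.conf "flags" spec and reject
 * one that can never match. The accepted forms a/b, /b and "any" follow
 * pf.conf(5); the status codes and helper names are this demo's own.
 */
#include <stdio.h>
#include <string.h>

/* TCP header flag bits (as in <netinet/tcp.h>), in pf.conf letter order FSRPAUEW. */
#define TH_FIN	0x01
#define TH_SYN	0x02
#define TH_RST	0x04
#define TH_PUSH	0x08
#define TH_ACK	0x10
#define TH_URG	0x20
#define TH_ECE	0x40
#define TH_CWR	0x80

static const char		flagletters[] = "FSRPAUEW";
static const unsigned char	flagbits[] = {
	TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG, TH_ECE, TH_CWR
};

enum { FLAGS_OK = 0, FLAGS_SYNTAX = -1, FLAGS_ALWAYS_FALSE = -2 };

struct flagspec {
	unsigned char	set;	/* flags that must be set ("a" in a/b) */
	unsigned char	mask;	/* flags that are examined ("b" in a/b) */
};

/* Turn "SA" into TH_SYN|TH_ACK; -1 on a letter outside FSRPAUEW. */
int
parse_flags(const char *s)
{
	int bits = 0;
	const char *p;

	for (; *s != '\0'; s++) {
		if ((p = strchr(flagletters, *s)) == NULL)
			return (-1);
		bits |= flagbits[p - flagletters];
	}
	return (bits);
}

/*
 * pf(4) matches a rule when (th_flags & mask) == set. A bit of "set" that
 * is not in "mask" is always 0 on the left, so such a rule never matches.
 */
int
flags_always_false(unsigned char set, unsigned char mask)
{
	return ((set & mask) != set);
}

int
parse_flagspec(const char *spec, struct flagspec *out)
{
	const char *slash;
	char a[16];
	size_t alen;
	int set, mask;

	if (strcmp(spec, "any") == 0) {		/* flags any: examine nothing */
		out->set = out->mask = 0;
		return (FLAGS_OK);
	}
	if ((slash = strchr(spec, '/')) == NULL)
		return (FLAGS_SYNTAX);
	alen = (size_t)(slash - spec);
	if (alen >= sizeof(a))
		return (FLAGS_SYNTAX);
	memcpy(a, spec, alen);			/* "a" may be empty: the /b form */
	a[alen] = '\0';
	if ((set = parse_flags(a)) < 0 || (mask = parse_flags(slash + 1)) < 0)
		return (FLAGS_SYNTAX);
	if (flags_always_false(set, mask))
		return (FLAGS_ALWAYS_FALSE);	/* what pfctl rejects as "flags always false" */
	out->set = set;
	out->mask = mask;
	return (FLAGS_OK);
}

/* Status-only wrapper for quick checks. */
int
check_flagspec(const char *spec)
{
	struct flagspec fs;

	return (parse_flagspec(spec, &fs));
}

int
main(void)
{
	const char *specs[] = { "S/SA", "/SFRA", "any", "S/A", "SX/SA" };
	size_t i;
	int st;

	for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++) {
		st = check_flagspec(specs[i]);
		printf("flags %-6s -> %s\n", specs[i], st == FLAGS_OK ? "ok" :
		    st == FLAGS_SYNTAX ? "syntax error" : "always false");
	}
	return (0);
}
```

A rule that never matches is worse than a syntax error for a firewall: the ruleset loads, the rule is printed back looking plausible, and the traffic it was meant to catch falls through to whatever rule comes next. Rejecting it at parse time is the right place for the check.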


Revision tags: OPENBSD_3_7_BASE
# 1.482 07-Mar-2005 henning

print unsigned long with %lu, not with %d and not with %ld.
From: Andrey Matveev <andrushock@korovino.net>


# 1.481 06-Mar-2005 henning

allow commas in the hfsc service curve spec, inconsistency pointed out in
PR4134 / geoff@collyer.net and a longer mail exchange with han boetes


# 1.480 06-Mar-2005 dhartmei

print "set skip on" with -v in such a way that the output is valid input
syntax, instead of the cryptic hex flags output.


# 1.479 27-Feb-2005 dhartmei

support 'tagged' in translation rules, non-delayed tag lookup
ok henning@, deraadt@


# 1.478 26-Feb-2005 henning

you sure get the impression the number of memory leaks in error paths
is infinite... Andrey Matveev <andrushock@korovino.net> spotted a few again!


# 1.477 07-Feb-2005 david

KNF; ok henning@


# 1.476 28-Jan-2005 dhartmei

add messages for syntax errors that caused silent failure before.
found by Peter Fraser, ok henning@


# 1.475 27-Jan-2005 dhartmei

dynamic interface names must start with a letter. catches the nonsensical
"(10.1.2.3)" that results from a simple typo like "$(ext_ip)" instead of
"$(ext_if)".


# 1.474 05-Jan-2005 mcbride

Modify pfctl behaviour so that 'set ...' options are no longer "sticky", ie.
they are reset to default values if omitted from a subsequent ruleset load.
Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set
without resetting the others, eg:
# echo "set loginterface fxp0" | pfctl -mf -

ok henning@ dhartmei@


# 1.473 29-Dec-2004 mcbride

Print 'set fingerprints' correctly when parsing verbosely.


# 1.472 23-Dec-2004 dhartmei

set rule_flag PFRULE_SRCTRACK when setting srctrack, found by camield@
using regress test pf84


# 1.471 22-Dec-2004 dhartmei

Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@


# 1.470 15-Dec-2004 henning

missing free()s; with pat


# 1.469 10-Dec-2004 henning

allow pf to filter on route labels
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan


# 1.468 08-Dec-2004 mcbride

Add "'overload' requires 'max-src-conn' or 'max-src-conn-rate'" sanity check,
fix some cut-n-paste mayhem in other related checks.


# 1.467 07-Dec-2004 dhartmei

re-commit mcbride@'s 'flush global', this time without the breakage in
pfvar.h. builds kernel and userland.


# 1.466 07-Dec-2004 deraadt

real backout


# 1.465 07-Dec-2004 deraadt

oops, incomplete backout


# 1.464 07-Dec-2004 deraadt

tree does not compile, spotted by dlg (not obvious how to fix)
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.463 07-Dec-2004 mcbride

Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.462 05-Dec-2004 dhartmei

initialize $$->tail and $$->next for MAXSRCCONNRATE


# 1.461 04-Dec-2004 mcbride

Userland support for limiting open tcp connections per source. eg:

keep state (max-src-conn 1000, max-src-conn-rate 100/10, overflow <bad> flush)

allow a maximum of 1000 open connections or 100 new connections in 10 seconds.
The addresses of offenders are added to the <bad> table which can be used in
the ruleset, and existing states from that host are flushed.

ok deraadt@ dhartmei@


# 1.460 21-Sep-2004 aaron

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok


Revision tags: OPENBSD_3_6_BASE
# 1.459 29-Jun-2004 henning

remove cedric's bogus interface name verification code.
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nice enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being bugged about it regularly.
help & ok mcbride@


# 1.458 29-Jun-2004 frantzen

convert a few memcpy()s to strlcpy() so we don't copy uninitialized junk into
an interface name's slack space past the \0. will be needed for the optimizer.
ok henning@


# 1.457 26-Jun-2004 david

add back PF_INOUT, fixes reassemble tcp
ok canacar@ mcbride@


# 1.456 25-Jun-2004 deraadt

repair tree nanobreak by the nanobum


# 1.455 10-Jun-2004 dhartmei

rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
keyword in C++. ok henning@, cedric@


# 1.454 21-May-2004 dhartmei

Use '/' instead of ':' as separator for anchor path components. Note that
the parser now needs quotes around paths containing separators.
ok mcbride@


# 1.453 19-May-2004 dhartmei

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@


# 1.452 24-Apr-2004 cedric

Add "probability xxx" rule modifier. ok deraadt@


# 1.451 22-Apr-2004 henning

typo, From: Jared Yanovich <jjy2+@pitt.edu>


# 1.450 14-Apr-2004 cedric

make antispoof work with dynamic addresses. ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_5_BASE
# 1.449 20-Mar-2004 david

spelling fix; ok dhartmei@ henning@ deraadt@


# 1.448 14-Mar-2004 dhartmei

#include fixes, from Max Laier, ok beck@ henning@


# 1.447 08-Mar-2004 henning

plug 124 memory leaks
ok mcbride@ pb@ dhartmei@


# 1.446 06-Mar-2004 henning

from bgpd:
plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. err(1, "yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.445 01-Mar-2004 dhartmei

support "tagged <name>" on anchor rules, suggested by vd@vmunix.lt,
ok henning@, cedric@


# 1.444 24-Feb-2004 mcbride

'max-src-nodes' requires 'source-track rule'. Set that automatically,
unless 'source-track global' is explicit, in which case error out. Lots of
help from cedric@.

ok cedric@ henning@


# 1.443 24-Feb-2004 cedric

fixup.


# 1.442 24-Feb-2004 mcbride

Check for 'source-track rule' with 'max-src-nodes'.

ok cedric@ henning@


# 1.441 11-Feb-2004 cedric

Fix interface clobbering for link-local addresses. Found by Pyun YongHyeon.
Fix "antispoof for foo" when foo has no addresses.
ok+help dhartmei@, ok mcbride@


# 1.440 10-Feb-2004 henning

KNF


# 1.439 10-Feb-2004 henning

fix at least the worst of Cedric "KNF is for everybody but me" Berger's fuckup


# 1.438 04-Feb-2004 mcbride

Handle rules like 'pass ... proto { tcp udp icmp } ... modulate state'

ok dhartmei@ henning@


# 1.437 03-Feb-2004 henning

fix PR 3664 / jared r r spiegel
we need to save the unexpanded tag/tagged strings before entering the
expansion loop, and at each loop, start with the unexpanded tag, so that
on subsequent loops the macros are replaced with current values and not
the values from previous loop persist
ryan theo ok


# 1.436 05-Jan-2004 henning

few off by ones in strlcpy overflow check; Patrick Latifi


# 1.435 04-Jan-2004 cedric

don't ignore "!" on "binat on !foo". ok mcbride@


# 1.434 31-Dec-2003 deraadt

spacing. note this, cedric


# 1.433 31-Dec-2003 cedric

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now support multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@


# 1.432 30-Dec-2003 henning

fix TAILQ abuse.
TAILQ_REMOVE is a no-no within a TAILQ_FOREACH loop.
also free the symbol itself after removal.
all found while hacking bgpd which incorporates pfctl's sym code (macros).

ok cedric@


# 1.431 19-Dec-2003 henning

i wrote much of these, assert my copyright


# 1.430 19-Dec-2003 deraadt

assert copyright. i rewrite much of this


# 1.429 16-Dec-2003 mcbride

Check that max-src-states and max-src-nodes are not being set to 0.


# 1.428 15-Dec-2003 henning

KNF here too


# 1.427 15-Dec-2003 mcbride

Whitespace.


# 1.426 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


# 1.425 15-Dec-2003 mcbride

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@


# 1.424 29-Nov-2003 dhartmei

allow ':' (range including boundaries) to be used wherever '><' (range
excluding boundaries) is legal. already supported by kernel, requires only
removal of three error messages. ok henning@


# 1.423 22-Nov-2003 henning

daniel stumbled over a broken regress test, and it turned out that I forgot
to commit a diff from 11/6...
do not insert the "block in on ! interface" rule for antispoof statements when
the interface in question does not have any IP address, because that then
expands to
block in on ! interface all
which is obviously bad.
niklas@ found it, dhartmei@ ok, and I think some more ppl ok I don't remember


# 1.422 14-Nov-2003 henning

allow the debuglevel to be set from pf.conf (set debug)

ok cedric@


# 1.421 08-Nov-2003 mcbride

Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.

pass in proto tcp to self flags S/SA keep state (no-sync)

ok cedric@ henning@ dhartmei@


# 1.420 06-Nov-2003 henning

and fix two err() that should be errx() while being here


# 1.419 06-Nov-2003 henning

need calloc here


# 1.418 06-Nov-2003 henning

allow the label macros to be used in tags as well.
the idea is not mine and I'd love to give credit, but I cannot find the mail
any more :-((

ok canacar@ dhartmei@


# 1.417 21-Oct-2003 itojun

don't use NULL as (int)0. henning ok


# 1.416 26-Sep-2003 cedric

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:

- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK

Ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_4_BASE
# 1.415 01-Sep-2003 henning

KNF


# 1.414 28-Aug-2003 kjell

This change is busted. what's worse, REGRESSION TESTS WOULD HAVE CAUGHT IT!
You MUST test network stack changes on BOTH BYTE-ORDERS.
Someone can fix this later, but right now I need to get the damn
firewall up. Grr.


# 1.413 26-Aug-2003 dhartmei

catch port/user/group a <>/>< b with a >= b, from mpech@


# 1.412 25-Aug-2003 dhartmei

catch return-rst ttl values > 255, from aaron@


# 1.411 24-Aug-2003 cedric

Tweaks:
- Make sure we allow only tables in round-robin pools for routing options,
same as what we do for translation rules.
- Don't reject rules like: "nat on sis0 -> <foo>" because
"no address family is given". This is perfectly valid.
ok henning@


# 1.410 22-Aug-2003 david

pf spelling police
ok dhartmei@ jmc@


# 1.409 21-Aug-2003 frantzen

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001


# 1.408 20-Aug-2003 henning

braindeadness police: catch queues which specify themselves as child... 'nuff said


# 1.407 20-Aug-2003 henning

err out nicer on errors in queue def


# 1.406 18-Aug-2003 dhartmei

catch max-mss values > 65535, report by Gregory Steuck


# 1.405 09-Aug-2003 cedric

This patch removes the restriction that tables cannot be used in routing or
redirection rules...

The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.

This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.

Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"

ok henning@ mcbride@


# 1.404 29-Jul-2003 deraadt

indent


# 1.403 19-Jul-2003 cedric

Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
instead of indirectly through struct pf_rule_addr.

Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.

Needless to say: KERNEL/USERLAND SYNC REQUIRED.

ok henning@ mcbride@


# 1.402 18-Jul-2003 cedric

Simplify handling of flags (-R, -N...). Remove PFCTL_FLAG_ALL.
ok dhartmei@


# 1.401 15-Jul-2003 cedric

Repair memory management in table parsing code.
I need vacations.
Found and verified by Pyun YongHyeon.
ok dhartmei@


# 1.400 14-Jul-2003 dhartmei

tpo


# 1.399 11-Jul-2003 cedric

Better parsing and -v support for tables:

- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and bring table definition consistent with other
parsed rules.

ok dhartmei@


# 1.398 10-Jul-2003 cedric

Fix merging of host lists.
ok dhartmei@ henning@


# 1.397 04-Jul-2003 henning

KNF after cedric (grmpf)


# 1.396 04-Jul-2003 henning

allow for a "pass" modifier on translation rules:
nat pass on $ext_if from $a to $b -> $ext_if
when the pass modifier is given, the filter ruleset is _not_ evaluated but
the packets matching this translation rule are passed unconditionally.

ok dhartmei@ cedric@ markus@


# 1.395 03-Jul-2003 cedric

Bye bye atexit(), bye bye globals...
The pfctl.c part will probably need some further improvements.
ok henning@


# 1.394 03-Jul-2003 cedric

This patch finally cleans up pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@


# 1.393 19-Jun-2003 deraadt

knf


# 1.392 18-Jun-2003 henning

change expand_label_addr() to use a switch (h->addr.type) instead of
if .. else if .. else, and handle PF_ADDR_NOROUTE as well.
inspired by a comment from cedric.


# 1.391 18-Jun-2003 henning

when expanding the $srcaddr/$dstaddr label macros and the address is actually
a table reference, don't print nonsense but the table name.
found by claudio jeker, fix by me, agreement by cedric


# 1.390 09-Jun-2003 mcbride

Attempt to resolve byte order confusion in nat code once and for all.

- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()

NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.


# 1.389 25-May-2003 henning

must not run check_netmask() before remove_invalid_hosts() - binat case had it
wrong for the redirection target.
reported by jared r r spiegel <jrrs@ice-nine.org>


# 1.388 19-May-2003 henning

reject invalid netmasks like 10.0.0.0/68, and fix up the netmask for
dynaddr rules after we know the address family

ok dhartmei@, inspired by a session with bob


# 1.387 19-May-2003 henning

all host() receivers have to test for NULL


# 1.386 19-May-2003 henning

if host() returns NULL, it is an error, so err the fuck out and don't
load bullshit


# 1.385 17-May-2003 henning

support inverse matching on tags like
block in ! tagged sometag

ok dhartmei@ pb@


# 1.384 16-May-2003 dhartmei

TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive end-
point, preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@


# 1.383 15-May-2003 henning

properly complain about too long tags


# 1.382 14-May-2003 frantzen

add scrub modifier "reassemble tcp" to turn on stateful TCP normalizations
ok henning@ dhartmei@


# 1.381 14-May-2003 henning

tagging on binat


# 1.380 14-May-2003 henning

enabled tagging on rdr rules


# 1.379 14-May-2003 henning

with tag/tagged given, only whine about missing keep state on pass rules


# 1.378 14-May-2003 frantzen

allow SCRUB rules to specify protocol again. broken sometime in the past.
okie dhartmei@, yay pb@


# 1.377 14-May-2003 henning

tags on nat rules:
nat on $ext_if all tag humppa -> $ext_if
pass out tagged hummpa keep state


# 1.376 13-May-2003 henning

make sure tagging is only ever used with stateful filter rules


# 1.375 13-May-2003 henning

userland part for tagging.
it's now possible to tag packets with an arbitrary tag and filter based on
that tag later on other interfaces:
pass in quick on fxp0 keep state tag blah
pass out quick on wi0 keep state with tag blah
can be used to express trust between interfaces, to distinguish between
NATed connections and connections originating from the firewall itself
and much more

ok dhartmei@ frantzen@ pb@ mcbride@


# 1.374 11-May-2003 mcbride

Don't ntohs() the translation port for nat as it is already in host byte order.
Makes nat ... -> $ext_if port 500 rules work correctly again.

ok henning@ dhartmei@ frantzen@


# 1.373 10-May-2003 henning

support loading of anchors from within the main ruleset via
load anchor anchorname:rulesetname file /path/to/file

ok pb@ dhartmei@ cedric@


# 1.372 03-May-2003 henning

don't free() the char * carrying the rule label too early
noticed by Mathieu Sauve-Frankel <m.sauve at secureops.net> via silc


# 1.371 01-May-2003 henning

ease label handling

ok cedric@


# 1.370 01-May-2003 henning

allow label on antispoof; requested by Gregor Binder <gbinder at sysfive.com>

ok cedric@


# 1.369 30-Apr-2003 cedric

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@


# 1.368 25-Apr-2003 dhartmei

Properly copy the second part of nat proxy port range, when specified.
ok henning@


# 1.367 15-Apr-2003 henning

pass down the unparsed queue opts (struct node_queue_opt) to
print_altq/print_hfsc -> print_hfsc_opts and extract struct node_hfsc_sc
there for each service curve and pass those down to print_hfsc_sc. now
bandwidth specifications in the service curves are printed correctly in the
case of a queue belonging to more than one interface/parent queue, the
parent queues having different bandwidths and the bandwidth on the service
curve being specified in percent.


# 1.366 14-Apr-2003 henning

let print_altq and print_queue take a struct node_queue_bw parameter instead
of distinct bw_percent


# 1.365 13-Apr-2003 henning

KNF


# 1.364 13-Apr-2003 henning

prevent double service curve specification


# 1.363 13-Apr-2003 henning

add support for the HFSC linkshare, realtime, and upperlimit service curves
to be specified.


# 1.362 13-Apr-2003 dhartmei

unbreak (missing })


# 1.361 13-Apr-2003 henning

say bye bye to hfscflags_list and hfscflags_item
welcome hfscopts_list and hfscopts_item, returning a full struct
node_hfsc_opt instead of just an int for the flags. needed because of all
the opts hfsc knows


# 1.360 13-Apr-2003 henning

new struct node_hfsc_opts for, surprise, hfsc options. needed because they
contain bandwidth specifications and we need to carry the unprocessed bw
specs around for quite some time until we can break them down to absolute
values.


# 1.359 13-Apr-2003 henning

pass down the struct node_queue_opts from the altqif/queuespec yacc targets
to expand_altq/expand_queue -> eval_pfaltq/eval_pfqueue and
further down to the new eval_queue_opts() instead of evaluating them directly
in the yacc grammar.
this will be needed to process the hfsc options which can contain relative
bandwidth specifications, and we can't break them down to an absolute one
earlier.


# 1.358 13-Apr-2003 henning

move the structs node_queue_bw and node_queue_opt to pfctl_parser.h.
let eval_pfqueue() and eval_pfaltq() take a pointer to a struct
node_queue_bw instead of two distinct bw_absolute and bw_percent parameters.


# 1.357 13-Apr-2003 henning

move the bandwidth keyword from within the bandwidth target up to the
queue_opts target so the bandwidth parser can be used for other things too;
will be needed for hfsc's linkshare etc


# 1.356 12-Apr-2003 henning

initial support for the HFSC scheduler.
whoever uses that for more than toying around is on drugs. it's far from done.


# 1.355 11-Apr-2003 henning

KNF


# 1.354 11-Apr-2003 henning

don't set r->qid and r->pqid in expand_rule any more, queue name -> queue ID
mapping is done in kernel land now


# 1.353 07-Apr-2003 dhartmei

Catch and refuse invalid icmp codes (> 255). ok pb@, mpech@.


# 1.352 05-Apr-2003 henning

ease netmask handling a bit

input theo, ok dhartmei@


# 1.351 05-Apr-2003 henning

allow queue specs to be limited to certain interfaces.

altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two }
queue one priority 1 priq(default)
queue two on $if0 priority 15
queue two on ! $if0 priority 0

ok dhartmei@


# 1.350 05-Apr-2003 henning

whitespace KNF


# 1.349 04-Apr-2003 henning

clean up:
instead of letting the lexer interpret '<' '>' '=' '>=' '<=' and return them
as PF_OP_LT, PF_OP_GT etc etc etc in PORTUNARY, just let the lexer return
'<' '>' and '=' literally, and in the few cases where the old PORTUNARY was
really used like originally intended, replace that by a new unaryop yacc
target. in all other cases that gets rid of quite some checks whether PORTUNARY
is really < and nothing else etc etc etc.

ok cedric@ deraadt@


# 1.348 27-Mar-2003 henning

lotsa const char *
from David Hill <david at phobia.ms> a while ago


# 1.347 27-Mar-2003 henning

introduce a "yesno" target. eases code a bit and yes is no keyword any more.


# 1.346 27-Mar-2003 henning

handle invalid priq/cbq flags better and give a nice error message


# 1.345 27-Mar-2003 henning

default, borrow, ecn, red and rio are no keywords any more. use STRING and
strcmp instead.


# 1.344 27-Mar-2003 henning

switch symset/symget to TAILQ instead of using hand baked lists

ok dhartmei@ cedric@


Revision tags: OPENBSD_3_3_BASE
# 1.343 19-Mar-2003 henning

branches: 1.343.2;
kill the address token and move the host() invocation up to the host token,
so that host() always gets the full address to be parsed including the
netmask instead of applying the netmask afterwards. this could break some
edge cases and was broken since the (interface)/24 fix.
new token dynaddr for, well, dynaddr, and apply an eventually given netmask
afterwards in the host token just in this case.

found after bug report From: Julien Bordet <zejames@greyhats.org> via dhartmei

ok daniel cedric


# 1.342 10-Mar-2003 henning

correctly cope with errors returned by eval_pfqueue and pfctl_add_altq

ok dhartmei@ pb@ (as part of... you know, monsterdiff)


# 1.341 10-Mar-2003 henning

when complaining about a queue without parent, include the queue name in
the error message

ok dhartmei@ pb@ (as part of a monsterdiff)


# 1.340 09-Mar-2003 henning

cope with LOOP_THROUGH modifying the list (queues).
in case of an error in the queue def in question the queues list remains
unmodified, but the LOOP_THROUGH caused a mod anyway, and the list can stay
empty. subsequent checks for NULL which check for an empty list fail then.
fix by adding an explicit check before looping.
fixes regress pfail31
error report by Kamil Andrusz via pb@, testcase from pb@
ok dhartmei@


# 1.339 09-Mar-2003 henning

cope with the fact that LOOP_THROUGH loops once even if the list is empty by
moving the addition of child queues a bit down after the successful
addition of the current queue and an explicit NULL check before looping.
fixes regress pf59
found by kjc@
ok kjc@ cedric@ dhartmei@


# 1.338 08-Mar-2003 henning

fix the obvious:
since we do not modify the struct pf_altq *a any more but our private copy,
we can of course not inherit the scheduler type from it, since it did not
inherit the scheduler type from the parent.
so just inherit the scheduler type from the parent directly...

ok dhartmei@ cedric@


# 1.337 08-Mar-2003 henning

in expand_queue, make a private copy of the struct pf_altq before modifying
it. modifying the original one had undesired side effects if a queue was
expanded to more than one because it belonged to more than one interface

ok pb@ cedric@ dhartmei@


# 1.336 06-Mar-2003 henning

fix queue assignment on filter rules which are not bound to an interface.
when looking up the queue IDs using qname_to_qid, we do not need to limit
the matching on the interface in question, as it is guaranteed that same
named queues on different interfaces have the same queue id. moreover, we
must not limit the matches to the interface if we do not have an interface
given on the filter rule to match on ;-)

found after problems reported by Andre Nathan <andre at v2r dot com dot br>

ok dhartmei@ pb@ cedric@


# 1.335 02-Mar-2003 henning

when printing queues at load time that have bandwidth specified in percent,
print the bandwidth in percent instead of the calculated absolute value.
if a queue belongs to more than one interface and they have different
bandwidth the calculated absolute is of course different per interface.
previously the first calculated absolute value was shown, which of course is
incorrect on the second interface. note that only the print was wrong, the
correct values were passed to the kernel.

ok theo daniel


# 1.334 02-Mar-2003 henning

remove the control keyword for cbq queues.
the control class was a legacy of the original CBQ design by LBL/Sun
to support RSVP.
the control class is not used in openbsd, in the sense that
we don't automatically set filters for ICMP/IGMP/RSVP for the control
class.

ok dhartmei@ kjc@ deraadt@


# 1.333 27-Feb-2003 david

modify error message to match the same 7 sections in pf.conf(5)
ok deraadt@ henning@


# 1.332 26-Feb-2003 henning

in expand_rule, correctly set r->pqid if a priority queue was defined, and
reuse the value of r->qid if not.

ok dhartmei@ mcbride@


# 1.331 25-Feb-2003 henning

some minor KNF my fingers just did...

ok dhartmei@ cedric@


# 1.330 25-Feb-2003 cedric

repair/simplify/flexify binat userland.
ok dhartmei@ henning@


# 1.329 24-Feb-2003 henning

when a macro is redefined, don't bother with reusing the existing entry in
symset() but just prepend a new sym entry to symhead like we always did. as
symget searches the list sequentially, the newest one is picked first.
prevents an endless loop introduced when trying to reuse the existing entry
by an invalid setting for the next pointer.
fixes regress test pf57.

found after conversation with Chris Linn, celinn at mtu dot edu

ok dhartmei@ cedric@


# 1.328 21-Feb-2003 henning

re-allow set loginterface none
ok cedric@ dhartmei@


# 1.327 21-Feb-2003 henning

better error message if set loginterface is called with nonexistent
interface, found by krause (who is doing EXCELLENT work. Thank you very
much!), fix by me, ok dhartmei@ and cedric@


# 1.326 20-Feb-2003 henning

reject nonexistent interfaces in the dynaddr case, noticed during discussion
with jasondixon at myrealbox dot com

ok dhartmei@


# 1.325 19-Feb-2003 dhartmei

Make 'from (kue0)/24' work again (dynamic interface name translation with
a /prefix), reported by Jason Dixon. ok henning@


# 1.324 19-Feb-2003 henning

better error message on icmp version / address family mismatch

ok markus@


# 1.323 18-Feb-2003 henning

fix load option handling (-A, -N, -R) for options.
due to a bug in the loadopt check options were always loaded no matter which
loadopts were specified.
while being there, move the prints for that to where they belong, into the
appropriate pfctl_set_* functions, and thus only print when the options are
actually loaded.
fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier.

ok dhartmei@


# 1.322 17-Feb-2003 henning

"optarg" was a bad pick for the variable name in pfctl_cmdline_symset, it
shadows a global. rename.


# 1.321 17-Feb-2003 mpech

-#include <sys/ioctl.h>

mcbride@, dhartmei@ ok


# 1.320 16-Feb-2003 henning

unneeded {}


# 1.319 16-Feb-2003 henning

throw a syntax error if the portunary operator in varset is no '='
extif>"whatever"
should not be the same as
extif="whatever"
but a syntax error.


# 1.318 14-Feb-2003 dhartmei

Allow route-to loopback interfaces again, since Ryan fixed the loops that
might have occurred before.


# 1.317 14-Feb-2003 cedric

Better and more consistent error message.
Ok dhartmei@


# 1.316 13-Feb-2003 henning

ease the yacc a bit by using a "not" rule instead of having two rules w/ and
without '!' everywhere

ok dhartmei@


# 1.315 12-Feb-2003 henning

KNF after ryan


# 1.314 12-Feb-2003 mcbride

Simplify the code and make the parser handle the different rule types
more consistently.

- Merge expand_nat and expand_rdr into expand_rule
- Merge rdrrule token into natrule

ok concept henning@
ok dhartmei@


# 1.313 11-Feb-2003 henning

allow macro definition on the command line:
pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea
theo), very handy if your notebook has another NIC at some conference, as
well as for debugging etc.
idea rezine@mistrusted.net via pb@
hacked live at FOSDEM

ok pb@ dhartmei@ cedric@


# 1.312 09-Feb-2003 henning

more live code from FOSDEM:
make
pass in proto tcp to port 80
work.
-allow to omit the "any" if you're specifying a port
-allow to omit the from or to part if you want "any" for the other

ok dhartmei@ pb@


# 1.311 09-Feb-2003 henning

KNF


# 1.310 09-Feb-2003 camield

Fix a few warnings and remove unnecessary check and cast.

ok dhartmei henning


# 1.309 08-Feb-2003 dhartmei

Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@


# 1.308 05-Feb-2003 cedric

Fix "pass out dup-to (tun0 1.1.1.1) inet6 all" error message
Allow "pass out dup-to tun0 all"
ok mcbride@ henning@


# 1.307 05-Feb-2003 mcbride

Set the network mask to all 1's if no address is specified for a
route-to/dup-to/reply-to rule. Keeps round-robin from incrementing through
the entire address space.

ok dhartmei@


# 1.306 03-Feb-2003 deraadt

pretty


# 1.305 03-Feb-2003 dhartmei

Don't allow loopback interfaces as route/reply/dup-to targets. ok henning@


# 1.304 03-Feb-2003 cedric

remove loadopt global definition and cleanup a bit.
ok henning@


# 1.303 03-Feb-2003 henning

fix a problem with queue definitions when load options (like -N etc) are
given; they used to check for their parent interface/queue even in this
case.

ok dhartmei@ cedric@


# 1.302 02-Feb-2003 henning

there is no need to pass opts to parse_rules explicitly; it's passed as
part of the struct pfctl.


# 1.301 27-Jan-2003 deraadt

KNF


# 1.300 25-Jan-2003 mcbride

Match changes for rdr port ranges made to pf.c:
- fixes behaviour of rdr on le0 from foo to bar port 1:20 -> (lo0) port 22
- makes calculated mapping more explicit for the -> (lo0) port 22:* case

testing from dhartmei@

ok dhartmei@


# 1.299 25-Jan-2003 cedric

Fix NOACTION with table statements.


# 1.298 25-Jan-2003 cedric

Permit initialisation of a table content from a file in pf.conf.
Cleaning up of the table options parsing, more flexible.
idea+cleanup deraadt@, ok dhartmei@, passes all regress tests.


# 1.297 25-Jan-2003 cedric

Correctly check illegal constructs with tables. Better error messages.
ok dhartmei@ passes all regress tests.


# 1.296 25-Jan-2003 henning

if a table name is too long, it's actually nice to tell so instead of just
aborting with a syntax error


# 1.295 20-Jan-2003 camield

Remove unused argument from print_name() and fix two other nits
found by lint.

ok henning


# 1.294 19-Jan-2003 camield

Spin off label string expansion into a separate function. Clarifies
and tightens all expand_label functions.

ok dhartmei henning


# 1.293 18-Jan-2003 henning

KNF after ryan...


# 1.292 18-Jan-2003 mcbride

Add missing token string and assignment to make static-port work for real.

Diff and report courtesy of mpech@ and form@

ok dhartmei@


# 1.291 17-Jan-2003 camield

bandwith -> bandwidth

YYERROR on failed parseicmpspec()

ok dhartmei mcbride henning


# 1.290 15-Jan-2003 mpech

Typo in yyerror().

henning@


# 1.289 14-Jan-2003 henning

unified IP parser:
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h]
-extend host() to handle /mask itself, plus minor adjustments
-use that in pfctl_table.c instead of coding the same shit again

discussed w/ cedric@
ok cedric@ dhartmei@


# 1.288 13-Jan-2003 camield

err() on all memory allocation failures

ok henning dhartmei


# 1.287 11-Jan-2003 mcbride

Whitespace KNF


# 1.286 09-Jan-2003 henning

no need for explicit numbering in enums

ok dhartmei@


# 1.285 09-Jan-2003 dhartmei

Check return values on the remaining strlcpy/strlcat. ok henning@


# 1.284 09-Jan-2003 henning

minor KNF


# 1.283 09-Jan-2003 cedric

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@


# 1.282 08-Jan-2003 deraadt

check more strlcpy; camield@


# 1.281 07-Jan-2003 dhartmei

Allow underscore at the beginning of strings, fixes
pass all user _spamd
which was refused as syntax error before. Reported by Joe Nall.
ok henning@


# 1.280 07-Jan-2003 dhartmei

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@


# 1.279 06-Jan-2003 mcbride

Fix some oversights with address pools for route-to/dup-to/reply-to
- copy key for src-hash
- copy pool type (pools were being set to round-robin in all cases)

+ some minor knf.

ok dhartmei@


# 1.278 05-Jan-2003 henning

err after calloc failure, not errx


# 1.277 05-Jan-2003 dhartmei

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@


# 1.276 04-Jan-2003 dhartmei

move noroute from flag in pf_rule_addr into type in pf_addr_wrap.
ok henning@, mcbride@


# 1.275 04-Jan-2003 deraadt

I do not know where this policy of "one .h file for every .c file" comes
from, but whoever thought of it is stupid.


# 1.274 03-Jan-2003 dhartmei

whitespace KNF (no, i don't touch the option inits)


# 1.273 03-Jan-2003 cedric

Bring in userland code for accessing PF radix tables.
ok dhartmei@ mcbride@


# 1.272 02-Jan-2003 mcbride

Require a direction to be specified for rules which do routing.

ok dhartmei@ henning@


# 1.271 30-Dec-2002 mcbride

Change ipv6-icmp-type to icmp6-type. pf.conf files will need to be adjusted
to reflect this.

ok dhartmei@ henning@


# 1.270 27-Dec-2002 mcbride

Since pf_norm.c looks at rule.log to see if it should log packets being
dropped due to scrub violations, this adds the ability to set this in
pf.conf.

ok henning@


# 1.269 21-Dec-2002 henning

always initialize rpool.key; diff from Frank Denis; KNF by me


# 1.268 21-Dec-2002 henning

KNF


# 1.267 20-Dec-2002 dhartmei

remove a redundant assignment.


# 1.266 19-Dec-2002 dhartmei

fix 'no rdr'.


# 1.265 18-Dec-2002 henning

more KNF


# 1.264 18-Dec-2002 dhartmei

proto list expansion is not supported in binat-anchor yet, print an error
when attempted.


# 1.263 18-Dec-2002 dhartmei

Support (single) destination port in rdr-anchor rules. Print an error
where parameters are not supported (in rdr-anchor and binat-anchor) yet.
If those are needed, we'll have to expand them properly.


# 1.262 18-Dec-2002 deraadt

fix some INCREDIBLE new bugs which were introduced


# 1.261 17-Dec-2002 henning

add support for the PRIQ scheduler

partially from kjc@

ok kjc@ dhartmei@


# 1.260 17-Dec-2002 mcbride

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule

ok dhartmei@ henning@


# 1.259 17-Dec-2002 henning

missing break in switch


# 1.258 17-Dec-2002 henning

beautify the %type block


# 1.257 17-Dec-2002 henning

PRIQ and HFSC support functions, not yet used.
mostly from kjc@ with adjustments by me.

ok theo ryan daniel


# 1.256 16-Dec-2002 henning

only create a root queue if scheduler = cbq


# 1.255 16-Dec-2002 henning

get full [scheduler]_opts struct instead of just .flags, and wrap it into a
switch (scheduler) statement in one case

inspired by kjc@


# 1.254 13-Dec-2002 henning

allow a second queue for higher prioritized (currently: tos=lowdelay) packets
to be specified per rule

queue (qname, priorized_qname)

idea dhartmei
ok dhartmei@ frantzen@ deraadt@


# 1.253 13-Dec-2002 henning

a bit of KNF, originally part of another diff soon to come; frantzen@ correctly
pointed out that it should be a separate commit.


# 1.252 13-Dec-2002 deraadt

permit re-ordering of some scrub parameters, and also clean up some other
grammar baloney; henning ok


# 1.251 12-Dec-2002 henning

KNF


# 1.250 12-Dec-2002 henning

we don't need to keep a private copy of the queue name in expand_rule,
r->qname is never modified

discussed with dhartmei@


# 1.249 11-Dec-2002 mcbride

Replace strncpy + ugly pointer math with sscanf for reading source-hash keys

ok dhartmei@ henning@


# 1.248 09-Dec-2002 dhartmei

(properly guarded) strcpy() -> strlcpy()


# 1.247 09-Dec-2002 deraadt

do not allow redefinitions in variable option blocks; henning ok


# 1.246 08-Dec-2002 henning

strncpy is evil.


# 1.245 08-Dec-2002 henning

allow flexible options order like Theo did for rules.

idea, lots of input, motivation and ok deraadt@

ATTENTION:
this changes the syntax. the "scheduler" keyword is gone now.
old: altq on $interface scheduler cbq ...
new: altq on $interface cbq ...


# 1.244 07-Dec-2002 dhartmei

Support parameters in anchor rules. Allows conditional evaluation, like:

anchor spews inet proto tcp from any to any port smtp

ok deraadt


# 1.243 07-Dec-2002 henning

more KNF


# 1.242 07-Dec-2002 henning

KNF


# 1.241 07-Dec-2002 henning

shadow cleanup

ok mcbride@ frantzen@


# 1.240 07-Dec-2002 henning

kill an unused param to lungetc


# 1.239 07-Dec-2002 mcbride

Convert the hash of a string key to network byte order. Makes regression
work on all platforms.

Bug found by dhartmei@

ok dhartmei@ henning@


# 1.238 06-Dec-2002 dhartmei

Remove negated address list check again, doesn't work right yet.


# 1.237 06-Dec-2002 dhartmei

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@


# 1.236 05-Dec-2002 henning

fix a small cosmetic problem. if ifa_lookup was called in LOOKUP_NET mode,
it would return things like 127.0.0.1/8. when 127.0.0.1/8 is passed through
the new selftests, it becomes 127.0.0.0/8.
fix: instead of just copying addr.mask in ifa_lookup, use set_ipmask, so it
is 127.0.0.0/8 from the beginning on.


# 1.235 05-Dec-2002 henning

-quote varset in -v output
-don't add 's' in set timeout -v output

makes the feedback regression tests succeed.

ok markus@ mcbride@


# 1.234 04-Dec-2002 henning

in host(), apply a given netmask to all members of the node_host list
returned by ifa_lookup().

reported by Alejandro G. Belluscio

ok dhartmei@


# 1.233 04-Dec-2002 deraadt

do not warn for unused variables except with -v -v; henning ok


# 1.232 02-Dec-2002 henning

KNF


# 1.231 02-Dec-2002 deraadt

permit more flexible pass/block lines. the options given at the end of
a line can now be placed in any order, and some merging of duplicate options
is also done. this is easier to use.


# 1.230 02-Dec-2002 henning

allow for "altq on $interface" without specifying a bandwidth. The
interface's bandwidth is taken then.
as a side-effect, "altq on $interface bandwidth xx%" is also possible now,
it's relative to the interface's bandwidth then.

ok theo


# 1.229 30-Nov-2002 mickey

move damn unmask() proto into place as well


# 1.228 29-Nov-2002 henning

coredumps are not nice.
deal with the fact that when we are merging the lists in host_list both can
be NULL.
found at EuroBSDCon 2002 while I was explaining the expansion process to
Paul de Weerd

ok dhartmei@


# 1.227 29-Nov-2002 henning

print queuespec only once in verbose mode, even if referenced more often


# 1.226 29-Nov-2002 henning

FREE_LIST nqueues later; can be used more than once


# 1.225 28-Nov-2002 henning

allow qlimit on altq spec


# 1.224 28-Nov-2002 mcbride

- Adjust to match replacement of md5 with pf_hash
- Allow keys to be specified in hex (must be 128 bits, mainly to make
pfctl -v output parseable by pfctl) or as a string. Randomly generate key
if one is not specified.

Suggestions and fixes from camield@

ok mickey@ camield@ henning@


# 1.223 27-Nov-2002 henning

handle the "no bandwidth specified" case earlier and easier.


# 1.222 27-Nov-2002 henning

-use a #define for default qlimit instead of hardcoding it
-print qlimit in print_queue if it is not the default one
-assign the default qlimit early in the parser instead of using 0


# 1.221 27-Nov-2002 henning

next round in print fixes:
-only print priority if it is not equal to the default one
-space handling overhaul


# 1.220 27-Nov-2002 henning

use a #define for default priority instead of hardcoding it


# 1.219 27-Nov-2002 henning

fix tbrsize spec


# 1.218 27-Nov-2002 henning

fix error message for altq ifspec without child queues


# 1.217 26-Nov-2002 henning

make bandwidth specification on queue truly optional


# 1.216 26-Nov-2002 henning

queue comes before NAT


# 1.215 25-Nov-2002 henning

repair decide_address_family
you cannot just take the first address family you meet as rule's address
family... either all are equal, or the rule has no explicit AF.

found by danh@
ok theo


# 1.214 25-Nov-2002 mickey

for loN and link1 translate the iface into address properly; henning@ ok


# 1.213 25-Nov-2002 henning

1Kb = 1000b, not 1024; as discussed with kjc@ and theo


# 1.212 25-Nov-2002 henning

KNF


# 1.211 24-Nov-2002 pb

enforce that queue comes right before filtering
'options, normalization, translation, queue, filter' now

henning@ ok


# 1.210 24-Nov-2002 dhartmei

Cosmetics and removal of a redundant code block.


# 1.209 23-Nov-2002 deraadt

sigh


# 1.208 23-Nov-2002 henning

KNF


# 1.207 23-Nov-2002 henning

better error checking in expand_queue


# 1.206 23-Nov-2002 henning

easier


# 1.205 23-Nov-2002 mcbride

Daniel's diff to untangle my mess with ifa_pick_ips like so:

- add decide_address_family() which runs through the list to find hosts
with the af set
- replace ifa_pick_ips with remove_invalid_hosts() which removes hosts with
the wrong address family from the list

from/ok dhartmei@


# 1.204 23-Nov-2002 henning

better error checking, round 1
this time in expand_altq


# 1.203 23-Nov-2002 henning

KNF


# 1.202 23-Nov-2002 deraadt

KNF


# 1.201 23-Nov-2002 dhartmei

$$->ifname is NULL, leave it NULL, don't $$->ifname[0] = 0;


# 1.200 23-Nov-2002 mcbride

Fix brokenness in parse.y, clean up:
- remove requirement for ( ) in route-to ( if )
- calloc route_host
- initialise route_host->next
- globally convert malloc to calloc

ok dhartmei@


# 1.199 23-Nov-2002 mcbride

code to support loading of pf rules with multiple redirection addresses
(in nat, rdr, route-to, dup-to and reply-to)

Syntax looks like this, see pf.conf(5) for details:

nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
192.168.0.16/29 source-hash random

rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
{ 192.168.0.8/31, 192.168.0.15 } port 22 round-robin

ok dhartmei@ henning@


# 1.198 22-Nov-2002 henning

print altq and queue lines in the pfctl -v case including the child queue
assignment


# 1.197 19-Nov-2002 henning

only take cbq opts from schedtype if type=CBQ


# 1.196 19-Nov-2002 henning

repair queuespec syntax glitch, theo agrees


# 1.195 19-Nov-2002 henning

default priority is 1, not 0
found by pb@


# 1.194 19-Nov-2002 camield

- match 'Gb' case-sensitively
- match "%" unit only, not "%crap"

ok henning@


# 1.193 19-Nov-2002 wilfried

icmp-type was off by one, ok henning@


# 1.192 18-Nov-2002 deraadt

no; do not use };


# 1.191 18-Nov-2002 henning

more using strl* return values instead of strlen calls


# 1.190 18-Nov-2002 henning

easier "queue name too long" detection; from theo


# 1.189 18-Nov-2002 deraadt

KNF


# 1.188 18-Nov-2002 deraadt

KNF


# 1.187 18-Nov-2002 henning

altq and pf merged

this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documentation yet, but committing now
enables a few more people to work on it.

print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.

"commit now" theo philipp daniel


# 1.186 13-Nov-2002 henning

as scrub rules end up in a struct pf_rule just call expand_rule instead of
handcrafting this.
has quite a few positive side effects:
-interface list expansion works (fries@ asked for that)
-can specify address family, very helpful with dynamic interface expansion
(pointed out by daniel)
-src/dst ip/port list expansion works
-fixes a long standing, scary, though never noticed bug:
scrub out on lo1 from any to 10.0.0.1
expanded to
scrub out on lo1 all
... this bug was there from day #1.

"sneaky diff of the month award" dhartmei@


# 1.185 13-Nov-2002 dhartmei

Add label macro $if, as we support {} list expansion for interfaces now.
From David Gwynne. ok henning@, camield@


# 1.184 13-Nov-2002 dhartmei

Initialize tail pointer to node, found by fries@


# 1.183 08-Nov-2002 henning

init buf to NULL just in case...
there isn't a single codepath where it can remain uninitialized, but this
might prevent a stupid bug if we change something later


# 1.182 07-Nov-2002 henning

move the ifa_exists block a bit up in host()
inspired by mpech@ pointing out a missing free(buf). so handle the
it-is-an-interface case where we don't need the buf before allocating memory.


# 1.181 04-Nov-2002 henning

welcome to CIDR world, pfctl!

use inet_net_pton to parse IP addresses.
stuff like
block in from 10/8 to any
works now.

some input camield@ and dhartmei@

ok dhartmei@, camield@, mcbride@


# 1.180 02-Nov-2002 dhartmei

%i -> %d, matches the style of existing code, from millert@


# 1.179 02-Nov-2002 dhartmei

printf int with %i, not %u. from pilot@monkey.org.


# 1.178 30-Oct-2002 henning

simplify


# 1.177 30-Oct-2002 henning

fix interface expansion. since the reversed list expansion code was
committed this was broken, only the first IP address was returned.

pointed out by danh@, who sent an excellent bug report.

ok dhartmei@


# 1.176 29-Oct-2002 henning

introduce
set require-order [yes|no]
default is yes.
with set to "no", it isn't required to have the rules in order (options,
scrub, nat, filter) any more, though of course NATing still happens before
filtering and so on, so one has to take care.

ok camield@ mcbride@ dhartmei@
idea discussed with a whole lotta more people and basically ok for everyone ;-)


# 1.175 27-Oct-2002 henning

remove the "flags X" syntax.
no one who wrote "flags S" meant that, but actually something like "flags
S/SA". with "flags S" changing its actual meaning as more flags got
supported, things got worse.

ok dhartmei@, pb@


# 1.174 22-Oct-2002 mpech

%ul -> %lu

dhartmei@ ok


# 1.173 22-Oct-2002 mcbride

More conversion of "int af" and "u_int8_t af" declarations and function
arguments to the more correct and descriptive "sa_family_t af"

ok dhartmei@ henning@


# 1.172 22-Oct-2002 camield

Rename ipmask to set_ipmask and add some functionality: the netmask
is applied immediately to the address.

This way, the parsed rules output shows exactly which bits of an
address are significant for a match and errors due to wrong netmasks
can be spotted more easily.

Example:
$ pfctl -nvf -
pass in on lo0 from 172.17.0.0/12 to any
@0 pass in on lo0 inet from 172.16.0.0/12 to any

idea refined by dhartmei@
ok frantzen@ henning@


# 1.171 17-Oct-2002 mcbride

These checks are also made in nat_consistent() and rdr_consistent().

ok dhartmei@ henning@


# 1.170 17-Oct-2002 camield

- accept all protocols that are specified by number if they are in
the valid range (also when they're not listed in /etc/protocols)
- explicitly disallow protocol number 0, because it has special meaning
to pf

ok dhartmei@ henning@


# 1.169 16-Oct-2002 mpech

Fix and improve binat mask comparison.

dhartmei@, henning@ ok


# 1.168 14-Oct-2002 henning

Allow one to specify a netblock in a binat rule:

binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27

Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.

from ryan

ok dhartmei@
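
The following is a worked model of three parser behaviours described in the entries above: the abbreviated CIDR input of rev 1.181 ("10/8"), the immediate netmask application of rev 1.172 (172.17.0.0/12 printed as 172.16.0.0/12) and the netblock binat of rev 1.168 (network part from the redirect block, host part from the source address, masks required to be equal). It is an added example written for this page, not pfctl's code; the function names, the requirement of an explicit prefix length and the sample inputs are assumptions for illustration.

```python
import ipaddress

# Added example, not pfctl's own code. Function names and the explicit-prefix
# requirement are assumptions made for illustration.


def set_ipmask(addr: str, prefixlen: int) -> ipaddress.IPv4Network:
    """Apply the mask to the address immediately, as set_ipmask() does from rev 1.172 on.

    Host bits are cleared, so 172.17.0.0/12 becomes 172.16.0.0/12 and a wrong
    mask shows up in the printed rule instead of silently matching more (or
    less) than the author intended.
    """
    if not 0 <= prefixlen <= 32:
        raise ValueError(f"bad prefix length /{prefixlen}")
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def parse_cidr(text: str) -> ipaddress.IPv4Network:
    """Accept abbreviated CIDR such as '10/8' or '10.1/16' (the inet_net_pton(3)
    input form rev 1.181 switched to) and return the masked network.

    Simplification (assumption): a /prefix is required; inet_net_pton's
    classful inference for prefix-less input is not modelled.
    """
    addr, sep, plen = text.partition("/")
    if not sep or not plen.isdigit():
        raise ValueError(f"prefix length required, e.g. 10/8: {text!r}")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4 or not all(
        o.isdigit() and 0 <= int(o) <= 255 for o in octets
    ):
        raise ValueError(f"bad address {addr!r}")
    octets += ["0"] * (4 - len(octets))  # '10' -> '10.0.0.0'
    return set_ipmask(".".join(octets), int(plen))


def binat_translate(src_block: str, rdr_block: str, packet_src: str) -> str:
    """Model of the rev 1.168 netblock binat: keep the host part of the packet's
    source address and replace the network part with the redirect block's.

    The commit message requires both masks to be the same; enforce it here,
    since with unequal masks the host part would not fit the target block.
    """
    src = parse_cidr(src_block)
    rdr = parse_cidr(rdr_block)
    if src.prefixlen != rdr.prefixlen:
        raise ValueError(f"binat: netmask of {src} and {rdr} must be the same")
    pkt = ipaddress.ip_address(packet_src)
    if pkt not in src:
        raise ValueError(f"{packet_src} is not in {src}")
    host_part = int(pkt) & int(src.hostmask)
    return str(ipaddress.ip_address(int(rdr.network_address) | host_part))


if __name__ == "__main__":
    # Constructed inputs taken from the commit messages above.
    print(parse_cidr("10/8"))                      # 10.0.0.0/8
    print(set_ipmask("172.17.0.0", 12))            # 172.16.0.0/12
    print(binat_translate("192.168.0.32/27", "10.0.7.128/27", "192.168.0.37"))
    # 10.0.7.133: host part 37 & 31 == 5 on top of 10.0.7.128
```

Running the module shows the same normalisation `pfctl -nvf -` prints: a mask that does not cover the address you typed is made visible rather than silently widening or narrowing the match, and a binat with mismatched masks is refused before any packet is translated.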


# 1.167 11-Oct-2002 camield

When a macro cannot be expanded because it is not defined, say so. Also warn
about unused macros.

ok dhartmei@ henning@


# 1.166 11-Oct-2002 camield

In lgetc(), compress strings of whitespace to a single space. This makes
macros come out right in verbose mode and is less functional overhead.

Also err on whitespace after a backslash. That type of error is hard to
find otherwise.

ok dhartmei@ henning@


# 1.165 08-Oct-2002 vincent

remove <0 checks on unsigned numbers.

ok henning@


# 1.164 07-Oct-2002 dhartmei

-Wsign-compare clean


# 1.163 07-Oct-2002 dhartmei

Two cases of const-correctness and make one global local.


# 1.162 07-Oct-2002 henning

set block-policy [drop|return]
drop is default, same behaviour as before

support
block drop
to override a return policy


# 1.161 07-Oct-2002 henning

support a generic return
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else

ok dhartmei@


# 1.160 07-Oct-2002 henning

make return-icmp work for rules covering both v4 and v6
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)

ok and some input dhartmei@


# 1.159 07-Oct-2002 henning

use a new rule_flag PFRULE_RETURNICMP to decide whether to return-icmp or not
instead of just testing return_icmp > 0

ok dhartmei@


# 1.158 07-Oct-2002 dhartmei

Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.


# 1.157 06-Oct-2002 dhartmei

Move CHECK_ROOT into LOOP_THROUGH, gets rid of one macro and saves
several lines, no functional difference. From Camiel Dobbelaar.


# 1.156 05-Oct-2002 dhartmei

Expand {} lists from left to right, so 'pass in from { a, b } to any'
becomes '@0 pass in from a to any @1 pass in from b to any' instead of
the other way around. Patch from Camiel Dobbelaar.


# 1.155 05-Oct-2002 dhartmei

Allow filtering based on IP header's tos field.


Revision tags: OPENBSD_3_2_BASE
# 1.154 22-Sep-2002 henning

little KNF: return(something) -> return (something)


# 1.153 22-Sep-2002 henning

fix linenumber counting in findeol, and simplify by ignoring the \ case,
that's already handled earlier.
fast-forward on erroneous lines

partially from camield@, parts result of a discussion with Mike

ok frantzen@ dhartmei@


# 1.152 22-Sep-2002 henning

antispoof, take 2.
also block incoming packets with our own IP as src.

discussion & help frantzen

ok ho@ dhartmei@ frantzen@


# 1.151 17-Sep-2002 henning

easier "self" implementation.
no functional changes

ok pb@


# 1.150 15-Sep-2002 henning

set a netmask in the dynaddr case
noticed by <han@mijncomputer.nl>

ok pb@


# 1.149 14-Sep-2002 henning

bit more clue in rdr/nat rules wrt address family examination
don't take the af from host_node structs based on interface lookups, most
interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will
at least have one IP address specified from which we take the af for the
whole rule. The rare exceptional cases require the user to specify the af.

ok frantzen@


# 1.148 12-Sep-2002 henning

check for calloc() failure; ho@


# 1.147 12-Sep-2002 henning

antispoof [log] [quick] for [interface|interface_list] [af]

e. g.

antispoof log quick for { dc0, dc1 } inet

docs & regress coming

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@
IPv6 help itojun@

finally, a long story finds its happy end here.


# 1.146 12-Sep-2002 henning

rework netmask handling:
-don't set netmask in host token handler
-clear netmask in ipmask() proper before setting it
-in ifa_load(), also store interface's netmask and broadcast address
-allow ifa_lookup() to return either the interface's IP address(es), network(s)
or broadcast address(es) - not used anywhere yet. This implies that
ifa_lookup() also returns the netmask now.
-host() returns netmasks, too

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@


# 1.145 08-Sep-2002 henning

be more clueful wrt address family in nat/rdr rules.
behaviour noticed by Paul de Weerd, thanks!

ok dhartmei@


# 1.144 02-Sep-2002 dhartmei

Fix parsing of port ranges in translation rules (port a:b -> port c:d).
ok henning@


# 1.143 02-Sep-2002 dhartmei

Make sure the interface specified with route-to/dup-to/fastroute exists
and null-terminate the interface name. Found by Michael Wallis.
ok henning@


# 1.142 20-Aug-2002 dhartmei

Increase lineno on newlines inside multi-line macro definitions, otherwise
errors on subsequent lines are reported with wrong line numbers.
From Paul B. Henson.


# 1.141 16-Aug-2002 henning

kill duplicated check for '(' and ')' in allowed_in_string


# 1.140 12-Aug-2002 dhartmei

Catch null pointer deref (segfault), from wilfried@


# 1.139 06-Aug-2002 henning

missing free(), mpech@
ok pb@


# 1.138 06-Aug-2002 henning

check for strdup() allocation errors

pointed out by mpech@
ok pb@


# 1.137 31-Jul-2002 henning

KNF, esp. missing prototypes


# 1.136 30-Jul-2002 henning

grmpf.
in some cases, on non-tcp rules flags weren't reset. cosmetic-only
problem. but, well, checking for r->flags and r->flagset if we could have
assigned them zero just one round ago is just stupid, and it's not needed to
check them at all.

ok pb@, dhartmei@


# 1.135 30-Jul-2002 henning

allow to specify flags on all rules that include tcp.

these are valid:

pass in from any to any flags S
pass in proto { tcp, udp, icmp } from any to any flags S
pass in proto tcp from any to any flags S

these are invalid:

pass in proto { udp, icmp } from any to any flags S
pass in proto udp from any to any flags S

ok "I've lost my slacker status for at least a week" frantzen@
ok pb@, dhartmei@, deraadt@


# 1.134 26-Jul-2002 henning

make the order of log and quick irrelevant. now both
block in log quick all
and
block in quick log all
work.

ok dhartmei@, deraadt@


# 1.133 23-Jul-2002 henning

timeout_list/_spec and limit_list/_spec don't return anything -> no %type.

ok theo


# 1.132 21-Jul-2002 deraadt

fix route-to also


# 1.131 21-Jul-2002 deraadt

make the , optional in many places. This makes string concat a lot more
useful. Now you can
in = ssh domain www
out = $in ftp finger
pass in proto tcp from any to any port { $in }
pass out proto tcp from any to any port { $out }
a poor example, but the idea is obvious


# 1.130 21-Jul-2002 deraadt

string concat, ie.
a=a b
c=$a $a


# 1.129 20-Jul-2002 deraadt

minor indent tweaks


# 1.128 20-Jul-2002 deraadt

properly split yacc and lex use


# 1.127 19-Jul-2002 deraadt

minor tweaks, sigh


# 1.126 19-Jul-2002 dhartmei

And back out the last change again.


# 1.125 19-Jul-2002 henning

rework the interface lookup routines internals.
less and easier code than before.
no functional changes.

ok frantzen@, dhartmei@


# 1.124 19-Jul-2002 dhartmei

Support # comments at the end of lines and inside (multi-line) string
literals, so you can do things like

macro="{ foo, # first entry
bar, # second entry
baz }" # last entry

or

pass in on $ext_if \ # external interface
proto tcp \ # TCP connections
from any to $ext_if \ # to the gateway itself
keep state

And sneaking in two minor fixes for KNF.


# 1.123 19-Jul-2002 henning

deal with the fact that the struct node_host ifa_pick_ip gets is not always
the result of an interface expansion. in this case ifa_pick_ip does an
address family check (that's actually a (wanted) side effect). Thus, we need
to spit out a meaningful error message in case of a mismatch.
also adjust all the other error messages, they were also assuming that nh is
the result of an interface expansion.
after a looooong discussion on icb (dhartmei@, pb@, me) we agreed on the term
"translation address" for that.

okay dhartmei@


# 1.122 17-Jul-2002 henning

support "self" as address. self expands to all IPv4 and IPv6 addresses of
the machine, on all interfaces. I wanted
block in log on ! lo0 from any to self
for years, and now it's possible.

ok "I may lose my slacking status if I OK it" frantzen@
ok dhartmei@

documentation in pf.conf.5 to come with pb@'s rewrite


# 1.121 16-Jul-2002 dhartmei

Add nat_consistent() and rdr_consistent() for checks that should occur
after rule expansion, similar to rule_consistent(). Fixes the
non-effective test for rdr rules for non-TCP/UDP protocols with ports,
found by mpech@, ok frantzen@


# 1.120 15-Jul-2002 henning

add support for
pass|block on ! $interface ...

ok dhartmei@

will be documented in pf.conf(5) by "I'm not slacking!" pb@ who's currently
reworking this manpage


# 1.119 15-Jul-2002 pb

cosmetics/consolidations to manpage in yyerror()s

ok henning@, dhartmei@


# 1.118 15-Jul-2002 henning

o complain about keep state on block rules
o complain about return-rst on rules which aren't limited to tcp

pointed out by not-slacking-but-testing pb@

ok pb@, dhartmei@


# 1.117 13-Jul-2002 henning

add list expansion for interface and proto in nat rules and for proto in rdr
rules (interface was already there). since the nat.conf/pf.conf merge the
parser accepted these but didn't expand them. ugh.

ok dhartmei@


# 1.116 09-Jul-2002 itojun

check sin6_scope_id field, just in case we change the routing socket API
for scoped address (unlikely due to the deployed codebase...).


# 1.115 09-Jul-2002 itojun

getifaddrs(3) grabs link-local addrs in kernel internal form, convert them
into proper sockaddr_in6.


# 1.114 09-Jul-2002 henning

rework the interface-to-IP routines.

you can use interface names instead of an IP in most places. However, until
now, it was only expanded to the interface's first IPv4 address if existent
(and address family unset or inet) and the first IPv6 address otherwise.

this diff changes that. the interface is properly expanded to all IPs, IPv4
_and_ IPv6, now.

it also cleans up the lookup procedures (well, in fact, they are replaced by
a new one), there's no need for different procedures for IPv4 and IPv6. we
now just have one list of interfaces (AF_LINK) and one list with IPs
(AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and
ifa_lookup.

nat, rdr & friends now use the new function ifa_pick_ip to get the IP in
rules like

nat on $interface from $whatever to any -> $interface

ifa_pick_ip tries to be smart.
if the interface has only one IP address and the nat rule doesn't specify an
address family (or it matches with this address), take this one.
If the address family is specified in the nat rule and there is only one IP
for the given address family, this one is used. if the address family is not
specified and there is more than one IP pfctl throws an error. The same
applies for multiple IPs per address family.

This causes regression tests 18 and 20 to fail because the address family
isn't specified there; diff for those coming.

also fix some prototypes while I'm here.

pb@ found another problem while testing that we must have introduced somewhat
after 3.1.

$cat t
nat on ne3 from any to any -> 213.128.133.5
$pfctl -nvf t
nat on ne3 all -> ?

it's only a representation bug as far as I've checked, nonetheless it should
be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just
steal its target's IP af and set the rule's af accordingly. then inet_ntop
does play nice.
binat rules already enforce having an address family set always and thus are
not affected.

ok dhartmei@, pb@, kjell@
"It looks good" frantzen@
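
A Python model of the ifa_pick_ip selection rules the entry above spells out (one address and no af: take it; af given and exactly one address of that family: take it; otherwise refuse), together with the af-from-translation-target fix for the `nat on ne3 all -> ?` display bug. This is an added example written for this page, not pfctl's code: the interface table is constructed (pfctl builds its lists from getifaddrs(3)), and the exception name and function signatures are assumptions.

```python
import ipaddress
from typing import Optional

# Added example, not pfctl's own code. The interface table below is constructed
# for illustration; pfctl builds its address lists from getifaddrs(3).
IFADDRS = {
    "ne3":  [("inet", "213.128.133.5")],
    "fxp0": [("inet", "10.0.0.1"), ("inet6", "2001:db8::1")],
    "wi0":  [("inet", "192.168.0.1"), ("inet", "192.168.0.2")],
}


class AmbiguousTranslationAddress(ValueError):
    """Raised when the rule does not pin down a single address (name is an assumption)."""


def ifa_pick_ip(ifname: str, af: Optional[str] = None, ifaddrs=IFADDRS) -> str:
    """Pick the translation address for 'nat on <if> ... -> <if>' following rev 1.114:

    - one address on the interface and no af given (or a matching one): take it;
    - af given and exactly one address of that family: take it;
    - no af given and more than one address: error;
    - af given and more than one address of that family: error.
    """
    if af not in (None, "inet", "inet6"):
        raise ValueError(f"unknown address family {af!r}")
    addrs = ifaddrs.get(ifname)
    if not addrs:
        raise ValueError(f"unknown interface {ifname}")
    candidates = [a for fam, a in addrs if af is None or fam == af]
    if not candidates:
        raise ValueError(f"no {af} address on {ifname}")
    if len(candidates) > 1:
        raise AmbiguousTranslationAddress(
            f"{ifname} has {len(candidates)} {af or 'inet/inet6'} addresses; "
            "specify the address family or an explicit translation address"
        )
    return candidates[0]


def rule_af_from_target(target: str) -> str:
    """Derive the rule's af from its single translation target, the fix for the
    'nat on ne3 all -> ?' representation bug described in rev 1.114."""
    return "inet" if ipaddress.ip_address(target).version == 4 else "inet6"


def expand_nat_target(ifname: str, target: str, af: Optional[str] = None,
                      ifaddrs=IFADDRS):
    """Resolve the '-> target' part of a nat rule on ifname. An interface name is
    expanded with ifa_pick_ip(); a literal address is used as-is. Returns
    (af, address), with af taken from the address when the rule left it unset."""
    if target in ifaddrs:
        address = ifa_pick_ip(target, af, ifaddrs)
    else:
        address = str(ipaddress.ip_address(target))
    rule_af = rule_af_from_target(address)
    if af is not None and af != rule_af:
        raise ValueError(f"address family {af} does not match {address}")
    return rule_af, address


if __name__ == "__main__":
    print(expand_nat_target("ne3", "213.128.133.5"))        # ('inet', '213.128.133.5')
    print(expand_nat_target("fxp0", "fxp0", af="inet6"))    # ('inet6', '2001:db8::1')
    try:
        expand_nat_target("fxp0", "fxp0")                   # no af, two families
    except AmbiguousTranslationAddress as e:
        print("error:", e)
```

The refusal in the ambiguous case is the security-relevant part: a nat rule that silently picked the first address of a dual-stack or multi-homed interface could translate to an address the author never intended, so the parser makes the author state the family or the address explicitly.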


# 1.113 08-Jul-2002 dhartmei

Don't allow 'flags' option in non-TCP rules, found by mpech@


# 1.112 05-Jul-2002 henning

unbreak.


# 1.111 05-Jul-2002 henning

another small bug I found while installing a -current pf firewall.
we don't support

pass/block in on ! <interface>

(at least, not yet)
let the parser complain instead of ignoring the '!'

ok pb@, dhartmei@


# 1.110 01-Jul-2002 espie

streamline parse buffer handling (no need to copy value that is not
going to go away).

add explicit pushback buffer, to be able to push IPv6 failed parses back.

handle pushback + parse buffer interactions by using negative indices.

okay dhartmei@, deraadt@


# 1.109 01-Jul-2002 deraadt

KNF


# 1.108 28-Jun-2002 dhartmei

Don't check for address family conflicts in nat/rdr before expansion,
rules will expand to all valid combinations, and there's an error when
none is found. Makes "nat on tun0 from 10.0.0.0/8 to any -> (tun0)"
work (again).


# 1.107 25-Jun-2002 henning

move pfctl options -t, -m, -O and -l to pf.conf. These are set using the
"set" keyword. example rulefile:

set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all

fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@


# 1.106 24-Jun-2002 dhartmei

Use interface when specified in scrub rule. No support for ! or {} yet.


# 1.105 23-Jun-2002 deraadt

uid_t and gid_t are unsigned


# 1.104 20-Jun-2002 dhartmei

Copy address family from inet/inet6 keyword, if specified.


# 1.103 18-Jun-2002 frantzen

propagate a '!' when a host resolves to multiple IP addresses
ok dhartmei@


# 1.102 18-Jun-2002 frantzen

don't allow individual keep state rules to specify timeouts for 'interval' and
'frag' -- they aren't applied anyway
ok dhartmei@ and henning@


# 1.101 16-Jun-2002 aaron

Rules must in order -> Rules must be in order


# 1.100 15-Jun-2002 dhartmei

Reset rulestate in parse_rules(), so consecutive calls (like from authpf)
will not fail. Reported by Chris Kuethe.


# 1.99 13-Jun-2002 kjell

Fix the numbering of scrub rules. pointed out and oked by frantzen@


# 1.98 12-Jun-2002 kjell

Fix uninitialized access. Spotted by danh@ This is a good reason to
develop with "ln -s 'J' /etc/malloc.conf" enabled.
ok henning@


# 1.97 11-Jun-2002 frantzen

split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@. the rest are slacking


# 1.96 11-Jun-2002 frantzen

SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@


# 1.95 11-Jun-2002 dhartmei

Make NAT proxy port range configurable per rule, for instance privileged
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@


# 1.94 10-Jun-2002 kjell

Merge the NAT and rules files into a single rulefile. Rules must be
in this order, to remove any ambiguity about what order things happen in:

scrub rules
nat rules
filter rules

The -N and -R modifiers go away. Rulefiles are now loaded with the
more POSIXly-correct '-f'

ok frantzen@


# 1.93 10-Jun-2002 dhartmei

Allow ports to be specified in nat rules, useful later on for individual
proxy port ranges.


# 1.92 10-Jun-2002 dhartmei

Move enum out of struct (gcc 3.1 wasn't happy), from David Krause


# 1.91 10-Jun-2002 kjell

split scrub rule processing into its own yacc target,
for imminent config file merge. ok frantzen@


# 1.90 09-Jun-2002 dhartmei

Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it
includes ports and operator.


# 1.89 09-Jun-2002 deraadt

spaced out developers...


# 1.88 09-Jun-2002 kjell

Add list parsing in RDR rules: e.g.

rdr on $IFLIST proto tcp from $SRC_LIST to $DST_LIST port 21 \
-> 127.0.0.1 port 8021

ok dhartmei@


# 1.87 08-Jun-2002 henning

nuke unused parameter af to expand_label_port
ok dhartmei@, pb@


# 1.86 08-Jun-2002 dhartmei

Change remaining read-only lookup tables to const, suggestion drahn@


# 1.85 08-Jun-2002 itojun

comment on IPv6 link-local twists


# 1.84 08-Jun-2002 kjell

add list expansion to src/dest in NAT rules. i.e.

nat on fxp0 from { 10.0.0.0/24, 10.0.1.0/24 } to \
{ 172.6.1.1, 172.14.1.2/32 } -> fxp0

ok theo, dhartmei@


# 1.83 08-Jun-2002 henning

remove macro concatenation via += per Theo's advice


# 1.82 08-Jun-2002 henning

allow macro concatenation like
webservers = "{ 10.0.0.1, 10.0.0.7, 10.0.0.8, "
webservers += " 10.0.0.17, 10.0.0.25, 10.0.0.37 }"
ok frantzen@, dhartmei@


# 1.81 08-Jun-2002 dhartmei

Make state timeouts configurable per rule, like

pass in from any to any port www keep state (tcp.established 60)

ok frantzen@


# 1.80 08-Jun-2002 henning

expand $nr -> rule number in rule labels
okay dhartmei@, frantzen@


# 1.79 08-Jun-2002 henning

expand $proto in rule labels
okay frantzen@ dhartmei@


# 1.78 07-Jun-2002 dhartmei

Handle realloc() failure gracefully. Terminates with err() anyway in this
case, but we don't want to trigger "p = realloc(p," grepping causing false
alarms here.


# 1.77 07-Jun-2002 deraadt

henning, read this to see what i mean by KNF


# 1.76 07-Jun-2002 pb

add the possibility to configure a TTL while return-rst

ok dhartmei@, ipv6 part itojun@ ok


# 1.75 07-Jun-2002 dhartmei

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@


# 1.74 07-Jun-2002 henning

allow using $srcaddr, $srcport, $dstaddr and $dstport in rule labels,
evaluated at parse time.
ok dhartmei@


# 1.73 07-Jun-2002 itojun

make IPv6 scope identification work for dst (from any to fe80::1%lo0)


# 1.72 07-Jun-2002 itojun

support scoped IPv6 address in from/to portion.


# 1.71 01-Jun-2002 hugh

ECN flag support for pf. Committed in consultation with Daniel.


# 1.70 24-May-2002 dhartmei

Support mixed (IPv4/v6) address lists, expand to all possible and valid
combinations. 'pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }' will
expand to two rules, 'from 10.1.2.3 to 10.4.5.6' and 'from ::1 to ::2'.
Also applies to host name resolution (when multiple addresses are returned
for one name). ok frantzen@, itojun@
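
The expansion described in this message, as an added worked example in C that is not pfctl's own code: the from-list and the to-list are crossed, and only pairs whose address families agree become rules, so the two-entry mixed lists in the message yield exactly two rules. The struct names, the expand_hosts() helper and the sample lists are constructed for the illustration.

```c
#include <stddef.h>

/* Address family of a list entry; only the family matters for the
 * expansion, so the address itself is kept as text. */
enum family { FAM_INET = 4, FAM_INET6 = 6 };

struct host {
	enum family	 af;
	const char	*addr;
};

/* One expanded rule: a (src, dst) pair of the same address family. */
struct rule {
	const struct host	*src;
	const struct host	*dst;
};

/*
 * Expand a from-list and a to-list into every src/dst combination whose
 * address families agree. Mixed pairs (IPv4 -> IPv6 or the reverse) are
 * skipped because no single rule can match them. Returns the total number
 * of valid pairs; the first max of them are written to out (out may be
 * NULL with max 0 to only count).
 */
size_t
expand_hosts(const struct host *from, size_t nfrom,
    const struct host *to, size_t nto, struct rule *out, size_t max)
{
	size_t i, j, n = 0;

	for (i = 0; i < nfrom; i++)
		for (j = 0; j < nto; j++) {
			if (from[i].af != to[j].af)
				continue;	/* mixed family: not a rule */
			if (out != NULL && n < max) {
				out[n].src = &from[i];
				out[n].dst = &to[j];
			}
			n++;
		}
	return n;
}

/* Constructed sample lists, the same ones used in the commit message. */
const struct host SAMPLE_FROM[] = {
	{ FAM_INET, "10.1.2.3" }, { FAM_INET6, "::1" },
};
const struct host SAMPLE_TO[] = {
	{ FAM_INET, "10.4.5.6" }, { FAM_INET6, "::2" },
};
#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

/* Number of rules the sample lists expand to: 2 (v4->v4 and v6->v6). */
size_t
sample_rule_count(void)
{
	struct rule rules[NELEM(SAMPLE_FROM) * NELEM(SAMPLE_TO)];

	return expand_hosts(SAMPLE_FROM, NELEM(SAMPLE_FROM),
	    SAMPLE_TO, NELEM(SAMPLE_TO), rules, NELEM(rules));
}

/* Family of the source in expanded sample rule idx, or -1 past the end. */
int
sample_rule_family(size_t idx)
{
	struct rule rules[NELEM(SAMPLE_FROM) * NELEM(SAMPLE_TO)];
	size_t n;

	n = expand_hosts(SAMPLE_FROM, NELEM(SAMPLE_FROM),
	    SAMPLE_TO, NELEM(SAMPLE_TO), rules, NELEM(rules));
	if (idx >= n)
		return -1;
	return (int)rules[idx].src->af;
}
```

The same crossing applies when a host name resolves to several addresses of both families: each resolved address is one list entry, and the family filter drops the combinations that could never match.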


# 1.69 23-May-2002 deraadt

tiny KNF, some malloc checks, etc


# 1.68 23-May-2002 itojun

new_addr is not used from anywhere. daniel@benzedrine.cx ok


# 1.67 19-May-2002 deraadt

KNF


# 1.66 12-May-2002 dhartmei

Explain that user/group 'unknown' can only be used with operators = and !=
and refuse other constructs in the parser. Also note that 'user >= 0' does
not match forwarded packets with unknown user ID.


# 1.65 12-May-2002 dhartmei

Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.


# 1.64 10-May-2002 dhartmei

Handle host name resolution returning multiple addresses in the rule
parser (expand to every address). ok frantzen@


# 1.63 09-May-2002 jasoni

Add a max-mss option to the scrub rule which will enforce a maximum mss
by lowering it to the given value.
- ok dhartmei@, provos@


# 1.62 09-May-2002 dhartmei

Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.


# 1.61 24-Apr-2002 dhartmei

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).


# 1.60 23-Apr-2002 dhartmei

Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.


# 1.59 18-Apr-2002 deraadt

use strlcpy


# 1.58 17-Apr-2002 dhartmei

Reset lineno for each file, so pfctl -R ... -N ... reports the right
line number for non-first files. Reported by aaron@


Revision tags: OPENBSD_3_1_BASE
# 1.57 27-Mar-2002 mickey

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok


# 1.56 27-Feb-2002 dhartmei

Instead of printing useless @0 rule numbers from pfctl -vR, increase a
counter. Helps debugging rule sets that are not loaded. Suggested by
John Kerbawy.


# 1.55 11-Jan-2002 mickey

use bsearch() for keywords lookup, swap a couple of entries to make the keywords array sorted and add a comment to keep it that way; dhartmei@ ok


# 1.54 10-Jan-2002 hugh

Let port 0 be specified as it's not special here.
Agreement with Daniel and others.


# 1.53 09-Jan-2002 mpech

Port must be >0 and <=65535. Idea while having fun with ssh.

dhartmei@ ok


# 1.52 09-Jan-2002 mpech

free() 'interface' in {nat,binat,rdr}rule

dhartmei@ ok


# 1.51 09-Jan-2002 dhartmei

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.


# 1.50 08-Jan-2002 dhartmei

Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.


# 1.49 07-Jan-2002 mpech

remove 3rd argument from ipmask(), not used.

dhartmei@ ok


# 1.48 23-Dec-2001 deraadt

find correct line number in lval, instead of val


# 1.47 10-Dec-2001 dhartmei

Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.


# 1.46 05-Dec-2001 dhartmei

Correctly parse hex numbers. Spotted by Claudio Jeker. Closes PR 2234.


# 1.45 03-Dec-2001 dhartmei

For nat, binat and rdr rules, don't allow different address families in
one rule. pf can't translate IPv4 <-> IPv6 packets. Such rules didn't work,
even if they were falsely accepted before.


# 1.44 26-Nov-2001 jasoni

add fastroute options similar to what is found in ipf
ok dhartmei@, frantzen@


# 1.43 05-Nov-2001 deraadt

no one responds.
this diff makes } and { not be part of symbols


# 1.42 24-Oct-2001 dhartmei

Check interface names using ifa0_lookup() and print error message for
non-existent interfaces (instead of the generic ioctl error returned by
the kernel in this case).


Revision tags: OPENBSD_3_0_BASE
# 1.41 15-Oct-2001 dhartmei

branches: 1.41.2;
Add 'allow-opts' to rules. Packets with IP options will be blocked by
default now, and can be allowed per rule. ok deraadt@


# 1.40 11-Oct-2001 frantzen

Don't htonl() past buffer bounds if ipmask == 128
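
An added example, not pfctl's code, of building an IPv6 netmask from a prefix length so that the /128 edge case stays inside the 16-byte buffer: the mask is filled byte by byte with an index that is always 0..15, and an out-of-range prefix is rejected before anything is written. The function names and the 2001:db8:: sample addresses are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Value of byte idx (0..15) of the netmask for an IPv6 prefix length.
 * Returns -1 if prefix > 128 or idx > 15, so callers never index past
 * the 16 bytes of an in6_addr. */
int
ipv6_mask_byte(unsigned int prefix, unsigned int idx)
{
	unsigned int full, rest;

	if (prefix > 128 || idx > 15)
		return -1;
	full = prefix / 8;	/* number of all-ones bytes */
	rest = prefix % 8;	/* leading bits set in the following byte */
	if (idx < full)
		return 0xff;
	if (idx == full && rest > 0)
		return (0xffu << (8 - rest)) & 0xffu;
	return 0;
}

/* Fill mask[16] for a prefix length of 0..128. Returns 0, or -1 on a bad
 * prefix or NULL buffer; in that case nothing is written. A /128 yields
 * sixteen 0xff bytes and no write beyond them. */
int
ipv6_prefix_to_mask(unsigned int prefix, uint8_t mask[16])
{
	unsigned int i;

	if (prefix > 128 || mask == NULL)
		return -1;
	for (i = 0; i < 16; i++)
		mask[i] = (uint8_t)ipv6_mask_byte(prefix, i);
	return 0;
}

/* Does addr fall inside net/prefix? Returns 1, 0, or -1 for a bad prefix. */
int
ipv6_in_prefix(const uint8_t addr[16], const uint8_t net[16],
    unsigned int prefix)
{
	uint8_t mask[16];
	unsigned int i;

	if (ipv6_prefix_to_mask(prefix, mask) == -1)
		return -1;
	for (i = 0; i < 16; i++)
		if ((addr[i] & mask[i]) != (net[i] & mask[i]))
			return 0;
	return 1;
}

/* Constructed sample data in the 2001:db8::/32 documentation prefix. */
const uint8_t SAMPLE_NET[16] = {
	0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
const uint8_t SAMPLE_IN[16] = {		/* 2001:db8:0:1::42, inside /32 */
	0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0x42 };
const uint8_t SAMPLE_OUT[16] = {	/* 2001:db9::42, outside /32 */
	0x20, 0x01, 0x0d, 0xb9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x42 };
```

Byte-wise filling avoids the word-wise pattern where the loop over four 32-bit words finishes with the index already at 4 and a final htonl() store then lands one word past the address.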


# 1.39 07-Oct-2001 dhartmei

Add interface name to address translation to pfctl, document it and add
a regress test. Translation is done on rule set load-time only, so the
rule sets must be reloaded when an interface address changes.
parse.y patch from Cedric Berger. Similar patch from Jonathon Fletcher.
Thanks to both.


# 1.38 01-Oct-2001 markus

print variable assignments only if -v is given. ok dhartmei/deraadt


# 1.37 28-Sep-2001 dhartmei

Support underscores in macro names and document it in the man page.


# 1.36 20-Sep-2001 dhartmei

Fix uninitialized structure fields. Problem reported by Cedric Berger.


# 1.35 15-Sep-2001 wilfried

Implement return-icmp(number), return-icmp6(number)
Differentiate between return-icmp and return-icmp6,
icmp-type and ipv6-icmp-type. ok dhartmei@


# 1.34 15-Sep-2001 dhartmei

Fix 'binat ... to any ...' (binat.af wasn't set).


# 1.33 15-Sep-2001 dhartmei

Parse bug, found by wilfried@


# 1.32 15-Sep-2001 frantzen

IPv6 support from Ryan McBride (mcbride@countersiege.com)


# 1.31 12-Sep-2001 markus

check calloc() return value


# 1.30 06-Sep-2001 jasoni

- you can only binat between hosts
- add binat example and description


# 1.29 06-Sep-2001 jasoni

1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@


# 1.28 04-Sep-2001 dhartmei

Support parameter lists {} for interfaces in filter rules, like
pass in on { gm0, kue0 } from any to any


# 1.27 28-Aug-2001 markus

move '!' from host_list to host: "xhost : '!' host | host;"; ok dhartmei@


# 1.26 28-Aug-2001 markus

check for malloc/strdup == NULL


# 1.25 28-Aug-2001 dhartmei

Support ! operator in host parameter lists. Fixes PR system/2030. Reported
by Kamil Andrusz <wizz@mniam.net>.


# 1.24 26-Aug-2001 deraadt

sort keywords


# 1.23 25-Aug-2001 frantzen

PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation.


# 1.22 23-Aug-2001 millert

o for a port_item, initialize the "next" pointer to NULL
o for an address, use calloc() instead of malloc() so the struct is zeroed
Fixes a SEGV in pfctl due to uninitialized "next" pointers.


# 1.21 23-Aug-2001 deraadt

Support var="string". Expansion (at lex time) done using $var, for instance:
okproto="{ssh, smtp, domain, auth}"
pass in on key0 proto tcp from any to any port $okproto keep state
Can I ask someone else to document this in pf.conf(5)?


# 1.20 19-Aug-2001 dhartmei

Add parameter list support to parser. Handles lists for protocol, hosts
and ports in filter rules, like

block in from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
pass in proto tcp from any to any port { ssh, 1024 >< 2000, > 65000 }
block in proto { udp, igmp }

and does rule expansion (generate all needed rule combinations).


# 1.19 16-Aug-2001 deraadt

track the line number per-token, so that we can report errors correctly


# 1.18 14-Aug-2001 mickey

optimize the flags parsing; markus@ ok


# 1.17 11-Aug-2001 deraadt

\+\n support, and spit out cc-style error messages. the parser's line
counting is lex dependent, and will need to be tweaked


# 1.16 31-Jul-2001 wilfried

allow testing that flags are unset, ok dhartmei@, mickey@


# 1.15 19-Jul-2001 krw

Fix/complete the handling of the binary ops >< and <> to behave
like the ipf operators.

The 'n >< m' construct (Include Range = PF_OP_IRG) should match
ports greater than n and less than m, not greater than or equal to
n and less than or equal to m.

The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match
all ports less than n OR greater than m, not be treated as an
alias for ><.

Thus PF_OP_GL, which was used for both <> and >< is replaced with
PF_OP_IRG and PF_OP_XRG with the 'correct' semantics.

OK dhartmei@
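
The range operator semantics laid out in this message, together with the 0..65535 port range check from the 1.53/1.54 entries above, as an added example in C that is not pfctl's own code: `><` matches strictly between its operands, `<>` matches strictly outside them, and an operand outside the port range is reported rather than silently matched. The enum, token table and function names are constructed for the illustration and only modelled on pf's PF_OP_* constants.

```c
#include <stddef.h>
#include <string.h>

/* Port comparison operators, modelled on pf's PF_OP_* constants. */
enum portop {
	OP_NONE,	/* no port given: match any */
	OP_EQ, OP_NE, OP_LT, OP_LE, OP_GT, OP_GE,
	OP_IRG,		/* a >< b: strictly between a and b (include range) */
	OP_XRG,		/* a <> b: strictly below a or above b (exclude range) */
	OP_RRG		/* a:b: inclusive range */
};

/* Map an operator token from the rule text to its enum; OP_NONE if unknown. */
enum portop
portop_from_token(const char *tok)
{
	static const struct { const char *tok; enum portop op; } tab[] = {
		{ "=", OP_EQ }, { "!=", OP_NE }, { "<", OP_LT }, { "<=", OP_LE },
		{ ">", OP_GT }, { ">=", OP_GE }, { "><", OP_IRG },
		{ "<>", OP_XRG }, { ":", OP_RRG },
	};
	size_t i;

	for (i = 0; i < sizeof(tab) / sizeof(tab[0]); i++)
		if (strcmp(tok, tab[i].tok) == 0)
			return tab[i].op;
	return OP_NONE;
}

/* Range check for a port operand: 0..65535, port 0 included. */
int
port_valid(long n)
{
	return n >= 0 && n <= 65535;
}

/*
 * Does port p satisfy "op a [b]"? Returns 1 (match), 0 (no match) or -1
 * when an operand is outside the valid port range. b is only consulted
 * by the two-operand range operators.
 */
int
port_match(enum portop op, long p, long a, long b)
{
	if (!port_valid(p) || !port_valid(a))
		return -1;
	switch (op) {
	case OP_NONE:	return 1;
	case OP_EQ:	return p == a;
	case OP_NE:	return p != a;
	case OP_LT:	return p < a;
	case OP_LE:	return p <= a;
	case OP_GT:	return p > a;
	case OP_GE:	return p >= a;
	case OP_IRG:	return port_valid(b) ? (p > a && p < b) : -1;
	case OP_XRG:	return port_valid(b) ? (p < a || p > b) : -1;
	case OP_RRG:	return port_valid(b) ? (p >= a && p <= b) : -1;
	}
	return -1;
}
```

With the list form from the 1.20 entry, `port { ssh, 1024 >< 2000, > 65000 }`, each list item becomes one (op, a, b) triple, and a packet port is tested against each expanded rule with port_match(); the endpoints 1024 and 2000 themselves do not match the `><` item.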


# 1.14 18-Jul-2001 markus

new ERROR token, errx() -> warnx() + ERROR; ok deraadt@


# 1.13 18-Jul-2001 markus

KNF for return


# 1.12 18-Jul-2001 mickey

check number range to fit in 32 bits


# 1.11 18-Jul-2001 mickey

put range checks on NUMBER, pointed out by deraadt


# 1.10 17-Jul-2001 mickey

spaces, parens, err instead of errx+strerror


# 1.9 17-Jul-2001 markus

warnx()/YYERROR instead of errx(); suggested by mickey@


# 1.8 17-Jul-2001 provos

markus doesn't like min-ttl =, begone


# 1.7 17-Jul-2001 provos

support min-ttl, okay dhartmei@


# 1.6 17-Jul-2001 provos

normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@


# 1.5 17-Jul-2001 marc

bitch about ! in pf rule; ok dhartmei@ and markus@


# 1.4 17-Jul-2001 millert

Only set default proto in the rdr case; markus@ OK


# 1.3 16-Jul-2001 markus

errx() if getservbyname() fails


# 1.2 16-Jul-2001 markus

better flags parsing; dhartmei


# 1.1 16-Jul-2001 markus

add a yacc parser for pf.conf and nat.conf, with help from mickey@,
plus: -n now turns off all operations, and just parses the conf files
ok deraadt@


# 1.694 06-Mar-2019 kn

Fix once rules

parse.y revision 1.682 from 16.07.2018 erroneously allowed `match once' and
`anchor "a" once'.

Fix both by checking for PF_DROP not PF_MATCH and creating anchors in the
parser already such that they can be used to distinguish anchor rules in
the same check as well.

Found and fixed by Petr Hoffmann <petr.hoffmann at oracle dot com>, thanks!

While here, remove an unneeded cast and make pfctl_add_rule() void as it
always returned 0.

OK sashan


# 1.693 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.692 10-Feb-2019 kn

Anchor names must not be empty

The parser would allow bogus input and sometimes even produce invalid rules
on empty anchor names, so error out immediately.

OK sashan


# 1.691 10-Feb-2019 kn

Unify anchor name sanity checks

For anchor names, make `load anchor' use the same grammar as `anchor' and
merge unique checks from both places so that anchor names are validated
regardless of the specific rule at hand.

OK sashan


# 1.690 31-Jan-2019 kn

Make divert-packet port accept any port specification

Contrary to other rules accepting a single port, this one only works with
numerical values. Fix it by simply using the proper grammar.

Port ranges are not accepted, but an error message on a range without start
was missing in general, so add it while here.

OK bluhm


# 1.689 11-Jan-2019 kn

When creating tables inside anchors, pfctl warned about namespace
collisions with global tables, but only in certain cases and with
limited information sometimes leaving users clueless.

Deferring the check to process_tabledefs() where tables are eventually
created, both anchor and table name are known which allows for checking
all existing anchors.

With this, warn on all duplicates even in dry-runs (`-n') and print
quoted names so they can be copied to fix configurations right away.

No functional change in parsing or ruleset production.

Discussed with and OK sashan


# 1.688 15-Nov-2018 dlg

scrub opts don't set tos, so remove it from the scrub_opts struct

ok deraadt@


# 1.687 10-Nov-2018 kn

Unbreak `-D macro=value' (r1.686 regression)

Zap trailing semicolon introduced with miko's cmdline_symset() leading to
unconditional err(3). Zap trailing tab while here.


# 1.686 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.685 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.684 16-Sep-2018 millert

Use uid_from_user(3) and gid_from_group(3) in utilities that
do repeated lookups. OK tb@


# 1.683 06-Sep-2018 kn

Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan


# 1.682 16-Jul-2018 kn

reduce duplicate code, fix typo/free correct buffer

In filteropts_to_rule():

* Merge `once' handling from `anchorrule' and `pfrule'
* Remove/shorten duplicate code block
* Fix typo I introduced with r1.678 that frees the wrong buffer (twice)

OK sashan


# 1.681 13-Jul-2018 kn

Fix regression on child queue definitions

I committed the wrong diff in 1.680 which turned `queue cq parent pq ...'
into invalid syntax by changing `interface' to `ON if_item'.

Found by bket, thanks!


# 1.680 11-Jul-2018 kn

Prevent invalid interface specifiers on queue rules

pf.conf(5) states that queues attach to actual interfaces only, yet the
following parses:

# echo queue eq on egress bandwidth 1G default | pfctl -f-
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

# echo queue rq on rdomain 0 bandwidth 1G default | pfctl -vf-
queue rq bandwidth 1G default
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

On rdomains, ifa_exists() returns NULL.
On interface groups, ifa_exists() returns non-NULL but af is never set
to AF_LINK.

OK henning sashan


# 1.679 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.678 10-Jul-2018 henning

'set delay' for the generic packet delay mechanism, ok benno sashan


# 1.677 10-Jul-2018 kn

fix anchor rules with filter opts, introduce filteropts_to_rule()

Some filter options were parsed but not set on anchor rules due to missing
copies of the respective struct members:

$ cat pf.conf
queue rq on trunk0 bandwidth 1G
queue dq parent rq bandwidth 1G default
anchor a set queue dq
$ pfctl -vnf pf.conf | fgrep queue
anchor "a" all

Fix this by moving common code from `anchorrule' and `pfrule' into a new
helper filteropts_to_rule().

Input from henning and benno
OK henning sashan jca


# 1.676 09-Jul-2018 kn

Zap dead code

Commented since r1.465 (2004).

OK deraadt benno jca sashan


# 1.675 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.674 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.673 18-May-2018 benno

A pf rule with a "on rdomain n" with nonexisting rdomain n will cause an

pfctl: DIOCADDRULE: Device busy

error when loading the ruleset, with no information which rule caused
the problem and no indication that the problem is the rdomain
<nonexisting>.

This diff makes pfctl check if the rdomain really exists when parsing
the config.

ok bluhm@


# 1.672 09-May-2018 otto

Fix (include file) line number counting by keeping track of the unget
buffer per file; also use that buffer to expand macros.
ok sashan@ dennis@ krw@


# 1.671 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.670 08-Feb-2018 henning

make the watermarks/thresholds for entering and leaving syncookie mode when
syncookies are set to adaptive tunable, ok claudio benno


# 1.669 06-Feb-2018 henning

allow control over syncookies: set syncookies never/always/adaptive


# 1.668 28-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@


# 1.667 27-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Convert the pfctl(8) rule parser to divert types, kernel cleanup
will be the next step.
OK sashan@


# 1.666 25-Nov-2017 sashan

- pfctl fails to handle nested 'load anchor' properly
[ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]

OK bluhm@


# 1.665 14-Nov-2017 sashan

- nested anchors vs. pfctl/parse.y
bug reported and fix tested by Leonardo Guardati

OK bluhm@


# 1.664 13-Nov-2017 henning

add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb


Revision tags: OPENBSD_6_2_BASE
# 1.663 11-Aug-2017 benno

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@


# 1.662 19-Jul-2017 mikeb

Allow HFSC classes to use flow queues

The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue. Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.

Discussed with and OK henning@ at d2k17 as a part of a larger diff.


# 1.661 19-Jul-2017 mikeb

Rework HFSC vs FQ-CoDel checks

The selection mechanism introduced in pf_ioctl.c -r1.316 suffers
from being too ambiguous and lacks robustness. Instead of relying
on composition of multiple flags in the queue specification, it's
easier to identify the root class (if it exists) and derive all
further checks from it.


# 1.660 28-May-2017 akfaew

Don't check np->port for NULL - it's an array, it's never NULL.

OK bluhm@


# 1.659 15-May-2017 mikeb

Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)

OK sthen, visa


# 1.658 28-Apr-2017 mikeb

Remove double assignments


Revision tags: OPENBSD_6_1_BASE
# 1.657 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.656 23-Nov-2016 bluhm

Explicitly forbid combining af-to with route-to in pfctl. The
parser cannot handle that correctly and it is unclear whether the
kernel code would work. Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@


# 1.655 26-Aug-2016 guenther

Add <time.h> for time(); sort <*.h> includes

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.654 18-Jul-2016 henning

g/c unused (global!) var: oqueues isn't used any more. ALTQ leftover; not
noticed since struct node_queue stayed. ok claudio benno gcc


# 1.653 22-Jun-2016 kettenis

Add curly braces that were missed in rev 1.651. Add parentheses to make the
condition in the if statement more readable while I'm there.

ok phessler@, benno@, florian@


# 1.652 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.651 21-Jun-2016 benno

the manpage documents that af-to does not work on pass out rules, but
the pf.conf parser allows it, which leads to a non-working configuration
being loaded.
this changes the parser to make pass out .. af-to an error.

ok henning@ mikeb@


# 1.650 16-Jun-2016 henning

allow include in inline anchors
with this,
anchor foo {
include "/path/to/rules"
}
works and "load anchor" is obsolete, to be removed somewhen later after
release.
co-production with reyk at bsdcan, ok reyk mikeb benno sasha


Revision tags: OPENBSD_5_9_BASE
# 1.649 01-Sep-2015 sashan

- route-to, dup-to, reply-to should not override the block action

Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>

ok jung@, ok mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.648 21-Apr-2015 mikeb

Improve divert-to specification parsing w.r.t. rule address family.
ok henning


Revision tags: OPENBSD_5_7_BASE
# 1.647 26-Feb-2015 sthen

%% not % in error message; ok millert@ henning@


# 1.646 14-Feb-2015 sthen

Rather than using 0xff as a placeholder for "don't check prio", use 0xff to
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.

Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesn't like it he can change it when he recovers from jet-lag"


# 1.645 10-Feb-2015 henning

since we inherit prio (as in, the queuing priority) from outside sources,
i.e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan


# 1.644 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.643 19-Dec-2014 reyk

Support source-hash and random with tables and dynifs; not just pools.
This finally allows using source-hash for dynamic loadbalancing, eg.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.

An older pre-siphash version of this diff was tested by many people.

OK tedu@ benno@


# 1.642 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.641 27-Oct-2014 mikeb

Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic. Reported by sthen@;
ok henning benno sthen


# 1.640 25-Oct-2014 lteo

Remove unnecessary netinet/in_systm.h include.

ok millert@


# 1.639 13-Sep-2014 doug

Replace all queue *_END macro calls except CIRCLEQ_END with NULL.

CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.

ok millert@


# 1.638 23-Aug-2014 pelikan

when you specify queues in a rule, make sure they have been defined.

DIOCADDRULE EBUSY turns into an error message that pfctl -n catches.
DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported
to occur, possibly from hfsc.c: this should be fixed as well.

ok henning mikeb sthen


# 1.637 21-Aug-2014 mikeb

deny "once" flags for match rules; ok henning


Revision tags: OPENBSD_5_6_BASE
# 1.636 02-Jul-2014 mikeb

branches: 1.636.4;
condition above makes this part of the check useless;
overlooked in the previous commit


# 1.635 30-Jun-2014 mikeb

Merge two loops in collapse_redirspec into one

This lets us do the checks only once and also make smarter decisions
about the rule's own address family. As a result af-to rules no longer
need to specify the address family after 'pass'.

ok henning


# 1.634 25-Jun-2014 mikeb

Make stricter decisions when handling translation specifications.

In particular, disallow specifications containing addresses of
different address families when the rule doesn't specify one, for
example "pass out nat-to { ::1 1.1.1.1 }" will now produce an
error instead of silently picking one of the addresses.

sthen and deraadt agree


# 1.633 17-May-2014 bluhm

When parsing a numerical value for the TOS bits, make sure that it
is in a valid range.
OK henning@


# 1.632 19-Apr-2014 henning

remove altq bits here, too
(i was convinced i committed that yesterday already, hrm)


Revision tags: OPENBSD_5_5_BASE
# 1.631 22-Jan-2014 henning

branches: 1.631.4;
relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.630 21-Jan-2014 henning

if_item can be "any" now.
allows things like
block out on $someif received-on any
to prevent packets to get forwarded to $someif


# 1.629 20-Jan-2014 henning

support "!received-on <interface>", ok dlg benno


# 1.628 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.627 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


# 1.626 17-Oct-2013 henning

cannot have queue definitions inside anchors.
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@@ring0.de>, analysis & fix yours truly


# 1.625 12-Oct-2013 henning

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen


# 1.624 01-Aug-2013 mikeb

Provide local implementations of if_nametoindex(3) and if_indextoname(3)
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance wise this change provides a speed up
factor of 20 with an 11k line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).

"wow!" henning, ok benno, florian


Revision tags: OPENBSD_5_4_BASE
# 1.623 01-Jun-2013 henning

branches: 1.623.2;
remove set-tos backwards compat, moved into the set {} block a year ago
ok ryan


# 1.622 02-Mar-2013 sthen

When a PF rule contains 'set tos' *followed by* a scrub option, the tos
value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning


Revision tags: OPENBSD_5_3_BASE
# 1.621 16-Jan-2013 henning

for consistency with prio etc, the queue assignment really belongs
into the set block. so make pfctl accept, print and the manpage document
. match set queue foo
instead of
. match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc


# 1.620 18-Oct-2012 reyk

Disallow tables and interface address pools for rdr-to, nat-to and
route-to with any other scheduling algorithms than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, eg. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.

Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.

ok zinke@


# 1.619 18-Sep-2012 henning

prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb


Revision tags: OPENBSD_5_2_BASE
# 1.618 10-Jul-2012 bluhm

Allow an implicit address family for af-to rules. If the address
family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6"
there.
OK henning@ mikeb@


# 1.617 10-Jul-2012 henning

set { ... } -> set ( ... )
brought up by ryan, discussed with him and theo and they convinced me


# 1.616 09-Jul-2012 henning

fix some of the confusion we have in pf regarding filter criteria vs
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler


# 1.615 07-Jul-2012 henning

remove incorrect check in pfctl preventing set-tos for ipvshit.
the kernel has code to deal with set-tos and that crap. don't ask for
details. stuart ok


# 1.614 07-Jul-2012 henning

rename prio in struct pf_rule and related structs to set_prio so it is
utterly clear this is not a filter criterion but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc


Revision tags: OPENBSD_5_1_BASE
# 1.613 19-Dec-2011 mikeb

unbreak rule optimizer; ok henning, looks


# 1.612 12-Dec-2011 mikeb

fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault


# 1.611 03-Dec-2011 mcbride

pfctl_set_hostid always returns 0; don't pretend otherwise and make it a
void function instead.

ok dlg


# 1.610 13-Oct-2011 claudio

pfctl change for af-to / NAT64 support.
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@


# 1.609 07-Sep-2011 haesbaert

Avoid possible SIGSEGV when a wrong tos option is given.


# 1.608 30-Aug-2011 mikeb

One shot rules can be used in pf.conf by specifying a "once" filter option.

ok henning, mcbride


Revision tags: OPENBSD_5_0_BASE
# 1.607 29-Jul-2011 mcbride

Remove requirement to quote 'debug' loglevel for the 'debug' option.

ok henning


# 1.606 27-Jul-2011 mcbride

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt


# 1.605 13-Jul-2011 mcbride

Force user to specify protocol when filtering on user, gid, and os
attributes (this is now required by pf_rule_test()).

ok sthen henning


# 1.604 08-Jul-2011 henning

allow rules to specify "prio X" or "prio (X, Y)" to assign priority levels
for the new priority queueing implementation. valid range is 0 to 7. the old
trick for prioritizing empty ACKs etc. remains through the latter notation
ok ryan mpf sthen plus pea testing and halex and claudio reading


# 1.603 07-Jul-2011 mcbride

Fold pf_test_fragment() into pf_test_rule(), reduces code and fixes
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus


# 1.602 04-Jul-2011 henning

bye bye require-order.
i added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo


# 1.601 03-Jul-2011 henning

g/c RIO traces (aka clean up after tedu :))


# 1.600 03-Jul-2011 zinke

bring in least-states load balancing algorithm

ok mcbride@ henning@


# 1.599 06-Apr-2011 claudio

Userland bits to allow PF to filter on the rdomain a packet belongs to.
This allows writing rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@


# 1.598 05-Apr-2011 mikeb

ditch fastroute, an ipf feature that made its way into pf before
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do. reuse some kernel bits for the upcoming nat64
stuff. "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.


Revision tags: OPENBSD_4_9_BASE
# 1.597 31-Dec-2010 bluhm

According to pf_scrub_ip6() pf does not support the scrub options
no-df, random-id, set-tos for IPv6 rules. Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@


# 1.596 15-Dec-2010 henning

make the "invalid probability:" yyerror suck less
From: Thomas Pfaff <tpfaff@tp76.info>


# 1.595 01-Dec-2010 jsg

remove some unused tokens
ok henning@ mcbride@


# 1.594 24-Sep-2010 henning

remove the check that enforced rdr-to only inbound and nat-to only outbound.
both now can be used in both directions. the kernel allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given, a rule with rdr-to and/or nat-to
and no direction is pretty certainly an error (even though it would work,
technically)
ok ryan claudio dlg


# 1.593 22-Sep-2010 henning

new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually


# 1.592 02-Sep-2010 sobrado

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@


Revision tags: OPENBSD_4_8_BASE
# 1.591 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.590 03-Jul-2010 mcbride

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.

tested by phessler
ok henning


# 1.589 23-Mar-2010 henning

remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving anchors aside) is wrong and
conflicts with the general idea of how pf works. last not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc


Revision tags: OPENBSD_4_7_BASE
# 1.588 13-Jan-2010 deraadt

Move tokens before productions into more consistent places
ok mcbride


# 1.587 13-Jan-2010 mcbride

Allow /netmask notation in redir spec, fix the rest of the regress
tests for illegal conditions in translation/routing.


# 1.586 12-Jan-2010 mcbride

We actually have to keep the translate/route spec addresses around after
collapsing into tables, so that we can handle all possible address family
expansions.


# 1.585 12-Jan-2010 mcbride

Set roundrobin flag correctly, and don't treat a bare interface
like a dynamic one in the routespec.


# 1.584 12-Jan-2010 mcbride

Add restrictions to make @if illegal outside of routing specs;
Fix binat-to sanity checks.


# 1.583 12-Jan-2010 mcbride

Fix some issues in redir spec handling, discovered thanks to dlg testing
- purge irrelevant addresses from the lists before collapsing
- ensure the lists are freed after they're collapsed
- more careful ifname copying, avoiding double-free / use-after-free traps


# 1.582 12-Jan-2010 mcbride

Don't leak @if0 format routing host names, pointed out by claudio.


# 1.581 12-Jan-2010 mcbride

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio


# 1.580 10-Jan-2010 deraadt

lex <=, >=, and != into a single token for correctness and to reduce the
lookahead in the parser
ok henning otto


# 1.579 10-Jan-2010 deraadt

In the non-optimized case, an address list containing "any" (i.e. { any 10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1. How long this bug has
been with us is unclear.
ok guenther mcbride


# 1.578 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


# 1.577 24-Dec-2009 dlg

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:

pass out on em0 from $foo to $bar received-on fxp0

ive been running this in production for a week now. i find it particularly
useful with interface groups.

no objections, and a few "i like"s from henning, claudio, deraadt, mpf


# 1.576 10-Dec-2009 deraadt

plug some memory leaks; found by parfait, ok henning


# 1.575 22-Nov-2009 henning

cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing


# 1.574 09-Nov-2009 jsg

A few more places to be updated for the route pool change.
expanded version of a diff from Vadim Zhukov.

ok henning@ claudio@


# 1.573 28-Oct-2009 jsg

Add a dedicated pf pool for route options as suggested by henning,
which unbreaks i.e. route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@


# 1.572 28-Oct-2009 claudio

route_host initializes the netmask to a /128 no matter what af is used so
that the load balancing code does not freak out but because of this
check_netmask() is now complaining. So set the addr.type to PF_ADDR_DYNIFTL
so check_netmask() is fixing up the netmask for IPv4 and stops complaining.
This is a partial fix for the failing regress test 13.
found with jsg, looks good henning


# 1.571 28-Oct-2009 claudio

Correct function name in err and errx.


# 1.570 04-Oct-2009 michele

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who pointed out the limitations of this approach.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@


# 1.569 08-Sep-2009 michele

I had not enough oks to commit this diff.
Sorry.


# 1.568 08-Sep-2009 michele

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.


# 1.567 07-Sep-2009 reyk

implement binat-to as a macro-like rule: a rule using the new binat-to
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. this simplifies the migration from old
binat rules and is less error-prone.

feedback from many, manpage bits from jmc@
ok henning@


# 1.566 03-Sep-2009 reyk

this time i commit the right diff that was
ok henning@ (sorry)


# 1.565 03-Sep-2009 reyk

fix two route-to vs. rdr-to conflicts.

found by sthen@
ok henning@


# 1.564 02-Sep-2009 reyk

all the new *-to options are part of the "filteropts" section at the
end of a pf rule (nat-to, divert-to, rdr-to, ...). take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.

for example,
pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)

many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@


# 1.563 01-Sep-2009 henning

the diff theo calls me insanae for:
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too


# 1.562 28-Jul-2009 claudio

Bring back rev. 1.560:
Make it possible to use DiffServ Code Point in the TOS fields.
Requested by deraadt@


# 1.561 27-Jul-2009 deraadt

When will people learn to commit their .h file changes?


# 1.560 27-Jul-2009 claudio

Make it possible to use DiffServ Code Point in the TOS fields. Names like
af11, cs6 and ef will now be mapped to the corresponding TOS value.
OK henning@, sthen@, mcbride@


Revision tags: OPENBSD_4_6_BASE
# 1.559 14-May-2009 sthen

actually change the require-order default to No; I missed a part with
my last commit. ok deraadt@


# 1.558 26-Apr-2009 sthen

switch the require-order default to "no". regression tests still pass.
ok henning@ deraadt@


# 1.557 25-Apr-2009 henning

scrub_opts must not be empty, scrub on its own does nothing.
noticed due to a question from otto@, ok regress/sbin/pfctl/ ;)


# 1.556 06-Apr-2009 henning

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given, fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i.e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i.e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.


Revision tags: OPENBSD_4_5_BASE
# 1.555 19-Feb-2009 deraadt

spacing


# 1.554 17-Oct-2008 henning

in findeol(), do not skip the pushback buffer. fixes PR 5952 by sthen@ and
should make the pushback buffer really transparent.
diagnosis by me, fix with mpf, some input deraadt, ok mpf


# 1.553 02-Oct-2008 henning

implement "set state-defaults X", where X is a list of state options as
permitted in keep state(X). applies to all rules which do not have keep state
explicitly. e.g. "set state-defaults pflow, no-sync"
ok phessler deraadt


# 1.552 10-Sep-2008 deraadt

do not try to print $$ when it has not been set


# 1.551 09-Sep-2008 henning

welcome pflow(4), a netflow v5 compatible flow export interface.
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo


# 1.550 07-Aug-2008 henning

correctly copy the log interface spec when expanding an antispoof rule that
covers loopback addresses. ok ryan
problem report from Harald Dunkel <harald.dunkel@aixigo.de>


Revision tags: OPENBSD_4_4_BASE
# 1.549 03-Jul-2008 deraadt

do not forget to initialize other member of $$ in qname; noted by mark shroyer
ok henning


# 1.548 10-Jun-2008 mcbride

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt


# 1.547 10-Jun-2008 henning

new state option "sloppy" to use the sloppy tcp state tracker instead
of the good one. ok theo ryan reyk


# 1.546 09-May-2008 deraadt

Replace a crockpot of semi-cloned productions for handling port
numbers with one, and fix a few other bugs along the way
ok mpf henning


# 1.545 09-May-2008 markus

convert port byte order in the production; add port keyword; ok deraadt@


# 1.544 09-May-2008 markus

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@


# 1.543 08-May-2008 deraadt

make "to any" optional in binat, or well, the implied default.
requested by reyk, ok reyk mpf


# 1.542 08-May-2008 deraadt

Loosen grammar to permit any number of newlines within most kinds of { }
blocks, as requested by reyk; ok reyk mpf henning


# 1.541 08-May-2008 deraadt

Bring back (in a more yacc friendly way) support for setting variables
to a sequence of strings and numbers, which get folded together into one
string (and later, when used, is re-lexed)
ok mpf


# 1.540 07-May-2008 deraadt

do not assume PF_INOUT is 0 in the enum; ok mcbride


# 1.539 07-May-2008 markus

scrub packets based on tags; ok henning


# 1.538 07-May-2008 markus

allow setting TOS with scrub; ok mcbride, claudio


# 1.537 21-Apr-2008 deraadt

optnl is a crutch for those who do not understand yacc. it
leads to a variety of errors; ok mcbride


Revision tags: OPENBSD_4_3_BASE
# 1.536 01-Feb-2008 mcbride

Enable the rest of the filter_opts to be used on anchors. These were accepted
by the parser but not passed to the kernel. This allows filtering based on
uid, gid, icmp options, tcp flags, os fingerprint, tos, tags, and probability;
It also allows the label to be set. State options and tagging are not
permitted.

ok henning mpf


# 1.535 13-Nov-2007 mpf

Bring back the number converter for 'set hostid'.
I forgot to think about hex numbers when I removed it.
OK deraadt@


# 1.534 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.533 25-Oct-2007 mpf

Fix probability rules w/ numbers (e.g. probability 0.4).
Add support for probabilities of 0% and 100%.
With and OK deraadt@


# 1.532 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.531 22-Oct-2007 deraadt

pfctl does not need file secrecy


# 1.530 16-Oct-2007 mpf

Allow unquoted numbers in variables.
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.

OK deraadt@


# 1.529 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.528 13-Oct-2007 deraadt

support an include directive; file of course must also be "secure" like
the main configuration file; ok henning


# 1.527 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.526 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.525 01-Oct-2007 mpf

Backout NUMBER to string conversion.
Requested by deraadt@


# 1.524 27-Sep-2007 mpf

Add loginterface support for groups.
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.

OK henning@, markus@


# 1.523 23-Sep-2007 mpf

Allow numbers to be used as unquoted strings again.
While there, also restrict the use of concatenated, unquoted
strings for variable assignments only.

Eyeballed by markus@, OK henning@


# 1.522 12-Sep-2007 deraadt

add a missing range check for rtable ids; ok cloder henning


# 1.521 12-Sep-2007 deraadt

Add support to the lex for parsing numbers out of the stream. handle
this in the parser. because the new numbers are int64_t, many new
range checks for < 0 are needed. re-check and improve all the
existing rangechecks while at it. thanks for help by cloder and
dhartmei


# 1.520 30-Aug-2007 dhartmei

add support for address ranges ("from 10.1.2.50 - 10.1.3.75") in from/to
criteria. ok mcbride@


Revision tags: OPENBSD_4_2_BASE
# 1.519 21-Jun-2007 henning

always initialize logif, from max laier, ok ryan


# 1.518 20-Jun-2007 mpf

Allow "log" for nat rules without "pass".
OK henning@, ``passt scho'' markus@


Revision tags: OPENBSD_4_1_BASE
# 1.517 03-Feb-2007 dhartmei

in decide_address_family(), only limit a rule to a specific address family
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@


# 1.516 07-Nov-2006 mcbride

Unbreak authpf by handling non-inline anchors separately from the { } anchors
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.

ok deraadt@


# 1.515 31-Oct-2006 mcbride

Allow pfctl ruleset optimizer to be controlled from the ruleset.

"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]

You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.

cleanup and ok henning@


# 1.514 31-Oct-2006 mcbride

- don't allow anchors with _* names to be cleared or loaded from the
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified

'looks sensible' deraadt@


# 1.513 28-Oct-2006 mcbride

Load all rules into memory before loading into the kernel, and add support
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").

anchor on fxp0 {
pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@


# 1.512 25-Oct-2006 henning

make absolutely sure logif is 0 unless set specifically, even if log is 0.
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...


# 1.511 25-Oct-2006 henning

and another nit, $$.log should be set to 0 explicitly on quick without log


# 1.510 25-Oct-2006 henning

urgs, $$.quick needs to be set to 0 explicitly on log (without quick)


# 1.509 25-Oct-2006 henning

allow the log interface to be selected like
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride


# 1.508 17-Oct-2006 mcbride

Don't automatically set 'flags S/SA' on stateless rules.

pointed out by david@

ok mpf@ dhartmei@


# 1.507 11-Oct-2006 deraadt

quotes around filename, pr 5253, sthen@zephyr.spacehopper.org


# 1.506 11-Oct-2006 mcbride

Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside
the anchor, terminate ruleset evaluation when stepping out of the anchor.

This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.

ok dhartmei@ henning@ deraadt@


# 1.505 06-Oct-2006 mcbride

Oops, flags S/SA doesn't work on fragments.


# 1.504 06-Oct-2006 mcbride

Make 'flags S/SA keep state' the implicit for filter rules, based on
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.

IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.

Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.

ok dhartmei@ deraadt@ henning@


Revision tags: OPENBSD_4_0_BASE
# 1.503 22-Aug-2006 dhartmei

back out -r1.497 (support for "tagged {}" lists), it broke "tagged" support
for nat rules. sorry, existing functionality trumps syntactic sugar. feel
free to resubmit a complete patch. closes PR 5207.


# 1.502 06-Jul-2006 henning

add "rtable" to select alternate routing tables.
with & ok claudio hshoexer


# 1.501 17-Jun-2006 henning

KNF


# 1.500 28-May-2006 mcbride

Make per-rule adaptive timeouts behave the same way as the global adaptive
timeouts.


# 1.499 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.498 02-May-2006 dhartmei

fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, create
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.


# 1.497 01-May-2006 dhartmei

add support for "tagged {}" lists, from Pierre-Yves Ritschard


# 1.496 06-Apr-2006 henning

allow lists inside lists for address specs, has been in my tree for
quite some time... theo likes


# 1.495 14-Mar-2006 djm

implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@


Revision tags: OPENBSD_3_9_BASE
# 1.494 17-Nov-2005 dhartmei

for pfctl -f rules, open the file before resetting options. when opening
the file fails, produce only the error message and leave options
unchanged. reported by Tamas TEVESZ, ok deraadt@


# 1.493 13-Oct-2005 henning

unused parameters


Revision tags: OPENBSD_3_8_BASE
# 1.492 14-Jun-2005 henning

no need to restrict tagging to stateful rules any more, dhartmei ok
From: "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.491 27-May-2005 dhartmei

get rid of 'log-all'. now that we have 'log (options)', make 'all' an
option to log. so, 'log-all' becomes 'log (all)'.


# 1.490 27-May-2005 dhartmei

get rid of shift/reduce conflicts, don't support empty logopts


# 1.489 27-May-2005 dhartmei

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v is used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.


# 1.488 27-May-2005 dhartmei

allow 'tagged' in 'anchor' rules (without complaining about missing
'keep state'), as a condition to branch into the anchor. suggested
by Bill Marquette.


# 1.487 26-May-2005 camield

The illegalness of "no nat log" is already enforced by the grammar.

ok dhartmei


# 1.486 26-May-2005 dhartmei

support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@


# 1.485 23-May-2005 camield

remove code that duplicates getservice()

ok dhartmei mcbride


# 1.484 21-May-2005 henning

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo


# 1.483 22-Apr-2005 camield

Catch bad flags, ie. flags that always evaluate to false. This happens
if there are flags on the lefthandside that are masked off by the
righthand side.

ok mcbride@ (long time ago) dhartmei@ henning@


Revision tags: OPENBSD_3_7_BASE
# 1.482 07-Mar-2005 henning

print unsigned long with %lu, not with %d and not with %ld.
From: Andrey Matveev <andrushock@korovino.net>


# 1.481 06-Mar-2005 henning

allow commas in the hfsc service curve spec, inconsistency pointed out in
PR4134 / geoff@collyer.net and a longer mail exchange with han boetes


# 1.480 06-Mar-2005 dhartmei

print "set skip on" with -v in such a way that the output is valid input
syntax, instead of the cryptic hex flags output.


# 1.479 27-Feb-2005 dhartmei

support 'tagged' in translation rules, non-delayed tag lookup
ok henning@, deraadt@


# 1.478 26-Feb-2005 henning

you sure get the impression the number of memory leaks in error paths
is infinite... Andrey Matveev <andrushock@korovino.net> spotted a few again!


# 1.477 07-Feb-2005 david

KNF; ok henning@


# 1.476 28-Jan-2005 dhartmei

add messages for syntax errors that caused silent failure before.
found by Peter Fraser, ok henning@


# 1.475 27-Jan-2005 dhartmei

dynamic interface names must start with a letter. catches the nonsensical
"(10.1.2.3)" that results from a simple typo like "$(ext_ip)" instead of
"$(ext_if)".


# 1.474 05-Jan-2005 mcbride

Modify pfctl behaviour so that 'set ...' options are no longer "sticky", i.e.
they are reset to default values if omitted from a subsequent ruleset load.
Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set
without resetting the others, e.g.:
# echo "set loginterface fxp0" | pfctl -mf -

ok henning@ dhartmei@


# 1.473 29-Dec-2004 mcbride

Print 'set fingerprints' correctly when parsing verbosely.


# 1.472 23-Dec-2004 dhartmei

set rule_flag PFRULE_SRCTRACK when setting srctrack, found by camield@
using regress test pf84


# 1.471 22-Dec-2004 dhartmei

Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@


# 1.470 15-Dec-2004 henning

missing free()s; with pat


# 1.469 10-Dec-2004 henning

allow pf to filter on route labels
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan


# 1.468 08-Dec-2004 mcbride

Add "'overload' requires 'max-src-conn' or 'max-src-conn-rate'" sanity check,
fix some cut-n-paste mayhem in other related checks.


# 1.467 07-Dec-2004 dhartmei

re-commit mcbride@'s 'flush global', this time without the breakage in
pfvar.h. builds kernel and userland.


# 1.466 07-Dec-2004 deraadt

real backout


# 1.465 07-Dec-2004 deraadt

oops, incomplete backout


# 1.464 07-Dec-2004 deraadt

tree does not compile, spotted by dlg (not obvious how to fix)
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.463 07-Dec-2004 mcbride

Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.462 05-Dec-2004 dhartmei

initialize $$->tail and $$->next for MAXSRCCONNRATE


# 1.461 04-Dec-2004 mcbride

Userland support for limiting open tcp connections per source. eg:

keep state (max-src-conn 1000, max-src-conn-rate 100/10, overload <bad> flush)

allow a maximum of 1000 open connections or 100 new connections in 10 seconds.
The addresses of offenders are added to the <bad> table which can be used in
the ruleset, and existing states from that host are flushed.

ok deraadt@ dhartmei@


# 1.460 21-Sep-2004 aaron

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok


Revision tags: OPENBSD_3_6_BASE
# 1.459 29-Jun-2004 henning

remove cedric's bogus interface name verification code.
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nice enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being bugged to regularly.
help & ok mcbride@


# 1.458 29-Jun-2004 frantzen

convert a few memcpy()s to strlcpy() so we don't copy uninitialized junk into
an interface name's slack space past the \0. will be needed for the optimizer.
ok henning@


# 1.457 26-Jun-2004 david

add back PF_INOUT, fixes reassemble tcp
ok canacar@ mcbride@


# 1.456 25-Jun-2004 deraadt

repair tree nanobreak by the nanobum


# 1.455 10-Jun-2004 dhartmei

rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
keyword in C++. ok henning@, cedric@


# 1.454 21-May-2004 dhartmei

Use '/' instead of ':' as separator for anchor path components. Note that
the parser now needs quotes around paths containing separators.
ok mcbride@


# 1.453 19-May-2004 dhartmei

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@


# 1.452 24-Apr-2004 cedric

Add "probability xxx" rule modifier. ok deraadt@


# 1.451 22-Apr-2004 henning

typo, From: Jared Yanovich <jjy2+@pitt.edu>


# 1.450 14-Apr-2004 cedric

make antispoof work with dynamic addresses. ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_5_BASE
# 1.449 20-Mar-2004 david

spelling fix; ok dhartmei@ henning@ deraadt@


# 1.448 14-Mar-2004 dhartmei

#include fixes, from Max Laier, ok beck@ henning@


# 1.447 08-Mar-2004 henning

plug 124 memory leaks
ok mcbride@ pb@ dhartmei@


# 1.446 06-Mar-2004 henning

from bgpd:
plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. err(1, "yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@
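The leak this entry describes, as an added example that is not the pfctl or bgpd lexer: a keyword table, a lookup() that falls back to STRING, the leaky yylex() that strdup()s for every token beside the fixed one that only copies for STRING, and a consumer that frees the value exactly where the grammar would. The keyword table, token names and the rule text are assumptions of this example; allocation counters make the difference measurable.

```c
#include <stdlib.h>
#include <string.h>

/* Added example; token names and keyword table are assumed. */
enum token { STRING = 1, PASS, BLOCK, IN, OUT, ON, KEEP, STATE };

static const struct {
	const char	*name;
	enum token	 token;
} keywords[] = {
	{ "block", BLOCK }, { "in", IN }, { "keep", KEEP }, { "on", ON },
	{ "out", OUT }, { "pass", PASS }, { "state", STATE },
};

/* Semantic value of the current token; only STRING's grammar action free()s it. */
static char *yylval_string;

/* Counters that make the leak visible. */
static int allocs, frees;

/* Match buf against the keyword table; STRING for anything else. */
static enum token
lookup(const char *s)
{
	size_t i;

	for (i = 0; i < sizeof(keywords) / sizeof(keywords[0]); i++)
		if (strcmp(keywords[i].name, s) == 0)
			return (keywords[i].token);
	return (STRING);
}

/* strdup() equivalent that counts what it hands out. */
static char *
counted_strdup(const char *s)
{
	size_t len = strlen(s) + 1;
	char *p = malloc(len);

	if (p == NULL)
		abort();
	memcpy(p, s, len);
	allocs++;
	return (p);
}

/* Before the fix: a copy for every token, freed only when it was STRING. */
enum token
yylex_leaky(const char *buf)
{
	enum token token = lookup(buf);

	yylval_string = counted_strdup(buf);
	return (token);
}

/* After the fix: copy only when the grammar will consume the value. */
enum token
yylex_fixed(const char *buf)
{
	enum token token = lookup(buf);

	yylval_string = NULL;
	if (token == STRING)
		yylval_string = counted_strdup(buf);
	return (token);
}

/* Stand-in for the grammar actions: STRING rules free their value. */
static void
consume(enum token token)
{
	if (token == STRING) {
		free(yylval_string);
		yylval_string = NULL;
		frees++;
	}
}

/* Lex a space-separated rule with lex and return allocations never freed. */
int
leaked_allocations(enum token (*lex)(const char *), const char *rule)
{
	char word[64];
	size_t n = 0;

	allocs = frees = 0;
	for (;; rule++) {
		if (*rule != ' ' && *rule != '\0') {
			if (n + 1 < sizeof(word))
				word[n++] = *rule;
			continue;
		}
		if (n > 0) {
			word[n] = '\0';
			consume(lex(word));
			n = 0;
		}
		if (*rule == '\0')
			break;
	}
	return (allocs - frees);
}
```

For "pass in on fxp0 keep state" the leaky lexer loses one allocation per keyword, five in total, while the fixed one leaks nothing; the difference scales with every rule in a large pf.conf.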


# 1.445 01-Mar-2004 dhartmei

support "tagged <name>" on anchor rules, suggested by vd@vmunix.lt,
ok henning@, cedric@


# 1.444 24-Feb-2004 mcbride

'max-src-nodes' requires 'source-track rule'. Set that automatically,
unless 'source-track global' is explicit, in which case error out. Lots of
help from cedric@.

ok cedric@ henning@


# 1.443 24-Feb-2004 cedric

fixup.


# 1.442 24-Feb-2004 mcbride

Check for 'source-track rule' with 'max-src-nodes'.

ok cedric@ henning@


# 1.441 11-Feb-2004 cedric

Fix interface clobbering for link-local addresses. Found by Pyun YongHyeon.
Fix "antispoof for foo" when foo has no addresses.
ok+help dhartmei@, ok mcbride@


# 1.440 10-Feb-2004 henning

KNF


# 1.439 10-Feb-2004 henning

fix at least the worst of Cedric "KNF is for everybody but me" Berger's fuckup


# 1.438 04-Feb-2004 mcbride

Handle rules like 'pass ... proto { tcp udp icmp } ... modulate state'

ok dhartmei@ henning@


# 1.437 03-Feb-2004 henning

fix PR 3664 / jared r r spiegel
we need to save the unexpanded tag/tagged strings before entering the
expansion loop, and at each loop, start with the unexpanded tag, so that
on subsequent loops the macros are replaced with current values and not
the values from previous loop persist
ryan theo ok


# 1.436 05-Jan-2004 henning

few off by ones in strlcpy overflow check; Patrick Latifi


# 1.435 04-Jan-2004 cedric

don't ignore "!" on "binat on !foo". ok mcbride@


# 1.434 31-Dec-2003 deraadt

spacing. note this, cedric


# 1.433 31-Dec-2003 cedric

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@


# 1.432 30-Dec-2003 henning

fix TAILQ abuse.
TAILQ_REMOVE is a no-no within a TAILQ_FOREACH loop.
also free the symbol itself after removal.
all found while hacking bgpd which incorporates pfctl's sym code (macros).

ok cedric@


# 1.431 19-Dec-2003 henning

i wrote much of these, assert my copyright


# 1.430 19-Dec-2003 deraadt

assert copyright. i rewrite much of this


# 1.429 16-Dec-2003 mcbride

Check that max-src-states and max-src-nodes are not being set to 0.


# 1.428 15-Dec-2003 henning

KNF here too


# 1.427 15-Dec-2003 mcbride

Whitespace.


# 1.426 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. i.e., a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


# 1.425 15-Dec-2003 mcbride

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@


# 1.424 29-Nov-2003 dhartmei

allow ':' (range including boundaries) to be used wherever '><' (range
excluding boundaries) is legal. already supported by kernel, requires only
removal of three error messages. ok henning@


# 1.423 22-Nov-2003 henning

daniel stumbled over a broken regress test, and it turned out that I forgot
to commit a diff from 11/6...
do not insert the "block in on ! interface" rule for antispoof statements when
the interface in question does not have any IP address, because that then
expands to
block in on ! interface all
which is obviously bad.
niklas@ found it, dhartmei@ ok, and I think some more ppl ok I don't remember


# 1.422 14-Nov-2003 henning

allow the debuglevel to be set from pf.conf (set debug)

ok cedric@


# 1.421 08-Nov-2003 mcbride

Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.

pass in proto tcp to self flags S/SA keep state (no-sync)

ok cedric@ henning@ dhartmei@


# 1.420 06-Nov-2003 henning

and fix two err() that should be errx() while being here


# 1.419 06-Nov-2003 henning

need calloc here


# 1.418 06-Nov-2003 henning

allow the label macros to be used in tags as well.
the idea is not mine and I'd love to get credit, but I cannot find the mail
any more :-((

ok canacar@ dhartmei@


# 1.417 21-Oct-2003 itojun

don't use NULL as (int)0. henning ok


# 1.416 26-Sep-2003 cedric

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remain in the kernel). Basically, improvements are:

- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK

Ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_4_BASE
# 1.415 01-Sep-2003 henning

KNF


# 1.414 28-Aug-2003 kjell

This change is busted. what's worse, REGRESSION TESTS WOULD HAVE CAUGHT IT!
You MUST test network stack changes on BOTH BYTE-ORDERS.
Someone can fix this later, but right now I need to get the damn
firewall up. Grr.


# 1.413 26-Aug-2003 dhartmei

catch port/user/group a <>/>< b with a >= b, from mpech@


# 1.412 25-Aug-2003 dhartmei

catch return-rst ttl values > 255, from aaron@


# 1.411 24-Aug-2003 cedric

Tweaks:
- Make sure we allow only tables in round-robin pools for routing options,
same as what we do for translation rules.
- Don't reject rules like: "nat on sis0 -> <foo>" because
"no address family is given". This is perfectly valid.
ok henning@


# 1.410 22-Aug-2003 david

pf spelling police
ok dhartmei@ jmc@


# 1.409 21-Aug-2003 frantzen

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001


# 1.408 20-Aug-2003 henning

braindeadness police: catch queues which specify themselves as child... 'nuff said


# 1.407 20-Aug-2003 henning

err out nicer on errors in queue def


# 1.406 18-Aug-2003 dhartmei

catch max-mss values > 65535, report by Gregory Steuck


# 1.405 09-Aug-2003 cedric

This patch removes the restriction that tables cannot be used in routing or
redirection rules...

The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.

This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.

Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"

ok henning@ mcbride@


# 1.404 29-Jul-2003 deraadt

indent


# 1.403 19-Jul-2003 cedric

Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
instead of indirectly through struct pf_rule_addr.

Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.

Needless to say: KERNEL/USERLAND SYNC REQUIRED.

ok henning@ mcbride@


# 1.402 18-Jul-2003 cedric

Simplify handling of flags (-R, -N...). Remove PFCTL_FLAG_ALL.
ok dhartmei@


# 1.401 15-Jul-2003 cedric

Repair memory management in table parsing code.
I need vacations.
Found and verified by Pyun YongHyeon.
ok dhartmei@


# 1.400 14-Jul-2003 dhartmei

typo


# 1.399 11-Jul-2003 cedric

Better parsing and -v support for tables:

- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and bring table definition consistent with other
parsed rules.

ok dhartmei@


# 1.398 10-Jul-2003 cedric

Fix merging of host lists.
ok dhartmei@ henning@


# 1.397 04-Jul-2003 henning

KNF after cedric (grmpf)


# 1.396 04-Jul-2003 henning

allow for a "pass" modifier on translation rules:
nat pass on $ext_if from $a to $b -> $ext_if
when the pass modifier is given, the filter ruleset is _not_ evaluated but
the packets matching this translation rule are passed unconditionally.

ok dhartmei@ cedric@ markus@


# 1.395 03-Jul-2003 cedric

Bye bye atexit(), bye bye globals...
The pfctl.c part will probably need some further improvements.
ok henning@


# 1.394 03-Jul-2003 cedric

This patch finally cleans up pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@


# 1.393 19-Jun-2003 deraadt

knf


# 1.392 18-Jun-2003 henning

change expand_label_addr() to use a switch (h->addr.type) instead of
if .. else if .. else, and handle PF_ADDR_NOROUTE as well.
inspired by a comment from cedric.


# 1.391 18-Jun-2003 henning

when expanding the $srcaddr/$dstaddr label macros and the address is actually
a table reference, don't print nonsense but the table name.
found by claudio jeker, fix by me, agreement by cedric


# 1.390 09-Jun-2003 mcbride

Attempt to resolve byte order confusion in nat code once and for all.

- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()

NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.


# 1.389 25-May-2003 henning

must not run check_netmask() before remove_invalid_hosts() - binat case had it
wrong for the redirection target.
reported by jared r r spiegel <jrrs@ice-nine.org>


# 1.388 19-May-2003 henning

reject invalid netmasks like 10.0.0.0/68, and fix up the netmask for
dynaddr rules after we know the address family

ok dhartmei@, inspired by a session with bob


# 1.387 19-May-2003 henning

all host() receivers have to test for NULL


# 1.386 19-May-2003 henning

if host() returns NULL, it is an error, so err the fuck out and don't
load bullshit


# 1.385 17-May-2003 henning

support inverse matching on tags like
block in ! tagged sometag

ok dhartmei@ pb@


# 1.384 16-May-2003 dhartmei

TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive end-
point, preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@


# 1.383 15-May-2003 henning

properly complain about too long tags


# 1.382 14-May-2003 frantzen

add scrub modifier "reassemble tcp" to turn on stateful TCP normalizations
ok henning@ dhartmei@


# 1.381 14-May-2003 henning

tagging on binat


# 1.380 14-May-2003 henning

enabled tagging on rdr rules


# 1.379 14-May-2003 henning

with tag/tagged given, only whine about missing keep state on pass rules


# 1.378 14-May-2003 frantzen

allow SCRUB rules to specify protocol again. broken sometime in the past.
okie dhartmei@, yay pb@


# 1.377 14-May-2003 henning

tags on nat rules:
nat on $ext_if all tag humppa -> $ext_if
pass out tagged humppa keep state


# 1.376 13-May-2003 henning

make sure tagging is only ever used with stateful filter rules


# 1.375 13-May-2003 henning

userland part for tagging.
it's now possible to tag packets with an arbitrary tag and filter based on
that tag later on other interfaces:
pass in quick on fxp0 keep state tag blah
pass out quick on wi0 keep state with tag blah
can be used to express trust between interfaces, to distinguish between
NATed connections and connection originating from the firewall itself
and much more

ok dhartmei@ frantzen@ pb@ mcbride@


# 1.374 11-May-2003 mcbride

Don't ntohs() the translation port for nat as it is already in host byte order.
Makes nat ... -> $ext_if port 500 rules work correctly again.

ok henning@ dhartmei@ frantzen@


# 1.373 10-May-2003 henning

support loading of anchors from within the main ruleset via
load anchor anchorname:rulesetname file /path/to/file

ok pb@ dhartmei@ cedric@


# 1.372 03-May-2003 henning

don't free() the char * carrying the rule label too early
noticed by Mathieu Sauve-Frankel <m.sauve at secureops.net> via silc


# 1.371 01-May-2003 henning

ease label handling

ok cedric@


# 1.370 01-May-2003 henning

allow label on antispoof; requested by Gregor Binder <gbinder at sysfive.com>

ok cedric@


# 1.369 30-Apr-2003 cedric

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@


# 1.368 25-Apr-2003 dhartmei

Properly copy the second part of nat proxy port range, when specified.
ok henning@


# 1.367 15-Apr-2003 henning

pass down the unparsed queue opts (struct node_queue_opt) to
print_altq/print_hfsc -> print_hfsc_opts and extract struct node_hfsc_sc
there for each service curve and pass those down to print_hfsc_sc. now
bandwidth specifications in the service curves are printed correctly in the
case of a queue belonging to more than one interface/parent queue, the
parent queues having different bandwidths and the bandwidth on the service
curve being specified in percent.


# 1.366 14-Apr-2003 henning

let print_altq and print_queue take a struct node_queue_bw parameter instead
of distinct bw_percent


# 1.365 13-Apr-2003 henning

KNF


# 1.364 13-Apr-2003 henning

prevent double service curve specification


# 1.363 13-Apr-2003 henning

add support for the HFSC linkshare, realtime, and upperlimit service curves
to be specified.


# 1.362 13-Apr-2003 dhartmei

unbreak (missing })


# 1.361 13-Apr-2003 henning

say bye bye to hfscflags_list and hfscflags_item
welcome hfscopts_list and hfscopts_item, returning a full struct
node_hfsc_opt instead of just an int for the flags. needed because of all
the opts hfsc knows


# 1.360 13-Apr-2003 henning

new struct node_hfsc_opts for, surprise, hfsc options. needed because they
contain bandwidth specifications and we need to carry the unprocessed bw
specs around for quite some time until we can break them down to absolute
values.


# 1.359 13-Apr-2003 henning

pass down the struct node_queue_opts from the altqif/queuespec yacc targets
to expand_altq/expand_queue -> eval_pfaltq/eval_pfqueue and
further down to the new eval_queue_opts() instead of evaluating them directly
in the yacc grammar.
this will be needed to process the hfsc options which can contain relative
bandwidth specifications, and we can't break them down to an absolute one
earlier.


# 1.358 13-Apr-2003 henning

move the structs node_queue_bw and node_queue_opt to pfctl_parser.h.
let eval_pfqueue() and eval_pfaltq() take a pointer to a struct
node_queue_bw instead of two distinct bw_absolute and bw_percent parameters.


# 1.357 13-Apr-2003 henning

move the bandwidth keyword from within the bandwidth target up to the
queue_opts target so the bandwidth parser can be used for other things too;
will be needed for hfsc's linkshare etc


# 1.356 12-Apr-2003 henning

initial support for the HFSC scheduler.
whoever uses that for more than toying around is on drugs. it's far from done.


# 1.355 11-Apr-2003 henning

KNF


# 1.354 11-Apr-2003 henning

don't set r->qid and r->pqid in expand_rule any more, queue name -> queue ID
mapping is done in kernel land now


# 1.353 07-Apr-2003 dhartmei

Catch and refuse invalid icmp codes (> 255). ok pb@, mpech@.


# 1.352 05-Apr-2003 henning

ease netmask handling a bit

input theo, ok dhartmei@


# 1.351 05-Apr-2003 henning

allow queue specs to be limited to certain interfaces.

altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two }
queue one priority 1 priq(default)
queue two on $if0 priority 15
queue two on ! $if0 priority 0

ok dhartmei@


# 1.350 05-Apr-2003 henning

whitespace KNF


# 1.349 04-Apr-2003 henning

clean up:
instead of letting the lexer interpret '<' '>' '=' '>=' '<=' and return them
as PF_OP_LT, PF_OP_GT etc etc etc in PORTUNARY, just let the lexer return
'<' '>' and '=' literally, and in the few cases where the old PORTUNARY was
really used like originally intended, replace that by a new unaryop yacc
target. in all other cases that gets rid of quite some checks whether PORTUNARY
is really < and nothing else etc etc etc.

ok cedric@ deraadt@


# 1.348 27-Mar-2003 henning

lotsa const char *
from David Hill <david at phobia.ms> a while ago


# 1.347 27-Mar-2003 henning

introduce a "yesno" target. eases code a bit and yes is not a keyword any more.


# 1.346 27-Mar-2003 henning

handle invalid priq/cbq flags better and give a nice error message


# 1.345 27-Mar-2003 henning

default, borrow, ecn, red and rio are not keywords any more. use STRING and
strcmp instead.


# 1.344 27-Mar-2003 henning

switch symset/symget to TAILQ instead of using hand baked lists

ok dhartmei@ cedric@


Revision tags: OPENBSD_3_3_BASE
# 1.343 19-Mar-2003 henning

branches: 1.343.2;
kill the address token and move the host() invocation up to the host token,
so that host() always gets the full address to be parsed including the
netmask instead of applying the netmask afterwards. this could break some
edge cases and was broken since the (interface)/24 fix.
new token dynaddr for, well, dynaddr, and apply an eventually given netmask
afterwards in the host token just in this case.

found after bug report From: Julien Bordet <zejames@greyhats.org> via dhartmei

ok daniel cedric


# 1.342 10-Mar-2003 henning

correctly cope with errors returned by eval_pfqueue and pfctl_add_altq

ok dhartmei@ pb@ (as part of... you know, monsterdiff)


# 1.341 10-Mar-2003 henning

when complaining about a queue without parent, include the queue name in
the error message

ok dhartmei@ pb@ (as part of a monsterdiff)


# 1.340 09-Mar-2003 henning

cope with LOOP_THROUGH modifying the list (queues).
in case of an error in the queue def in question the queues list remains
unmodified, but the LOOP_THROUGH caused a mod anyway, and the list can stay
empty. subsequent checks for NULL which check for an empty list fail then.
fix by adding an explicit check before looping.
fixes regress pfail31
error report by Kamil Andrusz via pb@, testcase from pb@
ok dhartmei@


# 1.339 09-Mar-2003 henning

cope with the fact that LOOP_THROUGH loops once even if the list is empty by
moving the addition of child queues a bit down after the successful
addition of the current queue and an explicit NULL check before looping.
fixes regress pf59
found by kjc@
ok kjc@ cedric@ dhartmei@


# 1.338 08-Mar-2003 henning

fix the obvious:
since we do not modify the struct pf_altq *a any more but our private copy,
we can of course not inherit the scheduler type from it, since it did not
inherit the scheduler type from the parent.
so just inherit the scheduler type from the parent directly...

ok dhartmei@ cedric@


# 1.337 08-Mar-2003 henning

in expand_queue, make a private copy of the struct pf_altq before modifying
it. modifying the original one had undesired side effects if a queue was
expanded to more than one because it belonged to more than one interface

ok pb@ cedric@ dhartmei@


# 1.336 06-Mar-2003 henning

fix queue assignment on filter rules which are not bound to an interface.
when looking up the queue IDs using qname_to_qid, we do not need to limit
the matching on the interface in question, as it is guaranteed that same
named queues on different interfaces have the same queue id. moreover, we
must not limit the matches to the interface if we do not have an interface
given on the filter rule to match on ;-)

found after problems reported by Andre Nathan <andre at v2r dot com dot br>

ok dhartmei@ pb@ cedric@


# 1.335 02-Mar-2003 henning

when printing queues at load time that have bandwidth specified in percent,
print the bandwidth in percent instead of the calculated absolute value.
if a queue belongs to more than one interface and they have different
bandwidth the calculated absolute is of course different per interface.
previously the first calculated absolute value was shown; what of course is
incorrect on the second interface. note that only the print was wrong, the
correct values were passed to the kernel.

ok theo daniel


# 1.334 02-Mar-2003 henning

remove the control keyword for cbq queues.
the control class was a legacy of the original CBQ design by LBL/Sun
to support RSVP.
the control class is not used in openbsd, in the sense that
we don't automatically set filters for ICMP/IGMP/RSVP for the control
class.

ok dhartmei@ kjc@ deraadt@


# 1.333 27-Feb-2003 david

modify error message to match the same 7 sections in pf.conf(5)
ok deraadt@ henning@


# 1.332 26-Feb-2003 henning

in expand_rule, correctly set r->pqid if a priority queue was defined, and
reuse the value of r->qid if not.

ok dhartmei@ mcbride@


# 1.331 25-Feb-2003 henning

some minor KNF my fingers just did...

ok dhartmei@ cedric@


# 1.330 25-Feb-2003 cedric

repair/simplify/flexify binat userland.
ok dhartmei@ henning@


# 1.329 24-Feb-2003 henning

when a macro is redefined, don't bother with reusing the existing entry in
symset() but just prepend a new sym entry to symhead like we always did. as
symget searches the list sequentially, the newest one is picked first.
prevents an endless loop introduced when trying to reuse the existing entry
by an invalid setting for the next pointer.
fixes regress test pf57.

found after conversation with Chris Linn, celinn at mtu dot edu

ok dhartmei@ cedric@
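The macro table behaviour described in this entry, together with the "free the symbol after removal" point from 1.432 further up, as an added example that is not pfctl's sym code (which is TAILQ based; this one uses a plain singly linked list to stay self-contained): symset() always prepends, so a redefinition, such as one made on the command line, is found first by symget()'s sequential search, and symdel() unlinks each node and reads its next pointer before freeing it instead of freeing inside the walk. The macro names and values are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Added example; a simplified stand-in for pfctl's struct sym list. */
struct sym {
	struct sym	*next;
	char		*name;
	char		*val;
};

static struct sym *symhead;

static char *
copy_string(const char *s)
{
	size_t len = strlen(s) + 1;
	char *p = malloc(len);

	if (p == NULL)
		abort();
	memcpy(p, s, len);
	return (p);
}

/*
 * Define or redefine a macro. A redefinition does not touch the existing
 * entry (the reuse attempt is what produced the endless loop); it simply
 * becomes a new entry at the head of the list.
 */
int
symset(const char *name, const char *val)
{
	struct sym *sym = calloc(1, sizeof(*sym));

	if (sym == NULL)
		return (-1);
	sym->name = copy_string(name);
	sym->val = copy_string(val);
	sym->next = symhead;
	symhead = sym;
	return (0);
}

/* Sequential search from the head: the first hit is the newest definition. */
const char *
symget(const char *name)
{
	struct sym *sym;

	for (sym = symhead; sym != NULL; sym = sym->next)
		if (strcmp(sym->name, name) == 0)
			return (sym->val);
	return (NULL);
}

/*
 * Remove and free every definition of name; returns how many were freed.
 * The node is unlinked and its successor taken from the link cell before
 * free(), so the walk never reads a freed node's next pointer, which is
 * exactly what TAILQ_REMOVE inside TAILQ_FOREACH gets wrong.
 */
int
symdel(const char *name)
{
	struct sym **pp = &symhead, *sym;
	int n = 0;

	while ((sym = *pp) != NULL) {
		if (strcmp(sym->name, name) == 0) {
			*pp = sym->next;	/* unlink first */
			free(sym->name);
			free(sym->val);
			free(sym);		/* then free the symbol itself */
			n++;
		} else
			pp = &sym->next;
	}
	return (n);
}

/* Number of entries currently on the list, old definitions included. */
int
symcount(void)
{
	struct sym *sym;
	int n = 0;

	for (sym = symhead; sym != NULL; sym = sym->next)
		n++;
	return (n);
}
```

Redefining ext_if leaves both entries on the list but symget() returns the newer one; symdel() removes both and frees them without walking into freed memory.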


# 1.328 21-Feb-2003 henning

re-allow set loginterface none
ok cedric@ dhartmei@


# 1.327 21-Feb-2003 henning

better error message if set loginterface is called with nonexistent
interface, found by krause (who is doing EXCELLENT work. Thank you very
much!), fix by me, ok dhartmei@ and cedric@


# 1.326 20-Feb-2003 henning

reject nonexistent interfaces in the dynaddr case, noticed during discussion
with jasondixon at myrealbox dot com

ok dhartmei@


# 1.325 19-Feb-2003 dhartmei

Make 'from (kue0)/24' work again (dynamic interface name translation with
a /prefix), reported by Jason Dixon. ok henning@


# 1.324 19-Feb-2003 henning

better error message on icmp version / address family mismatch

ok markus@


# 1.323 18-Feb-2003 henning

fix load option handling (-A, -N, -R) for options.
due to a bug in the loadopt check options were always loaded no matter which
loadopts were specified.
while being there, move the prints for that to where they belong, into the
appropriate pfctl_set_* functions, and thus only print when the options are
actually loaded.
fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier.

ok dhartmei@


# 1.322 17-Feb-2003 henning

"optarg" was a bad pick for the variable name in pfctl_cmdline_symset, it
shadows a global. rename.


# 1.321 17-Feb-2003 mpech

-#include <sys/ioctl.h>

mcbride@, dhartmei@ ok


# 1.320 16-Feb-2003 henning

unneeded {}


# 1.319 16-Feb-2003 henning

throw a syntax error if the portunary operator in varset is not '='
extif>"whatever"
should not be the same as
extif="whatever"
but a syntax error.


# 1.318 14-Feb-2003 dhartmei

Allow route-to loopback interfaces again, since Ryan fixed the loops that
might have occurred before.


# 1.317 14-Feb-2003 cedric

Better and more consistent error message.
Ok dhartmei@


# 1.316 13-Feb-2003 henning

ease the yacc a bit by using a "not" rule instead of having two rules w/ and
without '!' everywhere

ok dhartmei@


# 1.315 12-Feb-2003 henning

KNF after ryan


# 1.314 12-Feb-2003 mcbride

Simplify the code and make the parser handle the different rule types
more consistently.

- Merge expand_nat and expand_rdr into expand_rule
- Merge rdrrule token into natrule

ok concept henning@
ok dhartmei@


# 1.313 11-Feb-2003 henning

allow macro definition on the command line:
pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea
theo), very handy if your notebook has another NIC at some conference, as
well as for debugging etc.
idea rezine@mistrusted.net via pb@
hacked live at FOSDEM

ok pb@ dhartmei@ cedric@


# 1.312 09-Feb-2003 henning

more live code from FOSDEM:
make
pass in proto tcp to port 80
work.
-allow to omit the "any" if you're specifying a port
-allow to omit the from or to part if you want "any" for the other

ok dhartmei@ pb@


# 1.311 09-Feb-2003 henning

KNF


# 1.310 09-Feb-2003 camield

Fix a few warnings and remove unnecessary check and cast.

ok dhartmei henning


# 1.309 08-Feb-2003 dhartmei

Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@


# 1.308 05-Feb-2003 cedric

Fix "pass out dup-to (tun0 1.1.1.1) inet6 all" error message
Allow "pass out dup-to tun0 all"
ok mcbride@ henning@


# 1.307 05-Feb-2003 mcbride

Set the network mask to all 1's if no address is specified for a
route-to/dup-to/reply-to rule. Keeps round-robin from incrementing through
the entire address space.

ok dhartmei@


# 1.306 03-Feb-2003 deraadt

pretty


# 1.305 03-Feb-2003 dhartmei

Don't allow loopback interfaces as route/reply/dup-to targets. ok henning@


# 1.304 03-Feb-2003 cedric

remove loadopt global definition and cleanup a bit.
ok henning@


# 1.303 03-Feb-2003 henning

fix a problem with queue definitions when load options (like -N etc) are
given; they used to check for their parent interface/queue even in this
case.

ok dhartmei@ cedric@


# 1.302 02-Feb-2003 henning

there is no need to pass opts to parse_rules explicitely; it's passed as
part of the struct pfctl.


# 1.301 27-Jan-2003 deraadt

KNF


# 1.300 25-Jan-2003 mcbride

Match changes for rdr port ranges made to pf.c:
- fixes behaviour of rdr on le0 from foo to bar port 1:20 -> (lo0) port 22
- makes calculated mapping more explicit for the -> (lo0) port 22:* case

testing from dhartmei@

ok dhartmei@


# 1.299 25-Jan-2003 cedric

Fix NOACTION with table statements.


# 1.298 25-Jan-2003 cedric

Permit initialisation of a table content from a file in pf.conf.
Cleaning up of the table options parsing, more flexible.
idea+cleanup deraadt@, ok dhartmei@, pass all regress tests.


# 1.297 25-Jan-2003 cedric

Correctly check illegal constructs with tables. Better error messages.
ok dhartmei@ pass all regress tests.


# 1.296 25-Jan-2003 henning

if a table name is too long, it's actually nice to tell so instead of just
aborting with a syntax error


# 1.295 20-Jan-2003 camield

Remove unused argument from print_name() and fix two other nits
found by lint.

ok henning


# 1.294 19-Jan-2003 camield

Spin off label string expansion into a separate function. Clarifies
and tightens all expand_label functions.

ok dhartmei henning


# 1.293 18-Jan-2003 henning

KNF after ryan...


# 1.292 18-Jan-2003 mcbride

Add missing token string and assignment to make static-port work for real.

Diff and report courtesy of mpech@ and form@

ok dhartmei@


# 1.291 17-Jan-2003 camield

bandwith -> bandwidth

YYERROR on failed parseicmpspec()

ok dhartmei mcbride henning


# 1.290 15-Jan-2003 mpech

Typo in yyerror().

henning@


# 1.289 14-Jan-2003 henning

unified IP parser:
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h]
-extend host() to handle /mask itself, plus minor adjustments
-use that in pfctl_table.c instead of coding the same shit again

discussed w/ cedric@
ok cedric@ dhartmei@


# 1.288 13-Jan-2003 camield

err() on all memory allocation failures

ok henning dhartmei


# 1.287 11-Jan-2003 mcbride

Whitespace KNF


# 1.286 09-Jan-2003 henning

no need for explicit numbering in enums

ok dhartmei@


# 1.285 09-Jan-2003 dhartmei

Check return values on the remaining strlcpy/strlcat. ok henning@


# 1.284 09-Jan-2003 henning

minor KNF


# 1.283 09-Jan-2003 cedric

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@


# 1.282 08-Jan-2003 deraadt

check more strlcpy; camield@


# 1.281 07-Jan-2003 dhartmei

Allow underscore at the beginning of strings, fixes
pass all user _spamd
which was refused as syntax error before. Reported by Joe Nall.
ok henning@


# 1.280 07-Jan-2003 dhartmei

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@


# 1.279 06-Jan-2003 mcbride

Fix some oversights with address pools for route-to/dup-to/reply-to
- copy key for src-hash
- copy pool type (pools were being set to round-robin in all cases)

+ some minor knf.

ok dhartmei@


# 1.278 05-Jan-2003 henning

err after calloc failure, not errx


# 1.277 05-Jan-2003 dhartmei

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@


# 1.276 04-Jan-2003 dhartmei

move noroute from flag in pf_rule_addr into type in pf_addr_wrap.
ok henning@, mcbride@


# 1.275 04-Jan-2003 deraadt

I do not know where this policy of "one .h file for every .c file" comes
from, but whoever thought of it is stupid.


# 1.274 03-Jan-2003 dhartmei

whitespace KNF (no, i don't touch the option inits)


# 1.273 03-Jan-2003 cedric

Bring in userland code for accessing PF radix tables.
ok dhartmei@ mcbride@


# 1.272 02-Jan-2003 mcbride

Require a direction to be specified for rules which do routing.

ok dhartmei@ henning@


# 1.271 30-Dec-2002 mcbride

Change ipv6-icmp-type to icmp6-type. pf.conf files will need to be adjusted
to reflect this.

ok dhartmei@ henning@


# 1.270 27-Dec-2002 mcbride

Since pf_norm.c looks at rule.log to see if it should log packets being
dropped due to scrub violations, this adds the ability to set this in
pf.conf.

ok henning@


# 1.269 21-Dec-2002 henning

always initialize rpool.key; diff from Frank Denis; KNF by me


# 1.268 21-Dec-2002 henning

KNF


# 1.267 20-Dec-2002 dhartmei

remove a redundant assignment.


# 1.266 19-Dec-2002 dhartmei

fix 'no rdr'.


# 1.265 18-Dec-2002 henning

more KNF


# 1.264 18-Dec-2002 dhartmei

proto list expansion is not supported in binat-anchor yet, print an error
when attempted.


# 1.263 18-Dec-2002 dhartmei

Support (single) destination port in rdr-anchor rules. Print an error
where parameters are not supported (in rdr-anchor and binat-anchor) yet.
If those are needed, we'll have to expand them properly.


# 1.262 18-Dec-2002 deraadt

fix some INCREDIBLE new bugs which were introduced


# 1.261 17-Dec-2002 henning

add support for the PRIQ scheduler

partially from kjc@

ok kjc@ dhartmei@


# 1.260 17-Dec-2002 mcbride

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule

ok dhartmei@ henning@


# 1.259 17-Dec-2002 henning

missing break in switch


# 1.258 17-Dec-2002 henning

beautify the %type block


# 1.257 17-Dec-2002 henning

PRIQ and HFSC support functions, not yet used.
mostly from kjc@ with adjustments by me.

ok theo ryan daniel


# 1.256 16-Dec-2002 henning

only create a root queue if scheduler = cbq


# 1.255 16-Dec-2002 henning

get full [scheduler]_opts struct instead of just .flags, and wrap in into a
switch (scheduler) statement in one case

inspired by kjc@


# 1.254 13-Dec-2002 henning

allow a second queue for higher prioritized (currently: tos=lowdelay) packets
to be specified per rule

queue (qname, priorized_qname)

idea dhartmei
ok dhartmei@ frantzen@ deraadt@


# 1.253 13-Dec-2002 henning

a bit KNF originally part of another diff soon to come; frantzen@ correctly
pointed out that should be a separate commit.


# 1.252 13-Dec-2002 deraadt

permit re-ordering of some scrub parameters, and also clean up some other
grammar baloney; henning ok


# 1.251 12-Dec-2002 henning

KNF


# 1.250 12-Dec-2002 henning

we don't need to keep a private copy of the queue name in expand_rule,
r->qname is never modified

discussed with dhartmei@


# 1.249 11-Dec-2002 mcbride

Replace strncpy + ugly pointer math with sscanf for reading source-hash keys

ok dhartmei@ henning@


# 1.248 09-Dec-2002 dhartmei

(properly guarded) strcpy() -> strlcpy()


# 1.247 09-Dec-2002 deraadt

do not allow redefinitions in variable option blocks; henning ok


# 1.246 08-Dec-2002 henning

strncpy is evil.


# 1.245 08-Dec-2002 henning

allow flexible options order like Theo did for rules.

idea, lots of input, motivation and ok deraadt@

ATTENTION:
this changes the syntax. the "scheduler" keyword is gone now.
old: altq on $interface scheduler cbq ...
new: altq on $interface cbq ...


# 1.244 07-Dec-2002 dhartmei

Support parameters in anchor rules. Allows conditional evaluation, like:

anchor spews inet proto tcp from any to any port smtp

ok deraadt


# 1.243 07-Dec-2002 henning

more KNF


# 1.242 07-Dec-2002 henning

KNF


# 1.241 07-Dec-2002 henning

shadow cleanup

ok mcbride@ frantzen@


# 1.240 07-Dec-2002 henning

kill an unused param to lungetc


# 1.239 07-Dec-2002 mcbride

Convert the hash of a string key to network byte order. Makes regression
work on all platforms.

Bug found by dhartmei@

ok dhartmei@ henning@


# 1.238 06-Dec-2002 dhartmei

Remove negated address list check again, doesn't work right yet.


# 1.237 06-Dec-2002 dhartmei

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@


# 1.236 05-Dec-2002 henning

fix a small cosmetic problem. if ifa_lookup was called in LOOKUP_NET mode,
it would return things like 127.0.0.1/8. when 127.0.0.1/8 is passed through
the new selftests, it becomes 127.0.0.0/8.
fix: instead of just copying addr.mask in ifa_lookup, use set_ipmask, so it
is 127.0.0.0/8 from the beginning on.


# 1.235 05-Dec-2002 henning

-quote varset in -v output
-don't add 's' in set timeout -v output

makes the feedback regression tests succeed.

ok markus@ mcbride@


# 1.234 04-Dec-2002 henning

in host(), apply a given netmask to all members of the node_host list
returned by ifa_lookup().

reported by Alejandro G. Belluscio

ok dhartmei@


# 1.233 04-Dec-2002 deraadt

do not warn for unused variables except with -v -v; henning ok


# 1.232 02-Dec-2002 henning

KNF


# 1.231 02-Dec-2002 deraadt

permit more flexible pass/block lines. the options given at the end of
a line can now be placed in any order, and some merging of duplicate options
is also done. this is easier to use.


# 1.230 02-Dec-2002 henning

allow for "altq on $interface" without specifying a bandwidth. The
interface's bandwidth is taken then.
as a side-effect, "altq on $interface bandwidth xx%" is also possible now,
it's relative to the interface's bandwidth then.

ok theo


# 1.229 30-Nov-2002 mickey

move damn unmask() proto into place as well


# 1.228 29-Nov-2002 henning

coredumps are not nice.
deal with the fact that when we are merging the lists in host_list both can
be NULL.
found at EuroBSDCon 2002 while I was explaining the expansion process to
Paul de Weerd

ok dhartmei@


# 1.227 29-Nov-2002 henning

print queuespec only once in verbose mode, even if referenced more often


# 1.226 29-Nov-2002 henning

FREE_LIST nqueues later; can be used more than once


# 1.225 28-Nov-2002 henning

allow qlimit on altq spec


# 1.224 28-Nov-2002 mcbride

- Adjust to match replacement of md5 with pf_hash
- Allow keys to be specified in hex (must be 128 bits, mainly to make
pfctl -v output parseable by pfctl) or as a string. Randomly generate key
if one is not specified.

Suggestions and fixes from camield@

ok mickey@ camield@ henning@


# 1.223 27-Nov-2002 henning

handle the "no bandwidth specified" case earlier and easier.


# 1.222 27-Nov-2002 henning

-use a #define for default qlimit instead of hardcoding it
-print qlimit in print_queue if it is not the default one
-assign the default qlimit early in the parser instead of using 0


# 1.221 27-Nov-2002 henning

next round in print fixes:
-only print priority if it is not equal to the default one
-space handling overhaul


# 1.220 27-Nov-2002 henning

use a #define for default priority instead of hardcoding it


# 1.219 27-Nov-2002 henning

fix tbrsize spec


# 1.218 27-Nov-2002 henning

fix error message for altq ifspec without child queues


# 1.217 26-Nov-2002 henning

make bandwidth specification on queue truly optional


# 1.216 26-Nov-2002 henning

queue comes before NAT


# 1.215 25-Nov-2002 henning

repair decide_address_family
you cannot just take the first address family you meet as rule's address
family... either all are equal, or the rule has no explicit AF.

found by danh@
ok theo


# 1.214 25-Nov-2002 mickey

for loN and link1 translate the iface into address properly; henning@ ok


# 1.213 25-Nov-2002 henning

1Kb = 1000b, not 1024; as discussed with kjc@ and theo


# 1.212 25-Nov-2002 henning

KNF


# 1.211 24-Nov-2002 pb

enforce that queue comes right before filtering
'options, normalization, translation, queue, filter' now

henning@ ok


# 1.210 24-Nov-2002 dhartmei

Cosmetics and removal of a redundant code block.


# 1.209 23-Nov-2002 deraadt

sigh


# 1.208 23-Nov-2002 henning

KNF


# 1.207 23-Nov-2002 henning

better error checking in expand_queue


# 1.206 23-Nov-2002 henning

easier


# 1.205 23-Nov-2002 mcbride

Daniel's diff to untangle my mess with ifa_pick_ips like so:

- add decide_address_family() which runs through the list to find hosts
with the af set
- replace ifa_pick_ips with remove_invalid_hosts() which removes hosts with
the wrong address family from the list

from/ok dhartmei@


# 1.204 23-Nov-2002 henning

better error checking, round 1
this time in expand_altq


# 1.203 23-Nov-2002 henning

KNF


# 1.202 23-Nov-2002 deraadt

KNF


# 1.201 23-Nov-2002 dhartmei

$$->ifname is NULL, leave it NULL, don't $$->ifname[0] = 0;


# 1.200 23-Nov-2002 mcbride

Fix brokenness in parse.y, clean up:
- remove requirement for ( ) in route-to ( if )
- calloc route_host
- initialise route_host->next
- globally convert malloc to calloc

ok dhartmei@


# 1.199 23-Nov-2002 mcbride

code to support loading of pf rules with multiple redirection addresses
(in nat, rdr, route-to, dup-to and reply-to)

Syntax looks like this, see pf.conf(5) for details:

nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
192.168.0.16/29 source-hash random

rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
{ 192.168.0.8/31, 192.168.0.15 } port 22 round-robin

ok dhartmei@ henning@


# 1.198 22-Nov-2002 henning

print altq and queue lines in the pfctl -v case including the child queue
assignment


# 1.197 19-Nov-2002 henning

only take cbq opts from schedtype if type=CBQ


# 1.196 19-Nov-2002 henning

repair queuespec syntax glitch, theo agrees


# 1.195 19-Nov-2002 henning

default priority is 1, not 0
found by pb@


# 1.194 19-Nov-2002 camield

- match 'Gb' case-sensitively
- match "%" unit only, not "%crap"

ok henning@


# 1.193 19-Nov-2002 wilfried

icmp-type was off by one, ok henning@


# 1.192 18-Nov-2002 deraadt

no; do not use };


# 1.191 18-Nov-2002 henning

more using strl* return values instead of strlen calls


# 1.190 18-Nov-2002 henning

easier "queue name too long" detection; from theo


# 1.189 18-Nov-2002 deraadt

KNF


# 1.188 18-Nov-2002 deraadt

KNF


# 1.187 18-Nov-2002 henning

altq and pf merged

this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documentation yet, but committing now
enables a few more people to work on.

print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.

"commit now" theo philipp daniel


# 1.186 13-Nov-2002 henning

as scrub rules end up in a struct pf_rule just call expand_rule instead of
handcrafting this.
has quite a few positive side effects:
-interface list expansion works (fries@ asked for that)
-can specify address family, very helpful with dynamic interface expansion
(pointed out by daniel)
-src/dst ip/port list expansion works
-fixes a long standing, scary, though never noticed bug:
scrub out on lo1 from any to 10.0.0.1
expanded to
scrub out on lo1 all
... this bug was there from day #1.

"sneaky diff of the month award" dhartmei@


# 1.185 13-Nov-2002 dhartmei

Add label macro $if, as we support {} list expansion for interfaces now.
From David Gwynne. ok henning@, camield@


# 1.184 13-Nov-2002 dhartmei

Initialize tail pointer to node, found by fries@


# 1.183 08-Nov-2002 henning

init buf to NULL just in case...
there isn't a single codepath where it can remain uninitialized, but this
might prevent a stupid bug if we change something later


# 1.182 07-Nov-2002 henning

move the ifa_exists block a bit up in host()
inspired by mpech@ pointing out a missing free(buf). so handle the
it-is-an-interface case where we don't need the buf before allocating memory.


# 1.181 04-Nov-2002 henning

welcome to CIDR world, pfctl!

use inet_net_pton to parse IP addresses.
stuff like
block in from 10/8 to any
works now.

some input camield@ and dhartmei@

ok dhartmei@, camield@, mcbride@


# 1.180 02-Nov-2002 dhartmei

%i -> %d, matches the style of existing code, from millert@


# 1.179 02-Nov-2002 dhartmei

printf int with %i, not %u. from pilot@monkey.org.


# 1.178 30-Oct-2002 henning

simplify


# 1.177 30-Oct-2002 henning

fix interface expansion. since the reversed list expansion code was
committed this was broken, only the first IP address was returned.

pointed out by danh@, who sent an excellent bug report.

ok dhartmei@


# 1.176 29-Oct-2002 henning

introduce
set require-order [yes|no]
default is yes.
with set to "no", it isn't required to have the rules in order (options,
scrub, nat, filter) any more, though of course NATing still happens before
filtering and so on, so one has to take care.

ok camield@ mcbride@ dhartmei@
idea discussed with a whole lotta more people and basically ok for everyone ;-)


# 1.175 27-Oct-2002 henning

remove the "flags X" syntax.
noone who wrote "flags S" meant that, but actually something like "flags
S/SA". with "flags S" changing its actual meaning as more flags got
supported, things got worse.

ok dhartmei@, pb@


# 1.174 22-Oct-2002 mpech

%ul -> %lu

dhartmei@ ok


# 1.173 22-Oct-2002 mcbride

More conversion of "int af" and "u_int8_t af" declarations and function
arguments to the more correct and descriptive "sa_family_t af"

ok dhartmei@ henning@


# 1.172 22-Oct-2002 camield

Rename ipmask to set_ipmask and add some functionality: the netmask
is applied immediately to the address.

This way, the parsed rules output shows exactly which bits of an
address are significant for a match and errors due to wrong netmasks
can be spotted more easily.

Example:
$ pfctl -nvf -
pass in on lo0 from 172.17.0.0/12 to any
@0 pass in on lo0 inet from 172.16.0.0/12 to any

idea refined by dhartmei@
ok frantzen@ henning@
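The three changes above that touch address parsing (CIDR input such as `10/8`, the netmask being applied to the address at parse time in `set_ipmask`, and the `127.0.0.1/8` -> `127.0.0.0/8` normalisation) share one idea: store the masked network, not what the user typed, so that `pfctl -nvf` shows exactly which bits a rule matches on. The following is an added example written for this page, not pfctl's own code; the names `parse_cidr4`, `set_ipmask4` and `host_bits_dropped` are assumptions. It parses the short IPv4 forms, masks the address, and flags the case where the mask discarded host bits (the `172.17.0.0/12` case in the commit message), which is the condition a config reviewer wants surfaced.

```c
/* Added example, not pfctl code: parse an IPv4 "addr[/bits]" spec in the
 * short forms a CIDR parser accepts ("10/8", "172.17.0.0/12", "127.0.0.1/8"),
 * apply the mask to the address at parse time, and report whether any host
 * bits were dropped by the mask. Names are assumptions for this example. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct cidr4 {
    uint32_t addr;          /* host byte order, already masked */
    int      bits;          /* prefix length 0..32 */
    int      host_bits_dropped; /* 1 if spec had bits outside the prefix */
};

/* Mask covering the top `bits` bits; bits == 0 handled to avoid a 32-bit shift. */
uint32_t prefix_mask4(int bits)
{
    return bits == 0 ? 0u : 0xffffffffu << (32 - bits);
}

/* Equivalent of applying the netmask immediately to the address. */
uint32_t set_ipmask4(uint32_t addr, int bits)
{
    return addr & prefix_mask4(bits);
}

/* Parse "a[.b[.c[.d]]][/bits]". Missing octets read as zero, like the classic
 * inet_net_pton(3) short forms. Returns 0 on success, -1 on a malformed spec. */
int parse_cidr4(const char *spec, struct cidr4 *out)
{
    uint32_t addr = 0;
    int octets = 0, bits = 32;
    const char *p = spec;
    char *end;

    while (octets < 4) {
        if (*p < '0' || *p > '9')
            return -1;
        errno = 0;
        long v = strtol(p, &end, 10);
        if (errno || end == p || v < 0 || v > 255)
            return -1;
        addr = (addr << 8) | (uint32_t)v;
        octets++;
        p = end;
        if (*p == '.') {
            p++;
            continue;
        }
        break;
    }
    addr <<= 8 * (4 - octets);      /* pad the missing low octets with zeros */

    if (*p == '/') {
        p++;
        if (*p < '0' || *p > '9')
            return -1;
        long b = strtol(p, &end, 10);
        if (end == p || b < 0 || b > 32)
            return -1;
        bits = (int)b;
        p = end;
    }
    if (*p != '\0')                 /* trailing garbage such as "/8x" */
        return -1;

    out->bits = bits;
    out->addr = set_ipmask4(addr, bits);
    out->host_bits_dropped = (addr & ~prefix_mask4(bits)) != 0;
    return 0;
}

/* Render the masked network the way a verbose rule dump would show it. */
void format_cidr4(const struct cidr4 *c, char *buf, size_t len)
{
    snprintf(buf, len, "%u.%u.%u.%u/%d",
        (unsigned)(c->addr >> 24) & 0xffu, (unsigned)(c->addr >> 16) & 0xffu,
        (unsigned)(c->addr >> 8) & 0xffu, (unsigned)c->addr & 0xffu, c->bits);
}

int main(void)
{
    /* Constructed inputs taken from the commit messages above. */
    const char *specs[] = { "172.17.0.0/12", "127.0.0.1/8", "10/8", "10.0.0.256/8" };
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        struct cidr4 c;
        char buf[32];
        if (parse_cidr4(specs[i], &c) != 0) {
            printf("%-16s -> syntax error\n", specs[i]);
            continue;
        }
        format_cidr4(&c, buf, sizeof buf);
        printf("%-16s -> %s%s\n", specs[i], buf,
            c.host_bits_dropped ? "  (host bits dropped: check the netmask)" : "");
    }
    return 0;
}
```

The `host_bits_dropped` flag is the practical addition: printing the masked form alone, as the commit does, lets a reviewer notice `172.16.0.0/12` where `172.17.0.0/12` was written, but a parser can also point at the mismatch directly, which is where an overly wide netmask in a `pass` rule is most cheaply caught.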


# 1.171 17-Oct-2002 mcbride

These checks are also made in nat_consistent() and rdr_consistent().

ok dhartmei@ henning@


# 1.170 17-Oct-2002 camield

- accept all protocols that are specified by number if they are in
the valid range (also when they're not listed in /etc/protocols)
- explicitly disallow protocol number 0, because it has special meaning
to pf

ok dhartmei@ henning@


# 1.169 16-Oct-2002 mpech

Fix and improve binat mask comparison.

dhartmei@, henning@ ok


# 1.168 14-Oct-2002 henning

Allow one to specify a netblock in a binat rule:

binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27

Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.

from ryan

ok dhartmei@


# 1.167 11-Oct-2002 camield

When a macro cannot be expanded because it is not defined, say so. Also warn
about unused macros.

ok dhartmei@ henning@


# 1.166 11-Oct-2002 camield

In lgetc(), compress strings of whitespace to a single space. This makes
macros come out right in verbose mode and is less functional overhead.

Also err on whitespace after a backslash. That type of error is hard to
find otherwise.

ok dhartmei@ henning@


# 1.165 08-Oct-2002 vincent

remove <0 checks on unsigned numbers.

ok henning@


# 1.164 07-Oct-2002 dhartmei

-Wsign-compare clean


# 1.163 07-Oct-2002 dhartmei

Two cases of const-correctness and make one global local.


# 1.162 07-Oct-2002 henning

set block-policy [drop|return]
drop is default, same behaviour as before

support
block drop
to override a return policy


# 1.161 07-Oct-2002 henning

support a generic return
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else

ok dhartmei@


# 1.160 07-Oct-2002 henning

make return-icmp work for rules covering both v4 and v6
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)

ok and some input dhartmei@


# 1.159 07-Oct-2002 henning

use a new rule_flag PFRULE_RETURNICMP to decide whether to return-icmp or not
instead of just testing return_icmp > 0

ok dhartmei@


# 1.158 07-Oct-2002 dhartmei

Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.


# 1.157 06-Oct-2002 dhartmei

Move CHECK_ROOT into LOOP_THROUGH, gets rid of one macro and saves
several lines, no functional difference. From Camiel Dobbelaar.


# 1.156 05-Oct-2002 dhartmei

Expand {} lists from left to right, so 'pass in from { a, b } to any'
becomes '@0 pass in from a to any @1 pass in from b to any' instead of
the other way around. Patch from Camiel Dobbelaar.


# 1.155 05-Oct-2002 dhartmei

Allow filtering based on IP header's tos field.


Revision tags: OPENBSD_3_2_BASE
# 1.154 22-Sep-2002 henning

little KNF: return(something) -> return (something)


# 1.153 22-Sep-2002 henning

fix linenumber counting in findeol, and simplify by ignoring the \ case,
that's already handled earlier.
fast-forward on erroneous lines

partially from camield@, parts result of a discussion with Mike

ok frantzen@ dhartmei@


# 1.152 22-Sep-2002 henning

antispoof, take 2.
also block incoming packets with our own IP as src.

discussion & help frantzen

ok ho@ dhartmei@ frantzen@


# 1.151 17-Sep-2002 henning

easier "self" implementation.
no functional changes

ok pb@


# 1.150 15-Sep-2002 henning

set a netmask in the dynaddr case
noticed by <han@mijncomputer.nl>

ok pb@


# 1.149 14-Sep-2002 henning

bit more clue in rdr/nat rules wrt address family examination
don't take the af from host_node structs based on interface lookups, most
interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will
at least have one IP address specified from which we take the af for the
whole rule. The rare exceptional cases require the user to specify the af.

ok frantzen@


# 1.148 12-Sep-2002 henning

check for calloc() failure; ho@


# 1.147 12-Sep-2002 henning

antispoof [log] [quick] for [interface|interface_list] [af]

e. g.

antispoof log quick for { dc0, dc1 } inet

docs & regress coming

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@
IPv6 help itojun@

finally, a long story finds its happy end here.


# 1.146 12-Sep-2002 henning

rework netmask handling:
-don't set netmask in host token handler
-clear netmask in ipmask() proper before setting it
-in ifa_load(), also store interface's netmask and broadcast address
-allow ifa_lookup() to return either the interface's IP address(es), network(s)
or broadcast address(es) - not used anywhere yet. This implies that
ifa_lookup() also returns the netmask now.
-host() returns netmasks, too

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@


# 1.145 08-Sep-2002 henning

be more clueful wrt address family in nat/rdr rules.
behaviour noticed by Paul de Weerd, thanks!

ok dhartmei@


# 1.144 02-Sep-2002 dhartmei

Fix parsing of port ranges in translation rules (port a:b -> port c:d).
ok henning@


# 1.143 02-Sep-2002 dhartmei

Make sure the interface specified with route-to/dup-to/fastroute exists
and null-terminate the interface name. Found by Michael Wallis.
ok henning@


# 1.142 20-Aug-2002 dhartmei

Increase lineno on newlines inside multi-line macro definitions, otherwise
errors on subsequent lines are reported with wrong line numbers.
From Paul B. Henson.


# 1.141 16-Aug-2002 henning

kill duplicated check for '(' and ')' in allowed_in_string


# 1.140 12-Aug-2002 dhartmei

Catch null pointer deref (segfault), from wilfried@


# 1.139 06-Aug-2002 henning

missing free(), mpech@
ok pb@


# 1.138 06-Aug-2002 henning

check for strdup() allocation errors

pointed out by mpech@
ok pb@


# 1.137 31-Jul-2002 henning

KNF, esp. missing prototypes


# 1.136 30-Jul-2002 henning

grmpf.
in some cases, on non-tcp rules flags weren't reset. cosmetic only
problem. but, well, checking for r->flags and r->flagset if we could have
assigned them zero just one round ago is just stupid, and it's not needed to
check them at all.

ok pb@, dhartmei@


# 1.135 30-Jul-2002 henning

allow to specify flags on all rules that include tcp.

these are valid:

pass in from any to any flags S
pass in proto { tcp, udp, icmp } from any to any flags S
pass in proto tcp from any to any flags S

these are invalid:

pass in proto { udp, icmp } from any to any flags S
pass in proto udp from any to any flags S

ok "I've lost my slacker status for at least a week" frantzen@
ok pb@, dhartmei@, deraadt@


# 1.134 26-Jul-2002 henning

make the order of log and quick irrelevant. now both
block in log quick all
and
block in quick log all
work.

ok dhartmei@, deraadt@


# 1.133 23-Jul-2002 henning

timeout_list/_spec and limit_list/_spec don't return anything -> no %type.

ok theo


# 1.132 21-Jul-2002 deraadt

fix route-to also


# 1.131 21-Jul-2002 deraadt

make the , optional in many places. This makes string concat a lot more
useful. Now you can
in = ssh domain www
out = $in ftp finger
pass in proto tcp from any to any port { $in }
pass out proto tcp from any to any port { $out }
a poor example, but the idea is obvious


# 1.130 21-Jul-2002 deraadt

string concat, ie.
a=a b
c=$a $a


# 1.129 20-Jul-2002 deraadt

minor indent tweaks


# 1.128 20-Jul-2002 deraadt

properly split yacc and lex use


# 1.127 19-Jul-2002 deraadt

minor tweaks, sigh


# 1.126 19-Jul-2002 dhartmei

And back out the last change again.


# 1.125 19-Jul-2002 henning

rework the interface lookup routines internals.
less and easier code than before.
no functional changes.

ok frantzen@, dhartmei@


# 1.124 19-Jul-2002 dhartmei

Support # comments at the end of lines and inside (multi-line) string
literals, so you can do things like

macro="{ foo, # first entry
bar, # second entry
baz }" # last entry

or

pass in on $ext_if \ # external interface
proto tcp \ # TCP connections
from any to $ext_if \ # to the gateway itself
keep state

And sneaking in two minor fixes for KNF.


# 1.123 19-Jul-2002 henning

deal with the fact that the struct node_host ifa_pick_ip gets is not always
the result of an interface expansion. in this case ifa_pick_ip does an
address family check (that's actually a (wanted) side effect). Thus, we need
to spit out a meaningful error message in case of a mismatch.
also adjust all the other error messages, they were also assuming that nh is
the result of an interface expansion.
after a looooong discussion on icb (dhartmei@, pb@, me) we agreed on the term
"translation address" for that.

okay dhartmei@


# 1.122 17-Jul-2002 henning

support "self" as address. self expands to all IPv4 and IPv6 addresses of
the machine, on all interfaces. I wanted
block in log on ! lo0 from any to self
for years, and now it's possible.

ok "I may lose my slacking status if I OK it" frantzen@
ok dhartmei@

documentation in pf.conf.5 to come with pb@'s rewrite


# 1.121 16-Jul-2002 dhartmei

Add nat_consistent() and rdr_consistent() for checks that should occur
after rule expansion, similar to rule_consistent(). Fixes the
non-effective test for rdr rules for non-TCP/UDP protocols with ports,
found by mpech@, ok frantzen@


# 1.120 15-Jul-2002 henning

add support for
pass|block on ! $interface ...

ok dhartmei@

will be documented in pf.conf(5) by "I'm not slacking!" pb@ who's currently
reworking this manpage


# 1.119 15-Jul-2002 pb

cosmetics/consolidations to manpage in yyerror()s

ok henning@, dhartmei@


# 1.118 15-Jul-2002 henning

o complain about keep state on block rules
o complain about return-rst on rules which aren't limited to tcp

pointed out by not-slacking-but-testing pb@

ok pb@, dhartmei@


# 1.117 13-Jul-2002 henning

add list expansion for interface and proto in nat rules and for proto in rdr
rules (interface was already there). since the nat.conf/pf.conf merge the
parser accepted these but didn't expand them. ugh.

ok dhartmei@


# 1.116 09-Jul-2002 itojun

check sin6_scope_id field, just in case we change the routing socket API
for scoped address (unlikely due to the deployed codebase...).


# 1.115 09-Jul-2002 itojun

getifaddrs(3) grabs link-local addrs in kernel internal form, convert them
into proper sockaddr_in6.


# 1.114 09-Jul-2002 henning

rework the interface-to-IP routines.

you can use interface names instead of an IP in most places. However, until
now, it was only expanded to the interface's first IPv4 address if existent
(and address family unset or inet) and the first IPv6 address otherwise.

this diff changes that. the interface is properly expanded to all IPs, IPv4
_and_ IPv6, now.

it also cleans up the lookup procedures (well, in fact, they are replaced by
a new one), there's no need for different procedures for IPv4 and IPv6. we
now just have one list of interfaces (AF_LINK) and one list with IPs
(AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and
ifa_lookup.

nat, rdr & friends now use the new function ifa_pick_ip to get the IP in
rules like

nat on $interface from $whatever to any -> $interface

ifa_pick_ip tries to be smart.
if the interface has only one IP address and the nat rule doesn't specify an
address family (or it matches with this address), take this one.
If the address family is specified in the nat rule and there is only one IP
for the given address family, this one is used. if the address family is not
specified and there is more than one IP pfctl throws an error. The same
applies for multiple IPs per address family.

This causes regression tests 18 and 20 to fail because the address family
isn't specified there; diff for those coming.

also fix some prototypes while I'm here.

pb@ found another problem while testing that we must have introduced somewhat
after 3.1.

$cat t
nat on ne3 from any to any -> 213.128.133.5
$pfctl -nvf t
nat on ne3 all -> ?

it's only a representation bug as far as I've checked, nonetheless it should
be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just
steal its target's IP af and set the rule's af accordingly. then inet_ntop
does play nice.
binat rules already enforce having an address family set always and thus are
not affected.

ok dhartmei@, pb@, kjell@
"It looks good" frantzen@


# 1.113 08-Jul-2002 dhartmei

Don't allow 'flags' option in non-TCP rules, found by mpech@


# 1.112 05-Jul-2002 henning

unbreak.


# 1.111 05-Jul-2002 henning

another small bug I found while installing a -current pf firewall.
we don't support

pass/block in on ! <interface>

(at least, not yet)
let the parser complain instead of ignoring the '!'

ok pb@, dhartmei@


# 1.110 01-Jul-2002 espie

streamline parse buffer handling (no need to copy value that is not
going to go away).

add explicit pushback buffer, to be able to push IPv6 failed parses back.

handle pushback + parse buffer interactions by using negative indices.

okay dhartmei@, deraadt@


# 1.109 01-Jul-2002 deraadt

KNF


# 1.108 28-Jun-2002 dhartmei

Don't check for address family conflicts in nat/rdr before expansion,
rules will expand to all valid combinations, and there's an error when
none is found. Makes "nat on tun0 from 10.0.0.0/8 to any -> (tun0)"
work (again).


# 1.107 25-Jun-2002 henning

move pfctl options -t, -m, -O and -l to pf.conf. These are set using the
"set" keyword. example rulefile:

set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all

fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@


# 1.106 24-Jun-2002 dhartmei

Use interface when specified in scrub rule. No support for ! or {} yet.


# 1.105 23-Jun-2002 deraadt

uid_t and gid_t are unsigned


# 1.104 20-Jun-2002 dhartmei

Copy address family from inet/inet6 keyword, if specified.


# 1.103 18-Jun-2002 frantzen

propagate a '!' when a host resolves to multiple IP addresses
ok dhartmei@


# 1.102 18-Jun-2002 frantzen

don't allow individual keep state rules to specify timeouts for 'interval' and
'frag' -- they aren't applied anyway
ok dhartmei@ and henning@


# 1.101 16-Jun-2002 aaron

Rules must in order -> Rules must be in order


# 1.100 15-Jun-2002 dhartmei

Reset rulestate in parse_rules(), so consecutive calls (like from authpf)
will not fail. Reported by Chris Kuethe.


# 1.99 13-Jun-2002 kjell

Fix the numbering of scrub rules. pointed out and oked by frantzen@


# 1.98 12-Jun-2002 kjell

Fix uninitialized access. Spotted by danh@ This is a good reason to
develop with "ln -s 'J' /etc/malloc.conf" enabled.
ok henning@


# 1.97 11-Jun-2002 frantzen

split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@. the rest are slacking


# 1.96 11-Jun-2002 frantzen

SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@


# 1.95 11-Jun-2002 dhartmei

Make NAT proxy port range configurable per rule, for instance privileged
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@


# 1.94 10-Jun-2002 kjell

Merge the NAT and rules files into a single rulefile. Rules must be
in this order, to remove any ambiguity about what order things happen in:

scrub rules
nat rules
filter rules

The -N and -R modifiers go away. Rulefiles are now loaded with the
more POSIXly-correct '-f'

ok frantzen@


# 1.93 10-Jun-2002 dhartmei

Allow ports to be specified in nat rules, useful later on for individual
proxy port ranges.


# 1.92 10-Jun-2002 dhartmei

Move enum out of struct (gcc 3.1 wasn't happy), from David Krause


# 1.91 10-Jun-2002 kjell

split scrub rule processing into its own yacc target,
for imminent config file merge. ok frantzen@


# 1.90 09-Jun-2002 dhartmei

Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it
includes ports and operator.


# 1.89 09-Jun-2002 deraadt

spaced out developers...


# 1.88 09-Jun-2002 kjell

Add list parsing in RDR rules: e.g.

rdr on $IFLIST proto tcp from $SRC_LIST to $DST_LIST port 21 \
-> 127.0.0.1 port 8021

ok dhartmei@


# 1.87 08-Jun-2002 henning

nuke unused parameter af to expand_label_port
ok dhartmei@, pb@


# 1.86 08-Jun-2002 dhartmei

Change remaining read-only lookup tables to const, suggestion drahn@


# 1.85 08-Jun-2002 itojun

comment on IPv6 link-local twists


# 1.84 08-Jun-2002 kjell

add list expansion to src/dest in NAT rules. i.e.

nat on fxp0 from { 10.0.0.0/24, 10.0.1.0/24 } to \
{ 172.6.1.1, 172.14.1.2/32 } -> fxp0

ok theo, dhartmei@


# 1.83 08-Jun-2002 henning

remove macro concatenation via += per Theo's advice


# 1.82 08-Jun-2002 henning

allow macro concatenation like
webservers = "{ 10.0.0.1, 10.0.0.7, 10.0.0.8, "
webservers += " 10.0.0.17, 10.0.0.25, 10.0.0.37 }"
ok frantzen@, dhartmei@


# 1.81 08-Jun-2002 dhartmei

Make state timeouts configurable per rule, like

pass in from any to any port www keep state (tcp.established 60)

ok frantzen@


# 1.80 08-Jun-2002 henning

expand $nr -> rule number in rule labels
okay dhartmei@, frantzen@


# 1.79 08-Jun-2002 henning

expand $proto in rule labels
okay frantzen@ dhartmei@


# 1.78 07-Jun-2002 dhartmei

Handle realloc() failure gracefully. Terminates with err() anyway in this
case, but we don't want to trigger "p = realloc(p," grepping causing false
alarms here.


# 1.77 07-Jun-2002 deraadt

henning, read this to see what i mean by KNF


# 1.76 07-Jun-2002 pb

add the possibility to configure a TTL while return-rst

ok dhartmei@, ipv6 part itojun@ ok


# 1.75 07-Jun-2002 dhartmei

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@


# 1.74 07-Jun-2002 henning

allow using $srcaddr, $srcport, $dstaddr and $dstport in rule labels,
evaluated at parse time.
ok dhartmei@


# 1.73 07-Jun-2002 itojun

make IPv6 scope identification work for dst (from any to fe80::1%lo0)


# 1.72 07-Jun-2002 itojun

support scoped IPv6 address in from/to portion.


# 1.71 01-Jun-2002 hugh

ECN flag support for pf. Committed in consultation with Daniel.


# 1.70 24-May-2002 dhartmei

Support mixed (IPv4/v6) address lists, expand to all possible and valid
combinations. 'pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }' will
expand to two rules, 'from 10.1.2.3 to 10.4.5.6' and 'from ::1 to ::2'.
Also applies to host name resolution (when multiple addresses are returned
for one name). ok frantzen@, itojun@


# 1.69 23-May-2002 deraadt

tiny KNF, some malloc checks, etc


# 1.68 23-May-2002 itojun

new_addr is not used from anywhere. daniel@benzedrine.cx ok


# 1.67 19-May-2002 deraadt

KNF


# 1.66 12-May-2002 dhartmei

Explain that user/group 'unknown' can only be used with operators = and !=
and refuse other constructs in the parser. Also note that 'user >= 0' does
not match forwarded packets with unknown user ID.


# 1.65 12-May-2002 dhartmei

Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.


# 1.64 10-May-2002 dhartmei

Handle host name resolution returning multiple addresses in the rule
parser (expand to every address). ok frantzen@


# 1.63 09-May-2002 jasoni

Add a max-mss option to the scrub rule which will enforce a maximum mss
by lowering it to the given value.
- ok dhartmei@, provos@


# 1.62 09-May-2002 dhartmei

Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.


# 1.61 24-Apr-2002 dhartmei

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).


# 1.60 23-Apr-2002 dhartmei

Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.


# 1.59 18-Apr-2002 deraadt

use strlcpy


# 1.58 17-Apr-2002 dhartmei

Reset lineno for each file, so pfctl -R ... -N ... reports the right
line number for non-first files. Reported by aaron@


Revision tags: OPENBSD_3_1_BASE
# 1.57 27-Mar-2002 mickey

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok


# 1.56 27-Feb-2002 dhartmei

Instead of printing useless @0 rule numbers from pfctl -vR, increase a
counter. Helps debugging rule sets that are not loaded. Suggested by
John Kerbawy.


# 1.55 11-Jan-2002 mickey

use bsearch() for keywords lookup, swap couple of entries to make the keywords array sorted and add a comment to keep it that way; dhartmei@ ok


# 1.54 10-Jan-2002 hugh

Let port 0 be specified as it's not special here.
Agreement with Daniel and others.


# 1.53 09-Jan-2002 mpech

Port must be >0 and <=65535. Idea while having fun with ssh.

dhartmei@ ok


# 1.52 09-Jan-2002 mpech

free() 'interface' in {nat,binat,rdr}rule

dhartmei@ ok


# 1.51 09-Jan-2002 dhartmei

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.


# 1.50 08-Jan-2002 dhartmei

Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.


# 1.49 07-Jan-2002 mpech

remove 3rd argument from ipmask(), not used.

dhartmei@ ok


# 1.48 23-Dec-2001 deraadt

find correct line number in lval, instead of val


# 1.47 10-Dec-2001 dhartmei

Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.


# 1.46 05-Dec-2001 dhartmei

Correctly parse hex numbers. Spotted by Claudio Jeker. Closes PR 2234.


# 1.45 03-Dec-2001 dhartmei

For nat, binat and rdr rules, don't allow different address families in
one rule. pf can't translate IPv4 <-> IPv6 packets. Such rules didn't work,
even if they were falsely accepted before.


# 1.44 26-Nov-2001 jasoni

add fastroute options similar to what is found in ipf
ok dhartmei@, frantzen@


# 1.43 05-Nov-2001 deraadt

no one responds.
this diff makes } and { not be part of symbols


# 1.42 24-Oct-2001 dhartmei

Check interface names using ifa0_lookup() and print error message for
non-existent interfaces (instead of the generic ioctl error returned by
the kernel in this case).


Revision tags: OPENBSD_3_0_BASE
# 1.41 15-Oct-2001 dhartmei

branches: 1.41.2;
Add 'allow-opts' to rules. Packets with IP options will be blocked by
default now, and can be allowed per rule. ok deraadt@


# 1.40 11-Oct-2001 frantzen

Don't htonl() past buffer bounds if ipmask == 128


# 1.39 07-Oct-2001 dhartmei

Add interface name to address translation to pfctl, document it and add
a regress test. Translation is done on rule set load-time only, so the
rule sets must be reloaded when an interface address changes.
parse.y patch from Cedric Berger. Similar patch from Jonathon Fletcher.
Thanks to both.


# 1.38 01-Oct-2001 markus

print variable assignments only if -v is given. ok dhartmei/deraadt


# 1.37 28-Sep-2001 dhartmei

Support underscores in macro names and document it in the man page.


# 1.36 20-Sep-2001 dhartmei

Fix uninitialized structure fields. Problem reported by Cedric Berger.


# 1.35 15-Sep-2001 wilfried

Implement return-icmp(number), return-icmp6(number)
Differentiate between return-icmp and return-icmp6,
icmp-type and ipv6-icmp-type. ok dhartmei@


# 1.34 15-Sep-2001 dhartmei

Fix 'binat ... to any ...' (binat.af wasn't set).


# 1.33 15-Sep-2001 dhartmei

Parse bug, found by wilfried@


# 1.32 15-Sep-2001 frantzen

IPv6 support from Ryan McBride (mcbride@countersiege.com)


# 1.31 12-Sep-2001 markus

check calloc() return value


# 1.30 06-Sep-2001 jasoni

- you can only binat between hosts
- add binat example and description


# 1.29 06-Sep-2001 jasoni

1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@


# 1.28 04-Sep-2001 dhartmei

Support parameter lists {} for interfaces in filter rules, like
pass in on { gm0, kue0 } from any to any


# 1.27 28-Aug-2001 markus

move '!' from host_list to host: "xhost : '!' host | host;"; ok dhartmei@


# 1.26 28-Aug-2001 markus

check for malloc/strdup == NULL


# 1.25 28-Aug-2001 dhartmei

Support ! operator in host parameter lists. Fixes PR system/2030. Reported
by Kamil Andrusz <wizz@mniam.net>.


# 1.24 26-Aug-2001 deraadt

sort keywords


# 1.23 25-Aug-2001 frantzen

PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation.


# 1.22 23-Aug-2001 millert

o for a port_item, initialize the "next" pointer to NULL
o for an address, use calloc() instead of malloc() so the struct is zeroed
Fixes a SEGV in pfctl due to uninitialized "next" pointers.


# 1.21 23-Aug-2001 deraadt

Support var="string". Expansion (at lex time) done using $var, for instance:
okproto="{ssh, smtp, domain, auth}"
pass in on key0 proto tcp from any to any port $okproto keep state
Can I ask someone else to document this in pf.conf(5)?


# 1.20 19-Aug-2001 dhartmei

Add parameter list support to parser. Handles lists for protocol, hosts
and ports in filter rules, like

block in from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
pass in proto tcp from any to any port { ssh, 1024 >< 2000, > 65000 }
block in proto { udp, igmp }

and does rule expansion (generate all needed rule combinations).


# 1.19 16-Aug-2001 deraadt

track the line number per-token, so that we can report errors correctly


# 1.18 14-Aug-2001 mickey

optimize the flags parsing; markus@ ok


# 1.17 11-Aug-2001 deraadt

\+\n support, and spit out cc-style error messages. the parser's line
counting is lex dependent, and will need to be tweaked


# 1.16 31-Jul-2001 wilfried

allow to test that flags are unset, ok dhartmei@, mickey@


# 1.15 19-Jul-2001 krw

Fix/complete the handling of the binary ops >< and <> to behave
like the ipf operators.

The 'n >< m' construct (Include Range = PF_OP_IRG) should match
ports greater than n and less than m, not greater than or equal to
n and less than or equal to m.

The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match
all ports less than n OR greater than m, not be treated as an
alias for ><.

Thus PF_OP_GL, which was used for both <> and >< is replaced with
PF_OP_IRG and PF_OP_XRG with the 'correct' semantics.

OK dhartmei@


# 1.14 18-Jul-2001 markus

new ERROR token, errx() -> warnx() + ERROR; ok deraadt@


# 1.13 18-Jul-2001 markus

KNF for return


# 1.12 18-Jul-2001 mickey

check number range to fit in 32 bits


# 1.11 18-Jul-2001 mickey

put range checks on NUMBER, pointed out by deraadt


# 1.10 17-Jul-2001 mickey

spaces, parens, err instead of errx+strerror


# 1.9 17-Jul-2001 markus

warnx()/YYERROR instead of errx(); suggested by mickey@


# 1.8 17-Jul-2001 provos

markus doesn't like min-ttl =, begone


# 1.7 17-Jul-2001 provos

support min-ttl, okay dhartmei@


# 1.6 17-Jul-2001 provos

normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@


# 1.5 17-Jul-2001 marc

bitch about ! in pf rule; ok dhartmei@ and markus@


# 1.4 17-Jul-2001 millert

Only set default proto in the rdr case; markus@ OK


# 1.3 16-Jul-2001 markus

errx() if getservbyname() fails


# 1.2 16-Jul-2001 markus

better flags parsing; dhartmei


# 1.1 16-Jul-2001 markus

add a yacc parser for pf.conf and nat.conf, with help from mickey@,
plus: -n now turns off all operations, and just parses the conf files
ok deraadt@


# 1.693 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.692 10-Feb-2019 kn

Anchor names must not be empty

The parser would allow bogus input and sometimes even produce invalid rules
on empty anchor names, so error out immediately.

OK sashan


# 1.691 10-Feb-2019 kn

Unify anchor name sanity checks

For anchor names, make `load anchor' use the same grammar as `anchor' and
merge unique checks from both places so that anchor names are validated
regardless of the specific rule at hand.

OK sashan


# 1.690 31-Jan-2019 kn

Make divert-packet port accept any port specification

Contrary to other rules accepting a single port, this one only works with
numerical values. Fix it by simply using the proper grammar.

Port ranges are not accepted, but an error message on a range without start
was missing in general, so add it while here.

OK bluhm


# 1.689 11-Jan-2019 kn

When creating tables inside anchors, pfctl warned about namespace
collisions with global tables, but only in certain cases and with
limited information sometimes leaving users clueless.

Deferring the check to process_tabledefs() where tables are eventually
created, both anchor and table name are known which allows for checking
all existing anchors.

With this, warn on all duplicates even in dry-runs (`-n') and print
quoted names so they can be copied to fix configurations right away.

No functional change in parsing or ruleset production.

Discussed with and OK sashan


# 1.688 15-Nov-2018 dlg

scrub opts don't set tos, so remove it from the scrub_opts struct

ok deraadt@


# 1.687 10-Nov-2018 kn

Unbreak `-D macro=value' (r1.686 regression)

Zap trailing semicolon introduced with miko's cmdline_symset() leading to
unconditional err(3). Zap trailing tab while here.


# 1.686 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.685 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.684 16-Sep-2018 millert

Use uid_from_user(3) and gid_from_group(3) in utilities that
do repeated lookups. OK tb@


# 1.683 06-Sep-2018 kn

Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan


# 1.682 16-Jul-2018 kn

reduce duplicate code, fix typo/free correct buffer

In filteropts_to_rule():

* Merge `once' handling from `anchorrule' and `pfrule'
* Remove/shorten duplicate code block
* Fix typo I introduced with r1.678 that frees the wrong buffer (twice)

OK sashan


# 1.681 13-Jul-2018 kn

Fix regression on child queue definitions

I committed the wrong diff in 1.680 which turned `queue cq parent pq ...'
into invalid syntax by changing `interface' to `ON if_item'.

Found by bket, thanks!


# 1.680 11-Jul-2018 kn

Prevent invalid interface specifiers on queue rules

pf.conf(5) states that queues attach to actual interfaces only, yet the
following parses:

# echo queue eq on egress bandwidth 1G default | pfctl -f-
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

# echo queue rq on rdomain 0 bandwidth 1G default | pfctl -vf-
queue rq bandwidth 1G default
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

On rdomains, ifa_exists() returns NULL.
On interface groups, ifa_exists() returns non-NULL but af is never set
to AF_LINK.

OK henning sashan


# 1.679 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.678 10-Jul-2018 henning

'set delay' for the generic packet delay mechanism, ok benno sashan


# 1.677 10-Jul-2018 kn

fix anchor rules with filter opts, introduce filteropts_to_rule()

Some filter options were parsed but not set on anchor rules due to missing
copies of the respective struct members:

$ cat pf.conf
queue rq on trunk0 bandwidth 1G
queue dq parent rq bandwidth 1G default
anchor a set queue dq
$ pfctl -vnf pf.conf | fgrep queue
anchor "a" all

Fix this by moving common code from `anchorrule' and `pfrule' into a new
helper filteropts_to_rule().

Input from henning and benno
OK henning sashan jca


# 1.676 09-Jul-2018 kn

Zap dead code

Commented since r1.465 (2004).

OK deraadt benno jca sashan


# 1.675 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.674 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.673 18-May-2018 benno

A pf rule with a "on rdomain n" with nonexisting rdomain n will cause an

pfctl: DIOCADDRULE: Device busy

error when loading the ruleset, with no information which rule caused
the problem and no indication that the problem is the rdomain
<nonexisting>.

This diff makes pfctl check if the rdomain really exists when parsing
the config.

ok bluhm@


# 1.672 09-May-2018 otto

Fix (include file) line number counting by keeping track of the unget
buffer per file; also use that buffer to expand macros.
ok sashan@ dennis@ krw@


# 1.671 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.670 08-Feb-2018 henning

make the watermarks/thresholds for entering and leaving syncookie mode when
syncookies are set to adaptive tunable, ok claudio benno


# 1.669 06-Feb-2018 henning

allow control over syncookies: set syncookies never/always/adaptive


# 1.668 28-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@


# 1.667 27-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Convert the pfctl(8) rule parser to divert types, kernel cleanup
will be the next step.
OK sashan@


# 1.666 25-Nov-2017 sashan

- pfctl fails to handle nested 'load anchor' properly
[ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]

OK bluhm@


# 1.665 14-Nov-2017 sashan

- nested anchors vs. pfctl/parse.y
bug reported and fix tested by Leonardo Guardati

OK bluhm@


# 1.664 13-Nov-2017 henning

add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb


Revision tags: OPENBSD_6_2_BASE
# 1.663 11-Aug-2017 benno

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@


# 1.662 19-Jul-2017 mikeb

Allow HFSC classes to use flow queues

The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue. Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.

Discussed with and OK henning@ at d2k17 as a part of a larger diff.


# 1.661 19-Jul-2017 mikeb

Rework HFSC vs FQ-CoDel checks

The selection mechanism introduced in pf_ioctl.c -r1.316 suffers
from being too ambiguous and lacks robustness. Instead of relying
on composition of multiple flags in the queue specification, it's
easier to identify the root class (if it exists) and derive all
further checks from it.


# 1.660 28-May-2017 akfaew

Don't check np->port for NULL - it's an array, it's never NULL.

OK bluhm@


# 1.659 15-May-2017 mikeb

Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)

OK sthen, visa


# 1.658 28-Apr-2017 mikeb

Remove double assignments


Revision tags: OPENBSD_6_1_BASE
# 1.657 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.656 23-Nov-2016 bluhm

Explicitly forbid to combine af-to with route-to in pfctl. The
parser cannot handle that correctly and it is unclear whether the
kernel code would work. Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@


# 1.655 26-Aug-2016 guenther

Add <time.h> for time(); sort <*.h> includes

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.654 18-Jul-2016 henning

g/c unused (global!) var: oqueues isn't used any more. ALTQ leftover; not
noticed since struct node_queue stayed. ok claudio benno gcc


# 1.653 22-Jun-2016 kettenis

Add curly braces that were missed in rev 1.651. Add parentheses to make the
condition in the if statement more readable while I'm there.

ok phessler@, benno@, florian@


# 1.652 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.651 21-Jun-2016 benno

the manpage documents that af-to does not work on pass out rules, but
the pf.conf parser allows it, which leads to a non-working configuration
being loaded.
this changes the parser to make pass out .. af-to an error.

ok henning@ mikeb@


# 1.650 16-Jun-2016 henning

allow include in inline anchors
with this,
anchor foo {
include "/path/to/rules"
}
works and "load anchor" is obsolete, to be removed somewhen later after
release.
co-production with reyk at bsdcan, ok reyk mikeb benno sasha


Revision tags: OPENBSD_5_9_BASE
# 1.649 01-Sep-2015 sashan

- route-to, dup-to, reply-to should not override the block action

Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>

ok jung@, ok mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.648 21-Apr-2015 mikeb

Improve divert-to specification parsing w.r.t. rule address family.
ok henning


Revision tags: OPENBSD_5_7_BASE
# 1.647 26-Feb-2015 sthen

%% not % in error message; ok millert@ henning@


# 1.646 14-Feb-2015 sthen

Rather than using 0xff as a placeholder for "don't check prio", use 0xff to
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.

Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesn't like it he can change it when he recovers from jet-lag"


# 1.645 10-Feb-2015 henning

since we inherit prio (as in, the queuing priority) from outside sources,
i. e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan


# 1.644 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.643 19-Dec-2014 reyk

Support source-hash and random with tables and dynifs; not just pools.
This finally allows to use source-hash for dynamic loadbalancing, eg.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.

An older pre-siphash version of this diff was tested by many people.

OK tedu@ benno@


# 1.642 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.641 27-Oct-2014 mikeb

Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic. Reported by sthen@;
ok henning benno sthen


# 1.640 25-Oct-2014 lteo

Remove unnecessary netinet/in_systm.h include.

ok millert@


# 1.639 13-Sep-2014 doug

Replace all queue *_END macro calls except CIRCLEQ_END with NULL.

CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.

ok millert@


# 1.638 23-Aug-2014 pelikan

when you specify queues in a rule, make sure they have been defined.

DIOCADDRULE EBUSY turns into an error message that pfctl -n catches.
DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported
to occur, possibly from hfsc.c: this should be fixed as well.

ok henning mikeb sthen


# 1.637 21-Aug-2014 mikeb

deny "once" flags for match rules; ok henning


Revision tags: OPENBSD_5_6_BASE
# 1.636 02-Jul-2014 mikeb

branches: 1.636.4;
condition above makes this part of the check useless;
overlooked in the previous commit


# 1.635 30-Jun-2014 mikeb

Merge two loops in collapse_redirspec into one

This lets us do the checks only once and also make smarter decisions
about the rule's own address family. As a result af-to rules no longer
need to specify the address family after 'pass'.

ok henning


# 1.634 25-Jun-2014 mikeb

Make stricter decisions when handling translation specifications.

In particular, disallow specifications containing addresses of
different address families when rule doesn't specify one, for
example "pass out nat-to { ::1 1.1.1.1 }" will now produce an
error instead of silently picking one of the addresses.

sthen and deraadt agree


# 1.633 17-May-2014 bluhm

When parsing a numerical value for the TOS bits, make sure that it
is in a valid range.
OK henning@


# 1.632 19-Apr-2014 henning

remove altq bits here, too
(i was convinced i committed that yesterday already, hrm)


Revision tags: OPENBSD_5_5_BASE
# 1.631 22-Jan-2014 henning

branches: 1.631.4;
relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian
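
The secrecy check the entry above relaxes is the kind of thing worth seeing spelled out. The following is an added example, not pfctl's own code and not part of this log: a pure-Python version of a config-file permission check with the strict and the relaxed (group-readable) variants side by side. The exact policy it enforces (owner must be root or the invoking user, no "other" bits at all, group write/execute always rejected, group read tolerated only in the relaxed mode) is an assumption about what such a check does, and the stat fields in the demo are constructed.

```python
import os
import stat

ROOT_UID = 0


def secrecy_problem(st_uid, st_mode, current_uid, allow_group_read=True):
    """Return None if the config file passes the secrecy check, else a reason.

    st_uid and st_mode are the owner and permission bits os.stat() reports.
    Policy (an assumption about what the check enforces, not pfctl's code):
      * the owner must be root or the invoking user;
      * no permission bits at all may be set for "other";
      * group write and group execute are rejected; group read is tolerated
        when allow_group_read is True (the relaxed rule) and rejected otherwise.
    """
    if st_uid != ROOT_UID and st_uid != current_uid:
        return "owner not root or current user"
    group_forbidden = stat.S_IWGRP | stat.S_IXGRP
    if not allow_group_read:
        group_forbidden |= stat.S_IRGRP
    if st_mode & (group_forbidden | stat.S_IRWXO):
        return "group/world readable/writeable"
    return None


def check_path(path, allow_group_read=True):
    """Run the check against a real file; stat() errors propagate to the caller."""
    st = os.stat(path)
    return secrecy_problem(st.st_uid, stat.S_IMODE(st.st_mode),
                           os.getuid(), allow_group_read)


if __name__ == "__main__":
    # Constructed stat fields for the demo, not taken from a real system.
    cases = [
        (0, 0o600, "root-owned, owner-only"),
        (0, 0o640, "root-owned, group may read"),
        (0, 0o644, "root-owned, world may read"),
        (1000, 0o600, "owned by the invoking user"),
        (1001, 0o600, "owned by someone else"),
    ]
    for uid, mode, what in cases:
        strict = secrecy_problem(uid, mode, 1000, allow_group_read=False)
        relaxed = secrecy_problem(uid, mode, 1000)
        print(f"{what:28s} {mode:04o}  strict: {strict or 'ok':34s} relaxed: {relaxed or 'ok'}")
```

The only difference between the two modes is whether S_IRGRP is in the forbidden mask; world-readable files fail in both, which is the property a ruleset containing passwords or internal addressing should keep.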


# 1.630 21-Jan-2014 henning

if_item can be "any" now.
allows things like
block out on $someif received-on any
to prevent packets to get forwarded to $someif


# 1.629 20-Jan-2014 henning

support "!received-on <interface>", ok dlg benno


# 1.628 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.627 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


# 1.626 17-Oct-2013 henning

cannot have queue definitions inside anchors.
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@@ring0.de>, analysis & fix yours truly


# 1.625 12-Oct-2013 henning

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen


# 1.624 01-Aug-2013 mikeb

Provide local implementations of if_nametoindex(3) and if_indextoname(3)
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance wise this change provides a speed up
factor of 20 with an 11k line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).

"wow!" henning, ok benno, florian


Revision tags: OPENBSD_5_4_BASE
# 1.623 01-Jun-2013 henning

branches: 1.623.2;
remove set-tos backwards compat, moved into the set {} block a year ago
ok ryan


# 1.622 02-Mar-2013 sthen

When a PF rule contains 'set tos' *followed by* a scrub option, the tos
value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning


Revision tags: OPENBSD_5_3_BASE
# 1.621 16-Jan-2013 henning

for consistency with prio etc, the queue assignment really belongs
into the set block. so make pfctl accept, print and the manpage document
. match set queue foo
instead of
. match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc


# 1.620 18-Oct-2012 reyk

Disallow tables and interface address pools for rdr-to, nat-to and
route-to with any other scheduling algorithms than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, eg. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.

Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.

ok zinke@


# 1.619 18-Sep-2012 henning

prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb


Revision tags: OPENBSD_5_2_BASE
# 1.618 10-Jul-2012 bluhm

Allow an implicit address family for af-to rules. If the address
family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6"
there.
OK henning@ mikeb@


# 1.617 10-Jul-2012 henning

set { ... } -> set ( ... )
brought up by ryan, discussed with him and theo and they convinced me


# 1.616 09-Jul-2012 henning

fix some of the confusion we have in pf regarding filter criteria vs
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler


# 1.615 07-Jul-2012 henning

remove incorrect check in pfctl preventing set-tos for ipvshit.
the kernel has code to deal with set-tos and that crap. don't ask for
details. stuart ok


# 1.614 07-Jul-2012 henning

rename prio in struct pf_rule and related structs to set_prio so it is
utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc


Revision tags: OPENBSD_5_1_BASE
# 1.613 19-Dec-2011 mikeb

unbreak rule optimizer; ok henning, looks


# 1.612 12-Dec-2011 mikeb

fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault


# 1.611 03-Dec-2011 mcbride

pfctl_set_hostid always returns 0; don't pretend otherwise and make it a
void function instead.

ok dlg


# 1.610 13-Oct-2011 claudio

pfctl change for af-to / NAT64 support.
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@


# 1.609 07-Sep-2011 haesbaert

Avoid possible SIGSEGV when wrong tos option.


# 1.608 30-Aug-2011 mikeb

One shot rules can be used in pf.conf by specifying a "once" filter option.

ok henning, mcbride


Revision tags: OPENBSD_5_0_BASE
# 1.607 29-Jul-2011 mcbride

Remove requirement to quote 'debug' loglevel for the 'debug' option.

ok henning


# 1.606 27-Jul-2011 mcbride

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with a some minor cleanup.
ok henning claudio deraadt


# 1.605 13-Jul-2011 mcbride

Force user to specify protocol when filtering on user, gid, and os
attributes (this is now required by pf_rule_test()).

ok sthen henning


# 1.604 08-Jul-2011 henning

allow rules to specify "prio X" or "prio (X, Y)" to assign priority levels
for the new priority queueing implementation. valid range is 0 to 7. the old
trick for prioritizing empty ACKs etc remains thru the latter notation
ok ryan mpf sthen plus pea testing and halex and claudio reading


# 1.603 07-Jul-2011 mcbride

Fold pf_test_fragment() into pf_test_rule(), reduce code and fixes
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus


# 1.602 04-Jul-2011 henning

bye bye require-order.
i added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo


# 1.601 03-Jul-2011 henning

g/c RIO traces (aka clean up after tedu :))


# 1.600 03-Jul-2011 zinke

bring in least-states load balancing algorithm

ok mcbride@ henning@


# 1.599 06-Apr-2011 claudio

Userland bits to allow PF to filter on the rdomain a packet belongs to.
This allows to write rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@


# 1.598 05-Apr-2011 mikeb

ditch fastroute, an ipf feature that made its way into pf before
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do. reuse some kernel bits for the upcoming nat64
stuff. "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.


Revision tags: OPENBSD_4_9_BASE
# 1.597 31-Dec-2010 bluhm

According to pf_scrub_ip6() pf does not support the scrub options
no-df, random-id, set-tos for IPv6 rules. Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@


# 1.596 15-Dec-2010 henning

make the "invalid probability:" yyerror suck less
From: Thomas Pfaff <tpfaff@tp76.info>


# 1.595 01-Dec-2010 jsg

remove some unused tokens
ok henning@ mcbride@


# 1.594 24-Sep-2010 henning

remove the check that enforced rdr-to only inbound and nat-to only outbound.
both now can be used in both directions. the kernel allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given, a rule with rdr-to and/or nat-to
and no direction is pretty certainly an error (which it would work,
technically)
ok ryan claudio dlg


# 1.593 22-Sep-2010 henning

new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually


# 1.592 02-Sep-2010 sobrado

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@


Revision tags: OPENBSD_4_8_BASE
# 1.591 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.590 03-Jul-2010 mcbride

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.

tested by phessler
ok henning


# 1.589 23-Mar-2010 henning

remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving anchors aside) is wrong and
conflicts with the general idea of how pf works. last not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc


Revision tags: OPENBSD_4_7_BASE
# 1.588 13-Jan-2010 deraadt

Move tokens before productions into more consistent places
ok mcbride


# 1.587 13-Jan-2010 mcbride

Allow /netmask notation in redir spec, fix the rest of the regress
tests for illegal conditions in translation/routing.


# 1.586 12-Jan-2010 mcbride

We actually have to keep the translate/route spec addresses around after
collapsing into tables, so that we can handle all possible address family
expansions.


# 1.585 12-Jan-2010 mcbride

Set roundrobin flag correctly, and don't treat a bare interface
like a dynamic one in the routespec.


# 1.584 12-Jan-2010 mcbride

Add restrictions to make @if illegal outside of routing specs;
Fix binat-to sanity checks.


# 1.583 12-Jan-2010 mcbride

Fix some issues in redir spec handling, discovered thanks to dlg testing
- purge irrelevant addresses from the lists before collapsing
- ensure the lists are freed after they're collapsed
- more careful ifname copying, avoiding double-free / use-after-free traps


# 1.582 12-Jan-2010 mcbride

Don't leak @if0 format routing host names, pointed out by claudio.


# 1.581 12-Jan-2010 mcbride

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio


# 1.580 10-Jan-2010 deraadt

lex <=, >=, and != into a single token for correctness and to reduce the
lookahead in the parser
ok henning otto


# 1.579 10-Jan-2010 deraadt

In the non-optimized case, an address list containing "any" (ie. { any 10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1. How long this bug has
been with us is unclear.
ok guenther mcbride


# 1.578 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


# 1.577 24-Dec-2009 dlg

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:

pass out on em0 from $foo to $bar received-on fxp0

ive been running this in production for a week now. i find it particularly
useful with interface groups.

no objections, and a few "i like"s from henning, claudio, deraadt, mpf


# 1.576 10-Dec-2009 deraadt

plug some memory leaks; found by parfait, ok henning


# 1.575 22-Nov-2009 henning

cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing


# 1.574 09-Nov-2009 jsg

A few more places to be updated for the route pool change.
expanded version of a diff from Vadim Zhukov.

ok henning@ claudio@


# 1.573 28-Oct-2009 jsg

Add a dedicated pf pool for route options as suggested by henning,
which unbreaks ie route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@


# 1.572 28-Oct-2009 claudio

route_host initializes the netmask to a /128 no matter what af is used so
that the load balancing code does not freak out but because of this
check_netmask() is now complaining. So set the addr.type to PF_ADDR_DYNIFTL
so check_netmask() is fixing up the netmask for IPv4 and stops complaining.
This is a partial fix for the failing regress test 13.
found with jsg, looks good henning


# 1.571 28-Oct-2009 claudio

Correct function name in err and errx.


# 1.570 04-Oct-2009 michele

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who spotted out which are the limitations of this approach.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@


# 1.569 08-Sep-2009 michele

I had not enough oks to commit this diff.
Sorry.


# 1.568 08-Sep-2009 michele

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.


# 1.567 07-Sep-2009 reyk

implement binat-to as a macro-like rule: a rule using the new binat-to
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. this simplifies the migration from old
binat rules and is less error-prone.

feedback from many, manpage bits from jmc@
ok henning@


# 1.566 03-Sep-2009 reyk

this time i commit the right diff that was
ok henning@ (sorry)


# 1.565 03-Sep-2009 reyk

fix two route-to vs. rdr-to conflicts.

found by sthen@
ok henning@


# 1.564 02-Sep-2009 reyk

all the new *-to options are part of the "filteropts" section at the
end of a pf rule (nat-to, divert-to, rdr-to, ...). take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.

for example,
pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)

many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@


# 1.563 01-Sep-2009 henning

the diff theo calls me insanae for:
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too


# 1.562 28-Jul-2009 claudio

Bring back rev. 1.560:
Make it possible to use DiffServ Code Point in the TOS fields.
Requested by deraadt@


# 1.561 27-Jul-2009 deraadt

When will people learn to commit their .h file changes?


# 1.560 27-Jul-2009 claudio

Make it possible to use DiffServ Code Point in the TOS fields. Names like
af11, cs6 and ef will now be mapped to the corresponding TOS value.
OK henning@, sthen@, mcbride@


Revision tags: OPENBSD_4_6_BASE
# 1.559 14-May-2009 sthen

actually change the require-order default to No; I missed a part with
my last commit. ok deraadt@


# 1.558 26-Apr-2009 sthen

switch the require-order default to "no". regression tests still pass.
ok henning@ deraadt@


# 1.557 25-Apr-2009 henning

scrub_opts must not be empty, scrub on its own does nothing.
noticed due to a question from otto@, ok regress/sbin/pfctl/ ;)


# 1.556 06-Apr-2009 henning

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.
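
The match-rule semantics laid out in the entry above (match never flips pass/block, the last rule that sets a queue or rtable wins even if it was not the last matching rule, and every matching rule with "log" logs the packet) are easy to misread. The following is an added example, not pfctl or pf(4) code and not part of this log: a small Python model of one pass over a ruleset that implements exactly those rules, plus pf's usual "quick" stop. The ruleset, the packet dicts and the field-equality matching are constructed for the demo; real pf matching is far richer.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    action: str                               # "pass", "block" or "match"
    when: dict = field(default_factory=dict)  # packet field -> required value; {} matches all
    queue: Optional[str] = None
    rtable: Optional[int] = None
    log: bool = False
    quick: bool = False                       # pf's usual "stop evaluating here"

    def matches(self, pkt):
        return all(pkt.get(k) == v for k, v in self.when.items())


def evaluate(ruleset, pkt):
    """Walk the ruleset once and return the verdict plus the options set."""
    decision = "pass"          # nothing matched: pf lets the packet through
    queue = None
    rtable = None
    logged_by = []             # every matching rule carrying "log" logs the packet
    for idx, r in enumerate(ruleset):
        if not r.matches(pkt):
            continue
        if r.log:
            logged_by.append(idx)
        # queue / rtable: the last matching rule that sets one wins, whether
        # it is a match rule or a pass/block rule; an unset option is inherited
        if r.queue is not None:
            queue = r.queue
        if r.rtable is not None:
            rtable = r.rtable
        if r.action == "match":
            continue               # match never touches the pass/block state
        decision = r.action        # pass/block: last matching rule wins ...
        if r.quick:
            break                  # ... unless it is quick
    return {"decision": decision, "queue": queue, "rtable": rtable, "logged_by": logged_by}


# Constructed sample ruleset (not from any real pf.conf).
RULESET = [
    Rule("match", when={"proto": "tcp", "dport": 22}, queue="ssh_q", log=True),   # 0
    Rule("match", when={"src": "192.0.2.10"}, rtable=1),                           # 1
    Rule("block", log=True),                                                        # 2: block all, log
    Rule("pass", when={"proto": "tcp", "dport": 22}),                               # 3: no queue of its own
    Rule("pass", when={"proto": "tcp", "dport": 80}, queue="web_q", quick=True),    # 4
    Rule("block", when={"proto": "tcp", "dport": 80}),                              # 5: shadowed by the quick rule
]

# Constructed packets.
SSH = {"proto": "tcp", "src": "192.0.2.10", "dport": 22}
WEB = {"proto": "tcp", "src": "198.51.100.7", "dport": 80}
DNS = {"proto": "udp", "src": "198.51.100.7", "dport": 53}

if __name__ == "__main__":
    for name, pkt in (("ssh", SSH), ("web", WEB), ("dns", DNS)):
        print(name, evaluate(RULESET, pkt))
    # match rules alone decide nothing: "pass; match" passes, "block; match" blocks
    print(evaluate([Rule("pass"), Rule("match")], DNS)["decision"])
    print(evaluate([Rule("block"), Rule("match")], DNS)["decision"])
```

For the SSH packet the verdict comes from rule 3 (pass), the queue from match rule 0 because rule 3 sets none, the rtable from match rule 1, and the packet is logged twice (rules 0 and 2), which is the "logged more than once" case the entry warns about.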


Revision tags: OPENBSD_4_5_BASE
# 1.555 19-Feb-2009 deraadt

spacing


# 1.554 17-Oct-2008 henning

in findeol(), do not skip the pushback buffer. fixes PR 5952 by sthen@ and
should make the pushback buffer really transparent.
diagnosis by me, fix with mpf, some input deraadt, ok mpf


# 1.553 02-Oct-2008 henning

implement "set state-defaults X", where X is a list of state options as
permitted keep state(X). applies to all rules which do not have keep state
explicitly. e. g. "set state-defaults pflow, no-sync"
ok phessler deraadt


# 1.552 10-Sep-2008 deraadt

do not try to print $$ when it has not been set


# 1.551 09-Sep-2008 henning

welcome pflow(4), a netflow v5 compatible flow export interface.
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo


# 1.550 07-Aug-2008 henning

correctly copy the log interface spec when expanding an antispoof rule that
covers loopback addresses. ok ryan
problem report from Harald Dunkel <harald.dunkel@aixigo.de>


Revision tags: OPENBSD_4_4_BASE
# 1.549 03-Jul-2008 deraadt

do not forget to initialize other member of $$ in qname; noted by mark shroyer
ok henning


# 1.548 10-Jun-2008 mcbride

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt


# 1.547 10-Jun-2008 henning

new state option "sloppy" to use the sloppy tcp state tracker instead
of the good one. ok theo ryan reyk


# 1.546 09-May-2008 deraadt

Replace a crockpot of semi-cloned productions for handling port
numbers with one, and fix a few other bugs along the way
ok mpf henning


# 1.545 09-May-2008 markus

convert port byte order in the production; add port keyword; ok deraadt@


# 1.544 09-May-2008 markus

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@


# 1.543 08-May-2008 deraadt

make "to any" optional in binat, or well, the implied default.
requested by reyk, ok reyk mpf


# 1.542 08-May-2008 deraadt

Loosen grammar to permit any number of newlines within most kinds of { }
blocks, as requested by reyk; ok reyk mpf henning


# 1.541 08-May-2008 deraadt

Bring back (in a more yacc friendly way) support for setting variables
to a sequence of strings and numbers, which get folded together into one
string (and later, when used, is re-lexed)
ok mpf


# 1.540 07-May-2008 deraadt

do not assume PF_INOUT is 0 in the enum; ok mcbride


# 1.539 07-May-2008 markus

scrub packets based on tags; ok henning


# 1.538 07-May-2008 markus

allow setting TOS with scrub; ok mcbride, claudio


# 1.537 21-Apr-2008 deraadt

optnl is a crutch for those who do not understand yacc. it
leads to a variety of errors; ok mcbride


Revision tags: OPENBSD_4_3_BASE
# 1.536 01-Feb-2008 mcbride

Enable the rest of the filter_opts to be used on anchors. These were accepted
by the parser but not passed to the kernel. This allows filtering based on
uid, gid, icmp options, tcp flags, os fingerprint, tos, tags, and probability;
It also allows the label to be set. State options and tagging are not
permitted.

ok henning mpf


# 1.535 13-Nov-2007 mpf

Bring back the number converter for 'set hostid'.
I forgot to think about hex numbers when I removed it.
OK deraadt@


# 1.534 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.533 25-Oct-2007 mpf

Fix probability rules w/ numbers (e.g probability 0.4).
Add support for probabilities of 0% and 100%.
With and OK deraadt@


# 1.532 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.531 22-Oct-2007 deraadt

pfctl does not need file secrecy


# 1.530 16-Oct-2007 mpf

Allow unquoted numbers in variables.
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.

OK deraadt@


# 1.529 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.528 13-Oct-2007 deraadt

support an include directive; file of course must also be "secure" like
the main configuration file; ok henning


# 1.527 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.526 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.525 01-Oct-2007 mpf

Backout NUMBER to string conversion.
Requested by deraadt@


# 1.524 27-Sep-2007 mpf

Add loginterface support for groups.
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.

OK henning@, markus@


# 1.523 23-Sep-2007 mpf

Allow numbers to be used as unquoted strings again.
While there, also restrict the use of concatenated, unquoted
strings for variable assignments only.

Eyeballed by markus@, OK henning@


# 1.522 12-Sep-2007 deraadt

add a missing range check for rtable ids; ok cloder henning


# 1.521 12-Sep-2007 deraadt

Add support to the lex for parsing number out of the stream. handle
this in the parser. because the new numbers are int64_t, many new
range checks for < 0 are needed. re-check and improve all the
existing rangechecks while at it. thanks for help by cloder and
dhartmei


# 1.520 30-Aug-2007 dhartmei

add support for address ranges ("from 10.1.2.50 - 10.1.3.75") in from/to
criteria. ok mcbride@


Revision tags: OPENBSD_4_2_BASE
# 1.519 21-Jun-2007 henning

always initialize logif, from max laier, ok ryan


# 1.518 20-Jun-2007 mpf

Allow "log" for nat rules without "pass".
OK henning@, ``passt scho'' markus@


Revision tags: OPENBSD_4_1_BASE
# 1.517 03-Feb-2007 dhartmei

in decide_address_family(), only limit a rule to a specific address family
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@


# 1.516 07-Nov-2006 mcbride

Unbreak authpf by handling non-inline anchors separately from the { } anchors
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.

ok deraadt@


# 1.515 31-Oct-2006 mcbride

Allow pfctl ruleset optimizer to be controlled from the ruleset.

"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]

You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.

cleanup and ok henning@


# 1.514 31-Oct-2006 mcbride

- don't allow anchors with _* names to be cleared or loaded from the
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified

'looks sensible' deraadt@


# 1.513 28-Oct-2006 mcbride

Load all rules into memory before loading into the kernel, and add support
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").

anchor on fxp0 {
pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@


# 1.512 25-Oct-2006 henning

make absolutely sure logif is 0 unless set specifically, even if log is 0.
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...


# 1.511 25-Oct-2006 henning

and another nit, $$.log should be set to 0 explicitly on quick without log


# 1.510 25-Oct-2006 henning

urgs, $$.quick needs to be set to 0 explicitly on log (without quick)


# 1.509 25-Oct-2006 henning

allow the log interface to be selected like
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride


# 1.508 17-Oct-2006 mcbride

Don't automatically set 'flags S/SA' on stateless rules.

pointed out by david@

ok mpf@ dhartmei@


# 1.507 11-Oct-2006 deraadt

quotes around filename, pr 5253, sthen@zephyr.spacehopper.org


# 1.506 11-Oct-2006 mcbride

Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside
the anchor, terminate ruleset evaluation when stepping out of the anchor.

This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.

ok dhartmei@ henning@ deraadt@


# 1.505 06-Oct-2006 mcbride

Oops, flags S/SA doesn't work on fragments.


# 1.504 06-Oct-2006 mcbride

Make 'flags S/SA keep state' the implicit for filter rules, based on
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.

IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.

Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.

ok dhartmei@ deraadt@ henning@


Revision tags: OPENBSD_4_0_BASE
# 1.503 22-Aug-2006 dhartmei

back out -r1.497 (support for "tagged {}" lists), it broke "tagged" support
for nat rules. sorry, existing functionality trumps syntactic sugar. feel
free to resubmit a complete patch. closes PR 5207.


# 1.502 06-Jul-2006 henning

add "rtable" to select alternate routing tables.
with & ok claudio hshoexer


# 1.501 17-Jun-2006 henning

KNF


# 1.500 28-May-2006 mcbride

Make per-rule adaptive timeouts behave the same way as the global adaptive
timeouts.


# 1.499 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.498 02-May-2006 dhartmei

fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, create
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.


# 1.497 01-May-2006 dhartmei

add support for "tagged {}" lists, from Pierre-Yves Ritschard


# 1.496 06-Apr-2006 henning

allow lists inside lists for address specs, has been in my tree for
quite some time... theo likes


# 1.495 14-Mar-2006 djm

implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@


Revision tags: OPENBSD_3_9_BASE
# 1.494 17-Nov-2005 dhartmei

for pfctl -f rules, open the file before resetting options. when opening
the file fails, produce only the error message and leave options
unchanged. reported by Tamas TEVESZ, ok deraadt@


# 1.493 13-Oct-2005 henning

unused parameters


Revision tags: OPENBSD_3_8_BASE
# 1.492 14-Jun-2005 henning

no need to restrict tagging to stateful rules any more, dhartmei ok
From: "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.491 27-May-2005 dhartmei

get rid of 'log-all'. now that we have 'log (options)', make 'all' an
option to log. so, 'log-all' becomes 'log (all)'.


# 1.490 27-May-2005 dhartmei

get rid of shift/reduce conflicts, don't support empty logopts


# 1.489 27-May-2005 dhartmei

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v is used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.


# 1.488 27-May-2005 dhartmei

allow 'tagged' in 'anchor' rules (without complaining about missing
'keep state'), as a condition to branch into the anchor. suggested
by Bill Marquette.


# 1.487 26-May-2005 camield

The illegalness of "no nat log" is already enforced by the grammar.

ok dhartmei


# 1.486 26-May-2005 dhartmei

support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@


# 1.485 23-May-2005 camield

remove code that duplicates getservice()

ok dhartmei mcbride


# 1.484 21-May-2005 henning

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo


# 1.483 22-Apr-2005 camield

Catch bad flags, ie. flags that always evaluate to false. This happens
if there are flags on the lefthandside that are masked off by the
righthand side.

ok mcbride@ (long time ago) dhartmei@ henning@


Revision tags: OPENBSD_3_7_BASE
# 1.482 07-Mar-2005 henning

print unsigned long with %lu, not with %d and not with %ld.
From: Andrey Matveev <andrushock@korovino.net>


# 1.481 06-Mar-2005 henning

allow commas in the hfsc service curve spec, inconsistency pointed out in
PR4134 / geoff@collyer.net and a longer mail exchange with han boetes


# 1.480 06-Mar-2005 dhartmei

print "set skip on" with -v in such a way that the output is valid input
syntax, instead of the cryptic hex flags output.


# 1.479 27-Feb-2005 dhartmei

support 'tagged' in translation rules, non-delayed tag lookup
ok henning@, deraadt@


# 1.478 26-Feb-2005 henning

you sure get the impression the number of memory leaks in error paths
is infinite... Andrey Matveev <andrushock@korovino.net> spotted a few again!


# 1.477 07-Feb-2005 david

KNF; ok henning@


# 1.476 28-Jan-2005 dhartmei

add messages for syntax errors that caused silent failure before.
found by Peter Fraser, ok henning@


# 1.475 27-Jan-2005 dhartmei

dynamic interface names must start with a letter. catches the nonsensical
"(10.1.2.3)" that results from a simple typo like "$(ext_ip)" instead of
"$(ext_if)".


# 1.474 05-Jan-2005 mcbride

Modify pfctl behaviour so that 'set ...' options are no longer "sticky", ie.
they are reset to default values if omitted from a subsequent ruleset load.
Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set
without resetting the others, eg:
# echo "set loginterface fxp0" | pfctl -mf -

ok henning@ dhartmei@


# 1.473 29-Dec-2004 mcbride

Print 'set fingerprints' correctly when parsing verbosely.


# 1.472 23-Dec-2004 dhartmei

set rule_flag PFRULE_SRCTRACK when setting srctrack, found by camield@
using regress test pf84


# 1.471 22-Dec-2004 dhartmei

Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@


# 1.470 15-Dec-2004 henning

missing free()s; with pat


# 1.469 10-Dec-2004 henning

allow pf to filter on route labels
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan


# 1.468 08-Dec-2004 mcbride

Add "'overload' requires 'max-src-conn' or 'max-src-conn-rate'" sanity check,
fix some cut-n-paste mayhem in other related checks.


# 1.467 07-Dec-2004 dhartmei

re-commit mcbride@'s 'flush global', this time without the breakage in
pfvar.h. builds kernel and userland.


# 1.466 07-Dec-2004 deraadt

real backout


# 1.465 07-Dec-2004 deraadt

oops, incomplete backout


# 1.464 07-Dec-2004 deraadt

tree does not compile, spotted by dlg (not obvious how to fix)
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.463 07-Dec-2004 mcbride

Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.462 05-Dec-2004 dhartmei

initialize $$->tail and $$->next for MAXSRCCONNRATE


# 1.461 04-Dec-2004 mcbride

Userland support for limiting open tcp connections per source. eg:

keep state (max-src-conn 1000, max-src-conn-rate 100/10, overflow <bad> flush)

allow a maximum of 1000 open connections or 100 new connections in 10 seconds.
The addresses of offenders are added to the <bad> table which can be used in
the ruleset, and existing states from that host are flushed.

ok deraadt@ dhartmei@


# 1.460 21-Sep-2004 aaron

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok


Revision tags: OPENBSD_3_6_BASE
# 1.459 29-Jun-2004 henning

remove cedric's bogus interface name verification code.
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nice enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being bugged to regularly.
help & ok mcbride@


# 1.458 29-Jun-2004 frantzen

convert a few memcpy()s to strlcpy() so we don't copy uninitialized junk into
an interface name's slack space past the \0. will be needed for the optimizer.
ok henning@


# 1.457 26-Jun-2004 david

add back PF_INOUT, fixes reassemble tcp
ok canacar@ mcbride@


# 1.456 25-Jun-2004 deraadt

repair tree nanobreak by the nanobum


# 1.455 10-Jun-2004 dhartmei

rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
keyword in C++. ok henning@, cedric@


# 1.454 21-May-2004 dhartmei

Use '/' instead of ':' as separator for anchor path components. Note that
the parser now needs quotes around paths containing separators.
ok mcbride@


# 1.453 19-May-2004 dhartmei

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@


# 1.452 24-Apr-2004 cedric

Add "probability xxx" rule modifier. ok deraadt@


# 1.451 22-Apr-2004 henning

typo, From: Jared Yanovich <jjy2+@pitt.edu>


# 1.450 14-Apr-2004 cedric

make antispoof work with dynamic addresses. ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_5_BASE
# 1.449 20-Mar-2004 david

spelling fix; ok dhartmei@ henning@ deraadt@


# 1.448 14-Mar-2004 dhartmei

#include fixes, from Max Laier, ok beck@ henning@


# 1.447 08-Mar-2004 henning

plug 124 memory leaks
ok mcbride@ pb@ dhartmei@


# 1.446 06-Mar-2004 henning

from bgpd:
plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. err(1, "yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.445 01-Mar-2004 dhartmei

support "tagged <name>" on anchor rules, suggested by vd@vmunix.lt,
ok henning@, cedric@


# 1.444 24-Feb-2004 mcbride

'max-src-nodes' requires 'source-track rule'. Set that automatically,
unless 'source-track global' is explicit, in which case error out. Lots of
help from cedric@.

ok cedric@ henning@


# 1.443 24-Feb-2004 cedric

fixup.


# 1.442 24-Feb-2004 mcbride

Check for 'source-track rule' with 'max-src-nodes'.

ok cedric@ henning@


# 1.441 11-Feb-2004 cedric

Fix interface clobbering for link-local addresses. Found by Pyun YongHyeon.
Fix "antispoof for foo" when foo has no addresses.
ok+help dhartmei@, ok mcbride@


# 1.440 10-Feb-2004 henning

KNF


# 1.439 10-Feb-2004 henning

fix at least the worst of Cedric "KNF is for everybody but me" Berger's fuckup


# 1.438 04-Feb-2004 mcbride

Handle rules like 'pass ... proto { tcp udp icmp } ... modulate state'

ok dhartmei@ henning@


# 1.437 03-Feb-2004 henning

fix PR 3664 / jared r r spiegel
we need to save the unexpanded tag/tagged strings before entering the
expansion loop, and at each loop, start with the unexpanded tag, so that
on subsequent loops the macros are replaced with current values and not
the values from previous loop persist
ryan theo ok


# 1.436 05-Jan-2004 henning

few off by ones in strlcpy overflow check; Patrick Latifi


# 1.435 04-Jan-2004 cedric

don't ignore "!" on "binat on !foo". ok mcbride@


# 1.434 31-Dec-2003 deraadt

spacing. note this, cedric


# 1.433 31-Dec-2003 cedric

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@


# 1.432 30-Dec-2003 henning

fix TAILQ abuse.
TAILQ_REMOVE is a no-no within a TAILQ_FOREACH loop.
also free the symbol itself after removal.
all found while hacking bgpd which incorporates pfctl's sym code (macros).

ok cedric@


# 1.431 19-Dec-2003 henning

i wrote much of these, assert my copyright


# 1.430 19-Dec-2003 deraadt

assert copyright. i rewrite much of this


# 1.429 16-Dec-2003 mcbride

Check that max-src-states and max-src-nodes are not being set to 0.


# 1.428 15-Dec-2003 henning

KNF here too


# 1.427 15-Dec-2003 mcbride

Whitespace.


# 1.426 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


# 1.425 15-Dec-2003 mcbride

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@


# 1.424 29-Nov-2003 dhartmei

allow ':' (range including boundaries) to be used wherever '><' (range
excluding boundaries) is legal. already supported by kernel, requires only
removal of three error messages. ok henning@


# 1.423 22-Nov-2003 henning

daniel stumbled over a broken regress test, and it turned out that I forgot
to commit a diff from 11/6...
do not insert the "block in on ! interface" rule for antispoof statements when
the interface in question does not have any IP address, because that then
expands to
block in on ! interface all
which is obviously bad.
niklas@ found it, dhartmei@ ok, and I think some more ppl ok I don't remember


# 1.422 14-Nov-2003 henning

allow the debuglevel to be set from pf.conf (set debug)

ok cedric@


# 1.421 08-Nov-2003 mcbride

Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.

pass in proto tcp to self flags S/SA keep state (no-sync)

ok cedric@ henning@ dhartmei@


# 1.420 06-Nov-2003 henning

and fix two err() that should be errx() while being here


# 1.419 06-Nov-2003 henning

need calloc here


# 1.418 06-Nov-2003 henning

allow the label macros to be used in tags as well.
the idea is not mine and I'd love to get credit, but I cannot find the mail
any more :-((

ok canacar@ dhartmei@


# 1.417 21-Oct-2003 itojun

don't use NULL as (int)0. henning ok


# 1.416 26-Sep-2003 cedric

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:

- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK

Ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_4_BASE
# 1.415 01-Sep-2003 henning

KNF


# 1.414 28-Aug-2003 kjell

This change is busted. what's worse, REGRESSION TESTS WOULD HAVE CAUGHT IT!
You MUST test network stack changes on BOTH BYTE-ORDERS.
Someone can fix this later, but right now I need to get the damn
firewall up. Grr.


# 1.413 26-Aug-2003 dhartmei

catch port/user/group a <>/>< b with a >= b, from mpech@


# 1.412 25-Aug-2003 dhartmei

catch return-rst ttl values > 255, from aaron@


# 1.411 24-Aug-2003 cedric

Tweaks:
- Make sure we allow only tables in round-robin pools for routing options,
same as what we do for translation rules.
- Don't reject rules like: "nat on sis0 -> <foo>" because
"no address family is given". This is perfectly valid.
ok henning@


# 1.410 22-Aug-2003 david

pf spelling police
ok dhartmei@ jmc@


# 1.409 21-Aug-2003 frantzen

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001


# 1.408 20-Aug-2003 henning

braindeadness police: catch queues which specify itself as child... 'nuff said


# 1.407 20-Aug-2003 henning

err out nicer on errors in queue def


# 1.406 18-Aug-2003 dhartmei

catch max-mss values > 65535, report by Gregory Steuck


# 1.405 09-Aug-2003 cedric

This patch removes the restriction that tables cannot be used in routing or
redirection rules...

The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.

This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.

Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"

ok henning@ mcbride@


# 1.404 29-Jul-2003 deraadt

indent


# 1.403 19-Jul-2003 cedric

Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
instead of indirectly through struct pf_rule_addr.

Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.

Needless to say: KERNEL/USERLAND SYNC REQUIRED.

ok henning@ mcbride@


# 1.402 18-Jul-2003 cedric

Simplify handling of flags (-R, -N...). Remove PFCTL_FLAG_ALL.
ok dhartmei@


# 1.401 15-Jul-2003 cedric

Repair memory management in table parsing code.
I need vacations.
Found and verified by Pyun YongHyeon.
ok dhartmei@


# 1.400 14-Jul-2003 dhartmei

tpo


# 1.399 11-Jul-2003 cedric

Better parsing and -v support for tables:

- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and bring table definition consistent with other
parsed rules.

ok dhartmei@


# 1.398 10-Jul-2003 cedric

Fix merging of host lists.
ok dhartmei@ henning@


# 1.397 04-Jul-2003 henning

KNF after cedric (grmpf)


# 1.396 04-Jul-2003 henning

allow for a "pass" modifier on translation rules:
nat pass on $ext_if from $a to $b -> $ext_if
when the pass modifier is given, the filter ruleset is _not_ evaluated but
the packets matching this translation rule are passed unconditionally.

ok dhartmei@ cedric@ markus@


# 1.395 03-Jul-2003 cedric

Bye bye atexit(), bye bye globals...
The pfctl.c part will probably need some further improvements.
ok henning@


# 1.394 03-Jul-2003 cedric

This patch finally cleans up pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@


# 1.393 19-Jun-2003 deraadt

knf


# 1.392 18-Jun-2003 henning

change expand_label_addr() to use a switch (h->addr.type) instead of
if .. else if .. else, and handle PF_ADDR_NOROUTE as well.
inspired by a comment from cedric.


# 1.391 18-Jun-2003 henning

when expanding the $srcaddr/$dstaddr label macros and the address is actually
a table reference, don't print nonsense but the table name.
found by claudio jeker, fix by me, agreement by cedric


# 1.390 09-Jun-2003 mcbride

Attempt to resolve byte order confusion in nat code once and for all.

- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()

NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.


# 1.389 25-May-2003 henning

must not run check_netmask() before remove_invalid_hosts() - binat case had it
wrong for the redirection target.
reported by jared r r spiegel <jrrs@ice-nine.org>


# 1.388 19-May-2003 henning

reject invalid netmasks like 10.0.0.0/68, and fix up the netmask for
dynaddr rules after we know the address family

ok dhartmei@, inspired by a session with bob


# 1.387 19-May-2003 henning

all host() receivers have to test for NULL


# 1.386 19-May-2003 henning

if host() returns NULL, it is an error, so err the fuck out and don't
load bullshit


# 1.385 17-May-2003 henning

support inverse matching on tags like
block in ! tagged sometag

ok dhartmei@ pb@


# 1.384 16-May-2003 dhartmei

TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive end-
point, preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@


# 1.383 15-May-2003 henning

properly complain about too long tags


# 1.382 14-May-2003 frantzen

add scrub modifier "reassemble tcp" to turn on stateful TCP normalizations
ok henning@ dhartmei@


# 1.381 14-May-2003 henning

tagging on binat


# 1.380 14-May-2003 henning

enabled tagging on rdr rules


# 1.379 14-May-2003 henning

with tag/tagged given, only whine about missing keep state on pass rules


# 1.378 14-May-2003 frantzen

allow SCRUB rules to specify protocol again. broken sometime in the past.
okie dhartmei@, yay pb@


# 1.377 14-May-2003 henning

tags on nat rules:
nat on $ext_if all tag humppa -> $ext_if
pass out tagged humppa keep state


# 1.376 13-May-2003 henning

make sure tagging is only ever used with stateful filter rules


# 1.375 13-May-2003 henning

userland part for tagging.
it's now possible to tag packets with an arbitrary tag and filter based on
that tag later on other interfaces:
pass in quick on fxp0 keep state tag blah
pass out quick on wi0 keep state with tag blah
can be used to express trust between interfaces, to distinguish between
NATed connections and connection originating from the firewall itself
and much more

ok dhartmei@ frantzen@ pb@ mcbride@


# 1.374 11-May-2003 mcbride

Don't ntohs() the translation port for nat as it is already in host byte order.
Makes nat ... -> $ext_if port 500 rules work correctly again.

ok henning@ dhartmei@ frantzen@


# 1.373 10-May-2003 henning

support loading of anchors from within the main ruleset via
load anchor anchorname:rulesetname file /path/to/file

ok pb@ dhartmei@ cedric@


# 1.372 03-May-2003 henning

don't free() the char * carrying the rule label too early
noticed by Mathieu Sauve-Frankel <m.sauve at secureops.net> via silc


# 1.371 01-May-2003 henning

ease label handling

ok cedric@


# 1.370 01-May-2003 henning

allow label on antispoof; requested by Gregor Binder <gbinder at sysfive.com>

ok cedric@


# 1.369 30-Apr-2003 cedric

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@


# 1.368 25-Apr-2003 dhartmei

Properly copy the second part of nat proxy port range, when specified.
ok henning@


# 1.367 15-Apr-2003 henning

pass down the unparsed queue opts (struct node_queue_opt) to
print_altq/print_hfsc -> print_hfsc_opts and extract struct node_hfsc_sc
there for each service curve and pass those down to print_hfsc_sc. now
bandwidth specifications in the service curves are printed correct in the
case of a queue belonging to more than one interface/parent queue, the
parent queues having different bandwidths and the bandwidth on the service
curve being specified in percent.


# 1.366 14-Apr-2003 henning

let print_altq and print_queue take a struct node_queue_bw parameter instead
of distinct bw_percent


# 1.365 13-Apr-2003 henning

KNF


# 1.364 13-Apr-2003 henning

prevent double service curve specification


# 1.363 13-Apr-2003 henning

add support for the HFSC linkshare, realtime, and upperlimit service curves
to be specified.


# 1.362 13-Apr-2003 dhartmei

unbreak (missing })


# 1.361 13-Apr-2003 henning

say bye bye to hfscflags_list and hfscflags_item
welcome hfscopts_list and hfscopts_item, returning a full struct
node_hfsc_opt instead of just an int for the flags. needed because of all
the opts hfsc knows


# 1.360 13-Apr-2003 henning

new struct node_hfsc_opts for, surprise, hfsc options. needed because they
contain bandwidth specifications and we need to carry the unprocessed bw
specs around for quite some time until we can break them down to absolute
values.


# 1.359 13-Apr-2003 henning

pass down the struct node_queue_opts from the altqif/queuespec yacc targets
to expand_altq/expand_queue -> eval_pfaltq/eval_pfqueue and
further down to the new eval_queue_opts() instead of evaluating them directly
in the yacc grammar.
this will be needed to process the hfsc options which can contain relative
bandwidth specifications, and we can't break them down to an absolute one
earlier.


# 1.358 13-Apr-2003 henning

move the structs node_queue_bw and node_queue_opt to pfctl_parser.h.
let eval_pfqueue() and eval_pfaltq() take a pointer to a struct
node_queue_bw instead of two distinct bw_absolute and bw_percent parameters.


# 1.357 13-Apr-2003 henning

move the bandwidth keyword from within the bandwidth target up to the
queue_opts target so the bandwidth parser can be used for other things too;
will be needed for hfsc's linkshare etc


# 1.356 12-Apr-2003 henning

initial support for the HFSC scheduler.
whoever uses that for more than toying around is on drugs. it's far from done.


# 1.355 11-Apr-2003 henning

KNF


# 1.354 11-Apr-2003 henning

don't set r->qid and r->pqid in expand_rule any more, queue name -> queue ID
mapping is done in kernel land now


# 1.353 07-Apr-2003 dhartmei

Catch and refuse invalid icmp codes (> 255). ok pb@, mpech@.


# 1.352 05-Apr-2003 henning

ease netmask handling a bit

input theo, ok dhartmei@


# 1.351 05-Apr-2003 henning

allow queue specs to be limited to certain interfaces.

altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two }
queue one priority 1 priq(default)
queue two on $if0 priority 15
queue two on ! $if0 priority 0

ok dhartmei@


# 1.350 05-Apr-2003 henning

whitespace KNF


# 1.349 04-Apr-2003 henning

clean up:
instead of letting the lexer interpret '<' '>' '=' '>=' '<=' and return them
as PF_OP_LT, PF_OP_GT etc etc etc in PORTUNARY, just let the lexer return
'<' '>' and '=' literally, and in the few cases where the old PORTUNARY was
really used like originally intended, replace that by a new unaryop yacc
target. in all other cases that gets rid of quite some checks whether PORTUNARY
is really < and nothing else etc etc etc.

ok cedric@ deraadt@


# 1.348 27-Mar-2003 henning

lotsa const char *
from David Hill <david at phobia.ms> a while ago


# 1.347 27-Mar-2003 henning

introduce a "yesno" target. eases code a bit and yes is no keyword any more.


# 1.346 27-Mar-2003 henning

handle invalid priq/cbq flags better and give a nice error message


# 1.345 27-Mar-2003 henning

default, borrow, ecn, red and rio are no keywords any more. use STRING and
strcmp instead.


# 1.344 27-Mar-2003 henning

switch symset/symget to TAILQ instead of using hand baked lists

ok dhartmei@ cedric@


Revision tags: OPENBSD_3_3_BASE
# 1.343 19-Mar-2003 henning

branches: 1.343.2;
kill the address token and move the host() invocation up to the host token,
so that host() always gets the full address to be parsed including the
netmask instead of applying the netmask afterwards. this could break some
edge cases and was broken since the (interface)/24 fix.
new token dynaddr for, well, dynaddr, and apply an eventually given netmask
afterwards in the host token just in this case.

found after bug report From: Julien Bordet <zejames@greyhats.org> via dhartmei

ok daniel cedric


# 1.342 10-Mar-2003 henning

correctly cope with errors returned by eval_pfqueue and pfctl_add_altq

ok dhartmei@ pb@ (as part of... you know, monsterdiff)


# 1.341 10-Mar-2003 henning

when complaining about a queue without parent, include the queue name in
the error message

ok dhartmei@ pb@ (as part of a monsterdiff)


# 1.340 09-Mar-2003 henning

cope with LOOP_THROUGH modifying the list (queues).
in case of an error in the queue def in question the queues list remains
unmodified, but the LOOP_THROUGH caused a mod anyway, and the list can stay
empty. subsequent checks for NULL which check for an empty list fail then.
fix by adding an explicit check before looping.
fixes regress pfail31
error report by Kamil Andrusz via pb@, testcase from pb@
ok dhartmei@


# 1.339 09-Mar-2003 henning

cope with the fact that LOOP_THROUGH loops once even if the list is empty by
moving the addition of child queues a bit down after the successful
addition of the current queue and an explicit NULL check before looping.
fixes regress pf59
found by kjc@
ok kjc@ cedric@ dhartmei@


# 1.338 08-Mar-2003 henning

fix the obvious:
since we do not modify the struct pf_altq *a any more but our private copy,
we can of course not inherit the scheduler type from it, since it did not
inherit the scheduler type from the parent.
so just inherit the scheduler type from the parent directly...

ok dhartmei@ cedric@


# 1.337 08-Mar-2003 henning

in expand_queue, make a private copy of the struct pf_altq before modifying
it. modifying the original one had undesired side effects if a queue was
expanded to more than one because it belonged to more than one interface

ok pb@ cedric@ dhartmei@


# 1.336 06-Mar-2003 henning

fix queue assignment on filter rules which are not bound to an interface.
when looking up the queue IDs using qname_to_qid, we do not need to limit
the matching on the interface in question, as it is guaranteed that same
named queues on different interfaces have the same queue id. moreover, we
must not limit the matches to the interface if we do not have an interface
given on the filter rule to match on ;-)

found after problems reported by Andre Nathan <andre at v2r dot com dot br>

ok dhartmei@ pb@ cedric@


# 1.335 02-Mar-2003 henning

when printing queues at load time that have bandwidth specified in percent,
print the bandwidth in percent instead of the calculated absolute value.
if a queue belongs to more than one interface and they have different
bandwidth the calculated absolute is of course different per interface.
previously the first calculated absolute value was shown; what of course is
incorrect on the second interface. note that only the print was wrong, the
correct values were passed to the kernel.

ok theo daniel


# 1.334 02-Mar-2003 henning

remove the control keyword for cbq queues.
the control class was a legacy of the original CBQ design by LBL/Sun
to support RSVP.
the control class is not used in openbsd, in the sense that
we don't automatically set filters for ICMP/IGMP/RSVP for the control
class.

ok dhartmei@ kjc@ deraadt@


# 1.333 27-Feb-2003 david

modify error message to match the same 7 sections in pf.conf(5)
ok deraadt@ henning@


# 1.332 26-Feb-2003 henning

in expand_rule, correctly set r->pqid if a priority queue was defined, and
reuse the value of r->qid if not.

ok dhartmei@ mcbride@


# 1.331 25-Feb-2003 henning

some minor KNF my fingers just did...

ok dhartmei@ cedric@


# 1.330 25-Feb-2003 cedric

repair/simplify/flexify binat userland.
ok dhartmei@ henning@


# 1.329 24-Feb-2003 henning

when a macro is redefined, don't bother with reusing the existing entry in
symset() but just prepend a new sym entry to symhead like we always did. as
symget searches the list sequentially, the newest one is picked first.
prevents an endless loop introduced when trying to reuse the existing entry
by an invalid setting for the next pointer.
fixes regress test pf57.

found after conversation with Chris Linn, celinn at mtu dot edu

ok dhartmei@ cedric@


# 1.328 21-Feb-2003 henning

re-allow set loginterface none
ok cedric@ dhartmei@


# 1.327 21-Feb-2003 henning

better error message if set loginterface is called with nonexistent
interface, found by krause (who is doing EXCELLENT work. Thank you very
much!), fix by me, ok dhartmei@ and cedric@


# 1.326 20-Feb-2003 henning

reject nonexistent interfaces in the dynaddr case, noticed during discussion
with jasondixon at myrealbox dot com

ok dhartmei@


# 1.325 19-Feb-2003 dhartmei

Make 'from (kue0)/24' work again (dynamic interface name translation with
a /prefix), reported by Jason Dixon. ok henning@


# 1.324 19-Feb-2003 henning

better error message on icmp version / address family mismatch

ok markus@


# 1.323 18-Feb-2003 henning

fix load option handling (-A, -N, -R) for options.
due to a bug in the loadopt check options were always loaded no matter which
loadopts were specified.
while being there, move the prints for that to where they belong, into the
appropriate pfctl_set_* functions, and thus only print when the options are
actually loaded.
fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier.

ok dhartmei@


# 1.322 17-Feb-2003 henning

"optarg" was a bad pick for the variable name in pfctl_cmdline_symset, it
shadows a global. rename.


# 1.321 17-Feb-2003 mpech

-#include <sys/ioctl.h>

mcbride@, dhartmei@ ok


# 1.320 16-Feb-2003 henning

unneeded {}


# 1.319 16-Feb-2003 henning

throw a syntax error if the portunary operator in varset is no '='
extif>"whatever"
should not be the same as
extif="whatever"
but a syntax error.


# 1.318 14-Feb-2003 dhartmei

Allow route-to loopback interfaces again, since Ryan fixed the loops that
might have occurred before.


# 1.317 14-Feb-2003 cedric

Better and more consistent error message.
Ok dhartmei@


# 1.316 13-Feb-2003 henning

ease the yacc a bit by using a "not" rule instead of having two rules w/ and
without '!' everywhere

ok dhartmei@


# 1.315 12-Feb-2003 henning

KNF after ryan


# 1.314 12-Feb-2003 mcbride

Simplify the code and make the parser handle the different rule types
more consistently.

- Merge expand_nat and expand_rdr into expand_rule
- Merge rdrrule token into natrule

ok concept henning@
ok dhartmei@


# 1.313 11-Feb-2003 henning

allow macro definition on the command line:
pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea
theo), very handy if your notebook has another NIC at some conference, as
well as for debugging etc.
idea rezine@mistrusted.net via pb@
hacked live at FOSDEM

ok pb@ dhartmei@ cedric@


# 1.312 09-Feb-2003 henning

more live code from FOSDEM:
make
pass in proto tcp to port 80
work.
-allow to omit the "any" if you're specifying a port
-allow to omit the from or to part if you want "any" for the other

ok dhartmei@ pb@


# 1.311 09-Feb-2003 henning

KNF


# 1.310 09-Feb-2003 camield

Fix a few warnings and remove unnecessary check and cast.

ok dhartmei henning


# 1.309 08-Feb-2003 dhartmei

Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@


# 1.308 05-Feb-2003 cedric

Fix "pass out dup-to (tun0 1.1.1.1) inet6 all" error message
Allow "pass out dup-to tun0 all"
ok mcbride@ henning@


# 1.307 05-Feb-2003 mcbride

Set the network mask to all 1's if no address is specified for a
route-to/dup-to/reply-to rule. Keeps round-robin from incrementing through
the entire address space.

ok dhartmei@


# 1.306 03-Feb-2003 deraadt

pretty


# 1.305 03-Feb-2003 dhartmei

Don't allow loopback interfaces as route/reply/dup-to targets. ok henning@


# 1.304 03-Feb-2003 cedric

remove loadopt global definition and cleanup a bit.
ok henning@


# 1.303 03-Feb-2003 henning

fix a problem with queue definitions when load options (like -N etc) are
given; they used to check for their parent interface/queue even in this
case.

ok dhartmei@ cedric@


# 1.302 02-Feb-2003 henning

there is no need to pass opts to parse_rules explicitely; it's passed as
part of the struct pfctl.


# 1.301 27-Jan-2003 deraadt

KNF


# 1.300 25-Jan-2003 mcbride

Match changes for rdr port ranges made to pf.c:
- fixes behaviour of rdr on le0 from foo to bar port 1:20 -> (lo0) port 22
- makes calculated mapping more explicit for the -> (lo0) port 22:* case

testing from dhartmei@

ok dhartmei@


# 1.299 25-Jan-2003 cedric

Fix NOACTION with table statements.


# 1.298 25-Jan-2003 cedric

Permit initialisation of a table content from a file in pf.conf.
Cleaning up of the table options parsing, more flexible.
idea+cleanup deraadt@, ok dhartmei@, pass all regress tests.


# 1.297 25-Jan-2003 cedric

Correctly check illegal constructs with tables. Better error messages.
ok dhartmei@ pass all regress tests.


# 1.296 25-Jan-2003 henning

if a table name is too long, it's actually nice to tell so instead of just
aborting with a syntax error


# 1.295 20-Jan-2003 camield

Remove unused argument from print_name() and fix two other nits
found by lint.

ok henning


# 1.294 19-Jan-2003 camield

Spin off label string expansion into a separate function. Clarifies
and tightens all expand_label functions.

ok dhartmei henning


# 1.293 18-Jan-2003 henning

KNF after ryan...


# 1.292 18-Jan-2003 mcbride

Add missing token string and assignment to make static-port work for real.

Diff and report courtesy of mpech@ and form@

ok dhartmei@


# 1.291 17-Jan-2003 camield

bandwith -> bandwidth

YYERROR on failed parseicmpspec()

ok dhartmei mcbride henning


# 1.290 15-Jan-2003 mpech

Typo in yyerror().

henning@


# 1.289 14-Jan-2003 henning

unified IP parser:
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h]
-extend host() to handle /mask itself, plus minor adjustments
-use that in pfctl_table.c instead of coding the same shit again

discussed w/ cedric@
ok cedric@ dhartmei@


# 1.288 13-Jan-2003 camield

err() on all memory allocation failures

ok henning dhartmei


# 1.287 11-Jan-2003 mcbride

Whitespace KNF


# 1.286 09-Jan-2003 henning

no need for explicit numbering in enums

ok dhartmei@


# 1.285 09-Jan-2003 dhartmei

Check return values on the remaining strlcpy/strlcat. ok henning@


# 1.284 09-Jan-2003 henning

minor KNF


# 1.283 09-Jan-2003 cedric

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@


# 1.282 08-Jan-2003 deraadt

check more strlcpy; camield@


# 1.281 07-Jan-2003 dhartmei

Allow underscore at the beginning of strings, fixes
pass all user _spamd
which was refused as syntax error before. Reported by Joe Nall.
ok henning@


# 1.280 07-Jan-2003 dhartmei

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@


# 1.279 06-Jan-2003 mcbride

Fix some oversights with address pools for route-to/dup-to/reply-to
- copy key for src-hash
- copy pool type (pools were being set to round-robin in all cases)

+ some minor knf.

ok dhartmei@


# 1.278 05-Jan-2003 henning

err after calloc failure, not errx


# 1.277 05-Jan-2003 dhartmei

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@


# 1.276 04-Jan-2003 dhartmei

move noroute from flag in pf_rule_addr into type in pf_addr_wrap.
ok henning@, mcbride@


# 1.275 04-Jan-2003 deraadt

I do not know where this policy of "one .h file for every .c file" comes
from, but whoever thought of it is stupid.


# 1.274 03-Jan-2003 dhartmei

whitespace KNF (no, i don't touch the option inits)


# 1.273 03-Jan-2003 cedric

Bring in userland code for accessing PF radix tables.
ok dhartmei@ mcbride@


# 1.272 02-Jan-2003 mcbride

Require a direction to be specified for rules which do routing.

ok dhartmei@ henning@


# 1.271 30-Dec-2002 mcbride

Change ipv6-icmp-type to icmp6-type. pf.conf files will need to be adjusted
to reflect this.

ok dhartmei@ henning@


# 1.270 27-Dec-2002 mcbride

Since pf_norm.c looks at rule.log to see if it should log packets being
dropped due to scrub violations, this adds the ability to set this in
pf.conf.

ok henning@


# 1.269 21-Dec-2002 henning

always initialize rpool.key; diff from Frank Denis; KNF by me


# 1.268 21-Dec-2002 henning

KNF


# 1.267 20-Dec-2002 dhartmei

remove a redundant assignment.


# 1.266 19-Dec-2002 dhartmei

fix 'no rdr'.


# 1.265 18-Dec-2002 henning

more KNF


# 1.264 18-Dec-2002 dhartmei

proto list expansion is not supported in binat-anchor yet, print an error
when attempted.


# 1.263 18-Dec-2002 dhartmei

Support (single) destination port in rdr-anchor rules. Print an error
where parameters are not supported (in rdr-anchor and binat-anchor) yet.
If those are needed, we'll have to expand them properly.


# 1.262 18-Dec-2002 deraadt

fix some INCREDIBLE new bugs which were introduced


# 1.261 17-Dec-2002 henning

add support for the PRIQ scheduler

partially from kjc@

ok kjc@ dhartmei@


# 1.260 17-Dec-2002 mcbride

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule

ok dhartmei@ henning@


# 1.259 17-Dec-2002 henning

missing break in switch


# 1.258 17-Dec-2002 henning

beautify the %type block


# 1.257 17-Dec-2002 henning

PRIQ and HFSC support functions, not yet used.
mostly from kjc@ with adjustments by me.

ok theo ryan daniel


# 1.256 16-Dec-2002 henning

only create a root queue if scheduler = cbq


# 1.255 16-Dec-2002 henning

get full [scheduler]_opts struct instead of just .flags, and wrap in into a
switch (scheduler) statement in one case

inspired by kjc@


# 1.254 13-Dec-2002 henning

allow a second queue for higher-priority (currently: tos=lowdelay) packets
to be specified per rule

queue (qname, priorized_qname)

idea dhartmei
ok dhartmei@ frantzen@ deraadt@


# 1.253 13-Dec-2002 henning

a bit KNF originally part of another diff soon to come; frantzen@ correctly
pointed out that should be a separate commit.


# 1.252 13-Dec-2002 deraadt

permit re-ordering of some scrub parameters, and also clean up some other
grammar baloney; henning ok


# 1.251 12-Dec-2002 henning

KNF


# 1.250 12-Dec-2002 henning

we don't need to keep a private copy of the queue name in expand_rule,
r->qname is never modified

discussed with dhartmei@


# 1.249 11-Dec-2002 mcbride

Replace strncpy + ugly pointer math with sscanf for reading source-hash keys

ok dhartmei@ henning@


# 1.248 09-Dec-2002 dhartmei

(properly guarded) strcpy() -> strlcpy()


# 1.247 09-Dec-2002 deraadt

do not allow redefinitions in variable option blocks; henning ok


# 1.246 08-Dec-2002 henning

strncpy is evil.


# 1.245 08-Dec-2002 henning

allow flexible options order like Theo did for rules.

idea, lots of input, motivation and ok deraadt@

ATTENTION:
this changes the syntax. the "scheduler" keyword is gone now.
old: altq on $interface scheduler cbq ...
new: altq on $interface cbq ...


# 1.244 07-Dec-2002 dhartmei

Support parameters in anchor rules. Allows conditional evaluation, like:

anchor spews inet proto tcp from any to any port smtp

ok deraadt


# 1.243 07-Dec-2002 henning

more KNF


# 1.242 07-Dec-2002 henning

KNF


# 1.241 07-Dec-2002 henning

shadow cleanup

ok mcbride@ frantzen@


# 1.240 07-Dec-2002 henning

kill an unused param to lungetc


# 1.239 07-Dec-2002 mcbride

Convert the hash of a string key to network byte order. Makes regression
work on all platforms.

Bug found by dhartmei@

ok dhartmei@ henning@


# 1.238 06-Dec-2002 dhartmei

Remove negated address list check again, doesn't work right yet.


# 1.237 06-Dec-2002 dhartmei

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@


# 1.236 05-Dec-2002 henning

fix a small cosmetic problem. if ifa_lookup was called in LOOKUP_NET mode,
it would return things like 127.0.0.1/8. when 127.0.0.1/8 is passed through
the new selftests, it becomes 127.0.0.0/8.
fix: instead of just copying addr.mask in ifa_lookup, use set_ipmask, so it
is 127.0.0.0/8 from the beginning on.


# 1.235 05-Dec-2002 henning

-quote varset in -v output
-don't add 's' in set timeout -v output

makes the feedback regression tests succeed.

ok markus@ mcbride@


# 1.234 04-Dec-2002 henning

in host(), apply a given netmask to all members of the node_host list
returned by ifa_lookup().

reported by Alejandro G. Belluscio

ok dhartmei@


# 1.233 04-Dec-2002 deraadt

do not warn for unused variables except with -v -v; henning ok


# 1.232 02-Dec-2002 henning

KNF


# 1.231 02-Dec-2002 deraadt

permit more flexible pass/block lines. the options given at the end of
a line can now be placed in any order, and some merging of duplicate options
is also done. this is easier to use.


# 1.230 02-Dec-2002 henning

allow for "altq on $interface" without specifying a bandwidth. The
interface's bandwidth is taken then.
as a side-effect, "altq on $interface bandwidth xx%" is also possible now,
it's relative to the interface's bandwidth then.

ok theo


# 1.229 30-Nov-2002 mickey

move damn unmask() proto into place as well


# 1.228 29-Nov-2002 henning

coredumps are not nice.
deal with the fact that when we are merging the lists in host_list both can
be NULL.
found at EuroBSDCon 2002 while I was explaining the expansion process to
Paul de Weerd

ok dhartmei@


# 1.227 29-Nov-2002 henning

print queuespec only once in verbose mode, even if referenced more often


# 1.226 29-Nov-2002 henning

FREE_LIST nqueues later; can be used more than once


# 1.225 28-Nov-2002 henning

allow qlimit on altq spec


# 1.224 28-Nov-2002 mcbride

- Adjust to match replacement of md5 with pf_hash
- Allow keys to be specified in hex (must be 128 bits, mainly to make
pfctl -v output parsable by pfctl) or as a string. Randomly generate key
if one is not specified.

Suggestions and fixes from camield@

ok mickey@ camield@ henning@
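
The source-hash key handling described above (1.224: hex keys must be 128 bits; 1.239: store the hashed string key in network byte order so "pfctl -v" output is the same on every platform; 1.249: read the hex form with sscanf instead of strncpy and pointer math), as an added C example. This is not pfctl's code: the "0x" prefix used here to tell a hex key from a string key, the FNV-1a stand-in for the kernel's pf_hash(), and the names parse_pool_key/normalize_pool_key are this example's own assumptions.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_KEY_LEN	16	/* source-hash keys are 128 bits */

/*
 * Stand-in for pf_hash() on a string key (this example does not reproduce
 * pf's hash): FNV-1a 32-bit, run once per 32-bit lane with a lane-specific
 * seed.  It only has to be deterministic for the demonstration.
 */
static uint32_t
string_key_lane(const char *s, unsigned int lane)
{
	uint32_t h = 2166136261U ^ lane;

	for (; *s != '\0'; s++) {
		h ^= (unsigned char)*s;
		h *= 16777619U;
	}
	return (h);
}

/*
 * Parse a source-hash key.  A "0x" prefix (assumed convention) selects a
 * hex key, which must be exactly 32 hex digits; anything else is hashed
 * as a string.  The four 32-bit words are stored in network byte order so
 * the key bytes, and hence the verbose ruleset print, are identical on
 * little- and big-endian hosts.  Returns 0 for hex, 1 for string, -1 for
 * a malformed hex key.
 */
int
parse_pool_key(const char *spec, uint8_t key[POOL_KEY_LEN])
{
	unsigned int key32[4];
	int i, is_hex = (strncmp(spec, "0x", 2) == 0);

	if (is_hex) {
		if (strlen(spec) != 2 + 2 * POOL_KEY_LEN)
			return (-1);
		/* check digits first: "%x" would skip blanks or accept a second 0x */
		for (i = 2; spec[i] != '\0'; i++)
			if (!isxdigit((unsigned char)spec[i]))
				return (-1);
		if (sscanf(spec, "0x%8x%8x%8x%8x",
		    &key32[0], &key32[1], &key32[2], &key32[3]) != 4)
			return (-1);
	} else {
		for (i = 0; i < 4; i++)
			key32[i] = string_key_lane(spec, (unsigned int)i);
	}
	for (i = 0; i < 4; i++)
		key32[i] = htonl(key32[i]);
	memcpy(key, key32, POOL_KEY_LEN);
	return (is_hex ? 0 : 1);
}

/*
 * Print the key the way a verbose ruleset dump would, so the output can be
 * fed back to the parser unchanged.  Static buffer; NULL on a parse error.
 */
const char *
normalize_pool_key(const char *spec)
{
	static char out[2 + 2 * POOL_KEY_LEN + 1];
	uint8_t key[POOL_KEY_LEN];
	int i;

	if (parse_pool_key(spec, key) < 0)
		return (NULL);
	strcpy(out, "0x");
	for (i = 0; i < POOL_KEY_LEN; i++)
		snprintf(out + 2 + 2 * i, 3, "%02x", key[i]);
	return (out);
}

int
main(void)
{
	/* constructed inputs: one valid hex key, one short one, one string key */
	const char *specs[] = { "0x0123456789abcdef0123456789abcdef", "0x0123", "a string key" };
	size_t i;

	for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++) {
		const char *n = normalize_pool_key(specs[i]);
		printf("%-36s -> %s\n", specs[i], n ? n : "hex key must be 128 bits");
	}
	return (0);
}
```

The digit check before sscanf matters: "%x" skips leading whitespace and accepts its own "0x" prefix, so without it a key such as "0x 123..." or "0x0x23..." would parse to something other than what the admin wrote.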


# 1.223 27-Nov-2002 henning

handle the "no bandwidth specified" case earlier and easier.


# 1.222 27-Nov-2002 henning

-use a #define for default qlimit instead of hardcoding it
-print qlimit in print_queue if it is not the default one
-assign the default qlimit early in the parser instead of using 0


# 1.221 27-Nov-2002 henning

next round in print fixes:
-only print priority if it is not equal to the default one
-space handling overhaul


# 1.220 27-Nov-2002 henning

use a #define for default priority instead of hardcoding it


# 1.219 27-Nov-2002 henning

fix tbrsize spec


# 1.218 27-Nov-2002 henning

fix error message for altq ifspec without child queues


# 1.217 26-Nov-2002 henning

make bandwidth specification on queue truly optional


# 1.216 26-Nov-2002 henning

queue comes before NAT


# 1.215 25-Nov-2002 henning

repair decide_address_family
you cannot just take the first address family you meet as rule's address
family... either all are equal, or the rule has no explicit AF.

found by danh@
ok theo


# 1.214 25-Nov-2002 mickey

for loN and link1 translate the iface into address properly; henning@ ok


# 1.213 25-Nov-2002 henning

1Kb = 1000b, not 1024; as discussed with kjc@ and theo


# 1.212 25-Nov-2002 henning

KNF


# 1.211 24-Nov-2002 pb

enforce that queue comes right before filtering
'options, normalization, translation, queue, filter' now

henning@ ok


# 1.210 24-Nov-2002 dhartmei

Cosmetics and removal of a redundant code block.


# 1.209 23-Nov-2002 deraadt

sigh


# 1.208 23-Nov-2002 henning

KNF


# 1.207 23-Nov-2002 henning

better error checking in expand_queue


# 1.206 23-Nov-2002 henning

easier


# 1.205 23-Nov-2002 mcbride

Daniel's diff to untangle my mess with ifa_pick_ips like so:

- add decide_address_family() which runs through the list to find hosts
with the af set
- replace ifa_pick_ips with remove_invalid_hosts() which removes hosts with
the wrong address family from the list

from/ok dhartmei@
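
The two-step address family handling described in the entries for 1.205 (decide_address_family() scans the list, remove_invalid_hosts() drops hosts of the wrong family) and 1.215 (the rule's family is only set when all hosts that carry one agree, never just the first one met), as an added C example. This is a simplified reimplementation, not pfctl's code: the struct layout, the resolve_rule_af/resolve_rule_hosts wrappers and the constructed host lists are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>		/* AF_INET, AF_INET6 */

struct node_host {
	int			 af;	/* AF_INET, AF_INET6, or 0 when the entry has no family ("any") */
	struct node_host	*next;
};

/*
 * Decide the rule's address family.  An explicit "inet"/"inet6" on the rule
 * wins.  Otherwise every host that carries a family must agree; if they do
 * not, the rule stays family-less (0) rather than adopting whichever family
 * happened to come first in the list.
 */
int
decide_address_family(const struct node_host *n, int af)
{
	const struct node_host *p;

	if (af != 0)
		return (af);
	for (p = n; p != NULL; p = p->next) {
		if (p->af == 0)
			continue;
		if (af == 0)
			af = p->af;
		else if (p->af != af)
			return (0);	/* mixed families: no single AF for this rule */
	}
	return (af);
}

/*
 * Unlink and free hosts whose family conflicts with the decided af; family-
 * less entries are always kept.  Returns how many hosts are left so the
 * caller can reject a rule that has nothing left to match on.
 */
int
remove_invalid_hosts(struct node_host **nh, int af)
{
	struct node_host **pp = nh, *p;
	int kept = 0;

	while ((p = *pp) != NULL) {
		if (af != 0 && p->af != 0 && p->af != af) {
			*pp = p->next;
			free(p);
		} else {
			kept++;
			pp = &p->next;
		}
	}
	return (kept);
}

/* Constructed input: build a host list from an array of families. */
static struct node_host *
build_hosts(const int *afs, size_t n)
{
	struct node_host *head = NULL, **tail = &head;
	size_t i;

	for (i = 0; i < n; i++) {
		struct node_host *h = calloc(1, sizeof(*h));
		if (h == NULL) {
			perror("calloc");
			exit(1);
		}
		h->af = afs[i];
		*tail = h;
		tail = &h->next;
	}
	return (head);
}

/* Run both steps; returns the decided af and stores the surviving host count. */
static int
resolve(int explicit_af, const int *afs, size_t n, int *kept)
{
	struct node_host *hosts = build_hosts(afs, n), *next;
	int af = decide_address_family(hosts, explicit_af);

	*kept = remove_invalid_hosts(&hosts, af);
	for (; hosts != NULL; hosts = next) {
		next = hosts->next;
		free(hosts);
	}
	return (af);
}

int
resolve_rule_af(int explicit_af, const int *afs, size_t n)
{
	int kept;

	return (resolve(explicit_af, afs, n, &kept));
}

int
resolve_rule_hosts(int explicit_af, const int *afs, size_t n)
{
	int kept;

	resolve(explicit_af, afs, n, &kept);
	return (kept);
}
```

A rule written as "inet6" with only an IPv4 host in its list resolves to zero surviving hosts; that is the case a parser must turn into an error instead of silently loading a rule that matches nothing.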


# 1.204 23-Nov-2002 henning

better error checking, round 1
this time in expand_altq


# 1.203 23-Nov-2002 henning

KNF


# 1.202 23-Nov-2002 deraadt

KNF


# 1.201 23-Nov-2002 dhartmei

$$->ifname is NULL, leave it NULL, don't $$->ifname[0] = 0;


# 1.200 23-Nov-2002 mcbride

Fix brokenness in parse.y, clean up:
- remove requirement for ( ) in route-to ( if )
- calloc route_host
- initialise route_host->next
- globally convert malloc to calloc

ok dhartmei@


# 1.199 23-Nov-2002 mcbride

code to support loading of pf rules with multiple redirection addresses
(in nat, rdr, route-to, dup-to and reply-to)

Syntax looks like this, see pf.conf(5) for details:

nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
192.168.0.16/29 source-hash random

rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
{ 192.168.0.8/31, 192.168.0.15 } port 22 round-robin

ok dhartmei@ henning@


# 1.198 22-Nov-2002 henning

print altq and queue lines in the pfctl -v case including the child queue
assignment


# 1.197 19-Nov-2002 henning

only take cbq opts from schedtype if type=CBQ


# 1.196 19-Nov-2002 henning

repair queuespec syntax glitch, theo agrees


# 1.195 19-Nov-2002 henning

default priority is 1, not 0
found by pb@


# 1.194 19-Nov-2002 camield

- match 'Gb' case-sensitively
- match "%" unit only, not "%crap"

ok henning@


# 1.193 19-Nov-2002 wilfried

icmp-type was off by one, ok henning@


# 1.192 18-Nov-2002 deraadt

no; do not use };


# 1.191 18-Nov-2002 henning

more using strl* return values instead of strlen calls


# 1.190 18-Nov-2002 henning

easier "queue name too long" detection; from theo


# 1.189 18-Nov-2002 deraadt

KNF


# 1.188 18-Nov-2002 deraadt

KNF


# 1.187 18-Nov-2002 henning

altq and pf merged

this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documentation yet, but committing now
enables a few more people to work on.

print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.

"commit now" theo philipp daniel


# 1.186 13-Nov-2002 henning

as scrub rules end up in a struct pf_rule just call expand_rule instead of
handcrufting this.
has quite a few positive side effects:
-interface list expansion works (fries@ asked for that)
-can specify address family, very helpful with dynamic interface expansion
(pointed out by daniel)
-src/dst ip/port list expansion works
-fixes a long standing, scary, though never noticed bug:
scrub out on lo1 from any to 10.0.0.1
expanded to
scrub out on lo1 all
... this bug was there from day #1.

"sneaky diff of the month award" dhartmei@


# 1.185 13-Nov-2002 dhartmei

Add label macro $if, as we support {} list expansion for interfaces now.
From David Gwynne. ok henning@, camield@


# 1.184 13-Nov-2002 dhartmei

Initialize tail pointer to node, found by fries@


# 1.183 08-Nov-2002 henning

init buf to NULL just in case...
there isn't a single codepath where it can remain uninitialized, but this
might prevent a stupid bug if we change something later


# 1.182 07-Nov-2002 henning

move the ifa_exists block a bit up in host()
inspired by mpech@ pointing out a missing free(buf). so handle the
it-is-an-interface case where we don't need the buf before allocating memory.


# 1.181 04-Nov-2002 henning

welcome to CIDR world, pfctl!

use inet_net_pton to parse IP addresses.
stuff like
block in from 10/8 to any
works now.

some input camield@ and dhartmei@

ok dhartmei@, camield@, mcbride@


# 1.180 02-Nov-2002 dhartmei

%i -> %d, matches the style of existing code, from millert@


# 1.179 02-Nov-2002 dhartmei

printf int with %i, not %u. from pilot@monkey.org.


# 1.178 30-Oct-2002 henning

simplify


# 1.177 30-Oct-2002 henning

fix interface expansion. since the reversed list expansion code was
committed this was broken, only the first IP address was returned.

pointed out by danh@, who sent an excellent bug report.

ok dhartmei@


# 1.176 29-Oct-2002 henning

introduce
set require-order [yes|no]
default is yes.
with set to "no", it isn't required to have the rules in order (options,
scrub, nat, filter) any more, though of course NATing still happens before
filtering and so on, so one has to take care.

ok camield@ mcbride@ dhartmei@
idea discussed with a whole lotta more people and basically ok for everyone ;-)


# 1.175 27-Oct-2002 henning

remove the "flags X" syntax.
noone who wrote "flags S" meant that, but actually something like "flags
S/SA". with "flags S" changing its actual meaning as more flags got
supported, things got worse.

ok dhartmei@, pb@


# 1.174 22-Oct-2002 mpech

%ul -> %lu

dhartmei@ ok


# 1.173 22-Oct-2002 mcbride

More conversion of "int af" and "u_int8_t af" declarations and function
arguments to the more correct and descriptive "sa_family_t af"

ok dhartmei@ henning@


# 1.172 22-Oct-2002 camield

Rename ipmask to set_ipmask and add some functionality: the netmask
is applied immediately to the address.

This way, the parsed rules output shows exactly which bits of an
address are significant for a match and errors due to wrong netmasks
can be spotted more easily.

Example:
$ pfctl -nvf -
pass in on lo0 from 172.17.0.0/12 to any
@0 pass in on lo0 inet from 172.16.0.0/12 to any

idea refined by dhartmei@
ok frantzen@ henning@
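
The netmask handling described in the entries for 1.172 (apply the mask as soon as the address is parsed, so the printed rule shows exactly which bits matter and a wrong mask such as 172.17.0.0/12 is visible as 172.16.0.0/12), 1.236 (the same normalization turning 127.0.0.1/8 into 127.0.0.0/8) and 1.181 (the "10/8" CIDR shorthand), as an added C example. This is not pfctl's code: it is IPv4 only, pads short forms itself instead of relying on inet_net_pton, and the names normalize_net4/parse_net4/set_ipmask4 are this example's own.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Apply a /prefix netmask to an IPv4 address held in network byte order. */
static void
set_ipmask4(struct in_addr *a, int prefix)
{
	uint32_t mask = (prefix == 0) ? 0 : 0xffffffffU << (32 - prefix);

	a->s_addr &= htonl(mask);
}

/*
 * Parse "a.b.c.d/p", the short forms "a.b.c/p", "a.b/p" and "a/p" (missing
 * octets are padded with zeros, as inet_net_pton does for "10/8"), or a bare
 * address, which gets /32.  The mask is applied before returning, so the
 * caller only ever sees the network part.  Returns 0 on success, -1 on error.
 */
static int
parse_net4(const char *spec, struct in_addr *addr, int *prefix)
{
	char buf[32];
	char *slash, *end;
	const char *c;
	long p = 32;
	int dots = 0;

	/* leave room for up to three ".0" paddings plus the terminator */
	if (strlen(spec) > sizeof(buf) - 8)
		return (-1);
	strcpy(buf, spec);

	slash = strchr(buf, '/');
	if (slash != NULL) {
		*slash = '\0';
		p = strtol(slash + 1, &end, 10);
		if (end == slash + 1 || *end != '\0' || p < 0 || p > 32)
			return (-1);
	}
	if (buf[0] == '\0')
		return (-1);
	for (c = buf; *c != '\0'; c++)
		if (*c == '.')
			dots++;
	if (dots > 3)
		return (-1);
	while (dots < 3) {
		strcat(buf, ".0");
		dots++;
	}
	if (inet_pton(AF_INET, buf, addr) != 1)
		return (-1);

	*prefix = (int)p;
	set_ipmask4(addr, *prefix);
	return (0);
}

/*
 * Render the normalized "network/prefix" form the way a verbose ruleset
 * print would.  Static buffer; NULL on a parse error.
 */
const char *
normalize_net4(const char *spec)
{
	static char out[INET_ADDRSTRLEN + 4];
	struct in_addr a;
	char tmp[INET_ADDRSTRLEN];
	int prefix;

	if (parse_net4(spec, &a, &prefix) != 0)
		return (NULL);
	if (inet_ntop(AF_INET, &a, tmp, sizeof(tmp)) == NULL)
		return (NULL);
	snprintf(out, sizeof(out), "%s/%d", tmp, prefix);
	return (out);
}

int
main(void)
{
	/* constructed inputs, including the mis-masked one from the 1.172 entry */
	const char *specs[] = {
		"172.17.0.0/12", "127.0.0.1/8", "10/8", "192.168.1.7", "10.0.0.0/33"
	};
	size_t i;

	for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++) {
		const char *n = normalize_net4(specs[i]);
		printf("%-16s -> %s\n", specs[i], n ? n : "syntax error");
	}
	return (0);
}
```

Printing the masked form is the check that catches the error: a rule meant for 172.17.0.0/16 that was typed as /12 comes back as 172.16.0.0/12, which is visibly a different and much larger network than intended.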


# 1.171 17-Oct-2002 mcbride

These checks are also made in nat_consistent() and rdr_consistent().

ok dhartmei@ henning@


# 1.170 17-Oct-2002 camield

- accept all protocols that are specified by number if they are in
the valid range (also when they're not listed in /etc/protocols)
- explicitly disallow protocol number 0, because it has special meaning
to pf

ok dhartmei@ henning@


# 1.169 16-Oct-2002 mpech

Fix and improve binat mask comparison.

dhartmei@, henning@ ok


# 1.168 14-Oct-2002 henning

Allow one to specify a netblock in a binat rule:

binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27

Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.

from ryan

ok dhartmei@


# 1.167 11-Oct-2002 camield

When a macro cannot be expanded because it is not defined, say so. Also warn
about unused macros.

ok dhartmei@ henning@


# 1.166 11-Oct-2002 camield

In lgetc(), compress strings of whitespace to a single space. This makes
macros come out right in verbose mode and is less functional overhead.

Also err on whitespace after a backslash. That type of error is hard to
find otherwise.

ok dhartmei@ henning@


# 1.165 08-Oct-2002 vincent

remove <0 checks on unsigned numbers.

ok henning@


# 1.164 07-Oct-2002 dhartmei

-Wsign-compare clean


# 1.163 07-Oct-2002 dhartmei

Two cases of const-correctness and make one global local.


# 1.162 07-Oct-2002 henning

set block-policy [drop|return]
drop is default, same behaviour as before

support
block drop
to override a return policy


# 1.161 07-Oct-2002 henning

support a generic return
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else

ok dhartmei@


# 1.160 07-Oct-2002 henning

make return-icmp work for rules covering both v4 and v6
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)

ok and some input dhartmei@


# 1.159 07-Oct-2002 henning

use a new rule_flag PFRULE_RETURNICMP to decide whether to return-icmp or not
instead of just testing return_icmp > 0

ok dhartmei@


# 1.158 07-Oct-2002 dhartmei

Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.


# 1.157 06-Oct-2002 dhartmei

Move CHECK_ROOT into LOOP_THROUGH, gets rid of one macro and saves
several lines, no functional difference. From Camiel Dobbelaar.


# 1.156 05-Oct-2002 dhartmei

Expand {} lists from left to right, so 'pass in from { a, b } to any'
becomes '@0 pass in from a to any @1 pass in from b to any' instead of
the other way around. Patch from Camiel Dobbelaar.


# 1.155 05-Oct-2002 dhartmei

Allow filtering based on IP header's tos field.


Revision tags: OPENBSD_3_2_BASE
# 1.154 22-Sep-2002 henning

little KNF: return(something) -> return (something)


# 1.153 22-Sep-2002 henning

fix linenumber counting in findeol, and simplify by ignoring the \ case,
that's already handled earlier.
fast-forward on erroneous lines

partially from camield@, parts result of a discussion with Mike

ok frantzen@ dhartmei@


# 1.152 22-Sep-2002 henning

antispoof, take 2.
also block incoming packets with our own IP as src.

discussion & help frantzen

ok ho@ dhartmei@ frantzen@


# 1.151 17-Sep-2002 henning

easier "self" implementation.
no functional changes

ok pb@


# 1.150 15-Sep-2002 henning

set a netmask in the dynaddr case
noticed by <han@mijncomputer.nl>

ok pb@


# 1.149 14-Sep-2002 henning

bit more clue in rdr/nat rules wrt address family examination
don't take the af from host_node structs based on interface lookups, most
interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will
at least have one IP address specified from which we take the af for the
whole rule. The rare exceptional cases require the user to specify the af.

ok frantzen@


# 1.148 12-Sep-2002 henning

check for calloc() failure; ho@


# 1.147 12-Sep-2002 henning

antispoof [log] [quick] for [interface|interface_list] [af]

e. g.

antispoof log quick for { dc0, dc1 } inet

docs & regress coming

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@
IPv6 help itojun@

finally, a long story finds its happy end here.


# 1.146 12-Sep-2002 henning

rework netmask handling:
-don't set netmask in host token handler
-clear netmask in ipmask() proper before setting it
-in ifa_load(), also store interface's netmask and broadcast address
-allow ifa_lookup() to return either the interface's IP address(es), network(s)
or broadcast address(es) - not used anywhere yet. This implies that
ifa_lookup() also returns the netmask now.
-host() returns netmasks, too

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@


# 1.145 08-Sep-2002 henning

be more clueful wrt address family in nat/rdr rules.
behaviour noticed by Paul de Weerd, thanks!

ok dhartmei@


# 1.144 02-Sep-2002 dhartmei

Fix parsing of port ranges in translation rules (port a:b -> port c:d).
ok henning@


# 1.143 02-Sep-2002 dhartmei

Make sure the interface specified with route-to/dup-to/fastroute exists
and null-terminate the interface name. Found by Michael Wallis.
ok henning@


# 1.142 20-Aug-2002 dhartmei

Increase lineno on newlines inside multi-line macro definitions, otherwise
errors on subsequent lines are reported with wrong line numbers.
From Paul B. Henson.


# 1.141 16-Aug-2002 henning

kill duplicated check for '(' and ')' in allowed_in_string


# 1.140 12-Aug-2002 dhartmei

Catch null pointer deref (segfault), from wilfried@


# 1.139 06-Aug-2002 henning

missing free(), mpech@
ok pb@


# 1.138 06-Aug-2002 henning

check for strdup() allocation errors

pointed out by mpech@
ok pb@


# 1.137 31-Jul-2002 henning

KNF, esp. missing prototypes


# 1.136 30-Jul-2002 henning

grmpf.
in some cases, on non-tcp rules flags weren't reset. cosmetic-only
problem. but, well, checking for r->flags and r->flagset if we could have
assigned them zero just one round ago is just stupid, and it's not needed to
check them at all.

ok pb@, dhartmei@


# 1.135 30-Jul-2002 henning

allow to specify flags on all rules that include tcp.

these are valid:

pass in from any to any flags S
pass in proto { tcp, udp, icmp } from any to any flags S
pass in proto tcp from any to any flags S

these are invalid:

pass in proto { udp, icmp } from any to any flags S
pass in proto udp from any to any flags S

ok "I've lost my slacker status for at least a week" frantzen@
ok pb@, dhartmei@, deraadt@


# 1.134 26-Jul-2002 henning

make the order of log and quick irrelevant. now both
block in log quick all
and
block in quick log all
work.

ok dhartmei@, deraadt@


# 1.133 23-Jul-2002 henning

timeout_list/_spec and limit_list/_spec don't return anything -> no %type.

ok theo


# 1.132 21-Jul-2002 deraadt

fix route-to also


# 1.131 21-Jul-2002 deraadt

make the , optional in many places. This makes string concat a lot more
useful. Now you can
in = ssh domain www
out = $in ftp finger
pass in proto tcp from any to any port { $in }
pass out proto tcp from any to any port { $out }
a poor example, but the idea is obvious


# 1.130 21-Jul-2002 deraadt

string concat, ie.
a=a b
c=$a $a


# 1.129 20-Jul-2002 deraadt

minor indent tweaks


# 1.128 20-Jul-2002 deraadt

properly split yacc and lex use


# 1.127 19-Jul-2002 deraadt

minor tweaks, sigh


# 1.126 19-Jul-2002 dhartmei

And back out the last change again.


# 1.125 19-Jul-2002 henning

rework the interface lookup routines internals.
less and easier code than before.
no functional changes.

ok frantzen@, dhartmei@


# 1.124 19-Jul-2002 dhartmei

Support # comments at the end of lines and inside (multi-line) string
literals, so you can do things like

macro="{ foo, # first entry
bar, # second entry
baz }" # last entry

or

pass in on $ext_if \ # external interface
proto tcp \ # TCP connections
from any to $ext_if \ # to the gateway itself
keep state

And sneaking in two minor fixes for KNF.


# 1.123 19-Jul-2002 henning

deal with the fact that the struct node_host ifa_pick_ip gets is not always
the result of an interface expansion. in this case ifa_pick_ip does an
address family check (that's actually a (wanted) side effect). Thus, we need
to spit out a meaningful error message in case of a mismatch.
also adjust all the other error messages, they were also assuming that nh is
the result of an interface expansion.
after a looooong discussion on icb (dhartmei@, pb@, me) we agreed on the term
"translation address" for that.

okay dhartmei@


# 1.122 17-Jul-2002 henning

support "self" as address. self expands to all IPv4 and IPv6 addresses of
the machine, on all interfaces. I wanted
block in log on ! lo0 from any to self
for years, and now it's possible.

ok "I may lose my slacking status if I OK it" frantzen@
ok dhartmei@

documentation in pf.conf.5 to come with pb@'s rewrite


# 1.121 16-Jul-2002 dhartmei

Add nat_consistent() and rdr_consistent() for checks that should occur
after rule expansion, similar to rule_consistent(). Fixes the
non-effective test for rdr rules for non-TCP/UDP protocols with ports,
found by mpech@, ok frantzen@


# 1.120 15-Jul-2002 henning

add support for
pass|block on ! $interface ...

ok dhartmei@

will be documented in pf.conf(5) by "I'm not slacking!" pb@ who's currently
reworking this manpage


# 1.119 15-Jul-2002 pb

cosmetics/consolidations to manpage in yyerror()s

ok henning@, dhartmei@


# 1.118 15-Jul-2002 henning

o complain about keep state on block rules
o complain about return-rst on rules which aren't limited to tcp

pointed out by not-slacking-but-testing pb@

ok pb@, dhartmei@


# 1.117 13-Jul-2002 henning

add list expansion for interface and proto in nat rules and for proto in rdr
rules (interface was already there). since the nat.conf/pf.conf merge the
parser accepted these but didn't expand them. ugh.

ok dhartmei@


# 1.116 09-Jul-2002 itojun

check sin6_scope_id field, just in case we change the routing socket API
for scoped address (unlikely due to the deployed codebase...).


# 1.115 09-Jul-2002 itojun

getifaddrs(3) grabs link-local addrs in kernel internal form, convert them
into proper sockaddr_in6.


# 1.114 09-Jul-2002 henning

rework the interface-to-IP routines.

you can use interface names instead of an IP in most places. However, until
now, it was only expanded to the interface's first IPv4 address if existent
(and address family unset or inet) and the first IPv6 address otherwise.

this diff changes that. the interface is properly expanded to all IPs, IPv4
_and_ IPv6, now.

it also cleans up the lookup procedures (well, in fact, they are replaced by
a new one), there's no need for different procedures for IPv4 and IPv6. we
now just have one list of interfaces (AF_LINK) and one list with IPs
(AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and
ifa_lookup.

nat, rdr & friends now use the new function ifa_pick_ip to get the IP in
rules like

nat on $interface from $whatever to any -> $interface

ifa_pick_ip tries to be smart.
if the interface has only one IP address and the nat rule doesn't specify an
address family (or it matches with this address), take this one.
If the address family is specified in the nat rule and there is only one IP
for the given address family, this one is used. if the address family is not
specified and there is more than one IP pfctl throws an error. The same
applies for multiple IPs per address family.

This causes regression tests 18 and 20 to fail because the address family
isn't specified there; diff for those coming.

also fix some prototypes while I'm here.

pb@ found another problem while testing that we must have introduced somewhat
after 3.1.

$cat t
nat on ne3 from any to any -> 213.128.133.5
$pfctl -nvf t
nat on ne3 all -> ?

it's only a representation bug as far as I've checked, nonetheless it should
be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just
steal its target's IP af and set the rule's af accordingly. then inet_ntop
does play nice.
binat rules already enforce having an address family set always and thus are
not affected.

ok dhartmei@, pb@, kjell@
"It looks good" frantzen@


# 1.113 08-Jul-2002 dhartmei

Don't allow 'flags' option in non-TCP rules, found by mpech@


# 1.112 05-Jul-2002 henning

unbreak.


# 1.111 05-Jul-2002 henning

another small bug I found while installing a -current pf firewall.
we don't support

pass/block in on ! <interface>

(at least, not yet)
let the parser complain instead of ignoring the '!'

ok pb@, dhartmei@


# 1.110 01-Jul-2002 espie

streamline parse buffer handling (no need to copy value that is not
going to go away).

add explicit pushback buffer, to be able to push IPv6 failed parses back.

handle pushback + parse buffer interactions by using negative indices.

okay dhartmei@, deraadt@


# 1.109 01-Jul-2002 deraadt

KNF


# 1.108 28-Jun-2002 dhartmei

Don't check for address family conflicts in nat/rdr before expansion,
rules will expand to all valid combinations, and there's an error when
none is found. Makes "nat on tun0 from 10.0.0.0/8 to any -> (tun0)"
work (again).


# 1.107 25-Jun-2002 henning

move pfctl options -t, -m, -O and -l to pf.conf. These are set using the
"set" keyword. example rulefile:

set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all

fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@


# 1.106 24-Jun-2002 dhartmei

Use interface when specified in scrub rule. No support for ! or {} yet.


# 1.105 23-Jun-2002 deraadt

uid_t and gid_t are unsigned


# 1.104 20-Jun-2002 dhartmei

Copy address family from inet/inet6 keyword, if specified.


# 1.103 18-Jun-2002 frantzen

propagate a '!' when a host resolves to multiple IP addresses
ok dhartmei@


# 1.102 18-Jun-2002 frantzen

don't allow individual keep state rules to specify timeouts for 'interval' and
'frag' -- they aren't applied anyway
ok dhartmei@ and henning@


# 1.101 16-Jun-2002 aaron

Rules must in order -> Rules must be in order


# 1.100 15-Jun-2002 dhartmei

Reset rulestate in parse_rules(), so consecutive calls (like from authpf)
will not fail. Reported by Chris Kuethe.


# 1.99 13-Jun-2002 kjell

Fix the numbering of scrub rules. pointed out and oked by frantzen@


# 1.98 12-Jun-2002 kjell

Fix uninitialized access. Spotted by danh@ This is a good reason to
develop with "ln -s 'J' /etc/malloc.conf" enabled.
ok henning@


# 1.97 11-Jun-2002 frantzen

split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@. the rest are slacking


# 1.96 11-Jun-2002 frantzen

SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@


# 1.95 11-Jun-2002 dhartmei

Make NAT proxy port range configurable per rule, for instance privileged
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@


# 1.94 10-Jun-2002 kjell

Merge the NAT and rules files into a single rulefile. Rules must be
in this order, to remove any ambiguity about what order things happen in:

scrub rules
nat rules
filter rules

The -N and -R modifiers go away. Rulefiles are now loaded with the
more POSIXly-correct '-f'

ok frantzen@


# 1.93 10-Jun-2002 dhartmei

Allow ports to be specified in nat rules, useful later on for individual
proxy port ranges.


# 1.92 10-Jun-2002 dhartmei

Move enum out of struct (gcc 3.1 wasn't happy), from David Krause


# 1.91 10-Jun-2002 kjell

split scrub rule processing into its own yacc target,
for imminent config file merge. ok frantzen@


# 1.90 09-Jun-2002 dhartmei

Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it
includes ports and operator.


# 1.89 09-Jun-2002 deraadt

spaced out developers...


# 1.88 09-Jun-2002 kjell

Add list parsing in RDR rules: e.g.

rdr on $IFLIST proto tcp from $SRC_LIST to $DST_LIST port 21 \
-> 127.0.0.1 port 8021

ok dhartmei@


# 1.87 08-Jun-2002 henning

nuke unused parameter af to expand_label_port
ok dhartmei@, pb@


# 1.86 08-Jun-2002 dhartmei

Change remaining read-only lookup tables to const, suggestion drahn@


# 1.85 08-Jun-2002 itojun

comment on IPv6 link-local twists


# 1.84 08-Jun-2002 kjell

add list expansion to src/dest in NAT rules. i.e.

nat on fxp0 from { 10.0.0.0/24, 10.0.1.0/24 } to \
{ 172.6.1.1, 172.14.1.2/32 } -> fxp0

ok theo, dhartmei@


# 1.83 08-Jun-2002 henning

remove macro concatenation via += per Theo's advice


# 1.82 08-Jun-2002 henning

allow macro concatenation like
webservers = "{ 10.0.0.1, 10.0.0.7, 10.0.0.8, "
webservers += " 10.0.0.17, 10.0.0.25, 10.0.0.37 }"
ok frantzen@, dhartmei@


# 1.81 08-Jun-2002 dhartmei

Make state timeouts configurable per rule, like

pass in from any to any port www keep state (tcp.established 60)

ok frantzen@


# 1.80 08-Jun-2002 henning

expand $nr -> rule number in rule labels
okay dhartmei@, frantzen@


# 1.79 08-Jun-2002 henning

expand $proto in rule labels
okay frantzen@ dhartmei@


# 1.78 07-Jun-2002 dhartmei

Handle realloc() failure gracefully. Terminates with err() anyway in this
case, but we don't want to trigger "p = realloc(p," grepping causing false
alarms here.


# 1.77 07-Jun-2002 deraadt

henning, read this to see what i mean by KNF


# 1.76 07-Jun-2002 pb

add the possibility to configure a TTL while return-rst

ok dhartmei@, ipv6 part itojun@ ok


# 1.75 07-Jun-2002 dhartmei

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@


# 1.74 07-Jun-2002 henning

allow using $srcaddr, $srcport, $dstaddr and $dstport in rule labels,
evaluated at parse time.
ok dhartmei@


# 1.73 07-Jun-2002 itojun

make IPv6 scope identification work for dst (from any to fe80::1%lo0)


# 1.72 07-Jun-2002 itojun

support scoped IPv6 address in from/to portion.


# 1.71 01-Jun-2002 hugh

ECN flag support for pf. Committed in consultation with Daniel.


# 1.70 24-May-2002 dhartmei

Support mixed (IPv4/v6) address lists, expand to all possible and valid
combinations. 'pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }' will
expand to two rules, 'from 10.1.2.3 to 10.4.5.6' and 'from ::1 to ::2'.
Also applies to host name resolution (when multiple addresses are returned
for one name). ok frantzen@, itojun@


# 1.69 23-May-2002 deraadt

tiny KNF, some malloc checks, etc


# 1.68 23-May-2002 itojun

new_addr is not used from anywhere. daniel@benzedrine.cx ok


# 1.67 19-May-2002 deraadt

KNF


# 1.66 12-May-2002 dhartmei

Explain that user/group 'unknown' can only be used with operators = and !=
and refuse other constructs in the parser. Also note that 'user >= 0' does
not match forwarded packets with unknown user ID.


# 1.65 12-May-2002 dhartmei

Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.


# 1.64 10-May-2002 dhartmei

Handle host name resolution returning multiple addresses in the rule
parser (expand to every address). ok frantzen@


# 1.63 09-May-2002 jasoni

Add a max-mss option to the scrub rule which will enforce a maximum mss
by lowering it to the given value.
- ok dhartmei@, provos@


# 1.62 09-May-2002 dhartmei

Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.


# 1.61 24-Apr-2002 dhartmei

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).


# 1.60 23-Apr-2002 dhartmei

Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.


# 1.59 18-Apr-2002 deraadt

use strlcpy


# 1.58 17-Apr-2002 dhartmei

Reset lineno for each file, so pfctl -R ... -N ... reports the right
line number for non-first files. Reported by aaron@


Revision tags: OPENBSD_3_1_BASE
# 1.57 27-Mar-2002 mickey

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok


# 1.56 27-Feb-2002 dhartmei

Instead of printing useless @0 rule numbers from pfctl -vR, increase a
counter. Helps debugging rule sets that are not loaded. Suggested by
John Kerbawy.


# 1.55 11-Jan-2002 mickey

use bsearch() for keywords lookup, swap couple of entries to make the keywords array sorted and add a comment to keep it that way; dhartmei@ ok


# 1.54 10-Jan-2002 hugh

Let port 0 be specified as it's not special here.
Agreement with Daniel and others.


# 1.53 09-Jan-2002 mpech

Port must be >0 and <=65535. Idea while having fun with ssh.

dhartmei@ ok


# 1.52 09-Jan-2002 mpech

free() 'interface' in {nat,binat,rdr}rule

dhartmei@ ok


# 1.51 09-Jan-2002 dhartmei

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.


# 1.50 08-Jan-2002 dhartmei

Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.


# 1.49 07-Jan-2002 mpech

remove 3rd argument from ipmask(), not used.

dhartmei@ ok


# 1.48 23-Dec-2001 deraadt

find correct line number in lval, instead of val


# 1.47 10-Dec-2001 dhartmei

Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.


# 1.46 05-Dec-2001 dhartmei

Correctly parse hex numbers. Spotted by Claudio Jeker. Closes PR 2234.


# 1.45 03-Dec-2001 dhartmei

For nat, binat and rdr rules, don't allow different address families in
one rule. pf can't translate IPv4 <-> IPv6 packets. Such rules didn't work,
even if they were falsely accepted before.


# 1.44 26-Nov-2001 jasoni

add fastroute options similar to what is found in ipf
ok dhartmei@, frantzen@


# 1.43 05-Nov-2001 deraadt

no one responds.
this diff makes } and { not be part of symbols


# 1.42 24-Oct-2001 dhartmei

Check interface names using ifa0_lookup() and print error message for
non-existent interfaces (instead of the generic ioctl error returned by
the kernel in this case).


Revision tags: OPENBSD_3_0_BASE
# 1.41 15-Oct-2001 dhartmei

branches: 1.41.2;
Add 'allow-opts' to rules. Packets with IP options will be blocked by
default now, and can be allowed per rule. ok deraadt@


# 1.40 11-Oct-2001 frantzen

Don't htonl() past buffer bounds if ipmask == 128


# 1.39 07-Oct-2001 dhartmei

Add interface name to address translation to pfctl, document it and add
a regress test. Translation is done on rule set load-time only, so the
rule sets must be reloaded when an interface address changes.
parse.y patch from Cedric Berger. Similar patch from Jonathon Fletcher.
Thanks to both.


# 1.38 01-Oct-2001 markus

print variable assignments only if -v is given. ok dhartmei/deraadt


# 1.37 28-Sep-2001 dhartmei

Support underscores in macro names and document it in the man page.


# 1.36 20-Sep-2001 dhartmei

Fix uninitialized structure fields. Problem reported by Cedric Berger.


# 1.35 15-Sep-2001 wilfried

Implement return-icmp(number), return-icmp6(number)
Differentiate between return-icmp and return-icmp6,
icmp-type and ipv6-icmp-type. ok dhartmei@


# 1.34 15-Sep-2001 dhartmei

Fix 'binat ... to any ...' (binat.af wasn't set).


# 1.33 15-Sep-2001 dhartmei

Parse bug, found by wilfried@


# 1.32 15-Sep-2001 frantzen

IPv6 support from Ryan McBride (mcbride@countersiege.com)


# 1.31 12-Sep-2001 markus

check calloc() return value


# 1.30 06-Sep-2001 jasoni

- you can only binat between hosts
- add binat example and description


# 1.29 06-Sep-2001 jasoni

1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@


# 1.28 04-Sep-2001 dhartmei

Support parameter lists {} for interfaces in filter rules, like
pass in on { gm0, kue0 } from any to any


# 1.27 28-Aug-2001 markus

move '!' from host_list to host: "xhost : '!' host | host;"; ok dhartmei@


# 1.26 28-Aug-2001 markus

check for malloc/strdup == NULL


# 1.25 28-Aug-2001 dhartmei

Support ! operator in host parameter lists. Fixes PR system/2030. Reported
by Kamil Andrusz <wizz@mniam.net>.


# 1.24 26-Aug-2001 deraadt

sort keywords


# 1.23 25-Aug-2001 frantzen

PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation.


# 1.22 23-Aug-2001 millert

o for a port_item, initialize the "next" pointer to NULL
o for an address, use calloc() instead of malloc() so the struct is zeroed
Fixes a SEGV in pfctl due to uninitialized "next" pointers.


# 1.21 23-Aug-2001 deraadt

Support var="string". Expansion (at lex time) done using $var, for instance:
okproto="{ssh, smtp, domain, auth}"
pass in on key0 proto tcp from any to any port $okproto keep state
Can I ask someone else to document this in pf.conf(5)?


# 1.20 19-Aug-2001 dhartmei

Add parameter list support to parser. Handles lists for protocol, hosts
and ports in filter rules, like

block in from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
pass in proto tcp from any to any port { ssh, 1024 >< 2000, > 65000 }
block in proto { udp, igmp }

and does rule expansion (generate all needed rule combinations).


# 1.19 16-Aug-2001 deraadt

track the line number per-token, so that we can report errors correctly


# 1.18 14-Aug-2001 mickey

optimize the flags parsing; markus@ ok


# 1.17 11-Aug-2001 deraadt

\+\n support, and spit out cc-style error messages. the parser's line
counting is lex dependent, and will need to be tweaked


# 1.16 31-Jul-2001 wilfried

allow to test that flags are unset, ok dhartmei@, mickey@


# 1.15 19-Jul-2001 krw

Fix/complete the handling of the binary ops >< and <> to behave
like the ipf operators.

The 'n >< m' construct (Include Range = PF_OP_IRG) should match
ports greater than n and less than m, not greater than or equal to
n and less than or equal to m.

The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match
all ports less than n OR greater than m, not be treated as an
alias for ><.

Thus PF_OP_GL, which was used for both <> and >< is replaced with
PF_OP_IRG and PF_OP_XRG with the 'correct' semantics.

OK dhartmei@


# 1.14 18-Jul-2001 markus

new ERROR token, errx() -> warnx() + ERROR; ok deraadt@


# 1.13 18-Jul-2001 markus

KNF for return


# 1.12 18-Jul-2001 mickey

check number range to fit in 32 bits


# 1.11 18-Jul-2001 mickey

put range checks on NUMBER, pointed out by deraadt


# 1.10 17-Jul-2001 mickey

spaces, parens, err instead of errx+strerror


# 1.9 17-Jul-2001 markus

warnx()/YYERROR instead of errx(); suggested by mickey@


# 1.8 17-Jul-2001 provos

markus doesn't like min-ttl =, begone


# 1.7 17-Jul-2001 provos

support min-ttl, okay dhartmei@


# 1.6 17-Jul-2001 provos

normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@


# 1.5 17-Jul-2001 marc

bitch about ! in pf rule; ok dhartmei@ and markus@


# 1.4 17-Jul-2001 millert

Only set default proto in the rdr case; markus@ OK


# 1.3 16-Jul-2001 markus

errx() if getservbyname() fails


# 1.2 16-Jul-2001 markus

better flags parsing; dhartmei


# 1.1 16-Jul-2001 markus

add a yacc parser for pf.conf and nat.conf, with help from mickey@,
plus: -n now turns off all operations, and just parses the conf files
ok deraadt@


# 1.692 10-Feb-2019 kn

Anchor names must not be empty

The parser would allow bogus input and sometimes even produce invalid rules
on empty anchor names, so error out immediately.

OK sashan


# 1.691 10-Feb-2019 kn

Unify anchor name sanity checks

For anchor names, make `load anchor' use the same grammar as `anchor' and
merge unique checks from both places so that anchor names are validated
regardless of the specific rule at hand.

OK sashan


# 1.690 31-Jan-2019 kn

Make divert-packet port accept any port specification

Contrary to other rules accepting a single port, this one only works with
numerical values. Fix it by simply using the proper grammar.

Port ranges are not accepted, but an error message on a range without start
was missing in general, so add it while here.

OK bluhm


# 1.689 11-Jan-2019 kn

When creating tables inside anchors, pfctl warned about namespace
collisions with global tables, but only in certain cases and with
limited information sometimes leaving users clueless.

Deferring the check to process_tabledefs() where tables are eventually
created, both anchor and table name are known which allows for checking
all existing anchors.

With this, warn on all duplicates even in dry-runs (`-n') and print
quoted names so they can be copied to fix configurations right away.

No functional change in parsing or ruleset production.

Discussed with and OK sashan


# 1.688 15-Nov-2018 dlg

scrub opts don't set tos, so remove it from the scrub_opts struct

ok deraadt@


# 1.687 10-Nov-2018 kn

Unbreak `-D macro=value' (r1.686 regression)

Zap trailing semicolon introduced with miko's cmdline_symset() leading to
unconditional err(3). Zap trailing tab while here.


# 1.686 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.685 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.684 16-Sep-2018 millert

Use uid_from_user(3) and gid_from_group(3) in utilities that
do repeated lookups. OK tb@


# 1.683 06-Sep-2018 kn

Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan


# 1.682 16-Jul-2018 kn

reduce duplicate code, fix typo/free correct buffer

In filteropts_to_rule():

* Merge `once' handling from `anchorrule' and `pfrule'
* Remove/shorten duplicate code block
* Fix typo I introduced with r1.678 that frees the wrong buffer (twice)

OK sashan


# 1.681 13-Jul-2018 kn

Fix regression on child queue definitions

I committed the wrong diff in 1.680 which turned `queue cq parent pq ...'
into invalid syntax by changing `interface' to `ON if_item'.

Found by bket, thanks!


# 1.680 11-Jul-2018 kn

Prevent invalid interface specifiers on queue rules

pf.conf(5) states that queues attach to actual interfaces only, yet the
following parses:

# echo queue eq on egress bandwidth 1G default | pfctl -f-
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

# echo queue rq on rdomain 0 bandwidth 1G default | pfctl -vf-
queue rq bandwidth 1G default
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

On rdomains, ifa_exists() returns NULL.
On interface groups, ifa_exists() returns non-NULL but af is never set
to AF_LINK.

OK henning sashan


# 1.679 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.678 10-Jul-2018 henning

'set delay' for the generic packet delay mechanism, ok benno sashan


# 1.677 10-Jul-2018 kn

fix anchor rules with filter opts, introduce filteropts_to_rule()

Some filter options were parsed but not set on anchor rules due to missing
copies of the respective struct members:

$ cat pf.conf
queue rq on trunk0 bandwidth 1G
queue dq parent rq bandwidth 1G default
anchor a set queue dq
$ pfctl -vnf pf.conf | fgrep queue
anchor "a" all

Fix this by moving common code from `anchorrule' and `pfrule' into a new
helper filteropts_to_rule().

Input from henning and benno
OK henning sashan jca


# 1.676 09-Jul-2018 kn

Zap dead code

Commented since r1.465 (2004).

OK deraadt benno jca sashan


# 1.675 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.674 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.673 18-May-2018 benno

A pf rule with a "on rdomain n" with nonexisting rdomain n will cause an

pfctl: DIOCADDRULE: Device busy

error when loading the ruleset, with no information which rule caused
the problem and no indication that the problem is the rdomain
<nonexisting>.

This diff makes pfctl check if the rdomain really exists when parsing
the config.

ok bluhm@


# 1.672 09-May-2018 otto

Fix (include file) line number counting by keeping track of the unget
buffer per file; also use that buffer to expand macros.
ok sashan@ dennis@ krw@


# 1.671 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.670 08-Feb-2018 henning

make the watermarks/thresholds for entering and leaving syncookie mode when
syncookies are set to adaptive tunable, ok claudio benno


# 1.669 06-Feb-2018 henning

allow control over syncookies: set syncookies never/always/adaptive


# 1.668 28-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@


# 1.667 27-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Convert the pfctl(8) rule parser to divert types, kernel cleanup
will be the next step.
OK sashan@


# 1.666 25-Nov-2017 sashan

- pfctl fails to handle nested 'load anchor' properly
[ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]

OK bluhm@


# 1.665 14-Nov-2017 sashan

- nested anchors vs. pfctl/parse.y
bug reported and fix tested by Leonardo Guardati

OK bluhm@


# 1.664 13-Nov-2017 henning

add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb


Revision tags: OPENBSD_6_2_BASE
# 1.663 11-Aug-2017 benno

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@


# 1.662 19-Jul-2017 mikeb

Allow HFSC classes to use flow queues

The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue. Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.

Discussed with and OK henning@ at d2k17 as a part of a larger diff.


# 1.661 19-Jul-2017 mikeb

Rework HFSC vs FQ-CoDel checks

The selection mechanism introduced in pf_ioctl.c -r1.316 suffers
from being too ambiguous and lacks robustness. Instead of relying
on composition of multiple flags in the queue specification, it's
easier to identify the root class (if it exists) and derive all
further checks from it.


# 1.660 28-May-2017 akfaew

Don't check np->port for NULL - it's an array, it's never NULL.

OK bluhm@


# 1.659 15-May-2017 mikeb

Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)

OK sthen, visa


# 1.658 28-Apr-2017 mikeb

Remove double assignments


Revision tags: OPENBSD_6_1_BASE
# 1.657 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.656 23-Nov-2016 bluhm

Explicitly forbid to combine af-to with route-to in pfctl. The
parser cannot handle that correctly and it is unclear whether the
kernel code would work. Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@


# 1.655 26-Aug-2016 guenther

Add <time.h> for time(); sort <*.h> includes

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.654 18-Jul-2016 henning

g/c unused (global!) var: oqueues isn't used any more. ALTQ leftover; not
noticed since struct node_queue stayed. ok claudio benno gcc


# 1.653 22-Jun-2016 kettenis

Add curly braces that were missed in rev 1.651. Add parentheses to make the
condition in the if statement more readable while I'm there.

ok phessler@, benno@, florian@


# 1.652 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.651 21-Jun-2016 benno

the manpage documents that af-to does not work on pass out rules, but
the pf.conf parser allows it, which leads to a non-working configuration
being loaded.
this changes the parser to make pass out .. af-to an error.

ok henning@ mikeb@


# 1.650 16-Jun-2016 henning

allow include in inline anchors
with this,
anchor foo {
include "/path/to/rules"
}
works and "load anchor" is obsolete, to be removed somewhen later after
release.
co-production with reyk at bsdcan, ok reyk mikeb benno sasha


Revision tags: OPENBSD_5_9_BASE
# 1.649 01-Sep-2015 sashan

- route-to, dup-to, reply-to should not override the block action

Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>

ok jung@, ok mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.648 21-Apr-2015 mikeb

Improve divert-to specification parsing w.r.t. rule address family.
ok henning


Revision tags: OPENBSD_5_7_BASE
# 1.647 26-Feb-2015 sthen

%% not % in error message; ok millert@ henning@


# 1.646 14-Feb-2015 sthen

Rather than using 0xff as a placeholder for "don't check prio", use 0xff to
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.

Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesn't like it he can change it when he recovers from jet-lag"


# 1.645 10-Feb-2015 henning

since we inherit prio (as in, the queuing priority) from outside sources,
i. e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan


# 1.644 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.643 19-Dec-2014 reyk

Support source-hash and random with tables and dynifs; not just pools.
This finally allows using source-hash for dynamic loadbalancing, eg.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.

An older pre-siphash version of this diff was tested by many people.

OK tedu@ benno@


# 1.642 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.641 27-Oct-2014 mikeb

Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic. Reported by sthen@;
ok henning benno sthen


# 1.640 25-Oct-2014 lteo

Remove unnecessary netinet/in_systm.h include.

ok millert@


# 1.639 13-Sep-2014 doug

Replace all queue *_END macro calls except CIRCLEQ_END with NULL.

CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.

ok millert@


# 1.638 23-Aug-2014 pelikan

when you specify queues in a rule, make sure they have been defined.

DIOCADDRULE EBUSY turns into an error message that pfctl -n catches.
DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported
to occur, possibly from hfsc.c: this should be fixed as well.

ok henning mikeb sthen


# 1.637 21-Aug-2014 mikeb

deny "once" flags for match rules; ok henning


Revision tags: OPENBSD_5_6_BASE
# 1.636 02-Jul-2014 mikeb

branches: 1.636.4;
condition above makes this part of the check useless;
overlooked in the previous commit


# 1.635 30-Jun-2014 mikeb

Merge two loops in collapse_redirspec into one

This lets us do the checks only once and also make smarter decisions
about the rule's own address family. As a result af-to rules no longer
need to specify the address family after 'pass'.

ok henning


# 1.634 25-Jun-2014 mikeb

Make stricter decisions when handling translation specifications.

In particular, disallow specifications containing addresses of
different address families when rule doesn't specify one, for
example "pass out nat-to { ::1 1.1.1.1 }" will now produce an
error instead of silently picking one of the addresses.

sthen and deraadt agree


# 1.633 17-May-2014 bluhm

When parsing a numerical value for the TOS bits, make sure that it
is in a valid range.
OK henning@


# 1.632 19-Apr-2014 henning

remove altq bits here, too
(i was convinced i committed that yesterday already, hrm)


Revision tags: OPENBSD_5_5_BASE
# 1.631 22-Jan-2014 henning

branches: 1.631.4;
relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.630 21-Jan-2014 henning

if_item can be "any" now.
allows things like
block out on $someif received-on any
to prevent packets from getting forwarded to $someif


# 1.629 20-Jan-2014 henning

support "!received-on <interface>", ok dlg benno


# 1.628 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.627 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


# 1.626 17-Oct-2013 henning

cannot have queue definitions inside anchors.
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@@ring0.de>, analysis & fix yours truly


# 1.625 12-Oct-2013 henning

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen


# 1.624 01-Aug-2013 mikeb

Provide local implementations of if_nametoindex(3) and if_indextoname(3)
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance wise this change provides a speed up
factor of 20 with an 11k-line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).

"wow!" henning, ok benno, florian


Revision tags: OPENBSD_5_4_BASE
# 1.623 01-Jun-2013 henning

branches: 1.623.2;
remove set-tos backwards compat, moved into the set {} block a year ago
ok ryan


# 1.622 02-Mar-2013 sthen

When a PF rule contains 'set tos' *followed by* a scrub option, the tos
value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning


Revision tags: OPENBSD_5_3_BASE
# 1.621 16-Jan-2013 henning

for consistency with prio etc, the queue assignment really belongs
into the set block. so make pfctl accept, print and the manpage document
. match set queue foo
instead of
. match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc


# 1.620 18-Oct-2012 reyk

Disallow tables and interface address pools for rdr-to, nat-to and
route-to with any other scheduling algorithms than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, eg. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.

Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.

ok zinke@


# 1.619 18-Sep-2012 henning

prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb


Revision tags: OPENBSD_5_2_BASE
# 1.618 10-Jul-2012 bluhm

Allow an implicit address family for af-to rules. If the address
family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6"
there.
OK henning@ mikeb@
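The address-family rules spelled out in this entry and in the 1.634/1.635 entries above (explicit inet/inet6 wins, otherwise the family is inferred from "from"/"to", and a translation list that mixes IPv4 and IPv6 in a rule with no known family is an error instead of a silent pick) can be written down as a small checker. The following is an added example, not pfctl's own collapse_redirspec(); the rule dictionary layout, the function names and the error texts are assumptions, and the translation list is assumed to contain plain addresses or networks only (no interface names or tables).

```python
"""Deriving a rule's address family and checking a nat-to / rdr-to address
list against it, following the 1.618 and 1.634 log entries.

Added illustration, not pfctl's parse.y.  Rules applied here:
  - an explicit inet/inet6 wins; otherwise the family is inferred from the
    from/to addresses, which must agree ("any" says nothing);
  - with a known family only addresses of that family are kept from the
    translation list, and at least one must remain;
  - with no family known, a list mixing IPv4 and IPv6 is rejected rather
    than silently picking one of the addresses.
"""
import ipaddress


class RuleError(ValueError):
    """Raised when a rule would be rejected (assumed name)."""


def family_of(addr):
    """Return 'inet' or 'inet6' for an address/network string, None for 'any'."""
    if addr == "any":
        return None
    net = ipaddress.ip_network(addr, strict=False)
    return "inet6" if net.version == 6 else "inet"


def infer_af(rule):
    """Address family from the explicit af, else from the from/to addresses.

    `rule` is a dict with optional keys "af", "from" and "to" (constructed
    layout for this example).
    """
    if rule.get("af") is not None:
        return rule["af"]
    seen = {family_of(a) for a in (rule.get("from", "any"), rule.get("to", "any"))}
    seen.discard(None)
    if len(seen) > 1:
        raise RuleError("from and to addresses have different address families")
    return seen.pop() if seen else None


def collapse_translation(rule, pool):
    """Return the translation addresses usable for the rule.

    `pool` is the list written after nat-to/rdr-to, e.g. ["::1", "1.1.1.1"].
    """
    af = infer_af(rule)
    if af is None:
        if len({family_of(a) for a in pool}) > 1:
            raise RuleError("translation addresses of different address "
                            "families in a rule without an address family")
        return list(pool)
    kept = [a for a in pool if family_of(a) == af]
    if not kept:
        raise RuleError("no translation address matches rule family %s" % af)
    return kept


def is_valid_translation(rule, pool):
    """True when the rule and its translation list would be accepted."""
    try:
        collapse_translation(rule, pool)
    except RuleError:
        return False
    return True
```

With this, the case from the 1.634 entry, a rule with no family and the list `{ ::1 1.1.1.1 }`, is rejected, while the same list on a rule whose "from" address pins the family down to IPv4 collapses to just `1.1.1.1`.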


# 1.617 10-Jul-2012 henning

set { ... } -> set ( ... )
brought up by ryan, discussed with him and theo and they convinced me


# 1.616 09-Jul-2012 henning

fix some of the confusion we have in pf regarding filter criteria vs
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler


# 1.615 07-Jul-2012 henning

remove incorrect check in pfctl preventing set-tos for ipvshit.
the kernel has code to deal with set-tos and that crap. don't ask for
details. stuart ok


# 1.614 07-Jul-2012 henning

rename prio in struct pf_rule and related structs to set_prio so it is
utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc


Revision tags: OPENBSD_5_1_BASE
# 1.613 19-Dec-2011 mikeb

unbreak rule optimizer; ok henning, looks


# 1.612 12-Dec-2011 mikeb

fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault


# 1.611 03-Dec-2011 mcbride

pfctl_set_hostid always returns 0; don't pretend otherwise and make it a
void function instead.

ok dlg


# 1.610 13-Oct-2011 claudio

pfctl change for af-to / NAT64 support.
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@


# 1.609 07-Sep-2011 haesbaert

Avoid possible SIGSEGV when wrong tos option.


# 1.608 30-Aug-2011 mikeb

One shot rules can be used in pf.conf by specifying a "once" filter option.

ok henning, mcbride


Revision tags: OPENBSD_5_0_BASE
# 1.607 29-Jul-2011 mcbride

Remove requirement to quote 'debug' loglevel for the 'debug' option.

ok henning


# 1.606 27-Jul-2011 mcbride

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with a some minor cleanup.
ok henning claudio deraadt


# 1.605 13-Jul-2011 mcbride

Force user to specify protocol when filtering on user, gid, and os
attributes (this is now required by pf_rule_test()).

ok sthen henning


# 1.604 08-Jul-2011 henning

allow rules to specify "prio X" or "prio (X, Y)" to assign priority levels
for the new priority queueing implementation. valid range is 0 to 7. the old
trick for prioritizing empty ACKs etc remains thru the latter notation
ok ryan mpf sthen plus pea testing and halex and claudio reading


# 1.603 07-Jul-2011 mcbride

Fold pf_test_fragment() into pf_test_rule(), reduce code and fixes
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus


# 1.602 04-Jul-2011 henning

bye bye require-order.
i added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo


# 1.601 03-Jul-2011 henning

g/c RIO traces (aka clean up after tedu :))


# 1.600 03-Jul-2011 zinke

bring in least-states load balancing algorithm

ok mcbride@ henning@


# 1.599 06-Apr-2011 claudio

Userland bits to allow PF to filter on the rdomain a packet belongs to.
This allows writing rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@


# 1.598 05-Apr-2011 mikeb

ditch fastroute, an ipf feature that made its way into pf before
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do. reuse some kernel bits for the upcoming nat64
stuff. "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.


Revision tags: OPENBSD_4_9_BASE
# 1.597 31-Dec-2010 bluhm

According to pf_scrub_ip6() pf does not support the scrub options
no-df, random-id, set-tos for IPv6 rules. Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@


# 1.596 15-Dec-2010 henning

make the "invalid probability:" yyerror suck less
From: Thomas Pfaff <tpfaff@tp76.info>


# 1.595 01-Dec-2010 jsg

remove some unused tokens
ok henning@ mcbride@


# 1.594 24-Sep-2010 henning

remove the check that enforced rdr-to only inbound and nat-to only outbound.
both now can be used in both directions. the kernel allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given, a rule with rdr-to and/or nat-to
and no direction is pretty certainly an error (even though it would work,
technically)
ok ryan claudio dlg


# 1.593 22-Sep-2010 henning

new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually


# 1.592 02-Sep-2010 sobrado

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@


Revision tags: OPENBSD_4_8_BASE
# 1.591 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.590 03-Jul-2010 mcbride

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.

tested by phessler
ok henning


# 1.589 23-Mar-2010 henning

remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving anchors aside) is wrong and
conflicts with the general idea of how pf works. last but not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc


Revision tags: OPENBSD_4_7_BASE
# 1.588 13-Jan-2010 deraadt

Move tokens before productions into more consistent places
ok mcbride


# 1.587 13-Jan-2010 mcbride

Allow /netmask notation in redir spec, fix the rest of the regress
tests for illegal conditions in translation/routing.


# 1.586 12-Jan-2010 mcbride

We actually have to keep the translate/route spec addresses around after
collapsing into tables, so that we can handle all possible address family
expansions.


# 1.585 12-Jan-2010 mcbride

Set roundrobin flag correctly, and don't treat a bare interface
like a dynamic one in the routespec.


# 1.584 12-Jan-2010 mcbride

Add restrictions to make @if illegal in outside of routing specs;
Fix binat-to sanity checks.


# 1.583 12-Jan-2010 mcbride

Fix some issues in redir spec handling, discovered thanks to dlg testing
- purge irrelevant addresses from the lists before collapsing
- ensure the lists are freed after they're collapsed
- more careful ifname copying, avoiding double-free / use-after-free traps


# 1.582 12-Jan-2010 mcbride

Don't leak @if0 format routing host names, pointed out by claudio.


# 1.581 12-Jan-2010 mcbride

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio


# 1.580 10-Jan-2010 deraadt

lex <=, >=, and != into a single token for correctness and to reduce the
lookahead in the parser
ok henning otto


# 1.579 10-Jan-2010 deraadt

In the non-optimized case, an address list containing "any" (ie. { any 10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1. How long this bug has
been with us is unclear.
ok guenther mcbride


# 1.578 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


# 1.577 24-Dec-2009 dlg

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:

pass out on em0 from $foo to $bar received-on fxp0

I've been running this in production for a week now. I find it particularly
useful with interface groups.

no objections, and a few "i like"s from henning, claudio, deraadt, mpf


# 1.576 10-Dec-2009 deraadt

plug some memory leaks; found by parfait, ok henning


# 1.575 22-Nov-2009 henning

cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing


# 1.574 09-Nov-2009 jsg

A few more places to be updated for the route pool change.
expanded version of a diff from Vadim Zhukov.

ok henning@ claudio@


# 1.573 28-Oct-2009 jsg

Add a dedicated pf pool for route options as suggested by henning,
which unbreaks ie route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@


# 1.572 28-Oct-2009 claudio

route_host initializes the netmask to a /128 no matter what af is used so
that the load balancing code does not freak out but because of this
check_netmask() is now complaining. So set the addr.type to PF_ADDR_DYNIFTL
so check_netmask() is fixing up the netmask for IPv4 and stops complaining.
This is a partial fix for the failing regress test 13.
found with jsg, looks good henning


# 1.571 28-Oct-2009 claudio

Correct function name in err and errx.


# 1.570 04-Oct-2009 michele

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who spotted the limitations of this approach.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@


# 1.569 08-Sep-2009 michele

I had not enough oks to commit this diff.
Sorry.


# 1.568 08-Sep-2009 michele

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.


# 1.567 07-Sep-2009 reyk

implement binat-to as a macro-like rule: a rule using the new binat-to
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. this simplifies the migration from old
binat rules and is less error-prone.

feedback from many, manpage bits from jmc@
ok henning@


# 1.566 03-Sep-2009 reyk

this time i commit the right diff that was
ok henning@ (sorry)


# 1.565 03-Sep-2009 reyk

fix two route-to vs. rdr-to conflicts.

found by sthen@
ok henning@


# 1.564 02-Sep-2009 reyk

all the new *-to options are part of the "filteropts" section at the
end of a pf rule (nat-to, divert-to, rdr-to, ...). take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.

for example,
pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)

many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@


# 1.563 01-Sep-2009 henning

the diff theo calls me insanae for:
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too


# 1.562 28-Jul-2009 claudio

Bring back rev. 1.560:
Make it possible to use DiffServ Code Point in the TOS fields.
Requested by deraadt@


# 1.561 27-Jul-2009 deraadt

When will people learn to commit their .h file changes?


# 1.560 27-Jul-2009 claudio

Make it possible to use DiffServ Code Point in the TOS fields. Names like
af11, cs6 and ef will now be mapped to the corresponding TOS value.
OK henning@, sthen@, mcbride@
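The DiffServ names introduced here, together with the numeric range check from the 1.633 entry above, are the whole of what a tos value parser has to do, so here is one as an added example. It is not pfctl's parse.y code; the function and exception names are assumptions. The numbers are protocol facts rather than something taken from this log: the classic IPv4 TOS bits lowdelay/throughput/reliability are 0x10/0x08/0x04, and a DiffServ code point occupies the top six bits of the byte, so the TOS value of a named code point is DSCP << 2 (AF11 = 10, CS6 = 48, EF = 46 per RFC 2597, RFC 2474 and RFC 3246).

```python
"""Parsing pf's tos / set-tos value: symbolic names, hex or decimal numbers,
with the 0..255 range check.  Added example, not pfctl's parser.
"""
import re

# Classic IPv4 TOS bits (RFC 1349 names as pf.conf spells them).
_TOS_BITS = {"lowdelay": 0x10, "throughput": 0x08, "reliability": 0x04}

# DiffServ code points (six-bit values): CS from RFC 2474, AF from RFC 2597,
# EF from RFC 3246.  The TOS byte value is the code point shifted left by 2.
_DSCP = {
    "cs0": 0, "cs1": 8, "cs2": 16, "cs3": 24,
    "cs4": 32, "cs5": 40, "cs6": 48, "cs7": 56,
    "af11": 10, "af12": 12, "af13": 14,
    "af21": 18, "af22": 20, "af23": 22,
    "af31": 26, "af32": 28, "af33": 30,
    "af41": 34, "af42": 36, "af43": 38,
    "ef": 46,
}

_NUMBER = re.compile(r"0x[0-9a-f]+|[0-9]+")


class TosError(ValueError):
    """Raised for an unknown name or an out-of-range number (assumed name)."""


def parse_tos(spec):
    """Return the 8-bit TOS value for a pf tos specification string."""
    s = spec.strip().lower()
    if s in _TOS_BITS:
        return _TOS_BITS[s]
    if s in _DSCP:
        return _DSCP[s] << 2          # DSCP sits in the top six bits of the byte
    if not _NUMBER.fullmatch(s):
        raise TosError("unknown tos value: %r" % spec)
    value = int(s, 16) if s.startswith("0x") else int(s, 10)
    # 1.633: a numeric TOS must fit the one-byte field
    if not 0 <= value <= 0xFF:
        raise TosError("tos value %r out of range 0..255" % spec)
    return value


def describe_tos(value):
    """Symbolic form of a TOS byte, the way one would print a rule back."""
    for name, bits in _TOS_BITS.items():
        if bits == value:
            return name
    if value & 0x03 == 0:             # only a value with clear ECN bits is a pure DSCP
        for name, dscp in _DSCP.items():
            if dscp << 2 == value:
                return name
    return "0x%02x" % value


def is_valid_tos(spec):
    """True when parse_tos() accepts the specification."""
    try:
        parse_tos(spec)
    except TosError:
        return False
    return True
```

Note that `describe_tos` tries the classic TOS names first: 0x10 prints as `lowdelay`, not as an unnamed code point, which mirrors how the two name spaces overlap in the same byte.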


Revision tags: OPENBSD_4_6_BASE
# 1.559 14-May-2009 sthen

actually change the require-order default to No; I missed a part with
my last commit. ok deraadt@


# 1.558 26-Apr-2009 sthen

switch the require-order default to "no". regression tests still pass.
ok henning@ deraadt@


# 1.557 25-Apr-2009 henning

scrub_opts must not be empty, scrub on its own does nothing.
noticed due to a question from otto@, ok regress/sbin/pfctl/ ;)


# 1.556 06-Apr-2009 henning

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.
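The pass/block-versus-match semantics described in point 4 above (and the log(matches) option from the 1.593 entry) are easiest to see with a small simulation of ruleset evaluation. The code below is an added example, not pf's own code: the Rule and Verdict layouts, the two-field packet matcher and the function names are assumptions, and one detail the entry does not spell out is stated as an assumption in the code, namely that the options of the deciding pass/block rule are applied after those of the match rules, and only that one pass/block rule's options count.

```python
"""Simulation of pf's "last matching pass/block rule wins, match rules apply
their options every time" semantics.  Added illustration, not pf's code.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    """One pf.conf rule, reduced to the fields the simulation needs."""
    action: str                     # "pass", "block" or "match"
    proto: Optional[str] = None     # None matches any protocol
    dst_port: Optional[int] = None  # None matches any port
    queue: Optional[str] = None     # "set queue <name>"
    rtable: Optional[int] = None    # "rtable <id>"
    log: bool = False               # "log"
    log_matches: bool = False       # "log(matches)" (1.593)


@dataclass
class Verdict:
    action: str = "pass"            # pf passes a packet no rule matched
    queue: Optional[str] = None
    rtable: Optional[int] = None
    matched: List[int] = field(default_factory=list)    # indices of matching rules
    logged_by: List[int] = field(default_factory=list)  # one entry per log event


def rule_matches(rule, pkt):
    """Minimal matcher: protocol and destination port only (constructed)."""
    if rule.proto is not None and rule.proto != pkt["proto"]:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt["dst_port"]:
        return False
    return True


def _apply_options(rule, verdict):
    """Last setter wins: a rule without the option keeps the earlier value."""
    if rule.queue is not None:
        verdict.queue = rule.queue
    if rule.rtable is not None:
        verdict.rtable = rule.rtable


def evaluate(rules, pkt):
    """Walk the ruleset top to bottom and return the resulting Verdict."""
    v = Verdict()
    decider = None      # index of the last matching pass/block rule
    tracing = False     # True once a log(matches) rule has matched
    for idx, r in enumerate(rules):
        if not rule_matches(r, pkt):
            continue
        v.matched.append(idx)
        if tracing:
            v.logged_by.append(idx)   # log(matches): every later matching rule is logged
        if r.action == "match":
            # match rules apply their options each time they match and never
            # change the pass/block decision
            _apply_options(r, v)
            if (r.log or r.log_matches) and idx not in v.logged_by:
                v.logged_by.append(idx)
            if r.log_matches:
                tracing = True
        else:
            decider = idx
    if decider is not None:
        r = rules[decider]
        v.action = r.action
        # assumption: only the deciding pass/block rule's own options are
        # taken, applied after those of the match rules
        _apply_options(r, v)
        if r.log and decider not in v.logged_by:
            v.logged_by.append(decider)
    return v
```

Running `evaluate` on `[pass, match]` and `[block, match]` gives pass and block respectively, and on `[match set queue q1, match set queue q2, pass]` the queue is `q2` even though the last matching rule set none, which is the case the entry singles out.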


Revision tags: OPENBSD_4_5_BASE
# 1.555 19-Feb-2009 deraadt

spacing


# 1.554 17-Oct-2008 henning

in findeol(), do not skip the pushback buffer. fixes PR 5952 by sthen@ and
should make the pushback buffer really transparent.
diagnosis by me, fix with mpf, some input deraadt, ok mpf


# 1.553 02-Oct-2008 henning

implement "set state-defaults X", where X is a list of state options as
permitted keep state(X). applies to all rules which do not have keep state
explicitly. e. g. "set state-defaults pflow, no-sync"
ok phessler deraadt


# 1.552 10-Sep-2008 deraadt

do not try to print $$ when it has not been set


# 1.551 09-Sep-2008 henning

welcome pflow(4), a netflow v5 compatible flow export interface.
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo


# 1.550 07-Aug-2008 henning

correctly copy the log interface spec when expanding an antispoof rule that
covers loopback addresses. ok ryan
problem report from Harald Dunkel <harald.dunkel@aixigo.de>


Revision tags: OPENBSD_4_4_BASE
# 1.549 03-Jul-2008 deraadt

do not forget to initialize other member of $$ in qname; noted by mark shroyer
ok henning


# 1.548 10-Jun-2008 mcbride

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt


# 1.547 10-Jun-2008 henning

new state option "sloppy" to use the sloppy tcp state tracker instead
of the good one. ok theo ryan reyk


# 1.546 09-May-2008 deraadt

Replace a crockpot of semi-cloned productions for handling port
numbers with one, and fix a few other bugs along the way
ok mpf henning


# 1.545 09-May-2008 markus

convert port byte order in the production; add port keyword; ok deraadt@


# 1.544 09-May-2008 markus

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@


# 1.543 08-May-2008 deraadt

make "to any" optional in binat, or well, the implied default.
requested by reyk, ok reyk mpf


# 1.542 08-May-2008 deraadt

Loosen grammar to permit any number of newlines within most kinds of { }
blocks, as requested by reyk; ok reyk mpf henning


# 1.541 08-May-2008 deraadt

Bring back (in a more yacc friendly way) support for setting variables
to a sequence of strings and numbers, which get folded together into one
string (and later, when used, is re-lexed)
ok mpf


# 1.540 07-May-2008 deraadt

do not assume PF_INOUT is 0 in the enum; ok mcbride


# 1.539 07-May-2008 markus

scrub packets based on tags; ok henning


# 1.538 07-May-2008 markus

allow setting TOS with scrub; ok mcbride, claudio


# 1.537 21-Apr-2008 deraadt

optnl is a crutch for those who do not understand yacc. it
leads to a variety of errors; ok mcbride


Revision tags: OPENBSD_4_3_BASE
# 1.536 01-Feb-2008 mcbride

Enable the rest of the filter_opts to be used on anchors. These were accepted
by the parser but not passed to the kernel. This allows filtering based on
uid, gid, icmp options, tcp flags, os fingerprint, tos, tags, and probability;
It also allows the label to be set. State options and tagging are not
permitted.

ok henning mpf


# 1.535 13-Nov-2007 mpf

Bring back the number converter for 'set hostid'.
I forgot to think about hex numbers when I removed it.
OK deraadt@


# 1.534 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.533 25-Oct-2007 mpf

Fix probability rules w/ numbers (e.g. probability 0.4).
Add support for probabilities of 0% and 100%.
With and OK deraadt@


# 1.532 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.531 22-Oct-2007 deraadt

pfctl does not need file secrecy


# 1.530 16-Oct-2007 mpf

Allow unquoted numbers in variables.
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.

OK deraadt@


# 1.529 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.528 13-Oct-2007 deraadt

support an include directive; file of course must also be "secure" like
the main configuration file; ok henning


# 1.527 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.526 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.525 01-Oct-2007 mpf

Backout NUMBER to string conversion.
Requested by deraadt@


# 1.524 27-Sep-2007 mpf

Add loginterface support for groups.
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.

OK henning@, markus@


# 1.523 23-Sep-2007 mpf

Allow numbers to be used as unquoted strings again.
While there, also restrict the use of concatenated, unquoted
strings for variable assignments only.

Eyeballed by markus@, OK henning@


# 1.522 12-Sep-2007 deraadt

add a missing range check for rtable ids; ok cloder henning


# 1.521 12-Sep-2007 deraadt

Add support to the lex for parsing numbers out of the stream. handle
this in the parser. because the new numbers are int64_t, many new
range checks for < 0 are needed. re-check and improve all the
existing range checks while at it. thanks for help by cloder and
dhartmei


# 1.520 30-Aug-2007 dhartmei

add support for address ranges ("from 10.1.2.50 - 10.1.3.75") in from/to
criteria. ok mcbride@


Revision tags: OPENBSD_4_2_BASE
# 1.519 21-Jun-2007 henning

always initialize logif, from max laier, ok ryan


# 1.518 20-Jun-2007 mpf

Allow "log" for nat rules without "pass".
OK henning@, ``passt scho'' markus@


Revision tags: OPENBSD_4_1_BASE
# 1.517 03-Feb-2007 dhartmei

in decide_address_family(), only limit a rule to a specific address family
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@


# 1.516 07-Nov-2006 mcbride

Unbreak authpf by handling non-inline anchors separately from the { } anchors
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.

ok deraadt@


# 1.515 31-Oct-2006 mcbride

Allow pfctl ruleset optimizer to be controlled from the ruleset.

"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]

You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.

cleanup and ok henning@


# 1.514 31-Oct-2006 mcbride

- don't allow anchors with _* names to be cleared or loaded from the
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified

'looks sensible' deraadt@


# 1.513 28-Oct-2006 mcbride

Load all rules into memory before loading into the kernel, and add support
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").

anchor on fxp0 {
pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@


# 1.512 25-Oct-2006 henning

make absolutely sure logif is 0 unless set specifically, even if log is 0.
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...


# 1.511 25-Oct-2006 henning

and another nit, $$.log should be set to 0 explicitly on quick without log


# 1.510 25-Oct-2006 henning

urgs, $$.quick needs to be set to 0 explicitly on log (without quick)


# 1.509 25-Oct-2006 henning

allow the log interface to be selected like
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride


# 1.508 17-Oct-2006 mcbride

Don't automatically set 'flags S/SA' on stateless rules.

pointed out by david@

ok mpf@ dhartmei@


# 1.507 11-Oct-2006 deraadt

quotes around filename, pr 5253, sthen@zephyr.spacehopper.org


# 1.506 11-Oct-2006 mcbride

Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside
the anchor, terminate ruleset evaluation when stepping out of the anchor.

This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.

ok dhartmei@ henning@ deraadt@


# 1.505 06-Oct-2006 mcbride

Oops, flags S/SA doesn't work on fragments.


# 1.504 06-Oct-2006 mcbride

Make 'flags S/SA keep state' the implicit for filter rules, based on
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.

IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.

Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.

ok dhartmei@ deraadt@ henning@


Revision tags: OPENBSD_4_0_BASE
# 1.503 22-Aug-2006 dhartmei

back out -r1.497 (support for "tagged {}" lists), it broke "tagged" support
for nat rules. sorry, existing functionality trumps syntactic sugar. feel
free to resubmit a complete patch. closes PR 5207.


# 1.502 06-Jul-2006 henning

add "rtable" to select alternate routing tables.
with & ok claudio hshoexer


# 1.501 17-Jun-2006 henning

KNF


# 1.500 28-May-2006 mcbride

Make per-rule adaptive timeouts behave the same way as the global adaptive
timeouts.


# 1.499 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.498 02-May-2006 dhartmei

fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, create
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.


# 1.497 01-May-2006 dhartmei

add support for "tagged {}" lists, from Pierre-Yves Ritschard


# 1.496 06-Apr-2006 henning

allow lists inside lists for address specs, has been in my tree for
quite some time... theo likes


# 1.495 14-Mar-2006 djm

implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@


Revision tags: OPENBSD_3_9_BASE
# 1.494 17-Nov-2005 dhartmei

for pfctl -f rules, open the file before resetting options. when opening
the file fails, produce only the error message and leave options
unchanged. reported by Tamas TEVESZ, ok deraadt@


# 1.493 13-Oct-2005 henning

unused parameters


Revision tags: OPENBSD_3_8_BASE
# 1.492 14-Jun-2005 henning

no need to restrict tagging to stateful rules any more, dhartmei ok
From: "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.491 27-May-2005 dhartmei

get rid of 'log-all'. now that we have 'log (options)', make 'all' an
option to log. so, 'log-all' becomes 'log (all)'.


# 1.490 27-May-2005 dhartmei

get rid of shift/reduce conflicts, don't support empty logopts


# 1.489 27-May-2005 dhartmei

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v is used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.


# 1.488 27-May-2005 dhartmei

allow 'tagged' in 'anchor' rules (without complaining about missing
'keep state'), as a condition to branch into the anchor. suggested
by Bill Marquette.


# 1.487 26-May-2005 camield

The illegalness of "no nat log" is already enforced by the grammar.

ok dhartmei


# 1.486 26-May-2005 dhartmei

support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@


# 1.485 23-May-2005 camield

remove code that duplicates getservice()

ok dhartmei mcbride


# 1.484 21-May-2005 henning

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo


# 1.483 22-Apr-2005 camield

Catch bad flags, ie. flags that always evaluate to false. This happens
if there are flags on the lefthandside that are masked off by the
righthand side.

ok mcbride@ (long time ago) dhartmei@ henning@


Revision tags: OPENBSD_3_7_BASE
# 1.482 07-Mar-2005 henning

print unsigned long with %lu, not with %d and not with %ld.
From: Andrey Matveev <andrushock@korovino.net>


# 1.481 06-Mar-2005 henning

allow commas in the hfsc service curve spec, inconsistency pointed out in
PR4134 / geoff@collyer.net and a longer mail exchange with han boetes


# 1.480 06-Mar-2005 dhartmei

print "set skip on" with -v in such a way that the output is valid input
syntax, instead of the cryptic hex flags output.


# 1.479 27-Feb-2005 dhartmei

support 'tagged' in translation rules, non-delayed tag lookup
ok henning@, deraadt@


# 1.478 26-Feb-2005 henning

you sure get the impression the number of memory leaks in error paths
is infinite... Andrey Matveev <andrushock@korovino.net> spotted a few again!


# 1.477 07-Feb-2005 david

KNF; ok henning@


# 1.476 28-Jan-2005 dhartmei

add messages for syntax errors that caused silent failure before.
found by Peter Fraser, ok henning@


# 1.475 27-Jan-2005 dhartmei

dynamic interface names must start with a letter. catches the nonsensical
"(10.1.2.3)" that results from a simple typo like "$(ext_ip)" instead of
"$(ext_if)".


# 1.474 05-Jan-2005 mcbride

Modify pfctl behaviour so that 'set ...' options are no longer "sticky", ie.
they are reset to default values if omitted from a subsequent ruleset load.
Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set
without resetting the others, eg:
# echo "set loginterface fxp0" | pfctl -mf -

ok henning@ dhartmei@


# 1.473 29-Dec-2004 mcbride

Print 'set fingerprints' correctly when parsing verbosely.


# 1.472 23-Dec-2004 dhartmei

set rule_flag PFRULE_SRCTRACK when setting srctrack, found by camield@
using regress test pf84


# 1.471 22-Dec-2004 dhartmei

Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@


# 1.470 15-Dec-2004 henning

missing free()s; with pat


# 1.469 10-Dec-2004 henning

allow pf to filter on route labels
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan


# 1.468 08-Dec-2004 mcbride

Add "'overload' requires 'max-src-conn' or 'max-src-conn-rate'" sanity check,
fix some cut-n-paste mayhem in other related checks.


# 1.467 07-Dec-2004 dhartmei

re-commit mcbride@'s 'flush global', this time without the breakage in
pfvar.h. builds kernel and userland.


# 1.466 07-Dec-2004 deraadt

real backout


# 1.465 07-Dec-2004 deraadt

oops, incomplete backout


# 1.464 07-Dec-2004 deraadt

tree does not compile, spotted by dlg (not obvious how to fix)
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.463 07-Dec-2004 mcbride

Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.462 05-Dec-2004 dhartmei

initialize $$->tail and $$->next for MAXSRCCONNRATE


# 1.461 04-Dec-2004 mcbride

Userland support for limiting open tcp connections per source. eg:

keep state (max-src-conn 1000, max-src-conn-rate 100/10, overflow <bad> flush)

allow a maximum of 1000 open connections or 100 new connections in 10 seconds.
The addresses of offenders are added to the <bad> table which can be used in
the ruleset, and existing states from that host are flushed.

ok deraadt@ dhartmei@


# 1.460 21-Sep-2004 aaron

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok


Revision tags: OPENBSD_3_6_BASE
# 1.459 29-Jun-2004 henning

remove cedric's bogus interface name verification code.
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nice enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being bugged to regularly.
help & ok mcbride@


# 1.458 29-Jun-2004 frantzen

convert a few memcpy()s to strlcpy() so we don't copy uninitialized junk into
an interface name's slack space past the \0. will be needed for the optimizer.
ok henning@


# 1.457 26-Jun-2004 david

add back PF_INOUT, fixes reassemble tcp
ok canacar@ mcbride@


# 1.456 25-Jun-2004 deraadt

repair tree nanobreak by the nanobum


# 1.455 10-Jun-2004 dhartmei

rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
keyword in C++. ok henning@, cedric@


# 1.454 21-May-2004 dhartmei

Use '/' instead of ':' as separator for anchor path components. Note that
the parser now needs quotes around paths containing separators.
ok mcbride@


# 1.453 19-May-2004 dhartmei

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@


# 1.452 24-Apr-2004 cedric

Add "probability xxx" rule modifier. ok deraadt@


# 1.451 22-Apr-2004 henning

typo, From: Jared Yanovich <jjy2+@pitt.edu>


# 1.450 14-Apr-2004 cedric

make antispoof work with dynamic addresses. ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_5_BASE
# 1.449 20-Mar-2004 david

spelling fix; ok dhartmei@ henning@ deraadt@


# 1.448 14-Mar-2004 dhartmei

#include fixes, from Max Laier, ok beck@ henning@


# 1.447 08-Mar-2004 henning

plug 124 memory leaks
ok mcbride@ pb@ dhartmei@


# 1.446 06-Mar-2004 henning

from bgpd:
plug a memory leak in the lexer.
the issue is this code fragment from yylex():
    token = lookup(buf);
    yylval.v.string = strdup(buf);
    if (yylval.v.string == NULL)
        err(1, "yylex: strdup");
    return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.445 01-Mar-2004 dhartmei

support "tagged <name>" on anchor rules, suggested by vd@vmunix.lt,
ok henning@, cedric@


# 1.444 24-Feb-2004 mcbride

'max-src-nodes' requires 'source-track rule'. Set that automatically,
unless 'source-track global' is explicit, in which case error out. Lots of
help from cedric@.

ok cedric@ henning@


# 1.443 24-Feb-2004 cedric

fixup.


# 1.442 24-Feb-2004 mcbride

Check for 'source-track rule' with 'max-src-nodes'.

ok cedric@ henning@


# 1.441 11-Feb-2004 cedric

Fix interface clobbering for link-local addresses. Found by Pyun YongHyeon.
Fix "antispoof for foo" when foo has no addresses.
ok+help dhartmei@, ok mcbride@


# 1.440 10-Feb-2004 henning

KNF


# 1.439 10-Feb-2004 henning

fix at least the worst of Cedric "KNF is for everybody but me" Berger's fuckup


# 1.438 04-Feb-2004 mcbride

Handle rules like 'pass ... proto { tcp udp icmp } ... modulate state'

ok dhartmei@ henning@


# 1.437 03-Feb-2004 henning

fix PR 3664 / jared r r spiegel
we need to save the unexpanded tag/tagged strings before entering the
expansion loop, and at each loop, start with the unexpanded tag, so that
on subsequent loops the macros are replaced with current values and not
the values from previous loop persist
ryan theo ok


# 1.436 05-Jan-2004 henning

few off by ones in strlcpy overflow check; Patrick Latifi


# 1.435 04-Jan-2004 cedric

don't ignore "!" on "binat on !foo". ok mcbride@


# 1.434 31-Dec-2003 deraadt

spacing. note this, cedric


# 1.433 31-Dec-2003 cedric

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to groups of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@


# 1.432 30-Dec-2003 henning

fix TAILQ abuse.
TAILQ_REMOVE is a no-no within a TAILQ_FOREACH loop.
also free the symbol itself after removal.
all found while hacking bgpd which incorporates pfctl's sym code (macros).

ok cedric@


# 1.431 19-Dec-2003 henning

i wrote much of these, assert my copyright


# 1.430 19-Dec-2003 deraadt

assert copyright. i rewrite much of this


# 1.429 16-Dec-2003 mcbride

Check that max-src-states and max-src-nodes are not being set to 0.


# 1.428 15-Dec-2003 henning

KNF here too


# 1.427 15-Dec-2003 mcbride

Whitespace.


# 1.426 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


# 1.425 15-Dec-2003 mcbride

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@


# 1.424 29-Nov-2003 dhartmei

allow ':' (range including boundaries) to be used wherever '><' (range
excluding boundaries) is legal. already supported by kernel, requires only
removal of three error messages. ok henning@


# 1.423 22-Nov-2003 henning

daniel stumbled over a broken regress test, and it turned out that I forgot
to commit a diff from 11/6...
do not insert the "block in on ! interface" rule for antispoof statements when
the interface in question does not have any IP address, because that then
expands to
block in on ! interface all
which is obviously bad.
niklas@ found it, dhartmei@ ok, and I think some more ppl ok I don't remember


# 1.422 14-Nov-2003 henning

allow the debuglevel to be set from pf.conf (set debug)

ok cedric@


# 1.421 08-Nov-2003 mcbride

Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.

pass in proto tcp to self flags S/SA keep state (no-sync)

ok cedric@ henning@ dhartmei@


# 1.420 06-Nov-2003 henning

and fix two err() that should be errx() while being here


# 1.419 06-Nov-2003 henning

need calloc here


# 1.418 06-Nov-2003 henning

allow the label macros to be used in tags as well.
the idea is not mine and I'd love to get credit, but I cannot find the mail
any more :-((

ok canacar@ dhartmei@


# 1.417 21-Oct-2003 itojun

don't use NULL as (int)0. henning ok


# 1.416 26-Sep-2003 cedric

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:

- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK

Ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_4_BASE
# 1.415 01-Sep-2003 henning

KNF


# 1.414 28-Aug-2003 kjell

This change is busted. what's worse, REGRESSION TESTS WOULD HAVE CAUGHT IT!
You MUST test network stack changes on BOTH BYTE-ORDERS.
Someone can fix this later, but right now I need to get the damn
firewall up. Grr.


# 1.413 26-Aug-2003 dhartmei

catch port/user/group a <>/>< b with a >= b, from mpech@


# 1.412 25-Aug-2003 dhartmei

catch return-rst ttl values > 255, from aaron@


# 1.411 24-Aug-2003 cedric

Tweaks:
- Make sure we allow only tables in round-robin pools for routing options,
same as what we do for translation rules.
- Don't reject rules like: "nat on sis0 -> <foo>" because
"no address family is given". This is perfectly valid.
ok henning@


# 1.410 22-Aug-2003 david

pf spelling police
ok dhartmei@ jmc@


# 1.409 21-Aug-2003 frantzen

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
    block proto tcp from any os SCO
    block proto tcp from any os Windows to any port smtp
    rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001


# 1.408 20-Aug-2003 henning

braindeadness police: catch queues which specify itself as child... 'nuff said


# 1.407 20-Aug-2003 henning

err out nicer on errors in queue def


# 1.406 18-Aug-2003 dhartmei

catch max-mss values > 65535, report by Gregory Steuck


# 1.405 09-Aug-2003 cedric

This patch removes the restriction that tables cannot be used in routing or
redirection rules...

The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.

This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.

Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"

ok henning@ mcbride@


# 1.404 29-Jul-2003 deraadt

indent


# 1.403 19-Jul-2003 cedric

Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
instead of indirectly through struct pf_rule_addr.

Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.

Needless to say: KERNEL/USERLAND SYNC REQUIRED.

ok henning@ mcbride@


# 1.402 18-Jul-2003 cedric

Simplify handling of flags (-R, -N...). Remove PFCTL_FLAG_ALL.
ok dhartmei@


# 1.401 15-Jul-2003 cedric

Repair memory management in table parsing code.
I need vacations.
Found and verified by Pyun YongHyeon.
ok dhartmei@


# 1.400 14-Jul-2003 dhartmei

tpo


# 1.399 11-Jul-2003 cedric

Better parsing and -v support for tables:

- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and bring table definition consistent with other
parsed rules.

ok dhartmei@


# 1.398 10-Jul-2003 cedric

Fix merging of host lists.
ok dhartmei@ henning@


# 1.397 04-Jul-2003 henning

KNF after cedric (grmpf)


# 1.396 04-Jul-2003 henning

allow for a "pass" modifier on translation rules:
nat pass on $ext_if from $a to $b -> $ext_if
when the pass modifier is given, the filter ruleset is _not_ evaluated but
the packets matching this translation rule are passed unconditionally.

ok dhartmei@ cedric@ markus@


# 1.395 03-Jul-2003 cedric

Bye bye atexit(), bye bye globals...
The pfctl.c part will probably need some further improvements.
ok henning@


# 1.394 03-Jul-2003 cedric

This patch finally cleans up pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@


# 1.393 19-Jun-2003 deraadt

knf


# 1.392 18-Jun-2003 henning

change expand_label_addr() to use a switch (h->addr.type) instead of
if .. else if .. else, and handle PF_ADDR_NOROUTE as well.
inspired by a comment from cedric.


# 1.391 18-Jun-2003 henning

when expanding the $srcaddr/$dstaddr label macros and the address is actually
a table reference, don't print nonsense but the table name.
found by claudio jeker, fix by me, agreement by cedric


# 1.390 09-Jun-2003 mcbride

Attempt to resolve byte order confusion in nat code once and for all.

- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()

NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.


# 1.389 25-May-2003 henning

must not run check_netmask() before remove_invalid_hosts() - binat case had it
wrong for the redirection target.
reported by jared r r spiegel <jrrs@ice-nine.org>


# 1.388 19-May-2003 henning

reject invalid netmasks like 10.0.0.0/68, and fix up the netmask for
dynaddr rules after we know the address family

ok dhartmei@, inspired by a session with bob


# 1.387 19-May-2003 henning

all host() receivers have to test for NULL


# 1.386 19-May-2003 henning

if host() returns NULL, it is an error, so err the fuck out and don't
load bullshit


# 1.385 17-May-2003 henning

support inverse matching on tags like
block in ! tagged sometag

ok dhartmei@ pb@


# 1.384 16-May-2003 dhartmei

TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive end-
point, preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@


# 1.383 15-May-2003 henning

properly complain about too long tags


# 1.382 14-May-2003 frantzen

add scrub modifier "reassemble tcp" to turn on stateful TCP normalizations
ok henning@ dhartmei@


# 1.381 14-May-2003 henning

tagging on binat


# 1.380 14-May-2003 henning

enabled tagging on rdr rules


# 1.379 14-May-2003 henning

with tag/tagged given, only whine about missing keep state on pass rules


# 1.378 14-May-2003 frantzen

allow SCRUB rules to specify protocol again. broken sometime in the past.
okie dhartmei@, yay pb@


# 1.377 14-May-2003 henning

tags on nat rules:
nat on $ext_if all tag humppa -> $ext_if
pass out tagged humppa keep state


# 1.376 13-May-2003 henning

make sure tagging is only ever used with stateful filter rules


# 1.375 13-May-2003 henning

userland part for tagging.
it's now possible to tag packets with an arbitrary tag and filter based on
that tag later on other interfaces:
pass in quick on fxp0 keep state tag blah
pass out quick on wi0 keep state with tag blah
can be used to express trust between interfaces, to distinguish between
NATed connections and connections originating from the firewall itself
and much more

ok dhartmei@ frantzen@ pb@ mcbride@


# 1.374 11-May-2003 mcbride

Don't ntohs() the translation port for nat as it is already in host byte order.
Makes nat ... -> $ext_if port 500 rules work correctly again.

ok henning@ dhartmei@ frantzen@


# 1.373 10-May-2003 henning

support loading of anchors from within the main ruleset via
load anchor anchorname:rulesetname file /path/to/file

ok pb@ dhartmei@ cedric@


# 1.372 03-May-2003 henning

don't free() the char * carrying the rule label too early
noticed by Mathieu Sauve-Frankel <m.sauve at secureops.net> via silc


# 1.371 01-May-2003 henning

ease label handling

ok cedric@


# 1.370 01-May-2003 henning

allow label on antispoof; requested by Gregor Binder <gbinder at sysfive.com>

ok cedric@


# 1.369 30-Apr-2003 cedric

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@


# 1.368 25-Apr-2003 dhartmei

Properly copy the second part of nat proxy port range, when specified.
ok henning@


# 1.367 15-Apr-2003 henning

pass down the unparsed queue opts (struct node_queue_opt) to
print_altq/print_hfsc -> print_hfsc_opts and extract struct node_hfsc_sc
there for each service curve and pass those down to print_hfsc_sc. now
bandwidth specifications in the service curves are printed correctly in the
case of a queue belonging to more than one interface/parent queue, the
parent queues having different bandwidths and the bandwidth on the service
curve being specified in percent.


# 1.366 14-Apr-2003 henning

let print_altq and print_queue take a struct node_queue_bw parameter instead
of distinct bw_percent


# 1.365 13-Apr-2003 henning

KNF


# 1.364 13-Apr-2003 henning

prevent double service curve specification


# 1.363 13-Apr-2003 henning

add support for the HFSC linkshare, realtime, and upperlimit service curves
to be specified.


# 1.362 13-Apr-2003 dhartmei

unbreak (missing })


# 1.361 13-Apr-2003 henning

say bye bye to hfscflags_list and hfscflags_item
welcome hfscopts_list and hfscopts_item, returning a full struct
node_hfsc_opt instead of just an int for the flags. needed because of all
the opts hfsc knows


# 1.360 13-Apr-2003 henning

new struct node_hfsc_opts for, surprise, hfsc options. needed because they
contain bandwidth specifications and we need to carry the unprocessed bw
specs around for quite some time until we can break them down to absolute
values.


# 1.359 13-Apr-2003 henning

pass down the struct node_queue_opts from the altqif/queuespec yacc targets
to expand_altq/expand_queue -> eval_pfaltq/eval_pfqueue and
further down to the new eval_queue_opts() instead of evaluating them directly
in the yacc grammar.
this will be needed to process the hfsc options which can contain relative
bandwidth specifications, and we can't break them down to an absolute one
earlier.


# 1.358 13-Apr-2003 henning

move the structs node_queue_bw and node_queue_opt to pfctl_parser.h.
let eval_pfqueue() and eval_pfaltq() take a pointer to a struct
node_queue_bw instead of two distinct bw_absolute and bw_percent parameters.


# 1.357 13-Apr-2003 henning

move the bandwidth keyword from within the bandwidth target up to the
queue_opts target so the bandwidth parser can be used for other things too;
will be needed for hfsc's linkshare etc


# 1.356 12-Apr-2003 henning

initial support for the HFSC scheduler.
whoever uses that for more than toying around is on drugs. it's far from done.


# 1.355 11-Apr-2003 henning

KNF


# 1.354 11-Apr-2003 henning

don't set r->qid and r->pqid in expand_rule any more, queue name -> queue ID
mapping is done in kernel land now


# 1.353 07-Apr-2003 dhartmei

Catch and refuse invalid icmp codes (> 255). ok pb@, mpech@.


# 1.352 05-Apr-2003 henning

ease netmask handling a bit

input theo, ok dhartmei@


# 1.351 05-Apr-2003 henning

allow queue specs to be limited to certain interfaces.

altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two }
queue one priority 1 priq(default)
queue two on $if0 priority 15
queue two on ! $if0 priority 0

ok dhartmei@


# 1.350 05-Apr-2003 henning

whitespace KNF


# 1.349 04-Apr-2003 henning

clean up:
instead of letting the lexer interpret '<' '>' '=' '>=' '<=' and return them
as PF_OP_LT, PF_OP_GT etc etc etc in PORTUNARY, just let the lexer return
'<' '>' and '=' literally, and in the few cases where the old PORTUNARY was
really used like originally intended, replace that by a new unaryop yacc
target. in all other cases that gets rid of quite some checks whether PORTUNARY
is really < and nothing else etc etc etc.

ok cedric@ deraadt@


# 1.348 27-Mar-2003 henning

lotsa const char *
from David Hill <david at phobia.ms> a while ago


# 1.347 27-Mar-2003 henning

introduce a "yesno" target. eases code a bit and yes is not a keyword any more.


# 1.346 27-Mar-2003 henning

handle invalid priq/cbq flags better and give a nice error message


# 1.345 27-Mar-2003 henning

default, borrow, ecn, red and rio are not keywords any more. use STRING and
strcmp instead.


# 1.344 27-Mar-2003 henning

switch symset/symget to TAILQ instead of using hand baked lists

ok dhartmei@ cedric@


Revision tags: OPENBSD_3_3_BASE
# 1.343 19-Mar-2003 henning

branches: 1.343.2;
kill the address token and move the host() invocation up to the host token,
so that host() always gets the full address to be parsed including the
netmask instead of applying the netmask afterwards. this could break some
edge cases and was broken since the (interface)/24 fix.
new token dynaddr for, well, dynaddr, and apply an eventually given netmask
afterwards in the host token just in this case.

found after bug report From: Julien Bordet <zejames@greyhats.org> via dhartmei

ok daniel cedric


# 1.342 10-Mar-2003 henning

correctly cope with errors returned by eval_pfqueue and pfctl_add_altq

ok dhartmei@ pb@ (as part of... you know, monsterdiff)


# 1.341 10-Mar-2003 henning

when complaining about a queue without parent, include the queue name in
the error message

ok dhartmei@ pb@ (as part of a monsterdiff)


# 1.340 09-Mar-2003 henning

cope with LOOP_THROUGH modifying the list (queues).
in case of an error in the queue def in question the queues list remains
unmodified, but the LOOP_THROUGH caused a mod anyway, and the list can stay
empty. subsequent checks for NULL which check for an empty list fail then.
fix by adding an explicit check before looping.
fixes regress pfail31
error report by Kamil Andrusz via pb@, testcase from pb@
ok dhartmei@


# 1.339 09-Mar-2003 henning

cope with the fact that LOOP_THROUGH loops once even if the list is empty by
moving the addition of child queues a bit down after the successful
addition of the current queue and an explicit NULL check before looping.
fixes regress pf59
found by kjc@
ok kjc@ cedric@ dhartmei@


# 1.338 08-Mar-2003 henning

fix the obvious:
since we do not modify the struct pf_altq *a any more but our private copy,
we can of course not inherit the scheduler type from it, since it did not
inherit the scheduler type from the parent.
so just inherit the scheduler type from the parent directly...

ok dhartmei@ cedric@


# 1.337 08-Mar-2003 henning

in expand_queue, make a private copy of the struct pf_altq before modifying
it. modifying the original one had undesired side effects if a queue was
expanded to more than one because it belonged to more than one interface

ok pb@ cedric@ dhartmei@


# 1.336 06-Mar-2003 henning

fix queue assignment on filter rules which are not bound to an interface.
when looking up the queue IDs using qname_to_qid, we do not need to limit
the matching on the interface in question, as it is guaranteed that same
named queues on different interfaces have the same queue id. moreover, we
must not limit the matches to the interface if we do not have an interface
given on the filter rule to match on ;-)

found after problems reported by Andre Nathan <andre at v2r dot com dot br>

ok dhartmei@ pb@ cedric@


# 1.335 02-Mar-2003 henning

when printing queues at load time that have bandwidth specified in percent,
print the bandwidth in percent instead of the calculated absolute value.
if a queue belongs to more than one interface and they have different
bandwidth the calculated absolute is of course different per interface.
previously the first calculated absolute value was shown; what of course is
incorrect on the second interface. note that only the print was wrong, the
correct values were passed to the kernel.

ok theo daniel


# 1.334 02-Mar-2003 henning

remove the control keyword for cbq queues.
the control class was a legacy of the original CBQ design by LBL/Sun
to support RSVP.
the control class is not used in openbsd, in the sense that
we don't automatically set filters for ICMP/IGMP/RSVP for the control
class.

ok dhartmei@ kjc@ deraadt@


# 1.333 27-Feb-2003 david

modify error message to match the same 7 sections in pf.conf(5)
ok deraadt@ henning@


# 1.332 26-Feb-2003 henning

in expand_rule, correctly set r->pqid if a priority queue was defined, and
reuse the value of r->qid if not.

ok dhartmei@ mcbride@


# 1.331 25-Feb-2003 henning

some minor KNF my fingers just did...

ok dhartmei@ cedric@


# 1.330 25-Feb-2003 cedric

repair/simplify/flexify binat userland.
ok dhartmei@ henning@


# 1.329 24-Feb-2003 henning

when a macro is redefined, don't bother with reusing the existing entry in
symset() but just prepend a new sym entry to symhead like we always did. as
symget searches the list sequentially, the newest one is picked first.
prevents an endless loop introduced when trying to reuse the existing entry
by an invalid setting for the next pointer.
fixes regress test pf57.

found after conversation with Chris Linn, celinn at mtu dot edu

ok dhartmei@ cedric@


# 1.328 21-Feb-2003 henning

re-allow set loginterface none
ok cedric@ dhartmei@


# 1.327 21-Feb-2003 henning

better error message if set loginterface is called with nonexistent
interface, found by krause (who is doing EXCELLENT work. Thank you very
much!), fix by me, ok dhartmei@ and cedric@


# 1.326 20-Feb-2003 henning

reject nonexistent interfaces in the dynaddr case, noticed during discussion
with jasondixon at myrealbox dot com

ok dhartmei@


# 1.325 19-Feb-2003 dhartmei

Make 'from (kue0)/24' work again (dynamic interface name translation with
a /prefix), reported by Jason Dixon. ok henning@


# 1.324 19-Feb-2003 henning

better error message on icmp version / address family mismatch

ok markus@


# 1.323 18-Feb-2003 henning

fix load option handling (-A, -N, -R) for options.
due to a bug in the loadopt check options were always loaded no matter which
loadopts were specified.
while being there, move the prints for that to where they belong, into the
appropriate pfctl_set_* functions, and thus only print when the options are
actually loaded.
fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier.

ok dhartmei@


# 1.322 17-Feb-2003 henning

"optarg" was a bad pick for the variable name in pfctl_cmdline_symset, it
shadows a global. rename.


# 1.321 17-Feb-2003 mpech

-#include <sys/ioctl.h>

mcbride@, dhartmei@ ok


# 1.320 16-Feb-2003 henning

unneeded {}


# 1.319 16-Feb-2003 henning

throw a syntax error if the portunary operator in varset is not '='
extif>"whatever"
should not be the same as
extif="whatever"
but a syntax error.


# 1.318 14-Feb-2003 dhartmei

Allow route-to loopback interfaces again, since Ryan fixed the loops that
might have occured before.


# 1.317 14-Feb-2003 cedric

Better and more consistent error message.
Ok dhartmei@


# 1.316 13-Feb-2003 henning

ease the yacc a bit by using a "not" rule instead of having two rules w/ and
without '!' everywhere

ok dhartmei@


# 1.315 12-Feb-2003 henning

KNF after ryan


# 1.314 12-Feb-2003 mcbride

Simplify the code and make the parser handle the different rule types
more consistently.

- Merge expand_nat and expand_rdr into expand_rule
- Merge rdrrule token into natrule

ok concept henning@
ok dhartmei@


# 1.313 11-Feb-2003 henning

allow macro definition on the command line:
pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea
theo), very handy if your notebook has another NIC at some conference, as
well as for debugging etc.
idea rezine@mistrusted.net via pb@
hacked live at FOSDEM

ok pb@ dhartmei@ cedric@
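The macro table behaviour this entry and 1.329 describe (a redefinition prepends a new entry so the sequential lookup finds the newest one first and never touches an existing node's next pointer; a macro given with -D wins over a later definition in the file), as an added example in C. This is not pfctl's code: symset/symget follow the names in the log, while the struct layout, the persist and used fields, dupn, cmdline_symset and sym_unused are illustrative choices made here.

```c
/*
 * Added example, not pfctl's code: a macro table where a redefinition
 * prepends (the newest definition is found first, no node is rewritten)
 * and a persistent, command-line definition is never replaced by one
 * from the file.  Field and helper names are illustrative.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct sym {
	struct sym	*next;
	char		*nam;
	char		*val;
	int		 persist;	/* from -D: a file definition cannot replace it */
	int		 used;		/* looked up at least once */
};

static struct sym *symhead;

/* length-limited strdup, so we do not depend on strndup being declared */
static char *dupn(const char *s, size_t n)
{
	char *d = malloc(n + 1);

	if (d != NULL) {
		memcpy(d, s, n);
		d[n] = '\0';
	}
	return (d);
}

/* 0: stored, 1: an existing persistent definition was kept, -1: no memory */
int symset(const char *nam, const char *val, int persist)
{
	struct sym *s;

	for (s = symhead; s != NULL; s = s->next)
		if (s->persist && !persist && strcmp(s->nam, nam) == 0)
			return (1);
	if ((s = calloc(1, sizeof(*s))) == NULL)
		return (-1);
	if ((s->nam = dupn(nam, strlen(nam))) == NULL ||
	    (s->val = dupn(val, strlen(val))) == NULL) {
		free(s->nam);
		free(s);
		return (-1);
	}
	s->persist = persist;
	s->next = symhead;	/* prepend: the newest definition is found first */
	symhead = s;
	return (0);
}

/* the first hit in the list is the most recent definition */
const char *symget(const char *nam)
{
	struct sym *s;

	for (s = symhead; s != NULL; s = s->next)
		if (strcmp(s->nam, nam) == 0) {
			s->used = 1;
			return (s->val);
		}
	return (NULL);
}

/* one -D argument of the form name=value; -1 if it is not of that form */
int cmdline_symset(const char *arg)
{
	const char *eq = strchr(arg, '=');
	char *nam;
	int ret;

	if (eq == NULL || eq == arg)
		return (-1);
	if ((nam = dupn(arg, (size_t)(eq - arg))) == NULL)
		return (-1);
	ret = symset(nam, eq + 1, 1);
	free(nam);
	return (ret);
}

/* definitions never looked up, including ones shadowed by a redefinition */
int sym_unused(void)
{
	struct sym *s;
	int n = 0;

	for (s = symhead; s != NULL; s = s->next)
		if (!s->used)
			n++;
	return (n);
}

int main(void)
{
	cmdline_symset("extif=wi0");	/* pfctl -Dextif=wi0 -f /etc/pf.conf */
	symset("extif", "fxp0", 0);	/* extif="fxp0" in the file: kept out */
	symset("int_if", "fxp1", 0);
	symset("int_if", "xl0", 0);	/* redefinition shadows fxp1 */
	printf("extif=%s int_if=%s unused=%d\n", symget("extif"),
	    symget("int_if"), sym_unused());
	return (0);
}
```

The persistent check runs before allocation on purpose: a file that redefines a command-line macro a thousand times must not grow the list. The shadowed fxp1 entry still counts as unused, which is the kind of definition a verbose unused-macro warning would point at.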


# 1.312 09-Feb-2003 henning

more live code from FOSDEM:
make
pass in proto tcp to port 80
work.
-allow to omit the "any" if you're specifying a port
-allow to omit the from or to part if you want "any" for the other

ok dhartmei@ pb@


# 1.311 09-Feb-2003 henning

KNF


# 1.310 09-Feb-2003 camield

Fix a few warnings and remove unnecessary check and cast.

ok dhartmei henning


# 1.309 08-Feb-2003 dhartmei

Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@
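An added example, not part of this log or of pf: the NAT host-counting technique that 'random-id' is meant to defeat, run over two constructed IP ID traces. count_id_sequences, MAX_GAP and the two trace generators are names and parameters chosen here for illustration; the IDs are generated, not captured.

```c
/*
 * Added example, not pf's code: the NAT host-counting technique from the
 * Bellovin paper the entry cites.  Hosts that take IP IDs from a per-host
 * counter emit slowly increasing ID sequences; behind a NAT those
 * sequences interleave, and counting them estimates the number of hosts.
 * With random IDs almost every packet starts a new "sequence" and the
 * estimate is useless.  Both traces below are constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_SEQ	64
#define MAX_GAP	16	/* an ID continues a sequence if it is this close above its last ID */

/*
 * Greedy pass: each ID joins the first sequence whose last ID it follows
 * within MAX_GAP (modulo 2^16), otherwise it starts a new one.  Returns
 * the number of sequences, i.e. the host estimate (capped at MAX_SEQ).
 */
int count_id_sequences(const uint16_t *ids, size_t n)
{
	uint16_t last[MAX_SEQ];
	size_t i;
	int j, nseq = 0;

	for (i = 0; i < n; i++) {
		for (j = 0; j < nseq; j++) {
			uint16_t gap = (uint16_t)(ids[i] - last[j]);	/* wraps at 65536 */

			if (gap >= 1 && gap <= MAX_GAP) {
				last[j] = ids[i];
				break;
			}
		}
		if (j == nseq && nseq < MAX_SEQ)
			last[nseq++] = ids[i];
	}
	return (nseq);
}

/* constructed trace: up to 5 hosts with counters, interleaved round robin */
size_t make_counter_trace(int hosts, size_t rounds, uint16_t *out)
{
	size_t i, n = 0;
	int h;

	for (i = 0; i < rounds; i++)
		for (h = 0; h < hosts; h++)
			out[n++] = (uint16_t)(1000 + 15000 * h + i);
	return (n);
}

/* constructed trace of random-looking IDs from a fixed-seed LCG (a stand-in, not a CSPRNG) */
size_t make_random_trace(size_t n, uint16_t *out)
{
	uint32_t x = 12345;
	size_t i;

	for (i = 0; i < n; i++) {
		x = x * 1103515245u + 12345u;
		out[i] = (uint16_t)((x >> 8) & 0xffff);
	}
	return (n);
}

int main(void)
{
	uint16_t ids[64];
	size_t n;

	n = make_counter_trace(3, 10, ids);
	printf("counter IDs: %zu packets, %d sequences (hosts)\n", n,
	    count_id_sequences(ids, n));
	n = make_random_trace(30, ids);
	printf("random IDs:  %zu packets, %d sequences\n", n,
	    count_id_sequences(ids, n));
	return (0);
}
```

The first-fit rule merges two hosts whose counters happen to sit within MAX_GAP of each other, and a real implementation also has to handle hosts that emit the ID in the other byte order and packets arriving out of order; this version ignores both. Note that the scrub option only rewrites IDs of outgoing packets that are not fragmented after reassembly, as the entry says, so fragment trains still carry the original ID.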


# 1.308 05-Feb-2003 cedric

Fix "pass out dup-to (tun0 1.1.1.1) inet6 all" error message
Allow "pass out dup-to tun0 all"
ok mcbride@ henning@


# 1.307 05-Feb-2003 mcbride

Set the network mask to all 1's if no address is specified for a
route-to/dup-to/reply-to rule. Keeps round-robin from incrementing through
the entire address space.

ok dhartmei@


# 1.306 03-Feb-2003 deraadt

pretty


# 1.305 03-Feb-2003 dhartmei

Don't allow loopback interfaces as route/reply/dup-to targets. ok henning@


# 1.304 03-Feb-2003 cedric

remove loadopt global definition and cleanup a bit.
ok henning@


# 1.303 03-Feb-2003 henning

fix a problem with queue definitions when load options (like -N etc) are
given; they used to check for their parent interface/queue even in this
case.

ok dhartmei@ cedric@


# 1.302 02-Feb-2003 henning

there is no need to pass opts to parse_rules explicitely; it's passed as
part of the struct pfctl.


# 1.301 27-Jan-2003 deraadt

KNF


# 1.300 25-Jan-2003 mcbride

Match changes for rdr port ranges made to pf.c:
- fixes behaviour of rdr on le0 from foo to bar port 1:20 -> (lo0) port 22
- makes calculated mapping more explicit for the -> (lo0) port 22:* case

testing from dhartmei@

ok dhartmei@


# 1.299 25-Jan-2003 cedric

Fix NOACTION with table statements.


# 1.298 25-Jan-2003 cedric

Permit initialisation of a table content from a file in pf.conf.
Cleaning up of the table options parsing, more flexible.
idea+cleanup deraadt@, ok dhartmei@, pass all regress tests.


# 1.297 25-Jan-2003 cedric

Correctly check illegal constructs with tables. Better error messages.
ok dhartmei@ pass all regress tests.


# 1.296 25-Jan-2003 henning

if a table name is too long, it's actually nice to tell so instead of just
aborting with a syntax error


# 1.295 20-Jan-2003 camield

Remove unused argument from print_name() and fix two other nits
found by lint.

ok henning


# 1.294 19-Jan-2003 camield

Spin off label string expansion into a separate function. Clarifies
and tightens all expand_label functions.

ok dhartmei henning


# 1.293 18-Jan-2003 henning

KNF after ryan...


# 1.292 18-Jan-2003 mcbride

Add missing token string and assignment to make static-port work for real.

Diff and report courtesy of mpech@ and form@

ok dhartmei@


# 1.291 17-Jan-2003 camield

bandwith -> bandwidth

YYERROR on failed parseicmpspec()

ok dhartmei mcbride henning


# 1.290 15-Jan-2003 mpech

Typo in yyerror().

henning@


# 1.289 14-Jan-2003 henning

unified IP parser:
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h]
-extend host() to handle /mask itself, plus minor adjustments
-use that in pfctl_table.c instead of coding the same shit again

discussed w/ cedric@
ok cedric@ dhartmei@


# 1.288 13-Jan-2003 camield

err() on all memory allocation failures

ok henning dhartmei


# 1.287 11-Jan-2003 mcbride

Whitespace KNF


# 1.286 09-Jan-2003 henning

no need for explicit numbering in enums

ok dhartmei@


# 1.285 09-Jan-2003 dhartmei

Check return values on the remaining strlcpy/strlcat. ok henning@


# 1.284 09-Jan-2003 henning

minor KNF


# 1.283 09-Jan-2003 cedric

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@


# 1.282 08-Jan-2003 deraadt

check more strlcpy; camield@


# 1.281 07-Jan-2003 dhartmei

Allow underscore at the beginning of strings, fixes
pass all user _spamd
which was refused as syntax error before. Reported by Joe Nall.
ok henning@


# 1.280 07-Jan-2003 dhartmei

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@


# 1.279 06-Jan-2003 mcbride

Fix some oversights with address pools for route-to/dup-to/reply-to
- copy key for src-hash
- copy pool type (pools were being set to round-robin in all cases)

+ some minor knf.

ok dhartmei@


# 1.278 05-Jan-2003 henning

err after calloc failure, not errx


# 1.277 05-Jan-2003 dhartmei

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@


# 1.276 04-Jan-2003 dhartmei

move noroute from flag in pf_rule_addr into type in pf_addr_wrap.
ok henning@, mcbride@


# 1.275 04-Jan-2003 deraadt

I do not know where this policy of "one .h file for every .c file" comes
from, but whoever thought of it is stupid.


# 1.274 03-Jan-2003 dhartmei

whitespace KNF (no, i don't touch the option inits)


# 1.273 03-Jan-2003 cedric

Bring in userland code for accessing PF radix tables.
ok dhartmei@ mcbride@


# 1.272 02-Jan-2003 mcbride

Require a direction to be specified for rules which do routing.

ok dhartmei@ henning@


# 1.271 30-Dec-2002 mcbride

Change ipv6-icmp-type to icmp6-type. pf.conf files will need to be adjusted
to reflect this.

ok dhartmei@ henning@


# 1.270 27-Dec-2002 mcbride

Since pf_norm.c looks at rule.log to see if it should log packets being
dropped due to scrub violations, this adds the ability to set this in
pf.conf.

ok henning@


# 1.269 21-Dec-2002 henning

always initialize rpool.key; diff from Frank Denis; KNF by me


# 1.268 21-Dec-2002 henning

KNF


# 1.267 20-Dec-2002 dhartmei

remove a redundant assignment.


# 1.266 19-Dec-2002 dhartmei

fix 'no rdr'.


# 1.265 18-Dec-2002 henning

more KNF


# 1.264 18-Dec-2002 dhartmei

proto list expansion is not supported in binat-anchor yet, print an error
when attempted.


# 1.263 18-Dec-2002 dhartmei

Support (single) destination port in rdr-anchor rules. Print an error
where parameters are not supported (in rdr-anchor and binat-anchor) yet.
If those are needed, we'll have to expand them properly.


# 1.262 18-Dec-2002 deraadt

fix some INCREDIBLE new bugs which were introduced


# 1.261 17-Dec-2002 henning

add support for the PRIQ scheduler

partially from kjc@

ok kjc@ dhartmei@


# 1.260 17-Dec-2002 mcbride

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule

ok dhartmei@ henning@


# 1.259 17-Dec-2002 henning

missing break in switch


# 1.258 17-Dec-2002 henning

beautify the %type block


# 1.257 17-Dec-2002 henning

PRIQ and HFSC support functions, not yet used.
mostly from kjc@ with adjustments by me.

ok theo ryan daniel


# 1.256 16-Dec-2002 henning

only create a root queue if scheduler = cbq


# 1.255 16-Dec-2002 henning

get full [scheduler]_opts struct instead of just .flags, and wrap in into a
switch (scheduler) statement in one case

inspired by kjc@


# 1.254 13-Dec-2002 henning

allow a second queue for higher prioritized (currently: tos=lowdelay) packets
to be specified per rule

queue (qname, priorized_qname)

idea dhartmei
ok dhartmei@ frantzen@ deraadt@


# 1.253 13-Dec-2002 henning

a bit KNF originally part of another diff soon to come; frantzen@ correctly
pointed out that it should be a separate commit.


# 1.252 13-Dec-2002 deraadt

permit re-ordering of some scrub parameters, and also clean up some other
grammar baloney; henning ok


# 1.251 12-Dec-2002 henning

KNF


# 1.250 12-Dec-2002 henning

we don't need to keep a private copy of the queue name in expand_rule,
r->qname is never modified

discussed with dhartmei@


# 1.249 11-Dec-2002 mcbride

Replace strncpy + ugly pointer math with sscanf for reading source-hash keys

ok dhartmei@ henning@


# 1.248 09-Dec-2002 dhartmei

(properly guarded) strcpy() -> strlcpy()


# 1.247 09-Dec-2002 deraadt

do not allow redefinitions in variable option blocks; henning ok


# 1.246 08-Dec-2002 henning

strncpy is evil.


# 1.245 08-Dec-2002 henning

allow flexible options order like Theo did for rules.

idea, lots of input, motivation and ok deraadt@

ATTENTION:
this changes the syntax. the "scheduler" keyword is gone now.
old: altq on $interface scheduler cbq ...
new: altq on $interface cbq ...


# 1.244 07-Dec-2002 dhartmei

Support parameters in anchor rules. Allows conditional evaluation, like:

anchor spews inet proto tcp from any to any port smtp

ok deraadt


# 1.243 07-Dec-2002 henning

more KNF


# 1.242 07-Dec-2002 henning

KNF


# 1.241 07-Dec-2002 henning

shadow cleanup

ok mcbride@ frantzen@


# 1.240 07-Dec-2002 henning

kill an unused param to lungetc


# 1.239 07-Dec-2002 mcbride

Convert the hash of a string key to network byte order. Makes regression
work on all platforms.

Bug found by dhartmei@

ok dhartmei@ henning@


# 1.238 06-Dec-2002 dhartmei

Remove negated address list check again, doesn't work right yet.


# 1.237 06-Dec-2002 dhartmei

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@


# 1.236 05-Dec-2002 henning

fix a small cosmetic problem. if ifa_lookup was called in LOOKUP_NET mode,
it would return things like 127.0.0.1/8. when 127.0.0.1/8 is passed through
the new selftests, it becomes 127.0.0.0/8.
fix: instead of just copying addr.mask in ifa_lookup, use set_ipmask, so it
is 127.0.0.0/8 from the beginning on.


# 1.235 05-Dec-2002 henning

-quote varset in -v output
-don't add 's' in set timeout -v output

makes the feedback regression tests succeed.

ok markus@ mcbride@


# 1.234 04-Dec-2002 henning

in host(), apply a given netmask to all members of the node_host list
returned by ifa_lookup().

reported by Alejandro G. Belluscio

ok dhartmei@


# 1.233 04-Dec-2002 deraadt

do not warn for unused variables except with -v -v; henning ok


# 1.232 02-Dec-2002 henning

KNF


# 1.231 02-Dec-2002 deraadt

permit more flexible pass/block lines. the options given at the end of
a line can now be placed in any order, and some merging of duplicate options
is also done. this is easier to use.


# 1.230 02-Dec-2002 henning

allow for "altq on $interface" without specifying a bandwidth. The
interface's bandwidth is taken then.
as a side-effect, "altq on $interface bandwidth xx%" is also possible now,
it's relative to the interface's bandwidth then.

ok theo


# 1.229 30-Nov-2002 mickey

move damn unmask() proto into place as well


# 1.228 29-Nov-2002 henning

coredumps are not nice.
deal with the fact that when we are merging the lists in host_list both can
be NULL.
found at EuroBSDCon 2002 while I was explaining the expansion process to
Paul de Weerd

ok dhartmei@


# 1.227 29-Nov-2002 henning

print queuespec only once in verbose mode, even if referenced more often


# 1.226 29-Nov-2002 henning

FREE_LIST nqueues later; can be used more than once


# 1.225 28-Nov-2002 henning

allow qlimit on altq spec


# 1.224 28-Nov-2002 mcbride

- Adjust to match replacement of md5 with pf_hash
- Allow keys to be specified in hex (must be 128 bits, mainly to make
pfctl -v output parseable by pfctl) or as a string. Randomly generate key
if one is not specified.

Suggestions and fixes from camield@

ok mickey@ camield@ henning@


# 1.223 27-Nov-2002 henning

handle the "no bandwidth specified" case earlier and easier.


# 1.222 27-Nov-2002 henning

-use a #define for default qlimit instead of hardcoding it
-print qlimit in print_queue if it is not the default one
-assign the default qlimit early in the parser instead of using 0


# 1.221 27-Nov-2002 henning

next round in print fixes:
-only print priority if it is not equal to the default one
-space handling overhaul


# 1.220 27-Nov-2002 henning

use a #define for default priority instead of hardcoding it


# 1.219 27-Nov-2002 henning

fix tbrsize spec


# 1.218 27-Nov-2002 henning

fix error message for altq ifspec without child queues


# 1.217 26-Nov-2002 henning

make bandwidth specification on queue truly optional


# 1.216 26-Nov-2002 henning

queue comes before NAT


# 1.215 25-Nov-2002 henning

repair decide_address_family
you cannot just take the first address family you meet as rule's address
family... either all are equal, or the rule has no explicit AF.

found by danh@
ok theo


# 1.214 25-Nov-2002 mickey

for loN and link1 translate the iface into address properly; henning@ ok


# 1.213 25-Nov-2002 henning

1Kb = 1000b, not 1024; as discussed with kjc@ and theo


# 1.212 25-Nov-2002 henning

KNF


# 1.211 24-Nov-2002 pb

enforce that queue comes right before filtering
'options, normalization, translation, queue, filter' now

henning@ ok


# 1.210 24-Nov-2002 dhartmei

Cosmetics and removal of a redundant code block.


# 1.209 23-Nov-2002 deraadt

sigh


# 1.208 23-Nov-2002 henning

KNF


# 1.207 23-Nov-2002 henning

better error checking in expand_queue


# 1.206 23-Nov-2002 henning

easier


# 1.205 23-Nov-2002 mcbride

Daniel's diff to untangle my mess with ifa_pick_ips like so:

- add decide_address_family() which runs through the list to find hosts
with the af set
- replace ifa_pick_ips with remove_invalid_hosts() which removes hosts with
the wrong address family from the list

from/ok dhartmei@


# 1.204 23-Nov-2002 henning

better error checking, round 1
this time in expand_altq


# 1.203 23-Nov-2002 henning

KNF


# 1.202 23-Nov-2002 deraadt

KNF


# 1.201 23-Nov-2002 dhartmei

$$->ifname is NULL, leave it NULL, don't $$->ifname[0] = 0;


# 1.200 23-Nov-2002 mcbride

Fix brokenness in parse.y, clean up:
- remove requirement for ( ) in route-to ( if )
- calloc route_host
- initialise route_host->next
- globally convert malloc to calloc

ok dhartmei@


# 1.199 23-Nov-2002 mcbride

code to support loading of pf rules with multiple redirection addresses
(in nat, rdr, route-to, dup-to and reply-to)

Syntax looks like this, see pf.conf(5) for details:

nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
192.168.0.16/29 source-hash random

rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
{ 192.168.0.8/31, 192.168.0.15 } port 22 round-robin

ok dhartmei@ henning@


# 1.198 22-Nov-2002 henning

print altq and queue lines in the pfctl -v case including the child queue
assignment


# 1.197 19-Nov-2002 henning

only take cbq opts from schedtype if type=CBQ


# 1.196 19-Nov-2002 henning

repair queuespec syntax glitch, theo agrees


# 1.195 19-Nov-2002 henning

default priority is 1, not 0
found by pb@


# 1.194 19-Nov-2002 camield

- match 'Gb' case-sensitively
- match "%" unit only, not "%crap"

ok henning@


# 1.193 19-Nov-2002 wilfried

icmp-type was off by one, ok henning@


# 1.192 18-Nov-2002 deraadt

no; do not use };


# 1.191 18-Nov-2002 henning

more using strl* return values instead of strlen calls


# 1.190 18-Nov-2002 henning

easier "queue name too long" detection; from theo


# 1.189 18-Nov-2002 deraadt

KNF


# 1.188 18-Nov-2002 deraadt

KNF


# 1.187 18-Nov-2002 henning

altq and pf merged

this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documentation yet, but committing now
enables a few more people to work on it.

print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.

"commit now" theo philipp daniel


# 1.186 13-Nov-2002 henning

as scrub rules end up in a struct pf_rule just call expand_rule instead of
handcrufting this.
has quite a few positive side effects:
-interface list expansion works (fries@ asked for that)
-can specify address family, very helpful with dynamic interface expansion
(pointed out by daniel)
-src/dst ip/port list expansion works
-fixes a long standing, scary, though never noticed bug:
scrub out on lo1 from any to 10.0.0.1
expanded to
scrub out on lo1 all
... this bug was there from day #1.

"sneaky diff of the month award" dhartmei@


# 1.185 13-Nov-2002 dhartmei

Add label macro $if, as we support {} list expansion for interfaces now.
From David Gwynne. ok henning@, camield@


# 1.184 13-Nov-2002 dhartmei

Initialize tail pointer to node, found by fries@


# 1.183 08-Nov-2002 henning

init buf to NULL just in case...
there isn't a single codepath where it can remain uninitialized, but this
might prevent a stupid bug if we change something later


# 1.182 07-Nov-2002 henning

move the ifa_exists block a bit up in host()
inspired by mpech@ pointing out a missing free(buf). so handle the
it-is-an-interface case where we don't need the buf before allocating memory.


# 1.181 04-Nov-2002 henning

welcome to CIDR world, pfctl!

use inet_net_pton to parse IP addresses.
stuff like
block in from 10/8 to any
works now.

some input camield@ and dhartmei@

ok dhartmei@, camield@, mcbride@


# 1.180 02-Nov-2002 dhartmei

%i -> %d, matches the style of existing code, from millert@


# 1.179 02-Nov-2002 dhartmei

printf int with %i, not %u. from pilot@monkey.org.


# 1.178 30-Oct-2002 henning

simplify


# 1.177 30-Oct-2002 henning

fix interface expansion. since the reversed list expansion code was
committed this was broken, only the first IP address was returned.

pointed out by danh@, who sent an excellent bug report.

ok dhartmei@


# 1.176 29-Oct-2002 henning

introduce
set require-order [yes|no]
default is yes.
with set to "no", it isn't required to have the rules in order (options,
scrub, nat, filter) any more, though of course NATing still happens before
filtering and so on, so one has to take care.

ok camield@ mcbride@ dhartmei@
idea discussed with a whole lotta more people and basically ok for everyone ;-)


# 1.175 27-Oct-2002 henning

remove the "flags X" syntax.
noone who wrote "flags S" meant that, but actually something like "flags
S/SA". with "flags S" changing its actual meaning as more flags got
supported, things got worse.

ok dhartmei@, pb@


# 1.174 22-Oct-2002 mpech

%ul -> %lu

dhartmei@ ok


# 1.173 22-Oct-2002 mcbride

More conversion of "int af" and "u_int8_t af" declarations and function
arguments to the more correct and descriptive "sa_family_t af"

ok dhartmei@ henning@


# 1.172 22-Oct-2002 camield

Rename ipmask to set_ipmask and add some functionality: the netmask
is applied immediately to the address.

This way, the parsed rules output shows exactly which bits of an
address are significant for a match and errors due to wrong netmasks
can be spotted more easily.

Example:
$ pfctl -nvf -
pass in on lo0 from 172.17.0.0/12 to any
@0 pass in on lo0 inet from 172.16.0.0/12 to any

idea refined by dhartmei@
ok frantzen@ henning@


# 1.171 17-Oct-2002 mcbride

These checks are also made in nat_consistent() and rdr_consistent().

ok dhartmei@ henning@


# 1.170 17-Oct-2002 camield

- accept all protocols that are specified by number if they are in
the valid range (also when they're not listed in /etc/protocols)
- explicitly disallow protocol number 0, because it has special meaning
to pf

ok dhartmei@ henning@


# 1.169 16-Oct-2002 mpech

Fix and improve binat mask comparison.

dhartmei@, henning@ ok


# 1.168 14-Oct-2002 henning

Allow one to specify a netblock in a binat rule:

binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27

Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.

from ryan

ok dhartmei@
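Added example, not pfctl's own code: a stand-alone C sketch of the two address
rules described in 1.172 and 1.168 above. set_ipmask() clears the host bits the
moment the prefix is known, so 172.17.0.0/12 is stored and printed as
172.16.0.0/12 and a wrong mask becomes visible in pfctl -nv output; binat_translate()
builds the translated address from the redirect block's network bits and the
original host's host bits, and refuses the rule when the two prefix lengths
differ. IPv4 only, addresses handled as host-order uint32_t; the function and
sample values are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

/* Host-order IPv4 mask for a prefix length 0..32. */
static uint32_t
prefix_mask(int prefix)
{
	if (prefix <= 0)
		return 0;
	if (prefix >= 32)
		return 0xffffffffu;
	return 0xffffffffu << (32 - prefix);
}

/* Parse "a.b.c.d[/n]" into a host-order address and prefix (32 if absent).
 * Returns 0 on success, -1 on a malformed address or prefix. */
static int
parse_cidr(const char *s, uint32_t *addr, int *prefix)
{
	char buf[32];
	char *slash;
	struct in_addr in;

	if (strlen(s) >= sizeof(buf))
		return -1;
	strcpy(buf, s);
	*prefix = 32;
	if ((slash = strchr(buf, '/')) != NULL) {
		*slash = '\0';
		*prefix = atoi(slash + 1);
		if (*prefix < 0 || *prefix > 32)
			return -1;
	}
	if (inet_pton(AF_INET, buf, &in) != 1)
		return -1;
	*addr = ntohl(in.s_addr);
	return 0;
}

/* set_ipmask(): clear the host bits as soon as the mask is known, so the
 * rule stores (and pfctl -nv prints) exactly the bits that are matched.
 * 172.17.0.0/12 becomes 172.16.0.0/12, which makes a wrong mask obvious. */
static uint32_t
set_ipmask(uint32_t addr, int prefix)
{
	return addr & prefix_mask(prefix);
}

/* binat netblock translation: "binat on fxp0 from SRC to any -> RDR" with
 * equal prefix lengths. The result keeps RDR's network bits and HOST's
 * host bits. Returns the translated address in host order, or 0 on error
 * (unequal prefixes, bad input, or HOST outside SRC). */
static uint32_t
binat_translate(const char *src, const char *rdr, const char *host)
{
	uint32_t s, r, h, mask;
	int sp, rp, hp;

	if (parse_cidr(src, &s, &sp) == -1 || parse_cidr(rdr, &r, &rp) == -1 ||
	    parse_cidr(host, &h, &hp) == -1)
		return 0;
	if (sp != rp)			/* both masks MUST be the same */
		return 0;
	mask = prefix_mask(sp);
	if ((h & mask) != (s & mask))	/* host not inside the source block */
		return 0;
	return (r & mask) | (h & ~mask);
}

static const char *
ipv4_str(uint32_t a, char *buf, size_t len)
{
	struct in_addr in;

	in.s_addr = htonl(a);
	return inet_ntop(AF_INET, &in, buf, len);
}

int
main(void)
{
	char buf[INET_ADDRSTRLEN];
	uint32_t a;
	int p;

	/* constructed inputs, matching the two commit messages above */
	if (parse_cidr("172.17.0.0/12", &a, &p) == 0)
		printf("%s/%d\n", ipv4_str(set_ipmask(a, p), buf, sizeof(buf)), p);
	printf("%s\n", ipv4_str(binat_translate("192.168.0.32/27",
	    "10.0.7.128/27", "192.168.0.40"), buf, sizeof(buf)));
	return 0;
}
```

Running it prints 172.16.0.0/12 and 10.0.7.136: the host part of 192.168.0.40
(.40 - .32 = 8) is carried over onto the 10.0.7.128/27 block.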


# 1.167 11-Oct-2002 camield

When a macro cannot be expanded because it is not defined, say so. Also warn
about unused macros.

ok dhartmei@ henning@


# 1.166 11-Oct-2002 camield

In lgetc(), compress strings of whitespace to a single space. This makes
macros come out right in verbose mode and is less functional overhead.

Also err on whitespace after a backslash. That type of error is hard to
find otherwise.

ok dhartmei@ henning@


# 1.165 08-Oct-2002 vincent

remove <0 checks on unsigned numbers.

ok henning@


# 1.164 07-Oct-2002 dhartmei

-Wsign-compare clean


# 1.163 07-Oct-2002 dhartmei

Two cases of const-correctness and make one global local.


# 1.162 07-Oct-2002 henning

set block-policy [drop|return]
drop is default, same behaviour as before

support
block drop
to override a return policy


# 1.161 07-Oct-2002 henning

support a generic return
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else

ok dhartmei@


# 1.160 07-Oct-2002 henning

make return-icmp work for rules covering both v4 and v6
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)

ok and some input dhartmei@


# 1.159 07-Oct-2002 henning

use a new rule_flag PFRULE_RETURNICMP to decide whether to return-icmp or not
instead of just testing return_icmp > 0

ok dhartmei@


# 1.158 07-Oct-2002 dhartmei

Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.


# 1.157 06-Oct-2002 dhartmei

Move CHECK_ROOT into LOOP_THROUGH, gets rid of one macro and saves
several lines, no functional difference. From Camiel Dobbelaar.


# 1.156 05-Oct-2002 dhartmei

Expand {} lists from left to right, so 'pass in from { a, b } to any'
becomes '@0 pass in from a to any @1 pass in from b to any' instead of
the other way around. Patch from Camiel Dobbelaar.


# 1.155 05-Oct-2002 dhartmei

Allow filtering based on IP header's tos field.


Revision tags: OPENBSD_3_2_BASE
# 1.154 22-Sep-2002 henning

little KNF: return(something) -> return (something)


# 1.153 22-Sep-2002 henning

fix linenumber counting in findeol, and simplify by ignoring the \ case,
that's already handled earlier.
fast-forward on erroneous lines

partially from camield@, parts result of a discussion with Mike

ok frantzen@ dhartmei@


# 1.152 22-Sep-2002 henning

antispoof, take 2.
also block incoming packets with our own IP as src.

discussion & help frantzen

ok ho@ dhartmei@ frantzen@


# 1.151 17-Sep-2002 henning

easier "self" implementation.
no functional changes

ok pb@


# 1.150 15-Sep-2002 henning

set a netmask in the dynaddr case
noticed by <han@mijncomputer.nl>

ok pb@


# 1.149 14-Sep-2002 henning

bit more clue in rdr/nat rules wrt address family examination
don't take the af from host_node structs based on interface lookups, most
interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will
at least have one IP address specified from which we take the af for the
whole rule. The rare exceptional cases require the user to specify the af.

ok frantzen@


# 1.148 12-Sep-2002 henning

check for calloc() failure; ho@


# 1.147 12-Sep-2002 henning

antispoof [log] [quick] for [interface|interface_list] [af]

e.g.

antispoof log quick for { dc0, dc1 } inet

docs & regress coming

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@
IPv6 help itojun@

finally, a long story finds its happy end here.


# 1.146 12-Sep-2002 henning

rework netmask handling:
-don't set netmask in host token handler
-clear netmask in ipmask() proper before setting it
-in ifa_load(), also store interface's netmask and broadcast address
-allow ifa_lookup() to return either the interface's IP address(es), network(s)
or broadcast address(es) - not used anywhere yet. This implies that
ifa_lookup() also returns the netmask now.
-host() returns netmasks, too

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@


# 1.145 08-Sep-2002 henning

be more clueful wrt address family in nat/rdr rules.
behaviour noticed by Paul de Weerd, thanks!

ok dhartmei@


# 1.144 02-Sep-2002 dhartmei

Fix parsing of port ranges in translation rules (port a:b -> port c:d).
ok henning@


# 1.143 02-Sep-2002 dhartmei

Make sure the interface specified with route-to/dup-to/fastroute exists
and null-terminate the interface name. Found by Michael Wallis.
ok henning@


# 1.142 20-Aug-2002 dhartmei

Increase lineno on newlines inside multi-line macro definitions, otherwise
errors on subsequent lines are reported with wrong line numbers.
From Paul B. Henson.


# 1.141 16-Aug-2002 henning

kill duplicated check for '(' and ')' in allowed_in_string


# 1.140 12-Aug-2002 dhartmei

Catch null pointer deref (segfault), from wilfried@


# 1.139 06-Aug-2002 henning

missing free(), mpech@
ok pb@


# 1.138 06-Aug-2002 henning

check for strdup() allocation errors

pointed out by mpech@
ok pb@


# 1.137 31-Jul-2002 henning

KNF, esp. missing prototypes


# 1.136 30-Jul-2002 henning

grmpf.
in some cases, on non-tcp rules flags weren't reset. cosmetic only
problem. but, well, checking for r->flags and r->flagset if we could have
assigned them zero just one round ago is just stupid, and it's not needed to
check them at all.

ok pb@, dhartmei@


# 1.135 30-Jul-2002 henning

allow to specify flags on all rules that include tcp.

these are valid:

pass in from any to any flags S
pass in proto { tcp, udp, icmp } from any to any flags S
pass in proto tcp from any to any flags S

these are invalid:

pass in proto { udp, icmp } from any to any flags S
pass in proto udp from any to any flags S

ok "I've lost my slacker status for at least a week" frantzen@
ok pb@, dhartmei@, deraadt@


# 1.134 26-Jul-2002 henning

make the order of log and quick irrelevant. now both
block in log quick all
and
block in quick log all
work.

ok dhartmei@, deraadt@


# 1.133 23-Jul-2002 henning

timeout_list/_spec and limit_list/_spec don't return anything -> no %type.

ok theo


# 1.132 21-Jul-2002 deraadt

fix route-to also


# 1.131 21-Jul-2002 deraadt

make the , optional in many places. This makes string concat a lot more
useful. Now you can
in = ssh domain www
out = $in ftp finger
pass in proto tcp from any to any port { $in }
pass out proto tcp from any to any port { $out }
a poor example, but the idea is obvious


# 1.130 21-Jul-2002 deraadt

string concat, ie.
a=a b
c=$a $a


# 1.129 20-Jul-2002 deraadt

minor indent tweaks


# 1.128 20-Jul-2002 deraadt

properly split yacc and lex use


# 1.127 19-Jul-2002 deraadt

minor tweaks, sigh


# 1.126 19-Jul-2002 dhartmei

And back out the last change again.


# 1.125 19-Jul-2002 henning

rework the interface lookup routines internals.
less and easier code than before.
no functional changes.

ok frantzen@, dhartmei@


# 1.124 19-Jul-2002 dhartmei

Support # comments at the end of lines and inside (multi-line) string
literals, so you can do things like

macro="{ foo, # first entry
bar, # second entry
baz }" # last entry

or

pass in on $ext_if \ # external interface
proto tcp \ # TCP connections
from any to $ext_if \ # to the gateway itself
keep state

And sneaking in two minor fixes for KNF.


# 1.123 19-Jul-2002 henning

deal with the fact that the struct node_host ifa_pick_ip gets is not always
the result of an interface expansion. in this case ifa_pick_ip does an
address family check (that's actually a (wanted) side effect). Thus, we need
to spit out a meaningful error message in case of a mismatch.
also adjust all the other error messages, they were also assuming that nh is
the result of an interface expansion.
after a looooong discussion on icb (dhartmei@, pb@, me) we agreed on the term
"translation address" for that.

okay dhartmei@


# 1.122 17-Jul-2002 henning

support "self" as address. self expands to all IPv4 and IPv6 addresses of
the machine, on all interfaces. I wanted
block in log on ! lo0 from any to self
for years, and now it's possible.

ok "I may lose my slacking status if I OK it" frantzen@
ok dhartmei@

documentation in pf.conf.5 to come with pb@'s rewrite


# 1.121 16-Jul-2002 dhartmei

Add nat_consistent() and rdr_consistent() for checks that should occur
after rule expansion, similar to rule_consistent(). Fixes the
non-effective test for rdr rules for non-TCP/UDP protocols with ports,
found by mpech@, ok frantzen@


# 1.120 15-Jul-2002 henning

add support for
pass|block on ! $interface ...

ok dhartmei@

will be documented in pf.conf(5) by "I'm not slacking!" pb@ who's currently
reworking this manpage


# 1.119 15-Jul-2002 pb

cosmetics/consolidations to manpage in yyerror()s

ok henning@, dhartmei@


# 1.118 15-Jul-2002 henning

o complain about keep state on block rules
o complain about return-rst on rules which aren't limited to tcp

pointed out by not-slacking-but-testing pb@

ok pb@, dhartmei@


# 1.117 13-Jul-2002 henning

add list expansion for interface and proto in nat rules and for proto in rdr
rules (interface was already there). since the nat.conf/pf.conf merge the
parser accepted these but didn't expand them. ugh.

ok dhartmei@


# 1.116 09-Jul-2002 itojun

check sin6_scope_id field, just in case we change the routing socket API
for scoped address (unlikely due to the deployed codebase...).


# 1.115 09-Jul-2002 itojun

getifaddrs(3) grabs link-local addrs in kernel internal form, convert them
into proper sockaddr_in6.


# 1.114 09-Jul-2002 henning

rework the interface-to-IP routines.

you can use interface names instead of an IP in most places. However, until
now, it was only expanded to the interface's first IPv4 address if existent
(and address family unset or inet) and the first IPv6 address otherwise.

this diff changes that. the interface is properly expanded to all IPs, IPv4
_and_ IPv6, now.

it also cleans up the lookup procedures (well, in fact, they are replaced by
a new one), there's no need for different procedures for IPv4 and IPv6. we
now just have one list of interfaces (AF_LINK) and one list with IPs
(AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and
ifa_lookup.

nat, rdr & friends now use the new function ifa_pick_ip to get the IP in
rules like

nat on $interface from $whatever to any -> $interface

ifa_pick_ip tries to be smart.
if the interface has only one IP address and the nat rule doesn't specify an
address family (or it matches with this address), take this one.
If the address family is specified in the nat rule and there is only one IP
for the given address family, this one is used. if the address family is not
specified and there is more than one IP pfctl throws an error. The same
applies for multiple IPs per address family.

This causes regression tests 18 and 20 to fail because the address family
isn't specified there; diff for those coming.

also fix some prototypes while I'm here.

pb@ found another problem while testing that we must have introduced somewhat
after 3.1.

$cat t
nat on ne3 from any to any -> 213.128.133.5
$pfctl -nvf t
nat on ne3 all -> ?

it's only a representation bug as far as I've checked, nonetheless it should
be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just
steal its target's IP af and set the rule's af accordingly. then inet_ntop
does play nice.
binat rules already enforce having an address family set always and thus are
not affected.

ok dhartmei@, pb@, kjell@
"It looks good" frantzen@


# 1.113 08-Jul-2002 dhartmei

Don't allow 'flags' option in non-TCP rules, found by mpech@


# 1.112 05-Jul-2002 henning

unbreak.


# 1.111 05-Jul-2002 henning

another small bug I found while installing a -current pf firewall.
we don't support

pass/block in on ! <interface>

(at least, not yet)
let the parser complain instead of ignoring the '!'

ok pb@, dhartmei@


# 1.110 01-Jul-2002 espie

streamline parse buffer handling (no need to copy value that is not
going to go away).

add explicit pushback buffer, to be able to push IPv6 failed parses back.

handle pushback + parse buffer interactions by using negative indices.

okay dhartmei@, deraadt@


# 1.109 01-Jul-2002 deraadt

KNF


# 1.108 28-Jun-2002 dhartmei

Don't check for address family conflicts in nat/rdr before expansion,
rules will expand to all valid combinations, and there's an error when
none is found. Makes "nat on tun0 from 10.0.0.0/8 to any -> (tun0)"
work (again).


# 1.107 25-Jun-2002 henning

move pfctl options -t, -m, -O and -l to pf.conf. These are set using the
"set" keyword. example rulefile:

set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all

fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@


# 1.106 24-Jun-2002 dhartmei

Use interface when specified in scrub rule. No support for ! or {} yet.


# 1.105 23-Jun-2002 deraadt

uid_t and gid_t are unsigned


# 1.104 20-Jun-2002 dhartmei

Copy address family from inet/inet6 keyword, if specified.


# 1.103 18-Jun-2002 frantzen

propagate a '!' when a host resolves to multiple IP addresses
ok dhartmei@


# 1.102 18-Jun-2002 frantzen

don't allow individual keep state rules to specify timeouts for 'interval' and
'frag' -- they aren't applied anyway
ok dhartmei@ and henning@


# 1.101 16-Jun-2002 aaron

Rules must in order -> Rules must be in order


# 1.100 15-Jun-2002 dhartmei

Reset rulestate in parse_rules(), so consecutive calls (like from authpf)
will not fail. Reported by Chris Kuethe.


# 1.99 13-Jun-2002 kjell

Fix the numbering of scrub rules. pointed out and oked by frantzen@


# 1.98 12-Jun-2002 kjell

Fix uninitialized access. Spotted by danh@ This is a good reason to
develop with "ln -s 'J' /etc/malloc.conf" enabled.
ok henning@


# 1.97 11-Jun-2002 frantzen

split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@. the rest are slacking


# 1.96 11-Jun-2002 frantzen

SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@


# 1.95 11-Jun-2002 dhartmei

Make NAT proxy port range configurable per rule, for instance privileged
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@


# 1.94 10-Jun-2002 kjell

Merge the NAT and rules files into a single rulefile. Rules must be
in this order, to remove any ambiguity about what order things happen in:

scrub rules
nat rules
filter rules

The -N and -R modifiers go away. Rulefiles are now loaded with the
more POSIXly-correct '-f'

ok frantzen@


# 1.93 10-Jun-2002 dhartmei

Allow ports to be specified in nat rules, useful later on for individual
proxy port ranges.


# 1.92 10-Jun-2002 dhartmei

Move enum out of struct (gcc 3.1 wasn't happy), from David Krause


# 1.91 10-Jun-2002 kjell

split scrub rule processing into its own yacc target,
for imminent config file merge. ok frantzen@


# 1.90 09-Jun-2002 dhartmei

Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it
includes ports and operator.


# 1.89 09-Jun-2002 deraadt

spaced out developers...


# 1.88 09-Jun-2002 kjell

Add list parsing in RDR rules: e.g.

rdr on $IFLIST proto tcp from $SRC_LIST to $DST_LIST port 21 \
-> 127.0.0.1 port 8021

ok dhartmei@


# 1.87 08-Jun-2002 henning

nuke unused parameter af to expand_label_port
ok dhartmei@, pb@


# 1.86 08-Jun-2002 dhartmei

Change remaining read-only lookup tables to const, suggestion drahn@


# 1.85 08-Jun-2002 itojun

comment on IPv6 link-local twists


# 1.84 08-Jun-2002 kjell

add list expansion to src/dest in NAT rules. i.e.

nat on fxp0 from { 10.0.0.0/24, 10.0.1.0/24 } to \
{ 172.6.1.1, 172.14.1.2/32 } -> fxp0

ok theo, dhartmei@


# 1.83 08-Jun-2002 henning

remove macro concatenation via += per Theo's advice


# 1.82 08-Jun-2002 henning

allow macro concatenation like
webservers = "{ 10.0.0.1, 10.0.0.7, 10.0.0.8, "
webservers += " 10.0.0.17, 10.0.0.25, 10.0.0.37 }"
ok frantzen@, dhartmei@


# 1.81 08-Jun-2002 dhartmei

Make state timeouts configurable per rule, like

pass in from any to any port www keep state (tcp.established 60)

ok frantzen@


# 1.80 08-Jun-2002 henning

expand $nr -> rule number in rule labels
okay dhartmei@, frantzen@


# 1.79 08-Jun-2002 henning

expand $proto in rule labels
okay frantzen@ dhartmei@


# 1.78 07-Jun-2002 dhartmei

Handle realloc() failure gracefully. Terminates with err() anyway in this
case, but we don't want to trigger "p = realloc(p," grepping causing false
alarms here.


# 1.77 07-Jun-2002 deraadt

henning, read this to see what i mean by KNF


# 1.76 07-Jun-2002 pb

add the possibility to configure a TTL while return-rst

ok dhartmei@, ipv6 part itojun@ ok


# 1.75 07-Jun-2002 dhartmei

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@


# 1.74 07-Jun-2002 henning

allow using $srcaddr, $srcport, $dstaddr and $dstport in rule labels,
evaluated at parse time.
ok dhartmei@


# 1.73 07-Jun-2002 itojun

make IPv6 scope identification work for dst (from any to fe80::1%lo0)


# 1.72 07-Jun-2002 itojun

support scoped IPv6 address in from/to portion.


# 1.71 01-Jun-2002 hugh

ECN flag support for pf. Committed in consultation with Daniel.


# 1.70 24-May-2002 dhartmei

Support mixed (IPv4/v6) address lists, expand to all possible and valid
combinations. 'pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }' will
expand to two rules, 'from 10.1.2.3 to 10.4.5.6' and 'from ::1 to ::2'.
Also applies to host name resolution (when multiple addresses are returned
for one name). ok frantzen@, itojun@


# 1.69 23-May-2002 deraadt

tiny KNF, some malloc checks, etc


# 1.68 23-May-2002 itojun

new_addr is not used from anywhere. daniel@benzedrine.cx ok


# 1.67 19-May-2002 deraadt

KNF


# 1.66 12-May-2002 dhartmei

Explain that user/group 'unknown' can only be used with operators = and !=
and refuse other constructs in the parser. Also note that 'user >= 0' does
not match forwarded packets with unknown user ID.


# 1.65 12-May-2002 dhartmei

Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.


# 1.64 10-May-2002 dhartmei

Handle host name resolution returning multiple addresses in the rule
parser (expand to every address). ok frantzen@


# 1.63 09-May-2002 jasoni

Add a max-mss option to the scrub rule which will enforce a maximum mss
by lowering it to the given value.
- ok dhartmei@, provos@


# 1.62 09-May-2002 dhartmei

Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.


# 1.61 24-Apr-2002 dhartmei

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).


# 1.60 23-Apr-2002 dhartmei

Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.


# 1.59 18-Apr-2002 deraadt

use strlcpy


# 1.58 17-Apr-2002 dhartmei

Reset lineno for each file, so pfctl -R ... -N ... reports the right
line number for non-first files. Reported by aaron@


Revision tags: OPENBSD_3_1_BASE
# 1.57 27-Mar-2002 mickey

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok


# 1.56 27-Feb-2002 dhartmei

Instead of printing useless @0 rule numbers from pfctl -vR, increase a
counter. Helps debugging rule sets that are not loaded. Suggested by
John Kerbawy.


# 1.55 11-Jan-2002 mickey

use bsearch() for keywords lookup, swap couple of entries to make the keywords array sorted and add a comment to keep it that way; dhartmei@ ok


# 1.54 10-Jan-2002 hugh

Let port 0 be specified as it's not special here.
Agreement with Daniel and others.


# 1.53 09-Jan-2002 mpech

Port must be >0 and <=65535. Idea while having fun with ssh.

dhartmei@ ok


# 1.52 09-Jan-2002 mpech

free() 'interface' in {nat,binat,rdr}rule

dhartmei@ ok


# 1.51 09-Jan-2002 dhartmei

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.


# 1.50 08-Jan-2002 dhartmei

Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.


# 1.49 07-Jan-2002 mpech

remove 3rd argument from ipmask(), not used.

dhartmei@ ok


# 1.48 23-Dec-2001 deraadt

find correct line number in lval, instead of val


# 1.47 10-Dec-2001 dhartmei

Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.


# 1.46 05-Dec-2001 dhartmei

Correctly parse hex numbers. Spotted by Claudio Jeker. Closes PR 2234.


# 1.45 03-Dec-2001 dhartmei

For nat, binat and rdr rules, don't allow different address families in
one rule. pf can't translate IPv4 <-> IPv6 packets. Such rules didn't work,
even if they were falsely accepted before.


# 1.44 26-Nov-2001 jasoni

add fastroute options similar to what is found in ipf
ok dhartmei@, frantzen@


# 1.43 05-Nov-2001 deraadt

no one responds.
this diff makes } and { not be part of symbols


# 1.42 24-Oct-2001 dhartmei

Check interface names using ifa0_lookup() and print error message for
non-existent interfaces (instead of the generic ioctl error returned by
the kernel in this case).


Revision tags: OPENBSD_3_0_BASE
# 1.41 15-Oct-2001 dhartmei

branches: 1.41.2;
Add 'allow-opts' to rules. Packets with IP options will be blocked by
default now, and can be allowed per rule. ok deraadt@


# 1.40 11-Oct-2001 frantzen

Don't htonl() past buffer bounds if ipmask == 128


# 1.39 07-Oct-2001 dhartmei

Add interface name to address translation to pfctl, document it and add
a regress test. Translation is done on rule set load-time only, so the
rule sets must be reloaded when an interface address changes.
parse.y patch from Cedric Berger. Similar patch from Jonathon Fletcher.
Thanks to both.


# 1.38 01-Oct-2001 markus

print variable assignments only if -v is given. ok dhartmei/deraadt


# 1.37 28-Sep-2001 dhartmei

Support underscores in macro names and document it in the man page.


# 1.36 20-Sep-2001 dhartmei

Fix uninitialized structure fields. Problem reported by Cedric Berger.


# 1.35 15-Sep-2001 wilfried

Implement return-icmp(number), return-icmp6(number)
Differentiate between return-icmp and return-icmp6,
icmp-type and ipv6-icmp-type. ok dhartmei@


# 1.34 15-Sep-2001 dhartmei

Fix 'binat ... to any ...' (binat.af wasn't set).


# 1.33 15-Sep-2001 dhartmei

Parse bug, found by wilfried@


# 1.32 15-Sep-2001 frantzen

IPv6 support from Ryan McBride (mcbride@countersiege.com)


# 1.31 12-Sep-2001 markus

check calloc() return value


# 1.30 06-Sep-2001 jasoni

- you can only binat between hosts
- add binat example and description


# 1.29 06-Sep-2001 jasoni

1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@


# 1.28 04-Sep-2001 dhartmei

Support parameter lists {} for interfaces in filter rules, like
pass in on { gm0, kue0 } from any to any


# 1.27 28-Aug-2001 markus

move '!' from host_list to host: "xhost : '!' host | host;"; ok dhartmei@


# 1.26 28-Aug-2001 markus

check for malloc/strdup == NULL


# 1.25 28-Aug-2001 dhartmei

Support ! operator in host parameter lists. Fixes PR system/2030. Reported
by Kamil Andrusz <wizz@mniam.net>.


# 1.24 26-Aug-2001 deraadt

sort keywords


# 1.23 25-Aug-2001 frantzen

PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation.


# 1.22 23-Aug-2001 millert

o for a port_item, initialize the "next" pointer to NULL
o for an address, use calloc() instead of malloc() so the struct is zeroed
Fixes a SEGV in pfctl due to uninitialized "next" pointers.


# 1.21 23-Aug-2001 deraadt

Support var="string". Expansion (at lex time) done using $var, for instance:
okproto="{ssh, smtp, domain, auth}"
pass in on key0 proto tcp from any to any port $okproto keep state
Can I ask someone else to document this in pf.conf(5)?


# 1.20 19-Aug-2001 dhartmei

Add parameter list support to parser. Handles lists for protocol, hosts
and ports in filter rules, like

block in from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
pass in proto tcp from any to any port { ssh, 1024 >< 2000, > 65000 }
block in proto { udp, igmp }

and does rule expansion (generate all needed rule combinations).


# 1.19 16-Aug-2001 deraadt

track the line number per-token, so that we can report errors correctly


# 1.18 14-Aug-2001 mickey

optimize the flags parsing; markus@ ok


# 1.17 11-Aug-2001 deraadt

\+\n support, and spit out cc-style error messages. the parser's line
counting is lex dependent, and will need to be tweaked


# 1.16 31-Jul-2001 wilfried

allow to test that flags are unset, ok dhartmei@, mickey@


# 1.15 19-Jul-2001 krw

Fix/complete the handling of the binary ops >< and <> to behave
like the ipf operators.

The 'n >< m' construct (Include Range = PF_OP_IRG) should match
ports greater than n and less than m, not greater than or equal to
n and less than or equal to m.

The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match
all ports less than n OR greater than m, not be treated as an
alias for ><.

Thus PF_OP_GL, which was used for both <> and >< is replaced with
PF_OP_IRG and PF_OP_XRG with the 'correct' semantics.

OK dhartmei@
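Added example, not pf's code: a stand-alone C table of the port operator
semantics this commit fixes. port_match() implements the corrected meaning
(n >< m excludes both ends, n <> m matches everything outside n..m), and
port_match_old() reproduces the pre-fix behaviour where a single shared
operator treated >< as an inclusive range and <> as an alias for ><. The
enum names follow pf's PF_OP_* naming but are defined here, not taken from
pfvar.h; the probe ports are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Port operators as pf applies them after this fix. The names mirror pf's
 * PF_OP_* constants but this enum is a stand-alone re-implementation. */
enum port_op {
	OP_NONE,	/* no port clause: any port */
	OP_EQ,		/* = n  */
	OP_NE,		/* != n */
	OP_LT,		/* < n  */
	OP_LE,		/* <= n */
	OP_GT,		/* > n  */
	OP_GE,		/* >= n */
	OP_IRG,		/* n >< m : n < port < m, ends excluded */
	OP_XRG,		/* n <> m : port < n or port > m */
	OP_RRG		/* n:m    : n <= port <= m, ends included */
};

/* Corrected semantics (this commit). */
static int
port_match(enum port_op op, uint16_t n, uint16_t m, uint16_t port)
{
	switch (op) {
	case OP_NONE:	return 1;
	case OP_EQ:	return port == n;
	case OP_NE:	return port != n;
	case OP_LT:	return port < n;
	case OP_LE:	return port <= n;
	case OP_GT:	return port > n;
	case OP_GE:	return port >= n;
	case OP_IRG:	return port > n && port < m;
	case OP_XRG:	return port < n || port > m;
	case OP_RRG:	return port >= n && port <= m;
	}
	return 0;
}

/* Pre-fix behaviour for comparison: one shared operator handled both
 * >< and <> as an inclusive range, so "<>" silently matched exactly the
 * ports it was meant to exclude. */
static int
port_match_old(enum port_op op, uint16_t n, uint16_t m, uint16_t port)
{
	if (op == OP_IRG || op == OP_XRG)
		return port >= n && port <= m;
	return port_match(op, n, m, port);
}

int
main(void)
{
	/* constructed probe ports around the 1024 >< 2000 boundaries */
	static const uint16_t probe[] = { 1023, 1024, 1025, 1999, 2000, 2001 };
	size_t i;

	printf("port   1024><2000  1024<>2000  old><  old<>\n");
	for (i = 0; i < sizeof(probe) / sizeof(probe[0]); i++)
		printf("%5u  %10d  %10d  %5d  %5d\n", probe[i],
		    port_match(OP_IRG, 1024, 2000, probe[i]),
		    port_match(OP_XRG, 1024, 2000, probe[i]),
		    port_match_old(OP_IRG, 1024, 2000, probe[i]),
		    port_match_old(OP_XRG, 1024, 2000, probe[i]));
	return 0;
}
```

The table makes the old bug concrete: before the fix a rule written with
"1024 <> 2000" to pass traffic outside that range passed exactly the ports
inside it instead, which is why a semantic change like this one is worth
checking against a ruleset with pfctl -nv rather than assumed.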


# 1.14 18-Jul-2001 markus

new ERROR token, errx() -> warnx() + ERROR; ok deraadt@


# 1.13 18-Jul-2001 markus

KNF for return


# 1.12 18-Jul-2001 mickey

check number range to fit in 32 bits


# 1.11 18-Jul-2001 mickey

put range checks on NUMBER, pointed out by deraadt


# 1.10 17-Jul-2001 mickey

spaces, parens, err instead of errx+strerror


# 1.9 17-Jul-2001 markus

warnx()/YYERROR instead of errx(); suggested by mickey@


# 1.8 17-Jul-2001 provos

markus doesn't like min-ttl =, begone


# 1.7 17-Jul-2001 provos

support min-ttl, okay dhartmei@


# 1.6 17-Jul-2001 provos

normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@


# 1.5 17-Jul-2001 marc

bitch about ! in pf rule; ok dhartmei@ and markus@


# 1.4 17-Jul-2001 millert

Only set default proto in the rdr case; markus@ OK


# 1.3 16-Jul-2001 markus

errx() if getservbyname() fails


# 1.2 16-Jul-2001 markus

better flags parsing; dhartmei


# 1.1 16-Jul-2001 markus

add a yacc parser for pf.conf and nat.conf, with help from mickey@,
plus: -n now turns off all operations, and just parses the conf files
ok deraadt@


# 1.691 10-Feb-2019 kn

Unify anchor name sanity checks

For anchor names, make `load anchor' use the same grammar as `anchor' and
merge unique checks from both places so that anchor names are validated
regardless of the specific rule at hand.

OK sashan


# 1.690 31-Jan-2019 kn

Make divert-packet port accept any port specification

Contrary to other rules accepting a single port, this one only works with
numerical values. Fix it by simply using the proper grammar.

Port ranges are not accepted, but an error message on a range without start
was missing in general, so add it while here.

OK bluhm


# 1.689 11-Jan-2019 kn

When creating tables inside anchors, pfctl warned about namespace
collisions with global tables, but only in certain cases and with
limited information sometimes leaving users clueless.

Deferring the check to process_tabledefs() where tables are eventually
created, both anchor and table name are known which allows for checking
all existing anchors.

With this, warn on all duplicates even in dry-runs (`-n') and print
quoted names so they can be copied to fix configurations right away.

No functional change in parsing or ruleset production.

Discussed with and OK sashan


# 1.688 15-Nov-2018 dlg

scrub opts don't set tos, so remove it from the scrub_opts struct

ok deraadt@


# 1.687 10-Nov-2018 kn

Unbreak `-D macro=value' (r1.686 regression)

Zap trailing semicolon introduced with miko's cmdline_symset() leading to
unconditional err(3). Zap trailing tab while here.


# 1.686 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.685 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.684 16-Sep-2018 millert

Use uid_from_user(3) and gid_from_group(3) in utilities that
do repeated lookups. OK tb@


# 1.683 06-Sep-2018 kn

Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan


# 1.682 16-Jul-2018 kn

reduce duplicate code, fix typo/free correct buffer

In filteropts_to_rule():

* Merge `once' handling from `anchorrule' and `pfrule'
* Remove/shorten duplicate code block
* Fix typo I introduced with r1.678 that frees the wrong buffer (twice)

OK sashan


# 1.681 13-Jul-2018 kn

Fix regression on child queue definitions

I committed the wrong diff in 1.680 which turned `queue cq parent pq ...'
into invalid syntax by changing `interface' to `ON if_item'.

Found by bket, thanks!


# 1.680 11-Jul-2018 kn

Prevent invalid interface specifiers on queue rules

pf.conf(5) states that queues attach to actual interfaces only, yet the
following parses:

# echo queue eq on egress bandwidth 1G default | pfctl -f-
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

# echo queue rq on rdomain 0 bandwidth 1G default | pfctl -vf-
queue rq bandwidth 1G default
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

On rdomains, ifa_exists() returns NULL.
On interface groups, ifa_exists() returns non-NULL but af is never set
to AF_LINK.

OK henning sashan


# 1.679 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.678 10-Jul-2018 henning

'set delay' for the generic packet delay mechanism, ok benno sashan


# 1.677 10-Jul-2018 kn

fix anchor rules with filter opts, introduce filteropts_to_rule()

Some filter options were parsed but not set on anchor rules due to missing
copies of the respective struct members:

$ cat pf.conf
queue rq on trunk0 bandwidth 1G
queue dq parent rq bandwidth 1G default
anchor a set queue dq
$ pfctl -vnf pf.conf | fgrep queue
anchor "a" all

Fix this by moving common code from `anchorrule' and `pfrule' into a new
helper filteropts_to_rule().

Input from henning and benno
OK henning sashan jca


# 1.676 09-Jul-2018 kn

Zap dead code

Commented since r1.465 (2004).

OK deraadt benno jca sashan


# 1.675 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.674 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.673 18-May-2018 benno

A pf rule with a "on rdomain n" with nonexisting rdomain n will cause an

pfctl: DIOCADDRULE: Device busy

error when loading the ruleset, with no information which rule caused
the problem and no indication that the problem is the rdomain
<nonexisting>.

This diff makes pfctl check if the rdomain really exists when parsing
the config.

ok bluhm@


# 1.672 09-May-2018 otto

Fix (include file) line number counting by keeping track of the unget
buffer per file; also use that buffer to expand macros.
ok sashan@ dennis@ krw@


# 1.671 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.670 08-Feb-2018 henning

make the watermarks/thresholds for entering and leaving syncookie mode when
syncookies are set to adaptive tunable, ok claudio benno


# 1.669 06-Feb-2018 henning

allow control over syncookies: set syncookies never/always/adaptive


# 1.668 28-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@


# 1.667 27-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Convert the pfctl(8) rule parser to divert types, kernel cleanup
will be the next step.
OK sashan@


# 1.666 25-Nov-2017 sashan

- pfctl fails to handle nested 'load anchor' properly
[ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]

OK bluhm@


# 1.665 14-Nov-2017 sashan

- nested anchors vs. pfctl/parse.y
bug reported and fix tested by Leonardo Guardati

OK bluhm@


# 1.664 13-Nov-2017 henning

add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb


Revision tags: OPENBSD_6_2_BASE
# 1.663 11-Aug-2017 benno

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@


# 1.662 19-Jul-2017 mikeb

Allow HFSC classes to use flow queues

The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue. Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.

Discussed with and OK henning@ at d2k17 as a part of a larger diff.


# 1.661 19-Jul-2017 mikeb

Rework HFSC vs FQ-CoDel checks

The selection mechanism introduced in pf_ioctl.c -r1.316 suffers
from being too ambiguous and lacks robustness. Instead of relying
on composition of multiple flags in the queue specification, it's
easier to identify the root class (if it exists) and derive all
further checks from it.


# 1.660 28-May-2017 akfaew

Don't check np->port for NULL - it's an array, it's never NULL.

OK bluhm@


# 1.659 15-May-2017 mikeb

Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)

OK sthen, visa


# 1.658 28-Apr-2017 mikeb

Remove double assignments


Revision tags: OPENBSD_6_1_BASE
# 1.657 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.656 23-Nov-2016 bluhm

Explicitly forbid to combine af-to with route-to in pfctl. The
parser cannot handle that correctly and it is unclear whether the
kernel code would work. Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@


# 1.655 26-Aug-2016 guenther

Add <time.h> for time(); sort <*.h> includes

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.654 18-Jul-2016 henning

g/c unused (global!) var: oqueues isn't used any more. ALTQ leftover; not
noticed since struct node_queue stayed. ok claudio benno gcc


# 1.653 22-Jun-2016 kettenis

Add curly braces that were missed in rev 1.651. Add parenthesis to make the
condition in the if statement more readable while I'm there.

ok phessler@, benno@, florian@


# 1.652 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.651 21-Jun-2016 benno

the manpage documents that af-to does not work on pass out rules, but
the pf.conf parser allows it, which leads to a non-working configuration
being loaded.
this changes the parser to make pass out .. af-to an error.

ok henning@ mikeb@


# 1.650 16-Jun-2016 henning

allow include in inline anchors
with this,
anchor foo {
include "/path/to/rules"
}
works and "load anchor" is obsolete, to be removed somewhen later after
release.
co-production with reyk at bsdcan, ok reyk mikeb benno sasha


Revision tags: OPENBSD_5_9_BASE
# 1.649 01-Sep-2015 sashan

- route-to, dup-to, reply-to should not override the block action

Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>

ok jung@, ok mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.648 21-Apr-2015 mikeb

Improve divert-to specification parsing w.r.t. rule address family.
ok henning


Revision tags: OPENBSD_5_7_BASE
# 1.647 26-Feb-2015 sthen

%% not % in error message; ok millert@ henning@


# 1.646 14-Feb-2015 sthen

Rather than using 0xff as a placeholder for "don't check prio", use 0xff to
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.

Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesn't like it he can change it when he recovers from jet-lag"


# 1.645 10-Feb-2015 henning

since we inherit prio (as in, the queuing priority) from outside sources,
i. e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan


# 1.644 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.643 19-Dec-2014 reyk

Support source-hash and random with tables and dynifs; not just pools.
This finally allows using source-hash for dynamic load balancing, e.g.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.

An older pre-siphash version of this diff was tested by many people.

OK tedu@ benno@


# 1.642 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.641 27-Oct-2014 mikeb

Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic. Reported by sthen@;
ok henning benno sthen


# 1.640 25-Oct-2014 lteo

Remove unnecessary netinet/in_systm.h include.

ok millert@


# 1.639 13-Sep-2014 doug

Replace all queue *_END macro calls except CIRCLEQ_END with NULL.

CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.

ok millert@


# 1.638 23-Aug-2014 pelikan

when you specify queues in a rule, make sure they have been defined.

DIOCADDRULE EBUSY turns into an error message that pfctl -n catches.
DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported
to occur, possibly from hfsc.c: this should be fixed as well.

ok henning mikeb sthen


# 1.637 21-Aug-2014 mikeb

deny "once" flags for match rules; ok henning


Revision tags: OPENBSD_5_6_BASE
# 1.636 02-Jul-2014 mikeb

branches: 1.636.4;
condition above makes this part of the check useless;
overlooked in the previous commit


# 1.635 30-Jun-2014 mikeb

Merge two loops in collapse_redirspec into one

This lets us do the checks only once and also make smarter decisions
about the rule's own address family. As a result af-to rules no longer
need to specify the address family after 'pass'.

ok henning


# 1.634 25-Jun-2014 mikeb

Make stricter decisions when handling translation specifications.

In particular, disallow specifications containing addresses of
different address families when rule doesn't specify one, for
example "pass out nat-to { ::1 1.1.1.1 }" will now produce an
error instead of silently picking one of the addresses.

sthen and deraadt agree


# 1.633 17-May-2014 bluhm

When parsing a numerical value for the TOS bits, make sure that it
is in a valid range.
OK henning@


# 1.632 19-Apr-2014 henning

remove altq bits here, too
(i was convinced i committed that yesterday already, hrm)


Revision tags: OPENBSD_5_5_BASE
# 1.631 22-Jan-2014 henning

branches: 1.631.4;
relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.630 21-Jan-2014 henning

if_item can be "any" now.
allows things like
block out on $someif received-on any
to prevent packets to get forwarded to $someif


# 1.629 20-Jan-2014 henning

support "!received-on <interface>", ok dlg benno


# 1.628 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.627 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


# 1.626 17-Oct-2013 henning

cannot have queue definitions inside anchors.
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@@ring0.de>, analysis & fix yours truly


# 1.625 12-Oct-2013 henning

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen


# 1.624 01-Aug-2013 mikeb

Provide local implementations of if_nametoindex(3) and if_indextoname(3)
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance wise this change provides a speed up
factor of 20 with an 11k line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).

"wow!" henning, ok benno, florian


Revision tags: OPENBSD_5_4_BASE
# 1.623 01-Jun-2013 henning

branches: 1.623.2;
remove set-tos backwards compat, moved into the set {} block a year ago
ok ryan


# 1.622 02-Mar-2013 sthen

When a PF rule contains 'set tos' *followed by* a scrub option, the tos
value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning


Revision tags: OPENBSD_5_3_BASE
# 1.621 16-Jan-2013 henning

for consistency with prio etc, the queue assignment really belongs
into the set block. so make pfctl accept, print and the manpage document
. match set queue foo
instead of
. match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc


# 1.620 18-Oct-2012 reyk

Disallow tables and interface address pools for rdr-to, nat-to and
route-to with any other scheduling algorithms than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, eg. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.

Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.

ok zinke@


# 1.619 18-Sep-2012 henning

prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb


Revision tags: OPENBSD_5_2_BASE
# 1.618 10-Jul-2012 bluhm

Allow an implicit address family for af-to rules. If the address
family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6"
there.
OK henning@ mikeb@


# 1.617 10-Jul-2012 henning

set { ... } -> set ( ... )
brought up by ryan, discussed with him and theo and they convinced me


# 1.616 09-Jul-2012 henning

fix some of the confusion we have in pf regarding filter criteria vs
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler


# 1.615 07-Jul-2012 henning

remove incorrect check in pfctl preventing set-tos for ipvshit.
the kernel has code to deal with set-tos and that crap. don't ask for
details. stuart ok


# 1.614 07-Jul-2012 henning

rename prio in struct pf_rule and related structs to set_prio so it is
utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc


Revision tags: OPENBSD_5_1_BASE
# 1.613 19-Dec-2011 mikeb

unbreak rule optimizer; ok henning, looks


# 1.612 12-Dec-2011 mikeb

fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault


# 1.611 03-Dec-2011 mcbride

pfctl_set_hostid always returns 0; don't pretend otherwise and make it a
void function instead.

ok dlg


# 1.610 13-Oct-2011 claudio

pfctl change for af-to / NAT64 support.
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@


# 1.609 07-Sep-2011 haesbaert

Avoid possible SIGSEGV when wrong tos option.


# 1.608 30-Aug-2011 mikeb

One shot rules can be used in pf.conf by specifying a "once" filter option.

ok henning, mcbride


Revision tags: OPENBSD_5_0_BASE
# 1.607 29-Jul-2011 mcbride

Remove requirement to quote 'debug' loglevel for the 'debug' option.

ok henning


# 1.606 27-Jul-2011 mcbride

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with a some minor cleanup.
ok henning claudio deraadt


# 1.605 13-Jul-2011 mcbride

Force user to specify protocol when filtering on user, gid, and os
attributes (this is now required by pf_rule_test()).

ok sthen henning


# 1.604 08-Jul-2011 henning

allow rules to specify "prio X" or "prio (X, Y)" to assign priority levels
for the new priority queueing implementation. valid range is 0 to 7. the old
trick for prioritizing empty ACKs etc remains thru the latter notation
ok ryan mpf sthen plus pea testing and halex and claudio reading


# 1.603 07-Jul-2011 mcbride

Fold pf_test_fragment() into pf_test_rule(), reduces code and fixes
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus


# 1.602 04-Jul-2011 henning

bye bye require-order.
i added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo


# 1.601 03-Jul-2011 henning

g/c RIO traces (aka clean up after tedu :))


# 1.600 03-Jul-2011 zinke

bring in least-states load balancing algorithm

ok mcbride@ henning@


# 1.599 06-Apr-2011 claudio

Userland bits to allow PF to filter on the rdomain a packet belongs to.
This allows writing rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@


# 1.598 05-Apr-2011 mikeb

ditch fastroute, an ipf feature that made its way into pf before
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do. reuse some kernel bits for the upcoming nat64
stuff. "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.


Revision tags: OPENBSD_4_9_BASE
# 1.597 31-Dec-2010 bluhm

According to pf_scrub_ip6() pf does not support the scrub options
no-df, random-id, set-tos for IPv6 rules. Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@


# 1.596 15-Dec-2010 henning

make the "invalid probability:" yyerror suck less
From: Thomas Pfaff <tpfaff@tp76.info>


# 1.595 01-Dec-2010 jsg

remove some unused tokens
ok henning@ mcbride@


# 1.594 24-Sep-2010 henning

remove the check that enforced rdr-to only inbound and nat-to only outbound.
both now can be used in both directions. the kernel allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given, a rule with rdr-to and/or nat-to
and no direction is pretty certainly an error (even though it would work,
technically)
ok ryan claudio dlg


# 1.593 22-Sep-2010 henning

new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually


# 1.592 02-Sep-2010 sobrado

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@


Revision tags: OPENBSD_4_8_BASE
# 1.591 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.590 03-Jul-2010 mcbride

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.

tested by phessler
ok henning


# 1.589 23-Mar-2010 henning

remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving anchors aside) is wrong and
conflicts with the general idea of how pf works. last but not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc


Revision tags: OPENBSD_4_7_BASE
# 1.588 13-Jan-2010 deraadt

Move tokens before productions into more consistent places
ok mcbride


# 1.587 13-Jan-2010 mcbride

Allow /netmask notation in redir spec, fix the rest of the regress
tests for illegal conditions in translation/routing.


# 1.586 12-Jan-2010 mcbride

We actually have to keep the translate/route spec addresses around after
collapsing into tables, so that we can handle all possible address family
expansions.


# 1.585 12-Jan-2010 mcbride

Set roundrobin flag correctly, and don't treat a bare interface
like a dynamic one in the routespec.


# 1.584 12-Jan-2010 mcbride

Add restrictions to make @if illegal outside of routing specs;
Fix binat-to sanity checks.


# 1.583 12-Jan-2010 mcbride

Fix some issues in redir spec handling, discovered thanks to dlg testing
- purge irrelevant addresses from the lists before collapsing
- ensure the lists are freed after they're collapsed
- more careful ifname copying, avoiding double-free / use-after-free traps


# 1.582 12-Jan-2010 mcbride

Don't leak @if0 format routing host names, pointed out by claudio.


# 1.581 12-Jan-2010 mcbride

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio


# 1.580 10-Jan-2010 deraadt

lex <=, >=, and != into a single token for correctness and to reduce the
lookahead in the parser
ok henning otto


# 1.579 10-Jan-2010 deraadt

In the non-optimized case, an address list containing "any" (i.e. { any 10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1. How long this bug has
been with us is unclear.
ok guenther mcbride


# 1.578 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


# 1.577 24-Dec-2009 dlg

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:

pass out on em0 from $foo to $bar received-on fxp0

ive been running this in production for a week now. i find it particularly
useful with interface groups.

no objections, and a few "i like"s from henning, claudio, deraadt, mpf


# 1.576 10-Dec-2009 deraadt

plug some memory leaks; found by parfait, ok henning


# 1.575 22-Nov-2009 henning

cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing


# 1.574 09-Nov-2009 jsg

A few more places to be updated for the route pool change.
expanded version of a diff from Vadim Zhukov.

ok henning@ claudio@


# 1.573 28-Oct-2009 jsg

Add a dedicated pf pool for route options as suggested by henning,
which unbreaks i.e. route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@


# 1.572 28-Oct-2009 claudio

route_host initializes the netmask to a /128 no matter what af is used so
that the load balancing code does not freak out but because of this
check_netmask() is now complaining. So set the addr.type to PF_ADDR_DYNIFTL
so check_netmask() is fixing up the netmask for IPv4 and stops complaining.
This is a partial fix for the failing regress test 13.
found with jsg, looks good henning


# 1.571 28-Oct-2009 claudio

Correct function name in err and errx.


# 1.570 04-Oct-2009 michele

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who spotted the limitations of this approach.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@


# 1.569 08-Sep-2009 michele

I had not enough oks to commit this diff.
Sorry.


# 1.568 08-Sep-2009 michele

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.


# 1.567 07-Sep-2009 reyk

implement binat-to as a macro-like rule: a rule using the new binat-to
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. this simplifies the migration from old
binat rules and is less error-prone.

feedback from many, manpage bits from jmc@
ok henning@


# 1.566 03-Sep-2009 reyk

this time i commit the right diff that was
ok henning@ (sorry)


# 1.565 03-Sep-2009 reyk

fix two route-to vs. rdr-to conflicts.

found by sthen@
ok henning@


# 1.564 02-Sep-2009 reyk

all the new *-to options are part of the "filteropts" section at the
end of a pf rule (nat-to, divert-to, rdr-to, ...). take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.

for example,
pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)

many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@


# 1.563 01-Sep-2009 henning

the diff theo calls me insanae for:
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too


# 1.562 28-Jul-2009 claudio

Bring back rev. 1.560:
Make it possible to use DiffServ Code Point in the TOS fields.
Requested by deraadt@


# 1.561 27-Jul-2009 deraadt

When will people learn to commit their .h file changes?


# 1.560 27-Jul-2009 claudio

Make it possible to use DiffServ Code Point in the TOS fields. Names like
af11, cs6 and ef will now be mapped to the corresponding TOS value.
OK henning@, sthen@, mcbride@


Revision tags: OPENBSD_4_6_BASE
# 1.559 14-May-2009 sthen

actually change the require-order default to No; I missed a part with
my last commit. ok deraadt@


# 1.558 26-Apr-2009 sthen

switch the require-order default to "no". regression tests still pass.
ok henning@ deraadt@


# 1.557 25-Apr-2009 henning

scrub_opts must not be empty, scrub on its own does nothing.
noticed due to a question from otto@, ok regress/sbin/pfctl/ ;)


# 1.556 06-Apr-2009 henning

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.
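
Added example, not pfctl's or pf(4)'s own code: a small Python model of the match/pass/block semantics the 1.556 message above describes. The rule and packet fields, and the way a deciding rule's options are applied after the loop, are assumptions of the model, not struct pf_rule; the rulesets in demo() are constructed.

```python
# Added example, not pfctl's or pf(4)'s own code: a model of the rule evaluation
# semantics in the 1.556 commit message. Rule/packet fields are assumptions.
#  - pass/block: the last matching rule decides the verdict (quick stops early)
#  - match: never changes the verdict, but every time it matches its queue,
#    rtable and scrub options are applied (the last rule that set one wins)
#    and, if it carries "log", the packet is logged again
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Packet:
    proto: str
    dport: int

@dataclass
class Rule:
    action: str                        # "pass", "block" or "match"
    proto: Optional[str] = None        # None matches any protocol
    dport: Optional[int] = None        # None matches any destination port
    queue: Optional[str] = None
    rtable: Optional[int] = None
    scrub: dict = field(default_factory=dict)   # e.g. {"max-mss": 1400}
    log: bool = False
    quick: bool = False

@dataclass
class Verdict:
    action: str = "pass"               # pf's default when no rule matches
    queue: Optional[str] = None
    rtable: Optional[int] = None
    scrub: dict = field(default_factory=dict)
    log_count: int = 0                 # how many rules logged this packet

def rule_matches(r: Rule, p: Packet) -> bool:
    return r.proto in (None, p.proto) and r.dport in (None, p.dport)

def apply_options(r: Rule, v: Verdict) -> None:
    """Options are sticky: a rule only overrides what it actually sets."""
    if r.queue is not None:
        v.queue = r.queue
    if r.rtable is not None:
        v.rtable = r.rtable
    v.scrub.update(r.scrub)

def evaluate(rules: list, p: Packet) -> Verdict:
    v = Verdict()
    deciding = None
    for r in rules:
        if not rule_matches(r, p):
            continue
        if r.log:
            v.log_count += 1           # every matching rule with log logs it
        if r.action == "match":
            apply_options(r, v)        # applied at once, each time a match rule hits
            continue
        deciding = r                   # last matching pass/block so far
        if r.quick:
            break
    if deciding is not None:
        v.action = deciding.action
        apply_options(deciding, v)     # the deciding rule's own options, if it set any
    return v

def demo() -> dict:
    """Constructed rulesets, all evaluated for a TCP packet to port 80."""
    web = Packet("tcp", 80)
    return {
        # "pass" then "match": still passed, queue comes from the match rule
        "pass_then_match": evaluate(
            [Rule("pass"), Rule("match", proto="tcp", queue="web", log=True)], web),
        # "block" then "match": still blocked, match options are applied anyway
        "block_then_match": evaluate(
            [Rule("block"), Rule("match", queue="web")], web),
        # last matching rule has no queue, so the earlier match rule's queue is taken
        "match_then_pass": evaluate(
            [Rule("match", queue="web", scrub={"max-mss": 1400}),
             Rule("pass", proto="tcp", scrub={"min-ttl": 64})], web),
        # two logging match rules log the same packet twice
        "double_log": evaluate(
            [Rule("match", log=True), Rule("match", dport=80, log=True), Rule("pass")], web),
        # quick on an earlier pass rule stops evaluation before the block
        "quick": evaluate([Rule("pass", quick=True), Rule("block")], web),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The "match_then_pass" case is the one the message calls out: the deciding pass rule sets no queue, so the queue assigned by the earlier match rule survives, and the scrub options of both rules are merged.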


Revision tags: OPENBSD_4_5_BASE
# 1.555 19-Feb-2009 deraadt

spacing


# 1.554 17-Oct-2008 henning

in findeol(), do not skip the pushback buffer. fixes PR 5952 by sthen@ and
should make the pushback buffer really transparent.
diagnosis by me, fix with mpf, some input deraadt, ok mpf


# 1.553 02-Oct-2008 henning

implement "set state-defaults X", where X is a list of state options as
permitted keep state(X). applies to all rules which do not have keep state
explicitly. e. g. "set state-defaults pflow, no-sync"
ok phessler deraadt


# 1.552 10-Sep-2008 deraadt

do not try to print $$ when it has not been set


# 1.551 09-Sep-2008 henning

welcome pflow(4), a netflow v5 compatible flow export interface.
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo


# 1.550 07-Aug-2008 henning

correctly copy the log interface spec when expanding an antispoof rule that
covers loopback addresses. ok ryan
problem report from Harald Dunkel <harald.dunkel@aixigo.de>


Revision tags: OPENBSD_4_4_BASE
# 1.549 03-Jul-2008 deraadt

do not forget to initialize other member of $$ in qname; noted by mark shroyer
ok henning


# 1.548 10-Jun-2008 mcbride

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt


# 1.547 10-Jun-2008 henning

new state option "sloppy" to use the sloppy tcp state tracker instead
of the good one. ok theo ryan reyk


# 1.546 09-May-2008 deraadt

Replace a crockpot of semi-cloned productions for handling port
numbers with one, and fix a few other bugs along the way
ok mpf henning


# 1.545 09-May-2008 markus

convert port byte order in the production; add port keyword; ok deraadt@


# 1.544 09-May-2008 markus

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@


# 1.543 08-May-2008 deraadt

make "to any" optional in binat, or well, the implied default.
requested by reyk, ok reyk mpf


# 1.542 08-May-2008 deraadt

Loosen grammar to permit any number of newlines within most kinds of { }
blocks, as requested by reyk; ok reyk mpf henning


# 1.541 08-May-2008 deraadt

Bring back (in a more yacc friendly way) support for setting variables
to a sequence of strings and numbers, which get folded together into one
string (and later, when used, is re-lexed)
ok mpf


# 1.540 07-May-2008 deraadt

do not assume PF_INOUT is 0 in the enum; ok mcbride


# 1.539 07-May-2008 markus

scrub packets based on tags; ok henning


# 1.538 07-May-2008 markus

allow setting TOS with scrub; ok mcbride, claudio


# 1.537 21-Apr-2008 deraadt

optnl is a crutch for those who do not understand yacc. it
leads to a variety of errors; ok mcbride


Revision tags: OPENBSD_4_3_BASE
# 1.536 01-Feb-2008 mcbride

Enable the rest of the filter_opts to be used on anchors. These were accepted
by the parser but not passed to the kernel. This allows filtering based on
uid, gid, icmp options, tcp flags, os fingerprint, tos, tags, and probability;
It also allows the label to be set. State options and tagging are not
permitted.

ok henning mpf


# 1.535 13-Nov-2007 mpf

Bring back the number converter for 'set hostid'.
I forgot to think about hex numbers when I removed it.
OK deraadt@


# 1.534 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.533 25-Oct-2007 mpf

Fix probability rules w/ numbers (e.g probability 0.4).
Add support for probabilities of 0% and 100%.
With and OK deraadt@


# 1.532 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.531 22-Oct-2007 deraadt

pfctl does not need file secrecy


# 1.530 16-Oct-2007 mpf

Allow unquoted numbers in variables.
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.

OK deraadt@


# 1.529 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.528 13-Oct-2007 deraadt

support an include directive; file of course must also be "secure" like
the main configuration file; ok henning


# 1.527 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.526 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.525 01-Oct-2007 mpf

Backout NUMBER to string conversion.
Requested by deraadt@


# 1.524 27-Sep-2007 mpf

Add loginterface support for groups.
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.

OK henning@, markus@


# 1.523 23-Sep-2007 mpf

Allow numbers to be used as unquoted strings again.
While there, also restrict the use of concatenated, unquoted
strings for variable assignments only.

Eyeballed by markus@, OK henning@


# 1.522 12-Sep-2007 deraadt

add a missing range check for rtable ids; ok cloder henning


# 1.521 12-Sep-2007 deraadt

Add support to the lex for parsing number out of the stream. handle
this in the parser. because the new numbers are int64_t, many new
range checks for < 0 are needed. re-check and improve all the
existing rangechecks while at it. thanks for help by cloder and
dhartmei


# 1.520 30-Aug-2007 dhartmei

add support for address ranges ("from 10.1.2.50 - 10.1.3.75") in from/to
criteria. ok mcbride@


Revision tags: OPENBSD_4_2_BASE
# 1.519 21-Jun-2007 henning

always initialize logif, from max laier, ok ryan


# 1.518 20-Jun-2007 mpf

Allow "log" for nat rules without "pass".
OK henning@, ``passt scho'' markus@


Revision tags: OPENBSD_4_1_BASE
# 1.517 03-Feb-2007 dhartmei

in decide_address_family(), only limit a rule to a specific address family
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@


# 1.516 07-Nov-2006 mcbride

Unbreak authpf by handling non-inline anchors separately from the { } anchors
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.

ok deraadt@


# 1.515 31-Oct-2006 mcbride

Allow pfctl ruleset optimizer to be controlled from the ruleset.

"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]

You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.

cleanup and ok henning@


# 1.514 31-Oct-2006 mcbride

- don't allow anchors with _* names to be cleared or loaded from the
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified

'looks sensible' deraadt@


# 1.513 28-Oct-2006 mcbride

Load all rules into memory before loading into the kernel, and add support
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").

anchor on fxp0 {
pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@


# 1.512 25-Oct-2006 henning

make absolutely sure logif is 0 unless set specifically, even if log is 0.
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...


# 1.511 25-Oct-2006 henning

and another nit, $$.log should be set to 0 explicitly on quick without log


# 1.510 25-Oct-2006 henning

urgs, $$.quick needs to be set to 0 explicitly on log (without quick)


# 1.509 25-Oct-2006 henning

allow the log interface to be selected like
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride


# 1.508 17-Oct-2006 mcbride

Don't automatically set 'flags S/SA' on stateless rules.

pointed out by david@

ok mpf@ dhartmei@


# 1.507 11-Oct-2006 deraadt

quotes around filename, pr 5253, sthen@zephyr.spacehopper.org


# 1.506 11-Oct-2006 mcbride

Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside
the anchor, terminate ruleset evaluation when stepping out of the anchor.

This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.

ok dhartmei@ henning@ deraadt@


# 1.505 06-Oct-2006 mcbride

Oops, flags S/SA doesn't work on fragments.


# 1.504 06-Oct-2006 mcbride

Make 'flags S/SA keep state' the implicit default for filter rules, based on
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.

IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.

Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.

ok dhartmei@ deraadt@ henning@


Revision tags: OPENBSD_4_0_BASE
# 1.503 22-Aug-2006 dhartmei

back out -r1.497 (support for "tagged {}" lists), it broke "tagged" support
for nat rules. sorry, existing functionality trumps syntactic sugar. feel
free to resubmit a complete patch. closes PR 5207.


# 1.502 06-Jul-2006 henning

add "rtable" to select alternate routing tables.
with & ok claudio hshoexer


# 1.501 17-Jun-2006 henning

KNF


# 1.500 28-May-2006 mcbride

Make per-rule adaptive timeouts behave the same way as the global adaptive
timeouts.


# 1.499 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.498 02-May-2006 dhartmei

fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, create
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.


# 1.497 01-May-2006 dhartmei

add support for "tagged {}" lists, from Pierre-Yves Ritschard


# 1.496 06-Apr-2006 henning

allow lists inside lists for address specs, has been in my tree for
quite some time... theo likes


# 1.495 14-Mar-2006 djm

implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@
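
Added example, not pf(4)'s code: a Python model of the unicast reverse path forwarding check the 1.495 message above describes. The routing table, interface names and sample packets are constructed for the example; the lookup is a plain longest-prefix match over that table.

```python
# Added example, not pf(4)'s code: model of the uRPF check from the 1.495
# commit message. ROUTES is constructed sample data; interface names are
# assumptions.
import ipaddress

ROUTES = [
    ("0.0.0.0/0", "em0"),         # default route towards the upstream
    ("192.168.1.0/24", "em1"),    # LAN
    ("10.0.0.0/8", "em2"),        # site-to-site link
    ("10.20.0.0/16", "em1"),      # more specific than 10/8, lives behind the LAN
]

def lookup(routes, addr):
    """Longest-prefix match: the interface that holds the route back to addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, ifname)
    return best[1] if best else None

def urpf_check(routes, src, rcvif):
    """Passes only if the packet came in on the interface that routes back to its source."""
    return lookup(routes, src) == rcvif

def urpf_failures(routes, packets):
    """(src, rcvif) pairs that fail: spoofed sources, or real ones on asymmetric paths."""
    return [(src, rcvif) for src, rcvif in packets if not urpf_check(routes, src, rcvif)]

if __name__ == "__main__":
    sample = [("192.168.1.5", "em1"), ("192.168.1.5", "em0"), ("10.20.3.4", "em2")]
    print(urpf_failures(ROUTES, sample))
```

The third sample packet shows the caveat in the message: a source in 10.20/16 arriving on em2 is rejected because the route back to it points at em1, which is exactly what happens to legitimate traffic when routing is not symmetric.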


Revision tags: OPENBSD_3_9_BASE
# 1.494 17-Nov-2005 dhartmei

for pfctl -f rules, open the file before resetting options. when opening
the file fails, produce only the error message and leave options
unchanged. reported by Tamas TEVESZ, ok deraadt@


# 1.493 13-Oct-2005 henning

unused parameters


Revision tags: OPENBSD_3_8_BASE
# 1.492 14-Jun-2005 henning

no need to restrict tagging to stateful rules any more, dhartmei ok
From: "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.491 27-May-2005 dhartmei

get rid of 'log-all'. now that we have 'log (options)', make 'all' an
option to log. so, 'log-all' becomes 'log (all)'.


# 1.490 27-May-2005 dhartmei

get rid of shift/reduce conflicts, don't support empty logopts


# 1.489 27-May-2005 dhartmei

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v is used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.


# 1.488 27-May-2005 dhartmei

allow 'tagged' in 'anchor' rules (without complaining about missing
'keep state'), as a condition to branch into the anchor. suggested
by Bill Marquette.


# 1.487 26-May-2005 camield

The illegalness of "no nat log" is already enforced by the grammar.

ok dhartmei


# 1.486 26-May-2005 dhartmei

support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@


# 1.485 23-May-2005 camield

remove code that duplicates getservice()

ok dhartmei mcbride


# 1.484 21-May-2005 henning

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo


# 1.483 22-Apr-2005 camield

Catch bad flags, ie. flags that always evaluate to false. This happens
if there are flags on the lefthandside that are masked off by the
righthand side.

ok mcbride@ (long time ago) dhartmei@ henning@
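
Added example, not pfctl's code: a Python version of the "bad flags" check from the 1.483 message above, together with the flag comparison it protects. A spec such as S/SA means "of the flags in the mask SA, exactly S must be set", evaluated as (tcp_flags & mask) == set; a bit in the set part that is missing from the mask can never survive the masking, so such a rule could never match. The flag letters follow pf.conf(5); the sample flag values in the test are constructed.

```python
# Added example, not pfctl's code: the "bad flags" sanity check from the 1.483
# commit message and the match it protects. Letters as in pf.conf(5): FSRPAUEW.
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}

def parse_flagset(letters):
    """'SA' -> 0x12; an empty string is allowed (matches nothing set)."""
    bits = 0
    for ch in letters:
        if ch not in TCP_FLAGS:
            raise ValueError(f"unknown tcp flag {ch!r}")
        bits |= TCP_FLAGS[ch]
    return bits

def parse_flags(spec):
    """Parse 'S/SA' or 'any' into (set, mask); reject a spec that can never match."""
    if spec == "any":
        return 0, 0                    # flag matching disabled
    if "/" not in spec:
        raise ValueError("flags need the form set/mask, e.g. S/SA")
    set_part, mask_part = spec.split("/", 1)
    fset, fmask = parse_flagset(set_part), parse_flagset(mask_part)
    bad = fset & ~fmask                # required on the left, masked off on the right
    if bad:
        letters = "".join(ch for ch, bit in TCP_FLAGS.items() if bad & bit)
        raise ValueError(f"flags {spec}: {letters} set but masked off, rule never matches")
    return fset, fmask

def flags_match(spec, tcp_flags):
    """pf's comparison: only the bits in the mask are looked at."""
    fset, fmask = parse_flags(spec)
    return (tcp_flags & fmask) == fset

def is_bad_flags(spec):
    try:
        parse_flags(spec)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    for spec in ("S/SA", "SA/S", "any", "A/A"):
        print(spec, "bad" if is_bad_flags(spec) else "ok")
```

With S/SA a bare SYN matches while SYN+ACK does not, which is why the 1.504 default only creates state on the first packet of a handshake; "any" turns the comparison off.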


Revision tags: OPENBSD_3_7_BASE
# 1.482 07-Mar-2005 henning

print unsigned long with %lu, not with %d and not with %ld.
From: Andrey Matveev <andrushock@korovino.net>


# 1.481 06-Mar-2005 henning

allow commas in the hfsc service curve spec, inconsistency pointed out in
PR4134 / geoff@collyer.net and a longer mail exchange with han boetes


# 1.480 06-Mar-2005 dhartmei

print "set skip on" with -v in such a way that the output is valid input
syntax, instead of the cryptic hex flags output.


# 1.479 27-Feb-2005 dhartmei

support 'tagged' in translation rules, non-delayed tag lookup
ok henning@, deraadt@


# 1.478 26-Feb-2005 henning

you sure get the impression the number of memory leaks in error paths
is infinite... Andrey Matveev <andrushock@korovino.net> spotted a few again!


# 1.477 07-Feb-2005 david

KNF; ok henning@


# 1.476 28-Jan-2005 dhartmei

add messages for syntax errors that caused silent failure before.
found by Peter Fraser, ok henning@


# 1.475 27-Jan-2005 dhartmei

dynamic interface names must start with a letter. catches the nonsensical
"(10.1.2.3)" that results from a simple typo like "$(ext_ip)" instead of
"$(ext_if)".


# 1.474 05-Jan-2005 mcbride

Modify pfctl behaviour so that 'set ...' options are no longer "sticky", ie.
they are reset to default values if omitted from a subsequent ruleset load.
Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set
without resetting the others, eg:
# echo "set loginterface fxp0" | pfctl -mf -

ok henning@ dhartmei@


# 1.473 29-Dec-2004 mcbride

Print 'set fingerprints' correctly when parsing verbosely.


# 1.472 23-Dec-2004 dhartmei

set rule_flag PFRULE_SRCTRACK when setting srctrack, found by camield@
using regress test pf84


# 1.471 22-Dec-2004 dhartmei

Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@


# 1.470 15-Dec-2004 henning

missing free()s; with pat


# 1.469 10-Dec-2004 henning

allow pf to filter on route labels
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan


# 1.468 08-Dec-2004 mcbride

Add "'overload' requires 'max-src-conn' or 'max-src-conn-rate'" sanity check,
fix some cut-n-paste mayhem in other related checks.


# 1.467 07-Dec-2004 dhartmei

re-commit mcbride@'s 'flush global', this time without the breakage in
pfvar.h. builds kernel and userland.


# 1.466 07-Dec-2004 deraadt

real backout


# 1.465 07-Dec-2004 deraadt

oops, incomplete backout


# 1.464 07-Dec-2004 deraadt

tree does not compile, spotted by dlg (not obvious how to fix)
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.463 07-Dec-2004 mcbride

Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.462 05-Dec-2004 dhartmei

initialize $$->tail and $$->next for MAXSRCCONNRATE


# 1.461 04-Dec-2004 mcbride

Userland support for limiting open tcp connections per source. eg:

keep state (max-src-conn 1000, max-src-conn-rate 100/10, overload <bad> flush)

allow a maximum of 1000 open connections or 100 new connections in 10 seconds.
The addresses of offenders are added to the <bad> table which can be used in
the ruleset, and existing states from that host are flushed.

ok deraadt@ dhartmei@
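
Added example, not pf(4)'s code: a Python model of the per-source limits the 1.461 message above describes (max-src-conn, max-src-conn-rate, overload <table> flush) and of the 1.463 change in what "flush" removes by default versus "flush global". Timestamps, rule ids, the shared state list and the sources in demo() are assumptions of the model.

```python
# Added example, not pf(4)'s code: model of max-src-conn / max-src-conn-rate /
# overload <table> flush (1.461) and of "flush" vs "flush global" (1.463).
# Timestamps, rule ids and the shared state list are assumptions of the model.
from collections import defaultdict, deque

class SourceLimiter:
    def __init__(self, rule_id, max_src_conn, rate, overload_table, states,
                 flush_global=False):
        self.rule_id = rule_id
        self.max_src_conn = max_src_conn          # open connections per source via this rule
        self.rate_count, self.rate_secs = rate    # (100, 10) means 100 new ones per 10 seconds
        self.table = overload_table               # set of offending addresses, the <bad> table
        self.states = states                      # shared list of (src, rule_id) open states
        self.flush_global = flush_global
        self.recent = defaultdict(deque)          # src -> timestamps of recent new connections

    def _overload(self, src):
        """Add src to the table and flush its states: only this rule's (default) or all (global)."""
        self.table.add(src)
        if self.flush_global:
            keep = lambda s: s[0] != src
        else:
            keep = lambda s: not (s[0] == src and s[1] == self.rule_id)
        self.states[:] = [s for s in self.states if keep(s)]

    def new_connection(self, src, now):
        """True if a state may be created for a new connection from src at time now."""
        if src in self.table:
            return False                          # the ruleset blocks members of the table
        window = self.recent[src]
        while window and now - window[0] >= self.rate_secs:
            window.popleft()                      # drop connections outside the rate window
        open_here = sum(1 for s in self.states if s == (src, self.rule_id))
        if open_here >= self.max_src_conn or len(window) >= self.rate_count:
            self._overload(src)
            return False
        window.append(now)
        self.states.append((src, self.rule_id))
        return True

def demo(flush_global):
    """A source that already holds a state from another rule opens three connections in
    three seconds against max-src-conn 3, max-src-conn-rate 2/10: the third trips the rate."""
    table, states = set(), [("10.0.0.9", "other")]
    lim = SourceLimiter("this", max_src_conn=3, rate=(2, 10),
                        overload_table=table, states=states, flush_global=flush_global)
    results = [lim.new_connection("10.0.0.9", t) for t in (0, 1, 2)]
    return results, sorted(table), list(states)

if __name__ == "__main__":
    print("flush:       ", demo(False))
    print("flush global:", demo(True))
```

With the 1.463 default only the two states this rule created are removed and the other rule's state survives; with flush global every state from 10.0.0.9 goes.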


# 1.460 21-Sep-2004 aaron

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok


Revision tags: OPENBSD_3_6_BASE
# 1.459 29-Jun-2004 henning

remove cedric's bogus interface name verification code.
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nice enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being bugged to regularly.
help & ok mcbride@


# 1.458 29-Jun-2004 frantzen

convert a few memcpy()s to strlcpy() so we don't copy uninitialized junk into
an interface name's slack space past the \0. will be needed for the optimizer.
ok henning@


# 1.457 26-Jun-2004 david

add back PF_INOUT, fixes reassemble tcp
ok canacar@ mcbride@


# 1.456 25-Jun-2004 deraadt

repair tree nanobreak by the nanobum


# 1.455 10-Jun-2004 dhartmei

rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
keyword in C++. ok henning@, cedric@


# 1.454 21-May-2004 dhartmei

Use '/' instead of ':' as separator for anchor path components. Note that
the parser now needs quotes around paths containing separators.
ok mcbride@


# 1.453 19-May-2004 dhartmei

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@


# 1.452 24-Apr-2004 cedric

Add "probability xxx" rule modifier. ok deraadt@


# 1.451 22-Apr-2004 henning

typo, From: Jared Yanovich <jjy2+@pitt.edu>


# 1.450 14-Apr-2004 cedric

make antispoof work with dynamic addresses. ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_5_BASE
# 1.449 20-Mar-2004 david

spelling fix; ok dhartmei@ henning@ deraadt@


# 1.448 14-Mar-2004 dhartmei

#include fixes, from Max Laier, ok beck@ henning@


# 1.447 08-Mar-2004 henning

plug 124 memory leaks
ok mcbride@ pb@ dhartmei@


# 1.446 06-Mar-2004 henning

from bgpd:
plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. err(1, "yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.445 01-Mar-2004 dhartmei

support "tagged <name>" on anchor rules, suggested by vd@vmunix.lt,
ok henning@, cedric@


# 1.444 24-Feb-2004 mcbride

'max-src-nodes' requires 'source-track rule'. Set that automatically,
unless 'source-track global' is explicit, in which case error out. Lots of
help from cedric@.

ok cedric@ henning@


# 1.443 24-Feb-2004 cedric

fixup.


# 1.442 24-Feb-2004 mcbride

Check for 'source-track rule' with 'max-src-nodes'.

ok cedric@ henning@


# 1.441 11-Feb-2004 cedric

Fix interface clobbering for link-local addresses. Found by Pyun YongHyeon.
Fix "antispoof for foo" when foo has no addresses.
ok+help dhartmei@, ok mcbride@


# 1.440 10-Feb-2004 henning

KNF


# 1.439 10-Feb-2004 henning

fix at least the worst of Cedric "KNF is for everybody but me" Berger's fuckup


# 1.438 04-Feb-2004 mcbride

Handle rules like 'pass ... proto { tcp udp icmp } ... modulate state'

ok dhartmei@ henning@


# 1.437 03-Feb-2004 henning

fix PR 3664 / jared r r spiegel
we need to save the unexpanded tag/tagged strings before entering the
expansion loop, and at each loop, start with the unexpanded tag, so that
on subsequent loops the macros are replaced with current values and not
the values from previous loop persist
ryan theo ok


# 1.436 05-Jan-2004 henning

few off by ones in strlcpy overflow check; Patrick Latifi


# 1.435 04-Jan-2004 cedric

don't ignore "!" on "binat on !foo". ok mcbride@


# 1.434 31-Dec-2003 deraadt

spacing. note this, cedric


# 1.433 31-Dec-2003 cedric

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@


# 1.432 30-Dec-2003 henning

fix TAILQ abuse.
TAILQ_REMOVE is a no-no within a TAILQ_FOREACH loop.
also free the symbol itself after removal.
all found while hacking bgpd which incorporates pfctl's sym code (macros).

ok cedric@


# 1.431 19-Dec-2003 henning

i wrote much of these, assert my copyright


# 1.430 19-Dec-2003 deraadt

assert copyright. i rewrite much of this


# 1.429 16-Dec-2003 mcbride

Check that max-src-states and max-src-nodes are not being set to 0.


# 1.428 15-Dec-2003 henning

KNF here too


# 1.427 15-Dec-2003 mcbride

Whitespace.


# 1.426 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contains regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


# 1.425 15-Dec-2003 mcbride

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@


# 1.424 29-Nov-2003 dhartmei

allow ':' (range including boundaries) to be used whereever '><' (range
excluding boundaries) is legal. already supported by kernel, requires only
removal of three error messages. ok henning@


# 1.423 22-Nov-2003 henning

daniel stumbled over a broken regress test, and it turned out that I forgot
to commit a diff from 11/6...
do not insert the "block in on ! interface" rule for antispoof statements when
the interface in question does not have any IP address, because that then
expands to
block in on ! interface all
which is obviously bad.
niklas@ found it, dhartmei@ ok, and I think some more ppl ok I don't remember


# 1.422 14-Nov-2003 henning

allow the debuglevel to be set from pf.conf (set debug)

ok cedric@


# 1.421 08-Nov-2003 mcbride

Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.

pass in proto tcp to self flags S/SA keep state (no-sync)

ok cedric@ henning@ dhartmei@


# 1.420 06-Nov-2003 henning

and fix two err() that should be errx() while being here


# 1.419 06-Nov-2003 henning

need calloc here


# 1.418 06-Nov-2003 henning

allow the label macros to be used in tags as well.
the idea is not mine and I'd love to give credit, but I cannot find the mail
any more :-((

ok canacar@ dhartmei@


# 1.417 21-Oct-2003 itojun

don't use NULL as (int)0. henning ok


# 1.416 26-Sep-2003 cedric

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remain in the kernel). Basically, improvements are:

- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fail.
- Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK

Ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_4_BASE
# 1.415 01-Sep-2003 henning

KNF


# 1.414 28-Aug-2003 kjell

This change is busted. what's worse, REGRESSION TESTS WOULD HAVE CAUGHT IT!
You MUST test network stack changes on BOTH BYTE-ORDERS.
Someone can fix this later, but right now I need to get the damn
firewall up. Grr.


# 1.413 26-Aug-2003 dhartmei

catch port/user/group a <>/>< b with a >= b, from mpech@


# 1.412 25-Aug-2003 dhartmei

catch return-rst ttl values > 255, from aaron@


# 1.411 24-Aug-2003 cedric

Tweaks:
- Make sure we allow only tables in round-robin pools for routing options,
same as what we do for translation rules.
- Don't reject rules like: "nat on sis0 -> <foo>" because
"no address family is given". This is perfectly valid.
ok henning@


# 1.410 22-Aug-2003 david

pf spelling police
ok dhartmei@ jmc@


# 1.409 21-Aug-2003 frantzen

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001


# 1.408 20-Aug-2003 henning

braindeadness police: catch queues which specify themselves as child... 'nuff said


# 1.407 20-Aug-2003 henning

err out nicer on errors in queue def


# 1.406 18-Aug-2003 dhartmei

catch max-mss values > 65535, report by Gregory Steuck


# 1.405 09-Aug-2003 cedric

This patch removes the restriction that tables cannot be used in routing or
redirection rules...

The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.

This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.

Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"

ok henning@ mcbride@
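
Added example, not pfctl's code: a Python model of the table expansion and pool handling the 1.405 message above describes. A negated entry removes its addresses from the set the positive entries define, and a redirection pool may mix plain addresses with a table reference; the table contents and the pool are constructed for the example.

```python
# Added example, not pfctl's code: model of negated table entries and of mixing
# tables with plain addresses in a round-robin pool, from the 1.405 commit
# message. The sample table and pool are constructed.
import ipaddress
from itertools import cycle

def expand_table(entries):
    """['10.0.0.0/29', '!10.0.0.0', '!10.0.0.7'] -> the six addresses .1 to .6.
    Positive entries add every address of the block, negated ones take theirs away."""
    included, excluded = set(), set()
    for e in entries:
        neg = e.startswith("!")
        net = ipaddress.ip_network(e.lstrip("!"), strict=False)   # a bare address is a /32
        (excluded if neg else included).update(net)                # all hosts of the block
    return sorted(included - excluded)

def pool_addresses(pool, tables):
    """Resolve a pool like ['1.1.1.1', '<bar>']: plain addresses stay, <name> expands a table."""
    addrs = []
    for item in pool:
        if item.startswith("<") and item.endswith(">"):
            addrs.extend(expand_table(tables[item[1:-1]]))
        else:
            addrs.append(ipaddress.ip_address(item))
    return [str(a) for a in addrs]

def round_robin(addrs, n):
    """The first n pool selections in round-robin order."""
    return [a for a, _ in zip(cycle(addrs), range(n))]

if __name__ == "__main__":
    tables = {"bar": ["10.0.0.0/29", "!10.0.0.0", "!10.0.0.7"]}
    print(round_robin(pool_addresses(["1.1.1.1", "<bar>"], tables), 8))
```

Because negation is applied after every positive entry is expanded, adding a host to the table later (the scripted add/remove the message has in mind) makes it take part in the rotation without touching the rule.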


# 1.404 29-Jul-2003 deraadt

indent


# 1.403 19-Jul-2003 cedric

Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
instead of indirectly through struct pf_rule_addr.

Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.

Needless to say: KERNEL/USERLAND SYNC REQUIRED.

ok henning@ mcbride@


# 1.402 18-Jul-2003 cedric

Simplify handling of flags (-R, -N...). Remove PFCTL_FLAG_ALL.
ok dhartmei@


# 1.401 15-Jul-2003 cedric

Repair memory management in table parsing code.
I need vacations.
Found and verified by Pyun YongHyeon.
ok dhartmei@


# 1.400 14-Jul-2003 dhartmei

tpo


# 1.399 11-Jul-2003 cedric

Better parsing and -v support for tables:

- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and bring table definition consistent with other
parsed rules.

ok dhartmei@


# 1.398 10-Jul-2003 cedric

Fix merging of host lists.
ok dhartmei@ henning@


# 1.397 04-Jul-2003 henning

KNF after cedric (grmpf)


# 1.396 04-Jul-2003 henning

allow for a "pass" modifier on translation rules:
nat pass on $ext_if from $a to $b -> $ext_if
when the pass modifier is given, the filter ruleset is _not_ evaluated but
the packets matching this translation rule are passed unconditionally.

ok dhartmei@ cedric@ markus@


# 1.395 03-Jul-2003 cedric

Bye bye atexit(), bye bye globals...
The pfctl.c part will probably need some further improvements.
ok henning@


# 1.394 03-Jul-2003 cedric

This patch finally cleanup pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@


# 1.393 19-Jun-2003 deraadt

knf


# 1.392 18-Jun-2003 henning

change expand_label_addr() to use a switch (h->addr.type) instead of
if .. else if .. else, and handle PF_ADDR_NOROUTE as well.
inspired by a comment from cedric.


# 1.391 18-Jun-2003 henning

when expanding the $srcaddr/$dstaddr label macros and the address is actually
a table reference, don't print nonsense but the table name.
found by claudio jeker, fix by me, agreement by cedric


# 1.390 09-Jun-2003 mcbride

Attempt to resolve byte order confusion in nat code once and for all.

- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()

NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.


# 1.389 25-May-2003 henning

must not run check_netmask() before remove_invalid_hosts() - binat case had it
wrong for the redirection target.
reported by jared r r spiegel <jrrs@ice-nine.org>


# 1.388 19-May-2003 henning

reject invalid netmasks like 10.0.0.0/68, and fix up the netmask for
dynaddr rules after we know the address family

ok dhartmei@, inspired by a session with bob
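
A worked illustration of the pool expansion described in entry 1.405 above ({ 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } round-robins over .1 to .6, and tables mix with plain addresses) together with the netmask check from entry 1.388 (10.0.0.0/68 is refused), added here as an example; it is not pfctl's code. The names parse_host, expand_pool and RoundRobinPool are chosen for this example, the pool tokens are constructed input, and Python's ipaddress module stands in for pfctl's own host()/set_ipmask handling. It also validates inet6 prefix lengths, which the entries do not mention:

```python
import ipaddress


def parse_host(token):
    """Parse one pool entry of the form 'addr[/prefix]' or '!addr[/prefix]'.

    Returns (negated, network). A prefix length that does not fit the
    address family (10.0.0.0/68, 2001:db8::/129) is rejected, mirroring the
    "reject invalid netmasks" check entry 1.388 describes.
    """
    negated = token.startswith("!")
    if negated:
        token = token[1:]
    addr, sep, prefix = token.partition("/")
    ip = ipaddress.ip_address(addr)          # raises ValueError on garbage
    maxlen = ip.max_prefixlen                # 32 for inet, 128 for inet6
    if not sep:
        plen = maxlen                        # bare address: host route
    elif prefix.isdigit():
        plen = int(prefix)
    else:
        raise ValueError(f"bad netmask in {token!r}")
    if plen > maxlen:
        raise ValueError(f"illegal netmask /{plen} for {addr} (max /{maxlen})")
    # strict=False applies the mask, so 10.0.0.1/8 becomes 10.0.0.0/8
    return negated, ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def valid_host(token):
    """True if parse_host() accepts the token (for the rejection checks)."""
    try:
        parse_host(token)
        return True
    except ValueError:
        return False


def expand_pool(tokens):
    """Expand a pool such as {10.0.0.0/29 !10.0.0.0 !10.0.0.7} or
    {1.1.1.1 10.0.0.8/31} into the ordered list of concrete addresses.

    Negated entries remove every address they cover from the positive blocks.
    Iterating a network includes its first and last address, so the /29
    yields eight candidates before the two negations are applied.
    """
    positives, negatives = [], []
    for tok in tokens:
        negated, net = parse_host(tok)
        (negatives if negated else positives).append(net)
    out = []
    for net in positives:
        for host in net:
            if any(host in neg for neg in negatives):
                continue
            if host not in out:                # duplicate entries collapse
                out.append(host)
    return [str(h) for h in out]


class RoundRobinPool:
    """Round-robin over the expanded pool, the way a translation or route-to
    pool hands out the next address for each new connection."""

    def __init__(self, tokens):
        self.addrs = expand_pool(tokens)
        if not self.addrs:
            raise ValueError("pool expands to no addresses")
        self._idx = 0

    def next_addr(self):
        addr = self.addrs[self._idx]
        self._idx = (self._idx + 1) % len(self.addrs)
        return addr
```

Negations are applied after every positive block is enumerated, so the order of tokens inside the braces does not matter; a pool that negates everything it lists is refused rather than silently producing an empty rotation.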


# 1.387 19-May-2003 henning

all host() receivers have to test for NULL


# 1.386 19-May-2003 henning

if host() returns NULL, it is an error, so err the fuck out and don't
load bullshit


# 1.385 17-May-2003 henning

support inverse matching on tags like
block in ! tagged sometag

ok dhartmei@ pb@


# 1.384 16-May-2003 dhartmei

TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive end-
point, preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@


# 1.383 15-May-2003 henning

properly complain about too long tags


# 1.382 14-May-2003 frantzen

add scrub modifier "reassemble tcp" to turn on stateful TCP normalizations
ok henning@ dhartmei@


# 1.381 14-May-2003 henning

tagging on binat


# 1.380 14-May-2003 henning

enabled tagging on rdr rules


# 1.379 14-May-2003 henning

with tag/tagged given, only whine about missing keep state on pass rules


# 1.378 14-May-2003 frantzen

allow SCRUB rules to specify protocol again. broken sometime in the past.
okie dhartmei@, yay pb@


# 1.377 14-May-2003 henning

tags on nat rules:
nat on $ext_if all tag humppa -> $ext_if
pass out tagged humppa keep state


# 1.376 13-May-2003 henning

make sure tagging is only ever used with stateful filter rules


# 1.375 13-May-2003 henning

userland part for tagging.
it's now possible to tag packets with an arbitrary tag and filter based on
that tag later on other interfaces:
pass in quick on fxp0 keep state tag blah
pass out quick on wi0 keep state with tag blah
can be used to express trust between interfaces, to distinguish between
NATed connections and connections originating from the firewall itself
and much more

ok dhartmei@ frantzen@ pb@ mcbride@


# 1.374 11-May-2003 mcbride

Don't ntohs() the translation port for nat as it is already in host byte order.
Makes nat ... -> $ext_if port 500 rules work correctly again.

ok henning@ dhartmei@ frantzen@


# 1.373 10-May-2003 henning

support loading of anchors from within the main ruleset via
load anchor anchorname:rulesetname file /path/to/file

ok pb@ dhartmei@ cedric@


# 1.372 03-May-2003 henning

don't free() the char * carrying the rule label too early
noticed by Mathieu Sauve-Frankel <m.sauve at secureops.net> via silc


# 1.371 01-May-2003 henning

ease label handling

ok cedric@


# 1.370 01-May-2003 henning

allow label on antispoof; requested by Gregor Binder <gbinder at sysfive.com>

ok cedric@


# 1.369 30-Apr-2003 cedric

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@


# 1.368 25-Apr-2003 dhartmei

Properly copy the second part of nat proxy port range, when specified.
ok henning@


# 1.367 15-Apr-2003 henning

pass down the unparsed queue opts (struct node_queue_opt) to
print_altq/print_hfsc -> print_hfsc_opts and extract struct node_hfsc_sc
there for each service curve and pass those down to print_hfsc_sc. now
bandwidth specifications in the service curves are printed correctly in the
case of a queue belonging to more than one interface/parent queue, the
parent queues having different bandwidths and the bandwidth on the service
curve being specified in percent.


# 1.366 14-Apr-2003 henning

let print_altq and print_queue take a struct node_queue_bw parameter instead
of distinct bw_percent


# 1.365 13-Apr-2003 henning

KNF


# 1.364 13-Apr-2003 henning

prevent double service curve specification


# 1.363 13-Apr-2003 henning

add support for the HFSC linkshare, realtime, and upperlimit service curves
to be specified.


# 1.362 13-Apr-2003 dhartmei

unbreak (missing })


# 1.361 13-Apr-2003 henning

say bye bye to hfscflags_list and hfscflags_item
welcome hfscopts_list and hfscopts_item, returning a full struct
node_hfsc_opt instead of just an int for the flags. needed because of all
the opts hfsc knows


# 1.360 13-Apr-2003 henning

new struct node_hfsc_opts for, surprise, hfsc options. needed because they
contain bandwidth specifications and we need to carry the unprocessed bw
specs around for quite some time until we can break them down to absolute
values.


# 1.359 13-Apr-2003 henning

pass down the struct node_queue_opts from the altqif/queuespec yacc targets
to expand_altq/expand_queue -> eval_pfaltq/eval_pfqueue and
further down to the new eval_queue_opts() instead of evaluating them directly
in the yacc grammar.
this will be needed to process the hfsc options which can contain relative
bandwidth specifications, and we can't break them down to an absolute one
earlier.


# 1.358 13-Apr-2003 henning

move the structs node_queue_bw and node_queue_opt to pfctl_parser.h.
let eval_pfqueue() and eval_pfaltq() take a pointer to a struct
node_queue_bw instead of two distinct bw_absolute and bw_percent parameters.


# 1.357 13-Apr-2003 henning

move the bandwidth keyword from within the bandwidth target up to the
queue_opts target so the bandwidth parser can be used for other things too;
will be needed for hfsc's linkshare etc


# 1.356 12-Apr-2003 henning

initial support for the HFSC scheduler.
whoever uses that for more than toying around is on drugs. it's far from done.


# 1.355 11-Apr-2003 henning

KNF


# 1.354 11-Apr-2003 henning

don't set r->qid and r->pqid in expand_rule any more, queue name -> queue ID
mapping is done in kernel land now


# 1.353 07-Apr-2003 dhartmei

Catch and refuse invalid icmp codes (> 255). ok pb@, mpech@.
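
A worked illustration of the numeric range checks that entries 1.413 (port/user/group a <>/>< b with a >= b), 1.412 (return-rst ttl > 255), 1.406 (max-mss > 65535) and 1.353 (icmp code > 255) describe, added here as an example; it is not pfctl's code. The names check_bounded, check_range and port_matches are chosen for this example, and the exclusive-bounds semantics of >< and <> follow pf.conf(5); the bound on user/group ids is not shown:

```python
# Upper bounds the log describes pfctl enforcing: 8-bit TTL and ICMP code,
# 16-bit max-mss and port numbers.
LIMITS = {
    "ttl": 255,          # return-rst ttl, entry 1.412
    "icmp-code": 255,    # entry 1.353
    "max-mss": 65535,    # entry 1.406
    "port": 65535,
}


def check_bounded(field, value):
    """Accept value for field only if it fits the field's width."""
    limit = LIMITS[field]
    if not 0 <= value <= limit:
        raise ValueError(f"{field} {value} out of range (0..{limit})")
    return value


def bounded_ok(field, value):
    try:
        check_bounded(field, value)
        return True
    except ValueError:
        return False


def check_range(op, a, b):
    """Validate the binary operators 'a >< b' (inside, bounds excluded) and
    'a <> b' (outside, bounds excluded). With a >= b the first form can
    match nothing and the second everything, so entry 1.413 refuses both."""
    if op not in ("><", "<>"):
        raise ValueError(f"unknown range operator {op!r}")
    check_bounded("port", a)
    check_bounded("port", b)
    if a >= b:
        raise ValueError(f"port {a} {op} {b}: first bound must be below second")
    return (op, a, b)


def range_ok(op, a, b):
    try:
        check_range(op, a, b)
        return True
    except ValueError:
        return False


def port_matches(rng, port):
    """Evaluate a validated range against a port, with pf's exclusive bounds:
    port 2000 >< 2004 matches 2001..2003, port 2000 <> 2004 everything else."""
    op, a, b = rng
    inside = a < port < b
    return inside if op == "><" else not inside
```

The check runs at load time, in the parser, rather than when a packet arrives: a rule that could never match (or always matches) is a configuration error, and refusing the whole ruleset is safer than installing a silently inert rule.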


# 1.352 05-Apr-2003 henning

ease netmask handling a bit

input theo, ok dhartmei@


# 1.351 05-Apr-2003 henning

allow queue specs to be limited to certain interfaces.

altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two }
queue one priority 1 priq(default)
queue two on $if0 priority 15
queue two on ! $if0 priority 0

ok dhartmei@


# 1.350 05-Apr-2003 henning

whitespace KNF


# 1.349 04-Apr-2003 henning

clean up:
instead of letting the lexer interpret '<' '>' '=' '>=' '<=' and return them
as PF_OP_LT, PF_OP_GT etc etc etc in PORTUNARY, just let the lexer return
'<' '>' and '=' literally, and in the few cases where the old PORTUNARY was
really used like originally intended, replace that by a new unaryop yacc
target. in all other cases that gets rid of quite some checks whether PORTUNARY
is really < and nothing else etc etc etc.

ok cedric@ deraadt@


# 1.348 27-Mar-2003 henning

lotsa const char *
from David Hill <david at phobia.ms> a while ago


# 1.347 27-Mar-2003 henning

introduce a "yesno" target. eases code a bit and yes is no keyword any more.


# 1.346 27-Mar-2003 henning

handle invalid priq/cbq flags better and give a nice error message


# 1.345 27-Mar-2003 henning

default, borrow, ecn, red and rio are no keywords any more. use STRING and
strcmp instead.


# 1.344 27-Mar-2003 henning

switch symset/symget to TAILQ instead of using hand baked lists

ok dhartmei@ cedric@


Revision tags: OPENBSD_3_3_BASE
# 1.343 19-Mar-2003 henning

branches: 1.343.2;
kill the address token and move the host() invocation up to the host token,
so that host() always gets the full address to be parsed including the
netmask instead of applying the netmask afterwards. this could break some
edge cases and was broken since the (interface)/24 fix.
new token dynaddr for, well, dynaddr, and apply an eventually given netmask
afterwards in the host token just in this case.

found after bug report From: Julien Bordet <zejames@greyhats.org> via dhartmei

ok daniel cedric


# 1.342 10-Mar-2003 henning

correctly cope with errors returned by eval_pfqueue and pfctl_add_altq

ok dhartmei@ pb@ (as part of... you know, monsterdiff)


# 1.341 10-Mar-2003 henning

when complaining about a queue without parent, include the queue name in
the error message

ok dhartmei@ pb@ (as part of a monsterdiff)


# 1.340 09-Mar-2003 henning

cope with LOOP_THROUGH modifying the list (queues).
in case of an error in the queue def in question the queues list remains
unmodified, but the LOOP_THROUGH caused a mod anyway, and the list can stay
empty. subsequent checks for NULL which check for an empty list fail then.
fix by adding an explicit check before looping.
fixes regress pfail31
error report by Kamil Andrusz via pb@, testcase from pb@
ok dhartmei@


# 1.339 09-Mar-2003 henning

cope with the fact that LOOP_THROUGH loops once even if the list is empty by
moving the addition of child queues a bit down after the successful
addition of the current queue and an explicit NULL check before looping.
fixes regress pf59
found by kjc@
ok kjc@ cedric@ dhartmei@


# 1.338 08-Mar-2003 henning

fix the obvious:
since we do not modify the struct pf_altq *a any more but our private copy,
we can of course not inherit the scheduler type from it, since it did not
inherit the scheduler type from the parent.
so just inherit the scheduler type from the parent directly...

ok dhartmei@ cedric@


# 1.337 08-Mar-2003 henning

in expand_queue, make a private copy of the struct pf_altq before modifying
it. modifying the original one had undesired side effects if a queue was
expanded to more than one because it belonged to more than one interface

ok pb@ cedric@ dhartmei@


# 1.336 06-Mar-2003 henning

fix queue assignment on filter rules which are not bound to an interface.
when looking up the queue IDs using qname_to_qid, we do not need to limit
the matching on the interface in question, as it is guaranteed that same
named queues on different interfaces have the same queue id. moreover, we
must not limit the matches to the interface if we do not have an interface
given on the filter rule to match on ;-)

found after problems reported by Andre Nathan <andre at v2r dot com dot br>

ok dhartmei@ pb@ cedric@


# 1.335 02-Mar-2003 henning

when printing queues at load time that have bandwidth specified in percent,
print the bandwidth in percent instead of the calculated absolute value.
if a queue belongs to more than one interface and they have different
bandwidth the calculated absolute is of course different per interface.
previously the first calculated absolute value was shown; which of course is
incorrect on the second interface. note that only the print was wrong, the
correct values were passed to the kernel.

ok theo daniel


# 1.334 02-Mar-2003 henning

remove the control keyword for cbq queues.
the control class was a legacy of the original CBQ design by LBL/Sun
to support RSVP.
the control class is not used in openbsd, in the sense that
we don't automatically set filters for ICMP/IGMP/RSVP for the control
class.

ok dhartmei@ kjc@ deraadt@


# 1.333 27-Feb-2003 david

modify error message to match the same 7 sections in pf.conf(5)
ok deraadt@ henning@


# 1.332 26-Feb-2003 henning

in expand_rule, correctly set r->pqid if a priority queue was defined, and
reuse the value of r->qid if not.

ok dhartmei@ mcbride@


# 1.331 25-Feb-2003 henning

some minor KNF my fingers just did...

ok dhartmei@ cedric@


# 1.330 25-Feb-2003 cedric

repair/simplify/flexify binat userland.
ok dhartmei@ henning@


# 1.329 24-Feb-2003 henning

when a macro is redefined, don't bother with reusing the existing entry in
symset() but just prepend a new sym entry to symhead like we always did. as
symget searches the list sequentially, the newest one is picked first.
prevents an endless loop introduced when trying to reuse the existing entry
by an invalid setting for the next pointer.
fixes regress test pf57.

found after conversation with Chris Linn, celinn at mtu dot edu

ok dhartmei@ cedric@


# 1.328 21-Feb-2003 henning

re-allow set loginterface none
ok cedric@ dhartmei@


# 1.327 21-Feb-2003 henning

better error message if set loginterface is called with nonexistent
interface, found by krause (who is doing EXCELLENT work. Thank you very
much!), fix by me, ok dhartmei@ and cedric@


# 1.326 20-Feb-2003 henning

reject nonexistent interfaces in the dynaddr case, noticed during discussion
with jasondixon at myrealbox dot com

ok dhartmei@


# 1.325 19-Feb-2003 dhartmei

Make 'from (kue0)/24' work again (dynamic interface name translation with
a /prefix), reported by Jason Dixon. ok henning@


# 1.324 19-Feb-2003 henning

better error message on icmp version / address family mismatch

ok markus@


# 1.323 18-Feb-2003 henning

fix load option handling (-A, -N, -R) for options.
due to a bug in the loadopt check options were always loaded no matter which
loadopts were specified.
while being there, move the prints for that to where they belong, into the
appropriate pfctl_set_* functions, and thus only print when the options are
actually loaded.
fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier.

ok dhartmei@


# 1.322 17-Feb-2003 henning

"optarg" was a bad pick for the variable name in pfctl_cmdline_symset, it
shadows a global. rename.


# 1.321 17-Feb-2003 mpech

-#include <sys/ioctl.h>

mcbride@, dhartmei@ ok


# 1.320 16-Feb-2003 henning

unneeded {}


# 1.319 16-Feb-2003 henning

throw a syntax error if the portunary operator in varset is no '='
extif>"whatever"
should not be the same as
extif="whatever"
but a syntax error.


# 1.318 14-Feb-2003 dhartmei

Allow route-to loopback interfaces again, since Ryan fixed the loops that
might have occurred before.


# 1.317 14-Feb-2003 cedric

Better and more consistent error message.
Ok dhartmei@


# 1.316 13-Feb-2003 henning

ease the yacc a bit by using a "not" rule instead of having two rules w/ and
without '!' everywhere

ok dhartmei@


# 1.315 12-Feb-2003 henning

KNF after ryan


# 1.314 12-Feb-2003 mcbride

Simplify the code and make the parser handle the different rule types
more consistently.

- Merge expand_nat and expand_rdr into expand_rule
- Merge rdrrule token into natrule

ok concept henning@
ok dhartmei@


# 1.313 11-Feb-2003 henning

allow macro definition on the command line:
pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea
theo), very handy if your notebook has another NIC at some conference, as
well as for debugging etc.
idea rezine@mistrusted.net via pb@
hacked live at FOSDEM

ok pb@ dhartmei@ cedric@
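
A worked model of the macro table as entries 1.329 (a redefinition prepends a new entry and symget scans sequentially, so the newest wins), 1.313 (pfctl -Dextif=wi0 overrides definitions in the file) and 1.233 (unused macros are only reported at -v -v) describe it, added here as an example; it is not pfctl's code. The class and the names symset, symget, persist and unused are chosen for this example, the rule lines are constructed input, and the way a command-line definition shields itself from the file (a persist flag checked in symset) is an assumption about the mechanism, not something the entries state:

```python
import re


class SymTab:
    """Macro table: newest entry first, lookups scan from the head."""

    def __init__(self):
        self._head = []   # list of dicts, prepended on every symset

    def symset(self, name, value, persist=False):
        """Define name. A persistent (command-line) definition already present
        makes a later file definition a no-op, so -D wins over pf.conf.
        Returns True if the definition was recorded."""
        for sym in self._head:
            if sym["name"] == name and sym["persist"]:
                return False
        # Prepend rather than reuse the old entry: the old one stays in the
        # list, harmless, and symget finds the new one first (entry 1.329).
        self._head.insert(0, {"name": name, "value": value,
                              "persist": persist, "used": 0})
        return True

    def symget(self, name):
        for sym in self._head:
            if sym["name"] == name:
                sym["used"] += 1
                return sym["value"]
        return None

    def unused(self):
        """Names that were defined but never expanded (the -v -v warning)."""
        used = {s["name"] for s in self._head if s["used"]}
        return sorted({s["name"] for s in self._head} - used)


def parse_cmdline_symset(arg):
    """Split a -D argument 'name=value'; a missing '=' or empty name is an error."""
    name, sep, value = arg.partition("=")
    if not sep or not name:
        raise ValueError(f"bad macro definition {arg!r}")
    return name, value


_MACRO = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def expand_macros(line, symtab):
    """Replace every $name in a rule line with its current value."""
    def repl(m):
        value = symtab.symget(m.group(1))
        if value is None:
            raise KeyError(f"macro '{m.group(1)}' not defined")
        return value
    return _MACRO.sub(repl, line)
```

Loading order matters: the -D definitions are entered with persist=True before the file is parsed, which is what lets the same pf.conf be loaded with a different external interface at a conference without editing it.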


# 1.312 09-Feb-2003 henning

more live code from FOSDEM:
make
pass in proto tcp to port 80
work.
-allow to omit the "any" if you're specifying a port
-allow to omit the from or to part if you want "any" for the other

ok dhartmei@ pb@


# 1.311 09-Feb-2003 henning

KNF


# 1.310 09-Feb-2003 camield

Fix a few warnings and remove unnecessary check and cast.

ok dhartmei henning


# 1.309 08-Feb-2003 dhartmei

Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@


# 1.308 05-Feb-2003 cedric

Fix "pass out dup-to (tun0 1.1.1.1) inet6 all" error message
Allow "pass out dup-to tun0 all"
ok mcbride@ henning@


# 1.307 05-Feb-2003 mcbride

Set the network mask to all 1's if no address is specified for a
route-to/dup-to/reply-to rule. Keeps round-robin from incrementing through
the entire address space.

ok dhartmei@


# 1.306 03-Feb-2003 deraadt

pretty


# 1.305 03-Feb-2003 dhartmei

Don't allow loopback interfaces as route/reply/dup-to targets. ok henning@


# 1.304 03-Feb-2003 cedric

remove loadopt global definition and cleanup a bit.
ok henning@


# 1.303 03-Feb-2003 henning

fix a problem with queue definitions when load options (like -N etc) are
given; they used to check for their parent interface/queue even in this
case.

ok dhartmei@ cedric@


# 1.302 02-Feb-2003 henning

there is no need to pass opts to parse_rules explicitly; it's passed as
part of the struct pfctl.


# 1.301 27-Jan-2003 deraadt

KNF


# 1.300 25-Jan-2003 mcbride

Match changes for rdr port ranges made to pf.c:
- fixes behaviour of rdr on le0 from foo to bar port 1:20 -> (lo0) port 22
- makes calculated mapping more explicit for the -> (lo0) port 22:* case

testing from dhartmei@

ok dhartmei@


# 1.299 25-Jan-2003 cedric

Fix NOACTION with table statements.


# 1.298 25-Jan-2003 cedric

Permit initialisation of a table content from a file in pf.conf.
Cleaning up of the table options parsing, more flexible.
idea+cleanup deraadt@, ok dhartmei@, pass all regress tests.


# 1.297 25-Jan-2003 cedric

Correctly check illegal constructs with tables. Better error messages.
ok dhartmei@ pass all regress tests.


# 1.296 25-Jan-2003 henning

if a table name is too long, it's actually nice to tell so instead of just
aborting with a syntax error


# 1.295 20-Jan-2003 camield

Remove unused argument from print_name() and fix two other nits
found by lint.

ok henning


# 1.294 19-Jan-2003 camield

Spin off label string expansion into a separate function. Clarifies
and tightens all expand_label functions.

ok dhartmei henning


# 1.293 18-Jan-2003 henning

KNF after ryan...


# 1.292 18-Jan-2003 mcbride

Add missing token string and assignment to make static-port work for real.

Diff and report courtesy of mpech@ and form@

ok dhartmei@


# 1.291 17-Jan-2003 camield

bandwith -> bandwidth

YYERROR on failed parseicmpspec()

ok dhartmei mcbride henning


# 1.290 15-Jan-2003 mpech

Typo in yyerror().

henning@


# 1.289 14-Jan-2003 henning

unified IP parser:
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h]
-extend host() to handle /mask itself, plus minor adjustments
-use that in pfctl_table.c instead of coding the same shit again

discussed w/ cedric@
ok cedric@ dhartmei@


# 1.288 13-Jan-2003 camield

err() on all memory allocation failures

ok henning dhartmei


# 1.287 11-Jan-2003 mcbride

Whitespace KNF


# 1.286 09-Jan-2003 henning

no need for explicit numbering in enums

ok dhartmei@


# 1.285 09-Jan-2003 dhartmei

Check return values on the remaining strlcpy/strlcat. ok henning@


# 1.284 09-Jan-2003 henning

minor KNF


# 1.283 09-Jan-2003 cedric

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@


# 1.282 08-Jan-2003 deraadt

check more strlcpy; camield@


# 1.281 07-Jan-2003 dhartmei

Allow underscore at the beginning of strings, fixes
pass all user _spamd
which was refused as syntax error before. Reported by Joe Nall.
ok henning@


# 1.280 07-Jan-2003 dhartmei

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@


# 1.279 06-Jan-2003 mcbride

Fix some oversights with address pools for route-to/dup-to/reply-to
- copy key for src-hash
- copy pool type (pools were being set to round-robin in all cases)

+ some minor knf.

ok dhartmei@


# 1.278 05-Jan-2003 henning

err after calloc failure, not errx


# 1.277 05-Jan-2003 dhartmei

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@


# 1.276 04-Jan-2003 dhartmei

move noroute from flag in pf_rule_addr into type in pf_addr_wrap.
ok henning@, mcbride@


# 1.275 04-Jan-2003 deraadt

I do not know where this policy of "one .h file for every .c file" comes
from, but whoever thought of it is stupid.


# 1.274 03-Jan-2003 dhartmei

whitespace KNF (no, i don't touch the option inits)


# 1.273 03-Jan-2003 cedric

Bring in userland code for accessing PF radix tables.
ok dhartmei@ mcbride@


# 1.272 02-Jan-2003 mcbride

Require a direction to be specified for rules which do routing.

ok dhartmei@ henning@


# 1.271 30-Dec-2002 mcbride

Change ipv6-icmp-type to icmp6-type. pf.conf files will need to be adjusted
to reflect this.

ok dhartmei@ henning@


# 1.270 27-Dec-2002 mcbride

Since pf_norm.c looks at rule.log to see if it should log packets being
dropped due to scrub violations, this adds the ability to set this in
pf.conf.

ok henning@


# 1.269 21-Dec-2002 henning

always initialize rpool.key; diff from Frank Denis; KNF by me


# 1.268 21-Dec-2002 henning

KNF


# 1.267 20-Dec-2002 dhartmei

remove a redundant assignment.


# 1.266 19-Dec-2002 dhartmei

fix 'no rdr'.


# 1.265 18-Dec-2002 henning

more KNF


# 1.264 18-Dec-2002 dhartmei

proto list expansion is not supported in binat-anchor yet, print an error
when attempted.


# 1.263 18-Dec-2002 dhartmei

Support (single) destination port in rdr-anchor rules. Print an error
where parameters are not supported (in rdr-anchor and binat-anchor) yet.
If those are needed, we'll have to expand them properly.


# 1.262 18-Dec-2002 deraadt

fix some INCREDIBLE new bugs which were introduced


# 1.261 17-Dec-2002 henning

add support for the PRIQ scheduler

partially from kjc@

ok kjc@ dhartmei@


# 1.260 17-Dec-2002 mcbride

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule

ok dhartmei@ henning@


# 1.259 17-Dec-2002 henning

missing break in switch


# 1.258 17-Dec-2002 henning

beautify the %type block


# 1.257 17-Dec-2002 henning

PRIQ and HFSC support functions, not yet used.
mostly from kjc@ with adjustments by me.

ok theo ryan daniel


# 1.256 16-Dec-2002 henning

only create a root queue if scheduler = cbq


# 1.255 16-Dec-2002 henning

get full [scheduler]_opts struct instead of just .flags, and wrap in into a
switch (scheduler) statement in one case

inspired by kjc@


# 1.254 13-Dec-2002 henning

allow a second queue for higher priorized (currently: tos=lowdelay) packets
to be specified per rule

queue (qname, priorized_qname)

idea dhartmei
ok dhartmei@ frantzen@ deraadt@


# 1.253 13-Dec-2002 henning

a bit KNF originally part of another diff soon to come; frantzen@ correctly
pointed out that should be a separate commit.


# 1.252 13-Dec-2002 deraadt

permit re-ordering of some scrub parameters, and also clean up some other
grammar baloney; henning ok


# 1.251 12-Dec-2002 henning

KNF


# 1.250 12-Dec-2002 henning

we don't need to keep a private copy of the queue name in expand_rule,
r->qname is never modified

discussed with dhartmei@


# 1.249 11-Dec-2002 mcbride

Replace strncpy + ugly pointer math with sscanf for reading source-hash keys

ok dhartmei@ henning@


# 1.248 09-Dec-2002 dhartmei

(properly guarded) strcpy() -> strlcpy()


# 1.247 09-Dec-2002 deraadt

do not allow redefinitions in variable option blocks; henning ok


# 1.246 08-Dec-2002 henning

strncpy is evil.


# 1.245 08-Dec-2002 henning

allow flexible options order like Theo did for rules.

idea, lots of input, motivation and ok deraadt@

ATTENTION:
this changes the syntax. the "scheduler" keyword is gone now.
old: altq on $interface scheduler cbq ...
new: altq on $interface cbq ...


# 1.244 07-Dec-2002 dhartmei

Support parameters in anchor rules. Allows conditional evaluation, like:

anchor spews inet proto tcp from any to any port smtp

ok deraadt


# 1.243 07-Dec-2002 henning

more KNF


# 1.242 07-Dec-2002 henning

KNF


# 1.241 07-Dec-2002 henning

shadow cleanup

ok mcbride@ frantzen@


# 1.240 07-Dec-2002 henning

kill an unused param to lungetc


# 1.239 07-Dec-2002 mcbride

Convert the hash of a string key to network byte order. Makes regression
work on all platforms.

Bug found by dhartmei@

ok dhartmei@ henning@


# 1.238 06-Dec-2002 dhartmei

Remove negated address list check again, doesn't work right yet.


# 1.237 06-Dec-2002 dhartmei

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@


# 1.236 05-Dec-2002 henning

fix a small cosmetic problem. if ifa_lookup was called in LOOKUP_NET mode,
it would return things like 127.0.0.1/8. when 127.0.0.1/8 is passed through
the new selftests, it becomes 127.0.0.0/8.
fix: instead of just copying addr.mask in ifa_lookup, use set_ipmask, so it
is 127.0.0.0/8 from the beginning on.


# 1.235 05-Dec-2002 henning

-quote varset in -v output
-don't add 's' in set timeout -v output

makes the feedback regression tests succeed.

ok markus@ mcbride@


# 1.234 04-Dec-2002 henning

in host(), apply a given netmask to all members of the node_host list
returned by ifa_lookup().

reported by Alejandro G. Belluscio

ok dhartmei@


# 1.233 04-Dec-2002 deraadt

do not warn for unused variables except with -v -v; henning ok


# 1.232 02-Dec-2002 henning

KNF


# 1.231 02-Dec-2002 deraadt

permit more flexible pass/block lines. the options given at the end of
a line can now be placed in any order, and some merging of duplicate options
is also done. this is easier to use.


# 1.230 02-Dec-2002 henning

allow for "altq on $interface" without specifying a bandwidth. The
interface's bandwidth is taken then.
as a side-effect, "altq on $interface bandwidth xx%" is also possible now,
it's relative to the interface's bandwidth then.

ok theo


# 1.229 30-Nov-2002 mickey

move damn unmask() proto into place as well


# 1.228 29-Nov-2002 henning

coredumps are not nice.
deal with the fact that when we are merging the lists in host_list both can
be NULL.
found at EuroBSDCon 2002 while I was explaining the expansion process to
Paul de Weerd

ok dhartmei@


# 1.227 29-Nov-2002 henning

print queuespec only once in verbose mode, even if referenced more often


# 1.226 29-Nov-2002 henning

FREE_LIST nqueues later; can be used more than once


# 1.225 28-Nov-2002 henning

allow qlimit on altq spec


# 1.224 28-Nov-2002 mcbride

- Adjust to match replacement of md5 with pf_hash
- Allow keys to be specified in hex (must be 128 bits, mainly to make
pfctl -v output parseable by pfctl) or as a string. Randomly generate key
if one is not specified.

Suggestions and fixes from camield@

ok mickey@ camield@ henning@


# 1.223 27-Nov-2002 henning

handle the "no bandwidth specified" case earlier and easier.


# 1.222 27-Nov-2002 henning

-use a #define for default qlimit instead of hardcoding it
-print qlimit in print_queue if it is not the default one
-assign the default qlimit early in the parser instead of using 0


# 1.221 27-Nov-2002 henning

next round in print fixes:
-only print priority if it is not equal to the default one
-space handling overhaul


# 1.220 27-Nov-2002 henning

use a #define for default priority instead of hardcoding it


# 1.219 27-Nov-2002 henning

fix tbrsize spec


# 1.218 27-Nov-2002 henning

fix error message for altq ifspec without child queues


# 1.217 26-Nov-2002 henning

make bandwidth specification on queue truly optional


# 1.216 26-Nov-2002 henning

queue comes before NAT


# 1.215 25-Nov-2002 henning

repair decide_address_family
you cannot just take the first address family you meet as the rule's address
family... either all are equal, or the rule has no explicit AF.

found by danh@
ok theo


# 1.214 25-Nov-2002 mickey

for loN and link1 translate the iface into address properly; henning@ ok


# 1.213 25-Nov-2002 henning

1Kb = 1000b, not 1024; as discussed with kjc@ and theo


# 1.212 25-Nov-2002 henning

KNF


# 1.211 24-Nov-2002 pb

enforce that queue comes right before filtering
'options, normalization, translation, queue, filter' now

henning@ ok


# 1.210 24-Nov-2002 dhartmei

Cosmetics and removal of a redundant code block.


# 1.209 23-Nov-2002 deraadt

sigh


# 1.208 23-Nov-2002 henning

KNF


# 1.207 23-Nov-2002 henning

better error checking in expand_queue


# 1.206 23-Nov-2002 henning

easier


# 1.205 23-Nov-2002 mcbride

Daniel's diff to untangle my mess with ifa_pick_ips like so:

- add decide_address_family() which runs through the list to find hosts
with the af set
- replace ifa_pick_ips with remove_invalid_hosts() which removes hosts with
the wrong address family from the list

from/ok dhartmei@


# 1.204 23-Nov-2002 henning

better error checking, round 1
this time in expand_altq


# 1.203 23-Nov-2002 henning

KNF


# 1.202 23-Nov-2002 deraadt

KNF


# 1.201 23-Nov-2002 dhartmei

$$->ifname is NULL, leave it NULL, don't $$->ifname[0] = 0;


# 1.200 23-Nov-2002 mcbride

Fix brokenness in parse.y, clean up:
- remove requirement for ( ) in route-to ( if )
- calloc route_host
- initialise route_host->next
- globally convert malloc to calloc

ok dhartmei@


# 1.199 23-Nov-2002 mcbride

code to support loading of pf rules with multiple redirection addresses
(in nat, rdr, route-to, dup-to and reply-to)

Syntax looks like this, see pf.conf(5) for details:

nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
192.168.0.16/29 source-hash random

rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
{ 192.168.0.8/31, 192.168.0.15 } port 22 round-robin

ok dhartmei@ henning@


# 1.198 22-Nov-2002 henning

print altq and queue lines in the pfctl -v case including the child queue
assignment


# 1.197 19-Nov-2002 henning

only take cbq opts from schedtype if type=CBQ


# 1.196 19-Nov-2002 henning

repair queuespec syntax glitch, theo agrees


# 1.195 19-Nov-2002 henning

default priority is 1, not 0
found by pb@


# 1.194 19-Nov-2002 camield

- match 'Gb' case-sensitively
- match "%" unit only, not "%crap"

ok henning@


# 1.193 19-Nov-2002 wilfried

icmp-type was off by one, ok henning@


# 1.192 18-Nov-2002 deraadt

no; do not use };


# 1.191 18-Nov-2002 henning

more using strl* return values instead of strlen calls


# 1.190 18-Nov-2002 henning

easier "queue name too long" detection; from theo


# 1.189 18-Nov-2002 deraadt

KNF


# 1.188 18-Nov-2002 deraadt

KNF


# 1.187 18-Nov-2002 henning

altq and pf merged

this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documentation yet, but committing now
enables a few more people to work on.

print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.

"commit now" theo philipp daniel


# 1.186 13-Nov-2002 henning

as scrub rules end up in a struct pf_rule just call expand_rule instead of
handcrufting this.
has quite a few positive side effects:
-interface list expansion works (fries@ asked for that)
-can specify address family, very helpful with dynamic interface expansion
(pointed out by daniel)
-src/dst ip/port list expansion works
-fixes a long standing, scary, though never noticed bug:
scrub out on lo1 from any to 10.0.0.1
expanded to
scrub out on lo1 all
... this bug was there from day #1.

"sneaky diff of the month award" dhartmei@


# 1.185 13-Nov-2002 dhartmei

Add label macro $if, as we support {} list expansion for interfaces now.
From David Gwynne. ok henning@, camield@


# 1.184 13-Nov-2002 dhartmei

Initialize tail pointer to node, found by fries@


# 1.183 08-Nov-2002 henning

init buf to NULL just in case...
there isn't a single codepath where it can remain uninitialized, but this
might prevent a stupid bug if we change something later


# 1.182 07-Nov-2002 henning

move the ifa_exists block a bit up in host()
inspired by mpech@ pointing out a missing free(buf). so handle the
it-is-an-interface case where we don't need the buf before allocating memory.


# 1.181 04-Nov-2002 henning

welcome to CIDR world, pfctl!

use inet_net_pton to parse IP addresses.
stuff like
block in from 10/8 to any
works now.

some input camield@ and dhartmei@

ok dhartmei@, camield@, mcbride@


# 1.180 02-Nov-2002 dhartmei

%i -> %d, matches the style of existing code, from millert@


# 1.179 02-Nov-2002 dhartmei

printf int with %i, not %u. from pilot@monkey.org.


# 1.178 30-Oct-2002 henning

simplify


# 1.177 30-Oct-2002 henning

fix interface expansion. since the reversed list expansion code was
committed this was broken, only the first IP address was returned.

pointed out by danh@, who sent an excellent bug report.

ok dhartmei@


# 1.176 29-Oct-2002 henning

introduce
set require-order [yes|no]
default is yes.
with set to "no", it isn't required to have the rules in order (options,
scrub, nat, filter) any more, though of course NATing still happens before
filtering and so on, so one has to take care.

ok camield@ mcbride@ dhartmei@
idea discussed with a whole lotta more people and basically ok for everyone ;-)


# 1.175 27-Oct-2002 henning

remove the "flags X" syntax.
no one who wrote "flags S" meant that, but actually something like "flags
S/SA". with "flags S" changing its actual meaning as more flags got
supported, things got worse.

ok dhartmei@, pb@


# 1.174 22-Oct-2002 mpech

%ul -> %lu

dhartmei@ ok


# 1.173 22-Oct-2002 mcbride

More conversion of "int af" and "u_int8_t af" declarations and function
arguments to the more correct and descriptive "sa_family_t af"

ok dhartmei@ henning@


# 1.172 22-Oct-2002 camield

Rename ipmask to set_ipmask and add some functionality: the netmask
is applied immediately to the address.

This way, the parsed rules output shows exactly which bits of an
address are significant for a match and errors due to wrong netmasks
can be spotted more easily.

Example:
$ pfctl -nvf -
pass in on lo0 from 172.17.0.0/12 to any
@0 pass in on lo0 inet from 172.16.0.0/12 to any

idea refined by dhartmei@
ok frantzen@ henning@


# 1.171 17-Oct-2002 mcbride

These checks are also made in nat_consistent() and rdr_consistent().

ok dhartmei@ henning@


# 1.170 17-Oct-2002 camield

- accept all protocols that are specified by number if they are in
the valid range (also when they're not listed in /etc/protocols)
- explicitly disallow protocol number 0, because it has special meaning
to pf

ok dhartmei@ henning@


# 1.169 16-Oct-2002 mpech

Fix and improve binat mask comparison.

dhartmei@, henning@ ok


# 1.168 14-Oct-2002 henning

Allow one to specify a netblock in a binat rule:

binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27

Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.

from ryan

ok dhartmei@


# 1.167 11-Oct-2002 camield

When a macro cannot be expanded because it is not defined, say so. Also warn
about unused macros.

ok dhartmei@ henning@


# 1.166 11-Oct-2002 camield

In lgetc(), compress strings of whitespace to a single space. This makes
macros come out right in verbose mode and is less functional overhead.

Also err on whitespace after a backslash. That type of error is hard to
find otherwise.

ok dhartmei@ henning@


# 1.165 08-Oct-2002 vincent

remove <0 checks on unsigned numbers.

ok henning@


# 1.164 07-Oct-2002 dhartmei

-Wsign-compare clean


# 1.163 07-Oct-2002 dhartmei

Two cases of const-correctness and make one global local.


# 1.162 07-Oct-2002 henning

set block-policy [drop|return]
drop is default, same behaviour as before

support
block drop
to override a return policy


# 1.161 07-Oct-2002 henning

support a generic return
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else

ok dhartmei@


# 1.160 07-Oct-2002 henning

make return-icmp work for rules covering both v4 and v6
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)

ok and some input dhartmei@


# 1.159 07-Oct-2002 henning

use a new rule_flag PFRULE_RETURNICMP to decide whether to return-icmp or not
instead of just testing return_icmp > 0

ok dhartmei@


# 1.158 07-Oct-2002 dhartmei

Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.


# 1.157 06-Oct-2002 dhartmei

Move CHECK_ROOT into LOOP_THROUGH, gets rid of one macro and saves
several lines, no functional difference. From Camiel Dobbelaar.


# 1.156 05-Oct-2002 dhartmei

Expand {} lists from left to right, so 'pass in from { a, b } to any'
becomes '@0 pass in from a to any @1 pass in from b to any' instead of
the other way around. Patch from Camiel Dobbelaar.


# 1.155 05-Oct-2002 dhartmei

Allow filtering based on IP header's tos field.


Revision tags: OPENBSD_3_2_BASE
# 1.154 22-Sep-2002 henning

little KNF: return(something) -> return (something)


# 1.153 22-Sep-2002 henning

fix linenumber counting in findeol, and simplify by ignoring the \ case,
that's already handled earlier.
fast-forward on erroneous lines

partially from camield@, parts result of a discussion with Mike

ok frantzen@ dhartmei@


# 1.152 22-Sep-2002 henning

antispoof, take 2.
also block incoming packets with our own IP as src.

discussion & help frantzen

ok ho@ dhartmei@ frantzen@


# 1.151 17-Sep-2002 henning

easier "self" implementation.
no functional changes

ok pb@


# 1.150 15-Sep-2002 henning

set a netmask in the dynaddr case
noticed by <han@mijncomputer.nl>

ok pb@


# 1.149 14-Sep-2002 henning

bit more clue in rdr/nat rules wrt address family examination
don't take the af from host_node structs based on interface lookups, most
interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will
at least have one IP address specified from which we take the af for the
whole rule. The rare exceptional cases require the user to specify the af.

ok frantzen@


# 1.148 12-Sep-2002 henning

check for calloc() failure; ho@


# 1.147 12-Sep-2002 henning

antispoof [log] [quick] for [interface|interface_list] [af]

e. g.

antispoof log quick for { dc0, dc1 } inet

docs & regress coming

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@
IPv6 help itojun@

finally, a long story finds its happy end here.


# 1.146 12-Sep-2002 henning

rework netmask handling:
-don't set netmask in host token handler
-clear netmask in ipmask() proper before setting it
-in ifa_load(), also store interface's netmask and broadcast address
-allow ifa_lookup() to return either the interface's IP address(es), network(s)
or broadcast address(es) - not used anywhere yet. This implies that
ifa_lookup() also returns the netmask now.
-host() returns netmasks, too

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@


# 1.145 08-Sep-2002 henning

be more clueful wrt address family in nat/rdr rules.
behaviour noticed by Paul de Weerd, thanks!

ok dhartmei@


# 1.144 02-Sep-2002 dhartmei

Fix parsing of port ranges in translation rules (port a:b -> port c:d).
ok henning@


# 1.143 02-Sep-2002 dhartmei

Make sure the interface specified with route-to/dup-to/fastroute exists
and null-terminate the interface name. Found by Michael Wallis.
ok henning@


# 1.142 20-Aug-2002 dhartmei

Increase lineno on newlines inside multi-line macro definitions, otherwise
errors on subsequent lines are reported with wrong line numbers.
From Paul B. Henson.


# 1.141 16-Aug-2002 henning

kill duplicated check for '(' and ')' in allowed_in_string


# 1.140 12-Aug-2002 dhartmei

Catch null pointer deref (segfault), from wilfried@


# 1.139 06-Aug-2002 henning

missing free(), mpech@
ok pb@


# 1.138 06-Aug-2002 henning

check for strdup() allocation errors

pointed out by mpech@
ok pb@


# 1.137 31-Jul-2002 henning

KNF, esp. missing prototypes


# 1.136 30-Jul-2002 henning

grmpf.
in some cases, on non-tcp rules flags weren't reset. cosmetic only
problem. but, well, checking for r->flags and r->flagset if we could have
assigned them zero just one round ago is just stupid, and it's not needed to
check them at all.

ok pb@, dhartmei@


# 1.135 30-Jul-2002 henning

allow to specify flags on all rules that include tcp.

these are valid:

pass in from any to any flags S
pass in proto { tcp, udp, icmp } from any to any flags S
pass in proto tcp from any to any flags S

these are invalid:

pass in proto { udp, icmp } from any to any flags S
pass in proto udp from any to any flags S

ok "I've lost my slacker status for at least a week" frantzen@
ok pb@, dhartmei@, deraadt@


# 1.134 26-Jul-2002 henning

make the order of log and quick irrelevant. now both
block in log quick all
and
block in quick log all
work.

ok dhartmei@, deraadt@


# 1.133 23-Jul-2002 henning

timeout_list/_spec and limit_list/_spec don't return anything -> no %type.

ok theo


# 1.132 21-Jul-2002 deraadt

fix route-to also


# 1.131 21-Jul-2002 deraadt

make the , optional in many places. This makes string concat a lot more
useful. Now you can
in = ssh domain www
out = $in ftp finger
pass in proto tcp from any to any port { $in }
pass out proto tcp from any to any port { $out }
a poor example, but the idea is obvious


# 1.130 21-Jul-2002 deraadt

string concat, ie.
a=a b
c=$a $a


# 1.129 20-Jul-2002 deraadt

minor indent tweaks


# 1.128 20-Jul-2002 deraadt

properly split yacc and lex use


# 1.127 19-Jul-2002 deraadt

minor tweaks, sigh


# 1.126 19-Jul-2002 dhartmei

And back out the last change again.


# 1.125 19-Jul-2002 henning

rework the interface lookup routines internals.
less and easier code than before.
no functional changes.

ok frantzen@, dhartmei@


# 1.124 19-Jul-2002 dhartmei

Support # comments at the end of lines and inside (multi-line) string
literals, so you can do things like

macro="{ foo, # first entry
bar, # second entry
baz }" # last entry

or

pass in on $ext_if \ # external interface
proto tcp \ # TCP connections
from any to $ext_if \ # to the gateway itself
keep state

And sneaking in two minor fixes for KNF.


# 1.123 19-Jul-2002 henning

deal with the fact that the struct node_host ifa_pick_ip gets is not always
the result of an interface expansion. in this case ifa_pick_ip does an
address family check (that's actually a (wanted) side effect). Thus, we need
to spit out a meaningful error message in case of a mismatch.
also adjust all the other error messages, they were also assuming that nh is
the result of an interface expansion.
after a looooong discussion on icb (dhartmei@, pb@, me) we agreed on the term
"translation address" for that.

okay dhartmei@


# 1.122 17-Jul-2002 henning

support "self" as address. self expands to all IPv4 and IPv6 addresses of
the machine, on all interfaces. I wanted
block in log on ! lo0 from any to self
for years, and now it's possible.

ok "I may lose my slacking status if I OK it" frantzen@
ok dhartmei@

documentation in pf.conf.5 to come with pb@'s rewrite


# 1.121 16-Jul-2002 dhartmei

Add nat_consistent() and rdr_consistent() for checks that should occur
after rule expansion, similar to rule_consistent(). Fixes the
non-effective test for rdr rules for non-TCP/UDP protocols with ports,
found by mpech@, ok frantzen@


# 1.120 15-Jul-2002 henning

add support for
pass|block on ! $interface ...

ok dhartmei@

will be documented in pf.conf(5) by "I'm not slacking!" pb@ who's currently
reworking this manpage


# 1.119 15-Jul-2002 pb

cosmetics/consolidations to manpage in yyerror()s

ok henning@, dhartmei@


# 1.118 15-Jul-2002 henning

o complain about keep state on block rules
o complain about return-rst on rules which aren't limited to tcp

pointed out by not-slacking-but-testing pb@

ok pb@, dhartmei@


# 1.117 13-Jul-2002 henning

add list expansion for interface and proto in nat rules and for proto in rdr
rules (interface was already there). since the nat.conf/pf.conf merge the
parser accepted these but didn't expand them. ugh.

ok dhartmei@


# 1.116 09-Jul-2002 itojun

check sin6_scope_id field, just in case we change the routing socket API
for scoped address (unlikely due to the deployed codebase...).


# 1.115 09-Jul-2002 itojun

getifaddrs(3) grabs link-local addrs in kernel internal form, convert them
into proper sockaddr_in6.


# 1.114 09-Jul-2002 henning

rework the interface-to-IP routines.

you can use interface names instead of an IP in most places. However, until
now, it was only expanded to the interface's first IPv4 address if existent
(and address family unset or inet) and the first IPv6 address otherwise.

this diff changes that. the interface is properly expanded to all IPs, IPv4
_and_ IPv6, now.

it also cleans up the lookup procedures (well, in fact, they are replaced by
a new one), there's no need for different procedures for IPv4 and IPv6. we
now just have one list of interfaces (AF_LINK) and one list with IPs
(AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and
ifa_lookup.

nat, rdr & friends now use the new function ifa_pick_ip to get the IP in
rules like

nat on $interface from $whatever to any -> $interface

ifa_pick_ip tries to be smart.
if the interface has only one IP address and the nat rule doesn't specify an
address family (or it matches with this address), take this one.
If the address family is specified in the nat rule and there is only one IP
for the given address family, this one is used. if the address family is not
specified and there is more than one IP pfctl throws an error. The same
applies for multiple IPs per address family.

This causes regression tests 18 and 20 to fail because the address family
isn't specified there; diff for those coming.

also fix some prototypes while I'm here.

pb@ found another problem while testing that we must have introduced somewhat
after 3.1.

$cat t
nat on ne3 from any to any -> 213.128.133.5
$pfctl -nvf t
nat on ne3 all -> ?

it's only a representation bug as far as I've checked, nonetheless it should
be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just
steal its target's IP af and set the rule's af accordingly. then inet_ntop
does play nice.
binat rules already enforce having an address family set always and thus are
not affected.

ok dhartmei@, pb@, kjell@
"It looks good" frantzen@


# 1.113 08-Jul-2002 dhartmei

Don't allow 'flags' option in non-TCP rules, found by mpech@


# 1.112 05-Jul-2002 henning

unbreak.


# 1.111 05-Jul-2002 henning

another small bug I found while installing a -current pf firewall.
we don't support

pass/block in on ! <interface>

(at least, not yet)
let the parser complain instead of ignoring the '!'

ok pb@, dhartmei@


# 1.110 01-Jul-2002 espie

streamline parse buffer handling (no need to copy value that is not
going to go away).

add explicit pushback buffer, to be able to push IPv6 failed parses back.

handle pushback + parse buffer interactions by using negative indices.

okay dhartmei@, deraadt@


# 1.109 01-Jul-2002 deraadt

KNF


# 1.108 28-Jun-2002 dhartmei

Don't check for address family conflicts in nat/rdr before expansion,
rules will expand to all valid combinations, and there's an error when
none is found. Makes "nat on tun0 from 10.0.0.0/8 to any -> (tun0)"
work (again).


# 1.107 25-Jun-2002 henning

move pfctl options -t, -m, -O and -l to pf.conf. These are set using the
"set" keyword. example rulefile:

set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all

fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@


# 1.106 24-Jun-2002 dhartmei

Use interface when specified in scrub rule. No support for ! or {} yet.


# 1.105 23-Jun-2002 deraadt

uid_t and gid_t are unsigned


# 1.104 20-Jun-2002 dhartmei

Copy address family from inet/inet6 keyword, if specified.


# 1.103 18-Jun-2002 frantzen

propagate a '!' when a host resolves to multiple IP addresses
ok dhartmei@


# 1.102 18-Jun-2002 frantzen

don't allow individual keep state rules to specify timeouts for 'interval' and
'frag' -- they aren't applied anyway
ok dhartmei@ and henning@


# 1.101 16-Jun-2002 aaron

Rules must in order -> Rules must be in order


# 1.100 15-Jun-2002 dhartmei

Reset rulestate in parse_rules(), so consecutive calls (like from authpf)
will not fail. Reported by Chris Kuethe.


# 1.99 13-Jun-2002 kjell

Fix the numbering of scrub rules. pointed out and oked by frantzen@


# 1.98 12-Jun-2002 kjell

Fix uninitialized access. Spotted by danh@ This is a good reason to
develop with "ln -s 'J' /etc/malloc.conf" enabled.
ok henning@


# 1.97 11-Jun-2002 frantzen

split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@. the rest are slacking


# 1.96 11-Jun-2002 frantzen

SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@


# 1.95 11-Jun-2002 dhartmei

Make NAT proxy port range configurable per rule, for instance privileged
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@


# 1.94 10-Jun-2002 kjell

Merge the NAT and rules files into a single rulefile. Rules must be
in this order, to remove any ambiguity about what order things happen in:

scrub rules
nat rules
filter rules

The -N and -R modifiers go away. Rulefiles are now loaded with the
more POSIXly-correct '-f'

ok frantzen@


# 1.93 10-Jun-2002 dhartmei

Allow ports to be specified in nat rules, useful later on for individual
proxy port ranges.


# 1.92 10-Jun-2002 dhartmei

Move enum out of struct (gcc 3.1 wasn't happy), from David Krause


# 1.91 10-Jun-2002 kjell

split scrub rule processing into its own yacc target,
for imminent config file merge. ok frantzen@


# 1.90 09-Jun-2002 dhartmei

Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it
includes ports and operator.


# 1.89 09-Jun-2002 deraadt

spaced out developers...


# 1.88 09-Jun-2002 kjell

Add list parsing in RDR rules: e.g.

rdr on $IFLIST proto tcp from $SRC_LIST to $DST_LIST port 21 \
-> 127.0.0.1 port 8021

ok dhartmei@


# 1.87 08-Jun-2002 henning

nuke unused parameter af to expand_label_port
ok dhartmei@, pb@


# 1.86 08-Jun-2002 dhartmei

Change remaining read-only lookup tables to const, suggestion drahn@


# 1.85 08-Jun-2002 itojun

comment on IPv6 link-local twists


# 1.84 08-Jun-2002 kjell

add list expansion to src/dest in NAT rules. i.e.

nat on fxp0 from { 10.0.0.0/24, 10.0.1.0/24 } to \
{ 172.6.1.1, 172.14.1.2/32 } -> fxp0

ok theo, dhartmei@


# 1.83 08-Jun-2002 henning

remove macro concatenation via += per Theo's advice


# 1.82 08-Jun-2002 henning

allow macro concatenation like
webservers = "{ 10.0.0.1, 10.0.0.7, 10.0.0.8, "
webservers += " 10.0.0.17, 10.0.0.25, 10.0.0.37 }"
ok frantzen@, dhartmei@


# 1.81 08-Jun-2002 dhartmei

Make state timeouts configurable per rule, like

pass in from any to any port www keep state (tcp.established 60)

ok frantzen@


# 1.80 08-Jun-2002 henning

expand $nr -> rule number in rule labels
okay dhartmei@, frantzen@


# 1.79 08-Jun-2002 henning

expand $proto in rule labels
okay frantzen@ dhartmei@


# 1.78 07-Jun-2002 dhartmei

Handle realloc() failure gracefully. Terminates with err() anyway in this
case, but we don't want to trigger "p = realloc(p," grepping causing false
alarms here.


# 1.77 07-Jun-2002 deraadt

henning, read this to see what i mean by KNF


# 1.76 07-Jun-2002 pb

add the possibility to configure a TTL while return-rst

ok dhartmei@, ipv6 part itojun@ ok


# 1.75 07-Jun-2002 dhartmei

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@


# 1.74 07-Jun-2002 henning

allow using $srcaddr, $srcport, $dstaddr and $dstport in rule labels,
evaluated at parse time.
ok dhartmei@


# 1.73 07-Jun-2002 itojun

make IPv6 scope identification work for dst (from any to fe80::1%lo0)


# 1.72 07-Jun-2002 itojun

support scoped IPv6 address in from/to portion.


# 1.71 01-Jun-2002 hugh

ECN flag support for pf. Committed in consultation with Daniel.


# 1.70 24-May-2002 dhartmei

Support mixed (IPv4/v6) address lists, expand to all possible and valid
combinations. 'pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }' will
expand to two rules, 'from 10.1.2.3 to 10.4.5.6' and 'from ::1 to ::2'.
Also applies to host name resolution (when multiple addresses are returned
for one name). ok frantzen@, itojun@


# 1.69 23-May-2002 deraadt

tiny KNF, some malloc checks, etc


# 1.68 23-May-2002 itojun

new_addr is not used from anywhere. daniel@benzedrine.cx ok


# 1.67 19-May-2002 deraadt

KNF


# 1.66 12-May-2002 dhartmei

Explain that user/group 'unknown' can only be used with operators = and !=
and refuse other constructs in the parser. Also note that 'user >= 0' does
not match forwarded packets with unknown user ID.


# 1.65 12-May-2002 dhartmei

Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.


# 1.64 10-May-2002 dhartmei

Handle host name resolution returning multiple addresses in the rule
parser (expand to every address). ok frantzen@


# 1.63 09-May-2002 jasoni

Add a max-mss option to the scrub rule which will enforce a maximum mss
by lowering it to the given value.
- ok dhartmei@, provos@


# 1.62 09-May-2002 dhartmei

Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.


# 1.61 24-Apr-2002 dhartmei

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).


# 1.60 23-Apr-2002 dhartmei

Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.


# 1.59 18-Apr-2002 deraadt

use strlcpy


# 1.58 17-Apr-2002 dhartmei

Reset lineno for each file, so pfctl -R ... -N ... reports the right
line number for non-first files. Reported by aaron@


Revision tags: OPENBSD_3_1_BASE
# 1.57 27-Mar-2002 mickey

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok


# 1.56 27-Feb-2002 dhartmei

Instead of printing useless @0 rule numbers from pfctl -vR, increase a
counter. Helps debugging rule sets that are not loaded. Suggested by
John Kerbawy.


# 1.55 11-Jan-2002 mickey

use bsearch() for keywords lookup, swap couple of entries to make the keywords array sorted and add a comment to keep it that way; dhartmei@ ok


# 1.54 10-Jan-2002 hugh

Let port 0 be specified as it's not special here.
Agreement with Daniel and others.


# 1.53 09-Jan-2002 mpech

Port must be >0 and <=65535. Idea while having fun with ssh.

dhartmei@ ok


# 1.52 09-Jan-2002 mpech

free() 'interface' in {nat,binat,rdr}rule

dhartmei@ ok


# 1.51 09-Jan-2002 dhartmei

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.


# 1.50 08-Jan-2002 dhartmei

Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.


# 1.49 07-Jan-2002 mpech

remove 3rd argument from ipmask(), not used.

dhartmei@ ok


# 1.48 23-Dec-2001 deraadt

find correct line number in lval, instead of val


# 1.47 10-Dec-2001 dhartmei

Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.


# 1.46 05-Dec-2001 dhartmei

Correctly parse hex numbers. Spotted by Claudio Jeker. Closes PR 2234.


# 1.45 03-Dec-2001 dhartmei

For nat, binat and rdr rules, don't allow different address families in
one rule. pf can't translate IPv4 <-> IPv6 packets. Such rules didn't work,
even if they were falsely accepted before.


# 1.44 26-Nov-2001 jasoni

add fastroute options similar to what is found in ipf
ok dhartmei@, frantzen@


# 1.43 05-Nov-2001 deraadt

no one responds.
this diff makes } and { not be part of symbols


# 1.42 24-Oct-2001 dhartmei

Check interface names using ifa0_lookup() and print error message for
non-existent interfaces (instead of the generic ioctl error returned by
the kernel in this case).


Revision tags: OPENBSD_3_0_BASE
# 1.41 15-Oct-2001 dhartmei

branches: 1.41.2;
Add 'allow-opts' to rules. Packets with IP options will be blocked by
default now, and can be allowed per rule. ok deraadt@


# 1.40 11-Oct-2001 frantzen

Don't htonl() past buffer bounds if ipmask == 128
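
Added example, not pfctl's own code, serving both the 1.172 entry above (the netmask is applied at parse time, so 172.17.0.0/12 is shown as 172.16.0.0/12 and a wrong mask is visible in the printed rule) and this 1.40 entry (a /32 or /128 mask must not write a whole word past the end of the address). apply_prefix(), normalize_cidr() and cidr_matches() are my own names; the masking is done byte by byte so no write can overrun the 4- or 16-byte buffer; the sample addresses in main() are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/*
 * Clear every host bit of addr (AF_INET or AF_INET6) for the given prefix
 * length, in place.  Working one byte at a time means a prefix of 32 or
 * 128 touches only bytes inside the address, never one past it.
 * Returns 0 on success, -1 for an unknown family or out-of-range prefix.
 */
int
apply_prefix(int af, unsigned char *addr, int prefix)
{
	int bytes, i, bits;

	if (af == AF_INET)
		bytes = 4;
	else if (af == AF_INET6)
		bytes = 16;
	else
		return (-1);
	if (prefix < 0 || prefix > bytes * 8)
		return (-1);
	for (i = 0; i < bytes; i++) {
		bits = prefix - i * 8;	/* network bits left for this byte */
		if (bits >= 8)
			continue;	/* byte lies entirely in the network part */
		if (bits <= 0)
			addr[i] = 0;	/* byte lies entirely in the host part */
		else
			addr[i] &= (unsigned char)(0xffu << (8 - bits));
	}
	return (0);
}

/*
 * Parse "address/prefix" text (IPv4 or IPv6), mask it, and render it
 * back into out as "network/prefix".  Returns 0 on success, -1 on
 * malformed input, so a bad prefix is reported instead of silently kept.
 */
int
normalize_cidr(const char *in, char *out, size_t outlen)
{
	char buf[INET6_ADDRSTRLEN + 4], txt[INET6_ADDRSTRLEN];
	unsigned char addr[16];
	char *slash, *end;
	long prefix;
	int af;

	if (strlen(in) >= sizeof(buf))
		return (-1);
	strcpy(buf, in);
	if ((slash = strchr(buf, '/')) == NULL)
		return (-1);
	*slash = '\0';
	prefix = strtol(slash + 1, &end, 10);
	if (end == slash + 1 || *end != '\0' || prefix < 0 || prefix > 128)
		return (-1);
	af = strchr(buf, ':') != NULL ? AF_INET6 : AF_INET;
	if (inet_pton(af, buf, addr) != 1)
		return (-1);
	if (apply_prefix(af, addr, (int)prefix) != 0)
		return (-1);
	if (inet_ntop(af, addr, txt, sizeof(txt)) == NULL)
		return (-1);
	if (snprintf(out, outlen, "%s/%ld", txt, prefix) >= (int)outlen)
		return (-1);
	return (0);
}

/* 1 if in normalizes to expected; 0 if it differs or is rejected. */
int
cidr_matches(const char *in, const char *expected)
{
	char out[INET6_ADDRSTRLEN + 5];

	if (normalize_cidr(in, out, sizeof(out)) != 0)
		return (0);
	return (strcmp(out, expected) == 0);
}

int
main(void)
{
	/* constructed inputs, including the /12 case from the 1.172 entry */
	const char *samples[] = { "172.17.0.0/12", "10.1.2.3/8",
	    "2001:db8::ffff/64", "2001:db8::1/128", "10.1.2.3/33" };
	char out[INET6_ADDRSTRLEN + 5];
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		if (normalize_cidr(samples[i], out, sizeof(out)) == 0)
			printf("%-20s -> %s\n", samples[i], out);
		else
			printf("%-20s -> rejected\n", samples[i]);
	}
	return (0);
}
```

Run it and the first sample prints as 172.16.0.0/12, which is the mismatch between the written address and the mask that the 1.172 entry wants made visible; the /33 sample is rejected rather than masked with a bogus length.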


# 1.39 07-Oct-2001 dhartmei

Add interface name to address translation to pfctl, document it and add
a regress test. Translation is done on rule set load-time only, so the
rule sets must be reloaded when an interface address changes.
parse.y patch from Cedric Berger. Similar patch from Jonathon Fletcher.
Thanks to both.


# 1.38 01-Oct-2001 markus

print variable assignments only if -v is given. ok dhartmei/deraadt


# 1.37 28-Sep-2001 dhartmei

Support underscores in macro names and document it in the man page.


# 1.36 20-Sep-2001 dhartmei

Fix uninitialized structure fields. Problem reported by Cedric Berger.


# 1.35 15-Sep-2001 wilfried

Implement return-icmp(number), return-icmp6(number)
Differentiate between return-icmp and return-icmp6,
icmp-type and ipv6-icmp-type. ok dhartmei@


# 1.34 15-Sep-2001 dhartmei

Fix 'binat ... to any ...' (binat.af wasn't set).


# 1.33 15-Sep-2001 dhartmei

Parse bug, found by wilfried@


# 1.32 15-Sep-2001 frantzen

IPv6 support from Ryan McBride (mcbride@countersiege.com)


# 1.31 12-Sep-2001 markus

check calloc() return value


# 1.30 06-Sep-2001 jasoni

- you can only binat between hosts
- add binat example and description


# 1.29 06-Sep-2001 jasoni

1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@


# 1.28 04-Sep-2001 dhartmei

Support parameter lists {} for interfaces in filter rules, like
pass in on { gm0, kue0 } from any to any


# 1.27 28-Aug-2001 markus

move '!' from host_list to host: "xhost : '!' host | host;"; ok dhartmei@


# 1.26 28-Aug-2001 markus

check for malloc/strdup == NULL


# 1.25 28-Aug-2001 dhartmei

Support ! operator in host parameter lists. Fixes PR system/2030. Reported
by Kamil Andrusz <wizz@mniam.net>.


# 1.24 26-Aug-2001 deraadt

sort keywords


# 1.23 25-Aug-2001 frantzen

PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation.


# 1.22 23-Aug-2001 millert

o for a port_item, initialize the "next" pointer to NULL
o for an address, use calloc() instead of malloc() so the struct is zeroed
Fixes a SEGV in pfctl due to uninitialized "next" pointers.


# 1.21 23-Aug-2001 deraadt

Support var="string". Expansion (at lex time) done using $var, for instance:
okproto="{ssh, smtp, domain, auth}"
pass in on key0 proto tcp from any to any port $okproto keep state
Can I ask someone else to document this in pf.conf(5)?


# 1.20 19-Aug-2001 dhartmei

Add parameter list support to parser. Handles lists for protocol, hosts
and ports in filter rules, like

block in from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
pass in proto tcp from any to any port { ssh, 1024 >< 2000, > 65000 }
block in proto { udp, igmp }

and does rule expansion (generate all needed rule combinations).

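The parameter-list expansion described for r1.20, as an added example that is not pfctl's own code: every `{ ... }` list becomes a small string array, and the product of all lists is emitted as one concrete rule per combination, which is what the kernel ends up loading. The list sizes, the `MAXRULES` cap and the flattened output format are local assumptions; a missing `from` list is rendered as `from any to any`, which pf treats the same as `all`.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not pfctl's parser: rule expansion over parameter lists.
 * Each list is a string array; an empty list (count 0) means the keyword
 * is omitted (or, for sources, defaults to "any"). MAXRULES and RULELEN are
 * local assumptions.
 */
#define MAXRULES 64
#define RULELEN  128

static char expanded[MAXRULES][RULELEN];

/* Append "kw val" to rule r, truncating safely at RULELEN. */
static void
append(char *r, const char *kw, const char *val)
{
	size_t off = strlen(r);

	snprintf(r + off, RULELEN - off, "%s%s", kw, val);
}

/*
 * Expand "action dir proto { protos } from { srcs } to any port { ports }".
 * Returns the number of rules produced, or -1 if the product of the list
 * sizes would exceed MAXRULES (lists multiply: three lists of ten entries
 * already give 1000 kernel rules).
 */
int
expand_rule(const char *action, const char *dir,
    const char *const *protos, size_t np,
    const char *const *srcs, size_t ns,
    const char *const *ports, size_t npo)
{
	size_t i, j, k, n = 0;
	/* A missing list still contributes exactly one choice. */
	size_t ip = np ? np : 1, is = ns ? ns : 1, io = npo ? npo : 1;

	if (ip * is * io > MAXRULES)
		return -1;
	for (i = 0; i < ip; i++)
		for (j = 0; j < is; j++)
			for (k = 0; k < io; k++) {
				char *r = expanded[n++];

				snprintf(r, RULELEN, "%s %s", action, dir);
				if (np)
					append(r, " proto ", protos[i]);
				append(r, " from ", ns ? srcs[j] : "any");
				append(r, " to ", "any");
				if (npo)
					append(r, " port ", ports[k]);
			}
	return (int)n;
}

/* Accessor for the i-th expanded rule of the last expand_rule() call. */
const char *
expanded_rule(int i)
{
	return expanded[i];
}

int
main(void)
{
	/* Constructed lists, taken from the three rules quoted in the log. */
	static const char *const srcs[] =
	    { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
	static const char *const tcp[] = { "tcp" };
	static const char *const any[] = { "any" };
	static const char *const ports[] = { "ssh", "1024 >< 2000", "> 65000" };
	static const char *const protos[] = { "udp", "igmp" };
	int i, n;

	n = expand_rule("block", "in", NULL, 0, srcs, 3, NULL, 0);
	for (i = 0; i < n; i++)
		puts(expanded_rule(i));
	n = expand_rule("pass", "in", tcp, 1, any, 1, ports, 3);
	for (i = 0; i < n; i++)
		puts(expanded_rule(i));
	n = expand_rule("block", "in", protos, 2, NULL, 0, NULL, 0);
	for (i = 0; i < n; i++)
		puts(expanded_rule(i));
	return 0;
}
```

Running it prints the three expanded rules for each of the three source rules from the log; the cap on the product of the list sizes is the check a reviewer wants when a ruleset with long lists suddenly becomes slow to load.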

# 1.19 16-Aug-2001 deraadt

track the line number per-token, so that we can report errors correctly


# 1.18 14-Aug-2001 mickey

optimize the flags parsing; markus@ ok


# 1.17 11-Aug-2001 deraadt

\+\n support, and spit out cc-style error messages. the parser's line
counting is lex dependent, and will need to be tweaked


# 1.16 31-Jul-2001 wilfried

allow to test that flags are unset, ok dhartmei@, mickey@


# 1.15 19-Jul-2001 krw

Fix/complete the handling of the binary ops >< and <> to behave
like the ipf operators.

The 'n >< m' construct (Include Range = PF_OP_IRG) should match
ports greater than n and less than m, not greater than or equal to
n and less than or equal to m.

The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match
all ports less than n OR greater than m, not be treated as an
alias for ><.

Thus PF_OP_GL, which was used for both <> and ><, is replaced with
PF_OP_IRG and PF_OP_XRG with the 'correct' semantics.

OK dhartmei@

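The operator semantics fixed in r1.15, as an added example that is not pf or pfctl code: a re-implementation of port matching so the difference between `n >< m` (PF_OP_IRG, both ends excluded) and `n <> m` (PF_OP_XRG, everything outside the range) can be checked directly. The operator names follow the log; the numeric enum values and the inclusion of the other comparison operators are local assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not pf's own pf_match(): port operator semantics as
 * described for r1.15. Enum values are a local assumption.
 */
enum pf_port_op {
	PF_OP_NONE = 0,	/* no port given: always matches */
	PF_OP_IRG,	/* n >< m : n < p < m  (both ends excluded) */
	PF_OP_XRG,	/* n <> m : p < n or p > m */
	PF_OP_RRG,	/* n:m    : n <= p <= m (inclusive range) */
	PF_OP_EQ, PF_OP_NE, PF_OP_LT, PF_OP_LE, PF_OP_GT, PF_OP_GE
};

/* Return 1 when port p satisfies "op a1 [a2]", 0 otherwise. */
int
pf_match_port(enum pf_port_op op, uint16_t a1, uint16_t a2, uint16_t p)
{
	switch (op) {
	case PF_OP_NONE: return 1;
	case PF_OP_IRG:  return p > a1 && p < a2;
	case PF_OP_XRG:  return p < a1 || p > a2;
	case PF_OP_RRG:  return p >= a1 && p <= a2;
	case PF_OP_EQ:   return p == a1;
	case PF_OP_NE:   return p != a1;
	case PF_OP_LT:   return p < a1;
	case PF_OP_LE:   return p <= a1;
	case PF_OP_GT:   return p > a1;
	case PF_OP_GE:   return p >= a1;
	}
	return 0;
}

/*
 * Boundary ports are where rule mistakes hide: "port 1024 >< 2000" admits
 * neither 1024 nor 2000, while "port 1024:2000" admits both. Print the
 * boundaries so the three range operators can be compared side by side.
 */
int
main(void)
{
	const uint16_t probes[] = { 1023, 1024, 1025, 1999, 2000, 2001 };
	size_t i;

	printf("port  ><  <>  :\n");
	for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		printf("%4u   %d   %d  %d\n", (unsigned)probes[i],
		    pf_match_port(PF_OP_IRG, 1024, 2000, probes[i]),
		    pf_match_port(PF_OP_XRG, 1024, 2000, probes[i]),
		    pf_match_port(PF_OP_RRG, 1024, 2000, probes[i]));
	return 0;
}
```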

# 1.14 18-Jul-2001 markus

new ERROR token, errx() -> warnx() + ERROR; ok deraadt@


# 1.13 18-Jul-2001 markus

KNF for return


# 1.12 18-Jul-2001 mickey

check number range to fit in 32 bits


# 1.11 18-Jul-2001 mickey

put range checks on NUMBER, pointed out by deraadt


# 1.10 17-Jul-2001 mickey

spaces, parens, err instead of errx+strerror


# 1.9 17-Jul-2001 markus

warnx()/YYERROR instead of errx(); suggested by mickey@


# 1.8 17-Jul-2001 provos

markus doesn't like min-ttl =, begone


# 1.7 17-Jul-2001 provos

support min-ttl, okay dhartmei@


# 1.6 17-Jul-2001 provos

normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@


# 1.5 17-Jul-2001 marc

bitch about ! in pf rule; ok dhartmei@ and markus@


# 1.4 17-Jul-2001 millert

Only set default proto in the rdr case; markus@ OK


# 1.3 16-Jul-2001 markus

errx() if getservbyname() fails


# 1.2 16-Jul-2001 markus

better flags parsing; dhartmei


# 1.1 16-Jul-2001 markus

add a yacc parser for pf.conf and nat.conf, with help from mickey@,
plus: -n now turns off all operations, and just parses the conf files
ok deraadt@


# 1.690 31-Jan-2019 kn

Make divert-packet port accept any port specification

Contrary to other rules accepting a single port, this one only works with
numerical values. Fix it by simply using the proper grammar.

Port ranges are not accepted, but an error message on a range without start
was missing in general, so add it while here.

OK bluhm


# 1.689 11-Jan-2019 kn

When creating tables inside anchors, pfctl warned about namespace
collisions with global tables, but only in certain cases and with
limited information sometimes leaving users clueless.

Deferring the check to process_tabledefs() where tables are eventually
created, both anchor and table name are known which allows for checking
all existing anchors.

With this, warn on all duplicates even in dry-runs (`-n') and print
quoted names so they can be copied to fix configurations right away.

No functional change in parsing or ruleset production.

Discussed with and OK sashan


# 1.688 15-Nov-2018 dlg

scrub opts don't set tos, so remove it from the scrub_opts struct

ok deraadt@


# 1.687 10-Nov-2018 kn

Unbreak `-D macro=value' (r1.686 regression)

Zap trailing semicolon introduced with miko's cmdline_symset() leading to
unconditional err(3). Zap trailing tab while here.


# 1.686 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.685 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.684 16-Sep-2018 millert

Use uid_from_user(3) and gid_from_group(3) in utilities that
do repeated lookups. OK tb@


# 1.683 06-Sep-2018 kn

Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan


# 1.682 16-Jul-2018 kn

reduce duplicate code, fix typo/free correct buffer

In filteropts_to_rule():

* Merge `once' handling from `anchorrule' and `pfrule'
* Remove/shorten duplicate code block
* Fix typo I introduced with r1.678 that frees the wrong buffer (twice)

OK sashan


# 1.681 13-Jul-2018 kn

Fix regression on child queue definitions

I committed the wrong diff in 1.680 which turned `queue cq parent pq ...'
into invalid syntax by changing `interface' to `ON if_item'.

Found by bket, thanks!


# 1.680 11-Jul-2018 kn

Prevent invalid interface specifiers on queue rules

pf.conf(5) states that queues attach to actual interfaces only, yet the
following parses:

# echo queue eq on egress bandwidth 1G default | pfctl -f-
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

# echo queue rq on rdomain 0 bandwidth 1G default | pfctl -vf-
queue rq bandwidth 1G default
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

On rdomains, ifa_exists() returns NULL.
On interface groups, ifa_exists() returns non-NULL but af is never set
to AF_LINK.

OK henning sashan


# 1.679 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.678 10-Jul-2018 henning

'set delay' for the generic packet delay mechanism, ok benno sashan


# 1.677 10-Jul-2018 kn

fix anchor rules with filter opts, introduce filteropts_to_rule()

Some filter options were parsed but not set on anchor rules due to missing
copies of the respective struct members:

$ cat pf.conf
queue rq on trunk0 bandwidth 1G
queue dq parent rq bandwidth 1G default
anchor a set queue dq
$ pfctl -vnf pf.conf | fgrep queue
anchor "a" all

Fix this by moving common code from `anchorrule' and `pfrule' into a new
helper filteropts_to_rule().

Input from henning and benno
OK henning sashan jca


# 1.676 09-Jul-2018 kn

Zap dead code

Commented since r1.465 (2004).

OK deraadt benno jca sashan


# 1.675 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.674 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.673 18-May-2018 benno

A pf rule with an "on rdomain n" with nonexistent rdomain n will cause an

pfctl: DIOCADDRULE: Device busy

error when loading the ruleset, with no information which rule caused
the problem and no indication that the problem is the rdomain
<nonexisting>.

This diff makes pfctl check if the rdomain really exists when parsing
the config.

ok bluhm@


# 1.672 09-May-2018 otto

Fix (include file) line number counting by keeping track of the unget
buffer per file; also use that buffer to expand macros.
ok sashan@ dennis@ krw@


# 1.671 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.670 08-Feb-2018 henning

make the watermarks/thresholds for entering and leaving syncookie mode when
syncookies are set to adaptive tunable, ok claudio benno


# 1.669 06-Feb-2018 henning

allow control over syncookies: set syncookies never/always/adaptive


# 1.668 28-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@


# 1.667 27-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Convert the pfctl(8) rule parser to divert types, kernel cleanup
will be the next step.
OK sashan@


# 1.666 25-Nov-2017 sashan

- pfctl fails to handle nested 'load anchor' properly
[ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]

OK bluhm@


# 1.665 14-Nov-2017 sashan

- nested anchors vs. pfctl/parse.y
bug reported and fix tested by Leonardo Guardati

OK bluhm@


# 1.664 13-Nov-2017 henning

add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb


Revision tags: OPENBSD_6_2_BASE
# 1.663 11-Aug-2017 benno

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@


# 1.662 19-Jul-2017 mikeb

Allow HFSC classes to use flow queues

The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue. Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.

Discussed with and OK henning@ at d2k17 as a part of a larger diff.


# 1.661 19-Jul-2017 mikeb

Rework HFSC vs FQ-CoDel checks

The selection mechanism introduced in pf_ioctl.c -r1.316 suffers
from being too ambiguous and lacks robustness. Instead of relying
on composition of multiple flags in the queue specification, it's
easier to identify the root class (if it exists) and derive all
further checks from it.


# 1.660 28-May-2017 akfaew

Don't check np->port for NULL - it's an array, it's never NULL.

OK bluhm@


# 1.659 15-May-2017 mikeb

Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)

OK sthen, visa


# 1.658 28-Apr-2017 mikeb

Remove double assignments


Revision tags: OPENBSD_6_1_BASE
# 1.657 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.656 23-Nov-2016 bluhm

Explicitly forbid to combine af-to with route-to in pfctl. The
parser cannot handle that correctly and it is unclear whether the
kernel code would work. Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@


# 1.655 26-Aug-2016 guenther

Add <time.h> for time(); sort <*.h> includes

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.654 18-Jul-2016 henning

g/c unused (global!) var: oqueues isn't used any more. ALTQ leftover; not
noticed since struct node_queue stayed. ok claudio benno gcc


# 1.653 22-Jun-2016 kettenis

Add curly braces that were missed in rev 1.651. Add parentheses to make the
condition in the if statement more readable while I'm there.

ok phessler@, benno@, florian@


# 1.652 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.651 21-Jun-2016 benno

the manpage documents that af-to does not work on pass out rules, but
the pf.conf parser allows it, which leads to a non-working configuration
being loaded.
this changes the parser to make pass out .. af-to an error.

ok henning@ mikeb@


# 1.650 16-Jun-2016 henning

allow include in inline anchors
with this,
anchor foo {
include "/path/to/rules"
}
works and "load anchor" is obsolete, to be removed somewhen later after
release.
co-production with reyk at bsdcan, ok reyk mikeb benno sasha


Revision tags: OPENBSD_5_9_BASE
# 1.649 01-Sep-2015 sashan

- route-to, dup-to, reply-to should not override the block action

Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>

ok jung@, ok mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.648 21-Apr-2015 mikeb

Improve divert-to specification parsing w.r.t. rule address family.
ok henning


Revision tags: OPENBSD_5_7_BASE
# 1.647 26-Feb-2015 sthen

%% not % in error message; ok millert@ henning@


# 1.646 14-Feb-2015 sthen

Rather than using 0xff as a placeholder for "don't check prio", use 0xff to
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.

Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesn't like it he can change it when he recovers from jet-lag"


# 1.645 10-Feb-2015 henning

since we inherit prio (as in, the queuing priority) from outside sources,
i. e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan


# 1.644 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.643 19-Dec-2014 reyk

Support source-hash and random with tables and dynifs; not just pools.
This finally allows to use source-hash for dynamic loadbalancing, eg.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.

An older pre-siphash version of this diff was tested by many people.

OK tedu@ benno@


# 1.642 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@

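The two lexer behaviours recorded in this log, r1.685 (backslash handling inside quoted strings) and r1.642 (embedded NUL bytes rejected), as one added example that is not pfctl's own lexer: a re-implementation of quoted-string lexing over a raw byte buffer. The explicit-length interface, the `lineno` pointer and the helper functions are local choices so the behaviour can be exercised on constructed input; treating a raw newline inside quotes as counted-and-dropped is also an assumption here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not the pfctl lexer. Rules implemented:
 *  r1.685: inside quotes, "\ " and "\<tab>" yield the blank, "\<newline>"
 *          is a line continuation, any other backslash stays literal.
 *  r1.642: a NUL byte inside the quotes is an error, not a string end.
 *
 * in/inlen:  bytes following the opening '"' (length given explicitly so a
 *            NUL can be seen rather than truncating the input).
 * out/outsz: receives the unescaped, NUL-terminated string.
 * lineno:    incremented for every newline consumed.
 * Returns the output length, or -1 for an embedded NUL, an unterminated
 * string, or an output buffer that is too small.
 */
int
lex_quoted(const char *in, size_t inlen, char *out, size_t outsz, int *lineno)
{
	size_t i = 0, o = 0;

	while (i < inlen) {
		unsigned char c = (unsigned char)in[i++];

		if (c == '\0')
			return -1;		/* r1.642: embedded NUL */
		if (c == '"') {
			if (o >= outsz)
				return -1;
			out[o] = '\0';
			return (int)o;
		}
		if (c == '\n') {		/* raw newline: count and drop */
			(*lineno)++;
			continue;
		}
		if (c == '\\' && i < inlen) {
			unsigned char next = (unsigned char)in[i];

			if (next == '"' || next == ' ' || next == '\t') {
				c = next;	/* escaped quote or blank */
				i++;
			} else if (next == '\n') {
				(*lineno)++;	/* line continuation */
				i++;
				continue;
			}
			/* otherwise the backslash stays in the string */
		}
		if (o + 1 >= outsz)
			return -1;
		out[o++] = (char)c;
	}
	return -1;				/* no closing quote */
}

/* Check helper: 1 when lexing raw yields expect (NULL = an error is expected). */
int
lex_check(const char *raw, size_t rawlen, const char *expect)
{
	char buf[64];
	int lines = 0;
	int n = lex_quoted(raw, rawlen, buf, sizeof(buf), &lines);

	if (expect == NULL)
		return n == -1;
	return n >= 0 && strcmp(buf, expect) == 0;
}

/* Check helper: newlines consumed, or -1 on error. */
int
lex_lines(const char *raw, size_t rawlen)
{
	char buf[64];
	int lines = 0;

	if (lex_quoted(raw, rawlen, buf, sizeof(buf), &lines) < 0)
		return -1;
	return lines;
}

int
main(void)
{
	/* Constructed inputs: the bytes after an opening '"' in a pf.conf line. */
	printf("escaped blank:  %d\n", lex_check("a\\ b\"", 5, "a b"));
	printf("continuation:   %d\n", lex_check("foo\\\nbar\"", 9, "foobar"));
	printf("literal bslash: %d\n", lex_check("x\\y\"", 4, "x\\y"));
	printf("embedded NUL:   %d\n", lex_check("ab\0cd\"", 6, NULL));
	printf("unterminated:   %d\n", lex_check("abc", 3, NULL));
	return 0;
}
```

The NUL case is the one worth remembering when fuzzing any configuration parser: a string routine that stops at the first NUL silently accepts a name that is shorter than the bytes actually read, which is how the anchor-name crash in r1.642 arose.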

# 1.641 27-Oct-2014 mikeb

Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic. Reported by sthen@;
ok henning benno sthen


# 1.640 25-Oct-2014 lteo

Remove unnecessary netinet/in_systm.h include.

ok millert@


# 1.639 13-Sep-2014 doug

Replace all queue *_END macro calls except CIRCLEQ_END with NULL.

CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.

ok millert@


# 1.638 23-Aug-2014 pelikan

when you specify queues in a rule, make sure they have been defined.

DIOCADDRULE EBUSY turns into an error message that pfctl -n catches.
DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported
to occur, possibly from hfsc.c: this should be fixed as well.

ok henning mikeb sthen


# 1.637 21-Aug-2014 mikeb

deny "once" flags for match rules; ok henning


Revision tags: OPENBSD_5_6_BASE
# 1.636 02-Jul-2014 mikeb

branches: 1.636.4;
condition above makes this part of the check useless;
overlooked in the previous commit


# 1.635 30-Jun-2014 mikeb

Merge two loops in collapse_redirspec into one

This lets us do the checks only once and also make smarter decisions
about the rule's own address family. As a result af-to rules no longer
need to specify the address family after 'pass'.

ok henning


# 1.634 25-Jun-2014 mikeb

Make stricter decisions when handling translation specifications.

In particular, disallow specifications containing addresses of
different address families when rule doesn't specify one, for
example "pass out nat-to { ::1 1.1.1.1 }" will now produce an
error instead of silently picking one of the addresses.

sthen and deraadt agree


# 1.633 17-May-2014 bluhm

When parsing a numerical value for the TOS bits, make sure that it
is in a valid range.
OK henning@


# 1.632 19-Apr-2014 henning

remove altq bits here, too
(i was convinced i committed that yesterday already, hrm)


Revision tags: OPENBSD_5_5_BASE
# 1.631 22-Jan-2014 henning

branches: 1.631.4;
relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.630 21-Jan-2014 henning

if_item can be "any" now.
allows things like
block out on $someif received-on any
to prevent packets from getting forwarded to $someif


# 1.629 20-Jan-2014 henning

support "!received-on <interface>", ok dlg benno


# 1.628 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.627 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


# 1.626 17-Oct-2013 henning

cannot have queue definitions inside anchors.
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@@ring0.de>, analysis & fix yours truly


# 1.625 12-Oct-2013 henning

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen


# 1.624 01-Aug-2013 mikeb

Provide local implementations of if_nametoindex(3) and if_indextoname(3)
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance wise this change provides a speed up
factor of 20 with an 11k line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).

"wow!" henning, ok benno, florian


Revision tags: OPENBSD_5_4_BASE
# 1.623 01-Jun-2013 henning

branches: 1.623.2;
remove set-tos backwards compat, moved into the set {} block a year ago
ok ryan


# 1.622 02-Mar-2013 sthen

When a PF rule contains 'set tos' *followed by* a scrub option, the tos
value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning


Revision tags: OPENBSD_5_3_BASE
# 1.621 16-Jan-2013 henning

for consistency with prio etc, the queue assignment really belongs
into the set block. so make pfctl accept, print and the manpage document
. match set queue foo
instead of
. match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc


# 1.620 18-Oct-2012 reyk

Disallow tables and interface address pools for rdr-to, nat-to and
route-to with any other scheduling algorithms than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, eg. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.

Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.

ok zinke@


# 1.619 18-Sep-2012 henning

prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb


Revision tags: OPENBSD_5_2_BASE
# 1.618 10-Jul-2012 bluhm

Allow an implicit address family for af-to rules. If the address
family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6"
there.
OK henning@ mikeb@


# 1.617 10-Jul-2012 henning

set { ... } -> set ( ... )
brought up by ryan, discussed with him and theo and they convinced me


# 1.616 09-Jul-2012 henning

fix some of the confusion we have in pf regarding filter criteria vs
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler


# 1.615 07-Jul-2012 henning

remove incorrect check in pfctl preventing set-tos for ipvshit.
the kernel has code to deal with set-tos and that crap. don't ask for
details. stuart ok


# 1.614 07-Jul-2012 henning

rename prio in struct pf_rule and related structs to set_prio so it is
utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc


Revision tags: OPENBSD_5_1_BASE
# 1.613 19-Dec-2011 mikeb

unbreak rule optimizer; ok henning, looks


# 1.612 12-Dec-2011 mikeb

fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault


# 1.611 03-Dec-2011 mcbride

pfctl_set_hostid always returns 0; don't pretend otherwise and make it a
void function instead.

ok dlg


# 1.610 13-Oct-2011 claudio

pfctl change for af-to / NAT64 support.
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@


# 1.609 07-Sep-2011 haesbaert

Avoid possible SIGSEGV with a wrong tos option.


# 1.608 30-Aug-2011 mikeb

One shot rules can be used in pf.conf by specifying a "once" filter option.

ok henning, mcbride


Revision tags: OPENBSD_5_0_BASE
# 1.607 29-Jul-2011 mcbride

Remove requirement to quote 'debug' loglevel for the 'debug' option.

ok henning


# 1.606 27-Jul-2011 mcbride

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt


# 1.605 13-Jul-2011 mcbride

Force user to specify protocol when filtering on user, gid, and os
attributes (this is now required by pf_rule_test()).

ok sthen henning


# 1.604 08-Jul-2011 henning

allow rules to specify "prio X" or "prio (X, Y)" to assign priority levels
for the new priority queueing implementation. valid range is 0 to 7. the old
trick for prioritizing empty ACKs etc remains thru the latter notation
ok ryan mpf sthen plus pea testing and halex and claudio reading


# 1.603 07-Jul-2011 mcbride

Fold pf_test_fragment() into pf_test_rule(), reduces code and fixes
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus


# 1.602 04-Jul-2011 henning

bye bye require-order.
i added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo


# 1.601 03-Jul-2011 henning

g/c RIO traces (aka clean up after tedu :))


# 1.600 03-Jul-2011 zinke

bring in least-states load balancing algorithm

ok mcbride@ henning@


# 1.599 06-Apr-2011 claudio

Userland bits to allow PF to filter on the rdomain a packet belongs to.
This allows to write rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@


# 1.598 05-Apr-2011 mikeb

ditch fastroute, an ipf feature that made its way into pf before
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do. reuse some kernel bits for the upcoming nat64
stuff. "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.


Revision tags: OPENBSD_4_9_BASE
# 1.597 31-Dec-2010 bluhm

According to pf_scrub_ip6() pf does not support the scrub options
no-df, random-id, set-tos for IPv6 rules. Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@


# 1.596 15-Dec-2010 henning

make the "invalid probability:" yyerror suck less
From: Thomas Pfaff <tpfaff@tp76.info>


# 1.595 01-Dec-2010 jsg

remove some unused tokens
ok henning@ mcbride@


# 1.594 24-Sep-2010 henning

remove the check that enforced rdr-to only inbound and nat-to only outbound.
both now can be used in both directions. the kernel allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given, a rule with rdr-to and/or nat-to
and no direction is pretty certainly an error (which it would work,
technically)
ok ryan claudio dlg


# 1.593 22-Sep-2010 henning

new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually


# 1.592 02-Sep-2010 sobrado

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@


Revision tags: OPENBSD_4_8_BASE
# 1.591 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.590 03-Jul-2010 mcbride

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.

tested by phessler
ok henning


# 1.589 23-Mar-2010 henning

remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving anchors aside) is wrong and
conflicts with the general idea of how pf works. last not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc


Revision tags: OPENBSD_4_7_BASE
# 1.588 13-Jan-2010 deraadt

Move tokens before productions into more consistent places
ok mcbride


# 1.587 13-Jan-2010 mcbride

Allow /netmask notation in redir spec, fix the rest of the regress
tests for illegal conditions in translation/routing.


# 1.586 12-Jan-2010 mcbride

We actually have to keep the translate/route spec addresses around after
collapsing into tables, so that we can handle all possible address family
expansions.


# 1.585 12-Jan-2010 mcbride

Set roundrobin flag correctly, and don't treat a bare interface
like a dynamic one in the routespec.


# 1.584 12-Jan-2010 mcbride

Add restrictions to make @if illegal outside of routing specs;
Fix binat-to sanity checks.


# 1.583 12-Jan-2010 mcbride

Fix some issues in redir spec handling, discovered thanks to dlg testing
- purge irrelevant addresses from the lists before collapsing
- ensure the lists are freed after they're collapsed
- more careful ifname copying, avoiding double-free / use-after-free traps


# 1.582 12-Jan-2010 mcbride

Don't leak @if0 format routing host names, pointed out by claudio.


# 1.581 12-Jan-2010 mcbride

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio


# 1.580 10-Jan-2010 deraadt

lex <=, >=, and != into a single token for correctness and to reduce the
lookahead in the parser
ok henning otto


# 1.579 10-Jan-2010 deraadt

In the non-optimized case, an address list containing "any" (ie. { any 10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1. How long this bug has
been with us is unclear.
ok guenther mcbride


# 1.578 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


# 1.577 24-Dec-2009 dlg

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:

pass out on em0 from $foo to $bar received-on fxp0

i've been running this in production for a week now. i find it particularly
useful with interface groups.

no objections, and a few "i like"s from henning, claudio, deraadt, mpf


# 1.576 10-Dec-2009 deraadt

plug some memory leaks; found by parfait, ok henning


# 1.575 22-Nov-2009 henning

cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing


# 1.574 09-Nov-2009 jsg

A few more places to be updated for the route pool change.
expanded version of a diff from Vadim Zhukov.

ok henning@ claudio@


# 1.573 28-Oct-2009 jsg

Add a dedicated pf pool for route options as suggested by henning,
which unbreaks ie route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@


# 1.572 28-Oct-2009 claudio

route_host initializes the netmask to a /128 no matter what af is used so
that the load balancing code does not freak out but because of this
check_netmask() is now complaining. So set the addr.type to PF_ADDR_DYNIFTL
so check_netmask() is fixing up the netmask for IPv4 and stops complaining.
This is a partial fix for the failing regress test 13.
found with jsg, looks good henning


# 1.571 28-Oct-2009 claudio

Correct function name in err and errx.


# 1.570 04-Oct-2009 michele

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who spotted out which are the limitations of this approach.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@


# 1.569 08-Sep-2009 michele

I had not enough oks to commit this diff.
Sorry.


# 1.568 08-Sep-2009 michele

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.


# 1.567 07-Sep-2009 reyk

implement binat-to as a macro-like rule: a rule using the new binat-to
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. this simplifies the migration from old
binat rules and is less error-prone.

feedback from many, manpage bits from jmc@
ok henning@


# 1.566 03-Sep-2009 reyk

this time i commit the right diff that was
ok henning@ (sorry)


# 1.565 03-Sep-2009 reyk

fix two route-to vs. rdr-to conflicts.

found by sthen@
ok henning@


# 1.564 02-Sep-2009 reyk

all the new *-to options are part of the "filteropts" section at the
end of a pf rule (nat-to, divert-to, rdr-to, ...). take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.

for example,
pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)

many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@


# 1.563 01-Sep-2009 henning

the diff theo calls me insanae for:
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too


# 1.562 28-Jul-2009 claudio

Bring back rev. 1.560:
Make it possible to use DiffServ Code Point in the TOS fields.
Requested by deraadt@


# 1.561 27-Jul-2009 deraadt

When will people learn to commit their .h file changes?


# 1.560 27-Jul-2009 claudio

Make it possible to use DiffServ Code Point in the TOS fields. Names like
af11, cs6 and ef will now be mapped to the corresponding TOS value.
OK henning@, sthen@, mcbride@


Revision tags: OPENBSD_4_6_BASE
# 1.559 14-May-2009 sthen

actually change the require-order default to No; I missed a part with
my last commit. ok deraadt@


# 1.558 26-Apr-2009 sthen

switch the require-order default to "no". regression tests still pass.
ok henning@ deraadt@


# 1.557 25-Apr-2009 henning

scrub_opts must not be empty, scrub on its own does nothing.
noticed due to a question from otto@, ok regress/sbin/pfctl/ ;)


# 1.556 06-Apr-2009 henning

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. as opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.
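
The match-rule semantics spelled out in the 1.556 entry above, as an added
example that is not pf(4) or pfctl(8) code: a small Python model of ruleset
evaluation with pass, block and match rules. The Rule and Verdict classes,
the criteria dictionary and the sample ruleset and packets are constructed
stand-ins for pf.conf rules and packets; treating a packet with no matching
pass/block rule as passed is an assumption that mirrors pf's default.

```python
"""Model of the "match" rule semantics described in the 1.556 log entry.

Added example, not pf(4)/pfctl(8) code.  Rules and packets are plain
Python objects standing in for pf.conf rules and mbufs; the ruleset and
packets below are constructed samples.  Assumption: with no matching
pass/block rule the packet passes, as pf does by default.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    action: str                                    # "pass", "block" or "match"
    criteria: dict = field(default_factory=dict)   # packet fields that must match
    quick: bool = False                            # only honoured on pass/block here
    log: bool = False
    queue: Optional[str] = None
    rtable: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        return all(pkt.get(k) == v for k, v in self.criteria.items())


@dataclass
class Verdict:
    action: str = "pass"
    queue: Optional[str] = None
    rtable: Optional[int] = None
    logged_by: list = field(default_factory=list)  # indices of rules that logged


def _apply(v: Verdict, r: Rule, idx: int) -> None:
    """Set the per-packet actions a rule carries; later rules overwrite."""
    if r.queue is not None:
        v.queue = r.queue              # the last rule that set a queue wins
    if r.rtable is not None:
        v.rtable = r.rtable            # rtable works the same way
    if r.log:
        v.logged_by.append(idx)        # one packet may be logged several times


def evaluate(rules: list, pkt: dict) -> Verdict:
    v = Verdict()
    last = None                        # last matching pass/block rule
    for idx, r in enumerate(rules):
        if not r.matches(pkt):
            continue
        if r.action == "match":
            _apply(v, r, idx)          # applied every time a match rule matches
            continue                   # and never changes the pass/block state
        last = (idx, r)
        if r.quick:
            break
    if last is not None:
        idx, r = last
        v.action = r.action            # last matching pass/block rule decides
        _apply(v, r, idx)              # its own options override earlier ones
    return v


def sample_ruleset() -> list:
    """Constructed ruleset; comments give the pf.conf the rules stand for."""
    return [
        Rule("match", {"proto": "tcp"}, log=True, queue="bulk"),  # 0 match proto tcp log queue bulk
        Rule("pass", {"dport": 22}, quick=True, rtable=1),        # 1 pass quick to port 22 rtable 1
        Rule("block", log=True),                                  # 2 block log
        Rule("match", {"dport": 80}, queue="web"),                # 3 match to port 80 queue web
        Rule("pass", {"dport": 80}, log=True),                    # 4 pass to port 80 log
    ]


def run_samples() -> dict:
    rules = sample_ruleset()
    pkts = {                           # constructed packets
        "http": {"proto": "tcp", "dport": 80},
        "ssh":  {"proto": "tcp", "dport": 22},
        "dns":  {"proto": "udp", "dport": 53},
    }
    return {name: evaluate(rules, p) for name, p in pkts.items()}


if __name__ == "__main__":
    for name, v in run_samples().items():
        print(f"{name}: {v}")
```

For the port 80 packet the final pass rule (4) sets no queue, so the queue
set by the earlier match rule (web) is kept, and the packet is logged twice,
by rules 0 and 4, exactly the double-logging case the entry warns about.
Anchors and quick on match rules are not modelled.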


Revision tags: OPENBSD_4_5_BASE
# 1.555 19-Feb-2009 deraadt

spacing


# 1.554 17-Oct-2008 henning

in findeol(), do not skip the pushback buffer. fixes PR 5952 by sthen@ and
should make the pushback buffer really transparent.
diagnosis by me, fix with mpf, some input deraadt, ok mpf


# 1.553 02-Oct-2008 henning

implement "set state-defaults X", where X is a list of state options as
permitted keep state(X). applies to all rules which do not have keep state
explicitly. e. g. "set state-defaults pflow, no-sync"
ok phessler deraadt


# 1.552 10-Sep-2008 deraadt

do not try to print $$ when it has not been set


# 1.551 09-Sep-2008 henning

welcome pflow(4), a netflow v5 compatible flow export interface.
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo


# 1.550 07-Aug-2008 henning

correctly copy the log interface spec when expanding an antispoof rule that
covers loopback addresses. ok ryan
problem report from Harald Dunkel <harald.dunkel@aixigo.de>


Revision tags: OPENBSD_4_4_BASE
# 1.549 03-Jul-2008 deraadt

do not forget to initialize other member of $$ in qname; noted by mark shroyer
ok henning


# 1.548 10-Jun-2008 mcbride

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt


# 1.547 10-Jun-2008 henning

new state option "sloppy" to use the sloppy tcp state tracker instead
of the good one. ok theo ryan reyk


# 1.546 09-May-2008 deraadt

Replace a crockpot of semi-cloned productions for handling port
numbers with one, and fix a few other bugs along the way
ok mpf henning


# 1.545 09-May-2008 markus

convert port byte order in the production; add port keyword; ok deraadt@


# 1.544 09-May-2008 markus

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@


# 1.543 08-May-2008 deraadt

make "to any" optional in binat, or well, the implied default.
requested by reyk, ok reyk mpf


# 1.542 08-May-2008 deraadt

Loosen grammar to permit any number of newlines within most kinds of { }
blocks, as requested by reyk; ok reyk mpf henning


# 1.541 08-May-2008 deraadt

Bring back (in a more yacc friendly way) support for setting variables
to a sequence of strings and numbers, which get folded together into one
string (and later, when used, is re-lexed)
ok mpf


# 1.540 07-May-2008 deraadt

do not assume PF_INOUT is 0 in the enum; ok mcbride


# 1.539 07-May-2008 markus

scrub packets based on tags; ok henning


# 1.538 07-May-2008 markus

allow setting TOS with scrub; ok mcbride, claudio


# 1.537 21-Apr-2008 deraadt

optnl is a crutch for those who do not understand yacc. it
leads to a variety of errors; ok mcbride


Revision tags: OPENBSD_4_3_BASE
# 1.536 01-Feb-2008 mcbride

Enable the rest of the filter_opts to be used on anchors. These were accepted
by the parser but not passed to the kernel. This allows filtering based on
uid, gid, icmp options, tcp flags, os fingerprint, tos, tags, and probability;
It also allows the label to be set. State options and tagging are not
permitted.

ok henning mpf


# 1.535 13-Nov-2007 mpf

Bring back the number converter for 'set hostid'.
I forgot to think about hex numbers when I removed it.
OK deraadt@


# 1.534 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.533 25-Oct-2007 mpf

Fix probability rules w/ numbers (e.g. probability 0.4).
Add support for probabilities of 0% and 100%.
With and OK deraadt@


# 1.532 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.531 22-Oct-2007 deraadt

pfctl does not need file secrecy


# 1.530 16-Oct-2007 mpf

Allow unquoted numbers in variables.
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.

OK deraadt@


# 1.529 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.528 13-Oct-2007 deraadt

support an include directive; file of course must also be "secure" like
the main configuration file; ok henning


# 1.527 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.526 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.525 01-Oct-2007 mpf

Backout NUMBER to string conversion.
Requested by deraadt@


# 1.524 27-Sep-2007 mpf

Add loginterface support for groups.
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.

OK henning@, markus@


# 1.523 23-Sep-2007 mpf

Allow numbers to be used as unquoted strings again.
While there, also restrict the use of concatenated, unquoted
strings for variable assignments only.

Eyeballed by markus@, OK henning@


# 1.522 12-Sep-2007 deraadt

add a missing range check for rtable ids; ok cloder henning


# 1.521 12-Sep-2007 deraadt

Add support to the lex for parsing numbers out of the stream. handle
this in the parser. because the new numbers are int64_t, many new
range checks for < 0 are needed. re-check and improve all the
existing rangechecks while at it. thanks for help by cloder and
dhartmei


# 1.520 30-Aug-2007 dhartmei

add support for address ranges ("from 10.1.2.50 - 10.1.3.75") in from/to
criteria. ok mcbride@


Revision tags: OPENBSD_4_2_BASE
# 1.519 21-Jun-2007 henning

always initialize logif, from max laier, ok ryan


# 1.518 20-Jun-2007 mpf

Allow "log" for nat rules without "pass".
OK henning@, ``passt scho'' markus@


Revision tags: OPENBSD_4_1_BASE
# 1.517 03-Feb-2007 dhartmei

in decide_address_family(), only limit a rule to a specific address family
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@


# 1.516 07-Nov-2006 mcbride

Unbreak authpf by handling non-inline anchors separately from the { } anchors
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.

ok deraadt@


# 1.515 31-Oct-2006 mcbride

Allow pfctl ruleset optimizer to be controlled from the ruleset.

"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]

You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.

cleanup and ok henning@


# 1.514 31-Oct-2006 mcbride

- don't allow anchors with _* names to be cleared or loaded from the
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified

'looks sensible' deraadt@


# 1.513 28-Oct-2006 mcbride

Load all rules into memory before loading into the kernel, and add support
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").

anchor on fxp0 {
pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@


# 1.512 25-Oct-2006 henning

make absolutely sure logif is 0 unless set specifically, even if log is 0.
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...


# 1.511 25-Oct-2006 henning

and another nit, $$.log should be set to 0 explicitly on quick without log


# 1.510 25-Oct-2006 henning

urgs, $$.quick needs to be set to 0 explicitly on log (without quick)


# 1.509 25-Oct-2006 henning

allow the log interface to be selected like
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride


# 1.508 17-Oct-2006 mcbride

Don't automatically set 'flags S/SA' on stateless rules.

pointed out by david@

ok mpf@ dhartmei@


# 1.507 11-Oct-2006 deraadt

quotes around filename, pr 5253, sthen@zephyr.spacehopper.org


# 1.506 11-Oct-2006 mcbride

Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside
the anchor, terminate ruleset evaluation when stepping out of the anchor.

This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.

ok dhartmei@ henning@ deraadt@


# 1.505 06-Oct-2006 mcbride

Oops, flags S/SA doesn't work on fragments.


# 1.504 06-Oct-2006 mcbride

Make 'flags S/SA keep state' the implicit for filter rules, based on
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.

IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.

Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.

ok dhartmei@ deraadt@ henning@


Revision tags: OPENBSD_4_0_BASE
# 1.503 22-Aug-2006 dhartmei

back out -r1.497 (support for "tagged {}" lists), it broke "tagged" support
for nat rules. sorry, existing functionality trumps syntactic sugar. feel
free to resubmit a complete patch. closes PR 5207.


# 1.502 06-Jul-2006 henning

add "rtable" to select alternate routing tables.
with & ok claudio hshoexer


# 1.501 17-Jun-2006 henning

KNF


# 1.500 28-May-2006 mcbride

Make per-rule adaptive timeouts behave the same way as the global adaptive
timeouts.


# 1.499 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.498 02-May-2006 dhartmei

fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, create
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.


# 1.497 01-May-2006 dhartmei

add support for "tagged {}" lists, from Pierre-Yves Ritschard


# 1.496 06-Apr-2006 henning

allow lists inside lists for address specs, has been in my tree for
quite some time... theo likes


# 1.495 14-Mar-2006 djm

implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@


Revision tags: OPENBSD_3_9_BASE
# 1.494 17-Nov-2005 dhartmei

for pfctl -f rules, open the file before resetting options. when opening
the file fails, produce only the error message and leave options
unchanged. reported by Tamas TEVESZ, ok deraadt@


# 1.493 13-Oct-2005 henning

unused parameters


Revision tags: OPENBSD_3_8_BASE
# 1.492 14-Jun-2005 henning

no need to restrict tagging to stateful rules any more, dhartmei ok
From: "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.491 27-May-2005 dhartmei

get rid of 'log-all'. now that we have 'log (options)', make 'all' an
option to log. so, 'log-all' becomes 'log (all)'.


# 1.490 27-May-2005 dhartmei

get rid of shift/reduce conflicts, don't support empty logopts


# 1.489 27-May-2005 dhartmei

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v is used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.


# 1.488 27-May-2005 dhartmei

allow 'tagged' in 'anchor' rules (without complaining about missing
'keep state'), as a condition to branch into the anchor. suggested
by Bill Marquette.


# 1.487 26-May-2005 camield

The illegalness of "no nat log" is already enforced by the grammar.

ok dhartmei


# 1.486 26-May-2005 dhartmei

support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@


# 1.485 23-May-2005 camield

remove code that duplicates getservice()

ok dhartmei mcbride


# 1.484 21-May-2005 henning

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo


# 1.483 22-Apr-2005 camield

Catch bad flags, ie. flags that always evaluate to false. This happens
if there are flags on the left-hand side that are masked off by the
right-hand side.

ok mcbride@ (long time ago) dhartmei@ henning@
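
The check from the 1.483 entry above, together with the "flags S/SA"
default discussed in the 1.504 entry further down, as an added example and
not pfctl's own code: parse a pf.conf flags spec into its set/mask bit pair,
reject a spec whose required flags fall outside the mask (it can never
match), and compare packet flags the way the kernel does. The bit values
follow the TCP header; the packet flag values fed in below are constructed.

```python
"""pf.conf "flags <set>/<mask>" handling as an added example (not pfctl
code).  <set> must be present in the packet, <mask> is the set of flags
examined; "flags any" disables flag matching (1.504).  A rule whose
required flags are not in its mask always evaluates to false (1.483)."""
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
                 "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}


def flagset(letters: str) -> int:
    """Turn a run of pf flag letters ("SA") into a TCP flag bitmask."""
    bits = 0
    for ch in letters:
        if ch not in TCP_FLAG_BITS:
            raise ValueError(f"unknown TCP flag {ch!r}")
        bits |= TCP_FLAG_BITS[ch]
    return bits


def parse_flags(spec: str):
    """Return (must_be_set, mask).  "any" yields (0, 0): nothing examined.
    "/SA" (empty left side) means none of S or A may be set."""
    if spec == "any":
        return 0, 0
    left, sep, right = spec.partition("/")
    if not sep:
        raise ValueError("flags need the form <set>/<mask>, /<mask> or 'any'")
    return flagset(left), flagset(right)


def bad_flags(spec: str) -> bool:
    """True when the spec requires a flag its mask never looks at (1.483)."""
    flags, mask = parse_flags(spec)
    return (flags & ~mask) != 0


def flags_match(spec: str, pkt_flags: int) -> bool:
    """The kernel-side test: the examined bits must equal the required ones."""
    flags, mask = parse_flags(spec)
    return (pkt_flags & mask) == flags


if __name__ == "__main__":
    for spec in ("S/SA", "A/S", "/SA", "any"):
        print(spec, "bad" if bad_flags(spec) else "ok",
              [flags_match(spec, f) for f in (0x02, 0x12, 0x10)])
```

"S/SA" accepts a bare SYN and rejects SYN+ACK and plain ACK, which is why
the 1.504 default only creates state on the first packet of a connection;
"A/S" is the kind of spec the 1.483 check flags, since ACK is required but
only SYN is examined.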


Revision tags: OPENBSD_3_7_BASE
# 1.482 07-Mar-2005 henning

print unsigned long with %lu, not with %d and not with %ld.
From: Andrey Matveev <andrushock@korovino.net>


# 1.481 06-Mar-2005 henning

allow commas in the hfsc service curve spec, inconsistency pointed out in
PR4134 / geoff@collyer.net and a longer mail exchange with han boetes


# 1.480 06-Mar-2005 dhartmei

print "set skip on" with -v in such a way that the output is valid input
syntax, instead of the cryptic hex flags output.


# 1.479 27-Feb-2005 dhartmei

support 'tagged' in translation rules, non-delayed tag lookup
ok henning@, deraadt@


# 1.478 26-Feb-2005 henning

you sure get the impression the number of memory leaks in error paths
is infinite... Andrey Matveev <andrushock@korovino.net> spotted a few again!


# 1.477 07-Feb-2005 david

KNF; ok henning@


# 1.476 28-Jan-2005 dhartmei

add messages for syntax errors that caused silent failure before.
found by Peter Fraser, ok henning@


# 1.475 27-Jan-2005 dhartmei

dynamic interface names must start with a letter. catches the nonsensical
"(10.1.2.3)" that results from a simple typo like "$(ext_ip)" instead of
"$(ext_if)".


# 1.474 05-Jan-2005 mcbride

Modify pfctl behaviour so that 'set ...' options are no longer "sticky", ie.
they are reset to default values if omitted from a subsequent ruleset load.
Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set
without resetting the others, eg:
# echo "set loginterface fxp0" | pfctl -mf -

ok henning@ dhartmei@


# 1.473 29-Dec-2004 mcbride

Print 'set fingerprints' correctly when parsing verbosely.


# 1.472 23-Dec-2004 dhartmei

set rule_flag PFRULE_SRCTRACK when setting srctrack, found by camield@
using regress test pf84


# 1.471 22-Dec-2004 dhartmei

Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@


# 1.470 15-Dec-2004 henning

missing free()s; with pat


# 1.469 10-Dec-2004 henning

allow pf to filter on route labels
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan


# 1.468 08-Dec-2004 mcbride

Add "'overload' requires 'max-src-conn' or 'max-src-conn-rate'" sanity check,
fix some cut-n-paste mayhem in other related checks.


# 1.467 07-Dec-2004 dhartmei

re-commit mcbride@'s 'flush global', this time without the breakage in
pfvar.h. builds kernel and userland.


# 1.466 07-Dec-2004 deraadt

real backout


# 1.465 07-Dec-2004 deraadt

oops, incomplete backout


# 1.464 07-Dec-2004 deraadt

tree does not compile, spotted by dlg (not obvious how to fix)
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.463 07-Dec-2004 mcbride

Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.462 05-Dec-2004 dhartmei

initialize $$->tail and $$->next for MAXSRCCONNRATE


# 1.461 04-Dec-2004 mcbride

Userland support for limiting open tcp connections per source. eg:

keep state (max-src-conn 1000, max-src-conn-rate 100/10, overflow <bad> flush)

allow a maximum of 1000 open connections or 100 new connections in 10 seconds.
The addresses of offenders are added to the <bad> table which can be used in
the ruleset, and existing states from that host are flushed.

ok deraadt@ dhartmei@
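
The per-source limits described in the 1.461 entry above and the two flush
modes from the 1.463 entry, as an added example that is not pf(4) code: a
Python model of max-src-conn, max-src-conn-rate N/M and "overload <table>
flush [global]" (the keyword is spelled overload, as in the 1.463 and 1.468
entries). pf tracks the rate with a decaying counter; this model keeps a
sliding window of timestamps, which is simpler but not the same algorithm.
The state table, the source addresses and the timestamps are constructed,
and refusing packets from an address already in the table stands in for a
"block from <bad>" rule in the ruleset.

```python
"""Toy model of pf's per-source limits from the 1.461 and 1.463 log entries:
max-src-conn, max-src-conn-rate N/M, and 'overload <table> flush [global]'.
Added example, not pf(4) code.  pf counts the rate with a decaying counter;
this model keeps a sliding window of timestamps.  The state table, sources
and times are constructed."""
from collections import defaultdict, deque


class SourceLimiter:
    def __init__(self, rule_id, max_src_conn=None, conn_rate=None,
                 flush_global=False):
        self.rule_id = rule_id
        self.max_src_conn = max_src_conn
        self.conn_rate = conn_rate          # (count, seconds), e.g. (100, 10)
        self.flush_global = flush_global
        self.overload = set()               # the <bad> table
        self.recent = defaultdict(deque)    # src -> times of recent new states
        self.states = []                    # toy state table: (src, rule_id)

    def open_from(self, src, rule_id=None):
        """Open states from src, optionally only those created by rule_id."""
        return sum(1 for s, r in self.states
                   if s == src and (rule_id is None or r == rule_id))

    def _over_limit(self, src, now):
        if self.max_src_conn is not None and \
                self.open_from(src, self.rule_id) + 1 > self.max_src_conn:
            return True                     # too many open connections
        if self.conn_rate is not None:
            count, secs = self.conn_rate
            window = self.recent[src]
            while window and window[0] <= now - secs:
                window.popleft()            # drop entries outside the window
            if len(window) + 1 > count:
                return True                 # too many new connections in secs
        return False

    def _flush(self, src):
        """1.463 default: flush only this rule's states from src;
        'flush global' flushes every state originating from src."""
        self.states = [(s, r) for s, r in self.states
                       if s != src or (not self.flush_global and r != self.rule_id)]

    def new_state(self, src, now):
        """Return True if the connection gets a state, False if it is refused."""
        if src in self.overload:
            return False                    # stands in for 'block from <bad>'
        if self._over_limit(src, now):
            self.overload.add(src)          # offender goes into the table
            self._flush(src)
            return False
        self.recent[src].append(now)
        self.states.append((src, self.rule_id))
        return True


def run_rate_sample():
    """max-src-conn-rate 2/10: the third new connection within 10 s overloads."""
    lim = SourceLimiter(rule_id=1, max_src_conn=1000, conn_rate=(2, 10))
    lim.states.append(("10.0.0.1", 2))      # a state created by another rule
    accepted = [lim.new_state("10.0.0.1", t) for t in (0, 3, 5, 30)]
    other = lim.new_state("10.0.0.2", 5)    # other sources are unaffected
    return accepted, other, sorted(lim.overload), lim.states


def run_global_flush_sample():
    """max-src-conn 1 with 'flush global': the other rule's state goes too."""
    lim = SourceLimiter(rule_id=1, max_src_conn=1, flush_global=True)
    lim.states.append(("10.0.0.1", 2))
    accepted = [lim.new_state("10.0.0.1", t) for t in (0, 1)]
    return accepted, lim.states


if __name__ == "__main__":
    print(run_rate_sample())
    print(run_global_flush_sample())
```

In the rate sample the default flush removes only the state this rule
created for 10.0.0.1 and leaves the state another rule created, which is the
1.463 default; the global sample shows "flush global" emptying the table for
that source entirely, while 10.0.0.2 is never affected.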


# 1.460 21-Sep-2004 aaron

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok


Revision tags: OPENBSD_3_6_BASE
# 1.459 29-Jun-2004 henning

remove cedric's bogus interface name verification code.
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nice enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being bugged to regularly.
help & ok mcbride@


# 1.458 29-Jun-2004 frantzen

convert a few memcpy()s to strlcpy() so we don't copy uninitialized junk into
an interface name's slack space past the \0. will be needed for the optimizer.
ok henning@


# 1.457 26-Jun-2004 david

add back PF_INOUT, fixes reassemble tcp
ok canacar@ mcbride@


# 1.456 25-Jun-2004 deraadt

repair tree nanobreak by the nanobum


# 1.455 10-Jun-2004 dhartmei

rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
keyword in C++. ok henning@, cedric@


# 1.454 21-May-2004 dhartmei

Use '/' instead of ':' as separator for anchor path components. Note that
the parser now needs quotes around paths containing separators.
ok mcbride@


# 1.453 19-May-2004 dhartmei

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@


# 1.452 24-Apr-2004 cedric

Add "probability xxx" rule modifier. ok deraadt@


# 1.451 22-Apr-2004 henning

typo, From: Jared Yanovich <jjy2+@pitt.edu>


# 1.450 14-Apr-2004 cedric

make antispoof work with dynamic addresses. ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_5_BASE
# 1.449 20-Mar-2004 david

spelling fix; ok dhartmei@ henning@ deraadt@


# 1.448 14-Mar-2004 dhartmei

#include fixes, from Max Laier, ok beck@ henning@


# 1.447 08-Mar-2004 henning

plug 124 memory leaks
ok mcbride@ pb@ dhartmei@


# 1.446 06-Mar-2004 henning

from bgpd:
plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. err(1, "yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.445 01-Mar-2004 dhartmei

support "tagged <name>" on anchor rules, suggested by vd@vmunix.lt,
ok henning@, cedric@


# 1.444 24-Feb-2004 mcbride

'max-src-nodes' requires 'source-track rule'. Set that automatically,
unless 'source-track global' is explicit, in which case error out. Lots of
help from cedric@.

ok cedric@ henning@


# 1.443 24-Feb-2004 cedric

fixup.


# 1.442 24-Feb-2004 mcbride

Check for 'source-track rule' with 'max-src-nodes'.

ok cedric@ henning@


# 1.441 11-Feb-2004 cedric

Fix interface clobbering for link-local addresses. Found by Pyun YongHyeon.
Fix "antispoof for foo" when foo has no addresses.
ok+help dhartmei@, ok mcbride@


# 1.440 10-Feb-2004 henning

KNF


# 1.439 10-Feb-2004 henning

fix at least the worst of Cedric "KNF is for everybody but me" Berger's fuckup


# 1.438 04-Feb-2004 mcbride

Handle rules like 'pass ... proto { tcp udp icmp } ... modulate state'

ok dhartmei@ henning@


# 1.437 03-Feb-2004 henning

fix PR 3664 / jared r r spiegel
we need to save the unexpanded tag/tagged strings before entering the
expansion loop, and at each loop, start with the unexpanded tag, so that
on subsequent loops the macros are replaced with current values and not
the values from previous loop persist
ryan theo ok


# 1.436 05-Jan-2004 henning

few off by ones in strlcpy overflow check; Patrick Latifi


# 1.435 04-Jan-2004 cedric

don't ignore "!" on "binat on !foo". ok mcbride@


# 1.434 31-Dec-2003 deraadt

spacing. note this, cedric


# 1.433 31-Dec-2003 cedric

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now support multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@


# 1.432 30-Dec-2003 henning

fix TAILQ abuse.
TAILQ_REMOVE is a no-no within a TAILQ_FOREACH loop.
also free the symbol itself after removal.
all found while hacking bgpd which incorporates pfctl's sym code (macros).

ok cedric@


# 1.431 19-Dec-2003 henning

i wrote much of these, assert my copyright


# 1.430 19-Dec-2003 deraadt

assert copyright. i rewrite much of this


# 1.429 16-Dec-2003 mcbride

Check that max-src-states and max-src-nodes are not being set to 0.


# 1.428 15-Dec-2003 henning

KNF here too


# 1.427 15-Dec-2003 mcbride

Whitespace.


# 1.426 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


# 1.425 15-Dec-2003 mcbride

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@


# 1.424 29-Nov-2003 dhartmei

allow ':' (range including boundaries) to be used wherever '><' (range
excluding boundaries) is legal. already supported by kernel, requires only
removal of three error messages. ok henning@


# 1.423 22-Nov-2003 henning

daniel stumbled over a broken regress test, and it turned out that I forgot
to commit a diff from 11/6...
do not insert the "block in on ! interface" rule for antispoof statements when
the interface in question does not have any IP address, because that then
expands to
block in on ! interface all
which is obviously bad.
niklas@ found it, dhartmei@ ok, and I think some more ppl ok I don't remember


# 1.422 14-Nov-2003 henning

allow the debuglevel to be set from pf.conf (set debug)

ok cedric@


# 1.421 08-Nov-2003 mcbride

Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.

pass in proto tcp to self flags S/SA keep state (no-sync)

ok cedric@ henning@ dhartmei@


# 1.420 06-Nov-2003 henning

and fix two err() that should be errx() while being here


# 1.419 06-Nov-2003 henning

need calloc here


# 1.418 06-Nov-2003 henning

allow the label macros to be used in tags as well.
the idea is not mine and I'd love to get credit, but I cannot find the mail
any more :-((

ok canacar@ dhartmei@


# 1.417 21-Oct-2003 itojun

don't use NULL as (int)0. henning ok


# 1.416 26-Sep-2003 cedric

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:

- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK

Ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_4_BASE
# 1.415 01-Sep-2003 henning

KNF


# 1.414 28-Aug-2003 kjell

This change is busted. what's worse, REGRESSION TESTS WOULD HAVE CAUGHT IT!
You MUST test network stack changes on BOTH BYTE-ORDERS.
Someone can fix this later, but right now I need to get the damn
firewall up. Grr.


# 1.413 26-Aug-2003 dhartmei

catch port/user/group a <>/>< b with a >= b, from mpech@


# 1.412 25-Aug-2003 dhartmei

catch return-rst ttl values > 255, from aaron@


# 1.411 24-Aug-2003 cedric

Tweaks:
- Make sure we allow only tables in round-robin pools for routing options,
same as what we do for translation rules.
- Don't reject rules like: "nat on sis0 -> <foo>" because
"no address family is given". This is perfectly valid.
ok henning@


# 1.410 22-Aug-2003 david

pf spelling police
ok dhartmei@ jmc@


# 1.409 21-Aug-2003 frantzen

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001


# 1.408 20-Aug-2003 henning

braindeadness police: catch queues which specify themselves as child... 'nuff said


# 1.407 20-Aug-2003 henning

err out nicer on errors in queue def


# 1.406 18-Aug-2003 dhartmei

catch max-mss values > 65535, report by Gregory Steuck


# 1.405 09-Aug-2003 cedric

This patch removes the restriction that tables cannot be used in routing or
redirection rules...

The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.

This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.

Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"

ok henning@ mcbride@


# 1.404 29-Jul-2003 deraadt

indent


# 1.403 19-Jul-2003 cedric

Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
instead of indirectly through struct pf_rule_addr.

Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.

Needless to say: KERNEL/USERLAND SYNC REQUIRED.

ok henning@ mcbride@


# 1.402 18-Jul-2003 cedric

Simplify handling of flags (-R, -N...). Remove PFCTL_FLAG_ALL.
ok dhartmei@


# 1.401 15-Jul-2003 cedric

Repair memory management in table parsing code.
I need vacations.
Found and verified by Pyun YongHyeon.
ok dhartmei@


# 1.400 14-Jul-2003 dhartmei

tpo


# 1.399 11-Jul-2003 cedric

Better parsing and -v support for tables:

- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and bring table definition consistent with other
parsed rules.

ok dhartmei@


# 1.398 10-Jul-2003 cedric

Fix merging of host lists.
ok dhartmei@ henning@


# 1.397 04-Jul-2003 henning

KNF after cedric (grmpf)


# 1.396 04-Jul-2003 henning

allow for a "pass" modifier on translation rules:
nat pass on $ext_if from $a to $b -> $ext_if
when the pass modifier is given, the filter ruleset is _not_ evaluated but
the packets matching this translation rule are passed unconditionally.

ok dhartmei@ cedric@ markus@


# 1.395 03-Jul-2003 cedric

Bye bye atexit(), bye bye globals...
The pfctl.c part will probably need some further improvements.
ok henning@


# 1.394 03-Jul-2003 cedric

This patch finally cleans up pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@


# 1.393 19-Jun-2003 deraadt

knf


# 1.392 18-Jun-2003 henning

change expand_label_addr() to use a switch (h->addr.type) instead of
if .. else if .. else, and handle PF_ADDR_NOROUTE as well.
inspired by a comment from cedric.


# 1.391 18-Jun-2003 henning

when expanding the $srcaddr/$dstaddr label macros and the address is actually
a table reference, don't print nonsense but the table name.
found by claudio jeker, fix by me, agreement by cedric


# 1.390 09-Jun-2003 mcbride

Attempt to resolve byte order confusion in nat code once and for all.

- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()

NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.


# 1.389 25-May-2003 henning

must not run check_netmask() before remove_invalid_hosts() - binat case had it
wrong for the redirection target.
reported by jared r r spiegel <jrrs@ice-nine.org>


# 1.388 19-May-2003 henning

reject invalid netmasks like 10.0.0.0/68, and fix up the netmask for
dynaddr rules after we know the address family

ok dhartmei@, inspired by a session with bob


# 1.387 19-May-2003 henning

all host() receivers have to test for NULL


# 1.386 19-May-2003 henning

if host() returns NULL, it is an error, so err the fuck out and don't
load bullshit


# 1.385 17-May-2003 henning

support inverse matching on tags like
block in ! tagged sometag

ok dhartmei@ pb@


# 1.384 16-May-2003 dhartmei

TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive end-
point, preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@


# 1.383 15-May-2003 henning

properly complain about too long tags


# 1.382 14-May-2003 frantzen

add scrub modifier "reassemble tcp" to turn on stateful TCP normalizations
ok henning@ dhartmei@


# 1.381 14-May-2003 henning

tagging on binat


# 1.380 14-May-2003 henning

enabled tagging on rdr rules


# 1.379 14-May-2003 henning

with tag/tagged given, only whine about missing keep state on pass rules


# 1.378 14-May-2003 frantzen

allow SCRUB rules to specify protocol again. broken sometime in the past.
okie dhartmei@, yay pb@


# 1.377 14-May-2003 henning

tags on nat rules:
nat on $ext_if all tag humppa -> $ext_if
pass out tagged hummpa keep state


# 1.376 13-May-2003 henning

make sure tagging is only ever used with stateful filter rules


# 1.375 13-May-2003 henning

userland part for tagging.
it's now possible to tag packets with an arbitrary tag and filter based on
that tag later on other interfaces:
pass in quick on fxp0 keep state tag blah
pass out quick on wi0 keep state with tag blah
can be used to express trust between interfaces, to distinguish between
NATed connections and connections originating from the firewall itself
and much more

ok dhartmei@ frantzen@ pb@ mcbride@


# 1.374 11-May-2003 mcbride

Don't ntohs() the translation port for nat as it is already in host byte order.
Makes nat ... -> $ext_if port 500 rules work correctly again.

ok henning@ dhartmei@ frantzen@


# 1.373 10-May-2003 henning

support loading of anchors from within the main ruleset via
load anchor anchorname:rulesetname file /path/to/file

ok pb@ dhartmei@ cedric@


# 1.372 03-May-2003 henning

don't free() the char * carrying the rule label too early
noticed by Mathieu Sauve-Frankel <m.sauve at secureops.net> via silc


# 1.371 01-May-2003 henning

ease label handling

ok cedric@


# 1.370 01-May-2003 henning

allow label on antispoof; requested by Gregor Binder <gbinder at sysfive.com>

ok cedric@


# 1.369 30-Apr-2003 cedric

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@


# 1.368 25-Apr-2003 dhartmei

Properly copy the second part of nat proxy port range, when specified.
ok henning@


# 1.367 15-Apr-2003 henning

pass down the unparsed queue opts (struct node_queue_opt) to
print_altq/print_hfsc -> print_hfsc_opts and extract struct node_hfsc_sc
there for each service curve and pass those down to print_hfsc_sc. now
bandwidth specifications in the service curves are printed correctly in the
case of a queue belonging to more than one interface/parent queue, the
parent queues having different bandwidths and the bandwidth on the service
curve being specified in percent.


# 1.366 14-Apr-2003 henning

let print_altq and print_queue take a struct node_queue_bw parameter instead
of distinct bw_percent


# 1.365 13-Apr-2003 henning

KNF


# 1.364 13-Apr-2003 henning

prevent double service curve specification


# 1.363 13-Apr-2003 henning

add support for the HFSC linkshare, realtime, and upperlimit service curves
to be specified.


# 1.362 13-Apr-2003 dhartmei

unbreak (missing })


# 1.361 13-Apr-2003 henning

say bye bye to hfscflags_list and hfscflags_item
welcome hfscopts_list and hfscopts_item, returning a full struct
node_hfsc_opt instead of just an int for the flags. needed because of all
the opts hfsc knows


# 1.360 13-Apr-2003 henning

new struct node_hfsc_opts for, surprise, hfsc options. needed because they
contain bandwidth specifications and we need to carry the unprocessed bw
specs around for quite some time until we can break them down to absolute
values.


# 1.359 13-Apr-2003 henning

pass down the struct node_queue_opts from the altqif/queuespec yacc targets
to expand_altq/expand_queue -> eval_pfaltq/eval_pfqueue and
further down to the new eval_queue_opts() instead of evaluating them directly
in the yacc grammar.
this will be needed to process the hfsc options which can contain relative
bandwidth specifications, and we can't break them down to an absolute one
earlier.


# 1.358 13-Apr-2003 henning

move the structs node_queue_bw and node_queue_opt to pfctl_parser.h.
let eval_pfqueue() and eval_pfaltq() take a pointer to a struct
node_queue_bw instead of two distinct bw_absolute and bw_percent parameters.


# 1.357 13-Apr-2003 henning

move the bandwidth keyword from within the bandwidth target up to the
queue_opts target so the bandwidth parser can be used for other things too;
will be needed for hfsc's linkshare etc


# 1.356 12-Apr-2003 henning

initial support for the HFSC scheduler.
whoever uses that for more than toying around is on drugs. it's far from done.


# 1.355 11-Apr-2003 henning

KNF


# 1.354 11-Apr-2003 henning

don't set r->qid and r->pqid in expand_rule any more, queue name -> queue ID
mapping is done in kernel land now


# 1.353 07-Apr-2003 dhartmei

Catch and refuse invalid icmp codes (> 255). ok pb@, mpech@.


# 1.352 05-Apr-2003 henning

ease netmask handling a bit

input theo, ok dhartmei@


# 1.351 05-Apr-2003 henning

allow queue specs to be limited to certain interfaces.

altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two }
queue one priority 1 priq(default)
queue two on $if0 priority 15
queue two on ! $if0 priority 0

ok dhartmei@


# 1.350 05-Apr-2003 henning

whitespace KNF


# 1.349 04-Apr-2003 henning

clean up:
instead of letting the lexer interpret '<' '>' '=' '>=' '<=' and return them
as PF_OP_LT, PF_OP_GT etc etc etc in PORTUNARY, just let the lexer return
'<' '>' and '=' literally, and in the few cases where the old PORTUNARY was
really used like originally intended, replace that by a new unaryop yacc
target. in all other cases that gets rid of quite some checks whether PORTUNARY
is really < and nothing else etc etc etc.

ok cedric@ deraadt@


# 1.348 27-Mar-2003 henning

lotsa const char *
from David Hill <david at phobia.ms> a while ago


# 1.347 27-Mar-2003 henning

introduce a "yesno" target. eases code a bit and yes is no keyword any more.


# 1.346 27-Mar-2003 henning

handle invalid priq/cbq flags better and give a nice error message


# 1.345 27-Mar-2003 henning

default, borrow, ecn, red and rio are no keywords any more. use STRING and
strcmp instead.


# 1.344 27-Mar-2003 henning

switch symset/symget to TAILQ instead of using hand baked lists

ok dhartmei@ cedric@


Revision tags: OPENBSD_3_3_BASE
# 1.343 19-Mar-2003 henning

branches: 1.343.2;
kill the address token and move the host() invocation up to the host token,
so that host() always gets the full address to be parsed including the
netmask instead of applying the netmask afterwards. this could break some
edge cases and was broken since the (interface)/24 fix.
new token dynaddr for, well, dynaddr, and apply an eventually given netmask
afterwards in the host token just in this case.

found after bug report From: Julien Bordet <zejames@greyhats.org> via dhartmei

ok daniel cedric


# 1.342 10-Mar-2003 henning

correctly cope with errors returned by eval_pfqueue and pfctl_add_altq

ok dhartmei@ pb@ (as part of... you know, monsterdiff)


# 1.341 10-Mar-2003 henning

when complaining about a queue without parent, include the queue name in
the error message

ok dhartmei@ pb@ (as part of a monsterdiff)


# 1.340 09-Mar-2003 henning

cope with LOOP_THROUGH modifying the list (queues).
in case of an error in the queue def in question the queues list remains
unmodified, but the LOOP_THROUGH caused a mod anyway, and the list can stay
empty. subsequent checks for NULL which check for an empty list fail then.
fix by adding an explicit check before looping.
fixes regress pfail31
error report by Kamil Andrusz via pb@, testcase from pb@
ok dhartmei@


# 1.339 09-Mar-2003 henning

cope with the fact that LOOP_THROUGH loops once even if the list is empty by
moving the addition of child queues a bit down after the successful
addition of the current queue and an explicit NULL check before looping.
fixes regress pf59
found by kjc@
ok kjc@ cedric@ dhartmei@


# 1.338 08-Mar-2003 henning

fix the obvious:
since we do not modify the struct pf_altq *a any more but our private copy,
we can of course not inherit the scheduler type from it, since it did not
inherit the scheduler type from the parent.
so just inherit the scheduler type from the parent directly...

ok dhartmei@ cedric@


# 1.337 08-Mar-2003 henning

in expand_queue, make a private copy of the struct pf_altq before modifying
it. modifying the original one had undesired side effects if a queue was
expanded to more than one because it belonged to more than one interface

ok pb@ cedric@ dhartmei@


# 1.336 06-Mar-2003 henning

fix queue assignment on filter rules which are not bound to an interface.
when looking up the queue IDs using qname_to_qid, we do not need to limit
the matching on the interface in question, as it is guaranteed that same
named queues on different interfaces have the same queue id. moreover, we
must not limit the matches to the interface if we do not have an interface
given on the filter rule to match on ;-)

found after problems reported by Andre Nathan <andre at v2r dot com dot br>

ok dhartmei@ pb@ cedric@


# 1.335 02-Mar-2003 henning

when printing queues at load time that have bandwidth specified in percent,
print the bandwidth in percent instead of the calculated absolute value.
if a queue belongs to more than one interface and they have different
bandwidth the calculated absolute is of course different per interface.
previously the first calculated absolute value was shown; what of course is
incorrect on the second interface. note that only the print was wrong, the
correct values were passed to the kernel.

ok theo daniel


# 1.334 02-Mar-2003 henning

remove the control keyword for cbq queues.
the control class was a legacy of the original CBQ design by LBL/Sun
to support RSVP.
the control class is not used in openbsd, in the sense that
we don't automatically set filters for ICMP/IGMP/RSVP for the control
class.

ok dhartmei@ kjc@ deraadt@


# 1.333 27-Feb-2003 david

modify error message to match the same 7 sections in pf.conf(5)
ok deraadt@ henning@


# 1.332 26-Feb-2003 henning

in expand_rule, correctly set r->pqid if a priority queue was defined, and
reuse the value of r->qid if not.

ok dhartmei@ mcbride@


# 1.331 25-Feb-2003 henning

some minor KNF my fingers just did...

ok dhartmei@ cedric@


# 1.330 25-Feb-2003 cedric

repair/simplify/flexify binat userland.
ok dhartmei@ henning@


# 1.329 24-Feb-2003 henning

when a macro is redefined, don't bother with reusing the existing entry in
symset() but just prepend a new sym entry to symhead like we always did. as
symget searches the list sequentially, the newest one is picked first.
prevents an endless loop introduced when trying to reuse the existing entry
by an invalid setting for the next pointer.
fixes regress test pf57.

found after conversation with Chris Linn, celinn at mtu dot edu

ok dhartmei@ cedric@


# 1.328 21-Feb-2003 henning

re-allow set loginterface none
ok cedric@ dhartmei@


# 1.327 21-Feb-2003 henning

better error message if set loginterface is called with nonexistent
interface, found by krause (who is doing EXCELLENT work. Thank you very
much!), fix by me, ok dhartmei@ and cedric@


# 1.326 20-Feb-2003 henning

reject nonexistent interfaces in the dynaddr case, noticed during discussion
with jasondixon at myrealbox dot com

ok dhartmei@


# 1.325 19-Feb-2003 dhartmei

Make 'from (kue0)/24' work again (dynamic interface name translation with
a /prefix), reported by Jason Dixon. ok henning@


# 1.324 19-Feb-2003 henning

better error message on icmp version / address family mismatch

ok markus@


# 1.323 18-Feb-2003 henning

fix load option handling (-A, -N, -R) for options.
due to a bug in the loadopt check options were always loaded no matter which
loadopts were specified.
while being there, move the prints for that to where they belong, into the
appropriate pfctl_set_* functions, and thus only print when the options are
actually loaded.
fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier.

ok dhartmei@


# 1.322 17-Feb-2003 henning

"optarg" was a bad pick for the variable name in pfctl_cmdline_symset, it
shadows a global. rename.


# 1.321 17-Feb-2003 mpech

-#include <sys/ioctl.h>

mcbride@, dhartmei@ ok


# 1.320 16-Feb-2003 henning

unneeded {}


# 1.319 16-Feb-2003 henning

throw a syntax error if the portunary operator in varset is no '='
extif>"whatever"
should not be the same as
extif="whatever"
but a syntax error.


# 1.318 14-Feb-2003 dhartmei

Allow route-to loopback interfaces again, since Ryan fixed the loops that
might have occurred before.


# 1.317 14-Feb-2003 cedric

Better and more consistent error message.
Ok dhartmei@


# 1.316 13-Feb-2003 henning

ease the yacc a bit by using a "not" rule instead of having two rules w/ and
without '!' everywhere

ok dhartmei@


# 1.315 12-Feb-2003 henning

KNF after ryan


# 1.314 12-Feb-2003 mcbride

Simplify the code and make the parser handle the different rule types
more consistently.

- Merge expand_nat and expand_rdr into expand_rule
- Merge rdrrule token into natrule

ok concept henning@
ok dhartmei@


# 1.313 11-Feb-2003 henning

allow macro definition on the command line:
pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea
theo), very handy if your notebook has another NIC at some conference, as
well as for debugging etc.
idea rezine@mistrusted.net via pb@
hacked live at FOSDEM

ok pb@ dhartmei@ cedric@


# 1.312 09-Feb-2003 henning

more live code from FOSDEM:
make
pass in proto tcp to port 80
work.
-allow to omit the "any" if you're specifying a port
-allow to omit the from or to part if you want "any" for the other

ok dhartmei@ pb@


# 1.311 09-Feb-2003 henning

KNF


# 1.310 09-Feb-2003 camield

Fix a few warnings and remove unnecessary check and cast.

ok dhartmei henning


# 1.309 08-Feb-2003 dhartmei

Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@


# 1.308 05-Feb-2003 cedric

Fix "pass out dup-to (tun0 1.1.1.1) inet6 all" error message
Allow "pass out dup-to tun0 all"
ok mcbride@ henning@


# 1.307 05-Feb-2003 mcbride

Set the network mask to all 1's if no address is specified for a
route-to/dup-to/reply-to rule. Keeps round-robin from incrementing through
the entire address space.

ok dhartmei@


# 1.306 03-Feb-2003 deraadt

pretty


# 1.305 03-Feb-2003 dhartmei

Don't allow loopback interfaces as route/reply/dup-to targets. ok henning@


# 1.304 03-Feb-2003 cedric

remove loadopt global definition and cleanup a bit.
ok henning@


# 1.303 03-Feb-2003 henning

fix a problem with queue definitions when load options (like -N etc) are
given; they used to check for their parent interface/queue even in this
case.

ok dhartmei@ cedric@


# 1.302 02-Feb-2003 henning

there is no need to pass opts to parse_rules explicitely; it's passed as
part of the struct pfctl.


# 1.301 27-Jan-2003 deraadt

KNF


# 1.300 25-Jan-2003 mcbride

Match changes for rdr port ranges made to pf.c:
- fixes behaviour of rdr on le0 from foo to bar port 1:20 -> (lo0) port 22
- makes calculated mapping more explicit for the -> (lo0) port 22:* case

testing from dhartmei@

ok dhartmei@


# 1.299 25-Jan-2003 cedric

Fix NOACTION with table statements.


# 1.298 25-Jan-2003 cedric

Permit initialisation of a table content from a file in pf.conf.
Cleaning up of the table options parsing, more flexible.
idea+cleanup deraadt@, ok dhartmei@, pass all regress tests.


# 1.297 25-Jan-2003 cedric

Correctly check illegal constructs with tables. Better error messages.
ok dhartmei@ pass all regress tests.


# 1.296 25-Jan-2003 henning

if a table name is too long, it's actually nice to tell so instead of just
aborting with a syntax error


# 1.295 20-Jan-2003 camield

Remove unused argument from print_name() and fix two other nits
found by lint.

ok henning


# 1.294 19-Jan-2003 camield

Spin off label string expansion into a separate function. Clarifies
and tightens all expand_label functions.

ok dhartmei henning


# 1.293 18-Jan-2003 henning

KNF after ryan...


# 1.292 18-Jan-2003 mcbride

Add missing token string and assignment to make static-port work for real.

Diff and report courtesy of mpech@ and form@

ok dhartmei@


# 1.291 17-Jan-2003 camield

bandwith -> bandwidth

YYERROR on failed parseicmpspec()

ok dhartmei mcbride henning


# 1.290 15-Jan-2003 mpech

Typo in yyerror().

henning@


# 1.289 14-Jan-2003 henning

unified IP parser:
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h]
-extend host() to handle /mask itself, plus minor adjustments
-use that in pfctl_table.c instead of coding the same shit again

discussed w/ cedric@
ok cedric@ dhartmei@


# 1.288 13-Jan-2003 camield

err() on all memory allocation failures

ok henning dhartmei


# 1.287 11-Jan-2003 mcbride

Whitespace KNF


# 1.286 09-Jan-2003 henning

no need for explicit numbering in enums

ok dhartmei@


# 1.285 09-Jan-2003 dhartmei

Check return values on the remaining strlcpy/strlcat. ok henning@


# 1.284 09-Jan-2003 henning

minor KNF


# 1.283 09-Jan-2003 cedric

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@


# 1.282 08-Jan-2003 deraadt

check more strlcpy; camield@


# 1.281 07-Jan-2003 dhartmei

Allow underscore at the beginning of strings, fixes
pass all user _spamd
which was refused as syntax error before. Reported by Joe Nall.
ok henning@


# 1.280 07-Jan-2003 dhartmei

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@


# 1.279 06-Jan-2003 mcbride

Fix some oversights with address pools for route-to/dup-to/reply-to
- copy key for src-hash
- copy pool type (pools were being set to round-robin in all cases)

+ some minor knf.

ok dhartmei@


# 1.278 05-Jan-2003 henning

err after calloc failure, not errx


# 1.277 05-Jan-2003 dhartmei

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@


# 1.276 04-Jan-2003 dhartmei

move noroute from flag in pf_rule_addr into type in pf_addr_wrap.
ok henning@, mcbride@


# 1.275 04-Jan-2003 deraadt

I do not know where this policy of "one .h file for every .c file" comes
from, but whoever thought of it is stupid.


# 1.274 03-Jan-2003 dhartmei

whitespace KNF (no, i don't touch the option inits)


# 1.273 03-Jan-2003 cedric

Bring in userland code for accessing PF radix tables.
ok dhartmei@ mcbride@


# 1.272 02-Jan-2003 mcbride

Require a direction to be specified for rules which do routing.

ok dhartmei@ henning@


# 1.271 30-Dec-2002 mcbride

Change ipv6-icmp-type to icmp6-type. pf.conf files will need to be adjusted
to reflect this.

ok dhartmei@ henning@


# 1.270 27-Dec-2002 mcbride

Since pf_norm.c looks at rule.log to see if it should log packets being
dropped due to scrub violations, this adds the ability to set this in
pf.conf.

ok henning@


# 1.269 21-Dec-2002 henning

always initialize rpool.key; diff from Frank Denis; KNF by me


# 1.268 21-Dec-2002 henning

KNF


# 1.267 20-Dec-2002 dhartmei

remove a redundant assignment.


# 1.266 19-Dec-2002 dhartmei

fix 'no rdr'.


# 1.265 18-Dec-2002 henning

more KNF


# 1.264 18-Dec-2002 dhartmei

proto list expansion is not supported in binat-anchor yet, print an error
when attempted.


# 1.263 18-Dec-2002 dhartmei

Support (single) destination port in rdr-anchor rules. Print an error
where parameters are not supported (in rdr-anchor and binat-anchor) yet.
If those are needed, we'll have to expand them properly.


# 1.262 18-Dec-2002 deraadt

fix some INCREDIBLE new bugs which were introduced


# 1.261 17-Dec-2002 henning

add support for the PRIQ scheduler

partially from kjc@

ok kjc@ dhartmei@


# 1.260 17-Dec-2002 mcbride

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule

ok dhartmei@ henning@


# 1.259 17-Dec-2002 henning

missing break in switch


# 1.258 17-Dec-2002 henning

beautify the %type block


# 1.257 17-Dec-2002 henning

PRIQ and HFSC support functions, not yet used.
mostly from kjc@ with adjustments by me.

ok theo ryan daniel


# 1.256 16-Dec-2002 henning

only create a root queue if scheduler = cbq


# 1.255 16-Dec-2002 henning

get full [scheduler]_opts struct instead of just .flags, and wrap in into a
switch (scheduler) statement in one case

inspired by kjc@


# 1.254 13-Dec-2002 henning

allow a second queue for higher prioritized (currently: tos=lowdelay) packets
to be specified per rule

queue (qname, priorized_qname)

idea dhartmei
ok dhartmei@ frantzen@ deraadt@


# 1.253 13-Dec-2002 henning

a bit of KNF originally part of another diff soon to come; frantzen@ correctly
pointed out that should be a separate commit.


# 1.252 13-Dec-2002 deraadt

permit re-ordering of some scrub parameters, and also clean up some other
grammar baloney; henning ok


# 1.251 12-Dec-2002 henning

KNF


# 1.250 12-Dec-2002 henning

we don't need to keep a private copy of the queue name in expand_rule,
r->qname is never modified

discussed with dhartmei@


# 1.249 11-Dec-2002 mcbride

Replace strncpy + ugly pointer math with sscanf for reading source-hash keys

ok dhartmei@ henning@


# 1.248 09-Dec-2002 dhartmei

(properly guarded) strcpy() -> strlcpy()


# 1.247 09-Dec-2002 deraadt

do not allow redefinitions in variable option blocks; henning ok


# 1.246 08-Dec-2002 henning

strncpy is evil.


# 1.245 08-Dec-2002 henning

allow flexible options order like Theo did for rules.

idea, lots of input, motivation and ok deraadt@

ATTENTION:
this changes the syntax. the "scheduler" keyword is gone now.
old: altq on $interface scheduler cbq ...
new: altq on $interface cbq ...


# 1.244 07-Dec-2002 dhartmei

Support parameters in anchor rules. Allows conditional evaluation, like:

anchor spews inet proto tcp from any to any port smtp

ok deraadt


# 1.243 07-Dec-2002 henning

more KNF


# 1.242 07-Dec-2002 henning

KNF


# 1.241 07-Dec-2002 henning

shadow cleanup

ok mcbride@ frantzen@


# 1.240 07-Dec-2002 henning

kill an unused param to lungetc


# 1.239 07-Dec-2002 mcbride

Convert the hash of a string key to network byte order. Makes regression
work on all platforms.

Bug found by dhartmei@

ok dhartmei@ henning@


# 1.238 06-Dec-2002 dhartmei

Remove negated address list check again, doesn't work right yet.


# 1.237 06-Dec-2002 dhartmei

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@


# 1.236 05-Dec-2002 henning

fix a small cosmetic problem. if ifa_lookup was called in LOOKUP_NET mode,
it would return things like 127.0.0.1/8. when 127.0.0.1/8 is passed through
the new selftests, it becomes 127.0.0.0/8.
fix: instead of just copying addr.mask in ifa_lookup, use set_ipmask, so it
is 127.0.0.0/8 from the beginning on.


# 1.235 05-Dec-2002 henning

-quote varset in -v output
-don't add 's' in set timeout -v output

makes the feedback regression tests succeed.

ok markus@ mcbride@


# 1.234 04-Dec-2002 henning

in host(), apply a given netmask to all members of the node_host list
returned by ifa_lookup().

reported by Alejandro G. Belluscio

ok dhartmei@


# 1.233 04-Dec-2002 deraadt

do not warn for unused variables except with -v -v; henning ok


# 1.232 02-Dec-2002 henning

KNF


# 1.231 02-Dec-2002 deraadt

permit more flexible pass/block lines. the options given at the end of
a line can now be placed in any order, and some merging of duplicate options
is also done. this is easier to use.


# 1.230 02-Dec-2002 henning

allow for "altq on $interface" without specifying a bandwidth. The
interface's bandwidth is taken then.
as a side-effect, "altq on $interface bandwidth xx%" is also possible now,
it's relative to the interface's bandwidth then.

ok theo


# 1.229 30-Nov-2002 mickey

move damn unmask() proto into place as well


# 1.228 29-Nov-2002 henning

coredumps are not nice.
deal with the fact that when we are merging the lists in host_list both can
be NULL.
found at EuroBSDCon 2002 while I was explaining the expansion process to
Paul de Weerd

ok dhartmei@


# 1.227 29-Nov-2002 henning

print queuespec only once in verbose mode, even if referenced more often


# 1.226 29-Nov-2002 henning

FREE_LIST nqueues later; can be used more than once


# 1.225 28-Nov-2002 henning

allow qlimit on altq spec


# 1.224 28-Nov-2002 mcbride

- Adjust to match replacement of md5 with pf_hash
- Allow keys to be specified in hex (must be 128 bits, mainly to make
pfctl -v output parseable by pfctl) or as a string. Randomly generate key
if one is not specified.

Suggestions and fixes from camield@

ok mickey@ camield@ henning@


# 1.223 27-Nov-2002 henning

handle the "no bandwidth specified" case earlier and easier.


# 1.222 27-Nov-2002 henning

-use a #define for default qlimit instead of hardcoding it
-print qlimit in print_queue if it is not the default one
-assign the default qlimit early in the parser instead of using 0


# 1.221 27-Nov-2002 henning

next round in print fixes:
-only print priority if it is not equal to the default one
-space handling overhaul


# 1.220 27-Nov-2002 henning

use a #define for default priority instead of hardcoding it


# 1.219 27-Nov-2002 henning

fix tbrsize spec


# 1.218 27-Nov-2002 henning

fix error message for altq ifspec without child queues


# 1.217 26-Nov-2002 henning

make bandwidth specification on queue truly optional


# 1.216 26-Nov-2002 henning

queue comes before NAT


# 1.215 25-Nov-2002 henning

repair decide_address_family
you cannot just take the first address family you meet as the rule's address
family... either all are equal, or the rule has no explicit AF.

found by danh@
ok theo


# 1.214 25-Nov-2002 mickey

for loN and link1 translate the iface into address properly; henning@ ok


# 1.213 25-Nov-2002 henning

1Kb = 1000b, not 1024; as discussed with kjc@ and theo


# 1.212 25-Nov-2002 henning

KNF


# 1.211 24-Nov-2002 pb

enforce that queue comes right before filtering
'options, normalization, translation, queue, filter' now

henning@ ok


# 1.210 24-Nov-2002 dhartmei

Cosmetics and removal of a redundant code block.


# 1.209 23-Nov-2002 deraadt

sigh


# 1.208 23-Nov-2002 henning

KNF


# 1.207 23-Nov-2002 henning

better error checking in expand_queue


# 1.206 23-Nov-2002 henning

easier


# 1.205 23-Nov-2002 mcbride

Daniel's diff to untangle my mess with ifa_pick_ips like so:

- add decide_address_family() which runs through the list to find hosts
with the af set
- replace ifa_pick_ips with remove_invalid_hosts() which removes hosts with
the wrong address family from the list

from/ok dhartmei@


# 1.204 23-Nov-2002 henning

better error checking, round 1
this time in expand_altq


# 1.203 23-Nov-2002 henning

KNF


# 1.202 23-Nov-2002 deraadt

KNF


# 1.201 23-Nov-2002 dhartmei

$$->ifname is NULL, leave it NULL, don't $$->ifname[0] = 0;


# 1.200 23-Nov-2002 mcbride

Fix brokenness in parse.y, clean up:
- remove requirement for ( ) in route-to ( if )
- calloc route_host
- initialise route_host->next
- globally convert malloc to calloc

ok dhartmei@


# 1.199 23-Nov-2002 mcbride

code to support loading of pf rules with multiple redirection addresses
(in nat, rdr, route-to, dup-to and reply-to)

Syntax looks like this, see pf.conf(5) for details:

nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
192.168.0.16/29 source-hash random

rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
{ 192.168.0.8/31, 192.168.0.15 } port 22 round-robin

ok dhartmei@ henning@


# 1.198 22-Nov-2002 henning

print altq and queue lines in the pfctl -v case including the child queue
assignment


# 1.197 19-Nov-2002 henning

only take cbq opts from schedtype if type=CBQ


# 1.196 19-Nov-2002 henning

repair queuespec syntax glitch, theo agrees


# 1.195 19-Nov-2002 henning

default priority is 1, not 0
found by pb@


# 1.194 19-Nov-2002 camield

- match 'Gb' case-sensitively
- match "%" unit only, not "%crap"

ok henning@


# 1.193 19-Nov-2002 wilfried

icmp-type was off by one, ok henning@


# 1.192 18-Nov-2002 deraadt

no; do not use };


# 1.191 18-Nov-2002 henning

more using strl* return values instead of strlen calls


# 1.190 18-Nov-2002 henning

easier "queue name too long" detection; from theo


# 1.189 18-Nov-2002 deraadt

KNF


# 1.188 18-Nov-2002 deraadt

KNF


# 1.187 18-Nov-2002 henning

altq and pf merged

this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documentation yet, but committing now
enables a few more people to work on.

print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.

"commit now" theo philipp daniel


# 1.186 13-Nov-2002 henning

as scrub rules end up in a struct pf_rule just call expand_rule instead of
handcrufting this.
has quite a few positive side effects:
-interface list expansion works (fries@ asked for that)
-can specify address family, very helpful with dynamic interface expansion
(pointed out by daniel)
-src/dst ip/port list expansion works
-fixes a long standing, scary, though never noticed bug:
scrub out on lo1 from any to 10.0.0.1
expanded to
scrub out on lo1 all
... this bug was there from day #1.

"sneaky diff of the month award" dhartmei@


# 1.185 13-Nov-2002 dhartmei

Add label macro $if, as we support {} list expansion for interfaces now.
From David Gwynne. ok henning@, camield@


# 1.184 13-Nov-2002 dhartmei

Initialize tail pointer to node, found by fries@


# 1.183 08-Nov-2002 henning

init buf to NULL just in case...
there isn't a single codepath where it can remain uninitialized, but this
might prevent a stupid bug if we change something later


# 1.182 07-Nov-2002 henning

move the ifa_exists block a bit up in host()
inspired by mpech@ pointing out a missing free(buf). so handle the
it-is-an-interface case where we don't need the buf before allocating memory.


# 1.181 04-Nov-2002 henning

welcome to CIDR world, pfctl!

use inet_net_pton to parse IP addresses.
stuff like
block in from 10/8 to any
works now.

some input camield@ and dhartmei@

ok dhartmei@, camield@, mcbride@


# 1.180 02-Nov-2002 dhartmei

%i -> %d, matches the style of existing code, from millert@


# 1.179 02-Nov-2002 dhartmei

printf int with %i, not %u. from pilot@monkey.org.


# 1.178 30-Oct-2002 henning

simplify


# 1.177 30-Oct-2002 henning

fix interface expansion. since the reversed list expansion code was
committed this was broken, only the first IP address was returned.

pointed out by danh@, who sent an excellent bug report.

ok dhartmei@


# 1.176 29-Oct-2002 henning

introduce
set require-order [yes|no]
default is yes.
with set to "no", it isn't required to have the rules in order (options,
scrub, nat, filter) any more, though of course NATing still happens before
filtering and so on, so one has to take care.

ok camield@ mcbride@ dhartmei@
idea discussed with a whole lotta more people and basically ok for everyone ;-)


# 1.175 27-Oct-2002 henning

remove the "flags X" syntax.
no one who wrote "flags S" meant that, but actually something like "flags
S/SA". with "flags S" changing its actual meaning as more flags got
supported, things got worse.

ok dhartmei@, pb@


# 1.174 22-Oct-2002 mpech

%ul -> %lu

dhartmei@ ok


# 1.173 22-Oct-2002 mcbride

More conversion of "int af" and "u_int8_t af" declarations and function
arguments to the more correct and descriptive "sa_family_t af"

ok dhartmei@ henning@


# 1.172 22-Oct-2002 camield

Rename ipmask to set_ipmask and add some functionality: the netmask
is applied immediately to the address.

This way, the parsed rules output shows exactly which bits of an
address are significant for a match and errors due to wrong netmasks
can be spotted more easily.

Example:
$ pfctl -nvf -
pass in on lo0 from 172.17.0.0/12 to any
@0 pass in on lo0 inet from 172.16.0.0/12 to any

idea refined by dhartmei@
ok frantzen@ henning@

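The entry above (1.172, applying the netmask as soon as the address is parsed), 1.181 further up (parsing CIDR shorthand such as 10/8 with inet_net_pton) and 1.236 above it (ifa_lookup returning 127.0.0.1/8 where 127.0.0.0/8 was meant) all describe the same canonicalisation. The following C program is an added example, not pfctl's code: it hand-parses the IPv4 shorthand instead of calling inet_net_pton(3), masks the address immediately, and prints the canonical form, so 172.17.0.0/12 comes out as 172.16.0.0/12 exactly as in the pfctl -nvf transcript above. IPv4 only; the function names and the sample inputs are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the IPv4 CIDR shorthand pf.conf accepts ("10/8", "172.17.0.0/12",
 * "127.0.0.1") into a host-order address and prefix length. Omitted
 * trailing octets are zero, an omitted prefix means a single host (/32).
 * Returns 0 on success, -1 on malformed input. Hypothetical helper,
 * not pfctl's parser (which uses inet_net_pton). */
static int
parse_cidr4(const char *s, uint32_t *addr, int *bits)
{
	uint32_t a = 0;
	int octets = 0;
	const char *p = s;
	char *end;

	for (;;) {
		unsigned long v;

		if (*p < '0' || *p > '9')
			return (-1);
		v = strtoul(p, &end, 10);
		if (v > 255)
			return (-1);
		a = (a << 8) | (uint32_t)v;
		octets++;
		p = end;
		if (*p != '.')
			break;
		if (octets == 4)
			return (-1);
		p++;
	}
	while (octets++ < 4)		/* "10/8" is 10.0.0.0/8 */
		a <<= 8;
	if (*p == '/') {
		long b;

		if (p[1] < '0' || p[1] > '9')
			return (-1);
		b = strtol(p + 1, &end, 10);
		if (*end != '\0' || b < 0 || b > 32)
			return (-1);
		*bits = (int)b;
	} else if (*p == '\0')
		*bits = 32;
	else
		return (-1);
	*addr = a;
	return (0);
}

static uint32_t
mask4(int bits)
{
	return (bits == 0 ? 0 : 0xffffffffU << (32 - bits));
}

/* Apply the mask to the address as soon as it is parsed, the way
 * set_ipmask() does, so the canonical form is what gets printed and
 * compared. Returns out, or NULL if the input does not parse. */
static char *
canon_cidr4(const char *s, char *out, size_t len)
{
	uint32_t a;
	int bits;

	if (parse_cidr4(s, &a, &bits) == -1)
		return (NULL);
	a &= mask4(bits);
	snprintf(out, len, "%u.%u.%u.%u/%d",
	    (unsigned)(a >> 24), (unsigned)((a >> 16) & 0xff),
	    (unsigned)((a >> 8) & 0xff), (unsigned)(a & 0xff), bits);
	return (out);
}

/* 1 if the canonical form of in is exactly want, 0 otherwise. */
static int
canon_eq(const char *in, const char *want)
{
	char buf[32];

	if (canon_cidr4(in, buf, sizeof(buf)) == NULL)
		return (0);
	return (strcmp(buf, want) == 0);
}

/* 1 if the parser rejects in. */
static int
canon_fails(const char *in)
{
	char buf[32];

	return (canon_cidr4(in, buf, sizeof(buf)) == NULL);
}

int
main(void)
{
	/* constructed sample inputs */
	static const char *samples[] = {
		"172.17.0.0/12", "127.0.0.1/8", "10/8", "10.1.2.3", "1.2.3.4/33"
	};
	char buf[32];
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-16s -> %s\n", samples[i],
		    canon_cidr4(samples[i], buf, sizeof(buf)) ? buf : "(rejected)");
	return (0);
}
```

The point of masking early is the one the commit makes: a typo in the address (172.17 with a /12 that covers 172.16.0.0) is visible in the parsed output, because the printed rule is what the kernel will actually match on.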

# 1.171 17-Oct-2002 mcbride

These checks are also made in nat_consistent() and rdr_consistent().

ok dhartmei@ henning@


# 1.170 17-Oct-2002 camield

- accept all protocols that are specified by number if they are in
the valid range (also when they're not listed in /etc/protocols)
- explicitly disallow protocol number 0, because it has special meaning
to pf

ok dhartmei@ henning@


# 1.169 16-Oct-2002 mpech

Fix and improve binat mask comparison.

dhartmei@, henning@ ok


# 1.168 14-Oct-2002 henning

Allow one to specify a netblock in a binat rule:

binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27

Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.

from ryan

ok dhartmei@

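As an added illustration of the netblock binat rule above (example code, not pf's translation code): the function below keeps the host bits of the packet's address and replaces the network bits with those of the redirect netblock, rejects netblocks whose host bits are not all zero, and refuses addresses outside the source netblock. Because a binat rule applies in both directions, the same function maps replies back when the two netblocks are swapped. The single prefix length parameter encodes the requirement that both masks be identical. Function names and the sample host addresses (192.168.0.40 and 10.0.7.136, chosen inside the netblocks of the commit message) are assumptions of this example.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t
mask4(int bits)
{
	return (bits == 0 ? 0 : 0xffffffffU << (32 - bits));
}

/* Dotted quad -> host-order integer; -1 on bad input. */
static int
addr4(const char *s, uint32_t *a)
{
	struct in_addr in;

	if (inet_pton(AF_INET, s, &in) != 1)
		return (-1);
	*a = ntohl(in.s_addr);
	return (0);
}

/* binat with netblocks: for an address inside from/bits, keep its host
 * bits and take the network bits from to/bits. One prefix length for both
 * sides encodes the rule that the masks must match. Returns 0 and writes
 * the dotted result, or -1 if either netblock has host bits set, bits is
 * out of range, or addr is outside from/bits. Hypothetical model, not
 * pf's code. */
static int
binat_map(const char *from, const char *to, int bits, const char *addr,
    char *out, size_t len)
{
	uint32_t f, t, a, m;
	struct in_addr res;

	if (bits < 0 || bits > 32)
		return (-1);
	m = mask4(bits);
	if (addr4(from, &f) == -1 || addr4(to, &t) == -1 ||
	    addr4(addr, &a) == -1)
		return (-1);
	if ((f & ~m) != 0 || (t & ~m) != 0)
		return (-1);		/* not a clean network address */
	if ((a & m) != f)
		return (-1);		/* this rule does not cover addr */
	res.s_addr = htonl(t | (a & ~m));
	if (inet_ntop(AF_INET, &res, out, len) == NULL)
		return (-1);
	return (0);
}

/* 1 if addr maps to want under the rule, 0 otherwise. */
static int
binat_eq(const char *from, const char *to, int bits, const char *addr,
    const char *want)
{
	char buf[INET_ADDRSTRLEN];

	if (binat_map(from, to, bits, addr, buf, sizeof(buf)) == -1)
		return (0);
	return (strcmp(buf, want) == 0);
}

/* 1 if the rule refuses to translate addr. */
static int
binat_rejects(const char *from, const char *to, int bits, const char *addr)
{
	char buf[INET_ADDRSTRLEN];

	return (binat_map(from, to, bits, addr, buf, sizeof(buf)) == -1);
}

int
main(void)
{
	char buf[INET_ADDRSTRLEN];

	/* outbound, as in "binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27" */
	if (binat_map("192.168.0.32", "10.0.7.128", 27, "192.168.0.40",
	    buf, sizeof(buf)) == 0)
		printf("out: 192.168.0.40 -> %s\n", buf);
	/* reply direction: swap the netblocks */
	if (binat_map("10.0.7.128", "192.168.0.32", 27, "10.0.7.136",
	    buf, sizeof(buf)) == 0)
		printf("in:  10.0.7.136 -> %s\n", buf);
	return (0);
}
```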

# 1.167 11-Oct-2002 camield

When a macro cannot be expanded because it is not defined, say so. Also warn
about unused macros.

ok dhartmei@ henning@


# 1.166 11-Oct-2002 camield

In lgetc(), compress strings of whitespace to a single space. This makes
macros come out right in verbose mode and is less functional overhead.

Also err on whitespace after a backslash. That type of error is hard to
find otherwise.

ok dhartmei@ henning@


# 1.165 08-Oct-2002 vincent

remove <0 checks on unsigned numbers.

ok henning@


# 1.164 07-Oct-2002 dhartmei

-Wsign-compare clean


# 1.163 07-Oct-2002 dhartmei

Two cases of const-correctness and make one global local.


# 1.162 07-Oct-2002 henning

set block-policy [drop|return]
drop is default, same behaviour as before

support
block drop
to override a return policy


# 1.161 07-Oct-2002 henning

support a generic return
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else

ok dhartmei@


# 1.160 07-Oct-2002 henning

make return-icmp work for rules covering both v4 and v6
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)

ok and some input dhartmei@


# 1.159 07-Oct-2002 henning

use a new rule_flag PFRULE_RETURNICMP to decide whether to return-icmp or not
instead of just testing return_icmp > 0

ok dhartmei@


# 1.158 07-Oct-2002 dhartmei

Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.


# 1.157 06-Oct-2002 dhartmei

Move CHECK_ROOT into LOOP_THROUGH, gets rid of one macro and saves
several lines, no functional difference. From Camiel Dobbelaar.


# 1.156 05-Oct-2002 dhartmei

Expand {} lists from left to right, so 'pass in from { a, b } to any'
becomes '@0 pass in from a to any @1 pass in from b to any' instead of
the other way around. Patch from Camiel Dobbelaar.


# 1.155 05-Oct-2002 dhartmei

Allow filtering based on IP header's tos field.


Revision tags: OPENBSD_3_2_BASE
# 1.154 22-Sep-2002 henning

little KNF: return(something) -> return (something)


# 1.153 22-Sep-2002 henning

fix linenumber counting in findeol, and simplify by ignoring the \ case,
that's already handled earlier.
fast-forward on erroneous lines

partially from camield@, parts result of a discussion with Mike

ok frantzen@ dhartmei@


# 1.152 22-Sep-2002 henning

antispoof, take 2.
also block incoming packets with our own IP as src.

discussion & help frantzen

ok ho@ dhartmei@ frantzen@


# 1.151 17-Sep-2002 henning

easier "self" implementation.
no functional changes

ok pb@


# 1.150 15-Sep-2002 henning

set a netmask in the dynaddr case
noticed by <han@mijncomputer.nl>

ok pb@


# 1.149 14-Sep-2002 henning

bit more clue in rdr/nat rules wrt address family examination
don't take the af from host_node structs based on interface lookups, most
interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will
at least have one IP address specified from which we take the af for the
whole rule. The rare exceptional cases require the user to specify the af.

ok frantzen@


# 1.148 12-Sep-2002 henning

check for calloc() failure; ho@


# 1.147 12-Sep-2002 henning

antispoof [log] [quick] for [interface|interface_list] [af]

e. g.

antispoof log quick for { dc0, dc1 } inet

docs & regress coming

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@
IPv6 help itojun@

finally, a long story finds its happy end here.


# 1.146 12-Sep-2002 henning

rework netmask handling:
-don't set netmask in host token handler
-clear netmask in ipmask() proper before setting it
-in ifa_load(), also store interface's netmask and broadcast address
-allow ifa_lookup() to return either the interface's IP address(es), network(s)
or broadcast address(es) - not used anywhere yet. This implies that
ifa_lookup() also returns the netmask now.
-host() returns netmasks, too

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@


# 1.145 08-Sep-2002 henning

be more clueful wrt address family in nat/rdr rules.
behaviour noticed by Paul de Weerd, thanks!

ok dhartmei@


# 1.144 02-Sep-2002 dhartmei

Fix parsing of port ranges in translation rules (port a:b -> port c:d).
ok henning@


# 1.143 02-Sep-2002 dhartmei

Make sure the interface specified with route-to/dup-to/fastroute exists
and null-terminate the interface name. Found by Michael Wallis.
ok henning@


# 1.142 20-Aug-2002 dhartmei

Increase lineno on newlines inside multi-line macro definitions, otherwise
errors on subsequent lines are reported with wrong line numbers.
From Paul B. Henson.


# 1.141 16-Aug-2002 henning

kill duplicated check for '(' and ')' in allowed_in_string


# 1.140 12-Aug-2002 dhartmei

Catch null pointer deref (segfault), from wilfried@


# 1.139 06-Aug-2002 henning

missing free(), mpech@
ok pb@


# 1.138 06-Aug-2002 henning

check for strdup() allocation errors

pointed out by mpech@
ok pb@


# 1.137 31-Jul-2002 henning

KNF, esp. missing prototypes


# 1.136 30-Jul-2002 henning

grmpf.
in some cases, on non-tcp rules flags weren't reset. cosmetic only
problem. but, well, checking for r->flags and r->flagset if we could have
assigned them zero just one round ago is just stupid, and it's not needed to
check them at all.

ok pb@, dhartmei@


# 1.135 30-Jul-2002 henning

allow to specify flags on all rules that include tcp.

these are valid:

pass in from any to any flags S
pass in proto { tcp, udp, icmp } from any to any flags S
pass in proto tcp from any to any flags S

these are invalid:

pass in proto { udp, icmp } from any to any flags S
pass in proto udp from any to any flags S

ok "I've lost my slacker status for at least a week" frantzen@
ok pb@, dhartmei@, deraadt@


# 1.134 26-Jul-2002 henning

make the order of log and quick irrelevant. now both
block in log quick all
and
block in quick log all
work.

ok dhartmei@, deraadt@


# 1.133 23-Jul-2002 henning

timeout_list/_spec and limit_list/_spec don't return anything -> no %type.

ok theo


# 1.132 21-Jul-2002 deraadt

fix route-to also


# 1.131 21-Jul-2002 deraadt

make the , optional in many places. This makes string concat a lot more
useful. Now you can
in = ssh domain www
out = $in ftp finger
pass in proto tcp from any to any port { $in }
pass out proto tcp from any to any port { $out }
a poor example, but the idea is obvious


# 1.130 21-Jul-2002 deraadt

string concat, ie.
a=a b
c=$a $a


# 1.129 20-Jul-2002 deraadt

minor indent tweaks


# 1.128 20-Jul-2002 deraadt

properly split yacc and lex use


# 1.127 19-Jul-2002 deraadt

minor tweaks, sigh


# 1.126 19-Jul-2002 dhartmei

And back out the last change again.


# 1.125 19-Jul-2002 henning

rework the interface lookup routines internals.
less and easier code than before.
no functional changes.

ok frantzen@, dhartmei@


# 1.124 19-Jul-2002 dhartmei

Support # comments at the end of lines and inside (multi-line) string
literals, so you can do things like

macro="{ foo, # first entry
bar, # second entry
baz }" # last entry

or

pass in on $ext_if \ # external interface
proto tcp \ # TCP connections
from any to $ext_if \ # to the gateway itself
keep state

And sneaking in two minor fixes for KNF.


# 1.123 19-Jul-2002 henning

deal with the fact that the struct node_host ifa_pick_ip gets is not always
the result of an interface expansion. in this case ifa_pick_ip does an
address family check (that's actually a (wanted) side effect). Thus, we need
to spit out a meaningful error message in case of a mismatch.
also adjust all the other error messages, they were also assuming that nh is
the result of an interface expansion.
after a looooong discussion on icb (dhartmei@, pb@, me) we agreed on the term
"translation address" for that.

okay dhartmei@


# 1.122 17-Jul-2002 henning

support "self" as address. self expands to all IPv4 and IPv6 addresses of
the machine, on all interfaces. I wanted
block in log on ! lo0 from any to self
for years, and now it's possible.

ok "I may lose my slacking status if I OK it" frantzen@
ok dhartmei@

documentation in pf.conf.5 to come with pb@'s rewrite


# 1.121 16-Jul-2002 dhartmei

Add nat_consistent() and rdr_consistent() for checks that should occur
after rule expansion, similar to rule_consistent(). Fixes the
non-effective test for rdr rules for non-TCP/UDP protocols with ports,
found by mpech@, ok frantzen@


# 1.120 15-Jul-2002 henning

add support for
pass|block on ! $interface ...

ok dhartmei@

will be documented in pf.conf(5) by "I'm not slacking!" pb@ who's currently
reworking this manpage


# 1.119 15-Jul-2002 pb

cosmetics/consolidations to manpage in yyerror()s

ok henning@, dhartmei@


# 1.118 15-Jul-2002 henning

o complain about keep state on block rules
o complain about return-rst on rules which aren't limited to tcp

pointed out by not-slacking-but-testing pb@

ok pb@, dhartmei@


# 1.117 13-Jul-2002 henning

add list expansion for interface and proto in nat rules and for proto in rdr
rules (interface was already there). since the nat.conf/pf.conf merge the
parser accepted these but didn't expand them. ugh.

ok dhartmei@


# 1.116 09-Jul-2002 itojun

check sin6_scope_id field, just in case we change the routing socket API
for scoped address (unlikely due to the deployed codebase...).


# 1.115 09-Jul-2002 itojun

getifaddrs(3) grabs link-local addrs in kernel internal form, convert them
into proper sockaddr_in6.


# 1.114 09-Jul-2002 henning

rework the interface-to-IP routines.

you can use interface names instead of an IP in most places. However, until
now, it was only expanded to the interface's first IPv4 address if existent
(and address family unset or inet) and the first IPv6 address otherwise.

this diff changes that. the interface is properly expanded to all IPs, IPv4
_and_ IPv6, now.

it also cleans up the lookup procedures (well, in fact, they are replaced by
a new one), there's no need for different procedures for IPv4 and IPv6. we
now just have one list of interfaces (AF_LINK) and one list with IPs
(AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and
ifa_lookup.

nat, rdr & friends now use the new function ifa_pick_ip to get the IP in
rules like

nat on $interface from $whatever to any -> $interface

ifa_pick_ip tries to be smart.
if the interface has only one IP address and the nat rule doesn't specify an
address family (or it matches with this address), take this one.
If the address family is specified in the nat rule and there is only one IP
for the given address family, this one is used. if the address family is not
specified and there is more than one IP pfctl throws an error. The same
applies for multiple IPs per address family.

This causes regression tests 18 and 20 to fail because the address family
isn't specified there; diff for those coming.

also fix some prototypes while I'm here.

pb@ found another problem while testing that we must have introduced somewhat
after 3.1.

$cat t
nat on ne3 from any to any -> 213.128.133.5
$pfctl -nvf t
nat on ne3 all -> ?

it's only a representation bug as far as I've checked, nonetheless it should
be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just
steal its target's IP af and set the rule's af accordingly. then inet_ntop
does play nice.
binat rules already enforce having an address family set always and thus are
not affected.

ok dhartmei@, pb@, kjell@
"It looks good" frantzen@

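As an added model of the ifa_pick_ip selection logic described above, and of the mismatch check that 1.123 earlier on this page attaches to it (example code, not pfctl's own): given an interface's address list and the rule's address family (0 when the rule names none), the function succeeds only when exactly one candidate remains, and otherwise reports either that no usable address exists or that the choice is ambiguous and the user must name the family. The interface address lists are constructed from documentation prefixes (192.0.2.0/24 and 2001:db8::/32), not real configurations, and the function and type names are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum pick_result { PICK_OK, PICK_NONE, PICK_AMBIGUOUS };

struct ifaddr {
	int af;			/* 4 or 6 */
	const char *addr;
};

/* Choose the single address a nat/rdr rule can translate to when the
 * target is an interface name. rule_af is 4, 6, or 0 for "not specified".
 * Exactly one candidate must remain; otherwise the caller has to make the
 * rule say inet or inet6, or name an address explicitly. */
static enum pick_result
ifa_pick_ip(const struct ifaddr *ifa, int n, int rule_af, const char **picked)
{
	int i, found = 0;

	*picked = NULL;
	for (i = 0; i < n; i++) {
		if (rule_af != 0 && ifa[i].af != rule_af)
			continue;
		if (found++ == 0)
			*picked = ifa[i].addr;
	}
	if (found == 0)
		return (PICK_NONE);
	if (found > 1) {
		*picked = NULL;
		return (PICK_AMBIGUOUS);
	}
	return (PICK_OK);
}

/* Constructed interface address lists (documentation prefixes). */
static const struct ifaddr dualstack[] = {
	{ 4, "192.0.2.1" }, { 6, "2001:db8::1" }
};
static const struct ifaddr two_v4[] = {
	{ 4, "192.0.2.1" }, { 4, "192.0.2.2" }
};
static const struct ifaddr one_v4[] = {
	{ 4, "192.0.2.1" }
};

/* Wrappers over the samples so results can be checked by name:
 * which is 0 = dualstack, 1 = two_v4, anything else = one_v4. */
static enum pick_result
sample_pick(int which, int rule_af, const char **picked)
{
	switch (which) {
	case 0:
		return (ifa_pick_ip(dualstack, 2, rule_af, picked));
	case 1:
		return (ifa_pick_ip(two_v4, 2, rule_af, picked));
	default:
		return (ifa_pick_ip(one_v4, 1, rule_af, picked));
	}
}

static enum pick_result
sample_result(int which, int rule_af)
{
	const char *p;

	return (sample_pick(which, rule_af, &p));
}

/* 1 if the pick succeeds and yields exactly want. */
static int
sample_picks(int which, int rule_af, const char *want)
{
	const char *p;

	return (sample_pick(which, rule_af, &p) == PICK_OK &&
	    strcmp(p, want) == 0);
}

int
main(void)
{
	static const char *names[] = { "dualstack", "two_v4", "one_v4" };
	static const char *verdict[] = { "ok", "no address", "ambiguous" };
	static const int afs[] = { 0, 4, 6 };
	int which, i;
	const char *p;

	for (which = 0; which < 3; which++)
		for (i = 0; i < 3; i++) {
			enum pick_result r = sample_pick(which, afs[i], &p);

			printf("%-9s af=%d: %s %s\n", names[which], afs[i],
			    verdict[r], p ? p : "");
		}
	return (0);
}
```

The dual-stack case with no address family on the rule is the one the commit message calls out: pfctl refuses rather than guessing, which is why the regression tests that named an interface as target without inet/inet6 started failing.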

# 1.113 08-Jul-2002 dhartmei

Don't allow 'flags' option in non-TCP rules, found by mpech@


# 1.112 05-Jul-2002 henning

unbreak.


# 1.111 05-Jul-2002 henning

another small bug I found while installing a -current pf firewall.
we don't support

pass/block in on ! <interface>

(at least, not yet)
let the parser complain instead of ignoring the '!'

ok pb@, dhartmei@


# 1.110 01-Jul-2002 espie

streamline parse buffer handling (no need to copy value that is not
going to go away).

add explicit pushback buffer, to be able to push IPv6 failed parses back.

handle pushback + parse buffer interactions by using negative indices.

okay dhartmei@, deraadt@


# 1.109 01-Jul-2002 deraadt

KNF


# 1.108 28-Jun-2002 dhartmei

Don't check for address family conflicts in nat/rdr before expansion,
rules will expand to all valid combinations, and there's an error when
none is found. Makes "nat on tun0 from 10.0.0.0/8 to any -> (tun0)"
work (again).


# 1.107 25-Jun-2002 henning

move pfctl options -t, -m, -O and -l to pf.conf. These are set using the
"set" keyword. example rulefile:

set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all

fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@


# 1.106 24-Jun-2002 dhartmei

Use interface when specified in scrub rule. No support for ! or {} yet.


# 1.105 23-Jun-2002 deraadt

uid_t and gid_t are unsigned


# 1.104 20-Jun-2002 dhartmei

Copy address family from inet/inet6 keyword, if specified.


# 1.103 18-Jun-2002 frantzen

propagate a '!' when a host resolves to multiple IP addresses
ok dhartmei@


# 1.102 18-Jun-2002 frantzen

don't allow individual keep state rules to specify timeouts for 'interval' and
'frag' -- they aren't applied anyway
ok dhartmei@ and henning@


# 1.101 16-Jun-2002 aaron

Rules must in order -> Rules must be in order


# 1.100 15-Jun-2002 dhartmei

Reset rulestate in parse_rules(), so consecutive calls (like from authpf)
will not fail. Reported by Chris Kuethe.


# 1.99 13-Jun-2002 kjell

Fix the numbering of scrub rules. pointed out and oked by frantzen@


# 1.98 12-Jun-2002 kjell

Fix uninitialized access. Spotted by danh@ This is a good reason to
develop with "ln -s 'J' /etc/malloc.conf" enabled.
ok henning@


# 1.97 11-Jun-2002 frantzen

split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@. the rest are slacking


# 1.96 11-Jun-2002 frantzen

SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@


# 1.95 11-Jun-2002 dhartmei

Make NAT proxy port range configurable per rule, for instance privileged
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@


# 1.94 10-Jun-2002 kjell

Merge the NAT and rules files into a single rulefile. Rules must be
in this order, to remove any ambiguity about what order things happen in:

scrub rules
nat rules
filter rules

The -N and -R modifiers go away. Rulefiles are now loaded with the
more POSIXly-correct '-f'

ok frantzen@


# 1.93 10-Jun-2002 dhartmei

Allow ports to be specified in nat rules, useful later on for individual
proxy port ranges.


# 1.92 10-Jun-2002 dhartmei

Move enum out of struct (gcc 3.1 wasn't happy), from David Krause


# 1.91 10-Jun-2002 kjell

split scrub rule processing into its own yacc target,
for imminent config file merge. ok frantzen@


# 1.90 09-Jun-2002 dhartmei

Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it
includes ports and operator.


# 1.89 09-Jun-2002 deraadt

spaced out developers...


# 1.88 09-Jun-2002 kjell

Add list parsing in RDR rules: e.g.

rdr on $IFLIST proto tcp from $SRC_LIST to $DST_LIST port 21 \
-> 127.0.0.1 port 8021

ok dhartmei@


# 1.87 08-Jun-2002 henning

nuke unused parameter af to expand_label_port
ok dhartmei@, pb@


# 1.86 08-Jun-2002 dhartmei

Change remaining read-only lookup tables to const, suggestion drahn@


# 1.85 08-Jun-2002 itojun

comment on IPv6 link-local twists


# 1.84 08-Jun-2002 kjell

add list expansion to src/dest in NAT rules. i.e.

nat on fxp0 from { 10.0.0.0/24, 10.0.1.0/24 } to \
{ 172.6.1.1, 172.14.1.2/32 } -> fxp0

ok theo, dhartmei@


# 1.83 08-Jun-2002 henning

remove macro concatenation via += per Theo's advice


# 1.82 08-Jun-2002 henning

allow macro concatenation like
webservers = "{ 10.0.0.1, 10.0.0.7, 10.0.0.8, "
webservers += " 10.0.0.17, 10.0.0.25, 10.0.0.37 }"
ok frantzen@, dhartmei@


# 1.81 08-Jun-2002 dhartmei

Make state timeouts configurable per rule, like

pass in from any to any port www keep state (tcp.established 60)

ok frantzen@


# 1.80 08-Jun-2002 henning

expand $nr -> rule number in rule labels
okay dhartmei@, frantzen@


# 1.79 08-Jun-2002 henning

expand $proto in rule labels
okay frantzen@ dhartmei@


# 1.78 07-Jun-2002 dhartmei

Handle realloc() failure gracefully. Terminates with err() anyway in this
case, but we don't want to trigger "p = realloc(p," grepping causing false
alarms here.


# 1.77 07-Jun-2002 deraadt

henning, read this to see what i mean by KNF


# 1.76 07-Jun-2002 pb

add the possibility to configure a TTL while return-rst

ok dhartmei@, ipv6 part itojun@ ok


# 1.75 07-Jun-2002 dhartmei

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@


# 1.74 07-Jun-2002 henning

allow using $srcaddr, $srcport, $dstaddr and $dstport in rule labels,
evaluated at parse time.
ok dhartmei@


# 1.73 07-Jun-2002 itojun

make IPv6 scope identification work for dst (from any to fe80::1%lo0)


# 1.72 07-Jun-2002 itojun

support scoped IPv6 address in from/to portion.


# 1.71 01-Jun-2002 hugh

ECN flag support for pf. Committed in consultation with Daniel.


# 1.70 24-May-2002 dhartmei

Support mixed (IPv4/v6) address lists, expand to all possible and valid
combinations. 'pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }' will
expand to two rules, 'from 10.1.2.3 to 10.4.5.6' and 'from ::1 to ::2'.
Also applies to host name resolution (when multiple addresses are returned
for one name). ok frantzen@, itojun@

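Added example (not the pfctl source) for the expansion rule stated above, and for 1.156 further up, which fixed the expansion order to left to right: the loop below walks the source list in the outer loop and the destination list in the inner loop, drops every pair whose address families differ, honours an explicit inet/inet6 keyword on the rule (1.104), and reports failure when nothing valid remains (1.108). The nesting order, the '@n' rule numbering format, and the function names are this example's assumptions; the sample addresses are the ones from the commit message.

```c
#include <stdio.h>
#include <string.h>

#define AF_ANY 0		/* no inet/inet6 keyword on the rule */
#define AF_V4  4
#define AF_V6  6

struct host {
	int af;
	const char *addr;
};

struct pair {
	const struct host *src, *dst;
};

/* Expand 'from { src... } to { dst... }' into concrete rules. Sources
 * drive the outer loop and destinations the inner one, so output order is
 * left to right as written; pairs whose families differ are dropped, as
 * are pairs that contradict an explicit inet/inet6 on the rule. Returns
 * the number of rules, or -1 when nothing valid remains (or out is too
 * small). Hypothetical model, not expand_rule() from parse.y. */
static int
expand_hosts(int rule_af, const struct host *src, int nsrc,
    const struct host *dst, int ndst, struct pair *out, int max)
{
	int i, j, n = 0;

	for (i = 0; i < nsrc; i++)
		for (j = 0; j < ndst; j++) {
			if (src[i].af != dst[j].af)
				continue;
			if (rule_af != AF_ANY && src[i].af != rule_af)
				continue;
			if (n == max)
				return (-1);
			out[n].src = &src[i];
			out[n].dst = &dst[j];
			n++;
		}
	return (n == 0 ? -1 : n);
}

/* Sample lists from the commit message. */
static const struct host sample_src[] = {
	{ AF_V4, "10.1.2.3" }, { AF_V6, "::1" }
};
static const struct host sample_dst[] = {
	{ AF_V4, "10.4.5.6" }, { AF_V6, "::2" }
};

/* Format expanded rule k of the sample in pfctl -v style; returns the total
 * number of rules, or -1 if there is no rule k. */
static int
sample_rule(int rule_af, int k, char *buf, size_t len)
{
	struct pair rules[4];
	int n;

	n = expand_hosts(rule_af, sample_src, 2, sample_dst, 2, rules, 4);
	if (n == -1 || k < 0 || k >= n)
		return (-1);
	snprintf(buf, len, "@%d pass in %s from %s to %s", k,
	    rules[k].src->af == AF_V4 ? "inet" : "inet6",
	    rules[k].src->addr, rules[k].dst->addr);
	return (n);
}

static int
sample_count(int rule_af)
{
	char buf[80];

	return (sample_rule(rule_af, 0, buf, sizeof(buf)));
}

static int
sample_rule_eq(int rule_af, int k, const char *want)
{
	char buf[80];

	if (sample_rule(rule_af, k, buf, sizeof(buf)) == -1)
		return (0);
	return (strcmp(buf, want) == 0);
}

/* A v4-only source list against a v6-only destination list has no valid
 * combination, which pfctl reports as an error. */
static int
sample_nomatch(void)
{
	struct pair rules[4];

	return (expand_hosts(AF_ANY, sample_src, 1, sample_dst + 1, 1,
	    rules, 4) == -1);
}

int
main(void)
{
	char buf[80];
	int k, n = sample_count(AF_ANY);

	for (k = 0; k < n; k++) {
		sample_rule(AF_ANY, k, buf, sizeof(buf));
		puts(buf);
	}
	return (0);
}
```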

# 1.69 23-May-2002 deraadt

tiny KNF, some malloc checks, etc


# 1.68 23-May-2002 itojun

new_addr is not used from anywhere. daniel@benzedrine.cx ok


# 1.67 19-May-2002 deraadt

KNF


# 1.66 12-May-2002 dhartmei

Explain that user/group 'unknown' can only be used with operators = and !=
and refuse other constructs in the parser. Also note that 'user >= 0' does
not match forwarded packets with unknown user ID.


# 1.65 12-May-2002 dhartmei

Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.


# 1.64 10-May-2002 dhartmei

Handle host name resolution returning multiple addresses in the rule
parser (expand to every address). ok frantzen@


# 1.63 09-May-2002 jasoni

Add a max-mss option to the scrub rule which will enforce a maximum mss
by lowering it to the given value.
- ok dhartmei@, provos@


# 1.62 09-May-2002 dhartmei

Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.


# 1.61 24-Apr-2002 dhartmei

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).


# 1.60 23-Apr-2002 dhartmei

Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.


# 1.59 18-Apr-2002 deraadt

use strlcpy


# 1.58 17-Apr-2002 dhartmei

Reset lineno for each file, so pfctl -R ... -N ... reports the right
line number for non-first files. Reported by aaron@


Revision tags: OPENBSD_3_1_BASE
# 1.57 27-Mar-2002 mickey

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok


# 1.56 27-Feb-2002 dhartmei

Instead of printing useless @0 rule numbers from pfctl -vR, increase a
counter. Helps debugging rule sets that are not loaded. Suggested by
John Kerbawy.


# 1.55 11-Jan-2002 mickey

use bsearch() for keywords lookup, swap couple of entries to make the keywords array sorted and add a comment to keep it that way; dhartmei@ ok


# 1.54 10-Jan-2002 hugh

Let port 0 be specified as it's not special here.
Agreement with Daniel and others.


# 1.53 09-Jan-2002 mpech

Port must be >0 and <=65535. Idea while having fun with ssh.

dhartmei@ ok


# 1.52 09-Jan-2002 mpech

free() 'interface' in {nat,binat,rdr}rule

dhartmei@ ok


# 1.51 09-Jan-2002 dhartmei

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.


# 1.50 08-Jan-2002 dhartmei

Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.


# 1.49 07-Jan-2002 mpech

remove 3rd argument from ipmask(), not used.

dhartmei@ ok


# 1.48 23-Dec-2001 deraadt

find correct line number in lval, instead of val


# 1.47 10-Dec-2001 dhartmei

Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.


# 1.46 05-Dec-2001 dhartmei

Correctly parse hex numbers. Spotted by Claudio Jeker. Closes PR 2234.


# 1.45 03-Dec-2001 dhartmei

For nat, binat and rdr rules, don't allow different address families in
one rule. pf can't translate IPv4 <-> IPv6 packets. Such rules didn't work,
even if they were falsely accepted before.


# 1.44 26-Nov-2001 jasoni

add fastroute options similar to what is found in ipf
ok dhartmei@, frantzen@


# 1.43 05-Nov-2001 deraadt

no one responds.
this diff makes } and { not be part of symbols


# 1.42 24-Oct-2001 dhartmei

Check interface names using ifa0_lookup() and print error message for
non-existent interfaces (instead of the generic ioctl error returned by
the kernel in this case).


Revision tags: OPENBSD_3_0_BASE
# 1.41 15-Oct-2001 dhartmei

branches: 1.41.2;
Add 'allow-opts' to rules. Packets with IP options will be blocked by
default now, and can be allowed per rule. ok deraadt@


# 1.40 11-Oct-2001 frantzen

Don't htonl() past buffer bounds if ipmask == 128


# 1.39 07-Oct-2001 dhartmei

Add interface name to address translation to pfctl, document it and add
a regress test. Translation is done on rule set load-time only, so the
rule sets must be reloaded when an interface address changes.
parse.y patch from Cedric Berger. Similar patch from Jonathon Fletcher.
Thanks to both.


# 1.38 01-Oct-2001 markus

print variable assignments only if -v is given. ok dhartmei/deraadt


# 1.37 28-Sep-2001 dhartmei

Support underscores in macro names and document it in the man page.


# 1.36 20-Sep-2001 dhartmei

Fix uninitialized structure fields. Problem reported by Cedric Berger.


# 1.35 15-Sep-2001 wilfried

Implement return-icmp(number), return-icmp6(number)
Differentiate between return-icmp and return-icmp6,
icmp-type and ipv6-icmp-type. ok dhartmei@


# 1.34 15-Sep-2001 dhartmei

Fix 'binat ... to any ...' (binat.af wasn't set).


# 1.33 15-Sep-2001 dhartmei

Parse bug, found by wilfried@


# 1.32 15-Sep-2001 frantzen

IPv6 support from Ryan McBride (mcbride@countersiege.com)


# 1.31 12-Sep-2001 markus

check calloc() return value


# 1.30 06-Sep-2001 jasoni

- you can only binat between hosts
- add binat example and description


# 1.29 06-Sep-2001 jasoni

1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@


# 1.28 04-Sep-2001 dhartmei

Support parameter lists {} for interfaces in filter rules, like
pass in on { gm0, kue0 } from any to any


# 1.27 28-Aug-2001 markus

move '!' from host_list to host: "xhost : '!' host | host;"; ok dhartmei@


# 1.26 28-Aug-2001 markus

check for malloc/strdup == NULL


# 1.25 28-Aug-2001 dhartmei

Support ! operator in host parameter lists. Fixes PR system/2030. Reported
by Kamil Andrusz <wizz@mniam.net>.


# 1.24 26-Aug-2001 deraadt

sort keywords


# 1.23 25-Aug-2001 frantzen

PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation.


# 1.22 23-Aug-2001 millert

o for a port_item, initialize the "next" pointer to NULL
o for an address, use calloc() instead of malloc() so the struct is zeroed
Fixes a SEGV in pfctl due to uninitialized "next" pointers.


# 1.21 23-Aug-2001 deraadt

Support var="string". Expansion (at lex time) done using $var, for instance:
okproto="{ssh, smtp, domain, auth}"
pass in on key0 proto tcp from any to any port $okproto keep state
Can I ask someone else to document this in pf.conf(5)?


# 1.20 19-Aug-2001 dhartmei

Add parameter list support to parser. Handles lists for protocol, hosts
and ports in filter rules, like

block in from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
pass in proto tcp from any to any port { ssh, 1024 >< 2000, > 65000 }
block in proto { udp, igmp }

and does rule expansion (generate all needed rule combinations).


# 1.19 16-Aug-2001 deraadt

track the line number per-token, so that we can report errors correctly


# 1.18 14-Aug-2001 mickey

optimize the flags parsing; markus@ ok


# 1.17 11-Aug-2001 deraadt

\+\n support, and spit out cc-style error messages. the parser's line
counting is lex dependent, and will need to be tweaked


# 1.16 31-Jul-2001 wilfried

allow to test that flags are unset, ok dhartmei@, mickey@


# 1.15 19-Jul-2001 krw

Fix/complete the handling of the binary ops >< and <> to behave
like the ipf operators.

The 'n >< m' construct (Include Range = PF_OP_IRG) should match
ports greater than n and less than m, not greater than or equal to
n and less than or equal to m.

The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match
all ports less than n OR greater than m, not be treated as an
alias for ><.

Thus PF_OP_GL, which was used for both <> and >< is replaced with
PF_OP_IRG and PF_OP_XRG with the 'correct' semantics.

OK dhartmei@
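
The `><` and `<>` semantics described above, applied to port list items of the kind the r1.20 message shows (`1024 >< 2000`, `> 65000`), as an added C example. This is not pfctl's parse.y or pf(4) code: the `enum port_op` constants are named after the commit message but defined locally, `parse_portspec`, `port_match` and `matches` are names invented for the illustration, numeric-only ports and the `n < m` requirement for a range are assumptions, and list splitting and rule expansion are left out.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SKIP_WS(s)	while (isspace((unsigned char)*(s))) (s)++

/* Operator names follow the commit message; the enum is local to this example. */
enum port_op {
	PF_OP_EQ, PF_OP_GT,
	PF_OP_IRG,	/* n >< m: inside the range, both ends excluded */
	PF_OP_XRG	/* n <> m: outside the range, both ends excluded */
};

struct portspec { enum port_op op; unsigned p1, p2; };

/* Match port p against a parsed spec with the r1.15 semantics. */
int port_match(const struct portspec *s, unsigned p)
{
	switch (s->op) {
	case PF_OP_EQ:	return p == s->p1;
	case PF_OP_GT:	return p > s->p1;
	case PF_OP_IRG:	return p > s->p1 && p < s->p2;
	case PF_OP_XRG:	return p < s->p1 || p > s->p2;
	}
	return 0;
}

/* Numeric ports only (names would need getservbyname(3)); 1..65535 is the
 * range check r1.53 describes. */
static int parse_port(const char **sp, unsigned *out)
{
	char *end;
	unsigned long v;

	SKIP_WS(*sp);
	if (!isdigit((unsigned char)**sp))
		return 0;
	v = strtoul(*sp, &end, 10);
	if (v < 1 || v > 65535)
		return 0;
	*out = (unsigned)v;
	*sp = end;
	return 1;
}

static int parse_op(const char **sp, enum port_op *op)
{
	const char *s;

	SKIP_WS(*sp);
	s = *sp;
	/* two-character tokens are tried first so "><" is not read as ">" */
	if (s[0] == '>' && s[1] == '<') { *op = PF_OP_IRG; *sp = s + 2; }
	else if (s[0] == '<' && s[1] == '>') { *op = PF_OP_XRG; *sp = s + 2; }
	else if (s[0] == '>') { *op = PF_OP_GT; *sp = s + 1; }
	else return 0;
	return 1;
}

/* Parse one list item as written in pf.conf: "22", "> 65000" or
 * "1024 >< 2000". Returns 1 on success, 0 on a malformed item. */
int parse_portspec(const char *s, struct portspec *out)
{
	unsigned a = 0, b = 0;
	enum port_op op = PF_OP_EQ;
	int have_a, have_op, have_b, binary;

	have_a = parse_port(&s, &a);
	have_op = parse_op(&s, &op);
	have_b = have_op && parse_port(&s, &b);
	SKIP_WS(s);
	if (*s != '\0')
		return 0;			/* trailing junk */
	binary = op == PF_OP_IRG || op == PF_OP_XRG;
	if (have_a && !have_op) {		/* "22": plain equality */
		out->op = PF_OP_EQ; out->p1 = a; out->p2 = 0;
	} else if (have_a && have_b && binary && a < b) {
		out->op = op; out->p1 = a; out->p2 = b;	/* n < m is an assumption */
	} else if (!have_a && have_b && !binary) {
		out->op = op; out->p1 = b; out->p2 = 0;	/* "> 65000" */
	} else
		return 0;
	return 1;
}

/* 1 if port matches spec, 0 if it does not, -1 if spec fails to parse. */
int matches(const char *spec, unsigned port)
{
	struct portspec s;

	return parse_portspec(spec, &s) ? port_match(&s, port) : -1;
}

int main(void)
{
	printf("1024 >< 2000 vs 1024: %d, 1025: %d; 1024 <> 2000 vs 1024: %d, 2001: %d\n",
	    matches("1024 >< 2000", 1024), matches("1024 >< 2000", 1025),
	    matches("1024 <> 2000", 1024), matches("1024 <> 2000", 2001));
	return 0;
}
```

`matches()` returns -1 for an item the parser rejects (port 0, a port above 65535, a reversed range, trailing text), which a ruleset loader should treat as a hard error rather than as a rule that silently matches nothing.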


# 1.14 18-Jul-2001 markus

new ERROR token, errx() -> warnx() + ERROR; ok deraadt@


# 1.13 18-Jul-2001 markus

KNF for return


# 1.12 18-Jul-2001 mickey

check number range to fit in 32 bits


# 1.11 18-Jul-2001 mickey

put range checks on NUMBER, pointed out by deraadt


# 1.10 17-Jul-2001 mickey

spaces, parens, err instead of errx+strerror


# 1.9 17-Jul-2001 markus

warnx()/YYERROR instead of errx(); suggested by mickey@


# 1.8 17-Jul-2001 provos

markus doesn't like min-ttl =, begone


# 1.7 17-Jul-2001 provos

support min-ttl, okay dhartmei@


# 1.6 17-Jul-2001 provos

normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@


# 1.5 17-Jul-2001 marc

bitch about ! in pf rule; ok dhartmei@ and markus@


# 1.4 17-Jul-2001 millert

Only set default proto in the rdr case; markus@ OK


# 1.3 16-Jul-2001 markus

errx() if getservbyname() fails


# 1.2 16-Jul-2001 markus

better flags parsing; dhartmei


# 1.1 16-Jul-2001 markus

add a yacc parser for pf.conf and nat.conf, with help from mickey@,
plus: -n now turns off all operations, and just parses the conf files
ok deraadt@


# 1.689 11-Jan-2019 kn

When creating tables inside anchors, pfctl warned about namespace
collisions with global tables, but only in certain cases and with
limited information sometimes leaving users clueless.

Deferring the check to process_tabledefs() where tables are eventually
created, both anchor and table name are known which allows for checking
all existing anchors.

With this, warn on all duplicates even in dry-runs (`-n') and print
quoted names so they can be copied to fix configurations right away.

No functional change in parsing or ruleset production.

Discussed with and OK sashan


# 1.688 15-Nov-2018 dlg

scrub opts don't set tos, so remove it from the scrub_opts struct

ok deraadt@


# 1.687 10-Nov-2018 kn

Unbreak `-D macro=value' (r1.686 regression)

Zap trailing semicolon introduced with miko's cmdline_symset() leading to
unconditional err(3). Zap trailing tab while here.


# 1.686 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.685 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.684 16-Sep-2018 millert

Use uid_from_user(3) and gid_from_group(3) in utilities that
do repeated lookups. OK tb@


# 1.683 06-Sep-2018 kn

Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan


# 1.682 16-Jul-2018 kn

reduce duplicate code, fix typo/free correct buffer

In filteropts_to_rule():

* Merge `once' handling from `anchorrule' and `pfrule'
* Remove/shorten duplicate code block
* Fix typo I introduced with r1.678 that frees the wrong buffer (twice)

OK sashan


# 1.681 13-Jul-2018 kn

Fix regression on child queue definitions

I committed the wrong diff in 1.680 which turned `queue cq parent pq ...'
into invalid syntax by changing `interface' to `ON if_item'.

Found by bket, thanks!


# 1.680 11-Jul-2018 kn

Prevent invalid interface specifiers on queue rules

pf.conf(5) states that queues attach to actual interfaces only, yet the
following parses:

# echo queue eq on egress bandwidth 1G default | pfctl -f-
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

# echo queue rq on rdomain 0 bandwidth 1G default | pfctl -vf-
queue rq bandwidth 1G default
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

On rdomains, ifa_exists() returns NULL.
On interface groups, ifa_exists() returns non-NULL but af is never set
to AF_LINK.

OK henning sashan


# 1.679 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.678 10-Jul-2018 henning

'set delay' for the generic packet delay mechanism, ok benno sashan


# 1.677 10-Jul-2018 kn

fix anchor rules with filter opts, introduce filteropts_to_rule()

Some filter options were parsed but not set on anchor rules due to missing
copies of the respective struct members:

$ cat pf.conf
queue rq on trunk0 bandwidth 1G
queue dq parent rq bandwidth 1G default
anchor a set queue dq
$ pfctl -vnf pf.conf | fgrep queue
anchor "a" all

Fix this by moving common code from `anchorrule' and `pfrule' into a new
helper filteropts_to_rule().

Input from henning and benno
OK henning sashan jca


# 1.676 09-Jul-2018 kn

Zap dead code

Commented since r1.465 (2004).

OK deraadt benno jca sashan


# 1.675 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.674 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.673 18-May-2018 benno

A pf rule with a "on rdomain n" with nonexisting rdomain n will cause an

pfctl: DIOCADDRULE: Device busy

error when loading the ruleset, with no information which rule caused
the problem and no indication that the problem is the rdomain
<nonexisting>.

This diff makes pfctl check if the rdomain really exists when parsing
the config.

ok bluhm@


# 1.672 09-May-2018 otto

Fix (include file ) line number counting by keeping track of the unget
buffer per file; also use that buffer to expand macros.
ok sashan@ dennis@ krw@


# 1.671 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.670 08-Feb-2018 henning

make the watermarks/thresholds for entering and leaving syncookie mode when
syncookies are set to adaptive tunable, ok claudio benno


# 1.669 06-Feb-2018 henning

allow control over syncookies: set syncookies never/always/adaptive


# 1.668 28-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@


# 1.667 27-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Convert the pfctl(8) rule parser to divert types, kernel cleanup
will be the next step.
OK sashan@


# 1.666 25-Nov-2017 sashan

- pfctl fails to handle nested 'load anchor' properly
[ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]

OK bluhm@


# 1.665 14-Nov-2017 sashan

- nested anchors vs. pfctl/parse.y
bug reported and fix tested by Leonardo Guardati

OK bluhm@


# 1.664 13-Nov-2017 henning

add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb


Revision tags: OPENBSD_6_2_BASE
# 1.663 11-Aug-2017 benno

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@


# 1.662 19-Jul-2017 mikeb

Allow HFSC classes to use flow queues

The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue. Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.

Discussed with and OK henning@ at d2k17 as a part of a larger diff.


# 1.661 19-Jul-2017 mikeb

Rework HFSC vs FQ-CoDel checks

The selection mechanism introduced in pf_ioctl.c -r1.316 suffers
from being too ambiguous and lacks robustness. Instead of relying
on composition of multiple flags in the queue specification, it's
easier to identify the root class (if it exists) and derive all
further checks from it.


# 1.660 28-May-2017 akfaew

Don't check np->port for NULL - it's an array, it's never NULL.

OK bluhm@


# 1.659 15-May-2017 mikeb

Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)

OK sthen, visa


# 1.658 28-Apr-2017 mikeb

Remove double assignments


Revision tags: OPENBSD_6_1_BASE
# 1.657 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.656 23-Nov-2016 bluhm

Explicitly forbid to combine af-to with route-to in pfctl. The
parser cannot handle that correctly and it is unclear whether the
kernel code would work. Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@


# 1.655 26-Aug-2016 guenther

Add <time.h> for time(); sort <*.h> includes

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.654 18-Jul-2016 henning

g/c unused (global!) var: oqueues isn't used any more. ALTQ leftover; not
noticed since struct node_queue stayed. ok claudio benno gcc


# 1.653 22-Jun-2016 kettenis

Add curly braces that were missed in rev 1.651. Add parenthesis to make the
condition in the if statement more readable while I'm there.

ok phessler@, benno@, florian@


# 1.652 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@
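
Macro definition and `$var` expansion with the no-whitespace rule from this commit and the `-D macro=value` splitting of cmdline_symset(), as an added C example covering this message and the `var="string"` expansion described in the r1.21 message. It is not pfctl's code: `symset`, `symget` and `cmdline_symset` reuse names the log mentions, but the signatures, the fixed-size table, `expand_line`, `expand_static`, the bare-`$name`-only syntax and treating an undefined macro as an error are all assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define MAXSYMS	32
#define MAXNAME	64
#define MAXVAL	256

/* Fixed-size symbol table; pfctl keeps a TAILQ, this is only an illustration. */
static struct sym { char name[MAXNAME]; char val[MAXVAL]; } syms[MAXSYMS];
static int nsyms;

/* Define or redefine a macro: 0 on success, -1 on a bad name, an oversized
 * value or a full table. Names are letters, digits and underscore (r1.37);
 * whitespace in particular is refused (r1.652). */
int symset(const char *name, const char *val)
{
	int i;

	if (name[0] == '\0' || strlen(name) >= MAXNAME || strlen(val) >= MAXVAL)
		return -1;
	for (i = 0; name[i] != '\0'; i++)
		if (!isalnum((unsigned char)name[i]) && name[i] != '_')
			return -1;
	for (i = 0; i < nsyms; i++)
		if (strcmp(syms[i].name, name) == 0)
			break;
	if (i == nsyms && nsyms == MAXSYMS)
		return -1;
	if (i == nsyms)
		strcpy(syms[nsyms++].name, name);
	strcpy(syms[i].val, val);
	return 0;
}

/* Value of a macro, or NULL if it is undefined. */
const char *symget(const char *name)
{
	int i;

	for (i = 0; i < nsyms; i++)
		if (strcmp(syms[i].name, name) == 0)
			return syms[i].val;
	return NULL;
}

/* "-D name=value" from the command line: split at the first '='. */
int cmdline_symset(const char *arg)
{
	char name[MAXNAME];
	const char *eq = strchr(arg, '=');

	if (eq == NULL || (size_t)(eq - arg) >= sizeof(name))
		return -1;
	memcpy(name, arg, eq - arg);
	name[eq - arg] = '\0';
	return symset(name, eq + 1);
}

/* Expand every $name in a line, as the lexer does before the parser sees
 * it. Returns 0, or -1 when a macro is undefined or the result does not
 * fit. Only the bare $name form is handled here. */
int expand_line(const char *in, char *out, size_t outsz)
{
	char name[MAXNAME];
	size_t o = 0, n;
	const char *v;

	while (*in != '\0') {
		if (*in != '$') {
			if (o + 1 >= outsz)
				return -1;
			out[o++] = *in++;
			continue;
		}
		for (in++, n = 0; n < sizeof(name) - 1 &&
		    (isalnum((unsigned char)*in) || *in == '_'); n++)
			name[n] = *in++;
		name[n] = '\0';		/* a lone "$" yields "", never defined */
		if ((v = symget(name)) == NULL)
			return -1;	/* undefined macro is an error */
		if (o + strlen(v) >= outsz)
			return -1;
		memcpy(out + o, v, strlen(v));
		o += strlen(v);
	}
	out[o] = '\0';
	return 0;
}

/* Expand into a static buffer; NULL on error. */
const char *expand_static(const char *in)
{
	static char buf[512];

	return expand_line(in, buf, sizeof(buf)) == 0 ? buf : NULL;
}

int main(void)
{
	cmdline_symset("okproto={ssh, smtp, domain, auth}");
	printf("%s\n", expand_static("pass in on key0 proto tcp from any to any port $okproto keep state"));
	printf("symset(\"this is\", \"a variable\") -> %d\n", symset("this is", "a variable"));
	return 0;
}
```

A definition like `this is = "a variable"` is what this commit refuses; here `symset("this is", ...)` returns -1, and a reference to a macro nobody defined is also an error instead of expanding to nothing.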


# 1.651 21-Jun-2016 benno

the manpage documents that af-to does not work on pass out rules, but
the pf.conf parser allows it, which leads to a non-working configuration
being loaded.
this changes the parser to make pass out .. af-to an error.

ok henning@ mikeb@


# 1.650 16-Jun-2016 henning

allow include in inline anchors
with this,
anchor foo {
include "/path/to/rules"
}
works and "load anchor" is obsolete, to be removed somewhen later after
release.
co-production with reyk at bsdcan, ok reyk mikeb benno sasha


Revision tags: OPENBSD_5_9_BASE
# 1.649 01-Sep-2015 sashan

- route-to, dup-to, reply-to should not override the block action

Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>

ok jung@, ok mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.648 21-Apr-2015 mikeb

Improve divert-to specification parsing w.r.t. rule address family.
ok henning


Revision tags: OPENBSD_5_7_BASE
# 1.647 26-Feb-2015 sthen

%% not % in error message; ok millert@ henning@


# 1.646 14-Feb-2015 sthen

Rather than using 0xff as a placeholder for "don't check prio", use 0xff to
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.

Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesn't like it he can change it when he recovers from jet-lag"


# 1.645 10-Feb-2015 henning

since we inherit prio (as in, the queuing priority) from outside sources,
i. e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan


# 1.644 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.643 19-Dec-2014 reyk

Support source-hash and random with tables and dynifs; not just pools.
This finally allows to use source-hash for dynamic loadbalancing, eg.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.

An older pre-siphash version of this diff was tested by many people.

OK tedu@ benno@


# 1.642 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@
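
A scanner that rejects the embedded NUL this commit describes, beside an accept-everything variant that shows why it matters, as an added C example; it is not pfctl's lexer. `scan_quoted_string`, `scanned_len` and `naive_length_mismatch` are names made up here, the backslash handling is a simplification of the lexer's, the explicit byte-length interface and the 64-byte buffers are assumptions, and the input containing the NUL is constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Scan a double-quoted string token starting at in[0] == '"'. The body goes
 * to out (NUL-terminated); the return value is its length, or -1 when there
 * is no opening quote, the closing quote is missing, out is too small, or
 * the body contains a NUL byte. Backslash handling is a simplification of
 * the lexer's: "\" + newline is a line continuation, "\" + any other byte
 * yields that byte. Taking an explicit byte length is what lets a NUL from
 * a fuzzer reach the scanner at all. */
long scan_quoted_string(const unsigned char *in, size_t inlen,
    char *out, size_t outsz)
{
	size_t i, n = 0;
	unsigned char c;

	if (inlen < 1 || in[0] != '"')
		return -1;
	for (i = 1; i < inlen; i++) {
		c = in[i];
		if (c == '"') {
			out[n] = '\0';
			return (long)n;
		}
		if (c == '\\' && i + 1 < inlen) {
			c = in[++i];
			if (c == '\n')
				continue;	/* line continuation */
		}
		if (c == '\0')
			return -1;		/* r1.642: reject embedded NUL */
		if (n + 1 >= outsz)
			return -1;
		out[n++] = (char)c;
	}
	return -1;				/* unterminated string */
}

/* Length of the scanned body, or -1 if the lexer rejects the token. */
long scanned_len(const unsigned char *in, size_t inlen)
{
	char buf[64];

	return scan_quoted_string(in, inlen, buf, sizeof(buf));
}

/* For contrast: what a scanner without the NUL check hands on. It copies
 * the body verbatim and reports the byte count, but the first C-string
 * consumer (a strlcpy into a fixed-size name field, say) stops at the NUL,
 * so the two disagree. Returns reported length minus strlen of the copy. */
long naive_length_mismatch(const unsigned char *in, size_t inlen)
{
	char body[64];
	size_t i, n = 0;

	for (i = 1; i < inlen && in[i] != '"' && n + 1 < sizeof(body); i++)
		body[n++] = (char)in[i];
	body[n] = '\0';
	return (long)n - (long)strlen(body);
}

/* Constructed input, not from any real pf.conf: an anchor name with a NUL
 * in the middle. sizeof - 1 keeps the inner NUL but drops the terminator. */
static const unsigned char sample_with_nul[] = "\"na\0me\"";
static const size_t sample_with_nul_len = sizeof(sample_with_nul) - 1;

int main(void)
{
	char buf[64];
	long r = scan_quoted_string((const unsigned char *)"\"anchor\\\"x\"", 11,
	    buf, sizeof(buf));

	printf("plain token: %ld bytes, body \"%s\"\n", r, r >= 0 ? buf : "");
	printf("token with embedded NUL: scanned_len %ld, naive mismatch %ld\n",
	    scanned_len(sample_with_nul, sample_with_nul_len),
	    naive_length_mismatch(sample_with_nul, sample_with_nul_len));
	return 0;
}
```

The mismatch is the point: once the lexer has accepted a token whose length differs from what every later `strlen`-based consumer will see, any code that trusts the lexer's count to index or copy is working past the end of the string it actually holds, so the cheap place to close that off is the lexer.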


# 1.641 27-Oct-2014 mikeb

Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic. Reported by sthen@;
ok henning benno sthen


# 1.640 25-Oct-2014 lteo

Remove unnecessary netinet/in_systm.h include.

ok millert@


# 1.639 13-Sep-2014 doug

Replace all queue *_END macro calls except CIRCLEQ_END with NULL.

CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.

ok millert@


# 1.638 23-Aug-2014 pelikan

when you specify queues in a rule, make sure they have been defined.

DIOCADDRULE EBUSY turns into an error message that pfctl -n catches.
DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported
to occur, possibly from hfsc.c: this should be fixed as well.

ok henning mikeb sthen


# 1.637 21-Aug-2014 mikeb

deny "once" flags for match rules; ok henning


Revision tags: OPENBSD_5_6_BASE
# 1.636 02-Jul-2014 mikeb

branches: 1.636.4;
condition above makes this part of the check useless;
overlooked in the previous commit


# 1.635 30-Jun-2014 mikeb

Merge two loops in collapse_redirspec into one

This lets us do the checks only once and also make smarter decisions
about the rule's own address family. As a result af-to rules no longer
need to specify the address family after 'pass'.

ok henning


# 1.634 25-Jun-2014 mikeb

Make stricter decisions when handling translation specifications.

In particular, disallow specifications containing addresses of
different address families when rule doesn't specify one, for
example "pass out nat-to { ::1 1.1.1.1 }" will now produce an
error instead of silently picking one of the addresses.

sthen and deraadt agree


# 1.633 17-May-2014 bluhm

When parsing a numerical value for the TOS bits, make sure that it
is in a valid range.
OK henning@


# 1.632 19-Apr-2014 henning

remove altq bits here, too
(i was convinced i committed that yesterday already, hrm)


Revision tags: OPENBSD_5_5_BASE
# 1.631 22-Jan-2014 henning

branches: 1.631.4;
relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.630 21-Jan-2014 henning

if_item can be "any" now.
allows things like
block out on $someif received-on any
to prevent packets to get forwarded to $someif


# 1.629 20-Jan-2014 henning

support "!received-on <interface>", ok dlg benno


# 1.628 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.627 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


# 1.626 17-Oct-2013 henning

cannot have queue definitions inside anchors.
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@@ring0.de>, analysis & fix yours truly


# 1.625 12-Oct-2013 henning

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen


# 1.624 01-Aug-2013 mikeb

Provide local implementations of if_nametoindex(3) and if_indextoname(3)
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance wise this change provides a speed up
factor of 20 with an 11k line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).

"wow!" henning, ok benno, florian


Revision tags: OPENBSD_5_4_BASE
# 1.623 01-Jun-2013 henning

branches: 1.623.2;
remove set-tos backwards compat, moved into the set {} block a year ago
ok ryan


# 1.622 02-Mar-2013 sthen

When a PF rule contains 'set tos' *followed by* a scrub option, the tos
value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning


Revision tags: OPENBSD_5_3_BASE
# 1.621 16-Jan-2013 henning

for consistency with prio etc, the queue assignment really belongs
into the set block. so make pfctl accept, print and the manpage document
. match set queue foo
instead of
. match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc


# 1.620 18-Oct-2012 reyk

Disallow tables and interface address pools for rdr-to, nat-to and
route-to with any other scheduling algorithms than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, eg. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.

Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.

ok zinke@


# 1.619 18-Sep-2012 henning

prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb


Revision tags: OPENBSD_5_2_BASE
# 1.618 10-Jul-2012 bluhm

Allow an implicit address family for af-to rules. If the address
family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6"
there.
OK henning@ mikeb@


# 1.617 10-Jul-2012 henning

set { ... } -> set ( ... )
brought up by ryan, discussed with him and theo and they convinced me


# 1.616 09-Jul-2012 henning

fix some of the confusion we have in pf regarding filter criteria vs
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler


# 1.615 07-Jul-2012 henning

remove incorrect check in pfctl preventing set-tos for ipvshit.
the kernel has code to deal with set-tos and that crap. don't ask for
details. stuart ok


# 1.614 07-Jul-2012 henning

rename prio in struct pf_rule and related structs to set_prio so it is
utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc


Revision tags: OPENBSD_5_1_BASE
# 1.613 19-Dec-2011 mikeb

unbreak rule optimizer; ok henning, looks


# 1.612 12-Dec-2011 mikeb

fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault


# 1.611 03-Dec-2011 mcbride

pfctl_set_hostid always returns 0; don't pretend otherwise and make it a
void function instead.

ok dlg


# 1.610 13-Oct-2011 claudio

pfctl change for af-to / NAT64 support.
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@


# 1.609 07-Sep-2011 haesbaert

Avoid possible SIGSEGV when wrong tos option.


# 1.608 30-Aug-2011 mikeb

One shot rules can be used in pf.conf by specifying a "once" filter option.

ok henning, mcbride


Revision tags: OPENBSD_5_0_BASE
# 1.607 29-Jul-2011 mcbride

Remove requirement to quote 'debug' loglevel for the 'debug' option.

ok henning


# 1.606 27-Jul-2011 mcbride

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt


# 1.605 13-Jul-2011 mcbride

Force user to specify protocol when filtering on user, gid, and os
attributes (this is now required by pf_rule_test()).

ok sthen henning


# 1.604 08-Jul-2011 henning

allow rules to specify "prio X" or "prio (X, Y)" to assign priority levels
for the new priority queueing implementation. valid range is 0 to 7. the old
trick for prioritizing empty ACKs etc remains thru the latter notation
ok ryan mpf sthen plus pea testing and halex and claudio reading


# 1.603 07-Jul-2011 mcbride

Fold pf_test_fragment() into pf_test_rule(), reduce code and fixes
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus


# 1.602 04-Jul-2011 henning

bye bye require-order.
i added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo


# 1.601 03-Jul-2011 henning

g/c RIO traces (aka clean up after tedu :))


# 1.600 03-Jul-2011 zinke

bring in least-states load balancing algorithm

ok mcbride@ henning@


# 1.599 06-Apr-2011 claudio

Userland bits to allow PF to filter on the rdomain a packet belongs to.
This allows to write rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@


# 1.598 05-Apr-2011 mikeb

ditch fastroute, an ipf feature that made its way into pf before
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do. reuse some kernel bits for the upcoming nat64
stuff. "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.


Revision tags: OPENBSD_4_9_BASE
# 1.597 31-Dec-2010 bluhm

According to pf_scrub_ip6() pf does not support the scrub options
no-df, random-id, set-tos for IPv6 rules. Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@


# 1.596 15-Dec-2010 henning

make the "invalid probability:" yyerror suck less
From: Thomas Pfaff <tpfaff@tp76.info>


# 1.595 01-Dec-2010 jsg

remove some unused tokens
ok henning@ mcbride@


# 1.594 24-Sep-2010 henning

remove the check that enforced rdr-to only inbound and nat-to only outbound.
both now can be used in both directions. the kernel allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given, a rule with rdr-to and/or nat-to
and no direction is pretty certainly an error (which it would work,
technically)
ok ryan claudio dlg


# 1.593 22-Sep-2010 henning

new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually


# 1.592 02-Sep-2010 sobrado

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@


Revision tags: OPENBSD_4_8_BASE
# 1.591 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.590 03-Jul-2010 mcbride

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.

tested by phessler
ok henning


# 1.589 23-Mar-2010 henning

remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving anchors aside) is wrong and
conflicts with the general idea of how pf works. last but not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc


Revision tags: OPENBSD_4_7_BASE
# 1.588 13-Jan-2010 deraadt

Move tokens before productions into more consistent places
ok mcbride


# 1.587 13-Jan-2010 mcbride

Allow /netmask notation in redir spec, fix the rest of the regress
tests for illegal conditions in translation/routing.


# 1.586 12-Jan-2010 mcbride

We actually have to keep the translate/route spec addresses around after
collapsing into tables, so that we can handle all possible address family
expansions.


# 1.585 12-Jan-2010 mcbride

Set roundrobin flag correctly, and don't treat a bare interface
like a dynamic one in the routespec.


# 1.584 12-Jan-2010 mcbride

Add restrictions to make @if illegal outside of routing specs;
Fix binat-to sanity checks.


# 1.583 12-Jan-2010 mcbride

Fix some issues in redir spec handling, discovered thanks to dlg testing
- purge irrelevant addresses from the lists before collapsing
- ensure the lists are freed after they're collapsed
- more careful ifname copying, avoiding double-free / use-after-free traps


# 1.582 12-Jan-2010 mcbride

Don't leak @if0 format routing host names, pointed out by claudio.


# 1.581 12-Jan-2010 mcbride

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio


# 1.580 10-Jan-2010 deraadt

lex <=, >=, and != into a single token for correctness and to reduce the
lookahead in the parser
ok henning otto


# 1.579 10-Jan-2010 deraadt

In the non-optimized case, an address list containing "any" (ie. { any 10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1. How long this bug has
been with us is unclear.
ok guenther mcbride


# 1.578 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


# 1.577 24-Dec-2009 dlg

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which interface the packet had to be received on. eg:

pass out on em0 from $foo to $bar received-on fxp0

i've been running this in production for a week now. i find it particularly
useful with interface groups.

no objections, and a few "i like"s from henning, claudio, deraadt, mpf


# 1.576 10-Dec-2009 deraadt

plug some memory leaks; found by parfait, ok henning


# 1.575 22-Nov-2009 henning

cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing


# 1.574 09-Nov-2009 jsg

A few more places to be updated for the route pool change.
expanded version of a diff from Vadim Zhukov.

ok henning@ claudio@


# 1.573 28-Oct-2009 jsg

Add a dedicated pf pool for route options as suggested by henning,
which unbreaks ie route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@


# 1.572 28-Oct-2009 claudio

route_host initializes the netmask to a /128 no matter what af is used so
that the load balancing code does not freak out but because of this
check_netmask() is now complaining. So set the addr.type to PF_ADDR_DYNIFTL
so check_netmask() is fixing up the netmask for IPv4 and stops complaining.
This is a partial fix for the failing regress test 13.
found with jsg, looks good henning


# 1.571 28-Oct-2009 claudio

Correct function name in err and errx.


# 1.570 04-Oct-2009 michele

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who pointed out the limitations of this approach.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@


# 1.569 08-Sep-2009 michele

I had not enough oks to commit this diff.
Sorry.


# 1.568 08-Sep-2009 michele

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.


# 1.567 07-Sep-2009 reyk

implement binat-to as a macro-like rule: a rule using the new binat-to
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. this simplifies the migration from old
binat rules and is less error-prone.

feedback from many, manpage bits from jmc@
ok henning@


# 1.566 03-Sep-2009 reyk

this time i commit the right diff that was
ok henning@ (sorry)


# 1.565 03-Sep-2009 reyk

fix two route-to vs. rdr-to conflicts.

found by sthen@
ok henning@


# 1.564 02-Sep-2009 reyk

all the new *-to options are part of the "filteropts" section at the
end of a pf rule (nat-to, divert-to, rdr-to, ...). take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.

for example,
pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)

many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@


# 1.563 01-Sep-2009 henning

the diff theo calls me insanae for:
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too


# 1.562 28-Jul-2009 claudio

Bring back rev. 1.560:
Make it possible to use DiffServ Code Point in the TOS fields.
Requested by deraadt@


# 1.561 27-Jul-2009 deraadt

When will people learn to commit their .h file changes?


# 1.560 27-Jul-2009 claudio

Make it possible to use DiffServ Code Point in the TOS fields. Names like
af11, cs6 and ef will now be mapped to the corresponding TOS value.
OK henning@, sthen@, mcbride@


Revision tags: OPENBSD_4_6_BASE
# 1.559 14-May-2009 sthen

actually change the require-order default to No; I missed a part with
my last commit. ok deraadt@


# 1.558 26-Apr-2009 sthen

switch the require-order default to "no". regression tests still pass.
ok henning@ deraadt@


# 1.557 25-Apr-2009 henning

scrub_opts must not be empty, scrub on its own does nothing.
noticed due to a question from otto@, ok regress/sbin/pfctl/ ;)


# 1.556 06-Apr-2009 henning

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.


Revision tags: OPENBSD_4_5_BASE
# 1.555 19-Feb-2009 deraadt

spacing


# 1.554 17-Oct-2008 henning

in findeol(), do not skip the pushback buffer. fixes PR 5952 by sthen@ and
should make the pushback buffer really transparent.
diagnosis by me, fix with mpf, some input deraadt, ok mpf


# 1.553 02-Oct-2008 henning

implement "set state-defaults X", where X is a list of state options as
permitted in keep state(X). applies to all rules which do not have keep state
explicitly. e. g. "set state-defaults pflow, no-sync"
ok phessler deraadt


# 1.552 10-Sep-2008 deraadt

do not try to print $$ when it has not been set


# 1.551 09-Sep-2008 henning

welcome pflow(4), a netflow v5 compatible flow export interface.
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo


# 1.550 07-Aug-2008 henning

correctly copy the log interface spec when expanding an antispoof rule that
covers loopback addresses. ok ryan
problem report from Harald Dunkel <harald.dunkel@aixigo.de>


Revision tags: OPENBSD_4_4_BASE
# 1.549 03-Jul-2008 deraadt

do not forget to initialize other member of $$ in qname; noted by mark shroyer
ok henning


# 1.548 10-Jun-2008 mcbride

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt


# 1.547 10-Jun-2008 henning

new state option "sloppy" to use the sloppy tcp state tracker instead
of the good one. ok theo ryan reyk


# 1.546 09-May-2008 deraadt

Replace a crockpot of semi-cloned productions for handling port
numbers with one, and fix a few other bugs along the way
ok mpf henning


# 1.545 09-May-2008 markus

convert port byte order in the production; add port keyword; ok deraadt@


# 1.544 09-May-2008 markus

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@


# 1.543 08-May-2008 deraadt

make "to any" optional in binat, or well, the implied default.
requested by reyk, ok reyk mpf


# 1.542 08-May-2008 deraadt

Loosen grammar to permit any number of newlines within most kinds of { }
blocks, as requested by reyk; ok reyk mpf henning


# 1.541 08-May-2008 deraadt

Bring back (in a more yacc friendly way) support for setting variables
to a sequence of strings and numbers, which get folded together into one
string (and later, when used, is re-lexed)
ok mpf


# 1.540 07-May-2008 deraadt

do not assume PF_INOUT is 0 in the enum; ok mcbride


# 1.539 07-May-2008 markus

scrub packets based on tags; ok henning


# 1.538 07-May-2008 markus

allow setting TOS with scrub; ok mcbride, claudio


# 1.537 21-Apr-2008 deraadt

optnl is a crutch for those who do not understand yacc. it
leads to a variety of errors; ok mcbride


Revision tags: OPENBSD_4_3_BASE
# 1.536 01-Feb-2008 mcbride

Enable the rest of the filter_opts to be used on anchors. These were accepted
by the parser but not passed to the kernel. This allows filtering based on
uid, gid, icmp options, tcp flags, os fingerprint, tos, tags, and probability;
It also allows the label to be set. State options and tagging are not
permitted.

ok henning mpf


# 1.535 13-Nov-2007 mpf

Bring back the number converter for 'set hostid'.
I forgot to think about hex numbers when I removed it.
OK deraadt@


# 1.534 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.533 25-Oct-2007 mpf

Fix probability rules w/ numbers (e.g. probability 0.4).
Add support for probabilities of 0% and 100%.
With and OK deraadt@


# 1.532 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.531 22-Oct-2007 deraadt

pfctl does not need file secrecy


# 1.530 16-Oct-2007 mpf

Allow unquoted numbers in variables.
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.

OK deraadt@


# 1.529 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.528 13-Oct-2007 deraadt

support an include directive; file of course must also be "secure" like
the main configuration file; ok henning


# 1.527 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.526 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.525 01-Oct-2007 mpf

Backout NUMBER to string conversion.
Requested by deraadt@


# 1.524 27-Sep-2007 mpf

Add loginterface support for groups.
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.

OK henning@, markus@


# 1.523 23-Sep-2007 mpf

Allow numbers to be used as unquoted strings again.
While there, also restrict the use of concatenated, unquoted
strings for variable assignments only.

Eyeballed by markus@, OK henning@


# 1.522 12-Sep-2007 deraadt

add a missing range check for rtable ids; ok cloder henning


# 1.521 12-Sep-2007 deraadt

Add support to the lex for parsing numbers out of the stream. handle
this in the parser. because the new numbers are int64_t, many new
range checks for < 0 are needed. re-check and improve all the
existing rangechecks while at it. thanks for help by cloder and
dhartmei


# 1.520 30-Aug-2007 dhartmei

add support for address ranges ("from 10.1.2.50 - 10.1.3.75") in from/to
criteria. ok mcbride@


Revision tags: OPENBSD_4_2_BASE
# 1.519 21-Jun-2007 henning

always initialize logif, from max laier, ok ryan


# 1.518 20-Jun-2007 mpf

Allow "log" for nat rules without "pass".
OK henning@, ``passt scho'' markus@


Revision tags: OPENBSD_4_1_BASE
# 1.517 03-Feb-2007 dhartmei

in decide_address_family(), only limit a rule to a specific address family
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@


# 1.516 07-Nov-2006 mcbride

Unbreak authpf by handling non-inline anchors separately from the { } anchors
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.

ok deraadt@


# 1.515 31-Oct-2006 mcbride

Allow pfctl ruleset optimizer to be controlled from the ruleset.

"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]

You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.

cleanup and ok henning@


# 1.514 31-Oct-2006 mcbride

- don't allow anchors with _* names to be cleared or loaded from the
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified

'looks sensible' deraadt@


# 1.513 28-Oct-2006 mcbride

Load all rules into memory before loading into the kernel, and add support
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").

anchor on fxp0 {
pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@


# 1.512 25-Oct-2006 henning

make absolutely sure logif is 0 unless set specifically, even if log is 0.
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...


# 1.511 25-Oct-2006 henning

and another nit, $$.log should be set to 0 explicitly on quick without log


# 1.510 25-Oct-2006 henning

urgs, $$.quick needs to be set to 0 explicitly on log (without quick)


# 1.509 25-Oct-2006 henning

allow the log interface to be selected like
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride


# 1.508 17-Oct-2006 mcbride

Don't automatically set 'flags S/SA' on stateless rules.

pointed out by david@

ok mpf@ dhartmei@


# 1.507 11-Oct-2006 deraadt

quotes around filename, pr 5253, sthen@zephyr.spacehopper.org


# 1.506 11-Oct-2006 mcbride

Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside
the anchor, terminate ruleset evaluation when stepping out of the anchor.

This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.

ok dhartmei@ henning@ deraadt@


# 1.505 06-Oct-2006 mcbride

Oops, flags S/SA doesn't work on fragments.


# 1.504 06-Oct-2006 mcbride

Make 'flags S/SA keep state' the implicit for filter rules, based on
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.

IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.

Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.

ok dhartmei@ deraadt@ henning@


Revision tags: OPENBSD_4_0_BASE
# 1.503 22-Aug-2006 dhartmei

back out -r1.497 (support for "tagged {}" lists), it broke "tagged" support
for nat rules. sorry, existing functionality trumps syntactic sugar. feel
free to resubmit a complete patch. closes PR 5207.


# 1.502 06-Jul-2006 henning

add "rtable" to select alternate routing tables.
with & ok claudio hshoexer


# 1.501 17-Jun-2006 henning

KNF


# 1.500 28-May-2006 mcbride

Make per-rule adaptive timeouts behave the same way as the global adaptive
timeouts.


# 1.499 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.498 02-May-2006 dhartmei

fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, create
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.


# 1.497 01-May-2006 dhartmei

add support for "tagged {}" lists, from Pierre-Yves Ritschard


# 1.496 06-Apr-2006 henning

allow lists inside lists for address specs, has been in my tree for
quite some time... theo likes


# 1.495 14-Mar-2006 djm

implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@


Revision tags: OPENBSD_3_9_BASE
# 1.494 17-Nov-2005 dhartmei

for pfctl -f rules, open the file before resetting options. when opening
the file fails, produce only the error message and leave options
unchanged. reported by Tamas TEVESZ, ok deraadt@


# 1.493 13-Oct-2005 henning

unused parameters


Revision tags: OPENBSD_3_8_BASE
# 1.492 14-Jun-2005 henning

no need to restrict tagging to stateful rules any more, dhartmei ok
From: "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.491 27-May-2005 dhartmei

get rid of 'log-all'. now that we have 'log (options)', make 'all' an
option to log. so, 'log-all' becomes 'log (all)'.


# 1.490 27-May-2005 dhartmei

get rid of shift/reduce conflicts, don't support empty logopts


# 1.489 27-May-2005 dhartmei

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v is used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.


# 1.488 27-May-2005 dhartmei

allow 'tagged' in 'anchor' rules (without complaining about missing
'keep state'), as a condition to branch into the anchor. suggested
by Bill Marquette.


# 1.487 26-May-2005 camield

The illegalness of "no nat log" is already enforced by the grammar.

ok dhartmei


# 1.486 26-May-2005 dhartmei

support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@


# 1.485 23-May-2005 camield

remove code that duplicates getservice()

ok dhartmei mcbride


# 1.484 21-May-2005 henning

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo


# 1.483 22-Apr-2005 camield

Catch bad flags, ie. flags that always evaluate to false. This happens
if there are flags on the left-hand side that are masked off by the
right-hand side.

ok mcbride@ (long time ago) dhartmei@ henning@


Revision tags: OPENBSD_3_7_BASE
# 1.482 07-Mar-2005 henning

print unsigned long with %lu, not with %d and not with %ld.
From: Andrey Matveev <andrushock@korovino.net>


# 1.481 06-Mar-2005 henning

allow commas in the hfsc service curve spec, inconsistency pointed out in
PR4134 / geoff@collyer.net and a longer mail exchange with han boetes


# 1.480 06-Mar-2005 dhartmei

print "set skip on" with -v in such a way that the output is valid input
syntax, instead of the cryptic hex flags output.


# 1.479 27-Feb-2005 dhartmei

support 'tagged' in translation rules, non-delayed tag lookup
ok henning@, deraadt@


# 1.478 26-Feb-2005 henning

you sure get the impression the number of memory leaks in error paths
is infinite... Andrey Matveev <andrushock@korovino.net> spotted a few again!


# 1.477 07-Feb-2005 david

KNF; ok henning@


# 1.476 28-Jan-2005 dhartmei

add messages for syntax errors that caused silent failure before.
found by Peter Fraser, ok henning@


# 1.475 27-Jan-2005 dhartmei

dynamic interface names must start with a letter. catches the nonsensical
"(10.1.2.3)" that results from a simple typo like "$(ext_ip)" instead of
"$(ext_if)".


# 1.474 05-Jan-2005 mcbride

Modify pfctl behaviour so that 'set ...' options are no longer "sticky", ie.
they are reset to default values if omitted from a subsequent ruleset load.
Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set
without resetting the others, eg:
# echo "set loginterface fxp0" | pfctl -mf -

ok henning@ dhartmei@


# 1.473 29-Dec-2004 mcbride

Print 'set fingerprints' correctly when parsing verbosely.


# 1.472 23-Dec-2004 dhartmei

set rule_flag PFRULE_SRCTRACK when setting srctrack, found by camield@
using regress test pf84


# 1.471 22-Dec-2004 dhartmei

Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@


# 1.470 15-Dec-2004 henning

missing free()s; with pat


# 1.469 10-Dec-2004 henning

allow pf to filter on route labels
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan


# 1.468 08-Dec-2004 mcbride

Add "'overload' requires 'max-src-conn' or 'max-src-conn-rate'" sanity check,
fix some cut-n-paste mayhem in other related checks.


# 1.467 07-Dec-2004 dhartmei

re-commit mcbride@'s 'flush global', this time without the breakage in
pfvar.h. builds kernel and userland.


# 1.466 07-Dec-2004 deraadt

real backout


# 1.465 07-Dec-2004 deraadt

oops, incomplete backout


# 1.464 07-Dec-2004 deraadt

tree does not compile, spotted by dlg (not obvious how to fix)
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.463 07-Dec-2004 mcbride

Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.462 05-Dec-2004 dhartmei

initialize $$->tail and $$->next for MAXSRCCONNRATE


# 1.461 04-Dec-2004 mcbride

Userland support for limiting open tcp connections per source. eg:

keep state (max-src-conn 1000, max-src-conn-rate 100/10, overflow <bad> flush)

allow a maximum of 1000 open connections or 100 new connections in 10 seconds.
The addresses of offenders are added to the <bad> table which can be used in
the ruleset, and existing states from that host are flushed.

ok deraadt@ dhartmei@


# 1.460 21-Sep-2004 aaron

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok


Revision tags: OPENBSD_3_6_BASE
# 1.459 29-Jun-2004 henning

remove cedric's bogus interface name verification code.
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nicely enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being bugged about it regularly.
help & ok mcbride@


# 1.458 29-Jun-2004 frantzen

convert a few memcpy()s to strlcpy() so we don't copy uninitialized junk into
an interface name's slack space past the \0. will be needed for the optimizer.
ok henning@


# 1.457 26-Jun-2004 david

add back PF_INOUT, fixes reassemble tcp
ok canacar@ mcbride@


# 1.456 25-Jun-2004 deraadt

repair tree nanobreak by the nanobum


# 1.455 10-Jun-2004 dhartmei

rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
keyword in C++. ok henning@, cedric@


# 1.454 21-May-2004 dhartmei

Use '/' instead of ':' as separator for anchor path components. Note that
the parser now needs quotes around paths containing separators.
ok mcbride@


# 1.453 19-May-2004 dhartmei

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@


# 1.452 24-Apr-2004 cedric

Add "probability xxx" rule modifier. ok deraadt@


# 1.451 22-Apr-2004 henning

typo, From: Jared Yanovich <jjy2+@pitt.edu>


# 1.450 14-Apr-2004 cedric

make antispoof work with dynamic addresses. ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_5_BASE
# 1.449 20-Mar-2004 david

spelling fix; ok dhartmei@ henning@ deraadt@


# 1.448 14-Mar-2004 dhartmei

#include fixes, from Max Laier, ok beck@ henning@


# 1.447 08-Mar-2004 henning

plug 124 memory leaks
ok mcbride@ pb@ dhartmei@


# 1.446 06-Mar-2004 henning

from bgpd:
plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. err(1, "yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.445 01-Mar-2004 dhartmei

support "tagged <name>" on anchor rules, suggested by vd@vmunix.lt,
ok henning@, cedric@


# 1.444 24-Feb-2004 mcbride

'max-src-nodes' requires 'source-track rule'. Set that automatically,
unless 'source-track global' is explicit, in which case error out. Lots of
help from cedric@.

ok cedric@ henning@


# 1.443 24-Feb-2004 cedric

fixup.


# 1.442 24-Feb-2004 mcbride

Check for 'source-track rule' with 'max-src-nodes'.

ok cedric@ henning@


# 1.441 11-Feb-2004 cedric

Fix interface clobbering for link-local addresses. Found by Pyun YongHyeon.
Fix "antispoof for foo" when foo has no addresses.
ok+help dhartmei@, ok mcbride@


# 1.440 10-Feb-2004 henning

KNF


# 1.439 10-Feb-2004 henning

fix at least the worst of Cedric "KNF is for everybody but me" Berger's fuckup


# 1.438 04-Feb-2004 mcbride

Handle rules like 'pass ... proto { tcp udp icmp } ... modulate state'

ok dhartmei@ henning@


# 1.437 03-Feb-2004 henning

fix PR 3664 / jared r r spiegel
we need to save the unexpanded tag/tagged strings before entering the
expansion loop, and at each loop, start with the unexpanded tag, so that
on subsequent loops the macros are replaced with current values and the
values from the previous loop do not persist
ryan theo ok
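As an added illustration (not pfctl's code), a small Python model of the expansion loop described above: the tag expanded in place beside the corrected version that restarts from the saved unexpanded string on every pass. The macro names follow the label macros ($if, $srcaddr, $dstaddr); the rule dictionary and the function names are assumptions made for this example.

```python
"""Added example (not pfctl code): why the tag string must be re-expanded
from its unexpanded form on every pass of the rule expansion loop."""
import re

# the label macros that may appear inside tag/tagged strings
MACRO = re.compile(r"\$(if|srcaddr|dstaddr)")


def expand_label(template, values):
    """Replace $if, $srcaddr and $dstaddr in template with the given values."""
    return MACRO.sub(lambda m: values[m.group(1)], template)


def macro_values(rule, ifname):
    """Assumed rule layout: a dict with 'tag', 'src' and 'dst' members."""
    return {"if": ifname, "srcaddr": rule["src"], "dstaddr": rule["dst"]}


def expand_rule_buggy(rule, interfaces):
    """Old behaviour: the tag inside the rule is expanded in place, so after
    the first pass the macro is gone and every later pass keeps the value
    computed for the first interface."""
    expanded = []
    for ifname in interfaces:
        rule["tag"] = expand_label(rule["tag"], macro_values(rule, ifname))
        expanded.append((ifname, rule["tag"]))
    return expanded


def expand_rule_fixed(rule, interfaces):
    """Fixed behaviour: keep the unexpanded tag and start every pass from it,
    so each expanded rule carries the value for its own interface."""
    tag_unexpanded = rule["tag"]
    expanded = []
    for ifname in interfaces:
        tag = expand_label(tag_unexpanded, macro_values(rule, ifname))
        expanded.append((ifname, tag))
    return expanded


if __name__ == "__main__":
    # constructed sample rule: 'pass in on { fxp0 wi0 } ... tag from-$if'
    rule = {"tag": "from-$if", "src": "10.0.0.1", "dst": "any"}
    print(expand_rule_buggy(dict(rule), ["fxp0", "wi0"]))
    print(expand_rule_fixed(dict(rule), ["fxp0", "wi0"]))
```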


# 1.436 05-Jan-2004 henning

few off by ones in strlcpy overflow check; Patrick Latifi


# 1.435 04-Jan-2004 cedric

don't ignore "!" on "binat on !foo". ok mcbride@


# 1.434 31-Dec-2003 deraadt

spacing. note this, cedric


# 1.433 31-Dec-2003 cedric

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to a group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@


# 1.432 30-Dec-2003 henning

fix TAILQ abuse.
TAILQ_REMOVE is a no-no within a TAILQ_FOREACH loop.
also free the symbol itself after removal.
all found while hacking bgpd which incorporates pfctl's sym code (macros).

ok cedric@


# 1.431 19-Dec-2003 henning

i wrote much of these, assert my copyright


# 1.430 19-Dec-2003 deraadt

assert copyright. i rewrite much of this


# 1.429 16-Dec-2003 mcbride

Check that max-src-states and max-src-nodes are not being set to 0.


# 1.428 15-Dec-2003 henning

KNF here too


# 1.427 15-Dec-2003 mcbride

Whitespace.


# 1.426 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network, i.e., a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


# 1.425 15-Dec-2003 mcbride

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@


# 1.424 29-Nov-2003 dhartmei

allow ':' (range including boundaries) to be used wherever '><' (range
excluding boundaries) is legal. already supported by kernel, requires only
removal of three error messages. ok henning@


# 1.423 22-Nov-2003 henning

daniel stumbled over a broken regress test, and it turned out that I forgot
to commit a diff from 11/6...
do not insert the "block in on ! interface" rule for antispoof statements when
the interface in question does not have any IP address, because that then
expands to
block in on ! interface all
which is obviously bad.
niklas@ found it, dhartmei@ ok, and I think some more ppl ok I don't remember


# 1.422 14-Nov-2003 henning

allow the debuglevel to be set from pf.conf (set debug)

ok cedric@


# 1.421 08-Nov-2003 mcbride

Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.

pass in proto tcp to self flags S/SA keep state (no-sync)

ok cedric@ henning@ dhartmei@


# 1.420 06-Nov-2003 henning

and fix two err() that should be errx() while being here


# 1.419 06-Nov-2003 henning

need calloc here


# 1.418 06-Nov-2003 henning

allow the label macros to be used in tags as well.
the idea is not mine and I'd love to give credit, but I cannot find the mail
any more :-((

ok canacar@ dhartmei@


# 1.417 21-Oct-2003 itojun

don't use NULL as (int)0. henning ok


# 1.416 26-Sep-2003 cedric

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:

- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK

Ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_4_BASE
# 1.415 01-Sep-2003 henning

KNF


# 1.414 28-Aug-2003 kjell

This change is busted. what's worse, REGRESSION TESTS WOULD HAVE CAUGHT IT!
You MUST test network stack changes on BOTH BYTE-ORDERS.
Someone can fix this later, but right now I need to get the damn
firewall up. Grr.


# 1.413 26-Aug-2003 dhartmei

catch port/user/group a <>/>< b with a >= b, from mpech@


# 1.412 25-Aug-2003 dhartmei

catch return-rst ttl values > 255, from aaron@


# 1.411 24-Aug-2003 cedric

Tweaks:
- Make sure we allow only tables in round-robin pools for routing options,
same as what we do for translation rules.
- Don't reject rules like: "nat on sis0 -> <foo>" because
"no address family is given". This is perfectly valid.
ok henning@


# 1.410 22-Aug-2003 david

pf spelling police
ok dhartmei@ jmc@


# 1.409 21-Aug-2003 frantzen

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001


# 1.408 20-Aug-2003 henning

braindeadness police: catch queues which specify itself as child... 'nuff said


# 1.407 20-Aug-2003 henning

err out nicer on errors in queue def


# 1.406 18-Aug-2003 dhartmei

catch max-mss values > 65535, report by Gregory Steuck


# 1.405 09-Aug-2003 cedric

This patch removes the restriction that tables cannot be used in routing or
redirection rules...

The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.

This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.

Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"

ok henning@ mcbride@
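As an added example (not pfctl's code), a small Python model of the table semantics described above: CIDR blocks are expanded, negated entries remove addresses, and a pool cycles round-robin over what remains. It assumes longest-prefix matching between overlapping entries, which is how pf's radix tables resolve them; the function and class names are this example's own, and table references such as <bar> are not handled.

```python
"""Added example (not pfctl code): model how a table used in a
redirection/routing pool expands to addresses, then round-robin over them."""
from ipaddress import ip_network


def parse_table(spec):
    """Parse a table initialiser such as "{ 10.0.0.0/29 !10.0.0.0 !10.0.0.7 }"
    into a list of (network, negated) pairs. An entry without a prefix length
    becomes a host entry (/32 or /128). Table references like <bar> are not
    understood by this simplified parser."""
    entries = []
    for tok in spec.strip().lstrip("{").rstrip("}").split():
        negated = tok.startswith("!")
        entries.append((ip_network(tok.lstrip("!"), strict=False), negated))
    return entries


def expand_table(spec):
    """Return, in declaration order, the addresses the pool cycles through.

    Assumed semantics (longest-prefix match, as pf's radix tables do): an
    address is in the table when the most specific entry covering it is
    not negated, regardless of the order the entries were written in."""
    entries = parse_table(spec)
    addrs, seen = [], set()
    for net, negated in entries:
        if negated:
            continue  # negated entries only remove addresses, never add
        for addr in net:
            if addr in seen:
                continue
            # the most specific entry covering this address decides
            best = max((e for e in entries if addr in e[0]),
                       key=lambda e: e[0].prefixlen)
            if not best[1]:
                seen.add(addr)
                addrs.append(str(addr))
    return addrs


class RoundRobinPool:
    """Hand out the expanded addresses in turn, like a round-robin pool."""

    def __init__(self, spec):
        self.addrs = expand_table(spec)
        if not self.addrs:
            raise ValueError("table %r yields no addresses" % spec)
        self._idx = 0

    def next_address(self):
        addr = self.addrs[self._idx]
        self._idx = (self._idx + 1) % len(self.addrs)
        return addr


if __name__ == "__main__":
    # constructed sample: the six-address case from the commit message
    pool = RoundRobinPool("{ 10.0.0.0/29 !10.0.0.0 !10.0.0.7 }")
    print(pool.addrs)
    print([pool.next_address() for _ in range(8)])
```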


# 1.404 29-Jul-2003 deraadt

indent


# 1.403 19-Jul-2003 cedric

Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
instead of indirectly through struct pf_rule_addr.

Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.

Needless to say: KERNEL/USERLAND SYNC REQUIRED.

ok henning@ mcbride@


# 1.402 18-Jul-2003 cedric

Simplify handling of flags (-R, -N...). Remove PFCTL_FLAG_ALL.
ok dhartmei@


# 1.401 15-Jul-2003 cedric

Repair memory management in table parsing code.
I need vacations.
Found and verified by Pyun YongHyeon.
ok dhartmei@


# 1.400 14-Jul-2003 dhartmei

tpo


# 1.399 11-Jul-2003 cedric

Better parsing and -v support for tables:

- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and make table definitions consistent with other
parsed rules.

ok dhartmei@


# 1.398 10-Jul-2003 cedric

Fix merging of host lists.
ok dhartmei@ henning@


# 1.397 04-Jul-2003 henning

KNF after cedric (grmpf)


# 1.396 04-Jul-2003 henning

allow for a "pass" modifier on translation rules:
nat pass on $ext_if from $a to $b -> $ext_if
when the pass modifier is given, the filter ruleset is _not_ evaluated but
the packets matching this translation rule are passed unconditionally.

ok dhartmei@ cedric@ markus@


# 1.395 03-Jul-2003 cedric

Bye bye atexit(), bye bye globals...
The pfctl.c part will probably need some further improvements.
ok henning@


# 1.394 03-Jul-2003 cedric

This patch finally cleans up pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@


# 1.393 19-Jun-2003 deraadt

knf


# 1.392 18-Jun-2003 henning

change expand_label_addr() to use a switch (h->addr.type) instead of
if .. else if .. else, and handle PF_ADDR_NOROUTE as well.
inspired by a comment from cedric.


# 1.391 18-Jun-2003 henning

when expanding the $srcaddr/$dstaddr label macros and the address is actually
a table reference, don't print nonsense but the table name.
found by claudio jeker, fix by me, agreement by cedric


# 1.390 09-Jun-2003 mcbride

Attempt to resolve byte order confusion in nat code once and for all.

- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()

NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.


# 1.389 25-May-2003 henning

must not run check_netmask() before remove_invalid_hosts() - binat case had it
wrong for the redirection target.
reported by jared r r spiegel <jrrs@ice-nine.org>


# 1.388 19-May-2003 henning

reject invalid netmasks like 10.0.0.0/68, and fix up the netmask for
dynaddr rules after we know the address family

ok dhartmei@, inspired by a session with bob


# 1.387 19-May-2003 henning

all host() receivers have to test for NULL


# 1.386 19-May-2003 henning

if host() returns NULL, it is an error, so err the fuck out and don't
load bullshit


# 1.385 17-May-2003 henning

support inverse matching on tags like
block in ! tagged sometag

ok dhartmei@ pb@


# 1.384 16-May-2003 dhartmei

TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive
endpoint, preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@


# 1.383 15-May-2003 henning

properly complain about too long tags


# 1.382 14-May-2003 frantzen

add scrub modifier "reassemble tcp" to turn on stateful TCP normalizations
ok henning@ dhartmei@


# 1.381 14-May-2003 henning

tagging on binat


# 1.380 14-May-2003 henning

enabled tagging on rdr rules


# 1.379 14-May-2003 henning

with tag/tagged given, only whine about missing keep state on pass rules


# 1.378 14-May-2003 frantzen

allow SCRUB rules to specify protocol again. broken sometime in the past.
okie dhartmei@, yay pb@


# 1.377 14-May-2003 henning

tags on nat rules:
nat on $ext_if all tag humppa -> $ext_if
pass out tagged hummpa keep state


# 1.376 13-May-2003 henning

make sure tagging is only ever used with stateful filter rules


# 1.375 13-May-2003 henning

userland part for tagging.
it's now possible to tag packets with an arbitrary tag and filter based on
that tag later on other interfaces:
pass in quick on fxp0 keep state tag blah
pass out quick on wi0 keep state with tag blah
can be used to express trust between interfaces, to distinguish between
NATed connections and connections originating from the firewall itself
and much more

ok dhartmei@ frantzen@ pb@ mcbride@


# 1.374 11-May-2003 mcbride

Don't ntohs() the translation port for nat as it is already in host byte order.
Makes nat ... -> $ext_if port 500 rules work correctly again.

ok henning@ dhartmei@ frantzen@


# 1.373 10-May-2003 henning

support loading of anchors from within the main ruleset via
load anchor anchorname:rulesetname file /path/to/file

ok pb@ dhartmei@ cedric@


# 1.372 03-May-2003 henning

don't free() the char * carrying the rule label too early
noticed by Mathieu Sauve-Frankel <m.sauve at secureops.net> via silc


# 1.371 01-May-2003 henning

ease label handling

ok cedric@


# 1.370 01-May-2003 henning

allow label on antispoof; requested by Gregor Binder <gbinder at sysfive.com>

ok cedric@


# 1.369 30-Apr-2003 cedric

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@


# 1.368 25-Apr-2003 dhartmei

Properly copy the second part of nat proxy port range, when specified.
ok henning@


# 1.367 15-Apr-2003 henning

pass down the unparsed queue opts (struct node_queue_opt) to
print_altq/print_hfsc -> print_hfsc_opts and extract struct node_hfsc_sc
there for each service curve and pass those down to print_hfsc_sc. now
bandwidth specifications in the service curves are printed correctly in the
case of a queue belonging to more than one interface/parent queue, the
parent queues having different bandwidths and the bandwidth on the service
curve being specified in percent.


# 1.366 14-Apr-2003 henning

let print_altq and print_queue take a struct node_queue_bw parameter instead
of distinct bw_percent


# 1.365 13-Apr-2003 henning

KNF


# 1.364 13-Apr-2003 henning

prevent double service curve specification


# 1.363 13-Apr-2003 henning

add support for the HFSC linkshare, realtime, and upperlimit service curves
to be specified.


# 1.362 13-Apr-2003 dhartmei

unbreak (missing })


# 1.361 13-Apr-2003 henning

say bye bye to hfscflags_list and hfscflags_item
welcome hfscopts_list and hfscopts_item, returning a full struct
node_hfsc_opt instead of just an int for the flags. needed because of all
the opts hfsc knows


# 1.360 13-Apr-2003 henning

new struct node_hfsc_opts for, surprise, hfsc options. needed because they
contain bandwidth specifications and we need to carry the unprocessed bw
specs around for quite some time until we can break them down to absolute
values.


# 1.359 13-Apr-2003 henning

pass down the struct node_queue_opts from the altqif/queuespec yacc targets
to expand_altq/expand_queue -> eval_pfaltq/eval_pfqueue and
further down to the new eval_queue_opts() instead of evaluating them directly
in the yacc grammar.
this will be needed to process the hfsc options which can contain relative
bandwidth specifications, and we can't break them down to an absolute one
earlier.


# 1.358 13-Apr-2003 henning

move the structs node_queue_bw and node_queue_opt to pfctl_parser.h.
let eval_pfqueue() and eval_pfaltq() take a pointer to a struct
node_queue_bw instead of two distinct bw_absolute and bw_percent parameters.


# 1.357 13-Apr-2003 henning

move the bandwidth keyword from within the bandwidth target up to the
queue_opts target so the bandwidth parser can be used for other things too;
will be needed for hfsc's linkshare etc


# 1.356 12-Apr-2003 henning

initial support for the HFSC scheduler.
whoever uses that for more than toying around is on drugs. it's far from done.


# 1.355 11-Apr-2003 henning

KNF


# 1.354 11-Apr-2003 henning

don't set r->qid and r->pqid in expand_rule any more, queue name -> queue ID
mapping is done in kernel land now


# 1.353 07-Apr-2003 dhartmei

Catch and refuse invalid icmp codes (> 255). ok pb@, mpech@.


# 1.352 05-Apr-2003 henning

ease netmask handling a bit

input theo, ok dhartmei@


# 1.351 05-Apr-2003 henning

allow queue specs to be limited to certain interfaces.

altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two }
queue one priority 1 priq(default)
queue two on $if0 priority 15
queue two on ! $if0 priority 0

ok dhartmei@


# 1.350 05-Apr-2003 henning

whitespace KNF


# 1.349 04-Apr-2003 henning

clean up:
instead of letting the lexer interpret '<' '>' '=' '>=' '<=' and return them
as PF_OP_LT, PF_OP_GT etc etc etc in PORTUNARY, just let the lexer return
'<' '>' and '=' literally, and in the few cases where the old PORTUNARY was
really used like originally intended, replace that by a new unaryop yacc
target. in all other cases that gets rid of quite some checks whether PORTUNARY
is really < and nothing else etc etc etc.

ok cedric@ deraadt@


# 1.348 27-Mar-2003 henning

lotsa const char *
from David Hill <david at phobia.ms> a while ago


# 1.347 27-Mar-2003 henning

introduce a "yesno" target. eases code a bit and yes is no keyword any more.


# 1.346 27-Mar-2003 henning

handle invalid priq/cbq flags better and give a nice error message


# 1.345 27-Mar-2003 henning

default, borrow, ecn, red and rio are no keywords any more. use STRING and
strcmp instead.


# 1.344 27-Mar-2003 henning

switch symset/symget to TAILQ instead of using hand baked lists

ok dhartmei@ cedric@


Revision tags: OPENBSD_3_3_BASE
# 1.343 19-Mar-2003 henning

branches: 1.343.2;
kill the address token and move the host() invocation up to the host token,
so that host() always gets the full address to be parsed including the
netmask instead of applying the netmask afterwards. this could break some
edge cases and was broken since the (interface)/24 fix.
new token dynaddr for, well, dynaddr, and apply an eventually given netmask
afterwards in the host token just in this case.

found after bug report From: Julien Bordet <zejames@greyhats.org> via dhartmei

ok daniel cedric


# 1.342 10-Mar-2003 henning

correctly cope with errors returned by eval_pfqueue and pfctl_add_altq

ok dhartmei@ pb@ (as part of... you know, monsterdiff)


# 1.341 10-Mar-2003 henning

when complaining about a queue without parent, include the queue name in
the error message

ok dhartmei@ pb@ (as part of a monsterdiff)


# 1.340 09-Mar-2003 henning

cope with LOOP_THROUGH modifying the list (queues).
in case of an error in the queue def in question the queues list remains
unmodified, but the LOOP_THROUGH caused a mod anyway, and the list can stay
empty. subsequent checks for NULL which check for an empty list fail then.
fix by adding an explicit check before looping.
fixes regress pfail31
error report by Kamil Andrusz via pb@, testcase from pb@
ok dhartmei@


# 1.339 09-Mar-2003 henning

cope with the fact that LOOP_THROUGH loops once even if the list is empty by
moving the addition of child queues a bit down after the successful
addition of the current queue and an explicit NULL check before looping.
fixes regress pf59
found by kjc@
ok kjc@ cedric@ dhartmei@


# 1.338 08-Mar-2003 henning

fix the obvious:
since we do not modify the struct pf_altq *a any more but our private copy,
we can of course not inherit the scheduler type from it, since it did not
inherit the scheduler type from the parent.
so just inherit the scheduler type from the parent directly...

ok dhartmei@ cedric@


# 1.337 08-Mar-2003 henning

in expand_queue, make a private copy of the struct pf_altq before modifying
it. modifying the original one had undesired side effects if a queue was
expanded to more than one because it belonged to more than one interface

ok pb@ cedric@ dhartmei@


# 1.336 06-Mar-2003 henning

fix queue assignment on filter rules which are not bound to an interface.
when looking up the queue IDs using qname_to_qid, we do not need to limit
the matching on the interface in question, as it is guaranteed that same
named queues on different interfaces have the same queue id. moreover, we
must not limit the matches to the interface if we do not have an interface
given on the filter rule to match on ;-)

found after problems reported by Andre Nathan <andre at v2r dot com dot br>

ok dhartmei@ pb@ cedric@


# 1.335 02-Mar-2003 henning

when printing queues at load time that have bandwidth specified in percent,
print the bandwidth in percent instead of the calculated absolute value.
if a queue belongs to more than one interface and they have different
bandwidth the calculated absolute is of course different per interface.
previously the first calculated absolute value was shown; what of course is
incorrect on the second interface. note that only the print was wrong, the
correct values were passed to the kernel.

ok theo daniel


# 1.334 02-Mar-2003 henning

remove the control keyword for cbq queues.
the control class was a legacy of the original CBQ design by LBL/Sun
to support RSVP.
the control class is not used in openbsd, in the sense that
we don't automatically set filters for ICMP/IGMP/RSVP for the control
class.

ok dhartmei@ kjc@ deraadt@


# 1.333 27-Feb-2003 david

modify error message to match the same 7 sections in pf.conf(5)
ok deraadt@ henning@


# 1.332 26-Feb-2003 henning

in expand_rule, correctly set r->pqid if a priority queue was defined, and
reuse the value of r->qid if not.

ok dhartmei@ mcbride@


# 1.331 25-Feb-2003 henning

some minor KNF my fingers just did...

ok dhartmei@ cedric@


# 1.330 25-Feb-2003 cedric

repair/simplify/flexify binat userland.
ok dhartmei@ henning@


# 1.329 24-Feb-2003 henning

when a macro is redefined, don't bother with reusing the existing entry in
symset() but just prepend a new sym entry to symhead like we always did. as
symget searches the list sequentially, the newest one is picked first.
prevents an endless loop introduced when trying to reuse the existing entry
by an invalid setting for the next pointer.
fixes regress test pf57.

found after conversation with Chris Linn, celinn at mtu dot edu

ok dhartmei@ cedric@


# 1.328 21-Feb-2003 henning

re-allow set loginterface none
ok cedric@ dhartmei@


# 1.327 21-Feb-2003 henning

better error message if set loginterface is called with nonexistent
interface, found by krause (who is doing EXCELLENT work. Thank you very
much!), fix by me, ok dhartmei@ and cedric@


# 1.326 20-Feb-2003 henning

reject nonexistent interfaces in the dynaddr case, noticed during discussion
with jasondixon at myrealbox dot com

ok dhartmei@


# 1.325 19-Feb-2003 dhartmei

Make 'from (kue0)/24' work again (dynamic interface name translation with
a /prefix), reported by Jason Dixon. ok henning@


# 1.324 19-Feb-2003 henning

better error message on icmp version / address family mismatch

ok markus@


# 1.323 18-Feb-2003 henning

fix load option handling (-A, -N, -R) for options.
due to a bug in the loadopt check options were always loaded no matter which
loadopts were specified.
while being there, move the prints for that to where they belong, into the
appropriate pfctl_set_* functions, and thus only print when the options are
actually loaded.
fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier.

ok dhartmei@


# 1.322 17-Feb-2003 henning

"optarg" was a bad pick for the variable name in pfctl_cmdline_symset, it
shadows a global. rename.


# 1.321 17-Feb-2003 mpech

-#include <sys/ioctl.h>

mcbride@, dhartmei@ ok


# 1.320 16-Feb-2003 henning

unneeded {}


# 1.319 16-Feb-2003 henning

throw a syntax error if the portunary operator in varset is no '='
extif>"whatever"
should not be the same as
extif="whatever"
but a syntax error.


# 1.318 14-Feb-2003 dhartmei

Allow route-to loopback interfaces again, since Ryan fixed the loops that
might have occurred before.


# 1.317 14-Feb-2003 cedric

Better and more consistent error message.
Ok dhartmei@


# 1.316 13-Feb-2003 henning

ease the yacc a bit by using a "not" rule instead of having two rules w/ and
without '!' everywhere

ok dhartmei@


# 1.315 12-Feb-2003 henning

KNF after ryan


# 1.314 12-Feb-2003 mcbride

Simplify the code and make the parser handle the different rule types
more consistently.

- Merge expand_nat and expand_rdr into expand_rule
- Merge rdrrule token into natrule

ok concept henning@
ok dhartmei@


# 1.313 11-Feb-2003 henning

allow macro definition on the command line:
pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea
theo), very handy if your notebook has another NIC at some conference, as
well as for debugging etc.
idea rezine@mistrusted.net via pb@
hacked live at FOSDEM

ok pb@ dhartmei@ cedric@


# 1.312 09-Feb-2003 henning

more live code from FOSDEM:
make
pass in proto tcp to port 80
work.
-allow to omit the "any" if you're specifying a port
-allow to omit the from or to part if you want "any" for the other

ok dhartmei@ pb@


# 1.311 09-Feb-2003 henning

KNF


# 1.310 09-Feb-2003 camield

Fix a few warnings and remove unnecessary check and cast.

ok dhartmei henning


# 1.309 08-Feb-2003 dhartmei

Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@


# 1.308 05-Feb-2003 cedric

Fix "pass out dup-to (tun0 1.1.1.1) inet6 all" error message
Allow "pass out dup-to tun0 all"
ok mcbride@ henning@


# 1.307 05-Feb-2003 mcbride

Set the network mask to all 1's if no address is specified for a
route-to/dup-to/reply-to rule. Keeps round-robin from incrementing through
the entire address space.

ok dhartmei@


# 1.306 03-Feb-2003 deraadt

pretty


# 1.305 03-Feb-2003 dhartmei

Don't allow loopback interfaces as route/reply/dup-to targets. ok henning@


# 1.304 03-Feb-2003 cedric

remove loadopt global definition and cleanup a bit.
ok henning@


# 1.303 03-Feb-2003 henning

fix a problem with queue definitions when load options (like -N etc) are
given; they used to check for their parent interface/queue even in this
case.

ok dhartmei@ cedric@


# 1.302 02-Feb-2003 henning

there is no need to pass opts to parse_rules explicitely; it's passed as
part of the struct pfctl.


# 1.301 27-Jan-2003 deraadt

KNF


# 1.300 25-Jan-2003 mcbride

Match changes for rdr port ranges made to pf.c:
- fixes behaviour of rdr on le0 from foo to bar port 1:20 -> (lo0) port 22
- makes calculated mapping more explicit for the -> (lo0) port 22:* case

testing from dhartmei@

ok dhartmei@


# 1.299 25-Jan-2003 cedric

Fix NOACTION with table statements.


# 1.298 25-Jan-2003 cedric

Permit initialisation of a table content from a file in pf.conf.
Cleaning up of the table options parsing, more flexible.
idea+cleanup deraadt@, ok dhartmei@, pass all regress tests.


# 1.297 25-Jan-2003 cedric

Correctly check illegal constructs with tables. Better error messages.
ok dhartmei@ pass all regress tests.


# 1.296 25-Jan-2003 henning

if a table name is too long, it's actually nice to tell so instead of just
aborting with a syntax error


# 1.295 20-Jan-2003 camield

Remove unused argument from print_name() and fix two other nits
found by lint.

ok henning


# 1.294 19-Jan-2003 camield

Spin off label string expansion into a separate function. Clarifies
and tightens all expand_label functions.

ok dhartmei henning


# 1.293 18-Jan-2003 henning

KNF after ryan...


# 1.292 18-Jan-2003 mcbride

Add missing token string and assignment to make static-port work for real.

Diff and report courtesy of mpech@ and form@

ok dhartmei@


# 1.291 17-Jan-2003 camield

bandwith -> bandwidth

YYERROR on failed parseicmpspec()

ok dhartmei mcbride henning


# 1.290 15-Jan-2003 mpech

Typo in yyerror().

henning@


# 1.289 14-Jan-2003 henning

unified IP parser:
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h]
-extend host() to handle /mask itself, plus minor adjustments
-use that in pfctl_table.c instead of coding the same shit again

discussed w/ cedric@
ok cedric@ dhartmei@


# 1.288 13-Jan-2003 camield

err() on all memory allocation failures

ok henning dhartmei


# 1.287 11-Jan-2003 mcbride

Whitespace KNF


# 1.286 09-Jan-2003 henning

no need for explicit numbering in enums

ok dhartmei@


# 1.285 09-Jan-2003 dhartmei

Check return values on the remaining strlcpy/strlcat. ok henning@


# 1.284 09-Jan-2003 henning

minor KNF


# 1.283 09-Jan-2003 cedric

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@


# 1.282 08-Jan-2003 deraadt

check more strlcpy; camield@


# 1.281 07-Jan-2003 dhartmei

Allow underscore at the beginning of strings, fixes
pass all user _spamd
which was refused as syntax error before. Reported by Joe Nall.
ok henning@


# 1.280 07-Jan-2003 dhartmei

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@


# 1.279 06-Jan-2003 mcbride

Fix some oversights with address pools for route-to/dup-to/reply-to
- copy key for src-hash
- copy pool type (pools were being set to round-robin in all cases)

+ some minor knf.

ok dhartmei@


# 1.278 05-Jan-2003 henning

err after calloc failure, not errx


# 1.277 05-Jan-2003 dhartmei

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@


# 1.276 04-Jan-2003 dhartmei

move noroute from flag in pf_rule_addr into type in pf_addr_wrap.
ok henning@, mcbride@


# 1.275 04-Jan-2003 deraadt

I do not know where this policy of "one .h file for every .c file" comes
from, but whoever thought of it is stupid.


# 1.274 03-Jan-2003 dhartmei

whitespace KNF (no, i don't touch the option inits)


# 1.273 03-Jan-2003 cedric

Bring in userland code for accessing PF radix tables.
ok dhartmei@ mcbride@


# 1.272 02-Jan-2003 mcbride

Require a direction to be specified for rules which do routing.

ok dhartmei@ henning@


# 1.271 30-Dec-2002 mcbride

Change ipv6-icmp-type to icmp6-type. pf.conf files will need to be adjusted
to reflect this.

ok dhartmei@ henning@


# 1.270 27-Dec-2002 mcbride

Since pf_norm.c looks at rule.log to see if it should log packets being
dropped due to scrub violations, this adds the ability to set this in
pf.conf.

ok henning@


# 1.269 21-Dec-2002 henning

always initialize rpool.key; diff from Frank Denis; KNF by me


# 1.268 21-Dec-2002 henning

KNF


# 1.267 20-Dec-2002 dhartmei

remove a redundant assignment.


# 1.266 19-Dec-2002 dhartmei

fix 'no rdr'.


# 1.265 18-Dec-2002 henning

more KNF


# 1.264 18-Dec-2002 dhartmei

proto list expansion is not supported in binat-anchor yet, print an error
when attempted.


# 1.263 18-Dec-2002 dhartmei

Support (single) destination port in rdr-anchor rules. Print an error
where parameters are not supported (in rdr-anchor and binat-anchor) yet.
If those are needed, we'll have to expand them properly.


# 1.262 18-Dec-2002 deraadt

fix some INCREDIBLE new bugs which were introduced


# 1.261 17-Dec-2002 henning

add support for the PRIQ scheduler

partially from kjc@

ok kjc@ dhartmei@


# 1.260 17-Dec-2002 mcbride

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule

ok dhartmei@ henning@


# 1.259 17-Dec-2002 henning

missing break in switch


# 1.258 17-Dec-2002 henning

beautify the %type block


# 1.257 17-Dec-2002 henning

PRIQ and HFSC support functions, not yet used.
mostly from kjc@ with adjustments by me.

ok theo ryan daniel


# 1.256 16-Dec-2002 henning

only create a root queue if scheduler = cbq


# 1.255 16-Dec-2002 henning

get full [scheduler]_opts struct instead of just .flags, and wrap it into a
switch (scheduler) statement in one case

inspired by kjc@


# 1.254 13-Dec-2002 henning

allow a second queue for higher-prioritized (currently: tos=lowdelay) packets
to be specified per rule

queue (qname, priorized_qname)

idea dhartmei
ok dhartmei@ frantzen@ deraadt@


# 1.253 13-Dec-2002 henning

a bit of KNF, originally part of another diff soon to come; frantzen@ correctly
pointed out that it should be a separate commit.


# 1.252 13-Dec-2002 deraadt

permit re-ordering of some scrub parameters, and also clean up some other
grammar baloney; henning ok


# 1.251 12-Dec-2002 henning

KNF


# 1.250 12-Dec-2002 henning

we don't need to keep a private copy of the queue name in expand_rule,
r->qname is never modified

discussed with dhartmei@


# 1.249 11-Dec-2002 mcbride

Replace strncpy + ugly pointer math with sscanf for reading source-hash keys

ok dhartmei@ henning@


# 1.248 09-Dec-2002 dhartmei

(properly guarded) strcpy() -> strlcpy()


# 1.247 09-Dec-2002 deraadt

do not allow redefinitions in variable option blocks; henning ok


# 1.246 08-Dec-2002 henning

strncpy is evil.


# 1.245 08-Dec-2002 henning

allow flexible options order like Theo did for rules.

idea, lots of input, motivation and ok deraadt@

ATTENTION:
this changes the syntax. the "scheduler" keyword is gone now.
old: altq on $interface scheduler cbq ...
new: altq on $interface cbq ...


# 1.244 07-Dec-2002 dhartmei

Support parameters in anchor rules. Allows conditional evaluation, like:

anchor spews inet proto tcp from any to any port smtp

ok deraadt


# 1.243 07-Dec-2002 henning

more KNF


# 1.242 07-Dec-2002 henning

KNF


# 1.241 07-Dec-2002 henning

shadow cleanup

ok mcbride@ frantzen@


# 1.240 07-Dec-2002 henning

kill an unused param to lungetc


# 1.239 07-Dec-2002 mcbride

Convert the hash of a string key to network byte order. Makes regression
work on all platforms.

Bug found by dhartmei@

ok dhartmei@ henning@


# 1.238 06-Dec-2002 dhartmei

Remove negated address list check again, doesn't work right yet.


# 1.237 06-Dec-2002 dhartmei

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@


# 1.236 05-Dec-2002 henning

fix a small cosmetic problem. if ifa_lookup was called in LOOKUP_NET mode,
it would return things like 127.0.0.1/8. when 127.0.0.1/8 is passed through
the new selftests, it becomes 127.0.0.0/8.
fix: instead of just copying addr.mask in ifa_lookup, use set_ipmask, so it
is 127.0.0.0/8 from the beginning on.


# 1.235 05-Dec-2002 henning

-quote varset in -v output
-don't add 's' in set timeout -v output

makes the feedback regression tests succeed.

ok markus@ mcbride@


# 1.234 04-Dec-2002 henning

in host(), apply a given netmask to all members of the node_host list
returned by ifa_lookup().

reported by Alejandro G. Belluscio

ok dhartmei@


# 1.233 04-Dec-2002 deraadt

do not warn for unused variables except with -v -v; henning ok


# 1.232 02-Dec-2002 henning

KNF


# 1.231 02-Dec-2002 deraadt

permit more flexible pass/block lines. the options given at the end of
a line can now be placed in any order, and some merging of duplicate options
is also done. this is easier to use.


# 1.230 02-Dec-2002 henning

allow for "altq on $interface" without specifying a bandwidth. The
interface's bandwidth is taken then.
as a side-effect, "altq on $interface bandwidth xx%" is also possible now,
it's relative to the interface's bandwidth then.

ok theo


# 1.229 30-Nov-2002 mickey

move damn unmask() proto into place as well


# 1.228 29-Nov-2002 henning

coredumps are not nice.
deal with the fact that when we are merging the lists in host_list both can
be NULL.
found at EuroBSDCon 2002 while I was explaining the expansion process to
Paul de Weerd

ok dhartmei@


# 1.227 29-Nov-2002 henning

print queuespec only once in verbose mode, even if referenced more often


# 1.226 29-Nov-2002 henning

FREE_LIST nqueues later; can be used more than once


# 1.225 28-Nov-2002 henning

allow qlimit on altq spec


# 1.224 28-Nov-2002 mcbride

- Adjust to match replacement of md5 with pf_hash
- Allow keys to be specified in hex (must be 128 bits, mainly to make
pfctl -v output parseable by pfctl) or as a string. Randomly generate key
if one is not specified.

Suggestions and fixes from camield@

ok mickey@ camield@ henning@


# 1.223 27-Nov-2002 henning

handle the "no bandwidth specified" case earlier and easier.


# 1.222 27-Nov-2002 henning

-use a #define for default qlimit instead of hardcoding it
-print qlimit in print_queue if it is not the default one
-assign the default qlimit early in the parser instead of using 0


# 1.221 27-Nov-2002 henning

next round in print fixes:
-only print priority if it is not equal to the default one
-space handling overhaul


# 1.220 27-Nov-2002 henning

use a #define for default priority instead of hardcoding it


# 1.219 27-Nov-2002 henning

fix tbrsize spec


# 1.218 27-Nov-2002 henning

fix error message for altq ifspec without child queues


# 1.217 26-Nov-2002 henning

make bandwidth specification on queue truly optional


# 1.216 26-Nov-2002 henning

queue comes before NAT


# 1.215 25-Nov-2002 henning

repair decide_address_family
you cannot just take the first address family you meet as the rule's address
family... either all are equal, or the rule has no explicit AF.

found by danh@
ok theo


# 1.214 25-Nov-2002 mickey

for loN and link1 translate the iface into address properly; henning@ ok


# 1.213 25-Nov-2002 henning

1Kb = 1000b, not 1024; as discussed with kjc@ and theo


# 1.212 25-Nov-2002 henning

KNF


# 1.211 24-Nov-2002 pb

enforce that queue comes right before filtering
'options, normalization, translation, queue, filter' now

henning@ ok


# 1.210 24-Nov-2002 dhartmei

Cosmetics and removal of a redundant code block.


# 1.209 23-Nov-2002 deraadt

sigh


# 1.208 23-Nov-2002 henning

KNF


# 1.207 23-Nov-2002 henning

better error checking in expand_queue


# 1.206 23-Nov-2002 henning

easier


# 1.205 23-Nov-2002 mcbride

Daniel's diff to untangle my mess with ifa_pick_ips like so:

- add decide_address_family() which runs through the list to find hosts
with the af set
- replace ifa_pick_ips with remove_invalid_hosts() which removes hosts with
the wrong address family from the list

from/ok dhartmei@


# 1.204 23-Nov-2002 henning

better error checking, round 1
this time in expand_altq


# 1.203 23-Nov-2002 henning

KNF


# 1.202 23-Nov-2002 deraadt

KNF


# 1.201 23-Nov-2002 dhartmei

$$->ifname is NULL, leave it NULL, don't $$->ifname[0] = 0;


# 1.200 23-Nov-2002 mcbride

Fix brokenness in parse.y, clean up:
- remove requirement for ( ) in route-to ( if )
- calloc route_host
- initialise route_host->next
- globally convert malloc to calloc

ok dhartmei@


# 1.199 23-Nov-2002 mcbride

code to support loading of pf rules with multiple redirection addresses
(in nat, rdr, route-to, dup-to and reply-to)

Syntax looks like this, see pf.conf(5) for details:

nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
192.168.0.16/29 source-hash random

rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
{ 192.168.0.8/31, 192.168.0.15 } port 22 round-robin

ok dhartmei@ henning@


# 1.198 22-Nov-2002 henning

print altq and queue lines in the pfctl -v case including the child queue
assignment


# 1.197 19-Nov-2002 henning

only take cbq opts from schedtype if type=CBQ


# 1.196 19-Nov-2002 henning

repair queuespec syntax glitch, theo agrees


# 1.195 19-Nov-2002 henning

default priority is 1, not 0
found by pb@


# 1.194 19-Nov-2002 camield

- match 'Gb' case-sensitively
- match "%" unit only, not "%crap"

ok henning@


# 1.193 19-Nov-2002 wilfried

icmp-type was off by one, ok henning@


# 1.192 18-Nov-2002 deraadt

no; do not use };


# 1.191 18-Nov-2002 henning

more using strl* return values instead of strlen calls


# 1.190 18-Nov-2002 henning

easier "queue name too long" detection; from theo


# 1.189 18-Nov-2002 deraadt

KNF


# 1.188 18-Nov-2002 deraadt

KNF


# 1.187 18-Nov-2002 henning

altq and pf merged

this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documentation yet, but committing now
enables a few more people to work on.

print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.

"commit now" theo philipp daniel


# 1.186 13-Nov-2002 henning

as scrub rules end up in a struct pf_rule just call expand_rule instead of
handcrufting this.
has quite a few positive side effects:
-interface list expansion works (fries@ asked for that)
-can specify address family, very helpful with dynamic interface expansion
(pointed out by daniel)
-src/dst ip/port list expansion works
-fixes a long standing, scary, though never noticed bug:
scrub out on lo1 from any to 10.0.0.1
expanded to
scrub out on lo1 all
... this bug was there from day #1.

"sneaky diff of the month award" dhartmei@


# 1.185 13-Nov-2002 dhartmei

Add label macro $if, as we support {} list expansion for interfaces now.
From David Gwynne. ok henning@, camield@


# 1.184 13-Nov-2002 dhartmei

Initialize tail pointer to node, found by fries@


# 1.183 08-Nov-2002 henning

init buf to NULL just in case...
there isn't a single codepath where it can remain uninitialized, but this
might prevent a stupid bug if we change something later


# 1.182 07-Nov-2002 henning

move the ifa_exists block a bit up in host()
inspired by mpech@ pointing out a missing free(buf). so handle the
it-is-an-interface case where we don't need the buf before allocating memory.


# 1.181 04-Nov-2002 henning

welcome to CIDR world, pfctl!

use inet_net_pton to parse IP addresses.
stuff like
block in from 10/8 to any
works now.

some input camield@ and dhartmei@

ok dhartmei@, camield@, mcbride@


# 1.180 02-Nov-2002 dhartmei

%i -> %d, matches the style of existing code, from millert@


# 1.179 02-Nov-2002 dhartmei

printf int with %i, not %u. from pilot@monkey.org.


# 1.178 30-Oct-2002 henning

simplify


# 1.177 30-Oct-2002 henning

fix interface expansion. since the reversed list expansion code was
committed this was broken, only the first IP address was returned.

pointed out by danh@, who sent an excellent bug report.

ok dhartmei@


# 1.176 29-Oct-2002 henning

introduce
set require-order [yes|no]
default is yes.
with set to "no", it isn't required to have the rules in order (options,
scrub, nat, filter) any more, though of course NATing still happens before
filtering and so on, so one has to take care.

ok camield@ mcbride@ dhartmei@
idea discussed with a whole lotta more people and basically ok for everyone ;-)


# 1.175 27-Oct-2002 henning

remove the "flags X" syntax.
no one who wrote "flags S" meant that, but actually something like "flags
S/SA". with "flags S" changing its actual meaning as more flags got
supported, things got worse.

ok dhartmei@, pb@


# 1.174 22-Oct-2002 mpech

%ul -> %lu

dhartmei@ ok


# 1.173 22-Oct-2002 mcbride

More conversion of "int af" and "u_int8_t af" declarations and function
arguments to the more correct and descriptive "sa_family_t af"

ok dhartmei@ henning@


# 1.172 22-Oct-2002 camield

Rename ipmask to set_ipmask and add some functionality: the netmask
is applied immediately to the address.

This way, the parsed rules output shows exactly which bits of an
address are significant for a match and errors due to wrong netmasks
can be spotted more easily.

Example:
$ pfctl -nvf -
pass in on lo0 from 172.17.0.0/12 to any
@0 pass in on lo0 inet from 172.16.0.0/12 to any

idea refined by dhartmei@
ok frantzen@ henning@
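
The immediate mask application described in 1.172, as an added C example (not pfctl's own set_ipmask()): it normalizes an address/prefix the same way and reports whether host bits were set, which is how the 172.17.0.0/12 to 172.16.0.0/12 difference above becomes visible. It also accepts IPv6 literals; the function names normalize_cidr() and cidr_check() are this example's own.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/*
 * Normalize "address/prefixlen" by applying the netmask to the address
 * right away, so the printed form shows exactly which bits can match.
 * Host bits set in the written address are a common configuration slip
 * (172.17.0.0/12 really means 172.16.0.0/12), so they are reported.
 *
 * Returns 1 if host bits were set, 0 if the address already was a network
 * address, -1 if the spec is malformed.  'out' receives the normalized text.
 */
int
normalize_cidr(const char *spec, char *out, size_t outlen)
{
	char		 host[INET6_ADDRSTRLEN];
	unsigned char	 addr[16];
	const char	*slash;
	char		*end;
	long		 bits;
	int		 af, len, i, hostbits_set = 0;

	slash = strchr(spec, '/');
	if (slash == NULL || (size_t)(slash - spec) >= sizeof(host))
		return (-1);
	memcpy(host, spec, slash - spec);
	host[slash - spec] = '\0';

	/* the literal itself decides the address family */
	if (inet_pton(AF_INET, host, addr) == 1) {
		af = AF_INET;
		len = 4;
	} else if (inet_pton(AF_INET6, host, addr) == 1) {
		af = AF_INET6;
		len = 16;
	} else
		return (-1);

	/* prefix length must be all digits and within the family's range */
	if (slash[1] < '0' || slash[1] > '9')
		return (-1);
	bits = strtol(slash + 1, &end, 10);
	if (*end != '\0' || bits < 0 || bits > len * 8)
		return (-1);

	/* apply the mask byte by byte, remembering any host bit that was set */
	for (i = 0; i < len; i++) {
		int		keep = (int)bits - i * 8; /* prefix bits in this byte */
		unsigned char	m;

		if (keep >= 8)
			m = 0xff;
		else if (keep <= 0)
			m = 0;
		else
			m = (unsigned char)(0xff << (8 - keep));
		if (addr[i] & (unsigned char)~m)
			hostbits_set = 1;
		addr[i] &= m;
	}

	if (inet_ntop(af, addr, host, sizeof(host)) == NULL)
		return (-1);
	if (snprintf(out, outlen, "%s/%ld", host, bits) >= (int)outlen)
		return (-1);
	return (hostbits_set);
}

/*
 * Check helper: returns normalize_cidr()'s result when the normalized text
 * equals 'expected', -2 when it does not, and the negative error otherwise.
 */
int
cidr_check(const char *spec, const char *expected)
{
	char	buf[INET6_ADDRSTRLEN + 5];
	int	r = normalize_cidr(spec, buf, sizeof(buf));

	if (r < 0)
		return (r);
	return (strcmp(buf, expected) == 0 ? r : -2);
}

int
main(void)
{
	/* constructed sample specs, including the one from the commit message */
	const char	*samples[] = { "172.17.0.0/12", "10.0.0.0/8",
			    "2001:db8::1/32", "192.168.1.77/33" };
	char		 buf[INET6_ADDRSTRLEN + 5];
	size_t		 i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int r = normalize_cidr(samples[i], buf, sizeof(buf));

		if (r < 0)
			printf("%-18s -> invalid\n", samples[i]);
		else
			printf("%-18s -> %s%s\n", samples[i], buf,
			    r ? "  (host bits were set)" : "");
	}
	return (0);
}
```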


# 1.171 17-Oct-2002 mcbride

These checks are also made in nat_consistent() and rdr_consistent().

ok dhartmei@ henning@


# 1.170 17-Oct-2002 camield

- accept all protocols that are specified by number if they are in
the valid range (also when they're not listed in /etc/protocols)
- explicitly disallow protocol number 0, because it has special meaning
to pf

ok dhartmei@ henning@


# 1.169 16-Oct-2002 mpech

Fix and improve binat mask comparison.

dhartmei@, henning@ ok


# 1.168 14-Oct-2002 henning

Allow one to specify a netblock in a binat rule:

binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27

Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.

from ryan

ok dhartmei@


# 1.167 11-Oct-2002 camield

When a macro cannot be expanded because it is not defined, say so. Also warn
about unused macros.

ok dhartmei@ henning@


# 1.166 11-Oct-2002 camield

In lgetc(), compress strings of whitespace to a single space. This makes
macros come out right in verbose mode and is less functional overhead.

Also err on whitespace after a backslash. That type of error is hard to
find otherwise.

ok dhartmei@ henning@


# 1.165 08-Oct-2002 vincent

remove <0 checks on unsigned numbers.

ok henning@


# 1.164 07-Oct-2002 dhartmei

-Wsign-compare clean


# 1.163 07-Oct-2002 dhartmei

Two cases of const-correctness and make one global local.


# 1.162 07-Oct-2002 henning

set block-policy [drop|return]
drop is default, same behaviour as before

support
block drop
to override a return policy


# 1.161 07-Oct-2002 henning

support a generic return
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else

ok dhartmei@


# 1.160 07-Oct-2002 henning

make return-icmp work for rules covering both v4 and v6
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)

ok and some input dhartmei@


# 1.159 07-Oct-2002 henning

use a new rule_flag PFRULE_RETURNICMP to decide whether to return-icmp or not
instead of just testing return_icmp > 0

ok dhartmei@


# 1.158 07-Oct-2002 dhartmei

Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.


# 1.157 06-Oct-2002 dhartmei

Move CHECK_ROOT into LOOP_THROUGH, gets rid of one macro and saves
several lines, no functional difference. From Camiel Dobbelaar.


# 1.156 05-Oct-2002 dhartmei

Expand {} lists from left to right, so 'pass in from { a, b } to any'
becomes '@0 pass in from a to any @1 pass in from b to any' instead of
the other way around. Patch from Camiel Dobbelaar.


# 1.155 05-Oct-2002 dhartmei

Allow filtering based on IP header's tos field.


Revision tags: OPENBSD_3_2_BASE
# 1.154 22-Sep-2002 henning

little KNF: return(something) -> return (something)


# 1.153 22-Sep-2002 henning

fix linenumber counting in findeol, and simplify by ignoring the \ case,
that's already handled earlier.
fast-forward on erroneous lines

partially from camield@, parts result of a discussion with Mike

ok frantzen@ dhartmei@


# 1.152 22-Sep-2002 henning

antispoof, take 2.
also block incoming packets with our own IP as src.

discussion & help frantzen

ok ho@ dhartmei@ frantzen@


# 1.151 17-Sep-2002 henning

easier "self" implementation.
no functional changes

ok pb@


# 1.150 15-Sep-2002 henning

set a netmask in the dynaddr case
noticed by <han@mijncomputer.nl>

ok pb@


# 1.149 14-Sep-2002 henning

bit more clue in rdr/nat rules wrt address family examination
don't take the af from host_node structs based on interface lookups, most
interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will
at least have one IP address specified from which we take the af for the
whole rule. The rare exceptional cases require the user to specify the af.

ok frantzen@


# 1.148 12-Sep-2002 henning

check for calloc() failure; ho@


# 1.147 12-Sep-2002 henning

antispoof [log] [quick] for [interface|interface_list] [af]

e. g.

antispoof log quick for { dc0, dc1 } inet

docs & regress coming

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@
IPv6 help itojun@

finally, a long story finds its happy end here.


# 1.146 12-Sep-2002 henning

rework netmask handling:
-don't set netmask in host token handler
-clear netmask in ipmask() proper before setting it
-in ifa_load(), also store interface's netmask and broadcast address
-allow ifa_lookup() to return either the interface's IP address(es), network(s)
or broadcast address(es) - not used anywhere yet. This implies that
ifa_lookup() also returns the netmask now.
-host() returns netmasks, too

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@


# 1.145 08-Sep-2002 henning

be more clueful wrt address family in nat/rdr rules.
behaviour noticed by Paul de Weerd, thanks!

ok dhartmei@


# 1.144 02-Sep-2002 dhartmei

Fix parsing of port ranges in translation rules (port a:b -> port c:d).
ok henning@


# 1.143 02-Sep-2002 dhartmei

Make sure the interface specified with route-to/dup-to/fastroute exists
and null-terminate the interface name. Found by Michael Wallis.
ok henning@


# 1.142 20-Aug-2002 dhartmei

Increase lineno on newlines inside multi-line macro definitions, otherwise
errors on subsequent lines are reported with wrong line numbers.
From Paul B. Henson.


# 1.141 16-Aug-2002 henning

kill duplicated check for '(' and ')' in allowed_in_string


# 1.140 12-Aug-2002 dhartmei

Catch null pointer deref (segfault), from wilfried@


# 1.139 06-Aug-2002 henning

missing free(), mpech@
ok pb@


# 1.138 06-Aug-2002 henning

check for strdup() allocation errors

pointed out by mpech@
ok pb@


# 1.137 31-Jul-2002 henning

KNF, esp. missing prototypes


# 1.136 30-Jul-2002 henning

grmpf.
in some cases, on non-tcp rules flags weren't reset. cosmetic-only
problem. but, well, checking for r->flags and r->flagset if we could have
assigned them zero just one round ago is just stupid, and it's not needed to
check them at all.

ok pb@, dhartmei@


# 1.135 30-Jul-2002 henning

allow to specify flags on all rules that include tcp.

these are valid:

pass in from any to any flags S
pass in proto { tcp, udp, icmp } from any to any flags S
pass in proto tcp from any to any flags S

these are invalid:

pass in proto { udp, icmp } from any to any flags S
pass in proto udp from any to any flags S

ok "I've lost my slacker status for at least a week" frantzen@
ok pb@, dhartmei@, deraadt@


# 1.134 26-Jul-2002 henning

make the order of log and quick irrelevant. now both
block in log quick all
and
block in quick log all
work.

ok dhartmei@, deraadt@


# 1.133 23-Jul-2002 henning

timeout_list/_spec and limit_list/_spec don't return anything -> no %type.

ok theo


# 1.132 21-Jul-2002 deraadt

fix route-to also


# 1.131 21-Jul-2002 deraadt

make the , optional in many places. This makes string concat a lot more
useful. Now you can
in = ssh domain www
out = $in ftp finger
pass in proto tcp from any to any port { $in }
pass out proto tcp from any to any port { $out }
a poor example, but the idea is obvious


# 1.130 21-Jul-2002 deraadt

string concat, ie.
a=a b
c=$a $a


# 1.129 20-Jul-2002 deraadt

minor indent tweaks


# 1.128 20-Jul-2002 deraadt

properly split yacc and lex use


# 1.127 19-Jul-2002 deraadt

minor tweaks, sigh


# 1.126 19-Jul-2002 dhartmei

And back out the last change again.


# 1.125 19-Jul-2002 henning

rework the interface lookup routines internals.
less and easier code than before.
no functional changes.

ok frantzen@, dhartmei@


# 1.124 19-Jul-2002 dhartmei

Support # comments at the end of lines and inside (multi-line) string
literals, so you can do things like

macro="{ foo, # first entry
bar, # second entry
baz }" # last entry

or

pass in on $ext_if \ # external interface
proto tcp \ # TCP connections
from any to $ext_if \ # to the gateway itself
keep state

And sneaking in two minor fixes for KNF.


# 1.123 19-Jul-2002 henning

deal with the fact that the struct node_host ifa_pick_ip gets is not always
the result of an interface expansion. in this case ifa_pick_ip does an
address family check (that's actually a (wanted) side effect). Thus, we need
to spit out a meaningful error message in case of a mismatch.
also adjust all the other error messages, they were also assuming that nh is
the result of an interface expansion.
after a looooong discussion on icb (dhartmei@, pb@, me) we agreed on the term
"translation address" for that.

okay dhartmei@


# 1.122 17-Jul-2002 henning

support "self" as address. self expands to all IPv4 and IPv6 addresses of
the machine, on all interfaces. I wanted
block in log on ! lo0 from any to self
for years, and now it's possible.

ok "I may lose my slacking status if I OK it" frantzen@
ok dhartmei@

documentation in pf.conf.5 to come with pb@'s rewrite


# 1.121 16-Jul-2002 dhartmei

Add nat_consistent() and rdr_consistent() for checks that should occur
after rule expansion, similar to rule_consistent(). Fixes the
non-effective test for rdr rules for non-TCP/UDP protocols with ports,
found by mpech@, ok frantzen@


# 1.120 15-Jul-2002 henning

add support for
pass|block on ! $interface ...

ok dhartmei@

will be documented in pf.conf(5) by "I'm not slacking!" pb@ who's currently
reworking this manpage


# 1.119 15-Jul-2002 pb

cosmetics/consolidations to manpage in yyerror()s

ok henning@, dhartmei@


# 1.118 15-Jul-2002 henning

o complain about keep state on block rules
o complain about return-rst on rules which aren't limited to tcp

pointed out by not-slacking-but-testing pb@

ok pb@, dhartmei@


# 1.117 13-Jul-2002 henning

add list expansion for interface and proto in nat rules and for proto in rdr
rules (interface was already there). since the nat.conf/pf.conf merge the
parser accepted these but didn't expand them. ugh.

ok dhartmei@


# 1.116 09-Jul-2002 itojun

check sin6_scope_id field, just in case we change the routing socket API
for scoped address (unlikely due to the deployed codebase...).


# 1.115 09-Jul-2002 itojun

getifaddrs(3) grabs link-local addrs in kernel internal form, convert them
into proper sockaddr_in6.


# 1.114 09-Jul-2002 henning

rework the interface-to-IP routines.

you can use interface names instead of an IP in most places. However, until
now, it was only expanded to the interface's first IPv4 address if existent
(and address family unset or inet) and the first IPv6 address otherwise.

this diff changes that. the interface is properly expanded to all IPs, IPv4
_and_ IPv6, now.

it also cleans up the lookup procedures (well, in fact, they are replaced by
a new one), there's no need for different procedures for IPv4 and IPv6. we
now just have one list of interfaces (AF_LINK) and one list with IPs
(AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and
ifa_lookup.

nat, rdr & friends now use the new function ifa_pick_ip to get the IP in
rules like

nat on $interface from $whatever to any -> $interface

ifa_pick_ip tries to be smart.
if the interface has only one IP address and the nat rule doesn't specify an
address family (or it matches with this address), take this one.
If the address family is specified in the nat rule and there is only one IP
for the given address family, this one is used. if the address family is not
specified and there is more than one IP pfctl throws an error. The same
applies for multiple IPs per address family.

This causes regression tests 18 and 20 to fail because the address family
isn't specified there; diff for those coming.

also fix some prototypes while I'm here.

pb@ found another problem while testing that we must have introduced somewhat
after 3.1.

$cat t
nat on ne3 from any to any -> 213.128.133.5
$pfctl -nvf t
nat on ne3 all -> ?

it's only a representation bug as far as I've checked, nonetheless it should
be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just
steal its target's IP af and set the rule's af accordingly. then inet_ntop
does play nice.
binat rules already enforce having an address family set always and thus are
not affected.

ok dhartmei@, pb@, kjell@
"It looks good" frantzen@


# 1.113 08-Jul-2002 dhartmei

Don't allow 'flags' option in non-TCP rules, found by mpech@


# 1.112 05-Jul-2002 henning

unbreak.


# 1.111 05-Jul-2002 henning

another small bug I found while installing a -current pf firewall.
we don't support

pass/block in on ! <interface>

(at least, not yet)
let the parser complain instead of ignoring the '!'

ok pb@, dhartmei@


# 1.110 01-Jul-2002 espie

streamline parse buffer handling (no need to copy value that is not
going to go away).

add explicit pushback buffer, to be able to push IPv6 failed parses back.

handle pushback + parse buffer interactions by using negative indices.

okay dhartmei@, deraadt@


# 1.109 01-Jul-2002 deraadt

KNF


# 1.108 28-Jun-2002 dhartmei

Don't check for address family conflicts in nat/rdr before expansion,
rules will expand to all valid combinations, and there's an error when
none is found. Makes "nat on tun0 from 10.0.0.0/8 to any -> (tun0)"
work (again).


# 1.107 25-Jun-2002 henning

move pfctl options -t, -m, -O and -l to pf.conf. These are set using the
"set" keyword. example rulefile:

set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all

fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@


# 1.106 24-Jun-2002 dhartmei

Use interface when specified in scrub rule. No support for ! or {} yet.


# 1.105 23-Jun-2002 deraadt

uid_t and gid_t are unsigned


# 1.104 20-Jun-2002 dhartmei

Copy address family from inet/inet6 keyword, if specified.


# 1.103 18-Jun-2002 frantzen

propagate a '!' when a host resolves to multiple IP addresses
ok dhartmei@


# 1.102 18-Jun-2002 frantzen

don't allow individual keep state rules to specify timeouts for 'interval' and
'frag' -- they aren't applied anyway
ok dhartmei@ and henning@


# 1.101 16-Jun-2002 aaron

Rules must in order -> Rules must be in order


# 1.100 15-Jun-2002 dhartmei

Reset rulestate in parse_rules(), so consecutive calls (like from authpf)
will not fail. Reported by Chris Kuethe.


# 1.99 13-Jun-2002 kjell

Fix the numbering of scrub rules. pointed out and oked by frantzen@


# 1.98 12-Jun-2002 kjell

Fix uninitialized access. Spotted by danh@ This is a good reason to
develop with "ln -s 'J' /etc/malloc.conf" enabled.
ok henning@


# 1.97 11-Jun-2002 frantzen

split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@. the rest are slacking


# 1.96 11-Jun-2002 frantzen

SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@


# 1.95 11-Jun-2002 dhartmei

Make NAT proxy port range configurable per rule, for instance privileged
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@


# 1.94 10-Jun-2002 kjell

Merge the NAT and rules files into a single rulefile. Rules must be
in this order, to remove any ambiguity about what order things happen in:

scrub rules
nat rules
filter rules

The -N and -R modifiers go away. Rulefiles are now loaded with the
more POSIXly-correct '-f'

ok frantzen@


# 1.93 10-Jun-2002 dhartmei

Allow ports to be specified in nat rules, useful later on for individual
proxy port ranges.


# 1.92 10-Jun-2002 dhartmei

Move enum out of struct (gcc 3.1 wasn't happy), from David Krause


# 1.91 10-Jun-2002 kjell

split scrub rule processing into its own yacc target,
for imminent config file merge. ok frantzen@


# 1.90 09-Jun-2002 dhartmei

Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it
includes ports and operator.


# 1.89 09-Jun-2002 deraadt

spaced out developers...


# 1.88 09-Jun-2002 kjell

Add list parsing in RDR rules: e.g.

rdr on $IFLIST proto tcp from $SRC_LIST to $DST_LIST port 21 \
-> 127.0.0.1 port 8021

ok dhartmei@


# 1.87 08-Jun-2002 henning

nuke unused parameter af to expand_label_port
ok dhartmei@, pb@


# 1.86 08-Jun-2002 dhartmei

Change remaining read-only lookup tables to const, suggestion drahn@


# 1.85 08-Jun-2002 itojun

comment on IPv6 link-local twists


# 1.84 08-Jun-2002 kjell

add list expansion to src/dest in NAT rules. i.e.

nat on fxp0 from { 10.0.0.0/24, 10.0.1.0/24 } to \
{ 172.6.1.1, 172.14.1.2/32 } -> fxp0

ok theo, dhartmei@


# 1.83 08-Jun-2002 henning

remove macro concatenation via += per Theo's advice


# 1.82 08-Jun-2002 henning

allow macro concatenation like
webservers = "{ 10.0.0.1, 10.0.0.7, 10.0.0.8, "
webservers += " 10.0.0.17, 10.0.0.25, 10.0.0.37 }"
ok frantzen@, dhartmei@


# 1.81 08-Jun-2002 dhartmei

Make state timeouts configurable per rule, like

pass in from any to any port www keep state (tcp.established 60)

ok frantzen@


# 1.80 08-Jun-2002 henning

expand $nr -> rule number in rule labels
okay dhartmei@, frantzen@


# 1.79 08-Jun-2002 henning

expand $proto in rule labels
okay frantzen@ dhartmei@


# 1.78 07-Jun-2002 dhartmei

Handle realloc() failure gracefully. Terminates with err() anyway in this
case, but we don't want to trigger "p = realloc(p," grepping causing false
alarms here.


# 1.77 07-Jun-2002 deraadt

henning, read this to see what i mean by KNF


# 1.76 07-Jun-2002 pb

add the possibility to configure a TTL while return-rst

ok dhartmei@, ipv6 part itojun@ ok


# 1.75 07-Jun-2002 dhartmei

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@


# 1.74 07-Jun-2002 henning

allow using $srcaddr, $srcport, $dstaddr and $dstport in rule labels,
evaluated at parse time.
ok dhartmei@


# 1.73 07-Jun-2002 itojun

make IPv6 scope identification work for dst (from any to fe80::1%lo0)


# 1.72 07-Jun-2002 itojun

support scoped IPv6 address in from/to portion.


# 1.71 01-Jun-2002 hugh

ECN flag support for pf. Committed in consultation with Daniel.


# 1.70 24-May-2002 dhartmei

Support mixed (IPv4/v6) address lists, expand to all possible and valid
combinations. 'pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }' will
expand to two rules, 'from 10.1.2.3 to 10.4.5.6' and 'from ::1 to ::2'.
Also applies to host name resolution (when multiple addresses are returned
for one name). ok frantzen@, itojun@


# 1.69 23-May-2002 deraadt

tiny KNF, some malloc checks, etc


# 1.68 23-May-2002 itojun

new_addr is not used from anywhere. daniel@benzedrine.cx ok


# 1.67 19-May-2002 deraadt

KNF


# 1.66 12-May-2002 dhartmei

Explain that user/group 'unknown' can only be used with operators = and !=
and refuse other constructs in the parser. Also note that 'user >= 0' does
not match forwarded packets with unknown user ID.


# 1.65 12-May-2002 dhartmei

Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.


# 1.64 10-May-2002 dhartmei

Handle host name resolution returning multiple addresses in the rule
parser (expand to every address). ok frantzen@


# 1.63 09-May-2002 jasoni

Add a max-mss option to the scrub rule which will enforce a maximum mss
by lowering it to the given value.
- ok dhartmei@, provos@


# 1.62 09-May-2002 dhartmei

Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.


# 1.61 24-Apr-2002 dhartmei

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).


# 1.60 23-Apr-2002 dhartmei

Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.


# 1.59 18-Apr-2002 deraadt

use strlcpy


# 1.58 17-Apr-2002 dhartmei

Reset lineno for each file, so pfctl -R ... -N ... reports the right
line number for non-first files. Reported by aaron@


Revision tags: OPENBSD_3_1_BASE
# 1.57 27-Mar-2002 mickey

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok


# 1.56 27-Feb-2002 dhartmei

Instead of printing useless @0 rule numbers from pfctl -vR, increase a
counter. Helps debugging rule sets that are not loaded. Suggested by
John Kerbawy.


# 1.55 11-Jan-2002 mickey

use bsearch() for keywords lookup, swap couple of entries to make the keywords array sorted and add a comment to keep it that way; dhartmei@ ok


# 1.54 10-Jan-2002 hugh

Let port 0 be specified as it's not special here.
Agreement with Daniel and others.


# 1.53 09-Jan-2002 mpech

Port must be >0 and <=65535. Idea while having fun with ssh.

dhartmei@ ok


# 1.52 09-Jan-2002 mpech

free() 'interface' in {nat,binat,rdr}rule

dhartmei@ ok


# 1.51 09-Jan-2002 dhartmei

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.


# 1.50 08-Jan-2002 dhartmei

Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.


# 1.49 07-Jan-2002 mpech

remove 3rd argument from ipmask(), not used.

dhartmei@ ok


# 1.48 23-Dec-2001 deraadt

find correct line number in lval, instead of val


# 1.47 10-Dec-2001 dhartmei

Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.


# 1.46 05-Dec-2001 dhartmei

Correctly parse hex numbers. Spotted by Claudio Jeker. Closes PR 2234.


# 1.45 03-Dec-2001 dhartmei

For nat, binat and rdr rules, don't allow different address families in
one rule. pf can't translate IPv4 <-> IPv6 packets. Such rules didn't work,
even if they were falsely accepted before.


# 1.44 26-Nov-2001 jasoni

add fastroute options similar to what is found in ipf
ok dhartmei@, frantzen@


# 1.43 05-Nov-2001 deraadt

noone responds.
this diff makes } and { not be part of symbols


# 1.42 24-Oct-2001 dhartmei

Check interface names using ifa0_lookup() and print error message for
non-existent interfaces (instead of the generic ioctl error returned by
the kernel in this case).


Revision tags: OPENBSD_3_0_BASE
# 1.41 15-Oct-2001 dhartmei

branches: 1.41.2;
Add 'allow-opts' to rules. Packets with IP options will be blocked by
default now, and can be allowed per rule. ok deraadt@


# 1.40 11-Oct-2001 frantzen

Don't htonl() past buffer bounds if ipmask == 128


# 1.39 07-Oct-2001 dhartmei

Add interface name to address translation to pfctl, document it and add
a regress test. Translation is done on rule set load-time only, so the
rule sets must be reloaded when an interface address changes.
parse.y patch from Cedric Berger. Similar patch from Jonathon Fletcher.
Thanks to both.


# 1.38 01-Oct-2001 markus

print variable assignments only if -v is given. ok dhartmei/deraadt


# 1.37 28-Sep-2001 dhartmei

Support underscores in macro names and document it in the man page.


# 1.36 20-Sep-2001 dhartmei

Fix uninitialized structure fields. Problem reported by Cedric Berger.


# 1.35 15-Sep-2001 wilfried

Implement return-icmp(number), return-icmp6(number)
Differentiate between return-icmp and return-icmp6,
icmp-type and ipv6-icmp-type. ok dhartmei@


# 1.34 15-Sep-2001 dhartmei

Fix 'binat ... to any ...' (binat.af wasn't set).


# 1.33 15-Sep-2001 dhartmei

Parse bug, found by wilfried@


# 1.32 15-Sep-2001 frantzen

IPv6 support from Ryan McBride (mcbride@countersiege.com)


# 1.31 12-Sep-2001 markus

check calloc() return value


# 1.30 06-Sep-2001 jasoni

- you can only binat between hosts
- add binat example and description


# 1.29 06-Sep-2001 jasoni

1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@


# 1.28 04-Sep-2001 dhartmei

Support parameter lists {} for interfaces in filter rules, like
pass in on { gm0, kue0 } from any to any


# 1.27 28-Aug-2001 markus

move '!' from host_list to host: "xhost : '!' host | host;"; ok dhartmei@


# 1.26 28-Aug-2001 markus

check for malloc/strdup == NULL


# 1.25 28-Aug-2001 dhartmei

Support ! operator in host parameter lists. Fixes PR system/2030. Reported
by Kamil Andrusz <wizz@mniam.net>.


# 1.24 26-Aug-2001 deraadt

sort keywords


# 1.23 25-Aug-2001 frantzen

PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation.


# 1.22 23-Aug-2001 millert

o for a port_item, initialize the "next" pointer to NULL
o for an address, use calloc() instead of malloc() so the struct is zeroed
Fixes a SEGV in pfctl due to uninitialized "next" pointers.


# 1.21 23-Aug-2001 deraadt

Support var="string". Expansion (at lex time) done using $var, for instance:
okproto="{ssh, smtp, domain, auth}"
pass in on key0 proto tcp from any to any port $okproto keep state
Can I ask someone else to document this in pf.conf(5)?


# 1.20 19-Aug-2001 dhartmei

Add parameter list support to parser. Handles lists for protocol, hosts
and ports in filter rules, like

block in from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
pass in proto tcp from any to any port { ssh, 1024 >< 2000, > 65000 }
block in proto { udp, igmp }

and does rule expansion (generate all needed rule combinations).
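Both the list expansion introduced here and the mixed-family rule from the 1.70 message above ('pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }' expanding to two rules, not four) are illustrated by the following added example, which is not pfctl's own code: it generates the proto x src x dst combinations and drops src/dst pairs whose address families differ. The struct and function names and the two-item proto list are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>	/* AF_INET, AF_INET6 */

/* A host entry from a { ... } list: text form plus its address family. */
struct host {
	const char	*addr;
	int		 af;
};

/* One rule produced by expansion (constructed type, not pf's struct pf_rule). */
struct expanded_rule {
	const char	*proto;
	const char	*src;
	const char	*dst;
	int		 af;
};

/*
 * Expand proto x src x dst into individual rules, dropping src/dst pairs
 * whose address families differ: a v4 source cannot be filtered against a
 * v6 destination, so only family-consistent pairs are "valid" in the sense
 * of the 1.70 message. Returns the number of rules written; stops at maxout.
 */
size_t
expand_rule(const char *const *protos, size_t nproto,
    const struct host *src, size_t nsrc,
    const struct host *dst, size_t ndst,
    struct expanded_rule *out, size_t maxout)
{
	size_t n = 0;

	for (size_t p = 0; p < nproto; p++)
		for (size_t i = 0; i < nsrc; i++)
			for (size_t j = 0; j < ndst; j++) {
				if (src[i].af != dst[j].af)
					continue;	/* mixed v4/v6 pair: skip */
				if (n == maxout)
					return n;
				out[n].proto = protos[p];
				out[n].src = src[i].addr;
				out[n].dst = dst[j].addr;
				out[n].af = src[i].af;
				n++;
			}
	return n;
}

/*
 * Constructed sample: the rule quoted in the 1.70 message with a two-item
 * proto list added in the style of 1.20:
 *   pass in proto { tcp, udp } from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }
 */
static struct expanded_rule expanded[16];

size_t
example_expand(void)
{
	static const char *const protos[] = { "tcp", "udp" };
	static const struct host src[] = {
		{ "10.1.2.3", AF_INET }, { "::1", AF_INET6 }
	};
	static const struct host dst[] = {
		{ "10.4.5.6", AF_INET }, { "::2", AF_INET6 }
	};

	return expand_rule(protos, 2, src, 2, dst, 2, expanded,
	    sizeof(expanded) / sizeof(expanded[0]));
}

int
main(void)
{
	size_t n = example_expand();

	/* 2 protos x 2 family-consistent pairs = 4 rules, not 8 */
	for (size_t i = 0; i < n; i++)
		printf("pass in %s proto %s from %s to %s\n",
		    expanded[i].af == AF_INET ? "inet" : "inet6",
		    expanded[i].proto, expanded[i].src, expanded[i].dst);
	return 0;
}
```

The family check is what keeps the expanded ruleset from silently containing rules that can never match; a loader that skipped it would accept the configuration but load dead rules.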


# 1.19 16-Aug-2001 deraadt

track the line number per-token, so that we can report errors correctly


# 1.18 14-Aug-2001 mickey

optimize the flags parsing; markus@ ok


# 1.17 11-Aug-2001 deraadt

\+\n support, and spit out cc-style error messages. the parser's line
counting is lex dependent, and will need to be tweaked


# 1.16 31-Jul-2001 wilfried

allow to test that flags are unset, ok dhartmei@, mickey@


# 1.15 19-Jul-2001 krw

Fix/complete the handling of the binary ops >< and <> to behave
like the ipf operators.

The 'n >< m' construct (Include Range = PF_OP_IRG) should match
ports greater than n and less than m, not greater than or equal to
n and less than or equal to m.

The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match
all ports less than n OR greater than m, not be treated as an
alias for ><.

Thus PF_OP_GL, which was used for both <> and >< is replaced with
PF_OP_IRG and PF_OP_XRG with the 'correct' semantics.

OK dhartmei@
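The boundary semantics this commit describes, as an added example that is not pfctl's own code: a port matcher implementing the 'n >< m' (include range) and 'n <> m' (exclude range) operators with the corrected exclusive bounds, beside the old inclusive PF_OP_GL behaviour it replaced. Only the operator names PF_OP_IRG and PF_OP_XRG come from the commit message; the enum, the other members and the function names are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Port operators. PF_OP_IRG and PF_OP_XRG are named in the commit message;
 * the enum itself and the remaining members are constructed for this
 * example and are not pf's definitions.
 */
enum port_op {
	PF_OP_NONE,	/* no port constraint */
	PF_OP_IRG,	/* n >< m: include range, exclusive bounds */
	PF_OP_XRG,	/* n <> m: exclude range, everything outside n..m */
	PF_OP_EQ,
	PF_OP_NE,
	PF_OP_LT,
	PF_OP_LE,
	PF_OP_GT,
	PF_OP_GE
};

/* Corrected (1.15) semantics: match a packet's port against "op n m". */
bool
port_match(enum port_op op, uint16_t n, uint16_t m, uint16_t port)
{
	switch (op) {
	case PF_OP_NONE:
		return true;
	case PF_OP_IRG:
		return port > n && port < m;	/* strictly inside */
	case PF_OP_XRG:
		return port < n || port > m;	/* strictly outside */
	case PF_OP_EQ:
		return port == n;
	case PF_OP_NE:
		return port != n;
	case PF_OP_LT:
		return port < n;
	case PF_OP_LE:
		return port <= n;
	case PF_OP_GT:
		return port > n;
	case PF_OP_GE:
		return port >= n;
	}
	return false;
}

/*
 * Pre-1.15 behaviour as the message describes it: a single PF_OP_GL served
 * both >< and <> and matched n <= port <= m. Kept only to show how the
 * boundary ports differ between the two.
 */
bool
port_match_old_gl(uint16_t n, uint16_t m, uint16_t port)
{
	return port >= n && port <= m;
}

int
main(void)
{
	const uint16_t n = 1024, m = 2000;	/* constructed range */
	const uint16_t probes[] = { 1023, 1024, 1025, 1999, 2000, 2001 };

	printf("port   1024><2000  1024<>2000  old GL\n");
	for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		printf("%5u  %-10d  %-10d  %d\n", probes[i],
		    port_match(PF_OP_IRG, n, m, probes[i]),
		    port_match(PF_OP_XRG, n, m, probes[i]),
		    port_match_old_gl(n, m, probes[i]));
	return 0;
}
```

The table the program prints makes the point of the commit visible: with the old operator, 1024 and 2000 themselves matched a '1024 >< 2000' rule, so a rule meant to cover only the ports between them also covered its endpoints.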


# 1.14 18-Jul-2001 markus

new ERROR token, errx() -> warnx() + ERROR; ok deraadt@


# 1.13 18-Jul-2001 markus

KNF for return


# 1.12 18-Jul-2001 mickey

check number range to fit in 32 bits


# 1.11 18-Jul-2001 mickey

put range checks on NUMBER, pointed out by deraadt


# 1.10 17-Jul-2001 mickey

spaces, parens, err instead of errx+strerror


# 1.9 17-Jul-2001 markus

warnx()/YYERROR instead of errx(); suggested by mickey@


# 1.8 17-Jul-2001 provos

markus doesn't like min-ttl =, begone


# 1.7 17-Jul-2001 provos

support min-ttl, okay dhartmei@


# 1.6 17-Jul-2001 provos

normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@


# 1.5 17-Jul-2001 marc

bitch about ! in pf rule; ok dhartmei@ and markus@


# 1.4 17-Jul-2001 millert

Only set default proto in the rdr case; markus@ OK


# 1.3 16-Jul-2001 markus

errx() if getservbyname() fails


# 1.2 16-Jul-2001 markus

better flags parsing; dhartmei


# 1.1 16-Jul-2001 markus

add a yacc parser for pf.conf and nat.conf, with help from mickey@,
plus: -n now turns off all operations, and just parses the conf files
ok deraadt@


# 1.688 15-Nov-2018 dlg

scrub opts don't set tos, so remove it from the scrub_opts struct

ok deraadt@


# 1.687 10-Nov-2018 kn

Unbreak `-D macro=value' (r1.686 regression)

Zap trailing semicolon introduced with miko's cmdline_symset() leading to
unconditional err(3). Zap trailing tab while here.


# 1.686 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.685 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.684 16-Sep-2018 millert

Use uid_from_user(3) and gid_from_group(3) in utilities that
do repeated lookups. OK tb@


# 1.683 06-Sep-2018 kn

Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan


# 1.682 16-Jul-2018 kn

reduce duplicate code, fix typo/free correct buffer

In filteropts_to_rule():

* Merge `once' handling from `anchorrule' and `pfrule'
* Remove/shorten duplicate code block
* Fix typo I introduced with r1.678 that frees the wrong buffer (twice)

OK sashan


# 1.681 13-Jul-2018 kn

Fix regression on child queue definitions

I committed the wrong diff in 1.680 which turned `queue cq parent pq ...'
into invalid syntax by changing `interface' to `ON if_item'.

Found by bket, thanks!


# 1.680 11-Jul-2018 kn

Prevent invalid interface specifiers on queue rules

pf.conf(5) states that queues attach to actual interfaces only, yet the
following parses:

# echo queue eq on egress bandwidth 1G default | pfctl -f-
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

# echo queue rq on rdomain 0 bandwidth 1G default | pfctl -vf-
queue rq bandwidth 1G default
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

On rdomains, ifa_exists() returns NULL.
On interface groups, ifa_exists() returns non-NULL but af is never set
to AF_LINK.

OK henning sashan


# 1.679 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.678 10-Jul-2018 henning

'set delay' for the generic packet delay mechanism, ok benno sashan


# 1.677 10-Jul-2018 kn

fix anchor rules with filter opts, introduce filteropts_to_rule()

Some filter options were parsed but not set on anchor rules due to missing
copies of the respective struct members:

$ cat pf.conf
queue rq on trunk0 bandwidth 1G
queue dq parent rq bandwidth 1G default
anchor a set queue dq
$ pfctl -vnf pf.conf | fgrep queue
anchor "a" all

Fix this by moving common code from `anchorrule' and `pfrule' into a new
helper filteropts_to_rule().

Input from henning and benno
OK henning sashan jca


# 1.676 09-Jul-2018 kn

Zap dead code

Commented since r1.465 (2004).

OK deraadt benno jca sashan


# 1.675 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.674 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.673 18-May-2018 benno

A pf rule with a "on rdomain n" with nonexisting rdomain n will cause an

pfctl: DIOCADDRULE: Device busy

error when loading the ruleset, with no information which rule caused
the problem and no indication that the problem is the rdomain
<nonexisting>.

This diff makes pfctl check if the rdomain really exists when parsing
the config.

ok bluhm@


# 1.672 09-May-2018 otto

Fix (include file ) line number counting by keeping track of the unget
buffer per file; also use that buffer to expand macros.
ok sashan@ dennis@ krw@


# 1.671 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.670 08-Feb-2018 henning

make the watermarks/thresholds for entering and leaving syncookie mode when
syncookies are set to adaptive tunable, ok claudio benno


# 1.669 06-Feb-2018 henning

allow control over syncookies: set syncookies never/always/adaptive


# 1.668 28-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@


# 1.667 27-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Convert the pfctl(8) rule parser to divert types, kernel cleanup
will be the next step.
OK sashan@


# 1.666 25-Nov-2017 sashan

- pfctl fails to handle nested 'load anchor' properly
[ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]

OK bluhm@


# 1.665 14-Nov-2017 sashan

- nested anchors vs. pfctl/parse.y
bug reported and fix tested by Leonardo Guardati

OK bluhm@


# 1.664 13-Nov-2017 henning

add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb


Revision tags: OPENBSD_6_2_BASE
# 1.663 11-Aug-2017 benno

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@


# 1.662 19-Jul-2017 mikeb

Allow HFSC classes to use flow queues

The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue. Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.

Discussed with and OK henning@ at d2k17 as a part of a larger diff.


# 1.661 19-Jul-2017 mikeb

Rework HFSC vs FQ-CoDel checks

The selection mechanism introduced in pf_ioctl.c -r1.316 suffers
from being too ambiguous and lacks robustness. Instead of relying
on composition of multiple flags in the queue specification, it's
easier to identify the root class (if it exists) and derive all
further checks from it.


# 1.660 28-May-2017 akfaew

Don't check np->port for NULL - it's an array, it's never NULL.

OK bluhm@


# 1.659 15-May-2017 mikeb

Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)

OK sthen, visa


# 1.658 28-Apr-2017 mikeb

Remove double assignments


Revision tags: OPENBSD_6_1_BASE
# 1.657 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.656 23-Nov-2016 bluhm

Explicitly forbid to combine af-to with route-to in pfctl. The
parser cannot handle that correctly and it is unclear whether the
kernel code would work. Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@


# 1.655 26-Aug-2016 guenther

Add <time.h> for time(); sort <*.h> includes

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.654 18-Jul-2016 henning

g/c unused (global!) var: oqueues isn't used any more. ALTQ leftover; not
noticed since struct node_queue stayed. ok claudio benno gcc


# 1.653 22-Jun-2016 kettenis

Add curly braces that were missed in rev 1.651. Add parenthesis to make the
condition in the if statement more readable while I'm there.

ok phessler@, benno@, florian@


# 1.652 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.651 21-Jun-2016 benno

the manpage documents that af-to does not work on pass out rules, but
the pf.conf parser allows it, which leads to a non-working configuration
being loaded.
this changes the parser to make pass out .. af-to an error.

ok henning@ mikeb@


# 1.650 16-Jun-2016 henning

allow include in inline anchors
with this,
anchor foo {
include "/path/to/rules"
}
works and "load anchor" is obsolete, to be removed somewhen later after
release.
co-production with reyk at bsdcan, ok reyk mikeb benno sasha


Revision tags: OPENBSD_5_9_BASE
# 1.649 01-Sep-2015 sashan

- route-to, dup-to, reply-to should not override the block action

Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>

ok jung@, ok mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.648 21-Apr-2015 mikeb

Improve divert-to specification parsing w.r.t. rule address family.
ok henning


Revision tags: OPENBSD_5_7_BASE
# 1.647 26-Feb-2015 sthen

%% not % in error message; ok millert@ henning@


# 1.646 14-Feb-2015 sthen

Rather than using 0xff as a placeholder for "don't check prio", use 0xff to
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.

Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesn't like it he can change it when he recovers from jet-lag"


# 1.645 10-Feb-2015 henning

since we inherit prio (as in, the queuing priority) from outside sources,
i. e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan


# 1.644 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.643 19-Dec-2014 reyk

Support source-hash and random with tables and dynifs; not just pools.
This finally allows to use source-hash for dynamic loadbalancing, eg.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.

An older pre-siphash version of this diff was tested by many people.

OK tedu@ benno@


# 1.642 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.641 27-Oct-2014 mikeb

Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic. Reported by sthen@;
ok henning benno sthen


# 1.640 25-Oct-2014 lteo

Remove unnecessary netinet/in_systm.h include.

ok millert@


# 1.639 13-Sep-2014 doug

Replace all queue *_END macro calls except CIRCLEQ_END with NULL.

CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.

ok millert@


# 1.638 23-Aug-2014 pelikan

when you specify queues in a rule, make sure they have been defined.

DIOCADDRULE EBUSY turns into an error message that pfctl -n catches.
DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported
to occur, possibly from hfsc.c: this should be fixed as well.

ok henning mikeb sthen


# 1.637 21-Aug-2014 mikeb

deny "once" flags for match rules; ok henning


Revision tags: OPENBSD_5_6_BASE
# 1.636 02-Jul-2014 mikeb

branches: 1.636.4;
condition above makes this part of the check useless;
overlooked in the previous commit


# 1.635 30-Jun-2014 mikeb

Merge two loops in collapse_redirspec into one

This lets us do the checks only once and also make smarter decisions
about the rule's own address family. As a result af-to rules no longer
need to specify the address family after 'pass'.

ok henning


# 1.634 25-Jun-2014 mikeb

Make stricter decisions when handling translation specifications.

In particular, disallow specifications containing addresses of
different address families when rule doesn't specify one, for
example "pass out nat-to { ::1 1.1.1.1 }" will now produce an
error instead of silently picking one of the addresses.

sthen and deraadt agree


# 1.633 17-May-2014 bluhm

When parsing a numerical value for the TOS bits, make sure that it
is in a valid range.
OK henning@


# 1.632 19-Apr-2014 henning

remove altq bits here, too
(i was convinced i committed that yesterday already, hrm)


Revision tags: OPENBSD_5_5_BASE
# 1.631 22-Jan-2014 henning

branches: 1.631.4;
relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.630 21-Jan-2014 henning

if_item can be "any" now.
allows things like
block out on $someif received-on any
to prevent packets to get forwarded to $someif


# 1.629 20-Jan-2014 henning

support "!received-on <interface>", ok dlg benno


# 1.628 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.627 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


# 1.626 17-Oct-2013 henning

cannot have queue definitions inside anchors.
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@@ring0.de>, analysis & fix yours truly


# 1.625 12-Oct-2013 henning

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen


# 1.624 01-Aug-2013 mikeb

Provide local implementations of if_nametoindex(3) and if_indextoname(3)
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance wise this change provides a speed up
factor of 20 with a 11k line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).

"wow!" henning, ok benno, florian


Revision tags: OPENBSD_5_4_BASE
# 1.623 01-Jun-2013 henning

branches: 1.623.2;
remove set-tos backwards compat, moved into the set {} block a year ago
ok ryan


# 1.622 02-Mar-2013 sthen

When a PF rule contains 'set tos' *followed by* a scrub option, the tos
value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning


Revision tags: OPENBSD_5_3_BASE
# 1.621 16-Jan-2013 henning

for consistency with prio etc, the queue assignment really belongs
into the set block. so make pfctl accept, print and the manpage document
. match set queue foo
instead of
. match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc


# 1.620 18-Oct-2012 reyk

Disallow tables and interface address pools for rdr-to, nat-to and
route-to with any other scheduling algorithms than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, eg. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.

Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.

ok zinke@


# 1.619 18-Sep-2012 henning

prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb


Revision tags: OPENBSD_5_2_BASE
# 1.618 10-Jul-2012 bluhm

Allow an implicit address family for af-to rules. If the address
family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6"
there.
OK henning@ mikeb@


# 1.617 10-Jul-2012 henning

set { ... } -> set ( ... )
brought up by ryan, discussed with him and theo and they convinced me


# 1.616 09-Jul-2012 henning

fix some of the confusion we have in pf regarding filter criteria vs
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler


# 1.615 07-Jul-2012 henning

remove incorrect check in pfctl preventing set-tos for ipvshit.
the kernel has code to deal with set-tos and that crap. don't ask for
details. stuart ok


# 1.614 07-Jul-2012 henning

rename prio in struct pf_rule and related structs to set_prio so it is
utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc


Revision tags: OPENBSD_5_1_BASE
# 1.613 19-Dec-2011 mikeb

unbreak rule optimizer; ok henning, looks


# 1.612 12-Dec-2011 mikeb

fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault


# 1.611 03-Dec-2011 mcbride

pfctl_set_hostid always returns 0; don't pretend otherwise and make it a
void function instead.

ok dlg


# 1.610 13-Oct-2011 claudio

pfctl change for af-to / NAT64 support.
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@


# 1.609 07-Sep-2011 haesbaert

Avoid possible SIGSEGV with a wrong tos option.


# 1.608 30-Aug-2011 mikeb

One shot rules can be used in pf.conf by specifying a "once" filter option.

ok henning, mcbride


Revision tags: OPENBSD_5_0_BASE
# 1.607 29-Jul-2011 mcbride

Remove requirement to quote 'debug' loglevel for the 'debug' option.

ok henning


# 1.606 27-Jul-2011 mcbride

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt


# 1.605 13-Jul-2011 mcbride

Force user to specify protocol when filtering on user, gid, and os
attributes (this is now required by pf_rule_test()).

ok sthen henning


# 1.604 08-Jul-2011 henning

allow rules to specify "prio X" or "prio (X, Y)" to assign priority levels
for the new priority queueing implementation. valid range is 0 to 7. the old
trick for prioritizing empty ACKs etc remains thru the latter notation
ok ryan mpf sthen plus pea testing and halex and claudio reading


# 1.603 07-Jul-2011 mcbride

Fold pf_test_fragment() into pf_test_rule(), reduce code and fixes
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus


# 1.602 04-Jul-2011 henning

bye bye require-order.
i added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo


# 1.601 03-Jul-2011 henning

g/c RIO traces (aka clean up after tedu :))


# 1.600 03-Jul-2011 zinke

bring in least-states load balancing algorithm

ok mcbride@ henning@


# 1.599 06-Apr-2011 claudio

Userland bits to allow PF to filter on the rdomain a packet belongs to.
This allows to write rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@


# 1.598 05-Apr-2011 mikeb

ditch fastroute, an ipf feature that made its way into pf before
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do. reuse some kernel bits for the upcoming nat64
stuff. "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.


Revision tags: OPENBSD_4_9_BASE
# 1.597 31-Dec-2010 bluhm

According to pf_scrub_ip6() pf does not support the scrub options
no-df, random-id, set-tos for IPv6 rules. Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@


# 1.596 15-Dec-2010 henning

make the "invalid probability:" yyerror suck less
From: Thomas Pfaff <tpfaff@tp76.info>


# 1.595 01-Dec-2010 jsg

remove some unused tokens
ok henning@ mcbride@


# 1.594 24-Sep-2010 henning

remove the check that enforced rdr-to only inbound and nat-to only outbound.
both now can be used in both directions. the kernel allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given, a rule with rdr-to and/or nat-to
and no direction is pretty certainly an error (though it would work,
technically)
ok ryan claudio dlg


# 1.593 22-Sep-2010 henning

new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually


# 1.592 02-Sep-2010 sobrado

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@


Revision tags: OPENBSD_4_8_BASE
# 1.591 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.590 03-Jul-2010 mcbride

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.

tested by phessler
ok henning


# 1.589 23-Mar-2010 henning

remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving anchors aside) is wrong and
conflicts with the general idea of how pf works. last but not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc


Revision tags: OPENBSD_4_7_BASE
# 1.588 13-Jan-2010 deraadt

Move tokens before productions into more consistent places
ok mcbride


# 1.587 13-Jan-2010 mcbride

Allow /netmask notation in redir spec, fix the rest of the regress
tests for illegal conditions in translation/routing.


# 1.586 12-Jan-2010 mcbride

We actually have to keep the translate/route spec addresses around after
collapsing into tables, so that we can handle all possible address family
expansions.


# 1.585 12-Jan-2010 mcbride

Set roundrobin flag correctly, and don't treat a bare interface
like a dynamic one in the routespec.


# 1.584 12-Jan-2010 mcbride

Add restrictions to make @if illegal outside of routing specs;
Fix binat-to sanity checks.


# 1.583 12-Jan-2010 mcbride

Fix some issues in redir spec handling, discovered thanks to dlg testing
- purge irrelevant addresses from the lists before collapsing
- ensure the lists are freed after they're collapsed
- more careful ifname copying, avoiding double-free / use-after-free traps


# 1.582 12-Jan-2010 mcbride

Don't leak @if0 format routing host names, pointed out by claudio.


# 1.581 12-Jan-2010 mcbride

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio


# 1.580 10-Jan-2010 deraadt

lex <=, >=, and != into a single token for correctness and to reduce the
lookahead in the parser
ok henning otto


# 1.579 10-Jan-2010 deraadt

In the non-optimized case, an address list containing "any" (ie. { any 10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1. How long this bug has
been with us is unclear.
ok guenther mcbride


# 1.578 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


# 1.577 24-Dec-2009 dlg

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:

pass out on em0 from $foo to $bar received-on fxp0

I've been running this in production for a week now. I find it particularly
useful with interface groups.

no objections, and a few "i like"s from henning, claudio, deraadt, mpf


# 1.576 10-Dec-2009 deraadt

plug some memory leaks; found by parfait, ok henning


# 1.575 22-Nov-2009 henning

cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing


# 1.574 09-Nov-2009 jsg

A few more places to be updated for the route pool change.
expanded version of a diff from Vadim Zhukov.

ok henning@ claudio@


# 1.573 28-Oct-2009 jsg

Add a dedicated pf pool for route options as suggested by henning,
which unbreaks ie route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@


# 1.572 28-Oct-2009 claudio

route_host initializes the netmask to a /128 no matter what af is used so
that the load balancing code does not freak out but because of this
check_netmask() is now complaining. So set the addr.type to PF_ADDR_DYNIFTL
so check_netmask() is fixing up the netmask for IPv4 and stops complaining.
This is a partial fix for the failing regress test 13.
found with jsg, looks good henning


# 1.571 28-Oct-2009 claudio

Correct function name in err and errx.


# 1.570 04-Oct-2009 michele

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@, who spotted the limitations of this approach.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@


# 1.569 08-Sep-2009 michele

I had not enough oks to commit this diff.
Sorry.


# 1.568 08-Sep-2009 michele

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.


# 1.567 07-Sep-2009 reyk

implement binat-to as a macro-like rule: a rule using the new binat-to
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. this simplifies the migration from old
binat rules and is less error-prone.

feedback from many, manpage bits from jmc@
ok henning@


# 1.566 03-Sep-2009 reyk

this time i commit the right diff that was
ok henning@ (sorry)


# 1.565 03-Sep-2009 reyk

fix two route-to vs. rdr-to conflicts.

found by sthen@
ok henning@


# 1.564 02-Sep-2009 reyk

all the new *-to options are part of the "filteropts" section at the
end of a pf rule (nat-to, divert-to, rdr-to, ...). take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.

for example,
pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)

many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@


# 1.563 01-Sep-2009 henning

the diff theo calls me insanae for:
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too


# 1.562 28-Jul-2009 claudio

Bring back rev. 1.560:
Make it possible to use DiffServ Code Point in the TOS fields.
Requested by deraadt@


# 1.561 27-Jul-2009 deraadt

When will people learn to commit their .h file changes?


# 1.560 27-Jul-2009 claudio

Make it possible to use DiffServ Code Point in the TOS fields. Names like
af11, cs6 and ef will now be mapped to the corresponding TOS value.
OK henning@, sthen@, mcbride@


Revision tags: OPENBSD_4_6_BASE
# 1.559 14-May-2009 sthen

actually change the require-order default to No; I missed a part with
my last commit. ok deraadt@


# 1.558 26-Apr-2009 sthen

switch the require-order default to "no". regression tests still pass.
ok henning@ deraadt@


# 1.557 25-Apr-2009 henning

scrub_opts must not be empty, scrub on its own does nothing.
noticed due to a question from otto@, ok regress/sbin/pfctl/ ;)


# 1.556 06-Apr-2009 henning

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.
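
The match-rule semantics described in the message above, as an added example that is not part of this page nor of pf/pfctl: a small Python model of one walk over a ruleset, with a constructed ruleset and constructed packets. It assumes pf's default of passing a packet that matches no rule at all, and models only the pass/block decision, quick, queue, rtable and log; state, scrub options and everything else are left out.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# A packet is modelled as a plain dict of header fields, e.g. {"src": "192.0.2.10", "dport": 80}.
Packet = dict


@dataclass
class Rule:
    action: str                                         # "pass", "block" or "match"
    cond: Callable[[Packet], bool] = lambda p: True     # filter criteria; default matches every packet
    queue: Optional[str] = None                         # "queue" assignment, None if the rule sets none
    rtable: Optional[int] = None                        # "rtable" assignment, None if the rule sets none
    log: bool = False                                   # "log" option
    quick: bool = False                                 # "quick" (only honoured on pass/block here)
    text: str = ""                                      # pf.conf-like rendering, for readable traces


@dataclass
class Verdict:
    action: str = "pass"        # pf passes a packet that matches no rule at all
    queue: Optional[str] = None
    rtable: Optional[int] = None
    log_count: int = 0          # how many matching rules logged the packet
    matched: list = field(default_factory=list)


def evaluate(rules: list, pkt: Packet) -> Verdict:
    """One pass over the ruleset with the semantics the commit message states.

    - "match" rules never change the pass/block decision, but each time one
      matches its queue/rtable/log options are applied.
    - "pass"/"block" rules set the decision; the last matching one wins,
      unless an earlier matching one carried "quick".
    - The last rule that sets a queue (or rtable) wins, whatever its action,
      so a match rule's queue survives a later pass rule that sets none.
    - Every matching rule with "log" logs the packet, so one packet can be
      logged several times.
    """
    v = Verdict()
    for r in rules:
        if not r.cond(pkt):
            continue
        v.matched.append(r.text or r.action)
        if r.queue is not None:
            v.queue = r.queue
        if r.rtable is not None:
            v.rtable = r.rtable
        if r.log:
            v.log_count += 1
        if r.action in ("pass", "block"):
            v.action = r.action
            if r.quick:
                break
    return v


def build_ruleset() -> list:
    """Constructed ruleset (not from any real pf.conf) exercising the cases above."""
    from_testbox = lambda p: p.get("src") == "192.0.2.10"
    to_http = lambda p: p.get("dport") == 80
    return [
        Rule("match", cond=from_testbox, log=True, text="match log from $testbox"),
        Rule("match", cond=to_http, queue="web", text="match to port 80 queue web"),
        Rule("block", text="block all"),
        Rule("pass", cond=to_http, log=True, text="pass to port 80 log"),
        Rule("match", cond=from_testbox, rtable=1, text="match from $testbox rtable 1"),
    ]


if __name__ == "__main__":
    for pkt in ({"src": "192.0.2.10", "dport": 80},
                {"src": "192.0.2.10", "dport": 22},
                {"src": "198.51.100.7", "dport": 22}):
        v = evaluate(build_ruleset(), pkt)
        print(pkt, "->", v.action, "queue", v.queue, "rtable", v.rtable,
              "logged", v.log_count, "times; matched:", v.matched)
```

The first packet shows the point the message makes about queues: the "pass to port 80 log" rule sets no queue, yet the packet keeps the "web" queue assigned by the earlier match rule, and it is logged twice (once by each logging rule that matched). The second packet shows that a match rule after "block all" leaves the packet blocked while still applying its rtable.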


Revision tags: OPENBSD_4_5_BASE
# 1.555 19-Feb-2009 deraadt

spacing


# 1.554 17-Oct-2008 henning

in findeol(), do not skip the pushback buffer. fixes PR 5952 by sthen@ and
should make the pushback buffer really transparent.
diagnosis by me, fix with mpf, some input deraadt, ok mpf


# 1.553 02-Oct-2008 henning

implement "set state-defaults X", where X is a list of state options as
permitted keep state(X). applies to all rules which do not have keep state
explicitly. e. g. "set state-defaults pflow, no-sync"
ok phessler deraadt


# 1.552 10-Sep-2008 deraadt

do not try to print $$ when it has not been set


# 1.551 09-Sep-2008 henning

welcome pflow(4), a netflow v5 compatible flow export interface.
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo


# 1.550 07-Aug-2008 henning

correctly copy the log interface spec when expanding an antispoof rule that
covers loopback addresses. ok ryan
problem report from Harald Dunkel <harald.dunkel@aixigo.de>


Revision tags: OPENBSD_4_4_BASE
# 1.549 03-Jul-2008 deraadt

do not forget to initialize other member of $$ in qname; noted by mark shroyer
ok henning


# 1.548 10-Jun-2008 mcbride

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt


# 1.547 10-Jun-2008 henning

new state option "sloppy" to use the sloppy tcp state tracker instead
of the good one. ok theo ryan reyk


# 1.546 09-May-2008 deraadt

Replace a crockpot of semi-cloned productions for handling port
numbers with one, and fix a few other bugs along the way
ok mpf henning


# 1.545 09-May-2008 markus

convert port byte order in the production; add port keyword; ok deraadt@


# 1.544 09-May-2008 markus

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@


# 1.543 08-May-2008 deraadt

make "to any" optional in binat, or well, the implied default.
requested by reyk, ok reyk mpf


# 1.542 08-May-2008 deraadt

Loosen grammar to permit any number of newlines within most kinds of { }
blocks, as requested by reyk; ok reyk mpf henning


# 1.541 08-May-2008 deraadt

Bring back (in a more yacc friendly way) support for setting variables
to a sequence of strings and numbers, which get folded together into one
string (and later, when used, is re-lexed)
ok mpf


# 1.540 07-May-2008 deraadt

do not assume PF_INOUT is 0 in the enum; ok mcbride


# 1.539 07-May-2008 markus

scrub packets based on tags; ok henning


# 1.538 07-May-2008 markus

allow setting TOS with scrub; ok mcbride, claudio


# 1.537 21-Apr-2008 deraadt

optnl is a crutch for those who do not understand yacc. it
leads to a variety of errors; ok mcbride


Revision tags: OPENBSD_4_3_BASE
# 1.536 01-Feb-2008 mcbride

Enable the rest of the filter_opts to be used on anchors. These were accepted
by the parser but not passed to the kernel. This allows filtering based on
uid, gid, icmp options, tcp flags, os fingerprint, tos, tags, and probability;
It also allows the label to be set. State options and tagging are not
permitted.

ok henning mpf


# 1.535 13-Nov-2007 mpf

Bring back the number converter for 'set hostid'.
I forgot to think about hex numbers when I removed it.
OK deraadt@


# 1.534 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.533 25-Oct-2007 mpf

Fix probability rules w/ numbers (e.g. probability 0.4).
Add support for probabilities of 0% and 100%.
With and OK deraadt@
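
Added example (not pfctl code) modelling the probability handling touched by this commit and by 1.596 above (the "invalid probability:" yyerror): parse 0.4 or 40%, range-check it, and scale it to the 32-bit value stored in the rule. Assumptions, labelled in the code as well: the rule stores a 32-bit threshold that the kernel compares against a random draw, 0 meaning the option is unset, so a literal 0% is stored as 1; the rounding is floor(p * UINT_MAX + 0.5).

```python
import math
from typing import Optional

UINT_MAX = 0xFFFFFFFF   # width of the threshold field in the rule (assumption)


def parse_probability(text: str) -> float:
    """Accept '0.4' or '40%' and return a float in [0, 1]; raise ValueError otherwise.

    The error text mirrors the 'invalid probability: ...' yyerror from parse.y.
    """
    s = text.strip()
    try:
        if s.endswith("%"):
            p = float(s[:-1]) / 100.0      # percentage form
        else:
            p = float(s)                   # bare number form (1.533)
    except ValueError:
        raise ValueError(f"invalid probability: {text}") from None
    if not math.isfinite(p) or p < 0.0 or p > 1.0:
        raise ValueError(f"invalid probability: {text}")
    return p


def check_probability(text: str) -> Optional[str]:
    """yyerror-style wrapper: the message the parser would print, or None if valid."""
    try:
        parse_probability(text)
    except ValueError as e:
        return str(e)
    return None


def probability_to_rule_value(p: float) -> int:
    """Scale to the 32-bit threshold kept in the rule.

    0 is reserved for 'no probability set', so a literal 0% is stored as 1
    (assumption about pf's encoding, see the lead-in).
    """
    v = int(math.floor(p * UINT_MAX + 0.5))
    return v if v > 0 else 1


def rule_applies(rule_value: int, random_draw: int) -> bool:
    """Model of the kernel side: the rule is skipped when rule_value <= random draw.

    With rule_value == 0 the rule always applies; with 1 it applies only when the
    draw is 0, i.e. practically never; with UINT_MAX practically always.
    """
    return not (rule_value and rule_value <= random_draw)


if __name__ == "__main__":
    for arg in ("0.4", "40%", "0%", "100%", "1.5", "abc"):
        err = check_probability(arg)
        print(arg, "->", err or probability_to_rule_value(parse_probability(arg)))
```

The distinction between "0 = unset" and "0% = never" is the edge case worth keeping in mind: a ruleset that literally says probability 0% must not silently turn into a rule without a probability at all.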


# 1.532 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.531 22-Oct-2007 deraadt

pfctl does not need file secrecy


# 1.530 16-Oct-2007 mpf

Allow unquoted numbers in variables.
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.

OK deraadt@


# 1.529 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.528 13-Oct-2007 deraadt

support an include directive; file of course must also be "secure" like
the main configuration file; ok henning


# 1.527 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.526 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.525 01-Oct-2007 mpf

Backout NUMBER to string conversion.
Requested by deraadt@


# 1.524 27-Sep-2007 mpf

Add loginterface support for groups.
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.

OK henning@, markus@


# 1.523 23-Sep-2007 mpf

Allow numbers to be used as unquoted strings again.
While there, also restrict the use of concatenated, unquoted
strings for variable assignments only.

Eyeballed by markus@, OK henning@


# 1.522 12-Sep-2007 deraadt

add a missing range check for rtable ids; ok cloder henning


# 1.521 12-Sep-2007 deraadt

Add support to the lex for parsing numbers out of the stream. handle
this in the parser. because the new numbers are int64_t, many new
range checks for < 0 are needed. re-check and improve all the
existing rangechecks while at it. thanks for help by cloder and
dhartmei


# 1.520 30-Aug-2007 dhartmei

add support for address ranges ("from 10.1.2.50 - 10.1.3.75") in from/to
criteria. ok mcbride@


Revision tags: OPENBSD_4_2_BASE
# 1.519 21-Jun-2007 henning

always initialize logif, from max laier, ok ryan


# 1.518 20-Jun-2007 mpf

Allow "log" for nat rules without "pass".
OK henning@, ``passt scho'' markus@


Revision tags: OPENBSD_4_1_BASE
# 1.517 03-Feb-2007 dhartmei

in decide_address_family(), only limit a rule to a specific address family
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@


# 1.516 07-Nov-2006 mcbride

Unbreak authpf by handling non-inline anchors separately from the { } anchors
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.

ok deraadt@


# 1.515 31-Oct-2006 mcbride

Allow pfctl ruleset optimizer to be controlled from the ruleset.

"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]

You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.

cleanup and ok henning@


# 1.514 31-Oct-2006 mcbride

- don't allow anchors with _* names to be cleared or loaded from the
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified

'looks sensible' deraadt@


# 1.513 28-Oct-2006 mcbride

Load all rules into memory before loading into the kernel, and add support
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").

anchor on fxp0 {
pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@


# 1.512 25-Oct-2006 henning

make absolutely sure logif is 0 unless set specifically, even if log is 0.
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...


# 1.511 25-Oct-2006 henning

and another nit, $$.log should be set to 0 explicitly on quick without log


# 1.510 25-Oct-2006 henning

urgs, $$.quick needs to be set to 0 explicitly on log (without quick)


# 1.509 25-Oct-2006 henning

allow the log interface to be selected like
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride


# 1.508 17-Oct-2006 mcbride

Don't automatically set 'flags S/SA' on stateless rules.

pointed out by david@

ok mpf@ dhartmei@


# 1.507 11-Oct-2006 deraadt

quotes around filename, pr 5253, sthen@zephyr.spacehopper.org


# 1.506 11-Oct-2006 mcbride

Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside
the anchor, terminate ruleset evaluation when stepping out of the anchor.

This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.

ok dhartmei@ henning@ deraadt@


# 1.505 06-Oct-2006 mcbride

Oops, flags S/SA doesn't work on fragments.


# 1.504 06-Oct-2006 mcbride

Make 'flags S/SA keep state' the implicit default for filter rules, based on
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.

IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.

Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.

ok dhartmei@ deraadt@ henning@


Revision tags: OPENBSD_4_0_BASE
# 1.503 22-Aug-2006 dhartmei

back out -r1.497 (support for "tagged {}" lists), it broke "tagged" support
for nat rules. sorry, existing functionality trumps syntactic sugar. feel
free to resubmit a complete patch. closes PR 5207.


# 1.502 06-Jul-2006 henning

add "rtable" to select alternate routing tables.
with & ok claudio hshoexer


# 1.501 17-Jun-2006 henning

KNF


# 1.500 28-May-2006 mcbride

Make per-rule adaptive timeouts behave the same way as the global adaptive
timeouts.


# 1.499 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.498 02-May-2006 dhartmei

fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, create
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.


# 1.497 01-May-2006 dhartmei

add support for "tagged {}" lists, from Pierre-Yves Ritschard


# 1.496 06-Apr-2006 henning

allow lists inside lists for address specs, has been in my tree for
quite some time... theo likes


# 1.495 14-Mar-2006 djm

implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@


Revision tags: OPENBSD_3_9_BASE
# 1.494 17-Nov-2005 dhartmei

for pfctl -f rules, open the file before resetting options. when opening
the file fails, produce only the error message and leave options
unchanged. reported by Tamas TEVESZ, ok deraadt@


# 1.493 13-Oct-2005 henning

unused parameters


Revision tags: OPENBSD_3_8_BASE
# 1.492 14-Jun-2005 henning

no need to restrict tagging to stateful rules any more, dhartmei ok
From: "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.491 27-May-2005 dhartmei

get rid of 'log-all'. now that we have 'log (options)', make 'all' an
option to log. so, 'log-all' becomes 'log (all)'.


# 1.490 27-May-2005 dhartmei

get rid of shift/reduce conflicts, don't support empty logopts


# 1.489 27-May-2005 dhartmei

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v are used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.


# 1.488 27-May-2005 dhartmei

allow 'tagged' in 'anchor' rules (without complaining about missing
'keep state'), as a condition to branch into the anchor. suggested
by Bill Marquette.


# 1.487 26-May-2005 camield

The illegalness of "no nat log" is already enforced by the grammar.

ok dhartmei


# 1.486 26-May-2005 dhartmei

support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@


# 1.485 23-May-2005 camield

remove code that duplicates getservice()

ok dhartmei mcbride


# 1.484 21-May-2005 henning

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo


# 1.483 22-Apr-2005 camield

Catch bad flags, ie. flags that always evaluate to false. This happens
if there are flags on the left-hand side that are masked off by the
right-hand side.

ok mcbride@ (long time ago) dhartmei@ henning@
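
A model of the check this commit adds, together with the 'flags any' form introduced in 1.504 above: added example code written for this page, not pfctl's own parser. The accepted forms a/b, /b and any and the flag letters FSRPAUEW follow pf.conf(5); the packet-side test (pkt_flags & mask) == set is the assumption under which a flag in the set part that is missing from the mask part can never match, and always_false() confirms that by brute force over all 256 flag combinations.

```python
from typing import Optional, Tuple

# Flag letters pf.conf(5) accepts, in the order used for the bitmask below:
# FIN SYN RST PSH ACK URG ECE CWR
TCP_FLAGS = "FSRPAUEW"


def parse_flag_set(s: str) -> int:
    """'SA' -> bitmask of S and A; unknown or repeated letters are rejected."""
    mask = 0
    for ch in s:
        idx = TCP_FLAGS.find(ch)
        if idx < 0:
            raise ValueError(f"unknown tcp flag {ch!r}")
        bit = 1 << idx
        if mask & bit:
            raise ValueError(f"duplicate tcp flag {ch!r}")
        mask |= bit
    return mask


def parse_flags(spec: str) -> Tuple[int, int]:
    """Parse the argument of 'flags' into (set, mask).

    Forms, per pf.conf(5): 'a/b' (flags a must be set, out of the flags b),
    '/b' (none of b may be set) and 'any' (flag matching disabled: 0/0).
    """
    spec = spec.strip()
    if spec == "any":
        return 0, 0
    if "/" not in spec:
        raise ValueError("flags: expected a/b, /b or any")
    left, right = spec.split("/", 1)
    b1, b2 = parse_flag_set(left), parse_flag_set(right)
    if b1 == 0 and b2 == 0:
        raise ValueError("flags: empty set and mask")
    return b1, b2


def check_flags(spec: str) -> Optional[str]:
    """The 1.483 sanity check: an error string if the spec can never match, else None.

    The packet test is (pkt_flags & mask) == set.  A flag in 'set' that is not in
    'mask' is cleared before the comparison, so the equality can never hold.
    """
    b1, b2 = parse_flags(spec)
    stray = b1 & ~b2
    if stray:
        letters = "".join(ch for i, ch in enumerate(TCP_FLAGS) if stray & (1 << i))
        return f"flags always false: {letters} required but masked off"
    return None


def matches(spec: str, pkt_flags: str) -> bool:
    """Apply a flags spec to the flags of one packet, e.g. matches('S/SA', 'S')."""
    b1, b2 = parse_flags(spec)
    return (parse_flag_set(pkt_flags) & b2) == b1


def always_false(spec: str) -> bool:
    """Brute-force confirmation of check_flags(): try all 2**8 flag combinations."""
    b1, b2 = parse_flags(spec)
    return not any((f & b2) == b1 for f in range(256))


if __name__ == "__main__":
    for spec in ("S/SA", "SA/S", "S/", "/SA", "any"):
        print(f"flags {spec:5} -> {check_flags(spec) or 'ok'} (brute force: {always_false(spec)})")
```

"flags S/SA" (the default since 1.504) passes the check: a bare SYN matches, SYN+ACK does not, and unrelated flags such as PSH or URG are ignored because they are outside the mask. "flags SA/S" is the rejected case: the A in the set part is masked off, so no packet can ever satisfy it.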


Revision tags: OPENBSD_3_7_BASE
# 1.482 07-Mar-2005 henning

print unsigned long with %lu, not with %d and not with %ld.
From: Andrey Matveev <andrushock@korovino.net>


# 1.481 06-Mar-2005 henning

allow commas in the hfsc service curve spec, inconsistency pointed out in
PR4134 / geoff@collyer.net and a longer mail exchange with han boetes


# 1.480 06-Mar-2005 dhartmei

print "set skip on" with -v in such a way that the output is valid input
syntax, instead of the cryptic hex flags output.


# 1.479 27-Feb-2005 dhartmei

support 'tagged' in translation rules, non-delayed tag lookup
ok henning@, deraadt@


# 1.478 26-Feb-2005 henning

you sure get the impression the number of memory leaks in error paths
is infinite... Andrey Matveev <andrushock@korovino.net> spotted a few again!


# 1.477 07-Feb-2005 david

KNF; ok henning@


# 1.476 28-Jan-2005 dhartmei

add messages for syntax errors that caused silent failure before.
found by Peter Fraser, ok henning@


# 1.475 27-Jan-2005 dhartmei

dynamic interface names must start with a letter. catches the nonsensical
"(10.1.2.3)" that results from a simple typo like "$(ext_ip)" instead of
"$(ext_if)".


# 1.474 05-Jan-2005 mcbride

Modify pfctl behaviour so that 'set ...' options are no longer "sticky", ie.
they are reset to default values if omitted from a subsequent ruleset load.
Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set
without resetting the others, eg:
# echo "set loginterface fxp0" | pfctl -mf -

ok henning@ dhartmei@


# 1.473 29-Dec-2004 mcbride

Print 'set fingerprints' correctly when parsing verbosely.


# 1.472 23-Dec-2004 dhartmei

set rule_flag PFRULE_SRCTRACK when setting srctrack, found by camield@
using regress test pf84


# 1.471 22-Dec-2004 dhartmei

Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@


# 1.470 15-Dec-2004 henning

missing free()s; with pat


# 1.469 10-Dec-2004 henning

allow pf to filter on route labels
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan


# 1.468 08-Dec-2004 mcbride

Add "'overload' requires 'max-src-conn' or 'max-src-conn-rate'" sanity check,
fix some cut-n-paste mayhem in other related checks.


# 1.467 07-Dec-2004 dhartmei

re-commit mcbride@'s 'flush global', this time without the breakage in
pfvar.h. builds kernel and userland.


# 1.466 07-Dec-2004 deraadt

real backout


# 1.465 07-Dec-2004 deraadt

oops, incomplete backout


# 1.464 07-Dec-2004 deraadt

tree does not compile, spotted by dlg (not obvious how to fix)
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.463 07-Dec-2004 mcbride

Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.462 05-Dec-2004 dhartmei

initialize $$->tail and $$->next for MAXSRCCONNRATE


# 1.461 04-Dec-2004 mcbride

Userland support for limiting open tcp connections per source. eg:

keep state (max-src-conn 1000, max-src-conn-rate 100/10, overflow <bad> flush)

allow a maximum of 1000 open connections or 100 new connections in 10 seconds.
The addresses of offenders are added to the <bad> table which can be used in
the ruleset, and existing states from that host are flushed.

ok deraadt@ dhartmei@


# 1.460 21-Sep-2004 aaron

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok


Revision tags: OPENBSD_3_6_BASE
# 1.459 29-Jun-2004 henning

remove cedric's bogus interface name verification code.
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nice enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being bugged to regularly.
help & ok mcbride@


# 1.458 29-Jun-2004 frantzen

convert a few memcpy()s to strlcpy() so we don't copy uninitialized junk into
an interface name's slack space past the \0. will be needed for the optimizer.
ok henning@


# 1.457 26-Jun-2004 david

add back PF_INOUT, fixes reassemble tcp
ok canacar@ mcbride@


# 1.456 25-Jun-2004 deraadt

repair tree nanobreak by the nanobum


# 1.455 10-Jun-2004 dhartmei

rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
keyword in C++. ok henning@, cedric@


# 1.454 21-May-2004 dhartmei

Use '/' instead of ':' as separator for anchor path components. Note that
the parser now needs quotes around paths containing separators.
ok mcbride@


# 1.453 19-May-2004 dhartmei

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@


# 1.452 24-Apr-2004 cedric

Add "probability xxx" rule modifier. ok deraadt@


# 1.451 22-Apr-2004 henning

typo, From: Jared Yanovich <jjy2+@pitt.edu>


# 1.450 14-Apr-2004 cedric

make antispoof work with dynamic addresses. ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_5_BASE
# 1.449 20-Mar-2004 david

spelling fix; ok dhartmei@ henning@ deraadt@


# 1.448 14-Mar-2004 dhartmei

#include fixes, from Max Laier, ok beck@ henning@


# 1.447 08-Mar-2004 henning

plug 124 memory leaks
ok mcbride@ pb@ dhartmei@


# 1.446 06-Mar-2004 henning

from bgpd:
plug a memory leak in the lexer.
the issue is this code fragment from yylex():
        token = lookup(buf);
        yylval.v.string = strdup(buf);
        if (yylval.v.string == NULL)
                err(1, "yylex: strdup");
        return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.445 01-Mar-2004 dhartmei

support "tagged <name>" on anchor rules, suggested by vd@vmunix.lt,
ok henning@, cedric@


# 1.444 24-Feb-2004 mcbride

'max-src-nodes' requires 'source-track rule'. Set that automatically,
unless 'source-track global' is explicit, in which case error out. Lots of
help from cedric@.

ok cedric@ henning@


# 1.443 24-Feb-2004 cedric

fixup.


# 1.442 24-Feb-2004 mcbride

Check for 'source-track rule' with 'max-src-nodes'.

ok cedric@ henning@


# 1.441 11-Feb-2004 cedric

Fix interface clobbering for link-local addresses. Found by Pyun YongHyeon.
Fix "antispoof for foo" when foo has no addresses.
ok+help dhartmei@, ok mcbride@


# 1.440 10-Feb-2004 henning

KNF


# 1.439 10-Feb-2004 henning

fix at least the worst of Cedric "KNF is for everybody but me" Berger's fuckup


# 1.438 04-Feb-2004 mcbride

Handle rules like 'pass ... proto { tcp udp icmp } ... modulate state'

ok dhartmei@ henning@


# 1.437 03-Feb-2004 henning

fix PR 3664 / jared r r spiegel
we need to save the unexpanded tag/tagged strings before entering the
expansion loop, and at each loop, start with the unexpanded tag, so that
on subsequent loops the macros are replaced with current values and not
the values from previous loop persist
ryan theo ok


# 1.436 05-Jan-2004 henning

few off by ones in strlcpy overflow check; Patrick Latifi


# 1.435 04-Jan-2004 cedric

don't ignore "!" on "binat on !foo". ok mcbride@


# 1.434 31-Dec-2003 deraadt

spacing. note this, cedric


# 1.433 31-Dec-2003 cedric

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@


# 1.432 30-Dec-2003 henning

fix TAILQ abuse.
TAILQ_REMOVE is a no-no within a TAILQ_FOREACH loop.
also free the symbol itself after removal.
all found while hacking bgpd which incorporates pfctl's sym code (macros).

ok cedric@


# 1.431 19-Dec-2003 henning

i wrote much of these, assert my copyright


# 1.430 19-Dec-2003 deraadt

assert copyright. i rewrite much of this


# 1.429 16-Dec-2003 mcbride

Check that max-src-states and max-src-nodes are not being set to 0.


# 1.428 15-Dec-2003 henning

KNF here too


# 1.427 15-Dec-2003 mcbride

Whitespace.


# 1.426 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


# 1.425 15-Dec-2003 mcbride

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@


# 1.424 29-Nov-2003 dhartmei

allow ':' (range including boundaries) to be used wherever '><' (range
excluding boundaries) is legal. already supported by kernel, requires only
removal of three error messages. ok henning@


# 1.423 22-Nov-2003 henning

daniel stumbled over a broken regress test, and it turned out that I forgot
to commit a diff from 11/6...
do not insert the "block in on ! interface" rule for antispoof statements when
the interface in question does not have any IP address, because that then
expands to
block in on ! interface all
which is obviously bad.
niklas@ found it, dhartmei@ ok, and I think some more ppl ok I don't remember


# 1.422 14-Nov-2003 henning

allow the debuglevel to be set from pf.conf (set debug)

ok cedric@


# 1.421 08-Nov-2003 mcbride

Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.

pass in proto tcp to self flags S/SA keep state (no-sync)

ok cedric@ henning@ dhartmei@


# 1.420 06-Nov-2003 henning

and fix two err() that should be errx() while being here


# 1.419 06-Nov-2003 henning

need calloc here


# 1.418 06-Nov-2003 henning

allow the label macros to be used in tags as well.
the idea is not mine and I'd love to give credit, but I cannot find the mail
any more :-((

ok canacar@ dhartmei@


# 1.417 21-Oct-2003 itojun

don't use NULL as (int)0. henning ok


# 1.416 26-Sep-2003 cedric

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:

- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK

Ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_4_BASE
# 1.415 01-Sep-2003 henning

KNF


# 1.414 28-Aug-2003 kjell

This change is busted. what's worse, REGRESSION TESTS WOULD HAVE CAUGHT IT!
You MUST test network stack changes on BOTH BYTE-ORDERS.
Someone can fix this later, but right now I need to get the damn
firewall up. Grr.


# 1.413 26-Aug-2003 dhartmei

catch port/user/group a <>/>< b with a >= b, from mpech@


# 1.412 25-Aug-2003 dhartmei

catch return-rst ttl values > 255, from aaron@


# 1.411 24-Aug-2003 cedric

Tweaks:
- Make sure we allow only tables in round-robin pools for routing options,
same as what we do for translation rules.
- Don't reject rules like: "nat on sis0 -> <foo>" because
"no address family is given". This is perfectly valid.
ok henning@


# 1.410 22-Aug-2003 david

pf spelling police
ok dhartmei@ jmc@


# 1.409 21-Aug-2003 frantzen

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001


# 1.408 20-Aug-2003 henning

braindeadness police: catch queues which specify themselves as child... 'nuff said


# 1.407 20-Aug-2003 henning

err out nicer on errors in queue def


# 1.406 18-Aug-2003 dhartmei

catch max-mss values > 65535, report by Gregory Steuck


# 1.405 09-Aug-2003 cedric

This patch removes the restriction that tables cannot be used in routing or
redirection rules...

The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.

This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.

Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"

ok henning@ mcbride@


# 1.404 29-Jul-2003 deraadt

indent


# 1.403 19-Jul-2003 cedric

Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
instead of indirectly through struct pf_rule_addr.

Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.

Needless to say: KERNEL/USERLAND SYNC REQUIRED.

ok henning@ mcbride@


# 1.402 18-Jul-2003 cedric

Simplify handling of flags (-R, -N...). Remove PFCTL_FLAG_ALL.
ok dhartmei@


# 1.401 15-Jul-2003 cedric

Repair memory management in table parsing code.
I need vacations.
Found and verified by Pyun YongHyeon.
ok dhartmei@


# 1.400 14-Jul-2003 dhartmei

tpo


# 1.399 11-Jul-2003 cedric

Better parsing and -v support for tables:

- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and bring table definition consistent with other
parsed rules.

ok dhartmei@


# 1.398 10-Jul-2003 cedric

Fix merging of host lists.
ok dhartmei@ henning@


# 1.397 04-Jul-2003 henning

KNF after cedric (grmpf)


# 1.396 04-Jul-2003 henning

allow for a "pass" modifier on translation rules:
nat pass on $ext_if from $a to $b -> $ext_if
when the pass modifier is given, the filter ruleset is _not_ evaluated but
the packets matching this translation rule are passed unconditionally.

ok dhartmei@ cedric@ markus@


# 1.395 03-Jul-2003 cedric

Bye bye atexit(), bye bye globals...
The pfctl.c part will probably need some further improvements.
ok henning@


# 1.394 03-Jul-2003 cedric

This patch finally cleans up pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@


# 1.393 19-Jun-2003 deraadt

knf


# 1.392 18-Jun-2003 henning

change expand_label_addr() to use a switch (h->addr.type) instead of
if .. else if .. else, and handle PF_ADDR_NOROUTE as well.
inspired by a comment from cedric.


# 1.391 18-Jun-2003 henning

when expanding the $srcaddr/$dstaddr label macros and the address is actually
a table reference, don't print nonsense but the table name.
found by claudio jeker, fix by me, agreement by cedric


# 1.390 09-Jun-2003 mcbride

Attempt to resolve byte order confusion in nat code once and for all.

- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()

NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.


# 1.389 25-May-2003 henning

must not run check_netmask() before remove_invalid_hosts() - binat case had it
wrong for the redirection target.
reported by jared r r spiegel <jrrs@ice-nine.org>


# 1.388 19-May-2003 henning

reject invalid netmasks like 10.0.0.0/68, and fix up the netmask for
dynaddr rules after we know the address family

ok dhartmei@, inspired by a session with bob


# 1.387 19-May-2003 henning

all host() receivers have to test for NULL


# 1.386 19-May-2003 henning

if host() returns NULL, it is an error, so err the fuck out and don't
load bullshit


# 1.385 17-May-2003 henning

support inverse matching on tags like
block in ! tagged sometag

ok dhartmei@ pb@


# 1.384 16-May-2003 dhartmei

TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive end-
point, preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@


# 1.383 15-May-2003 henning

properly complain about too long tags


# 1.382 14-May-2003 frantzen

add scrub modifier "reassemble tcp" to turn on stateful TCP normalizations
ok henning@ dhartmei@


# 1.381 14-May-2003 henning

tagging on binat


# 1.380 14-May-2003 henning

enabled tagging on rdr rules


# 1.379 14-May-2003 henning

with tag/tagged given, only whine about missing keep state on pass rules


# 1.378 14-May-2003 frantzen

allow SCRUB rules to specify protocol again. broken sometime in the past.
okie dhartmei@, yay pb@


# 1.377 14-May-2003 henning

tags on nat rules:
nat on $ext_if all tag humppa -> $ext_if
pass out tagged humppa keep state


# 1.376 13-May-2003 henning

make sure tagging is only ever used with stateful filter rules


# 1.375 13-May-2003 henning

userland part for tagging.
it's now possible to tag packets with an arbitrary tag and filter based on
that tag later on other interfaces:
pass in quick on fxp0 keep state tag blah
pass out quick on wi0 keep state with tag blah
can be used to express trust between interfaces, to distinguish between
NATed connections and connections originating from the firewall itself
and much more

ok dhartmei@ frantzen@ pb@ mcbride@


# 1.374 11-May-2003 mcbride

Don't ntohs() the translation port for nat as it is already in host byte order.
Makes nat ... -> $ext_if port 500 rules work correctly again.

ok henning@ dhartmei@ frantzen@


# 1.373 10-May-2003 henning

support loading of anchors from within the main ruleset via
load anchor anchorname:rulesetname file /path/to/file

ok pb@ dhartmei@ cedric@


# 1.372 03-May-2003 henning

don't free() the char * carrying the rule label too early
noticed by Mathieu Sauve-Frankel <m.sauve at secureops.net> via silc


# 1.371 01-May-2003 henning

ease label handling

ok cedric@


# 1.370 01-May-2003 henning

allow label on antispoof; requested by Gregor Binder <gbinder at sysfive.com>

ok cedric@


# 1.369 30-Apr-2003 cedric

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@


# 1.368 25-Apr-2003 dhartmei

Properly copy the second part of nat proxy port range, when specified.
ok henning@


# 1.367 15-Apr-2003 henning

pass down the unparsed queue opts (struct node_queue_opt) to
print_altq/print_hfsc -> print_hfsc_opts and extract struct node_hfsc_sc
there for each service curve and pass those down to print_hfsc_sc. now
bandwidth specifications in the service curves are printed correctly in the
case of a queue belonging to more than one interface/parent queue, the
parent queues having different bandwidths and the bandwidth on the service
curve being specified in percent.


# 1.366 14-Apr-2003 henning

let print_altq and print_queue take a struct node_queue_bw parameter instead
of distinct bw_percent


# 1.365 13-Apr-2003 henning

KNF


# 1.364 13-Apr-2003 henning

prevent double service curve specification


# 1.363 13-Apr-2003 henning

add support for the HFSC linkshare, realtime, and upperlimit service curves
to be specified.


# 1.362 13-Apr-2003 dhartmei

unbreak (missing })


# 1.361 13-Apr-2003 henning

say bye bye to hfscflags_list and hfscflags_item
welcome hfscopts_list and hfscopts_item, returning a full struct
node_hfsc_opt instead of just an int for the flags. needed because of all
the opts hfsc knows


# 1.360 13-Apr-2003 henning

new struct node_hfsc_opts for, surprise, hfsc options. needed because they
contain bandwidth specifications and we need to carry the unprocessed bw
specs around for quite some time until we can break them down to absolute
values.


# 1.359 13-Apr-2003 henning

pass down the struct node_queue_opts from the altqif/queuespec yacc targets
to expand_altq/expand_queue -> eval_pfaltq/eval_pfqueue and
further down to the new eval_queue_opts() instead of evaluating them directly
in the yacc grammar.
this will be needed to process the hfsc options which can contain relative
bandwidth specifications, and we can't break them down to an absolute one
earlier.


# 1.358 13-Apr-2003 henning

move the structs node_queue_bw and node_queue_opt to pfctl_parser.h.
let eval_pfqueue() and eval_pfaltq() take a pointer to a struct
node_queue_bw instead of two distinct bw_absolute and bw_percent parameters.


# 1.357 13-Apr-2003 henning

move the bandwidth keyword from within the bandwidth target up to the
queue_opts target so the bandwidth parser can be used for other things too;
will be needed for hfsc's linkshare etc


# 1.356 12-Apr-2003 henning

initial support for the HFSC scheduler.
whoever uses that for more than toying around is on drugs. it's far from done.


# 1.355 11-Apr-2003 henning

KNF


# 1.354 11-Apr-2003 henning

don't set r->qid and r->pqid in expand_rule any more, queue name -> queue ID
mapping is done in kernel land now


# 1.353 07-Apr-2003 dhartmei

Catch and refuse invalid icmp codes (> 255). ok pb@, mpech@.


# 1.352 05-Apr-2003 henning

ease netmask handling a bit

input theo, ok dhartmei@


# 1.351 05-Apr-2003 henning

allow queue specs to be limited to certain interfaces.

altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two }
queue one priority 1 priq(default)
queue two on $if0 priority 15
queue two on ! $if0 priority 0

ok dhartmei@


# 1.350 05-Apr-2003 henning

whitespace KNF


# 1.349 04-Apr-2003 henning

clean up:
instead of letting the lexer interpret '<' '>' '=' '>=' '<=' and return them
as PF_OP_LT, PF_OP_GT etc etc etc in PORTUNARY, just let the lexer return
'<' '>' and '=' literally, and in the few cases where the old PORTUNARY was
really used like originally intended, replace that by a new unaryop yacc
target. in all other cases that gets rid of quite some checks whether PORTUNARY
is really < and nothing else etc etc etc.

ok cedric@ deraadt@


# 1.348 27-Mar-2003 henning

lotsa const char *
from David Hill <david at phobia.ms> a while ago


# 1.347 27-Mar-2003 henning

introduce a "yesno" target. eases code a bit and yes is no keyword any more.


# 1.346 27-Mar-2003 henning

handle invalid priq/cbq flags better and give a nice error message


# 1.345 27-Mar-2003 henning

default, borrow, ecn, red and rio are no keywords any more. use STRING and
strcmp instead.


# 1.344 27-Mar-2003 henning

switch symset/symget to TAILQ instead of using hand baked lists

ok dhartmei@ cedric@


Revision tags: OPENBSD_3_3_BASE
# 1.343 19-Mar-2003 henning

branches: 1.343.2;
kill the address token and move the host() invocation up to the host token,
so that host() always gets the full address to be parsed including the
netmask instead of applying the netmask afterwards. this could break some
edge cases and was broken since the (interface)/24 fix.
new token dynaddr for, well, dynaddr, and apply an eventually given netmask
afterwards in the host token just in this case.

found after bug report From: Julien Bordet <zejames@greyhats.org> via dhartmei

ok daniel cedric


# 1.342 10-Mar-2003 henning

correctly cope with errors returned by eval_pfqueue and pfctl_add_altq

ok dhartmei@ pb@ (as part of... you know, monsterdiff)


# 1.341 10-Mar-2003 henning

when complaining about a queue without parent, include the queue name in
the error message

ok dhartmei@ pb@ (as part of a monsterdiff)


# 1.340 09-Mar-2003 henning

cope with LOOP_THROUGH modifying the list (queues).
in case of an error in the queue def in question the queues list remains
unmodified, but the LOOP_THROUGH caused a mod anyway, and the list can stay
empty. subsequent checks for NULL which check for an empty list fail then.
fix by adding an explicit check before looping.
fixes regress pfail31
error report by Kamil Andrusz via pb@, testcase from pb@
ok dhartmei@


# 1.339 09-Mar-2003 henning

cope with the fact that LOOP_THROUGH loops once even if the list is empty by
moving the addition of child queues a bit down after the successful
addition of the current queue and an explicit NULL check before looping.
fixes regress pf59
found by kjc@
ok kjc@ cedric@ dhartmei@


# 1.338 08-Mar-2003 henning

fix the obvious:
since we do not modify the struct pf_altq *a any more but our private copy,
we can of course not inherit the scheduler type from it, since it did not
inherit the scheduler type from the parent.
so just inherit the scheduler type from the parent directly...

ok dhartmei@ cedric@


# 1.337 08-Mar-2003 henning

in expand_queue, make a private copy of the struct pf_altq before modifying
it. modifying the original one had undesired side effects if a queue was
expanded to more than one because it belonged to more than one interface

ok pb@ cedric@ dhartmei@


# 1.336 06-Mar-2003 henning

fix queue assignment on filter rules which are not bound to an interface.
when looking up the queue IDs using qname_to_qid, we do not need to limit
the matching on the interface in question, as it is guaranteed that same
named queues on different interfaces have the same queue id. moreover, we
must not limit the matches to the interface if we do not have an interface
given on the filter rule to match on ;-)

found after problems reported by Andre Nathan <andre at v2r dot com dot br>

ok dhartmei@ pb@ cedric@


# 1.335 02-Mar-2003 henning

when printing queues at load time that have bandwidth specified in percent,
print the bandwidth in percent instead of the calculated absolute value.
if a queue belongs to more than one interface and they have different
bandwidth the calculated absolute is of course different per interface.
previously the first calculated absolute value was shown; what of course is
incorrect on the second interface. note that only the print was wrong, the
correct values were passed to the kernel.

ok theo daniel


# 1.334 02-Mar-2003 henning

remove the control keyword for cbq queues.
the control class was a legacy of the original CBQ design by LBL/Sun
to support RSVP.
the control class is not used in openbsd, in the sense that
we don't automatically set filters for ICMP/IGMP/RSVP for the control
class.

ok dhartmei@ kjc@ deraadt@


# 1.333 27-Feb-2003 david

modify error message to match the same 7 sections in pf.conf(5)
ok deraadt@ henning@


# 1.332 26-Feb-2003 henning

in expand_rule, correctly set r->pqid if a priority queue was defined, and
reuse the value of r->qid if not.

ok dhartmei@ mcbride@


# 1.331 25-Feb-2003 henning

some minor KNF my fingers just did...

ok dhartmei@ cedric@


# 1.330 25-Feb-2003 cedric

repair/simplify/flexify binat userland.
ok dhartmei@ henning@


# 1.329 24-Feb-2003 henning

when a macro is redefined, don't bother with reusing the existing entry in
symset() but just prepend a new sym entry to symhead like we always did. as
symget searches the list sequentially, the newest one is picked first.
prevents an endless loop introduced when trying to reuse the existing entry
by an invalid setting for the next pointer.
fixes regress test pf57.

found after conversation with Chris Linn, celinn at mtu dot edu

ok dhartmei@ cedric@


# 1.328 21-Feb-2003 henning

re-allow set loginterface none
ok cedric@ dhartmei@


# 1.327 21-Feb-2003 henning

better error message if set loginterface is called with nonexistent
interface, found by krause (who is doing EXCELLENT work. Thank you very
much!), fix by me, ok dhartmei@ and cedric@


# 1.326 20-Feb-2003 henning

reject nonexistent interfaces in the dynaddr case, noticed during discussion
with jasondixon at myrealbox dot com

ok dhartmei@


# 1.325 19-Feb-2003 dhartmei

Make 'from (kue0)/24' work again (dynamic interface name translation with
a /prefix), reported by Jason Dixon. ok henning@


# 1.324 19-Feb-2003 henning

better error message on icmp version / address family mismatch

ok markus@


# 1.323 18-Feb-2003 henning

fix load option handling (-A, -N, -R) for options.
due to a bug in the loadopt check options were always loaded no matter which
loadopts were specified.
while being there, move the prints for that to where they belong, into the
appropriate pfctl_set_* functions, and thus only print when the options are
actually loaded.
fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier.

ok dhartmei@


# 1.322 17-Feb-2003 henning

"optarg" was a bad pick for the variable name in pfctl_cmdline_symset, it
shadows a global. rename.


# 1.321 17-Feb-2003 mpech

-#include <sys/ioctl.h>

mcbride@, dhartmei@ ok


# 1.320 16-Feb-2003 henning

unneeded {}


# 1.319 16-Feb-2003 henning

throw a syntax error if the portunary operator in varset is no '='
extif>"whatever"
should not be the same as
extif="whatever"
but a syntax error.


# 1.318 14-Feb-2003 dhartmei

Allow route-to loopback interfaces again, since Ryan fixed the loops that
might have occurred before.


# 1.317 14-Feb-2003 cedric

Better and more consistent error message.
Ok dhartmei@


# 1.316 13-Feb-2003 henning

ease the yacc a bit by using a "not" rule instead of having two rules w/ and
without '!' everywhere

ok dhartmei@


# 1.315 12-Feb-2003 henning

KNF after ryan


# 1.314 12-Feb-2003 mcbride

Simplify the code and make the parser handle the different rule types
more consistently.

- Merge expand_nat and expand_rdr into expand_rule
- Merge rdrrule token into natrule

ok concept henning@
ok dhartmei@


# 1.313 11-Feb-2003 henning

allow macro definition on the command line:
pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea
theo), very handy if your notebook has another NIC at some conference, as
well as for debugging etc.
idea rezine@mistrusted.net via pb@
hacked live at FOSDEM

ok pb@ dhartmei@ cedric@


# 1.312 09-Feb-2003 henning

more live code from FOSDEM:
make
pass in proto tcp to port 80
work.
-allow to omit the "any" if you're specifying a port
-allow to omit the from or to part if you want "any" for the other

ok dhartmei@ pb@


# 1.311 09-Feb-2003 henning

KNF


# 1.310 09-Feb-2003 camield

Fix a few warnings and remove unnecessary check and cast.

ok dhartmei henning


# 1.309 08-Feb-2003 dhartmei

Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@
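
The following is an added illustration of the point behind the random-id commit above; it is not pf(4) or pfctl code. It assumes what the commit calls "predictable IDs", namely that each host behind the NAT fills the IP ID field from its own sequential counter, and reconstructs in simplified form the counting technique from the Bellovin paper: thread the IDs seen on the outside of the NAT into monotonic sequences and count the sequences. The traffic is constructed with a seeded PRNG, not captured.

```python
"""Bellovin-style NAT host counting from IP IDs, and what 'scrub random-id'
does to it. Added example, not OpenBSD code. Assumption: hosts behind the
NAT use per-host sequential IP ID counters. All traffic is constructed."""
import random

ID_SPACE = 1 << 16          # the IP ID field is 16 bits wide


def count_id_sequences(ip_ids, max_gap=50):
    """Return the number of hosts an outside observer would infer.

    Each observed ID is attached to the tracked sequence whose last value
    lies at most max_gap below it (mod 2**16), preferring the closest one;
    if none qualifies it starts a new sequence. Sequential counters yield
    one sequence per host, random IDs yield roughly one per packet.
    """
    last_seen = []                      # last ID of every sequence tracked so far
    for ident in ip_ids:
        best, best_gap = None, max_gap + 1
        for i, last in enumerate(last_seen):
            gap = (ident - last) % ID_SPACE
            if 0 < gap < best_gap:
                best, best_gap = i, gap
        if best is None:
            last_seen.append(ident)
        else:
            last_seen[best] = ident
    return len(last_seen)


def constructed_nat_traffic(start_ids, packets_per_host, seed=1):
    """Interleave packets from len(start_ids) hosts, each incrementing its
    own IP ID counter, in a shuffled order as the NAT's outside interface
    would see them. Returns the IP IDs in wire order (constructed data)."""
    rng = random.Random(seed)
    counters = list(start_ids)
    order = [h for h in range(len(counters)) for _ in range(packets_per_host)]
    rng.shuffle(order)
    ids = []
    for h in order:
        counters[h] = (counters[h] + 1) % ID_SPACE
        ids.append(counters[h])
    return ids


def scrub_random_id(ip_ids, seed=2):
    """What 'scrub ... random-id' does to the stream: every unfragmented
    outgoing packet leaves with a fresh random ID, so the per-host counters
    are no longer visible on the wire. pf draws its randomness in the
    kernel; the seeded PRNG here only keeps the example reproducible."""
    rng = random.Random(seed)
    return [rng.randrange(ID_SPACE) for _ in ip_ids]


if __name__ == "__main__":
    raw = constructed_nat_traffic([1000, 20000, 40000], 40)
    print("hosts inferred without random-id:", count_id_sequences(raw))
    print("hosts inferred with random-id:   ",
          count_id_sequences(scrub_random_id(raw)))
```

With three counters the observer recovers exactly three sequences from the raw stream; after random-id the same packets fall into dozens of unrelated sequences and the host count carries no information. The scrub only covers packets that are not fragmented after reassembly, as the commit says, so fragments still leave with the original ID.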


# 1.308 05-Feb-2003 cedric

Fix "pass out dup-to (tun0 1.1.1.1) inet6 all" error message
Allow "pass out dup-to tun0 all"
ok mcbride@ henning@


# 1.307 05-Feb-2003 mcbride

Set the network mask to all 1's if no address is specified for a
route-to/dup-to/reply-to rule. Keeps round-robin from incrementing through
the entire address space.

ok dhartmei@


# 1.306 03-Feb-2003 deraadt

pretty


# 1.305 03-Feb-2003 dhartmei

Don't allow loopback interfaces as route/reply/dup-to targets. ok henning@


# 1.304 03-Feb-2003 cedric

remove loadopt global definition and cleanup a bit.
ok henning@


# 1.303 03-Feb-2003 henning

fix a problem with queue definitions when load options (like -N etc) are
given; they used to check for their parent interface/queue even in this
case.

ok dhartmei@ cedric@


# 1.302 02-Feb-2003 henning

there is no need to pass opts to parse_rules explicitely; it's passed as
part of the struct pfctl.


# 1.301 27-Jan-2003 deraadt

KNF


# 1.300 25-Jan-2003 mcbride

Match changes for rdr port ranges made to pf.c:
- fixes behaviour of rdr on le0 from foo to bar port 1:20 -> (lo0) port 22
- makes calculated mapping more explicit for the -> (lo0) port 22:* case

testing from dhartmei@

ok dhartmei@


# 1.299 25-Jan-2003 cedric

Fix NOACTION with table statements.


# 1.298 25-Jan-2003 cedric

Permit initialisation of a table content from a file in pf.conf.
Cleaning up of the table options parsing, more flexible.
idea+cleanup deraadt@, ok dhartmei@, pass all regress tests.


# 1.297 25-Jan-2003 cedric

Correctly check illegal constructs with tables. Better error messages.
ok dhartmei@ pass all regress tests.


# 1.296 25-Jan-2003 henning

if a table name is too long, it's actually nice to tell so instead of just
aborting with a syntax error


# 1.295 20-Jan-2003 camield

Remove unused argument from print_name() and fix two other nits
found by lint.

ok henning


# 1.294 19-Jan-2003 camield

Spin off label string expansion into a separate function. Clarifies
and tightens all expand_label functions.

ok dhartmei henning


# 1.293 18-Jan-2003 henning

KNF after ryan...


# 1.292 18-Jan-2003 mcbride

Add missing token string and assignment to make static-port work for real.

Diff and report courtesy of mpech@ and form@

ok dhartmei@


# 1.291 17-Jan-2003 camield

bandwith -> bandwidth

YYERROR on failed parseicmpspec()

ok dhartmei mcbride henning


# 1.290 15-Jan-2003 mpech

Typo in yyerror().

henning@


# 1.289 14-Jan-2003 henning

unified IP parser:
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h]
-extend host() to handle /mask itself, plus minor adjustments
-use that in pfctl_table.c instead of coding the same shit again

discussed w/ cedric@
ok cedric@ dhartmei@


# 1.288 13-Jan-2003 camield

err() on all memory allocation failures

ok henning dhartmei


# 1.287 11-Jan-2003 mcbride

Whitespace KNF


# 1.286 09-Jan-2003 henning

no need for explicit numbering in enums

ok dhartmei@


# 1.285 09-Jan-2003 dhartmei

Check return values on the remaining strlcpy/strlcat. ok henning@


# 1.284 09-Jan-2003 henning

minor KNF


# 1.283 09-Jan-2003 cedric

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@


# 1.282 08-Jan-2003 deraadt

check more strlcpy; camield@


# 1.281 07-Jan-2003 dhartmei

Allow underscore at the beginning of strings, fixes
pass all user _spamd
which was refused as syntax error before. Reported by Joe Nall.
ok henning@


# 1.280 07-Jan-2003 dhartmei

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@


# 1.279 06-Jan-2003 mcbride

Fix some oversights with address pools for route-to/dup-to/reply-to
- copy key for src-hash
- copy pool type (pools were being set to round-robin in all cases)

+ some minor knf.

ok dhartmei@


# 1.278 05-Jan-2003 henning

err after calloc failure, not errx


# 1.277 05-Jan-2003 dhartmei

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@


# 1.276 04-Jan-2003 dhartmei

move noroute from flag in pf_rule_addr into type in pf_addr_wrap.
ok henning@, mcbride@


# 1.275 04-Jan-2003 deraadt

I do not know where this policy of "one .h file for every .c file" comes
from, but whoever thought of it is stupid.


# 1.274 03-Jan-2003 dhartmei

whitespace KNF (no, i don't touch the option inits)


# 1.273 03-Jan-2003 cedric

Bring in userland code for accessing PF radix tables.
ok dhartmei@ mcbride@


# 1.272 02-Jan-2003 mcbride

Require a direction to be specified for rules which do routing.

ok dhartmei@ henning@


# 1.271 30-Dec-2002 mcbride

Change ipv6-icmp-type to icmp6-type. pf.conf files will need to be adjusted
to reflect this.

ok dhartmei@ henning@


# 1.270 27-Dec-2002 mcbride

Since pf_norm.c looks at rule.log to see if it should log packets being
dropped due to scrub violations, this adds the ability to set this in
pf.conf.

ok henning@


# 1.269 21-Dec-2002 henning

always initialize rpool.key; diff from Frank Denis; KNF by me


# 1.268 21-Dec-2002 henning

KNF


# 1.267 20-Dec-2002 dhartmei

remove a redundant assignment.


# 1.266 19-Dec-2002 dhartmei

fix 'no rdr'.


# 1.265 18-Dec-2002 henning

more KNF


# 1.264 18-Dec-2002 dhartmei

proto list expansion is not supported in binat-anchor yet, print an error
when attempted.


# 1.263 18-Dec-2002 dhartmei

Support (single) destination port in rdr-anchor rules. Print an error
where parameters are not supported (in rdr-anchor and binat-anchor) yet.
If those are needed, we'll have to expand them properly.


# 1.262 18-Dec-2002 deraadt

fix some INCREDIBLE new bugs which were introduced


# 1.261 17-Dec-2002 henning

add support for the PRIQ scheduler

partially from kjc@

ok kjc@ dhartmei@


# 1.260 17-Dec-2002 mcbride

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule

ok dhartmei@ henning@


# 1.259 17-Dec-2002 henning

missing break in switch


# 1.258 17-Dec-2002 henning

beautify the %type block


# 1.257 17-Dec-2002 henning

PRIQ and HFSC support functions, not yet used.
mostly from kjc@ with adjustments by me.

ok theo ryan daniel


# 1.256 16-Dec-2002 henning

only create a root queue if scheduler = cbq


# 1.255 16-Dec-2002 henning

get full [scheduler]_opts struct instead of just .flags, and wrap it into a
switch (scheduler) statement in one case

inspired by kjc@


# 1.254 13-Dec-2002 henning

allow a second queue for higher prioritized (currently: tos=lowdelay) packets
to be specified per rule

queue (qname, priorized_qname)

idea dhartmei
ok dhartmei@ frantzen@ deraadt@


# 1.253 13-Dec-2002 henning

a bit KNF originally part of another diff soon to come; frantzen@ correctly
pointed out that it should be a separate commit.


# 1.252 13-Dec-2002 deraadt

permit re-ordering of some scrub parameters, and also clean up some other
grammar baloney; henning ok


# 1.251 12-Dec-2002 henning

KNF


# 1.250 12-Dec-2002 henning

we don't need to keep a private copy of the queue name in expand_rule,
r->qname is never modified

discussed with dhartmei@


# 1.249 11-Dec-2002 mcbride

Replace strncpy + ugly pointer math with sscanf for reading source-hash keys

ok dhartmei@ henning@


# 1.248 09-Dec-2002 dhartmei

(properly guarded) strcpy() -> strlcpy()


# 1.247 09-Dec-2002 deraadt

do not allow redefinitions in variable option blocks; henning ok


# 1.246 08-Dec-2002 henning

strncpy is evil.


# 1.245 08-Dec-2002 henning

allow flexible options order like Theo did for rules.

idea, lots of input, motivation and ok deraadt@

ATTENTION:
this changes the syntax. the "scheduler" keyword is gone now.
old: altq on $interface scheduler cbq ...
new: altq on $interface cbq ...


# 1.244 07-Dec-2002 dhartmei

Support parameters in anchor rules. Allows conditional evaluation, like:

anchor spews inet proto tcp from any to any port smtp

ok deraadt


# 1.243 07-Dec-2002 henning

more KNF


# 1.242 07-Dec-2002 henning

KNF


# 1.241 07-Dec-2002 henning

shadow cleanup

ok mcbride@ frantzen@


# 1.240 07-Dec-2002 henning

kill an unused param to lungetc


# 1.239 07-Dec-2002 mcbride

Convert the hash of a string key to network byte order. Makes regression
work on all platforms.

Bug found by dhartmei@

ok dhartmei@ henning@


# 1.238 06-Dec-2002 dhartmei

Remove negated address list check again, doesn't work right yet.


# 1.237 06-Dec-2002 dhartmei

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@


# 1.236 05-Dec-2002 henning

fix a small cosmetic problem. if ifa_lookup was called in LOOKUP_NET mode,
it would return things like 127.0.0.1/8. when 127.0.0.1/8 is passed through
the new selftests, it becomes 127.0.0.0/8.
fix: instead of just copying addr.mask in ifa_lookup, use set_ipmask, so it
is 127.0.0.0/8 from the beginning on.


# 1.235 05-Dec-2002 henning

-quote varset in -v output
-don't add 's' in set timeout -v output

makes the feedback regression tests succeed.

ok markus@ mcbride@


# 1.234 04-Dec-2002 henning

in host(), apply a given netmask to all members of the node_host list
returned by ifa_lookup().

reported by Alejandro G. Belluscio

ok dhartmei@


# 1.233 04-Dec-2002 deraadt

do not warn for unused variables except with -v -v; henning ok


# 1.232 02-Dec-2002 henning

KNF


# 1.231 02-Dec-2002 deraadt

permit more flexible pass/block lines. the options given at the end of
a line can now be placed in any order, and some merging of duplicate options
is also done. this is easier to use.


# 1.230 02-Dec-2002 henning

allow for "altq on $interface" without specifying a bandwidth. The
interface's bandwidth is taken then.
as a side-effect, "altq on $interface bandwidth xx%" is also possible now,
it's relative to the interface's bandwidth then.

ok theo


# 1.229 30-Nov-2002 mickey

move damn unmask() proto into place as well


# 1.228 29-Nov-2002 henning

coredumps are not nice.
deal with the fact that when we are merging the lists in host_list both can
be NULL.
found at EuroBSDCon 2002 while I was explaining the expansion process to
Paul de Weerd

ok dhartmei@


# 1.227 29-Nov-2002 henning

print queuespec only once in verbose mode, even if referenced more often


# 1.226 29-Nov-2002 henning

FREE_LIST nqueues later; can be used more than once


# 1.225 28-Nov-2002 henning

allow qlimit on altq spec


# 1.224 28-Nov-2002 mcbride

- Adjust to match replacement of md5 with pf_hash
- Allow keys to be specified in hex (must be 128 bits, mainly to make
pfctl -v output parseable by pfctl) or as a string. Randomly generate key
if one is not specified.

Suggestions and fixes from camield@

ok mickey@ camield@ henning@


# 1.223 27-Nov-2002 henning

handle the "no bandwidth specified" case earlier and easier.


# 1.222 27-Nov-2002 henning

-use a #define for default qlimit instead of hardcoding it
-print qlimit in print_queue if it is not the default one
-assign the default qlimit early in the parser instead of using 0


# 1.221 27-Nov-2002 henning

next round in print fixes:
-only print priority if it is not equal to the default one
-space handling overhaul


# 1.220 27-Nov-2002 henning

use a #define for default priority instead of hardcoding it


# 1.219 27-Nov-2002 henning

fix tbrsize spec


# 1.218 27-Nov-2002 henning

fix error message for altq ifspec without child queues


# 1.217 26-Nov-2002 henning

make bandwidth specification on queue truly optional


# 1.216 26-Nov-2002 henning

queue comes before NAT


# 1.215 25-Nov-2002 henning

repair decide_address_family
you cannot just take the first address family you meet as rule's address
family... either all are equal, or the rule has no explicit AF.

found by danh@
ok theo


# 1.214 25-Nov-2002 mickey

for loN and link1 translate the iface into address properly; henning@ ok


# 1.213 25-Nov-2002 henning

1Kb = 1000b, not 1024; as discussed with kjc@ and theo


# 1.212 25-Nov-2002 henning

KNF


# 1.211 24-Nov-2002 pb

enforce that queue comes right before filtering
'options, normalization, translation, queue, filter' now

henning@ ok


# 1.210 24-Nov-2002 dhartmei

Cosmetics and removal of a redundant code block.


# 1.209 23-Nov-2002 deraadt

sigh


# 1.208 23-Nov-2002 henning

KNF


# 1.207 23-Nov-2002 henning

better error checking in expand_queue


# 1.206 23-Nov-2002 henning

easier


# 1.205 23-Nov-2002 mcbride

Daniel's diff to untangle my mess with ifa_pick_ips like so:

- add decide_address_family() which runs through the list to find hosts
with the af set
- replace ifa_pick_ips with remove_invalid_hosts() which removes hosts with
the wrong address family from the list

from/ok dhartmei@


# 1.204 23-Nov-2002 henning

better error checking, round 1
this time in expand_altq


# 1.203 23-Nov-2002 henning

KNF


# 1.202 23-Nov-2002 deraadt

KNF


# 1.201 23-Nov-2002 dhartmei

$$->ifname is NULL, leave it NULL, don't $$->ifname[0] = 0;


# 1.200 23-Nov-2002 mcbride

Fix brokenness in parse.y, clean up:
- remove requirement for ( ) in route-to ( if )
- calloc route_host
- initialise route_host->next
- globally convert malloc to calloc

ok dhartmei@


# 1.199 23-Nov-2002 mcbride

code to support loading of pf rules with multiple redirection addresses
(in nat, rdr, route-to, dup-to and reply-to)

Syntax looks like this, see pf.conf(5) for details:

nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
192.168.0.16/29 source-hash random

rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
{ 192.168.0.8/31, 192.168.0.15 } port 22 round-robin

ok dhartmei@ henning@


# 1.198 22-Nov-2002 henning

print altq and queue lines in the pfctl -v case including the child queue
assignment


# 1.197 19-Nov-2002 henning

only take cbq opts from schedtype if type=CBQ


# 1.196 19-Nov-2002 henning

repair queuespec syntax glitch, theo agrees


# 1.195 19-Nov-2002 henning

default priority is 1, not 0
found by pb@


# 1.194 19-Nov-2002 camield

- match 'Gb' case-sensitively
- match "%" unit only, not "%crap"

ok henning@


# 1.193 19-Nov-2002 wilfried

icmp-type was off by one, ok henning@


# 1.192 18-Nov-2002 deraadt

no; do not use };


# 1.191 18-Nov-2002 henning

more using strl* return values instead of strlen calls


# 1.190 18-Nov-2002 henning

easier "queue name too long" detection; from theo


# 1.189 18-Nov-2002 deraadt

KNF


# 1.188 18-Nov-2002 deraadt

KNF


# 1.187 18-Nov-2002 henning

altq and pf merged

this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documentation yet, but committing now
enables a few more people to work on.

print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.

"commit now" theo philipp daniel


# 1.186 13-Nov-2002 henning

as scrub rules end up in a struct pf_rule just call expand_rule instead of
handcrufting this.
has quite a few positive side effects:
-interface list expansion works (fries@ asked for that)
-can specify address family, very helpful with dynamic interface expansion
(pointed out by daniel)
-src/dst ip/port list expansion works
-fixes a long standing, scary, though never noticed bug:
scrub out on lo1 from any to 10.0.0.1
expanded to
scrub out on lo1 all
... this bug was there from day #1.

"sneaky diff of the month award" dhartmei@


# 1.185 13-Nov-2002 dhartmei

Add label macro $if, as we support {} list expansion for interfaces now.
From David Gwynne. ok henning@, camield@


# 1.184 13-Nov-2002 dhartmei

Initialize tail pointer to node, found by fries@


# 1.183 08-Nov-2002 henning

init buf to NULL just in case...
there isn't a single codepath where it can remain uninitialized, but this
might prevent a stupid bug if we change something later


# 1.182 07-Nov-2002 henning

move the ifa_exists block a bit up in host()
inspired by mpech@ pointing out a missing free(buf). so handle the
it-is-an-interface case where we don't need the buf before allocating memory.


# 1.181 04-Nov-2002 henning

welcome to CIDR world, pfctl!

use inet_net_pton to parse IP addresses.
stuff like
block in from 10/8 to any
works now.

some input camield@ and dhartmei@

ok dhartmei@, camield@, mcbride@


# 1.180 02-Nov-2002 dhartmei

%i -> %d, matches the style of existing code, from millert@


# 1.179 02-Nov-2002 dhartmei

printf int with %i, not %u. from pilot@monkey.org.


# 1.178 30-Oct-2002 henning

simplify


# 1.177 30-Oct-2002 henning

fix interface expansion. since the reversed list expansion code was
committed this was broken, only the first IP address was returned.

pointed out by danh@, who sent an excellent bug report.

ok dhartmei@


# 1.176 29-Oct-2002 henning

introduce
set require-order [yes|no]
default is yes.
with set to "no", it isn't required to have the rules in order (options,
scrub, nat, filter) any more, though of course NATing still happens before
filtering and so on, so one has to take care.

ok camield@ mcbride@ dhartmei@
idea discussed with a whole lotta more people and basically ok for everyone ;-)


# 1.175 27-Oct-2002 henning

remove the "flags X" syntax.
no one who wrote "flags S" meant that, but actually something like "flags
S/SA". with "flags S" changing its actual meaning as more flags got
supported, things got worse.

ok dhartmei@, pb@


# 1.174 22-Oct-2002 mpech

%ul -> %lu

dhartmei@ ok


# 1.173 22-Oct-2002 mcbride

More conversion of "int af" and "u_int8_t af" declarations and function
arguments to the more correct and descriptive "sa_family_t af"

ok dhartmei@ henning@


# 1.172 22-Oct-2002 camield

Rename ipmask to set_ipmask and add some functionality: the netmask
is applied immediately to the address.

This way, the parsed rules output shows exactly which bits of an
address are significant for a match and errors due to wrong netmasks
can be spotted more easily.

Example:
$ pfctl -nvf -
pass in on lo0 from 172.17.0.0/12 to any
@0 pass in on lo0 inet from 172.16.0.0/12 to any

idea refined by dhartmei@
ok frantzen@ henning@


# 1.171 17-Oct-2002 mcbride

These checks are also made in nat_consistent() and rdr_consistent().

ok dhartmei@ henning@


# 1.170 17-Oct-2002 camield

- accept all protocols that are specified by number if they are in
the valid range (also when they're not listed in /etc/protocols)
- explicitly disallow protocol number 0, because it has special meaning
to pf

ok dhartmei@ henning@


# 1.169 16-Oct-2002 mpech

Fix and improve binat mask comparison.

dhartmei@, henning@ ok


# 1.168 14-Oct-2002 henning

Allow one to specify a netblock in a binat rule:

binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27

Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.

from ryan

ok dhartmei@
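
Added example, not pfctl code, for the two netmask behaviours described in the 1.172 and 1.168 commit messages above: set_ipmask() applying the mask to the address immediately so that pfctl -nvf shows the bits pf will actually match on, and netblock binat combining the network part of the redirect block with the host part of the source address. It uses only the stdlib ipaddress module; the addresses are the ones quoted in the commits, and the function names are this example's own.

```python
"""Netmask handling in pfctl rules: set_ipmask and netblock binat.
Added example, not OpenBSD code; addresses are those from the commits."""
import ipaddress


def set_ipmask(addr, prefixlen):
    """Apply the netmask to the address right away and report whether the
    operator wrote host bits that the mask throws away.

    pfctl -nvf prints the masked form, so 'from 172.17.0.0/12' shows up as
    'from 172.16.0.0/12': the network pf will really match, which is where
    a wrong mask becomes visible before the rule is loaded.
    """
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
    return str(net), ip != net.network_address


def binat_masks_match(src_net, redirect_net):
    """binat on a netblock requires the same prefix length (and address
    family) on both sides; a rule failing this check is rejected."""
    src = ipaddress.ip_network(src_net, strict=False)
    dst = ipaddress.ip_network(redirect_net, strict=False)
    return src.version == dst.version and src.prefixlen == dst.prefixlen


def binat_translate(src_addr, src_net, redirect_net):
    """Translate one address the way
        binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27
    does: network bits from redirect_net, host bits kept from src_addr.
    Raises ValueError on a mask mismatch or an address outside src_net.
    """
    if not binat_masks_match(src_net, redirect_net):
        raise ValueError("binat: source and redirect netmasks must be the same")
    src = ipaddress.ip_network(src_net, strict=False)
    dst = ipaddress.ip_network(redirect_net, strict=False)
    ip = ipaddress.ip_address(src_addr)
    if ip not in src:
        raise ValueError(f"{ip} is not covered by {src}")
    host_bits = int(src.hostmask)
    translated = int(dst.network_address) | (int(ip) & host_bits)
    return str(type(ip)(translated))     # keep the address family of src_addr


if __name__ == "__main__":
    print(set_ipmask("172.17.0.0", 12))
    print(binat_translate("192.168.0.40", "192.168.0.32/27", "10.0.7.128/27"))
    # binat is bidirectional: swap the blocks to map a reply back
    print(binat_translate("10.0.7.136", "10.0.7.128/27", "192.168.0.32/27"))
```

The second return value of set_ipmask is the signal worth surfacing in a config check: True means the rule author wrote an address whose host bits the mask silently discards, which is usually a mask typo rather than intent.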


# 1.167 11-Oct-2002 camield

When a macro cannot be expanded because it is not defined, say so. Also warn
about unused macros.

ok dhartmei@ henning@


# 1.166 11-Oct-2002 camield

In lgetc(), compress strings of whitespace to a single space. This makes
macros come out right in verbose mode and is less functional overhead.

Also err on whitespace after a backslash. That type of error is hard to
find otherwise.

ok dhartmei@ henning@


# 1.165 08-Oct-2002 vincent

remove <0 checks on unsigned numbers.

ok henning@


# 1.164 07-Oct-2002 dhartmei

-Wsign-compare clean


# 1.163 07-Oct-2002 dhartmei

Two cases of const-correctness and make one global local.


# 1.162 07-Oct-2002 henning

set block-policy [drop|return]
drop is default, same behaviour as before

support
block drop
to override a return policy


# 1.161 07-Oct-2002 henning

support a generic return
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else

ok dhartmei@


# 1.160 07-Oct-2002 henning

make return-icmp work for rules covering both v4 and v6
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)

ok and some input dhartmei@


# 1.159 07-Oct-2002 henning

use a new rule_flag PFRULE_RETURNICMP to decide whether to return-icmp or not
instead of just testing return_icmp > 0

ok dhartmei@


# 1.158 07-Oct-2002 dhartmei

Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.


# 1.157 06-Oct-2002 dhartmei

Move CHECK_ROOT into LOOP_THROUGH, gets rid of one macro and saves
several lines, no functional difference. From Camiel Dobbelaar.


# 1.156 05-Oct-2002 dhartmei

Expand {} lists from left to right, so 'pass in from { a, b } to any'
becomes '@0 pass in from a to any @1 pass in from b to any' instead of
the other way around. Patch from Camiel Dobbelaar.
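
Added example, not pfctl's expand_rule, of how pf.conf {} lists turn into individual numbered rules, following the left-to-right order fixed in rev 1.156 above, the optional comma of rev 1.131, and the '!' propagation of rev 1.103 further down. Only the subset of the grammar shown is handled. Where a rule carries several lists, the assumption made here is that earlier fields vary slowest (interface before proto before source before destination), which is how nested expansion numbers the result. The RESOLVE table is constructed for the example and stands in for the resolver.

```python
"""pf.conf list expansion into numbered rules. Added example, not pfctl
code. RESOLVE is a constructed stand-in for name resolution."""
import itertools
import re

# Constructed: what a name used in a rule expands to.
RESOLVE = {
    "mail": ["192.0.2.25", "2001:db8::25"],   # one name, two addresses
    "dns": ["192.0.2.53"],
}

# Assumed nesting order of the expansion, earliest field varying slowest.
FIELD_ORDER = ("on", "proto", "from", "to")


def expand_field(text):
    """Expand one field value: '{ a, b }', 'a b' (the comma is optional),
    a single word, or '! name'. A '!' before a name that resolves to
    several addresses is carried to each of them."""
    items = re.findall(r"[^\s,{}]+", text)
    out, negate = [], False
    for item in items:
        if item == "!":
            negate = True
            continue
        for addr in RESOLVE.get(item, [item]):
            out.append(("! " + addr) if negate else addr)
        negate = False
    return out


def expand_rule(action, direction, fields):
    """Return the fully expanded rules for one pf.conf line, numbered the
    way pfctl -nvf prints them. fields maps names from FIELD_ORDER to
    their (possibly list) values; fields not present are omitted."""
    choices = [expand_field(fields[f]) if f in fields else [None]
               for f in FIELD_ORDER]
    rules = []
    for n, combo in enumerate(itertools.product(*choices)):
        parts = [action, direction]
        for name, value in zip(FIELD_ORDER, combo):
            if value is not None:
                parts += [name, value]
        rules.append(f"@{n} " + " ".join(parts))
    return rules


if __name__ == "__main__":
    for line in expand_rule("pass", "in", {"from": "{ a, b }", "to": "any"}):
        print(line)
    for line in expand_rule("block", "in", {"on": "lo0", "proto": "{ tcp udp }",
                                            "from": "! mail", "to": "any"}):
        print(line)
```

The negation case is the one to check when reviewing such expansions: 'from ! mail' with a name that resolves to two addresses must become two rules that each carry the '!', otherwise half the intended exclusion is silently dropped.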


# 1.155 05-Oct-2002 dhartmei

Allow filtering based on IP header's tos field.


Revision tags: OPENBSD_3_2_BASE
# 1.154 22-Sep-2002 henning

little KNF: return(something) -> return (something)


# 1.153 22-Sep-2002 henning

fix linenumber counting in findeol, and simplify by ignoring the \ case,
that's already handled earlier.
fast-forward on erroneous lines

partially from camield@, parts result of a discussion with Mike

ok frantzen@ dhartmei@


# 1.152 22-Sep-2002 henning

antispoof, take 2.
also block incoming packets with our own IP as src.

discussion & help frantzen

ok ho@ dhartmei@ frantzen@


# 1.151 17-Sep-2002 henning

easier "self" implementation.
no functional changes

ok pb@


# 1.150 15-Sep-2002 henning

set a netmask in the dynaddr case
noticed by <han@mijncomputer.nl>

ok pb@


# 1.149 14-Sep-2002 henning

bit more clue in rdr/nat rules wrt address family examination
don't take the af from host_node structs based on interface lookups, most
interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will
at least have one IP address specified from which we take the af for the
whole rule. The rare exceptional cases require the user to specify the af.

ok frantzen@


# 1.148 12-Sep-2002 henning

check for calloc() failure; ho@


# 1.147 12-Sep-2002 henning

antispoof [log] [quick] for [interface|interface_list] [af]

e. g.

antispoof log quick for { dc0, dc1 } inet

docs & regress coming

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@
IPv6 help itojun@

finally, a long story finds its happy end here.


# 1.146 12-Sep-2002 henning

rework netmask handling:
-don't set netmask in host token handler
-clear netmask in ipmask() proper before setting it
-in ifa_load(), also store interface's netmask and broadcast address
-allow ifa_lookup() to return either the interface's IP address(es), network(s)
or broadcast address(es) - not used anywhere yet. This implies that
ifa_lookup() also returns the netmask now.
-host() returns netmasks, too

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@


# 1.145 08-Sep-2002 henning

be more clueful wrt address family in nat/rdr rules.
behaviour noticed by Paul de Weerd, thanks!

ok dhartmei@


# 1.144 02-Sep-2002 dhartmei

Fix parsing of port ranges in translation rules (port a:b -> port c:d).
ok henning@


# 1.143 02-Sep-2002 dhartmei

Make sure the interface specified with route-to/dup-to/fastroute exists
and null-terminate the interface name. Found by Michael Wallis.
ok henning@


# 1.142 20-Aug-2002 dhartmei

Increase lineno on newlines inside multi-line macro definitions, otherwise
errors on subsequent lines are reported with wrong line numbers.
From Paul B. Henson.


# 1.141 16-Aug-2002 henning

kill duplicated check for '(' and ')' in allowed_in_string


# 1.140 12-Aug-2002 dhartmei

Catch null pointer deref (segfault), from wilfried@


# 1.139 06-Aug-2002 henning

missing free(), mpech@
ok pb@


# 1.138 06-Aug-2002 henning

check for strdup() allocation errors

pointed out by mpech@
ok pb@


# 1.137 31-Jul-2002 henning

KNF, esp. missing prototypes


# 1.136 30-Jul-2002 henning

grmpf.
in some cases, on non-tcp rules flags weren't reset. cosmetic only
problem. but, well, checking for r->flags and r->flagset if we could have
assigned them zero just one round ago is just stupid, and it's not needed to
check them at all.

ok pb@, dhartmei@


# 1.135 30-Jul-2002 henning

allow to specify flags on all rules that include tcp.

these are valid:

pass in from any to any flags S
pass in proto { tcp, udp, icmp } from any to any flags S
pass in proto tcp from any to any flags S

these are invalid:

pass in proto { udp, icmp } from any to any flags S
pass in proto udp from any to any flags S

ok "I've lost my slacker status for at least a week" frantzen@
ok pb@, dhartmei@, deraadt@


# 1.134 26-Jul-2002 henning

make the order of log and quick irrelevant. now both
block in log quick all
and
block in quick log all
work.

ok dhartmei@, deraadt@


# 1.133 23-Jul-2002 henning

timeout_list/_spec and limit_list/_spec don't return anything -> no %type.

ok theo


# 1.132 21-Jul-2002 deraadt

fix route-to also


# 1.131 21-Jul-2002 deraadt

make the , optional in many places. This makes string concat a lot more
useful. Now you can
in = ssh domain www
out = $in ftp finger
pass in proto tcp from any to any port { $in }
pass out proto tcp from any to any port { $out }
a poor example, but the idea is obvious


# 1.130 21-Jul-2002 deraadt

string concat, ie.
a=a b
c=$a $a


# 1.129 20-Jul-2002 deraadt

minor indent tweaks


# 1.128 20-Jul-2002 deraadt

properly split yacc and lex use


# 1.127 19-Jul-2002 deraadt

minor tweaks, sigh


# 1.126 19-Jul-2002 dhartmei

And back out the last change again.


# 1.125 19-Jul-2002 henning

rework the interface lookup routines internals.
less and easier code than before.
no functional changes.

ok frantzen@, dhartmei@


# 1.124 19-Jul-2002 dhartmei

Support # comments at the end of lines and inside (multi-line) string
literals, so you can do things like

macro="{ foo, # first entry
bar, # second entry
baz }" # last entry

or

pass in on $ext_if \ # external interface
proto tcp \ # TCP connections
from any to $ext_if \ # to the gateway itself
keep state

And sneaking in two minor fixes for KNF.


# 1.123 19-Jul-2002 henning

deal with the fact that the struct node_host ifa_pick_ip gets is not always
the result of an interface expansion. in this case ifa_pick_ip does an
address family check (that's actually a (wanted) side effect). Thus, we need
to spit out a meaningful error message in case of a mismatch.
also adjust all the other error messages, they were also assuming that nh is
the result of an interface expansion.
after a looooong discussion on icb (dhartmei@, pb@, me) we agreed on the term
"translation address" for that.

okay dhartmei@


# 1.122 17-Jul-2002 henning

support "self" as address. self expands to all IPv4 and IPv6 addresses of
the machine, on all interfaces. I wanted
block in log on ! lo0 from any to self
for years, and now it's possible.

ok "I may lose my slacking status if I OK it" frantzen@
ok dhartmei@

documentation in pf.conf.5 to come with pb@'s rewrite


# 1.121 16-Jul-2002 dhartmei

Add nat_consistent() and rdr_consistent() for checks that should occur
after rule expansion, similar to rule_consistent(). Fixes the
non-effective test for rdr rules for non-TCP/UDP protocols with ports,
found by mpech@, ok frantzen@


# 1.120 15-Jul-2002 henning

add support for
pass|block on ! $interface ...

ok dhartmei@

will be documented in pf.conf(5) by "I'm not slacking!" pb@ who's currently
reworking this manpage


# 1.119 15-Jul-2002 pb

cosmetics/consolidations to manpage in yyerror()s

ok henning@, dhartmei@


# 1.118 15-Jul-2002 henning

o complain about keep state on block rules
o complain about return-rst on rules which aren't limited to tcp

pointed out by not-slacking-but-testing pb@

ok pb@, dhartmei@


# 1.117 13-Jul-2002 henning

add list expansion for interface and proto in nat rules and for proto in rdr
rules (interface was already there). since the nat.conf/pf.conf merge the
parser accepted these but didn't expand them. ugh.

ok dhartmei@


# 1.116 09-Jul-2002 itojun

check sin6_scope_id field, just in case we change the routing socket API
for scoped address (unlikely due to the deployed codebase...).


# 1.115 09-Jul-2002 itojun

getifaddrs(3) grabs link-local addrs in kernel internal form, convert them
into proper sockaddr_in6.


# 1.114 09-Jul-2002 henning

rework the interface-to-IP routines.

you can use interface names instead of an IP in most places. However, until
now, it was only expanded to the interface's first IPv4 address if existent
(and address family unset or inet) and the first IPv6 address otherwise.

this diff changes that. the interface is properly expanded to all IPs, IPv4
_and_ IPv6, now.

it also cleans up the lookup procedures (well, in fact, they are replaced by
a new one), there's no need for different procedures for IPv4 and IPv6. we
now just have one list of interfaces (AF_LINK) and one list with IPs
(AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and
ifa_lookup.

nat, rdr & friends now use the new function ifa_pick_ip to get the IP in
rules like

nat on $interface from $whatever to any -> $interface

ifa_pick_ip tries to be smart.
if the interface has only one IP address and the nat rule doesn't specify an
address family (or it matches with this address), take this one.
If the address family is specified in the nat rule and there is only one IP
for the given address family, this one is used. if the address family is not
specified and there is more than one IP pfctl throws an error. The same
applies for multiple IPs per address family.

This causes regression tests 18 and 20 to fail because the address family
isn't specified there; diff for those coming.

also fix some prototypes while I'm here.

pb@ found another problem while testing that we must have introduced somewhat
after 3.1.

$cat t
nat on ne3 from any to any -> 213.128.133.5
$pfctl -nvf t
nat on ne3 all -> ?

it's only a representation bug as far as I've checked, nonetheless it should
be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just
steal its target's IP af and set the rule's af accordingly. then inet_ntop
does play nice.
binat rules already enforce having an address family set always and thus are
not affected.

ok dhartmei@, pb@, kjell@
"It looks good" frantzen@


# 1.113 08-Jul-2002 dhartmei

Don't allow 'flags' option in non-TCP rules, found by mpech@


# 1.112 05-Jul-2002 henning

unbreak.


# 1.111 05-Jul-2002 henning

another small bug I found while installing a -current pf firewall.
we don't support

pass/block in on ! <interface>

(at least, not yet)
let the parser complain instead of ignoring the '!'

ok pb@, dhartmei@


# 1.110 01-Jul-2002 espie

streamline parse buffer handling (no need to copy value that is not
going to go away).

add explicit pushback buffer, to be able to push IPv6 failed parses back.

handle pushback + parse buffer interactions by using negative indices.

okay dhartmei@, deraadt@


# 1.109 01-Jul-2002 deraadt

KNF


# 1.108 28-Jun-2002 dhartmei

Don't check for address family conflicts in nat/rdr before expansion,
rules will expand to all valid combinations, and there's an error when
none is found. Makes "nat on tun0 from 10.0.0.0/8 to any -> (tun0)"
work (again).


# 1.107 25-Jun-2002 henning

move pfctl options -t, -m, -O and -l to pf.conf. These are set using the
"set" keyword. example rulefile:

set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all

fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@


# 1.106 24-Jun-2002 dhartmei

Use interface when specified in scrub rule. No support for ! or {} yet.


# 1.105 23-Jun-2002 deraadt

uid_t and gid_t are unsigned


# 1.104 20-Jun-2002 dhartmei

Copy address family from inet/inet6 keyword, if specified.


# 1.103 18-Jun-2002 frantzen

propagate a '!' when a host resolves to multiple IP addresses
ok dhartmei@


# 1.102 18-Jun-2002 frantzen

don't allow individual keep state rules to specify timeouts for 'interval' and
'frag' -- they aren't applied anyway
ok dhartmei@ and henning@


# 1.101 16-Jun-2002 aaron

Rules must in order -> Rules must be in order


# 1.100 15-Jun-2002 dhartmei

Reset rulestate in parse_rules(), so consecutive calls (like from authpf)
will not fail. Reported by Chris Kuethe.


# 1.99 13-Jun-2002 kjell

Fix the numbering of scrub rules. pointed out and oked by frantzen@


# 1.98 12-Jun-2002 kjell

Fix uninitialized access. Spotted by danh@. This is a good reason to
develop with "ln -s 'J' /etc/malloc.conf" enabled.
ok henning@


# 1.97 11-Jun-2002 frantzen

split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@. the rest are slacking


# 1.96 11-Jun-2002 frantzen

SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@


# 1.95 11-Jun-2002 dhartmei

Make NAT proxy port range configurable per rule, for instance privileged
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@


# 1.94 10-Jun-2002 kjell

Merge the NAT and rules files into a single rulefile. Rules must be
in this order, to remove any ambiguity about what order things happen in:

scrub rules
nat rules
filter rules

The -N and -R modifiers go away. Rulefiles are now loaded with the
more POSIXly-correct '-f'

ok frantzen@


# 1.93 10-Jun-2002 dhartmei

Allow ports to be specified in nat rules, useful later on for individual
proxy port ranges.


# 1.92 10-Jun-2002 dhartmei

Move enum out of struct (gcc 3.1 wasn't happy), from David Krause


# 1.91 10-Jun-2002 kjell

split scrub rule processing into its own yacc target,
for imminent config file merge. ok frantzen@


# 1.90 09-Jun-2002 dhartmei

Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it
includes ports and operator.


# 1.89 09-Jun-2002 deraadt

spaced out developers...


# 1.88 09-Jun-2002 kjell

Add list parsing in RDR rules: e.g.

rdr on $IFLIST proto tcp from $SRC_LIST to $DST_LIST port 21 \
-> 127.0.0.1 port 8021

ok dhartmei@


# 1.87 08-Jun-2002 henning

nuke unused parameter af to expand_label_port
ok dhartmei@, pb@


# 1.86 08-Jun-2002 dhartmei

Change remaining read-only lookup tables to const, suggestion drahn@


# 1.85 08-Jun-2002 itojun

comment on IPv6 link-local twists


# 1.84 08-Jun-2002 kjell

add list expansion to src/dest in NAT rules. i.e.

nat on fxp0 from { 10.0.0.0/24, 10.0.1.0/24 } to \
{ 172.6.1.1, 172.14.1.2/32 } -> fxp0

ok theo, dhartmei@


# 1.83 08-Jun-2002 henning

remove macro concatenation via += per Theo's advice


# 1.82 08-Jun-2002 henning

allow macro concatenation like
webservers = "{ 10.0.0.1, 10.0.0.7, 10.0.0.8, "
webservers += " 10.0.0.17, 10.0.0.25, 10.0.0.37 }"
ok frantzen@, dhartmei@


# 1.81 08-Jun-2002 dhartmei

Make state timeouts configurable per rule, like

pass in from any to any port www keep state (tcp.established 60)

ok frantzen@


# 1.80 08-Jun-2002 henning

expand $nr -> rule number in rule labels
okay dhartmei@, frantzen@


# 1.79 08-Jun-2002 henning

expand $proto in rule labels
okay frantzen@ dhartmei@


# 1.78 07-Jun-2002 dhartmei

Handle realloc() failure gracefully. Terminates with err() anyway in this
case, but we don't want to trigger "p = realloc(p," grepping causing false
alarms here.


# 1.77 07-Jun-2002 deraadt

henning, read this to see what i mean by KNF


# 1.76 07-Jun-2002 pb

add the possibility to configure a TTL while return-rst

ok dhartmei@, ipv6 part itojun@ ok


# 1.75 07-Jun-2002 dhartmei

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@


# 1.74 07-Jun-2002 henning

allow using $srcaddr, $srcport, $dstaddr and $dstport in rule labels,
evaluated at parse time.
ok dhartmei@


# 1.73 07-Jun-2002 itojun

make IPv6 scope identification work for dst (from any to fe80::1%lo0)


# 1.72 07-Jun-2002 itojun

support scoped IPv6 address in from/to portion.


# 1.71 01-Jun-2002 hugh

ECN flag support for pf. Committed in consultation with Daniel.


# 1.70 24-May-2002 dhartmei

Support mixed (IPv4/v6) address lists, expand to all possible and valid
combinations. 'pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }' will
expand to two rules, 'from 10.1.2.3 to 10.4.5.6' and 'from ::1 to ::2'.
Also applies to host name resolution (when multiple addresses are returned
for one name). ok frantzen@, itojun@


# 1.69 23-May-2002 deraadt

tiny KNF, some malloc checks, etc


# 1.68 23-May-2002 itojun

new_addr is not used from anywhere. daniel@benzedrine.cx ok


# 1.67 19-May-2002 deraadt

KNF


# 1.66 12-May-2002 dhartmei

Explain that user/group 'unknown' can only be used with operators = and !=
and refuse other constructs in the parser. Also note that 'user >= 0' does
not match forwarded packets with unknown user ID.


# 1.65 12-May-2002 dhartmei

Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.


# 1.64 10-May-2002 dhartmei

Handle host name resolution returning multiple addresses in the rule
parser (expand to every address). ok frantzen@


# 1.63 09-May-2002 jasoni

Add a max-mss option to the scrub rule which will enforce a maximum mss
by lowering it to the given value.
- ok dhartmei@, provos@


# 1.62 09-May-2002 dhartmei

Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.


# 1.61 24-Apr-2002 dhartmei

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).


# 1.60 23-Apr-2002 dhartmei

Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.


# 1.59 18-Apr-2002 deraadt

use strlcpy


# 1.58 17-Apr-2002 dhartmei

Reset lineno for each file, so pfctl -R ... -N ... reports the right
line number for non-first files. Reported by aaron@


Revision tags: OPENBSD_3_1_BASE
# 1.57 27-Mar-2002 mickey

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok


# 1.56 27-Feb-2002 dhartmei

Instead of printing useless @0 rule numbers from pfctl -vR, increase a
counter. Helps debugging rule sets that are not loaded. Suggested by
John Kerbawy.


# 1.55 11-Jan-2002 mickey

use bsearch() for keywords lookup, swap couple of entries to make the keywords array sorted and add a comment to keep it that way; dhartmei@ ok


# 1.54 10-Jan-2002 hugh

Let port 0 be specified as it's not special here.
Agreement with Daniel and others.


# 1.53 09-Jan-2002 mpech

Port must be >0 and <=65535. Idea while having fun with ssh.

dhartmei@ ok


# 1.52 09-Jan-2002 mpech

free() 'interface' in {nat,binat,rdr}rule

dhartmei@ ok


# 1.51 09-Jan-2002 dhartmei

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.


# 1.50 08-Jan-2002 dhartmei

Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.


# 1.49 07-Jan-2002 mpech

remove 3rd argument from ipmask(), not used.

dhartmei@ ok


# 1.48 23-Dec-2001 deraadt

find correct line number in lval, instead of val


# 1.47 10-Dec-2001 dhartmei

Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.


# 1.46 05-Dec-2001 dhartmei

Correctly parse hex numbers. Spotted by Claudio Jeker. Closes PR 2234.


# 1.45 03-Dec-2001 dhartmei

For nat, binat and rdr rules, don't allow different address families in
one rule. pf can't translate IPv4 <-> IPv6 packets. Such rules didn't work,
even if they were falsely accepted before.


# 1.44 26-Nov-2001 jasoni

add fastroute options similar to what is found in ipf
ok dhartmei@, frantzen@


# 1.43 05-Nov-2001 deraadt

no one responds.
this diff makes } and { not be part of symbols


# 1.42 24-Oct-2001 dhartmei

Check interface names using ifa0_lookup() and print error message for
non-existent interfaces (instead of the generic ioctl error returned by
the kernel in this case).


Revision tags: OPENBSD_3_0_BASE
# 1.41 15-Oct-2001 dhartmei

branches: 1.41.2;
Add 'allow-opts' to rules. Packets with IP options will be blocked by
default now, and can be allowed per rule. ok deraadt@


# 1.40 11-Oct-2001 frantzen

Don't htonl() past buffer bounds if ipmask == 128


# 1.39 07-Oct-2001 dhartmei

Add interface name to address translation to pfctl, document it and add
a regress test. Translation is done on rule set load-time only, so the
rule sets must be reloaded when an interface address changes.
parse.y patch from Cedric Berger. Similar patch from Jonathon Fletcher.
Thanks to both.


# 1.38 01-Oct-2001 markus

print variable assignments only if -v is given. ok dhartmei/deraadt


# 1.37 28-Sep-2001 dhartmei

Support underscores in macro names and document it in the man page.


# 1.36 20-Sep-2001 dhartmei

Fix uninitialized structure fields. Problem reported by Cedric Berger.


# 1.35 15-Sep-2001 wilfried

Implement return-icmp(number), return-icmp6(number)
Differentiate between return-icmp and return-icmp6,
icmp-type and ipv6-icmp-type. ok dhartmei@


# 1.34 15-Sep-2001 dhartmei

Fix 'binat ... to any ...' (binat.af wasn't set).


# 1.33 15-Sep-2001 dhartmei

Parse bug, found by wilfried@


# 1.32 15-Sep-2001 frantzen

IPv6 support from Ryan McBride (mcbride@countersiege.com)


# 1.31 12-Sep-2001 markus

check calloc() return value


# 1.30 06-Sep-2001 jasoni

- you can only binat between hosts
- add binat example and description


# 1.29 06-Sep-2001 jasoni

1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@


# 1.28 04-Sep-2001 dhartmei

Support parameter lists {} for interfaces in filter rules, like
pass in on { gm0, kue0 } from any to any


# 1.27 28-Aug-2001 markus

move '!' from host_list to host: "xhost : '!' host | host;"; ok dhartmei@


# 1.26 28-Aug-2001 markus

check for malloc/strdup == NULL


# 1.25 28-Aug-2001 dhartmei

Support ! operator in host parameter lists. Fixes PR system/2030. Reported
by Kamil Andrusz <wizz@mniam.net>.


# 1.24 26-Aug-2001 deraadt

sort keywords


# 1.23 25-Aug-2001 frantzen

PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation.


# 1.22 23-Aug-2001 millert

o for a port_item, initialize the "next" pointer to NULL
o for an address, use calloc() instead of malloc() so the struct is zeroed
Fixes a SEGV in pfctl due to uninitialized "next" pointers.


# 1.21 23-Aug-2001 deraadt

Support var="string". Expansion (at lex time) done using $var, for instance:
okproto="{ssh, smtp, domain, auth}"
pass in on key0 proto tcp from any to any port $okproto keep state
Can I ask someone else to document this in pf.conf(5)?


# 1.20 19-Aug-2001 dhartmei

Add parameter list support to parser. Handles lists for protocol, hosts
and ports in filter rules, like

block in from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
pass in proto tcp from any to any port { ssh, 1024 >< 2000, > 65000 }
block in proto { udp, igmp }

and does rule expansion (generate all needed rule combinations).
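
The list expansion described here, together with the mixed-family rule from the 1.70 message above (IPv4 is only ever paired with IPv4, IPv6 with IPv6, and an expansion that yields no valid combination is an error, as 1.108 also notes), as an added example that is not pfctl's own code. The struct names, the host list format (plain addresses only, no prefix lengths or "any") and the use of AF_UNSPEC for a rule without an inet/inet6 keyword are assumptions of the example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOSTS	8

/* A parsed host and its address family: a constructed stand-in for pfctl's
 * node_host. Prefix lengths and "any" are left out to keep the example short. */
struct host {
	int	af;			/* AF_INET or AF_INET6 */
	char	text[INET6_ADDRSTRLEN];
};

/* One expanded rule; both endpoints share the rule's address family. */
struct rule {
	int		af;
	struct host	from, to;
};

/* Split a list such as "10.1.2.3, ::1" into hosts, classifying each with
 * inet_pton(). Returns the count, or -1 for a bad address or too many hosts. */
int
parse_host_list(const char *list, struct host *out, int max)
{
	const char *p = list;
	unsigned char bin[16];
	size_t len;
	int n = 0;

	for (;;) {
		p += strspn(p, ", ");		/* skip separators */
		if (*p == '\0')
			break;
		len = strcspn(p, ", ");
		if (len >= sizeof(out->text) || n == max)
			return -1;
		memcpy(out[n].text, p, len);
		out[n].text[len] = '\0';
		if (inet_pton(AF_INET, out[n].text, bin) == 1)
			out[n].af = AF_INET;
		else if (inet_pton(AF_INET6, out[n].text, bin) == 1)
			out[n].af = AF_INET6;
		else
			return -1;
		p += len;
		n++;
	}
	return n;
}

/* Expand "from <fromlist> to <tolist>" into one rule per valid combination:
 * IPv4 is never paired with IPv6, and rule_af (AF_UNSPEC when the rule has no
 * inet/inet6 keyword) narrows the family further. Returns the number of rules,
 * or -1 when no combination is valid, which pfctl reports as an error instead
 * of silently loading nothing. With out == NULL the rules are only counted. */
int
expand_rules(int rule_af, const char *fromlist, const char *tolist,
    struct rule *out, int max)
{
	struct host from[MAX_HOSTS], to[MAX_HOSTS];
	int nf, nt, i, j, n = 0;

	if ((nf = parse_host_list(fromlist, from, MAX_HOSTS)) < 0 ||
	    (nt = parse_host_list(tolist, to, MAX_HOSTS)) < 0)
		return -1;
	for (i = 0; i < nf; i++)
		for (j = 0; j < nt; j++) {
			if (from[i].af != to[j].af ||
			    (rule_af != AF_UNSPEC && from[i].af != rule_af))
				continue;
			if (out != NULL) {
				if (n == max)
					return -1;
				out[n].af = from[i].af;
				out[n].from = from[i];
				out[n].to = to[j];
			}
			n++;
		}
	return n > 0 ? n : -1;
}

int
main(void)
{
	struct rule rules[MAX_HOSTS * MAX_HOSTS];
	int i, n;

	/* the list pair from the 1.70 message: 2 of 4 combinations are valid */
	n = expand_rules(AF_UNSPEC, "10.1.2.3, ::1", "10.4.5.6, ::2",
	    rules, MAX_HOSTS * MAX_HOSTS);
	for (i = 0; i < n; i++)
		printf("pass in %s from %s to %s\n",
		    rules[i].af == AF_INET ? "inet" : "inet6",
		    rules[i].from.text, rules[i].to.text);
	return 0;
}
```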


# 1.19 16-Aug-2001 deraadt

track the line number per-token, so that we can report errors correctly


# 1.18 14-Aug-2001 mickey

optimize the flags parsing; markus@ ok


# 1.17 11-Aug-2001 deraadt

\+\n support, and spit out cc-style error messages. the parser's line
counting is lex dependent, and will need to be tweaked


# 1.16 31-Jul-2001 wilfried

allow to test that flags are unset, ok dhartmei@, mickey@


# 1.15 19-Jul-2001 krw

Fix/complete the handling of the binary ops >< and <> to behave
like the ipf operators.

The 'n >< m' construct (Include Range = PF_OP_IRG) should match
ports greater than n and less than m, not greater than or equal to
n and less than or equal to m.

The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match
all ports less than n OR greater than m, not be treated as an
alias for ><.

Thus PF_OP_GL, which was used for both <> and >< is replaced with
PF_OP_IRG and PF_OP_XRG with the 'correct' semantics.

OK dhartmei@
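
The corrected >< and <> semantics from this commit, written out as a small matcher next to the behaviour it replaced, as an added example that is not pfctl's own code. PF_OP_IRG and PF_OP_XRG are the operator names from the message; the struct and function names, the PF_OP_EQ value and the tiny parser (numeric ports only, no service names) are constructed for the example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Port operators. PF_OP_IRG and PF_OP_XRG are the names used in the commit;
 * PF_OP_EQ and the numeric values are constructed for this example. */
enum port_op {
	PF_OP_EQ,	/* n      : port == n */
	PF_OP_IRG,	/* n >< m : Include Range, n < port < m */
	PF_OP_XRG	/* n <> m : Exclude Range, port < n || port > m */
};

struct port_spec {
	enum port_op	op;
	uint16_t	lo, hi;	/* hi is used by the range operators only */
};

/* Evaluate a spec. strict=1 gives the semantics after 1.15; strict=0 gives the
 * pre-1.15 behaviour the commit describes (>< inclusive, <> an alias for ><). */
int
port_match(const struct port_spec *s, uint16_t port, int strict)
{
	switch (s->op) {
	case PF_OP_EQ:
		return port == s->lo;
	case PF_OP_IRG:
		return strict ? (port > s->lo && port < s->hi) :
		    (port >= s->lo && port <= s->hi);
	case PF_OP_XRG:
		return strict ? (port < s->lo || port > s->hi) :
		    (port >= s->lo && port <= s->hi);
	}
	return 0;
}

#define SKIP_BLANKS(p)	while (isspace((unsigned char)*(p))) (p)++

/* Read a decimal port. Port 0 is accepted (1.54); above 65535 is rejected. */
static int
parse_num(const char **p, uint16_t *out)
{
	char *end;
	unsigned long v;

	SKIP_BLANKS(*p);
	if (!isdigit((unsigned char)**p))
		return -1;
	v = strtoul(*p, &end, 10);
	if (v > 65535)
		return -1;
	*p = end;
	*out = (uint16_t)v;
	return 0;
}

/* Parse one port item: "22", "1024 >< 2000" or "1024 <> 2000".
 * Returns 0 on success, -1 when the item is malformed. */
int
parse_port_spec(const char *text, struct port_spec *s)
{
	const char *p = text;

	memset(s, 0, sizeof(*s));
	if (parse_num(&p, &s->lo) == -1)
		return -1;
	SKIP_BLANKS(p);
	if (strncmp(p, "><", 2) == 0)
		s->op = PF_OP_IRG;
	else if (strncmp(p, "<>", 2) == 0)
		s->op = PF_OP_XRG;
	else
		s->op = PF_OP_EQ;	/* a bare number means "port == n" */
	if (s->op != PF_OP_EQ) {
		p += 2;
		/* a range with lo >= hi could never match; reject it */
		if (parse_num(&p, &s->hi) == -1 || s->lo >= s->hi)
			return -1;
	}
	SKIP_BLANKS(p);
	return *p == '\0' ? 0 : -1;
}

/* Parse 'spec' and test 'port' against it under either semantics:
 * 1 match, 0 no match, -1 malformed spec. */
int
spec_matches(const char *spec, uint16_t port, int strict)
{
	struct port_spec s;

	if (parse_port_spec(spec, &s) == -1)
		return -1;
	return port_match(&s, port, strict);
}
```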


# 1.14 18-Jul-2001 markus

new ERROR token, errx() -> warnx() + ERROR; ok deraadt@


# 1.13 18-Jul-2001 markus

KNF for return


# 1.12 18-Jul-2001 mickey

check number range to fit in 32 bits


# 1.11 18-Jul-2001 mickey

put range checks on NUMBER, pointed out by deraadt


# 1.10 17-Jul-2001 mickey

spaces, parens, err instead of errx+strerror


# 1.9 17-Jul-2001 markus

warnx()/YYERROR instead of errx(); suggested by mickey@


# 1.8 17-Jul-2001 provos

markus doesn't like min-ttl =, begone


# 1.7 17-Jul-2001 provos

support min-ttl, okay dhartmei@


# 1.6 17-Jul-2001 provos

normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@


# 1.5 17-Jul-2001 marc

bitch about ! in pf rule; ok dhartmei@ and markus@


# 1.4 17-Jul-2001 millert

Only set default proto in the rdr case; markus@ OK


# 1.3 16-Jul-2001 markus

errx() if getservbyname() fails


# 1.2 16-Jul-2001 markus

better flags parsing; dhartmei


# 1.1 16-Jul-2001 markus

add a yacc parser for pf.conf and nat.conf, with help from mickey@,
plus: -n now turns off all operations, and just parses the conf files
ok deraadt@


# 1.687 10-Nov-2018 kn

Unbreak `-D macro=value' (r1.686 regression)

Zap trailing semicolon introduced with miko's cmdline_symset() leading to
unconditional err(3). Zap trailing tab while here.


# 1.686 07-Nov-2018 miko

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@


# 1.685 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.684 16-Sep-2018 millert

Use uid_from_user(3) and gid_from_group(3) in utilities that
do repeated lookups. OK tb@


# 1.683 06-Sep-2018 kn

Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan


# 1.682 16-Jul-2018 kn

reduce duplicate code, fix typo/free correct buffer

In filteropts_to_rule():

* Merge `once' handling from `anchorrule' and `pfrule'
* Remove/shorten duplicate code block
* Fix typo I introduced with r1.678 that frees the wrong buffer (twice)

OK sashan


# 1.681 13-Jul-2018 kn

Fix regression on child queue definitions

I committed the wrong diff in 1.680 which turned `queue cq parent pq ...'
into invalid syntax by changing `interface' to `ON if_item'.

Found by bket, thanks!


# 1.680 11-Jul-2018 kn

Prevent invalid interface specifiers on queue rules

pf.conf(5) states that queues attach to actual interfaces only, yet the
following parses:

# echo queue eq on egress bandwidth 1G default | pfctl -f-
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

# echo queue rq on rdomain 0 bandwidth 1G default | pfctl -vf-
queue rq bandwidth 1G default
# pfctl -sq
pfctl: DIOCGETQSTATS: Bad file descriptor

On rdomains, ifa_exists() returns NULL.
On interface groups, ifa_exists() returns non-NULL but af is never set
to AF_LINK.

OK henning sashan


# 1.679 11-Jul-2018 krw

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@


# 1.678 10-Jul-2018 henning

'set delay' for the generic packet delay mechanism, ok benno sashan


# 1.677 10-Jul-2018 kn

fix anchor rules with filter opts, introduce filteropts_to_rule()

Some filter options were parsed but not set on anchor rules due to missing
copies of the respective struct members:

$ cat pf.conf
queue rq on trunk0 bandwidth 1G
queue dq parent rq bandwidth 1G default
anchor a set queue dq
$ pfctl -vnf pf.conf | fgrep queue
anchor "a" all

Fix this by moving common code from `anchorrule' and `pfrule' into a new
helper filteropts_to_rule().

Input from henning and benno
OK henning sashan jca


# 1.676 09-Jul-2018 kn

Zap dead code

Commented since r1.465 (2004).

OK deraadt benno jca sashan


# 1.675 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.674 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.673 18-May-2018 benno

A pf rule with a "on rdomain n" with nonexisting rdomain n will cause an

pfctl: DIOCADDRULE: Device busy

error when loading the ruleset, with no information which rule caused
the problem and no indication that the problem is the rdomain
<nonexisting>.

This diff makes pfctl check if the rdomain really exists when parsing
the config.

ok bluhm@


# 1.672 09-May-2018 otto

Fix (include file) line number counting by keeping track of the unget
buffer per file; also use that buffer to expand macros.
ok sashan@ dennis@ krw@


# 1.671 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.670 08-Feb-2018 henning

make the watermarks/thresholds for entering and leaving syncookie mode when
syncookies are set to adaptive tunable, ok claudio benno


# 1.669 06-Feb-2018 henning

allow control over syncookies: set syncookies never/always/adaptive


# 1.668 28-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@


# 1.667 27-Nov-2017 bluhm

The divert structure was using the port number to indicate that
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Convert the pfctl(8) rule parser to divert types, kernel cleanup
will be the next step.
OK sashan@


# 1.666 25-Nov-2017 sashan

- pfctl fails to handle nested 'load anchor' properly
[ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]

OK bluhm@


# 1.665 14-Nov-2017 sashan

- nested anchors vs. pfctl/parse.y
bug reported and fix tested by Leonardo Guardati

OK bluhm@


# 1.664 13-Nov-2017 henning

add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb


Revision tags: OPENBSD_6_2_BASE
# 1.663 11-Aug-2017 benno

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@


# 1.662 19-Jul-2017 mikeb

Allow HFSC classes to use flow queues

The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue. Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.

Discussed with and OK henning@ at d2k17 as a part of a larger diff.


# 1.661 19-Jul-2017 mikeb

Rework HFSC vs FQ-CoDel checks

The selection mechanism introduced in pf_ioctl.c -r1.316 suffers
from being too ambiguous and lacks robustness. Instead of relying
on composition of multiple flags in the queue specification, it's
easier to identify the root class (if it exists) and derive all
further checks from it.


# 1.660 28-May-2017 akfaew

Don't check np->port for NULL - it's an array, it's never NULL.

OK bluhm@


# 1.659 15-May-2017 mikeb

Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)

OK sthen, visa


# 1.658 28-Apr-2017 mikeb

Remove double assignments


Revision tags: OPENBSD_6_1_BASE
# 1.657 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.656 23-Nov-2016 bluhm

Explicitly forbid to combine af-to with route-to in pfctl. The
parser cannot handle that correctly and it is unclear whether the
kernel code would work. Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@


# 1.655 26-Aug-2016 guenther

Add <time.h> for time(); sort <*.h> includes

ok deraadt@


Revision tags: OPENBSD_6_0_BASE
# 1.654 18-Jul-2016 henning

g/c unused (global!) var: oqueues isn't used any more. ALTQ leftover; not
noticed since struct node_queue stayed. ok claudio benno gcc


# 1.653 22-Jun-2016 kettenis

Add curly braces that were missed in rev 1.651. Add parenthesis to make the
condition in the if statement more readable while I'm there.

ok phessler@, benno@, florian@


# 1.652 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.651 21-Jun-2016 benno

the manpage documents that af-to does not work on pass out rules, but
the pf.conf parser allows it, which leads to a non-working configuration
being loaded.
this changes the parser to make pass out .. af-to an error.

ok henning@ mikeb@


# 1.650 16-Jun-2016 henning

allow include in inline anchors
with this,
anchor foo {
include "/path/to/rules"
}
works and "load anchor" is obsolete, to be removed somewhen later after
release.
co-production with reyk at bsdcan, ok reyk mikeb benno sasha


Revision tags: OPENBSD_5_9_BASE
# 1.649 01-Sep-2015 sashan

- route-to, dup-to, reply-to should not override the block action

Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>

ok jung@, ok mikeb@


Revision tags: OPENBSD_5_8_BASE
# 1.648 21-Apr-2015 mikeb

Improve divert-to specification parsing w.r.t. rule address family.
ok henning


Revision tags: OPENBSD_5_7_BASE
# 1.647 26-Feb-2015 sthen

%% not % in error message; ok millert@ henning@


# 1.646 14-Feb-2015 sthen

Rather than using 0xff as a placeholder for "don't check prio", use 0xff to
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.

Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesn't like it he can change it when he recovers from jet-lag"


# 1.645 10-Feb-2015 henning

since we inherit prio (as in, the queuing priority) from outside sources,
i. e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan


# 1.644 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.643 19-Dec-2014 reyk

Support source-hash and random with tables and dynifs; not just pools.
This finally allows using source-hash for dynamic loadbalancing, eg.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.

An older pre-siphash version of this diff was tested by many people.

OK tedu@ benno@


# 1.642 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.641 27-Oct-2014 mikeb

Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic. Reported by sthen@;
ok henning benno sthen


# 1.640 25-Oct-2014 lteo

Remove unnecessary netinet/in_systm.h include.

ok millert@


# 1.639 13-Sep-2014 doug

Replace all queue *_END macro calls except CIRCLEQ_END with NULL.

CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.

ok millert@


# 1.638 23-Aug-2014 pelikan

when you specify queues in a rule, make sure they have been defined.

DIOCADDRULE EBUSY turns into an error message that pfctl -n catches.
DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported
to occur, possibly from hfsc.c: this should be fixed as well.

ok henning mikeb sthen


# 1.637 21-Aug-2014 mikeb

deny "once" flags for match rules; ok henning


Revision tags: OPENBSD_5_6_BASE
# 1.636 02-Jul-2014 mikeb

branches: 1.636.4;
condition above makes this part of the check useless;
overlooked in the previous commit


# 1.635 30-Jun-2014 mikeb

Merge two loops in collapse_redirspec into one

This lets us do the checks only once and also make smarter decisions
about the rule's own address family. As a result af-to rules no longer
need to specify the address family after 'pass'.

ok henning


# 1.634 25-Jun-2014 mikeb

Make stricter decisions when handling translation specifications.

In particular, disallow specifications containing addresses of
different address families when rule doesn't specify one, for
example "pass out nat-to { ::1 1.1.1.1 }" will now produce an
error instead of silently picking one of the addresses.

sthen and deraadt agree


# 1.633 17-May-2014 bluhm

When parsing a numerical value for the TOS bits, make sure that it
is in a valid range.
OK henning@


# 1.632 19-Apr-2014 henning

remove altq bits here, too
(i was convinced i committed that yesterday already, hrm)


Revision tags: OPENBSD_5_5_BASE
# 1.631 22-Jan-2014 henning

branches: 1.631.4;
relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.630 21-Jan-2014 henning

if_item can be "any" now.
allows things like
block out on $someif received-on any
to prevent packets to get forwarded to $someif


# 1.629 20-Jan-2014 henning

support "!received-on <interface>", ok dlg benno


# 1.628 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.627 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


# 1.626 17-Oct-2013 henning

cannot have queue definitions inside anchors.
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@@ring0.de>, analysis & fix yours truly


# 1.625 12-Oct-2013 henning

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen


# 1.624 01-Aug-2013 mikeb

Provide local implementations of if_nametoindex(3) and if_indextoname(3)
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule. Performance wise this change provides a speed up
factor of 20 with an 11k line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).

"wow!" henning, ok benno, florian


Revision tags: OPENBSD_5_4_BASE
# 1.623 01-Jun-2013 henning

branches: 1.623.2;
remove set-tos backwards compat, moved into the set {} block a year ago
ok ryan


# 1.622 02-Mar-2013 sthen

When a PF rule contains 'set tos' *followed by* a scrub option, the tos
value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning


Revision tags: OPENBSD_5_3_BASE
# 1.621 16-Jan-2013 henning

for consistency with prio etc, the queue assignment really belongs
into the set block. so make pfctl accept, print and the manpage document
. match set queue foo
instead of
. match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc


# 1.620 18-Oct-2012 reyk

Disallow tables and interface address pools for rdr-to, nat-to and
route-to with any other scheduling algorithms than round-robin or
least-states. Before this change, pfctl accepted and loaded invalid
address pools, eg. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.

Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.

ok zinke@


# 1.619 18-Sep-2012 henning

prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb


Revision tags: OPENBSD_5_2_BASE
# 1.618 10-Jul-2012 bluhm

Allow an implicit address family for af-to rules. If the address
family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6"
there.
OK henning@ mikeb@


# 1.617 10-Jul-2012 henning

set { ... } -> set ( ... )
brought up by ryan, discussed with him and theo and they convinced me


# 1.616 09-Jul-2012 henning

fix some of the confusion we have in pf regarding filter criteria vs
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler


# 1.615 07-Jul-2012 henning

remove incorrect check in pfctl preventing set-tos for ipvshit.
the kernel has code to deal with set-tos and that crap. don't ask for
details. stuart ok


# 1.614 07-Jul-2012 henning

rename prio in struct pf_rule and related structs to set_prio so it is
utterly clear this is not a filter criterion but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc


Revision tags: OPENBSD_5_1_BASE
# 1.613 19-Dec-2011 mikeb

unbreak rule optimizer; ok henning, looks


# 1.612 12-Dec-2011 mikeb

fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule. essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault


# 1.611 03-Dec-2011 mcbride

pfctl_set_hostid always returns 0; don't pretend otherwise and make it a
void function instead.

ok dlg


# 1.610 13-Oct-2011 claudio

pfctl change for af-to / NAT64 support.
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@
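
The af-to forms described in this entry (together with the later relaxation in rev 1.618, which makes the address family after `pass` optional when from/to already determines it), as an added pf.conf fragment that is not part of the commit or of the OpenBSD tree. The interface name and the addresses are placeholders; the NAT64 prefix used is the RFC 6052 well-known prefix 64:ff9b::/96, chosen here only for illustration.

```pf
# Added example (not from the commit): af-to syntax as described in
# rev 1.610. $ext_if, $v4_out and the addresses are placeholders.
ext_if = "em0"
v4_out = "192.0.2.1"

# IPv4 -> IPv6 translation with both translated endpoints given
# explicitly, exactly the general form shown in the commit message
pass in on $ext_if inet from any to 192.168.1.1 \
    af-to inet6 from 2001:db8::1 to 2001:db8::2

# since rev 1.618 the "inet" after pass may be left out here, because
# the IPv4 "to" address already fixes the rule's address family:
#   pass in on $ext_if from any to 192.168.1.1 \
#       af-to inet6 from 2001:db8::1 to 2001:db8::2

# NAT64: no "to" in the af-to part; the IPv4 destination is taken from
# the IPv6 destination address of the matching packet
pass in on $ext_if inet6 from any to 64:ff9b::/96 af-to inet from $v4_out
```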


# 1.609 07-Sep-2011 haesbaert

Avoid a possible SIGSEGV with a wrong tos option.


# 1.608 30-Aug-2011 mikeb

One shot rules can be used in pf.conf by specifying a "once" filter option.

ok henning, mcbride


Revision tags: OPENBSD_5_0_BASE
# 1.607 29-Jul-2011 mcbride

Remove requirement to quote 'debug' loglevel for the 'debug' option.

ok henning


# 1.606 27-Jul-2011 mcbride

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with a some minor cleanup.
ok henning claudio deraadt


# 1.605 13-Jul-2011 mcbride

Force the user to specify a protocol when filtering on user, gid, and os
attributes (this is now required by pf_rule_test()).

ok sthen henning


# 1.604 08-Jul-2011 henning

allow rules to specify "prio X" or "prio (X, Y)" to assign priority levels
for the new priority queueing implementation. valid range is 0 to 7. the old
trick for prioritizing empty ACKs etc remains thru the latter notation
ok ryan mpf sthen plus pea testing and halex and claudio reading


# 1.603 07-Jul-2011 mcbride

Fold pf_test_fragment() into pf_test_rule(); reduces code and fixes
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus


# 1.602 04-Jul-2011 henning

bye bye require-order.
i added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo


# 1.601 03-Jul-2011 henning

g/c RIO traces (aka clean up after tedu :))


# 1.600 03-Jul-2011 zinke

bring in least-states load balancing algorithm

ok mcbride@ henning@


# 1.599 06-Apr-2011 claudio

Userland bits to allow PF to filter on the rdomain a packet belongs to.
This allows to write rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@


# 1.598 05-Apr-2011 mikeb

ditch fastroute, an ipf feature that made its way into pf before
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do. reuse some kernel bits for the upcoming nat64
stuff. "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.


Revision tags: OPENBSD_4_9_BASE
# 1.597 31-Dec-2010 bluhm

According to pf_scrub_ip6() pf does not support the scrub options
no-df, random-id, set-tos for IPv6 rules. Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@


# 1.596 15-Dec-2010 henning

make the "invalid probability:" yyerror suck less
From: Thomas Pfaff <tpfaff@tp76.info>


# 1.595 01-Dec-2010 jsg

remove some unused tokens
ok henning@ mcbride@


# 1.594 24-Sep-2010 henning

remove the check that enforced rdr-to only inbound and nat-to only outbound.
both now can be used in both directions. the kernel has allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given, a rule with rdr-to and/or nat-to
and no direction is pretty certainly an error (although it would work,
technically)
ok ryan claudio dlg


# 1.593 22-Sep-2010 henning

new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually


# 1.592 02-Sep-2010 sobrado

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@


Revision tags: OPENBSD_4_8_BASE
# 1.591 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.590 03-Jul-2010 mcbride

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
inline anchors.

tested by phessler
ok henning


# 1.589 23-Mar-2010 henning

remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving anchors aside) is wrong and
conflicts with the general idea of how pf works. last not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc


Revision tags: OPENBSD_4_7_BASE
# 1.588 13-Jan-2010 deraadt

Move tokens before productions into more consistent places
ok mcbride


# 1.587 13-Jan-2010 mcbride

Allow /netmask notation in redir spec, fix the rest of the regress
tests for illegal conditions in translation/routing.


# 1.586 12-Jan-2010 mcbride

We actually have to keep the translate/route spec addresses around after
collapsing into tables, so that we can handle all possible address family
expansions.


# 1.585 12-Jan-2010 mcbride

Set roundrobin flag correctly, and don't treat a bare interface
like a dynamic one in the routespec.


# 1.584 12-Jan-2010 mcbride

Add restrictions to make @if illegal outside of routing specs;
Fix binat-to sanity checks.


# 1.583 12-Jan-2010 mcbride

Fix some issues in redir spec handling, discovered thanks to dlg testing
- purge irrelevant addresses from the lists before collapsing
- ensure the lists are freed after they're collapsed
- more careful ifname copying, avoiding double-free / use-after-free traps


# 1.582 12-Jan-2010 mcbride

Don't leak @if0 format routing host names, pointed out by claudio.


# 1.581 12-Jan-2010 mcbride

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio


# 1.580 10-Jan-2010 deraadt

lex <=, >=, and != into a single token for correctness and to reduce the
lookahead in the parser
ok henning otto


# 1.579 10-Jan-2010 deraadt

In the non-optimized case, an address list containing "any" (ie. { any 10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1. How long this bug has
been with us is unclear.
ok guenther mcbride


# 1.578 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


# 1.577 24-Dec-2009 dlg

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:

pass out on em0 from $foo to $bar received-on fxp0

I've been running this in production for a week now. I find it particularly
useful with interface groups.

no objections, and a few "i like"s from henning, claudio, deraadt, mpf


# 1.576 10-Dec-2009 deraadt

plug some memory leaks; found by parfait, ok henning


# 1.575 22-Nov-2009 henning

cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing


# 1.574 09-Nov-2009 jsg

A few more places to be updated for the route pool change.
expanded version of a diff from Vadim Zhukov.

ok henning@ claudio@


# 1.573 28-Oct-2009 jsg

Add a dedicated pf pool for route options as suggested by henning,
which unbreaks i.e. route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@


# 1.572 28-Oct-2009 claudio

route_host initializes the netmask to a /128 no matter what af is used, so
that the load balancing code does not freak out, but because of this
check_netmask() is now complaining. So set the addr.type to PF_ADDR_DYNIFTL
so that check_netmask() fixes up the netmask for IPv4 and stops complaining.
This is a partial fix for the failing regress test 13.
found with jsg, looks good henning


# 1.571 28-Oct-2009 claudio

Correct function name in err and errx.


# 1.570 04-Oct-2009 michele

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who spotted the limitations of this approach.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@


# 1.569 08-Sep-2009 michele

I had not enough oks to commit this diff.
Sorry.


# 1.568 08-Sep-2009 michele

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.


# 1.567 07-Sep-2009 reyk

implement binat-to as a macro-like rule: a rule using the new binat-to
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel. this simplifies the migration from old
binat rules and is less error-prone.

feedback from many, manpage bits from jmc@
ok henning@


# 1.566 03-Sep-2009 reyk

this time i commit the right diff that was
ok henning@ (sorry)


# 1.565 03-Sep-2009 reyk

fix two route-to vs. rdr-to conflicts.

found by sthen@
ok henning@


# 1.564 02-Sep-2009 reyk

all the new *-to options are part of the "filteropts" section at the
end of a pf rule (nat-to, divert-to, rdr-to, ...). take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.

for example,
pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)

many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@


# 1.563 01-Sep-2009 henning

the diff theo calls me insanae for:
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too
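
The inline address rewrite described in this entry and the option placement of rev 1.564, as an added pf.conf fragment that is neither the commit's nor the project's own code. Interface names and addresses are placeholders; the ordering of the match and pass rules is the point.

```pf
# Added example (not from the commit): nat-to/rdr-to as rule actions
# per rev 1.563, with route-to in the filteropts position per rev 1.564.
# $int_if, $ext_if and all addresses are placeholders.
int_if = "em1"
ext_if = "em0"

# nat and rdr are actions on ordinary rules; at this revision pfctl still
# only accepts rdr-to on inbound and nat-to on outbound rules
match in  on $ext_if proto tcp to port 80 rdr-to 10.0.0.80
match out on $ext_if from 10.0.0.0/24 nat-to 192.0.2.1

# the rewrite happens inline: rules after the match rule already see the
# translated destination, so the filter names the internal host
pass in on $ext_if proto tcp to 10.0.0.80 port 80

# translation can be applied more than once: the second rule matches on
# the address the first rule produced, so 192.0.2.10 ends up at 10.0.0.11
match in on $ext_if to 192.0.2.10 rdr-to 10.0.0.10
match in on $ext_if to 10.0.0.10 rdr-to 10.0.0.11

# route options now sit at the end with the other *-to filter options,
# no longer between the direction/interface and the from/to part
pass in on $int_if from 10.0.0.0/24 route-to (em0 192.0.2.254)
```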


# 1.562 28-Jul-2009 claudio

Bring back rev. 1.560:
Make it possible to use DiffServ Code Point in the TOS fields.
Requested by deraadt@


# 1.561 27-Jul-2009 deraadt

When will people learn to commit their .h file changes?


# 1.560 27-Jul-2009 claudio

Make it possible to use DiffServ Code Point in the TOS fields. Names like
af11, cs6 and ef will now be mapped to the corresponding TOS value.
OK henning@, sthen@, mcbride@


Revision tags: OPENBSD_4_6_BASE
# 1.559 14-May-2009 sthen

actually change the require-order default to No; I missed a part with
my last commit. ok deraadt@


# 1.558 26-Apr-2009 sthen

switch the require-order default to "no". regression tests still pass.
ok henning@ deraadt@


# 1.557 25-Apr-2009 henning

scrub_opts must not be empty, scrub on its own does nothing.
noticed due to a question from otto@, ok regress/sbin/pfctl/ ;)


# 1.556 06-Apr-2009 henning

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given, fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. as opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
means a single packet can get logged more than once (think multiple log
interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.
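
The semantics described in this entry, as an added pf.conf fragment that is not part of the commit or of the OpenBSD tree. It uses the syntax as it stood at this revision (`scrub(...)` directly on rules, `queue` directly on a rule; the later `set (...)` form does not exist yet). The interface, the queue names, the addresses, and the ALTQ queue definitions the queue names would require are assumed and left out.

```pf
# Added example (not from the commit): the match/scrub/reassemble
# behaviour described in rev 1.556. $ext_if, the queue names and the
# addresses are placeholders; the queues themselves are not defined here.
ext_if = "em0"

# 2) reassembly is a single global switch; no-df clears df on fragments
#    only, never on unfragmented packets
set reassemble yes no-df

# 3) scrub options live on ordinary rules and are tracked statefully
match in on $ext_if scrub(no-df, random-id, max-mss 1400)
pass  in on $ext_if proto tcp to port 80 scrub(min-ttl 64, set-tos lowdelay)

# 4) a match rule sets actions every time it matches but never decides
#    pass/block; the last pass/block rule that matches decides that
match out on $ext_if proto tcp to port 80 queue web
match out on $ext_if proto tcp to port 22 queue ssh

# "last rule that set a queue wins": this pass rule sets no queue, so a
# port 22 packet keeps the ssh queue from the match rule above
pass out on $ext_if proto tcp to port { 22 80 }

# every matching rule with log logs the packet, so a port 25 packet is
# logged twice here
match in on $ext_if log proto tcp to port 25
pass  in on $ext_if log proto tcp to port 25

# match does not flip pass/block: this packet stays blocked, it just
# gets the queue assignment on the way out
block in on $ext_if proto udp to port 137
match in on $ext_if proto udp to port 137 queue noise
```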


Revision tags: OPENBSD_4_5_BASE
# 1.555 19-Feb-2009 deraadt

spacing


# 1.554 17-Oct-2008 henning

in findeol(), do not skip the pushback buffer. fixes PR 5952 by sthen@ and
should make the pushback buffer really transparent.
diagnosis by me, fix with mpf, some input deraadt, ok mpf


# 1.553 02-Oct-2008 henning

implement "set state-defaults X", where X is a list of state options as
permitted keep state(X). applies to all rules which do not have keep state
explicitly. e. g. "set state-defaults pflow, no-sync"
ok phessler deraadt


# 1.552 10-Sep-2008 deraadt

do not try to print $$ when it has not been set


# 1.551 09-Sep-2008 henning

welcome pflow(4), a netflow v5 compatible flow export interface.
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo


# 1.550 07-Aug-2008 henning

correctly copy the log interface spec when expanding an antispoof rule that
covers loopback addresses. ok ryan
problem report from Harald Dunkel <harald.dunkel@aixigo.de>


Revision tags: OPENBSD_4_4_BASE
# 1.549 03-Jul-2008 deraadt

do not forget to initialize the other members of $$ in qname; noted by mark shroyer
ok henning


# 1.548 10-Jun-2008 mcbride

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt


# 1.547 10-Jun-2008 henning

new state option "sloppy" to use the sloppy tcp state tracker instead
of the good one. ok theo ryan reyk


# 1.546 09-May-2008 deraadt

Replace a crockpot of semi-cloned productions for handling port
numbers with one, and fix a few other bugs along the way
ok mpf henning


# 1.545 09-May-2008 markus

convert port byte order in the production; add port keyword; ok deraadt@


# 1.544 09-May-2008 markus

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@


# 1.543 08-May-2008 deraadt

make "to any" optional in binat, or well, the implied default.
requested by reyk, ok reyk mpf


# 1.542 08-May-2008 deraadt

Loosen grammar to permit any number of newlines within most kinds of { }
blocks, as requested by reyk; ok reyk mpf henning


# 1.541 08-May-2008 deraadt

Bring back (in a more yacc friendly way) support for setting variables
to a sequence of strings and numbers, which get folded together into one
string (and later, when used, is re-lexed)
ok mpf


# 1.540 07-May-2008 deraadt

do not assume PF_INOUT is 0 in the enum; ok mcbride


# 1.539 07-May-2008 markus

scrub packets based on tags; ok henning


# 1.538 07-May-2008 markus

allow setting TOS with scrub; ok mcbride, claudio


# 1.537 21-Apr-2008 deraadt

optnl is a crutch for those who do not understand yacc. it
leads to a variety of errors; ok mcbride


Revision tags: OPENBSD_4_3_BASE
# 1.536 01-Feb-2008 mcbride

Enable the rest of the filter_opts to be used on anchors. These were accepted
by the parser but not passed to the kernel. This allows filtering based on
uid, gid, icmp options, tcp flags, os fingerprint, tos, tags, and probability;
It also allows the label to be set. State options and tagging are not
permitted.

ok henning mpf


# 1.535 13-Nov-2007 mpf

Bring back the number converter for 'set hostid'.
I forgot to think about hex numbers when I removed it.
OK deraadt@


# 1.534 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.533 25-Oct-2007 mpf

Fix probability rules w/ numbers (e.g probability 0.4).
Add support for probabilities of 0% and 100%.
With and OK deraadt@


# 1.532 22-Oct-2007 pyr

sync with daemon parser code.
ok deraadt@


# 1.531 22-Oct-2007 deraadt

pfctl does not need file secrecy


# 1.530 16-Oct-2007 mpf

Allow unquoted numbers in variables.
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.

OK deraadt@


# 1.529 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.528 13-Oct-2007 deraadt

support an include directive; file of course must also be "secure" like
the main configuration file; ok henning


# 1.527 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.526 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.525 01-Oct-2007 mpf

Backout NUMBER to string conversion.
Requested by deraadt@


# 1.524 27-Sep-2007 mpf

Add loginterface support for groups.
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.

OK henning@, markus@


# 1.523 23-Sep-2007 mpf

Allow numbers to be used as unquoted strings again.
While there, also restrict the use of concatenated, unquoted
strings for variable assignments only.

Eyeballed by markus@, OK henning@


# 1.522 12-Sep-2007 deraadt

add a missing range check for rtable ids; ok cloder henning


# 1.521 12-Sep-2007 deraadt

Add support to the lex for parsing numbers out of the stream. handle
this in the parser. because the new numbers are int64_t, many new
range checks for < 0 are needed. re-check and improve all the
existing range checks while at it. thanks for help by cloder and
dhartmei


# 1.520 30-Aug-2007 dhartmei

add support for address ranges ("from 10.1.2.50 - 10.1.3.75") in from/to
criteria. ok mcbride@


Revision tags: OPENBSD_4_2_BASE
# 1.519 21-Jun-2007 henning

always initialize logif, from max laier, ok ryan


# 1.518 20-Jun-2007 mpf

Allow "log" for nat rules without "pass".
OK henning@, ``passt scho'' markus@


Revision tags: OPENBSD_4_1_BASE
# 1.517 03-Feb-2007 dhartmei

in decide_address_family(), only limit a rule to a specific address family
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@


# 1.516 07-Nov-2006 mcbride

Unbreak authpf by handling non-inline anchors separately from the { } anchors
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.

ok deraadt@


# 1.515 31-Oct-2006 mcbride

Allow pfctl ruleset optimizer to be controlled from the ruleset.

"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]

You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.

cleanup and ok henning@


# 1.514 31-Oct-2006 mcbride

- don't allow anchors with _* names to be cleared or loaded from the
command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified

'looks sensible' deraadt@


# 1.513 28-Oct-2006 mcbride

Load all rules into memory before loading into the kernel, and add support
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").

anchor on fxp0 {
pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@


# 1.512 25-Oct-2006 henning

make absolutely sure logif is 0 unless set specifically, even if log is 0.
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...


# 1.511 25-Oct-2006 henning

and another nit, $$.log should be set to 0 explicitly on quick without log


# 1.510 25-Oct-2006 henning

urgs, $$.quick needs to be set to 0 explicitly on log (without quick)


# 1.509 25-Oct-2006 henning

allow the log interface to be selected like
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride


# 1.508 17-Oct-2006 mcbride

Don't automatically set 'flags S/SA' on stateless rules.

pointed out by david@

ok mpf@ dhartmei@


# 1.507 11-Oct-2006 deraadt

quotes around filename, pr 5253, sthen@zephyr.spacehopper.org


# 1.506 11-Oct-2006 mcbride

Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside
the anchor, terminate ruleset evaluation when stepping out of the anchor.

This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.

ok dhartmei@ henning@ deraadt@
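
Combining `quick` on an anchor (this entry) with the inline anchor blocks of rev 1.513, as an added pf.conf fragment that is not taken from either commit or from the OpenBSD tree. The interface and the addresses are placeholders.

```pf
# Added example (not from the commits): "quick" on anchors per rev 1.506
# using the inline { } anchor syntax of rev 1.513. $ext_if and the
# addresses are placeholders.
ext_if = "em0"

# quick only ends evaluation when some rule inside the anchor matched:
# a packet that matches nothing in here falls through to the rules below
anchor "ssh" on $ext_if quick {
    pass in proto tcp to port 22
}

# to make an anchor terminal for every packet it is evaluated for, start
# it with a catch-all so there is always a matching rule inside
anchor "dmz" on $ext_if quick {
    block all
    pass in proto tcp to 192.0.2.10 port { 80 443 }
}

# the name is optional on inline anchors
anchor on $ext_if {
    pass in proto tcp to port 25
}

block in on $ext_if
```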


# 1.505 06-Oct-2006 mcbride

Oops, flags S/SA doesn't work on fragments.


# 1.504 06-Oct-2006 mcbride

Make 'flags S/SA keep state' the implicit default for filter rules, based on
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.

IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.

Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.

ok dhartmei@ deraadt@ henning@


Revision tags: OPENBSD_4_0_BASE
# 1.503 22-Aug-2006 dhartmei

back out -r1.497 (support for "tagged {}" lists), it broke "tagged" support
for nat rules. sorry, existing functionality trumps syntactic sugar. feel
free to resubmit a complete patch. closes PR 5207.


# 1.502 06-Jul-2006 henning

add "rtable" to select alternate routing tables.
with & ok claudio hshoexer


# 1.501 17-Jun-2006 henning

KNF


# 1.500 28-May-2006 mcbride

Make per-rule adaptive timeouts behave the same way as the global adaptive
timeouts.


# 1.499 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.498 02-May-2006 dhartmei

fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, create
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.


# 1.497 01-May-2006 dhartmei

add support for "tagged {}" lists, from Pierre-Yves Ritschard


# 1.496 06-Apr-2006 henning

allow lists inside lists for address specs, has been in my tree for
quite some time... theo likes


# 1.495 14-Mar-2006 djm

implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@


Revision tags: OPENBSD_3_9_BASE
# 1.494 17-Nov-2005 dhartmei

for pfctl -f rules, open the file before resetting options. when opening
the file fails, produce only the error message and leave options
unchanged. reported by Tamas TEVESZ, ok deraadt@


# 1.493 13-Oct-2005 henning

unused parameters


Revision tags: OPENBSD_3_8_BASE
# 1.492 14-Jun-2005 henning

no need to restrict tagging to stateful rules any more, dhartmei ok
From: "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.491 27-May-2005 dhartmei

get rid of 'log-all'. now that we have 'log (options)', make 'all' an
option to log. so, 'log-all' becomes 'log (all)'.


# 1.490 27-May-2005 dhartmei

get rid of shift/reduce conflicts, don't support empty logopts


# 1.489 27-May-2005 dhartmei

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v are used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.


# 1.488 27-May-2005 dhartmei

allow 'tagged' in 'anchor' rules (without complaining about missing
'keep state'), as a condition to branch into the anchor. suggested
by Bill Marquette.


# 1.487 26-May-2005 camield

The illegalness of "no nat log" is already enforced by the grammar.

ok dhartmei


# 1.486 26-May-2005 dhartmei

support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@


# 1.485 23-May-2005 camield

remove code that duplicates getservice()

ok dhartmei mcbride


# 1.484 21-May-2005 henning

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo


# 1.483 22-Apr-2005 camield

Catch bad flags, ie. flags that always evaluate to false. This happens
if there are flags on the lefthandside that are masked off by the
righthand side.

ok mcbride@ (long time ago) dhartmei@ henning@
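
Added example, not part of this log or of pfctl's code: a Python parser for pf's "flags set/mask" notation that implements the check the commit above describes. pf's own implementation lives in parse.y (C/yacc); the flag letters and the comparison (packet & mask) == set follow pf.conf(5) and pf(4) as the commit relies on them.

```python
# TCP flag letters as pf.conf accepts them, mapped to header bits.
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}


def parse_flagset(text):
    """Turn a string of flag letters such as 'SA' into a bitmask."""
    bits = 0
    for ch in text:
        if ch not in TCP_FLAGS:
            raise ValueError(f"unknown tcp flag {ch!r}")
        bits |= TCP_FLAGS[ch]
    return bits


def parse_flags(spec):
    """'S/SA' -> (set, mask); '/SA' means none of the masked flags may be set;
    'any' disables flag matching entirely (set and mask both zero)."""
    if spec == "any":
        return 0, 0
    left, sep, right = spec.partition("/")
    if not sep:
        raise ValueError("flags need the form set/mask")
    return parse_flagset(left), parse_flagset(right)


def always_false(fset, fmask):
    """A flag required on the left but absent from the mask on the right can
    never satisfy (packet & mask) == set, whatever the packet carries."""
    return bool(fset & ~fmask)


def check_flags(spec):
    """Parser-side sanity check: reject a set/mask that can never match."""
    fset, fmask = parse_flags(spec)
    if always_false(fset, fmask):
        raise ValueError(f"flags {spec}: flags on the left are masked off on the right")
    return fset, fmask


def flags_match(spec, packet_flags):
    """Kernel-side comparison for one packet's TCP flags byte."""
    fset, fmask = parse_flags(spec)
    return (packet_flags & fmask) == fset


def is_bad_spec(spec):
    """Convenience wrapper: True when check_flags would refuse the spec."""
    try:
        check_flags(spec)
    except ValueError:
        return True
    return False
```

With "S/A" the rule looks as if it matched SYN-only packets, but the comparison masks the SYN bit away before comparing it against a required SYN, so neither a bare SYN (0x02) nor a SYN/ACK (0x12) ever matches; the check catches this at load time instead of silently producing a rule that never fires.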


Revision tags: OPENBSD_3_7_BASE
# 1.482 07-Mar-2005 henning

print unsigned long with %lu, not with %d and not with %ld.
From: Andrey Matveev <andrushock@korovino.net>


# 1.481 06-Mar-2005 henning

allow commas in the hfsc service curve spec, inconsistency pointed out in
PR4134 / geoff@collyer.net and a longer mail exchange with han boetes


# 1.480 06-Mar-2005 dhartmei

print "set skip on" with -v in such a way that the output is valid input
syntax, instead of the cryptic hex flags output.


# 1.479 27-Feb-2005 dhartmei

support 'tagged' in translation rules, non-delayed tag lookup
ok henning@, deraadt@


# 1.478 26-Feb-2005 henning

you sure get the impression the number of memory leaks in error paths
is infinite... Andrey Matveev <andrushock@korovino.net> spotted a few again!


# 1.477 07-Feb-2005 david

KNF; ok henning@


# 1.476 28-Jan-2005 dhartmei

add messages for syntax errors that caused silent failure before.
found by Peter Fraser, ok henning@


# 1.475 27-Jan-2005 dhartmei

dynamic interface names must start with a letter. catches the nonsensical
"(10.1.2.3)" that results from a simple typo like "$(ext_ip)" instead of
"$(ext_if)".


# 1.474 05-Jan-2005 mcbride

Modify pfctl behaviour so that 'set ...' options are no longer "sticky", ie.
they are reset to default values if omitted from a subsequent ruleset load.
Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set
without resetting the others, eg:
# echo "set loginterface fxp0" | pfctl -mf -

ok henning@ dhartmei@


# 1.473 29-Dec-2004 mcbride

Print 'set fingerprints' correctly when parsing verbosely.


# 1.472 23-Dec-2004 dhartmei

set rule_flag PFRULE_SRCTRACK when setting srctrack, found by camield@
using regress test pf84


# 1.471 22-Dec-2004 dhartmei

Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@


# 1.470 15-Dec-2004 henning

missing free()s; with pat


# 1.469 10-Dec-2004 henning

allow pf to filter on route labels
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan


# 1.468 08-Dec-2004 mcbride

Add "'overload' requires 'max-src-conn' or 'max-src-conn-rate'" sanity check,
fix some cut-n-paste mayhem in other related checks.


# 1.467 07-Dec-2004 dhartmei

re-commit mcbride@'s 'flush global', this time without the breakage in
pfvar.h. builds kernel and userland.


# 1.466 07-Dec-2004 deraadt

real backout


# 1.465 07-Dec-2004 deraadt

oops, incomplete backout


# 1.464 07-Dec-2004 deraadt

tree does not compile, spotted by dlg (not obvious how to fix)
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.463 07-Dec-2004 mcbride

Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@


# 1.462 05-Dec-2004 dhartmei

initialize $$->tail and $$->next for MAXSRCCONNRATE


# 1.461 04-Dec-2004 mcbride

Userland support for limiting open tcp connections per source. eg:

keep state (max-src-conn 1000, max-src-conn-rate 100/10, overflow <bad> flush)

allow a maximum of 1000 open connections or 100 new connections in 10 seconds.
The addresses of offenders are added to the <bad> table which can be used in
the ruleset, and existing states from that host are flushed.

ok deraadt@ dhartmei@
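
Added example, not part of this log or of pf's code: a Python model of the per-source limits described in this commit and of the two overload flush modes introduced in 1.463 above ('flush' drops only the states this rule created for the offending source; 'flush global' drops every state from that source). The state table, rule objects, timestamps and addresses are constructed for illustration; pf keeps this bookkeeping in the kernel state tree, and the rate window semantics here are a plain sliding window, an assumption about detail the commit message does not spell out.

```python
import collections


class StateTable:
    """Toy model of the pf state tree: one entry per open connection,
    recording which rule created it, plus the <table>s that overload feeds."""

    def __init__(self):
        self.states = []                              # (src, rule_id)
        self.tables = collections.defaultdict(set)    # table name -> sources

    def open_states(self, src, rule_id=None):
        return [s for s in self.states
                if s[0] == src and (rule_id is None or s[1] == rule_id)]

    def flush(self, src, rule_id, mode):
        """'rule' removes only states this rule created for src;
        'global' removes every state originating from src."""
        if mode == "global":
            self.states = [s for s in self.states if s[0] != src]
        else:
            self.states = [s for s in self.states
                           if not (s[0] == src and s[1] == rule_id)]


class Rule:
    def __init__(self, rule_id, max_src_conn=None, max_src_conn_rate=None,
                 overload=None, flush="rule"):
        self.rule_id = rule_id
        self.max_src_conn = max_src_conn        # open connections per source
        self.rate = max_src_conn_rate           # (count, seconds), e.g. (100, 10)
        self.overload = overload                # table that receives offenders
        self.flush = flush                      # "rule" or "global"
        # src -> timestamps of recent new connections (sliding window model)
        self.recent = collections.defaultdict(collections.deque)

    def _rate_exceeded(self, src, now):
        if self.rate is None:
            return False
        limit, window = self.rate
        q = self.recent[src]
        q.append(now)
        while q and now - q[0] >= window:       # drop entries outside the window
            q.popleft()
        return len(q) > limit

    def new_connection(self, table, src, now):
        """Handle a new connection from src at time now (seconds).
        Returns True if a state was created, False if the source was blocked
        (and, with overload, added to the table and flushed)."""
        too_many = (self.max_src_conn is not None and
                    len(table.open_states(src, self.rule_id)) >= self.max_src_conn)
        too_fast = self._rate_exceeded(src, now)
        if too_many or too_fast:
            if self.overload is not None:
                table.tables[self.overload].add(src)
                table.flush(src, self.rule_id, self.flush)
            return False
        table.states.append((src, self.rule_id))
        return True
```

The first two scenarios in the assertions differ only in the flush mode: with plain flush the attacker's unrelated ssh state survives the web rule's overload, with flush global it is removed as well. The last scenario shows the window sliding so that connections spread over more than the interval never trip the rate limit.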


# 1.460 21-Sep-2004 aaron

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}". henning@, dhartmei@ ok


Revision tags: OPENBSD_3_6_BASE
# 1.459 29-Jun-2004 henning

remove cedric's bogus interface name verification code.
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nice enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being bugged to regularly.
help & ok mcbride@


# 1.458 29-Jun-2004 frantzen

convert a few memcpy()s to strlcpy() so we don't copy uninitialized junk into
an interface name's slack space past the \0. will be needed for the optimizer.
ok henning@


# 1.457 26-Jun-2004 david

add back PF_INOUT, fixes reassemble tcp
ok canacar@ mcbride@


# 1.456 25-Jun-2004 deraadt

repair tree nanobreak by the nanobum


# 1.455 10-Jun-2004 dhartmei

rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
keyword in C++. ok henning@, cedric@


# 1.454 21-May-2004 dhartmei

Use '/' instead of ':' as separator for anchor path components. Note that
the parser now needs quotes around paths containing separators.
ok mcbride@


# 1.453 19-May-2004 dhartmei

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@


# 1.452 24-Apr-2004 cedric

Add "probability xxx" rule modifier. ok deraadt@


# 1.451 22-Apr-2004 henning

typo, From: Jared Yanovich <jjy2+@pitt.edu>


# 1.450 14-Apr-2004 cedric

make antispoof work with dynamic addresses. ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_5_BASE
# 1.449 20-Mar-2004 david

spelling fix; ok dhartmei@ henning@ deraadt@


# 1.448 14-Mar-2004 dhartmei

#include fixes, from Max Laier, ok beck@ henning@


# 1.447 08-Mar-2004 henning

plug 124 memory leaks
ok mcbride@ pb@ dhartmei@


# 1.446 06-Mar-2004 henning

from bgpd:
plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. err(1, "yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.445 01-Mar-2004 dhartmei

support "tagged <name>" on anchor rules, suggested by vd@vmunix.lt,
ok henning@, cedric@


# 1.444 24-Feb-2004 mcbride

'max-src-nodes' requires 'source-track rule'. Set that automatically,
unless 'source-track global' is explicit, in which case error out. Lots of
help from cedric@.

ok cedric@ henning@


# 1.443 24-Feb-2004 cedric

fixup.


# 1.442 24-Feb-2004 mcbride

Check for 'source-track rule' with 'max-src-nodes'.

ok cedric@ henning@


# 1.441 11-Feb-2004 cedric

Fix interface clobbering for link-local addresses. Found by Pyun YongHyeon.
Fix "antispoof for foo" when foo has no addresses.
ok+help dhartmei@, ok mcbride@


# 1.440 10-Feb-2004 henning

KNF


# 1.439 10-Feb-2004 henning

fix at least the worst of Cedric "KNF is for everybody but me" Berger's fuckup


# 1.438 04-Feb-2004 mcbride

Handle rules like 'pass ... proto { tcp udp icmp } ... modulate state'

ok dhartmei@ henning@


# 1.437 03-Feb-2004 henning

fix PR 3664 / jared r r spiegel
we need to save the unexpanded tag/tagged strings before entering the
expansion loop, and at each loop, start with the unexpanded tag, so that
on subsequent loops the macros are replaced with current values and not
the values from previous loop persist
ryan theo ok


# 1.436 05-Jan-2004 henning

few off by ones in strlcpy overflow check; Patrick Latifi


# 1.435 04-Jan-2004 cedric

don't ignore "!" on "binat on !foo". ok mcbride@


# 1.434 31-Dec-2003 deraadt

spacing. note this, cedric


# 1.433 31-Dec-2003 cedric

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@


# 1.432 30-Dec-2003 henning

fix TAILQ abuse.
TAILQ_REMOVE is a no-no within a TAILQ_FOREACH loop.
also free the symbol itself after removal.
all found while hacking bgpd which incorporates pfctl's sym code (macros).

ok cedric@


# 1.431 19-Dec-2003 henning

i wrote much of these, assert my copyright


# 1.430 19-Dec-2003 deraadt

assert copyright. i rewrite much of this


# 1.429 16-Dec-2003 mcbride

Check that max-src-states and max-src-nodes are not being set to 0.


# 1.428 15-Dec-2003 henning

KNF here too


# 1.427 15-Dec-2003 mcbride

Whitespace.


# 1.426 15-Dec-2003 mcbride

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contains regular pf_state structs,
but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@


# 1.425 15-Dec-2003 mcbride

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@


# 1.424 29-Nov-2003 dhartmei

allow ':' (range including boundaries) to be used wherever '><' (range
excluding boundaries) is legal. already supported by kernel, requires only
removal of three error messages. ok henning@


# 1.423 22-Nov-2003 henning

daniel stumbled over a broken regress test, and it turned out that I forgot
to commit a diff from 11/6...
do not insert the "block in on ! interface" rule for antispoof statements when
the interface in question does not have any IP address, because that then
expands to
block in on ! interface all
which is obviously bad.
niklas@ found it, dhartmei@ ok, and I think some more ppl ok I don't remember


# 1.422 14-Nov-2003 henning

allow the debuglevel to be set from pf.conf (set debug)

ok cedric@


# 1.421 08-Nov-2003 mcbride

Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.

pass in proto tcp to self flags S/SA keep state (no-sync)

ok cedric@ henning@ dhartmei@


# 1.420 06-Nov-2003 henning

and fix two err() that should be errx() while being here


# 1.419 06-Nov-2003 henning

need calloc here


# 1.418 06-Nov-2003 henning

allow the label macros to be used in tags as well.
the idea is not mine and I'd love to get credit, but I cannot find the mail
any more :-((

ok canacar@ dhartmei@


# 1.417 21-Oct-2003 itojun

don't use NULL as (int)0. henning ok


# 1.416 26-Sep-2003 cedric

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:

- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK

Ok dhartmei@ mcbride@


Revision tags: OPENBSD_3_4_BASE
# 1.415 01-Sep-2003 henning

KNF


# 1.414 28-Aug-2003 kjell

This change is busted. what's worse, REGRESSION TESTS WOULD HAVE CAUGHT IT!
You MUST test network stack changes on BOTH BYTE-ORDERS.
Someone can fix this later, but right now I need to get the damn
firewall up. Grr.


# 1.413 26-Aug-2003 dhartmei

catch port/user/group a <>/>< b with a >= b, from mpech@


# 1.412 25-Aug-2003 dhartmei

catch return-rst ttl values > 255, from aaron@


# 1.411 24-Aug-2003 cedric

Tweaks:
- Make sure we allow only tables in round-robin pools for routing options,
same as what we do for translation rules.
- Don't reject rules like: "nat on sis0 -> <foo>" because
"no address family is given". This is perfectly valid.
ok henning@


# 1.410 22-Aug-2003 david

pf spelling police
ok dhartmei@ jmc@


# 1.409 21-Aug-2003 frantzen

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001


# 1.408 20-Aug-2003 henning

braindeadness police: catch queues which specify itself as child... 'nuff said


# 1.407 20-Aug-2003 henning

err out nicer on errors in queue def


# 1.406 18-Aug-2003 dhartmei

catch max-mss values > 65535, report by Gregory Steuck


# 1.405 09-Aug-2003 cedric

This patch removes the restriction that tables cannot be used in routing or
redirection rules...

The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.

This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.

Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"

ok henning@ mcbride@


# 1.404 29-Jul-2003 deraadt

indent


# 1.403 19-Jul-2003 cedric

Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
instead of indirectly through struct pf_rule_addr.

Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.

Needless to say: KERNEL/USERLAND SYNC REQUIRED.

ok henning@ mcbride@


# 1.402 18-Jul-2003 cedric

Simplify handling of flags (-R, -N...). Remove PFCTL_FLAG_ALL.
ok dhartmei@


# 1.401 15-Jul-2003 cedric

Repair memory management in table parsing code.
I need vacations.
Found and verified by Pyun YongHyeon.
ok dhartmei@


# 1.400 14-Jul-2003 dhartmei

tpo


# 1.399 11-Jul-2003 cedric

Better parsing and -v support for tables:

- remove the tableaddrs and tableaddr yacc production and reuse
host_list instead.
- produce better error messages.
- do not load addresses from external file when it is not
required (like with -R option).
- store initializers in a new node_tinit linked list before
putting them into the address buffer (see next point).
- add a new print_tabledef() function, which makes "pfctl -nvf"
print something useful for table definitions, which in turn
makes it possible to write better regress tests (see first chunk
of the diff) and bring table definition consistent with other
parsed rules.

ok dhartmei@


# 1.398 10-Jul-2003 cedric

Fix merging of host lists.
ok dhartmei@ henning@


# 1.397 04-Jul-2003 henning

KNF after cedric (grmpf)


# 1.396 04-Jul-2003 henning

allow for a "pass" modifier on translation rules:
nat pass on $ext_if from $a to $b -> $ext_if
when the pass modifier is given, the filter ruleset is _not_ evaluated but
the packets matching this translation rule are passed unconditionally.

ok dhartmei@ cedric@ markus@


# 1.395 03-Jul-2003 cedric

Bye bye atexit(), bye bye globals...
The pfctl.c part will probably need some further improvements.
ok henning@


# 1.394 03-Jul-2003 cedric

This patch finally cleans up pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@


# 1.393 19-Jun-2003 deraadt

knf


# 1.392 18-Jun-2003 henning

change expand_label_addr() to use a switch (h->addr.type) instead of
if .. else if .. else, and handle PF_ADDR_NOROUTE as well.
inspired by a comment from cedric.


# 1.391 18-Jun-2003 henning

when expanding the $srcaddr/$dstaddr label macros and the address is actually
a table reference, don't print nonsense but the table name.
found by claudio jeker, fix by me, agreement by cedric


# 1.390 09-Jun-2003 mcbride

Attempt to resolve byte order confusion in nat code once and for all.

- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()

NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.


# 1.389 25-May-2003 henning

must not run check_netmask() before remove_invalid_hosts() - binat case had it
wrong for the redirection target.
reported by jared r r spiegel <jrrs@ice-nine.org>


# 1.388 19-May-2003 henning

reject invalid netmasks like 10.0.0.0/68, and fix up the netmask for
dynaddr rules after we know the address family

ok dhartmei@, inspired by a session with bob
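
Added example, not part of this log or of pfctl's code: a Python sketch of the load-time sanity checks added in this commit and in 1.413 (port ranges with a >= b), 1.412 (return-rst ttl > 255) and 1.406 (max-mss > 65535) above. The interesting case is the netmask check: for a dynamic address such as (fxp0)/24 the address family is unknown until the interface is resolved, so the check can only be completed afterwards, which is what the commit means by fixing up the netmask "after we know the address family". Helper names, error texts and the '(ifname)' detection are this example's own; pfctl's checks live in parse.y.

```python
import ipaddress

MAX_PREFIX = {"inet": 32, "inet6": 128}


def family_of(addr):
    return "inet6" if ipaddress.ip_address(addr).version == 6 else "inet"


def check_netmask(prefixlen, af):
    """Reject prefix lengths the family cannot hold (10.0.0.0/68).
    af=None models a dynamic address like (fxp0)/24: the family is only
    known after the interface is resolved, so accept anything some family
    could hold now and call again with the real family later."""
    if af is None:
        if not 0 <= prefixlen <= MAX_PREFIX["inet6"]:
            raise ValueError(f"netmask /{prefixlen} is invalid for any family")
        return None
    if not 0 <= prefixlen <= MAX_PREFIX[af]:
        raise ValueError(f"netmask /{prefixlen} is invalid for {af}")
    return af


def check_host(spec):
    """Parse 'addr/len' or '(ifname)/len'; returns (host, prefixlen, af).
    af is None for a dynamic address whose family is still deferred."""
    host, _, masktxt = spec.partition("/")
    prefixlen = int(masktxt) if masktxt else None
    if host.startswith("(") and host.endswith(")"):
        af = None                                  # dynaddr: family deferred
    else:
        af = family_of(host)                       # raises on a bogus literal
    if prefixlen is None:
        prefixlen = MAX_PREFIX[af] if af else None # host route unless dynaddr
    else:
        check_netmask(prefixlen, af)
    return host, prefixlen, af


def check_port_range(op, lo, hi):
    """'><' (inside, excluding bounds) and '<>' (outside) need lo < hi;
    with lo >= hi the set is empty or everything, which is never intended."""
    if op not in ("<>", "><"):
        raise ValueError(f"unknown range operator {op!r}")
    if lo >= hi:
        raise ValueError(f"port {lo} {op} {hi}: lower bound must be below upper")
    return lo, hi


def check_ttl(ttl):
    if not 0 <= ttl <= 255:                        # IP TTL is one octet
        raise ValueError(f"ttl {ttl} out of range")
    return ttl


def check_max_mss(mss):
    if not 0 <= mss <= 65535:                      # TCP MSS option is 16 bits
        raise ValueError(f"max-mss {mss} out of range")
    return mss


def rejected(check, *args):
    """True when the given check refuses its arguments."""
    try:
        check(*args)
    except ValueError:
        return True
    return False
```

Note the two-step behaviour for dynamic addresses in the assertions: (fxp0)/64 is accepted at parse time because it could be a valid IPv6 mask, but re-checking the same /64 once the interface turns out to be IPv4 fails, which is the case the commit fixes.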


# 1.387 19-May-2003 henning

all host() receivers have to test for NULL


# 1.386 19-May-2003 henning

if host() returns NULL, it is an error, so err the fuck out and don't
load bullshit


# 1.385 17-May-2003 henning

support inverse matching on tags like
block in ! tagged sometag

ok dhartmei@ pb@


# 1.384 16-May-2003 dhartmei

TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive end-
point, preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@


# 1.383 15-May-2003 henning

properly complain about too long tags


# 1.382 14-May-2003 frantzen

add scrub modifier "reassemble tcp" to turn on stateful TCP normalizations
ok henning@ dhartmei@


# 1.381 14-May-2003 henning

tagging on binat


# 1.380 14-May-2003 henning

enabled tagging on rdr rules


# 1.379 14-May-2003 henning

with tag/tagged given, only whine about missing keep state on pass rules


# 1.378 14-May-2003 frantzen

allow SCRUB rules to specify protocol again. broken sometime in the past.
okie dhartmei@, yay pb@


# 1.377 14-May-2003 henning

tags on nat rules:
nat on $ext_if all tag humppa -> $ext_if
pass out tagged humppa keep state


# 1.376 13-May-2003 henning

make sure tagging is only ever used with stateful filter rules


# 1.375 13-May-2003 henning

userland part for tagging.
it's now possible to tag packets with an arbitrary tag and filter based on
that tag later on other interfaces:
pass in quick on fxp0 keep state tag blah
pass out quick on wi0 keep state with tag blah
can be used to express trust between interfaces, to distinguish between
NATed connections and connections originating from the firewall itself
and much more

ok dhartmei@ frantzen@ pb@ mcbride@


# 1.374 11-May-2003 mcbride

Don't ntohs() the translation port for nat as it is already in host byte order.
Makes nat ... -> $ext_if port 500 rules work correctly again.

ok henning@ dhartemi@ frantzen@


# 1.373 10-May-2003 henning

support loading of anchors from within the main ruleset via
load anchor anchorname:rulesetname file /path/to/file

ok pb@ dhartmei@ cedric@


# 1.372 03-May-2003 henning

don't free() the char * carrying the rule label too early
noticed by Mathieu Sauve-Frankel <m.sauve at secureops.net> via silc


# 1.371 01-May-2003 henning

ease label handling

ok cedric@


# 1.370 01-May-2003 henning

allow label on antispoof; requested by Gregor Binder <gbinder at sysfive.com>

ok cedric@


# 1.369 30-Apr-2003 cedric

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@


# 1.368 25-Apr-2003 dhartmei

Properly copy the second part of nat proxy port range, when specified.
ok henning@


# 1.367 15-Apr-2003 henning

pass down the unparsed queue opts (struct node_queue_opt) to
print_altq/print_hfsc -> print_hfsc_opts and extract struct node_hfsc_sc
there for each service curve and pass those down to print_hfsc_sc. now
bandwidth specifications in the service curves are printed correctly in the
case of a queue belonging to more than one interface/parent queue, the
parent queues having different bandwidths and the bandwidth on the service
curve being specified in percent.


# 1.366 14-Apr-2003 henning

let print_altq and print_queue take a struct node_queue_bw parameter instead
of distinct bw_percent


# 1.365 13-Apr-2003 henning

KNF


# 1.364 13-Apr-2003 henning

prevent double service curve specification


# 1.363 13-Apr-2003 henning

add support for the HFSC linkshare, realtime, and upperlimit service curves
to be specified.


# 1.362 13-Apr-2003 dhartmei

unbreak (missing })


# 1.361 13-Apr-2003 henning

say bye bye to hfscflags_list and hfscflags_item
welcome hfscopts_list and hfscopts_item, returning a full struct
node_hfsc_opt instead of just an int for the flags. needed because of all
the opts hfsc knows


# 1.360 13-Apr-2003 henning

new struct node_hfsc_opts for, surprise, hfsc options. needed because they
contain bandwidth specifications and we need to carry the unprocessed bw
specs around for quite some time until we can break them down to absolute
values.


# 1.359 13-Apr-2003 henning

pass down the struct node_queue_opts from the altqif/queuespec yacc targets
to expand_altq/expand_queue -> eval_pfaltq/eval_pfqueue and
further down to the new eval_queue_opts() instead of evaluating them directly
in the yacc grammar.
this will be needed to process the hfsc options which can contain relative
bandwidth specifications, and we can't break them down to an absolute one
earlier.


# 1.358 13-Apr-2003 henning

move the structs node_queue_bw and node_queue_opt to pfctl_parser.h.
let eval_pfqueue() and eval_pfaltq() take a pointer to a struct
node_queue_bw instead of two distinct bw_absolute and bw_percent parameters.


# 1.357 13-Apr-2003 henning

move the bandwidth keyword from within the bandwidth target up to the
queue_opts target so the bandwidth parser can be used for other things too;
will be needed for hfsc's linkshare etc


# 1.356 12-Apr-2003 henning

initial support for the HFSC scheduler.
whoever uses that for more than toying around is on drugs. it's far from done.


# 1.355 11-Apr-2003 henning

KNF


# 1.354 11-Apr-2003 henning

don't set r->qid and r->pqid in expand_rule any more, queue name -> queue ID
mapping is done in kernel land now


# 1.353 07-Apr-2003 dhartmei

Catch and refuse invalid icmp codes (> 255). ok pb@, mpech@.


# 1.352 05-Apr-2003 henning

ease netmask handling a bit

input theo, ok dhartmei@


# 1.351 05-Apr-2003 henning

allow queue specs to be limited to certain interfaces.

altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two }
queue one priority 1 priq(default)
queue two on $if0 priority 15
queue two on ! $if0 priority 0

ok dhartmei@


# 1.350 05-Apr-2003 henning

whitespace KNF


# 1.349 04-Apr-2003 henning

clean up:
instead of letting the lexer interpret '<' '>' '=' '>=' '<=' and return them
as PF_OP_LT, PF_OP_GT etc etc etc in PORTUNARY, just let the lexer return
'<' '>' and '=' literally, and in the few cases where the old PORTUNARY was
really used like originally intended, replace that by a new unaryop yacc
target. in all other cases that gets rid of quite some checks whether PORTUNARY
is really < and nothing else etc etc etc.

ok cedric@ deraadt@


# 1.348 27-Mar-2003 henning

lotsa const char *
from David Hill <david at phobia.ms> a while ago


# 1.347 27-Mar-2003 henning

introduce a "yesno" target. eases code a bit and yes is no keyword any more.


# 1.346 27-Mar-2003 henning

handle invalid priq/cbq flags better and give a nice error message


# 1.345 27-Mar-2003 henning

default, borrow, ecn, red and rio are no keywords any more. use STRING and
strcmp instead.


# 1.344 27-Mar-2003 henning

switch symset/symget to TAILQ instead of using hand baked lists

ok dhartmei@ cedric@


Revision tags: OPENBSD_3_3_BASE
# 1.343 19-Mar-2003 henning

branches: 1.343.2;
kill the address token and move the host() invocation up to the host token,
so that host() always gets the full address to be parsed including the
netmask instead of applying the netmask afterwards. this could break some
edge cases and was broken since the (interface)/24 fix.
new token dynaddr for, well, dynaddr, and apply an eventually given netmask
afterwards in the host token just in this case.

found after bug report From: Julien Bordet <zejames@greyhats.org> via dhartmei

ok daniel cedric


# 1.342 10-Mar-2003 henning

correctly cope with errors returned by eval_pfqueue and pfctl_add_altq

ok dhartmei@ pb@ (as part of... you know, monsterdiff)


# 1.341 10-Mar-2003 henning

when complaining about a queue without parent, include the queue name in
the error message

ok dhartmei@ pb@ (as part of a monsterdiff)


# 1.340 09-Mar-2003 henning

cope with LOOP_THROUGH modifying the list (queues).
in case of an error in the queue def in question the queues list remains
unmodified, but the LOOP_THROUGH caused a mod anyway, and the list can stay
empty. subsequent checks for NULL which check for an empty list fail then.
fix by adding an explicit check before looping.
fixes regress pfail31
error report by Kamil Andrusz via pb@, testcase from pb@
ok dhartmei@


# 1.339 09-Mar-2003 henning

cope with the fact that LOOP_THROUGH loops once even if the list is empty by
moving the addition of child queues a bit down after the successful
addition of the current queue and an explicit NULL check before looping.
fixes regress pf59
found by kjc@
ok kjc@ cedric@ dhartmei@


# 1.338 08-Mar-2003 henning

fix the obvious:
since we do not modify the struct pf_altq *a any more but our private copy,
we can of course not inherit the scheduler type from it, since it did not
inherit the scheduler type from the parent.
so just inherit the scheduler type from the parent directly...

ok dhartmei@ cedric@


# 1.337 08-Mar-2003 henning

in expand_queue, make a private copy of the struct pf_altq before modifying
it. modifying the original one had undesired side effects if a queue was
expanded to more than one because it belonged to more than one interface

ok pb@ cedric@ dhartmei@


# 1.336 06-Mar-2003 henning

fix queue assignment on filter rules which are not bound to an interface.
when looking up the queue IDs using qname_to_qid, we do not need to limit
the matching on the interface in question, as it is guaranteed that same
named queues on different interfaces have the same queue id. moreover, we
must not limit the matches to the interface if we do not have an interface
given on the filter rule to match on ;-)

found after problems reported by Andre Nathan <andre at v2r dot com dot br>

ok dhartmei@ pb@ cedric@


# 1.335 02-Mar-2003 henning

when printing queues at load time that have bandwidth specified in percent,
print the bandwidth in percent instead of the calculated absolute value.
if a queue belongs to more than one interface and they have different
bandwidth the calculated absolute is of course different per interface.
previously the first calculated absolute value was shown; what of course is
incorrect on the second interface. note that only the print was wrong, the
correct values were passed to the kernel.

ok theo daniel


# 1.334 02-Mar-2003 henning

remove the control keyword for cbq queues.
the control class was a legacy of the original CBQ design by LBL/Sun
to support RSVP.
the control class is not used in openbsd, in the sense that
we don't automatically set filters for ICMP/IGMP/RSVP for the control
class.

ok dhartmei@ kjc@ deraadt@


# 1.333 27-Feb-2003 david

modify error message to match the same 7 sections in pf.conf(5)
ok deraadt@ henning@


# 1.332 26-Feb-2003 henning

in expand_rule, correctly set r->pqid if a priority queue was defined, and
reuse the value of r->qid if not.

ok dhartmei@ mcbride@


# 1.331 25-Feb-2003 henning

some minor KNF my fingers just did...

ok dhartmei@ cedric@


# 1.330 25-Feb-2003 cedric

repair/simplify/flexify binat userland.
ok dhartmei@ henning@


# 1.329 24-Feb-2003 henning

when a macro is redefined, don't bother with reusing the existing entry in
symset() but just prepend a new sym entry to symhead like we always did. as
symget searches the list sequentially, the newest one is picked first.
prevents an endless loop introduced when trying to reuse the existing entry
by an invalid setting for the next pointer.
fixes regress test pf57.

found after conversation with Chris Linn, celinn at mtu dot edu

ok dhartmei@ cedric@


# 1.328 21-Feb-2003 henning

re-allow set loginterface none
ok cedric@ dhartmei@


# 1.327 21-Feb-2003 henning

better error message if set loginterface is called with nonexistent
interface, found by krause (who is doing EXCELLENT work. Thank you very
much!), fix by me, ok dhartmei@ and cedric@


# 1.326 20-Feb-2003 henning

reject nonexistent interfaces in the dynaddr case, noticed during discussion
with jasondixon at myrealbox dot com

ok dhartmei@


# 1.325 19-Feb-2003 dhartmei

Make 'from (kue0)/24' work again (dynamic interface name translation with
a /prefix), reported by Jason Dixon. ok henning@


# 1.324 19-Feb-2003 henning

better error message on icmp version / address family mismatch

ok markus@


# 1.323 18-Feb-2003 henning

fix load option handling (-A, -N, -R) for options.
due to a bug in the loadopt check options were always loaded no matter which
loadopts were specified.
while being there, move the prints for that to where they belong, into the
appropriate pfctl_set_* functions, and thus only print when the options are
actually loaded.
fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier.

ok dhartmei@


# 1.322 17-Feb-2003 henning

"optarg" was a bad pick for the variable name in pfctl_cmdline_symset, it
shadows a global. rename.


# 1.321 17-Feb-2003 mpech

-#include <sys/ioctl.h>

mcbride@, dhartmei@ ok


# 1.320 16-Feb-2003 henning

unneeded {}


# 1.319 16-Feb-2003 henning

throw a syntax error if the portunary operator in varset is no '='
extif>"whatever"
should not be the same as
extif="whatever"
but a syntax error.


# 1.318 14-Feb-2003 dhartmei

Allow route-to loopback interfaces again, since Ryan fixed the loops that
might have occurred before.


# 1.317 14-Feb-2003 cedric

Better and more consistent error message.
Ok dhartmei@


# 1.316 13-Feb-2003 henning

ease the yacc a bit by using a "not" rule instead of having two rules w/ and
without '!' everywhere

ok dhartmei@


# 1.315 12-Feb-2003 henning

KNF after ryan


# 1.314 12-Feb-2003 mcbride

Simplify the code and make the parser handle the different rule types
more consistently.

- Merge expand_nat and expand_rdr into expand_rule
- Merge rdrrule token into natrule

ok concept henning@
ok dhartmei@


# 1.313 11-Feb-2003 henning

allow macro definition on the command line:
pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea
theo), very handy if your notebook has another NIC at some conference, as
well as for debugging etc.
idea rezine@mistrusted.net via pb@
hacked live at FOSDEM

ok pb@ dhartmei@ cedric@
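
The macro table behaviour described in 1.313 (command-line definitions win over the file) and in 1.329 (a redefinition prepends a fresh entry, and the sequential lookup picks the newest), as an added stand-alone C example. It is not pfctl's own symset/symget code; the `persist` flag, `cmdline_symset`, `count_unused_symbols` and `symclear` are my names, and the unused count also includes definitions shadowed by a later redefinition.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct sym {
	struct sym	*next;
	int		 persist;	/* defined on the command line: the file may not override it */
	int		 used;		/* expanded at least once */
	char		*nam;
	char		*val;
};

static struct sym *symhead;	/* newest definition first */

/* Bounded string copy on the heap (avoids depending on strdup's declaration). */
static char *copy_str(const char *s, size_t n)
{
	char *p = malloc(n + 1);

	if (p != NULL) {
		memcpy(p, s, n);
		p[n] = '\0';
	}
	return p;
}

/*
 * Define or redefine a macro.  A redefinition just prepends a new entry, so
 * symget, which scans from the head, finds the newest value first; the old
 * entry is left alone, so no next pointer is ever rewired.  A persisted
 * (command-line) definition is never replaced by one from the file.
 * Returns 0, or -1 on allocation failure.
 */
int symset(const char *nam, const char *val, int persist)
{
	struct sym *sym;

	for (sym = symhead; sym != NULL; sym = sym->next)
		if (strcmp(nam, sym->nam) == 0)
			break;
	if (sym != NULL && sym->persist)
		return 0;	/* keep the command-line value */

	if ((sym = calloc(1, sizeof(*sym))) == NULL)
		return -1;
	sym->nam = copy_str(nam, strlen(nam));
	sym->val = copy_str(val, strlen(val));
	if (sym->nam == NULL || sym->val == NULL) {
		free(sym->nam);
		free(sym->val);
		free(sym);
		return -1;
	}
	sym->persist = persist;
	sym->next = symhead;
	symhead = sym;
	return 0;
}

/* Look a macro up; NULL if undefined.  Marks the entry as used. */
const char *symget(const char *nam)
{
	struct sym *sym;

	for (sym = symhead; sym != NULL; sym = sym->next)
		if (strcmp(nam, sym->nam) == 0) {
			sym->used = 1;
			return sym->val;
		}
	return NULL;
}

/* "name=value" as given on the command line (pfctl -Dname=value style); -1 if malformed. */
int cmdline_symset(const char *arg)
{
	const char *eq = strchr(arg, '=');
	char *nam;
	int ret;

	if (eq == NULL || eq == arg)
		return -1;
	if ((nam = copy_str(arg, (size_t)(eq - arg))) == NULL)
		return -1;
	ret = symset(nam, eq + 1, 1);
	free(nam);
	return ret;
}

/* Definitions from the file that were never expanded (what a warning would list). */
int count_unused_symbols(void)
{
	struct sym *sym;
	int n = 0;

	for (sym = symhead; sym != NULL; sym = sym->next)
		if (!sym->used && !sym->persist)
			n++;
	return n;
}

/* Free every definition so the table can be rebuilt from scratch. */
void symclear(void)
{
	while (symhead != NULL) {
		struct sym *next = symhead->next;

		free(symhead->nam);
		free(symhead->val);
		free(symhead);
		symhead = next;
	}
}

int main(void)
{
	cmdline_symset("extif=wi0");		/* pfctl -Dextif=wi0 */
	symset("extif", "fxp0", 0);		/* extif="fxp0" in the file: ignored */
	symset("lan", "10.0.0.0/24", 0);
	symset("lan", "10.0.1.0/24", 0);	/* redefinition: newest wins */
	printf("extif=%s lan=%s\n", symget("extif"), symget("lan"));
	symclear();
	return 0;
}
```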


# 1.312 09-Feb-2003 henning

more live code from FOSDEM:
make
pass in proto tcp to port 80
work.
-allow to omit the "any" if you're specifying a port
-allow to omit the from or to part if you want "any" for the other

ok dhartmei@ pb@


# 1.311 09-Feb-2003 henning

KNF


# 1.310 09-Feb-2003 camield

Fix a few warnings and remove unnecessary check and cast.

ok dhartmei henning


# 1.309 08-Feb-2003 dhartmei

Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@


# 1.308 05-Feb-2003 cedric

Fix "pass out dup-to (tun0 1.1.1.1) inet6 all" error message
Allow "pass out dup-to tun0 all"
ok mcbride@ henning@


# 1.307 05-Feb-2003 mcbride

Set the network mask to all 1's if no address is specified for a
route-to/dup-to/reply-to rule. Keeps round-robin from incrementing through
the entire address space.

ok dhartmei@


# 1.306 03-Feb-2003 deraadt

pretty


# 1.305 03-Feb-2003 dhartmei

Don't allow loopback interfaces as route/reply/dup-to targets. ok henning@


# 1.304 03-Feb-2003 cedric

remove loadopt global definition and cleanup a bit.
ok henning@


# 1.303 03-Feb-2003 henning

fix a problem with queue definitions when load options (like -N etc) are
given; they used to check for their parent interface/queue even in this
case.

ok dhartmei@ cedric@


# 1.302 02-Feb-2003 henning

there is no need to pass opts to parse_rules explicitly; it's passed as
part of the struct pfctl.


# 1.301 27-Jan-2003 deraadt

KNF


# 1.300 25-Jan-2003 mcbride

Match changes for rdr port ranges made to pf.c:
- fixes behaviour of rdr on le0 from foo to bar port 1:20 -> (lo0) port 22
- makes calculated mapping more explicit for the -> (lo0) port 22:* case

testing from dhartmei@

ok dhartmei@


# 1.299 25-Jan-2003 cedric

Fix NOACTION with table statements.


# 1.298 25-Jan-2003 cedric

Permit initialisation of a table content from a file in pf.conf.
Cleaning up of the table options parsing, more flexible.
idea+cleanup deraadt@, ok dhartmei@, pass all regress tests.


# 1.297 25-Jan-2003 cedric

Correctly check illegal constructs with tables. Better error messages.
ok dhartmei@ pass all regress tests.


# 1.296 25-Jan-2003 henning

if a table name is too long, it's actually nice to tell so instead of just
aborting with a syntax error


# 1.295 20-Jan-2003 camield

Remove unused argument from print_name() and fix two other nits
found by lint.

ok henning


# 1.294 19-Jan-2003 camield

Spin off label string expansion into a separate function. Clarifies
and tightens all expand_label functions.

ok dhartmei henning


# 1.293 18-Jan-2003 henning

KNF after ryan...


# 1.292 18-Jan-2003 mcbride

Add missing token string and assignment to make static-port work for real.

Diff and report courtesy of mpech@ and form@

ok dhartmei@


# 1.291 17-Jan-2003 camield

bandwith -> bandwidth

YYERROR on failed parseicmpspec()

ok dhartmei mcbride henning


# 1.290 15-Jan-2003 mpech

Typo in yyerror().

henning@


# 1.289 14-Jan-2003 henning

unified IP parser:
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h]
-extend host() to handle /mask itself, plus minor adjustments
-use that in pfctl_table.c instead of coding the same shit again

discussed w/ cedric@
ok cedric@ dhartmei@


# 1.288 13-Jan-2003 camield

err() on all memory allocation failures

ok henning dhartmei


# 1.287 11-Jan-2003 mcbride

Whitespace KNF


# 1.286 09-Jan-2003 henning

no need for explicit numbering in enums

ok dhartmei@


# 1.285 09-Jan-2003 dhartmei

Check return values on the remaining strlcpy/strlcat. ok henning@


# 1.284 09-Jan-2003 henning

minor KNF


# 1.283 09-Jan-2003 cedric

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@


# 1.282 08-Jan-2003 deraadt

check more strlcpy; camield@


# 1.281 07-Jan-2003 dhartmei

Allow underscore at the beginning of strings, fixes
pass all user _spamd
which was refused as syntax error before. Reported by Joe Nall.
ok henning@


# 1.280 07-Jan-2003 dhartmei

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@


# 1.279 06-Jan-2003 mcbride

Fix some oversights with address pools for route-to/dup-to/reply-to
- copy key for src-hash
- copy pool type (pools were being set to round-robin in all cases)

+ some minor knf.

ok dhartmei@


# 1.278 05-Jan-2003 henning

err after calloc failure, not errx


# 1.277 05-Jan-2003 dhartmei

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@


# 1.276 04-Jan-2003 dhartmei

move noroute from flag in pf_rule_addr into type in pf_addr_wrap.
ok henning@, mcbride@


# 1.275 04-Jan-2003 deraadt

I do not know where this policy of "one .h file for every .c file" comes
from, but whoever thought of it is stupid.


# 1.274 03-Jan-2003 dhartmei

whitespace KNF (no, i don't touch the option inits)


# 1.273 03-Jan-2003 cedric

Bring in userland code for accessing PF radix tables.
ok dhartmei@ mcbride@


# 1.272 02-Jan-2003 mcbride

Require a direction to be specified for rules which do routing.

ok dhartmei@ henning@


# 1.271 30-Dec-2002 mcbride

Change ipv6-icmp-type to icmp6-type. pf.conf files will need to be adjusted
to reflect this.

ok dhartmei@ henning@


# 1.270 27-Dec-2002 mcbride

Since pf_norm.c looks at rule.log to see if it should log packets being
dropped due to scrub violations, this adds the ability to set this in
pf.conf.

ok henning@


# 1.269 21-Dec-2002 henning

always initialize rpool.key; diff from Frank Denis; KNF by me


# 1.268 21-Dec-2002 henning

KNF


# 1.267 20-Dec-2002 dhartmei

remove a redundant assignment.


# 1.266 19-Dec-2002 dhartmei

fix 'no rdr'.


# 1.265 18-Dec-2002 henning

more KNF


# 1.264 18-Dec-2002 dhartmei

proto list expansion is not supported in binat-anchor yet, print an error
when attempted.


# 1.263 18-Dec-2002 dhartmei

Support (single) destination port in rdr-anchor rules. Print an error
where parameters are not supported (in rdr-anchor and binat-anchor) yet.
If those are needed, we'll have to expand them properly.


# 1.262 18-Dec-2002 deraadt

fix some INCREDIBLE new bugs which were introduced


# 1.261 17-Dec-2002 henning

add support for the PRIQ scheduler

partially from kjc@

ok kjc@ dhartmei@


# 1.260 17-Dec-2002 mcbride

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule

ok dhartmei@ henning@


# 1.259 17-Dec-2002 henning

missing break in switch


# 1.258 17-Dec-2002 henning

beautify the %type block


# 1.257 17-Dec-2002 henning

PRIQ and HFSC support functions, not yet used.
mostly from kjc@ with adjustments by me.

ok theo ryan daniel


# 1.256 16-Dec-2002 henning

only create a root queue if scheduler = cbq


# 1.255 16-Dec-2002 henning

get full [scheduler]_opts struct instead of just .flags, and wrap in into a
switch (scheduler) statement in one case

inspired by kjc@


# 1.254 13-Dec-2002 henning

allow a second queue for higher prioritized (currently: tos=lowdelay) packets
to be specified per rule

queue (qname, priorized_qname)

idea dhartmei
ok dhartmei@ frantzen@ deraadt@


# 1.253 13-Dec-2002 henning

a bit KNF originally part of another diff soon to come; frantzen@ correctly
pointed out that should be a separate commit.


# 1.252 13-Dec-2002 deraadt

permit re-ordering of some scrub parameters, and also clean up some other
grammar baloney; henning ok


# 1.251 12-Dec-2002 henning

KNF


# 1.250 12-Dec-2002 henning

we don't need to keep a private copy of the queue name in expand_rule,
r->qname is never modified

discussed with dhartmei@


# 1.249 11-Dec-2002 mcbride

Replace strncpy + ugly pointer math with sscanf for reading source-hash keys

ok dhartmei@ henning@


# 1.248 09-Dec-2002 dhartmei

(properly guarded) strcpy() -> strlcpy()


# 1.247 09-Dec-2002 deraadt

do not allow redefinitions in variable option blocks; henning ok


# 1.246 08-Dec-2002 henning

strncpy is evil.


# 1.245 08-Dec-2002 henning

allow flexible options order like Theo did for rules.

idea, lots of input, motivation and ok deraadt@

ATTENTION:
this changes the syntax. the "scheduler" keyword is gone now.
old: altq on $interface scheduler cbq ...
new: altq on $interface cbq ...


# 1.244 07-Dec-2002 dhartmei

Support parameters in anchor rules. Allows conditional evaluation, like:

anchor spews inet proto tcp from any to any port smtp

ok deraadt


# 1.243 07-Dec-2002 henning

more KNF


# 1.242 07-Dec-2002 henning

KNF


# 1.241 07-Dec-2002 henning

shadow cleanup

ok mcbride@ frantzen@


# 1.240 07-Dec-2002 henning

kill an unused param to lungetc


# 1.239 07-Dec-2002 mcbride

Convert the hash of a string key to network byte order. Makes regression
work on all platforms.

Bug found by dhartmei@

ok dhartmei@ henning@


# 1.238 06-Dec-2002 dhartmei

Remove negated address list check again, doesn't work right yet.


# 1.237 06-Dec-2002 dhartmei

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@


# 1.236 05-Dec-2002 henning

fix a small cosmetic problem. if ifa_lookup was called in LOOKUP_NET mode,
it would return things like 127.0.0.1/8. when 127.0.0.1/8 is passed through
the new selftests, it becomes 127.0.0.0/8.
fix: instead of just copying addr.mask in ifa_lookup, use set_ipmask, so it
is 127.0.0.0/8 from the beginning on.


# 1.235 05-Dec-2002 henning

-quote varset in -v output
-don't add 's' in set timeout -v output

makes the feedback regression tests succeed.

ok markus@ mcbride@


# 1.234 04-Dec-2002 henning

in host(), apply a given netmask to all members of the node_host list
returned by ifa_lookup().

reported by Alejandro G. Belluscio

ok dhartmei@


# 1.233 04-Dec-2002 deraadt

do not warn for unused variables except with -v -v; henning ok


# 1.232 02-Dec-2002 henning

KNF


# 1.231 02-Dec-2002 deraadt

permit more flexible pass/block lines. the options given at the end of
a line can now be placed in any order, and some merging of duplicate options
is also done. this is easier to use.


# 1.230 02-Dec-2002 henning

allow for "altq on $interface" without specifying a bandwidth. The
interface's bandwidth is taken then.
as a side-effect, "altq on $interface bandwidth xx%" is also possible now,
it's relative to the interface's bandwidth then.

ok theo


# 1.229 30-Nov-2002 mickey

move damn unmask() proto into place as well


# 1.228 29-Nov-2002 henning

coredumps are not nice.
deal with the fact that when we are merging the lists in host_list both can
be NULL.
found at EuroBSDCon 2002 while I was explaining the expansion process to
Paul de Weerd

ok dhartmei@


# 1.227 29-Nov-2002 henning

print queuespec only once in verbose mode, even if referenced more often


# 1.226 29-Nov-2002 henning

FREE_LIST nqueues later; can be used more than once


# 1.225 28-Nov-2002 henning

allow qlimit on altq spec


# 1.224 28-Nov-2002 mcbride

- Adjust to match replacement of md5 with pf_hash
- Allow keys to be specified in hex (must be 128 bits, mainly to make
pfctl -v output parseable by pfctl) or as a string. Randomly generate key
if one is not specified.

Suggestions and fixes from camield@

ok mickey@ camield@ henning@


# 1.223 27-Nov-2002 henning

handle the "no bandwidth specified" case earlier and easier.


# 1.222 27-Nov-2002 henning

-use a #define for default qlimit instead of hardcoding it
-print qlimit in print_queue if it is not the default one
-assign the default qlimit early in the parser instead of using 0


# 1.221 27-Nov-2002 henning

next round in print fixes:
-only print priority if it is not equal to the default one
-space handling overhaul


# 1.220 27-Nov-2002 henning

use a #define for default priority instead of hardcoding it


# 1.219 27-Nov-2002 henning

fix tbrsize spec


# 1.218 27-Nov-2002 henning

fix error message for altq ifspec without child queues


# 1.217 26-Nov-2002 henning

make bandwidth specification on queue truly optional


# 1.216 26-Nov-2002 henning

queue comes before NAT


# 1.215 25-Nov-2002 henning

repair decide_address_family
you cannot just take the first address family you meet as rule's address
family... either all are equal, or the rule has no explicit AF.

found by danh@
ok theo


# 1.214 25-Nov-2002 mickey

for loN and link1 translate the iface into address properly; henning@ ok


# 1.213 25-Nov-2002 henning

1Kb = 1000b, not 1024; as discussed with kjc@ and theo


# 1.212 25-Nov-2002 henning

KNF


# 1.211 24-Nov-2002 pb

enforce that queue comes right before filtering
'options, normalization, translation, queue, filter' now

henning@ ok


# 1.210 24-Nov-2002 dhartmei

Cosmetics and removal of a redundant code block.


# 1.209 23-Nov-2002 deraadt

sigh


# 1.208 23-Nov-2002 henning

KNF


# 1.207 23-Nov-2002 henning

better error checking in expand_queue


# 1.206 23-Nov-2002 henning

easier


# 1.205 23-Nov-2002 mcbride

Daniel's diff to untangle my mess with ifa_pick_ips like so:

- add decide_address_family() which runs through the list to find hosts
with the af set
- replace ifa_pick_ips with remove_invalid_hosts() which removes hosts with
the wrong address family from the list

from/ok dhartmei@


# 1.204 23-Nov-2002 henning

better error checking, round 1
this time in expand_altq


# 1.203 23-Nov-2002 henning

KNF


# 1.202 23-Nov-2002 deraadt

KNF


# 1.201 23-Nov-2002 dhartmei

$$->ifname is NULL, leave it NULL, don't $$->ifname[0] = 0;


# 1.200 23-Nov-2002 mcbride

Fix brokenness in parse.y, clean up:
- remove requirement for ( ) in route-to ( if )
- calloc route_host
- initialise route_host->next
- globally convert malloc to calloc

ok dhartmei@


# 1.199 23-Nov-2002 mcbride

code to support loading of pf rules with multiple redirection addresses
(in nat, rdr, route-to, dup-to and reply-to)

Syntax looks like this, see pf.conf(5) for details:

nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
192.168.0.16/29 source-hash random

rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
{ 192.168.0.8/31, 192.168.0.15 } port 22 round-robin

ok dhartmei@ henning@


# 1.198 22-Nov-2002 henning

print altq and queue lines in the pfctl -v case including the child queue
assignment


# 1.197 19-Nov-2002 henning

only take cbq opts from schedtype if type=CBQ


# 1.196 19-Nov-2002 henning

repair queuespec syntax glitch, theo agrees


# 1.195 19-Nov-2002 henning

default priority is 1, not 0
found by pb@


# 1.194 19-Nov-2002 camield

- match 'Gb' case-sensitively
- match "%" unit only, not "%crap"

ok henning@
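
The bandwidth spec rules from the commits above (units matched exactly so that "gb" and "%crap" are rejected, from 1.194; decimal units with 1Kb = 1000b, from 1.213; a percentage or an omitted bandwidth resolved against the interface's own rate, from 1.230), as an added C example. This is not pfctl's parser; `parse_bandwidth`, `resolve_bandwidth`, `bandwidth_bps` and `struct bwspec` are my names, and a NULL spec standing for "no bandwidth given" is my convention.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A parsed bandwidth: an absolute rate, or a percentage of the interface's. */
struct bwspec {
	unsigned long long	 bps;		/* bits per second, valid when percent == 0 */
	int			 percent;	/* 1..100, or 0 for an absolute rate */
};

/*
 * Parse "<number>[b|Kb|Mb|Gb|%]".  Units are decimal (1Kb = 1000b) and must
 * match exactly and case-sensitively: "1gb" and "50%crap" are errors.
 * Percentages must be whole numbers from 1 to 100.  Returns 0 or -1.
 */
int parse_bandwidth(const char *s, struct bwspec *bw)
{
	char *end;
	double v, mult;

	if (!isdigit((unsigned char)*s))	/* no sign, no leading blanks */
		return -1;
	v = strtod(s, &end);
	if (end == s || v < 0)
		return -1;

	if (strcmp(end, "%") == 0) {
		if (v < 1 || v > 100 || v != (double)(int)v)
			return -1;
		bw->percent = (int)v;
		bw->bps = 0;
		return 0;
	}
	if (*end == '\0' || strcmp(end, "b") == 0)
		mult = 1;
	else if (strcmp(end, "Kb") == 0)
		mult = 1000;
	else if (strcmp(end, "Mb") == 0)
		mult = 1000 * 1000;
	else if (strcmp(end, "Gb") == 0)
		mult = 1000 * 1000 * 1000;
	else
		return -1;	/* "gb", "Mbit", trailing junk */
	bw->percent = 0;
	bw->bps = (unsigned long long)(v * mult + 0.5);
	return 0;
}

/* Absolute rate for a spec, given the interface's own rate in bits/s. */
unsigned long long resolve_bandwidth(const struct bwspec *bw, unsigned long long ifbw)
{
	if (bw->percent)
		return ifbw * (unsigned long long)bw->percent / 100;
	return bw->bps;
}

/*
 * Parse and resolve in one step.  A NULL spec means "altq on $if" without a
 * bandwidth, which takes the interface's rate.  Returns 0 on a parse error.
 */
unsigned long long bandwidth_bps(const char *s, unsigned long long ifbw)
{
	struct bwspec bw;

	if (s == NULL)
		return ifbw;
	if (parse_bandwidth(s, &bw) == -1)
		return 0;
	return resolve_bandwidth(&bw, ifbw);
}

int main(void)
{
	/* constructed inputs against a 100Mb interface */
	const char *specs[] = { "10Mb", "1Kb", "1.5Mb", "50%", "1gb", "50%crap", NULL };
	unsigned long long ifbw = 100000000ULL;
	size_t i;

	for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++)
		printf("%-8s -> %llu bit/s\n", specs[i] ? specs[i] : "(none)",
		    bandwidth_bps(specs[i], ifbw));
	return 0;
}
```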


# 1.193 19-Nov-2002 wilfried

icmp-type was off by one, ok henning@


# 1.192 18-Nov-2002 deraadt

no; do not use };


# 1.191 18-Nov-2002 henning

more using strl* return values instead of strlen calls


# 1.190 18-Nov-2002 henning

easier "queue name too long" detection; from theo


# 1.189 18-Nov-2002 deraadt

KNF


# 1.188 18-Nov-2002 deraadt

KNF


# 1.187 18-Nov-2002 henning

altq and pf merged

this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documentation yet, but committing now
enables a few more people to work on.

print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.

"commit now" theo philipp daniel


# 1.186 13-Nov-2002 henning

as scrub rules end up in a struct pf_rule just call expand_rule instead of
handcrufting this.
has quite a few positive side effects:
-interface list expansion works (fries@ asked for that)
-can specify address family, very helpful with dynamic interface expansion
(pointed out by daniel)
-src/dst ip/port list expansion works
-fixes a long standing, scary, though never noticed bug:
scrub out on lo1 from any to 10.0.0.1
expanded to
scrub out on lo1 all
... this bug was there from day #1.

"sneaky diff of the month award" dhartmei@


# 1.185 13-Nov-2002 dhartmei

Add label macro $if, as we support {} list expansion for interfaces now.
From David Gwynne. ok henning@, camield@


# 1.184 13-Nov-2002 dhartmei

Initialize tail pointer to node, found by fries@


# 1.183 08-Nov-2002 henning

init buf to NULL just in case...
there isn't a single codepath where it can remain uninitialized, but this
might prevent a stupid bug if we change something later


# 1.182 07-Nov-2002 henning

move the ifa_exists block a bit up in host()
inspired by mpech@ pointing out a missing free(buf). so handle the
it-is-an-interface case where we don't need the buf before allocating memory.


# 1.181 04-Nov-2002 henning

welcome to CIDR world, pfctl!

use inet_net_pton to parse IP addresses.
stuff like
block in from 10/8 to any
works now.

some input camield@ and dhartmei@

ok dhartmei@, camield@, mcbride@


# 1.180 02-Nov-2002 dhartmei

%i -> %d, matches the style of existing code, from millert@


# 1.179 02-Nov-2002 dhartmei

printf int with %i, not %u. from pilot@monkey.org.


# 1.178 30-Oct-2002 henning

simplify


# 1.177 30-Oct-2002 henning

fix interface expansion. since the reversed list expansion code was
committed this was broken, only the first IP address was returned.

pointed out by danh@, who sent an excellent bug report.

ok dhartmei@


# 1.176 29-Oct-2002 henning

introduce
set require-order [yes|no]
default is yes.
with set to "no", it isn't required to have the rules in order (options,
scrub, nat, filter) any more, though of course NATing still happens before
filtering and so on, so one has to take care.

ok camield@ mcbride@ dhartmei@
idea discussed with a whole lotta more people and basically ok for everyone ;-)


# 1.175 27-Oct-2002 henning

remove the "flags X" syntax.
noone who wrote "flags S" meant that, but actually something like "flags
S/SA". with "flags S" changing its actual meaning as more flags got
supported, things got worse.

ok dhartmei@, pb@


# 1.174 22-Oct-2002 mpech

%ul -> %lu

dhartmei@ ok


# 1.173 22-Oct-2002 mcbride

More conversion of "int af" and "u_int8_t af" declarations and function
arguments to the more correct and descriptive "sa_family_t af"

ok dhartmei@ henning@


# 1.172 22-Oct-2002 camield

Rename ipmask to set_ipmask and add some functionality: the netmask
is applied immediately to the address.

This way, the parsed rules output shows exactly which bits of an
address are significant for a match and errors due to wrong netmasks
can be spotted more easily.

Example:
$ pfctl -nvf -
pass in on lo0 from 172.17.0.0/12 to any
@0 pass in on lo0 inet from 172.16.0.0/12 to any

idea refined by dhartmei@
ok frantzen@ henning@
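
The address handling these commits describe, as an added stand-alone C example: classless short forms such as "10/8" (1.181), and the netmask applied to the address as soon as it is parsed, so that 172.17.0.0/12 is echoed as 172.16.0.0/12 (1.172) and 127.0.0.1/8 becomes 127.0.0.0/8 (1.236). It is not pfctl's host()/set_ipmask code and it does not call inet_net_pton; the parsing is reimplemented so the example builds on any libc, and `parse_cidr4`, `format_cidr4` and `cidr4_normalizes_to` are my names.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A parsed IPv4 network; addr is already masked (host byte order). */
struct cidr4 {
	uint32_t	addr;
	uint32_t	mask;
	int		prefix;
};

/* Shifting a 32-bit value by 32 is undefined in C, hence the special case. */
static uint32_t prefix_to_mask(int prefix)
{
	return prefix == 0 ? 0 : 0xffffffffu << (32 - prefix);
}

/*
 * Parse "a[.b[.c[.d]]][/prefix]".  Missing octets are zero, so "10/8" is
 * 10.0.0.0/8; without a prefix the address is a single host (/32).  The
 * mask is applied to the address right here, the way set_ipmask does.
 * Returns 0 on success, -1 on malformed input.
 */
int parse_cidr4(const char *s, struct cidr4 *out)
{
	const char *p = s;
	uint32_t addr = 0;
	int octets = 0, prefix = 32;

	for (;;) {
		char *end;
		long v;

		if (!isdigit((unsigned char)*p))
			return -1;
		v = strtol(p, &end, 10);
		if (v < 0 || v > 255)
			return -1;
		addr = (addr << 8) | (uint32_t)v;
		octets++;
		p = end;
		if (*p != '.')
			break;
		if (octets == 4)	/* a fifth octet */
			return -1;
		p++;
	}
	addr <<= 8 * (4 - octets);

	if (*p == '/') {
		char *end;
		long v;

		p++;
		if (!isdigit((unsigned char)*p))
			return -1;
		v = strtol(p, &end, 10);
		if (v < 0 || v > 32 || *end != '\0')
			return -1;
		prefix = (int)v;
	} else if (*p != '\0') {
		return -1;
	}

	out->prefix = prefix;
	out->mask = prefix_to_mask(prefix);
	out->addr = addr & out->mask;
	return 0;
}

/* Render the network the way a verbose rule dump would show it. */
const char *format_cidr4(const struct cidr4 *c, char *buf, size_t len)
{
	snprintf(buf, len, "%u.%u.%u.%u/%d",
	    (unsigned)(c->addr >> 24), (unsigned)((c->addr >> 16) & 0xff),
	    (unsigned)((c->addr >> 8) & 0xff), (unsigned)(c->addr & 0xff),
	    c->prefix);
	return buf;
}

/* 1 if spec parses and normalizes to exactly `expected`, else 0. */
int cidr4_normalizes_to(const char *spec, const char *expected)
{
	struct cidr4 c;
	char buf[32];

	if (parse_cidr4(spec, &c) == -1)
		return 0;
	return strcmp(format_cidr4(&c, buf, sizeof(buf)), expected) == 0;
}

int main(void)
{
	/* constructed inputs */
	const char *specs[] = { "172.17.0.0/12", "10/8", "127.0.0.1/8",
	    "1.2.3.4", "1.2.3.4/33", "256.1.1.1" };
	struct cidr4 c;
	char buf[32];
	size_t i;

	for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++) {
		if (parse_cidr4(specs[i], &c) == -1)
			printf("%-16s -> syntax error\n", specs[i]);
		else
			printf("%-16s -> %s\n", specs[i],
			    format_cidr4(&c, buf, sizeof(buf)));
	}
	return 0;
}
```

Comparing the echoed form with what was written is exactly how the wrong-netmask mistake in the commit message becomes visible: a rule that was meant for 172.17.0.0/16 but was typed as /12 shows up matching 172.16.0.0/12.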


# 1.171 17-Oct-2002 mcbride

These checks are also made in nat_consistent() and rdr_consistent().

ok dhartmei@ henning@


# 1.170 17-Oct-2002 camield

- accept all protocols that are specified by number if they are in
the valid range (also when they're not listed in /etc/protocols)
- explicitly disallow protocol number 0, because it has special meaning
to pf

ok dhartmei@ henning@


# 1.169 16-Oct-2002 mpech

Fix and improve binat mask comparison.

dhartmei@, henning@ ok


# 1.168 14-Oct-2002 henning

Allow one to specify a netblock in a binat rule:

binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27

Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.

from ryan

ok dhartmei@
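
The netblock binat mapping from 1.168, with the mask comparison that 1.169 tightened, as an added C example. It is not pf's translation code; `binat_map` and `binat_map_or_zero` are my names, the arithmetic is on host-order IPv4 values, and the check that the host actually lies inside the source block is my addition.

```c
#include <stdint.h>
#include <stdio.h>

/* Host-order IPv4 address from four octets. */
#define IP4(a, b, c, d) \
	(((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
	 ((uint32_t)(c) << 8) | (uint32_t)(d))

static uint32_t prefix_to_mask(int prefix)
{
	return prefix == 0 ? 0 : 0xffffffffu << (32 - prefix);
}

/*
 * Translate `host` from src_net/src_prefix into rdr_net/rdr_prefix: the
 * network bits come from the redirect block, the host bits from the
 * original address.  Returns 0 and sets *out; -1 if the prefix lengths
 * differ (the rule is rejected, both sides MUST use the same mask) or
 * if host is not inside the source block.
 */
int binat_map(uint32_t src_net, int src_prefix, uint32_t rdr_net,
    int rdr_prefix, uint32_t host, uint32_t *out)
{
	uint32_t mask;

	if (src_prefix < 0 || src_prefix > 32 || src_prefix != rdr_prefix)
		return -1;
	mask = prefix_to_mask(src_prefix);
	if ((host & mask) != (src_net & mask))
		return -1;
	*out = (rdr_net & mask) | (host & ~mask);
	return 0;
}

/* Same, returning the mapped address or 0 on error. */
uint32_t binat_map_or_zero(uint32_t src_net, int src_prefix,
    uint32_t rdr_net, int rdr_prefix, uint32_t host)
{
	uint32_t out;

	if (binat_map(src_net, src_prefix, rdr_net, rdr_prefix, host, &out) == -1)
		return 0;
	return out;
}

static void print_ip(uint32_t a)
{
	printf("%u.%u.%u.%u", (unsigned)(a >> 24), (unsigned)((a >> 16) & 0xff),
	    (unsigned)((a >> 8) & 0xff), (unsigned)(a & 0xff));
}

int main(void)
{
	/* binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27 */
	uint32_t src = IP4(192, 168, 0, 32), rdr = IP4(10, 0, 7, 128);
	uint32_t host = IP4(192, 168, 0, 40), out, back;

	/* outbound, then the reply mapped back by swapping the blocks */
	if (binat_map(src, 27, rdr, 27, host, &out) == 0 &&
	    binat_map(rdr, 27, src, 27, out, &back) == 0) {
		print_ip(host);
		printf(" -> ");
		print_ip(out);
		printf(" -> ");
		print_ip(back);
		printf("\n");
	}
	return 0;
}
```

Because binat is bidirectional, the reply direction is the same function with the two blocks swapped, which is why the masks have to be identical: with different prefix lengths the host bits would not round-trip.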


# 1.167 11-Oct-2002 camield

When a macro cannot be expanded because it is not defined, say so. Also warn
about unused macros.

ok dhartmei@ henning@


# 1.166 11-Oct-2002 camield

In lgetc(), compress strings of whitespace to a single space. This makes
macros come out right in verbose mode and is less functional overhead.

Also err on whitespace after a backslash. That type of error is hard to
find otherwise.

ok dhartmei@ henning@
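
The input squeezing this commit describes (runs of whitespace collapsed to one space, and an error for whitespace after a backslash, the mistake that is otherwise invisible in an editor), as an added C example. It is not pfctl's lgetc; it works on an in-memory buffer rather than a FILE, also drops `#` comments to end of line and treats backslash-newline as a continuation, and `squeeze_config`, `squeezes_to` and `bad_backslash_line` are my names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Copy config text into out with blanks and tabs squeezed to a single
 * space (leading and trailing ones dropped), "#..." removed to end of
 * line, and a backslash immediately before a newline joining the lines.
 * A backslash followed by any other whitespace is an error: returns -1
 * with *errline set to that line.  Returns 0 on success, or -1 with
 * *errline == 0 if out is too small.
 */
int squeeze_config(const char *in, char *out, size_t outlen, int *errline)
{
	size_t o = 0;
	int line = 1, pending_space = 0, in_comment = 0;
	const char *p;

	*errline = 0;
	for (p = in; *p != '\0'; p++) {
		char c = *p;

		if (in_comment && c != '\n')
			continue;
		in_comment = 0;

		if (c == '#') {
			in_comment = 1;
			continue;
		}
		if (c == '\\') {
			if (p[1] == '\n') {		/* continuation line */
				p++;
				line++;
				pending_space = 1;
				continue;
			}
			if (isspace((unsigned char)p[1])) {
				*errline = line;
				return -1;
			}
			/* any other backslash is copied literally */
		}
		if (c == '\n') {
			pending_space = 0;	/* trailing blanks vanish */
			line++;
		} else if (c == ' ' || c == '\t') {
			pending_space = 1;
			continue;
		} else if (pending_space && o > 0 && out[o - 1] != '\n') {
			if (o + 1 >= outlen)
				return -1;
			out[o++] = ' ';
		}
		pending_space = 0;
		if (o + 1 >= outlen)
			return -1;
		out[o++] = c;
	}
	out[o] = '\0';
	return 0;
}

/* 1 if `in` squeezes to exactly `expected`. */
int squeezes_to(const char *in, const char *expected)
{
	char buf[256];
	int errline;

	return squeeze_config(in, buf, sizeof(buf), &errline) == 0 &&
	    strcmp(buf, expected) == 0;
}

/* Line of the backslash-then-whitespace error, or 0 if the text is clean. */
int bad_backslash_line(const char *in)
{
	char buf[256];
	int errline;

	squeeze_config(in, buf, sizeof(buf), &errline);
	return errline;
}

int main(void)
{
	/* constructed pf.conf fragment: the second rule has "\ " at end of line */
	const char *conf = "pass   in\t on  fxp0 \\\n    all # wide open\n"
	    "block \\ \nin all\n";
	char buf[256];
	int errline;

	if (squeeze_config(conf, buf, sizeof(buf), &errline) == -1)
		printf("line %d: whitespace after backslash\n", errline);
	else
		fputs(buf, stdout);
	return 0;
}
```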


# 1.165 08-Oct-2002 vincent

remove <0 checks on unsigned numbers.

ok henning@


# 1.164 07-Oct-2002 dhartmei

-Wsign-compare clean


# 1.163 07-Oct-2002 dhartmei

Two cases of const-correctness and make one global local.


# 1.162 07-Oct-2002 henning

set block-policy [drop|return]
drop is default, same behaviour as before

support
block drop
to override a return policy


# 1.161 07-Oct-2002 henning

support a generic return
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else

ok dhartmei@


# 1.160 07-Oct-2002 henning

make return-icmp work for rules covering both v4 and v6
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)

ok and some input dhartmei@


# 1.159 07-Oct-2002 henning

use a new rule_flag PFRULE_RETURNICMP to decide whether to return-icmp or not
instead of just testing return_icmp > 0

ok dhartmei@


# 1.158 07-Oct-2002 dhartmei

Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.


# 1.157 06-Oct-2002 dhartmei

Move CHECK_ROOT into LOOP_THROUGH, gets rid of one macro and saves
several lines, no functional difference. From Camiel Dobbelaar.


# 1.156 05-Oct-2002 dhartmei

Expand {} lists from left to right, so 'pass in from { a, b } to any'
becomes '@0 pass in from a to any @1 pass in from b to any' instead of
the other way around. Patch from Camiel Dobbelaar.


# 1.155 05-Oct-2002 dhartmei

Allow filtering based on IP header's tos field.


Revision tags: OPENBSD_3_2_BASE
# 1.154 22-Sep-2002 henning

little KNF: return(something) -> return (something)


# 1.153 22-Sep-2002 henning

fix linenumber counting in findeol, and simplify by ignoring the \ case,
that's already handled earlier.
fast-forward on erroneous lines

partially from camield@, parts result of a discussion with Mike

ok frantzen@ dhartmei@


# 1.152 22-Sep-2002 henning

antispoof, take 2.
also block incoming packets with our own IP as src.

discussion & help frantzen

ok ho@ dhartmei@ frantzen@


# 1.151 17-Sep-2002 henning

easier "self" implementation.
no functional changes

ok pb@


# 1.150 15-Sep-2002 henning

set a netmask in the dynaddr case
noticed by <han@mijncomputer.nl>

ok pb@


# 1.149 14-Sep-2002 henning

bit more clue in rdr/nat rules wrt address family examination
don't take the af from host_node structs based on interface lookups, most
interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will
at least have one IP address specified from which we take the af for the
whole rule. The rare exceptional cases require the user to specify the af.

ok frantzen@


# 1.148 12-Sep-2002 henning

check for calloc() failure; ho@


# 1.147 12-Sep-2002 henning

antispoof [log] [quick] for [interface|interface_list] [af]

e. g.

antispoof log quick for { dc0, dc1 } inet

docs & regress coming

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@
IPv6 help itojun@

finally, a long story finds its happy end here.


# 1.146 12-Sep-2002 henning

rework netmask handling:
-don't set netmask in host token handler
-clear netmask in ipmask() proper before setting it
-in ifa_load(), also store interface's netmask and broadcast address
-allow ifa_lookup() to return either the interface's IP address(es), network(s)
or broadcast address(es) - not used anywhere yet. This implies that
ifa_lookup() also returns the netmask now.
-host() returns netmasks, too

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@


# 1.145 08-Sep-2002 henning

be more clueful wrt address family in nat/rdr rules.
behaviour noticed by Paul de Weerd, thanks!

ok dhartmei@


# 1.144 02-Sep-2002 dhartmei

Fix parsing of port ranges in translation rules (port a:b -> port c:d).
ok henning@


# 1.143 02-Sep-2002 dhartmei

Make sure the interface specified with route-to/dup-to/fastroute exists
and null-terminate the interface name. Found by Michael Wallis.
ok henning@


# 1.142 20-Aug-2002 dhartmei

Increase lineno on newlines inside multi-line macro definitions, otherwise
errors on subsequent lines are reported with wrong line numbers.
From Paul B. Henson.


# 1.141 16-Aug-2002 henning

kill duplicated check for '(' and ')' in allowed_in_string


# 1.140 12-Aug-2002 dhartmei

Catch null pointer deref (segfault), from wilfried@


# 1.139 06-Aug-2002 henning

missing free(), mpech@
ok pb@


# 1.138 06-Aug-2002 henning

check for strdup() allocation errors

pointed out by mpech@
ok pb@


# 1.137 31-Jul-2002 henning

KNF, esp. missing prototypes


# 1.136 30-Jul-2002 henning

grmpf.
in some cases, on non-tcp rules flags weren't reset. cosmetic only
problem. but, well, checking for r->flags and r->flagset if we could have
assigned them zero just one round ago is just stupid, and it's not needed to
check them at all.

ok pb@, dhartmei@


# 1.135 30-Jul-2002 henning

allow to specify flags on all rules that include tcp.

these are valid:

pass in from any to any flags S
pass in proto { tcp, udp, icmp } from any to any flags S
pass in proto tcp from any to any flags S

these are invalid:

pass in proto { udp, icmp } from any to any flags S
pass in proto udp from any to any flags S

ok "I've lost my slacker status for at least a week" frantzen@
ok pb@, dhartmei@, deraadt@


# 1.134 26-Jul-2002 henning

make the order of log and quick irrelevant. now both
block in log quick all
and
block in quick log all
work.

ok dhartmei@, deraadt@


# 1.133 23-Jul-2002 henning

timeout_list/_spec and limit_list/_spec don't return anything -> no %type.

ok theo


# 1.132 21-Jul-2002 deraadt

fix route-to also


# 1.131 21-Jul-2002 deraadt

make the , optional in many places. This makes string concat a lot more
useful. Now you can
in = ssh domain www
out = $in ftp finger
pass in proto tcp from any to any port { $in }
pass out proto tcp from any to any port { $out }
a poor example, but the idea is obvious


# 1.130 21-Jul-2002 deraadt

string concat, ie.
a=a b
c=$a $a


# 1.129 20-Jul-2002 deraadt

minor indent tweaks


# 1.128 20-Jul-2002 deraadt

properly split yacc and lex use


# 1.127 19-Jul-2002 deraadt

minor tweaks, sigh


# 1.126 19-Jul-2002 dhartmei

And back out the last change again.


# 1.125 19-Jul-2002 henning

rework the interface lookup routines internals.
less and easier code than before.
no functional changes.

ok frantzen@, dhartmei@


# 1.124 19-Jul-2002 dhartmei

Support # comments at the end of lines and inside (multi-line) string
literals, so you can do things like

macro="{ foo, # first entry
bar, # second entry
baz }" # last entry

or

pass in on $ext_if \ # external interface
proto tcp \ # TCP connections
from any to $ext_if \ # to the gateway itself
keep state

And sneaking in two minor fixes for KNF.


# 1.123 19-Jul-2002 henning

deal with the fact that the struct node_host ifa_pick_ip gets is not always
the result of an interface expansion. in this case ifa_pick_ip does an
address family check (that's actually a (wanted) side effect). Thus, we need
to spit out a meaningful error message in case of a mismatch.
also adjust all the other error messages, they were also assuming that nh is
the result of an interface expansion.
after a looooong discussion on icb (dhartmei@, pb@, me) we agreed on the term
"translation address" for that.

okay dhartmei@


# 1.122 17-Jul-2002 henning

support "self" as address. self expands to all IPv4 and IPv6 addresses of
the machine, on all interfaces. I wanted
block in log on ! lo0 from any to self
for years, and now it's possible.

ok "I may lose my slacking status if I OK it" frantzen@
ok dhartmei@

documentation in pf.conf.5 to come with pb@'s rewrite


# 1.121 16-Jul-2002 dhartmei

Add nat_consistent() and rdr_consistent() for checks that should occur
after rule expansion, similar to rule_consistent(). Fixes the
non-effective test for rdr rules for non-TCP/UDP protocols with ports,
found by mpech@, ok frantzen@


# 1.120 15-Jul-2002 henning

add support for
pass|block on ! $interface ...

ok dhartmei@

will be documented in pf.conf(5) by "I'm not slacking!" pb@ who's currently
reworking this manpage


# 1.119 15-Jul-2002 pb

cosmetics/consolidations to manpage in yyerror()s

ok henning@, dhartmei@


# 1.118 15-Jul-2002 henning

o complain about keep state on block rules
o complain about return-rst on rules which aren't limited to tcp

pointed out by not-slacking-but-testing pb@

ok pb@, dhartmei@


# 1.117 13-Jul-2002 henning

add list expansion for interface and proto in nat rules and for proto in rdr
rules (interface was already there). since the nat.conf/pf.conf merge the
parser accepted these but didn't expand them. ugh.

ok dhartmei@


# 1.116 09-Jul-2002 itojun

check sin6_scope_id field, just in case we change the routing socket API
for scoped address (unlikely due to the deployed codebase...).


# 1.115 09-Jul-2002 itojun

getifaddrs(3) grabs link-local addrs in kernel internal form, convert them
into proper sockaddr_in6.


# 1.114 09-Jul-2002 henning

rework the interface-to-IP routines.

you can use interface names instead of an IP in most places. However, until
now, it was only expanded to the interface's first IPv4 address if existent
(and address family unset or inet) and the first IPv6 address otherwise.

this diff changes that. the interface is properly expanded to all IPs, IPv4
_and_ IPv6, now.

it also cleans up the lookup procedures (well, in fact, they are replaced by
a new one), there's no need for different procedures for IPv4 and IPv6. we
now just have one list of interfaces (AF_LINK) and one list with IPs
(AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and
ifa_lookup.

nat, rdr & friends now use the new function ifa_pick_ip to get the IP in
rules like

nat on $interface from $whatever to any -> $interface

ifa_pick_ip tries to be smart.
if the interface has only one IP address and the nat rule doesn't specify an
address family (or it matches with this address), take this one.
If the address family is specified in the nat rule and there is only one IP
for the given address family, this one is used. if the address family is not
specified and there is more than one IP pfctl throws an error. The same
applies for multiple IPs per address family.

This causes regression tests 18 and 20 to fail because the address family
isn't specified there; diff for those coming.

also fix some prototypes while I'm here.

pb@ found another problem while testing that we must have introduced somewhat
after 3.1.

$cat t
nat on ne3 from any to any -> 213.128.133.5
$pfctl -nvf t
nat on ne3 all -> ?

it's only a representation bug as far as I've checked, nonetheless it should
be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just
steal its target's IP af and set the rule's af accordingly. then inet_ntop
does play nice.
binat rules already enforce having an address family set always and thus are
not affected.

ok dhartmei@, pb@, kjell@
"It looks good" frantzen@


# 1.113 08-Jul-2002 dhartmei

Don't allow 'flags' option in non-TCP rules, found by mpech@


# 1.112 05-Jul-2002 henning

unbreak.


# 1.111 05-Jul-2002 henning

another small bug I found while installing a -current pf firewall.
we don't support

pass/block in on ! <interface>

(at least, not yet)
let the parser complain instead of ignoring the '!'

ok pb@, dhartmei@


# 1.110 01-Jul-2002 espie

streamline parse buffer handling (no need to copy value that is not
going to go away).

add explicit pushback buffer, to be able to push IPv6 failed parses back.

handle pushback + parse buffer interactions by using negative indices.

okay dhartmei@, deraadt@


# 1.109 01-Jul-2002 deraadt

KNF


# 1.108 28-Jun-2002 dhartmei

Don't check for address family conflicts in nat/rdr before expansion,
rules will expand to all valid combinations, and there's an error when
none is found. Makes "nat on tun0 from 10.0.0.0/8 to any -> (tun0)"
work (again).


# 1.107 25-Jun-2002 henning

move pfctl options -t, -m, -O and -l to pf.conf. These are set using the
"set" keyword. example rulefile:

set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all

fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@


# 1.106 24-Jun-2002 dhartmei

Use interface when specified in scrub rule. No support for ! or {} yet.


# 1.105 23-Jun-2002 deraadt

uid_t and gid_t are unsigned


# 1.104 20-Jun-2002 dhartmei

Copy address family from inet/inet6 keyword, if specified.


# 1.103 18-Jun-2002 frantzen

propagate a '!' when a host resolves to multiple IP addresses
ok dhartmei@


# 1.102 18-Jun-2002 frantzen

don't allow individual keep state rules to specify timeouts for 'interval' and
'frag' -- they aren't applied anyway
ok dhartmei@ and henning@


# 1.101 16-Jun-2002 aaron

Rules must in order -> Rules must be in order


# 1.100 15-Jun-2002 dhartmei

Reset rulestate in parse_rules(), so consecutive calls (like from authpf)
will not fail. Reported by Chris Kuethe.


# 1.99 13-Jun-2002 kjell

Fix the numbering of scrub rules. pointed out and oked by frantzen@


# 1.98 12-Jun-2002 kjell

Fix uninitialized access. Spotted by danh@ This is a good reason to
develop with "ln -s 'J' /etc/malloc.conf" enabled.
ok henning@


# 1.97 11-Jun-2002 frantzen

split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@. the rest are slacking


# 1.96 11-Jun-2002 frantzen

SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@


# 1.95 11-Jun-2002 dhartmei

Make NAT proxy port range configurable per rule, for instance privileged
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@


# 1.94 10-Jun-2002 kjell

Merge the NAT and rules files into a single rulefile. Rules must be
in this order, to remove any ambiguity about what order things happen in:

scrub rules
nat rules
filter rules

The -N and -R modifiers go away. Rulefiles are now loaded with the
more POSIXly-correct '-f'

ok frantzen@


# 1.93 10-Jun-2002 dhartmei

Allow ports to be specified in nat rules, useful later on for individual
proxy port ranges.


# 1.92 10-Jun-2002 dhartmei

Move enum out of struct (gcc 3.1 wasn't happy), from David Krause


# 1.91 10-Jun-2002 kjell

split scrub rule processing into its own yacc target,
for imminent config file merge. ok frantzen@


# 1.90 09-Jun-2002 dhartmei

Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it
includes ports and operator.


# 1.89 09-Jun-2002 deraadt

spaced out developers...


# 1.88 09-Jun-2002 kjell

Add list parsing in RDR rules: e.g.

rdr on $IFLIST proto tcp from $SRC_LIST to $DST_LIST port 21 \
-> 127.0.0.1 port 8021

ok dhartmei@


# 1.87 08-Jun-2002 henning

nuke unused parameter af to expand_label_port
ok dhartmei@, pb@


# 1.86 08-Jun-2002 dhartmei

Change remaining read-only lookup tables to const, suggestion drahn@


# 1.85 08-Jun-2002 itojun

comment on IPv6 link-local twists


# 1.84 08-Jun-2002 kjell

add list expansion to src/dest in NAT rules. i.e.

nat on fxp0 from { 10.0.0.0/24, 10.0.1.0/24 } to \
{ 172.6.1.1, 172.14.1.2/32 } -> fxp0

ok theo, dhartmei@


# 1.83 08-Jun-2002 henning

remove macro concatenation via += per Theo's advice


# 1.82 08-Jun-2002 henning

allow macro concatenation like
webservers = "{ 10.0.0.1, 10.0.0.7, 10.0.0.8, "
webservers += " 10.0.0.17, 10.0.0.25, 10.0.0.37 }"
ok frantzen@, dhartmei@


# 1.81 08-Jun-2002 dhartmei

Make state timeouts configurable per rule, like

pass in from any to any port www keep state (tcp.established 60)

ok frantzen@


# 1.80 08-Jun-2002 henning

expand $nr -> rule number in rule labels
okay dhartmei@, frantzen@


# 1.79 08-Jun-2002 henning

expand $proto in rule labels
okay frantzen@ dhartmei@


# 1.78 07-Jun-2002 dhartmei

Handle realloc() failure gracefully. Terminates with err() anyway in this
case, but we don't want to trigger "p = realloc(p," grepping causing false
alarms here.


# 1.77 07-Jun-2002 deraadt

henning, read this to see what i mean by KNF


# 1.76 07-Jun-2002 pb

add the possibility to configure a TTL while return-rst

ok dhartmei@, ipv6 part itojun@ ok


# 1.75 07-Jun-2002 dhartmei

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@


# 1.74 07-Jun-2002 henning

allow using $srcaddr, $srcport, $dstaddr and $dstport in rule labels,
evaluated at parse time.
ok dhartmei@


# 1.73 07-Jun-2002 itojun

make IPv6 scope identification work for dst (from any to fe80::1%lo0)


# 1.72 07-Jun-2002 itojun

support scoped IPv6 address in from/to portion.


# 1.71 01-Jun-2002 hugh

ECN flag support for pf. Committed in consultation with Daniel.


# 1.70 24-May-2002 dhartmei

Support mixed (IPv4/v6) address lists, expand to all possible and valid
combinations. 'pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }' will
expand to two rules, 'from 10.1.2.3 to 10.4.5.6' and 'from ::1 to ::2'.
Also applies to host name resolution (when multiple addresses are returned
for one name). ok frantzen@, itojun@


# 1.69 23-May-2002 deraadt

tiny KNF, some malloc checks, etc


# 1.68 23-May-2002 itojun

new_addr is not used from anywhere. daniel@benzedrine.cx ok


# 1.67 19-May-2002 deraadt

KNF


# 1.66 12-May-2002 dhartmei

Explain that user/group 'unknown' can only be used with operators = and !=
and refuse other constructs in the parser. Also note that 'user >= 0' does
not match forwarded packets with unknown user ID.


# 1.65 12-May-2002 dhartmei

Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.


# 1.64 10-May-2002 dhartmei

Handle host name resolution returning multiple addresses in the rule
parser (expand to every address). ok frantzen@


# 1.63 09-May-2002 jasoni

Add a max-mss option to the scrub rule which will enforce a maximum mss
by lowering it to the given value.
- ok dhartmei@, provos@


# 1.62 09-May-2002 dhartmei

Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.


# 1.61 24-Apr-2002 dhartmei

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).


# 1.60 23-Apr-2002 dhartmei

Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.


# 1.59 18-Apr-2002 deraadt

use strlcpy


# 1.58 17-Apr-2002 dhartmei

Reset lineno for each file, so pfctl -R ... -N ... reports the right
line number for non-first files. Reported by aaron@


Revision tags: OPENBSD_3_1_BASE
# 1.57 27-Mar-2002 mickey

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok


# 1.56 27-Feb-2002 dhartmei

Instead of printing useless @0 rule numbers from pfctl -vR, increase a
counter. Helps debugging rule sets that are not loaded. Suggested by
John Kerbawy.


# 1.55 11-Jan-2002 mickey

use bsearch() for keywords lookup, swap couple of entries to make the keywords array sorted and add a comment to keep it that way; dhartmei@ ok


# 1.54 10-Jan-2002 hugh

Let port 0 be specified as it's not special here.
Agreement with Daniel and others.


# 1.53 09-Jan-2002 mpech

Port must be >0 and <=65535. Idea while having fun with ssh.

dhartmei@ ok


# 1.52 09-Jan-2002 mpech

free() 'interface' in {nat,binat,rdr}rule

dhartmei@ ok


# 1.51 09-Jan-2002 dhartmei

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.


# 1.50 08-Jan-2002 dhartmei

Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.


# 1.49 07-Jan-2002 mpech

remove 3rd argument from ipmask(), not used.

dhartmei@ ok


# 1.48 23-Dec-2001 deraadt

find correct line number in lval, instead of val


# 1.47 10-Dec-2001 dhartmei

Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.


# 1.46 05-Dec-2001 dhartmei

Correctly parse hex numbers. Spotted by Claudio Jeker. Closes PR 2234.


# 1.45 03-Dec-2001 dhartmei

For nat, binat and rdr rules, don't allow different address families in
one rule. pf can't translate IPv4 <-> IPv6 packets. Such rules didn't work,
even if they were falsely accepted before.


# 1.44 26-Nov-2001 jasoni

add fastroute options similar to what is found in ipf
ok dhartmei@, frantzen@


# 1.43 05-Nov-2001 deraadt

noone responds.
this diff makes } and { not be part of symbols


# 1.42 24-Oct-2001 dhartmei

Check interface names using ifa0_lookup() and print error message for
non-existent interfaces (instead of the generic ioctl error returned by
the kernel in this case).


Revision tags: OPENBSD_3_0_BASE
# 1.41 15-Oct-2001 dhartmei

branches: 1.41.2;
Add 'allow-opts' to rules. Packets with IP options will be blocked by
default now, and can be allowed per rule. ok deraadt@


# 1.40 11-Oct-2001 frantzen

Don't htonl() past buffer bounds if ipmask == 128


# 1.39 07-Oct-2001 dhartmei

Add interface name to address translation to pfctl, document it and add
a regress test. Translation is done on rule set load-time only, so the
rule sets must be reloaded when an interface address changes.
parse.y patch from Cedric Berger. Similar patch from Jonathon Fletcher.
Thanks to both.


# 1.38 01-Oct-2001 markus

print variable assignments only if -v is given. ok dhartmei/deraadt


# 1.37 28-Sep-2001 dhartmei

Support underscores in macro names and document it in the man page.


# 1.36 20-Sep-2001 dhartmei

Fix uninitialized structure fields. Problem reported by Cedric Berger.


# 1.35 15-Sep-2001 wilfried

Implement return-icmp(number), return-icmp6(number)
Differentiate between return-icmp and return-icmp6,
icmp-type and ipv6-icmp-type. ok dhartmei@


# 1.34 15-Sep-2001 dhartmei

Fix 'binat ... to any ...' (binat.af wasn't set).


# 1.33 15-Sep-2001 dhartmei

Parse bug, found by wilfried@


# 1.32 15-Sep-2001 frantzen

IPv6 support from Ryan McBride (mcbride@countersiege.com)


# 1.31 12-Sep-2001 markus

check calloc() return value


# 1.30 06-Sep-2001 jasoni

- you can only binat between hosts
- add binat example and description


# 1.29 06-Sep-2001 jasoni

1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@


# 1.28 04-Sep-2001 dhartmei

Support parameter lists {} for interfaces in filter rules, like
pass in on { gm0, kue0 } from any to any


# 1.27 28-Aug-2001 markus

move '!' from host_list to host: "xhost : '!' host | host;"; ok dhartmei@


# 1.26 28-Aug-2001 markus

check for malloc/strdup == NULL


# 1.25 28-Aug-2001 dhartmei

Support ! operator in host parameter lists. Fixes PR system/2030. Reported
by Kamil Andrusz <wizz@mniam.net>.


# 1.24 26-Aug-2001 deraadt

sort keywords


# 1.23 25-Aug-2001 frantzen

PF ISN randomization. Or in trekkie techno-babble, ISN phase modulation.


# 1.22 23-Aug-2001 millert

o for a port_item, initialize the "next" pointer to NULL
o for an address, use calloc() instead of malloc() so the struct is zeroed
Fixes a SEGV in pfctl due to uninitialized "next" pointers.


# 1.21 23-Aug-2001 deraadt

Support var="string". Expansion (at lex time) done using $var, for instance:
okproto="{ssh, smtp, domain, auth}"
pass in on key0 proto tcp from any to any port $okproto keep state
Can I ask someone else to document this in pf.conf(5)?


# 1.20 19-Aug-2001 dhartmei

Add parameter list support to parser. Handles lists for protocol, hosts
and ports in filter rules, like

block in from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
pass in proto tcp from any to any port { ssh, 1024 >< 2000, > 65000 }
block in proto { udp, igmp }

and does rule expansion (generate all needed rule combinations).


# 1.19 16-Aug-2001 deraadt

track the line number per-token, so that we can report errors correctly


# 1.18 14-Aug-2001 mickey

optimize the flags parsing; markus@ ok


# 1.17 11-Aug-2001 deraadt

\+\n support, and spit out cc-style error messages. the parser's line
counting is lex dependent, and will need to be tweaked


# 1.16 31-Jul-2001 wilfried

allow to test that flags are unset, ok dhartmei@, mickey@


# 1.15 19-Jul-2001 krw

Fix/complete the handling of the binary ops >< and <> to behave
like the ipf operators.

The 'n >< m' construct (Include Range = PF_OP_IRG) should match
ports greater than n and less than m, not greater than or equal to
n and less than or equal to m.

The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match
all ports less than n OR greater than m, not be treated as an
alias for ><.

Thus PF_OP_GL, which was used for both <> and >< is replaced with
PF_OP_IRG and PF_OP_XRG with the 'correct' semantics.

OK dhartmei@


# 1.14 18-Jul-2001 markus

new ERROR token, errx() -> warnx() + ERROR; ok deraadt@


# 1.13 18-Jul-2001 markus

KNF for return


# 1.12 18-Jul-2001 mickey

check number range to fit in 32 bits


# 1.11 18-Jul-2001 mickey

put range checks on NUMBER, pointed out by deraadt


# 1.10 17-Jul-2001 mickey

spaces, parens, err instead of errx+strerror


# 1.9 17-Jul-2001 markus

warnx()/YYERROR instead of errx(); suggested by mickey@


# 1.8 17-Jul-2001 provos

markus doesn't like min-ttl =, begone


# 1.7 17-Jul-2001 provos

support min-ttl, okay dhartmei@


# 1.6 17-Jul-2001 provos

normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@


# 1.5 17-Jul-2001 marc

bitch about ! in pf rule; ok dhartmei@ and markus@


# 1.4 17-Jul-2001 millert

Only set default proto in the rdr case; markus@ OK


# 1.3 16-Jul-2001 markus

errx() if getservbyname() fails


# 1.2 16-Jul-2001 markus

better flags parsing; dhartmei


# 1.1 16-Jul-2001 markus

add a yacc parser for pf.conf and nat.conf, with help from mickey@,
plus: -n now turns off all operations, and just parses the conf files
ok deraadt@