1.62 | 15-Jan-2020 | kn
Do the actual pfr_strerror() to pf_strerror() rename
Missed in previous

1.61 | 15-Jan-2020 | sashan
Enable pfctl(8) to recursively flush rules and tables from the PF driver. The recursive operation ("pfctl -a '*' ...") works for the '-s' option already. This change enables the same thing for the '-F' option, so "pfctl -a '*' -Fa" will flush everything from the PF driver.
The idea was discussed with many on tech@ in spring 2019.
OK kn@

Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE

1.60 | 11-Jan-2019 | kn
When creating tables inside anchors, pfctl warned about namespace collisions with global tables, but only in certain cases and with limited information, sometimes leaving users clueless.
By deferring the check to process_tabledefs(), where tables are eventually created, both anchor and table name are known, which allows for checking all existing anchors.
With this, warn on all duplicates even in dry-runs (`-n') and print quoted names so they can be copied to fix configurations right away.
No functional change in parsing or ruleset production.
Discussed with and OK sashan

1.59 | 02-Jan-2019 | kn
Error out on missing table command, zap internal wrapper function
Table name and table command require each other as reflected in the synopsis [-t table -T command [address ...]], so print usage and exit if only one of them is given.
By moving the inter-dependence check right after option parsing is done, we can bail out even before opening pf(4) and drop the internal wrapper pfctl_command_tables() as unneeded indirection with now duplicate checks.
OK sashan

1.58 | 02-Jan-2019 | kn
Zap unused segment struct definition
There since import and last used by ALTQ which henning removed in 2004.
OK sashan

Revision tags: OPENBSD_6_4_BASE

1.57 | 06-Sep-2018 | kn
Remove unused af argument from unmask()
This has been unused for years.
While here, zap the duplicate function signature from pfctl.h (already present in pfctl_parser.h); spotted by sashan, thanks.
OK sashan

1.56 | 24-Jul-2018 | kn
Move duplicate code into new helper print_addr_str()
This simply puts the wiggle around inet_ntop() from four into one location.
OK benno

Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE

1.55 | 11-Aug-2017 | benno
add option -N (no domain resolution). manpage wording and reminder about usage() jmc@. ok florian@ henning@

1.54 | 15-Jul-2017 | awolk
sbin/pfctl: void functions and exit(3) on error
Changes: voided:
- pfctl_clear_tables
- pfctl_show_tables
- pfctl_show_ifaces
Those functions now exit(3) in case of error instead of passing it up to the callers (where it was ignored).
OK mikeb@, sashan@

Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE OPENBSD_6_1_BASE

1.53 | 19-Jan-2015 | deraadt
DEFAULT_PRIORITY and DEFAULT_QLIMIT no longer used

Revision tags: OPENBSD_5_6_BASE

1.52 | 19-Apr-2014 | henning
remove altq bits here, too (i was convinced i committed that yesterday already, hrm)

Revision tags: OPENBSD_5_5_BASE

1.51 | 12-Oct-2013 | henning
config bits for the bandwidth shaping part of the new queueing subsystem. syntax worked out with many in Ljubljana using a whiteboard; testing & looking over by many. ok phessler sthen

Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE

1.50 | 08-Jul-2012 | lteo
New attempt to make the -P flag work with -ss, so that states can be printed with port names if desired.
tcpdump's pf_print_state.c has diverged significantly from pfctl's, so the change to tcpdump's pf_print_state.c is not exactly the same as pfctl's.
ok henning sthen

1.49 | 01-Jun-2012 | jsg
revert previous, breaks tcpdump spotted by jmc@

1.48 | 01-Jun-2012 | lteo
Make the -P flag work with -ss, so that states can be printed with port names if desired.
ok henning

Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE

1.47 | 27-Jul-2011 | mcbride
Add support for weighted round-robin in load balancing pools and tables. Diff from zinke@ with some minor cleanup. ok henning claudio deraadt

Revision tags: OPENBSD_4_9_BASE

1.46 | 12-Nov-2010 | claudio
The ioctl to show states returns a pfsync_state which is in network byte order and therefore a ntohs is needed to show the rdomain correctly. OK henning@ dlg@

Revision tags: OPENBSD_4_8_BASE

1.45 | 23-Mar-2010 | henning
remove -A, -O, -R and -T load. the partial loading of a ruleset (leaving anchors aside) is wrong and conflicts with the general idea of how pf works. last but not least it breaks with the optimizer generating tables automagically. ok deraadt sthen krw, manpage jmc

Revision tags: OPENBSD_4_7_BASE

1.44 | 03-Nov-2009 | claudio
rtables are stacked on rdomains (it is possible to have multiple routing tables on top of a rdomain) but until now our code was a crazy mix so that it was impossible to correctly use rtables in that case. Additionally pf(4) only knows about rtables and not about rdomains. This is especially bad when tracking (possibly conflicting) states in various domains.
This diff fixes all or most of these issues. It adds a lookup function to get the rdomain id based on a rtable id. Makes pf understand rdomains and allows pf to move packets between rdomains (it is similar to NAT). Because pf states now track the rdomain id as well it is necessary to modify the pfsync wire format. So old and new systems will not sync up.
A lot of help by dlg@, tested by sthen@, jsg@ and probably more. OK dlg@, mpf@, deraadt@

Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE

1.43 | 29-May-2008 | mcbride
Second half of PF state table rearrangement.
- Mechanical change: Use arrays for state key pointers in pf_state, and addr/port in pf_state_key, to allow the use of indexes.
- Fix NAT, pfsync, pfctl, and tcpdump to handle the new state structures. In struct pfsync_state, both state keys are included even when identical.
- Also fix some bugs discovered in the existing code during testing. (in particular, "block return" for TCP packets was not returning an RST)
ok henning beck deraadt tested by otto dlg beck laurent
Special thanks to users Manuel Pata and Emilio Perea who did enough testing to actually find some bugs.

Revision tags: OPENBSD_4_3_BASE

1.42 | 05-Dec-2007 | chl
remove unused functions
from tobias@
ok mcbride@ tobias@

Revision tags: OPENBSD_4_2_BASE

1.41 | 31-May-2007 | mcbride
Cope with new ioctl interface (use pfsync_state instead of pf_state)
ok henning@ toby@ pyr@

Revision tags: OPENBSD_4_1_BASE

1.40 | 09-Feb-2007 | henning
use DIOCGETRULE ioctl & action set to PF_GET_CLR_CNTR to clear counters with -z instead of DIOCCLRRULECTRS. Unbreaks -z with anchors and makes the read & reset operation atomic. instrument pfctl_show_rules() to clear counters while reading rules and add a new output format for it, showing nothing, if only resetting counters without actually displaying them is requested. minor cleanups on the way. ok dhartmei & agreement from theo and ryan

Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE

1.39 | 28-Jan-2006 | henning
zap unused function From: Andrey Matveev <evol@online.ptt.ru>

Revision tags: OPENBSD_3_8_BASE

1.38 | 21-May-2005 | henning
clean up and rework the interface abstraction code big time, rip out multiple useless layers of indirection and make the code way cleaner overall. this is just the start, more to come... worked very hard on by Ryan and me in Montreal last week, on the airplane to Vancouver and yesterday here in Calgary. it hurt. ok ryan theo

Revision tags: OPENBSD_3_7_BASE

1.37 | 05-Jan-2005 | mcbride
Modify pfctl behaviour so that 'set ...' options are no longer "sticky", ie. they are reset to default values if omitted from a subsequent ruleset load. Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set without resetting the others, eg:
  # echo "set loginterface fxp0" | pfctl -mf -
ok henning@ dhartmei@

Revision tags: OPENBSD_3_6_BASE

1.36 | 14-Jun-2004 | cedric
Remove unused functions. ok beck@ henning@

1.35 | 19-May-2004 | dhartmei
Allow recursive anchors (anchors within anchors, up to 64 levels deep). More work required, but this is already functional. authpf users will need to adjust their anchor calls, but this will change again soon. ok beck@, cedric@, henning@, mcbride@

1.34 | 09-Apr-2004 | cedric
Do not try to load directories. found+ok mpech@

Revision tags: OPENBSD_3_5_BASE

1.33 | 19-Feb-2004 | cedric
Makes pfctl -ss and pfctl -sq use optional -i argument. ok dhartmei@ markus@ mcbride@

1.32 | 17-Feb-2004 | cedric
add -i flag, use it for -sI as a start. ok henning@, ok+test mcbride@

1.31 | 10-Feb-2004 | dhartmei
KNF

1.30 | 29-Jan-2004 | mcbride
Clean up 'pfctl -s all' output.
ok deraadt@ henning@

1.29 | 31-Dec-2003 | cedric
Many improvements to the handling of interfaces in PF.
1) PF should do the right thing when unplugging/replugging or cloning/destroying NICs.
2) Rules can be loaded in the kernel for not-yet-existing devices (USB, PCMCIA, Cardbus). For example, it is valid to write: "pass in on kue0" before kue USB is plugged in.
3) It is possible to write rules that apply to a group of interfaces (drivers), like "pass in on ppp all"
4) There is a new ":peer" modifier that completes the ":broadcast" and ":network" modifiers.
5) There is a new ":0" modifier that will filter out interface aliases. Can also be applied to DNS names to restore original PF behaviour.
6) The dynamic interface syntax (foo) has been vastly improved, and now supports multiple addresses, v4 and v6 addresses, and all userland modifiers, like "pass in from (fxp0:network)"
7) Scrub rules now support the !if syntax.
8) States can be bound to the specific interface that created them or to a group of interfaces, for example:
   - pass all keep state (if-bound)
   - pass all keep state (group-bound)
   - pass all keep state (floating)
9) The default value when only keep state is given can be selected by using the "set state-policy" statement.
10) "pfctl -ss" will now print the interface scope of the state.
This diff changes the pf_state structure slightly, so you should recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)
Tested on i386, sparc, sparc64 by Ryan. Tested on macppc, sparc64 by Daniel.
ok deraadt@ mcbride@

1.28 | 06-Nov-2003 | henning
KNF

1.27 | 08-Oct-2003 | henning
fix cedric's breakage: int is not the same as u_long; this caused an integer overflow on our 64 bit archs and thus made pf not work there
ok mcbride@ marc@ millert@ cedric@

1.26 | 26-Sep-2003 | cedric
Rearchitecture of the userland/kernel IOCTL interface for transactions. This brings us close to 100% atomicity for a "pfctl -f pf.conf" command. (some splxxx work remains in the kernel). Basically, improvements are:
- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.
WARNING: The kernel code is fully backward compatible, but the new pfctl/authpf userland utilities will only run on a new kernel.
The following ioctls are deprecated (i.e. will be deleted sooner or later, depending on how many 3rd party utilities use them and how soon they can be upgraded):
- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE
They are replaced by the following ioctls (yes, PF(4) will follow) which operate on a vector of rulesets:
- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK
Ok dhartmei@ mcbride@

Revision tags: OPENBSD_3_4_BASE

1.25 | 29-Aug-2003 | cedric
Document interactions between tables and anchors. Add a warning on global/anchor name clashes to help prevent mistakes from our users during the 3.3 -> 3.4 switch. ok henning@

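The following is an added example and not pfctl's own code or the check process_tabledefs() performs; it illustrates the global/anchor table name clash warning that revisions 1.60 and 1.25 above describe, as a stand-alone pre-flight linter a ruleset can be run through before "pfctl -f". It assumes a simplified pf.conf subset (a "table <name> ..." definition on its own line, anchors written as 'anchor "name" ... {' with the closing brace alone on a line, and "#" comments); the sample ruleset embedded in it is constructed for the example.

```python
"""Pre-flight check for pf.conf table names that collide across rulesets.

Added example, not pfctl's code: it mimics the warning the commit log
describes (a table defined in an anchor that clashes with a table of the
same name in the main ruleset or in another anchor) on a simplified
subset of pf.conf syntax, so a config can be linted before `pfctl -f`.
Assumptions: `table <name> ...` on its own line, anchors written as
`anchor "name" ... {` with the closing `}` alone on a line, `#` comments.
"""
import re
from typing import Dict, List, Tuple

TABLE_RE = re.compile(r'^\s*table\s+<([^>]+)>')
ANCHOR_OPEN_RE = re.compile(r'^\s*anchor\s+"([^"]+)".*\{\s*$')
ANCHOR_CLOSE_RE = re.compile(r'^\s*\}\s*$')


def collect_tables(conf: str) -> List[Tuple[str, str]]:
    """Return (anchor_path, table_name) pairs in definition order.

    anchor_path is '' for the main ruleset and the nested anchor names
    joined with '/' (e.g. 'outer/inner') inside anchors.
    """
    stack: List[str] = []
    found: List[Tuple[str, str]] = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split('#', 1)[0]          # drop trailing comments
        m = ANCHOR_OPEN_RE.match(line)
        if m:
            stack.append(m.group(1))
            continue
        if ANCHOR_CLOSE_RE.match(line):
            if not stack:
                raise ValueError(f'line {lineno}: "}}" without an open anchor')
            stack.pop()
            continue
        m = TABLE_RE.match(line)
        if m:
            found.append(('/'.join(stack), m.group(1)))
    if stack:
        raise ValueError('unterminated anchor block: ' + '/'.join(stack))
    return found


def table_collisions(conf: str) -> List[str]:
    """Warnings for every table name defined in more than one ruleset scope.

    Names are quoted so they can be pasted straight into a fix, as the
    pfctl change describes. A table redefined twice inside the same
    scope is not a cross-ruleset clash and is not reported here.
    """
    scopes_by_name: Dict[str, List[str]] = {}
    for anchor, name in collect_tables(conf):
        scopes = scopes_by_name.setdefault(name, [])
        if anchor not in scopes:
            scopes.append(anchor)
    warnings: List[str] = []
    for name in sorted(scopes_by_name):
        scopes = scopes_by_name[name]
        if len(scopes) < 2:
            continue
        labels = ['main ruleset' if s == '' else f'anchor "{s}"' for s in scopes]
        warnings.append(
            f'table "{name}" is defined in more than one ruleset: ' + ', '.join(labels))
    return warnings


# Constructed sample ruleset for the example; not a real configuration.
SAMPLE_CONF = """\
table <bad_hosts> persist file "/etc/bad_hosts"
table <admins> { 192.0.2.10 192.0.2.11 }
block in quick from <bad_hosts>
anchor "dmz" {
    table <bad_hosts> { 198.51.100.0/24 }   # shadows the global table
    pass in proto tcp to port 443
}
anchor "lab" {
    table <scanners> { 203.0.113.0/24 }
    anchor "nested" {
        table <admins> { 203.0.113.5 }      # shadows the global table
    }
}
"""

if __name__ == '__main__':
    for warning in table_collisions(SAMPLE_CONF):
        print('warning:', warning)
```

Run as a script it lints the embedded sample and reports the two clashes ("admins" and "bad_hosts"); on a real ruleset, pass the file contents to table_collisions() before loading. A reported clash means two different address sets share one name across rulesets, which is exactly the mistake the pfctl warning was added to catch, and catching it in a linter or in a "pfctl -n" dry run is cheaper than finding it after the load.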
1.24 | 31-Jul-2003 | cedric
Make table tickets per-ruleset instead of global. Make table tickets u_int32_t for consistency with other parts of PF. Ok dhartmei@ henning@

1.23 | 04-Jul-2003 | henning
KNF after cedric (grmpf)

1.22 | 03-Jul-2003 | cedric
This patch finally cleans up pfctl_table.c. No more global buffer, and a couple of parsing functions moved to parse.y or pfctl_parser where they belong.
I also took the opportunity to replace "void" functions with exit(1) or err() inside by "int" functions, with the caller checking the return value for errors (much cleaner and an old request from Theo)
ok dhartmei@ henning@

1.21 | 30-Jun-2003 | cedric
Buffer management functions. ok dhartmei@

1.20 | 27-Jun-2003 | cedric
Reorg part I: move 3 functions out of pf_table.c to pf_radix.c ok dhartmei@

1.19 | 08-Jun-2003 | cedric
A table in an anchor creates a real anchor: pfctl -sA works. The following two pfctl functions work with an "-a" option:
- pfctl [-a foo[:bar]] -sT
- pfctl [-a foo[:bar]] -FT
ok dhartmei@

1.18 | 30-Apr-2003 | cedric
Allow tables to be loaded into anchors. Most pfctl table commands (excluding 'show' and 'flush') support the "-a" modifier. ok dhartmei@

1.17 | 14-Apr-2003 | henning
let print_altq and print_queue take a struct node_queue_bw parameter instead of distinct bw_percent

1.16 | 11-Apr-2003 | henning
qname_to_qid and qname_to_pfaltq can be private functions now; nothing outside pfctl_altq.c uses them any more, nor should.

1.15 | 11-Apr-2003 | henning
kill dead code. qid_to_qname is not used anywhere. moreover, I cannot think of any legitimate use; misuse is easy tho.

1.14 | 05-Apr-2003 | henning
allow queue specs to be limited to certain interfaces.
  altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two }
  queue one priority 1 priq(default)
  queue two on $if0 priority 15
  queue two on ! $if0 priority 0
ok dhartmei@

1.13 | 27-Mar-2003 | henning
lotsa const char * from David Hill <david at phobia.ms> a while ago

Revision tags: OPENBSD_3_3_BASE

1.12 | 06-Mar-2003 | henning
fix queue assignment on filter rules which are not bound to an interface. when looking up the queue IDs using qname_to_qid, we do not need to limit the matching on the interface in question, as it is guaranteed that same named queues on different interfaces have the same queue id. moreover, we must not limit the matches to the interface if we do not have an interface given on the filter rule to match on ;-)
found after problems reported by Andre Nathan <andre at v2r dot com dot br>
ok dhartmei@ pb@ cedric@

1.11 | 02-Mar-2003 | henning
when printing queues at load time that have bandwidth specified in percent, print the bandwidth in percent instead of the calculated absolute value. if a queue belongs to more than one interface and they have different bandwidth the calculated absolute is of course different per interface. previously the first calculated absolute value was shown, which of course is incorrect on the second interface. note that only the print was wrong, the correct values were passed to the kernel.
ok theo daniel

1.10 | 11-Feb-2003 | henning
allow macro definition on the command line:
  pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea theo), very handy if your notebook has another NIC at some conference, as well as for debugging etc. idea rezine@mistrusted.net via pb@, hacked live at FOSDEM
ok pb@ dhartmei@ cedric@

1.9 | 24-Jan-2003 | henning
let pfctl -vvsq loop and display measured bandwidth and packets/s per queue. cbq only for now.

1.8 | 24-Jan-2003 | henning
export rate2str

1.7 | 20-Jan-2003 | camield
no named parameters in prototypes
ok dhartmei cedric henning

1.6 | 20-Jan-2003 | cedric
Improve pfctl -vvs{r,n} output with rules containing tables. Shows the number of entries in the table or if the table is not active. ok dhartmei@, no objections.

1.5 | 09-Jan-2003 | henning
first attack at pfctl queue statistics, to be displayed with pfctl -vsq
This commit is dedicated to the cute KLM girls who made part of this possible by giving me a seat in the plane where you actually have enough space to hack. Thanks, girls.
ok markus@ dhartmei@

1.4 | 09-Jan-2003 | cedric
Add support for active/inactive tablesets in the kernel. Add table definition/initialisation construct in pfctl parser. Add and fix documentation for pf.4 and pf.conf.5. Tested on i386 and sparc64 by myself, macppc by Daniel. ok dhartmei@

1.3 | 07-Jan-2003 | dhartmei
Remove table name hashing (pass the name in each ioctl instead), and introduce reference counting for tables, they are now automatically created and deleted through referencing rules. Diff partly from cedric@. ok mcbride@, henning@, cedric@

1.2 | 04-Jan-2003 | henning
minor style

1.1 | 04-Jan-2003 | deraadt
I do not know where this policy of "one .h file for every .c file" comes from, but whoever thought of it is stupid.
#
1.60 |
|
11-Jan-2019 |
kn |
When creating tables inside anchors, pfctl warned about namespace collisions with global tables, but only in certain cases and with limited information sometimes leaving users clueless.
Deferring the check to process_tabledefs() where tables are eventually created, both anchor and table name are known which allows for checking all existing anchors.
With this, warn on all duplicates even in dry-runs (`-n') and print quoted names so they can be copied to fix configurations right away.
No functional change in parsing or ruleset production.
Discussed with and OK sashan
|
#
1.59 |
|
02-Jan-2019 |
kn |
Error out on missing table command, zap internal wrapper function
Table name and table command require each other as reflected in the synopsis [-t table -T command [address ...]], so print usage and exit if only one of them is given.
By moving the inter-dependence check right after option parsing is done, we can bail out even before opening pf(4) and drop the internal wrapper pfctl_command_tables() as unneeded indirection with now duplicate checks.
OK sashan
|
#
1.58 |
|
02-Jan-2019 |
kn |
Zap unused segment struct definition
There since import and last used by ALTQ which henning removed in 2004.
OK sashan
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.57 |
|
06-Sep-2018 |
kn |
Remove unused af argument from unmask()
This has been unused for years.
While here, zap the duplicate function signature from pfctl.h (already present in pfctl_parser.h); spotted by sashan, thanks.
OK sashan
|
#
1.56 |
|
24-Jul-2018 |
kn |
Move duplicate code into new helper print_addr_str()
This simply puts the wiggle around inet_ntop() from four into one location.
OK benno
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.55 |
|
11-Aug-2017 |
benno |
add option -N (no domain resolution) manpage wording and reminder about usage() jmc@ ok florian@ henning@
|
#
1.54 |
|
15-Jul-2017 |
awolk |
sbin/pfctl: void functions and exit(3) on error
Changes: voided: - pfctl_clear_tables - pfctl_show_tables - pfctl_show_ifaces
Those functions now exit(3) in case of error instead of passing it up to the callers (where it was ignored).
OK mikeb@, sashan@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE OPENBSD_6_1_BASE
|
#
1.53 |
|
19-Jan-2015 |
deraadt |
DEFAULT_PRIORITY and DEFAULT_QLIMIT no longer used
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.52 |
|
19-Apr-2014 |
henning |
remove altq bits here, too (i was convinced i committed that yesterday already, hrm)
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.51 |
|
12-Oct-2013 |
henning |
config bits for the bandwidth shaping part of the new queueing subsystem syntax worked out with many in ljubljana using a whiteboard, testing & looking over by many, ok phessler sthen
|
Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.50 |
|
08-Jul-2012 |
lteo |
New attempt to make the -P flag work with -ss, so that states can be printed with port names if desired.
tcpdump's pf_print_state.c has diverged significantly from pfctl's, so the change to tcpdump's pf_print_state.c is not exactly the same as pfctl's.
ok henning sthen
|
#
1.49 |
|
01-Jun-2012 |
jsg |
revert previous, breaks tcpdump spotted by jmc@
|
#
1.48 |
|
01-Jun-2012 |
lteo |
Make the -P flag work with -ss, so that states can be printed with port names if desired.
ok henning
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.47 |
|
27-Jul-2011 |
mcbride |
Add support for weighted round-robin in load balancing pools and tables. Diff from zinke@ with a some minor cleanup. ok henning claudio deraadt
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.46 |
|
12-Nov-2010 |
claudio |
The ioctl to show states returns a pfsync_state which is in network byte order and therefore a ntohs is needed to show the rdomain correctly. OK henning@ dlg@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.45 |
|
23-Mar-2010 |
henning |
remove -A, -O, -R and -T load the partial loading of a ruleset (leaving ancors aside) is wrong and conflicts with the general idea of how pf works. last not least it breaks with the optimizer generating tables automagically. ok deraadt sthen krw manpage jmc
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.44 |
|
03-Nov-2009 |
claudio |
rtables are stacked on rdomains (it is possible to have multiple routing tables on top of a rdomain) but until now our code was a crazy mix so that it was impossible to correctly use rtables in that case. Additionally pf(4) only knows about rtables and not about rdomains. This is especially bad when tracking (possibly conflicting) states in various domains. This diff fixes all or most of these issues. It adds a lookup function to get the rdomain id based on a rtable id. Makes pf understand rdomains and allows pf to move packets between rdomains (it is similar to NAT). Because pf states now track the rdomain id as well it is necessary to modify the pfsync wire format. So old and new systems will not sync up. A lot of help by dlg@, tested by sthen@, jsg@ and probably more OK dlg@, mpf@, deraadt@
|
Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.43 |
|
29-May-2008 |
mcbride |
Second half of PF state table rearrangement. - Mechanical change: Use arrays for state key pointers in pf_state, and addr/port in pf_state_key, to allow the use of indexes. - Fix NAT, pfsync, pfctl, and tcpdump to handle the new state structures. In struct pfsync_state, both state keys are included even when identical. - Also fix some bugs discovered in the existing code during testing. (in particular, "block return" for TCP packets was not returning an RST)
ok henning beck deraadt tested by otto dlg beck laurent
Special thanks to users Manuel Pata and Emilio Perea who did enough testing to actually find some bugs.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.42 |
|
05-Dec-2007 |
chl |
remove unused functions
from tobias@
ok mcbride@ tobias@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.41 |
|
31-May-2007 |
mcbride |
Cope with new ioctl interface (use pfsync_state instead of pf_state)
ok henning@ toby@ pyr@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.40 |
|
09-Feb-2007 |
henning |
use DIOCGETRULE ioctl & action set to PF_GET_CLR_CNTR to clear counters with -z instead of DIOCCLRRULECTRS. Unbreaks -z with anchors and makes the read & reset operation atomic. innstrument pfctl_show_rules() to clear counters while reading rules and add a new output format for it, showing nothing, if only resetting counters without actually displaying them is requested. minor cleanups on the way. ok dhartmei & agreement from theo and ryan
|
Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
|
#
1.39 |
|
28-Jan-2006 |
henning |
zap unused function From: Andrey Matveev <evol@online.ptt.ru>
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.38 |
|
21-May-2005 |
henning |
clean up and rework the interface absraction code big time, rip out multiple useless layers of indirection and make the code way cleaner overall. this is just the start, more to come... worked very hard on by Ryan and me in Montreal last week, on the airplane to vancouver and yesterday here in calgary. it hurt. ok ryan theo
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.37 |
|
05-Jan-2005 |
mcbride |
Modify pfctl behaviour so that 'set ...' options are no longer "sticky", ie. they are reset to default values if omitted from a subsequent ruleset load. Also: - make sure 'set ...' options are not loaded in anchors. - add a -m ("merge") flag to pfctl which allows an individual option to be set without reseting the others, eg: # echo "set loginterface fxp0" | pfctl -mf -
ok henning@ dhartmei@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.36 |
|
14-Jun-2004 |
cedric |
Remove unused functions. ok beck@ henning@
|
#
1.35 |
|
19-May-2004 |
dhartmei |
Allow recursive anchors (anchors within anchors, up to 64 levels deep). More work required, but this is already functional. authpf users will need to adjust their anchor calls, but this will change again soon. ok beck@, cedric@, henning@, mcbride@
|
#
1.34 |
|
09-Apr-2004 |
cedric |
Do not try to load directories. found+ok mpech@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.33 |
|
19-Feb-2004 |
cedric |
Makes pfctl -ss and pfctl -sq use optional -i argument. ok dhartmei@ markus@ mcbride@
|
#
1.32 |
|
17-Feb-2004 |
cedric |
add -i flag, use it for -sI as a start. ok henning@, ok+test mcbride@
|
#
1.31 |
|
10-Feb-2004 |
dhartmei |
KNF
|
#
1.30 |
|
29-Jan-2004 |
mcbride |
Clean up 'pfctl -s all' output.
ok deraadt@ henning@
|
#
1.29 |
|
31-Dec-2003 |
cedric |
Many improvements to the handling of interfaces in PF.
1) PF should do the right thing when unplugging/replugging or cloning/ destroying NICs.
2) Rules can be loaded in the kernel for not-yet-existing devices (USB, PCMCIA, Cardbus). For example, it is valid to write: "pass in on kue0" before kue USB is plugged in.
3) It is possible to write rules that apply to group of interfaces (drivers), like "pass in on ppp all"
4) There is a new ":peer" modifier that completes the ":broadcast" and ":network" modifiers.
5) There is a new ":0" modifier that will filter out interface aliases. Can also be applied to DNS names to restore original PF behaviour.
6) The dynamic interface syntax (foo) has been vastly improved, and now support multiple addresses, v4 and v6 addresses, and all userland modifiers, like "pass in from (fxp0:network)"
7) Scrub rules now support the !if syntax.
8) States can be bound to the specific interface that created them or to a group of interfaces for example:
- pass all keep state (if-bound) - pass all keep state (group-bound) - pass all keep state (floating)
9) The default value when only keep state is given can be selected by using the "set state-policy" statement.
10) "pfctl -ss" will now print the interface scope of the state.
This diff change the pf_state structure slighltly, so you should recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)
Tested on i386, sparc, sparc64 by Ryan Tested on macppc, sparc64 by Daniel
ok deraadt@ mcbride@
|
#
1.28 |
|
06-Nov-2003 |
henning |
KNF
|
#
1.27 |
|
08-Oct-2003 |
henning |
fix cedric's breakage: int is not the same as u_long caused an integer overflow on our 64 bit archs and thus made pf not working there
ok mcbride@ marc@ millert@ cedric@
|
#
1.26 |
|
26-Sep-2003 |
cedric |
Rearchitecture of the userland/kernel IOCTL interface for transactions. This brings us close to 100% atomicity for a "pfctl -f pf.conf" command. (some splxxx work remain in the kernel). Basically, improvements are:
- Anchors/Rulesets cannot disappear unexpectedly anymore. - No more leftover in the kernel if "pfctl -f" fail. - Commit is now done in a single atomic IOCTL.
WARNING: The kernel code is fully backward compatible, but the new pfctl/authpf userland utilities will only run on a new kernel.
The following ioctls are deprecated (i.e. will be deleted sooner or later, depending on how many 3rd party utilities use them and how soon they can be upgraded):
- DIOCBEGINRULES - DIOCCOMMITRULES - DIOCBEGINALTQS - DIOCCOMMITALTQS - DIOCRINABEGIN - DIOCRINADEFINE
They are replaced by the following ioctls (yes, PF(4) will follow) which operate on a vector of rulesets:
- DIOCXBEGIN - DIOCXCOMMIT - DIOCXROLLBACK
Ok dhartmei@ mcbride@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.25 |
|
29-Aug-2003 |
cedric |
Document interactions between tables and anchors. Add a warning on global/anchor name clashes to help prevent mistakes from our users during the 3.3 -> 3.4 switch. ok henning@
|
#
1.24 |
|
31-Jul-2003 |
cedric |
Make table tickets per-ruleset instead of global. Make table tickets u_int32_t for consistency with other parts of PF. Ok dhartmei@ henning@
|
#
1.23 |
|
04-Jul-2003 |
henning |
KNF after cedric (grmpf)
|
#
1.22 |
|
03-Jul-2003 |
cedric |
This patch finally cleanup pfctl_table.c. No more global buffer, and a couple of parsing functions moved to parse.y or pfctl_parser where they belong.
I also took the opportunity to replace "void" functions with exit(1) or err() inside by "int" functions, with the caller checking the return value for errors (much cleaner and an old request from Theo)
ok dhartmei@ henning@
|
#
1.21 |
|
30-Jun-2003 |
cedric |
Buffer management functions. ok dhartmei@
|
#
1.20 |
|
27-Jun-2003 |
cedric |
Reorg part I: move 3 functions out of pf_table.c to pf_radix.c ok dhartmei@
|
#
1.19 |
|
08-Jun-2003 |
cedric |
A table in an anchor creates a real anchor: pfctl -sA works. The following two pfctl functions work with an "-a" option: - pfctl [-a foo[:bar]] -sT - pfctl [-a foo[:bar]] -FT ok dhartmei@
|
#
1.18 |
|
30-Apr-2003 |
cedric |
Allow tables to be loaded into anchors. Most pfctl table commands (excluding 'show' and 'flush') support the "-a" modifier. ok dhartmei@
|
#
1.17 |
|
14-Apr-2003 |
henning |
let print_altq and print_queue take a struct node_queue_bw parameter instead of dintinct bw_percent
|
#
1.16 |
|
11-Apr-2003 |
henning |
qname_to_qid and qname_to_pfaltq can be private functions now; nothing outside pfctl_altq.c uses them any more, nor should.
|
#
1.15 |
|
11-Apr-2003 |
henning |
kill dead code. qid_to_qname is not used anywhere. moreover, I cannot think of any legitimate use; misuse is easy tho.
|
#
1.14 |
|
05-Apr-2003 |
henning |
allow queue specs to be limited to certain interfaces.
altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two } queue one priority 1 priq(default) queue two on $if0 priority 15 queue two on ! $if0 priority 0
ok dhartmei@
|
#
1.13 |
|
27-Mar-2003 |
henning |
lotsa const char * from David Hill <david at phobia.ms> a while ago
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.12 |
|
06-Mar-2003 |
henning |
fix queue assignment on filter rules which are not bound to an interface. when looking up the queue IDs using qname_to_qid, we do not need to limit the matching on the interface in question, as it is guaranteed that same named queues on different interfaces habe the same queue id. moreover, we must not limit the matches to the interface if we do not have an interface given on the filter rule to match on ;-)
found after problems reported by Andre Nathan <andre at v2r dot com dot br>
ok dhartmei@ pb@ cedric@
|
#
1.11 |
|
02-Mar-2003 |
henning |
when printing queues at load time that have bandwidth specified in percent, print the bandwidth in percent instead of the calculated absolute value. if a queue belongs to more than one interface and they have different bandwidth the calculated absolute is of course different per interface. previously the first calculated absolute value was shown; what of course is incorrect on the second interface. note that only the print was wrong, the correct values were passed to the kernel.
ok theo daniel
|
#
1.10 |
|
11-Feb-2003 |
henning |
allow macro definition on the command line: pfctl -Dextif=wi0 -f /etc/pf.conf command line macro definitions override the ones made in the file (idea theo), very handy if your notebook has another NIC at some conference, as well as for debugging etc. idea rezine@mistrusted.net via pb@ hacked live at FOSDEM
ok pb@ dhartmei@ cedric@
|
#
1.9 |
|
24-Jan-2003 |
henning |
let pfctl -vvsq loop and display measured bandwidth and packets/s per queue. cbq only for now.
|
#
1.8 |
|
24-Jan-2003 |
henning |
export rate2str
|
#
1.7 |
|
20-Jan-2003 |
camield |
no named parameters in prototypes
ok dhartmei cedric henning
|
#
1.6 |
|
20-Jan-2003 |
cedric |
Improve pfctl -vvs{r,n} output with rule containing tables. Shows the number of entries in the table or if the table is not active. ok dhartmei@, no objections.
|
#
1.5 |
|
09-Jan-2003 |
henning |
first attack at pfctl queue statistics, to be displayed with pfctl -vsq
This commit is dedicated to the cute KLM girls who made part of this possible by giving me a seat on the plane where you actually have enough room to hack. Thanks, girls.
ok markus@ dhartmei@
|
#
1.4 |
|
09-Jan-2003 |
cedric |
Add support for active/inactive tablesets in the kernel. Add table definition/initialisation construct in pfctl parser. Add and fix documentation for pf.4 and pf.conf.5. Tested on i386 and sparc64 by myself, macppc by Daniel. ok dhartmei@
|
#
1.3 |
|
07-Jan-2003 |
dhartmei |
Remove table name hashing (pass the name in each ioctl instead), and introduce reference counting for tables; they are now automatically created and deleted through referencing rules. Diff partly from cedric@. ok mcbride@, henning@, cedric@
|
#
1.2 |
|
04-Jan-2003 |
henning |
minor style
|
#
1.1 |
|
04-Jan-2003 |
deraadt |
I do not know where this policy of "one .h file for every .c file" comes from, but whoever thought of it is stupid.
|
#
1.59 |
|
02-Jan-2019 |
kn |
Error out on missing table command, zap internal wrapper function
Table name and table command require each other as reflected in the synopsis [-t table -T command [address ...]], so print usage and exit if only one of them is given.
By moving the inter-dependence check right after option parsing is done, we can bail out even before opening pf(4) and drop the internal wrapper pfctl_command_tables() as unneeded indirection with now duplicate checks.
OK sashan
|
#
1.58 |
|
02-Jan-2019 |
kn |
Zap unused segment struct definition
There since import and last used by ALTQ which henning removed in 2004.
OK sashan
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.57 |
|
06-Sep-2018 |
kn |
Remove unused af argument from unmask()
This has been unused for years.
While here, zap the duplicate function signature from pfctl.h (already present in pfctl_parser.h); spotted by sashan, thanks.
OK sashan
|
#
1.56 |
|
24-Jul-2018 |
kn |
Move duplicate code into new helper print_addr_str()
This simply puts the wiggle around inet_ntop() from four into one location.
OK benno
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.55 |
|
11-Aug-2017 |
benno |
add option -N (no domain resolution) manpage wording and reminder about usage() jmc@ ok florian@ henning@
|
#
1.54 |
|
15-Jul-2017 |
awolk |
sbin/pfctl: void functions and exit(3) on error
Changes: voided: - pfctl_clear_tables - pfctl_show_tables - pfctl_show_ifaces
Those functions now exit(3) in case of error instead of passing it up to the callers (where it was ignored).
OK mikeb@, sashan@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE OPENBSD_6_1_BASE
|
#
1.53 |
|
19-Jan-2015 |
deraadt |
DEFAULT_PRIORITY and DEFAULT_QLIMIT no longer used
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.52 |
|
19-Apr-2014 |
henning |
remove altq bits here, too (i was convinced i committed that yesterday already, hrm)
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.51 |
|
12-Oct-2013 |
henning |
config bits for the bandwidth shaping part of the new queueing subsystem syntax worked out with many in ljubljana using a whiteboard, testing & looking over by many, ok phessler sthen
|
Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.50 |
|
08-Jul-2012 |
lteo |
New attempt to make the -P flag work with -ss, so that states can be printed with port names if desired.
tcpdump's pf_print_state.c has diverged significantly from pfctl's, so the change to tcpdump's pf_print_state.c is not exactly the same as pfctl's.
ok henning sthen
|
#
1.49 |
|
01-Jun-2012 |
jsg |
revert previous, breaks tcpdump spotted by jmc@
|
#
1.48 |
|
01-Jun-2012 |
lteo |
Make the -P flag work with -ss, so that states can be printed with port names if desired.
ok henning
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.47 |
|
27-Jul-2011 |
mcbride |
Add support for weighted round-robin in load balancing pools and tables. Diff from zinke@ with a some minor cleanup. ok henning claudio deraadt
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.46 |
|
12-Nov-2010 |
claudio |
The ioctl to show states returns a pfsync_state which is in network byte order and therefore a ntohs is needed to show the rdomain correctly. OK henning@ dlg@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.45 |
|
23-Mar-2010 |
henning |
remove -A, -O, -R and -T load the partial loading of a ruleset (leaving ancors aside) is wrong and conflicts with the general idea of how pf works. last not least it breaks with the optimizer generating tables automagically. ok deraadt sthen krw manpage jmc
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.44 |
|
03-Nov-2009 |
claudio |
rtables are stacked on rdomains (it is possible to have multiple routing tables on top of a rdomain) but until now our code was a crazy mix so that it was impossible to correctly use rtables in that case. Additionally pf(4) only knows about rtables and not about rdomains. This is especially bad when tracking (possibly conflicting) states in various domains. This diff fixes all or most of these issues. It adds a lookup function to get the rdomain id based on a rtable id. Makes pf understand rdomains and allows pf to move packets between rdomains (it is similar to NAT). Because pf states now track the rdomain id as well it is necessary to modify the pfsync wire format. So old and new systems will not sync up. A lot of help by dlg@, tested by sthen@, jsg@ and probably more OK dlg@, mpf@, deraadt@
|
Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.43 |
|
29-May-2008 |
mcbride |
Second half of PF state table rearrangement. - Mechanical change: Use arrays for state key pointers in pf_state, and addr/port in pf_state_key, to allow the use of indexes. - Fix NAT, pfsync, pfctl, and tcpdump to handle the new state structures. In struct pfsync_state, both state keys are included even when identical. - Also fix some bugs discovered in the existing code during testing. (in particular, "block return" for TCP packets was not returning an RST)
ok henning beck deraadt tested by otto dlg beck laurent
Special thanks to users Manuel Pata and Emilio Perea who did enough testing to actually find some bugs.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.42 |
|
05-Dec-2007 |
chl |
remove unused functions
from tobias@
ok mcbride@ tobias@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.41 |
|
31-May-2007 |
mcbride |
Cope with new ioctl interface (use pfsync_state instead of pf_state)
ok henning@ toby@ pyr@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.40 |
|
09-Feb-2007 |
henning |
use DIOCGETRULE ioctl & action set to PF_GET_CLR_CNTR to clear counters with -z instead of DIOCCLRRULECTRS. Unbreaks -z with anchors and makes the read & reset operation atomic. innstrument pfctl_show_rules() to clear counters while reading rules and add a new output format for it, showing nothing, if only resetting counters without actually displaying them is requested. minor cleanups on the way. ok dhartmei & agreement from theo and ryan
|
Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
|
#
1.39 |
|
28-Jan-2006 |
henning |
zap unused function From: Andrey Matveev <evol@online.ptt.ru>
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.38 |
|
21-May-2005 |
henning |
clean up and rework the interface absraction code big time, rip out multiple useless layers of indirection and make the code way cleaner overall. this is just the start, more to come... worked very hard on by Ryan and me in Montreal last week, on the airplane to vancouver and yesterday here in calgary. it hurt. ok ryan theo
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.37 |
|
05-Jan-2005 |
mcbride |
Modify pfctl behaviour so that 'set ...' options are no longer "sticky", ie. they are reset to default values if omitted from a subsequent ruleset load. Also: - make sure 'set ...' options are not loaded in anchors. - add a -m ("merge") flag to pfctl which allows an individual option to be set without reseting the others, eg: # echo "set loginterface fxp0" | pfctl -mf -
ok henning@ dhartmei@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.36 |
|
14-Jun-2004 |
cedric |
Remove unused functions. ok beck@ henning@
|
#
1.35 |
|
19-May-2004 |
dhartmei |
Allow recursive anchors (anchors within anchors, up to 64 levels deep). More work required, but this is already functional. authpf users will need to adjust their anchor calls, but this will change again soon. ok beck@, cedric@, henning@, mcbride@
|
#
1.34 |
|
09-Apr-2004 |
cedric |
Do not try to load directories. found+ok mpech@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.33 |
|
19-Feb-2004 |
cedric |
Makes pfctl -ss and pfctl -sq use optional -i argument. ok dhartmei@ markus@ mcbride@
|
#
1.32 |
|
17-Feb-2004 |
cedric |
add -i flag, use it for -sI as a start. ok henning@, ok+test mcbride@
|
#
1.31 |
|
10-Feb-2004 |
dhartmei |
KNF
|
#
1.30 |
|
29-Jan-2004 |
mcbride |
Clean up 'pfctl -s all' output.
ok deraadt@ henning@
|
#
1.29 |
|
31-Dec-2003 |
cedric |
Many improvements to the handling of interfaces in PF.
1) PF should do the right thing when unplugging/replugging or cloning/ destroying NICs.
2) Rules can be loaded in the kernel for not-yet-existing devices (USB, PCMCIA, Cardbus). For example, it is valid to write: "pass in on kue0" before kue USB is plugged in.
3) It is possible to write rules that apply to group of interfaces (drivers), like "pass in on ppp all"
4) There is a new ":peer" modifier that completes the ":broadcast" and ":network" modifiers.
5) There is a new ":0" modifier that will filter out interface aliases. Can also be applied to DNS names to restore original PF behaviour.
6) The dynamic interface syntax (foo) has been vastly improved, and now support multiple addresses, v4 and v6 addresses, and all userland modifiers, like "pass in from (fxp0:network)"
7) Scrub rules now support the !if syntax.
8) States can be bound to the specific interface that created them or to a group of interfaces for example:
- pass all keep state (if-bound) - pass all keep state (group-bound) - pass all keep state (floating)
9) The default value when only keep state is given can be selected by using the "set state-policy" statement.
10) "pfctl -ss" will now print the interface scope of the state.
This diff change the pf_state structure slighltly, so you should recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)
Tested on i386, sparc, sparc64 by Ryan Tested on macppc, sparc64 by Daniel
ok deraadt@ mcbride@
|
#
1.28 |
|
06-Nov-2003 |
henning |
KNF
|
#
1.27 |
|
08-Oct-2003 |
henning |
fix cedric's breakage: int is not the same as u_long caused an integer overflow on our 64 bit archs and thus made pf not working there
ok mcbride@ marc@ millert@ cedric@
|
#
1.26 |
|
26-Sep-2003 |
cedric |
Rearchitecture of the userland/kernel IOCTL interface for transactions. This brings us close to 100% atomicity for a "pfctl -f pf.conf" command. (some splxxx work remain in the kernel). Basically, improvements are:
- Anchors/Rulesets cannot disappear unexpectedly anymore. - No more leftover in the kernel if "pfctl -f" fail. - Commit is now done in a single atomic IOCTL.
WARNING: The kernel code is fully backward compatible, but the new pfctl/authpf userland utilities will only run on a new kernel.
The following ioctls are deprecated (i.e. will be deleted sooner or later, depending on how many 3rd party utilities use them and how soon they can be upgraded):
- DIOCBEGINRULES - DIOCCOMMITRULES - DIOCBEGINALTQS - DIOCCOMMITALTQS - DIOCRINABEGIN - DIOCRINADEFINE
They are replaced by the following ioctls (yes, PF(4) will follow) which operate on a vector of rulesets:
- DIOCXBEGIN - DIOCXCOMMIT - DIOCXROLLBACK
Ok dhartmei@ mcbride@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.25 |
|
29-Aug-2003 |
cedric |
Document interactions between tables and anchors. Add a warning on global/anchor name clashes to help prevent mistakes from our users during the 3.3 -> 3.4 switch. ok henning@
|
#
1.24 |
|
31-Jul-2003 |
cedric |
Make table tickets per-ruleset instead of global. Make table tickets u_int32_t for consistency with other parts of PF. Ok dhartmei@ henning@
|
#
1.23 |
|
04-Jul-2003 |
henning |
KNF after cedric (grmpf)
|
#
1.22 |
|
03-Jul-2003 |
cedric |
This patch finally cleanup pfctl_table.c. No more global buffer, and a couple of parsing functions moved to parse.y or pfctl_parser where they belong.
I also took the opportunity to replace "void" functions with exit(1) or err() inside by "int" functions, with the caller checking the return value for errors (much cleaner and an old request from Theo)
ok dhartmei@ henning@
|
#
1.21 |
|
30-Jun-2003 |
cedric |
Buffer management functions. ok dhartmei@
|
#
1.20 |
|
27-Jun-2003 |
cedric |
Reorg part I: move 3 functions out of pf_table.c to pf_radix.c ok dhartmei@
|
#
1.19 |
|
08-Jun-2003 |
cedric |
A table in an anchor creates a real anchor: pfctl -sA works. The following two pfctl functions work with an "-a" option: - pfctl [-a foo[:bar]] -sT - pfctl [-a foo[:bar]] -FT ok dhartmei@
|
#
1.18 |
|
30-Apr-2003 |
cedric |
Allow tables to be loaded into anchors. Most pfctl table commands (excluding 'show' and 'flush') support the "-a" modifier. ok dhartmei@
|
#
1.17 |
|
14-Apr-2003 |
henning |
let print_altq and print_queue take a struct node_queue_bw parameter instead of dintinct bw_percent
|
#
1.16 |
|
11-Apr-2003 |
henning |
qname_to_qid and qname_to_pfaltq can be private functions now; nothing outside pfctl_altq.c uses them any more, nor should.
|
#
1.15 |
|
11-Apr-2003 |
henning |
kill dead code. qid_to_qname is not used anywhere. moreover, I cannot think of any legitimate use; misuse is easy tho.
|
#
1.14 |
|
05-Apr-2003 |
henning |
allow queue specs to be limited to certain interfaces.
altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two } queue one priority 1 priq(default) queue two on $if0 priority 15 queue two on ! $if0 priority 0
ok dhartmei@
|
#
1.13 |
|
27-Mar-2003 |
henning |
lotsa const char * from David Hill <david at phobia.ms> a while ago
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.12 |
|
06-Mar-2003 |
henning |
fix queue assignment on filter rules which are not bound to an interface. when looking up the queue IDs using qname_to_qid, we do not need to limit the matching on the interface in question, as it is guaranteed that same named queues on different interfaces habe the same queue id. moreover, we must not limit the matches to the interface if we do not have an interface given on the filter rule to match on ;-)
found after problems reported by Andre Nathan <andre at v2r dot com dot br>
ok dhartmei@ pb@ cedric@
|
#
1.11 |
|
02-Mar-2003 |
henning |
when printing queues at load time that have bandwidth specified in percent, print the bandwidth in percent instead of the calculated absolute value. if a queue belongs to more than one interface and they have different bandwidth the calculated absolute is of course different per interface. previously the first calculated absolute value was shown; what of course is incorrect on the second interface. note that only the print was wrong, the correct values were passed to the kernel.
ok theo daniel
|
#
1.10 |
|
11-Feb-2003 |
henning |
allow macro definition on the command line: pfctl -Dextif=wi0 -f /etc/pf.conf command line macro definitions override the ones made in the file (idea theo), very handy if your notebook has another NIC at some conference, as well as for debugging etc. idea rezine@mistrusted.net via pb@ hacked live at FOSDEM
ok pb@ dhartmei@ cedric@
|
#
1.9 |
|
24-Jan-2003 |
henning |
let pfctl -vvsq loop and display measured bandwidth and packets/s per queue. cbq only for now.
|
#
1.8 |
|
24-Jan-2003 |
henning |
export rate2str
|
#
1.7 |
|
20-Jan-2003 |
camield |
no named parameters in prototypes
ok dhartmei cedric henning
|
#
1.6 |
|
20-Jan-2003 |
cedric |
Improve pfctl -vvs{r,n} output with rule containing tables. Shows the number of entries in the table or if the table is not active. ok dhartmei@, no objections.
|
#
1.5 |
|
09-Jan-2003 |
henning |
first attack at pfctl queue statistics, to be displayed with pfctl -vsq
This commit is dedicated to the cute KLM girls who made part of this possible with giving me a seat in the plane where you actually have enough place to hack. Thanks, girls.
ok markus@ dhartmei@
|
#
1.4 |
|
09-Jan-2003 |
cedric |
Add support for active/inactive tablesets in the kernel. Add table definition/initialisation construct in pfctl parser. Add and fix documentation for pf.4 and pf.conf.5. Tested on i386 and sparc64 by myself, macppc by Daniel. ok dhartmei@
|
#
1.3 |
|
07-Jan-2003 |
dhartmei |
Remove table name hashing (pass the name in each ioctl instead), and introduce reference counting for tables, they are now automatically created and deleted through referencing rules. Diff partly from cedric@. ok mcbride@, henning@, cedric@
|
#
1.2 |
|
04-Jan-2003 |
henning |
minor style
|
#
1.1 |
|
04-Jan-2003 |
deraadt |
I do not know where this policy of "one .h file for every .c file" comes from, but whoever thought of it is stupid.
|
#
1.57 |
|
06-Sep-2018 |
kn |
Remove unused af argument from unmask()
This has been unused for years.
While here, zap the duplicate function signature from pfctl.h (already present in pfctl_parser.h); spotted by sashan, thanks.
OK sashan
|
#
1.56 |
|
24-Jul-2018 |
kn |
Move duplicate code into new helper print_addr_str()
This simply puts the wiggle around inet_ntop() from four into one location.
OK benno
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.55 |
|
11-Aug-2017 |
benno |
add option -N (no domain resolution) manpage wording and reminder about usage() jmc@ ok florian@ henning@
|
#
1.54 |
|
15-Jul-2017 |
awolk |
sbin/pfctl: void functions and exit(3) on error
Changes: voided: - pfctl_clear_tables - pfctl_show_tables - pfctl_show_ifaces
Those functions now exit(3) in case of error instead of passing it up to the callers (where it was ignored).
OK mikeb@, sashan@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE OPENBSD_6_1_BASE
|
#
1.53 |
|
19-Jan-2015 |
deraadt |
DEFAULT_PRIORITY and DEFAULT_QLIMIT no longer used
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.52 |
|
19-Apr-2014 |
henning |
remove altq bits here, too (i was convinced i committed that yesterday already, hrm)
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.51 |
|
12-Oct-2013 |
henning |
config bits for the bandwidth shaping part of the new queueing subsystem syntax worked out with many in ljubljana using a whiteboard, testing & looking over by many, ok phessler sthen
|
Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.50 |
|
08-Jul-2012 |
lteo |
New attempt to make the -P flag work with -ss, so that states can be printed with port names if desired.
tcpdump's pf_print_state.c has diverged significantly from pfctl's, so the change to tcpdump's pf_print_state.c is not exactly the same as pfctl's.
ok henning sthen
|
#
1.49 |
|
01-Jun-2012 |
jsg |
revert previous, breaks tcpdump spotted by jmc@
|
#
1.48 |
|
01-Jun-2012 |
lteo |
Make the -P flag work with -ss, so that states can be printed with port names if desired.
ok henning
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.47 |
|
27-Jul-2011 |
mcbride |
Add support for weighted round-robin in load balancing pools and tables. Diff from zinke@ with a some minor cleanup. ok henning claudio deraadt
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.46 |
|
12-Nov-2010 |
claudio |
The ioctl to show states returns a pfsync_state which is in network byte order and therefore a ntohs is needed to show the rdomain correctly. OK henning@ dlg@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.45 |
|
23-Mar-2010 |
henning |
remove -A, -O, -R and -T load the partial loading of a ruleset (leaving ancors aside) is wrong and conflicts with the general idea of how pf works. last not least it breaks with the optimizer generating tables automagically. ok deraadt sthen krw manpage jmc
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.44 |
|
03-Nov-2009 |
claudio |
rtables are stacked on rdomains (it is possible to have multiple routing tables on top of a rdomain) but until now our code was a crazy mix so that it was impossible to correctly use rtables in that case. Additionally pf(4) only knows about rtables and not about rdomains. This is especially bad when tracking (possibly conflicting) states in various domains. This diff fixes all or most of these issues. It adds a lookup function to get the rdomain id based on a rtable id. Makes pf understand rdomains and allows pf to move packets between rdomains (it is similar to NAT). Because pf states now track the rdomain id as well it is necessary to modify the pfsync wire format. So old and new systems will not sync up. A lot of help by dlg@, tested by sthen@, jsg@ and probably more OK dlg@, mpf@, deraadt@
|
Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.43 |
|
29-May-2008 |
mcbride |
Second half of PF state table rearrangement. - Mechanical change: Use arrays for state key pointers in pf_state, and addr/port in pf_state_key, to allow the use of indexes. - Fix NAT, pfsync, pfctl, and tcpdump to handle the new state structures. In struct pfsync_state, both state keys are included even when identical. - Also fix some bugs discovered in the existing code during testing. (in particular, "block return" for TCP packets was not returning an RST)
ok henning beck deraadt tested by otto dlg beck laurent
Special thanks to users Manuel Pata and Emilio Perea who did enough testing to actually find some bugs.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.42 |
|
05-Dec-2007 |
chl |
remove unused functions
from tobias@
ok mcbride@ tobias@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.41 |
|
31-May-2007 |
mcbride |
Cope with new ioctl interface (use pfsync_state instead of pf_state)
ok henning@ toby@ pyr@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.40 |
|
09-Feb-2007 |
henning |
use DIOCGETRULE ioctl & action set to PF_GET_CLR_CNTR to clear counters with -z instead of DIOCCLRRULECTRS. Unbreaks -z with anchors and makes the read & reset operation atomic. innstrument pfctl_show_rules() to clear counters while reading rules and add a new output format for it, showing nothing, if only resetting counters without actually displaying them is requested. minor cleanups on the way. ok dhartmei & agreement from theo and ryan
|
Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
|
#
1.39 |
|
28-Jan-2006 |
henning |
zap unused function From: Andrey Matveev <evol@online.ptt.ru>
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.38 |
|
21-May-2005 |
henning |
clean up and rework the interface absraction code big time, rip out multiple useless layers of indirection and make the code way cleaner overall. this is just the start, more to come... worked very hard on by Ryan and me in Montreal last week, on the airplane to vancouver and yesterday here in calgary. it hurt. ok ryan theo
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.37 |
|
05-Jan-2005 |
mcbride |
Modify pfctl behaviour so that 'set ...' options are no longer "sticky", ie. they are reset to default values if omitted from a subsequent ruleset load. Also: - make sure 'set ...' options are not loaded in anchors. - add a -m ("merge") flag to pfctl which allows an individual option to be set without reseting the others, eg: # echo "set loginterface fxp0" | pfctl -mf -
ok henning@ dhartmei@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.36 |
|
14-Jun-2004 |
cedric |
Remove unused functions. ok beck@ henning@
|
#
1.35 |
|
19-May-2004 |
dhartmei |
Allow recursive anchors (anchors within anchors, up to 64 levels deep). More work required, but this is already functional. authpf users will need to adjust their anchor calls, but this will change again soon. ok beck@, cedric@, henning@, mcbride@
|
#
1.34 |
|
09-Apr-2004 |
cedric |
Do not try to load directories. found+ok mpech@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.33 |
|
19-Feb-2004 |
cedric |
Makes pfctl -ss and pfctl -sq use optional -i argument. ok dhartmei@ markus@ mcbride@
|
#
1.32 |
|
17-Feb-2004 |
cedric |
add -i flag, use it for -sI as a start. ok henning@, ok+test mcbride@
|
#
1.31 |
|
10-Feb-2004 |
dhartmei |
KNF
|
#
1.30 |
|
29-Jan-2004 |
mcbride |
Clean up 'pfctl -s all' output.
ok deraadt@ henning@
|
#
1.29 |
|
31-Dec-2003 |
cedric |
Many improvements to the handling of interfaces in PF.
1) PF should do the right thing when unplugging/replugging or cloning/ destroying NICs.
2) Rules can be loaded in the kernel for not-yet-existing devices (USB, PCMCIA, Cardbus). For example, it is valid to write: "pass in on kue0" before kue USB is plugged in.
3) It is possible to write rules that apply to group of interfaces (drivers), like "pass in on ppp all"
4) There is a new ":peer" modifier that completes the ":broadcast" and ":network" modifiers.
5) There is a new ":0" modifier that will filter out interface aliases. Can also be applied to DNS names to restore original PF behaviour.
6) The dynamic interface syntax (foo) has been vastly improved, and now support multiple addresses, v4 and v6 addresses, and all userland modifiers, like "pass in from (fxp0:network)"
7) Scrub rules now support the !if syntax.
8) States can be bound to the specific interface that created them or to a group of interfaces for example:
- pass all keep state (if-bound) - pass all keep state (group-bound) - pass all keep state (floating)
9) The default value when only keep state is given can be selected by using the "set state-policy" statement.
10) "pfctl -ss" will now print the interface scope of the state.
This diff change the pf_state structure slighltly, so you should recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)
Tested on i386, sparc, sparc64 by Ryan Tested on macppc, sparc64 by Daniel
ok deraadt@ mcbride@
|
#
1.28 |
|
06-Nov-2003 |
henning |
KNF
|
#
1.27 |
|
08-Oct-2003 |
henning |
fix cedric's breakage: int is not the same as u_long caused an integer overflow on our 64 bit archs and thus made pf not working there
ok mcbride@ marc@ millert@ cedric@
|
#
1.26 |
|
26-Sep-2003 |
cedric |
Rearchitecture of the userland/kernel IOCTL interface for transactions. This brings us close to 100% atomicity for a "pfctl -f pf.conf" command. (some splxxx work remain in the kernel). Basically, improvements are:
- Anchors/Rulesets cannot disappear unexpectedly anymore. - No more leftover in the kernel if "pfctl -f" fail. - Commit is now done in a single atomic IOCTL.
WARNING: The kernel code is fully backward compatible, but the new pfctl/authpf userland utilities will only run on a new kernel.
The following ioctls are deprecated (i.e. will be deleted sooner or later, depending on how many 3rd party utilities use them and how soon they can be upgraded):
- DIOCBEGINRULES - DIOCCOMMITRULES - DIOCBEGINALTQS - DIOCCOMMITALTQS - DIOCRINABEGIN - DIOCRINADEFINE
They are replaced by the following ioctls (yes, PF(4) will follow) which operate on a vector of rulesets:
- DIOCXBEGIN - DIOCXCOMMIT - DIOCXROLLBACK
Ok dhartmei@ mcbride@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.25 |
|
29-Aug-2003 |
cedric |
Document interactions between tables and anchors. Add a warning on global/anchor name clashes to help prevent mistakes from our users during the 3.3 -> 3.4 switch. ok henning@
|
#
1.24 |
|
31-Jul-2003 |
cedric |
Make table tickets per-ruleset instead of global. Make table tickets u_int32_t for consistency with other parts of PF. Ok dhartmei@ henning@
|
#
1.23 |
|
04-Jul-2003 |
henning |
KNF after cedric (grmpf)
|
#
1.22 |
|
03-Jul-2003 |
cedric |
This patch finally cleanup pfctl_table.c. No more global buffer, and a couple of parsing functions moved to parse.y or pfctl_parser where they belong.
I also took the opportunity to replace "void" functions with exit(1) or err() inside by "int" functions, with the caller checking the return value for errors (much cleaner and an old request from Theo)
ok dhartmei@ henning@
|
#
1.21 |
|
30-Jun-2003 |
cedric |
Buffer management functions. ok dhartmei@
|
#
1.20 |
|
27-Jun-2003 |
cedric |
Reorg part I: move 3 functions out of pf_table.c to pf_radix.c ok dhartmei@
|
#
1.19 |
|
08-Jun-2003 |
cedric |
A table in an anchor creates a real anchor: pfctl -sA works. The following two pfctl functions work with an "-a" option: - pfctl [-a foo[:bar]] -sT - pfctl [-a foo[:bar]] -FT ok dhartmei@
|
#
1.18 |
|
30-Apr-2003 |
cedric |
Allow tables to be loaded into anchors. Most pfctl table commands (excluding 'show' and 'flush') support the "-a" modifier. ok dhartmei@
|
#
1.17 |
|
14-Apr-2003 |
henning |
let print_altq and print_queue take a struct node_queue_bw parameter instead of dintinct bw_percent
|
#
1.16 |
|
11-Apr-2003 |
henning |
qname_to_qid and qname_to_pfaltq can be private functions now; nothing outside pfctl_altq.c uses them any more, nor should.
|
#
1.15 |
|
11-Apr-2003 |
henning |
kill dead code. qid_to_qname is not used anywhere. moreover, I cannot think of any legitimate use; misuse is easy tho.
|
#
1.14 |
|
05-Apr-2003 |
henning |
allow queue specs to be limited to certain interfaces.
altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two } queue one priority 1 priq(default) queue two on $if0 priority 15 queue two on ! $if0 priority 0
ok dhartmei@
|
#
1.13 |
|
27-Mar-2003 |
henning |
lotsa const char * from David Hill <david at phobia.ms> a while ago
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.12 |
|
06-Mar-2003 |
henning |
fix queue assignment on filter rules which are not bound to an interface. when looking up the queue IDs using qname_to_qid, we do not need to limit the matching on the interface in question, as it is guaranteed that same named queues on different interfaces habe the same queue id. moreover, we must not limit the matches to the interface if we do not have an interface given on the filter rule to match on ;-)
found after problems reported by Andre Nathan <andre at v2r dot com dot br>
ok dhartmei@ pb@ cedric@
|
#
1.11 |
|
02-Mar-2003 |
henning |
when printing queues at load time that have bandwidth specified in percent, print the bandwidth in percent instead of the calculated absolute value. if a queue belongs to more than one interface and they have different bandwidth the calculated absolute is of course different per interface. previously the first calculated absolute value was shown; what of course is incorrect on the second interface. note that only the print was wrong, the correct values were passed to the kernel.
ok theo daniel
|
#
1.10 |
|
11-Feb-2003 |
henning |
allow macro definition on the command line: pfctl -Dextif=wi0 -f /etc/pf.conf command line macro definitions override the ones made in the file (idea theo), very handy if your notebook has another NIC at some conference, as well as for debugging etc. idea rezine@mistrusted.net via pb@ hacked live at FOSDEM
ok pb@ dhartmei@ cedric@
|
#
1.9 |
|
24-Jan-2003 |
henning |
let pfctl -vvsq loop and display measured bandwidth and packets/s per queue. cbq only for now.
|
#
1.8 |
|
24-Jan-2003 |
henning |
export rate2str
|
#
1.7 |
|
20-Jan-2003 |
camield |
no named parameters in prototypes
ok dhartmei cedric henning
|
#
1.6 |
|
20-Jan-2003 |
cedric |
Improve pfctl -vvs{r,n} output with rule containing tables. Shows the number of entries in the table or if the table is not active. ok dhartmei@, no objections.
|
#
1.5 |
|
09-Jan-2003 |
henning |
first attack at pfctl queue statistics, to be displayed with pfctl -vsq
This commit is dedicated to the cute KLM girls who made part of this possible with giving me a seat in the plane where you actually have enough place to hack. Thanks, girls.
ok markus@ dhartmei@
|
#
1.4 |
|
09-Jan-2003 |
cedric |
Add support for active/inactive tablesets in the kernel. Add table definition/initialisation construct in pfctl parser. Add and fix documentation for pf.4 and pf.conf.5. Tested on i386 and sparc64 by myself, macppc by Daniel. ok dhartmei@
|
#
1.3 |
|
07-Jan-2003 |
dhartmei |
Remove table name hashing (pass the name in each ioctl instead), and introduce reference counting for tables; they are now automatically created and deleted through referencing rules. Diff partly from cedric@. ok mcbride@, henning@, cedric@
|
#
1.2 |
|
04-Jan-2003 |
henning |
minor style
|
#
1.1 |
|
04-Jan-2003 |
deraadt |
I do not know where this policy of "one .h file for every .c file" comes from, but whoever thought of it is stupid.
|
#
1.56 |
|
24-Jul-2018 |
kn |
Move duplicate code into new helper print_addr_str()
This simply puts the wiggle around inet_ntop() from four into one location.
OK benno
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.55 |
|
11-Aug-2017 |
benno |
add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@
|
#
1.54 |
|
15-Jul-2017 |
awolk |
sbin/pfctl: void functions and exit(3) on error
Changes: voided:
- pfctl_clear_tables
- pfctl_show_tables
- pfctl_show_ifaces
Those functions now exit(3) in case of error instead of passing it up to the callers (where it was ignored).
OK mikeb@, sashan@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE OPENBSD_6_1_BASE
|
#
1.53 |
|
19-Jan-2015 |
deraadt |
DEFAULT_PRIORITY and DEFAULT_QLIMIT no longer used
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.52 |
|
19-Apr-2014 |
henning |
remove altq bits here, too (i was convinced i committed that yesterday already, hrm)
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.51 |
|
12-Oct-2013 |
henning |
config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing & looking over by many,
ok phessler sthen
|
Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.50 |
|
08-Jul-2012 |
lteo |
New attempt to make the -P flag work with -ss, so that states can be printed with port names if desired.
tcpdump's pf_print_state.c has diverged significantly from pfctl's, so the change to tcpdump's pf_print_state.c is not exactly the same as pfctl's.
ok henning sthen
|
#
1.49 |
|
01-Jun-2012 |
jsg |
revert previous, breaks tcpdump spotted by jmc@
|
#
1.48 |
|
01-Jun-2012 |
lteo |
Make the -P flag work with -ss, so that states can be printed with port names if desired.
ok henning
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.47 |
|
27-Jul-2011 |
mcbride |
Add support for weighted round-robin in load balancing pools and tables. Diff from zinke@ with some minor cleanup. ok henning claudio deraadt
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.46 |
|
12-Nov-2010 |
claudio |
The ioctl to show states returns a pfsync_state which is in network byte order and therefore a ntohs is needed to show the rdomain correctly. OK henning@ dlg@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.45 |
|
23-Mar-2010 |
henning |
remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving anchors aside) is wrong and conflicts with the general idea of how pf works. last but not least it breaks with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc
|
Revision tags: OPENBSD_4_7_BASE
|
#
1.44 |
|
03-Nov-2009 |
claudio |
rtables are stacked on rdomains (it is possible to have multiple routing tables on top of an rdomain) but until now our code was a crazy mix so that it was impossible to correctly use rtables in that case. Additionally pf(4) only knows about rtables and not about rdomains. This is especially bad when tracking (possibly conflicting) states in various domains. This diff fixes all or most of these issues. It adds a lookup function to get the rdomain id based on a rtable id. Makes pf understand rdomains and allows pf to move packets between rdomains (it is similar to NAT). Because pf states now track the rdomain id as well it is necessary to modify the pfsync wire format. So old and new systems will not sync up.
A lot of help by dlg@, tested by sthen@, jsg@ and probably more
OK dlg@, mpf@, deraadt@
|
Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
|
#
1.43 |
|
29-May-2008 |
mcbride |
Second half of PF state table rearrangement.
- Mechanical change: Use arrays for state key pointers in pf_state, and addr/port in pf_state_key, to allow the use of indexes.
- Fix NAT, pfsync, pfctl, and tcpdump to handle the new state structures. In struct pfsync_state, both state keys are included even when identical.
- Also fix some bugs discovered in the existing code during testing. (in particular, "block return" for TCP packets was not returning an RST)
ok henning beck deraadt tested by otto dlg beck laurent
Special thanks to users Manuel Pata and Emilio Perea who did enough testing to actually find some bugs.
|
Revision tags: OPENBSD_4_3_BASE
|
#
1.42 |
|
05-Dec-2007 |
chl |
remove unused functions
from tobias@
ok mcbride@ tobias@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.41 |
|
31-May-2007 |
mcbride |
Cope with new ioctl interface (use pfsync_state instead of pf_state)
ok henning@ toby@ pyr@
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.40 |
|
09-Feb-2007 |
henning |
use DIOCGETRULE ioctl & action set to PF_GET_CLR_CNTR to clear counters with -z instead of DIOCCLRRULECTRS. Unbreaks -z with anchors and makes the read & reset operation atomic. instrument pfctl_show_rules() to clear counters while reading rules and add a new output format for it, showing nothing, if only resetting counters without actually displaying them is requested. minor cleanups on the way.
ok dhartmei & agreement from theo and ryan
|
Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
|
#
1.39 |
|
28-Jan-2006 |
henning |
zap unused function From: Andrey Matveev <evol@online.ptt.ru>
|
Revision tags: OPENBSD_3_8_BASE
|
#
1.38 |
|
21-May-2005 |
henning |
clean up and rework the interface abstraction code big time, rip out multiple useless layers of indirection and make the code way cleaner overall. this is just the start, more to come... worked very hard on by Ryan and me in Montreal last week, on the airplane to vancouver and yesterday here in calgary. it hurt. ok ryan theo
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.37 |
|
05-Jan-2005 |
mcbride |
Modify pfctl behaviour so that 'set ...' options are no longer "sticky", i.e. they are reset to default values if omitted from a subsequent ruleset load. Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set without resetting the others, eg:
# echo "set loginterface fxp0" | pfctl -mf -
ok henning@ dhartmei@
|
Revision tags: OPENBSD_3_6_BASE
|
#
1.36 |
|
14-Jun-2004 |
cedric |
Remove unused functions. ok beck@ henning@
|
#
1.35 |
|
19-May-2004 |
dhartmei |
Allow recursive anchors (anchors within anchors, up to 64 levels deep). More work required, but this is already functional. authpf users will need to adjust their anchor calls, but this will change again soon. ok beck@, cedric@, henning@, mcbride@
|
#
1.34 |
|
09-Apr-2004 |
cedric |
Do not try to load directories. found+ok mpech@
|
Revision tags: OPENBSD_3_5_BASE
|
#
1.33 |
|
19-Feb-2004 |
cedric |
Makes pfctl -ss and pfctl -sq use optional -i argument. ok dhartmei@ markus@ mcbride@
|
#
1.32 |
|
17-Feb-2004 |
cedric |
add -i flag, use it for -sI as a start. ok henning@, ok+test mcbride@
|
#
1.31 |
|
10-Feb-2004 |
dhartmei |
KNF
|
#
1.30 |
|
29-Jan-2004 |
mcbride |
Clean up 'pfctl -s all' output.
ok deraadt@ henning@
|
#
1.29 |
|
31-Dec-2003 |
cedric |
Many improvements to the handling of interfaces in PF.
1) PF should do the right thing when unplugging/replugging or cloning/destroying NICs.
2) Rules can be loaded in the kernel for not-yet-existing devices (USB, PCMCIA, Cardbus). For example, it is valid to write: "pass in on kue0" before kue USB is plugged in.
3) It is possible to write rules that apply to a group of interfaces (drivers), like "pass in on ppp all"
4) There is a new ":peer" modifier that completes the ":broadcast" and ":network" modifiers.
5) There is a new ":0" modifier that will filter out interface aliases. Can also be applied to DNS names to restore original PF behaviour.
6) The dynamic interface syntax (foo) has been vastly improved, and now supports multiple addresses, v4 and v6 addresses, and all userland modifiers, like "pass in from (fxp0:network)"
7) Scrub rules now support the !if syntax.
8) States can be bound to the specific interface that created them or to a group of interfaces, for example:
- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)
9) The default value when only keep state is given can be selected by using the "set state-policy" statement.
10) "pfctl -ss" will now print the interface scope of the state.
This diff changes the pf_state structure slightly, so you should recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)
Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel
ok deraadt@ mcbride@
|
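The interface features listed in the entry above, put together into one ruleset as an added example (constructed for this page, not code from the OpenBSD tree or from this commit). The interface names fxp0, fxp1 and kue0, the ppp driver group, the addresses and the port are assumptions. The syntax is that of the 3.5-era pf this commit targets: later releases dropped group-bound and accept only if-bound and floating for the state policy, and keeping state became the default, so run the file through pfctl -nf on the release you actually use before loading it. The ext_if macro can also be overridden at load time with the -D form from revision 1.10, as in pfctl -D ext_if=wi0 -nf /etc/pf.conf.

```pf
# Added example, not from the OpenBSD tree: exercising the interface
# handling described in revision 1.29. Interface names, addresses and
# the port are assumptions.
ext_if = "fxp0"
int_if = "fxp1"

# Default scope for every rule below that says only "keep state".
# Later releases accept only if-bound or floating here.
set state-policy if-bound

# "!if" in a scrub rule: normalise everything not arriving on $ext_if
scrub in on ! $ext_if all

# kue0 need not exist when this is loaded; the rule takes effect once
# the USB device is plugged in.
pass in on kue0 all keep state

# A driver name matches every interface of that driver (ppp0, ppp1, ...);
# the state is shared by the whole group.
pass in on ppp all keep state (group-bound)

# Dynamic addresses: ($int_if:network) tracks the attached subnet even if
# the address is reassigned, ($ext_if:0) drops aliases so only the primary
# address of fxp0 is used.
pass in on $int_if from ($int_if:network) to any keep state
pass out on $ext_if from ($ext_if:0) to any keep state (floating)

# Per-rule scope overrides the set state-policy default.
block in on $ext_if all
pass in on $ext_if proto tcp from any to ($ext_if) port 22 keep state (if-bound)
```

The scope matters for more than bookkeeping: a floating state created by a packet seen on one interface also matches packets that arrive on any other interface, so a spoofed packet on fxp0 can ride a state that fxp1 created. Binding states to their interface (if-bound, here the default via set state-policy) makes pf consult the ruleset instead, which is the behaviour you usually want on a multi-homed filter.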
#
1.28 |
|
06-Nov-2003 |
henning |
KNF
|
#
1.27 |
|
08-Oct-2003 |
henning |
fix cedric's breakage: int is not the same as u_long; this caused an integer overflow on our 64 bit archs and thus made pf not work there
ok mcbride@ marc@ millert@ cedric@
|
#
1.26 |
|
26-Sep-2003 |
cedric |
Rearchitecture of the userland/kernel IOCTL interface for transactions. This brings us close to 100% atomicity for a "pfctl -f pf.conf" command. (some splxxx work remains in the kernel). Basically, improvements are:
- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.
WARNING: The kernel code is fully backward compatible, but the new pfctl/authpf userland utilities will only run on a new kernel.
The following ioctls are deprecated (i.e. will be deleted sooner or later, depending on how many 3rd party utilities use them and how soon they can be upgraded):
- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE
They are replaced by the following ioctls (yes, PF(4) will follow) which operate on a vector of rulesets:
- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK
Ok dhartmei@ mcbride@
|
Revision tags: OPENBSD_3_4_BASE
|
#
1.25 |
|
29-Aug-2003 |
cedric |
Document interactions between tables and anchors. Add a warning on global/anchor name clashes to help prevent mistakes from our users during the 3.3 -> 3.4 switch. ok henning@
|
#
1.24 |
|
31-Jul-2003 |
cedric |
Make table tickets per-ruleset instead of global. Make table tickets u_int32_t for consistency with other parts of PF. Ok dhartmei@ henning@
|
#
1.23 |
|
04-Jul-2003 |
henning |
KNF after cedric (grmpf)
|
#
1.22 |
|
03-Jul-2003 |
cedric |
This patch finally cleans up pfctl_table.c. No more global buffer, and a couple of parsing functions moved to parse.y or pfctl_parser where they belong.
I also took the opportunity to replace "void" functions with exit(1) or err() inside by "int" functions, with the caller checking the return value for errors (much cleaner and an old request from Theo)
ok dhartmei@ henning@
|
#
1.21 |
|
30-Jun-2003 |
cedric |
Buffer management functions. ok dhartmei@
|
#
1.20 |
|
27-Jun-2003 |
cedric |
Reorg part I: move 3 functions out of pf_table.c to pf_radix.c ok dhartmei@
|
#
1.19 |
|
08-Jun-2003 |
cedric |
A table in an anchor creates a real anchor: pfctl -sA works. The following two pfctl functions work with an "-a" option:
- pfctl [-a foo[:bar]] -sT
- pfctl [-a foo[:bar]] -FT
ok dhartmei@
|
#
1.18 |
|
30-Apr-2003 |
cedric |
Allow tables to be loaded into anchors. Most pfctl table commands (excluding 'show' and 'flush') support the "-a" modifier. ok dhartmei@
|
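Tables inside anchors, as an added pf.conf example covering the 1.18, 1.19 and 1.25 entries (constructed for this page, not code from the OpenBSD tree). The interface name, the anchor name "spam", the file path /etc/pf.spam.conf and the addresses are assumptions; the "foo:bar" notation in the 1.19 entry later became the "foo/bar" path of nested anchors (revision 1.35), so a plain anchor name is used here.

```pf
# Added example, not from the OpenBSD tree: a table in an anchor beside a
# global table of the same name. Names, path and addresses are assumptions.

# --- /etc/pf.conf (main ruleset), loaded with: pfctl -f /etc/pf.conf ---
ext_if = "fxp0"

# Global table; persist keeps it even while no rule references it.
table <blocked> persist { 192.0.2.0/24 }
block in quick on $ext_if from <blocked>

# Rules and tables for this anchor live in their own namespace.
anchor "spam"

# --- /etc/pf.spam.conf, loaded with: pfctl -a spam -f /etc/pf.spam.conf ---
# Same name as the global table: pfctl warns about the clash (1.25), because
# from now on rules in this anchor consult this table, not the global one.
# Without this definition, <blocked> inside the anchor would fall back to
# the global table.
table <blocked> persist { 198.51.100.0/24 }
block in quick from <blocked>

# Table commands that take the -a modifier (1.18, 1.19):
#   pfctl -a spam -sT                            tables defined in the anchor
#   pfctl -a spam -t blocked -T show             entries of the anchor's table
#   pfctl -a spam -t blocked -T add 203.0.113.9  change the anchor's table only
#   pfctl -t blocked -T show                     the global table is untouched
#   pfctl -a spam -FT                            flush the anchor's tables
```

Without -a every pfctl table command operates on the global namespace, so an operator who adds an address to <blocked> and then checks the anchor's rules can be looking at two different lists with one name. That is the mistake the name-clash warning exists to catch; renaming the anchor's table (or referencing the global one and defining nothing in the anchor) removes the ambiguity.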
#
1.17 |
|
14-Apr-2003 |
henning |
let print_altq and print_queue take a struct node_queue_bw parameter instead of distinct bw_percent
|
#
1.16 |
|
11-Apr-2003 |
henning |
qname_to_qid and qname_to_pfaltq can be private functions now; nothing outside pfctl_altq.c uses them any more, nor should.
|
#
1.15 |
|
11-Apr-2003 |
henning |
kill dead code. qid_to_qname is not used anywhere. moreover, I cannot think of any legitimate use; misuse is easy tho.
|
#
1.14 |
|
05-Apr-2003 |
henning |
allow queue specs to be limited to certain interfaces.
altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two }
queue one priority 1 priq(default)
queue two on $if0 priority 15
queue two on ! $if0 priority 0
ok dhartmei@
|
#
1.13 |
|
27-Mar-2003 |
henning |
lotsa const char * from David Hill <david at phobia.ms> a while ago
|
Revision tags: OPENBSD_3_3_BASE
|
#
1.12 |
|
06-Mar-2003 |
henning |
fix queue assignment on filter rules which are not bound to an interface. when looking up the queue IDs using qname_to_qid, we do not need to limit the matching on the interface in question, as it is guaranteed that same named queues on different interfaces have the same queue id. moreover, we must not limit the matches to the interface if we do not have an interface given on the filter rule to match on ;-)
found after problems reported by Andre Nathan <andre at v2r dot com dot br>
ok dhartmei@ pb@ cedric@
|
#
1.11 |
|
02-Mar-2003 |
henning |
when printing queues at load time that have bandwidth specified in percent, print the bandwidth in percent instead of the calculated absolute value. if a queue belongs to more than one interface and they have different bandwidth the calculated absolute is of course different per interface. previously the first calculated absolute value was shown, which of course is incorrect on the second interface. note that only the print was wrong, the correct values were passed to the kernel.
ok theo daniel
|
#
1.10 |
|
11-Feb-2003 |
henning |
allow macro definition on the command line:
pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea theo), very handy if your notebook has another NIC at some conference, as well as for debugging etc. idea rezine@mistrusted.net via pb@ hacked live at FOSDEM
ok pb@ dhartmei@ cedric@
|
#
1.9 |
|
24-Jan-2003 |
henning |
let pfctl -vvsq loop and display measured bandwidth and packets/s per queue. cbq only for now.
|
#
1.8 |
|
24-Jan-2003 |
henning |
export rate2str
|
#
1.7 |
|
20-Jan-2003 |
camield |
no named parameters in prototypes
ok dhartmei cedric henning
|
#
1.6 |
|
20-Jan-2003 |
cedric |
Improve pfctl -vvs{r,n} output with rules containing tables. Shows the number of entries in the table or if the table is not active. ok dhartmei@, no objections.
|
#
1.5 |
|
09-Jan-2003 |
henning |
first attack at pfctl queue statistics, to be displayed with pfctl -vsq
This commit is dedicated to the cute KLM girls who made part of this possible with giving me a seat in the plane where you actually have enough place to hack. Thanks, girls.
ok markus@ dhartmei@
|
#
1.4 |
|
09-Jan-2003 |
cedric |
Add support for active/inactive tablesets in the kernel. Add table definition/initialisation construct in pfctl parser. Add and fix documentation for pf.4 and pf.conf.5. Tested on i386 and sparc64 by myself, macppc by Daniel. ok dhartmei@
|
#
1.3 |
|
07-Jan-2003 |
dhartmei |
Remove table name hashing (pass the name in each ioctl instead), and introduce reference counting for tables; they are now automatically created and deleted through referencing rules. Diff partly from cedric@. ok mcbride@, henning@, cedric@
|
#
1.2 |
|
04-Jan-2003 |
henning |
minor style
|
#
1.1 |
|
04-Jan-2003 |
deraadt |
I do not know where this policy of "one .h file for every .c file" comes from, but whoever thought of it is stupid.
|