a7b9eedc | 09-May-2024 | florian <florian@openbsd.org>
ctime(3) and ctime_r(3) can fail when timestamps are way off. Add missing error checks to all calls under sbin/
Input kettenis, millert OK millert

3898e353 | 15-Jan-2024 | sashan <sashan@openbsd.org>
Currently 'pfctl -a "*" -sr' recursively walks anchor tree and shows rules found in every anchor. This commit introduces the same behavior for tables. Command 'pfctl -a "*" -sT' prints all tables attached to every anchor loaded to pf(4).
Inconsistency has been noticed by Klemens (kn@).
OK @bluhm, OK @kn

352b17dc | 26-Oct-2023 | deraadt <deraadt@openbsd.org>
whitespace cleanup my fingers couldn't avoid doing while i was re-reading the parsing code

edd74edc | 21-Nov-2022 | sashan <sashan@openbsd.org>
Fix DIOCIGETIFACES ioctl so all network interfaces and interface groups are reported. The bug allowed to enumerate the first 64 interfaces only.
The issue has been noticed and bug kindly reported by Olivier Croquin.
OK kn@

c802a0d9 | 15-Jan-2020 | kn <kn@openbsd.org>
Do the actual pfr_strerror() to pf_strerror() rename
Missed in previous

e13f0105 | 15-Jan-2020 | kn <kn@openbsd.org>
Merge radix_perror() into simpler warnx()/errx() usage
Less nesting for clearer code.
OK sashan

ae711728 | 15-Jan-2020 | sashan <sashan@openbsd.org>
Enable pfctl(8) to recursively flush rules and tables from PF driver. The recursive operation ("pfctl -a '*' ...") works for '-s' option already. This change enables the same thing for '-F' option, so "pfctl -a '*' -Fa" will flush everything from PF driver.
The idea was discussed with many on tech@ in spring 2019.
OK kn@

898866c2 | 18-Apr-2019 | kn <kn@openbsd.org>
Always check for namespace collisions on table commands
`-t table -T add|replace ...' would only check for duplicate tables in case addresses were actually to the table.
Instead of using a positive number of added addresses as proof for successful table operations, rely on the fact that CREATE_TABLE() is guaranteed to be called only if pf(4) can be accessed, that is warn_duplicate_tables() will return.
This improves duplicate detection rate as warnings are now also emitted even when table commands eventually leave tables unchanged.
OK benno sashan

0de3a0c9 | 11-Jan-2019 | kn <kn@openbsd.org>
When creating tables inside anchors, pfctl warned about namespace collisions with global tables, but only in certain cases and with limited information sometimes leaving users clueless.
Deferring the check to process_tabledefs() where tables are eventually created, both anchor and table name are known which allows for checking all existing anchors.
With this, warn on all duplicates even in dry-runs (`-n') and print quoted names so they can be copied to fix configurations right away.
No functional change in parsing or ruleset production.
Discussed with and OK sashan

97699edb | 02-Jan-2019 | kn <kn@openbsd.org>
Error out on missing table command, zap internal wrapper function
Table name and table command require each other as reflected in the synopsis [-t table -T command [address ...]], so print usage and exit if only one of them is given.
By moving the inter-dependence check right after option parsing is done, we can bail out even before opening pf(4) and drop the internal wrapper pfctl_command_tables() as unneeded indirection with now duplicate checks.
OK sashan

ab23e671 | 15-Oct-2018 | kn <kn@openbsd.org>
use PFR_RB_NONE consistently
Replace hardcoded 0 and implicit checks with enum as done in all other use cases of `pfra_fback'. No object change.
OK sashan

7c8726d4 | 11-Aug-2017 | benno <benno@openbsd.org>
add option -N (no domain resolution) manpage wording and reminder about usage() jmc@ ok florian@ henning@

c5e9690e | 15-Jul-2017 | awolk <awolk@openbsd.org>
sbin/pfctl: void functions and exit(3) on error
Changes: voided: - pfctl_clear_tables - pfctl_show_tables - pfctl_show_ifaces
Those functions now exit(3) in case of error instead of passing it up to the callers (where it was ignored).
OK mikeb@, sashan@

90abbc64 | 13-Apr-2017 | jsg <jsg@openbsd.org>
fix wrongly indented lines

8717211f | 20-Jan-2015 | deraadt <deraadt@openbsd.org>
Rewrite to void using union sockaddr_union ok mikeb

b9fc9a72 | 16-Jan-2015 | deraadt <deraadt@openbsd.org>
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)

401a01c8 | 05-Jul-2013 | blambert <blambert@openbsd.org>
Collect and display 'match' counters for pf tables.
While here, fix pf table displays to fit within 80 chars.
Manpage input jmc@
ok henning@ reyk@

cbdc262e | 27-Jul-2011 | mcbride <mcbride@openbsd.org>
Add support for weighted round-robin in load balancing pools and tables. Diff from zinke@ with some minor cleanup. ok henning claudio deraadt

bcb11948 | 03-Jul-2011 | zinke <zinke@openbsd.org>
bring in least-states load balancing algorithm
ok mcbride@ henning@

36754172 | 12-Jan-2010 | mcbride <mcbride@openbsd.org>
First pass at removing the 'pf_pool' mechanism for translation and routing actions. Allow interfaces to be specified in special table entries for the routing actions. Lists of addresses can now only be done using tables, which pfctl will generate automatically from the existing syntax.
Functionally, this deprecates the use of multiple tables or dynamic interfaces in a single nat or rdr rule.
ok henning dlg claudio

ed1ed052 | 21-Jun-2008 | mcbride <mcbride@openbsd.org>
Fix "-T expire"; clear pfra_fback on addresses before sending them back to the kernel to be deleted.

5f03a6e1 | 10-Jun-2008 | mcbride <mcbride@openbsd.org>
Make counters on table addresses optional and disabled by default. Use the 'counters' table option in pf.conf if you actually need them. If enabled, memory is not allocated until packets match an address.
This saves about 40% memory if counters are not being used, and paves the way for some more significant cleanups coming soon.
ok henning mpf deraadt

9d4f5fa2 | 01-Mar-2007 | deraadt <deraadt@openbsd.org>
be more careful with mixing &/| with &&/||, ok otto

d11096e9 | 18-Jan-2007 | henning <henning@openbsd.org>
implement -T expire. "pfctl -t tablename -T expire 3600" would expire all entries in the given table that are older than 3600 seconds. ok dhartmei, manpage help & ok jmc

dd9c8f06 | 17-Aug-2005 | dhartmei <dhartmei@openbsd.org>
with pfctl -vsI, indicate which interfaces are being skipped. ok henning@, markus@, mpf@