History log of /openbsd/sbin/pfctl/pfctl_table.c (Results 1 – 25 of 88)
# a7b9eedc 09-May-2024 florian <florian@openbsd.org>

ctime(3) and ctime_r(3) can fail when timestamps are way off.
Add missing error checks to all calls under sbin/

Input kettenis, millert
OK millert


# 3898e353 15-Jan-2024 sashan <sashan@openbsd.org>

Currently 'pfctl -a "*" -sr' recursively walks anchor tree and shows
rules found in every anchor. This commit introduces the same behavior
for tables. Command 'pfctl -a "*" -sT' prints all tables attached to
every anchor loaded to pf(4).

Inconsistency has been noticed by Klemens (kn@).

OK @bluhm, OK @kn



# 352b17dc 26-Oct-2023 deraadt <deraadt@openbsd.org>

whitespace cleanup my fingers couldn't avoid doing while i was re-reading
the parsing code


# edd74edc 21-Nov-2022 sashan <sashan@openbsd.org>

Fix DIOCIGETIFACES ioctl so all network interfaces
and interface groups are reported. The bug allowed
to enumerate the first 64 interfaces only.

The issue has been noticed and bug kindly reported
by Olivier Croquin.

OK kn@



# c802a0d9 15-Jan-2020 kn <kn@openbsd.org>

Do the actual pfr_strerror() to pf_strerror() rename

Missed in previous


# e13f0105 15-Jan-2020 kn <kn@openbsd.org>

Merge radix_perror() into simpler warnx()/errx() usage

Less nesting for clearer code.

OK sashan


# ae711728 15-Jan-2020 sashan <sashan@openbsd.org>

Enable pfctl(8) to recursively flush rules and tables from PF driver. The
recursive operation ("pfctl -a '*' ...") works for '-s' option already. This
change enables the same thing for '-F' option, so "pfctl -a '*' -Fa" will flush
everything from PF driver.

The idea was discussed with many on tech@ in spring 2019.

OK kn@



# 898866c2 18-Apr-2019 kn <kn@openbsd.org>

Always check for namespace collisions on table commands

Always check for namespace collisions on table commands

`-t table -T add|replace ...' would only check for duplicate tables in case
addresses were actually added to the table.

Instead of using a positive number of added addresses as proof for
successful table operations, rely on the fact that CREATE_TABLE() is
guaranteed to be called only if pf(4) can be accessed, that is
warn_duplicate_tables() will return.

This improves duplicate detection rate as warnings are now also emitted
even when table commands eventually leave tables unchanged.

OK benno sashan



# 0de3a0c9 11-Jan-2019 kn <kn@openbsd.org>

When creating tables inside anchors, pfctl warned about namespace
collisions with global tables, but only in certain cases and with
limited information sometimes leaving users clueless.

Deferring the check to process_tabledefs() where tables are eventually
created, both anchor and table name are known which allows for checking
all existing anchors.

With this, warn on all duplicates even in dry-runs (`-n') and print
quoted names so they can be copied to fix configurations right away.

No functional change in parsing or ruleset production.

Discussed with and OK sashan



# 97699edb 02-Jan-2019 kn <kn@openbsd.org>

Error out on missing table command, zap internal wrapper function

Table name and table command require each other as reflected in the
synopsis [-t table -T command [address ...]], so print usage and exit if
only one of them is given.

By moving the inter-dependence check right after option parsing is done,
we can bail out even before opening pf(4) and drop the internal wrapper
pfctl_command_tables() as unneeded indirection with now duplicate checks.

OK sashan



# ab23e671 15-Oct-2018 kn <kn@openbsd.org>

use PFR_RB_NONE consistently

Replace hardcoded 0 and implicit checks with enum as done in all other
use cases of `pfra_fback'. No object change.

OK sashan


# 7c8726d4 11-Aug-2017 benno <benno@openbsd.org>

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@


# c5e9690e 15-Jul-2017 awolk <awolk@openbsd.org>

sbin/pfctl: void functions and exit(3) on error

Changes:
voided:
- pfctl_clear_tables
- pfctl_show_tables
- pfctl_show_ifaces

Those functions now exit(3) in case of error instead
of passing it up to the callers (where it was ignored).

OK mikeb@, sashan@



# 90abbc64 13-Apr-2017 jsg <jsg@openbsd.org>

fix wrongly indented lines


# 8717211f 20-Jan-2015 deraadt <deraadt@openbsd.org>

Rewrite to void using union sockaddr_union
ok mikeb


# b9fc9a72 16-Jan-2015 deraadt <deraadt@openbsd.org>

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)



# 401a01c8 05-Jul-2013 blambert <blambert@openbsd.org>

Collect and display 'match' counters for pf tables.

While here, fix pf table displays to fit within 80 chars.

Manpage input jmc@

ok henning@ reyk@


# cbdc262e 27-Jul-2011 mcbride <mcbride@openbsd.org>

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt


# bcb11948 03-Jul-2011 zinke <zinke@openbsd.org>

bring in least-states load balancing algorithm

ok mcbride@ henning@


# 36754172 12-Jan-2010 mcbride <mcbride@openbsd.org>

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio



# ed1ed052 21-Jun-2008 mcbride <mcbride@openbsd.org>

Fix "-T expire"; clear pfra_fback on addresses before sending them back to
the kernel to be deleted.


# 5f03a6e1 10-Jun-2008 mcbride <mcbride@openbsd.org>

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt



# 9d4f5fa2 01-Mar-2007 deraadt <deraadt@openbsd.org>

be more careful with mixing &/| with &&/||, ok otto


# d11096e9 18-Jan-2007 henning <henning@openbsd.org>

implement -T expire.
"pfctl -t tablename -T expire 3600" would expire all entries in the given
table that are older than 3600 seconds. ok dhartmei, manpage help & ok jmc


# dd9c8f06 17-Aug-2005 dhartmei <dhartmei@openbsd.org>

with pfctl -vsI, indicate which interfaces are being skipped.
ok henning@, markus@, mpf@

