Commit Graph

64 Commits

Author SHA1 Message Date
Enji Cooper
22289a8c3d sbin: normalize paths using SRCTOP-relative paths or :H when possible
This simplifies make logic/output

MFC after:	1 month
Sponsored by:	Dell EMC Isilon
2017-03-04 11:33:01 +00:00
Luiz Otavio O Souza
1e93588b1d Fix the parsing of NPt binat rules.
In this specific case the src address can be set to any, which was not
accepted prior to this commit.

pfSense bug report:	https://redmine.pfsense.org/issues/6985
Reviewed by:	kp
Obtained from:	pfSense
MFC after:	2 weeks
Sponsored by:	Rubicon Communications, LLC (Netgate)
2016-12-28 16:16:48 +00:00
Kristof Provost
2fd47dea4e pfctl: fix nested inline anchors
Import the OpenBSD fix for nested inline anchors.

PR:		196314
Submitted by:	krichy@cflinux.hu
Obtained from:	OpenBSD
2016-11-10 18:41:43 +00:00
Bryan Drewery
28323add09 Fix improper use of "its".
Sponsored by:	Dell EMC Isilon
2016-11-08 23:59:41 +00:00
Kristof Provost
1f4955785d pf: port extended DSCP support from OpenBSD
Ignore the ECN bits on 'tos' and 'set-tos' and allow to use
DCSP names instead of having to embed their TOS equivalents
as plain numbers.

Obtained from:	OpenBSD
Sponsored by:	OPNsense
Differential Revision:	https://reviews.freebsd.org/D8165
2016-10-13 20:34:44 +00:00
Kristof Provost
813196a11a pf: remove fastroute tag
The tag fastroute came from ipf and was removed in OpenBSD in 2011. The code
allows to skip the in pfil hooks and completely removes the out pfil invoke,
albeit looking up a route that the IP stack will likely find on its own.
The code between IPv4 and IPv6 is also inconsistent and marked as "XXX"
for years.

Submitted by:	Franco Fichtner <franco@opnsense.org>
Differential Revision:	https://reviews.freebsd.org/D8058
2016-10-04 19:35:14 +00:00
Sevan Janiyan
eb6d64f86c Note the version PF first appeared in FreeBSD & from which version it was ported from.
Address the contractions raised by igor.

PR:		212574
Approved by:	bcr (mentor)
MFC after:	4 days
Differential Revision:	https://reviews.freebsd.org/D8105
2016-10-03 00:35:14 +00:00
Luiz Otavio O Souza
7f8af000a9 Fix a regression in pf.conf while parsing the 'interval' keyword.
The bug was introduced by r287009.

PR:		210924
Submitted by:	kp@
Sponsored by:	Rubicon Communications (Netgate)
Pointy hat to:	loos
2016-08-05 02:19:03 +00:00
Kristof Provost
13cfafabf4 pfctl: Make most global variables static.
This will make it easier to link as a library.

Submitted by:	Christian Mauderer <christian.mauderer@embedded-brains.de>
2016-08-04 19:24:44 +00:00
Kristof Provost
233e1432b7 pfctl: Add missing __FBSDID to pfctl_osfp.c 2016-08-04 19:24:05 +00:00
Kristof Provost
72a3cf0f41 pfctl: Use const where possible.
This adds const qualifiers where it is possible.

Submitted by:	Christian Mauderer <christian.mauderer@embedded-brains.de>
2016-08-02 20:32:02 +00:00
Kristof Provost
9a5e33be57 pfctl: Match prototype of pfctl_load_hostid.
The prototype and the implementation of the pfctl_load_hostid used a
different data type for one of the parameters.

Submitted by:	Christian Mauderer <christian.mauderer@embedded-brains.de>
2016-08-02 19:54:40 +00:00
Kristof Provost
0cd7a91aa7 pfctl: Allow TOS bits to be cleared
TOS value 0 is valid, so use 256 as an invalid value rather than zero.
This allows users to enforce TOS == 0 with pf.

Reported by:	Radek Krejča <radek.krejca@starnet.cz>
2016-08-02 15:41:42 +00:00
Kristof Provost
3e248e0fb4 pf: Filter on and set vlan PCP values
Adopt the OpenBSD syntax for setting and filtering on VLAN PCP values. This
introduces two new keywords: 'set prio' to set the PCP value, and 'prio' to
filter on it.

Reviewed by:    allanjude, araujo
Approved by:	re (gjb)
Obtained from:  OpenBSD (mostly)
Differential Revision:  https://reviews.freebsd.org/D6786
2016-06-17 18:21:55 +00:00
Pedro F. Giffuni
b68ac8007d sbin: minor spelling fixes.
No functional change.
2016-04-30 19:04:59 +00:00
Marcelo Araujo
c52ee6c23b Use nitems() from sys/param.h.
MFC after:	2 weeks.
2016-04-19 06:32:35 +00:00
Glen Barber
0edd2576c0 MFH
Sponsored by:	The FreeBSD Foundation
2016-04-16 02:32:12 +00:00
Luiz Otavio O Souza
db1bbde602 Make pfctl(8) more flexible when parsing bandwidth values.
This is the current behaviour in OpenBSD and a similar patch exist in
pfSense too.

Obtained from:	OpenBSD (partly - rev. 1.625)
MFC after:	2 weeks
Sponsored by:	Rubicon Communications (Netgate)
2016-04-14 18:37:40 +00:00
Glen Barber
52259a98ad MFH
Sponsored by:	The FreeBSD Foundation
2016-03-02 16:14:46 +00:00
Bryan Drewery
bd18fd57db DIRDEPS_BUILD: Regenerate without local dependencies.
These are no longer needed after the recent 'beforebuild: depend' changes
and hooking DIRDEPS_BUILD into a subset of FAST_DEPEND which supports
skipping 'make depend'.

Sponsored by:	EMC / Isilon Storage Division
2016-02-24 17:20:11 +00:00
Glen Barber
7de1daeb93 Create packages for atm, ccdconfig, devd, ipf, ipfw,
iscsi, natd, nandfs, pf, quotacheck, and routed.

Add ping6 and rtsol to the runtime package.

Sponsored by:	The FreeBSD Foundation
2016-02-09 19:30:31 +00:00
Ian Lepore
1cac26262e Make pfctl(8) work on strict-alignment platforms, by copying a pair of
embedded structures out of a packed, unaligned struct into local copies
on the stack which are aligned.

The original patch to do this was submitted by Guy Yur <guyyur@gmail.com>,
and this is conceptually the same change, but restructured with the
#ifndef __NO_STRICT_ALIGNMENT wrapper, similar to how the same issue is
handled in the kernel pf code.

PR:		185617
PR:		206658
2016-01-30 22:03:14 +00:00
Kristof Provost
3e768368d0 pfctl: Fix uninitialised veriable
In pfctl_set_debug() we used 'level' without ever initialising it.
We correctly parsed the option, but them failed to actually assign the parsed
value to 'level' before performing to ioctl() to configure the debug level.

PR:		202996
Submitted by:	Andrej Kolontai
2015-11-01 17:20:17 +00:00
Kristof Provost
64b3b4d611 pf: Remove support for 'scrub fragment crop|drop-ovl'
The crop/drop-ovl fragment scrub modes are not very useful and likely to confuse
users into making poor choices.
It's also a fairly large amount of complex code, so just remove the support
altogether.

Users who have 'scrub fragment crop|drop-ovl' in their pf configuration will be
implicitly converted to 'scrub fragment reassemble'.

Reviewed by:	gnn, eri
Relnotes:	yes
Differential Revision:	https://reviews.freebsd.org/D3466
2015-08-27 21:27:47 +00:00
Luiz Otavio O Souza
0a70aaf8f5 Add ALTQ(9) support for the CoDel algorithm.
CoDel is a parameterless queue discipline that handles variable bandwidth
and RTT.

It can be used as the single queue discipline on an interface or as a sub
discipline of existing queue disciplines such as PRIQ, CBQ, HFSC, FAIRQ.

Differential Revision:	https://reviews.freebsd.org/D3272
Reviewd by:	rpaulo, gnn (previous version)
Obtained from:	pfSense
Sponsored by:	Rubicon Communications (Netgate)
2015-08-21 22:02:22 +00:00
George V. Neville-Neil
a413464757 Only report the lack of ALTQ support if pfctl is using verbose (-v) mode.
PR:		194935
Submitted by:	Jim Thompson
MFC after:	2 weeks
2015-07-20 23:24:25 +00:00
Ermal Luçi
a5b789f65a ALTQ FAIRQ discipline import from DragonFLY
Differential Revision:  https://reviews.freebsd.org/D2847
Reviewed by:    glebius, wblock(manpage)
Approved by:    gnn(mentor)
Obtained from:  pfSense
Sponsored by:   Netgate
2015-06-24 19:16:41 +00:00
Simon J. Gerraty
ccfb965433 Add META_MODE support.
Off by default, build behaves normally.
WITH_META_MODE we get auto objdir creation, the ability to
start build from anywhere in the tree.

Still need to add real targets under targets/ to build packages.

Differential Revision:       D2796
Reviewed by: brooks imp
2015-06-13 19:20:56 +00:00
Simon J. Gerraty
44d314f704 dirdeps.mk now sets DEP_RELDIR 2015-06-08 23:35:17 +00:00
Simon J. Gerraty
98e0ffaefb Merge sync of head 2015-05-27 01:19:58 +00:00
Gleb Smirnoff
772e66a6fc Move ALTQ from contrib to net/altq. The ALTQ code is for many years
discontinued by its initial authors. In FreeBSD the code was already
slightly edited during the pf(4) SMP project. It is about to be edited
more in the projects/ifnet. Moving out of contrib also allows to remove
several hacks to the make glue.

Reviewed by:	net@
2015-04-16 20:22:40 +00:00
Baptiste Daroussin
13eb765f2d Convert sbin/ to LIBADD
Reduce overlinking
2014-11-25 11:23:12 +00:00
Simon J. Gerraty
ee7b0571c2 Merge head from 7/28 2014-08-19 06:50:54 +00:00
Joel Dahl
df2d82e003 mdoc: remove superfluous paragraph macros. 2014-06-23 18:40:21 +00:00
Simon J. Gerraty
fae50821ae Updated dependencies 2014-05-16 14:09:51 +00:00
Simon J. Gerraty
76b28ad6ab Updated dependencies 2014-05-10 05:16:28 +00:00
Simon J. Gerraty
cc3f4b9965 Merge from head 2014-05-08 23:54:15 +00:00
Warner Losh
c6063d0da8 Use src.opts.mk in preference to bsd.own.mk except where we need stuff
from the latter.
2014-05-06 04:22:01 +00:00
Simon J. Gerraty
3b8f084595 Merge head 2014-04-28 07:50:45 +00:00
Gleb Smirnoff
5a9ab48795 Fix compilation for 32-bit machines. 2014-03-05 19:26:22 +00:00
Gleb Smirnoff
fb3541ad15 Instead of playing games with casts simply add 3 more members to the
structure pf_rule, that are used when the structure is passed via
ioctl().

PR:		187074
2014-03-05 00:40:03 +00:00
Gleb Smirnoff
2dfe3ec23d Better build fix. 2014-02-15 16:22:51 +00:00
Gleb Smirnoff
4a70ff6ddb Fix build on 32bit arches broken by me in r261882. 2014-02-14 19:43:00 +00:00
Gleb Smirnoff
48278b8846 Once pf became not covered by a single mutex, many counters in it became
race prone. Some just gather statistics, but some are later used in
different calculations.

A real problem was the race provoked underflow of the states_cur counter
on a rule. Once it goes below zero, it wraps to UINT32_MAX. Later this
value is used in pf_state_expires() and any state created by this rule
is immediately expired.

Thus, make fields states_cur, states_tot and src_nodes of struct
pf_rule be counter(9)s.

Thanks to Dennis for providing me shell access to problematic box and
his help with reproducing, debugging and investigating the problem.

Thanks to:		Dennis Yusupoff <dyr smartspb.net>
Also reported by:	dumbbell, pgj, Rambler
Sponsored by:		Nginx, Inc.
2014-02-14 10:05:21 +00:00
Bjoern A. Zeeb
f870cb7f3b Use feature_present(3) to determine whether to open an INET or an
INET6 socket when needed to allow pfctl to work on noinet and noinet6
kernels (and try to provide a fallback using AF_LINK as best effort).
Adjust the Makefile to also respect relevant src.conf(5) options
for compile time decisions on INET and INET6 support.

Reviewed by:	glebius (no objections)
MFC after:	1 week
2013-12-26 15:51:14 +00:00
Gleb Smirnoff
116e43f021 Remove __FreeBSD__ ifdefs. 2013-11-22 20:13:32 +00:00
Gleb Smirnoff
0c46447bda Rewrite usage() so that its source code resembles what is printed. 2013-11-22 20:11:17 +00:00
Baptiste Daroussin
e0b95cb532 Import pf_print_state.c 1.54 from OpenBSD
Original log:
pfctl -ss printed state levels for ICMPv6. Disable this the same
way it has already been done for ICMPv4.

Difference with OpenBSD:
- WITHOUT_INET6 safe

Obtained from:	OpenBSD
2013-10-27 21:07:37 +00:00
Simon J. Gerraty
7cf3a1c6b2 Updated dependencies 2013-03-11 17:21:52 +00:00
Simon J. Gerraty
f5f7c05209 Updated dependencies 2013-02-16 01:23:54 +00:00