Commit Graph

66 Commits

Author SHA1 Message Date
pluknet
39f6ac9066 MFC r261271:
Resurrect the local change documenting
  authpf's requirement for a mounted fdescfs(5).

PR:		docs/186250
2014-10-29 09:32:36 +00:00
emaste
f9534c5185 MFC r263289: Update NetBSD Foundation copyrights to 2-clause BSD
The NetBSD Foundation states "Third parties are encouraged to change the
  license on any files which have a 4-clause license contributed to the
  NetBSD Foundation to a 2-clause license."

  This change removes clauses 3 and 4 from copyright / license blocks that
  list The NetBSD Foundation as the only copyright holder.

Sponsored by:	The FreeBSD Foundation
2014-03-24 13:48:04 +00:00
glebius
0ccf4838d7 o Create directory sys/netpfil, where all packet filters should
reside, and move there ipfw(4) and pf(4).

o Move most modified parts of pf out of contrib.

Actual movements:

sys/contrib/pf/net/*.c		-> sys/netpfil/pf/
sys/contrib/pf/net/*.h		-> sys/net/
contrib/pf/pfctl/*.c		-> sbin/pfctl
contrib/pf/pfctl/*.h		-> sbin/pfctl
contrib/pf/pfctl/pfctl.8	-> sbin/pfctl
contrib/pf/pfctl/*.4		-> share/man/man4
contrib/pf/pfctl/*.5		-> share/man/man5

sys/netinet/ipfw		-> sys/netpfil/ipfw

The arguable movement is pf/net/*.h -> sys/net. There are
future plans to refactor pf includes, so I decided not to
break things twice.

Unmodified bits of pf left in contrib: authpf, ftp-proxy,
tftp-proxy, pflogd.

The ipfw(4) movement is planned to be merged to stable/9,
to make head and stable match.

Discussed with:		bz, luigi
2012-09-14 11:51:49 +00:00
glebius
5190d38ee3 Merge the projects/pf/head branch, that was worked on for the last six months,
into head. The most significant achievements in the new code:

 o Fine grained locking, thus much better performance.
 o Fixes to many problems in pf that were specific to the FreeBSD port.

New code doesn't have that many ifdefs and far fewer OpenBSDisms, thus
is more attractive to our developers.

Those interested in details can browse through the SVN log of the
projects/pf/head branch. And for reference, here is the exact list of
revisions merged:


I'd like to thank the people who participated in early testing:

Tested by:	Florian Smeets <flo freebsd.org>
Tested by:	Chekaluk Vitaly <artemrts ukr.net>
Tested by:	Ben Wilber <ben desync.com>
Tested by:	Ian FREISLICH <ianf cloudseed.co.za>
2012-09-08 06:41:54 +00:00
bz
dcdb23291f Merge multi-FIB IPv6 support from projects/multi-fibv6/head/:
Extend the so far IPv4-only support for multiple routing tables (FIBs)
introduced in r178888 to IPv6 providing feature parity.

This includes an extended rtalloc(9) KPI for IPv6, the necessary
adjustments to the network stack, and userland support as in netstat.

Sponsored by:	Cisco Systems, Inc.
Reviewed by:	melifaro (basically)
MFC after:	10 days
2012-02-17 02:39:58 +00:00
rwatson
c3696bb070 Replace an OpenBSDism with a FreeBSDism in the pfctl(8) man page: we put
configuration file man pages in section 5, and we prefer rc.conf to
rc.conf.local.

MFC after:	3 days
2012-01-05 23:11:05 +00:00
glebius
8c74bad9f3 Restore a feature that was present in 5.x and 6.x, and was cleared in
7.x, 8.x and 9.x with pf(4) imports: pfsync(4) should suppress CARP
preemption while it is running its bulk update.

However, reimplement the feature in a more elegant manner that is
partially inspired by newer OpenBSD:

- Rename the term "suppression" to "demotion", to match OpenBSD.
- Keep a global demotion factor that can be raised by several
  conditions; for now these are:
  - interface goes down
  - carp(4) has problems with ip_output() or ip6_output()
  - pfsync performs bulk update
- Unlike in OpenBSD, the demotion factor isn't a counter, but
  is an actual value added to advskew. The adjustment values for
  particular error conditions are also configurable, and their
  defaults are the maximum advskew value, so a single failure bumps
  demotion to maximum. This is for POLA compatibility, and should
  satisfy most users.
- The demotion factor is a writable sysctl, so the user can do
  foot shooting, if he desires to.
2011-12-20 13:53:31 +00:00
glebius
91985bb2d6 - Fix examples to show new CARP style.
- Remove OpenBSDisms, add FreeBSDisms.
2011-12-20 13:32:56 +00:00
bz
81c9e88d02 Correct the description of struct pfioc_state_kill.
PR:		kern/158997
Submitted by:	ohauer
2011-07-17 17:33:39 +00:00
obrien
2adee38efa Note the PF version.
Discussed with:	bz
2011-07-07 23:17:56 +00:00
bz
e15f804c7b Update packet filter (pf) code to OpenBSD 4.5.
You need to update userland (world and ports) tools
to be in sync with the kernel.

Submitted by:	mlaier
Submitted by:	eri
2011-06-28 11:57:25 +00:00
bz
7ceffe8d59 Add a new option -P to suppress getservbyport(3) calls when printing rules.
This allows one to force consistent printing of numeric port numbers like
we do with -n for other tools like netstat (just that -n was already taken)
rather than the service names.

-P is currently unused in OpenBSD so the change is eligible for upstreaming.

PR:		misc/151015
Submitted by:	Matt Koivisto (mkoivisto sandvine.com)
Sponsored by:	Sandvine Incorporated
MFC after:	1 week
2011-06-13 20:11:28 +00:00
csjp
df8e8f6859 Enable closefrom(2) here, as we have supported it for some time now.
Discussed with:	mlaier
MFC after:	2 weeks
2010-08-05 18:49:06 +00:00
delphij
40c18ac3ff Adapt OpenBSD pf's "sloppy" TCP state machine, which is useful for Direct
Server Return mode, where not all packets would be visible to the load
balancer or gateway.

This commit should be reverted when we merge future pf versions.  The
benefit it would provide is that this version does not break any existing
public interface and thus won't be a problem if we want to MFC it to
earlier FreeBSD releases.

Discussed with:	mlaier
Obtained from:	OpenBSD
Sponsored by:	iXsystems, Inc.
MFC after:	1 month
2009-12-24 00:43:44 +00:00
julian
dfe0135978 Max's changes got left out of the MRT commit.
2008-05-09 23:53:01 +00:00
mlaier
5cb64aae63 Make ALTQ cope with disappearing interfaces (particularly common with mpd
and netgraph in general).  This also allows adding queues for an interface
that does not exist yet (you have to provide the bandwidth for the
interface, however).

PR:		kern/106400, kern/117827
MFC after:	2 weeks
2008-03-29 00:24:36 +00:00
remko
dfed0500c5 MFOpenBSD rev 1.393 pf.conf.5
do not describe `/' as solidus; from Allen (freebsd pr120484);

PR:		120484
Submitted by:	Allen <alandsidel at 1001islington dot com>
MFC After:	3 days
2008-02-11 21:09:34 +00:00
mlaier
8ad5ea95ae Update for libpcap 0.9.8
2007-10-16 02:12:06 +00:00
mlaier
73f16a7800 Lost these during the import. Hand me the pointy hat.
Approved by:	re (implicit)
2007-07-03 14:08:49 +00:00
mlaier
edb0b64179 Commit resolved import of OpenBSD 4.1 pf userland from perforce.
Approved by:	re (kensmith)
2007-07-03 12:30:03 +00:00
mlaier
d1f1f8d084 This commit was generated by cvs2svn to compensate for changes in r171169,
which included commits to RCS files with non-trunk default branches.
2007-07-03 12:22:02 +00:00
mlaier
9501569295 Import pf userland from OpenBSD 4.1 and (for ftp-proxy) libevent 1.3b as
a local lib.
2007-07-03 12:22:02 +00:00
remko
48e05cbb50 Revert my previous change, add an MLINK from securelevel.7 to security.7
Discussed with:	brueffer
2007-06-01 21:33:21 +00:00
remko
02d75b0108 Change securelevel(7) to security(7). Yes, I am aware
that this is within the contrib directory.

PR:		docs/104402
Submitted by:	Dr. Markus Waldeck <waldeck at gmx dot de>

Discussed with:	mlaier
2007-06-01 21:09:11 +00:00
dhartmei
b84c57b21a From OpenBSD, rev. 1.379
Document how 'allow-opts' applies to routing headers in IPv6.

MFC after:	1 week
Discussed with:	mlaier
2007-05-21 20:12:35 +00:00
mlaier
7a56ec02c0 From OpenBSD, rev. 1.91:
fix servicecurve check; no point in checking the same sc three times, it
  was obviously intended to check all three. has been wrong since the
  beginning, 4 years... noticed by Earl Lapus <earl.lapus@gmail.com>, Vasil
  Dimov <vd@FreeBSD.org> mailed me then, ok mcbride

MFC after:	3 days
2006-11-30 18:55:36 +00:00
mlaier
3c9a14bd36 Mention that we do not support route labels in the BUGS section.
PR:		docs/93590
Reported by:	Niki Denev
2006-10-30 15:15:37 +00:00
glebius
cd66f71303 - Note that the synchronisation interface needs to be up and have
an IP address assigned.
- Add "quick" keyword to pf.conf example.

PR:		docs/85209
2006-06-06 12:35:53 +00:00
mlaier
332f3f5a7b Document authpf's requirement for a mounted fdescfs(5).
PR:		docs/89635
MFC after:	1 day
2006-03-28 15:26:16 +00:00
mlaier
26d969a376 Constfy errstr as it is in OpenBSD to unbreak the build.
Pointed out by:	Suken Woo, Martin Wilke, Wesley Morgan
2006-03-15 16:28:12 +00:00
mlaier
8e7c134331 Use strtonum now that we have it in libc as well.
2006-03-15 00:30:19 +00:00
mlaier
74c57f2ec0 Fix build after timeval.tv_sec changed from long to time_t.
2005-12-25 22:57:08 +00:00
yar
327895a26d Add an rc.d script to start pfsync at the right moment of the
system boot, and hook it up in the system.

The separate script is needed because in the presence of various
interface lists in rc.conf ($network_interfaces, $cloned_interfaces,
$sppp_interfaces, $gif_interfaces, more to come) it is hard to start
them orderly, so that pfsync is brought up after its syncdev, which
is required for the proper startup of pfsync.

Discussed with:	mlaier on -pf
MFC after:	5 days
2005-10-02 18:59:02 +00:00
mlaier
f86976eb12 Redirect bridge(4) to if_bridge(4). These should have pointed to if_bridge
from the beginning.

Reminded by:	ru
2005-09-28 08:11:15 +00:00
csjp
f267b4783c FreeBSD now supports BIOCLOCK. So we can use it now.
Reviewed by:	mlaier
2005-08-23 00:03:58 +00:00
brueffer
ec4f7f03b1 More tcpdump 8->1 cleanup.
Approved by:	mlaier
MFC after:	3 days
2005-08-06 13:03:03 +00:00
brueffer
2a75eb6afb - Remove MLINKS to nonexistent manpages
- Change some section numbers to match reality
- For MLINKS to manpages from ports, mention which port installs them

MFC after:	3 days
2005-07-14 20:29:08 +00:00
mlaier
b28479dfe2 Resolve conflicts created during the import of pf 3.7. Some features are
missing and will be implemented in a second step.  This is functional as is.

Tested by:	freebsd-pf, pfsense.org
Obtained from:	OpenBSD
2005-05-03 16:55:20 +00:00
mlaier
511d1c13c3 Import pf userland from OpenBSD 3.7 (OPENBSD_3_7 as of today)
2005-05-03 16:47:37 +00:00
mlaier
f9e60af500 This commit was generated by cvs2svn to compensate for changes in r145837,
which included commits to RCS files with non-trunk default branches.
2005-05-03 16:47:37 +00:00
glebius
d94b19b89c - remove OpenBSDisms, add FreeBSDisms
- comment out a feature we do not have yet: tcpdumping on pfsync,
  add a BUGS section
- reference carp.4
- dereference bpf(4), tcpdump(7), hostname.if(5)
- sort references
- tell when pfsync appeared in FreeBSD

Reviewed by:	mlaier
MFC after:	1 week
2005-02-23 17:37:39 +00:00
mlaier
ccaba02daa Fix sloppy use of "manpage", bump .Dd where applicable and rename RED to
Random Early Detection (not ... Drop) in order to be consistent with other
documentation on ALTQ.

Pointed out by:	simon, ru, Brad Davis
2005-02-07 23:20:12 +00:00
mlaier
8b6d2b4fe7 Be more verbose about altq SYNOPSIS and add more linkage in the relating pf
documents.

Inspired by:	scottl
Reviewed by:	Brad Davis <so14kNOso14kSPAMcom>
MFC after:	3 days
2005-02-07 11:46:36 +00:00
mlaier
89e05e38ca Fix a reference from pool(9) -> zone(9), but keep on talking about "memory
pools" as that is what UMA provides.

Submitted by:	Jay <jay NO meangrape SPAM com>
2004-11-14 17:05:54 +00:00
mlaier
d848661392 Rename the QUEUEING section to QUEUEING/ALTQ to make it easier to find the
appropriate section when redirected from ALTQ(4).

MFC after:	2 days
2004-10-07 15:39:02 +00:00
mlaier
c5e647a2a2 Make pflogd cope with module unload (and the sudden disappearance of pflog0).
Instead of eating all the available CPU we now shut down gracefully.

Submitted by:	yongari
MFC after:	3 days
2004-10-05 08:26:34 +00:00
mlaier
283a694fdb Document a problem with user/group filtering. With debug.mpsafenet=1 this
might result in a deadlock. The fix involves critical changes in the PF
locking strategy (which will happen after 5.3R). For now advise users to set
debug.mpsafenet=0 if they use this kind of filtering.

The same problem exists for IPFW.

mdoc help from:		simon
MFC after:		2 days
2004-10-03 10:42:42 +00:00
mlaier
f00a812528 PFIL_HOOKS is no longer an optional item.
Submitted by:	Anders Hanssen
MFC after:	1 day
2004-09-26 16:10:40 +00:00
mlaier
61e73d53e0 Bring in some examples (and create space for future work here):
- Add OpenBSD example rulesets as advertised in etc/pf.conf and pf.conf(5)
- Tweak the pointer to fit the FreeBSD default location share/examples/pf
- Account for the new directory in BSD.usr.dist (no hier(7) change required
  as share/examples is an opaque item there).

Obtained from:	OpenBSD
Reminded by:	Thomas T. Veldhouse
PR:		docs/71691
MFC after:	2 days
2004-09-14 01:07:19 +00:00
mlaier
8fda63d007 Make pflogd(8) store pcap_sf_pkthdr instead of MD timeval contaminated
pcap_pkthdr. This makes /var/log/pflog standard-compliant on 64-bit archs.

OpenBSD has fixed this by changing the bpf timeval to 32bit in the kernel,
so no need to report this over (again).

PR:		bin/71096 (w/ changes)
Submitted by:	Ville-Pertti Keinonen
Tested by:	amd64(submitter), sparc64(yongari), i386(myself)
MFC after:	3 days
2004-08-31 18:04:34 +00:00