Commit graph

90 commits

Author SHA1 Message Date
Kristof Provost ba2a920786 pf: convert DIOCBEGINADDRS to netlink 2024-06-08 04:46:43 +02:00
Kristof Provost 71d3c7041d pf: convert DIOCNATLOOK to netlink
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2024-06-04 14:59:58 +02:00
Alexander Ziaee 1a720cbec5 man filesystems: fix xrefs after move to section 4
Reviewed by: des, imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1077
2024-05-16 10:25:29 -06:00
Kristof Provost 5824df8d99 pf: convert DIOCGETSTATUS to netlink
Introduce pfctl_get_status_h() because we need the pfctl_handle. In this variant
use netlink to obtain the information.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
2024-04-29 16:32:23 +02:00
Kristof Provost 044243fcc9 libpfctl: allow access to the fd
pfctl_open() opens both /dev/pf and a netlink socket. Allow access to the /dev/
pf fd via pfctl_fd().
This means that libpfctl users no longer have to open /dev/pf themselves for any
calls that are not yet available in libpfctl.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
MFC after:	2 weeks
2024-04-29 16:32:23 +02:00
Kristof Provost 706d465dae pf: convert kill/clear state to use netlink
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D44090
2024-02-28 23:26:18 +01:00
Kristof Provost 324fd7ec40 libpfctl: introduce a handle-enabled variant of pfctl_add_rule()
Introduce pfctl_add_rule_h(), which takes a pfctl_handle rather than a
file descriptor (which it didn't use). This means that library users can
open the handle while they're running as root, but later drop privileges
and still add rules to pf.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
2024-01-04 23:10:44 +01:00
Brooks Davis bbde5c0725 pf: Remove __FBSDID() macro use
These are local additions that no longer make sense with the transition
to git.

This partially reverts a10f530f93.

Reviewed by:	kp, imp
Differential Revision:	https://reviews.freebsd.org/D42687
2023-11-21 00:21:11 +00:00
Kristof Provost ddd08375c8 pf (t)ftp-proxy: use libpfctl instead of DIOCGETSTATUS
Prefer libpfctl functions over direct access to the ioctl whenever
possible. This will allow subsequent removal of DIOCGETSTATUS (in 15) as
there already is an nvlist-based alternative.

MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D41647
2023-08-31 10:56:31 +02:00
John Baldwin b488428efe pf/libevent: Consistently pass evsignal to sigaction.
This silences a set but unused warning from GCC.

Reviewed by:	kp
Differential Revision:	https://reviews.freebsd.org/D40649
2023-06-20 12:31:19 -07:00
Ed Maste 81f964e2ff authpf: do not sprintf to a null pointer
The fgetln loop will terminate with buf = NULL at EOF.

Reported by:	GCC
Reviewed by:	kp
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D39947
2023-05-03 10:03:27 -04:00
Joseph Mingrone 0c59e0b4e5 pflogd: Do not access obsolete structure member pcap.tzoff
This change is in preparation for a libpcap update.

See also:	d4d65e7c4c
Reviewed by:	emaste
Sponsored by:	The FreeBSD Foundation
2023-03-30 15:58:45 -03:00
Kristof Provost 8923ea6c86 ftp-proxy: Revert incorrect migration to libpfctl
libpfctl supports creating rules, but not (yet) adding addresses to a
pool. Adding addresses certainly does not work through adding a rule.

PR:		256917
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2021-07-01 21:34:40 +02:00
Kristof Provost 2b2ed4a697 authpf: Start using libpfctl
Use pfctl_kill_states() rather than the DIOCKILLSTATES ioctl directly.

MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D30057
2021-05-07 22:13:31 +02:00
Kristof Provost e9eb09414a libpfctl: Switch to pfctl_rule
Stop using the kernel's struct pf_rule, switch to libpfctl's pfctl_rule.
Now that we use nvlists to communicate with the kernel these structures
can be fully decoupled.

Reviewed by:	glebius
MFC after:	4 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D29644
2021-04-10 11:16:02 +02:00
Kristof Provost 95be9288f0 (t)ftp-proxy: use libpfctl
Reviewed by:	glebius
MFC after:	4 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D29641
2021-04-10 11:16:02 +02:00
Kyle Evans 64c01719e4 libevent1: fix layout of duplicated RB_ENTRY() definition
3a509754de removed the color field from our definition, but libevent1
has a copy of it off to the side to prevent event.h consumers from
*needing* to pull in sys/queue.h and sys/tree.h.

Update the event.h definition so that we don't accidentally end up with
two different views of struct event.

This appears to have no functional effect on anything in tree, but this
came up in a local patch to port if_switch(4) and related components
from OpenBSD.

MFC after:	1 week
2021-03-23 23:39:43 -05:00
Sevan Janiyan 2bda75506d Fix escaping, otherwise Dx gets translated as the macro for DragonFly.
From 2018 Linuxhotel Hackathon & DevSummit

Approved by:	eadler
Obtained from:	OpenBSD r1.49
Differential Revision:	https://reviews.freebsd.org/D16616
2018-08-11 00:08:59 +00:00
Hans Petter Selasky 5fd1ea0810 Re-apply r190640.
- Restore local change to include <net/bpf.h> inside pcap.h.
This fixes ports build problems.
- Update local copy of dlt.h with new DLT types.
- Revert no longer needed <net/bpf.h> includes which were added
as part of r334277.

Suggested by:	antoine@, delphij@, np@
MFC after:	3 weeks
Sponsored by:	Mellanox Technologies
2018-05-31 09:11:21 +00:00
Hans Petter Selasky b00ab7548b MFV r333789: libpcap 1.9.0 (pre-release)
MFC after:	1 month
Sponsored by:	Mellanox Technologies
2018-05-28 08:12:18 +00:00
Baptiste Daroussin 053a88680a Rename getline with get_line to avoid collision with getline(3)
When getline(3) was added in 2009, a _WITH_GETLINE guard was also added.
This rename is made in preparation for the removal of this guard.

Obtained from:	OpenBSD
2016-05-10 11:09:26 +00:00
Dimitry Andric f7862a87d0 Fix a clang 3.8.0 warning in pflogd.c:
contrib/pf/pflogd/pflogd.c:769:8: error: logical not is only applied to the left hand side of this comparison [-Werror,-Wlogical-not-parentheses]
                        if (!if_exists(interface) == -1) {
                            ^                     ~~

The if_exists() function does not return -1, and even if it did, it
would not be the correct way to check.  Just ditch the == -1 instead.

Obtained from:	OpenBSD's pflogd.c 1.49
MFC after:	3 days
2015-12-31 22:45:00 +00:00
Warren Block 62c332ce9c Fix a couple of missing lines that obscured the -p description.
Submitted by:	Jonathan de Boyne Pollard <J.deBoynePollard-newsgroups@NTLWorld.com>
MFC after:	1 week
2015-06-28 20:53:36 +00:00
Ed Maste 0fcefb433d Update NetBSD Foundation copyrights to 2-clause BSD
The NetBSD Foundation states "Third parties are encouraged to change the
license on any files which have a 4-clause license contributed to the
NetBSD Foundation to a 2-clause license."

This change removes clauses 3 and 4 from copyright / license blocks that
list The NetBSD Foundation as the only copyright holder.

Sponsored by:	The FreeBSD Foundation
2014-03-18 01:40:25 +00:00
Sergey Kandaurov a24f107bb9 Resurrect the local change documenting
authpf's requirement for a mounted fdescfs(5).

PR:		docs/186250
MFC after:	1 week
2014-01-29 19:28:52 +00:00
Gleb Smirnoff 3b3a8eb937 o Create directory sys/netpfil, where all packet filters should
reside, and move there ipfw(4) and pf(4).

o Move most modified parts of pf out of contrib.

Actual movements:

sys/contrib/pf/net/*.c		-> sys/netpfil/pf/
sys/contrib/pf/net/*.h		-> sys/net/
contrib/pf/pfctl/*.c		-> sbin/pfctl
contrib/pf/pfctl/*.h		-> sbin/pfctl
contrib/pf/pfctl/pfctl.8	-> sbin/pfctl
contrib/pf/pfctl/*.4		-> share/man/man4
contrib/pf/pfctl/*.5		-> share/man/man5

sys/netinet/ipfw		-> sys/netpfil/ipfw

The arguable movement is pf/net/*.h -> sys/net. There are
future plans to refactor pf includes, so I decided not to
break things twice.

Not modified bits of pf left in contrib: authpf, ftp-proxy,
tftp-proxy, pflogd.

The ipfw(4) movement is planned to be merged to stable/9,
to make head and stable match.

Discussed with:		bz, luigi
2012-09-14 11:51:49 +00:00
Gleb Smirnoff d6d3f01e0a Merge the projects/pf/head branch, that was worked on for last six months,
into head. The most significant achievements in the new code:

 o Fine-grained locking, and thus much better performance.
 o Fixes to many problems in pf that were specific to the FreeBSD port.

The new code doesn't have that many ifdefs and far fewer OpenBSDisms, and
is thus more attractive to our developers.

  Those interested in details can browse through the SVN log of the
projects/pf/head branch. For reference, here is the exact list of
revisions merged:

r232043, r232044, r232062, r232148, r232149, r232150, r232298, r232330,
r232332, r232340, r232386, r232390, r232391, r232605, r232655, r232656,
r232661, r232662, r232663, r232664, r232673, r232691, r233309, r233782,
r233829, r233830, r233834, r233835, r233836, r233865, r233866, r233868,
r233873, r234056, r234096, r234100, r234108, r234175, r234187, r234223,
r234271, r234272, r234282, r234307, r234309, r234382, r234384, r234456,
r234486, r234606, r234640, r234641, r234642, r234644, r234651, r235505,
r235506, r235535, r235605, r235606, r235826, r235991, r235993, r236168,
r236173, r236179, r236180, r236181, r236186, r236223, r236227, r236230,
r236252, r236254, r236298, r236299, r236300, r236301, r236397, r236398,
r236399, r236499, r236512, r236513, r236525, r236526, r236545, r236548,
r236553, r236554, r236556, r236557, r236561, r236570, r236630, r236672,
r236673, r236679, r236706, r236710, r236718, r237154, r237155, r237169,
r237314, r237363, r237364, r237368, r237369, r237376, r237440, r237442,
r237751, r237783, r237784, r237785, r237788, r237791, r238421, r238522,
r238523, r238524, r238525, r239173, r239186, r239644, r239652, r239661,
r239773, r240125, r240130, r240131, r240136, r240186, r240196, r240212.

I'd like to thank people who participated in early testing:

Tested by:	Florian Smeets <flo freebsd.org>
Tested by:	Chekaluk Vitaly <artemrts ukr.net>
Tested by:	Ben Wilber <ben desync.com>
Tested by:	Ian FREISLICH <ianf cloudseed.co.za>
2012-09-08 06:41:54 +00:00
Bjoern A. Zeeb bb4b19cae2 Fix the upper limit bounds checking for the "rtables" keyword by wrapping
it in a function to dynamically query the currently supported number
of FIBs by the kernel for FreeBSD.

Sponsored by:	Cisco Systems, Inc.
2012-02-03 13:54:25 +00:00
Robert Watson 460b3e8f1d Replace an OpenBSDism with a FreeBSDism in the pfctl(8) man page: we put
configuration file man pages in section 5, and we prefer rc.conf to
rc.conf.local.

MFC after:	3 days
2012-01-05 23:11:05 +00:00
Gleb Smirnoff f08535f872 Restore a feature that was present in 5.x and 6.x, and was cleared in
7.x, 8.x and 9.x with pf(4) imports: pfsync(4) should suppress CARP
preemption, while it is running its bulk update.

However, reimplement the feature in a more elegant manner, partially
inspired by newer OpenBSD:

- Rename term "suppression" to "demotion", to match with OpenBSD.
- Keep a global demotion factor, that can be raised by several
  conditions, for now these are:
  - interface goes down
  - carp(4) has problems with ip_output() or ip6_output()
  - pfsync performs bulk update
- Unlike in OpenBSD the demotion factor isn't a counter, but
  is actual value added to advskew. The adjustment values for
  particular error conditions are also configurable, and their
  defaults are maximum advskew value, so a single failure bumps
  demotion to maximum. This is for POLA compatibility, and should
  satisfy most users.
- Demotion factor is a writable sysctl, so user can do
  foot shooting, if he desires to.
2011-12-20 13:53:31 +00:00
Gleb Smirnoff df6faa4c5c - Fix examples to show new CARP style.
- Remove OpenBSDisms, add FreeBSDisms.
2011-12-20 13:32:56 +00:00
Bjoern A. Zeeb 5847215098 Correct the description of struct pfioc_state_kill.
PR:		kern/158997
Submitted by:	ohauer
2011-07-17 17:33:39 +00:00
David E. O'Brien cd2809fc68 Note the PF version.
Discussed with:	bz
2011-07-07 23:17:56 +00:00
Bjoern A. Zeeb e0bfbfce79 Update packet filter (pf) code to OpenBSD 4.5.
You need to update userland (world and ports) tools
to be in sync with the kernel.

Submitted by:	mlaier
Submitted by:	eri
2011-06-28 11:57:25 +00:00
Bjoern A. Zeeb 38a253506a Add a new option -P to suppress getservbyport(3) calls when printing rules.
This allows one to force consistent printing of numeric port numbers like
we do with -n for other tools like netstat (just that -n was already taken)
rather than the service names.

-P is currently unused in OpenBSD so the change is eligible for upstreaming.

PR:		misc/151015
Submitted by:	Matt Koivisto (mkoivisto sandvine.com)
Sponsored by:	Sandvine Incorporated
MFC after:	1 week
2011-06-13 20:11:28 +00:00
Christian S.J. Peron 1a28a37578 Enable closefrom(2) here, as we have supported it for some time now.
Discussed with:	mlaier
MFC after:	2 weeks
2010-08-05 18:49:06 +00:00
Xin LI dcc2b1ff46 Adapt OpenBSD pf's "sloppy" TCP state machine, which is useful for Direct
Server Return mode, where not all packets would be visible to the load
balancer or gateway.

This commit should be reverted when we merge future pf versions.  The
benefit it would provide is that this version does not break any existing
public interface and thus won't be a problem if we want to MFC it to
earlier FreeBSD releases.

Discussed with:	mlaier
Obtained from:	OpenBSD
Sponsored by:	iXsystems, Inc.
MFC after:	1 month
2009-12-24 00:43:44 +00:00
Max Laier 551100331f Flatten out the pf userland vendor area 2008-12-10 19:31:42 +00:00
Julian Elischer 30ab20975f Max's changes got left out of the MRT commit. 2008-05-09 23:53:01 +00:00
Max Laier 4239d24b98 Make ALTQ cope with disappearing interfaces (particularly common with mpd
and netgraph in general).  This also allows adding queues for an interface
that does not yet exist (you have to provide the bandwidth for the
interface, however).

PR:		kern/106400, kern/117827
MFC after:	2 weeks
2008-03-29 00:24:36 +00:00
Remko Lodder 90b87073e6 MFOpenBSD rev 1.393 pf.conf.5
do not describe `/' as solidus; from Allen (freebsd pr120484);

PR:		120484
Submitted by:	Allen <alandsidel at 1001islington dot com>
MFC After:	3 days
2008-02-11 21:09:34 +00:00
Max Laier 3765fc7d77 Update for libpcap 0.9.8 2007-10-16 02:12:06 +00:00
Max Laier e298b784dc Lost these during the import. Hand me the pointy hat.
Approved by:	re (implicit)
2007-07-03 14:08:49 +00:00
Max Laier 5ee7cd2107 Commit resolved import of OpenBSD 4.1 pf userland from perforce.
Approved by:	re (kensmith)
2007-07-03 12:30:03 +00:00
Max Laier 67ecd4f3a4 Import pf userland from OpenBSD 4.1 and (for ftp-proxy) libevent 1.3b as
a local lib.
2007-07-03 12:22:02 +00:00
Max Laier fc515400ab This commit was generated by cvs2svn to compensate for changes in r171169,
which included commits to RCS files with non-trunk default branches.
2007-07-03 12:22:02 +00:00
Remko Lodder ce7fce4055 Revert my previous change, add an MLINK from securelevel.7 to security.7
Discussed with:	brueffer
2007-06-01 21:33:21 +00:00
Remko Lodder 14ced2763a Change securelevel(7) to security(7). Yes, I am aware
that this is within the contrib directory.

PR:		docs/104402
Submitted by:	Dr. Markus Waldeck <waldeck at gmx dot de>

Discussed with:	mlaier
2007-06-01 21:09:11 +00:00
Daniel Hartmeier 6cde8a4235 From OpenBSD, rev. 1.379
Document how 'allow-opts' applies to routing headers in IPv6.

MFC after:	1 week
Discussed with:	mlaier
2007-05-21 20:12:35 +00:00
Max Laier e3ae39ac24 From OpenBSD, rev. 1.91:
fix servicecurve check; no point in checking the same sc three times, it
  was obviously intended to check all three. has been wrong since the
  beginning, 4 years... noticed by Earl Lapus <earl.lapus@gmail.com>, Vasil
  Dimov <vd@FreeBSD.org> mailed me then, ok mcbride

MFC after:	3 days
2006-11-30 18:55:36 +00:00