ipfsync is a WIP sync daemon designed to be used in a failover scenario.
It was removed by 5ee61c7daa. This commit
restores its three files. ipfsync is in my work queue.
(cherry picked from commit 08ab34a06a)
The work to ANSIfy and adjust returns to style(9) resulted in a mismerge
of a stash when ipfilter was moved from contrib to sbin. An older file
replaced WIP at the time, resulting in a regression.
The majority of this work was done in 2018 saved as git stashes within
a git-svn tree and migrated to the git tree. The regression occurred
when the various stashes were sequentially merged to create individual
commits, following the ipfilter move to netpfil and sbin.
Reported by: jrtc27
Fixes: 2582ae5740
Pointy hat to: cy
(cherry picked from commit a3522837b0)
Replace the INLINE macro with inline. Some ancient compilers supported
__inline__ instead of inline. The INLINE hack compensated for it.
Ancient compilers are history.
Reported by: glebius
(cherry picked from commit 9be9c1c084)
Convert ipfilter userland function declarations from K&R to ANSI. This
syncs our function declarations with NetBSD hg commit 75edcd7552a0
(apply our changes). Though not copied from NetBSD, this change was
partially inspired by NetBSD's work and inspired by style(9).
Reviewed by: glebius (for #network)
Differential Revision: https://reviews.freebsd.org/D33595
(cherry picked from commit efeb8bffe3)
Since the move of ipfilter from contrib to sbin adjusting the source path
is no longer required.
Fixes: 41edb306f0
(cherry picked from commit 7cb2d7c413)
Through fixes and improvements our ipfilter sources have diverged
enough to warrant move from contrib into sbin/ipf. Now that I'm
planning on implementing MSS clamping as in iptables it makes more
sense to move ipfilter to sbin.
This is the second of three commits of the ipfilter move.
Suggested by glebius on two occaions.
Suggested by and discussed with: glebius
Reviewed by: glebius, kp (for #network)
Differential Revision: https://reviews.freebsd.org/D33510
(cherry picked from commit 41edb306f0)
Through fixes and improvements our ipfilter sources have diverged
enough to warrant move from contrib into sys/netpil. Now that I'm
planning on implementing MSS clamping as in iptables it makes more
sense to move ipfilter to netpfil.
This is the first of three commits the ipfilter move.
Suggested by glebius on two occaions.
Suggested by and discussed with: glebius
Reviewed by: glebius, kp (for #network)
Differential Revision: https://reviews.freebsd.org/D33510
(cherry picked from commit 3b9b51fe46)
Under some INET/INET6 src.conf configurations sbin/route previously
failed to build due to an unused variable warning. It was functionally
write-only anyway, so just remove it.
Reported by: melifaro
Reviewed by: melifaro
MFC after: 3 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D33717
(cherry picked from commit c217390359)
(cherry picked from commit f567fcb2ff)
The "bg" option does not go background until the initial mount
attempt fails, which can take 60+ seconds.
This new "bgnow" option goes background immediately, avoiding
the 60+ second delay, if the NFS server is not yet available.
The man page update is a content change.
PR: 260764
(cherry picked from commit 08a8d16cbb)
Those can be returned by CHECK POWER MODE command (0xe5).
Note that some of the definitions duplicate definitions for Extended
Power Conditions.
(cherry picked from commit 75bc7150f4)
A quick grep through the kernel code shows network drivers compute the
changed bits of network capabilities after a SIOCSIFCAP IOCTL(2) by
using the bitwise exclusive or operation. When the set capabilities
are equal to the already read capabilities, no action will be taken.
Let ifconfig(8) predict this case and skip the SIOCSIFCAP IOCTL(2)
system call.
Discussed with: kib@ (revert change in case of issues)
Sponsored by: NVIDIA Networking
(cherry picked from commit ad8f078f66)
Move some needed binaries/libs from FreeBSD-utilities to FreeBSD_runtime.
This is everything needed to boot to multiuser with FreeBSD-rc installed.
MFC after: 2 weeks
Sponsored by: Beckhoff Automation GmbH & Co. KG
Differential Revision: https://reviews.freebsd.org/D33435
(cherry picked from commit 93c4369096)
There is no need to have it in runtime as it's not essential.
MFC after: 2 weeks
Sponsored by: Beckhoff Automation GmbH & Co. KG
(cherry picked from commit 0855e37c72)
when the fstab(5) entry for the filesystem has the "failok" attribute.
PR: 246201
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D33424
(cherry picked from commit c72372c693)
When we exposed the PFSYNCF_OK flag to userspace in 5f5bf88949 we
unintentionally caused defer mode to always be enabled.
The ioctl check only looked for nonzero, not for the PFSYNCF_DEFER flag.
Fix this check and ensure ifconfig sets the flag.
Reviewed by: glebius
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D33244
(cherry picked from commit 73fd0eaf59)
It does not build (and serves no purpose) if neither is true (i.e.,
building WITHOUT_INET and WITHOUT_INET6). Also add an explicit error
in ping to make this case clear.
PR: 260082
Sponsored by: The FreeBSD Foundation
(cherry picked from commit a4ef9e58bc)
OptionalObsoleteFiles: remove ping with INET & INET6 disabled
Reported by: kevans
Fixes: a4ef9e58bc ("sbin: build ping if at least one of...")
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 0179739a00)
ping uses a two-pass option parser. The first pass determines whether
ipv4 or ipv6 is desired, and the second parses the rest of the options.
But the first pass wrongly detects a '4' or '6' in an option's value as
a request to use ipv6 or ipv6 respectively, for example in an invocation
like "ping -c6 1.2.3.4".
Fix this confusion by including all options in the first round of
parsing, but ignoring those unrelated to ipv4/ipv6 selection.
PR: 258048
Reported by: ghuckriede@blackberry.com
Submitted by: ghuckriede@blackberry.com
MFC after: 2 weeks
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D32344
(cherry picked from commit 9ce201f2ee)
Add a postproc function for af_inet, and add interface flags as a
parameter. Check there if setting an address without a mask unless
the interface is loopback or point-to-point, where mask is not really
meaningful; warn if so. This will hopefully be an error in the future.
(cherry picked from commit d8237b9555)
Vinum is a Logical Volume Manager that was introduced in FreeBSD 3.0,
and for FreeBSD 5 was ported to geom(4) as gvinum. gvinum has had no
specific development at least as far back as 2010, and has a number of
known bugs which are unlikely to be resolved.
Add a deprecation notice to raise awareness but state that vinum "may
not be" available in FreeBSD 14. Either it will be removed and the
notice will be updated to "is not" available, or someone will step up
to fix issues and maintain it and we will remove the notice.
Reviewed by: imp (earlier version)
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D29424
(cherry picked from commit b218441ac0)
Allow users to set a number on rules which will be exposed as part of
the pflog header.
The intent behind this is to allow users to correlate rules across
updates (remember that pf rules continue to exist and match existing
states, even if they're removed from the active ruleset) and pflog.
Obtained from: pfSense
MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32750
(cherry picked from commit 76c5eecc34)
Revision 9e9be081d8 introduced a new devfs rule devfsrules_jail_vnet. It
includes rule devfsrules_jail which include other rules. Unfortunately
devfs could not recursively parse the action include and thus
devfsrules_jail_vnet will expose all nodes.
PR: 255660
Reviewed by: kp
Obtained from: Gijs Peskens <gijs@peskens.net>
MFC after: 3 weeks
Differential Revision: https://reviews.freebsd.org/D32814
(cherry picked from commit 7acd322ebe)
For some cloud/virtualization use cases it can be convenient to grow the
filesystem on boot any time the disk/partition happens to be larger, but
not fail if it remains the same size.
Continue to emit a message if we have no action to take, but exit with
status 0 if the size remains the same.
Reviewed by: trasz
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D32856
(cherry picked from commit 3f9acedb02)
I made a mistaking in merging the final commits for the devctl changes. This
adds the 'hushed' variable and has the correct dates for the manuals.
Pointy hat to: imp
(cherry picked from commit 80f21bb039)
Generate VT events when the bell beeps. When coupled with disabling the
bell,this allows custom bells to be rung when we'd otherwise beep.
Reviewed by: kevans
Differential Revision: https://reviews.freebsd.org/D32656
(cherry picked from commit 4ac3d08a96)
Patch the manpage to remove references to devq_openings and devq_queued.
Document the allocated tag that has been added in the same commit. The
relevant code change was committed as r271588
(959ec2581b) by mav@.
PR: 223651
Reported by: Bertrand Petit <bsdpr@phoe.frmug.org>
(cherry picked from commit d4cf7dc0df)
We used to expand the $nr macro in labels into the rule number prior to
the optimisation step. This would occasionally produce incorrect rule
numbers in the labels.
Delay all macro expansion until after the optimisation step to ensure
that we expand the correct values.
MFC after: 1 week
Reported by: Özkan KIRIK <ozkan.kirik@gmail.com>
Differential Revision: https://reviews.freebsd.org/D32488
(cherry picked from commit 09c7f23869)
Introduce a link to the ipfw command, dnctl, for dummynet configuration.
dnctl only handles dummynet configuration, and is part of the effort to
support dummynet in pf.
/sbin/ipfw continues to accept pipe, queue and sched commands, but these can
now also be issued via the new dnctl command.
Reviewed by: donner
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30465
(cherry picked from commit 0b95680e07)
795d78a467 pfctl: Don't use PRIu64 mistakenly changed these to be
printed as hexadecimal numbers.
Reported by: Florian Smeets
MFC after: 4 days
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 846a6e8f9a)
Rather than PRIu64 we can just treat the data as uintmax_t, and use %jx
instead.
MFC after: 1 week
Suggested by: kib
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 795d78a467)
Use PRIu64 to printf(3) uint64_t quantities, otherwise this will result
in "error: format specifies type 'unsigned long' but the argument has
type 'uint64_t' (aka 'unsigned long long') [-Werror,-Wformat]" on 32-bit
architectures.
Fixes: 80078d9d38
MFC after: 1 week
(cherry picked from commit 5b8f07b12f)
Rather than call DIOCGETSTATUS ourselves use the new libpfctl functions.
MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D31697
(cherry picked from commit 80078d9d38)
Since the conversion to the new DIOCKILLSTATESNV the kernel no longer
exists the id and creatorid to be big-endian.
As a result killing states by id (i.e. `pfctl -k id -k 12345`) no longer
worked.
Reported by: Özkan KIRIK
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit e59eff9ad3)
This allows the maximum value of 4294967295 (~4Gb/s) instead of previous
value of 2147483647 (~2Gb/s).
Reviewed by: np, scottl
Obtained from: pfSense
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31582
(cherry picked from commit 20ffd88ed5)
This can be useful for, e.g., unmounting filesystems that were needed
for shutdown.
Sponsored by: NetApp, Inc.
Sponsored by: Klara, Inc.
X-NetApp-PR: #63
(cherry picked from commit 4d15976919)
SO_RERROR indicates that receive buffer overflows should be handled as
errors. Historically receive buffer overflows have been ignored and
programs could not tell if they missed messages or messages had been
truncated because of overflows. Since programs historically do not
expect to get receive overflow errors, this behavior is not the
default.
This is really really important for programs that use route(4) to keep
in sync with the system. If we loose a message then we need to reload
the full system state, otherwise the behaviour from that point is
undefined and can lead to chasing bogus bug reports.
Reviewed by: philip (network), kbowling (transport), gbe (manpages)
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D26652
(cherry picked from commit 7045b1603b)
Commit 1e0a518d65 added a new NFS mount option "nconnect".
This patch adds information on this option to the man page.
It also adds an IMPLEMENTATION section that explains how
the default I/O size is determined and that "nfsstat -m" can
be used to find out what option settings are actually in use.
This is a content change.
(cherry picked from commit 4488c8c34b)
This allows the use of VLAN PCP in dhclient, which is required for
certain ISPs (such as Orange.fr).
Reviewed by: bcr (man page)
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31263
(cherry picked from commit 1e7fe2fbb9)
Support the 'match' keyword.
Note that support is limited to adding queuing information, so without
ALTQ support in the kernel setting match rules is pointless.
For the avoidance of doubt: this is NOT full support for the match
keyword as found in OpenBSD's pf. That could potentially be built on top
of this, but this commit is NOT that.
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31115
(cherry picked from commit ef950daa35)
These were all incorrectly labeled as 2-clause BSD licenses by a
semi-automated process, when in fact they are 3-clause.
Discussed with: pfg, imp
Sponsored by: Axcient
(cherry picked from commit 3874c0abb0)
Xen VMs get a simulated serial device meant for use as a console. Often
an xterm or other advanced terminal is used, so use xterm as the type.
Depending on configuration, FreeBSD on Xen for amd64 may instead use an
emulated serial port, but the virtual console may also be available.
Submitted by: Elliott Mitchell <ehem+freebsd@m5p.com>
Reviewed by: imp (slightly earlier version)
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D29873
(cherry picked from commit 2b2c460d7b)
The tty lists were already pretty similar and there hadn't been any real
need for them to remain distinct for some time. As such, merge to a
single file.
The RISC-V console is preserved. For systems where it doesn't exist, its
presence in /etc/ttys is harmless. The uncommented version of the
ttyv8/XDM line from ttys.amd64 was the one chosen.
Reviewed by: imp
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D30256
(cherry picked from commit c76616f496)
Back in the day, we used to have a number of entries that were either
'on' or 'off' directly, rather than conditionally on 'onifexists'
etc. Back then, we tried to line up the 'secure' columns by using the
construct 'on secure' or 'off secure' (one space or two). Now that these
have all moved to a conditional construct, remove the second space on
the ttys that still have it. This reduces diffs between the different
ttys and is no functional change. i386 and amd64 did this a long time
ago, and those are the only ones that affected external users (who used
to sed 's/on /off /' the entires as part of the automation).
MFC After: 3 days
Sponsored by: Netflix
(cherry picked from commit 36be84b966)
According to the spec: "If the value reported is 0h, then LBA format
is not supported / used or is not currently available".
MFC after: 1 week
(cherry picked from commit d379886a41)
Background checks are only allowed for mounted filesystems - don't try
to open the device for writing when performing a background check.
While here, remove a debugging printf that's commented out.
PR: 256746
Fixes: 5cc52631b3
Reviewed by: mckusick
Differential Revision: https://reviews.freebsd.org/D30880
(cherry picked from commit 0c5a59252c)
Beauty correction for verbose mode or in case we print multiple key
information to not continue with the next options directly after
as we did so far, e.g.:
AES-CCM 2:128-bit
AES-CCM 3:128-bit powersavemode ...
Sponsored by: The FreeBSD Foundation
Reviewed by: adrian
Differential Revision: https://reviews.freebsd.org/D29393
(cherry picked from commit 5ba4c8de15)
I wrote this code, not Intel, so put my copyright on this. I mistakenly
copied it for the initial commit.
Sponsored by: Netflix
(cherry picked from commit 6d6cca3633)
Report status from dword0 for passthru commands. Many commands report
some status or information here, so reporting it can help know what's
going on.
Sponsored by: Netflix
(cherry picked from commit 510a3da147)
The description of the power command is missing. While the synopsis is
present, there's no explanation. Add one.
Reviewed by: mav, chuck
PR: 237866
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D31122
(cherry picked from commit 445b5554bf)
The NFSv4 client now uses the highest minor version of NFSv4
by default instead of minor version 0, for NFSv4 mounts.
The "minorversion" mount option may be used to override this default.
This patch updates the man page to reflect this change. While here,
fix nfsstat(8) to be nfsstat(1).
(cherry picked from commit b413b03597)
The previous changes that added support for the coreutils -c option
modified the output generated by passing -r to match that of the
coreutils versions. The difference is that coreutils separates the
hash from the file name by two blanks " " (or a blank followed by
an asterisk " *" with the -b option denoting).
While most scripts or users will not notice the difference, it might
be considered a violation of POLA and this commit reverts the change
for the non-sum programs. These will print a single blank " " as the
separator, as they die before the previous commit.
In order to still generate output that is identical to that of the
coreutils programs, this commit generates the " " or " *" separator
used by them for the -sum versions, depending on the presence of the
-b option.
(cherry picked from commit b33d1898c1)
As for example pfctl -ss keeps calling it, it saves a lot of overhead
from elided parsing of /etc/nsswitch.conf and /etc/protocols.
Sample result when running a pre-nvlist binary with nfs root and dumping
7 mln states:
before: 24.817u 62.993s 1:28.52 99.1%
after: 8.064u 1.117s 0:18.87 48.5%
Idea by Jim Thompson
Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 858937bea4)
On macOS and Linux the current set of headers do not end up pulling in
sys/param.h, causing MAXPATHLEN to not be defined and the build to fail.
(cherry picked from commit cab31e0e21)
The -c option expects a digest file in either BSD or coreutils format.
The output for matched and mismatched files is identical to that
of the coreutils version.
The review of these changes included test cases that have already
been committed for the functionality that existed before.
Another test script is added to cover the coreutils compatible
extension implemented by this patch.
This commit contains a tests/Makefile that has been cleaned up
compared to the review version, using an implicit rule to apply the
TESTBASE path at build time (and the scripts have been renamed to
have an extension of .SH instead of .sh to trigger this rule).
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D30812
(cherry picked from commit 84f35b6f86)
(cherry picked from commit c2870e576b)
stdbool.h needs to be included to use type bool variables. Due to
namespace pollution, this gets brought in on FreeBSD, but not on
other systems. Include it explicilty.
Noticed by: arichards@
Sponsored by: Netflix
(cherry picked from commit d0ea5e467f)
On Linux, there's a similar set of programs to ours, but that end in the
letters 'sum'. These act basically like FreeBSD versions run with the -r
option. Add code so that when the program ends in 'sum' you get the
linux -r behavior. This is enough to make most things that use sha*sum
work correctly (the -c / --check options, as well as the long args are
not implemented). When running with the -sum programs, ignore -t instead
of running internal speed tests and make -c an error.
Reviewed by: sef, and kp and allanjude (earlier version)
Relnotes: yes
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D30309
(cherry picked from commit 086feed850)
While the correctness of the supported hash algorithms can be tested
with the built-in self-test feature, these test cases are meant to
detect changes in the output format.
A follow-up commit will improve the compatibility with the coreutils
versions of the hash programs, and these tests should detect any
unintended side-effects of such a change on existing functionality.
(cherry picked from commit 884fc5527a)
sbin/md5: Create /usr/tests/sbin/md5 directory for placing tests
(Fix by lwhsu (Li-Wen Hsu) to un-break "make distribute".)
(cherry picked from commit cb194afef5)
sbin/md5: fix test case to not write outside temp directory
The bsd-p-test did create files 1.out .. 8.out in the test directory.
This has been fixed and the temporary output files are now written
to the temporary directory.
(cherry picked from commit 95d3044bbd)
Sponsored by: The FreeBSD Foundation (commit cb194afef5 only)
Document the existing behavior, which is currently only available by
reading third party documentation or the source code itself.
PR: 254617
Submitted by: Oliver Kiddle
Differential Revision: https://reviews.freebsd.org/D30189
(cherry picked from commit c8250c5ada)
Boot environment datasets that contain spaces are not bootable.
When a user attempts to create a boot environment with a space, abort
the creation and print an error message.
PR: 254441
Reviewed by: allanjude
Differential Revision: https://reviews.freebsd.org/D30194
(cherry picked from commit 0e6549c874)
The segfault was being hit in ckfini() (sbin/fsck_ffs/fsutil.c) while
attempting to traverse the buffer cache. The tail queue used for the
buffer cache was not initialized before dropping into gjournal_check().
Initialize the buffer cache before calling gjournal_check().
PR: 245907
Reviewed by: jhb, mckusick
Differential Revision: https://reviews.freebsd.org/D30537
(cherry picked from commit 441e69e419)
Only print buffer cache debug message when a cache lookup has been done.
When running `fsck_ffs -d` on a gjournal'ed filesystem, it's possible
that totalreads is greater than zero when no cache lookup has been
done - causing a divide by zero. This commit fixes the following error:
Floating point exception (core dumped)
Reviewed by: mckusick
Differential Revision: https://reviews.freebsd.org/D30370
(cherry picked from commit 20123b25ee)
We used to have a bug where pfctl could crash setting fairq queues. Test
this case and ensure it does not crash pfctl.
Reviewed by: donner
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30348
(cherry picked from commit 9938fcaa65)
The following config could crash pfctl:
altq on igb0 fairq bandwidth 1Gb queue { qLink }
queue qLink fairq(default)
That happens because when we're parsing the parent queue (on igb0) it
doesn't have a parent, and the check in eval_pfqueue_fairq() checks
pa->parent rather than parent.
This was changed in eval_pfqueue_hfsc() in
1d34c9dac8, but not for fairq.
Reviewed by: pkelsey
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30346
(cherry picked from commit 26705a39e5)
Track (and display) the interface that created a state, even if it's a
floating state (and thus uses virtual interface 'all').
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30245
(cherry picked from commit d0fdf2b28f)
Migrate to using the new nvlist-based DIOCGETSTATESNV call to obtain the
states list.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30244
(cherry picked from commit bc94129147)
We failed to account for the FAIRQ scheduler in expand_altq(), which led
it to be set up without its parent queue.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30347
(cherry picked from commit dc78428796)
Fix some erronous lines in the example section.
PR: 248943
Submitted by: Jose Luis Duran
Reviewers: ae, manpages (gbe)
Differential Revision: https://reviews.freebsd.org/D30191
(cherry picked from commit 802637be06)
The argument parser does not recognise the optional port for an
"tablearg" argument. Fix simplifies the code by make the internal
representation expicit for the parser. Includes the fix from D30208.
PR: 252744
Reported by: <bugs.freebsd.org@mx.zzux.com>
Approved by: nc
Tested by: <bugs.freebsd.org@mx.zzux.com>
Differential Revision: https://reviews.freebsd.org/D30164
(cherry picked from commit 6cb13813ca)
(cherry picked from commit f6f297871d)
This allows us to kill states created from a rule with route-to/reply-to
set. This is particularly useful in multi-wan setups, where one of the
WAN links goes down.
Submitted by: Steven Brown
Obtained from: https://github.com/pfsense/FreeBSD-src/pull/11/
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30058
(cherry picked from commit abbcba9cf5)
When showing the states, in very verbose mode, also display the gateway
(i.e. the target for route-to/reply-to).
Submitted by: Steven Brown
Reviewed by: donner
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30051
(cherry picked from commit cc948296e6)
Usually rule counters are reset to zero on every update of the ruleset.
With keepcounters set pf will attempt to find matching rules between old
and new rulesets and preserve the rule counters.
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29780
(cherry picked from commit 42ec75f83a)
MAP-E (RFC 7597) requires special care for selecting source ports
in NAT operation on the Customer Edge because a part of bits of the port
numbers are used by the Border Relay to distinguish another side of the
IPv4-over-IPv6 tunnel.
PR: 254577
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D29468
(cherry picked from commit 2aa21096c7)
Add 'syncok' field to ifconfig's pfsync interface output. This allows
userspace to figure out when pfsync has completed the initial bulk
import.
Reviewed by: donner
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29948
(cherry picked from commit 5f5bf88949)
Allow up to 5 labels to be set on each rule.
This offers more flexibility in using labels. For example, it replaces
the customer 'schedule' keyword used by pfSense to terminate states
according to a schedule.
Reviewed by: glebius
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29936
(cherry picked from commit 6fcc8e042a)
The coldsync port was removed in 2012. The last stable release of
coldsync was issued in 2002. Let's get rid of it.
PR: 255051
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D30100
(cherry picked from commit 1a212abd54)
ipfw -[tT] prints statistics of the last access. If the rule was never
used, the counter might be not exist. This happens unconditionally on
inserting a new rule. Avoid printing statistics in this case.
PR: 255491
Reported by: Haisheng Zhouz
Reviewed by: ae
Differential Revision: https://reviews.freebsd.org/D30046
(cherry picked from commit bf7cc0f9cb)
After the migration to libpfctl for rule retrieval we accidentally lost
support for clearing the rules counters.
Introduce a get_clear variant of pfctl_get_rule() which allows rules
counters to be cleared.
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29727
(cherry picked from commit 4eabfe468b)
Introduce pfctl_pool to be able to extend the pool part of the pf rule
without breaking the ABI.
Reviewed by: kp
MFC after: 4 weeks
Differential Revision: https://reviews.freebsd.org/D29721
(cherry picked from commit 600bd6ce06)
struct pf_rule had a few counter_u64_t counters. Those couldn't be
usefully comminicated with userspace, so the fields were doubled up in
uint64_t u_* versions.
Now that we use struct pfctl_rule (i.e. a fully userspace version) we
can safely change the structure and remove this wart.
Reviewed by: glebius
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29645
(cherry picked from commit ab5707a5cf)
Stop using the kernel's struct pf_rule, switch to libpfctl's pfctl_rule.
Now that we use nvlists to communicate with the kernel these structures
can be fully decoupled.
Reviewed by: glebius
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29644
(cherry picked from commit e9eb09414a)
These functions no longer exist in the kernel, so there's no reason to
keep the prototypes in a kernel header. Move them to pfctl where they're
actually implemented.
Reviewed by: glebius
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29643
(cherry picked from commit a9b338b260)
Create wrapper functions to handle the parsing of the nvlist and move
that code into pfctl_ioctl.c.
At some point this should be moved into a libpfctl.
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29560
(cherry picked from commit 0d6c8174ef)
Start using the new nvlist based ioctl to add rules.
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29558
(cherry picked from commit 5c11c5a365)