History log of /openbsd-src/sbin/pfctl/pfctl_optimize.c (Results 1 – 25 of 50)
Revision Date Author Comments
# 30269bc3 14-Jul-2024 sashan <sashan@openbsd.org>

This change allows user to define table inside the anchor like that:
anchor foo {
table <bar> { 192.168.1.1 }
pass in from <bar> to <self>
}
Without this diff one must either create table <bar> in main
ruleset (root) or use 'pfctl -a foo -t bar -T add 192.168.1.1'
This glitch is hard to notice. Not many human admins try to attach
tables to non-global anchors. Daemons which configure pf(4) automatically
at run time such as relayd(8) and spamd(8) create tables attached to
their anchors (for example 'relayd/*') but the daemons use a way similar
to pfctl(8) to add and manage those tables.

The reason why I'd like to seal this gap is that my long term goal
is to turn global `pfr_ktable` in pf(4) into member of pf_anchor.
So each ruleset will get its own tree of tables.

feedback and OK bluhm@



# 7401c119 28-Jan-2022 guenther <guenther@openbsd.org>

When it's the possessive of 'it', it's spelled "its", without the
apostrophe.


# e4e00973 16-Jan-2022 naddy <naddy@openbsd.org>

pfctl: fix -Wunused-but-set-variable warning

ok dlg@ guenther@


# 9c6ad19b 21-Jul-2020 henning <henning@openbsd.org>

rename PF_OPT_TABLE_PREFIX to PF_OPTIMIZER_TABLE_PFX and move it to pfvar.h
OPT is misleading and usually refers to command line arguments to pfctl
ok sashan kn


# c8d5c234 28-Jan-2020 bket <bket@openbsd.org>

sbin/pfctl: replace TAILQ concatenation loop with TAILQ_CONCAT

OK kn@, sashan@, florian@


# c802a0d9 15-Jan-2020 kn <kn@openbsd.org>

Do the actual pfr_strerror() to pf_strerror() rename

Missed in previous


# e5c92015 15-Jan-2020 kn <kn@openbsd.org>

Unify error message for nonexisting anchors

pf(4) returns EINVAL for DIOCGETRULE, DIOCGETRULES and DIOCGETRULESET if
the specified anchor does not exist.

Extend and rename {pfr -> pf}_strerror() to make error message more
consistent.

There are other occasions as well but those need additional tweaks;
that's stuff for another diff.

OK and rename from sashan



# 757f1589 12-Dec-2019 kn <kn@openbsd.org>

Avoid optimizing empty rulesets

All optimizations work on actual rules; if there are none, return early.

While here, tell which ruleset/anchor is being optimized to make the debug
message actually useful.

OK mikeb



# df69c215 28-Jun-2019 deraadt <deraadt@openbsd.org>

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.



# f9850734 07-Mar-2019 kn <kn@openbsd.org>

Remove pfctl_*_pool() remnants

Left behind in pfctl_parser.h revision 1.91
"First pass at removing the 'pf_pool' mechanism [...]"

These functions don't exist anymore, no object change.

OK procter


# 39a868ff 03-Jan-2019 kn <kn@openbsd.org>

Unbreak build under OPT_DEBUG

In r1.39 I removed the `af' parameter from `unmask()' but accidentally zapped
the macro's closing parenthesis.

Since DEBUG() is needlessly under an OPT_DEBUG guard, this was not
affecting normal builds.

Add the missing ')' and remove the ifdef.

OK sashan



# f0bb6ca5 06-Sep-2018 kn <kn@openbsd.org>

Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan



# 43d70b83 25-Nov-2017 sashan <sashan@openbsd.org>

- patching use-after-free and innocent memory leak in pfctl_optimize.c

OK bluhm@


# a2fcc045 25-Nov-2017 sashan <sashan@openbsd.org>

- pfctl rule optimizer: anchor name vs. anchor path mix up

OK bluhm@


# 5359fb47 03-Aug-2016 krw <krw@openbsd.org>

A couple of "a->blah == a->blah" -> "a->blah == b->blah".

Spotted by the Echelon team with AppChecker static analyzer.

ok sashan@


# 68928c43 21-Jan-2015 deraadt <deraadt@openbsd.org>

Include <netinet/in.h> before <net/pfvar.h>. In a future change when
ports is ready, <net/pfvar.h> will stop including a pile of baloney.


# abcbcc4d 13-Sep-2014 doug <doug@openbsd.org>

Replace all queue *_END macro calls except CIRCLEQ_END with NULL.

CIRCLEQ_* is deprecated and not called in the tree. The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END. They are
defined as NULL. There's no reason to keep the other *_END macro calls.

ok millert@



# 025f5691 22-Nov-2013 deraadt <deraadt@openbsd.org>

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


# 2e450613 19-Oct-2012 henning <henning@openbsd.org>

rtableid must be BREAK instead of MERGE, otherwise the optimizer might
reorder rules incorrectly, i. e.:
pass rtable 2
pass from 10/16 rtable 0
pass from 10.1/16 rtable 1

so with this ruleset a packet from 10/16 will end up in rtable 0.
now let's see what pfctl makes out of it, with default optimization:

<brahe@tachi> pfctl $ pfctl -nvf t.conf
pass inet from 10.0.0.0/16 to any flags S/SA rtable 0
pass inet from 10.1.0.0/16 to any flags S/SA rtable 1
pass all flags S/SA rtable 2

OUPS! a packet from 10/16 will end up in rtable 2 now.

found by phessler, fix by yours truly, from EuroBSDcon
ok beck phessler benno mikeb sthen


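As an added example, not part of the commit above or of the pfctl sources, a small Python model of pf's last-matching-rule evaluation for the three rules quoted in that message; `superblocks()` is a simplified stand-in for the optimizer's split into superblocks by BREAK fields, showing why a differing rtable must pin the relative order.

```python
import ipaddress

# Constructed model of the three rules from the commit message (not pfctl's
# own data structures): a source prefix, or None for "any", plus rtable.
ORIGINAL = [
    {"src": None, "rtable": 2},            # pass rtable 2
    {"src": "10.0.0.0/16", "rtable": 0},   # pass from 10/16 rtable 0
    {"src": "10.1.0.0/16", "rtable": 1},   # pass from 10.1/16 rtable 1
]
# The order pfctl -nvf printed while rtableid was a MERGE field.
REORDERED = [ORIGINAL[1], ORIGINAL[2], ORIGINAL[0]]


def matches(rule, src):
    if rule["src"] is None:
        return True
    return ipaddress.ip_address(src) in ipaddress.ip_network(rule["src"])


def lookup_rtable(rules, src):
    """pf semantics: without 'quick', the last matching rule decides."""
    chosen = None
    for rule in rules:
        if matches(rule, src):
            chosen = rule
    return None if chosen is None else chosen["rtable"]


def changed_results(before, after, samples):
    """Sample sources whose routing table differs between the two orders."""
    return [s for s in samples
            if lookup_rtable(before, s) != lookup_rtable(after, s)]


def superblocks(rules, break_fields):
    """Group consecutive rules that agree on every BREAK field.

    Simplified stand-in for the optimizer's superblock split: rules may
    only be reordered within one group.  With rtable absent from
    break_fields (i.e. treated as MERGE) all three rules share one group
    and the unsafe reordering above becomes possible.
    """
    groups = []
    for rule in rules:
        key = tuple(rule[f] for f in break_fields)
        if groups and groups[-1][0] == key:
            groups[-1][1].append(rule)
        else:
            groups.append((key, [rule]))
    return [members for _, members in groups]
```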

# 4a16887b 19-Dec-2011 mikeb <mikeb@openbsd.org>

unbreak rule optimizer; ok henning, looks


# ad85696e 23-Nov-2011 henning <henning@openbsd.org>

print ports as numbers by default; -P prints names instead
2/2 from Lawrence Teo <lteo at devio dot us>
ok sthen dlg and myself


# cbdc262e 27-Jul-2011 mcbride <mcbride@openbsd.org>

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt


# 04c69899 07-Jul-2011 mcbride <mcbride@openbsd.org>

Fold pf_test_fragment() into pf_test_rule(), reduces code and fixes
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus



# bcb11948 03-Jul-2011 zinke <zinke@openbsd.org>

bring in least-states load balancing algorithm

ok mcbride@ henning@


# 9e70289e 06-Apr-2011 claudio <claudio@openbsd.org>

Userland bits to allow PF to filter on the rdomain a packet belongs to.
This allows writing rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@

