pfctl: clear statistic for specified addresses

OK: bluhm@

This change allows user to define table inside the anchor like that:
anchor foo {
table <bar> { 192.168.1.1 }
pass in from <bar> to <self>
}
Without this diff one must either create table <bar>

This change allows user to define table inside the anchor like that:
anchor foo {
table <bar> { 192.168.1.1 }
pass in from <bar> to <self>
}
Without this diff one must either create table <bar> in main
ruleset (root) or use 'pfctl -a foo -t bar -T add 192.168.1.1'
This glitch is hard to notice. Not many human admins try to attach
tables to non-global anchors. Deamons which configure pf(4) automatically
at run time such as relayd(8) and spamd(8) create tables attached to
thair anchors (for example 'relayd/*') but the deamons use way similar
to pfctl(8) to add and manage those tables.

The reason why I'd like to seal this gap is that my long term goal
is to turn global `pfr_ktable` in pf(4) into member of pf_anchor.
So each ruleset will get its own tree of tables.

feedback and OK bluhm@

show more ...

remove prototypes with no matching function

Do the actual pfr_strerror() to pf_strerror() rename

Missed in previous

Enable pfctl(8) to recursively flush rules and tables from PF driver. The
recursive operation ("pfctl -a '*' ...") works for '-s' option already. This
change enables the same thing for '-F' option,

Enable pfctl(8) to recursively flush rules and tables from PF driver. The
recursive operation ("pfctl -a '*' ...") works for '-s' option already. This
change enables the same thing for '-F' option, so "pfctl -a '*' -Fa" will flush
everything from PF driver.

The idea was discussed with many on tech@ in spring 2019.

OK kn@

show more ...

When creating tables inside anchors, pfctl warned about namespace
collisions with global tables, but only in certain cases and with
limited information sometimes leaving users clueless.

Deferring th

When creating tables inside anchors, pfctl warned about namespace
collisions with global tables, but only in certain cases and with
limited information sometimes leaving users clueless.

Deferring the check to process_tabledefs() where tables are eventually
created, both anchor and table name are known which allows for checking
all existing anchors.

With this, warn on all duplicates even in dry-runs (`-n') and print
quoted names so they can be copied to fix configurations right away.

No functional change in parsing or ruleset production.

Discussed with and OK sashan

show more ...

Error out on missing table command, zap internal wrapper function

Table name and table command require each other as reflected in the
synopsis [-t table -T command [address ...]], so print usage and

Error out on missing table command, zap internal wrapper function

Table name and table command require each other as reflected in the
synopsis [-t table -T command [address ...]], so print usage and exit if
only one of them is given.

By moving the inter-dependence check right after option parsing is done,
we can bail out even before opening pf(4) and drop the internal wrapper
pfctl_command_tables() as unneeded indirection with now duplicate checks.

OK sashan

show more ...

Zap unused segment struct definition

There since import and last used by ALTQ which henning removed in 2004.

OK sashan

Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan

show more ...

Move duplicate code into new helper print_addr_str()

This simply puts the wiggle around inet_ntop() from four into one location.

OK benno

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@

sbin/pfctl: void functions and exit(3) on error

Changes:
voided:
- pfctl_clear_tables
- pfctl_show_tables
- pfctl_show_ifaces

Those functions now exit(3) in case of error instead
of passing

sbin/pfctl: void functions and exit(3) on error

Changes:
voided:
- pfctl_clear_tables
- pfctl_show_tables
- pfctl_show_ifaces

Those functions now exit(3) in case of error instead
of passing it up to the callers (where it was ignored).

OK mikeb@, sashan@

show more ...

DEFAULT_PRIORITY and DEFAULT_QLIMIT no longer used

remove altq bits here, too
(i was convinced i committed that yesterday already, hrm)

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen

New attempt to make the -P flag work with -ss, so that states can be
printed with port names if desired.

tcpdump's pf_print_state.c has diverged significantly from pfctl's, so
the change to tcpdump'

New attempt to make the -P flag work with -ss, so that states can be
printed with port names if desired.

tcpdump's pf_print_state.c has diverged significantly from pfctl's, so
the change to tcpdump's pf_print_state.c is not exactly the same as
pfctl's.

ok henning sthen

show more ...

revert previous, breaks tcpdump
spotted by jmc@

Make the -P flag work with -ss, so that states can be printed with port
names if desired.

ok henning

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with a some minor cleanup.
ok henning claudio deraadt

The ioctl to show states returns a pfsync_state which is in network byte
order and therefore a ntohs is needed to show the rdomain correctly.
OK henning@ dlg@

remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving ancors aside) is wrong and
conflicts with the general idea of how pf works. last not least it breaks
with the optimizer generat

remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving ancors aside) is wrong and
conflicts with the general idea of how pf works. last not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc

show more ...

rtables are stacked on rdomains (it is possible to have multiple routing
tables on top of a rdomain) but until now our code was a crazy mix so that
it was impossible to correctly use rtables in that

rtables are stacked on rdomains (it is possible to have multiple routing
tables on top of a rdomain) but until now our code was a crazy mix so that
it was impossible to correctly use rtables in that case. Additionally pf(4)
only knows about rtables and not about rdomains. This is especially bad when
tracking (possibly conflicting) states in various domains.
This diff fixes all or most of these issues. It adds a lookup function to
get the rdomain id based on a rtable id. Makes pf understand rdomains and
allows pf to move packets between rdomains (it is similar to NAT).
Because pf states now track the rdomain id as well it is necessary to modify
the pfsync wire format. So old and new systems will not sync up.
A lot of help by dlg@, tested by sthen@, jsg@ and probably more
OK dlg@, mpf@, deraadt@

show more ...

Second half of PF state table rearrangement.
- Mechanical change: Use arrays for state key pointers in pf_state, and
addr/port in pf_state_key, to allow the use of indexes.
- Fix NAT, pfsync, pfctl

Second half of PF state table rearrangement.
- Mechanical change: Use arrays for state key pointers in pf_state, and
addr/port in pf_state_key, to allow the use of indexes.
- Fix NAT, pfsync, pfctl, and tcpdump to handle the new state structures.
In struct pfsync_state, both state keys are included even when identical.
- Also fix some bugs discovered in the existing code during testing.
(in particular, "block return" for TCP packets was not returning an RST)

ok henning beck deraadt
tested by otto dlg beck laurent

Special thanks to users Manuel Pata and Emilio Perea who did enough testing
to actually find some bugs.

show more ...

remove unused functions

from tobias@

ok mcbride@ tobias@

Cope with new ioctl interface (use pfsync_state instead of pf_state)

ok henning@ toby@ pyr@