1. 24 Sep, 2021 1 commit
  2. 17 Jul, 2021 1 commit
  3. 19 Apr, 2021 1 commit
  4. 13 Apr, 2021 1 commit
  5. 06 Mar, 2021 1 commit
  6. 18 Aug, 2020 1 commit
  7. 11 May, 2020 1 commit
    • pf: Don't allocate per-table entry counters unless required. · 21121f9b
      Mark Johnston authored
      pf by default does not do per-table address accounting unless the
      "counters" keyword is specified in the corresponding pf.conf table
      definition.  Yet, we always allocate 12 per-CPU counters per table.  For
      large tables this carries a lot of overhead, so only allocate counters
      when they will actually be used.
      
      A further enhancement might be to use a dedicated UMA zone to allocate
      counter arrays for table entries, since close to half of the structure
      size comes from counter pointers.  A related issue is the cost of
      zeroing counters, since counter_u64_zero() calls smp_rendezvous() on
      some architectures.
      
      Reported by:	loos, Jim Pingle <jimp@netgate.com>
      Reviewed by:	kp
      MFC after:	2 weeks
      Sponsored by:	Rubicon Communications, LLC (Netgate)
      Differential Revision:	https://reviews.freebsd.org/D24803
  8. 08 Dec, 2019 1 commit
  9. 12 Mar, 2019 1 commit
    • Extend descriptions and comments about the need to create /etc/pf.conf. · 1b35da5a
      Benedict Reuschling authored
      FreeBSD removed the default /etc/pf.conf file in previous releases, but
      the documentation kept mentioning it like any other file present in the
      system.  Change pf.conf(5) to mention in the description of the default
      ruleset location that this file needs to be created manually. Also, the
      default rc.conf file had its comment extended a bit to let people know
      that this file does not exist by default.
      
      PR:		    231977
      Submitted by:	    koobs@
      Reviewed by:	    kp@, 0mp@
      Approved by:	    kp@
      MFC after:	    10 days
      Differential Revision:	https://reviews.freebsd.org/D19530
  10. 05 Jan, 2019 1 commit
  11. 28 Oct, 2018 1 commit
  12. 22 Jun, 2018 1 commit
    • pf: Support "return" statements in passing rules when they fail. · 150182e3
      Kristof Provost authored
      Normally pf rules are expected to do one of two things: pass the traffic or
      block it. Blocking can be silent - "drop", or loud - "return", "return-rst",
      "return-icmp". Yet there is a 3rd category of traffic passing through pf:
      Packets matching a "pass" rule but when applying the rule fails. This happens
      when redirection table is empty or when src node or state creation fails. Such
      rules always fail silently without notifying the sender.
      
      Allow users to configure this behaviour too, so that pf returns an error packet
      in these cases.
      
      PR:		226850
      Submitted by:	Kajetan Staszkiewicz <vegeta tuxpowered.net>
      MFC after:	1 week
      Sponsored by:	InnoGames GmbH
  13. 13 Oct, 2016 1 commit
  14. 04 Oct, 2016 1 commit
    • pf: remove fastroute tag · 813196a1
      Kristof Provost authored
      The tag fastroute came from ipf and was removed in OpenBSD in 2011. The code
      allows to skip the in pfil hooks and completely removes the out pfil invoke,
      albeit looking up a route that the IP stack will likely find on its own.
      The code between IPv4 and IPv6 is also inconsistent and marked as "XXX"
      for years.
      
      Submitted by:	Franco Fichtner <franco@opnsense.org>
      Differential Revision:	https://reviews.freebsd.org/D8058
  15. 17 Jun, 2016 1 commit
  16. 27 Aug, 2015 1 commit
    • pf: Remove support for 'scrub fragment crop|drop-ovl' · 64b3b4d6
      Kristof Provost authored
      The crop/drop-ovl fragment scrub modes are not very useful and likely to confuse
      users into making poor choices.
      It's also a fairly large amount of complex code, so just remove the support
      altogether.
      
      Users who have 'scrub fragment crop|drop-ovl' in their pf configuration will be
      implicitly converted to 'scrub fragment reassemble'.
      
      Reviewed by:	gnn, eri
      Relnotes:	yes
      Differential Revision:	https://reviews.freebsd.org/D3466
  17. 25 Jul, 2015 1 commit
  18. 21 Dec, 2014 1 commit
  19. 30 Jul, 2014 1 commit
  20. 15 Jun, 2014 1 commit
  21. 13 May, 2013 1 commit
  22. 14 Sep, 2012 1 commit
    • o Create directory sys/netpfil, where all packet filters should · 3b3a8eb9
      Gleb Smirnoff authored
        reside, and move there ipfw(4) and pf(4).
      
      o Move most modified parts of pf out of contrib.
      
      Actual movements:
      
      sys/contrib/pf/net/*.c		-> sys/netpfil/pf/
      sys/contrib/pf/net/*.h		-> sys/net/
      contrib/pf/pfctl/*.c		-> sbin/pfctl
      contrib/pf/pfctl/*.h		-> sbin/pfctl
      contrib/pf/pfctl/pfctl.8	-> sbin/pfctl
      contrib/pf/pfctl/*.4		-> share/man/man4
      contrib/pf/pfctl/*.5		-> share/man/man5
      
      sys/netinet/ipfw		-> sys/netpfil/ipfw
      
      The arguable movement is pf/net/*.h -> sys/net. There are
      future plans to refactor pf includes, so I decided not to
      break things twice.
      
      Not modified bits of pf left in contrib: authpf, ftp-proxy,
      tftp-proxy, pflogd.
      
      The ipfw(4) movement is planned to be merged to stable/9,
      to make head and stable match.
      
      Discussed with:		bz, luigi
  23. 08 Sep, 2012 1 commit
    • Merge the projects/pf/head branch, that was worked on for last six months, · d6d3f01e
      Gleb Smirnoff authored
      into head. The most significant achievements in the new code:
      
       o Fine grained locking, thus much better performance.
       o Fixes to many problems in pf, that were specific to FreeBSD port.
      
      New code doesn't have that many ifdefs and much less OpenBSDisms, thus
      is more attractive to our developers.
      
        Those interested in details, can browse through SVN log of the
      projects/pf/head branch. And for reference, here is exact list of
      revisions merged:
      
      I'd like to thank people who participated in early testing:
      
      Tested by:	Florian Smeets <flo freebsd.org>
      Tested by:	Chekaluk Vitaly <artemrts ukr.net>
      Tested by:	Ben Wilber <ben desync.com>
      Tested by:	Ian FREISLICH <ianf cloudseed.co.za>
  24. 29 Jun, 2012 1 commit
  25. 28 May, 2012 1 commit
  26. 19 Oct, 2010 1 commit
  27. 10 Mar, 2010 1 commit
  28. 23 Jan, 2010 1 commit
    • MFC r200930: · bd277cec
      Xin LI authored
      Adapt OpenBSD pf's "sloppy" TCP state machine which is useful for Direct
      Server Return mode, where not all packets would be visible to the load
      balancer or gateway.
      
      This commit should be reverted when we merge future pf versions.  The
      benefit it would provide is that this version does not break any existing
      public interface and thus won't be a problem if we want to MFC it to
      earlier FreeBSD releases.
      
      Discussed with:	mlaier
      Obtained from:	OpenBSD
      Sponsored by:	iXsystems, Inc.
  29. 24 Dec, 2009 1 commit
    • Adapt OpenBSD pf's "sloppy" TCP state machine which is useful for Direct · dcc2b1ff
      Xin LI authored
      Server Return mode, where not all packets would be visible to the load
      balancer or gateway.
      
      This commit should be reverted when we merge future pf versions.  The
      benefit it would provide is that this version does not break any existing
      public interface and thus won't be a problem if we want to MFC it to
      earlier FreeBSD releases.
      
      Discussed with:	mlaier
      Obtained from:	OpenBSD
      Sponsored by:	iXsystems, Inc.
      MFC after:	1 month
  30. 10 Dec, 2008 1 commit
  31. 19 Oct, 2008 1 commit
  32. 11 Feb, 2008 1 commit
    • MFOpenBSD rev 1.393 pf.conf.5 · 90b87073
      Remko Lodder authored
        do not describe `/' as solidus; from Allen (freebsd pr120484);
      
      PR:		120484
      Submitted by:	Allen <alandsidel at 1001islington dot com>
      MFC After:	3 days
  33. 03 Jul, 2007 2 commits
  34. 01 Jun, 2007 2 commits
  35. 21 May, 2007 1 commit
  36. 30 Oct, 2006 1 commit
  37. 28 Sep, 2005 1 commit
  38. 03 May, 2005 1 commit