♟ kp

pf: export expiration time as time_t

pfctl: refactor 'rule_numbers' variable

pf tests: basic 'once' test

pf tests: test once rule inside an anchor

pfctl: print once shot rule expiration time

pfctl: fix anchor handling for nat/rdr/binat anchors

pfctl.8/pf.conf.5: Improve "once" bits

pf: simplify expiration of 'once' rules.

pfctl: reduce duplicate code

pfctl: fix once rules

pf: print 'once' rule expire time

pfctl: deny "once" flags for match rules

pf.conf.5: Document a "once" filter option used to create one shot rules.

pfctl tests: basic 'once' rule test

pf: support one shot rules

pfctl: One shot rules can be used in pf.conf by specifying a "once" filter…

pf: fix rules_counter:keepcounters test

pf: pass pre-NAT addresses to dummynet

pf: check if a group has a kif before dereferencing it

pf: fix rules_counter:keepcounters test

pf.conf.5: rephrase macro section

pfctl.8: -z honours -a (reset rule stats per anchor)

pf: allows TCP RST packets in the backwards window if ACK matches

pf tests: test set limit

pf: set limits before rules

pf: Count m_gethdr() failures in PFRES_MEMORY counter

pfctl.8: omit preceding flag from command/modifier lists to get tags

pf tests: declare a table inside an anchor

pfctl: allow tables to be defined inside anchors

ifconfig: also fix removing IPv6 addresses without netlink

pf tests: verify rule numbers in pflog output

pfctl: remove prototypes with no matching function

pf: sync_ifp doesn't exist, remove externs

pfctl: ctime(3) and ctime_r(3) can fail when timestamps are way off.

pf tests: test fragment counters

pf: Show pf fragment reassembly counters.

pf.conf.5: hint how to set tcp timeout collectively

pfctl: add af-to and other missing action types in print_rule()

pfctl: fix anchortypes bounds test

pf.conf.5: document tcp.tsdiff

pf: fix possible pd->pcksum NULL deref

if_ovpn tests: skip float and linklocal test on < 2.7

ifconfig: also fix removing IPv6 addresses without netlink

pf tests: test state killing by source and destination address

pfctl: fix killing state by source and destination address

pf tests: recusrive table printing test

pfctl: support recusive printing of tables

pfctl: Use pfctl_fopen

pf: Remove dead code in pf_pull_hdr().

libifconfig and libpfctl look fine to me.

net/libpfctl: add 15.0 tarball

sys/netinet6: Fix SLAAC for interfaces with no /64 LL address

pf: fix possible pd->pcksum NULL deref

pf tests: sctp:pfsync robustness improvement

if_ovpn tests: skip float and linklocal test on < 2.7

pf: fix struct pf_krule_global leak

pf: free struct pf_krule_global with pf_rule_tree_free()

pf: fix memory leak in legacy getstate calls

pf(4) when doing af-to translation for ICMP protocol sends packets

pf: remove unused variables

pf: Introduce M_PF type for pf(4) related memory allocations.

pfctl: Rewrite some ugly for loops

pf: should be enforcing TTL=1 to packets sent to 224.0.0.1 only.

pf: fix ICMP type/code representation

In D52234#1193199, @guest-svmhdvn wrote:

Instead of skipping these and keeping around lots of code to check the ovpn version, why not just temporarily xfail them like I've done in the attached patch of https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=289150? That way, once Ports contains ovpn>=2.7, these tests will automatically start failing again with the message "failed: expected failure, but none found". We can remove the xfails promptly afterwards.

Also not something that must be done in this commit, but we should modify sbin/ifconfig to the new functions. That'll remove a little more code from ifconfig and it'll mean we test this code (as part of any test that runs ifconfig foo up).

The commit message needs to answer the "Why?".
Why are we bypassing the reference counting?

pfctl.8: small cleanups

pf: rewrite the pf_state_peer_ntoh and pf_state_peer_hton macros as functions.

pf: remove duplicate struct definition

syslogd: EAGAIN and ECONNREFUSED are not permanently fatal

pfctl: zero the number of added/deleted addresses

pf: fix potential infinite loop adding/deleting addresses in tables

Looks good, other than these minor remarks.

A quick pfctl test case for the parser changes (i.e. just a simple prefer-ipv6-nexthop route-to line) would be nice to have too.

if_ovpn: support IPv6 link-local addresses

if_ovpn tests: basic float test case

if_ovpn: support floating clients

kp (Kristof Provost)
Troubleshooter

Projects (6)
View All

User Details

Recent Activity
View All

Today

Yesterday

Fri, Sep 19

Thu, Sep 18

Wed, Sep 17

Mon, Sep 15

Sat, Sep 13

Fri, Sep 12

Wed, Sep 10

Sun, Sep 7

Sat, Sep 6

Fri, Sep 5

Thu, Sep 4

Wed, Sep 3

Tue, Sep 2

Fri, Aug 29

Thu, Aug 28

Wed, Aug 27

Aug 26 2025

Aug 25 2025

Aug 22 2025

Aug 20 2025

Aug 18 2025

Aug 14 2025

Aug 13 2025

kp (Kristof Provost)Troubleshooter

Projects (6)View All