pf: Introduce ridentifier
ClosedPublic

Authored by kp on Oct 30 2021, 9:53 AM.

Details

Summary

Allow users to set a number on rules which will be exposed as part of
the pflog header.
The intent behind this is to allow users to correlate rules across
updates (remember that pf rules continue to exist and match existing
states, even if they're removed from the active ruleset) and pflog.

Obtained from: pfSense
MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

kp requested review of this revision. Oct 30 2021, 9:53 AM
bcr added a subscriber: bcr.

Man page part of the change looks good. It needs a .Dd date bump when the commit happens.
Thanks for keeping up the good work on pf!

eri requested changes to this revision. Oct 30 2021, 10:16 PM
eri added a subscriber: eri.
eri added inline comments.
sbin/pfctl/parse.y:266

Is there no better place for such info?
It sounds like it was forced through as is.

This revision now requires changes to proceed. Oct 30 2021, 10:16 PM
sbin/pfctl/parse.y:266

I’m not sure I understand your objection.

sbin/pfctl/parse.y:266

I am pointing out that the antispoof structure does not seem to have a relationship with a rule identifier.
Is there no better place to stick this new info/tag?

kp marked 2 inline comments as done. Nov 1 2021, 8:50 AM
kp added inline comments.
sbin/pfctl/parse.y:266

That's there because you can also set ridentifier on antispoof rules. See line 1332 (in the new version).

kp marked an inline comment as done.

Ensure all antispoof rules get the ridentifier

This revision was not accepted when it landed; it landed in state Needs Review. Nov 5 2021, 9:17 AM
Closed by commit rG76c5eecc3490: pf: Introduce ridentifier (authored by kp).
This revision was automatically updated to reflect the committed changes.