Thanks for the find! Looks reasonable to bring in. I will try to get more test coverage from our users, though feedback was low on this particular hang ;(

Added motivation for checking for untagged priority to the filter program comments.

add comment about need to test for VID 0 presence

Not sure about omitting the match on a NAT rule, but doing it inside the log code was definitely wrong.

void REASON_SET by directly passing PFRES_MATCH

But to be fair both rules are matching accounting-wise unless we assume that only "pass" can account for "match".

There is an older discussion about it here https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224961

• skip to end on vlanid != 0 and add comments

Correct. Here is the test:

• lease declaration skip fixes

Use EVL_VLID_MASK as suggested

OpenBSD added the single htons() while adding write filter, but nowhere else. I suspect the fragmentation check is mostly correct so this doesn't matter in the real world.

constify filters and avoid static length variables

Appreciate the reviews :) Unfortunately I'm not a committer so is someone willing to help out? Thanks in advance.

fixed partial length on tx

Another one refactored

That would be great, thanks!

The only other script is the DNS script and it looks like -u already does append the sender address to that script's data.

now avoids raw access to ntopbuf from scripts call

Merged into https://reviews.freebsd.org/D31501

Much nicer, thanks! Added Stephan as reviewer who originally worked on this to give it a go.

On second thought: maybe I'm mixing up hardware. I'm not sure, but in either case 12.x does seem not exhibit this issue judging from the complete lack of user reports.

@kbowling for us https://cgit.freebsd.org/src/commit/?id=0aa7d3ff9ea resolved the issue back then and has not come back. Is this meant to replace it or to be applied on top? I can test it on the specific hardware, but unsure if this will be inconclusive for the mentioned reason

Thanks for the update :)

@skozlov feel free to take maintainership of net/intel-em-kmod and thanks for working on these modules! :)

"if:0" and "(if:0)" have separate implementations. the one for "if:0" is missing, see ifa_lookup() in sbin/pfctl/pfctl_parser.c

Looks good, thanks!

We all invest time so thank you for the offer. Yes, I am OK with that.

I do not wish to acknowledge the advertising in the commit message.

I'm sorry, I'm playing by the rules that FreeBSD imposes on its external contributors.

There's a PR here https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229904

Any news on this? :)

Seeing this after migration...

this one is stable, thank you @ale

No, I'm not asking for support that would take a few weeks of ping pong in a bug tracker, if any. This is real world feedback for this review. Take it or leave it. :)

Thanks, but we've narrowed it down to this commit.

We do seem to have a persistent problem with this patch in some PPPoE environments that will cause a crash in ng_pppoe_rcvdata_ether():

Nevermind, now it displays correctly. Please commit. :)

can you rebase this patch? it looks off with the update to 3.2.2 and no OPTIONS_DEFINE like it was already applied

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220025
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220026

So FWIW I stand by the approval of the previous version that does not use REDIS_CONFIGURE_ENABLE.

looks good, will accept after typo fix :)

• correctly build against GENERIC

I've updated the TUNNELBLICK patch to work with 2.4, it was just a clash with the new code formatting. Looks good so far, runtime test is pending.

• omit empty reads for ip[6]_get_fwdtag
• error out safely on failure

• use else if

• complete conversion

• requested changes