User Details
User Details
- User Since
- Sep 28 2014, 7:22 PM (590 w, 3 d)
Tue, Jan 20
Tue, Jan 20
pf: fix min-ttl and set-tos for nat64
Mon, Jan 19
Mon, Jan 19
kp committed rG2e0e45a516b9: pfctl(8): change default limiter action from no-match to block (authored by kp).
pfctl(8): change default limiter action from no-match to block
Thu, Jan 15
Thu, Jan 15
if_ovpn: add interface counters
Wed, Jan 14
Wed, Jan 14
pfctl: allow new page character (^L) in pf.conf
kp added a comment to D54695: pf: tests: Introduce wait_for_process().
I'm not sure this is sufficient. It is still possible for tcpdump to have started, but not gotten to the point of actually opening the pflog device.
pf: remove unused function
pf tests: test block/no-match limiters
kp committed rGe28dfd6b5557: pfctl: make the source limiter output match the input (authored by kp).
pfctl: make the source limiter output match the input
pf: configurable action on limiter exceeded
kp committed rG1ee4405a00d7: pf: avoid a shadowed variable in the pf_create_state() source limiter handling (authored by kp).
pf: avoid a shadowed variable in the pf_create_state() source limiter handling
kp committed rG393243a38d74: pfctl: ifa_load() in pfctl_parser.c may attempt to read beyond the buffer. (authored by kp).
pfctl: ifa_load() in pfctl_parser.c may attempt to read beyond the buffer.
pf.conf.5: s/State Limiter/&s/ in .Ss
pfctl: distinguish broadcast and PPP peer addresses
pf: state/source limiter finishing touches
pf: remove redundant range checks
pf.conf.5: spelling
pf tests: basic state limiters test case
pf tests: extend the source limiter test
pf tests: basic source limiters test case
pf tests: state limiter rate test
pfctl tests: basic source and state limiter tests
pfctl.8: mention -k source -k <IP>
pfctl: improve limiters printing
pfctl: resolve '-s' ambiguity
pf: convert state limiter interface to netlink
pf: introduce source and state limiters
Sat, Jan 10
Sat, Jan 10
pf: don't reject route-to'd too-large packets
Thu, Jan 8
Thu, Jan 8
pf: handle nlattr_add_nested() failure
pf: remove redundant zeroing
Tue, Jan 6
Tue, Jan 6
Sat, Jan 3
Sat, Jan 3
kp added a comment to D54382: MFC sys/netinet6: Implement RFC 7217 (private stable addresses).
Fri, Jan 2
Fri, Jan 2
pf: sprinkle const over pf_addr_cmp()
Tue, Dec 30
Tue, Dec 30
pfctl: remove duplicate "va" entry
pf tests: avoid cleanup failures on skipped tests
pf: convert DIOCRCLRASTATS to netlink
pf: move DIOCRCLRASTATS into libpfctl
kp committed rG190c1f3d9326: pfctl: allow network programs select DSCP_VA for network ToS (authored by kp).
pfctl: allow network programs select DSCP_VA for network ToS
Mon, Dec 29
Mon, Dec 29
pf: handle TTL expired during nat64
Fri, Dec 26
Fri, Dec 26
kp committed rGeaa424e3bde8: snmp_pf: remove errno usage after pfctl_get_status_h change (authored by rootnode_freebsd_wollwage.com).
snmp_pf: remove errno usage after pfctl_get_status_h change
pf: don't reject route-to'd too-large packets
Dec 22 2025
Dec 22 2025
atf_python: support setting interface mtu
Dec 21 2025
Dec 21 2025
kp requested review of D54333: atf_python: support setting interface mtu.
pf: fix pcounters array size
kp committed rG823ebd7c4f89: libpfctl: export a get states variant that takes a pfctl_handle (authored by kp).
libpfctl: export a get states variant that takes a pfctl_handle
Dec 20 2025
Dec 20 2025
Dec 19 2025
Dec 19 2025
DIOCGETRULENV takes the write lock as well but I believe this is only
required when clearing rule counters. (It might not be required even
then, on platforms where counter increment is done atomically.) Acquire
the read lock if that is not the case.
Dec 18 2025
Dec 18 2025
snmp_pf: fix refresh
libpfctl: fix tstats address count
Dec 17 2025
Dec 17 2025
if_ovpn: use epoch to free peers
if_ovpn: use epoch to free peers
Dec 15 2025
Dec 15 2025
kp added inline comments to D54105: kyua: Add flaky metadata.
pf: fix min-ttl and set-tos for nat64
Dec 13 2025
Dec 13 2025
pfctl: report ICMP states consistently for IPv4/IPv6
Dec 11 2025
Dec 11 2025
kp added a comment to D54175: if_ovpn: fix memory leak in VNET.
I believe that was accidentally broken by 96b29c7f0cffd377a757ad8ccc0cdd8fcb96d0dd, which fixed the issue of jails being unable to go away while they still had ovpn interfaces in them. It fixed that, but also removed the VNET_SYSUNINIT that prevented this leak.
pf: handle TTL expired during nat64
pf: relax sctp v_tag verification
pf: relax sctp v_tag verification
libpfctl: improve error handling
pf: relax sctp v_tag verification
Dec 10 2025
Dec 10 2025
kp requested review of D54166: pf: handle TTL expired during nat64.
kp added a reviewer for D54163: pfsync: Avoid zeroing the state export union: vegeta_tuxpowered.net.
Dec 9 2025
Dec 9 2025
kp added a comment to D54148: netlink: Don't overwrite existing data in a linear buffer in snl_writer.
Ah, thanks. With the original patch reverted this applies and works as expected.
I'm not all that familiar with this code, but it works and I don't see any obvious problems (and it addresses the problem CHERI found, being that we used more than 'new_size' from 'new_base'.)
if_ovpn: use epoch to free peers
pfsync: fix incorrect unlock during destroy
pfctl: restore '-Tload -f pf.conf' functionality
pfsync: fix incorrect unlock during destroy
pfsync: fix incorrect unlock during destroy
kp added a comment to D54148: netlink: Don't overwrite existing data in a linear buffer in snl_writer.
What's this based on? It doesn't seem to want to apply to FreeBSD main (f9500e75791cf793904c80ca4a52433afd585a23).
Dec 8 2025
Dec 8 2025
Dec 5 2025
Dec 5 2025
snmp_pf: use the libpfctl wrapper to retrieve astats
pf: convert DIOCRGETASTATS to netlink
pfctl: move astats query into libpfctl
Dec 4 2025
Dec 4 2025
Dec 1 2025
Dec 1 2025
pfsync: fix incorrect unlock during destroy
pfctl: restore '-Tload -f pf.conf' functionality
pf: use correct sized variables in pf_change_icmp()
Nov 30 2025
Nov 30 2025
pf: handle divert packets
pf: handle divert packets
pf: handle divert packets
Nov 28 2025
Nov 28 2025
pf: fix another endpoint-independent crash
Nov 27 2025
Nov 27 2025
pf tests: pflog:{rdr_action,state_max} disable IPv6
kp committed rG685d5860acea: pf tests: explicitly set the source address in killstate:v6 (authored by kp).
pf tests: explicitly set the source address in killstate:v6
pf tests: fix killstate:v6
pf tests: fix syncookie:loopback_v6
Nov 26 2025
Nov 26 2025
tests: detect built-in modules
Nov 25 2025
Nov 25 2025
pf: relax sctp v_tag verification
libpfctl: improve error handling
if_ovpn: use IFT_TUNNEL
pf: fix udp_mapping cleanup
if_ovpn: use IFT_TUNNEL
Nov 24 2025
Nov 24 2025
Nov 21 2025
Nov 21 2025
pf: fix another endpoint-independent crash
kp requested review of D53856: pf: fix another endpoint-independent crash.