♟ kp

pf: fix rules_counter:keepcounters test

pf.conf.5: rephrase macro section

pfctl.8: -z honours -a (reset rule stats per anchor)

pf: allows TCP RST packets in the backwards window if ACK matches

pf tests: test set limit

pf: set limits before rules

pf: Count m_gethdr() failures in PFRES_MEMORY counter

pfctl.8: omit preceding flag from command/modifier lists to get tags

pf tests: declare a table inside an anchor

pfctl: allow tables to be defined inside anchors

ifconfig: also fix removing IPv6 addresses without netlink

pf tests: verify rule numbers in pflog output

pfctl: remove prototypes with no matching function

pf: sync_ifp doesn't exist, remove externs

pfctl: ctime(3) and ctime_r(3) can fail when timestamps are way off.

pf tests: test fragment counters

pf: Show pf fragment reassembly counters.

pf.conf.5: hint how to set tcp timeout collectively

pfctl: add af-to and other missing action types in print_rule()

pfctl: fix anchortypes bounds test

pf.conf.5: document tcp.tsdiff

pf: fix possible pd->pcksum NULL deref

if_ovpn tests: skip float and linklocal test on < 2.7

ifconfig: also fix removing IPv6 addresses without netlink

pf tests: test state killing by source and destination address

pfctl: fix killing state by source and destination address

pf tests: recusrive table printing test

pfctl: support recusive printing of tables

pfctl: Use pfctl_fopen

pf: Remove dead code in pf_pull_hdr().

libifconfig and libpfctl look fine to me.

net/libpfctl: add 15.0 tarball

sys/netinet6: Fix SLAAC for interfaces with no /64 LL address

pf: fix possible pd->pcksum NULL deref

pf tests: sctp:pfsync robustness improvement

if_ovpn tests: skip float and linklocal test on < 2.7

pf: fix struct pf_krule_global leak

pf: free struct pf_krule_global with pf_rule_tree_free()

pf: fix memory leak in legacy getstate calls

pf(4) when doing af-to translation for ICMP protocol sends packets

pf: remove unused variables

pf: Introduce M_PF type for pf(4) related memory allocations.

pfctl: Rewrite some ugly for loops

pf: should be enforcing TTL=1 to packets sent to 224.0.0.1 only.

pf: fix ICMP type/code representation

In D52234#1193199, @guest-svmhdvn wrote:

Instead of skipping these and keeping around lots of code to check the ovpn version, why not just temporarily xfail them like I've done in the attached patch of https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=289150? That way, once Ports contains ovpn>=2.7, these tests will automatically start failing again with the message "failed: expected failure, but none found". We can remove the xfails promptly afterwards.

Also not something that must be done in this commit, but we should modify sbin/ifconfig to the new functions. That'll remove a little more code from ifconfig and it'll mean we test this code (as part of any test that runs ifconfig foo up).

The commit message needs to answer the "Why?".
Why are we bypassing the reference counting?

pfctl.8: small cleanups

pf: rewrite the pf_state_peer_ntoh and pf_state_peer_hton macros as functions.

pf: remove duplicate struct definition

syslogd: EAGAIN and ECONNREFUSED are not permanently fatal

pfctl: zero the number of added/deleted addresses

pf: fix potential infinite loop adding/deleting addresses in tables

Looks good, other than these minor remarks.

A quick pfctl test case for the parser changes (i.e. just a simple prefer-ipv6-nexthop route-to line) would be nice to have too.

if_ovpn: support IPv6 link-local addresses

if_ovpn tests: basic float test case

if_ovpn: support floating clients

if_ovpn: fill out sin_len/sin6_len

In D51871#1185506, @obiwac wrote:

Linux is actually doing something based on ifi_change currently (relevant code in net/core/rtnetlink.c, rtnl_dev_combine_flags).

Ah yes, "Documentation does not match reality", that's what I was missing. I did not check Linux code, I only looked at our tree.

So that seems correct if ifi_change lists the changed flags we should look at.

In D51778#1185229, @hrs wrote:

I am also curious about why the PPPoE implementation sticks to only /128 LLAs for the link. When creating a pppoe interface as IPv6-capable one, it should get a /64 LLA because of AUTO_LINKLOCAL flag. Does pfSense disable this address assignment?

pf: fix anchor/ethernet anchor cleanup

pf: free anchor and ethernet anchor zones on vnet shutdown

LGTM. Absent objections in the next day or two I'll commit this.

First impressions are that this makes sense, and removes a lot of 'route-to' special casing from code that ideally shouldn't have to know about route-to.

Tests look good, but of course only commit them once the fix lands too.

In D51789#1183132, @vegeta_tuxpowered.net wrote:

In D51789#1183098, @kp wrote:

No objection, but things just build even on LINT-NOINET6 kernels without this change, so I'm not sure what the motivation is.

I've seen such ifdefs around code in other places in pf, AFAIR the commits were labelled as "fix build without IPv4", so I thought it's always necessary.

No objection, but things just build even on LINT-NOINET6 kernels without this change, so I'm not sure what the motivation is.

In D51778#1182981, @zlei wrote:

I'm a little confused by PPP links with /128 LL addresses ? Can you elaborate how you setup the PPP links ?

pf: fix handling unreassembled fragments

pf tests: robustness improvement

pfctl: memset the pfctl struct in pfctl_reset()

pf.conf.5: document limit-item "anchors"; from martin vahlensieck

pf: also allocate ethernet anchors from a UMA zone

pf.conf.5: rework the text on mtu and mss

kp (Kristof Provost)
Troubleshooter

Projects (6)
View All

User Details

Recent Activity
View All

Yesterday

Thu, Sep 18

Wed, Sep 17

Mon, Sep 15

Sat, Sep 13

Fri, Sep 12

Wed, Sep 10

Sun, Sep 7

Sat, Sep 6

Fri, Sep 5

Thu, Sep 4

Wed, Sep 3

Tue, Sep 2

Fri, Aug 29

Thu, Aug 28

Wed, Aug 27

Tue, Aug 26

Mon, Aug 25

Fri, Aug 22

Aug 20 2025

Aug 18 2025

Aug 14 2025

Aug 13 2025

Aug 12 2025

Aug 11 2025

Aug 8 2025

Aug 7 2025

Aug 6 2025

Aug 5 2025

kp (Kristof Provost)Troubleshooter

Projects (6)View All