User Details
- User Since
- Sep 28 2014, 7:22 PM (613 w, 5 d)
Yesterday
That looks pretty good to me, but I'd like to give Gleb some time to look as well. He's a lot more familiar with unmapped buffers than I am.
Wed, Jul 1
Tue, Jun 30
Sun, Jun 28
Fri, Jun 26
Remove epoch cleanup.
Update failing test case to use pfsync0 iso. pflog0 (for now).
mtx -> sx
Do you happen to know of a way to get an interface (struct ifnet) without AF_INET6? I used to use pflog0 for this, and now clearly can't any more. (The test for PR 288263 does that.)
Ideally I'd like to not remove the test, but without such an interface there's no point to it.
- locking fixes
- man page improvement
- fix pflogd to not look for a network interface
- have /etc/rc.d/pflogd create extra log devices if required
Ah, yeah, that's an issue.
I could remove the MPSAFE, but we probably don't want to rely on Giant, so that's not great either.
Thu, Jun 25
Wed, Jun 24
Tue, Jun 23
Mon, Jun 22
Yes. that's indeed a bug, but I fixed it two weeks ago: https://cgit.freebsd.org/src/commit/?id=fcb31b57112425a4eb64241651a0206108105298
Sat, Jun 20
Wed, Jun 17
Will do.
Tue, Jun 16
Fri, Jun 12
Thu, Jun 11
Wed, Jun 10
Mon, Jun 8
Fri, Jun 5
Jun 3 2026
May 28 2026
May 26 2026
May 21 2026
May 16 2026
May 12 2026
May 9 2026
May 7 2026
May 5 2026
May 1 2026
Apr 30 2026
Apr 29 2026
Apr 28 2026
Apr 26 2026
Apr 25 2026
Apr 23 2026
I suppose we could spell the example rules like this too:
block out quick on $wan from any to { 255.255.255.255, ($wan:broadcast), 224.0.0.0/4, ff00::/8 } received-on any
but they're fine as they are. They result in the same rules in the kernel anyway.
Apr 22 2026
There are good arguments for both blocking and allowing this I believe.
I'm not entirely sure where I fall. On the one hand, yes, users should be allowed to shoot themselves in the foot if they really want to, but on the other hand, it's non-obvious that this will happen. There are going to be a lot more users in the "I didn't want this to happen but it did" camp than there'd be in the "I want to do this dumb thing and pf won't let me." camp.
The pf change looks fine to me.
Apr 21 2026
Apr 20 2026
If we tweak it slightly I guess we can express everything we need.
So here's a version where we deny the call from the indicated securelevel on up,
and don't do anything if the value is 0
Apr 19 2026
I did see a warning about that recently but didn't investigate too much. This (with Gleb's remark) makes sense.
