Hello Klemens,
I think what you see is actually somewhat desired/expected behavior of
current PF. Stay tuned for the explanation further below.
>
> Clean up:
>
> # ./obj/pfctl -Fa -aregress/*
> 0 tables deleted.
> rules cleared
> 0 tables deleted.
> rules cleared
>
On Wed, May 08, 2019 at 09:47:30PM +0200, Alexandr Nedvedicky wrote:
> Diff below introduces PF_OPT_IGNFAIL, which optionally relaxes err()/errx()
> to warn()/warnx(), where my following changes need that. I have not done
> 'global' replace of err()/errx() to pfctl_err()/pfctl_errx() to keep change
On Wed, May 15, 2019 at 11:08:14PM +0200, Klemens Nanni wrote:
> > -void
> > +int
> > pfctl_clear_rules(int dev, int opts, char *anchorname)
> > {
> > - struct pfr_buffer t;
> > + struct pfr_buffer t;
> > + int rv = 0;
> Not needed...
> >
> > memset(&t, 0, si
On Wed, May 15, 2019 at 09:08:20PM +0200, Alexandr Nedvedicky wrote:
> Completely agree with you. My diff indeed ignores '-a'. Thanks for
> spotting that. With the change below the complete patch behaves as you
> expect. The finishing touch below makes pfctl_recurse()
> accept an 'a
Hello Klemens,
On Mon, May 13, 2019 at 12:22:34AM +0200, Klemens Nanni wrote:
> On Wed, Apr 17, 2019 at 01:28:57AM +0200, Alexandr Nedvedicky wrote:
> > The idea has already been discussed a few weeks ago [1]. Reusing the "-a '*'"
> > option
> > to tell pfctl to flush everything is sthen's idea [2]. T
On Wed, Apr 17, 2019 at 01:28:57AM +0200, Alexandr Nedvedicky wrote:
> The idea has already been discussed a few weeks ago [1]. Reusing the "-a '*'" option
> to tell pfctl to flush everything is sthen's idea [2]. The patch below makes
> pfctl understand
> pfctl -a '*' -FT
> pfctl -a '*' -Fr
>
Hello,
Petr Hoffmann pointed out three nits off-list.
We are better off using errx() instead of fprintf() + exit here:
+pfctl_get_anchors(int dev, int opts)
+{
+
+ if (pfra.pfra == NULL)
+ errx(1,
+ "%s failed to allocate main anchor, can't continue\n",
+
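Review bot: errx(3) already appends a newline to its formatted message, so the trailing `\n` in the format string at `+ "%s failed to allocate main anchor, can't continue\n",` prints an extra blank line; drop the `\n` from the format string.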
Hello,
Diff 3/3 makes the patch complete. It uses pfctl_recurse() introduced in
2/3 to implement the operations as follows:
pfctl -a "*" -Fa (applies pfctl_call_clearanchors())
pfctl -a "*" -Fr (applies pfctl_call_clearrules())
pfctl -a "*" -FT (applies pfctl_call_cleartables())
All
Hello,
The second diff makes the current implementation of 'pfctl -vsA' (show rules) more
generic. It changes the current pfctl_show_anchors() to pfctl_walk_anchors(),
which accepts a callback as argument (pfctl_show_anchor()) to show an anchor
found in the kernel. So the existing pfctl_show_anchors() is changed
to this:
Hello,
Looks like the diff is too big for review, so let me slice it
into smaller chunks. I've tested the complete diff; I have not
tested the partial diffs.
No issues were discovered by running regress on pfctl. Furthermore, doing
'pfctl -a "*" -Fa' with my changes in did the expected thing: it removed
Hello,
This is a fairly large change to pfctl, which allows the PF administrator to
purge all anchors from the PF driver. Consider a ruleset as follows:
lumpy# pfctl -a '*' -sr
pass all flags S/SA
anchor "foo" all {
anchor "inbound" from any to {
match in on any inet from 10.163.