pf: Don't access sk and nk before they are allocated
The NAT addresses are chosen during ruleset parsing. The new afto code stores
post-nat addresses in nsaddr. The old nat code (also used for new nat-to rules)
creates state keys and stores addresses in them.
Ensure proper way of accessing the NAT addresses in case sticky-address
is used for af-to rules.
Reviewed by: kp
Approved by: kp
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D50768
pf: Don't return src node and hash from pf_map_addr_sn
The function pf_map_addr_sn() already returns naddr and nkif, there is
no need to return the source node too, it is redundant.
graphics/vulkan-validation-layers: Update 1.4.320 => 1.4.321, take maintainership
While here fix warnings from portclippy.
Move pkg-plist to PLIST_FILES as it only contained 2 files.
Add USE_LDCONFIG=yes.
PR: 288141
www/angie-module-lua: Update ngx_devel_kit 0.3.3 => 0.3.4
The www/angie-module-lua uses ngx_devel_kit in GH_TUPLE.
Changelog for ngx_devel_kit:
https://github.com/vision5/ngx_devel_kit/releases/tag/v0.3.4
PR: 288100 288166
Approved by: Oleg A. Mamontov <oleg at mamontov.net> (maintainer, implicit - inactive for more than 9 months)
net/liferea: update to 1.16-RC4
Release Notes: https://github.com/lwindolf/liferea/releases
Also, adopt port.
This rc seems to be more stable and well-behaved than the two years
old 1.14 series.
devel/libev: Unbreak current after inotify add
After inotify was added to main, if condition bellow leads to build error
related to missing (linux) statfs.h header.
Fix it by adjusting correct headers:
#if EV_USE_INOTIFY
-# include <sys/statfs.h>
+# include <sys/mount.h>
# include <sys/inotify.h>
While here, refresh patches.
Approved by: portmgr (blanket, build fix)
Sugested by: markj
See also; https://lists.freebsd.org/archives/dev-commits-src-all/2025-July/057269.html
pf: Use the table on root always if current table is not active.
ok sashan
Obtained from: OpenBSD, yasuoka <yasuoka at openbsd.org>, 26b6297991
Sponsored by: Rubicon Communications, LLC ("Netgate")
pf: rename PF_OPT_TABLE_PREFIX to PF_OPTIMIZER_TABLE_PFX
Move it to pf.h.
OPT is misleading and usually refers to command line arguments to pfctl
ok sashan kn
Obtained from: OpenBSD, henning <henning at openbsd.org>, 9c6ad19ba4
Sponsored by: Rubicon Communications, LLC ("Netgate")
pf: when calculating the ruleset's checksum, skip automatic table names.
the checksum is exclusively used for pfsync to verify rulesets are identical
on all nodes. the automatic table names are random and have a near zero
chance to match. found at a customer in zurich
ok sashan kn
Obtained from: OpenBSD, henning <henning at openbsd.org>, 7f1a6fd2a8
Sponsored by: Rubicon Communications, LLC ("Netgate")
pfctl.8: Mention hostid and checksum
Complete the description of "-s info -v" such that grepping for them
in the manual pager yields something.
Feedback jmc
OK sashan
Obtained from: OpenBSD, kn <kn at openbsd.org>, 0f5c867d7c
Sponsored by: Rubicon Communications, LLC ("Netgate")
pfctl: restore '.' at the end of these errors
The sys/netpfil/pf/table:reset_nonzero test expects them, and we're better off
not modifying errors without good reason.
Sponsored by: Rubicon Communications, LLC ("Netgate")
pf: Fix pfr_kentry_byaddr() to be used for a rule in an anchor
It couldn't find an entry if its table is attached a table on the root. This
fixes the problem "route-to <TABLE> least-states" doesn't work.
The problem is found by IIJ.
OK sashan
Obtained from: OpenBSD, yasuoka <yasuoka at openbsd.org>, a7d8badaea
Sponsored by: Rubicon Communications, LLC ("Netgate")
pf.conf.5: should clearly state range match operator ':' does not work for uid/gid.
OK @kn, OK @sthen
Obtained from: OpenBSD, sashan <sashan at openbsd.org>, 4521e23a38
Sponsored by: Rubicon Communications, LLC ("Netgate")
pfctl: Refine error message
While code in pf/pfctl confusingly uses either anchor or ruleset
depending on the context, pfctl(8) (both manual and user interface)
should be consistent.
For users there are basically anchors only, so do not imply any
difference between the two terminologies.
OK sashan
Obtained from: OpenBSD, kn <kn at openbsd.org>, 910e8feeb5
Sponsored by: Rubicon Communications, LLC ("Netgate")
pfctl: Fail on missing anchor
There is no reason to continue on anchor specific paths if the given
anchor does not exist.
OK sashan
Obtained from: OpenBSD, kn <kn at openbsd.org>, ad846651a1
Sponsored by: Rubicon Communications, LLC ("Netgate")
pfctl: Do the actual pfr_strerror() to pf_strerror() rename
Missed in previous
Obtained from: OpenBSD, kn <kn at openbsd.org>, c802a0d9d6
Sponsored by: Rubicon Communications, LLC ("Netgate")
pfctl: Unify error message for nonexisting anchors
pf(4) returns EINVAL for DIOCGETRULE, DIOCGETRULES and DIOCGETRULESET if
the specified anchor does not exist.
Extend and rename {pfr -> pf}_strerror() to make error message more
consistent.
There are other occasions as well but those need additional tweaks;
that's stuff for another diff.
OK and rename from sashan
Obtained from: OpenBSD, kn <kn at openbsd.org>, e5c920154c
Sponsored by: Rubicon Communications, LLC ("Netgate")
