OpenBSD CVS

CVS log for src/sbin/pfctl/parse.y

Default branch: MAIN


Revision 1.715, Thu Nov 2 20:47:31 2023 UTC, by sthen
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, HEAD
Changes since 1.714: +2 -2 lines

Use pfctl_fopen (which checks to ensure the given file isn't a directory)
for pfctl -f /path/to/pf.conf. Otherwise, if you accidentally use a dir
instead of a file (e.g. if you have an /etc/pf directory and don't notice
the name when tab-completing), you successfully install an empty ruleset.
ok sashan@

Revision 1.714, Thu Oct 26 16:26:01 2023 UTC, by deraadt
Branch: MAIN
Changes since 1.713: +10 -10 lines

whitespace cleanup my fingers couldn't avoid doing while i was re-reading
the parsing code

Revision 1.713, Tue Feb 7 17:58:43 2023 UTC, by sashan
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4, OPENBSD_7_3_BASE, OPENBSD_7_3
Changes since 1.712: +3 -3 lines

internal representation of icmp type/code in pfctl(8)/pf(4) does not
fit into u_int8_t. Issue has been noticed and kindly reported by
amalinin _at_ bh0.amt.ru via bugs@.

OK bluhm@

Revision 1.712, Fri Sep 23 21:33:17 2022 UTC, by bluhm
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE, OPENBSD_7_2
Changes since 1.711: +2 -2 lines

Fix detection of duplicate sticky-address in pf.conf parser.
reported to FreeBSD by Franco Fichtner; from Kristof Provost

Revision 1.711, Mon Oct 25 14:50:29 2021 UTC, by sashan
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.710: +13 -8 lines

- pfctl $nr incorrect macro expansion

Issue reported by Kristof Provost from FreeBSD.
[ https://reviews.freebsd.org/D32488 ]

In order to fix the issue we must delay '$nr' macro
expansion until after the optimizer collapses the ruleset.

OK kn@

Revision 1.710, Fri Oct 15 15:01:27 2021 UTC, by naddy
Branch: MAIN
Changes since 1.709: +6 -6 lines

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments.  Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@

Revision 1.709, Mon Feb 1 00:31:04 2021 UTC, by dlg
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0, OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.708: +50 -185 lines

change route-to so it sends packets to IPs instead of interfaces.

this is a significant (and breaking) reworking of the policy based
routing that pf can do. the intention is to make it as easy as
nat/rdr to use, and more robust when it's operating.

the main reasons for this change are:

- route-to, reply-to, and dup-to do not work with pfsync

 this is because the information about where to route-to is stored in
 rules, and it is hard to have a ruleset synced between firewalls,
 and impossible to have them synced 100% of the time.

- i can make my boxes panic in certain situations using route-to

 yeah...

- the configuration and syntax for route-to rules are confusing.

 the argument to route-to and co is an interface name with an optional
 ip address. there are several problems with this. one is that people
 tend to think about routing as sending packets to peers by their
 address, not by the interface they're reachable on. another is that
 we currently have no way to synchronise interface topology information
 between firewalls, so using an interface to say where packets go
 means we can't do failover of these states with pfsync. another
 is that a change in routing topology means a host may become
 reachable over a different interface. tying routing policy to
 interfaces gets in the way of failover and load balancing.

this change does the following:

- stores the route info in the state instead of the pf rule

 this allows route-to to keep working when the ruleset changes, and
 allows route-to info to be sent over pfsync. there are enough spare bits
 in pfsync messages that the protocol doesn't break.

 the caveat is that route-to becomes tied to pass rules that create
 state, like rdr-to and nat-to.

- the argument to route-to etc is a destination ip address

 it's not limited to a next-hop address (though a next-hop can be a
 destination address). this allows for the failover and load balancing
 referred to above.

- deprecates the address@interface host syntax in pfctl

 because routing is done entirely by IPs, the interface is derived from
 the route lookup, not pf. any attempt to use the @interface syntax
 will fail now in all contexts.

there's enthusiasm from proctor@ jmatthew@ and others
ok sashan@ bluhm@

Revision 1.708, Tue Jan 12 00:10:34 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.707: +2 -3 lines

Sometimes a user ID was logged in pflog(4) although the logopt of
the rule did not specify it.  Check the option again for the log
rule in case another rule has triggered a socket lookup.  Remove
logopt group, it is not documented and cannot work as struct pfloghdr
does not contain a gid.  Rename PF_LOG_SOCKET_LOOKUP to PF_LOG_USER
to express what it does.  The lookup involved is only an implementation
detail.
OK kn@ sashan@ mvs@

Revision 1.707, Wed Dec 16 18:01:16 2020 UTC, by kn
Branch: MAIN
Changes since 1.706: +33 -3 lines

Fail to parse rules with invalid ranges

This makes pfctl(8) detect bogus ranges (with and without `-n') before
loading the ruleset and completes the previous commit.

OK sashan sthen

Revision 1.706, Wed Dec 16 18:00:44 2020 UTC, by kn
Branch: MAIN
Changes since 1.705: +4 -2 lines

Reject rules with invalid port ranges

Ranges where the left boundary is bigger than the right one are always bogus
as they work like `port any' (`port 34<>12' means "all ports") or in a way
that inverts the rule's action (`pass ... port 34:12' means "pass no port at
all").

Add checks for all ranges and invalidate those that yield no or all ports.

For this to work on redirections, make pfctl(8) pass the range's type,
otherwise boundary including ranges are not detected as such;  that is to
say, `struct pf_pool's `port_op' member was unused in the kernel so far.

`rdr-to' rules with invalid ranges could panic the kernel when hit.
Reported-by: syzbot+9c309db201f06e39a8ba@syzkaller.appspotmail.com

OK sashan
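As an added illustration of the range check described in the two commits above (1.706 and 1.707), and not pfctl's own code: the function below computes how many ports a two-operand pf.conf(5) port range selects and rejects ranges that yield no port or every port. It goes slightly beyond the inverted-boundary case in the message, since ranges like `port 80><81` or `port 0<>65535` are also empty; the operator semantics follow pf.conf(5) and the sample fragments are constructed.

```python
import re

PORT_MAX = 65535
ALL_PORTS = PORT_MAX + 1

# Matches the two-operand port forms of pf.conf(5):
# "port 80:90" (inclusive), "port 80><90" (exclusive), "port 80<>90" (except-range).
RANGE_RE = re.compile(r"^\s*port\s+(\d+)\s*(:|><|<>)\s*(\d+)\s*$")


def port_count(op, lo, hi):
    """Number of ports selected by `lo op hi` under pf.conf(5) semantics."""
    if op == ":":            # inclusive: lo <= port <= hi
        return hi - lo + 1 if lo <= hi else 0
    if op == "><":           # exclusive: lo < port < hi
        return hi - lo - 1 if lo < hi else 0
    if op == "<>":           # except-range: port < lo or port > hi
        if lo > hi:          # the two halves overlap and cover every port
            return ALL_PORTS
        return lo + (PORT_MAX - hi)
    raise ValueError(f"unknown port operator {op!r}")


def check_port_range(spec):
    """Return None if the range is usable, otherwise a reason string
    mirroring the 'invalid port range' rejection described above."""
    m = RANGE_RE.match(spec)
    if m is None:
        raise ValueError(f"not a two-operand port range: {spec!r}")
    lo, op, hi = int(m.group(1)), m.group(2), int(m.group(3))
    for p in (lo, hi):
        if p > PORT_MAX:
            return f"port {p} out of range"
    n = port_count(op, lo, hi)
    if n == 0:
        return f"'{spec.strip()}' matches no port"
    if n == ALL_PORTS:
        return f"'{spec.strip()}' matches all ports"
    return None


def lint_rules(rules):
    """Map each rule fragment to its verdict (None means usable)."""
    return {r: check_port_range(r) for r in rules}


if __name__ == "__main__":
    # Constructed sample fragments, including the two cases quoted in the commit message.
    SAMPLES = ["port 34:12", "port 34<>12", "port 80:90",
               "port 80><81", "port 0<>65535", "port 443<>443"]
    for rule, verdict in lint_rules(SAMPLES).items():
        print(f"{rule:16s} -> {verdict or 'ok'}")
```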

Revision 1.705, Mon Dec 7 08:29:41 2020 UTC, by sashan
Branch: MAIN
Changes since 1.704: +7 -1 lines

synproxy should be processing incoming SYN packets only.
issue noticed by sthen@. fix discussed with bluhm@ and procter@

OK bluhm@, kn@, procter@

Revision 1.704, Thu Oct 1 14:02:08 2020 UTC, by kn
Branch: MAIN
Changes since 1.703: +3 -9 lines

rdomain IDs do not need to exist for "on rdomain N" to work

Unlike "... rtable N", pf.conf(5)'s "on rdomain N" does not alter packet
state and will always work no matter if rdomain N currently exists or not,
i.e. the rule "pass on rdomain 42" will simply match (and pass) packets if
rdomain 42 exists, and it will simply not match (neither pass nor block)
packets if 42 does not exist.

There's no need to reload the ruleset whenever routing domains are created
or deleted, which can already be observed now by creating an rdomain,
loading rules referencing it and deleting the same rdomain immediately
afterwards: pf will continue to work as expected.

Relax both pfctl(8)'s parser check as well as pf(4)'s copyin routine to
accept any valid routing domain ID without expecting it to exist at the time
of ruleset creation - this lifts the requirement to create rdomains before
referencing them in pf.conf while keeping pf behaviour unchanged.

Prompted by yasuoka's recent pfctl parse.y r1.702 commit requiring an rtable
to exist upon ruleset creation.

Discussed with claudio and bluhm at k2k20.

Feedback sashan
OK sashan yasuoka claudio

Revision 1.703, Thu Sep 17 14:26:59 2020 UTC, by yasuoka
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8
Changes since 1.702: +3 -3 lines

Fix the previous commit whose conditions were reversed.

ok kn

Revision 1.702, Thu Sep 17 10:09:43 2020 UTC, by yasuoka
Branch: MAIN
Changes since 1.701: +19 -12 lines

Make pfctl(8) check if the rtable really exists when parsing the
config.  work with and diff from kn

ok kn

Revision 1.701, Tue Jan 28 15:40:35 2020 UTC, by bket
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.700: +4 -9 lines

sbin/pfctl: replace TAILQ concatenation loop with TAILQ_CONCAT

OK kn@, sashan@, florian@

Revision 1.700, Wed Jan 15 22:38:30 2020 UTC, by kn
Branch: MAIN
Changes since 1.699: +2 -2 lines

Do the actual pfr_strerror() to pf_strerror() rename

Missed in previous

Revision 1.699, Thu Oct 17 21:54:28 2019 UTC, by millert
Branch: MAIN
Changes since 1.698: +7 -7 lines

Use -1 to indicate an invalid uid/gid, not UID_MAX and GID_MAX.
This is the userland portion.  OK deraadt@ sashan@

Revision 1.698, Mon Aug 26 18:53:58 2019 UTC, by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.697: +15 -14 lines

Fix file descriptor leak due to popfile() never closing the main config file.

The fix is the same as for other parse.y files in the tree (see bgpd(8) or
unwind(8))

ok bluhm@

Revision 1.697, Fri Jul 5 06:56:22 2019 UTC, by patrick
Branch: MAIN
Changes since 1.696: +22 -20 lines

Fix integer sizes in format strings and enable formatting warnings
for yyerror.

From Moritz Buhl
ok bluhm@ claudio@

Revision 1.696, Wed May 8 21:31:30 2019 UTC, by sashan
Branch: MAIN
Changes since 1.695: +3 -1 lines

pfctl should check pfctl.astack is not overrun
(bug found and fixed by Petr Hoffmann _at_ oracle.com)

OK kn@

Revision 1.695, Thu Apr 18 21:58:59 2019 UTC, by kn
Branch: MAIN
Changes since 1.694: +7 -2 lines

Fix table definition parsing as unprivileged user

revision 1.689 introduced warn_duplicate_tables() unconditionally, breaking
the parser on tables with insufficient permissions to open pf(4):

	$ echo 'table <t>' | pfctl -nf-
	pfctl: pfr_get_tables: Bad file descriptor

So simply check whether pfctl is able to get the table list first.  If not,
instead of silently avoiding namespace collision checks, print a brief
notice iff `-v' is given to help finding duplicate definitions by hand:

	$ echo 'table <t>' | ./obj/pfctl -vnf-
	table <t>
	stdin:1: skipping duplicate table checks for <t>

Reported by Rivo Nurges, thanks!
OK benno sashan

Revision 1.694, Wed Mar 6 19:49:05 2019 UTC, by kn
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5
Changes since 1.693: +40 -15 lines

Fix once rules

parse.y revision 1.682 from 16.07.2018 erroneously allowed `match once' and
`anchor "a" once'.

Fix both by checking for PF_DROP not PF_MATCH and creating anchors in the
parser already such that they can be used to distinguish anchor rules in
the same check as well.

Found and fixed by Petr Hoffmann <petr.hoffmann at oracle dot com>, thanks!

While here, remove an unneeded cast and make pfctl_add_rule() void as it
always returned 0.

OK sashan

Revision 1.693, Wed Feb 13 22:57:07 2019 UTC, by deraadt
Branch: MAIN
Changes since 1.692: +3 -3 lines

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno

Revision 1.692, Sun Feb 10 15:05:17 2019 UTC, by kn
Branch: MAIN
Changes since 1.691: +6 -1 lines

Anchor names must not be empty

The parser would allow bogus input and sometimes even produce invalid rules
on empty anchor names, so error out immediately.

OK sashan

Revision 1.691, Sun Feb 10 14:55:58 2019 UTC, by kn
Branch: MAIN
Changes since 1.690: +20 -15 lines

Unify anchor name sanity checks

For anchor names, make `load anchor' use the same grammar as `anchor' and
merge unique checks from both places so that anchor names are validated
regardless of the specific rule at hand.

OK sashan

Revision 1.690, Thu Jan 31 18:08:36 2019 UTC, by kn
Branch: MAIN
Changes since 1.689: +6 -5 lines

Make divert-packet port accept any port specification

Contrary to other rules accepting a single port, this one only works with
numerical values.  Fix it by simply using the proper grammar.

Port ranges are not accepted, but an error message on a range without start
was missing in general, so add it while here.

OK bluhm

Revision 1.689, Fri Jan 11 01:56:54 2019 UTC, by kn
Branch: MAIN
Changes since 1.688: +2 -1 lines

When creating tables inside anchors, pfctl warned about namespace
collisions with global tables, but only in certain cases and with
limited information sometimes leaving users clueless.

Deferring the check to process_tabledefs() where tables are eventually
created, both anchor and table name are known which allows for checking
all existing anchors.

With this, warn on all duplicates even in dry-runs (`-n') and print
quoted names so they can be copied to fix configurations right away.

No functional change in parsing or ruleset production.

Discussed with and OK sashan

Revision 1.688, Thu Nov 15 03:22:01 2018 UTC, by dlg
Branch: MAIN
Changes since 1.687: +1 -2 lines

scrub opts don't set tos, so remove it from the scrub_opts struct

ok deraadt@

Revision 1.687, Sat Nov 10 21:22:17 2018 UTC, by kn
Branch: MAIN
Changes since 1.686: +3 -3 lines

Unbreak `-D macro=value' (r1.686 regression)

Zap trailing semicolon introduced with miko's cmdline_symset() leading to
unconditional err(3).  Zap trailing tab while here.

Revision 1.686, Wed Nov 7 08:10:45 2018 UTC, by miko
Branch: MAIN
Changes since 1.685: +3 -5 lines

sync cmdline_symset() changes with src/usr.sbin; OK sashan@ claudio@

Revision 1.685, Thu Nov 1 00:18:44 2018 UTC, by sashan
Branch: MAIN
Changes since 1.684: +3 -2 lines

- odd condition/test in PF lexer
  (and other lexers too)

This commit rectifies earlier change:

    in the lex... even inside quotes, a \ followed by space or tab should
    expand to space or tab, and a \ followed by newline should be ignored
    (as a line continuation).  compatible with the needs of hoststated
    (which has the most strict quoted string requirements), and ifstated
    (where one commonly does line continuations in strings).

OK deraadt@, OK millert@

Revision 1.684, Sun Sep 16 02:44:06 2018 UTC, by millert
Branch: MAIN
CVS Tags: OPENBSD_6_4_BASE, OPENBSD_6_4
Changes since 1.683: +7 -7 lines

Use uid_from_user(3) and gid_from_group(3) in utilities that
do repeated lookups.  OK tb@

Revision 1.683, Thu Sep 6 15:07:33 2018 UTC, by kn
Branch: MAIN
Changes since 1.682: +4 -4 lines

Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan

Revision 1.682, Mon Jul 16 08:29:08 2018 UTC, by kn
Branch: MAIN
Changes since 1.681: +11 -29 lines

reduce duplicate code, fix typo/free correct buffer

In filteropts_to_rule():

* Merge `once' handling from `anchorrule' and `pfrule'
* Remove/shorten duplicate code block
* Fix typo I introduced with r1.678 that frees the wrong buffer (twice)

OK sashan

Revision 1.681, Fri Jul 13 08:41:15 2018 UTC, by kn
Branch: MAIN
Changes since 1.680: +7 -6 lines

Fix regression on child queue definitions

I committed the wrong diff in 1.680 which turned `queue cq parent pq ...'
into invalid syntax by changing `interface' to `ON if_item'.

Found by bket, thanks!

Revision 1.680, Wed Jul 11 18:06:25 2018 UTC, by kn
Branch: MAIN
Changes since 1.679: +12 -4 lines

Prevent invalid interface specifiers on queue rules

pf.conf(5) states that queues attach to actual interfaces only, yet the
following parses:

	# echo queue eq on egress bandwidth 1G default | pfctl -f-
	# pfctl -sq
	pfctl: DIOCGETQSTATS: Bad file descriptor

	# echo queue rq on rdomain 0 bandwidth 1G default | pfctl -vf-
	queue rq bandwidth 1G default
	# pfctl -sq
	pfctl: DIOCGETQSTATS: Bad file descriptor

On rdomains, ifa_exists() returns NULL.
On interface groups, ifa_exists() returns non-NULL but af is never set
to AF_LINK.

OK henning sashan

Revision 1.679, Wed Jul 11 07:39:22 2018 UTC, by krw
Branch: MAIN
Changes since 1.678: +12 -12 lines

Do for most running out of memory err() what was done for most running
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.

ok henning@

Revision 1.678, Tue Jul 10 09:30:49 2018 UTC, by henning
Branch: MAIN
Changes since 1.677: +22 -2 lines

'set delay' for the generic packet delay mechanism, ok benno sashan

Revision 1.677, Tue Jul 10 08:44:55 2018 UTC, by kn
Branch: MAIN
Changes since 1.676: +123 -139 lines

fix anchor rules with filter opts, introduce filteropts_to_rule()

Some filter options were parsed but not set on anchor rules due to missing
copies of the respective struct members:

	$ cat pf.conf
	queue rq on trunk0 bandwidth 1G
	queue dq parent rq bandwidth 1G default
	anchor a set queue dq
	$ pfctl -vnf pf.conf | fgrep queue
	anchor "a" all

Fix this by moving common code from `anchorrule' and `pfrule' into a new
helper filteropts_to_rule().

Input from henning and benno
OK henning sashan jca

Revision 1.676, Mon Jul 9 15:07:06 2018 UTC, by kn
Branch: MAIN
Changes since 1.675: +1 -9 lines

Zap dead code

Commented since r1.465 (2004).

OK deraadt benno jca sashan

Revision 1.675, Mon Jul 9 12:05:10 2018 UTC, by krw
Branch: MAIN
Changes since 1.674: +6 -8 lines

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@

Revision 1.674, Sun Jul 8 17:15:07 2018 UTC, by krw
Branch: MAIN
Changes since 1.673: +5 -3 lines

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@

Revision 1.673, Fri May 18 13:39:49 2018 UTC, by benno
Branch: MAIN
Changes since 1.672: +42 -5 lines

A pf rule with a "on rdomain n" with nonexisting rdomain n will cause an

  pfctl: DIOCADDRULE: Device busy

error when loading the ruleset, with no information which rule caused
the problem and no indication that the problem is the rdomain
<nonexisting>.

This diff makes pfctl check if the rdomain really exists when parsing
the config.

ok bluhm@

Revision 1.672, Wed May 9 11:07:20 2018 UTC, by otto
Branch: MAIN
Changes since 1.671: +77 -48 lines

Fix (include file) line number counting by keeping track of the unget
buffer per file; also use that buffer to expand macros.
ok sashan@ dennis@ krw@

Revision 1.671, Thu Apr 26 14:12:19 2018 UTC, by krw
Branch: MAIN
Changes since 1.670: +3 -1 lines

Plug leak in error case of the common 'varset' implementations.

ok benno@

Revision 1.670, Thu Feb 8 09:15:46 2018 UTC, by henning
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE, OPENBSD_6_3
Changes since 1.669: +38 -3 lines

make the watermarks/thresholds for entering and leaving syncookie mode when
syncookies are set to adaptive tunable, ok claudio benno

Revision 1.669, Tue Feb 6 23:47:47 2018 UTC, by henning
Branch: MAIN
Changes since 1.668: +23 -2 lines

allow control over syncookies: set syncookies never/always/adaptive

Revision 1.668, Tue Nov 28 16:05:46 2017 UTC, by bluhm
Branch: MAIN
Changes since 1.667: +6 -4 lines

The divert structure was using the port number to indicate that
divert-to or divert-reply was active.  If the address was also set,
it meant divert-to.  Divert packet used a separate structure.  This
is confusing and makes it hard to add new features.  It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@

Revision 1.667, Mon Nov 27 23:21:50 2017 UTC, by bluhm
Branch: MAIN
Changes since 1.666: +46 -35 lines

The divert structure was using the port number to indicate that
divert-to or divert-reply was active.  If the address was also set,
it meant divert-to.  Divert packet used a separate structure.  This
is confusing and makes it hard to add new features.  It is better
to have a divert type that explicitly says what is configured.
Convert the pfctl(8) rule parser to divert types, kernel cleanup
will be the next step.
OK sashan@

Revision 1.666, Sat Nov 25 22:26:25 2017 UTC, by sashan
Branch: MAIN
Changes since 1.665: +3 -3 lines

- pfctl fails to handle nested 'load anchor' properly
  [ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]

OK bluhm@

Revision 1.665, Tue Nov 14 22:17:41 2017 UTC, by sashan
Branch: MAIN
Changes since 1.664: +2 -2 lines

- nested anchors vs. pfctl/parse.y
  bug reported and fix tested by Leonardo Guardati

OK bluhm@

Revision 1.664, Mon Nov 13 11:30:11 2017 UTC, by henning
Branch: MAIN
Changes since 1.663: +24 -1 lines

add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb

Revision 1.663, Fri Aug 11 22:30:38 2017 UTC, by benno
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.662: +13 -12 lines

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@

Revision 1.662, Wed Jul 19 12:58:31 2017 UTC, by mikeb
Branch: MAIN
Changes since 1.661: +1 -11 lines

Allow HFSC classes to use flow queues

The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue.  Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.

Discussed with and OK henning@ at d2k17 as a part of a larger diff.

Revision 1.661, Wed Jul 19 12:51:30 2017 UTC, by mikeb
Branch: MAIN
Changes since 1.660: +7 -8 lines

Rework HFSC vs FQ-CoDel checks

The selection mechanism introduced in pf_ioctl.c -r1.316 suffers
from being too ambiguous and lacks robustness. Instead of relying
on composition of multiple flags in the queue specification, it's
easier to identify the root class (if it exists) and derive all
further checks from it.

Revision 1.660, Sun May 28 15:15:21 2017 UTC, by akfaew
Branch: MAIN
Changes since 1.659: +2 -2 lines

Don't check np->port for NULL - it's an array, it's never NULL.

OK bluhm@

Revision 1.659, Mon May 15 11:23:25 2017 UTC, by mikeb
Branch: MAIN
Changes since 1.658: +61 -5 lines

Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)

OK sthen, visa

Revision 1.658, Fri Apr 28 14:15:45 2017 UTC, by mikeb
Branch: MAIN
Changes since 1.657: +1 -3 lines

Remove double assignments

Revision 1.657, Thu Jan 5 12:42:18 2017 UTC, by krw
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.656: +7 -5 lines

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@

Revision 1.656, Wed Nov 23 12:13:23 2016 UTC, by bluhm
Branch: MAIN
Changes since 1.655: +6 -1 lines

Explicitly forbid to combine af-to with route-to in pfctl.  The
parser cannot handle that correctly and it is unclear whether the
kernel code would work.  Remove the feature until someone needs it
and properly implements and tests it.
OK mike@ sashan@ mpi@

Revision 1.655, Fri Aug 26 06:06:58 2016 UTC, by guenther
Branch: MAIN
Changes since 1.654: +2 -2 lines

Add <time.h> for time(); sort <*.h> includes

ok deraadt@

Revision 1.654, Mon Jul 18 15:21:33 2016 UTC, by henning
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE, OPENBSD_6_0
Changes since 1.653: +1 -1 lines

g/c unused (global!) var: oqueues isn't used any more. ALTQ leftover; not
noticed since struct node_queue stayed. ok claudio benno gcc

Revision 1.653, Wed Jun 22 10:13:14 2016 UTC, by kettenis
Branch: MAIN
Changes since 1.652: +3 -2 lines

Add curly braces that were missed in rev 1.651.  Add parentheses to make the
condition in the if statement more readable while I'm there.

ok phessler@, benno@, florian@

Revision 1.652, Tue Jun 21 21:35:24 2016 UTC, by benno
Branch: MAIN
Changes since 1.651: +9 -1 lines

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@

Revision 1.651, Tue Jun 21 13:40:43 2016 UTC, by benno
Branch: MAIN
Changes since 1.650: +4 -1 lines

the manpage documents that af-to does not work on pass out rules, but
the pf.conf parser allows it, which leads to a non-working configuration
being loaded.
this changes the parser to make pass out .. af-to an error.

ok henning@ mikeb@

Revision 1.650, Thu Jun 16 15:46:20 2016 UTC, by henning
Branch: MAIN
Changes since 1.649: +1 -0 lines

allow include in inline anchors
with this,
anchor foo {
	include "/path/to/rules"
}
works and "load anchor" is obsolete, to be removed somewhen later after
release.
co-production with reyk at bsdcan, ok reyk mikeb benno sasha

Revision 1.649 / (download) - annotate - [select for diffs], Tue Sep 1 19:12:25 2015 UTC (8 years, 9 months ago) by sashan
Branch: MAIN
CVS Tags: OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.648: +14 -4 lines
Diff to previous 1.648 (colored)

- route-to, dup-to, reply-to should not override the block action

  Spotted by Dilli Paudel <dilli ! paudel at oracle ! com>

ok jung@, ok mikeb@

Revision 1.648 / (download) - annotate - [select for diffs], Tue Apr 21 16:34:59 2015 UTC (9 years, 1 month ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8
Changes since 1.647: +51 -29 lines
Diff to previous 1.647 (colored)

Improve divert-to specification parsing w.r.t. rule address family.
ok henning

Revision 1.647 / (download) - annotate - [select for diffs], Thu Feb 26 18:27:45 2015 UTC (9 years, 3 months ago) by sthen
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.646: +3 -3 lines
Diff to previous 1.646 (colored)

%% not % in error message; ok millert@ henning@

Revision 1.646 / (download) - annotate - [select for diffs], Sat Feb 14 23:32:41 2015 UTC (9 years, 3 months ago) by sthen
Branch: MAIN
Changes since 1.645: +13 -9 lines
Diff to previous 1.645 (colored)

Rather than using 0xff as a placeholder for "don't check prio", use 0xff to
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.

Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesn't like it he can change it when he recovers from jet-lag"

Revision 1.645 / (download) - annotate - [select for diffs], Tue Feb 10 06:45:55 2015 UTC (9 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.644: +22 -0 lines
Diff to previous 1.644 (colored)

since we inherit prio (as in, the queuing priority) from outside sources,
i.e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan

Revision 1.644 / (download) - annotate - [select for diffs], Fri Jan 16 06:40:00 2015 UTC (9 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.643: +6 -6 lines
Diff to previous 1.643 (colored)

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible.  Annotate <sys/param.h> lines with their current reasons.  Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc.  Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution.  These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Revision 1.643 / (download) - annotate - [select for diffs], Fri Dec 19 13:04:07 2014 UTC (9 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.642: +14 -20 lines
Diff to previous 1.642 (colored)

Support source-hash and random with tables and dynifs; not just pools.
This finally allows using source-hash for dynamic loadbalancing, e.g.
"rdr-to <hosts> source-hash", instead of just round-robin and least-states.

An older pre-siphash version of this diff was tested by many people.

OK tedu@ benno@

Revision 1.642 / (download) - annotate - [select for diffs], Thu Nov 20 05:51:20 2014 UTC (9 years, 6 months ago) by jsg
Branch: MAIN
Changes since 1.641: +4 -1 lines
Diff to previous 1.641 (colored)

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@

Revision 1.623.2.1 / (download) - annotate - [select for diffs], Wed Oct 29 15:36:44 2014 UTC (9 years, 7 months ago) by sthen
Branch: OPENBSD_5_4
Changes since 1.623: +22 -2 lines
Diff to previous 1.623 (colored) next main 1.624 (colored)

MFC pfctl fix (parse.y 1.641, pfctl_parser.c 1.300, pfctl_parser.h 1.104)
-----
Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic.  Reported by sthen@;
ok henning benno sthen
-----

Revision 1.631.4.1 / (download) - annotate - [select for diffs], Wed Oct 29 15:36:15 2014 UTC (9 years, 7 months ago) by sthen
Branch: OPENBSD_5_5
Changes since 1.631: +22 -2 lines
Diff to previous 1.631 (colored) next main 1.632 (colored)

MFC pfctl fix (parse.y 1.641, pfctl_parser.c 1.300, pfctl_parser.h 1.104)
-----
Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic.  Reported by sthen@;
ok henning benno sthen
-----

Revision 1.636.4.1 / (download) - annotate - [select for diffs], Wed Oct 29 15:29:33 2014 UTC (9 years, 7 months ago) by sthen
Branch: OPENBSD_5_6
Changes since 1.636: +22 -2 lines
Diff to previous 1.636 (colored) next main 1.637 (colored)

MFC pfctl fix (parse.y 1.641, pfctl_parser.c 1.300, pfctl_parser.h 1.104)
-----
Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic.  Reported by sthen@;
ok henning benno sthen
-----

Revision 1.641 / (download) - annotate - [select for diffs], Mon Oct 27 21:51:32 2014 UTC (9 years, 7 months ago) by mikeb
Branch: MAIN
Changes since 1.640: +22 -2 lines
Diff to previous 1.640 (colored)

Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic.  Reported by sthen@;
ok henning benno sthen

Revision 1.640 / (download) - annotate - [select for diffs], Sat Oct 25 03:18:13 2014 UTC (9 years, 7 months ago) by lteo
Branch: MAIN
Changes since 1.639: +1 -2 lines
Diff to previous 1.639 (colored)

Remove unnecessary netinet/in_systm.h include.

ok millert@

Revision 1.639 / (download) - annotate - [select for diffs], Sat Sep 13 16:06:36 2014 UTC (9 years, 8 months ago) by doug
Branch: MAIN
Changes since 1.638: +3 -3 lines
Diff to previous 1.638 (colored)

Replace all queue *_END macro calls except CIRCLEQ_END with NULL.

CIRCLEQ_* is deprecated and not called in the tree.  The other queue types
have *_END macros which were added for symmetry with CIRCLEQ_END.  They are
defined as NULL.  There's no reason to keep the other *_END macro calls.

ok millert@

Revision 1.638 / (download) - annotate - [select for diffs], Sat Aug 23 00:11:03 2014 UTC (9 years, 9 months ago) by pelikan
Branch: MAIN
Changes since 1.637: +23 -1 lines
Diff to previous 1.637 (colored)

when you specify queues in a rule, make sure they have been defined.

DIOCADDRULE EBUSY turns into an error message that pfctl -n catches.
DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported
to occur, possibly from hfsc.c: this should be fixed as well.

ok henning mikeb sthen

Revision 1.637 / (download) - annotate - [select for diffs], Thu Aug 21 15:09:27 2014 UTC (9 years, 9 months ago) by mikeb
Branch: MAIN
Changes since 1.636: +8 -2 lines
Diff to previous 1.636 (colored)

deny "once" flags for match rules;  ok henning

Revision 1.636 / (download) - annotate - [select for diffs], Wed Jul 2 13:03:41 2014 UTC (9 years, 11 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE
Branch point for: OPENBSD_5_6
Changes since 1.635: +3 -3 lines
Diff to previous 1.635 (colored)

condition above makes this part of the check useless;
overlooked in the previous commit

Revision 1.635 / (download) - annotate - [select for diffs], Mon Jun 30 13:17:17 2014 UTC (9 years, 11 months ago) by mikeb
Branch: MAIN
Changes since 1.634: +81 -65 lines
Diff to previous 1.634 (colored)

Merge two loops in collapse_redirspec into one

This lets us do the checks only once and also make smarter decisions
about the rule's own address family.  As a result af-to rules no longer
need to specify the address family after 'pass'.

ok henning

Revision 1.634 / (download) - annotate - [select for diffs], Wed Jun 25 15:11:20 2014 UTC (9 years, 11 months ago) by mikeb
Branch: MAIN
Changes since 1.633: +35 -6 lines
Diff to previous 1.633 (colored)

Make stricter decisions when handling translation specifications.

In particular, disallow specifications containing addresses of
different address families when the rule doesn't specify one, for
example "pass out nat-to { ::1 1.1.1.1 }" will now produce an
error instead of silently picking one of the addresses.

sthen and deraadt agree

Revision 1.633 / (download) - annotate - [select for diffs], Sat May 17 08:12:53 2014 UTC (10 years ago) by bluhm
Branch: MAIN
Changes since 1.632: +12 -7 lines
Diff to previous 1.632 (colored)

When parsing a numerical value for the TOS bits, make sure that it
is in a valid range.
OK henning@

Revision 1.632 / (download) - annotate - [select for diffs], Sat Apr 19 14:22:32 2014 UTC (10 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.631: +3 -620 lines
Diff to previous 1.631 (colored)

remove altq bits here, too
(i was convinced i committed that yesterday already, hrm)

Revision 1.631 / (download) - annotate - [select for diffs], Wed Jan 22 00:21:16 2014 UTC (10 years, 4 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE
Branch point for: OPENBSD_5_5
Changes since 1.630: +3 -3 lines
Diff to previous 1.630 (colored)

relax the cfg file secrecy check slightly to allow group readability.
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian

Revision 1.630 / (download) - annotate - [select for diffs], Tue Jan 21 01:51:55 2014 UTC (10 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.629: +10 -1 lines
Diff to previous 1.629 (colored)

if_item can be "any" now.
allows things like
block out on $someif received-on any
to prevent packets from getting forwarded to $someif

Revision 1.629 / (download) - annotate - [select for diffs], Mon Jan 20 02:59:13 2014 UTC (10 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.628: +4 -2 lines
Diff to previous 1.628 (colored)

support "!received-on <interface>", ok dlg benno

Revision 1.628 / (download) - annotate - [select for diffs], Mon Nov 25 12:52:45 2013 UTC (10 years, 6 months ago) by benno
Branch: MAIN
Changes since 1.627: +7 -7 lines
Diff to previous 1.627 (colored)

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@

Revision 1.627 / (download) - annotate - [select for diffs], Fri Nov 22 04:12:48 2013 UTC (10 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.626: +3 -3 lines
Diff to previous 1.626 (colored)

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert

Revision 1.626 / (download) - annotate - [select for diffs], Thu Oct 17 19:59:54 2013 UTC (10 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.625: +5 -2 lines
Diff to previous 1.625 (colored)

cannot have queue definitions inside anchors.
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@ring0.de>, analysis & fix yours truly

Revision 1.625 / (download) - annotate - [select for diffs], Sat Oct 12 12:16:11 2013 UTC (10 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.624: +281 -75 lines
Diff to previous 1.624 (colored)

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen

Revision 1.624 / (download) - annotate - [select for diffs], Thu Aug 1 19:03:11 2013 UTC (10 years, 10 months ago) by mikeb
Branch: MAIN
Changes since 1.623: +5 -5 lines
Diff to previous 1.623 (colored)

Provide local implementations of if_nametoindex(3) and if_indextoname(3)
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule.   Performance-wise this change provides a speed up
factor of 20 with an 11k line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).

"wow!" henning, ok benno, florian

Revision 1.623 / (download) - annotate - [select for diffs], Sat Jun 1 21:51:54 2013 UTC (11 years ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE
Branch point for: OPENBSD_5_4
Changes since 1.622: +1 -10 lines
Diff to previous 1.622 (colored)

remove set-tos backwards compat, moved into the set {} block a year ago
ok ryan

Revision 1.622 / (download) - annotate - [select for diffs], Sat Mar 2 12:28:13 2013 UTC (11 years, 3 months ago) by sthen
Branch: MAIN
Changes since 1.621: +1 -2 lines
Diff to previous 1.621 (colored)

When a PF rule contains 'set tos' *followed by* a scrub option, the tos
value is changed to 0x00. Left-over from the previous implementation where
set-tos was part of "scrub". Problem reported by Jason Mader, ok henning

Revision 1.621 / (download) - annotate - [select for diffs], Wed Jan 16 01:49:20 2013 UTC (11 years, 4 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.620: +7 -0 lines
Diff to previous 1.620 (colored)

for consistency with prio etc, the queue assignment really belongs
into the set block. so make pfctl accept, print and the manpage document
.  match set queue foo
instead of
.  match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc

Revision 1.620 / (download) - annotate - [select for diffs], Thu Oct 18 15:18:57 2012 UTC (11 years, 7 months ago) by reyk
Branch: MAIN
Changes since 1.619: +9 -19 lines
Diff to previous 1.619 (colored)

Disallow tables and interface address pools for rdr-to, nat-to and
route-to with any other scheduling algorithms than round-robin or
least-states.  Before this change, pfctl accepted and loaded invalid
address pools, eg. "rdr-to <table> source-hash", but it is not
supported by the kernel and was silently ignored in operation.

Also clarify the manpage a bit by mentioning that tables are only
valid with round-robin or least-states.

ok zinke@

Revision 1.619 / (download) - annotate - [select for diffs], Tue Sep 18 10:11:52 2012 UTC (11 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.618: +4 -5 lines
Diff to previous 1.618 (colored)

prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb

Revision 1.618 / (download) - annotate - [select for diffs], Tue Jul 10 09:29:36 2012 UTC (11 years, 10 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE, OPENBSD_5_2
Changes since 1.617: +6 -14 lines
Diff to previous 1.617 (colored)

Allow an implicit address family for af-to rules.  If the address
family can be determined by the "from" or "to" parameter in the
matching part, it is no longer necessary to specify "inet" or "inet6"
there.
OK henning@ mikeb@

Revision 1.617 / (download) - annotate - [select for diffs], Tue Jul 10 09:13:41 2012 UTC (11 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.616: +2 -2 lines
Diff to previous 1.616 (colored)

set { ... } -> set ( ... )
brought up by ryan, discussed with him and theo and they convinced me

Revision 1.616 / (download) - annotate - [select for diffs], Mon Jul 9 14:05:35 2012 UTC (11 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.615: +25 -5 lines
Diff to previous 1.615 (colored)

fix some of the confusion we have in pf regarding filter criteria vs
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler

Revision 1.615 / (download) - annotate - [select for diffs], Sat Jul 7 18:39:21 2012 UTC (11 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.614: +3 -3 lines
Diff to previous 1.614 (colored)

remove incorrect check in pfctl preventing set-tos for ipvshit.
the kernel has code to deal with set-tos and that crap. don't ask for
details. stuart ok

Revision 1.614 / (download) - annotate - [select for diffs], Sat Jul 7 16:24:32 2012 UTC (11 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.613: +15 -15 lines
Diff to previous 1.613 (colored)

rename prio in struct pf_rule and related structs to set_prio so it is
utterly clear this is not a filter criterion but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc

Revision 1.613 / (download) - annotate - [select for diffs], Mon Dec 19 23:26:16 2011 UTC (12 years, 5 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_1_BASE, OPENBSD_5_1
Changes since 1.612: +2 -2 lines
Diff to previous 1.612 (colored)

unbreak rule optimizer;  ok henning, looks

Revision 1.612 / (download) - annotate - [select for diffs], Mon Dec 12 21:30:27 2011 UTC (12 years, 5 months ago) by mikeb
Branch: MAIN
Changes since 1.611: +11 -10 lines
Diff to previous 1.611 (colored)

fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule.  essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault

Revision 1.611 / (download) - annotate - [select for diffs], Sat Dec 3 12:46:16 2011 UTC (12 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.610: +2 -5 lines
Diff to previous 1.610 (colored)

pfctl_set_hostid always returns 0; don't pretend otherwise and make it a
void function instead.

ok dlg

Revision 1.610 / (download) - annotate - [select for diffs], Thu Oct 13 18:30:54 2011 UTC (12 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.609: +79 -5 lines
Diff to previous 1.609 (colored)

pfctl change for af-to / NAT64 support.
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@

Revision 1.609 / (download) - annotate - [select for diffs], Wed Sep 7 23:40:52 2011 UTC (12 years, 8 months ago) by haesbaert
Branch: MAIN
Changes since 1.608: +2 -2 lines
Diff to previous 1.608 (colored)

Avoid possible SIGSEGV with a wrong tos option.

Revision 1.608 / (download) - annotate - [select for diffs], Tue Aug 30 00:43:57 2011 UTC (12 years, 9 months ago) by mikeb
Branch: MAIN
Changes since 1.607: +15 -2 lines
Diff to previous 1.607 (colored)

One shot rules can be used in pf.conf by specifying a "once" filter option.

ok henning, mcbride

Revision 1.607 / (download) - annotate - [select for diffs], Fri Jul 29 10:51:46 2011 UTC (12 years, 10 months ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_5_0_BASE, OPENBSD_5_0
Changes since 1.606: +7 -1 lines
Diff to previous 1.606 (colored)

Remove requirement to quote 'debug' loglevel for the 'debug' option.

ok henning

Revision 1.606 / (download) - annotate - [select for diffs], Wed Jul 27 00:26:10 2011 UTC (12 years, 10 months ago) by mcbride
Branch: MAIN
Changes since 1.605: +86 -17 lines
Diff to previous 1.605 (colored)

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt

Revision 1.605 / (download) - annotate - [select for diffs], Wed Jul 13 20:57:10 2011 UTC (12 years, 10 months ago) by mcbride
Branch: MAIN
Changes since 1.604: +15 -1 lines
Diff to previous 1.604 (colored)

Force user to specify protocol when filtering on user, gid, and os
attributes (this is now required by pf_rule_test()).

ok sthen henning

Revision 1.604 / (download) - annotate - [select for diffs], Fri Jul 8 18:52:47 2011 UTC (12 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.603: +44 -3 lines
Diff to previous 1.603 (colored)

allow rules to specify "prio X" or "prio (X, Y)" to assign priority levels
for the new priority queueing implementation. valid range is 0 to 7. the old
trick for prioritizing empty ACKs etc remains through the latter notation
ok ryan mpf sthen plus pea testing and halex and claudio reading

Revision 1.603 / (download) - annotate - [select for diffs], Thu Jul 7 00:47:19 2011 UTC (12 years, 10 months ago) by mcbride
Branch: MAIN
Changes since 1.602: +3 -3 lines
Diff to previous 1.602 (colored)

Fold pf_test_fragment() into pf_test_rule(), reducing code and fixing
a bunch of bugs with fragment handling not being in sync with the
rest of the ruleset.

Much feedback from mpf, bluhm & markus
Thanks to Tony Sarendal for help with testing

ok bluhm; various previous versions ok henning, claudio, mpf, markus

Revision 1.602 / (download) - annotate - [select for diffs], Mon Jul 4 03:36:14 2011 UTC (12 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.601: +2 -86 lines
Diff to previous 1.601 (colored)

bye bye require-order.
i added that button many many many years ago since the order (options, scrub,
nat, filter) was enforced back then, which I hated. now we had that turned
off for ages, and with the scrub and nat rulesets being gone, there is very
little reason to enforce an order at all. so let's get rid of it.
introducing this button was one of my very early commits to openbsd... feels
a bit strange to remove it now :)
ok ryan dlg theo

Revision 1.601 / (download) - annotate - [select for diffs], Sun Jul 3 23:59:43 2011 UTC (12 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.600: +1 -7 lines
Diff to previous 1.600 (colored)

g/c RIO traces (aka clean up after tedu :))

Revision 1.600 / (download) - annotate - [select for diffs], Sun Jul 3 23:37:55 2011 UTC (12 years, 11 months ago) by zinke
Branch: MAIN
Changes since 1.599: +41 -16 lines
Diff to previous 1.599 (colored)

bring in least-states load balancing algorithm

ok mcbride@ henning@

Revision 1.599 / (download) - annotate - [select for diffs], Wed Apr 6 13:19:55 2011 UTC (13 years, 1 month ago) by claudio
Branch: MAIN
Changes since 1.598: +27 -2 lines
Diff to previous 1.598 (colored)

Userland bits to allow PF to filter on the rdomain a packet belongs to.
This allows writing rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@

Revision 1.598 / (download) - annotate - [select for diffs], Tue Apr 5 13:48:18 2011 UTC (13 years, 2 months ago) by mikeb
Branch: MAIN
Changes since 1.597: +4 -10 lines
Diff to previous 1.597 (colored)

ditch fastroute, an ipf feature that made its way into pf before
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do.  reuse some kernel bits for the upcoming nat64
stuff.  "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.

Revision 1.597 / (download) - annotate - [select for diffs], Fri Dec 31 12:15:31 2010 UTC (13 years, 5 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_4_9_BASE, OPENBSD_4_9
Changes since 1.596: +7 -1 lines
Diff to previous 1.596 (colored)

According to pf_scrub_ip6() pf does not support the scrub options
no-df, random-id, set-tos for IPv6 rules.  Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@

Revision 1.596 / (download) - annotate - [select for diffs], Wed Dec 15 13:54:50 2010 UTC (13 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.595: +2 -2 lines
Diff to previous 1.595 (colored)

make the "invalid probability:" yyerror suck less
From: Thomas Pfaff <tpfaff@tp76.info>

Revision 1.595 / (download) - annotate - [select for diffs], Wed Dec 1 10:35:18 2010 UTC (13 years, 6 months ago) by jsg
Branch: MAIN
Changes since 1.594: +3 -9 lines
Diff to previous 1.594 (colored)

remove some unused tokens
ok henning@ mcbride@

Revision 1.594 / (download) - annotate - [select for diffs], Fri Sep 24 09:17:46 2010 UTC (13 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.593: +4 -7 lines
Diff to previous 1.593 (colored)

remove the check that enforced rdr-to only inbound and nat-to only outbound.
both now can be used in both directions. the kernel allowed that ever since
we did the great NAT rewrite.
still enforce that a direction is given, a rule with rdr-to and/or nat-to
and no direction is pretty certainly an error (even though it would work,
technically)
ok ryan claudio dlg

Revision 1.593 / (download) - annotate - [select for diffs], Wed Sep 22 06:02:59 2010 UTC (13 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.592: +4 -2 lines
Diff to previous 1.592 (colored)

new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually

Revision 1.592 / (download) - annotate - [select for diffs], Thu Sep 2 14:01:04 2010 UTC (13 years, 9 months ago) by sobrado
Branch: MAIN
Changes since 1.591: +9 -9 lines
Diff to previous 1.591 (colored)

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@

Revision 1.591 / (download) - annotate - [select for diffs], Tue Aug 3 18:42:40 2010 UTC (13 years, 10 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE, OPENBSD_4_8
Changes since 1.590: +4 -3 lines
Diff to previous 1.590 (colored)

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?

Revision 1.590 / (download) - annotate - [select for diffs], Sat Jul 3 02:28:57 2010 UTC (13 years, 11 months ago) by mcbride
Branch: MAIN
Changes since 1.589: +15 -3 lines
Diff to previous 1.589 (colored)

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
  rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
  inline anchors.

tested by phessler
ok henning

Revision 1.589 / (download) - annotate - [select for diffs], Tue Mar 23 13:31:29 2010 UTC (14 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.588: +5 -17 lines
Diff to previous 1.588 (colored)

remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving anchors aside) is wrong and
conflicts with the general idea of how pf works. last but not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc

Revision 1.588 / (download) - annotate - [select for diffs], Wed Jan 13 05:20:10 2010 UTC (14 years, 4 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_4_7_BASE, OPENBSD_4_7
Changes since 1.587: +22 -22 lines
Diff to previous 1.587 (colored)

Move tokens before productions into more consistent places
ok mcbride

Revision 1.587 / (download) - annotate - [select for diffs], Wed Jan 13 00:56:13 2010 UTC (14 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.586: +41 -13 lines
Diff to previous 1.586 (colored)

Allow /netmask notation in redir spec, fix the rest of the regress
tests for illegal conditions in translation/routing.

Revision 1.586 / (download) - annotate - [select for diffs], Tue Jan 12 19:18:55 2010 UTC (14 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.585: +30 -59 lines
Diff to previous 1.585 (colored)

We actually have to keep the translate/route spec addresses around after
collapsing into tables, so that we can handle all possible address family
expansions.

Revision 1.585 / (download) - annotate - [select for diffs], Tue Jan 12 16:22:49 2010 UTC (14 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.584: +3 -3 lines
Diff to previous 1.584 (colored)

Set roundrobin flag correctly, and don't treat a bare interface
like a dynamic one in the routespec.

Revision 1.584 / (download) - annotate - [select for diffs], Tue Jan 12 15:52:07 2010 UTC (14 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.583: +36 -16 lines
Diff to previous 1.583 (colored)

Add restrictions to make @if illegal outside of routing specs;
Fix binat-to sanity checks.

Revision 1.583 / (download) - annotate - [select for diffs], Tue Jan 12 14:44:26 2010 UTC (14 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.582: +25 -17 lines
Diff to previous 1.582 (colored)

Fix some issues in redir spec handling, discovered thanks to dlg testing
- purge irrelevant addresses from the lists before collapsing
- ensure the lists are freed after they're collapsed
- more careful ifname copying, avoiding double-free / use-after-free traps

Revision 1.582 / (download) - annotate - [select for diffs], Tue Jan 12 03:33:28 2010 UTC (14 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.581: +2 -1 lines
Diff to previous 1.581 (colored)

Don't leak @if0 format routing host names, pointed out by claudio.

Revision 1.581 / (download) - annotate - [select for diffs], Tue Jan 12 03:20:51 2010 UTC (14 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.580: +138 -49 lines
Diff to previous 1.580 (colored)

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio

Revision 1.580 / (download) - annotate - [select for diffs], Sun Jan 10 23:48:22 2010 UTC (14 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.579: +15 -7 lines
Diff to previous 1.579 (colored)

lex <=, >=, and != into a single token for correctness and to reduce the
lookahead in the parser
ok henning otto

Revision 1.579 / (download) - annotate - [select for diffs], Sun Jan 10 07:45:41 2010 UTC (14 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.578: +12 -4 lines
Diff to previous 1.578 (colored)

In the non-optimized case, an address list containing "any" (i.e. { any 10.0.0.1 })
should be folded in the parser to any, not to 10.0.0.1.  How long this bug has
been with us is unclear.
ok guenther mcbride

Revision 1.578 / (download) - annotate - [select for diffs], Thu Dec 24 10:06:35 2009 UTC (14 years, 5 months ago) by sobrado
Branch: MAIN
Changes since 1.577: +2 -2 lines
Diff to previous 1.577 (colored)

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@

Revision 1.577 / (download) - annotate - [select for diffs], Thu Dec 24 04:24:19 2009 UTC (14 years, 5 months ago) by dlg
Branch: MAIN
Changes since 1.576: +24 -10 lines
Diff to previous 1.576 (colored)

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:

  pass out on em0 from $foo to $bar received-on fxp0

I've been running this in production for a week now. I find it particularly
useful with interface groups.

no objections, and a few "i like"s from henning, claudio, deraadt, mpf

Revision 1.576 / (download) - annotate - [select for diffs], Thu Dec 10 15:57:20 2009 UTC (14 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.575: +3 -1 lines
Diff to previous 1.575 (colored)

plug some memory leaks; found by parfait, ok henning

Revision 1.575 / (download) - annotate - [select for diffs], Sun Nov 22 22:34:50 2009 UTC (14 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.574: +10 -16 lines
Diff to previous 1.574 (colored)

cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing

Revision 1.574 / (download) - annotate - [select for diffs], Mon Nov 9 14:31:58 2009 UTC (14 years, 6 months ago) by jsg
Branch: MAIN
Changes since 1.573: +9 -9 lines
Diff to previous 1.573 (colored)

A few more places to be updated for the route pool change.
expanded version of a diff from Vadim Zhukov.

ok henning@ claudio@

Revision 1.573 / (download) - annotate - [select for diffs], Wed Oct 28 20:11:01 2009 UTC (14 years, 7 months ago) by jsg
Branch: MAIN
Changes since 1.572: +19 -14 lines
Diff to previous 1.572 (colored)

Add a dedicated pf pool for route options as suggested by henning,
which unbreaks i.e. route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@

Revision 1.572 / (download) - annotate - [select for diffs], Wed Oct 28 12:53:11 2009 UTC (14 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.571: +2 -1 lines
Diff to previous 1.571 (colored)

route_host initializes the netmask to a /128 no matter what af is used so
that the load balancing code does not freak out, but because of this
check_netmask() is now complaining. So set the addr.type to PF_ADDR_DYNIFTL
so that check_netmask() fixes up the netmask for IPv4 and stops complaining.
This is a partial fix for the failing regress test 13.
found with jsg, looks good henning

Revision 1.571 / (download) - annotate - [select for diffs], Wed Oct 28 12:41:16 2009 UTC (14 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.570: +3 -3 lines
Diff to previous 1.570 (colored)

Correct function name in err and errx.

Revision 1.570 / (download) - annotate - [select for diffs], Sun Oct 4 16:08:37 2009 UTC (14 years, 8 months ago) by michele
Branch: MAIN
Changes since 1.569: +24 -3 lines
Diff to previous 1.569 (colored)

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion,
especially canacar@ who spotted the limitations of this approach.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@

Revision 1.569 / (download) - annotate - [select for diffs], Tue Sep 8 17:52:17 2009 UTC (14 years, 8 months ago) by michele
Branch: MAIN
Changes since 1.568: +2 -15 lines
Diff to previous 1.568 (colored)

I had not enough oks to commit this diff.
Sorry.

Revision 1.568 / (download) - annotate - [select for diffs], Tue Sep 8 17:00:41 2009 UTC (14 years, 8 months ago) by michele
Branch: MAIN
Changes since 1.567: +16 -3 lines
Diff to previous 1.567 (colored)

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.

Revision 1.567 / (download) - annotate - [select for diffs], Mon Sep 7 12:21:09 2009 UTC (14 years, 8 months ago) by reyk
Branch: MAIN
Changes since 1.566: +109 -25 lines
Diff to previous 1.566 (colored)

implement binat-to as a macro-like rule: a rule using the new binat-to
syntax will be expanded by the parser to a nat-to+rdr-to combination
to be loaded into the kernel.  this simplifies the migration from old
binat rules and is less error-prone.

feedback from many, manpage bits from jmc@
ok henning@
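The binat-to expansion described above, as an added Python example that is not pfctl's own code: a tiny rule mini-grammar and an expander that turns one binat-to rule into the nat-to and rdr-to pair the commit message says pfctl loads into the kernel. Directions (out for nat-to, in for rdr-to), the endpoint swap on the rdr-to half, the dictionary field names and the requirement that the source be a single host are this example's assumptions modelled on the commit message and pf.conf(5) usage, not a transcription of parse.y.

```python
"""Expand a binat-to rule into its nat-to + rdr-to pair (illustrative model)."""
from typing import Dict, List, Optional

Rule = Dict[str, Optional[str]]

TRANSLATIONS = ('nat-to', 'rdr-to', 'binat-to')


def parse_rule(text: str) -> Rule:
    """Parse the subset of pf.conf rule syntax this example needs.

    Supported: ACTION [in|out] [on IFACE] [from SRC] [to DST] [nat-to|rdr-to|binat-to ADDR].
    Assumption: a single address or 'any' per endpoint, no lists or ports.
    """
    toks = text.split()
    if not toks:
        raise ValueError('empty rule')
    rule: Rule = {'action': toks[0], 'src': 'any', 'dst': 'any'}
    i = 1
    if i < len(toks) and toks[i] in ('in', 'out'):
        rule['direction'] = toks[i]
        i += 1
    while i < len(toks):
        kw = toks[i]
        if i + 1 >= len(toks):
            raise ValueError(f'missing argument after {kw!r}')
        arg = toks[i + 1]
        if kw == 'on':
            rule['iface'] = arg
        elif kw == 'from':
            rule['src'] = arg
        elif kw == 'to':
            rule['dst'] = arg
        elif kw in TRANSLATIONS:
            rule[kw.replace('-', '_')] = arg
        else:
            raise ValueError(f'unsupported keyword {kw!r}')
        i += 2
    return rule


def format_rule(rule: Rule) -> str:
    """Render a rule dictionary back into pf.conf-style text."""
    parts = [rule['action']]
    if rule.get('direction'):
        parts.append(rule['direction'])
    if rule.get('iface'):
        parts += ['on', rule['iface']]
    parts += ['from', rule.get('src') or 'any', 'to', rule.get('dst') or 'any']
    for kw in TRANSLATIONS:
        value = rule.get(kw.replace('-', '_'))
        if value:
            parts += [kw, value]
    return ' '.join(parts)


def expand_binat(rule: Rule) -> List[Rule]:
    """Return [rule] unchanged, or the nat-to/rdr-to pair for a binat-to rule.

    Assumed expansion: the outgoing half keeps src/dst and gains nat-to TARGET;
    the incoming half matches traffic to TARGET and gains rdr-to ORIGINAL_SRC.
    """
    target = rule.get('binat_to')
    if not target:
        return [rule]
    src = rule.get('src') or 'any'
    if src == 'any':
        raise ValueError('binat-to needs a single source host to map back to')
    base = {k: v for k, v in rule.items() if k != 'binat_to'}
    outgoing = dict(base, direction='out', src=src,
                    dst=rule.get('dst') or 'any', nat_to=target)
    incoming = dict(base, direction='in', src=rule.get('dst') or 'any',
                    dst=target, rdr_to=src)
    return [outgoing, incoming]


def expand_binat_text(text: str) -> List[str]:
    """Convenience wrapper: pf.conf text in, expanded pf.conf text out."""
    return [format_rule(r) for r in expand_binat(parse_rule(text))]


if __name__ == '__main__':
    # Constructed sample rule, not taken from any real ruleset.
    for line in expand_binat_text('match on em0 from 10.0.0.5 binat-to 192.0.2.5'):
        print(line)
```

Running the block prints the two rules the single binat-to line stands for, which is also what to compare against `pfctl -nvf` output when checking whether a migrated ruleset still means what the old binat rule meant.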

Revision 1.566 / (download) - annotate - [select for diffs], Thu Sep 3 12:16:21 2009 UTC (14 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.565: +2 -2 lines
Diff to previous 1.565 (colored)

this time i commit the right diff that was
ok henning@ (sorry)

Revision 1.565 / (download) - annotate - [select for diffs], Thu Sep 3 12:12:37 2009 UTC (14 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.564: +4 -3 lines
Diff to previous 1.564 (colored)

fix two route-to vs. rdr-to conflicts.

found by sthen@
ok henning@

Revision 1.564 / (download) - annotate - [select for diffs], Wed Sep 2 13:28:03 2009 UTC (14 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.563: +115 -113 lines
Diff to previous 1.563 (colored)

all the new *-to options are part of the "filteropts" section at the
end of a pf rule (nat-to, divert-to, rdr-to, ...).  take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.

for example,
  pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
  pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)

many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@

Revision 1.563 / (download) - annotate - [select for diffs], Tue Sep 1 13:42:00 2009 UTC (14 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.562: +210 -649 lines
Diff to previous 1.562 (colored)

the diff theo calls me insanae for:
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too

Revision 1.562 / (download) - annotate - [select for diffs], Tue Jul 28 13:26:52 2009 UTC (14 years, 10 months ago) by claudio
Branch: MAIN
Changes since 1.561: +60 -10 lines
Diff to previous 1.561 (colored)

Bring back rev. 1.560:
Make it possible to use DiffServ Code Point in the TOS fields.
Requested by deraadt@

Revision 1.561 / (download) - annotate - [select for diffs], Mon Jul 27 19:00:28 2009 UTC (14 years, 10 months ago) by deraadt
Branch: MAIN
Changes since 1.560: +9 -59 lines
Diff to previous 1.560 (colored)

When will people learn to commit their .h file changes?

Revision 1.560 / (download) - annotate - [select for diffs], Mon Jul 27 12:56:48 2009 UTC (14 years, 10 months ago) by claudio
Branch: MAIN
Changes since 1.559: +60 -10 lines
Diff to previous 1.559 (colored)

Make it possible to use DiffServ Code Point in the TOS fields. Names like
af11, cs6 and ef will now be mapped to the corresponding TOS value.
OK henning@, sthen@, mcbride@

Revision 1.559 / (download) - annotate - [select for diffs], Thu May 14 22:56:11 2009 UTC (15 years ago) by sthen
Branch: MAIN
CVS Tags: OPENBSD_4_6_BASE, OPENBSD_4_6
Changes since 1.558: +2 -2 lines
Diff to previous 1.558 (colored)

actually change the require-order default to No; I missed a part with
my last commit.  ok deraadt@

Revision 1.558 / (download) - annotate - [select for diffs], Sun Apr 26 12:30:20 2009 UTC (15 years, 1 month ago) by sthen
Branch: MAIN
Changes since 1.557: +2 -2 lines
Diff to previous 1.557 (colored)

switch the require-order default to "no". regression tests still pass.
ok henning@ deraadt@

Revision 1.557 / (download) - annotate - [select for diffs], Sat Apr 25 19:29:54 2009 UTC (15 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.556: +1 -5 lines
Diff to previous 1.556 (colored)

scrub_opts must not be empty, scrub on its own does nothing.
noticed due to a question from otto@, ok regress/sbin/pfctl/ ;)

Revision 1.556 / (download) - annotate - [select for diffs], Mon Apr 6 12:05:55 2009 UTC (15 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.555: +80 -125 lines
Diff to previous 1.555 (colored)

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
.  set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
.  pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
.  match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. as opposed to pass or block, they do NOT change the
pass/block state of a packet. i.e.
.  pass
.  match
passes the packet, and
.  block
.  match
blocks it.
Every time (!) a match rule matches, i.e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
 means a single packet can get logged more than once (think multiple log
 interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.
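The match-rule semantics described above (rev 1.556) and the inline address rewrite from the NAT rewrite in rev 1.563 earlier on this page, modelled as an added Python example that is not pf's own code: match rules apply their options every time they match without touching the verdict, the last matching pass/block rule decides and quick stops evaluation, the last rule that set a queue or rtable wins, every log option logs, and an rdr-to on a match rule rewrites the destination that later rules see. The rule and packet representation, the single-address matching and the default-pass verdict when nothing matches are this example's assumptions.

```python
"""Toy evaluator for pf match/pass/block semantics with inline rdr-to."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    action: str                   # 'pass', 'block' or 'match'
    direction: str = 'in'
    src: str = 'any'              # single address or 'any' (assumption)
    dst: str = 'any'
    quick: bool = False
    rdr_to: Optional[str] = None  # inline destination rewrite
    queue: Optional[str] = None
    rtable: Optional[int] = None
    log: Optional[str] = None     # log interface, e.g. 'pflog0'


@dataclass
class Packet:
    direction: str
    src: str
    dst: str


@dataclass
class Verdict:
    action: str = 'pass'          # pf passes a packet no rule matches
    dst: str = ''                 # destination after any rdr-to
    queue: Optional[str] = None
    rtable: Optional[int] = None
    logged: List[str] = field(default_factory=list)   # one entry per log
    matched: List[int] = field(default_factory=list)  # rule indexes hit


def _apply_options(rule: Rule, v: Verdict) -> None:
    """Queue/rtable: last setter wins. Log: every setter logs. rdr-to: rewrite."""
    if rule.queue is not None:
        v.queue = rule.queue
    if rule.rtable is not None:
        v.rtable = rule.rtable
    if rule.log is not None:
        v.logged.append(rule.log)
    if rule.rdr_to is not None:
        v.dst = rule.rdr_to


def _matches(rule: Rule, pkt: Packet, current_dst: str) -> bool:
    # Later rules match against the already rewritten destination.
    return (rule.direction == pkt.direction
            and rule.src in ('any', pkt.src)
            and rule.dst in ('any', current_dst))


def evaluate(rules: List[Rule], pkt: Packet) -> Verdict:
    v = Verdict(dst=pkt.dst)
    final: Optional[Rule] = None
    for i, rule in enumerate(rules):
        if not _matches(rule, pkt, v.dst):
            continue
        v.matched.append(i)
        if rule.action == 'match':
            _apply_options(rule, v)   # applied on every hit, verdict untouched
            continue
        final = rule                  # last matching pass/block wins ...
        if rule.quick:
            break                     # ... unless quick ends the walk
    if final is not None:
        v.action = final.action
        _apply_options(final, v)      # the winning rule's own options apply
    return v


if __name__ == '__main__':
    # Constructed sample packet and rules, not from any real ruleset.
    pkt = Packet('in', '10.1.1.1', '192.0.2.1')
    chain = [
        Rule('match', rdr_to='1.2.3.4', queue='bulk', log='pflog1'),
        Rule('match', dst='1.2.3.4', rdr_to='5.6.7.8', log='pflog2'),
        Rule('pass'),
        Rule('match'),
    ]
    print(evaluate(chain, pkt))
```

The script prints a Verdict whose dst has gone through both rewrites, whose queue came from the first match rule although the winning pass rule set none, and whose logged list has one entry per logging rule, which is the double-logging behaviour the commit message warns about.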

Revision 1.555 / (download) - annotate - [select for diffs], Thu Feb 19 17:08:42 2009 UTC (15 years, 3 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_4_5_BASE, OPENBSD_4_5
Changes since 1.554: +4 -4 lines
Diff to previous 1.554 (colored)

spacing

Revision 1.554 / (download) - annotate - [select for diffs], Fri Oct 17 12:59:53 2008 UTC (15 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.553: +5 -3 lines
Diff to previous 1.553 (colored)

in findeol(), do not skip the pushback buffer. fixes PR 5952 by sthen@ and
should make the pushback buffer really transparent.
diagnosis by me, fix with mpf, some input deraadt, ok mpf

Revision 1.553 / (download) - annotate - [select for diffs], Thu Oct 2 12:31:18 2008 UTC (15 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.552: +20 -6 lines
Diff to previous 1.552 (colored)

implement "set state-defaults X", where X is a list of state options as
permitted keep state(X). applies to all rules which do not have keep state
explicitly. e. g. "set state-defaults pflow, no-sync"
ok phessler deraadt

Revision 1.552 / (download) - annotate - [select for diffs], Wed Sep 10 00:32:03 2008 UTC (15 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.551: +2 -2 lines
Diff to previous 1.551 (colored)

do not try to print $$ when it has not been set

Revision 1.551 / (download) - annotate - [select for diffs], Tue Sep 9 13:56:38 2008 UTC (15 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.550: +22 -3 lines
Diff to previous 1.550 (colored)

welcome pflow(4), a netflow v5 compatible flow export interface.
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo

Revision 1.550 / (download) - annotate - [select for diffs], Thu Aug 7 18:29:32 2008 UTC (15 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.549: +2 -1 lines
Diff to previous 1.549 (colored)

correctly copy the log interface spec when expanding an antispoof rule that
covers loopback addresses. ok ryan
problem report from Harald Dunkel <harald.dunkel@aixigo.de>

Revision 1.549 / (download) - annotate - [select for diffs], Thu Jul 3 16:09:34 2008 UTC (15 years, 11 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_4_4_BASE, OPENBSD_4_4
Changes since 1.548: +3 -1 lines
Diff to previous 1.548 (colored)

do not forget to initialize other member of $$ in qname; noted by mark shroyer
ok henning

Revision 1.548 / (download) - annotate - [select for diffs], Tue Jun 10 20:55:02 2008 UTC (15 years, 11 months ago) by mcbride
Branch: MAIN
Changes since 1.547: +3 -1 lines
Diff to previous 1.547 (colored)

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt

Revision 1.547 / (download) - annotate - [select for diffs], Tue Jun 10 04:28:54 2008 UTC (15 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.546: +27 -3 lines
Diff to previous 1.546 (colored)

new state option "sloppy" to use the sloppy tcp state tracker instead
of the good one. ok theo ryan reyk

Revision 1.546 / (download) - annotate - [select for diffs], Fri May 9 08:16:07 2008 UTC (16 years ago) by deraadt
Branch: MAIN
Changes since 1.545: +63 -71 lines
Diff to previous 1.545 (colored)

Replace a crockpot of semi-cloned productions for handling port
numbers with one, and fix a few other bugs along the way
ok mpf henning

Revision 1.545 / (download) - annotate - [select for diffs], Fri May 9 05:41:01 2008 UTC (16 years ago) by markus
Branch: MAIN
Changes since 1.544: +5 -5 lines
Diff to previous 1.544 (colored)

convert port byte order in the production; add port keyword; ok deraadt@

Revision 1.544 / (download) - annotate - [select for diffs], Fri May 9 02:44:54 2008 UTC (16 years ago) by markus
Branch: MAIN
Changes since 1.543: +49 -1 lines
Diff to previous 1.543 (colored)

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@

Revision 1.543 / (download) - annotate - [select for diffs], Thu May 8 08:08:36 2008 UTC (16 years ago) by deraadt
Branch: MAIN
Changes since 1.542: +38 -34 lines
Diff to previous 1.542 (colored)

make "to any" optional in binat, or well, the implied default.
requested by reyk, ok reyk mpf

Revision 1.542 / (download) - annotate - [select for diffs], Thu May 8 07:29:30 2008 UTC (16 years ago) by deraadt
Branch: MAIN
Changes since 1.541: +58 -54 lines
Diff to previous 1.541 (colored)

Loosen grammar to permit any number of newlines within most kinds of { }
blocks, as requested by reyk; ok reyk mpf henning

Revision 1.541 / (download) - annotate - [select for diffs], Thu May 8 00:17:26 2008 UTC (16 years ago) by deraadt
Branch: MAIN
Changes since 1.540: +22 -14 lines
Diff to previous 1.540 (colored)

Bring back (in a more yacc friendly way) support for setting variables
to a sequence of strings and numbers, which get folded together into one
string (and later, when used, is re-lexed)
ok mpf

Revision 1.540 / (download) - annotate - [select for diffs], Wed May 7 08:08:39 2008 UTC (16 years ago) by deraadt
Branch: MAIN
Changes since 1.539: +2 -2 lines
Diff to previous 1.539 (colored)

do not assume PF_INOUT is 0 in the enum; ok mcbride

Revision 1.539 / (download) - annotate - [select for diffs], Wed May 7 07:07:29 2008 UTC (16 years ago) by markus
Branch: MAIN
Changes since 1.538: +15 -1 lines
Diff to previous 1.538 (colored)

scrub packets based on tags; ok henning

Revision 1.538 / (download) - annotate - [select for diffs], Wed May 7 06:23:30 2008 UTC (16 years ago) by markus
Branch: MAIN
Changes since 1.537: +31 -16 lines
Diff to previous 1.537 (colored)

allow setting TOS with scrub; ok mcbride, claudio

Revision 1.537 / (download) - annotate - [select for diffs], Mon Apr 21 01:42:19 2008 UTC (16 years, 1 month ago) by deraadt
Branch: MAIN
Changes since 1.536: +5 -9 lines
Diff to previous 1.536 (colored)

optnl is a crutch for those who do not understand yacc.  it
leads to a variety of errors; ok mcbride

Revision 1.536 / (download) - annotate - [select for diffs], Fri Feb 1 06:58:45 2008 UTC (16 years, 4 months ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_4_3_BASE, OPENBSD_4_3
Changes since 1.535: +53 -3 lines
Diff to previous 1.535 (colored)

Enable the rest of the filter_opts to be used on anchors. These were accepted
by the parser but not passed to the kernel.  This allows filtering based on
uid, gid, icmp options, tcp flags, os fingerprint, tos, tags, and probability;
It also allows the label to be set. State options and tagging are not
permitted.

ok henning mpf

Revision 1.535 / (download) - annotate - [select for diffs], Tue Nov 13 00:47:56 2007 UTC (16 years, 6 months ago) by mpf
Branch: MAIN
Changes since 1.534: +17 -3 lines
Diff to previous 1.534 (colored)

Bring back the number converter for 'set hostid'.
I forgot to think about hex numbers when I removed it.
OK deraadt@

Revision 1.534 / (download) - annotate - [select for diffs], Mon Nov 12 23:59:41 2007 UTC (16 years, 6 months ago) by mpf
Branch: MAIN
Changes since 1.533: +2 -10 lines
Diff to previous 1.533 (colored)

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@

Revision 1.533 / (download) - annotate - [select for diffs], Thu Oct 25 21:36:21 2007 UTC (16 years, 7 months ago) by mpf
Branch: MAIN
Changes since 1.532: +32 -18 lines
Diff to previous 1.532 (colored)

Fix probability rules w/ numbers (e.g probability 0.4).
Add support for probabilities of 0% and 100%.
With and OK deraadt@

Revision 1.532 / (download) - annotate - [select for diffs], Mon Oct 22 16:35:33 2007 UTC (16 years, 7 months ago) by pyr
Branch: MAIN
Changes since 1.531: +6 -2 lines
Diff to previous 1.531 (colored)

sync with daemon parser code.
ok deraadt@

Revision 1.531 / (download) - annotate - [select for diffs], Mon Oct 22 00:40:46 2007 UTC (16 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.530: +3 -3 lines
Diff to previous 1.530 (colored)

pfctl does not need file secrecy

Revision 1.530 / (download) - annotate - [select for diffs], Tue Oct 16 19:20:27 2007 UTC (16 years, 7 months ago) by mpf
Branch: MAIN
Changes since 1.529: +17 -18 lines
Diff to previous 1.529 (colored)

Allow unquoted numbers in variables.
Change 'set hostid' to NUMBER and remove unneeded converter.
Add '=' to allowed_to_end_number(x) to make varsets like 4=5 illegal.

OK deraadt@

Revision 1.529 / (download) - annotate - [select for diffs], Tue Oct 16 06:06:49 2007 UTC (16 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.528: +4 -2 lines
Diff to previous 1.528 (colored)

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation).  compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr

Revision 1.528 / (download) - annotate - [select for diffs], Sat Oct 13 21:49:13 2007 UTC (16 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.527: +20 -3 lines
Diff to previous 1.527 (colored)

support an include directive; file of course must also be "secure" like
the main configuration file; ok henning

Revision 1.527 / (download) - annotate - [select for diffs], Sat Oct 13 16:35:18 2007 UTC (16 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.526: +186 -101 lines
Diff to previous 1.526 (colored)

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex.  this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.

Revision 1.526 / (download) - annotate - [select for diffs], Thu Oct 11 14:39:16 2007 UTC (16 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.525: +30 -19 lines
Diff to previous 1.525 (colored)

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others

Revision 1.525 / (download) - annotate - [select for diffs], Mon Oct 1 12:37:40 2007 UTC (16 years, 8 months ago) by mpf
Branch: MAIN
Changes since 1.524: +16 -25 lines
Diff to previous 1.524 (colored)

Backout NUMBER to string conversion.
Requested by deraadt@

Revision 1.524 / (download) - annotate - [select for diffs], Thu Sep 27 22:24:05 2007 UTC (16 years, 8 months ago) by mpf
Branch: MAIN
Changes since 1.523: +11 -3 lines
Diff to previous 1.523 (colored)

Add loginterface support for groups.
Using a group sums up the statistics of all members.
Modify pfctl(1) slightly to allow a groupname "all",
which gives us an overall pf(4) statistic.

OK henning@, markus@

Revision 1.523 / (download) - annotate - [select for diffs], Sun Sep 23 20:59:59 2007 UTC (16 years, 8 months ago) by mpf
Branch: MAIN
Changes since 1.522: +25 -16 lines
Diff to previous 1.522 (colored)

Allow numbers to be used as unquoted strings again.
While there, also restrict the use of concatenated, unquoted
strings for variable assignments only.

Eyeballed by markus@, OK henning@

Revision 1.522 / (download) - annotate - [select for diffs], Wed Sep 12 18:49:03 2007 UTC (16 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.521: +9 -5 lines
Diff to previous 1.521 (colored)

add a missing range check for rtable ids; ok cloder henning

Revision 1.521 / (download) - annotate - [select for diffs], Wed Sep 12 15:58:40 2007 UTC (16 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.520: +334 -187 lines
Diff to previous 1.520 (colored)

Add support to the lex for parsing numbers out of the stream.  handle
this in the parser.  because the new numbers are int64_t, many new
range checks for < 0 are needed.  re-check and improve all the
existing rangechecks while at it.  thanks for help by cloder and
dhartmei

Revision 1.520 / (download) - annotate - [select for diffs], Thu Aug 30 09:28:49 2007 UTC (16 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.519: +37 -0 lines
Diff to previous 1.519 (colored)

add support for address ranges ("from 10.1.2.50 - 10.1.3.75") in from/to
criteria. ok mcbride@

Revision 1.519 / (download) - annotate - [select for diffs], Thu Jun 21 19:30:03 2007 UTC (16 years, 11 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_4_2_BASE, OPENBSD_4_2
Changes since 1.518: +3 -3 lines
Diff to previous 1.518 (colored)

always initialize logif, from max laier, ok ryan

Revision 1.518 / (download) - annotate - [select for diffs], Wed Jun 20 14:14:17 2007 UTC (16 years, 11 months ago) by mpf
Branch: MAIN
Changes since 1.517: +7 -6 lines
Diff to previous 1.517 (colored)

Allow "log" for nat rules without "pass".
OK henning@, ``passt scho'' markus@

Revision 1.517 / (download) - annotate - [select for diffs], Sat Feb 3 23:26:40 2007 UTC (17 years, 4 months ago) by dhartmei
Branch: MAIN
CVS Tags: OPENBSD_4_1_BASE, OPENBSD_4_1
Changes since 1.516: +8 -12 lines
Diff to previous 1.516 (colored)

in decide_address_family(), only limit a rule to a specific address family
when ALL entries have this specific AF (when even just one entry has no
specific AF, use any). found by Maurice Janssen, ok henning@

Revision 1.516 / (download) - annotate - [select for diffs], Tue Nov 7 01:12:01 2006 UTC (17 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.515: +30 -27 lines
Diff to previous 1.515 (colored)

Unbreak authpf by handling non-inline anchors separately from the { } anchors
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.

ok deraadt@

Revision 1.515 / (download) - annotate - [select for diffs], Tue Oct 31 14:17:44 2006 UTC (17 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.514: +28 -7 lines
Diff to previous 1.514 (colored)

Allow pfctl ruleset optimizer to be controlled from the ruleset.

"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]

You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.

cleanup and ok henning@

Revision 1.514 / (download) - annotate - [select for diffs], Tue Oct 31 07:02:35 2006 UTC (17 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.513: +8 -1 lines
Diff to previous 1.513 (colored)

- don't allow anchors with _* names to be cleared or loaded from the
  command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified

'looks sensible' deraadt@

Revision 1.513 / (download) - annotate - [select for diffs], Sat Oct 28 14:29:05 2006 UTC (17 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.512: +123 -15 lines
Diff to previous 1.512 (colored)

Load all rules into memory before loading into the kernel, and add support
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").

anchor on fxp0 {
	pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@

Revision 1.512 / (download) - annotate - [select for diffs], Wed Oct 25 14:50:30 2006 UTC (17 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.511: +6 -6 lines
Diff to previous 1.511 (colored)

make absolutely sure logif is 0 unless set specifically, even if log is 0.
logif is to be considered invalid unless log is set, but we need this to
please the optimizer...

Revision 1.511 / (download) - annotate - [select for diffs], Wed Oct 25 11:53:46 2006 UTC (17 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.510: +2 -2 lines
Diff to previous 1.510 (colored)

and another nit, $$.log should be set to 0 explicitly on quick without log

Revision 1.510 / (download) - annotate - [select for diffs], Wed Oct 25 11:45:48 2006 UTC (17 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.509: +2 -2 lines
Diff to previous 1.509 (colored)

urgs, $$.quick needs to be set to 0 explicitly on log (without quick)

Revision 1.509 / (download) - annotate - [select for diffs], Wed Oct 25 11:28:36 2006 UTC (17 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.508: +51 -14 lines
Diff to previous 1.508 (colored)

allow the log interface to be selected like
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride

Revision 1.508 / (download) - annotate - [select for diffs], Tue Oct 17 07:14:28 2006 UTC (17 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.507: +4 -3 lines
Diff to previous 1.507 (colored)

Don't automatically set 'flags S/SA' on stateless rules.

pointed out by david@

ok mpf@ dhartmei@

Revision 1.507 / (download) - annotate - [select for diffs], Wed Oct 11 21:04:18 2006 UTC (17 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.506: +2 -2 lines
Diff to previous 1.506 (colored)

quotes around filename, pr 5253, sthen@zephyr.spacehopper.org

Revision 1.506 / (download) - annotate - [select for diffs], Wed Oct 11 08:42:31 2006 UTC (17 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.505: +18 -13 lines
Diff to previous 1.505 (colored)

Allow the 'quick' keyword on an anchor. IFF there is a matching rule inside
the anchor, terminate ruleset evaluation when stepping out of the anchor.

This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.

ok dhartmei@ henning@ deraadt@

Revision 1.505 / (download) - annotate - [select for diffs], Fri Oct 6 11:05:30 2006 UTC (17 years, 8 months ago) by mcbride
Branch: MAIN
Changes since 1.504: +2 -2 lines
Diff to previous 1.504 (colored)

Oops, flags S/SA doesn't work on fragments.

Revision 1.504 / (download) - annotate - [select for diffs], Fri Oct 6 10:45:44 2006 UTC (17 years, 8 months ago) by mcbride
Branch: MAIN
Changes since 1.503: +20 -2 lines
Diff to previous 1.503 (colored)

Make 'flags S/SA keep state' the implicit for filter rules, based on
a suggestion from dhartmei@. Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.

IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.

Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.

ok dhartmei@ deraadt@ henning@

Revision 1.503 / (download) - annotate - [select for diffs], Tue Aug 22 15:55:13 2006 UTC (17 years, 9 months ago) by dhartmei
Branch: MAIN
CVS Tags: OPENBSD_4_0_BASE, OPENBSD_4_0
Changes since 1.502: +34 -65 lines
Diff to previous 1.502 (colored)

back out -r1.497 (support for "tagged {}" lists), it broke "tagged" support
for nat rules. sorry, existing functionality trumps syntactic sugar. feel
free to resubmit a complete patch. closes PR 5207.

Revision 1.502 / (download) - annotate - [select for diffs], Thu Jul 6 13:26:41 2006 UTC (17 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.501: +111 -53 lines
Diff to previous 1.501 (colored)

add "rtable" to select alternate routing tables.
with & ok claudio hshoexer

Revision 1.501 / (download) - annotate - [select for diffs], Sat Jun 17 11:38:41 2006 UTC (17 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.500: +18 -16 lines
Diff to previous 1.500 (colored)

KNF

Revision 1.500 / (download) - annotate - [select for diffs], Sun May 28 03:05:53 2006 UTC (18 years ago) by mcbride
Branch: MAIN
Changes since 1.499: +13 -1 lines
Diff to previous 1.499 (colored)

Make per-rule adaptive timeouts behave the same way as the global adaptive
timeouts.

Revision 1.499 / (download) - annotate - [select for diffs], Fri May 26 01:06:12 2006 UTC (18 years ago) by deraadt
Branch: MAIN
Changes since 1.498: +2 -4 lines
Diff to previous 1.498 (colored)

\<char> is <char> except for \<newline> -- no exceptions.  much like how
other things work.  ok henning

Revision 1.498 / (download) - annotate - [select for diffs], Tue May 2 10:08:45 2006 UTC (18 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.497: +9 -4 lines
Diff to previous 1.497 (colored)

fix creation of sub-anchors, e.g. if you create an anchor /foo/bar, create
only bar under foo, not /bar as well.
secondly, when using "load anchor from" from a sub-anchor, the loading
point should be relative to the sub-anchor doing the load (unless absolute
paths are used, of course).
from Boris Polevoy. probably a -stable candidate.

Revision 1.497 / (download) - annotate - [select for diffs], Mon May 1 12:24:32 2006 UTC (18 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.496: +65 -34 lines
Diff to previous 1.496 (colored)

add support for "tagged {}" lists, from Pierre-Yves Ritschard

Revision 1.496 / (download) - annotate - [select for diffs], Thu Apr 6 21:54:56 2006 UTC (18 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.495: +3 -3 lines
Diff to previous 1.495 (colored)

allow lists inside lists for address specs, has been in my tree for
quite some time... theo likes

Revision 1.495 / (download) - annotate - [select for diffs], Tue Mar 14 11:09:43 2006 UTC (18 years, 2 months ago) by djm
Branch: MAIN
Changes since 1.494: +39 -3 lines
Diff to previous 1.494 (colored)

implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4)
which optionally verifies that a packet is received on the interface
that holds the route back to the packet's source address. This makes
it an automatic ingress filter, but only when routing is fully
symmetric.

bugfix feedback claudio@; ok claudio@ and dhartmei@

Revision 1.494 / (download) - annotate - [select for diffs], Thu Nov 17 20:52:39 2005 UTC (18 years, 6 months ago) by dhartmei
Branch: MAIN
CVS Tags: OPENBSD_3_9_BASE, OPENBSD_3_9
Changes since 1.493: +7 -2 lines
Diff to previous 1.493 (colored)

for pfctl -f rules, open the file before resetting options. when opening
the file fails, produce only the error message and leave options
unchanged. reported by Tamas TEVESZ, ok deraadt@

Revision 1.493 / (download) - annotate - [select for diffs], Thu Oct 13 13:27:06 2005 UTC (18 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.492: +2 -2 lines
Diff to previous 1.492 (colored)

unused parameters

Revision 1.492 / (download) - annotate - [select for diffs], Tue Jun 14 18:15:49 2005 UTC (18 years, 11 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_3_8_BASE, OPENBSD_3_8
Changes since 1.491: +1 -6 lines
Diff to previous 1.491 (colored)

no need to restrict tagging to stateful rules any more, dhartmei ok
From: "Alexey E. Suslikov" <cruel@texnika.com.ua>

Revision 1.491 / (download) - annotate - [select for diffs], Fri May 27 18:52:41 2005 UTC (19 years ago) by dhartmei
Branch: MAIN
Changes since 1.490: +4 -6 lines
Diff to previous 1.490 (colored)

get rid of 'log-all'. now that we have 'log (options)', make 'all' an
option to log. so, 'log-all' becomes 'log (all)'.

Revision 1.490 / (download) - annotate - [select for diffs], Fri May 27 18:41:29 2005 UTC (19 years ago) by dhartmei
Branch: MAIN
Changes since 1.489: +2 -3 lines
Diff to previous 1.489 (colored)

get rid of shift/reduce conflicts, don't support empty logopts

Revision 1.489 / (download) - annotate - [select for diffs], Fri May 27 17:22:40 2005 UTC (19 years ago) by dhartmei
Branch: MAIN
Changes since 1.488: +13 -4 lines
Diff to previous 1.488 (colored)

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v is used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.

Revision 1.488 / (download) - annotate - [select for diffs], Fri May 27 03:54:27 2005 UTC (19 years ago) by dhartmei
Branch: MAIN
Changes since 1.487: +8 -8 lines
Diff to previous 1.487 (colored)

allow 'tagged' in 'anchor' rules (without complaining about missing
'keep state'), as a condition to branch into the anchor. suggested
by Bill Marquette.

Revision 1.487 / (download) - annotate - [select for diffs], Thu May 26 20:20:38 2005 UTC (19 years ago) by camield
Branch: MAIN
Changes since 1.486: +7 -7 lines
Diff to previous 1.486 (colored)

The illegalness of "no nat log" is already enforced by the grammar.

ok dhartmei

Revision 1.486 / (download) - annotate - [select for diffs], Thu May 26 15:29:48 2005 UTC (19 years ago) by dhartmei
Branch: MAIN
Changes since 1.485: +27 -12 lines
Diff to previous 1.485 (colored)

support 'log' and 'log-all' in 'nat/rdr/binat pass' rules. original patch
from camield@. use #defines PF_LOG, PF_LOGALL instead of magic constants.
ok frantzen@, camield@

Revision 1.485 / (download) - annotate - [select for diffs], Mon May 23 21:29:50 2005 UTC (19 years ago) by camield
Branch: MAIN
Changes since 1.484: +5 -23 lines
Diff to previous 1.484 (colored)

remove code that duplicates getservice()

ok dhartmei mcbride

Revision 1.484 / (download) - annotate - [select for diffs], Sat May 21 21:03:58 2005 UTC (19 years ago) by henning
Branch: MAIN
Changes since 1.483: +2 -10 lines
Diff to previous 1.483 (colored)

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo

Revision 1.483 / (download) - annotate - [select for diffs], Fri Apr 22 11:05:36 2005 UTC (19 years, 1 month ago) by camield
Branch: MAIN
Changes since 1.482: +7 -3 lines
Diff to previous 1.482 (colored)

Catch bad flags, ie. flags that always evaluate to false.  This happens
if there are flags on the lefthandside that are masked off by the
righthand side.

ok mcbride@ (long time ago) dhartmei@ henning@
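
As an added example (not pfctl's own code), a small parser for a pf.conf "flags set/mask" spec such as "S/SA" that performs the check this commit describes: a flag set on the left-hand side that the right-hand mask does not include can never match, so the spec is rejected. The letter-to-bit mapping follows pf's TCP flag letters; the bit values and return codes are constructed for the demo.

```c
/*
 * Added example, not code from pfctl's parse.y: parse a "flags set/mask"
 * spec and reject combinations that always evaluate to false, i.e. a
 * left-hand flag that the right-hand mask does not cover.
 */
#include <string.h>

/* pf.conf TCP flag letters, one bit each in this order: F S R P A U E W.
 * The bit positions are constructed for the demo. */
static const char flag_letters[] = "FSRPAUEW";

/* Turn `len` letters into a bitmask; -1 on an unknown letter. */
static int
parse_flag_letters(const char *s, size_t len, unsigned int *out)
{
	unsigned int bits = 0;
	size_t i;

	for (i = 0; i < len; i++) {
		const char *p;

		if (s[i] == '\0')
			return (-1);
		p = strchr(flag_letters, s[i]);
		if (p == NULL)
			return (-1);
		bits |= 1u << (p - flag_letters);
	}
	*out = bits;
	return (0);
}

/*
 * Parse "set/mask" into two bitmasks.
 * Returns  0 when the spec is well formed and can match,
 *         -1 on a syntax error (missing '/', unknown letter),
 *         -2 when the spec always evaluates to false: some bit in the
 *            left-hand set is masked off by the right-hand side, e.g.
 *            "A/S" or "SA/S" (the case the commit catches).
 */
static int
check_flags(const char *spec, unsigned int *set, unsigned int *mask)
{
	const char *slash = strchr(spec, '/');

	if (slash == NULL)
		return (-1);
	if (parse_flag_letters(spec, (size_t)(slash - spec), set) == -1)
		return (-1);
	if (parse_flag_letters(slash + 1, strlen(slash + 1), mask) == -1)
		return (-1);
	if ((*set & ~*mask) != 0)
		return (-2);	/* left-hand flag not in the mask: never matches */
	return (0);
}
```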

Revision 1.482 / (download) - annotate - [select for diffs], Mon Mar 7 13:20:03 2005 UTC (19 years, 3 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_3_7_BASE, OPENBSD_3_7
Changes since 1.481: +8 -8 lines
Diff to previous 1.481 (colored)

print unsigned long with %lu, not with %d and not with %ld.
From: Andrey Matveev <andrushock@korovino.net>

Revision 1.481 / (download) - annotate - [select for diffs], Sun Mar 6 19:11:36 2005 UTC (19 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.480: +13 -10 lines
Diff to previous 1.480 (colored)

allow commas in the hfsc service curve spec, inconsistency pointed out in
PR4134 / geoff@collyer.net and a longer mail exchange with han boetes

Revision 1.480 / (download) - annotate - [select for diffs], Sun Mar 6 02:40:08 2005 UTC (19 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.479: +9 -1 lines
Diff to previous 1.479 (colored)

print "set skip on" with -v in such a way that the output is valid input
syntax, instead of the cryptic hex flags output.

Revision 1.479 / (download) - annotate - [select for diffs], Sun Feb 27 15:08:39 2005 UTC (19 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.478: +72 -44 lines
Diff to previous 1.478 (colored)

support 'tagged' in translation rules, non-delayed tag lookup
ok henning@, deraadt@

Revision 1.478 / (download) - annotate - [select for diffs], Sat Feb 26 15:14:58 2005 UTC (19 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.477: +4 -1 lines
Diff to previous 1.477 (colored)

you sure get the impression the number of memory leaks in error paths
is infinite... Andrey Matveev <andrushock@korovino.net> spotted a few again!

Revision 1.477 / (download) - annotate - [select for diffs], Mon Feb 7 18:18:14 2005 UTC (19 years, 3 months ago) by david
Branch: MAIN
Changes since 1.476: +2 -3 lines
Diff to previous 1.476 (colored)

KNF; ok henning@

Revision 1.476 / (download) - annotate - [select for diffs], Fri Jan 28 17:29:31 2005 UTC (19 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.475: +6 -1 lines
Diff to previous 1.475 (colored)

add messages for syntax errors that caused silent failure before.
found by Peter Fraser, ok henning@

Revision 1.475 / (download) - annotate - [select for diffs], Thu Jan 27 15:30:35 2005 UTC (19 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.474: +6 -1 lines
Diff to previous 1.474 (colored)

dynamic interface names must start with a letter. catches the nonsensical
"(10.1.2.3)" that results from a simple typo like "$(ext_ip)" instead of
"$(ext_if)".

Revision 1.474 / (download) - annotate - [select for diffs], Wed Jan 5 18:23:10 2005 UTC (19 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.473: +9 -5 lines
Diff to previous 1.473 (colored)

Modify pfctl behaviour so that 'set ...' options are no longer "sticky", ie.
they are reset to default values if omitted from a subsequent ruleset load.
Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set
  without resetting the others, eg:
   # echo "set loginterface fxp0" | pfctl -mf -

ok henning@ dhartmei@

Revision 1.473 / (download) - annotate - [select for diffs], Wed Dec 29 16:27:05 2004 UTC (19 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.472: +2 -2 lines
Diff to previous 1.472 (colored)

Print 'set fingerprints' correctly when parsing verbosely.

Revision 1.472 / (download) - annotate - [select for diffs], Thu Dec 23 17:21:48 2004 UTC (19 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.471: +2 -1 lines
Diff to previous 1.471 (colored)

set rule_flag PFRULE_SRCTRACK when setting srctrack, found by camield@
using regress test pf84

Revision 1.471 / (download) - annotate - [select for diffs], Wed Dec 22 17:17:55 2004 UTC (19 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.470: +38 -2 lines
Diff to previous 1.470 (colored)

Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@

Revision 1.470 / (download) - annotate - [select for diffs], Wed Dec 15 16:11:14 2004 UTC (19 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.469: +7 -2 lines
Diff to previous 1.469 (colored)

missing free()s; with pat

Revision 1.469 / (download) - annotate - [select for diffs], Fri Dec 10 22:13:26 2004 UTC (19 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.468: +18 -2 lines
Diff to previous 1.468 (colored)

allow pf to filter on route labels
pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and
Michael Knudsen <e@molioner.dk> and ryan
ok ryan

Revision 1.468 / (download) - annotate - [select for diffs], Wed Dec 8 01:27:23 2004 UTC (19 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.467: +9 -3 lines
Diff to previous 1.467 (colored)

Add "'overload' requires 'max-src-conn' or 'max-src-conn-rate'" sanity check,
fix some cut-n-paste mayhem in other related checks.

Revision 1.467 / (download) - annotate - [select for diffs], Tue Dec 7 10:33:41 2004 UTC (19 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.466: +6 -5 lines
Diff to previous 1.466 (colored)

re-commit mcbride@'s 'flush global', this time without the breakage in
pfvar.h. builds kernel and userland.

Revision 1.466 / (download) - annotate - [select for diffs], Tue Dec 7 09:39:30 2004 UTC (19 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.465: +0 -0 lines
Diff to previous 1.465 (colored)

real backout

Revision 1.465 / (download) - annotate - [select for diffs], Tue Dec 7 09:38:04 2004 UTC (19 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.464: +4892 -1419 lines
Diff to previous 1.464 (colored)

oops, incomplete backout

Revision 1.464 / (download) - annotate - [select for diffs], Tue Dec 7 09:36:16 2004 UTC (19 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.463: +1419 -4893 lines
Diff to previous 1.463 (colored)

tree does not compile, spotted by dlg (not obvious how to fix)
----
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@

Revision 1.463 / (download) - annotate - [select for diffs], Tue Dec 7 05:30:26 2004 UTC (19 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.462: +6 -5 lines
Diff to previous 1.462 (colored)

Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@

Revision 1.462 / (download) - annotate - [select for diffs], Sun Dec 5 10:11:29 2004 UTC (19 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.461: +3 -1 lines
Diff to previous 1.461 (colored)

initialize $$->tail and $$->next for MAXSRCCONNRATE

Revision 1.461 / (download) - annotate - [select for diffs], Sat Dec 4 07:58:51 2004 UTC (19 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.460: +142 -6 lines
Diff to previous 1.460 (colored)

Userland support for limiting open tcp connections per source. eg:

keep state (max-src-conn 1000, max-src-conn-rate 100/10, overflow <bad> flush)

allow a maximum of 1000 open connections or 100 new connections in 10 seconds.
The addresses of offenders are added to the <bad> table which can be used in
the ruleset, and existing states from that host are flushed.

ok deraadt@ dhartmei@

Revision 1.460 / (download) - annotate - [select for diffs], Tue Sep 21 16:59:11 2004 UTC (19 years, 8 months ago) by aaron
Branch: MAIN
Changes since 1.459: +15 -4 lines
Diff to previous 1.459 (colored)

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}".  henning@, dhartmei@ ok

Revision 1.459 / (download) - annotate - [select for diffs], Tue Jun 29 22:14:13 2004 UTC (19 years, 11 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_3_6_BASE, OPENBSD_3_6
Changes since 1.458: +5 -29 lines
Diff to previous 1.458 (colored)

remove cedric's bogus interface name verification code.
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nice enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being bugged to regularly.
help & ok mcbride@

Revision 1.458 / (download) - annotate - [select for diffs], Tue Jun 29 17:40:18 2004 UTC (19 years, 11 months ago) by frantzen
Branch: MAIN
Changes since 1.457: +5 -4 lines
Diff to previous 1.457 (colored)

convert a few memcpy()s to strlcpy() so we don't copy uninitialized junk into
an interface name's slack space past the \0.  will be needed for the optimizer.
ok henning@

Revision 1.457 / (download) - annotate - [select for diffs], Sat Jun 26 07:25:16 2004 UTC (19 years, 11 months ago) by david
Branch: MAIN
Changes since 1.456: +2 -2 lines
Diff to previous 1.456 (colored)

add back PF_INOUT, fixes reassemble tcp
ok canacar@ mcbride@

Revision 1.456 / (download) - annotate - [select for diffs], Fri Jun 25 05:45:48 2004 UTC (19 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.455: +2 -2 lines
Diff to previous 1.455 (colored)

repair tree nanobreak by the nanobum

Revision 1.455 / (download) - annotate - [select for diffs], Thu Jun 10 14:22:54 2004 UTC (19 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.454: +4 -4 lines
Diff to previous 1.454 (colored)

rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
keyword in C++. ok henning@, cedric@

Revision 1.454 / (download) - annotate - [select for diffs], Fri May 21 23:10:48 2004 UTC (20 years ago) by dhartmei
Branch: MAIN
Changes since 1.453: +3 -4 lines
Diff to previous 1.453 (colored)

Use '/' instead of ':' as separator for anchor path components. Note that
the parser now needs quotes around paths containing separators.
ok mcbride@

Revision 1.453 / (download) - annotate - [select for diffs], Wed May 19 17:50:50 2004 UTC (20 years ago) by dhartmei
Branch: MAIN
Changes since 1.452: +33 -57 lines
Diff to previous 1.452 (colored)

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@

Revision 1.452 / (download) - annotate - [select for diffs], Sat Apr 24 23:22:54 2004 UTC (20 years, 1 month ago) by cedric
Branch: MAIN
Changes since 1.451: +27 -2 lines
Diff to previous 1.451 (colored)

Add "probability xxx" rule modifier. ok deraadt@

Revision 1.451 / (download) - annotate - [select for diffs], Thu Apr 22 08:34:30 2004 UTC (20 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.450: +2 -2 lines
Diff to previous 1.450 (colored)

typo, From: Jared Yanovich <jjy2+@pitt.edu>

Revision 1.450 / (download) - annotate - [select for diffs], Wed Apr 14 11:16:42 2004 UTC (20 years, 1 month ago) by cedric
Branch: MAIN
Changes since 1.449: +42 -9 lines
Diff to previous 1.449 (colored)

make antispoof work with dynamic addresses. ok dhartmei@ mcbride@

Revision 1.449 / (download) - annotate - [select for diffs], Sat Mar 20 23:20:20 2004 UTC (20 years, 2 months ago) by david
Branch: MAIN
CVS Tags: OPENBSD_3_5_BASE, OPENBSD_3_5
Changes since 1.448: +3 -3 lines
Diff to previous 1.448 (colored)

spelling fix; ok dhartmei@ henning@ deraadt@

Revision 1.448 / (download) - annotate - [select for diffs], Sun Mar 14 21:51:44 2004 UTC (20 years, 2 months ago) by dhartmei
Branch: MAIN
Changes since 1.447: +2 -1 lines
Diff to previous 1.447 (colored)

#include fixes, from Max Laier, ok beck@ henning@

Revision 1.447 / (download) - annotate - [select for diffs], Mon Mar 8 16:10:02 2004 UTC (20 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.446: +175 -42 lines
Diff to previous 1.446 (colored)

plug 124 memory leaks
ok mcbride@ pb@ dhartmei@

Revision 1.446 / (download) - annotate - [select for diffs], Sat Mar 6 21:49:25 2004 UTC (20 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.445: +4 -5 lines
Diff to previous 1.445 (colored)

from bgpd:
plug a memory leak in the lexer.
the issue is this code fragment from yylex():

		token = lookup(buf);
		yylval.v.string = strdup(buf);
		if (yylval.v.string == NULL)
			err(1, "yylex: strdup");
		return (token);

lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@

Revision 1.445 / (download) - annotate - [select for diffs], Mon Mar 1 17:40:54 2004 UTC (20 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.444: +12 -3 lines
Diff to previous 1.444 (colored)

support "tagged <name>" on anchor rules, suggested by vd@vmunix.lt,
ok henning@, cedric@

Revision 1.444 / (download) - annotate - [select for diffs], Tue Feb 24 20:35:18 2004 UTC (20 years, 3 months ago) by mcbride
Branch: MAIN
Changes since 1.443: +21 -13 lines
Diff to previous 1.443 (colored)

'max-src-nodes' requires 'source-track rule'. Set that automatically,
unless 'source-track global' is explicit, in which case error out. Lots of
help from cedric@.

ok cedric@ henning@

Revision 1.443 / (download) - annotate - [select for diffs], Tue Feb 24 14:28:45 2004 UTC (20 years, 3 months ago) by cedric
Branch: MAIN
Changes since 1.442: +2 -2 lines
Diff to previous 1.442 (colored)

fixup.

Revision 1.442 / (download) - annotate - [select for diffs], Tue Feb 24 11:16:26 2004 UTC (20 years, 3 months ago) by mcbride
Branch: MAIN
Changes since 1.441: +5 -1 lines
Diff to previous 1.441 (colored)

Check for 'source-track rule' with 'max-src-nodes'.

ok cedric@ henning@

Revision 1.441 / (download) - annotate - [select for diffs], Wed Feb 11 18:34:51 2004 UTC (20 years, 3 months ago) by cedric
Branch: MAIN
Changes since 1.440: +11 -8 lines
Diff to previous 1.440 (colored)

Fix interface clobbering for link-local addresses. Found by Pyun YongHyeon.
Fix "antispoof for foo" when foo has no addresses.
ok+help dhartmei@, ok mcbride@

Revision 1.440 / (download) - annotate - [select for diffs], Tue Feb 10 21:06:04 2004 UTC (20 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.439: +23 -19 lines
Diff to previous 1.439 (colored)

KNF

Revision 1.439 / (download) - annotate - [select for diffs], Tue Feb 10 17:48:08 2004 UTC (20 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.438: +13 -13 lines
Diff to previous 1.438 (colored)

fix at least the worst of Cedric "KNF is for everybody but me" Berger's fuckup

Revision 1.438 / (download) - annotate - [select for diffs], Wed Feb 4 17:35:40 2004 UTC (20 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.437: +10 -8 lines
Diff to previous 1.437 (colored)

Handle rules like 'pass ... proto { tcp udp icmp } ... modulate state'

ok dhartmei@ henning@

Revision 1.437 / (download) - annotate - [select for diffs], Tue Feb 3 19:29:50 2004 UTC (20 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.436: +14 -1 lines
Diff to previous 1.436 (colored)

fix PR 3664 / jared r r spiegel
we need to save the unexpanded tag/tagged strings before entering the
expansion loop, and at each loop, start with the unexpanded tag, so that
on subsequent loops the macros are replaced with current values and not
the values from previous loop persist
ryan theo ok

Revision 1.436 / (download) - annotate - [select for diffs], Mon Jan 5 22:04:24 2004 UTC (20 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.435: +5 -5 lines
Diff to previous 1.435 (colored)

few off by ones in strlcpy overflow check; Patrick Latifi

Revision 1.435 / (download) - annotate - [select for diffs], Sun Jan 4 12:30:29 2004 UTC (20 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.434: +2 -1 lines
Diff to previous 1.434 (colored)

don't ignore "!" on "binat on !foo". ok mcbride@

Revision 1.434 / (download) - annotate - [select for diffs], Wed Dec 31 22:14:41 2003 UTC (20 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.433: +3 -3 lines
Diff to previous 1.433 (colored)

spacing.  note this, cedric

Revision 1.433 / (download) - annotate - [select for diffs], Wed Dec 31 11:18:24 2003 UTC (20 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.432: +139 -78 lines
Diff to previous 1.432 (colored)

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now support multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces, for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@

Revision 1.432 / (download) - annotate - [select for diffs], Tue Dec 30 16:59:38 2003 UTC (20 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.431: +5 -3 lines
Diff to previous 1.431 (colored)

fix TAILQ abuse.
TAILQ_REMOVE is a no-no within a TAILQ_FOREACH loop.
also free the symbol itself after removal.
all found while hacking bgpd which incorporates pfctl's sym code (macros).

ok cedric@

Revision 1.431 / (download) - annotate - [select for diffs], Fri Dec 19 16:12:43 2003 UTC (20 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.430: +2 -1 lines
Diff to previous 1.430 (colored)

i wrote much of these, assert my copyright

Revision 1.430 / (download) - annotate - [select for diffs], Fri Dec 19 01:11:14 2003 UTC (20 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.429: +2 -1 lines
Diff to previous 1.429 (colored)

assert copyright.  i rewrite much of this

Revision 1.429 / (download) - annotate - [select for diffs], Tue Dec 16 01:10:21 2003 UTC (20 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.428: +11 -1 lines
Diff to previous 1.428 (colored)

Check that max-src-states and max-src-nodes are not being set to 0.

Revision 1.428 / (download) - annotate - [select for diffs], Mon Dec 15 09:12:55 2003 UTC (20 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.427: +6 -6 lines
Diff to previous 1.427 (colored)

KNF here too

Revision 1.427 / (download) - annotate - [select for diffs], Mon Dec 15 07:30:17 2003 UTC (20 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.426: +5 -5 lines
Diff to previous 1.426 (colored)

Whitespace.

Revision 1.426 / (download) - annotate - [select for diffs], Mon Dec 15 07:11:30 2003 UTC (20 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.425: +13 -2 lines
Diff to previous 1.425 (colored)

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
  added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
  be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
  packets on pfsync no longer contain regular pf_state structs,
  but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@

Revision 1.425 / (download) - annotate - [select for diffs], Mon Dec 15 00:02:03 2003 UTC (20 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.424: +193 -60 lines
Diff to previous 1.424 (colored)

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
  translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@

Revision 1.424 / (download) - annotate - [select for diffs], Sat Nov 29 10:05:55 2003 UTC (20 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.423: +1 -14 lines
Diff to previous 1.423 (colored)

allow ':' (range including boundaries) to be used wherever '><' (range
excluding boundaries) is legal. already supported by kernel, requires only
removal of three error messages. ok henning@

Revision 1.423 / (download) - annotate - [select for diffs], Sat Nov 22 13:44:20 2003 UTC (20 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.422: +4 -3 lines
Diff to previous 1.422 (colored)

daniel stumbled over a broken regress test, and it turned out that I forgot
to commit a diff from 11/6...
do not insert the "block in on ! interface" rule for antispoof statements when
the interface in question does not have any IP address, because that then
expands to
block in on ! interface all
which is obviously bad.
niklas@ found it, dhartmei@ ok, and I think some more ppl ok I don't remember

Revision 1.422 / (download) - annotate - [select for diffs], Fri Nov 14 13:51:09 2003 UTC (20 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.421: +11 -2 lines
Diff to previous 1.421 (colored)

allow the debuglevel to be set from pf.conf (set debug)

ok cedric@

Revision 1.421 / (download) - annotate - [select for diffs], Sat Nov 8 00:45:34 2003 UTC (20 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.420: +20 -3 lines
Diff to previous 1.420 (colored)

Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.

pass in proto tcp to self flags S/SA keep state (no-sync)

ok cedric@ henning@ dhartmei@

Revision 1.420 / (download) - annotate - [select for diffs], Thu Nov 6 15:16:50 2003 UTC (20 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.419: +4 -4 lines
Diff to previous 1.419 (colored)

and fix two err() that should be errx() while being here

Revision 1.419 / (download) - annotate - [select for diffs], Thu Nov 6 15:13:22 2003 UTC (20 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.418: +2 -2 lines
Diff to previous 1.418 (colored)

need calloc here

Revision 1.418 / (download) - annotate - [select for diffs], Thu Nov 6 14:02:19 2003 UTC (20 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.417: +47 -37 lines
Diff to previous 1.417 (colored)

allow the label macros to be used in tags as well.
the idea is not mine and I'd love to give credit, but I cannot find the mail
any more :-((

ok canacar@ dhartmei@

Revision 1.417 / (download) - annotate - [select for diffs], Tue Oct 21 21:09:12 2003 UTC (20 years, 7 months ago) by itojun
Branch: MAIN
Changes since 1.416: +2 -2 lines
Diff to previous 1.416 (colored)

don't use NULL as (int)0.  henning ok

Revision 1.416 / (download) - annotate - [select for diffs], Fri Sep 26 21:44:09 2003 UTC (20 years, 8 months ago) by cedric
Branch: MAIN
Changes since 1.415: +3 -3 lines
Diff to previous 1.415 (colored)

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:

   - Anchors/Rulesets cannot disappear unexpectedly anymore.
   - No more leftover in the kernel if "pfctl -f" fails.
   - Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

   - DIOCBEGINRULES
   - DIOCCOMMITRULES
   - DIOCBEGINALTQS
   - DIOCCOMMITALTQS
   - DIOCRINABEGIN
   - DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

   - DIOCXBEGIN
   - DIOCXCOMMIT
   - DIOCXROLLBACK

Ok dhartmei@ mcbride@

Revision 1.415 / (download) - annotate - [select for diffs], Mon Sep 1 15:07:40 2003 UTC (20 years, 9 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_3_4_BASE, OPENBSD_3_4
Changes since 1.414: +3 -3 lines
Diff to previous 1.414 (colored)

KNF

Revision 1.414 / (download) - annotate - [select for diffs], Thu Aug 28 19:27:32 2003 UTC (20 years, 9 months ago) by kjell
Branch: MAIN
Changes since 1.413: +0 -12 lines
Diff to previous 1.413 (colored)

This change is busted. what's worse, REGRESSION TESTS WOULD HAVE CAUGHT IT!
You MUST test network stack changes on BOTH BYTE-ORDERS.
Someone can fix this later, but right now I need to get the damn
firewall up. Grr.

Revision 1.413 / (download) - annotate - [select for diffs], Tue Aug 26 18:43:04 2003 UTC (20 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.412: +13 -1 lines
Diff to previous 1.412 (colored)

catch port/user/group a <>/>< b with a >= b, from mpech@

Revision 1.412 / (download) - annotate - [select for diffs], Mon Aug 25 17:44:44 2003 UTC (20 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.411: +5 -1 lines
Diff to previous 1.411 (colored)

catch return-rst ttl values > 255, from aaron@

Revision 1.411 / (download) - annotate - [select for diffs], Sun Aug 24 13:02:28 2003 UTC (20 years, 9 months ago) by cedric
Branch: MAIN
Changes since 1.410: +21 -7 lines
Diff to previous 1.410 (colored)

Tweaks:
- Make sure we allow only tables in round-robin pools for routing options,
same as what we do for translation rules.
- Don't reject rules like: "nat on sis0 -> <foo>" because
"no address family is given". This is perfectly valid.
ok henning@

Revision 1.410 / (download) - annotate - [select for diffs], Fri Aug 22 21:50:34 2003 UTC (20 years, 9 months ago) by david
Branch: MAIN
Changes since 1.409: +2 -2 lines
Diff to previous 1.409 (colored)

pf spelling police
ok dhartmei@ jmc@

Revision 1.409 / (download) - annotate - [select for diffs], Thu Aug 21 19:12:08 2003 UTC (20 years, 9 months ago) by frantzen
Branch: MAIN
Changes since 1.408: +93 -26 lines
Diff to previous 1.408 (colored)

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
	block proto tcp from any os SCO
	block proto tcp from any os Windows to any port smtp
	rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001

Revision 1.408 / (download) - annotate - [select for diffs], Wed Aug 20 16:27:36 2003 UTC (20 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.407: +7 -1 lines
Diff to previous 1.407 (colored)

braindeadness police: catch queues which specify itself as child... 'nuff said

Revision 1.407 / (download) - annotate - [select for diffs], Wed Aug 20 13:02:52 2003 UTC (20 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.406: +4 -2 lines
Diff to previous 1.406 (colored)

err out nicer on errors in queue def

Revision 1.406 / (download) - annotate - [select for diffs], Mon Aug 18 11:08:10 2003 UTC (20 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.405: +5 -1 lines
Diff to previous 1.405 (colored)

catch max-mss values > 65535, report by Gregory Steuck

Revision 1.405 / (download) - annotate - [select for diffs], Sat Aug 9 14:56:48 2003 UTC (20 years, 9 months ago) by cedric
Branch: MAIN
Changes since 1.404: +9 -19 lines
Diff to previous 1.404 (colored)

This patch removes the restriction that tables cannot be used in routing or
redirection rules...

The advantage of using tables in redirection/routing rules is not efficiency,
in fact it will run slower than straight address pools. However, this brings
a lot of flexibility to PF, allowing simple scripts/daemons to add/remove
addresses from redirection/routing pools easily.

This implementation supports all table features, including cidr blocks and
negated addresses. So specifying { 10.0.0.0/29 !10.0.0.0 !10.0.0.7 } will
correctly round-robin between the six addresses: .1, .2, .3, .4, .5, .6.

Tables can also be combined with simple addresses, so the following rule
will work as expected: "nat on foo0 -> { 1.1.1.1 <bar> }"

ok henning@ mcbride@

Revision 1.404 / (download) - annotate - [select for diffs], Tue Jul 29 18:47:43 2003 UTC (20 years, 10 months ago) by deraadt
Branch: MAIN
Changes since 1.403: +2 -2 lines
Diff to previous 1.403 (colored)

indent

Revision 1.403 / (download) - annotate - [select for diffs], Sat Jul 19 13:08:58 2003 UTC (20 years, 10 months ago) by cedric
Branch: MAIN
Changes since 1.402: +5 -5 lines
Diff to previous 1.402 (colored)

Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
instead of indirectly through struct pf_rule_addr.

Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.

Needless to say: KERNEL/USERLAND SYNC REQUIRED.

ok henning@ mcbride@

Revision 1.402 / (download) - annotate - [select for diffs], Fri Jul 18 06:30:06 2003 UTC (20 years, 10 months ago) by cedric
Branch: MAIN
Changes since 1.401: +4 -4 lines
Diff to previous 1.401 (colored)

Simplify handling of flags (-R, -N...). Remove PFCTL_FLAG_ALL.
ok dhartmei@

Revision 1.401 / (download) - annotate - [select for diffs], Tue Jul 15 17:12:38 2003 UTC (20 years, 10 months ago) by cedric
Branch: MAIN
Changes since 1.400: +15 -1 lines
Diff to previous 1.400 (colored)

Repair memory management in table parsing code.
I need vacations.
Found and verified by Pyun YongHyeon.
ok dhartmei@

Revision 1.400 / (download) - annotate - [select for diffs], Mon Jul 14 20:01:07 2003 UTC (20 years, 10 months ago) by dhartmei
Branch: MAIN
Changes since 1.399: +2 -2 lines
Diff to previous 1.399 (colored)

tpo

Revision 1.399 / (download) - annotate - [select for diffs], Fri Jul 11 08:29:34 2003 UTC (20 years, 10 months ago) by cedric
Branch: MAIN
Changes since 1.398: +91 -47 lines
Diff to previous 1.398 (colored)

Better parsing and -v support for tables:

  - remove the tableaddrs and tableaddr yacc production and reuse
    host_list instead.
  - produce better error messages.
  - do not load addresses from external file when it is not
    required (like with -R option).
  - store initializers in a new node_tinit linked list before
    putting them into the address buffer (see next point).
  - add a new print_tabledef() function, which makes "pfctl -nvf"
    print something useful for table definitions, which in turn
    makes it possible to write better regress tests (see first chunk
    of the diff) and brings table definition consistent with other
    parsed rules.

ok dhartmei@

Revision 1.398 / (download) - annotate - [select for diffs], Thu Jul 10 05:25:27 2003 UTC (20 years, 10 months ago) by cedric
Branch: MAIN
Changes since 1.397: +4 -7 lines
Diff to previous 1.397 (colored)

Fix merging of host lists.
ok dhartmei@ henning@

Revision 1.397 / (download) - annotate - [select for diffs], Fri Jul 4 11:05:44 2003 UTC (20 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.396: +7 -7 lines
Diff to previous 1.396 (colored)

KNF after cedric (grmpf)

Revision 1.396 / (download) - annotate - [select for diffs], Fri Jul 4 10:42:16 2003 UTC (20 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.395: +55 -47 lines
Diff to previous 1.395 (colored)

allow for a "pass" modifier on translation rules:
nat pass on $ext_if from $a to $b -> $ext_if
when the pass modifier is given, the filter ruleset is _not_ evaluated but
the packets matching this translation rule are passed unconditionally.

ok dhartmei@ cedric@ markus@

Revision 1.395 / (download) - annotate - [select for diffs], Thu Jul 3 21:09:13 2003 UTC (20 years, 11 months ago) by cedric
Branch: MAIN
Changes since 1.394: +3 -2 lines
Diff to previous 1.394 (colored)

Bye bye atexit(), bye bye globals...
The pfctl.c part will probably need some further improvements.
ok henning@

Revision 1.394 / (download) - annotate - [select for diffs], Thu Jul 3 09:13:05 2003 UTC (20 years, 11 months ago) by cedric
Branch: MAIN
Changes since 1.393: +34 -6 lines
Diff to previous 1.393 (colored)

This patch finally cleans up pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@

Revision 1.393 / (download) - annotate - [select for diffs], Thu Jun 19 22:08:35 2003 UTC (20 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.392: +2 -1 lines
Diff to previous 1.392 (colored)

knf

Revision 1.392 / (download) - annotate - [select for diffs], Wed Jun 18 11:38:19 2003 UTC (20 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.391: +33 -20 lines
Diff to previous 1.391 (colored)

change expand_label_addr() to use a switch (h->addr.type) instead of
if .. else if .. else, and handle PF_ADDR_NOROUTE as well.
inspired by a comment from cedric.

Revision 1.391 / (download) - annotate - [select for diffs], Wed Jun 18 11:04:14 2003 UTC (20 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.390: +3 -1 lines
Diff to previous 1.390 (colored)

when expanding the $srcaddr/$dstaddr label macros and the address is actually
a table reference, don't print nonsense but the table name.
found by claudio jeker, fix by me, agreement by cedric

Revision 1.390 / (download) - annotate - [select for diffs], Mon Jun 9 11:14:46 2003 UTC (20 years, 11 months ago) by mcbride
Branch: MAIN
Changes since 1.389: +14 -5 lines
Diff to previous 1.389 (colored)

Attempt to resolve byte order confusion in nat code once and for all.

- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()

NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.

Revision 1.343.2.1 / (download) - annotate - [select for diffs], Sat May 31 01:00:23 2003 UTC (21 years ago) by margarida
Branch: OPENBSD_3_3
Changes since 1.343: +2 -1 lines
Diff to previous 1.343 (colored) next main 1.344 (colored)

Pull patch from -current:
Fix by dhartmei@

Properly copy the second part of nat proxy port range, when specified.

Ok deraadt@

Revision 1.389 / (download) - annotate - [select for diffs], Sun May 25 17:07:28 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.388: +3 -3 lines
Diff to previous 1.388 (colored)

must not run check_netmask() before remove_invalid_hosts() - binat case had it
wrong for the redirection target.
reported by jared r r spiegel <jrrs@ice-nine.org>

Revision 1.388 / (download) - annotate - [select for diffs], Mon May 19 20:21:53 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.387: +13 -1 lines
Diff to previous 1.387 (colored)

reject invalid netmasks like 10.0.0.0/68, and fix up the netmask for
dynaddr rules after we know the address family

ok dhartmei@, inspired by a session with bob

Revision 1.387 / (download) - annotate - [select for diffs], Mon May 19 18:31:13 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.386: +15 -9 lines
Diff to previous 1.386 (colored)

all host() receivers have to test for NULL

Revision 1.386 / (download) - annotate - [select for diffs], Mon May 19 18:18:34 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.385: +7 -1 lines
Diff to previous 1.385 (colored)

if host() returns NULL, it is an error, so err the fuck out and don't
load bullshit

Revision 1.385 / (download) - annotate - [select for diffs], Sat May 17 02:04:24 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.384: +6 -3 lines
Diff to previous 1.384 (colored)

support inverse matching on tags like
block in ! tagged sometag

ok dhartmei@ pb@

Revision 1.384 / (download) - annotate - [select for diffs], Fri May 16 17:15:17 2003 UTC (21 years ago) by dhartmei
Branch: MAIN
Changes since 1.383: +11 -5 lines
Diff to previous 1.383 (colored)

TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive end-
point, preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@

Revision 1.383 / (download) - annotate - [select for diffs], Thu May 15 06:22:46 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.382: +25 -6 lines
Diff to previous 1.382 (colored)

properly complain about too long tags

Revision 1.382 / (download) - annotate - [select for diffs], Wed May 14 23:51:28 2003 UTC (21 years ago) by frantzen
Branch: MAIN
Changes since 1.381: +22 -4 lines
Diff to previous 1.381 (colored)

add scrub modifier "reassemble tcp" to turn on stateful TCP normalizations
ok henning@ dhartmei@

Revision 1.381 / (download) - annotate - [select for diffs], Wed May 14 22:54:39 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.380: +17 -13 lines
Diff to previous 1.380 (colored)

tagging on binat

Revision 1.380 / (download) - annotate - [select for diffs], Wed May 14 22:46:01 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.379: +1 -5 lines
Diff to previous 1.379 (colored)

enabled tagging on rdr rules

Revision 1.379 / (download) - annotate - [select for diffs], Wed May 14 05:14:06 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.378: +3 -2 lines
Diff to previous 1.378 (colored)

with tag/tagged given, only whine about missing keep state on pass rules

Revision 1.378 / (download) - annotate - [select for diffs], Wed May 14 05:02:12 2003 UTC (21 years ago) by frantzen
Branch: MAIN
Changes since 1.377: +12 -12 lines
Diff to previous 1.377 (colored)

allow SCRUB rules to specify protocol again.  broken sometime in the past.
okie dhartmei@, yay pb@

Revision 1.377 / (download) - annotate - [select for diffs], Wed May 14 04:53:04 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.376: +36 -26 lines
Diff to previous 1.376 (colored)

tags on nat rules:
nat on $ext_if all tag humppa -> $ext_if
pass out tagged humppa keep state

Revision 1.376 / (download) - annotate - [select for diffs], Tue May 13 23:02:15 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.375: +5 -1 lines
Diff to previous 1.375 (colored)

make sure tagging is only ever used with stateful filter rules

Revision 1.375 / (download) - annotate - [select for diffs], Tue May 13 21:15:07 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.374: +17 -1 lines
Diff to previous 1.374 (colored)

userland part for tagging.
it's now possible to tag packets with an arbitrary tag and filter based on
that tag later on other interfaces:
pass in quick on fxp0 keep state tag blah
pass out quick on wi0 keep state with tag blah
can be used to express trust between interfaces, to distinguish between
NATed connections and connections originating from the firewall itself
and much more

ok dhartmei@ frantzen@ pb@ mcbride@

Revision 1.374 / (download) - annotate - [select for diffs], Sun May 11 01:48:50 2003 UTC (21 years ago) by mcbride
Branch: MAIN
Changes since 1.373: +2 -2 lines
Diff to previous 1.373 (colored)

Don't ntohs() the translation port for nat as it is already in host byte order.
Makes nat ... -> $ext_if port 500 rules work correctly again.

ok henning@ dhartmei@ frantzen@

Revision 1.373 / (download) - annotate - [select for diffs], Sat May 10 00:45:23 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.372: +84 -8 lines
Diff to previous 1.372 (colored)

support loading of anchors from within the main ruleset via
load anchor anchorname:rulesetname file /path/to/file

ok pb@ dhartmei@ cedric@

Revision 1.372 / (download) - annotate - [select for diffs], Sat May 3 16:50:38 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.371: +3 -4 lines
Diff to previous 1.371 (colored)

don't free() the char * carrying the rule label too early
noticed by Mathieu Sauve-Frankel <m.sauve at secureops.net> via silc

Revision 1.371 / (download) - annotate - [select for diffs], Thu May 1 16:22:12 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.370: +24 -37 lines
Diff to previous 1.370 (colored)

ease label handling

ok cedric@

Revision 1.370 / (download) - annotate - [select for diffs], Thu May 1 16:16:08 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.369: +55 -6 lines
Diff to previous 1.369 (colored)

allow label on antispoof; requested by Gregor Binder <gbinder at sysfive.com>

ok cedric@

Revision 1.369 / (download) - annotate - [select for diffs], Wed Apr 30 12:30:27 2003 UTC (21 years, 1 month ago) by cedric
Branch: MAIN
Changes since 1.368: +3 -2 lines
Diff to previous 1.368 (colored)

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@

Revision 1.368 / (download) - annotate - [select for diffs], Fri Apr 25 17:36:33 2003 UTC (21 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.367: +2 -1 lines
Diff to previous 1.367 (colored)

Properly copy the second part of nat proxy port range, when specified.
ok henning@

Revision 1.367 / (download) - annotate - [select for diffs], Tue Apr 15 11:29:24 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.366: +4 -3 lines
Diff to previous 1.366 (colored)

pass down the unparsed queue opts (struct node_queue_opt) to
print_altq/print_hfsc -> print_hfsc_opts and extract struct node_hfsc_sc
there for each service curve and pass those down to print_hfsc_sc. now
bandwidth specifications in the service curves are printed correctly in the
case of a queue belonging to more than one interface/parent queue, the
parent queues having different bandwidths and the bandwidth on the service
curve being specified in percent.

Revision 1.366 / (download) - annotate - [select for diffs], Mon Apr 14 14:50:46 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.365: +3 -4 lines
Diff to previous 1.365 (colored)

let print_altq and print_queue take a struct node_queue_bw parameter instead
of distinct bw_percent

Revision 1.365 / (download) - annotate - [select for diffs], Sun Apr 13 23:51:51 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.364: +3 -3 lines
Diff to previous 1.364 (colored)

KNF

Revision 1.364 / (download) - annotate - [select for diffs], Sun Apr 13 23:39:18 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.363: +17 -1 lines
Diff to previous 1.363 (colored)

prevent double service curve specification

Revision 1.363 / (download) - annotate - [select for diffs], Sun Apr 13 23:34:31 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.362: +63 -16 lines
Diff to previous 1.362 (colored)

add support for the HFSC linkshare, realtime, and upperlimit service curves
to be specified.

Revision 1.362 / (download) - annotate - [select for diffs], Sun Apr 13 22:45:28 2003 UTC (21 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.361: +2 -1 lines
Diff to previous 1.361 (colored)

unbreak (missing })

Revision 1.361 / (download) - annotate - [select for diffs], Sun Apr 13 21:51:10 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.360: +16 -11 lines
Diff to previous 1.360 (colored)

say bye bye to hfscflags_list and hfscflags_item
welcome hfscopts_list and hfscopts_item, returning a full struct
node_hfsc_opt instead of just an int for the flags. needed because of all
the opts hfsc knows

Revision 1.360 / (download) - annotate - [select for diffs], Sun Apr 13 20:41:37 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.359: +3 -2 lines
Diff to previous 1.359 (colored)

new struct node_hfsc_opts for, surprise, hfsc options. needed because they
contain bandwidth specifications and we need to carry the unprocessed bw
specs around for quite some time until we can break them down to absolute
values.

Revision 1.359 / (download) - annotate - [select for diffs], Sun Apr 13 20:16:06 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.358: +14 -46 lines
Diff to previous 1.358 (colored)

pass down the struct node_queue_opts from the altqif/queuespec yacc targets
to expand_altq/expand_queue -> eval_pfaltq/eval_pfqueue and
further down to the new eval_queue_opts() instead of evaluating them directly
in the yacc grammar.
this will be needed to process the hfsc options which can contain relative
bandwidth specifications, and we can't break them down to an absolute one
earlier.

Revision 1.358 / (download) - annotate - [select for diffs], Sun Apr 13 19:36:00 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.357: +7 -20 lines
Diff to previous 1.357 (colored)

move the structs node_queue_bw and node_queue_opt to pfctl_parser.h.
let eval_pfqueue() and eval_pfaltq() take a pointer to a struct
node_queue_bw instead of two distinct bw_absolute and bw_percent parameters.

Revision 1.357 / (download) - annotate - [select for diffs], Sun Apr 13 17:01:12 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.356: +5 -5 lines
Diff to previous 1.356 (colored)

move the bandwidth keyword from within the bandwidth target up to the
queue_opts target so the bandwidth parser can be used for other things too;
will be needed for hfsc's linkshare etc

Revision 1.356 / (download) - annotate - [select for diffs], Sat Apr 12 20:10:32 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.355: +49 -5 lines
Diff to previous 1.355 (colored)

initial support for the HFSC scheduler.
whoever uses that for more than toying around is on drugs. it's far from done.

Revision 1.355 / (download) - annotate - [select for diffs], Fri Apr 11 15:19:10 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.354: +2 -2 lines
Diff to previous 1.354 (colored)

KNF

Revision 1.354 / (download) - annotate - [select for diffs], Fri Apr 11 14:42:32 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.353: +1 -4 lines
Diff to previous 1.353 (colored)

don't set r->qid and r->pqid in expand_rule any more, queue name -> queue ID
mapping is done in kernel land now

Revision 1.353 / (download) - annotate - [select for diffs], Mon Apr 7 13:40:48 2003 UTC (21 years, 2 months ago) by dhartmei
Branch: MAIN
Changes since 1.352: +5 -1 lines
Diff to previous 1.352 (colored)

Catch and refuse invalid icmp codes (> 255). ok pb@, mpech@.

Revision 1.352 / (download) - annotate - [select for diffs], Sat Apr 5 23:56:32 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.351: +10 -3 lines
Diff to previous 1.351 (colored)

ease netmask handling a bit

input theo, ok dhartmei@

Revision 1.351 / (download) - annotate - [select for diffs], Sat Apr 5 21:44:45 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.350: +107 -93 lines
Diff to previous 1.350 (colored)

allow queue specs to be limited to certain interfaces.

altq on { $if0 $if1 $if2 $if3 } priq bandwidth 10Mb queue { one two }
queue one priority 1 priq(default)
queue two on $if0 priority 15
queue two on ! $if0 priority 0

ok dhartmei@

Revision 1.350 / (download) - annotate - [select for diffs], Sat Apr 5 21:04:53 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.349: +2 -2 lines
Diff to previous 1.349 (colored)

whitespace KNF

Revision 1.349 / (download) - annotate - [select for diffs], Fri Apr 4 18:48:11 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.348: +20 -39 lines
Diff to previous 1.348 (colored)

clean up:
instead of letting the lexer interpret '<' '>' '=' '>=' '<=' and return them
as PF_OP_LT, PF_OP_GT etc etc etc in PORTUNARY, just let the lexer return
'<' '>' and  '=' literally, and in the few cases where the old PORTUNARY was
really used like originally intended, replace that by a new unaryop yacc
target. in all other cases that gets rid of quite some checks whether PORTUNARY
is really < and nothing else etc etc etc.

ok cedric@ deraadt@

Revision 1.348 / (download) - annotate - [select for diffs], Thu Mar 27 18:01:57 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.347: +5 -5 lines
Diff to previous 1.347 (colored)

lotsa const char *
from David Hill <david at phobia.ms> a while ago

Revision 1.347 / (download) - annotate - [select for diffs], Thu Mar 27 16:17:37 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.346: +15 -12 lines
Diff to previous 1.346 (colored)

introduce a "yesno" target. eases code a bit and yes is no keyword any more.

Revision 1.346 / (download) - annotate - [select for diffs], Thu Mar 27 16:11:55 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.345: +9 -1 lines
Diff to previous 1.345 (colored)

handle invalid priq/cbq flags better and give a nice error message

Revision 1.345 / (download) - annotate - [select for diffs], Thu Mar 27 15:58:11 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.344: +23 -16 lines
Diff to previous 1.344 (colored)

default, borrow, ecn, red and rio are no keywords any more. use STRING and
strcmp instead.

Revision 1.344 / (download) - annotate - [select for diffs], Thu Mar 27 15:49:47 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.343: +24 -15 lines
Diff to previous 1.343 (colored)

switch symset/symget to TAILQ instead of using hand baked lists

ok dhartmei@ cedric@

Revision 1.343 / (download) - annotate - [select for diffs], Wed Mar 19 15:51:40 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_3_3_BASE
Branch point for: OPENBSD_3_3
Changes since 1.342: +7 -6 lines
Diff to previous 1.342 (colored)

kill the address token and move the host() invocation up to the host token,
so that host() always gets the full address to be parsed including the
netmask instead of applying the netmask afterwards. this could break some
edge cases and was broken since the (interface)/24 fix.
new token dynaddr for, well, dynaddr, and apply an eventually given netmask
afterwards in the host token just in this case.

found after bug report From: Julien Bordet <zejames@greyhats.org> via dhartmei

ok daniel cedric

Revision 1.342 / (download) - annotate - [select for diffs], Mon Mar 10 14:50:29 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.341: +13 -7 lines
Diff to previous 1.341 (colored)

correctly cope with errors returned by eval_pfqueue and pfctl_add_altq

ok dhartmei@ pb@ (as part of... you know, monsterdiff)

Revision 1.341 / (download) - annotate - [select for diffs], Mon Mar 10 14:46:09 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.340: +2 -2 lines
Diff to previous 1.340 (colored)

when complaining about a queue without parent, include the queue name in
the error message

ok dhartmei@ pb@ (as part of a monsterdiff)

Revision 1.340 / (download) - annotate - [select for diffs], Sun Mar 9 19:07:21 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.339: +6 -0 lines
Diff to previous 1.339 (colored)

cope with LOOP_THROUGH modifying the list (queues).
in case of an error in the queue def in question the queues list remains
unmodified, but the LOOP_THROUGH caused a mod anyway, and the list can stay
empty. subsequent checks for NULL which check for an empty list fail then.
fix by adding an explicit check before looping.
fixes regress pfail31
error report by Kamil Andrusz via pb@, testcase from pb@
ok dhartmei@

Revision 1.339 / (download) - annotate - [select for diffs], Sun Mar 9 18:58:25 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.338: +16 -12 lines
Diff to previous 1.338 (colored)

cope with the fact that LOOP_THROUGH loops once even if the list is empty by
moving the addition of child queues a bit down after the successful
addition of the current queue and an explicit NULL check before looping.
fixes regress pf59
found by kjc@
ok kjc@ cedric@ dhartmei@

Revision 1.338 / (download) - annotate - [select for diffs], Sat Mar 8 15:17:34 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.337: +2 -2 lines
Diff to previous 1.337 (colored)

fix the obvious:
since we do not modify the struct pf_altq *a any more but our private copy,
we can of course not inherit the scheduler type from it, since it did not
inherit the scheduler type from the parent.
so just inherit the scheduler type from the parent directly...

ok dhartmei@ cedric@

Revision 1.337 / (download) - annotate - [select for diffs], Sat Mar 8 14:52:17 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.336: +14 -11 lines
Diff to previous 1.336 (colored)

in expand_queue, make a private copy of the struct pf_altq before modifying
it. modifying the original one had undesired side effects if a queue was
expanded to more than one because it belonged to more than one interface

ok pb@ cedric@ dhartmei@

Revision 1.336 / (download) - annotate - [select for diffs], Thu Mar 6 12:50:40 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.335: +3 -3 lines
Diff to previous 1.335 (colored)

fix queue assignment on filter rules which are not bound to an interface.
when looking up the queue IDs using qname_to_qid, we do not need to limit
the matching on the interface in question, as it is guaranteed that same
named queues on different interfaces have the same queue id. moreover, we
must not limit the matches to the interface if we do not have an interface
given on the filter rule to match on ;-)

found after problems reported by Andre Nathan <andre at v2r dot com dot br>

ok dhartmei@ pb@ cedric@

Revision 1.335 / (download) - annotate - [select for diffs], Sun Mar 2 23:37:24 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.334: +16 -15 lines
Diff to previous 1.334 (colored)

when printing queues at load time that have bandwidth specified in percent,
print the bandwidth in percent instead of the calculated absolute value.
if a queue belongs to more than one interface and they have different
bandwidth the calculated absolute is of course different per interface.
previously the first calculated absolute value was shown, which of course is
incorrect on the second interface. note that only the print was wrong, the
correct values were passed to the kernel.

ok theo daniel

Revision 1.334 / (download) - annotate - [select for diffs], Sun Mar 2 12:37:49 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.333: +2 -4 lines
Diff to previous 1.333 (colored)

remove the control keyword for cbq queues.
the control class was a legacy of the original CBQ design by LBL/Sun
to support RSVP.
the control class is not used in openbsd, in the sense that
we don't automatically set filters for ICMP/IGMP/RSVP for the control
class.

ok dhartmei@ kjc@ deraadt@

Revision 1.333 / (download) - annotate - [select for diffs], Thu Feb 27 04:16:28 2003 UTC (21 years, 3 months ago) by david
Branch: MAIN
Changes since 1.332: +3 -3 lines
Diff to previous 1.332 (colored)

modify error message to match the same 7 sections in pf.conf(5)
ok deraadt@ henning@

Revision 1.332 / (download) - annotate - [select for diffs], Wed Feb 26 20:27:20 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.331: +3 -1 lines
Diff to previous 1.331 (colored)

in expand_rule, correctly set r->pqid if a priority queue was defined, and
reuse the value of r->qid if not.

ok dhartmei@ mcbride@

Revision 1.331 / (download) - annotate - [select for diffs], Tue Feb 25 20:59:09 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.330: +20 -11 lines
Diff to previous 1.330 (colored)

some minor KNF my fingers just did...

ok dhartmei@ cedric@

Revision 1.330 / (download) - annotate - [select for diffs], Tue Feb 25 12:22:25 2003 UTC (21 years, 3 months ago) by cedric
Branch: MAIN
Changes since 1.329: +19 -36 lines
Diff to previous 1.329 (colored)

repair/simplify/flexify binat userland.
ok dhartmei@ henning@

Revision 1.329 / (download) - annotate - [select for diffs], Mon Feb 24 21:55:51 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.328: +5 -7 lines
Diff to previous 1.328 (colored)

when a macro is redefined, don't bother with reusing the existing entry in
symset() but just prepend a new sym entry to symhead like we always did. as
symget searches the list sequentially, the newest one is picked first.
prevents an endless loop introduced when trying to reuse the existing entry
by an invalid setting for the next pointer.
fixes regress test pf57.

found after conversation with Chris Linn, celinn at mtu dot edu

ok dhartmei@ cedric@

Revision 1.328 / (download) - annotate - [select for diffs], Fri Feb 21 10:54:57 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.327: +2 -2 lines
Diff to previous 1.327 (colored)

re-allow set loginterface none
ok cedric@ dhartmei@

Revision 1.327 / (download) - annotate - [select for diffs], Fri Feb 21 10:34:52 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.326: +5 -1 lines
Diff to previous 1.326 (colored)

better error message if set loginterface is called with nonexistent
interface, found by krause (who is doing EXCELLENT work. Thank you very
much!), fix by me, ok dhartmei@ and cedric@

Revision 1.326 / (download) - annotate - [select for diffs], Thu Feb 20 00:18:19 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.325: +5 -1 lines
Diff to previous 1.325 (colored)

reject nonexistent interfaces in the dynaddr case, noticed during discussion
with jasondixon at myrealbox dot com

ok dhartmei@

Revision 1.325 / (download) - annotate - [select for diffs], Wed Feb 19 22:00:20 2003 UTC (21 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.324: +8 -2 lines
Diff to previous 1.324 (colored)

Make 'from (kue0)/24' work again (dynamic interface name translation with
a /prefix), reported by Jason Dixon. ok henning@

Revision 1.324 / (download) - annotate - [select for diffs], Wed Feb 19 21:54:46 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.323: +4 -2 lines
Diff to previous 1.323 (colored)

better error message on icmp version / address family mismatch

ok markus@

Revision 1.323 / (download) - annotate - [select for diffs], Tue Feb 18 21:59:34 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.322: +2 -10 lines
Diff to previous 1.322 (colored)

fix load option handling (-A, -N, -R) for options.
due to a bug in the loadopt check options were always loaded no matter which
loadopts were specified.
while being there, move the prints for that to where they belong, into the
appropriate pfctl_set_* functions, and thus only print when the options are
actually loaded.
fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier.

ok dhartmei@

Revision 1.322 / (download) - annotate - [select for diffs], Mon Feb 17 14:36:46 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.321: +5 -5 lines
Diff to previous 1.321 (colored)

"optarg" was a bad pick for the variable name in pfctl_cmdline_symset, it
shadows a global. rename.

Revision 1.321 / (download) - annotate - [select for diffs], Mon Feb 17 06:56:04 2003 UTC (21 years, 3 months ago) by mpech
Branch: MAIN
Changes since 1.320: +1 -2 lines
Diff to previous 1.320 (colored)

-#include <sys/ioctl.h>

mcbride@, dhartmei@ ok

Revision 1.320 / (download) - annotate - [select for diffs], Sun Feb 16 15:19:42 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.319: +2 -3 lines
Diff to previous 1.319 (colored)

unneeded {}

Revision 1.319 / (download) - annotate - [select for diffs], Sun Feb 16 15:11:09 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.318: +3 -1 lines
Diff to previous 1.318 (colored)

throw a syntax error if the portunary operator in varset is no '='
extif>"whatever"
should not be the same as
extif="whatever"
but a syntax error.

Revision 1.318 / (download) - annotate - [select for diffs], Fri Feb 14 14:38:32 2003 UTC (21 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.317: +1 -9 lines
Diff to previous 1.317 (colored)

Allow route-to loopback interfaces again, since Ryan fixed the loops that
might have occurred before.

Revision 1.317 / (download) - annotate - [select for diffs], Fri Feb 14 13:23:17 2003 UTC (21 years, 3 months ago) by cedric
Branch: MAIN
Changes since 1.316: +7 -1 lines
Diff to previous 1.316 (colored)

Better and more consistent error message.
Ok dhartmei@

Revision 1.316 / (download) - annotate - [select for diffs], Thu Feb 13 10:26:21 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.315: +13 -17 lines
Diff to previous 1.315 (colored)

ease the yacc a bit by using a "not" rule instead of having two rules w/ and
without '!' everywhere

ok dhartmei@

Revision 1.315 / (download) - annotate - [select for diffs], Wed Feb 12 13:03:54 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.314: +5 -5 lines
Diff to previous 1.314 (colored)

KNF after ryan

Revision 1.314 / (download) - annotate - [select for diffs], Wed Feb 12 12:48:40 2003 UTC (21 years, 3 months ago) by mcbride
Branch: MAIN
Changes since 1.313: +220 -404 lines
Diff to previous 1.313 (colored)

Simplify the code and make the parser handle the different rule types
more consistently.

- Merge expand_nat and expand_rdr into expand_rule
- Merge rdrrule token into natrule

ok concept henning@
ok dhartmei@

Revision 1.313 / (download) - annotate - [select for diffs], Tue Feb 11 20:11:36 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.312: +35 -5 lines
Diff to previous 1.312 (colored)

allow macro definition on the command line:
pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea
theo), very handy if your notebook has another NIC at some conference, as
well as for debugging etc.
idea rezine@mistrusted.net via pb@
hacked live at FOSDEM

ok pb@ dhartmei@ cedric@

Revision 1.312 / (download) - annotate - [select for diffs], Sun Feb 9 15:04:04 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.311: +27 -11 lines
Diff to previous 1.311 (colored)

more live code from FOSDEM:
make
pass in proto tcp to port 80
work.
-allow to omit the "any" if you're specifying a port
-allow to omit the from or to part if you want "any" for the other

ok dhartmei@ pb@

Revision 1.311 / (download) - annotate - [select for diffs], Sun Feb 9 13:50:44 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.310: +2 -2 lines
Diff to previous 1.310 (colored)

KNF

Revision 1.310 / (download) - annotate - [select for diffs], Sun Feb 9 12:49:48 2003 UTC (21 years, 3 months ago) by camield
Branch: MAIN
Changes since 1.309: +6 -10 lines
Diff to previous 1.309 (colored)

Fix a few warnings and remove unnecessary check and cast.

ok dhartmei henning

Revision 1.309 / (download) - annotate - [select for diffs], Sat Feb 8 20:13:20 2003 UTC (21 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.308: +13 -2 lines
Diff to previous 1.308 (colored)

Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@

Revision 1.308 / (download) - annotate - [select for diffs], Wed Feb 5 16:05:54 2003 UTC (21 years, 4 months ago) by cedric
Branch: MAIN
Changes since 1.307: +18 -7 lines
Diff to previous 1.307 (colored)

Fix "pass out dup-to (tun0 1.1.1.1) inet6 all" error message
Allow "pass out dup-to tun0 all"
ok mcbride@ henning@

Revision 1.307 / (download) - annotate - [select for diffs], Wed Feb 5 00:46:57 2003 UTC (21 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.306: +2 -1 lines
Diff to previous 1.306 (colored)

Set the network mask to all 1's if no address is specified for a
route-to/dup-to/reply-to rule. Keeps round-robin from incrementing through
the entire address space.

ok dhartmei@

Revision 1.306 / (download) - annotate - [select for diffs], Mon Feb 3 16:44:21 2003 UTC (21 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.305: +3 -5 lines
Diff to previous 1.305 (colored)

pretty

Revision 1.305 / (download) - annotate - [select for diffs], Mon Feb 3 15:44:52 2003 UTC (21 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.304: +15 -3 lines
Diff to previous 1.304 (colored)

Don't allow loopback interfaces as route/reply/dup-to targets. ok henning@

Revision 1.304 / (download) - annotate - [select for diffs], Mon Feb 3 14:51:36 2003 UTC (21 years, 4 months ago) by cedric
Branch: MAIN
Changes since 1.303: +3 -2 lines
Diff to previous 1.303 (colored)

remove loadopt global definition and cleanup a bit.
ok henning@

Revision 1.303 / (download) - annotate - [select for diffs], Mon Feb 3 13:40:45 2003 UTC (21 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.302: +12 -1 lines
Diff to previous 1.302 (colored)

fix a problem with queue definitions when load options (like -N etc) are
given; they used to check for their parent interface/queue even in this
case.

ok dhartmei@ cedric@

Revision 1.302 / (download) - annotate - [select for diffs], Sun Feb 2 23:22:07 2003 UTC (21 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.301: +3 -3 lines
Diff to previous 1.301 (colored)

there is no need to pass opts to parse_rules explicitly; it's passed as
part of the struct pfctl.

Revision 1.301 / (download) - annotate - [select for diffs], Mon Jan 27 19:08:27 2003 UTC (21 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.300: +17 -17 lines
Diff to previous 1.300 (colored)

KNF

Revision 1.300 / (download) - annotate - [select for diffs], Sat Jan 25 22:53:45 2003 UTC (21 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.299: +10 -4 lines
Diff to previous 1.299 (colored)

Match changes for rdr port ranges made to pf.c:
- fixes behaviour of rdr on le0 from foo to bar port 1:20 -> (lo0) port 22
- makes calculated mapping more explicit for the -> (lo0) port 22:* case

testing from dhartmei@

ok dhartmei@

Revision 1.299 / (download) - annotate - [select for diffs], Sat Jan 25 18:16:05 2003 UTC (21 years, 4 months ago) by cedric
Branch: MAIN
Changes since 1.298: +3 -2 lines
Diff to previous 1.298 (colored)

Fix NOACTION with table statements.

Revision 1.298 / (download) - annotate - [select for diffs], Sat Jan 25 16:33:19 2003 UTC (21 years, 4 months ago) by cedric
Branch: MAIN
Changes since 1.297: +41 -15 lines
Diff to previous 1.297 (colored)

Permit initialisation of a table content from a file in pf.conf.
Cleaning up of the table options parsing, more flexible.
idea+cleanup deraadt@, ok dhartmei@, pass all regress tests.

Revision 1.297 / (download) - annotate - [select for diffs], Sat Jan 25 15:37:00 2003 UTC (21 years, 4 months ago) by cedric
Branch: MAIN
Changes since 1.296: +27 -1 lines
Diff to previous 1.296 (colored)

Correctly check illegal constructs with tables. Better error messages.
ok dhartmei@ pass all regress tests.

Revision 1.296 / (download) - annotate - [select for diffs], Sat Jan 25 00:51:40 2003 UTC (21 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.295: +5 -2 lines
Diff to previous 1.295 (colored)

if a table name is too long, it's actually nice to tell so instead of just
aborting with a syntax error

Revision 1.295 / (download) - annotate - [select for diffs], Mon Jan 20 18:37:52 2003 UTC (21 years, 4 months ago) by camield
Branch: MAIN
Changes since 1.294: +3 -2 lines
Diff to previous 1.294 (colored)

Remove unused argument from print_name() and fix two other nits
found by lint.

ok henning

Revision 1.294 / (download) - annotate - [select for diffs], Sun Jan 19 10:19:15 2003 UTC (21 years, 4 months ago) by camield
Branch: MAIN
Changes since 1.293: +73 -116 lines
Diff to previous 1.293 (colored)

Spin off label string expansion into a separate function.  Clarifies
and tightens all expand_label functions.

ok dhartmei henning

Revision 1.293 / (download) - annotate - [select for diffs], Sat Jan 18 15:06:13 2003 UTC (21 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.292: +2 -2 lines
Diff to previous 1.292 (colored)

KNF after ryan...

Revision 1.292 / (download) - annotate - [select for diffs], Sat Jan 18 04:45:59 2003 UTC (21 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.291: +5 -1 lines
Diff to previous 1.291 (colored)

Add missing token string and assignment to make static-port work for real.

Diff and report courtesy of mpech@ and form@

ok dhartmei@

Revision 1.291 / (download) - annotate - [select for diffs], Fri Jan 17 12:53:52 2003 UTC (21 years, 4 months ago) by camield
Branch: MAIN
Changes since 1.290: +4 -3 lines
Diff to previous 1.290 (colored)

bandwith -> bandwidth

YYERROR on failed parseicmpspec()

ok dhartmei mcbride henning

Revision 1.290 / (download) - annotate - [select for diffs], Wed Jan 15 15:14:42 2003 UTC (21 years, 4 months ago) by mpech
Branch: MAIN
Changes since 1.289: +2 -2 lines
Diff to previous 1.289 (colored)

Typo in yyerror().

henning@

Revision 1.289 / (download) - annotate - [select for diffs], Tue Jan 14 21:58:11 2003 UTC (21 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.288: +1 -329 lines
Diff to previous 1.288 (colored)

unified IP parser:
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h]
-extend host() to handle /mask itself, plus minor adjustments
-use that in pfctl_table.c instead of coding the same shit again

discussed w/ cedric@
ok cedric@ dhartmei@

Revision 1.288 / (download) - annotate - [select for diffs], Mon Jan 13 08:17:47 2003 UTC (21 years, 4 months ago) by camield
Branch: MAIN
Changes since 1.287: +23 -43 lines
Diff to previous 1.287 (colored)

err() on all memory allocation failures

ok henning dhartmei

Revision 1.287 / (download) - annotate - [select for diffs], Sat Jan 11 22:00:00 2003 UTC (21 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.286: +2 -2 lines
Diff to previous 1.286 (colored)

Whitespace KNF

Revision 1.286 / (download) - annotate - [select for diffs], Thu Jan 9 19:02:21 2003 UTC (21 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.285: +10 -10 lines
Diff to previous 1.285 (colored)

no need for explicit numbering in enums

ok dhartmei@

Revision 1.285 / (download) - annotate - [select for diffs], Thu Jan 9 18:42:44 2003 UTC (21 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.284: +155 -84 lines
Diff to previous 1.284 (colored)

Check return values on the remaining strlcpy/strlcat. ok henning@

Revision 1.284 / (download) - annotate - [select for diffs], Thu Jan 9 17:59:23 2003 UTC (21 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.283: +4 -4 lines
Diff to previous 1.283 (colored)

minor KNF

Revision 1.283 / (download) - annotate - [select for diffs], Thu Jan 9 10:40:44 2003 UTC (21 years, 4 months ago) by cedric
Branch: MAIN
Changes since 1.282: +45 -3 lines
Diff to previous 1.282 (colored)

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@

Revision 1.282 / (download) - annotate - [select for diffs], Wed Jan 8 19:47:37 2003 UTC (21 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.281: +26 -6 lines
Diff to previous 1.281 (colored)

check more strlcpy; camield@

Revision 1.281 / (download) - annotate - [select for diffs], Tue Jan 7 04:20:06 2003 UTC (21 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.280: +2 -2 lines
Diff to previous 1.280 (colored)

Allow underscore at the beginning of strings, fixes
  pass all user _spamd
which was refused as syntax error before. Reported by Joe Nall.
ok henning@

Revision 1.280 / (download) - annotate - [select for diffs], Tue Jan 7 00:21:07 2003 UTC (21 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.279: +9 -13 lines
Diff to previous 1.279 (colored)

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@

Revision 1.279 / (download) - annotate - [select for diffs], Mon Jan 6 11:30:10 2003 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.278: +9 -5 lines
Diff to previous 1.278 (colored)

Fix some oversights with address pools for route-to/dup-to/reply-to
- copy key for src-hash
- copy pool type (pools were being set to round-robin in all cases)

+ some minor knf.

ok dhartmei@

Revision 1.278 / (download) - annotate - [select for diffs], Sun Jan 5 22:20:34 2003 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.277: +2 -2 lines
Diff to previous 1.277 (colored)

err after calloc failure, not errx

Revision 1.277 / (download) - annotate - [select for diffs], Sun Jan 5 22:14:23 2003 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.276: +68 -64 lines
Diff to previous 1.276 (colored)

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@

Revision 1.276 / (download) - annotate - [select for diffs], Sat Jan 4 17:40:51 2003 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.275: +2 -9 lines
Diff to previous 1.275 (colored)

move noroute from flag in pf_rule_addr into type in pf_addr_wrap.
ok henning@, mcbride@

Revision 1.275 / (download) - annotate - [select for diffs], Sat Jan 4 00:01:34 2003 UTC (21 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.274: +2 -4 lines
Diff to previous 1.274 (colored)

I do not know where this policy of "one .h file for every .c file" comes
from, but whoever thought of it is stupid.

Revision 1.274 / (download) - annotate - [select for diffs], Fri Jan 3 22:22:18 2003 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.273: +12 -13 lines
Diff to previous 1.273 (colored)

whitespace KNF (no, i don't touch the option inits)

Revision 1.273 / (download) - annotate - [select for diffs], Fri Jan 3 21:37:44 2003 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.272: +21 -1 lines
Diff to previous 1.272 (colored)

Bring in userland code for accessing PF radix tables.
ok dhartmei@ mcbride@

Revision 1.272 / (download) - annotate - [select for diffs], Thu Jan 2 11:34:59 2003 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.271: +6 -1 lines
Diff to previous 1.271 (colored)

Require a direction to be specified for rules which do routing.

ok dhartmei@ henning@

Revision 1.271 / (download) - annotate - [select for diffs], Mon Dec 30 23:46:54 2002 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.270: +3 -3 lines
Diff to previous 1.270 (colored)

Change ipv6-icmp-type to icmp6-type. pf.conf files will need to be adjusted
to reflect this.

ok dhartmei@ henning@

Revision 1.270 / (download) - annotate - [select for diffs], Fri Dec 27 22:13:31 2002 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.269: +20 -14 lines
Diff to previous 1.269 (colored)

Since pf_norm.c looks at rule.log to see if it should log packets being
dropped due to scrub violations, this adds the ability to set this in
pf.conf.

ok henning@

Revision 1.269 / (download) - annotate - [select for diffs], Sat Dec 21 18:53:48 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.268: +21 -5 lines
Diff to previous 1.268 (colored)

always initialize rpool.key; diff from Frank Denis; KNF by me

Revision 1.268 / (download) - annotate - [select for diffs], Sat Dec 21 18:47:33 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.267: +46 -37 lines
Diff to previous 1.267 (colored)

KNF

Revision 1.267 / (download) - annotate - [select for diffs], Fri Dec 20 19:57:37 2002 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.266: +1 -2 lines
Diff to previous 1.266 (colored)

remove a redundant assignment.

Revision 1.266 / (download) - annotate - [select for diffs], Thu Dec 19 10:58:21 2002 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.265: +1 -2 lines
Diff to previous 1.265 (colored)

fix 'no rdr'.

Revision 1.265 / (download) - annotate - [select for diffs], Wed Dec 18 18:01:41 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.264: +52 -49 lines
Diff to previous 1.264 (colored)

more KNF

Revision 1.264 / (download) - annotate - [select for diffs], Wed Dec 18 10:16:55 2002 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.263: +6 -1 lines
Diff to previous 1.263 (colored)

proto list expansion is not supported in binat-anchor yet, print an error
when attempted.

Revision 1.263 / (download) - annotate - [select for diffs], Wed Dec 18 10:02:40 2002 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.262: +33 -2 lines
Diff to previous 1.262 (colored)

Support (single) destination port in rdr-anchor rules. Print an error
where parameters are not supported (in rdr-anchor and binat-anchor) yet.
If those are needed, we'll have to expand them properly.

Revision 1.262 / (download) - annotate - [select for diffs], Wed Dec 18 08:01:47 2002 UTC (21 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.261: +4 -9 lines
Diff to previous 1.261 (colored)

fix some INCREDIBLE new bugs which were introduced

Revision 1.261 / (download) - annotate - [select for diffs], Tue Dec 17 20:06:05 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.260: +66 -5 lines
Diff to previous 1.260 (colored)

add support for the PRIQ scheduler

partially from kjc@

ok kjc@ dhartmei@

Revision 1.260 / (download) - annotate - [select for diffs], Tue Dec 17 12:36:59 2002 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.259: +121 -87 lines
Diff to previous 1.259 (colored)

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule

ok dhartmei@ henning@

Revision 1.259 / (download) - annotate - [select for diffs], Tue Dec 17 12:05:58 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.258: +4 -1 lines
Diff to previous 1.258 (colored)

missing break in switch

Revision 1.258 / (download) - annotate - [select for diffs], Tue Dec 17 12:01:22 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.257: +34 -32 lines
Diff to previous 1.257 (colored)

beautify the %type block

Revision 1.257 / (download) - annotate - [select for diffs], Tue Dec 17 11:29:04 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.256: +5 -1 lines
Diff to previous 1.256 (colored)

PRIQ and HFSC support functions, not yet used.
mostly from kjc@ with adjustments by me.

ok theo ryan daniel

Revision 1.256 / (download) - annotate - [select for diffs], Mon Dec 16 23:36:14 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.255: +17 -14 lines
Diff to previous 1.255 (colored)

only create a root queue if scheduler = cbq

Revision 1.255 / (download) - annotate - [select for diffs], Mon Dec 16 22:50:11 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.254: +11 -6 lines
Diff to previous 1.254 (colored)

get full [scheduler]_opts struct instead of just .flags, and wrap in into a
switch (scheduler) statement in one case

inspired by kjc@

Revision 1.254 / (download) - annotate - [select for diffs], Fri Dec 13 21:51:25 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.253: +35 -13 lines
Diff to previous 1.253 (colored)

allow a second queue for higher prioritized (currently: tos=lowdelay) packets
to be specified per rule

queue (qname, priorized_qname)

idea dhartmei
ok dhartmei@ frantzen@ deraadt@

Revision 1.253 / (download) - annotate - [select for diffs], Fri Dec 13 20:02:40 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.252: +14 -14 lines
Diff to previous 1.252 (colored)

a bit KNF originally part of another diff soon to come; frantzen@ correctly
pointed out that should be a separate commit.

Revision 1.252 / (download) - annotate - [select for diffs], Fri Dec 13 12:06:27 2002 UTC (21 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.251: +104 -77 lines
Diff to previous 1.251 (colored)

permit re-ordering of some scrub parameters, and also clean up some other
grammar baloney; henning ok

Revision 1.251 / (download) - annotate - [select for diffs], Thu Dec 12 15:06:16 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.250: +126 -123 lines
Diff to previous 1.250 (colored)

KNF

Revision 1.250 / (download) - annotate - [select for diffs], Thu Dec 12 14:46:26 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.249: +2 -5 lines
Diff to previous 1.249 (colored)

we don't need to keep a private copy of the queue name in expand_rule,
r->qname is never modified

discussed with dhartmei@

Revision 1.249 / (download) - annotate - [select for diffs], Wed Dec 11 13:23:38 2002 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.248: +7 -15 lines
Diff to previous 1.248 (colored)

Replace strncpy + ugly pointer math with sscanf for reading source-hash keys

ok dhartmei@ henning@

Revision 1.248 / (download) - annotate - [select for diffs], Mon Dec 9 13:17:48 2002 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.247: +5 -4 lines
Diff to previous 1.247 (colored)

(properly guarded) strcpy() -> strlcpy()

Revision 1.247 / (download) - annotate - [select for diffs], Mon Dec 9 03:59:59 2002 UTC (21 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.246: +68 -19 lines
Diff to previous 1.246 (colored)

do not allow redefinitions in variable option blocks; henning ok

Revision 1.246 / (download) - annotate - [select for diffs], Sun Dec 8 17:00:19 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.245: +8 -8 lines
Diff to previous 1.245 (colored)

strncpy is evil.

Revision 1.245 / (download) - annotate - [select for diffs], Sun Dec 8 00:19:47 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.244: +107 -76 lines
Diff to previous 1.244 (colored)

allow flexible options order like Theo did for rules.

idea, lots of input, motivation and ok deraadt@

ATTENTION:
this changes the syntax. the "scheduler" keyword is gone now.
old: altq on $interface scheduler cbq ...
new: altq on $interface cbq ...

Revision 1.244 / (download) - annotate - [select for diffs], Sat Dec 7 23:15:53 2002 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.243: +55 -10 lines
Diff to previous 1.243 (colored)

Support parameters in anchor rules. Allows conditional evaluation, like:

  anchor spews inet proto tcp from any to any port smtp

ok deraadt

Revision 1.243 / (download) - annotate - [select for diffs], Sat Dec 7 21:20:23 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.242: +3 -3 lines
Diff to previous 1.242 (colored)

more KNF

Revision 1.242 / (download) - annotate - [select for diffs], Sat Dec 7 21:16:26 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.241: +13 -12 lines
Diff to previous 1.241 (colored)

KNF

Revision 1.241 / (download) - annotate - [select for diffs], Sat Dec 7 20:25:40 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.240: +26 -26 lines
Diff to previous 1.240 (colored)

shadow cleanup

ok mcbride@ frantzen@

Revision 1.240 / (download) - annotate - [select for diffs], Sat Dec 7 20:09:57 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.239: +9 -9 lines
Diff to previous 1.239 (colored)

kill an unused param to lungetc

Revision 1.239 / (download) - annotate - [select for diffs], Sat Dec 7 18:16:59 2002 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.238: +5 -1 lines
Diff to previous 1.238 (colored)

Convert the hash of a string key to network byte order. Makes regression
work on all platforms.

Bug found by dhartmei@

ok dhartmei@ henning@

Revision 1.238 / (download) - annotate - [select for diffs], Fri Dec 6 12:36:02 2002 UTC (21 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.237: +5 -6 lines
Diff to previous 1.237 (colored)

Remove negated address list check again, doesn't work right yet.

Revision 1.237 / (download) - annotate - [select for diffs], Fri Dec 6 00:47:31 2002 UTC (21 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.236: +133 -86 lines
Diff to previous 1.236 (colored)

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@

Revision 1.236 / (download) - annotate - [select for diffs], Thu Dec 5 15:28:00 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.235: +2 -3 lines
Diff to previous 1.235 (colored)

fix a small cosmetic problem. if ifa_lookup was called in LOOKUP_NET mode,
it would return things like 127.0.0.1/8. when 127.0.0.1/8 is passed through
the new selftests, it becomes 127.0.0.0/8.
fix: instead of just copying addr.mask in ifa_lookup, use set_ipmask, so it
is 127.0.0.0/8 from the beginning on.

Revision 1.235 / (download) - annotate - [select for diffs], Thu Dec 5 13:07:24 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.234: +3 -3 lines
Diff to previous 1.234 (colored)

-quote varset in -v output
-don't add 's' in set timeout -v output

makes the feedback regression tests succeed.

ok markus@ mcbride@

Revision 1.234 / (download) - annotate - [select for diffs], Wed Dec 4 12:57:55 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.233: +3 -3 lines
Diff to previous 1.233 (colored)

in host(), apply a given netmask to all members of the node_host list
returned by ifa_lookup().

reported by Alejandro G. Belluscio

ok dhartmei@

Revision 1.233 / (download) - annotate - [select for diffs], Wed Dec 4 08:07:27 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.232: +8 -7 lines
Diff to previous 1.232 (colored)

do not warn for unused variables except with -v -v; henning ok

Revision 1.232 / (download) - annotate - [select for diffs], Mon Dec 2 22:45:37 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.231: +4 -5 lines
Diff to previous 1.231 (colored)

KNF

Revision 1.231 / (download) - annotate - [select for diffs], Mon Dec 2 22:34:33 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.230: +134 -47 lines
Diff to previous 1.230 (colored)

permit more flexible pass/block lines.  the options given at the end of
a line can now be placed in any order, and some merging of duplicate options
is also done.  this is easier to use.

Revision 1.230 / (download) - annotate - [select for diffs], Mon Dec 2 22:18:21 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.229: +7 -9 lines
Diff to previous 1.229 (colored)

allow for "altq on $interface" without specifying a bandwidth. The
interface's bandwidth is taken then.
as a side-effect, "altq on $interface bandwidth xx%" is also possible now,
it's relative to the interface's bandwidth then.

ok theo

Revision 1.229 / (download) - annotate - [select for diffs], Sat Nov 30 13:53:14 2002 UTC (21 years, 6 months ago) by mickey
Branch: MAIN
Changes since 1.228: +2 -1 lines
Diff to previous 1.228 (colored)

move damn unmask() proto into place as well

Revision 1.228 / (download) - annotate - [select for diffs], Fri Nov 29 17:14:18 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.227: +10 -4 lines
Diff to previous 1.227 (colored)

coredumps are not nice.
deal with the fact that when we are merging the lists in host_list both can
be NULL.
found at EuroBSDCon 2002 while I was explaining the expansion process to
Paul de Weerd

ok dhartmei@

Revision 1.227 / (download) - annotate - [select for diffs], Fri Nov 29 15:37:23 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.226: +4 -2 lines
Diff to previous 1.226 (colored)

print queuespec only once in verbose mode, even if referenced more often

Revision 1.226 / (download) - annotate - [select for diffs], Fri Nov 29 15:32:14 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.225: +3 -2 lines
Diff to previous 1.225 (colored)

FREE_LIST nqueues later; can be used more than once

Revision 1.225 / (download) - annotate - [select for diffs], Thu Nov 28 14:43:39 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.224: +7 -6 lines
Diff to previous 1.224 (colored)

allow qlimit on altq spec

Revision 1.224 / (download) - annotate - [select for diffs], Thu Nov 28 12:14:24 2002 UTC (21 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.223: +70 -41 lines
Diff to previous 1.223 (colored)

- Adjust to match replacement of md5 with pf_hash
- Allow keys to be specified in hex (must be 128 bits, mainly to make
  pfctl -v output parseable by pfctl) or as a string. Randomly generate key
  if one is not specified.

Suggestions and fixes from camield@

ok mickey@ camield@ henning@

Revision 1.223 / (download) - annotate - [select for diffs], Wed Nov 27 18:50:32 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.222: +2 -5 lines
Diff to previous 1.222 (colored)

handle the "no bandwidth specified" case earlier and easier.

Revision 1.222 / (download) - annotate - [select for diffs], Wed Nov 27 16:23:01 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.221: +2 -2 lines
Diff to previous 1.221 (colored)

-use a #define for default qlimit instead of hardcoding it
-print qlimit in print_queue if it is not the default one
-assign the default qlimit early in the parser instead of using 0

Revision 1.221 / (download) - annotate - [select for diffs], Wed Nov 27 16:06:20 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.220: +3 -3 lines
Diff to previous 1.220 (colored)

next round in print fixes:
-only print priority if it is not equal to the default one
-space handling overhaul

Revision 1.220 / (download) - annotate - [select for diffs], Wed Nov 27 15:49:16 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.219: +2 -2 lines
Diff to previous 1.219 (colored)

use a #define for default priority instead of hardcoding it

Revision 1.219 / (download) - annotate - [select for diffs], Wed Nov 27 14:39:06 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.218: +4 -4 lines
Diff to previous 1.218 (colored)

fix tbrsize spec

Revision 1.218 / (download) - annotate - [select for diffs], Wed Nov 27 14:33:12 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.217: +2 -2 lines
Diff to previous 1.217 (colored)

fix error message for altq ifspec without child queues

Revision 1.217 / (download) - annotate - [select for diffs], Tue Nov 26 21:10:45 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.216: +4 -1 lines
Diff to previous 1.216 (colored)

make bandwidth specification on queue truly optional

Revision 1.216 / (download) - annotate - [select for diffs], Tue Nov 26 19:14:14 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.215: +5 -5 lines
Diff to previous 1.215 (colored)

queue comes before NAT

Revision 1.215 / (download) - annotate - [select for diffs], Mon Nov 25 18:11:34 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.214: +11 -3 lines
Diff to previous 1.214 (colored)

repair decide_address_family
you cannot just take the first address family you meet as the rule's address
family... either all are equal, or the rule has no explicit AF.

found by danh@
ok theo

Revision 1.214 / (download) - annotate - [select for diffs], Mon Nov 25 17:44:39 2002 UTC (21 years, 6 months ago) by mickey
Branch: MAIN
Changes since 1.213: +9 -4 lines
Diff to previous 1.213 (colored)

for loN and link1 translate the iface into address properly; henning@ ok

Revision 1.213 / (download) - annotate - [select for diffs], Mon Nov 25 16:30:22 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.212: +4 -4 lines
Diff to previous 1.212 (colored)

1Kb = 1000b, not 1024; as discussed with kjc@ and theo

Revision 1.212 / (download) - annotate - [select for diffs], Mon Nov 25 15:50:58 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.211: +2 -2 lines
Diff to previous 1.211 (colored)

KNF

Revision 1.211 / (download) - annotate - [select for diffs], Sun Nov 24 17:33:57 2002 UTC (21 years, 6 months ago) by pb
Branch: MAIN
Changes since 1.210: +10 -3 lines
Diff to previous 1.210 (colored)

enforce that queue comes right before filtering
'options, normalization, translation, queue, filter' now

henning@ ok

Revision 1.210 / (download) - annotate - [select for diffs], Sun Nov 24 13:12:36 2002 UTC (21 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.209: +5 -17 lines
Diff to previous 1.209 (colored)

Cosmetics and removal of a redundant code block.

Revision 1.209 / (download) - annotate - [select for diffs], Sat Nov 23 23:00:32 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.208: +3 -3 lines
Diff to previous 1.208 (colored)

sigh

Revision 1.208 / (download) - annotate - [select for diffs], Sat Nov 23 22:57:54 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.207: +5 -5 lines
Diff to previous 1.207 (colored)

KNF

Revision 1.207 / (download) - annotate - [select for diffs], Sat Nov 23 18:32:29 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.206: +6 -5 lines
Diff to previous 1.206 (colored)

better error checking in expand_queue

Revision 1.206 / (download) - annotate - [select for diffs], Sat Nov 23 18:27:28 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.205: +3 -7 lines
Diff to previous 1.205 (colored)

easier

Revision 1.205 / (download) - annotate - [select for diffs], Sat Nov 23 18:23:41 2002 UTC (21 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.204: +148 -228 lines
Diff to previous 1.204 (colored)

Daniel's diff to untangle my mess with ifa_pick_ips like so:

- add decide_address_family() which runs through the list to find hosts
  with the af set
- replace ifa_pick_ips with remove_invalid_hosts() which removes hosts with
  the wrong address family from the list

from/ok dhartmei@

Revision 1.204 / (download) - annotate - [select for diffs], Sat Nov 23 16:41:43 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.203: +24 -11 lines
Diff to previous 1.203 (colored)

better error checking, round 1
this time in expand_altq

Revision 1.203 / (download) - annotate - [select for diffs], Sat Nov 23 15:59:57 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.202: +2 -2 lines
Diff to previous 1.202 (colored)

KNF

Revision 1.202 / (download) - annotate - [select for diffs], Sat Nov 23 09:33:54 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.201: +40 -40 lines
Diff to previous 1.201 (colored)

KNF

Revision 1.201 / (download) - annotate - [select for diffs], Sat Nov 23 09:30:39 2002 UTC (21 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.200: +1 -2 lines
Diff to previous 1.200 (colored)

$$->ifname is NULL, leave it NULL, don't $$->ifname[0] = 0;

Revision 1.200 / (download) - annotate - [select for diffs], Sat Nov 23 09:15:25 2002 UTC (21 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.199: +63 -58 lines
Diff to previous 1.199 (colored)

Fix brokenness in parse.y, clean up:
- remove requirement for ( ) in route-to ( if )
- calloc route_host
- initialise route_host->next
- globally convert malloc to calloc

ok dhartmei@

Revision 1.199 / (download) - annotate - [select for diffs], Sat Nov 23 05:22:24 2002 UTC (21 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.198: +515 -207 lines
Diff to previous 1.198 (colored)

code to support loading of pf rules with multiple redirection addresses
(in nat, rdr, route-to, dup-to and reply-to)

Syntax looks like this, see pf.conf(5) for details:

nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
        192.168.0.16/29 source-hash random

rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
        { 192.168.0.8/31, 192.168.0.15 } port 22 round-robin

ok dhartmei@ henning@

Revision 1.198 / (download) - annotate - [select for diffs], Fri Nov 22 12:24:30 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.197: +26 -2 lines
Diff to previous 1.197 (colored)

print altq and queue lines in the pfctl -v case including the child queue
assignment

Revision 1.197 / (download) - annotate - [select for diffs], Tue Nov 19 18:51:09 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.196: +5 -2 lines
Diff to previous 1.196 (colored)

only take cbq opts from schedtype if type=CBQ

Revision 1.196 / (download) - annotate - [select for diffs], Tue Nov 19 17:31:24 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.195: +10 -6 lines
Diff to previous 1.195 (colored)

repair queuespec syntax glitch, theo agrees

Revision 1.195 / (download) - annotate - [select for diffs], Tue Nov 19 17:05:19 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.194: +2 -2 lines
Diff to previous 1.194 (colored)

default priority is 1, not 0
found by pb@

Revision 1.194 / (download) - annotate - [select for diffs], Tue Nov 19 12:11:36 2002 UTC (21 years, 6 months ago) by camield
Branch: MAIN
Changes since 1.193: +6 -6 lines
Diff to previous 1.193 (colored)

- match 'Gb' case-sensitively
- match "%" unit only, not "%crap"

ok henning@

Revision 1.193 / (download) - annotate - [select for diffs], Tue Nov 19 11:25:45 2002 UTC (21 years, 6 months ago) by wilfried
Branch: MAIN
Changes since 1.192: +3 -3 lines
Diff to previous 1.192 (colored)

icmp-type was off by one, ok henning@

Revision 1.192 / (download) - annotate - [select for diffs], Mon Nov 18 23:38:48 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.191: +2 -2 lines
Diff to previous 1.191 (colored)

no; do not use };

Revision 1.191 / (download) - annotate - [select for diffs], Mon Nov 18 23:37:00 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.190: +6 -6 lines
Diff to previous 1.190 (colored)

more using strl* return values instead of strlen calls

Revision 1.190 / (download) - annotate - [select for diffs], Mon Nov 18 23:28:50 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.189: +3 -3 lines
Diff to previous 1.189 (colored)

easier "queue name too long" detection; from theo

Revision 1.189 / (download) - annotate - [select for diffs], Mon Nov 18 23:13:32 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.188: +7 -7 lines
Diff to previous 1.188 (colored)

KNF

Revision 1.188 / (download) - annotate - [select for diffs], Mon Nov 18 22:55:39 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.187: +13 -13 lines
Diff to previous 1.187 (colored)

KNF

Revision 1.187 / (download) - annotate - [select for diffs], Mon Nov 18 22:49:15 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.186: +332 -2 lines
Diff to previous 1.186 (colored)

altq and pf merged

this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documentation yet, but committing now
enables a few more people to work on it.

print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.

"commit now" theo philipp daniel

Revision 1.186 / (download) - annotate - [select for diffs], Wed Nov 13 22:44:11 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.185: +10 -20 lines
Diff to previous 1.185 (colored)

as scrub rules end up in a struct pf_rule just call expand_rule instead of
handcrufting this.
has quite a few positive side effects:
-interface list expansion works (fries@ asked for that)
-can specify address family, very helpful with dynamic interface expansion
 (pointed out by daniel)
-src/dst ip/port list expansion works
-fixes a long standing, scary, though never noticed bug:
  scrub out on lo1 from any to 10.0.0.1
expanded to
  scrub out on lo1 all
... this bug was there from day #1.

"sneaky diff of the month award" dhartmei@

Revision 1.185 / (download) - annotate - [select for diffs], Wed Nov 13 18:24:53 2002 UTC (21 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.184: +26 -5 lines
Diff to previous 1.184 (colored)

Add label macro $if, as we support {} list expansion for interfaces now.
From David Gwynne. ok henning@, camield@

Revision 1.184 / (download) - annotate - [select for diffs], Wed Nov 13 16:51:37 2002 UTC (21 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.183: +3 -1 lines
Diff to previous 1.183 (colored)

Initialize tail pointer to node, found by fries@

Revision 1.183 / (download) - annotate - [select for diffs], Fri Nov 8 10:50:28 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.182: +2 -2 lines
Diff to previous 1.182 (colored)

init buf to NULL just in case...
there isn't a single codepath where it can remain uninitialized, but this
might prevent a stupid bug if we change something later

Revision 1.182 / (download) - annotate - [select for diffs], Thu Nov 7 17:47:33 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.181: +9 -9 lines
Diff to previous 1.181 (colored)

move the ifa_exists block a bit up in host()
inspired by mpech@ pointing out a missing free(buf). so handle the
it-is-an-interface case where we don't need the buf before allocating memory.

Revision 1.181 / (download) - annotate - [select for diffs], Mon Nov 4 22:46:28 2002 UTC (21 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.180: +33 -24 lines
Diff to previous 1.180 (colored)

welcome to CIDR world, pfctl!

use inet_net_pton to parse IP addresses.
stuff like
block in from 10/8 to any
works now.

some input camield@ and dhartmei@

ok dhartmei@, camield@, mcbride@

Revision 1.180 / (download) - annotate - [select for diffs], Sat Nov 2 15:29:28 2002 UTC (21 years, 7 months ago) by dhartmei
Branch: MAIN
Changes since 1.179: +2 -2 lines
Diff to previous 1.179 (colored)

%i -> %d, matches the style of existing code, from millert@

Revision 1.179 / (download) - annotate - [select for diffs], Sat Nov 2 14:13:42 2002 UTC (21 years, 7 months ago) by dhartmei
Branch: MAIN
Changes since 1.178: +2 -2 lines
Diff to previous 1.178 (colored)

printf int with %i, not %u. from pilot@monkey.org.

Revision 1.178 / (download) - annotate - [select for diffs], Wed Oct 30 11:55:19 2002 UTC (21 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.177: +2 -5 lines
Diff to previous 1.177 (colored)

simplify

Revision 1.177 / (download) - annotate - [select for diffs], Wed Oct 30 11:52:49 2002 UTC (21 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.176: +2 -5 lines
Diff to previous 1.176 (colored)

fix interface expansion. since the reversed list expansion code was
committed this was broken, only the first IP address was returned.

pointed out by danh@, who sent an excellent bug report.

ok dhartmei@

Revision 1.176 / (download) - annotate - [select for diffs], Tue Oct 29 15:23:38 2002 UTC (21 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.175: +16 -2 lines
Diff to previous 1.175 (colored)

introduce
  set require-order [yes|no]
default is yes.
when set to "no", it isn't required to have the rules in order (options,
scrub, nat, filter) any more, though of course NATing still happens before
filtering and so on, so one has to take care.

ok camield@ mcbride@ dhartmei@
idea discussed with a whole lotta more people and basically ok for everyone ;-)

Revision 1.175 / (download) - annotate - [select for diffs], Sun Oct 27 13:53:59 2002 UTC (21 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.174: +1 -2 lines
Diff to previous 1.174 (colored)

remove the "flags X" syntax.
no one who wrote "flags S" meant that, but actually something like "flags
S/SA". with "flags S" changing its actual meaning as more flags got
supported, things got worse.

ok dhartmei@, pb@

Revision 1.174 / (download) - annotate - [select for diffs], Tue Oct 22 12:55:01 2002 UTC (21 years, 7 months ago) by mpech
Branch: MAIN
Changes since 1.173: +3 -3 lines
Diff to previous 1.173 (colored)

%ul -> %lu

dhartmei@ ok

Revision 1.173 / (download) - annotate - [select for diffs], Tue Oct 22 12:28:08 2002 UTC (21 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.172: +13 -10 lines
Diff to previous 1.172 (colored)

More conversion of "int af" and "u_int8_t af" declarations and function
arguments to the more correct and descriptive "sa_family_t af"

ok dhartmei@ henning@

Revision 1.172 / (download) - annotate - [select for diffs], Tue Oct 22 07:07:35 2002 UTC (21 years, 7 months ago) by camield
Branch: MAIN
Changes since 1.171: +24 -25 lines
Diff to previous 1.171 (colored)

Rename ipmask to set_ipmask and add some functionality: the netmask
is applied immediately to the address.

This way, the parsed rules output shows exactly which bits of an
address are significant for a match and errors due to wrong netmasks
can be spotted more easily.

Example:
$ pfctl -nvf -
pass in on lo0 from 172.17.0.0/12 to any
@0 pass in on lo0 inet from 172.16.0.0/12 to any

idea refined by dhartmei@
ok frantzen@ henning@

Revision 1.171 / (download) - annotate - [select for diffs], Thu Oct 17 11:22:42 2002 UTC (21 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.170: +1 -11 lines
Diff to previous 1.170 (colored)

These checks are also made in nat_consistent() and rdr_consistent().

ok dhartmei@ henning@

Revision 1.170 / (download) - annotate - [select for diffs], Thu Oct 17 10:48:57 2002 UTC (21 years, 7 months ago) by camield
Branch: MAIN
Changes since 1.169: +20 -9 lines
Diff to previous 1.169 (colored)

- accept all protocols that are specified by number if they are in
  the valid range (also when they're not listed in /etc/protocols)
- explicitly disallow protocol number 0, because it has special meaning
  to pf

ok dhartmei@ henning@

Revision 1.169 / (download) - annotate - [select for diffs], Wed Oct 16 09:00:06 2002 UTC (21 years, 7 months ago) by mpech
Branch: MAIN
Changes since 1.168: +2 -4 lines
Diff to previous 1.168 (colored)

Fix and improve binat mask comparison.

dhartmei@, henning@ ok

Revision 1.168 / (download) - annotate - [select for diffs], Mon Oct 14 12:58:28 2002 UTC (21 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.167: +21 -10 lines
Diff to previous 1.167 (colored)

Allow one to specify a netblock in a binat rule:

binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27

Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.

from ryan

ok dhartmei@
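
The two netmask operations described in the messages for 1.172 (apply the mask to the address immediately, so a wrong mask shows up in the parsed output) and 1.168 (binat netblock mapping: network bits of the redirect block, host bits of the source address, equal prefix lengths required), as an added C example that is not pfctl's own code; parse_cidr, normalize_cidr and binat_map are names assumed here, and the inputs are the addresses quoted in those two messages:

```c
/*
 * Added example, not pfctl code. Demonstrates:
 *   1. set_ipmask-style normalisation: 172.17.0.0/12 -> 172.16.0.0/12
 *   2. binat netblock mapping: host 192.168.0.40 in 192.168.0.32/27,
 *      redirected through 10.0.7.128/27, becomes 10.0.7.136.
 * Function names are assumptions for this example.
 */
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Host-order IPv4 mask for a prefix length 0..32. */
static uint32_t
prefix_to_mask(int bits)
{
	if (bits <= 0)
		return 0;
	if (bits >= 32)
		return 0xffffffffU;
	return 0xffffffffU << (32 - bits);
}

/* Parse "a.b.c.d/n" into host-order address and prefix length. */
static int
parse_cidr(const char *s, uint32_t *addr, int *bits)
{
	char buf[32], *slash, *end;
	struct in_addr ia;
	size_t len = strlen(s);
	long n;

	if (len >= sizeof(buf))
		return -1;
	memcpy(buf, s, len + 1);
	if ((slash = strchr(buf, '/')) == NULL)
		return -1;
	*slash = '\0';
	if (inet_pton(AF_INET, buf, &ia) != 1)
		return -1;
	n = strtol(slash + 1, &end, 10);
	if (*end != '\0' || n < 0 || n > 32)
		return -1;
	*addr = ntohl(ia.s_addr);
	*bits = (int)n;
	return 0;
}

/* Format a host-order address as dotted quad into out. */
static void
fmt_addr(uint32_t a, char *out, size_t outlen)
{
	struct in_addr ia;
	char abuf[INET_ADDRSTRLEN];

	ia.s_addr = htonl(a);
	inet_ntop(AF_INET, &ia, abuf, sizeof(abuf));
	snprintf(out, outlen, "%s", abuf);
}

/* Apply the prefix mask to the address at parse time (rev 1.172). */
static int
normalize_cidr(const char *in, char *out, size_t outlen)
{
	uint32_t a;
	int bits;
	char abuf[INET_ADDRSTRLEN];

	if (parse_cidr(in, &a, &bits) == -1)
		return -1;
	a &= prefix_to_mask(bits);
	fmt_addr(a, abuf, sizeof(abuf));
	snprintf(out, outlen, "%s/%d", abuf, bits);
	return 0;
}

/* binat (rev 1.168): rdr network bits + host bits of src; masks equal. */
static int
binat_map(const char *host, const char *src_net, const char *rdr_net,
    char *out, size_t outlen)
{
	uint32_t h, s, r, mask;
	int sb, rb;
	struct in_addr ia;

	if (inet_pton(AF_INET, host, &ia) != 1)
		return -1;
	h = ntohl(ia.s_addr);
	if (parse_cidr(src_net, &s, &sb) == -1 ||
	    parse_cidr(rdr_net, &r, &rb) == -1)
		return -1;
	if (sb != rb)			/* both masks MUST be the same */
		return -1;
	mask = prefix_to_mask(sb);
	if ((h & mask) != (s & mask))	/* host not inside source block */
		return -1;
	fmt_addr((r & mask) | (h & ~mask), out, outlen);
	return 0;
}

int
main(void)
{
	char buf[64];

	if (normalize_cidr("172.17.0.0/12", buf, sizeof(buf)) == 0)
		printf("172.17.0.0/12 -> %s\n", buf);	/* 172.16.0.0/12 */
	if (binat_map("192.168.0.40", "192.168.0.32/27", "10.0.7.128/27",
	    buf, sizeof(buf)) == 0)
		printf("192.168.0.40 -> %s\n", buf);	/* 10.0.7.136 */
	return 0;
}
```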

Revision 1.167 / (download) - annotate - [select for diffs], Fri Oct 11 12:57:53 2002 UTC (21 years, 7 months ago) by camield
Branch: MAIN
Changes since 1.166: +19 -4 lines
Diff to previous 1.166 (colored)

When a macro cannot be expanded because it is not defined, say so.  Also warn
about unused macros.

ok dhartmei@ henning@

Revision 1.166 / (download) - annotate - [select for diffs], Fri Oct 11 12:46:05 2002 UTC (21 years, 7 months ago) by camield
Branch: MAIN
Changes since 1.165: +14 -3 lines
Diff to previous 1.165 (colored)

In lgetc(), compress strings of whitespace to a single space.  This makes
macros come out right in verbose mode and is less functional overhead.

Also err on whitespace after a backslash.  That type of error is hard to
find otherwise.

ok dhartmei@ henning@

Revision 1.165 / (download) - annotate - [select for diffs], Tue Oct 8 01:17:43 2002 UTC (21 years, 7 months ago) by vincent
Branch: MAIN
Changes since 1.164: +16 -26 lines
Diff to previous 1.164 (colored)

remove <0 checks on unsigned numbers.

ok henning@

Revision 1.164 / (download) - annotate - [select for diffs], Mon Oct 7 14:34:40 2002 UTC (21 years, 7 months ago) by dhartmei
Branch: MAIN
Changes since 1.163: +2 -2 lines
Diff to previous 1.163 (colored)

-Wsign-compare clean

Revision 1.163 / (download) - annotate - [select for diffs], Mon Oct 7 14:13:48 2002 UTC (21 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.162: +2 -2 lines
Diff to previous 1.162 (colored)

Two cases of const-correctness and make one global local.

Revision 1.162 / (download) - annotate - [select for diffs], Mon Oct 7 13:23:46 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.161: +31 -5 lines
Diff to previous 1.161 (colored)

set block-policy [drop|return]
drop is default, same behaviour as before

support
block drop
to override a return policy

Revision 1.161 / (download) - annotate - [select for diffs], Mon Oct 7 13:18:40 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.160: +26 -9 lines
Diff to previous 1.160 (colored)

support a generic return
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else

ok dhartmei@

Revision 1.160 / (download) - annotate - [select for diffs], Mon Oct 7 13:15:02 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.159: +47 -35 lines
Diff to previous 1.159 (colored)

make return-icmp work for rules covering both v4 and v6
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)

ok and some input dhartmei@

Revision 1.159 / (download) - annotate - [select for diffs], Mon Oct 7 12:59:55 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.158: +4 -2 lines
Diff to previous 1.158 (colored)

use a new rule_flag PFRULE_RETURNICMP to decide whether to return-icmp or not
instead of just testing return_icmp > 0

ok dhartmei@

Revision 1.158 / (download) - annotate - [select for diffs], Mon Oct 7 12:39:29 2002 UTC (21 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.157: +29 -2 lines
Diff to previous 1.157 (colored)

Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.

Revision 1.157 / (download) - annotate - [select for diffs], Sun Oct 6 16:22:10 2002 UTC (21 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.156: +9 -35 lines
Diff to previous 1.156 (colored)

Move CHECK_ROOT into LOOP_THROUGH, gets rid of one macro and saves
several lines, no functional difference. From Camiel Dobbelaar.

Revision 1.156 / (download) - annotate - [select for diffs], Sat Oct 5 22:25:33 2002 UTC (21 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.155: +114 -30 lines
Diff to previous 1.155 (colored)

Expand {} lists from left to right, so 'pass in from { a, b } to any'
becomes '@0 pass in from a to any @1 pass in from b to any' instead of
the other way around. Patch from Camiel Dobbelaar.

Revision 1.155 / (download) - annotate - [select for diffs], Sat Oct 5 21:17:57 2002 UTC (21 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.154: +33 -11 lines
Diff to previous 1.154 (colored)

Allow filtering based on IP header's tos field.

Revision 1.154 / (download) - annotate - [select for diffs], Sun Sep 22 15:30:15 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_3_2_BASE, OPENBSD_3_2
Changes since 1.153: +4 -4 lines
Diff to previous 1.153 (colored)

little KNF: return(something) -> return (something)

Revision 1.153 / (download) - annotate - [select for diffs], Sun Sep 22 15:28:53 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.152: +7 -8 lines
Diff to previous 1.152 (colored)

fix linenumber counting in findeol, and simplify by ignoring the \ case,
that's already handled earlier.
fast-forward on erroneous lines

partially from camield@, parts result of a discussion with Mike

ok frantzen@ dhartmei@

Revision 1.152 / (download) - annotate - [select for diffs], Sun Sep 22 15:22:20 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.151: +31 -10 lines
Diff to previous 1.151 (colored)

antispoof, take 2.
also block incoming packets with our own IP as src.

discussion & help frantzen

ok ho@ dhartmei@ frantzen@

Revision 1.151 / (download) - annotate - [select for diffs], Tue Sep 17 16:09:49 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.150: +4 -13 lines
Diff to previous 1.150 (colored)

easier "self" implementation.
no functional changes

ok pb@

Revision 1.150 / (download) - annotate - [select for diffs], Sun Sep 15 16:56:59 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.149: +2 -1 lines
Diff to previous 1.149 (colored)

set a netmask in the dynaddr case
noticed by <han@mijncomputer.nl>

ok pb@

Revision 1.149 / (download) - annotate - [select for diffs], Sat Sep 14 17:50:17 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.148: +11 -5 lines
Diff to previous 1.148 (colored)

bit more clue in rdr/nat rules wrt address family examination
don't take the af from host_node structs based on interface lookups, most
interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will
at least have one IP address specified from which we take the af for the
whole rule. The rare exceptional cases require the user to specify the af.

ok frantzen@

Revision 1.148 / (download) - annotate - [select for diffs], Thu Sep 12 12:43:23 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.147: +3 -1 lines
Diff to previous 1.147 (colored)

check for calloc() failure; ho@

Revision 1.147 / (download) - annotate - [select for diffs], Thu Sep 12 10:05:08 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.146: +43 -1 lines
Diff to previous 1.146 (colored)

antispoof [log] [quick] for [interface|interface_list] [af]

e.g.

antispoof log quick for { dc0, dc1 } inet

docs & regress coming

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@
IPv6 help itojun@

finally, a long story finds its happy end here.

Revision 1.146 / (download) - annotate - [select for diffs], Thu Sep 12 09:48:57 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.145: +58 -20 lines
Diff to previous 1.145 (colored)

rework netmask handling:
-don't set netmask in host token handler
-clear netmask in ipmask() proper before setting it
-in ifa_load(), also store interface's netmask and broadcast address
-allow ifa_lookup() to return either the interface's IP address(es), network(s)
or broadcast address(es) - not used anywhere yet. This implies that
ifa_lookup() also returns the netmask now.
-host() returns netmasks, too

ok pb@, frantzen@, deraadt@
also looked over kjell@, markus@, itojun@, dhartmei@

Revision 1.145 / (download) - annotate - [select for diffs], Sun Sep 8 12:57:35 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.144: +13 -1 lines
Diff to previous 1.144 (colored)

be more clueful wrt address family in nat/rdr rules.
behaviour noticed by Paul de Weerd, thanks!

ok dhartmei@

Revision 1.144 / (download) - annotate - [select for diffs], Mon Sep 2 19:42:54 2002 UTC (21 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.143: +61 -23 lines
Diff to previous 1.143 (colored)

Fix parsing of port ranges in translation rules (port a:b -> port c:d).
ok henning@

Revision 1.143 / (download) - annotate - [select for diffs], Mon Sep 2 19:40:31 2002 UTC (21 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.142: +8 -3 lines
Diff to previous 1.142 (colored)

Make sure the interface specified with route-to/dup-to/fastroute exists
and null-terminate the interface name. Found by Michael Wallis.
ok henning@

Revision 1.142 / (download) - annotate - [select for diffs], Tue Aug 20 06:32:17 2002 UTC (21 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.141: +4 -2 lines
Diff to previous 1.141 (colored)

Increase lineno on newlines inside multi-line macro definitions, otherwise
errors on subsequent lines are reported with wrong line numbers.
From Paul B. Henson.

Revision 1.141 / (download) - annotate - [select for diffs], Fri Aug 16 14:14:03 2002 UTC (21 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.140: +2 -2 lines
Diff to previous 1.140 (colored)

kill duplicated check for '(' and ')' in allowed_in_string

Revision 1.140 / (download) - annotate - [select for diffs], Mon Aug 12 19:36:04 2002 UTC (21 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.139: +10 -6 lines
Diff to previous 1.139 (colored)

Catch null pointer deref (segfault), from wilfried@

Revision 1.139 / (download) - annotate - [select for diffs], Tue Aug 6 13:43:33 2002 UTC (21 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.138: +2 -1 lines
Diff to previous 1.138 (colored)

missing free(), mpech@
ok pb@

Revision 1.138 / (download) - annotate - [select for diffs], Tue Aug 6 11:25:05 2002 UTC (21 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.137: +17 -5 lines
Diff to previous 1.137 (colored)

check for strdup() allocation errors

pointed out by mpech@
ok pb@

Revision 1.137 / (download) - annotate - [select for diffs], Wed Jul 31 20:19:14 2002 UTC (21 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.136: +16 -7 lines
Diff to previous 1.136 (colored)

KNF, esp. missing prototypes

Revision 1.136 / (download) - annotate - [select for diffs], Tue Jul 30 14:53:48 2002 UTC (21 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.135: +2 -3 lines
Diff to previous 1.135 (colored)

grmpf.
in some cases, on non-tcp rules flags weren't reset. cosmetic-only
problem. but, well, checking for r->flags and r->flagset if we could have
assigned them zero just one round ago is just stupid, and it's not needed to
check them at all.

ok pb@, dhartmei@

Revision 1.135 / (download) - annotate - [select for diffs], Tue Jul 30 09:31:05 2002 UTC (21 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.134: +27 -8 lines
Diff to previous 1.134 (colored)

allow to specify flags on all rules that include tcp.

these are valid:

pass in from any to any flags S
pass in proto { tcp, udp, icmp } from any to any flags S
pass in proto tcp from any to any flags S

these are invalid:

pass in proto { udp, icmp } from any to any flags S
pass in proto udp from any to any flags S

ok "I've lost my slacker status for at least a week" frantzen@
ok pb@, dhartmei@, deraadt@

Revision 1.134 / (download) - annotate - [select for diffs], Fri Jul 26 09:54:29 2002 UTC (21 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.133: +41 -34 lines
Diff to previous 1.133 (colored)

make the order of log and quick irrelevant. now both
block in log quick all
and
block in quick log all
work.

ok dhartmei@, deraadt@

Revision 1.133 / (download) - annotate - [select for diffs], Tue Jul 23 18:01:15 2002 UTC (21 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.132: +1 -3 lines
Diff to previous 1.132 (colored)

timeout_list/_spec and limit_list/_spec don't return anything -> no %type.

ok theo

Revision 1.132 / (download) - annotate - [select for diffs], Sun Jul 21 21:28:06 2002 UTC (21 years, 10 months ago) by deraadt
Branch: MAIN
Changes since 1.131: +3 -3 lines
Diff to previous 1.131 (colored)

fix route-to also

Revision 1.131 / (download) - annotate - [select for diffs], Sun Jul 21 01:37:46 2002 UTC (21 years, 10 months ago) by deraadt
Branch: MAIN
Changes since 1.130: +16 -12 lines
Diff to previous 1.130 (colored)

make the , optional in many places.  This makes string concat a lot more
useful.  Now you can
    in = ssh domain www
    out = $in ftp finger
    pass in proto tcp from any to any port { $in }
    pass out proto tcp from any to any port { $out }
a poor example, but the idea is obvious

Revision 1.130 / (download) - annotate - [select for diffs], Sun Jul 21 00:40:00 2002 UTC (21 years, 10 months ago) by deraadt
Branch: MAIN
Changes since 1.129: +14 -3 lines
Diff to previous 1.129 (colored)

string concat, ie.
	a=a b
	c=$a $a

Revision 1.129 / (download) - annotate - [select for diffs], Sat Jul 20 23:43:52 2002 UTC (21 years, 10 months ago) by deraadt
Branch: MAIN
Changes since 1.128: +11 -10 lines
Diff to previous 1.128 (colored)

minor indent tweaks

Revision 1.128 / (download) - annotate - [select for diffs], Sat Jul 20 18:58:44 2002 UTC (21 years, 10 months ago) by deraadt
Branch: MAIN
Changes since 1.127: +271 -327 lines
Diff to previous 1.127 (colored)

properly split yacc and lex use

Revision 1.127 / (download) - annotate - [select for diffs], Fri Jul 19 21:00:25 2002 UTC (21 years, 10 months ago) by deraadt
Branch: MAIN
Changes since 1.126: +4 -4 lines
Diff to previous 1.126 (colored)

minor tweaks, sigh

Revision 1.126 / (download) - annotate - [select for diffs], Fri Jul 19 14:30:08 2002 UTC (21 years, 10 months ago) by dhartmei
Branch: MAIN
Changes since 1.125: +2 -11 lines
Diff to previous 1.125 (colored)

And back out the last change again.

Revision 1.125 / (download) - annotate - [select for diffs], Fri Jul 19 13:23:37 2002 UTC (21 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.124: +62 -83 lines
Diff to previous 1.124 (colored)

rework the interface lookup routines internals.
less and easier code than before.
no functional changes.

ok frantzen@, dhartmei@

Revision 1.124 / (download) - annotate - [select for diffs], Fri Jul 19 12:36:48 2002 UTC (21 years, 10 months ago) by dhartmei
Branch: MAIN
Changes since 1.123: +13 -6 lines
Diff to previous 1.123 (colored)

Support # comments at the end of lines and inside (multi-line) string
literals, so you can do things like

  macro="{ foo,   # first entry
           bar,   # second entry
           baz }" # last entry

or

  pass in on $ext_if    \ # external interface
    proto tcp           \ # TCP connections
    from any to $ext_if \ # to the gateway itself
    keep state

And sneaking in two minor fixes for KNF.
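
A small working model of the macro and comment handling described in this commit and in the 1.130/1.131 commits (macro values concatenated from whitespace-separated words and $macro references, '#' comments at the end of a line and inside multi-line string literals, backslash continuation lines), together with the line-number tracking that the 1.142 commit fixes. This is an added Python example, not pfctl's lexer or parser, and it is simplified: escaped quotes are not handled, and, as the commit describes, a '#' inside a string literal starts a comment. The pf.conf fragment is constructed for the example.

```python
import re

# Constructed pf.conf fragment (not from the CVS log) exercising the features
# of the commits above: macro concatenation, $macro references, comments at
# end of line and inside a multi-line string literal, continuation lines.
SAMPLE = r'''# constructed example
in = ssh domain www            # words are concatenated into one value
out = $in ftp finger
ext_if = "fxp0"
macro = "{ foo,   # first entry
          bar,   # second entry
          baz }" # last entry
pass in on $ext_if    \ # external interface
  proto tcp           \ # TCP connections
  from any to $ext_if \ # to the gateway itself
  keep state
pass out proto tcp from any to any port { $out }
'''

MACRO_DEF = re.compile(r'^(\w+)\s*=\s*(.*)$')   # name = value
TOKEN = re.compile(r'"[^"]*"|\S+')              # quoted string or bare word


def preprocess(text):
    """Return (first_lineno, logical_line) pairs. Strips '#' comments (also
    inside string literals, as the commit allows), joins backslash-continued
    lines and lines inside an unclosed "..." string. The physical line on
    which each logical line starts is kept, so an error reported later still
    points at the right line after a multi-line macro definition."""
    logical, buf, start, in_string = [], [], None, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if start is None:
            start = lineno
        cont = line.endswith("\\")
        if cont:
            line = line[:-1].rstrip()
        if line:
            buf.append(line)
        if line.count('"') % 2:          # odd number of quotes toggles state
            in_string = not in_string
        if cont or in_string:
            continue
        if buf:
            logical.append((start, " ".join(buf)))
        buf, start = [], None
    if buf:
        raise ValueError(f"line {start}: unterminated string or continuation")
    return logical


def expand_tokens(text, macros, lineno):
    """Expand $name references word by word; quoted strings lose their quotes.
    Whitespace-separated words are joined, which is the concatenation the
    1.130/1.131 commits describe."""
    words = []
    for tok in TOKEN.findall(text):
        if len(tok) >= 2 and tok[0] == tok[-1] == '"':
            tok = tok[1:-1]
        if tok.startswith("$"):
            name = tok[1:]
            if name not in macros:
                raise ValueError(f"line {lineno}: macro '{name}' not defined")
            tok = macros[name]
        words.append(tok)
    return " ".join(words)


def expand_macros(logical):
    """Collect macro definitions in order and expand them in rule lines.
    Returns (rules, macros) with rules as (lineno, expanded_text)."""
    macros, rules = {}, []
    for lineno, text in logical:
        m = MACRO_DEF.match(text)
        if m:
            macros[m.group(1)] = expand_tokens(m.group(2), macros, lineno)
        else:
            rules.append((lineno, expand_tokens(text, macros, lineno)))
    return rules, macros


def load(text):
    """Preprocess and expand a whole ruleset text."""
    return expand_macros(preprocess(text))


def first_error(text):
    """Error message for an unloadable ruleset, or None if it loads."""
    try:
        load(text)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    for lineno, rule in load(SAMPLE)[0]:
        print(f"{lineno}: {rule}")
```

Running it prints the two rules of the sample with macros substituted; the first one is reported as starting on line 8 even though the macro definition before it spans three physical lines.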

Revision 1.123 / (download) - annotate - [select for diffs], Fri Jul 19 11:12:42 2002 UTC (21 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.122: +10 -6 lines
Diff to previous 1.122 (colored)

deal with the fact that the struct node_host ifa_pick_ip gets is not always
the result of an interface expansion. in this case ifa_pick_ip does an
address family check (that's actually a (wanted) side effect). Thus, we need
to spit out a meaningful error message in case of a mismatch.
also adjust all the other error messages, they were also assuming that nh is
the result of an interface expansion.
after a looooong discussion on icb (dhartmei@, pb@, me) we agreed on the term
"translation address" for that.

okay dhartmei@

Revision 1.122 / (download) - annotate - [select for diffs], Wed Jul 17 08:32:20 2002 UTC (21 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.121: +16 -3 lines
Diff to previous 1.121 (colored)

support "self" as address. self expands to all IPv4 and IPv6 addresses of
the machine, on all interfaces. I wanted
  block in log on ! lo0 from any to self
for years, and now it's possible.

ok "I may lose my slacking status if I OK it" frantzen@
ok dhartmei@

documentation in pf.conf.5 to come with pb@'s rewrite

Revision 1.121 / (download) - annotate - [select for diffs], Tue Jul 16 15:46:55 2002 UTC (21 years, 10 months ago) by dhartmei
Branch: MAIN
Changes since 1.120: +51 -14 lines
Diff to previous 1.120 (colored)

Add nat_consistent() and rdr_consistent() for checks that should occur
after rule expansion, similar to rule_consistent(). Fixes the
non-effective test for rdr rules for non-TCP/UDP protocols with ports,
found by mpech@, ok frantzen@

Revision 1.120 / (download) - annotate - [select for diffs], Mon Jul 15 18:13:53 2002 UTC (21 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.119: +2 -8 lines
Diff to previous 1.119 (colored)

add support for
  pass|block on ! $interface ...

ok dhartmei@

will be documented in pf.conf(5) by "I'm not slacking!" pb@ who's currently
reworking this manpage

Revision 1.119 / (download) - annotate - [select for diffs], Mon Jul 15 15:44:15 2002 UTC (21 years, 10 months ago) by pb
Branch: MAIN
Changes since 1.118: +12 -11 lines
Diff to previous 1.118 (colored)

cosmetics/consolidations to manpage in yyerror()s

ok henning@, dhartmei@

Revision 1.118 / (download) - annotate - [select for diffs], Mon Jul 15 13:36:02 2002 UTC (21 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.117: +9 -1 lines
Diff to previous 1.117 (colored)

o complain about keep state on block rules
o complain about return-rst on rules which aren't limited to tcp

pointed out by not-slacking-but-testing pb@

ok pb@, dhartmei@

Revision 1.117 / (download) - annotate - [select for diffs], Sat Jul 13 18:36:02 2002 UTC (21 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.116: +44 -32 lines
Diff to previous 1.116 (colored)

add list expansion for interface and proto in nat rules and for proto in rdr
rules (interface was already there). since the nat.conf/pf.conf merge the
parser accepted these but didn't expand them. ugh.

ok dhartmei@

Revision 1.116 / (download) - annotate - [select for diffs], Tue Jul 9 11:50:58 2002 UTC (21 years, 10 months ago) by itojun
Branch: MAIN
Changes since 1.115: +3 -2 lines
Diff to previous 1.115 (colored)

check sin6_scope_id field, just in case we change the routing socket API
for scoped address (unlikely due to the deployed codebase...).

Revision 1.115 / (download) - annotate - [select for diffs], Tue Jul 9 11:49:02 2002 UTC (21 years, 10 months ago) by itojun
Branch: MAIN
Changes since 1.114: +13 -1 lines
Diff to previous 1.114 (colored)

getifaddrs(3) grabs link-local addrs in kernel internal form, convert them
into proper sockaddr_in6.

Revision 1.114 / (download) - annotate - [select for diffs], Tue Jul 9 10:39:08 2002 UTC (21 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.113: +130 -118 lines
Diff to previous 1.113 (colored)

rework the interface-to-IP routines.

you can use interface names instead of an IP in most places. However, until
now, it was only expanded to the interface's first IPv4 address if existent
(and address family unset or inet) and the first IPv6 address otherwise.

this diff changes that.  the interface is properly expanded to all IPs, IPv4
_and_ IPv6, now.

it also cleans up the lookup procedures (well, in fact, they are replaced by
a new one), there's no need for different procedures for IPv4 and IPv6. we
now just have one list of interfaces (AF_LINK) and one list with IPs
(AF_INET and AF_INET6) with corresponding lookup functions, ifa_exists and
ifa_lookup.

nat, rdr & friends now use the new function ifa_pick_ip to get the IP in
rules like

nat on $interface from $whatever to any -> $interface

ifa_pick_ip tries to be smart.
if the interface has only one IP address and the nat rule doesn't specify an
address family (or it matches with this address), take this one.
If the address family is specified in the nat rule and there is only one IP
for the given address family, this one is used. if the address family is not
specified and there is more than one IP pfctl throws an error. The same
applies for multiple IPs per address family.

This causes regression tests 18 and 20 to fail because the address family
isn't specified there; diff for those coming.

also fix some prototypes while I'm here.

pb@ found another problem while testing that we must have introduced somewhat
after 3.1.

$cat t
nat on ne3 from any to any -> 213.128.133.5
$pfctl -nvf t
nat on ne3 all -> ?

it's only a representation bug as far as I've checked, nonetheless it should
be fixed. as a nat/rdr rule always nats/redirects to one IP only we can just
steal its target's IP af and set the rule's af accordingly. then inet_ntop
does play nice.
binat rules already enforce having an address family set always and thus are
not affected.

ok dhartmei@, pb@, kjell@
"It looks good" frantzen@

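An added Python model of the ifa_pick_ip selection rules described in the commit above, and of copying the rule's address family from the chosen translation address (the "nat on ne3 all -> ?" display bug). It is not pfctl's code; the interface table is constructed for the example, whereas pfctl reads interface addresses with getifaddrs(3).

```python
import ipaddress

# Constructed interface/address table for this example (not real host data).
INTERFACES = {
    "ne3": ["213.128.133.5"],
    "fxp0": ["10.0.0.1", "2001:db8::1"],
    "tun0": ["192.0.2.1", "192.0.2.2"],
}


def af_of(addr):
    """Address family keyword ('inet' or 'inet6') of a textual address."""
    return "inet" if ipaddress.ip_address(addr).version == 4 else "inet6"


def ifa_pick_ip(ifname, af=None, table=INTERFACES):
    """Pick the one translation address for a nat/rdr target given as an
    interface name, following the commit's rules:
      - one address on the interface and no af given (or af matches): use it
      - af given and exactly one address of that family: use it
      - no candidate, or more than one candidate: refuse with an error
    Returns (address, af)."""
    if ifname not in table:
        raise ValueError(f"interface {ifname} does not exist")
    candidates = [a for a in table[ifname] if af is None or af_of(a) == af]
    if not candidates:
        raise ValueError(f"no {af or 'inet/inet6'} address on {ifname}")
    if len(candidates) > 1:
        what = "address (specify inet or inet6)" if af is None else f"{af} address"
        raise ValueError(f"{ifname} has more than one {what}")
    return candidates[0], af_of(candidates[0])


def nat_rule(iface, target, af=None, table=INTERFACES):
    """Build a minimal nat rule record; 'target' is an address or an interface
    name. The rule's af is taken from the translation address so that a rule
    written without inet/inet6 still prints a real address."""
    if target in table:
        addr, target_af = ifa_pick_ip(target, af, table)
    else:
        addr, target_af = target, af_of(target)
        if af is not None and af != target_af:
            raise ValueError(f"{af} rule with {target_af} translation address")
    return {"on": iface, "af": target_af, "to": addr}


def pick_error(ifname, af=None, table=INTERFACES):
    """Error text for a target that cannot be resolved to one address, or None."""
    try:
        ifa_pick_ip(ifname, af, table)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    print(nat_rule("ne3", "213.128.133.5"))   # af filled in from the target
    print(nat_rule("ne3", "ne3"))             # interface with a single address
    print(pick_error("fxp0"))                 # ambiguous without inet/inet6
```

The ambiguous cases (fxp0 with addresses in both families and no af keyword, tun0 with two IPv4 addresses) are rejected rather than guessed, which is the behaviour the commit describes for the regression tests that lacked an address family.
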
Revision 1.113 / (download) - annotate - [select for diffs], Mon Jul 8 11:46:32 2002 UTC (21 years, 10 months ago) by dhartmei
Branch: MAIN
Changes since 1.112: +5 -1 lines
Diff to previous 1.112 (colored)

Don't allow 'flags' option in non-TCP rules, found by mpech@

Revision 1.112 / (download) - annotate - [select for diffs], Fri Jul 5 18:09:50 2002 UTC (21 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.111: +7 -6 lines
Diff to previous 1.111 (colored)

unbreak.

Revision 1.111 / (download) - annotate - [select for diffs], Fri Jul 5 16:48:44 2002 UTC (21 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.110: +6 -1 lines
Diff to previous 1.110 (colored)

another small bug I found while installing a -current pf firewall.
we don't support

pass/block in on ! <interface>

(at least, not yet)
let the parser complain instead of ignoring the '!'

ok pb@, dhartmei@

Revision 1.110 / (download) - annotate - [select for diffs], Mon Jul 1 10:07:40 2002 UTC (21 years, 11 months ago) by espie
Branch: MAIN
Changes since 1.109: +33 -29 lines
Diff to previous 1.109 (colored)

streamline parse buffer handling (no need to copy value that is not
going to go away).

add explicit pushback buffer, to be able to push IPv6 failed parses back.

handle pushback + parse buffer interactions by using negative indices.

okay dhartmei@, deraadt@

Revision 1.109 / (download) - annotate - [select for diffs], Mon Jul 1 05:28:22 2002 UTC (21 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.108: +8 -8 lines
Diff to previous 1.108 (colored)

KNF

Revision 1.108 / (download) - annotate - [select for diffs], Fri Jun 28 19:29:45 2002 UTC (21 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.107: +10 -57 lines
Diff to previous 1.107 (colored)

Don't check for address family conflicts in nat/rdr before expansion,
rules will expand to all valid combinations, and there's an error when
none is found. Makes "nat on tun0 from 10.0.0.0/8 to any -> (tun0)"
work (again).

Revision 1.107 / (download) - annotate - [select for diffs], Tue Jun 25 08:13:25 2002 UTC (21 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.106: +93 -30 lines
Diff to previous 1.106 (colored)

move pfctl options -t, -m, -O and -l to pf.conf. These are set using the
"set" keyword. example rulefile:

set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all

fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@

Revision 1.106 / (download) - annotate - [select for diffs], Mon Jun 24 10:55:08 2002 UTC (21 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.105: +14 -1 lines
Diff to previous 1.105 (colored)

Use interface when specified in scrub rule. No support for ! or {} yet.

Revision 1.105 / (download) - annotate - [select for diffs], Sun Jun 23 03:07:21 2002 UTC (21 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.104: +3 -3 lines
Diff to previous 1.104 (colored)

uid_t and gid_t are unsigned

Revision 1.104 / (download) - annotate - [select for diffs], Thu Jun 20 08:47:58 2002 UTC (21 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.103: +2 -1 lines
Diff to previous 1.103 (colored)

Copy address family from inet/inet6 keyword, if specified.

Revision 1.103 / (download) - annotate - [select for diffs], Tue Jun 18 21:05:17 2002 UTC (21 years, 11 months ago) by frantzen
Branch: MAIN
Changes since 1.102: +7 -2 lines
Diff to previous 1.102 (colored)

propagate a '!' when a host resolves to multiple IP addresses
ok dhartmei@

Revision 1.102 / (download) - annotate - [select for diffs], Tue Jun 18 20:07:58 2002 UTC (21 years, 11 months ago) by frantzen
Branch: MAIN
Changes since 1.101: +5 -1 lines
Diff to previous 1.101 (colored)

don't allow individual keep state rules to specify timeouts for 'interval' and
'frag' -- they aren't applied anyway
ok dhartmei@ and henning@

Revision 1.101 / (download) - annotate - [select for diffs], Sun Jun 16 23:22:18 2002 UTC (21 years, 11 months ago) by aaron
Branch: MAIN
Changes since 1.100: +6 -6 lines
Diff to previous 1.100 (colored)

Rules must in order -> Rules must be in order

Revision 1.100 / (download) - annotate - [select for diffs], Sat Jun 15 19:19:09 2002 UTC (21 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.99: +2 -1 lines
Diff to previous 1.99 (colored)

Reset rulestate in parse_rules(), so consecutive calls (like from authpf)
will not fail. Reported by Chris Kuethe.

Revision 1.99 / (download) - annotate - [select for diffs], Thu Jun 13 04:26:00 2002 UTC (21 years, 11 months ago) by kjell
Branch: MAIN
Changes since 1.98: +2 -1 lines
Diff to previous 1.98 (colored)

Fix the numbering of scrub rules. pointed out and oked by frantzen@

Revision 1.98 / (download) - annotate - [select for diffs], Wed Jun 12 18:35:07 2002 UTC (21 years, 11 months ago) by kjell
Branch: MAIN
Changes since 1.97: +5 -2 lines
Diff to previous 1.97 (colored)

Fix uninitialized access. Spotted by danh@ This is a good reason to
develop with "ln -s 'J' /etc/malloc.conf" enabled.
ok henning@

Revision 1.97 / (download) - annotate - [select for diffs], Tue Jun 11 18:03:25 2002 UTC (21 years, 11 months ago) by frantzen
Branch: MAIN
Changes since 1.96: +17 -11 lines
Diff to previous 1.96 (colored)

split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@.  the rest are slacking

Revision 1.96 / (download) - annotate - [select for diffs], Tue Jun 11 02:27:19 2002 UTC (21 years, 11 months ago) by frantzen
Branch: MAIN
Changes since 1.95: +17 -9 lines
Diff to previous 1.95 (colored)

SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@

Revision 1.95 / (download) - annotate - [select for diffs], Tue Jun 11 02:12:37 2002 UTC (21 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.94: +15 -1 lines
Diff to previous 1.94 (colored)

Make NAT proxy port range configurable per rule, for instance privileged
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@

Revision 1.94 / (download) - annotate - [select for diffs], Mon Jun 10 23:07:46 2002 UTC (21 years, 11 months ago) by kjell
Branch: MAIN
Changes since 1.93: +33 -24 lines
Diff to previous 1.93 (colored)

Merge the NAT and rules files into a single rulefile. Rules must be
in this order, to remove any ambiguity about what order things happen in:

scrub rules
nat rules
filter rules

The -N and -R modifiers go away. Rulefiles are now loaded with the
more POSIXly-correct '-f'

ok frantzen@

Revision 1.93 / (download) - annotate - [select for diffs], Mon Jun 10 19:31:44 2002 UTC (21 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.92: +35 -60 lines
Diff to previous 1.92 (colored)

Allow ports to be specified in nat rules, useful later on for individual
proxy port ranges.

Revision 1.92 / (download) - annotate - [select for diffs], Mon Jun 10 16:51:37 2002 UTC (21 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.91: +2 -2 lines
Diff to previous 1.91 (colored)

Move enum out of struct (gcc 3.1 wasn't happy), from David Krause

Revision 1.91 / (download) - annotate - [select for diffs], Mon Jun 10 02:09:59 2002 UTC (21 years, 11 months ago) by kjell
Branch: MAIN
Changes since 1.90: +29 -58 lines
Diff to previous 1.90 (colored)

split scrub rule processing into its own yacc target,
for imminent config file merge. ok frantzen@

Revision 1.90 / (download) - annotate - [select for diffs], Sun Jun 9 20:20:58 2002 UTC (21 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.89: +17 -17 lines
Diff to previous 1.89 (colored)

Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it
includes ports and operator.

Revision 1.89 / (download) - annotate - [select for diffs], Sun Jun 9 05:31:25 2002 UTC (21 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.88: +14 -14 lines
Diff to previous 1.88 (colored)

spaced out developers...

Revision 1.88 / (download) - annotate - [select for diffs], Sun Jun 9 02:47:10 2002 UTC (21 years, 11 months ago) by kjell
Branch: MAIN
Changes since 1.87: +62 -14 lines
Diff to previous 1.87 (colored)

Add list parsing in RDR rules: e.g.

rdr on $IFLIST proto tcp from $SRC_LIST to $DST_LIST port 21 \
  -> 127.0.0.1 port 8021

ok dhartmei@

Revision 1.87 / (download) - annotate - [select for diffs], Sat Jun 8 22:40:32 2002 UTC (21 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.86: +5 -6 lines
Diff to previous 1.86 (colored)

nuke unused parameter af to expand_label_port
ok dhartmei@, pb@

Revision 1.86 / (download) - annotate - [select for diffs], Sat Jun 8 21:09:59 2002 UTC (21 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.85: +7 -7 lines
Diff to previous 1.85 (colored)

Change remaining read-only lookup tables to const, suggestion drahn@

Revision 1.85 / (download) - annotate - [select for diffs], Sat Jun 8 20:59:52 2002 UTC (21 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.84: +3 -2 lines
Diff to previous 1.84 (colored)

comment on IPv6 link-local twists

Revision 1.84 / (download) - annotate - [select for diffs], Sat Jun 8 09:41:52 2002 UTC (21 years, 11 months ago) by kjell
Branch: MAIN
Changes since 1.83: +43 -12 lines
Diff to previous 1.83 (colored)

add list expansion to src/dest in NAT rules. i.e.

  nat on fxp0 from { 10.0.0.0/24, 10.0.1.0/24 } to \
    { 172.6.1.1, 172.14.1.2/32 } -> fxp0

ok theo, dhartmei@

Revision 1.83 / (download) - annotate - [select for diffs], Sat Jun 8 08:44:09 2002 UTC (21 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.82: +1 -38 lines
Diff to previous 1.82 (colored)

remove macro concatenation via += per Theo's advice

Revision 1.82 / (download) - annotate - [select for diffs], Sat Jun 8 08:04:02 2002 UTC (21 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.81: +40 -3 lines
Diff to previous 1.81 (colored)

allow macro concatenation like
    webservers  = "{ 10.0.0.1,  10.0.0.7,  10.0.0.8, "
    webservers += "  10.0.0.17, 10.0.0.25, 10.0.0.37 }"
ok frantzen@, dhartmei@

Revision 1.81 / (download) - annotate - [select for diffs], Sat Jun 8 07:58:07 2002 UTC (21 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.80: +94 -16 lines
Diff to previous 1.80 (colored)

Make state timeouts configurable per rule, like

  pass in from any to any port www keep state (tcp.established 60)

ok frantzen@

Revision 1.80 / (download) - annotate - [select for diffs], Sat Jun 8 01:00:23 2002 UTC (21 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.79: +18 -1 lines
Diff to previous 1.79 (colored)

expand $nr -> rule number in rule labels
okay dhartmei@, frantzen@

Revision 1.79 / (download) - annotate - [select for diffs], Sat Jun 8 00:23:41 2002 UTC (21 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.78: +29 -4 lines
Diff to previous 1.78 (colored)

expand $proto in rule labels
okay frantzen@ dhartmei@

Revision 1.78 / (download) - annotate - [select for diffs], Fri Jun 7 23:30:39 2002 UTC (21 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.77: +17 -4 lines
Diff to previous 1.77 (colored)

Handle realloc() failure gracefully. Terminates with err() anyway in this
case, but we don't want to trigger "p = realloc(p," grepping causing false
alarms here.

Revision 1.77 / (download) - annotate - [select for diffs], Fri Jun 7 23:06:43 2002 UTC (21 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.76: +19 -19 lines
Diff to previous 1.76 (colored)

henning, read this to see what i mean by KNF

Revision 1.76 / (download) - annotate - [select for diffs], Fri Jun 7 22:53:45 2002 UTC (21 years, 11 months ago) by pb
Branch: MAIN
Changes since 1.75: +10 -4 lines
Diff to previous 1.75 (colored)

add the possibility to configure a TTL while return-rst

ok dhartmei@, ipv6 part itojun@ ok

Revision 1.75 / (download) - annotate - [select for diffs], Fri Jun 7 21:25:35 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.74: +32 -7 lines
Diff to previous 1.74 (colored)

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@

Revision 1.74 / (download) - annotate - [select for diffs], Fri Jun 7 19:33:03 2002 UTC (22 years ago) by henning
Branch: MAIN
Changes since 1.73: +104 -1 lines
Diff to previous 1.73 (colored)

allow using $srcaddr, $srcport, $dstaddr and $dstport in rule labels,
evaluated at parse time.
ok dhartmei@

Revision 1.73 / (download) - annotate - [select for diffs], Fri Jun 7 18:26:55 2002 UTC (22 years ago) by itojun
Branch: MAIN
Changes since 1.72: +9 -5 lines
Diff to previous 1.72 (colored)

make IPv6 scope identification work for dst (from any to fe80::1%lo0)

Revision 1.72 / (download) - annotate - [select for diffs], Fri Jun 7 18:24:33 2002 UTC (22 years ago) by itojun
Branch: MAIN
Changes since 1.71: +34 -12 lines
Diff to previous 1.71 (colored)

support scoped IPv6 address in from/to portion.

Revision 1.71 / (download) - annotate - [select for diffs], Sat Jun 1 04:06:47 2002 UTC (22 years ago) by hugh
Branch: MAIN
Changes since 1.70: +2 -2 lines
Diff to previous 1.70 (colored)

ECN flag support for pf. Committed in consultation with Daniel.

Revision 1.70 / (download) - annotate - [select for diffs], Fri May 24 13:48:44 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.69: +53 -46 lines
Diff to previous 1.69 (colored)

Support mixed (IPv4/v6) address lists, expand to all possible and valid
combinations. 'pass in from { 10.1.2.3, ::1 } to { 10.4.5.6, ::2 }' will
expand to two rules, 'from 10.1.2.3 to 10.4.5.6' and 'from ::1 to ::2'.
Also applies to host name resolution (when multiple addresses are returned
for one name). ok frantzen@, itojun@
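
An added Python model of this expansion, not pfctl's code: every list entry (an address, a prefix, or a host name) is expanded, names through a constructed name table standing in for the resolver, and only source/destination pairs of the same address family survive, with an error when none are left. An explicit inet/inet6 keyword further restricts the result.

```python
import ipaddress

# Constructed name table standing in for DNS results (not real hosts);
# 'dual.example' resolves to one IPv4 and one IPv6 address.
RESOLVER = {
    "dual.example": ["192.0.2.10", "2001:db8::10"],
    "v4only.example": ["198.51.100.7"],
}


def af_of(spec):
    """'inet' or 'inet6' for a host address or a CIDR prefix."""
    return "inet" if ipaddress.ip_network(spec, strict=False).version == 4 else "inet6"


def resolve(spec, resolver=RESOLVER):
    """Expand one list entry into (af, text) pairs: a name yields every
    address it resolves to, anything else is taken as an address or prefix."""
    if spec in resolver:
        return [(af_of(a), a) for a in resolver[spec]]
    return [(af_of(spec), spec)]


def expand_rule(srcs, dsts, af=None, resolver=RESOLVER):
    """Expand 'from { srcs } to { dsts }' into one (af, src, dst) rule per
    combination whose two sides share an address family (and match the
    inet/inet6 keyword if one is given); refuse a rule that expands to nothing."""
    rules = []
    for s in srcs:
        for saf, sa in resolve(s, resolver):
            for d in dsts:
                for daf, da in resolve(d, resolver):
                    if saf != daf or (af is not None and saf != af):
                        continue
                    rules.append((saf, sa, da))
    if not rules:
        raise ValueError("no valid address family combination in rule")
    return rules


def expansion_error(srcs, dsts, af=None, resolver=RESOLVER):
    """Error text for a rule that expands to nothing, or None."""
    try:
        expand_rule(srcs, dsts, af, resolver)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    for rule in expand_rule(["10.1.2.3", "::1"], ["10.4.5.6", "::2"]):
        print("pass in %s from %s to %s" % rule)
```

The commit's own example expands to exactly the two rules it lists; a mixed-family pair such as "from 10.1.2.3 to ::2" is dropped silently, while a rule with no surviving pair at all is rejected.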

Revision 1.69 / (download) - annotate - [select for diffs], Thu May 23 09:47:20 2002 UTC (22 years ago) by deraadt
Branch: MAIN
Changes since 1.68: +5 -3 lines
Diff to previous 1.68 (colored)

tiny KNF, some malloc checks, etc

Revision 1.68 / (download) - annotate - [select for diffs], Thu May 23 07:47:05 2002 UTC (22 years ago) by itojun
Branch: MAIN
Changes since 1.67: +8 -23 lines
Diff to previous 1.67 (colored)

new_addr is not used from anywhere.  daniel@benzedrine.cx ok

Revision 1.67 / (download) - annotate - [select for diffs], Sun May 19 22:26:27 2002 UTC (22 years ago) by deraadt
Branch: MAIN
Changes since 1.66: +34 -34 lines
Diff to previous 1.66 (colored)

KNF

Revision 1.66 / (download) - annotate - [select for diffs], Sun May 12 15:02:52 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.65: +17 -1 lines
Diff to previous 1.65 (colored)

Explain that user/group 'unknown' can only be used with operators = and !=
and refuse other constructs in the parser. Also note that 'user >= 0' does
not match forwarded packets with unknown user ID.

Revision 1.65 / (download) - annotate - [select for diffs], Sun May 12 00:54:56 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.64: +92 -29 lines
Diff to previous 1.64 (colored)

Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.

Revision 1.64 / (download) - annotate - [select for diffs], Fri May 10 14:09:53 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.63: +103 -41 lines
Diff to previous 1.63 (colored)

Handle host name resolution returning multiple addresses in the rule
parser (expand to every address). ok frantzen@

Revision 1.63 / (download) - annotate - [select for diffs], Thu May 9 21:58:12 2002 UTC (22 years ago) by jasoni
Branch: MAIN
Changes since 1.62: +26 -9 lines
Diff to previous 1.62 (colored)

Add a max-mss option to the scrub rule which will enforce a maximum mss
by lowering it to the given value.
- ok dhartmei@, provos@

Revision 1.62 / (download) - annotate - [select for diffs], Thu May 9 19:58:42 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.61: +182 -146 lines
Diff to previous 1.61 (colored)

Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.

Revision 1.61 / (download) - annotate - [select for diffs], Wed Apr 24 18:10:25 2002 UTC (22 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.60: +217 -87 lines
Diff to previous 1.60 (colored)

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).

Revision 1.60 / (download) - annotate - [select for diffs], Tue Apr 23 14:32:23 2002 UTC (22 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.59: +26 -11 lines
Diff to previous 1.59 (colored)

Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.

Revision 1.59 / (download) - annotate - [select for diffs], Thu Apr 18 06:02:18 2002 UTC (22 years, 1 month ago) by deraadt
Branch: MAIN
Changes since 1.58: +2 -2 lines
Diff to previous 1.58 (colored)

use strlcpy

Revision 1.58 / (download) - annotate - [select for diffs], Wed Apr 17 19:06:18 2002 UTC (22 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.57: +3 -1 lines
Diff to previous 1.57 (colored)

Reset lineno for each file, so pfctl -R ... -N ... reports the right
line number for non-first files. Reported by aaron@

Revision 1.57 / (download) - annotate - [select for diffs], Wed Mar 27 18:16:22 2002 UTC (22 years, 2 months ago) by mickey
Branch: MAIN
CVS Tags: OPENBSD_3_1_BASE, OPENBSD_3_1
Changes since 1.56: +12 -1 lines
Diff to previous 1.56 (colored)

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok

Revision 1.56 / (download) - annotate - [select for diffs], Wed Feb 27 18:11:45 2002 UTC (22 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.55: +4 -2 lines
Diff to previous 1.55 (colored)

Instead of printing useless @0 rule numbers from pfctl -vR, increase a
counter. Helps debugging rule sets that are not loaded. Suggested by
John Kerbawy.

Revision 1.55 / (download) - annotate - [select for diffs], Fri Jan 11 22:26:41 2002 UTC (22 years, 4 months ago) by mickey
Branch: MAIN
Changes since 1.54: +29 -19 lines
Diff to previous 1.54 (colored)

use bsearch() for keywords lookup, swap couple of entries to make the keywords array sorted and add a comment to keep it that way; dhartmei@ ok

Revision 1.54 / (download) - annotate - [select for diffs], Thu Jan 10 17:02:39 2002 UTC (22 years, 4 months ago) by hugh
Branch: MAIN
Changes since 1.53: +2 -2 lines
Diff to previous 1.53 (colored)

Let port 0 be specified as it's not special here.
Agreement with Daniel and others.

Revision 1.53 / (download) - annotate - [select for diffs], Wed Jan 9 18:00:57 2002 UTC (22 years, 4 months ago) by mpech
Branch: MAIN
Changes since 1.52: +2 -2 lines
Diff to previous 1.52 (colored)

Port must be >0 and <=65535. Idea while have fun with ssh.

dhartmei@ ok

Revision 1.52 / (download) - annotate - [select for diffs], Wed Jan 9 12:39:42 2002 UTC (22 years, 4 months ago) by mpech
Branch: MAIN
Changes since 1.51: +4 -1 lines
Diff to previous 1.51 (colored)

free() 'interface' in {nat,binat,rdr}rule

dhartmei@ ok

Revision 1.51 / (download) - annotate - [select for diffs], Wed Jan 9 11:30:53 2002 UTC (22 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.50: +24 -3 lines
Diff to previous 1.50 (colored)

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.

Revision 1.50 / (download) - annotate - [select for diffs], Tue Jan 8 09:31:55 2002 UTC (22 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.49: +168 -113 lines
Diff to previous 1.49 (colored)

Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.

Revision 1.49 / (download) - annotate - [select for diffs], Mon Jan 7 17:23:31 2002 UTC (22 years, 4 months ago) by mpech
Branch: MAIN
Changes since 1.48: +6 -6 lines
Diff to previous 1.48 (colored)

remove 3rd argument from ipmask(), not used.

dhartmei@ ok

Revision 1.48 / (download) - annotate - [select for diffs], Sun Dec 23 03:50:03 2001 UTC (22 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.47: +2 -2 lines
Diff to previous 1.47 (colored)

find correct line number in lval, instead of val

Revision 1.41.2.1 / (download) - annotate - [select for diffs], Thu Dec 13 20:05:02 2001 UTC (22 years, 5 months ago) by jason
Branch: OPENBSD_3_0
Changes since 1.41: +29 -43 lines
Diff to previous 1.41 (colored) next main 1.42 (colored)

Pull in patches from current:
Fix (dhartmei, deraadt):
-- Correctly parse hex numbers. Spotted by Claudio Jeker. Closes PR 2234.
-- For nat, binat and rdr rules, don't allow different address families in
one rule. pf can't translate IPv4 <-> IPv6 packets. Such rules didn't work,
even if they were falsely accepted before.
-- no one responds.  this diff makes } and { not be part of symbols

Revision 1.47 / (download) - annotate - [select for diffs], Mon Dec 10 18:08:12 2001 UTC (22 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.46: +16 -3 lines
Diff to previous 1.46 (colored)

Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.

Revision 1.46 / (download) - annotate - [select for diffs], Wed Dec 5 17:11:54 2001 UTC (22 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.45: +3 -3 lines
Diff to previous 1.45 (colored)

Correctly parse hex numbers. Spotted by Claudio Jeker. Closes PR 2234.

Revision 1.45 / (download) - annotate - [select for diffs], Mon Dec 3 21:52:08 2001 UTC (22 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.44: +24 -39 lines
Diff to previous 1.44 (colored)

For nat, binat and rdr rules, don't allow different address families in
one rule. pf can't translate IPv4 <-> IPv6 packets. Such rules didn't work,
even if they were falsely accepted before.

Revision 1.44 / (download) - annotate - [select for diffs], Mon Nov 26 16:50:25 2001 UTC (22 years, 6 months ago) by jasoni
Branch: MAIN
Changes since 1.43: +108 -23 lines
Diff to previous 1.43 (colored)

add fastroute options similar to what is found in ipf
ok dhartmei@, frantzen@

Revision 1.43 / (download) - annotate - [select for diffs], Mon Nov 5 09:28:00 2001 UTC (22 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.42: +4 -3 lines
Diff to previous 1.42 (colored)

no one responds.
this diff makes } and { not be part of symbols

Revision 1.42 / (download) - annotate - [select for diffs], Wed Oct 24 09:18:35 2001 UTC (22 years, 7 months ago) by dhartmei
Branch: MAIN
Changes since 1.41: +5 -1 lines
Diff to previous 1.41 (colored)

Check interface names using ifa0_lookup() and print error message for
non-existent interfaces (instead of the generic ioctl error returned by
the kernel in this case).

Revision 1.41 / (download) - annotate - [select for diffs], Mon Oct 15 16:22:22 2001 UTC (22 years, 7 months ago) by dhartmei
Branch: MAIN
CVS Tags: OPENBSD_3_0_BASE
Branch point for: OPENBSD_3_0
Changes since 1.40: +13 -4 lines
Diff to previous 1.40 (colored)

Add 'allow-opts' to rules. Packets with IP options will be blocked by
default now, and can be allowed per rule. ok deraadt@

Revision 1.40 / (download) - annotate - [select for diffs], Thu Oct 11 22:03:12 2001 UTC (22 years, 7 months ago) by frantzen
Branch: MAIN
Changes since 1.39: +3 -2 lines
Diff to previous 1.39 (colored)

Don't htonl() past buffer bounds if ipmask == 128

Revision 1.39 / (download) - annotate - [select for diffs], Sun Oct 7 11:56:57 2001 UTC (22 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.38: +138 -2 lines
Diff to previous 1.38 (colored)

Add interface name to address translation to pfctl, document it and add
a regress test. Translation is done on rule set load-time only, so the
rule sets must be reloaded when an interface address changes.
parse.y patch from Cedric Berger. Similar patch from Jonathon Fletcher.
Thanks to both.

Revision 1.38 / (download) - annotate - [select for diffs], Mon Oct 1 17:58:16 2001 UTC (22 years, 8 months ago) by markus
Branch: MAIN
Changes since 1.37: +3 -2 lines
Diff to previous 1.37 (colored)

print variable assignments only if -v is given. ok dhartmei/deraadt

Revision 1.37 / (download) - annotate - [select for diffs], Fri Sep 28 14:12:15 2001 UTC (22 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.36: +2 -2 lines
Diff to previous 1.36 (colored)

Support underscores in macro names and document it in the man page.

Revision 1.36 / (download) - annotate - [select for diffs], Thu Sep 20 18:31:44 2001 UTC (22 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.35: +3 -3 lines
Diff to previous 1.35 (colored)

Fix uninitialized structure fields. Problem reported by Cedric Berger.

Revision 1.35 / (download) - annotate - [select for diffs], Sat Sep 15 23:23:40 2001 UTC (22 years, 8 months ago) by wilfried
Branch: MAIN
Changes since 1.34: +21 -8 lines
Diff to previous 1.34 (colored)

Implement return-icmp(number), return-icmp6(number)
Differentiate between return-icmp and return-icmp6,
icmp-type and ipv6-icmp-type. ok dhartmei@

Revision 1.34 / (download) - annotate - [select for diffs], Sat Sep 15 21:49:19 2001 UTC (22 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.33: +8 -2 lines
Diff to previous 1.33 (colored)

Fix 'binat ... to any ...' (binat.af wasn't set).

Revision 1.33 / (download) - annotate - [select for diffs], Sat Sep 15 11:21:50 2001 UTC (22 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.32: +3 -3 lines
Diff to previous 1.32 (colored)

Parse bug, found by wilfried@

Revision 1.32 / (download) - annotate - [select for diffs], Sat Sep 15 03:54:40 2001 UTC (22 years, 8 months ago) by frantzen
Branch: MAIN
Changes since 1.31: +374 -81 lines
Diff to previous 1.31 (colored)

IPv6 support from Ryan McBride (mcbride@countersiege.com)

Revision 1.31 / (download) - annotate - [select for diffs], Wed Sep 12 16:37:14 2001 UTC (22 years, 8 months ago) by markus
Branch: MAIN
Changes since 1.30: +5 -1 lines
Diff to previous 1.30 (colored)

check calloc() return value

Revision 1.30 / (download) - annotate - [select for diffs], Thu Sep 6 22:37:08 2001 UTC (22 years, 9 months ago) by jasoni
Branch: MAIN
Changes since 1.29: +2 -2 lines
Diff to previous 1.29 (colored)

- you can only binat between hosts
- add binat example and description

Revision 1.29 / (download) - annotate - [select for diffs], Thu Sep 6 18:05:46 2001 UTC (22 years, 9 months ago) by jasoni
Branch: MAIN
Changes since 1.28: +42 -2 lines
Diff to previous 1.28 (colored)

1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@

Revision 1.28 / (download) - annotate - [select for diffs], Tue Sep 4 13:47:51 2001 UTC (22 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.27: +120 -74 lines
Diff to previous 1.27 (colored)

Support parameter lists {} for interfaces in filter rules, like
pass in on { gm0, kue0 } from any to any

Revision 1.27 / (download) - annotate - [select for diffs], Tue Aug 28 12:17:04 2001 UTC (22 years, 9 months ago) by markus
Branch: MAIN
Changes since 1.26: +9 -11 lines
Diff to previous 1.26 (colored)

move '!' from host_list to host:  "xhost : '!' host | host;"; ok dhartmei@

Revision 1.26 / (download) - annotate - [select for diffs], Tue Aug 28 09:54:14 2001 UTC (22 years, 9 months ago) by markus
Branch: MAIN
Changes since 1.25: +28 -3 lines
Diff to previous 1.25 (colored)

check for malloc/strdup == NULL

Revision 1.25 / (download) - annotate - [select for diffs], Tue Aug 28 09:27:16 2001 UTC (22 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.24: +9 -3 lines
Diff to previous 1.24 (colored)

Support ! operator in host parameter lists. Fixes PR system/2030. Reported
by Kamil Andrusz <wizz@mniam.net>.

Revision 1.24 / (download) - annotate - [select for diffs], Sun Aug 26 07:58:40 2001 UTC (22 years, 9 months ago) by deraadt
Branch: MAIN
Changes since 1.23: +2 -2 lines
Diff to previous 1.23 (colored)

sort keywords

Revision 1.23 / (download) - annotate - [select for diffs], Sat Aug 25 21:54:26 2001 UTC (22 years, 9 months ago) by frantzen
Branch: MAIN
Changes since 1.22: +16 -5 lines
Diff to previous 1.22 (colored)

PF ISN randomization.  Or in trekkie techno-babble, ISN phase modulation.

Revision 1.22 / (download) - annotate - [select for diffs], Thu Aug 23 05:36:53 2001 UTC (22 years, 9 months ago) by millert
Branch: MAIN
Changes since 1.21: +6 -3 lines
Diff to previous 1.21 (colored)

o for a port_item, initialize the "next" pointer to NULL
o for an address, use calloc() instead of malloc() so the struct is zeroed
Fixes a SEGV in pfctl due to uninitialized "next" pointers.

Revision 1.21 / (download) - annotate - [select for diffs], Thu Aug 23 04:14:20 2001 UTC (22 years, 9 months ago) by deraadt
Branch: MAIN
Changes since 1.20: +263 -82 lines
Diff to previous 1.20 (colored)

Support var="string".  Expansion (at lex time) done using $var, for instance:
    okproto="{ssh, smtp, domain, auth}"
    pass in on key0 proto tcp from any to any port $okproto keep state
Can I ask someone else to document this in pf.conf(5)?

Revision 1.20 / (download) - annotate - [select for diffs], Sun Aug 19 16:16:41 2001 UTC (22 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.19: +256 -115 lines
Diff to previous 1.19 (colored)

Add parameter list support to parser. Handles lists for protocol, hosts
and ports in filter rules, like

  block in from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
  pass in proto tcp from any to any port { ssh, 1024 >< 2000, > 65000 }
  block in proto { udp, igmp }

and does rule expansion (generate all needed rule combinations).
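Added illustration of the expansion the 1.20 message describes; this is not code from the CVS log or from pfctl, and the structures, function names and the "first list varies slowest" output order are this example's own choices. The sample lists are the two rules quoted in the message plus a constructed two-element protocol list, so the product grows to 2 x 3 x 3 = 18 flat rules.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Parameter-list expansion as the 1.20 commit describes it: every element of
 * each list is combined with every element of the others, one flat rule per
 * combination. Structures and functions are this example's own, not pfctl's. */

struct param_list {
	const char *const *items;
	size_t n;		/* 0: not given, expands to a single unspecified value */
};

struct flat_rule {
	const char *proto;	/* NULL when no proto list was given */
	const char *src;	/* NULL means "any" */
	const char *port;	/* NULL when no port list was given */
};

#define COUNT(l)	((l)->n ? (l)->n : 1)

/* Number of rules the three lists expand to (their product). */
size_t
expansion_count(const struct param_list *proto, const struct param_list *src,
    const struct param_list *port)
{
	return (COUNT(proto) * COUNT(src) * COUNT(port));
}

/* Write every combination to out[], first list varying slowest.
 * Returns the number written, or 0 when out[] cannot hold them all. */
size_t
expand_rules(const struct param_list *proto, const struct param_list *src,
    const struct param_list *port, struct flat_rule *out, size_t max)
{
	size_t i, j, k, n = 0;

	if (expansion_count(proto, src, port) > max)
		return (0);
	for (i = 0; i < COUNT(proto); i++)
		for (j = 0; j < COUNT(src); j++)
			for (k = 0; k < COUNT(port); k++, n++) {
				out[n].proto = proto->n ? proto->items[i] : NULL;
				out[n].src = src->n ? src->items[j] : NULL;
				out[n].port = port->n ? port->items[k] : NULL;
			}
	return (n);
}

/* Render one expanded rule in pf.conf syntax. */
int
format_rule(const char *action, const struct flat_rule *r, char *buf, size_t len)
{
	return (snprintf(buf, len, "%s in%s%s from %s to any%s%s", action,
	    r->proto ? " proto " : "", r->proto ? r->proto : "",
	    r->src ? r->src : "any",
	    r->port ? " port " : "", r->port ? r->port : ""));
}

/* Constructed samples: the lists quoted in the commit message, plus a second
 * protocol list to show how the product grows. */
static const char *const nets[] = { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
static const char *const tcp[] = { "tcp" };
static const char *const tcp_udp[] = { "tcp", "udp" };
static const char *const ports[] = { "ssh", "1024 >< 2000", "> 65000" };
static const struct param_list none = { NULL, 0 };
static const struct param_list l_nets = { nets, 3 }, l_tcp = { tcp, 1 };
static const struct param_list l_tcp_udp = { tcp_udp, 2 }, l_ports = { ports, 3 };

/* Expand "pass in proto tcp from any to any port { ports }"; compare rule idx. */
int
sample_pass_rule_is(size_t idx, const char *expected)
{
	struct flat_rule rules[8];
	char buf[128];
	size_t n = expand_rules(&l_tcp, &none, &l_ports, rules, 8);

	if (idx >= n)
		return (0);
	format_rule("pass", &rules[idx], buf, sizeof(buf));
	return (strcmp(buf, expected) == 0);
}

int
main(void)
{
	struct flat_rule rules[32];
	char buf[128];
	size_t i, n = expand_rules(&l_tcp_udp, &l_nets, &l_ports, rules, 32);

	for (i = 0; i < n; i++) {		/* prints all 18 expanded rules */
		format_rule("pass", &rules[i], buf, sizeof(buf));
		puts(buf);
	}
	return (0);
}
```

Because each list element ends up in a rule of its own, a list of three networks becomes three rules and anything combined with it is multiplied, which is worth keeping in mind when reading a loaded ruleset back (pfctl -s rules shows the expanded form, not the list).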

Revision 1.19 / (download) - annotate - [select for diffs], Thu Aug 16 11:46:56 2001 UTC (22 years, 9 months ago) by deraadt
Branch: MAIN
Changes since 1.18: +64 -57 lines
Diff to previous 1.18 (colored)

track the line number per-token, so that we can report errors correctly

Revision 1.18 / (download) - annotate - [select for diffs], Tue Aug 14 16:25:45 2001 UTC (22 years, 9 months ago) by mickey
Branch: MAIN
Changes since 1.17: +10 -30 lines
Diff to previous 1.17 (colored)

optimize the flags parsing; markus@ ok

Revision 1.17 / (download) - annotate - [select for diffs], Sat Aug 11 09:54:59 2001 UTC (22 years, 9 months ago) by deraadt
Branch: MAIN
Changes since 1.16: +86 -72 lines
Diff to previous 1.16 (colored)

\+\n support, and spit out cc-style error messages.  the parser's line
counting is lex dependent, and will need to be tweaked

Revision 1.16 / (download) - annotate - [select for diffs], Tue Jul 31 09:02:18 2001 UTC (22 years, 10 months ago) by wilfried
Branch: MAIN
Changes since 1.15: +11 -1 lines
Diff to previous 1.15 (colored)

allow to test that flags are unset, ok dhartmei@,  mickey@

Revision 1.15 / (download) - annotate - [select for diffs], Thu Jul 19 00:07:36 2001 UTC (22 years, 10 months ago) by krw
Branch: MAIN
Changes since 1.14: +3 -3 lines
Diff to previous 1.14 (colored)

Fix/complete the handling of the binary ops >< and <> to behave
like the ipf operators.

The 'n >< m' construct (Include Range = PF_OP_IRG) should match
ports greater than n and less than m, not greater than or equal to
n and less than or equal to m.

The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match
all ports less than n OR greater than m, not be treated as an
alias for ><.

Thus PF_OP_GL, which was used for both <> and >< is replaced with
PF_OP_IRG and PF_OP_XRG with the 'correct' semantics.

OK dhartmei@
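Added example (not from the CVS log or from pfctl's sources) of a port-expression parser and matcher with the semantics the 1.15 message fixes: "n >< m" (PF_OP_IRG) is the exclusive inner range and "n <> m" (PF_OP_XRG) the exclusive outer range. The other operators (=, !=, <, <=, >, >=, and the inclusive "n:m") follow pf.conf(5); port 0 is accepted as the 1.54 message says; only numeric ports are handled (no getservbyname lookup). The enum and function names are this example's own, not the PF_OP_* constants pfctl uses.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* "><" (IRG) and "<>" (XRG) as the 1.15 commit defines them; the other operators
 * follow pf.conf(5). Names and code are this example's own, not pfctl's or pf(4)'s. */
enum port_op {
	OP_NONE = 0, OP_EQ, OP_NE, OP_LT, OP_LE, OP_GT, OP_GE,
	OP_IRG,		/* n >< m : n < p < m */
	OP_XRG,		/* n <> m : p < n || p > m */
	OP_RRG		/* n:m    : n <= p <= m */
};

struct port_rule { enum port_op op; uint16_t a1, a2; };	/* a2: ranges only */
#define SKIP_WS(s)	((s) += strspn((s), " \t"))

/* Parse a decimal port. 0 is allowed (1.54); anything above 65535 is rejected. */
static int
parse_u16(const char **s, uint16_t *out)
{
	char *end;
	long v = strtol(*s, &end, 10);

	if (end == *s || v < 0 || v > 65535)
		return (-1);
	*s = end;
	*out = (uint16_t)v;
	return (0);
}

/* Consume an operator at *s; the first three spellings are the binary "n op m" ones. */
static enum port_op
take_op(const char **s, int binary)
{
	static const char *const txt[] = { "><", "<>", ":", ">=", "<=", "!=", ">", "<", "=" };
	static const enum port_op ops[] =
	    { OP_IRG, OP_XRG, OP_RRG, OP_GE, OP_LE, OP_NE, OP_GT, OP_LT, OP_EQ };
	size_t i, n;

	for (i = binary ? 0 : 3; i < (binary ? 3 : 9); i++) {
		n = strlen(txt[i]);
		if (strncmp(*s, txt[i], n) == 0) {
			*s += n;
			return (ops[i]);
		}
	}
	return (OP_NONE);
}

/* Parse "n", "op n" or "n op m". Returns -1 on malformed or out-of-range input. */
int
parse_port_expr(const char *s, struct port_rule *r)
{
	enum port_op op;

	memset(r, 0, sizeof(*r));
	SKIP_WS(s);
	op = take_op(&s, 0);			/* unary "op n" form? */
	SKIP_WS(s);
	if (parse_u16(&s, &r->a1) == -1)
		return (-1);
	SKIP_WS(s);
	if (op == OP_NONE) {			/* plain "n" or binary "n op m" */
		if (*s == '\0')
			op = OP_EQ;
		else if ((op = take_op(&s, 1)) == OP_NONE)
			return (-1);
		else if (SKIP_WS(s), parse_u16(&s, &r->a2) == -1)
			return (-1);
	}
	r->op = op;
	SKIP_WS(s);
	return (*s == '\0' ? 0 : -1);		/* trailing garbage is an error */
}

/* Does port p satisfy the rule? */
int
port_match(const struct port_rule *r, uint16_t p)
{
	switch (r->op) {
	case OP_EQ:	return (p == r->a1);
	case OP_NE:	return (p != r->a1);
	case OP_LT:	return (p < r->a1);
	case OP_LE:	return (p <= r->a1);
	case OP_GT:	return (p > r->a1);
	case OP_GE:	return (p >= r->a1);
	case OP_IRG:	return (p > r->a1 && p < r->a2);
	case OP_XRG:	return (p < r->a1 || p > r->a2);
	case OP_RRG:	return (p >= r->a1 && p <= r->a2);
	default:	return (0);
	}
}

/* 1 if expr matches port p, 0 if not, -1 if expr does not parse. */
int
port_expr_matches(const char *expr, uint16_t p)
{
	struct port_rule r;

	return (parse_port_expr(expr, &r) == -1 ? -1 : port_match(&r, p));
}
```

The boundary cases are the point: with "1024 >< 2000" the ports 1024 and 2000 themselves do not match, and with "1024 <> 2000" they do not match either, since both endpoints are excluded on both sides; "1024:2000" is the inclusive form.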

Revision 1.14 / (download) - annotate - [select for diffs], Wed Jul 18 09:53:14 2001 UTC (22 years, 10 months ago) by markus
Branch: MAIN
Changes since 1.13: +10 -7 lines
Diff to previous 1.13 (colored)

new ERROR token, errx() -> warnx() + ERROR; ok deraadt@

Revision 1.13 / (download) - annotate - [select for diffs], Wed Jul 18 08:48:15 2001 UTC (22 years, 10 months ago) by markus
Branch: MAIN
Changes since 1.12: +15 -15 lines
Diff to previous 1.12 (colored)

KNF for return

Revision 1.12 / (download) - annotate - [select for diffs], Wed Jul 18 01:08:43 2001 UTC (22 years, 10 months ago) by mickey
Branch: MAIN
Changes since 1.11: +7 -4 lines
Diff to previous 1.11 (colored)

check number range to fit in 32 bits

Revision 1.11 / (download) - annotate - [select for diffs], Wed Jul 18 00:41:48 2001 UTC (22 years, 10 months ago) by mickey
Branch: MAIN
Changes since 1.10: +36 -4 lines
Diff to previous 1.10 (colored)

put range checks on NUMBER, pointed out by deraadt

Revision 1.10 / (download) - annotate - [select for diffs], Tue Jul 17 23:52:29 2001 UTC (22 years, 10 months ago) by mickey
Branch: MAIN
Changes since 1.9: +38 -38 lines
Diff to previous 1.9 (colored)

spaces, parens, err instead of errx+strerror

Revision 1.9 / (download) - annotate - [select for diffs], Tue Jul 17 23:41:01 2001 UTC (22 years, 10 months ago) by markus
Branch: MAIN
Changes since 1.8: +64 -45 lines
Diff to previous 1.8 (colored)

warnx()/YYERROR instead of errx(); suggested by mickey@

Revision 1.8 / (download) - annotate - [select for diffs], Tue Jul 17 23:25:42 2001 UTC (22 years, 10 months ago) by provos
Branch: MAIN
Changes since 1.7: +1 -2 lines
Diff to previous 1.7 (colored)

markus doesn't like min-ttl =, begone

Revision 1.7 / (download) - annotate - [select for diffs], Tue Jul 17 22:22:16 2001 UTC (22 years, 10 months ago) by provos
Branch: MAIN
Changes since 1.6: +20 -6 lines
Diff to previous 1.6 (colored)

support min-ttl, okay dhartmei@

Revision 1.6 / (download) - annotate - [select for diffs], Tue Jul 17 21:54:27 2001 UTC (22 years, 10 months ago) by provos
Branch: MAIN
Changes since 1.5: +17 -6 lines
Diff to previous 1.5 (colored)

normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@

Revision 1.5 / (download) - annotate - [select for diffs], Tue Jul 17 17:39:42 2001 UTC (22 years, 10 months ago) by marc
Branch: MAIN
Changes since 1.4: +6 -2 lines
Diff to previous 1.4 (colored)

bitch about ! in pf rule; ok dhartmei@ and markus@

Revision 1.4 / (download) - annotate - [select for diffs], Tue Jul 17 16:07:47 2001 UTC (22 years, 10 months ago) by millert
Branch: MAIN
Changes since 1.3: +23 -23 lines
Diff to previous 1.3 (colored)

Only set default proto in the rdr case; markus@ OK

Revision 1.3 / (download) - annotate - [select for diffs], Mon Jul 16 22:43:19 2001 UTC (22 years, 10 months ago) by markus
Branch: MAIN
Changes since 1.2: +9 -3 lines
Diff to previous 1.2 (colored)

errx() if getservbyname() fails

Revision 1.2 / (download) - annotate - [select for diffs], Mon Jul 16 22:09:55 2001 UTC (22 years, 10 months ago) by markus
Branch: MAIN
Changes since 1.1: +18 -4 lines
Diff to previous 1.1 (colored)

better flags parsing; dhartmei

Revision 1.1 / (download) - annotate - [select for diffs], Mon Jul 16 21:09:37 2001 UTC (22 years, 10 months ago) by markus
Branch: MAIN

add a yacc parser for pf.conf and nat.conf, with help from mickey@,
plus: -n now turns off all operations, and just parses the conf files
ok deraadt@
