Up to [local] / src / sbin / pfctl
Default branch: MAIN
Revision 1.69, Sat Feb 2 15:43:18 2019 UTC (5 years, 4 months ago) by yasuoka
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, OPENBSD_7_4_BASE, OPENBSD_7_4, OPENBSD_7_3_BASE, OPENBSD_7_3, OPENBSD_7_2_BASE, OPENBSD_7_2, OPENBSD_7_1_BASE, OPENBSD_7_1, OPENBSD_7_0_BASE, OPENBSD_7_0, OPENBSD_6_9_BASE, OPENBSD_6_9, OPENBSD_6_8_BASE, OPENBSD_6_8, OPENBSD_6_7_BASE, OPENBSD_6_7, OPENBSD_6_6_BASE, OPENBSD_6_6, OPENBSD_6_5_BASE, OPENBSD_6_5, HEAD
Changes since 1.68: +11 -1 lines
Show the routing address selected by "route-to" in "pfctl -s states". ok sthen
Revision 1.68, Fri Sep 7 10:29:22 2018 UTC (5 years, 9 months ago) by kn
Branch: MAIN
CVS Tags: OPENBSD_6_4_BASE, OPENBSD_6_4
Changes since 1.67: +21 -27 lines
Make print_hostname() less AF-specific
Reduce differences address families and replace strlcpy() with simpler if/else logic as done in print_addr_str().
OK sashan
Revision 1.67, Thu Sep 6 15:07:33 2018 UTC (5 years, 9 months ago) by kn
Branch: MAIN
Changes since 1.66: +3 -3 lines
Remove unused af argument from unmask()
This has been unused for years. While here, zap the duplicate function signature from pfctl.h (already present in pfctl_parser.h); spotted by sashan, thanks.
OK sashan
Revision 1.66, Thu Sep 6 14:46:36 2018 UTC (5 years, 9 months ago) by kn
Branch: MAIN
Changes since 1.65: +5 -11 lines
Fill netmask AF-independently in print_host()
Instead of masking the host address in two different ways, just fill it no matter the address family. In case of AF_INET, setting the extra 96 bit does not hurt. While here, stop resetting `af' for no reason and move up the variable declaration.
OK benno sashan
Revision 1.65, Tue Jul 24 09:48:04 2018 UTC (5 years, 10 months ago) by kn
Branch: MAIN
Changes since 1.64: +17 -20 lines
Move duplicate code into new helper print_addr_str()
This simply puts the wiggle around inet_ntop() from four into one location.
OK benno
Revision 1.64, Wed Jan 21 21:50:33 2015 UTC (9 years, 4 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE, OPENBSD_6_3, OPENBSD_6_2_BASE, OPENBSD_6_2, OPENBSD_6_1_BASE, OPENBSD_6_1, OPENBSD_6_0_BASE, OPENBSD_6_0, OPENBSD_5_9_BASE, OPENBSD_5_9, OPENBSD_5_8_BASE, OPENBSD_5_8, OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.63: +3 -2 lines
Include <netinet/in.h> before <net/pfvar.h>. In a future change when ports is ready, <net/pfvar.h> will stop including a pile of baloney.
Revision 1.63, Fri Aug 17 20:37:16 2012 UTC (11 years, 9 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6, OPENBSD_5_5_BASE, OPENBSD_5_5, OPENBSD_5_4_BASE, OPENBSD_5_4, OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.62: +3 -3 lines
Don't forget to byteswap the state_flags since it's a uint16_t now. From Hrvoje Popovski via Florian Obser, ok henning
Revision 1.62, Sun Jul 8 17:48:37 2012 UTC (11 years, 11 months ago) by lteo
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE, OPENBSD_5_2
Changes since 1.61: +19 -11 lines
New attempt to make the -P flag work with -ss, so that states can be printed with port names if desired. tcpdump's pf_print_state.c has diverged significantly from pfctl's, so the change to tcpdump's pf_print_state.c is not exactly the same as pfctl's. ok henning sthen
Revision 1.61, Fri Jun 1 08:35:45 2012 UTC (12 years ago) by jsg
Branch: MAIN
Changes since 1.60: +11 -19 lines
revert previous, breaks tcpdump spotted by jmc@
Revision 1.60, Fri Jun 1 02:44:36 2012 UTC (12 years ago) by lteo
Branch: MAIN
Changes since 1.59: +19 -11 lines
Make the -P flag work with -ss, so that states can be printed with port names if desired. ok henning
Revision 1.59, Thu Oct 13 18:30:54 2011 UTC (12 years, 7 months ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_5_1_BASE, OPENBSD_5_1
Changes since 1.58: +14 -8 lines
pfctl change for af-to / NAT64 support. The general syntax is:
    pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@
Revision 1.58, Fri Nov 12 13:14:41 2010 UTC (13 years, 6 months ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_5_0_BASE, OPENBSD_5_0, OPENBSD_4_9_BASE, OPENBSD_4_9
Changes since 1.57: +3 -3 lines
The ioctl to show states returns a pfsync_state which is in network byte order and therefore a ntohs is needed to show the rdomain correctly. OK henning@ dlg@
Revision 1.57, Thu Sep 2 14:01:04 2010 UTC (13 years, 9 months ago) by sobrado
Branch: MAIN
Changes since 1.56: +3 -3 lines
remove trailing spaces and tabs; no binary change. written with help from henning@, who suggested ensuring that there are no changes in the digests for object files, thanks! ok henning@
Revision 1.56, Wed Jan 13 00:57:49 2010 UTC (14 years, 4 months ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE, OPENBSD_4_8, OPENBSD_4_7_BASE, OPENBSD_4_7
Changes since 1.55: +2 -2 lines
In some cases the netmask gets set to a full 128 bit mask even if no address family is selected; don't print the v6 mask if it's a v4 address.
Revision 1.55, Tue Nov 3 10:59:04 2009 UTC (14 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.54: +14 -8 lines
rtables are stacked on rdomains (it is possible to have multiple routing tables on top of a rdomain) but until now our code was a crazy mix so that it was impossible to correctly use rtables in that case. Additionally pf(4) only knows about rtables and not about rdomains. This is especially bad when tracking (possibly conflicting) states in various domains.
This diff fixes all or most of these issues. It adds a lookup function to get the rdomain id based on a rtable id. Makes pf understand rdomains and allows pf to move packets between rdomains (it is similar to NAT). Because pf states now track the rdomain id as well it is necessary to modify the pfsync wire format. So old and new systems will not sync up.
A lot of help by dlg@, tested by sthen@, jsg@ and probably more
OK dlg@, mpf@, deraadt@
Revision 1.54, Thu Mar 19 01:00:16 2009 UTC (15 years, 2 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_4_6_BASE, OPENBSD_4_6
Changes since 1.53: +3 -3 lines
pfctl -ss printed state levels for ICMPv6. Disable this the same way it has already been done for ICMPv4. ok mcbride@
Revision 1.53, Tue Sep 9 13:56:38 2008 UTC (15 years, 9 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_4_5_BASE, OPENBSD_4_5
Changes since 1.52: +3 -1 lines
welcome pflow(4), a netflow v5 compatible flow export interface. flows export data gathered from pf states. initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many changes by me. 'put it in' theo
Revision 1.52, Tue Aug 12 16:40:18 2008 UTC (15 years, 10 months ago) by david
Branch: MAIN
Changes since 1.51: +2 -2 lines
use correct byte order when printing state expiration minutes; ok henning@
Revision 1.51, Sun Jun 29 08:42:15 2008 UTC (15 years, 11 months ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_4_4_BASE, OPENBSD_4_4
Changes since 1.50: +38 -24 lines
Simplify state creation code; merge state import/export code between pfsync and the state-related pf(4) ioctls, and make functions in state creation and destruction paths more robust in error conditions. All values in struct pfsync_state now in network byte order, as with pfsync.
testing by david
ok henning, systat parts ok canacar
Revision 1.50, Tue Jun 10 19:32:14 2008 UTC (16 years ago) by henning
Branch: MAIN
Changes since 1.49: +2 -2 lines
save some space in the state by collapsing two 8 bit ints used as booleans into one 8 bit flags field. shrinks the state structure by 4 bytes on 32bit archs
ryan ok
Revision 1.49, Tue Jun 10 04:29:21 2008 UTC (16 years ago) by henning
Branch: MAIN
Changes since 1.48: +3 -1 lines
in verbose mode indicate which states are sloppy, ryan reyk theo
Revision 1.48, Thu May 29 01:00:53 2008 UTC (16 years ago) by mcbride
Branch: MAIN
Changes since 1.47: +30 -18 lines
Second half of PF state table rearrangement.
- Mechanical change: Use arrays for state key pointers in pf_state, and addr/port in pf_state_key, to allow the use of indexes.
- Fix NAT, pfsync, pfctl, and tcpdump to handle the new state structures. In struct pfsync_state, both state keys are included even when identical.
- Also fix some bugs discovered in the existing code during testing. (in particular, "block return" for TCP packets was not returning an RST)
ok henning beck deraadt
tested by otto dlg beck laurent
Special thanks to users Manuel Pata and Emilio Perea who did enough testing to actually find some bugs.
Revision 1.47, Fri May 9 13:59:31 2008 UTC (16 years, 1 month ago) by mpf
Branch: MAIN
Changes since 1.46: +2 -2 lines
Add support to kill states by rule label or state id. Fix printing of the state id in pfctl -ss -vv. Remove the psnk_af hack to return the number of killed states. OK markus, beck. "I like it" henning, deraadt. Manpage help from jmc.
Revision 1.46, Thu Aug 30 09:28:49 2007 UTC (16 years, 9 months ago) by dhartmei
Branch: MAIN
CVS Tags: OPENBSD_4_3_BASE, OPENBSD_4_3
Changes since 1.45: +15 -1 lines
add support for address ranges ("from 10.1.2.50 - 10.1.3.75") in from/to criteria. ok mcbride@
Revision 1.45, Thu May 31 04:13:37 2007 UTC (17 years ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_4_2_BASE, OPENBSD_4_2
Changes since 1.44: +17 -14 lines
Cope with new ioctl interface (use pfsync_state instead of pf_state) ok henning@ toby@ pyr@
Revision 1.44, Thu Mar 1 17:20:53 2007 UTC (17 years, 3 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_4_1_BASE, OPENBSD_4_1
Changes since 1.43: +2 -2 lines
be more careful with mixing &/| with &&/||, ok otto
Revision 1.43, Tue Mar 14 11:09:44 2006 UTC (18 years, 3 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_4_0_BASE, OPENBSD_4_0
Changes since 1.42: +4 -1 lines
implement a Unicast Reverse Path Forwarding (uRPF) check for pf(4) which optionally verifies that a packet is received on the interface that holds the route back to the packet's source address. This makes it an automatic ingress filter, but only when routing is fully symmetric. bugfix feedback claudio@; ok claudio@ and dhartmei@
Revision 1.42, Fri Nov 4 08:24:15 2005 UTC (18 years, 7 months ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_3_9_BASE, OPENBSD_3_9
Changes since 1.41: +2 -2 lines
crank pf_state and pf_src_node byte and packet counters to u_int64_t, since we're breaking pfsync compatibility this cycle anyways. Requested by djm@, ok henning@, 'wheee!' deraadt@
Revision 1.41, Tue May 24 22:14:22 2005 UTC (19 years ago) by pascoe
Branch: MAIN
CVS Tags: OPENBSD_3_8_BASE, OPENBSD_3_8
Changes since 1.40: +4 -3 lines
Identify states that will not be synchronised in pfctl -vvss output. ok mcbride@ henning@
Revision 1.40, Fri Dec 10 22:13:26 2004 UTC (19 years, 6 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_3_7_BASE, OPENBSD_3_7
Changes since 1.39: +4 -1 lines
allow pf to filter on route labels
    pass in from route dtag keep state queue reallyslow
tested by Gabriel Kihlman <gk@stacken.kth.se> and Michael Knudsen <e@molioner.dk> and ryan
ok ryan
Revision 1.39, Tue Feb 10 17:48:08 2004 UTC (20 years, 4 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_3_6_BASE, OPENBSD_3_6, OPENBSD_3_5_BASE, OPENBSD_3_5
Changes since 1.38: +2 -2 lines
fix at least the worst of Cedric "KNF is for everybody but me" Berger's fuckup
Revision 1.38, Mon Jan 26 23:11:36 2004 UTC (20 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.37: +5 -2 lines
we must not omit printing the netmask when it is all zero, this is dangerous - 1.2.3.4/0 is not equal to 1.2.3.4... this "helped" to make failure already
only omit the netmask when both the addr and the mask itself are all zero (the "any" case)
ok dhartmei@ mcbride@
Revision 1.37, Wed Dec 31 11:18:24 2003 UTC (20 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.36: +18 -2 lines
Many improvements to the handling of interfaces in PF.
1) PF should do the right thing when unplugging/replugging or cloning/destroying NICs.
2) Rules can be loaded in the kernel for not-yet-existing devices (USB, PCMCIA, Cardbus). For example, it is valid to write: "pass in on kue0" before kue USB is plugged in.
3) It is possible to write rules that apply to group of interfaces (drivers), like "pass in on ppp all"
4) There is a new ":peer" modifier that completes the ":broadcast" and ":network" modifiers.
5) There is a new ":0" modifier that will filter out interface aliases. Can also be applied to DNS names to restore original PF behaviour.
6) The dynamic interface syntax (foo) has been vastly improved, and now support multiple addresses, v4 and v6 addresses, and all userland modifiers, like "pass in from (fxp0:network)"
7) Scrub rules now support the !if syntax.
8) States can be bound to the specific interface that created them or to a group of interfaces for example:
   - pass all keep state (if-bound)
   - pass all keep state (group-bound)
   - pass all keep state (floating)
9) The default value when only keep state is given can be selected by using the "set state-policy" statement.
10) "pfctl -ss" will now print the interface scope of the state.
This diff changes the pf_state structure slightly, so you should recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)
Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel
ok deraadt@ mcbride@
Revision 1.36, Sat Dec 27 19:37:43 2003 UTC (20 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.35: +1 -2 lines
Remove extra \n from pf_print_state(). ok deraadt@ cedric@
Revision 1.35, Mon Dec 15 07:11:30 2003 UTC (20 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.34: +8 -2 lines
Add initial support for pf state synchronization over the network. Implemented as an in-kernel multicast IP protocol.
Turn it on like this:
    # ifconfig pfsync0 up syncif fxp0
There is not yet any authentication on this protocol, so the syncif must be on a trusted network. ie, a crossover cable between the two firewalls.
NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification; packets on pfsync no longer contains regular pf_state structs, but pfsync_state structs which contain no pointers.
Much more to come.
ok deraadt@
Revision 1.34, Mon Dec 15 00:02:03 2003 UTC (20 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.33: +6 -1 lines
Add support to track stateful connections by source ip. This allows us to:
- Ensure that clients get a consistent IP mapping with load-balanced translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule
ok dhartmei@ deraadt@
Revision 1.33, Sun Jul 6 22:01:28 2003 UTC (20 years, 11 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_3_4_BASE, OPENBSD_3_4
Changes since 1.32: +3 -3 lines
knf (cedric did not do it right)
Revision 1.32, Fri Jul 4 11:05:16 2003 UTC (20 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.31: +2 -2 lines
KNF
Revision 1.31, Sat Jun 21 09:07:01 2003 UTC (20 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.30: +3 -2 lines
count packets and bidirectionally on state entries, allowing for fine-grained traffic reporting w/ pfsync; ok dhartmei@
Note: ABI change (new fields in struct pf_state), requires a rebuild of pfctl and tcpdump.
Revision 1.30, Fri Jun 20 16:53:48 2003 UTC (20 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.29: +3 -1 lines
some cleanings recommended by lint; dhartmei ok
Revision 1.29, Sat Jun 7 21:10:47 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.28: +5 -2 lines
in print_host(), don't set the mask blindly to /128 but adhere to the address family. fixes the ipv4/128:port output in pfctl -ss.
Revision 1.28, Mon May 19 20:22:53 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.27: +4 -8 lines
print out the full netmask; don't just ignore the upper bits in the v4 case
helps finding assignment bugs.
Revision 1.27, Sat May 17 07:45:28 2003 UTC (21 years ago) by dhartmei
Branch: MAIN
Changes since 1.26: +9 -6 lines
Fix proxy related output.
Revision 1.26, Fri May 16 17:15:17 2003 UTC (21 years ago) by dhartmei
Branch: MAIN
Changes since 1.25: +7 -4 lines
TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use 'synproxy state' for TCP connections. pf will complete the TCP handshake with the active endpoint before passing any packets to the passive endpoint, preventing spoofed SYN floods from reaching the passive endpoint. No additional memory requirements, no cookies needed, random initial sequence numbers, uses the existing sequence number modulators to translate packets after the handshakes. ok frantzen@
Revision 1.25, Wed Apr 9 15:38:46 2003 UTC (21 years, 2 months ago) by cedric
Branch: MAIN
Changes since 1.24: +3 -1 lines
on "pfctl -vvss", print the anchor rule number when there is one. ok dhartmei@ henning@
Revision 1.24, Thu Apr 3 15:52:24 2003 UTC (21 years, 2 months ago) by cedric
Branch: MAIN
Changes since 1.23: +25 -10 lines
Simplify pfctl printing code. ok dhartmei@ henning@
Revision 1.23, Mon Mar 24 17:06:39 2003 UTC (21 years, 2 months ago) by cedric
Branch: MAIN
CVS Tags: OPENBSD_3_3_BASE, OPENBSD_3_3
Changes since 1.22: +4 -3 lines
Add missing return. Fix following buglet:
    # echo "pass in from <veryLONGtableNAME>" | pfctl -nvf-
    pass in from <veryLONGtableNAME>/0 to any
Revision 1.22, Sat Mar 8 16:06:03 2003 UTC (21 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.21: +2 -12 lines
Remove unneeded #includes, from Andrey Matveev andrushock(at)pisem(dot)net
Revision 1.21, Tue Jan 21 22:23:49 2003 UTC (21 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.20: +7 -1 lines
Support for TCP window scaling (RFC 1323). ok frantzen@
Revision 1.20, Mon Jan 20 18:37:52 2003 UTC (21 years, 4 months ago) by camield
Branch: MAIN
Changes since 1.19: +4 -4 lines
Remove unused argument from print_name() and fix two other nits found by lint. ok henning
Revision 1.19, Mon Jan 20 17:16:56 2003 UTC (21 years, 4 months ago) by cedric
Branch: MAIN
Changes since 1.18: +11 -4 lines
Improve pfctl -vvs{r,n} output with rule containing tables. Shows the number of entries in the table or if the table is not active. ok dhartmei@, no objections.
Revision 1.18, Tue Jan 7 00:21:08 2003 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.17: +3 -10 lines
Remove table name hashing (pass the name in each ioctl instead), and introduce reference counting for tables, they are now automatically created and deleted through referencing rules. Diff partly from cedric@. ok mcbride@, henning@, cedric@
Revision 1.17, Sun Jan 5 22:14:23 2003 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.16: +11 -11 lines
Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table name. ok henning@, mcbride@, cedric@
Revision 1.16, Sat Jan 4 00:01:34 2003 UTC (21 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.15: +2 -3 lines
I do not know where this policy of "one .h file for every .c file" comes from, but whoever thought of it is stupid.
Revision 1.15, Fri Jan 3 21:37:44 2003 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.14: +11 -1 lines
Bring in userland code for accessing PF radix tables. ok dhartmei@ mcbride@
Revision 1.14, Wed Dec 18 16:09:25 2002 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.13: +2 -2 lines
rule.nr USHRT_MAX -> -1, to detect states whose creating rules are already gone.
Revision 1.13, Sat Nov 30 10:07:51 2002 UTC (21 years, 6 months ago) by mickey
Branch: MAIN
Changes since 1.12: +23 -1 lines
move unmask back into pf_print_state.c where it was, and please keep it there; henning@ ok
Revision 1.12, Fri Nov 29 18:24:29 2002 UTC (21 years, 6 months ago) by mickey
Branch: MAIN
Changes since 1.11: +4 -6 lines
no need for extra hrs; henning@ ok
Revision 1.11, Sat Nov 23 09:33:54 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.10: +2 -2 lines
KNF
Revision 1.10, Sat Nov 23 05:22:24 2002 UTC (21 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.9: +6 -5 lines
code to support loading of pf rules with multiple redirection addresses (in nat, rdr, route-to, dup-to and reply-to)
Syntax looks like this, see pf.conf(5) for details:
    nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
        192.168.0.16/29 source-hash random
    rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
        { 192.168.0.8/31, 192.168.0.15 } port 22 round-robin
ok dhartmei@ henning@
Revision 1.9, Sat Nov 2 15:29:28 2002 UTC (21 years, 7 months ago) by dhartmei
Branch: MAIN
Changes since 1.8: +2 -2 lines
%i -> %d, matches the style of existing code, from millert@
Revision 1.8, Sat Nov 2 14:13:42 2002 UTC (21 years, 7 months ago) by dhartmei
Branch: MAIN
Changes since 1.7: +2 -2 lines
printf int with %i, not %u. from pilot@monkey.org.
Revision 1.7, Fri Oct 25 10:40:45 2002 UTC (21 years, 7 months ago) by camield
Branch: MAIN
Changes since 1.6: +4 -26 lines
- more sa_family_t
- move unmask code to correct file
- whitespace
ok mcbride@ dhartmei@
Revision 1.6, Tue Oct 22 12:28:08 2002 UTC (21 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.5: +2 -2 lines
More conversion of "int af" and "u_int8_t af" declarations and function arguments to the more correct and descriptive "sa_family_t af" ok dhartmei@ henning@
Revision 1.5, Wed Jul 31 20:19:15 2002 UTC (21 years, 10 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_3_2_BASE, OPENBSD_3_2
Changes since 1.4: +3 -1 lines
KNF, esp. missing prototypes
Revision 1.4, Fri Jul 19 12:31:59 2002 UTC (21 years, 10 months ago) by dhartmei
Branch: MAIN
Changes since 1.3: +26 -32 lines
Use getnameinfo() instead of gethostbyaddr() to support IPv6 reverse lookups with pfctl -r. Makes things actually simpler.
Revision 1.3, Thu Jul 18 21:25:01 2002 UTC (21 years, 10 months ago) by deraadt
Branch: MAIN
Changes since 1.2: +5 -5 lines
use inet_aton(), until this is made v6 aware
Revision 1.2, Tue Jun 11 02:48:12 2002 UTC (22 years ago) by frantzen
Branch: MAIN
Changes since 1.1: +10 -1 lines
print a string for UDP and OTHER state level instead of a numeric level ok dhartmei@, henning@
Revision 1.1, Thu Jun 6 22:22:44 2002 UTC (22 years ago) by mickey
Branch: MAIN
split out the pf_state printing functions to be used elsewhere, no functional change; dhartmei@ ok