OpenBSD CVS

CVS log for src/sbin/pfctl/pfctl.c




Default branch: MAIN


Revision 1.394, Fri Feb 2 08:23:29 2024 UTC by sashan
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, HEAD
Changes since 1.393: +3 -3 lines

The fix to pfctl_kill_src_nodes() comes from Olivier Croquin.
bluhm@ pointed out pfctl_net_kill_states() suffers from the
same copy'n'paste typo. Commit combines both fixes.

OK @bluhm, OK @kn

Revision 1.393, Mon Jan 15 07:23:32 2024 UTC by sashan
Branch: MAIN
Changes since 1.392: +20 -5 lines

Currently 'pfctl -a "*" -sr' recursively walks anchor tree and shows
rules found in every anchor. This commit introduces the same behavior
for tables. Command 'pfctl -a "*" -sT' prints all tables attached to
every anchor loaded to pf(4).

Inconsistency has been noticed by Klemens (kn@).

OK @bluhm, OK @kn

Revision 1.392, Thu Oct 26 16:26:01 2023 UTC by deraadt
Branch: MAIN
Changes since 1.391: +3 -3 lines

whitespace cleanup my fingers couldn't avoid doing while i was re-reading
the parsing code

Revision 1.391, Fri Apr 28 14:08:38 2023 UTC by sashan
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4
Changes since 1.390: +12 -20 lines

This change speeds up DIOCGETRULE ioctl(2) which pfctl(8) uses to
retrieve rules from kernel. The current implementation requires
like O((n^2)/2) operation to read the complete rule set, because
each DIOCGETRULE operation must iterate over previous n
rules to find (n + 1)-th rule to read.

To address the issue diff introduces a pf_trans structure to keep
pointer to next rule to read, thus reading process does not need
to iterate from beginning of rule set to reach the next rule.
All transactions opened by process get closed either when process
is done (reads all rules) or when /dev/pf device is closed.

the diff also comes with lots of improvements from dlg@ and kn@

OK dlg@, kn@

Revision 1.390, Fri Jan 6 17:44:33 2023 UTC by sashan
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3
Changes since 1.389: +6 -1 lines

PF_ANCHOR_STACK_MAX is insufficient protection against stack overflow.
On amd64 stack overflows for anchor rule with depth ~30. The tricky
thing is the 'safe' depth varies depending on kind of packet processed
by pf_match_rule(). For example for local outbound TCP packet stack
overflows when recursion of pf_match_rule() reaches depth 24.

Instead of lowering PF_ANCHOR_STACK_MAX to 20 and hoping it will
be enough on all platforms and for all packets I'd like to stop
calling pf_match_rule() recursively. This commit brings back
pf_anchor_stackframe array we used to have back in 2017. It also
revives patrick@'s idea to pre-allocate stack frame arrays
from per-cpu.

OK kn@

Revision 1.389, Sat Nov 19 14:01:51 2022 UTC by kn
Branch: MAIN
Changes since 1.388: +8 -1 lines

Prettify expired rules printing

"pfctl -s rules"    omits expired rules but prints newlines for them.
"pfctl -s rules -v" omits expired rules but prints their stats.

Add the existing skip check to those two missing print logic places such
that expired rules won't cause any output at all, as expected, unless
debug ("-g") or more verbose ("-vv") mode are given, as documented.

OK sashan

Revision 1.388, Wed Jul 27 12:28:27 2022 UTC by mbuhl
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE, OPENBSD_7_2
Changes since 1.387: +2 -2 lines

Remove redundant bzero, the pfctl struct is memset later on.
Also memset the pfctl struct in pfctl_reset.
OK jan@

Revision 1.387, Thu Jul 21 05:26:10 2022 UTC by mbuhl
Branch: MAIN
Changes since 1.386: +2 -1 lines

Set the default pool size for the new anchors pool otherwise it's set to 0.

Revision 1.386, Wed Jul 20 09:33:11 2022 UTC by mbuhl
Branch: MAIN
Changes since 1.385: +2 -1 lines

Add a pool for the allocation of the pf_anchor struct.
It was possible to exhaust kernel memory by repeatedly calling
pfioctl DIOCXBEGIN with different anchor names.
OK bluhm@
Reported-by: syzbot+9dd98cbce69e26f0fc11@syzkaller.appspotmail.com

Revision 1.385, Thu Nov 11 12:49:53 2021 UTC by sashan
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.384: +3 -1 lines

add tests to cover DIOCCHANGERULE ioctl(2)

OK bluhm@

Revision 1.384, Mon Oct 25 14:50:29 2021 UTC by sashan
Branch: MAIN
Changes since 1.383: +4 -1 lines

- pfctl $nr incorrect macro expansion

Issue reported by Kristof Provost from FreeBSD.
[ https://reviews.freebsd.org/D32488 ]

In order to fix the issue we must delay '$nr' macro
expansion after optimizer collapses ruleset.

OK kn@

Revision 1.383, Wed Oct 14 19:30:37 2020 UTC by naddy
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0, OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.382: +6 -3 lines

Accommodate a basename(3) that takes a non-const parameter and may
in fact modify the string buffer.
ok kn@ sashan@

Revision 1.382, Thu Jan 16 01:02:20 2020 UTC by kn
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8, OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.381: +5 -15 lines

Fail on missing anchor

There is no reason to continue on anchor specific paths if the given
anchor does not exist.

OK sashan

Revision 1.381, Wed Jan 15 22:38:31 2020 UTC by kn
Branch: MAIN
Changes since 1.380: +6 -6 lines

Do the actual pfr_strerror() to pf_strerror() rename

Missed in previous

Revision 1.380, Wed Jan 15 22:31:51 2020 UTC by kn
Branch: MAIN
Changes since 1.379: +19 -5 lines

Unify error message for nonexisting anchors

pf(4) returns EINVAL for DIOCGETRULE, DIOCGETRULES and DIOCGETRULESET if
the specified anchor does not exist.

Extend and rename {pfr -> pf}_strerror() to make error message more
consistent.

There are other occasions as well but those need additional tweaks;
that's stuff for another diff.

OK and rename from sashan

Revision 1.379, Wed Jan 15 13:42:39 2020 UTC by kn
Branch: MAIN
Changes since 1.378: +2 -2 lines

Print the main ruleset/anchor as "/" not "<root>" for consistency

OK sashan

Revision 1.378, Wed Jan 15 11:52:50 2020 UTC by sashan
Branch: MAIN
Changes since 1.377: +241 -38 lines

Enable pfctl(8) to recursively flush rules and tables from PF driver.  The
recursive operation ("pfctl -a '*' ...") works for '-s' option already. This
change enables the same thing for '-F' option, so "pfctl -a '*' -Fa" will flush
everything from PF driver.

The idea was discussed with many on tech@ in spring 2019.

OK kn@

Revision 1.377, Wed Nov 27 19:42:56 2019 UTC by kn
Branch: MAIN
Changes since 1.376: +2 -2 lines

Fix function name in error message (zap trailing s)

Revision 1.376, Thu Aug 15 18:44:53 2019 UTC by sashan
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.375: +2 -1 lines

pfctl_reset() must set syncookies settings back to default
(bug found and fix tested by Jesper Wallin)

OK deraadt OK kn

Revision 1.375, Tue Jul 9 16:42:48 2019 UTC by kn
Branch: MAIN
Changes since 1.374: +2 -2 lines

Add parentheses for readability

Prompted by and OK deraadt

Revision 1.374, Fri Jun 28 13:32:45 2019 UTC by deraadt
Branch: MAIN
Changes since 1.373: +45 -45 lines

When system calls indicate an error they return -1, not some arbitrary
value < 0.  errno is only updated in this case.  Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

Revision 1.373, Mon Apr 15 21:36:44 2019 UTC by sashan
Branch: MAIN
Changes since 1.372: +46 -3 lines

introduce 'pfctl -FR' to reset settings to defaults
  (discussed with many at tech@)

OK deraadt@, kn@, sthen@, tedu@

Revision 1.372, Wed Mar 6 19:49:05 2019 UTC by kn
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5
Changes since 1.371: +3 -27 lines

Fix once rules

parse.y revision 1.682 from 16.07.2018 erroneously allowed `match once' and
`anchor "a" once'.

Fix both by checking for PF_DROP not PF_MATCH and creating anchors in the
parser already such that they can be used to distinguish anchor rules in
the same check as well.

Found and fixed by Petr Hoffmann <petr.hoffmann at oracle dot com>, thanks!

While here, remove an unneeded cast and make pfctl_add_rule() void as it
always returned 0.

OK sashan

Revision 1.371, Mon Feb 18 13:11:44 2019 UTC by bluhm
Branch: MAIN
Changes since 1.370: +5 -7 lines

Change ps_len of struct pfioc_states and psn_len of struct
pfioc_src_nodes to size_t.  This avoids integer truncation by casts
to unsigned.  As the types of DIOCGETSTATES and DIOCGETSRCNODES
ioctl(2) arguments change, pfctl(8) and systat(1) should be updated
together with the kernel.  Calculate number of pf(4) states as
size_t in userland.
OK sashan@ deraadt@

Revision 1.370, Sun Feb 10 15:05:17 2019 UTC by kn
Branch: MAIN
Changes since 1.369: +3 -1 lines

Anchor names must not be empty

The parser would allow bogus input and sometimes even produce invalid rules
on empty anchor names, so error out immediately.

OK sashan

Revision 1.369, Tue Jan 29 10:58:31 2019 UTC by kn
Branch: MAIN
Changes since 1.368: +11 -55 lines

Reuse copy_satopfaddr() when killing entries

Recently introduced in pfctl_parser.c r1.333, this helper nicely
simplifies code when copying IPs based on their address family, so use
it in five other places when killing state or source node entries.

All addresses copied in these code paths result from either
pfctl_parse_host() or pfctl_addrprefix() which guarantee the address
family set to AF_INET or AF_INET6.  Therefore, effectively relaxing the
case of unhandled families from errx(3) in callers to warnx(3) in
copy_satopfaddr() is safe since it's never reached.

OK sashan

Revision 1.368, Tue Jan 29 08:56:22 2019 UTC by kn
Branch: MAIN
Changes since 1.367: +4 -1 lines

Make -N and -r mutually exclusive

Either disable DNS or enable additional reverse lookups, but not both.

OK benno

Revision 1.367, Mon Jan 28 10:25:20 2019 UTC by kn
Branch: MAIN
Changes since 1.366: +32 -47 lines

Simplify lookups when killing entries

Killing source tracking or state entries by hostname or CIDR would pass
given keys twice to getaddrinfo(3): once to resolve/parse and again to
parse the numerical address in case a prefix was specified.

Avoid this overhead by making pfctl_addrprefix() resolve, pass and mask
in one go and return the list of IPs to the callers.  This notably
simplifies both logic and sanity checks around prefix length and address
family.

While here, also pass -N along such that -k and -K can be restricted to
not use DNS.

Discussed with procter sashan, OK sashan

Revision 1.366, Sat Jan 19 11:48:54 2019 UTC by kn
Branch: MAIN
Changes since 1.365: +7 -8 lines

Use mnemonic PFCTL_SHOW_* macros, terminate string with null character

Tweak spacing while here, no object change.

Feedback and OK procter, OK sceloha

Revision 1.365, Fri Jan 11 03:09:24 2019 UTC by kn
Branch: MAIN
Changes since 1.364: +4 -4 lines

Defuse `-F all -i interface'

Flushing all filter parameters does not make sense on one specific
interface only as already noted.  However, the main ruleset as well as
all tables were still cleared on such invalid usage.

Furthermore, an empty interface name was treated like no interface at
all, hence source tracking entries, statistics and interface flags were
cleared also.

Immediately error out if `-i' is given regardless of its argument before
flushing anything.

OK sashan

Revision 1.364, Fri Jan 11 01:56:54 2019 UTC by kn
Branch: MAIN
Changes since 1.363: +1 -3 lines

When creating tables inside anchors, pfctl warned about namespace
collisions with global tables, but only in certain cases and with
limited information sometimes leaving users clueless.

Deferring the check to process_tabledefs() where tables are eventually
created, both anchor and table name are known which allows for checking
all existing anchors.

With this, warn on all duplicates even in dry-runs (`-n') and print
quoted names so they can be copied to fix configurations right away.

No functional change in parsing or ruleset production.

Discussed with and OK sashan

Revision 1.363, Thu Jan 10 22:22:51 2019 UTC by kn
Branch: MAIN
Changes since 1.362: +4 -4 lines

Zap unused iface function parameter from pfctl_kill_src_nodes()

Killing source tracking entries per interface does not make sense and
`-i interface' along with `-K key' is completely ignored anyway.

There since import in 2006, probably just copy/pasta.

OK sashan

Revision 1.362, Wed Jan 2 23:08:00 2019 UTC by kn
Branch: MAIN
Changes since 1.361: +5 -2 lines

Error out on missing table command, zap internal wrapper function

Table name and table command require each other as reflected in the
synopsis [-t table -T command [address ...]], so print usage and exit if
only one of them is given.

By moving the inter-dependence check right after option parsing is done,
we can bail out even before opening pf(4) and drop the internal wrapper
pfctl_command_tables() as unneeded indirection with now duplicate checks.

OK sashan

Revision 1.361, Thu Dec 27 16:33:44 2018 UTC by kn
Branch: MAIN
Changes since 1.360: +1 -4 lines

Zap duplicate struct declaration

These are in <net/pfvar.h> already.

OK sashan

Revision 1.360, Tue Sep 18 12:55:19 2018 UTC by kn
Branch: MAIN
CVS Tags: OPENBSD_6_4_BASE, OPENBSD_6_4
Changes since 1.359: +4 -4 lines

fix table commands under anchors

With r1.358 I simplified anchor handling but also broke semantics with
regard to tables:

	# pfctl -a aname -t tname -T show
	pfctl: anchors apply to -f, -F and -s only

Unbreak this by checking for table commands as well.

OK bluhm

Revision 1.359, Sat Sep 8 14:45:55 2018 UTC by kn
Branch: MAIN
Changes since 1.358: +4 -3 lines

Allocate path only when needed, use __func__

Revision 1.358, Sat Sep 8 14:12:57 2018 UTC by kn
Branch: MAIN
Changes since 1.357: +9 -8 lines

Error out early on bad anchor usage

`pfctl -a foo' would do nothing with the non-existent anchor and exit 0.
This implements behaviour as documented in pfctl(8):

	-a anchor
	    Apply flags -f, -F, and -s only to the rules in the specified
	    anchor.

While here, hoist a duplicate "_" check by using the more mnemonic `mode'.

OK henning sashan

Revision 1.357, Fri Sep 7 19:56:07 2018 UTC by kn
Branch: MAIN
Changes since 1.356: +4 -6 lines

Fix function name in error messages by using __func__

Revision 1.356, Fri Jul 20 11:16:55 2018 UTC by kn
Branch: MAIN
Changes since 1.355: +2 -2 lines

Stop checking table commands for `create'

Tiny left over from 2003 when it was removed. Twist the logic by checking
for `show' and `test' to make it even simpler.

OK sashan henning

Revision 1.355, Tue Jul 10 09:30:49 2018 UTC by henning
Branch: MAIN
Changes since 1.354: +2 -0 lines

'set delay' for the generic packet delay mechanism, ok benno sashan

Revision 1.354, Thu Feb 8 09:15:46 2018 UTC by henning
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE, OPENBSD_6_3
Changes since 1.353: +48 -14 lines

make the watermarks/thresholds for entering and leaving syncookie mode when
syncookies are set to adaptive tunable, ok claudio benno

Revision 1.353, Thu Feb 8 02:26:39 2018 UTC by henning
Branch: MAIN
Changes since 1.352: +10 -2 lines

show current synflood detection watermarks in pfctl -vsi, for the lack
of a more appropriate place. ok claudio benno procter

Revision 1.352, Tue Feb 6 23:47:47 2018 UTC by henning
Branch: MAIN
Changes since 1.351: +62 -0 lines

allow control over syncookies: set syncookies never/always/adaptive

Revision 1.351, Sat Nov 25 22:26:25 2017 UTC by sashan
Branch: MAIN
Changes since 1.350: +10 -9 lines

- pfctl fails to handle nested 'load anchor' properly
  [ + yet another 'anchor name vs. path mix up in load anchor (parse.y) ]

OK bluhm@

Revision 1.350, Tue Sep 26 20:23:32 2017 UTC by sashan
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.349: +2 -2 lines

- pfctl always prints warning when flushing ruleset

OK mikeb@

Revision 1.349, Tue Sep 5 22:15:32 2017 UTC by sashan
Branch: MAIN
Changes since 1.348: +1 -2 lines

- split pf_find_or_create_ruleset() to smaller chunks.
  tested by Hrvoje

OK mpi@, OK bluhm@

Revision 1.348, Fri Aug 11 22:30:38 2017 UTC by benno
Branch: MAIN
Changes since 1.347: +6 -3 lines

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@

Revision 1.347, Wed Jul 19 12:58:31 2017 UTC by mikeb
Branch: MAIN
Changes since 1.346: +25 -9 lines

Allow HFSC classes to use flow queues

The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue.  Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.

Discussed with and OK henning@ at d2k17 as a part of a larger diff.

Revision 1.346, Wed Jul 19 12:51:30 2017 UTC by mikeb
Branch: MAIN
Changes since 1.345: +12 -2 lines

Rework HFSC vs FQ-CoDel checks

The selection mechanism introduced in pf_ioctl.c -r1.316 suffers
from being too ambiguous and lacks robustness. Instead of relying
on composition of multiple flags in the queue specification, it's
easier to identify the root class (if it exists) and derive all
further checks from it.

Revision 1.345, Fri Jun 16 19:59:13 2017 UTC by awolk
Branch: MAIN
Changes since 1.344: +24 -39 lines

pfctl: merge identical if conditions and void functions discarding ret values

Transform the following functions (which never return anything other than 0, and
whose return value is never used) to void:

* pfctl_clear_stats, pfctl_clear_interface_flags, pfctl_clear_rules,
  pfctl_clear_src_nodes, pfctl_clear_states
* pfctl_kill_src_nodes, pfctl_net_kill_states, pfctl_label_kill_states,
  pfctl_id_kill_states, pfctl_key_kill_states

inside main: merge two identical if conditions next to each other into one.

Submitted by rain1 (thanks!) with additional credit to:
 - mikeb@ for pointing out we can void all _clear_ functions
 - ghostyy for pointing out all _kill_ functions can be voided

OK tb@, mikeb@

Revision 1.344, Tue May 30 12:13:04 2017 UTC by henning
Branch: MAIN
Changes since 1.343: +1 -1 lines

fix a comment

Revision 1.343, Mon May 15 11:23:25 2017 UTC by mikeb
Branch: MAIN
Changes since 1.342: +4 -4 lines

Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)

OK sthen, visa

Revision 1.342, Wed Apr 26 15:50:59 2017 UTC by mikeb
Branch: MAIN
Changes since 1.341: +3 -19 lines

Perform H-FSC root queue allocation in the kernel

Since only leaf queues can have packets assigned to them,
H-FSC requires the user specified root queue to have a
parent.  To simplify userland tools and the configuration
interface, the kernel can be leveraged to set it up.

ok henning

Revision 1.341, Sun Apr 23 07:41:25 2017 UTC by jmc
Branch: MAIN
Changes since 1.340: +8 -8 lines

oops, this was meant to be committed with the pfctl.8 change:
sync usage() with SYNOPSIS;

Revision 1.340, Fri Apr 21 23:22:49 2017 UTC by yasuoka
Branch: MAIN
Changes since 1.339: +121 -1 lines

Add "key" modifier for -k so that pfctl can kill a state by specifying
the key of the state.

ok sasha

Revision 1.339, Mon Mar 27 17:38:09 2017 UTC by benno
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.338: +2 -2 lines

rather than printing the wrong function name, don't print it at all.
found by Klemens Nanni

Revision 1.338, Thu Jan 26 08:24:34 2017 UTC by benno
Branch: MAIN
Changes since 1.337: +25 -13 lines

Select the routing domain to be used for kill states by host or by
label, by adding a -V <rdomain> option.
written by Bertrand Provost, provost DOT bertrand AT gmail DOT com, thanks.
ok florian@, with feedback from florian and jmc.

Revision 1.337, Sat Sep 3 21:30:49 2016 UTC by jca
Branch: MAIN
Changes since 1.336: +3 -3 lines

err->errx, errno info is not related to the failure mode

ok mikeb@

Revision 1.336, Sat Sep 3 17:56:07 2016 UTC by sashan
Branch: MAIN
Changes since 1.335: +13 -14 lines

pfctl mixes up anchorname with anchorpath

OK mikeb@

Revision 1.335, Sat Sep 3 17:11:40 2016 UTC by sashan
Branch: MAIN
Changes since 1.334: +12 -2 lines

Let purge thread remove once rules, not packets.
Thanks mikeb@ for idea to add expire time.

OK mpi@, OK mikeb@

Revision 1.334, Thu Jan 14 12:05:51 2016 UTC by henning
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE, OPENBSD_6_0, OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.333: +11 -1 lines

detect multiple root queues on a single interface and give a nice error
message - beats "pfctl: DIOCXCOMMIT: Invalid argument".
from Nathanael Rensen <nathanael at list.polymorpheus.com>, 10x!
ok sthen phessler, commit reminder mikeb

Revision 1.333, Tue Jan 5 22:51:38 2016 UTC by benno
Branch: MAIN
Changes since 1.332: +2 -11 lines

remove long deprecated "set debug "none|urgent|misc|loud" levels in
pf.conf. Change this before upgrade or pf.conf won't load.
florian@ henning@ phessler@ jung@

Revision 1.332, Thu Dec 10 17:27:00 2015 UTC by mmcc
Branch: MAIN
Changes since 1.331: +2 -3 lines

Remove NULL-checks before free(). ok tb@

Revision 1.331, Fri Oct 2 15:32:17 2015 UTC by krw
Branch: MAIN
Changes since 1.330: +3 -1 lines

Make 'pfctl -s all' show queues. pfctl(8) says it does, and 5.4
pfctl(8) did for the old queues.

ok sashan@ sthen@

Revision 1.330, Fri Jun 12 16:10:43 2015 UTC by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8
Changes since 1.329: +7 -6 lines

Allow rule ID filter to be specified for show states output

Tweak pfctl to respect the rule ID parameter (-R) specified
along with the show states (-s states) option to filter out
states that are not associated with a given rule from the
output.

ok sthen, benno

Revision 1.329, Fri Jan 16 06:40:00 2015 UTC by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.328: +13 -13 lines

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible.  Annotate <sys/param.h> lines with their current reasons.  Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc.  Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution.  These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Revision 1.328, Wed Dec 10 13:59:29 2014 UTC by bluhm
Branch: MAIN
Changes since 1.327: +5 -3 lines

If pfctl cannot set a limit in the kernel, print the name of the
limit and the requested value.
OK henning@

Revision 1.327, Thu Nov 13 17:35:30 2014 UTC by pelikan
Branch: MAIN
Changes since 1.326: +26 -12 lines

keep queues around when anchors are being loaded

ok mikeb

Revision 1.326, Sat Aug 23 00:11:03 2014 UTC by pelikan
Branch: MAIN
Changes since 1.325: +18 -9 lines

when you specify queues in a rule, make sure they have been defined.

DIOCADDRULE EBUSY turns into an error message that pfctl -n catches.
DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported
to occur, possibly from hfsc.c: this should be fixed as well.

ok henning mikeb sthen

Revision 1.325, Sat Apr 19 14:22:32 2014 UTC by henning
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6
Changes since 1.324: +2 -95 lines

remove altq bits here, too
(i was convinced i committed that yesterday already, hrm)

Revision 1.324, Fri Apr 11 02:56:41 2014 UTC by jsg
Branch: MAIN
Changes since 1.323: +2 -1 lines

fix a use after free in an error path
ok henning@ mikeb@

Revision 1.323, Fri Feb 28 22:18:23 2014 UTC by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE, OPENBSD_5_5
Changes since 1.322: +39 -1 lines

Bring back the code removed in rev1.317 used to print anchors with
wildcard path ("ftp-proxy/*"), but make sure to call it after we're
done with the ruleset for the current anchor.  On one hand this
repairs printing content of such anchors and on the other it allows
to use a wildcard on the command line for anchors that were not
initially specified with a wildcard.  Makes pfctl regress happy
again.  OK henning, deraadt

Revision 1.322, Mon Feb 17 04:52:25 2014 UTC by lteo
Branch: MAIN
Changes since 1.321: +1 -2 lines

Remove a stray debug printf that crept in via one of the newqueue
commits.

ok henning@

Revision 1.321, Fri Nov 1 22:55:39 2013 UTC by pelikan
Branch: MAIN
Changes since 1.320: +2 -1 lines

keep net/hfsc.h away from userspace, except in pfctl

tested by naddy, ok deraadt

Revision 1.320, Thu Oct 17 19:59:54 2013 UTC by henning
Branch: MAIN
Changes since 1.319: +8 -3 lines

cannot have queue definitions inside anchors.
don't attempt to load them and err out if we run into one
ran into by Gregor Best <gbe@ring0.de>, analysis & fix yours truly

Revision 1.319 / (download) - annotate - [select for diffs], Sat Oct 12 12:16:11 2013 UTC (10 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.318: +208 -3 lines
Diff to previous 1.318 (colored)

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen

Revision 1.318 / (download) - annotate - [select for diffs], Wed Oct 9 02:59:27 2013 UTC (10 years, 8 months ago) by lteo
Branch: MAIN
Changes since 1.317: +5 -3 lines
Diff to previous 1.317 (colored)

Make sure that pfctl_state_store() frees the inbuf pointer and closes
the state file before returning.

ok henning

Revision 1.317 / (download) - annotate - [select for diffs], Mon Aug 12 17:42:08 2013 UTC (10 years, 9 months ago) by mikeb
Branch: MAIN
Changes since 1.316: +6 -48 lines
Diff to previous 1.316 (colored)

Remove duplicate and incorrect recursive anchor printing code
and instead rely on the one provided by the same function just
a few lines below.

ok lteo henning

Revision 1.316 / (download) - annotate - [select for diffs], Fri Aug 2 08:33:11 2013 UTC (10 years, 10 months ago) by mikeb
Branch: MAIN
Changes since 1.315: +1 -2 lines
Diff to previous 1.315 (colored)

Remove an incorrect call to pfctl_print_rule_counters when trying to
print out anchor rules recursively;  unbreaks pf1.loaded regress test.
ok lteo, henning

Revision 1.315 / (download) - annotate - [select for diffs], Thu Mar 21 00:54:33 2013 UTC (11 years, 2 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4
Changes since 1.314: +10 -3 lines
Diff to previous 1.314 (colored)

fetch NMBCLUSTERS at runtime from the sysctl kern.maxclusters
ok sthen

Revision 1.314 / (download) - annotate - [select for diffs], Wed Sep 19 15:52:17 2012 UTC (11 years, 8 months ago) by camield
Branch: MAIN
CVS Tags: OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.313: +2 -2 lines
Diff to previous 1.313 (colored)

Show which limit cannot be set.  idea mikeb

ok mikeb henning beck

Revision 1.313 / (download) - annotate - [select for diffs], Thu Jul 26 11:48:00 2012 UTC (11 years, 10 months ago) by mikeb
Branch: MAIN
Changes since 1.312: +2 -2 lines
Diff to previous 1.312 (colored)

load os passive fingerprints when testing the ruleset; ok henning

Revision 1.312 / (download) - annotate - [select for diffs], Mon May 7 11:55:34 2012 UTC (12 years, 1 month ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE, OPENBSD_5_2
Changes since 1.311: +14 -3 lines
Diff to previous 1.311 (colored)

fix printing of wildcard anchors, from lteo, ok phessler sthen me

Revision 1.311 / (download) - annotate - [select for diffs], Wed May 2 14:23:49 2012 UTC (12 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.310: +1 -3 lines
Diff to previous 1.310 (colored)

remove redundant check; from lteo; ok haesbaert

Revision 1.310 / (download) - annotate - [select for diffs], Wed Apr 18 14:42:17 2012 UTC (12 years, 1 month ago) by deraadt
Branch: MAIN
Changes since 1.309: +3 -3 lines
Diff to previous 1.309 (colored)

not (unsigned); ok henning

Revision 1.309 / (download) - annotate - [select for diffs], Sun Jan 15 15:59:33 2012 UTC (12 years, 4 months ago) by dhill
Branch: MAIN
CVS Tags: OPENBSD_5_1_BASE, OPENBSD_5_1
Changes since 1.308: +2 -2 lines
Diff to previous 1.308 (colored)

convert an snprintf to strlcpy

ok mikeb henning

Revision 1.308 / (download) - annotate - [select for diffs], Sat Dec 3 12:46:16 2011 UTC (12 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.307: +2 -4 lines
Diff to previous 1.307 (colored)

pfctl_set_hostid always returns 0; don't pretend otherwise and make it a
void function instead.

ok dlg

Revision 1.307 / (download) - annotate - [select for diffs], Sat Dec 3 12:44:56 2011 UTC (12 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.306: +2 -1 lines
Diff to previous 1.306 (colored)

Avoid loading garbage hostid and other values not always initialised,
by bzero()ing the 'struct pfsync' properly.

ok dlg mpf

Revision 1.306 / (download) - annotate - [select for diffs], Wed Nov 23 10:24:37 2011 UTC (12 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.305: +8 -6 lines
Diff to previous 1.305 (colored)

print ports as numbers by default; -P prints names instead
2/2 from Lawrence Teo <lteo at devio dot us>
ok sthen dlg and myself

Revision 1.305 / (download) - annotate - [select for diffs], Tue Nov 8 19:17:07 2011 UTC (12 years, 7 months ago) by mikeb
Branch: MAIN
Changes since 1.304: +2 -2 lines
Diff to previous 1.304 (colored)

Fixup skip step printout: rdomains come after direction;  ok mcbride, henning

Revision 1.304 / (download) - annotate - [select for diffs], Fri Jul 8 02:16:12 2011 UTC (12 years, 11 months ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_5_0_BASE, OPENBSD_5_0
Changes since 1.303: +3 -3 lines
Diff to previous 1.303 (colored)

Correctly print skip steps in -vv mode
- Did not include PF_SKIP_RDOM
- Changed order of address and ports.

Revision 1.303 / (download) - annotate - [select for diffs], Fri Oct 1 12:33:14 2010 UTC (13 years, 8 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_4_9_BASE, OPENBSD_4_9
Changes since 1.302: +37 -14 lines
Diff to previous 1.302 (colored)

Add the -R id option to pfctl that allows to show only a specified rule
by numeric ID in combination with the "-s rules" or "-s labels" options.
For example, this allows you to dump the statistics of a specified rule
only (pfctl -sr -v -R 0).

ok henning@

Revision 1.302 / (download) - annotate - [select for diffs], Thu Sep 2 14:01:04 2010 UTC (13 years, 9 months ago) by sobrado
Branch: MAIN
Changes since 1.301: +7 -7 lines
Diff to previous 1.301 (colored)

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@

Revision 1.301 / (download) - annotate - [select for diffs], Wed Aug 11 10:03:29 2010 UTC (13 years, 10 months ago) by jsg
Branch: MAIN
Changes since 1.300: +2 -2 lines
Diff to previous 1.300 (colored)

Fix a logic problem which could in theory cause pfctl
to recursively print anchors with wildcards when not
requested via the command line but in practice only
applied to automatically generated inline anchors
(which don't have wildcards) or when recursion
was requested.

Found by the clang static analyser and behaviour explained
by mcbride@

ok henning@ mcbride@

Revision 1.300 / (download) - annotate - [select for diffs], Sat Jul 3 02:28:57 2010 UTC (13 years, 11 months ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE, OPENBSD_4_8
Changes since 1.299: +92 -43 lines
Diff to previous 1.299 (colored)

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
  rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
  inline anchors.

tested by phessler
ok henning

Revision 1.299 / (download) - annotate - [select for diffs], Thu Jul 1 15:12:25 2010 UTC (13 years, 11 months ago) by stsp
Branch: MAIN
Changes since 1.298: +2 -2 lines
Diff to previous 1.298 (colored)

Fix 'pfctl -a anchor -Fa' segfault introduced in r1.298.
ok mcbride

Revision 1.298 / (download) - annotate - [select for diffs], Mon Jun 28 23:21:41 2010 UTC (13 years, 11 months ago) by mcbride
Branch: MAIN
Changes since 1.297: +27 -11 lines
Diff to previous 1.297 (colored)

Clean up interface stats handling:
- 'make -Fi' reset ALL the interface statistics
     can be restricted with -i ifname
- 'make -Fa -i ifname' fail (it's meaningless)
- get rid of a silly little struct that's only used for one thing

ok henning

Revision 1.297 / (download) - annotate - [select for diffs], Fri Jun 25 23:27:47 2010 UTC (13 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.296: +14 -28 lines
Diff to previous 1.296 (colored)

remove -m (merge).
it is violating the transactional model we have and made stronger in
pf, it is broken in some cases and since some options are passed to the
kernel while some are userland only and affect how the rules are
parsed it is complete bullshit anyway - obviously, changing options
that affect ruleset parsing without reloading and thus reparsing the
ruleset cannot work. so stop pretending it could and cut the crap.
ok dlg krw deraadt

Revision 1.296 / (download) - annotate - [select for diffs], Fri Apr 2 09:48:48 2010 UTC (14 years, 2 months ago) by sthen
Branch: MAIN
Changes since 1.295: +7 -4 lines
Diff to previous 1.295 (colored)

Use a dedicated variable to prevent attempting to open multiple
ALTQ transactions when anchors are loaded.

Fixes pfctl when using 'load anchor ... from' as seen by beck@
and Toni Mueller, which stopped working after r1.295 removed loadopt
(which was overloaded to do this job as well as indicate command-
line flags).

ok henning@

Revision 1.295 / (download) - annotate - [select for diffs], Tue Mar 23 13:31:29 2010 UTC (14 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.294: +20 -75 lines
Diff to previous 1.294 (colored)

remove -A, -O, -R and -T load
the partial loading of a ruleset (leaving anchors aside) is wrong and
conflicts with the general idea of how pf works. last but not least it breaks
with the optimizer generating tables automagically.
ok deraadt sthen krw manpage jmc

Revision 1.294 / (download) - annotate - [select for diffs], Mon Jan 18 23:52:46 2010 UTC (14 years, 4 months ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_4_7_BASE, OPENBSD_4_7
Changes since 1.293: +47 -45 lines
Diff to previous 1.293 (colored)

Convert pf debug logging to using log()/addlog(), a single standardised
definition of DPFPRINTF(), and log priorities from syslog.h. Old debug
levels will still work for now, but will eventually be phased out.

discussed with henning, ok dlg

Revision 1.293 / (download) - annotate - [select for diffs], Wed Jan 13 01:41:58 2010 UTC (14 years, 4 months ago) by jsg
Branch: MAIN
Changes since 1.292: +3 -1 lines
Diff to previous 1.292 (colored)

fix some leaks found by parfait
ok mcbride@ henning@

Revision 1.292 / (download) - annotate - [select for diffs], Tue Jan 12 03:20:51 2010 UTC (14 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.291: +1 -106 lines
Diff to previous 1.291 (colored)

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio

Revision 1.291 / (download) - annotate - [select for diffs], Thu Dec 10 15:57:20 2009 UTC (14 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.290: +4 -2 lines
Diff to previous 1.290 (colored)

plug some memory leaks; found by parfait, ok henning

Revision 1.290 / (download) - annotate - [select for diffs], Sun Nov 22 22:34:50 2009 UTC (14 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.289: +18 -27 lines
Diff to previous 1.289 (colored)

cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing

Revision 1.289 / (download) - annotate - [select for diffs], Wed Oct 28 20:11:01 2009 UTC (14 years, 7 months ago) by jsg
Branch: MAIN
Changes since 1.288: +9 -1 lines
Diff to previous 1.288 (colored)

Add a dedicated pf pool for route options as suggested by henning,
which unbreaks ie route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@

Revision 1.288 / (download) - annotate - [select for diffs], Tue Sep 29 12:54:14 2009 UTC (14 years, 8 months ago) by jmc
Branch: MAIN
Changes since 1.287: +2 -2 lines
Diff to previous 1.287 (colored)

sort usage();

Revision 1.287 / (download) - annotate - [select for diffs], Mon Sep 28 22:13:20 2009 UTC (14 years, 8 months ago) by dlg
Branch: MAIN
Changes since 1.286: +90 -5 lines
Diff to previous 1.286 (colored)

add -S and -L options to store and load the pf state table from a file.

inspired by the short reboot times on an rb600a provided by stephan
rickauer.
testing and bugfixing by sthen@
ok mcbride@ sthen@

Revision 1.286 / (download) - annotate - [select for diffs], Thu Sep 3 15:14:33 2009 UTC (14 years, 9 months ago) by jmc
Branch: MAIN
Changes since 1.285: +2 -2 lines
Diff to previous 1.285 (colored)

remove -N from usage();

Revision 1.285 / (download) - annotate - [select for diffs], Tue Sep 1 13:42:00 2009 UTC (14 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.284: +31 -107 lines
Diff to previous 1.284 (colored)

the diff theo calls me insanae for:
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too

Revision 1.284 / (download) - annotate - [select for diffs], Fri Aug 21 05:27:57 2009 UTC (14 years, 9 months ago) by ratchov
Branch: MAIN
Changes since 1.283: +2 -2 lines
Diff to previous 1.283 (colored)

remove the ``;'' at the end of INDENT() macro definition using
the ``do { ... } while (0)'' construct.
ok henning, from Frederic Culot <frederic _at_ culot.org>

Revision 1.283 / (download) - annotate - [select for diffs], Thu Jul 9 23:52:25 2009 UTC (14 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.282: +10 -3 lines
Diff to previous 1.282 (colored)

repair -x
since all this stuff is transactional now we need to wrap that into
DIOCXBEGIN/COMMIT.
bad henning forgot to commit this chunk at c2k9

Revision 1.282 / (download) - annotate - [select for diffs], Thu Apr 16 04:40:19 2009 UTC (15 years, 1 month ago) by david
Branch: MAIN
CVS Tags: OPENBSD_4_6_BASE, OPENBSD_4_6
Changes since 1.281: +5 -2 lines
Diff to previous 1.281 (colored)

Really turn fragment reassembly on by default.  pfctl must handle this
since the DIOCSETREASS ioctl is called on every ruleset load and was
overriding the initial setting in pfattach().  Fix setting of the global
no-df bitmask as well.
ok henning@

Revision 1.281 / (download) - annotate - [select for diffs], Mon Apr 6 12:05:55 2009 UTC (15 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.280: +42 -41 lines
Diff to previous 1.280 (colored)

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
	set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
	pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
	match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i.e.
	pass
	match
passes the packet, and
	block
	match
blocks it.
Every time (!) a match rule matches, i.e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
 means a single packet can get logged more than once (think multiple log
 interfaces with different receivers, like pflogd and spamlogd)

almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.

Revision 1.280 / (download) - annotate - [select for diffs], Mon Feb 23 06:58:30 2009 UTC (15 years, 3 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_4_5_BASE, OPENBSD_4_5
Changes since 1.279: +2 -1 lines
Diff to previous 1.279 (colored)

back out last commit since it breaks a few regress tests -- this will be
looked at post-release -- out of time for these kinds of problems
david@ says: pfopt6 and f91.ok; pfopt6 change looks ok, but pf91 is
of concern.

Revision 1.279 / (download) - annotate - [select for diffs], Mon Feb 16 23:53:59 2009 UTC (15 years, 3 months ago) by sthen
Branch: MAIN
Changes since 1.278: +2 -3 lines
Diff to previous 1.278 (colored)

fix pfctl -v printing of anchors, from camield@. Closes user/6065

Revision 1.278 / (download) - annotate - [select for diffs], Sun Aug 31 20:18:17 2008 UTC (15 years, 9 months ago) by jmc
Branch: MAIN
Changes since 1.277: +6 -5 lines
Diff to previous 1.277 (colored)

avoid line wrap in usage() output;

Revision 1.277 / (download) - annotate - [select for diffs], Thu Jul 24 10:52:43 2008 UTC (15 years, 10 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_4_4_BASE, OPENBSD_4_4
Changes since 1.276: +3 -2 lines
Diff to previous 1.276 (colored)

check sysctl return value
From: Gleydson Soares <gsoares@gmail.com>, ryan ok

Revision 1.276 / (download) - annotate - [select for diffs], Tue May 27 08:14:57 2008 UTC (16 years ago) by mcbride
Branch: MAIN
Changes since 1.275: +2 -2 lines
Diff to previous 1.275 (colored)

Fix count of states flushed, broken when the psnk_af hack was removed in pf_ioctl.c r1.196.

Revision 1.275 / (download) - annotate - [select for diffs], Fri May 9 13:59:31 2008 UTC (16 years, 1 month ago) by mpf
Branch: MAIN
Changes since 1.274: +80 -18 lines
Diff to previous 1.274 (colored)

Add support to kill states by rule label or state id.
Fix printing of the state id in pfctl -ss -vv.
Remove the psnk_af hack to return the number of killed states.
OK markus, beck. "I like it" henning, deraadt.
Manpage help from jmc.

Revision 1.274 / (download) - annotate - [select for diffs], Tue May 6 03:45:21 2008 UTC (16 years, 1 month ago) by mpf
Branch: MAIN
Changes since 1.273: +11 -20 lines
Diff to previous 1.273 (colored)

Add a counter to record how many states have been created by a rule.
It shows up in pfctl verbose mode and in the 7th field of the labels
output.  Also remove the label printing for scrub rules, as they
do not support labels.
OK dhartmei@ (on an earlier version), henning@, mcbride@

Revision 1.273 / (download) - annotate - [select for diffs], Wed Feb 13 19:55:12 2008 UTC (16 years, 3 months ago) by kettenis
Branch: MAIN
CVS Tags: OPENBSD_4_3_BASE, OPENBSD_4_3
Changes since 1.272: +5 -4 lines
Diff to previous 1.272 (colored)

Use HW_PHYSMEM64.

ok henning@

Revision 1.272 / (download) - annotate - [select for diffs], Tue Nov 27 16:22:13 2007 UTC (16 years, 6 months ago) by martynas
Branch: MAIN
Changes since 1.271: +2 -2 lines
Diff to previous 1.271 (colored)

typos;  ok jmc@
sys/dev/pci/pciide.c from naddy@

Revision 1.271 / (download) - annotate - [select for diffs], Wed Oct 24 13:07:38 2007 UTC (16 years, 7 months ago) by wilfried
Branch: MAIN
Changes since 1.270: +2 -2 lines
Diff to previous 1.270 (colored)

HW_PHYSMEM is unsigned

yuck & ok henning@

Revision 1.270 / (download) - annotate - [select for diffs], Mon Oct 15 02:16:35 2007 UTC (16 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.269: +3 -3 lines
Diff to previous 1.269 (colored)

specifying int instead of just unsigned is better style

Revision 1.269 / (download) - annotate - [select for diffs], Sat Oct 13 16:35:18 2007 UTC (16 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.268: +4 -24 lines
Diff to previous 1.268 (colored)

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex.  this also
brings the future potential for include support to all of the parsers.
in the future please do not silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.

Revision 1.268 / (download) - annotate - [select for diffs], Sat Jun 30 18:25:08 2007 UTC (16 years, 11 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_4_2_BASE, OPENBSD_4_2
Changes since 1.267: +3 -3 lines
Diff to previous 1.267 (colored)

allow states instead of just state for -s and -F for consistency's sake.
since only the first letter matters in the end and state still matches
states since we do strncmp this does not change existing behaviour and
just allows plural states to be used as well.
pt out by Tom Van Looy <tom@ctors.net>

Revision 1.267 / (download) - annotate - [select for diffs], Thu May 31 04:13:37 2007 UTC (17 years ago) by mcbride
Branch: MAIN
Changes since 1.266: +3 -3 lines
Diff to previous 1.266 (colored)

Cope with new ioctl interface (use pfsync_state instead of pf_state)

ok henning@ toby@ pyr@

Revision 1.266 / (download) - annotate - [select for diffs], Sat Apr 21 14:50:26 2007 UTC (17 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.265: +2 -2 lines
Diff to previous 1.265 (colored)

"o" in optiopt_list is superfluous now too

Revision 1.265 / (download) - annotate - [select for diffs], Sat Apr 21 14:49:45 2007 UTC (17 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.264: +7 -20 lines
Diff to previous 1.264 (colored)

fix -o handling. syntax is now -o none|basic|profile. -o without argument
is invalid now, it doesn't serve any purpose any more anyway since that is
the default. ok mcbride

Revision 1.264 / (download) - annotate - [select for diffs], Fri Apr 20 07:30:16 2007 UTC (17 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.263: +3 -3 lines
Diff to previous 1.263 (colored)

no whitespace allowed between -o and its argument, so update doc/usage()
to reflect this;

whilst there i had to wrap -t in Xo/Xc to stop line split,
and i zapped some extra whitespace in usage();

fixes user/5441 from sthen

Revision 1.263 / (download) - annotate - [select for diffs], Wed Mar 21 03:01:31 2007 UTC (17 years, 2 months ago) by mcbride
Branch: MAIN
Changes since 1.262: +2 -2 lines
Diff to previous 1.262 (colored)

Enable basic ruleset optimization by default.

ok deraadt henning

Revision 1.262 / (download) - annotate - [select for diffs], Thu Mar 1 17:20:53 2007 UTC (17 years, 3 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_4_1_BASE, OPENBSD_4_1
Changes since 1.261: +5 -5 lines
Diff to previous 1.261 (colored)

be more careful with mixing &/| with &&/||, ok otto

Revision 1.261 / (download) - annotate - [select for diffs], Fri Feb 23 21:31:52 2007 UTC (17 years, 3 months ago) by deraadt
Branch: MAIN
Changes since 1.260: +12 -1 lines
Diff to previous 1.260 (colored)

if machine has more than 100MB of physmem, default the max table entries
to 200,000 instead of the conservative 100,000; ok dhartmei beck
tested by ckuethe

Revision 1.260 / (download) - annotate - [select for diffs], Fri Feb 9 11:28:32 2007 UTC (17 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.259: +1 -12 lines
Diff to previous 1.259 (colored)

pfctl_clear_rule_counters() is not needed any more

Revision 1.259 / (download) - annotate - [select for diffs], Fri Feb 9 11:25:27 2007 UTC (17 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.258: +29 -20 lines
Diff to previous 1.258 (colored)

use DIOCGETRULE ioctl & action set to PF_GET_CLR_CNTR to clear counters
with -z instead of DIOCCLRRULECTRS. Unbreaks -z with anchors and makes the
read & reset operation atomic.
instrument pfctl_show_rules() to clear counters while reading rules and
add a new output format for it, showing nothing, if only resetting counters
without actually displaying them is requested. minor cleanups on the way.
ok dhartmei & agreement from theo and ryan

Revision 1.258 / (download) - annotate - [select for diffs], Thu Jan 18 20:45:55 2007 UTC (17 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.257: +3 -3 lines
Diff to previous 1.257 (colored)

implement -T expire.
"pfctl -t tablename -T expire 3600" would expire all entries in the given
table that are older than 3600 seconds. ok dhartmei, manpage help & ok jmc

Revision 1.257 / (download) - annotate - [select for diffs], Mon Nov 20 14:31:17 2006 UTC (17 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.256: +128 -7 lines
Diff to previous 1.256 (colored)

-K argument to kill source tracking nodes explicitly, behaves like the
-k argument for killing states; From Berk D. Demir <bdd@mindcast.org>

ok dhartmei henning

Revision 1.256 / (download) - annotate - [select for diffs], Tue Nov 7 06:16:56 2006 UTC (17 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.255: +4 -3 lines
Diff to previous 1.255 (colored)

Only try to recursively print rules if they are actually anchors.

Revision 1.255 / (download) - annotate - [select for diffs], Tue Nov 7 01:12:01 2006 UTC (17 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.254: +95 -31 lines
Diff to previous 1.254 (colored)

Unbreak authpf by handling non-inline anchors separately from the { } anchors
as pf_find_or_create_ruleset() will mangle relative anchor names and wildcards.
Also fixes some nits with nesting and printing inline anchors.

ok deraadt@

Revision 1.254 / (download) - annotate - [select for diffs], Sun Nov 5 07:19:30 2006 UTC (17 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.253: +13 -13 lines
Diff to previous 1.253 (colored)

Don't open a transaction for a ruleset unless it's a brace ruleset that
contains rules. Fixes DIOCXCOMMIT: Device busy when multiple anchors with
the same name are specified.

reported by ckuethe@ and mkb@crypt.org.ru

Revision 1.253 / (download) - annotate - [select for diffs], Wed Nov 1 12:27:26 2006 UTC (17 years, 7 months ago) by jmc
Branch: MAIN
Changes since 1.252: +7 -8 lines
Diff to previous 1.252 (colored)

sync usage(); ok mcbride

Revision 1.252 / (download) - annotate - [select for diffs], Wed Nov 1 03:39:24 2006 UTC (17 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.251: +2 -2 lines
Diff to previous 1.251 (colored)

Don't recurse ALL the time.

Revision 1.251 / (download) - annotate - [select for diffs], Tue Oct 31 23:46:24 2006 UTC (17 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.250: +38 -7 lines
Diff to previous 1.250 (colored)

Allow a user to recursively print anchors including those without
reserved names, if a trailing * is specified in the anchor name.
e.g. recursively print the main ruleset:

	pfctl -a '*' -sr

Recursively print the spam anchor:

	pfctl -a 'spam*'
	pfctl -a 'spam/*'

Also fix a bug which prevented the contents of inline anchors with
explicit names from being loaded into the kernel.

ok henning@

Revision 1.250 / (download) - annotate - [select for diffs], Tue Oct 31 14:17:45 2006 UTC (17 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.249: +50 -13 lines
Diff to previous 1.249 (colored)

Allow pfctl ruleset optimizer to be controlled from the ruleset.

"set" "ruleset-optimization" [ "none" | "basic" | "profile" ]

You can optionally control ruleset optimization with these keywords on the
command line with the -o option; the command line setting will override the
pf.conf setting. The existing -o/-oo flags continue to work as expected.

cleanup and ok henning@

Revision 1.249 / (download) - annotate - [select for diffs], Tue Oct 31 07:02:35 2006 UTC (17 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.248: +10 -2 lines
Diff to previous 1.248 (colored)

- don't allow anchors with _* names to be cleared or loaded from the
  command line (but they can still be viewed)
- don't allow users to specify _* as an anchor name in the ruleset
- don't print _* anchor names with pfctl -sA unless -v is specified

'looks sensible' deraadt@

Revision 1.248 / (download) - annotate - [select for diffs], Sat Oct 28 14:29:05 2006 UTC (17 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.247: +221 -123 lines
Diff to previous 1.247 (colored)

Load all rules into memory before loading into the kernel, and add support
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").

anchor on fxp0 {
	pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@

Revision 1.247 / (download) - annotate - [select for diffs], Fri Jun 30 16:52:27 2006 UTC (17 years, 11 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_4_0_BASE, OPENBSD_4_0
Changes since 1.246: +2 -2 lines
Diff to previous 1.246 (colored)

spaces

Revision 1.246 / (download) - annotate - [select for diffs], Sun May 28 02:45:45 2006 UTC (18 years ago) by mcbride
Branch: MAIN
Changes since 1.245: +18 -1 lines
Diff to previous 1.245 (colored)

Enable adaptive timeouts by default, with adaptive.start of 60% of the
state limit and adaptive.end of 120% of the state limit.
Explicitly setting the adaptive timeouts will override the default,
and it can be disabled by setting both adaptive.start and adaptive.end to 0.

ok henning@

Revision 1.245 / (download) - annotate - [select for diffs], Mon Apr 24 06:10:54 2006 UTC (18 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.244: +3 -2 lines
Diff to previous 1.244 (colored)

don't clear interface flags (set skip on) when -N/-F is used without -O,
from Jon Simola, ok henning@

Revision 1.244 / (download) - annotate - [select for diffs], Thu Nov 17 20:52:39 2005 UTC (18 years, 6 months ago) by dhartmei
Branch: MAIN
CVS Tags: OPENBSD_3_9_BASE, OPENBSD_3_9
Changes since 1.243: +19 -20 lines
Diff to previous 1.243 (colored)

for pfctl -f rules, open the file before resetting options. when opening
the file fails, produce only the error message and leave options
unchanged. reported by Tamas TEVESZ, ok deraadt@

Revision 1.243 / (download) - annotate - [select for diffs], Mon Jul 11 14:16:09 2005 UTC (18 years, 11 months ago) by dhartmei
Branch: MAIN
CVS Tags: OPENBSD_3_8_BASE, OPENBSD_3_8
Changes since 1.242: +2 -1 lines
Diff to previous 1.242 (colored)

clear PFI_IFLAG_SKIP when clearing interface flags, found by David Hill,
ok henning@

Revision 1.242 / (download) - annotate - [select for diffs], Mon Jun 13 20:17:25 2005 UTC (19 years ago) by henning
Branch: MAIN
Changes since 1.241: +23 -9 lines
Diff to previous 1.241 (colored)

make the packet and byte counters on rules and src nodes per direction,
matches the counters on states now. also fix the counting on scrub rules
where we previously did not handle the byte counters at all.
extend pfctl -sl output to include the new separate in/out counters
hacked on the ferry from Earls Cove to Saltery Bay
ok ryan

Revision 1.241 / (download) - annotate - [select for diffs], Mon Jun 13 19:26:06 2005 UTC (19 years ago) by jaredy
Branch: MAIN
Changes since 1.240: +11 -5 lines
Diff to previous 1.240 (colored)

free memory in show_src_nodes and show_states, as reported by
Henrik Gustafsson <openbsd@fnord.se> via tech@.

ok henning

Revision 1.240 / (download) - annotate - [select for diffs], Sat May 28 01:48:23 2005 UTC (19 years ago) by dhartmei
Branch: MAIN
Changes since 1.239: +4 -3 lines
Diff to previous 1.239 (colored)

don't print the "[ Inserted: uid pid ]" line when -g is used, so the
regress tests don't have to deal with it (and it's a useless thing to
check from there).

Revision 1.239 / (download) - annotate - [select for diffs], Fri May 27 17:22:40 2005 UTC (19 years ago) by dhartmei
Branch: MAIN
Changes since 1.238: +5 -2 lines
Diff to previous 1.238 (colored)

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v are used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.

Revision 1.238 / (download) - annotate - [select for diffs], Mon May 23 23:28:53 2005 UTC (19 years ago) by dhartmei
Branch: MAIN
Changes since 1.237: +14 -10 lines
Diff to previous 1.237 (colored)

change pool allocation of table entries, no longer use the oldnointr
allocator and two pools, but PR_WAITOK when called from non-interrupt
context (ioctl). add configurable hard limits for tables and table
entries (set limit tables/table-entries), defaulting to 1000/100000.
ok aaron@, henning@, mcbride@, art@

Revision 1.237 / (download) - annotate - [select for diffs], Sun May 22 21:05:23 2005 UTC (19 years ago) by mpf
Branch: MAIN
Changes since 1.236: +59 -4 lines
Diff to previous 1.236 (colored)

Add support to kill states that match networks.
man page from jmc@
OK dhartmei@

Revision 1.236 / (download) - annotate - [select for diffs], Sat May 21 21:03:58 2005 UTC (19 years ago) by henning
Branch: MAIN
Changes since 1.235: +1 -2 lines
Diff to previous 1.235 (colored)

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo

Revision 1.235 / (download) - annotate - [select for diffs], Thu May 5 04:00:26 2005 UTC (19 years, 1 month ago) by joel
Branch: MAIN
Changes since 1.234: +2 -2 lines
Diff to previous 1.234 (colored)

typo

Revision 1.234 / (download) - annotate - [select for diffs], Mon Mar 7 13:52:50 2005 UTC (19 years, 3 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_3_7_BASE, OPENBSD_3_7
Changes since 1.233: +9 -3 lines
Diff to previous 1.233 (colored)

fd leaks in error paths, From: Andrey Matveev <andrushock@korovino.net>

Revision 1.233 / (download) - annotate - [select for diffs], Sun Mar 6 02:40:08 2005 UTC (19 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.232: +1 -6 lines
Diff to previous 1.232 (colored)

print "set skip on" with -v in such a way that the output is valid input
syntax, instead of the cryptic hex flags output.

Revision 1.232 / (download) - annotate - [select for diffs], Thu Jan 6 08:30:22 2005 UTC (19 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.231: +3 -2 lines
Diff to previous 1.231 (colored)

Missing braces in pfctl_load_debug(), pointed out by camield@

Revision 1.231 / (download) - annotate - [select for diffs], Wed Jan 5 18:23:10 2005 UTC (19 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.230: +184 -52 lines
Diff to previous 1.230 (colored)

Modify pfctl behaviour so that 'set ...' options are no longer "sticky", ie.
they are reset to default values if omitted from a subsequent ruleset load.
Also:
- make sure 'set ...' options are not loaded in anchors.
- add a -m ("merge") flag to pfctl which allows an individual option to be set
  without resetting the others, eg:
   # echo "set loginterface fxp0" | pfctl -mf -

ok henning@ dhartmei@

Revision 1.230 / (download) - annotate - [select for diffs], Wed Dec 29 15:09:30 2004 UTC (19 years, 5 months ago) by danh
Branch: MAIN
Changes since 1.229: +10 -9 lines
Diff to previous 1.229 (colored)

change last commit so that the test for PF_OPT_NOACTION is actually in
pfctl_clear_interface_flags().

suggested by and ok henning@

Revision 1.229 / (download) - annotate - [select for diffs], Wed Dec 29 14:21:01 2004 UTC (19 years, 5 months ago) by danh
Branch: MAIN
Changes since 1.228: +3 -2 lines
Diff to previous 1.228 (colored)

don't clear interface flags if '-n' option was given.

ok henning@

Revision 1.228 / (download) - annotate - [select for diffs], Wed Dec 29 10:54:01 2004 UTC (19 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.227: +2 -2 lines
Diff to previous 1.227 (colored)

be quiet about resetting the interface flags on ruleset load, only
print that info on manual flushes. noticed by marc@

Revision 1.227 / (download) - annotate - [select for diffs], Tue Dec 28 18:12:14 2004 UTC (19 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.226: +22 -1 lines
Diff to previous 1.226 (colored)

reset skip interface flags on reloads and for -Fall
from max, this time working :)

Revision 1.226 / (download) - annotate - [select for diffs], Mon Dec 27 15:47:07 2004 UTC (19 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.225: +0 -6 lines
Diff to previous 1.225 (colored)

unbreak tree

Revision 1.225 / (download) - annotate - [select for diffs], Mon Dec 27 13:35:57 2004 UTC (19 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.224: +7 -1 lines
Diff to previous 1.224 (colored)

reset skip interface flags on reloads and for -Fall
from max

Revision 1.224 / (download) - annotate - [select for diffs], Wed Dec 22 17:17:55 2004 UTC (19 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.223: +34 -1 lines
Diff to previous 1.223 (colored)

Introduce 'set skip on <ifspec>' to support a list of interfaces where no
packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@

Revision 1.223 / (download) - annotate - [select for diffs], Tue Sep 21 16:59:11 2004 UTC (19 years, 8 months ago) by aaron
Branch: MAIN
Changes since 1.222: +2 -1 lines
Diff to previous 1.222 (colored)

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}".  henning@, dhartmei@ ok

Revision 1.222 / (download) - annotate - [select for diffs], Thu Aug 26 16:35:36 2004 UTC (19 years, 9 months ago) by jaredy
Branch: MAIN
CVS Tags: OPENBSD_3_6_BASE, OPENBSD_3_6
Changes since 1.221: +4 -5 lines
Diff to previous 1.221 (colored)

sync usage for -a

reminded by jmc, ok deraadt

Revision 1.221 / (download) - annotate - [select for diffs], Sun Aug 8 19:04:25 2004 UTC (19 years, 10 months ago) by deraadt
Branch: MAIN
Changes since 1.220: +2 -2 lines
Diff to previous 1.220 (colored)

spacing

Revision 1.220 / (download) - annotate - [select for diffs], Fri Jul 23 10:20:42 2004 UTC (19 years, 10 months ago) by jmc
Branch: MAIN
Changes since 1.219: +6 -5 lines
Diff to previous 1.219 (colored)

- make SYNOPSIS and usage() clear that -t precedes -T;
spotted by Tamas Tevesh, via dhartmei@;

also, add -o to usage(), and note that /ruleset is now the correct syntax,
not :ruleset;

ok dhartmei@

Revision 1.219 / (download) - annotate - [select for diffs], Mon Jul 19 22:04:00 2004 UTC (19 years, 10 months ago) by dlg
Branch: MAIN
Changes since 1.218: +3 -2 lines
Diff to previous 1.218 (colored)

print the correct labels when displaying timeouts with pfctl (eg, pfctl -st).
From Chris Pascoe.

ok dhartmei@

Revision 1.218 / (download) - annotate - [select for diffs], Fri Jul 16 23:44:24 2004 UTC (19 years, 10 months ago) by frantzen
Branch: MAIN
Changes since 1.217: +47 -2 lines
Diff to previous 1.217 (colored)

'pfctl -o' ruleset optimizer that doesn't change the meaning of the final ruleset
- remove identical and subsetted rules
- when advantageous merge rules w/ similar addresses into a table and one rule
- re-order rules to improve skip step performance (can do better w/ kernel mods)
- 'pfctl -oo' will load the currently running ruleset and use it as a profile
to direct the optimization of quicked rules
ok henning@ mcbride@.  man page help from jmc@

Revision 1.217 / (download) - annotate - [select for diffs], Fri May 21 23:10:48 2004 UTC (20 years ago) by dhartmei
Branch: MAIN
Changes since 1.216: +2 -2 lines
Diff to previous 1.216 (colored)

Use '/' instead of ':' as separator for anchor path components. Note that
the parser now needs quotes around paths containing separators.
ok mcbride@

Revision 1.216 / (download) - annotate - [select for diffs], Wed May 19 17:50:51 2004 UTC (20 years ago) by dhartmei
Branch: MAIN
Changes since 1.215: +92 -255 lines
Diff to previous 1.215 (colored)

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@

Revision 1.215 / (download) - annotate - [select for diffs], Wed May 5 23:16:03 2004 UTC (20 years, 1 month ago) by frantzen
Branch: MAIN
Changes since 1.214: +5 -1 lines
Diff to previous 1.214 (colored)

Use RFC1323 PAWS timestamps as a logical extension to the conventional TCP
sequence numbers by taking advantage of the maximum 1KHz clock as an upper bound
on the timestamp.  Typically gains 10 to 18 bits of additional security against
blind data insertion attacks.  More if the TS Echo wasn't optional :-(
Enabled with:  scrub on !lo0 all reassemble tcp
ok dhartmei@.  documentation help from jmc@

Revision 1.214 / (download) - annotate - [select for diffs], Fri Apr 9 12:42:06 2004 UTC (20 years, 2 months ago) by cedric
Branch: MAIN
Changes since 1.213: +24 -2 lines
Diff to previous 1.213 (colored)

Do not try to load directories. found+ok mpech@

Revision 1.213 / (download) - annotate - [select for diffs], Sat Mar 20 09:31:42 2004 UTC (20 years, 2 months ago) by david
Branch: MAIN
CVS Tags: OPENBSD_3_5_BASE, OPENBSD_3_5
Changes since 1.212: +2 -2 lines
Diff to previous 1.212 (colored)

make pfctl -s osfp work and remove -o option from manpage; ok deraadt@
pointed out by David Hill <davidh at wmis dot net>

Revision 1.212 / (download) - annotate - [select for diffs], Mon Mar 15 15:25:44 2004 UTC (20 years, 2 months ago) by dhartmei
Branch: MAIN
Changes since 1.211: +10 -7 lines
Diff to previous 1.211 (colored)

cast %llu arguments to unsigned long long, from Max Laier,
ok henning@ cedric@

Revision 1.211 / (download) - annotate - [select for diffs], Wed Mar 3 02:00:23 2004 UTC (20 years, 3 months ago) by deraadt
Branch: MAIN
Changes since 1.210: +3 -3 lines
Diff to previous 1.210 (colored)

no newline in errx, bad cedric; spotted by tedu

Revision 1.210 / (download) - annotate - [select for diffs], Fri Feb 27 10:42:00 2004 UTC (20 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.209: +1 -2 lines
Diff to previous 1.209 (colored)

make pfctl -s all a bit more useful again by not printing a lllooooooottttt of
OS fingerprints and a list of interface drivers...
cedric deraadt ok

Revision 1.209 / (download) - annotate - [select for diffs], Thu Feb 26 15:43:51 2004 UTC (20 years, 3 months ago) by cedric
Branch: MAIN
Changes since 1.208: +10 -19 lines
Diff to previous 1.208 (colored)

Fix/Simplify printing of titles with "pfctl -s all". ok mcbride@

Revision 1.208 / (download) - annotate - [select for diffs], Wed Feb 25 10:09:40 2004 UTC (20 years, 3 months ago) by cedric
Branch: MAIN
Changes since 1.207: +8 -6 lines
Diff to previous 1.207 (colored)

Don't clear global stuff when an anchor is given in addition to -Fa.
Ok mcbride@ pb@

Revision 1.207 / (download) - annotate - [select for diffs], Thu Feb 19 21:37:01 2004 UTC (20 years, 3 months ago) by cedric
Branch: MAIN
Changes since 1.206: +17 -14 lines
Diff to previous 1.206 (colored)

Makes pfctl -ss and pfctl -sq use the optional -i argument.
ok dhartmei@ markus@ mcbride@

Revision 1.206 / (download) - annotate - [select for diffs], Thu Feb 19 21:29:51 2004 UTC (20 years, 3 months ago) by cedric
Branch: MAIN
Changes since 1.205: +20 -10 lines
Diff to previous 1.205 (colored)

Makes pfctl -Fs and pfctl -w work with the optional -i specifier.
Kernel/Userland Sync needed. ok dhartmei@ jmc@ markus@ mcbride@

Revision 1.205 / (download) - annotate - [select for diffs], Tue Feb 17 08:48:29 2004 UTC (20 years, 3 months ago) by cedric
Branch: MAIN
Changes since 1.204: +12 -8 lines
Diff to previous 1.204 (colored)

add -i flag, use it for -sI as a start. ok henning@, ok+test mcbride@

Revision 1.204 / (download) - annotate - [select for diffs], Thu Feb 12 11:03:45 2004 UTC (20 years, 4 months ago) by jmc
Branch: MAIN
Changes since 1.203: +5 -5 lines
Diff to previous 1.203 (colored)

- sort SYNOPSIS and options list
- add -p to SYNOPSIS
- uppercase start of sentence
- sync usage() w/ SYNOPSIS

Revision 1.203 / (download) - annotate - [select for diffs], Thu Feb 12 02:05:32 2004 UTC (20 years, 4 months ago) by beck
Branch: MAIN
Changes since 1.202: +13 -7 lines
Diff to previous 1.202 (colored)

add -p flag to specify the device - ok mcbride@, henning@ with no objections
from deraadt@

Revision 1.202 / (download) - annotate - [select for diffs], Tue Feb 10 22:26:55 2004 UTC (20 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.201: +8 -8 lines
Diff to previous 1.201 (colored)

KNF

Revision 1.201 / (download) - annotate - [select for diffs], Tue Feb 10 17:53:37 2004 UTC (20 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.200: +3 -2 lines
Diff to previous 1.200 (colored)

KNF

Revision 1.200 / (download) - annotate - [select for diffs], Wed Feb 4 10:43:18 2004 UTC (20 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.199: +4 -3 lines
Diff to previous 1.199 (colored)

Fix a number of bugs with setting pool limits which I introduced with
source-tracking. Found by Pyun YongHyeon.
Also add support to pfctl to set the src-nodes pool limit.

"Luckily" some of the bugs cancel each other out; update kernel before
pfctl.

ok dhartmei@

Revision 1.199 / (download) - annotate - [select for diffs], Thu Jan 29 01:25:13 2004 UTC (20 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.198: +66 -11 lines
Diff to previous 1.198 (colored)

Clean up 'pfctl -s all' output.

ok deraadt@ henning@

Revision 1.198 / (download) - annotate - [select for diffs], Wed Dec 31 22:14:41 2003 UTC (20 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.197: +2 -2 lines
Diff to previous 1.197 (colored)

spacing.  note this, cedric

Revision 1.197 / (download) - annotate - [select for diffs], Wed Dec 31 11:18:24 2003 UTC (20 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.196: +14 -13 lines
Diff to previous 1.196 (colored)

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@

Revision 1.196 / (download) - annotate - [select for diffs], Fri Dec 19 16:12:43 2003 UTC (20 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.195: +2 -1 lines
Diff to previous 1.195 (colored)

i wrote much of these, assert my copyright

Revision 1.195 / (download) - annotate - [select for diffs], Tue Dec 16 00:32:59 2003 UTC (20 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.194: +2 -2 lines
Diff to previous 1.194 (colored)

hostid is stored in network byte order, print in host byte order.

Revision 1.194 / (download) - annotate - [select for diffs], Mon Dec 15 07:11:30 2003 UTC (20 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.193: +19 -1 lines
Diff to previous 1.193 (colored)

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
  added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
  be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
  packets on pfsync no longer contain regular pf_state structs,
  but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@

Revision 1.193 / (download) - annotate - [select for diffs], Mon Dec 15 00:02:03 2003 UTC (20 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.192: +70 -9 lines
Diff to previous 1.192 (colored)

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
  translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@

Revision 1.192 / (download) - annotate - [select for diffs], Fri Nov 14 13:51:09 2003 UTC (20 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.191: +32 -1 lines
Diff to previous 1.191 (colored)

allow the debuglevel to be set from pf.conf (set debug)

ok cedric@

Revision 1.191 / (download) - annotate - [select for diffs], Thu Nov 6 15:01:30 2003 UTC (20 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.190: +3 -3 lines
Diff to previous 1.190 (colored)

KNF

Revision 1.190 / (download) - annotate - [select for diffs], Thu Oct 2 17:01:16 2003 UTC (20 years, 8 months ago) by mcbride
Branch: MAIN
Changes since 1.189: +5 -4 lines
Diff to previous 1.189 (colored)

clean up p = realloc(p

ok deraadt@ henning@

Revision 1.189 / (download) - annotate - [select for diffs], Fri Sep 26 21:44:09 2003 UTC (20 years, 8 months ago) by cedric
Branch: MAIN
Changes since 1.188: +105 -126 lines
Diff to previous 1.188 (colored)

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:

   - Anchors/Rulesets cannot disappear unexpectedly anymore.
   - No more leftover in the kernel if "pfctl -f" fails.
   - Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

   - DIOCBEGINRULES
   - DIOCCOMMITRULES
   - DIOCBEGINALTQS
   - DIOCCOMMITALTQS
   - DIOCRINABEGIN
   - DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

   - DIOCXBEGIN
   - DIOCXCOMMIT
   - DIOCXROLLBACK

Ok dhartmei@ mcbride@

Revision 1.188 / (download) - annotate - [select for diffs], Fri Aug 29 21:47:36 2003 UTC (20 years, 9 months ago) by cedric
Branch: MAIN
CVS Tags: OPENBSD_3_4_BASE, OPENBSD_3_4
Changes since 1.187: +6 -2 lines
Diff to previous 1.187 (colored)

Document interactions between tables and anchors.
Add a warning on global/anchor name clashes to help prevent mistakes from our
users during the 3.3 -> 3.4 switch.
ok henning@

Revision 1.187 / (download) - annotate - [select for diffs], Fri Aug 22 17:24:27 2003 UTC (20 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.186: +5 -4 lines
Diff to previous 1.186 (colored)

move pfctl_file_fingerprints() call, table commands can use -f themselves
(like pfctl -t spammers -vvTt -f file, causing EPERM on DIOCOSFPFLUSH).

Revision 1.186 / (download) - annotate - [select for diffs], Thu Aug 21 19:12:08 2003 UTC (20 years, 9 months ago) by frantzen
Branch: MAIN
Changes since 1.185: +27 -4 lines
Diff to previous 1.185 (colored)

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
	block proto tcp from any os SCO
	block proto tcp from any os Windows to any port smtp
	rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001

Revision 1.185 / (download) - annotate - [select for diffs], Mon Aug 4 17:29:44 2003 UTC (20 years, 10 months ago) by dhartmei
Branch: MAIN
Changes since 1.184: +8 -3 lines
Diff to previous 1.184 (colored)

Not every suggested patch is perfect :)

ERRX() has two effects: the message printing and goto _error; which causes
exit(1). While we don't want the message if pfctl was invoked with -n, we
DO want to abort. Otherwise subsequent 'load anchor' statements will get
executed, for instance, and the return value is handy for scripts.

Revision 1.184 / (download) - annotate - [select for diffs], Mon Aug 4 12:17:01 2003 UTC (20 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.183: +2 -2 lines
Diff to previous 1.183 (colored)

don't whine about "cannot load ruleset" when ruleset load wasn't desired
(with pfctl -n)
Jared Yanovich <phirerunner@comcast.net>

Revision 1.183 / (download) - annotate - [select for diffs], Thu Jul 31 22:25:54 2003 UTC (20 years, 10 months ago) by cedric
Branch: MAIN
Changes since 1.182: +11 -4 lines
Diff to previous 1.182 (colored)

Make table tickets per-ruleset instead of global.
Make table tickets u_int32_t for consistency with other parts of PF.
Ok dhartmei@ henning@

Revision 1.182 / (download) - annotate - [select for diffs], Fri Jul 18 06:30:07 2003 UTC (20 years, 10 months ago) by cedric
Branch: MAIN
Changes since 1.181: +25 -34 lines
Diff to previous 1.181 (colored)

Simplify handling of flags (-R, -N...). Remove PFCTL_FLAG_ALL.
ok dhartmei@

Revision 1.181 / (download) - annotate - [select for diffs], Fri Jul 11 08:29:34 2003 UTC (20 years, 11 months ago) by cedric
Branch: MAIN
Changes since 1.180: +2 -6 lines
Diff to previous 1.180 (colored)

Better parsing and -v support for tables:

  - remove the tableaddrs and tableaddr yacc production and reuse
    host_list instead.
  - produce better error messages.
  - do not load addresses from external file when it is not
    required (like with -R option).
  - store initializers in a new node_tinit linked list before
    putting them into the address buffer (see next point).
  - add a new print_tabledef() function, which makes "pfctl -nvf"
    print something useful for table definitions, which in turn
    makes it possible to write better regress tests (see first chunk
    of the diff) and bring table definition consistent with other
    parsed rules.

ok dhartmei@

Revision 1.180 / (download) - annotate - [select for diffs], Thu Jul 3 21:09:13 2003 UTC (20 years, 11 months ago) by cedric
Branch: MAIN
Changes since 1.179: +36 -20 lines
Diff to previous 1.179 (colored)

Bye bye atexit(), bye bye globals...
The pfctl.c part will probably need some further improvements.
ok henning@

Revision 1.179 / (download) - annotate - [select for diffs], Thu Jul 3 09:13:06 2003 UTC (20 years, 11 months ago) by cedric
Branch: MAIN
Changes since 1.178: +5 -1 lines
Diff to previous 1.178 (colored)

This patch finally cleans up pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@

Revision 1.178 / (download) - annotate - [select for diffs], Sun Jun 29 12:22:39 2003 UTC (20 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.177: +1 -8 lines
Diff to previous 1.177 (colored)

Replace assert(3) calls with warnx(3), if the warning is relevant at all.

Revision 1.177 / (download) - annotate - [select for diffs], Fri Jun 13 12:10:42 2003 UTC (21 years ago) by cedric
Branch: MAIN
Changes since 1.176: +5 -3 lines
Diff to previous 1.176 (colored)

Make "show Anchor" obey quiet flag.
ok henning@

Revision 1.176 / (download) - annotate - [select for diffs], Tue Jun 3 12:18:57 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.175: +46 -46 lines
Diff to previous 1.175 (colored)

process show options before ruleset reload

Revision 1.175 / (download) - annotate - [select for diffs], Mon May 19 02:32:47 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.174: +5 -19 lines
Diff to previous 1.174 (colored)

don't print altq en-/disabled - there's no point, you can't turn them on
and off independently. so only complain if there's a real error.

ok dhartmei@ pb@ camield@

Revision 1.174 / (download) - annotate - [select for diffs], Mon May 19 00:54:19 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.173: +10 -10 lines
Diff to previous 1.173 (colored)

style consistency

Revision 1.173 / (download) - annotate - [select for diffs], Sun May 18 20:25:15 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.172: +5 -5 lines
Diff to previous 1.172 (colored)

in the pfctl -vsr output (-vvsr/-gvvsr as well), indent instead of extra
newline. requested by markus@, dhartmei and myself agree

Revision 1.172 / (download) - annotate - [select for diffs], Sat May 17 02:46:22 2003 UTC (21 years ago) by mcbride
Branch: MAIN
Changes since 1.171: +2 -2 lines
Diff to previous 1.171 (colored)

A little bugfix. We want pfioc_states, not pfioc_state.

ok henning@

Revision 1.171 / (download) - annotate - [select for diffs], Mon May 12 01:25:31 2003 UTC (21 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.170: +7 -2 lines
Diff to previous 1.170 (colored)

Adaptive timeout value scaling. Allows reducing timeout values as the
number of state table entries grows, so entries time out faster before
the table fills up. Works both globally and per-rule. ok frantzen@

Revision 1.170 / (download) - annotate - [select for diffs], Sat May 10 00:45:24 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.169: +7 -2 lines
Diff to previous 1.169 (colored)

support loading of anchors from within the main ruleset via
load anchor anchorname:rulesetname file /path/to/file

ok pb@ dhartmei@ cedric@

Revision 1.169 / (download) - annotate - [select for diffs], Wed Apr 30 13:22:26 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.168: +50 -48 lines
Diff to previous 1.168 (colored)

kill globals anchorname and rulesetname; have them in main instead and pass
to the functions that need them. makes the code easier and cleaner in some
places and will be needed for other things to come soon

ok cedric@

Revision 1.168 / (download) - annotate - [select for diffs], Wed Apr 30 12:30:27 2003 UTC (21 years, 1 month ago) by cedric
Branch: MAIN
Changes since 1.167: +24 -16 lines
Diff to previous 1.167 (colored)

Allow tables to be loaded into anchors.
Most pfctl table commands (excluding 'show' and 'flush') support the "-a"
modifier.
ok dhartmei@

Revision 1.167 / (download) - annotate - [select for diffs], Thu Apr 3 15:52:24 2003 UTC (21 years, 2 months ago) by cedric
Branch: MAIN
Changes since 1.166: +20 -54 lines
Diff to previous 1.166 (colored)

Simplify pfctl printing code.
ok dhartmei@ henning@

Revision 1.166 / (download) - annotate - [select for diffs], Wed Apr 2 22:31:06 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.165: +3 -3 lines
Diff to previous 1.165 (colored)

no \n w/ errx(3), reminded by andrushock

Revision 1.165 / (download) - annotate - [select for diffs], Wed Apr 2 14:09:20 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.164: +5 -6 lines
Diff to previous 1.164 (colored)

better error handling

Revision 1.164 / (download) - annotate - [select for diffs], Wed Apr 2 14:07:38 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.163: +3 -3 lines
Diff to previous 1.163 (colored)

better error message

Revision 1.163 / (download) - annotate - [select for diffs], Thu Mar 27 20:21:34 2003 UTC (21 years, 2 months ago) by dhartmei
Branch: MAIN
Changes since 1.162: +9 -9 lines
Diff to previous 1.162 (colored)

minor tweaks from Andrey Matveev, ok henning@ and cedric@

Revision 1.162 / (download) - annotate - [select for diffs], Thu Mar 27 18:01:57 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.161: +12 -12 lines
Diff to previous 1.161 (colored)

lotsa const char *
from David Hill <david at phobia.ms> a while ago

Revision 1.161 / (download) - annotate - [select for diffs], Tue Mar 11 13:20:17 2003 UTC (21 years, 3 months ago) by dhartmei
Branch: MAIN
CVS Tags: OPENBSD_3_3_BASE, OPENBSD_3_3
Changes since 1.160: +68 -16 lines
Diff to previous 1.160 (colored)

On pfctl -a foo -Fn/-Fr, traverse all subrulesets in the anchor and
clear nat/rules, like -sn/-sr already does.
Reported by Julien Bordet. ok henning@, cedric@

Revision 1.160 / (download) - annotate - [select for diffs], Tue Mar 11 11:53:28 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.159: +2 -2 lines
Diff to previous 1.159 (colored)

fix format strings in debugging output, qid is unsigned

ok cedric@ mcbride@

Revision 1.159 / (download) - annotate - [select for diffs], Mon Mar 10 13:28:00 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.158: +3 -9 lines
Diff to previous 1.158 (colored)

it doesn't make sense to mimic pfctl -vsr output in pfctl -vsl (same for
-vvsr ./. -vvsl). this resulted in more or less garbage in pfctl -vsl and
-vvsl output.
so ignore the extra verbosity flags for -sl.

found by pb@
ok pb@ dhartmei@

Revision 1.158 / (download) - annotate - [select for diffs], Sat Mar 8 14:26:31 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.157: +6 -4 lines
Diff to previous 1.157 (colored)

include queue internals in -gsr and -gsq output; will make debugging easier.

ok cedric@ pb@

Revision 1.157 / (download) - annotate - [select for diffs], Fri Mar 7 12:55:37 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.156: +12 -10 lines
Diff to previous 1.156 (colored)

don't include debugging output, namely, the result of the skip steps
calculation, in verbose output (pfctl -vvsr). Instead, use a new flag -g for
that.

result of a longer discussion with dhartmei@ and jakob@

ok cedric@ pb@

Revision 1.156 / (download) - annotate - [select for diffs], Thu Feb 20 22:09:27 2003 UTC (21 years, 3 months ago) by deraadt
Branch: MAIN
Changes since 1.155: +2 -2 lines
Diff to previous 1.155 (colored)

extra plurals; openbsd@davidkrause.com

Revision 1.155 / (download) - annotate - [select for diffs], Thu Feb 20 11:08:06 2003 UTC (21 years, 3 months ago) by cedric
Branch: MAIN
Changes since 1.154: +2 -2 lines
Diff to previous 1.154 (colored)

Fix table syntax documentation, from David Krause.

Revision 1.154 / (download) - annotate - [select for diffs], Wed Feb 19 21:50:16 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.153: +5 -6 lines
Diff to previous 1.153 (colored)

cmdline options in alphabetical order in usage() and manpage; and sync them

from krause

Revision 1.153 / (download) - annotate - [select for diffs], Tue Feb 18 21:59:34 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.152: +82 -63 lines
Diff to previous 1.152 (colored)

fix load option handling (-A, -N, -R) for options.
due to a bug in the loadopt check, options were always loaded no matter which
loadopts were specified.
while being there, move the prints for that to where they belong, into the
appropriate pfctl_set_* functions, and thus only print when the options are
actually loaded.
fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier.

ok dhartmei@

Revision 1.152 / (download) - annotate - [select for diffs], Mon Feb 17 15:33:07 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.151: +1 -2 lines
Diff to previous 1.151 (colored)

pfctl_clear_pool doesn't need to be prototyped twice either

Revision 1.151 / (download) - annotate - [select for diffs], Mon Feb 17 15:11:29 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.150: +1 -2 lines
Diff to previous 1.150 (colored)

no need to prototype pfctl_add_pool twice

Revision 1.150 / (download) - annotate - [select for diffs], Mon Feb 17 06:58:27 2003 UTC (21 years, 3 months ago) by mpech
Branch: MAIN
Changes since 1.149: +2 -2 lines
Diff to previous 1.149 (colored)

We want err() after failed ioctl() here too.

mcbride@, dhartmei@ ok

Revision 1.149 / (download) - annotate - [select for diffs], Fri Feb 14 17:17:27 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.148: +2 -2 lines
Diff to previous 1.148 (colored)

remove explicit table creation ( -T create ), it's useless.

ok pb@ mcbride@ deraadt@

Revision 1.148 / (download) - annotate - [select for diffs], Tue Feb 11 20:11:36 2003 UTC (21 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.147: +9 -3 lines
Diff to previous 1.147 (colored)

allow macro definition on the command line:
pfctl -Dextif=wi0 -f /etc/pf.conf
command line macro definitions override the ones made in the file (idea
theo), very handy if your notebook has another NIC at some conference, as
well as for debugging etc.
idea rezine@mistrusted.net via pb@
hacked live at FOSDEM

ok pb@ dhartmei@ cedric@

Revision 1.147 / (download) - annotate - [select for diffs], Wed Feb 5 11:18:45 2003 UTC (21 years, 4 months ago) by cedric
Branch: MAIN
Changes since 1.146: +2 -2 lines
Diff to previous 1.146 (colored)

Simplify more.

Revision 1.146 / (download) - annotate - [select for diffs], Wed Feb 5 10:13:44 2003 UTC (21 years, 4 months ago) by cedric
Branch: MAIN
Changes since 1.145: +3 -3 lines
Diff to previous 1.145 (colored)

Simplify.

Revision 1.145 / (download) - annotate - [select for diffs], Mon Feb 3 14:51:36 2003 UTC (21 years, 4 months ago) by cedric
Branch: MAIN
Changes since 1.144: +5 -3 lines
Diff to previous 1.144 (colored)

remove loadopt global definition and cleanup a bit.
ok henning@

Revision 1.144 / (download) - annotate - [select for diffs], Mon Feb 3 13:57:47 2003 UTC (21 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.143: +1 -9 lines
Diff to previous 1.143 (colored)

zap dead code

Revision 1.143 / (download) - annotate - [select for diffs], Mon Feb 3 13:40:45 2003 UTC (21 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.142: +2 -1 lines
Diff to previous 1.142 (colored)

fix a problem with queue definitions when load options (like -N etc) are
given; they used to check for their parent interface/queue even in this
case.

ok dhartmei@ cedric@

Revision 1.142 / (download) - annotate - [select for diffs], Sun Feb 2 23:22:07 2003 UTC (21 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.141: +2 -2 lines
Diff to previous 1.141 (colored)

there is no need to pass opts to parse_rules explicitly; it's passed as
part of the struct pfctl.

Revision 1.141 / (download) - annotate - [select for diffs], Mon Jan 27 15:42:29 2003 UTC (21 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.140: +6 -1 lines
Diff to previous 1.140 (colored)

When -a is specified, the operation affects an anchor only, so don't try
to replace queues (or options) which are global and can't be loaded into
an anchor. Found by j@pureftpd.org.

Revision 1.140 / (download) - annotate - [select for diffs], Fri Jan 24 11:11:17 2003 UTC (21 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.139: +4 -3 lines
Diff to previous 1.139 (colored)

let pfctl -vvsq loop and display measured bandwidth and packets/s per queue.
cbq only for now.

Revision 1.139 / (download) - annotate - [select for diffs], Tue Jan 21 19:12:08 2003 UTC (21 years, 4 months ago) by camield
Branch: MAIN
Changes since 1.138: +2 -2 lines
Diff to previous 1.138 (colored)

remove redundant if

ok dhartmei

Revision 1.138 / (download) - annotate - [select for diffs], Mon Jan 20 18:37:52 2003 UTC (21 years, 4 months ago) by camield
Branch: MAIN
Changes since 1.137: +3 -3 lines
Diff to previous 1.137 (colored)

Remove unused argument from print_name() and fix two other nits
found by lint.

ok henning

Revision 1.137 / (download) - annotate - [select for diffs], Sun Jan 19 15:28:12 2003 UTC (21 years, 4 months ago) by camield
Branch: MAIN
Changes since 1.136: +9 -12 lines
Diff to previous 1.136 (colored)

Simplify and KNF anchoropt processing.

ok dhartmei henning

Revision 1.136 / (download) - annotate - [select for diffs], Sun Jan 19 13:48:06 2003 UTC (21 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.135: +2 -2 lines
Diff to previous 1.135 (colored)

The -s option to show anchors is 'A' or 'Anchors', not 'a' (which is used
to show 'all' information).

Revision 1.135 / (download) - annotate - [select for diffs], Sat Jan 18 22:23:00 2003 UTC (21 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.134: +2 -3 lines
Diff to previous 1.134 (colored)

Move freeaddrinfo() so it doesn't get called with an uninitialized
pointer (which segfaults). From Julien Bordet.

Revision 1.134 / (download) - annotate - [select for diffs], Sat Jan 18 15:00:24 2003 UTC (21 years, 4 months ago) by cedric
Branch: MAIN
Changes since 1.133: +5 -7 lines
Diff to previous 1.133 (colored)

Cleanup PF_OPT_NOACTION with tables. No changes on current behaviour,
but do something useful when the user has no access to /dev/pf.
Tested on i386, sparc64.
ok henning@

Revision 1.133 / (download) - annotate - [select for diffs], Wed Jan 15 20:53:36 2003 UTC (21 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.132: +2 -2 lines
Diff to previous 1.132 (colored)

what a bogus message

Revision 1.132 / (download) - annotate - [select for diffs], Wed Jan 15 12:13:02 2003 UTC (21 years, 4 months ago) by cedric
Branch: MAIN
Changes since 1.131: +2 -2 lines
Diff to previous 1.131 (colored)

Repair table "load" command.

Revision 1.131 / (download) - annotate - [select for diffs], Sat Jan 11 21:10:56 2003 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.130: +3 -5 lines
Diff to previous 1.130 (colored)

whitespace KNF _AGAIN_

Revision 1.130 / (download) - annotate - [select for diffs], Fri Jan 10 14:21:21 2003 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.129: +57 -11 lines
Diff to previous 1.129 (colored)

Be a bit more strict when parsing options.
Disallow "pfctl -s rabbits" and friends.
ok dhartmei@

Revision 1.129 / (download) - annotate - [select for diffs], Thu Jan 9 18:55:32 2003 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.128: +6 -3 lines
Diff to previous 1.128 (colored)

strlcpy return checks.

Revision 1.128 / (download) - annotate - [select for diffs], Thu Jan 9 18:34:29 2003 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.127: +3 -3 lines
Diff to previous 1.127 (colored)

use a verbose flag in pfctl_show_altq instead of carrying around opts from
pfctl.c, and get rid of the #include "pfctl_parser.h"

Revision 1.127 / (download) - annotate - [select for diffs], Thu Jan 9 17:33:19 2003 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.126: +3 -34 lines
Diff to previous 1.126 (colored)

first attack at pfctl queue statistics, to be displayed with pfctl -vsq

This commit is dedicated to the cute KLM girls who made part of this
possible with giving me a seat in the plane where you actually have enough
place to hack. Thanks, girls.

ok markus@ dhartmei@

Revision 1.126 / (download) - annotate - [select for diffs], Thu Jan 9 10:40:44 2003 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.125: +12 -6 lines
Diff to previous 1.125 (colored)

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@

Revision 1.125 / (download) - annotate - [select for diffs], Tue Jan 7 01:04:33 2003 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.124: +1 -2 lines
Diff to previous 1.124 (colored)

the "default" alias for "normal" optimization in pf_hints is dead for some
time now...
caught by david krause

Revision 1.124 / (download) - annotate - [select for diffs], Sun Jan 5 22:34:20 2003 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.123: +7 -6 lines
Diff to previous 1.123 (colored)

don't whine about missing altq support in the kernel in the -q case

ok dhartmei@

Revision 1.123 / (download) - annotate - [select for diffs], Sun Jan 5 22:14:23 2003 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.122: +9 -8 lines
Diff to previous 1.122 (colored)

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@

Revision 1.122 / (download) - annotate - [select for diffs], Sat Jan 4 00:01:34 2003 UTC (21 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.121: +2 -5 lines
Diff to previous 1.121 (colored)

I do not know where this policy of "one .h file for every .c file" comes
from, but whoever thought of it is stupid.

Revision 1.121 / (download) - annotate - [select for diffs], Fri Jan 3 22:57:26 2003 UTC (21 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.120: +1 -2 lines
Diff to previous 1.120 (colored)

no need to close

Revision 1.120 / (download) - annotate - [select for diffs], Fri Jan 3 22:48:17 2003 UTC (21 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.119: +5 -5 lines
Diff to previous 1.119 (colored)

(a && (b & c))

Revision 1.119 / (download) - annotate - [select for diffs], Fri Jan 3 22:47:51 2003 UTC (21 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.118: +3 -3 lines
Diff to previous 1.118 (colored)

simplify ioctl access

Revision 1.118 / (download) - annotate - [select for diffs], Fri Jan 3 21:37:44 2003 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.117: +41 -3 lines
Diff to previous 1.117 (colored)

Bring in userland code for accessing PF radix tables.
ok dhartmei@ mcbride@

Revision 1.117 / (download) - annotate - [select for diffs], Wed Jan 1 17:20:14 2003 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.116: +3 -3 lines
Diff to previous 1.116 (colored)

KNF

Revision 1.116 / (download) - annotate - [select for diffs], Wed Jan 1 04:26:19 2003 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.115: +2 -2 lines
Diff to previous 1.115 (colored)

Remove skip step for action (scrub vs. non-scrub), as scrub rules are
stored in a separate list now. Regress tests still pass after
sed "s/ a=end / /g", other skip steps are not affected.

Revision 1.115 / (download) - annotate - [select for diffs], Wed Jan 1 00:58:10 2003 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.114: +4 -4 lines
Diff to previous 1.114 (colored)

Extend two error messages, change one err() -> errx() where there's no
errno to translate. From Andrey Matveev.

Revision 1.114 / (download) - annotate - [select for diffs], Tue Dec 31 19:27:08 2002 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.113: +74 -22 lines
Diff to previous 1.113 (colored)

Match kernel changes splitting scrub rules into their own ruleset type.

ok henning@ dhartmei@

Revision 1.113 / (download) - annotate - [select for diffs], Tue Dec 31 01:39:46 2002 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.112: +2 -4 lines
Diff to previous 1.112 (colored)

err() doesn't return. from Andrey Matveev.

Revision 1.112 / (download) - annotate - [select for diffs], Sun Dec 29 22:02:46 2002 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.111: +61 -1 lines
Diff to previous 1.111 (colored)

Make pfctl -a name -sr/-sn show all rules of all rulesets within the
anchor. From discussion with Michael Lucas. ok henning@

Revision 1.111 / (download) - annotate - [select for diffs], Wed Dec 25 16:05:23 2002 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.110: +10 -2 lines
Diff to previous 1.110 (colored)

Honour -R/-N and don't attempt to load other rules in those cases.
Found by Michael Lucas.

Revision 1.110 / (download) - annotate - [select for diffs], Sun Dec 22 15:52:13 2002 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.109: +5 -1 lines
Diff to previous 1.109 (colored)

Handle pool addresses in binat rules, ok mcbride@

Revision 1.109 / (download) - annotate - [select for diffs], Wed Dec 18 19:40:41 2002 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.108: +40 -34 lines
Diff to previous 1.108 (colored)

Store translation rule pointer in state entries, so pfctl -vsn can print
evaluation, packet, byte and state entry counters similar to -vsr. Helps
verify whether/how often translation rules are evaluated/matched.
ok frantzen@, henning@

Revision 1.108 / (download) - annotate - [select for diffs], Wed Dec 18 16:28:40 2002 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.107: +22 -1 lines
Diff to previous 1.107 (colored)

Pass skip step values through ioctl interface, pfctl -vvsr shows them,
main purpose is making them regress-testable.

Revision 1.107 / (download) - annotate - [select for diffs], Wed Dec 18 16:00:03 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.106: +8 -8 lines
Diff to previous 1.106 (colored)

ryan, look at this.

Revision 1.106 / (download) - annotate - [select for diffs], Wed Dec 18 14:14:09 2002 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.105: +55 -24 lines
Diff to previous 1.105 (colored)

Maintain separate pfioc_rule structures for each type of rule,
to prevent tickets from getting overwritten.

bug reported by dhartmei@

ok dhartmei@

Revision 1.105 / (download) - annotate - [select for diffs], Tue Dec 17 20:06:05 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.104: +11 -14 lines
Diff to previous 1.104 (colored)

add support for the PRIQ scheduler

partially from kjc@

ok kjc@ dhartmei@

Revision 1.104 / (download) - annotate - [select for diffs], Tue Dec 17 12:36:59 2002 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.103: +78 -147 lines
Diff to previous 1.103 (colored)

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule

ok dhartmei@ henning@

Revision 1.103 / (download) - annotate - [select for diffs], Mon Dec 16 22:59:37 2002 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.102: +17 -5 lines
Diff to previous 1.102 (colored)

only try to add the root queue for cbq

from kjc@

Revision 1.102 / (download) - annotate - [select for diffs], Tue Dec 10 11:03:52 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.101: +5 -5 lines
Diff to previous 1.101 (colored)

don't warnx after ioctl, use warn

pointed out by form@ via mpech@

Revision 1.101 / (download) - annotate - [select for diffs], Mon Dec 9 18:26:09 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.100: +19 -11 lines
Diff to previous 1.100 (colored)

replace (properly guarded) strncpy using logic by a strsep & strlcpy using
one.

discussion & ok dhartmei@

Revision 1.100 / (download) - annotate - [select for diffs], Sat Dec 7 20:45:04 2002 UTC (21 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.99: +2 -2 lines
Diff to previous 1.99 (colored)

TAILQ_INSERT_TAIL instead of TAILQ_INSERT_HEAD. Makes addresses print
out in correct order when getting rules from kernel (affects pfctl -s).

ok henning@

Revision 1.99 / (download) - annotate - [select for diffs], Fri Dec 6 00:47:31 2002 UTC (21 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.98: +154 -24 lines
Diff to previous 1.98 (colored)

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@

Revision 1.98 / (download) - annotate - [select for diffs], Thu Dec 5 14:10:45 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.97: +5 -4 lines
Diff to previous 1.97 (colored)

one step further to "program output is valid program input" and the related
extra regress testing opportunities (an excellent idea by markus@).
only print rule numbers in case of pfctl -v -v; but not with pfctl -v.

ok markus@ frantzen@ mcbride@

Revision 1.97 / (download) - annotate - [select for diffs], Thu Dec 5 12:26:55 2002 UTC (21 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.96: +15 -15 lines
Diff to previous 1.96 (colored)

Replace warnx with warn on ioctls so that we get the error message associated
with the warning. From DJ Gregor.

ok henning@ dhartmei@

Revision 1.96 / (download) - annotate - [select for diffs], Wed Dec 4 08:07:28 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.95: +4 -2 lines
Diff to previous 1.95 (colored)

do not warn for unused variables except with -v -v; henning ok

Revision 1.95 / (download) - annotate - [select for diffs], Sun Dec 1 22:10:40 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.94: +54 -20 lines
Diff to previous 1.94 (colored)

deal with not-ALTQ-enabled kernels

Revision 1.94 / (download) - annotate - [select for diffs], Sun Dec 1 19:56:42 2002 UTC (21 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.93: +6 -2 lines
Diff to previous 1.93 (colored)

Match pf_ioctl.c cleanup; set up the pool_ticket when loading rules

ok dhartmei@ henning@

Revision 1.93 / (download) - annotate - [select for diffs], Sun Nov 24 16:47:02 2002 UTC (21 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.92: +4 -4 lines
Diff to previous 1.92 (colored)

Fix an error message and remove 'S' from getopt, it's not used.
From Andreas Oestling.

Revision 1.92 / (download) - annotate - [select for diffs], Sun Nov 24 13:34:15 2002 UTC (21 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.91: +9 -9 lines
Diff to previous 1.91 (colored)

Same fix for nat and rdr. Now all regress tests pass with malloc.conf J
again.

Revision 1.91 / (download) - annotate - [select for diffs], Sun Nov 24 13:26:29 2002 UTC (21 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.90: +8 -8 lines
Diff to previous 1.90 (colored)

Don't memcpy() structures that contain TAILQs. If you need a copy, you have
to perform a deep copy (memcpy() is shallow, and the structures contain
pointers to head/nodes). This solves the malloc.conf J segfaults.

Revision 1.90 / (download) - annotate - [select for diffs], Sat Nov 23 09:33:54 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.89: +5 -5 lines
Diff to previous 1.89 (colored)

KNF

Revision 1.89 / (download) - annotate - [select for diffs], Sat Nov 23 07:52:54 2002 UTC (21 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.88: +5 -3 lines
Diff to previous 1.88 (colored)

don't try to do ioctl with pfctl -n

ok dhartmei@

Revision 1.88 / (download) - annotate - [select for diffs], Sat Nov 23 05:22:24 2002 UTC (21 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.87: +95 -5 lines
Diff to previous 1.87 (colored)

code to support loading of pf rules with multiple redirection addresses
(in nat, rdr, route-to, dup-to and reply-to)

Syntax looks like this, see pf.conf(5) for details:

nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
        192.168.0.16/29 source-hash random

rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
        { 192.168.0.8/31, 192.168.0.15 } port 22 round-robin

ok dhartmei@ henning@

Revision 1.87 / (download) - annotate - [select for diffs], Fri Nov 22 12:24:30 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.86: +1 -5 lines
Diff to previous 1.86 (colored)

print altq and queue lines in the pfctl -v case including the child queue
assignment

Revision 1.86 / (download) - annotate - [select for diffs], Mon Nov 18 22:49:15 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.85: +108 -3 lines
Diff to previous 1.85 (colored)

altq and pf merged

this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documentation yet, but committing now
enables a few more people to work on.

print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.

"commit now" theo philipp daniel

Revision 1.85 / (download) - annotate - [select for diffs], Mon Oct 7 14:34:40 2002 UTC (21 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.84: +3 -2 lines
Diff to previous 1.84 (colored)

-Wsign-compare clean

Revision 1.84 / (download) - annotate - [select for diffs], Mon Oct 7 14:13:48 2002 UTC (21 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.83: +3 -3 lines
Diff to previous 1.83 (colored)

Two cases of const-correctness and make one global local.

Revision 1.83 / (download) - annotate - [select for diffs], Fri Jul 5 14:07:32 2002 UTC (21 years, 11 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_3_2_BASE, OPENBSD_3_2
Changes since 1.82: +5 -2 lines
Diff to previous 1.82 (colored)

allow unsetting the statusinterface via

set loginterface none

ok dhartmei@

Revision 1.82 / (download) - annotate - [select for diffs], Mon Jul 1 05:28:22 2002 UTC (21 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.81: +3 -3 lines
Diff to previous 1.81 (colored)

KNF

Revision 1.81 / (download) - annotate - [select for diffs], Tue Jun 25 08:13:26 2002 UTC (21 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.80: +118 -226 lines
Diff to previous 1.80 (colored)

move pfctl options -t, -m, -O and -l to pf.conf. These are set using the
"set" keyword. example rulefile:

set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all

fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@

Revision 1.80 / (download) - annotate - [select for diffs], Fri Jun 14 17:31:30 2002 UTC (22 years ago) by henning
Branch: MAIN
Changes since 1.79: +3 -3 lines
Diff to previous 1.79 (colored)

make the output of pfctl -k look nice again
noticed by pb@
ok dhartmei@

Revision 1.79 / (download) - annotate - [select for diffs], Wed Jun 12 22:27:05 2002 UTC (22 years ago) by henning
Branch: MAIN
Changes since 1.78: +22 -22 lines
Diff to previous 1.78 (colored)

this stuff really belongs to stderr, not stdout
pointed out by ho@
ok dhartmei@, kjell@

Revision 1.78 / (download) - annotate - [select for diffs], Tue Jun 11 17:43:46 2002 UTC (22 years ago) by kjell
Branch: MAIN
Changes since 1.77: +2 -2 lines
Diff to previous 1.77 (colored)

Typo in err()

Revision 1.77 / (download) - annotate - [select for diffs], Tue Jun 11 08:22:15 2002 UTC (22 years ago) by kjell
Branch: MAIN
Changes since 1.76: +4 -4 lines
Diff to previous 1.76 (colored)

nuke an unused parameter in pfctl_timeout. ok frantzen@

Revision 1.76 / (download) - annotate - [select for diffs], Tue Jun 11 06:12:15 2002 UTC (22 years ago) by kjell
Branch: MAIN
Changes since 1.75: +63 -40 lines
Diff to previous 1.75 (colored)

Add -N and -R options. When used in conjunction with
pfctl -f <rulefile> they allow just the nat or filter rules to
be reloaded, respectively. The default (no flags) is to load everything.
If -N is specified, any existing filter rules are retained,
similarly for -R.

ok deraadt@, dhartmei@

Revision 1.75 / (download) - annotate - [select for diffs], Tue Jun 11 02:26:10 2002 UTC (22 years ago) by henning
Branch: MAIN
Changes since 1.74: +4 -4 lines
Diff to previous 1.74 (colored)

sync usage() with reality

Revision 1.74 / (download) - annotate - [select for diffs], Mon Jun 10 23:07:46 2002 UTC (22 years ago) by kjell
Branch: MAIN
Changes since 1.73: +13 -58 lines
Diff to previous 1.73 (colored)

Merge the NAT and rules files into a single rulefile. Rules must be
in this order, to remove any ambiguity about what order things happen in:

scrub rules
nat rules
filter rules

The -N and -R modifiers go away. Rulefiles are now loaded with the
more POSIXly-correct '-f'

ok frantzen@

Revision 1.73 / (download) - annotate - [select for diffs], Mon Jun 10 15:19:13 2002 UTC (22 years ago) by mickey
Branch: MAIN
Changes since 1.72: +2 -2 lines
Diff to previous 1.72 (colored)

some olde version piece crept into my diffski; pt out by dfa@

Revision 1.72 / (download) - annotate - [select for diffs], Sun Jun 9 02:14:29 2002 UTC (22 years ago) by deraadt
Branch: MAIN
Changes since 1.71: +3 -3 lines
Diff to previous 1.71 (colored)

use strchr() instead of index()

Revision 1.71 / (download) - annotate - [select for diffs], Sat Jun 8 16:44:15 2002 UTC (22 years ago) by drahn
Branch: MAIN
Changes since 1.70: +1 -21 lines
Diff to previous 1.70 (colored)

pf_timeouts is shared between pfctl and authpf, put it in the shared file.
unbreak build.

Revision 1.70 / (download) - annotate - [select for diffs], Sat Jun 8 07:58:07 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.69: +2 -5 lines
Diff to previous 1.69 (colored)

Make state timeouts configurable per rule, like

  pass in from any to any port www keep state (tcp.established 60)

ok frantzen@

Revision 1.69 / (download) - annotate - [select for diffs], Fri Jun 7 21:25:35 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.68: +5 -4 lines
Diff to previous 1.68 (colored)

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@

Revision 1.68 / (download) - annotate - [select for diffs], Thu Jun 6 22:22:44 2002 UTC (22 years ago) by mickey
Branch: MAIN
Changes since 1.67: +3 -2 lines
Diff to previous 1.67 (colored)

split out the pf_state printing functions to be used elsewhere, no functional change; dhartmei@ ok

Revision 1.67 / (download) - annotate - [select for diffs], Mon Jun 3 16:13:17 2002 UTC (22 years ago) by kjell
Branch: MAIN
Changes since 1.66: +2 -1 lines
Diff to previous 1.66 (colored)

Also print labels in 'pfctl -s all'. ok dhartmei@

Revision 1.66 / (download) - annotate - [select for diffs], Thu May 23 09:47:20 2002 UTC (22 years ago) by deraadt
Branch: MAIN
Changes since 1.65: +16 -17 lines
Diff to previous 1.65 (colored)

tiny KNF, some malloc checks, etc

Revision 1.65 / (download) - annotate - [select for diffs], Sun May 19 22:26:27 2002 UTC (22 years ago) by deraadt
Branch: MAIN
Changes since 1.64: +4 -4 lines
Diff to previous 1.64 (colored)

KNF

Revision 1.64 / (download) - annotate - [select for diffs], Sun May 19 22:15:19 2002 UTC (22 years ago) by deraadt
Branch: MAIN
Changes since 1.63: +31 -26 lines
Diff to previous 1.63 (colored)

KNF

Revision 1.63 / (download) - annotate - [select for diffs], Sun May 19 21:09:56 2002 UTC (22 years ago) by deraadt
Branch: MAIN
Changes since 1.62: +2 -3 lines
Diff to previous 1.62 (colored)

KNF

Revision 1.62 / (download) - annotate - [select for diffs], Sun May 19 21:08:34 2002 UTC (22 years ago) by deraadt
Branch: MAIN
Changes since 1.61: +3 -2 lines
Diff to previous 1.61 (colored)

nicer usage

Revision 1.61 / (download) - annotate - [select for diffs], Wed Apr 24 18:10:25 2002 UTC (22 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.60: +5 -5 lines
Diff to previous 1.60 (colored)

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).

Revision 1.60 / (download) - annotate - [select for diffs], Mon Apr 1 20:01:16 2002 UTC (22 years, 2 months ago) by dhartmei
Branch: MAIN
CVS Tags: OPENBSD_3_1_BASE, OPENBSD_3_1
Changes since 1.59: +15 -16 lines
Diff to previous 1.59 (colored)

change return values back from EX_* to 0/1

Revision 1.59 / (download) - annotate - [select for diffs], Mon Apr 1 15:06:21 2002 UTC (22 years, 2 months ago) by dhartmei
Branch: MAIN
Changes since 1.58: +19 -17 lines
Diff to previous 1.58 (colored)

style(9) improvements from Raymond M Schneider

Revision 1.58 / (download) - annotate - [select for diffs], Thu Mar 28 23:13:18 2002 UTC (22 years, 2 months ago) by dhartmei
Branch: MAIN
Changes since 1.57: +2 -1 lines
Diff to previous 1.57 (colored)

prototype pfctl_kill_states()

Revision 1.57 / (download) - annotate - [select for diffs], Tue Mar 26 17:37:11 2002 UTC (22 years, 2 months ago) by frantzen
Branch: MAIN
Changes since 1.56: +12 -12 lines
Diff to previous 1.56 (colored)

tidy up usage statement and sort headers.  patch from dfa@solo.ee

Revision 1.56 / (download) - annotate - [select for diffs], Mon Mar 25 22:05:49 2002 UTC (22 years, 2 months ago) by frantzen
Branch: MAIN
Changes since 1.55: +119 -2 lines
Diff to previous 1.55 (colored)

add -k option to shoot down all the state entries from the specified host
ok dhartmei@

Revision 1.55 / (download) - annotate - [select for diffs], Mon Mar 11 22:22:57 2002 UTC (22 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.54: +6 -3 lines
Diff to previous 1.54 (colored)

Add -r to reverse lookup addresses when displaying states.
From John Kerbawy.

Revision 1.54 / (download) - annotate - [select for diffs], Thu Feb 28 15:51:17 2002 UTC (22 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.53: +5 -3 lines
Diff to previous 1.53 (colored)

Don't force /dev/pf to be opened read-write for pfctl -t/-m when values
are only queried but not set.

Revision 1.53 / (download) - annotate - [select for diffs], Wed Feb 27 18:11:45 2002 UTC (22 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.52: +2 -1 lines
Diff to previous 1.52 (colored)

Instead of printing useless @0 rule numbers from pfctl -vR, increase a
counter. Helps debugging rule sets that are not loaded. Suggested by
John Kerbawy.

Revision 1.52 / (download) - annotate - [select for diffs], Tue Feb 26 07:25:33 2002 UTC (22 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.51: +118 -3 lines
Diff to previous 1.51 (colored)

Add optional pool memory hard limits, mainly as temporary solution
until pool exhaustion causes problems no more.

Revision 1.51 / (download) - annotate - [select for diffs], Wed Jan 9 11:30:53 2002 UTC (22 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.50: +50 -12 lines
Diff to previous 1.50 (colored)

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.

Revision 1.50 / (download) - annotate - [select for diffs], Sun Jan 6 21:56:12 2002 UTC (22 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.49: +2 -1 lines
Diff to previous 1.49 (colored)

-x needs read-write access for DIOCSETDEBUG ioctl

Revision 1.49 / (download) - annotate - [select for diffs], Mon Dec 31 16:48:36 2001 UTC (22 years, 5 months ago) by mickey
Branch: MAIN
Changes since 1.48: +13 -2 lines
Diff to previous 1.48 (colored)

only open device for writing if we're gonna modify anything

Revision 1.48 / (download) - annotate - [select for diffs], Mon Dec 10 18:08:12 2001 UTC (22 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.47: +4 -1 lines
Diff to previous 1.47 (colored)

Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.

Revision 1.47 / (download) - annotate - [select for diffs], Thu Oct 4 21:54:15 2001 UTC (22 years, 8 months ago) by dhartmei
Branch: MAIN
CVS Tags: OPENBSD_3_0_BASE, OPENBSD_3_0
Changes since 1.46: +6 -6 lines
Diff to previous 1.46 (colored)

Honour -v flag when printing states, print only one line per state when
non-verbose. Suggested by gwyllion@ace.ulyssis.org.

Revision 1.46 / (download) - annotate - [select for diffs], Tue Oct 2 18:18:28 2001 UTC (22 years, 8 months ago) by frantzen
Branch: MAIN
Changes since 1.45: +1 -2 lines
Diff to previous 1.45 (colored)

Remove duplication from simultaneous commits

Revision 1.45 / (download) - annotate - [select for diffs], Tue Oct 2 18:00:38 2001 UTC (22 years, 8 months ago) by frantzen
Branch: MAIN
Changes since 1.44: +5 -3 lines
Diff to previous 1.44 (colored)

Typo fixes (thanks gwyllion@ace.ulyssis.org)

Revision 1.44 / (download) - annotate - [select for diffs], Tue Oct 2 17:55:24 2001 UTC (22 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.43: +3 -3 lines
Diff to previous 1.43 (colored)

'pfctl -O foo' dumped core. A check was there, but didn't work.

Revision 1.43 / (download) - annotate - [select for diffs], Mon Oct 1 17:58:16 2001 UTC (22 years, 8 months ago) by markus
Branch: MAIN
Changes since 1.42: +1 -7 lines
Diff to previous 1.42 (colored)

print variable assignments only if -v is given. ok dhartmei/deraadt

Revision 1.42 / (download) - annotate - [select for diffs], Mon Oct 1 14:38:34 2001 UTC (22 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.41: +7 -3 lines
Diff to previous 1.41 (colored)

Print error message when pfctl -N/-R can't open the specified file
(instead of failing silently). Found by niklas@.

Revision 1.41 / (download) - annotate - [select for diffs], Sun Sep 30 05:29:37 2001 UTC (22 years, 8 months ago) by frantzen
Branch: MAIN
Changes since 1.40: +82 -3 lines
Diff to previous 1.40 (colored)

Selectable preset FSM optimizations for several network environments.
Thanks to everyone who sent me packet captures!

Revision 1.40 / (download) - annotate - [select for diffs], Sat Sep 22 18:30:11 2001 UTC (22 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.39: +2 -5 lines
Diff to previous 1.39 (colored)

remove debug printf

Revision 1.39 / (download) - annotate - [select for diffs], Thu Sep 6 18:05:46 2001 UTC (22 years, 9 months ago) by jasoni
Branch: MAIN
Changes since 1.38: +40 -1 lines
Diff to previous 1.38 (colored)

1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@

Revision 1.38 / (download) - annotate - [select for diffs], Tue Aug 28 00:02:43 2001 UTC (22 years, 9 months ago) by frantzen
Branch: MAIN
Changes since 1.37: +117 -3 lines
Diff to previous 1.37 (colored)

Bump state timeouts and allow tweaking them from pfctl.
(The state timeouts need some _serious_ tuning)

Revision 1.37 / (download) - annotate - [select for diffs], Thu Aug 23 04:10:31 2001 UTC (22 years, 9 months ago) by deraadt
Branch: MAIN
Changes since 1.36: +40 -20 lines
Diff to previous 1.36 (colored)

for -s all, do not error out when the first ioctl fails

Revision 1.36 / (download) - annotate - [select for diffs], Sun Aug 19 19:57:33 2001 UTC (22 years, 9 months ago) by deraadt
Branch: MAIN
Changes since 1.35: +3 -1 lines
Diff to previous 1.35 (colored)

do not spin if no states are found

Revision 1.35 / (download) - annotate - [select for diffs], Sun Aug 19 19:03:58 2001 UTC (22 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.34: +4 -3 lines
Diff to previous 1.34 (colored)

Add per-rule byte counter, so mickey can do accounting. We're counting the
data part (without IP and TCP/UDP/ICMP headers), like the state counter does.

Revision 1.34 / (download) - annotate - [select for diffs], Sun Aug 19 18:20:46 2001 UTC (22 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.33: +8 -5 lines
Diff to previous 1.33 (colored)

Print per-rule statistics when -v is used with -sr (show rules).

Revision 1.33 / (download) - annotate - [select for diffs], Sat Aug 18 21:09:13 2001 UTC (22 years, 9 months ago) by deraadt
Branch: MAIN
Changes since 1.32: +27 -11 lines
Diff to previous 1.32 (colored)

make pfctl -s state SCREAM; frantzen is now happy

Revision 1.32 / (download) - annotate - [select for diffs], Sat Aug 11 12:05:00 2001 UTC (22 years, 10 months ago) by dhartmei
Branch: MAIN
Changes since 1.31: +52 -4 lines
Diff to previous 1.31 (colored)

Add support for ICMP errors referring to ICMP queries/replies. Fixes
'ICMP error message for bad proto' messages. Reported by Mark Grimes
and Steve Rumble.

Add debugging level with ioctl interface and pfctl switch. Default
is 'None'.

Revision 1.31 / (download) - annotate - [select for diffs], Sat Aug 11 09:54:59 2001 UTC (22 years, 10 months ago) by deraadt
Branch: MAIN
Changes since 1.30: +13 -5 lines
Diff to previous 1.30 (colored)

\+\n support, and spit out cc-style error messages.  the parser's line
counting is lex dependent, and will need to be tweaked

Revision 1.30 / (download) - annotate - [select for diffs], Thu Jul 26 12:55:15 2001 UTC (22 years, 10 months ago) by dhartmei
Branch: MAIN
Changes since 1.29: +5 -2 lines
Diff to previous 1.29 (colored)

usage() with __progname according to style(9), typo in man page. both from mpech@.

Revision 1.29 / (download) - annotate - [select for diffs], Tue Jul 17 17:39:09 2001 UTC (22 years, 10 months ago) by marc
Branch: MAIN
Changes since 1.28: +7 -1 lines
Diff to previous 1.28 (colored)

bitch about extra command line args; ok dhartmei@ and markus@

Revision 1.28 / (download) - annotate - [select for diffs], Mon Jul 16 21:09:37 2001 UTC (22 years, 10 months ago) by markus
Branch: MAIN
Changes since 1.27: +93 -135 lines
Diff to previous 1.27 (colored)

add a yacc parser for pf.conf and nat.conf, with help from mickey@,
plus: -n now turns off all operations, and just parses the conf files
ok deraadt@

Revision 1.27 / (download) - annotate - [select for diffs], Thu Jul 5 11:40:25 2001 UTC (22 years, 11 months ago) by ho
Branch: MAIN
Changes since 1.26: +8 -8 lines
Diff to previous 1.26 (colored)

&, not &&. Pointed out by dhartmei@.

Revision 1.26 / (download) - annotate - [select for diffs], Tue Jul 3 12:10:45 2001 UTC (22 years, 11 months ago) by ho
Branch: MAIN
Changes since 1.25: +52 -38 lines
Diff to previous 1.25 (colored)

Add a -q (quiet) option. dhartmei@ ok.

Revision 1.25 / (download) - annotate - [select for diffs], Sun Jul 1 16:58:51 2001 UTC (22 years, 11 months ago) by kjell
Branch: MAIN
Changes since 1.24: +44 -31 lines
Diff to previous 1.24 (colored)

Finish with posixifying command options. Now both "pfctl -Fs" and
"pfctl -F states" work.

Changed -[Fs]S to -[Fs] info (or -[Fs]i) based on an earlier conversation
with theo.

Added -[Fs] "all" to show or flush everything

Fixup some man page pastos in the process

Revision 1.24 / (download) - annotate - [select for diffs], Fri Jun 29 21:11:24 2001 UTC (22 years, 11 months ago) by kjell
Branch: MAIN
Changes since 1.23: +65 -39 lines
Diff to previous 1.23 (colored)

change load_file implementation so we can accept input on
stdin. Rewrite NAT processing loop to accommodate this fact
(we can only read the rules file once). ok theo

Revision 1.23 / (download) - annotate - [select for diffs], Thu Jun 28 20:30:53 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.22: +3 -3 lines
Diff to previous 1.22 (colored)

usage() was out of date

Revision 1.22 / (download) - annotate - [select for diffs], Wed Jun 27 21:54:47 2001 UTC (22 years, 11 months ago) by kjell
Branch: MAIN
Changes since 1.21: +20 -25 lines
Diff to previous 1.21 (colored)

Change flag syntax
-Fs, -Fn, -Fr, -FS to flush states, nat rules, filter rules, stats
-ss, -sn, -sr, -sS to show them
-z goes away

Revision 1.21 / (download) - annotate - [select for diffs], Wed Jun 27 21:27:47 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.20: +61 -109 lines
Diff to previous 1.20 (colored)

errx() doesn't return. use err() to get errno as well. translate two common errno. ok provos@

Revision 1.20 / (download) - annotate - [select for diffs], Wed Jun 27 19:06:32 2001 UTC (22 years, 11 months ago) by kjell
Branch: MAIN
Changes since 1.19: +35 -32 lines
Diff to previous 1.19 (colored)

Use bitfields for flag options in getopt.

Revision 1.19 / (download) - annotate - [select for diffs], Wed Jun 27 10:31:49 2001 UTC (22 years, 11 months ago) by kjell
Branch: MAIN
Changes since 1.18: +23 -3 lines
Diff to previous 1.18 (colored)

add -z flag for zeroing statistics. -s status no longer resets anything

Revision 1.18 / (download) - annotate - [select for diffs], Tue Jun 26 23:24:06 2001 UTC (22 years, 11 months ago) by kjell
Branch: MAIN
Changes since 1.17: +76 -48 lines
Diff to previous 1.17 (colored)

Add -N (parse, but do not load) and -v (verbose: show parsed rules)
for pf and nat rules.

Revision 1.17 / (download) - annotate - [select for diffs], Tue Jun 26 22:24:14 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.16: +1 -2 lines
Diff to previous 1.16 (colored)

bad smart

Revision 1.16 / (download) - annotate - [select for diffs], Tue Jun 26 22:19:47 2001 UTC (22 years, 11 months ago) by smart
Branch: MAIN
Changes since 1.15: +2 -1 lines
Diff to previous 1.15 (colored)

Add err.h for errx()

Revision 1.15 / (download) - annotate - [select for diffs], Tue Jun 26 22:18:17 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.14: +10 -4 lines
Diff to previous 1.14 (colored)

some warnx, and exit instead of return

Revision 1.14 / (download) - annotate - [select for diffs], Tue Jun 26 20:50:26 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.13: +1 -2 lines
Diff to previous 1.13 (colored)

add rule nr for Niels

Revision 1.13 / (download) - annotate - [select for diffs], Tue Jun 26 17:46:02 2001 UTC (22 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.12: +30 -38 lines
Diff to previous 1.12 (colored)

use errx()

Revision 1.12 / (download) - annotate - [select for diffs], Tue Jun 26 00:18:30 2001 UTC (22 years, 11 months ago) by jasoni
Branch: MAIN
Changes since 1.11: +4 -1 lines
Diff to previous 1.11 (colored)

display usage if no command line args; ok dhartmei@

Revision 1.11 / (download) - annotate - [select for diffs], Mon Jun 25 22:14:07 2001 UTC (22 years, 11 months ago) by smart
Branch: MAIN
Changes since 1.10: +19 -18 lines
Diff to previous 1.10 (colored)

Fix up usage() and alphabetize options.

Revision 1.10 / (download) - annotate - [select for diffs], Mon Jun 25 17:59:19 2001 UTC (22 years, 11 months ago) by smart
Branch: MAIN
Changes since 1.9: +76 -48 lines
Diff to previous 1.9 (colored)

Separate getopt handling from execution of functions.  Still need
to do stricter checking to make sure invalid option combinations
don't get through.  deraadt@, dhartmei@ ok.

Revision 1.9 / (download) - annotate - [select for diffs], Mon Jun 25 17:17:06 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.8: +351 -250 lines
Diff to previous 1.8 (colored)

revised ioctl interface, first getopt version of pfctl

Revision 1.8 / (download) - annotate - [select for diffs], Mon Jun 25 10:14:07 2001 UTC (22 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.7: +2 -2 lines
Diff to previous 1.7 (colored)

catch up, might have introduced bugs, but there is a next pass...

Revision 1.7 / (download) - annotate - [select for diffs], Mon Jun 25 09:44:32 2001 UTC (22 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.6: +28 -19 lines
Diff to previous 1.6 (colored)

catch up to Art changes in the kernel

Revision 1.6 / (download) - annotate - [select for diffs], Mon Jun 25 00:02:55 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.5: +2 -15 lines
Diff to previous 1.5 (colored)

use only ioctl return values found in errno.h

Revision 1.5 / (download) - annotate - [select for diffs], Sun Jun 24 23:44:07 2001 UTC (22 years, 11 months ago) by art
Branch: MAIN
Changes since 1.4: +3 -3 lines
Diff to previous 1.4 (colored)

ioctlbuffer renamed.

Revision 1.4 / (download) - annotate - [select for diffs], Sun Jun 24 23:20:57 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.3: +20 -20 lines
Diff to previous 1.3 (colored)

some KNF

Revision 1.3 / (download) - annotate - [select for diffs], Sun Jun 24 23:16:35 2001 UTC (22 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.2: +8 -3 lines
Diff to previous 1.2 (colored)

match changes in header files

Revision 1.2 / (download) - annotate - [select for diffs], Sun Jun 24 21:40:51 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.1: +2 -2 lines
Diff to previous 1.1 (colored)

REGENTS -> COPYRIGHT HOLDERS

Revision 1.1 / (download) - annotate - [select for diffs], Sun Jun 24 21:04:15 2001 UTC (22 years, 11 months ago) by kjell
Branch: MAIN

Move and rename packet filter userland.
grr. CVS: making easy things difficult, and directory operations impossible.
