OpenBSD CVS

CVS log for src/sbin/pfctl/pfctl_parser.c




Default branch: MAIN


Revision 1.351, Mon Apr 22 13:30:22 2024 UTC (7 weeks ago) by bluhm
Branch: MAIN
CVS Tags: HEAD
Changes since 1.350: +17 -2 lines

Show pf fragment reassembly counters.

Fragment count and statistics are stored in struct pf_status.  From
there pfctl(8) and systat(1) collect and show them.  Note that pfctl
-s info needs the -v switch to show fragments.  As fragment reassembly
has its own mutex, also grab this in pf ioctl(2) and sysctl(2) code.

input claudio@; OK henning@

Revision 1.350, Wed Feb 7 23:53:44 2024 UTC (4 months ago) by jsg
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5
Changes since 1.349: +17 -11 lines

fix anchortypes bounds test

found by "buffer overflow 'anchortypes' 10 <= 12" smatch error
feedback and ok sashan@, ok miod@ on an earlier version

Revision 1.349, Thu Oct 26 16:26:01 2023 UTC (7 months, 2 weeks ago) by deraadt
Branch: MAIN
Changes since 1.348: +6 -7 lines

whitespace cleanup my fingers couldn't avoid doing while i was re-reading
the parsing code

Revision 1.348, Tue Apr 18 13:31:14 2023 UTC (13 months, 3 weeks ago) by tb
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4
Changes since 1.347: +17 -21 lines

Rewrite some ugly for loops

This fixes a few KNF issues and ugly line wrapping by using a local
version of nitems(); fix two bsearch() on top.

ok claudio

Revision 1.347, Wed Nov 9 23:00:00 2022 UTC (19 months ago) by sashan
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3
Changes since 1.346: +4 -1 lines

simplify expiration of 'once' rules.
let a packet mark the 'once' rule as expired. The rule
will be removed by pfctl(8) when rules are updated.

OK kn@

Revision 1.346, Mon Feb 1 00:31:04 2021 UTC (3 years, 4 months ago) by dlg
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE, OPENBSD_7_2, OPENBSD_7_1_BASE, OPENBSD_7_1, OPENBSD_7_0_BASE, OPENBSD_7_0, OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.345: +2 -11 lines

change route-to so it sends packets to IPs instead of interfaces.

this is a significant (and breaking) reworking of the policy based
routing that pf can do. the intention is to make it as easy as
nat/rdr to use, and more robust when it's operating.

the main reasons for this change are:

- route-to, reply-to, and dup-to do not work with pfsync

 this is because the information about where to route-to is stored in
 rules, and it is hard to have a ruleset synced between firewalls,
 and impossible to have them synced 100% of the time.

- i can make my boxes panic in certain situations using route-to

 yeah...

- the configuration and syntax for route-to rules are confusing.

 the argument to route-to and co is an interface name with an optional
 ip address. there are several problems with this. one is that people
 tend to think about routing as sending packets to peers by their
 address, not by the interface they're reachable on. another is that
 we currently have no way to synchronise interface topology information
 between firewalls, so using an interface to say where packets go
 means we can't do failover of these states with pfsync. another
 is that a change in routing topology means a host may become
 reachable over a different interface. tying routing policy to
 interfaces gets in the way of failover and load balancing.

this change does the following:

- stores the route info in the state instead of the pf rule

 this allows route-to to keep working when the ruleset changes, and
 allows route-to info to be sent over pfsync. there's enough spare bits
 in pfsync messages that the protocol doesn't break.

 the caveat is that route-to becomes tied to pass rules that create
 state, like rdr-to and nat-to.

- the argument to route-to etc is a destination ip address

 it's not limited to a next-hop address (though a next-hop can be a
 destination address). this allows for the failover and load balancing
 referred to above.

- deprecates the address@interface host syntax in pfctl

 because routing is done entirely by IPs, the interface is derived from
 the route lookup, not pf. any attempt to use the @interface syntax
 will fail now in all contexts.

there's enthusiasm from proctor@ jmatthew@ and others
ok sashan@ bluhm@
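As an added illustration, not part of the commit above: the same policy-routing rule written in the pre-1.346 interface syntax and in the destination-address syntax this change introduces. Interface and address names are placeholders, and the pool form with a pool type is this example's reading of the "failover and load balancing" the message refers to.

```pf
# Before r1.346: route-to names an interface, with an optional next-hop
# address in parentheses.  The interface is fixed in the rule, so the
# state cannot fail over via pfsync.
pass in on em0 from 10.0.0.0/24 to any route-to (em1 192.0.2.1)

# After r1.346: route-to names a destination address; the outgoing
# interface comes from the route lookup.  The rule must be a stateful
# pass rule, like rdr-to and nat-to, because the route info now lives
# in the state.
pass in on em0 from 10.0.0.0/24 to any route-to 192.0.2.1

# Several destinations form a pool (pool type assumed here).
pass in on em0 from 10.0.0.0/24 to any route-to { 192.0.2.1, 192.0.2.2 } round-robin

# The address@interface host syntax no longer parses in any context:
# pass in from 10.0.0.5@em0 to any
```

When migrating an existing ruleset, grep for "route-to", "reply-to", "dup-to" and "@" and rewrite each rule to the address form; pfctl -nf will reject the old syntax on a post-1.346 system.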

Revision 1.345, Tue Jan 12 00:10:34 2021 UTC (3 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.344: +2 -2 lines

Sometimes a user ID was logged in pflog(4) although the logopt of
the rule did not specify it.  Check the option again for the log
rule in case another rule has triggered a socket lookup.  Remove
logopt group, it is not documented and cannot work as struct pfloghdr
does not contain a gid.  Rename PF_LOG_SOCKET_LOOKUP to PF_LOG_USER
to express what it does.  The lookup involved is only an implementation
detail.
OK kn@ sashan@ mvs@

Revision 1.344, Tue Dec 29 19:50:28 2020 UTC (3 years, 5 months ago) by benno
Branch: MAIN
Changes since 1.343: +3 -2 lines

getifaddrs() can return entries where ifa_addr is NULL. Check for this
before accessing anything in ifa_addr.
ok claudio@

Revision 1.343, Fri May 15 00:56:03 2020 UTC (4 years ago) by cheloha
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8
Changes since 1.342: +2 -2 lines

pf(4): use CLOCK_BOOTTIME to get time_uptime(9) in userspace

In pf(4), the pf_status.since timestamp is set with time_uptime(9).
This is a low-res snapshot of nanouptime(9).  nanouptime(9) is used to
implement CLOCK_BOOTTIME for clock_gettime(2).  It is not used to
implement CLOCK_UPTIME, though.  The names are misleading.

Switch to CLOCK_BOOTTIME in places in userspace where we use
pf_status.since so we are working with the right clock.

Technically CLOCK_MONOTONIC is equivalent, but we shouldn't use that
here.  CLOCK_MONOTONIC is not necessarily the "time since boot": the
standard says its absolute value is meaningless.

ok patrick@ bluhm@

Revision 1.342, Thu Oct 17 21:54:28 2019 UTC (4 years, 7 months ago) by millert
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.341: +8 -10 lines

Use -1 to indicate an invalid uid/gid, not UID_MAX and GID_MAX.
This is the userland portion.  OK deraadt@ sashan@

Revision 1.341, Fri Jun 28 13:32:45 2019 UTC (4 years, 11 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.340: +2 -2 lines

When system calls indicate an error they return -1, not some arbitrary
value < 0.  errno is only updated in this case.  Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

Revision 1.340, Sat Mar 30 02:45:14 2019 UTC (5 years, 2 months ago) by kn
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5
Changes since 1.339: +2 -2 lines

Fail on invalid netmasks when filling tables

Fix a regression of revision 1.326 "Zap v4mask and v6mask in host()" which
allowed CIDR networks with more than one "/" to be loaded into tables.

I took care of this code path with regard to rules coming from the ruleset
parser, which aborts earlier on such invalid specifications, but missed
`-T add 1/2/3' and the like.

Analyzed and fixed by Petr Hoffmann <petr dot hoffmann at oracle dot com>,
thanks!

OK deraadt
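Added example, not pfctl's own code: a minimal address/prefix validator in portable C that applies the checks r1.340 (reject more than one "/", so `1/2/3` fails for tables as well as for rules) and r1.324 (range-checked prefix) describe. pfctl uses strtonum(3), which is OpenBSD-specific; this example substitutes strtol(3) with an endptr check and labels it as such. The function names and the sample specs are this example's own; "10/8"-style shorthand, which pfctl handles separately, is not accepted here.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Parse "address" or "address/prefix" into a binary address and a
 * prefix length.  Returns the address family on success, -1 if the
 * spec is malformed.  Example code following the checks r1.340 and
 * r1.324 describe; the real routine is host() in pfctl_parser.c.
 */
static int
example_parse_host(const char *spec, unsigned char addr[16], int *prefix)
{
	char buf[INET6_ADDRSTRLEN + 5];
	char *slash, *end;
	long val;
	int af, maxbits;

	if (strlen(spec) >= sizeof(buf))
		return (-1);
	strcpy(buf, spec);

	/*
	 * The mask is whatever follows the last '/' (strrchr).  A spec
	 * with more than one '/' ("1/2/3") is not a network and must be
	 * rejected whether it comes from the ruleset or from -T add.
	 */
	slash = strrchr(buf, '/');
	if (slash != NULL) {
		if (strchr(buf, '/') != slash)
			return (-1);
		*slash++ = '\0';
		/* strtonum(3) rejects sign, leading space and empty input */
		if (!isdigit((unsigned char)*slash))
			return (-1);
	}

	if (inet_pton(AF_INET, buf, addr) == 1) {
		af = AF_INET;
		maxbits = 32;
	} else if (inet_pton(AF_INET6, buf, addr) == 1) {
		af = AF_INET6;
		maxbits = 128;
	} else
		return (-1);	/* "10/8"-style shorthand not handled here */

	if (slash == NULL) {
		*prefix = maxbits;
		return (af);
	}

	/* Portable stand-in for strtonum(slash, 0, maxbits, &errstr). */
	errno = 0;
	val = strtol(slash, &end, 10);
	if (errno != 0 || *end != '\0' || val < 0 || val > maxbits)
		return (-1);
	*prefix = (int)val;
	return (af);
}

/* Convenience wrapper: the accepted prefix length, or -1 on rejection. */
static int
example_prefix_of(const char *spec)
{
	unsigned char addr[16];
	int prefix;

	if (example_parse_host(spec, addr, &prefix) == -1)
		return (-1);
	return (prefix);
}

int
main(void)
{
	/* constructed sample specs, valid and invalid */
	const char *specs[] = { "192.0.2.0/24", "2001:db8::/64", "1/2/3",
	    "2001:db8::/129", "10.0.0.1/2x", "10.0.0.1/" };
	size_t i;

	for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++)
		printf("%-16s -> %d\n", specs[i], example_prefix_of(specs[i]));
	return (0);
}
```

The (unsigned char) cast before isdigit() is the same discipline r1.297 applies to pfctl's ctype calls: a negative plain char is undefined input for the ctype functions.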

Revision 1.339, Tue Jan 29 10:58:31 2019 UTC (5 years, 4 months ago) by kn
Branch: MAIN
Changes since 1.338: +1 -2 lines

Reuse copy_satopfaddr() when killing entries

Recently introduced in pfctl_parser.c r1.333, this helper nicely
simplifies code when copying IPs based on their address family, so use
it in five other places when killing state or source node entries.

All addresses copied in these code paths result from either
pfctl_parse_host() or pfctl_addrprefix() which guarantee the address
family set to AF_INET or AF_INET6.  Therefore, effectively relaxing the
case of unhandled families from errx(3) in callers to warnx(3) in
copy_satopfaddr() is safe since it's never reached.

OK sashan

Revision 1.338, Sun Sep 16 19:36:33 2018 UTC (5 years, 8 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_6_4_BASE, OPENBSD_6_4
Changes since 1.337: +11 -4 lines

The kernel does not set the address family for the socket addresses
that are used for netmask, broadcast, and destination address.  In
pfctl(8) take the family of the interface address and write it to
the other addresses.  This fixes some bugs when copy_satopfaddr()
copied only part of IPv6 addresses.  Print a warning if the address
family is unknown.
OK kn@

Revision 1.337, Thu Sep 13 06:03:27 2018 UTC (5 years, 8 months ago) by kn
Branch: MAIN
Changes since 1.336: +2 -4 lines

Avoid unneeded variable in gen_dynnode()

OK bluhm

Revision 1.336, Tue Sep 11 10:42:10 2018 UTC (5 years, 9 months ago) by kn
Branch: MAIN
Changes since 1.335: +2 -2 lines

Fix netmask regression in get_dynnode()

I introduced this error with r1.330 while removing the af parameter from
unmask().

`pass inet from (lo0)/24' would result in `pass inet from (lo0)', sorry.

Revision 1.335, Tue Sep 11 09:02:27 2018 UTC (5 years, 9 months ago) by kn
Branch: MAIN
Changes since 1.334: +5 -10 lines

Remove unused buffer from host()

Left-over from pre-host_ip() times. While here, use __func__.

OK henning benno

Revision 1.334, Mon Sep 10 20:53:53 2018 UTC (5 years, 9 months ago) by kn
Branch: MAIN
Changes since 1.333: +28 -45 lines

Merge host_v{4,6}() into simpler host_ip()

Except for networks such as "10/8" host_ip() now handles addresses in an
AF-agnostic way with more duplicate code removed/merged.

OK sashan (as for earlier copy_satopfaddr() diff) henning

Revision 1.333, Mon Sep 10 16:17:48 2018 UTC (5 years, 9 months ago) by kn
Branch: MAIN
Changes since 1.332: +26 -50 lines

Introduce copy_satopfaddr()

Move the same dance around v4/v6 for copying IP addresses from sockaddr
into pf_addr to avoid duplicate code and improve readability.

Feedback and OK bluhm
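An added illustration, not pfctl's code, of the pattern r1.333 factors into copy_satopfaddr() and of the two getifaddrs(3) pitfalls r1.338 and r1.344 describe: a helper copies a sockaddr into a 16-byte pf_addr-style union according to its family and warns on anything else; a wrapper stamps the interface address's family onto a netmask whose family the kernel left at AF_UNSPEC; and the walker skips entries whose ifa_addr is NULL. The union, the function names and the constructed /64 mask are this example's own. On a non-OpenBSD host the walker will also see families such as AF_PACKET, which the helper rejects with a warning.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <ifaddrs.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for pf's struct pf_addr: 16 bytes, an IPv4 address in the first 4. */
union example_pf_addr {
	struct in_addr	v4;
	struct in6_addr	v6;
	unsigned char	addr8[16];
};

/*
 * Copy the address in sa into pfa according to sa->sa_family.
 * Returns 0 on success, -1 (after a warning) for any other family.
 * Follows the idea of copy_satopfaddr() from r1.333; not pfctl's code.
 */
static int
example_copy_satopfaddr(union example_pf_addr *pfa, const struct sockaddr *sa)
{
	memset(pfa, 0, sizeof(*pfa));
	switch (sa->sa_family) {
	case AF_INET:
		pfa->v4 = ((const struct sockaddr_in *)sa)->sin_addr;
		return (0);
	case AF_INET6:
		pfa->v6 = ((const struct sockaddr_in6 *)sa)->sin6_addr;
		return (0);
	default:
		fprintf(stderr, "%s: unknown address family %d\n",
		    __func__, sa->sa_family);
		return (-1);
	}
}

/*
 * Netmask, broadcast and destination sockaddrs from getifaddrs(3) may
 * arrive with sa_family left at AF_UNSPEC (r1.338).  Take the family
 * from the interface address before copying, so an IPv6 mask is copied
 * in full rather than in part.
 */
static int
example_copy_ifa_sockaddr(union example_pf_addr *pfa,
    const struct sockaddr *ifa_addr, struct sockaddr *sa)
{
	if (sa->sa_family == AF_UNSPEC)
		sa->sa_family = ifa_addr->sa_family;
	return (example_copy_satopfaddr(pfa, sa));
}

/* Constructed case: a /64 IPv6 netmask whose family was never set. */
static int
example_v6_mask_bytes_copied(void)
{
	struct sockaddr_in6 ifaddr, mask;
	union example_pf_addr pfa;
	int i, n = 0;

	memset(&ifaddr, 0, sizeof(ifaddr));
	ifaddr.sin6_family = AF_INET6;
	inet_pton(AF_INET6, "2001:db8::1", &ifaddr.sin6_addr);

	memset(&mask, 0, sizeof(mask));		/* sin6_family == AF_UNSPEC */
	memset(&mask.sin6_addr, 0xff, 8);

	if (example_copy_ifa_sockaddr(&pfa, (struct sockaddr *)&ifaddr,
	    (struct sockaddr *)&mask) == -1)
		return (-1);
	for (i = 0; i < 16; i++)
		if (pfa.addr8[i] == 0xff)
			n++;
	return (n);	/* 8 for a /64 */
}

/* Without the family fix the same sockaddr is rejected, not half-copied. */
static int
example_unspec_rejected(void)
{
	struct sockaddr_in6 mask;
	union example_pf_addr pfa;

	memset(&mask, 0, sizeof(mask));
	return (example_copy_satopfaddr(&pfa, (struct sockaddr *)&mask));
}

int
main(void)
{
	struct ifaddrs *ifap, *ifa;
	union example_pf_addr pfa;
	char buf[INET6_ADDRSTRLEN];

	if (getifaddrs(&ifap) == -1)
		return (1);
	for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) {
		/* getifaddrs(3) can return entries with ifa_addr == NULL (r1.344) */
		if (ifa->ifa_addr == NULL || ifa->ifa_netmask == NULL)
			continue;
		if (example_copy_ifa_sockaddr(&pfa, ifa->ifa_addr,
		    ifa->ifa_netmask) == -1)
			continue;
		printf("%s mask %s\n", ifa->ifa_name,
		    inet_ntop(ifa->ifa_addr->sa_family, &pfa, buf, sizeof(buf)));
	}
	freeifaddrs(ifap);
	return (0);
}
```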

Revision 1.332, Fri Sep 7 21:37:03 2018 UTC (5 years, 9 months ago) by kn
Branch: MAIN
Changes since 1.331: +4 -4 lines

More __func__ to fix error messages

Revision 1.331, Fri Sep 7 14:16:22 2018 UTC (5 years, 9 months ago) by kn
Branch: MAIN
Changes since 1.330: +3 -10 lines

Remove wildcard address on loopback remnants

henning@ removed this functionality years ago, see the share/man/man4/lo.4
revision 1.27.

OK jca claudio

Revision 1.330, Thu Sep 6 15:07:33 2018 UTC (5 years, 9 months ago) by kn
Branch: MAIN
Changes since 1.329: +5 -5 lines

Remove unused af argument from unmask()

This has been unused for years.

While here, zap the duplicate function signature from pfctl.h (already
present in pfctl_parser.h); spotted by sashan, thanks.

OK sashan

Revision 1.329, Wed Sep 5 21:16:26 2018 UTC (5 years, 9 months ago) by kn
Branch: MAIN
Changes since 1.328: +21 -18 lines

Move AF-specific mask logic from callers into set_ipmask()

Instead of doing the same dance with every caller, check for user provided
mask or address family specific maximum inside the function itself.

Feedback and OK claudio

Revision 1.328, Wed Sep 5 08:47:21 2018 UTC (5 years, 9 months ago) by kn
Branch: MAIN
Changes since 1.327: +6 -9 lines

Use error label in host_if()

This brings it in line with host() and host_dns().

OK sashan miko

Revision 1.327, Fri Aug 10 09:54:06 2018 UTC (5 years, 10 months ago) by kn
Branch: MAIN
Changes since 1.326: +5 -6 lines

Zap bits in host_v4(), use mask parameter

This avoids a duplicate strrchr() call and makes the function consistent
with host_v6() regarding mask handling.

While here, use the destination's size in memcpy instead of hardcoding its
type.

OK sashan

Revision 1.326, Tue Jul 31 22:48:04 2018 UTC (5 years, 10 months ago) by kn
Branch: MAIN
Changes since 1.325: +10 -11 lines

Zap v4mask and v6mask in host()

Simply defer checks whether a mask has been specified to where it's set in
host_*(); this is to reduce address family specific code.

OK sashan

Revision 1.325, Mon Jul 30 08:28:40 2018 UTC (5 years, 10 months ago) by kn
Branch: MAIN
Changes since 1.324: +15 -29 lines

Simplify host()

Get rid of the `cont' flag, zap obvious comments, add error label.

OK benno sashan

Revision 1.324, Sat Jul 28 23:36:54 2018 UTC (5 years, 10 months ago) by kn
Branch: MAIN
Changes since 1.323: +6 -5 lines

Use strtonum in host()

This is simpler than checking three cases for `q' and gives nicer error
messages. While here, use `v6mask' as maximum netmask instead of hardcoding
it.

OK sashan

Revision 1.323, Tue Jul 24 09:48:04 2018 UTC (5 years, 10 months ago) by kn
Branch: MAIN
Changes since 1.322: +2 -8 lines

Move duplicate code into new helper print_addr_str()

This simply puts the wiggle around inet_ntop() from four into one location.

OK benno

Revision 1.322, Tue Jul 24 09:38:21 2018 UTC (5 years, 10 months ago) by kn
Branch: MAIN
Changes since 1.321: +5 -8 lines

Simplify getaddrinfo() error handling

`error' is not used so drop it and jump to the end.

OK sashan

Revision 1.321, Tue Jul 10 09:30:49 2018 UTC (5 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.320: +16 -11 lines

'set delay' for the generic packet delay mechanism, ok benno sashan

Revision 1.320, Tue Jul 10 09:05:11 2018 UTC (5 years, 11 months ago) by jca
Branch: MAIN
Changes since 1.319: +3 -2 lines

Add "listenrepv2" for MLDv2 Listener Reports from RFC3810

ok benno@

Revision 1.319, Thu Feb 8 02:26:39 2018 UTC (6 years, 4 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE, OPENBSD_6_3
Changes since 1.318: +7 -2 lines

show current synflood detection watermarks in pfctl -vsi, for the lack
of a more appropriate place. ok claudio benno procter

Revision 1.318, Tue Nov 28 16:05:47 2017 UTC (6 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.317: +25 -18 lines

The divert structure was using the port number to indicate that
divert-to or divert-reply was active.  If the address was also set,
it meant divert-to.  Divert packet used a separate structure.  This
is confusing and makes it hard to add new features.  It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@

Revision 1.317, Mon Nov 13 11:30:11 2017 UTC (6 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.316: +3 -0 lines

add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb

Revision 1.316, Mon Aug 14 15:53:04 2017 UTC (6 years, 9 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.315: +2 -1 lines

expose the half-open tcp states counter, ok bluhm

Revision 1.315, Fri Aug 11 22:30:38 2017 UTC (6 years, 10 months ago) by benno
Branch: MAIN
Changes since 1.314: +10 -7 lines

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@

Revision 1.314, Thu Aug 3 17:36:06 2017 UTC (6 years, 10 months ago) by florian
Branch: MAIN
Changes since 1.313: +1 -2 lines

For nearly 20 years the correct spelling of
ICMP6_DST_UNREACH_NOTNEIGHBOR is ICMP6_DST_UNREACH_BEYONDSCOPE (RFC
1885 was obsoleted).
sthen grepped the ports sources to make sure nothing uses it.
OK millert, jca

Revision 1.313, Wed Jul 19 12:58:31 2017 UTC (6 years, 10 months ago) by mikeb
Branch: MAIN
Changes since 1.312: +3 -2 lines

Allow HFSC classes to use flow queues

The FQ-CoDel related configuration (flows, quantum) becomes available
for the regular bandwidth queue.  Internally the kernel will pick the
FQ-CoDel for use as a queue manager for the specified class instead of
the FIFO.

Discussed with and OK henning@ at d2k17 as a part of a larger diff.

Revision 1.312, Thu Jun 1 14:38:28 2017 UTC (7 years ago) by patrick
Branch: MAIN
Changes since 1.311: +6 -4 lines

Return time_uptime as value for when pf was enabled instead of
time_second.  Since time_second changes depending on the wall-
clock time, time_second is not a reliable source for the status.
We can even end up with a negative time delta.  Thus, use the
monotonically growing time_uptime and export it to userland.

ok bluhm@ mikeb@

Revision 1.311, Mon May 15 16:56:42 2017 UTC (7 years ago) by mikeb
Branch: MAIN
Changes since 1.310: +2 -2 lines

Fixup printing of queue bandwidth specifications

Reported by Carl Mascott, thanks!  OK sthen

Revision 1.310, Mon May 15 11:23:25 2017 UTC (7 years ago) by mikeb
Branch: MAIN
Changes since 1.309: +18 -10 lines

Hook up FQ-CoDel to the tree and enable configuration in the pfctl(8)

OK sthen, visa

Revision 1.309, Wed Oct 26 14:15:59 2016 UTC (7 years, 7 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.308: +3 -1 lines

When using a /32 IPv4 interface address, pfctl(8) reports a 0.0.0.0
as broadcast address.  The kernel does not consider this a broadcast
address and ifconfig(8) has a check to exclude it.  Use the same
check in pfctl(8).
Found by regress/sbin/pfctl pfi2; OK mikeb@

Revision 1.308, Sat Sep 3 17:11:40 2016 UTC (7 years, 9 months ago) by sashan
Branch: MAIN
Changes since 1.307: +5 -1 lines

Let the purge thread remove once rules, not packets.
Thanks mikeb@ for idea to add expire time.

OK mpi@, OK mikeb@

Revision 1.307, Fri Aug 26 06:06:58 2016 UTC (7 years, 9 months ago) by guenther
Branch: MAIN
Changes since 1.306: +9 -8 lines

Add <time.h> for time(); sort <*.h> includes

ok deraadt@

Revision 1.306, Thu Sep 3 12:46:47 2015 UTC (8 years, 9 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE, OPENBSD_6_0, OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.305: +2 -2 lines

interface should only be specified for root queues; found by jsg

Revision 1.305, Wed Jun 3 02:24:36 2015 UTC (9 years ago) by millert
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8
Changes since 1.304: +5 -4 lines

Do not assume that asprintf() clears the pointer on failure, which
is non-portable.  Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@

Revision 1.304, Sat Feb 14 23:32:41 2015 UTC (9 years, 3 months ago) by sthen
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.303: +3 -3 lines

Rather than using 0xff as a placeholder for "don't check prio", use 0xff to
mean "prio is 0". This avoids the need for code changes in programs which add
pf rules (as was done in pfctl but not other programs) to handle the new
"check prio" functionality. Specifically this unbreaks ftp-proxy.

Use of #define rather than magic 0xff suggested by benno.
ok benno "if henning doesn't like it he can change it when he recovers from jet-lag"

Revision 1.303, Tue Feb 10 06:45:55 2015 UTC (9 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.302: +2 -0 lines

since we inherit prio (as in, the queuing priority) from outside sources,
i. e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan

Revision 1.302, Sat Feb 7 23:35:27 2015 UTC (9 years, 4 months ago) by tedu
Branch: MAIN
Changes since 1.301: +10 -3 lines

parse debug levels with strtonum, so that debug 1banana doesn't parse.
ok mikeb

Revision 1.301, Fri Jan 16 06:40:00 2015 UTC (9 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.300: +2 -1 lines

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible.  Annotate <sys/param.h> lines with their current reasons.  Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc.  Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution.  These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Revision 1.293.2.1, Wed Oct 29 15:36:44 2014 UTC (9 years, 7 months ago) by sthen
Branch: OPENBSD_5_4
Changes since 1.293: +26 -6 lines
Next main revision: 1.294

MFC pfctl fix (parse.y 1.641, pfctl_parser.c 1.300, pfctl_parser.h 1.104)
-----
Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic.  Reported by sthen@;
ok henning benno sthen
-----

Revision 1.298.4.1, Wed Oct 29 15:36:15 2014 UTC (9 years, 7 months ago) by sthen
Branch: OPENBSD_5_5
Changes since 1.298: +26 -6 lines
Next main revision: 1.299

MFC pfctl fix (parse.y 1.641, pfctl_parser.c 1.300, pfctl_parser.h 1.104)
-----
Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic.  Reported by sthen@;
ok henning benno sthen
-----

Revision 1.298.6.1, Wed Oct 29 15:29:34 2014 UTC (9 years, 7 months ago) by sthen
Branch: OPENBSD_5_6
Changes since 1.298: +26 -6 lines
Next main revision: 1.299

MFC pfctl fix (parse.y 1.641, pfctl_parser.c 1.300, pfctl_parser.h 1.104)
-----
Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic.  Reported by sthen@;
ok henning benno sthen
-----

Revision 1.300, Mon Oct 27 21:51:32 2014 UTC (9 years, 7 months ago) by mikeb
Branch: MAIN
Changes since 1.299: +26 -6 lines

Fixup incorrect expansion of the networking mask for dynamic interface
specifications under certain circumstances resulting in potentially
elevated access permissions for IPv6 traffic.  Reported by sthen@;
ok henning benno sthen

Revision 1.299, Sat Oct 25 03:18:13 2014 UTC (9 years, 7 months ago) by lteo
Branch: MAIN
Changes since 1.298: +1 -2 lines

Remove unnecessary netinet/in_systm.h include.

ok millert@

Revision 1.298, Mon Jan 20 02:59:13 2014 UTC (10 years, 4 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_5_BASE
Branch point for: OPENBSD_5_6, OPENBSD_5_5
Changes since 1.297: +2 -1 lines

support "!received-on <interface>", ok dlg benno

Revision 1.297, Fri Nov 22 04:12:48 2013 UTC (10 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.296: +4 -4 lines

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert

Revision 1.296, Mon Oct 28 15:05:35 2013 UTC (10 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.295: +3 -3 lines

use %d instead of %i in a few fprintf for clarity

Revision 1.295, Sat Oct 12 12:16:12 2013 UTC (10 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.294: +54 -2 lines

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen

Revision 1.294, Thu Aug 1 19:03:11 2013 UTC (10 years, 10 months ago) by mikeb
Branch: MAIN
Changes since 1.293: +33 -1 lines

Provide local implementations of if_nametoindex(3) and if_indextoname(3)
that make use of the cache of addresses populated by the ifa_load on
startup to save the trouble of calling expensive getaddrinfo(3) up to
four times per rule.   Performance wise this change provides a speed up
factor of 20 with an 11k line ruleset on a machine with 150 VLANs and 250
IP addresses (20 seconds down to 1 in this case).

"wow!" henning, ok benno, florian

Revision 1.293, Sun Apr 21 23:13:39 2013 UTC (11 years, 1 month ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE
Branch point for: OPENBSD_5_4
Changes since 1.292: +5 -4 lines

avoid truncating a time_t division into days

Revision 1.292, Wed Jan 16 01:49:20 2013 UTC (11 years, 4 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.291: +9 -5 lines

for consistency with prio etc, the queue assignment really belongs
into the set block. so make pfctl accept, print and the manpage document
.  match set queue foo
instead of
.  match queue foo
but keep accepting the old way without the explicit set.
ok bob, man jmc

Revision 1.291, Tue Dec 4 02:24:46 2012 UTC (11 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.290: +1 -3 lines

remove some unnecessary sys/param.h inclusions

Revision 1.290, Tue Sep 18 10:11:53 2012 UTC (11 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.289: +2 -3 lines

prio 0 is valid, therefore, I chose an "impossible" value for prio meaning
"not set" and used a PF_PRIO_NOTSET define for it. now that means that
everything that creates a struct pf_rule doesn't get away with bzero'ing it,
which turned out to be not so nice. so get rid of PF_PRIO_NOTSET, instead,
make a rule+state flag PFSTATE_SETPRIO which indicates whether the prio
should be set. ok benno claudio mikeb

Revision 1.289, Tue Jul 10 09:39:26 2012 UTC (11 years, 11 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE, OPENBSD_5_2
Changes since 1.288: +2 -4 lines

use PFSTATE_SCRUBMASK
whenever you see (flags >= ONE_OF_THE_FLAGS), run. that must break sooner
or later.

Revision 1.288, Tue Jul 10 09:23:56 2012 UTC (11 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.287: +4 -2 lines

intermediate hack^Wugly "fix" to prevent spurious "scrub ()" prints
+ XXX comment as reminder to clean this up for good

Revision 1.287, Tue Jul 10 09:13:41 2012 UTC (11 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.286: +3 -3 lines

set { ... } -> set ( ... )
brought up by ryan, discussed with him and theo and they convinced me

Revision 1.286, Mon Jul 9 14:05:35 2012 UTC (11 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.285: +20 -13 lines

fix some of the confusion we have in pf regarding filter criteria vs
options that "write" to the packet by putting the latter in a set { } block.
for now prio and tos, maintain set-tos backwards compat for the moment.
"match set { prio 6, tos lowdelay }"
"match set prio 6"
from a discussion with ryan in tokyo a while ago, ok ryan phessler

Revision 1.285, Sat Jul 7 16:24:32 2012 UTC (11 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.284: +4 -4 lines

rename prio in struct pf_rule and related structs to set_prio so it is
utterly clear this is not a filter criteria but a packet modification thing.
also preparation for upcoming changes, including one to unscrew this mess
(I should not have to touch half the tree for this - ifixitlater)
not user visible, ok gcc

Revision 1.284 / (download) - annotate - [select for diffs], Mon Dec 12 21:30:27 2011 UTC (12 years, 6 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_1_BASE, OPENBSD_5_1
Changes since 1.283: +2 -2 lines
Diff to previous 1.283 (colored)

fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule.  essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault

Revision 1.283 / (download) - annotate - [select for diffs], Wed Nov 23 10:24:37 2011 UTC (12 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.282: +13 -10 lines
Diff to previous 1.282 (colored)

print ports as numbers by default; -P prints names instead
2/2 from Lawrence Teo <lteo at devio dot us>
ok sthen dlg and myself

Revision 1.282 / (download) - annotate - [select for diffs], Wed Nov 23 10:23:11 2011 UTC (12 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.281: +47 -47 lines
Diff to previous 1.281 (colored)

print_rule: rename opts -> ropts, no binary change
1/2 from Lawrence Teo <lteo at devio dot us>
ok sthen dlg myself and gcc

Revision 1.281 / (download) - annotate - [select for diffs], Thu Oct 13 18:30:54 2011 UTC (12 years, 8 months ago) by claudio
Branch: MAIN
Changes since 1.280: +20 -6 lines
Diff to previous 1.280 (colored)

pfctl change for af-to / NAT64 support.
The general syntax is:
pass in inet from any to 192.168.1.1 af-to inet6 from 2001::1 to 2001::2
In the NAT64 case the "to" is not needed in af-to and the IP is extracted
from the IPv6 dst (assuming a /64 prefix).
Again most work by sperreault@, mikeb@ and reyk@
OK mcbride@, put it in deraadt@

Revision 1.280 / (download) - annotate - [select for diffs], Tue Aug 30 00:43:57 2011 UTC (12 years, 9 months ago) by mikeb
Branch: MAIN
Changes since 1.279: +3 -1 lines
Diff to previous 1.279 (colored)

One shot rules can be used in pf.conf by specifying a "once" filter option.

ok henning, mcbride

Revision 1.279 / (download) - annotate - [select for diffs], Wed Jul 27 00:26:10 2011 UTC (12 years, 10 months ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_5_0_BASE, OPENBSD_5_0
Changes since 1.278: +43 -7 lines
Diff to previous 1.278 (colored)

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt

Revision 1.278 / (download) - annotate - [select for diffs], Fri Jul 8 18:52:47 2011 UTC (12 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.277: +7 -1 lines
Diff to previous 1.277 (colored)

allow rules to specify "prio X" or "prio (X, Y)" to assign priority levels
for the new priority queueing implementation. valid range is 0 to 7. the old
trick for prioritizing empty ACKs etc remains thru the latter notation
ok ryan mpf sthen plus pea testing and halex and claudio reading

Revision 1.277 / (download) - annotate - [select for diffs], Thu Jul 7 02:00:25 2011 UTC (12 years, 11 months ago) by mcbride
Branch: MAIN
Changes since 1.276: +20 -18 lines
Diff to previous 1.276 (colored)

Don't print 'keep state' anymore unless it's needed for state options, it's
been implicit for years now.

ok henning@

Revision 1.276 / (download) - annotate - [select for diffs], Sun Jul 3 23:37:55 2011 UTC (12 years, 11 months ago) by zinke
Branch: MAIN
Changes since 1.275: +6 -1 lines
Diff to previous 1.275 (colored)

bring in least-states load balancing algorithm

ok mcbride@ henning@

Revision 1.275 / (download) - annotate - [select for diffs], Wed Apr 6 13:19:55 2011 UTC (13 years, 2 months ago) by claudio
Branch: MAIN
Changes since 1.274: +7 -1 lines
Diff to previous 1.274 (colored)

Userland bits to allow PF to filter on the rdomain a packet belongs to.
This allows to write rules like "pass in on rdomain 1".
Tested by phessler@, OK henning@

Revision 1.274 / (download) - annotate - [select for diffs], Tue Apr 5 13:48:18 2011 UTC (13 years, 2 months ago) by mikeb
Branch: MAIN
Changes since 1.273: +3 -7 lines
Diff to previous 1.273 (colored)

ditch fastroute, an ipf feature that made its way into pf before
route-to and friends were introduced making it obsolete. one even
has to look it up in the ipf manual to get an idea what it's
supposed to do.  reuse some kernel bits for the upcoming nat64
stuff.  "kill it with fire" from mcbride, "what mcbride said"
from mpf, "kill kill kill" and ok henning.

Revision 1.273 / (download) - annotate - [select for diffs], Sun Jan 23 11:19:55 2011 UTC (13 years, 4 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_4_9_BASE, OPENBSD_4_9
Changes since 1.272: +2 -2 lines
Diff to previous 1.272 (colored)

'pfctl -x none' did not turn debugging off.  Skip the syslog internal
"no priority" priority named "none".  This makes 'pfctl -x none'
equivalent to 'pfctl -x crit'.
ok mcbride@ henning@

Revision 1.272 / (download) - annotate - [select for diffs], Tue Oct 12 17:45:06 2010 UTC (13 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.271: +2 -2 lines
Diff to previous 1.271 (colored)

pfctl -sr did not show divert-reply rules without address family
correctly.  A zero address field is used to identify divert-reply
rules.  If the rule's address family is unspecified, PF_AZERO()
always returns false.  So use AF_INET6 as address family, to check
all bits of the address.
ok markus@

Revision 1.271 / (download) - annotate - [select for diffs], Wed Sep 22 06:02:59 2010 UTC (13 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.270: +3 -1 lines
Diff to previous 1.270 (colored)

new log opt "matches"
awesome for debugging, a rule like
match log(matches) from $testbox
will show you exactly which subsequent rules match on that packet
real ok theo assumed oks ryan & dlg bikeshedding many
implementation time ~1 min bikeshedding about the keyword longish.
i voted for "matches" since i like to play with matches
idea was theo's, actually

Revision 1.270 / (download) - annotate - [select for diffs], Thu Sep 2 14:01:04 2010 UTC (13 years, 9 months ago) by sobrado
Branch: MAIN
Changes since 1.269: +4 -4 lines
Diff to previous 1.269 (colored)

remove trailing spaces and tabs; no binary change.

written with help from henning@, who suggested ensuring that there
are no changes in the digests for object files, thanks!

ok henning@

Revision 1.269 / (download) - annotate - [select for diffs], Tue Jul 13 13:11:57 2010 UTC (13 years, 11 months ago) by sthen
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE, OPENBSD_4_8
Changes since 1.268: +3 -1 lines
Diff to previous 1.268 (colored)

Fix (pflow) display in rule printing. Spotted by dhill@, ok henning@

Revision 1.268 / (download) - annotate - [select for diffs], Sat Jul 3 02:28:57 2010 UTC (13 years, 11 months ago) by mcbride
Branch: MAIN
Changes since 1.267: +5 -3 lines
Diff to previous 1.267 (colored)

Fix a couple of problems with printing of anchors, in particular recursive
printing, both of inline anchors and when requested explicitly with a '*'
in the anchor.
- Correct recursive printing of wildcard anchors (recurse into child anchors
  rather than rules, which don't exist)
- Print multi-part anchor paths correctly (pr6065)
- Fix comments and prevent users from specifying multi-component names for
  inline anchors.

tested by phessler
ok henning

Revision 1.267 / (download) - annotate - [select for diffs], Sat Jul 3 02:05:17 2010 UTC (13 years, 11 months ago) by mcbride
Branch: MAIN
Changes since 1.266: +9 -7 lines
Diff to previous 1.266 (colored)

Use our own enum here rather than abusing the PF rule type enums, which
will be getting cleaned up soon.

ok henning

Revision 1.266 / (download) - annotate - [select for diffs], Tue Jun 29 19:28:13 2010 UTC (13 years, 11 months ago) by chl
Branch: MAIN
Changes since 1.265: +2 -2 lines
Diff to previous 1.265 (colored)

Fix use after free. Found by regress tests.

ok henning@ krw@

Revision 1.265 / (download) - annotate - [select for diffs], Sun May 16 12:23:30 2010 UTC (14 years ago) by zinovik
Branch: MAIN
Changes since 1.264: +2 -1 lines
Diff to previous 1.264 (colored)

plug memory leak.  `ps' was allocated with strdup(3), but on error path
program does not free(3) it.

Revision 1.264 / (download) - annotate - [select for diffs], Mon Mar 22 17:04:02 2010 UTC (14 years, 2 months ago) by deraadt
Branch: MAIN
Changes since 1.263: +2 -1 lines
Diff to previous 1.263 (colored)

Following diff fixes memory leak.  `debug' is allocated via asprintf(3) so we
need to free it with free(3).
from zinovik

Revision 1.263 / (download) - annotate - [select for diffs], Thu Mar 18 12:15:22 2010 UTC (14 years, 2 months ago) by sthen
Branch: MAIN
Changes since 1.262: +2 -2 lines
Diff to previous 1.262 (colored)

Fix rdr-to printing in pfctl -sr when reply-to is in use.
Found by Marcus Muelbuesch. ok henning@

Revision 1.262 / (download) - annotate - [select for diffs], Mon Jan 18 23:52:46 2010 UTC (14 years, 4 months ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_4_7_BASE, OPENBSD_4_7
Changes since 1.261: +46 -16 lines
Diff to previous 1.261 (colored)

Convert pf debug logging to using log()/addlog(), a single standardised
definition of DPFPRINTF(), and log priorities from syslog.h. Old debug
levels will still work for now, but will eventually be phased out.

discussed with henning, ok dlg

Revision 1.261 / (download) - annotate - [select for diffs], Wed Jan 13 05:09:07 2010 UTC (14 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.260: +1 -2 lines
Diff to previous 1.260 (colored)

repair a double-free suggested by parfait; ok mcbride

Revision 1.260 / (download) - annotate - [select for diffs], Wed Jan 13 01:41:58 2010 UTC (14 years, 5 months ago) by jsg
Branch: MAIN
Changes since 1.259: +3 -1 lines
Diff to previous 1.259 (colored)

fix some leaks found by parfait
ok mcbride@ henning@

Revision 1.259 / (download) - annotate - [select for diffs], Tue Jan 12 16:21:24 2010 UTC (14 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.258: +6 -3 lines
Diff to previous 1.258 (colored)

Only print route specs with @if notation if there is an IP address.

Revision 1.258 / (download) - annotate - [select for diffs], Tue Jan 12 15:49:43 2010 UTC (14 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.257: +10 -4 lines
Diff to previous 1.257 (colored)

Unbreak 10/8 and friends.

Revision 1.257 / (download) - annotate - [select for diffs], Tue Jan 12 14:44:26 2010 UTC (14 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.256: +12 -10 lines
Diff to previous 1.256 (colored)

Fix some issues in redir spec handling, discovered thanks to dlg testing
- purge irrelevant addresses from the lists before collapsing
- ensure the lists are freed after they're collapsed
- more careful ifname copying, avoiding double-free / use-after-free traps

Revision 1.256 / (download) - annotate - [select for diffs], Tue Jan 12 03:20:51 2010 UTC (14 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.255: +37 -50 lines
Diff to previous 1.255 (colored)

First pass at removing the 'pf_pool' mechanism for translation and routing
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.

ok henning dlg claudio

Revision 1.255 / (download) - annotate - [select for diffs], Thu Dec 24 10:06:35 2009 UTC (14 years, 5 months ago) by sobrado
Branch: MAIN
Changes since 1.254: +2 -2 lines
Diff to previous 1.254 (colored)

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@

Revision 1.254 / (download) - annotate - [select for diffs], Thu Dec 24 04:24:19 2009 UTC (14 years, 5 months ago) by dlg
Branch: MAIN
Changes since 1.253: +3 -1 lines
Diff to previous 1.253 (colored)

add support to pf for filtering a packet by the interface it was received
on. use the received-on IFNAME filter option on a pf.conf rule to restrict
which packet the interface had to be received on. eg:

  pass out on em0 from $foo to $bar received-on fxp0

i've been running this in production for a week now. i find it particularly
useful with interface groups.

no objections, and a few "i like"s from henning, claudio, deraadt, mpf

Revision 1.253 / (download) - annotate - [select for diffs], Mon Dec 14 12:31:45 2009 UTC (14 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.252: +17 -11 lines
Diff to previous 1.252 (colored)

fix sticky-address - by pretty much re-implementing it. still following
the original approach using a source tracking node.
the reimplementation is more flexible than the original one, we now have an
slist of source tracking nodes per state. that is cheap because more than
one entry will be an absolute exception.
ok beck and jsg, also stress tested by Sebastian Benoit <benoit-lists at fb12.de>

Revision 1.252 / (download) - annotate - [select for diffs], Mon Nov 23 21:29:21 2009 UTC (14 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.251: +2 -5 lines
Diff to previous 1.251 (colored)

since "nat/rdr pass" are history natpass can go

Revision 1.251 / (download) - annotate - [select for diffs], Sun Nov 22 22:34:50 2009 UTC (14 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.250: +5 -5 lines
Diff to previous 1.250 (colored)

cleanup after the NAT changes. we used to have multiple rulesets (scrub,
NAT, filter). now we only have one. no need for an array any more. simplifies
the code quite a bit.
in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the
table code.
written at the filesystem hackathon in stockholm, committed from the
hardware hackathon in portugal. ok gcc and jsing

Revision 1.250 / (download) - annotate - [select for diffs], Wed Oct 28 20:11:01 2009 UTC (14 years, 7 months ago) by jsg
Branch: MAIN
Changes since 1.249: +2 -2 lines
Diff to previous 1.249 (colored)

Add a dedicated pf pool for route options as suggested by henning,
which unbreaks ie route-to after the recent pf changes.

With much help debugging and pointing out of missing bits from claudio@

ok claudio@ "looks good" henning@

Revision 1.249 / (download) - annotate - [select for diffs], Sun Oct 4 16:08:37 2009 UTC (14 years, 8 months ago) by michele
Branch: MAIN
Changes since 1.248: +3 -1 lines
Diff to previous 1.248 (colored)

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who spotted out which are the limitations of this approach.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@

Revision 1.248 / (download) - annotate - [select for diffs], Tue Sep 8 17:52:17 2009 UTC (14 years, 9 months ago) by michele
Branch: MAIN
Changes since 1.247: +0 -2 lines
Diff to previous 1.247 (colored)

I had not enough oks to commit this diff.
Sorry.

Revision 1.247 / (download) - annotate - [select for diffs], Tue Sep 8 17:00:41 2009 UTC (14 years, 9 months ago) by michele
Branch: MAIN
Changes since 1.246: +3 -1 lines
Diff to previous 1.246 (colored)

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.

Revision 1.246 / (download) - annotate - [select for diffs], Wed Sep 2 13:28:03 2009 UTC (14 years, 9 months ago) by reyk
Branch: MAIN
Changes since 1.245: +15 -15 lines
Diff to previous 1.245 (colored)

all the new *-to options are part of the "filteropts" section at the
end of a pf rule (nat-to, divert-to, rdr-to, ...).  take the
historical chance to upgrade the grammar and move the route options to
the filteropts section as well.

for example,
  pass in on em0 route-to (em1 192.168.1.1) from 10.1.1.1
becomes
  pass in on em0 from 10.1.1.1 route-to (em1 192.168.1.1)

many people like this including pyr@ mk@ kettenis@ todd@ and others
ok henning@

Revision 1.245 / (download) - annotate - [select for diffs], Tue Sep 1 13:42:00 2009 UTC (14 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.244: +11 -15 lines
Diff to previous 1.244 (colored)

the diff theo calls me insane for:
rewrite of the NAT code, basically. nat and rdr become actions on regular
rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent
this in pfctl for now, there are implications that need to be documented
better.
the address rewrite happens inline, subsequent rules will see the already
changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too

Revision 1.244 / (download) - annotate - [select for diffs], Wed Apr 15 05:07:02 2009 UTC (15 years, 1 month ago) by david
Branch: MAIN
CVS Tags: OPENBSD_4_6_BASE, OPENBSD_4_6
Changes since 1.243: +4 -1 lines
Diff to previous 1.243 (colored)

restore printing of the fragment option; ok henning@

Revision 1.243 / (download) - annotate - [select for diffs], Mon Apr 6 12:11:52 2009 UTC (15 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.242: +38 -15 lines
Diff to previous 1.242 (colored)

print prettier, from sthen@

Revision 1.242 / (download) - annotate - [select for diffs], Mon Apr 6 12:05:55 2009 UTC (15 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.241: +25 -27 lines
Diff to previous 1.241 (colored)

1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop
and drop-ovl are gone.
.  set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set
have it cleared before entering the fragment cache, and thus the
reassembled packet doesn't have df set either. it does NOT touch
non-fragmented packets.
3) regular rules can have scrub options.
.  pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
.  match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do
what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used
like they do. opposed to pass or block, they do NOT change the
pass/block state of a packet. i. e.
.  pass
.  match
passes the packet, and
.  block
.  match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the
last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a
queue wins. note how this is different from the last matching rule
wins, if the last matching rule has no queue assignments and the
second last matching rule was a match rule with queue assignments,
these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work
like the above
-logging. every matching rule causes the packet to be logged. this
 means a single packet can get logged more than once (think multiple log
 interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to
release. this really should have been multiple diffs, but splitting them
now is not feasible any more. input from mcbride and dlg, and frantzen
about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules
were in use.
manpage not up to date, being worked on.

Revision 1.241 / (download) - annotate - [select for diffs], Tue Sep 9 13:56:38 2008 UTC (15 years, 9 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_4_5_BASE, OPENBSD_4_5
Changes since 1.240: +7 -1 lines
Diff to previous 1.240 (colored)

welcome pflow(4), a netflow v5 compatible flow export interface.
flows export data gathered from pf states.
initial implementation by Joerg Goltermann <jg@osn.de>, guidance and many
changes by me. 'put it in' theo

Revision 1.240 / (download) - annotate - [select for diffs], Tue Jun 10 20:55:02 2008 UTC (16 years ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_4_4_BASE, OPENBSD_4_4
Changes since 1.239: +3 -1 lines
Diff to previous 1.239 (colored)

Make counters on table addresses optional and disabled by default.
Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt

Revision 1.239 / (download) - annotate - [select for diffs], Tue Jun 10 04:28:54 2008 UTC (16 years ago) by henning
Branch: MAIN
Changes since 1.238: +9 -1 lines
Diff to previous 1.238 (colored)

new state option "sloppy" to use the sloppy tcp state tracker instead
of the good one. ok theo ryan reyk

Revision 1.238 / (download) - annotate - [select for diffs], Fri May 9 05:41:01 2008 UTC (16 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.237: +2 -2 lines
Diff to previous 1.237 (colored)

convert port byte order in the production; add port keyword; ok deraadt@

Revision 1.237 / (download) - annotate - [select for diffs], Fri May 9 02:44:55 2008 UTC (16 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.236: +17 -1 lines
Diff to previous 1.236 (colored)

divert packets to local socket without modifying the ip header;
makes transparent proxies much easier; ok beck@, feedback claudio@

Revision 1.236 / (download) - annotate - [select for diffs], Wed May 7 06:23:30 2008 UTC (16 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.235: +3 -1 lines
Diff to previous 1.235 (colored)

allow setting TOS with scrub; ok mcbride, claudio

Revision 1.235 / (download) - annotate - [select for diffs], Mon Oct 15 02:16:35 2007 UTC (16 years, 8 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_4_3_BASE, OPENBSD_4_3
Changes since 1.234: +2 -2 lines
Diff to previous 1.234 (colored)

specifying int instead of just unsigned is better style

Revision 1.234 / (download) - annotate - [select for diffs], Tue Oct 31 23:46:24 2006 UTC (17 years, 7 months ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_4_2_BASE, OPENBSD_4_2, OPENBSD_4_1_BASE, OPENBSD_4_1
Changes since 1.233: +1 -7 lines
Diff to previous 1.233 (colored)

Allow a user to recursively print anchors including those without
reserved names, if a trailing * is specified in the anchor name.
e.g. recursively print the main ruleset:

	pfctl -a '*' -sr

Recursively print the spam anchor:

	pfctl -a 'spam*'
	pfctl -a 'spam/*'

Also fix a bug which prevented the contents of inline anchors with
explicit names from being loaded into the kernel.

ok henning@

Revision 1.233 / (download) - annotate - [select for diffs], Sat Oct 28 14:29:05 2006 UTC (17 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.232: +13 -5 lines
Diff to previous 1.232 (colored)

Load all rules into memory before loading into the kernel, and add support
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").

anchor on fxp0 {
	pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@

Revision 1.232 / (download) - annotate - [select for diffs], Wed Oct 25 11:28:36 2006 UTC (17 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.231: +5 -2 lines
Diff to previous 1.231 (colored)

allow the log interface to be selected like
pass log(to pflog5)
block out log(to pflog2)
input & ok mcbride

Revision 1.231 / (download) - annotate - [select for diffs], Tue Oct 17 07:14:28 2006 UTC (17 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.230: +2 -2 lines
Diff to previous 1.230 (colored)

Don't automatically set 'flags S/SA' on stateless rules.

pointed out by david@

ok mpf@ dhartmei@

Revision 1.230 / (download) - annotate - [select for diffs], Fri Oct 6 17:04:53 2006 UTC (17 years, 8 months ago) by mcbride
Branch: MAIN
Changes since 1.229: +7 -3 lines
Diff to previous 1.229 (colored)

Print 'flags any' correctly and handle anchors.

Revision 1.229 / (download) - annotate - [select for diffs], Fri Oct 6 16:42:03 2006 UTC (17 years, 8 months ago) by mcbride
Branch: MAIN
Changes since 1.228: +2 -2 lines
Diff to previous 1.228 (colored)

'no state' should only be printed on pass rules, though.

Revision 1.228 / (download) - annotate - [select for diffs], Fri Oct 6 16:27:49 2006 UTC (17 years, 8 months ago) by mcbride
Branch: MAIN
Changes since 1.227: +4 -2 lines
Diff to previous 1.227 (colored)

Print out 'no state' when the rule is not stateful.

Revision 1.227 / (download) - annotate - [select for diffs], Tue Aug 8 20:05:54 2006 UTC (17 years, 10 months ago) by dhartmei
Branch: MAIN
CVS Tags: OPENBSD_4_0_BASE, OPENBSD_4_0
Changes since 1.226: +4 -6 lines
Diff to previous 1.226 (colored)

properly join host lists in ifa_grouplookup(), closes PR 5195,
reported by andrew fresh

Revision 1.226 / (download) - annotate - [select for diffs], Thu Jul 6 13:26:41 2006 UTC (17 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.225: +3 -1 lines
Diff to previous 1.225 (colored)

add "rtable" to select alternate routing tables.
with & ok claudio hshoexer

Revision 1.225 / (download) - annotate - [select for diffs], Fri Jun 30 16:52:27 2006 UTC (17 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.224: +3 -3 lines
Diff to previous 1.224 (colored)

spaces

Revision 1.224 / (download) - annotate - [select for diffs], Tue May 23 12:04:28 2006 UTC (18 years ago) by henning
Branch: MAIN
Changes since 1.223: +3 -2 lines
Diff to previous 1.223 (colored)

member interfaces of groups might have no IPs and ifa_lookup return NULL,
account for that. fixes PR5130, ok dhartmei

Revision 1.223 / (download) - annotate - [select for diffs], Tue Mar 21 03:31:09 2006 UTC (18 years, 2 months ago) by dhartmei
Branch: MAIN
Changes since 1.222: +6 -5 lines
Diff to previous 1.222 (colored)

instead of sizeof(array) / sizeof(element) computation, use the existing
end-of-array NULL marker, shuts up source analysis tool, from deraadt@

Revision 1.222 / (download) - annotate - [select for diffs], Fri Nov 4 08:24:15 2005 UTC (18 years, 7 months ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_3_9_BASE, OPENBSD_3_9
Changes since 1.221: +3 -2 lines
Diff to previous 1.221 (colored)

crank pf_state and pf_src_node byte and packet counters to u_int64_t, since
we're breaking pfsync compatibility this cycle anyways.

Requested by djm@, ok henning@, 'wheee!' deraadt@

Revision 1.221 / (download) - annotate - [select for diffs], Tue Oct 18 08:59:30 2005 UTC (18 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.220: +66 -1 lines
Diff to previous 1.220 (colored)

add support for static interface group expansion, i. e.
pass to group
ok hshoexer, hacked at linux-kongress last week

Revision 1.220 / (download) - annotate - [select for diffs], Thu Oct 13 13:27:06 2005 UTC (18 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.219: +3 -3 lines
Diff to previous 1.219 (colored)

unused parameters

Revision 1.219 / (download) - annotate - [select for diffs], Thu Jun 30 20:52:20 2005 UTC (18 years, 11 months ago) by sturm
Branch: MAIN
CVS Tags: OPENBSD_3_8_BASE, OPENBSD_3_8
Changes since 1.218: +3 -3 lines
Diff to previous 1.218 (colored)

in order for pfvar.h not to conflict with openssl's crypto.h, use
PF_MD5_DIGEST_LENGTH instead of including crypto/md5.h

ok markus@, henning@, mpf@

Revision 1.218 / (download) - annotate - [select for diffs], Mon Jun 13 20:17:26 2005 UTC (19 years ago) by henning
Branch: MAIN
Changes since 1.217: +3 -2 lines
Diff to previous 1.217 (colored)

make the packet and byte counters on rules and src nodes per direction,
matches the counters on states now. also fix the counting on scrub rules
where we previously did not handle the byte counters at all.
extend pfctl -sl output to include the new separate in/out counters
hacked on the ferry from Earls Cove to Saltery Bay
ok ryan

Revision 1.217 / (download) - annotate - [select for diffs], Fri May 27 22:09:06 2005 UTC (19 years ago) by mcbride
Branch: MAIN
Changes since 1.216: +10 -7 lines
Diff to previous 1.216 (colored)

Hide Hostid and Checksum in pfctl -si output unless the -v flag is used.

Prodded by henning@

Revision 1.216 / (download) - annotate - [select for diffs], Fri May 27 21:41:04 2005 UTC (19 years ago) by mpf
Branch: MAIN
Changes since 1.215: +15 -5 lines
Diff to previous 1.215 (colored)

Calculate an MD5 checksum over the main pf ruleset.
This is the basis for further pfsync improvements,
to ensure that pf rules are in sync with the master.

"get it in" mcbride@

Revision 1.215 / (download) - annotate - [select for diffs], Fri May 27 18:52:42 2005 UTC (19 years ago) by dhartmei
Branch: MAIN
Changes since 1.214: +8 -7 lines
Diff to previous 1.214 (colored)

get rid of 'log-all'. now that we have 'log (options)', make 'all' an
option to log. so, 'log-all' becomes 'log (all)'.

Revision 1.214 / (download) - annotate - [select for diffs], Fri May 27 17:22:40 2005 UTC (19 years ago) by dhartmei
Branch: MAIN
Changes since 1.213: +13 -5 lines
Diff to previous 1.213 (colored)

log two pairs of uid/pid through pflog: the uid/pid of the process that
inserted the rule which causes the logging. secondly, the uid/pid of the
process in case the logged packet is delivered to/from a local socket.
a lookup of the local socket can be forced for logged packets with a new
option, 'log (user)'. make tcpdump print the additional information when
-e and -v is used. note: this changes the pflog header struct, rebuild all
dependencies. ok bob@, henning@.

Revision 1.213 / (download) - annotate - [select for diffs], Thu May 26 15:30:39 2005 UTC (19 years ago) by dhartmei
Branch: MAIN
Changes since 1.212: +3 -3 lines
Diff to previous 1.212 (colored)

use PF_LOG, PF_LOGALL instead of numeric constants

Revision 1.212 / (download) - annotate - [select for diffs], Sat May 21 21:03:58 2005 UTC (19 years ago) by henning
Branch: MAIN
Changes since 1.211: +2 -8 lines
Diff to previous 1.211 (colored)

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo

Revision 1.211 / (download) - annotate - [select for diffs], Tue Dec 7 10:33:41 2004 UTC (19 years, 6 months ago) by dhartmei
Branch: MAIN
CVS Tags: OPENBSD_3_7_BASE, OPENBSD_3_7
Changes since 1.210: +4 -2 lines
Diff to previous 1.210 (colored)

re-commit mcbride@'s 'flush global', this time without the breakage in
pfvar.h. builds kernel and userland.

Revision 1.210 / (download) - annotate - [select for diffs], Tue Dec 7 09:38:04 2004 UTC (19 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.209: +1 -3 lines
Diff to previous 1.209 (colored)

oops, incomplete backout

Revision 1.209 / (download) - annotate - [select for diffs], Tue Dec 7 05:30:27 2004 UTC (19 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.208: +4 -2 lines
Diff to previous 1.208 (colored)

Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states
originating from the offending source. ABI change, requires kernel and pfctl
to be in sync.

ok deraadt@ henning@ dhartmei@

Revision 1.208 / (download) - annotate - [select for diffs], Sat Dec 4 07:58:52 2004 UTC (19 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.207: +40 -2 lines
Diff to previous 1.207 (colored)

Userland support for limiting open tcp connections per source. eg:

keep state (max-src-conn 1000, max-src-conn-rate 100/10, overflow <bad> flush)

allow a maximum of 1000 open connections or 100 new connections in 10 seconds.
The addresses of offenders are added to the <bad> table which can be used in
the ruleset, and existing states from that host are flushed.

ok deraadt@ dhartmei@

Revision 1.203.2.1 / (download) - annotate - [select for diffs], Sat Nov 13 23:52:14 2004 UTC (19 years, 7 months ago) by brad
Branch: OPENBSD_3_6
Changes since 1.203: +9 -3 lines
Diff to previous 1.203 (colored) next main 1.204 (colored)

MFC:
Fix by dhartmei@

do not assume entries in pf_timeouts[] are ordered like PFTM_* in pfvar.h
reported by Alexey E. Suslikov

ok deraadt@ dhartmei@

Revision 1.207 / (download) - annotate - [select for diffs], Tue Nov 9 11:26:04 2004 UTC (19 years, 7 months ago) by dhartmei
Branch: MAIN
Changes since 1.206: +9 -3 lines
Diff to previous 1.206 (colored)

do not assume entries in pf_timeouts[] are ordered like PFTM_* in pfvar.h
reported by Alexey E. Suslikov, ok henning@

Revision 1.206 / (download) - annotate - [select for diffs], Thu Sep 30 16:38:01 2004 UTC (19 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.205: +2 -2 lines
Diff to previous 1.205 (colored)

print invalid hostmask when refusing it, ok deraadt@

Revision 1.205 / (download) - annotate - [select for diffs], Mon Sep 27 12:51:12 2004 UTC (19 years, 8 months ago) by jaredy
Branch: MAIN
Changes since 1.204: +3 -2 lines
Diff to previous 1.204 (colored)

anchor rules referencing anchors using slashes may need quotes.

ok mcbride henning

Revision 1.204 / (download) - annotate - [select for diffs], Tue Sep 21 16:59:11 2004 UTC (19 years, 8 months ago) by aaron
Branch: MAIN
Changes since 1.203: +5 -5 lines
Diff to previous 1.203 (colored)

Implement "no scrub" to allow exclusion of specific traffic from scrub rules.
First match wins, just like "no {binat,nat,rdr}".  henning@, dhartmei@ ok

Revision 1.203 / (download) - annotate - [select for diffs], Fri Jul 16 23:44:25 2004 UTC (19 years, 10 months ago) by frantzen
Branch: MAIN
CVS Tags: OPENBSD_3_6_BASE
Branch point for: OPENBSD_3_6
Changes since 1.202: +2 -4 lines
Diff to previous 1.202 (colored)

'pfctl -o' ruleset optimizer that doesn't change the meaning of the final ruleset
- remove identical and subsetted rules
- when advantageous merge rules w/ similar addresses into a table and one rule
- re-order rules to improve skip step performance (can do better w/ kernel mods)
- 'pfctl -oo' will load the currently running ruleset and use it as a profile
to direct the optimization of quicked rules
ok henning@ mcbride@.  man page help from jmc@

Revision 1.202 / (download) - annotate - [select for diffs], Tue Jun 29 22:14:13 2004 UTC (19 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.201: +2 -58 lines
Diff to previous 1.201 (colored)

remove cedric's bogus interface name verification code.
this was meant to verify that ne3 is a valid interface that could show
up, but bogus0 is not. while this might sound like a good idea it is
completely broken and causes a shitload of problems. just allow for anything
as interface name, the kernel abstracts that nice enough. if no interface
by that name exists (or shows up) the rule never matches; that matches
pf semantics used everywhere else.
this also fixes the "pfctl always has to run as root" issue that cedric
did not fix over the last 6 months despite being bugged about it regularly.
help & ok mcbride@

Revision 1.201 / (download) - annotate - [select for diffs], Thu Jun 10 14:22:54 2004 UTC (20 years ago) by dhartmei
Branch: MAIN
Changes since 1.200: +4 -4 lines
Diff to previous 1.200 (colored)

rename struct pf_rule_addr member 'not' to 'neg', as 'not' is a reserved
keyword in C++. ok henning@, cedric@

Revision 1.200 / (download) - annotate - [select for diffs], Thu May 27 11:48:06 2004 UTC (20 years ago) by henning
Branch: MAIN
Changes since 1.199: +4 -2 lines
Diff to previous 1.199 (colored)

plug memleak in error path
From: Andrey Matveev <andrushock@korovino.net>

Revision 1.199 / (download) - annotate - [select for diffs], Wed May 19 17:50:51 2004 UTC (20 years ago) by dhartmei
Branch: MAIN
Changes since 1.198: +9 -14 lines
Diff to previous 1.198 (colored)

Allow recursive anchors (anchors within anchors, up to 64
levels deep). More work required, but this is already
functional. authpf users will need to adjust their anchor
calls, but this will change again soon. ok beck@, cedric@,
henning@, mcbride@

Revision 1.198 / (download) - annotate - [select for diffs], Fri May 7 16:54:20 2004 UTC (20 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.197: +3 -3 lines
Diff to previous 1.197 (colored)

typos
From: Jared Yanovich <phirerunner@comcast.net>

Revision 1.197 / (download) - annotate - [select for diffs], Wed May 5 23:16:03 2004 UTC (20 years, 1 month ago) by frantzen
Branch: MAIN
Changes since 1.196: +2 -1 lines
Diff to previous 1.196 (colored)

Use RFC1323 PAWS timestamps as a logical extension to the conventional TCP
sequence numbers by taking advantage of the maximum 1KHz clock as an upperbound
on the timestamp.  Typically gains 10 to 18 bits of additional security against
blind data insertion attacks.  More if the TS Echo wasn't optional :-(
Enabled with:  scrub on !lo0 all reassemble tcp
ok dhartmei@.  documentation help from jmc@
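
An added illustration of the check the message above describes (example code written for this page, not pf's pf_normalize_tcp_stateful()): an RFC 1323 timestamp clock ticks at most 1000 times a second, so the TSval a peer can legitimately send is bounded from below by PAWS (not older than what was last seen) and from above by the wall clock (not more ticks ahead than milliseconds have elapsed). The per-peer struct, the TS_SLACK tolerance and the replayed trace are all constructed for the example.

```c
#include <stdint.h>

/* Per-peer timestamp history (constructed for this example). */
struct ts_peer {
	uint32_t last_tsval;	/* newest TSval seen from this peer */
	uint64_t last_ms;	/* wall-clock milliseconds when it was seen */
	int	 seen;		/* 0 until the first timestamped segment */
};

#define TS_MAX_HZ	1000u	/* RFC 1323: the timestamp clock ticks at most once per ms */
#define TS_SLACK	2000	/* assumed tolerance for skew, reordering and coarse clocks */

/*
 * Returns 1 if tsval is plausible for this peer and records it, 0 if the
 * segment should be dropped. Two checks: PAWS (not older than what we have
 * seen, minus slack) and the 1 kHz bound (not further ahead than the wall
 * clock allows, plus slack). Differences on tsval are taken modulo 2^32.
 */
int
ts_check(struct ts_peer *p, uint32_t tsval, uint64_t now_ms)
{
	int64_t	elapsed, max_advance;
	int32_t	delta;

	if (!p->seen) {
		p->last_tsval = tsval;
		p->last_ms = now_ms;
		p->seen = 1;
		return (1);
	}
	elapsed = (int64_t)(now_ms - p->last_ms);
	if (elapsed < 0)
		elapsed = 0;		/* a clock step backwards counts as no time */
	max_advance = elapsed * TS_MAX_HZ / 1000 + TS_SLACK;
	delta = (int32_t)(tsval - p->last_tsval);	/* signed modular difference */

	if (delta < -TS_SLACK)
		return (0);		/* too old: PAWS rejects it */
	if (delta > max_advance)
		return (0);		/* too new: the clock cannot have ticked that often */
	if (delta > 0) {
		p->last_tsval = tsval;
		p->last_ms = now_ms;
	}
	return (1);
}

/*
 * Replays a constructed trace (assumed values, not captured traffic) and
 * returns the decisions as a bitmask, bit i set = segment i accepted.
 */
unsigned
ts_replay_trace(void)
{
	static const struct { uint32_t tsval; uint64_t ms; } trace[] = {
		{ 100000, 0 },		/* first segment: establishes the baseline */
		{ 100500, 1000 },	/* 500 ticks in 1 s: a 500 Hz clock, plausible */
		{ 150500, 1100 },	/* 50000 ticks in 100 ms: forged */
		{ 90000, 1200 },	/* 10500 ticks behind: PAWS rejects */
		{ 100400, 1300 },	/* 100 behind, inside the slack: reordering */
	};
	struct ts_peer	p = { 0, 0, 0 };
	unsigned	mask = 0, i;

	for (i = 0; i < sizeof(trace) / sizeof(trace[0]); i++)
		if (ts_check(&p, trace[i].tsval, trace[i].ms))
			mask |= 1u << i;
	return (mask);
}

/* Timestamp wrap: 0xfffffff0 followed by 0x10 is a forward step of 32 ticks. */
int
ts_wrap_ok(void)
{
	struct ts_peer p = { 0xfffffff0u, 0, 1 };

	return (ts_check(&p, 0x10, 100) && p.last_tsval == 0x10);
}
```

ts_replay_trace() accepts segments 0, 1 and 4 and drops the impossible jump and the stale value. The width of that accept window, a few thousand ticks out of 2^32, is what a blind attacker now has to hit in addition to the sequence-number window.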

Revision 1.194.2.1 / (download) - annotate - [select for diffs], Wed May 5 04:00:50 2004 UTC (20 years, 1 month ago) by brad
Branch: OPENBSD_3_5
Changes since 1.194: +27 -6 lines
Diff to previous 1.194 (colored) next main 1.195 (colored)

MFC:
Fix by cedric@

Better interface filtering. vlan1 should not match vlan19.
Found by Mike Wolman

ok deraadt@

Revision 1.196 / (download) - annotate - [select for diffs], Sat Apr 24 23:22:54 2004 UTC (20 years, 1 month ago) by cedric
Branch: MAIN
Changes since 1.195: +16 -1 lines
Diff to previous 1.195 (colored)

Add "probability xxx" rule modifier. ok deraadt@

Revision 1.195 / (download) - annotate - [select for diffs], Wed Apr 14 10:51:10 2004 UTC (20 years, 2 months ago) by cedric
Branch: MAIN
Changes since 1.194: +27 -6 lines
Diff to previous 1.194 (colored)

Better interface filtering. vlan1 should not match vlan19.
Found by Mike Wolman, ok dhartmei@ mcbride@

Revision 1.194 / (download) - annotate - [select for diffs], Mon Mar 15 15:25:44 2004 UTC (20 years, 3 months ago) by dhartmei
Branch: MAIN
CVS Tags: OPENBSD_3_5_BASE
Branch point for: OPENBSD_3_5
Changes since 1.193: +13 -11 lines
Diff to previous 1.193 (colored)

cast %llu arguments to unsigned long long, from Max Laier,
ok henning@ cedric@

Revision 1.193 / (download) - annotate - [select for diffs], Wed Mar 10 17:48:48 2004 UTC (20 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.192: +6 -2 lines
Diff to previous 1.192 (colored)

plug 3 memory leaks; 2 from andrushock, 1 by me
ok pb deraadt

Revision 1.192 / (download) - annotate - [select for diffs], Tue Feb 10 17:53:37 2004 UTC (20 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.191: +6 -5 lines
Diff to previous 1.191 (colored)

KNF

Revision 1.191 / (download) - annotate - [select for diffs], Tue Feb 10 09:27:01 2004 UTC (20 years, 4 months ago) by cedric
Branch: MAIN
Changes since 1.190: +7 -6 lines
Diff to previous 1.190 (colored)

new kernel reports enabled & disabled time - use that info.
ok henning@ mcbride@

Revision 1.190 / (download) - annotate - [select for diffs], Tue Feb 3 17:59:37 2004 UTC (20 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.189: +18 -12 lines
Diff to previous 1.189 (colored)

bring back this fluffy change, of course without the bug:
==
to parse v4 addresses, only use inet_net_pton when we find a /, otherwise
use inet_pton.
helps bob who likes to type 1.2 3.4 instead of 1.2.3.4 and wonders why this
results in two addresses.
PR3638, bob ok
==
make sure bits is either 32 or what inet_net_pton tells us, and always call
set_ipmask to mask the boring bits away

ok dhartmei@ mcbride@ david@

Revision 1.189 / (download) - annotate - [select for diffs], Sun Jan 25 18:47:15 2004 UTC (20 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.188: +11 -18 lines
Diff to previous 1.188 (colored)

This fix was made WITHOUT RUNNING REGRESS.  Henning, you are being
extremely unfluffy, King Bula is coming for your head.

Revision 1.188 / (download) - annotate - [select for diffs], Thu Jan 22 13:32:00 2004 UTC (20 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.187: +19 -12 lines
Diff to previous 1.187 (colored)

to parse v4 addresses, only use inet_net_pton when we find a /, otherwise
use inet_pton.
helps bob who likes to type 1.2 3.4 instead of 1.2.3.4 and wonders why this
results in two addresses.
PR3638, bob ok

Revision 1.187 / (download) - annotate - [select for diffs], Wed Dec 31 22:14:41 2003 UTC (20 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.186: +4 -4 lines
Diff to previous 1.186 (colored)

spacing.  note this, cedric

Revision 1.186 / (download) - annotate - [select for diffs], Wed Dec 31 11:18:24 2003 UTC (20 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.185: +158 -33 lines
Diff to previous 1.185 (colored)

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces, for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@

Revision 1.185 / (download) - annotate - [select for diffs], Fri Dec 19 16:12:43 2003 UTC (20 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.184: +2 -1 lines
Diff to previous 1.184 (colored)

i wrote much of these, assert my copyright

Revision 1.184 / (download) - annotate - [select for diffs], Wed Dec 17 16:36:30 2003 UTC (20 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.183: +3 -3 lines
Diff to previous 1.183 (colored)

cosmetics, ok mcbride@

Revision 1.183 / (download) - annotate - [select for diffs], Mon Dec 15 07:11:30 2003 UTC (20 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.182: +2 -1 lines
Diff to previous 1.182 (colored)

Add initial support for pf state synchronization over the network.
Implemented as an in-kernel multicast IP protocol.

Turn it on like this:

# ifconfig pfsync0 up syncif fxp0

There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. ie, a crossover cable between the two
firewalls.

NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
  added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
  be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
  packets on pfsync no longer contain regular pf_state structs,
  but pfsync_state structs which contain no pointers.

Much more to come.

ok deraadt@

Revision 1.182 / (download) - annotate - [select for diffs], Mon Dec 15 00:02:03 2003 UTC (20 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.181: +96 -3 lines
Diff to previous 1.181 (colored)

Add support to track stateful connections by source ip. This allows us
to:
- Ensure that clients get a consistent IP mapping with load-balanced
  translation/routing rules
- Limit the number of simultaneous connections a client can make
- Limit the number of clients which can connect through a rule

ok dhartmei@ deraadt@

Revision 1.181 / (download) - annotate - [select for diffs], Fri Nov 14 15:32:33 2003 UTC (20 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.180: +7 -4 lines
Diff to previous 1.180 (colored)

in print_status:
-print debuglevel "Loud", this was omitted before (caught by mpech@)
-use the fine PF_DEBUG_* defines instead of magic numbers

ok markus

Revision 1.180 / (download) - annotate - [select for diffs], Sat Nov 8 00:45:34 2003 UTC (20 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.179: +9 -1 lines
Diff to previous 1.179 (colored)

Add 'no-sync' state option to prevent state transition messages for states
created by this rule from appearing on the pfsync(4) interface. e.g.

pass in proto tcp to self flags S/SA keep state (no-sync)

ok cedric@ henning@ dhartmei@

Revision 1.179 / (download) - annotate - [select for diffs], Thu Nov 6 15:18:12 2003 UTC (20 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.178: +3 -3 lines
Diff to previous 1.178 (colored)

two more KNF violations I missed earlier. who introduces those all the time?

Revision 1.178 / (download) - annotate - [select for diffs], Thu Nov 6 15:02:11 2003 UTC (20 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.177: +2 -2 lines
Diff to previous 1.177 (colored)

KNF

Revision 1.177 / (download) - annotate - [select for diffs], Wed Oct 8 14:47:57 2003 UTC (20 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.176: +2 -2 lines
Diff to previous 1.176 (colored)

fix cedric's breakage:
int is not the same as u_long
caused an integer overflow on our 64 bit archs and thus made pf not work
there

ok mcbride@ marc@ millert@ cedric@

Revision 1.176 / (download) - annotate - [select for diffs], Fri Sep 26 21:44:09 2003 UTC (20 years, 8 months ago) by cedric
Branch: MAIN
Changes since 1.175: +44 -1 lines
Diff to previous 1.175 (colored)

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remain in the kernel). Basically, improvements are:

   - Anchors/Rulesets cannot disappear unexpectedly anymore.
   - No more leftovers in the kernel if "pfctl -f" fails.
   - Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

   - DIOCBEGINRULES
   - DIOCCOMMITRULES
   - DIOCBEGINALTQS
   - DIOCCOMMITALTQS
   - DIOCRINABEGIN
   - DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

   - DIOCXBEGIN
   - DIOCXCOMMIT
   - DIOCXROLLBACK

Ok dhartmei@ mcbride@

Revision 1.175 / (download) - annotate - [select for diffs], Thu Sep 18 20:27:58 2003 UTC (20 years, 8 months ago) by cedric
Branch: MAIN
Changes since 1.174: +3 -1 lines
Diff to previous 1.174 (colored)

Not all address types have a mask.
ok henning@

Revision 1.174 / (download) - annotate - [select for diffs], Fri Aug 22 21:52:11 2003 UTC (20 years, 9 months ago) by itojun
Branch: MAIN
CVS Tags: OPENBSD_3_4_BASE, OPENBSD_3_4
Changes since 1.173: +5 -5 lines
Diff to previous 1.173 (colored)

correct printf arg mismatch (in 64bit arch). dhartmei ok

Revision 1.173 / (download) - annotate - [select for diffs], Thu Aug 21 19:12:08 2003 UTC (20 years, 9 months ago) by frantzen
Branch: MAIN
Changes since 1.172: +12 -6 lines
Diff to previous 1.172 (colored)

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
.	block proto tcp from any os SCO
.	block proto tcp from any os Windows to any port smtp
.	rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001

Revision 1.172 / (download) - annotate - [select for diffs], Tue Jul 29 19:47:22 2003 UTC (20 years, 10 months ago) by cedric
Branch: MAIN
Changes since 1.171: +78 -81 lines
Diff to previous 1.171 (colored)

Remove space at end of line.
Ok dhartmei@ henning@

Revision 1.171 / (download) - annotate - [select for diffs], Mon Jul 21 22:31:36 2003 UTC (20 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.170: +2 -2 lines
Diff to previous 1.170 (colored)

KNF

Revision 1.170 / (download) - annotate - [select for diffs], Sat Jul 19 13:08:58 2003 UTC (20 years, 10 months ago) by cedric
Branch: MAIN
Changes since 1.169: +4 -4 lines
Diff to previous 1.169 (colored)

Simplify struct pf_pooladdr to include struct pf_addr_wrap directly
instead of indirectly through struct pf_rule_addr.

Ryan McBride says:
If I'm not mistaken, the code _used_ to use the ports in pf_rule_addr as
well. The code was changed to fix some of the bugs with port ranges, but
it was too late in the release cycle to make kernel API changes, so the
structure was left as is.

Needless to say: KERNEL/USERLAND SYNC REQUIRED.

ok henning@ mcbride@

Revision 1.169 / (download) - annotate - [select for diffs], Tue Jul 15 17:12:38 2003 UTC (20 years, 11 months ago) by cedric
Branch: MAIN
Changes since 1.168: +12 -10 lines
Diff to previous 1.168 (colored)

Repair memory management in table parsing code.
I need vacations.
Found and verified by Pyun YongHyeon.
ok dhartmei@

Revision 1.168 / (download) - annotate - [select for diffs], Fri Jul 11 08:29:34 2003 UTC (20 years, 11 months ago) by cedric
Branch: MAIN
Changes since 1.167: +54 -18 lines
Diff to previous 1.167 (colored)

Better parsing and -v support for tables:

  - remove the tableaddrs and tableaddr yacc production and reuse
    host_list instead.
  - produce better error messages.
  - do not load addresses from external file when it is not
    required (like with -R option).
  - store initializers in a new node_tinit linked list before
    putting them into the address buffer (see next point).
  - add a new print_tabledef() function, which makes "pfctl -nvf"
    print something useful for table definitions, which in turn
    makes it possible to write better regress tests (see first chunk
    of the diff) and makes table definitions consistent with other
    parsed rules.

ok dhartmei@

Revision 1.167 / (download) - annotate - [select for diffs], Fri Jul 4 11:05:44 2003 UTC (20 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.166: +2 -2 lines
Diff to previous 1.166 (colored)

KNF after cedric (grmpf)

Revision 1.166 / (download) - annotate - [select for diffs], Fri Jul 4 10:42:17 2003 UTC (20 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.165: +5 -2 lines
Diff to previous 1.165 (colored)

allow for a "pass" modifier on translation rules:
nat pass on $ext_if from $a to $b -> $ext_if
when the pass modifier is given, the filter ruleset is _not_ evaluated but
the packets matching this translation rule are passed unconditionally.

ok dhartmei@ cedric@ markus@

Revision 1.165 / (download) - annotate - [select for diffs], Thu Jul 3 09:13:06 2003 UTC (20 years, 11 months ago) by cedric
Branch: MAIN
Changes since 1.164: +69 -1 lines
Diff to previous 1.164 (colored)

This patch finally cleans up pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@

Revision 1.146.2.1 / (download) - annotate - [select for diffs], Thu Jun 12 19:00:43 2003 UTC (21 years ago) by brad
Branch: OPENBSD_3_3
Changes since 1.146: +4 -3 lines
Diff to previous 1.146 (colored) next main 1.147 (colored)

MFC:
Fix by henning@

in set_ipmask, do not try to mask off irrelevant bits of anything but
PF_ADDRMASK. due to the union this resulted in "masking" interface names in
the dynaddr case...
<henning@quigon:1>$ echo "pass inet from (le0)/8" | pfctl -nvf -
pass inet from (l)/8 to any
reported by AARON SUEN <ags137 at psu.edu> on misc@

deraadt@ ok

Revision 1.164 / (download) - annotate - [select for diffs], Thu Jun 12 09:40:33 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.163: +4 -3 lines
Diff to previous 1.163 (colored)

in set_ipmask, do not try to mask off irrelevant bits of anything but
PF_ADDRMASK. due to the union this resulted in "masking" interface names in
the dynaddr case...
<henning@quigon:1>$ echo "pass inet from (le0)/8" | pfctl -nvf -
pass inet from (l)/8 to any
reported by AARON SUEN <ags137 at psu.edu> on misc@

Revision 1.163 / (download) - annotate - [select for diffs], Wed Jun 11 02:54:02 2003 UTC (21 years ago) by itojun
Branch: MAIN
Changes since 1.162: +6 -6 lines
Diff to previous 1.162 (colored)

- sync up MLD declaration with RFC3542 (s/MLD6/MLD/)
- routing header declaration with RFC3542
  (note: sizeof(ip6_rthdr0) has changed!)
  also, sync up with RFC2460 routing header definition (no "strict" source
  routing mode any more)

part of advanced API update (RFC2292 -> 3542).

markus, todd, millert, henning ok

Revision 1.162 / (download) - annotate - [select for diffs], Mon Jun 9 11:14:46 2003 UTC (21 years ago) by mcbride
Branch: MAIN
Changes since 1.161: +4 -4 lines
Diff to previous 1.161 (colored)

Attempt to resolve byte order confusion in nat code once and for all.

- pf_get_sport() leaves the translated port in the packet in network byte order
- merge code for the p1=0 p2=0 case and static-port case in pr_get_sport()

NOTE: people who use the static-port keyword in their pf.conf need to make sure pfctl is updated along with their kernel.

Revision 1.161 / (download) - annotate - [select for diffs], Sat May 24 19:14:06 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.160: +2 -2 lines
Diff to previous 1.160 (colored)

better netmask check
help canacar@

ok canacar@ cedric@

Revision 1.160 / (download) - annotate - [select for diffs], Mon May 19 20:21:53 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.159: +24 -1 lines
Diff to previous 1.159 (colored)

reject invalid netmasks like 10.0.0.0/68, and fix up the netmask for
dynaddr rules after we know the address family

ok dhartmei@, inspired by a session with bob

Revision 1.159 / (download) - annotate - [select for diffs], Mon May 19 18:21:01 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.158: +2 -2 lines
Diff to previous 1.158 (colored)

err out on obviously wrong netmasks

Revision 1.158 / (download) - annotate - [select for diffs], Sat May 17 02:04:24 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.157: +5 -2 lines
Diff to previous 1.157 (colored)

support inverse matching on tags like
block in ! tagged sometag

ok dhartmei@ pb@

Revision 1.157 / (download) - annotate - [select for diffs], Fri May 16 17:15:17 2003 UTC (21 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.156: +3 -1 lines
Diff to previous 1.156 (colored)

TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive end-
point, preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@
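
A simplified model of the exchange described above, added here as example code (it is not pf's pf_synproxy implementation, which reuses the existing sequence modulators): the proxy answers the client's SYN with its own random ISN and sends nothing to the server until the client's ACK proves it saw that ISN; only then does it open the real connection, and afterwards it bridges the two handshakes by shifting the server side's sequence numbers by a fixed offset. The random ISN is passed in by the caller, and the ISNs in the self-checks are constructed values.

```c
#include <stdint.h>

enum { TH_SYN = 0x02, TH_PUSH = 0x08, TH_ACK = 0x10 };
enum { SP_DROP = 0, SP_REPLY = 1, SP_FORWARD = 2 };	/* verdicts */
enum sp_state { SP_IDLE, SP_SYNACK_SENT, SP_SERVER_SYN_SENT, SP_ESTABLISHED };

struct seg { uint8_t flags; uint32_t seq; uint32_t ack; };	/* the TCP fields the model needs */

struct synproxy {
	enum sp_state	state;
	uint32_t	client_isn;	/* client's ISN, reused toward the server */
	uint32_t	proxy_isn;	/* random ISN the proxy picked toward the client */
	uint32_t	server_isn;	/* learned from the server's SYN-ACK */
	uint32_t	seqdiff;	/* proxy_isn - server_isn (mod 2^32) */
};

/* random_isn comes from the caller: the example assumes a CSPRNG is available. */
void
sp_init(struct synproxy *sp, uint32_t random_isn)
{
	*sp = (struct synproxy){ SP_IDLE, 0, random_isn, 0, 0 };
}

/* Segment from the client: SP_REPLY sends *out back to the client, SP_FORWARD on to the server. */
int
sp_from_client(struct synproxy *sp, const struct seg *in, struct seg *out)
{
	switch (sp->state) {
	case SP_IDLE:
		if (in->flags != TH_SYN)
			return (SP_DROP);		/* only a bare SYN opens a state */
		sp->client_isn = in->seq;
		*out = (struct seg){ TH_SYN | TH_ACK, sp->proxy_isn, in->seq + 1 };
		sp->state = SP_SYNACK_SENT;
		return (SP_REPLY);			/* the server has seen nothing yet */
	case SP_SYNACK_SENT:
		/* the third packet proves the client saw our ISN; a spoofer cannot produce it */
		if (!(in->flags & TH_ACK) || in->ack != sp->proxy_isn + 1 ||
		    in->seq != sp->client_isn + 1)
			return (SP_DROP);
		*out = (struct seg){ TH_SYN, sp->client_isn, 0 };	/* now do the real handshake */
		sp->state = SP_SERVER_SYN_SENT;
		return (SP_FORWARD);
	case SP_ESTABLISHED:
		*out = *in;
		out->ack = in->ack - sp->seqdiff;	/* proxy seq space -> server seq space */
		return (SP_FORWARD);
	default:
		return (SP_DROP);			/* server handshake still in flight */
	}
}

/* Segment from the server: SP_REPLY sends *out back to the server, SP_FORWARD on to the client. */
int
sp_from_server(struct synproxy *sp, const struct seg *in, struct seg *out)
{
	switch (sp->state) {
	case SP_SERVER_SYN_SENT:
		if (in->flags != (TH_SYN | TH_ACK) || in->ack != sp->client_isn + 1)
			return (SP_DROP);
		sp->server_isn = in->seq;
		sp->seqdiff = sp->proxy_isn - sp->server_isn;
		*out = (struct seg){ TH_ACK, sp->client_isn + 1, sp->server_isn + 1 };
		sp->state = SP_ESTABLISHED;
		return (SP_REPLY);
	case SP_ESTABLISHED:
		*out = *in;
		out->seq = in->seq + sp->seqdiff;	/* server seq space -> what the client expects */
		return (SP_FORWARD);
	default:
		return (SP_DROP);
	}
}

/* Runs a full exchange with constructed ISNs; 1 if every step and both data directions translate as expected. */
int
sp_walkthrough(uint32_t c_isn, uint32_t p_isn, uint32_t s_isn)
{
	struct synproxy sp;
	struct seg in, out;

	sp_init(&sp, p_isn);
	in = (struct seg){ TH_SYN, c_isn, 0 };
	if (sp_from_client(&sp, &in, &out) != SP_REPLY || out.seq != p_isn || out.ack != c_isn + 1)
		return (0);
	in = (struct seg){ TH_ACK, c_isn + 1, p_isn + 1 };
	if (sp_from_client(&sp, &in, &out) != SP_FORWARD || out.flags != TH_SYN || out.seq != c_isn)
		return (0);
	in = (struct seg){ TH_SYN | TH_ACK, s_isn, c_isn + 1 };
	if (sp_from_server(&sp, &in, &out) != SP_REPLY || out.ack != s_isn + 1)
		return (0);
	in = (struct seg){ TH_ACK | TH_PUSH, c_isn + 1, p_isn + 1 };	/* client data */
	if (sp_from_client(&sp, &in, &out) != SP_FORWARD || out.ack != s_isn + 1)
		return (0);
	in = (struct seg){ TH_ACK | TH_PUSH, s_isn + 1, c_isn + 101 };	/* server data */
	return (sp_from_server(&sp, &in, &out) == SP_FORWARD &&
	    out.seq == p_isn + 1 && out.ack == c_isn + 101);
}

/* A blind SYN flooder never learns proxy_isn: an ACK with a guessed ack number must be dropped
 * and the state must stay SP_SYNACK_SENT, so no SYN ever reaches the server. Returns 1 when so. */
int
sp_spoofed_ack_blocked(uint32_t p_isn, uint32_t guessed_ack)
{
	struct synproxy sp;
	struct seg in = { TH_SYN, 4242, 0 }, out;

	sp_init(&sp, p_isn);
	if (sp_from_client(&sp, &in, &out) != SP_REPLY)
		return (0);
	in = (struct seg){ TH_ACK, 4243, guessed_ack };
	return (sp_from_client(&sp, &in, &out) == SP_DROP && sp.state == SP_SYNACK_SENT);
}
```

The model keeps no state for the server side until the client has completed its handshake, which is the whole point: a SYN flood from spoofed sources costs the proxy only the per-state memory it would have spent anyway and costs the server nothing. The 32-bit arithmetic wraps, so the second walkthrough case below exercises ISNs near 2^32.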

Revision 1.156 / (download) - annotate - [select for diffs], Wed May 14 23:51:29 2003 UTC (21 years, 1 month ago) by frantzen
Branch: MAIN
Changes since 1.155: +4 -1 lines
Diff to previous 1.155 (colored)

add scrub modifier "reassemble tcp" to turn on stateful TCP normalizations
ok henning@ dhartmei@

Revision 1.155 / (download) - annotate - [select for diffs], Wed May 14 00:56:38 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.154: +7 -7 lines
Diff to previous 1.154 (colored)

print the redirection target for nat/rdr/binat slightly later.
no functional difference (yet)

Revision 1.154 / (download) - annotate - [select for diffs], Tue May 13 21:37:42 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.153: +2 -2 lines
Diff to previous 1.153 (colored)

correct rule printing

Revision 1.153 / (download) - annotate - [select for diffs], Tue May 13 21:15:07 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.152: +5 -2 lines
Diff to previous 1.152 (colored)

userland part for tagging.
it's now possible to tag packets with an arbitrary tag and filter based on
that tag later on other interfaces:
pass in quick on fxp0 keep state tag blah
pass out quick on wi0 keep state with tag blah
can be used to express trust between interfaces, to distinguish between
NATed connections and connections originating from the firewall itself
and much more

ok dhartmei@ frantzen@ pb@ mcbride@

Revision 1.152 / (download) - annotate - [select for diffs], Mon May 12 01:25:31 2003 UTC (21 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.151: +3 -1 lines
Diff to previous 1.151 (colored)

Adaptive timeout value scaling. Allows reducing timeout values as the
number of state table entries grows, so entries time out faster before
the table fills up. Works both globally and per-rule. ok frantzen@

Revision 1.151 / (download) - annotate - [select for diffs], Fri Apr 25 19:44:57 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.150: +1 -5 lines
Diff to previous 1.150 (colored)

kill a workaround now that inet_net_pton acts reasonably

Revision 1.150 / (download) - annotate - [select for diffs], Sat Apr 5 23:56:32 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.149: +10 -28 lines
Diff to previous 1.149 (colored)

ease netmask handling a bit

input theo, ok dhartmei@

Revision 1.149 / (download) - annotate - [select for diffs], Thu Apr 3 15:52:24 2003 UTC (21 years, 2 months ago) by cedric
Branch: MAIN
Changes since 1.148: +42 -201 lines
Diff to previous 1.148 (colored)

Simplify pfctl printing code.
ok dhartmei@ henning@

Revision 1.148 / (download) - annotate - [select for diffs], Fri Mar 28 20:37:29 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.147: +2 -2 lines
Diff to previous 1.147 (colored)

one more const was missing

Revision 1.147 / (download) - annotate - [select for diffs], Thu Mar 27 18:01:57 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.146: +5 -5 lines
Diff to previous 1.146 (colored)

lotsa const char *
from David Hill <david at phobia.ms> a while ago

Revision 1.146 / (download) - annotate - [select for diffs], Wed Mar 19 15:56:08 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_3_3_BASE
Branch point for: OPENBSD_3_3
Changes since 1.145: +8 -4 lines
Diff to previous 1.145 (colored)

inet_net_pton acts weird when it comes to multicast addresses. so pass the
netmask given by the OP to host_v4(), and in case it wasn't specified, do
not trust inet_net_pton telling us it is a /4 but use /32. otherwise, "pass
in from 224.0.0.6" suddenly became "pass in from 224.0.0.0/4", which is
clearly not the desired result.
inet_net_pton behaviour under investigation, using the least intrusive fix
for now.

found after bug report From: Julien Bordet <zejames@greyhats.org> via dhartmei

ok daniel cedric
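
The 1.146, 1.160 and 1.190 messages describe three rules for IPv4 address parsing: a bare address is a single host (no classful /4 inferred for 224.0.0.6), a prefix like /68 is refused, and host bits are masked off after the family is known. The following is added example code for this page, not pfctl's host_v4()/set_ipmask(): it sidesteps inet_net_pton entirely and only accepts an explicit decimal prefix, which is one way to get exactly that behaviour. The v4net_canon_is() helper exists only so the results can be checked.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct v4net {
	struct in_addr	addr;	/* network byte order, host bits cleared */
	int		bits;	/* prefix length, 0..32 */
};

/*
 * Parse "a.b.c.d" or "a.b.c.d/n". Returns 0 on success, -1 on error.
 * A bare address is /32 (no classful guess, so 224.0.0.6 stays one host),
 * a prefix outside 0..32 such as /68 is rejected, and host bits are masked.
 */
int
parse_v4net(const char *s, struct v4net *out)
{
	char	 buf[INET_ADDRSTRLEN + 4];	/* dotted quad plus "/32" */
	char	*slash, *end;
	long	 bits = 32;
	uint32_t mask;

	if (strlen(s) >= sizeof(buf))
		return (-1);
	strcpy(buf, s);

	if ((slash = strchr(buf, '/')) != NULL) {
		*slash = '\0';
		errno = 0;
		bits = strtol(slash + 1, &end, 10);
		if (errno != 0 || end == slash + 1 || *end != '\0' ||
		    bits < 0 || bits > 32)
			return (-1);	/* "10.0.0.0/68", "/", "/-1", "/8x" all fail here */
	}
	/* inet_pton wants a full dotted quad, so "1.2" is an error, not 1.2.0.0/16 */
	if (inet_pton(AF_INET, buf, &out->addr) != 1)
		return (-1);

	mask = bits == 0 ? 0 : htonl(0xffffffffU << (32 - bits));
	out->addr.s_addr &= mask;	/* the kernel compares masked addresses; store them that way */
	out->bits = (int)bits;
	return (0);
}

/* Canonical "a.b.c.d/n" text for a parsed network; NULL if dst is too small. */
const char *
format_v4net(const struct v4net *n, char *dst, size_t dstlen)
{
	char a[INET_ADDRSTRLEN];

	if (inet_ntop(AF_INET, &n->addr, a, sizeof(a)) == NULL)
		return (NULL);
	if (snprintf(dst, dstlen, "%s/%d", a, n->bits) >= (int)dstlen)
		return (NULL);
	return (dst);
}

/* 1 if `in` parses and canonicalises to `expect`, 0 otherwise (including parse failure). */
int
v4net_canon_is(const char *in, const char *expect)
{
	struct v4net	n;
	char		buf[INET_ADDRSTRLEN + 4];

	if (parse_v4net(in, &n) != 0 || format_v4net(&n, buf, sizeof(buf)) == NULL)
		return (0);
	return (strcmp(buf, expect) == 0);
}
```

Masking at parse time matters for more than tidy output: a rule loaded as 10.1.2.3/8 and one loaded as 10.0.0.0/8 are the same rule, and tables, optimizer passes and "pfctl -sr" comparisons only see that if both were canonicalised the same way.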

Revision 1.145 / (download) - annotate - [select for diffs], Tue Feb 25 12:22:25 2003 UTC (21 years, 3 months ago) by cedric
Branch: MAIN
Changes since 1.144: +2 -17 lines
Diff to previous 1.144 (colored)

repair/simplify/flexify binat userland.
ok dhartmei@ henning@

Revision 1.144 / (download) - annotate - [select for diffs], Wed Feb 19 19:08:19 2003 UTC (21 years, 3 months ago) by cedric
Branch: MAIN
Changes since 1.143: +2 -2 lines
Diff to previous 1.143 (colored)

Fix a little buffer overflow on 64-bit platforms.
It produced wrong output on the pfr7 regression test, discovered by henning@.
ok+testing henning@

Revision 1.143 / (download) - annotate - [select for diffs], Thu Feb 13 10:28:58 2003 UTC (21 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.142: +2 -2 lines
Diff to previous 1.142 (colored)

when complaining about an illegal netmask print the value we're complaining
about

Revision 1.142 / (download) - annotate - [select for diffs], Wed Feb 12 12:48:40 2003 UTC (21 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.141: +7 -28 lines
Diff to previous 1.141 (colored)

Simplify the code and make the parser handle the different rule types
more consistently.

- Merge expand_nat and expand_rdr into expand_rule
- Merge rdrrule token into natrule

ok concept henning@
ok dhartmei@

Revision 1.141 / (download) - annotate - [select for diffs], Sun Feb 9 12:49:48 2003 UTC (21 years, 4 months ago) by camield
Branch: MAIN
Changes since 1.140: +2 -2 lines
Diff to previous 1.140 (colored)

Fix a few warnings and remove unnecessary check and cast.

ok dhartmei henning

Revision 1.140 / (download) - annotate - [select for diffs], Sat Feb 8 20:13:20 2003 UTC (21 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.139: +3 -1 lines
Diff to previous 1.139 (colored)

Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@
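
What a 'random-id' rewrite has to get right, as added example code for this page (not pf's scrub implementation): leave fragments alone, because the receiver needs their ID to reassemble them, replace the 16-bit ID in every other outgoing datagram, and patch the header checksum incrementally (RFC 1624) so the packet is not dropped by the next hop. The random value is passed in by the caller, and the header in the self-check is constructed, not captured.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

#define IP_MF		0x2000	/* more fragments follow */
#define IP_OFFMASK	0x1fff	/* fragment offset */

/* Minimal IPv4 header (20 bytes, no options); multi-byte fields in network order. */
struct ipv4_hdr {
	uint8_t	 vhl, tos;
	uint16_t len, id, off;
	uint8_t	 ttl, proto;
	uint16_t sum;
	uint32_t src, dst;
};

/*
 * Header checksum: one's complement of the one's-complement sum of the
 * 16-bit words. Over a header that already carries a correct checksum the
 * result is 0, which is how the self-check below verifies a rewrite.
 */
uint16_t
ipv4_cksum(const void *hdr, size_t hlen)
{
	const uint8_t	*p = hdr;
	uint32_t	 sum = 0;
	size_t		 i;

	for (i = 0; i + 1 < hlen; i += 2)
		sum += (uint32_t)p[i] << 8 | p[i + 1];
	if (hlen & 1)
		sum += (uint32_t)p[hlen - 1] << 8;
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (htons((uint16_t)~sum));
}

/* RFC 1624 eq. 3: HC' = ~(~HC + ~m + m') for one 16-bit field changing from m to m'. */
static uint16_t
cksum_fixup(uint16_t cksum, uint16_t old, uint16_t new)
{
	uint32_t l;

	l = (uint16_t)~ntohs(cksum) + (uint16_t)~ntohs(old) + ntohs(new);
	while (l >> 16)
		l = (l & 0xffff) + (l >> 16);
	return (htons((uint16_t)~l));
}

/*
 * Replace a predictable IP ID with random_id (supplied by the caller; the
 * example assumes a CSPRNG). Returns 1 if the header was rewritten, 0 if it
 * is a fragment and was left untouched.
 */
int
ipv4_random_id(struct ipv4_hdr *ip, uint16_t random_id)
{
	uint16_t old = ip->id;

	if (ntohs(ip->off) & (IP_MF | IP_OFFMASK))
		return (0);
	ip->id = htons(random_id);
	ip->sum = cksum_fixup(ip->sum, old, ip->id);
	return (1);
}

/*
 * Self-check on a constructed header: 1 if the ID was replaced and the header
 * still verifies, 0 if it was correctly left alone as a fragment, -1 if the
 * checksum or the ID is wrong afterwards.
 */
int
random_id_selfcheck(uint16_t predictable_id, uint16_t random_id, uint16_t off_flags)
{
	struct ipv4_hdr	ip;
	int		changed;

	memset(&ip, 0, sizeof(ip));
	ip.vhl = 0x45;
	ip.len = htons(40);
	ip.id = htons(predictable_id);
	ip.off = htons(off_flags);
	ip.ttl = 64;
	ip.proto = 6;
	ip.src = htonl(0xc0a80101);	/* constructed 192.168.1.1 -> 192.168.1.2 */
	ip.dst = htonl(0xc0a80102);
	ip.sum = ipv4_cksum(&ip, sizeof(ip));

	changed = ipv4_random_id(&ip, random_id);
	if (ipv4_cksum(&ip, sizeof(ip)) != 0)
		return (-1);	/* incremental update disagrees with a full recompute */
	if (ntohs(ip.id) != (changed ? random_id : predictable_id))
		return (-1);
	return (changed);
}
```

The fragment test checks both MF and a non-zero offset: the last fragment of a datagram has MF clear but an offset, and rewriting its ID would break reassembly just as surely.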

Revision 1.139 / (download) - annotate - [select for diffs], Sun Feb 2 19:25:06 2003 UTC (21 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.138: +7 -7 lines
Diff to previous 1.138 (colored)

no const for int; cedric@

Revision 1.138 / (download) - annotate - [select for diffs], Sun Feb 2 18:32:35 2003 UTC (21 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.137: +12 -12 lines
Diff to previous 1.137 (colored)

const'ify params for the host stuff

ok theo

Revision 1.137 / (download) - annotate - [select for diffs], Sun Feb 2 18:11:43 2003 UTC (21 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.136: +28 -25 lines
Diff to previous 1.136 (colored)

as correctly pointed out by cedric@, the :network and :broadcast parsing
code really belongs to host_if() and not host(); I dunno why I did put it in
host()...

ok dhartmei@ deraadt@

Revision 1.136 / (download) - annotate - [select for diffs], Thu Jan 30 15:41:35 2003 UTC (21 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.135: +5 -5 lines
Diff to previous 1.135 (colored)

in these two cases strdup makes more sense than asprintf, pointed out by
camield@

Revision 1.135 / (download) - annotate - [select for diffs], Thu Jan 30 15:03:49 2003 UTC (21 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.134: +25 -6 lines
Diff to previous 1.134 (colored)

add support for :network and :broadcast modifiers to interface names.
sample:
pass in on dc0 from dc0:network to any keep state
block in on dc0 from any to dc0:broadcast

ok theo daniel

Revision 1.134 / (download) - annotate - [select for diffs], Sat Jan 25 22:53:45 2003 UTC (21 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.133: +5 -5 lines
Diff to previous 1.133 (colored)

Match changes for rdr port ranges made to pf.c:
- fixes behaviour of rdr on le0 from foo to bar port 1:20 -> (lo0) port 22
- makes calculated mapping more explicit for the -> (lo0) port 22:* case

testing from dhartmei@

ok dhartmei@

Revision 1.133 / (download) - annotate - [select for diffs], Mon Jan 20 17:16:56 2003 UTC (21 years, 4 months ago) by cedric
Branch: MAIN
Changes since 1.132: +13 -13 lines
Diff to previous 1.132 (colored)

Improve pfctl -vvs{r,n} output with rule containing tables.
Shows the number of entries in the table or if the table is not active.
ok dhartmei@, no objections.

Revision 1.132 / (download) - annotate - [select for diffs], Sun Jan 19 09:31:34 2003 UTC (21 years, 4 months ago) by camield
Branch: MAIN
Changes since 1.131: +2 -2 lines
Diff to previous 1.131 (colored)

Quote label in rule output.

ok henning dhartmei

Revision 1.131 / (download) - annotate - [select for diffs], Sat Jan 18 17:39:37 2003 UTC (21 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.130: +40 -35 lines
Diff to previous 1.130 (colored)

quite some KNF for the older parts

Revision 1.130 / (download) - annotate - [select for diffs], Sat Jan 18 17:20:41 2003 UTC (21 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.129: +97 -53 lines
Diff to previous 1.129 (colored)

host() overhaul:
-split off host_if, host_v4, host_v6, host_dns
-kill the return-everywhere nightmare
-bit better error messages
makes the code more read-, understand- and maintainable; no functional
changes.

ok cedric@ dhartmei@ mcbride@

Revision 1.129 / (download) - annotate - [select for diffs], Fri Jan 17 14:01:43 2003 UTC (21 years, 4 months ago) by markus
Branch: MAIN
Changes since 1.128: +2 -2 lines
Diff to previous 1.128 (colored)

KNF

Revision 1.128 / (download) - annotate - [select for diffs], Tue Jan 14 21:58:12 2003 UTC (21 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.127: +330 -1 lines
Diff to previous 1.127 (colored)

unified IP parser:
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h]
-extend host() to handle /mask itself, plus minor adjustments
-use that in pfctl_table.c instead of coding the same shit again

discussed w/ cedric@
ok cedric@ dhartmei@

Revision 1.127 / (download) - annotate - [select for diffs], Sun Jan 5 22:14:23 2003 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.126: +18 -18 lines
Diff to previous 1.126 (colored)

Move ifname from pf_addr to pf_addr_wrap, prepare pf_addr_wrap for table
name. ok henning@, mcbride@, cedric@

Revision 1.126 / (download) - annotate - [select for diffs], Sat Jan 4 17:40:51 2003 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.125: +6 -5 lines
Diff to previous 1.125 (colored)

move noroute from flag in pf_rule_addr into type in pf_addr_wrap.
ok henning@, mcbride@

Revision 1.125 / (download) - annotate - [select for diffs], Sat Jan 4 00:01:34 2003 UTC (21 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.124: +2 -2 lines
Diff to previous 1.124 (colored)

I do not know where this policy of "one .h file for every .c file" comes
from, but whoever thought of it is stupid.

Revision 1.124 / (download) - annotate - [select for diffs], Mon Dec 30 23:46:54 2002 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.123: +2 -2 lines
Diff to previous 1.123 (colored)

Change ipv6-icmp-type to icmp6-type. pf.conf files will need to be adjusted
to reflect this.

ok dhartmei@ henning@

Revision 1.123 / (download) - annotate - [select for diffs], Wed Dec 18 19:40:41 2002 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.122: +13 -7 lines
Diff to previous 1.122 (colored)

Store translation rule pointer in state entries, so pfctl -vsn can print
evaluation, packet, byte and state entry counters similar to -vsr. Helps
verify whether/how often translation rules are evaluated/matched.
ok frantzen@, henning@

Revision 1.122 / (download) - annotate - [select for diffs], Tue Dec 17 12:36:59 2002 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.121: +73 -45 lines
Diff to previous 1.121 (colored)

Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule

ok dhartmei@ henning@

Revision 1.121 / (download) - annotate - [select for diffs], Fri Dec 13 21:51:25 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.120: +5 -3 lines
Diff to previous 1.120 (colored)

allow a second queue for higher prioritized (currently: tos=lowdelay) packets
to be specified per rule

queue (qname, priorized_qname)

idea dhartmei
ok dhartmei@ frantzen@ deraadt@

Revision 1.120 / (download) - annotate - [select for diffs], Sat Dec 7 23:15:53 2002 UTC (21 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.119: +35 -34 lines
Diff to previous 1.119 (colored)

Support parameters in anchor rules. Allows conditional evaluation, like:

  anchor spews inet proto tcp from any to any port smtp

ok deraadt

Revision 1.119 / (download) - annotate - [select for diffs], Sat Dec 7 20:25:40 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.118: +9 -9 lines
Diff to previous 1.118 (colored)

shadow cleanup

ok mcbride@ frantzen@

Revision 1.118 / (download) - annotate - [select for diffs], Fri Dec 6 11:03:36 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.117: +3 -2 lines
Diff to previous 1.117 (colored)

let pfctl -v print out "block drop" instead of just "block" in the drop
case. fixes the last self-regress test.

ok markus@

Revision 1.117 / (download) - annotate - [select for diffs], Fri Dec 6 00:47:32 2002 UTC (21 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.116: +29 -13 lines
Diff to previous 1.116 (colored)

Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.

Idea and ok deraadt@

Revision 1.116 / (download) - annotate - [select for diffs], Thu Dec 5 14:10:45 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.115: +4 -3 lines
Diff to previous 1.115 (colored)

one step further to "program output is valid program input" and the related
extra regress testing opportunities (an excellent idea by markus@).
only print rule numbers in case of pfctl -v -v; but not with pfctl -v.

ok markus@ frantzen@ mcbride@

Revision 1.115 / (download) - annotate - [select for diffs], Sat Nov 30 10:07:51 2002 UTC (21 years, 6 months ago) by mickey
Branch: MAIN
Changes since 1.114: +1 -23 lines
Diff to previous 1.114 (colored)

move unmask back into pf_print_state.c where it was, and please keep it there; henning@ ok

Revision 1.114 / (download) - annotate - [select for diffs], Thu Nov 28 13:18:09 2002 UTC (21 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.113: +4 -3 lines
Diff to previous 1.113 (colored)

- Remove extra space before -> in print_rdr
- Print hex keys lowercase

ok dhartmei@ henning@

Revision 1.113 / (download) - annotate - [select for diffs], Thu Nov 28 12:14:25 2002 UTC (21 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.112: +48 -78 lines
Diff to previous 1.112 (colored)

- Adjust to match replacement of md5 with pf_hash
- Allow keys to be specified in hex (must be 128 bits, mainly to make
  pfctl -v output parseable by pfctl) or as a string. Randomly generate key
  if one is not specified.

Suggestions and fixes from camield@

ok mickey@ camield@ henning@

Revision 1.112 / (download) - annotate - [select for diffs], Sat Nov 23 11:58:44 2002 UTC (21 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.111: +26 -23 lines
Diff to previous 1.111 (colored)

Cosmetic fixes for print_*() functions, so they match the old regress
output (mainly spaces).

Revision 1.111 / (download) - annotate - [select for diffs], Sat Nov 23 10:03:39 2002 UTC (21 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.110: +6 -5 lines
Diff to previous 1.110 (colored)

fix parens "(" ")" when printing

ok dhartmei@

Revision 1.110 / (download) - annotate - [select for diffs], Sat Nov 23 09:33:54 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.109: +3 -3 lines
Diff to previous 1.109 (colored)

KNF

Revision 1.109 / (download) - annotate - [select for diffs], Sat Nov 23 08:59:54 2002 UTC (21 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.108: +3 -2 lines
Diff to previous 1.108 (colored)

Missing {}

Revision 1.108 / (download) - annotate - [select for diffs], Sat Nov 23 08:12:56 2002 UTC (21 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.107: +3 -2 lines
Diff to previous 1.107 (colored)

check to make sure a list item exists before checking to see if the next
one is there.

ok dhartmei@

Revision 1.107 / (download) - annotate - [select for diffs], Sat Nov 23 06:18:42 2002 UTC (21 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.106: +2 -2 lines
Diff to previous 1.106 (colored)

missing prototype, remember to use sa_family_t for af

Revision 1.106 / (download) - annotate - [select for diffs], Sat Nov 23 05:22:24 2002 UTC (21 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.105: +109 -29 lines
Diff to previous 1.105 (colored)

code to support loading of pf rules with multiple redirection addresses
(in nat, rdr, route-to, dup-to and reply-to)

Syntax looks like this, see pf.conf(5) for details:

nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
        192.168.0.16/29 source-hash random

rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
        { 192.168.0.8/31, 192.168.0.15 } port 22 round-robin

ok dhartmei@ henning@

Revision 1.105 / (download) - annotate - [select for diffs], Tue Nov 19 23:34:02 2002 UTC (21 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.104: +2 -2 lines
Diff to previous 1.104 (colored)

minor cosmetics, space after "label %s", in case both label and queue are
specified.

Revision 1.104 / (download) - annotate - [select for diffs], Mon Nov 18 22:55:39 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.103: +3 -3 lines
Diff to previous 1.103 (colored)

KNF

Revision 1.103 / (download) - annotate - [select for diffs], Mon Nov 18 22:49:15 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.102: +3 -1 lines
Diff to previous 1.102 (colored)

altq and pf merged

this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documentation yet, but committing now
enables a few more people to work on it.

print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.

"commit now" theo philipp daniel

Revision 1.102 / (download) - annotate - [select for diffs], Fri Oct 25 10:40:45 2002 UTC (21 years, 7 months ago) by camield
Branch: MAIN
Changes since 1.101: +23 -1 lines
Diff to previous 1.101 (colored)

- more sa_family_t
- move unmask code to correct file
- whitespace

ok mcbride@ dhartmei@

Revision 1.101 / (download) - annotate - [select for diffs], Tue Oct 22 12:28:08 2002 UTC (21 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.100: +6 -6 lines
Diff to previous 1.100 (colored)

More conversion of "int af" and "u_int8_t af" declarations and function
arguments to the more correct and descriptive "sa_family_t af"

ok dhartmei@ henning@

Revision 1.100 / (download) - annotate - [select for diffs], Mon Oct 14 12:58:28 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.99: +3 -3 lines
Diff to previous 1.99 (colored)

Allow one to specify a netblock in a binat rule:

binat on fxp0 from 192.168.0.32/27 to any -> 10.0.7.128/27

Both the network mask on the source and redirect addresses MUST be the
same, and it works by essentially combining the network section of the
redirect address with the host section of the source address.

from ryan

ok dhartmei@
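
The network/host combination that the message above describes, written out here as an added example in C; this is not pfctl's own code and the function names are assumptions, not pfctl identifiers. The addresses are the ones from the constructed rule in the commit message (from 192.168.0.32/27 -> 10.0.7.128/27). Because binat is bidirectional, the same function also maps a reply address back by swapping the roles of the two netblocks.

```c
/* Added example, not pfctl code: the binat netblock address mapping.
 * The translated address takes its network part from the redirect
 * block and its host part from the original source address. IPv4 only;
 * the arithmetic functions work on host-byte-order values. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Build a host-order netmask from a prefix length (0..32). */
static uint32_t
prefix_to_mask(unsigned prefixlen)
{
	if (prefixlen == 0)
		return 0;
	if (prefixlen >= 32)
		return 0xffffffffU;
	return 0xffffffffU << (32 - prefixlen);
}

/* The constraint the commit message states: both netblocks MUST use the
 * same mask. Returns 0 when the rule is acceptable, -1 otherwise. */
static int
binat_check(unsigned src_prefix, unsigned rdr_prefix)
{
	return src_prefix == rdr_prefix ? 0 : -1;
}

/* Translate one address: network bits from rdr_net, host bits from src. */
static uint32_t
binat_translate(uint32_t src, uint32_t rdr_net, unsigned prefixlen)
{
	uint32_t mask = prefix_to_mask(prefixlen);

	return (rdr_net & mask) | (src & ~mask);
}

/* Convenience wrapper on dotted-quad strings. Writes the result into out
 * (at least INET_ADDRSTRLEN bytes); returns 0 on success, -1 on error. */
static int
binat_translate_str(const char *src, const char *rdr_net, unsigned prefixlen,
    char *out, size_t outlen)
{
	struct in_addr s, r, t;

	if (inet_pton(AF_INET, src, &s) != 1 ||
	    inet_pton(AF_INET, rdr_net, &r) != 1)
		return -1;
	t.s_addr = htonl(binat_translate(ntohl(s.s_addr), ntohl(r.s_addr),
	    prefixlen));
	if (inet_ntop(AF_INET, &t, out, outlen) == NULL)
		return -1;
	return 0;
}

int
main(void)
{
	/* Constructed inputs: a host inside 192.168.0.32/27 going out,
	 * and the reply coming back to its translated address. */
	char out[INET_ADDRSTRLEN], back[INET_ADDRSTRLEN];

	if (binat_check(27, 27) != 0)
		return 1;
	if (binat_translate_str("192.168.0.37", "10.0.7.128", 27,
	    out, sizeof(out)) != 0)
		return 1;
	if (binat_translate_str(out, "192.168.0.32", 27,
	    back, sizeof(back)) != 0)
		return 1;
	printf("192.168.0.37 -> %s -> %s\n", out, back);
	return 0;
}
```

Running it prints the outbound mapping of 192.168.0.37 to 10.0.7.133 and the reverse mapping back to 192.168.0.37: the five host bits (.37 is .32 + 5) are carried over unchanged, which is why the two blocks must have the same prefix length.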

Revision 1.99 / (download) - annotate - [select for diffs], Mon Oct 7 13:23:46 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.98: +3 -1 lines
Diff to previous 1.98 (colored)

set block-policy [drop|return]
drop is default, same behaviour as before

support
block drop
to override a return policy

Revision 1.98 / (download) - annotate - [select for diffs], Mon Oct 7 13:18:40 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.97: +0 -0 lines
Diff to previous 1.97 (colored)

support a generic return
block return in|out ...
acts like return-rst on tcp, like return-icmp on udp and like an ordinary
block on anything else

ok dhartmei@

Revision 1.97 / (download) - annotate - [select for diffs], Mon Oct 7 13:15:02 2002 UTC (21 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.96: +33 -17 lines
Diff to previous 1.96 (colored)

make return-icmp work for rules covering both v4 and v6
-new field "return_icmp6" in pf_rule
-parser accepts
block return-icmp(ipv4-icmpcode, ipv6-icmpcode)

ok and some input dhartmei@

Revision 1.96 / (download) - annotate - [select for diffs], Mon Oct 7 12:39:29 2002 UTC (21 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.95: +3 -1 lines
Diff to previous 1.95 (colored)

Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.

Revision 1.95 / (download) - annotate - [select for diffs], Sat Oct 5 21:17:57 2002 UTC (21 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.94: +3 -1 lines
Diff to previous 1.94 (colored)

Allow filtering based on IP header's tos field.

Revision 1.94 / (download) - annotate - [select for diffs], Sat Jul 20 18:58:44 2002 UTC (21 years, 10 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_3_2_BASE, OPENBSD_3_2
Changes since 1.93: +5 -5 lines
Diff to previous 1.93 (colored)

properly split yacc and lex use

Revision 1.93 / (download) - annotate - [select for diffs], Mon Jul 15 18:13:53 2002 UTC (21 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.92: +7 -3 lines
Diff to previous 1.92 (colored)

add support for
  pass|block on ! $interface ...

ok dhartmei@

will be documented in pf.conf(5) by "I'm not slacking!" pb@ who's currently
reworking this manpage

Revision 1.92 / (download) - annotate - [select for diffs], Mon Jul 1 05:28:22 2002 UTC (21 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.91: +5 -5 lines
Diff to previous 1.91 (colored)

KNF

Revision 1.91 / (download) - annotate - [select for diffs], Thu Jun 27 10:17:48 2002 UTC (21 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.90: +5 -5 lines
Diff to previous 1.90 (colored)

repair formatting - the new "enabled since" format is longer than the old
one and thus the field lengths need to be adjusted.
ok dhartmei@, pb@

Revision 1.90 / (download) - annotate - [select for diffs], Wed Jun 19 17:44:02 2002 UTC (21 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.89: +16 -7 lines
Diff to previous 1.89 (colored)

"Enabled for Ss" -> "Enabled for D days HH:MM:SS", ok frantzen@

Revision 1.89 / (download) - annotate - [select for diffs], Tue Jun 11 18:03:25 2002 UTC (22 years ago) by frantzen
Branch: MAIN
Changes since 1.88: +10 -5 lines
Diff to previous 1.88 (colored)

split the grammar of scrub(fragcache) into scrub ... 'fragment reassemble',
'fragment crop' or a new 'fragment drop-ovl' which will drop overlapping
fragments and all corresponding ones
ok kjell@ with feedback from kjell@ and deraadt@.  the rest are slacking

Revision 1.88 / (download) - annotate - [select for diffs], Tue Jun 11 02:27:19 2002 UTC (22 years ago) by frantzen
Branch: MAIN
Changes since 1.87: +7 -3 lines
Diff to previous 1.87 (colored)

SCRUB(fragcache) to do gap tracking and overlap pruning of IPv4 fragments
without the memory overhead of the conventional defrag in SCRUB
ok dhartmei@, idea by deraadt@

Revision 1.87 / (download) - annotate - [select for diffs], Tue Jun 11 02:12:37 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.86: +9 -1 lines
Diff to previous 1.86 (colored)

Make NAT proxy port range configurable per rule, for instance privileged
source ports can be mapped to privileged proxy ports, or source port 500
to proxy port 500. ok frantzen@

Revision 1.86 / (download) - annotate - [select for diffs], Tue Jun 11 01:58:00 2002 UTC (22 years ago) by henning
Branch: MAIN
Changes since 1.85: +55 -31 lines
Diff to previous 1.85 (colored)

rework pfctl statistics display
move FCNT_NAMES from pfvar.h to pfctl_parser.h, only used by pfctl
some input by nick@
ok frantzen@, dhartmei@

Revision 1.85 / (download) - annotate - [select for diffs], Mon Jun 10 19:31:44 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.84: +52 -60 lines
Diff to previous 1.84 (colored)

Allow ports to be specified in nat rules, useful later on for individual
proxy port ranges.

Revision 1.84 / (download) - annotate - [select for diffs], Sun Jun 9 20:20:58 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.83: +9 -7 lines
Diff to previous 1.83 (colored)

Make pf_nat.saddr/daddr a pf_rule_addr instead of pf_addr_wrap, so it
includes ports and operator.

Revision 1.83 / (download) - annotate - [select for diffs], Sun Jun 9 05:31:25 2002 UTC (22 years ago) by deraadt
Branch: MAIN
Changes since 1.82: +2 -2 lines
Diff to previous 1.82 (colored)

spaced out developers...

Revision 1.82 / (download) - annotate - [select for diffs], Sat Jun 8 21:09:59 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.81: +12 -12 lines
Diff to previous 1.81 (colored)

Change remaining read-only lookup tables to const, suggestion drahn@

Revision 1.81 / (download) - annotate - [select for diffs], Sat Jun 8 16:44:15 2002 UTC (22 years ago) by drahn
Branch: MAIN
Changes since 1.80: +21 -1 lines
Diff to previous 1.80 (colored)

pf_timeouts is shared between pfctl and authpf, put it in the shared file.
unbreak build.

Revision 1.80 / (download) - annotate - [select for diffs], Sat Jun 8 07:58:07 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.79: +24 -2 lines
Diff to previous 1.79 (colored)

Make state timeouts configurable per rule, like

  pass in from any to any port www keep state (tcp.established 60)

ok frantzen@

Revision 1.79 / (download) - annotate - [select for diffs], Fri Jun 7 22:53:45 2002 UTC (22 years ago) by pb
Branch: MAIN
Changes since 1.78: +7 -4 lines
Diff to previous 1.78 (colored)

add the possibility to configure a TTL while return-rst

ok dhartmei@, ipv6 part itojun@ ok

Revision 1.78 / (download) - annotate - [select for diffs], Fri Jun 7 21:25:35 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.77: +3 -1 lines
Diff to previous 1.77 (colored)

Add "(max <number>)" option for "keep/modulate state" to limit the number
of concurrent connections a rule can create. ok frantzen@

Revision 1.77 / (download) - annotate - [select for diffs], Fri Jun 7 19:30:40 2002 UTC (22 years ago) by henning
Branch: MAIN
Changes since 1.76: +4 -4 lines
Diff to previous 1.76 (colored)

minor KNF while I'm here
ok dhartmei@

Revision 1.76 / (download) - annotate - [select for diffs], Thu Jun 6 22:22:44 2002 UTC (22 years ago) by mickey
Branch: MAIN
Changes since 1.75: +2 -195 lines
Diff to previous 1.75 (colored)

split out the pf_state printing functions to be used elsewhere, no functional change; dhartmei@ ok

Revision 1.75 / (download) - annotate - [select for diffs], Sat Jun 1 04:06:47 2002 UTC (22 years ago) by hugh
Branch: MAIN
Changes since 1.74: +4 -4 lines
Diff to previous 1.74 (colored)

ECN flag support for pf. Committed in consultation with Daniel.

Revision 1.74 / (download) - annotate - [select for diffs], Mon May 27 10:33:32 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.73: +2 -2 lines
Diff to previous 1.73 (colored)

Ports require 6 chars, from Oleg Safiullin

Revision 1.73 / (download) - annotate - [select for diffs], Thu May 23 09:47:20 2002 UTC (22 years ago) by deraadt
Branch: MAIN
Changes since 1.72: +32 -30 lines
Diff to previous 1.72 (colored)

tiny KNF, some malloc checks, etc

Revision 1.72 / (download) - annotate - [select for diffs], Sun May 19 22:26:27 2002 UTC (22 years ago) by deraadt
Branch: MAIN
Changes since 1.71: +10 -13 lines
Diff to previous 1.71 (colored)

KNF

Revision 1.71 / (download) - annotate - [select for diffs], Sat May 18 13:47:57 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.70: +3 -3 lines
Diff to previous 1.70 (colored)

Handle long (unsigned 32-bit) IDs in print_uid/gid(). From Oleg Safiullin.

Revision 1.70 / (download) - annotate - [select for diffs], Sun May 12 00:54:56 2002 UTC (22 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.69: +20 -7 lines
Diff to previous 1.69 (colored)

Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.

Revision 1.69 / (download) - annotate - [select for diffs], Thu May 9 21:58:12 2002 UTC (22 years, 1 month ago) by jasoni
Branch: MAIN
Changes since 1.68: +3 -1 lines
Diff to previous 1.68 (colored)

Add a max-mss option to the scrub rule which will enforce a maximum mss
by lowering it to the given value.
- ok dhartmei@, provos@

Revision 1.68 / (download) - annotate - [select for diffs], Thu May 9 19:58:42 2002 UTC (22 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.67: +49 -21 lines
Diff to previous 1.67 (colored)

Introduce user based filtering. Rules can specify ruid and euid (real and
effective user ID) much like ports. The user of a packet is either the
user that opens an outgoing connection, the one that listens on a socket,
or 'unknown' if the firewall is not a connection endpoint (for forwarded
connections). Socket uid lookup code from jwk@bug.it.

Revision 1.67 / (download) - annotate - [select for diffs], Sun May 5 21:40:22 2002 UTC (22 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.66: +5 -2 lines
Diff to previous 1.66 (colored)

Instead of returning a useless kernel space pointer for the rule that
created the state from DIOCGETSTATE(S), return the integer rule number.
Print rule number (if existent) from pfctl -vss. Suggested by Jeff Nathan.

Revision 1.66 / (download) - annotate - [select for diffs], Wed Apr 24 18:10:25 2002 UTC (22 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.65: +55 -21 lines
Diff to previous 1.65 (colored)

Add dynamic (in-kernel) interface name -> address translation. Instead of
using just the interface name instead of an address and reloading the rule
set whenever the interface changes its address, the interface name can be
put in parentheses, and the kernel will keep track of changes and update
rules. There is no additional cost for evaluating rules (per packet),
the cost occurs when an interface changes address (and the rules are
traversed and updated where necessary).

Revision 1.65 / (download) - annotate - [select for diffs], Tue Apr 23 14:32:23 2002 UTC (22 years, 1 month ago) by dhartmei
Branch: MAIN
Changes since 1.64: +3 -1 lines
Diff to previous 1.64 (colored)

Allow explicit filtering of fragments when they are not reassembled.
Document fragment handling in the man page. Short version: if you're
scrubbing everything (as is recommended, in general), nothing changes.
If you want to deal with fragments manually, read the man page.
ok frantzen.

Revision 1.64 / (download) - annotate - [select for diffs], Mon Apr 15 20:39:58 2002 UTC (22 years, 2 months ago) by dhartmei
Branch: MAIN
Changes since 1.63: +2 -2 lines
Diff to previous 1.63 (colored)

Use in_addr_t instead of unsigned long, which breaks on alpha (64-bit).
Closes PR 2547. Reported by Dries Schellekens. Found by frantzen@.

Revision 1.63 / (download) - annotate - [select for diffs], Wed Mar 27 18:16:23 2002 UTC (22 years, 2 months ago) by mickey
Branch: MAIN
CVS Tags: OPENBSD_3_1_BASE, OPENBSD_3_1
Changes since 1.62: +8 -3 lines
Diff to previous 1.62 (colored)

implement a "no-route" keyword.
usage semantics are analogous w/ "any", meaning is
"any ip address for which there is no route in the
current routing table", could be used in both from and to.
typical usage would be (assuming symmetrical routing):
block in from no-route to any
also doc "any" in the pf.conf.5, include in regress, etc.
tested by me on i386 and sparc.
dhartmei@ and frantzen@ ok

Revision 1.62 / (download) - annotate - [select for diffs], Tue Mar 12 08:15:03 2002 UTC (22 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.61: +11 -8 lines
Diff to previous 1.61 (colored)

Handle inet_ntop() returning NULL explicitly. Found by mpech@.

Revision 1.61 / (download) - annotate - [select for diffs], Mon Mar 11 22:22:57 2002 UTC (22 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.60: +52 -9 lines
Diff to previous 1.60 (colored)

Add -r to reverse lookup addresses when displaying states.
From John Kerbawy.

Revision 1.60 / (download) - annotate - [select for diffs], Wed Jan 9 11:30:53 2002 UTC (22 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.59: +3 -1 lines
Diff to previous 1.59 (colored)

Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear
per-rule counters. Add pfctl -s labels to output per-rule counters in
terse format and only for rules that have labels. Suggested by
Henning Brauer.

Revision 1.59 / (download) - annotate - [select for diffs], Tue Jan 8 09:31:55 2002 UTC (22 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.58: +27 -15 lines
Diff to previous 1.58 (colored)

Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.

Revision 1.58 / (download) - annotate - [select for diffs], Mon Jan 7 17:24:43 2002 UTC (22 years, 5 months ago) by mpech
Branch: MAIN
Changes since 1.57: +7 -7 lines
Diff to previous 1.57 (colored)

Next issue:
 af is always u_int8_t, not int;

dhartmei@ ok

Revision 1.57 / (download) - annotate - [select for diffs], Fri Jan 4 12:32:30 2002 UTC (22 years, 5 months ago) by mpech
Branch: MAIN
Changes since 1.56: +2 -2 lines
Diff to previous 1.56 (colored)

check (p != NULL), not n.

dhartmei@ ok

Revision 1.52.2.1 / (download) - annotate - [select for diffs], Thu Dec 13 20:06:18 2001 UTC (22 years, 6 months ago) by jason
Branch: OPENBSD_3_0
Changes since 1.52: +3 -3 lines
Diff to previous 1.52 (colored) next main 1.53 (colored)

Pull in patches from current:
Fix (frantzen, dhartmei):
-- wipe print_nat()'s nose (use dnot correctly instead of snot). i need to start
naming variables 'bugger'.  yes, that's what i'll do
-- Use snot/dnot correctly in print_rdr. RDR rules with '!' used on the
destination address were printed incorrectly before (though the rules
worked correctly).

Revision 1.56 / (download) - annotate - [select for diffs], Mon Dec 10 18:08:12 2001 UTC (22 years, 6 months ago) by dhartmei
Branch: MAIN
Changes since 1.55: +41 -55 lines
Diff to previous 1.55 (colored)

Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
source/destination addresses/ports only.
Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
Destination and redirection port(s) are now optional for RDR rules.
Not specifying destination port(s) means 'redirect all ports', not
specifying redirection port(s) means 'redirect to the original port'.

Revision 1.55 / (download) - annotate - [select for diffs], Sat Dec 1 16:44:45 2001 UTC (22 years, 6 months ago) by frantzen
Branch: MAIN
Changes since 1.54: +2 -2 lines
Diff to previous 1.54 (colored)

wipe print_nat()'s nose (use dnot correctly instead of snot). i need to start
naming variables 'bugger'.  yes, that's what i'll do

Revision 1.54 / (download) - annotate - [select for diffs], Mon Nov 26 16:50:26 2001 UTC (22 years, 6 months ago) by jasoni
Branch: MAIN
Changes since 1.53: +16 -1 lines
Diff to previous 1.53 (colored)

add fastroute options similar to what is found in ipf
ok dhartmei@, frantzen@

Revision 1.53 / (download) - annotate - [select for diffs], Wed Oct 24 09:09:32 2001 UTC (22 years, 7 months ago) by dhartmei
Branch: MAIN
Changes since 1.52: +2 -2 lines
Diff to previous 1.52 (colored)

Use snot/dnot correctly in print_rdr. RDR rules with '!' used on the
destination address were printed incorrectly before (though the rules
worked correctly).

Revision 1.52 / (download) - annotate - [select for diffs], Mon Oct 15 16:22:22 2001 UTC (22 years, 8 months ago) by dhartmei
Branch: MAIN
CVS Tags: OPENBSD_3_0_BASE
Branch point for: OPENBSD_3_0
Changes since 1.51: +3 -1 lines
Diff to previous 1.51 (colored)

Add 'allow-opts' to rules. Packets with IP options will be blocked by
default now, and can be allowed per rule. ok deraadt@

Revision 1.51 / (download) - annotate - [select for diffs], Thu Oct 4 21:54:15 2001 UTC (22 years, 8 months ago) by dhartmei
Branch: MAIN
Changes since 1.50: +24 -20 lines
Diff to previous 1.50 (colored)

Honour -v flag when printing states, print only one line per state when
non-verbose. Suggested by gwyllion@ace.ulyssis.org.

Revision 1.50 / (download) - annotate - [select for diffs], Sat Sep 15 23:23:40 2001 UTC (22 years, 9 months ago) by wilfried
Branch: MAIN
Changes since 1.49: +27 -19 lines
Diff to previous 1.49 (colored)

Implement return-icmp(number), return-icmp6(number)
Differentiate between return-icmp and return-icmp6,
icmp-type and ipv6-icmp-type. ok dhartmei@

Revision 1.49 / (download) - annotate - [select for diffs], Sat Sep 15 23:13:40 2001 UTC (22 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.48: +3 -3 lines
Diff to previous 1.48 (colored)

ICMP6_DST_UNREACH_NOROUTE <-> _ADMIN, reported by Wouter Coene.

Revision 1.48 / (download) - annotate - [select for diffs], Sat Sep 15 03:54:40 2001 UTC (22 years, 9 months ago) by frantzen
Branch: MAIN
Changes since 1.47: +206 -97 lines
Diff to previous 1.47 (colored)

IPv6 support from Ryan McBride (mcbride@countersiege.com)

Revision 1.47 / (download) - annotate - [select for diffs], Thu Sep 6 18:05:46 2001 UTC (22 years, 9 months ago) by jasoni
Branch: MAIN
Changes since 1.46: +40 -1 lines
Diff to previous 1.46 (colored)

1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@

Revision 1.46 / (download) - annotate - [select for diffs], Sun Sep 2 15:15:31 2001 UTC (22 years, 9 months ago) by dhartmei
Branch: MAIN
Changes since 1.45: +2 -2 lines
Diff to previous 1.45 (colored)

Print rule numbers zero-based. Noted by primus@gblx.net.

Revision 1.45 / (download) - annotate - [select for diffs], Sat Aug 25 21:54:26 2001 UTC (22 years, 9 months ago) by frantzen
Branch: MAIN
Changes since 1.44: +20 -8 lines
Diff to previous 1.44 (colored)

PF ISN randomization.  Or in trekkie techno-babble, ISN phase modulation.

Revision 1.44 / (download) - annotate - [select for diffs], Thu Aug 23 04:10:51 2001 UTC (22 years, 9 months ago) by deraadt
Branch: MAIN
Changes since 1.43: +22 -22 lines
Diff to previous 1.43 (colored)

KNF

Revision 1.43 / (download) - annotate - [select for diffs], Sun Aug 19 17:03:00 2001 UTC (22 years, 9 months ago) by frantzen
Branch: MAIN
Changes since 1.42: +8 -3 lines
Diff to previous 1.42 (colored)

Unfuck some TCP state stuff that would drop the SYN|ACK.
Enumerated the TCP states.
Here's a mapping new->old tcp states if anyone gives a shit:
TCPS_CLOSED            0
TCPS_SYN_SENT          1
TCPS_ESTABLISHED       2
TCPS_CLOSING           3
TCPS_FIN_WAIT_2        4
TCPS_TIME_WAIT         5

Revision 1.42 / (download) - annotate - [select for diffs], Sat Aug 18 14:05:56 2001 UTC (22 years, 9 months ago) by deraadt
Branch: MAIN
Changes since 1.41: +4 -5 lines
Diff to previous 1.41 (colored)

prettier printing of states

Revision 1.41 / (download) - annotate - [select for diffs], Thu Aug 16 11:46:56 2001 UTC (22 years, 10 months ago) by deraadt
Branch: MAIN
Changes since 1.40: +3 -3 lines
Diff to previous 1.40 (colored)

track the line number per-token, so that we can report errors correctly

Revision 1.40 / (download) - annotate - [select for diffs], Sat Aug 11 12:05:00 2001 UTC (22 years, 10 months ago) by dhartmei
Branch: MAIN
Changes since 1.39: +14 -3 lines
Diff to previous 1.39 (colored)

Add support for ICMP errors referring to ICMP queries/replies. Fixes
'ICMP error message for bad proto' messages. Reported by Mark Grimes
and Steve Rumble.

Add debugging level with ioctl interface and pfctl switch. Default
is 'None'.

Revision 1.39 / (download) - annotate - [select for diffs], Thu Jul 19 00:07:36 2001 UTC (22 years, 10 months ago) by krw
Branch: MAIN
Changes since 1.38: +4 -2 lines
Diff to previous 1.38 (colored)

Fix/complete the handling of the binary ops >< and <> to behave
like the ipf operators.

The 'n >< m' construct (Include Range = PF_OP_IRG) should match
ports greater than n and less than m, not greater than or equal to
n and less than or equal to m.

The 'n <> m' construct (Exclude Range = PF_OP_XRG) should match
all ports less than n OR greater than m, not be treated as an
alias for ><.

Thus PF_OP_GL, which was used for both <> and >< is replaced with
PF_OP_IRG and PF_OP_XRG with the 'correct' semantics.

OK dhartmei@

Revision 1.38 / (download) - annotate - [select for diffs], Tue Jul 17 23:25:42 2001 UTC (22 years, 10 months ago) by provos
Branch: MAIN
Changes since 1.37: +2 -2 lines
Diff to previous 1.37 (colored)

markus doesn't like min-ttl =, begone

Revision 1.37 / (download) - annotate - [select for diffs], Tue Jul 17 22:22:17 2001 UTC (22 years, 10 months ago) by provos
Branch: MAIN
Changes since 1.36: +4 -2 lines
Diff to previous 1.36 (colored)

support min-ttl, okay dhartmei@

Revision 1.36 / (download) - annotate - [select for diffs], Tue Jul 17 21:54:27 2001 UTC (22 years, 10 months ago) by provos
Branch: MAIN
Changes since 1.35: +5 -2 lines
Diff to previous 1.35 (colored)

normalize ip_off, make IP_DF stripping optional, return rst is a flag now.
okay markus@

Revision 1.35 / (download) - annotate - [select for diffs], Mon Jul 16 21:09:38 2001 UTC (22 years, 11 months ago) by markus
Branch: MAIN
Changes since 1.34: +12 -776 lines
Diff to previous 1.34 (colored)

add a yacc parser for pf.conf and nat.conf, with help from mickey@,
plus: -n now turns off all operations, and just parses the conf files
ok deraadt@

Revision 1.34 / (download) - annotate - [select for diffs], Wed Jul 11 21:30:14 2001 UTC (22 years, 11 months ago) by csapuntz
Branch: MAIN
Changes since 1.33: +42 -14 lines
Diff to previous 1.33 (colored)

Error on invalid ports

Revision 1.33 / (download) - annotate - [select for diffs], Tue Jul 10 05:55:57 2001 UTC (22 years, 11 months ago) by millert
Branch: MAIN
Changes since 1.32: +15 -24 lines
Diff to previous 1.32 (colored)

Oops, we can't use 0 as next_addr()'s error return since 0.0.0.0 is
a valid address.  Instead I add a pointer to the result as a parameter
and return 0 on failure and 1 on success.
Also uses inet_pton() instead of inet_aton().

Revision 1.32 / (download) - annotate - [select for diffs], Tue Jul 10 03:03:44 2001 UTC (22 years, 11 months ago) by millert
Branch: MAIN
Changes since 1.31: +51 -7 lines
Diff to previous 1.31 (colored)

Resolve as a host name if not an IP address; dhartmei@ OK

Revision 1.31 / (download) - annotate - [select for diffs], Tue Jul 10 00:07:21 2001 UTC (22 years, 11 months ago) by millert
Branch: MAIN
Changes since 1.30: +17 -17 lines
Diff to previous 1.30 (colored)

move "proto" in the nat case as well

Revision 1.30 / (download) - annotate - [select for diffs], Mon Jul 9 23:20:45 2001 UTC (22 years, 11 months ago) by millert
Branch: MAIN
Changes since 1.29: +28 -28 lines
Diff to previous 1.29 (colored)

Move the proto field to be after the "on" argument which is consistent
with pf.conf.  If no proto is specified tcp is assumed.
dhartmei@ OK

Revision 1.29 / (download) - annotate - [select for diffs], Mon Jul 9 10:30:58 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.28: +179 -63 lines
Diff to previous 1.28 (colored)

Extend nat/rdr syntax. Add source/destination selection. Make
interface optional. Suggested by rdump@river.com.

nat [on [!] <ifname>] from (any | [!] <addr>[/<mask>]) to (any |
    [!] <addr>[/<mask>]) -> <addr> [proto (tcp | udp | icmp)]

rdr [on [!] <ifname>] from (any | [!] <addr>[/<mask>]) to (any |
    [!] <addr>[/<mask>]) port <a>[:<b>] -> <addr> port <c>[:*]
    [proto (tcp | udp | icmp)]

Revision 1.28 / (download) - annotate - [select for diffs], Fri Jul 6 21:19:54 2001 UTC (22 years, 11 months ago) by chris
Branch: MAIN
Changes since 1.27: +17 -3 lines
Diff to previous 1.27 (colored)

Allow negative match on interface name for nat and rdr
ok dhartmei@

Revision 1.27 / (download) - annotate - [select for diffs], Wed Jul 4 23:45:40 2001 UTC (22 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.26: +17 -17 lines
Diff to previous 1.26 (colored)

cleaner

Revision 1.26 / (download) - annotate - [select for diffs], Wed Jul 4 21:10:43 2001 UTC (22 years, 11 months ago) by wilfried
Branch: MAIN
Changes since 1.25: +18 -3 lines
Diff to previous 1.25 (colored)

add new icmp codes and types as symbolic names, ok deraadt

Revision 1.25 / (download) - annotate - [select for diffs], Sun Jul 1 23:04:45 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.24: +45 -9 lines
Diff to previous 1.24 (colored)

tag packets generated by pf (return-rst, return-icmp) so they are not filtered, use existing icmp_error() and ip_output(). ok dugsong@, frantzen@

Revision 1.24 / (download) - annotate - [select for diffs], Sun Jul 1 17:16:02 2001 UTC (22 years, 11 months ago) by kjell
Branch: MAIN
Changes since 1.23: +24 -4 lines
Diff to previous 1.23 (colored)

Add port ranges to the rdr directive. Connections can be redirected
to either a range of the same size, or a single port. Redirects
between ranges of different sizes are not supported. Eg:

rdr dc0 10.0.0.0/24 port 60000:61000 -> 127.0.0.1 port 65530:* proto udp
rdr xl0 0.0.0.0/0 port 6660:6669 -> 127.0.0.1 port 6667 proto tcp

This replaces the wildcard port patch (when port = 0), as it should no
longer be necessary. ok dhartmei@

Revision 1.23 / (download) - annotate - [select for diffs], Sun Jul 1 17:04:13 2001 UTC (22 years, 11 months ago) by kjell
Branch: MAIN
Changes since 1.22: +21 -21 lines
Diff to previous 1.22 (colored)

Always print filter statistics, even when the filter is disabled.

Revision 1.22 / (download) - annotate - [select for diffs], Fri Jun 29 00:27:48 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.21: +4 -4 lines
Diff to previous 1.21 (colored)

fix counter/reason array usage

Revision 1.21 / (download) - annotate - [select for diffs], Thu Jun 28 21:54:43 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.20: +28 -11 lines
Diff to previous 1.20 (colored)

support scrub directive.  somebody please please BNF yaccify this.

Revision 1.20 / (download) - annotate - [select for diffs], Wed Jun 27 20:47:46 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.19: +2 -2 lines
Diff to previous 1.19 (colored)

print inbound packets passed correctly

Revision 1.19 / (download) - annotate - [select for diffs], Wed Jun 27 04:29:21 2001 UTC (22 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.18: +15 -12 lines
Diff to previous 1.18 (colored)

state counter changes

Revision 1.18 / (download) - annotate - [select for diffs], Wed Jun 27 02:45:58 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.17: +6 -1 lines
Diff to previous 1.17 (colored)

make it understand protocol numbers, too

Revision 1.17 / (download) - annotate - [select for diffs], Tue Jun 26 22:56:01 2001 UTC (22 years, 11 months ago) by dugsong
Branch: MAIN
Changes since 1.16: +25 -25 lines
Diff to previous 1.16 (colored)

name comparison operators

Revision 1.16 / (download) - annotate - [select for diffs], Tue Jun 26 22:36:28 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.15: +5 -5 lines
Diff to previous 1.15 (colored)

int -> unsigned, so -Wall is happy

Revision 1.15 / (download) - annotate - [select for diffs], Tue Jun 26 22:26:15 2001 UTC (22 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.14: +21 -14 lines
Diff to previous 1.14 (colored)

array of counters indexed by reason codes

Revision 1.14 / (download) - annotate - [select for diffs], Tue Jun 26 20:50:26 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.13: +2 -1 lines
Diff to previous 1.13 (colored)

add rule nr for Niels

Revision 1.13 / (download) - annotate - [select for diffs], Tue Jun 26 19:43:15 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.12: +7 -2 lines
Diff to previous 1.12 (colored)

add rule pointer and log option to states

Revision 1.12 / (download) - annotate - [select for diffs], Tue Jun 26 18:18:58 2001 UTC (22 years, 11 months ago) by kjell
Branch: MAIN
Changes since 1.11: +13 -7 lines
Diff to previous 1.11 (colored)

Print statistics in a human readable format. ok dhartmei

Revision 1.11 / (download) - annotate - [select for diffs], Tue Jun 26 15:29:05 2001 UTC (22 years, 11 months ago) by wilfried
Branch: MAIN
Changes since 1.10: +146 -10 lines
Diff to previous 1.10 (colored)

symbolic names for icmp-type and codes, ok deraadt@

Revision 1.10 / (download) - annotate - [select for diffs], Tue Jun 26 12:47:10 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.9: +2 -2 lines
Diff to previous 1.9 (colored)

add space after line number; wilfried@

Revision 1.9 / (download) - annotate - [select for diffs], Tue Jun 26 12:27:14 2001 UTC (22 years, 11 months ago) by wilfried
Branch: MAIN
Changes since 1.8: +4 -4 lines
Diff to previous 1.8 (colored)

allow 0.0.0.0/x in rules

Revision 1.8 / (download) - annotate - [select for diffs], Mon Jun 25 10:15:55 2001 UTC (22 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.7: +6 -6 lines
Diff to previous 1.7 (colored)

more sync against kernel changes

Revision 1.7 / (download) - annotate - [select for diffs], Mon Jun 25 10:14:07 2001 UTC (22 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.6: +91 -58 lines
Diff to previous 1.6 (colored)

catch up, might have introduced bugs, but there is a next pass...

Revision 1.6 / (download) - annotate - [select for diffs], Mon Jun 25 09:44:32 2001 UTC (22 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.5: +83 -67 lines
Diff to previous 1.5 (colored)

catch up to Art changes in the kernel

Revision 1.5 / (download) - annotate - [select for diffs], Mon Jun 25 05:00:58 2001 UTC (22 years, 11 months ago) by smart
Branch: MAIN
Changes since 1.4: +12 -8 lines
Diff to previous 1.4 (colored)

Replace magic numbers 1, 6, and 17 with IPPROTO_{ICMP,UDP,TCP}.  deraadt@ ok.

Revision 1.4 / (download) - annotate - [select for diffs], Sun Jun 24 23:24:15 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.3: +35 -35 lines
Diff to previous 1.3 (colored)

some KNF

Revision 1.3 / (download) - annotate - [select for diffs], Sun Jun 24 23:16:36 2001 UTC (22 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.2: +13 -7 lines
Diff to previous 1.2 (colored)

match changes in header files

Revision 1.2 / (download) - annotate - [select for diffs], Sun Jun 24 21:40:51 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.1: +2 -2 lines
Diff to previous 1.1 (colored)

REGENTS -> COPYRIGHT HOLDERS

Revision 1.1 / (download) - annotate - [select for diffs], Sun Jun 24 21:04:16 2001 UTC (22 years, 11 months ago) by kjell
Branch: MAIN

Move and rename packet filter userland.
grr. CVS: making easy things difficult, and directory operations impossible.
