Up to [local] / src / sbin / pfctl
Default branch: MAIN
Revision 1.119, Mon Jan 15 07:23:32 2024 UTC (4 months, 3 weeks ago) by sashan
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, HEAD
Changes since 1.118: +2 -1 lines
Currently 'pfctl -a "*" -sr' recursively walks anchor tree and shows rules found in every anchor. This commit introduces the same behavior for tables. Command 'pfctl -a "*" -sT' prints all tables attached to every anchor loaded to pf(4). Inconsistency has been noticed by Klemens (kn@). OK @bluhm, OK @kn
Revision 1.118, Mon Oct 25 14:50:29 2021 UTC (2 years, 7 months ago) by sashan
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4, OPENBSD_7_3_BASE, OPENBSD_7_3, OPENBSD_7_2_BASE, OPENBSD_7_2, OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.117: +2 -1 lines
- pfctl $nr incorrect macro expansion Issue reported by Kristof Provost from FreeBSD. [ https://reviews.freebsd.org/D32488 ] In order to fix the issue we must delay '$nr' macro expansion after optimizer collapses ruleset. OK kn@
Revision 1.117, Tue Jul 21 14:10:51 2020 UTC (3 years, 10 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0, OPENBSD_6_9_BASE, OPENBSD_6_9, OPENBSD_6_8_BASE, OPENBSD_6_8
Changes since 1.116: +0 -1 lines
rename PF_OPT_TABLE_PREFIX to PF_OPTIMIZER_TABLE_PFX and move it to pfvar.h OPT is misleading and usually refers to command line arguments to pfctl ok sashan kn
Revision 1.116, Wed Jan 15 11:52:50 2020 UTC (4 years, 4 months ago) by sashan
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.115: +17 -16 lines
Enable pfctl(8) to recursively flush rules and tables from PF driver. The recursive operation ("pfctl -a '*' ...") works for '-s' option already. This change enables the same thing for '-F' option, so "pfctl -a '*' -Fa" will flush everything from PF driver. The idea was discussed with many on tech@ in spring 2019. OK kn@
Revision 1.115, Thu Mar 7 08:01:52 2019 UTC (5 years, 3 months ago) by kn
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6, OPENBSD_6_5_BASE, OPENBSD_6_5
Changes since 1.114: +1 -4 lines
Remove pfctl_*_pool() remnants Left behind in pfctl_parser.h revision 1.91 "First pass at removing the 'pf_pool' mechanism [...]" These functions don't exist anymore, no object change. OK procter
Revision 1.114, Wed Mar 6 19:49:05 2019 UTC (5 years, 3 months ago) by kn
Branch: MAIN
Changes since 1.113: +2 -2 lines
Fix once rules parse.y revision 1.682 from 16.07.2018 erroneously allowed `match once' and `anchor "a" once'. Fix both by checking for PF_DROP not PF_MATCH and creating anchors in the parser already such that they can be used to distinguish anchor rules in the same check as well. Found and fixed by Petr Hoffmann <petr.hoffmann at oracle dot com>, thanks! While here, remove an unneeded cast and make pfctl_add_rule() void as it always returned 0. OK sashan
Revision 1.113, Tue Jan 29 10:58:31 2019 UTC (5 years, 4 months ago) by kn
Branch: MAIN
Changes since 1.112: +3 -1 lines
Reuse copy_satopfaddr() when killing entries Recently introduced in pfctl_parser.c r1.333, this helper nicely simplifies code when copying IPs based on their address family, so use it in five other places when killing state or source node entries. All addresses copied in these code paths result from either pfctl_parse_host() or pfctl_addrprefix() which guarantee the address family set to AF_INET or AF_INET6. Therefore, effectively relaxing the case of unhandled families from errx(3) in callers to warnx(3) in copy_satopfaddr() is safe since it's never reached. OK sashan
Revision 1.112, Thu Sep 6 15:07:34 2018 UTC (5 years, 9 months ago) by kn
Branch: MAIN
CVS Tags: OPENBSD_6_4_BASE, OPENBSD_6_4
Changes since 1.111: +2 -2 lines
Remove unused af argument from unmask() This has been unused for years. While here, zap the duplicate function signature from pfctl.h (already present in pfctl_parser.h); spotted by sashan, thanks. OK sashan
Revision 1.111, Wed Sep 5 21:16:26 2018 UTC (5 years, 9 months ago) by kn
Branch: MAIN
Changes since 1.110: +2 -2 lines
Move AF-specific mask logic from callers into set_ipmask() Instead of doing the same dance with every caller, check for user provided mask or address family specific maximum inside the function itself. Feedback and OK claudio
Revision 1.110, Thu Feb 8 09:15:46 2018 UTC (6 years, 4 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE, OPENBSD_6_3
Changes since 1.109: +5 -2 lines
make the watermarks/thresholds for entering and leaving syncookie mode when syncookies are set to adaptive tunable, ok claudio benno
Revision 1.109, Thu Feb 8 02:26:39 2018 UTC (6 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.108: +6 -2 lines
show current synflood detection watermarks in pfctl -vsi, for the lack of a more appropriate place. ok claudio benno procter
Revision 1.108, Tue Feb 6 23:47:47 2018 UTC (6 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.107: +3 -0 lines
allow control over syncookies: set syncookies never/always/adaptive
Revision 1.107, Sat Nov 25 22:20:06 2017 UTC (6 years, 6 months ago) by sashan
Branch: MAIN
Changes since 1.106: +2 -1 lines
- patching use-after-free and innocent memory leak in pfctl_optimize.c OK bluhm@
Revision 1.106, Fri Aug 11 22:30:38 2017 UTC (6 years, 9 months ago) by benno
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.105: +4 -3 lines
add option -N (no domain resolution) manpage wording and reminder about usage() jmc@ ok florian@ henning@
Revision 1.105, Mon Jul 18 19:11:18 2016 UTC (7 years, 10 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1, OPENBSD_6_0_BASE, OPENBSD_6_0
Changes since 1.104: +0 -1 lines
no more cbq_opts - CBQ is gone, ok mpi phessler benno
Revision 1.99.8.1, Wed Oct 29 15:36:44 2014 UTC (9 years, 7 months ago) by sthen
Branch: OPENBSD_5_4
Changes since 1.99: +2 -1 lines
MFC pfctl fix (parse.y 1.641, pfctl_parser.c 1.300, pfctl_parser.h 1.104) ----- Fixup incorrect expansion of the networking mask for dynamic interface specifications under certain circumstances resulting in potentially elevated access permissions for IPv6 traffic. Reported by sthen@; ok henning benno sthen -----
Revision 1.101.4.1, Wed Oct 29 15:36:15 2014 UTC (9 years, 7 months ago) by sthen
Branch: OPENBSD_5_5
Changes since 1.101: +2 -1 lines
MFC pfctl fix (parse.y 1.641, pfctl_parser.c 1.300, pfctl_parser.h 1.104) ----- Fixup incorrect expansion of the networking mask for dynamic interface specifications under certain circumstances resulting in potentially elevated access permissions for IPv6 traffic. Reported by sthen@; ok henning benno sthen -----
Revision 1.102.4.1, Wed Oct 29 15:29:34 2014 UTC (9 years, 7 months ago) by sthen
Branch: OPENBSD_5_6
Changes since 1.102: +2 -1 lines
MFC pfctl fix (parse.y 1.641, pfctl_parser.c 1.300, pfctl_parser.h 1.104) ----- Fixup incorrect expansion of the networking mask for dynamic interface specifications under certain circumstances resulting in potentially elevated access permissions for IPv6 traffic. Reported by sthen@; ok henning benno sthen -----
Revision 1.104, Mon Oct 27 21:51:32 2014 UTC (9 years, 7 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_9_BASE, OPENBSD_5_9, OPENBSD_5_8_BASE, OPENBSD_5_8, OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.103: +2 -1 lines
Fixup incorrect expansion of the networking mask for dynamic interface specifications under certain circumstances resulting in potentially elevated access permissions for IPv6 traffic. Reported by sthen@; ok henning benno sthen
Revision 1.103, Sat Aug 23 00:11:03 2014 UTC (9 years, 9 months ago) by pelikan
Branch: MAIN
Changes since 1.102: +11 -9 lines
when you specify queues in a rule, make sure they have been defined. DIOCADDRULE EBUSY turns into an error message that pfctl -n catches. DIOCXCOMMIT EINVAL after the kernel rejected the rules was reported to occur, possibly from hfsc.c: this should be fixed as well. ok henning mikeb sthen
Revision 1.102, Sat Apr 19 14:22:32 2014 UTC (10 years, 1 month ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE
Branch point for: OPENBSD_5_6
Changes since 1.101: +1 -14 lines
remove altq bits here, too (i was convinced i committed that yesterday already, hrm)
Revision 1.101, Sat Oct 12 12:16:12 2013 UTC (10 years, 7 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE
Branch point for: OPENBSD_5_5
Changes since 1.100: +14 -1 lines
config bits for the bandwidth shaping part of the new queueing subsystem syntax worked out with many in ljubljana using a whiteboard, testing & looking over by many, ok phessler sthen
Revision 1.100, Thu Aug 1 19:03:11 2013 UTC (10 years, 10 months ago) by mikeb
Branch: MAIN
Changes since 1.99: +3 -1 lines
Provide local implementations of if_nametoindex(3) and if_indextoname(3) that make use of the cache of addresses populated by the ifa_load on startup to save the trouble of calling expensive getaddrinfo(3) up to four times per rule. Performance wise this change provides a speed up factor of 20 with an 11k line ruleset on a machine with 150 VLANs and 250 IP addresses (20 seconds down to 1 in this case). "wow!" henning, ok benno, florian
Revision 1.99, Sat Dec 3 12:46:16 2011 UTC (12 years, 6 months ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_3_BASE, OPENBSD_5_3, OPENBSD_5_2_BASE, OPENBSD_5_2, OPENBSD_5_1_BASE, OPENBSD_5_1
Branch point for: OPENBSD_5_4
Changes since 1.98: +2 -2 lines
pfctl_set_hostid always returns 0; don't pretend otherwise and make it a void function instead. ok dlg
Revision 1.98, Wed Nov 23 10:24:37 2011 UTC (12 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.97: +2 -1 lines
print ports as numbers by default; -P prints names instead 2/2 from Lawrence Teo <lteo at devio dot us> ok sthen dlg and myself
Revision 1.97, Wed Jul 27 00:26:10 2011 UTC (12 years, 10 months ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_5_0_BASE, OPENBSD_5_0
Changes since 1.96: +2 -1 lines
Add support for weighted round-robin in load balancing pools and tables. Diff from zinke@ with some minor cleanup. ok henning claudio deraadt
Revision 1.96, Sun Jul 3 23:37:55 2011 UTC (12 years, 11 months ago) by zinke
Branch: MAIN
Changes since 1.95: +2 -1 lines
bring in least-states load balancing algorithm ok mcbride@ henning@
Revision 1.95, Wed Apr 6 13:19:55 2011 UTC (13 years, 2 months ago) by claudio
Branch: MAIN
Changes since 1.94: +3 -1 lines
Userland bits to allow PF to filter on the rdomain a packet belongs to. This allows to write rules like "pass in on rdomain 1". Tested by phessler@, OK henning@
Revision 1.94, Fri Jun 25 23:27:47 2010 UTC (13 years, 11 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_4_9_BASE, OPENBSD_4_9, OPENBSD_4_8_BASE, OPENBSD_4_8
Changes since 1.93: +1 -2 lines
remove -m (merge). it is violating the transactional model we have and made stronger in pf, it is broken in some cases and since some options are passed to the kernel while some are userland only and affect how the rules are parsed it is complete bullshit anyway - obviously, changing options that affect ruleset parsing without reloading and thus reparsing the ruleset cannot work. so stop pretending it could and cut the crap. ok dlg krw deraadt
Revision 1.93, Tue Mar 23 13:31:29 2010 UTC (14 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.92: +1 -8 lines
remove -A, -O, -R and -T load the partial loading of a ruleset (leaving anchors aside) is wrong and conflicts with the general idea of how pf works. last not least it breaks with the optimizer generating tables automagically. ok deraadt sthen krw manpage jmc
Revision 1.92, Mon Jan 18 23:52:46 2010 UTC (14 years, 4 months ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_4_7_BASE, OPENBSD_4_7
Changes since 1.91: +4 -1 lines
Convert pf debug logging to using log()/addlog(), a single standardised definition of DPFPRINTF(), and log priorities from syslog.h. Old debug levels will still work for now, but will eventually be phased out. discussed with henning, ok dlg
Revision 1.91, Tue Jan 12 03:20:51 2010 UTC (14 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.90: +5 -3 lines
First pass at removing the 'pf_pool' mechanism for translation and routing actions. Allow interfaces to be specified in special table entries for the routing actions. Lists of addresses can now only be done using tables, which pfctl will generate automatically from the existing syntax. Functionally, this deprecates the use of multiple tables or dynamic interfaces in a single nat or rdr rule. ok henning dlg claudio
Revision 1.90, Sun Jan 10 07:45:41 2010 UTC (14 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.89: +2 -1 lines
In the non-optimized case, an address list containing "any" (ie. { any 10.0.0.1 }) should be folded in the parser to any, not to 10.0.0.1. How long this bug has been with us is unclear. ok guenther mcbride
Revision 1.89, Tue Sep 1 13:42:00 2009 UTC (14 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.88: +2 -2 lines
the diff theo calls me insane for: rewrite of the NAT code, basically. nat and rdr become actions on regular rules, separate nat/rdr/binat rules do not exist any more. match in on $intf rdr-to 1.2.3.4 match out on $intf nat-to 5.6.7.8 the code is capable of doing nat and rdr in any direction, but we prevent this in pfctl for now, there are implications that need to be documented better. the address rewrite happens inline, subsequent rules will see the already changed addresses. nat / rdr can be applied multiple times as well. match in on $intf rdr-to 1.2.3.4 match in on $intf to 1.2.3.4 rdr-to 5.6.7.8 help and ok dlg sthen claudio, reyk tested too
Revision 1.88, Mon Apr 6 12:05:55 2009 UTC (15 years, 2 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_4_6_BASE, OPENBSD_4_6
Changes since 1.87: +4 -1 lines
1) scrub rules are completely gone.
2) packet reassembly: only one method remains, full reassembly. crop and drop-ovl are gone.
. set reassemble yes|no [no-df]
if no-df is given fragments (and only fragments!) with the df bit set have it cleared before entering the fragment cache, and thus the reassembled packet doesn't have df set either. it does NOT touch non-fragmented packets.
3) regular rules can have scrub options.
. pass scrub(no-df, min-ttl 64, max-mss 1400, set-tos lowdelay)
. match scrub(reassemble tcp, random-id)
of course all options are optional. the individual options still do what they used to do on scrub rules, but everything is stateful now.
4) match rules
"match" is a new action, just like pass and block are, and can be used like they do. opposed to pass or block, they do NOT change the pass/block state of a packet. i. e.
. pass
. match
passes the packet, and
. block
. match
blocks it.
Every time (!) a match rule matches, i. e. not only when it is the last matching rule, the following actions are set:
-queue assignment. can be overwritten later, the last rule that set a queue wins. note how this is different from the last matching rule wins, if the last matching rule has no queue assignments and the second last matching rule was a match rule with queue assignments, these assignments are taken.
-rtable assignments. works the same as queue assignments.
-set-tos, min-ttl, max-mss, no-df, random-id, reassemble tcp, all work like the above
-logging. every matching rule causes the packet to be logged. this means a single packet can get logged more than once (think multiple log interfaces with different receivers, like pflogd and spamlogd)
.
almost entirely hacked at n2k9 in basel, could not be committed close to release. this really should have been multiple diffs, but splitting them now is not feasible any more. input from mcbride and dlg, and frantzen about the fragment handling.
speedup around 7% for the common case, the more the more scrub rules were in use. manpage not up to date, being worked on.
Revision 1.87, Sat Oct 13 16:35:18 2007 UTC (16 years, 7 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_4_5_BASE, OPENBSD_4_5, OPENBSD_4_4_BASE, OPENBSD_4_4, OPENBSD_4_3_BASE, OPENBSD_4_3
Changes since 1.86: +3 -3 lines
in all these programs using the same pfctl-derived parse.y, re-unify the yylex implementation and the code which interacts with yylex. this also brings the future potential for include support to all of the parsers. in the future please do not make silly modifications to one of these files without checking if you are de-unifying the code. checked by developers in all these areas.
Revision 1.86, Tue Oct 31 23:46:25 2006 UTC (17 years, 7 months ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_4_2_BASE, OPENBSD_4_2, OPENBSD_4_1_BASE, OPENBSD_4_1
Changes since 1.85: +2 -1 lines
Allow a user to recursively print anchors including those without reserved names, if a trailing * is specified in the anchor name. e.g. recursively print the main ruleset: pfctl -a '*' -sr Recursively print the spam anchor: pfctl -a 'spam*' pfctl -a 'spam/*' Also fix a bug which prevented the contents of inline anchors with explicit names from being loaded into the kernel. ok henning@
Revision 1.85, Tue Oct 31 14:17:45 2006 UTC (17 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.84: +7 -4 lines
Allow pfctl ruleset optimizer to be controlled from the ruleset. "set" "ruleset-optimization" [ "none" | "basic" | "profile" ] You can optionally control ruleset optimization with these keywords on the command line with the -o option; the command line setting will override the pf.conf setting. The existing -o/-oo flags continue to work as expected. cleanup and ok henning@
Revision 1.84, Sat Oct 28 14:29:05 2006 UTC (17 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.83: +10 -9 lines
Load all rules into memory before loading into the kernel, and add support for anchors loaded inline in pf.conf, enclosed in a brace-delimited block ("{" "}"). anchor on fxp0 { pass in proto tcp port 22 } The anchor name is optional on inline loaded anchors. testing ckuethe@ ok henning@ dhartmei@
Revision 1.83, Thu Nov 17 20:52:39 2005 UTC (18 years, 6 months ago) by dhartmei
Branch: MAIN
CVS Tags: OPENBSD_4_0_BASE, OPENBSD_4_0, OPENBSD_3_9_BASE, OPENBSD_3_9
Changes since 1.82: +2 -2 lines
for pfctl -f rules, open the file before resetting options. when opening the file fails, produce only the error message and leave options unchanged. reported by Tamas TEVESZ, ok deraadt@
Revision 1.82, Thu Oct 13 13:27:06 2005 UTC (18 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.81: +2 -2 lines
unused parameters
Revision 1.81, Thu Oct 13 12:54:01 2005 UTC (18 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.80: +1 -5 lines
dead defines
Revision 1.80, Mon Feb 7 18:18:14 2005 UTC (19 years, 4 months ago) by david
Branch: MAIN
CVS Tags: OPENBSD_3_8_BASE, OPENBSD_3_8, OPENBSD_3_7_BASE, OPENBSD_3_7
Changes since 1.79: +1 -2 lines
KNF; ok henning@
Revision 1.79, Wed Jan 5 18:23:10 2005 UTC (19 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.78: +16 -1 lines
Modify pfctl behaviour so that 'set ...' options are no longer "sticky", ie. they are reset to default values if omitted from a subsequent ruleset load. Also: - make sure 'set ...' options are not loaded in anchors. - add a -m ("merge") flag to pfctl which allows an individual option to be set without resetting the others, eg: # echo "set loginterface fxp0" | pfctl -mf - ok henning@ dhartmei@
Revision 1.78, Wed Dec 22 17:17:55 2004 UTC (19 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.77: +2 -1 lines
Introduce 'set skip on <ifspec>' to support a list of interfaces where no packet filtering should occur (like loopback, for instance). Code from Max Laier, with minor improvements based on feedback from deraadt@. ok mcbride@, henning@
Revision 1.77, Fri Jul 16 23:44:25 2004 UTC (19 years, 10 months ago) by frantzen
Branch: MAIN
CVS Tags: OPENBSD_3_6_BASE, OPENBSD_3_6
Changes since 1.76: +33 -2 lines
'pfctl -o' ruleset optimizer that doesn't change the meaning of the final ruleset - remove identical and subsetted rules - when advantageous merge rules w/ similar addresses into a table and one rule - re-order rules to improve skip step performance (can do better w/ kernel mods) - 'pfctl -oo' will load the currently running ruleset and use it as a profile to direct the optimization of quicked rules ok henning@ mcbride@. man page help from jmc@
Revision 1.76, Wed May 19 17:50:51 2004 UTC (20 years ago) by dhartmei
Branch: MAIN
Changes since 1.75: +6 -6 lines
Allow recursive anchors (anchors within anchors, up to 64 levels deep). More work required, but this is already functional. authpf users will need to adjust their anchor calls, but this will change again soon. ok beck@, cedric@, henning@, mcbride@
Revision 1.75, Wed Apr 14 11:16:43 2004 UTC (20 years, 1 month ago) by cedric
Branch: MAIN
Changes since 1.74: +2 -1 lines
make antispoof work with dynamic addresses. ok dhartmei@ mcbride@
Revision 1.74, Tue Feb 10 22:26:56 2004 UTC (20 years, 4 months ago) by dhartmei
Branch: MAIN
CVS Tags: OPENBSD_3_5_BASE, OPENBSD_3_5
Changes since 1.73: +3 -3 lines
KNF
Revision 1.73, Thu Jan 29 01:25:13 2004 UTC (20 years, 4 months ago) by mcbride
Branch: MAIN
Changes since 1.72: +2 -1 lines
Clean up 'pfctl -s all' output. ok deraadt@ henning@
Revision 1.72, Wed Dec 31 11:18:24 2003 UTC (20 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.71: +8 -9 lines
Many improvements to the handling of interfaces in PF.
1) PF should do the right thing when unplugging/replugging or cloning/destroying NICs.
2) Rules can be loaded in the kernel for not-yet-existing devices (USB, PCMCIA, Cardbus). For example, it is valid to write: "pass in on kue0" before kue USB is plugged in.
3) It is possible to write rules that apply to group of interfaces (drivers), like "pass in on ppp all"
4) There is a new ":peer" modifier that completes the ":broadcast" and ":network" modifiers.
5) There is a new ":0" modifier that will filter out interface aliases. Can also be applied to DNS names to restore original PF behaviour.
6) The dynamic interface syntax (foo) has been vastly improved, and now supports multiple addresses, v4 and v6 addresses, and all userland modifiers, like "pass in from (fxp0:network)"
7) Scrub rules now support the !if syntax.
8) States can be bound to the specific interface that created them or to a group of interfaces for example:
- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)
9) The default value when only keep state is given can be selected by using the "set state-policy" statement.
10) "pfctl -ss" will now print the interface scope of the state.
This diff changes the pf_state structure slightly, so you should recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)
Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel
ok deraadt@ mcbride@
Revision 1.71, Mon Dec 15 07:11:30 2003 UTC (20 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.70: +2 -1 lines
Add initial support for pf state synchronization over the network. Implemented as an in-kernel multicast IP protocol. Turn it on like this: # ifconfig pfsync0 up syncif fxp0 There is not yet any authentication on this protocol, so the syncif must be on a trusted network. ie, a crossover cable between the two firewalls. NOTABLE CHANGES: - A new index based on a unique (creatorid, stateid) tuple has been added to the state tree. - Updates now appear on the pfsync(4) interface; multiple updates may be compressed into a single update. - Applications which use bpf on pfsync(4) will need modification; packets on pfsync no longer contain regular pf_state structs, but pfsync_state structs which contain no pointers. Much more to come. ok deraadt@
Revision 1.70, Mon Dec 15 00:02:03 2003 UTC (20 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.69: +3 -2 lines
Add support to track stateful connections by source ip. This allows us to: - Ensure that clients get a consistent IP mapping with load-balanced translation/routing rules - Limit the number of simultaneous connections a client can make - Limit the number of clients which can connect through a rule ok dhartmei@ deraadt@
Revision 1.69, Fri Nov 14 13:51:09 2003 UTC (20 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.68: +2 -1 lines
allow the debuglevel to be set from pf.conf (set debug) ok cedric@
Revision 1.68, Fri Sep 26 21:44:09 2003 UTC (20 years, 8 months ago) by cedric
Branch: MAIN
Changes since 1.67: +4 -4 lines
Rearchitecture of the userland/kernel IOCTL interface for transactions. This brings us close to 100% atomicity for a "pfctl -f pf.conf" command. (some splxxx work remains in the kernel). Basically, improvements are:
- Anchors/Rulesets cannot disappear unexpectedly anymore.
- No more leftover in the kernel if "pfctl -f" fails.
- Commit is now done in a single atomic IOCTL.
WARNING: The kernel code is fully backward compatible, but the new pfctl/authpf userland utilities will only run on a new kernel.
The following ioctls are deprecated (i.e. will be deleted sooner or later, depending on how many 3rd party utilities use them and how soon they can be upgraded):
- DIOCBEGINRULES
- DIOCCOMMITRULES
- DIOCBEGINALTQS
- DIOCCOMMITALTQS
- DIOCRINABEGIN
- DIOCRINADEFINE
They are replaced by the following ioctls (yes, PF(4) will follow) which operate on a vector of rulesets:
- DIOCXBEGIN
- DIOCXCOMMIT
- DIOCXROLLBACK
Ok dhartmei@ mcbride@
Revision 1.67, Thu Aug 21 19:12:09 2003 UTC (20 years, 9 months ago) by frantzen
Branch: MAIN
CVS Tags: OPENBSD_3_4_BASE, OPENBSD_3_4
Changes since 1.66: +18 -1 lines
Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF. Exposes the source IP's operating system to the filter language. Interesting policy decisions are now enforceable: . block proto tcp from any os SCO . block proto tcp from any os Windows to any port smtp . rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001
Revision 1.66, Thu Jul 31 22:25:54 2003 UTC (20 years, 10 months ago) by cedric
Branch: MAIN
Changes since 1.65: +3 -3 lines
Make table tickets per-ruleset instead of global. Make table tickets u_int32_t for consistency with other parts of PF. Ok dhartmei@ henning@
Revision 1.65, Fri Jul 18 06:30:07 2003 UTC (20 years, 10 months ago) by cedric
Branch: MAIN
Changes since 1.64: +1 -2 lines
Simplify handling of flags (-R, -N...). Remove PFCTL_FLAG_ALL. ok dhartmei@
Revision 1.64, Fri Jul 11 08:29:34 2003 UTC (20 years, 11 months ago) by cedric
Branch: MAIN
Changes since 1.63: +14 -4 lines
Better parsing and -v support for tables: - remove the tableaddrs and tableaddr yacc production and reuse host_list instead. - produce better error messages. - do not load addresses from external file when it is not required (like with -R option). - store initializers in a new node_tinit linked list before putting them into the address buffer (see next point). - add a new print_tabledef() function, which makes "pfctl -nvf" print something useful for table definitions, which in turn makes it possible to write better regress tests (see first chunk of the diff) and bring table definition consistent with other parsed rules. ok dhartmei@
Revision 1.63, Thu Jul 3 21:09:13 2003 UTC (20 years, 11 months ago) by cedric
Branch: MAIN
Changes since 1.62: +4 -4 lines
Bye bye atexit(), bye bye globals... The pfctl.c part will probably need some further improvements. ok henning@
Revision 1.62 / (download) - annotate - [select for diffs], Thu Jul 3 09:13:06 2003 UTC (20 years, 11 months ago) by cedric
Branch: MAIN
Changes since 1.61: +7 -4 lines
Diff to previous 1.61 (colored)
This patch finally cleans up pfctl_table.c. No more global buffer, and a couple of parsing functions moved to parse.y or pfctl_parser where they belong. I also took the opportunity to replace "void" functions with exit(1) or err() inside by "int" functions, with the caller checking the return value for errors (much cleaner and an old request from Theo) ok dhartmei@ henning@
Revision 1.61 / (download) - annotate - [select for diffs], Mon May 19 20:21:53 2003 UTC (21 years ago) by henning
Branch: MAIN
Changes since 1.60: +2 -1 lines
Diff to previous 1.60 (colored)
reject invalid netmasks like 10.0.0.0/68, and fix up the netmask for dynaddr rules after we know the address family ok dhartmei@, inspired by a session with bob
Revision 1.60 / (download) - annotate - [select for diffs], Sat May 10 00:45:24 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.59: +4 -1 lines
Diff to previous 1.59 (colored)
support loading of anchors from within the main ruleset via load anchor anchorname:rulesetname file /path/to/file ok pb@ dhartmei@ cedric@
Revision 1.59 / (download) - annotate - [select for diffs], Wed Apr 30 12:30:27 2003 UTC (21 years, 1 month ago) by cedric
Branch: MAIN
Changes since 1.58: +4 -2 lines
Diff to previous 1.58 (colored)
Allow tables to be loaded into anchors. Most pfctl table commands (excluding 'show' and 'flush') support the "-a" modifier. ok dhartmei@
Revision 1.58 / (download) - annotate - [select for diffs], Tue Apr 15 11:29:24 2003 UTC (21 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.57: +4 -3 lines
Diff to previous 1.57 (colored)
pass down the unparsed queue opts (struct node_queue_opt) to print_altq/print_hfsc -> print_hfsc_opts and extract struct node_hfsc_sc there for each service curve and pass those down to print_hfsc_sc. now bandwidth specifications in the service curves are printed correct in the case of a queue belonging to more than one interface/parent queue, the parent queues having different bandwidths and the bandwidth on the service curve being specified in percent.
Revision 1.57 / (download) - annotate - [select for diffs], Mon Apr 14 14:50:46 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.56: +5 -1 lines
Diff to previous 1.56 (colored)
let print_altq and print_queue take a struct node_queue_bw parameter instead of distinct bw_percent
Revision 1.56 / (download) - annotate - [select for diffs], Sun Apr 13 20:41:37 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.55: +21 -7 lines
Diff to previous 1.55 (colored)
new struct node_hfsc_opts for, surprise, hfsc options. needed because they contain bandwidth specifications and we need to carry the unprocessed bw specs around for quite some time until we can break them down to absolute values.
Revision 1.55 / (download) - annotate - [select for diffs], Sun Apr 13 20:16:06 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.54: +5 -3 lines
Diff to previous 1.54 (colored)
pass down the struct node_queue_opts from the altqif/queuespec yacc targets to expand_altq/expand_queue -> eval_pfaltq/eval_pfqueue and further down to the new eval_queue_opts() instead of evaluating them directly in the yacc grammar. this will be needed to process the hfsc options which can contain relative bandwidth specifications, and we can't break them down to an absolute one earlier.
Revision 1.54 / (download) - annotate - [select for diffs], Sun Apr 13 19:36:00 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.53: +17 -3 lines
Diff to previous 1.53 (colored)
move the structs node_queue_bw and node_queue_opt to pfctl_parser.h. let eval_pfqueue() and eval_pfaltq() take a pointer to a struct node_queue_bw instead of two distinct bw_absolute and bw_percent parameters.
Revision 1.53 / (download) - annotate - [select for diffs], Sat Apr 5 23:56:32 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.52: +2 -2 lines
Diff to previous 1.52 (colored)
ease netmask handling a bit input theo, ok dhartmei@
Revision 1.52 / (download) - annotate - [select for diffs], Thu Apr 3 15:52:24 2003 UTC (21 years, 2 months ago) by cedric
Branch: MAIN
Changes since 1.51: +1 -5 lines
Diff to previous 1.51 (colored)
Simplify pfctl printing code. ok dhartmei@ henning@
Revision 1.51 / (download) - annotate - [select for diffs], Thu Mar 27 18:01:57 2003 UTC (21 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.50: +3 -3 lines
Diff to previous 1.50 (colored)
lotsa const char * from David Hill <david at phobia.ms> a while ago
Revision 1.50 / (download) - annotate - [select for diffs], Fri Mar 7 12:55:37 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_3_3_BASE,
OPENBSD_3_3
Changes since 1.49: +2 -1 lines
Diff to previous 1.49 (colored)
don't include debugging output, namely, the result of the skip steps calculation, in verbose output (pfctl -vvsr). Instead, use a new flag -g for that. result of a longer discussion with dhartmei@ and jakob@ ok cedric@ pb@
Revision 1.49 / (download) - annotate - [select for diffs], Tue Feb 18 21:59:34 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.48: +2 -2 lines
Diff to previous 1.48 (colored)
fix load option handling (-A, -N, -R) for options. due to a bug in the loadopt check options were always loaded no matter which loadopts were specified. while being there, move the prints for that to where they belong, into the appropriate pfctl_set_* functions, and thus only print when the options are actually loaded. fixes regress tests pfopt3, pfopt4, pfopt5 I added earlier. ok dhartmei@
Revision 1.48 / (download) - annotate - [select for diffs], Sun Feb 16 14:04:34 2003 UTC (21 years, 3 months ago) by henning
Branch: MAIN
Changes since 1.47: +3 -3 lines
Diff to previous 1.47 (colored)
cosmetics
Revision 1.47 / (download) - annotate - [select for diffs], Mon Feb 3 14:51:36 2003 UTC (21 years, 4 months ago) by cedric
Branch: MAIN
Changes since 1.46: +1 -2 lines
Diff to previous 1.46 (colored)
remove loadopt global definition and cleanup a bit. ok henning@
Revision 1.46 / (download) - annotate - [select for diffs], Mon Feb 3 13:40:45 2003 UTC (21 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.45: +2 -1 lines
Diff to previous 1.45 (colored)
fix a problem with queue definitions when load options (like -N etc) are given; they used to check for their parent interface/queue even in this case. ok dhartmei@ cedric@
Revision 1.45 / (download) - annotate - [select for diffs], Sun Feb 2 23:22:07 2003 UTC (21 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.44: +2 -2 lines
Diff to previous 1.44 (colored)
there is no need to pass opts to parse_rules explicitly; it's passed as part of the struct pfctl.
Revision 1.44 / (download) - annotate - [select for diffs], Sun Feb 2 18:32:35 2003 UTC (21 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.43: +4 -4 lines
Diff to previous 1.43 (colored)
const'ify params for the host stuff ok theo
Revision 1.43 / (download) - annotate - [select for diffs], Sat Jan 25 18:16:05 2003 UTC (21 years, 4 months ago) by cedric
Branch: MAIN
Changes since 1.42: +2 -2 lines
Diff to previous 1.42 (colored)
Fix NOACTION with table statements.
Revision 1.42 / (download) - annotate - [select for diffs], Sat Jan 25 16:33:19 2003 UTC (21 years, 4 months ago) by cedric
Branch: MAIN
Changes since 1.41: +2 -1 lines
Diff to previous 1.41 (colored)
Permit initialisation of a table content from a file in pf.conf. Cleaning up of the table options parsing, more flexible. idea+cleanup deraadt@, ok dhartmei@, pass all regress tests.
Revision 1.41 / (download) - annotate - [select for diffs], Sat Jan 18 15:00:24 2003 UTC (21 years, 4 months ago) by cedric
Branch: MAIN
Changes since 1.40: +2 -1 lines
Diff to previous 1.40 (colored)
Cleanup PF_OPT_NOACTION with tables. No changes on current behaviour, but do something useful when the user has no access to /dev/pf. Tested on i386, sparc64. ok henning@
Revision 1.40 / (download) - annotate - [select for diffs], Tue Jan 14 21:58:12 2003 UTC (21 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.39: +33 -1 lines
Diff to previous 1.39 (colored)
unified IP parser:
-move host(), set_ipmask and the ifa_* functions to pfctl_parser.[c|h]
-extend host() to handle /mask itself, plus minor adjustments
-use that in pfctl_table.c instead of coding the same shit again
discussed w/ cedric@ ok cedric@ dhartmei@
Revision 1.39 / (download) - annotate - [select for diffs], Thu Jan 9 10:40:44 2003 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.38: +8 -1 lines
Diff to previous 1.38 (colored)
Add support for active/inactive tablesets in the kernel. Add table definition/initialisation construct in pfctl parser. Add and fix documentation for pf.4 and pf.conf.5. Tested on i386 and sparc64 by myself, macppc by Daniel. ok dhartmei@
Revision 1.38 / (download) - annotate - [select for diffs], Sat Jan 4 00:01:34 2003 UTC (21 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.37: +4 -1 lines
Diff to previous 1.37 (colored)
I do not know where this policy of "one .h file for every .c file" comes from, but whoever thought of it is stupid.
Revision 1.37 / (download) - annotate - [select for diffs], Sun Dec 22 14:19:29 2002 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.36: +3 -1 lines
Diff to previous 1.36 (colored)
Instead of inserting and removing rules at the top/bottom of the main ruleset, make authpf manage its rules inside anchors.
Revision 1.36 / (download) - annotate - [select for diffs], Wed Dec 18 19:40:41 2002 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.35: +4 -4 lines
Diff to previous 1.35 (colored)
Store translation rule pointer in state entries, so pfctl -vsn can print evaluation, packet, byte and state entry counters similar to -vsr. Helps verify whether/how often translation rules are evaluated/matched. ok frantzen@, henning@
Revision 1.35 / (download) - annotate - [select for diffs], Wed Dec 18 14:14:09 2002 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.34: +2 -2 lines
Diff to previous 1.34 (colored)
Maintain separate pfioc_rule structures for each type of rule, to prevent tickets from getting overwritten. bug reported by dhartmei@ ok dhartmei@
Revision 1.34 / (download) - annotate - [select for diffs], Tue Dec 17 12:36:59 2002 UTC (21 years, 5 months ago) by mcbride
Branch: MAIN
Changes since 1.33: +7 -12 lines
Diff to previous 1.33 (colored)
Match merge of pf_nat/pf_binat/pf_rdr structs into pf_rule ok dhartmei@ henning@
Revision 1.33 / (download) - annotate - [select for diffs], Thu Dec 5 14:10:45 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.32: +2 -2 lines
Diff to previous 1.32 (colored)
one step further to "program output is valid program input" and the related extra regress testing opportunities (an excellent idea by markus@). only print rule numbers in case of pfctl -v -v; but not with pfctl -v. ok markus@ frantzen@ mcbride@
Revision 1.32 / (download) - annotate - [select for diffs], Wed Dec 4 08:07:28 2002 UTC (21 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.31: +3 -2 lines
Diff to previous 1.31 (colored)
do not warn for unused variables except with -v -v; henning ok
Revision 1.31 / (download) - annotate - [select for diffs], Sat Nov 30 13:53:15 2002 UTC (21 years, 6 months ago) by mickey
Branch: MAIN
Changes since 1.30: +1 -3 lines
Diff to previous 1.30 (colored)
move damn unmask() proto into place as well
Revision 1.30 / (download) - annotate - [select for diffs], Thu Nov 28 12:14:25 2002 UTC (21 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.29: +1 -1 lines
Diff to previous 1.29 (colored)
- Adjust to match replacement of md5 with pf_hash
- Allow keys to be specified in hex (must be 128 bits, mainly to make pfctl -v output parseable by pfctl) or as a string. Randomly generate key if one is not specified.
Suggestions and fixes from camield@ ok mickey@ camield@ henning@
Revision 1.29 / (download) - annotate - [select for diffs], Sat Nov 23 06:18:42 2002 UTC (21 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.28: +2 -1 lines
Diff to previous 1.28 (colored)
missing prototype, remember to use sa_family_t for af
Revision 1.28 / (download) - annotate - [select for diffs], Sat Nov 23 05:22:24 2002 UTC (21 years, 6 months ago) by mcbride
Branch: MAIN
Changes since 1.27: +2 -1 lines
Diff to previous 1.27 (colored)
code to support loading of pf rules with multiple redirection addresses (in nat, rdr, route-to, dup-to and reply-to) Syntax looks like this, see pf.conf(5) for details:
nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> \
    192.168.0.16/29 source-hash random
rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> \
    { 192.168.0.8/31, 192.168.0.15 } port 22 round-robin
ok dhartmei@ henning@
Revision 1.27 / (download) - annotate - [select for diffs], Mon Nov 18 22:49:15 2002 UTC (21 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.26: +5 -1 lines
Diff to previous 1.26 (colored)
altq and pf merged this isn't 100% done yet: the print_ stuff isn't finished, some features will be added later, and there is no documentation yet, but committing now enables a few more people to work on. print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc, debugging help also pb and camiel. lots of good ideas by theo. "commit now" theo philipp daniel
Revision 1.26 / (download) - annotate - [select for diffs], Fri Oct 25 10:40:45 2002 UTC (21 years, 7 months ago) by camield
Branch: MAIN
Changes since 1.25: +20 -20 lines
Diff to previous 1.25 (colored)
- more sa_family_t
- move unmask code to correct file
- whitespace
ok mcbride@ dhartmei@
Revision 1.25 / (download) - annotate - [select for diffs], Tue Jun 25 08:13:26 2002 UTC (21 years, 11 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_3_2_BASE,
OPENBSD_3_2
Changes since 1.24: +7 -1 lines
Diff to previous 1.24 (colored)
move pfctl options -t, -m, -O and -l to pf.conf. These are set using the "set" keyword. example rulefile:
set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all
fries@ is working on an updated pf.conf(5) discussed at c2k2 and on icb ok dhartmei@, kjell@
Revision 1.24 / (download) - annotate - [select for diffs], Tue Jun 11 06:12:15 2002 UTC (22 years ago) by kjell
Branch: MAIN
Changes since 1.23: +5 -1 lines
Diff to previous 1.23 (colored)
Add -N and -R options. When used in conjunction with pfctl -f <rulefile> they allow just the nat or filter rules to be reloaded, respectively. The default (no flags) is to load everything. If -N is specified, any existing filter rules are retained, similarly for -R. ok deraadt@, dhartmei@
Revision 1.23 / (download) - annotate - [select for diffs], Tue Jun 11 03:12:03 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.22: +1 -2 lines
Diff to previous 1.22 (colored)
Remove parse_nat() prototype, it's gone. Yes, authpf is broken at the moment.
Revision 1.22 / (download) - annotate - [select for diffs], Tue Jun 11 02:12:37 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.21: +4 -2 lines
Diff to previous 1.21 (colored)
Make NAT proxy port range configurable per rule, for instance privileged source ports can be mapped to privileged proxy ports, or source port 500 to proxy port 500. ok frantzen@
Revision 1.21 / (download) - annotate - [select for diffs], Tue Jun 11 01:58:00 2002 UTC (22 years ago) by henning
Branch: MAIN
Changes since 1.20: +9 -1 lines
Diff to previous 1.20 (colored)
rework pfctl statistics display move FCNT_NAMES from pfvar.h to pfctl_parser.h, only used by pfctl some input by nick@ ok frantzen@, dhartmei@
Revision 1.20 / (download) - annotate - [select for diffs], Sat Jun 8 21:09:59 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.19: +5 -5 lines
Diff to previous 1.19 (colored)
Change remaining read-only lookup tables to const, suggestion drahn@
Revision 1.19 / (download) - annotate - [select for diffs], Sat Jun 8 07:58:07 2002 UTC (22 years ago) by dhartmei
Branch: MAIN
Changes since 1.18: +8 -1 lines
Diff to previous 1.18 (colored)
Make state timeouts configurable per rule, like pass in from any to any port www keep state (tcp.established 60) ok frantzen@
Revision 1.18 / (download) - annotate - [select for diffs], Fri Jun 7 19:33:03 2002 UTC (22 years ago) by henning
Branch: MAIN
Changes since 1.17: +3 -1 lines
Diff to previous 1.17 (colored)
allow using $srcaddr, $srcport, $dstaddr and $dstport in rule labels, evaluated at parse time. ok dhartmei@
Revision 1.17 / (download) - annotate - [select for diffs], Thu Jun 6 22:22:44 2002 UTC (22 years ago) by mickey
Branch: MAIN
Changes since 1.16: +1 -3 lines
Diff to previous 1.16 (colored)
split out the pf_state printing functions to be used elsewhere, no functional change; dhartmei@ ok
Revision 1.16 / (download) - annotate - [select for diffs], Sat Jun 1 04:06:47 2002 UTC (22 years ago) by hugh
Branch: MAIN
Changes since 1.15: +3 -1 lines
Diff to previous 1.15 (colored)
ECN flag support for pf. Committed in consultation with Daniel.
Revision 1.15 / (download) - annotate - [select for diffs], Mon Mar 11 22:22:57 2002 UTC (22 years, 3 months ago) by dhartmei
Branch: MAIN
CVS Tags: OPENBSD_3_1_BASE,
OPENBSD_3_1
Changes since 1.14: +7 -5 lines
Diff to previous 1.14 (colored)
Add -r to reverse lookup addresses when displaying states. From John Kerbawy.
Revision 1.14 / (download) - annotate - [select for diffs], Wed Feb 27 18:11:45 2002 UTC (22 years, 3 months ago) by dhartmei
Branch: MAIN
Changes since 1.13: +2 -1 lines
Diff to previous 1.13 (colored)
Instead of printing useless @0 rule numbers from pfctl -vR, increase a counter. Helps debugging rule sets that are not loaded. Suggested by John Kerbawy.
Revision 1.13 / (download) - annotate - [select for diffs], Wed Jan 9 11:30:53 2002 UTC (22 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.12: +2 -1 lines
Diff to previous 1.12 (colored)
Add labels to rules. These are arbitrary names (not to be confused with tags that will be used to tag packets later on). Add pfctl -z to clear per-rule counters. Add pfctl -s labels to output per-rule counters in terse format and only for rules that have labels. Suggested by Henning Brauer.
Revision 1.12 / (download) - annotate - [select for diffs], Thu Oct 4 21:54:15 2001 UTC (22 years, 8 months ago) by dhartmei
Branch: MAIN
CVS Tags: OPENBSD_3_0_BASE,
OPENBSD_3_0
Changes since 1.11: +2 -2 lines
Diff to previous 1.11 (colored)
Honour -v flag when printing states, print only one line per state when non-verbose. Suggested by gwyllion@ace.ulyssis.org.
Revision 1.11 / (download) - annotate - [select for diffs], Mon Oct 1 17:58:16 2001 UTC (22 years, 8 months ago) by markus
Branch: MAIN
Changes since 1.10: +7 -1 lines
Diff to previous 1.10 (colored)
print variable assignments only if -v is given. ok dhartmei/deraadt
Revision 1.10 / (download) - annotate - [select for diffs], Sat Sep 15 03:54:40 2001 UTC (22 years, 8 months ago) by frantzen
Branch: MAIN
Changes since 1.9: +5 -5 lines
Diff to previous 1.9 (colored)
IPv6 support from Ryan McBride (mcbride@countersiege.com)
Revision 1.9 / (download) - annotate - [select for diffs], Thu Sep 6 18:05:46 2001 UTC (22 years, 9 months ago) by jasoni
Branch: MAIN
Changes since 1.8: +4 -1 lines
Diff to previous 1.8 (colored)
1:1 bidirectional NAT (binat); ok dhartmei@ and frantzen@
Revision 1.8 / (download) - annotate - [select for diffs], Thu Aug 23 04:10:51 2001 UTC (22 years, 9 months ago) by deraadt
Branch: MAIN
Changes since 1.7: +4 -4 lines
Diff to previous 1.7 (colored)
KNF
Revision 1.7 / (download) - annotate - [select for diffs], Sat Aug 11 09:54:59 2001 UTC (22 years, 10 months ago) by deraadt
Branch: MAIN
Changes since 1.6: +10 -10 lines
Diff to previous 1.6 (colored)
\+\n support, and spit out cc-style error messages. the parser's line counting is lex dependent, and will need to be tweaked
Revision 1.6 / (download) - annotate - [select for diffs], Mon Jul 16 21:09:38 2001 UTC (22 years, 10 months ago) by markus
Branch: MAIN
Changes since 1.5: +33 -5 lines
Diff to previous 1.5 (colored)
add a yacc parser for pf.conf and nat.conf, with help from mickey@, plus: -n now turns off all operations, and just parses the conf files ok deraadt@
Revision 1.5 / (download) - annotate - [select for diffs], Mon Jun 25 18:02:44 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.4: +4 -4 lines
Diff to previous 1.4 (colored)
include guard fix; smat@acm.org
Revision 1.4 / (download) - annotate - [select for diffs], Mon Jun 25 09:44:33 2001 UTC (22 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.3: +9 -9 lines
Diff to previous 1.3 (colored)
catch up to Art changes in the kernel
Revision 1.3 / (download) - annotate - [select for diffs], Sun Jun 24 23:16:36 2001 UTC (22 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.2: +1 -3 lines
Diff to previous 1.2 (colored)
match changes in header files
Revision 1.2 / (download) - annotate - [select for diffs], Sun Jun 24 21:40:51 2001 UTC (22 years, 11 months ago) by dhartmei
Branch: MAIN
Changes since 1.1: +2 -2 lines
Diff to previous 1.1 (colored)
REGENTS -> COPYRIGHT HOLDERS
Revision 1.1 / (download) - annotate - [select for diffs], Sun Jun 24 21:04:16 2001 UTC (22 years, 11 months ago) by kjell
Branch: MAIN
Move and rename packet filter userland. grr. CVS: making easy things difficult, and directory operations impossible.