OpenBSD CVS

CVS log for src/sbin/pfctl/pfctl_radix.c




Default branch: MAIN


Revision 1.38, Tue Sep 5 15:37:07 2023 UTC (9 months ago) by robert
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, OPENBSD_7_4_BASE, OPENBSD_7_4, HEAD
Changes since 1.37: +2 -2 lines

fix mismatching declaration of argument with mismatched bounds

ok tb@

Revision 1.37, Wed Jan 15 22:31:51 2020 UTC (4 years, 4 months ago) by kn
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3, OPENBSD_7_2_BASE, OPENBSD_7_2, OPENBSD_7_1_BASE, OPENBSD_7_1, OPENBSD_7_0_BASE, OPENBSD_7_0, OPENBSD_6_9_BASE, OPENBSD_6_9, OPENBSD_6_8_BASE, OPENBSD_6_8, OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.36: +1 -14 lines

Unify error message for nonexisting anchors

pf(4) returns EINVAL for DIOCGETRULE, DIOCGETRULES and DIOCGETRULESET if
the specified anchor does not exist.

Extend and rename {pfr -> pf}_strerror() to make error message more
consistent.

There are other occasions as well but those need additional tweaks;
that's stuff for another diff.

OK and rename from sashan

Revision 1.36, Wed Jan 15 16:15:08 2020 UTC (4 years, 4 months ago) by kn
Branch: MAIN
Changes since 1.35: +2 -2 lines

Refine error message

While code in pf/pfctl confusingly uses either anchor or ruleset
depending on the context, pfctl(8) (both manual and user interface)
should be consistent.

For users there are basically anchors only, so do not imply any
difference between the two terminologies.

OK sashan

Revision 1.35, Fri Jun 28 13:32:45 2019 UTC (4 years, 11 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.34: +16 -16 lines

When system calls indicate an error they return -1, not some arbitrary
value < 0.  errno is only updated in this case.  Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

Revision 1.34, Fri Aug 11 22:30:38 2017 UTC (6 years, 9 months ago) by benno
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5, OPENBSD_6_4_BASE, OPENBSD_6_4, OPENBSD_6_3_BASE, OPENBSD_6_3, OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.33: +3 -3 lines

add option -N (no domain resolution)
manpage wording and reminder about usage() jmc@
ok florian@ henning@

Revision 1.33, Thu Dec 10 17:27:00 2015 UTC (8 years, 6 months ago) by mmcc
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1, OPENBSD_6_0_BASE, OPENBSD_6_0, OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.32: +2 -3 lines

Remove NULL-checks before free(). ok tb@

Revision 1.32, Wed Jan 21 21:50:33 2015 UTC (9 years, 4 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8, OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.31: +2 -1 lines

Include <netinet/in.h> before <net/pfvar.h>.  In a future change when
ports is ready, <net/pfvar.h> will stop including a pile of baloney.

Revision 1.31, Wed May 7 14:59:11 2014 UTC (10 years, 1 month ago) by tedu
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6
Changes since 1.30: +9 -19 lines

consolidate some code by using reallocarray in all cases.
ok deraadt millert

Revision 1.30, Fri Nov 22 04:12:48 2013 UTC (10 years, 6 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE, OPENBSD_5_5
Changes since 1.29: +3 -3 lines

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert

Revision 1.29, Wed Jul 27 00:26:10 2011 UTC (12 years, 10 months ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4, OPENBSD_5_3_BASE, OPENBSD_5_3, OPENBSD_5_2_BASE, OPENBSD_5_2, OPENBSD_5_1_BASE, OPENBSD_5_1, OPENBSD_5_0_BASE, OPENBSD_5_0
Changes since 1.28: +7 -4 lines

Add support for weighted round-robin in load balancing pools and tables.
Diff from zinke@ with some minor cleanup.
ok henning claudio deraadt

Revision 1.28, Wed Dec 5 12:01:47 2007 UTC (16 years, 6 months ago) by chl
Branch: MAIN
CVS Tags: OPENBSD_4_9_BASE, OPENBSD_4_9, OPENBSD_4_8_BASE, OPENBSD_4_8, OPENBSD_4_7_BASE, OPENBSD_4_7, OPENBSD_4_6_BASE, OPENBSD_4_6, OPENBSD_4_5_BASE, OPENBSD_4_5, OPENBSD_4_4_BASE, OPENBSD_4_4, OPENBSD_4_3_BASE, OPENBSD_4_3
Changes since 1.27: +1 -50 lines

remove unused functions

from tobias@

ok mcbride@ tobias@

Revision 1.27, Sat May 21 21:03:58 2005 UTC (19 years ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_4_2_BASE, OPENBSD_4_2, OPENBSD_4_1_BASE, OPENBSD_4_1, OPENBSD_4_0_BASE, OPENBSD_4_0, OPENBSD_3_9_BASE, OPENBSD_3_9, OPENBSD_3_8_BASE, OPENBSD_3_8
Changes since 1.26: +3 -4 lines

clean up and rework the interface abstraction code big time, rip out multiple
useless layers of indirection and make the code way cleaner overall.
this is just the start, more to come...
worked very hard on by Ryan and me in Montreal last week, on the airplane to
vancouver and yesterday here in calgary. it hurt.
ok ryan theo

Revision 1.26, Mon Jun 14 20:44:22 2004 UTC (19 years, 11 months ago) by cedric
Branch: MAIN
CVS Tags: OPENBSD_3_7_BASE, OPENBSD_3_7, OPENBSD_3_6_BASE, OPENBSD_3_6
Changes since 1.25: +1 -39 lines

Remove unused functions. ok beck@ henning@

Revision 1.25, Fri Apr 9 12:42:06 2004 UTC (20 years, 2 months ago) by cedric
Branch: MAIN
Changes since 1.24: +2 -2 lines

Do not try to load directories. found+ok mpech@

Revision 1.24, Tue Feb 10 18:29:30 2004 UTC (20 years, 4 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_3_5_BASE, OPENBSD_3_5
Changes since 1.23: +7 -5 lines

lotsoflotsoflotsof KNF
and an off by one

Revision 1.23, Wed Dec 31 11:18:24 2003 UTC (20 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.22: +30 -2 lines

Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to a group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now supports multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to a group of interfaces, for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff changes the pf_state structure slightly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@

Revision 1.22, Fri Sep 26 21:44:09 2003 UTC (20 years, 8 months ago) by cedric
Branch: MAIN
Changes since 1.21: +2 -1 lines

Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command.
(some splxxx work remains in the kernel). Basically, improvements are:

   - Anchors/Rulesets cannot disappear unexpectedly anymore.
   - No more leftovers in the kernel if "pfctl -f" fails.
   - Commit is now done in a single atomic IOCTL.

WARNING: The kernel code is fully backward compatible, but the new
pfctl/authpf userland utilities will only run on a new kernel.

The following ioctls are deprecated (i.e. will be deleted sooner or
later, depending on how many 3rd party utilities use them and how soon
they can be upgraded):

   - DIOCBEGINRULES
   - DIOCCOMMITRULES
   - DIOCBEGINALTQS
   - DIOCCOMMITALTQS
   - DIOCRINABEGIN
   - DIOCRINADEFINE

They are replaced by the following ioctls (yes, PF(4) will follow)
which operate on a vector of rulesets:

   - DIOCXBEGIN
   - DIOCXCOMMIT
   - DIOCXROLLBACK

Ok dhartmei@ mcbride@

Revision 1.21, Wed Sep 24 09:12:35 2003 UTC (20 years, 8 months ago) by cedric
Branch: MAIN
Changes since 1.20: +13 -15 lines

Fix realloc usage and make sure we don't increase buffer size on failure.
ok henning@ mcbride@

Revision 1.20, Fri Aug 22 21:50:34 2003 UTC (20 years, 9 months ago) by david
Branch: MAIN
CVS Tags: OPENBSD_3_4_BASE, OPENBSD_3_4
Changes since 1.19: +2 -2 lines

pf spelling police
ok dhartmei@ jmc@

Revision 1.19, Thu Jul 31 22:25:54 2003 UTC (20 years, 10 months ago) by cedric
Branch: MAIN
Changes since 1.18: +8 -3 lines

Make table tickets per-ruleset instead of global.
Make table tickets u_int32_t for consistency with other parts of PF.
Ok dhartmei@ henning@

Revision 1.18, Fri Jul 4 11:05:44 2003 UTC (20 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.17: +4 -4 lines

KNF after cedric (grmpf)

Revision 1.17, Thu Jul 3 09:13:06 2003 UTC (20 years, 11 months ago) by cedric
Branch: MAIN
Changes since 1.16: +21 -12 lines

This patch finally cleans up pfctl_table.c. No more global buffer,
and a couple of parsing functions moved to parse.y or pfctl_parser
where they belong.

I also took the opportunity to replace "void" functions with exit(1)
or err() inside by "int" functions, with the caller checking the
return value for errors (much cleaner and an old request from Theo)

ok dhartmei@ henning@

Revision 1.16, Mon Jun 30 20:02:46 2003 UTC (20 years, 11 months ago) by cedric
Branch: MAIN
Changes since 1.15: +111 -1 lines

Buffer management functions.
ok dhartmei@

Revision 1.15, Sat Jun 28 12:26:22 2003 UTC (20 years, 11 months ago) by cedric
Branch: MAIN
Changes since 1.14: +1 -2 lines

No need to include the same header twice.
Thanks to Max Laier.

Revision 1.14, Fri Jun 27 15:35:00 2003 UTC (20 years, 11 months ago) by cedric
Branch: MAIN
Changes since 1.13: +79 -1 lines

Reorg part I: move 3 functions out of pf_table.c to pf_radix.c
ok dhartmei@

Revision 1.13, Sun Jun 8 09:41:07 2003 UTC (21 years ago) by cedric
Branch: MAIN
Changes since 1.12: +12 -4 lines

A table in an anchor creates a real anchor: pfctl -sA works.
The following two pfctl functions work with an "-a" option:
  - pfctl [-a foo[:bar]] -sT
  - pfctl [-a foo[:bar]] -FT
ok dhartmei@

Revision 1.12, Sun Apr 27 16:02:08 2003 UTC (21 years, 1 month ago) by cedric
Branch: MAIN
Changes since 1.11: +15 -1 lines

Update the pfioc_table IOCTL structure.
Prepare for anchors, improve robustness.
WARNING: need to sync kernel/userland.
ok dhartmei@

Revision 1.11, Mon Feb 3 08:42:15 2003 UTC (21 years, 4 months ago) by cedric
Branch: MAIN
CVS Tags: OPENBSD_3_3_BASE, OPENBSD_3_3
Changes since 1.10: +1 -2 lines

More cleanup in tables thanks to Andrey Matveev:
 - get rid of unnecessary header netinet/in.h in pfctl_radix.c and pfctl_table.c
 - do fclose(3) only when we use config file, not STDIN
 - get rid of unneeded temporary variables
 - minor KNF

Revision 1.10, Sat Jan 25 23:17:34 2003 UTC (21 years, 4 months ago) by cedric
Branch: MAIN
Changes since 1.9: +22 -24 lines

Another nice cleanup patch from Andrey Matveev
KNF + remove/reorg headers.

Revision 1.9, Mon Jan 20 20:47:10 2003 UTC (21 years, 4 months ago) by cedric
Branch: MAIN
Changes since 1.8: +4 -4 lines

Cut & paste madness. We were (un)lucky it worked before!

Revision 1.8, Thu Jan 9 10:40:44 2003 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.7: +83 -1 lines

Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser.
Add and fix documentation for pf.4 and pf.conf.5.
Tested on i386 and sparc64 by myself, macppc by Daniel.
ok dhartmei@

Revision 1.7, Tue Jan 7 00:21:08 2003 UTC (21 years, 5 months ago) by dhartmei
Branch: MAIN
Changes since 1.6: +1 -44 lines

Remove table name hashing (pass the name in each ioctl instead), and
introduce reference counting for tables, they are now automatically
created and deleted through referencing rules. Diff partly from cedric@.
ok mcbride@, henning@, cedric@

Revision 1.6, Sat Jan 4 00:01:34 2003 UTC (21 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.5: +2 -2 lines

I do not know where this policy of "one .h file for every .c file" comes
from, but whoever thought of it is stupid.

Revision 1.5, Fri Jan 3 22:47:51 2003 UTC (21 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.4: +18 -38 lines

simplify ioctl access

Revision 1.4, Fri Jan 3 22:31:15 2003 UTC (21 years, 5 months ago) by cedric
Branch: MAIN
Changes since 1.3: +24 -24 lines

Remove _ before static functions & variables.

Revision 1.3, Fri Jan 3 21:55:51 2003 UTC (21 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.2: +61 -37 lines

kill stupid macro

Revision 1.2, Fri Jan 3 21:43:11 2003 UTC (21 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.1: +14 -14 lines

knf

Revision 1.1, Fri Jan 3 21:37:44 2003 UTC (21 years, 5 months ago) by cedric
Branch: MAIN

Bring in userland code for accessing PF radix tables.
ok dhartmei@ mcbride@
